This commit was generated by cvs2svn to compensate for changes in r178825,

which included commits to RCS files with non-trunk default branches.

1483 files changed, 252590 insertions, 48403 deletions

diff --git a/crypto/heimdal/ChangeLog b/crypto/heimdal/ChangeLog
index 159cf48..e167b09 100644
--- a/crypto/heimdal/ChangeLog
+++ b/crypto/heimdal/ChangeLog
@@ -1,897 +1,1356 @@
-2004-09-13  Johan Danielsson  <joda@pdc.kth.se>
+2008-01-24  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* Release 0.6.3
-	
-2004-09-05  Love Hörnquist Åstrand  <lha@it.su.se>
+	* Release 1.1
+
+2008-01-21  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* lib/asn1/der_get.c (decode_enumerated): check that the tag
-	length isn't longer the the length
+	* lib/krb5/get_for_creds.c: Use on variable less.
 
-2004-08-31  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/get_for_creds.c: Try to handle ticket full and
+	ticketless tickets better. Add doxygen comments while here.
 
-	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password):
-	kdc_reply can be set in case of failure too, clean on entry and
-	free the exit unconditionally to avoid memory leak
+	* lib/krb5/test_forward.c: Used for testing
+	krb5_get_forwarded_creds().
 	
-2004-08-20  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/Makefile.am: noinst_PROGRAMS += test_forward
 
-	* lib/krb5/context.c: 1.93: (krb5_get_err_text): if neither of
-	com_right nor strerror finds the error-code, return Unknown error.
+	* lib/krb5/Makefile.am: drop CHECK_SYMBOLS
 
-2004-08-13  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/hdb/Makefile.am: drop CHECK_SYMBOLS
 
-	* kdc/kerberos5.c: based on 1.162: (get_pa_etype_info): check for
-	dup enctypes from the client and filter them out.
-	
-2004-06-21  Love Hörnquist Åstrand  <lha@it.su.se>
+	* kdc/Makefile.am: drop CHECK_SYMBOLS
 
-	* admin/get.c: 1.23: (kt_get): catch errors from krb5_parse_name
-	
-2004-06-21  Love Hörnquist Åstrand  <lha@it.su.se>
+2008-01-18  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* lib/krb5/Makefile.am: man_MANS += krb5_set_password.3
+	* lib/krb5/version-script.map: Add krb5_digest_probe.
 	
-	* lib/krb5/krb5_set_password.3: 1.1-1.3: change password manpage
+2008-01-13  Love Hörnquist Åstrand  <lha@it.su.se>
 	
-	* lib/krb5/changepw.c: 1.49: implement
-	krb5_set_password_using_ccache 1.47: add tcp support to the set
-	protocol, should be cleaned up to enable sharing code with
-	krb5_sendto 1.46: (process_reply): log into result_string if
-	something goes bad, return 0 (even on failure), not the KPASSWD
-	protocol error code 1.45: krb5_princ_realm ->
-	krb5_principal_get_realm 1.44: (setpw_send_request): free
-	ap_req_data on failure 1.41: ooops, remove cut and paste error
-	1.40: draft-ietf-cat-kerb-chg-password-02 and rfc3244 share the
-	response packet sure more constants now that they exists 1.39:
-	implement rfc3244, partly from shadow@dementia.org
+	* lib/krb5/pkinit.c: Replace hx509_name_to_der_name with
+	hx509_name_binary.
+
+2008-01-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/Makefile.am: add missing files
+
+2007-12-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/digest.c: Log probe message, add NTLM_TARGET_DOMAIN to the
+	type2 message.
+
+2007-12-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/dbinfo.c: Add hdb_default_db().
+
+	* Makefile.am: Add some extra cf/*.
+
+2007-12-12  Love Hörnquist Åstrand  <lha@it.su.se>
 	
-	* lib/krb5/krb5.h: 1.211: some defines for rfc3244
+	* kuser/kgetcred.c: Fix type of name-type. From Andy Polyakov.
+
+2007-12-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/log.c: Use hdb_db_dir().
+
+	* kpasswd/kpasswdd.c: Use hdb_db_dir().
+
+2007-12-08  Love Hörnquist Åstrand  <lha@it.su.se>
 	
-	* lib/asn1/Makefile.am: 1.71: (gen_files):
-	asn1_ChangePasswdDataMS.x for RFC3244
+	* kdc/config.c: Use hdb_db_dir().
+
+	* kdc/kdc_locl.h: add KDC_LOG_FILE
+
+	* kdc/hpropd.c: Use hdb_default_db().
+
+	* kdc/kstash.c: Use hdb_db_dir().
+
+	* kdc/pkinit.c: Adapt to hx509 changes, use hdb_db_dir().
+
+	* lib/krb5/rd_req.c: Document krb5_rd_req_in_set_pac_check.
+
+	* lib/krb5/verify_krb5_conf.c: Check check_pac.
+
+	* lib/krb5/rd_req.c: use KRB5_CTX_F_CHECK_PAC to init check_pac
+	field in the krb5_rd_req_in_ctx
+
+	* lib/krb5/expand_hostname.c: Adapt to changing
+	dns_canonicalize_hostname into flags field.
+
+	* lib/krb5/context.c: Adapt to changing dns_canonicalize_hostname
+	into flags field, add check-pac as an libdefaults option.
+
+	* lib/krb5/pkinit.c: Adapt to changes in hx509 interface.
+
+	* doc: add doxygen documentation to hcrypto
+
+	* doc/doxytmpl.dxy: generate links
 	
-	* lib/asn1/k5.asn1: 1.30: add ChangePasswdDataMS, for RFC3244
+2007-12-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/Makefile.am: build_HEADERZ += heim_threads.h
+
+	* lib/hdb/dbinfo.c (hdb_db_dir): Return the directory where the
+	hdb database resides.
+
+	* configure.in: Add --with-hdbdir to specify where the database is
+	stored.
+
+	* lib/krb5/crypto.c: revert previous patch, the problem is located
+	in the RAND_file_name() function that will cause recursive nss
+	lookups, can't fix that here.
+
+2007-12-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/crypto.c (krb5_generate_random_block): try to avoid the
+	dead-lock in by not holding the lock while running
+	RAND_file_name. Prompted by Hai Zaar.
+
+	* lib/krb5/n-fold.c: spelling
 	
-	* kuser/kinit.c: 1.114: move "setpag if (argc < 1)" to common path
+2007-12-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kuser/kdigest.c (digest-probe): implement command.
+
+	* kuser/kdigest-commands.in (digest-probe): new command
 	
-2004-05-06  Johan Danielsson  <joda@pdc.kth.se>
+	* kdc/digest.c: Implement supportedMechs request.
 
-	* Release 0.6.2
+	* lib/krb5/error_string.c: Make krb5_get_error_string return an
+	allocated string to make the function indempotent. From
+	Zeqing (Fred) Xia.
 
-2004-04-02  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-12-03  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* kdc/connect.c: case size_t to unsigned long for LP64 platforms
-	
-2004-04-01  Johan Danielsson  <joda@pdc.kth.se>
+	* lib/krb5/krb5_locl.h (krb5_context_data): Flag if
+	default_cc_name was set by the user.
 
-	* Release 0.6.1
+	* lib/krb5/fcache.c (fcc_move): make sure ->version is uptodate.
 
-2004-03-30  Love Hörnquist Åstrand  <lha@it.su.se>
+	* kcm/acquire.c: use krb5_free_cred_contents
 
-	* kdc/kerberos4.c: 1.46: stop the client from renewing tickets
-	into the future From: Jeffrey Hutzelman <jhutz@cmu.edu>
+	* kuser/kimpersonate.c: use krb5_free_cred_contents
 	
-2004-03-10  Love Hörnquist Åstrand  <lha@it.su.se>
+	* kuser/kinit.c: Use krb5_cc_move to make an atomic switch of the
+	cred cache.
+
+	* lib/krb5/cache.c: Put back code that was needed, move gen_new
+	into new_unique.
 
-	* lib/krb5/fcache.c: 1.43: (fcc_store_cred): NULL terminate
-	krb5_config_get_bool_default' arglist
+	* lib/krb5/mcache.c (mcc_default_name): Remove const
+
+	* lib/krb5/krb5_locl.h: Add KRB5_DEFAULT_CCNAME_KCM, redefine
+	KRB5_DEFAULT_CCNAME to KRB5_DEFAULT_CCTYPE
+
+	* lib/krb5/cache.c: Use krb5_cc_ops->default_name to get the
+	default name.
+
+	* lib/krb5/kcm.c: Implement krb5_cc_ops->default_name.
+
+	* lib/krb5/mcache.c: Implement krb5_cc_ops->default_name.
+
+	* lib/krb5/fcache.c: Implement krb5_cc_ops->default_name.
+
+	* lib/krb5/krb5.h: Add krb5_cc_ops->default_name.
+
+	* lib/krb5/acache.c: Free context when done, implement
+	krb5_cc_ops->default_name.
+
+	* lib/krb5/kcm.c: implement dummy kcm_move
+
+	* lib/krb5/mcache.c: Implement the move operation.
+
+	* lib/krb5/version-script.map: export krb5_cc_move
+
+	* lib/krb5/cache.c: New function krb5_cc_move().
+
+	* lib/krb5/fcache.c: Implement the move operation.
+
+	* lib/krb5/krb5.h: Add move to the krb5_cc_ops, causes major
+	version bump.
+
+	* lib/krb5/acache.c: Implement the move operation. Avoid using
+	cc_set_principal() since it broken on Mac OS X 10.5.0.
 	
-2004-03-09  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-12-02  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* lib/krb5/krb5.conf.5: 1.44: document
-	[libdefaults]fcc-mit-ticketflags=boolean 1.43: don't use path's in
-	first .Nm, it confuses some locate.updatedb, use FILES section to
-	describe where the file is instead.
+	* lib/krb5/krb5_ccapi.h: Drop variable names to avoid -Wshadow.
 	
-	* lib/krb5/fcache.c (fcc_store_cred): default to use old format
+2007-11-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/krb5tgs.c: Should pass different key usage constants
+	depending on whether or not optional sub-session key was passed by
+	the client for the check of authorization data. The constant is
+	used to derive "specific key" and its values are specified in
+	7.5.1 of RFC4120.
 	
-	* lib/krb5/fcache.c: 1.42: (fcc_store_cred): use
-	[libdefaults]fcc-mit-ticketflags=boolean to decide what format to
-	write the fcc in. Default to mit format (aka heimdal 0.7 format)
-	1.41: (_krb5_xlock): handle that everything was ok, and don't put
-	an error in the error strings then
+	Patch from Andy Polyakov.
+
+	* kdc/krb5tgs.c: Don't send auth data in referrals, microsoft
+	clients have started to not like that. Thanks to Andy Polyakov for
+	excellent research.
+
+2007-11-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/creds.c: use krb5_data_cmp
+
+	* lib/krb5/acache.c: use krb5_free_cred_contents
+
+	* lib/krb5/test_renew.c: use krb5_free_cred_contents
 	
-	* lib/krb5/store.c: 1.43: add _krb5_store_creds_heimdal_0_7 and
-	_krb5_store_creds_heimdal_pre_0_7 that store the creds in just
-	that format make krb5_store_creds default to mit format 1.42:
-	(krb5_ret_creds): Runtime detect the what is the higher bits of
-	the bitfield 1.41: (krb5_store_creds): add disabled code that
-	store the ticket flags in reverse order (bitswap32): new function
-	1.40: (krb5_ret_creds): if the higher ticket flags are set, its a
-	mit cache, reverse the bits, bug pointed out by Sergio Gelato
-	<Sergio.Gelato@astro.su.se>
+2007-11-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/acl.c: doxygen documentation
+
+	* lib/krb5/addr_families.c: doxygen documentation
+
+	* doc: add doxygen
+
+	* lib/krb5/plugin.c: doxygen documentation
+
+	* lib/krb5/kcm.c: doxygen documentation
+
+	* lib/krb5/fcache.c: doxygen documentation
+
+	* lib/krb5/cache.c: doxygen documentations
 	
-	delta modfied to not change the behavior of krb5_store_creds
+	* lib/krb5/doxygen.c: doxygen introduction
+
+	* lib/krb5/error_string.c: Doxygen documentation.
+
+2007-11-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/test_plugin.c: expose krb5_plugin_register
+
+	* lib/krb5/plugin.c: expose krb5_plugin_register
+
+	* lib/krb5/version-script.map: sort, expose krb5_plugin_register
+
+2007-10-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kerberos5.c: Adding same enctype is enough one time. From
+	Andy Polyakov and Bjorn Sandell.
 	
-2004-03-07  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-10-18  Love  <lha@stacken.kth.se>
 
-	* lib/krb5/mk_safe.c (krb5_mk_safe): fix assignment of usec2
+	* lib/krb5/cache.c (krb5_cc_retrieve_cred): check return value
+	from krb5_cc_start_seq_get. From Zeqing (Fred) Xia
 	
-2004-03-06  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/fcache.c (init_fcc): provide better error codes
 
-	* lib/krb5/mcache.c: patch based on 1.17 and 1.18 but with
-	threading code pulled out;
+	* kdc/kerberos5.c (get_pa_etype_info2): more paranoia, avoid
+	sending warning about pruned etypes.
+
+	* kdc/kerberos5.c (older_enctype): old windows enctypes (arcfour
+	based) "old", this to support windows 2000 clients (unjoined to a
+	domain). From Andy Polyakov.
+
+2007-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/setup.texi: Spelling, from Mark Peoples via Bjorn Sandell.
 	
-	1.18: (mcc_get_principal): also check for primary_principal ==
-	NULL now that that isn't used as dead flag 1.17: don't overload
-	the primary_principal == NULL as dead since that doesn't always
-	work Based on patch from Jeffrey Hutzelman <jhutz@cmu.edu>, but
-	tweek by me
+2007-10-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/krb5tgs.c: More prettier printing of enctype, from KAMADA
+	Ken'ichi.
 
-	* lib/krb5/crypto.c: 1.94: (decrypt_internal_special): do not not
-	modify the original data test case from Ronnie Sahlberg
-	<ronnie_sahlberg@ozemail.com.au>
+	* lib/krb5/crypto.c (krb5_enctype_to_string): make sure string is
+	NULL on failure.
 
-2004-02-13  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-10-03  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* lib/krb5/verify_krb5_conf.c: 1.22->1.23: (check_host): don't
-	check for EAI_NODATA, because its depricated in RFC3493 Pointed
-	out by Hajimu UMEMOTO <ume@mahoroba.org> on heimdal-discuss
+	* kdc/kdc-replay.c: Catch KRB5_PROG_ATYPE_NOSUPP from
+	krb5_addr2sockaddr and igore thte test is that case.
 	
-	* lib/krb5/eai_to_heim_errno.c: 1.3->1.4: EAI_ADDRFAMILY and
-	EAI_NODATA is deprecated in RFC3493
+2007-09-29  Love Hörnquist Åstrand  <lha@it.su.se>
 
-2004-02-09  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/context.c (krb5_free_context): free
+	default_cc_name_env, from Gunther Deschner.
 
-	* lib/asn1/der_length.c: 1.16: Fix len_unsigned for certain
-	negative integers, it got the length wrong, fix from Panasas, Inc.
+2007-08-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/{krb5.h,pac.c,test_pac.c,send_to_kdc.c,rd_req.c}: Make
+	work with c++, reported by Hai Zaar
+
+	* lib/krb5/{digest.c,krb5.h}: Make work with c++, reported by Hai Zaar
+
+2007-08-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/Makefile.am: EXTRA_DIST += hdb.schema
+
+2007-07-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check return value of alloc functions, from Charles Longeau
+
+	* lib/krb5/principal.c: spelling.
+
+	* kadmin/kadmin.8: spelling
+
+	* lib/krb5/crypto.c: Check return values from alloc
+	functions. Prompted by patch of Charles Longeau.
+
+	* lib/krb5/n-fold.c: Make _krb5_n_fold return a error
+	code. Prompted by patch of Charles Longeau.
+
+2007-07-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/init_creds.c: Always set the ticket options, use
+	KRB5_ADDRESSLESS_DEFAULT as the default value, this make the unset
+	tri-state not so useful.
+
+2007-07-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* tools/heimdal-gssapi.pc.in: Add LIB_pkinit to the list of
+	libraries.
+
+	* tools/heimdal-gssapi.pc.in: pkg-config file for libgssapi in
+	heimdal.
+
+	* tools/Makefile.am: Add heimdal-gssapi.pc and install it into
+	$(libdir)/pkgconfig
+
+2007-07-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c: Add RFC3526 modp group14 as a default.
+
+2007-07-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/dbinfo.c (get_dbinfo): use dbname instead of realm as
+	key if the entry is a correct entry.
+
+	* lib/krb5/get_cred.c: Make krb5_get_renewed_creds work, from
+	Gunther Deschner.
+
+	* lib/krb5/Makefile.am: Add test_renew to noinst_PROGRAMS.
+
+	* lib/krb5/test_renew.c: Test for krb5_get_renewed_creds.
+
+2007-07-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/keys.c: Make parse_key_set handle key set string "v5",
+	from Peter Meinecke.
+
+	* kdc/kaserver.c: Don't ovewrite the error code, from Peter
+	Meinecke.
+
+2007-07-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* TODO-1.0: remove 
+
+	* Makefile.am: remove TODO-1.0
+
+2007-07-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Heimdal 1.0 release branch cut here
+	
+	* doc/hx509.texi: use version.texi
 	
-	* lib/asn1/der_locl.h: 1.5: add _heim_len_unsigned, _heim_len_int
+	* doc/heimdal.texi: use version.texi
 	
-2004-01-26  Love Hörnquist Åstrand  <lha@it.su.se>
+	* doc/version.texi: version.texi
 
-	* lib/asn1/gen_length.c: 1.14: (length_type): TSequenceOf: add up
-	the size of all the elements, don't use just the size of the last
-	element.
+	* lib/hdb/db3.c: avoid type-punned pointer warning.
 
-	* lib/krb5/fcache.c: 1.40: (_krb5_xlock): catch EINVAL and assume
-	that it means that the filesystem doesn't support locking 1.39:
-	(_krb5_xlock): fix compile error in last commit 1.38: internally
-	export x{,un}lock and thus prefix them with _krb5_
-	
-2004-01-13  Love Hörnquist Åstrand  <lha@it.su.se>
+	* kdc/kx509.c: Use unsigned char * as argument to HMAC_Update to
+	please OpenSSL and gcc.
 
-	* kuser/kinit.c: 1.106: (renew_validate): if renewable_flag and
-	not time specifed, use "1 month"
-	1.105: make -9 work again
+	* kdc/digest.c: Use unsigned char * as argument to MD5_Update to
+	please OpenSSL and gcc.
 
-2004-01-09  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-07-16  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* lib/krb5/get_for_creds.c: 1.36: (add_addrs): don't increase
-	addr->len until in contains interesting data, use right iteration
-	counter when clearing the addresses 1.39: krb5_princ_realm ->
-	krb5_principal_get_realm 1.38: (krb5_get_forwarded_creds): use
-	KRB5_AUTH_CONTEXT_DO_TIME if we want timestamp in forwarded
-	krb-cred 1.39: (krb5_get_forwarded_creds): If tickets are
-	address-less, forward address-less tickets.  1.40:
-	(krb5_get_forwarded_creds): try to handle errors better for
-	previous commit 1.41: (add_addrs): don't add same address multiple
-	times
-	
-	* lib/krb5/get_cred.c: 1.96->1.97: rename get_krbtgt to
-	_krb5_get_krbtgt and export it
+	* include/Makefile.am: Add krb_err.h.
 
-2003-12-14  Love Hörnquist Åstrand  <lha@it.su.se>
+	* kdc/set_dbinfo.c: Print acl file too.
 
-	* kdc/kerberos5.c: part of 1.146->1.147: handle NULL client/server
-	names
+	* kdc/kerberos4.c: Error codes are just fine, remove XXX now.
 
-2003-12-03  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/krb5-v4compat.h: Drop duplicate error codes.
 
-	* lib/krb5/crypto.c: 1.90->1.91: require cipher-text to be padded
-	to padsize 1.91->1.92: (decrypt_internal_derived): move up padsize
-	check to avoid memory leak
-	
-2003-12-01  Love Hörnquist Åstrand  <lha@it.su.se>
+	* kdc/kerberos4.c: switch to ET errors.
 
-	* kuser/kinit.c: 1.103->1.104: (main): return the return value
-	from simple_execvp
+	* lib/krb5/Makefile.am: Add krb_err.h to build_HEADERZ.
 
-2003-10-22  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/v4_glue.c: If its a Kerberos 4 error-code, remove the
+	et BASE.
 
-	* lib/krb5/transited.c: 1.13->1.14: (krb5_domain_x500_encode):
-	always zero out encoding to make sure it have a defined value on
-	failure
+2007-07-15  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* lib/krb5/transited.c: 1.12->1.13: (krb5_domain_x500_encode): if
-	num_realms == 0, set encoding and return (avoids malloc(0)) check
-	return value from malloc
-	
-2003-10-21  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/krb5-v4compat.h: Include "krb_err.h".
+
+	* lib/krb5/v4_glue.c: return more interesting error codes.
 
-	* doc/setup.texi: 1.35->1.36: spelling
+	* lib/krb5/plugin.c: Prefix enum plugin_type.
+
+	* lib/krb5/krb5_locl.h: Expose plugin structures.
 	
-	* kdc/kdc_locl.h: 1.58->1.59: add flag to always check transited
-	policy
+	* lib/krb5/krb5.h: Add plugin structures.
+
+	* lib/krb5/krb_err.et: V4 errors.
 
-	* doc/setup.texi: 1.27->1.35: many changes
+	* lib/krb5/version-script.map: First version of version script.
+
+2007-07-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kerberos5.c: Java 1.6 expects the name to be the same type,
+	lets allow that for uncomplicated name-types.
+
+2007-07-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/v4_glue.c (_krb5_krb_rd_req): if ticket contains
+	address 0, its ticket less and don't really care about
+	from_addr. return better error codes.
+
+	* kpasswd/kpasswdd.c: Fix pointer vs strict alias rules.
+
+2007-07-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/hdb-ldap.c: When using sambaNTPassword, avoid adding
+	more then one enctype 23 to krb5EncryptionType.
+
+	* lib/krb5/cache.c: Spelling.
+
+	* kdc/kerberos5.c: Don't send newer enctypes in ETYPE-INFO.
+	(get_pa_etype_info2): return the enctypes as sorted in the
+	database
+
+2007-07-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kuser/kinit.c: krb5-v4compat.h defines prototypes for
+	v4 (semiprivate functions) in libkrb5, don't include
+	krb5-private.h any longer.
+
+	* lib/krb5/krbhst.c: Set error string when there is no KDC for a
+	realm.
+
+	* lib/krb5/Makefile.am: New library version.
+
+	* kdc/Makefile.am: New library version.
+
+	* lib/krb5/krb5_locl.h: Add default_cc_name_env.
+
+	* lib/krb5/cache.c (enviroment_changed): return non-zero if
+	enviroment that will determine default krb5cc name has changed.
+	(krb5_cc_default_name): also check if cached value is uptodate.
+
+	* lib/krb5/krb5_locl.h: Drop pkinit_flags.
+
+2007-07-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* configure.in: add tests/java/Makefile
+
+	* lib/hdb/dbinfo.c: Add hdb_dbinfo_get_log_file.
+
+2007-07-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kerberos5.c: Improve the default salt detection to avoid
+	returning v4 password salting to java that doesn't look at the
+	returning padata for salting.
+
+	* kdc: Split out krb5_kdc_set_dbinfo, From Andrew Bartlett
+
+2007-07-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/digest.c: Try harder to provide better error message for
+	digest messages.
+
+	* lib/krb5/Makefile.am: verify_krb5_conf_OBJECTS depends on
+	krb5-pr*.h, make -j finds this.
 	
-	* lib/krb5/get_cred.c: 1.95->1.96: get capath info from [capaths]
-	section
+2007-06-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/digest.c: On success, print username, not ip-adress.
 
-	* lib/krb5/rd_req.c: 1.50->1.51: (krb5_decrypt_ticket): try to
-	verify transited realms, unless the transited-policy-checked flag
-	is set
+2007-06-26  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* lib/krb5/transited.c:
-	1.12: (krb5_domain_x500_decode): set *num_realms to zero not num_realms
-	1.11: (krb5_domain_x500_decode): handle zero length tr data;
-	(krb5_check_transited): new function that does more useful stuff
+	* lib/krb5/get_cred.c: Add krb5_get_renewed_creds.
 
-	* kdc/kdc.8: 1.23->1.24: document enforce-transited-policy
+	* lib/krb5/krb5_get_credentials.3: add krb5_get_renewed_creds
+
+	* lib/krb5/pkinit.c: Use hx509_cms_unwrap_ContentInfo.
 	
-	* kdc/config.c: 1.47->1.48: add flag to always check transited
-	policy
+2007-06-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/setup.texi: Add example for pkinit_win2k_require_binding
+	in [kdc] section.
+
+	* kdc/default_config.c: Rename require_binding to
+	win2k_require_binding to match client configuration.
+
+	* kdc/default_config.c: Add [kdc]pkinit_require_binding option.
+
+	* kdc/pkinit.c (pk_mk_pa_reply_enckey): only allow non-bound reply
+	if its not required.
+
+	* kdc/default_config.c: rename pkinit_princ_in_cert and add
+	pkinit_require_binding
+
+	* kdc/kdc.h: rename pkinit_princ_in_cert and add
+	pkinit_require_binding
+
+	* kdc/pkinit.c: rename pkinit_princ_in_cert
+
+2007-06-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c: Adapt to hx509_verify_hostname change.
+
+2007-06-21  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* kdc/kerberos5.c:
-	1.150: (fix_transited_encoding): also verify with policy,
-	unless asked not to
-	1.151: always check transited policy if flag set either globally
-	(on principal part of patch not pulled up)
-	1.152: (fix_transited_encoding): set transited type
-	1.153: (fix_transited_encoding): always print cross-realm information
+	* kdc/krb5tgs.c: Drop unused variable.
 
-2003-10-06  Love Hörnquist Åstrand  <lha@it.su.se>
+	* kdc/krb5tgs.c: disable anonyous tgs requests
 
-	* lib/krb5/config_file.c: 1.48->1.49:
-	(krb5_config_parse_file_debug): punt if there is binding before a
-	section declaration.
-	Bug found by Arkadiusz Miskiewicz <arekm@pld-linux.org>
+	* kdc/krb5tgs.c: Don't check PAC on cross realm for now.
 
-	* kdc/kaserver.c: 1.21->1.23:
-	(do_getticket): if times data is shorter then 8 bytes, request is
-	malformed.
-	(do_authenticate): if request length is less then 8 bytes, its a
-	bad request and fail. Pointed out by Marco Foglia <marco@foglia.org>
+	* kuser/kgetcred.c: Set KRB5_GC_CONSTRAINED_DELEGATION and parse
+	nametypes.
 
-2003-09-22  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/krb5_principal.3: Document krb5_parse_nametype.
 
-	* lib/krb5/verify_krb5_conf.c: 1.17->1.18: add missing " within
-	#if 0 From: stefan sokoll <stefansokoll@yahoo.de>
+	* lib/krb5/principal.c (krb5_parse_nametype): parse nametype and
+	return their integer values.
+
+	* lib/krb5/krb5.h (krb5_get_creds): Add
+	KRB5_GC_CONSTRAINED_DELEGATION.
+
+	* lib/krb5/get_cred.c (krb5_get_creds): if
+	KRB5_GC_CONSTRAINED_DELEGATION is set, set both request_anonymous
+	and constrained_delegation.
+
+2007-06-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/digest.c: Return an error message instead of dropping the
+	packet for more failure cases.
+
+	* lib/krb5/krb5_principal.3: Add KRB5_PRINCIPAL_UNPARSE_DISPLAY.
+
+	* appl/gssmask/gssmask.c (AcquirePKInitCreds): fail more
+	gracefully
 	
-2003-09-19  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-06-18  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* lib/krb5/rd_req.c:
-	1.47->1.48: (krb5_rd_req): allow caller to pass in a key
-	in the auth_context, they way processes that doesn't use the
-	keytab can still pass in the key of the service (matches behavior
-	of MIT Kerberos).
+	* lib/krb5/pac.c: make compile.
 	
-2003-09-18  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/pac.c (verify_checksum): memset cksum to avoid using
+	pointer from stack.
+
+	* lib/krb5/plugin.c: Don't expose free pointer.
+
+	* lib/krb5/pkinit.c (_krb5_pk_load_id): fail directoy for first
+	calloc.
 	
-	* lib/krb5/crypto.c: 
-	1.87->1.88: (usage2arcfour): simplify, only
-	include special cases From: Luke Howard <lukeh@PADL.COM>
-	1.86->1.87: (arcfour_checksum_p): return true when is arcfour,
-	not when its not pointed out by Luke Howard
-	1.82->1.83: Do the arcfour checksum mapping for
-	krb5_create_checksum and krb5_verify_checksum, From: Luke Howard
-	<lukeh@PADL.COM>
-	1.81->1.82: (hmac): make it return an error
-	when out of memory, update callsites to either return error or use
-	krb5_abortx
-	(krb5_hmac): expose hmac
-	* lib/krb5/mk_req_ext.c: 1.26->1.27: (krb5_mk_req_internal):
-	when using arcfour-hmac-md5, use an unkeyed checksum
-	(rsa-md5), since Microsoft calculates the keyed checksum with
-	the subkey of the authenticator.
+	* lib/krb5/pkinit.c (get_reply_key*): don't expose freed memory
+
+	* lib/krb5/krbhst.c: Host is static memory, don't free.
+
+	* lib/krb5/crypto.c (decrypt_internal_derived): make sure length
+	is longer then confounder + checksum.
 
-	* lib/krb5/get_cred.c:
-	1.93->1.94 (init_tgs_req): make generation of subkey
-	optional on configuration parameter
-	[realms]realm={tgs_require_subkey=bool}
-	defaults to off. The RFC1510 weakly defines the correct behavior,
-	so old DCE secd apparently required the subkey to be there, and MS
-	will use it when its there. But the request isn't encrypted in the
-	subkey, so you get to choose if you want to talk to a MS mdc or a
-	old DCE secd.
+	* kdc: export get_dbinfo as krb5_kdc_set_dbinfo and call from
+	users. This to allows libkdc users to to specify their own
+	databases
 
-	partly 1.91->1.92: (init_tgs_req): in case of error, don't
-	free in	the req_body addresses since they where pass in by caller
+	* lib/krb5/pkinit.c (pk_rd_pa_reply_enckey): simplify handling of
+	content data (and avoid leaking memory).
 
-	lib/krb5/get_in_tkt.c:
-	1.108->1.1.09: (krb5_get_in_tkt): for compatibility with with
-	the mit implemtation, don't free `creds' argument when done, its up
-	the the caller to do that, also allow a NULL ccache.
+	* kdc/misc.c (_kdc_db_fetch): set error string for failures.
+	
+2007-06-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/pkinit.c: Use KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.
 
-	* doc/ack.texi
-	1.16->1.17: update Luke Howard email address
+2007-06-13  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* lib/hdb/hdb-ldap.c:
-	1.13->1.14: code rewrite from Luke Howard <lukeh@PADL.COM>
-	1.12->1.13: (LDAP_store): log what principal/dn failed
-	1.11->1.12: use int2HDBFlags/HDBFlags2int
-	From: Alberto Patino <jalbertop@aranea.com.mx>, 
-	Luke Howard <lukeh@PADL.COM>
-	Pointed out by Andrew Bartlett of Samba
-	1.10->1.11: (LDAP__connect): bind sasl "EXTERNAL" to ldap connection
-	(LDAP_store): remove superfluous argument to asprintf
-	From Alberto Patino <jalbertop@aranea.com.mx>
+	* kdc/pkinit.c: tell user when they got a pk-init request with
+	pkinit disabled.
 
-	* lib/krb5/krb5.h:
-	1.214->1.2015: add KEYTYPE_ARCFOUR_56
+2007-06-12  Love Hörnquist Åstrand  <lha@it.su.se>
 	
-2003-09-12  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/principal.c: Rename UNPARSE_NO_QUOTE to
+	UNPARSE_DISPLAY.
+
+	* lib/krb5/krb5.h: Rename UNPARSE_NO_QUOTE to UNPARSE_DISPLAY.
+
+	* lib/krb5/principal.c: Make no-quote mean replace strange chars
+	with space.
+
+	* lib/krb5/principal.c: Support KRB5_PRINCIPAL_UNPARSE_NO_QUOTE.
 
-	* lib/krb5/config_file.c: fix prototypes Fredrik Ljungberg
-	<flag@pobox.se>
+	* lib/krb5/krb5.h: Add KRB5_PRINCIPAL_UNPARSE_NO_QUOTE.
+
+	* lib/krb5/test_princ.c: Test quoteing.
+
+	* lib/krb5/pkinit.c: update (c)
 	
-2003-09-11  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/get_cred.c: use krb5_sendto_context to talk to the KDC.
+
+	* lib/krb5/send_to_kdc.c (_krb5_kdc_retry): check if the whole
+	process needs to restart or just skip this KDC.
+
+	* lib/krb5/init_creds_pw.c: Use krb5_sendto_context to talk to
+	KDC.
+
+	* lib/krb5/krb5.h: Add sendto hooks and opaque structure.
 
-	* lib/hdb/hdb_locl.h: 1.18->1.19: include <limits.h> for ULONG_MAX
-	noted by Wissler Magnus <M.Wissler@abalon.se> on heimdal-discuss
+	* lib/krb5/krb5_rd_error.3: Update prototype.
+
+	* lib/krb5/send_to_kdc.c: Add hooks for processing the reply from
+	the server.
 	
-2003-08-29  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-06-11  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* lib/hdb/db3.c: 1.8->1.9: patch for working with DB4 on
-	heimdal-discuss From: Luke Howard <lukeh@PADL.COM> 1.9->1.10: try
-	to include more db headers
+	* lib/krb5/krb5_err.et: Some new error codes from RFC 4120.
 	
-2003-08-25  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-06-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/krb5tgs.c: Constify.
+
+	* kdc/kerberos5.c: Constify.
+
+	* kdc/pkinit.c: Check for KRB5-PADATA-PK-AS-09-BINDING. Constify.
+
+2007-06-08  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* kdc/connect.c: 1.92->1.93 (handle_tcp): handle recvfrom
-	returning 0 (connection closed) 1.91->1.92: (grow_descr):
-	increment the size after we succeed to allocate the space
+	* include/Makefile.am: Make krb5-types.h nodist_include_HEADERS.
+
+	* kdc/Makefile.am: EXTRA_DIST += version-script.map.
+	
+2007-06-07  Love Hörnquist Åstrand  <lha@it.su.se>
 	
-2003-08-15  Love Hörnquist Åstrand  <lha@it.su.se>
+	* Makefile.am (print-distdir): print name of dist
+
+	* kdc/pkinit.c: Break out loading of mappings file to a separate
+	function and remove warning that it can't open the mapping file,
+	there are now mappings in the db, maybe the users uses that
+	instead...
+
+	* lib/krb5/crypto.c: Require the raw key have the correct size and
+	do away with the minsize.  Minsize was a thing that originated
+	from RC2, but since RC2 is done in the x509/cms subsystem now
+	there is no need to keep that around.
+
+	* lib/hdb/dbinfo.c: If there is no default dbname, also check for
+	unset mkey_file and set it default mkey name, make backward compat
+	stuff work.
 
-	* lib/krb5/principal.c: 1.83->1.85: (unparse_name): len can't be
-	zero, so, don't check for that
-	(unparse_name): make sure there are space for a NUL, set *name to NULL
-	when there is a failure (so caller can't get hold of a freed
-	pointer)
+	* kdc/version-script.map: add new symbols
 
-2003-05-08  Johan Danielsson  <joda@ratatosk.pdc.kth.se>
+	* kdc/kdc-replay.c: Also update krb5_context view of what the time
+	is.
 
-	* Release 0.6
+	* configure.in: add tests/can/Makefile
 
-2003-05-08  Love Hörnquist Åstrand  <lha@it.su.se>
+	* kdc/kdc-replay.c: Add --[version|help].
 
-	* kuser/klist.c: 1.68->1.69: print tokens even if there isn't v4
-	support
+	* kdc/pkinit.c: Push down the kdc time into the x509 library.
 
-	* kuser/kdestroy.c: 1.14->1.15: destroy tokens even if there isn't
-	v4 support
+	* kdc/connect.c: Move up krb5_kdc_save_request so we can catch the
+	reply data too.
 
-	* kuser/kinit.c: 1.90->1.91: print tokens even if there isn't v4
-	support
+	* kdc/kdc-replay.c: verify reply by checking asn1 class, type and
+	tag of the reply if there is one.
 
-2003-05-06  Johan Danielsson  <joda@pdc.kth.se>
+	* kdc/process.c: Save asn1 class, type and tag of the reply if
+	there is one. Used to verify the reply in kdc-replay.
 
-	* lib/krb5/name-45-test.c: need to use empty krb5.conf for some
-	tests
+2007-06-06  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* lib/asn1/check-gen.c: there is no \e escape sequence; replace
-	everything with hex-codes, and cast to unsigned char* to make some
-	compilers happy
+	* kdc/kdc_locl.h: extern for request_log.
 
-2003-05-06  Love Hörnquist Åstrand  <lha@it.su.se>
+	* kdc/Makefile.am: Add kdc-replay.
 
-	* lib/krb5/get_in_tkt.c (make_pa_enc_timestamp): make sure first
-	argument to krb5_us_timeofday have correct type
+	* kdc/kdc-replay.c: Replay kdc messages to the KDC library.
+
+	* kdc/config.c: Pick up request_log from [kdc]kdc-request-log.
+
+	* kdc/connect.c: Option to save the request to disk.
+
+	* kdc/process.c (krb5_kdc_save_request): save request to file.
+
+	* kdc/process.c (krb5_kdc_process*): dont update _kdc_time
+	automagicly.
+	(krb5_kdc_update_time): set or get current kdc-time.
+
+	* kdc/pkinit.c (_kdc_pk_rd_padata): accept both pkcs-7 and
+	pkauthdata as the signeddata oid
 	
-2003-05-05  Assar Westerlund  <assar@kth.se>
+	* kdc/pkinit.c (_kdc_pk_rd_padata): Try to log what went wrong.
 
-	* include/make_crypto.c (main): include aes.h if ENABLE_AES
+2007-06-05  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/pkinit.c: Use oid_id_pkcs7_data for pkinit-9 encKey reply to
+	match windows DC behavior better.
+	
+2007-06-04  Love Hörnquist Åstrand  <lha@it.su.se>
 
-2003-05-05  Love Hörnquist Åstrand  <lha@it.su.se>
+	* configure.in: use test for -framework Security
 
-	* NEWS: 1.108->1.110: fix text about gssapi compat
+	* appl/test/uu_server.c: Print status to stdout.
+
+	* kdc/digest.c (digest ntlm): provide log entires by setting ret
+	to an error.
 	
-2003-04-28  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-06-03  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* kdc/v4_dump.c: 1.4->1.5: (v4_prop_dump): limit strings length,
-	from openbsd
+	* doc/hx509.texi: Indent crl-sign.
 
-2003-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
+	* doc/hx509.texi: One more crl-sign example.
 
-	* doc/programming.texi: 1.2-1.3: s/managment/management/, from jmc
-	<jmc@prioris.mini.pw.edu.pl>
+	* lib/krb5/test_princ.c: plug memory leaks.
 
-2003-04-22  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/pac.c: plug memory leaks.
 
-	* lib/krb5/krbhst.c: 1.43->1.44: copy NUL too, from janj@wenf.org
-	via openbsd
+	* lib/krb5/test_pac.c: plug memory leaks.
 
-2003-04-17  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/test_prf.c: plug memory leak.
 
-	* lib/asn1/der_copy.c (copy_general_string): use strdup
-	* lib/asn1/der_put.c: remove sprintf
-	* lib/asn1/gen.c: remove strcpy/sprintf
-	
-	* lib/krb5/name-45-test.c: use a more unique name then ratatosk so
-	that other (me) have such hosts in the local domain and the tests
-	fails, to take hokkigai.pdc.kth.se instead
-	
-	* lib/krb5/test_alname.c: add --version and --help
+	* lib/krb5/test_cc.c: plug memory leaks.
+
+	* doc/hx509.texi: Simple blob about publishing CRLs.
+
+	* doc/win2k.texi: drop text about enctypes.
 	
-2003-04-16  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-06-02  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* lib/krb5/krb5_warn.3: add krb5_get_err_text
+	* kdc/pkinit.c: In case of OCSP verification failure, referash
+	every 5 min. In case of success, refreash 2 min before expiring or
+	faster.
 	
-	* lib/krb5/transited.c: use strlcat/strlcpy, from openbsd
-	* lib/krb5/krbhst.c (srv_find_realm): use strlcpy, from openbsd
-	* lib/krb5/aname_to_localname.c (krb5_aname_to_localname): use
-	strlcpy, from openbsd
-	* kdc/hpropd.c: s/strcat/strlcat/, inspired from openbsd
-	* appl/kf/kfd.c: use strlcpy, from openbsd
+2007-05-31  Love Hörnquist Åstrand  <lha@it.su.se>
 	
-2003-04-16  Johan Danielsson  <joda@pdc.kth.se>
+	* lib/krb5/krb5_err.et: add error 68, WRONG_REALM
+
+	* kdc/pkinit.c: Handle the ms san in a propper way, still cheat
+	with the realm name.
+
+	* kdc/kerberos5.c: If _kdc_pk_check_client failes, bail out
+	directly and hand the error back to the client.
 
-	* configure.in: fix for large file support in AIX, _LARGE_FILES
-	needs to be defined on the command line, since lex likes to
-	include stdio.h before we get to config.h
+	* lib/krb5/krb5_err.et: Add missing REVOCATION_STATUS_UNAVAILABLE
+	and fix error message for CLIENT_NAME_MISMATCH.
 
-2003-04-16  Love Hörnquist Åstrand  <lha@it.su.se>
+	* kdc/pkinit.c: More logging for pk-init client mismatch.
+
+	* kdc/kerberos5.c: Also add a KRB5_PADATA_PK_AS_REQ_WIN for
+	windows pk-init (-9) to make MIT clients happy.
 	
-	* lib/krb5/*.3: Change .Fd #include <header.h> to .In header.h,
-	from Thomas Klausner <wiz@netbsd.org>
+2007-05-30  Love Hörnquist Åstrand  <lha@it.su.se>
 	
-	* lib/krb5/krb5.conf.5: spelling, from Thomas Klausner
-	<wiz@netbsd.org>
+	* kdc/pkinit.c: Force des3 for win2k.
+
+	* kdc/pkinit.c: Add wrapping to ContentInfo wrapping to
+	COMPAT_WIN2K.
 
-2003-04-15  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/keytab_keyfile.c: Spelling.
 
-	* kdc/kerberos5.c: fix some more memory leaks
+	* kdc/pkinit.c: Allow matching by MS UPN SAN, note that this delta
+	doesn't deal with case of realm.
 	
-2003-04-11  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-05-16  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* appl/kf/kf.1: spelling, from jmc <jmc@prioris.mini.pw.edu.pl>
+	* lib/krb5/crypto.c (krb5_crypto_overhead): return static overhead
+	of encryption.
+	
+2007-05-10  Dave Love  <fx@gnu.org>
 	
-2003-04-08  Love Hörnquist Åstrand  <lha@it.su.se>
+	* doc/win2k.texi: Update some URLs.
 
-	* admin/ktutil.8: typos, from jmc <jmc@acn.waw.pl>
+2007-05-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kuser/kimpersonate.c: Fix version number of ticket, it should be
+	5 not the kvno.
 	
-2003-04-06  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-05-08  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* lib/krb5/krb5.3: s/kerberos/Kerberos/
-	* lib/krb5/krb5_data.3: s/kerberos/Kerberos/
-	* lib/krb5/krb5_address.3: s/kerberos/Kerberos/
-	* lib/krb5/krb5_ccache.3: s/kerberos/Kerberos/
-	* lib/krb5/krb5.conf.5: s/kerberos/Kerberos/
-	* kuser/kinit.1: s/kerberos/Kerberos/
-	* kdc/kdc.8: s/kerberos/Kerberos/
+	* doc/setup.texi: Salting is really Encryption types and salting.
+	
+2007-05-07  Love Hörnquist Åstrand  <lha@it.su.se>
 	
-2003-04-01  Love Hörnquist Åstrand  <lha@it.su.se>
+	* doc/setup.texi: spelling, from Ronny Blomme
 
-	* lib/krb5/test_alname.c: more krb5_aname_to_localname tests
+	* doc/win2k.texi: Fix ksetup /SetComputerPassword, from Ronny
+	Blomme
 	
-	* lib/krb5/aname_to_localname.c (krb5_aname_to_localname): when
-	converting too root, make sure user is ok according to
-	krb5_kuserok before allowing it.
+2007-05-02  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* lib/krb5/Makefile.am (noinst_PROGRAMS): += test_alname
+	* lib/hdb/dbinfo.c (hdb_get_dbinfo) If there are no database
+	specified, create one and let it use the defaults.
 	
-	* lib/krb5/test_alname.c: add test for krb5_aname_to_localname
+2007-04-27  Love Hörnquist Åstrand  <lha@it.su.se>
 	
-	* lib/krb5/crypto.c (krb5_DES_AFS3_CMU_string_to_key): used p1
-	instead of the "illegal" salt #~, same change as kth-krb did
-	1999. Problems occur with crypt() that behaves like AT&T crypt
-	(openssl does this). Pointed out by Marcus Watts.
+	* lib/hdb/test_dbinfo.c: test acl file
 
-	* admin/change.c (kt_change): collect all principals we are going
-	to change, and pick the highest kvno and use that to guess what
-	kvno the resulting kvno is going to be. Now two ktutil change in a
-	row works. XXX fix the protocol to pass the kvno back.
+	* lib/hdb/test_dbinfo.c: test acl file
+
+	* lib/hdb/dbinfo.c: add acl file
+
+	* etc: ignore Makefile.in
+
+	* Makefile.am: SUBDIRS += etc
+
+	* configure.in: Add etc/Makefile.
+
+	* etc/Makefile.am: make sure services.append is distributed
+
+2007-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc: rename windc_init to krb5_kdc_windc_init
+
+	* kdc/version-script.map: version script for libkdc
+	
+	* kdc/Makefile.am: version script for libkdc
 	
-2003-03-31  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-04-23  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* appl/kf/kf.1: afs->AFS, from jmc <jmc@acn.waw.pl>
+	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_get_error):
+	correct the order of the arguments.
+
+	* lib/hdb/Makefile.am: Add and test dbinfo.
+
+	* lib/hdb/hdb.h: Forward declaration for struct hdb_dbinfo;
+
+	* kdc/config.c: Use krb5_kdc_get_config and just fill in what the
+	users wanted differently.
+
+	* kdc/default_config.c: Make the default configuration fetch info
+	from the krb5.conf.
 	
-2003-03-30  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-04-22  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* doc/setup.texi: add description on how to turn on v4, 524 and
-	kaserver support
+	* lib/krb5/store.c (krb5_store_creds_tag): use session.keytype to
+	determine if to send the session-key, for the second place in the
+	function.
 
-2003-03-29  Love Hörnquist Åstrand  <lha@it.su.se>
+	* tools/krb5-config.in: rename des to hcrypto
 
-	* lib/krb5/verify_krb5_conf.c (appdefaults_entries): add afslog
-	and afs-use-524
+	* kuser/Makefile.am: depend on libheimntlm
 
-2003-03-28  Love Hörnquist Åstrand  <lha@it.su.se>
+	* kuser/kinit.c: Add --ntlm-domain that store the ntlm cred for
+	this domain if the Kerberos password auth worked.
 
-	* kdc/kerberos5.c (as_rep): when the second enctype_to_string
-	failes, remember to free memory from the first enctype_to_string
+	* kuser/klist.c: add new option --hidden that doesn't display
+	principal that starts with @
 
-	* lib/krb5/crypto.c (usage2arcfour): map KRB5_KU_TICKET to 2,
-	from Harald Joerg <harald.joerg@fujitsu-siemens.com>
-	(enctype_arcfour_hmac_md5): disable checksum_hmac_md5_enc
+	* tools/krb5-config.in: Add heimntlm when we use gssapi.
 
-	* lib/hdb/mkey.c (hdb_unseal_keys_mkey): truncate key to the key
-	length when key is longer then expected length, its probably
-	longer since the encrypted data was padded, reported by Aidan
-	Cully <aidan@kublai.com>
+	* lib/krb5/krb5_ccache.3 (krb5_cc_retrieve_cred): document what to
+	free 'cred' with.
 
-	* lib/krb5/crypto.c (krb5_enctype_keysize): return key size of
-	encyption type, inspired by Aidan Cully <aidan@kublai.com>
+	* lib/krb5/cache.c (krb5_cc_retrieve_cred): document what to free
+	'cred' with.
 	
-2003-03-27  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-04-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/store.c (krb5_store_creds_tag): use session.keytype to
+	determine if to send the session-key.
 
-	* lib/krb5/keytab.c (krb5_kt_get_entry): avoid printing 0
-	(wildcard kvno) after principal when the keytab entry isn't found,
-	reported by Chris Chiappa <chris@chiappa.net>
+	* kcm/client.c (kcm_ccache_new_client): make root be able to pass
+	the name constraints, not the opposite. From Bryan Jacobs.
 	
-2003-03-26  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-04-20  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* doc/misc.texi: update 2b example to match reality (from
-	mattiasa@e.kth.se)
+	* kcm/acl.c: make compile again.
 
-	* doc/misc.texi: spelling and add `Configuring AFS clients'
-	subsection
+	* kcm/client.c: fix warning.
+	
+	* kcm: First, it allows root to ignore the naming conventions.
+	Second, it allows root to always perform any operation on any
+	ccache.  Note that root could do this anyway with FILE ccaches.
+	From Bryan Jacobs.
 
-2003-03-25  Love Hörnquist Åstrand  <lha@it.su.se>
+	* Rename libdes to libhcrypto.
 
-	* lib/krb5/krb5.3: add krb5_free_data_contents.3
-	
-	* lib/krb5/data.c: add krb5_free_data_contents for compat with MIT
-	API
+2007-04-19  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* lib/krb5/krb5_data.3: add krb5_free_data_contents for compat
-	with MIT API
+	* kinit: remove code that depend on kerberos 4 library
 	
-	* lib/krb5/krb5_verify_user.3: write more about how the ccache
-	argument should be inited when used
+	* kdc: remove code that depend on kerberos 4 library
 	
-2003-03-25  Johan Danielsson  <joda@pdc.kth.se>
+	* configure.in: Drop kerberos 4 support.
 
-	* lib/krb5/addr_families.c (krb5_print_address): make sure
-	print_addr is defined for the given address type; make addrports
-	printable
+	* kdc/hpropd.c (main): free the message when done with it.
 
-	* kdc/string2key.c: print the used enctype for kerberos 5 keys
+	* lib/krb5/pkinit.c (_krb5_get_init_creds_opt_free_pkinit):
+	remember to free memory too.
 
-2003-03-25  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/pkinit.c (pk_rd_pa_reply_dh): free content-type when
+	done.
 
-	* lib/krb5/aes-test.c: add another arcfour test
+	* configure.in: test rk_VERSIONSCRIPT
 	
-2003-03-22  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-04-18  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* lib/krb5/aes-test.c: sneek in a test for arcfour-hmac-md5
-	
-2003-03-20  Love Hörnquist Åstrand  <lha@it.su.se>
-	
-	* lib/krb5/krb5_ccache.3: update .Dd
+	* fix-export: remove, all done by make dist now
 
-	* lib/krb5/krb5.3: sort in krb5_data functions
+2007-04-15  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* lib/krb5/Makefile.am (man_MANS): += krb5_data.3
+	* lib/krb5/krb5_get_credentials.3: spelling, from Jason McIntyre
 
-	* lib/krb5/krb5_data.3: document krb5_data
+2007-04-11  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): if
-	prompter is NULL, don't try to ask for a password to
-	change. reported by Iain Moffat @ ufl.edu via Howard Chu
-	<hyc@highlandsun.com>
+	* kdc/kstash.8: Spelling, from raga <raga@comcast.net> 
+	via Bjorn Sandell.
 
-2003-03-19  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/store_mem.c: indent.
 
-	* lib/krb5/krb5_keytab.3: spelling, from
-	<jmc@prioris.mini.pw.edu.pl>
+	* lib/krb5/recvauth.c: Set error string.
 
-	* lib/krb5/krb5.conf.5: . means new line
-	
-	* lib/krb5/krb5.conf.5: spelling, from
-	<jmc@prioris.mini.pw.edu.pl>
+	* lib/krb5/rd_req.c: clear error strings.
 
-	* lib/krb5/krb5_auth_context.3: spelling, from
-	<jmc@prioris.mini.pw.edu.pl>
+	* lib/krb5/rd_cred.c: clear error string.
 
-2003-03-18  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/pkinit.c: Set error strings.
 
-	* kuser/Makefile.am: INCLUDES: -I$(srcdir)/../lib/krb5
+	* lib/krb5/get_cred.c: Tell what principal we are not finding for
+	all KRB5_CC_NOTFOUND.
 	
-	* lib/krb5/convert_creds.c: add _krb5_krb_life_to_time
+2007-02-22  Love Hörnquist Åstrand  <lha@it.su.se>
 	
-	* lib/krb5/krb5-v4compat.h: add _krb5_krb_life_to_time
+	* kdc/kerberos5.c: Return the same error codes as a windows KDC.
 
-	* kdc/kdc_locl.h: 524 is independent of kerberos 4, so move out
-	#ifdef KRB4 from enable_v4_cross_realm since 524 needs it
+	* kuser/kinit.c: KRB5KDC_ERR_PREAUTH_FAILED is also a password
+	failed.
 	
-	* kdc/config.c: 524 is independent of kerberos 4, so move out
-	enable_v4_cross_realm from #ifdef KRB4 since 524 needs it
-	
-2003-03-17  Assar Westerlund  <assar@kth.se>
+	* kdc/kerberos5.c: Make handling of replying e_data more generic,
+	from metze.
 
-	* kdc/kdc.8: document --kerberos4-cross-realm
-	* kdc/kerberos4.c: pay attention to enable_v4_cross_realm
-	* kdc/kdc_locl.h (enable_v4_cross_realm): add
-	* kdc/524.c (encode_524_response): check the enable_v4_cross_realm
-	flag before giving out v4 tickets for foreign v5 principals
-	* kdc/config.c: add --enable-kerberos4-cross-realm option (default
-	to off)
+	* kdc/kerberos5.c: Fix (string const and shadow) warnings, from
+	metze.
 
-2003-03-17  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/pac.c: Create the PAC element in the same order as
+	w2k3, maybe there's some broken code in windows which relies on
+	this... From metze.
 
-	* lib/krb5/Makefile.am (man_MANS) += krb5_aname_to_localname.3
+	* kdc/kerberos5.c: Select a session enctype from the list of the
+	crypto systems supported enctype, is supported by the client and
+	is one of the enctype of the enctype of the krbtgt.
+	
+	The later is used as a hint what enctype all KDC are supporting to
+	make sure a newer version of KDC wont generate a session enctype
+	that and older version of a KDC in the same realm can't decrypt.
+	
+	But if the KDC admin is paranoid and doesn't want to have "no the
+	best" enctypes on the krbtgt, lets save the best pick from the
+	client list and hope that that will work for any other KDCs.
 	
-	* lib/krb5/krb5_aname_to_localname.3: manpage for
-	krb5_aname_to_localname
+	Reported by metze.
 
-	* lib/krb5/krb5_kuserok.3: s/KRB5_USEROK/KRB5_KUSEROK/
+	* kdc/hprop.c (propagate_database): on any failure, drop the
+	connection to the peer and try next one.
 	
-2003-03-16  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-02-18  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* lib/krb5/Makefile.am (man_MANS): add krb5_set_default_realm.3
+	* lib/krb5/krb5_get_init_creds.3: document new options.
 
-	* lib/krb5/krb5.3: add manpages from krb5_set_default_realm.3
+	* kdc/krb5tgs.c: Only check service key for cross realm PACs.
 
-	* lib/krb5/krb5_set_default_realm.3: Manpage for
-	krb5_free_host_realm, krb5_get_default_realm,
-	krb5_get_default_realms, krb5_get_host_realm, and
-	krb5_set_default_realm.
+	* lib/krb5/init_creds.c: use the new merged flags field.
+	(krb5_get_init_creds_opt_set_win2k): new function, turn on all w2k
+	compat flags.
 
-	* admin/ktutil.8: s/entype/enctype/, from Igor Sobrado
-	<sobrado@acm.org> via NetBSD
+	* lib/krb5/init_creds_pw.c: use the new merged flags field.
 
-	* lib/krb5/krb5_keytab.3: add documention for krb5_kt_get_type
+	* lib/krb5/krb5_locl.h: merge all flags into one entity
 	
-	* lib/krb5/keytab.c (krb5_kt_get_type): get prefix/type of keytab
+2007-02-11  Dave Love  <fx@gnu.org>
 	
-	* lib/krb5/krb5.h (KRB5_KT_PREFIX_MAX_LEN): max length of prefix
+	* lib/krb5/krb5_aname_to_localname.3: Small fixes
 	
-	* lib/krb5/krb5_ccache.3: document krb5_cc_get_ops, add more
-	types, add krb5_fcc_ops and krb5_mcc_ops
+	* lib/krb5/krb5_digest.3: Small fixes
 	
-	* lib/krb5/cache.c (krb5_cc_get_ops): new function, return ops for
-	a id
+	* kuser/kimpersonate.1: Small fixes
 
-2003-03-15  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-02-17  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* doc/intro.texi: add reference to source code, binaries and the
-	manual
+	* lib/krb5/init_creds_pw.c (find_pa_data): if there is no list,
+	there is no entry.
 
-	* lib/krb5/krb5.3: krb5.h isn't in krb5 directory in heimdal
-	
-2003-03-14  Love Hörnquist Åstrand  <lha@it.su.se>
+	* kdc/krb5tgs.c: Don't check PACs on cross realm requests.
+
+	* lib/krb5/krb5.h: add KRB5_KU_CANONICALIZED_NAMES.
 
-	* kdc/kdc.8: better/difrent english
+	* lib/krb5/init_creds_pw.c: Verify client referral data.
 
-	* kdc/kdc.8: . -> .\n, copyright/license
+	* kdc/kerberos5.c: switch some "return ret" to "goto out".
 	
-	* kdc/kdc.8: changed configuration file -> restart kdc
+	* kdc/kerberos5.c: Pass down canonicalize request to hdb layer,
+	sign client referrals.
+	
+	* lib/hdb/hdb.h: Add HDB_F_CANON.
+
+	* lib/hdb: add simple alias support to the database backends
 
-	* kdc/kerberos4.c: add krb4 into the most error messages written
-	to the logfile
+2007-02-16  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* lib/krb5/krb5_ccache.3: add missing name of argument
-	(krb5_context) to most functions
+	* kuser/kinit.c: Add canonicalize flag.
 
-2003-03-13  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/init_creds_pw.c: Use EXTRACT_TICKET_* flags, support
+	canonicalize.
 
-	* lib/krb5/kuserok.c (krb5_kuserok): preserve old behviour of
-	function and return FALSE when there isn't a local account for
-	`luser'.
+	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_canonicalize):
+	new function.
+	
+	* lib/krb5/get_cred.c: Use EXTRACT_TICKET_* flags.
 
-	* lib/krb5/krb5_kuserok.3: fix prototype, spelling and more text
-	describing the function
+	* lib/krb5/get_in_tkt.c: Use EXTRACT_TICKET_* flags.
 
-2003-03-12  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/krb5_locl.h: Add EXTRACT_TICKET_* flags.
+	
+2007-02-15  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* lib/krb5/cache.c (krb5_cc_default): if krb5_cc_default_name
-	returned memory, don't return ENOMEM
+	* lib/krb5/test_princ.c: test parsing enterprise-names.
 
-2003-03-11  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/principal.c: Add support for parsing enterprise-names.
 
-	* lib/krb5/krb5.3: add krb5_address stuff and sort
+	* lib/krb5/krb5.h: Add KRB5_PRINCIPAL_PARSE_ENTERPRISE.
+
+	* lib/hdb/hdb-ldap.c: Make work again.
 	
-	* lib/krb5/krb5_address.3: fix krb5_addr2sockaddr description
+2007-02-11  Dave Love  <fx@gnu.org>
+
+	* kcm/client.c (kcm_ccache_new_client): Cast snprintf'ed value.
 	
-	* lib/krb5/Makefile.am (man_MANS): += krb5_address.3
+2007-02-10  Love Hörnquist Åstrand  <lha@it.su.se>
 	
-	* lib/krb5/krb5_address.3: document types krb5_address and
-	krb5_addresses and their helper functions
+	* doc/setup.texi: prune trailing space
 
-2003-03-10  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/hdb/db.c: Be better at setting and clearing error string.
 
-	* lib/krb5/Makefile.am (man_MANS): += krb5_kuserok.3
+	* lib/hdb/hdb.c: Be better at setting and clearing error string.
 
-	* lib/krb5/krb5_kuserok.3: spelling, from cizzi@it.su.se
+2007-02-09  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* lib/krb5/Makefile.am (man_MANS): += krb5_ccache.3
+	* lib/krb5/keytab.c (krb5_kt_get_entry): Use krb5_kt_get_full_name
+	to print out the keytab name.
 
-	* lib/krb5/krb5_ccache.3: spelling, from cizzi@it.su.se
+	* doc/setup.texi: Spelling, from Guido Guenther
 	
-	* lib/krb5/krb5.3: add more functions
+2007-02-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/rd_cred.c: Plug memory leak, from Michael B Allen.
+
+2007-02-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/test_store.c (test_uint16): unsigned ints can't be
+	negative
 	
-	* lib/krb5/krb5_ccache.3: document krb5_ccache and krb5_cc
-	functions
+2007-02-03  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* lib/krb5/krb5_kuserok.3: document krb5_kuserok
+	* kdc/pkinit.c: pass extra flags for detached signatures.
+
+	* lib/krb5/pkinit.c: pass extra flags for detached signatures.
+
+	* kdc/digest.c: Remove debug output.
+
+	* kuser/kdigest.c: Add support for ms-chap-v2 client.
 	
-	* lib/krb5/krb5_verify_user.3: document
-	krb5_verify_opt_set_flags(opt, KRB5_VERIFY_LREALMS) behavior
+2007-02-02  Love Hörnquist Åstrand  <lha@it.su.se>
+		
+	* kdc/digest.c: Fix ms-chap-v2 get_masterkey
+
+	* kdc/digest.c: Fix ms-chap-v2 mutual response auth code.
+
+	* kuser/kdigest.c: Print session key if there is one.
 
-	* lib/krb5/krb5_verify_user.3: document krb5_verify_opt* and
-	krb5_verify_user_opt
+	* lib/krb5/digest.c: rename hash-a1 to session key
 
-	* lib/krb5/*.[0-9]: add copyright/licenses on more manpages
+	* kdc/digest.c: Add get_master from RFC 3079 3.4 for MS-CHAP-V2
 
-	* kuser/kdestroy.c (main): handle that krb5_cc_default_name can
-	return NULL
+	* kuser/kdigest.c: print rsp if there is one, from Klas.
 
-	* lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump minor
-	(TESTS): add test_cc
+	* kdc/digest.c: Use right size, from Klas Lindfors.
 
-	* lib/krb5/test_cc.c: test some
-	krb5_cc_default_name/krb5_cc_set_default_name combinations
+	* kuser/kdigest.c: Set client nonce if avaible, from Klas.
+
+	* kdc/digest.c: First version from kllin.
+
+	* kuser/kdigest.c: Don't restrict the type.
+	
+2007-02-01  Love Hörnquist Åstrand  <lha@it.su.se>
 	
-	* lib/krb5/context.c (init_context_from_config_file): set
-	default_cc_name to NULL
-	(krb5_free_context): free default_cc_name if set
+	* kuser/kdigest-commands.in: add --client-response
+
+	* kuser/kdigest.c: Print status instead of response.
+
+	* kdc/digest.c: Better logging and return status = FALSE when
+	checksum doesn't match.
 
-	* lib/krb5/cache.c (krb5_cc_set_default_name): new function
-	(krb5_cc_default_name): use krb5_cc_set_default_name
+	* kdc/digest.c: Check the digest response in the KDC.
 
-	* lib/krb5/krb5.h (krb5_context_data): add default_cc_name
+	* lib/krb5/digest.c: New functions to send in requestResponse to
+	KDC and get status of the request.
+
+	* kdc/digest.c: Add support for MS-CHAP v2.
+
+	* lib/hdb/hdb-ldap.c: Set hdb->hdb_db for ldap.
 	
-2003-02-25  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-01-31  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* appl/kf/kf.1: s/securly/securely/ from NetBSD
+	* fix-export: Make hx509.info too
+
+	* kdc/digest.c: don't verify identifier in CHAP, its the client
+	that chooses it.
 	
-2003-02-18  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-01-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/Makefile.am: Basic test of prf.
 
-	* kdc/connect.c: s/intialize/initialize, from
-	<jmc@prioris.mini.pw.edu.pl>
+	* lib/krb5/test_prf.c: Basic test of prf.
 
-2003-02-17  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/mit_glue.c: Add MIT glue for Kerberos RFC 3961 PRF
+	functions.
 
-	* configure.in: add AM_MAINTAINER_MODE
+	* lib/krb5/crypto.c: Add Kerberos RFC 3961 PRF functions.
+
+	* lib/krb5/krb5_data.3: Document krb5_data_cmp.
+
+	* lib/krb5/data.c: Add krb5_data_cmp.
+	
+2007-01-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kx509.c: Don't use C99 syntax.
+	
+2007-01-17  Love Hörnquist Åstrand  <lha@it.su.se>
 	
-2003-02-16  Love Hörnquist Åstrand  <lha@it.su.se>
+	* configure.in: its LIBADD_roken (and shouldn't really exist, our
+	libtool usage it broken)
 
-	* **/*.[0-9]: add copyright/licenses on all manpages
+	* configure.in: Add an extra variable for roken, LIBADD, that
+	should be used for library depencies.
 
-2003-14-16  Jacques Vidrine  <nectar@kth.se>
+	* lib/krb5/send_to_kdc.c (krb5_sendto): zero out receive buffer.
 
-	* lib/krb5/get_in_tkt.c (init_as_req): Send only a single
-	PA-ENC-TIMESTAMP in the AS-REQ, using the first encryption
-	type specified by the KDC.
+	* lib/krb5/krb5_init_context.3: fix mdoc errors
 
-2003-02-15  Love Hörnquist Åstrand  <lha@it.su.se>
+	* Heimdal 0.8 branch cut today
 
-	* fix-export: some autoconf put their version number in
-	autom4te.cache, so remove autom4te*.cache
+	* doc/hx509.texi: Spelling and more about proxy certificates.
+
+	* configure.in: check for arc4random
 	
-	* fix-export: make sure $1 is a directory
+2007-01-16  Love Hörnquist Åstrand  <lha@it.su.se>
 	
-2003-02-04  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/send_to_kdc.c (krb5_sendto): zero receive krb5_data
+	before starting
 
-	* kpasswd/kpasswdd.8: spelling, from jmc <jmc@prioris.mini.pw.edu.pl>
+	* tools/heimdal-build.sh: make cvs keep quiet
 
-	* kdc/kdc.8: spelling, from jmc <jmc@prioris.mini.pw.edu.pl>
+	* kuser/kverify.c: Use argument as principal if passed an
+	argument. Bug report from Douglas E. Engert
+	
+2007-01-15  Love Hörnquist Åstrand  <lha@it.su.se>
 	
-2003-01-31  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/rd_req.c (krb5_rd_req_ctx): The code failed to consider
+	the enc_tkt_in_skey case, from Douglas E. Engert.
+
+	* kdc/kx509.c: Issue certificates.
 
-	* kdc/hpropd.8: s/databases/a database/ s/Not/not/
+	* kdc/config.c: Parse kx509/kca configuration.
 
-	* kdc/hprop.8: add missing .
+	* kdc/kdc.h: add kx509 config
 	
-2003-01-30  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-01-14  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/kerberos5.c (_kdc_find_padata): if there is not padata,
+	there is nothing find.
+
+	* doc/hx509.texi: Examples for pk-init.
 
-	* lib/krb5/krb5.conf.5: documentation for of boolean, etypes,
-	address, write out encryption type in sentences, s/Host/host
+	* doc/hx509.texi: About extending ca lifetime and sub cas.
 	
-2003-01-26  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-01-13  Love Hörnquist Åstrand <lha@it.su.se>
+	
+	* doc/hx509.texi: More about certificates.
+	
+2007-01-12  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* lib/asn1/check-gen.c: add checks for Authenticator too
+	* doc/hx509.texi: add Application requirements and write about
+	xmpp/jabber.
 	
-2003-01-25  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-01-11  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* doc/setup.texi: in the hprop example, use hprop and the first
-	component, not host
+	* doc/hx509.texi: More about issuing certificates.
 
-	* lib/krb5/get_addrs.c (find_all_addresses): address-less
-	point-to-point might not have an address, just ignore
-	those. Reported by Harald Barth.
+	* doc/hx509.texi: Start of a x.509 manual.
 
-2003-01-23  Love Hörnquist Åstrand  <lha@it.su.se>
+	* include/Makefile.am: remove install headerfiles
 
-	* lib/krb5/verify_krb5_conf.c (check_section): when key isn't
-	found, don't print out all known keys
+	* lib/krb5/test_pac.c: Use more interesting data to cause more
+	errors.
 
-	* lib/krb5/verify_krb5_conf.c (syslogvals): mark up where severity
-	and facility start resp
-	(check_log): find_value() returns -1 when key isn't found
+	* include/Makefile.am: remove install headerfiles
 
-	* lib/krb5/crypto.c (_krb5_aes_cts_encrypt): make key argument a
-	'const void *' to avoid AES_KEY being exposed in krb5-private.h
-	
-	* lib/krb5/krb5.conf.5: add [kdc]use_2b
+	* lib/krb5/mcache.c: MCC_CURSOR not used, remove.
 
-	* kdc/524.c (encode_524_response): its 2b not b2
-	
-	* doc/misc.texi: quote @ where missing
+	* lib/krb5/crypto.c: macro kcrypto_oid_enc now longer used
+
+	* lib/krb5/rd_safe.c (krb5_rd_safe): set length before trying to
+	allocate data
 	
-	* lib/asn1/Makefile.am: add check-gen
+2007-01-10  Love Hörnquist Åstrand  <lha@it.su.se>
 	
-	* lib/asn1/check-gen.c: add Principal check
+	* doc/setup.texi: Hint about hxtool validate.
+
+	* appl/test/uu_server.c: print both "server" and "client"
+
+	* kdc/krb5tgs.c: Rename keys to be more obvious what they do.
+
+	* kdc/kerberos5.c: Use other keys to sign PAC with. From Andrew
+	Bartlett
 	
-	* lib/asn1/check-common.h: move generic asn1/der functions from
-	check-der.c to here
+	* kdc/windc.c: ident, spelling.
+
+	* kdc/windc_plugin.h: indent.
 
-	* lib/asn1/check-common.c: move generic asn1/der functions from
-	check-der.c to here
+	* kdc/krb5tgs.c: Pass down server entry to verify_pac function.
+	from Andrew Bartlett
 
-	* lib/asn1/check-der.c: move out the generic asn1/der functions to
-	a common file
+	* kdc/windc.c: pass down server entry to verify_pac function, from
+	Andrew Bartlett
 
-2003-01-22  Love Hörnquist Åstrand  <lha@it.su.se>
+	* kdc/windc_plugin.h: pass down server entry to verify_pac
+	function, from Andrew Bartlett
 
-	* doc/misc.texi: more text about afs, how to get get your KeyFile,
-	and how to start use 2b tokens
+	* configure.in: Provide a automake symbol ENABLE_SHARED if shared
+	libraries are built.
 
-	* lib/krb5/krb5.conf.5: spelling, from Jason McIntyre
-	<jmc@cvs.openbsd.org>
+	* lib/krb5/rd_req.c (krb5_rd_req_ctx): Use the correct keyblock
+	when verifying the PAC.  From Andrew Bartlett.
 	
-2003-01-21  Jacques Vidrine  <nectar@kth.se>
+2007-01-09  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* kuser/kuser_locl.h: include crypto-headers.h for
-	des_read_pw_string prototype
+	* lib/krb5/test_pac.c: move around to code test on real PAC.
 
-2003-01-16  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/pac.c: A tiny 2 char diffrence that make the code work
+	for real.
 
-	* admin/ktutil.8: document -v, --verbose
+	* lib/krb5/test_pac.c: Test more PAC (note that the values used in
+	this test is wrong, they have to be fixed when the pac code is
+	fixed).
 
-	* admin/get.c (kt_get): make getarg usage consistent with other
-	other parts of ktutil
+	* doc/setup.texi: Update to new hxtool issue-certificate usage
 
-	* admin/copy.c (kt_copy): remove adding verbose_flag to args
-	struct, since it will overrun the args array (from Sumit Bose)
+	* lib/krb5/init_creds_pw.c: Make sure we don't sent both ENC-TS
+	and PK-INIT pa data, no need to expose our password protecting our
+	PKCS12 key.
+
+	* kuser/klist.c (print_cred_verbose): include ticket length in the
+	verbose output
+	
+2007-01-08  Love Hörnquist Åstrand  <lha@it.su.se>
 	
-2003-01-15  Love Hörnquist Åstrand  <lha@it.su.se>
+	* lib/krb5/acache.c (loadlib): pass RTLD_LAZY to dlopen, without
+	it linux is unhappy.
 
-	* lib/krb5/krb5.conf.5: write more about [realms] REALM = { kdc =
-	... }
+	* lib/krb5/plugin.c (loadlib): pass RTLD_LAZY to dlopen, without
+	it linux is unhappy.
 
-	* lib/krb5/aes-test.c: test vectors in aes-draft
-	
-	* lib/krb5/Makefile.am: add aes-test.c
+	* lib/krb5/name-45-test.c: One of the hosts I sometimes uses is
+	named "bar.domain", this make one of the tests pass when it
+	shouldn't.
 
-	* lib/krb5/crypto.c: Add support for AES
-	(draft-raeburn-krb-rijndael-krb-02), not enabled by default.
-	(HMAC_SHA1_DES3_checksum): rename to SP_HMAC_SHA1_checksum and modify
-	to support checksumtype that are have a shorter wireformat then
-	their output block size.
-	
-	* lib/krb5/crypto.c (struct encryption_type): split the blocksize
-	into blocksize and padsize, padsize is the minimum padding
-	size. they are the same for now
-	(enctype_*): add padsize
-	(encrypt_internal): use padsize
-	(encrypt_internal_derived): use padsize
-	(wrapped_length): use padsize
-	(wrapped_length_dervied): use padsize
+2007-01-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/setup.texi: Change --key argument to --out-key.
 
-	* lib/krb5/crypto.c: add extra `opaque' argument to string_to_key
-	function for each enctype in preparation enctypes that uses
-	`Encryption and Checksum Specifications for Kerberos 5' draft
+	* kuser/kimpersonate.1: mangle my name
 	
-	* lib/asn1/k5.asn1: add checksum and enctype for AES from
-	draft-raeburn-krb-rijndael-krb-02.txt
+2007-01-04  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* doc/setup.texi: describe how to use hx509 to create
+	certificates.
 
-	* lib/krb5/krb5.h (krb5_keytype): add KEYTYPE_AES128,
-	KEYTYPE_AES256
+	* tools/heimdal-build.sh: Add --distcheck.
 
-2003-01-14  Love Hörnquist Åstrand  <lha@it.su.se>
+	* kdc/kerberos5.c: Check for KRB5_PADATA_PA_PAC_REQUEST to check
+	if we should include the PAC in the krbtgt.
 
-	* lib/hdb/common.c (_hdb_fetch): handle error code from
-	hdb_value2entry
+	* kdc/pkinit.c (_kdc_as_rep): check if
+	krb5_generate_random_keyblock failes.
 
-	* kdc/Makefile.am: always include kerberos4.c and 524.c in
-	kdc_SOURCES to support 524
+	* kdc/kerberos5.c (_kdc_as_rep): check if
+	krb5_generate_random_keyblock failes.
 
-	* kdc/524.c: always compile in support for 524
-	
-	* kdc/kdc_locl.h: move out krb/524 protos from under #ifdef KRB4
+	* kdc/krb5tgs.c (tgs_build_reply): check if
+	krb5_generate_random_keyblock failes.
+
+	* kdc/krb5tgs.c: Scope etype.
+
+	* lib/krb5/rd_req.c: Make it possible to turn off PAC check, its
+	default on.
+
+	* lib/krb5/rd_req.c (krb5_rd_req_ctx): If there is a PAC, verify
+	its server signature.
+
+	* kdc/kerberos5.c (_kdc_as_rep): call windc client access hook.
+	(_kdc_tkt_add_if_relevant_ad): constify in data argument.
+
+	* kdc/windc_plugin.h: More comments add a client_access hook.
+
+	* kdc/windc.c: Add _kdc_windc_client_access.
+
+	* kdc/krb5tgs.c: rename functions after export some more pac
+	functions.
+
+	* lib/krb5/test_pac.c: export some more pac functions.
+
+	* lib/krb5/pac.c: export some more pac functions.
+
+	* kdc/krb5tgs.c: Resign the PAC in tgsreq if we have a PAC.
+
+	* configure.in: add tests/plugin/Makefile
 	
-	* kdc/config.c: always compile in support for 524
+2007-01-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/krb5tgs.c: Get right key for PAC krbtgt verification.
+
+	* kdc/config.c: spelling
+
+	* lib/krb5/krb5.h: typedef for krb5_pac.
+
+	* kdc/headers.h: Include <windc_plugin.h>.
+
+	* kdc/Makefile.am: Include windc.c and use windc_plugin.h
+
+	* kdc/krb5tgs.c: Call callbacks for emulating a Windows Domain
+	Controller.
+
+	* kdc/kerberos5.c: Call callbacks for emulating a Windows Domain
+	Controller.  Move the some of the log related stuff to its own
+	function.
+
+	* kdc/config.c: Init callbacks for emulating a Windows Domain
+	Controller.
+
+	* kdc/windc.c: Rename the init function to windc instead of pac.
+
+	* kdc/windc.c: Callbacks specific to emulating a Windows Domain
+	Controller.
+
+	* kdc/windc_plugin.h: Callbacks specific to emulating a Windows
+	Domain Controller.
+
+	* lib/krb5/Makefile.am: add krb5_HEADERS to build_HEADERZ
+
+	* lib/krb5/pac.c: Support all keyed checksum types.
 	
-	* kdc/connect.c: always compile in support for 524
+2007-01-02  Love Hörnquist Åstrand  <lha@it.su.se>
 	
-	* kdc/kerberos4.c: export encode_v4_ticket() and get_des_key()
-	even when we build without kerberos 4, 524 needs them
+	* lib/krb5/pac.c (krb5_pac_get_types): Return list of types.
 	
-	* lib/krb5/convert_creds.c, lib/krb5/krb5-v4compat.h: Split out
-	Kerberos 4 help functions/structures so other parts of the source
-	tree can use it (like the KDC)
+	* lib/krb5/test_pac.c: test krb5_pac_get_types
+
+	* lib/krb5/krbhst.c: Add KRB5_KRBHST_KCA.
+
+	* lib/krb5/krbhst.c: Add KRB5_KRBHST_KCA.
+
+	* lib/krb5/krb5.h: Add KRB5_KRBHST_KCA.
 
+	* lib/krb5/test_pac.c: test Add/remove pac buffer functions.
+
+	* lib/krb5/pac.c: Add/remove pac buffer functions.
+
+	* lib/krb5/pac.c: sprinkle const
+
+	* lib/krb5/pac.c: rename DCHECK to CHECK
+	
+	* Happy New Year.
diff --git a/crypto/heimdal/ChangeLog.2003 b/crypto/heimdal/ChangeLog.2003
new file mode 100644
index 0000000..8223351
--- /dev/null
+++ b/crypto/heimdal/ChangeLog.2003
@@ -0,0 +1,1795 @@
+2003-12-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/error_string.c: protect error_string with mutex
+	
+	* lib/krb5/context.c: allocate and destroy mutex in krb5_context
+	
+	* lib/krb5/krb5.h (krb5_context_data): add mutex for error_string
+	
+2003-12-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kuser/kinit.c: make -9 work again
+	
+2003-12-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/init_creds_pw.c: try handle ts preauth better, still
+	not good, but at least it work with older heimdal releases that
+	doesn't send back KRB5KDC_ERR_PREAUTH_REQUIRED when preauth was
+	sent
+
+2003-12-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/hdb.asn1: remove enforce-transited-policy, its no longer
+	used
+
+2003-12-11  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/krb5/pkinit.c (_krb5_pk_create_sign): fill in NULL as
+	parameters, required by CMS
+
+2003-12-07  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/krb5/get_in_tkt_with_keytab.c (krb5_get_in_tkt_with_keytab):
+	avoid memory leak that snuck in when krb5_keytab_key_proc was
+	exported, pointed out by Panases Inc
+	
+	* lib/krb5/keytab_file.c: do locking, found to be a problem for
+	Panasas Inc
+
+	* lib/krb5/fcache.c: internally export x{,un}lock and thus prefix
+	them with _krb5_
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): use
+	KRB5_AUTH_CONTEXT_DO_TIME if we want timestamp in forwarded
+	krb-cred
+
+	* lib/krb5/krb5_auth_context.3: some text about
+	krb5_auth_con_{add,remove}flags
+
+	* lib/krb5/auth_context.c: add krb5_auth_con_addflags and
+	krb5_auth_con_removeflags
+
+2003-12-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/crypto.c (decrypt_internal_derived): move up padsize to
+	avoid memory leak
+
+2003-12-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/crypto.c: require cipher-text to be padded to padsize
+	
+	* lib/krb5/eai_to_heim_errno.c: EAI_ADDRFAMILY and EAI_NODATA is
+	deprecated in RFC3493
+
+	* lib/krb5/verify_krb5_conf.c (check_host): don't check for
+	EAI_NODATA, because its depricated in RFC3493 Pointed out by
+	Hajimu UMEMOTO <ume@mahoroba.org> on heimdal-discuss
+
+2003-12-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/Makefile.am: move test_crypto to noinst_PROGRAMS
+	
+	* lib/krb5/test_crypto.c: add --version,--help
+	
+	* kuser/kinit.c (main): return the return value from simple_execvp
+	
+2003-11-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kuser/kinit.c: don't use PKINIT DH per default since its too
+	slow
+
+	* lib/krb5/pkinit.c: tweek to make pkinit work with the fact the
+	asn1_compile can't generate code for context tagless optionals
+	
+	* kdc/pkinit.c: add support for KDC side of DH PKINIT
+	
+	* lib/krb5/pkinit.c: clean up error handling, make enc-type work
+	again
+
+2003-11-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kuser/kinit.c: add flag to make it work with pkinit dh
+	
+	* lib/krb5/pkinit.c: make PKINIT DH support work
+	
+2003-11-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/Makefile.am (LDADD): link with LIB_dlopen
+	
+	* kdc/pkinit.c: clean up
+	
+	* lib/krb5/krb5.h: make pkinit_win2k_compatible into a flag field
+	
+	* lib/krb5/pkinit.c: remove most compile depencies clean up
+	
+	* kdc/pkinit.c: print an error and turn of pkinit if openssl
+	failed to load
+
+	* kdc/config.c: read pkinit (pki-mumble) configuration options
+	
+	* kdc/kerberos5.c: add pkinit support
+	
+	* kdc/kdc_locl.h: add prototypes for pkinit
+	
+	* kdc/pkinit.c: PKINIT patch from Daniel Kouril and Petr Holub, I
+	removed the dependency on valicert asn1 parser, remove smartcard
+	and globus support (for now). Work to be done on this: DH support,
+	Globus support, Smartcard support, windows support (MS implements
+	-09 of the draft), make it conform to the new draft
+	
+	* lib/krb5/pkinit.c: fix bugs, improve error reporting
+
+2003-11-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kuser/kinit.c: add some "struct foo;" glue for pkinit
+	structures that isn't used
+
+	* lib/krb5/pkinit.c: clean up, make remove depenency on openssl's
+	api
+
+	* lib/krb5/krb5_locl.h: add some glue for pkinit add reference
+	counter to _krb5_get_init_creds_opt_private
+	
+	* lib/krb5/init_creds.c: reference count krb5_get_init_creds_opt
+	private component to avoid copy all the data in it
+	
+	* lib/krb5/crypto.c (AES_string_to_key): fix memory leak
+
+	* lib/krb5/init_creds_pw.c (init_cred_loop): fix memory leak
+	
+	* lib/krb5/heim_threads.h: include pthread.h in the pthread case
+	
+2003-11-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kpasswd/kpasswdd.c (main): parse kdc.conf
+	From: Jeffrey Hutzelman <jhutz@cmu.edu>
+	
+2003-11-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/Makefile.am (TESTS): add test_crypto
+	
+	* lib/krb5/test_crypto.c: time crypto operations
+	
+2003-11-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/init-creds: spelling, Bruno Rohee <bruno@rohee.com>
+	
+2003-11-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/rd_req.c (krb5_verify_ap_req2): krb5_free_ticket free
+	the ticket now, rewrite error handling to handle that
+	
+	* kpasswd/kpasswdd.c (process): don't free ticket,
+	krb5_free_ticket does that now
+
+	* kdc/kerberos5.c (tgs_rep2): don't free ticket, krb5_free_ticket
+	does that now
+
+	* lib/krb5/ticket.c (krb5_free_ticket): free the ticket itself to
+	match mit behavior, pointed out by Derrick Brashear
+	
+	* lib/krb5/krb5_ticket.3: krb5_free_ticket free the whole ticket
+	
+2003-11-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/padata.c: add krb5_padata_add
+	
+	* lib/krb5/krb5.h: krb5_context_data.pkinit_win2k_compatible
+	
+	* lib/krb5/Makefile.am: add pkinit.c
+	
+	* kuser/kinit.c: add pkinit support
+	
+	* lib/krb5/init_creds_pw.c: add support for pkinit
+	
+	* lib/krb5/krb5_locl.h: add the opaque krb5_pk_init_ctx to
+	_krb5_get_init_creds_opt_private
+
+	* lib/krb5/pkinit.c: rename krb5_pk_init_openssl_ctx to
+	krb5_pk_init_ctx fix win2k error handling
+	
+	* lib/krb5/pkinit.c: PKINIT patch from Daniel Kouril and Petr
+	Holub, I removed the dependency on valicert asn1 parser, remove
+	smartcard and globus support (for now). Work to be done on this:
+	DH support, Globus support, Smartcard support, windows support (MS
+	implements -09 of the draft), verify that it conforms the new
+	draft
+
+2003-11-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/asn1/der_copy.c (copy_oid): copy all components
+	
+2003-10-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/krb5.conf.5: document capaths section
+
+2003-10-22  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/kerberos5.c: make sure that the server realm and the krbtgt
+	second component are identical; get rpath from the capaths section
+
+	* kdc/kerberos5.c: change logic for when to check transited policy
+	to a tri-state model involving per principal flags (to be
+	implemented)
+
+	* kdc/kdc_locl.h: change enforce_transited_policy to a tri-state
+	variable
+
+	* kdc/config.c: change enforce_transited_policy to a tri-state
+	variable
+
+2003-10-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/transited.c (krb5_domain_x500_encode): always zero out
+	encoding to make sure it have a defined value on failure
+
+	* lib/krb5/transited.c (krb5_domain_x500_encode): 
+	if num_realms ==0, set encoding and return (avoids malloc(0)),
+	check return value for malloc
+
+2003-10-21  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/kerberos5.c (fix_transited_encoding): always print
+	cross-realm information
+	
+2003-10-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/setup.texi: spelling, From: Tracy Di Marco White
+	
+	* kdc/kerberos5.c (fix_transited_encoding): set transited type
+	
+2003-10-21  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/kdc.8: document enforce-transited-policy
+
+	* kdc/kerberos5.c: always check transited policy if flag set
+	either globally or on principal
+
+	* kdc/config.c: add flag to always check transited policy
+
+	* lib/hdb/hdb.asn1: add flag to enforce transited policy
+
+2003-10-21  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/krb5/transited.c (krb5_domain_x500_decode): set *num_realms
+	to zero not num_realms
+
+	* kuser/kgetcred.1: add --no-transit-check
+	
+	* kuser/kgetcred.c: add --no-transit-check
+
+	* doc/setup.texi: describe Transit policy
+	
+2003-10-20  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/kerberos5.c (fix_transited_encoding): also verify with
+	policy, unless asked not to
+
+	* lib/krb5/rd_req.c (krb5_decrypt_ticket): try to verify transited
+	realms, unless the transited-policy-checked flag is set
+
+	* lib/krb5/transited.c (krb5_domain_x500_decode): handle zero
+	length tr data;
+	(krb5_check_transited): new function that does more useful stuff
+
+	* lib/krb5/get_cred.c: get capath info from [capaths] section
+
+2003-10-16  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/fcache.c: Sleep forever waiting for lock. Previous
+	method doesn't work well with a large number of clients accessing
+	the cache at the same time, and there is no simple way to add a
+	timeout to the lock.
+
+2003-10-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/verify_krb5_conf.c: print the error value
+	krb5_init_context failed with
+
+	* lib/krb5/config_file.c (krb5_config_parse_file_debug): punt if
+	there is binding before a section declaration. Bug found by
+	Arkadiusz Miskiewicz <arekm@pld-linux.org>
+
+2003-10-13  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/fcache.c (erase_file): revert a change in previous; if
+	the ccache is a symlink, kdestroy should remove it
+
+	* lib/krb5/fcache.c: implement locking
+
+2003-10-12  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kuser/klist.c (print_tickets): bail out if krb5_cc_next_cred
+	returns error other than KRB5_CC_END
+
+2003-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/init_creds_pw.c: add some help function that is common
+	between ENC_TS and SAM2, free the etype{,2}-infos on failure, move
+	the pa counter into krb5_get_init_creds_ctx
+	
+2003-10-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kaserver.c (do_getticket): if times data is shorter then 8
+	byte, request is malformed.
+
+	* kdc/kaserver.c (do_authenticate): if request length is less then
+	8 byte, its a bad request and fail. Pointed out by Marco Foglia
+	<marco@foglia.org>
+
+	* lib/krb5/verify_krb5_conf.c: add flag --warn-mit-syntax that
+	warns for mit syntax is used and just ignore the mit syntax when
+	its used
+
+	* lib/krb5/verify_krb5_conf.c: parse [kdc]use_2b and [gssapi]
+	
+2003-10-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/asn1/lex.l: add BOOLEAN
+	
+	* lib/asn1/parse.y: add BOOLEAN
+	
+2003-10-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kuser/kinit.c: When running kinit in "fork mode" do pagsh
+	independent of krb4, also always do krb4 setup of cc. Always try
+	to destroy the v4 cc.
+	- add boolean --{,no-}request-pac that will request pac or not
+
+	* kuser/klist.c (check_for_tgt): set client as part of the
+	pattern/match cred
+
+	* lib/krb5/convert_creds.c (_krb5_krb_dest_tkt): unlink v4 token
+	(get_krb4_cc_name): move out from _krb5_krb_tf_setup
+	(_krb5_krb_tf_setup): adapt to allocated filename instead of
+	static filename
+
+	* lib/krb5/krb5-v4compat.h: add _krb5_krb_dest_tkt and TKT_ROOT
+	
+	* lib/krb5/init_creds_pw.c (*) send PA_PAC_REQUEST when the user
+	have requested either use PAC or not use PAC, if the option not
+	set from the user, leave it up to the kdc to decide.
+	(init_creds_loop): clear error string on success
+
+	* lib/krb5/init_creds.c: add
+	krb5_get_init_creds_opt_set_paq_request break out common part of
+	extended opt functions to require_ext_opt
+
+	* lib/krb5/krb5_locl.h: add enum krb5_get_init_creds_req_pac and
+	use it in struct _krb5_get_init_creds_opt_private
+	
+	* tools/kdc-log-analyze.pl: handle some more failure lines
+	
+	* doc/programming.texi: some diffrences between Heimdal and MIT
+	Kerberos in the API
+
+	* doc/setup.texi: add Setting up DNS
+	
+	* lib/krb5/rd_req.c (krb5_rd_req): always free keyblock since its
+	alway used
+
+	* lib/asn1/Makefile.am: add SAM types and PAC_REQUEST
+	
+	* lib/asn1/k5.asn1: add more preauth types, add PA-PAC-REQUEST
+	
+	* lib/asn1: add boolean support
+
+2003-10-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/changepw.c (setpw_send_request): free ap_req_data on
+	failure
+
+2003-09-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* appl/test/http_client.c (do_connect): use ai_protocol 0
+	
+	* lib/krb5/init_creds_pw.c (init_cred_loop): handle
+	KRB5KRB_ERR_RESPONSE_TOO_BIG and loop again, this time requesting
+	LARGE_MSG from send to kdc, and if this is the second time bail
+	out; try to free memory
+
+	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc_flags): new function,
+	and then implement the order krb5_sendto_kdc* function with this
+	function.
+
+	* lib/krb5/krbhst.c (krb5_krbhst_init_flags): new function, use it
+	and adapt callers
+	(krbhst_get_default_proto): new function, returns udp, or in case
+	large_msg was requested for the krb5_krbhst_data, use tcp.
+	(*): if the flag KD_LARGE_MSG was set on the krb5_krbhst_data, avoid
+	using udp, use krbhst_get_default_proto
+	
+	* lib/krb5/krb5.h: flags for krb5_krbhst_init_flags (and
+	krb5_send_to_kdc_flags)
+
+2003-09-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/rd_req.c (krb5_rd_req): if we have a keyblock in auth
+	context, use that
+
+	* appl/test/uu_client.c: print authorization data if there are any
+	
+	* lib/asn1/asn1_print.c: decode IA5Stringa and UTF8String
+	
+2003-09-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/init_creds_pw.c: use _krb5_get_init_creds_opt_copy
+	* lib/krb5/init_creds.c: don't export krb5_get_init_creds_opt_copy
+	
+	* lib/hdb/Makefile.am: libhdb might depend on LIB_dlopen
+	
+	* kuser/kinit.c: don't get v4 tickets by default
+	
+2003-09-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kpasswd/kpasswdd.c (process): remove a abort()
+	
+	* doc/win2k.texi: add some text about netdom.exe and trusts
+	
+	* TODO-1.0: gssapi rc4 done
+	
+	* kpasswd/kpasswdd.c: add support for Set password protocol as
+	defined by RFC3244 -- Microsoft Windows 2000 Kerberos Change
+	Password and Set Password Protocols
+
+2003-09-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/db3.c: improve readability of ->open ifdef, check if
+	version >= 4.1
+
+	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_copy): add
+	
+	* lib/krb5/rd_req.c (krb5_rd_req): allow caller to pass in a key
+	in the auth_context, they way processes that doesn't use the
+	keytab can still pass in the key of the service (matches behavior
+	of MIT Kerberos).
+	
+2003-09-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/init_creds_pw.c: collect all init_creds context into a
+	structure so it can easier be passed around, also, while here,
+	change nonce for every request
+
+	* lib/krb5/get_in_tkt.c (init_as_req): don't realloc data before
+	the loop, add_padata() will handle that itself
+
+	* lib/krb5/get_for_creds.c (add_addrs): don't increase addr->len
+	until in contains interesting data, use right iteration counter
+	when clearing the addresses
+
+	* lib/krb5/log.c (log_realloc): increase len after realloc returns
+	sucessfully
+
+2003-09-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/config_file.c: fix prototypes
+	From: Fredrik Ljungberg <flag@pobox.se>
+	
+2003-09-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* appl/test/http_client.c: close socket when we are done, don't
+	allow the server to restart gssapi negotiation
+	
+	* lib/hdb/hdb_locl.h: include <limits.h> for ULONG_MAX noted by
+	Wissler Magnus <M.Wissler@abalon.se> on heimdal-discuss
+	
+	* appl/test/gssapi_client.c (proto): use select_mech
+	
+	* appl/test/http_client.c: use getarg
+	
+	* appl/test/gss_common.h: prototype for select_mech
+	
+	* appl/test/gss_common.c (select_mech): return the gss_OID from a
+	mech name
+
+	* appl/test/http_client.c: print both source and target
+	
+	* appl/test/Makefile.am: build http_client
+	
+2003-09-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/asn1/asn1_print.c: add support for printing Enumerated
+	
+	* appl/test/gssapi_client.c: allow user to select mech; krb5,
+	spnego, and no-oid
+
+	* appl/test/test_locl.h: add mech
+	
+	* appl/test/common.c: add --mech,-m argument
+	
+	* appl/test/gssapi_server.c: print the mech that was used
+	
+	* kdc/kerberos5.c (only_older_enctype_p): check request if the
+	client only supports old enctypes, before it used the database
+	
+2003-09-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* **/*.c: add context argument to krb5_get_init_creds_opt_alloc
+
+	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_alloc): add
+	context argument
+
+	* lib/krb5/krb5_get_init_creds.3: spelling
+	
+2003-09-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/context.c (add_file): make len argument an pointer to
+	an integer
+
+	* lib/asn1/k5.asn1: add SAM types
+
+	* lib/krb5/init_creds_pw.c: break out the encrypt timestamp
+	preauth to its function break out the pa_data_to_key_plain to its
+	own function make more variables const
+	
+2003-09-04  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/krb5.conf.5: document appdefaults/{forward,encrypt}
+
+2003-09-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5.h: Add key usage for encryption of the
+	SAM-NONCE-OR-SAD field.
+
+	* include/make_crypto.c: include <openssl/ui.h> in the openssl
+	case
+
+	* kdc/hprop.h: use new DES_ api
+	
+	* lib/krb5/krb5-v4compat.h: assume session key is a char array of
+	length 8
+
+	* lib/krb5/prompter_posix.c:
+	s/des_read_pw_string/UI_UTIL_read_pw_string/
+
+	* kuser/kinit.c: s/des_read_pw_string/UI_UTIL_read_pw_string/
+	
+	* kdc/string2key.c: s/des_read_pw_string/UI_UTIL_read_pw_string/
+	
+	* kdc/kstash.c: s/des_read_pw_string/UI_UTIL_read_pw_string/
+	
+	* admin/add.c: s/des_read_pw_string/UI_UTIL_read_pw_string/
+	
+	* lib/krb5/crypto.c: switch from the des_ to the DES_ api
+	
+	* kdc/hprop.c: use DES_KEY_SZ instead of sizeof(des_block)
+	
+	* kuser/kverify.c: use
+	krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free
+
+	* kpasswd/kpasswd-generator.c: use
+	krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free
+
+	* kdc/hprop.c: use
+	krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free compare
+	a uint32_t with 0xffffffff instead of -1
+
+	* lib/krb5/krb5_425_conv_principal.3: fix [Gt]
+	
+	* kuser/kinit.c: use
+	krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free
+
+	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): handle
+	password passed in though context
+
+	* lib/krb5/Makefile.am (TESTS): += test_config
+
+	* lib/krb5/aes-test.c: move variable thats used within a #ifdef to
+	be defined within that #ifdef
+
+	* lib/krb5/data.c (krb5_data_free): reset whole krb5_data when
+	freeing it
+
+	* lib/krb5/keyblock.c (krb5_keyblock_zero): new function, zeros
+	out a keyblock
+
+	* lib/krb5/init_creds_pw.c: rewrite/implement
+	krb5_get_init_creds_password with new preauth handing, still it
+	can only work with krb5-pa-enc-timestamp for preauth, but now it
+	can handle etype-info2
+
+	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_alloc): allocate
+	a opt structure
+	(krb5_get_init_creds_opt_free): free a opt structure
+	(krb5_get_init_creds_opt_set_pa_password): set preauth info for
+	enc-timestamp
+
+	* lib/krb5/krb5_locl.h: add struct
+	_krb5_get_init_creds_opt_private
+
+2003-09-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5.h: add SAM keyusage numbers, add s2k proc typedef,
+	add a pointer to a private part of krb5_get_init_creds_opt
+	
+	* kdc/string2key.c (main): avoid const warning by using a extra
+	variable
+
+2003-08-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type):
+	reindent
+
+	* lib/krb5/ticket.c (krb5_copy_ticket): free all data when
+	failing, copy data to right memory, the later pointed out by Luke
+	Howard.
+
+2003-08-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5.h: cfx-01 use diffrent usage numbers
+	
+2003-08-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/db3.c: try to include more db headers
+
+	* lib/hdb/db3.c: patch for working with DB4 on heimdal-discuss
+	From: Luke Howard <lukeh@PADL.COM>
+	
+2003-08-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5.h: add KEYTYPE_ARCFOUR_56
+	
+	* appl/test/gssapi_client.c: send both INT and CONF wrapped token
+	
+	* appl/test/gssapi_server.c: recv both INT and CONF wrapped token
+	
+	* lib/asn1/k5.asn1: add KRB5_NT_SMTP_NAME and KRB5_NT_ENTERPRISE
+	
+2003-08-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* appl/test/uu_client.c (proto): fill in client in the match cred
+	
+2003-08-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5.h: CFX uses slightly diffrent usage numbers
+	
+	* lib/krb5/crypto.c (usage2arcfour): simplify, only include
+	special cases From: Luke Howard <lukeh@PADL.COM>
+	
+2003-08-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/hdb-ldap.c: code rewrite from Luke Howard
+	<lukeh@PADL.COM>
+
+	* lib/krb5/crypto.c (arcfour_checksum_p): return true when is
+	arcfour, not when its not pointed out by Luke Howard
+	
+	* doc/ack.texi: update Luke Howard email address
+	
+2003-08-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_encrypt.3: document:
+	krb5_crypto_getconfoundersize, krb5_crypto_getblocksize
+	krb5_crypto_getenctype, krb5_crypto_getpadsize
+
+	* lib/krb5/crypto.c (krb5_crypto_getpadsize,
+	krb5_crypto_getconfoundersize): added From: Luke Howard
+	<lukeh@PADL.COM>
+
+2003-08-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/connect.c (handle_tcp): handle recvfrom returning 0
+	(connection closed)
+
+	* kdc/connect.c (grow_descr): increment the size after we succeed
+	to allocate the space
+
+	* lib/krb5/krb5_create_checksum.3: text about when
+	krb5_crypto_get_checksum_type is useful
+
+	* lib/krb5/crypto.c (krb5_crypto_get_checksum_type): fix format
+	string
+
+	* lib/krb5/krb5_create_checksum.3: document
+	krb5_crypto_get_checksum_type
+
+	* lib/krb5/crypto.c: add krb5_crypto_get_checksum_type
+	From: Luke Howard <lukeh@PADL.COM>
+	
+	* lib/asn1/gen.c: s/UTF8String/heim_utf8_string/ in generated code
+	From: Luke Howard <lukeh@PADL.COM>
+	
+2003-08-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* include/make_crypto.c: include aes.h inc in the local libdes
+	case too
+
+2003-08-20  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/asn1/der_free.c: set free'd poiners to NULL
+	
+	* lib/asn1/gen_free.c: set free'd poiners to NULL
+	
+2003-08-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/heim_threads.h: XXX don't use "plain" pthread support
+	on netbsd
+
+	* lib/krb5/crypto.c: Do the arcfour checksum mapping for
+	krb5_create_checksum and krb5_verify_checksum, From: Luke Howard
+	<lukeh@PADL.COM>
+
+2003-08-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/test_config.c: check krb5_prepend_config_files_default
+	and krb5_prepend_config_files
+
+	* lib/krb5/context.c: add krb5_prepend_config_files and
+	krb5_prepend_config_files_default
+
+2003-08-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/mkey.c (read_master_mit): krb5_ret_int16 takes a int16_t
+	as argument
+
+	* lib/krb5/parse-name-test.c: please lint (and me)
+	
+	* kdc/config.c (configure): remove only set variable 'e'
+	
+	* kdc/connect.c (init_socket): sockaddr size argument to
+	krb5_addr2sockaddr is a krb5_addr2sockaddr *
+	
+	* kdc/kerberos5.c (as_rep): remove usused variable
+	(tgs_rep2): don't use a temporary ret-variable, ret is reset later
+
+	* lib/krb5/krb5_get_in_cred.3: these function will be deprecated
+	
+	* lib/krb5/Makefile.am: man_MANS += krb5_get_init_creds.3
+	
+	* lib/krb5/krb5_get_init_creds.3: begining of documentation of
+	krb5_get_init_creds
+
+	* lib/krb5/get_in_tkt.c (krb5_get_in_tkt): for compatibility with
+	with the mit implemtation, don't free `creds' argument when done,
+	its up the the caller to do that, also allow a NULL ccache.
+	
+2003-08-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5.conf.5: document tgs_require_subkey
+	
+	* lib/asn1/Makefile.am: remove trance of generate tests files, its
+	not really for consumption yet
+
+	* lib/hdb/Makefile.am: split generated source from non generated
+	source we make-proto.pl can generate prototypes for non
+	generate-source only (make-proto.pl dies on asn1compile's .c
+	files)
+
+	* lib/krb5/get_cred.c (init_tgs_req): make generation of subkey
+	optional on configuration parameter
+	[realms]realm={tgs_require_subkey=bool}
+	defaults to off. The RFC1510 weakly defines the correct behavior,
+	so old DCE secd apparently required the subkey to be there, and MS
+	will use it when its there. But the request isn't encrypted in the
+	subkey, so you get to choose if you want to talk to a MS mdc or a
+	old DCE secd.
+
+	* kdc/kerberos5.c (*): handle krb5_unparse_name returning non-zero
+	
+2003-08-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/principal.c (unparse_name): len can't be zero, so,
+	don't check for that
+
+2003-08-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/principal.c (unparse_name): make sure there are space
+	for a NUL, set *name to NULL when there is a failure (so caller
+	can't get hold of a freed pointer)
+
+2003-07-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/kerberos.8: remove duplicate manual, from
+	cjep@netbsd.org
+
+2003-07-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/cache.c: indent
+	
+	* lib/krb5/cache.c (krb5_cc_set_default_name): only read
+	KRB5CCNAME when not suid
+
+2003-07-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/keytab_krb4.c (read_v4_entry): the des key is 8 bytes,
+	use a char array instead of des_cblock
+
+2003-07-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kerberos5.c: add support for KRB5_PADATA_ETYPE_INFO2
+	
+	* lib/krb5/crypto.c (hmac): make it return an error when out of
+	memory, update callsites to either return error or use krb5_abortx
+	(krb5_hmac): expose hmac
+
+2003-07-22  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/krb5/keyblock.c (krb5_keyblock_get_enctype): return enctype
+	of keyblock
+
+	* lib/krb5/Makefile.am (man_MANS): += krb5_keyblock.3
+
+	* lib/krb5/krb5_keyblock.3: some information about krb5_keyblock
+	and related functions
+
+	* lib/krb5/heim_threads.h: make the non-debug version of the mutex
+	macros "use" the "mutex" integer so the compile wont complain
+	about defined unused variables
+
+	* lib/krb5/heim_threads.h: make thread local storage macros take a
+	"return" argument so no functions need to be created for the
+	no-pthread case
+
+	* lib/krb5/heim_threads.h: adding RWLOCKS and [sg]etspecific
+	
+	* configure.in: use KRB_PTHREADS
+	
+	* lib/asn1/Makefile.am (gen_files): add asn1_KerberosString and
+	sort
+
+	* lib/asn1/k5.asn1 (ETYPE-INFO2-ENTRY): salt is a KerberosString
+	
+	* lib/krb5/krb5.3: add ticket access functions
+	* lib/krb5/krb5_ticket.3: ditto
+	* lib/krb5/ticket.c: ditto
+	* lib/krb5/Makefile.am: ditto
+	
+	* lib/krb5/mit_glue.c: add some more krb5_c functions
+	
+	* lib/krb5/krb5_c_make_checksum.3: add some more krb5_c functions
+	
+	* lib/krb5/crypto.c (krb5_cksumtype_valid): check is checksum type
+	is a valid one
+
+	* lib/krb5/crypto.c (krb5_checksum_is_keyed): only set extented
+	error string when there is a context
+	(krb5_checksum_is_collision_proof): ditto
+
+2003-07-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/mit_glue.c (krb5_c_get_checksum): make type and data
+	argument optional
+	(krb5_c_{encrypt,decrypt}): return "better" error codes for
+	invalid ivec length
+
+	* lib/krb5/krb5_c_make_checksum.3: update krb5_c_get_checksum
+	usage
+
+	* lib/krb5/crypto.c (krb5_crypto_getenctype): new function
+	
+	* include/make_crypto.c: avoid redefining
+	OPENSSL_DES_LIBDES_COMPATIBILITY
+
+	* lib/krb5/krb5.h: add krb5_enc_data
+	
+2003-07-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5.3: add krb5_c_ functions
+	
+	* lib/krb5/mit_glue.c: support passing in NULL as the
+	cipher_state/ivec
+
+	* lib/krb5/aes-test.c: add test for krb5_c_encrypt_length and
+	krb5_c_decrypt
+
+	* lib/krb5/krb5_c_make_checksum.3: krb5_c encryption glue
+	
+	* lib/krb5/crypto.c (wrapped_length/wrapped_length_derived): when
+	calculating the length of the encrypted data, use the keyed
+	checksum length if the enctype supports a keyed checksum. This
+	only matter for aes, for all other enctypes the key and unkeyed
+	checksum have the same length.
+
+2003-07-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/mit_glue.c: first version of krb5_c encryption glue
+
+	* doc/install.texi: update pointer to luke ldap documentation
+	
+	* lib/hdb/hdb.c (hdb_create): check for dynamic backend after
+	static to avoid warning from dynamic backend when using a known
+	static backend
+
+2003-07-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/cache.c: don't return value in void function
+	
+2003-07-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/creds.c (krb5_compare_creds): if client is specified in
+	the mcreds, check that too
+
+	* lib/krb5/{keytab_file.c,principal.c,mk_error.c,krb5.h,get_cred.c}:
+	prefix libasn1 types with heim_
+	
+	* lib/asn1: prefix typedefs and structs with heim_
+
+2003-07-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/hdb.c: avoid unnecessary setting of variable
+	
+2003-07-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kuser/klist.c (check_for_tgt): use krb5_cc_clear_mcred
+	
+	* appl/test/uu_client.c (proto): use krb5_cc_clear_mcred
+	
+	* lib/krb5/get_cred.c (init_tgs_req): in case of error, don't free
+	in the req_body addresses since they where pass in by caller
+	(find_cred): use krb5_cc_clear_mcred
+
+	* lib/krb5/krb5_ccache.3: document krb5_cc_clear_mcred
+	
+	* lib/krb5/cache.c (krb5_cc_clear_mcred): new function, clear a
+	krb5_creds to use with krb5_cc_retrieve_cred
+	
+2003-06-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/hdb.c (find_dynamic_method): if there isn't a prefix,
+	don't load anything
+
+2003-06-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/hdb.c: Dynamic backend loading, based on patch from Luke
+	Howard <lukeh@PADL.COM>
+
+	* lib/hdb/hdb.h: add struct hdb_so_method and
+	HDB_INTERFACE_VERSION
+
+2003-06-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_internal): when using
+	arcfour-hmac-md5, use an unkeyed checksum (rsa-md5), since
+	Microsoft calculates the keyed checksum with the subkey of the
+	authenticator.
+
+	* kuser/kinit.c: write out v4 credential caches with
+	_krb5_krb_tf_setup
+
+	* lib/krb5/krb5-v4compat.h: add _krb5_krb_tf_setup
+
+	* lib/krb5/convert_creds.c (_krb5_krb_tf_setup): create/append v4
+	credential to a new krb4 ticket file
+	
+2003-06-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/krb5_kuserok.3: put Nd argument in double quotes since
+	it contains more than 9 words; from wiz
+
+2003-06-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/verify_krb5_conf.c: add missing " within #if 0, from
+	stefan sokoll <stefansokoll@yahoo.de>
+
+2003-06-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_timeofday.3: improve krb5_set_real_time text
+	
+	* lib/krb5/time.c: improve comment for krb5_set_real_time
+	
+2003-06-23  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kuser/kinit.1: document -A
+
+	* kuser/kinit.c: add -A as an alias for --no-addresses
+
+2003-06-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): pass in a
+	krb5_timestamp to krb5_us_timeofday
+
+	* lib/krb5/mk_error.c (krb5_mk_error): pass in a krb5_timestamp to
+	krb5_us_timeofday
+
+	* lib/krb5/time.c (krb5_set_real_time): fix comment and make it
+	work
+
+	* lib/krb5/time.c, lib/krb5/krb5_timeofday.3, 
+	lib/krb5/Makefile.am lib/krb5/test_time.c:
+	
+	implement krb5_set_real_time, used by SAMBA, requested by Luke
+	Howard <lukeh@PADL.COM>
+
+	* lib/asn1/k5.asn1: make the aes and sha1 checksum types match
+	draft-ietf-krb-wg-crypto-05
+
+2003-06-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/aes-test.c: add a test for aes kcrypto encrypted data
+	
+	* lib/krb5/crypto.c: clean up AES code to use a structure instead
+	of a key array
+	(_krb5_AES_string_to_default_iterator): set to 4096 as described in
+	aes draft -04
+	(derive_key): always remove the key->schedule since its
+	will contain the wrong (parent key) info
+
+2003-06-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/aes-test.c: add aes256 test vectors from Ken Raeburn
+	* doc/setup.texi: add more kdc's to the example
+	
+2003-06-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/hdb-ldap.c: use int2HDBFlags/HDBFlags2int From: Alberto
+	Patino <jalbertop@aranea.com.mx>, Luke Howard <lukeh@PADL.COM>
+	Pointed out by Andrew Bartlett of Samba
+	
+	* lib/krb5/heim_threads.h: remove freebsd comment, don't use debug
+	pthread stubs by default
+
+	* lib/krb5/Makefile.am (man_MANS): drop krb5_free_addresses.3
+	
+	* lib/krb5/krb5_free_addresses.3: removed file, functions are
+	documented in krb5_address.3
+	
+	* lib/krb5/codec.c: add krb5_{de,en}code_ETYPE_INFO2
+	
+	* lib/krb5/crypto.c: add _krb5_AES_string_to_default_iterator add
+	krb5_string_to_key_salt_opaque() fix keylengh for keytype_aes256
+	
+2003-06-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/setup.texi: Point out that slave needs /var/heimdal
+	directory and masterkey From: Mans Nilsson <mansaxel@sunet.se>,
+	Fix spelling while here
+	
+2003-06-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/Makefile.am, krb5_get_in_cred.3, krb5.3:
+	add manpage for: krb5_get_in_cred, krb5_get_in_tkt,
+	krb5_get_in_tkt_with_keytab, krb5_get_in_tkt_with_password,
+	krb5_get_in_tkt_with_skey
+
+2003-05-28  Assar Westerlund  <assar@kth.se>
+
+	* lib/krb5/heim_threads.h: Fix unlock/destroy macros for the
+	non-threaded cases to work.  Fix typo.
+
+2003-05-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/asn1/{der_put.c,der_length.c,check-der.c}: Fix encoding of
+	"unsigned" integers. If MSB is set, we need to pad with a zero
+	byte.
+
+2003-05-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_c_make_checksum.3: some more mdoc fixes
+	
+	* lib/hdb/hdb-ldap.c (LDAP__connect): bind sasl "EXTERNAL" to ldap
+	connection
+	(LDAP_store): remove superfluous argument to asprintf
+	
+	From Alberto Patino <jalbertop@aranea.com.mx>
+
+2003-05-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/*.[0-9]: pacify mdoclink
+
+	* lib/krb5/krb5_ccache.3: document diffrences between mit and
+	heimdal krb5_cc_gen_new ccache -> credential cache s/[\t ]+$//
+	
+2003-05-21  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* appl/test/gssapi_server.c (proto): start to use
+	gss_krb5_copy_ccache
+
+	* appl/test/nt_gss_server.c (proto): comment out gss_ctx_id_t
+	groveling for now
+
+2003-05-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/asn1:
+	- add parser/generate glue for UTF8String and NULL
+	  (DER primitive encode/decode functions missing)
+	- handle parsing of DEFAULT and, ...
+
+2003-05-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/heim_threads.h: add missing argument to mutex_init
+	
+	* lib/krb5/crypto.c: protect the random initiator with a mutex
+	
+	* lib/krb5/mcache.c: protect the mcc_head with a mutex
+	
+	* lib/krb5/krb5_locl.h: include heim_threads.h
+	
+	* lib/krb5/heim_threads.h: wrapper macros for thread
+	synchronization primitives
+
+2003-05-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_principal.3
+	lib/krb5/Makefile.am:
+	Add all Kerberos principal function to one manpage, add a few more
+	principal function to it, remove old now dup manpages
+	
+	* lib/krb5/krb5_build_principal.3: remove file
+	* lib/krb5/krb5_free_principal.3: remove file
+	* lib/krb5/krb5_sname_to_principal.3: remove file
+	* lib/krb5/krb5_principal_get_realm.3: remove file
+
+2003-05-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/verify_krb5_conf.8: sort sections, from netbsd
+	
+	* lib/krb5/krb5_verify_user.3: .Sh EXAMPLE -> .Sh EXAMPLES, from
+	netbsd
+
+	* lib/krb5/krb5_openlog.3: .Sh EXAMPLE -> .Sh EXAMPLES, sort
+	sections, from netbsd
+
+	* lib/krb5/krb5_keytab.3: .Sh EXAMPLE -> .Sh EXAMPLES, mdoc fixes,
+	from netbsd
+
+	* lib/krb5/krb5_get_krbhst.3: .Sh EXAMPLE -> .Sh EXAMPLES, from
+	netbsd
+	
+	* lib/krb5/krb5_get_all_client_addrs.3: add .Os, from NetBSD
+
+	* lib/krb5/krb5_build_principal.3: sort sections, from NetBSD
+	
+	* lib/krb5/krb5.conf.5: .Sh EXAMPLE -> .Sh EXAMPLES, from netbsd
+	
+	* lib/krb5/get_default_realm.c: compatability -> compatibility,
+	from netbsd
+
+	* lib/krb5/krb5_warn.3: add copyright/license
+	
+	* lib/krb5/krb5_context.3: add SYNOPSIS and LIBRARY
+	
+	* lib/krb5/krb5.3: add RCSID
+	
+	* kdc/hprop.8: fix mdoc problem, from netbsd
+	
+	* lib/krb5/krb5_krbhst_init.3: uppercase url, from Thomas Klausner
+	<wiz@netbsd.org>
+
+	* kuser/kinit.1: setup -> set up, new sentence, new line from
+	Thomas Klausner <wiz@netbsd.org>
+	
+2003-05-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kpasswd/kpasswd.1: handle setting passwords for multiple
+	principals at the same time
+
+	* kpasswd/kpasswd.c: handle setting passwords for multiple
+	principals at the same time
+
+	* lib/krb5/changepw.c: draft-ietf-cat-kerb-chg-password-02 and
+	rfc3244 share the response packet sure more constants now that
+	they exists
+
+2003-05-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5.h: some define for rfc3244
+	
+	* lib/krb5/krb5.3: add krb5_change_password and krb5_set_password
+	
+	* kpasswd/kpasswd.1: document --admin-principal
+	
+	* kpasswd/kpasswd.c: use krb5_set_password
+	
+	* lib/krb5/krb5_set_password.3: document krb5_change_password and
+	krb5_set_password
+
+	* lib/krb5/changepw.c: implement rfc3244, partly from
+	shadow@dementia.org
+
+	* lib/asn1/Makefile.am (gen_files): asn1_ChangePasswdDataMS.x for
+	RFC3244
+
+	* lib/asn1/k5.asn1: add ChangePasswdDataMS, for
+	RFC3244
+
+2003-05-08  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kuser/kdestroy.c: destroy tokens even if there isn't v4 support
+
+	* kuser/kinit.c: get token even if there isn't v4 support
+	
+	* kuser/klist.c: print tokens even if there isn't v4 support
+	
+2003-05-06  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/name-45-test.c: need to use empty krb5.conf for some
+	tests
+
+	* lib/asn1/check-gen.c: there is no \e escape sequence; replace
+	everything with hex-codes, and cast to unsigned char* to make some
+	compilers happy
+
+2003-05-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/get_in_tkt.c (make_pa_enc_timestamp): make sure first
+	argument to krb5_us_timeofday have correct type
+	
+2003-05-05  Assar Westerlund  <assar@kth.se>
+
+	* include/make_crypto.c (main): include aes.h if ENABLE_AES
+
+2003-05-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* make-release: when fixing a valid cvs tag from release name
+	replace all number. to number- for all non-overlapping matches
+	
+2003-05-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/asn1/Makefile.am: gen_files += asn1_ETYPE_INFO2.x and
+	asn1_ETYPE_INFO2_ENTRY.x
+	(libasn1_la_LDFLAGS): set version to 6:1:1
+
+	* doc/Makefile.am: add apps.texi
+	
+	* doc/setup.texi: add move forward link to applications
+	
+	* doc/heimdal.texi: add applications
+	
+	* doc/misc.texi: move afs stuff to applications add link to
+	applications
+	
+	* doc/apps.texi: text about applications using kerberos
+	move afs text here
+	
+2003-05-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/setup.texi: add cross realm text
+	
+2003-04-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_crypto_init.3: document krb5_enctype_to_string and
+	krb5_string_to_enctype
+
+2003-04-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/v4_dump.c (v4_prop_dump): limit strings length, from openbsd
+	
+2003-04-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/aes-test.c: use _krb5_PKCS5_PBKDF2
+	* lib/krb5/crypto.c: unexport krb5_PKCS5_PBKDF2
+	
+2003-04-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/build_auth.c (krb5_build_authenticator): if the local
+	sequence number is non-zero, don't generate a new one
+
+	* lib/krb5/mk_rep.c (krb5_mk_rep): if the local sequence number is
+	non-zero, don't generate a new one
+	
+	* lib/krb5/time.c (krb5_us_timeofday): make the sec parameter a
+	krb5_timestamp
+
+	* lib/krb5/mk_priv.c lib/krb5/mk_safe.c lib/krb5/rd_priv.c
+	lib/krb5/rd_safe.c lib/krb5/rd_cred.c: implement RET_SEQUENCE and
+	RET_TIME
+
+	* lib/krb5/krb5.h (krb5_replay_data): make usec signed (matching
+	asn1)
+
+2003-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/programming.texi: s/managment/management/, from jmc
+	<jmc@prioris.mini.pw.edu.pl>
+
+2003-04-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/context.c (default_etypes): also advertise that we
+	handle aes encryption types
+
+	* lib/krb5/Makefile.am: add krb5_c_ checksum related functions
+
+	* lib/krb5/krb5_c_make_checksum.3: document krb5_c_ checksum
+	related functions
+
+	* lib/krb5/mit_glue.c: add compat mit krb5_c checksum related
+	functions
+
+	* lib/asn1/k5.asn1: add ETYPE-INFO2 and ETYPE-INFO2-ENTRY
+	
+2003-04-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krbhst.c: copy NUL too, from janj@wenf.org via openbsd
+	
+2003-04-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/asn1/der_copy.c (copy_general_string): use strdup
+	* lib/asn1/der_put.c: remove sprintf
+	* lib/asn1/gen.c: remove strcpy/sprintf
+	
+	* lib/krb5/name-45-test.c: use a more unique name then ratatosk so
+	that other (me) have such hosts in the local domain and the tests
+	fails, to take hokkigai.pdc.kth.se instead
+	
+	* lib/krb5/test_alname.c: add --version and --help
+	
+2003-04-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_warn.3: add krb5_get_err_text
+	
+	* lib/krb5/transited.c: use strlcat/strlcpy, from openbsd
+	* lib/krb5/krbhst.c (srv_find_realm): use strlcpy, from openbsd
+	* lib/krb5/aname_to_localname.c (krb5_aname_to_localname): use
+	strlcpy, from openbsd
+	* kdc/hpropd.c: s/strcat/strlcat/, inspired from openbsd
+	* appl/kf/kfd.c: use strlcpy, from openbsd
+	
+2003-04-16  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: fix for large file support in AIX, _LARGE_FILES
+	needs to be defined on the command line, since lex likes to
+	include stdio.h before we get to config.h
+
+2003-04-16  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/krb5/*.3: Change .Fd #include <header.h> to .In header.h,
+	from Thomas Klausner <wiz@netbsd.org>
+	
+	* lib/krb5/krb5.conf.5: spelling, from Thomas Klausner
+	<wiz@netbsd.org>
+
+2003-04-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kerberos5.c: fix some more memory leaks
+	
+2003-04-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* appl/kf/kf.1: spelling, from jmc <jmc@prioris.mini.pw.edu.pl>
+	
+2003-04-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* admin/ktutil.8: typos, from jmc <jmc@acn.waw.pl>
+	
+2003-04-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5.3: s/kerberos/Kerberos/
+	* lib/krb5/krb5_data.3: s/kerberos/Kerberos/
+	* lib/krb5/krb5_address.3: s/kerberos/Kerberos/
+	* lib/krb5/krb5_ccache.3: s/kerberos/Kerberos/
+	* lib/krb5/krb5.conf.5: s/kerberos/Kerberos/
+	* kuser/kinit.1: s/kerberos/Kerberos/
+	* kdc/kdc.8: s/kerberos/Kerberos/
+	
+2003-04-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/test_alname.c: more krb5_aname_to_localname tests
+	
+	* lib/krb5/aname_to_localname.c (krb5_aname_to_localname): when
+	converting too root, make sure user is ok according to
+	krb5_kuserok before allowing it.
+
+	* lib/krb5/Makefile.am (noinst_PROGRAMS): += test_alname
+	
+	* lib/krb5/test_alname.c: add test for krb5_aname_to_localname
+	
+	* lib/krb5/crypto.c (krb5_DES_AFS3_CMU_string_to_key): used p1
+	instead of the "illegal" salt #~, same change as kth-krb did
+	1999. Problems occur with crypt() that behaves like AT&T crypt
+	(openssl does this). Pointed out by Marcus Watts.
+
+	* admin/change.c (kt_change): collect all principals we are going
+	to change, and pick the highest kvno and use that to guess what
+	kvno the resulting kvno is going to be. Now two ktutil change in a
+	row works. XXX fix the protocol to pass the kvno back.
+	
+2003-03-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* appl/kf/kf.1: afs->AFS, from jmc <jmc@acn.waw.pl>
+	
+2003-03-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/setup.texi: add description on how to turn on v4, 524 and
+	kaserver support
+
+2003-03-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/verify_krb5_conf.c (appdefaults_entries): add afslog
+	and afs-use-524
+
+2003-03-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kerberos5.c (as_rep): when the second enctype_to_string
+	failes, remember to free memory from the first enctype_to_string
+
+	* lib/krb5/crypto.c (usage2arcfour): map KRB5_KU_TICKET to 2,
+	from Harald Joerg <harald.joerg@fujitsu-siemens.com>
+	(enctype_arcfour_hmac_md5): disable checksum_hmac_md5_enc
+
+	* lib/hdb/mkey.c (hdb_unseal_keys_mkey): truncate key to the key
+	length when key is longer then expected length, its probably
+	longer since the encrypted data was padded, reported by Aidan
+	Cully <aidan@kublai.com>
+
+	* lib/krb5/crypto.c (krb5_enctype_keysize): return key size of
+	encyption type, inspired by Aidan Cully <aidan@kublai.com>
+	
+2003-03-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/keytab.c (krb5_kt_get_entry): avoid printing 0
+	(wildcard kvno) after principal when the keytab entry isn't found,
+	reported by Chris Chiappa <chris@chiappa.net>
+	
+2003-03-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/misc.texi: update 2b example to match reality (from
+	mattiasa@e.kth.se)
+
+	* doc/misc.texi: spelling and add `Configuring AFS clients'
+	subsection
+
+2003-03-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5.3: add krb5_free_data_contents.3
+	
+	* lib/krb5/data.c: add krb5_free_data_contents for compat with MIT
+	API
+
+	* lib/krb5/krb5_data.3: add krb5_free_data_contents for compat
+	with MIT API
+	
+	* lib/krb5/krb5_verify_user.3: write more about how the ccache
+	argument should be inited when used
+	
+2003-03-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/addr_families.c (krb5_print_address): make sure
+	print_addr is defined for the given address type; make addrports
+	printable
+
+	* kdc/string2key.c: print the used enctype for kerberos 5 keys
+
+2003-03-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/aes-test.c: add another arcfour test
+	
+2003-03-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/aes-test.c: sneek in a test for arcfour-hmac-md5
+	
+2003-03-20  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/krb5/krb5_ccache.3: update .Dd
+
+	* lib/krb5/krb5.3: sort in krb5_data functions
+
+	* lib/krb5/Makefile.am (man_MANS): += krb5_data.3
+
+	* lib/krb5/krb5_data.3: document krb5_data
+
+	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): if
+	prompter is NULL, don't try to ask for a password to
+	change. reported by Iain Moffat @ ufl.edu via Howard Chu
+	<hyc@highlandsun.com>
+
+2003-03-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_keytab.3: spelling, from
+	<jmc@prioris.mini.pw.edu.pl>
+
+	* lib/krb5/krb5.conf.5: . means new line
+	
+	* lib/krb5/krb5.conf.5: spelling, from
+	<jmc@prioris.mini.pw.edu.pl>
+
+	* lib/krb5/krb5_auth_context.3: spelling, from
+	<jmc@prioris.mini.pw.edu.pl>
+
+2003-03-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kuser/Makefile.am: INCLUDES: -I$(srcdir)/../lib/krb5
+	
+	* lib/krb5/convert_creds.c: add _krb5_krb_life_to_time
+	
+	* lib/krb5/krb5-v4compat.h: add _krb5_krb_life_to_time
+
+	* kdc/kdc_locl.h: 524 is independent of kerberos 4, so move out
+	#ifdef KRB4 from enable_v4_cross_realm since 524 needs it
+	
+	* kdc/config.c: 524 is independent of kerberos 4, so move out
+	enable_v4_cross_realm from #ifdef KRB4 since 524 needs it
+	
+2003-03-17  Assar Westerlund  <assar@kth.se>
+
+	* kdc/kdc.8: document --kerberos4-cross-realm
+	* kdc/kerberos4.c: pay attention to enable_v4_cross_realm
+	* kdc/kdc_locl.h (enable_v4_cross_realm): add
+	* kdc/524.c (encode_524_response): check the enable_v4_cross_realm
+	flag before giving out v4 tickets for foreign v5 principals
+	* kdc/config.c: add --enable-kerberos4-cross-realm option (default
+	to off)
+
+2003-03-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/Makefile.am (man_MANS) += krb5_aname_to_localname.3
+	
+	* lib/krb5/krb5_aname_to_localname.3: manpage for
+	krb5_aname_to_localname
+
+	* lib/krb5/krb5_kuserok.3: s/KRB5_USEROK/KRB5_KUSEROK/
+	
+2003-03-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/Makefile.am (man_MANS): add krb5_set_default_realm.3
+
+	* lib/krb5/krb5.3: add manpages from krb5_set_default_realm.3
+
+	* lib/krb5/krb5_set_default_realm.3: Manpage for
+	krb5_free_host_realm, krb5_get_default_realm,
+	krb5_get_default_realms, krb5_get_host_realm, and
+	krb5_set_default_realm.
+
+	* admin/ktutil.8: s/entype/enctype/, from Igor Sobrado
+	<sobrado@acm.org> via NetBSD
+
+	* lib/krb5/krb5_keytab.3: add documention for krb5_kt_get_type
+	
+	* lib/krb5/keytab.c (krb5_kt_get_type): get prefix/type of keytab
+	
+	* lib/krb5/krb5.h (KRB5_KT_PREFIX_MAX_LEN): max length of prefix
+	
+	* lib/krb5/krb5_ccache.3: document krb5_cc_get_ops, add more
+	types, add krb5_fcc_ops and krb5_mcc_ops
+	
+	* lib/krb5/cache.c (krb5_cc_get_ops): new function, return ops for
+	a id
+
+2003-03-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/intro.texi: add reference to source code, binaries and the
+	manual
+
+	* lib/krb5/krb5.3: krb5.h isn't in krb5 directory in heimdal
+	
+2003-03-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kdc.8: better/difrent english
+
+	* kdc/kdc.8: . -> .\n, copyright/license
+	
+	* kdc/kdc.8: changed configuration file -> restart kdc
+
+	* kdc/kerberos4.c: add krb4 into the most error messages written
+	to the logfile
+
+	* lib/krb5/krb5_ccache.3: add missing name of argument
+	(krb5_context) to most functions
+
+2003-03-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/kuserok.c (krb5_kuserok): preserve old behviour of
+	function and return FALSE when there isn't a local account for
+	`luser'.
+
+	* lib/krb5/krb5_kuserok.3: fix prototype, spelling and more text
+	describing the function
+
+2003-03-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/cache.c (krb5_cc_default): if krb5_cc_default_name
+	returned memory, don't return ENOMEM
+
+2003-03-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5.3: add krb5_address stuff and sort
+	
+	* lib/krb5/krb5_address.3: fix krb5_addr2sockaddr description
+	
+	* lib/krb5/Makefile.am (man_MANS): += krb5_address.3
+	
+	* lib/krb5/krb5_address.3: document types krb5_address and
+	krb5_addresses and their helper functions
+
+2003-03-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/Makefile.am (man_MANS): += krb5_kuserok.3
+
+	* lib/krb5/krb5_kuserok.3: spelling, from cizzi@it.su.se
+
+	* lib/krb5/Makefile.am (man_MANS): += krb5_ccache.3
+
+	* lib/krb5/krb5_ccache.3: spelling, from cizzi@it.su.se
+	
+	* lib/krb5/krb5.3: add more functions
+	
+	* lib/krb5/krb5_ccache.3: document krb5_ccache and krb5_cc
+	functions
+
+	* lib/krb5/krb5_kuserok.3: document krb5_kuserok
+	
+	* lib/krb5/krb5_verify_user.3: document
+	krb5_verify_opt_set_flags(opt, KRB5_VERIFY_LREALMS) behavior
+
+	* lib/krb5/krb5_verify_user.3: document krb5_verify_opt* and
+	krb5_verify_user_opt
+
+	* lib/krb5/*.[0-9]: add copyright/licenses on more manpages
+
+	* kuser/kdestroy.c (main): handle that krb5_cc_default_name can
+	return NULL
+
+	* lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump minor
+	(TESTS): add test_cc
+
+	* lib/krb5/test_cc.c: test some
+	krb5_cc_default_name/krb5_cc_set_default_name combinations
+	
+	* lib/krb5/context.c (init_context_from_config_file): set
+	default_cc_name to NULL
+	(krb5_free_context): free default_cc_name if set
+
+	* lib/krb5/cache.c (krb5_cc_set_default_name): new function
+	(krb5_cc_default_name): use krb5_cc_set_default_name
+
+	* lib/krb5/krb5.h (krb5_context_data): add default_cc_name
+	
+2003-02-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* appl/kf/kf.1: s/securly/securely/ from NetBSD
+	
+2003-02-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/connect.c: s/intialize/initialize, from
+	<jmc@prioris.mini.pw.edu.pl>
+
+2003-02-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* configure.in: add AM_MAINTAINER_MODE
+	
+2003-02-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* **/*.[0-9]: add copyright/licenses on all manpages
+
+2003-14-16  Jacques Vidrine  <nectar@kth.se>
+
+	* lib/krb5/get_in_tkt.c (init_as_req): Send only a single
+	PA-ENC-TIMESTAMP in the AS-REQ, using the first encryption
+	type specified by the KDC.
+
+2003-02-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* fix-export: some autoconf put their version number in
+	autom4te.cache, so remove autom4te*.cache
+	
+	* fix-export: make sure $1 is a directory
+	
+2003-02-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kpasswd/kpasswdd.8: spelling, from jmc <jmc@prioris.mini.pw.edu.pl>
+
+	* kdc/kdc.8: spelling, from jmc <jmc@prioris.mini.pw.edu.pl>
+	
+2003-01-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/hpropd.8: s/databases/a database/ s/Not/not/
+
+	* kdc/hprop.8: add missing .
+	
+2003-01-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5.conf.5: documentation for of boolean, etypes,
+	address, write out encryption type in sentences, s/Host/host
+	
+2003-01-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/asn1/check-gen.c: add checks for Authenticator too
+	
+2003-01-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/setup.texi: in the hprop example, use hprop and the first
+	component, not host
+
+	* lib/krb5/get_addrs.c (find_all_addresses): address-less
+	point-to-point might not have an address, just ignore
+	those. Reported by Harald Barth.
+
+2003-01-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/verify_krb5_conf.c (check_section): when key isn't
+	found, don't print out all known keys
+
+	* lib/krb5/verify_krb5_conf.c (syslogvals): mark up where severity
+	and facility start resp
+	(check_log): find_value() returns -1 when key isn't found
+
+	* lib/krb5/crypto.c (_krb5_aes_cts_encrypt): make key argument a
+	'const void *' to avoid AES_KEY being exposed in krb5-private.h
+	
+	* lib/krb5/krb5.conf.5: add [kdc]use_2b
+
+	* kdc/524.c (encode_524_response): its 2b not b2
+	
+	* doc/misc.texi: quote @ where missing
+	
+	* lib/asn1/Makefile.am: add check-gen
+	
+	* lib/asn1/check-gen.c: add Principal check
+	
+	* lib/asn1/check-common.h: move generic asn1/der functions from
+	check-der.c to here
+
+	* lib/asn1/check-common.c: move generic asn1/der functions from
+	check-der.c to here
+
+	* lib/asn1/check-der.c: move out the generic asn1/der functions to
+	a common file
+
+2003-01-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/misc.texi: more text about afs, how to get get your KeyFile,
+	and how to start use 2b tokens
+
+	* lib/krb5/krb5.conf.5: spelling, from Jason McIntyre
+	<jmc@cvs.openbsd.org>
+	
+2003-01-21  Jacques Vidrine  <nectar@kth.se>
+
+	* kuser/kuser_locl.h: include crypto-headers.h for
+	des_read_pw_string prototype
+
+2003-01-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* admin/ktutil.8: document -v, --verbose
+
+	* admin/get.c (kt_get): make getarg usage consistent with other
+	other parts of ktutil
+
+	* admin/copy.c (kt_copy): remove adding verbose_flag to args
+	struct, since it will overrun the args array (from Sumit Bose)
+	
+2003-01-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5.conf.5: write more about [realms] REALM = { kdc =
+	... }
+
+	* lib/krb5/aes-test.c: test vectors in aes-draft
+	
+	* lib/krb5/Makefile.am: add aes-test.c
+
+	* lib/krb5/crypto.c: Add support for AES
+	(draft-raeburn-krb-rijndael-krb-02), not enabled by default.
+	(HMAC_SHA1_DES3_checksum): rename to SP_HMAC_SHA1_checksum and modify
+	to support checksumtype that are have a shorter wireformat then
+	their output block size.
+	
+	* lib/krb5/crypto.c (struct encryption_type): split the blocksize
+	into blocksize and padsize, padsize is the minimum padding
+	size. they are the same for now
+	(enctype_*): add padsize
+	(encrypt_internal): use padsize
+	(encrypt_internal_derived): use padsize
+	(wrapped_length): use padsize
+	(wrapped_length_dervied): use padsize
+
+	* lib/krb5/crypto.c: add extra `opaque' argument to string_to_key
+	function for each enctype in preparation enctypes that uses
+	`Encryption and Checksum Specifications for Kerberos 5' draft
+	
+	* lib/asn1/k5.asn1: add checksum and enctype for AES from
+	draft-raeburn-krb-rijndael-krb-02.txt
+
+	* lib/krb5/krb5.h (krb5_keytype): add KEYTYPE_AES128,
+	KEYTYPE_AES256
+
+2003-01-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/common.c (_hdb_fetch): handle error code from
+	hdb_value2entry
+
+	* kdc/Makefile.am: always include kerberos4.c and 524.c in
+	kdc_SOURCES to support 524
+
+	* kdc/524.c: always compile in support for 524
+	
+	* kdc/kdc_locl.h: move out krb/524 protos from under #ifdef KRB4
+	
+	* kdc/config.c: always compile in support for 524
+	
+	* kdc/connect.c: always compile in support for 524
+	
+	* kdc/kerberos4.c: export encode_v4_ticket() and get_des_key()
+	even when we build without kerberos 4, 524 needs them
+	
+	* lib/krb5/convert_creds.c, lib/krb5/krb5-v4compat.h: Split out
+	Kerberos 4 help functions/structures so other parts of the source
+	tree can use it (like the KDC)
+
diff --git a/crypto/heimdal/ChangeLog.2004 b/crypto/heimdal/ChangeLog.2004
new file mode 100644
index 0000000..5e39342
--- /dev/null
+++ b/crypto/heimdal/ChangeLog.2004
@@ -0,0 +1,1485 @@
+2004-12-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/Makefile.am (CHECK_SYMBOLS): add heim_ and pkcs7_ for
+	now (used in pkinit)
+
+2004-12-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/Makefile.am: add CHECK_SYMBOLS
+
+	* lib/hdb/keys.c: make all_etypes static
+
+	* lib/krb5/Makefile.am: add CHECK_SYMBOLS, approve of: -com_err
+	-version krb5_ _krb5_ __heimdal krb524_ krb4_fkt_ops
+
+	* kdc/kerberos5.c: use private version of principalname
+
+	* kdc/kerberos4.c: use private version of principalname
+
+	* kdc/hpropd.c: use private version of principalname
+
+	* kdc/524.c: use private version of principalname
+
+	* lib/krb5/rd_req.c: use private version of principalname
+
+	* lib/krb5/rd_cred.c: use private version of principalname
+
+	* lib/krb5/init_creds_pw.c: use private version of principalname
+
+	* lib/krb5/get_in_tkt.c: use private version of principalname
+
+	* lib/krb5/asn1_glue.c: make principalname functions private
+
+	* lib/krb5/krb5.h: add key usage for server referrals
+	
+2004-12-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/principal.c: make default_v4_name_convert static
+	
+	* lib/krb5/crypto.c: make lots of crypto related variables static
+	
+	* lib/krb5/acache.c: make default_acc_name static
+	
+2004-12-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/setup.texi: add some text about samba, use example.com
+	
+	* lib/hdb/hdb-ldap.c: Add account expiration for samba from James
+	F.  Hranicky <jfh@cise.ufl.edu>.
+	Add LDAP_addmod_integer and use it.
+
+2004-12-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/{Makefile.am,setup.texi,win2k.texi}: spelling and text
+	fixes, from Dave Love
+
+2004-12-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/heim_threads.h: NetBSD 2.99.11 (any maybe 2.1) just
+	needs pthread.h, threadlib is dead
+
+2004-12-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/config.c (configure): check for deprecated
+	enforce-transited-policy is set and fail if it is
+	
+	* lib/asn1/asn1_print.c: don't print garabage for octet strings
+	
+2004-12-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/main.c (main): catch sigpipe, we don't bother select()ing
+	for errors
+
+	* kdc/connect.c (handle_http_tcp): handle error from write(2)
+	
+	* doc/setup.texi: clarify credentials refreshing stuff
+	
+	* doc/setup.texi: add new node: Providing Kerberos credentials to
+	servers and programs
+
+	* doc/whatis.texi: fix spurious cross-reference makeinfo warning
+	
+	* lib/hdb/hdb-ldap.c (pos): uppercase in character
+
+2004-12-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/hdb-ldap.c (LDAP__bytes2hex,LDAP__hex2bytes): encode
+	nibbels in the other order
+
+	* lib/hdb/hdb-ldap.c: s/objectclass/objectClass/ check if
+	attribute exists before we try to delete it LDAP__bytes2hex
+	encodes in strange byte order, is this really right ?
+	
+2004-12-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/hdb-ldap.c (LDAP_firstkey): When iterating over all
+	entries, search for samba accounts too, From: "James F. Hranicky"
+	<jfh@cise.ufl.edu>
+
+	* lib/hdb/hdb-ldap.c (krb5kdcentry_attrs): ask for attribute uid
+	too
+
+	* lib/hdb/hdb-ldap.c (LDAP_message2entry): if the entry is missing
+	both krb5PrincipalName and uid, it must be broken, ignore it and
+	return it doesn't exists.
+
+2004-12-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/hpropd.8: spelling, from OpenBSD
+	
+	* kdc/kdc.8: use keeps for options, From OpenBSD k
+	
+2004-12-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/setup.texi: document --random-key and the need to do backup
+	of the master key
+
+	* kdc/kstash.8: add --random-key
+	
+	* kdc/kstash.c: add --random-key
+	
+2004-12-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/verify_krb5_conf.8: spelling, from openbsd
+	
+	* lib/krb5/krb5_init_context.3: spelling, from openbsd
+	
+	* lib/krb5/krb5.conf.5: spelling, from openbsd
+	
+	* kuser/kdestroy.1: use keeps around options, spelling, from
+	openbsd
+
+	* kpasswd/kpasswdd.8: use ., use keeps around options, from OpenBSD
+	
+	* kdc/hpropd.8: use keeps around options, from OpenBSD
+	
+	* kdc/hprop.8: use keeps around options, from OpenBSD
+	
+2004-11-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/context.c (krb5_free_context): clear error string
+	before destroying mutex
+	(krb5_init_context): don't call krb5_free_context before there is a
+	mutex initialized
+
+2004-11-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kuser/kinit.c (get_new_tickets): only complain about ticket
+	renewable lifetime when the user asked for a specific renewable
+	lifetime
+
+2004-11-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kerberos5.c (find_keys): log what principal is missing
+	enctypes
+
+2004-11-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): clear pointer after
+	freeing data
+
+	* lib/krb5/init_creds_pw.c (change_password): handle old_options
+	being NULL From Guenther Deschner on samba-technical.
+	
+2004-11-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_get_init_creds.3: add more text describing the
+	krb5_get_init_creds functions
+
+2004-11-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/init_creds_pw.c: make krb5_get_init_creds_keytab work
+	again
+
+2004-11-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/hdb.asn1: use constrained integers
+	
+2004-11-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_get_init_creds.3: add description for opt_init,
+	opt_alloc, opt_free
+
+	* lib/krb5/pkinit.c: unexport krb5_get_init_creds_opt_free_pkinit
+	
+	* lib/krb5/init_creds.c: unexport
+	krb5_get_init_creds_opt_free_pkinit
+
+	* lib/krb5/init_creds_pw.c: fold init_init_creds_ctx into
+	get_init_creds_common
+
+	* lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): if the in
+	options NULL, just make a clean copy
+
+2004-11-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/sendauth.c (krb5_rd_rep): free ap_rep message earlier
+	so we don't leak it on error
+
+2004-10-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5.conf.5: unbreak 2b entry
+	
+	* lib/krb5/acache.c (make_cred_from_ccred): the address isn't a
+	sockaddr but rather a kerberos address, deal with that.  Based on
+	bug report from Jakob Schlyter <jakob@rfc.se>.
+
+2004-10-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/connect.c: Make sure argument passed to ctype isn't signed
+	char
+
+2004-10-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c: match new error names
+	
+	* lib/krb5/krb5_err.et: make error messages sane again
+	
+2004-10-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/keytab.c: use KRB5_KT_BADNAME
+
+	* lib/krb5/krb5_err.et: sync with mit krb5_err.et (require major
+	version bump) add KRB5_DELTAT_BADFORMAT
+	
+	* lib/krb5/krb5.conf.5: time defaults to "s"
+	
+	* lib/krb5/time.c (krb5_string_to_deltat): default to "s" again,
+	MIT's behavior was actually that it failed to parse the number
+	(and thus used the default). Even better, ticket_lifetime (that
+	was a consumer supposed a of the interface) was documented but
+	never implemented, when it was implemented, people configuraiton
+	files started to fail.  Also, use KRB5_DELTAT_BADFORMAT as a
+	failure code.
+
+	* lib/asn1/k5.asn1: sync enctypes with pkinit branch
+	
+	* lib/asn1/parse.y (readd) support negative numbers
+	
+	* lib/asn1/lex.l: support hex numbers
+	
+2004-10-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/pkinit.c: use ETYPE_DES3_CBC_NONE_CMS
+	
+	* lib/krb5/crypto.c: add enctype_des3_cbc_none_cms add cms padding
+	for rc2 don't to padding for blocksize 1
+	
+	* lib/hdb/{keys.c,Makefile.am},lib/kadm5/{keys,set_keys}.c:
+	Move keyset parsing and password based keyset generation into hdb.
+	Requested by Andrew Bartlett <abartlet@samba.org> for hdb-ldb
+	backend.
+
+2004-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kuser/kinit.c: adapt to new signature of
+	krb5_get_init_creds_opt_set_pkinit
+	
+	* lib/krb5/pkinit.c: free openssl engine deal with
+	RecipientIdentifier -> CMSIdentifier and heim_any -> name change
+	improve error messages
+	
+	* kdc/pkinit.c: free openssl engine deal with RecipientIdentifier
+	-> CMSIdentifier and heim_any -> name change
+	
+2004-10-04  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kuser/klist.c: use rtbl_set_separator
+	
+2004-10-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c: filter out dup openssl engine keys, parse
+	user options first
+
+	* lib/krb5/pkinit.c: stop using AlgorithmIdentifierNonOpt, add
+	openssl engine support for private key
+
+	* lib/krb5/crypto.c: support padding as its done in CMS
+	
+	* kdc/pkinit.c: improve error logging
+	
+	* kdc/pkinit.c: stop using AlgorithmIdentifierNonOpt
+	
+2004-09-30  Love Hörnquist Åstrand <lha@it.su.se>
+
+	* lib/krb5/krb5.conf.5: assume minutes for time
+
+	* lib/krb5/config_file.c (krb5_config_vget_time_default): use
+	krb5_string_to_deltat
+
+	* lib/krb5/appdefault.c (krb5_appdefault_time): use
+	krb5_string_to_deltat
+
+	* lib/krb5/time.c (krb5_string_to_deltat): set default unit to
+	minute for compatibility with MIT Kerberos.
+	
+
+2004-09-28  Love Hörnquist Åstrand <lha@it.su.se>
+
+	* lib/krb5/get_cred.c (get_cred_kdc_usage): retry using "large
+	message safe" transport if we get back
+	KRB5KRB_ERR_RESPONSE_TOO_BIG error. Idea from Guenther Deschner
+	<gd@sernet.de>
+
+2004-09-23 Johan Danielsson <joda@pdc.kth.se>
+
+	* admin/list.c: use rtbl
+	
+	* admin/ktutil-commands.in: slc source file
+	
+	* lib/krb5/constants.c: check
+	/Library/Preferences/edu.mit.Kerberos on OSX
+
+2004-09-21  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/time.c (krb5_format_time): check return value from
+	localtime and strftime
+
+2004-09-14  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kuser/kinit.c: make sure we don't always get renewable creds
+	
+2004-09-11   Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/acache.c: use krb5_ccapi.h
+	
+	* lib/krb5/krb5_ccapi.h: break out krb5 api definitions to
+	separate (not installed) file
+
+	* lib/krb5/Makefile.am: add AM_CPPFLAGS to libkrb5_la_CPPFLAGS
+	since AM_CPPFLAGS overridden by target specific _CPPFLAGS
+	
+2004-09-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c: make variable shorter, make error messages
+	from pkinit, make freeing easier
+	
+2004-09-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/Makefile.am: link libkrb5 with LIB_dlopen
+	
+	* lib/krb5/crypto.c (seed_something): avoid poking at memory that
+	is uninitialized, make valgrind unhappy. Pointd out by
+	abartlet@samba.org. While where, plug the fd leak.
+	
+2004-09-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/asn1/der_get.c (decode_*): name all tag-length variables the
+	same
+	(decode_enumerated): check that the tag-length is not longer the length
+
+	* lib/asn1/der_get.c (decode_boolean): fail if length of tag is
+	larger then len
+
+2004-08-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/init_creds_pw.c (krb5_get_init_creds): kdc_reply can be
+	set in case of failure too, free unconditionally on exit to avoid
+	memory leak
+
+2004-08-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/get_cred.c (set_auth_data): set pointer to NULL after
+	free
+
+2004-08-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/context.c (krb5_get_err_text): if neither of com_right
+	nor strerror finds the error-code, return Unknown error.
+	
+2004-08-19  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/krb5_kuserok.3: update to reality
+
+	* lib/krb5/kuserok.c: if a .k5login file exist, don't give
+	implicit rights to anyone; also check owner/mode of .k5login
+
+2004-08-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/Makefile.am: man_MANS = krb5_getportbyname.3
+	
+	* lib/krb5/krb5_getportbyname.3: manpage for krb5_getportbyname
+	
+	* lib/krb5/krb5.3: add krb5_getportbyname
+	
+	* lib/krb5/krb5.3: krb5_free_salt and krb5_enctype_valid
+
+	* lib/krb5/krb5_encrypt.3: document krb5_enctype_valid
+	
+2004-08-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kerberos5.c (get_pa_etype_info{,2}): check for dup enctypes
+	from the client and filter them out.
+	
+	* lib/krb5/krb5_string_to_key.3: document krb5_free_salt
+	
+2004-08-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_ticket.3: data needs to be freed when using
+	krb5_ticket_get_authorization_data_type
+
+2004-08-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/test_cc.c: test variables in default_cc_name
+	
+	* lib/krb5/krb5.conf.5: explain support for varibles in
+	[libdefaults]default_cc_name
+	
+	* lib/krb5/cache.c: drop ${time}, its not very useful
+	
+	* lib/krb5/cache.c: Add _krb5_expand_default_cc_name that expand
+	variables in the default cc name. Supported variables now are:
+	${time},${uid} and ${null}
+
+	* lib/krb5/krb5.conf.5: document default_cc_name
+	
+	* lib/krb5/cache.c (krb5_cc_set_default_name):
+	s/libdefault/libdefaults/
+
+2004-08-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/acache.c: replace magic 3 with ccapi_version_3
+	
+	* lib/krb5/Makefile.am: libkrb5_la_SOURCES += acache.c
+	
+	* lib/krb5/krb5.h: add krb5_acc_ops
+	
+	* lib/krb5/acache.c: CCAPI v3 implementation, the read only
+	support was from Magnus Ahltorp and then extended by me to support
+	all other operations.  Tested with MIT kerberos cc cache
+	implementation on MacOS 10.3.3
+
+	* lib/krb5/cache.c (krb5_cc_set_default_name): allow setting the
+	default cc name, this is not very useful for general purpose glue
+	since its not possible to glue in user information (like uid), but
+	for CCAPI it works just fine
+
+2004-08-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kuser/kgetcred.1: document --cache/-c
+	
+	* kuser/kgetcred.c: allow to specify what credential cache to use
+	
+2004-08-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/Makefile.am: add krb5_eai_to_heim_errno.3
+	
+	* lib/krb5/krb5_eai_to_heim_errno.3: document
+	krb5_eai_to_heim_errno, krb5_h_errno_to_heim_errno
+	
+	* lib/krb5/krb5.3: add krb5_eai_to_heim_errno,
+	krb5_h_errno_to_heim_errno
+
+2004-07-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_expand_hostname.3: krb5_expand_hostname_realms
+	result should be free with krb5_free_host_realm drop
+	krb5_get_host_realm text
+
+	* lib/krb5/krb5_set_default_realm.3: krb5_get_host_realm result
+	should be free with krb5_free_host_realm
+	
+	* lib/krb5/krb5_get_in_cred.3: document krb5_free_kdc_rep
+	
+	* lib/krb5/krb5_get_init_creds.3: remove dup krb5_get_init_creds
+	
+	* lib/krb5/krb5_auth_context.3: sort, add krb5_free_authenticator
+	
+	* lib/krb5/Makefile.am: man_MANS += krb5_rd_error
+	
+	* lib/krb5/krb5_rd_error.3: krb5_rd_error and friends
+	
+	* lib/krb5/krb5_warn.3: clarify on what string
+	krb5_free_error_string should operate on
+
+	* lib/krb5/krb5_get_credentials.3: add krb5_get_kdc_cred
+	
+	* lib/krb5/Makefile.am: krb5_get_credentials,
+	krb5_get_forwarded_creds and friends
+
+	* lib/krb5/krb5_get_forwarded_creds.3: krb5_get_forwarded_creds
+	and friends
+
+	* lib/krb5/krb5_get_credentials.3: krb5_get_credentials and
+	friends
+
+2004-07-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kuser/klist.c (print_cred_verbose): keytypes are no longer, use
+	enctype
+
+2004-07-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/hdb-ldap.c (LDAP_entry2mods): allow for pre-c99
+	compilers, From metze at samba.org
+
+2004-07-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/test_cc.c: more cc tests
+	
+	* lib/krb5/krb5_check_transited.3: document krb5_check_transited
+	
+2004-07-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/pkinit.c (pk_principal_from_X509): reverse test, makes
+	principal in cert work From: Mayur Patel <patelm4@rpi.edu>
+	
+2004-07-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/Makefile.am: add krb5_verify_init_creds.3
+
+	* lib/krb5/krb5_verify_init_creds.3: add krb5_verify_init_creds
+	
+2004-07-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_set_password.3: spelling from wiz@netbsd.org
+	description for krb5_passwd_result_to_string
+	
+2004-07-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_set_password.3: Remove superfluous comma; grammar
+	fixes; split sentence in two for better understanding.  From
+	wiz@NetBSD.org. Describe krb5_set_password_using_ccache while here.
+
+	* lib/krb5/krb5_set_password.3: nroff and spelling, from Jonathan
+	Stone <jonathan@dsg.stanford.edu>
+
+	* lib/krb5/changepw.c (process_reply): cast ssize_t to long and
+	print that From NetBSD via Havard Eidnes.
+	
+2004-07-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* configure.in: fix helpstring for hdb-openldap-module
+	
+	* lib/krb5/test_cc.c: don't use krb5_err on error code 0
+	
+2004-07-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/hdb-ldap.c (LDAP_seq): try handling errors better
+	
+2004-07-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/get_in_tkt.c (set_ptypes): make ptypes const
+	
+2004-07-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/hdb-ldap.c (LDAP__connect): call ldap_initialize with
+	right argument
+
+2004-06-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): if the
+	krbtgt is without addresses, default to not sending our own
+	addrport
+
+	* lib/asn1/lex.l: add support for /* */ and partial line --
+	comments
+
+	* kuser/Makefile.am: don't install copy_cred_cache manpage
+	
+2004-06-24  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): if
+	copying a static opt, make sure to allocate the "private" field
+
+2004-06-24  Love  <lha@stacken.kth.se>
+
+	* kdc/config.c: add enable_pkinit_princ_in_cert
+	
+	* kdc/kdc_locl.h: enable_pkinit_princ_in_cert
+	
+	* kdc/pkinit.c: Check certificate for Kerberos Principal in
+	OtherName of subjectAltName Based on patch from Mayur Patel
+	<patelm4@rpi.edu>
+
+2004-06-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/get_cred.c (init_tgs_req): if subkey not avaible, use
+	session key for authorization-data
+
+2004-06-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/connect.c (handle_tcp): note who is what that closed the
+	connection on us
+
+2004-06-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* admin/get.c (kt_get): catch errors from krb5_parse_name
+	
+2004-06-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/hdb-ldap.c: if its the entry just contains the
+	structural object (no samba nor heimdal object), add an aux
+	heimdal object on to it.
+	
+2004-06-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kpasswd/kpasswd.c: use krb5_set_password_using_ccache
+	
+	* lib/krb5/krb5_set_password.3: add krb5_set_password_using_ccache
+	
+	* lib/krb5/changepw.c: implement krb5_set_password_using_ccache
+	
+	* lib/hdb/hdb-ldap.c: Allow the objectClass to be
+	"sambaSamAccount" or structural_object when searching for uid
+	entries.
+
+	* lib/krb5/krb5.conf.5: document [kdc]hdb-ldap-create-base
+	
+	* lib/hdb/hdb-ldap.c: add creation base that defaults to the
+	search base
+
+	* lib/hdb/hdb-ldap.c: indent like the rest of the code
+	
+2004-06-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/hdb-ldap.c: check return values from ldap operations and
+	close it we get back LDAP_SERVER_DOWN. stupid ldap client lib, you
+	should retry by yourself.
+
+	* lib/hdb/hdb-ldap.c: require search base to be configured, create
+	local context structure
+	
+2004-05-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/setup.texi: more ldap text, partly from Tarjei Huse
+	<tarjei@nu.no>
+
+2004-05-28  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/hdb/hdb-ldap.c: clean, indent
+	
+	* lib/hdb/hdb-ldap.c (LDAP_entry2mods): make sure
+	krb5KeyVersionNumber is added on new entires
+
+2004-05-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/setup.texi: minor fixes, partly from Tarjei Huse
+	<tarjei@nu.no>
+
+	* lib/krb5/krb5.conf.5: some text about dbname and realm
+	
+	* lib/krb5/krb5.conf.5: default value for
+	hdb-ldap-structural-object is account
+
+2004-05-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* tools/Makefile.am: use ! instead of , as sed delimiter
+	
+2004-05-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/*.c: add KRB5_LIB_FUNCTION to all exported functions
+
+2004-05-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/hdb-ldap.c: make samba_forwardable a krb5_boolean
+	
+	* lib/hdb/hdb-ldap.c: make samba forwarding a runtime configure
+	option
+
+	* lib/hdb/hdb-ldap.c (LDAP_message2entry): fix [] test From:
+	Andrew Bartlett <abartlet@samba.org>
+	
+	* lib/hdb/hdb-ldap.c (LDAP_message2entry): remove bogus length
+	check From: Andrew Bartlett <abartlet@samba.org>
+	
+	* lib/hdb/hdb-ldap.c (LDAP_message2entry): in the sambaNTPassword
+	case, make sure ent->etypes are allocated, From: Andrew Bartlett
+	<abartlet@samba.org>
+
+2004-05-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kuser/kinit.c: move "setpag if (argc < 1)" to common path
+	
+2004-05-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/verify_krb5_conf.c: pacify pre c99 compilers
+	
+	* fix-export: use right argument for -E
+
+2004-05-06  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kuser/kinit.c: print some diagnostics if the exec fails
+	
+2004-04-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c (pk_rd_pa_reply_dh): use krb5_random_to_key
+	From: Luke Howard <lukeh@padl.com>
+	
+	* lib/krb5/rd_req.c (krb5_verify_ap_req2): clear the whole ticket,
+	not just a pointer size of it From: Luke Howard <lukeh@padl.com>
+	
+2004-04-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* fix-export: add -E flag where needed to make-proto
+	
+2004-04-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/crypto.c: add set_param for RC2
+	
+	* lib/krb5/pkinit.c: use krb5_oid_to_enctype and remove all oids
+	that are no longer needed
+
+	* kdc/pkinit.c: use krb5_enctype_to_oid
+	
+	* lib/krb5/crypto.c (krb5_oid_to_enctype): make sure oid exists
+	before we compare with it
+
+	* lib/krb5/crypto.c (krb5_crypto_get_params): check ivec length
+	before returning it add aes-oids
+	
+	* lib/krb5/crypto.c: add krb5_enctype_to_oid and
+	krb5_oid_to_enctype
+
+	* kdc/pkinit.c: use krb5_crypto_set_params
+	
+	* lib/krb5/crypto.c: add krb5_crypto_set_params, add aes-NNN-cbc-none
+
+	* lib/krb5/krb5.h: add KEYTYPE_AES192
+	
+	* lib/krb5/pkinit.c: use krb5_crypto_get_params to implement
+	kcrypto RC2 support
+
+	* lib/asn1/k5.asn1: add CMS symmetrical parameters here, enctype
+	rc2-cbc XXX RC2CBCParameter is wrong because the compiler is
+	broken
+
+	* lib/krb5/krb5.h: add KEYTYPE_RC2
+	
+	* lib/krb5/crypto.c: add partial CMS parameter handling, this is
+	needed for RC2
+	
+	* lib/asn1/der_cmp.c: add heim_oid_cmp and heim_octet_string_cmp
+	
+	* lib/asn1/Makefile.am (libasn1_la_SOURCES) += der_cmp.c
+	
+	* lib/asn1/der.h: add heim_oid_cmp and heim_octet_string_cmp
+	
+	* lib/asn1/k5.asn1: add ETYPE_AESNNN_CBC_NONE
+	
+	* lib/asn1/k5.asn1: add CMS symmetrical parameters here, enctype
+	rc2-cbc, XXX RC2CBCParameter is wrong because the compiler is broken
+
+2004-04-26  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/config_file.c: allow parsing directly from strings with
+	krb5_config_parse_string_multi
+	
+	* lib/krb5/verify_krb5_conf.c: try to resolve hostnames
+	
+2004-04-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/store_fd.c (krb5_storage_from_fd): dup the file
+	descriptor so we don't have to keep track of it in two places
+	
+	* kuser/copy_cred_cache.c: krb5_cc_copy_cache_match now lives in
+	libkrb5
+
+	* lib/krb5/krb5_{,compare_}creds.3: move krb5_compare_creds to its
+	own manpage
+	
+	* replace krb5_free_creds_contents by krb5_free_cred_contents
+	
+	* lib/krb5/cache.c: add krb5_cc_next_cred_match() and
+	krb5_cc_copy_cred_match()
+	
+	* lib/krb5/creds.c (krb5_compare_creds): add more matching options
+	
+	* lib/krb5/krb5.h: add more creds match flags
+	
+	* kuser/copy_cred_cache: add --valid-for option
+	
+	* lib/krb5/store.c (krb5_store_creds): set is_skey flag if length
+	of second ticket is > 0
+
+2004-04-25  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/krb5/pkinit.c: use the right oid for pkauthdata
+	
+	* lib/krb5/pkinit.c: always send both win2k compat version and the
+	ietf draft one, this is possible since microsoft use
+	wrong/diffrent PA number.  Make the configuration flag boolean
+	configuring if NOT to send the win2k compat glue.
+	
+	* lib/krb5/krb5_encrypt.3: document krb5_{de,en}crypt_ivec
+
+	* kuser/copy_cred_cache.1: pacify mdoclint
+	
+	* kdc/pkinit.c: use IV for envelopeddata encryption, patch
+	originally from Luke Howard <lukeh@padl.com>, tweeked by me.
+	
+	* lib/krb5/krb5_storage.3: document
+	KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER
+
+	* lib/krb5/krb5_data.3: document that krb5_data_free cleans the
+	structure too
+
+	* lib/krb5/pkinit.c: use IV for envelopeddata encryption, patch
+	originally from Luke Howard <lukeh@padl.com>, tweeked by me.
+	
+2004-04-24  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kuser/copy_cred_cache.{c,1}: add cred cache copy tool
+	
+	* configure.in: use rk_SYS_LARGEFILE
+	
+	* lib/krb5/{krb5.h,store.c,fcache.c}: Fix the cache flags bitorder
+	issue with a storage flag instead of a separate function.
+	
+2004-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c: move out the oid check from get_reply_key
+
+	* lib/krb5/pkinit.c: uniquify error messages
+	
+	* lib/krb5/init_creds_pw.c: make the pkinit nonce same os the
+	plain nonce for now
+
+	* lib/krb5/pkinit.c: more w2k compat from Luke Howard
+	<lukeh@padl.com> add RC2 support, clean up error messages
+	
+	* lib/krb5/pkinit.c: remove more dependency on
+	krb5_config->pkinit_flags
+
+	* lib/krb5/pkinit.c (_krb5_pk_convert_rep): convert microsoft
+	style answer to IETF, From Luke Howard <lukeh@padl.com>
+	(_krb5_pk_create_sign): ms handles NULL in param, so always send it
+	(_krb5_pk_mk_padata): look for [realms]REALM = { win2k_pkinit = bool }
+
+	* lib/krb5/pkinit.c (_krb5_pk_create_sign): always set the
+	digestAlgorithm to sha1 (both for SignerInfo and SignedData, add
+	new function _set_digest_alg to set it
+
+2004-04-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* include/make_crypto.c: include rc2.h, and when I'm here, make
+	aes mandatory
+
+	* lib/krb5/krb5.h: add ENCTYPE_ARCFOUR_HMAC as compat glue for MIT
+	kerberos
+
+	* lib/krb5/crypto.c (krb5_crypto_init): clear return pointer on
+	failure
+
+	* lib/krb5/crypto.c (DES3_random_to_key): make it produce the
+	right result
+	(DES3_postproc): use DES3_random_to_key
+	(krb5_random_to_key): check the required number of bits (not the size
+	of the key)
+
+	* lib/krb5/aes-test.c: test random to key function
+
+	* lib/krb5/string-to-key-test.c: comment out the "@"/"" test for
+	now
+
+2004-04-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_string_to_key.3: document that
+	krb5_string_to_key_derived is broken for non 3des enctypes and
+	thus deprecated
+
+	* kdc/pkinit.c (generate_dh_keyblock): use the new function
+	krb5_random_to_key
+
+	* lib/krb5/crypto.c: add des and DES3 random_to_key hooks, they
+	need special processing
+
+	* lib/krb5/crypto.c (krb5_random_to_key): new function
+	
+	* lib/krb5/krb5_keyblock.3: document krb5_random_to_key
+	
+2004-04-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/pkinit.c: use the first proposed enable enctype
+	
+	* lib/krb5/context.c (krb5_set_default_in_tkt_etypes): use the
+	return from krb5_enctype_valid
+
+	* kdc/pkinit.c: at least try to handle diffrent enveloped enctypes
+	
+2004-04-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/asn1/der_get.c: 1.28.2.16: (der_get_oid): handle all oid
+	components being smaller then 127 and allocate one extra element
+	since first byte is split to to elements.
+	
+2004-04-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/asn1/k5.asn1: ETYPE_DIGEST_MD5_NONE, ETYPE_CRAM_MD5_NONE:
+	private use, lukeh@padl.com
+
+2004-04-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c (build_auth_pack): use heim_integer to encode
+	DH public key
+
+2004-04-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_init_context.3: add krb5_context to so its added
+	as manpage-link too
+
+2004-04-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/fcache.c (fcc_remove_cred): simplistic implementation,
+	XXX add locking
+
+	* kuser/kdestroy.c: add --credential argument that just remove one
+	credential entry out of the cache specified
+	
+	* kdc/pkinit.c: replace the krb5.conf configuration option that
+	describes the mapping between principals and subject names with a
+	file, default /var/heimdal/pki-mapping. XXX this should be pushed
+	into HDB. XXX should add issuer too
+	
+	* kdc/config.c: merge certificate/private_key to a user_id
+	
+2004-04-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kdc_locl.h: update prototype for pk_initialize
+	
+	* kuser/kinit.c: merge certificate/private_key to a user_id
+	
+	* kdc/pkinit.c: adapt to heim_integer changes
+	
+	* lib/krb5/pkinit.c: merge certificate/private_key to a user_id
+	
+	* kdc/pkinit.c: adapt to heim_integer changes,
+	merge certificate/private_key to a user_id
+	
+2004-04-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c: use KRB5_PADATA_PK_AS_REQ_WIN free X509_STORE
+	
+2004-04-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/Makefile.am: define BUILD_KRB5_LIB when building
+	libkrb5.la, add KRB5_LIB_FUNCTION proto
+
+	* lib/krb5/add_et_list.c: add KRB5_LIB_FUNCTION
+	
+	* configure.in: export KRB5_LIB_FUNCTION when building with
+	BUILD_KRB5_LIB
+
+	* lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type): add
+	error strings
+
+	* lib/krb5/prompter_posix.c (krb5_prompter_posix): if some thing
+	is printed on stderr, fflush it
+
+	* lib/krb5/krb5_keyblock.3: free functions also zeros out the key
+	
+	* lib/krb5/krb5_get_init_creds.3: some text about
+	krb5_prompter_posix
+
+	* lib/krb5/krb5.conf.5: document hdb-ldap-structural-object
+	
+	* lib/krb5/cache.c: add krb5_cc_get_prefix_ops
+	
+	* lib/krb5/krb5_ccache.3: add krb5_cc_get_prefix_ops
+	
+2004-04-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* appl/test/http_client.c: support GSS_C_DELEG_FLAG and
+	GSS_C_MUTUAL_FLAG
+
+	* appl/test/http_client.c: verbose logging
+	
+2004-04-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/connect.c: case size_t to unsigned long for LP64 platforms
+	
+2004-04-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/hdb-ldap.c (hdb_ldap_create): allow configuration of
+	default structural object
+
+	* tools/Makefile.am: handle sed expression breaking
+	
+2004-03-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krbhst.c: also lookup _kpasswd._tcp SRV-rr
+	
+	* lib/krb5/changepw.c: add tcp support to the set protocol, should
+	be cleaned up to enable sharing code with krb5_sendto
+	
+	* kpasswd/kpasswd.c (change_password): remove extra free
+	
+	* lib/krb5/krb5_acl_match_file.3: try to pacify mdoc macros on
+	osf/1
+
+2004-03-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/init_creds_pw.c (pa_data_add_pac_request): don't
+	increase md->len, krb5_padata_add already does that
+	
+	* lib/krb5/init_creds.c: its PAC not PAQ
+	
+	* kuser/kinit.c: its PAC not PAQ
+	
+	* kdc/kerberos4.c: stop the client from renewing tickets into the
+	future From: Jeffrey Hutzelman <jhutz@cmu.edu>
+
+2004-03-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* configure.in: try to handle sys/strtty.h needing sys/stream.h
+	
+2004-03-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/send_to_kdc.c: remove function krb5_sendto_kdc2, its no
+	longer used
+	
+	* kdc/kerberos5.c: s/krb5_get_host_realm_int/_&/
+	
+	* lib/krb5/get_host_realm.c: unexport krb5_get_host_realm_int to
+	external users by prefixing it with _
+
+	* lib/krb5/get_cred.c: s/krb5_mk_req_internal/_&/
+	
+	* lib/krb5/mk_req_ext.c: unexport krb5_mk_req_internal to external
+	users by prefixing it with _
+
+2004-03-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c: add missing }
+	
+2004-03-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/pkinit.c: adapt to change of signature of
+	_krb5_pk_load_openssl_id
+
+	* lib/krb5/pkinit.c: (krb5_get_init_creds_opt_set_pkinit): add
+	prompter argument and use it
+
+	* kuser/kinit.c: adapt to signature change of
+	krb5_get_init_creds_opt_set_pkinit
+	
+	* lib/krb5/krb5.3: add more stuff, 105 functions to go
+
+	* lib/krb5/krb5_rcache.3: add krb5_get_server_rcache
+	
+	* lib/krb5/krb5_rcache.3: framework for replay cache manpage
+	
+	* lib/krb5/krb5_string_to_key.3: document string to key functions
+	
+	* lib/krb5/Makefile.am: man_MANS += krb5_expand_hostname.3
+	krb5_find_padata.3 krb5_generate_random_block.3
+
+	* lib/krb5/krb5_encrypt.3: document krb5_get_wrapped_length
+	
+	* lib/krb5/krb5.3: add some more, 137 to go
+	
+	* lib/krb5/krb5_principal.3: document krb5_get_default_principal
+	
+	* lib/krb5/krb5_keyblock.3: document krb5_generate_subkey
+	
+	* lib/krb5/krb5_generate_random_block.3: document
+	krb5_generate_random_block
+	
+	* lib/krb5/krb5_find_padata.3: document padata functions
+	
+	* lib/krb5/krb5.3: add some more, 142 to go
+	
+	* lib/krb5/krb5_creds.3: drop .Pp before .Sh
+	
+	* lib/krb5/krb5_set_default_realm.3: document krb5_copy_host_realm
+	
+	* lib/krb5/krb5_expand_hostname.3: document krb5_expand_hostname
+	and krb5_expand_hostname_realms
+
+	* lib/krb5/krb5.3: add more functions, 147 to go
+	
+	* lib/krb5/krb5_creds.3: document krb5_creds
+	
+	* lib/krb5/krb5_get_init_creds.3: add more functions, some more
+	text
+
+	* lib/krb5/krb5_ticket.3: document
+	krb5_ticket_get_authorization_data_type
+
+2004-03-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/aes-test.c: remove #if 0'ed code
+	
+	* lib/krb5/krb5.3: add keyblock functions, 177 functions to go
+	
+	* lib/krb5/krb5_verify_user.3: add krb5_verify_opt_set_ccache
+	
+	* lib/krb5/krb5_encrypt.3: document krb5_decrypt_ticket
+	
+	* lib/krb5/krb5_config.3: document krb5_config_free_strings and
+	krb5_config_file_free
+
+	* lib/krb5/krb5_create_checksum.3: add krb5_hmac
+	
+	* lib/krb5/krb5.3: add keyblock functions, 190 functions to go
+
+	* lib/krb5/krb5_keyblock.3: update .Dd
+	
+	* lib/krb5/krb5_keyblock.3: document krb5_copy_keyblock and
+	krb5_generate_random_keyblock
+
+	* lib/krb5/krb5_init_context.3: add krb5_init_ets
+	
+	* lib/krb5/krb5_config.3: add more krb5_config_ functions and
+	prototypes
+
+	* lib/krb5/krb5_init_context.3: document context modifcation
+	functions: address list, config file, use admin kdc, fcc version
+	
+	* lib/krb5/krb5_storage.3: document krb5_storage and related
+	functions
+
+	* lib/krb5/Makefile.am: add acl and krb524_convert_creds_kdc
+	manpages and test_acl test program
+
+	* lib/krb5/krb5.3: add error string functions and sort
+	
+	* lib/krb5/krb5_warn.3: document krb5_abort and error string
+	functions
+
+	* lib/krb5/krb5.3: add missing functions, only 285 left to
+	document
+
+	* lib/krb5/krb5_crypto_init.3: remove various enctype related
+	function
+
+	* lib/krb5/krb5_encrypt.3: add various enctype related function
+	here
+
+	* lib/krb5/krb5_create_checksum.3: add krb5_cksumtype_valid
+	krb5_cksumtype_valid
+
+	* lib/krb5/crypto.c: real return values for
+	krb5_{enctype,cksumtype}_valid
+
+	* lib/krb5/krb5_create_checksum.3: add some functions and
+	descriptions
+
+	* lib/krb5/krb5_c_make_checksum.3: move out non krb5_c functions
+	
+	* lib/krb5/krb5_auth_context.3: document
+	krb5_auth_con_generatelocalsubkey
+
+	* lib/krb5/krb5_krbhst_init.3: document krb5_krbhst_init_flags
+	
+	* lib/krb5/krb5_keytab.3: document krb5_kt_default_modify_name
+	
+	* lib/krb5/krb5_init_context.3: document krb5_add_et_list
+	
+	* lib/krb5/krb524_convert_creds_kdc.3: document
+	krb524_convert_creds_kdc, krb524_convert_creds_kdc_ccache
+
+	* lib/krb5/krb5_acl_match_file.3: document krb5_acl_match_*
+	
+	* lib/krb5/test_acl.c: test for generic acl code
+
+	* lib/krb5/acl.c: plug memory leak on file matching, 
+	make it not fall over when no non matching acl,
+	make fnmatch matching useful by switching arguments
+	
+2004-03-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/config.c: add --builtin-hdb command
+	
+	* lib/hdb/hdb.c (hdb_list_builtin): return a list of builtin
+	backends
+
+	* doc/setup.texi: include Luke Howard of PADL.COM ldap hdb
+	documentation
+
+	* doc/win2k.texi: fix bugs in examples, add more restrictions, use
+	example.com as an example. From: Pavel Ferdan
+	<xferdan@informatics.muni.cz>
+
+2004-03-18  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/krb5.conf.5: add a bunch of Li and document [kadmin]
+	password_lifetime; from Henry B. Hotz
+
+2004-03-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/mk_rep.c (krb5_mk_rep): if KRB5_AUTH_CONTEXT_USE_SUBKEY
+	is set send subkey
+	(generate if needed)
+
+	* lib/krb5/krb5.h: add KRB5_AUTH_CONTEXT_USE_SUBKEY
+	
+2004-03-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/hdb-ldap.c: clean up error handling, plug memory leaks,
+	and free memory in error path, assume realloc(NULL, ...) works,
+	factor out common code, indent
+
+2004-03-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/verify_krb5_conf.c: understand [password_quality]
+	spelling
+	
+	* kuser/kgetcred.1: document --canonicalize
+	
+	* kuser/kgetcred.c: add --canonicalize
+	
+2004-03-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/fcache.c (fcc_store_cred): NULL terminate
+	krb5_config_get_bool_default' arglist
+	
+2004-03-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kerberos5.c: add missing req argument to pk_mk_pa_reply
+	
+	* kdc/pkinit.c (pk_mk_pa_reply): add hdb_entry
+	
+	* kdc/pkinit.c: pass client hdb_entry to pk_check_client
+	
+	* kdc/kdc_locl.h: pass client hdb_entry to pk_check_client
+	
+	* kuser/kinit.c: rename ca_dir to pkinit/x509_anchors since its
+	more like that language in RFC3280
+	
+	* lib/krb5/pkinit.c: rename ca_dir to pkinit/x509_anchors since
+	its more like that language in RFC3280
+	
+	* lib/krb5/krb5.conf.5: document
+	[libdefaults]fcc-mit-ticketflags=boolean
+
+	* lib/krb5/fcache.c (fcc_store_cred): use
+	[libdefaults]fcc-mit-ticketflags=boolean to decide what format to
+	write the fcc in. Default to mit version (aka heimdal 0.7)
+	
+	* lib/krb5/store.c: add _krb5_store_creds_heimdal_0_7 and
+	_krb5_store_creds_heimdal_pre_0_7 that store the creds in just
+	that format make krb5_store_creds default to mit format
+	
+	* lib/krb5/store.c (krb5_ret_creds): Runtime detect the what is
+	the higher bits of the bitfield
+	
+2004-03-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/store.c (krb5_store_creds): add disabled code that
+	store the ticket flags in reverse order
+	(bitswap32): new function
+
+	* lib/krb5/store.c (krb5_ret_creds): if the higher ticket flags
+	are set, its a mit cache, reverse the bits, bug pointed out by
+	Sergio Gelato <Sergio.Gelato@astro.su.se>
+
+2004-03-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/hdb-ldap.c: use macro for HDB * -> LDAP *
+	
+	* kuser/kinit.c: when running kinit with a subprocess, fetch new
+	tickets after half the tickets lifetime
+	
+	* lib/hdb/hdb.c: spelling
+	
+	* lib/hdb/hdb-ldap.c: Intergrate Heimdal's hdb-ldap and the Samba
+	password database.  From: Andrew Bartlett <abartlet@samba.org>
+
+	* kdc/config.c: add --disable-DES
+	
+	* kdc/kdc.8: document --detach and --disable-DES
+	
+	* kdc/kerberos5.c: check if enctype is disabled before using it
+	
+	* lib/krb5/crypto.c: add support for disabling checksum/encryption
+	types
+
+	* tools/kdc-log-analyze.pl: add more cases
+	
+	* kdc/connect.c: on strange tcp error; log local port number and
+	socket type
+	
+	* lib/asn1/der.h: fix prototype of encode_utf8string
+	
+	* lib/asn1/gen.c: catch CHOICE and generate dummy placeholder
+	
+	* lib/asn1/lex.l: added dummy parsing of CHOICE
+	
+	* lib/asn1/parse.y: added dummy parsing of CHOICE
+	
+	* lib/asn1/k5.asn1: drop SMTP_NAME
+	
+2004-03-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/Makefile.am: support building ldap backend as module
+	sort asn1 hdb files
+	
+	* lib/hdb/hdb.c: when building ldap as a shared module, don't
+	include it in the list
+
+	* configure.in: add --enable-hdb-openldap-module
+	
+	* lib/hdb/hdb-ldap.c: make ldap possible to build as a shared
+	module
+
+	* lib/hdb/mkey.c: add hdb_{,un}seal_key{,_mkey} from Andrew
+	Bartlett <abartlet@samba.org>
+
+	* lib/krb5/crypto.c (decrypt_internal_special): do not not modify
+	the original data test case from Ronnie Sahlberg
+	<ronnie_sahlberg@ozemail.com.au>
+
+2004-03-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/test_cc.c: more cc tests, mostly related to mcc
+	behavior
+
+	* lib/krb5/mcache.c (mcc_get_principal): also check for
+	primary_principal == NULL now that that isn't used as dead flag
+	
+	* lib/krb5/mcache.c: don't overload the primary_principal == NULL
+	as dead since that doesn't always work. Based on patch from
+	Jeffrey Hutzelman <jhutz@cmu.edu>, tweeked by me
+	
+2004-02-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/pkinit.c: adapt to rename of oid_cmp to heim_oid_cmp
+	
+	* lib/krb5/pkinit.c: adapt to rename of oid_cmp to heim_oid_cmp
+	
+	* lib/hdb/db3.c: fix all db >= 4.1 cases
+	
+	* doc/setup.texi: add text about hostname to realm mapping using
+	DNS
+
+2004-02-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/pkinit.c: update error codes
+	
+	* lib/krb5/krb5_err.et: prefix pkinit error codes with KRB5_
+
+	* lib/krb5/pkinit.c: update error codes
+	
+2004-02-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c: indent, use krb5_abortx() instead of abort()
+	
+	* lib/krb5/init_creds_pw.c (process_pa_data_to_key): spelling
+	
+	* lib/krb5/store.c: handle memory allocate errors
+
+	* lib/krb5/fcache.c (_krb5_xlock): handle that everything was ok,
+	and don't put an error in the error strings then
+	
+2004-02-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/pkinit.c: s/heim_big_integer/heim_integer/
+	
+	* lib/krb5/pkinit.c: s/heim_big_integer/heim_integer/
+	
+	* kdc/pkinit.c: adapt to asn1 bignum code, use HEIM_PKINIT errors
+	
+	* lib/krb5/pkinit.c: adapt to asn1 bignum code, use HEIM_PKINIT
+	errors
+	
+	* lib/krb5/heim_err.et: add HEIM_PKINIT specific errors
+	
+2004-02-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* configure.in: rename AC_WFLAGS to rk_WFLAGS
+	
+	* acinclude.m4: use m4_define, over-quote string
+	
+2004-02-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/init_creds_pw.c (change_password): handle that
+	printf("%.*s", 0, (void*)NULL); doesn't work on solaris
+	
+2004-02-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kpasswd/kpasswd.c (change_password): handle that printf("%.*s",
+	0, (void*)NULL); doesn't work on solaris
+	
+	* lib/krb5/krb5.conf.5: don't use path's in first .Nm, it confuses
+	some locate.updatedb, use FILES section to describe where the file
+	is instead.
+
+2004-02-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/asn1/check-der.c: test for "der_length.c: Fix len_unsigned
+	for certain negative integers, it got the length wrong" , from
+	Panasas, Inc.
+
+	* lib/asn1/der_length.c: Fix len_unsigned for certain negative
+	integers, it got the length wrong, fix from Panasas, Inc.
+	
+	rename len_int and len_unsigned to _heim_\&
+	
+	* lib/asn1/der_locl.h: add _heim_len_unsigned, _heim_len_int
+	
+2004-02-06  Dave Love  <d.love@dl.ac.uk>
+
+	* configure.in: Check for sys/socket.h, net/if.h.  Modify term.h,
+	security/pam_appl.h tests.
+	
+2004-02-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/asn1/check-gen.c: test for: (length_type): TSequenceOf: add
+	up the size of all the elements, don't use just the size of the
+	last element.
+
+	* lib/krb5/aes-test.c: add "next iv" test for aes128, check
+	decryption case too
+
+	* lib/krb5/crypto.c (_krb5_aes_cts_encrypt): out iv is the iv of
+	the next to last block, fix decryption case too
+	
+	* lib/krb5/aes-test.c: add "next iv" test for aes128
+	
+	* lib/krb5/crypto.c (_krb5_aes_cts_encrypt): out iv is the iv of
+	the next to last block
+
+	* lib/krb5/mk_rep.c (krb5_mk_rep): abort on internal asn1 encode
+	error
+	
+	* lib/krb5/mk_rep.c (krb5_mk_rep): abort on internal asn1 encode
+	error
+
+	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): abort on internal asn1
+	encode error
+
+	* lib/krb5/mk_priv.c (krb5_mk_priv): abort on internal asn1 encode
+	error
+
+	* lib/krb5/get_cred.c (make_pa_tgs_req): abort on internal asn1
+	encode error
+
+	* lib/krb5/build_auth.c (krb5_build_authenticator): abort on
+	internal asn1 encode error
+
+	* lib/krb5/build_ap_req.c (krb5_build_ap_req): abort on internal
+	asn1 encode error
+
+2004-01-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/setup.texi: some text about order of [capaths] realms
+	
+2004-01-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/context.c: register WRFILE ops
+	
+	* lib/krb5/keytab_file.c: add krb5_wrfkt_ops/WRFILE (same as FILE)
+	
+	* lib/krb5/krb5.h: add krb5_wrfkt_ops
+	
+	* kpasswd/kpasswdd.c (change): use the right password when
+	changing the password
+
+2004-01-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/fcache.c (_krb5_xlock): catch EINVAL and assume that it
+	means that the filesystem doesn't support locking
+	
+	* lib/krb5/keytab.c: remove #if 0 out file locking code
+	
+2004-01-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/asn1/gen_length.c (length_type): TSequenceOf: add up the
+	size of all the elements, don't use just the size of the last
+	element.
+
+2004-01-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kuser/kinit.c (renew_validate): if renewable_flag and not time
+	specifed, use "1 month"
+
+2004-01-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_keyblock.3: add prototypes, describe
+	krb5_keyblock_zero
+
+2004-01-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/get_for_creds.c (add_addrs): don't add same address
+	multiple times
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): try to
+	handle errors better for previous commit
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): If tickets
+	are address-less, forward address-less tickets.
+	
+	* lib/krb5/get_cred.c: rename get_krbtgt to _krb5_get_krbtgt and
+	export it
+
diff --git a/crypto/heimdal/ChangeLog.2005 b/crypto/heimdal/ChangeLog.2005
new file mode 100644
index 0000000..8c84b1c
--- /dev/null
+++ b/crypto/heimdal/ChangeLog.2005
@@ -0,0 +1,2004 @@
+2005-12-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kerberos5.c (tgs_make_reply): less const on hdb_entry_ex to
+	make samba happy
+
+	* fix-export: Build kdc-private.h.
+	
+2005-12-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kerberos5.c (tgs_rep2): also print the principal for which
+	the enctype was missing
+	
+2005-12-13  Love Hörnquist Åstrand <lha@it.su.se>
+
+	* kdc/kaserver.c: Finish up transition from hdb_entry to
+	hdb_entry_ex.
+
+	* kdc/kerberos4.c: Finish up transition from hdb_entry to
+	hdb_entry_ex.
+
+	* kdc/524.c: Finish up transition from hdb_entry to hdb_entry_ex.
+
+	* kdc/kerberos5.c: Finish up transition from hdb_entry with
+	hdb_entry_ex.
+
+	* lib/krb5/cache.c (krb5_cc_set_default_name): use
+	KRB5_DEFAULT_CCNAME.
+
+	* lib/krb5/krb5_locl.h: Add KRB5_DEFAULT_CCNAME, pointer to
+	default credential cache.
+
+	* lib/hdb/ndbm.c: memset hdb_entry_ex before use
+
+	* lib/hdb/db3.c: memset hdb_entry_ex before use
+	
+	* lib/hdb/db.c: memset hdb_entry_ex before use
+	
+2005-12-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5.3: Add some more entrypoints.
+
+	* lib/krb5/changepw.c: If there is a target principal, use the
+	realm of the realm to change the password with,
+
+	* kuser/kinit.c: Default to use DH when fetching keys.
+
+	* lib/hdb, kdc, kadmin/load.c: Wrap hdb_entry with hdb_entry_ex, patch
+	originally from Andrew Bartlet
+
+	* lib/hdb/hdb-ldap.c: Wrap hdb_entry with hdb_entry_ex, add url
+	support, add ldapi support.
+
+	* kdc/kerberos5.c (tgs_make_reply): there are no such things a
+	keytypes any more, just use enctypes.
+
+	* kdc/kdc_locl.h: Remove private prototypes and instead include
+	<kdc-private.h>.
+
+	* kdc/Makefile.am: Build kdc-private.h and depend on it.
+
+	* kdc/config.c (configure): wrap line
+
+	* doc/kerberos4.texi: KDC 4 support is always compiled in.
+	
+	* TODO: Remove some stuff that have been done.
+
+	* Makefile.am: Split long line
+
+	* doc/apps.texi: Spelling, From Måns Nilsson.
+
+	* doc/install.texi: spelling, From Måns Nilsson
+	
+2005-12-11  Love Hörnquist Åstrand <lha@it.su.se>
+
+	* lib/krb5/krb5_principal.3: Constify principal argument to on
+	krb5_principal_get_ functions.
+
+	* lib/krb5/principal.c: Constify principal argument to on
+	krb5_principal_get_ functions.
+	
+2005-12-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb: drop convert_db, 0.0 to 0.1 transition was a long long
+	time ago
+
+2005-12-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/test_keytab.c: more tests, From Andrew Bartlet
+
+	* lib/krb5/keytab_memory.c (mkt_remove_entry): realloc can return
+	NULL on success in the case 0 entries are allocated, From Andrew
+	Bartlet
+	
+2005-12-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/acl.c (acl_parse_format): tmp needs to be freed too on
+	failure to parse format specifier.
+	
+	* lib/krb5/store-test.c: Free more of the allocated memory.
+
+	* lib/krb5/crypto.c (krb5_derive_key): Free more of the allocated
+	memory, this function is only used by the test program.
+	
+	* lib/krb5/parse-name-test.c: Free more of the allocated memory.
+
+	* lib/krb5/derived-key-test.c: Free more of the allocated memory.
+	
+2005-12-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/setup.texi: spelling, From Måns Nilsson
+
+	* lib/krb5/krb5_keytab.3: Memory keytab are now named and
+	refcounted.
+
+	* lib/krb5/test_keytab.c: Test that memory keytab are refcounted.
+
+	* lib/krb5/keytab_memory.c: Index by name and start reference
+	counting on entries.
+	
+2005-11-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5.h (krb5_address_type): add
+	KRB5_ADDRESS_NETBIOS (20)
+
+	* lib/hdb/hdb.c (find_method): accept relative paths as old db
+	format too.
+
+	* lib/krb5/aes-test.c: Remove usage of krb5_enctype_to_keytype.
+	
+2005-11-29  Dave Love  <fx@gnu.org>
+
+	* kcm/connect.c (kcm_loop): Use HAVE_DOOR_CREATE, not HAVE_DOORS.
+	
+2005-11-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/verify_krb5_conf.c (libdefaults_entries): add
+	default_cc_name
+
+	* lib/hdb/hdb.c: Only match db databases on filename starting with
+	'/'.
+
+	* lib/krb5/rd_req.c (krb5_verify_ap_re2): check timestamp in
+	authenticator
+
+	* lib/krb5/rd_req.c (check_transited): explain the TR-type 0
+	better and why it matters.
+
+	* lib/krb5/test_cc.c: test krb5_cc_get_prefix_ops
+
+	* lib/krb5/cache.c (krb5_cc_get_prefix_ops): change the behavior
+	to return NULL when its not found, and fcc when the name starts
+	with a '/'. Almost matches behavior in other parts of the code,
+	but can't really do that since the name passed in to this function
+	may only contain the prefix itself without the colon.
+
+	* lib/krb5/cache.c (krb5_cc_get_prefix_ops): if there are not
+	colon (:) in the name, its a file credential cache
+
+	* lib/hdb/db3.c (hdb_db_create): use calloc to callocate memory
+
+	* lib/hdb/ndbm.c (hdb_ndbm_create): use calloc to allocate memory
+
+	* lib/hdb/db.c (hdb_db_create): use calloc to allocate memory
+
+2005-11-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): use session
+	key for delegated credentials
+
+	* kdc/kerberos5.c (_kdc_as_rep): add comment when we send
+	ETYPE-INFO and ETYPE-INFO2, from Andrew Bartlett
+	
+2005-11-25  Love Hörnquist Åstrand <lha@it.su.se>
+
+	* lib/krb5/keytab.c (krb5_kt_get_full_name): new function
+	
+2005-11-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/test_crypto.c: Split encryption and s2k iterations to
+	diffrent counters, 38seconds of aes256 s2k is way too long.
+
+	* lib/krb5/test_crypto.c: Add timing code for s2k function.
+
+2005-11-07  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/kerberos5.c: Print the time the principal expired, based on
+	patch from Andrew Bartlett.
+	
+2005-11-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/cache.c (krb5_cc_get_full_name): Add
+	
+2005-11-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* configure.in: Spelling, From Michael Banck <mbanck@debian.org>
+	
+2005-10-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kcm/headers.h: Maybe include <sys/param.h>.
+
+2005-10-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type):
+	understand KRB5_AUTHDATA_IF_RELEVANT and KRB5_AUTHDATA_AND_OR (but
+	have KRB5_AUTHDATA_KDC_ISSUED commented out for now)
+	
+2005-10-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kuser/klist.c: In the list caches view, rename the Status field
+	to Expires.
+
+	* lib/krb5/krb5_encrypt.3: Fix mdoc for
+	krb5_encrypt_EncryptedData, Johnny Lam <jlam@pkgsrc.org>
+	
+2005-10-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* appl/test/gssapi_client.c: Check return value from asprintf
+	instead of string != NULL since it undefined behavior on
+	Linux. From Björn Sandell
+	
+2005-10-21  Love Hörnquist Åstrand <lha@it.su.se>
+
+	* lib/krb5/pkinit.c (_krb5_dh_group_ok): if not enough bits are
+	generated from the DH groups, fail.
+
+	* kdc/pkinit.c (get_dh_param): Pass down config so this function
+	can check pkinit_dh_min_bits
+
+	* kdc/config.c: Fill in pkinit_dh_min_bits from configuration
+	file.
+
+	* kdc/kdc.h: Add pkinit_dh_min_bits to krb5_kdc_configuration.
+	
+2005-10-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c: Add option to require binding between reply
+	and response for the win2k version of the protocol.
+	
+2005-10-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/programming.texi: Text about Kerberos errors.
+	
+	* lib/krb5/pkinit.c: Try both ReplyKey and ReplyKey-Win2k for the
+	Windows case to support the updated -09 protocol (using
+	asChecksum). Tell KDC we support this by sending
+	KRB5-PADATA-PK-AS-09-BINDING in the pa-data.
+	
+	* lib/krb5/test_cc.c: Test copy FILE -> FILE, and MEMORY -> MEMORY
+	too.
+
+	* lib/krb5/test_cc.c: Test krb5_cc_copy_cache and
+	krb5_cc_cache_match.
+
+	* lib/krb5/cache.c (krb5_cc_cache_match): add function that
+	iterates over all credential caches for a user and returns a
+	match.
+	
+	* lib/krb5/krb5_ccache.3: Add krb5_cc_start_seq_get and an
+	example.
+
+2005-10-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/programming.texi: Try to explain krb5_ccache, krb5_principal
+	and errors.
+	
+2005-10-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_get_credentials.3: Add example how to use
+	krb5_get_credentials.
+	
+2005-10-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/init_creds.c: Rename private to opt_private.
+
+	* lib/krb5/init_creds_pw.c: Rename private to opt_private.
+
+	* lib/krb5/pkinit.c: rename element private to opt_private to make
+	c++ picky compilers less upset.
+
+	* lib/krb5/krb5.h (krb5_get_init_creds_opt): rename element
+	private to opt_private to make c++ picky compilers less upset.
+	
+2005-10-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krbhst.c (_krb5_krbhost_info_move): new function
+	(_krb5_free_krbhst_info): expose to internal use
+	
+	* lib/krb5/init_creds_pw.c: Prepare to pass down a
+	krb5_krbhst_info into the pre-auth mechs
+
+	* lib/krb5/pkinit.c: Inline short functions, share more code,
+	rename COMPAT_27 to COMPAT_IETF, pass down a krb5_krbhst_info for
+	verification of KDC info, and general cleaning up.
+	
+2005-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/Makefile.am: Install krb5.moduli in sysconfdir.
+
+	* lib/krb5/krb5_locl.h: rename moduli file to SYSCONFDIR
+	"/krb5.moduli"
+
+	* lib/krb5/krb5_locl.h: Add forward declaration for
+	krb5_dh_moduli.  Add define for MODULI_FILE.
+
+	* kdc/pkinit.c: Removing PK-INIT-19 support.
+
+	* lib/krb5/pkinit.c: Removing PK-INIT-19 support.
+
+	* lib/krb5/pkinit.c (_krb5_dh_group_ok): return DH group name on
+	success.
+	(krb5_get_init_creds_opt_set_pkinit): use moduli file if it exists
+
+	* kdc/pkinit.c: Save DH group name and print it on success.
+
+	* lib/krb5/pkinit.c (_krb5_dh_group_ok): if q is zero, ignore it.
+
+	* kdc/pkinit.c: Check dh group parameters from client.
+
+	* lib/krb5/krb5_err.et: Match error code with pk-init-27.
+
+	* lib/krb5/pkinit.c: Update error codes. Add name to group. Change
+	return value of _krb5_dh_group_ok.
+
+	* lib/krb5/pkinit.c: Add support for reading a moduli-file for DH
+	parameters.
+	
+2005-10-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kuser/klist.1: Document --list-caches
+
+	* kuser/klist.c: Change short flag of --list-caches to -l (-v is
+	already used).
+
+2005-10-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/kerberos.8: RFC 1510 was obsoleted by 4120.
+	
+	* lib/krb5/acache.c (init_ccapi): return kerberos errors, callers
+	expect it
+	(acc_get_cache_first): don't leak memory or abort on malloc
+	failure
+	
+2005-10-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/kerberos.8: Update text about Kerberos RFC's.
+	
+2005-10-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kuser/klist.c: Add option --list-caches that lists the avaible
+	caches and their status.
+
+	$ klist --list-caches
+	  Principal        Cache name               Status
+	lha@E.KTH.SE     2                        Valid
+	lha@SU.SE        1                        Expired
+	lha/root@SU.SE   0                        Expired
+	lha@N.L.NXS.SE   Initial default ccache   Expired
+	
+2005-09-30  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/krb5/keytab_keyfile.c: Use all DES keys, not just
+	des-cbc-md5, verify that they all are the same.
+
+	* lib/krb5/mcache.c Implement the cache iteration functions.
+
+	* lib/krb5/acache.c: Implement the cache iteration functions.
+
+	* lib/krb5/test_cc.c: Test the new cache iteration functions.
+
+	* lib/krb5/cache.c: Add cache iteration funcations. Add internal
+	allocation function for the memory of a krb5_ccache, and use it.
+
+	* lib/krb5/krb5.h (krb5_cc_ops): add cache iteration functions
+	
+2005-09-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_mk_req.3: Remove leftovers, remove extra space.
+
+	* kdc/kerberos5.c: More verbose PK-INIT logging.
+
+	* kdc/pkinit.c: The public DH key is encoded as an INTEGER in
+	subjectPublicKey.  Don't verify OID's for now.
+	
+	* lib/krb5/pkinit.c: Support cached DH variable (still need to
+	store it though), don't check the oid of the DH signedData for
+	now.
+	
+2005-09-22 Love Hörnquist Åstrand <lha@it.su.se>
+
+	* lib/krb5/rd_cred.c (krb5_rd_cred): try both the session key and
+	the sender subkey. Both RFC1510 and RFC4120 say that you have to
+	use the session key, Heimdal uses subkey.
+	
+2005-09-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c: Don't check oid's too closely, they change in
+	Windows Vista.
+	
+2005-09-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c: Disable sending -19, fix parsing -27 of the
+	protocol.
+
+	* kdc/pkinit.c: Support PK-INIT-27 DH (and remove -19)
+
+	* lib/krb5/pkinit.c (pk_verify_chain_standard): set cert to NULL
+	to make sure its not freed.
+	
+2005-09-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/crypto.c (krb5_DES_string_to_key): If the opaque length
+	it set to 1, and content is 0x01, use the afs3 string-to-key.
+
+	* kdc/kerberos5.c (make_etype_info2_entry): When its a afs3-salted
+	key, use send the opaque, length 1 (with content set to 0x01) in
+	ETYPE-INFO2-ENTRY.
+
+	* lib/krb5/kcm.c: Remove signedness warnings.
+	
+2005-09-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* configure.in: Use libtool's default values for building
+	shared/static libaries, ie remove AC_ENABLE_SHARED(no), solves
+	building problems users have on Mac OS X.
+	
+2005-09-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/changepw.c: Constify password.
+	
+2005-09-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_mk_req.3: Document krb5_rd_req.
+	
+	* lib/krb5/Makefile.am: MAN_mans+= krb5_mk_req.3
+	
+	* lib/krb5/krb5_mk_req.3: Document krb5_mk_req, krb5_mk_req_exact,
+	krb5_mk_req_extended, krb5_rd_req, krb5_rd_req_with_keyblock,
+	krb5_mk_rep, krb5_mk_rep_exact, krb5_mk_rep_extended, krb5_rd_rep,
+	krb5_build_ap_req, krb5_verify_ap_req.
+	
+2005-09-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kerberos5.c (make_etype_info_entry): Dont send salttype at
+	all, use KRB5-PADATA-AFS3-SALT
+	
+2005-08-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kerberos5.c (log_timestamp): endtime, not endtype
+	
+2005-08-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* configure.in: Check for <sys/ucred.h>.
+
+	* kcm/connect.c (update_client_creds): in case there is no
+	UCRED_VERSION, skip LOCAL_PEERCRED
+	
+	* kcm/headers.h: include <sys/ucred.h>
+	
+2005-08-27 Love Hörnquist Åstrand <lha@it.su.se>
+
+	* lib/krb5/rd_req.c (check_transited): Allow empty content of type
+	0 because that is was Microsoft generates in their TGT.
+
+	* kdc/kerberos5.c (fix_transited_encoding): Allow empty content of
+	type 0 because that is was Microsoft enerates in their TGT.
+
+2005-08-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/intro.texi: RFC 4120 replaces RFC 1510
+	
+2005-08-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* configure.in: Add --disable-afs-support.
+
+2005-08-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/Makefile.am: Add test_hostname to check_PROGRAMS but
+	not TESTS, I have no same dns to use.
+
+	* lib/krb5/test_hostname.c: Testprogram for krb5_expand_hostname()
+	and krb5_expand_hostname_realms().
+	
+	* configure.in: Build KCM if we have doors or unix sockets.
+
+	* lib/krb5/principal.c (krb5_425_conv_principal_ex2): Remove
+	shadowing variable.
+
+	* lib/krb5/get_host_realm.c (dns_find_realm): Fix const warnings,
+	plug memory leak. From: Stefan Metzmacher <metze@samba.org>
+	
+	* lib/krb5/krb5_config.3: Document what happens with NULL to
+	krb5_config_free_strings
+	(nothing). Mdoc nit.
+	
+2005-08-22 Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kuser/klist.c (check_for_tgt): Re-order code so it only free the
+	credential if one was returned.
+	
+	* lib/krb5/test_crypto_wrapping.c: Fix printing of size_t.
+
+2005-08-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/dbinfo.c: provide interface to find databases
+
+	* lib/hdb/mkey.c: hdb_seal_key_mkey): dont double encrypt keys
+
+2005-08-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kdc_locl.h: Update prototype for _kdc_pk_mk_pa_reply.
+
+2005-08-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/init_creds_pw.c: Save the request buffer so that
+	pre-auth mechanism that needs it can verify the reply.
+
+2005-08-12  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/krb5/test_mem.c: Rename logf to avoid shadowing.
+	
+	* lib/krb5/krb5_keytab.3: Fix the version number for
+	fcc-mit-ticketflags.
+
+	* lib/krb5/fcache.c: Revert previous, I was confused.
+	
+	* lib/krb5/krb5_keytab.3: Document fcc-mit-ticketflags in
+	COMPATIBILITY section.
+	
+	* lib/krb5/fcache.c (fcc_store_cred): default to MIT style ticket
+	flags.
+
+	* kdc/pkinit.c (pk_mk_pa_reply_enckey): add missing break;
+
+	* lib/krb5/krb5_create_checksum.3: Update prototype for
+	krb5_create_checksum.
+	
+	* kdc/pkinit.c: Make compile.
+	
+	* lib/krb5/pkinit.c: Implement verification of asChecksum, now
+	client side code is using -27 of the pk-init draft.
+	
+	* kdc/kdc_locl.h: update prototype for _kdc_as_rep
+
+	* kdc/pkinit.c: Fill in asChecksum, we now implements -27 in the KDC.
+	
+	* kdc/process.c: Pass down the request buffer to _kdc_as_rep().
+
+	* kdc/kerberos5.c (_kdc_as_rep): Pass down the request buffer to
+	_kdc_pk_mk_pa_reply.
+
+2005-08-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/ext.c: HDB extensions access glue.
+
+	* kcm/acquire.c: Use krb5_set_password instead of
+	krb5_change_password.
+
+	* configure.in: Add tests/Makefile and tests/db/Makefile.
+
+	* NEWS: New ASN.1 compiler
+
+	* lib/hdb/Makefile.am: Build extensions.
+
+	* lib/hdb/print.c: Print extensions.
+
+	* lib/hdb/hdb_err.et: Add error "Entry contains unknown mandatory
+	extension".
+
+	* lib/hdb/hdb.h: Update interface version (and indent).
+	
+	* lib/hdb/hdb.asn1: Add support for HDB-extension.
+
+2005-08-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/test_pkinit_dh2key.c: add tests vectors from
+	"Liqiang(Larry) Zhu" <lzhu@windows.microsoft.com>
+
+	* lib/hdb/mkey.c: Expose the crypto operations on the master key.
+
+	* lib/krb5/test_pkinit_dh2key.c: even more bits, not done yet
+	
+2005-08-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kerberos5.c (_kdc_as_rep): preserve the error code in the
+	ENC-TS case.  From: Andrew Bartlett <abartlet@samba.org>
+
+	* kdc/kerberos5.c (tgs_rep2): only needs to log "Failed to verify
+	authenticator" once, its already done by
+	tgs_check_authenticator().
+	
+	* kdc/kerberos5.c: Indent strings.
+
+	* kdc/kerberos5.c (log_timestamp): avoid shadow warnings From:
+	Andrew Bartlett <abartlet@samba.org>
+	
+	* lib/krb5/verify_user.c: Add krb5_verify_opt_alloc and
+	krb5_verify_opt_free.
+	
+	* lib/krb5/krb5_verify_user.3: Document krb5_verify_opt_alloc and
+	krb5_verify_opt_free.
+
+	* lib/hdb/db3.c (DB_open): catch errors from the d->open calls
+	instead of letting them slip though to d->cursor. Bug repport from
+	Andrew Bartlett <abartlet@samba.org>
+
+2005-07-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/Makefile.am (kdc_LDADD): add LDADD
+	
+2005-07-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kerberos5.c (_kdc_as_rep): log what enctypes was using in
+	ENC-TS preauth, both for failure and success.
+
+	* kdc/hprop.c: Use the _krb5_krb_life_to_time function from
+	libkrb5 instead of including our own here too.
+
+	* kdc/kerberos5.c: indent printf strings
+
+	* lib/hdb/mkey.c (hdb_unseal_key_mkey): try to unseal key with
+	keyusage 0 in case the key was encrypted with MIT Kerberos (old
+	patch from Johan)
+
+2005-07-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/pkinit.c: update to pkinit-27
+
+2005-07-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c: Adapt to IMPLICIT changes in CMS module.
+
+2005-07-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/test_pkinit_dh2key.c: framework for testing
+	_krb5_pk_octetstring2key
+
+	* kpasswd/kpasswdd.c (doit): krb5_addr2sockaddr takes a
+	krb5_socklen_t
+
+	* kdc/connect.c (de_http): sscanf takes a char *, not unsigned
+	ditto, cast approriately
+
+	* lib/krb5/crypto.c (_krb5_pk_octetstring2key): make sha1 output
+	unsigned char to match openssl
+
+2005-07-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/common.c: Check encoder lengths from ASN1_MALLOC_ENCODE.
+
+2005-07-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/rd_cred.c (krb5_rd_cred): don't leak memory
+
+	* lib/krb5/get_cred.c (krb5_get_credentials_with_flags): only call
+	krb5_cc_retrieve_cred once, and plug memory leak.
+
+2005-07-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/Makefile.am: the new asn.1 compiler includes the modules
+	name in the depend file
+
+	* lib/krb5/keytab_file.c (fkt_start_seq_get_int): check return
+	value from krb5_storage_from_fd
+
+	* lib/krb5/pkinit.c (pk_rd_pa_reply_dh): client do not contribute
+	to the DH when the server doesn't support the cached DH request.
+
+	* lib/krb5/crypto.c (_krb5_pk_octetstring2key): fix arguments
+
+2005-07-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c: clean up pk-init DH support, not finished
+	yet; improve error reporting
+
+	* lib/krb5/crypto.c (_krb5_pk_octetstring2key): string2key
+	function used in pk-init-25
+
+	* configure.in: Use a configure switch to turn on PK-INIT, not by
+	detecting existence of the new ASN.1 library.
+
+	* lib/asn1: Much improved ASN.1 compiler from joda-choice-branch.
+
+	Highlighs for the compiler is support for CHOICE and in general better
+	support for tags. This compiler support most of what is needed for
+	PK-INIT, LDAP, X.509, PKCS-12 and many other protocols.
+
+2005-07-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/asn1: make scope variables unique to avoid shadow warnings
+
+2005-07-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5.h: comment out paramenter name in typedef
+	functions to avoid shadow warnings
+
+	* lib/krb5/crypto.c: make input data to krb5_encrypt{,_ivec} const
+
+	* kuser/klist.c: If there are no addresses, print addressless
+	instead of nothing.
+
+	* lib/krb5/Makefile.am (TESTS): add test_crypto_wrapping
+
+	* lib/krb5/crypto.c (wrapped_length): the underived encrypted
+	types checksum are all unkeyed (matches the code in
+	encrypt_internal() and encrypt_internal_special())
+
+	* lib/krb5/test_crypto_wrapping.c: ETYPE_ARCFOUR_HMAC_MD5_56 isn't
+	not supported
+
+	* lib/krb5/test_crypto_wrapping.c: test encryption wrapping
+
+	* lib/krb5/test_crypto.c (time_encryption): free cleartext buffer
+
+2005-07-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* configure.in: run AM_INIT_AUTOMAKE before AM_PROG_CC_C_O
+	otherwise am_aux_dir will be expanded using ac_aux_dir before the
+	later is set.
+
+	* configure.in: check for strings.h explicitly instead of
+	depending on AC_HEADER_STDC to check it for us
+
+2005-07-07  Assar Westerlund  <assar@kth.se>
+
+	* configure.in: add AM_PROG_CC_C_O for automake 1.9
+
+2005-07-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/keytab.c (krb5_kt_get_entry): clear error string when
+	returning a new error
+	
+	* lib/krb5/keytab.c: krb5_kt_close frees all resources, even on
+	error.
+
+	* lib/krb5/verify_init.c (krb5_verify_init_creds): `entry' unused,
+	remove From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
+
+2005-07-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/win2k.texi: arcfour-hmac-md5 support for windows cross was
+	added in w2k3-sp1 From David Love
+	
+	* doc/setup.texi: document kadmin command password-quality instead
+	of the not installed test_pw_quality
+	
+	* lib/krb5/krb5_get_init_creds.3: Spelling, from David Love
+	
+	* fix-export: build kdc-protos.h
+
+2005-07-01  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc: prefix pkinit symbols with _kdc
+
+	* kuser/kinit.c: avoid shadowing variables
+	
+	* kuser: s/optind/optidx/
+
+	* kdc: adapt pkinit code to libkdc split
+
+2005-06-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* tools/Makefile.am: add depency on LIB_dlopen and LIB_door_create
+	
+	* tools/krb5-config.in: add depency on LIB_dlopen and LIB_door_create
+	
+	* kdc/kdc_locl.h: indent, remove dup prototypes
+	
+	* kdc/libkdc: don't pollute namespace, generate public headerfile
+
+	* lib/krb5/principal.c: add krb5_425_conv_principal_ext2 that work
+	just like krb5_425_conv_principal_ext but takes a context variable
+	for the verification function
+	
+	* kdc/Makefile.am: there is no export script, not pretend there is
+
+	* kdc: Merge in the libkdc/kdc configuration split from Andrew
+	Bartlet <abartlet@samba.org>
+
+	* lib/krb5/crypto.c: optionally compile in support for afs string2key
+	
+	* configure.in: add --disable-afs-string-to-key to allow removal
+	of support for afs string2key (and dependency on crypt)
+
+2005-06-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kerberos5.c: Add logging of all timestamps in AS-REQ and
+	TGS-REQ, for auditing
+
+	* kdc/kerberos5.c (as_req): print the supported encryption types
+	so its possible to know what clients to update.
+	(find_rpath): return const char * and update callers.
+
+2005-06-28  Luke Howard  <lukeh@padl.com>
+
+	* kcm/connect.c: fix arguments to kcm_log() when reporting
+	  sendmsg() error
+
+	* kcm/connect.c: don't send socket address in msghdr, it
+	  returns an already connected error on Linux
+
+2005-06-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/524.c: Always include <krb5-v4compat.h>.
+
+2005-06-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/intro.texi: no more libdes, gssapi lib is complete
+	
+	* lib/krb5/krb5.conf.5: Documentation for password quality
+	control. From: "James F. Hranicky" <jfh@cise.ufl.edu>
+
+	* lib/krb5/verify_krb5_conf.c (password_quality_entries): add
+	min_length and min_classes
+
+	* kdc/kaserver.c: log the kaserver requests, avoid shadowing
+	variables
+
+	* lib/hdb/db3.c (DB_open): in case of error, close database
+
+	* lib/hdb/ndbm.c (NDBM_open): in case of error, close database
+
+	* lib/hdb/db.c (DB_open): in case of error, close database
+
+2005-06-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kcm/kcm.8: fix example
+
+2005-06-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/rd_rep.c: indent
+
+	* lib/krb5/rd_rep.c (krb5_rd_rep): check if
+	KRB5_AUTH_CONTEXT_DO_TIME set and use that as a que that timestamp
+	should be checked, DCE-STYLE gssapi needs to be able to tweek this
+
+	* kdc/string2key.c: rename optind to optidx
+
+	* lib/hdb/convert_db.c: rename optind to optidx
+
+	* lib/hdb/keytab.c: const poison, add a unconst where needed
+
+	* lib/krb5/crypto.c (krb5_string_to_key): unconst password
+
+	* lib/asn1/k5.asn1: rename pvno to krb5-pvno
+
+	* lib/krb5/get_in_tkt_with_keytab.c (krb5_keytab_key_proc):
+	unconst argument
+
+	* lib/krb5/verify_krb5_conf.c: rename optind to optidx
+
+	* lib/krb5/transited.c: rename the temporary string variable to
+	`str'
+
+	* lib/krb5/test_crypto.c: rename optind to optidx
+
+	* lib/krb5/test_alname.c: rename optind to optidx
+
+	* lib/krb5/store.c: unconst argument to krb5_store (XXX this
+	should be fixed, krb5_store doesn't need to modify its argument)
+
+	* lib/krb5/send_to_kdc.c (krb5_sendto): remove shadowing
+	unnessecery variable ret
+
+	* lib/krb5/rd_cred.c (krb5_rd_cred): remove shadowing unnessecery
+	variable len
+
+	* lib/krb5/prog_setup.c: rename optind to optidx
+
+	* lib/krb5/padata.c: rename variable index to idx
+
+	* lib/krb5/log.c: rename variable time to timestr to avoid
+	shadowing
+
+	* lib/krb5/krbhst.c (krb5_krbhst_init_flags): rename variable to
+	avoid shadowing
+
+	* lib/krb5/krbhst-test.c: rename optind to optidx
+
+	* lib/krb5/kcm.c: unconst argumen to connect, unconst argument to
+	krb5_store (XXX this should be fixed, krb5_store doesn't need to
+	modify its argument)
+
+	* lib/krb5/init_creds_pw.c (default_s2k_func): unconst password
+
+	* lib/krb5/crypto.c: rename `encrypt' to avoid shadow warning
+	
+2005-06-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/principal.c: rename index to idx
+	
+	* lib/krb5/mk_error.c: use rk_UNCONST
+	
+	* lib/krb5/fcache.c: rename to avoid shadowing
+
+	* lib/krb5/config_file.c: rename to avoid shadowing
+	
+	* lib/krb5/cache.c (_krb5_expand_default_cc_name): just copy the
+	string instead of losing const
+
+	* lib/krb5/addr_families.c: use rk_UNCONST to silence const
+	warning
+
+	* lib/krb5/addr_families.c: rename sin to sin4
+
+	* lib/asn1/asn1_print.c: rename optind to optidx, remove shadowed
+	variables
+
+	* lib/asn1/main.c: rename optind to optidx
+
+	* lib/asn1/gen_copy.c: rename to avoid shadowing
+
+	* lib/asn1/gen_locl.h: rename function filename to get_filename
+
+	* lib/asn1/lex.l: use get_filename
+
+	* lib/asn1/gen.c: rename function filename to get_filename
+
+	* lib/krb5/acache.c: use HAVE_DLOPEN around cc_handle
+	
+	* configure.in: add headers and prototypes to logwtmp, logout and
+	openpty checks
+
+	* configure.in: include headerfiles and set prototype for tgetent
+	
+	* kdc/kerberos5.c (make_etype_info2_entry): NUL terminate the
+	string
+
+	* kdc/kerberos5.c: replace strndup with inline copy, free data on
+	failure
+
+	* lib/krb5/cache.c (_krb5_expand_default_cc_name): replace strndup
+	with inline copy
+
+	* lib/krb5/log.c: rename close and log to avoid shadow warnings
+	
+	* lib/krb5/get_in_tkt.c: rename index to i to avoid shadowing
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): rename two
+	of the local `realm' to srealm to avoid shadowing
+	
+	* kdc/kerberos5.c (tgs_rep2): rename one of the tkey to uukey to
+	avoid shadow warning
+
+	* kdc/kerberos5.c (tgs_rep2): rename loop to nloop to avoid shadow
+	warning
+
+2005-06-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Release 0.7, see branch
+	
+2005-06-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/Makefile.am: TESTS += test_mem libkrb5_la_SOURCES +=
+	kcm.h
+	
+	* kuser/kinit.c (main): catch KRB5_CONFIG_BADFORMAT from
+	krb5_init_context
+
+	* kdc/main.c (main): catch KRB5_CONFIG_BADFORMAT from
+	krb5_init_context
+
+	* lib/krb5/verify_krb5_conf.c (main): catch KRB5_CONFIG_BADFORMAT
+	from krb5_init_context From: Mathias Feiler
+	<feiler@uni-hohenheim.de>
+
+	* lib/krb5/verify_krb5_conf.c: Add more missig entires, from
+	Mathias Feiler <feiler@uni-hohenheim.de>
+
+2005-06-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/pkinit.c (pk_principal_from_X509): remember to free
+	KRB5PrincipalName
+
+	* lib/krb5/log.c (krb5_closelog): free all content in
+	krb5_log_facility
+
+2005-06-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/524.c: init kvno to please gcc
+
+	* kdc/kaserver.c (do_authenticate): check return value from
+	unparse_auth_args
+
+2005-06-07  Dave Love  <fx@gnu.org>
+
+	* doc/setup.texi: Spelling.
+	
+	* doc/programming.texi: Spelling.
+
+2005-06-02  Dave Love  <fx@gnu.org>
+
+	* kcm/connect.c (kcm_door_server): Make static.
+
+	* kcm/kcm_locl.h (disallow_getting_krbtgt): Declare.
+
+2005-06-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/mit_dump.c (mit_prop_dump): cast argument to
+	krb5_parse_principal to avoid warning
+
+	* kdc/mit_dump.c: rename KRB5_TL_MOD_PRINC to
+	mit_KRB5_TL_MOD_PRINC to hint its a constant originating from mit
+	codebase
+
+2005-06-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/store.c: If we are allocating 0 entires, avoid failing
+	if ALLOC returns NULL
+
+	* lib/krb5/verify_krb5_conf.c: Check for [kdc]v4-realm
+	
+	* lib/krb5/cache.c: When returning a new error code, set error
+	string.
+
+2005-05-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/keytab_file.c: Adapt to changed signature of
+	_krb5_xunlock, clear more error string where needed.
+
+	* lib/krb5/fcache.c (_krb5_xunlock): catch the error and turn it
+	into something sensable
+
+2005-05-30  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/kerberos5.c (tgs_make_reply): copy ok-as-delegate flag from
+	server entry to encrypted ticket flags
+
+2005-05-30  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/connect.c: rename sendlength to prependlength (which
+	hopefully better represents its purpose), and change type to
+	krb5_boolean
+
+	* kdc/connect.c: log signal causing exit
+	
+	* kdc/main.c (sigterm): set exit_flag to signal causing exit;
+	(main): trap SIGXCPU
+
+2005-05-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kcm/kcm.8: document --disallow-getting-krbtgt and --door-path
+
+	* kcm/protocol.c (kcm_op_retrieve): check server for krbtgt, not
+	client
+
+	* kcm/main.c: ignore SIGPIPE
+
+	* kcm/protocol.c: Add option to disallow getting krbtgt out from
+	from KCM. KCM will do the fetching part itself.
+	
+	* kcm/config.c: Add option to disallow getting krbtgt out from
+	from KCM. KCM will do the fetching part itself.
+
+2005-05-30  Luke Howard <lukeh@padl.com>
+
+	* kcm/events.c: if credentials have expired when attempting
+	to renew, attempt to reacquire them using initial creds
+
+2005-05-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_principal.3: Spelling, from Björn Sandell
+	
+	* doc/setup.texi: spelling, from Björn Sandell
+
+	* lib/krb5/name-45-test.c: XXX don't run the test unless the
+	machine is in kth.se or su.se because it depends on local resolver
+	configuration.
+
+	* lib/hdb/hdb.c: provde RTLD_NOW and RTLD_GLOBAL if they don't
+	exists
+
+	* kcm/connect.c: fix doors support, fix signedness warnings
+
+	* kcm/config.c: add --door-path=
+	
+	* configure.in: comment what the "detect doors on solaris"
+	fragment tries to do
+
+	* kcm/acquire.c (generate_random_pw): fix signed-ness warnings
+
+	* kcm/connect.c (update_client_creds): fix compile error in the
+	getpeerucred case
+
+	* lib/krb5/test_cc.c: change format for expantion variables in
+	default_cc_name to %{variable} to not confuse them with shell
+	ditto
+
+	* kcm/headers.h: Maybe include <door.h>.
+
+	* kcm/kcm_locl.h: add extern door_path;
+
+	* configure.in: detect doors using door_create
+	
+	* kcm/Makefile.am: add dependcy on kcm_protos.h add lib depency on
+	LIB_door_create
+
+	* lib/krb5/kcm.h: add _PATH_KCM_DOOR, default path to kcm door
+
+	* lib/krb5/kcm.c: use [libdefaults]kcm_door to find the door to
+	kcm
+
+	* lib/krb5/Makefile.am: libkrb5_la_LIBADD += LIB_door_create
+	
+	* lib/krb5/krb5_locl.h: Maybe include <sys/mman.h>, maybe include
+	<door.h>.
+
+	* lib/krb5/kcm.c (kcm_send_request): add support for doing a door
+	call to kcm
+
+	* lib/asn1: prefix Der_class with ASN1_C_ to avoid problems with
+	system headerfiles that pollute the name space
+
+	* kcm/kcm.8: change format for expantion variables in
+	default_cc_name to %{variable} to not confuse them with shell
+	ditto
+
+	* lib/krb5/krb5.conf.5: change format for expantion variables in
+	default_cc_name to %{variable} to not confuse them with shell
+	ditto
+
+	* lib/krb5/cache.c (_krb5_expand_default_cc_name): change format
+	for expantion variables to %{variable} to not confuse them with
+	shell ditto
+	
+	* kcm/connect.c: add LOCAL_PEERCRED and experimental doors support
+
+2005-05-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* appl/kf/kfd.c: case uid_t to unsigned long in printf format
+
+2005-05-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_auth_context.3: remove trailing space
+
+2005-05-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kcm/connect.c (do_request): use sendmsg to send the reply
+	
+	* fix-export: add make_proto for kcm/kcm_protos.h
+	
+	* kcm/kcm_locl.h: remove prototypes and add <kcm_protos.h>
+
+	* kcm/Makefile.am (kcm_SOURCES): add headerfiles
+	(kcm_protos.h): generate prototypes
+
+	* kcm/protocol.c: fix error in last commit, use right function
+
+	* kcm/headers.h: include <ucred.h> if we have getpeerucred
+
+	* configure.in: check for functions getpeerucred and getpeereid
+
+	* kcm/connect.c (update_client_creds): add support for
+	getpeerucred and getpeereid
+
+	* lib/krb5/kcm.c (kcm_alloc): allow kcm socket to be configured by
+	[libdefaults]kcm_socket=/path
+
+2005-05-24  David Love  <fx@gnu.org>
+
+	* kcm/kcm.8: KRB5CCNAME needs an literal uid, not ${uid}, spelling
+
+2005-05-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kcm/protocol.c: Merge the description and function jumptables
+	into one structure.  Use the length of the array when checking if
+	opcode is value, not a constant.
+
+	* kcm/kcm_locl.h: struct kcm_op: jumptable structure
+
+	* kcm/main.c: move declaration of detach_from_console away from
+	here to kcm_locl.h, Don't test HAVE_DAEMON since roken supplies it.
+	
+	* kcm/kcm_locl.h: move declaration of detach_from_console here
+	
+	* kdc/config.c: Don't test HAVE_DAEMON since roken supplies it.
+	
+2005-05-23  Dave Love  <fx@gnu.org>
+
+	* kcm/config.c: Don't test HAVE_DAEMON since roken supplies it.
+
+	* kdc/main.c: Don't test HAVE_DAEMON since roken supplies it.
+
+2005-05-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_keytab.3: document WRFILE and JAVA14
+
+2005-05-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krbhst.c (srv_get_hosts): if srv_get_hosts failes,
+	return and ignore the error
+
+	* lib/krb5/krbhst.c (srv_find_realm): make sure `res' and `count'
+	have good values
+	
+	* lib/krb5/test_keytab.c: tests all keytab format
+	
+2005-05-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c (_krb5_pk_rd_pa_reply): non non asn1 decoding
+	errors, fail. Make sure we free memory on error.
+	(pk_verify_chain_standard): make sure we provide good errors.
+
+	* lib/krb5/verify_krb5_conf.c: add missing options, prompted by
+	James F. Hranicky mail to heimdal-discuss
+
+	* lib/krb5/verify_krb5_conf.c: add pkinit and password quailty
+	check options
+
+	* lib/krb5/pkinit.c (pk_verify_chain_standard): store better error
+	message in the context for certificate errors.
+	
+	* lib/krb5/keytab.c (krb5_kt_free_entry): zero out content of all
+	krb5_free_x_content like functions to make sure data doesnt get
+	reused, idea from Wynn Wilkes <wwilkes@vintela.com>
+
+	* configure.in: depend on automake 1.8, we don't test anything
+	older
+
+	* lib/krb5/init_creds_pw.c (process_pa_data_to_md): add comment
+	that the caller always free out_md; remove comment about memory,
+	it doesn't happen.
+	(init_cred_loop): free ctx->as_req.padata when its reset (From Wynn
+	Wilkes <wwilkes@vintela.com>), move a comment close the the code
+
+	* lib/krb5/keytab_krb4.c (fkt_remove_entry): need to call
+	krb5_kt_free_entry after each krb5_kt_next_entry.
+
+	* lib/krb5/keytab_file.c (fkt_remove_entry): need to call
+	krb5_kt_free_entry after each fkt_next_entry_int. From: Wynn
+	Wilkes <wwilkes@vintela.com>
+
+2005-05-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/Makefile.am: TESTS += test_keytab
+
+	* lib/krb5/keytab_krb4.c (krb4_kt_remove_entry): plug memory leaks,
+	avoid crashing on empty keytab
+
+	* lib/krb5/krb5_keytab.3: document behavior of
+	krb5_kt_remove_entry
+
+	* lib/krb5/keytab_memory.c (mkt_remove_entry): check if there
+	isn't any entries in the keytab before removing any since that
+	leads to bad pointer arithmetic and crashing. From: Wynn Wilkes
+	<wwilkes@vintela.com>.  Make the function return KRB5_KT_NOTFOUND
+	if the entry wasn't in the keytab (just like the filebased
+	keytab).
+
+	* lib/krb5/test_keytab.c: test memory corruption in MEMORY keytab
+
+	* lib/krb5{addr_families,context,creds,free,keyblock,
+	mit_glue,rd_error}.c:zero out content of all krb5_free_x_content
+	like functions to make sure data doesnt get reused, idea from
+	Wynn Wilkes <wwilkes@vintela.com>
+
+	* lib/krb5/krb5_get_credentials.3: document KRB5_GC_EXPIRED_OK
+	
+	* lib/krb5/krb5.3: add krb5_cc_new_unique
+
+2005-05-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/fcache.c (fcc_get_first): check return value from
+	malloc, memset the structure, make sure cursor doesn't point to
+	freed memory on failure.  From: Wynn Wilkes <wwilkes@vintela.com>
+
+	* lib/krb5/krb5_auth_context.3: document
+	KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED
+
+	* lib/krb5/get_cred.c: Remove expired credentials, based on
+	patches and comments from Anders Magnusson <ragge@ltu.se> and Wynn
+	Wilkes <wwilkes@vintela.com>
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): honor
+	KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED and create unencrypted
+	(ENCTYPE_NULL) credentials. for use with old mit server and java based
+	ones as they can't handle encrypted KRB-CRED. Note that the option
+	needs to turned on because if the consumer sends the KRB-CRED in
+	clear bad things will happen.
+
+	* lib/krb5/context.c (krb5_init_context): register krb5_javakt_ops
+
+	* lib/krb5/krb5.h: KRB5_GC_EXPIRED_OK: expired credentials is ok
+	to return from krb5_get_credentials.
+	KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED: make forward credentials
+	be unencrypted, for compatibility with mit kerberos and java
+	kerberos. krb5_javakt_ops: export
+
+2005-05-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/keytab_file.c: Add new keytab file format JAVA14 that
+	doesn't the use extended kvnos, as hinted, this is needed for
+	Java's Kerberos implementation.
+
+2005-05-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c: handle pkinit-9, pkinit-19, and pkinit-25
+	enckey, still no DH
+	
+	* kdc/pkinit.c: handle pkinit-9, pkinit-19, and pkinit-25 enckey,
+	still no DH
+
+	* kdc/kerberos5.c (as_rep): search for pkinit-9, pkinit-19, and
+	pkinit-25 pa-data, return empty pkinit pa-data in the
+	PREAUTH_REQUIRED krb-error
+
+	* doc/ack.texi: add pkinit people
+
+	* lib/krb5/krb5_storage.3: document krb5_storage_is_flags
+
+	* lib/krb5/{krb5_compare_creds.3,krb5_get_init_creds.3,
+	krb5_krbhst_init.3,krb5_storage.3}:
+	make more pretty, from Björn Sandell
+
+2005-05-09  Dave Love  <fx@gnu.org>
+
+	* doc/setup.texi: Fix and clarify password quality check examples.
+	
+2005-05-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/kuserok.c (krb5_kuserok): use POSIX_GETPWNAM_R instead
+	of HAVE_GETPWNAM_R From: Dave Love <d.love@dl.ac.uk>
+
+2005-05-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/addr_families.c (krb5_print_address): catch when the
+	unknown adress don't fit. From Björn Sandell <biorn@dce.chalmers.se>
+
+2005-05-05  Dave Love  <d.love@dl.ac.uk>
+
+	* configure.in: fix type right test, include <termios.h> for
+	sys/strtty.h, not sys/ptyvar.h
+	
+2005-05-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5.conf.5: spelling
+
+2005-05-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5.conf.5: expand on what "trailing component" means
+	
+2005-05-04  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/rd_cred.c: put address comparison in separate function
+	
+	* lib/krb5/krb5_kuserok.3: check the user's ~/.k5login.d directory
+	for access files, all of which is handled like the regular
+	~/.k5login
+
+	* lib/krb5/kuserok.c: check the user's ~/.k5login.d directory for
+	access files, all of which is handled like the regular ~/.k5login
+	
+2005-05-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/ack.texi: Clearify what version of libdes we are using and
+	who's code in it we are using.
+	
+	* kcm/kcm.8: more text about usage
+	
+	* kcm/Makefile.am: man_MANS += kcm.8
+
+	* kcm/kcm.8: initial manpage
+
+	* configure.in: if we have a $srcdir/lib/asn1/pkcs12.asn1, define
+	PKINIT
+	
+2005-05-02  Dave Love  <fx@gnu.org>
+
+	* configure.in: sys/tty.h (for sys/ptyvar.h) might need termios.h.
+
+2005-05-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* tools/krb5-config.in: add com_err to required libs
+	
+	* lib/krb5/pkinit.c (krb5_ui_method_read_string): use the fill in
+	length
+
+	* lib/krb5/init_creds_pw.c: Now that we fixed the signed-ness of
+	nonce for windows, remove the code that removed the signed
+	bit. Instead add comment that they still need to be the same
+	(Kerberos protocol nonce and pk-init nonce) for Windows.
+	
+2005-05-02  David Love  <fx@gnu.org>
+
+	* lib/krb5/crypto.c: Don't declare des_salt &c as static with
+	incomplete type (invalid in c89, at least).
+	
+2005-05-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_locl.h: include <crypt.h>
+
+2005-05-02  David Love  <fx@gnu.org>
+
+	* kcm/connect.c (init_socket): rename variable sun to un to avoid
+	namespace collision.
+	(handle_stream): Cast arg of krb5_warnx.
+
+2005-04-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/init_creds_pw.c: if we are using PKINIT, strip of the
+	highest bit to make windows PK-INIT happy. Also make the nonces
+	the same, again for windows, they are using pk-init-9.
+	
+	XXX check if it isn't the that nonce is an unsigned variable so
+	its just a asn1 mismatch.
+
+	* kdc/pkinit.c: pass a NULL prompter data to _krb5_pk_load_openssl_id
+	
+	* kuser/kinit.c: krb5_get_init_creds_opt_set_pkinit
+	
+	* lib/krb5/pkinit.c: Pass prompter data to the prompter function,
+	implement a UI prompter function wrapping the kerberos prompter
+	function so that the the OpenSSL ENGINE can ask for a password
+	when loading the private key. From: Douglas E. Engert
+
+	* lib/krb5: add <err.h> in test programs
+	
+	* configure.in: sys/ptyvar.h might need <sys/tty.h>
+	
+	* lib/krb5/Makefile.am: use LIB_com_err for libkrb5.la
+
+2005-04-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/asn1/Makefile.am: use $(LIB_com_err)
+	
+2005-04-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/context.c (krb5_set_config_files): ignore permission
+	denied on configuration files, user might not be allowed to read
+	/var/heimdal/kdc.conf
+
+2005-04-26  Dave Love  <fx@gnu.org>
+
+	* lib/krb5/krb5_locl.h: define _POSIX_PTHREAD_SEMANTICS so we get
+	posix getpwnam_r
+
+2005-04-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/asn1/gen_glue.c: switch the units variable to a
+	function. gcc-4.1 needs the size of the structure if its defined
+	as extern struct units foo_units[] an we don't want to include
+	<parse_units.h> in the generate headerfile
+
+2005-04-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/hdb.schema: add EQUALITY rule for krb5ValidStart,
+	krb5ValidEnd, krb5PasswordEnd From Howard Chu
+
+2005-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/whatis.texi: comment out docbook stuff for now
+	
+	* kuser/klist.c: use strlcpy
+	
+	* doc/ack.texi: we no longer use eay libdes, make acknowledgment
+	still be there, but claim that we no longer use it. Mark editline
+	to be a modified version as required by the license.
+	
+	* lib/krb5/pkinit.c: use the unexported oid_to_enctype function
+	
+	* lib/krb5/crypto.c: unexport the oid_to_enctype function, not for
+	external consumers
+
+	* kdc/Makefile.am: always add kaserver
+	
+	* lib/krb5/krb5_ccache.3: document krb5_cc_new_unique
+
+	* lib/krb5/cache.c (krb5_cc_new_unique): new function to create a
+	new credential cache
+
+	* kdc/headers.h: don't include kerberos 4 headers here
+
+	* kdc/hpropd.c: include kerberos 4 headers here
+
+	* kdc/connect.c: add kaserver support independ of having krb4
+	support
+	
+	* kdc/config.c: add kaserver support unconditionally, make kdc
+	only fail to start when there are no v4 realm configured and
+	krb4/kaserver is turned on
+
+	* kdc/kaserver.c: Use the new Kerberos 4 functions in libkrb5 and
+	so kaserver support is always compiled in (still default disabled)
+	
+	* lib/krb5/v4_glue.c: simplify error handling
+
+	* doc/whatis.texi: add docbook version macro of @sub
+	
+	* doc/heimdal.texi: change the wrapping around the Top node to
+	ifnottex, make html generation work
+
+	* lib/krb5/krb5_krbhst_init.3: spelling, from Björn Sandell
+	<biorn@dce.chalmers.se>
+
+	* lib/krb5/krb5_get_krbhst.3: spelling, from Björn Sandell
+	<biorn@dce.chalmers.se>
+
+	* lib/krb5/krb5_data.3: spelling, from Björn Sandell
+	<biorn@dce.chalmers.se>
+
+	* lib/krb5/krb5_aname_to_localname.3: spelling, from Björn Sandell
+	<biorn@dce.chalmers.se>
+
+	* lib/krb5/krb5_address.3: spelling, from Björn Sandell
+	<biorn@dce.chalmers.se>
+
+2005-04-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/config.c: Use the new Kerberos 4 functions in libkrb5 and so
+	kerberos 4 is always compiled in (still default disabled)
+
+	* kdc/kerberos4.c: Use the new Kerberos 4 functions in libkrb5 and
+	so kerberos 4 is always compiled in (still default disabled)
+
+	* lib/krb5/krb5_locl.h: forward declaration of _krb5_krb_auth_data
+	
+	* lib/krb5/convert_creds.c: Move the kerberos v4 replacement
+	functions to v4_glue.c
+
+	* lib/krb5/v4_glue.c: Implement enough of kerberos 4 protocol to
+	be a KDC, move the v4 bits over here
+	
+	* lib/krb5/krb5-v4compat.h: add more v4 defines
+	
+2005-04-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kpasswd/kpasswdd.c: Support multi-realms databases, requires
+	that all the realms are configured on the KDC in krb5.conf with
+	[libdefaults]default_realm stanzas.
+
+2005-04-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kerberos5.c: spell succeeded correctly, From Sean Chittenden
+
+	* lib/krb5/addr_families.c: catch two more snprintf problems
+	
+2005-04-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/Makefile.am: this lib include com_err, add -com_err to
+	CHECK_SYMBOLS
+
+	* appl/test/http_client.c: cast ssize_t to unsigned long, fix
+	printf format
+
+2005-04-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/kuserok.c: use asprintf to avoid truncating pathnames
+	
+	* lib/krb5/get_host_realm.c: check return value of snprintf
+	
+	* lib/krb5/test_addr.c: check address truncation
+	
+	* lib/krb5/addr_families.c: check return values from snprintf and
+	clean up semantics of ret_len
+
+	* lib/krb5/krb5_address.3: clarify what ret_len is in
+	krb5_print_address
+
+	* lib/krb5/test_kuserok.c: add --version and --help
+	
+	* lib/krb5/kuserok.c: use getpwnamn_r if it exists
+
+	* lib/krb5/Makefile.am: noinst_PROGRAMS += test_kuserok
+
+	* lib/krb5/test_kuserok.c: test program for krb5_kuserok
+
+2005-04-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/acache.c (acc_resolve): if open_default_ccache failed
+	with ccErrCCacheNotFound try again with create_default_ccache,
+	this fixes the problem where the security server apperenly haven't
+	started yet on Mac OS X
+	
+	* lib/krb5/get_default_principal.c
+	(_krb5_get_default_principal_local): add, for use of functions
+	that in ccache layer to avoid recursive calls.
+	
+	* lib/hdb/hdb-ldap.c: drop <ctype.h>, no longer use any of the is*
+	macros in this file
+
+	* include/make_crypto.c: cast to unsigned char to make sure its
+	not negative when passing it to is* functions
+
+2005-04-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/programming.texi: remove manpage macro, add some more
+	references to manpages
+
+	* doc/heimdal.texi: define manpage macro
+	
+	* doc/setup.texi: document new password policy code
+	
+	* kpasswd/kpasswdd.c: add verifier libraries with
+	kadm5_add_passwd_quality_verifier
+
+	* lib/krb5/krb5_keyblock.3: document krb5_keyblock_init
+	
+2005-04-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kaserver.c: AUTHENTICATE and AUTHENTICATE_V2 is almost the
+	same, and clients
+	(klog) can deal with that the kaserver returns the same thing for
+	both
+
+	* lib/krb5/keyblock.c: Add krb5_keyblock_init to allocate an fill
+	in a keyblock from key data.
+	
+2005-04-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* configure.in: rk_WIN32_EXPORT for roken
+
+2005-04-10  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* appl/test/gssapi_server.c: print out client principla of
+	delegated credential
+
+2005-04-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/init_creds_pw.c (process_pa_data_to_key): also check
+	for KRB5_PADATA_PK_AS_REP_19, From: Douglas Engert
+
+2005-04-07  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* .cvsignore: ignore more generate files
+	
+2005-04-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/asn1/check-der.c: use size_t, print size_t by casting to
+	unsigned long
+	
+	* lib/krb5/test_crypto.c: print size_t by casting to unsigned long
+	
+	* lib/krb5/acache.c: Argument to create_new_ccache is a principal,
+	not a credential cache name.  Clean up lossage related to this
+	problem.
+
+	* lib/hdb/Makefile.am: CHECK_SYMBOLS += HDBFlags2int
+	
+	* lib/krb5/addr_families.c
+	(krb5_address_prefixlen_boundary,krb5_free_address):
+	use find_atype when we are dealing with a kerberos address type
+
+	* lib/krb5/aes-test.c: size_t vs int + fix printf
+	
+	* lib/krb5/pkinit.c: Since the decode can't make out the diffrence
+	between PA-PK-AS-REP-19 and PA-PK-AS-REQ-Win2k, try harder to
+	verify both cases
+
+2005-04-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* appl/test/uu_client.c: print size_t by casting to unsigned long
+	
+2005-04-01 Johan Danielsson <joda@pdc.kth.se>
+
+	* kdc/kerberos4.c (do_version4): check client and server max_life
+	
+	* kdc/kaserver.c (do_getticket): check client max_life
+	
+2005-03-31  Love  <lha@kth.se>
+
+	* lib/krb5/verify_krb5_conf.c: const poison
+
+	* lib/krb5/test_alname.c: const poison
+
+	* lib/asn1/main.c: const poison
+
+	* lib/krb5/test_addr.c: test parse IPv6 RANGE addresses
+
+	* lib/krb5/addr_families.c: implement mask boundary for IPv6
+
+	* lib/asn1/gen.c: avoid const string warnings steming from
+	writeable-string
+
+2005-03-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/Makefile.am: TESTS += test_addr
+
+	* lib/krb5/test_addr.c: simple test for addresses
+	
+	* lib/krb5/addr_families.c: make RANGE parse prefixlen style
+	addresses too, fix printing of RANGE addresses, add
+	krb5_address_prefixlen_boundary
+
+	* lib/krb5/krb5_keytab.3: stop memory leak in example, expand on
+	wildcards
+
+2005-03-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_principal.3: spelling, from Tomas Olsson
+
+	* lib/krb5/krb5_warn.3: spelling, from Tomas Olsson
+
+2005-03-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/acache.c: add mutex for global variables, clean up
+	returned error codes, implement storing addresses into the ccapi
+
+	* appl/test/gssapi_server.c: free memory, make error strings match
+	
+	* appl/test/gssapi_server.c: use print_gss_name, print server name
+	too
+
+	* appl/test/gss_common.h (print_gss_name): common code for
+	printing gss name
+
+	* appl/test/gss_common.c (print_gss_name): common code for
+	printing gss name
+
+	* appl/test/http_client.c: Make constent with rest of the gssapi
+	test programs
+
+2005-03-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/keys.c: AES is enabled by default, remove ifdefs
+	
+	* lib/krb5/crypto.c: AES is enabled by default, remove ifdefs
+	
+	* lib/krb5/aes-test.c: use hex encoder from roken AES is enabled
+	by default, remove ifdefs
+
+	* kdc/kerberos5.c: AES is enabled by default, remove ifdefs
+
+2005-03-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/setup.texi: Add some text about modifying the database
+	
+2005-03-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kuser/kinit.c: widen lifetime/renewal warning text field, also
+	make use of unparse_time_approx, no need to be specific to the
+	second when ticket needs to be renewed or their lifetime.
+
+	* doc/heimdal.texi: copyright maintenance, drop eay, use updated
+	UCB license
+
+	* lib/krb5/crypto.c: more static and unsigned issues
+
+	* lib/krb5/crypto.c: fix signedness issues, prompted by report of
+	Magnus Ahltorp
+
+2005-03-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_keytab.3: more text about how to free returned
+	resources
+
+2005-03-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c: handle the -25 generation path
+
+	* lib/krb5/pkinit.c: use KRB5_PADATA_PK_AS_REQ_19
+	
+	* lib/krb5/pkinit.c: fold in pk-init-25 asn1 changes
+	
+2005-03-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/pkinit.c: use generated oid's
+	
+	* lib/krb5/pkinit.c: use generated oid's
+	
+2005-03-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/pkinit.c: update to the asn1 structures used in -25's
+
+	* lib/krb5/pkinit.c: update to the asn1 structures used in -25's
+
+2005-03-04  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/hdb/hdb-ldap.c: use the newly written hex function from
+	roken and remove the old implementation
+
+2005-03-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* appl/test/http_client.c: allow specifing port to connect to
+
+2005-02-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/Makefile.am: bump version to 21:0:4
+
+	* lib/hdb/Makefile.am: bump version to 8:0:1
+	
+	* lib/asn1/Makefile.am: bump version to 7:0:1
+
+2005-02-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/crypto.c (DES_string_to_key_int): must check for weak
+	keys after doing the DES_cbc_cksum
+
+2005-02-19  Luke Howard  <lukeh@padl.com>
+
+	* lib/krb5/krbhst.c: set KD_CONFIG after calling
+	  config_get_hosts() in kpasswd_get_next()
+	  From: Wynn Wilkes <wynnw@vintela.com>
+
+2005-02-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/db3.c (DB_open): correct the check for O_RDONLY
+	From: Chaskiel M Grundman <cg2v@andrew.cmu.edu>
+
+2005-02-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/crypto.c (krb5_random_to_key): cast size_t to int to
+	make %d work
+
+2005-02-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/keytab.c (krb5_kt_get_entry): tell what enctype the
+	caller requested to provide the user with a glue what the caller
+	was asking for.
+
+2005-02-05  Luke Howard  <lukeh@padl.com>
+
+	* lib/krb5/kcm.c: add _krb5_kcm_is_running, _krb5_kcm_noop
+
+	* kcm/acquire.c: don't leak salt if keyproc called multiple
+	  times
+
+	* kcm/config.c: allow KCM system ccache to be configured from
+	  krb5.conf, in the system_ccache stanza of [kcm]
+
+2005-02-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kcm/protocol.c: use -1 as the invalid pid number
+
+	* kcm/connect.c: support SCM_CREDS (for NetBSD)
+
+	* kcm/Makefile.am: LDADD += LIB_pidfile
+	
+	* kcm/connect.c: make it possible to build on systems without
+	SO_PEERCRED (still doesn't work)
+
+	* kcm/config.c: cast argument to isdigit to unsigned char
+	
+	* lib/krb5/krb5.conf.5: document large_msg_size
+
+	* lib/krb5/context.c (init_context_from_config_file): init
+	large_msg_size to 6000
+
+	* lib/krb5/krb5.h (krb5_context_data): add large_msg_size,
+	threshold where we start to use transport protocols without tiny
+	max data transport sizes.
+
+	* lib/krb5/kcm.h: drop prototypes, they all live in krb5-private.h
+	by now
+
+2005-02-02  Luke Howard  <lukeh@padl.com>
+
+	* configure.in: generate kcm/Makefile
+
+	* Makefile.am: recurse into kcm/ if KCM defined
+
+	* kcm: add KCM daemon
+
+2005-02-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/send_to_kdc.c (send_and_recv_udp): make private again
+
+	* lib/krb5/kcm.c: use AF_UNIX like the rest of the codebase, add
+	some more error strings
+
+2005-02-02  Luke Howard  <lukeh@padl.com>
+
+	* configure.in: add --enable-kcm option for Kerberos
+	  Credentials Manager (KCM)
+
+	* lib/krb5/Makefile.am: add kcm.c
+
+	* lib/krb5/cache.c: use cc_retrieve_cred if present rather
+	  than enumerating ccache
+
+	* lib/krb5/context.c: register KCM cc_ops
+
+	* lib/krb5/get_cred.c: pass all options to cc_retrieve_cred
+
+	* lib/krb5/init_creds_pw.c: add krb5_get_init_creds_keyblock
+
+	* lib/krb5/kcm.[ch]: add initial implementation of KCM
+	  client library
+
+	* lib/krb5/krb5.h: fix cc_retrieve prototype, add KCM cc_ops
+
+	* lib/krb5/send_to_kdc.c: add _krb5_send_and_recv_tcp
+
+	* lib/krb5/store.c: add krb5_store_creds_tag, krb5_ret_creds_tag
+
+2005-01-24  Luke Howard  <lukeh@padl.com>
+
+	* lib/krb5/init_creds_pw.c: allow NULL in_options to be passed
+	  krb5_get_init_creds_password()
+
+	* kdc/kerberos5.c: don't crash when logging no server etype
+	  support if client == NULL
+
+2005-01-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kstash.c: s/random_key/random_key_flag/, From Dave Love
+	<d.love@dl.ac.uk>
+
+2005-01-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/apps.texi: Texinfo fixes. Text about irix 6.5 using
+	PAM. From: Dave Love <d.love@dl.ac.uk>
+
+2005-01-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/verify_krb5_conf.c: cast argument to isdigit to
+	unsigned char
+
+	* lib/krb5/keytab_keyfile.c: cast argument to toupper to unsigned
+	char
+
+	* lib/asn1/hash.c (hashcaseadd): cast argument to toupper to
+	unsigned char
+
+	* appl/kf/kfd.c (kfd_match_version): cast argument to islower to
+	unsigned char
+
+	* lib/krb5/krb5.3: drop krb5_{checksum,enctype}_is_disabled
+
+	* lib/krb5/krb5_encrypt.3: drop krb5_enctype_is_disabled, more
+	text about krb5_enctype_valid
+
+	* lib/krb5/krb5_create_checksum.3: drop
+	krb5_checksum_is_disabled
+
+	* lib/krb5/crypto.c: drop krb5_{checksum,enctype}_isdisabled
+	
+	* lib/krb5/context.c: krb5_enctype_is_disabled is the same thing
+	as krb5_enctype_valid, so use the later since its older and the
+	api doesn't really need another entry point
+
+	* lib/krb5/rd_req.c: krb5_enctype_is_disabled is the same thing as
+	krb5_enctype_valid, so use the later since its older and the api
+	doesn't really need another entry point
+
+	* kdc/kerberos5.c: krb5_enctype_is_disabled is the same thing as
+	krb5_enctype_valid, so use the later since its older and the api
+	doesn't really need another entry point
+
+2005-01-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kpasswd/kpasswdd.8: document --addresses, controls what
+	addresses kpasswd should listen too
+
+	* kpasswd/kpasswdd.c: add --addresses, controls what addresses
+	kpasswd should listen too
+
+	* lib/krb5/addr_families.c (krb5_parse_address): filter out dup
+	addresses from getaddrinfo
+
+	* kpasswd/kpasswd.1: document -c
+
+	* kpasswd/kpasswd.c: allow specifying a credential cache to use
+	for the admin principal
+
+	* include/bits.c: constify to avoid warning with -Wwrite-string
+	
+	* NEWS: add 0.6.2 and 0.6.3 items
+	
+	* lib/krb5/krb5_keyblock.3: document krb5_generate_subkey_extended
+
+	* lib/krb5/krb5_is_thread_safe.3: document function
+
+	* lib/krb5/Makefile.am (man_MANS) += krb5_is_thread_safe.3
+	
+	* lib/krb5/context.c (krb5_is_thread_safe): return TRUE is the
+	library was compiled with multithreading support. If not,
+	application must global lock the library, it it uses threads that
+	call kerberos functions at the same time.
+	
+2005-01-05  Luke Howard  <lukeh@padl.com>
+
+	* lib/krb5/auth_context.c: use krb5_generate_subkey_extended()
+
+	* lib/krb5/appdefault.c: remove redundant KRB5_LIB_FUNCTION
+
+	* lib/krb5/build_auth.c: support for enctype negotiation
+	  (client sends EtypeList in Authenticator authz data)
+
+	* lib/krb5/context.c: mutex should be destroyed last in
+	  krb5_free_context()
+
+	* lib/krb5/generate_subkey.c: add krb5_generate_subkey_extended(),
+	  set *subkey to NULL if key geneartion fails
+
+	* lib/krb5/krb5.h: add KRB5_KU_PA_SERVER_REFERRAL_DATA
+
+	* lib/krb5/mk_req_ext.c: support ETYPE_ARCFOUR_HMAC_MD5_56
+
+	* lib/krb5/rd_req.c: support for enctype negotiation
+	  (client sends EtypeList in Authenticator authz data)
+
+2005-01-04  Luke Howard  <lukeh@padl.com>
+
+	* lib/asn1/k5.asn1: add authorization data types for enctype
+	negotiation implementation
+
+2005-01-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/changepw.c (change_password_loop): on failing to find a
+	kdc, set result_code to KRB5_KPASSWD_HARDERROR
+	
+2005-01-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/heimdal.texi: Happy New Year
+	
diff --git a/crypto/heimdal/ChangeLog.2006 b/crypto/heimdal/ChangeLog.2006
new file mode 100644
index 0000000..f0e1ce9
--- /dev/null
+++ b/crypto/heimdal/ChangeLog.2006
@@ -0,0 +1,2047 @@
+2006-12-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/process.c: Handle kx509 requests.
+
+	* kdc/connect.c: Listen to 9878 if kca is turned on.
+
+	* kdc/headers.h: Include <kx509_asn1.h>.
+
+	* kdc/config.c: code to parse [kdc]enable-kx509
+
+	* kdc/kdc.h: add enable_kx509
+
+	* kdc/Makefile.am: add kx509.c
+
+	* kdc/kx509.c: Kx509server (external certificate genration).
+
+	* lib/krb5/ticket.c: add krb5_ticket_get_endtime
+
+	* lib/krb5/krb5_ticket.3: Document krb5_ticket_get_endtime
+
+	* kdc/digest.c: Remove <digest_asn.h>, its already included in
+	headers.h
+
+	* kdc/digest.c: Return session key for the NTLMv2 case too
+
+	* lib/krb5/digest.c (krb5_ntlm_rep_get_sessionkey): return value
+	is krb5_error_code
+	
+2006-12-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/mk_req_ext.c (_krb5_mk_req_internal): use md5 for
+	des-cbc-md4 and des-cbc-md5.  This is for (older) windows that
+	will be unhappy anything else.  From Inna Bort-Shatsky
+	
+2006-12-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/digest.c: Prefix internal symbol with _kdc_.
+
+	* kdc/kdc.h: add digests_allowed
+
+	* kdc/digest.c: return NTLM2 targetinfo structure.
+
+	* lib/krb5/digest.c: Add krb5_ntlm_init_get_targetinfo.
+
+	* kdc/config.c: Parse digest acl's
+
+	* kdc/kdc_locl.h: forward decl;
+
+	* kdc/digest.c: Add digest acl's
+	
+2006-12-22  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* fix-export: build ntlm-private.h
+	
+2006-12-20  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* include/make_crypto.c: Include <.../hmac.h>.
+
+	* kdc/digest.c: reorder to show slot here ntlmv2 code will be
+	placed.
+
+	* kdc/digest.c: Announce that we support key exchange and add bits
+	to detect when it wasn't used.
+
+	* kdc/digest.c: Add support for generating NTLM2 session security
+	answer.
+	
+2006-12-19  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/krb5/digest.c: Add sessionkey accessor functions.
+	
+2006-12-18  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/digest.c: Unwrap the NTLM session key and return it to the
+	server.
+	
+2006-12-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/store.c (krb5_ret_principal): Fix a bug in the malloc
+	failure part, noticed by Arnaud Lacombe in NetBSD coverity scan.
+	
+2006-12-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/fcache.c (fcc_get_cache_next): avoid const warning.
+
+	* kdc/digest.c: Support NTLM verification, note that the KDC does
+	no NTLM packet parsing, its all done by the client side, the KDC
+	just calculate and verify the digest and return the result to the
+	service.
+
+	* kuser/kdigest.c: add ntlm-server-init
+
+	* kuser/Makefile.am: kdigest depends on libheimntlm.la
+
+	* kdc/headers.h: Include <heimntlm.h>.
+
+	* kdc/Makefile.am: libkdc needs libheimntlm.la
+
+	* autogen.sh: just run autoreconf -i -f
+
+	* lib/Makefile.am: hook in ntlm
+
+	* configure.in (AC_CONFIG_FILES): add lib/ntlm/Makefile
+
+	* lib/krb5/digest.c: API to authenticate ntlm requests.
+
+	* lib/krb5/fcache.c: Support "iteration" of file credential caches
+	by giving the user back the default file credential cache and only
+	that.
+
+	* lib/krb5/krb5_locl.h: Expand the default root for some of the cc
+	type names.
+	
+2006-12-14  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/krb5/init_creds_pw.c (free_paid): free the krb5_data
+	structure too.  Bug report from Stefan Metzmacher.
+	
+2006-12-12  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kuser/kinit.c: Read the appdefault configration before we try to
+	use the flags.  Bug reported by Ingemar Nilsson.
+
+	* kuser/kdigest.c: prefix digest commands with digest_
+
+	* kuser/kdigest-commands.in: prefix digest commands with digest-
+	
+2006-12-10  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/hprop.c: Return error codes on failure, improve error
+	reporting.
+	
+2006-12-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c: sprinkle more _krb5_pk_copy_error
+
+	* lib/krb5/pkinit.c: Copy more hx509 error strings to krb5 error
+	strings
+	
+2006-12-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* include/Makefile.am: CLEANFILES += vis.h
+	
+2006-12-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kerberos5.c (_kdc_as_rep): add AD-INITAL-VERIFIED-CAS to the
+	encrypted ticket
+
+	* kdc/pkinit.c (_kdc_add_inital_verified_cas): new function, adds
+	an empty (for now) AD_INITIAL_VERIFIED_CAS to tell the clients
+	that we vouches for the CA.
+
+	* kdc/kerberos5.c (_kdc_tkt_add_if_relevant_ad): new function.
+
+	* lib/Makefile.am: Make the directories test automake conditional
+	so automake can include directories in make dist step.
+
+	* kdc/pkinit.c (_kdc_pk_rd_padata): leak less memory for
+	ExternalPrincipalIdentifiers
+
+	* kdc/pkinit.c: Parse and use PA-PK-AS-REQ.trustedCertifiers
+
+	* kdc/pkinit.c: Add comment that the anchors in the signed data
+	really should be the trust anchors of the client.
+
+	* kuser/generate-requests.c: Use strcspn to remove \n from
+	string returned by fgets.  From Björn Sandell
+	
+	* kpasswd/kpasswd-generator.c: Use strcspn to remove \n from
+	string returned by fgets.  From Björn Sandell
+	
+2006-12-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/hdb-ldap.c: Clear errno before calling the strtol
+	functions. From Paul Stoeber to OpenBSD by Ray Lai and Björn
+	Sandell.
+
+	* lib/krb5/config_file.c: Use strcspn to remove \n from fgets
+	result. Prompted by change by Ray Lai of OpenBSD via Björn
+	Sandell.
+
+	* kdc/string2key.c: Use strcspn to remove \n from fgets
+	result. Prompted by change by Ray Lai of OpenBSD via Björn
+	Sandell.
+	
+2006-11-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krbhst.c (plugin_get_hosts): be more paranoid and pass
+	in a NULLed plugin list
+	
+2006-11-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/verify_krb5_conf.c: add more pkinit options.
+
+	* lib/krb5/pkinit.c: Store what PK-INIT type we used to know reply
+	to expect, this avoids overwriting the real PK-INIT error from
+	just a failed requeat with a Windows PK-INIT error (that always
+	failes).
+
+	* kdc/Makefile.am: Add LIB_pkinit to pacify AIX
+
+	* lib/hdb/Makefile.am: Add LIB_com_err to pacify AIX
+	
+2006-11-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/hdb-ldap.c: Make build again from the hdb_entry
+	wrapping. Patch from Andreas Hasenack.
+
+	* kdc/pkinit.c: Need better code in the DH parameter rejection
+	case, add comment to that effect.
+	
+2006-11-27  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/krb5tgs.c: Reply KRB5KRB_ERR_RESPONSE_TOO_BIG for too large
+	packets when using datagram based transports.
+
+	* kdc/process.c: Pass down datagram_reply to _kdc_tgs_rep.
+
+	* lib/krb5/pkinit.c (build_auth_pack): set supportedCMSTypes.
+	
+2006-11-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c: Pass down hx509_peer_info.
+
+	* kdc/pkinit.c (_kdc_pk_rd_padata): Pick up supportedCMSTypes and
+	pass in into hx509_cms_create_signed_1 via hx509_peer_info blob.
+
+	* kdc/pkinit.c (_kdc_pk_rd_padata): Pick up supportedCMSTypes and
+	pass in into hx509_cms_create_signed_1 via hx509_peer_info blob.
+	
+2006-11-24  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/krb5/send_to_kdc.c: Set the large_msg_size to 1400, lets not
+	fragment packets and avoid stupid linklayers that doesn't allow
+	fragmented packets (unix dgram sockets on Mac OS X)
+	
+2006-11-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c (_krb5_pk_create_sign): stuff down the users
+	certs in the pool to make sure a path is returned, without this
+	proxy certificates wont work.
+	
+2006-11-21  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/config.c: Make all pkinit options prefixed with pkinit_
+
+	* lib/krb5/log.c (krb5_get_warn_dest): return warn_dest from
+	krb5_context
+
+	* lib/krb5/krb5_warn.3: document krb5_[gs]et_warn_dest
+
+	* lib/krb5/krb5.h: Drop KRB5_KU_TGS_IMPERSONATE.
+
+	* kdc/krb5tgs.c: Use KRB5_KU_OTHER_CKSUM for the impersonate
+	checksum.
+
+	* lib/krb5/get_cred.c: Use KRB5_KU_OTHER_CKSUM for the impersonate
+	checksum.
+	
+2006-11-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/verify_user.c: Make krb5_get_init_creds_opt_free take a
+	context argument.
+
+	* lib/krb5/krb5_get_init_creds.3: Make
+	krb5_get_init_creds_opt_free take a context argument.
+
+	* lib/krb5/init_creds_pw.c: Make krb5_get_init_creds_opt_free take
+	a context argument.
+
+	* kuser/kinit.c: Make krb5_get_init_creds_opt_free take a context
+	argument.
+
+	* kpasswd/kpasswd.c: Make krb5_get_init_creds_opt_free take a
+	context argument.
+
+	* kpasswd/kpasswd-generator.c: Make krb5_get_init_creds_opt_free
+	take a context argument.
+
+	* kdc/hprop.c: Make krb5_get_init_creds_opt_free take a context
+	argument.
+
+	* lib/krb5/init_creds.c: Make krb5_get_init_creds_opt_free take a
+	context argument.
+
+	* appl/gssmask/gssmask.c: Make krb5_get_init_creds_opt_free take a
+	context argument.
+	
+2006-11-19  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* doc/setup.texi: fix pkinit option (s/-/_/)
+
+	* kdc/config.c: revert the enable-pkinit change, and make it
+	consistant with all other other enable- options
+	
+2006-11-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/setup.texi: Make all pkinit options prefixed with pkinit_
+
+	* kdc/config.c: Make all pkinit options prefixed with pkinit_
+
+	* kdc/pkinit.c: Make app pkinit options prefixed with pkinit_
+
+	* lib/krb5/pkinit.c: Make app pkinit options prefixed with pkinit_
+
+	* lib/krb5/mit_glue.c (krb5_c_keylengths): make compile again.
+
+	* lib/krb5/mit_glue.c (krb5_c_keylengths): rename.
+
+	* lib/krb5/mit_glue.c (krb5_c_keylength): mit changed the api,
+	deal.
+	
+2006-11-13  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/krb5/pac.c (fill_zeros): stop using MIN.
+
+	* kuser/kinit.c: Forward decl
+	
+	* lib/krb5/test_plugin.c: Use NOTHERE.H5L.SE.
+
+	* lib/krb5/krbhst.c: Fill in hints for picky getaddrinfo()s.
+
+	* lib/krb5/test_plugin.c: Set sin_len if it exists.
+
+	* lib/krb5/krbhst.c: Use plugin for the other realm locate types
+	too.
+	
+2006-11-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_locl.h: Add plugin api
+
+	* lib/krb5/Makefile.am: Add plugin api.
+
+	* lib/krb5/krbhst.c: Use the resolve plugin interface.
+
+	* lib/krb5/locate_plugin.h: Add plugin interface for resolving
+	that is API compatible with MITs version.
+
+	* lib/krb5/plugin.c: Add first version of the plugin interface.
+
+	* lib/krb5/test_pac.c: Test signing.
+
+	* lib/krb5/pac.c: Add code to sign PACs, only arcfour for now.
+
+	* lib/krb5/krb5.h: Add struct krb5_pac.
+	
+2006-11-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/test_pac.c: PAC testing.
+
+	* lib/krb5/pac.c: Sprinkle error strings.
+
+	* lib/krb5/pac.c: Verify LOGON_NAME.
+
+	* kdc/pkinit.c (_kdc_pk_check_client): drop client_princ as an
+	argument
+
+	* kdc/kerberos5.c (_kdc_as_rep): drop client_princ from
+	_kdc_pk_check_client since its not valid in canonicalize case
+
+	* lib/krb5/krb5_c_make_checksum.3: Document krb5_c_keylength.
+
+	* lib/krb5/mit_glue.c: Add krb5_c_keylength.
+	
+2006-11-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pac.c: Almost enough code to do PAC parsing and
+	verification, missing in the unix2NTTIME and ucs2 corner. The
+	later will be adressed by finally adding libwind.
+
+	* lib/krb5/krb5_init_context.3: document krb5_[gs]et_max_time_skew
+
+	* kdc/hpropd.c: Remove support dumping to a kerberos 4 database.
+	
+2006-11-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/context.c: rename krb5_[gs]et_time_wrap to
+	krb5_[gs]et_max_time_skew
+
+	* kdc/pkinit.c: Catch error string from hx509_cms_verify_signed.
+	Check for id-pKKdcEkuOID and warn if its not there.
+
+	* lib/krb5/rd_req.c: Add more krb5_rd_req_out_get functions.
+
+2006-11-06  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/krb5/krb5.h: krb5_rd_req{,_in,_out}_ctx.
+
+	* lib/krb5/rd_req.c (krb5_rd_req_ctx): Add context all singing-all
+	dancing version of the krb5_rd_req and implement krb5_rd_req and
+	krb5_rd_req_with_keyblock using it.
+
+2006-11-04 Love Hörnquist Åstrand <lha@it.su.se>
+	
+	* kdc/kerberos5.c (_kdc_as_rep): More verbose time skew logging.
+	
+2006-11-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/expand_hostname.c: Rename various routines and
+	constants from canonize to canonicalize.  From Andrew Bartlett
+
+	* lib/krb5/context.c: Add krb5_[gs]et_time_wrap
+
+	* lib/krb5/krb5_locl.h: Rename various routines and constants from
+	canonize to canonicalize.  From Andrew Bartlett
+
+	* appl/gssmask/common.c (add_list): fix alloc statement.
+	From Alex Deiter
+	
+2006-10-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* include/Makefile.am: Move version.h and version.h.in to
+	DISTCLEANFILES.
+	
+2006-10-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* appl/gssmask/gssmask.c: Only log when there are resources left.
+
+	* appl/gssmask/gssmask.c: make compile
+
+	* appl/gssmask/gssmask.c (AcquireCreds): free
+	krb5_get_init_creds_opt
+	
+2006-10-23  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* configure.in: heimdal 0.8-RC1
+
+2006-10-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/digest.c: Try to not leak memory.
+
+	* kdc/digest.c: Try to not leak memory.
+
+	* Makefile.am: remove valgrind target, it doesn't belong here.
+
+	* kuser/kinit.c: Try to not leak memory.
+
+	* kuser/kgetcred.c: Try to not leak memory.
+
+	* kdc/krb5tgs.c (check_KRB5SignedPath): free KRB5SignedPath on
+	successful completion too, not just the error cases.
+
+	* fix-export: Make make fix-export less verbose.
+
+	* kuser/kgetcred.c: Try to not leak memory.
+
+	* lib/hdb/keys.c (hdb_generate_key_set): free list of enctype when
+	done.
+
+	* lib/krb5/crypto.c: Allocate the memory we later use.
+
+	* lib/krb5/test_princ.c: Try to not leak memory.
+
+	* lib/krb5/test_crypto_wrapping.c: Try to not leak memory.
+
+	* lib/krb5/test_cc.c: Try to not leak memory.
+
+	* lib/krb5/addr_families.c (arange_free): Try to not leak memory.
+
+	* lib/krb5/crypto.c (AES_string_to_key): Try to not leak memory.
+
+2006-10-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* tools/heimdal-build.sh: Add --test-environment
+
+	* tools/heimdal-build.sh: Add --ccache-dir
+
+	* lib/hdb/Makefile.am: remove dependency on et files covert_db
+	that now is removed
+	
+2006-10-20  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* include/Makefile.am: add gssapi to subdirs
+
+	* lib/hdb/hdb-ldap.c: Make compile.
+
+	* configure.in: add include/gssapi/Makefile.
+
+	* include/Makefile.am: clean more files
+
+	* include/make_crypto.c: Avoid creating a file called --version.
+
+	* include/bits.c: Avoid creating a file called --version.
+
+	* appl/test/Makefile.am: add nt_gss_common.h
+
+	* doc/Makefile.am: Disable TEXI2DVI for now.
+
+	* tools/Makefile.am: more files
+
+	* lib/krb5/context.c (krb5_free_context): free send_to_kdc context
+
+	* doc/heimdal.texi: Put Heimdal in the dircategory Security.
+
+	* lib/krb5/send_to_kdc.c: Add sent_to_kdc hook, from Andrew
+	Bartlet.
+
+	* lib/krb5/krb5_locl.h: Add send_to_kdc hook.
+
+	* lib/krb5/krb5.h: Add krb5_send_to_kdc_func prototype.
+
+	* kcm/Makefile.am: more files
+
+	* kdc/Makefile.am: more files
+
+	* lib/hdb/Makefile.am: more files
+
+	* lib/krb5/Makefile.am: add more files
+	
+2006-10-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* tools/Makefile.am: Add heimdal-build.sh to EXTRA_DIST.
+
+	* configure.in: Don't check for timegm, libroken provides it for
+	us.
+
+	* lib/krb5/acache.c: Does function typecasts instead of void *
+	type-casts.
+
+	* lib/krb5/krb5.h: Remove bonus , that Love sneeked in.
+
+	* configure.in: make --disable-pk-init help text also negative
+	
+2006-10-18  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kuser/kgetcred.c: Avoid memory leak.
+
+	* tools/heimdal-build.sh: Add more verbose logging, add version of
+	script and heimdal to the mail.
+
+	* lib/hdb/db3.c: Wrap function call pointer calls in (*func) to
+	avoid macros rewriting open and close.
+
+	* lib/krb5/Makefile.am: Add test_princ.
+
+	* lib/krb5/principal.c: More error strings, handle realm-less
+	printing.
+
+	* lib/krb5/test_princ.c: Test principal parsing and unparsing.
+	
+2006-10-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/get_host_realm.c (krb5_get_host_realm): make sure we
+	don't recurse
+
+	* lib/krb5/get_host_realm.c (krb5_get_host_realm): no components
+	-> no dns. no mapping, try local realm and hope KDC knows better.
+
+	* lib/krb5/krb5.h: Add flags for krb5_unparse_name_flags
+
+	* lib/krb5/krb5_principal.3: Document
+	krb5_unparse_name{_fixed,}_flags.
+
+	* lib/krb5/principal.c: Add krb5_unparse_name_flags and
+	krb5_unparse_name_fixed_flags.
+
+	* lib/krb5/krb5_principal.3: Document krb5_parse_name_flags.
+
+	* lib/krb5/principal.c: Add krb5_parse_name_flags.
+
+	* lib/krb5/principal.c: Add krb5_parse_name_flags.
+
+	* lib/krb5/krb5.h: Add krb5_parse_name_flags flags.
+
+	* lib/krb5/krb5_locl.h: Hide krb5_context_data from public
+	exposure.
+
+	* lib/krb5/krb5.h: Hide krb5_context_data from public exposure.
+
+	* kuser/klist.c: Use krb5_get_kdc_sec_offset.
+
+	* lib/krb5/context.c: Document krb5_get_kdc_sec_offset()
+	
+	* lib/krb5/krb5_init_context.3: Add krb5_get_kdc_sec_offset()
+	
+	* lib/krb5/krb5_init_context.3: Add krb5_set_dns_canonize_hostname
+	and krb5_get_dns_canonize_hostname
+
+	* lib/krb5/verify_krb5_conf.c:
+	add [libdefaults]dns_canonize_hostname
+
+	* lib/krb5/expand_hostname.c: use dns_canonize_hostname to
+	determin if we should talk to dns to find the canonical name of
+	the host.
+
+	* lib/krb5/krb5.h (krb5_context): add dns_canonize_hostname.
+
+	* tools/heimdal-build.sh: Set status.
+
+	* appl/gssmask/gssmask.c: handle more bits
+
+	* kdc/kerberos5.c: Prefix asn1 primitives with der_.
+	
+2006-10-16  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* fix-export: Build lib/asn1/der-protos.h.
+	
+2006-10-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* appl/gssmask/Makefile.am: Add explit depenency on libroken.
+
+	* kdc/krb5tgs.c: Prefix der primitives with der_.
+
+	* kdc/pkinit.c: Prefix der primitives with der_.
+
+	* lib/hdb/ext.c: Prefix der primitives with der_.
+	
+	* lib/hdb/ext.c: Prefix der primitives with der_.
+
+	* lib/krb5/crypto.c: Remove workaround from when there wasn't
+	always aes.
+
+	* lib/krb5/ticket.c: Prefix der primitives with der_.
+	
+	* lib/krb5/digest.c: Prefix der primitives with der_.
+
+	* lib/krb5/crypto.c: Prefix der primitives with der_.
+
+	* lib/krb5/data.c: Prefix der primitives with der_.
+	
+2006-10-12  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/pkinit.c (pk_mk_pa_reply_enckey): add missing break. From
+	Olga Kornievskaia.
+
+	* kdc/kdc.8: document max-kdc-datagram-reply-length
+
+	* include/bits.c: Include Xint64 types.
+	
+2006-10-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* tools/heimdal-build.sh: Add socketwrapper and cputime limit.
+
+	* kdc/connect.c (loop): Log that the kdc have started.
+	
+2006-10-09  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/connect.c (do_request): tell krb5_kdc_process_request if its
+	a datagram reply or not
+
+	* kdc/kerberos5.c: Reply KRB5KRB_ERR_RESPONSE_TOO_BIG error if its
+	a datagram reply and the datagram reply length limit is reached.
+
+	* kdc/process.c: Rename krb5_kdc_process_generic_request to
+	krb5_kdc_process_request Add datagram_reply argument.
+
+	* kdc/config.c: check for [kdc]max-kdc-datagram-reply-length
+
+	* kdc/kdc.h (krb5_kdc_config): Add max_datagram_reply_length.
+
+	* lib/hdb/keytab.c: Change || to |, From metze.
+
+	* lib/hdb/keytab.c: Add back :file to sample format.
+
+	* lib/hdb/keytab.c: Add more HDB_F flags to hdb_fetch. Pointed out
+	by Andrew Bartlet.
+
+	* kdc/krb5tgs.c (tgs_parse_request): set cusec, not csec from
+	auth->cusec.
+	
+2006-10-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* fix-export: dist_-ify libkadm5clnt_la_SOURCES too
+
+	* doc/heimdal.texi: Update (c) years.
+
+	* appl/gssmask/protocol.h: Clarify protocol.
+
+	* kdc/hpropd.c: Adapt to signature change of
+	_krb5_principalname2krb5_principal.
+
+	* kdc/kerberos4.c: Adapt to signature change of
+	_krb5_principalname2krb5_principal.
+
+	* kdc/connect.c (handle_vanilla_tcp): shorten length when we
+	shorten the buffer, this matter im the PK-INIT encKey case where a
+	checksum is done over the whole packet. Reported by Olga
+	Kornievskaia
+	
+2006-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* include/Makefile.am: crypto-headers.h is a nodist header
+
+	* lib/krb5/aes-test.c: Make argument to PKCS5_PBKDF2_HMAC_SHA1
+	unsigned char to make OpenSSL happy.
+
+	* appl/kf/Makefile.am: Add man_MANS to EXTRA_DIST
+
+	* kuser/Makefile.am: split build files into dist_ and noinst_
+	SOURCES
+
+	* lib/hdb/Makefile.am: split build files into dist_ and noinst_
+	SOURCES
+
+	* lib/krb5/Makefile.am: split build files into dist_ and noinst_
+	SOURCES
+
+	* kdc/kerberos5.c: Adapt to signature change of
+	_krb5_principalname2krb5_principal.
+	
+2006-10-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krbhst.c (common_init): don't try DNS when there is
+	realm w/o a dot.
+
+	* kdc/524.c: Adapt to signature change of
+	_krb5_principalname2krb5_principal.
+
+	* kdc/krb5tgs.c: Adapt to signature change of
+	_krb5_principalname2krb5_principal.
+
+	* lib/krb5/get_in_tkt.c: Adapt to signature change of
+	_krb5_principalname2krb5_principal.
+
+	* lib/krb5/rd_cred.c: Adapt to signature change of
+	_krb5_principalname2krb5_principal.
+
+	* lib/krb5/rd_req.c: Adapt to signature change of
+	_krb5_principalname2krb5_principal.
+
+	* lib/krb5/asn1_glue.c (_krb5_principalname2krb5_principal): add
+	krb5_context to signature.
+
+	* kdc/524.c (_krb5_principalname2krb5_principal): adapt to
+	signature change
+
+	* lib/hdb/keytab.c (hdb_get_entry): close and destroy the database
+	later, the hdb_entry_ex might still contain links to the database
+	that it expects to use.
+
+	* kdc/digest.c: Make digest argument o MD5_final unsigned char to
+	help OpenSSL.
+
+	* kuser/kdigest.c: Make digest argument o MD5_final unsigned char
+	to help OpenSSL.
+
+	* appl/gssmask/common.h: Maybe include <sys/wait.h>.
+	
+2006-10-05  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* appl/gssmask/common.h: disable ENABLE_PTHREAD_SUPPORT and
+	explain why
+
+	* tools/heimdal-build.sh: Another mail header.
+
+	* tools/heimdal-build.sh: small fixes
+
+	* fix-export: More liberal parsing of AC_INIT
+
+	* tools/heimdal-build.sh: first cut
+	
+2006-10-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* configure.in: Call AB_INIT.
+
+	* kuser/kinit.c: Add flag --pk-use-enckey.
+
+	* kdc/pkinit.c: Sign the request in the encKey case.  Bug reported
+	by Olga Kornievskaia of Umich.
+
+	* lib/krb5/Makefile.am: man_MANS += krb5_digest.3
+
+	* lib/krb5/krb5_digest.3: Add all protos
+	
+2006-10-03  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/krb5/krb5_digest.3: Basic krb5_digest manpage.
+	
+2006-10-02  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* fix-export: build gssapi mech private files
+	
+	* lib/krb5/init_creds_pw.c: minimize layering and remove
+	krb5_kdc_flags
+
+	* lib/krb5/get_in_tkt.c: Always use the kdc_flags in the right bit
+	order.
+
+	* lib/krb5/init_creds_pw.c: Always use the kdc_flags in the right
+	bit order.
+
+	* kuser/kdigest.c: Don't require --kerberos-realm.
+
+	* lib/krb5/digest.c (digest_request): if NULL is passed in as
+	realm, use default realm.
+
+	* fix-export: build gssapi mech private files
+	
+2006-09-26  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* appl/gssmask/gssmaestro.c: Handle FIRST_CALL in the context
+	building, better error handling.
+
+	* appl/gssmask/gssmaestro.c: switch from wrap/unwrap to
+	encrypt/decrypt
+	
+	* appl/gssmask/gssmask.c: Don't announce spn if there is none.
+
+	* appl/gssmask/gssmaestro.c: Check that the pre-wrapped data is
+	the same as afterward.
+	
+2006-09-25  Love Hörnquist Åstrand <lha@it.su.se>
+	
+	* appl/gssmask/gssmaestro.c: Remove stray GSS_C_DCE_STYLE.
+
+	* appl/gssmask/gssmaestro.c: Add logsocket support.
+	
+2006-09-22  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* appl/gssmask/gssmaestro.c (build_context): print the step the
+	context exchange.
+	
+2006-09-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* appl/gssmask/gssmaestro.c: Add GSS_C_INTEG_FLAG|GSS_C_CONF_FLAG
+	to all context flags
+	
+	* appl/gssmask/gssmaestro.c: Add wrap and mic tests for all
+	elements
+
+	* appl/gssmask/gssmask.c: Add mic tests
+
+	* appl/gssmask/gssmaestro.c: dont exit early then when context
+	is half built.
+	
+	* lib/krb5/rd_req.c: disable ETypeList parsing usage for now, cfx
+	seems broken and its not good to upgrade to a broken enctype.
+	
+2006-09-20  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* appl/gssmask/gssmask.c: Add wrap/unwrap ops
+
+	* appl/gssmask/protocol.h: Add eGetVersionAndCapabilities flags
+
+	* appl/gssmask/common.c: Add permutate_all (and support
+	functions).
+
+	* appl/gssmask/common.h: Add permutate_all
+
+	* appl/gssmask/gssmask.c: use new flags, return moniker
+
+	* appl/gssmask/gssmaestro.c: test self context building and all
+	permutation of clients
+	
+2006-09-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* appl/gssmask/gssmask.c: add --logfile option, use htons() on
+	port number
+
+	* appl/gssmask/gssmaestro.c: Log port in connection message.
+
+	* configure.in: Make pk-init turned on by default.
+	
+2006-09-18  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* fix-export: Build lib/hx509/{hx509-protos.h,hx509-private.h}.
+
+	* kuser/Makefile.am: Add tool for printing tickets.
+
+	* kuser/kimpersonate.1: Add tool for printing tickets.
+	
+	* kuser/kimpersonate.c: Add tool for printing tickets.
+
+	* kdc/krb5tgs.c: Check the adtkt in the constrained delegation
+	case too.
+	
+2006-09-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/main.c (sigterm): don't _exit, let loop() catch the signal
+	instead.
+
+	* lib/krb5/krb5_timeofday.3: Fixes from Björn Sandell.
+
+	* lib/krb5/krb5_get_init_creds.3: Fixes from Björn Sandell.
+	
+2006-09-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* tools/krb5-config.in: Add "kafs" option.
+	
+2006-09-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/db.c: By using full function calling conversion (*func)
+	we avoid problem when close(fd) is overridden using a macro.
+
+	* lib/krb5/cache.c: By using full function calling
+	conversion (*func) we avoid problem when close(fd) is overridden
+	using a macro.
+	
+2006-09-11  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/kerberos5.c: Signing outgoing tickets.
+
+	* kdc/krb5tgs.c: Add signing and checking of tickets to s4u2self
+	works securely.
+
+	* lib/krb5/pkinit.c: Adapt to new signature of
+	hx509_cms_unenvelope.
+	
+2006-09-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c (pk_verify_host): set errorstrings in a
+	sensable way
+	
+2006-09-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_init_context.3: Prevent a font generation warning,
+	from Jason McIntyre.
+	
+2006-09-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/context.c (krb5_init_ets): Add the hx errortable
+
+	* lib/krb5/krb5_locl.h: Include hx509_err.h.
+
+	* lib/krb5/pkinit.c (_krb5_pk_verify_sign): catch the error string
+	from the hx509 lib
+	
+2006-09-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_default_flags):
+	fix argument to krb5_get_init_creds_opt_set_addressless.
+
+	* lib/krb5/init_creds_pw.c (init_cred_loop): try to catch the
+	error when we actually have an error to catch.
+
+	* lib/krb5/init_creds_pw.c: Remove debug printfs.
+
+	* kuser/kinit.c: Remove debug printf
+
+	* lib/krb5/krb5_get_init_creds.3: Document
+	krb5_get_init_creds_opt_set_addressless.
+
+	* kuser/kinit.c: Use new function
+	krb5_get_init_creds_opt_set_addressless.
+
+	* lib/krb5/krb5_locl.h: use new addressless, convert pa-pac option
+	to use the same tri-state option as the new addressless option.
+
+	* lib/krb5/init_creds_pw.c: use new addressless, convert pa-pac
+	option to use the same tri-state option as the new addressless
+	option.
+
+	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_addressless):
+	used to control the address-lessness of the initial tickets
+	instead of passing in the empty set of address into
+	krb5_get_init_creds_opt_set_addresses.
+	
+2006-09-01  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kuser/kinit.c (renew_validate): inherit the proxiable and
+	forwardable from the orignal ticket, pointed out by Bernard
+	Antoine of CERN.
+	
+	* doc/setup.texi: More text about the acl_file entry and
+	hdb-ldap-structural-object.  From Rüdiger Ranft.
+
+	* lib/krb5/krbhst.c (fallback_get_hosts): limit the fallback
+	lookups to 5.  Patch from Wesley Craig, umich.edu
+
+	* configure.in: Add special tests for <sys/ucred.h>, include test
+	for sys/param.h and sys/types.h
+
+	* appl/test/tcp_server.c (proto): use keytab for krb5_recvauth
+	Patch from Ingemar Nilsson <init@pdc.kth.se>
+	
+2006-08-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kuser/kdigest.c (help): use sl_slc_help().
+
+	* kdc/digest.c: Catch more error, add SASL DIGEST MD5.
+
+	* lib/krb5/digest.c: Catch more error.
+
+2006-08-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/setup.texi: language.
+
+	* doc/heimdal.texi: Add last updated text.
+	
+	* doc/heimdal.css: make box around heimdal title
+	
+	* doc/heimdal.css: Inital Heimdal css for the info manual
+	
+	* lib/krb5/digest.c: In the case where we get a DigestError back,
+	save the error string and code.
+	
+2006-08-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kerberos5.c: Remove _kdc_find_etype(), its no longer used.
+
+	* kdc/digest.c: Remove local error label and have just one exit
+	label, set error strings properly.
+
+	* kdc/digest.c: Simply the disabled-service case.  Check the
+	allow-digest flag in the HDB entry for the client.
+
+	* kdc/process.c (krb5_kdc_process_generic_request): check if we
+	got a digest request and process it.
+
+	* kdc/main.c: Register hdb keytab operations.
+
+	* kdc/kdc.8: document [kdc]enable-digest=boolean
+
+	* kdc/Makefile.am: add digest to libkdc
+
+	* kdc/digest.c: Make a return a goto to avoid freeing un-inited
+	memory in cleanup code.
+
+	* kdc/default_config.c (krb5_kdc_default_config): default to all
+	bits set to zero.
+
+	* kdc/kdc.h (krb5_kdc_configuration): Add enable_digest
+
+	* kdc/headers.h: Include <digest_asn1.h>.
+
+	* lib/krb5/context.c (krb5_kerberos_enctypes): new function,
+	returns the list of Kerberos encryption types sorted in order of
+	most preferred to least preferred encryption type.
+
+	* kdc/misc.c (_kdc_get_preferred_key): new function, Use the order
+	list of preferred encryption types and sort the available keys and
+	return the most preferred key.
+
+	* kdc/krb5tgs.c: Adapt to the new sigature of _kdc_find_keys().
+
+	* kdc/kerberos5.c: Handle session key etype separately from the
+	tgt etype, now the krbtgt can be a aes-only key without the need
+	to support not-as-good etypes for the krbtgt.
+	
+2006-08-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/misc.c: Change _kdc_db_fetch() to return the database
+	pointer to if needed by the consumer.
+
+	* kdc/krb5tgs.c: Change _kdc_db_fetch() to return the database
+	pointer to if needed by the consumer.
+
+	* kdc/kerberos5.c: Change _kdc_db_fetch() to return the database
+	pointer to if needed by the consumer.
+	
+	* kdc/kerberos4.c: Change _kdc_db_fetch() to return the database
+	pointer to if needed by the consumer.
+	
+	* kdc/kaserver.c: Change _kdc_db_fetch() to return the database
+	pointer to if needed by the consumer.
+
+	* kdc/524.c: Change _kdc_db_fetch() to return the database pointer
+	to if needed by the consumer.
+
+	* kuser/kdigest-commands.in: Add --kerberos-realm, add client
+	request command.
+
+	* lib/krb5/Makefile.am: digest.c
+	
+	* lib/krb5/krb5.h: Add digest glue.
+
+	* lib/krb5/digest.c (krb5_digest_set_authentication_user): use
+	krb5_principal
+	
+	* lib/krb5/digest.c: Add digest support to the client side.
+	
+2006-08-21  Love Hörnquist Åstrand  <lha@it.kth.se>
+
+	* lib/krb5/rd_rep.c (krb5_rd_rep): free krb5_ap_rep_enc_part on
+	error and set return pointer to NULL
+	(krb5_free_ap_rep_enc_part): permit freeing of NULL
+	
+2006-08-18  Love Hörnquist Åstrand  <lha@it.kth.se>
+
+	* kdc/{Makefile.am,kdigest.c,kdigest-commands.in}:
+	Frontend for remote digest service in KDC
+
+	* lib/krb5/krb5_storage.3: Document krb5_{ret,store}_stringnl
+	functions.
+
+	* lib/krb5/store.c: Add krb5_{ret,store}_stringnl functions,
+	stores/retrieves a \n terminated string.
+
+	* lib/krb5/krb5_locl.h: Default to address-less tickets.
+
+	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_get_error): clear
+	error string on error.
+	
+2006-07-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/crypto.c: remove aes-192 (CMS)
+
+	* lib/krb5/crypto.c: Remove more CMS bits.
+	
+	* lib/krb5/crypto.c: Remove CMS symmetric encryption support.
+	
+2006-07-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/pkinit.c (_kdc_pk_check_client): make it not crash when
+	there are no acl
+
+	* kdc/pkinit.c (_kdc_pk_check_client): use the acl in the kerberos
+	database
+
+	* lib/hdb/hdb.asn1: Rename HDB-Ext-PKINIT-certificate to
+	HDB-Ext-PKINIT-hash.  Add trust anchor to HDB-Ext-PKINIT-acl.
+
+	* lib/hdb/Makefile.am: rename asn1_HDB_Ext_PKINIT_certificate to
+	asn1_HDB_Ext_PKINIT_hash
+
+	* lib/hdb/ext.c: Add hdb_entry_get_pkinit_hash().
+	
+2006-07-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kuser/kinit.c: If --password-file gets STDIN, read the password
+	from the standard input.
+
+	* kuser/kinit.1: Document --password-file=STDIN.
+
+	* lib/krb5/krb5_string_to_key.3: Remove duplicate to.
+	
+2006-07-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/krb5tgs.c: (tgs_build_reply): when checking for removed
+	principals, check the second component of the krbtgt, otherwise
+	cross realm wont work.  Prompted by report from Mattias Amnefelt.
+
+2006-07-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/connect.c (handle_vanilla_tcp): use unsigned integer for for
+	length
+	(handle_tcp): if the high bit it set in the unknown case, send
+	back a KRB_ERR_FIELD_TOOLONG
+	
+2006-07-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* appl/gssmask/gssmaestro.c: Add get_version_capa, cache
+	target_name.
+
+	* appl/gssmask/gssmask.c: use utname() to find the local hostname
+	and version of operatingsystem
+
+	* appl/gssmask/common.h: include <sys/utsname.h>
+
+	* appl/gssmask/gssmask.c: break out creation of a client and make
+	handleServer pthread_create compatible
+
+	* appl/gssmask/gssmaestro.c: break out out the build context
+	function
+	
+2006-07-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* appl/gssmask/gssmaestro.c: externalize slave handling, add
+	GetTargetName glue
+
+	* appl/gssmask/gssmaestro.c: externalize principal/password handling
+
+	* lib/krb5/principal.c (krb5_parse_name): set *principal to NULL
+	the first thing we do, so that on failure its set to a known value
+
+	* appl/gssmask/gssmask.c: AcquireCreds: set principal to NULL to
+	avoid memory corruption GetTargetName: always send a string, even
+	though we don't have a targetname
+
+	* appl/gssmask: break out common function; add gssmaestro (that
+	only tests one context for now)
+
+2006-06-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/store_fd.c (krb5_storage_from_fd): don't leak fd on
+	malloc failure
+
+	* appl/gssmask/gssmask.c: split out fetching of credentials for
+	easier reuse for pk-init testing
+
+	* appl/gssmask: maggot replacement, handles context testing
+
+	* lib/krb5/cache.c (krb5_cc_new_unique): use KRB5_DEFAULT_CCNAME
+	as the default prefix
+	
+2006-06-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/heimdal.texi: Add Doug Rabson's license
+	
+2006-06-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/init_creds.c: Add storing and getting KRB-ERROR in the
+	krb5_get_init_creds_opt structure.
+
+	* lib/krb5/init_creds_pw.c: Save KRB-ERROR on error.
+
+	* lib/krb5/krb5_locl.h (_krb5_get_init_creds_opt_private): add
+	KRB-ERROR
+	
+2006-06-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/setup.texi: section about verify_krb5_conf and kadmin check
+	
+2006-06-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/init_creds_pw.c (get_init_creds_common): drop cred
+	argument, its unused
+
+	* lib/krb5/Makefile.am: install krb5_get_creds.3
+	
+	* lib/krb5/krb5_get_creds.3: new file
+	
+2006-06-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/hdb-ldap.c: don't use the sambaNTPassword if there is
+	ARCFOUR key already.  Idea from Andreas Hasenack.  While here, set
+	pw change time using sambaPwdLastSet
+
+	* kdc/kerberos4.c: Use enable_v4_per_principal and check the new
+	hdb flag.
+
+	* kdc/kdc.h: Add enable_v4_per_principal
+	
+2006-06-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kerberos5.c (_kdc_as_rep): if kdc_time +
+	config->kdc_warn_pwexpire is past pw_end, add expiration
+	message. From Bernard Antoine.
+	
+	* kdc/default_config.c (krb5_kdc_default_config): set
+	kdc_warn_pwexpire to 0
+
+	* kdc/kerberos5.c: indent.
+	
+2006-06-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kerberos5.c: constify
+	
+2006-06-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/get_cred.c: Allow setting additional tickets in the
+	tgs-req
+
+	* kuser/kgetcred.c: add --delegation-credential-cache
+
+	* kdc/krb5tgs.c (tgs_build_reply): add constrained delegation.
+
+	* kdc/krb5tgs.c: Add impersonation.
+
+	* kuser/kgetcred.c: use new krb5_get_creds interface, add
+	impersonation.
+
+	* lib/krb5/get_cred.c (krb5_get_creds): add
+	KRB5_GC_NO_TRANSIT_CHECK
+
+	* lib/krb5/misc.c: Add impersonate support functions.
+
+	* lib/krb5/get_cred.c: Add impersonate and new krb5_get_creds interface.
+
+	* lib/hdb/hdb.asn1 (HDBFlags): add trusted-for-delegation
+
+	* lib/krb5/krb5.h: Add krb5_get_creds_opt_data and some more
+	KRB5_GC flags.
+	
+2006-06-01  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/hdb/ext.c (hdb_entry_get_ConstrainedDelegACL): new function.
+
+	* lib/krb5/pkinit.c: Avoid more shadowing.
+
+	* kdc/connect.c (do_request): clean reply with krb5_data_zero
+
+	* kdc/krb5tgs.c: Split up the reverse cross krbtgt check and local
+	clien must exists test.
+
+	* kdc/krb5tgs.c: Plug old memory leaks, unify all goto's.
+
+	* kdc/krb5tgs.c: Split tgs_rep2 into tgs_parse_request and
+	tgs_build_reply.
+
+	* kdc/kerberos5.c: split out krb5 tgs req to make it easier to
+ 	reorganize the code.
+	
+2006-05-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_get_init_creds.3: spelling Björn Sandell
+
+	* lib/krb5/krb5_get_in_cred.3: spelling Björn Sandell
+	
+2006-05-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kpasswd/kpasswdd.c (change): select the realm based on the
+	target principal From Gabor Gombas
+
+	* lib/krb5/krb5_get_init_creds.3: Add KRB5_PROMPT_TYPE_INFO
+	
+	* lib/krb5/krb5.h: Add KRB5_PROMPT_TYPE_INFO
+	
+2006-05-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c: Hidden field of hx509 prompter is removed.
+	Fix a warning.
+
+	* doc/setup.texi: Point to more examples, hint that you have to
+	use openssl 0.9.8a or later.
+
+	* doc/setup.texi: DIR now handles both PEM and DER.
+
+	* kuser/kinit.c: Pass down prompter and password to
+	krb5_get_init_creds_opt_set_pkinit.
+
+	* lib/krb5/pkinit.c (_krb5_pk_load_id): only use password if its
+	longer then 0
+	
+	* doc/ack.texi: Add Jason McIntyre.
+	
+	* lib/krb5/krb5_acl_match_file.3: Various tweaks, from Jason
+	McIntyre.
+	
+2006-05-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kuser/kinit.c: Move parsing of the PK-INIT configuration file to
+	the library so application doesn't need to deal with it.
+
+	* lib/krb5/pkinit.c (krb5_get_init_creds_opt_set_pkinit): move
+	parsing of the configuration file to the library so application
+	doesn't need to deal with it.
+
+	* lib/krb5/pkinit.c (_krb5_pk_load_id): pass the hx509_lock to
+	when trying to read the user certificate.
+
+	* lib/krb5/pkinit.c (hx_pass_prompter): return 0 on success and 1
+	on failure. Pointed out by Douglas E. Engert.
+	
+2006-05-08  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/krb5/crypto.c: Catches both keyed checkout w/o crypto
+	context cases and doesn't reset the string, and corrects the
+	grammar.
+
+	* lib/krb5/crypto.c: Drop aes-cbc, rc2 and CMS padding support,
+	its all containted in libhcrypto and libhx509 now.
+	
+2006-05-07  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/krb5/pkinit.c (_krb5_pk_verify_sign): Use
+	hx509_get_one_cert.
+
+	* lib/krb5/crypto.c (create_checksum): provide a error message
+	that a key checksum needs a key.  From Andew Bartlett.
+	
+2006-05-06  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/krb5/pkinit.c: Now that hcrypto supports DH, remove check
+	for hx509 null DH.
+
+	* kdc/pkinit.c: Don't call DH_check_pubkey, it doesn't exists in
+	older OpenSSL.
+
+	* doc/heimdal.texi: Add blob about imath.
+
+	* doc/ack.texi: Add blob about imath.
+
+	* include/make_crypto.c: Move up evp.h to please OpenSSL, from
+	Douglas E. Engert.
+
+	* kcm/acl.c: Multicache kcm interation isn't done yet, let wait
+	with this enum.
+	
+2006-05-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_set_default_realm.3: Spelling/mdoc from Björn
+	Sandell
+
+	* lib/krb5/krb5_rcache.3: Spelling/mdoc from Björn Sandell
+
+	* lib/krb5/krb5_keytab.3: Spelling/mdoc from Björn Sandell
+
+	* lib/krb5/krb5_get_in_cred.3: Spelling/mdoc from Björn Sandell
+
+	* lib/krb5/krb5_expand_hostname.3: Spelling/mdoc from Björn
+	Sandell
+
+	* lib/krb5/krb5_c_make_checksum.3: Spelling/mdoc from Björn
+	Sandell
+
+	* lib/krb5/keytab_file.c (fkt_next_entry_int): read the 32 bit
+	kvno if the reset of the data is longer then 4 bytes in hope to be
+	forward compatible. Pointed out by Michael B Allen.
+
+	* doc/programming.texi: Add fileformats.
+
+	* appl/test: Rename u_intXX_t to uintXX_t
+
+	* kuser: Rename u_intXX_t to uintXX_t
+
+	* kdc: Rename u_intXX_t to uintXX_t
+
+	* lib/hdb: Rename u_intXX_t to uintXX_t
+	
+	* lib/45]: Rename u_intXX_t to uintXX_t
+
+	* lib/krb5: Rename u_intXX_t to uintXX_t
+
+	* lib/krb5/Makefile.am: Add test_store to TESTS
+
+	* lib/krb5/pkinit.c: Catch using hx509 null DH and print a more
+	useful error message.
+
+	* lib/krb5/store.c: Rewrite the krb5_ret_u as proposed by Johan.
+	
+2006-05-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/kerberos4.c: Use the new unsigned integer storage types.
+
+	* kdc/kaserver.c: Use the new unsigned integer storage
+	types. Sprinkle some error handling.
+
+	* lib/krb5/krb5_storage.3: Document ret and store function for the
+	unsigned fixed size integer types.
+
+	* lib/krb5/v4_glue.c: Use the new unsigned integer storage
+	types. Fail that the address doesn't match, not the reverse.
+
+	* lib/krb5/store.c: Add ret and store function for the unsigned
+	fixed size integer types.
+
+	* lib/krb5/test_store.c: Test the integer storage types.
+	
+2006-05-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/store.c (krb5_store_principal): make it take a
+	krb5_const_principal, indent
+
+	* lib/krb5/krb5_storage.3: krb5_store_principal takes a
+	krb5_const_principal
+
+	* lib/krb5/pkinit.c: Deal with that hx509_prompt.reply is no
+	longer a pointer.
+
+	* kdc/kdc.h (krb5_kdc_configuration): add pkinit_kdc_ocsp_file
+
+	* kdc/config.c: read [kdc]pki-kdc-ocsp
+	
+2006-05-02  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/pkinit.c (_kdc_pk_mk_pa_reply): send back ocsp response if
+	it seems to be valid, simplfy the pkinit-windows DH case (it
+	doesn't exists).
+	
+2006-05-01  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/krb5/krb5_warn.3: Spelling/mdoc changes, from Björn Sandell.
+
+	* lib/krb5/krb5_verify_user.3: Spelling/mdoc changes, from Björn
+	Sandell.
+
+	* lib/krb5/krb5_verify_init_creds.3: Spelling/mdoc changes, from
+	Björn Sandell.
+
+	* lib/krb5/krb5_timeofday.3: Spelling/mdoc changes, from Björn
+	Sandell.
+
+	* lib/krb5/krb5_ticket.3: Spelling/mdoc changes, from Björn
+	Sandell.
+
+	* lib/krb5/krb5_rd_safe.3: Spelling/mdoc changes, from Björn
+	Sandell.
+
+	* lib/krb5/krb5_rcache.3: Spelling/mdoc changes, from Björn
+	Sandell.
+
+	* lib/krb5/krb5_principal.3: Spelling/mdoc changes, from Björn
+	Sandell.
+
+	* lib/krb5/krb5_parse_name.3: Spelling/mdoc changes, from Björn
+	Sandell.
+
+	* lib/krb5/krb5_mk_safe.3: Spelling/mdoc changes, from Björn
+	Sandell.
+
+	* lib/krb5/krb5_keyblock.3: Spelling/mdoc changes, from Björn
+	Sandell.
+
+	* lib/krb5/krb5_is_thread_safe.3: Spelling/mdoc changes, from
+	Björn Sandell.
+
+	* lib/krb5/krb5_generate_random_block.3: Spelling/mdoc changes,
+	from Björn Sandell.
+
+	* lib/krb5/krb5_generate_random_block.3: Spelling/mdoc changes,
+	from Björn Sandell.
+
+	* lib/krb5/krb5_expand_hostname.3: Spelling/mdoc changes, from
+	Björn Sandell.
+
+	* lib/krb5/krb5_check_transited.3: Spelling/mdoc changes, from
+	Björn Sandell.
+
+	* lib/krb5/krb5_c_make_checksum.3: Spelling/mdoc changes, from
+	Björn Sandell.
+
+	* lib/krb5/krb5_address.3: Spelling/mdoc changes, from
+	Björn Sandell.
+
+	* lib/krb5/krb5_acl_match_file.3: Spelling/mdoc changes, from
+	Björn Sandell.
+
+	* lib/krb5/krb5.3: Spelling, from Björn Sandell.
+	
+	* doc/ack.texi: add Björn
+
+2006-04-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c (cert2epi): don't include subject if its null
+	
+2006-04-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c: Send over what trust anchors the client have
+	configured.
+
+	* lib/krb5/pkinit.c (pk_verify_host): set better error string,
+	only check kdc name/address when we got a hostname/address passed
+	in the the function.
+
+	* kdc/pkinit.c (_kdc_pk_check_client): reorganize and make log
+	when a SAN matches.
+	
+2006-04-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* doc/setup.texi: More options and some text about windows
+	clients, certificate and KDCs.
+
+	* doc/setup.texi: notice about pki-mappings file space sensitive
+
+	* doc/setup.texi: Example pki-mapping file.
+
+	* lib/krb5/pkinit.c (pk_verify_host): verify hostname/address
+
+	* lib/hdb/hdb.h: Bump hdb interface version to 4.
+	
+2006-04-27  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kuser/kdestroy.1: Document --credential=principal.
+
+	* kdc/kerberos5.c (tgs_rep2): check that the client exists in the
+	kerberos database if its local request.
+
+	* kdc/{misc.c,524.c,kaserver.c,kerberos5.c}: pass down HDB_F_GET_
+	flags as appropriate
+
+	* kdc/kerberos4.c (_kdc_db_fetch4): pass down flags though
+	krb5_425_conv_principal_ext2
+
+	* kdc/misc.c (_kdc_db_fetch): Break out the that we request from
+	principal from the entry and pass it in as a seprate argument.
+
+	* lib/hdb/keytab.c (hdb_get_entry): Break out the that we request
+	from principal from the entry and pass it in as a seprate
+	argument.
+
+	* lib/hdb/common.c: Break out the that we request from principal
+	from the entry and pass it in as a seprate argument.
+
+	* lib/hdb/hdb.h: Break out the that we request from principal from
+	the entry and pass it in as a seprate argument. Add more flags to
+	->hdb_get(). Re-indent.
+	
+2006-04-26  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* doc/setup.texi: document pki-allow-proxy-certificate
+
+	* kdc/pkinit.c: Add option [kdc]pki-allow-proxy-certificate=bool
+	to allow using proxy certificate.
+
+	* lib/krb5/pkinit.c (_krb5_pk_allow_proxy_certificates): expose
+	hx509_verify_set_proxy_certificate
+
+	* kdc/pkinit.c (_kdc_pk_check_client): Use
+	hx509_cert_get_base_subject to get subject name of the
+	certificate, needed for proxy certificates.
+
+	* kdc/kerberos5.c: Now that find_keys speaks for it self, remove
+	extra logging.
+
+	* kdc/kerberos5.c (find_keys): add client_name and server_name
+	argument and use them, and adapt callers.
+	
+2006-04-25  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kuser/kinit.1: document option password-file
+
+	* kuser/kinit.c: Add option password-file, read password from the
+	first line of a file.
+
+	* configure.in: make tests/kdc/Makefile
+
+	* kdc/kerberos5.c: Catch the case where the client sends no
+	encryption types or no pa-types.
+
+	* lib/hdb/ext.c (hdb_replace_extension): set error message on
+	failure, not success.
+
+	* lib/hdb/keys.c (parse_key_set): handle error case better
+	(hdb_generate_key_set): return better error
+	
+2006-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/hdb/hdb.c (hdb_create): print out what we don't support
+
+	* lib/krb5/principal.c: Remove a double free introduced in 1.93
+
+	* lib/krb5/log.c (log_file): reset pointer to freed memory
+
+	* lib/krb5/keytab_keyfile.c (get_cell_and_realm): reset d->cell to
+	make sure its not refereced
+
+	* tools/krb5-config.in: libhcrypto might depend on libasn1, switch
+	order
+
+	* lib/krb5/recvauth.c: indent
+
+	* doc/heimdal.texi: Add Setting up PK-INIT to Detailed Node
+	Listing.
+
+	* lib/krb5/pkinit.c: Pass down realm to pk_verify_host so the
+	function can verify the certificate is from the right realm.
+
+	* lib/krb5/init_creds_pw.c: Pass down realm to
+	_krb5_pk_rd_pa_reply
+	
+2006-04-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c (pk_verify_host): Add begining of finding
+	subjectAltName_otherName pk-init-san and verifing it.
+
+	* lib/krb5/sendauth.c: reindent
+
+	* doc/Makefile.am: use --no-split to make one large file, mostly
+	for html
+
+	* doc/setup.texi: "document" pkinit_require_eku and
+	pkinit_require_krbtgt_otherName
+
+	* lib/krb5/pkinit.c: Add pkinit_require_eku and
+	pkinit_require_krbtgt_otherName
+
+	* doc/setup.texi: Add text about pk-init
+
+	* tools/kdc-log-analyze.pl: count v5 cross realms too
+	
+2006-04-22  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/pkinit.c: Adapt to change in hx509_cms_create_signed_1.
+
+	* lib/krb5/pkinit.c: Adapt to change in hx509_cms_create_signed_1.
+	
+2006-04-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/pkinit.c (_kdc_pk_rd_padata): use
+	hx509_cms_unwrap_ContentInfo.
+
+	* kdc/config.c: unbreak
+
+	* lib/krb5/pkinit.c: Handle diffrences between libhcrypto and
+	libcrypto.
+
+	* kdc/config.c: Rename pki-chain to pki-pool to match rest of
+	code.
+	
+2006-04-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/rd_priv.c: Fix argument to krb5_data_zero.
+
+	* kdc/config.c: Added certificate revoke information from
+	configuration file.
+	
+	* kdc/pkinit.c: Added certificate revoke information.
+
+	* kuser/kinit.c: Added certificate revoke information from
+	configuration file.
+
+	* lib/krb5/pkinit.c (_krb5_pk_load_id): Added certificate revoke
+	information, ie CRL's
+	
+2006-04-10 Love Hörnquist Åstrand <lha@it.su.se>
+
+	* lib/krb5/replay.c (krb5_rc_resolve_full): make compile again.
+
+	* lib/krb5/keytab_krb4.c (krb4_kt_start_seq_get_int): make compile
+	again.
+
+	* lib/krb5/transited.c (make_path): make sure we return allocated
+	memory Coverity, NetBSD CID#1892
+
+	* lib/krb5/transited.c (make_path): make sure we return allocated
+	memory Coverity, NetBSD CID#1892
+
+	* lib/krb5/rd_req.c (krb5_verify_authenticator_checksum): on
+	protocol failure, avoid leaking memory Coverity, NetBSD CID#1900
+
+	* lib/krb5/principal.c (krb5_parse_name): remember to free realm
+	in case of error Coverity, NetBSD CID#1883
+
+	* lib/krb5/principal.c (krb5_425_conv_principal_ext2): remove
+	memory leak in case of weird formated dns replys.
+	Coverity, NetBSD CID#1885
+	
+	* lib/krb5/replay.c (krb5_rc_resolve_full): don't return pointer
+	to a allocated krb5_rcache in case of error.
+
+	* lib/krb5/log.c (krb5_addlog_dest): free fn in case of error
+	Coverity, NetBSD CID#1882
+	
+	* lib/krb5/keytab_krb4.c: Fix deref before NULL check, fix error
+	handling.  Coverity, NetBSD CID#2369
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds):
+	in_creds->client should always be set, assume so.
+
+	* lib/krb5/keytab_any.c (any_next_entry): restructure to make it
+	easier to read Fixes Coverity, NetBSD CID#625
+
+	* lib/krb5/crypto.c (krb5_string_to_key_derived): deref after NULL
+	check.  Coverity NetBSD CID#2367
+
+	* lib/krb5/build_auth.c (krb5_build_authenticator): use
+	calloc. removed check that was never really used. Coverity NetBSD
+	CID#2370
+	
+2006-04-09  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/krb5/rd_req.c (krb5_verify_ap_req2): make sure `ticket´
+	points to NULL in case of error, add error handling, use calloc.
+
+	* kpasswd/kpasswdd.c (doit): when done, close all fd in the
+	sockets array and free it.  Coverity NetBSD CID#1916
+	
+2006-04-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/store.c (krb5_ret_principal): fix memory leak Coverity,
+	NetBSD CID#1695
+
+	* kdc/524.c (_kdc_do_524): Handle memory allocation failure
+	Coverity, NetBSD CID#2752
+	
+2006-04-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/keytab_file.c (krb5_kt_ret_principal): plug a memory
+	leak Coverity NetBSD CID#1890
+
+	* kdc/hprop.c (main): make sure type doesn't need to be set
+
+	* kdc/mit_dump.c (mit_prop_dump): close fd when done processing
+	Coverity NetBSD CID#1955
+
+	* kdc/string2key.c (tokey): catch warnings, free memory after use.
+	Based on Coverity NetBSD CID#1894
+
+	* kdc/hprop.c (main): remove dead code.  Coverity NetBSD CID#633
+	
+2006-04-04  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kpasswd/kpasswd-generator.c (read_words): catch empty file case,
+	will cause PBE (division by zero) later. From Tobias Stoeckmann.
+	
+2006-04-02  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/hdb/keytab.c: Remove a delta from last revision that should
+	have gone in later.
+	
+	* lib/krb5/krbhst.c: fix spelling
+
+	* lib/krb5/send_to_kdc.c (send_and_recv_http): don't expose freed
+	pointer, found by IBM checker.
+
+	* lib/krb5/rd_cred.c (krb5_rd_cred): don't expose freed pointer,
+	found by IBM checker.
+
+	* lib/krb5/addr_families.c (krb5_make_addrport): clear return
+	value on error, found by IBM checker.
+
+	* kdc/kerberos5.c (check_addresses): treat netbios as no addresses
+	
+	* kdc/{kerberos4,kaserver}.c: _kdc_check_flags takes hdb_entry_ex
+
+	* kdc/kerberos5.c (_kdc_check_flags): make it take hdb_entry_ex to
+	avoid ?:'s at callers
+
+	* lib/krb5/v4_glue.c: Avoid using free memory, found by IBM
+	checker.
+
+	* lib/krb5/transited.c (expand_realm): avoid passing NULL to
+	strlen, found by IBM checker.
+
+	* lib/krb5/rd_cred.c (krb5_rd_cred): avoid a memory leak on malloc
+	failure, found by IBM checker.
+
+	* lib/krb5/krbhst.c (_krb5_krbhost_info_move): replace a strcpy
+	with a memcpy
+
+	* lib/krb5/keytab_keyfile.c (get_cell_and_realm): plug a memory
+	leak, found by IBM checker.
+
+	* lib/krb5/keytab_file.c (fkt_next_entry_int): remove a
+	dereferencing NULL pointer, found by IBM checker.
+
+	* lib/krb5/init_creds_pw.c (init_creds_init_as_req): in AS-REQ the
+	cname must always be given, don't avoid that fact and remove a
+	cname == NULL case. Plugs a memory leak found by IBM checker.
+
+	* lib/krb5/init_creds_pw.c (default_s2k_func): avoid exposing
+	free-ed memory on error. Found by IBM checker.
+
+	* lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): use
+	calloc to avoid uninitialized memory problem.
+
+	* lib/krb5/data.c (krb5_copy_data): avoid exposing free-ed memory
+	on error. Found by IBM checker.
+
+	* lib/krb5/fcache.c (fcc_gen_new): fix a use after free, found by
+	IBM checker.
+
+	* lib/krb5/config_file.c (krb5_config_vget_strings): IBM checker
+	thought it found a memory leak, it didn't, but there was another
+	error in the code, lets fix that instead.
+
+	* lib/krb5/cache.c (_krb5_expand_default_cc_name): plug memory
+	leak. Found by IBM checker.
+
+	* lib/krb5/cache.c (_krb5_expand_default_cc_name): avoid return
+	pointer to freed memory in the error case. Found by IBM checker.
+
+	* lib/hdb/keytab.c (hdb_resolve): off by one, found by IBM
+	checker.
+
+	* lib/hdb/keys.c (hdb_generate_key_set): set ret_key_set before
+	going into the error clause and freeing key_set. Found by IBM
+	checker.  Make sure ret == 0 after of parse error, we catch the
+	"no entries parsed" case later.
+
+	* lib/krb5/log.c (krb5_addlog_dest): make string length match
+	strings in strcasecmp.  Found by IBM checker.
+	
+2006-03-30  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/hdb/hdb-ldap.c (LDAP_message2entry): in declaration set
+	variable_name as "hdb_entry_ex"
+	(hdb_ldap_common): change "arg" in condition (if) to "search_base"
+	(hdb_ldapi_create): change "serach_base" to "search_base" From
+	Alex V. Labuta.
+
+	* lib/krb5/pkinit.c (krb5_get_init_creds_opt_set_pkinit); fix
+	prototype
+
+	* kuser/kinit.c: Add pool of certificates to help certificate path
+	building for clients sending incomplete path in the signedData.
+	
+2006-03-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/pkinit.c: Add pool of certificates to help certificate path
+	building for clients sending incomplete path in the signedData.
+
+	* lib/krb5/pkinit.c: Add pool of certificates to help certificate
+	path building for clients sending incomplete path in the
+	signedData.
+	
+2006-03-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/config.c: Allow passing in related certificates used to
+	build the chain.
+
+	* kdc/pkinit.c: Allow passing in related certificates used to
+	build the chain.
+
+	* kdc/kerberos5.c (log_patype): Add case for
+	KRB5_PADATA_PA_PK_OCSP_RESPONSE.
+
+	* tools/Makefile.am: Spelling
+
+	* tools/krb5-config.in: Add hx509 when using PK-INIT.
+
+	* tools/Makefile.am: Add hx509 when using PK-INIT.
+	
+2006-03-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/acache.c: Use ticket flags definition, might fix Mac OS
+	X Kerberos.app problems.
+
+	* lib/krb5/krb5_ccapi.h: Add ticket flags definitions
+
+	* lib/krb5/pkinit.c: Use less openssl, spell chelling.
+
+	* kdc/pkinit.c (pk_mk_pa_reply_dh): encode the DH public key with
+	asn1 wrapping
+
+	* configure.in (AC_CONFIG_FILES): add lib/hx509/Makefile
+
+	* lib/Makefile.am: Add hx509.
+
+	* lib/krb5/Makefile.am: Add libhx509.la when PKINIT is used.
+
+	* configure.in: define automake PKINIT variable
+
+	* kdc/pkinit.c: Switch to hx509.
+
+	* lib/krb5/pkinit.c: Switch to hx509.
+	
+2006-03-24  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/kerberos5.c (log_patypes): log the patypes requested by the
+	client
+	
+2006-03-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c (_krb5_pk_rd_pa_reply): pass down the
+	req_buffer in the w2k case too. From Douglas E. Engert.
+	
+2006-03-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/mk_req_ext.c (_krb5_mk_req_internal): on failure, goto
+	error handling.  Fixes Coverity NetBSD CID 2591 by catching a
+	failing krb5_copy_keyblock()
+	
+2006-03-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/addr_families.c (krb5_free_addresses): reset val,len in
+	address when free-ing.  Fixes Coverity NetBSD bug #2605
+	(krb5_parse_address): reset val,len before possibly return errors
+	Fixes Coverity NetBSD bug #2605
+	
+2006-03-07  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* lib/krb5/send_to_kdc.c (recv_loop): it should never happen, but
+	make sure nbytes > 0
+
+	* lib/krb5/get_for_creds.c (add_addrs): handle the case where
+	addr->len == 0 and n == 0, then realloc might return NULL.
+
+	* lib/krb5/crypto.c (decrypt_*): handle the case where the
+	plaintext is 0 bytes long, realloc might then return NULL.
+	
+2006-02-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_string_to_key.3: Drop krb5_string_to_key_derived.
+
+	* lib/krb5/krb5.3: Remove krb5_string_to_key_derived.
+
+	* lib/krb5/crypto.c (AES_string_to_key): drop _krb5_PKCS5_PBKDF2
+	and use PKCS5_PBKDF2_HMAC_SHA1 instead.
+
+	* lib/krb5/aes-test.c: reformat, avoid free-ing un-init'd memory
+
+	* lib/krb5/aes-test.c: Only use PKCS5_PBKDF2_HMAC_SHA1.
+	
+2006-02-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* doc/setup.texi: remove cartouches - we don't use them anywhere
+	else, they should be around the example, not inside it, and
+	probably shouldn't be used in html at all
+
+2006-02-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_warn.3: Document that applications want to use
+	krb5_get_error_message, add example.
+
+2006-02-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/crypto.c (krb5_generate_random_block): check return
+	value from RAND_bytes
+
+	* lib/krb5/error_string.c: Change indentation, update (c)
+
+2006-02-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c: Make struct krb5_dh_moduli available when
+	compiling w/o pkinit.
+	
+2006-02-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/pkinit.c: update to new paChecksum definition, update
+	the dhgroup handling
+
+	* kdc/pkinit.c: update to new paChecksum definition, use
+	hdb_entry_ex
+	
+2006-02-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/krb5_locl.h: Move Configurable options to last in the
+	file.
+	
+	* lib/krb5/krb5_locl.h: Wrap KRB5_ADDRESSLESS_DEFAULT with #ifndef
+	
+2006-02-03  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kpasswd/kpasswdd.c: Send back a better error-message to the
+	client in case the password change was rejected.
+
+	* lib/krb5/krb5_warn.3: Document krb5_get_error_message.
+
+	* lib/krb5/error_string.c (krb5_get_error_message): new function,
+	and combination of krb5_get_error_string and krb5_get_err_text
+
+	* lib/krb5/krb5.3: sort, and krb5_get_error_message
+
+	* lib/hdb/hdb-ldap.c: Log the filter string to the error message
+	when doing searches.
+
+	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_default_flags):
+	Use KRB5_ADDRESSLESS_DEFAULT when
+	checking [appdefault]no-addresses.
+
+	* lib/krb5/get_cred.c (get_cred_from_kdc_flags): Use
+	KRB5_ADDRESSLESS_DEFAULT when checking
+	[appdefault]no-addresses.
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds):
+	Use [appdefault]no-addresses before checking if the krbtgt is
+	address-less, use KRB5_ADDRESSLESS_DEFAULT.
+
+	* lib/krb5/krb5_locl.h: Introduce KRB5_ADDRESSLESS_DEFAULT that
+	controlls all address-less behavior.  Defaults to false.
+	
+2006-02-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lib/krb5/n-fold-test.c: main is not a KRB5_LIB_FUNCTION
+
+	* lib/krb5/mk_priv.c (krb5_mk_priv): abort if ASN1_MALLOC_ENCODE
+	failes to produce the matching lenghts.
+	
+2006-01-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kcm/protocol.c (kcm_op_retrieve): remove unused variable
+	
+2006-01-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* tools/krb5-config.in: Move depenency on @LIB_dbopen@ to
+	kadm-server, kerberos library doesn't depend on db-library.
+	
+2006-01-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* include/Makefile.am: Don't clean crypto headers, they now live
+	in hcrypto/.  Add hcrypto to SUBDIRS.
+
+	* include/hcrypto/Makefile.am: clean installed headers
+
+	* include/make_crypto.c: include crypto headers from hcrypto/
+
+	* include/make_crypto.c: Include more crypto headerfiles. Remove
+	support for old hash names.
+	
+2006-01-02  Love Hörnquist Åstrand <lha@it.su.se>
+	
+	* kdc/misc.c (_kdc_db_fetch): use calloc to allocate the entry,
+	from Andrew Bartlet.
+	
+	* Happy New Year.
diff --git a/crypto/heimdal/LICENSE b/crypto/heimdal/LICENSE
new file mode 100644
index 0000000..d61e65f
--- /dev/null
+++ b/crypto/heimdal/LICENSE
@@ -0,0 +1,30 @@
+Copyright (c) 1995 - 2007 Kungliga Tekniska Högskolan
+(Royal Institute of Technology, Stockholm, Sweden). 
+All rights reserved. 
+
+Redistribution and use in source and binary forms, with or without 
+modification, are permitted provided that the following conditions 
+are met: 
+
+1. Redistributions of source code must retain the above copyright 
+   notice, this list of conditions and the following disclaimer. 
+
+2. Redistributions in binary form must reproduce the above copyright 
+   notice, this list of conditions and the following disclaimer in the 
+   documentation and/or other materials provided with the distribution. 
+
+3. Neither the name of the Institute nor the names of its contributors 
+   may be used to endorse or promote products derived from this software 
+   without specific prior written permission. 
+
+THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+SUCH DAMAGE. 
diff --git a/crypto/heimdal/Makefile.am b/crypto/heimdal/Makefile.am
index f3d5441..693c23f 100644
--- a/crypto/heimdal/Makefile.am
+++ b/crypto/heimdal/Makefile.am
@@ -1,10 +1,50 @@
-# $Id: Makefile.am,v 1.16 2000/11/15 22:54:15 assar Exp $
+# $Id: Makefile.am 22497 2008-01-21 12:12:23Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-SUBDIRS	= include lib kuser kdc admin kadmin kpasswd appl doc tools
+if KCM
+kcm_dir = kcm
+endif
+
+SUBDIRS=  include lib kuser kdc admin kadmin kpasswd 
+SUBDIRS+= $(kcm_dir) appl doc tools tests packages etc
 
 ## ACLOCAL = @ACLOCAL@ -I cf
 ACLOCAL_AMFLAGS = -I cf
 
-EXTRA_DIST = Makefile.am.common krb5.conf
+EXTRA_DIST = \
+	TODO \
+	LICENSE \
+	README \
+	ChangeLog \
+	ChangeLog.1998 \
+	ChangeLog.1999 \
+	ChangeLog.2000 \
+	ChangeLog.2001 \
+	ChangeLog.2002 \
+	ChangeLog.2003 \
+	ChangeLog.2004 \
+	ChangeLog.2005 \
+	ChangeLog.2006 \
+	Makefile.am.common \
+	autogen.sh \
+	krb5.conf \
+	cf/make-proto.pl \
+	cf/install-catman.sh \
+	cf/ChangeLog \
+	cf/c-function.m4 \
+	cf/ChangeLog \
+	cf/have-pragma-weak.m4 \
+	cf/have-types.m4 \
+	cf/krb-func-getcwd-broken.m4 \
+	cf/krb-prog-ranlib.m4 \
+	cf/krb-prog-yacc.m4 \
+	cf/krb-sys-aix.m4 \
+	cf/krb-sys-nextstep.m4 \
+	cf/krb-version.m4 \
+	cf/roken.m4 \
+	cf/valgrind-suppressions \
+	cf/vararray.m4
+
+print-distdir:
+	@echo $(distdir)
diff --git a/crypto/heimdal/Makefile.am.common b/crypto/heimdal/Makefile.am.common
index 3f71443..b3bbf45 100644
--- a/crypto/heimdal/Makefile.am.common
+++ b/crypto/heimdal/Makefile.am.common
@@ -1,4 +1,4 @@
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
 include $(top_srcdir)/cf/Makefile.am.common
 
diff --git a/crypto/heimdal/Makefile.in b/crypto/heimdal/Makefile.in
index 3d00592..68a2ddf 100644
--- a/crypto/heimdal/Makefile.in
+++ b/crypto/heimdal/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,20 +14,16 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.16 2000/11/15 22:54:15 assar Exp $
+# $Id: Makefile.am 22497 2008-01-21 12:12:23Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = .
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -39,25 +35,24 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \
 	$(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure \
 	ChangeLog NEWS TODO compile config.guess config.sub install-sh \
-	ltconfig ltmain.sh missing mkinstalldirs
+	ltmain.sh missing ylwrap
 subdir = .
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -70,6 +65,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -78,18 +74,22 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
- configure.lineno configure.status.lineno
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+ configure.lineno config.status.lineno
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
 depcomp =
@@ -98,13 +98,17 @@ SOURCES =
 DIST_SOURCES =
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	html-recursive info-recursive install-data-recursive \
-	install-exec-recursive install-info-recursive \
-	install-recursive installcheck-recursive installdirs-recursive \
-	pdf-recursive ps-recursive uninstall-info-recursive \
-	uninstall-recursive
+	install-dvi-recursive install-exec-recursive \
+	install-html-recursive install-info-recursive \
+	install-pdf-recursive install-ps-recursive install-recursive \
+	installcheck-recursive installdirs-recursive pdf-recursive \
+	ps-recursive uninstall-recursive
+RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
+  distclean-recursive maintainer-clean-recursive
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = $(SUBDIRS)
+DIST_SUBDIRS = include lib kuser kdc admin kadmin kpasswd kcm appl doc \
+	tools tests packages etc
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 distdir = $(PACKAGE)-$(VERSION)
 top_distdir = $(distdir)
@@ -117,13 +121,7 @@ GZIP_ENV = --best
 distuninstallcheck_listfiles = find . -type f -print
 distcleancheck_listfiles = find . -type f -print
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -133,8 +131,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -145,11 +141,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -157,42 +152,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -210,12 +190,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -225,15 +202,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -242,6 +218,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -253,15 +230,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -269,74 +241,79 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -353,14 +330,50 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
-SUBDIRS = include lib kuser kdc admin kadmin kpasswd appl doc tools
+@KCM_TRUE@kcm_dir = kcm
+SUBDIRS = include lib kuser kdc admin kadmin kpasswd $(kcm_dir) appl \
+	doc tools tests packages etc
 ACLOCAL_AMFLAGS = -I cf
-EXTRA_DIST = Makefile.am.common krb5.conf
+EXTRA_DIST = \
+	TODO \
+	LICENSE \
+	README \
+	ChangeLog \
+	ChangeLog.1998 \
+	ChangeLog.1999 \
+	ChangeLog.2000 \
+	ChangeLog.2001 \
+	ChangeLog.2002 \
+	ChangeLog.2003 \
+	ChangeLog.2004 \
+	ChangeLog.2005 \
+	ChangeLog.2006 \
+	Makefile.am.common \
+	autogen.sh \
+	krb5.conf \
+	cf/make-proto.pl \
+	cf/install-catman.sh \
+	cf/ChangeLog \
+	cf/c-function.m4 \
+	cf/ChangeLog \
+	cf/have-pragma-weak.m4 \
+	cf/have-types.m4 \
+	cf/krb-func-getcwd-broken.m4 \
+	cf/krb-prog-ranlib.m4 \
+	cf/krb-prog-yacc.m4 \
+	cf/krb-sys-aix.m4 \
+	cf/krb-sys-nextstep.m4 \
+	cf/krb-version.m4 \
+	cf/roken.m4 \
+	cf/valgrind-suppressions \
+	cf/vararray.m4
+
 all: all-recursive
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
 am--refresh:
 	@:
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
@@ -403,7 +416,6 @@ clean-libtool:
 
 distclean-libtool:
 	-rm -f libtool
-uninstall-info-am:
 
 # This directory's subdirectories are mostly independent; you can cd
 # into them and run `make' without going through this Makefile.
@@ -412,7 +424,13 @@ uninstall-info-am:
 #     (which will cause the Makefiles to be regenerated when you run `make');
 # (2) otherwise, pass the desired values on the `make' command line.
 $(RECURSIVE_TARGETS):
-	@set fnord $$MAKEFLAGS; amf=$$2; \
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
 	dot_seen=no; \
 	target=`echo $@ | sed s/-recursive//`; \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
@@ -424,15 +442,20 @@ $(RECURSIVE_TARGETS):
 	    local_target="$$target"; \
 	  fi; \
 	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
-	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	  || eval $$failcom; \
 	done; \
 	if test "$$dot_seen" = "no"; then \
 	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
 	fi; test -z "$$fail"
 
-mostlyclean-recursive clean-recursive distclean-recursive \
-maintainer-clean-recursive:
-	@set fnord $$MAKEFLAGS; amf=$$2; \
+$(RECURSIVE_CLEAN_TARGETS):
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
 	dot_seen=no; \
 	case "$@" in \
 	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
@@ -453,7 +476,7 @@ maintainer-clean-recursive:
 	    local_target="$$target"; \
 	  fi; \
 	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
-	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	  || eval $$failcom; \
 	done && test -z "$$fail"
 tags-recursive:
 	list='$(SUBDIRS)'; for subdir in $$list; do \
@@ -478,14 +501,16 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	if (etags --etags-include --version) >/dev/null 2>&1; then \
+	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
 	  include_option=--etags-include; \
+	  empty_fix=.; \
 	else \
 	  include_option=--include; \
+	  empty_fix=; \
 	fi; \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
-	    test -f $$subdir/TAGS && \
+	    test ! -f $$subdir/TAGS || \
 	      tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \
 	  fi; \
 	done; \
@@ -495,9 +520,11 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS: ctags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -523,24 +550,22 @@ distclean-tags:
 
 distdir: $(DISTFILES)
 	$(am__remove_distdir)
-	mkdir $(distdir)
-	$(mkdir_p) $(distdir)/cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	test -d $(distdir) || mkdir $(distdir)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -551,15 +576,19 @@ distdir: $(DISTFILES)
 	    || exit 1; \
 	  fi; \
 	done
-	list='$(SUBDIRS)'; for subdir in $$list; do \
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
 	    test -d "$(distdir)/$$subdir" \
-	    || mkdir "$(distdir)/$$subdir" \
+	    || $(MKDIR_P) "$(distdir)/$$subdir" \
 	    || exit 1; \
+	    distdir=`$(am__cd) $(distdir) && pwd`; \
+	    top_distdir=`$(am__cd) $(top_distdir) && pwd`; \
 	    (cd $$subdir && \
 	      $(MAKE) $(AM_MAKEFLAGS) \
-	        top_distdir="../$(top_distdir)" \
-	        distdir="../$(distdir)/$$subdir" \
+	        top_distdir="$$top_distdir" \
+	        distdir="$$distdir/$$subdir" \
+		am__remove_distdir=: \
+		am__skip_length_check=: \
 	        distdir) \
 	      || exit 1; \
 	  fi; \
@@ -570,18 +599,18 @@ distdir: $(DISTFILES)
 	-find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
 	  ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
 	  ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
-	  ! -type d ! -perm -444 -exec $(SHELL) $(install_sh) -c -m a+r {} {} \; \
+	  ! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \
 	|| chmod -R a+r $(distdir)
 dist-gzip: distdir
-	$(AMTAR) chof - $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
+	tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
 	$(am__remove_distdir)
 
 dist-bzip2: distdir
-	$(AMTAR) chof - $(distdir) | bzip2 -9 -c >$(distdir).tar.bz2
+	tardir=$(distdir) && $(am__tar) | bzip2 -9 -c >$(distdir).tar.bz2
 	$(am__remove_distdir)
 
 dist-tarZ: distdir
-	$(AMTAR) chof - $(distdir) | compress -c >$(distdir).tar.Z
+	tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z
 	$(am__remove_distdir)
 
 dist-shar: distdir
@@ -594,7 +623,7 @@ dist-zip: distdir
 	$(am__remove_distdir)
 
 dist dist-all: distdir
-	$(AMTAR) chof - $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
+	tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
 	$(am__remove_distdir)
 
 # This target untars the dist file and tries a VPATH configuration.  Then
@@ -603,13 +632,13 @@ dist dist-all: distdir
 distcheck: dist
 	case '$(DIST_ARCHIVES)' in \
 	*.tar.gz*) \
-	  GZIP=$(GZIP_ENV) gunzip -c $(distdir).tar.gz | $(AMTAR) xf - ;;\
+	  GZIP=$(GZIP_ENV) gunzip -c $(distdir).tar.gz | $(am__untar) ;;\
 	*.tar.bz2*) \
-	  bunzip2 -c $(distdir).tar.bz2 | $(AMTAR) xf - ;;\
+	  bunzip2 -c $(distdir).tar.bz2 | $(am__untar) ;;\
 	*.tar.Z*) \
-	  uncompress -c $(distdir).tar.Z | $(AMTAR) xf - ;;\
+	  uncompress -c $(distdir).tar.Z | $(am__untar) ;;\
 	*.shar.gz*) \
-	  GZIP=$(GZIP_ENV) gunzip -c $(distdir).tar.gz | unshar ;;\
+	  GZIP=$(GZIP_ENV) gunzip -c $(distdir).shar.gz | unshar ;;\
 	*.zip*) \
 	  unzip $(distdir).zip ;;\
 	esac
@@ -645,7 +674,7 @@ distcheck: dist
 	$(am__remove_distdir)
 	@(echo "$(distdir) archives ready for distribution: "; \
 	  list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \
-	  sed -e '1{h;s/./=/g;p;x;}' -e '$${p;x;}'
+	  sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x'
 distuninstallcheck:
 	@cd $(distuninstallcheck_dir) \
 	&& test `$(distuninstallcheck_listfiles) | wc -l` -le 1 \
@@ -689,7 +718,7 @@ mostlyclean-generic:
 clean-generic:
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -718,14 +747,22 @@ install-data-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-recursive
+
 install-exec-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-recursive
+
 install-info: install-info-recursive
 
 install-man:
 
+install-pdf: install-pdf-recursive
+
+install-ps: install-ps-recursive
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-recursive
@@ -746,24 +783,29 @@ ps: ps-recursive
 
 ps-am:
 
-uninstall-am: uninstall-info-am
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
 
-uninstall-info: uninstall-info-recursive
+.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \
+	install-data-am install-exec-am install-strip uninstall-am
 
-.PHONY: $(RECURSIVE_TARGETS) CTAGS GTAGS all all-am all-local \
-	am--refresh check check-am check-local clean clean-generic \
-	clean-libtool clean-recursive ctags ctags-recursive dist \
-	dist-all dist-bzip2 dist-gzip dist-shar dist-tarZ dist-zip \
-	distcheck distclean distclean-generic distclean-libtool \
-	distclean-recursive distclean-tags distcleancheck distdir \
+.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
+	all all-am all-local am--refresh check check-am check-local \
+	clean clean-generic clean-libtool ctags ctags-recursive dist \
+	dist-all dist-bzip2 dist-gzip dist-hook dist-shar dist-tarZ \
+	dist-zip distcheck distclean distclean-generic \
+	distclean-libtool distclean-tags distcleancheck distdir \
 	distuninstallcheck dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-exec \
-	install-exec-am install-info install-info-am install-man \
-	install-strip installcheck installcheck-am installdirs \
-	installdirs-am maintainer-clean maintainer-clean-generic \
-	maintainer-clean-recursive mostlyclean mostlyclean-generic \
-	mostlyclean-libtool mostlyclean-recursive pdf pdf-am ps ps-am \
-	tags tags-recursive uninstall uninstall-am uninstall-info-am
+	install install-am install-data install-data-am \
+	install-data-hook install-dvi install-dvi-am install-exec \
+	install-exec-am install-exec-hook install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs installdirs-am \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags tags-recursive uninstall uninstall-am uninstall-hook
 
 
 install-suid-programs:
@@ -778,8 +820,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -789,19 +831,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -817,7 +871,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -887,14 +941,42 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
+print-distdir:
+	@echo $(distdir)
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/NEWS b/crypto/heimdal/NEWS
index 262038b..f050427 100644
--- a/crypto/heimdal/NEWS
+++ b/crypto/heimdal/NEWS
@@ -1,3 +1,180 @@
+Changes in release 1.1
+
+ * Read-only PKCS11 provider built-in to hx509.
+
+ * Documentation for hx509, hcrypto and ntlm libraries improved.
+
+ * Better compatibilty with Windows 2008 Server pre-releases and Vista.
+
+ * Mac OS X 10.5 support for native credential cache.
+
+ * Provide pkg-config file for Heimdal (heimdal-gssapi.pc).
+
+ * Bug fixes.
+
+Changes in release 1.0.2
+
+* Ubuntu packages.
+
+* Bug fixes.
+
+Changes in release 1.0.1
+
+ * Serveral bug fixes to iprop.
+
+ * Make work on platforms without dlopen.
+
+ * Add RFC3526 modp group14 as default.
+
+ * Handle [kdc] database = { } entries without realm = stanzas.
+
+ * Make krb5_get_renewed_creds work.
+
+ * Make kaserver preauth work again.
+
+ * Bug fixes.
+
+Changes in release 1.0
+
+ * Add gss_pseudo_random() for mechglue and krb5.
+
+ * Make session key for the krbtgt be selected by the best encryption
+   type of the client.
+
+ * Better interoperability with other PK-INIT implementations.
+
+ * Inital support for Mac OS X Keychain for hx509.
+
+ * Alias support for inital ticket requests.
+
+ * Add symbol versioning to selected libraries on platforms that uses
+   GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc.
+
+ * New version of imath included in hcrypto.
+
+ * Fix memory leaks.
+
+ * Bugs fixes.
+
+Changes in release 0.8.1
+
+ * Make ASN.1 library less paranoid to with regard to NUL in string to
+   make it inter-operate with MIT Kerberos again.
+
+ * Make GSS-API library work again when using gss_acquire_cred
+
+ * Add symbol versioning to libgssapi when using GNU ld.
+
+ * Fix memory leaks 
+
+ * Bugs fixes
+
+Changes in release 0.8
+
+ * PK-INIT support.
+
+ * HDB extensions support, used by PK-INIT.
+
+ * New ASN.1 compiler.
+
+ * GSS-API mechglue from FreeBSD.
+
+ * Updated SPNEGO to support RFC4178.
+
+ * Support for Cryptosystem Negotiation Extension (RFC 4537).
+
+ * A new X.509 library (hx509) and related crypto functions.
+
+ * A new ntlm library (heimntlm) and related crypto functions.
+
+ * Updated the built-in crypto library with bignum support using
+   imath, support for RSA and DH and renamed it to libhcrypto.
+
+ * Subsystem in the KDC, digest, that will perform the digest
+   operation in the KDC, currently supports: CHAP, MS-CHAP-V2, SASL
+   DIGEST-MD5 NTLMv1 and NTLMv2.
+
+ * KDC will return the "response too big" error to force TCP retries
+   for large (default 1400 bytes) UDP replies.  This is common for
+   PK-INIT requests.
+
+ * Libkafs defaults to use 2b tokens.
+
+ * Default to use the API cache on Mac OS X.
+
+ * krb5_kuserok() also checks ~/.k5login.d directory for acl files,
+   see manpage for krb5_kuserok for description.
+
+ * Many, many, other updates to code and info manual and manual pages.
+
+ * Bug fixes
+
+Changes in release 0.7.2
+
+* Fix security problem in rshd that enable an attacker to overwrite
+  and change ownership of any file that root could write.
+
+* Fix a DOS in telnetd. The attacker could force the server to crash
+  in a NULL de-reference before the user logged in, resulting in inetd
+  turning telnetd off because it forked too fast.
+
+* Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name
+  exists in the keytab before returning success. This allows servers
+  to check if its even possible to use GSSAPI.
+
+* Fix receiving end of token delegation for GSS-API. It still wrongly
+  uses subkey for sending for compatibility reasons, this will change
+  in 0.8.
+
+* telnetd, login and rshd are now more verbose in logging failed and
+  successful logins.
+
+* Bug fixes
+
+Changes in release 0.7.1
+
+* Bug fixes
+
+Changes in release 0.7
+
+ * Support for KCM, a process based credential cache
+
+ * Support CCAPI credential cache
+
+ * SPNEGO support
+
+ * AES (and the gssapi conterpart, CFX) support
+
+ * Adding new and improve old documentation
+
+ * Bug fixes
+
+Changes in release 0.6.6
+
+* Fix security problem in rshd that enable an attacker to overwrite
+  and change ownership of any file that root could write.
+
+* Fix a DOS in telnetd. The attacker could force the server to crash
+  in a NULL de-reference before the user logged in, resulting in inetd
+  turning telnetd off because it forked too fast.
+
+Changes in release 0.6.5
+
+ * fix vulnerabilities in telnetd
+
+ * unbreak Kerberos 4 and kaserver
+
+Changes in release 0.6.4
+
+ * fix vulnerabilities in telnet
+
+ * rshd: encryption without a separate error socket should now work
+
+ * telnet now uses appdefaults for the encrypt and forward/forwardable
+   settings
+
+ * bug fixes
+
 Changes in release 0.6.3
 
  * fix vulnerabilities in ftpd
diff --git a/crypto/heimdal/README b/crypto/heimdal/README
index f27b67f..88ab7fd 100644
--- a/crypto/heimdal/README
+++ b/crypto/heimdal/README
@@ -1,4 +1,4 @@
-$Id: README,v 1.1 2000/07/27 02:33:54 assar Exp $
+$Id: README 8839 2000-07-27 02:33:54Z assar $
 
 Heimdal is a Kerberos 5 implementation.
 
diff --git a/crypto/heimdal/aclocal.m4 b/crypto/heimdal/aclocal.m4
index 1e2ce60..e9dcb29 100644
--- a/crypto/heimdal/aclocal.m4
+++ b/crypto/heimdal/aclocal.m4
@@ -1,7 +1,7 @@
-# generated automatically by aclocal 1.8.3 -*- Autoconf -*-
+# generated automatically by aclocal 1.10 -*- Autoconf -*-
 
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004
-# Free Software Foundation, Inc.
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
+# 2005, 2006  Free Software Foundation, Inc.
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -11,9 +11,14 @@
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
 
+m4_if(m4_PACKAGE_VERSION, [2.61],,
+[m4_fatal([this file was generated for autoconf 2.61.
+You have another version of autoconf.  If you want to use that,
+you should regenerate the build system entirely.], [63])])
+
 # libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
 
-# serial 47 AC_PROG_LIBTOOL
+# serial 48 AC_PROG_LIBTOOL
 
 
 # AC_PROVIDE_IFELSE(MACRO-NAME, IF-PROVIDED, IF-NOT-PROVIDED)
@@ -123,7 +128,7 @@ esac
 
 # Sed substitution that helps us do robust quoting.  It backslashifies
 # metacharacters that are still active within double-quoted strings.
-Xsed='sed -e s/^X//'
+Xsed='sed -e 1s/^X//'
 [sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g']
 
 # Same as above, but do not quote variable references.
@@ -143,7 +148,7 @@ rm="rm -f"
 default_ofile=libtool
 can_build_shared=yes
 
-# All known linkers require a `.a' archive for static linking (except M$VC,
+# All known linkers require a `.a' archive for static linking (except MSVC,
 # which needs '.lib').
 libext=a
 ltmain="$ac_aux_dir/ltmain.sh"
@@ -163,6 +168,7 @@ test -z "$AR_FLAGS" && AR_FLAGS=cru
 test -z "$AS" && AS=as
 test -z "$CC" && CC=cc
 test -z "$LTCC" && LTCC=$CC
+test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS
 test -z "$DLLTOOL" && DLLTOOL=dlltool
 test -z "$LD" && LD=ld
 test -z "$LN_S" && LN_S="ln -s"
@@ -182,15 +188,17 @@ old_postuninstall_cmds=
 if test -n "$RANLIB"; then
   case $host_os in
   openbsd*)
-    old_postinstall_cmds="\$RANLIB -t \$oldlib~$old_postinstall_cmds"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
     ;;
   *)
-    old_postinstall_cmds="\$RANLIB \$oldlib~$old_postinstall_cmds"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
     ;;
   esac
   old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
 fi
 
+_LT_CC_BASENAME([$compiler])
+
 # Only perform the check for file, if the check method requires it
 case $deplibs_check_method in
 file_magic*)
@@ -231,11 +239,56 @@ AC_DEFUN([_LT_AC_SYS_COMPILER],
 # If no C compiler was specified, use CC.
 LTCC=${LTCC-"$CC"}
 
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
 # Allow CC to be a program name with arguments.
 compiler=$CC
 ])# _LT_AC_SYS_COMPILER
 
 
+# _LT_CC_BASENAME(CC)
+# -------------------
+# Calculate cc_basename.  Skip known compiler wrappers and cross-prefix.
+AC_DEFUN([_LT_CC_BASENAME],
+[for cc_temp in $1""; do
+  case $cc_temp in
+    compile | *[[\\/]]compile | ccache | *[[\\/]]ccache ) ;;
+    distcc | *[[\\/]]distcc | purify | *[[\\/]]purify ) ;;
+    \-*) ;;
+    *) break;;
+  esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+])
+
+
+# _LT_COMPILER_BOILERPLATE
+# ------------------------
+# Check for compiler boilerplate output or warnings with
+# the simple compiler test code.
+AC_DEFUN([_LT_COMPILER_BOILERPLATE],
+[ac_outfile=conftest.$ac_objext
+printf "$lt_simple_compile_test_code" >conftest.$ac_ext
+eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_compiler_boilerplate=`cat conftest.err`
+$rm conftest*
+])# _LT_COMPILER_BOILERPLATE
+
+
+# _LT_LINKER_BOILERPLATE
+# ----------------------
+# Check for linker boilerplate output or warnings with
+# the simple link test code.
+AC_DEFUN([_LT_LINKER_BOILERPLATE],
+[ac_outfile=conftest.$ac_objext
+printf "$lt_simple_link_test_code" >conftest.$ac_ext
+eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_linker_boilerplate=`cat conftest.err`
+$rm conftest*
+])# _LT_LINKER_BOILERPLATE
+
+
 # _LT_AC_SYS_LIBPATH_AIX
 # ----------------------
 # Links a minimal program and checks the executable
@@ -308,15 +361,15 @@ fi
 
 # The HP-UX ksh and POSIX shell print the target directory to stdout
 # if CDPATH is set.
-if test "X${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
 
 if test -z "$ECHO"; then
 if test "X${echo_test_string+set}" != Xset; then
 # find a string as large as possible, as long as the shell can cope with it
   for cmd in 'sed 50q "[$]0"' 'sed 20q "[$]0"' 'sed 10q "[$]0"' 'sed 2q "[$]0"' 'echo test'; do
     # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
-    if (echo_test_string="`eval $cmd`") 2>/dev/null &&
-       echo_test_string="`eval $cmd`" &&
+    if (echo_test_string=`eval $cmd`) 2>/dev/null &&
+       echo_test_string=`eval $cmd` &&
        (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null
     then
       break
@@ -485,7 +538,7 @@ x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*)
   # Find out which ABI we are using.
   echo 'int i;' > conftest.$ac_ext
   if AC_TRY_EVAL(ac_compile); then
-    case "`/usr/bin/file conftest.o`" in
+    case `/usr/bin/file conftest.o` in
     *32-bit*)
       case $host in
         x86_64-*linux*)
@@ -536,6 +589,22 @@ x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*)
     CFLAGS="$SAVE_CFLAGS"
   fi
   ;;
+sparc*-*solaris*)
+  # Find out which ABI we are using.
+  echo 'int i;' > conftest.$ac_ext
+  if AC_TRY_EVAL(ac_compile); then
+    case `/usr/bin/file conftest.o` in
+    *64-bit*)
+      case $lt_cv_prog_gnu_ld in
+      yes*) LD="${LD-ld} -m elf64_sparc" ;;
+      *)    LD="${LD-ld} -64" ;;
+      esac
+      ;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+
 AC_PROVIDE_IFELSE([AC_LIBTOOL_WIN32_DLL],
 [*-*-cygwin* | *-*-mingw* | *-*-pw32*)
   AC_CHECK_TOOL(DLLTOOL, dlltool, false)
@@ -567,7 +636,7 @@ AC_CACHE_CHECK([$1], [$2],
    # with a dollar sign (not a hyphen), so the echo should work correctly.
    # The option is referenced via a variable to avoid confusing sed.
    lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
    (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
@@ -577,8 +646,10 @@ AC_CACHE_CHECK([$1], [$2],
    echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     if test ! -s conftest.err; then
+     # So say no if there are warnings other than the usual output.
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
        $2=yes
      fi
    fi
@@ -604,11 +675,16 @@ AC_DEFUN([AC_LIBTOOL_LINKER_OPTION],
    LDFLAGS="$LDFLAGS $3"
    printf "$lt_simple_link_test_code" > conftest.$ac_ext
    if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
-     # The compiler can only warn and ignore the option if not recognized
+     # The linker can only warn and ignore the option if not recognized
      # So say no if there are warnings
      if test -s conftest.err; then
        # Append any errors to the config.log.
        cat conftest.err 1>&AS_MESSAGE_LOG_FD
+       $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+       if diff conftest.exp conftest.er2 >/dev/null; then
+         $2=yes
+       fi
      else
        $2=yes
      fi
@@ -632,7 +708,7 @@ AC_DEFUN([AC_LIBTOOL_SYS_MAX_CMD_LEN],
 AC_MSG_CHECKING([the maximum length of command line arguments])
 AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
   i=0
-  testring="ABCD"
+  teststring="ABCD"
 
   case $build_os in
   msdosdjgpp*)
@@ -667,20 +743,64 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
     lt_cv_sys_max_cmd_len=8192;
     ;;
 
- *)
+  netbsd* | freebsd* | openbsd* | darwin* | dragonfly*)
+    # This has been around since 386BSD, at least.  Likely further.
+    if test -x /sbin/sysctl; then
+      lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax`
+    elif test -x /usr/sbin/sysctl; then
+      lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax`
+    else
+      lt_cv_sys_max_cmd_len=65536	# usable default for all BSDs
+    fi
+    # And add a safety zone
+    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
+    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
+    ;;
+
+  interix*)
+    # We know the value 262144 and hardcode it with a safety zone (like BSD)
+    lt_cv_sys_max_cmd_len=196608
+    ;;
+
+  osf*)
+    # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
+    # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
+    # nice to cause kernel panics so lets avoid the loop below.
+    # First set a reasonable default.
+    lt_cv_sys_max_cmd_len=16384
+    #
+    if test -x /sbin/sysconfig; then
+      case `/sbin/sysconfig -q proc exec_disable_arg_limit` in
+        *1*) lt_cv_sys_max_cmd_len=-1 ;;
+      esac
+    fi
+    ;;
+  sco3.2v5*)
+    lt_cv_sys_max_cmd_len=102400
+    ;;
+  sysv5* | sco5v6* | sysv4.2uw2*)
+    kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null`
+    if test -n "$kargmax"; then
+      lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[[ 	]]//'`
+    else
+      lt_cv_sys_max_cmd_len=32768
+    fi
+    ;;
+  *)
     # If test is not a shell built-in, we'll probably end up computing a
     # maximum length that is only half of the actual maximum length, but
     # we can't tell.
-    while (test "X"`$CONFIG_SHELL [$]0 --fallback-echo "X$testring" 2>/dev/null` \
-	       = "XX$testring") >/dev/null 2>&1 &&
-	    new_result=`expr "X$testring" : ".*" 2>&1` &&
+    SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}}
+    while (test "X"`$SHELL [$]0 --fallback-echo "X$teststring" 2>/dev/null` \
+	       = "XX$teststring") >/dev/null 2>&1 &&
+	    new_result=`expr "X$teststring" : ".*" 2>&1` &&
 	    lt_cv_sys_max_cmd_len=$new_result &&
 	    test $i != 17 # 1/2 MB should be enough
     do
       i=`expr $i + 1`
-      testring=$testring$testring
+      teststring=$teststring$teststring
     done
-    testring=
+    teststring=
     # Add a significant safety factor because C++ compilers can tack on massive
     # amounts of additional arguments before passing them to the linker.
     # It appears as though 1/2 is a usable value.
@@ -697,7 +817,7 @@ fi
 
 
 # _LT_AC_CHECK_DLFCN
-# --------------------
+# ------------------
 AC_DEFUN([_LT_AC_CHECK_DLFCN],
 [AC_CHECK_HEADERS(dlfcn.h)dnl
 ])# _LT_AC_CHECK_DLFCN
@@ -705,7 +825,7 @@ AC_DEFUN([_LT_AC_CHECK_DLFCN],
 
 # _LT_AC_TRY_DLOPEN_SELF (ACTION-IF-TRUE, ACTION-IF-TRUE-W-USCORE,
 #                           ACTION-IF-FALSE, ACTION-IF-CROSS-COMPILING)
-# ------------------------------------------------------------------
+# ---------------------------------------------------------------------
 AC_DEFUN([_LT_AC_TRY_DLOPEN_SELF],
 [AC_REQUIRE([_LT_AC_CHECK_DLFCN])dnl
 if test "$cross_compiling" = yes; then :
@@ -771,17 +891,19 @@ int main ()
       else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
       /* dlclose (self); */
     }
+  else
+    puts (dlerror ());
 
     exit (status);
 }]
 EOF
   if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext} 2>/dev/null; then
-    (./conftest; exit; ) 2>/dev/null
+    (./conftest; exit; ) >&AS_MESSAGE_LOG_FD 2>/dev/null
     lt_status=$?
     case x$lt_status in
       x$lt_dlno_uscore) $1 ;;
       x$lt_dlneed_uscore) $2 ;;
-      x$lt_unknown|x*) $3 ;;
+      x$lt_dlunknown|x*) $3 ;;
     esac
   else :
     # compilation failed
@@ -793,7 +915,7 @@ rm -fr conftest*
 
 
 # AC_LIBTOOL_DLOPEN_SELF
-# -------------------
+# ----------------------
 AC_DEFUN([AC_LIBTOOL_DLOPEN_SELF],
 [AC_REQUIRE([_LT_AC_CHECK_DLFCN])dnl
 if test "x$enable_dlopen" != xyes; then
@@ -864,7 +986,7 @@ else
     test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
 
     save_LDFLAGS="$LDFLAGS"
-    eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
+    wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
 
     save_LIBS="$LIBS"
     LIBS="$lt_cv_dlopen_libs $LIBS"
@@ -877,7 +999,7 @@ else
     ])
 
     if test "x$lt_cv_dlopen_self" = xyes; then
-      LDFLAGS="$LDFLAGS $link_static_flag"
+      wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\"
       AC_CACHE_CHECK([whether a statically linked program can dlopen itself],
     	  lt_cv_dlopen_self_static, [dnl
 	  _LT_AC_TRY_DLOPEN_SELF(
@@ -925,7 +1047,7 @@ AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext],
    # Note that $ac_compile itself does not contain backslashes and begins
    # with a dollar sign (not a hyphen), so the echo should work correctly.
    lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
    (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
@@ -937,11 +1059,13 @@ AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext],
    then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
-     if test ! -s out/conftest.err; then
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
+     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
        _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
      fi
    fi
-   chmod u+w .
+   chmod u+w . 2>&AS_MESSAGE_LOG_FD
    $rm conftest*
    # SGI C++ compiler will create directory out/ii_files/ for
    # template instantiation
@@ -1005,8 +1129,8 @@ AC_DEFUN([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH],
 [AC_MSG_CHECKING([how to hardcode library paths into programs])
 _LT_AC_TAGVAR(hardcode_action, $1)=
 if test -n "$_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)" || \
-   test -n "$_LT_AC_TAGVAR(runpath_var $1)" || \
-   test "X$_LT_AC_TAGVAR(hardcode_automatic, $1)"="Xyes" ; then
+   test -n "$_LT_AC_TAGVAR(runpath_var, $1)" || \
+   test "X$_LT_AC_TAGVAR(hardcode_automatic, $1)" = "Xyes" ; then
 
   # We can hardcode non-existant directories.
   if test "$_LT_AC_TAGVAR(hardcode_direct, $1)" != no &&
@@ -1076,7 +1200,7 @@ AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER],
 library_names_spec=
 libname_spec='lib$name'
 soname_spec=
-shrext=".so"
+shrext_cmds=".so"
 postinstall_cmds=
 postuninstall_cmds=
 finish_cmds=
@@ -1173,7 +1297,7 @@ beos*)
   shlibpath_var=LIBRARY_PATH
   ;;
 
-bsdi4*)
+bsdi[[45]]*)
   version_type=linux
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -1189,7 +1313,7 @@ bsdi4*)
 
 cygwin* | mingw* | pw32*)
   version_type=windows
-  shrext=".dll"
+  shrext_cmds=".dll"
   need_version=no
   need_lib_prefix=no
 
@@ -1201,7 +1325,8 @@ cygwin* | mingw* | pw32*)
       dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
       dldir=$destdir/`dirname \$dlpath`~
       test -d \$dldir || mkdir -p \$dldir~
-      $install_prog $dir/$dlname \$dldir/$dlname'
+      $install_prog $dir/$dlname \$dldir/$dlname~
+      chmod a+x \$dldir/$dlname'
     postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
       dlpath=$dir/\$dldll~
        $rm \$dlpath'
@@ -1231,7 +1356,7 @@ cygwin* | mingw* | pw32*)
       ;;
     pw32*)
       # pw32 DLLs use 'pw' prefix rather than 'lib'
-      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
       ;;
     esac
     ;;
@@ -1250,11 +1375,11 @@ darwin* | rhapsody*)
   version_type=darwin
   need_lib_prefix=no
   need_version=no
-  library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+  library_names_spec='${libname}${release}${major}$shared_ext ${libname}$shared_ext ${libname}${release}${versuffix}$shared_ext'
   soname_spec='${libname}${release}${major}$shared_ext'
   shlibpath_overrides_runpath=yes
   shlibpath_var=DYLD_LIBRARY_PATH
-  shrext='$(test .$module = .yes && echo .so || echo .dylib)'
+  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
   # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
   if test "$GCC" = yes; then
     sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
@@ -1289,8 +1414,17 @@ kfreebsd*-gnu)
   dynamic_linker='GNU ld.so'
   ;;
 
-freebsd*)
-  objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
+freebsd* | dragonfly*)
+  # DragonFly does not have aout.  When/if they implement a new
+  # versioning mechanism, adjust this.
+  if test -x /usr/bin/objformat; then
+    objformat=`/usr/bin/objformat`
+  else
+    case $host_os in
+    freebsd[[123]]*) objformat=aout ;;
+    *) objformat=elf ;;
+    esac
+  fi
   version_type=freebsd-$objformat
   case $version_type in
     freebsd-elf*)
@@ -1308,14 +1442,19 @@ freebsd*)
   freebsd2*)
     shlibpath_overrides_runpath=yes
     ;;
-  freebsd3.[01]* | freebsdelf3.[01]*)
+  freebsd3.[[01]]* | freebsdelf3.[[01]]*)
     shlibpath_overrides_runpath=yes
     hardcode_into_libs=yes
     ;;
-  *) # from 3.2 on
+  freebsd3.[[2-9]]* | freebsdelf3.[[2-9]]* | \
+  freebsd4.[[0-5]] | freebsdelf4.[[0-5]] | freebsd4.1.1 | freebsdelf4.1.1)
     shlibpath_overrides_runpath=no
     hardcode_into_libs=yes
     ;;
+  freebsd*) # from 4.6 on
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
   esac
   ;;
 
@@ -1335,9 +1474,9 @@ hpux9* | hpux10* | hpux11*)
   version_type=sunos
   need_lib_prefix=no
   need_version=no
-  case "$host_cpu" in
+  case $host_cpu in
   ia64*)
-    shrext='.so'
+    shrext_cmds='.so'
     hardcode_into_libs=yes
     dynamic_linker="$host_os dld.so"
     shlibpath_var=LD_LIBRARY_PATH
@@ -1352,7 +1491,7 @@ hpux9* | hpux10* | hpux11*)
     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
     ;;
    hppa*64*)
-     shrext='.sl'
+     shrext_cmds='.sl'
      hardcode_into_libs=yes
      dynamic_linker="$host_os dld.sl"
      shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
@@ -1363,7 +1502,7 @@ hpux9* | hpux10* | hpux11*)
      sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
      ;;
    *)
-    shrext='.sl'
+    shrext_cmds='.sl'
     dynamic_linker="$host_os dld.sl"
     shlibpath_var=SHLIB_PATH
     shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
@@ -1375,6 +1514,18 @@ hpux9* | hpux10* | hpux11*)
   postinstall_cmds='chmod 555 $lib'
   ;;
 
+interix3*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  ;;
+
 irix5* | irix6* | nonstopux*)
   case $host_os in
     nonstopux*) version_type=nonstopux ;;
@@ -1434,8 +1585,8 @@ linux*)
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    ld_extra=`$SED -e 's/[:,\t]/ /g;s/=[^=]*$//;s/=[^= ]* / /g' /etc/ld.so.conf`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $ld_extra"
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
   fi
 
   # We used to test for /lib/ld.so.1 and disable shared libraries on
@@ -1496,8 +1647,13 @@ nto-qnx*)
 
 openbsd*)
   version_type=sunos
+  sys_lib_dlsearch_path_spec="/usr/lib"
   need_lib_prefix=no
-  need_version=yes
+  # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
+  case $host_os in
+    openbsd3.3 | openbsd3.3.*) need_version=yes ;;
+    *)                         need_version=no  ;;
+  esac
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
   finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
   shlibpath_var=LD_LIBRARY_PATH
@@ -1517,7 +1673,7 @@ openbsd*)
 
 os2*)
   libname_spec='$name'
-  shrext=".dll"
+  shrext_cmds=".dll"
   need_lib_prefix=no
   library_names_spec='$libname${shared_ext} $libname.a'
   dynamic_linker='OS/2 ld.exe'
@@ -1535,13 +1691,6 @@ osf3* | osf4* | osf5*)
   sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
   ;;
 
-sco3.2v5*)
-  version_type=osf
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
-
 solaris*)
   version_type=linux
   need_lib_prefix=no
@@ -1567,7 +1716,7 @@ sunos4*)
   need_version=yes
   ;;
 
-sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+sysv4 | sysv4.3*)
   version_type=linux
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
@@ -1600,6 +1749,29 @@ sysv4*MP*)
   fi
   ;;
 
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+  version_type=freebsd-elf
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  hardcode_into_libs=yes
+  if test "$with_gnu_ld" = yes; then
+    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
+    shlibpath_overrides_runpath=no
+  else
+    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
+    shlibpath_overrides_runpath=yes
+    case $host_os in
+      sco3.2v5*)
+        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
+	;;
+    esac
+  fi
+  sys_lib_dlsearch_path_spec='/usr/lib'
+  ;;
+
 uts4*)
   version_type=linux
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -1613,6 +1785,11 @@ uts4*)
 esac
 AC_MSG_RESULT([$dynamic_linker])
 test "$dynamic_linker" = no && can_build_shared=no
+
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
 ])# AC_LIBTOOL_SYS_DYNAMIC_LINKER
 
 
@@ -1637,6 +1814,9 @@ if test -f "$ltmain" && test -n "$tagnames"; then
       AC_MSG_WARN([using `LTCC=$LTCC', extracted from `$ofile'])
     fi
   fi
+  if test -z "$LTCFLAGS"; then
+    eval "`$SHELL ${ofile} --config | grep '^LTCFLAGS='`"
+  fi
 
   # Extract list of available tagged configurations in $ofile.
   # Note that this assumes the entire list is on one line.
@@ -1663,7 +1843,9 @@ if test -f "$ltmain" && test -n "$tagnames"; then
 
       case $tagname in
       CXX)
-	if test -n "$CXX" && test "X$CXX" != "Xno"; then
+	if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
+	    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
+	    (test "X$CXX" != "Xg++"))) ; then
 	  AC_LIBTOOL_LANG_CXX_CONFIG
 	else
 	  tagname=""
@@ -1725,7 +1907,7 @@ AC_DEFUN([AC_LIBTOOL_DLOPEN],
 
 # AC_LIBTOOL_WIN32_DLL
 # --------------------
-# declare package support for building win32 dll's
+# declare package support for building win32 DLLs
 AC_DEFUN([AC_LIBTOOL_WIN32_DLL],
 [AC_BEFORE([$0], [AC_LIBTOOL_SETUP])
 ])# AC_LIBTOOL_WIN32_DLL
@@ -1763,7 +1945,7 @@ AC_ARG_ENABLE([shared],
 
 # AC_DISABLE_SHARED
 # -----------------
-#- set the default shared flag to --disable-shared
+# set the default shared flag to --disable-shared
 AC_DEFUN([AC_DISABLE_SHARED],
 [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
 AC_ENABLE_SHARED(no)
@@ -1899,7 +2081,7 @@ dnl not every word.  This closes a longstanding sh security hole.
       if test -n "$file_magic_test_file"; then
 	case $deplibs_check_method in
 	"file_magic "*)
-	  file_magic_regex="`expr \"$deplibs_check_method\" : \"file_magic \(.*\)\"`"
+	  file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"`
 	  MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
 	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
 	    $EGREP "$file_magic_regex" > /dev/null; then
@@ -2009,7 +2191,7 @@ AC_CACHE_VAL(lt_cv_path_LD,
     if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
       lt_cv_path_LD="$ac_dir/$ac_prog"
       # Check to see if the program is GNU ld.  I'd rather use --version,
-      # but apparently some GNU ld's only accept -v.
+      # but apparently some variants of GNU ld only accept -v.
       # Break only if it was the GNU/non-GNU ld that we prefer.
       case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
       *GNU* | *'with BFD'*)
@@ -2041,7 +2223,7 @@ AC_PROG_LD_GNU
 AC_DEFUN([AC_PROG_LD_GNU],
 [AC_REQUIRE([AC_PROG_EGREP])dnl
 AC_CACHE_CHECK([if the linker ($LD) is GNU ld], lt_cv_prog_gnu_ld,
-[# I'd rather use --version here, but apparently some GNU ld's only accept -v.
+[# I'd rather use --version here, but apparently some GNU lds only accept -v.
 case `$LD -v 2>&1 </dev/null` in
 *GNU* | *'with BFD'*)
   lt_cv_prog_gnu_ld=yes
@@ -2068,6 +2250,15 @@ case $reload_flag in
 *) reload_flag=" $reload_flag" ;;
 esac
 reload_cmds='$LD$reload_flag -o $output$reload_objs'
+case $host_os in
+  darwin*)
+    if test "$GCC" = yes; then
+      reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs'
+    else
+      reload_cmds='$LD$reload_flag -o $output$reload_objs'
+    fi
+    ;;
+esac
 ])# AC_PROG_LD_RELOAD_FLAG
 
 
@@ -2101,21 +2292,21 @@ beos*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-bsdi4*)
+bsdi[[45]]*)
   lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib)'
   lt_cv_file_magic_cmd='/usr/bin/file -L'
   lt_cv_file_magic_test_file=/shlib/libc.so
   ;;
 
 cygwin*)
-  # win32_libid is a shell function defined in ltmain.sh
+  # func_win32_libid is a shell function defined in ltmain.sh
   lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
-  lt_cv_file_magic_cmd='win32_libid'
+  lt_cv_file_magic_cmd='func_win32_libid'
   ;;
 
 mingw* | pw32*)
   # Base MSYS/MinGW do not provide the 'file' command needed by
-  # win32_libid shell function, so use a weaker test based on 'objdump'.
+  # func_win32_libid shell function, so use a weaker test based on 'objdump'.
   lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
   lt_cv_file_magic_cmd='$OBJDUMP -f'
   ;;
@@ -2124,13 +2315,13 @@ darwin* | rhapsody*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-freebsd* | kfreebsd*-gnu)
+freebsd* | kfreebsd*-gnu | dragonfly*)
   if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
     case $host_cpu in
     i*86 )
       # Not sure whether the presence of OpenBSD here was a mistake.
       # Let's accept both of them until this is cleared up.
-      lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD)/i[[3-9]]86 (compact )?demand paged shared library'
+      lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[[3-9]]86 (compact )?demand paged shared library'
       lt_cv_file_magic_cmd=/usr/bin/file
       lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
       ;;
@@ -2146,7 +2337,7 @@ gnu*)
 
 hpux10.20* | hpux11*)
   lt_cv_file_magic_cmd=/usr/bin/file
-  case "$host_cpu" in
+  case $host_cpu in
   ia64*)
     lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|ELF-[[0-9]][[0-9]]) shared object file - IA64'
     lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
@@ -2162,6 +2353,11 @@ hpux10.20* | hpux11*)
   esac
   ;;
 
+interix3*)
+  # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here
+  lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|\.a)$'
+  ;;
+
 irix5* | irix6* | nonstopux*)
   case $LD in
   *-32|*"-32 ") libmagic=32-bit;;
@@ -2174,15 +2370,6 @@ irix5* | irix6* | nonstopux*)
 
 # This must be Linux ELF.
 linux*)
-  case $host_cpu in
-  alpha*|hppa*|i*86|ia64*|m68*|mips*|powerpc*|sparc*|s390*|sh*)
-    lt_cv_deplibs_check_method=pass_all ;;
-  *)
-    # glibc up to 2.1.1 does not perform some relocations on ARM
-    # this will be overridden with pass_all, but let us keep it just in case
-    lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB (shared object|dynamic lib )' ;;
-  esac
-  lt_cv_file_magic_test_file=`echo /lib/libc.so* /lib/libc-*.so`
   lt_cv_deplibs_check_method=pass_all
   ;;
 
@@ -2205,12 +2392,10 @@ nto-qnx*)
   ;;
 
 openbsd*)
-  lt_cv_file_magic_cmd=/usr/bin/file
-  lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
   if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-    lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB shared object'
+    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|\.so|_pic\.a)$'
   else
-    lt_cv_deplibs_check_method='file_magic OpenBSD.* shared library'
+    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
   fi
   ;;
 
@@ -2218,15 +2403,11 @@ osf3* | osf4* | osf5*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-sco3.2v5*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
 solaris*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+sysv4 | sysv4.3*)
   case $host_vendor in
   motorola)
     lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib) M[[0-9]][[0-9]]* Version [[0-9]]'
@@ -2247,10 +2428,13 @@ sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
   siemens)
     lt_cv_deplibs_check_method=pass_all
     ;;
+  pc)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
   esac
   ;;
 
-sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[[78]]* | unixware7* | sysv4*uw2*)
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 esac
@@ -2270,36 +2454,43 @@ AC_DEFUN([AC_PROG_NM],
   # Let the user override the test.
   lt_cv_path_NM="$NM"
 else
-  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-  for ac_dir in $PATH /usr/ccs/bin /usr/ucb /bin; do
-    IFS="$lt_save_ifs"
-    test -z "$ac_dir" && ac_dir=.
-    tmp_nm="$ac_dir/${ac_tool_prefix}nm"
-    if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then
-      # Check to see if the nm accepts a BSD-compat flag.
-      # Adding the `sed 1q' prevents false positives on HP-UX, which says:
-      #   nm: unknown option "B" ignored
-      # Tru64's nm complains that /dev/null is an invalid object file
-      case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in
-      */dev/null* | *'Invalid file or object type'*)
-	lt_cv_path_NM="$tmp_nm -B"
-	break
-        ;;
-      *)
-	case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in
-	*/dev/null*)
-	  lt_cv_path_NM="$tmp_nm -p"
+  lt_nm_to_check="${ac_tool_prefix}nm"
+  if test -n "$ac_tool_prefix" && test "$build" = "$host"; then 
+    lt_nm_to_check="$lt_nm_to_check nm"
+  fi
+  for lt_tmp_nm in $lt_nm_to_check; do
+    lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+    for ac_dir in $PATH /usr/ccs/bin/elf /usr/ccs/bin /usr/ucb /bin; do
+      IFS="$lt_save_ifs"
+      test -z "$ac_dir" && ac_dir=.
+      tmp_nm="$ac_dir/$lt_tmp_nm"
+      if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then
+	# Check to see if the nm accepts a BSD-compat flag.
+	# Adding the `sed 1q' prevents false positives on HP-UX, which says:
+	#   nm: unknown option "B" ignored
+	# Tru64's nm complains that /dev/null is an invalid object file
+	case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in
+	*/dev/null* | *'Invalid file or object type'*)
+	  lt_cv_path_NM="$tmp_nm -B"
 	  break
 	  ;;
 	*)
-	  lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but
-	  continue # so that we can try to find one that supports BSD flags
+	  case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in
+	  */dev/null*)
+	    lt_cv_path_NM="$tmp_nm -p"
+	    break
+	    ;;
+	  *)
+	    lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but
+	    continue # so that we can try to find one that supports BSD flags
+	    ;;
+	  esac
 	  ;;
 	esac
-      esac
-    fi
+      fi
+    done
+    IFS="$lt_save_ifs"
   done
-  IFS="$lt_save_ifs"
   test -z "$lt_cv_path_NM" && lt_cv_path_NM=nm
 fi])
 NM="$lt_cv_path_NM"
@@ -2331,13 +2522,13 @@ esac
 # -----------------------------------
 # sets LIBLTDL to the link flags for the libltdl convenience library and
 # LTDLINCL to the include flags for the libltdl header and adds
-# --enable-ltdl-convenience to the configure arguments.  Note that LIBLTDL
-# and LTDLINCL are not AC_SUBSTed, nor is AC_CONFIG_SUBDIRS called.  If
-# DIRECTORY is not provided, it is assumed to be `libltdl'.  LIBLTDL will
-# be prefixed with '${top_builddir}/' and LTDLINCL will be prefixed with
-# '${top_srcdir}/' (note the single quotes!).  If your package is not
-# flat and you're not using automake, define top_builddir and
-# top_srcdir appropriately in the Makefiles.
+# --enable-ltdl-convenience to the configure arguments.  Note that
+# AC_CONFIG_SUBDIRS is not called here.  If DIRECTORY is not provided,
+# it is assumed to be `libltdl'.  LIBLTDL will be prefixed with
+# '${top_builddir}/' and LTDLINCL will be prefixed with '${top_srcdir}/'
+# (note the single quotes!).  If your package is not flat and you're not
+# using automake, define top_builddir and top_srcdir appropriately in
+# the Makefiles.
 AC_DEFUN([AC_LIBLTDL_CONVENIENCE],
 [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
   case $enable_ltdl_convenience in
@@ -2356,13 +2547,13 @@ AC_DEFUN([AC_LIBLTDL_CONVENIENCE],
 # -----------------------------------
 # sets LIBLTDL to the link flags for the libltdl installable library and
 # LTDLINCL to the include flags for the libltdl header and adds
-# --enable-ltdl-install to the configure arguments.  Note that LIBLTDL
-# and LTDLINCL are not AC_SUBSTed, nor is AC_CONFIG_SUBDIRS called.  If
-# DIRECTORY is not provided and an installed libltdl is not found, it is
-# assumed to be `libltdl'.  LIBLTDL will be prefixed with '${top_builddir}/'
-# and LTDLINCL will be prefixed with '${top_srcdir}/' (note the single
-# quotes!).  If your package is not flat and you're not using automake,
-# define top_builddir and top_srcdir appropriately in the Makefiles.
+# --enable-ltdl-install to the configure arguments.  Note that
+# AC_CONFIG_SUBDIRS is not called here.  If DIRECTORY is not provided,
+# and an installed libltdl is not found, it is assumed to be `libltdl'.
+# LIBLTDL will be prefixed with '${top_builddir}/'# and LTDLINCL with
+# '${top_srcdir}/' (note the single quotes!).  If your package is not
+# flat and you're not using automake, define top_builddir and top_srcdir
+# appropriately in the Makefiles.
 # In the future, this macro may have to be called after AC_PROG_LIBTOOL.
 AC_DEFUN([AC_LIBLTDL_INSTALLABLE],
 [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
@@ -2400,10 +2591,21 @@ AC_DEFUN([AC_LIBTOOL_CXX],
 # ---------------
 AC_DEFUN([_LT_AC_LANG_CXX],
 [AC_REQUIRE([AC_PROG_CXX])
-AC_REQUIRE([AC_PROG_CXXCPP])
+AC_REQUIRE([_LT_AC_PROG_CXXCPP])
 _LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}CXX])
 ])# _LT_AC_LANG_CXX
 
+# _LT_AC_PROG_CXXCPP
+# ------------------
+AC_DEFUN([_LT_AC_PROG_CXXCPP],
+[
+AC_REQUIRE([AC_PROG_CXX])
+if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
+    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
+    (test "X$CXX" != "Xg++"))) ; then
+  AC_PROG_CXXCPP
+fi
+])# _LT_AC_PROG_CXXCPP
 
 # AC_LIBTOOL_F77
 # --------------
@@ -2443,7 +2645,7 @@ _LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}GCJ])
 
 
 # AC_LIBTOOL_RC
-# --------------
+# -------------
 # enable support for Windows resource files
 AC_DEFUN([AC_LIBTOOL_RC],
 [AC_REQUIRE([LT_AC_PROG_RC])
@@ -2476,36 +2678,9 @@ lt_simple_link_test_code='int main(){return(0);}\n'
 
 _LT_AC_SYS_COMPILER
 
-#
-# Check for any special shared library compilation flags.
-#
-_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)=
-if test "$GCC" = no; then
-  case $host_os in
-  sco3.2v5*)
-    _LT_AC_TAGVAR(lt_prog_cc_shlib, $1)='-belf'
-    ;;
-  esac
-fi
-if test -n "$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)"; then
-  AC_MSG_WARN([`$CC' requires `$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)' to build shared libraries])
-  if echo "$old_CC $old_CFLAGS " | grep "[[ 	]]$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)[[ 	]]" >/dev/null; then :
-  else
-    AC_MSG_WARN([add `$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)' to the CC or CFLAGS env variable and reconfigure])
-    _LT_AC_TAGVAR(lt_cv_prog_cc_can_build_shared, $1)=no
-  fi
-fi
-
-
-#
-# Check to make sure the static flag actually works.
-#
-AC_LIBTOOL_LINKER_OPTION([if $compiler static flag $_LT_AC_TAGVAR(lt_prog_compiler_static, $1) works],
-  _LT_AC_TAGVAR(lt_prog_compiler_static_works, $1),
-  $_LT_AC_TAGVAR(lt_prog_compiler_static, $1),
-  [],
-  [_LT_AC_TAGVAR(lt_prog_compiler_static, $1)=])
-
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
 
 AC_LIBTOOL_PROG_COMPILER_NO_RTTI($1)
 AC_LIBTOOL_PROG_COMPILER_PIC($1)
@@ -2515,9 +2690,9 @@ AC_LIBTOOL_PROG_LD_SHLIBS($1)
 AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
 AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
 AC_LIBTOOL_SYS_LIB_STRIP
-AC_LIBTOOL_DLOPEN_SELF($1)
+AC_LIBTOOL_DLOPEN_SELF
 
-# Report which librarie types wil actually be built
+# Report which library types will actually be built
 AC_MSG_CHECKING([if libtool supports shared libraries])
 AC_MSG_RESULT([$can_build_shared])
 
@@ -2526,7 +2701,7 @@ test "$can_build_shared" = "no" && enable_shared=no
 
 # On AIX, shared libraries and static libraries use the same namespace, and
 # are all built from PIC.
-case "$host_os" in
+case $host_os in
 aix3*)
   test "$enable_shared" = yes && enable_static=no
   if test -n "$RANLIB"; then
@@ -2535,47 +2710,10 @@ aix3*)
   fi
   ;;
 
-aix4*)
+aix4* | aix5*)
   if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
     test "$enable_shared" = yes && enable_static=no
   fi
-  ;;
-  darwin* | rhapsody*)
-  if test "$GCC" = yes; then
-    _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-    case "$host_os" in
-    rhapsody* | darwin1.[[012]])
-      _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined suppress'
-      ;;
-    *) # Darwin 1.3 on
-      if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-      	_LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
-      else
-        case ${MACOSX_DEPLOYMENT_TARGET} in
-          10.[[012]])
-            _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
-            ;;
-          10.*)
-            _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined dynamic_lookup'
-            ;;
-        esac
-      fi
-      ;;
-    esac
-    output_verbose_link_cmd='echo'
-    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs$compiler_flags -install_name $rpath/$soname $verstring'
-    _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-    # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag  -o $lib $libobjs $deplibs$compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-    _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-    _LT_AC_TAGVAR(hardcode_direct, $1)=no
-    _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
-    _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
-    _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-all_load $convenience'
-    _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-  else
-    _LT_AC_TAGVAR(ld_shlibs, $1)=no
-  fi
     ;;
 esac
 AC_MSG_RESULT([$enable_shared])
@@ -2601,7 +2739,7 @@ AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG], [_LT_AC_LANG_CXX_CONFIG(CXX)])
 AC_DEFUN([_LT_AC_LANG_CXX_CONFIG],
 [AC_LANG_PUSH(C++)
 AC_REQUIRE([AC_PROG_CXX])
-AC_REQUIRE([AC_PROG_CXXCPP])
+AC_REQUIRE([_LT_AC_PROG_CXXCPP])
 
 _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
 _LT_AC_TAGVAR(allow_undefined_flag, $1)=
@@ -2613,6 +2751,7 @@ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
 _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
 _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
 _LT_AC_TAGVAR(hardcode_minus_L, $1)=no
+_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
 _LT_AC_TAGVAR(hardcode_automatic, $1)=no
 _LT_AC_TAGVAR(module_cmds, $1)=
 _LT_AC_TAGVAR(module_expsym_cmds, $1)=
@@ -2630,7 +2769,7 @@ _LT_AC_TAGVAR(postdeps, $1)=
 _LT_AC_TAGVAR(compiler_lib_search_path, $1)=
 
 # Source file extension for C++ test sources.
-ac_ext=cc
+ac_ext=cpp
 
 # Object file extension for compiled C++ test sources.
 objext=o
@@ -2640,11 +2779,15 @@ _LT_AC_TAGVAR(objext, $1)=$objext
 lt_simple_compile_test_code="int some_variable = 0;\n"
 
 # Code to be used in simple link tests
-lt_simple_link_test_code='int main(int, char *[]) { return(0); }\n'
+lt_simple_link_test_code='int main(int, char *[[]]) { return(0); }\n'
 
 # ltmain only uses $CC for tagged configurations so make sure $CC is set.
 _LT_AC_SYS_COMPILER
 
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
 # Allow CC to be a program name with arguments.
 lt_save_CC=$CC
 lt_save_LD=$LD
@@ -2655,18 +2798,18 @@ lt_save_path_LD=$lt_cv_path_LD
 if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then
   lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx
 else
-  unset lt_cv_prog_gnu_ld
+  $as_unset lt_cv_prog_gnu_ld
 fi
 if test -n "${lt_cv_path_LDCXX+set}"; then
   lt_cv_path_LD=$lt_cv_path_LDCXX
 else
-  unset lt_cv_path_LD
+  $as_unset lt_cv_path_LD
 fi
 test -z "${LDCXX+set}" || LD=$LDCXX
 CC=${CXX-"c++"}
 compiler=$CC
 _LT_AC_TAGVAR(compiler, $1)=$CC
-cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'`
+_LT_CC_BASENAME([$compiler])
 
 # We don't want -fno-exception wen compiling C++ code, so set the
 # no_builtin_flag separately
@@ -2755,6 +2898,7 @@ case $host_os in
 	    ;;
 	  esac
 	done
+	;;
       esac
 
       exp_sym_flag='-bexport'
@@ -2773,7 +2917,7 @@ case $host_os in
     _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
 
     if test "$GXX" = yes; then
-      case $host_os in aix4.[012]|aix4.[012].*)
+      case $host_os in aix4.[[012]]|aix4.[[012]].*)
       # We only want to do this on AIX 4.2 and lower, the check
       # below for broken collect2 doesn't work under 4.3+
 	collect2name=`${CC} -print-prog-name=collect2`
@@ -2792,8 +2936,12 @@ case $host_os in
 	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
 	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
 	fi
+	;;
       esac
       shared_flag='-shared'
+      if test "$aix_use_runtimelinking" = yes; then
+	shared_flag="$shared_flag "'${wl}-G'
+      fi
     else
       # not using gcc
       if test "$host_cpu" = ia64; then
@@ -2820,12 +2968,12 @@ case $host_os in
       _LT_AC_SYS_LIBPATH_AIX
       _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
 
-      _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+      _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
      else
       if test "$host_cpu" = ia64; then
 	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
 	_LT_AC_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
       else
 	# Determine the default libpath from the value encoded in an empty executable.
 	_LT_AC_SYS_LIBPATH_AIX
@@ -2834,16 +2982,26 @@ case $host_os in
 	# -berok will link without error, but may produce a broken library.
 	_LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
 	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
-	# -bexpall does not export symbols beginning with underscore (_)
-	_LT_AC_TAGVAR(always_export_symbols, $1)=yes
 	# Exported symbols can be pulled into shared objects from archives
-	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=' '
+	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
 	_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
-	# This is similar to how AIX traditionally builds it's shared libraries.
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+	# This is similar to how AIX traditionally builds its shared libraries.
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
       fi
     fi
     ;;
+
+  beos*)
+    if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+      _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+      # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+      # support --undefined.  This deserves some investigation.  FIXME
+      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+    else
+      _LT_AC_TAGVAR(ld_shlibs, $1)=no
+    fi
+    ;;
+
   chorus*)
     case $cc_basename in
       *)
@@ -2862,7 +3020,7 @@ case $host_os in
     _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
 
     if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
       # If the export-symbols file already is a .def file (1st line
       # is EXPORTS), use it as is; otherwise, prepend...
       _LT_AC_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
@@ -2871,70 +3029,81 @@ case $host_os in
 	echo EXPORTS > $output_objdir/$soname.def;
 	cat $export_symbols >> $output_objdir/$soname.def;
       fi~
-      $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+      $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
     else
       _LT_AC_TAGVAR(ld_shlibs, $1)=no
     fi
   ;;
+      darwin* | rhapsody*)
+        case $host_os in
+        rhapsody* | darwin1.[[012]])
+         _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}suppress'
+         ;;
+       *) # Darwin 1.3 on
+         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+           _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+         else
+           case ${MACOSX_DEPLOYMENT_TARGET} in
+             10.[[012]])
+               _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+               ;;
+             10.*)
+               _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}dynamic_lookup'
+               ;;
+           esac
+         fi
+         ;;
+        esac
+      _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+      _LT_AC_TAGVAR(hardcode_direct, $1)=no
+      _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=''
+      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
 
-  darwin* | rhapsody*)
-  if test "$GXX" = yes; then
-    _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-    case "$host_os" in
-    rhapsody* | darwin1.[[012]])
-      _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined suppress'
-      ;;
-    *) # Darwin 1.3 on
-      if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-      	_LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
+    if test "$GXX" = yes ; then
+      lt_int_apple_cc_single_mod=no
+      output_verbose_link_cmd='echo'
+      if $CC -dumpspecs 2>&1 | $EGREP 'single_module' >/dev/null ; then
+       lt_int_apple_cc_single_mod=yes
+      fi
+      if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+       _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
       else
-        case ${MACOSX_DEPLOYMENT_TARGET} in
-          10.[[012]])
-            _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
-            ;;
-          10.*)
-            _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined dynamic_lookup'
-            ;;
-        esac
+          _LT_AC_TAGVAR(archive_cmds, $1)='$CC -r -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+        fi
+        _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+        # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+          if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+            _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          else
+            _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          fi
+            _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+      else
+      case $cc_basename in
+        xlc*)
+         output_verbose_link_cmd='echo'
+          _LT_AC_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
+          _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+          _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          ;;
+       *)
+         _LT_AC_TAGVAR(ld_shlibs, $1)=no
+          ;;
+      esac
       fi
-      ;;
-    esac
-    lt_int_apple_cc_single_mod=no
-    output_verbose_link_cmd='echo'
-    if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
-      lt_int_apple_cc_single_mod=yes
-    fi
-    if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
-      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-    else
-      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-    fi
-    _LT_AC_TAGVAR(module_cmds, $1)='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-
-    # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-    if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
-      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-    else
-      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-    fi
-    _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-    _LT_AC_TAGVAR(hardcode_direct, $1)=no
-    _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
-    _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
-    _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-all_load $convenience'
-    _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-  else
-    _LT_AC_TAGVAR(ld_shlibs, $1)=no
-  fi
-    ;;
+        ;;
 
   dgux*)
     case $cc_basename in
-      ec++)
+      ec++*)
 	# FIXME: insert proper C++ library support
 	_LT_AC_TAGVAR(ld_shlibs, $1)=no
 	;;
-      ghcx)
+      ghcx*)
 	# Green Hills C++ Compiler
 	# FIXME: insert proper C++ library support
 	_LT_AC_TAGVAR(ld_shlibs, $1)=no
@@ -2945,14 +3114,14 @@ case $host_os in
 	;;
     esac
     ;;
-  freebsd[12]*)
+  freebsd[[12]]*)
     # C++ shared libraries reported to be fairly broken before switch to ELF
     _LT_AC_TAGVAR(ld_shlibs, $1)=no
     ;;
   freebsd-elf*)
     _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
     ;;
-  freebsd* | kfreebsd*-gnu)
+  freebsd* | kfreebsd*-gnu | dragonfly*)
     # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
     # conventions
     _LT_AC_TAGVAR(ld_shlibs, $1)=yes
@@ -2969,11 +3138,11 @@ case $host_os in
 				# location of the library.
 
     case $cc_basename in
-    CC)
+    CC*)
       # FIXME: insert proper C++ library support
       _LT_AC_TAGVAR(ld_shlibs, $1)=no
       ;;
-    aCC)
+    aCC*)
       _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
       # Commands to make compiler produce verbose output that lists
       # what "hidden" libraries, object files and flags are used when
@@ -2983,7 +3152,7 @@ case $host_os in
       # explicitly linking system object files so we need to strip them
       # from the output so that they don't get included in the library
       # dependencies.
-      output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | egrep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+      output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "[[-]]L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
       ;;
     *)
       if test "$GXX" = yes; then
@@ -2997,33 +3166,22 @@ case $host_os in
     ;;
   hpux10*|hpux11*)
     if test $with_gnu_ld = no; then
-      case "$host_cpu" in
-      hppa*64*)
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+      case $host_cpu in
+      hppa*64*|ia64*)
 	_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
-	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-        ;;
-      ia64*)
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
         ;;
       *)
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
 	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
         ;;
       esac
     fi
-    case "$host_cpu" in
-    hppa*64*)
-      _LT_AC_TAGVAR(hardcode_direct, $1)=no
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-    ia64*)
+    case $host_cpu in
+    hppa*64*|ia64*)
       _LT_AC_TAGVAR(hardcode_direct, $1)=no
       _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
-					      # but as the default
-					      # location of the library.
       ;;
     *)
       _LT_AC_TAGVAR(hardcode_direct, $1)=yes
@@ -3034,14 +3192,17 @@ case $host_os in
     esac
 
     case $cc_basename in
-      CC)
+      CC*)
 	# FIXME: insert proper C++ library support
 	_LT_AC_TAGVAR(ld_shlibs, $1)=no
 	;;
-      aCC)
-	case "$host_cpu" in
-	hppa*64*|ia64*)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname -o $lib $linker_flags $libobjs $deplibs'
+      aCC*)
+	case $host_cpu in
+	hppa*64*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	  ;;
+	ia64*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
 	  ;;
 	*)
 	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
@@ -3060,9 +3221,12 @@ case $host_os in
       *)
 	if test "$GXX" = yes; then
 	  if test $with_gnu_ld = no; then
-	    case "$host_cpu" in
-	    ia64*|hppa*64*)
-	      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname -o $lib $linker_flags $libobjs $deplibs'
+	    case $host_cpu in
+	    hppa*64*)
+	      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	      ;;
+	    ia64*)
+	      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
 	      ;;
 	    *)
 	      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
@@ -3076,11 +3240,25 @@ case $host_os in
 	;;
     esac
     ;;
+  interix3*)
+    _LT_AC_TAGVAR(hardcode_direct, $1)=no
+    _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+    # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+    # Instead, shared libraries are loaded at an image base (0x10000000 by
+    # default) and relocated if they conflict, which is a slow very memory
+    # consuming and fragmenting process.  To avoid this, we pick a random,
+    # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+    # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
+    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+    ;;
   irix5* | irix6*)
     case $cc_basename in
-      CC)
+      CC*)
 	# SGI C++
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
 
 	# Archives containing C++ object files must be created using
 	# "CC -ar", where "CC" is the IRIX C++ compiler.  This is
@@ -3091,7 +3269,7 @@ case $host_os in
       *)
 	if test "$GXX" = yes; then
 	  if test "$with_gnu_ld" = no; then
-	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
+	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
 	  else
 	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` -o $lib'
 	  fi
@@ -3104,7 +3282,7 @@ case $host_os in
     ;;
   linux*)
     case $cc_basename in
-      KCC)
+      KCC*)
 	# Kuck and Associates, Inc. (KAI) C++ Compiler
 
 	# KCC will only create a shared library if the output file
@@ -3129,17 +3307,41 @@ case $host_os in
 	# "CC -Bstatic", where "CC" is the KAI C++ compiler.
 	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
 	;;
-      icpc)
+      icpc*)
 	# Intel C++
 	with_gnu_ld=yes
+	# version 8.0 and above of icpc choke on multiply defined symbols
+	# if we add $predep_objects and $postdep_objects, however 7.1 and
+	# earlier do not add the objects themselves.
+	case `$CC -V 2>&1` in
+	*"Version 7."*)
+  	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+  	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	  ;;
+	*)  # Version 8.0 or newer
+	  tmp_idyn=
+	  case $host_cpu in
+	    ia64*) tmp_idyn=' -i_dynamic';;
+	  esac
+  	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	  ;;
+	esac
 	_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
 	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
 	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
 	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
 	;;
-      cxx)
+      pgCC*)
+        # Portland Group C++ compiler
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+  	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
+	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+        ;;
+      cxx*)
 	# Compaq C++
 	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
 	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname  -o $lib ${wl}-retain-symbols-file $wl$export_symbols'
@@ -3170,7 +3372,7 @@ case $host_os in
     ;;
   mvs*)
     case $cc_basename in
-      cxx)
+      cxx*)
 	# FIXME: insert proper C++ library support
 	_LT_AC_TAGVAR(ld_shlibs, $1)=no
 	;;
@@ -3191,9 +3393,25 @@ case $host_os in
     # Workaround some broken pre-1.5 toolchains
     output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"'
     ;;
+  openbsd2*)
+    # C++ shared libraries are fairly broken
+    _LT_AC_TAGVAR(ld_shlibs, $1)=no
+    ;;
+  openbsd*)
+    _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+    _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
+    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+    if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib'
+      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+    fi
+    output_verbose_link_cmd='echo'
+    ;;
   osf3*)
     case $cc_basename in
-      KCC)
+      KCC*)
 	# Kuck and Associates, Inc. (KAI) C++ Compiler
 
 	# KCC will only create a shared library if the output file
@@ -3209,14 +3427,14 @@ case $host_os in
 	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
 
 	;;
-      RCC)
+      RCC*)
 	# Rational C++ 2.4.1
 	# FIXME: insert proper C++ library support
 	_LT_AC_TAGVAR(ld_shlibs, $1)=no
 	;;
-      cxx)
+      cxx*)
 	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && echo ${wl}-set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && echo ${wl}-set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
 
 	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
 	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
@@ -3234,7 +3452,7 @@ case $host_os in
       *)
 	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
 	  _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
 
 	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
 	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
@@ -3253,7 +3471,7 @@ case $host_os in
     ;;
   osf4* | osf5*)
     case $cc_basename in
-      KCC)
+      KCC*)
 	# Kuck and Associates, Inc. (KAI) C++ Compiler
 
 	# KCC will only create a shared library if the output file
@@ -3268,17 +3486,17 @@ case $host_os in
 	# the KAI C++ compiler.
 	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -o $oldlib $oldobjs'
 	;;
-      RCC)
+      RCC*)
 	# Rational C++ 2.4.1
 	# FIXME: insert proper C++ library support
 	_LT_AC_TAGVAR(ld_shlibs, $1)=no
 	;;
-      cxx)
+      cxx*)
 	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
 	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
 	  echo "-hidden">> $lib.exp~
-	  $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname -Wl,-input -Wl,$lib.exp  `test -n "$verstring" && echo -set_version	$verstring` -update_registry $objdir/so_locations -o $lib~
+	  $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname -Wl,-input -Wl,$lib.exp  `test -n "$verstring" && echo -set_version	$verstring` -update_registry ${output_objdir}/so_locations -o $lib~
 	  $rm $lib.exp'
 
 	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
@@ -3297,7 +3515,7 @@ case $host_os in
       *)
 	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
 	  _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	 _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
+	 _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
 
 	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
 	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
@@ -3318,27 +3536,14 @@ case $host_os in
     # FIXME: insert proper C++ library support
     _LT_AC_TAGVAR(ld_shlibs, $1)=no
     ;;
-  sco*)
-    _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-    case $cc_basename in
-      CC)
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-      *)
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-    esac
-    ;;
   sunos4*)
     case $cc_basename in
-      CC)
+      CC*)
 	# Sun C++ 4.x
 	# FIXME: insert proper C++ library support
 	_LT_AC_TAGVAR(ld_shlibs, $1)=no
 	;;
-      lcc)
+      lcc*)
 	# Lucid
 	# FIXME: insert proper C++ library support
 	_LT_AC_TAGVAR(ld_shlibs, $1)=no
@@ -3351,36 +3556,33 @@ case $host_os in
     ;;
   solaris*)
     case $cc_basename in
-      CC)
+      CC*)
 	# Sun C++ 4.2, 5.x and Centerline C++
+        _LT_AC_TAGVAR(archive_cmds_need_lc,$1)=yes
 	_LT_AC_TAGVAR(no_undefined_flag, $1)=' -zdefs'
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -nolib -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag}  -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
 	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-	$CC -G${allow_undefined_flag} -nolib ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+	$CC -G${allow_undefined_flag}  ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
 
 	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
 	_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
 	case $host_os in
-	  solaris2.[0-5] | solaris2.[0-5].*) ;;
+	  solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
 	  *)
 	    # The C++ compiler is used as linker so we must use $wl
 	    # flag to pass the commands to the underlying system
-	    # linker.
+	    # linker. We must also pass each convience library through
+	    # to the system linker between allextract/defaultextract.
+	    # The C++ compiler will combine linker options so we
+	    # cannot just pass the convience library names through
+	    # without $wl.
 	    # Supported since Solaris 2.6 (maybe 2.5.1?)
-	    _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+	    _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract'
 	    ;;
 	esac
 	_LT_AC_TAGVAR(link_all_deplibs, $1)=yes
 
-	# Commands to make compiler produce verbose output that lists
-	# what "hidden" libraries, object files and flags are used when
-	# linking a shared library.
-	#
-	# There doesn't appear to be a way to prevent this compiler from
-	# explicitly linking system object files so we need to strip them
-	# from the output so that they don't get included in the library
-	# dependencies.
-	output_verbose_link_cmd='templist=`$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep "\-[[LR]]"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+	output_verbose_link_cmd='echo'
 
 	# Archives containing C++ object files must be created using
 	# "CC -xar", where "CC" is the Sun C++ compiler.  This is
@@ -3388,7 +3590,7 @@ case $host_os in
 	# in the archive.
 	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
 	;;
-      gcx)
+      gcx*)
 	# Green Hills C++ Compiler
 	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
 
@@ -3426,12 +3628,63 @@ case $host_os in
 	;;
     esac
     ;;
-  sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[[78]]* | unixware7*)
+  sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*)
+    _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
     _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+    _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+    runpath_var='LD_RUN_PATH'
+
+    case $cc_basename in
+      CC*)
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	;;
+      *)
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	;;
+    esac
+    ;;
+  sysv5* | sco3.2v5* | sco5v6*)
+    # Note: We can NOT use -z defs as we might desire, because we do not
+    # link with -lc, and that would cause any symbols used from libc to
+    # always be unresolved, which means just about no library would
+    # ever link correctly.  If we're not using GNU ld we use -z text
+    # though, which does catch some bad symbols but isn't as heavy-handed
+    # as -z defs.
+    # For security reasons, it is highly recommended that you always
+    # use absolute paths for naming shared libraries, and exclude the
+    # DT_RUNPATH tag from executables and libraries.  But doing so
+    # requires that you compile everything twice, which is a pain.
+    # So that behaviour is only enabled if SCOABSPATH is set to a
+    # non-empty value in the environment.  Most likely only useful for
+    # creating official distributions of packages.
+    # This is a hack until libtool officially supports absolute path
+    # names for shared libraries.
+    _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
+    _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs'
+    _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+    _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
+    _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
+    _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
+    runpath_var='LD_RUN_PATH'
+
+    case $cc_basename in
+      CC*)
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	;;
+      *)
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	;;
+    esac
     ;;
   tandem*)
     case $cc_basename in
-      NCC)
+      NCC*)
 	# NonStop-UX NCC 3.20
 	# FIXME: insert proper C++ library support
 	_LT_AC_TAGVAR(ld_shlibs, $1)=no
@@ -3464,8 +3717,6 @@ AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
 AC_LIBTOOL_PROG_LD_SHLIBS($1)
 AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
 AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
-AC_LIBTOOL_SYS_LIB_STRIP
-AC_LIBTOOL_DLOPEN_SELF($1)
 
 AC_LIBTOOL_CONFIG($1)
 
@@ -3483,7 +3734,7 @@ lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld
 ])# AC_LIBTOOL_LANG_CXX_CONFIG
 
 # AC_LIBTOOL_POSTDEP_PREDEP([TAGNAME])
-# ------------------------
+# ------------------------------------
 # Figure out "hidden" library dependencies from verbose
 # compiler output when linking a shared library.
 # Parse the compiler output and extract the necessary
@@ -3537,7 +3788,7 @@ if AC_TRY_EVAL(ac_compile); then
   # The `*' in the case matches for architectures that use `case' in
   # $output_verbose_cmd can trigger glob expansion during the loop
   # eval without this substitution.
-  output_verbose_link_cmd="`$echo \"X$output_verbose_link_cmd\" | $Xsed -e \"$no_glob_subst\"`"
+  output_verbose_link_cmd=`$echo "X$output_verbose_link_cmd" | $Xsed -e "$no_glob_subst"`
 
   for p in `eval $output_verbose_link_cmd`; do
     case $p in
@@ -3613,13 +3864,37 @@ fi
 
 $rm -f confest.$objext
 
+# PORTME: override above test on systems where it is broken
+ifelse([$1],[CXX],
+[case $host_os in
+interix3*)
+  # Interix 3.5 installs completely hosed .la files for C++, so rather than
+  # hack all around it, let's just trust "g++" to DTRT.
+  _LT_AC_TAGVAR(predep_objects,$1)=
+  _LT_AC_TAGVAR(postdep_objects,$1)=
+  _LT_AC_TAGVAR(postdeps,$1)=
+  ;;
+
+solaris*)
+  case $cc_basename in
+  CC*)
+    # Adding this requires a known-good setup of shared libraries for
+    # Sun compiler versions before 5.6, else PIC objects from an old
+    # archive will be linked into the output, leading to subtle bugs.
+    _LT_AC_TAGVAR(postdeps,$1)='-lCstd -lCrun'
+    ;;
+  esac
+  ;;
+esac
+])
+
 case " $_LT_AC_TAGVAR(postdeps, $1) " in
 *" -lc "*) _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no ;;
 esac
 ])# AC_LIBTOOL_POSTDEP_PREDEP
 
 # AC_LIBTOOL_LANG_F77_CONFIG
-# ------------------------
+# --------------------------
 # Ensure that the configuration vars for the C compiler are
 # suitably defined.  Those variables are subsequently used by
 # AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
@@ -3663,12 +3938,16 @@ lt_simple_link_test_code="      program t\n      end\n"
 # ltmain only uses $CC for tagged configurations so make sure $CC is set.
 _LT_AC_SYS_COMPILER
 
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
 # Allow CC to be a program name with arguments.
 lt_save_CC="$CC"
 CC=${F77-"f77"}
 compiler=$CC
 _LT_AC_TAGVAR(compiler, $1)=$CC
-cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'`
+_LT_CC_BASENAME([$compiler])
 
 AC_MSG_CHECKING([if libtool supports shared libraries])
 AC_MSG_RESULT([$can_build_shared])
@@ -3678,7 +3957,7 @@ test "$can_build_shared" = "no" && enable_shared=no
 
 # On AIX, shared libraries and static libraries use the same namespace, and
 # are all built from PIC.
-case "$host_os" in
+case $host_os in
 aix3*)
   test "$enable_shared" = yes && enable_static=no
   if test -n "$RANLIB"; then
@@ -3686,8 +3965,10 @@ aix3*)
     postinstall_cmds='$RANLIB $lib'
   fi
   ;;
-aix4*)
-  test "$enable_shared" = yes && enable_static=no
+aix4* | aix5*)
+  if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
+    test "$enable_shared" = yes && enable_static=no
+  fi
   ;;
 esac
 AC_MSG_RESULT([$enable_shared])
@@ -3697,8 +3978,6 @@ AC_MSG_CHECKING([whether to build static libraries])
 test "$enable_shared" = yes || enable_static=yes
 AC_MSG_RESULT([$enable_static])
 
-test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
-
 _LT_AC_TAGVAR(GCC, $1)="$G77"
 _LT_AC_TAGVAR(LD, $1)="$LD"
 
@@ -3708,8 +3987,6 @@ AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
 AC_LIBTOOL_PROG_LD_SHLIBS($1)
 AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
 AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
-AC_LIBTOOL_SYS_LIB_STRIP
-
 
 AC_LIBTOOL_CONFIG($1)
 
@@ -3738,20 +4015,27 @@ _LT_AC_TAGVAR(objext, $1)=$objext
 lt_simple_compile_test_code="class foo {}\n"
 
 # Code to be used in simple link tests
-lt_simple_link_test_code='public class conftest { public static void main(String[] argv) {}; }\n'
+lt_simple_link_test_code='public class conftest { public static void main(String[[]] argv) {}; }\n'
 
 # ltmain only uses $CC for tagged configurations so make sure $CC is set.
 _LT_AC_SYS_COMPILER
 
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
 # Allow CC to be a program name with arguments.
 lt_save_CC="$CC"
 CC=${GCJ-"gcj"}
 compiler=$CC
 _LT_AC_TAGVAR(compiler, $1)=$CC
+_LT_CC_BASENAME([$compiler])
 
 # GCJ did not exist at the time GCC didn't implicitly link libc in.
 _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
 
+_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+
 AC_LIBTOOL_PROG_COMPILER_NO_RTTI($1)
 AC_LIBTOOL_PROG_COMPILER_PIC($1)
 AC_LIBTOOL_PROG_CC_C_O($1)
@@ -3759,8 +4043,6 @@ AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
 AC_LIBTOOL_PROG_LD_SHLIBS($1)
 AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
 AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
-AC_LIBTOOL_SYS_LIB_STRIP
-AC_LIBTOOL_DLOPEN_SELF($1)
 
 AC_LIBTOOL_CONFIG($1)
 
@@ -3770,7 +4052,7 @@ CC="$lt_save_CC"
 
 
 # AC_LIBTOOL_LANG_RC_CONFIG
-# --------------------------
+# -------------------------
 # Ensure that the configuration vars for the Windows resource compiler are
 # suitably defined.  Those variables are subsequently used by
 # AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
@@ -3794,11 +4076,16 @@ lt_simple_link_test_code="$lt_simple_compile_test_code"
 # ltmain only uses $CC for tagged configurations so make sure $CC is set.
 _LT_AC_SYS_COMPILER
 
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
 # Allow CC to be a program name with arguments.
 lt_save_CC="$CC"
 CC=${RC-"windres"}
 compiler=$CC
 _LT_AC_TAGVAR(compiler, $1)=$CC
+_LT_CC_BASENAME([$compiler])
 _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
 
 AC_LIBTOOL_CONFIG($1)
@@ -3828,7 +4115,7 @@ if test -f "$ltmain"; then
   # Now quote all the things that may contain metacharacters while being
   # careful not to overquote the AC_SUBSTed values.  We take copies of the
   # variables and quote the copies for generation of the libtool script.
-  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC NM \
+  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
     SED SHELL STRIP \
     libname_spec library_names_spec soname_spec extract_expsyms_cmds \
     old_striplib striplib file_magic_cmd finish_cmds finish_eval \
@@ -3934,7 +4221,7 @@ ifelse([$1], [],
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 #
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -3945,11 +4232,11 @@ ifelse([$1], [],
 SED=$lt_SED
 
 # Sed that helps us avoid accidentally triggering echo(1) options like -n.
-Xsed="$SED -e s/^X//"
+Xsed="$SED -e 1s/^X//"
 
 # The HP-UX ksh and POSIX shell print the target directory to stdout
 # if CDPATH is set.
-if test "X\${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
 
 # The names of the tagged configurations supported by this script.
 available_tags=
@@ -3980,6 +4267,12 @@ fast_install=$enable_fast_install
 # The host system.
 host_alias=$host_alias
 host=$host
+host_os=$host_os
+
+# The build system.
+build_alias=$build_alias
+build=$build
+build_os=$build_os
 
 # An echo program that does not interpret backslashes.
 echo=$lt_echo
@@ -3991,6 +4284,9 @@ AR_FLAGS=$lt_AR_FLAGS
 # A C compiler.
 LTCC=$lt_LTCC
 
+# LTCC compiler flags.
+LTCFLAGS=$lt_LTCFLAGS
+
 # A language-specific compiler.
 CC=$lt_[]_LT_AC_TAGVAR(compiler, $1)
 
@@ -4041,7 +4337,7 @@ objext="$ac_objext"
 libext="$libext"
 
 # Shared library suffix (normally ".so").
-shrext='$shrext'
+shrext_cmds='$shrext_cmds'
 
 # Executable file suffix (normally "").
 exeext="$exeext"
@@ -4056,7 +4352,7 @@ max_cmd_len=$lt_cv_sys_max_cmd_len
 # Does compiler simultaneously support -c and -o options?
 compiler_c_o=$lt_[]_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)
 
-# Must we lock files when doing compilation ?
+# Must we lock files when doing compilation?
 need_locks=$lt_need_locks
 
 # Do we need the lib prefix for modules?
@@ -4330,9 +4626,6 @@ symcode='[[BCDEGRST]]'
 # Regexp to match symbols that can be accessed directly from C.
 sympat='\([[_A-Za-z]][[_A-Za-z0-9]]*\)'
 
-# Transform the above into a raw symbol and a C symbol.
-symxfrm='\1 \2\3 \3'
-
 # Transform an extracted symbol line into a proper C declaration
 lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern int \1;/p'"
 
@@ -4354,15 +4647,31 @@ hpux*) # Its linker distinguishes data from code symbols
   lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
   lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
   ;;
+linux*)
+  if test "$host_cpu" = ia64; then
+    symcode='[[ABCDGIRSTW]]'
+    lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
+    lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
+  fi
+  ;;
 irix* | nonstopux*)
   symcode='[[BCDEGRST]]'
   ;;
 osf*)
   symcode='[[BCDEGQRST]]'
   ;;
-solaris* | sysv5*)
+solaris*)
   symcode='[[BDRT]]'
   ;;
+sco3.2v5*)
+  symcode='[[DT]]'
+  ;;
+sysv4.2uw2*)
+  symcode='[[DT]]'
+  ;;
+sysv5* | sco5v6* | unixware* | OpenUNIX*)
+  symcode='[[ABDT]]'
+  ;;
 sysv4)
   symcode='[[DFNSTU]]'
   ;;
@@ -4385,8 +4694,11 @@ esac
 # Try without a prefix undercore, then with it.
 for ac_symprfx in "" "_"; do
 
+  # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol.
+  symxfrm="\\1 $ac_symprfx\\2 \\2"
+
   # Write the raw and C identifiers.
-  lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[ 	]]\($symcode$symcode*\)[[ 	]][[ 	]]*\($ac_symprfx\)$sympat$opt_cr$/$symxfrm/p'"
+  lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[ 	]]\($symcode$symcode*\)[[ 	]][[ 	]]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
 
   # Check to see that the pipe works correctly.
   pipe_works=no
@@ -4542,6 +4854,10 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
       # DJGPP does not support shared libraries at all
       _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
       ;;
+    interix3*)
+      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+      # Instead, we relocate shared libraries at runtime.
+      ;;
     sysv4*MP*)
       if test -d /usr/nec; then
 	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
@@ -4550,7 +4866,7 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
     hpux*)
       # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
       # not for PA HP-UX.
-      case "$host_cpu" in
+      case $host_cpu in
       hppa*64*|ia64*)
 	;;
       *)
@@ -4575,18 +4891,28 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	;;
       chorus*)
 	case $cc_basename in
-	cxch68)
+	cxch68*)
 	  # Green Hills C++ Compiler
 	  # _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a"
 	  ;;
 	esac
 	;;
+       darwin*)
+         # PIC is the default on this platform
+         # Common symbols not allowed in MH_DYLIB files
+         case $cc_basename in
+           xlc*)
+           _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-qnocommon'
+           _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+           ;;
+         esac
+       ;;
       dgux*)
 	case $cc_basename in
-	  ec++)
+	  ec++*)
 	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	    ;;
-	  ghcx)
+	  ghcx*)
 	    # Green Hills C++ Compiler
 	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
 	    ;;
@@ -4594,22 +4920,22 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	    ;;
 	esac
 	;;
-      freebsd* | kfreebsd*-gnu)
+      freebsd* | kfreebsd*-gnu | dragonfly*)
 	# FreeBSD uses GNU C++
 	;;
       hpux9* | hpux10* | hpux11*)
 	case $cc_basename in
-	  CC)
+	  CC*)
 	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="${ac_cv_prog_cc_wl}-a ${ac_cv_prog_cc_wl}archive"
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
 	    if test "$host_cpu" != ia64; then
 	      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
 	    fi
 	    ;;
-	  aCC)
+	  aCC*)
 	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="${ac_cv_prog_cc_wl}-a ${ac_cv_prog_cc_wl}archive"
-	    case "$host_cpu" in
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
+	    case $host_cpu in
 	    hppa*64*|ia64*)
 	      # +Z the default
 	      ;;
@@ -4622,9 +4948,13 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	    ;;
 	esac
 	;;
+      interix*)
+	# This is c89, which is MS Visual C++ (no shared libs)
+	# Anyone wants to do a port?
+	;;
       irix5* | irix6* | nonstopux*)
 	case $cc_basename in
-	  CC)
+	  CC*)
 	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
 	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
 	    # CC pic flag -KPIC is the default.
@@ -4635,18 +4965,24 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	;;
       linux*)
 	case $cc_basename in
-	  KCC)
+	  KCC*)
 	    # KAI C++ Compiler
 	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
 	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
 	    ;;
-	  icpc)
+	  icpc* | ecpc*)
 	    # Intel C++
 	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
 	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
 	    ;;
-	  cxx)
+	  pgCC*)
+	    # Portland Group C++ compiler.
+	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	    ;;
+	  cxx*)
 	    # Compaq C++
 	    # Make sure the PIC flag is empty.  It appears that all Alpha
 	    # Linux and Compaq Tru64 Unix objects are PIC.
@@ -4663,7 +4999,7 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	;;
       mvs*)
 	case $cc_basename in
-	  cxx)
+	  cxx*)
 	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-W c,exportall'
 	    ;;
 	  *)
@@ -4674,14 +5010,14 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	;;
       osf3* | osf4* | osf5*)
 	case $cc_basename in
-	  KCC)
+	  KCC*)
 	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
 	    ;;
-	  RCC)
+	  RCC*)
 	    # Rational C++ 2.4.1
 	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
 	    ;;
-	  cxx)
+	  cxx*)
 	    # Digital/Compaq C++
 	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
 	    # Make sure the PIC flag is empty.  It appears that all Alpha
@@ -4695,24 +5031,15 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	;;
       psos*)
 	;;
-      sco*)
-	case $cc_basename in
-	  CC)
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
       solaris*)
 	case $cc_basename in
-	  CC)
+	  CC*)
 	    # Sun C++ 4.2, 5.x and Centerline C++
 	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
 	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
 	    ;;
-	  gcx)
+	  gcx*)
 	    # Green Hills C++ Compiler
 	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
 	    ;;
@@ -4722,12 +5049,12 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	;;
       sunos4*)
 	case $cc_basename in
-	  CC)
+	  CC*)
 	    # Sun C++ 4.x
 	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
 	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
 	    ;;
-	  lcc)
+	  lcc*)
 	    # Lucid
 	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
 	    ;;
@@ -4737,7 +5064,7 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	;;
       tandem*)
 	case $cc_basename in
-	  NCC)
+	  NCC*)
 	    # NonStop-UX NCC 3.20
 	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	    ;;
@@ -4745,7 +5072,14 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	    ;;
 	esac
 	;;
-      unixware*)
+      sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+	case $cc_basename in
+	  CC*)
+	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	    ;;
+	esac
 	;;
       vxworks*)
 	;;
@@ -4792,6 +5126,11 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
       _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
       ;;
 
+    interix3*)
+      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+      # Instead, we relocate shared libraries at runtime.
+      ;;
+
     msdosdjgpp*)
       # Just because we use GCC doesn't mean we suddenly get shared libraries
       # on systems that don't support them.
@@ -4808,7 +5147,7 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
     hpux*)
       # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
       # not for PA HP-UX.
-      case "$host_cpu" in
+      case $host_cpu in
       hppa*64*|ia64*)
 	# +Z the default
 	;;
@@ -4834,6 +5173,16 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
       fi
       ;;
+      darwin*)
+        # PIC is the default on this platform
+        # Common symbols not allowed in MH_DYLIB files
+       case $cc_basename in
+         xlc*)
+         _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-qnocommon'
+         _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+         ;;
+       esac
+       ;;
 
     mingw* | pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
@@ -4845,7 +5194,7 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
       _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
       # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
       # not for PA HP-UX.
-      case "$host_cpu" in
+      case $host_cpu in
       hppa*64*|ia64*)
 	# +Z the default
 	;;
@@ -4869,12 +5218,19 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
       ;;
 
     linux*)
-      case $CC in
+      case $cc_basename in
       icc* | ecc*)
 	_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
 	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
         ;;
+      pgcc* | pgf77* | pgf90* | pgf95*)
+        # Portland Group compilers (*not* the Pentium gcc compiler,
+	# which looks to be a dead project)
+	_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
+	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+        ;;
       ccc*)
         _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
         # All Alpha code is PIC.
@@ -4889,15 +5245,15 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
       _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
       ;;
 
-    sco3.2v5*)
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-Kpic'
-      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-dn'
-      ;;
-
     solaris*)
-      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
       _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
       _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      case $cc_basename in
+      f77* | f90* | f95*)
+	_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ';;
+      *)
+	_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,';;
+      esac
       ;;
 
     sunos4*)
@@ -4906,7 +5262,7 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
       _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
       ;;
 
-    sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+    sysv4 | sysv4.2uw2* | sysv4.3*)
       _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
       _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
       _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
@@ -4919,6 +5275,17 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
       fi
       ;;
 
+    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
+
+    unicos*)
+      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+      ;;
+
     uts4*)
       _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
       _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
@@ -4946,7 +5313,7 @@ if test -n "$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)"; then
     [_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
      _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no])
 fi
-case "$host_os" in
+case $host_os in
   # For platforms which do not support PIC, -DPIC is meaningless:
   *djgpp*)
     _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
@@ -4955,6 +5322,16 @@ case "$host_os" in
     _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)="$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)ifelse([$1],[],[ -DPIC],[ifelse([$1],[CXX],[ -DPIC],[])])"
     ;;
 esac
+
+#
+# Check to make sure the static flag actually works.
+#
+wl=$_LT_AC_TAGVAR(lt_prog_compiler_wl, $1) eval lt_tmp_static_flag=\"$_LT_AC_TAGVAR(lt_prog_compiler_static, $1)\"
+AC_LIBTOOL_LINKER_OPTION([if $compiler static flag $lt_tmp_static_flag works],
+  _LT_AC_TAGVAR(lt_prog_compiler_static_works, $1),
+  $lt_tmp_static_flag,
+  [],
+  [_LT_AC_TAGVAR(lt_prog_compiler_static, $1)=])
 ])
 
 
@@ -4979,7 +5356,7 @@ ifelse([$1],[CXX],[
     _LT_AC_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds"
   ;;
   cygwin* | mingw*)
-    _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGS]] /s/.* \([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]] /s/.* //'\'' | sort | uniq > $export_symbols'
+    _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]] /s/.* \([[^ ]]*\)/\1 DATA/;/^.* __nm__/s/^.* __nm__\([[^ ]]*\) [[^ ]]*/\1 DATA/;/^I /d;/^[[AITW]] /s/.* //'\'' | sort | uniq > $export_symbols'
   ;;
   *)
     _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
@@ -5022,7 +5399,8 @@ ifelse([$1],[CXX],[
   # rely on this symbol name, it's probably fine to never include it in
   # preloaded symbol tables.
   extract_expsyms_cmds=
-
+  # Just being paranoid about ensuring that cc_basename is set.
+  _LT_CC_BASENAME([$compiler])
   case $host_os in
   cygwin* | mingw* | pw32*)
     # FIXME: the MSVC++ port hasn't been tested in a loooong time
@@ -5032,6 +5410,10 @@ ifelse([$1],[CXX],[
       with_gnu_ld=no
     fi
     ;;
+  interix*)
+    # we just hope/assume this is gcc and not c89 (= MSVC++)
+    with_gnu_ld=yes
+    ;;
   openbsd*)
     with_gnu_ld=no
     ;;
@@ -5042,6 +5424,27 @@ ifelse([$1],[CXX],[
     # If archive_cmds runs LD, not CC, wlarc should be empty
     wlarc='${wl}'
 
+    # Set some defaults for GNU ld with shared library support. These
+    # are reset later if shared libraries are not supported. Putting them
+    # here allows them to be overridden if necessary.
+    runpath_var=LD_RUN_PATH
+    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
+    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+    # ancient GNU ld didn't support --whole-archive et. al.
+    if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
+	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+      else
+  	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+    fi
+    supports_anon_versioning=no
+    case `$LD -v 2>/dev/null` in
+      *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11
+      *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+      *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+      *\ 2.11.*) ;; # other 2.11 versions
+      *) supports_anon_versioning=yes ;;
+    esac
+
     # See if GNU ld supports shared libraries.
     case $host_os in
     aix3* | aix4* | aix5*)
@@ -5092,10 +5495,10 @@ EOF
       _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
       _LT_AC_TAGVAR(always_export_symbols, $1)=no
       _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-      _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGS]] /s/.* \([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]] /s/.* //'\'' | sort | uniq > $export_symbols'
+      _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]] /s/.* \([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]] /s/.* //'\'' | sort | uniq > $export_symbols'
 
       if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-        _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+        _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
 	# If the export-symbols file already is a .def file (1st line
 	# is EXPORTS), use it as is; otherwise, prepend...
 	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
@@ -5104,9 +5507,55 @@ EOF
 	  echo EXPORTS > $output_objdir/$soname.def;
 	  cat $export_symbols >> $output_objdir/$soname.def;
 	fi~
-	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000  ${wl}--out-implib,$lib'
+	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+      else
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+
+    interix3*)
+      _LT_AC_TAGVAR(hardcode_direct, $1)=no
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+      # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+      # Instead, shared libraries are loaded at an image base (0x10000000 by
+      # default) and relocated if they conflict, which is a slow very memory
+      # consuming and fragmenting process.  To avoid this, we pick a random,
+      # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+      # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
+      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      ;;
+
+    linux*)
+      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	tmp_addflag=
+	case $cc_basename,$host_cpu in
+	pgcc*)				# Portland Group C compiler
+	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_addflag=' $pic_flag'
+	  ;;
+	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
+	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_addflag=' $pic_flag -Mnomain' ;;
+	ecc*,ia64* | icc*,ia64*)		# Intel C compiler on ia64
+	  tmp_addflag=' -i_dynamic' ;;
+	efc*,ia64* | ifort*,ia64*)	# Intel Fortran compiler on ia64
+	  tmp_addflag=' -i_dynamic -nofor_main' ;;
+	ifc* | ifort*)			# Intel Fortran compiler
+	  tmp_addflag=' -nofor_main' ;;
+	esac
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+
+	if test $supports_anon_versioning = yes; then
+	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $output_objdir/$libname.ver~
+  cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+  $echo "local: *; };" >> $output_objdir/$libname.ver~
+	  $CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+	fi
       else
-	ld_shlibs=no
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
       fi
       ;;
 
@@ -5120,7 +5569,7 @@ EOF
       fi
       ;;
 
-    solaris* | sysv5*)
+    solaris*)
       if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
 	_LT_AC_TAGVAR(ld_shlibs, $1)=no
 	cat <<EOF 1>&2
@@ -5141,6 +5590,33 @@ EOF
       fi
       ;;
 
+    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
+      case `$LD -v 2>&1` in
+        *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.1[[0-5]].*) 
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	cat <<_LT_EOF 1>&2
+
+*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
+*** reliably create shared libraries on SCO systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+_LT_EOF
+	;;
+	*)
+	  if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
+	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib'
+	    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib'
+	  else
+	    _LT_AC_TAGVAR(ld_shlibs, $1)=no
+	  fi
+	;;
+      esac
+      ;;
+
     sunos4*)
       _LT_AC_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
       wlarc=
@@ -5148,31 +5624,6 @@ EOF
       _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
       ;;
 
-  linux*)
-    if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
-        tmp_archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	_LT_AC_TAGVAR(archive_cmds, $1)="$tmp_archive_cmds"
-      supports_anon_versioning=no
-      case `$LD -v 2>/dev/null` in
-        *\ [01].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11
-        *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
-        *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
-        *\ 2.11.*) ;; # other 2.11 versions
-        *) supports_anon_versioning=yes ;;
-      esac
-      if test $supports_anon_versioning = yes; then
-        _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $output_objdir/$libname.ver~
-cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-$echo "local: *; };" >> $output_objdir/$libname.ver~
-        $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
-      else
-        _LT_AC_TAGVAR(archive_expsym_cmds, $1)="$tmp_archive_cmds"
-      fi
-    else
-      _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    fi
-    ;;
-
     *)
       if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
 	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
@@ -5183,16 +5634,11 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       ;;
     esac
 
-    if test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = yes; then
-      runpath_var=LD_RUN_PATH
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
-      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-      # ancient GNU ld didn't support --whole-archive et. al.
-      if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
- 	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-      else
-  	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
-      fi
+    if test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no; then
+      runpath_var=
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
+      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
+      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
     fi
   else
     # PORTME fill in a description of your system's linker (not GNU ld)
@@ -5204,7 +5650,7 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       # Note: this linker hardcodes the directories in LIBPATH if there
       # are no directories specified by -L.
       _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-      if test "$GCC" = yes && test -z "$link_static_flag"; then
+      if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
 	# Neither direct hardcoding nor static linking is supported with a
 	# broken collect2.
 	_LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
@@ -5238,6 +5684,7 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
   	    break
   	  fi
 	  done
+	  ;;
 	esac
 
 	exp_sym_flag='-bexport'
@@ -5256,7 +5703,7 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
 
       if test "$GCC" = yes; then
-	case $host_os in aix4.[012]|aix4.[012].*)
+	case $host_os in aix4.[[012]]|aix4.[[012]].*)
 	# We only want to do this on AIX 4.2 and lower, the check
 	# below for broken collect2 doesn't work under 4.3+
 	  collect2name=`${CC} -print-prog-name=collect2`
@@ -5275,8 +5722,12 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
   	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
   	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
 	  fi
+	  ;;
 	esac
 	shared_flag='-shared'
+	if test "$aix_use_runtimelinking" = yes; then
+	  shared_flag="$shared_flag "'${wl}-G'
+	fi
       else
 	# not using gcc
 	if test "$host_cpu" = ia64; then
@@ -5284,11 +5735,11 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
   	# chokes on -Wl,-G. The following line is correct:
 	  shared_flag='-G'
 	else
-  	if test "$aix_use_runtimelinking" = yes; then
+	  if test "$aix_use_runtimelinking" = yes; then
 	    shared_flag='${wl}-G'
 	  else
 	    shared_flag='${wl}-bM:SRE'
-  	fi
+	  fi
 	fi
       fi
 
@@ -5302,12 +5753,12 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
        # Determine the default libpath from the value encoded in an empty executable.
        _LT_AC_SYS_LIBPATH_AIX
        _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
        else
 	if test "$host_cpu" = ia64; then
 	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
 	  _LT_AC_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
-	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"
+	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
 	else
 	 # Determine the default libpath from the value encoded in an empty executable.
 	 _LT_AC_SYS_LIBPATH_AIX
@@ -5316,13 +5767,11 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
 	  # -berok will link without error, but may produce a broken library.
 	  _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
 	  _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
-	  # -bexpall does not export symbols beginning with underscore (_)
-	  _LT_AC_TAGVAR(always_export_symbols, $1)=yes
 	  # Exported symbols can be pulled into shared objects from archives
-	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=' '
+	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
 	  _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
-	  # This is similar to how AIX traditionally builds it's shared libraries.
-	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+	  # This is similar to how AIX traditionally builds its shared libraries.
+	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
 	fi
       fi
       ;;
@@ -5335,7 +5784,7 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       _LT_AC_TAGVAR(ld_shlibs, $1)=no
       ;;
 
-    bsdi4*)
+    bsdi[[45]]*)
       _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=-rdynamic
       ;;
 
@@ -5349,64 +5798,64 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       # Tell ltmain to make .lib files, not .a files.
       libext=lib
       # Tell ltmain to make .dll files, not .so files.
-      shrext=".dll"
+      shrext_cmds=".dll"
       # FIXME: Setting linknames here is a bad hack.
       _LT_AC_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
       # The linker will automatically build a .lib file if we build a DLL.
       _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)='true'
       # FIXME: Should let the user specify the lib program.
       _LT_AC_TAGVAR(old_archive_cmds, $1)='lib /OUT:$oldlib$oldobjs$old_deplibs'
-      fix_srcfile_path='`cygpath -w "$srcfile"`'
+      _LT_AC_TAGVAR(fix_srcfile_path, $1)='`cygpath -w "$srcfile"`'
       _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
       ;;
 
     darwin* | rhapsody*)
-    if test "$GXX" = yes ; then
-      _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-      case "$host_os" in
-      rhapsody* | darwin1.[[012]])
-	_LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined suppress'
-	;;
-      *) # Darwin 1.3 on
-      if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-      	_LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
-      else
-        case ${MACOSX_DEPLOYMENT_TARGET} in
-          10.[[012]])
-            _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
-            ;;
-          10.*)
-            _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined dynamic_lookup'
-            ;;
-        esac
-      fi
-	;;
+      case $host_os in
+        rhapsody* | darwin1.[[012]])
+         _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}suppress'
+         ;;
+       *) # Darwin 1.3 on
+         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+           _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+         else
+           case ${MACOSX_DEPLOYMENT_TARGET} in
+             10.[[012]])
+               _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+               ;;
+             10.*)
+               _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}dynamic_lookup'
+               ;;
+           esac
+         fi
+         ;;
       esac
-    	lt_int_apple_cc_single_mod=no
-    	output_verbose_link_cmd='echo'
-    	if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
-    	  lt_int_apple_cc_single_mod=yes
-    	fi
-    	if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
-    	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-    	else
-        _LT_AC_TAGVAR(archive_cmds, $1)='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-      fi
-      _LT_AC_TAGVAR(module_cmds, $1)='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-      # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-        if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
-          _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-        else
-          _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-        fi
-          _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+      _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
       _LT_AC_TAGVAR(hardcode_direct, $1)=no
       _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
       _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
-      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-all_load $convenience'
+      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=''
       _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+    if test "$GCC" = yes ; then
+    	output_verbose_link_cmd='echo'
+        _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+      _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+      # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+      _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
     else
-      _LT_AC_TAGVAR(ld_shlibs, $1)=no
+      case $cc_basename in
+        xlc*)
+         output_verbose_link_cmd='echo'
+         _LT_AC_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
+         _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+         _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          ;;
+       *)
+         _LT_AC_TAGVAR(ld_shlibs, $1)=no
+          ;;
+      esac
     fi
       ;;
 
@@ -5440,7 +5889,7 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       ;;
 
     # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
-    freebsd* | kfreebsd*-gnu)
+    freebsd* | kfreebsd*-gnu | dragonfly*)
       _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
       _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
       _LT_AC_TAGVAR(hardcode_direct, $1)=yes
@@ -5463,47 +5912,62 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
       ;;
 
-    hpux10* | hpux11*)
+    hpux10*)
       if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	case "$host_cpu" in
-	hppa*64*|ia64*)
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+      fi
+      if test "$with_gnu_ld" = no; then
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	_LT_AC_TAGVAR(hardcode_direct, $1)=yes
+	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+
+	# hardcode_minus_L: Not really in the search PATH,
+	# but as the default location of the library.
+	_LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+      fi
+      ;;
+
+    hpux11*)
+      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+	case $host_cpu in
+	hppa*64*)
 	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
+	ia64*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
 	*)
 	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	esac
       else
-	case "$host_cpu" in
-	hppa*64*|ia64*)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname -o $lib $libobjs $deplibs $linker_flags'
+	case $host_cpu in
+	hppa*64*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	ia64*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	*)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	esac
       fi
       if test "$with_gnu_ld" = no; then
-	case "$host_cpu" in
-	hppa*64*)
-	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	case $host_cpu in
+	hppa*64*|ia64*)
 	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
-	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
 	  _LT_AC_TAGVAR(hardcode_direct, $1)=no
 	  _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
 	  ;;
-	ia64*)
-	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-	  _LT_AC_TAGVAR(hardcode_direct, $1)=no
-	  _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-
-	  # hardcode_minus_L: Not really in the search PATH,
-	  # but as the default location of the library.
-	  _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-	  ;;
 	*)
-	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
 	  _LT_AC_TAGVAR(hardcode_direct, $1)=yes
 	  _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
 
@@ -5551,6 +6015,7 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
       if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
 	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
 	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
 	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
       else
@@ -5596,7 +6061,7 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
 	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
 	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
 	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
-	$LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib~$rm $lib.exp'
+	$LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp'
 
 	# Both c and cxx compiler support -rpath directly
 	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
@@ -5604,21 +6069,15 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
       ;;
 
-    sco3.2v5*)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
-      runpath_var=LD_RUN_PATH
-      hardcode_runpath_var=yes
-      ;;
-
     solaris*)
       _LT_AC_TAGVAR(no_undefined_flag, $1)=' -z text'
       if test "$GCC" = yes; then
+	wlarc='${wl}'
 	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
 	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
 	  $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
       else
+	wlarc=''
 	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
 	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
   	$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
@@ -5627,8 +6086,18 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
       case $host_os in
       solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
-      *) # Supported since Solaris 2.6 (maybe 2.5.1?)
-	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract' ;;
+      *)
+ 	# The compiler driver will combine linker options so we
+ 	# cannot just pass the convience library names through
+ 	# without $wl, iff we do not link with $LD.
+ 	# Luckily, gcc supports the same syntax we need for Sun Studio.
+ 	# Supported since Solaris 2.6 (maybe 2.5.1?)
+ 	case $wlarc in
+ 	'')
+ 	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract' ;;
+ 	*)
+ 	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract' ;;
+ 	esac ;;
       esac
       _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
       ;;
@@ -5685,36 +6154,45 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       fi
       ;;
 
-    sysv4.2uw2*)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags'
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_minus_L, $1)=no
+    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7*)
+      _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
+      _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
       _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      hardcode_runpath_var=yes
-      runpath_var=LD_RUN_PATH
-      ;;
+      runpath_var='LD_RUN_PATH'
 
-   sysv5OpenUNIX8* | sysv5UnixWare7* |  sysv5uw[[78]]* | unixware7*)
-      _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z ${wl}text'
       if test "$GCC" = yes; then
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
       else
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
       fi
-      runpath_var='LD_RUN_PATH'
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
       ;;
 
-    sysv5*)
-      _LT_AC_TAGVAR(no_undefined_flag, $1)=' -z text'
-      # $CC -shared without GNU ld will not create a library from C++
-      # object files and a static libstdc++, better avoid it by now
-      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-  		$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
+    sysv5* | sco3.2v5* | sco5v6*)
+      # Note: We can NOT use -z defs as we might desire, because we do not
+      # link with -lc, and that would cause any symbols used from libc to
+      # always be unresolved, which means just about no library would
+      # ever link correctly.  If we're not using GNU ld we use -z text
+      # though, which does catch some bad symbols but isn't as heavy-handed
+      # as -z defs.
+      _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
+      _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs'
+      _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
       _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
+      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
+      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
       runpath_var='LD_RUN_PATH'
+
+      if test "$GCC" = yes; then
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+      fi
       ;;
 
     uts4*)
@@ -5732,11 +6210,6 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
 AC_MSG_RESULT([$_LT_AC_TAGVAR(ld_shlibs, $1)])
 test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
 
-variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
-if test "$GCC" = yes; then
-  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
-fi
-
 #
 # Do we need to explicitly link libc?
 #
@@ -5764,6 +6237,7 @@ x|xyes)
         libobjs=conftest.$ac_objext
         deplibs=
         wl=$_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)
+	pic_flag=$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)
         compiler_flags=-v
         linker_flags=-v
         verstring=
@@ -5889,7 +6363,7 @@ lt_ac_count=0
 # Add /usr/xpg4/bin/sed as it is typically found on Solaris
 # along with /bin/sed that truncates output.
 for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
-  test ! -f $lt_ac_sed && break
+  test ! -f $lt_ac_sed && continue
   cat /dev/null > conftest.in
   lt_ac_count=0
   echo $ECHO_N "0123456789$ECHO_C" >conftest.in
@@ -5914,60 +6388,52 @@ for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
     fi
   done
 done
-SED=$lt_cv_path_SED
 ])
+SED=$lt_cv_path_SED
 AC_MSG_RESULT([$SED])
 ])
 
-#                                                        -*- Autoconf -*-
-# Copyright (C) 2002, 2003  Free Software Foundation, Inc.
-# Generated from amversion.in; do not edit by hand.
-
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+# Copyright (C) 2002, 2003, 2005, 2006  Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
 
 # AM_AUTOMAKE_VERSION(VERSION)
 # ----------------------------
 # Automake X.Y traces this macro to ensure aclocal.m4 has been
 # generated from the m4 files accompanying Automake X.Y.
-AC_DEFUN([AM_AUTOMAKE_VERSION], [am__api_version="1.8"])
+# (This private macro should not be called outside this file.)
+AC_DEFUN([AM_AUTOMAKE_VERSION],
+[am__api_version='1.10'
+dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
+dnl require some minimum version.  Point them to the right macro.
+m4_if([$1], [1.10], [],
+      [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
+])
+
+# _AM_AUTOCONF_VERSION(VERSION)
+# -----------------------------
+# aclocal traces this macro to find the Autoconf version.
+# This is a private macro too.  Using m4_define simplifies
+# the logic in aclocal, which can simply ignore this definition.
+m4_define([_AM_AUTOCONF_VERSION], [])
 
 # AM_SET_CURRENT_AUTOMAKE_VERSION
 # -------------------------------
-# Call AM_AUTOMAKE_VERSION so it can be traced.
+# Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
 # This function is AC_REQUIREd by AC_INIT_AUTOMAKE.
 AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
-	 [AM_AUTOMAKE_VERSION([1.8.3])])
-
-# AM_AUX_DIR_EXPAND
-
-# Copyright (C) 2001, 2003 Free Software Foundation, Inc.
+[AM_AUTOMAKE_VERSION([1.10])dnl
+_AM_AUTOCONF_VERSION(m4_PACKAGE_VERSION)])
 
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# AM_AUX_DIR_EXPAND                                         -*- Autoconf -*-
 
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-# 02111-1307, USA.
+# Copyright (C) 2001, 2003, 2005  Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
 
 # For projects using AC_CONFIG_AUX_DIR([foo]), Autoconf sets
 # $ac_aux_dir to `$srcdir/foo'.  In other projects, it is set to
@@ -6014,26 +6480,16 @@ AC_PREREQ([2.50])dnl
 am_aux_dir=`cd $ac_aux_dir && pwd`
 ])
 
-# AM_CONDITIONAL                                              -*- Autoconf -*-
-
-# Copyright (C) 1997, 2000, 2001, 2003 Free Software Foundation, Inc.
-
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# AM_CONDITIONAL                                            -*- Autoconf -*-
 
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-# 02111-1307, USA.
+# Copyright (C) 1997, 2000, 2001, 2003, 2004, 2005, 2006
+# Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
 
-# serial 6
+# serial 8
 
 # AM_CONDITIONAL(NAME, SHELL-CONDITION)
 # -------------------------------------
@@ -6042,8 +6498,10 @@ AC_DEFUN([AM_CONDITIONAL],
 [AC_PREREQ(2.52)dnl
  ifelse([$1], [TRUE],  [AC_FATAL([$0: invalid condition: $1])],
 	[$1], [FALSE], [AC_FATAL([$0: invalid condition: $1])])dnl
-AC_SUBST([$1_TRUE])
-AC_SUBST([$1_FALSE])
+AC_SUBST([$1_TRUE])dnl
+AC_SUBST([$1_FALSE])dnl
+_AM_SUBST_NOTMAKE([$1_TRUE])dnl
+_AM_SUBST_NOTMAKE([$1_FALSE])dnl
 if $2; then
   $1_TRUE=
   $1_FALSE='#'
@@ -6053,59 +6511,24 @@ else
 fi
 AC_CONFIG_COMMANDS_PRE(
 [if test -z "${$1_TRUE}" && test -z "${$1_FALSE}"; then
-  AC_MSG_ERROR([conditional "$1" was never defined.
-Usually this means the macro was only invoked conditionally.])
+  AC_MSG_ERROR([[conditional "$1" was never defined.
+Usually this means the macro was only invoked conditionally.]])
 fi])])
 
-# Like AC_CONFIG_HEADER, but automatically create stamp file. -*- Autoconf -*-
-
-# Copyright (C) 1996, 1997, 2000, 2001, 2003 Free Software Foundation, Inc.
-
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-# 02111-1307, USA.
+# Do all the work for Automake.                             -*- Autoconf -*-
 
-# serial 7
-
-# AM_CONFIG_HEADER is obsolete.  It has been replaced by AC_CONFIG_HEADERS.
-AU_DEFUN([AM_CONFIG_HEADER], [AC_CONFIG_HEADERS($@)])
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
+# 2005, 2006 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
 
-# Do all the work for Automake.                            -*- Autoconf -*-
+# serial 12
 
-# This macro actually does too much some checks are only needed if
+# This macro actually does too much.  Some checks are only needed if
 # your package does certain things.  But this isn't really a big deal.
 
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003
-# Free Software Foundation, Inc.
-
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-# 02111-1307, USA.
-
-# serial 11
-
 # AM_INIT_AUTOMAKE(PACKAGE, VERSION, [NO-DEFINE])
 # AM_INIT_AUTOMAKE([OPTIONS])
 # -----------------------------------------------
@@ -6118,16 +6541,20 @@ AU_DEFUN([AM_CONFIG_HEADER], [AC_CONFIG_HEADERS($@)])
 # arguments mandatory, and then we can depend on a new Autoconf
 # release and drop the old call support.
 AC_DEFUN([AM_INIT_AUTOMAKE],
-[AC_PREREQ([2.58])dnl
+[AC_PREREQ([2.60])dnl
 dnl Autoconf wants to disallow AM_ names.  We explicitly allow
 dnl the ones we care about.
 m4_pattern_allow([^AM_[A-Z]+FLAGS$])dnl
 AC_REQUIRE([AM_SET_CURRENT_AUTOMAKE_VERSION])dnl
 AC_REQUIRE([AC_PROG_INSTALL])dnl
-# test to see if srcdir already configured
-if test "`cd $srcdir && pwd`" != "`pwd`" &&
-   test -f $srcdir/config.status; then
-  AC_MSG_ERROR([source directory already configured; run "make distclean" there first])
+if test "`cd $srcdir && pwd`" != "`pwd`"; then
+  # Use -I$(srcdir) only when $(srcdir) != ., so that make's output
+  # is not polluted with repeated "-I."
+  AC_SUBST([am__isrc], [' -I$(srcdir)'])_AM_SUBST_NOTMAKE([am__isrc])dnl
+  # test to see if srcdir already configured
+  if test -f $srcdir/config.status; then
+    AC_MSG_ERROR([source directory already configured; run "make distclean" there first])
+  fi
 fi
 
 # test whether we have cygpath
@@ -6147,6 +6574,9 @@ m4_ifval([$2],
  AC_SUBST([PACKAGE], [$1])dnl
  AC_SUBST([VERSION], [$2])],
 [_AM_SET_OPTIONS([$1])dnl
+dnl Diagnose old-style AC_INIT with new-style AM_AUTOMAKE_INIT.
+m4_if(m4_ifdef([AC_PACKAGE_NAME], 1)m4_ifdef([AC_PACKAGE_VERSION], 1), 11,,
+  [m4_fatal([AC_INIT should be called with package and version arguments])])dnl
  AC_SUBST([PACKAGE], ['AC_PACKAGE_TARNAME'])dnl
  AC_SUBST([VERSION], ['AC_PACKAGE_VERSION'])])dnl
 
@@ -6162,7 +6592,6 @@ AM_MISSING_PROG(AUTOCONF, autoconf)
 AM_MISSING_PROG(AUTOMAKE, automake-${am__api_version})
 AM_MISSING_PROG(AUTOHEADER, autoheader)
 AM_MISSING_PROG(MAKEINFO, makeinfo)
-AM_MISSING_PROG(AMTAR, tar)
 AM_PROG_INSTALL_SH
 AM_PROG_INSTALL_STRIP
 AC_REQUIRE([AM_PROG_MKDIR_P])dnl
@@ -6171,7 +6600,9 @@ AC_REQUIRE([AM_PROG_MKDIR_P])dnl
 AC_REQUIRE([AC_PROG_AWK])dnl
 AC_REQUIRE([AC_PROG_MAKE_SET])dnl
 AC_REQUIRE([AM_SET_LEADING_DOT])dnl
-
+_AM_IF_OPTION([tar-ustar], [_AM_PROG_TAR([ustar])],
+              [_AM_IF_OPTION([tar-pax], [_AM_PROG_TAR([pax])],
+	      		     [_AM_PROG_TAR([v7])])])
 _AM_IF_OPTION([no-dependencies],,
 [AC_PROVIDE_IFELSE([AC_PROG_CC],
                   [_AM_DEPENDENCIES(CC)],
@@ -6181,6 +6612,10 @@ AC_PROVIDE_IFELSE([AC_PROG_CXX],
                   [_AM_DEPENDENCIES(CXX)],
                   [define([AC_PROG_CXX],
                           defn([AC_PROG_CXX])[_AM_DEPENDENCIES(CXX)])])dnl
+AC_PROVIDE_IFELSE([AC_PROG_OBJC],
+                  [_AM_DEPENDENCIES(OBJC)],
+                  [define([AC_PROG_OBJC],
+                          defn([AC_PROG_OBJC])[_AM_DEPENDENCIES(OBJC)])])dnl
 ])
 ])
 
@@ -6205,51 +6640,27 @@ for _am_header in $config_headers :; do
 done
 echo "timestamp for $1" >`AS_DIRNAME([$1])`/stamp-h[]$_am_stamp_count])
 
+# Copyright (C) 2001, 2003, 2005  Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
 # AM_PROG_INSTALL_SH
 # ------------------
 # Define $install_sh.
-
-# Copyright (C) 2001, 2003 Free Software Foundation, Inc.
-
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-# 02111-1307, USA.
-
 AC_DEFUN([AM_PROG_INSTALL_SH],
 [AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
-install_sh=${install_sh-"$am_aux_dir/install-sh"}
+install_sh=${install_sh-"\$(SHELL) $am_aux_dir/install-sh"}
 AC_SUBST(install_sh)])
 
-#                                                          -*- Autoconf -*-
-# Copyright (C) 2003  Free Software Foundation, Inc.
-
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-# 02111-1307, USA.
+# Copyright (C) 2003, 2005  Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
 
-# serial 1
+# serial 2
 
 # Check whether the underlying file-system supports filenames
 # with a leading dot.  For instance MS-DOS doesn't.
@@ -6264,26 +6675,14 @@ fi
 rmdir .tst 2>/dev/null
 AC_SUBST([am__leading_dot])])
 
-
-# Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003
+# Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2005
 # Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
 
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-# 02111-1307, USA.
-
-# serial 4
+# serial 5
 
 # AM_PROG_LEX
 # -----------
@@ -6297,28 +6696,17 @@ if test "$LEX" = :; then
   LEX=${am_missing_run}flex
 fi])
 
-# Add --enable-maintainer-mode option to configure.
+# Add --enable-maintainer-mode option to configure.         -*- Autoconf -*-
 # From Jim Meyering
 
-# Copyright (C) 1996, 1998, 2000, 2001, 2002, 2003, 2004
+# Copyright (C) 1996, 1998, 2000, 2001, 2002, 2003, 2004, 2005
 # Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
 
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-# 02111-1307, USA.
-
-# serial 3
+# serial 4
 
 AC_DEFUN([AM_MAINTAINER_MODE],
 [AC_MSG_CHECKING([whether to enable maintainer-specific portions of Makefiles])
@@ -6337,27 +6725,50 @@ AC_DEFUN([AM_MAINTAINER_MODE],
 
 AU_DEFUN([jm_MAINTAINER_MODE], [AM_MAINTAINER_MODE])
 
-#  -*- Autoconf -*-
-
+# Copyright (C) 1999, 2000, 2001, 2003, 2004, 2005
+# Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
 
-# Copyright (C) 1997, 1999, 2000, 2001, 2003 Free Software Foundation, Inc.
+# serial 5
 
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
+# AM_PROG_CC_C_O
+# --------------
+# Like AC_PROG_CC_C_O, but changed for automake.
+AC_DEFUN([AM_PROG_CC_C_O],
+[AC_REQUIRE([AC_PROG_CC_C_O])dnl
+AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
+AC_REQUIRE_AUX_FILE([compile])dnl
+# FIXME: we rely on the cache variable name because
+# there is no other way.
+set dummy $CC
+ac_cc=`echo $[2] | sed ['s/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/']`
+if eval "test \"`echo '$ac_cv_prog_cc_'${ac_cc}_c_o`\" != yes"; then
+   # Losing compiler, so override with the script.
+   # FIXME: It is wrong to rewrite CC.
+   # But if we don't then we get into trouble of one sort or another.
+   # A longer-term fix would be to have automake use am__CC in this case,
+   # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
+   CC="$am_aux_dir/compile $CC"
+fi
+dnl Make sure AC_PROG_CC is never called again, or it will override our
+dnl setting of CC.
+m4_define([AC_PROG_CC],
+          [m4_fatal([AC_PROG_CC cannot be called after AM_PROG_CC_C_O])])
+])
 
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# Fake the existence of programs that GNU maintainers use.  -*- Autoconf -*-
 
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-# 02111-1307, USA.
+# Copyright (C) 1997, 1999, 2000, 2001, 2003, 2004, 2005
+# Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
 
-# serial 3
+# serial 5
 
 # AM_MISSING_PROG(NAME, PROGRAM)
 # ------------------------------
@@ -6373,6 +6784,7 @@ AC_SUBST($1)])
 # If it does, set am_missing_run to use it, otherwise, to nothing.
 AC_DEFUN([AM_MISSING_HAS_RUN],
 [AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
+AC_REQUIRE_AUX_FILE([missing])dnl
 test x"${MISSING+set}" = xset || MISSING="\${SHELL} $am_aux_dir/missing"
 # Use eval to expand $SHELL
 if eval "$MISSING --run true"; then
@@ -6383,92 +6795,41 @@ else
 fi
 ])
 
+# Copyright (C) 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
 # AM_PROG_MKDIR_P
 # ---------------
-# Check whether `mkdir -p' is supported, fallback to mkinstalldirs otherwise.
-
-# Copyright (C) 2003, 2004 Free Software Foundation, Inc.
-
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-# 02111-1307, USA.
-
-# Automake 1.8 used `mkdir -m 0755 -p --' to ensure that directories
-# created by `make install' are always world readable, even if the
-# installer happens to have an overly restrictive umask (e.g. 077).
-# This was a mistake.  There are at least two reasons why we must not
-# use `-m 0755':
-#   - it causes special bits like SGID to be ignored,
-#   - it may be too restrictive (some setups expect 775 directories).
-#
-# Do not use -m 0755 and let people choose whatever they expect by
-# setting umask.
-#
-# We cannot accept any implementation of `mkdir' that recognizes `-p'.
-# Some implementations (such as Solaris 8's) are not thread-safe: if a
-# parallel make tries to run `mkdir -p a/b' and `mkdir -p a/c'
-# concurrently, both version can detect that a/ is missing, but only
-# one can create it and the other will error out.  Consequently we
-# restrict ourselves to GNU make (using the --version option ensures
-# this.)
+# Check for `mkdir -p'.
 AC_DEFUN([AM_PROG_MKDIR_P],
-[if mkdir -p --version . >/dev/null 2>&1 && test ! -d ./--version; then
-  # Keeping the `.' argument allows $(mkdir_p) to be used without
-  # argument.  Indeed, we sometimes output rules like
-  #   $(mkdir_p) $(somedir)
-  # where $(somedir) is conditionally defined.
-  # (`test -n '$(somedir)' && $(mkdir_p) $(somedir)' is a more
-  # expensive solution, as it forces Make to start a sub-shell.)
-  mkdir_p='mkdir -p -- .'
-else
-  # On NextStep and OpenStep, the `mkdir' command does not
-  # recognize any option.  It will interpret all options as
-  # directories to create, and then abort because `.' already
-  # exists.
-  for d in ./-p ./--version;
-  do
-    test -d $d && rmdir $d
-  done
-  # $(mkinstalldirs) is defined by Automake if mkinstalldirs exists.
-  if test -f "$ac_aux_dir/mkinstalldirs"; then
-    mkdir_p='$(mkinstalldirs)'
-  else
-    mkdir_p='$(install_sh) -d'
-  fi
-fi
-AC_SUBST([mkdir_p])])
-
-# Helper functions for option handling.                    -*- Autoconf -*-
-
-# Copyright (C) 2001, 2002, 2003  Free Software Foundation, Inc.
+[AC_PREREQ([2.60])dnl
+AC_REQUIRE([AC_PROG_MKDIR_P])dnl
+dnl Automake 1.8 to 1.9.6 used to define mkdir_p.  We now use MKDIR_P,
+dnl while keeping a definition of mkdir_p for backward compatibility.
+dnl @MKDIR_P@ is magic: AC_OUTPUT adjusts its value for each Makefile.
+dnl However we cannot define mkdir_p as $(MKDIR_P) for the sake of
+dnl Makefile.ins that do not define MKDIR_P, so we do our own
+dnl adjustment using top_builddir (which is defined more often than
+dnl MKDIR_P).
+AC_SUBST([mkdir_p], ["$MKDIR_P"])dnl
+case $mkdir_p in
+  [[\\/$]]* | ?:[[\\/]]*) ;;
+  */*) mkdir_p="\$(top_builddir)/$mkdir_p" ;;
+esac
+])
 
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
+# Helper functions for option handling.                     -*- Autoconf -*-
 
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-# 02111-1307, USA.
+# Copyright (C) 2001, 2002, 2003, 2005  Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
 
-# serial 2
+# serial 3
 
 # _AM_MANGLE_OPTION(NAME)
 # -----------------------
@@ -6493,28 +6854,16 @@ AC_DEFUN([_AM_SET_OPTIONS],
 AC_DEFUN([_AM_IF_OPTION],
 [m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])])
 
-#
-# Check to make sure that the build environment is sane.
-#
-
-# Copyright (C) 1996, 1997, 2000, 2001, 2003 Free Software Foundation, Inc.
+# Check to make sure that the build environment is sane.    -*- Autoconf -*-
 
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-# 02111-1307, USA.
+# Copyright (C) 1996, 1997, 2000, 2001, 2003, 2005
+# Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
 
-# serial 3
+# serial 4
 
 # AM_SANITY_CHECK
 # ---------------
@@ -6557,25 +6906,14 @@ Check your system clock])
 fi
 AC_MSG_RESULT(yes)])
 
-# AM_PROG_INSTALL_STRIP
-
-# Copyright (C) 2001, 2003 Free Software Foundation, Inc.
-
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-# 02111-1307, USA.
+# Copyright (C) 2001, 2003, 2005  Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
 
+# AM_PROG_INSTALL_STRIP
+# ---------------------
 # One issue with vendor `install' (even GNU) is that you can't
 # specify the program used to strip binaries.  This is especially
 # annoying in cross-compiling environments, where the build's strip
@@ -6593,13 +6931,121 @@ dnl Don't test for $cross_compiling = yes, because it might be `maybe'.
 if test "$cross_compiling" != no; then
   AC_CHECK_TOOL([STRIP], [strip], :)
 fi
-INSTALL_STRIP_PROGRAM="\${SHELL} \$(install_sh) -c -s"
+INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
 AC_SUBST([INSTALL_STRIP_PROGRAM])])
 
+# Copyright (C) 2006  Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# _AM_SUBST_NOTMAKE(VARIABLE)
+# ---------------------------
+# Prevent Automake from outputing VARIABLE = @VARIABLE@ in Makefile.in.
+# This macro is traced by Automake.
+AC_DEFUN([_AM_SUBST_NOTMAKE])
+
+# Check how to create a tarball.                            -*- Autoconf -*-
+
+# Copyright (C) 2004, 2005  Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 2
+
+# _AM_PROG_TAR(FORMAT)
+# --------------------
+# Check how to create a tarball in format FORMAT.
+# FORMAT should be one of `v7', `ustar', or `pax'.
+#
+# Substitute a variable $(am__tar) that is a command
+# writing to stdout a FORMAT-tarball containing the directory
+# $tardir.
+#     tardir=directory && $(am__tar) > result.tar
+#
+# Substitute a variable $(am__untar) that extract such
+# a tarball read from stdin.
+#     $(am__untar) < result.tar
+AC_DEFUN([_AM_PROG_TAR],
+[# Always define AMTAR for backward compatibility.
+AM_MISSING_PROG([AMTAR], [tar])
+m4_if([$1], [v7],
+     [am__tar='${AMTAR} chof - "$$tardir"'; am__untar='${AMTAR} xf -'],
+     [m4_case([$1], [ustar],, [pax],,
+              [m4_fatal([Unknown tar format])])
+AC_MSG_CHECKING([how to create a $1 tar archive])
+# Loop over all known methods to create a tar archive until one works.
+_am_tools='gnutar m4_if([$1], [ustar], [plaintar]) pax cpio none'
+_am_tools=${am_cv_prog_tar_$1-$_am_tools}
+# Do not fold the above two line into one, because Tru64 sh and
+# Solaris sh will not grok spaces in the rhs of `-'.
+for _am_tool in $_am_tools
+do
+  case $_am_tool in
+  gnutar)
+    for _am_tar in tar gnutar gtar;
+    do
+      AM_RUN_LOG([$_am_tar --version]) && break
+    done
+    am__tar="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$$tardir"'
+    am__tar_="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$tardir"'
+    am__untar="$_am_tar -xf -"
+    ;;
+  plaintar)
+    # Must skip GNU tar: if it does not support --format= it doesn't create
+    # ustar tarball either.
+    (tar --version) >/dev/null 2>&1 && continue
+    am__tar='tar chf - "$$tardir"'
+    am__tar_='tar chf - "$tardir"'
+    am__untar='tar xf -'
+    ;;
+  pax)
+    am__tar='pax -L -x $1 -w "$$tardir"'
+    am__tar_='pax -L -x $1 -w "$tardir"'
+    am__untar='pax -r'
+    ;;
+  cpio)
+    am__tar='find "$$tardir" -print | cpio -o -H $1 -L'
+    am__tar_='find "$tardir" -print | cpio -o -H $1 -L'
+    am__untar='cpio -i -H $1 -d'
+    ;;
+  none)
+    am__tar=false
+    am__tar_=false
+    am__untar=false
+    ;;
+  esac
+
+  # If the value was cached, stop now.  We just wanted to have am__tar
+  # and am__untar set.
+  test -n "${am_cv_prog_tar_$1}" && break
+
+  # tar/untar a dummy directory, and stop if the command works
+  rm -rf conftest.dir
+  mkdir conftest.dir
+  echo GrepMe > conftest.dir/file
+  AM_RUN_LOG([tardir=conftest.dir && eval $am__tar_ >conftest.tar])
+  rm -rf conftest.dir
+  if test -s conftest.tar; then
+    AM_RUN_LOG([$am__untar <conftest.tar])
+    grep GrepMe conftest.dir/file >/dev/null 2>&1 && break
+  fi
+done
+rm -rf conftest.dir
+
+AC_CACHE_VAL([am_cv_prog_tar_$1], [am_cv_prog_tar_$1=$_am_tool])
+AC_MSG_RESULT([$am_cv_prog_tar_$1])])
+AC_SUBST([am__tar])
+AC_SUBST([am__untar])
+]) # _AM_PROG_TAR
+
 m4_include([cf/aix.m4])
 m4_include([cf/auth-modules.m4])
+m4_include([cf/autobuild.m4])
 m4_include([cf/broken-getaddrinfo.m4])
-m4_include([cf/broken-getnameinfo.m4])
 m4_include([cf/broken-glob.m4])
 m4_include([cf/broken-realloc.m4])
 m4_include([cf/broken-snprintf.m4])
@@ -6608,7 +7054,6 @@ m4_include([cf/broken2.m4])
 m4_include([cf/c-attribute.m4])
 m4_include([cf/capabilities.m4])
 m4_include([cf/check-compile-et.m4])
-m4_include([cf/check-declaration.m4])
 m4_include([cf/check-getpwnam_r-posix.m4])
 m4_include([cf/check-man.m4])
 m4_include([cf/check-netinet-ip-and-tcp.m4])
@@ -6624,6 +7069,7 @@ m4_include([cf/find-func-no-libs.m4])
 m4_include([cf/find-func-no-libs2.m4])
 m4_include([cf/find-func.m4])
 m4_include([cf/find-if-not-broken.m4])
+m4_include([cf/framework-security.m4])
 m4_include([cf/have-struct-field.m4])
 m4_include([cf/have-type.m4])
 m4_include([cf/irix.m4])
@@ -6634,16 +7080,23 @@ m4_include([cf/krb-prog-ln-s.m4])
 m4_include([cf/krb-readline.m4])
 m4_include([cf/krb-struct-spwd.m4])
 m4_include([cf/krb-struct-winsize.m4])
+m4_include([cf/largefile.m4])
 m4_include([cf/mips-abi.m4])
 m4_include([cf/misc.m4])
 m4_include([cf/need-proto.m4])
 m4_include([cf/osfc2.m4])
 m4_include([cf/otp.m4])
 m4_include([cf/proto-compat.m4])
+m4_include([cf/pthreads.m4])
+m4_include([cf/resolv.m4])
 m4_include([cf/retsigtype.m4])
 m4_include([cf/roken-frag.m4])
+m4_include([cf/socket-wrapper.m4])
 m4_include([cf/sunos.m4])
 m4_include([cf/telnet.m4])
 m4_include([cf/test-package.m4])
+m4_include([cf/version-script.m4])
 m4_include([cf/wflags.m4])
+m4_include([cf/win32.m4])
 m4_include([cf/with-all.m4])
+m4_include([acinclude.m4])
diff --git a/crypto/heimdal/admin/ChangeLog b/crypto/heimdal/admin/ChangeLog
new file mode 100644
index 0000000..6587240
--- /dev/null
+++ b/crypto/heimdal/admin/ChangeLog
@@ -0,0 +1,70 @@
+2006-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Add man_MANS to EXTRA_DIST
+
+	* Makefile.am: split build files into dist_ and noinst_ SOURCES
+	
+2005-07-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ktutil.c: rename optind to optidx
+
+	* list.c: make a copy of realm and admin_server to avoid
+	un-consting avoid shadowing
+
+	* get.c: make a copy of realm and admin_server to avoid
+	un-consting avoid shadowing
+	
+	* change.c (change_entry): just use global context to avoid
+	shadowing; make a copy of realm and admin_server to avoid
+	un-consting.
+
+2005-05-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* change.c (kt_change): plug memory leak from
+	krb5_kt_remove_entry, print principal on error.
+
+2005-05-02  Dave Love  <d.love@dl.ac.uk>
+
+	* ktutil.c (help): Don't use non-constant initializer for `fake'.
+
+2005-04-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ktutil_locl.h: include <hex.h>
+
+2005-04-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* add.c: add option -H --hex to the add command
+	
+	* ktutil-commands.in: add option -H --hex to the add command
+	
+	* ktutil.8: document option -H --hex to the add command
+
+2004-09-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* list.c: un c99'ify, from Anders.Magnusson@ltu.se
+
+2004-09-23 Johan Danielsson <joda@pdc.kth.se>
+
+	* purge.c: convert to slc; don't purge keys older that a certain
+	time, instead purge keys that have newer versions that are at
+	least a certain age
+
+	* rename.c: convert to slc
+	
+	* remove.c: convert to slc
+	
+	* get.c: convert to slc; warn if resetting disallow-all-tix
+	
+	* copy.c: convert to slc
+	
+	* change.c: convert to slc
+	
+	* add.c: convert to slc
+	
+	* list.c: convert to slc
+	
+	* ktutil_locl.h: convert to slc
+	
+	* ktutil.c: convert to slc
+	
+	* ktutil-commands.in: slc source file
diff --git a/crypto/heimdal/admin/Makefile.am b/crypto/heimdal/admin/Makefile.am
index 81aa47f..8c679e1 100644
--- a/crypto/heimdal/admin/Makefile.am
+++ b/crypto/heimdal/admin/Makefile.am
@@ -1,29 +1,44 @@
-# $Id: Makefile.am,v 1.35 2001/08/28 08:31:19 assar Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += $(INCLUDE_readline) $(INCLUDE_des)
+AM_CPPFLAGS += $(INCLUDE_readline) $(INCLUDE_hcrypto)
+
+SLC = $(top_builddir)/lib/sl/slc
 
 man_MANS = ktutil.8
 
 sbin_PROGRAMS = ktutil
 
-ktutil_SOURCES =				\
+dist_ktutil_SOURCES =				\
 	add.c					\
 	change.c				\
 	copy.c					\
 	get.c					\
 	ktutil.c				\
+	ktutil_locl.h				\
 	list.c					\
 	purge.c					\
 	remove.c				\
 	rename.c
 
+nodist_ktutil_SOURCES =				\
+	ktutil-commands.c
+
+$(ktutil_OBJECTS): ktutil-commands.h
+
+CLEANFILES = ktutil-commands.h ktutil-commands.c
+
+ktutil-commands.c ktutil-commands.h: ktutil-commands.in
+	$(SLC) $(srcdir)/ktutil-commands.in
+
 LDADD = \
 	$(top_builddir)/lib/kadm5/libkadm5clnt.la \
 	$(top_builddir)/lib/krb5/libkrb5.la \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(top_builddir)/lib/sl/libsl.la \
 	$(LIB_readline) \
 	$(LIB_roken)
+
+EXTRA_DIST = $(man_MANS) ktutil-commands.in
diff --git a/crypto/heimdal/admin/Makefile.in b/crypto/heimdal/admin/Makefile.in
index 024a9a7..b8fc3fd 100644
--- a/crypto/heimdal/admin/Makefile.in
+++ b/crypto/heimdal/admin/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,23 +14,17 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.35 2001/08/28 08:31:19 assar Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
-SOURCES = $(ktutil_SOURCES)
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -42,24 +36,23 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
-	$(top_srcdir)/cf/Makefile.am.common
+	$(top_srcdir)/cf/Makefile.am.common ChangeLog
 sbin_PROGRAMS = ktutil$(EXEEXT)
 subdir = admin
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -72,6 +65,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -80,25 +74,30 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
 am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"
 sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(sbin_PROGRAMS)
-am_ktutil_OBJECTS = add.$(OBJEXT) change.$(OBJEXT) copy.$(OBJEXT) \
+dist_ktutil_OBJECTS = add.$(OBJEXT) change.$(OBJEXT) copy.$(OBJEXT) \
 	get.$(OBJEXT) ktutil.$(OBJEXT) list.$(OBJEXT) purge.$(OBJEXT) \
 	remove.$(OBJEXT) rename.$(OBJEXT)
-ktutil_OBJECTS = $(am_ktutil_OBJECTS)
+nodist_ktutil_OBJECTS = ktutil-commands.$(OBJEXT)
+ktutil_OBJECTS = $(dist_ktutil_OBJECTS) $(nodist_ktutil_OBJECTS)
 ktutil_LDADD = $(LDADD)
 am__DEPENDENCIES_1 =
 ktutil_DEPENDENCIES = $(top_builddir)/lib/kadm5/libkadm5clnt.la \
@@ -106,32 +105,27 @@ ktutil_DEPENDENCIES = $(top_builddir)/lib/kadm5/libkadm5clnt.la \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(top_builddir)/lib/sl/libsl.la $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
-SOURCES = $(ktutil_SOURCES)
-DIST_SOURCES = $(ktutil_SOURCES)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(dist_ktutil_SOURCES) $(nodist_ktutil_SOURCES)
+DIST_SOURCES = $(dist_ktutil_SOURCES)
 man8dir = $(mandir)/man8
 MANS = $(man_MANS)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -141,8 +135,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -153,11 +145,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -165,42 +156,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -218,12 +194,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -233,15 +206,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -250,6 +222,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -261,15 +234,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -277,74 +245,80 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_readline) $(INCLUDE_des)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	$(INCLUDE_readline) $(INCLUDE_hcrypto)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -361,32 +335,40 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+SLC = $(top_builddir)/lib/sl/slc
 man_MANS = ktutil.8
-ktutil_SOURCES = \
+dist_ktutil_SOURCES = \
 	add.c					\
 	change.c				\
 	copy.c					\
 	get.c					\
 	ktutil.c				\
+	ktutil_locl.h				\
 	list.c					\
 	purge.c					\
 	remove.c				\
 	rename.c
 
+nodist_ktutil_SOURCES = \
+	ktutil-commands.c
+
+CLEANFILES = ktutil-commands.h ktutil-commands.c
 LDADD = \
 	$(top_builddir)/lib/kadm5/libkadm5clnt.la \
 	$(top_builddir)/lib/krb5/libkrb5.la \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(top_builddir)/lib/sl/libsl.la \
 	$(LIB_readline) \
 	$(LIB_roken)
 
+EXTRA_DIST = $(man_MANS) ktutil-commands.in
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -418,7 +400,7 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-sbinPROGRAMS: $(sbin_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(sbindir)" || $(mkdir_p) "$(DESTDIR)$(sbindir)"
+	test -z "$(sbindir)" || $(MKDIR_P) "$(DESTDIR)$(sbindir)"
 	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -446,7 +428,7 @@ clean-sbinPROGRAMS:
 	done
 ktutil$(EXEEXT): $(ktutil_OBJECTS) $(ktutil_DEPENDENCIES) 
 	@rm -f ktutil$(EXEEXT)
-	$(LINK) $(ktutil_LDFLAGS) $(ktutil_OBJECTS) $(ktutil_LDADD) $(LIBS)
+	$(LINK) $(ktutil_OBJECTS) $(ktutil_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -468,13 +450,9 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 install-man8: $(man8_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)"
+	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
 	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -538,9 +516,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -565,23 +545,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/.. $(distdir)/../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -601,7 +579,7 @@ check: check-am
 all-am: Makefile $(PROGRAMS) $(MANS) all-local
 installdirs:
 	for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -620,9 +598,10 @@ install-strip:
 mostlyclean-generic:
 
 clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -635,7 +614,7 @@ clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -651,14 +630,22 @@ install-data-am: install-man
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-sbinPROGRAMS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man: install-man8
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -678,23 +665,30 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-info-am uninstall-man uninstall-sbinPROGRAMS
+uninstall-am: uninstall-man uninstall-sbinPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
 
 uninstall-man: uninstall-man8
 
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
 .PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
 	clean clean-generic clean-libtool clean-sbinPROGRAMS ctags \
-	distclean distclean-compile distclean-generic \
+	dist-hook distclean distclean-compile distclean-generic \
 	distclean-libtool distclean-tags distdir dvi dvi-am html \
 	html-am info info-am install install-am install-data \
-	install-data-am install-exec install-exec-am install-info \
-	install-info-am install-man install-man8 install-sbinPROGRAMS \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
-	uninstall-info-am uninstall-man uninstall-man8 \
-	uninstall-sbinPROGRAMS
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am install-man \
+	install-man8 install-pdf install-pdf-am install-ps \
+	install-ps-am install-sbinPROGRAMS install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-hook uninstall-man \
+	uninstall-man8 uninstall-sbinPROGRAMS
 
 
 install-suid-programs:
@@ -709,8 +703,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -720,19 +714,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -748,7 +754,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -818,14 +824,44 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
+$(ktutil_OBJECTS): ktutil-commands.h
+
+ktutil-commands.c ktutil-commands.h: ktutil-commands.in
+	$(SLC) $(srcdir)/ktutil-commands.in
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/admin/add.c b/crypto/heimdal/admin/add.c
index a600380..1c20320 100644
--- a/crypto/heimdal/admin/add.c
+++ b/crypto/heimdal/admin/add.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,117 +33,119 @@
 
 #include "ktutil_locl.h"
 
-RCSID("$Id: add.c,v 1.5 2002/09/10 19:26:52 joda Exp $");
+RCSID("$Id: add.c 14793 2005-04-14 16:45:14Z lha $");
+
+static char *
+readstring(const char *prompt, char *buf, size_t len)
+{
+    printf("%s", prompt);
+    if (fgets(buf, len, stdin) == NULL)
+	return NULL;
+    buf[strcspn(buf, "\r\n")] = '\0';
+    return buf;
+}
 
 int
-kt_add(int argc, char **argv)
+kt_add(struct add_options *opt, int argc, char **argv)
 {
     krb5_error_code ret;
     krb5_keytab keytab;
     krb5_keytab_entry entry;
-    char buf[128];
-    char *principal_string = NULL;
-    int kvno = -1;
-    char *enctype_string = NULL;
+    char buf[1024];
     krb5_enctype enctype;
-    char *password_string = NULL;
-    int salt_flag = 1;
-    int random_flag = 0;
-    int help_flag = 0;
-    struct getargs args[] = {
-	{ "principal", 'p', arg_string, NULL, "principal of key", "principal"},
-	{ "kvno", 'V', arg_integer, NULL, "key version of key" },
-	{ "enctype", 'e', arg_string, NULL, "encryption type of key" },
-	{ "password", 'w', arg_string, NULL, "password for key"},
-	{ "salt", 's',	arg_negative_flag, NULL, "no salt" },
-	{ "random",  'r', arg_flag, NULL, "generate random key" },
-	{ "help", 'h', arg_flag, NULL }
-    };
-    int num_args = sizeof(args) / sizeof(args[0]);
-    int optind = 0;
-    int i = 0;
-    args[i++].value = &principal_string;
-    args[i++].value = &kvno;
-    args[i++].value = &enctype_string;
-    args[i++].value = &password_string;
-    args[i++].value = &salt_flag;
-    args[i++].value = &random_flag;
-    args[i++].value = &help_flag;
 
-    if(getarg(args, num_args, argc, argv, &optind)) {
-	arg_printusage(args, num_args, "ktutil add", "");
-	return 1;
-    }
-    if(help_flag) {
-	arg_printusage(args, num_args, "ktutil add", "");
-	return 1;
-    }
     if((keytab = ktutil_open_keytab()) == NULL)
 	return 1;
 
     memset(&entry, 0, sizeof(entry));
-    if(principal_string == NULL) {
-	printf("Principal: ");
-	if (fgets(buf, sizeof(buf), stdin) == NULL)
+    if(opt->principal_string == NULL) {
+	if(readstring("Principal: ", buf, sizeof(buf)) == NULL)
 	    return 1;
-	buf[strcspn(buf, "\r\n")] = '\0';
-	principal_string = buf;
+	opt->principal_string = buf;
     }
-    ret = krb5_parse_name(context, principal_string, &entry.principal);
+    ret = krb5_parse_name(context, opt->principal_string, &entry.principal);
     if(ret) {
-	krb5_warn(context, ret, "%s", principal_string);
+	krb5_warn(context, ret, "%s", opt->principal_string);
 	goto out;
     }
-    if(enctype_string == NULL) {
-	printf("Encryption type: ");
-	if (fgets(buf, sizeof(buf), stdin) == NULL)
+    if(opt->enctype_string == NULL) {
+	if(readstring("Encryption type: ", buf, sizeof(buf)) == NULL) {
+	    ret = 1;
 	    goto out;
-	buf[strcspn(buf, "\r\n")] = '\0';
-	enctype_string = buf;
+	}
+	opt->enctype_string = buf;
     }
-    ret = krb5_string_to_enctype(context, enctype_string, &enctype);
+    ret = krb5_string_to_enctype(context, opt->enctype_string, &enctype);
     if(ret) {
 	int t;
-	if(sscanf(enctype_string, "%d", &t) == 1)
+	if(sscanf(opt->enctype_string, "%d", &t) == 1)
 	    enctype = t;
 	else {
-	    krb5_warn(context, ret, "%s", enctype_string);
+	    krb5_warn(context, ret, "%s", opt->enctype_string);
 	    goto out;
 	}
     }
-    if(kvno == -1) {
-	printf("Key version: ");
-	if (fgets(buf, sizeof(buf), stdin) == NULL)
+    if(opt->kvno_integer == -1) {
+	if(readstring("Key version: ", buf, sizeof(buf)) == NULL) {
+	    ret = 1;
+	    goto out;
+	}
+	if(sscanf(buf, "%u", &opt->kvno_integer) != 1)
 	    goto out;
-	buf[strcspn(buf, "\r\n")] = '\0';
-	kvno = atoi(buf);
     }
-    if(password_string == NULL && random_flag == 0) {
-	if(des_read_pw_string(buf, sizeof(buf), "Password: ", 1))
+    if(opt->password_string == NULL && opt->random_flag == 0) {
+	if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Password: ", 1)) {
+	    ret = 1;
 	    goto out;
-	password_string = buf;
+	}
+	opt->password_string = buf;
     }
-    if(password_string) {
-	if (!salt_flag) {
+    if(opt->password_string) {
+	if (opt->hex_flag) {
+	    size_t len;
+	    void *data;
+	    
+	    len = (strlen(opt->password_string) + 1) / 2;
+
+	    data = malloc(len);
+	    if (data == NULL) {
+		krb5_warn(context, ENOMEM, "malloc");
+		goto out;
+	    }
+
+	    if (hex_decode(opt->password_string, data, len) != len) {
+		free(data);
+		krb5_warn(context, ENOMEM, "hex decode failed");
+		goto out;
+	    }
+
+	    ret = krb5_keyblock_init(context, enctype, 
+				     data, len, &entry.keyblock);
+	    free(data);
+	} else if (!opt->salt_flag) {
 	    krb5_salt salt;
 	    krb5_data pw;
 
 	    salt.salttype         = KRB5_PW_SALT;
 	    salt.saltvalue.data   = NULL;
 	    salt.saltvalue.length = 0;
-	    pw.data = (void*)password_string;
-	    pw.length = strlen(password_string);
-	    krb5_string_to_key_data_salt(context, enctype, pw, salt,
-					 &entry.keyblock);
+	    pw.data = (void*)opt->password_string;
+	    pw.length = strlen(opt->password_string);
+	    ret = krb5_string_to_key_data_salt(context, enctype, pw, salt,
+					       &entry.keyblock);
         } else {
-	    krb5_string_to_key(context, enctype, password_string, 
-			       entry.principal, &entry.keyblock);
+	    ret = krb5_string_to_key(context, enctype, opt->password_string, 
+				     entry.principal, &entry.keyblock);
 	}
-	memset (password_string, 0, strlen(password_string));
+	memset (opt->password_string, 0, strlen(opt->password_string));
     } else {
-	krb5_generate_random_keyblock(context, enctype, &entry.keyblock);
+	ret = krb5_generate_random_keyblock(context, enctype, &entry.keyblock);
+    }
+    if(ret) {
+	krb5_warn(context, ret, "add");
+	goto out;
     }
-    entry.vno = kvno;
+    entry.vno = opt->kvno_integer;
     entry.timestamp = time (NULL);
     ret = krb5_kt_add_entry(context, keytab, &entry);
     if(ret)
@@ -151,5 +153,5 @@ kt_add(int argc, char **argv)
  out:
     krb5_kt_free_entry(context, &entry);
     krb5_kt_close(context, keytab);
-    return 0;
+    return ret != 0;
 }
diff --git a/crypto/heimdal/admin/change.c b/crypto/heimdal/admin/change.c
index f790da3..01f69c4 100644
--- a/crypto/heimdal/admin/change.c
+++ b/crypto/heimdal/admin/change.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,10 +33,10 @@
 
 #include "ktutil_locl.h"
 
-RCSID("$Id: change.c,v 1.5 2003/04/01 15:04:49 lha Exp $");
+RCSID("$Id: change.c 15578 2005-07-07 20:44:48Z lha $");
 
-static void
-change_entry (krb5_context context, krb5_keytab keytab,
+static krb5_error_code
+change_entry (krb5_keytab keytab,
 	      krb5_principal principal, krb5_kvno kvno,
 	      const char *realm, const char *admin_server, int server_port)
 {
@@ -51,19 +51,29 @@ change_entry (krb5_context context, krb5_keytab keytab,
     ret = krb5_unparse_name (context, principal, &client_name);
     if (ret) {
 	krb5_warn (context, ret, "krb5_unparse_name");
-	return;
+	return ret;
     }
 
     memset (&conf, 0, sizeof(conf));
 
-    if(realm)
-	conf.realm = (char *)realm;
-    else
-	conf.realm = *krb5_princ_realm (context, principal);
+    if(realm == NULL)
+	realm = krb5_principal_get_realm(context, principal);
+    conf.realm = strdup(realm);
+    if (conf.realm == NULL) {
+	free (client_name);
+	krb5_set_error_string(context, "malloc failed");
+	return ENOMEM;
+    }
     conf.mask |= KADM5_CONFIG_REALM;
     
     if (admin_server) {
-	conf.admin_server = (char *)admin_server;
+	conf.admin_server = strdup(admin_server);
+	if (conf.admin_server == NULL) {
+	    free(client_name);
+	    free(conf.realm);
+	    krb5_set_error_string(context, "malloc failed");
+	    return ENOMEM;
+	}	    
 	conf.mask |= KADM5_CONFIG_ADMIN_SERVER;
     }
 
@@ -78,17 +88,22 @@ change_entry (krb5_context context, krb5_keytab keytab,
 				    KADM5_ADMIN_SERVICE,
 				    &conf, 0, 0,
 				    &kadm_handle);
-    free (client_name);
+    free(conf.admin_server);
+    free(conf.realm);
     if (ret) {
-	krb5_warn (context, ret, "kadm5_c_init_with_skey_ctx");
-	return;
+	krb5_warn (context, ret,
+		   "kadm5_c_init_with_skey_ctx: %s:", client_name);
+	free (client_name);
+	return ret;
     }
     ret = kadm5_randkey_principal (kadm_handle, principal, &keys, &num_keys);
     kadm5_destroy (kadm_handle);
     if (ret) {
-	krb5_warn(context, ret, "kadm5_randkey_principal");
-	return;
+	krb5_warn(context, ret, "kadm5_randkey_principal: %s:", client_name);
+	free (client_name);
+	return ret;
     }
+    free (client_name);
     for (i = 0; i < num_keys; ++i) {
 	krb5_keytab_entry new_entry;
 
@@ -102,6 +117,7 @@ change_entry (krb5_context context, krb5_keytab keytab,
 	    krb5_warn (context, ret, "krb5_kt_add_entry");
 	krb5_free_keyblock_contents (context, &keys[i]);
     }
+    return ret;
 }
 
 /*
@@ -115,44 +131,15 @@ struct change_set {
 };
 
 int
-kt_change (int argc, char **argv)
+kt_change (struct change_options *opt, int argc, char **argv)
 {
     krb5_error_code ret;
     krb5_keytab keytab;
     krb5_kt_cursor cursor;
     krb5_keytab_entry entry;
-    char *realm = NULL;
-    char *admin_server = NULL;
-    int server_port = 0;
-    int help_flag = 0;
-    int optind = 0;
     int i, j, max;
     struct change_set *changeset;
-    
-    struct getargs args[] = {
-	{ "realm",	'r',	arg_string,   NULL, 
-	  "realm to use", "realm" 
-	},
-	{ "admin-server",	'a',	arg_string, NULL,
-	  "server to contact", "host" 
-	},
-	{ "server-port",	's',	arg_integer, NULL,
-	  "port to contact", "port number" 
-	},
-	{ "help",		'h',	arg_flag,    NULL }
-    };
-
-    args[0].value = &realm;
-    args[1].value = &admin_server;
-    args[2].value = &server_port;
-    args[3].value = &help_flag;
-
-    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)
-       || help_flag) {
-	arg_printusage(args, sizeof(args) / sizeof(args[0]), 
-		       "ktutil change", "principal...");
-	return 1;
-    }
+    int errors = 0;
     
     if((keytab = ktutil_open_keytab()) == NULL)
 	return 1;
@@ -163,7 +150,7 @@ kt_change (int argc, char **argv)
 
     ret = krb5_kt_start_seq_get(context, keytab, &cursor);
     if(ret){
-	krb5_warn(context, ret, "krb5_kt_start_seq_get %s", keytab_string);
+	krb5_warn(context, ret, "%s", keytab_string);
 	goto out;
     }
 
@@ -178,18 +165,20 @@ kt_change (int argc, char **argv)
 		break;
 	    }
 	}
-	if (i < j)
+	if (i < j) {
+	    krb5_kt_free_entry (context, &entry);
 	    continue;
+	}
 
-	if (optind == argc) {
+	if (argc == 0) {
 	    add = 1;
 	} else {
-	    for (i = optind; i < argc; ++i) {
+	    for (i = 0; i < argc; ++i) {
 		krb5_principal princ;
 
 		ret = krb5_parse_name (context, argv[i], &princ);
 		if (ret) {
-		    krb5_warn (context, ret, "krb5_parse_name %s", argv[i]);
+		    krb5_warn (context, ret, "%s", argv[i]);
 		    continue;
 		}
 		if (krb5_principal_compare (context, princ, entry.principal))
@@ -225,8 +214,10 @@ kt_change (int argc, char **argv)
 	}
 	krb5_kt_free_entry (context, &entry);
     }
+    krb5_kt_end_seq_get(context, keytab, &cursor);
 
     if (ret == KRB5_KT_END) {
+	ret = 0;
 	for (i = 0; i < j; i++) {
 	    if (verbose_flag) {
 		char *client_name;
@@ -241,17 +232,21 @@ kt_change (int argc, char **argv)
 		    free(client_name);
 		}
 	    }
-	    change_entry (context, keytab, 
-			  changeset[i].principal, changeset[i].kvno,
-			  realm, admin_server, server_port);
+	    ret = change_entry (keytab, 
+				changeset[i].principal, changeset[i].kvno,
+				opt->realm_string, 
+				opt->admin_server_string, 
+				opt->server_port_integer);
+	    if (ret != 0)
+		errors = 1;
 	}
-    }
+    } else
+	errors = 1;
     for (i = 0; i < j; i++)
 	krb5_free_principal (context, changeset[i].principal);
     free (changeset);
 
-    ret = krb5_kt_end_seq_get(context, keytab, &cursor);
  out:
     krb5_kt_close(context, keytab);
-    return 0;
+    return errors;
 }
diff --git a/crypto/heimdal/admin/copy.c b/crypto/heimdal/admin/copy.c
index 18b9d6e..83b65b6 100644
--- a/crypto/heimdal/admin/copy.c
+++ b/crypto/heimdal/admin/copy.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "ktutil_locl.h"
 
-RCSID("$Id: copy.c,v 1.9 2003/01/16 18:59:03 lha Exp $");
+RCSID("$Id: copy.c 14260 2004-09-23 14:45:29Z joda $");
 
 
 static krb5_boolean
@@ -80,8 +80,16 @@ kt_copy_int (const char *from, const char *to)
 				    &entry, &cursor)) == 0) {
 	char *name_str;
 	char *etype_str;
-	krb5_unparse_name (context, entry.principal, &name_str);
-	krb5_enctype_to_string(context, entry.keyblock.keytype, &etype_str);
+	ret = krb5_unparse_name (context, entry.principal, &name_str);
+	if(ret) {
+	    krb5_warn(context, ret, "krb5_unparse_name");
+	    name_str = NULL; /* XXX */
+	}
+	ret = krb5_enctype_to_string(context, entry.keyblock.keytype, &etype_str);
+	if(ret) {
+	    krb5_warn(context, ret, "krb5_enctype_to_string");
+	    etype_str = NULL; /* XXX */
+	}
 	ret = krb5_kt_get_entry(context, dst_keytab, 
 				entry.principal, 
 				entry.vno, 
@@ -102,7 +110,8 @@ kt_copy_int (const char *from, const char *to)
 	    free(etype_str);
 	    continue;
 	} else if(ret != KRB5_KT_NOTFOUND) {
-	    krb5_warn(context, ret, "krb5_kt_get_entry(%s)", name_str);
+	    krb5_warn (context, ret, "%s: fetching %s/%s/%u", 
+		       to, name_str, etype_str, entry.vno);
 	    krb5_kt_free_entry (context, &entry);
 	    free(name_str);
 	    free(etype_str);
@@ -114,7 +123,8 @@ kt_copy_int (const char *from, const char *to)
 	ret = krb5_kt_add_entry (context, dst_keytab, &entry);
 	krb5_kt_free_entry (context, &entry);
 	if (ret) {
-	    krb5_warn (context, ret, "krb5_kt_add_entry(%s)", name_str);
+	    krb5_warn (context, ret, "%s: adding %s/%s/%u", 
+		       to, name_str, etype_str, entry.vno);
 	    free(name_str);
 	    free(etype_str);
 	    break;
@@ -127,121 +137,39 @@ kt_copy_int (const char *from, const char *to)
   out:
     krb5_kt_close (context, src_keytab);
     krb5_kt_close (context, dst_keytab);
-    return 0;
+    return ret != 0;
 }
 
 int
-kt_copy (int argc, char **argv)
+kt_copy (void *opt, int argc, char **argv)
 {
-    int help_flag = 0;
-    int optind = 0;
-
-    struct getargs args[] = {
-	{ "help", 'h', arg_flag, NULL}
-    };
-
-    int num_args = sizeof(args) / sizeof(args[0]);
-    int i = 0;
-
-    args[i++].value = &help_flag;
-
-    if(getarg(args, num_args, argc, argv, &optind)) {
-	arg_printusage(args, num_args, "ktutil copy",
-		       "keytab-src keytab-dest");
-	return 1;
-    }
-    if (help_flag) {
-	arg_printusage(args, num_args, "ktutil copy",
-		       "keytab-src keytab-dest");
-	return 1;
-    }
-
-    argv += optind;
-    argc -= optind;
-
-    if (argc != 2) {
-	arg_printusage(args, num_args, "ktutil copy",
-		       "keytab-src keytab-dest");
-	return 1;
-    }
-
     return kt_copy_int(argv[0], argv[1]);
 }
 
-#ifndef KEYFILE
-#define KEYFILE SYSCONFDIR "/srvtab"
-#endif
-
-/* copy to from v4 srvtab, just short for copy */
-static int
-conv(int srvconv, int argc, char **argv)
+int
+srvconv(struct srvconvert_options *opt, int argc, char **argv)
 {
-    int help_flag = 0;
-    char *srvtab = KEYFILE;
-    int optind = 0;
     char kt4[1024], kt5[1024];
 
-    char *name;
-
-    struct getargs args[] = {
-	{ "srvtab", 's', arg_string, NULL},
-	{ "help", 'h', arg_flag, NULL}
-    };
-
-    int num_args = sizeof(args) / sizeof(args[0]);
-    int i = 0;
+    snprintf(kt4, sizeof(kt4), "krb4:%s", opt->srvtab_string);
 
-    args[i++].value = &srvtab;
-    args[i++].value = &help_flag;
+    if(keytab_string != NULL)
+	return kt_copy_int(kt4, keytab_string);
 
-    if(srvconv)
-	name = "ktutil srvconvert";
-    else 
-	name = "ktutil srvcreate";
-
-    if(getarg(args, num_args, argc, argv, &optind)){
-	arg_printusage(args, num_args, name, "");
-	return 1;
-    }
-    if(help_flag){
-	arg_printusage(args, num_args, name, "");
-	return 0;
-    }
-
-    argc -= optind;
-    argv += optind;
-
-    if (argc != 0) {
-	arg_printusage(args, num_args, name, "");
-	return 1;
-    }
-
-    snprintf(kt4, sizeof(kt4), "krb4:%s", srvtab);
-
-    if(srvconv) {
-	if(keytab_string != NULL)
-	    return kt_copy_int(kt4, keytab_string);
-	else {
-	    krb5_kt_default_modify_name(context, kt5, sizeof(kt5));
-	    return kt_copy_int(kt4, kt5);
-	}
-    } else {
-	if(keytab_string != NULL)
-	    return kt_copy_int(keytab_string, kt4);
-
-	krb5_kt_default_name(context, kt5, sizeof(kt5));
-	return kt_copy_int(kt5, kt4);
-    }
+    krb5_kt_default_modify_name(context, kt5, sizeof(kt5));
+    return kt_copy_int(kt4, kt5);
 }
 
 int
-srvconv(int argc, char **argv)
+srvcreate(struct srvcreate_options *opt, int argc, char **argv)
 {
-    return conv(1, argc, argv);
-}
+    char kt4[1024], kt5[1024];
 
-int
-srvcreate(int argc, char **argv)
-{
-    return conv(0, argc, argv);
+    snprintf(kt4, sizeof(kt4), "krb4:%s", opt->srvtab_string);
+
+    if(keytab_string != NULL)
+	return kt_copy_int(keytab_string, kt4);
+
+    krb5_kt_default_name(context, kt5, sizeof(kt5));
+    return kt_copy_int(kt5, kt4);
 }
diff --git a/crypto/heimdal/admin/get.c b/crypto/heimdal/admin/get.c
index e827738..7ad1fc4 100644
--- a/crypto/heimdal/admin/get.c
+++ b/crypto/heimdal/admin/get.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "ktutil_locl.h"
 
-RCSID("$Id: get.c,v 1.22.2.1 2004/06/21 10:55:46 lha Exp $");
+RCSID("$Id: get.c 15583 2005-07-07 21:44:37Z lha $");
 
 static void*
 open_kadmin_connection(char *principal,
@@ -47,7 +47,11 @@ open_kadmin_connection(char *principal,
     memset(&conf, 0, sizeof(conf));
 
     if(realm) {
-	conf.realm = (char*)realm;
+	conf.realm = strdup(realm);
+	if (conf.realm == NULL) {
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    return NULL;
+	}
 	conf.mask |= KADM5_CONFIG_REALM;
     }
     
@@ -70,6 +74,7 @@ open_kadmin_connection(char *principal,
 				       KADM5_ADMIN_SERVICE,
 				       &conf, 0, 0, 
 				       &kadm_handle);
+    free(conf.realm);
     if(ret) {
 	krb5_warn(context, ret, "kadm5_init_with_password");
 	return NULL;
@@ -78,89 +83,44 @@ open_kadmin_connection(char *principal,
 }
 
 int
-kt_get(int argc, char **argv)
+kt_get(struct get_options *opt, int argc, char **argv)
 {
     krb5_error_code ret = 0;
     krb5_keytab keytab;
     void *kadm_handle = NULL;
-    char *principal = NULL;
-    char *realm = NULL;
-    char *admin_server = NULL;
-    int server_port = 0;
-    int help_flag = 0;
-    int optind = 0;
-    struct getarg_strings etype_strs = {0, NULL};
     krb5_enctype *etypes = NULL;
     size_t netypes = 0;
-    
-    struct getargs args[] = {
-	{ "principal",	'p',	arg_string,   NULL, 
-	  "admin principal", "principal" 
-	},
-	{ "enctypes",	'e',	arg_strings,	NULL,
-	  "encryption types to use", "enctypes" },
-	{ "realm",	'r',	arg_string,   NULL, 
-	  "realm to use", "realm" 
-	},
-	{ "admin-server",	'a',	arg_string, NULL,
-	  "server to contact", "host" 
-	},
-	{ "server-port",	's',	arg_integer, NULL,
-	  "port to contact", "port number" 
-	},
-	{ "help",		'h',	arg_flag,    NULL }
-    };
-    int i = 0, j;
-
-    args[i++].value = &principal;
-    args[i++].value = &etype_strs;
-    args[i++].value = &realm;
-    args[i++].value = &admin_server;
-    args[i++].value = &server_port;
-    args[i++].value = &help_flag;
-
-    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)
-       || help_flag) {
-	arg_printusage(args, sizeof(args) / sizeof(args[0]), 
-		       "ktutil get", "principal...");
-	return 1;
-    }
-    if(optind == argc) {
-	krb5_warnx(context, "no principals specified");
-	arg_printusage(args, sizeof(args) / sizeof(args[0]), 
-		       "ktutil get", "principal...");
-	return 1;
-    }
+    int i, j;
+    unsigned int failed = 0;
     
     if((keytab = ktutil_open_keytab()) == NULL)
 	return 1;
 
-    if(realm)
-	krb5_set_default_realm(context, realm);
+    if(opt->realm_string)
+	krb5_set_default_realm(context, opt->realm_string);
 
-    if (etype_strs.num_strings) {
-	int i;
+    if (opt->enctypes_strings.num_strings != 0) {
 
-	etypes = malloc (etype_strs.num_strings * sizeof(*etypes));
+	etypes = malloc (opt->enctypes_strings.num_strings * sizeof(*etypes));
 	if (etypes == NULL) {
 	    krb5_warnx(context, "malloc failed");
 	    goto out;
 	}
-	netypes = etype_strs.num_strings;
+	netypes = opt->enctypes_strings.num_strings;
 	for(i = 0; i < netypes; i++) {
 	    ret = krb5_string_to_enctype(context, 
-					 etype_strs.strings[i], 
+					 opt->enctypes_strings.strings[i], 
 					 &etypes[i]);
 	    if(ret) {
 		krb5_warnx(context, "unrecognized enctype: %s",
-			   etype_strs.strings[i]);
+			   opt->enctypes_strings.strings[i]);
 		goto out;
 	    }
 	}
     }
 
     
-    for(i = optind; i < argc; i++){
+    for(i = 0; i < argc; i++){
 	krb5_principal princ_ent;
 	kadm5_principal_ent_rec princ;
 	int mask = 0;
@@ -172,6 +132,7 @@ kt_get(int argc, char **argv)
 	ret = krb5_parse_name(context, argv[i], &princ_ent);
 	if (ret) {
 	    krb5_warn(context, ret, "can't parse principal %s", argv[i]);
+	    failed++;
 	    continue;
 	}
 	memset(&princ, 0, sizeof(princ));
@@ -184,31 +145,32 @@ kt_get(int argc, char **argv)
 
 	if(kadm_handle == NULL) {
 	    const char *r;
-	    if(realm != NULL)
-		r = realm;
+	    if(opt->realm_string != NULL)
+		r = opt->realm_string;
 	    else
 		r = krb5_principal_get_realm(context, princ_ent);
-	    kadm_handle = open_kadmin_connection(principal, 
+	    kadm_handle = open_kadmin_connection(opt->principal_string, 
 						 r, 
-						 admin_server, 
-						 server_port);
-	    if(kadm_handle == NULL) {
+						 opt->admin_server_string, 
+						 opt->server_port_integer);
+	    if(kadm_handle == NULL)
 		break;
-	    }
 	}
 	
 	ret = kadm5_create_principal(kadm_handle, &princ, mask, "x");
 	if(ret == 0)
-	    created++;
+	    created = 1;
 	else if(ret != KADM5_DUP) {
 	    krb5_warn(context, ret, "kadm5_create_principal(%s)", argv[i]);
 	    krb5_free_principal(context, princ_ent);
+	    failed++;
 	    continue;
 	}
 	ret = kadm5_randkey_principal(kadm_handle, princ_ent, &keys, &n_keys);
 	if (ret) {
 	    krb5_warn(context, ret, "kadm5_randkey_principal(%s)", argv[i]);
 	    krb5_free_principal(context, princ_ent);
+	    failed++;
 	    continue;
 	}
 	
@@ -219,8 +181,11 @@ kt_get(int argc, char **argv)
 	    for (j = 0; j < n_keys; j++)
 		krb5_free_keyblock_contents(context, &keys[j]);
 	    krb5_free_principal(context, princ_ent);
+	    failed++;
 	    continue;
 	}
+	if(!created && (princ.attributes & KRB5_KDB_DISALLOW_ALL_TIX))
+	    krb5_warnx(context, "%s: disallow-all-tix flag set - clearing", argv[i]);
 	princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
 	mask = KADM5_ATTRIBUTES;
 	if(created) {
@@ -233,17 +198,18 @@ kt_get(int argc, char **argv)
 	    for (j = 0; j < n_keys; j++)
 		krb5_free_keyblock_contents(context, &keys[j]);
 	    krb5_free_principal(context, princ_ent);
+	    failed++;
 	    continue;
 	}
 	for(j = 0; j < n_keys; j++) {
 	    int do_add = TRUE;
 
 	    if (netypes) {
-		int i;
+		int k;
 
 		do_add = FALSE;
-		for (i = 0; i < netypes; ++i)
-		    if (keys[j].keytype == etypes[i]) {
+		for (k = 0; k < netypes; ++k)
+		    if (keys[j].keytype == etypes[k]) {
 			do_add = TRUE;
 			break;
 		    }
@@ -264,10 +230,9 @@ kt_get(int argc, char **argv)
 	krb5_free_principal(context, princ_ent);
     }
  out:
-    free_getarg_strings(&etype_strs);
     free(etypes);
     if (kadm_handle)
 	kadm5_destroy(kadm_handle);
     krb5_kt_close(context, keytab);
-    return ret != 0;
+    return ret != 0 || failed > 0;
 }
diff --git a/crypto/heimdal/admin/ktutil-commands.in b/crypto/heimdal/admin/ktutil-commands.in
new file mode 100644
index 0000000..fc5d1bf
--- /dev/null
+++ b/crypto/heimdal/admin/ktutil-commands.in
@@ -0,0 +1,266 @@
+/*
+ * Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+/* $Id: ktutil-commands.in 14793 2005-04-14 16:45:14Z lha $ */
+
+command = {
+	name = "add"
+	option = {
+		long = "principal"
+		short = "p"
+		type = "string"
+		help = "principal to add"
+		argument = "principal"
+		default = ""
+	}
+	option = {
+		long = "kvno"
+		short = "V"
+		type = "integer"
+		help = "key version number"
+		default = "-1"
+	}
+	option = {
+		long = "enctype"
+		short = "e"
+		type = "string"
+		argument = "enctype"
+		help = "encryption type"
+	}
+	option = {
+		long = "password"
+		short = "w"
+		type = "string"
+		help = "password for key"
+	}
+	option = {
+		long = "salt"
+		short = "s"
+		type = "-flag"
+		help = "use unsalted keys"
+		default = "1"
+	}
+	option = {
+		long = "random"
+		short = "r"
+		type = "flag"
+		help = "generate random key"
+	}
+	option = {
+		long = "hex"
+		short = "H"
+		type = "flag"
+		help = "password is a hexadecimal string"
+	}
+	function = "kt_add"
+	help = "Adds a key to a keytab."
+	max_args = "0"
+}
+command = {
+	name = "change"
+	option = {
+		long = "realm"
+		short = "r"
+		type = "string"
+		argument = "realm"
+		help = "realm to use"
+	}
+	option = {
+		long = "admin-server"
+		short = "a"
+		type = "string"
+		argument = "host"
+		help = "server to contact"
+	}
+	option = {
+		long = "server-port"
+		short = "s"
+		type = "integer"
+		argument = "port number"
+		help = "port number on server"
+	}
+	function = "kt_change"
+	argument = "[principal...]"
+	help = "Change keys for specified principals (default all)."
+}
+command = {
+	name = "copy"
+	function = "kt_copy"
+	argument = "source destination"
+	min_args = "2"
+	max_args = "2"
+	help = "Copies one keytab to another."
+}
+command = {
+	name = "get"
+	option = {
+		long = "principal"
+		short = "p"
+		type = "string"
+		help = "admin principal"
+		argument = "principal"
+	}
+	option = {
+		long = "enctypes"
+		short = "e"
+		type = "strings"
+		help = "encryption types to use"
+		argument = "enctype"
+	}
+	option = {
+		long = "realm"
+		short = "r"
+		type = "string"
+		argument = "realm"
+		help = "realm to use"
+	}
+	option = {
+		long = "admin-server"
+		short = "a"
+		type = "string"
+		argument = "host"
+		help = "server to contact"
+	}
+	option = {
+		long = "server-port"
+		short = "s"
+		type = "integer"
+		argument = "port number"
+		help = "port number on server"
+	}
+	function = "kt_get"
+	min_args = "1"
+	argument = "principal..."
+	help = "Change keys for specified principals, and add them to the keytab."
+}
+command = {
+	name = "list"
+	option = {
+		long = "keys"
+		type = "flag"
+		help = "show key values"
+	}
+	option = {
+		long = "timestamp"
+		type = "flag"
+		help = "show timestamps"
+	}
+	max_args = "0"
+	function = "kt_list"
+	help = "Show contents of keytab."
+}
+command = {
+	name = "purge"
+	option = {
+		long = "age"
+		type = "string"
+		help = "age to retiere"
+		default = "1 week";
+		argument = "time"
+	}
+	max_args = "0"
+	function = "kt_purge"
+	help = "Remove superceded keys from keytab."
+}
+command = {
+	name = "remove"
+	name = "delete"
+	option = {
+		long = "principal"
+		short = "p"
+		type = "string"
+		help = "principal to remove"
+		argument = "principal"
+	}
+	option = {
+		long = "kvno"
+		short = "V"
+		type = "integer"
+		help = "key version to remove"
+		argument = "enctype"
+		default = "0"
+	}
+	option = {
+		long = "enctype"
+		short = "e"
+		type = "string"
+		help = "enctype to remove"
+		argument = "enctype"
+	}
+	max_args = "0"
+	function = "kt_remove"
+	help = "Remove keys from keytab."
+}
+command = {
+	name = "rename"
+	function = "kt_rename"
+	argument = "from to"
+	min_args = "2"
+	max_args = "2"
+	help = "Renames an entry in the keytab."
+}
+command = {
+	name = "srvconvert"
+	name = "srv2keytab"
+	option = {
+		long = "srvtab"
+		short = "s"
+		type = "string"
+		argument = "file"
+		help = "name of Kerberos 4 srvtab"
+		default = "/etc/srvtab"
+	}
+	max_args = "0"
+	function = "srvconv"
+	help = "Convert a Kerberos 4 srvtab to a keytab."
+}
+command = {
+	name = "srvcreate"
+	name = "key2srvtab"
+	option = {
+		long = "srvtab"
+		short = "s"
+		type = "string"
+		argument = "file"
+		help = "name of Kerberos 4 srvtab"
+		default = "/etc/srvtab"
+	}
+	max_args = "0"
+	function = "srvcreate"
+	help = "Convert a keytab to a Kerberos 4 srvtab."
+}
+command = {
+	name = "help"
+	argument = "command"
+	max_args = "1"
+	function = "help"
+}
diff --git a/crypto/heimdal/admin/ktutil.8 b/crypto/heimdal/admin/ktutil.8
index f75a953..15523b4 100644
--- a/crypto/heimdal/admin/ktutil.8
+++ b/crypto/heimdal/admin/ktutil.8
@@ -1,4 +1,4 @@
-.\" Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+.\" Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
 .\" (Royal Institute of Technology, Stockholm, Sweden). 
 .\" All rights reserved. 
 .\"
@@ -29,9 +29,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 .\" SUCH DAMAGE. 
 .\" 
-.\" $Id: ktutil.8,v 1.19 2003/04/08 20:55:10 lha Exp $
+.\" $Id: ktutil.8 14792 2005-04-14 16:43:57Z lha $
 .\"
-.Dd December 16, 2000
+.Dd April 14, 2005
 .Dt KTUTIL 8
 .Os HEIMDAL
 .Sh NAME
@@ -76,9 +76,11 @@ can be one of the following:
 .Op Fl -random
 .Op Fl s
 .Op Fl -no-salt
+.Op Fl H
+.Op Fl -hex
 .Xc
 Adds a key to the keytab. Options that are not specified will be
-prompted for. This requires that you know the password of the
+prompted for. This requires that you know the password or the hex key of the
 principal to add; if what you really want is to add a new principal to
 the keytab, you should consider the
 .Ar get
@@ -155,10 +157,10 @@ to
 .It purge Xo
 .Op Fl -age= Ns Ar age
 .Xc
-Removes all old entries (for which there is a newer version) that are
-older than
+Removes all old versions of a key for which there is a newer version
+that is at least
 .Ar age
-(default one week).
+(default one week) old.
 .It srvconvert
 .It srv2keytab Xo
 .Op Fl s Ar srvtab
diff --git a/crypto/heimdal/admin/ktutil.c b/crypto/heimdal/admin/ktutil.c
index 7ac9b4b..dfcbbfd 100644
--- a/crypto/heimdal/admin/ktutil.c
+++ b/crypto/heimdal/admin/ktutil.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -34,7 +34,7 @@
 #include "ktutil_locl.h"
 #include <err.h>
 
-RCSID("$Id: ktutil.c,v 1.36 2002/02/11 14:14:11 joda Exp $");
+RCSID("$Id: ktutil.c 15585 2005-07-07 21:52:04Z lha $");
 
 static int help_flag;
 static int version_flag;
@@ -42,35 +42,6 @@ int verbose_flag;
 char *keytab_string; 
 static char keytab_buf[256];
 
-static int help(int argc, char **argv);
-
-static SL_cmd cmds[] = {
-    { "add", 		kt_add,		"add",
-      "adds key to keytab" },
-    { "change",		kt_change,	"change [principal...]",
-      "get new key for principals (all)" },
-    { "copy",		kt_copy,	"copy src dst",
-      "copy one keytab to another" },
-    { "get", 		kt_get,		"get [principal...]",
-      "create key in database and add to keytab" },
-    { "list",		kt_list,	"list",
-      "shows contents of a keytab" },
-    { "purge",		kt_purge,	"purge",
-      "remove old and superceeded entries" },
-    { "remove", 	kt_remove,	"remove",
-      "remove key from keytab" },
-    { "rename", 	kt_rename,	"rename from to",
-      "rename entry" },
-    { "srvconvert",	srvconv,	"srvconvert [flags]",
-      "convert v4 srvtab to keytab" },
-    { "srv2keytab" },
-    { "srvcreate",	srvcreate,	"srvcreate [flags]",
-      "convert keytab to v4 srvtab" },
-    { "key2srvtab" },
-    { "help",		help,		"help",			"" },
-    { NULL, 	NULL,		NULL, 			NULL }
-};
-
 static struct getargs args[] = {
     { 
 	"version",
@@ -134,10 +105,37 @@ ktutil_open_keytab(void)
     return keytab;
 }
 
-static int
-help(int argc, char **argv)
+int
+help(void *opt, int argc, char **argv)
 {
-    sl_help(cmds, argc, argv);
+    if(argc == 0) {
+	sl_help(commands, 1, argv - 1 /* XXX */);
+    } else {
+	SL_cmd *c = sl_match (commands, argv[0], 0);
+ 	if(c == NULL) {
+	    fprintf (stderr, "No such command: %s. "
+		     "Try \"help\" for a list of commands\n",
+		     argv[0]);
+	} else {
+	    if(c->func) {
+		char *fake[] = { NULL, "--help", NULL };
+		fake[0] = argv[0];
+		(*c->func)(2, fake);
+		fprintf(stderr, "\n");
+	    }
+	    if(c->help && *c->help)
+		fprintf (stderr, "%s\n", c->help);
+	    if((++c)->name && c->func == NULL) {
+		int f = 0;
+		fprintf (stderr, "Synonyms:");
+		while (c->name && c->func == NULL) {
+		    fprintf (stderr, "%s%s", f ? ", " : " ", (c++)->name);
+		    f = 1;
+		}
+		fprintf (stderr, "\n");
+	    }
+	}
+    }
     return 0;
 }
 
@@ -151,13 +149,13 @@ usage(int status)
 int
 main(int argc, char **argv)
 {
-    int optind = 0;
+    int optidx = 0;
     krb5_error_code ret;
     setprogname(argv[0]);
     ret = krb5_init_context(&context);
     if (ret)
 	errx (1, "krb5_init_context failed: %d", ret);
-    if(getarg(args, num_args, argc, argv, &optind))
+    if(getarg(args, num_args, argc, argv, &optidx))
 	usage(1);
     if(help_flag)
 	usage(0);
@@ -165,11 +163,11 @@ main(int argc, char **argv)
 	print_version(NULL);
 	exit(0);
     }
-    argc -= optind;
-    argv += optind;
+    argc -= optidx;
+    argv += optidx;
     if(argc == 0)
 	usage(1);
-    ret = sl_command(cmds, argc, argv);
+    ret = sl_command(commands, argc, argv);
     if(ret == -1)
 	krb5_warnx (context, "unrecognized command: %s", argv[0]);
     return ret;
diff --git a/crypto/heimdal/admin/list.c b/crypto/heimdal/admin/list.c
index 4c11c2f..f305ab3 100644
--- a/crypto/heimdal/admin/list.c
+++ b/crypto/heimdal/admin/list.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,182 +32,126 @@
  */
 
 #include "ktutil_locl.h"
+#include <rtbl.h>
 
-RCSID("$Id: list.c,v 1.10 2002/01/30 10:12:21 joda Exp $");
-
-static int help_flag;
-static int list_keys;
-static int list_timestamp;
-
-static struct getargs args[] = {
-    { "help",      'h', arg_flag, &help_flag },
-    { "keys",	   0,   arg_flag, &list_keys, "show key value" },
-    { "timestamp", 0,   arg_flag, &list_timestamp, "show timestamp" },
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-struct key_info {
-    char *version;
-    char *etype;
-    char *principal;
-    char *timestamp;
-    char *key;
-    struct key_info *next;
-};
+RCSID("$Id: list.c 21745 2007-07-31 16:11:25Z lha $");
 
 static int
-do_list(const char *keytab_string)
+do_list(struct list_options *opt, const char *keytab_str)
 {
     krb5_error_code ret;
     krb5_keytab keytab;
     krb5_keytab_entry entry;
     krb5_kt_cursor cursor;
-    struct key_info *ki, **kie = &ki, *kp;
-
-    int max_version = sizeof("Vno") - 1;
-    int max_etype = sizeof("Type") - 1;
-    int max_principal = sizeof("Principal") - 1;
-    int max_timestamp = sizeof("Date") - 1;
-    int max_key = sizeof("Key") - 1;
+    rtbl_t table;
 
     /* XXX specialcase the ANY type */
-    if(strncasecmp(keytab_string, "ANY:", 4) == 0) {
+    if(strncasecmp(keytab_str, "ANY:", 4) == 0) {
 	int flag = 0;
 	char buf[1024];
-	keytab_string += 4;
-	while (strsep_copy((const char**)&keytab_string, ",", 
+	keytab_str += 4;
+	ret = 0;
+	while (strsep_copy((const char**)&keytab_str, ",", 
 			   buf, sizeof(buf)) != -1) {
 	    if(flag)
 		printf("\n");
-	    do_list(buf);
+	    if(do_list(opt, buf))
+		ret = 1;
 	    flag = 1;
 	}
-	return 0;
+	return ret;
     }
 
-    ret = krb5_kt_resolve(context, keytab_string, &keytab);
+    ret = krb5_kt_resolve(context, keytab_str, &keytab);
     if (ret) {
-	krb5_warn(context, ret, "resolving keytab %s", keytab_string);
-	return 0;
+	krb5_warn(context, ret, "resolving keytab %s", keytab_str);
+	return ret;
     }
 
     ret = krb5_kt_start_seq_get(context, keytab, &cursor);
-    if(ret){
-	krb5_warn(context, ret, "krb5_kt_start_seq_get %s", keytab_string);
-	goto out;
+    if(ret) {
+	krb5_warn(context, ret, "krb5_kt_start_seq_get %s", keytab_str);
+	krb5_kt_close(context, keytab);
+	return ret;
     }
 
-    printf ("%s:\n\n", keytab_string);
+    printf ("%s:\n\n", keytab_str);
 	
+    table = rtbl_create();
+    rtbl_add_column_by_id(table, 0, "Vno", RTBL_ALIGN_RIGHT);
+    rtbl_add_column_by_id(table, 1, "Type", 0);
+    rtbl_add_column_by_id(table, 2, "Principal", 0);
+    if (opt->timestamp_flag)
+	rtbl_add_column_by_id(table, 3, "Date", 0);
+    if(opt->keys_flag)
+	rtbl_add_column_by_id(table, 4, "Key", 0);
+    rtbl_set_separator(table, "  ");
+
     while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
-#define CHECK_MAX(F) if(max_##F < strlen(kp->F)) max_##F = strlen(kp->F)
-
-	kp = malloc(sizeof(*kp));
-	if (kp == NULL) {
-	    krb5_kt_free_entry(context, &entry);
-	    krb5_kt_end_seq_get(context, keytab, &cursor);
-	    krb5_warn(context, ret, "malloc failed");
-	    goto out;
-	}
+	char buf[1024], *s;
+
+	snprintf(buf, sizeof(buf), "%d", entry.vno);
+	rtbl_add_column_entry_by_id(table, 0, buf);
 
-	asprintf(&kp->version, "%d", entry.vno);
-	CHECK_MAX(version);
 	ret = krb5_enctype_to_string(context, 
-				     entry.keyblock.keytype, &kp->etype);
-	if (ret != 0) 
-	    asprintf(&kp->etype, "unknown (%d)", entry.keyblock.keytype);
-	CHECK_MAX(etype);
-	krb5_unparse_name(context, entry.principal, &kp->principal);
-	CHECK_MAX(principal);
-	if (list_timestamp) {
-	    char tstamp[256];
-
-	    krb5_format_time(context, entry.timestamp, 
-			     tstamp, sizeof(tstamp), FALSE);
-
-	    kp->timestamp = strdup(tstamp);
-	    CHECK_MAX(timestamp);
+				     entry.keyblock.keytype, &s);
+	if (ret != 0) {
+	    snprintf(buf, sizeof(buf), "unknown (%d)", entry.keyblock.keytype);
+	    rtbl_add_column_entry_by_id(table, 1, buf);
+	} else {
+	    rtbl_add_column_entry_by_id(table, 1, s);
+	    free(s);
 	}
-	if(list_keys) {
+
+	krb5_unparse_name_fixed(context, entry.principal, buf, sizeof(buf));
+	rtbl_add_column_entry_by_id(table, 2, buf);
+
+	if (opt->timestamp_flag) {
+	    krb5_format_time(context, entry.timestamp, buf, 
+			     sizeof(buf), FALSE);
+	    rtbl_add_column_entry_by_id(table, 3, buf);
+	}
+	if(opt->keys_flag) {
 	    int i;
-	    kp->key = malloc(2 * entry.keyblock.keyvalue.length + 1);
+	    s = malloc(2 * entry.keyblock.keyvalue.length + 1);
+	    if (s == NULL) {
+		krb5_warnx(context, "malloc failed");
+		ret = ENOMEM;
+		goto out;
+	    }
 	    for(i = 0; i < entry.keyblock.keyvalue.length; i++)
-		snprintf(kp->key + 2 * i, 3, "%02x", 
+		snprintf(s + 2 * i, 3, "%02x", 
 			 ((unsigned char*)entry.keyblock.keyvalue.data)[i]);
-	    CHECK_MAX(key);
+	    rtbl_add_column_entry_by_id(table, 4, s);
+	    free(s);
 	}
-	*kie = kp;
-	kie = &kp->next;
 	krb5_kt_free_entry(context, &entry);
     }
-    *kie = NULL; /* termiate list */
     ret = krb5_kt_end_seq_get(context, keytab, &cursor);
+    rtbl_format(table, stdout);
 
-    printf("%-*s  %-*s  %-*s", max_version, "Vno", 
-	   max_etype, "Type", 
-	   max_principal, "Principal");
-    if(list_timestamp)
-	printf("  %-*s", max_timestamp, "Date");
-    if(list_keys)
-	printf("  %s", "Key");
-    printf("\n");
-
-    for(kp = ki; kp; ) {
-	printf("%*s  %-*s  %-*s", max_version, kp->version, 
-	       max_etype, kp->etype, 
-	       max_principal, kp->principal);
-	if(list_timestamp)
-	    printf("  %-*s", max_timestamp, kp->timestamp);
-	if(list_keys)
-	    printf("  %s", kp->key);
-	printf("\n");
-
-	/* free entries */
-	free(kp->version);
-	free(kp->etype);
-	free(kp->principal);
-	if(list_timestamp)
-	    free(kp->timestamp);
-	if(list_keys) {
-	    memset(kp->key, 0, strlen(kp->key));
-	    free(kp->key);
-	}
-	ki = kp;
-	kp = kp->next;
-	free(ki);
-    }
 out:
+    rtbl_destroy(table);
+
     krb5_kt_close(context, keytab);
-    return 0;
+    return ret;
 }
 
 int
-kt_list(int argc, char **argv)
+kt_list(struct list_options *opt, int argc, char **argv)
 {
     krb5_error_code ret;
-    int optind = 0;
     char kt[1024];
 
     if(verbose_flag)
-	list_timestamp = 1;
-
-    if(getarg(args, num_args, argc, argv, &optind)){
-	arg_printusage(args, num_args, "ktutil list", "");
-	return 1;
-    }
-    if(help_flag){
-	arg_printusage(args, num_args, "ktutil list", "");
-	return 0;
-    }
+	opt->timestamp_flag = 1;
 
     if (keytab_string == NULL) {
 	if((ret = krb5_kt_default_name(context, kt, sizeof(kt))) != 0) {
 	    krb5_warn(context, ret, "getting default keytab name");
-	    return 0;
+	    return 1;
 	}
 	keytab_string = kt;
     }
-    do_list(keytab_string);
-    return 0;
+    return do_list(opt, keytab_string) != 0;
 }
diff --git a/crypto/heimdal/admin/purge.c b/crypto/heimdal/admin/purge.c
index aaca00a..e928c3e 100644
--- a/crypto/heimdal/admin/purge.c
+++ b/crypto/heimdal/admin/purge.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "ktutil_locl.h"
 
-RCSID("$Id: purge.c,v 1.6 2001/07/23 09:46:41 joda Exp $");
+RCSID("$Id: purge.c 14261 2004-09-23 14:46:43Z joda $");
 
 /*
  * keep track of the highest version for every principal.
@@ -42,6 +42,7 @@ RCSID("$Id: purge.c,v 1.6 2001/07/23 09:46:41 joda Exp $");
 struct e {
     krb5_principal principal;
     int max_vno;
+    time_t timestamp;
     struct e *next;
 };
 
@@ -57,14 +58,17 @@ get_entry (krb5_principal princ, struct e *head)
 }
 
 static void
-add_entry (krb5_principal princ, int vno, struct e **head)
+add_entry (krb5_principal princ, int vno, time_t timestamp, struct e **head)
 {
     krb5_error_code ret;
     struct e *e;
 
     e = get_entry (princ, *head);
     if (e != NULL) {
-	e->max_vno = max (e->max_vno, vno);
+	if(e->max_vno < vno) {
+	    e->max_vno = vno;
+	    e->timestamp = timestamp;
+	}
 	return;
     }
     e = malloc (sizeof (*e));
@@ -74,6 +78,7 @@ add_entry (krb5_principal princ, int vno, struct e **head)
     if (ret)
 	krb5_err (context, 1, ret, "krb5_copy_principal");
     e->max_vno = vno;
+    e->timestamp = timestamp;
     e->next    = *head;
     *head      = e;
 }
@@ -95,40 +100,19 @@ delete_list (struct e *head)
  */
 
 int
-kt_purge(int argc, char **argv)
+kt_purge(struct purge_options *opt, int argc, char **argv)
 {
     krb5_error_code ret = 0;
     krb5_kt_cursor cursor;
     krb5_keytab keytab;
     krb5_keytab_entry entry;
-    int help_flag = 0;
-    char *age_str = "1 week";
     int age;
-    struct getargs args[] = {
-	{ "age",   0,  arg_string, NULL, "age to retire" },
-	{ "help", 'h', arg_flag, NULL }
-    };
-    int num_args = sizeof(args) / sizeof(args[0]);
-    int optind = 0;
-    int i = 0;
     struct e *head = NULL;
     time_t judgement_day;
 
-    args[i++].value = &age_str;
-    args[i++].value = &help_flag;
-
-    if(getarg(args, num_args, argc, argv, &optind)) {
-	arg_printusage(args, num_args, "ktutil purge", "");
-	return 1;
-    }
-    if(help_flag) {
-	arg_printusage(args, num_args, "ktutil purge", "");
-	return 1;
-    }
-
-    age = parse_time(age_str, "s");
+    age = parse_time(opt->age_string, "s");
     if(age < 0) {
-	krb5_warnx(context, "unparasable time `%s'", age_str);
+	krb5_warnx(context, "unparasable time `%s'", opt->age_string);
 	return 1;
     }
 
@@ -137,12 +121,12 @@ kt_purge(int argc, char **argv)
 
     ret = krb5_kt_start_seq_get(context, keytab, &cursor);
     if(ret){
-	krb5_warn(context, ret, "krb5_kt_start_seq_get %s", keytab_string);
+	krb5_warn(context, ret, "%s", keytab_string);
 	goto out;
     }
 
     while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
-	add_entry (entry.principal, entry.vno, &head);
+	add_entry (entry.principal, entry.vno, entry.timestamp, &head);
 	krb5_kt_free_entry(context, &entry);
     }
     ret = krb5_kt_end_seq_get(context, keytab, &cursor);
@@ -151,7 +135,7 @@ kt_purge(int argc, char **argv)
 
     ret = krb5_kt_start_seq_get(context, keytab, &cursor);
     if(ret){
-	krb5_warn(context, ret, "krb5_kt_start_seq_get, %s", keytab_string);
+	krb5_warn(context, ret, "%s", keytab_string);
 	goto out;
     }
 
@@ -164,7 +148,7 @@ kt_purge(int argc, char **argv)
 	}
 
 	if (entry.vno < e->max_vno
-	    && judgement_day - entry.timestamp > age) {
+	    && judgement_day - e->timestamp > age) {
 	    if (verbose_flag) {
 		char *name_str;
 
diff --git a/crypto/heimdal/admin/remove.c b/crypto/heimdal/admin/remove.c
index 45f8119..15f88cf 100644
--- a/crypto/heimdal/admin/remove.c
+++ b/crypto/heimdal/admin/remove.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,81 +33,61 @@
 
 #include "ktutil_locl.h"
 
-RCSID("$Id: remove.c,v 1.3 2001/07/23 09:46:41 joda Exp $");
+RCSID("$Id: remove.c 17004 2006-04-07 13:06:37Z lha $");
 
 int
-kt_remove(int argc, char **argv)
+kt_remove(struct remove_options *opt, int argc, char **argv)
 {
     krb5_error_code ret = 0;
     krb5_keytab_entry entry;
     krb5_keytab keytab;
-    char *principal_string = NULL;
     krb5_principal principal = NULL;
-    int kvno = 0;
-    char *keytype_string = NULL;
     krb5_enctype enctype = 0;
-    int help_flag = 0;
-    struct getargs args[] = {
-	{ "principal", 'p', arg_string, NULL, "principal to remove" },
-	{ "kvno", 'V', arg_integer, NULL, "key version to remove" },
-	{ "enctype", 'e', arg_string, NULL, "enctype to remove" },
-	{ "help", 'h', arg_flag, NULL }
-    };
-    int num_args = sizeof(args) / sizeof(args[0]);
-    int optind = 0;
-    int i = 0;
-    args[i++].value = &principal_string;
-    args[i++].value = &kvno;
-    args[i++].value = &keytype_string;
-    args[i++].value = &help_flag;
-    if(getarg(args, num_args, argc, argv, &optind)) {
-	arg_printusage(args, num_args, "ktutil remove", "");
-	return 1;
-    }
-    if(help_flag) {
-	arg_printusage(args, num_args, "ktutil remove", "");
-	return 0;
-    }
-    if(principal_string) {
-	ret = krb5_parse_name(context, principal_string, &principal);
+
+    if(opt->principal_string) {
+	ret = krb5_parse_name(context, opt->principal_string, &principal);
 	if(ret) {
-	    krb5_warn(context, ret, "%s", principal_string);
+	    krb5_warn(context, ret, "%s", opt->principal_string);
 	    return 1;
 	}
     }
-    if(keytype_string) {
-	ret = krb5_string_to_enctype(context, keytype_string, &enctype);
+    if(opt->enctype_string) {
+	ret = krb5_string_to_enctype(context, opt->enctype_string, &enctype);
 	if(ret) {
 	    int t;
-	    if(sscanf(keytype_string, "%d", &t) == 1)
+	    if(sscanf(opt->enctype_string, "%d", &t) == 1)
 		enctype = t;
 	    else {
-		krb5_warn(context, ret, "%s", keytype_string);
+		krb5_warn(context, ret, "%s", opt->enctype_string);
 		if(principal)
 		    krb5_free_principal(context, principal);
 		return 1;
 	    }
 	}
     }
-    if (!principal && !enctype && !kvno) {
+    if (!principal && !enctype && !opt->kvno_integer) {
 	krb5_warnx(context, 
 		   "You must give at least one of "
 		   "principal, enctype or kvno.");
-	return 1;
+	ret = EINVAL;
+	goto out;
     }
 
-    if((keytab = ktutil_open_keytab()) == NULL)
-	return 1;
+    if((keytab = ktutil_open_keytab()) == NULL) {
+	ret = 1;
+	goto out;
+    }
 
     entry.principal = principal;
     entry.keyblock.keytype = enctype;
-    entry.vno = kvno;
+    entry.vno = opt->kvno_integer;
     ret = krb5_kt_remove_entry(context, keytab, &entry);
     krb5_kt_close(context, keytab);
     if(ret)
 	krb5_warn(context, ret, "remove");
+ out:
     if(principal)
 	krb5_free_principal(context, principal);
-    return 0;
+    return ret != 0;
 }
 
diff --git a/crypto/heimdal/admin/rename.c b/crypto/heimdal/admin/rename.c
index dcfb352..aea02b0 100644
--- a/crypto/heimdal/admin/rename.c
+++ b/crypto/heimdal/admin/rename.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 2001-2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,52 +33,28 @@
 
 #include "ktutil_locl.h"
 
-RCSID("$Id: rename.c,v 1.1 2001/07/23 10:17:32 joda Exp $");
+RCSID("$Id: rename.c 14260 2004-09-23 14:45:29Z joda $");
 
 int
-kt_rename(int argc, char **argv)
+kt_rename(void *opt, int argc, char **argv)
 {
     krb5_error_code ret = 0;
     krb5_keytab_entry entry;
     krb5_keytab keytab;
     krb5_kt_cursor cursor;
     krb5_principal from_princ, to_princ;
-    int help_flag = 0;
-
-    struct getargs args[] = {
-	{ "help", 'h', arg_flag, NULL }
-    };
-    int num_args = sizeof(args) / sizeof(args[0]);
-    int optind = 0;
-    int i = 0;
-
-    args[i++].value = &help_flag;
-    if(getarg(args, num_args, argc, argv, &optind)) {
-	arg_printusage(args, num_args, "ktutil rename", "from to");
-	return 1;
-    }
-    if(help_flag) {
-	arg_printusage(args, num_args, "ktutil rename", "from to");
-	return 0;
-    }
-    argv += optind;
-    argc -= optind;
-    if(argc != 2) {
-	arg_printusage(args, num_args, "ktutil rename", "from to");
-	return 0;
-    }
 
     ret = krb5_parse_name(context, argv[0], &from_princ);
     if(ret != 0) {
 	krb5_warn(context, ret, "%s", argv[0]);
-	return 0;
+	return 1;
     }
 
     ret = krb5_parse_name(context, argv[1], &to_princ);
     if(ret != 0) {
 	krb5_free_principal(context, from_princ);
 	krb5_warn(context, ret, "%s", argv[1]);
-	return 0;
+	return 1;
     }
 
     if((keytab = ktutil_open_keytab()) == NULL) {
@@ -99,6 +75,8 @@ kt_rename(int argc, char **argv)
 	if(ret != 0) {
 	    if(ret != KRB5_CC_END && ret != KRB5_KT_END)
 		krb5_warn(context, ret, "getting entry from keytab");
+	    else
+		ret = 0;
 	    break;
 	}
 	if(krb5_principal_compare(context, entry.principal, from_princ)) {
@@ -128,6 +106,6 @@ kt_rename(int argc, char **argv)
     krb5_free_principal(context, from_princ);
     krb5_free_principal(context, to_princ);
 
-    return 0;
+    return ret != 0;
 }
 
diff --git a/crypto/heimdal/appl/Makefile.am b/crypto/heimdal/appl/Makefile.am
index e867521..8f26703 100644
--- a/crypto/heimdal/appl/Makefile.am
+++ b/crypto/heimdal/appl/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.24 2001/01/27 18:34:39 assar Exp $
+# $Id: Makefile.am 17775 2006-06-30 20:26:15Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -13,6 +13,7 @@ SUBDIRS = 					\
 	  ftp					\
 	  login					\
 	  $(dir_otp)				\
+	  gssmask				\
 	  popper				\
 	  push					\
 	  rsh					\
diff --git a/crypto/heimdal/appl/Makefile.in b/crypto/heimdal/appl/Makefile.in
index 6846105..52834fa 100644
--- a/crypto/heimdal/appl/Makefile.in
+++ b/crypto/heimdal/appl/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,20 +14,16 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.24 2001/01/27 18:34:39 assar Exp $
+# $Id: Makefile.am 17775 2006-06-30 20:26:15Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -39,6 +35,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -46,16 +43,14 @@ DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 subdir = appl
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -68,6 +63,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -76,16 +72,20 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
 depcomp =
@@ -94,23 +94,20 @@ SOURCES =
 DIST_SOURCES =
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	html-recursive info-recursive install-data-recursive \
-	install-exec-recursive install-info-recursive \
-	install-recursive installcheck-recursive installdirs-recursive \
-	pdf-recursive ps-recursive uninstall-info-recursive \
-	uninstall-recursive
+	install-dvi-recursive install-exec-recursive \
+	install-html-recursive install-info-recursive \
+	install-pdf-recursive install-ps-recursive install-recursive \
+	installcheck-recursive installdirs-recursive pdf-recursive \
+	ps-recursive uninstall-recursive
+RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
+  distclean-recursive maintainer-clean-recursive
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = afsutil ftp login otp popper push rsh rcp su xnlock \
-	telnet test kx kf dceutils
+DIST_SUBDIRS = afsutil ftp login otp gssmask popper push rsh rcp su \
+	xnlock telnet test kx kf dceutils
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -120,8 +117,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -132,11 +127,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -144,42 +138,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -197,12 +176,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -212,15 +188,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -229,6 +204,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -240,15 +216,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -256,74 +227,79 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -340,6 +316,7 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 @OTP_TRUE@dir_otp = otp
 @DCE_TRUE@dir_dce = dceutils
@@ -348,6 +325,7 @@ SUBDIRS = \
 	  ftp					\
 	  login					\
 	  $(dir_otp)				\
+	  gssmask				\
 	  popper				\
 	  push					\
 	  rsh					\
@@ -363,7 +341,7 @@ SUBDIRS = \
 all: all-recursive
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -400,10 +378,6 @@ mostlyclean-libtool:
 clean-libtool:
 	-rm -rf .libs _libs
 
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
-
 # This directory's subdirectories are mostly independent; you can cd
 # into them and run `make' without going through this Makefile.
 # To change the values of `make' variables: instead of editing Makefiles,
@@ -411,7 +385,13 @@ uninstall-info-am:
 #     (which will cause the Makefiles to be regenerated when you run `make');
 # (2) otherwise, pass the desired values on the `make' command line.
 $(RECURSIVE_TARGETS):
-	@set fnord $$MAKEFLAGS; amf=$$2; \
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
 	dot_seen=no; \
 	target=`echo $@ | sed s/-recursive//`; \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
@@ -423,15 +403,20 @@ $(RECURSIVE_TARGETS):
 	    local_target="$$target"; \
 	  fi; \
 	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
-	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	  || eval $$failcom; \
 	done; \
 	if test "$$dot_seen" = "no"; then \
 	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
 	fi; test -z "$$fail"
 
-mostlyclean-recursive clean-recursive distclean-recursive \
-maintainer-clean-recursive:
-	@set fnord $$MAKEFLAGS; amf=$$2; \
+$(RECURSIVE_CLEAN_TARGETS):
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
 	dot_seen=no; \
 	case "$@" in \
 	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
@@ -452,7 +437,7 @@ maintainer-clean-recursive:
 	    local_target="$$target"; \
 	  fi; \
 	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
-	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	  || eval $$failcom; \
 	done && test -z "$$fail"
 tags-recursive:
 	list='$(SUBDIRS)'; for subdir in $$list; do \
@@ -477,14 +462,16 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	if (etags --etags-include --version) >/dev/null 2>&1; then \
+	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
 	  include_option=--etags-include; \
+	  empty_fix=.; \
 	else \
 	  include_option=--include; \
+	  empty_fix=; \
 	fi; \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
-	    test -f $$subdir/TAGS && \
+	    test ! -f $$subdir/TAGS || \
 	      tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \
 	  fi; \
 	done; \
@@ -494,9 +481,11 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS: ctags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -521,23 +510,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/.. $(distdir)/../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -551,12 +538,16 @@ distdir: $(DISTFILES)
 	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
 	    test -d "$(distdir)/$$subdir" \
-	    || mkdir "$(distdir)/$$subdir" \
+	    || $(MKDIR_P) "$(distdir)/$$subdir" \
 	    || exit 1; \
+	    distdir=`$(am__cd) $(distdir) && pwd`; \
+	    top_distdir=`$(am__cd) $(top_distdir) && pwd`; \
 	    (cd $$subdir && \
 	      $(MAKE) $(AM_MAKEFLAGS) \
-	        top_distdir="../$(top_distdir)" \
-	        distdir="../$(distdir)/$$subdir" \
+	        top_distdir="$$top_distdir" \
+	        distdir="$$distdir/$$subdir" \
+		am__remove_distdir=: \
+		am__skip_length_check=: \
 	        distdir) \
 	      || exit 1; \
 	  fi; \
@@ -589,7 +580,7 @@ mostlyclean-generic:
 clean-generic:
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -600,8 +591,7 @@ clean-am: clean-generic clean-libtool mostlyclean-am
 
 distclean: distclean-recursive
 	-rm -f Makefile
-distclean-am: clean-am distclean-generic distclean-libtool \
-	distclean-tags
+distclean-am: clean-am distclean-generic distclean-tags
 
 dvi: dvi-recursive
 
@@ -617,14 +607,22 @@ install-data-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-recursive
+
 install-exec-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-recursive
+
 install-info: install-info-recursive
 
 install-man:
 
+install-pdf: install-pdf-recursive
+
+install-ps: install-ps-recursive
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-recursive
@@ -643,22 +641,27 @@ ps: ps-recursive
 
 ps-am:
 
-uninstall-am: uninstall-info-am
-
-uninstall-info: uninstall-info-recursive
-
-.PHONY: $(RECURSIVE_TARGETS) CTAGS GTAGS all all-am all-local check \
-	check-am check-local clean clean-generic clean-libtool \
-	clean-recursive ctags ctags-recursive distclean \
-	distclean-generic distclean-libtool distclean-recursive \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-exec \
-	install-exec-am install-info install-info-am install-man \
-	install-strip installcheck installcheck-am installdirs \
-	installdirs-am maintainer-clean maintainer-clean-generic \
-	maintainer-clean-recursive mostlyclean mostlyclean-generic \
-	mostlyclean-libtool mostlyclean-recursive pdf pdf-am ps ps-am \
-	tags tags-recursive uninstall uninstall-am uninstall-info-am
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \
+	install-data-am install-exec-am install-strip uninstall-am
+
+.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
+	all all-am all-local check check-am check-local clean \
+	clean-generic clean-libtool ctags ctags-recursive dist-hook \
+	distclean distclean-generic distclean-libtool distclean-tags \
+	distdir dvi dvi-am html html-am info info-am install \
+	install-am install-data install-data-am install-data-hook \
+	install-dvi install-dvi-am install-exec install-exec-am \
+	install-exec-hook install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs installdirs-am maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \
+	uninstall uninstall-am uninstall-hook
 
 
 install-suid-programs:
@@ -673,8 +676,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -684,19 +687,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -712,7 +727,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -782,14 +797,39 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/appl/afsutil/ChangeLog b/crypto/heimdal/appl/afsutil/ChangeLog
index c3f5605..c6cfd39 100644
--- a/crypto/heimdal/appl/afsutil/ChangeLog
+++ b/crypto/heimdal/appl/afsutil/ChangeLog
@@ -1,11 +1,59 @@
-2003-08-25  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-04-11  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* afslog.c: 1.22->1.23: (do_afslog): is cell is unset, set it
-	"<default cell>" for error printing
+	* pagsh.1,afslog.1: - options must be lexicographically ordered;
+	  again, options without arguments must be placed before options
+	  with arguments.  - manual page cross references are done using
+	  the macro `.Xr', not the macro `.Nm' (used for command names
+	  instead).
+	
+	From Igor Sobrado.
+	
+2006-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Add man_MANS to EXTRA_DIST
+	
+2006-01-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* afslog.1: Document options to allow select principal or
+	credential cache when doing afslog.
+
+	* afslog.c: Add options to allow select principal or credential
+	cache when doing afslog.
+	
+2005-02-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: man_MANS += pagsh.1
+
+	* pagsh.c: add --cache-type that allows the user to control the
+	resulting credential cache type, inherit the type from the
+	invoking process
+
+	* pagsh.1: manpage for pagsh
+
+2004-09-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* afslog.c: use negative string help string for arg_negative_flag
+	Pointed out by Harald Barth
+	
+2004-07-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* pagsh.c: use setprogname, if we stripped off -c, try use the
+	fallback code
+	
+2003-10-14  Johan Danielsson  <joda@pdc.kth.se>
+
+	* pagsh.c: mkstemp formats must end in exactly six X's
+
+2003-07-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* afslog.c (do_afslog): is cell is unset, set it "<default cell>"
+	for error printing
+
+	* pagsh.c: unconditionally set KRBTKFILE
 	
 2003-04-23  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* afslog.c: 1.21->1.22: (log_func): drop the error number
+	* afslog.c (log_func): drop the error number
 	
 2003-04-14  Love Hörnquist Åstrand  <lha@it.su.se>
 
diff --git a/crypto/heimdal/appl/afsutil/Makefile.am b/crypto/heimdal/appl/afsutil/Makefile.am
index 0e6c4eb..365897b 100644
--- a/crypto/heimdal/appl/afsutil/Makefile.am
+++ b/crypto/heimdal/appl/afsutil/Makefile.am
@@ -1,8 +1,8 @@
-# $Id: Makefile.am,v 1.15 2003/03/18 13:13:06 lha Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += $(INCLUDE_krb4)
+AM_CPPFLAGS += $(INCLUDE_krb4)
 
 bin_PROGRAMS = afslog pagsh
 
@@ -10,11 +10,13 @@ afslog_SOURCES = afslog.c
 
 pagsh_SOURCES  = pagsh.c
 
-man_MANS = afslog.1
+man_MANS = afslog.1 pagsh.1
 
 LDADD = $(LIB_kafs) \
 	$(LIB_krb4) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(top_builddir)/lib/asn1/libasn1.la \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(LIB_roken)
+
+EXTRA_DIST = $(man_MANS)
diff --git a/crypto/heimdal/appl/afsutil/Makefile.in b/crypto/heimdal/appl/afsutil/Makefile.in
index be6de83..e50ac2e 100644
--- a/crypto/heimdal/appl/afsutil/Makefile.in
+++ b/crypto/heimdal/appl/afsutil/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,23 +14,17 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.15 2003/03/18 13:13:06 lha Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
-SOURCES = $(afslog_SOURCES) $(pagsh_SOURCES)
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -42,6 +36,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -50,16 +45,14 @@ bin_PROGRAMS = afslog$(EXEEXT) pagsh$(EXEEXT)
 subdir = appl/afsutil
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -72,6 +65,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -80,16 +74,20 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
 am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)"
@@ -112,17 +110,18 @@ pagsh_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
 SOURCES = $(afslog_SOURCES) $(pagsh_SOURCES)
 DIST_SOURCES = $(afslog_SOURCES) $(pagsh_SOURCES)
 man1dir = $(mandir)/man1
@@ -131,13 +130,7 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -147,8 +140,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -159,11 +150,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -171,42 +161,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -224,12 +199,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -239,15 +211,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -256,6 +227,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -267,15 +239,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -283,74 +250,80 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	$(INCLUDE_krb4)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -367,21 +340,23 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 afslog_SOURCES = afslog.c
 pagsh_SOURCES = pagsh.c
-man_MANS = afslog.1
+man_MANS = afslog.1 pagsh.1
 LDADD = $(LIB_kafs) \
 	$(LIB_krb4) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(top_builddir)/lib/asn1/libasn1.la \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(LIB_roken)
 
+EXTRA_DIST = $(man_MANS)
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -413,7 +388,7 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-binPROGRAMS: $(bin_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)"
+	test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
 	@list='$(bin_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -441,10 +416,10 @@ clean-binPROGRAMS:
 	done
 afslog$(EXEEXT): $(afslog_OBJECTS) $(afslog_DEPENDENCIES) 
 	@rm -f afslog$(EXEEXT)
-	$(LINK) $(afslog_LDFLAGS) $(afslog_OBJECTS) $(afslog_LDADD) $(LIBS)
+	$(LINK) $(afslog_OBJECTS) $(afslog_LDADD) $(LIBS)
 pagsh$(EXEEXT): $(pagsh_OBJECTS) $(pagsh_DEPENDENCIES) 
 	@rm -f pagsh$(EXEEXT)
-	$(LINK) $(pagsh_LDFLAGS) $(pagsh_OBJECTS) $(pagsh_LDADD) $(LIBS)
+	$(LINK) $(pagsh_OBJECTS) $(pagsh_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -466,13 +441,9 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 install-man1: $(man1_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man1dir)" || $(mkdir_p) "$(DESTDIR)$(man1dir)"
+	test -z "$(man1dir)" || $(MKDIR_P) "$(DESTDIR)$(man1dir)"
 	@list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -536,9 +507,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -563,23 +536,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../.. $(distdir)/../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -599,7 +570,7 @@ check: check-am
 all-am: Makefile $(PROGRAMS) $(MANS) all-local
 installdirs:
 	for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -620,7 +591,7 @@ mostlyclean-generic:
 clean-generic:
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -632,7 +603,7 @@ clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -648,14 +619,22 @@ install-data-am: install-man
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-binPROGRAMS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man: install-man1
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -675,23 +654,30 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-binPROGRAMS uninstall-info-am uninstall-man
+uninstall-am: uninstall-binPROGRAMS uninstall-man
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
 
 uninstall-man: uninstall-man1
 
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
 .PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
 	clean clean-binPROGRAMS clean-generic clean-libtool ctags \
-	distclean distclean-compile distclean-generic \
+	dist-hook distclean distclean-compile distclean-generic \
 	distclean-libtool distclean-tags distdir dvi dvi-am html \
 	html-am info info-am install install-am install-binPROGRAMS \
-	install-data install-data-am install-exec install-exec-am \
-	install-info install-info-am install-man install-man1 \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
-	uninstall-binPROGRAMS uninstall-info-am uninstall-man \
-	uninstall-man1
+	install-data install-data-am install-data-hook install-dvi \
+	install-dvi-am install-exec install-exec-am install-exec-hook \
+	install-html install-html-am install-info install-info-am \
+	install-man install-man1 install-pdf install-pdf-am install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \
+	uninstall-am uninstall-binPROGRAMS uninstall-hook \
+	uninstall-man uninstall-man1
 
 
 install-suid-programs:
@@ -706,8 +692,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -717,19 +703,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -745,7 +743,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -815,14 +813,39 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/appl/afsutil/afslog.1 b/crypto/heimdal/appl/afsutil/afslog.1
index c0bfaac..aa4b9d6 100644
--- a/crypto/heimdal/appl/afsutil/afslog.1
+++ b/crypto/heimdal/appl/afsutil/afslog.1
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2002 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2002 - 2007 Kungliga Tekniska Högskolan
 .\" (Royal Institute of Technology, Stockholm, Sweden). 
 .\" All rights reserved. 
 .\"
@@ -29,7 +29,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 .\" SUCH DAMAGE. 
 .\" 
-.\" $Id: afslog.1,v 1.3 2003/03/18 04:29:34 lha Exp $
+.\" $Id: afslog.1 20310 2007-04-11 11:22:23Z lha $
 .\"
 .Dd November 26, 2002
 .Dt AFSLOG 1
@@ -40,24 +40,30 @@
 obtain AFS tokens
 .Sh SYNOPSIS
 .Nm
+.Op Fl h | Fl -help
+.Op Fl -no-v4
+.Op Fl -no-v5
+.Op Fl u | Fl -unlog
+.Op Fl v | Fl -verbose
+.Op Fl -version
 .Oo Fl c Ar cell \*(Ba Xo
 .Fl -cell= Ns Ar cell
 .Xc
 .Oc
-.Oo Fl p Ar path \*(Ba Xo
-.Fl -file= Ns Ar path
-.Xc
-.Oc
 .Oo Fl k Ar realm \*(Ba Xo
 .Fl -realm= Ns Ar realm
 .Xc
 .Oc
-.Op Fl -no-v4
-.Op Fl -no-v5
-.Op Fl u | Fl -unlog
-.Op Fl v | Fl -verbose
-.Op Fl -version
-.Op Fl h | Fl -help
+.Oo Fl P Ar principal \*(Ba Xo
+.Fl -principal= Ns Ar principal
+.Xc
+.Oc
+.Bk -words
+.Oo Fl p Ar path \*(Ba Xo
+.Fl -file= Ns Ar path
+.Xc
+.Oc
+.Ek
 .Op Ar cell | path ...
 .Sh DESCRIPTION
 .Nm
@@ -71,23 +77,6 @@ decides upon.
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Xo
-.Fl c Ar cell,
-.Fl -cell= Ns Ar cell
-.Xc
-This specified one or more cell names to get tokens for.
-.It Xo
-.Fl p Ar path ,
-.Fl -file= Ns Ar path
-.Xc
-This specified one or more file paths for which tokens should be
-obtained.
-.It Xo
-.Fl k Ar realm ,
-.Fl -realm= Ns Ar realm
-.Xc
-This is the Kerberos realm the AFS servers live in, this should
-normally not be specified.
 .It Fl -no-v4
 This makes
 .Nm
@@ -97,6 +86,15 @@ This makes
 .Nm
 not try using Kerberos 5.
 .It Xo
+.Fl P Ar principal ,
+.Fl -principal Ar principal
+.Xc
+select what Kerberos 5 principal to use.
+.It Fl -cache Ar cache
+select what Kerberos 5 credential cache to use.
+.Fl -principal
+overrides this option.
+.It Xo
 .Fl u ,
 .Fl -unlog
 .Xc
@@ -110,7 +108,25 @@ and
 .Fl -verbose
 .Xc
 Adds more verbosity for what is actually going on.
+.It Xo
+.Fl c Ar cell,
+.Fl -cell= Ns Ar cell
+.Xc
+This specified one or more cell names to get tokens for.
+.It Xo
+.Fl k Ar realm ,
+.Fl -realm= Ns Ar realm
+.Xc
+This is the Kerberos realm the AFS servers live in, this should
+normally not be specified.
+.It Xo
+.Fl p Ar path ,
+.Fl -file= Ns Ar path
+.Xc
+This specified one or more file paths for which tokens should be
+obtained.
 .El
+.Pp
 Instead of using
 .Fl c
 and
diff --git a/crypto/heimdal/appl/afsutil/afslog.c b/crypto/heimdal/appl/afsutil/afslog.c
index 0d85a1e..6ca5b20 100644
--- a/crypto/heimdal/appl/afsutil/afslog.c
+++ b/crypto/heimdal/appl/afsutil/afslog.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: afslog.c,v 1.21.2.2 2003/08/25 11:43:51 lha Exp $");
+RCSID("$Id: afslog.c 16438 2006-01-03 09:27:54Z lha $");
 #endif
 #include <ctype.h>
 #ifdef KRB5
@@ -49,9 +49,6 @@ RCSID("$Id: afslog.c,v 1.21.2.2 2003/08/25 11:43:51 lha Exp $");
 
 static int help_flag;
 static int version_flag;
-#if 0
-static int create_user;
-#endif
 static getarg_strings cells;
 static char *realm;
 static getarg_strings files;
@@ -61,6 +58,8 @@ static int verbose;
 static int use_krb4 = 1;
 #endif
 #ifdef KRB5
+static char *client_string;
+static char *cache_string;
 static int use_krb5 = 1;
 #endif
 
@@ -70,13 +69,12 @@ struct getargs args[] = {
     { "realm",	'k', arg_string, &realm, "realm for afs cell", "realm" },
     { "unlog",	'u', arg_flag, &unlog_flag, "remove tokens" },
 #ifdef KRB4
-    { "v4",	 0, arg_negative_flag, &use_krb4, "use Kerberos 4" },
+    { "v4",	 0, arg_negative_flag, &use_krb4, "don't use Kerberos 4" },
 #endif
 #ifdef KRB5
-    { "v5",	 0, arg_negative_flag, &use_krb5, "use Kerberos 5" },
-#endif
-#if 0
-    { "create-user", 0, arg_flag, &create_user, "create user if not found" },
+    { "principal",'P',arg_string,&client_string,"principal to use","principal"},
+    { "cache",   0,  arg_string, &cache_string, "ccache to use", "cache"},
+    { "v5",	 0,  arg_negative_flag, &use_krb5, "don't use Kerberos 5" },
 #endif
     { "verbose",'v', arg_flag, &verbose },
     { "version", 0,  arg_flag, &version_flag },
@@ -131,43 +129,6 @@ expand_cell_name(const char *cell)
     return cell;
 }
 
-#if 0
-static int
-createuser (char *cell)
-{
-    char cellbuf[64];
-    char name[ANAME_SZ];
-    char instance[INST_SZ];
-    char realm[REALM_SZ];
-    char cmd[1024];
-
-    if (cell == NULL) {
-	FILE *f;
-	int len;
-
-	f = fopen (_PATH_THISCELL, "r");
-	if (f == NULL)
-	    err (1, "open(%s)", _PATH_THISCELL);
-	if (fgets (cellbuf, sizeof(cellbuf), f) == NULL)
-	    err (1, "read cellname from %s", _PATH_THISCELL);
-	len = strlen(cellbuf);
-	if (cellbuf[len-1] == '\n')
-	    cellbuf[len-1] = '\0';
-	cell = cellbuf;
-    }
-
-    if(krb_get_default_principal(name, instance, realm))
-	errx (1, "Could not even figure out who you are");
-
-    snprintf (cmd, sizeof(cmd),
-	      "pts createuser %s%s%s@%s -cell %s",
-	      name, *instance ? "." : "", instance, strlwr(realm),
-	      cell);
-    DEBUG("Executing %s", cmd);
-    return system(cmd);
-}
-#endif
-
 static void
 usage(int ecode)
 {
@@ -234,14 +195,14 @@ do_afslog(const char *cell)
 
 #ifdef KRB5
     if(context != NULL && id != NULL && use_krb5) {
-	k5ret = krb5_afslog(context, id, cell, NULL);
+	k5ret = krb5_afslog(context, id, cell, realm);
 	if(k5ret == 0)
 	    return 0;
     }
 #endif
 #if KRB4
     if (use_krb4) {
-	k4ret = krb_afslog(cell, NULL);
+	k4ret = krb_afslog(cell, realm);
 	if(k4ret == 0)
 	    return 0;
     }
@@ -297,11 +258,29 @@ main(int argc, char **argv)
     }
 #ifdef KRB5
     ret = krb5_init_context(&context);
-    if (ret)
+    if (ret) {
 	context = NULL;
-    else
-	if(krb5_cc_default(context, &id) != 0)
-	    id = NULL;
+    } else {
+	if (client_string) {
+	    krb5_principal client;
+
+	    ret = krb5_parse_name(context, client_string, &client);
+	    if (ret == 0)
+		ret = krb5_cc_cache_match(context, client, NULL, &id);
+	    if (ret)
+		id = NULL;
+	}
+	if (id == NULL && cache_string) {
+	    if(krb5_cc_resolve(context, cache_string, &id) != 0) {
+		krb5_warnx(context, "failed to open kerberos 5 cache '%s'",
+			   cache_string);
+		id = NULL;
+	    }
+	}
+	if (id == NULL)
+	    if(krb5_cc_default(context, &id) != 0)
+		id = NULL;
+    }
 #endif
 
     if (verbose)
diff --git a/crypto/heimdal/appl/afsutil/pagsh.1 b/crypto/heimdal/appl/afsutil/pagsh.1
new file mode 100644
index 0000000..c3e93d4
--- /dev/null
+++ b/crypto/heimdal/appl/afsutil/pagsh.1
@@ -0,0 +1,92 @@
+.\" Copyright (c) 2005 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden). 
+.\" All rights reserved. 
+.\"
+.\" Redistribution and use in source and binary forms, with or without 
+.\" modification, are permitted provided that the following conditions 
+.\" are met: 
+.\"
+.\" 1. Redistributions of source code must retain the above copyright 
+.\"    notice, this list of conditions and the following disclaimer. 
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright 
+.\"    notice, this list of conditions and the following disclaimer in the 
+.\"    documentation and/or other materials provided with the distribution. 
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors 
+.\"    may be used to endorse or promote products derived from this software 
+.\"    without specific prior written permission. 
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+.\" SUCH DAMAGE. 
+.\" 
+.\" $Id: pagsh.1 20311 2007-04-11 11:27:51Z lha $
+.\"
+.Dd February 12, 2005
+.Dt PAGSH 1
+.Os Heimdal
+.Sh NAME
+.Nm pagsh
+.Nd
+creates a new credential cache sandbox
+.Sh SYNOPSIS
+.Nm
+.Op Fl c
+.Op Fl h | Fl -help
+.Op Fl -version
+.Op Fl -cache-type= Ns Ar string
+.Ar command [args...]
+.Sh DESCRIPTION
+Supported options:
+.Bl -tag -width Ds
+.It Xo
+.Fl c
+.Xc
+.It Xo
+.Fl -cache-type= Ns Ar string
+.Xc
+.It Xo
+.Fl h ,
+.Fl -help
+.Xc
+.It Xo
+.Fl -version
+.Xc
+.El
+.Pp
+.Nm
+creates a new credential cache sandbox for the user to live in.
+If AFS is installed on the computer, the user is put in a newly
+created PAG.
+.Pp
+For Kerberos 5, the credential cache type that is used is the same as
+the credential cache type that was used at the time of
+.Nm
+invocation.
+The credential cache type can be controlled by the option
+.Fl -cache-type .
+.Sh EXAMPLES
+Create a new sandbox where new credentials can be used, while the old
+credentials can be used by other processes.
+.Bd -literal -offset indent
+$ klist
+Credentials cache: FILE:/tmp/krb5cc_913
+        Principal: lha@E.KTH.SE
+
+  Issued           Expires          Principal
+Feb 12 10:08:31  Feb 12 20:06:36  krbtgt/E.KTH.SE@E.KTH.SE
+$ pagsh
+$ klist
+klist: No ticket file: /tmp/krb5cc_03014a
+.Ed
+.Sh SEE ALSO
+.Xr afslog 1
diff --git a/crypto/heimdal/appl/afsutil/pagsh.c b/crypto/heimdal/appl/afsutil/pagsh.c
index d61dba2..d975fad 100644
--- a/crypto/heimdal/appl/afsutil/pagsh.c
+++ b/crypto/heimdal/appl/afsutil/pagsh.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -35,7 +35,7 @@
 #include <config.h>
 #endif
 
-RCSID("$Id: pagsh.c,v 1.6 2002/08/23 17:54:20 assar Exp $");
+RCSID("$Id: pagsh.c 14574 2005-02-12 14:23:28Z lha $");
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -64,12 +64,22 @@ RCSID("$Id: pagsh.c,v 1.6 2002/08/23 17:54:20 assar Exp $");
 #include <roken.h>
 #include <getarg.h>
 
+#ifndef TKT_ROOT
+#define TKT_ROOT "/tmp/tkt"
+#endif
+
 static int help_flag;
 static int version_flag;
 static int c_flag;
+#ifdef KRB5
+static char *typename_arg;
+#endif
 
 struct getargs getargs[] = {
     { NULL,	'c', arg_flag, &c_flag },
+#ifdef KRB5
+    { "cache-type", 0,  arg_string, &typename_arg },
+#endif
     { "version", 0,  arg_flag, &version_flag },
     { "help",	'h', arg_flag, &help_flag },
 };
@@ -90,94 +100,140 @@ usage(int ecode)
 int
 main(int argc, char **argv)
 {
-  int f;
-  char tf[1024];
-  char *p;
-
-  char *path;
-  char **args;
-  int i;
-  int optind = 0;
-
-  set_progname(argv[0]);
-  if(getarg(getargs, num_args, argc, argv, &optind))
-      usage(1);
-  if(help_flag)
-      usage(0);
-  if(version_flag) {
-      print_version(NULL);
-      exit(0);
-  }
-
-  argc -= optind;
-  argv += optind;
+    int f;
+    char tf[1024];
+    char *p;
+
+    char *path;
+    char **args;
+    int i;
+    int optind = 0;
+
+    setprogname(argv[0]);
+    if(getarg(getargs, num_args, argc, argv, &optind))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optind;
+    argv += optind;
 
 #ifdef KRB5
-  snprintf (tf, sizeof(tf), "%sXXXXXX", KRB5_DEFAULT_CCROOT);
-  f = mkstemp (tf + 5);
-  close (f);
-  unlink (tf + 5);
-  esetenv("KRB5CCNAME", tf, 1);
+    {
+	const krb5_cc_ops *type;
+	krb5_error_code ret;
+	krb5_context context;
+	krb5_ccache id;
+	const char *name;
+
+	ret = krb5_init_context(&context);
+	if (ret) /* XXX should this really call exit ? */
+	    errx(1, "no kerberos 5 support");
+
+	if (typename_arg == NULL) {
+	    char *s;
+
+	    name = krb5_cc_default_name(context);
+	    if (name == NULL)
+		krb5_errx(context, 1, "Failed getting default "
+			  "credential cache type");
+	    
+	    typename_arg = strdup(name);
+	    if (typename_arg == NULL)
+		errx(1, "strdup");
+	    
+	    s = strchr(typename_arg, ':');
+	    if (s)
+		*s = '\0';
+	}
+
+	type = krb5_cc_get_prefix_ops(context, typename_arg);
+	if (type == NULL)
+	    krb5_err(context, 1, ret, "Failed getting ops for %s "
+		     "credential cache", typename_arg);
+     
+	ret = krb5_cc_gen_new(context, type, &id);
+	if (ret)
+	    krb5_err(context, 1, ret, "Failed generating credential cache");
+
+	name = krb5_cc_get_name(context, id);
+	if (name == NULL)
+	    krb5_errx(context, 1, "Generated credential cache have no name");
+
+	snprintf(tf, sizeof(tf), "%s:%s", typename_arg, name);
+
+	ret = krb5_cc_close(context, id);
+	if (ret)
+	    krb5_err(context, 1, ret, "Failed closing credential cache");
+
+	krb5_free_context(context);
+
+	esetenv("KRB5CCNAME", tf, 1);
+    }
 #endif
 
-#ifdef KRB4
-  snprintf (tf, sizeof(tf), "%s_XXXXXX", TKT_ROOT);
-  f = mkstemp (tf);
-  close (f);
-  unlink (tf);
-  esetenv("KRBTKFILE", tf, 1);
-#endif
+    snprintf (tf, sizeof(tf), "%s_XXXXXX", TKT_ROOT);
+    f = mkstemp (tf);
+    if (f < 0)
+	err(1, "mkstemp failed");
+    close (f);
+    unlink (tf);
+    esetenv("KRBTKFILE", tf, 1);
 
-  i = 0;
+    i = 0;
 
-  args = (char **) malloc((argc + 10)*sizeof(char *));
-  if (args == NULL)
-      errx (1, "Out of memory allocating %lu bytes",
-	    (unsigned long)((argc + 10)*sizeof(char *)));
+    args = (char **) malloc((argc + 10)*sizeof(char *));
+    if (args == NULL)
+	errx (1, "Out of memory allocating %lu bytes",
+	      (unsigned long)((argc + 10)*sizeof(char *)));
   
-  if(*argv == NULL) {
-    path = getenv("SHELL");
-    if(path == NULL){
-      struct passwd *pw = k_getpwuid(geteuid());
-      path = strdup(pw->pw_shell);
+    if(*argv == NULL) {
+	path = getenv("SHELL");
+	if(path == NULL){
+	    struct passwd *pw = k_getpwuid(geteuid());
+	    path = strdup(pw->pw_shell);
+	}
+    } else {
+	path = strdup(*argv++);
     }
-  } else {
-    path = strdup(*argv++);
-  }
-  if (path == NULL)
-      errx (1, "Out of memory copying path");
+    if (path == NULL)
+	errx (1, "Out of memory copying path");
   
-  p=strrchr(path, '/');
-  if(p)
-    args[i] = strdup(p+1);
-  else
-    args[i] = strdup(path);
-
-  if (args[i++] == NULL)
-      errx (1, "Out of memory copying arguments");
+    p=strrchr(path, '/');
+    if(p)
+	args[i] = strdup(p+1);
+    else
+	args[i] = strdup(path);
+
+    if (args[i++] == NULL)
+	errx (1, "Out of memory copying arguments");
   
-  while(*argv)
-    args[i++] = *argv++;
-
-  args[i++] = NULL;
-
-  if(k_hasafs())
-    k_setpag();
-
-  unsetenv("PAGPID");
-  execvp(path, args);
-  if (errno == ENOENT) {
-      char **sh_args = malloc ((i + 2) * sizeof(char *));
-      int j;
-
-      if (sh_args == NULL)
-	  errx (1, "Out of memory copying sh arguments");
-      for (j = 1; j < i; ++j)
-	  sh_args[j + 2] = args[j];
-      sh_args[0] = "sh";
-      sh_args[1] = "-c";
-      sh_args[2] = path;
-      execv ("/bin/sh", sh_args);
-  }
-  err (1, "execvp");
+    while(*argv)
+	args[i++] = *argv++;
+
+    args[i++] = NULL;
+
+    if(k_hasafs())
+	k_setpag();
+
+    unsetenv("PAGPID");
+    execvp(path, args);
+    if (errno == ENOENT || c_flag) {
+	char **sh_args = malloc ((i + 2) * sizeof(char *));
+	int j;
+
+	if (sh_args == NULL)
+	    errx (1, "Out of memory copying sh arguments");
+	for (j = 1; j < i; ++j)
+	    sh_args[j + 2] = args[j];
+	sh_args[0] = "sh";
+	sh_args[1] = "-c";
+	sh_args[2] = path;
+	execv ("/bin/sh", sh_args);
+    }
+    err (1, "execvp");
 }
diff --git a/crypto/heimdal/appl/ftp/ChangeLog b/crypto/heimdal/appl/ftp/ChangeLog
index 74ed742..139e193 100644
--- a/crypto/heimdal/appl/ftp/ChangeLog
+++ b/crypto/heimdal/appl/ftp/ChangeLog
@@ -1,6 +1,189 @@
-2004-08-20  Love Hörnquist Åstrand <lha@it.su.se>
+2007-07-12  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* ftp/ftp.c: 1.77: send ABOR protect with security layer if its there
+	* ftp/gssapi.c: Fix pointer vs strict alias rules.
+
+2007-06-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ftp/security.c: if no mech have no session, its ok, just don't
+	call it.
+
+	* ftp/security.h: provide prototype for sec_userok().
+
+	* move ksetpag after initgroups to make it work on Linux when its
+	without syscall hooks to change sys_setgroups preserve the
+	pag. From Alexsander Boström.
+	
+2007-06-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ftpd/Makefile.am: don't clean yacc/lex files in CLEANFILES,
+	maintainers clean will do that for us.
+	
+2006-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ftpd/Makefile.am: Add man_MANS to EXTRA_DIST
+
+	* ftp/Makefile.am: Add man_MANS to EXTRA_DIST
+	
+2006-08-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ftpd/ftpd.c: Add comment by seteuid call isn't not needed.
+
+	* ftpd/ftpd.c: Check return values from seteuid, prompted by MIT
+	advisory.  Thanks to Tom Yu at MIT, and Michael Calmer and Marcus
+	Meissner at SUSE.  Either of CVE-2006-3083 or CVE-2006-3084.
+	
+2006-06-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ftpd/gss_userok.c (gss_userok): create a local krb5_context and
+	use that instead of the libgssapi context (that might not exist).
+	
+2006-05-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Rename u_intXX_t to uintXX_t
+
+2006-03-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ftp/ftp.1: Add undocument flags and spelling, from Ted Percival
+	<Ted.Percival@quest.com>
+	
+2006-02-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.8: fix grammar in --no-insecure-oob option (partly
+	from Thomas Klausner)
+	
+2006-01-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ftp/ftp.c: Indent.
+	
+2006-01-12  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.c (pass): remove unused variable in the !OTP case
+	
+2005-10-22  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* ftpd/ls.c: Check return value from asprintf instead of string !=
+	NULL since it undefined behavior on Linux. From Björn Sandell
+
+	* ftpd/gss_userok.c: Check return value from asprintf instead of
+	string != NULL since it undefined behavior on Linux. From Björn
+	Sandell
+
+	* ftpd/ftpd.c: Check return value from asprintf instead of string
+	!= NULL since it undefined behavior on Linux. From Björn Sandell
+
+	* ftp/gssapi.c: Check return value from asprintf instead of string
+	!= NULL since it undefined behavior on Linux. From Björn Sandell
+	
+2005-10-12  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftp/ftp.1: document -x
+	
+	* ftp/security.h: implement cprotect (from MIT)
+	
+	* ftp/security.c: add -x (encrypt) option; implement cprotect
+	(from MIT); make sure we CCC if switching to clear-text command
+	channel
+
+	* ftp/cmdtab.c: implement cprotect (from MIT)
+	
+	* ftp/ruserpass.c: if doing command line encryption (-x), ignore
+	prot commands in .netrc
+
+	* ftp/ftp_var.h: add -x (encrypt) option
+	
+	* ftp/globals.c: add -x (encrypt) option
+	
+	* ftp/main.c: add -x (encrypt) option
+	
+2005-07-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ftpd/ftpcmd.y: Fix shadow warning.
+
+	* ftp/security.c: Fix shadow warning.
+	* ftp/security.c: Fix shadow warnings.
+	
+	* ftp/ruserpass.c: Fix shadow warnings.
+
+	* ftp/ftp.c: Fix shadow warnings.
+	
+	* ftp/cmds.c: fix shadow warnings
+
+	* Add Kerberos 5 klist, old patch from Tomas Nyström (remove krb4
+	support). Support klist in client for kerberos 5 clase.
+	Clean up delegation of gss tokens and do afslog.
+
+2005-07-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ftp/gssapi.c (gss_adat): avoid leaking memory
+	(gss_auth): always try next kname if there is one, independant of
+	min_stat
+
+	* ftp/gssapi.c: avoid const warning, use sin4 instead of sin to
+	avoid shadow warning, free target_name
+
+2005-07-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ftp/security.c: keep track of if CCC was passed
+
+	* ftpd/extern.h: variable to keep track of if CCC was passed
+
+	* ftpd/ftpcmd.y: sprinkel check_secure, check if CCC was passed in
+	check_secure
+
+2005-06-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ftpd/ftpd.c (filename_check): change signednes of p to avoid
+	warning, move typecasts
+
+2005-05-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ftpd/ftpd.c: avoid 'unused variable' warnings
+
+2005-05-10  David Love  <fx@gnu.org>
+
+	* ftpd/pathnames.h: #ifdef protect _PATH_ISSUE
+
+2005-04-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ftp/domacro.c: handle string trunctions
+
+2005-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ftp/security.c: use strlcat
+	
+	* ftp/domacro.c: use strlcpy
+	
+2005-04-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ftp/security.c: cast size_t to unsigned long
+
+2005-04-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ftpd/ftpd.c (statcmd): cast argument to isdigit to unsigned char
+
+	* ftp/cmds.c (mget): cast char to unsigned char to make sure its
+	not negative when passing it to tolower
+
+2005-04-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ftp/ftp.c: fix 3 'var' might be used uninitialized warnings
+
+2005-04-04 Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ftp/cmds.c: MacOS is also a unix that doesn't define
+	__unix__/unix While here, rewrite this part of the function to not
+	modify that string, but rather take a copy of it and them modify
+	is, all this just to pacify gcc
+	
+2005-01-09 Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ftp/domacro.c: cast argument to is* to unsigned char
+
+	* ftp/ftp.c: cast argument to tolower to unsigned char
+
+2004-08-20 Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ftp/ftp.c: send ABOR protect with security layer if its there
 
 	* ftpd/{ftpd_locl.h, extern.h, ftpcmd.y, ftpd.8, ftpd.c}:
 	Remove all traces of setjmp/longjmp.
@@ -12,51 +195,95 @@
 	most places since the code no longer look and is structured the same
 	way.
 
-	extern.h: 1.25
-	ftpcmd.y: 1.65
-	ftpd.8: 1.22
-	ftpd.c: 1.170
-	ftpd_locl.h: 1.14
+2004-08-16  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftp/main.c: reverse help strings for --no-gss-bindings and
+	--no-gss-delegate
+
+2004-06-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ftpd/ftpcmd.y: make cbuf 64k to handle lager tickets From:
+	MAAAAA MOOOR <huaraz@btinternet.com>
 	
-2004-06-21  Love Hörnquist Åstrand <lha@it.su.se>
+2004-03-14  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* ftpd/ftpcmd.y: 1.64: make cbuf 64k to handle lager tickets From:
-	MAAAAA MOOOR <huaraz@btinternet.com> 1.63: strncasecmp returns
-	integer so don't compare with NULL
+	* ftpd/ftpd.c (main): setpag if there is krb4 OR krb5 support
 	
-2004-03-14  Love Hörnquist Åstrand <lha@it.su.se>
+2003-12-19  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* ftpd/ftpd.c: 1.169: (main): setpag if there is krb4 OR krb5
-	support
+	* ftp/security.h: add ftp_do_gss_delegate
+	
+	* ftp/main.c (getargs): negative flag for delegating gss creds
+	
+	* ftp/gssapi.c (ftp_do_gss_delegate): delegate creds (default on)
+	
+2003-09-03  Love Hörnquist Åstrand  <lha@it.su.se>
 
-2003-08-20  Love Hörnquist Åstrand <lha@it.su.se>
+	* ftp/ftp.c: s/des_read_pw_string/UI_UTIL_read_pw_string/
+	
+	* ftp/cmds.c: s/des_read_pw_string/UI_UTIL_read_pw_string/
+	
+2003-07-19  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* ftpd/ftpd.8: 1.20->1.21: document --gss-bindings
+	* ftp/security.h: add ftp_do_gss_bindings
+	
+	* ftp/ftp.1: fix mdoc bug
 	
-	* ftpd/ftpd.c: 1.166->1.168: wrap gssapi stuff with KRB5,
-	(args): add gss-bindings
+	* ftp/ftp.1: document --no-gss-bindings
 
-	* ftp/main.c: 1.33->1.35: wrap gssapi stuff with KRB5,
-	(args): add gss-bindings
+	* ftp/gssapi.c: Optionally support gss bindings, client does it by
+	default, server not.  This is to make it work for clients behind
+	NAT.
+
+	* ftp/main.c (args): add gss-bindings
 	(main): set ftp_do_gss_bindings to 1 to make client use them
+
+	* ftpd/ftpd.c (args): add gss-bindings
+	
+	* ftpd/ftpd.8: document --gss-bindings
+	
+2003-06-13  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftp/gssapi.c (gss_adat): fix name allocation bug
+
+2003-05-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ftpd/gss_userok.c (gss_userok): release delegated cred handle
+	
+	* ftp/gssapi.c (gss_adat): remove poking inside the delegated
+	handle, also fixes problem where to much memory was allocated
+	
+	* ftpd/gss_userok.c (gss_userok): remove poking inside the
+	delegated handle
+
+2003-05-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ftpd/ftpcmd.y: support afslog <cell> and afslog when compiled
+	with krb5
+
+2003-05-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ftp/cmdtab.c: include afslog in both the krb4 and krb5 case
+	
+	* ftp/kauth.c: include afslog in both the krb4 and krb5 case
+	
+	* ftp/Makefile.am: always include auth.c
 	
-	* ftp/security.h: 1.9->1.10: add ftp_do_gss_bindings
+2003-05-07  Love Hörnquist Åstrand  <lha@it.su.se>
 	
-	* ftp/gssapi.c: 1.24->1.25: Optionally support gss bindings,
-	client does it by default, server not.  This is to make it work
-	for clients behind NAT.
+	* ftpd/Makefile.am: always include auth.c
 
-	* ftp/ftp.1: 1.12->1.15: gssapi bindings + madoc fixes
+	* ftpd/kauth.c: do afslog in the krb5 case too
 	
-2003-08-15  Love Hörnquist Åstrand <lha@it.su.se>
+2003-04-22  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* ftp/gssapi.c: 1.23->1.24: (gss_adat): fix name allocation bug
+	* ftp/ftp.1: replace > with \*[Gt]
 	
-2003-04-16  Love Hörnquist Åstrand <lha@it.su.se>
+2003-04-16  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* ftpd/ftpd.c: make sure argument to is* functions are unsigned
 	
-2003-04-06  Love Hörnquist Åstrand <lha@it.su.se>
+2003-04-06  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* ftpd/ftpd.8: s/kerberos/Kerberos/
 	
@@ -64,7 +291,7 @@
 
 	* ftpd/pathnames.h (_PATH_FTPUSERS): conditionalize
 
-2003-03-18  Love Hörnquist Åstrand <lha@it.su.se>
+2003-03-18  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* ftpd/ftpd.c (krb5_verify): always do krb5_afslog, remove setpag
 	(its done in main)
@@ -78,17 +305,17 @@
 
 	* ftpd/ftpd_locl.h: always include kafs
 	
-2003-03-16  Love Hörnquist Åstrand <lha@it.su.se>
+2003-03-16  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* ftp/gssapi.c (gss_adat): now that gss_export_name exports a
 	principal, bandaid with gss_display_name, and check that oid is
 	GSS_KRB5_NT_PRINCIPAL_NAME, also free memory
 	
-2003-02-25  Love Hörnquist Åstrand <lha@it.su.se>
+2003-02-25  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* ftp/gssapi.c (gss_auth): print out the name we authenticated too
 	
-2003-02-25  Love Hörnquist Åstrand <lha@it.su.se>
+2003-02-25  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* ftpd/ls.c: use readlink with bufsize - 1, From NetBSD
 
diff --git a/crypto/heimdal/appl/ftp/Makefile.am b/crypto/heimdal/appl/ftp/Makefile.am
index f8831a3..44116ee 100644
--- a/crypto/heimdal/appl/ftp/Makefile.am
+++ b/crypto/heimdal/appl/ftp/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.5 1999/03/20 13:58:14 joda Exp $
+# $Id: Makefile.am 5652 1999-03-20 13:58:20Z joda $
 
 include $(top_srcdir)/Makefile.am.common
 
diff --git a/crypto/heimdal/appl/ftp/Makefile.in b/crypto/heimdal/appl/ftp/Makefile.in
index c1b7c39..3bb9eda 100644
--- a/crypto/heimdal/appl/ftp/Makefile.in
+++ b/crypto/heimdal/appl/ftp/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,20 +14,16 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.5 1999/03/20 13:58:14 joda Exp $
+# $Id: Makefile.am 5652 1999-03-20 13:58:20Z joda $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -39,6 +35,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -46,16 +43,14 @@ DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 subdir = appl/ftp
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -68,6 +63,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -76,16 +72,20 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
 depcomp =
@@ -94,22 +94,19 @@ SOURCES =
 DIST_SOURCES =
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	html-recursive info-recursive install-data-recursive \
-	install-exec-recursive install-info-recursive \
-	install-recursive installcheck-recursive installdirs-recursive \
-	pdf-recursive ps-recursive uninstall-info-recursive \
-	uninstall-recursive
+	install-dvi-recursive install-exec-recursive \
+	install-html-recursive install-info-recursive \
+	install-pdf-recursive install-ps-recursive install-recursive \
+	installcheck-recursive installdirs-recursive pdf-recursive \
+	ps-recursive uninstall-recursive
+RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
+  distclean-recursive maintainer-clean-recursive
 ETAGS = etags
 CTAGS = ctags
 DIST_SUBDIRS = $(SUBDIRS)
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -119,8 +116,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -131,11 +126,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -143,42 +137,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -196,12 +175,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -211,15 +187,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -228,6 +203,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -239,15 +215,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -255,74 +226,79 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -339,12 +315,13 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 SUBDIRS = common ftp ftpd
 all: all-recursive
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -381,10 +358,6 @@ mostlyclean-libtool:
 clean-libtool:
 	-rm -rf .libs _libs
 
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
-
 # This directory's subdirectories are mostly independent; you can cd
 # into them and run `make' without going through this Makefile.
 # To change the values of `make' variables: instead of editing Makefiles,
@@ -392,7 +365,13 @@ uninstall-info-am:
 #     (which will cause the Makefiles to be regenerated when you run `make');
 # (2) otherwise, pass the desired values on the `make' command line.
 $(RECURSIVE_TARGETS):
-	@set fnord $$MAKEFLAGS; amf=$$2; \
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
 	dot_seen=no; \
 	target=`echo $@ | sed s/-recursive//`; \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
@@ -404,15 +383,20 @@ $(RECURSIVE_TARGETS):
 	    local_target="$$target"; \
 	  fi; \
 	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
-	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	  || eval $$failcom; \
 	done; \
 	if test "$$dot_seen" = "no"; then \
 	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
 	fi; test -z "$$fail"
 
-mostlyclean-recursive clean-recursive distclean-recursive \
-maintainer-clean-recursive:
-	@set fnord $$MAKEFLAGS; amf=$$2; \
+$(RECURSIVE_CLEAN_TARGETS):
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
 	dot_seen=no; \
 	case "$@" in \
 	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
@@ -433,7 +417,7 @@ maintainer-clean-recursive:
 	    local_target="$$target"; \
 	  fi; \
 	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
-	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	  || eval $$failcom; \
 	done && test -z "$$fail"
 tags-recursive:
 	list='$(SUBDIRS)'; for subdir in $$list; do \
@@ -458,14 +442,16 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	if (etags --etags-include --version) >/dev/null 2>&1; then \
+	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
 	  include_option=--etags-include; \
+	  empty_fix=.; \
 	else \
 	  include_option=--include; \
+	  empty_fix=; \
 	fi; \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
-	    test -f $$subdir/TAGS && \
+	    test ! -f $$subdir/TAGS || \
 	      tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \
 	  fi; \
 	done; \
@@ -475,9 +461,11 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS: ctags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -502,23 +490,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../.. $(distdir)/../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -529,15 +515,19 @@ distdir: $(DISTFILES)
 	    || exit 1; \
 	  fi; \
 	done
-	list='$(SUBDIRS)'; for subdir in $$list; do \
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
 	    test -d "$(distdir)/$$subdir" \
-	    || mkdir "$(distdir)/$$subdir" \
+	    || $(MKDIR_P) "$(distdir)/$$subdir" \
 	    || exit 1; \
+	    distdir=`$(am__cd) $(distdir) && pwd`; \
+	    top_distdir=`$(am__cd) $(top_distdir) && pwd`; \
 	    (cd $$subdir && \
 	      $(MAKE) $(AM_MAKEFLAGS) \
-	        top_distdir="../$(top_distdir)" \
-	        distdir="../$(distdir)/$$subdir" \
+	        top_distdir="$$top_distdir" \
+	        distdir="$$distdir/$$subdir" \
+		am__remove_distdir=: \
+		am__skip_length_check=: \
 	        distdir) \
 	      || exit 1; \
 	  fi; \
@@ -570,7 +560,7 @@ mostlyclean-generic:
 clean-generic:
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -581,8 +571,7 @@ clean-am: clean-generic clean-libtool mostlyclean-am
 
 distclean: distclean-recursive
 	-rm -f Makefile
-distclean-am: clean-am distclean-generic distclean-libtool \
-	distclean-tags
+distclean-am: clean-am distclean-generic distclean-tags
 
 dvi: dvi-recursive
 
@@ -598,14 +587,22 @@ install-data-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-recursive
+
 install-exec-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-recursive
+
 install-info: install-info-recursive
 
 install-man:
 
+install-pdf: install-pdf-recursive
+
+install-ps: install-ps-recursive
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-recursive
@@ -624,22 +621,27 @@ ps: ps-recursive
 
 ps-am:
 
-uninstall-am: uninstall-info-am
-
-uninstall-info: uninstall-info-recursive
-
-.PHONY: $(RECURSIVE_TARGETS) CTAGS GTAGS all all-am all-local check \
-	check-am check-local clean clean-generic clean-libtool \
-	clean-recursive ctags ctags-recursive distclean \
-	distclean-generic distclean-libtool distclean-recursive \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-exec \
-	install-exec-am install-info install-info-am install-man \
-	install-strip installcheck installcheck-am installdirs \
-	installdirs-am maintainer-clean maintainer-clean-generic \
-	maintainer-clean-recursive mostlyclean mostlyclean-generic \
-	mostlyclean-libtool mostlyclean-recursive pdf pdf-am ps ps-am \
-	tags tags-recursive uninstall uninstall-am uninstall-info-am
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \
+	install-data-am install-exec-am install-strip uninstall-am
+
+.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
+	all all-am all-local check check-am check-local clean \
+	clean-generic clean-libtool ctags ctags-recursive dist-hook \
+	distclean distclean-generic distclean-libtool distclean-tags \
+	distdir dvi dvi-am html html-am info info-am install \
+	install-am install-data install-data-am install-data-hook \
+	install-dvi install-dvi-am install-exec install-exec-am \
+	install-exec-hook install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs installdirs-am maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \
+	uninstall uninstall-am uninstall-hook
 
 
 install-suid-programs:
@@ -654,8 +656,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -665,19 +667,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -693,7 +707,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -763,14 +777,39 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/appl/ftp/common/Makefile.am b/crypto/heimdal/appl/ftp/common/Makefile.am
index 4fab07b..304fcd1 100644
--- a/crypto/heimdal/appl/ftp/common/Makefile.am
+++ b/crypto/heimdal/appl/ftp/common/Makefile.am
@@ -1,8 +1,8 @@
-# $Id: Makefile.am,v 1.9 1999/07/28 21:15:06 assar Exp $
+# $Id: Makefile.am 14164 2004-08-26 11:55:29Z joda $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += $(INCLUDE_krb4) 
+AM_CPPFLAGS += $(INCLUDE_krb4) 
 
 noinst_LIBRARIES = libcommon.a
 
diff --git a/crypto/heimdal/appl/ftp/common/Makefile.in b/crypto/heimdal/appl/ftp/common/Makefile.in
index 02e525f..1c5338a 100644
--- a/crypto/heimdal/appl/ftp/common/Makefile.in
+++ b/crypto/heimdal/appl/ftp/common/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,23 +14,17 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.9 1999/07/28 21:15:06 assar Exp $
+# $Id: Makefile.am 14164 2004-08-26 11:55:29Z joda $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
-SOURCES = $(libcommon_a_SOURCES)
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -42,6 +36,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -49,16 +44,14 @@ DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 subdir = appl/ftp/common
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -71,6 +64,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -79,48 +73,47 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
-ARFLAGS = cru
 LIBRARIES = $(noinst_LIBRARIES)
+ARFLAGS = cru
 libcommon_a_AR = $(AR) $(ARFLAGS)
 libcommon_a_LIBADD =
 am_libcommon_a_OBJECTS = sockbuf.$(OBJEXT) buffer.$(OBJEXT)
 libcommon_a_OBJECTS = $(am_libcommon_a_OBJECTS)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
 SOURCES = $(libcommon_a_SOURCES)
 DIST_SOURCES = $(libcommon_a_SOURCES)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -130,8 +123,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -142,11 +133,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -154,42 +144,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -207,12 +182,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -222,15 +194,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -239,6 +210,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -250,15 +222,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -266,74 +233,80 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) 
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	$(INCLUDE_krb4)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -350,6 +323,7 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 noinst_LIBRARIES = libcommon.a
 libcommon_a_SOURCES = \
@@ -360,7 +334,7 @@ libcommon_a_SOURCES = \
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -419,10 +393,6 @@ mostlyclean-libtool:
 clean-libtool:
 	-rm -rf .libs _libs
 
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
-
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -443,9 +413,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -470,23 +442,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../../.. $(distdir)/../../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -524,7 +494,7 @@ mostlyclean-generic:
 clean-generic:
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -537,7 +507,7 @@ clean-am: clean-generic clean-libtool clean-noinstLIBRARIES \
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -553,14 +523,22 @@ install-data-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man:
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -580,19 +558,26 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-info-am
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
 
 .PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
 	clean clean-generic clean-libtool clean-noinstLIBRARIES ctags \
-	distclean distclean-compile distclean-generic \
+	dist-hook distclean distclean-compile distclean-generic \
 	distclean-libtool distclean-tags distdir dvi dvi-am html \
 	html-am info info-am install install-am install-data \
-	install-data-am install-exec install-exec-am install-info \
-	install-info-am install-man install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-info-am
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am uninstall-hook
 
 
 install-suid-programs:
@@ -607,8 +592,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -618,19 +603,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -646,7 +643,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -716,14 +713,39 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/appl/ftp/common/buffer.c b/crypto/heimdal/appl/ftp/common/buffer.c
index ba7773b..3bca113 100644
--- a/crypto/heimdal/appl/ftp/common/buffer.c
+++ b/crypto/heimdal/appl/ftp/common/buffer.c
@@ -36,7 +36,7 @@
 #include <err.h>
 #include "roken.h"
 
-RCSID("$Id: buffer.c,v 1.4 2000/10/23 04:49:25 joda Exp $");
+RCSID("$Id: buffer.c 9129 2000-10-23 04:49:25Z joda $");
 
 /*
  * Allocate a buffer enough to handle st->st_blksize, if
diff --git a/crypto/heimdal/appl/ftp/common/common.h b/crypto/heimdal/appl/ftp/common/common.h
index 5949b25..7616859 100644
--- a/crypto/heimdal/appl/ftp/common/common.h
+++ b/crypto/heimdal/appl/ftp/common/common.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: common.h,v 1.12 1999/12/02 16:58:29 joda Exp $ */
+/* $Id: common.h 7463 1999-12-02 16:58:55Z joda $ */
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
diff --git a/crypto/heimdal/appl/ftp/common/sockbuf.c b/crypto/heimdal/appl/ftp/common/sockbuf.c
index 460cc6f..bb9068a 100644
--- a/crypto/heimdal/appl/ftp/common/sockbuf.c
+++ b/crypto/heimdal/appl/ftp/common/sockbuf.c
@@ -39,7 +39,7 @@
 #include <sys/socket.h>
 #endif
 
-RCSID("$Id: sockbuf.c,v 1.3 1999/12/02 16:58:29 joda Exp $");
+RCSID("$Id: sockbuf.c 7463 1999-12-02 16:58:55Z joda $");
 
 void
 set_buffer_size(int fd, int read)
diff --git a/crypto/heimdal/appl/ftp/ftp/Makefile.am b/crypto/heimdal/appl/ftp/ftp/Makefile.am
index 9f4927d..24679dc 100644
--- a/crypto/heimdal/appl/ftp/ftp/Makefile.am
+++ b/crypto/heimdal/appl/ftp/ftp/Makefile.am
@@ -1,15 +1,15 @@
-# $Id: Makefile.am,v 1.15 2001/08/28 08:31:21 assar Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += -I$(srcdir)/../common $(INCLUDE_readline) $(INCLUDE_krb4) $(INCLUDE_des)
+AM_CPPFLAGS += -I$(srcdir)/../common $(INCLUDE_readline) $(INCLUDE_krb4) $(INCLUDE_hcrypto)
 
 bin_PROGRAMS = ftp
 
 CHECK_LOCAL = 
 
 if KRB4
-krb4_sources = krb4.c kauth.c
+krb4_sources = krb4.c
 endif
 if KRB5
 krb5_sources = gssapi.c
@@ -29,10 +29,11 @@ ftp_SOURCES = \
 	globals.c \
 	security.c \
 	security.h \
+	kauth.c \
 	$(krb4_sources) \
 	$(krb5_sources)
 
-EXTRA_ftp_SOURCES = krb4.c kauth.c gssapi.c
+EXTRA_ftp_SOURCES = krb4.c gssapi.c
 
 man_MANS = ftp.1
 
@@ -41,6 +42,8 @@ LDADD = \
 	$(LIB_gssapi) \
 	$(LIB_krb5) \
 	$(LIB_krb4) \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(LIB_roken) \
 	$(LIB_readline)
+
+EXTRA_DIST = $(man_MANS)
diff --git a/crypto/heimdal/appl/ftp/ftp/Makefile.in b/crypto/heimdal/appl/ftp/ftp/Makefile.in
index da8fef7..431d087 100644
--- a/crypto/heimdal/appl/ftp/ftp/Makefile.in
+++ b/crypto/heimdal/appl/ftp/ftp/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,23 +14,17 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.15 2001/08/28 08:31:21 assar Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
-SOURCES = $(ftp_SOURCES) $(EXTRA_ftp_SOURCES)
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -42,6 +36,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -50,16 +45,14 @@ bin_PROGRAMS = ftp$(EXEEXT)
 subdir = appl/ftp/ftp
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -72,6 +65,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -80,16 +74,20 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
 am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)"
@@ -97,35 +95,31 @@ binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(bin_PROGRAMS)
 am__ftp_SOURCES_DIST = cmds.c cmdtab.c extern.h ftp.c ftp_locl.h \
 	ftp_var.h main.c pathnames.h ruserpass.c domacro.c globals.c \
-	security.c security.h krb4.c kauth.c gssapi.c
-@KRB4_TRUE@am__objects_1 = krb4.$(OBJEXT) kauth.$(OBJEXT)
+	security.c security.h kauth.c krb4.c gssapi.c
+@KRB4_TRUE@am__objects_1 = krb4.$(OBJEXT)
 @KRB5_TRUE@am__objects_2 = gssapi.$(OBJEXT)
 am_ftp_OBJECTS = cmds.$(OBJEXT) cmdtab.$(OBJEXT) ftp.$(OBJEXT) \
 	main.$(OBJEXT) ruserpass.$(OBJEXT) domacro.$(OBJEXT) \
-	globals.$(OBJEXT) security.$(OBJEXT) $(am__objects_1) \
-	$(am__objects_2)
+	globals.$(OBJEXT) security.$(OBJEXT) kauth.$(OBJEXT) \
+	$(am__objects_1) $(am__objects_2)
 ftp_OBJECTS = $(am_ftp_OBJECTS)
 ftp_LDADD = $(LDADD)
-@KRB5_TRUE@am__DEPENDENCIES_1 =  \
-@KRB5_TRUE@	$(top_builddir)/lib/gssapi/libgssapi.la
-@KRB5_TRUE@am__DEPENDENCIES_2 = $(top_builddir)/lib/krb5/libkrb5.la \
-@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
-am__DEPENDENCIES_3 =
-ftp_DEPENDENCIES = ../common/libcommon.a $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_2) $(am__DEPENDENCIES_3) \
-	$(am__DEPENDENCIES_3) $(am__DEPENDENCIES_3) \
-	$(am__DEPENDENCIES_3)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+am__DEPENDENCIES_1 =
+ftp_DEPENDENCIES = ../common/libcommon.a $(LIB_gssapi) $(LIB_krb5) \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
 SOURCES = $(ftp_SOURCES) $(EXTRA_ftp_SOURCES)
 DIST_SOURCES = $(am__ftp_SOURCES_DIST) $(EXTRA_ftp_SOURCES)
 man1dir = $(mandir)/man1
@@ -134,13 +128,7 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -150,8 +138,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -162,11 +148,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -174,42 +159,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -227,12 +197,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -242,15 +209,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -259,6 +225,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -270,15 +237,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -286,74 +248,81 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/../common $(INCLUDE_readline) $(INCLUDE_krb4) $(INCLUDE_des)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	-I$(srcdir)/../common $(INCLUDE_readline) $(INCLUDE_krb4) \
+	$(INCLUDE_hcrypto)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -370,9 +339,10 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 CHECK_LOCAL = 
-@KRB4_TRUE@krb4_sources = krb4.c kauth.c
+@KRB4_TRUE@krb4_sources = krb4.c
 @KRB5_TRUE@krb5_sources = gssapi.c
 ftp_SOURCES = \
 	cmds.c \
@@ -388,24 +358,26 @@ ftp_SOURCES = \
 	globals.c \
 	security.c \
 	security.h \
+	kauth.c \
 	$(krb4_sources) \
 	$(krb5_sources)
 
-EXTRA_ftp_SOURCES = krb4.c kauth.c gssapi.c
+EXTRA_ftp_SOURCES = krb4.c gssapi.c
 man_MANS = ftp.1
 LDADD = \
 	../common/libcommon.a \
 	$(LIB_gssapi) \
 	$(LIB_krb5) \
 	$(LIB_krb4) \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(LIB_roken) \
 	$(LIB_readline)
 
+EXTRA_DIST = $(man_MANS)
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -437,7 +409,7 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-binPROGRAMS: $(bin_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)"
+	test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
 	@list='$(bin_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -465,7 +437,7 @@ clean-binPROGRAMS:
 	done
 ftp$(EXEEXT): $(ftp_OBJECTS) $(ftp_DEPENDENCIES) 
 	@rm -f ftp$(EXEEXT)
-	$(LINK) $(ftp_LDFLAGS) $(ftp_OBJECTS) $(ftp_LDADD) $(LIBS)
+	$(LINK) $(ftp_OBJECTS) $(ftp_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -487,13 +459,9 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 install-man1: $(man1_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man1dir)" || $(mkdir_p) "$(DESTDIR)$(man1dir)"
+	test -z "$(man1dir)" || $(MKDIR_P) "$(DESTDIR)$(man1dir)"
 	@list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -557,9 +525,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -584,23 +554,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../../.. $(distdir)/../../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -620,7 +588,7 @@ check: check-am
 all-am: Makefile $(PROGRAMS) $(MANS) all-local
 installdirs:
 	for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -641,7 +609,7 @@ mostlyclean-generic:
 clean-generic:
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -653,7 +621,7 @@ clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -669,14 +637,22 @@ install-data-am: install-man
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-binPROGRAMS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man: install-man1
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -696,23 +672,30 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-binPROGRAMS uninstall-info-am uninstall-man
+uninstall-am: uninstall-binPROGRAMS uninstall-man
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
 
 uninstall-man: uninstall-man1
 
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
 .PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
 	clean clean-binPROGRAMS clean-generic clean-libtool ctags \
-	distclean distclean-compile distclean-generic \
+	dist-hook distclean distclean-compile distclean-generic \
 	distclean-libtool distclean-tags distdir dvi dvi-am html \
 	html-am info info-am install install-am install-binPROGRAMS \
-	install-data install-data-am install-exec install-exec-am \
-	install-info install-info-am install-man install-man1 \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
-	uninstall-binPROGRAMS uninstall-info-am uninstall-man \
-	uninstall-man1
+	install-data install-data-am install-data-hook install-dvi \
+	install-dvi-am install-exec install-exec-am install-exec-hook \
+	install-html install-html-am install-info install-info-am \
+	install-man install-man1 install-pdf install-pdf-am install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \
+	uninstall-am uninstall-binPROGRAMS uninstall-hook \
+	uninstall-man uninstall-man1
 
 
 install-suid-programs:
@@ -727,8 +710,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -738,19 +721,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -766,7 +761,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -836,14 +831,39 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/appl/ftp/ftp/cmds.c b/crypto/heimdal/appl/ftp/ftp/cmds.c
index a7928eb..86f4ff4 100644
--- a/crypto/heimdal/appl/ftp/ftp/cmds.c
+++ b/crypto/heimdal/appl/ftp/ftp/cmds.c
@@ -36,7 +36,7 @@
  */
 
 #include "ftp_locl.h"
-RCSID("$Id: cmds.c,v 1.44 2001/08/05 06:39:14 assar Exp $");
+RCSID("$Id: cmds.c 15673 2005-07-19 18:19:33Z lha $");
 
 typedef void (*sighand)(int);
 
@@ -142,7 +142,7 @@ setpeer(int argc, char **argv)
 		if (autologin)
 			login(argv[1]);
 
-#if (defined(unix) || defined(__unix__) || defined(__unix) || defined(_AIX) || defined(_CRAY) || defined(__NetBSD__)) && NBBY == 8
+#if (defined(unix) || defined(__unix__) || defined(__unix) || defined(_AIX) || defined(_CRAY) || defined(__NetBSD__) || defined(__APPLE__)) && NBBY == 8
 /*
  * this ifdef is to keep someone form "porting" this to an incompatible
  * system and not checking this out. This way they have to think about it.
@@ -150,22 +150,23 @@ setpeer(int argc, char **argv)
 		overbose = verbose;
 		if (debug == 0)
 			verbose = -1;
-		if (command("SYST") == COMPLETE && overbose) {
-			char *cp, c;
-			cp = strchr(reply_string+4, ' ');
+		if (command("SYST") == COMPLETE && overbose && strlen(reply_string) > 4) {
+			char *cp, *p;
+
+			cp = strdup(reply_string + 4);
 			if (cp == NULL)
-				cp = strchr(reply_string+4, '\r');
-			if (cp) {
-				if (cp[-1] == '.')
-					cp--;
-				c = *cp;
-				*cp = '\0';
+			    errx(1, "strdup: out of memory");
+			p = strchr(cp, ' ');
+			if (p == NULL)
+				p = strchr(cp, '\r');
+			if (p) {
+				if (p[-1] == '.')
+					p--;
+				*p = '\0';
 			}
 
-			printf("Remote system type is %s.\n",
-				reply_string+4);
-			if (cp)
-				*cp = c;
+			printf("Remote system type is %s.\n", cp);
+			free(cp);
 		}
 		if (!strncmp(reply_string, "215 UNIX Type: L8", 17)) {
 			if (proxy)
@@ -573,28 +574,28 @@ reget(int argc, char **argv)
 void
 get(int argc, char **argv)
 {
-    char *mode;
+    char *filemode;
 
     if (restart_point) {
 	if (curtype == TYPE_I)
-	    mode = "r+wb";
+	    filemode = "r+wb";
 	else
-	    mode = "r+w";
+	    filemode = "r+w";
     } else {
 	if (curtype == TYPE_I)
-	    mode = "wb";
+	    filemode = "wb";
 	else
-	    mode = "w";
+	    filemode = "w";
     }
 
-    getit(argc, argv, 0, mode);
+    getit(argc, argv, 0, filemode);
 }
 
 /*
  * Receive one file.
  */
 int
-getit(int argc, char **argv, int restartit, char *mode)
+getit(int argc, char **argv, int restartit, char *filemode)
 {
 	int loc = 0;
 	int local_given = 1;
@@ -695,7 +696,7 @@ getit(int argc, char **argv, int restartit, char *mode)
 		}
 	}
 
-	recvrequest("RETR", argv[2], argv[1], mode,
+	recvrequest("RETR", argv[2], argv[1], filemode,
 		    argv[1] != oldargv1 || argv[2] != oldargv2, local_given);
 	restart_point = 0;
 	return (0);
@@ -736,7 +737,7 @@ mget(int argc, char **argv)
 		if (mflag && confirm(argv[0], cp)) {
 			tp = cp;
 			if (mcase) {
-				for (tp2 = tmpbuf; (ch = *tp++);)
+				for (tp2 = tmpbuf;(ch = (unsigned char)*tp++);)
 					*tp2++ = tolower(ch);
 				*tp2 = '\0';
 				tp = tmpbuf;
@@ -772,7 +773,7 @@ remglob(char **argv, int doswitch)
     static FILE *ftemp = NULL;
     static char **args;
     int oldverbose, oldhash;
-    char *cp, *mode;
+    char *cp, *filemode;
 
     if (!mflag) {
 	if (!doglob) {
@@ -807,8 +808,8 @@ remglob(char **argv, int doswitch)
 	if (doswitch) {
 	    pswitch(!proxy);
 	}
-	for (mode = "w"; *++argv != NULL; mode = "a")
-	    recvrequest ("NLST", temp, *argv, mode, 0, 0);
+	for (filemode = "w"; *++argv != NULL; filemode = "a")
+	    recvrequest ("NLST", temp, *argv, filemode, 0, 0);
 	if (doswitch) {
 	    pswitch(!proxy);
 	}
@@ -1187,7 +1188,7 @@ mls(int argc, char **argv)
 {
 	sighand oldintr;
 	int ointer, i;
-	char *cmd, mode[1], *dest;
+	char *cmd, filemode[2], *dest;
 
 	if (argc < 2 && !another(&argc, &argv, "remote-files"))
 		goto usage;
@@ -1210,9 +1211,10 @@ usage:
 	mflag = 1;
 	oldintr = signal(SIGINT, mabort);
 	setjmp(jabort);
+	filemode[1] = '\0';
 	for (i = 1; mflag && i < argc-1; ++i) {
-		*mode = (i == 1) ? 'w' : 'a';
-		recvrequest(cmd, dest, argv[i], mode, 0, 1);
+		*filemode = (i == 1) ? 'w' : 'a';
+		recvrequest(cmd, dest, argv[i], filemode, 0, 1);
 		if (!mflag && fromatty) {
 			ointer = interactive;
 			interactive = 1;
@@ -1235,8 +1237,8 @@ shell(int argc, char **argv)
 {
 	pid_t pid;
 	RETSIGTYPE (*old1)(int), (*old2)(int);
-	char shellnam[40], *shell, *namep; 
-	int status;
+	char shellnam[40], *shellpath, *namep; 
+	int waitstatus;
 
 	old1 = signal (SIGINT, SIG_IGN);
 	old2 = signal (SIGQUIT, SIG_IGN);
@@ -1245,32 +1247,32 @@ shell(int argc, char **argv)
 			close(pid);
 		signal(SIGINT, SIG_DFL);
 		signal(SIGQUIT, SIG_DFL);
-		shell = getenv("SHELL");
-		if (shell == NULL)
-			shell = _PATH_BSHELL;
-		namep = strrchr(shell,'/');
+		shellpath = getenv("SHELL");
+		if (shellpath == NULL)
+			shellpath = _PATH_BSHELL;
+		namep = strrchr(shellpath, '/');
 		if (namep == NULL)
-			namep = shell;
+			namep = shellpath;
 		snprintf (shellnam, sizeof(shellnam),
 			  "-%s", ++namep);
 		if (strcmp(namep, "sh") != 0)
 			shellnam[0] = '+';
 		if (debug) {
-			printf ("%s\n", shell);
+			printf ("%s\n", shellpath);
 			fflush (stdout);
 		}
 		if (argc > 1) {
-			execl(shell,shellnam,"-c",altarg,(char *)0);
+			execl(shellpath,shellnam,"-c",altarg,(char *)0);
 		}
 		else {
-			execl(shell,shellnam,(char *)0);
+			execl(shellpath,shellnam,(char *)0);
 		}
-		warn("%s", shell);
+		warn("%s", shellpath);
 		code = -1;
 		exit(1);
 	}
 	if (pid > 0)
-		while (waitpid(-1, &status, 0) != pid)
+		while (waitpid(-1, &waitstatus, 0) != pid)
 			;
 	signal(SIGINT, old1);
 	signal(SIGQUIT, old2);
@@ -1289,7 +1291,7 @@ shell(int argc, char **argv)
 void
 user(int argc, char **argv)
 {
-	char acct[80];
+	char acctstr[80];
 	int n, aflag = 0;
 	char tmp[256];
 
@@ -1303,7 +1305,7 @@ user(int argc, char **argv)
 	n = command("USER %s", argv[1]);
 	if (n == CONTINUE) {
 	    if (argc < 3 ) {
-		des_read_pw_string (tmp,
+		UI_UTIL_read_pw_string (tmp,
 				    sizeof(tmp),
 				    "Password: ", 0);
 		argv[2] = tmp;
@@ -1314,9 +1316,9 @@ user(int argc, char **argv)
 	if (n == CONTINUE) {
 		if (argc < 4) {
 			printf("Account: "); fflush(stdout);
-			fgets(acct, sizeof(acct) - 1, stdin);
-			acct[strlen(acct) - 1] = '\0';
-			argv[3] = acct; argc++;
+			fgets(acctstr, sizeof(acctstr) - 1, stdin);
+			acctstr[strcspn(acctstr, "\r\n")] = '\0';
+			argv[3] = acctstr; argc++;
 		}
 		n = command("ACCT %s", argv[3]);
 		aflag++;
@@ -1532,15 +1534,15 @@ disconnect(int argc, char **argv)
 int
 confirm(char *cmd, char *file)
 {
-	char line[BUFSIZ];
+	char buf[BUFSIZ];
 
 	if (!interactive)
 		return (1);
 	printf("%s %s? ", cmd, file);
 	fflush(stdout);
-	if (fgets(line, sizeof line, stdin) == NULL)
+	if (fgets(buf, sizeof buf, stdin) == NULL)
 		return (0);
-	return (*line == 'y' || *line == 'Y');
+	return (*buf == 'y' || *buf == 'Y');
 }
 
 void
@@ -1581,22 +1583,22 @@ globulize(char **cpp)
 void
 account(int argc, char **argv)
 {
-	char acct[50];
+	char acctstr[50];
 
 	if (argc > 1) {
 		++argv;
 		--argc;
-		strlcpy (acct, *argv, sizeof(acct));
+		strlcpy (acctstr, *argv, sizeof(acctstr));
 		while (argc > 1) {
 			--argc;
 			++argv;
-			strlcat(acct, *argv, sizeof(acct));
+			strlcat(acctstr, *argv, sizeof(acctstr));
 		}
 	}
 	else {
-	    des_read_pw_string(acct, sizeof(acct), "Account:", 0);
+	    UI_UTIL_read_pw_string(acctstr, sizeof(acctstr), "Account:", 0);
 	}
-	command("ACCT %s", acct);
+	command("ACCT %s", acctstr);
 }
 
 jmp_buf abortprox;
@@ -2125,3 +2127,17 @@ newer(int argc, char **argv)
 		printf("Local file \"%s\" is newer than remote file \"%s\"\n",
 			argv[2], argv[1]);
 }
+
+void
+klist(int argc, char **argv)
+{
+    int ret;
+    if(argc != 1){
+	printf("usage: %s\n", argv[0]);
+	code = -1;
+	return;
+    }
+    
+    ret = command("SITE KLIST");
+    code = (ret == COMPLETE);
+}
diff --git a/crypto/heimdal/appl/ftp/ftp/cmdtab.c b/crypto/heimdal/appl/ftp/ftp/cmdtab.c
index 5dc96ef..1c65e71 100644
--- a/crypto/heimdal/appl/ftp/ftp/cmdtab.c
+++ b/crypto/heimdal/appl/ftp/ftp/cmdtab.c
@@ -105,11 +105,18 @@ char	userhelp[] =	"send new user information";
 char	verbosehelp[] =	"toggle verbose mode";
 
 char	prothelp[] = 	"set protection level";
+char	prothelp_c[] =	"set command protection level";
 #ifdef KRB4
 char	kauthhelp[] = 	"get remote tokens";
+#endif
+#if defined(KRB4) || defined(KRB5)
 char	klisthelp[] =	"show remote tickets";
+#endif
+#ifdef KRB4
 char	kdestroyhelp[] = "destroy remote tickets";
 char	krbtkfilehelp[] = "set filename of remote tickets";
+#endif
+#if defined(KRB4) || defined(KRB5)
 char	afsloghelp[] = 	"obtain remote AFS tokens";
 #endif
 
@@ -187,12 +194,20 @@ struct cmd cmdtab[] = {
 	{ "verbose",	verbosehelp,	0,	0,	0,	setverbose },
 	{ "?",		helphelp,	0,	0,	1,	help },
 
-	{ "prot", 	prothelp, 	0, 	1, 	0,	sec_prot },
+	{ "protect", 	prothelp, 	0, 	1, 	0,	sec_prot },
+	/* what MIT uses */
+	{ "cprotect",	prothelp_c,	0,	1,	1,	sec_prot_command },
 #ifdef KRB4
 	{ "kauth", 	kauthhelp, 	0, 	1, 	0,	kauth },
+#endif
+#if defined(KRB4) || defined(KRB5)
 	{ "klist", 	klisthelp, 	0, 	1, 	0,	klist },
+#endif
+#ifdef KRB4
 	{ "kdestroy",	kdestroyhelp,	0,	1,	0,	kdestroy },
 	{ "krbtkfile",	krbtkfilehelp,	0,	1,	0,	krbtkfile },
+#endif
+#if defined(KRB4) || defined(KRB5)
 	{ "afslog",	afsloghelp,	0,	1,	0,	afslog },
 #endif
 	
diff --git a/crypto/heimdal/appl/ftp/ftp/domacro.c b/crypto/heimdal/appl/ftp/ftp/domacro.c
index d91660d..f0be87a 100644
--- a/crypto/heimdal/appl/ftp/ftp/domacro.c
+++ b/crypto/heimdal/appl/ftp/ftp/domacro.c
@@ -32,7 +32,7 @@
  */
 
 #include "ftp_locl.h"
-RCSID("$Id: domacro.c,v 1.7 1999/09/16 20:37:29 assar Exp $");
+RCSID("$Id: domacro.c 14951 2005-04-25 13:09:26Z lha $");
 
 void
 domacro(int argc, char **argv)
@@ -60,24 +60,29 @@ domacro(int argc, char **argv)
 TOP:
 	cp1 = macros[i].mac_start;
 	while (cp1 != macros[i].mac_end) {
-		while (isspace(*cp1)) {
+		while (isspace((unsigned char)*cp1)) {
 			cp1++;
 		}
 		cp2 = line;
 		while (*cp1 != '\0') {
+		      size_t len;
 		      switch(*cp1) {
 		   	    case '\\':
-				 *cp2++ = *++cp1;
+				if (line + sizeof(line) - 2 < cp2)
+				    goto out;
+				*cp2++ = *++cp1;
 				 break;
 			    case '$':
-				 if (isdigit(*(cp1+1))) {
+				 if (isdigit((unsigned char)*(cp1+1))) {
 				    j = 0;
-				    while (isdigit(*++cp1)) {
+				    while (isdigit((unsigned char)*++cp1)) {
 					  j = 10*j +  *cp1 - '0';
 				    }
 				    cp1--;
 				    if (argc - 2 >= j) {
-					strcpy(cp2, argv[j+1]);
+					len = sizeof(line) - (cp2 - line) - 1;
+					if (strlcpy(cp2, argv[j+1], len) >= len)
+					    goto out;
 					cp2 += strlen(argv[j+1]);
 				    }
 				    break;
@@ -86,13 +91,17 @@ TOP:
 					loopflg = 1;
 					cp1++;
 					if (count < argc) {
-					   strcpy(cp2, argv[count]);
+					   len = sizeof(line) - (cp2 - line) - 1;
+					   if (strlcpy(cp2, argv[count], len) >= len)
+					       goto out;
 					   cp2 += strlen(argv[count]);
 					}
 					break;
 				}
 				/* intentional drop through */
 			    default:
+				if (line + sizeof(line) - 2 < cp2)
+				    goto out;
 				*cp2++ = *cp1;
 				break;
 		      }
@@ -100,6 +109,7 @@ TOP:
 			 cp1++;
 		      }
 		}
+	out:
 		*cp2 = '\0';
 		makeargv();
 		c = getcmd(margv[0]);
@@ -123,7 +133,7 @@ TOP:
 			if (bell && c->c_bell) {
 				putchar('\007');
 			}
-			strcpy(line, line2);
+			strlcpy(line, line2, sizeof(line));
 			makeargv();
 			argc = margc;
 			argv = margv;
diff --git a/crypto/heimdal/appl/ftp/ftp/extern.h b/crypto/heimdal/appl/ftp/ftp/extern.h
index 337bed6..a38ccd9 100644
--- a/crypto/heimdal/appl/ftp/ftp/extern.h
+++ b/crypto/heimdal/appl/ftp/ftp/extern.h
@@ -33,7 +33,7 @@
  *	@(#)extern.h	8.3 (Berkeley) 10/9/94
  */
 
-/* $Id: extern.h,v 1.19 2000/09/19 13:15:12 assar Exp $ */
+/* $Id: extern.h 9075 2000-09-19 13:15:12Z assar $ */
 
 #include <setjmp.h>
 #include <stdlib.h>
diff --git a/crypto/heimdal/appl/ftp/ftp/ftp.1 b/crypto/heimdal/appl/ftp/ftp/ftp.1
index 282aab8..5b8b8f6 100644
--- a/crypto/heimdal/appl/ftp/ftp/ftp.1
+++ b/crypto/heimdal/appl/ftp/ftp/ftp.1
@@ -33,7 +33,7 @@
 .\"
 .\"	@(#)ftp.1	8.3 (Berkeley) 10/9/94
 .\"
-.Dd April 27, 1996
+.Dd March 23, 2006
 .Dt FTP 1
 .Os BSD 4.2
 .Sh NAME
@@ -43,30 +43,35 @@
 file transfer program
 .Sh SYNOPSIS
 .Nm ftp
-.Op Fl t
-.Op Fl v
+.Op Fl K
 .Op Fl d
+.Op Fl g
 .Op Fl i
+.Op Fl l
 .Op Fl n
-.Op Fl g
 .Op Fl p
-.Op Fl l
+.Op Fl t
+.Op Fl v
+.Op Fl x
 .Op Fl -no-gss-bindings
+.Op Fl -no-gss-delegate
 .Op Ar host
 .Sh DESCRIPTION
-.Nm Ftp
+.Nm
 is the user interface to the
 .Tn ARPANET
 standard File Transfer Protocol.
 The program allows a user to transfer files to and from a
 remote network site.
 .Pp
-Modifications has been made so that it almost follows the ftpsec
-Internet draft.
+Modifications have been made so that it almost follows the FTP
+Security Extensions, RFC 2228.
 .Pp
 Options may be specified at the command line, or to the
 command interpreter.
 .Bl -tag -width flag
+.It Fl K
+Disable Kerberos authentication.
 .It Fl t
 Enables packet tracing.
 .It Fl v
@@ -98,10 +103,15 @@ Turn on passive mode.
 Enables debugging.
 .It Fl g
 Disables file name globbing.
-.It Fl -no-gss-bindings
-use GSS-API bindings when talking to peer (ie make sure IP addresses match).
+ .It Fl -no-gss-bindings
+Don't use GSS-API bindings when talking to peer. IP addresses will not
+be checked to ensure they match.
+.It Fl -no-gss-delegate
+Disable delegation of GSSAPI credentials.
 .It Fl l
 Disables command line editing.
+.It Fl x
+Encrypt command and data channel.
 .El
 .Pp
 The client host with which
diff --git a/crypto/heimdal/appl/ftp/ftp/ftp.c b/crypto/heimdal/appl/ftp/ftp/ftp.c
index a6cb90e..0a00bd2 100644
--- a/crypto/heimdal/appl/ftp/ftp/ftp.c
+++ b/crypto/heimdal/appl/ftp/ftp/ftp.c
@@ -32,7 +32,7 @@
  */
 
 #include "ftp_locl.h"
-RCSID ("$Id: ftp.c,v 1.75.2.1 2004/08/20 14:59:06 lha Exp $");
+RCSID ("$Id: ftp.c 16650 2006-01-24 08:16:08Z lha $");
 
 struct sockaddr_storage hisctladdr_ss;
 struct sockaddr *hisctladdr = (struct sockaddr *)&hisctladdr_ss;
@@ -79,6 +79,7 @@ hookup (const char *host, int port)
     strlcpy (hostnamebuf, host, sizeof(hostnamebuf));
     hostname = hostnamebuf;
 
+    s = -1;
     for (a = ai; a != NULL; a = a->ai_next) {
 	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
 	if (s < 0)
@@ -100,12 +101,13 @@ hookup (const char *host, int port)
 			     
 	    warn ("connect %s", addrstr);
 	    close (s);
+	    s = -1;
 	    continue;
 	}
 	break;
     }
     freeaddrinfo (ai);
-    if (error < 0) {
+    if (s < 0) {
 	warnx ("failed to contact %s", host);
 	code = -1;
 	return NULL;
@@ -164,7 +166,7 @@ login (char *host)
 {
     char tmp[80];
     char defaultpass[128];
-    char *user, *pass, *acct;
+    char *userstr, *pass, *acctstr;
     int n, aflag = 0;
 
     char *myname = NULL;
@@ -173,7 +175,7 @@ login (char *host)
     if (pw != NULL)
 	myname = pw->pw_name;
 
-    user = pass = acct = 0;
+    userstr = pass = acctstr = 0;
 
     if(sec_login(host))
 	printf("\n*** Using plaintext user and password ***\n\n");
@@ -181,11 +183,11 @@ login (char *host)
 	printf("Authentication successful.\n\n");
     }
 
-    if (ruserpass (host, &user, &pass, &acct) < 0) {
+    if (ruserpass (host, &userstr, &pass, &acctstr) < 0) {
 	code = -1;
 	return (0);
     }
-    while (user == NULL) {
+    while (userstr == NULL) {
 	if (myname)
 	    printf ("Name (%s:%s): ", host, myname);
 	else
@@ -194,19 +196,19 @@ login (char *host)
 	if (fgets (tmp, sizeof (tmp) - 1, stdin) != NULL)
 	    tmp[strlen (tmp) - 1] = '\0';
 	if (*tmp == '\0')
-	    user = myname;
+	    userstr = myname;
 	else
-	    user = tmp;
+	    userstr = tmp;
     }
-    strlcpy(username, user, sizeof(username));
-    n = command("USER %s", user);
+    strlcpy(username, userstr, sizeof(username));
+    n = command("USER %s", userstr);
     if (n == COMPLETE) 
        n = command("PASS dummy"); /* DK: Compatibility with gssftp daemon */
     else if(n == CONTINUE) {
 	if (pass == NULL) {
 	    char prompt[128];
 	    if(myname && 
-	       (!strcmp(user, "ftp") || !strcmp(user, "anonymous"))) {
+	       (!strcmp(userstr, "ftp") || !strcmp(userstr, "anonymous"))) {
 		snprintf(defaultpass, sizeof(defaultpass), 
 			 "%s@%s", myname, mydomain);
 		snprintf(prompt, sizeof(prompt), 
@@ -219,7 +221,7 @@ login (char *host)
 	    }
 	    if (pass == NULL) {
 		pass = defaultpass;
-		des_read_pw_string (tmp, sizeof (tmp), prompt, 0);
+		UI_UTIL_read_pw_string (tmp, sizeof (tmp), prompt, 0);
 		if (tmp[0])
 		    pass = tmp;
 	    }
@@ -228,16 +230,16 @@ login (char *host)
     }
     if (n == CONTINUE) {
 	aflag++;
-	acct = tmp;
-	des_read_pw_string (acct, 128, "Account:", 0);
-	n = command ("ACCT %s", acct);
+	acctstr = tmp;
+	UI_UTIL_read_pw_string (acctstr, 128, "Account:", 0);
+	n = command ("ACCT %s", acctstr);
     }
     if (n != COMPLETE) {
 	warnx ("Login failed.");
 	return (0);
     }
-    if (!aflag && acct != NULL)
-	command ("ACCT %s", acct);
+    if (!aflag && acctstr != NULL)
+	command ("ACCT %s", acctstr);
     if (proxy)
 	return (1);
     for (n = 0; n < macnum; ++n) {
@@ -351,7 +353,7 @@ getreply (int expecteof)
 	    continue;
 	case '\n':
 	    *p++ = '\0';
-	    if(isdigit(buf[0])){
+	    if(isdigit((unsigned char)buf[0])){
 		sscanf(buf, "%d", &code);
 		if(code == 631){
 		    code = 0;
@@ -390,15 +392,15 @@ getreply (int expecteof)
 			osa.sa_handler (SIGINT);
 #endif
 		    if (code == 227 || code == 229) {
-			char *p;
-
-			p = strchr (reply_string, '(');
-			if (p) {
-			    p++;
-			    strlcpy(pasv, p, sizeof(pasv));
-			    p = strrchr(pasv, ')');
-			    if (p)
-				*p = '\0';
+			char *q;
+
+			q = strchr (reply_string, '(');
+			if (q) {
+			    q++;
+			    strlcpy(pasv, q, sizeof(pasv));
+			    q = strrchr(pasv, ')');
+			    if (q)
+				*q = '\0';
 			}
 		    }
 		    return code / 100;
@@ -727,6 +729,8 @@ sendrequest (char *cmd, char *local, char *remote, char *lmode, int printnames)
 	case TYPE_L:
 	    rc = lseek (fileno (fin), restart_point, SEEK_SET);
 	    break;
+	default:
+	    abort();
 	}
 	if (rc < 0) {
 	    warn ("local: %s", local);
@@ -859,7 +863,7 @@ void
 recvrequest (char *cmd, char *local, char *remote,
 	     char *lmode, int printnames, int local_given)
 {
-    FILE *fout, *din = 0;
+    FILE *fout = NULL, *din = NULL;
     int (*closefunc) (FILE *);
     sighand oldintr, oldintp;
     int c, d, is_retr, tcrflag, bare_lfs = 0;
@@ -1166,7 +1170,7 @@ parse_epsv (const char *str)
 }
 
 static int
-parse_pasv (struct sockaddr_in *sin, const char *str)
+parse_pasv (struct sockaddr_in *sin4, const char *str)
 {
     int a0, a1, a2, a3, p0, p1;
 
@@ -1192,11 +1196,11 @@ parse_pasv (struct sockaddr_in *sin, const char *str)
 	printf ("Can't parse passive mode string.\n");
 	return -1;
     }
-    memset (sin, 0, sizeof(*sin));
-    sin->sin_family      = AF_INET;
-    sin->sin_addr.s_addr = htonl ((a0 << 24) | (a1 << 16) |
+    memset (sin4, 0, sizeof(*sin4));
+    sin4->sin_family      = AF_INET;
+    sin4->sin_addr.s_addr = htonl ((a0 << 24) | (a1 << 16) |
 				  (a2 << 8) | a3);
-    sin->sin_port = htons ((p0 << 8) | p1);
+    sin4->sin_port = htons ((p0 << 8) | p1);
     return 0;
 }
 
@@ -1318,10 +1322,10 @@ noport:
 	verbose = overbose;
 
 	if (result == ERROR) {
-	    struct sockaddr_in *sin = (struct sockaddr_in *)data_addr;
+	    struct sockaddr_in *sin4 = (struct sockaddr_in *)data_addr;
 
-	    unsigned int a = ntohl(sin->sin_addr.s_addr);
-	    unsigned int p = ntohs(sin->sin_port);
+	    unsigned int a = ntohl(sin4->sin_addr.s_addr);
+	    unsigned int p = ntohs(sin4->sin_port);
 
 	    if (data_addr->sa_family != AF_INET) {
 		warnx ("remote server doesn't support EPRT");
@@ -1544,7 +1548,7 @@ abortpt (int sig)
 void
 proxtrans (char *cmd, char *local, char *remote)
 {
-    sighand oldintr;
+    sighand oldintr = NULL;
     int secndflag = 0, prox_type, nfnd;
     char *cmd2;
     fd_set mask;
@@ -1616,7 +1620,8 @@ abort:
 	pswitch (1);
 	if (ptabflg)
 	    code = -1;
-	signal (SIGINT, oldintr);
+	if (oldintr)
+	    signal (SIGINT, oldintr);
 	return;
     }
     if (cpend)
@@ -1751,8 +1756,8 @@ abort_remote (FILE * din)
 	errx (1, "fd too large");
     FD_SET (fileno (cin), &mask);
     if (din) {
-    if (fileno (din) >= FD_SETSIZE)
-	errx (1, "fd too large");
+	if (fileno (din) >= FD_SETSIZE)
+	    errx (1, "fd too large");
 	FD_SET (fileno (din), &mask);
     }
     if ((nfnd = empty (&mask, 10)) <= 0) {
diff --git a/crypto/heimdal/appl/ftp/ftp/ftp_var.h b/crypto/heimdal/appl/ftp/ftp/ftp_var.h
index 3dbe6b4..75ec495 100644
--- a/crypto/heimdal/appl/ftp/ftp/ftp_var.h
+++ b/crypto/heimdal/appl/ftp/ftp/ftp_var.h
@@ -57,6 +57,7 @@ extern int	debug;			/* debugging level */
 extern int	bell;			/* ring bell on cmd completion */
 extern int	doglob;			/* glob local file names */
 extern int	autologin;		/* establish user account on connection */
+extern int	doencrypt;
 extern int	proxy;			/* proxy server connection active */
 extern int	proxflag;		/* proxy connection exists */
 extern int	sunique;		/* store files on server with unique name */
diff --git a/crypto/heimdal/appl/ftp/ftp/globals.c b/crypto/heimdal/appl/ftp/ftp/globals.c
index 8a0e1c9..52f8048 100644
--- a/crypto/heimdal/appl/ftp/ftp/globals.c
+++ b/crypto/heimdal/appl/ftp/ftp/globals.c
@@ -1,5 +1,5 @@
 #include "ftp_locl.h"
-RCSID("$Id: globals.c,v 1.8 2000/11/15 22:56:08 assar Exp $");
+RCSID("$Id: globals.c 16160 2005-10-12 09:42:47Z joda $");
 
 /*
  * Options and other state info.
@@ -15,6 +15,7 @@ int	lineedit;		/* use line-editing */
 int	debug;			/* debugging level */
 int	bell;			/* ring bell on cmd completion */
 int	doglob;			/* glob local file names */
+int	doencrypt;		/* try to use encryption */
 int	autologin;		/* establish user account on connection */
 int	proxy;			/* proxy server connection active */
 int	proxflag;		/* proxy connection exists */
diff --git a/crypto/heimdal/appl/ftp/ftp/gssapi.c b/crypto/heimdal/appl/ftp/ftp/gssapi.c
index 65742e8..9432feb 100644
--- a/crypto/heimdal/appl/ftp/ftp/gssapi.c
+++ b/crypto/heimdal/appl/ftp/ftp/gssapi.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1998 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -39,14 +39,16 @@
 #include <gssapi.h>
 #include <krb5_err.h>
 
-RCSID("$Id: gssapi.c,v 1.22.2.2 2003/08/20 16:41:24 lha Exp $");
+RCSID("$Id: gssapi.c 21513 2007-07-12 12:45:25Z lha $");
 
 int ftp_do_gss_bindings = 0;
+int ftp_do_gss_delegate = 1;
 
 struct gss_data {
     gss_ctx_id_t context_hdl;
     char *client_name;
     gss_cred_id_t delegated_cred_handle;
+    void *mech_data;
 };
 
 static int
@@ -54,7 +56,7 @@ gss_init(void *app_data)
 {
     struct gss_data *d = app_data;
     d->context_hdl = GSS_C_NO_CONTEXT;
-    d->delegated_cred_handle = NULL;
+    d->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
 #if defined(FTP_SERVER)
     return 0;
 #else
@@ -62,7 +64,7 @@ gss_init(void *app_data)
 #ifdef KRB5
     return !use_kerberos;
 #else
-    return 0
+    return 0;
 #endif /* KRB5 */
 #endif /* FTP_SERVER */
 }
@@ -130,7 +132,7 @@ gss_encode(void *app_data, void *from, int length, int level, void **to)
 }
 
 static void
-sockaddr_to_gss_address (const struct sockaddr *sa,
+sockaddr_to_gss_address (struct sockaddr *sa,
 			 OM_uint32 *addr_type,
 			 gss_buffer_desc *gss_addr)
 {
@@ -146,10 +148,10 @@ sockaddr_to_gss_address (const struct sockaddr *sa,
     }
 #endif
     case AF_INET : {
-	struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+	struct sockaddr_in *sin4 = (struct sockaddr_in *)sa;
 
 	gss_addr->length = 4;
-	gss_addr->value  = &sin->sin_addr;
+	gss_addr->value  = &sin4->sin_addr;
 	*addr_type       = GSS_C_AF_INET;
 	break;
     }
@@ -193,15 +195,6 @@ gss_adat(void *app_data, void *buf, size_t len)
     input_token.value = buf;
     input_token.length = len;
 
-    d->delegated_cred_handle = malloc(sizeof(*d->delegated_cred_handle));
-    if (d->delegated_cred_handle == NULL) {
-	reply(500, "Out of memory");
-	goto out;
-    }
-
-    memset ((char*)d->delegated_cred_handle, 0,
-	    sizeof(*d->delegated_cred_handle));
-    
     maj_stat = gss_accept_sec_context (&min_stat,
 				       &d->context_hdl,
 				       GSS_C_NO_CREDENTIAL,
@@ -222,6 +215,7 @@ gss_adat(void *app_data, void *buf, size_t len)
 	    reply(535, "Out of memory base64-encoding.");
 	    return -1;
 	}
+	gss_release_buffer(&min_stat, &output_token);
     }
     if(maj_stat == GSS_S_COMPLETE){
 	char *name;
@@ -277,11 +271,14 @@ gss_adat(void *app_data, void *buf, size_t len)
 	reply(431, "Security resource unavailable");
     }
   out:
+    if (client_name)
+	gss_release_name(&min_stat, &client_name);
     free(p);
     return 0;
 }
 
 int gss_userok(void*, char*);
+int gss_session(void*, char*);
 
 struct sec_server_mech gss_server_mech = {
     "GSSAPI",
@@ -297,7 +294,8 @@ struct sec_server_mech gss_server_mech = {
     gss_adat,
     NULL, /* pbsz */
     NULL, /* ccc */
-    gss_userok
+    gss_userok,
+    gss_session
 };
 
 #else /* FTP_SERVER */
@@ -309,12 +307,14 @@ import_name(const char *kname, const char *host, gss_name_t *target_name)
 {
     OM_uint32 maj_stat, min_stat;
     gss_buffer_desc name;
+    char *str;
 
-    name.length = asprintf((char**)&name.value, "%s@%s", kname, host);
-    if (name.value == NULL) {
+    name.length = asprintf(&str, "%s@%s", kname, host);
+    if (str == NULL) {
 	printf("Out of memory\n");
 	return AUTH_ERROR;
     }
+    name.value = str;
 
     maj_stat = gss_import_name(&min_stat,
 			       &name,
@@ -334,6 +334,7 @@ import_name(const char *kname, const char *host, gss_name_t *target_name)
 	printf("Error importing name %s: %s\n", 
 	       (char *)name.value,
 	       (char *)status_string.value);
+	free(name.value);
 	gss_release_buffer(&new_stat, &status_string);
 	return AUTH_ERROR;
     }
@@ -353,6 +354,7 @@ gss_auth(void *app_data, char *host)
     int n;
     gss_channel_bindings_t bindings;
     struct gss_data *d = app_data;
+    OM_uint32 mech_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
 
     const char *knames[] = { "ftp", "host", NULL }, **kname = knames;
 	    
@@ -380,14 +382,16 @@ gss_auth(void *app_data, char *host)
     } else
 	bindings = GSS_C_NO_CHANNEL_BINDINGS;
 
+    if (ftp_do_gss_delegate)
+	mech_flags |= GSS_C_DELEG_FLAG;
+
     while(!context_established) {
 	maj_stat = gss_init_sec_context(&min_stat,
 					GSS_C_NO_CREDENTIAL,
 					&d->context_hdl,
 					target_name,
 					GSS_C_NO_OID,
-                                        GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG
-                                          | GSS_C_DELEG_FLAG,
+                                        mech_flags,
 					0,
 					bindings,
 					&input,
@@ -400,7 +404,12 @@ gss_auth(void *app_data, char *host)
 	    OM_uint32 msg_ctx = 0;
 	    gss_buffer_desc status_string;
 
-	    if(min_stat == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN && *kname != NULL) {
+	    d->context_hdl = GSS_C_NO_CONTEXT;
+
+	    gss_release_name(&min_stat, &target_name);
+
+	    if(*kname != NULL) {
+
 		if(import_name(*kname++, host, &target_name)) {
 		    if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
 			free(bindings);
@@ -466,6 +475,8 @@ gss_auth(void *app_data, char *host)
 	}
     }
 
+    gss_release_name(&min_stat, &target_name);
+
     if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
 	free(bindings);
     if (input.value)
diff --git a/crypto/heimdal/appl/ftp/ftp/kauth.c b/crypto/heimdal/appl/ftp/ftp/kauth.c
index 613593a..36305d2 100644
--- a/crypto/heimdal/appl/ftp/ftp/kauth.c
+++ b/crypto/heimdal/appl/ftp/ftp/kauth.c
@@ -32,8 +32,10 @@
  */
 
 #include "ftp_locl.h"
+RCSID("$Id: kauth.c 15666 2005-07-19 17:08:11Z lha $");
+
+#ifdef KRB4
 #include <krb.h>
-RCSID("$Id: kauth.c,v 1.20 1999/12/02 16:58:29 joda Exp $");
 
 void
 kauth(int argc, char **argv)
@@ -142,20 +144,6 @@ kauth(int argc, char **argv)
 }
 
 void
-klist(int argc, char **argv)
-{
-    int ret;
-    if(argc != 1){
-	printf("usage: %s\n", argv[0]);
-	code = -1;
-	return;
-    }
-    
-    ret = command("SITE KLIST");
-    code = (ret == COMPLETE);
-}
-
-void
 kdestroy(int argc, char **argv)
 {
     int ret;
@@ -180,6 +168,9 @@ krbtkfile(int argc, char **argv)
     ret = command("SITE KRBTKFILE %s", argv[1]);
     code = (ret == COMPLETE);
 }
+#endif
+
+#if defined(KRB4) || defined(KRB5)
 
 void
 afslog(int argc, char **argv)
@@ -196,3 +187,7 @@ afslog(int argc, char **argv)
 	ret = command("SITE AFSLOG");
     code = (ret == COMPLETE);
 }
+
+#else
+int ftp_afslog_placeholder;
+#endif
diff --git a/crypto/heimdal/appl/ftp/ftp/krb4.c b/crypto/heimdal/appl/ftp/ftp/krb4.c
index d057ed7..408b7fa 100644
--- a/crypto/heimdal/appl/ftp/ftp/krb4.c
+++ b/crypto/heimdal/appl/ftp/ftp/krb4.c
@@ -38,7 +38,7 @@
 #endif
 #include <krb.h>
 
-RCSID("$Id: krb4.c,v 1.38 2000/06/21 02:46:09 assar Exp $");
+RCSID("$Id: krb4.c 17450 2006-05-05 11:11:43Z lha $");
 
 #ifdef FTP_SERVER
 #define LOCAL_ADDR ctrl_addr
@@ -121,7 +121,7 @@ krb4_adat(void *app_data, void *buf, size_t len)
     AUTH_DAT auth_dat;
     char *p;
     int kerror;
-    u_int32_t cs;
+    uint32_t cs;
     char msg[35]; /* size of encrypted block */
     int tmp_len;
     struct krb4_data *d = app_data;
@@ -240,7 +240,7 @@ krb4_auth(void *app_data, char *host)
     KTEXT_ST adat;
     MSG_DAT msg_data;
     int checksum;
-    u_int32_t cs;
+    uint32_t cs;
     struct krb4_data *d = app_data;
     struct sockaddr_in *localaddr  = (struct sockaddr_in *)LOCAL_ADDR;
     struct sockaddr_in *remoteaddr = (struct sockaddr_in *)REMOTE_ADDR;
diff --git a/crypto/heimdal/appl/ftp/ftp/main.c b/crypto/heimdal/appl/ftp/ftp/main.c
index 071f601..c78cd4a 100644
--- a/crypto/heimdal/appl/ftp/ftp/main.c
+++ b/crypto/heimdal/appl/ftp/ftp/main.c
@@ -38,7 +38,7 @@
 #include "ftp_locl.h"
 #include <getarg.h>
 
-RCSID("$Id: main.c,v 1.33.2.1 2003/08/20 16:43:14 lha Exp $");
+RCSID("$Id: main.c 16160 2005-10-12 09:42:47Z joda $");
 
 static int help_flag;
 static int version_flag;
@@ -61,12 +61,16 @@ struct getargs getargs[] = {
       "Packet tracing", NULL},
 #ifdef KRB5
     { "gss-bindings", 0,  arg_negative_flag, &ftp_do_gss_bindings,
-      "Use GSS-API bindings", NULL},
+      "Don't use GSS-API bindings", NULL},
+    { "gss-delegate", 0,  arg_negative_flag, &ftp_do_gss_delegate,
+      "Disable delegation of GSS-API credentials", NULL},
 #endif
     { NULL,	'v', arg_counter, &verbose,
       "verbosity", NULL},
     { NULL,	'K', arg_negative_flag, &use_kerberos,
       "Disable kerberos authentication", NULL},
+    { "encrypt", 'x', arg_flag, &doencrypt,
+      "Encrypt command and data channel if possible" },
     { "version", 0,  arg_flag, &version_flag },
     { "help",	'h', arg_flag, &help_flag },
 };
diff --git a/crypto/heimdal/appl/ftp/ftp/ruserpass.c b/crypto/heimdal/appl/ftp/ftp/ruserpass.c
index b22f699..8c0cd8d 100644
--- a/crypto/heimdal/appl/ftp/ftp/ruserpass.c
+++ b/crypto/heimdal/appl/ftp/ftp/ruserpass.c
@@ -32,7 +32,7 @@
  */
 
 #include "ftp_locl.h"
-RCSID("$Id: ruserpass.c,v 1.19 2000/01/08 07:45:11 assar Exp $");
+RCSID("$Id: ruserpass.c 16161 2005-10-12 09:44:24Z joda $");
 
 static	int token (void);
 static	FILE *cfile;
@@ -69,39 +69,39 @@ static struct toktab {
  */
 
 static char *
-guess_domain (char *hostname, size_t sz)
+guess_domain (char *hostname_str, size_t sz)
 {
     struct addrinfo *ai, *a;
     struct addrinfo hints;
     int error;
     char *dot;
 
-    if (gethostname (hostname, sz) < 0) {
-	strlcpy (hostname, "", sz);
+    if (gethostname (hostname_str, sz) < 0) {
+	strlcpy (hostname_str, "", sz);
 	return "";
     }
-    dot = strchr (hostname, '.');
+    dot = strchr (hostname_str, '.');
     if (dot != NULL)
 	return dot + 1;
 
     memset (&hints, 0, sizeof(hints));
     hints.ai_flags = AI_CANONNAME;
 
-    error = getaddrinfo (hostname, NULL, &hints, &ai);
+    error = getaddrinfo (hostname_str, NULL, &hints, &ai);
     if (error)
-	return hostname;
+	return hostname_str;
 
     for (a = ai; a != NULL; a = a->ai_next)
 	if (a->ai_canonname != NULL) {
-	    strlcpy (hostname, ai->ai_canonname, sz);
+	    strlcpy (hostname_str, ai->ai_canonname, sz);
 	    break;
 	}
     freeaddrinfo (ai);
-    dot = strchr (hostname, '.');
+    dot = strchr (hostname_str, '.');
     if (dot != NULL)
 	return dot + 1;
     else
-	return hostname;
+	return hostname_str;
 }
 
 int
@@ -256,7 +256,7 @@ next:
 	    break;
 	case PROT:
 	    token();
-	    if(sec_request_prot(tokval) < 0)
+	    if(doencrypt == 0 && sec_request_prot(tokval) < 0)
 		warnx("Unknown protection level \"%s\"", tokval);
 	    break;
 	default:
diff --git a/crypto/heimdal/appl/ftp/ftp/security.c b/crypto/heimdal/appl/ftp/ftp/security.c
index db67775..2a4803f 100644
--- a/crypto/heimdal/appl/ftp/ftp/security.c
+++ b/crypto/heimdal/appl/ftp/ftp/security.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1998-2002, 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -37,7 +37,7 @@
 #include "ftp_locl.h"
 #endif
 
-RCSID("$Id: security.c,v 1.19 2002/09/04 22:01:28 joda Exp $");
+RCSID("$Id: security.c 21225 2007-06-20 10:16:02Z lha $");
 
 static enum protection_level command_prot;
 static enum protection_level data_prot;
@@ -189,16 +189,16 @@ sec_get_data(int fd, struct buffer *buf, int level)
 }
 
 static size_t
-buffer_read(struct buffer *buf, void *data, size_t len)
+buffer_read(struct buffer *buf, void *dataptr, size_t len)
 {
     len = min(len, buf->size - buf->index);
-    memcpy(data, (char*)buf->data + buf->index, len);
+    memcpy(dataptr, (char*)buf->data + buf->index, len);
     buf->index += len;
     return len;
 }
 
 static size_t
-buffer_write(struct buffer *buf, void *data, size_t len)
+buffer_write(struct buffer *buf, void *dataptr, size_t len)
 {
     if(buf->index + len > buf->size) {
 	void *tmp;
@@ -211,29 +211,29 @@ buffer_write(struct buffer *buf, void *data, size_t len)
 	buf->data = tmp;
 	buf->size = buf->index + len;
     }
-    memcpy((char*)buf->data + buf->index, data, len);
+    memcpy((char*)buf->data + buf->index, dataptr, len);
     buf->index += len;
     return len;
 }
 
 int
-sec_read(int fd, void *data, int length)
+sec_read(int fd, void *dataptr, int length)
 {
     size_t len;
     int rx = 0;
 
     if(sec_complete == 0 || data_prot == 0)
-	return read(fd, data, length);
+	return read(fd, dataptr, length);
 
     if(in_buffer.eof_flag){
 	in_buffer.eof_flag = 0;
 	return 0;
     }
     
-    len = buffer_read(&in_buffer, data, length);
+    len = buffer_read(&in_buffer, dataptr, length);
     length -= len;
     rx += len;
-    data = (char*)data + len;
+    dataptr = (char*)dataptr + len;
     
     while(length){
 	int ret;
@@ -246,10 +246,10 @@ sec_read(int fd, void *data, int length)
 		in_buffer.eof_flag = 1;
 	    return rx;
 	}
-	len = buffer_read(&in_buffer, data, length);
+	len = buffer_read(&in_buffer, dataptr, length);
 	length -= len;
 	rx += len;
-	data = (char*)data + len;
+	dataptr = (char*)dataptr + len;
     }
     return rx;
 }
@@ -282,21 +282,21 @@ sec_fflush(FILE *F)
 }
 
 int
-sec_write(int fd, char *data, int length)
+sec_write(int fd, char *dataptr, int length)
 {
     int len = buffer_size;
     int tx = 0;
       
     if(data_prot == prot_clear)
-	return write(fd, data, length);
+	return write(fd, dataptr, length);
 
     len -= (*mech->overhead)(app_data, data_prot, len);
     while(length){
 	if(length < len)
 	    len = length;
-	sec_send(fd, data, len);
+	sec_send(fd, dataptr, len);
 	length -= len;
-	data += len;
+	dataptr += len;
 	tx += len;
     }
     return tx;
@@ -310,8 +310,11 @@ sec_vfprintf2(FILE *f, const char *fmt, va_list ap)
     if(data_prot == prot_clear)
 	return vfprintf(f, fmt, ap);
     else {
-	vasprintf(&buf, fmt, ap);
-	ret = buffer_write(&out_buffer, buf, strlen(buf));
+	int len;
+	len = vasprintf(&buf, fmt, ap);
+	if (len == -1)
+	    return len;
+	ret = buffer_write(&out_buffer, buf, len);
 	free(buf);
 	return ret;
     }
@@ -348,7 +351,7 @@ sec_read_msg(char *s, int level)
 {
     int len;
     char *buf;
-    int code;
+    int return_code;
     
     buf = malloc(strlen(s));
     len = base64_decode(s + 4, buf); /* XXX */
@@ -360,14 +363,14 @@ sec_read_msg(char *s, int level)
     buf[len] = '\0';
 
     if(buf[3] == '-')
-	code = 0;
+	return_code = 0;
     else
-	sscanf(buf, "%d", &code);
+	sscanf(buf, "%d", &return_code);
     if(buf[len-1] == '\n')
 	buf[len-1] = '\0';
     strcpy(s, buf);
     free(buf);
-    return code;
+    return return_code;
 }
 
 int
@@ -379,7 +382,10 @@ sec_vfprintf(FILE *f, const char *fmt, va_list ap)
     if(!sec_complete)
 	return vfprintf(f, fmt, ap);
     
-    vasprintf(&buf, fmt, ap);
+    if (vasprintf(&buf, fmt, ap) == -1) {
+	printf("Failed to allocate command.\n");
+	return -1;
+    }
     len = (*mech->encode)(app_data, buf, strlen(buf), command_prot, &enc);
     free(buf);
     if(len < 0) {
@@ -426,6 +432,8 @@ sec_fprintf(FILE *f, const char *fmt, ...)
 
 #ifdef FTP_SERVER
 
+int ccc_passed;
+
 void
 auth(char *auth_name)
 {
@@ -529,9 +537,10 @@ prot(char *pl)
 void ccc(void)
 {
     if(sec_complete){
-	if(mech->ccc && (*mech->ccc)(app_data) == 0)
+	if(mech->ccc && (*mech->ccc)(app_data) == 0) {
 	    command_prot = data_prot = prot_clear;
-	else
+	    ccc_passed = 1;
+	} else
 	    reply(534, "You must be joking.");
     }else
 	reply(503, "Incomplete security data exchange.");
@@ -540,13 +549,13 @@ void ccc(void)
 void mec(char *msg, enum protection_level level)
 {
     void *buf;
-    size_t len;
+    size_t len, buf_size;
     if(!sec_complete) {
 	reply(503, "Incomplete security data exchange.");
 	return;
     }
-    buf = malloc(strlen(msg) + 2); /* XXX go figure out where that 2
-				      comes from :-) */
+    buf_size = strlen(msg) + 2;
+    buf = malloc(buf_size);
     len = base64_decode(msg, buf);
     command_prot = level;
     if(len == (size_t)-1) {
@@ -560,17 +569,25 @@ void mec(char *msg, enum protection_level level)
     }
     ((char*)buf)[len] = '\0';
     if(strstr((char*)buf, "\r\n") == NULL)
-	strcat((char*)buf, "\r\n");
+	strlcat((char*)buf, "\r\n", buf_size);
     new_ftp_command(buf);
 }
 
 /* ------------------------------------------------------------ */
 
 int
-sec_userok(char *user)
+sec_userok(char *userstr)
 {
     if(sec_complete)
-	return (*mech->userok)(app_data, user);
+	return (*mech->userok)(app_data, userstr);
+    return 0;
+}
+
+int
+sec_session(char *user)
+{
+    if(sec_complete && mech->session)
+	return (*mech->session)(app_data, user);
     return 0;
 }
 
@@ -660,7 +677,15 @@ sec_prot_internal(int level)
 enum protection_level
 set_command_prot(enum protection_level level)
 {
+    int ret;
     enum protection_level old = command_prot;
+    if(level != command_prot && level == prot_clear) {
+	ret = command("CCC");
+	if(ret != COMPLETE) {
+	    printf("Failed to clear command channel.\n");
+	    return -1;
+	}
+    }
     command_prot = level;
     return old;
 }
@@ -670,8 +695,13 @@ sec_prot(int argc, char **argv)
 {
     int level = -1;
 
-    if(argc < 2 || argc > 3)
+    if(argc > 3)
 	goto usage;
+
+    if(argc == 1) {
+	sec_status();
+	return;
+    }
     if(!sec_complete) {
 	printf("No security data exchange has taken place.\n");
 	code = -1;
@@ -694,9 +724,12 @@ sec_prot(int argc, char **argv)
 	    code = -1;
 	    return;
 	}
-    } else if(strncasecmp(argv[1], "command", strlen(argv[1])) == 0)
-	set_command_prot(level);
-    else
+    } else if(strncasecmp(argv[1], "command", strlen(argv[1])) == 0) {
+	if(set_command_prot(level) < 0) {
+	    code = -1;
+	    return;
+	}
+    } else
 	goto usage;
     code = 0;
     return;
@@ -706,6 +739,46 @@ sec_prot(int argc, char **argv)
     code = -1;
 }
 
+void
+sec_prot_command(int argc, char **argv)
+{
+    int level;
+
+    if(argc > 2)
+	goto usage;
+
+    if(!sec_complete) {
+	printf("No security data exchange has taken place.\n");
+	code = -1;
+	return;
+    }
+
+    if(argc == 1) {
+	sec_status();
+    } else {
+	level = name_to_level(argv[1]);
+	if(level == -1)
+	    goto usage;
+    
+	if((*mech->check_prot)(app_data, level)) {
+	    printf("%s does not implement %s protection.\n", 
+		   mech->name, level_to_name(level));
+	    code = -1;
+	    return;
+	}
+	if(set_command_prot(level) < 0) {
+	    code = -1;
+	    return;
+	}
+    }
+    code = 0;
+    return;
+ usage:
+    printf("usage: %s [clear|safe|confidential|private]\n",
+	   argv[0]);
+    code = -1;
+}
+
 static enum protection_level request_data_prot;
 
 void
@@ -741,7 +814,7 @@ sec_login(char *host)
 
 	tmp = realloc(app_data, (*m)->size);
 	if (tmp == NULL) {
-	    warnx ("realloc %u failed", (*m)->size);
+	    warnx ("realloc %lu failed", (unsigned long)(*m)->size);
 	    return -1;
 	}
 	app_data = tmp;
@@ -777,7 +850,12 @@ sec_login(char *host)
 	}
 	mech = *m;
 	sec_complete = 1;
-	command_prot = prot_safe;
+	if(doencrypt) {
+	    command_prot = prot_private;
+	    request_data_prot = prot_private; 
+	} else {
+	    command_prot = prot_safe;
+	}
 	break;
     }
     
diff --git a/crypto/heimdal/appl/ftp/ftp/security.h b/crypto/heimdal/appl/ftp/ftp/security.h
index 5e14ebd..85ba23e 100644
--- a/crypto/heimdal/appl/ftp/ftp/security.h
+++ b/crypto/heimdal/appl/ftp/ftp/security.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1998 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: security.h,v 1.9.12.1 2003/08/20 16:41:53 lha Exp $ */
+/* $Id: security.h 21224 2007-06-20 10:15:13Z lha $ */
 
 #ifndef __security_h__
 #define __security_h__
@@ -70,6 +70,7 @@ struct sec_server_mech {
     size_t (*pbsz)(void *, size_t);
     int (*ccc)(void*);
     int (*userok)(void*, char*);
+    int (*session)(void*, char*);
 };
 
 #define AUTH_OK		0
@@ -77,6 +78,7 @@ struct sec_server_mech {
 #define AUTH_ERROR	2
 
 extern int ftp_do_gss_bindings;
+extern int ftp_do_gss_delegate;
 #ifdef FTP_SERVER
 extern struct sec_server_mech krb4_server_mech, gss_server_mech;
 #else
@@ -119,12 +121,14 @@ void prot (char *);
 void delete_ftp_command (void);
 void new_ftp_command (char *);
 int sec_userok (char *);
+int sec_session(char *);
 int secure_command (void);
 enum protection_level get_command_prot(void);
 #else
 void sec_end (void);
 int sec_login (char *);
 void sec_prot (int, char **);
+void sec_prot_command (int, char **);
 int sec_request_prot (char *);
 void sec_set_protection_level (void);
 void sec_status (void);
diff --git a/crypto/heimdal/appl/ftp/ftpd/Makefile.am b/crypto/heimdal/appl/ftp/ftpd/Makefile.am
index 20f8b57..b404876 100644
--- a/crypto/heimdal/appl/ftp/ftpd/Makefile.am
+++ b/crypto/heimdal/appl/ftp/ftpd/Makefile.am
@@ -1,15 +1,15 @@
-# $Id: Makefile.am,v 1.26 2001/09/06 12:18:34 assar Exp $
+# $Id: Makefile.am 21031 2007-06-09 05:00:27Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += -I$(srcdir)/../common $(INCLUDE_krb4) -DFTP_SERVER
+AM_CPPFLAGS += -I$(srcdir)/../common $(INCLUDE_krb4) -DFTP_SERVER
 
 libexec_PROGRAMS = ftpd
 
 CHECK_LOCAL = 
 
 if KRB4
-krb4_sources = krb4.c kauth.c
+krb4_sources = krb4.c
 endif
 if KRB5
 krb5_sources = gssapi.c gss_userok.c
@@ -25,6 +25,8 @@ ftpd_SOURCES =		\
 	pathnames.h	\
 	popen.c		\
 	security.c	\
+	kauth.c		\
+	klist.c		\
 	$(krb4_sources) \
 	$(krb5_sources)
 
@@ -41,7 +43,7 @@ krb4.c:
 gssapi.c:
 	@test -f gssapi.c || $(LN_S) $(srcdir)/../ftp/gssapi.c .
 
-CLEANFILES = security.c security.h krb4.c gssapi.c ftpcmd.c
+CLEANFILES = security.c security.h krb4.c gssapi.c
 
 man_MANS = ftpd.8 ftpusers.5
 
@@ -51,5 +53,7 @@ LDADD = ../common/libcommon.a \
 	$(LIB_krb5) \
 	$(LIB_kafs) \
 	$(LIB_krb4) \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(LIB_roken)
+
+EXTRA_DIST = $(man_MANS)
diff --git a/crypto/heimdal/appl/ftp/ftpd/Makefile.in b/crypto/heimdal/appl/ftp/ftpd/Makefile.in
index b6d8f62..c7a6a8f 100644
--- a/crypto/heimdal/appl/ftp/ftpd/Makefile.in
+++ b/crypto/heimdal/appl/ftp/ftpd/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,23 +14,17 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.26 2001/09/06 12:18:34 assar Exp $
+# $Id: Makefile.am 21031 2007-06-09 05:00:27Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
-SOURCES = $(ftpd_SOURCES) $(EXTRA_ftpd_SOURCES)
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -42,6 +36,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -50,16 +45,14 @@ libexec_PROGRAMS = ftpd$(EXEEXT)
 subdir = appl/ftp/ftpd
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -72,6 +65,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -80,56 +74,61 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"
+am__installdirs = "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man5dir)" \
+	"$(DESTDIR)$(man8dir)"
 libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(libexec_PROGRAMS)
 am__ftpd_SOURCES_DIST = extern.h ftpcmd.y ftpd.c ftpd_locl.h logwtmp.c \
-	ls.c pathnames.h popen.c security.c krb4.c kauth.c gssapi.c \
-	gss_userok.c
-@KRB4_TRUE@am__objects_1 = krb4.$(OBJEXT) kauth.$(OBJEXT)
+	ls.c pathnames.h popen.c security.c kauth.c klist.c krb4.c \
+	gssapi.c gss_userok.c
+@KRB4_TRUE@am__objects_1 = krb4.$(OBJEXT)
 @KRB5_TRUE@am__objects_2 = gssapi.$(OBJEXT) gss_userok.$(OBJEXT)
 am_ftpd_OBJECTS = ftpcmd.$(OBJEXT) ftpd.$(OBJEXT) logwtmp.$(OBJEXT) \
 	ls.$(OBJEXT) popen.$(OBJEXT) security.$(OBJEXT) \
-	$(am__objects_1) $(am__objects_2)
+	kauth.$(OBJEXT) klist.$(OBJEXT) $(am__objects_1) \
+	$(am__objects_2)
 ftpd_OBJECTS = $(am_ftpd_OBJECTS)
 ftpd_LDADD = $(LDADD)
 am__DEPENDENCIES_1 =
-@KRB5_TRUE@am__DEPENDENCIES_2 =  \
-@KRB5_TRUE@	$(top_builddir)/lib/gssapi/libgssapi.la
-@KRB5_TRUE@am__DEPENDENCIES_3 = $(top_builddir)/lib/krb5/libkrb5.la \
-@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
-am__DEPENDENCIES_4 = $(top_builddir)/lib/kafs/libkafs.la \
+am__DEPENDENCIES_2 = $(top_builddir)/lib/kafs/libkafs.la \
 	$(am__DEPENDENCIES_1)
 ftpd_DEPENDENCIES = ../common/libcommon.a $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_2) $(am__DEPENDENCIES_3) \
-	$(am__DEPENDENCIES_4) $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+	$(LIB_gssapi) $(LIB_krb5) $(am__DEPENDENCIES_2) \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1)
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MAINTAINER_MODE_FALSE@am__skipyacc = test -f $@ ||
 YACCCOMPILE = $(YACC) $(YFLAGS) $(AM_YFLAGS)
-LTYACCCOMPILE = $(LIBTOOL) --mode=compile $(YACC) $(YFLAGS) \
-	$(AM_YFLAGS)
+LTYACCCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(YACC) $(YFLAGS) $(AM_YFLAGS)
+YLWRAP = $(top_srcdir)/ylwrap
 SOURCES = $(ftpd_SOURCES) $(EXTRA_ftpd_SOURCES)
 DIST_SOURCES = $(am__ftpd_SOURCES_DIST) $(EXTRA_ftpd_SOURCES)
 man5dir = $(mandir)/man5
@@ -139,13 +138,7 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -155,8 +148,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -167,11 +158,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -179,42 +169,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -232,12 +207,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -247,15 +219,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -264,6 +235,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -275,15 +247,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -291,74 +258,80 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/../common $(INCLUDE_krb4) -DFTP_SERVER
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	-I$(srcdir)/../common $(INCLUDE_krb4) -DFTP_SERVER
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -375,9 +348,10 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 CHECK_LOCAL = 
-@KRB4_TRUE@krb4_sources = krb4.c kauth.c
+@KRB4_TRUE@krb4_sources = krb4.c
 @KRB5_TRUE@krb5_sources = gssapi.c gss_userok.c
 ftpd_SOURCES = \
 	extern.h	\
@@ -389,11 +363,13 @@ ftpd_SOURCES = \
 	pathnames.h	\
 	popen.c		\
 	security.c	\
+	kauth.c		\
+	klist.c		\
 	$(krb4_sources) \
 	$(krb5_sources)
 
 EXTRA_ftpd_SOURCES = krb4.c kauth.c gssapi.c gss_userok.c
-CLEANFILES = security.c security.h krb4.c gssapi.c ftpcmd.c
+CLEANFILES = security.c security.h krb4.c gssapi.c
 man_MANS = ftpd.8 ftpusers.5
 LDADD = ../common/libcommon.a \
 	$(LIB_otp) \
@@ -401,13 +377,14 @@ LDADD = ../common/libcommon.a \
 	$(LIB_krb5) \
 	$(LIB_kafs) \
 	$(LIB_krb4) \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(LIB_roken)
 
+EXTRA_DIST = $(man_MANS)
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj .y
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj .y
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -439,7 +416,7 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-libexecPROGRAMS: $(libexec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(libexecdir)" || $(mkdir_p) "$(DESTDIR)$(libexecdir)"
+	test -z "$(libexecdir)" || $(MKDIR_P) "$(DESTDIR)$(libexecdir)"
 	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -467,7 +444,7 @@ clean-libexecPROGRAMS:
 	done
 ftpd$(EXEEXT): $(ftpd_OBJECTS) $(ftpd_DEPENDENCIES) 
 	@rm -f ftpd$(EXEEXT)
-	$(LINK) $(ftpd_LDFLAGS) $(ftpd_OBJECTS) $(ftpd_LDADD) $(LIBS)
+	$(LINK) $(ftpd_OBJECTS) $(ftpd_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -485,37 +462,16 @@ distclean-compile:
 	$(LTCOMPILE) -c -o $@ $<
 
 .y.c:
-	$(YACCCOMPILE) $<
-	if test -f y.tab.h; then \
-	  to=`echo "$*_H" | sed \
-                -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/' \
-                -e 's/[^ABCDEFGHIJKLMNOPQRSTUVWXYZ]/_/g'`; \
-	  sed "/^#/ s/Y_TAB_H/$$to/g" y.tab.h >$*.ht; \
-	  rm -f y.tab.h; \
-	  if cmp -s $*.ht $*.h; then \
-	    rm -f $*.ht ;\
-	  else \
-	    mv $*.ht $*.h; \
-	  fi; \
-	fi
-	if test -f y.output; then \
-	  mv y.output $*.output; \
-	fi
-	sed '/^#/ s|y\.tab\.c|$@|' y.tab.c >$@t && mv $@t $@
-	rm -f y.tab.c
+	$(am__skipyacc) $(SHELL) $(YLWRAP) $< y.tab.c $@ y.tab.h $*.h y.output $*.output -- $(YACCCOMPILE)
 
 mostlyclean-libtool:
 	-rm -f *.lo
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 install-man5: $(man5_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man5dir)" || $(mkdir_p) "$(DESTDIR)$(man5dir)"
+	test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)"
 	@list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -560,7 +516,7 @@ uninstall-man5:
 	done
 install-man8: $(man8_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)"
+	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
 	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -624,9 +580,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -651,23 +609,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../../.. $(distdir)/../../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -687,7 +643,7 @@ check: check-am
 all-am: Makefile $(PROGRAMS) $(MANS) all-local
 installdirs:
 	for dir in "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -709,7 +665,7 @@ clean-generic:
 	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -723,7 +679,7 @@ clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -739,14 +695,22 @@ install-data-am: install-man
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-libexecPROGRAMS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man: install-man5 install-man8
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -766,23 +730,29 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-info-am uninstall-libexecPROGRAMS \
-	uninstall-man
+uninstall-am: uninstall-libexecPROGRAMS uninstall-man
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
 
 uninstall-man: uninstall-man5 uninstall-man8
 
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
 .PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
 	clean clean-generic clean-libexecPROGRAMS clean-libtool ctags \
-	distclean distclean-compile distclean-generic \
+	dist-hook distclean distclean-compile distclean-generic \
 	distclean-libtool distclean-tags distdir dvi dvi-am html \
 	html-am info info-am install install-am install-data \
-	install-data-am install-exec install-exec-am install-info \
-	install-info-am install-libexecPROGRAMS install-man \
-	install-man5 install-man8 install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-info-am \
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am \
+	install-libexecPROGRAMS install-man install-man5 install-man8 \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am uninstall-hook \
 	uninstall-libexecPROGRAMS uninstall-man uninstall-man5 \
 	uninstall-man8
 
@@ -799,8 +769,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -810,19 +780,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -838,7 +820,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -908,15 +890,40 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
 
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
 $(ftpd_OBJECTS): security.h
 
 security.c:
diff --git a/crypto/heimdal/appl/ftp/ftpd/extern.h b/crypto/heimdal/appl/ftp/ftpd/extern.h
index 751d04c..db40f2f 100644
--- a/crypto/heimdal/appl/ftp/ftpd/extern.h
+++ b/crypto/heimdal/appl/ftp/ftpd/extern.h
@@ -107,9 +107,12 @@ void	klist(void);
 void	cond_kdestroy(void);
 void	kdestroy(void);
 void	krbtkfile(const char *tkfile);
-void	afslog(const char *cell);
+void	afslog(const char *, int);
 void	afsunlog(void);
 
+extern int do_destroy_tickets;
+extern char *k5ccname;
+
 int	find(char *);
 
 int	builtin_ls(FILE*, const char*);
@@ -130,6 +133,7 @@ extern	int logging;
 extern	int type;
 extern off_t file_size;
 extern off_t byte_count;
+extern	int ccc_passed;
 
 extern	int form;
 extern	int debug;
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpcmd.c b/crypto/heimdal/appl/ftp/ftpd/ftpcmd.c
new file mode 100644
index 0000000..94eadee
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpcmd.c
@@ -0,0 +1,3551 @@
+/* A Bison parser, made by GNU Bison 2.3.  */
+
+/* Skeleton implementation for Bison's Yacc-like parsers in C
+
+   Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
+   Free Software Foundation, Inc.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2, or (at your option)
+   any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin Street, Fifth Floor,
+   Boston, MA 02110-1301, USA.  */
+
+/* As a special exception, you may create a larger work that contains
+   part or all of the Bison parser skeleton and distribute that work
+   under terms of your choice, so long as that work isn't itself a
+   parser generator using the skeleton or a modified version thereof
+   as a parser skeleton.  Alternatively, if you modify or redistribute
+   the parser skeleton itself, you may (at your option) remove this
+   special exception, which will cause the skeleton and the resulting
+   Bison output files to be licensed under the GNU General Public
+   License without this special exception.
+
+   This special exception was added by the Free Software Foundation in
+   version 2.2 of Bison.  */
+
+/* C LALR(1) parser skeleton written by Richard Stallman, by
+   simplifying the original so-called "semantic" parser.  */
+
+/* All symbols defined below should begin with yy or YY, to avoid
+   infringing on user name space.  This should be done even for local
+   variables, as they might otherwise be expanded by user macros.
+   There are some unavoidable exceptions within include files to
+   define necessary library symbols; they are noted "INFRINGES ON
+   USER NAME SPACE" below.  */
+
+/* Identify Bison output.  */
+#define YYBISON 1
+
+/* Bison version.  */
+#define YYBISON_VERSION "2.3"
+
+/* Skeleton name.  */
+#define YYSKELETON_NAME "yacc.c"
+
+/* Pure parsers.  */
+#define YYPURE 0
+
+/* Using locations.  */
+#define YYLSP_NEEDED 0
+
+
+
+/* Tokens.  */
+#ifndef YYTOKENTYPE
+# define YYTOKENTYPE
+   /* Put the tokens into the symbol table, so that GDB and other debuggers
+      know about them.  */
+   enum yytokentype {
+     A = 258,
+     B = 259,
+     C = 260,
+     E = 261,
+     F = 262,
+     I = 263,
+     L = 264,
+     N = 265,
+     P = 266,
+     R = 267,
+     S = 268,
+     T = 269,
+     SP = 270,
+     CRLF = 271,
+     COMMA = 272,
+     USER = 273,
+     PASS = 274,
+     ACCT = 275,
+     REIN = 276,
+     QUIT = 277,
+     PORT = 278,
+     PASV = 279,
+     TYPE = 280,
+     STRU = 281,
+     MODE = 282,
+     RETR = 283,
+     STOR = 284,
+     APPE = 285,
+     MLFL = 286,
+     MAIL = 287,
+     MSND = 288,
+     MSOM = 289,
+     MSAM = 290,
+     MRSQ = 291,
+     MRCP = 292,
+     ALLO = 293,
+     REST = 294,
+     RNFR = 295,
+     RNTO = 296,
+     ABOR = 297,
+     DELE = 298,
+     CWD = 299,
+     LIST = 300,
+     NLST = 301,
+     SITE = 302,
+     sTAT = 303,
+     HELP = 304,
+     NOOP = 305,
+     MKD = 306,
+     RMD = 307,
+     PWD = 308,
+     CDUP = 309,
+     STOU = 310,
+     SMNT = 311,
+     SYST = 312,
+     SIZE = 313,
+     MDTM = 314,
+     EPRT = 315,
+     EPSV = 316,
+     UMASK = 317,
+     IDLE = 318,
+     CHMOD = 319,
+     AUTH = 320,
+     ADAT = 321,
+     PROT = 322,
+     PBSZ = 323,
+     CCC = 324,
+     MIC = 325,
+     CONF = 326,
+     ENC = 327,
+     KAUTH = 328,
+     KLIST = 329,
+     KDESTROY = 330,
+     KRBTKFILE = 331,
+     AFSLOG = 332,
+     LOCATE = 333,
+     URL = 334,
+     FEAT = 335,
+     OPTS = 336,
+     LEXERR = 337,
+     STRING = 338,
+     NUMBER = 339
+   };
+#endif
+/* Tokens.  */
+#define A 258
+#define B 259
+#define C 260
+#define E 261
+#define F 262
+#define I 263
+#define L 264
+#define N 265
+#define P 266
+#define R 267
+#define S 268
+#define T 269
+#define SP 270
+#define CRLF 271
+#define COMMA 272
+#define USER 273
+#define PASS 274
+#define ACCT 275
+#define REIN 276
+#define QUIT 277
+#define PORT 278
+#define PASV 279
+#define TYPE 280
+#define STRU 281
+#define MODE 282
+#define RETR 283
+#define STOR 284
+#define APPE 285
+#define MLFL 286
+#define MAIL 287
+#define MSND 288
+#define MSOM 289
+#define MSAM 290
+#define MRSQ 291
+#define MRCP 292
+#define ALLO 293
+#define REST 294
+#define RNFR 295
+#define RNTO 296
+#define ABOR 297
+#define DELE 298
+#define CWD 299
+#define LIST 300
+#define NLST 301
+#define SITE 302
+#define sTAT 303
+#define HELP 304
+#define NOOP 305
+#define MKD 306
+#define RMD 307
+#define PWD 308
+#define CDUP 309
+#define STOU 310
+#define SMNT 311
+#define SYST 312
+#define SIZE 313
+#define MDTM 314
+#define EPRT 315
+#define EPSV 316
+#define UMASK 317
+#define IDLE 318
+#define CHMOD 319
+#define AUTH 320
+#define ADAT 321
+#define PROT 322
+#define PBSZ 323
+#define CCC 324
+#define MIC 325
+#define CONF 326
+#define ENC 327
+#define KAUTH 328
+#define KLIST 329
+#define KDESTROY 330
+#define KRBTKFILE 331
+#define AFSLOG 332
+#define LOCATE 333
+#define URL 334
+#define FEAT 335
+#define OPTS 336
+#define LEXERR 337
+#define STRING 338
+#define NUMBER 339
+
+
+
+
+/* Copy the first part of user declarations.  */
+#line 43 "ftpcmd.y"
+
+
+#include "ftpd_locl.h"
+RCSID("$Id: ftpcmd.y 15677 2005-07-19 18:33:08Z lha $");
+
+off_t	restart_point;
+
+static	int hasyyerrored;
+
+
+static	int cmd_type;
+static	int cmd_form;
+static	int cmd_bytesz;
+char	cbuf[64*1024];
+char	*fromname;
+
+struct tab {
+	char	*name;
+	short	token;
+	short	state;
+	short	implemented;	/* 1 if command is implemented */
+	char	*help;
+};
+
+extern struct tab cmdtab[];
+extern struct tab sitetab[];
+
+static char		*copy (char *);
+static void		 help (struct tab *, char *);
+static struct tab *
+			 lookup (struct tab *, char *);
+static void		 sizecmd (char *);
+static RETSIGTYPE	 toolong (int);
+static int		 yylex (void);
+
+/* This is for bison */
+
+#if !defined(alloca) && !defined(HAVE_ALLOCA)
+#define alloca(x) malloc(x)
+#endif
+
+
+
+/* Enabling traces.  */
+#ifndef YYDEBUG
+# define YYDEBUG 0
+#endif
+
+/* Enabling verbose error messages.  */
+#ifdef YYERROR_VERBOSE
+# undef YYERROR_VERBOSE
+# define YYERROR_VERBOSE 1
+#else
+# define YYERROR_VERBOSE 0
+#endif
+
+/* Enabling the token table.  */
+#ifndef YYTOKEN_TABLE
+# define YYTOKEN_TABLE 0
+#endif
+
+#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
+typedef union YYSTYPE
+#line 86 "ftpcmd.y"
+{
+	int	i;
+	char   *s;
+}
+/* Line 193 of yacc.c.  */
+#line 312 "ftpcmd.c"
+	YYSTYPE;
+# define yystype YYSTYPE /* obsolescent; will be withdrawn */
+# define YYSTYPE_IS_DECLARED 1
+# define YYSTYPE_IS_TRIVIAL 1
+#endif
+
+
+
+/* Copy the second part of user declarations.  */
+
+
+/* Line 216 of yacc.c.  */
+#line 325 "ftpcmd.c"
+
+#ifdef short
+# undef short
+#endif
+
+#ifdef YYTYPE_UINT8
+typedef YYTYPE_UINT8 yytype_uint8;
+#else
+typedef unsigned char yytype_uint8;
+#endif
+
+#ifdef YYTYPE_INT8
+typedef YYTYPE_INT8 yytype_int8;
+#elif (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+typedef signed char yytype_int8;
+#else
+typedef short int yytype_int8;
+#endif
+
+#ifdef YYTYPE_UINT16
+typedef YYTYPE_UINT16 yytype_uint16;
+#else
+typedef unsigned short int yytype_uint16;
+#endif
+
+#ifdef YYTYPE_INT16
+typedef YYTYPE_INT16 yytype_int16;
+#else
+typedef short int yytype_int16;
+#endif
+
+#ifndef YYSIZE_T
+# ifdef __SIZE_TYPE__
+#  define YYSIZE_T __SIZE_TYPE__
+# elif defined size_t
+#  define YYSIZE_T size_t
+# elif ! defined YYSIZE_T && (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+#  include <stddef.h> /* INFRINGES ON USER NAME SPACE */
+#  define YYSIZE_T size_t
+# else
+#  define YYSIZE_T unsigned int
+# endif
+#endif
+
+#define YYSIZE_MAXIMUM ((YYSIZE_T) -1)
+
+#ifndef YY_
+# if defined YYENABLE_NLS && YYENABLE_NLS
+#  if ENABLE_NLS
+#   include <libintl.h> /* INFRINGES ON USER NAME SPACE */
+#   define YY_(msgid) dgettext ("bison-runtime", msgid)
+#  endif
+# endif
+# ifndef YY_
+#  define YY_(msgid) msgid
+# endif
+#endif
+
+/* Suppress unused-variable warnings by "using" E.  */
+#if ! defined lint || defined __GNUC__
+# define YYUSE(e) ((void) (e))
+#else
+# define YYUSE(e) /* empty */
+#endif
+
+/* Identity function, used to suppress warnings about constant conditions.  */
+#ifndef lint
+# define YYID(n) (n)
+#else
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static int
+YYID (int i)
+#else
+static int
+YYID (i)
+    int i;
+#endif
+{
+  return i;
+}
+#endif
+
+#if ! defined yyoverflow || YYERROR_VERBOSE
+
+/* The parser invokes alloca or malloc; define the necessary symbols.  */
+
+# ifdef YYSTACK_USE_ALLOCA
+#  if YYSTACK_USE_ALLOCA
+#   ifdef __GNUC__
+#    define YYSTACK_ALLOC __builtin_alloca
+#   elif defined __BUILTIN_VA_ARG_INCR
+#    include <alloca.h> /* INFRINGES ON USER NAME SPACE */
+#   elif defined _AIX
+#    define YYSTACK_ALLOC __alloca
+#   elif defined _MSC_VER
+#    include <malloc.h> /* INFRINGES ON USER NAME SPACE */
+#    define alloca _alloca
+#   else
+#    define YYSTACK_ALLOC alloca
+#    if ! defined _ALLOCA_H && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+#     include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
+#     ifndef _STDLIB_H
+#      define _STDLIB_H 1
+#     endif
+#    endif
+#   endif
+#  endif
+# endif
+
+# ifdef YYSTACK_ALLOC
+   /* Pacify GCC's `empty if-body' warning.  */
+#  define YYSTACK_FREE(Ptr) do { /* empty */; } while (YYID (0))
+#  ifndef YYSTACK_ALLOC_MAXIMUM
+    /* The OS might guarantee only one guard page at the bottom of the stack,
+       and a page size can be as small as 4096 bytes.  So we cannot safely
+       invoke alloca (N) if N exceeds 4096.  Use a slightly smaller number
+       to allow for a few compiler-allocated temporary stack slots.  */
+#   define YYSTACK_ALLOC_MAXIMUM 4032 /* reasonable circa 2006 */
+#  endif
+# else
+#  define YYSTACK_ALLOC YYMALLOC
+#  define YYSTACK_FREE YYFREE
+#  ifndef YYSTACK_ALLOC_MAXIMUM
+#   define YYSTACK_ALLOC_MAXIMUM YYSIZE_MAXIMUM
+#  endif
+#  if (defined __cplusplus && ! defined _STDLIB_H \
+       && ! ((defined YYMALLOC || defined malloc) \
+	     && (defined YYFREE || defined free)))
+#   include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
+#   ifndef _STDLIB_H
+#    define _STDLIB_H 1
+#   endif
+#  endif
+#  ifndef YYMALLOC
+#   define YYMALLOC malloc
+#   if ! defined malloc && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+void *malloc (YYSIZE_T); /* INFRINGES ON USER NAME SPACE */
+#   endif
+#  endif
+#  ifndef YYFREE
+#   define YYFREE free
+#   if ! defined free && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+void free (void *); /* INFRINGES ON USER NAME SPACE */
+#   endif
+#  endif
+# endif
+#endif /* ! defined yyoverflow || YYERROR_VERBOSE */
+
+
+#if (! defined yyoverflow \
+     && (! defined __cplusplus \
+	 || (defined YYSTYPE_IS_TRIVIAL && YYSTYPE_IS_TRIVIAL)))
+
+/* A type that is properly aligned for any stack member.  */
+union yyalloc
+{
+  yytype_int16 yyss;
+  YYSTYPE yyvs;
+  };
+
+/* The size of the maximum gap between one aligned stack and the next.  */
+# define YYSTACK_GAP_MAXIMUM (sizeof (union yyalloc) - 1)
+
+/* The size of an array large to enough to hold all stacks, each with
+   N elements.  */
+# define YYSTACK_BYTES(N) \
+     ((N) * (sizeof (yytype_int16) + sizeof (YYSTYPE)) \
+      + YYSTACK_GAP_MAXIMUM)
+
+/* Copy COUNT objects from FROM to TO.  The source and destination do
+   not overlap.  */
+# ifndef YYCOPY
+#  if defined __GNUC__ && 1 < __GNUC__
+#   define YYCOPY(To, From, Count) \
+      __builtin_memcpy (To, From, (Count) * sizeof (*(From)))
+#  else
+#   define YYCOPY(To, From, Count)		\
+      do					\
+	{					\
+	  YYSIZE_T yyi;				\
+	  for (yyi = 0; yyi < (Count); yyi++)	\
+	    (To)[yyi] = (From)[yyi];		\
+	}					\
+      while (YYID (0))
+#  endif
+# endif
+
+/* Relocate STACK from its old location to the new one.  The
+   local variables YYSIZE and YYSTACKSIZE give the old and new number of
+   elements in the stack, and YYPTR gives the new location of the
+   stack.  Advance YYPTR to a properly aligned location for the next
+   stack.  */
+# define YYSTACK_RELOCATE(Stack)					\
+    do									\
+      {									\
+	YYSIZE_T yynewbytes;						\
+	YYCOPY (&yyptr->Stack, Stack, yysize);				\
+	Stack = &yyptr->Stack;						\
+	yynewbytes = yystacksize * sizeof (*Stack) + YYSTACK_GAP_MAXIMUM; \
+	yyptr += yynewbytes / sizeof (*yyptr);				\
+      }									\
+    while (YYID (0))
+
+#endif
+
+/* YYFINAL -- State number of the termination state.  */
+#define YYFINAL  2
+/* YYLAST -- Last index in YYTABLE.  */
+#define YYLAST   327
+
+/* YYNTOKENS -- Number of terminals.  */
+#define YYNTOKENS  85
+/* YYNNTS -- Number of nonterminals.  */
+#define YYNNTS  18
+/* YYNRULES -- Number of rules.  */
+#define YYNRULES  98
+/* YYNRULES -- Number of states.  */
+#define YYNSTATES  317
+
+/* YYTRANSLATE(YYLEX) -- Bison symbol number corresponding to YYLEX.  */
+#define YYUNDEFTOK  2
+#define YYMAXUTOK   339
+
+#define YYTRANSLATE(YYX)						\
+  ((unsigned int) (YYX) <= YYMAXUTOK ? yytranslate[YYX] : YYUNDEFTOK)
+
+/* YYTRANSLATE[YYLEX] -- Bison symbol number corresponding to YYLEX.  */
+static const yytype_uint8 yytranslate[] =
+{
+       0,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     1,     2,     3,     4,
+       5,     6,     7,     8,     9,    10,    11,    12,    13,    14,
+      15,    16,    17,    18,    19,    20,    21,    22,    23,    24,
+      25,    26,    27,    28,    29,    30,    31,    32,    33,    34,
+      35,    36,    37,    38,    39,    40,    41,    42,    43,    44,
+      45,    46,    47,    48,    49,    50,    51,    52,    53,    54,
+      55,    56,    57,    58,    59,    60,    61,    62,    63,    64,
+      65,    66,    67,    68,    69,    70,    71,    72,    73,    74,
+      75,    76,    77,    78,    79,    80,    81,    82,    83,    84
+};
+
+#if YYDEBUG
+/* YYPRHS[YYN] -- Index of the first RHS symbol of rule number YYN in
+   YYRHS.  */
+static const yytype_uint16 yyprhs[] =
+{
+       0,     0,     3,     4,     7,    10,    16,    22,    28,    34,
+      38,    42,    48,    54,    60,    66,    72,    82,    88,    94,
+     100,   104,   110,   114,   120,   126,   130,   136,   142,   146,
+     150,   156,   160,   166,   170,   176,   182,   186,   190,   194,
+     200,   206,   214,   220,   228,   238,   244,   252,   260,   266,
+     272,   280,   286,   294,   302,   308,   314,   318,   324,   330,
+     334,   337,   343,   349,   354,   359,   365,   371,   375,   380,
+     385,   390,   392,   393,   395,   397,   409,   411,   413,   415,
+     417,   421,   423,   427,   429,   431,   435,   438,   440,   442,
+     444,   446,   448,   450,   452,   454,   456,   458,   460
+};
+
+/* YYRHS -- A `-1'-separated list of the rules' RHS.  */
+static const yytype_int8 yyrhs[] =
+{
+      86,     0,    -1,    -1,    86,    87,    -1,    86,    88,    -1,
+      18,    15,    89,    16,   102,    -1,    19,    15,    90,    16,
+     102,    -1,    23,    15,    92,    16,   102,    -1,    60,    15,
+      83,    16,   102,    -1,    24,    16,   101,    -1,    61,    16,
+     101,    -1,    61,    15,    83,    16,   101,    -1,    25,    15,
+      94,    16,   102,    -1,    26,    15,    95,    16,   102,    -1,
+      27,    15,    96,    16,   102,    -1,    38,    15,    84,    16,
+     102,    -1,    38,    15,    84,    15,    12,    15,    84,    16,
+     102,    -1,    28,    15,    97,    16,   101,    -1,    29,    15,
+      97,    16,   101,    -1,    30,    15,    97,    16,   101,    -1,
+      46,    16,   101,    -1,    46,    15,    83,    16,   101,    -1,
+      45,    16,   101,    -1,    45,    15,    97,    16,   101,    -1,
+      48,    15,    97,    16,   101,    -1,    48,    16,   102,    -1,
+      43,    15,    97,    16,   100,    -1,    41,    15,    97,    16,
+     100,    -1,    42,    16,   102,    -1,    44,    16,   101,    -1,
+      44,    15,    97,    16,   101,    -1,    49,    16,   102,    -1,
+      49,    15,    83,    16,   102,    -1,    50,    16,   102,    -1,
+      51,    15,    97,    16,   101,    -1,    52,    15,    97,    16,
+     100,    -1,    53,    16,   101,    -1,    54,    16,   101,    -1,
+      80,    16,   102,    -1,    81,    15,    83,    16,   102,    -1,
+      47,    15,    49,    16,   102,    -1,    47,    15,    49,    15,
+      83,    16,   102,    -1,    47,    15,    62,    16,   101,    -1,
+      47,    15,    62,    15,    99,    16,   100,    -1,    47,    15,
+      64,    15,    99,    15,    97,    16,   100,    -1,    47,    15,
+      63,    16,   102,    -1,    47,    15,    63,    15,    84,    16,
+     102,    -1,    47,    15,    73,    15,    83,    16,   101,    -1,
+      47,    15,    74,    16,   101,    -1,    47,    15,    75,    16,
+     101,    -1,    47,    15,    76,    15,    83,    16,   101,    -1,
+      47,    15,    77,    16,   101,    -1,    47,    15,    77,    15,
+      83,    16,   101,    -1,    47,    15,    78,    15,    83,    16,
+     101,    -1,    47,    15,    79,    16,   102,    -1,    55,    15,
+      97,    16,   101,    -1,    57,    16,   102,    -1,    58,    15,
+      97,    16,   101,    -1,    59,    15,    97,    16,   101,    -1,
+      22,    16,   102,    -1,     1,    16,    -1,    40,    15,    97,
+      16,   100,    -1,    39,    15,    91,    16,   102,    -1,    65,
+      15,    83,    16,    -1,    66,    15,    83,    16,    -1,    68,
+      15,    84,    16,   102,    -1,    67,    15,    83,    16,   102,
+      -1,    69,    16,   102,    -1,    70,    15,    83,    16,    -1,
+      71,    15,    83,    16,    -1,    72,    15,    83,    16,    -1,
+      83,    -1,    -1,    83,    -1,    84,    -1,    84,    17,    84,
+      17,    84,    17,    84,    17,    84,    17,    84,    -1,    10,
+      -1,    14,    -1,     5,    -1,     3,    -1,     3,    15,    93,
+      -1,     6,    -1,     6,    15,    93,    -1,     8,    -1,     9,
+      -1,     9,    15,    91,    -1,     9,    91,    -1,     7,    -1,
+      12,    -1,    11,    -1,    13,    -1,     4,    -1,     5,    -1,
+      98,    -1,    83,    -1,    84,    -1,   101,    -1,   102,    -1,
+      -1
+};
+
+/* YYRLINE[YYN] -- source line where rule number YYN was defined.  */
+static const yytype_uint16 yyrline[] =
+{
+       0,   129,   129,   131,   136,   140,   146,   153,   164,   170,
+     175,   180,   186,   223,   237,   251,   257,   263,   272,   281,
+     290,   295,   304,   309,   315,   322,   327,   334,   348,   353,
+     358,   365,   370,   387,   392,   399,   406,   411,   416,   426,
+     433,   438,   443,   451,   464,   478,   485,   502,   525,   530,
+     539,   552,   563,   576,   583,   588,   595,   613,   630,   658,
+     665,   671,   681,   691,   696,   701,   706,   711,   716,   721,
+     726,   734,   739,   742,   746,   750,   763,   767,   771,   778,
+     783,   788,   793,   798,   802,   807,   813,   821,   825,   829,
+     836,   840,   844,   851,   879,   883,   909,   917,   928
+};
+#endif
+
+#if YYDEBUG || YYERROR_VERBOSE || YYTOKEN_TABLE
+/* YYTNAME[SYMBOL-NUM] -- String name of the symbol SYMBOL-NUM.
+   First, the terminals, then, starting at YYNTOKENS, nonterminals.  */
+static const char *const yytname[] =
+{
+  "$end", "error", "$undefined", "A", "B", "C", "E", "F", "I", "L", "N",
+  "P", "R", "S", "T", "SP", "CRLF", "COMMA", "USER", "PASS", "ACCT",
+  "REIN", "QUIT", "PORT", "PASV", "TYPE", "STRU", "MODE", "RETR", "STOR",
+  "APPE", "MLFL", "MAIL", "MSND", "MSOM", "MSAM", "MRSQ", "MRCP", "ALLO",
+  "REST", "RNFR", "RNTO", "ABOR", "DELE", "CWD", "LIST", "NLST", "SITE",
+  "sTAT", "HELP", "NOOP", "MKD", "RMD", "PWD", "CDUP", "STOU", "SMNT",
+  "SYST", "SIZE", "MDTM", "EPRT", "EPSV", "UMASK", "IDLE", "CHMOD", "AUTH",
+  "ADAT", "PROT", "PBSZ", "CCC", "MIC", "CONF", "ENC", "KAUTH", "KLIST",
+  "KDESTROY", "KRBTKFILE", "AFSLOG", "LOCATE", "URL", "FEAT", "OPTS",
+  "LEXERR", "STRING", "NUMBER", "$accept", "cmd_list", "cmd", "rcmd",
+  "username", "password", "byte_size", "host_port", "form_code",
+  "type_code", "struct_code", "mode_code", "pathname", "pathstring",
+  "octal_number", "check_login_no_guest", "check_login", "check_secure", 0
+};
+#endif
+
+# ifdef YYPRINT
+/* YYTOKNUM[YYLEX-NUM] -- Internal token number corresponding to
+   token YYLEX-NUM.  */
+static const yytype_uint16 yytoknum[] =
+{
+       0,   256,   257,   258,   259,   260,   261,   262,   263,   264,
+     265,   266,   267,   268,   269,   270,   271,   272,   273,   274,
+     275,   276,   277,   278,   279,   280,   281,   282,   283,   284,
+     285,   286,   287,   288,   289,   290,   291,   292,   293,   294,
+     295,   296,   297,   298,   299,   300,   301,   302,   303,   304,
+     305,   306,   307,   308,   309,   310,   311,   312,   313,   314,
+     315,   316,   317,   318,   319,   320,   321,   322,   323,   324,
+     325,   326,   327,   328,   329,   330,   331,   332,   333,   334,
+     335,   336,   337,   338,   339
+};
+# endif
+
+/* YYR1[YYN] -- Symbol number of symbol that rule YYN derives.  */
+static const yytype_uint8 yyr1[] =
+{
+       0,    85,    86,    86,    86,    87,    87,    87,    87,    87,
+      87,    87,    87,    87,    87,    87,    87,    87,    87,    87,
+      87,    87,    87,    87,    87,    87,    87,    87,    87,    87,
+      87,    87,    87,    87,    87,    87,    87,    87,    87,    87,
+      87,    87,    87,    87,    87,    87,    87,    87,    87,    87,
+      87,    87,    87,    87,    87,    87,    87,    87,    87,    87,
+      87,    88,    88,    88,    88,    88,    88,    88,    88,    88,
+      88,    89,    90,    90,    91,    92,    93,    93,    93,    94,
+      94,    94,    94,    94,    94,    94,    94,    95,    95,    95,
+      96,    96,    96,    97,    98,    99,   100,   101,   102
+};
+
+/* YYR2[YYN] -- Number of symbols composing right hand side of rule YYN.  */
+static const yytype_uint8 yyr2[] =
+{
+       0,     2,     0,     2,     2,     5,     5,     5,     5,     3,
+       3,     5,     5,     5,     5,     5,     9,     5,     5,     5,
+       3,     5,     3,     5,     5,     3,     5,     5,     3,     3,
+       5,     3,     5,     3,     5,     5,     3,     3,     3,     5,
+       5,     7,     5,     7,     9,     5,     7,     7,     5,     5,
+       7,     5,     7,     7,     5,     5,     3,     5,     5,     3,
+       2,     5,     5,     4,     4,     5,     5,     3,     4,     4,
+       4,     1,     0,     1,     1,    11,     1,     1,     1,     1,
+       3,     1,     3,     1,     1,     3,     2,     1,     1,     1,
+       1,     1,     1,     1,     1,     1,     1,     1,     0
+};
+
+/* YYDEFACT[STATE-NAME] -- Default rule to reduce with in state
+   STATE-NUM when YYTABLE doesn't specify something else to do.  Zero
+   means the default is an error.  */
+static const yytype_uint8 yydefact[] =
+{
+       2,     0,     1,     0,     0,     0,     0,     0,     0,     0,
+       0,     0,     0,     0,     0,     0,     0,     0,     0,     0,
+       0,     0,     0,     0,     0,     0,     0,     0,     0,     0,
+       0,     0,     0,     0,     0,     0,     0,     0,     0,     0,
+       0,     0,     0,     0,     0,     0,     0,     0,     3,     4,
+      60,     0,    72,    98,     0,    98,     0,     0,     0,     0,
+       0,     0,     0,     0,     0,     0,    98,     0,     0,    98,
+       0,    98,     0,    98,     0,     0,    98,     0,    98,    98,
+       0,     0,    98,    98,     0,    98,     0,     0,     0,     0,
+      98,     0,     0,     0,     0,    98,     0,     0,     0,    98,
+       0,    71,     0,    73,     0,    59,     0,     0,     9,    97,
+      79,    81,    83,    84,     0,    87,    89,    88,     0,    91,
+      92,    90,     0,    94,     0,    93,     0,     0,     0,    74,
+       0,     0,     0,    28,     0,     0,    29,     0,    22,     0,
+      20,     0,     0,     0,     0,     0,     0,     0,     0,     0,
+       0,     0,     0,    25,     0,    31,    33,     0,     0,    36,
+      37,     0,    56,     0,     0,     0,     0,    10,     0,     0,
+       0,     0,    67,     0,     0,     0,    38,     0,    98,    98,
+       0,    98,     0,     0,     0,    86,    98,    98,    98,    98,
+      98,    98,     0,    98,    98,    98,    98,    98,    98,    98,
+      98,     0,    98,     0,    98,     0,    98,     0,     0,    98,
+      98,     0,     0,    98,     0,    98,    98,    98,    98,    98,
+      98,    98,    98,    98,    98,    63,    64,    98,    98,    68,
+      69,    70,    98,     5,     6,     0,     7,    78,    76,    77,
+      80,    82,    85,    12,    13,    14,    17,    18,    19,     0,
+      15,    62,    61,    96,    27,    26,    30,    23,    21,     0,
+      40,    95,     0,    42,     0,    45,     0,     0,    48,    49,
+       0,     0,    51,     0,    54,    24,    32,    34,    35,    55,
+      57,    58,     8,    11,    66,    65,    39,     0,     0,    98,
+      98,    98,     0,    98,    98,    98,    98,     0,     0,    41,
+      43,    46,     0,    47,    50,    52,    53,     0,    98,    98,
+       0,    16,    44,     0,     0,     0,    75
+};
+
+/* YYDEFGOTO[NTERM-NUM].  */
+static const yytype_int16 yydefgoto[] =
+{
+      -1,     1,    48,    49,   102,   104,   130,   107,   240,   114,
+     118,   122,   124,   125,   262,   252,   253,   109
+};
+
+/* YYPACT[STATE-NUM] -- Index in YYTABLE of the portion describing
+   STATE-NUM.  */
+#define YYPACT_NINF -196
+static const yytype_int16 yypact[] =
+{
+    -196,   246,  -196,     3,    13,    20,    11,    24,    21,    26,
+      30,    45,    66,    67,    68,    69,    70,    71,    72,    76,
+      73,    -7,    -5,    15,    78,    28,    32,    80,    79,    82,
+      83,    91,    93,    94,    96,    97,    98,    38,   100,   101,
+     102,   103,   104,   106,   107,   108,   111,   109,  -196,  -196,
+    -196,   -66,    36,  -196,    14,  -196,    12,    22,     1,    46,
+      46,    46,    25,    48,    46,    46,  -196,    46,    46,  -196,
+      46,  -196,    53,  -196,    27,    46,  -196,    55,  -196,  -196,
+      46,    46,  -196,  -196,    46,  -196,    46,    46,    56,    59,
+    -196,    60,    61,    62,    63,  -196,    65,    77,    85,  -196,
+      86,  -196,   114,  -196,   115,  -196,   120,   130,  -196,  -196,
+     135,   136,  -196,   -11,   138,  -196,  -196,  -196,   139,  -196,
+    -196,  -196,   143,  -196,   145,  -196,   147,   156,    47,  -196,
+     157,   162,   165,  -196,   166,   168,  -196,   170,  -196,   174,
+    -196,    49,    52,    54,   137,   177,   178,   179,   181,    64,
+     182,   183,   184,  -196,   185,  -196,  -196,   186,   187,  -196,
+    -196,   188,  -196,   189,   190,   191,   192,  -196,   193,   194,
+     195,   196,  -196,   197,   198,   199,  -196,   200,  -196,  -196,
+     133,  -196,     2,     2,    48,  -196,  -196,  -196,  -196,  -196,
+    -196,  -196,   206,  -196,  -196,  -196,  -196,  -196,  -196,  -196,
+    -196,   110,  -196,   140,  -196,   141,  -196,   140,   144,  -196,
+    -196,   146,   148,  -196,   149,  -196,  -196,  -196,  -196,  -196,
+    -196,  -196,  -196,  -196,  -196,  -196,  -196,  -196,  -196,  -196,
+    -196,  -196,  -196,  -196,  -196,   202,  -196,  -196,  -196,  -196,
+    -196,  -196,  -196,  -196,  -196,  -196,  -196,  -196,  -196,   205,
+    -196,  -196,  -196,  -196,  -196,  -196,  -196,  -196,  -196,   207,
+    -196,  -196,   210,  -196,   212,  -196,   215,   217,  -196,  -196,
+     218,   219,  -196,   221,  -196,  -196,  -196,  -196,  -196,  -196,
+    -196,  -196,  -196,  -196,  -196,  -196,  -196,   155,   158,  -196,
+    -196,  -196,    46,  -196,  -196,  -196,  -196,   204,   224,  -196,
+    -196,  -196,   225,  -196,  -196,  -196,  -196,   159,  -196,  -196,
+     227,  -196,  -196,   161,   231,   167,  -196
+};
+
+/* YYPGOTO[NTERM-NUM].  */
+static const yytype_int16 yypgoto[] =
+{
+    -196,  -196,  -196,  -196,  -196,  -196,  -110,  -196,    39,  -196,
+    -196,  -196,    -9,  -196,    42,  -195,   -33,   -53
+};
+
+/* YYTABLE[YYPACT[STATE-NUM]].  What to do in state STATE-NUM.  If
+   positive, shift that token.  If negative, reduce the rule which
+   number is the opposite.  If zero, do what YYDEFACT says.
+   If YYTABLE_NINF, syntax error.  */
+#define YYTABLE_NINF -1
+static const yytype_uint16 yytable[] =
+{
+     105,   254,   255,   185,   184,   119,   120,   237,    68,    69,
+      70,    71,   238,   133,   121,   110,   239,   101,   111,    50,
+     112,   113,   108,   153,   278,   155,   156,    53,    51,   115,
+      72,    73,   162,   116,   117,    52,   136,    55,   138,    54,
+     140,    56,   172,    75,    76,    57,   176,    77,    78,   159,
+     160,   126,   127,    89,    90,   131,   132,   167,   134,   135,
+      58,   137,   192,   193,   201,   202,   152,   203,   204,   205,
+     206,   157,   158,   129,   242,   161,   141,   163,   164,   212,
+     213,    59,    60,    61,    62,    63,    64,    65,    67,   142,
+     143,   144,    66,    74,    80,   300,    79,    81,   106,    82,
+     145,   146,   147,   148,   149,   150,   151,    83,    84,   128,
+      85,    86,    87,    88,   312,    91,    92,    93,    94,   103,
+      95,    96,    97,    98,   100,   233,   234,    99,   236,   123,
+     178,   179,   129,   243,   244,   245,   139,   180,   154,   165,
+     250,   251,   166,   168,   169,   170,   181,   171,   173,   260,
+     182,   183,   207,   265,   186,   187,   246,   247,   248,   188,
+     174,   189,   274,   190,   276,   256,   257,   258,   175,   177,
+     282,   263,   191,   194,   284,   285,   268,   269,   195,   286,
+     272,   196,   197,   275,   198,   277,   199,   279,   280,   281,
+     200,   283,   208,   259,   209,   210,   211,   214,     0,   215,
+     216,   217,   218,   219,   220,   221,   222,   223,   224,   225,
+     226,   227,   228,   229,   230,   231,   232,   235,   249,   287,
+     288,   307,   241,   289,   261,   264,   290,   267,   291,   270,
+     292,   271,   273,   293,   294,   295,   299,   296,   301,   297,
+     308,   309,   298,   310,   313,   314,     2,     3,   315,   266,
+       0,   316,     0,     0,     0,   311,     0,     0,     0,     0,
+     303,   304,   305,   306,     4,     5,     0,     0,     6,     7,
+       8,     9,    10,    11,    12,    13,    14,     0,     0,     0,
+       0,     0,     0,   302,    15,    16,    17,    18,    19,    20,
+      21,    22,    23,    24,    25,    26,    27,    28,    29,    30,
+      31,    32,     0,    33,    34,    35,    36,    37,     0,     0,
+       0,    38,    39,    40,    41,    42,    43,    44,    45,     0,
+       0,     0,     0,     0,     0,     0,    46,    47
+};
+
+static const yytype_int16 yycheck[] =
+{
+      53,   196,   197,   113,    15,     4,     5,     5,    15,    16,
+      15,    16,    10,    66,    13,     3,    14,    83,     6,    16,
+       8,     9,    55,    76,   219,    78,    79,    16,    15,     7,
+      15,    16,    85,    11,    12,    15,    69,    16,    71,    15,
+      73,    15,    95,    15,    16,    15,    99,    15,    16,    82,
+      83,    60,    61,    15,    16,    64,    65,    90,    67,    68,
+      15,    70,    15,    16,    15,    16,    75,    15,    16,    15,
+      16,    80,    81,    84,   184,    84,    49,    86,    87,    15,
+      16,    15,    15,    15,    15,    15,    15,    15,    15,    62,
+      63,    64,    16,    15,    15,   290,    16,    15,    84,    16,
+      73,    74,    75,    76,    77,    78,    79,    16,    15,    84,
+      16,    15,    15,    15,   309,    15,    15,    15,    15,    83,
+      16,    15,    15,    15,    15,   178,   179,    16,   181,    83,
+      16,    16,    84,   186,   187,   188,    83,    17,    83,    83,
+     193,   194,    83,    83,    83,    83,    16,    84,    83,   202,
+      15,    15,    15,   206,    16,    16,   189,   190,   191,    16,
+      83,    16,   215,    16,   217,   198,   199,   200,    83,    83,
+     223,   204,    16,    16,   227,   228,   209,   210,    16,   232,
+     213,    16,    16,   216,    16,   218,    16,   220,   221,   222,
+      16,   224,    15,    83,    16,    16,    15,    15,    -1,    16,
+      16,    16,    16,    16,    16,    16,    16,    16,    16,    16,
+      16,    16,    16,    16,    16,    16,    16,    84,    12,    17,
+      15,    17,   183,    16,    84,    84,    16,    83,    16,    83,
+      15,    83,    83,    16,    16,    16,   289,    16,   291,    84,
+      16,    16,    84,    84,    17,    84,     0,     1,    17,   207,
+      -1,    84,    -1,    -1,    -1,   308,    -1,    -1,    -1,    -1,
+     293,   294,   295,   296,    18,    19,    -1,    -1,    22,    23,
+      24,    25,    26,    27,    28,    29,    30,    -1,    -1,    -1,
+      -1,    -1,    -1,   292,    38,    39,    40,    41,    42,    43,
+      44,    45,    46,    47,    48,    49,    50,    51,    52,    53,
+      54,    55,    -1,    57,    58,    59,    60,    61,    -1,    -1,
+      -1,    65,    66,    67,    68,    69,    70,    71,    72,    -1,
+      -1,    -1,    -1,    -1,    -1,    -1,    80,    81
+};
+
+/* YYSTOS[STATE-NUM] -- The (internal number of the) accessing
+   symbol of state STATE-NUM.  */
+static const yytype_uint8 yystos[] =
+{
+       0,    86,     0,     1,    18,    19,    22,    23,    24,    25,
+      26,    27,    28,    29,    30,    38,    39,    40,    41,    42,
+      43,    44,    45,    46,    47,    48,    49,    50,    51,    52,
+      53,    54,    55,    57,    58,    59,    60,    61,    65,    66,
+      67,    68,    69,    70,    71,    72,    80,    81,    87,    88,
+      16,    15,    15,    16,    15,    16,    15,    15,    15,    15,
+      15,    15,    15,    15,    15,    15,    16,    15,    15,    16,
+      15,    16,    15,    16,    15,    15,    16,    15,    16,    16,
+      15,    15,    16,    16,    15,    16,    15,    15,    15,    15,
+      16,    15,    15,    15,    15,    16,    15,    15,    15,    16,
+      15,    83,    89,    83,    90,   102,    84,    92,   101,   102,
+       3,     6,     8,     9,    94,     7,    11,    12,    95,     4,
+       5,    13,    96,    83,    97,    98,    97,    97,    84,    84,
+      91,    97,    97,   102,    97,    97,   101,    97,   101,    83,
+     101,    49,    62,    63,    64,    73,    74,    75,    76,    77,
+      78,    79,    97,   102,    83,   102,   102,    97,    97,   101,
+     101,    97,   102,    97,    97,    83,    83,   101,    83,    83,
+      83,    84,   102,    83,    83,    83,   102,    83,    16,    16,
+      17,    16,    15,    15,    15,    91,    16,    16,    16,    16,
+      16,    16,    15,    16,    16,    16,    16,    16,    16,    16,
+      16,    15,    16,    15,    16,    15,    16,    15,    15,    16,
+      16,    15,    15,    16,    15,    16,    16,    16,    16,    16,
+      16,    16,    16,    16,    16,    16,    16,    16,    16,    16,
+      16,    16,    16,   102,   102,    84,   102,     5,    10,    14,
+      93,    93,    91,   102,   102,   102,   101,   101,   101,    12,
+     102,   102,   100,   101,   100,   100,   101,   101,   101,    83,
+     102,    84,    99,   101,    84,   102,    99,    83,   101,   101,
+      83,    83,   101,    83,   102,   101,   102,   101,   100,   101,
+     101,   101,   102,   101,   102,   102,   102,    17,    15,    16,
+      16,    16,    15,    16,    16,    16,    16,    84,    84,   102,
+     100,   102,    97,   101,   101,   101,   101,    17,    16,    16,
+      84,   102,   100,    17,    84,    17,    84
+};
+
+#define yyerrok		(yyerrstatus = 0)
+#define yyclearin	(yychar = YYEMPTY)
+#define YYEMPTY		(-2)
+#define YYEOF		0
+
+#define YYACCEPT	goto yyacceptlab
+#define YYABORT		goto yyabortlab
+#define YYERROR		goto yyerrorlab
+
+
+/* Like YYERROR except do call yyerror.  This remains here temporarily
+   to ease the transition to the new meaning of YYERROR, for GCC.
+   Once GCC version 2 has supplanted version 1, this can go.  */
+
+#define YYFAIL		goto yyerrlab
+
+#define YYRECOVERING()  (!!yyerrstatus)
+
+#define YYBACKUP(Token, Value)					\
+do								\
+  if (yychar == YYEMPTY && yylen == 1)				\
+    {								\
+      yychar = (Token);						\
+      yylval = (Value);						\
+      yytoken = YYTRANSLATE (yychar);				\
+      YYPOPSTACK (1);						\
+      goto yybackup;						\
+    }								\
+  else								\
+    {								\
+      yyerror (YY_("syntax error: cannot back up")); \
+      YYERROR;							\
+    }								\
+while (YYID (0))
+
+
+#define YYTERROR	1
+#define YYERRCODE	256
+
+
+/* YYLLOC_DEFAULT -- Set CURRENT to span from RHS[1] to RHS[N].
+   If N is 0, then set CURRENT to the empty location which ends
+   the previous symbol: RHS[0] (always defined).  */
+
+#define YYRHSLOC(Rhs, K) ((Rhs)[K])
+#ifndef YYLLOC_DEFAULT
+# define YYLLOC_DEFAULT(Current, Rhs, N)				\
+    do									\
+      if (YYID (N))                                                    \
+	{								\
+	  (Current).first_line   = YYRHSLOC (Rhs, 1).first_line;	\
+	  (Current).first_column = YYRHSLOC (Rhs, 1).first_column;	\
+	  (Current).last_line    = YYRHSLOC (Rhs, N).last_line;		\
+	  (Current).last_column  = YYRHSLOC (Rhs, N).last_column;	\
+	}								\
+      else								\
+	{								\
+	  (Current).first_line   = (Current).last_line   =		\
+	    YYRHSLOC (Rhs, 0).last_line;				\
+	  (Current).first_column = (Current).last_column =		\
+	    YYRHSLOC (Rhs, 0).last_column;				\
+	}								\
+    while (YYID (0))
+#endif
+
+
+/* YY_LOCATION_PRINT -- Print the location on the stream.
+   This macro was not mandated originally: define only if we know
+   we won't break user code: when these are the locations we know.  */
+
+#ifndef YY_LOCATION_PRINT
+# if defined YYLTYPE_IS_TRIVIAL && YYLTYPE_IS_TRIVIAL
+#  define YY_LOCATION_PRINT(File, Loc)			\
+     fprintf (File, "%d.%d-%d.%d",			\
+	      (Loc).first_line, (Loc).first_column,	\
+	      (Loc).last_line,  (Loc).last_column)
+# else
+#  define YY_LOCATION_PRINT(File, Loc) ((void) 0)
+# endif
+#endif
+
+
+/* YYLEX -- calling `yylex' with the right arguments.  */
+
+#ifdef YYLEX_PARAM
+# define YYLEX yylex (YYLEX_PARAM)
+#else
+# define YYLEX yylex ()
+#endif
+
+/* Enable debugging if requested.  */
+#if YYDEBUG
+
+# ifndef YYFPRINTF
+#  include <stdio.h> /* INFRINGES ON USER NAME SPACE */
+#  define YYFPRINTF fprintf
+# endif
+
+# define YYDPRINTF(Args)			\
+do {						\
+  if (yydebug)					\
+    YYFPRINTF Args;				\
+} while (YYID (0))
+
+# define YY_SYMBOL_PRINT(Title, Type, Value, Location)			  \
+do {									  \
+  if (yydebug)								  \
+    {									  \
+      YYFPRINTF (stderr, "%s ", Title);					  \
+      yy_symbol_print (stderr,						  \
+		  Type, Value); \
+      YYFPRINTF (stderr, "\n");						  \
+    }									  \
+} while (YYID (0))
+
+
+/*--------------------------------.
+| Print this symbol on YYOUTPUT.  |
+`--------------------------------*/
+
+/*ARGSUSED*/
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yy_symbol_value_print (FILE *yyoutput, int yytype, YYSTYPE const * const yyvaluep)
+#else
+static void
+yy_symbol_value_print (yyoutput, yytype, yyvaluep)
+    FILE *yyoutput;
+    int yytype;
+    YYSTYPE const * const yyvaluep;
+#endif
+{
+  if (!yyvaluep)
+    return;
+# ifdef YYPRINT
+  if (yytype < YYNTOKENS)
+    YYPRINT (yyoutput, yytoknum[yytype], *yyvaluep);
+# else
+  YYUSE (yyoutput);
+# endif
+  switch (yytype)
+    {
+      default:
+	break;
+    }
+}
+
+
+/*--------------------------------.
+| Print this symbol on YYOUTPUT.  |
+`--------------------------------*/
+
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yy_symbol_print (FILE *yyoutput, int yytype, YYSTYPE const * const yyvaluep)
+#else
+static void
+yy_symbol_print (yyoutput, yytype, yyvaluep)
+    FILE *yyoutput;
+    int yytype;
+    YYSTYPE const * const yyvaluep;
+#endif
+{
+  if (yytype < YYNTOKENS)
+    YYFPRINTF (yyoutput, "token %s (", yytname[yytype]);
+  else
+    YYFPRINTF (yyoutput, "nterm %s (", yytname[yytype]);
+
+  yy_symbol_value_print (yyoutput, yytype, yyvaluep);
+  YYFPRINTF (yyoutput, ")");
+}
+
+/*------------------------------------------------------------------.
+| yy_stack_print -- Print the state stack from its BOTTOM up to its |
+| TOP (included).                                                   |
+`------------------------------------------------------------------*/
+
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yy_stack_print (yytype_int16 *bottom, yytype_int16 *top)
+#else
+static void
+yy_stack_print (bottom, top)
+    yytype_int16 *bottom;
+    yytype_int16 *top;
+#endif
+{
+  YYFPRINTF (stderr, "Stack now");
+  for (; bottom <= top; ++bottom)
+    YYFPRINTF (stderr, " %d", *bottom);
+  YYFPRINTF (stderr, "\n");
+}
+
+# define YY_STACK_PRINT(Bottom, Top)				\
+do {								\
+  if (yydebug)							\
+    yy_stack_print ((Bottom), (Top));				\
+} while (YYID (0))
+
+
+/*------------------------------------------------.
+| Report that the YYRULE is going to be reduced.  |
+`------------------------------------------------*/
+
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yy_reduce_print (YYSTYPE *yyvsp, int yyrule)
+#else
+static void
+yy_reduce_print (yyvsp, yyrule)
+    YYSTYPE *yyvsp;
+    int yyrule;
+#endif
+{
+  int yynrhs = yyr2[yyrule];
+  int yyi;
+  unsigned long int yylno = yyrline[yyrule];
+  YYFPRINTF (stderr, "Reducing stack by rule %d (line %lu):\n",
+	     yyrule - 1, yylno);
+  /* The symbols being reduced.  */
+  for (yyi = 0; yyi < yynrhs; yyi++)
+    {
+      fprintf (stderr, "   $%d = ", yyi + 1);
+      yy_symbol_print (stderr, yyrhs[yyprhs[yyrule] + yyi],
+		       &(yyvsp[(yyi + 1) - (yynrhs)])
+		       		       );
+      fprintf (stderr, "\n");
+    }
+}
+
+# define YY_REDUCE_PRINT(Rule)		\
+do {					\
+  if (yydebug)				\
+    yy_reduce_print (yyvsp, Rule); \
+} while (YYID (0))
+
+/* Nonzero means print parse trace.  It is left uninitialized so that
+   multiple parsers can coexist.  */
+int yydebug;
+#else /* !YYDEBUG */
+# define YYDPRINTF(Args)
+# define YY_SYMBOL_PRINT(Title, Type, Value, Location)
+# define YY_STACK_PRINT(Bottom, Top)
+# define YY_REDUCE_PRINT(Rule)
+#endif /* !YYDEBUG */
+
+
+/* YYINITDEPTH -- initial size of the parser's stacks.  */
+#ifndef	YYINITDEPTH
+# define YYINITDEPTH 200
+#endif
+
+/* YYMAXDEPTH -- maximum size the stacks can grow to (effective only
+   if the built-in stack extension method is used).
+
+   Do not make this value too large; the results are undefined if
+   YYSTACK_ALLOC_MAXIMUM < YYSTACK_BYTES (YYMAXDEPTH)
+   evaluated with infinite-precision integer arithmetic.  */
+
+#ifndef YYMAXDEPTH
+# define YYMAXDEPTH 10000
+#endif
+
+
+
+#if YYERROR_VERBOSE
+
+# ifndef yystrlen
+#  if defined __GLIBC__ && defined _STRING_H
+#   define yystrlen strlen
+#  else
+/* Return the length of YYSTR.  */
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static YYSIZE_T
+yystrlen (const char *yystr)
+#else
+static YYSIZE_T
+yystrlen (yystr)
+    const char *yystr;
+#endif
+{
+  YYSIZE_T yylen;
+  for (yylen = 0; yystr[yylen]; yylen++)
+    continue;
+  return yylen;
+}
+#  endif
+# endif
+
+# ifndef yystpcpy
+#  if defined __GLIBC__ && defined _STRING_H && defined _GNU_SOURCE
+#   define yystpcpy stpcpy
+#  else
+/* Copy YYSRC to YYDEST, returning the address of the terminating '\0' in
+   YYDEST.  */
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static char *
+yystpcpy (char *yydest, const char *yysrc)
+#else
+static char *
+yystpcpy (yydest, yysrc)
+    char *yydest;
+    const char *yysrc;
+#endif
+{
+  char *yyd = yydest;
+  const char *yys = yysrc;
+
+  while ((*yyd++ = *yys++) != '\0')
+    continue;
+
+  return yyd - 1;
+}
+#  endif
+# endif
+
+# ifndef yytnamerr
+/* Copy to YYRES the contents of YYSTR after stripping away unnecessary
+   quotes and backslashes, so that it's suitable for yyerror.  The
+   heuristic is that double-quoting is unnecessary unless the string
+   contains an apostrophe, a comma, or backslash (other than
+   backslash-backslash).  YYSTR is taken from yytname.  If YYRES is
+   null, do not copy; instead, return the length of what the result
+   would have been.  */
+static YYSIZE_T
+yytnamerr (char *yyres, const char *yystr)
+{
+  if (*yystr == '"')
+    {
+      YYSIZE_T yyn = 0;
+      char const *yyp = yystr;
+
+      for (;;)
+	switch (*++yyp)
+	  {
+	  case '\'':
+	  case ',':
+	    goto do_not_strip_quotes;
+
+	  case '\\':
+	    if (*++yyp != '\\')
+	      goto do_not_strip_quotes;
+	    /* Fall through.  */
+	  default:
+	    if (yyres)
+	      yyres[yyn] = *yyp;
+	    yyn++;
+	    break;
+
+	  case '"':
+	    if (yyres)
+	      yyres[yyn] = '\0';
+	    return yyn;
+	  }
+    do_not_strip_quotes: ;
+    }
+
+  if (! yyres)
+    return yystrlen (yystr);
+
+  return yystpcpy (yyres, yystr) - yyres;
+}
+# endif
+
+/* Copy into YYRESULT an error message about the unexpected token
+   YYCHAR while in state YYSTATE.  Return the number of bytes copied,
+   including the terminating null byte.  If YYRESULT is null, do not
+   copy anything; just return the number of bytes that would be
+   copied.  As a special case, return 0 if an ordinary "syntax error"
+   message will do.  Return YYSIZE_MAXIMUM if overflow occurs during
+   size calculation.  */
+static YYSIZE_T
+yysyntax_error (char *yyresult, int yystate, int yychar)
+{
+  int yyn = yypact[yystate];
+
+  if (! (YYPACT_NINF < yyn && yyn <= YYLAST))
+    return 0;
+  else
+    {
+      int yytype = YYTRANSLATE (yychar);
+      YYSIZE_T yysize0 = yytnamerr (0, yytname[yytype]);
+      YYSIZE_T yysize = yysize0;
+      YYSIZE_T yysize1;
+      int yysize_overflow = 0;
+      enum { YYERROR_VERBOSE_ARGS_MAXIMUM = 5 };
+      char const *yyarg[YYERROR_VERBOSE_ARGS_MAXIMUM];
+      int yyx;
+
+# if 0
+      /* This is so xgettext sees the translatable formats that are
+	 constructed on the fly.  */
+      YY_("syntax error, unexpected %s");
+      YY_("syntax error, unexpected %s, expecting %s");
+      YY_("syntax error, unexpected %s, expecting %s or %s");
+      YY_("syntax error, unexpected %s, expecting %s or %s or %s");
+      YY_("syntax error, unexpected %s, expecting %s or %s or %s or %s");
+# endif
+      char *yyfmt;
+      char const *yyf;
+      static char const yyunexpected[] = "syntax error, unexpected %s";
+      static char const yyexpecting[] = ", expecting %s";
+      static char const yyor[] = " or %s";
+      char yyformat[sizeof yyunexpected
+		    + sizeof yyexpecting - 1
+		    + ((YYERROR_VERBOSE_ARGS_MAXIMUM - 2)
+		       * (sizeof yyor - 1))];
+      char const *yyprefix = yyexpecting;
+
+      /* Start YYX at -YYN if negative to avoid negative indexes in
+	 YYCHECK.  */
+      int yyxbegin = yyn < 0 ? -yyn : 0;
+
+      /* Stay within bounds of both yycheck and yytname.  */
+      int yychecklim = YYLAST - yyn + 1;
+      int yyxend = yychecklim < YYNTOKENS ? yychecklim : YYNTOKENS;
+      int yycount = 1;
+
+      yyarg[0] = yytname[yytype];
+      yyfmt = yystpcpy (yyformat, yyunexpected);
+
+      for (yyx = yyxbegin; yyx < yyxend; ++yyx)
+	if (yycheck[yyx + yyn] == yyx && yyx != YYTERROR)
+	  {
+	    if (yycount == YYERROR_VERBOSE_ARGS_MAXIMUM)
+	      {
+		yycount = 1;
+		yysize = yysize0;
+		yyformat[sizeof yyunexpected - 1] = '\0';
+		break;
+	      }
+	    yyarg[yycount++] = yytname[yyx];
+	    yysize1 = yysize + yytnamerr (0, yytname[yyx]);
+	    yysize_overflow |= (yysize1 < yysize);
+	    yysize = yysize1;
+	    yyfmt = yystpcpy (yyfmt, yyprefix);
+	    yyprefix = yyor;
+	  }
+
+      yyf = YY_(yyformat);
+      yysize1 = yysize + yystrlen (yyf);
+      yysize_overflow |= (yysize1 < yysize);
+      yysize = yysize1;
+
+      if (yysize_overflow)
+	return YYSIZE_MAXIMUM;
+
+      if (yyresult)
+	{
+	  /* Avoid sprintf, as that infringes on the user's name space.
+	     Don't have undefined behavior even if the translation
+	     produced a string with the wrong number of "%s"s.  */
+	  char *yyp = yyresult;
+	  int yyi = 0;
+	  while ((*yyp = *yyf) != '\0')
+	    {
+	      if (*yyp == '%' && yyf[1] == 's' && yyi < yycount)
+		{
+		  yyp += yytnamerr (yyp, yyarg[yyi++]);
+		  yyf += 2;
+		}
+	      else
+		{
+		  yyp++;
+		  yyf++;
+		}
+	    }
+	}
+      return yysize;
+    }
+}
+#endif /* YYERROR_VERBOSE */
+
+
+/*-----------------------------------------------.
+| Release the memory associated to this symbol.  |
+`-----------------------------------------------*/
+
+/*ARGSUSED*/
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yydestruct (const char *yymsg, int yytype, YYSTYPE *yyvaluep)
+#else
+static void
+yydestruct (yymsg, yytype, yyvaluep)
+    const char *yymsg;
+    int yytype;
+    YYSTYPE *yyvaluep;
+#endif
+{
+  YYUSE (yyvaluep);
+
+  if (!yymsg)
+    yymsg = "Deleting";
+  YY_SYMBOL_PRINT (yymsg, yytype, yyvaluep, yylocationp);
+
+  switch (yytype)
+    {
+
+      default:
+	break;
+    }
+}
+
+
+/* Prevent warnings from -Wmissing-prototypes.  */
+
+#ifdef YYPARSE_PARAM
+#if defined __STDC__ || defined __cplusplus
+int yyparse (void *YYPARSE_PARAM);
+#else
+int yyparse ();
+#endif
+#else /* ! YYPARSE_PARAM */
+#if defined __STDC__ || defined __cplusplus
+int yyparse (void);
+#else
+int yyparse ();
+#endif
+#endif /* ! YYPARSE_PARAM */
+
+
+
+/* The look-ahead symbol.  */
+int yychar;
+
+/* The semantic value of the look-ahead symbol.  */
+YYSTYPE yylval;
+
+/* Number of syntax errors so far.  */
+int yynerrs;
+
+
+
+/*----------.
+| yyparse.  |
+`----------*/
+
+#ifdef YYPARSE_PARAM
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+int
+yyparse (void *YYPARSE_PARAM)
+#else
+int
+yyparse (YYPARSE_PARAM)
+    void *YYPARSE_PARAM;
+#endif
+#else /* ! YYPARSE_PARAM */
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+int
+yyparse (void)
+#else
+int
+yyparse ()
+
+#endif
+#endif
+{
+  
+  int yystate;
+  int yyn;
+  int yyresult;
+  /* Number of tokens to shift before error messages enabled.  */
+  int yyerrstatus;
+  /* Look-ahead token as an internal (translated) token number.  */
+  int yytoken = 0;
+#if YYERROR_VERBOSE
+  /* Buffer for error messages, and its allocated size.  */
+  char yymsgbuf[128];
+  char *yymsg = yymsgbuf;
+  YYSIZE_T yymsg_alloc = sizeof yymsgbuf;
+#endif
+
+  /* Three stacks and their tools:
+     `yyss': related to states,
+     `yyvs': related to semantic values,
+     `yyls': related to locations.
+
+     Refer to the stacks thru separate pointers, to allow yyoverflow
+     to reallocate them elsewhere.  */
+
+  /* The state stack.  */
+  yytype_int16 yyssa[YYINITDEPTH];
+  yytype_int16 *yyss = yyssa;
+  yytype_int16 *yyssp;
+
+  /* The semantic value stack.  */
+  YYSTYPE yyvsa[YYINITDEPTH];
+  YYSTYPE *yyvs = yyvsa;
+  YYSTYPE *yyvsp;
+
+
+
+#define YYPOPSTACK(N)   (yyvsp -= (N), yyssp -= (N))
+
+  YYSIZE_T yystacksize = YYINITDEPTH;
+
+  /* The variables used to return semantic value and location from the
+     action routines.  */
+  YYSTYPE yyval;
+
+
+  /* The number of symbols on the RHS of the reduced rule.
+     Keep to zero when no symbol should be popped.  */
+  int yylen = 0;
+
+  YYDPRINTF ((stderr, "Starting parse\n"));
+
+  yystate = 0;
+  yyerrstatus = 0;
+  yynerrs = 0;
+  yychar = YYEMPTY;		/* Cause a token to be read.  */
+
+  /* Initialize stack pointers.
+     Waste one element of value and location stack
+     so that they stay on the same level as the state stack.
+     The wasted elements are never initialized.  */
+
+  yyssp = yyss;
+  yyvsp = yyvs;
+
+  goto yysetstate;
+
+/*------------------------------------------------------------.
+| yynewstate -- Push a new state, which is found in yystate.  |
+`------------------------------------------------------------*/
+ yynewstate:
+  /* In all cases, when you get here, the value and location stacks
+     have just been pushed.  So pushing a state here evens the stacks.  */
+  yyssp++;
+
+ yysetstate:
+  *yyssp = yystate;
+
+  if (yyss + yystacksize - 1 <= yyssp)
+    {
+      /* Get the current used size of the three stacks, in elements.  */
+      YYSIZE_T yysize = yyssp - yyss + 1;
+
+#ifdef yyoverflow
+      {
+	/* Give user a chance to reallocate the stack.  Use copies of
+	   these so that the &'s don't force the real ones into
+	   memory.  */
+	YYSTYPE *yyvs1 = yyvs;
+	yytype_int16 *yyss1 = yyss;
+
+
+	/* Each stack pointer address is followed by the size of the
+	   data in use in that stack, in bytes.  This used to be a
+	   conditional around just the two extra args, but that might
+	   be undefined if yyoverflow is a macro.  */
+	yyoverflow (YY_("memory exhausted"),
+		    &yyss1, yysize * sizeof (*yyssp),
+		    &yyvs1, yysize * sizeof (*yyvsp),
+
+		    &yystacksize);
+
+	yyss = yyss1;
+	yyvs = yyvs1;
+      }
+#else /* no yyoverflow */
+# ifndef YYSTACK_RELOCATE
+      goto yyexhaustedlab;
+# else
+      /* Extend the stack our own way.  */
+      if (YYMAXDEPTH <= yystacksize)
+	goto yyexhaustedlab;
+      yystacksize *= 2;
+      if (YYMAXDEPTH < yystacksize)
+	yystacksize = YYMAXDEPTH;
+
+      {
+	yytype_int16 *yyss1 = yyss;
+	union yyalloc *yyptr =
+	  (union yyalloc *) YYSTACK_ALLOC (YYSTACK_BYTES (yystacksize));
+	if (! yyptr)
+	  goto yyexhaustedlab;
+	YYSTACK_RELOCATE (yyss);
+	YYSTACK_RELOCATE (yyvs);
+
+#  undef YYSTACK_RELOCATE
+	if (yyss1 != yyssa)
+	  YYSTACK_FREE (yyss1);
+      }
+# endif
+#endif /* no yyoverflow */
+
+      yyssp = yyss + yysize - 1;
+      yyvsp = yyvs + yysize - 1;
+
+
+      YYDPRINTF ((stderr, "Stack size increased to %lu\n",
+		  (unsigned long int) yystacksize));
+
+      if (yyss + yystacksize - 1 <= yyssp)
+	YYABORT;
+    }
+
+  YYDPRINTF ((stderr, "Entering state %d\n", yystate));
+
+  goto yybackup;
+
+/*-----------.
+| yybackup.  |
+`-----------*/
+yybackup:
+
+  /* Do appropriate processing given the current state.  Read a
+     look-ahead token if we need one and don't already have one.  */
+
+  /* First try to decide what to do without reference to look-ahead token.  */
+  yyn = yypact[yystate];
+  if (yyn == YYPACT_NINF)
+    goto yydefault;
+
+  /* Not known => get a look-ahead token if don't already have one.  */
+
+  /* YYCHAR is either YYEMPTY or YYEOF or a valid look-ahead symbol.  */
+  if (yychar == YYEMPTY)
+    {
+      YYDPRINTF ((stderr, "Reading a token: "));
+      yychar = YYLEX;
+    }
+
+  if (yychar <= YYEOF)
+    {
+      yychar = yytoken = YYEOF;
+      YYDPRINTF ((stderr, "Now at end of input.\n"));
+    }
+  else
+    {
+      yytoken = YYTRANSLATE (yychar);
+      YY_SYMBOL_PRINT ("Next token is", yytoken, &yylval, &yylloc);
+    }
+
+  /* If the proper action on seeing token YYTOKEN is to reduce or to
+     detect an error, take that action.  */
+  yyn += yytoken;
+  if (yyn < 0 || YYLAST < yyn || yycheck[yyn] != yytoken)
+    goto yydefault;
+  yyn = yytable[yyn];
+  if (yyn <= 0)
+    {
+      if (yyn == 0 || yyn == YYTABLE_NINF)
+	goto yyerrlab;
+      yyn = -yyn;
+      goto yyreduce;
+    }
+
+  if (yyn == YYFINAL)
+    YYACCEPT;
+
+  /* Count tokens shifted since error; after three, turn off error
+     status.  */
+  if (yyerrstatus)
+    yyerrstatus--;
+
+  /* Shift the look-ahead token.  */
+  YY_SYMBOL_PRINT ("Shifting", yytoken, &yylval, &yylloc);
+
+  /* Discard the shifted token unless it is eof.  */
+  if (yychar != YYEOF)
+    yychar = YYEMPTY;
+
+  yystate = yyn;
+  *++yyvsp = yylval;
+
+  goto yynewstate;
+
+
+/*-----------------------------------------------------------.
+| yydefault -- do the default action for the current state.  |
+`-----------------------------------------------------------*/
+yydefault:
+  yyn = yydefact[yystate];
+  if (yyn == 0)
+    goto yyerrlab;
+  goto yyreduce;
+
+
+/*-----------------------------.
+| yyreduce -- Do a reduction.  |
+`-----------------------------*/
+yyreduce:
+  /* yyn is the number of a rule to reduce with.  */
+  yylen = yyr2[yyn];
+
+  /* If YYLEN is nonzero, implement the default value of the action:
+     `$$ = $1'.
+
+     Otherwise, the following line sets YYVAL to garbage.
+     This behavior is undocumented and Bison
+     users should not rely upon it.  Assigning to YYVAL
+     unconditionally makes the parser a bit smaller, and it avoids a
+     GCC warning that YYVAL may be used uninitialized.  */
+  yyval = yyvsp[1-yylen];
+
+
+  YY_REDUCE_PRINT (yyn);
+  switch (yyn)
+    {
+        case 3:
+#line 132 "ftpcmd.y"
+    {
+			fromname = (char *) 0;
+			restart_point = (off_t) 0;
+		}
+    break;
+
+  case 5:
+#line 141 "ftpcmd.y"
+    {
+		    if ((yyvsp[(5) - (5)].i))
+			user((yyvsp[(3) - (5)].s));
+		    free((yyvsp[(3) - (5)].s));
+		}
+    break;
+
+  case 6:
+#line 147 "ftpcmd.y"
+    {
+		    if ((yyvsp[(5) - (5)].i))
+			pass((yyvsp[(3) - (5)].s));
+		    memset ((yyvsp[(3) - (5)].s), 0, strlen((yyvsp[(3) - (5)].s)));
+		    free((yyvsp[(3) - (5)].s));
+		}
+    break;
+
+  case 7:
+#line 154 "ftpcmd.y"
+    {
+		    if ((yyvsp[(5) - (5)].i)) {
+			usedefault = 0;
+			if (pdata >= 0) {
+				close(pdata);
+				pdata = -1;
+			}
+			reply(200, "PORT command successful.");
+		    }
+		}
+    break;
+
+  case 8:
+#line 165 "ftpcmd.y"
+    {
+		    if ((yyvsp[(5) - (5)].i))
+			eprt ((yyvsp[(3) - (5)].s));
+		    free ((yyvsp[(3) - (5)].s));
+		}
+    break;
+
+  case 9:
+#line 171 "ftpcmd.y"
+    {
+		    if((yyvsp[(3) - (3)].i))
+			pasv ();
+		}
+    break;
+
+  case 10:
+#line 176 "ftpcmd.y"
+    {
+		    if((yyvsp[(3) - (3)].i))
+			epsv (NULL);
+		}
+    break;
+
+  case 11:
+#line 181 "ftpcmd.y"
+    {
+		    if((yyvsp[(5) - (5)].i))
+			epsv ((yyvsp[(3) - (5)].s));
+		    free ((yyvsp[(3) - (5)].s));
+		}
+    break;
+
+  case 12:
+#line 187 "ftpcmd.y"
+    {
+		    if ((yyvsp[(5) - (5)].i)) {
+			switch (cmd_type) {
+
+			case TYPE_A:
+				if (cmd_form == FORM_N) {
+					reply(200, "Type set to A.");
+					type = cmd_type;
+					form = cmd_form;
+				} else
+					reply(504, "Form must be N.");
+				break;
+
+			case TYPE_E:
+				reply(504, "Type E not implemented.");
+				break;
+
+			case TYPE_I:
+				reply(200, "Type set to I.");
+				type = cmd_type;
+				break;
+
+			case TYPE_L:
+#if NBBY == 8
+				if (cmd_bytesz == 8) {
+					reply(200,
+					    "Type set to L (byte size 8).");
+					type = cmd_type;
+				} else
+					reply(504, "Byte size must be 8.");
+#else /* NBBY == 8 */
+				UNIMPLEMENTED for NBBY != 8
+#endif /* NBBY == 8 */
+			}
+		    }
+		}
+    break;
+
+  case 13:
+#line 224 "ftpcmd.y"
+    {
+		    if ((yyvsp[(5) - (5)].i)) {
+			switch ((yyvsp[(3) - (5)].i)) {
+
+			case STRU_F:
+				reply(200, "STRU F ok.");
+				break;
+
+			default:
+				reply(504, "Unimplemented STRU type.");
+			}
+		    }
+		}
+    break;
+
+  case 14:
+#line 238 "ftpcmd.y"
+    {
+		    if ((yyvsp[(5) - (5)].i)) {
+			switch ((yyvsp[(3) - (5)].i)) {
+
+			case MODE_S:
+				reply(200, "MODE S ok.");
+				break;
+
+			default:
+				reply(502, "Unimplemented MODE type.");
+			}
+		    }
+		}
+    break;
+
+  case 15:
+#line 252 "ftpcmd.y"
+    {
+		    if ((yyvsp[(5) - (5)].i)) {
+			reply(202, "ALLO command ignored.");
+		    }
+		}
+    break;
+
+  case 16:
+#line 258 "ftpcmd.y"
+    {
+		    if ((yyvsp[(9) - (9)].i)) {
+			reply(202, "ALLO command ignored.");
+		    }
+		}
+    break;
+
+  case 17:
+#line 264 "ftpcmd.y"
+    {
+			char *name = (yyvsp[(3) - (5)].s);
+
+			if ((yyvsp[(5) - (5)].i) && name != NULL)
+				retrieve(0, name);
+			if (name != NULL)
+				free(name);
+		}
+    break;
+
+  case 18:
+#line 273 "ftpcmd.y"
+    {
+			char *name = (yyvsp[(3) - (5)].s);
+
+			if ((yyvsp[(5) - (5)].i) && name != NULL)
+				do_store(name, "w", 0);
+			if (name != NULL)
+				free(name);
+		}
+    break;
+
+  case 19:
+#line 282 "ftpcmd.y"
+    {
+			char *name = (yyvsp[(3) - (5)].s);
+
+			if ((yyvsp[(5) - (5)].i) && name != NULL)
+				do_store(name, "a", 0);
+			if (name != NULL)
+				free(name);
+		}
+    break;
+
+  case 20:
+#line 291 "ftpcmd.y"
+    {
+			if ((yyvsp[(3) - (3)].i))
+				send_file_list(".");
+		}
+    break;
+
+  case 21:
+#line 296 "ftpcmd.y"
+    {
+			char *name = (yyvsp[(3) - (5)].s);
+
+			if ((yyvsp[(5) - (5)].i) && name != NULL)
+				send_file_list(name);
+			if (name != NULL)
+				free(name);
+		}
+    break;
+
+  case 22:
+#line 305 "ftpcmd.y"
+    {
+		    if((yyvsp[(3) - (3)].i))
+			list_file(".");
+		}
+    break;
+
+  case 23:
+#line 310 "ftpcmd.y"
+    {
+		    if((yyvsp[(5) - (5)].i))
+			list_file((yyvsp[(3) - (5)].s));
+		    free((yyvsp[(3) - (5)].s));
+		}
+    break;
+
+  case 24:
+#line 316 "ftpcmd.y"
+    {
+			if ((yyvsp[(5) - (5)].i) && (yyvsp[(3) - (5)].s) != NULL)
+				statfilecmd((yyvsp[(3) - (5)].s));
+			if ((yyvsp[(3) - (5)].s) != NULL)
+				free((yyvsp[(3) - (5)].s));
+		}
+    break;
+
+  case 25:
+#line 323 "ftpcmd.y"
+    {
+		    if ((yyvsp[(3) - (3)].i))
+			statcmd();
+		}
+    break;
+
+  case 26:
+#line 328 "ftpcmd.y"
+    {
+			if ((yyvsp[(5) - (5)].i) && (yyvsp[(3) - (5)].s) != NULL)
+				do_delete((yyvsp[(3) - (5)].s));
+			if ((yyvsp[(3) - (5)].s) != NULL)
+				free((yyvsp[(3) - (5)].s));
+		}
+    break;
+
+  case 27:
+#line 335 "ftpcmd.y"
+    {
+			if((yyvsp[(5) - (5)].i)){
+				if (fromname) {
+					renamecmd(fromname, (yyvsp[(3) - (5)].s));
+					free(fromname);
+					fromname = (char *) 0;
+				} else {
+					reply(503, "Bad sequence of commands.");
+				}
+			}
+			if ((yyvsp[(3) - (5)].s) != NULL)
+				free((yyvsp[(3) - (5)].s));
+		}
+    break;
+
+  case 28:
+#line 349 "ftpcmd.y"
+    {
+		    if ((yyvsp[(3) - (3)].i))
+			reply(225, "ABOR command successful.");
+		}
+    break;
+
+  case 29:
+#line 354 "ftpcmd.y"
+    {
+			if ((yyvsp[(3) - (3)].i))
+				cwd(pw->pw_dir);
+		}
+    break;
+
+  case 30:
+#line 359 "ftpcmd.y"
+    {
+			if ((yyvsp[(5) - (5)].i) && (yyvsp[(3) - (5)].s) != NULL)
+				cwd((yyvsp[(3) - (5)].s));
+			if ((yyvsp[(3) - (5)].s) != NULL)
+				free((yyvsp[(3) - (5)].s));
+		}
+    break;
+
+  case 31:
+#line 366 "ftpcmd.y"
+    {
+		    if ((yyvsp[(3) - (3)].i))
+			help(cmdtab, (char *) 0);
+		}
+    break;
+
+  case 32:
+#line 371 "ftpcmd.y"
+    {
+		    if ((yyvsp[(5) - (5)].i)) {
+			char *cp = (yyvsp[(3) - (5)].s);
+
+			if (strncasecmp(cp, "SITE", 4) == 0) {
+				cp = (yyvsp[(3) - (5)].s) + 4;
+				if (*cp == ' ')
+					cp++;
+				if (*cp)
+					help(sitetab, cp);
+				else
+					help(sitetab, (char *) 0);
+			} else
+				help(cmdtab, (yyvsp[(3) - (5)].s));
+		    }
+		}
+    break;
+
+  case 33:
+#line 388 "ftpcmd.y"
+    {
+		    if ((yyvsp[(3) - (3)].i))
+			reply(200, "NOOP command successful.");
+		}
+    break;
+
+  case 34:
+#line 393 "ftpcmd.y"
+    {
+			if ((yyvsp[(5) - (5)].i) && (yyvsp[(3) - (5)].s) != NULL)
+				makedir((yyvsp[(3) - (5)].s));
+			if ((yyvsp[(3) - (5)].s) != NULL)
+				free((yyvsp[(3) - (5)].s));
+		}
+    break;
+
+  case 35:
+#line 400 "ftpcmd.y"
+    {
+			if ((yyvsp[(5) - (5)].i) && (yyvsp[(3) - (5)].s) != NULL)
+				removedir((yyvsp[(3) - (5)].s));
+			if ((yyvsp[(3) - (5)].s) != NULL)
+				free((yyvsp[(3) - (5)].s));
+		}
+    break;
+
+  case 36:
+#line 407 "ftpcmd.y"
+    {
+			if ((yyvsp[(3) - (3)].i))
+				pwd();
+		}
+    break;
+
+  case 37:
+#line 412 "ftpcmd.y"
+    {
+			if ((yyvsp[(3) - (3)].i))
+				cwd("..");
+		}
+    break;
+
+  case 38:
+#line 417 "ftpcmd.y"
+    {
+		    if ((yyvsp[(3) - (3)].i)) {
+			lreply(211, "Supported features:");
+			lreply(0, " MDTM");
+			lreply(0, " REST STREAM");
+			lreply(0, " SIZE");
+			reply(211, "End");
+		    }
+		}
+    break;
+
+  case 39:
+#line 427 "ftpcmd.y"
+    {
+		    if ((yyvsp[(5) - (5)].i))
+			reply(501, "Bad options");
+		    free ((yyvsp[(3) - (5)].s));
+		}
+    break;
+
+  case 40:
+#line 434 "ftpcmd.y"
+    {
+		    if ((yyvsp[(5) - (5)].i))
+			help(sitetab, (char *) 0);
+		}
+    break;
+
+  case 41:
+#line 439 "ftpcmd.y"
+    {
+		    if ((yyvsp[(7) - (7)].i))
+			help(sitetab, (yyvsp[(5) - (7)].s));
+		}
+    break;
+
+  case 42:
+#line 444 "ftpcmd.y"
+    {
+			if ((yyvsp[(5) - (5)].i)) {
+				int oldmask = umask(0);
+				umask(oldmask);
+				reply(200, "Current UMASK is %03o", oldmask);
+			}
+		}
+    break;
+
+  case 43:
+#line 452 "ftpcmd.y"
+    {
+			if ((yyvsp[(7) - (7)].i)) {
+				if (((yyvsp[(5) - (7)].i) == -1) || ((yyvsp[(5) - (7)].i) > 0777)) {
+					reply(501, "Bad UMASK value");
+				} else {
+					int oldmask = umask((yyvsp[(5) - (7)].i));
+					reply(200,
+					      "UMASK set to %03o (was %03o)",
+					      (yyvsp[(5) - (7)].i), oldmask);
+				}
+			}
+		}
+    break;
+
+  case 44:
+#line 465 "ftpcmd.y"
+    {
+			if ((yyvsp[(9) - (9)].i) && (yyvsp[(7) - (9)].s) != NULL) {
+				if ((yyvsp[(5) - (9)].i) > 0777)
+					reply(501,
+				"CHMOD: Mode value must be between 0 and 0777");
+				else if (chmod((yyvsp[(7) - (9)].s), (yyvsp[(5) - (9)].i)) < 0)
+					perror_reply(550, (yyvsp[(7) - (9)].s));
+				else
+					reply(200, "CHMOD command successful.");
+			}
+			if ((yyvsp[(7) - (9)].s) != NULL)
+				free((yyvsp[(7) - (9)].s));
+		}
+    break;
+
+  case 45:
+#line 479 "ftpcmd.y"
+    {
+		    if ((yyvsp[(5) - (5)].i))
+			reply(200,
+			    "Current IDLE time limit is %d seconds; max %d",
+				ftpd_timeout, maxtimeout);
+		}
+    break;
+
+  case 46:
+#line 486 "ftpcmd.y"
+    {
+		    if ((yyvsp[(7) - (7)].i)) {
+			if ((yyvsp[(5) - (7)].i) < 30 || (yyvsp[(5) - (7)].i) > maxtimeout) {
+				reply(501,
+			"Maximum IDLE time must be between 30 and %d seconds",
+				    maxtimeout);
+			} else {
+				ftpd_timeout = (yyvsp[(5) - (7)].i);
+				alarm((unsigned) ftpd_timeout);
+				reply(200,
+				    "Maximum IDLE time set to %d seconds",
+				    ftpd_timeout);
+			}
+		    }
+		}
+    break;
+
+  case 47:
+#line 503 "ftpcmd.y"
+    {
+#ifdef KRB4
+			char *p;
+			
+			if(guest)
+				reply(500, "Can't be done as guest.");
+			else{
+				if((yyvsp[(7) - (7)].i) && (yyvsp[(5) - (7)].s) != NULL){
+				    p = strpbrk((yyvsp[(5) - (7)].s), " \t");
+				    if(p){
+					*p++ = 0;
+					kauth((yyvsp[(5) - (7)].s), p + strspn(p, " \t"));
+				    }else
+					kauth((yyvsp[(5) - (7)].s), NULL);
+				}
+			}
+			if((yyvsp[(5) - (7)].s) != NULL)
+			    free((yyvsp[(5) - (7)].s));
+#else
+			reply(500, "Command not implemented.");
+#endif
+		}
+    break;
+
+  case 48:
+#line 526 "ftpcmd.y"
+    {
+		    if((yyvsp[(5) - (5)].i))
+			klist();
+		}
+    break;
+
+  case 49:
+#line 531 "ftpcmd.y"
+    {
+#ifdef KRB4
+		    if((yyvsp[(5) - (5)].i))
+			kdestroy();
+#else
+		    reply(500, "Command not implemented.");
+#endif
+		}
+    break;
+
+  case 50:
+#line 540 "ftpcmd.y"
+    {
+#ifdef KRB4
+		    if(guest)
+			reply(500, "Can't be done as guest.");
+		    else if((yyvsp[(7) - (7)].i) && (yyvsp[(5) - (7)].s))
+			krbtkfile((yyvsp[(5) - (7)].s));
+		    if((yyvsp[(5) - (7)].s))
+			free((yyvsp[(5) - (7)].s));
+#else
+		    reply(500, "Command not implemented.");
+#endif
+		}
+    break;
+
+  case 51:
+#line 553 "ftpcmd.y"
+    {
+#if defined(KRB4) || defined(KRB5)
+		    if(guest)
+			reply(500, "Can't be done as guest.");
+		    else if((yyvsp[(5) - (5)].i))
+			afslog(NULL, 0);
+#else
+		    reply(500, "Command not implemented.");
+#endif
+		}
+    break;
+
+  case 52:
+#line 564 "ftpcmd.y"
+    {
+#if defined(KRB4) || defined(KRB5)
+		    if(guest)
+			reply(500, "Can't be done as guest.");
+		    else if((yyvsp[(7) - (7)].i))
+			afslog((yyvsp[(5) - (7)].s), 0);
+		    if((yyvsp[(5) - (7)].s))
+			free((yyvsp[(5) - (7)].s));
+#else
+		    reply(500, "Command not implemented.");
+#endif
+		}
+    break;
+
+  case 53:
+#line 577 "ftpcmd.y"
+    {
+		    if((yyvsp[(7) - (7)].i) && (yyvsp[(5) - (7)].s) != NULL)
+			find((yyvsp[(5) - (7)].s));
+		    if((yyvsp[(5) - (7)].s) != NULL)
+			free((yyvsp[(5) - (7)].s));
+		}
+    break;
+
+  case 54:
+#line 584 "ftpcmd.y"
+    {
+		    if ((yyvsp[(5) - (5)].i))
+			reply(200, "http://www.pdc.kth.se/heimdal/");
+		}
+    break;
+
+  case 55:
+#line 589 "ftpcmd.y"
+    {
+			if ((yyvsp[(5) - (5)].i) && (yyvsp[(3) - (5)].s) != NULL)
+				do_store((yyvsp[(3) - (5)].s), "w", 1);
+			if ((yyvsp[(3) - (5)].s) != NULL)
+				free((yyvsp[(3) - (5)].s));
+		}
+    break;
+
+  case 56:
+#line 596 "ftpcmd.y"
+    {
+		    if ((yyvsp[(3) - (3)].i)) {
+#if !defined(WIN32) && !defined(__EMX__) && !defined(__OS2__) && !defined(__CYGWIN32__)
+			reply(215, "UNIX Type: L%d", NBBY);
+#else
+			reply(215, "UNKNOWN Type: L%d", NBBY);
+#endif
+		    }
+		}
+    break;
+
+  case 57:
+#line 614 "ftpcmd.y"
+    {
+			if ((yyvsp[(5) - (5)].i) && (yyvsp[(3) - (5)].s) != NULL)
+				sizecmd((yyvsp[(3) - (5)].s));
+			if ((yyvsp[(3) - (5)].s) != NULL)
+				free((yyvsp[(3) - (5)].s));
+		}
+    break;
+
+  case 58:
+#line 631 "ftpcmd.y"
+    {
+			if ((yyvsp[(5) - (5)].i) && (yyvsp[(3) - (5)].s) != NULL) {
+				struct stat stbuf;
+				if (stat((yyvsp[(3) - (5)].s), &stbuf) < 0)
+					reply(550, "%s: %s",
+					    (yyvsp[(3) - (5)].s), strerror(errno));
+				else if (!S_ISREG(stbuf.st_mode)) {
+					reply(550,
+					      "%s: not a plain file.", (yyvsp[(3) - (5)].s));
+				} else {
+					struct tm *t;
+					time_t mtime = stbuf.st_mtime;
+
+					t = gmtime(&mtime);
+					reply(213,
+					      "%04d%02d%02d%02d%02d%02d",
+					      t->tm_year + 1900,
+					      t->tm_mon + 1,
+					      t->tm_mday,
+					      t->tm_hour,
+					      t->tm_min,
+					      t->tm_sec);
+				}
+			}
+			if ((yyvsp[(3) - (5)].s) != NULL)
+				free((yyvsp[(3) - (5)].s));
+		}
+    break;
+
+  case 59:
+#line 659 "ftpcmd.y"
+    {
+		    if ((yyvsp[(3) - (3)].i)) {
+			reply(221, "Goodbye.");
+			dologout(0);
+		    }
+		}
+    break;
+
+  case 60:
+#line 666 "ftpcmd.y"
+    {
+			yyerrok;
+		}
+    break;
+
+  case 61:
+#line 672 "ftpcmd.y"
+    {
+			restart_point = (off_t) 0;
+			if ((yyvsp[(5) - (5)].i) && (yyvsp[(3) - (5)].s)) {
+				fromname = renamefrom((yyvsp[(3) - (5)].s));
+				if (fromname == (char *) 0 && (yyvsp[(3) - (5)].s)) {
+					free((yyvsp[(3) - (5)].s));
+				}
+			}
+		}
+    break;
+
+  case 62:
+#line 682 "ftpcmd.y"
+    {
+		    if ((yyvsp[(5) - (5)].i)) {
+			fromname = (char *) 0;
+			restart_point = (yyvsp[(3) - (5)].i);	/* XXX $3 is only "int" */
+			reply(350, "Restarting at %ld. %s",
+			      (long)restart_point,
+			      "Send STORE or RETRIEVE to initiate transfer.");
+		    }
+		}
+    break;
+
+  case 63:
+#line 692 "ftpcmd.y"
+    {
+			auth((yyvsp[(3) - (4)].s));
+			free((yyvsp[(3) - (4)].s));
+		}
+    break;
+
+  case 64:
+#line 697 "ftpcmd.y"
+    {
+			adat((yyvsp[(3) - (4)].s));
+			free((yyvsp[(3) - (4)].s));
+		}
+    break;
+
+  case 65:
+#line 702 "ftpcmd.y"
+    {
+		    if ((yyvsp[(5) - (5)].i))
+			pbsz((yyvsp[(3) - (5)].i));
+		}
+    break;
+
+  case 66:
+#line 707 "ftpcmd.y"
+    {
+		    if ((yyvsp[(5) - (5)].i))
+			prot((yyvsp[(3) - (5)].s));
+		}
+    break;
+
+  case 67:
+#line 712 "ftpcmd.y"
+    {
+		    if ((yyvsp[(3) - (3)].i))
+			ccc();
+		}
+    break;
+
+  case 68:
+#line 717 "ftpcmd.y"
+    {
+			mec((yyvsp[(3) - (4)].s), prot_safe);
+			free((yyvsp[(3) - (4)].s));
+		}
+    break;
+
+  case 69:
+#line 722 "ftpcmd.y"
+    {
+			mec((yyvsp[(3) - (4)].s), prot_confidential);
+			free((yyvsp[(3) - (4)].s));
+		}
+    break;
+
+  case 70:
+#line 727 "ftpcmd.y"
+    {
+			mec((yyvsp[(3) - (4)].s), prot_private);
+			free((yyvsp[(3) - (4)].s));
+		}
+    break;
+
+  case 72:
+#line 739 "ftpcmd.y"
+    {
+			(yyval.s) = (char *)calloc(1, sizeof(char));
+		}
+    break;
+
+  case 75:
+#line 752 "ftpcmd.y"
+    {
+			struct sockaddr_in *sin4 = (struct sockaddr_in *)data_dest;
+
+			sin4->sin_family = AF_INET;
+			sin4->sin_port = htons((yyvsp[(9) - (11)].i) * 256 + (yyvsp[(11) - (11)].i));
+			sin4->sin_addr.s_addr = 
+			    htonl(((yyvsp[(1) - (11)].i) << 24) | ((yyvsp[(3) - (11)].i) << 16) | ((yyvsp[(5) - (11)].i) << 8) | (yyvsp[(7) - (11)].i));
+		}
+    break;
+
+  case 76:
+#line 764 "ftpcmd.y"
+    {
+			(yyval.i) = FORM_N;
+		}
+    break;
+
+  case 77:
+#line 768 "ftpcmd.y"
+    {
+			(yyval.i) = FORM_T;
+		}
+    break;
+
+  case 78:
+#line 772 "ftpcmd.y"
+    {
+			(yyval.i) = FORM_C;
+		}
+    break;
+
+  case 79:
+#line 779 "ftpcmd.y"
+    {
+			cmd_type = TYPE_A;
+			cmd_form = FORM_N;
+		}
+    break;
+
+  case 80:
+#line 784 "ftpcmd.y"
+    {
+			cmd_type = TYPE_A;
+			cmd_form = (yyvsp[(3) - (3)].i);
+		}
+    break;
+
+  case 81:
+#line 789 "ftpcmd.y"
+    {
+			cmd_type = TYPE_E;
+			cmd_form = FORM_N;
+		}
+    break;
+
+  case 82:
+#line 794 "ftpcmd.y"
+    {
+			cmd_type = TYPE_E;
+			cmd_form = (yyvsp[(3) - (3)].i);
+		}
+    break;
+
+  case 83:
+#line 799 "ftpcmd.y"
+    {
+			cmd_type = TYPE_I;
+		}
+    break;
+
+  case 84:
+#line 803 "ftpcmd.y"
+    {
+			cmd_type = TYPE_L;
+			cmd_bytesz = NBBY;
+		}
+    break;
+
+  case 85:
+#line 808 "ftpcmd.y"
+    {
+			cmd_type = TYPE_L;
+			cmd_bytesz = (yyvsp[(3) - (3)].i);
+		}
+    break;
+
+  case 86:
+#line 814 "ftpcmd.y"
+    {
+			cmd_type = TYPE_L;
+			cmd_bytesz = (yyvsp[(2) - (2)].i);
+		}
+    break;
+
+  case 87:
+#line 822 "ftpcmd.y"
+    {
+			(yyval.i) = STRU_F;
+		}
+    break;
+
+  case 88:
+#line 826 "ftpcmd.y"
+    {
+			(yyval.i) = STRU_R;
+		}
+    break;
+
+  case 89:
+#line 830 "ftpcmd.y"
+    {
+			(yyval.i) = STRU_P;
+		}
+    break;
+
+  case 90:
+#line 837 "ftpcmd.y"
+    {
+			(yyval.i) = MODE_S;
+		}
+    break;
+
+  case 91:
+#line 841 "ftpcmd.y"
+    {
+			(yyval.i) = MODE_B;
+		}
+    break;
+
+  case 92:
+#line 845 "ftpcmd.y"
+    {
+			(yyval.i) = MODE_C;
+		}
+    break;
+
+  case 93:
+#line 852 "ftpcmd.y"
+    {
+			/*
+			 * Problem: this production is used for all pathname
+			 * processing, but only gives a 550 error reply.
+			 * This is a valid reply in some cases but not in others.
+			 */
+			if (logged_in && (yyvsp[(1) - (1)].s) && *(yyvsp[(1) - (1)].s) == '~') {
+				glob_t gl;
+				int flags =
+				 GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
+
+				memset(&gl, 0, sizeof(gl));
+				if (glob((yyvsp[(1) - (1)].s), flags, NULL, &gl) ||
+				    gl.gl_pathc == 0) {
+					reply(550, "not found");
+					(yyval.s) = NULL;
+				} else {
+					(yyval.s) = strdup(gl.gl_pathv[0]);
+				}
+				globfree(&gl);
+				free((yyvsp[(1) - (1)].s));
+			} else
+				(yyval.s) = (yyvsp[(1) - (1)].s);
+		}
+    break;
+
+  case 95:
+#line 884 "ftpcmd.y"
+    {
+			int ret, dec, multby, digit;
+
+			/*
+			 * Convert a number that was read as decimal number
+			 * to what it would be if it had been read as octal.
+			 */
+			dec = (yyvsp[(1) - (1)].i);
+			multby = 1;
+			ret = 0;
+			while (dec) {
+				digit = dec%10;
+				if (digit > 7) {
+					ret = -1;
+					break;
+				}
+				ret += digit * multby;
+				multby *= 8;
+				dec /= 10;
+			}
+			(yyval.i) = ret;
+		}
+    break;
+
+  case 96:
+#line 910 "ftpcmd.y"
+    {
+			(yyval.i) = (yyvsp[(1) - (1)].i) && !guest;
+			if((yyvsp[(1) - (1)].i) && !(yyval.i))
+				reply(550, "Permission denied");
+		}
+    break;
+
+  case 97:
+#line 918 "ftpcmd.y"
+    {
+		    if((yyvsp[(1) - (1)].i)) {
+			if(((yyval.i) = logged_in) == 0)
+			    reply(530, "Please login with USER and PASS.");
+		    } else
+			(yyval.i) = 0;
+		}
+    break;
+
+  case 98:
+#line 928 "ftpcmd.y"
+    {
+		    (yyval.i) = 1;
+		    if(sec_complete && !ccc_passed && !secure_command()) {
+			(yyval.i) = 0;
+			reply(533, "Command protection level denied "
+			      "for paranoid reasons.");
+		    }
+		}
+    break;
+
+
+/* Line 1267 of yacc.c.  */
+#line 2778 "ftpcmd.c"
+      default: break;
+    }
+  YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
+
+  YYPOPSTACK (yylen);
+  yylen = 0;
+  YY_STACK_PRINT (yyss, yyssp);
+
+  *++yyvsp = yyval;
+
+
+  /* Now `shift' the result of the reduction.  Determine what state
+     that goes to, based on the state we popped back to and the rule
+     number reduced by.  */
+
+  yyn = yyr1[yyn];
+
+  yystate = yypgoto[yyn - YYNTOKENS] + *yyssp;
+  if (0 <= yystate && yystate <= YYLAST && yycheck[yystate] == *yyssp)
+    yystate = yytable[yystate];
+  else
+    yystate = yydefgoto[yyn - YYNTOKENS];
+
+  goto yynewstate;
+
+
+/*------------------------------------.
+| yyerrlab -- here on detecting error |
+`------------------------------------*/
+yyerrlab:
+  /* If not already recovering from an error, report this error.  */
+  if (!yyerrstatus)
+    {
+      ++yynerrs;
+#if ! YYERROR_VERBOSE
+      yyerror (YY_("syntax error"));
+#else
+      {
+	YYSIZE_T yysize = yysyntax_error (0, yystate, yychar);
+	if (yymsg_alloc < yysize && yymsg_alloc < YYSTACK_ALLOC_MAXIMUM)
+	  {
+	    YYSIZE_T yyalloc = 2 * yysize;
+	    if (! (yysize <= yyalloc && yyalloc <= YYSTACK_ALLOC_MAXIMUM))
+	      yyalloc = YYSTACK_ALLOC_MAXIMUM;
+	    if (yymsg != yymsgbuf)
+	      YYSTACK_FREE (yymsg);
+	    yymsg = (char *) YYSTACK_ALLOC (yyalloc);
+	    if (yymsg)
+	      yymsg_alloc = yyalloc;
+	    else
+	      {
+		yymsg = yymsgbuf;
+		yymsg_alloc = sizeof yymsgbuf;
+	      }
+	  }
+
+	if (0 < yysize && yysize <= yymsg_alloc)
+	  {
+	    (void) yysyntax_error (yymsg, yystate, yychar);
+	    yyerror (yymsg);
+	  }
+	else
+	  {
+	    yyerror (YY_("syntax error"));
+	    if (yysize != 0)
+	      goto yyexhaustedlab;
+	  }
+      }
+#endif
+    }
+
+
+
+  if (yyerrstatus == 3)
+    {
+      /* If just tried and failed to reuse look-ahead token after an
+	 error, discard it.  */
+
+      if (yychar <= YYEOF)
+	{
+	  /* Return failure if at end of input.  */
+	  if (yychar == YYEOF)
+	    YYABORT;
+	}
+      else
+	{
+	  yydestruct ("Error: discarding",
+		      yytoken, &yylval);
+	  yychar = YYEMPTY;
+	}
+    }
+
+  /* Else will try to reuse look-ahead token after shifting the error
+     token.  */
+  goto yyerrlab1;
+
+
+/*---------------------------------------------------.
+| yyerrorlab -- error raised explicitly by YYERROR.  |
+`---------------------------------------------------*/
+yyerrorlab:
+
+  /* Pacify compilers like GCC when the user code never invokes
+     YYERROR and the label yyerrorlab therefore never appears in user
+     code.  */
+  if (/*CONSTCOND*/ 0)
+     goto yyerrorlab;
+
+  /* Do not reclaim the symbols of the rule which action triggered
+     this YYERROR.  */
+  YYPOPSTACK (yylen);
+  yylen = 0;
+  YY_STACK_PRINT (yyss, yyssp);
+  yystate = *yyssp;
+  goto yyerrlab1;
+
+
+/*-------------------------------------------------------------.
+| yyerrlab1 -- common code for both syntax error and YYERROR.  |
+`-------------------------------------------------------------*/
+yyerrlab1:
+  yyerrstatus = 3;	/* Each real token shifted decrements this.  */
+
+  for (;;)
+    {
+      yyn = yypact[yystate];
+      if (yyn != YYPACT_NINF)
+	{
+	  yyn += YYTERROR;
+	  if (0 <= yyn && yyn <= YYLAST && yycheck[yyn] == YYTERROR)
+	    {
+	      yyn = yytable[yyn];
+	      if (0 < yyn)
+		break;
+	    }
+	}
+
+      /* Pop the current state because it cannot handle the error token.  */
+      if (yyssp == yyss)
+	YYABORT;
+
+
+      yydestruct ("Error: popping",
+		  yystos[yystate], yyvsp);
+      YYPOPSTACK (1);
+      yystate = *yyssp;
+      YY_STACK_PRINT (yyss, yyssp);
+    }
+
+  if (yyn == YYFINAL)
+    YYACCEPT;
+
+  *++yyvsp = yylval;
+
+
+  /* Shift the error token.  */
+  YY_SYMBOL_PRINT ("Shifting", yystos[yyn], yyvsp, yylsp);
+
+  yystate = yyn;
+  goto yynewstate;
+
+
+/*-------------------------------------.
+| yyacceptlab -- YYACCEPT comes here.  |
+`-------------------------------------*/
+yyacceptlab:
+  yyresult = 0;
+  goto yyreturn;
+
+/*-----------------------------------.
+| yyabortlab -- YYABORT comes here.  |
+`-----------------------------------*/
+yyabortlab:
+  yyresult = 1;
+  goto yyreturn;
+
+#ifndef yyoverflow
+/*-------------------------------------------------.
+| yyexhaustedlab -- memory exhaustion comes here.  |
+`-------------------------------------------------*/
+yyexhaustedlab:
+  yyerror (YY_("memory exhausted"));
+  yyresult = 2;
+  /* Fall through.  */
+#endif
+
+yyreturn:
+  if (yychar != YYEOF && yychar != YYEMPTY)
+     yydestruct ("Cleanup: discarding lookahead",
+		 yytoken, &yylval);
+  /* Do not reclaim the symbols of the rule which action triggered
+     this YYABORT or YYACCEPT.  */
+  YYPOPSTACK (yylen);
+  YY_STACK_PRINT (yyss, yyssp);
+  while (yyssp != yyss)
+    {
+      yydestruct ("Cleanup: popping",
+		  yystos[*yyssp], yyvsp);
+      YYPOPSTACK (1);
+    }
+#ifndef yyoverflow
+  if (yyss != yyssa)
+    YYSTACK_FREE (yyss);
+#endif
+#if YYERROR_VERBOSE
+  if (yymsg != yymsgbuf)
+    YYSTACK_FREE (yymsg);
+#endif
+  /* Make sure YYID is used.  */
+  return YYID (yyresult);
+}
+
+
+#line 938 "ftpcmd.y"
+
+
+#define	CMD	0	/* beginning of command */
+#define	ARGS	1	/* expect miscellaneous arguments */
+#define	STR1	2	/* expect SP followed by STRING */
+#define	STR2	3	/* expect STRING */
+#define	OSTR	4	/* optional SP then STRING */
+#define	ZSTR1	5	/* SP then optional STRING */
+#define	ZSTR2	6	/* optional STRING after SP */
+#define	SITECMD	7	/* SITE command */
+#define	NSTR	8	/* Number followed by a string */
+
+struct tab cmdtab[] = {		/* In order defined in RFC 765 */
+	{ "USER", USER, STR1, 1,	"<sp> username" },
+	{ "PASS", PASS, ZSTR1, 1,	"<sp> password" },
+	{ "ACCT", ACCT, STR1, 0,	"(specify account)" },
+	{ "SMNT", SMNT, ARGS, 0,	"(structure mount)" },
+	{ "REIN", REIN, ARGS, 0,	"(reinitialize server state)" },
+	{ "QUIT", QUIT, ARGS, 1,	"(terminate service)", },
+	{ "PORT", PORT, ARGS, 1,	"<sp> b0, b1, b2, b3, b4" },
+	{ "EPRT", EPRT, STR1, 1,	"<sp> string" },
+	{ "PASV", PASV, ARGS, 1,	"(set server in passive mode)" },
+	{ "EPSV", EPSV, OSTR, 1,	"[<sp> foo]" },
+	{ "TYPE", TYPE, ARGS, 1,	"<sp> [ A | E | I | L ]" },
+	{ "STRU", STRU, ARGS, 1,	"(specify file structure)" },
+	{ "MODE", MODE, ARGS, 1,	"(specify transfer mode)" },
+	{ "RETR", RETR, STR1, 1,	"<sp> file-name" },
+	{ "STOR", STOR, STR1, 1,	"<sp> file-name" },
+	{ "APPE", APPE, STR1, 1,	"<sp> file-name" },
+	{ "MLFL", MLFL, OSTR, 0,	"(mail file)" },
+	{ "MAIL", MAIL, OSTR, 0,	"(mail to user)" },
+	{ "MSND", MSND, OSTR, 0,	"(mail send to terminal)" },
+	{ "MSOM", MSOM, OSTR, 0,	"(mail send to terminal or mailbox)" },
+	{ "MSAM", MSAM, OSTR, 0,	"(mail send to terminal and mailbox)" },
+	{ "MRSQ", MRSQ, OSTR, 0,	"(mail recipient scheme question)" },
+	{ "MRCP", MRCP, STR1, 0,	"(mail recipient)" },
+	{ "ALLO", ALLO, ARGS, 1,	"allocate storage (vacuously)" },
+	{ "REST", REST, ARGS, 1,	"<sp> offset (restart command)" },
+	{ "RNFR", RNFR, STR1, 1,	"<sp> file-name" },
+	{ "RNTO", RNTO, STR1, 1,	"<sp> file-name" },
+	{ "ABOR", ABOR, ARGS, 1,	"(abort operation)" },
+	{ "DELE", DELE, STR1, 1,	"<sp> file-name" },
+	{ "CWD",  CWD,  OSTR, 1,	"[ <sp> directory-name ]" },
+	{ "XCWD", CWD,	OSTR, 1,	"[ <sp> directory-name ]" },
+	{ "LIST", LIST, OSTR, 1,	"[ <sp> path-name ]" },
+	{ "NLST", NLST, OSTR, 1,	"[ <sp> path-name ]" },
+	{ "SITE", SITE, SITECMD, 1,	"site-cmd [ <sp> arguments ]" },
+	{ "SYST", SYST, ARGS, 1,	"(get type of operating system)" },
+	{ "STAT", sTAT, OSTR, 1,	"[ <sp> path-name ]" },
+	{ "HELP", HELP, OSTR, 1,	"[ <sp> <string> ]" },
+	{ "NOOP", NOOP, ARGS, 1,	"" },
+	{ "MKD",  MKD,  STR1, 1,	"<sp> path-name" },
+	{ "XMKD", MKD,  STR1, 1,	"<sp> path-name" },
+	{ "RMD",  RMD,  STR1, 1,	"<sp> path-name" },
+	{ "XRMD", RMD,  STR1, 1,	"<sp> path-name" },
+	{ "PWD",  PWD,  ARGS, 1,	"(return current directory)" },
+	{ "XPWD", PWD,  ARGS, 1,	"(return current directory)" },
+	{ "CDUP", CDUP, ARGS, 1,	"(change to parent directory)" },
+	{ "XCUP", CDUP, ARGS, 1,	"(change to parent directory)" },
+	{ "STOU", STOU, STR1, 1,	"<sp> file-name" },
+	{ "SIZE", SIZE, OSTR, 1,	"<sp> path-name" },
+	{ "MDTM", MDTM, OSTR, 1,	"<sp> path-name" },
+
+	/* extensions from RFC2228 */
+	{ "AUTH", AUTH,	STR1, 1,	"<sp> auth-type" },
+	{ "ADAT", ADAT,	STR1, 1,	"<sp> auth-data" },
+	{ "PBSZ", PBSZ,	ARGS, 1,	"<sp> buffer-size" },
+	{ "PROT", PROT,	STR1, 1,	"<sp> prot-level" },
+	{ "CCC",  CCC,	ARGS, 1,	"" },
+	{ "MIC",  MIC,	STR1, 1,	"<sp> integrity command" },
+	{ "CONF", CONF,	STR1, 1,	"<sp> confidentiality command" },
+	{ "ENC",  ENC,	STR1, 1,	"<sp> privacy command" },
+
+	/* RFC2389 */
+	{ "FEAT", FEAT, ARGS, 1,	"" },
+	{ "OPTS", OPTS, ARGS, 1,	"<sp> command [<sp> options]" },
+
+	{ NULL,   0,    0,    0,	0 }
+};
+
+struct tab sitetab[] = {
+	{ "UMASK", UMASK, ARGS, 1,	"[ <sp> umask ]" },
+	{ "IDLE", IDLE, ARGS, 1,	"[ <sp> maximum-idle-time ]" },
+	{ "CHMOD", CHMOD, NSTR, 1,	"<sp> mode <sp> file-name" },
+	{ "HELP", HELP, OSTR, 1,	"[ <sp> <string> ]" },
+
+	{ "KAUTH", KAUTH, STR1, 1,	"<sp> principal [ <sp> ticket ]" },
+	{ "KLIST", KLIST, ARGS, 1,	"(show ticket file)" },
+	{ "KDESTROY", KDESTROY, ARGS, 1, "(destroy tickets)" },
+	{ "KRBTKFILE", KRBTKFILE, STR1, 1, "<sp> ticket-file" },
+	{ "AFSLOG", AFSLOG, OSTR, 1,	"[<sp> cell]" },
+
+	{ "LOCATE", LOCATE, STR1, 1,	"<sp> globexpr" },
+	{ "FIND", LOCATE, STR1, 1,	"<sp> globexpr" },
+
+	{ "URL",  URL,  ARGS, 1,	"?" },
+	
+	{ NULL,   0,    0,    0,	0 }
+};
+
+static struct tab *
+lookup(struct tab *p, char *cmd)
+{
+
+	for (; p->name != NULL; p++)
+		if (strcmp(cmd, p->name) == 0)
+			return (p);
+	return (0);
+}
+
+/*
+ * ftpd_getline - a hacked up version of fgets to ignore TELNET escape codes.
+ */
+char *
+ftpd_getline(char *s, int n)
+{
+	int c;
+	char *cs;
+
+	cs = s;
+
+	/* might still be data within the security MIC/CONF/ENC */
+	if(ftp_command){
+	    strlcpy(s, ftp_command, n);
+	    if (debug)
+		syslog(LOG_DEBUG, "command: %s", s);
+	    return s;
+	}
+	while ((c = getc(stdin)) != EOF) {
+		c &= 0377;
+		if (c == IAC) {
+		    if ((c = getc(stdin)) != EOF) {
+			c &= 0377;
+			switch (c) {
+			case WILL:
+			case WONT:
+				c = getc(stdin);
+				printf("%c%c%c", IAC, DONT, 0377&c);
+				fflush(stdout);
+				continue;
+			case DO:
+			case DONT:
+				c = getc(stdin);
+				printf("%c%c%c", IAC, WONT, 0377&c);
+				fflush(stdout);
+				continue;
+			case IAC:
+				break;
+			default:
+				continue;	/* ignore command */
+			}
+		    }
+		}
+		*cs++ = c;
+		if (--n <= 0 || c == '\n')
+			break;
+	}
+	if (c == EOF && cs == s)
+		return (NULL);
+	*cs++ = '\0';
+	if (debug) {
+		if (!guest && strncasecmp("pass ", s, 5) == 0) {
+			/* Don't syslog passwords */
+			syslog(LOG_DEBUG, "command: %.5s ???", s);
+		} else {
+			char *cp;
+			int len;
+
+			/* Don't syslog trailing CR-LF */
+			len = strlen(s);
+			cp = s + len - 1;
+			while (cp >= s && (*cp == '\n' || *cp == '\r')) {
+				--cp;
+				--len;
+			}
+			syslog(LOG_DEBUG, "command: %.*s", len, s);
+		}
+	}
+#ifdef XXX
+	fprintf(stderr, "%s\n", s);
+#endif
+	return (s);
+}
+
+static RETSIGTYPE
+toolong(int signo)
+{
+
+	reply(421,
+	    "Timeout (%d seconds): closing control connection.",
+	      ftpd_timeout);
+	if (logging)
+		syslog(LOG_INFO, "User %s timed out after %d seconds",
+		    (pw ? pw -> pw_name : "unknown"), ftpd_timeout);
+	dologout(1);
+	SIGRETURN(0);
+}
+
+static int
+yylex(void)
+{
+	static int cpos, state;
+	char *cp, *cp2;
+	struct tab *p;
+	int n;
+	char c;
+
+	for (;;) {
+		switch (state) {
+
+		case CMD:
+			hasyyerrored = 0;
+
+			signal(SIGALRM, toolong);
+			alarm((unsigned) ftpd_timeout);
+			if (ftpd_getline(cbuf, sizeof(cbuf)-1) == NULL) {
+				reply(221, "You could at least say goodbye.");
+				dologout(0);
+			}
+			alarm(0);
+#ifdef HAVE_SETPROCTITLE
+			if (strncasecmp(cbuf, "PASS", 4) != 0)
+				setproctitle("%s: %s", proctitle, cbuf);
+#endif /* HAVE_SETPROCTITLE */
+			if ((cp = strchr(cbuf, '\r'))) {
+				*cp++ = '\n';
+				*cp = '\0';
+			}
+			if ((cp = strpbrk(cbuf, " \n")))
+				cpos = cp - cbuf;
+			if (cpos == 0)
+				cpos = 4;
+			c = cbuf[cpos];
+			cbuf[cpos] = '\0';
+			strupr(cbuf);
+			p = lookup(cmdtab, cbuf);
+			cbuf[cpos] = c;
+			if (p != 0) {
+				if (p->implemented == 0) {
+					nack(p->name);
+					hasyyerrored = 1;
+					break;
+				}
+				state = p->state;
+				yylval.s = p->name;
+				return (p->token);
+			}
+			break;
+
+		case SITECMD:
+			if (cbuf[cpos] == ' ') {
+				cpos++;
+				return (SP);
+			}
+			cp = &cbuf[cpos];
+			if ((cp2 = strpbrk(cp, " \n")))
+				cpos = cp2 - cbuf;
+			c = cbuf[cpos];
+			cbuf[cpos] = '\0';
+			strupr(cp);
+			p = lookup(sitetab, cp);
+			cbuf[cpos] = c;
+			if (p != 0) {
+				if (p->implemented == 0) {
+					state = CMD;
+					nack(p->name);
+					hasyyerrored = 1;
+					break;
+				}
+				state = p->state;
+				yylval.s = p->name;
+				return (p->token);
+			}
+			state = CMD;
+			break;
+
+		case OSTR:
+			if (cbuf[cpos] == '\n') {
+				state = CMD;
+				return (CRLF);
+			}
+			/* FALLTHROUGH */
+
+		case STR1:
+		case ZSTR1:
+		dostr1:
+			if (cbuf[cpos] == ' ') {
+				cpos++;
+				if(state == OSTR)
+				    state = STR2;
+				else
+				    state++;
+				return (SP);
+			}
+			break;
+
+		case ZSTR2:
+			if (cbuf[cpos] == '\n') {
+				state = CMD;
+				return (CRLF);
+			}
+			/* FALLTHROUGH */
+
+		case STR2:
+			cp = &cbuf[cpos];
+			n = strlen(cp);
+			cpos += n - 1;
+			/*
+			 * Make sure the string is nonempty and \n terminated.
+			 */
+			if (n > 1 && cbuf[cpos] == '\n') {
+				cbuf[cpos] = '\0';
+				yylval.s = copy(cp);
+				cbuf[cpos] = '\n';
+				state = ARGS;
+				return (STRING);
+			}
+			break;
+
+		case NSTR:
+			if (cbuf[cpos] == ' ') {
+				cpos++;
+				return (SP);
+			}
+			if (isdigit((unsigned char)cbuf[cpos])) {
+				cp = &cbuf[cpos];
+				while (isdigit((unsigned char)cbuf[++cpos]))
+					;
+				c = cbuf[cpos];
+				cbuf[cpos] = '\0';
+				yylval.i = atoi(cp);
+				cbuf[cpos] = c;
+				state = STR1;
+				return (NUMBER);
+			}
+			state = STR1;
+			goto dostr1;
+
+		case ARGS:
+			if (isdigit((unsigned char)cbuf[cpos])) {
+				cp = &cbuf[cpos];
+				while (isdigit((unsigned char)cbuf[++cpos]))
+					;
+				c = cbuf[cpos];
+				cbuf[cpos] = '\0';
+				yylval.i = atoi(cp);
+				cbuf[cpos] = c;
+				return (NUMBER);
+			}
+			switch (cbuf[cpos++]) {
+
+			case '\n':
+				state = CMD;
+				return (CRLF);
+
+			case ' ':
+				return (SP);
+
+			case ',':
+				return (COMMA);
+
+			case 'A':
+			case 'a':
+				return (A);
+
+			case 'B':
+			case 'b':
+				return (B);
+
+			case 'C':
+			case 'c':
+				return (C);
+
+			case 'E':
+			case 'e':
+				return (E);
+
+			case 'F':
+			case 'f':
+				return (F);
+
+			case 'I':
+			case 'i':
+				return (I);
+
+			case 'L':
+			case 'l':
+				return (L);
+
+			case 'N':
+			case 'n':
+				return (N);
+
+			case 'P':
+			case 'p':
+				return (P);
+
+			case 'R':
+			case 'r':
+				return (R);
+
+			case 'S':
+			case 's':
+				return (S);
+
+			case 'T':
+			case 't':
+				return (T);
+
+			}
+			break;
+
+		default:
+			fatal("Unknown state in scanner.");
+		}
+		yyerror(NULL);
+		state = CMD;
+		return (0);
+	}
+}
+
+/* ARGSUSED */
+void
+yyerror(char *s)
+{
+	char *cp;
+
+	if (hasyyerrored)
+	    return;
+
+	if ((cp = strchr(cbuf,'\n')))
+		*cp = '\0';
+	reply(500, "'%s': command not understood.", cbuf);
+	hasyyerrored = 1;
+}
+
+static char *
+copy(char *s)
+{
+	char *p;
+
+	p = strdup(s);
+	if (p == NULL)
+		fatal("Ran out of memory.");
+	return p;
+}
+
+static void
+help(struct tab *ctab, char *s)
+{
+	struct tab *c;
+	int width, NCMDS;
+	char *t;
+	char buf[1024];
+
+	if (ctab == sitetab)
+		t = "SITE ";
+	else
+		t = "";
+	width = 0, NCMDS = 0;
+	for (c = ctab; c->name != NULL; c++) {
+		int len = strlen(c->name);
+
+		if (len > width)
+			width = len;
+		NCMDS++;
+	}
+	width = (width + 8) &~ 7;
+	if (s == 0) {
+		int i, j, w;
+		int columns, lines;
+
+		lreply(214, "The following %scommands are recognized %s.",
+		    t, "(* =>'s unimplemented)");
+		columns = 76 / width;
+		if (columns == 0)
+			columns = 1;
+		lines = (NCMDS + columns - 1) / columns;
+		for (i = 0; i < lines; i++) {
+		    strlcpy (buf, "   ", sizeof(buf));
+		    for (j = 0; j < columns; j++) {
+			c = ctab + j * lines + i;
+			snprintf (buf + strlen(buf),
+				  sizeof(buf) - strlen(buf),
+				  "%s%c",
+				  c->name,
+				  c->implemented ? ' ' : '*');
+			if (c + lines >= &ctab[NCMDS])
+			    break;
+			w = strlen(c->name) + 1;
+			while (w < width) {
+			    strlcat (buf,
+					     " ",
+					     sizeof(buf));
+			    w++;
+			}
+		    }
+		    lreply(214, "%s", buf);
+		}
+		reply(214, "Direct comments to kth-krb-bugs@pdc.kth.se");
+		return;
+	}
+	strupr(s);
+	c = lookup(ctab, s);
+	if (c == (struct tab *)0) {
+		reply(502, "Unknown command %s.", s);
+		return;
+	}
+	if (c->implemented)
+		reply(214, "Syntax: %s%s %s", t, c->name, c->help);
+	else
+		reply(214, "%s%-*s\t%s; unimplemented.", t, width,
+		    c->name, c->help);
+}
+
+static void
+sizecmd(char *filename)
+{
+	switch (type) {
+	case TYPE_L:
+	case TYPE_I: {
+		struct stat stbuf;
+		if (stat(filename, &stbuf) < 0 || !S_ISREG(stbuf.st_mode))
+			reply(550, "%s: not a plain file.", filename);
+		else
+			reply(213, "%lu", (unsigned long)stbuf.st_size);
+		break;
+	}
+	case TYPE_A: {
+		FILE *fin;
+		int c;
+		size_t count;
+		struct stat stbuf;
+		fin = fopen(filename, "r");
+		if (fin == NULL) {
+			perror_reply(550, filename);
+			return;
+		}
+		if (fstat(fileno(fin), &stbuf) < 0 || !S_ISREG(stbuf.st_mode)) {
+			reply(550, "%s: not a plain file.", filename);
+			fclose(fin);
+			return;
+		}
+
+		count = 0;
+		while((c=getc(fin)) != EOF) {
+			if (c == '\n')	/* will get expanded to \r\n */
+				count++;
+			count++;
+		}
+		fclose(fin);
+
+		reply(213, "%lu", (unsigned long)count);
+		break;
+	}
+	default:
+		reply(504, "SIZE not implemented for Type %c.", "?AEIL"[type]);
+	}
+}
+
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpcmd.y b/crypto/heimdal/appl/ftp/ftpd/ftpcmd.y
index 9c5fa4c..963a6a0 100644
--- a/crypto/heimdal/appl/ftp/ftpd/ftpcmd.y
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpcmd.y
@@ -43,7 +43,7 @@
 %{
 
 #include "ftpd_locl.h"
-RCSID("$Id: ftpcmd.y,v 1.61.10.2 2004/08/20 15:15:46 lha Exp $");
+RCSID("$Id: ftpcmd.y 15677 2005-07-19 18:33:08Z lha $");
 
 off_t	restart_point;
 
@@ -137,30 +137,35 @@ cmd_list
 	;
 
 cmd
-	: USER SP username CRLF
+	: USER SP username CRLF check_secure
 		{
+		    if ($5)
 			user($3);
-			free($3);
+		    free($3);
 		}
-	| PASS SP password CRLF
+	| PASS SP password CRLF check_secure
 		{
+		    if ($5)
 			pass($3);
-			memset ($3, 0, strlen($3));
-			free($3);
+		    memset ($3, 0, strlen($3));
+		    free($3);
 		}
-	| PORT SP host_port CRLF
+	| PORT SP host_port CRLF check_secure
 		{
+		    if ($5) {
 			usedefault = 0;
 			if (pdata >= 0) {
 				close(pdata);
 				pdata = -1;
 			}
 			reply(200, "PORT command successful.");
+		    }
 		}
-	| EPRT SP STRING CRLF
+	| EPRT SP STRING CRLF check_secure
 		{
+		    if ($5)
 			eprt ($3);
-			free ($3);
+		    free ($3);
 		}
 	| PASV CRLF check_login
 		{
@@ -178,8 +183,9 @@ cmd
 			epsv ($3);
 		    free ($3);
 		}
-	| TYPE SP type_code CRLF
+	| TYPE SP type_code CRLF check_secure
 		{
+		    if ($5) {
 			switch (cmd_type) {
 
 			case TYPE_A:
@@ -212,9 +218,11 @@ cmd
 				UNIMPLEMENTED for NBBY != 8
 #endif /* NBBY == 8 */
 			}
+		    }
 		}
-	| STRU SP struct_code CRLF
+	| STRU SP struct_code CRLF check_secure
 		{
+		    if ($5) {
 			switch ($3) {
 
 			case STRU_F:
@@ -224,9 +232,11 @@ cmd
 			default:
 				reply(504, "Unimplemented STRU type.");
 			}
+		    }
 		}
-	| MODE SP mode_code CRLF
+	| MODE SP mode_code CRLF check_secure
 		{
+		    if ($5) {
 			switch ($3) {
 
 			case MODE_S:
@@ -236,14 +246,19 @@ cmd
 			default:
 				reply(502, "Unimplemented MODE type.");
 			}
+		    }
 		}
-	| ALLO SP NUMBER CRLF
+	| ALLO SP NUMBER CRLF check_secure
 		{
+		    if ($5) {
 			reply(202, "ALLO command ignored.");
+		    }
 		}
-	| ALLO SP NUMBER SP R SP NUMBER CRLF
+	| ALLO SP NUMBER SP R SP NUMBER CRLF check_secure
 		{
+		    if ($9) {
 			reply(202, "ALLO command ignored.");
+		    }
 		}
 	| RETR SP pathname CRLF check_login
 		{
@@ -304,10 +319,11 @@ cmd
 			if ($3 != NULL)
 				free($3);
 		}
-	| sTAT CRLF
+	| sTAT CRLF check_secure
 		{
+		    if ($3)
 			statcmd();
-	}
+		}
 	| DELE SP pathname CRLF check_login_no_guest
 		{
 			if ($5 && $3 != NULL)
@@ -329,8 +345,9 @@ cmd
 			if ($3 != NULL)
 				free($3);
 		}
-	| ABOR CRLF
+	| ABOR CRLF check_secure
 		{
+		    if ($3)
 			reply(225, "ABOR command successful.");
 		}
 	| CWD CRLF check_login
@@ -345,12 +362,14 @@ cmd
 			if ($3 != NULL)
 				free($3);
 		}
-	| HELP CRLF
+	| HELP CRLF check_secure
 		{
+		    if ($3)
 			help(cmdtab, (char *) 0);
 		}
-	| HELP SP STRING CRLF
+	| HELP SP STRING CRLF check_secure
 		{
+		    if ($5) {
 			char *cp = $3;
 
 			if (strncasecmp(cp, "SITE", 4) == 0) {
@@ -363,9 +382,11 @@ cmd
 					help(sitetab, (char *) 0);
 			} else
 				help(cmdtab, $3);
+		    }
 		}
-	| NOOP CRLF
+	| NOOP CRLF check_secure
 		{
+		    if ($3)
 			reply(200, "NOOP command successful.");
 		}
 	| MKD SP pathname CRLF check_login
@@ -392,26 +413,31 @@ cmd
 			if ($3)
 				cwd("..");
 		}
-	| FEAT CRLF
+	| FEAT CRLF check_secure
 		{
+		    if ($3) {
 			lreply(211, "Supported features:");
 			lreply(0, " MDTM");
 			lreply(0, " REST STREAM");
 			lreply(0, " SIZE");
 			reply(211, "End");
+		    }
 		}
-	| OPTS SP STRING CRLF
+	| OPTS SP STRING CRLF check_secure
 		{
-			free ($3);
+		    if ($5)
 			reply(501, "Bad options");
+		    free ($3);
 		}
 
-	| SITE SP HELP CRLF
+	| SITE SP HELP CRLF check_secure
 		{
+		    if ($5)
 			help(sitetab, (char *) 0);
 		}
-	| SITE SP HELP SP STRING CRLF
+	| SITE SP HELP SP STRING CRLF check_secure
 		{
+		    if ($7)
 			help(sitetab, $5);
 		}
 	| SITE SP UMASK CRLF check_login
@@ -449,14 +475,16 @@ cmd
 			if ($7 != NULL)
 				free($7);
 		}
-	| SITE SP IDLE CRLF
+	| SITE SP IDLE CRLF check_secure
 		{
+		    if ($5)
 			reply(200,
 			    "Current IDLE time limit is %d seconds; max %d",
 				ftpd_timeout, maxtimeout);
 		}
-	| SITE SP IDLE SP NUMBER CRLF
+	| SITE SP IDLE SP NUMBER CRLF check_secure
 		{
+		    if ($7) {
 			if ($5 < 30 || $5 > maxtimeout) {
 				reply(501,
 			"Maximum IDLE time must be between 30 and %d seconds",
@@ -468,6 +496,7 @@ cmd
 				    "Maximum IDLE time set to %d seconds",
 				    ftpd_timeout);
 			}
+		    }
 		}
 
 	| SITE SP KAUTH SP STRING CRLF check_login
@@ -495,12 +524,8 @@ cmd
 		}
 	| SITE SP KLIST CRLF check_login
 		{
-#ifdef KRB4
 		    if($5)
 			klist();
-#else
-		    reply(500, "Command not implemented.");
-#endif
 		}
 	| SITE SP KDESTROY CRLF check_login
 		{
@@ -526,22 +551,22 @@ cmd
 		}
 	| SITE SP AFSLOG CRLF check_login
 		{
-#ifdef KRB4
+#if defined(KRB4) || defined(KRB5)
 		    if(guest)
 			reply(500, "Can't be done as guest.");
 		    else if($5)
-			afslog(NULL);
+			afslog(NULL, 0);
 #else
 		    reply(500, "Command not implemented.");
 #endif
 		}
 	| SITE SP AFSLOG SP STRING CRLF check_login
 		{
-#ifdef KRB4
+#if defined(KRB4) || defined(KRB5)
 		    if(guest)
 			reply(500, "Can't be done as guest.");
 		    else if($7)
-			afslog($5);
+			afslog($5, 0);
 		    if($5)
 			free($5);
 #else
@@ -555,9 +580,10 @@ cmd
 		    if($5 != NULL)
 			free($5);
 		}
-	| SITE SP URL CRLF
+	| SITE SP URL CRLF check_secure
 		{
-			reply(200, "http://www.pdc.kth.se/kth-krb/");
+		    if ($5)
+			reply(200, "http://www.pdc.kth.se/heimdal/");
 		}
 	| STOU SP pathname CRLF check_login
 		{
@@ -566,13 +592,15 @@ cmd
 			if ($3 != NULL)
 				free($3);
 		}
-	| SYST CRLF
+	| SYST CRLF check_secure
 		{
+		    if ($3) {
 #if !defined(WIN32) && !defined(__EMX__) && !defined(__OS2__) && !defined(__CYGWIN32__)
-		    reply(215, "UNIX Type: L%d", NBBY);
+			reply(215, "UNIX Type: L%d", NBBY);
 #else
-		    reply(215, "UNKNOWN Type: L%d", NBBY);
+			reply(215, "UNKNOWN Type: L%d", NBBY);
 #endif
+		    }
 		}
 
 		/*
@@ -627,10 +655,12 @@ cmd
 			if ($3 != NULL)
 				free($3);
 		}
-	| QUIT CRLF
+	| QUIT CRLF check_secure
 		{
+		    if ($3) {
 			reply(221, "Goodbye.");
 			dologout(0);
+		    }
 		}
 	| error CRLF
 		{
@@ -648,13 +678,15 @@ rcmd
 				}
 			}
 		}
-	| REST SP byte_size CRLF
+	| REST SP byte_size CRLF check_secure
 		{
+		    if ($5) {
 			fromname = (char *) 0;
 			restart_point = $3;	/* XXX $3 is only "int" */
 			reply(350, "Restarting at %ld. %s",
 			      (long)restart_point,
 			      "Send STORE or RETRIEVE to initiate transfer.");
+		    }
 		}
 	| AUTH SP STRING CRLF
 		{
@@ -666,16 +698,19 @@ rcmd
 			adat($3);
 			free($3);
 		}
-	| PBSZ SP NUMBER CRLF
+	| PBSZ SP NUMBER CRLF check_secure
 		{
+		    if ($5)
 			pbsz($3);
 		}
-	| PROT SP STRING CRLF
+	| PROT SP STRING CRLF check_secure
 		{
+		    if ($5)
 			prot($3);
 		}
-	| CCC CRLF
+	| CCC CRLF check_secure
 		{
+		    if ($3)
 			ccc();
 		}
 	| MIC SP STRING CRLF
@@ -715,11 +750,11 @@ host_port
 	: NUMBER COMMA NUMBER COMMA NUMBER COMMA NUMBER COMMA
 		NUMBER COMMA NUMBER
 		{
-			struct sockaddr_in *sin = (struct sockaddr_in *)data_dest;
+			struct sockaddr_in *sin4 = (struct sockaddr_in *)data_dest;
 
-			sin->sin_family = AF_INET;
-			sin->sin_port = htons($9 * 256 + $11);
-			sin->sin_addr.s_addr = 
+			sin4->sin_family = AF_INET;
+			sin4->sin_port = htons($9 * 256 + $11);
+			sin4->sin_addr.s_addr = 
 			    htonl(($1 << 24) | ($3 << 16) | ($5 << 8) | $7);
 		}
 	;
@@ -892,7 +927,7 @@ check_login : check_secure
 check_secure : /* empty */
 		{
 		    $$ = 1;
-		    if(sec_complete && !secure_command()) {
+		    if(sec_complete && !ccc_passed && !secure_command()) {
 			$$ = 0;
 			reply(533, "Command protection level denied "
 			      "for paranoid reasons.");
@@ -1352,13 +1387,13 @@ help(struct tab *ctab, char *s)
 {
 	struct tab *c;
 	int width, NCMDS;
-	char *type;
+	char *t;
 	char buf[1024];
 
 	if (ctab == sitetab)
-		type = "SITE ";
+		t = "SITE ";
 	else
-		type = "";
+		t = "";
 	width = 0, NCMDS = 0;
 	for (c = ctab; c->name != NULL; c++) {
 		int len = strlen(c->name);
@@ -1373,7 +1408,7 @@ help(struct tab *ctab, char *s)
 		int columns, lines;
 
 		lreply(214, "The following %scommands are recognized %s.",
-		    type, "(* =>'s unimplemented)");
+		    t, "(* =>'s unimplemented)");
 		columns = 76 / width;
 		if (columns == 0)
 			columns = 1;
@@ -1409,9 +1444,9 @@ help(struct tab *ctab, char *s)
 		return;
 	}
 	if (c->implemented)
-		reply(214, "Syntax: %s%s %s", type, c->name, c->help);
+		reply(214, "Syntax: %s%s %s", t, c->name, c->help);
 	else
-		reply(214, "%s%-*s\t%s; unimplemented.", type, width,
+		reply(214, "%s%-*s\t%s; unimplemented.", t, width,
 		    c->name, c->help);
 }
 
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpd.8 b/crypto/heimdal/appl/ftp/ftpd/ftpd.8
index b630641..0dfed9f 100644
--- a/crypto/heimdal/appl/ftp/ftpd/ftpd.8
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpd.8
@@ -156,8 +156,8 @@ allowed anonymous upload filename chars
 .Fl -no-insecure-oob
 .Xc
 don't allow insecure out of band.
-Heimdal ftp client before 0.7 doesn't support secure oob, so turning
-on this options makes them no longer work.
+Heimdal ftp clients before 0.6.3 doesn't support secure oob, so turning
+on this option makes them no longer work.
 .El
 .Pp
 The file
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpd.c b/crypto/heimdal/appl/ftp/ftpd/ftpd.c
index 88bb4a1..2005a4f 100644
--- a/crypto/heimdal/appl/ftp/ftpd/ftpd.c
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpd.c
@@ -38,7 +38,7 @@
 #endif
 #include "getarg.h"
 
-RCSID("$Id: ftpd.c,v 1.166.2.3 2004/08/20 15:16:37 lha Exp $");
+RCSID("$Id: ftpd.c 21222 2007-06-20 10:11:14Z lha $");
 
 static char version[] = "Version 6.00";
 
@@ -138,9 +138,9 @@ static int	 handleoobcmd(void);
 static int	 checkuser (char *, char *);
 static int	 checkaccess (char *);
 static FILE	*dataconn (const char *, off_t, const char *);
-static void	 dolog (struct sockaddr *sa, int len);
+static void	 dolog (struct sockaddr *, int);
 static void	 end_login (void);
-static FILE	*getdatasock (const char *);
+static FILE	*getdatasock (const char *, int);
 static char	*gunique (char *);
 static RETSIGTYPE	 lostconn (int);
 static int	 receive_data (FILE *, FILE *);
@@ -280,10 +280,6 @@ main(int argc, char **argv)
 	krb_set_tkt_string(tkfile);
 #endif
     }
-#if defined(KRB4) || defined(KRB5)
-    if(k_hasafs())
-	k_setpag();
-#endif
 
     if(getarg(args, num_args, argc, argv, &optind))
 	usage(1);
@@ -595,14 +591,15 @@ user(char *name)
 	if (logging)
 	    strlcpy(curname, name, sizeof(curname));
 	if(sec_complete) {
-	    if(sec_userok(name) == 0)
+	    if(sec_userok(name) == 0) {
 		do_login(232, name);
-	    else
+		sec_session(name);
+	    } else
 		reply(530, "User %s access denied.", name);
 	} else {
+#ifdef OTP
 		char ss[256];
 
-#ifdef OTP
 		if (otp_challenge(&otp_ctx, name, ss, sizeof(ss)) == 0) {
 			reply(331, "Password %s for %s required.",
 			      ss, name);
@@ -613,9 +610,9 @@ user(char *name)
 		    reply(331, "Password required for %s.", name);
 		    askpasswd = 1;
 		} else {
-		    char *s;
-		    
 #ifdef OTP
+		    char *s;
+
 		    if ((s = otp_error (&otp_ctx)) != NULL)
 			lreply(530, "OTP: %s", s);
 #endif
@@ -727,6 +724,10 @@ int do_login(int code, char *passwd)
 	return -1;
     }
     initgroups(pw->pw_name, pw->pw_gid);
+#if defined(KRB4) || defined(KRB5)
+    if(k_hasafs())
+	k_setpag();
+#endif
 
     /* open wtmp before chroot */
     ftpd_logwtmp(ttyline, pw->pw_name, remotehost);
@@ -835,7 +836,8 @@ static void
 end_login(void)
 {
 
-	seteuid((uid_t)0);
+	if (seteuid((uid_t)0) < 0)
+		fatal("Failed to seteuid");
 	if (logged_in)
 		ftpd_logwtmp(ttyline, "", "");
 	pw = NULL;
@@ -933,9 +935,8 @@ pass(char *passwd)
 		    if (rval)
 			rval = unix_verify_user(pw->pw_name, passwd);
 		} else {
-		    char *s;
-		    
 #ifdef OTP
+		    char *s;
 		    if ((s = otp_error(&otp_ctx)) != NULL)
 			lreply(530, "OTP: %s", s);
 #endif
@@ -1023,9 +1024,10 @@ retrieve(const char *cmd, char *name)
 			*tail = c;
 			if (p->rev_cmd != NULL) {
 			    char *ext;
+			    int ret;
 
-			    asprintf(&ext, "%s%s", name, p->ext);
-			    if (ext != NULL) { 
+			    ret = asprintf(&ext, "%s%s", name, p->ext);
+			    if (ret != -1) {
   			        if (access(ext, R_OK) == 0) {
 				    snprintf (line, sizeof(line),
 					      p->rev_cmd, ext);
@@ -1107,17 +1109,17 @@ done:
 int 
 filename_check(char *filename)
 {
-    unsigned char *p;
+    char *p;
 
-    p = (unsigned char *)strrchr(filename, '/');
+    p = strrchr(filename, '/');
     if(p)
 	filename = p + 1;
 
     p = filename;
 
-    if(isalnum(*p)){
+    if(isalnum((unsigned char)*p)){
 	p++;
-	while(*p && (isalnum(*p) || strchr(good_chars, *p)))
+	while(*p && (isalnum((unsigned char)*p) || strchr(good_chars, (unsigned char)*p)))
 	    p++;
 	if(*p == '\0')
 	    return 0;
@@ -1208,14 +1210,15 @@ done:
 }
 
 static FILE *
-getdatasock(const char *mode)
+getdatasock(const char *mode, int domain)
 {
 	int s, t, tries;
 
 	if (data >= 0)
 		return (fdopen(data, mode));
-	seteuid(0);
-	s = socket(ctrl_addr->sa_family, SOCK_STREAM, 0);
+	if (seteuid(0) < 0)
+		fatal("Failed to seteuid");
+	s = socket(domain, SOCK_STREAM, 0);
 	if (s < 0)
 		goto bad;
 	socket_set_reuseaddr (s, 1);
@@ -1232,7 +1235,8 @@ getdatasock(const char *mode)
 			goto bad;
 		sleep(tries);
 	}
-	seteuid(pw->pw_uid);
+	if (seteuid(pw->pw_uid) < 0)
+		fatal("Failed to seteuid");
 #ifdef IPTOS_THROUGHPUT
 	socket_set_tos (s, IPTOS_THROUGHPUT);
 #endif
@@ -1240,7 +1244,8 @@ getdatasock(const char *mode)
 bad:
 	/* Return the real value of errno (close may change it) */
 	t = errno;
-	seteuid((uid_t)pw->pw_uid);
+	if (seteuid((uid_t)pw->pw_uid) < 0)
+		fatal("Failed to seteuid");
 	close(s);
 	errno = t;
 	return (NULL);
@@ -1271,7 +1276,7 @@ dataconn(const char *name, off_t size, const char *mode)
 {
 	char sizebuf[32];
 	FILE *file;
-	int retry = 0;
+	int domain, retry = 0;
 
 	file_size = size;
 	byte_count = 0;
@@ -1318,7 +1323,15 @@ dataconn(const char *name, off_t size, const char *mode)
 	if (usedefault)
 		data_dest = his_addr;
 	usedefault = 1;
-	file = getdatasock(mode);
+	/* 
+	 * Default to using the same socket type as the ctrl address,
+	 * unless we know the type of the data address.
+	 */
+	domain = data_dest->sa_family;
+	if (domain == PF_UNSPEC)
+	    domain = ctrl_addr->sa_family;
+
+	file = getdatasock(mode, domain);
 	if (file == NULL) {
 		char data_addr[256];
 
@@ -1625,7 +1638,7 @@ statcmd(void)
 	lreply(211, "%s FTP server (%s) status:", hostname, version);
 	printf("     %s\r\n", version);
 	printf("     Connected to %s", remotehost);
-	if (!isdigit(remotehost[0]))
+	if (!isdigit((unsigned char)remotehost[0]))
 		printf(" (%s)", inet_ntoa(his_addr.sin_addr));
 	printf("\r\n");
 	if (logged_in) {
@@ -1889,11 +1902,11 @@ dologout(int status)
     transflag = 0;
     urgflag = 0;
     if (logged_in) {
-	seteuid((uid_t)0);
-	ftpd_logwtmp(ttyline, "", "");
-#ifdef KRB4
+#if KRB4 || KRB5
 	cond_kdestroy();
 #endif
+	seteuid((uid_t)0); /* No need to check, we call exit() below */
+	ftpd_logwtmp(ttyline, "", "");
     }
     /* beware of flushing buffers after a SIGPIPE */
 #ifdef XXX
@@ -2006,12 +2019,15 @@ pasv(void)
 				     0);
 	socket_set_portrange(pdata, restricted_data_ports, 
 	    pasv_addr->sa_family); 
-	seteuid(0);
+	if (seteuid(0) < 0)
+		fatal("Failed to seteuid");
 	if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) {
-		seteuid(pw->pw_uid);
+		if (seteuid(pw->pw_uid) < 0)
+			fatal("Failed to seteuid");
 		goto pasv_error;
 	}
-	seteuid(pw->pw_uid);
+	if (seteuid(pw->pw_uid) < 0)
+		fatal("Failed to seteuid");
 	len = sizeof(pasv_addr_ss);
 	if (getsockname(pdata, pasv_addr, &len) < 0)
 		goto pasv_error;
@@ -2050,12 +2066,15 @@ epsv(char *proto)
 				     0);
 	socket_set_portrange(pdata, restricted_data_ports, 
 	    pasv_addr->sa_family); 
-	seteuid(0);
+	if (seteuid(0) < 0)
+		fatal("Failed to seteuid");
 	if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) {
-		seteuid(pw->pw_uid);
+		if (seteuid(pw->pw_uid))
+			fatal("Failed to seteuid");
 		goto pasv_error;
 	}
-	seteuid(pw->pw_uid);
+	if (seteuid(pw->pw_uid) < 0)
+		fatal("Failed to seteuid");
 	len = sizeof(pasv_addr_ss);
 	if (getsockname(pdata, pasv_addr, &len) < 0)
 		goto pasv_error;
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpd_locl.h b/crypto/heimdal/appl/ftp/ftpd/ftpd_locl.h
index bb172ac..f5574e9 100644
--- a/crypto/heimdal/appl/ftp/ftpd/ftpd_locl.h
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpd_locl.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: ftpd_locl.h,v 1.13.2.1 2004/08/20 15:17:07 lha Exp $ */
+/* $Id: ftpd_locl.h 14933 2005-04-24 19:58:14Z lha $ */
 
 #ifndef __ftpd_locl_h__
 #define __ftpd_locl_h__
@@ -166,7 +166,7 @@ extern int LIBPREFIX(fclose)      (FILE *);
 
 int fclose(FILE *stream);
 
-int yyparse();
+int yyparse(void);
 
 #ifndef LOG_FTP
 #define LOG_FTP LOG_DAEMON
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpusers.5 b/crypto/heimdal/appl/ftp/ftpd/ftpusers.5
index ce59df8..85b5f62 100644
--- a/crypto/heimdal/appl/ftp/ftpd/ftpusers.5
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpusers.5
@@ -1,4 +1,4 @@
-.\"	$Id: ftpusers.5,v 1.5 2002/08/20 17:07:04 joda Exp $
+.\"	$Id: ftpusers.5 11176 2002-08-20 17:07:29Z joda $
 .\"
 .Dd May 7, 1997
 .Dt FTPUSERS 5
diff --git a/crypto/heimdal/appl/ftp/ftpd/gss_userok.c b/crypto/heimdal/appl/ftp/ftpd/gss_userok.c
index 11a2e75..6fa8f7e 100644
--- a/crypto/heimdal/appl/ftp/ftpd/gss_userok.c
+++ b/crypto/heimdal/appl/ftp/ftpd/gss_userok.c
@@ -35,90 +35,121 @@
 #include <gssapi.h>
 #include <krb5.h>
 
-RCSID("$Id: gss_userok.c,v 1.10 2003/03/18 13:56:35 lha Exp $");
+RCSID("$Id: gss_userok.c 21222 2007-06-20 10:11:14Z lha $");
 
 /* XXX a bit too much of krb5 dependency here... 
    What is the correct way to do this? 
    */
 
-extern krb5_context gssapi_krb5_context;
+struct gss_krb5_data {
+    krb5_context context;
+};
 
 /* XXX sync with gssapi.c */
 struct gss_data {
     gss_ctx_id_t context_hdl;
     char *client_name;
     gss_cred_id_t delegated_cred_handle;
+    void *mech_data;
 };
 
 int gss_userok(void*, char*); /* to keep gcc happy */
+int gss_session(void*, char*); /* to keep gcc happy */
 
 int
 gss_userok(void *app_data, char *username)
 {
     struct gss_data *data = app_data;
-    if(gssapi_krb5_context) {
-	krb5_principal client;
-	krb5_error_code ret;
-        
-	ret = krb5_parse_name(gssapi_krb5_context, data->client_name, &client);
-	if(ret)
-	    return 1;
-	ret = krb5_kuserok(gssapi_krb5_context, client, username);
-        if (!ret) {
-           krb5_free_principal(gssapi_krb5_context, client);
-           return 1;
-        }
-        
-        ret = 0;
+    krb5_error_code ret;
+    krb5_principal client;
+    struct gss_krb5_data *kdata;
+
+    kdata = calloc(1, sizeof(struct gss_krb5_data));
+    if (kdata == NULL)
+	return 1;
+    data->mech_data = kdata;
+
+    ret = krb5_init_context(&(kdata->context));
+    if (ret) {
+	free(kdata);
+	return 1;
+    }
+
+    ret = krb5_parse_name(kdata->context, data->client_name, &client);
+    if(ret) {
+	krb5_free_context(kdata->context);
+	free(kdata);
+	return 1;
+    }
+    ret = krb5_kuserok(kdata->context, client, username);
+    if (!ret) {
+	krb5_free_principal(kdata->context, client);
+	krb5_free_context(kdata->context);
+	free(kdata);
+	return 1;
+    }
         
-        /* more of krb-depend stuff :-( */
-	/* gss_add_cred() ? */
-        if (data->delegated_cred_handle && 
-            data->delegated_cred_handle->ccache ) {
-            
-           krb5_ccache ccache = NULL; 
-           char* ticketfile;
-           struct passwd *pw;
-	   OM_uint32 minor_status;
-           
-           pw = getpwnam(username);
-           
-	   if (pw == NULL) {
-	       ret = 1;
-	       goto fail;
-	   }
+    ret = 0;
+    krb5_free_principal(kdata->context, client);
+    return ret;
+}
+
+int
+gss_session(void *app_data, char *username)
+{
+    struct gss_data *data = app_data;
+    krb5_error_code ret;
+    OM_uint32 minor_status;
+    struct gss_krb5_data *kdata;
+
+    ret = 0;
 
-           asprintf (&ticketfile, "%s%u", KRB5_DEFAULT_CCROOT,
-		     (unsigned)pw->pw_uid);
+    kdata = (struct gss_krb5_data *)(data->mech_data);
         
-           ret = krb5_cc_resolve(gssapi_krb5_context, ticketfile, &ccache);
-           if (ret)
-              goto fail;
+    /* more of krb-depend stuff :-( */
+    /* gss_add_cred() ? */
+    if (data->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
+	krb5_ccache ccache = NULL; 
+	const char* ticketfile;
+	struct passwd *kpw;
            
-           ret = gss_krb5_copy_ccache(&minor_status,
-				      data->delegated_cred_handle,
-				      ccache);
-           if (ret)
-              goto fail;
-           
-           chown (ticketfile+5, pw->pw_uid, pw->pw_gid);
+	ret = krb5_cc_gen_new(kdata->context, &krb5_fcc_ops, &ccache);
+	if (ret)
+	    goto fail;
+	   
+	ticketfile = krb5_cc_get_name(kdata->context, ccache);
+        
+	ret = gss_krb5_copy_ccache(&minor_status,
+				   data->delegated_cred_handle,
+				   ccache);
+	if (ret) {
+	    ret = 0;
+	    goto fail;
+	}
            
-           if (k_hasafs()) {
-	       krb5_afslog(gssapi_krb5_context, ccache, 0, 0);
-           }
-           esetenv ("KRB5CCNAME", ticketfile, 1);
+	do_destroy_tickets = 1;
+
+	kpw = getpwnam(username);
            
-fail:
-           if (ccache)
-              krb5_cc_close(gssapi_krb5_context, ccache); 
-           krb5_cc_destroy(gssapi_krb5_context, 
-                           data->delegated_cred_handle->ccache);
-           data->delegated_cred_handle->ccache = NULL;
-           free(ticketfile);
-        }
+	if (kpw == NULL) {
+	    unlink(ticketfile);
+	    ret = 1;
+	    goto fail;
+	}
+
+	chown (ticketfile, kpw->pw_uid, kpw->pw_gid);
            
-	krb5_free_principal(gssapi_krb5_context, client);
-        return ret;
+	if (asprintf(&k5ccname, "FILE:%s", ticketfile) != -1) {
+	    esetenv ("KRB5CCNAME", k5ccname, 1);
+	}
+	afslog(NULL, 1);
+    fail:
+	if (ccache)
+	    krb5_cc_close(kdata->context, ccache); 
     }
-    return 1;
+           
+    gss_release_cred(&minor_status, &data->delegated_cred_handle);
+    krb5_free_context(kdata->context);
+    free(kdata);
+    return ret;
 }
diff --git a/crypto/heimdal/appl/ftp/ftpd/gssapi.c b/crypto/heimdal/appl/ftp/ftpd/gssapi.c
new file mode 100644
index 0000000..9432feb
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/gssapi.c
@@ -0,0 +1,528 @@
+/*
+ * Copyright (c) 1998 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef FTP_SERVER
+#include "ftpd_locl.h"
+#else
+#include "ftp_locl.h"
+#endif
+#include <gssapi.h>
+#include <krb5_err.h>
+
+RCSID("$Id: gssapi.c 21513 2007-07-12 12:45:25Z lha $");
+
+int ftp_do_gss_bindings = 0;
+int ftp_do_gss_delegate = 1;
+
+struct gss_data {
+    gss_ctx_id_t context_hdl;
+    char *client_name;
+    gss_cred_id_t delegated_cred_handle;
+    void *mech_data;
+};
+
+static int
+gss_init(void *app_data)
+{
+    struct gss_data *d = app_data;
+    d->context_hdl = GSS_C_NO_CONTEXT;
+    d->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
+#if defined(FTP_SERVER)
+    return 0;
+#else
+    /* XXX Check the gss mechanism; with  gss_indicate_mechs() ? */
+#ifdef KRB5
+    return !use_kerberos;
+#else
+    return 0;
+#endif /* KRB5 */
+#endif /* FTP_SERVER */
+}
+
+static int
+gss_check_prot(void *app_data, int level)
+{
+    if(level == prot_confidential)
+	return -1;
+    return 0;
+}
+
+static int
+gss_decode(void *app_data, void *buf, int len, int level)
+{
+    OM_uint32 maj_stat, min_stat;
+    gss_buffer_desc input, output;
+    gss_qop_t qop_state;
+    int conf_state;
+    struct gss_data *d = app_data;
+    size_t ret_len;
+
+    input.length = len;
+    input.value = buf;
+    maj_stat = gss_unwrap (&min_stat,
+			   d->context_hdl,
+			   &input,
+			   &output,
+			   &conf_state,
+			   &qop_state);
+    if(GSS_ERROR(maj_stat))
+	return -1;
+    memmove(buf, output.value, output.length);
+    ret_len = output.length;
+    gss_release_buffer(&min_stat, &output);
+    return ret_len;
+}
+
+static int
+gss_overhead(void *app_data, int level, int len)
+{
+    return 100; /* dunno? */
+}
+
+
+static int
+gss_encode(void *app_data, void *from, int length, int level, void **to)
+{
+    OM_uint32 maj_stat, min_stat;
+    gss_buffer_desc input, output;
+    int conf_state;
+    struct gss_data *d = app_data;
+
+    input.length = length;
+    input.value = from;
+    maj_stat = gss_wrap (&min_stat,
+			 d->context_hdl,
+			 level == prot_private,
+			 GSS_C_QOP_DEFAULT,
+			 &input,
+			 &conf_state,
+			 &output);
+    *to = output.value;
+    return output.length;
+}
+
+static void
+sockaddr_to_gss_address (struct sockaddr *sa,
+			 OM_uint32 *addr_type,
+			 gss_buffer_desc *gss_addr)
+{
+    switch (sa->sa_family) {
+#ifdef HAVE_IPV6
+    case AF_INET6 : {
+	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
+
+	gss_addr->length = 16;
+	gss_addr->value  = &sin6->sin6_addr;
+	*addr_type       = GSS_C_AF_INET6;
+	break;
+    }
+#endif
+    case AF_INET : {
+	struct sockaddr_in *sin4 = (struct sockaddr_in *)sa;
+
+	gss_addr->length = 4;
+	gss_addr->value  = &sin4->sin_addr;
+	*addr_type       = GSS_C_AF_INET;
+	break;
+    }
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	
+    }
+}
+
+/* end common stuff */
+
+#ifdef FTP_SERVER
+
+static int
+gss_adat(void *app_data, void *buf, size_t len)
+{
+    char *p = NULL;
+    gss_buffer_desc input_token, output_token;
+    OM_uint32 maj_stat, min_stat;
+    gss_name_t client_name;
+    struct gss_data *d = app_data;
+    gss_channel_bindings_t bindings;
+
+    if (ftp_do_gss_bindings) {
+	bindings = malloc(sizeof(*bindings));
+	if (bindings == NULL)
+	    errx(1, "out of memory");
+
+	sockaddr_to_gss_address (his_addr,
+				 &bindings->initiator_addrtype,
+				 &bindings->initiator_address);
+	sockaddr_to_gss_address (ctrl_addr,
+				 &bindings->acceptor_addrtype,
+				 &bindings->acceptor_address);
+	
+	bindings->application_data.length = 0;
+	bindings->application_data.value = NULL;
+    } else
+	bindings = GSS_C_NO_CHANNEL_BINDINGS;
+
+    input_token.value = buf;
+    input_token.length = len;
+
+    maj_stat = gss_accept_sec_context (&min_stat,
+				       &d->context_hdl,
+				       GSS_C_NO_CREDENTIAL,
+				       &input_token,
+				       bindings,
+				       &client_name,
+				       NULL,
+				       &output_token,
+				       NULL,
+				       NULL,
+				       &d->delegated_cred_handle);
+
+    if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
+	free(bindings);
+
+    if(output_token.length) {
+	if(base64_encode(output_token.value, output_token.length, &p) < 0) {
+	    reply(535, "Out of memory base64-encoding.");
+	    return -1;
+	}
+	gss_release_buffer(&min_stat, &output_token);
+    }
+    if(maj_stat == GSS_S_COMPLETE){
+	char *name;
+	gss_buffer_desc export_name;
+	gss_OID oid;
+
+	maj_stat = gss_display_name(&min_stat, client_name,
+				    &export_name, &oid);
+	if(maj_stat != 0) {
+	    reply(500, "Error displaying name");
+	    goto out;
+	}
+	/* XXX kerberos */
+	if(oid != GSS_KRB5_NT_PRINCIPAL_NAME) {
+	    reply(500, "OID not kerberos principal name");
+	    gss_release_buffer(&min_stat, &export_name);
+	    goto out;
+	}
+	name = malloc(export_name.length + 1);
+	if(name == NULL) {
+	    reply(500, "Out of memory");
+	    gss_release_buffer(&min_stat, &export_name);
+	    goto out;
+	}
+	memcpy(name, export_name.value, export_name.length);
+	name[export_name.length] = '\0';
+	gss_release_buffer(&min_stat, &export_name);
+	d->client_name = name;
+	if(p)
+	    reply(235, "ADAT=%s", p);
+	else
+	    reply(235, "ADAT Complete");
+	sec_complete = 1;
+
+    } else if(maj_stat == GSS_S_CONTINUE_NEEDED) {
+	if(p)
+	    reply(335, "ADAT=%s", p);
+	else
+	    reply(335, "OK, need more data");
+    } else {
+	OM_uint32 new_stat;
+	OM_uint32 msg_ctx = 0;
+	gss_buffer_desc status_string;
+	gss_display_status(&new_stat,
+			   min_stat,
+			   GSS_C_MECH_CODE,
+			   GSS_C_NO_OID,
+			   &msg_ctx,
+			   &status_string);
+	syslog(LOG_ERR, "gss_accept_sec_context: %s", 
+	       (char*)status_string.value);
+	gss_release_buffer(&new_stat, &status_string);
+	reply(431, "Security resource unavailable");
+    }
+  out:
+    if (client_name)
+	gss_release_name(&min_stat, &client_name);
+    free(p);
+    return 0;
+}
+
+int gss_userok(void*, char*);
+int gss_session(void*, char*);
+
+struct sec_server_mech gss_server_mech = {
+    "GSSAPI",
+    sizeof(struct gss_data),
+    gss_init, /* init */
+    NULL, /* end */
+    gss_check_prot,
+    gss_overhead,
+    gss_encode,
+    gss_decode,
+    /* */
+    NULL,
+    gss_adat,
+    NULL, /* pbsz */
+    NULL, /* ccc */
+    gss_userok,
+    gss_session
+};
+
+#else /* FTP_SERVER */
+
+extern struct sockaddr *hisctladdr, *myctladdr;
+
+static int
+import_name(const char *kname, const char *host, gss_name_t *target_name)
+{
+    OM_uint32 maj_stat, min_stat;
+    gss_buffer_desc name;
+    char *str;
+
+    name.length = asprintf(&str, "%s@%s", kname, host);
+    if (str == NULL) {
+	printf("Out of memory\n");
+	return AUTH_ERROR;
+    }
+    name.value = str;
+
+    maj_stat = gss_import_name(&min_stat,
+			       &name,
+			       GSS_C_NT_HOSTBASED_SERVICE,
+			       target_name);
+    if (GSS_ERROR(maj_stat)) {
+	OM_uint32 new_stat;
+	OM_uint32 msg_ctx = 0;
+	gss_buffer_desc status_string;
+	    
+	gss_display_status(&new_stat,
+			   min_stat,
+			   GSS_C_MECH_CODE,
+			   GSS_C_NO_OID,
+			   &msg_ctx,
+			   &status_string);
+	printf("Error importing name %s: %s\n", 
+	       (char *)name.value,
+	       (char *)status_string.value);
+	free(name.value);
+	gss_release_buffer(&new_stat, &status_string);
+	return AUTH_ERROR;
+    }
+    free(name.value);
+    return 0;
+}
+
+static int
+gss_auth(void *app_data, char *host)
+{
+    
+    OM_uint32 maj_stat, min_stat;
+    gss_name_t target_name;
+    gss_buffer_desc input, output_token;
+    int context_established = 0;
+    char *p;
+    int n;
+    gss_channel_bindings_t bindings;
+    struct gss_data *d = app_data;
+    OM_uint32 mech_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
+
+    const char *knames[] = { "ftp", "host", NULL }, **kname = knames;
+	    
+    
+    if(import_name(*kname++, host, &target_name))
+	return AUTH_ERROR;
+
+    input.length = 0;
+    input.value = NULL;
+
+    if (ftp_do_gss_bindings) {
+	bindings = malloc(sizeof(*bindings));
+	if (bindings == NULL)
+	    errx(1, "out of memory");
+	
+	sockaddr_to_gss_address (myctladdr,
+				 &bindings->initiator_addrtype,
+				 &bindings->initiator_address);
+	sockaddr_to_gss_address (hisctladdr,
+				 &bindings->acceptor_addrtype,
+				 &bindings->acceptor_address);
+	
+	bindings->application_data.length = 0;
+	bindings->application_data.value = NULL;
+    } else
+	bindings = GSS_C_NO_CHANNEL_BINDINGS;
+
+    if (ftp_do_gss_delegate)
+	mech_flags |= GSS_C_DELEG_FLAG;
+
+    while(!context_established) {
+	maj_stat = gss_init_sec_context(&min_stat,
+					GSS_C_NO_CREDENTIAL,
+					&d->context_hdl,
+					target_name,
+					GSS_C_NO_OID,
+                                        mech_flags,
+					0,
+					bindings,
+					&input,
+					NULL,
+					&output_token,
+					NULL,
+					NULL);
+	if (GSS_ERROR(maj_stat)) {
+	    OM_uint32 new_stat;
+	    OM_uint32 msg_ctx = 0;
+	    gss_buffer_desc status_string;
+
+	    d->context_hdl = GSS_C_NO_CONTEXT;
+
+	    gss_release_name(&min_stat, &target_name);
+
+	    if(*kname != NULL) {
+
+		if(import_name(*kname++, host, &target_name)) {
+		    if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
+			free(bindings);
+		    return AUTH_ERROR;
+		}
+		continue;
+	    }
+	    
+	    if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
+		free(bindings);
+
+	    gss_display_status(&new_stat,
+			       min_stat,
+			       GSS_C_MECH_CODE,
+			       GSS_C_NO_OID,
+			       &msg_ctx,
+			       &status_string);
+	    printf("Error initializing security context: %s\n", 
+		   (char*)status_string.value);
+	    gss_release_buffer(&new_stat, &status_string);
+	    return AUTH_CONTINUE;
+	}
+
+	if (input.value) {
+	    free(input.value);
+	    input.value = NULL;
+	    input.length = 0;
+	}
+	if (output_token.length != 0) {
+	    base64_encode(output_token.value, output_token.length, &p);
+	    gss_release_buffer(&min_stat, &output_token);
+	    n = command("ADAT %s", p);
+	    free(p);
+	}
+	if (GSS_ERROR(maj_stat)) {
+	    if (d->context_hdl != GSS_C_NO_CONTEXT)
+		gss_delete_sec_context (&min_stat,
+					&d->context_hdl,
+					GSS_C_NO_BUFFER);
+	    break;
+	}
+	if (maj_stat & GSS_S_CONTINUE_NEEDED) {
+	    p = strstr(reply_string, "ADAT=");
+	    if(p == NULL){
+		printf("Error: expected ADAT in reply. got: %s\n",
+		       reply_string);
+		if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
+		    free(bindings);
+		return AUTH_ERROR;
+	    } else {
+		p+=5;
+		input.value = malloc(strlen(p));
+		input.length = base64_decode(p, input.value);
+	    }
+	} else {
+	    if(code != 235) {
+		printf("Unrecognized response code: %d\n", code);
+		if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
+		    free(bindings);
+		return AUTH_ERROR;
+	    }
+	    context_established = 1;
+	}
+    }
+
+    gss_release_name(&min_stat, &target_name);
+
+    if (bindings != GSS_C_NO_CHANNEL_BINDINGS)
+	free(bindings);
+    if (input.value)
+	free(input.value);
+
+    {
+	gss_name_t targ_name;
+
+	maj_stat = gss_inquire_context(&min_stat,
+				       d->context_hdl,
+				       NULL,
+				       &targ_name,
+				       NULL,
+				       NULL,
+				       NULL,
+				       NULL,
+				       NULL);
+	if (GSS_ERROR(maj_stat) == 0) {
+	    gss_buffer_desc name;
+	    maj_stat = gss_display_name (&min_stat,
+					 targ_name,
+					 &name,
+					 NULL);
+	    if (GSS_ERROR(maj_stat) == 0) {
+		printf("Authenticated to <%s>\n", (char *)name.value);
+		gss_release_buffer(&min_stat, &name);
+	    }
+	    gss_release_name(&min_stat, &targ_name);
+	} else
+	    printf("Failed to get gss name of peer.\n");
+    }	    
+
+
+    return AUTH_OK;
+}
+
+struct sec_client_mech gss_client_mech = {
+    "GSSAPI",
+    sizeof(struct gss_data),
+    gss_init,
+    gss_auth,
+    NULL, /* end */
+    gss_check_prot,
+    gss_overhead,
+    gss_encode,
+    gss_decode,
+};
+
+#endif /* FTP_SERVER */
diff --git a/crypto/heimdal/appl/ftp/ftpd/kauth.c b/crypto/heimdal/appl/ftp/ftpd/kauth.c
index dad4de5..0f34092 100644
--- a/crypto/heimdal/appl/ftp/ftpd/kauth.c
+++ b/crypto/heimdal/appl/ftp/ftpd/kauth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 1999, 2003 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -33,7 +33,16 @@
 
 #include "ftpd_locl.h"
 
-RCSID("$Id: kauth.c,v 1.25 1999/12/02 16:58:31 joda Exp $");
+RCSID("$Id: kauth.c 15666 2005-07-19 17:08:11Z lha $");
+
+#if defined(KRB4) || defined(KRB5)
+
+int do_destroy_tickets = 1;
+char *k5ccname;
+
+#endif
+
+#ifdef KRB4
 
 static KTEXT_ST cip;
 static unsigned int lifetime;
@@ -41,8 +50,6 @@ static time_t local_time;
 
 static krb_principal pr;
 
-static int do_destroy_tickets = 1;
-
 static int
 save_tkt(const char *user,
 	 const char *instance,
@@ -237,86 +244,41 @@ short_date(int32_t dp)
 }
 
 void
-klist(void)
+krbtkfile(const char *tkfile)
 {
-    int err;
+    do_destroy_tickets = 0;
+    krb_set_tkt_string(tkfile);
+    reply(200, "Using ticket file %s", tkfile);
+}
 
-    char *file = tkt_string();
+#endif /* KRB4 */
 
-    krb_principal pr;
-    
-    char buf1[128], buf2[128];
-    int header = 1;
-    CREDENTIALS c;
+#ifdef KRB5
 
+static void
+dest_cc(void)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    krb5_ccache id;
     
-
-    err = tf_init(file, R_TKT_FIL);
-    if(err != KSUCCESS){
-	reply(500, "%s", krb_get_err_text(err));
-	return;
-    }
-    tf_close();
-
-    /* 
-     * We must find the realm of the ticket file here before calling
-     * tf_init because since the realm of the ticket file is not
-     * really stored in the principal section of the file, the
-     * routine we use must itself call tf_init and tf_close.
-     */
-    err = krb_get_tf_realm(file, pr.realm);
-    if(err != KSUCCESS){
-	reply(500, "%s", krb_get_err_text(err));
-	return;
-    }
-
-    err = tf_init(file, R_TKT_FIL);
-    if(err != KSUCCESS){
-	reply(500, "%s", krb_get_err_text(err));
-	return;
-    }
-
-    err = tf_get_pname(pr.name);
-    if(err != KSUCCESS){
-	reply(500, "%s", krb_get_err_text(err));
-	return;
-    }
-    err = tf_get_pinst(pr.instance);
-    if(err != KSUCCESS){
-	reply(500, "%s", krb_get_err_text(err));
-	return;
-    }
-
-    /* 
-     * You may think that this is the obvious place to get the
-     * realm of the ticket file, but it can't be done here as the
-     * routine to do this must open the ticket file.  This is why 
-     * it was done before tf_init.
-     */
-       
-    lreply(200, "Ticket file: %s", tkt_string());
-
-    lreply(200, "Principal: %s", krb_unparse_name(&pr));
-    while ((err = tf_get_cred(&c)) == KSUCCESS) {
-	if (header) {
-	    lreply(200, "%-15s  %-15s  %s",
-		   "  Issued", "  Expires", "  Principal (kvno)");
-	    header = 0;
-	}
-	strlcpy(buf1, short_date(c.issue_date), sizeof(buf1));
-	c.issue_date = krb_life_to_time(c.issue_date, c.lifetime);
-	if (time(0) < (unsigned long) c.issue_date)
-	    strlcpy(buf2, short_date(c.issue_date), sizeof(buf2));
+    ret = krb5_init_context(&context);
+    if (ret == 0) {
+	if (k5ccname)
+	    ret = krb5_cc_resolve(context, k5ccname, &id);
 	else
-	    strlcpy(buf2, ">>> Expired <<< ", sizeof(buf2));
-	lreply(200, "%s  %s  %s (%d)", buf1, buf2,
-	       krb_unparse_name_long(c.service, c.instance, c.realm), c.kvno); 
+	    ret = krb5_cc_default (context, &id);
+	if (ret)
+	    krb5_free_context(context);
     }
-    if (header && err == EOF) {
-	lreply(200, "No tickets in file.");
+    if (ret == 0) {
+	krb5_cc_destroy(context, id);
+	krb5_free_context (context);
     }
-    reply(200, " ");
 }
+#endif
+
+#if defined(KRB4) || defined(KRB5)
 
 /*
  * Only destroy if we created the tickets
@@ -325,35 +287,64 @@ klist(void)
 void
 cond_kdestroy(void)
 {
-    if (do_destroy_tickets)
+    if (do_destroy_tickets) {
+#if KRB4
 	dest_tkt();
+#endif
+#if KRB5
+	dest_cc();
+#endif
+	do_destroy_tickets = 0;
+    }
     afsunlog();
 }
 
 void
 kdestroy(void)
 {
+#if KRB4
     dest_tkt();
+#endif
+#if KRB5
+    dest_cc();
+#endif
     afsunlog();
     reply(200, "Tickets destroyed");
 }
 
-void
-krbtkfile(const char *tkfile)
-{
-    do_destroy_tickets = 0;
-    krb_set_tkt_string(tkfile);
-    reply(200, "Using ticket file %s", tkfile);
-}
 
 void
-afslog(const char *cell)
+afslog(const char *cell, int quiet)
 {
     if(k_hasafs()) {
+#ifdef KRB5
+	krb5_context context;
+	krb5_error_code ret;
+	krb5_ccache id;
+
+	ret = krb5_init_context(&context);
+	if (ret == 0) {
+	    if (k5ccname)
+		ret = krb5_cc_resolve(context, k5ccname, &id);
+	    else
+		ret = krb5_cc_default(context, &id);
+	    if (ret)
+		krb5_free_context(context);
+	}
+	if (ret == 0) {
+	    krb5_afslog(context, id, cell, 0);
+	    krb5_cc_close (context, id);
+	    krb5_free_context (context);
+	}
+#endif
+#ifdef KRB4
 	krb_afslog(cell, 0);
-	reply(200, "afslog done");
+#endif
+	if (!quiet)
+	    reply(200, "afslog done");
     } else {
-	reply(200, "no AFS present");
+	if (!quiet)
+	    reply(200, "no AFS present");
     }
 }
 
@@ -363,3 +354,7 @@ afsunlog(void)
     if(k_hasafs())
 	k_unlog();
 }
+
+#else
+int ftpd_afslog_placeholder;
+#endif /* KRB4 || KRB5 */
diff --git a/crypto/heimdal/appl/ftp/ftpd/klist.c b/crypto/heimdal/appl/ftp/ftpd/klist.c
new file mode 100644
index 0000000..4afa9b8
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/klist.c
@@ -0,0 +1,178 @@
+/*
+ * Copyright (c) 1995 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "ftpd_locl.h"
+
+#ifdef KRB5
+
+static int
+print_cred(krb5_context context, krb5_creds *cred)
+{
+    char t1[128], t2[128], *str;
+    krb5_error_code ret;
+    krb5_timestamp sec;
+
+    krb5_timeofday (context, &sec);
+
+    if(cred->times.starttime)
+	krb5_format_time(context, cred->times.starttime, t1, sizeof(t1), 1);
+    else
+	krb5_format_time(context, cred->times.authtime, t1, sizeof(t1), 1);
+    
+    if(cred->times.endtime > sec)
+	krb5_format_time(context, cred->times.endtime, t2, sizeof(t2), 1);
+    else
+	strlcpy(t2, ">>>Expired<<<", sizeof(t2));
+
+    ret = krb5_unparse_name (context, cred->server, &str);
+    if (ret) {
+	lreply(500, "krb5_unparse_name: %d", ret);
+	return 1;
+    }
+
+    lreply(200, "%-20s %-20s %s", t1, t2, str);
+    free(str);
+    return 0;
+}
+
+static int
+print_tickets (krb5_context context,
+	       krb5_ccache ccache,
+	       krb5_principal principal)
+{
+    krb5_error_code ret;
+    krb5_cc_cursor cursor;
+    krb5_creds cred;
+    char *str;
+
+    ret = krb5_unparse_name (context, principal, &str);
+    if (ret) {
+	lreply(500, "krb5_unparse_name: %d", ret);
+	return 500;
+    }
+
+    lreply(200, "%17s: %s:%s", 
+	   "Credentials cache",
+	   krb5_cc_get_type(context, ccache),
+	   krb5_cc_get_name(context, ccache));
+    lreply(200, "%17s: %s", "Principal", str);
+    free (str);
+
+    ret = krb5_cc_start_seq_get (context, ccache, &cursor);
+    if (ret) {
+	lreply(500, "krb5_cc_start_seq_get: %d", ret);
+	return 500;
+    }
+
+    lreply(200, "  Issued               Expires              Principal");
+
+    while ((ret = krb5_cc_next_cred (context,
+				     ccache,
+				     &cursor,
+				     &cred)) == 0) {
+	if (print_cred(context, &cred))
+	    return 500;		
+	krb5_free_cred_contents (context, &cred);
+    }
+    if (ret != KRB5_CC_END) {
+	lreply(500, "krb5_cc_get_next: %d", ret);
+	return 500;
+    }
+    ret = krb5_cc_end_seq_get (context, ccache, &cursor);
+    if (ret) {
+	lreply(500, "krb5_cc_end_seq_get: %d", ret);
+	return 500;
+    }
+
+    return 200;
+}
+
+static int
+klist5(void)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_ccache ccache;
+    krb5_principal principal;
+    int exit_status = 200;
+
+    ret = krb5_init_context (&context);
+    if (ret) {
+	lreply(500, "krb5_init_context failed: %d", ret);
+	return 500;
+    }
+
+    if (k5ccname)
+	ret = krb5_cc_resolve(context, k5ccname, &ccache);
+    else
+	ret = krb5_cc_default (context, &ccache);
+    if (ret) {
+	lreply(500, "krb5_cc_default: %d", ret);	    
+	return 500;
+    }
+
+    ret = krb5_cc_get_principal (context, ccache, &principal);
+    if (ret) {
+	if(ret == ENOENT)
+	    lreply(500, "No ticket file: %s",
+		   krb5_cc_get_name(context, ccache));
+	else
+	    lreply(500, "krb5_cc_get_principal: %d", ret);
+
+	return 500;
+    }
+    exit_status = print_tickets (context, ccache, principal);
+
+    ret = krb5_cc_close (context, ccache);
+    if (ret) {
+	lreply(500, "krb5_cc_close: %d", ret);	    
+	exit_status = 500;
+    }
+
+    krb5_free_principal (context, principal);
+    krb5_free_context (context);
+    return exit_status;
+}
+#endif
+
+void
+klist(void)
+{
+#if KRB5
+    int res = klist5();
+    reply(res, " ");
+#else
+    reply(500, "Command not implemented.");
+#endif
+}
+
diff --git a/crypto/heimdal/appl/ftp/ftpd/krb4.c b/crypto/heimdal/appl/ftp/ftpd/krb4.c
new file mode 100644
index 0000000..408b7fa
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/krb4.c
@@ -0,0 +1,340 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef FTP_SERVER
+#include "ftpd_locl.h"
+#else
+#include "ftp_locl.h"
+#endif
+#include <krb.h>
+
+RCSID("$Id: krb4.c 17450 2006-05-05 11:11:43Z lha $");
+
+#ifdef FTP_SERVER
+#define LOCAL_ADDR ctrl_addr
+#define REMOTE_ADDR his_addr
+#else
+#define LOCAL_ADDR myctladdr
+#define REMOTE_ADDR hisctladdr
+#endif
+
+extern struct sockaddr *LOCAL_ADDR, *REMOTE_ADDR;
+
+struct krb4_data {
+    des_cblock key;
+    des_key_schedule schedule;
+    char name[ANAME_SZ];
+    char instance[INST_SZ];
+    char realm[REALM_SZ];
+};
+
+static int
+krb4_check_prot(void *app_data, int level)
+{
+    if(level == prot_confidential)
+	return -1;
+    return 0;
+}
+
+static int
+krb4_decode(void *app_data, void *buf, int len, int level)
+{
+    MSG_DAT m;
+    int e;
+    struct krb4_data *d = app_data;
+    
+    if(level == prot_safe)
+	e = krb_rd_safe(buf, len, &d->key,
+			(struct sockaddr_in *)REMOTE_ADDR,
+			(struct sockaddr_in *)LOCAL_ADDR, &m);
+    else
+	e = krb_rd_priv(buf, len, d->schedule, &d->key, 
+			(struct sockaddr_in *)REMOTE_ADDR,
+			(struct sockaddr_in *)LOCAL_ADDR, &m);
+    if(e){
+	syslog(LOG_ERR, "krb4_decode: %s", krb_get_err_text(e));
+	return -1;
+    }
+    memmove(buf, m.app_data, m.app_length);
+    return m.app_length;
+}
+
+static int
+krb4_overhead(void *app_data, int level, int len)
+{
+    return 31;
+}
+
+static int
+krb4_encode(void *app_data, void *from, int length, int level, void **to)
+{
+    struct krb4_data *d = app_data;
+    *to = malloc(length + 31);
+    if(level == prot_safe)
+	return krb_mk_safe(from, *to, length, &d->key, 
+			   (struct sockaddr_in *)LOCAL_ADDR,
+			   (struct sockaddr_in *)REMOTE_ADDR);
+    else if(level == prot_private)
+	return krb_mk_priv(from, *to, length, d->schedule, &d->key, 
+			   (struct sockaddr_in *)LOCAL_ADDR,
+			   (struct sockaddr_in *)REMOTE_ADDR);
+    else
+	return -1;
+}
+
+#ifdef FTP_SERVER
+
+static int
+krb4_adat(void *app_data, void *buf, size_t len)
+{
+    KTEXT_ST tkt;
+    AUTH_DAT auth_dat;
+    char *p;
+    int kerror;
+    uint32_t cs;
+    char msg[35]; /* size of encrypted block */
+    int tmp_len;
+    struct krb4_data *d = app_data;
+    char inst[INST_SZ];
+    struct sockaddr_in *his_addr_sin = (struct sockaddr_in *)his_addr;
+
+    memcpy(tkt.dat, buf, len);
+    tkt.length = len;
+
+    k_getsockinst(0, inst, sizeof(inst));
+    kerror = krb_rd_req(&tkt, "ftp", inst, 
+			his_addr_sin->sin_addr.s_addr, &auth_dat, "");
+    if(kerror == RD_AP_UNDEC){
+	k_getsockinst(0, inst, sizeof(inst));
+	kerror = krb_rd_req(&tkt, "rcmd", inst, 
+			    his_addr_sin->sin_addr.s_addr, &auth_dat, "");
+    }
+
+    if(kerror){
+	reply(535, "Error reading request: %s.", krb_get_err_text(kerror));
+	return -1;
+    }
+    
+    memcpy(d->key, auth_dat.session, sizeof(d->key));
+    des_set_key(&d->key, d->schedule);
+
+    strlcpy(d->name, auth_dat.pname, sizeof(d->name));
+    strlcpy(d->instance, auth_dat.pinst, sizeof(d->instance));
+    strlcpy(d->realm, auth_dat.prealm, sizeof(d->instance));
+
+    cs = auth_dat.checksum + 1;
+    {
+	unsigned char tmp[4];
+	KRB_PUT_INT(cs, tmp, 4, sizeof(tmp));
+	tmp_len = krb_mk_safe(tmp, msg, 4, &d->key,
+			      (struct sockaddr_in *)LOCAL_ADDR,
+			      (struct sockaddr_in *)REMOTE_ADDR);
+    }
+    if(tmp_len < 0){
+	reply(535, "Error creating reply: %s.", strerror(errno));
+	return -1;
+    }
+    len = tmp_len;
+    if(base64_encode(msg, len, &p) < 0) {
+	reply(535, "Out of memory base64-encoding.");
+	return -1;
+    }
+    reply(235, "ADAT=%s", p);
+    sec_complete = 1;
+    free(p);
+    return 0;
+}
+
+static int
+krb4_userok(void *app_data, char *user)
+{
+    struct krb4_data *d = app_data;
+    return krb_kuserok(d->name, d->instance, d->realm, user);
+}
+
+struct sec_server_mech krb4_server_mech = {
+    "KERBEROS_V4",
+    sizeof(struct krb4_data),
+    NULL, /* init */
+    NULL, /* end */
+    krb4_check_prot,
+    krb4_overhead,
+    krb4_encode,
+    krb4_decode,
+    /* */
+    NULL,
+    krb4_adat,
+    NULL, /* pbsz */
+    NULL, /* ccc */
+    krb4_userok
+};
+
+#else /* FTP_SERVER */
+
+static int
+krb4_init(void *app_data)
+{
+   return !use_kerberos;
+}
+
+static int
+mk_auth(struct krb4_data *d, KTEXT adat, 
+	char *service, char *host, int checksum)
+{
+    int ret;
+    CREDENTIALS cred;
+    char sname[SNAME_SZ], inst[INST_SZ], realm[REALM_SZ];
+
+    strlcpy(sname, service, sizeof(sname));
+    strlcpy(inst, krb_get_phost(host), sizeof(inst));
+    strlcpy(realm, krb_realmofhost(host), sizeof(realm));
+    ret = krb_mk_req(adat, sname, inst, realm, checksum);
+    if(ret)
+	return ret;
+    strlcpy(sname, service, sizeof(sname));
+    strlcpy(inst, krb_get_phost(host), sizeof(inst));
+    strlcpy(realm, krb_realmofhost(host), sizeof(realm));
+    ret = krb_get_cred(sname, inst, realm, &cred);
+    memmove(&d->key, &cred.session, sizeof(des_cblock));
+    des_key_sched(&d->key, d->schedule);
+    memset(&cred, 0, sizeof(cred));
+    return ret;
+}
+
+static int
+krb4_auth(void *app_data, char *host)
+{
+    int ret;
+    char *p;
+    int len;
+    KTEXT_ST adat;
+    MSG_DAT msg_data;
+    int checksum;
+    uint32_t cs;
+    struct krb4_data *d = app_data;
+    struct sockaddr_in *localaddr  = (struct sockaddr_in *)LOCAL_ADDR;
+    struct sockaddr_in *remoteaddr = (struct sockaddr_in *)REMOTE_ADDR;
+
+    checksum = getpid();
+    ret = mk_auth(d, &adat, "ftp", host, checksum);
+    if(ret == KDC_PR_UNKNOWN)
+	ret = mk_auth(d, &adat, "rcmd", host, checksum);
+    if(ret){
+	printf("%s\n", krb_get_err_text(ret));
+	return AUTH_CONTINUE;
+    }
+
+#ifdef HAVE_KRB_GET_OUR_IP_FOR_REALM
+    if (krb_get_config_bool("nat_in_use")) {
+      struct in_addr natAddr;
+
+      if (krb_get_our_ip_for_realm(krb_realmofhost(host),
+				   &natAddr) != KSUCCESS
+	  && krb_get_our_ip_for_realm(NULL, &natAddr) != KSUCCESS)
+	printf("Can't get address for realm %s\n",
+	       krb_realmofhost(host));
+      else {
+	if (natAddr.s_addr != localaddr->sin_addr.s_addr) {
+	  printf("Using NAT IP address (%s) for kerberos 4\n",
+		 inet_ntoa(natAddr));
+	  localaddr->sin_addr = natAddr;
+	  
+	  /*
+	   * This not the best place to do this, but it
+	   * is here we know that (probably) NAT is in
+	   * use!
+	   */
+
+	  passivemode = 1;
+	  printf("Setting: Passive mode on.\n");
+	}
+      }
+    }
+#endif
+
+    printf("Local address is %s\n", inet_ntoa(localaddr->sin_addr));
+    printf("Remote address is %s\n", inet_ntoa(remoteaddr->sin_addr));
+
+   if(base64_encode(adat.dat, adat.length, &p) < 0) {
+	printf("Out of memory base64-encoding.\n");
+	return AUTH_CONTINUE;
+    }
+    ret = command("ADAT %s", p);
+    free(p);
+
+    if(ret != COMPLETE){
+	printf("Server didn't accept auth data.\n");
+	return AUTH_ERROR;
+    }
+
+    p = strstr(reply_string, "ADAT=");
+    if(!p){
+	printf("Remote host didn't send adat reply.\n");
+	return AUTH_ERROR;
+    }
+    p += 5;
+    len = base64_decode(p, adat.dat);
+    if(len < 0){
+	printf("Failed to decode base64 from server.\n");
+	return AUTH_ERROR;
+    }
+    adat.length = len;
+    ret = krb_rd_safe(adat.dat, adat.length, &d->key, 
+		      (struct sockaddr_in *)hisctladdr, 
+		      (struct sockaddr_in *)myctladdr, &msg_data);
+    if(ret){
+	printf("Error reading reply from server: %s.\n", 
+	       krb_get_err_text(ret));
+	return AUTH_ERROR;
+    }
+    krb_get_int(msg_data.app_data, &cs, 4, 0);
+    if(cs - checksum != 1){
+	printf("Bad checksum returned from server.\n");
+	return AUTH_ERROR;
+    }
+    return AUTH_OK;
+}
+
+struct sec_client_mech krb4_client_mech = {
+    "KERBEROS_V4",
+    sizeof(struct krb4_data),
+    krb4_init, /* init */
+    krb4_auth,
+    NULL, /* end */
+    krb4_check_prot,
+    krb4_overhead,
+    krb4_encode,
+    krb4_decode
+};
+
+#endif /* FTP_SERVER */
diff --git a/crypto/heimdal/appl/ftp/ftpd/logwtmp.c b/crypto/heimdal/appl/ftp/ftpd/logwtmp.c
index 51139a8..ebf37e6 100644
--- a/crypto/heimdal/appl/ftp/ftpd/logwtmp.c
+++ b/crypto/heimdal/appl/ftp/ftpd/logwtmp.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: logwtmp.c,v 1.15 2000/09/19 13:17:05 assar Exp $");
+RCSID("$Id: logwtmp.c 9079 2000-09-19 13:17:20Z assar $");
 #endif
 
 #include <stdio.h>
diff --git a/crypto/heimdal/appl/ftp/ftpd/ls.c b/crypto/heimdal/appl/ftp/ftpd/ls.c
index f8ec4ad..9dcd848 100644
--- a/crypto/heimdal/appl/ftp/ftpd/ls.c
+++ b/crypto/heimdal/appl/ftp/ftpd/ls.c
@@ -33,7 +33,7 @@
 #ifndef TEST
 #include "ftpd_locl.h"
 
-RCSID("$Id: ls.c,v 1.26 2003/02/25 10:51:30 lha Exp $");
+RCSID("$Id: ls.c 16216 2005-10-22 13:15:43Z lha $");
 
 #else
 #include <stdio.h>
@@ -146,16 +146,16 @@ block_convert(size_t blocks)
 #endif
 }
 
-static void
+static int
 make_fileinfo(FILE *out, const char *filename, struct fileinfo *file, int flags)
 {
     char buf[128];
     int file_type = 0;
     struct stat *st = &file->st;
-
+    
     file->inode = st->st_ino;
     file->bsize = block_convert(st->st_blocks);
-
+    
     if(S_ISDIR(st->st_mode)) {
 	file->mode[0] = 'd';
 	file_type = '/';
@@ -218,31 +218,51 @@ make_fileinfo(FILE *out, const char *filename, struct fileinfo *file, int flags)
     {
 	struct passwd *pwd;
 	pwd = getpwuid(st->st_uid);
-	if(pwd == NULL)
-	    asprintf(&file->user, "%u", (unsigned)st->st_uid);
-	else
+	if(pwd == NULL) {
+	    if (asprintf(&file->user, "%u", (unsigned)st->st_uid) == -1)
+		file->user = NULL;
+	} else
 	    file->user = strdup(pwd->pw_name);
+	if (file->user == NULL) {
+	    syslog(LOG_ERR, "out of memory");
+	    return -1;
+	}
     }
     {
 	struct group *grp;
 	grp = getgrgid(st->st_gid);
-	if(grp == NULL)
-	    asprintf(&file->group, "%u", (unsigned)st->st_gid);
-	else
+	if(grp == NULL) {
+	    if (asprintf(&file->group, "%u", (unsigned)st->st_gid) == -1)
+		file->group = NULL;
+	} else
 	    file->group = strdup(grp->gr_name);
+	if (file->group == NULL) {
+	    syslog(LOG_ERR, "out of memory");
+	    return -1;
+	}
     }
     
     if(S_ISCHR(st->st_mode) || S_ISBLK(st->st_mode)) {
 #if defined(major) && defined(minor)
-	asprintf(&file->major, "%u", (unsigned)major(st->st_rdev));
-	asprintf(&file->minor, "%u", (unsigned)minor(st->st_rdev));
+	if (asprintf(&file->major, "%u", (unsigned)major(st->st_rdev)) == -1)
+	    file->major = NULL;
+	if (asprintf(&file->minor, "%u", (unsigned)minor(st->st_rdev)) == -1)
+	    file->minor = NULL;
 #else
 	/* Don't want to use the DDI/DKI crap. */
-	asprintf(&file->major, "%u", (unsigned)st->st_rdev);
-	asprintf(&file->minor, "%u", 0);
+	if (asprintf(&file->major, "%u", (unsigned)st->st_rdev) == -1)
+	    file->major = NULL;
+	if (asprintf(&file->minor, "%u", 0) == -1)
+	    file->minor = NULL;
 #endif
-    } else
-	asprintf(&file->size, "%lu", (unsigned long)st->st_size);
+	if (file->major == NULL || file->minor == NULL) {
+	    syslog(LOG_ERR, "out of memory");
+	    return -1;
+	}
+    } else {
+	if (asprintf(&file->size, "%lu", (unsigned long)st->st_size) == -1)
+	    file->size = NULL;
+    }
 
     {
 	time_t t = time(NULL);
@@ -254,6 +274,10 @@ make_fileinfo(FILE *out, const char *filename, struct fileinfo *file, int flags)
 	else
 	    strftime(buf, sizeof(buf), "%b %e %H:%M", tm);
 	file->date = strdup(buf);
+	if (file->date == NULL) {
+	    syslog(LOG_ERR, "out of memory");
+	    return -1;
+	}
     }
     {
 	const char *p = strrchr(filename, '/');
@@ -261,10 +285,15 @@ make_fileinfo(FILE *out, const char *filename, struct fileinfo *file, int flags)
 	    p++;
 	else
 	    p = filename;
-	if((flags & LS_TYPE) && file_type != 0)
-	    asprintf(&file->filename, "%s%c", p, file_type);
-	else
+	if((flags & LS_TYPE) && file_type != 0) {
+	    if (asprintf(&file->filename, "%s%c", p, file_type) == -1)
+		file->filename = NULL;
+	} else
 	    file->filename = strdup(p);
+	if (file->filename == NULL) {
+	    syslog(LOG_ERR, "out of memory");
+	    return -1;
+	}
     }
     if(S_ISLNK(st->st_mode)) {
 	int n;
@@ -272,9 +301,14 @@ make_fileinfo(FILE *out, const char *filename, struct fileinfo *file, int flags)
 	if(n >= 0) {
 	    buf[n] = '\0';
 	    file->link = strdup(buf);
+	    if (file->link == NULL) {
+		syslog(LOG_ERR, "out of memory");
+		return -1;
+	    }
 	} else
 	    sec_fprintf2(out, "readlink(%s): %s", filename, strerror(errno));
     }
+    return 0;
 }
 
 static void
@@ -356,7 +390,7 @@ compare_size(struct fileinfo *a, struct fileinfo *b)
 static int list_dir(FILE*, const char*, int);
 
 static int
-log10(int num)
+find_log10(int num)
 {
     int i = 1;
     while(num > 10) {
@@ -508,7 +542,9 @@ list_files(FILE *out, const char **files, int n_files, int flags)
 		    include_in_list = 0;
 	    }
 	    if(include_in_list) {
-		make_fileinfo(out, files[i], &fi[i], flags);
+		ret = make_fileinfo(out, files[i], &fi[i], flags);
+		if (ret)
+		    goto out;
 		n_print++;
 	    }
 	}
@@ -563,9 +599,9 @@ list_files(FILE *out, const char **files, int n_files, int flags)
 	    max_size = max_major + max_minor + 2;
 	else if(max_size - max_minor - 2 > max_major)
 	    max_major = max_size - max_minor - 2;
-	max_inode = log10(max_inode);
-	max_bsize = log10(max_bsize);
-	max_n_link = log10(max_n_link);
+	max_inode = find_log10(max_inode);
+	max_bsize = find_log10(max_bsize);
+	max_n_link = find_log10(max_n_link);
 	
 	if(n_print > 0)
 	    sec_fprintf2(out, "total %lu\r\n", (unsigned long)total_blocks);
@@ -611,8 +647,8 @@ list_files(FILE *out, const char **files, int n_files, int flags)
 	    }
 	    if(strlen(fi[i].filename) > max_len)
 		max_len = strlen(fi[i].filename);
-	    if(log10(fi[i].bsize) > size_len)
-		size_len = log10(fi[i].bsize);
+	    if(find_log10(fi[i].bsize) > size_len)
+		size_len = find_log10(fi[i].bsize);
 	}
 	if(num_files == 0)
 	    goto next;
@@ -729,6 +765,7 @@ list_dir(FILE *out, const char *directory, int flags)
     struct dirent *ent;
     char **files = NULL;
     int n_files = 0;
+    int ret;
 
     if(d == NULL) {
 	syslog(LOG_ERR, "%s: %m", directory);
@@ -747,8 +784,8 @@ list_dir(FILE *out, const char *directory, int flags)
 	    return -1;
 	}
 	files = tmp;
-	asprintf(&files[n_files], "%s/%s", directory, ent->d_name);
-	if (files[n_files] == NULL) {
+	ret = asprintf(&files[n_files], "%s/%s", directory, ent->d_name);
+	if (ret == -1) {
 	    syslog(LOG_ERR, "%s: out of memory", directory);
 	    free_files (files, n_files);
 	    closedir (d);
diff --git a/crypto/heimdal/appl/ftp/ftpd/pathnames.h b/crypto/heimdal/appl/ftp/ftpd/pathnames.h
index e4f5b44..8849029 100644
--- a/crypto/heimdal/appl/ftp/ftpd/pathnames.h
+++ b/crypto/heimdal/appl/ftp/ftpd/pathnames.h
@@ -57,5 +57,7 @@
 #define	_PATH_FTPWELCOME	SYSCONFDIR "/ftpwelcome"
 #define	_PATH_FTPLOGINMESG	SYSCONFDIR "/motd"
 
+#ifndef _PATH_ISSUE
 #define _PATH_ISSUE		SYSCONFDIR "/issue"
+#endif
 #define _PATH_ISSUE_NET		SYSCONFDIR "/issue.net"
diff --git a/crypto/heimdal/appl/ftp/ftpd/popen.c b/crypto/heimdal/appl/ftp/ftpd/popen.c
index 708cae1..dc75fb4 100644
--- a/crypto/heimdal/appl/ftp/ftpd/popen.c
+++ b/crypto/heimdal/appl/ftp/ftpd/popen.c
@@ -37,7 +37,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: popen.c,v 1.26 2002/04/02 11:57:39 joda Exp $");
+RCSID("$Id: popen.c 10900 2002-04-02 11:57:39Z joda $");
 #endif
 
 #include <sys/types.h>
diff --git a/crypto/heimdal/appl/ftp/ftpd/security.c b/crypto/heimdal/appl/ftp/ftpd/security.c
new file mode 100644
index 0000000..2a4803f
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/security.c
@@ -0,0 +1,883 @@
+/*
+ * Copyright (c) 1998-2002, 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef FTP_SERVER
+#include "ftpd_locl.h"
+#else
+#include "ftp_locl.h"
+#endif
+
+RCSID("$Id: security.c 21225 2007-06-20 10:16:02Z lha $");
+
+static enum protection_level command_prot;
+static enum protection_level data_prot;
+static size_t buffer_size;
+
+struct buffer {
+    void *data;
+    size_t size;
+    size_t index;
+    int eof_flag;
+};
+
+static struct buffer in_buffer, out_buffer;
+int sec_complete;
+
+static struct {
+    enum protection_level level;
+    const char *name;
+} level_names[] = {
+    { prot_clear, "clear" },
+    { prot_safe, "safe" },
+    { prot_confidential, "confidential" },
+    { prot_private, "private" }
+};
+
+static const char *
+level_to_name(enum protection_level level)
+{
+    int i;
+    for(i = 0; i < sizeof(level_names) / sizeof(level_names[0]); i++)
+	if(level_names[i].level == level)
+	    return level_names[i].name;
+    return "unknown";
+}
+
+#ifndef FTP_SERVER /* not used in server */
+static enum protection_level 
+name_to_level(const char *name)
+{
+    int i;
+    for(i = 0; i < sizeof(level_names) / sizeof(level_names[0]); i++)
+	if(!strncasecmp(level_names[i].name, name, strlen(name)))
+	    return level_names[i].level;
+    return (enum protection_level)-1;
+}
+#endif
+
+#ifdef FTP_SERVER
+
+static struct sec_server_mech *mechs[] = {
+#ifdef KRB5
+    &gss_server_mech,
+#endif
+#ifdef KRB4
+    &krb4_server_mech,
+#endif
+    NULL
+};
+
+static struct sec_server_mech *mech;
+
+#else
+
+static struct sec_client_mech *mechs[] = {
+#ifdef KRB5
+    &gss_client_mech,
+#endif
+#ifdef KRB4
+    &krb4_client_mech,
+#endif
+    NULL
+};
+
+static struct sec_client_mech *mech;
+
+#endif
+
+static void *app_data;
+
+int
+sec_getc(FILE *F)
+{
+    if(sec_complete && data_prot) {
+	char c;
+	if(sec_read(fileno(F), &c, 1) <= 0)
+	    return EOF;
+	return c;
+    } else
+	return getc(F);
+}
+
+static int
+block_read(int fd, void *buf, size_t len)
+{
+    unsigned char *p = buf;
+    int b;
+    while(len) {
+	b = read(fd, p, len);
+	if (b == 0)
+	    return 0;
+	else if (b < 0)
+	    return -1;
+	len -= b;
+	p += b;
+    }
+    return p - (unsigned char*)buf;
+}
+
+static int
+block_write(int fd, void *buf, size_t len)
+{
+    unsigned char *p = buf;
+    int b;
+    while(len) {
+	b = write(fd, p, len);
+	if(b < 0)
+	    return -1;
+	len -= b;
+	p += b;
+    }
+    return p - (unsigned char*)buf;
+}
+
+static int
+sec_get_data(int fd, struct buffer *buf, int level)
+{
+    int len;
+    int b;
+    void *tmp;
+
+    b = block_read(fd, &len, sizeof(len));
+    if (b == 0)
+	return 0;
+    else if (b < 0)
+	return -1;
+    len = ntohl(len);
+    tmp = realloc(buf->data, len);
+    if (tmp == NULL)
+	return -1;
+    buf->data = tmp;
+    b = block_read(fd, buf->data, len);
+    if (b == 0)
+	return 0;
+    else if (b < 0)
+	return -1;
+    buf->size = (*mech->decode)(app_data, buf->data, len, data_prot);
+    buf->index = 0;
+    return 0;
+}
+
+static size_t
+buffer_read(struct buffer *buf, void *dataptr, size_t len)
+{
+    len = min(len, buf->size - buf->index);
+    memcpy(dataptr, (char*)buf->data + buf->index, len);
+    buf->index += len;
+    return len;
+}
+
+static size_t
+buffer_write(struct buffer *buf, void *dataptr, size_t len)
+{
+    if(buf->index + len > buf->size) {
+	void *tmp;
+	if(buf->data == NULL)
+	    tmp = malloc(1024);
+	else
+	    tmp = realloc(buf->data, buf->index + len);
+	if(tmp == NULL)
+	    return -1;
+	buf->data = tmp;
+	buf->size = buf->index + len;
+    }
+    memcpy((char*)buf->data + buf->index, dataptr, len);
+    buf->index += len;
+    return len;
+}
+
+int
+sec_read(int fd, void *dataptr, int length)
+{
+    size_t len;
+    int rx = 0;
+
+    if(sec_complete == 0 || data_prot == 0)
+	return read(fd, dataptr, length);
+
+    if(in_buffer.eof_flag){
+	in_buffer.eof_flag = 0;
+	return 0;
+    }
+    
+    len = buffer_read(&in_buffer, dataptr, length);
+    length -= len;
+    rx += len;
+    dataptr = (char*)dataptr + len;
+    
+    while(length){
+	int ret;
+
+	ret = sec_get_data(fd, &in_buffer, data_prot);
+	if (ret < 0)
+	    return -1;
+	if(ret == 0 && in_buffer.size == 0) {
+	    if(rx)
+		in_buffer.eof_flag = 1;
+	    return rx;
+	}
+	len = buffer_read(&in_buffer, dataptr, length);
+	length -= len;
+	rx += len;
+	dataptr = (char*)dataptr + len;
+    }
+    return rx;
+}
+
+static int
+sec_send(int fd, char *from, int length)
+{
+    int bytes;
+    void *buf;
+    bytes = (*mech->encode)(app_data, from, length, data_prot, &buf);
+    bytes = htonl(bytes);
+    block_write(fd, &bytes, sizeof(bytes));
+    block_write(fd, buf, ntohl(bytes));
+    free(buf);
+    return length;
+}
+
+int
+sec_fflush(FILE *F)
+{
+    if(data_prot != prot_clear) {
+	if(out_buffer.index > 0){
+	    sec_write(fileno(F), out_buffer.data, out_buffer.index);
+	    out_buffer.index = 0;
+	}
+	sec_send(fileno(F), NULL, 0);
+    }
+    fflush(F);
+    return 0;
+}
+
+int
+sec_write(int fd, char *dataptr, int length)
+{
+    int len = buffer_size;
+    int tx = 0;
+      
+    if(data_prot == prot_clear)
+	return write(fd, dataptr, length);
+
+    len -= (*mech->overhead)(app_data, data_prot, len);
+    while(length){
+	if(length < len)
+	    len = length;
+	sec_send(fd, dataptr, len);
+	length -= len;
+	dataptr += len;
+	tx += len;
+    }
+    return tx;
+}
+
+int
+sec_vfprintf2(FILE *f, const char *fmt, va_list ap)
+{
+    char *buf;
+    int ret;
+    if(data_prot == prot_clear)
+	return vfprintf(f, fmt, ap);
+    else {
+	int len;
+	len = vasprintf(&buf, fmt, ap);
+	if (len == -1)
+	    return len;
+	ret = buffer_write(&out_buffer, buf, len);
+	free(buf);
+	return ret;
+    }
+}
+
+int
+sec_fprintf2(FILE *f, const char *fmt, ...)
+{
+    int ret;
+    va_list ap;
+    va_start(ap, fmt);
+    ret = sec_vfprintf2(f, fmt, ap);
+    va_end(ap);
+    return ret;
+}
+
+int
+sec_putc(int c, FILE *F)
+{
+    char ch = c;
+    if(data_prot == prot_clear)
+	return putc(c, F);
+    
+    buffer_write(&out_buffer, &ch, 1);
+    if(c == '\n' || out_buffer.index >= 1024 /* XXX */) {
+	sec_write(fileno(F), out_buffer.data, out_buffer.index);
+	out_buffer.index = 0;
+    }
+    return c;
+}
+
+int
+sec_read_msg(char *s, int level)
+{
+    int len;
+    char *buf;
+    int return_code;
+    
+    buf = malloc(strlen(s));
+    len = base64_decode(s + 4, buf); /* XXX */
+    
+    len = (*mech->decode)(app_data, buf, len, level);
+    if(len < 0)
+	return -1;
+    
+    buf[len] = '\0';
+
+    if(buf[3] == '-')
+	return_code = 0;
+    else
+	sscanf(buf, "%d", &return_code);
+    if(buf[len-1] == '\n')
+	buf[len-1] = '\0';
+    strcpy(s, buf);
+    free(buf);
+    return return_code;
+}
+
+int
+sec_vfprintf(FILE *f, const char *fmt, va_list ap)
+{
+    char *buf;
+    void *enc;
+    int len;
+    if(!sec_complete)
+	return vfprintf(f, fmt, ap);
+    
+    if (vasprintf(&buf, fmt, ap) == -1) {
+	printf("Failed to allocate command.\n");
+	return -1;
+    }
+    len = (*mech->encode)(app_data, buf, strlen(buf), command_prot, &enc);
+    free(buf);
+    if(len < 0) {
+	printf("Failed to encode command.\n");
+	return -1;
+    }
+    if(base64_encode(enc, len, &buf) < 0){
+	free(enc);
+	printf("Out of memory base64-encoding.\n");
+	return -1;
+    }
+    free(enc);
+#ifdef FTP_SERVER
+    if(command_prot == prot_safe)
+	fprintf(f, "631 %s\r\n", buf);
+    else if(command_prot == prot_private)
+	fprintf(f, "632 %s\r\n", buf);
+    else if(command_prot == prot_confidential)
+	fprintf(f, "633 %s\r\n", buf);
+#else
+    if(command_prot == prot_safe)
+	fprintf(f, "MIC %s", buf);
+    else if(command_prot == prot_private)
+	fprintf(f, "ENC %s", buf);
+    else if(command_prot == prot_confidential)
+	fprintf(f, "CONF %s", buf);
+#endif
+    free(buf);
+    return 0;
+}
+
+int
+sec_fprintf(FILE *f, const char *fmt, ...)
+{
+    va_list ap;
+    int ret;
+    va_start(ap, fmt);
+    ret = sec_vfprintf(f, fmt, ap);
+    va_end(ap);
+    return ret;
+}
+
+/* end common stuff */
+
+#ifdef FTP_SERVER
+
+int ccc_passed;
+
+void
+auth(char *auth_name)
+{
+    int i;
+    void *tmp;
+
+    for(i = 0; (mech = mechs[i]) != NULL; i++){
+	if(!strcasecmp(auth_name, mech->name)){
+	    tmp = realloc(app_data, mech->size);
+	    if (tmp == NULL) {
+		reply(431, "Unable to accept %s at this time", mech->name);
+		return;
+	    }
+	    app_data = tmp;
+
+	    if(mech->init && (*mech->init)(app_data) != 0) {
+		reply(431, "Unable to accept %s at this time", mech->name);
+		return;
+	    }
+	    if(mech->auth) {
+		(*mech->auth)(app_data);
+		return;
+	    }
+	    if(mech->adat)
+		reply(334, "Send authorization data.");
+	    else
+		reply(234, "Authorization complete.");
+	    return;
+	}
+    }
+    free (app_data);
+    app_data = NULL;
+    reply(504, "%s is unknown to me", auth_name);
+}
+
+void
+adat(char *auth_data)
+{
+    if(mech && !sec_complete) {
+	void *buf = malloc(strlen(auth_data));
+	size_t len;
+	len = base64_decode(auth_data, buf);
+	(*mech->adat)(app_data, buf, len);
+	free(buf);
+    } else
+	reply(503, "You must %sissue an AUTH first.", mech ? "re-" : "");
+}
+
+void pbsz(int size)
+{
+    size_t new = size;
+    if(!sec_complete)
+	reply(503, "Incomplete security data exchange.");
+    if(mech->pbsz)
+	new = (*mech->pbsz)(app_data, size);
+    if(buffer_size != new){
+	buffer_size = size;
+    }
+    if(new != size)
+	reply(200, "PBSZ=%lu", (unsigned long)new);
+    else
+	reply(200, "OK");
+}
+
+void
+prot(char *pl)
+{
+    int p = -1;
+
+    if(buffer_size == 0){
+	reply(503, "No protection buffer size negotiated.");
+	return;
+    }
+
+    if(!strcasecmp(pl, "C"))
+	p = prot_clear;
+    else if(!strcasecmp(pl, "S"))
+	p = prot_safe;
+    else if(!strcasecmp(pl, "E"))
+	p = prot_confidential;
+    else if(!strcasecmp(pl, "P"))
+	p = prot_private;
+    else {
+	reply(504, "Unrecognized protection level.");
+	return;
+    }
+    
+    if(sec_complete){
+	if((*mech->check_prot)(app_data, p)){
+	    reply(536, "%s does not support %s protection.", 
+		  mech->name, level_to_name(p));
+	}else{
+	    data_prot = (enum protection_level)p;
+	    reply(200, "Data protection is %s.", level_to_name(p));
+	}
+    }else{
+	reply(503, "Incomplete security data exchange.");
+    }
+}
+
+void ccc(void)
+{
+    if(sec_complete){
+	if(mech->ccc && (*mech->ccc)(app_data) == 0) {
+	    command_prot = data_prot = prot_clear;
+	    ccc_passed = 1;
+	} else
+	    reply(534, "You must be joking.");
+    }else
+	reply(503, "Incomplete security data exchange.");
+}
+
+void mec(char *msg, enum protection_level level)
+{
+    void *buf;
+    size_t len, buf_size;
+    if(!sec_complete) {
+	reply(503, "Incomplete security data exchange.");
+	return;
+    }
+    buf_size = strlen(msg) + 2;
+    buf = malloc(buf_size);
+    len = base64_decode(msg, buf);
+    command_prot = level;
+    if(len == (size_t)-1) {
+	reply(501, "Failed to base64-decode command");
+	return;
+    }
+    len = (*mech->decode)(app_data, buf, len, level);
+    if(len == (size_t)-1) {
+	reply(535, "Failed to decode command");
+	return;
+    }
+    ((char*)buf)[len] = '\0';
+    if(strstr((char*)buf, "\r\n") == NULL)
+	strlcat((char*)buf, "\r\n", buf_size);
+    new_ftp_command(buf);
+}
+
+/* ------------------------------------------------------------ */
+
+int
+sec_userok(char *userstr)
+{
+    if(sec_complete)
+	return (*mech->userok)(app_data, userstr);
+    return 0;
+}
+
+int
+sec_session(char *user)
+{
+    if(sec_complete && mech->session)
+	return (*mech->session)(app_data, user);
+    return 0;
+}
+
+char *ftp_command;
+
+void
+new_ftp_command(char *command)
+{
+    ftp_command = command;
+}
+
+void
+delete_ftp_command(void)
+{
+    free(ftp_command);
+    ftp_command = NULL;
+}
+
+int
+secure_command(void)
+{
+    return ftp_command != NULL;
+}
+
+enum protection_level
+get_command_prot(void)
+{
+    return command_prot;
+}
+
+#else /* FTP_SERVER */
+
+void
+sec_status(void)
+{
+    if(sec_complete){
+	printf("Using %s for authentication.\n", mech->name);
+	printf("Using %s command channel.\n", level_to_name(command_prot));
+	printf("Using %s data channel.\n", level_to_name(data_prot));
+	if(buffer_size > 0)
+	    printf("Protection buffer size: %lu.\n", 
+		   (unsigned long)buffer_size);
+    }else{
+	printf("Not using any security mechanism.\n");
+    }
+}
+
+static int
+sec_prot_internal(int level)
+{
+    int ret;
+    char *p;
+    unsigned int s = 1048576;
+
+    int old_verbose = verbose;
+    verbose = 0;
+
+    if(!sec_complete){
+	printf("No security data exchange has taken place.\n");
+	return -1;
+    }
+
+    if(level){
+	ret = command("PBSZ %u", s);
+	if(ret != COMPLETE){
+	    printf("Failed to set protection buffer size.\n");
+	    return -1;
+	}
+	buffer_size = s;
+	p = strstr(reply_string, "PBSZ=");
+	if(p)
+	    sscanf(p, "PBSZ=%u", &s);
+	if(s < buffer_size)
+	    buffer_size = s;
+    }
+    verbose = old_verbose;
+    ret = command("PROT %c", level["CSEP"]); /* XXX :-) */
+    if(ret != COMPLETE){
+	printf("Failed to set protection level.\n");
+	return -1;
+    }
+    
+    data_prot = (enum protection_level)level;
+    return 0;
+}
+
+enum protection_level
+set_command_prot(enum protection_level level)
+{
+    int ret;
+    enum protection_level old = command_prot;
+    if(level != command_prot && level == prot_clear) {
+	ret = command("CCC");
+	if(ret != COMPLETE) {
+	    printf("Failed to clear command channel.\n");
+	    return -1;
+	}
+    }
+    command_prot = level;
+    return old;
+}
+
+void
+sec_prot(int argc, char **argv)
+{
+    int level = -1;
+
+    if(argc > 3)
+	goto usage;
+
+    if(argc == 1) {
+	sec_status();
+	return;
+    }
+    if(!sec_complete) {
+	printf("No security data exchange has taken place.\n");
+	code = -1;
+	return;
+    }
+    level = name_to_level(argv[argc - 1]);
+    
+    if(level == -1)
+	goto usage;
+    
+    if((*mech->check_prot)(app_data, level)) {
+	printf("%s does not implement %s protection.\n", 
+	       mech->name, level_to_name(level));
+	code = -1;
+	return;
+    }
+    
+    if(argc == 2 || strncasecmp(argv[1], "data", strlen(argv[1])) == 0) {
+	if(sec_prot_internal(level) < 0){
+	    code = -1;
+	    return;
+	}
+    } else if(strncasecmp(argv[1], "command", strlen(argv[1])) == 0) {
+	if(set_command_prot(level) < 0) {
+	    code = -1;
+	    return;
+	}
+    } else
+	goto usage;
+    code = 0;
+    return;
+ usage:
+    printf("usage: %s [command|data] [clear|safe|confidential|private]\n",
+	   argv[0]);
+    code = -1;
+}
+
+void
+sec_prot_command(int argc, char **argv)
+{
+    int level;
+
+    if(argc > 2)
+	goto usage;
+
+    if(!sec_complete) {
+	printf("No security data exchange has taken place.\n");
+	code = -1;
+	return;
+    }
+
+    if(argc == 1) {
+	sec_status();
+    } else {
+	level = name_to_level(argv[1]);
+	if(level == -1)
+	    goto usage;
+    
+	if((*mech->check_prot)(app_data, level)) {
+	    printf("%s does not implement %s protection.\n", 
+		   mech->name, level_to_name(level));
+	    code = -1;
+	    return;
+	}
+	if(set_command_prot(level) < 0) {
+	    code = -1;
+	    return;
+	}
+    }
+    code = 0;
+    return;
+ usage:
+    printf("usage: %s [clear|safe|confidential|private]\n",
+	   argv[0]);
+    code = -1;
+}
+
+static enum protection_level request_data_prot;
+
+void
+sec_set_protection_level(void)
+{
+    if(sec_complete && data_prot != request_data_prot)
+	sec_prot_internal(request_data_prot);
+}
+
+
+int
+sec_request_prot(char *level)
+{
+    int l = name_to_level(level);
+    if(l == -1)
+	return -1;
+    request_data_prot = (enum protection_level)l;
+    return 0;
+}
+
+int
+sec_login(char *host)
+{
+    int ret;
+    struct sec_client_mech **m;
+    int old_verbose = verbose;
+
+    verbose = -1; /* shut up all messages this will produce (they
+		     are usually not very user friendly) */
+    
+    for(m = mechs; *m && (*m)->name; m++) {
+	void *tmp;
+
+	tmp = realloc(app_data, (*m)->size);
+	if (tmp == NULL) {
+	    warnx ("realloc %lu failed", (unsigned long)(*m)->size);
+	    return -1;
+	}
+	app_data = tmp;
+	    
+	if((*m)->init && (*(*m)->init)(app_data) != 0) {
+	    printf("Skipping %s...\n", (*m)->name);
+	    continue;
+	}
+	printf("Trying %s...\n", (*m)->name);
+	ret = command("AUTH %s", (*m)->name);
+	if(ret != CONTINUE){
+	    if(code == 504){
+		printf("%s is not supported by the server.\n", (*m)->name);
+	    }else if(code == 534){
+		printf("%s rejected as security mechanism.\n", (*m)->name);
+	    }else if(ret == ERROR) {
+		printf("The server doesn't support the FTP "
+		       "security extensions.\n");
+		verbose = old_verbose;
+		return -1;
+	    }
+	    continue;
+	}
+
+	ret = (*(*m)->auth)(app_data, host);
+	
+	if(ret == AUTH_CONTINUE)
+	    continue;
+	else if(ret != AUTH_OK){
+	    /* mechanism is supposed to output error string */
+	    verbose = old_verbose;
+	    return -1;
+	}
+	mech = *m;
+	sec_complete = 1;
+	if(doencrypt) {
+	    command_prot = prot_private;
+	    request_data_prot = prot_private; 
+	} else {
+	    command_prot = prot_safe;
+	}
+	break;
+    }
+    
+    verbose = old_verbose;
+    return *m == NULL;
+}
+
+void
+sec_end(void)
+{
+    if (mech != NULL) {
+	if(mech->end)
+	    (*mech->end)(app_data);
+	if (app_data != NULL) {
+	    memset(app_data, 0, mech->size);
+	    free(app_data);
+	    app_data = NULL;
+	}
+    }
+    sec_complete = 0;
+    data_prot = (enum protection_level)0;
+}
+
+#endif /* FTP_SERVER */
+
diff --git a/crypto/heimdal/appl/gssmask/Makefile.am b/crypto/heimdal/appl/gssmask/Makefile.am
new file mode 100644
index 0000000..347a27e
--- /dev/null
+++ b/crypto/heimdal/appl/gssmask/Makefile.am
@@ -0,0 +1,12 @@
+# $Id: Makefile.am 18468 2006-10-14 13:50:51Z lha $
+
+include $(top_srcdir)/Makefile.am.common
+
+noinst_PROGRAMS = gssmask gssmaestro
+
+gssmask_SOURCES = gssmask.c common.c common.h protocol.h
+
+gssmaestro_SOURCES = gssmaestro.c common.c common.h protocol.h
+
+LDADD = $(top_builddir)/lib/gssapi/libgssapi.la $(LIB_roken)
+
diff --git a/crypto/heimdal/appl/gssmask/Makefile.in b/crypto/heimdal/appl/gssmask/Makefile.in
new file mode 100644
index 0000000..a510922
--- /dev/null
+++ b/crypto/heimdal/appl/gssmask/Makefile.in
@@ -0,0 +1,760 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# $Id: Makefile.am 18468 2006-10-14 13:50:51Z lha $
+
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
+
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
+	$(top_srcdir)/Makefile.am.common \
+	$(top_srcdir)/cf/Makefile.am.common
+noinst_PROGRAMS = gssmask$(EXEEXT) gssmaestro$(EXEEXT)
+subdir = appl/gssmask
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
+	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
+	$(top_srcdir)/cf/broken-glob.m4 \
+	$(top_srcdir)/cf/broken-realloc.m4 \
+	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
+	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
+	$(top_srcdir)/cf/capabilities.m4 \
+	$(top_srcdir)/cf/check-compile-et.m4 \
+	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
+	$(top_srcdir)/cf/check-man.m4 \
+	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
+	$(top_srcdir)/cf/check-type-extra.m4 \
+	$(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \
+	$(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \
+	$(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
+	$(top_srcdir)/cf/dlopen.m4 \
+	$(top_srcdir)/cf/find-func-no-libs.m4 \
+	$(top_srcdir)/cf/find-func-no-libs2.m4 \
+	$(top_srcdir)/cf/find-func.m4 \
+	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
+	$(top_srcdir)/cf/have-struct-field.m4 \
+	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
+	$(top_srcdir)/cf/krb-bigendian.m4 \
+	$(top_srcdir)/cf/krb-func-getlogin.m4 \
+	$(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
+	$(top_srcdir)/cf/krb-readline.m4 \
+	$(top_srcdir)/cf/krb-struct-spwd.m4 \
+	$(top_srcdir)/cf/krb-struct-winsize.m4 \
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/include/config.h
+CONFIG_CLEAN_FILES =
+PROGRAMS = $(noinst_PROGRAMS)
+am_gssmaestro_OBJECTS = gssmaestro.$(OBJEXT) common.$(OBJEXT)
+gssmaestro_OBJECTS = $(am_gssmaestro_OBJECTS)
+gssmaestro_LDADD = $(LDADD)
+am__DEPENDENCIES_1 =
+gssmaestro_DEPENDENCIES = $(top_builddir)/lib/gssapi/libgssapi.la \
+	$(am__DEPENDENCIES_1)
+am_gssmask_OBJECTS = gssmask.$(OBJEXT) common.$(OBJEXT)
+gssmask_OBJECTS = $(am_gssmask_OBJECTS)
+gssmask_LDADD = $(LDADD)
+gssmask_DEPENDENCIES = $(top_builddir)/lib/gssapi/libgssapi.la \
+	$(am__DEPENDENCIES_1)
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
+depcomp =
+am__depfiles_maybe =
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(gssmaestro_SOURCES) $(gssmask_SOURCES)
+DIST_SOURCES = $(gssmaestro_SOURCES) $(gssmask_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CFLAGS = @CFLAGS@
+COMPILE_ET = @COMPILE_ET@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DBLIB = @DBLIB@
+DEFS = @DEFS@
+DIR_com_err = @DIR_com_err@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
+DIR_roken = @DIR_roken@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GREP = @GREP@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+INCLUDE_krb4 = @INCLUDE_krb4@
+INCLUDE_openldap = @INCLUDE_openldap@
+INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_NDBM = @LIB_NDBM@
+LIB_XauFileName = @LIB_XauFileName@
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_XauWriteAuth = @LIB_XauWriteAuth@
+LIB_bswap16 = @LIB_bswap16@
+LIB_bswap32 = @LIB_bswap32@
+LIB_com_err = @LIB_com_err@
+LIB_com_err_a = @LIB_com_err_a@
+LIB_com_err_so = @LIB_com_err_so@
+LIB_crypt = @LIB_crypt@
+LIB_db_create = @LIB_db_create@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
+LIB_el_init = @LIB_el_init@
+LIB_freeaddrinfo = @LIB_freeaddrinfo@
+LIB_gai_strerror = @LIB_gai_strerror@
+LIB_getaddrinfo = @LIB_getaddrinfo@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_gethostbyname2 = @LIB_gethostbyname2@
+LIB_getnameinfo = @LIB_getnameinfo@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
+LIB_hesiod = @LIB_hesiod@
+LIB_hstrerror = @LIB_hstrerror@
+LIB_kdb = @LIB_kdb@
+LIB_krb4 = @LIB_krb4@
+LIB_loadquery = @LIB_loadquery@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_openldap = @LIB_openldap@
+LIB_openpty = @LIB_openpty@
+LIB_otp = @LIB_otp@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
+LIB_res_nsearch = @LIB_res_nsearch@
+LIB_res_search = @LIB_res_search@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VERSIONING = @VERSIONING@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
+X_CFLAGS = @X_CFLAGS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_LIBS = @X_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dpagaix_cflags = @dpagaix_cflags@
+dpagaix_ldadd = @dpagaix_ldadd@
+dpagaix_ldflags = @dpagaix_ldflags@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
+@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
+AM_CFLAGS = $(WFLAGS)
+CP = cp
+buildinclude = $(top_builddir)/include
+LIB_getattr = @LIB_getattr@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_setpcred = @LIB_setpcred@
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+NROFF_MAN = groff -mandoc -Tascii
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
+@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+gssmask_SOURCES = gssmask.c common.c common.h protocol.h
+gssmaestro_SOURCES = gssmaestro.c common.c common.h protocol.h
+LDADD = $(top_builddir)/lib/gssapi/libgssapi.la $(LIB_roken)
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign  --ignore-deps appl/gssmask/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign  --ignore-deps appl/gssmask/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+clean-noinstPROGRAMS:
+	@list='$(noinst_PROGRAMS)'; for p in $$list; do \
+	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  echo " rm -f $$p $$f"; \
+	  rm -f $$p $$f ; \
+	done
+gssmaestro$(EXEEXT): $(gssmaestro_OBJECTS) $(gssmaestro_DEPENDENCIES) 
+	@rm -f gssmaestro$(EXEEXT)
+	$(LINK) $(gssmaestro_OBJECTS) $(gssmaestro_LDADD) $(LIBS)
+gssmask$(EXEEXT): $(gssmask_OBJECTS) $(gssmask_DEPENDENCIES) 
+	@rm -f gssmask$(EXEEXT)
+	$(LINK) $(gssmask_OBJECTS) $(gssmask_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+.c.o:
+	$(COMPILE) -c $<
+
+.c.obj:
+	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) \
+	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
+	  dist-hook
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+all-am: Makefile $(PROGRAMS) all-local
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
+.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
+	clean clean-generic clean-libtool clean-noinstPROGRAMS ctags \
+	dist-hook distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am uninstall-hook
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+
+check-local::
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
+	  foo='$(CHECK_LOCAL)'; else \
+	  foo='$(PROGRAMS)'; fi; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0 || exit 1; \
+	fi
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/gssmask/common.c b/crypto/heimdal/appl/gssmask/common.c
new file mode 100644
index 0000000..a57b803
--- /dev/null
+++ b/crypto/heimdal/appl/gssmask/common.c
@@ -0,0 +1,97 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <common.h>
+RCSID("$Id: common.c 18900 2006-11-03 05:21:01Z lha $");
+
+krb5_error_code
+store_string(krb5_storage *sp, const char *str)
+{
+    size_t len = strlen(str) + 1;
+    krb5_error_code ret;
+
+    ret = krb5_store_int32(sp, len);
+    if (ret)
+	return ret;
+    ret = krb5_storage_write(sp, str, len);
+    if (ret != len)
+	return EINVAL;
+    return 0;
+}
+
+static void
+add_list(char ****list, size_t *listlen, char **str, size_t len)
+{
+    size_t i;
+    *list = erealloc(*list, sizeof(**list) * (*listlen + 1));
+
+    (*list)[*listlen] = ecalloc(len, sizeof(**list));
+    for (i = 0; i < len; i++)
+	(*list)[*listlen][i] = str[i];
+    (*listlen)++;
+}
+
+static void
+permute(char ****list, size_t *listlen, 
+	char **str, const int start, const int len) 
+{
+    int i, j;
+
+#define SWAP(s,i,j) { char *t = str[i]; str[i] = str[j]; str[j] = t; }
+
+    for (i = start; i < len - 1; i++) {
+	for (j = i+1; j < len; j++) {
+	    SWAP(str,i,j);
+	    permute(list, listlen, str, i+1, len);
+	    SWAP(str,i,j);
+	}
+    }
+    add_list(list, listlen, str, len);
+}
+
+char ***
+permutate_all(struct getarg_strings *strings, size_t *size)
+{
+    char **list, ***all = NULL;
+    int i;
+
+    *size = 0;
+
+    list = ecalloc(strings->num_strings, sizeof(*list));
+    for (i = 0; i < strings->num_strings; i++)
+	list[i] = strings->strings[i];
+
+    permute(&all, size, list, 0, strings->num_strings);
+    free(list);
+    return all;
+}
diff --git a/crypto/heimdal/appl/gssmask/common.h b/crypto/heimdal/appl/gssmask/common.h
new file mode 100644
index 0000000..a44339e
--- /dev/null
+++ b/crypto/heimdal/appl/gssmask/common.h
@@ -0,0 +1,112 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id: common.h 18250 2006-10-06 07:22:00Z lha $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+/* 
+ * pthread support is disable because the pthread
+ * test have no "application pthread libflags" variable,
+ * when this is fixed pthread support can be enabled again.
+ */
+#undef ENABLE_PTHREAD_SUPPORT
+
+#include <sys/param.h>
+#ifdef HAVE_SYS_UTSNAME_H
+#include <sys/utsname.h>
+#endif
+
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+
+#include <assert.h>
+#include <krb5.h>
+#include <gssapi.h>
+#include <unistd.h>
+
+#include <roken.h>
+#include <getarg.h>
+
+#include "protocol.h"
+
+krb5_error_code store_string(krb5_storage *, const char *);
+
+
+#define ret16(_client, num)					\
+    do {							\
+        if (krb5_ret_int16((_client)->sock, &(num)) != 0)	\
+	    errx(1, "krb5_ret_int16 " #num);		\
+    } while(0)
+
+#define ret32(_client, num)					\
+    do {							\
+        if (krb5_ret_int32((_client)->sock, &(num)) != 0)	\
+	    errx(1, "krb5_ret_int32 " #num);		\
+    } while(0)
+
+#define retdata(_client, data)					\
+    do {							\
+        if (krb5_ret_data((_client)->sock, &(data)) != 0)	\
+	    errx(1, "krb5_ret_data " #data);		\
+    } while(0)
+
+#define retstring(_client, data)					\
+    do {							\
+        if (krb5_ret_string((_client)->sock, &(data)) != 0)	\
+	    errx(1, "krb5_ret_data " #data);		\
+    } while(0)
+
+
+#define put32(_client, num)					\
+    do {							\
+        if (krb5_store_int32((_client)->sock, num) != 0)	\
+	    errx(1, "krb5_store_int32 " #num);	\
+    } while(0)
+
+#define putdata(_client, data)					\
+    do {							\
+        if (krb5_store_data((_client)->sock, data) != 0)	\
+	    errx(1, "krb5_store_data " #data);	\
+    } while(0)
+
+#define putstring(_client, str)					\
+    do {							\
+        if (store_string((_client)->sock, str) != 0)		\
+	    errx(1, "krb5_store_str " #str);			\
+    } while(0)
+
+char *** permutate_all(struct getarg_strings *, size_t *);
diff --git a/crypto/heimdal/appl/gssmask/gssmaestro.c b/crypto/heimdal/appl/gssmask/gssmaestro.c
new file mode 100644
index 0000000..610c53f
--- /dev/null
+++ b/crypto/heimdal/appl/gssmask/gssmaestro.c
@@ -0,0 +1,851 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <common.h>
+RCSID("$Id: gssmaestro.c 21605 2007-07-17 06:51:57Z lha $");
+
+static FILE *logfile;
+
+/*
+ *
+ */
+
+struct client {
+    char *name;
+    struct sockaddr *sa;
+    socklen_t salen;
+    krb5_storage *sock;
+    int32_t capabilities;
+    char *target_name;
+    char *moniker;
+    krb5_storage *logsock;
+    int have_log;
+#ifdef ENABLE_PTHREAD_SUPPORT
+    pthread_t thr;
+#else
+    pid_t child;
+#endif
+};
+
+static struct client **clients;
+static int num_clients;
+
+static int
+init_sec_context(struct client *client, 
+		 int32_t *hContext, int32_t *hCred,
+		 int32_t flags, 
+		 const char *targetname,
+		 const krb5_data *itoken, krb5_data *otoken)
+{
+    int32_t val;
+    krb5_data_zero(otoken);
+    put32(client, eInitContext);
+    put32(client, *hContext);
+    put32(client, *hCred);
+    put32(client, flags);
+    putstring(client, targetname);
+    putdata(client, *itoken);
+    ret32(client, *hContext);
+    ret32(client, val);
+    retdata(client, *otoken);
+    return val;
+}
+
+static int
+accept_sec_context(struct client *client, 
+		   int32_t *hContext,
+		   int32_t flags,
+		   const krb5_data *itoken,
+		   krb5_data *otoken,
+		   int32_t *hDelegCred)
+{
+    int32_t val;
+    krb5_data_zero(otoken);
+    put32(client, eAcceptContext);
+    put32(client, *hContext);
+    put32(client, flags);
+    putdata(client, *itoken);
+    ret32(client, *hContext);
+    ret32(client, val);
+    retdata(client, *otoken);
+    ret32(client, *hDelegCred);
+    return val;
+}
+
+static int
+acquire_cred(struct client *client, 
+	     const char *username,
+	     const char *password,
+	     int32_t flags,
+	     int32_t *hCred)
+{
+    int32_t val;
+    put32(client, eAcquireCreds);
+    putstring(client, username);
+    putstring(client, password);
+    put32(client, flags);
+    ret32(client, val);
+    ret32(client, *hCred);
+    return val;
+}
+
+static int
+toast_resource(struct client *client, 
+	       int32_t hCred)
+{
+    int32_t val;
+    put32(client, eToastResource);
+    put32(client, hCred);
+    ret32(client, val);
+    return val;
+}
+
+static int
+goodbye(struct client *client)
+{
+    put32(client, eGoodBye);
+    return GSMERR_OK;
+}
+
+static int
+get_targetname(struct client *client, 
+	       char **target)
+{
+    put32(client, eGetTargetName);
+    retstring(client, *target);
+    return GSMERR_OK;
+}
+
+static int32_t
+encrypt_token(struct client *client, int32_t hContext, int32_t flags,
+	   krb5_data *in, krb5_data *out)
+{
+    int32_t val;
+    put32(client, eEncrypt);
+    put32(client, hContext);
+    put32(client, flags);
+    put32(client, 0);
+    putdata(client, *in);
+    ret32(client, val);
+    retdata(client, *out);
+    return val;
+}
+
+static int32_t
+decrypt_token(struct client *client, int32_t hContext, int flags, 
+	     krb5_data *in, krb5_data *out)
+{
+    int32_t val;
+    put32(client, eDecrypt);
+    put32(client, hContext);
+    put32(client, flags);
+    put32(client, 0);
+    putdata(client, *in);
+    ret32(client, val);
+    retdata(client, *out);
+    return val;
+}
+
+static int32_t
+get_mic(struct client *client, int32_t hContext,
+	krb5_data *in, krb5_data *mic)
+{
+    int32_t val;
+    put32(client, eSign);
+    put32(client, hContext);
+    put32(client, 0);
+    put32(client, 0);
+    putdata(client, *in);
+    ret32(client, val);
+    retdata(client, *mic);
+    return val;
+}
+
+static int32_t
+verify_mic(struct client *client, int32_t hContext, 
+	   krb5_data *in, krb5_data *mic)
+{
+    int32_t val;
+    put32(client, eVerify);
+    put32(client, hContext);
+    put32(client, 0);
+    put32(client, 0);
+    putdata(client, *in);
+    putdata(client, *mic);
+    ret32(client, val);
+    return val;
+}
+
+
+static int32_t
+get_version_capa(struct client *client, 
+		 int32_t *version, int32_t *capa,
+		 char **version_str)
+{
+    put32(client, eGetVersionAndCapabilities);
+    ret32(client, *version);
+    ret32(client, *capa);
+    retstring(client, *version_str);
+    return GSMERR_OK;
+}
+
+static int32_t
+get_moniker(struct client *client, 
+	    char **moniker)
+{
+    put32(client, eGetMoniker);
+    retstring(client, *moniker);
+    return GSMERR_OK;
+}
+
+static int
+wait_log(struct client *c)
+{
+    int32_t port;
+    struct sockaddr_storage sast;
+    socklen_t salen = sizeof(sast);
+    int fd, fd2, ret;
+
+    memset(&sast, 0, sizeof(sast));
+
+    assert(sizeof(sast) >= c->salen);
+
+    fd = socket(c->sa->sa_family, SOCK_STREAM, 0);
+    if (fd < 0)
+	err(1, "failed to build socket for %s's logging port", c->moniker);
+
+    ((struct sockaddr *)&sast)->sa_family = c->sa->sa_family;
+    ret = bind(fd, (struct sockaddr *)&sast, c->salen);
+    if (ret < 0)
+	err(1, "failed to bind %s's logging port", c->moniker);
+
+    if (listen(fd, SOMAXCONN) < 0)
+	err(1, "failed to listen %s's logging port", c->moniker);
+
+    salen = sizeof(sast);
+    ret = getsockname(fd, (struct sockaddr *)&sast, &salen);
+    if (ret < 0)
+	err(1, "failed to get address of local socket for %s", c->moniker);
+
+    port = socket_get_port((struct sockaddr *)&sast);
+
+    put32(c, eSetLoggingSocket);
+    put32(c, ntohs(port));
+
+    salen = sizeof(sast);
+    fd2 = accept(fd, (struct sockaddr *)&sast, &salen);
+    if (fd2 < 0)
+	err(1, "failed to accept local socket for %s", c->moniker);
+    close(fd);
+
+    return fd2;
+}
+
+
+
+
+static int
+build_context(struct client *ipeer, struct client *apeer,
+	      int32_t flags, int32_t hCred,
+	      int32_t *iContext, int32_t *aContext, int32_t *hDelegCred)
+{
+    int32_t val = GSMERR_ERROR, ic = 0, ac = 0, deleg = 0;
+    krb5_data itoken, otoken;
+    int iDone = 0, aDone = 0;
+    int step = 0;
+    int first_call = 0x80;
+
+    if (apeer->target_name == NULL)
+	errx(1, "apeer %s have no target name", apeer->name);
+
+    krb5_data_zero(&itoken);
+
+    while (!iDone || !aDone) {
+	
+	if (iDone) {
+	    warnx("iPeer already done, aPeer want extra rtt");
+	    val = GSMERR_ERROR;
+	    goto out;
+	}
+
+	val = init_sec_context(ipeer, &ic, &hCred, flags|first_call,
+			       apeer->target_name, &itoken, &otoken);
+	step++;
+	switch(val) {
+	case GSMERR_OK:
+	    iDone = 1;
+	    if (aDone)
+		continue;
+	    break;
+	case GSMERR_CONTINUE_NEEDED:
+	    break;
+	default:
+	    warnx("iPeer %s failed with %d (step %d)", 
+		  ipeer->name, (int)val, step);
+	    goto out;
+	}
+
+	if (aDone) {
+	    warnx("aPeer already done, iPeer want extra rtt");
+	    val = GSMERR_ERROR;
+	    goto out;
+	}
+
+	val = accept_sec_context(apeer, &ac, flags|first_call,
+				 &otoken, &itoken, &deleg);
+	step++;
+	switch(val) {
+	case GSMERR_OK:
+	    aDone = 1;
+	    if (iDone)
+		continue;
+	    break;
+	case GSMERR_CONTINUE_NEEDED:
+	    break;
+	default:
+	    warnx("aPeer %s failed with %d (step %d)",
+		 apeer->name, (int)val, step);
+	    val = GSMERR_ERROR;
+	    goto out;
+	}
+	first_call = 0;
+	val = GSMERR_OK;
+    }
+
+    if (iContext == NULL || val != GSMERR_OK) {
+	if (ic)
+	    toast_resource(ipeer, ic);
+	if (iContext)
+	    *iContext = 0;
+    } else
+	*iContext = ic;
+
+    if (aContext == NULL || val != GSMERR_OK) {
+	if (ac)
+	    toast_resource(apeer, ac);
+	if (aContext)
+	    *aContext = 0;
+    } else
+	*aContext = ac;
+
+    if (hDelegCred == NULL || val != GSMERR_OK) {
+	if (deleg)
+	    toast_resource(apeer, deleg);
+	if (hDelegCred)
+	    *hDelegCred = 0;
+    } else
+	*hDelegCred = deleg;
+
+out:
+    return val;
+}
+			 
+static void
+test_mic(struct client *c1, int32_t hc1, struct client *c2, int32_t hc2)
+{
+    krb5_data msg, mic;
+    int32_t val;
+    
+    msg.data = "foo";
+    msg.length = 3;
+
+    krb5_data_zero(&mic);
+
+    val = get_mic(c1, hc1, &msg, &mic);
+    if (val)
+	errx(1, "get_mic failed to host: %s", c1->moniker);
+    val = verify_mic(c2, hc2, &msg, &mic);
+    if (val)
+	errx(1, "verify_mic failed to host: %s", c2->moniker);
+
+    krb5_data_free(&mic);
+}
+
+static int32_t
+test_wrap(struct client *c1, int32_t hc1, struct client *c2, int32_t hc2, 
+	  int conf)
+{
+    krb5_data msg, wrapped, out;
+    int32_t val;
+    
+    msg.data = "foo";
+    msg.length = 3;
+
+    krb5_data_zero(&wrapped);
+    krb5_data_zero(&out);
+
+    val = encrypt_token(c1, hc1, conf, &msg, &wrapped);
+    if (val) {
+	warnx("encrypt_token failed to host: %s", c1->moniker);
+	return val;
+    }
+    val = decrypt_token(c2, hc2, conf, &wrapped, &out);
+    if (val) {
+	krb5_data_free(&wrapped);
+	warnx("decrypt_token failed to host: %s", c2->moniker);
+	return val;
+    }
+
+    if (msg.length != out.length) {
+	warnx("decrypted'ed token have wrong length (%lu != %lu)",
+	      (unsigned long)msg.length, (unsigned long)out.length);
+	val = GSMERR_ERROR;
+    } else if (memcmp(msg.data, out.data, msg.length) != 0) {
+	warnx("decryptd'ed token have wrong data");
+	val = GSMERR_ERROR;
+    }
+
+    krb5_data_free(&wrapped);
+    krb5_data_free(&out);
+    return val;
+}
+
+static int32_t
+test_token(struct client *c1, int32_t hc1, struct client *c2, int32_t hc2)
+{
+    int32_t val;
+    int i;
+
+    for (i = 0; i < 10; i++) {
+	test_mic(c1, hc1, c2, hc2);
+	test_mic(c2, hc2, c1, hc1);
+	val = test_wrap(c1, hc1, c2, hc2, 0);
+	if (val) return val;
+	val = test_wrap(c2, hc2, c1, hc1, 0);
+	if (val) return val;
+	val = test_wrap(c1, hc1, c2, hc2, 1);
+	if (val) return val;
+	val = test_wrap(c2, hc2, c1, hc1, 1);
+	if (val) return val;
+    }
+    return GSMERR_OK;
+}
+
+static int
+log_function(void *ptr)
+{
+    struct client *c = ptr;
+    int32_t cmd, line;
+    char *file, *string;
+
+    while (1) {
+        if (krb5_ret_int32(c->logsock, &cmd))
+	    goto out;
+
+	switch (cmd) {
+	case eLogSetMoniker:
+	    if (krb5_ret_string(c->logsock, &file))
+		goto out;
+	    free(file);
+	    break;
+	case eLogInfo:
+	case eLogFailure:
+	    if (krb5_ret_string(c->logsock, &file))
+		goto out;
+	    if (krb5_ret_int32(c->logsock, &line))
+		goto out;
+	    if (krb5_ret_string(c->logsock, &string))
+		goto out;
+	    printf("%s:%lu: %s\n", 
+		   file, (unsigned long)line, string);
+	    fprintf(logfile, "%s:%lu: %s\n", 
+		    file, (unsigned long)line, string);
+	    fflush(logfile);
+	    free(file);
+	    free(string);
+	    if (krb5_store_int32(c->logsock, 0))
+		goto out;
+	    break;
+	default:
+	    errx(1, "client send bad log command: %d", (int)cmd);
+	}
+    }
+out:
+
+    return 0;
+}
+
+static void
+connect_client(const char *slave)
+{
+    char *name, *port;
+    struct client *c = ecalloc(1, sizeof(*c));
+    struct addrinfo hints, *res0, *res;
+    int ret, fd;
+
+    name = estrdup(slave);
+    port = strchr(name, ':');
+    if (port == NULL)
+	errx(1, "port missing from %s", name);
+    *port++ = 0;
+
+    c->name = estrdup(slave);
+    
+    memset(&hints, 0, sizeof(hints));
+    hints.ai_family = PF_UNSPEC;
+    hints.ai_socktype = SOCK_STREAM;
+
+    ret = getaddrinfo(name, port, &hints, &res0);
+    if (ret)
+	errx(1, "error resolving %s", name);
+
+    for (res = res0, fd = -1; res; res = res->ai_next) {
+	fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
+	if (fd < 0)
+	    continue;
+	if (connect(fd, res->ai_addr, res->ai_addrlen) < 0) {
+	    close(fd);
+	    fd = -1;
+	    continue;
+	}
+	c->sa = ecalloc(1, res->ai_addrlen);
+	memcpy(c->sa, res->ai_addr, res->ai_addrlen);
+	c->salen = res->ai_addrlen;
+	break;  /* okay we got one */
+    }
+    if (fd < 0)
+	err(1, "connect to host: %s", name);
+    freeaddrinfo(res);
+
+    c->sock = krb5_storage_from_fd(fd);
+    close(fd);
+    if (c->sock == NULL)
+	errx(1, "krb5_storage_from_fd");
+
+    {
+	int32_t version;
+	char *str = NULL;
+	get_version_capa(c, &version, &c->capabilities, &str);
+	if (str) {
+	    free(str);
+	}
+	if (c->capabilities & HAS_MONIKER)
+	    get_moniker(c, &c->moniker);
+	else
+	    c->moniker = c->name;
+	if (c->capabilities & ISSERVER)
+	    get_targetname(c, &c->target_name);
+    }
+
+    if (logfile) {
+	int fd;
+
+	printf("starting log socket to client %s\n", c->moniker);
+
+	fd = wait_log(c);
+
+	c->logsock = krb5_storage_from_fd(fd);
+	close(fd);
+	if (c->logsock == NULL)
+	    errx(1, "failed to create log krb5_storage");
+#ifdef ENABLE_PTHREAD_SUPPORT
+	pthread_create(&c->thr, NULL, log_function, c);
+#else
+	c->child = fork();
+	if (c->child == -1)
+	    errx(1, "failed to fork");
+	else if (c->child == 0) {
+	    log_function(c);
+	    fclose(logfile);
+	    exit(0);
+	}
+#endif
+   }
+
+
+    clients = erealloc(clients, (num_clients + 1) * sizeof(*clients));
+    
+    clients[num_clients] = c;
+    num_clients++;
+
+    free(name);
+}
+
+static struct client *
+get_client(const char *slave)
+{
+    size_t i;
+    for (i = 0; i < num_clients; i++)
+	if (strcmp(slave, clients[i]->name) == 0)
+	    return clients[i];
+    errx(1, "failed to find client %s", slave);
+}
+
+/*
+ *
+ */
+
+static int version_flag;
+static int help_flag;
+static char *logfile_str;
+static getarg_strings principals;
+static getarg_strings slaves;
+
+struct getargs args[] = {
+    { "principals", 0,  arg_strings,	&principals,	"Test principal",
+      NULL },
+    { "slaves", 0,  arg_strings,	&slaves,	"Slaves",
+      NULL },
+    { "log-file", 0, arg_string,	&logfile_str,	"Logfile",
+      NULL },
+    { "version", 0,  arg_flag,		&version_flag,	"Print version",
+      NULL },
+    { "help",	 0,  arg_flag,		&help_flag,	NULL,
+      NULL }
+};
+
+static void
+usage(int ret)
+{
+    arg_printusage (args,
+		    sizeof(args) / sizeof(args[0]),
+		    NULL,
+		    "");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optidx= 0;
+    char *user;
+    char *password;
+    char ***list, **p;
+    size_t num_list, i, j, k;
+    int failed = 0;
+
+    setprogname (argv[0]);
+
+    if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+	usage (1);
+
+    if (help_flag)
+	usage (0);
+
+    if (version_flag) {
+	print_version (NULL);
+	return 0;
+    }
+
+    if (optidx != argc)
+	usage (1);
+
+    if (principals.num_strings == 0)
+	errx(1, "no principals");
+
+    user = estrdup(principals.strings[0]);
+    password = strchr(user, ':');
+    if (password == NULL)
+	errx(1, "password missing from %s", user);
+    *password++ = 0;
+	
+    if (slaves.num_strings == 0)
+	errx(1, "no principals");
+
+    if (logfile_str) {
+	printf("open logfile %s\n", logfile_str);
+	logfile = fopen(logfile_str, "w+");
+	if (logfile == NULL)
+	    err(1, "failed to open: %s", logfile_str);
+    }
+
+    /*
+     *
+     */
+
+    list = permutate_all(&slaves, &num_list);
+
+    /*
+     * Set up connection to all clients
+     */
+
+    printf("Connecting to slaves\n");
+    for (i = 0; i < slaves.num_strings; i++)
+	connect_client(slaves.strings[i]);
+
+    /*
+     * Test acquire credentials
+     */
+
+    printf("Test acquire credentials\n");
+    for (i = 0; i < slaves.num_strings; i++) {
+	int32_t hCred, val;
+
+	val = acquire_cred(clients[i], user, password, 1, &hCred);
+	if (val != GSMERR_OK) {
+	    warnx("Failed to acquire_cred on host %s: %d", 
+		 clients[i]->moniker, (int)val);
+	    failed = 1;
+	} else
+	    toast_resource(clients[i], hCred);
+    }
+
+    if (failed)
+	goto out;
+
+    /* 
+     * First test if all slaves can build context to them-self.
+     */
+
+    printf("Self context tests\n");
+    for (i = 0; i < num_clients; i++) {
+	int32_t hCred, val, delegCred;
+	int32_t clientC, serverC;
+	struct client *c = clients[i];
+	
+	if (c->target_name == NULL)
+	    continue;
+
+	printf("%s connects to self using %s\n",
+	       c->moniker, c->target_name);
+
+	val = acquire_cred(c, user, password, 1, &hCred);
+	if (val != GSMERR_OK)
+	    errx(1, "failed to acquire_cred: %d", (int)val);
+    
+	val = build_context(c, c, 
+			    GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG|
+			    GSS_C_INTEG_FLAG|GSS_C_CONF_FLAG|
+			    GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG,
+			    hCred, &clientC, &serverC, &delegCred);
+	if (val == GSMERR_OK) {
+	    test_token(c, clientC, c, serverC);
+	    toast_resource(c, clientC);
+	    toast_resource(c, serverC);
+	    if (delegCred)
+		toast_resource(c, delegCred);
+	} else {
+	    warnx("build_context failed: %d", (int)val);
+	}
+	/*
+	 *
+	 */
+
+	val = build_context(c, c,
+			    GSS_C_INTEG_FLAG|GSS_C_CONF_FLAG,
+			    hCred, &clientC, &serverC, &delegCred);
+	if (val == GSMERR_OK) {
+	    test_token(c, clientC, c, serverC);
+	    toast_resource(c, clientC);
+	    toast_resource(c, serverC);
+	    if (delegCred)
+		toast_resource(c, delegCred);
+	} else {
+	    warnx("build_context failed: %d", (int)val);
+	}
+
+	toast_resource(c, hCred);
+    }
+    /*
+     * Build contexts though all entries in each lists, including the
+     * step from the last entry to the first, ie treat the list as a
+     * circle.
+     *
+     * Only follow the delegated credential, but test "all"
+     * flags. (XXX only do deleg|mutual right now.
+     */
+
+    printf("\"All\" permutation tests\n");
+
+    for (i = 0; i < num_list; i++) {
+	int32_t hCred, val, delegCred = 0;
+	int32_t clientC = 0, serverC = 0;
+	struct client *client, *server;
+	
+	p = list[i];
+	
+	client = get_client(p[0]);
+	
+	val = acquire_cred(client, user, password, 1, &hCred);
+	if (val != GSMERR_OK)
+	    errx(1, "failed to acquire_cred: %d", (int)val);
+
+	for (j = 1; j < num_clients + 1; j++) {
+	    server = get_client(p[j % num_clients]);
+	    
+	    if (server->target_name == NULL)
+		break;
+
+	    for (k = 1; k < j; k++)
+		printf("\t");
+	    printf("%s -> %s\n", client->moniker, server->moniker);
+
+	    val = build_context(client, server,
+				GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG|
+				GSS_C_INTEG_FLAG|GSS_C_CONF_FLAG|
+				GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG,
+				hCred, &clientC, &serverC, &delegCred);
+	    if (val != GSMERR_OK) {
+		warnx("build_context failed: %d", (int)val);
+		break;
+	    }
+	    
+	    val = test_token(client, clientC, server, serverC);
+	    if (val)
+		break;
+	    
+	    toast_resource(client, clientC);
+	    toast_resource(server, serverC);
+	    if (!delegCred) {
+		warnx("no delegated cred on %s", server->moniker);
+		break;
+	    }
+	    toast_resource(client, hCred);
+	    hCred = delegCred;
+	    client = server;
+	}
+	if (hCred)
+	    toast_resource(client, hCred);
+    }
+    
+    /*
+     * Close all connections to clients
+     */
+    
+out:
+    printf("sending goodbye and waiting for log sockets\n");
+    for (i = 0; i < num_clients; i++) {
+	goodbye(clients[i]);
+	if (clients[i]->logsock) {
+#ifdef ENABLE_PTHREAD_SUPPORT
+	    pthread_join(&clients[i]->thr, NULL);
+#else
+	    waitpid(clients[i]->child, NULL, 0);
+#endif
+	}
+    }
+
+    printf("done\n");
+
+    return 0;
+}
diff --git a/crypto/heimdal/appl/gssmask/gssmask.c b/crypto/heimdal/appl/gssmask/gssmask.c
new file mode 100644
index 0000000..46b532b
--- /dev/null
+++ b/crypto/heimdal/appl/gssmask/gssmask.c
@@ -0,0 +1,1092 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "common.h"
+RCSID("$Id: gssmask.c 21229 2007-06-20 10:19:19Z lha $");
+
+/*
+ *
+ */
+
+enum handle_type { handle_context, handle_cred };
+
+struct handle {
+    int32_t idx;
+    enum handle_type type;
+    void *ptr;
+    struct handle *next;
+};
+
+struct client {
+    krb5_storage *sock;
+    krb5_storage *logging;
+    char *moniker;
+    int32_t nHandle;
+    struct handle *handles;
+    struct sockaddr_storage sa;
+    socklen_t salen;
+    char servername[MAXHOSTNAMELEN];
+};
+
+FILE *logfile;
+static char *targetname;
+krb5_context context;
+
+/*
+ *
+ */
+
+static void
+logmessage(struct client *c, const char *file, unsigned int lineno,
+	   int level, const char *fmt, ...)
+{
+    char *message;
+    va_list ap;
+    int32_t ackid;
+
+    va_start(ap, fmt);
+    vasprintf(&message, fmt, ap);
+    va_end(ap);
+
+    if (logfile)
+	fprintf(logfile, "%s:%u: %d %s\n", file, lineno, level, message);
+
+    if (c->logging) {
+	if (krb5_store_int32(c->logging, eLogInfo) != 0)
+	    errx(1, "krb5_store_int32: log level");
+	if (krb5_store_string(c->logging, file) != 0)
+	    errx(1, "krb5_store_string: filename");
+	if (krb5_store_int32(c->logging, lineno) != 0)
+	    errx(1, "krb5_store_string: filename");
+	if (krb5_store_string(c->logging, message) != 0)
+	    errx(1, "krb5_store_string: message");
+	if (krb5_ret_int32(c->logging, &ackid) != 0)
+	    errx(1, "krb5_ret_int32: ackid");
+    }
+    free(message);
+}
+
+/*
+ *
+ */
+
+static int32_t
+add_handle(struct client *c, enum handle_type type, void *data)
+{
+    struct handle *h;
+
+    h = ecalloc(1, sizeof(*h));
+
+    h->idx = ++c->nHandle;
+    h->type = type;
+    h->ptr = data;
+    h->next = c->handles;
+    c->handles = h;
+
+    return h->idx;
+}
+
+static void
+del_handle(struct handle **h, int32_t idx)
+{
+    OM_uint32 min_stat;
+
+    if (idx == 0)
+	return;
+
+    while (*h) {
+	if ((*h)->idx == idx) {
+	    struct handle *p = *h;
+	    *h = (*h)->next;
+	    switch(p->type) {
+	    case handle_context: {
+		gss_ctx_id_t c = p->ptr;
+		gss_delete_sec_context(&min_stat, &c, NULL);
+		break; }
+	    case handle_cred: {
+		gss_cred_id_t c = p->ptr;
+		gss_release_cred(&min_stat, &c);
+		break; }
+	    }
+	    free(p);
+	    return;
+	}
+	h = &((*h)->next);
+    }
+    errx(1, "tried to delete an unexisting handle");
+}
+
+static void *
+find_handle(struct handle *h, int32_t idx, enum handle_type type)
+{
+    if (idx == 0)
+	return NULL;
+    
+    while (h) {
+	if (h->idx == idx) {
+	    if (type == h->type)
+		return h->ptr;
+	    errx(1, "monger switched type on handle!");
+	}
+	h = h->next;
+    }
+    return NULL;    
+}
+
+
+static int32_t
+convert_gss_to_gsm(OM_uint32 maj_stat)
+{
+    switch(maj_stat) {
+    case 0:
+	return GSMERR_OK;
+    case GSS_S_CONTINUE_NEEDED:
+	return GSMERR_CONTINUE_NEEDED;
+    case GSS_S_DEFECTIVE_TOKEN:
+        return GSMERR_INVALID_TOKEN;
+    case GSS_S_BAD_MIC:
+	return GSMERR_AP_MODIFIED;
+    default:
+	return GSMERR_ERROR;
+    }
+}
+
+static int32_t
+convert_krb5_to_gsm(krb5_error_code ret)
+{
+    switch(ret) {
+    case 0:
+	return GSMERR_OK;
+    default:
+	return GSMERR_ERROR;
+    }
+}
+
+/*
+ *
+ */
+
+static int32_t
+acquire_cred(struct client *c,
+	     krb5_principal principal,
+	     krb5_get_init_creds_opt *opt,
+	     int32_t *handle)
+{
+    krb5_error_code ret;
+    krb5_creds cred;
+    krb5_ccache id;
+    gss_cred_id_t gcred;
+    OM_uint32 maj_stat, min_stat;
+
+    *handle = 0;
+
+    krb5_get_init_creds_opt_set_forwardable (opt, 1);
+    krb5_get_init_creds_opt_set_renew_life (opt, 3600 * 24 * 30);
+
+    memset(&cred, 0, sizeof(cred));
+
+    ret = krb5_get_init_creds_password (context,
+					&cred,
+					principal,
+					NULL,
+					NULL,
+					NULL,
+					0,
+					NULL,
+					opt);
+    if (ret) {
+	logmessage(c, __FILE__, __LINE__, 0,
+		   "krb5_get_init_creds failed: %d", ret);
+	return convert_krb5_to_gsm(ret);
+    }
+	
+    ret = krb5_cc_new_unique(context, "MEMORY", NULL, &id);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_initialize");
+
+    ret = krb5_cc_initialize (context, id, cred.client);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_initialize");
+    
+    ret = krb5_cc_store_cred (context, id, &cred);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_store_cred");
+
+    krb5_free_cred_contents (context, &cred);
+
+    maj_stat = gss_krb5_import_cred(&min_stat,
+				    id,
+				    NULL,
+				    NULL,
+				    &gcred);
+    krb5_cc_close(context, id);
+    if (maj_stat) {
+	logmessage(c, __FILE__, __LINE__, 0,
+		   "krb5 import creds failed with: %d", maj_stat);
+	return convert_gss_to_gsm(maj_stat);
+    }
+
+    *handle = add_handle(c, handle_cred, gcred);
+
+    return 0;
+}
+
+
+/*
+ *
+ */
+
+#define HandleOP(h) \
+handle##h(enum gssMaggotOp op, struct client *c)
+
+/*
+ *
+ */
+
+static int
+HandleOP(GetVersionInfo)
+{
+    put32(c, GSSMAGGOTPROTOCOL);
+    errx(1, "GetVersionInfo");
+}
+
+static int
+HandleOP(GoodBye)
+{
+    struct handle *h = c->handles;
+    int i = 0;
+
+    while (h) {
+	h = h->next;
+	i++;
+    }
+
+    if (i != 0)
+	logmessage(c, __FILE__, __LINE__, 0,
+		   "Did not toast all resources: %d", i);
+    return 1;
+}
+
+static int
+HandleOP(InitContext)
+{
+    OM_uint32 maj_stat, min_stat, ret_flags;
+    int32_t hContext, hCred, flags;
+    krb5_data target_name, in_token;
+    int32_t new_context_id = 0, gsm_error = 0;
+    krb5_data out_token = { 0 , NULL };
+
+    gss_ctx_id_t ctx;
+    gss_cred_id_t creds;
+    gss_name_t gss_target_name;
+    gss_buffer_desc input_token, output_token;
+    gss_OID oid = GSS_C_NO_OID;
+    gss_buffer_t input_token_ptr = GSS_C_NO_BUFFER;
+
+    ret32(c, hContext);
+    ret32(c, hCred);
+    ret32(c, flags);
+    retdata(c, target_name);
+    retdata(c, in_token);
+
+    logmessage(c, __FILE__, __LINE__, 0,
+	       "targetname: <%.*s>", (int)target_name.length,
+	       (char *)target_name.data);
+
+    ctx = find_handle(c->handles, hContext, handle_context);
+    if (ctx == NULL)
+	hContext = 0;
+    creds = find_handle(c->handles, hCred, handle_cred);
+    if (creds == NULL)
+	abort();
+
+    input_token.length = target_name.length;
+    input_token.value = target_name.data;
+
+    maj_stat = gss_import_name(&min_stat,
+			       &input_token,
+			       GSS_KRB5_NT_PRINCIPAL_NAME,
+			       &gss_target_name);
+    if (GSS_ERROR(maj_stat)) {
+	logmessage(c, __FILE__, __LINE__, 0,
+		   "import name creds failed with: %d", maj_stat);
+	gsm_error = convert_gss_to_gsm(maj_stat);
+	goto out;
+    }
+
+    /* oid from flags */
+
+    if (in_token.length) {
+	input_token.length = in_token.length;
+	input_token.value = in_token.data;
+	input_token_ptr = &input_token;
+	if (ctx == NULL)
+	    krb5_errx(context, 1, "initcreds, context NULL, but not first req");
+    } else {
+	input_token.length = 0;
+	input_token.value = NULL;
+	if (ctx)
+	    krb5_errx(context, 1, "initcreds, context not NULL, but first req");
+    }
+	
+    if ((flags & GSS_C_DELEG_FLAG) != 0)
+	logmessage(c, __FILE__, __LINE__, 0, "init_sec_context delegating");
+    if ((flags & GSS_C_DCE_STYLE) != 0)
+	logmessage(c, __FILE__, __LINE__, 0, "init_sec_context dce-style");
+
+    maj_stat = gss_init_sec_context(&min_stat,
+				    creds,
+				    &ctx,
+				    gss_target_name,
+				    oid,
+				    flags & 0x7f,
+				    0, 
+				    NULL,
+				    input_token_ptr,
+				    NULL,
+				    &output_token,
+				    &ret_flags,
+				    NULL);
+    if (GSS_ERROR(maj_stat)) {
+	if (hContext != 0)
+	    del_handle(&c->handles, hContext);
+	new_context_id = 0;
+	logmessage(c, __FILE__, __LINE__, 0,
+		   "gss_init_sec_context returns code: %d/%d", 
+		   maj_stat, min_stat);
+    } else {
+	if (input_token.length == 0)
+	    new_context_id = add_handle(c, handle_context, ctx);
+	else
+	    new_context_id = hContext;
+    }
+
+    gsm_error = convert_gss_to_gsm(maj_stat);
+
+    if (output_token.length) {
+	out_token.data = output_token.value;
+	out_token.length = output_token.length;
+    }
+
+out:
+    logmessage(c, __FILE__, __LINE__, 0,
+	       "InitContext return code: %d", gsm_error);
+
+    put32(c, new_context_id);
+    put32(c, gsm_error);
+    putdata(c, out_token);
+
+    gss_release_name(&min_stat, &gss_target_name);
+    if (output_token.length)
+	gss_release_buffer(&min_stat, &output_token);
+    krb5_data_free(&in_token);
+    krb5_data_free(&target_name);
+
+    return 0;
+}
+
+static int
+HandleOP(AcceptContext)
+{
+    OM_uint32 maj_stat, min_stat, ret_flags;
+    int32_t hContext, deleg_hcred, flags;
+    krb5_data in_token;
+    int32_t new_context_id = 0, gsm_error = 0;
+    krb5_data out_token = { 0 , NULL };
+
+    gss_ctx_id_t ctx;
+    gss_cred_id_t deleg_cred = GSS_C_NO_CREDENTIAL;
+    gss_buffer_desc input_token, output_token;
+    gss_buffer_t input_token_ptr = GSS_C_NO_BUFFER;
+
+    ret32(c, hContext);
+    ret32(c, flags);
+    retdata(c, in_token);
+
+    ctx = find_handle(c->handles, hContext, handle_context);
+    if (ctx == NULL)
+	hContext = 0;
+
+    if (in_token.length) {
+	input_token.length = in_token.length;
+	input_token.value = in_token.data;
+	input_token_ptr = &input_token;
+    } else {
+	input_token.length = 0;
+	input_token.value = NULL;
+    }
+
+    maj_stat = gss_accept_sec_context(&min_stat,
+				      &ctx,
+				      GSS_C_NO_CREDENTIAL,
+				      &input_token,
+				      GSS_C_NO_CHANNEL_BINDINGS,
+				      NULL,
+				      NULL,
+				      &output_token,
+				      &ret_flags,
+				      NULL,
+				      &deleg_cred);
+    if (GSS_ERROR(maj_stat)) {
+	if (hContext != 0)
+	    del_handle(&c->handles, hContext);
+	logmessage(c, __FILE__, __LINE__, 0,
+		   "gss_accept_sec_context returns code: %d/%d", 
+		   maj_stat, min_stat);
+	new_context_id = 0;
+    } else {
+	if (hContext == 0)
+	    new_context_id = add_handle(c, handle_context, ctx);
+	else
+	    new_context_id = hContext;
+    }
+    if (output_token.length) {
+	out_token.data = output_token.value;
+	out_token.length = output_token.length;
+    }
+    if ((ret_flags & GSS_C_DCE_STYLE) != 0)
+	logmessage(c, __FILE__, __LINE__, 0, "accept_sec_context dce-style");
+    if ((ret_flags & GSS_C_DELEG_FLAG) != 0) {
+	deleg_hcred = add_handle(c, handle_cred, deleg_cred);
+	logmessage(c, __FILE__, __LINE__, 0,
+		   "accept_context delegated handle: %d", deleg_hcred);
+    } else {
+	gss_release_cred(&min_stat, &deleg_cred);
+	deleg_hcred = 0;
+    }
+	 
+    
+    gsm_error = convert_gss_to_gsm(maj_stat);
+
+    put32(c, new_context_id);
+    put32(c, gsm_error);
+    putdata(c, out_token);
+    put32(c, deleg_hcred);
+
+    if (output_token.length)
+	gss_release_buffer(&min_stat, &output_token);
+    krb5_data_free(&in_token);
+
+    return 0;
+}
+
+static int
+HandleOP(ToastResource)
+{
+    int32_t handle;
+
+    ret32(c, handle);
+    logmessage(c, __FILE__, __LINE__, 0, "toasting %d", handle);
+    del_handle(&c->handles, handle);
+    put32(c, GSMERR_OK);
+
+    return 0;
+}
+
+static int
+HandleOP(AcquireCreds)
+{
+    char *name, *password;
+    int32_t gsm_error, flags, handle = 0;
+    krb5_principal principal = NULL;
+    krb5_get_init_creds_opt *opt = NULL;
+    krb5_error_code ret;
+
+    retstring(c, name);
+    retstring(c, password);
+    ret32(c, flags);
+
+    logmessage(c, __FILE__, __LINE__, 0,
+	       "username: %s password: %s", name, password);
+
+    ret = krb5_parse_name(context, name, &principal);
+    if (ret) {
+	gsm_error = convert_krb5_to_gsm(ret);
+	goto out;
+    }
+    
+    ret = krb5_get_init_creds_opt_alloc (context, &opt);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
+    
+    krb5_get_init_creds_opt_set_pa_password(context, opt, password, NULL);
+
+    gsm_error = acquire_cred(c, principal, opt, &handle);
+
+out:
+    logmessage(c, __FILE__, __LINE__, 0,
+	       "AcquireCreds handle: %d return code: %d", handle, gsm_error);
+
+    if (opt)
+	krb5_get_init_creds_opt_free (context, opt);
+    if (principal)
+	krb5_free_principal(context, principal);
+    free(name);
+    free(password);
+
+    put32(c, gsm_error);
+    put32(c, handle);
+
+    return 0;
+}
+
+static int
+HandleOP(Sign)
+{
+    OM_uint32 maj_stat, min_stat;
+    int32_t hContext, flags, seqno;
+    krb5_data token;
+    gss_ctx_id_t ctx;
+    gss_buffer_desc input_token, output_token;
+
+    ret32(c, hContext);
+    ret32(c, flags);
+    ret32(c, seqno);
+    retdata(c, token);
+
+    ctx = find_handle(c->handles, hContext, handle_context);
+    if (ctx == NULL)
+	errx(1, "sign: reference to unknown context");
+
+    input_token.length = token.length;
+    input_token.value = token.data;
+    
+    maj_stat = gss_get_mic(&min_stat, ctx, 0, &input_token,
+			   &output_token);
+    if (maj_stat != GSS_S_COMPLETE)
+	errx(1, "gss_get_mic failed");
+    
+    krb5_data_free(&token);
+    
+    token.data = output_token.value;
+    token.length = output_token.length;
+    
+    put32(c, 0); /* XXX fix gsm_error */
+    putdata(c, token);
+    
+    gss_release_buffer(&min_stat, &output_token);
+    
+    return 0;
+}
+
+static int
+HandleOP(Verify)
+{
+    OM_uint32 maj_stat, min_stat;
+    int32_t hContext, flags, seqno;
+    krb5_data msg, mic;
+    gss_ctx_id_t ctx;
+    gss_buffer_desc msg_token, mic_token;
+    gss_qop_t qop;
+
+    ret32(c, hContext);
+
+    ctx = find_handle(c->handles, hContext, handle_context);
+    if (ctx == NULL)
+	errx(1, "verify: reference to unknown context");
+
+    ret32(c, flags);
+    ret32(c, seqno);
+    retdata(c, msg);
+
+    msg_token.length = msg.length;
+    msg_token.value = msg.data;
+    
+    retdata(c, mic);
+
+    mic_token.length = mic.length;
+    mic_token.value = mic.data;
+
+    maj_stat = gss_verify_mic(&min_stat, ctx, &msg_token,
+			      &mic_token, &qop);
+    if (maj_stat != GSS_S_COMPLETE)
+	errx(1, "gss_verify_mic failed");
+    
+    krb5_data_free(&mic);
+    krb5_data_free(&msg);
+    
+    put32(c, 0); /* XXX fix gsm_error */
+    
+    return 0;
+}
+
+static int
+HandleOP(GetVersionAndCapabilities)
+{
+    int32_t cap = HAS_MONIKER;
+    char name[256] = "unknown", *str;
+
+    if (targetname)
+	cap |= ISSERVER; /* is server */
+
+#ifdef HAVE_UNAME
+    {
+	struct utsname ut;
+	if (uname(&ut) == 0) {
+	    snprintf(name, sizeof(name), "%s-%s-%s", 
+		     ut.sysname, ut.version, ut.machine);
+	}
+    }
+#endif
+
+    asprintf(&str, "gssmask %s %s", PACKAGE_STRING, name);
+
+    put32(c, GSSMAGGOTPROTOCOL);
+    put32(c, cap);
+    putstring(c, str); 
+    free(str);
+
+    return 0;
+}
+
+static int
+HandleOP(GetTargetName)
+{
+    if (targetname)
+	putstring(c, targetname);
+    else
+	putstring(c, "");
+    return 0;
+}
+
+static int
+HandleOP(SetLoggingSocket)
+{
+    int32_t portnum;
+    int fd, ret;
+
+    ret32(c, portnum);
+
+    logmessage(c, __FILE__, __LINE__, 0,
+	       "logging port on peer is: %d", (int)portnum);
+
+    socket_set_port((struct sockaddr *)(&c->sa), htons(portnum));
+
+    fd = socket(((struct sockaddr *)&c->sa)->sa_family, SOCK_STREAM, 0);
+    if (fd < 0)
+	return 0;
+
+    ret = connect(fd, (struct sockaddr *)&c->sa, c->salen);
+    if (ret < 0) {
+	logmessage(c, __FILE__, __LINE__, 0, "failed connect to log port: %s",
+		   strerror(errno));
+	close(fd);
+	return 0;
+    }
+
+    if (c->logging)
+	krb5_storage_free(c->logging);
+    c->logging = krb5_storage_from_fd(fd);
+    close(fd);
+
+    krb5_store_int32(c->logging, eLogSetMoniker);
+    store_string(c->logging, c->moniker);
+    
+    logmessage(c, __FILE__, __LINE__, 0, "logging turned on");
+
+    return 0;
+}
+    
+
+static int
+HandleOP(ChangePassword)
+{
+    errx(1, "ChangePassword");
+}
+
+static int
+HandleOP(SetPasswordSelf)
+{
+    errx(1, "SetPasswordSelf");
+}
+
+static int
+HandleOP(Wrap)
+{
+    OM_uint32 maj_stat, min_stat;
+    int32_t hContext, flags, seqno;
+    krb5_data token;
+    gss_ctx_id_t ctx;
+    gss_buffer_desc input_token, output_token;
+    int conf_state;
+
+    ret32(c, hContext);
+    ret32(c, flags);
+    ret32(c, seqno);
+    retdata(c, token);
+
+    ctx = find_handle(c->handles, hContext, handle_context);
+    if (ctx == NULL)
+	errx(1, "wrap: reference to unknown context");
+
+    input_token.length = token.length;
+    input_token.value = token.data;
+    
+    maj_stat = gss_wrap(&min_stat, ctx, flags, 0, &input_token,
+			&conf_state, &output_token);
+    if (maj_stat != GSS_S_COMPLETE)
+	errx(1, "gss_wrap failed");
+    
+    krb5_data_free(&token);
+    
+    token.data = output_token.value;
+    token.length = output_token.length;
+    
+    put32(c, 0); /* XXX fix gsm_error */
+    putdata(c, token);
+    
+    gss_release_buffer(&min_stat, &output_token);
+    
+    return 0;
+}
+
+
+static int
+HandleOP(Unwrap)
+{
+    OM_uint32 maj_stat, min_stat;
+    int32_t hContext, flags, seqno;
+    krb5_data token;
+    gss_ctx_id_t ctx;
+    gss_buffer_desc input_token, output_token;
+    int conf_state;
+    gss_qop_t qop_state;
+
+    ret32(c, hContext);
+    ret32(c, flags);
+    ret32(c, seqno);
+    retdata(c, token);
+
+    ctx = find_handle(c->handles, hContext, handle_context);
+    if (ctx == NULL)
+	errx(1, "unwrap: reference to unknown context");
+
+    input_token.length = token.length;
+    input_token.value = token.data;
+    
+    maj_stat = gss_unwrap(&min_stat, ctx, &input_token,
+			  &output_token, &conf_state, &qop_state);
+    
+    if (maj_stat != GSS_S_COMPLETE)
+	errx(1, "gss_unwrap failed: %d/%d", maj_stat, min_stat);
+	
+    krb5_data_free(&token);
+    if (maj_stat == GSS_S_COMPLETE) {
+	token.data = output_token.value;
+	token.length = output_token.length;
+    } else {
+	token.data = NULL;
+	token.length = 0;
+    }
+    put32(c, 0); /* XXX fix gsm_error */
+    putdata(c, token);
+
+    if (maj_stat == GSS_S_COMPLETE)
+	gss_release_buffer(&min_stat, &output_token);
+
+    return 0;
+}
+
+static int
+HandleOP(Encrypt)
+{
+    return handleWrap(op, c);
+}
+
+static int
+HandleOP(Decrypt)
+{
+    return handleUnwrap(op, c);
+}
+
+static int
+HandleOP(ConnectLoggingService2)
+{
+    errx(1, "ConnectLoggingService2");
+}
+
+static int
+HandleOP(GetMoniker)
+{
+    putstring(c, c->moniker);
+    return 0;
+}
+
+static int
+HandleOP(CallExtension)
+{
+    errx(1, "CallExtension");
+}
+
+static int
+HandleOP(AcquirePKInitCreds)
+{
+    int32_t flags;
+    krb5_data pfxdata;
+
+    ret32(c, flags);
+    retdata(c, pfxdata);
+
+    /* get credentials */
+
+    krb5_data_free(&pfxdata);
+
+    put32(c, -1); /* hResource */
+    put32(c, GSMERR_NOT_SUPPORTED);
+    return 0;
+}
+
+/*
+ *
+ */
+
+struct handler {
+    enum gssMaggotOp op;
+    const char *name;
+    int (*func)(enum gssMaggotOp, struct client *);
+};
+
+#define S(a) { e##a, #a, handle##a }
+
+struct handler handlers[] = {
+    S(GetVersionInfo),
+    S(GoodBye),
+    S(InitContext),
+    S(AcceptContext),
+    S(ToastResource),
+    S(AcquireCreds),
+    S(Encrypt),
+    S(Decrypt),
+    S(Sign),
+    S(Verify),
+    S(GetVersionAndCapabilities),
+    S(GetTargetName),
+    S(SetLoggingSocket),
+    S(ChangePassword),
+    S(SetPasswordSelf),
+    S(Wrap),
+    S(Unwrap),
+    S(ConnectLoggingService2),
+    S(GetMoniker),
+    S(CallExtension),
+    S(AcquirePKInitCreds)
+};
+
+#undef S
+
+/*
+ *
+ */
+
+static struct handler *
+find_op(int32_t op)
+{
+    int i;
+
+    for (i = 0; i < sizeof(handlers)/sizeof(handlers[0]); i++)
+	if (handlers[i].op == op)
+	    return &handlers[i];
+    return NULL;
+}
+
+static struct client *
+create_client(int fd, int port, const char *moniker)
+{
+    struct client *c;
+
+    c = ecalloc(1, sizeof(*c));
+
+    if (moniker) {
+	c->moniker = estrdup(moniker);
+    } else {
+	char hostname[MAXHOSTNAMELEN];
+	gethostname(hostname, sizeof(hostname));
+	asprintf(&c->moniker, "gssmask: %s:%d", hostname, port);
+    }
+
+    {
+	c->salen = sizeof(c->sa);
+	getpeername(fd, (struct sockaddr *)&c->sa, &c->salen);
+	
+	getnameinfo((struct sockaddr *)&c->sa, c->salen, 
+		    c->servername, sizeof(c->servername), 
+		    NULL, 0, NI_NUMERICHOST);
+    }
+
+    c->sock = krb5_storage_from_fd(fd);
+    if (c->sock == NULL)
+	errx(1, "krb5_storage_from_fd");
+    
+    close(fd);
+
+    return c;
+}
+
+static void
+free_client(struct client *c)
+{
+    while(c->handles)
+	del_handle(&c->handles, c->handles->idx);
+
+    free(c->moniker);
+    krb5_storage_free(c->sock);
+    if (c->logging)
+	krb5_storage_free(c->logging);
+    free(c);
+}
+
+
+static void *
+handleServer(void *ptr)
+{
+    struct handler *handler;
+    struct client *c;
+    int32_t op;
+
+    c = (struct client *)ptr;
+
+
+    while(1) {
+	ret32(c, op);
+
+	handler = find_op(op);
+	if (handler == NULL) {
+	    logmessage(c, __FILE__, __LINE__, 0,
+		       "op %d not supported", (int)op);
+	    exit(1);
+	}
+
+	logmessage(c, __FILE__, __LINE__, 0,
+		   "---> Got op %s from server %s", 
+		   handler->name, c->servername);
+
+	if ((handler->func)(handler->op, c))
+	    break;
+    }
+
+    return NULL;
+}
+
+
+static char *port_str;
+static int version_flag;
+static int help_flag;
+static char *logfile_str;
+static char *moniker_str;
+
+static int port = 4711;
+
+struct getargs args[] = {
+    { "spn",	0,   arg_string,	&targetname,	"This host's SPN",
+      "service/host@REALM" },
+    { "port",	'p', arg_string,	&port_str,	"Use this port",
+      "number-of-service" },
+    { "logfile", 0,  arg_string,	&logfile_str,	"logfile",
+      "number-of-service" },
+    { "moniker", 0,  arg_string,	&moniker_str,	"nickname",
+      "name" },
+    { "version", 0,  arg_flag,		&version_flag,	"Print version",
+      NULL },
+    { "help",	 0,  arg_flag,		&help_flag,	NULL,
+      NULL }
+};
+
+static void
+usage(int ret)
+{
+    arg_printusage (args,
+		    sizeof(args) / sizeof(args[0]),
+		    NULL,
+		    "");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optidx	= 0;
+
+    setprogname (argv[0]);
+
+    if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+	usage (1);
+
+    if (help_flag)
+	usage (0);
+
+    if (version_flag) {
+	print_version (NULL);
+	return 0;
+    }
+
+    if (optidx != argc)
+	usage (1);
+
+    if (port_str) {
+	char *ptr;
+
+	port = strtol (port_str, &ptr, 10);
+	if (port == 0 && ptr == port_str)
+	    errx (1, "Bad port `%s'", port_str);
+    }
+
+    krb5_init_context(&context);
+
+    {
+	const char *lf = logfile_str;
+	if (lf == NULL)
+	    lf = "/dev/tty";
+
+	logfile = fopen(lf, "w");
+	if (logfile == NULL)
+	    err(1, "error opening %s", lf);
+    }
+
+    mini_inetd(htons(port));
+    fprintf(logfile, "connected\n");
+
+    {
+	struct client *c; 
+
+	c = create_client(0, port, moniker_str);
+	/* close(0); */
+
+	handleServer(c);
+
+	free_client(c);
+    }
+
+    krb5_free_context(context);
+
+    return 0;
+}
diff --git a/crypto/heimdal/appl/gssmask/protocol.h b/crypto/heimdal/appl/gssmask/protocol.h
new file mode 100644
index 0000000..3683fa6
--- /dev/null
+++ b/crypto/heimdal/appl/gssmask/protocol.h
@@ -0,0 +1,286 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * $Id: protocol.h 18352 2006-10-08 13:53:28Z lha $
+ */
+
+/* missing from tests:
+ * - export context
+ * - import context
+ */
+
+/*
+ * wire encodings:
+ *   int16: number, 2 bytes, in network order
+ *   int32: number, 4 bytes, in network order
+ *   length-encoded: [int32 length, data of length bytes]
+ *   string: [int32 length, string of length + 1 bytes, includes trailing '\0' ]
+ */
+
+enum gssMaggotErrorCodes {
+    GSMERR_OK		= 0,
+    GSMERR_ERROR,
+    GSMERR_CONTINUE_NEEDED,
+    GSMERR_INVALID_TOKEN,
+    GSMERR_AP_MODIFIED,
+    GSMERR_TEST_ISSUE,
+    GSMERR_NOT_SUPPORTED
+};
+
+/*
+ * input:
+ *   int32: message OP (enum gssMaggotProtocol)
+ *   ...
+ *
+ * return:   -- on error 
+ *    int32: not support (GSMERR_NOT_SUPPORTED)
+ * 
+ * return:   -- on existing message OP
+ *    int32: support (GSMERR_OK) -- only sent for extensions
+ *    ...
+ */
+
+#define GSSMAGGOTPROTOCOL 14
+
+enum gssMaggotOp {
+    eGetVersionInfo	= 0,
+    /* 
+     * input:
+     *   none
+     * return:
+     *   int32: last version handled 
+     */
+    eGoodBye,
+    /* 
+     * input:
+     *   none
+     * return:
+     *   close socket
+     */
+    eInitContext,
+    /* 
+     * input:
+     *   int32: hContext
+     *   int32: hCred
+     *   int32: Flags
+     *      the lowest 0x7f flags maps directly to GSS-API flags
+     *      DELEGATE		0x001 
+     *      MUTUAL_AUTH		0x002 
+     *      REPLAY_DETECT	0x004
+     *      SEQUENCE_DETECT	0x008
+     *      CONFIDENTIALITY	0x010
+     *      INTEGRITY		0x020
+     *      ANONYMOUS		0x040
+     *
+     *      FIRST_CALL		0x080
+     *
+     *      NTLM		0x100
+     *      SPNEGO		0x200
+     *   length-encoded: targetname
+     *   length-encoded: token
+     * return:
+     *   int32: hNewContextId
+     *   int32: gssapi status val
+     *   length-encoded: output token
+     */
+    eAcceptContext,
+    /* 
+     * input:
+     *   int32: hContext
+     *   int32: Flags		-- unused ?
+     *      flags are same as flags for eInitContext
+     *   length-encoded: token
+     * return:
+     *   int32: hNewContextId
+     *   int32: gssapi status val
+     *   length-encoded: output token
+     *   int32: delegation cred id
+     */
+    eToastResource,
+    /*
+     * input:
+     *   int32: hResource
+     * return:
+     *   int32: gsm status val
+     */
+    eAcquireCreds,
+    /*
+     * input:
+     *   string: principal name
+     *   string: password
+     *   int32: flags
+     *      FORWARDABLE		0x001
+     *      DEFAULT_CREDS	0x002
+     *
+     *      NTLM		0x100
+     *      SPNEGO		0x200
+     * return:
+     *   int32: gsm status val
+     *   int32: hCred
+     */
+    eEncrypt,
+    /*
+     * input:
+     *   int32: hContext
+     *   int32: flags		-- unused
+     *   int32: seqno		-- unused
+     *   length-encode: plaintext
+     * return:
+     *   int32: gsm status val
+     *   length-encode: ciphertext
+     */
+    eDecrypt,
+    /*
+     * input:
+     *   int32: hContext
+     *   int32: flags		-- unused
+     *   int32: seqno		-- unused
+     *   length-encode: ciphertext
+     * return:
+     *   int32: gsm status val
+     *   length-encode: plaintext
+     */
+    eSign,
+    /* message same as eEncrypt */
+    eVerify,
+    /*
+     * input:
+     *   int32: hContext
+     *   int32: flags		-- unused
+     *   int32: seqno		-- unused
+     *   length-encode: message
+     *   length-encode: signature
+     * return:
+     *   int32: gsm status val
+     */
+    eGetVersionAndCapabilities,
+    /*
+     * return:
+     *   int32: protocol version
+     *   int32: capability flags */
+#define      ISSERVER		0x01
+#define      ISKDC		0x02
+#define      MS_KERBEROS	0x04
+#define      LOGSERVER		0x08
+#define      HAS_MONIKER	0x10
+    /*   string: version string
+     */
+    eGetTargetName,
+    /*
+     * return:
+     *   string: target principal name
+     */
+    eSetLoggingSocket,
+    /*
+     * input:
+     *   int32: hostPort
+     * return to the port on the host:
+     *   int32: opcode - for example eLogSetMoniker
+     */
+    eChangePassword,
+    /* here ended version 7 of the protocol */
+    /*
+     * input:
+     *   string: principal name
+     *   string: old password
+     *   string: new password
+     * return:
+     *   int32: gsm status val
+     */
+    eSetPasswordSelf,
+    /* same as eChangePassword */
+    eWrap,
+    /* message same as eEncrypt */
+    eUnwrap,
+    /* message same as eDecrypt */
+    eConnectLoggingService2,
+    /*
+     * return1:
+     *   int16: log port number
+     *   int32: master log prototocol version (0)
+     * 
+     * wait for master to connect on the master log socket
+     *
+     * return2:
+     *   int32: gsm connection status
+     *   int32: maggot log prototocol version (2)
+     */
+    eGetMoniker,
+    /*
+     * return:
+     *   string: moniker (Nickname the master can refer to maggot)
+     */
+    eCallExtension,
+    /*
+     * input:
+     *   string: extension name
+     *   int32: message id
+     * return:
+     *   int32: gsm status val
+     */
+    eAcquirePKInitCreds,
+    /*
+     * input:
+     *   int32: flags
+     *   length-encode: certificate (pkcs12 data)
+     * return:
+     *   int32: hResource
+     *   int32: gsm status val (GSMERR_NOT_SUPPORTED)
+     */
+    /* here ended version 7 of the protocol */
+    eLastProtocolMessage
+};
+
+enum gssMaggotLogOp{
+  eLogInfo = 0,
+	/*
+	string: File
+	int32: Line
+	string: message
+     reply:
+  	int32: ackid
+	*/
+  eLogFailure,
+	/*
+	string: File
+	int32: Line
+	string: message
+     reply:
+  	int32: ackid
+	*/
+  eLogSetMoniker
+	/*
+	string: moniker
+	*/
+};
diff --git a/crypto/heimdal/appl/kf/Makefile.am b/crypto/heimdal/appl/kf/Makefile.am
index c145e07..10d4be6 100644
--- a/crypto/heimdal/appl/kf/Makefile.am
+++ b/crypto/heimdal/appl/kf/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.5 2000/11/15 22:51:08 assar Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -13,6 +13,8 @@ kf_SOURCES = kf.c kf_locl.h
 kfd_SOURCES = kfd.c kf_locl.h
 
 LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken)
+
+EXTRA_DIST = $(man_MANS)
diff --git a/crypto/heimdal/appl/kf/Makefile.in b/crypto/heimdal/appl/kf/Makefile.in
index ac8c4e7..1dc0684 100644
--- a/crypto/heimdal/appl/kf/Makefile.in
+++ b/crypto/heimdal/appl/kf/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,23 +14,17 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.5 2000/11/15 22:51:08 assar Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
-SOURCES = $(kf_SOURCES) $(kfd_SOURCES)
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -42,6 +36,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -51,16 +46,14 @@ libexec_PROGRAMS = kfd$(EXEEXT)
 subdir = appl/kf
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -73,6 +66,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -81,19 +75,24 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)"
+am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libexecdir)" \
+	"$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)"
 binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(bin_PROGRAMS) $(libexec_PROGRAMS)
@@ -110,17 +109,18 @@ kfd_LDADD = $(LDADD)
 kfd_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \
 	$(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \
 	$(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
 SOURCES = $(kf_SOURCES) $(kfd_SOURCES)
 DIST_SOURCES = $(kf_SOURCES) $(kfd_SOURCES)
 man1dir = $(mandir)/man1
@@ -130,13 +130,7 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -146,8 +140,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -158,11 +150,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -170,42 +161,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -223,12 +199,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -238,15 +211,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -255,6 +227,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -266,15 +239,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -282,74 +250,79 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -366,19 +339,21 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 man_MANS = kf.1 kfd.8
 kf_SOURCES = kf.c kf_locl.h
 kfd_SOURCES = kfd.c kf_locl.h
 LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken)
 
+EXTRA_DIST = $(man_MANS)
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -410,7 +385,7 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-binPROGRAMS: $(bin_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)"
+	test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
 	@list='$(bin_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -438,7 +413,7 @@ clean-binPROGRAMS:
 	done
 install-libexecPROGRAMS: $(libexec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(libexecdir)" || $(mkdir_p) "$(DESTDIR)$(libexecdir)"
+	test -z "$(libexecdir)" || $(MKDIR_P) "$(DESTDIR)$(libexecdir)"
 	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -466,10 +441,10 @@ clean-libexecPROGRAMS:
 	done
 kf$(EXEEXT): $(kf_OBJECTS) $(kf_DEPENDENCIES) 
 	@rm -f kf$(EXEEXT)
-	$(LINK) $(kf_LDFLAGS) $(kf_OBJECTS) $(kf_LDADD) $(LIBS)
+	$(LINK) $(kf_OBJECTS) $(kf_LDADD) $(LIBS)
 kfd$(EXEEXT): $(kfd_OBJECTS) $(kfd_DEPENDENCIES) 
 	@rm -f kfd$(EXEEXT)
-	$(LINK) $(kfd_LDFLAGS) $(kfd_OBJECTS) $(kfd_LDADD) $(LIBS)
+	$(LINK) $(kfd_OBJECTS) $(kfd_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -491,13 +466,9 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 install-man1: $(man1_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man1dir)" || $(mkdir_p) "$(DESTDIR)$(man1dir)"
+	test -z "$(man1dir)" || $(MKDIR_P) "$(DESTDIR)$(man1dir)"
 	@list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -542,7 +513,7 @@ uninstall-man1:
 	done
 install-man8: $(man8_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)"
+	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
 	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -606,9 +577,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -633,23 +606,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../.. $(distdir)/../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -669,7 +640,7 @@ check: check-am
 all-am: Makefile $(PROGRAMS) $(MANS) all-local
 installdirs:
 	for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -690,7 +661,7 @@ mostlyclean-generic:
 clean-generic:
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -703,7 +674,7 @@ clean-am: clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -719,14 +690,22 @@ install-data-am: install-man
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-binPROGRAMS install-libexecPROGRAMS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man: install-man1 install-man8
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -746,26 +725,33 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-binPROGRAMS uninstall-info-am \
-	uninstall-libexecPROGRAMS uninstall-man
+uninstall-am: uninstall-binPROGRAMS uninstall-libexecPROGRAMS \
+	uninstall-man
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
 
 uninstall-man: uninstall-man1 uninstall-man8
 
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
 .PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
 	clean clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \
-	clean-libtool ctags distclean distclean-compile \
+	clean-libtool ctags dist-hook distclean distclean-compile \
 	distclean-generic distclean-libtool distclean-tags distdir dvi \
 	dvi-am html html-am info info-am install install-am \
-	install-binPROGRAMS install-data install-data-am install-exec \
-	install-exec-am install-info install-info-am \
-	install-libexecPROGRAMS install-man install-man1 install-man8 \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
-	uninstall-binPROGRAMS uninstall-info-am \
-	uninstall-libexecPROGRAMS uninstall-man uninstall-man1 \
-	uninstall-man8
+	install-binPROGRAMS install-data install-data-am \
+	install-data-hook install-dvi install-dvi-am install-exec \
+	install-exec-am install-exec-hook install-html install-html-am \
+	install-info install-info-am install-libexecPROGRAMS \
+	install-man install-man1 install-man8 install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-binPROGRAMS \
+	uninstall-hook uninstall-libexecPROGRAMS uninstall-man \
+	uninstall-man1 uninstall-man8
 
 
 install-suid-programs:
@@ -780,8 +766,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -791,19 +777,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -819,7 +817,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -889,14 +887,39 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/appl/kf/kf.1 b/crypto/heimdal/appl/kf/kf.1
index 2426063..97e408d 100644
--- a/crypto/heimdal/appl/kf/kf.1
+++ b/crypto/heimdal/appl/kf/kf.1
@@ -29,7 +29,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 .\" SUCH DAMAGE. 
 .\" 
-.\" $Id: kf.1,v 1.6 2003/04/11 12:43:57 lha Exp $
+.\" $Id: kf.1 11986 2003-04-11 12:43:57Z lha $
 .\"
 .Dd July  2, 2000
 .Dt KF 1
diff --git a/crypto/heimdal/appl/kf/kf.c b/crypto/heimdal/appl/kf/kf.c
index 190101b..6377965 100644
--- a/crypto/heimdal/appl/kf/kf.c
+++ b/crypto/heimdal/appl/kf/kf.c
@@ -32,7 +32,7 @@
  */
 
 #include "kf_locl.h"
-RCSID("$Id: kf.c,v 1.17 2002/09/05 15:00:03 joda Exp $");
+RCSID("$Id: kf.c 11400 2002-09-05 15:00:03Z joda $");
 
 krb5_context context;
 static int help_flag;
diff --git a/crypto/heimdal/appl/kf/kf_locl.h b/crypto/heimdal/appl/kf/kf_locl.h
index 0a6a28f..e4d9ee8 100644
--- a/crypto/heimdal/appl/kf/kf_locl.h
+++ b/crypto/heimdal/appl/kf/kf_locl.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: kf_locl.h,v 1.3 2002/09/04 20:29:04 joda Exp $ */
+/* $Id: kf_locl.h 11376 2002-09-04 20:29:04Z joda $ */
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
diff --git a/crypto/heimdal/appl/kf/kfd.8 b/crypto/heimdal/appl/kf/kfd.8
index 94d26cc..f676749 100644
--- a/crypto/heimdal/appl/kf/kfd.8
+++ b/crypto/heimdal/appl/kf/kfd.8
@@ -29,7 +29,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 .\" SUCH DAMAGE. 
 .\" 
-.\" $Id: kfd.8,v 1.4 2003/02/16 21:10:05 lha Exp $
+.\" $Id: kfd.8 11648 2003-02-16 21:10:32Z lha $
 .\"
 .Dd July  2, 2000
 .Dt KFD 8
diff --git a/crypto/heimdal/appl/kf/kfd.c b/crypto/heimdal/appl/kf/kfd.c
index c358b54..9d8c84c 100644
--- a/crypto/heimdal/appl/kf/kfd.c
+++ b/crypto/heimdal/appl/kf/kfd.c
@@ -32,7 +32,7 @@
  */
 
 #include "kf_locl.h"
-RCSID("$Id: kfd.c,v 1.11 2003/04/16 15:40:24 lha Exp $");
+RCSID("$Id: kfd.c 15246 2005-05-27 13:47:20Z lha $");
 
 krb5_context context;
 char krb5_tkfile[MAXPATHLEN];
@@ -112,7 +112,7 @@ kfd_match_version(const void *arg, const char *version)
 	       version[0] == '0' &&
 	       version[1] == '.' &&
 	       (version[2] == '4' || version[2] == '3') &&
-	       islower(version[3])) {
+	       islower((unsigned char)version[3])) {
 	protocol_version = 0;
 	return TRUE;
     }
@@ -235,7 +235,8 @@ proto (int sock, const char *service)
     if (tk_file.length != 1)
 	snprintf (ccname, sizeof(ccname), "%s", (char *)(tk_file.data));
     else
-	snprintf (ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%u",pwd->pw_uid);
+	snprintf (ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%lu",
+		  (unsigned long)pwd->pw_uid);
 
     status = krb5_cc_resolve (context, ccname, &ccache);
     if (status) {
diff --git a/crypto/heimdal/appl/login/ChangeLog b/crypto/heimdal/appl/login/ChangeLog
index 3da3237..2400808 100644
--- a/crypto/heimdal/appl/login/ChangeLog
+++ b/crypto/heimdal/appl/login/ChangeLog
@@ -1,8 +1,79 @@
+2006-12-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* limits_conf.c: Clear errno before calling the strtol
+	functions. From Paul Stoeber to OpenBSD by Ray Lai and Björn
+	Sandell.
+
+	* limits_conf.c: Report to syslog strings that start with NUL;
+	prevents negative index array access. Ray Lai of OpenBSD via Björn
+	Sandell.
+	
+2006-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: Add man_MANS to EXTRA_DIST
+
+2006-09-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* read_string.c: try to not call signaction for signal 0 and use
+	NSIG if it exists to determin how many signals there exists, also,
+	only restore those signalhandlers that we got out.
+	
+2006-04-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* login_locl.h: Include "loginpaths.h"
+	
+	* loginpaths.h: Shared paths between login and rshd.
+	
+2006-01-09 Johan Danielsson <joda@blubb.pdc.kth.se>
+
+	* login.c: log successful logins
+	
+2005-08-08  Love Hörnquist Åstrand <lha@it.su.se>
+
+	* login.c (do_login): only do krb4_get_afs_tokens if we have done
+	v4 authentication or done a 5to4 conversion of tickets. This is to
+	avoid delays on a realm that only support Kerberos 5 and drop
+	Kerberos 4 requests.
+
+2005-05-10  Dave Love  <fx@gnu.org>
+
+	* login.c: Include <crypt.h>.
+
+2005-05-02  Dave Love  <fx@gnu.org>
+
+	* limits_conf.c: Check RLIMIT_MEMLOCK, not RLIMIT_LOCK.
+
+2005-04-28  Dave Love  <fx@gnu.org>
+
+	* limits_conf.c: Maybe include sys/resource.h.  Use various
+	RLIMIT_ macros conditionally.  For Solaris, Irix and Tru64.
+
+2005-04-22  Johan Danielsson  <joda@pdc.kth.se>
+
+	* login.1: document limits.conf
+	
+	* Makefile.am: limits_conf.c
+	
+	* login_locl.h: template for limits.conf
+	
+	* login.c: read limits.conf (from /etc/security by default,
+	overridable in login.conf)
+	
+	* limits_conf.c: implement a parser for limits.conf
+	
 2004-09-08  Johan Danielsson  <joda@pdc.kth.se>
 
-	* login.c: pull up 1.62->1.63: use krb5_appdefault_boolean instead
-	of krb5_config_get_bool
+	* login.c: use krb5_appdefault_boolean instead of
+	krb5_config_get_bool
+
+2003-09-03  Love Hörnquist Åstrand <lha@it.su.se>
 
+	* login.c (krb5_to4): set client princ of the mcred
+	
+2003-07-07  Love Hörnquist Åstrand <lha@it.su.se>
+
+	* login.c (krb5_to4): use krb5_cc_clear_mcred
+	
 2003-03-24  Johan Danielsson  <joda@pdc.kth.se>
 
 	* Makefile.am: install man pages
diff --git a/crypto/heimdal/appl/login/Makefile.am b/crypto/heimdal/appl/login/Makefile.am
index 860ce70..b7c9f93 100644
--- a/crypto/heimdal/appl/login/Makefile.am
+++ b/crypto/heimdal/appl/login/Makefile.am
@@ -1,8 +1,8 @@
-# $Id: Makefile.am,v 1.21 2003/03/24 16:15:48 joda Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += $(INCLUDE_krb4)
+AM_CPPFLAGS += $(INCLUDE_krb4)
 
 man_MANS = login.1 login.access.5
 
@@ -15,6 +15,8 @@ login_SOURCES =					\
 		login_access.c			\
 		login_locl.h			\
 		login_protos.h			\
+		loginpaths.h			\
+		limits_conf.c			\
 		osfc2.c				\
 		read_string.c			\
 		shadow.c			\
@@ -27,7 +29,7 @@ LDADD = $(LIB_otp) \
 	$(LIB_kafs) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(LIB_krb4) \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken) \
 	$(LIB_security) \
@@ -37,3 +39,5 @@ $(srcdir)/login_protos.h:
 	cd $(srcdir); perl ../../cf/make-proto.pl -o login_protos.h -q -P comment $(login_SOURCES) || rm -f login_protos.h
 
 $(login_OBJECTS): $(srcdir)/login_protos.h
+
+EXTRA_DIST = $(man_MANS)
diff --git a/crypto/heimdal/appl/login/Makefile.in b/crypto/heimdal/appl/login/Makefile.in
index 72648ab..faa632a 100644
--- a/crypto/heimdal/appl/login/Makefile.in
+++ b/crypto/heimdal/appl/login/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,23 +14,17 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.21 2003/03/24 16:15:48 joda Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
-SOURCES = $(login_SOURCES)
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -42,6 +36,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -50,16 +45,14 @@ bin_PROGRAMS = login$(EXEEXT)
 subdir = appl/login
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -72,6 +65,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -80,25 +74,30 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man5dir)"
+am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)" \
+	"$(DESTDIR)$(man5dir)"
 binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(bin_PROGRAMS)
 am_login_OBJECTS = conf.$(OBJEXT) env.$(OBJEXT) login.$(OBJEXT) \
-	login_access.$(OBJEXT) osfc2.$(OBJEXT) read_string.$(OBJEXT) \
-	shadow.$(OBJEXT) stty_default.$(OBJEXT) tty.$(OBJEXT) \
-	utmp_login.$(OBJEXT) utmpx_login.$(OBJEXT)
+	login_access.$(OBJEXT) limits_conf.$(OBJEXT) osfc2.$(OBJEXT) \
+	read_string.$(OBJEXT) shadow.$(OBJEXT) stty_default.$(OBJEXT) \
+	tty.$(OBJEXT) utmp_login.$(OBJEXT) utmpx_login.$(OBJEXT)
 login_OBJECTS = $(am_login_OBJECTS)
 login_LDADD = $(LDADD)
 am__DEPENDENCIES_1 =
@@ -109,17 +108,18 @@ login_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \
 	$(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
 SOURCES = $(login_SOURCES)
 DIST_SOURCES = $(login_SOURCES)
 man1dir = $(mandir)/man1
@@ -129,13 +129,7 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -145,8 +139,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -157,11 +149,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -169,42 +160,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -222,12 +198,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -237,15 +210,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -254,6 +226,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -265,15 +238,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -281,74 +249,80 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	$(INCLUDE_krb4)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -365,6 +339,7 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 man_MANS = login.1 login.access.5
 login_SOURCES = \
@@ -374,6 +349,8 @@ login_SOURCES = \
 		login_access.c			\
 		login_locl.h			\
 		login_protos.h			\
+		loginpaths.h			\
+		limits_conf.c			\
 		osfc2.c				\
 		read_string.c			\
 		shadow.c			\
@@ -386,16 +363,17 @@ LDADD = $(LIB_otp) \
 	$(LIB_kafs) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(LIB_krb4) \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken) \
 	$(LIB_security) \
 	$(DBLIB)
 
+EXTRA_DIST = $(man_MANS)
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -427,7 +405,7 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-binPROGRAMS: $(bin_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)"
+	test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
 	@list='$(bin_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -455,7 +433,7 @@ clean-binPROGRAMS:
 	done
 login$(EXEEXT): $(login_OBJECTS) $(login_DEPENDENCIES) 
 	@rm -f login$(EXEEXT)
-	$(LINK) $(login_LDFLAGS) $(login_OBJECTS) $(login_LDADD) $(LIBS)
+	$(LINK) $(login_OBJECTS) $(login_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -477,13 +455,9 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 install-man1: $(man1_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man1dir)" || $(mkdir_p) "$(DESTDIR)$(man1dir)"
+	test -z "$(man1dir)" || $(MKDIR_P) "$(DESTDIR)$(man1dir)"
 	@list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -528,7 +502,7 @@ uninstall-man1:
 	done
 install-man5: $(man5_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man5dir)" || $(mkdir_p) "$(DESTDIR)$(man5dir)"
+	test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)"
 	@list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -592,9 +566,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -619,23 +595,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../.. $(distdir)/../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -655,7 +629,7 @@ check: check-am
 all-am: Makefile $(PROGRAMS) $(MANS) all-local
 installdirs:
 	for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man5dir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -676,7 +650,7 @@ mostlyclean-generic:
 clean-generic:
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -688,7 +662,7 @@ clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -704,14 +678,22 @@ install-data-am: install-man
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-binPROGRAMS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man: install-man1 install-man5
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -731,23 +713,30 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-binPROGRAMS uninstall-info-am uninstall-man
+uninstall-am: uninstall-binPROGRAMS uninstall-man
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
 
 uninstall-man: uninstall-man1 uninstall-man5
 
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
 .PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
 	clean clean-binPROGRAMS clean-generic clean-libtool ctags \
-	distclean distclean-compile distclean-generic \
+	dist-hook distclean distclean-compile distclean-generic \
 	distclean-libtool distclean-tags distdir dvi dvi-am html \
 	html-am info info-am install install-am install-binPROGRAMS \
-	install-data install-data-am install-exec install-exec-am \
-	install-info install-info-am install-man install-man1 \
-	install-man5 install-strip installcheck installcheck-am \
-	installdirs maintainer-clean maintainer-clean-generic \
-	mostlyclean mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \
-	uninstall-am uninstall-binPROGRAMS uninstall-info-am \
-	uninstall-man uninstall-man1 uninstall-man5
+	install-data install-data-am install-data-hook install-dvi \
+	install-dvi-am install-exec install-exec-am install-exec-hook \
+	install-html install-html-am install-info install-info-am \
+	install-man install-man1 install-man5 install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-binPROGRAMS \
+	uninstall-hook uninstall-man uninstall-man1 uninstall-man5
 
 
 install-suid-programs:
@@ -762,8 +751,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -773,19 +762,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -801,7 +802,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -871,15 +872,40 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
 
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
 $(srcdir)/login_protos.h:
 	cd $(srcdir); perl ../../cf/make-proto.pl -o login_protos.h -q -P comment $(login_SOURCES) || rm -f login_protos.h
 
diff --git a/crypto/heimdal/appl/login/conf.c b/crypto/heimdal/appl/login/conf.c
index 85cfc00..81a3c74 100644
--- a/crypto/heimdal/appl/login/conf.c
+++ b/crypto/heimdal/appl/login/conf.c
@@ -32,7 +32,7 @@
 
 #include "login_locl.h"
 
-RCSID("$Id: conf.c,v 1.3 2000/05/29 16:52:24 assar Exp $");
+RCSID("$Id: conf.c 8302 2000-05-29 16:52:24Z assar $");
 
 static char *confbuf;
 
diff --git a/crypto/heimdal/appl/login/env.c b/crypto/heimdal/appl/login/env.c
index 57f68b1..e1b33ba 100644
--- a/crypto/heimdal/appl/login/env.c
+++ b/crypto/heimdal/appl/login/env.c
@@ -32,7 +32,7 @@
  */
 
 #include "login_locl.h"
-RCSID("$Id: env.c,v 1.1 2000/06/28 12:27:38 joda Exp $");
+RCSID("$Id: env.c 8476 2000-06-28 12:27:38Z joda $");
 
 /*
  * the environment we will send to execle and the shell.
diff --git a/crypto/heimdal/appl/login/limits_conf.c b/crypto/heimdal/appl/login/limits_conf.c
new file mode 100644
index 0000000..ac9837f
--- /dev/null
+++ b/crypto/heimdal/appl/login/limits_conf.c
@@ -0,0 +1,214 @@
+/*
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "login_locl.h"
+
+RCSID("$Id: limits_conf.c 19215 2006-12-04 23:41:18Z lha $");
+
+#include <errno.h>
+#include <limits.h>
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+
+struct limit {
+    const char *name;
+    int resource;
+    int scale;
+    int has_limit;
+    struct rlimit limit;
+} limits[] = {
+#define LIM(X, S) { #X, RLIMIT_##X, S, 0 }
+    LIM(CORE, 1024),
+    LIM(CPU, 60),
+    LIM(DATA, 1024),
+    LIM(FSIZE, 1024),
+#ifdef RLIMIT_MEMLOCK
+    LIM(MEMLOCK, 1024),
+#endif
+    LIM(NOFILE, 1),
+#ifdef RLIMIT_NPROC
+    LIM(NPROC, 1),
+#endif
+#ifdef RLIMIT_RSS
+    LIM(RSS, 1024),
+#endif
+    LIM(STACK, 1024),
+
+#ifdef RLIMIT_AS
+    LIM(AS, 1024),
+#endif
+#ifdef RLIMIT_LOCKS
+    LIM(LOCKS, 1),
+#endif
+    /*
+      maxlogins
+      priority
+    */
+    { NULL, 0 }
+};
+
+static struct limit *
+find_limit(const char *name)
+{
+    struct limit *l;
+    for(l = limits; l->name != NULL; l++)
+	if(strcasecmp(name, l->name) == 0)
+	    return l;
+    return NULL;
+}
+
+/* this function reads limits.conf files similar to pam_limits
+   unimplemented features include:
+   	% maxlogins
+	"-" no limits, 
+	priorities etc that are not set via setrlimit
+   XXX uses static storage, and clobbers getgr*
+*/
+
+int
+read_limits_conf(const char *file, const struct passwd *pwd)
+{
+    FILE *f;
+    char *args[4];
+    int lineno = 0;
+    char buf[1024];
+    struct limit *l;
+    rlim_t value;
+
+    f = fopen(file, "r");
+    if(f == NULL) {
+	if(errno != ENOENT && errno != ENOTDIR)
+	    syslog(LOG_ERR, "%s: %m", file);
+	return -1;
+    }
+
+    while(fgets(buf, sizeof(buf), f) != NULL) {
+	char *last = NULL;
+	char *end = NULL;
+	int level;
+
+	lineno++;
+
+	if(buf[0] == '\0') {
+	    syslog(LOG_ERR, "%s: line %d: NUL character", file, lineno);
+	    continue;
+	}
+	if(buf[strlen(buf) - 1] != '\n') {
+	    /* file did not end with a newline, figure out if we're at
+               the EOF, or if our buffer was too small */
+	    int eof = 1;
+	    int c;
+	    while((c = fgetc(f)) != EOF) {
+		eof = 0;
+		if(c == '\n') 
+		    break;
+	    }
+	    if(!eof) {
+		syslog(LOG_ERR, "%s: line %d: line too long", file, lineno);
+		continue;
+	    }
+	}
+	buf[strcspn(buf, "#\r\n")] = '\0';
+	if((args[0] = strtok_r(buf, " \t", &last)) == NULL ||
+	   (args[1] = strtok_r(NULL, " \t", &last)) == NULL ||
+	   (args[2] = strtok_r(NULL, " \t", &last)) == NULL ||
+	   (args[3] = strtok_r(NULL, " \t", &last)) == NULL) {
+	    if(args[0] != NULL) /* this would include comment lines */
+		syslog(LOG_ERR, "%s: line %d: malformed line", file, lineno);
+	    continue;
+	}
+
+	l = find_limit(args[2]);
+	if(l == NULL) {
+	    syslog(LOG_ERR, "%s: line %d: unknown limit %s", file, lineno, args[2]);
+	    continue;
+	}
+	if(strcmp(args[3], "-") == 0) {
+	    value = RLIM_INFINITY;
+	} else {
+	    errno = 0;
+	    value = strtol(args[3], &end, 10);
+	    if(*end != '\0') {
+		syslog(LOG_ERR, "%s: line %d: bad value %s", file, lineno, args[3]);
+		continue;
+	    }
+	    if((value == LONG_MIN || value == LONG_MAX) && errno == ERANGE) {
+		syslog(LOG_ERR, "%s: line %d: bad value %s", file, lineno, args[3]);
+		continue;
+	    }
+	    if(value * l->scale < value)
+		value = RLIM_INFINITY;
+	    else
+		value *= l->scale;
+	}
+	level = 0;
+	/* XXX unclear: if you set group hard and user soft limit,
+           should the hard limit still apply? this code doesn't. */
+	if(strcmp(args[0], pwd->pw_name) == 0)
+	    level = 3;
+	if(*args[0] == '@') {
+	    struct group *gr;
+	    gr = getgrnam(args[0] + 1);
+	    if(gr != NULL && gr->gr_gid == pwd->pw_gid)
+		level = 2;
+	}
+	if(strcmp(args[0], "*") == 0)
+	    level = 1;
+	if(level == 0 || level < l->has_limit) /* not for us */
+	    continue;
+	if(l->has_limit < level) {
+	    if(getrlimit(l->resource, &l->limit) < 0)
+		continue;
+	    l->has_limit = level;
+	}
+	
+	/* XXX unclear: if you soft to more than default hard, should
+           we set hard to soft? this code doesn't. */
+	if(strcasecmp(args[1], "soft") == 0 || strcmp(args[1], "-") == 0)
+	    l->limit.rlim_cur = value;
+	if(strcasecmp(args[1], "hard") == 0 || strcmp(args[1], "-") == 0) 
+	    l->limit.rlim_max = value;
+    }
+    fclose(f);
+    for(l = limits; l->name != NULL; l++) {
+	if(l->has_limit) {
+	    if(l->limit.rlim_cur > l->limit.rlim_max)
+		l->limit.rlim_cur = l->limit.rlim_max;
+	    if(setrlimit(l->resource, &l->limit) != 0)
+		syslog(LOG_ERR, "setrlimit RLIM_%s failed: %m", l->name);
+	}
+	l->has_limit = 0;
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/appl/login/login.1 b/crypto/heimdal/appl/login/login.1
index b0c9a6c..1ae4f3e 100644
--- a/crypto/heimdal/appl/login/login.1
+++ b/crypto/heimdal/appl/login/login.1
@@ -1,6 +1,6 @@
-.\" $Id: login.1,v 1.1 2003/03/24 16:15:12 joda Exp $
+.\" $Id: login.1 14891 2005-04-22 15:49:25Z joda $
 .\" 
-.Dd March 24, 2003
+.Dd April 22, 2005
 .Dt LOGIN 1
 .Os HEIMDAL
 .Sh NAME
@@ -189,6 +189,10 @@ A comma separated list of text files that will be printed to the
 user's terminal before starting the shell. The string
 .Li welcome
 works similarly, but points to a single file.
+.It Li limits
+Points to a file containing ulimit settings for various users. Syntax
+is inspired by what pam_limits uses, and the default is
+.Pa /etc/security/limits.conf .
 .El
 .It Pa /etc/nologin
 If it exists, login is denied to all but root. The contents of this
@@ -213,8 +217,31 @@ A
 file could look like:
 .Bd -literal -offset indent
 default:\\
-	:motd=/etc/motd,/etc/motd.local:
+	:motd=/etc/motd,/etc/motd.local:\\
+	:limits=/etc/limits.conf:
 .Ed
+.Pp
+The
+.Pa limits.conf
+file consists of a table with four whitespace separated fields. First
+field is a username or a groupname (prefixed with
+.Sq @ ) , 
+or 
+.Sq * .
+Second field is
+.Sq soft ,
+.Sq hard ,
+or
+.Sq -
+(the last meaning both soft and hard).
+Third field is a limit name (such as
+.Sq cpu 
+or 
+.Sq core ) .
+Last field is the limit value (a number or
+.Sq - 
+for unlimited). In the case of data sizes, the value is in kilobytes,
+and cputime is in minutes.
 .Sh SEE ALSO
 .Xr su 1 ,
 .Xr login.access 5 ,
diff --git a/crypto/heimdal/appl/login/login.access.5 b/crypto/heimdal/appl/login/login.access.5
index be8828c..23290be 100644
--- a/crypto/heimdal/appl/login/login.access.5
+++ b/crypto/heimdal/appl/login/login.access.5
@@ -1,4 +1,4 @@
-.\" $Id: login.access.5,v 1.1 2003/03/24 15:49:30 joda Exp $
+.\" $Id: login.access.5 11902 2003-03-24 15:49:30Z joda $
 .\" 
 .Dd March 21, 2003
 .Dt LOGIN.ACCESS 5
diff --git a/crypto/heimdal/appl/login/login.c b/crypto/heimdal/appl/login/login.c
index 1531eec..cc41097 100644
--- a/crypto/heimdal/appl/login/login.c
+++ b/crypto/heimdal/appl/login/login.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -38,8 +38,11 @@
 #ifdef HAVE_SYS_CAPABILITY_H
 #include <sys/capability.h>
 #endif
+#ifdef HAVE_CRYPT_H
+#include <crypt.h>
+#endif
 
-RCSID("$Id: login.c,v 1.59.2.1 2004/09/08 09:15:39 joda Exp $");
+RCSID("$Id: login.c 16498 2006-01-09 16:26:25Z joda $");
 
 static int login_timeout = 60;
 
@@ -118,7 +121,8 @@ exec_shell(const char *shell, int fallback)
 	p++;
     else
 	p = shell;
-    asprintf(&sh, "-%s", p);
+    if (asprintf(&sh, "-%s", p) == -1)
+	errx(1, "Out of memory");
     execle(shell, sh, NULL, env);
     if(fallback){
 	warnx("Can't exec %s, trying %s", 
@@ -131,6 +135,10 @@ exec_shell(const char *shell, int fallback)
 
 static enum { NONE = 0, AUTH_KRB4 = 1, AUTH_KRB5 = 2, AUTH_OTP = 3 } auth;
 
+#ifdef KRB4
+static krb5_boolean get_v4_tgt = FALSE;
+#endif
+
 #ifdef OTP
 static OtpContext otp_ctx;
 
@@ -179,8 +187,6 @@ krb5_to4 (krb5_ccache id)
     krb5_error_code ret;
     krb5_principal princ;
 
-    int get_v4_tgt;
-
     ret = krb5_cc_get_principal(context, id, &princ);
     if(ret == 0) {
 	krb5_appdefault_boolean(context, "login", 
@@ -203,6 +209,8 @@ krb5_to4 (krb5_ccache id)
 	krb5_error_code ret;
 	krb5_principal princ;
 
+	krb5_cc_clear_mcred(&mcred);
+
 	ret = krb5_cc_get_principal (context, id, &princ);
 	if (ret)
 	    return ret;
@@ -212,9 +220,11 @@ krb5_to4 (krb5_ccache id)
 				  "krbtgt",
 				  princ->realm,
 				  NULL);
-	krb5_free_principal (context, princ);
-	if (ret)
+	if (ret) {
+	    krb5_free_principal(context, princ);
 	    return ret;
+	}
+	mcred.client = princ;
 
 	ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred);
 	if(ret == 0) {
@@ -226,9 +236,12 @@ krb5_to4 (krb5_ccache id)
 		tf_setup(&c, c.pname, c.pinst);
 	    }
 	    memset(&c, 0, sizeof(c));
-	    krb5_free_creds_contents(context, &cred);
+	    krb5_free_cred_contents(context, &cred);
 	}
+	if (ret != 0)
+	    get_v4_tgt = FALSE;
 	krb5_free_principal(context, mcred.server);
+	krb5_free_principal(context, mcred.client);
     }
     return 0;
 }
@@ -476,6 +489,14 @@ do_login(const struct passwd *pwd, char *tty, char *ttyn)
 	    exit(1);
     }
 #endif
+    if(rootlogin == 0) {
+	const char *file = login_conf_get_string("limits");
+	if(file == NULL)
+	    file = _PATH_LIMITS_CONF;
+
+	read_limits_conf(file, pwd);
+    }
+	    
 #ifdef HAVE_SETPCRED
     if (setpcred (pwd->pw_name, NULL) == -1)
 	warn("setpcred(%s)", pwd->pw_name);
@@ -598,7 +619,8 @@ do_login(const struct passwd *pwd, char *tty, char *ttyn)
 #endif /* KRB5 */
 
 #ifdef KRB4
-    krb4_get_afs_tokens (pwd);
+    if (auth == AUTH_KRB4 || get_v4_tgt)
+	krb4_get_afs_tokens (pwd);
 #endif /* KRB4 */
 
     add_env("PATH", _PATH_DEFPATH);
@@ -700,7 +722,7 @@ main(int argc, char **argv)
     int try;
 
     char username[32];
-    int optind = 0;
+    int optidx = 0;
 
     int ask = 1;
     struct sigaction sa;
@@ -717,13 +739,13 @@ main(int argc, char **argv)
     }
 #endif
 
-    openlog("login", LOG_ODELAY, LOG_AUTH);
+    openlog("login", LOG_ODELAY | LOG_PID, LOG_AUTH);
 
     if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
-		&optind))
+		&optidx))
 	usage (1);
-    argc -= optind;
-    argv += optind;
+    argc -= optidx;
+    argv += optidx;
 
     if(help_flag)
 	usage(0);
@@ -850,6 +872,13 @@ main(int argc, char **argv)
 		syslog(LOG_NOTICE, "%s LOGIN REFUSED ON %s",
 		       pwd->pw_name, tty);
 	    exit (1);
+	} else {
+	    if (remote_host)
+		syslog(LOG_NOTICE, "%s LOGIN ACCEPTED FROM %s ppid=%d",
+		       pwd->pw_name, remote_host, (int) getppid());
+	    else
+		syslog(LOG_NOTICE, "%s LOGIN ACCEPTED ON %s ppid=%d",
+		       pwd->pw_name, tty, (int) getppid());
 	}
         alarm(0);
 	do_login(pwd, tty, ttyn);
diff --git a/crypto/heimdal/appl/login/login_access.c b/crypto/heimdal/appl/login/login_access.c
index d6275fd..e1bfe42e 100644
--- a/crypto/heimdal/appl/login/login_access.c
+++ b/crypto/heimdal/appl/login/login_access.c
@@ -25,7 +25,7 @@
 
 #include "login_locl.h"
 
-RCSID("$Id: login_access.c,v 1.2 2001/06/04 14:09:45 assar Exp $");
+RCSID("$Id: login_access.c 10020 2001-06-04 14:10:19Z assar $");
 
  /* Delimiters for fields and for lists of users, ttys or hosts. */
 
diff --git a/crypto/heimdal/appl/login/login_locl.h b/crypto/heimdal/appl/login/login_locl.h
index cc1d920..08b960c 100644
--- a/crypto/heimdal/appl/login/login_locl.h
+++ b/crypto/heimdal/appl/login/login_locl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: login_locl.h,v 1.24 2002/08/12 15:09:15 joda Exp $ */
+/* $Id: login_locl.h 17302 2006-04-27 09:17:01Z lha $ */
 
 #ifndef __LOGIN_LOCL_H__
 #define __LOGIN_LOCL_H__
@@ -111,9 +111,6 @@
 #ifndef _PATH_DEV
 #define _PATH_DEV "/dev/"
 #endif
-#ifndef _PATH_NOLOGIN
-#define _PATH_NOLOGIN "/etc/nologin"
-#endif
 #ifndef _PATH_WTMP
 #ifdef WTMP_FILE
 #define _PATH_WTMP WTMP_FILE
@@ -137,14 +134,12 @@
 #define _PATH_LOGIN_CONF SYSCONFDIR "/login.conf"
 #endif /* _PATH_LOGIN_CONF */
 
-#ifndef _PATH_ETC_ENVIRONMENT
-#define _PATH_ETC_ENVIRONMENT SYSCONFDIR "/environment"
-#endif
-
 #ifndef _PATH_DEFPATH
 #define _PATH_DEFPATH "/usr/bin:/bin"
 #endif
 
+#include "loginpaths.h"
+
 struct spwd;
 
 extern char **env;
diff --git a/crypto/heimdal/appl/login/login_protos.h b/crypto/heimdal/appl/login/login_protos.h
index 48b8101..7fdbb35 100644
--- a/crypto/heimdal/appl/login/login_protos.h
+++ b/crypto/heimdal/appl/login/login_protos.h
@@ -4,6 +4,10 @@
 
 #include <stdarg.h>
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 void
 add_env (
 	const char */*var*/,
@@ -48,6 +52,11 @@ prepare_utmp (
 	const char */*hostname*/);
 
 int
+read_limits_conf (
+	const char */*file*/,
+	const struct passwd */*pwd*/);
+
+int
 read_string (
 	const char */*prompt*/,
 	char */*buf*/,
@@ -75,4 +84,8 @@ utmpx_login (
 	const char */*user*/,
 	const char */*host*/);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* __login_protos_h__ */
diff --git a/crypto/heimdal/appl/login/loginpaths.h b/crypto/heimdal/appl/login/loginpaths.h
new file mode 100644
index 0000000..141f81e
--- /dev/null
+++ b/crypto/heimdal/appl/login/loginpaths.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: loginpaths.h 17299 2006-04-27 09:14:20Z lha $ */
+
+#ifndef __LOGIN_PATH_H
+#define __LOGIN_PATH_H
+
+#ifndef _PATH_NOLOGIN
+#define _PATH_NOLOGIN "/etc/nologin"
+#endif
+
+#ifndef _PATH_ETC_ENVIRONMENT
+#define _PATH_ETC_ENVIRONMENT SYSCONFDIR "/environment"
+#endif
+
+#ifndef _PATH_LIMITS_CONF
+#define _PATH_LIMITS_CONF "/etc/security/limits.conf"
+#endif
+
+
+#endif /* __LOGIN_PATH_H */
diff --git a/crypto/heimdal/appl/login/osfc2.c b/crypto/heimdal/appl/login/osfc2.c
index 056484c..e9c3679 100644
--- a/crypto/heimdal/appl/login/osfc2.c
+++ b/crypto/heimdal/appl/login/osfc2.c
@@ -32,7 +32,7 @@
  */
 
 #include "login_locl.h"
-RCSID("$Id: osfc2.c,v 1.4 2001/02/20 01:44:46 assar Exp $");
+RCSID("$Id: osfc2.c 9704 2001-02-20 01:44:56Z assar $");
 
 int
 do_osfc2_magic(uid_t uid)
diff --git a/crypto/heimdal/appl/login/read_string.c b/crypto/heimdal/appl/login/read_string.c
index f3cee14..925345e 100644
--- a/crypto/heimdal/appl/login/read_string.c
+++ b/crypto/heimdal/appl/login/read_string.c
@@ -33,7 +33,7 @@
 
 #include "login_locl.h"
 
-RCSID("$Id: read_string.c,v 1.4 2000/06/21 02:09:36 assar Exp $");
+RCSID("$Id: read_string.c 18156 2006-09-22 15:42:39Z lha $");
 
 static sig_atomic_t intr_flag;
 
@@ -43,10 +43,15 @@ intr(int sig)
     intr_flag++;
 }
 
+#ifndef NSIG
+#define NSIG 47
+#endif
+
 int
 read_string(const char *prompt, char *buf, size_t len, int echo)
 {
-    struct sigaction sigs[47];
+    struct sigaction sigs[NSIG];
+    int oksigs[NSIG];
     struct sigaction sa;
     FILE *tty;
     int ret = 0;
@@ -57,12 +62,16 @@ read_string(const char *prompt, char *buf, size_t len, int echo)
 
     struct termios t_new, t_old;
 
+    memset(&oksigs, 0, sizeof(oksigs));
+
     memset(&sa, 0, sizeof(sa));
     sa.sa_handler = intr;
     sigemptyset(&sa.sa_mask);
     sa.sa_flags = 0;
-    for(i = 0; i < sizeof(sigs) / sizeof(sigs[0]); i++)
-	if (i != SIGALRM) sigaction(i, &sa, &sigs[i]);
+    for(i = 1; i < sizeof(sigs) / sizeof(sigs[0]); i++)
+	if (i != SIGALRM) 
+	    if (sigaction(i, &sa, &sigs[i]) == 0)
+		oksigs[i] = 1;
 
     if((tty = fopen("/dev/tty", "r")) == NULL)
 	tty = stdin;
@@ -103,8 +112,9 @@ read_string(const char *prompt, char *buf, size_t len, int echo)
     if(tty != stdin)
 	fclose(tty);
 
-    for(i = 0; i < sizeof(sigs) / sizeof(sigs[0]); i++)
-	if (i != SIGALRM) sigaction(i, &sigs[i], NULL);
+    for(i = 1; i < sizeof(sigs) / sizeof(sigs[0]); i++)
+	if (oksigs[i])
+	    sigaction(i, &sigs[i], NULL);
     
     if(ret)
 	return -3;
diff --git a/crypto/heimdal/appl/login/shadow.c b/crypto/heimdal/appl/login/shadow.c
index 0923831..081fe1c 100644
--- a/crypto/heimdal/appl/login/shadow.c
+++ b/crypto/heimdal/appl/login/shadow.c
@@ -33,7 +33,7 @@
 
 #include "login_locl.h"
 
-RCSID("$Id: shadow.c,v 1.5 1999/12/02 17:04:56 joda Exp $");
+RCSID("$Id: shadow.c 7464 1999-12-02 17:05:13Z joda $");
 
 #ifdef HAVE_SHADOW_H
 
diff --git a/crypto/heimdal/appl/login/stty_default.c b/crypto/heimdal/appl/login/stty_default.c
index 5e38566..df49048 100644
--- a/crypto/heimdal/appl/login/stty_default.c
+++ b/crypto/heimdal/appl/login/stty_default.c
@@ -33,7 +33,7 @@
 
 #include "login_locl.h"
 
-RCSID("$Id: stty_default.c,v 1.8 1999/12/02 17:04:56 joda Exp $");
+RCSID("$Id: stty_default.c 7464 1999-12-02 17:05:13Z joda $");
 
 #include <termios.h>
 
diff --git a/crypto/heimdal/appl/login/tty.c b/crypto/heimdal/appl/login/tty.c
index 0ffea72..8dd68ee 100644
--- a/crypto/heimdal/appl/login/tty.c
+++ b/crypto/heimdal/appl/login/tty.c
@@ -33,7 +33,7 @@
 
 #include "login_locl.h"
 
-RCSID("$Id: tty.c,v 1.4 1999/12/02 17:04:56 joda Exp $");
+RCSID("$Id: tty.c 7464 1999-12-02 17:05:13Z joda $");
 
 /*
  * Clean the tty name.  Return a pointer to the cleaned version.
diff --git a/crypto/heimdal/appl/login/utmp_login.c b/crypto/heimdal/appl/login/utmp_login.c
index 0be6cdb..5f6c79c 100644
--- a/crypto/heimdal/appl/login/utmp_login.c
+++ b/crypto/heimdal/appl/login/utmp_login.c
@@ -33,7 +33,7 @@
 
 #include "login_locl.h"
 
-RCSID("$Id: utmp_login.c,v 1.18 2001/02/08 16:08:26 assar Exp $");
+RCSID("$Id: utmp_login.c 9661 2001-02-08 16:08:47Z assar $");
 
 /* try to put something useful from hostname into dst, dst_sz:
  * full name, first component or address */
diff --git a/crypto/heimdal/appl/login/utmpx_login.c b/crypto/heimdal/appl/login/utmpx_login.c
index b6e5fcf..5e25c09 100644
--- a/crypto/heimdal/appl/login/utmpx_login.c
+++ b/crypto/heimdal/appl/login/utmpx_login.c
@@ -18,7 +18,7 @@
 
 #include "login_locl.h"
 
-RCSID("$Id: utmpx_login.c,v 1.26 2001/06/04 14:10:19 assar Exp $");
+RCSID("$Id: utmpx_login.c 10020 2001-06-04 14:10:19Z assar $");
 
 /* utmpx_login - update utmp and wtmp after login */
 
diff --git a/crypto/heimdal/appl/push/ChangeLog b/crypto/heimdal/appl/push/ChangeLog
index e158181..d1ad46b 100644
--- a/crypto/heimdal/appl/push/ChangeLog
+++ b/crypto/heimdal/appl/push/ChangeLog
@@ -1,6 +1,10 @@
-2004-06-21  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-04-19  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* push.c: 1.48: alloc memory to handle very long lines
+	* push.c: catch when snprint needs a larger buffer
+
+2004-06-17  Johan Danielsson  <joda@pdc.kth.se>
+
+	* push.c: alloc memory to handle very long lines
 	
 2003-04-03  Assar Westerlund  <assar@kth.se>
 
diff --git a/crypto/heimdal/appl/push/Makefile.am b/crypto/heimdal/appl/push/Makefile.am
index 5999ec1..eb67943 100644
--- a/crypto/heimdal/appl/push/Makefile.am
+++ b/crypto/heimdal/appl/push/Makefile.am
@@ -1,8 +1,8 @@
-# $Id: Makefile.am,v 1.17 2000/11/15 22:51:09 assar Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += $(INCLUDE_krb4) $(INCLUDE_hesiod)
+AM_CPPFLAGS += $(INCLUDE_krb4) $(INCLUDE_hesiod)
 
 bin_SCRIPTS		= pfrom
 
@@ -22,6 +22,6 @@ EXTRA_DIST = pfrom.in $(man_MANS)
 
 LDADD = $(LIB_krb5) \
 	$(LIB_krb4) \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(LIB_roken) \
 	$(LIB_hesiod)
diff --git a/crypto/heimdal/appl/push/Makefile.in b/crypto/heimdal/appl/push/Makefile.in
index 4dc3b92..9178f7b 100644
--- a/crypto/heimdal/appl/push/Makefile.in
+++ b/crypto/heimdal/appl/push/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,24 +14,18 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.17 2000/11/15 22:51:09 assar Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
 
-SOURCES = $(push_SOURCES)
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -43,6 +37,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -51,16 +46,14 @@ libexec_PROGRAMS = push$(EXEEXT)
 subdir = appl/push
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -73,6 +66,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -81,43 +75,47 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)"
+am__installdirs = "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(bindir)" \
+	"$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)"
 libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(libexec_PROGRAMS)
 am_push_OBJECTS = push.$(OBJEXT)
 push_OBJECTS = $(am_push_OBJECTS)
 push_LDADD = $(LDADD)
-@KRB5_TRUE@am__DEPENDENCIES_1 = $(top_builddir)/lib/krb5/libkrb5.la \
-@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
-am__DEPENDENCIES_2 =
-push_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \
-	$(am__DEPENDENCIES_2) $(am__DEPENDENCIES_2) \
-	$(am__DEPENDENCIES_2)
+am__DEPENDENCIES_1 =
+push_DEPENDENCIES = $(LIB_krb5) $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1)
 binSCRIPT_INSTALL = $(INSTALL_SCRIPT)
 SCRIPTS = $(bin_SCRIPTS)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
 SOURCES = $(push_SOURCES)
 DIST_SOURCES = $(push_SOURCES)
 man1dir = $(mandir)/man1
@@ -127,13 +125,7 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -143,8 +135,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -155,11 +145,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -167,42 +156,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -220,12 +194,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -235,15 +206,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -252,6 +222,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -263,15 +234,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -279,74 +245,80 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(INCLUDE_hesiod)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	$(INCLUDE_krb4) $(INCLUDE_hesiod)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -363,6 +335,7 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 bin_SCRIPTS = pfrom
 push_SOURCES = push.c push_locl.h
@@ -371,14 +344,14 @@ CLEANFILES = pfrom
 EXTRA_DIST = pfrom.in $(man_MANS)
 LDADD = $(LIB_krb5) \
 	$(LIB_krb4) \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(LIB_roken) \
 	$(LIB_hesiod)
 
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -410,7 +383,7 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-libexecPROGRAMS: $(libexec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(libexecdir)" || $(mkdir_p) "$(DESTDIR)$(libexecdir)"
+	test -z "$(libexecdir)" || $(MKDIR_P) "$(DESTDIR)$(libexecdir)"
 	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -438,10 +411,10 @@ clean-libexecPROGRAMS:
 	done
 push$(EXEEXT): $(push_OBJECTS) $(push_DEPENDENCIES) 
 	@rm -f push$(EXEEXT)
-	$(LINK) $(push_LDFLAGS) $(push_OBJECTS) $(push_LDADD) $(LIBS)
+	$(LINK) $(push_OBJECTS) $(push_LDADD) $(LIBS)
 install-binSCRIPTS: $(bin_SCRIPTS)
 	@$(NORMAL_INSTALL)
-	test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)"
+	test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
 	@list='$(bin_SCRIPTS)'; for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  if test -f $$d$$p; then \
@@ -479,13 +452,9 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 install-man1: $(man1_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man1dir)" || $(mkdir_p) "$(DESTDIR)$(man1dir)"
+	test -z "$(man1dir)" || $(MKDIR_P) "$(DESTDIR)$(man1dir)"
 	@list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -530,7 +499,7 @@ uninstall-man1:
 	done
 install-man8: $(man8_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)"
+	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
 	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -594,9 +563,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -621,23 +592,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../.. $(distdir)/../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -657,7 +626,7 @@ check: check-am
 all-am: Makefile $(PROGRAMS) $(SCRIPTS) $(MANS) all-local
 installdirs:
 	for dir in "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -679,7 +648,7 @@ clean-generic:
 	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -692,7 +661,7 @@ clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -708,14 +677,22 @@ install-data-am: install-man
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-binSCRIPTS install-libexecPROGRAMS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man: install-man1 install-man8
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -735,25 +712,32 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-binSCRIPTS uninstall-info-am \
-	uninstall-libexecPROGRAMS uninstall-man
+uninstall-am: uninstall-binSCRIPTS uninstall-libexecPROGRAMS \
+	uninstall-man
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
 
 uninstall-man: uninstall-man1 uninstall-man8
 
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
 .PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
 	clean clean-generic clean-libexecPROGRAMS clean-libtool ctags \
-	distclean distclean-compile distclean-generic \
+	dist-hook distclean distclean-compile distclean-generic \
 	distclean-libtool distclean-tags distdir dvi dvi-am html \
 	html-am info info-am install install-am install-binSCRIPTS \
-	install-data install-data-am install-exec install-exec-am \
-	install-info install-info-am install-libexecPROGRAMS \
-	install-man install-man1 install-man8 install-strip \
-	installcheck installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-binSCRIPTS \
-	uninstall-info-am uninstall-libexecPROGRAMS uninstall-man \
-	uninstall-man1 uninstall-man8
+	install-data install-data-am install-data-hook install-dvi \
+	install-dvi-am install-exec install-exec-am install-exec-hook \
+	install-html install-html-am install-info install-info-am \
+	install-libexecPROGRAMS install-man install-man1 install-man8 \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-binSCRIPTS uninstall-hook uninstall-libexecPROGRAMS \
+	uninstall-man uninstall-man1 uninstall-man8
 
 
 install-suid-programs:
@@ -768,8 +752,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -779,19 +763,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -807,7 +803,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -877,15 +873,40 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
 
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
 pfrom: pfrom.in
 	sed -e "s!%libexecdir%!$(libexecdir)!" $(srcdir)/pfrom.in > $@
 	chmod +x $@
diff --git a/crypto/heimdal/appl/push/pfrom.1 b/crypto/heimdal/appl/push/pfrom.1
index 2d7983c..e8f1561 100644
--- a/crypto/heimdal/appl/push/pfrom.1
+++ b/crypto/heimdal/appl/push/pfrom.1
@@ -29,7 +29,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 .\" SUCH DAMAGE. 
 .\" 
-.\" $Id: pfrom.1,v 1.5 2003/02/16 21:10:11 lha Exp $
+.\" $Id: pfrom.1 11648 2003-02-16 21:10:32Z lha $
 .\"
 .Dd March 4, 2000
 .Dt PFROM 1
diff --git a/crypto/heimdal/appl/push/pfrom.in b/crypto/heimdal/appl/push/pfrom.in
index 6adf4f0..8af97ef 100644
--- a/crypto/heimdal/appl/push/pfrom.in
+++ b/crypto/heimdal/appl/push/pfrom.in
@@ -1,5 +1,5 @@
 #!/bin/sh
-# $Id: pfrom.in,v 1.2 1998/11/24 13:25:47 assar Exp $
+# $Id: pfrom.in 5248 1998-11-24 13:25:47Z assar $
 libexecdir=%libexecdir%
 PATH=$libexecdir:$PATH
 export PATH
diff --git a/crypto/heimdal/appl/push/push.8 b/crypto/heimdal/appl/push/push.8
index 14561a9..985545e 100644
--- a/crypto/heimdal/appl/push/push.8
+++ b/crypto/heimdal/appl/push/push.8
@@ -1,4 +1,4 @@
-.\" $Id: push.8,v 1.13 2002/08/20 17:07:07 joda Exp $
+.\" $Id: push.8 11176 2002-08-20 17:07:29Z joda $
 .\"
 .Dd May 31, 1998
 .Dt PUSH 8
diff --git a/crypto/heimdal/appl/push/push.c b/crypto/heimdal/appl/push/push.c
index 2e6f8b8..87a0be2 100644
--- a/crypto/heimdal/appl/push/push.c
+++ b/crypto/heimdal/appl/push/push.c
@@ -32,7 +32,7 @@
  */
 
 #include "push_locl.h"
-RCSID("$Id: push.c,v 1.47.2.1 2004/06/21 10:54:46 lha Exp $");
+RCSID("$Id: push.c 14850 2005-04-19 18:00:17Z lha $");
 
 #ifdef KRB4
 static int use_v4 = -1;
@@ -268,11 +268,13 @@ doit(int s,
     now = time(NULL);
     from_line_length = snprintf (from_line, sizeof(from_line),
 				 "From %s %s", "push", ctime(&now));
+    if (from_line_length < 0 || from_line_length > sizeof(from_line))
+	errx (1, "snprintf failed");
 
     out_len = snprintf (out_buf, sizeof(out_buf),
 			"USER %s\r\nPASS hej\r\nSTAT\r\n",
 			user);
-    if (out_len < 0)
+    if (out_len < 0 || out_len > sizeof(out_buf))
 	errx (1, "snprintf failed");
     if (net_write (s, out_buf, out_len) != out_len)
 	err (1, "write");
@@ -490,7 +492,7 @@ doit(int s,
 	    else if(state == DELE)
 		out_len = snprintf (out_buf, sizeof(out_buf),
 				    "DELE %u\r\n", ++asked_deleted);
-	    if (out_len < 0)
+	    if (out_len < 0 || out_len > sizeof(out_buf))
 		errx (1, "snprintf failed");
 	    if (net_write (s, out_buf, out_len) != out_len)
 		err (1, "write");
diff --git a/crypto/heimdal/appl/push/push_locl.h b/crypto/heimdal/appl/push/push_locl.h
index 1e5ca78..0bcac64 100644
--- a/crypto/heimdal/appl/push/push_locl.h
+++ b/crypto/heimdal/appl/push/push_locl.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: push_locl.h,v 1.6 1999/12/02 16:58:33 joda Exp $ */
+/* $Id: push_locl.h 7463 1999-12-02 16:58:55Z joda $ */
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
diff --git a/crypto/heimdal/appl/rcp/ChangeLog b/crypto/heimdal/appl/rcp/ChangeLog
index 6c830d6..6ae6a1d 100644
--- a/crypto/heimdal/appl/rcp/ChangeLog
+++ b/crypto/heimdal/appl/rcp/ChangeLog
@@ -1,3 +1,56 @@
+2007-12-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Add missing files, from Buchan Milne.
+
+2006-10-20  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: more files
+	
+2006-08-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* util.c: Check return values from setuid, prompted by MIT
+	advisory.  Thanks to Tom Yu at MIT, and Michael Calmer and Marcus
+	Meissner at SUSE.  Either of CVE-2006-3083 or CVE-2006-3084.
+
+	* rcp.c: Check return values from setuid, prompted by MIT
+	advisory.  Thanks to Tom Yu at MIT, and Michael Calmer and Marcus
+	Meissner at SUSE.  Either of CVE-2006-3083 or CVE-2006-3084.
+
+	* rcp.c: Check return values from seteuid, prompted by MIT
+	advisory.  Thanks to Tom Yu at MIT, and Michael Calmer and Marcus
+	Meissner at SUSE.  Either of CVE-2006-3083 or CVE-2006-3084.
+	
+2005-10-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* rcp.c: Check return value from asprintf instead of string !=
+	NULL since it undefined behavior on Linux. From Björn Sandell
+	
+2005-08-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* util.c: Explicit typecast to avoid signess warning.
+	
+2005-05-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* rcp_locl.h: undef _PATH_RSH to make sure our version is used
+	
+2005-05-11  David Love  <fx@gnu.org>
+
+	* rcp.c: MODEMASK is defined in sys/vnode.h on Solaris, so undef
+	it before we define our own.
+
+2005-04-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* rcp_locl.h: use BINDIR instead of "/usr/bin/ with _PATH_RSH
+
+2005-04-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* util.c: use unsigned char * to make sure its not negative when
+	passing it to is* functions
+
+2004-05-14  Johan Danielsson  <joda@pdc.kth.se>
+
+	* rcp.c: add -e (passed to rsh)
+	
 2003-04-16  Johan Danielsson  <joda@pdc.kth.se>
 
 	* rcp.1: add a HISTORY section
diff --git a/crypto/heimdal/appl/rcp/Makefile.am b/crypto/heimdal/appl/rcp/Makefile.am
index 4ecf7a6..6b2295a 100644
--- a/crypto/heimdal/appl/rcp/Makefile.am
+++ b/crypto/heimdal/appl/rcp/Makefile.am
@@ -1,11 +1,15 @@
-# $Id: Makefile.am,v 1.2 2001/01/28 22:50:35 assar Exp $
+# $Id: Makefile.am 22281 2007-12-13 20:35:52Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += $(INCLUDE_krb4)
+AM_CPPFLAGS += $(INCLUDE_krb4)
 
 bin_PROGRAMS = rcp
 
-rcp_SOURCES  = rcp.c util.c
+rcp_SOURCES  = rcp.c util.c rcp_locl.h extern.h
+
+man_MANS = rcp.1
+
+EXTRA_DIST = $(man_MANS)
 
 LDADD = $(LIB_roken)
diff --git a/crypto/heimdal/appl/rcp/Makefile.in b/crypto/heimdal/appl/rcp/Makefile.in
index 7c5a0c4..2ee0151 100644
--- a/crypto/heimdal/appl/rcp/Makefile.in
+++ b/crypto/heimdal/appl/rcp/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,23 +14,17 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.2 2001/01/28 22:50:35 assar Exp $
+# $Id: Makefile.am 22281 2007-12-13 20:35:52Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
-SOURCES = $(rcp_SOURCES)
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -42,6 +36,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -50,16 +45,14 @@ bin_PROGRAMS = rcp$(EXEEXT)
 subdir = appl/rcp
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -72,6 +65,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -80,19 +74,23 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(bindir)"
+am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)"
 binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(bin_PROGRAMS)
 am_rcp_OBJECTS = rcp.$(OBJEXT) util.$(OBJEXT)
@@ -100,30 +98,27 @@ rcp_OBJECTS = $(am_rcp_OBJECTS)
 rcp_LDADD = $(LDADD)
 am__DEPENDENCIES_1 =
 rcp_DEPENDENCIES = $(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
 SOURCES = $(rcp_SOURCES)
 DIST_SOURCES = $(rcp_SOURCES)
+man1dir = $(mandir)/man1
+MANS = $(man_MANS)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -133,8 +128,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -145,11 +138,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -157,42 +149,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -210,12 +187,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -225,15 +199,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -242,6 +215,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -253,15 +227,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -269,74 +238,80 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	$(INCLUDE_krb4)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -353,13 +328,16 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
-rcp_SOURCES = rcp.c util.c
+rcp_SOURCES = rcp.c util.c rcp_locl.h extern.h
+man_MANS = rcp.1
+EXTRA_DIST = $(man_MANS)
 LDADD = $(LIB_roken)
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -391,7 +369,7 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-binPROGRAMS: $(bin_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)"
+	test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
 	@list='$(bin_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -419,7 +397,7 @@ clean-binPROGRAMS:
 	done
 rcp$(EXEEXT): $(rcp_OBJECTS) $(rcp_DEPENDENCIES) 
 	@rm -f rcp$(EXEEXT)
-	$(LINK) $(rcp_LDFLAGS) $(rcp_OBJECTS) $(rcp_LDADD) $(LIBS)
+	$(LINK) $(rcp_OBJECTS) $(rcp_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -441,10 +419,51 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
+install-man1: $(man1_MANS) $(man_MANS)
+	@$(NORMAL_INSTALL)
+	test -z "$(man1dir)" || $(MKDIR_P) "$(DESTDIR)$(man1dir)"
+	@list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \
+	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+	for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  case "$$ext" in \
+	    1*) ;; \
+	    *) ext='1' ;; \
+	  esac; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \
+	  $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst"; \
+	done
+uninstall-man1:
+	@$(NORMAL_UNINSTALL)
+	@list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \
+	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+	for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  case "$$ext" in \
+	    1*) ;; \
+	    *) ext='1' ;; \
+	  esac; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f '$(DESTDIR)$(man1dir)/$$inst'"; \
+	  rm -f "$(DESTDIR)$(man1dir)/$$inst"; \
+	done
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -466,9 +485,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -493,23 +514,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../.. $(distdir)/../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -526,10 +545,10 @@ distdir: $(DISTFILES)
 check-am: all-am
 	$(MAKE) $(AM_MAKEFLAGS) check-local
 check: check-am
-all-am: Makefile $(PROGRAMS) all-local
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
 installdirs:
-	for dir in "$(DESTDIR)$(bindir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -550,7 +569,7 @@ mostlyclean-generic:
 clean-generic:
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -562,7 +581,7 @@ clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -574,17 +593,25 @@ info: info-am
 
 info-am:
 
-install-data-am:
+install-data-am: install-man
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-binPROGRAMS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
-install-man:
+install-man: install-man1
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
 
 installcheck-am:
 
@@ -605,20 +632,30 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-binPROGRAMS uninstall-info-am
+uninstall-am: uninstall-binPROGRAMS uninstall-man
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+uninstall-man: uninstall-man1
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
 
 .PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
 	clean clean-binPROGRAMS clean-generic clean-libtool ctags \
-	distclean distclean-compile distclean-generic \
+	dist-hook distclean distclean-compile distclean-generic \
 	distclean-libtool distclean-tags distdir dvi dvi-am html \
 	html-am info info-am install install-am install-binPROGRAMS \
-	install-data install-data-am install-exec install-exec-am \
-	install-info install-info-am install-man install-strip \
-	installcheck installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-binPROGRAMS \
-	uninstall-info-am
+	install-data install-data-am install-data-hook install-dvi \
+	install-dvi-am install-exec install-exec-am install-exec-hook \
+	install-html install-html-am install-info install-info-am \
+	install-man install-man1 install-pdf install-pdf-am install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \
+	uninstall-am uninstall-binPROGRAMS uninstall-hook \
+	uninstall-man uninstall-man1
 
 
 install-suid-programs:
@@ -633,8 +670,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -644,19 +681,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -672,7 +721,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -742,14 +791,39 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/appl/rcp/rcp.1 b/crypto/heimdal/appl/rcp/rcp.1
index 5ce9527..920a4f7 100644
--- a/crypto/heimdal/appl/rcp/rcp.1
+++ b/crypto/heimdal/appl/rcp/rcp.1
@@ -1,4 +1,4 @@
-.\" $Id: rcp.1,v 1.2 2003/04/16 12:20:43 joda Exp $
+.\" $Id: rcp.1 12025 2003-04-16 12:20:43Z joda $
 .\"
 .Dd April 16, 2003
 .Dt RCP 1
diff --git a/crypto/heimdal/appl/rcp/rcp.c b/crypto/heimdal/appl/rcp/rcp.c
index c54409a..9a138c7 100644
--- a/crypto/heimdal/appl/rcp/rcp.c
+++ b/crypto/heimdal/appl/rcp/rcp.c
@@ -43,6 +43,7 @@ int     pflag, iamremote, iamrecursive, targetshouldbedirectory;
 int     doencrypt, noencrypt;
 int     usebroken, usekrb4, usekrb5, forwardtkt;
 char    *port;
+int     eflag = 0;
 
 #define	CMDNEEDS	64
 char cmd[CMDNEEDS];		/* must hold "rcp -r -p -d\0" */
@@ -71,6 +72,7 @@ struct getargs args[] = {
     { NULL,	'x', arg_flag,		&doencrypt,	"use encryption" },
     { NULL,	'z', arg_flag,		&noencrypt,	"don't encrypt" },
     { NULL,	'd', arg_flag,		&targetshouldbedirectory },
+    { NULL,	'e', arg_flag,		&eflag, 	"passed to rsh" },
     { NULL,	'f', arg_flag,		&fflag },
     { NULL,	't', arg_flag,		&tflag },
     { "version", 0,  arg_flag,		&version_flag },
@@ -117,13 +119,15 @@ main(int argc, char **argv)
 
 	if (fflag) {			/* Follow "protocol", send data. */
 		response();
-		setuid(userid);
+		if (setuid(userid) < 0)
+			errx(1, "setuid failed");
 		source(argc, argv);
 		exit(errs);
 	}
 
 	if (tflag) {			/* Receive data. */
-		setuid(userid);
+		if (setuid(userid) < 0)
+			errx(1, "setuid failed");
 		sink(argc, argv);
 		exit(errs);
 	}
@@ -177,6 +181,7 @@ toremote(char *targ, int argc, char **argv)
 	for (i = 0; i < argc - 1; i++) {
 		src = colon(argv[i]);
 		if (src) {			/* remote to remote */
+			int ret;
 			*src++ = 0;
 			if (*src == 0)
 				src = ".";
@@ -188,26 +193,27 @@ toremote(char *targ, int argc, char **argv)
 					suser = pwd->pw_name;
 				else if (!okname(suser))
 					continue;
-				asprintf(&bp,
-				    "%s %s -l %s -n %s %s '%s%s%s:%s'",
-				    _PATH_RSH, host, suser, cmd, src,
+				ret = asprintf(&bp,
+				    "%s%s %s -l %s -n %s %s '%s%s%s:%s'",
+					 _PATH_RSH, eflag ? " -e" : "", 
+					 host, suser, cmd, src,
 				    tuser ? tuser : "", tuser ? "@" : "",
 				    thost, targ);
 			} else {
-				asprintf(&bp,
-				    "exec %s %s -n %s %s '%s%s%s:%s'",
-				    _PATH_RSH, argv[i], cmd, src,
-				    tuser ? tuser : "", tuser ? "@" : "",
-				    thost, targ);
+				ret = asprintf(&bp,
+					 "exec %s%s %s -n %s %s '%s%s%s:%s'",
+					 _PATH_RSH, eflag ? " -e" : "", 
+					 argv[i], cmd, src,
+					 tuser ? tuser : "", tuser ? "@" : "",
+					 thost, targ);
 			}
-			if (bp == NULL)
+			if (ret == -1)
 				err (1, "malloc");
 			susystem(bp, userid);
 			free(bp);
 		} else {			/* local to remote */
 			if (remin == -1) {
-				asprintf(&bp, "%s -t %s", cmd, targ);
-				if (bp == NULL)
+				if (asprintf(&bp, "%s -t %s", cmd, targ) == -1)
 					err (1, "malloc");
 				host = thost;
 
@@ -217,7 +223,8 @@ toremote(char *targ, int argc, char **argv)
 				if (response() < 0)
 					exit(1);
 				free(bp);
-				setuid(userid);
+				if (setuid(userid) < 0)
+					errx(1, "setuid failed");
 			}
 			source(1, argv+i);
 		}
@@ -231,11 +238,13 @@ tolocal(int argc, char **argv)
 	char *bp, *host, *src, *suser;
 
 	for (i = 0; i < argc - 1; i++) {
+		int ret;
+
 		if (!(src = colon(argv[i]))) {		/* Local to local. */
-			asprintf(&bp, "exec %s%s%s %s %s", _PATH_CP,
+			ret = asprintf(&bp, "exec %s%s%s %s %s", _PATH_CP,
 			    iamrecursive ? " -PR" : "", pflag ? " -p" : "",
 			    argv[i], argv[argc - 1]);
-			if (bp == NULL)
+			if (ret == -1)
 				err (1, "malloc");
 			if (susystem(bp, userid))
 				++errs;
@@ -256,8 +265,8 @@ tolocal(int argc, char **argv)
 			else if (!okname(suser))
 				continue;
 		}
-		asprintf(&bp, "%s -f %s", cmd, src);
-		if (bp == NULL)
+		ret = asprintf(&bp, "%s -f %s", cmd, src);
+		if (ret == -1)
 			err (1, "malloc");
 		if (do_cmd(host, suser, bp, &remin, &remout) < 0) {
 			free(bp);
@@ -266,7 +275,8 @@ tolocal(int argc, char **argv)
 		}
 		free(bp);
 		sink(1, argv + argc - 1);
-		seteuid(0);
+		if (seteuid(0) < 0)
+			exit(1);
 		close(remin);
 		remin = remout = -1;
 	}
@@ -319,6 +329,7 @@ syserr:			run_err("%s: %s", name, strerror(errno));
 			if (response() < 0)
 				goto next;
 		}
+#undef MODEMASK
 #define	MODEMASK	(S_ISUID|S_ISGID|S_ISVTX|S_IRWXU|S_IRWXG|S_IRWXO)
 		snprintf(buf, sizeof(buf), "C%04o %lu %s\n",
 			 stb.st_mode & MODEMASK,
@@ -768,6 +779,8 @@ do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout)
 			args[i++] = "-p";
 			args[i++] = port;
 		}
+		if (eflag)
+		    args[i++] = "-e";
 		if (remuser != NULL) {
 			args[i++] = "-l";
 			args[i++] = remuser;
diff --git a/crypto/heimdal/appl/rcp/rcp_locl.h b/crypto/heimdal/appl/rcp/rcp_locl.h
index 4397c9f..4dc6d5f 100644
--- a/crypto/heimdal/appl/rcp/rcp_locl.h
+++ b/crypto/heimdal/appl/rcp/rcp_locl.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: rcp_locl.h,v 1.3 2001/01/29 05:59:24 assar Exp $ */
+/* $Id: rcp_locl.h 15285 2005-05-29 18:24:43Z lha $ */
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
@@ -60,5 +60,8 @@
 
 #include "extern.h"
 
+#ifndef _PATH_CP
 #define	_PATH_CP	"/bin/cp"
-#define	_PATH_RSH	"/usr/bin/rsh"
+#endif
+#undef _PATH_RSH
+#define	_PATH_RSH	BINDIR "/rsh"
diff --git a/crypto/heimdal/appl/rcp/util.c b/crypto/heimdal/appl/rcp/util.c
index 3621d30..fe9e899 100644
--- a/crypto/heimdal/appl/rcp/util.c
+++ b/crypto/heimdal/appl/rcp/util.c
@@ -43,7 +43,7 @@ static const char rcsid[] =
 
 #include "rcp_locl.h"
 
-RCSID("$Id: util.c,v 1.6 2001/09/04 14:35:58 assar Exp $");
+RCSID("$Id: util.c 17878 2006-08-08 21:43:58Z lha $");
 
 char *
 colon(cp)
@@ -81,9 +81,9 @@ okname(cp0)
 	char *cp0;
 {
 	int c;
-	char *cp;
+	unsigned char *cp;
 
-	cp = cp0;
+	cp = (unsigned char *)cp0;
 	do {
 		c = *cp;
 		if (c & 0200)
@@ -112,7 +112,8 @@ susystem(s, userid)
 		return (127);
 
 	case 0:
-		(void)setuid(userid);
+		if (setuid(userid) < 0)
+			_exit(127);
 		execl(_PATH_BSHELL, "sh", "-c", s, NULL);
 		_exit(127);
 	}
diff --git a/crypto/heimdal/appl/rsh/ChangeLog b/crypto/heimdal/appl/rsh/ChangeLog
index 1f33245..e78ff25a8 100644
--- a/crypto/heimdal/appl/rsh/ChangeLog
+++ b/crypto/heimdal/appl/rsh/ChangeLog
@@ -1,3 +1,128 @@
+2007-07-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* rsh.c: Fix pointer vs strict alias rules.
+
+	* rshd.c: Fix pointer vs strict alias rules.
+
+2007-01-04  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* rshd.c: Declare iruserok if needed, based on bug report from
+	David Love.
+	
+2006-11-14  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* rsh_locl.h: Forward decl.
+	
+2006-10-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* rsh_locl.h: Include "crypto-headers.h".
+	
+2006-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Add man_MANS to EXTRA_DIST
+	
+2006-04-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: rshd_SOURCES += add limits_conf.c
+
+	* rsh_locl.h: Include "loginpaths.h"
+
+	* rshd.c: Read limits from limits.confon non-root login, patch
+	from Daniel Ahlin
+	
+2006-02-27 Johan Danielsson <joda@pdc.kth.se>
+
+	* rshd.8: grammar (from Thomas Klausner)
+	
+2006-01-31  Johan Danielsson  <joda@pdc.kth.se>
+
+	* rshd.c (krb5_start_session): syslog failures to store cred cache
+	
+2005-12-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* rshd.c (doit): move creation of users ticket file to later to
+	avoid seteuid/setuid dance. this breaks DCE, so remove support for
+	it completely.
+	
+2005-10-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* rshd.c: Check return value from asprintf instead of string !=
+	NULL since it undefined behavior on Linux. From Björn Sandell
+
+	* rsh.c: Check return value from asprintf instead of string !=
+	NULL since it undefined behavior on Linux. From Björn Sandell
+
+2005-06-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* rshd.c: init some important variables and check that they are
+	set checking authentication, all to please gcc
+
+2005-05-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* rshd.c: case uid_t to unsigned long in printf format
+	
+2005-04-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* rsh_locl.h: Use larger buffer for recving data to be compatible
+	with older versions of heimdal (0.4 branch specificly)
+
+	* rshd.c: Use larger buffer for recving data to be compatible with
+	older versions of heimdal (0.4 branch specificly)
+
+2005-04-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* rshd.c: use snprintf to format tkfile
+	
+2005-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* rsh.c: use strlcat
+
+	* rsh.c: use strlcpy
+
+	* rsh_locl.h: forward declaration for private structures
+
+2005-04-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* rsh.c: cast size_t to unsigned long
+
+2004-09-21  Johan Danielsson  <joda@pdc.kth.se>
+
+	* rshd.c: rename loop to rshd_loop
+	
+	* rshd.c: pass errsock status to init_ivecs
+	
+	* rsh.c: rename loop() to rsh_loop()
+	
+	* rsh.c (loop): pass errsock status to init_ivecs
+	
+	* common.c (init_ivecs): if we don't have an errsock the ivecs
+	should point to the same data
+	
+	* rshd.c: if we don't have an errsock, dup stdout to stderr (this
+	would normally be done by inetd, but not by mini_inetd).
+	
+	* rshd.c: move keepalive setting to after setting up sockets
+	
+2004-02-20  Johan Danielsson  <joda@pdc.kth.se>
+
+	* rsh.1: reorder and document some options
+
+	* rsh_locl.h: include kafs.h if krb4 || krb5
+
+	* rsh.c: reorder some options
+
+2003-09-04  Johan Danielsson  <joda@pdc.kth.se>
+
+	* rsh.1: document -d
+
+2003-08-19  Johan Danielsson  <joda@pdc.kth.se>
+
+	* rshd.c: -P also with KRB5
+	
+2003-04-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* rsh.1: replace > with \*[Gt]
+	
 2003-04-16  Johan Danielsson  <joda@pdc.kth.se>
 
 	* rsh.c: use krb5_appdefault to get defaults for forward and
diff --git a/crypto/heimdal/appl/rsh/Makefile.am b/crypto/heimdal/appl/rsh/Makefile.am
index 2fbc8e0..6377e02 100644
--- a/crypto/heimdal/appl/rsh/Makefile.am
+++ b/crypto/heimdal/appl/rsh/Makefile.am
@@ -1,8 +1,8 @@
-# $Id: Makefile.am,v 1.17 2001/07/31 09:12:03 joda Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += $(INCLUDE_krb4) -I$(srcdir)/../login
+AM_CPPFLAGS += $(INCLUDE_krb4) -I$(srcdir)/../login
 
 bin_PROGRAMS = rsh
 
@@ -12,14 +12,18 @@ libexec_PROGRAMS = rshd
 
 rsh_SOURCES  = rsh.c common.c rsh_locl.h
 
-rshd_SOURCES = rshd.c common.c login_access.c rsh_locl.h
+rshd_SOURCES = rshd.c common.c login_access.c limits_conf.c rsh_locl.h
 
 login_access.c:
 	$(LN_S) $(srcdir)/../login/login_access.c .
 
+limits_conf.c:
+	$(LN_S) $(srcdir)/../login/limits_conf.c .
+
 LDADD = $(LIB_kafs) \
 	$(LIB_krb5) \
 	$(LIB_krb4) \
-	$(LIB_des) \
-	$(LIB_roken) \
-	$(LIB_kdfs)
+	$(LIB_hcrypto) \
+	$(LIB_roken)
+
+EXTRA_DIST = $(man_MANS)
diff --git a/crypto/heimdal/appl/rsh/Makefile.in b/crypto/heimdal/appl/rsh/Makefile.in
index 04412b3..6c7651c 100644
--- a/crypto/heimdal/appl/rsh/Makefile.in
+++ b/crypto/heimdal/appl/rsh/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,23 +14,17 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.17 2001/07/31 09:12:03 joda Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
-SOURCES = $(rsh_SOURCES) $(rshd_SOURCES)
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -42,6 +36,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -51,16 +46,14 @@ libexec_PROGRAMS = rshd$(EXEEXT)
 subdir = appl/rsh
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -73,6 +66,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -81,19 +75,24 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)"
+am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libexecdir)" \
+	"$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)"
 binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(bin_PROGRAMS) $(libexec_PROGRAMS)
@@ -103,30 +102,28 @@ rsh_LDADD = $(LDADD)
 am__DEPENDENCIES_1 =
 am__DEPENDENCIES_2 = $(top_builddir)/lib/kafs/libkafs.la \
 	$(am__DEPENDENCIES_1)
-@KRB5_TRUE@am__DEPENDENCIES_3 = $(top_builddir)/lib/krb5/libkrb5.la \
-@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
-@DCE_TRUE@am__DEPENDENCIES_4 = $(top_builddir)/lib/kdfs/libkdfs.la
-rsh_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_3) \
+rsh_DEPENDENCIES = $(am__DEPENDENCIES_2) $(LIB_krb5) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_4)
+	$(am__DEPENDENCIES_1)
 am_rshd_OBJECTS = rshd.$(OBJEXT) common.$(OBJEXT) \
-	login_access.$(OBJEXT)
+	login_access.$(OBJEXT) limits_conf.$(OBJEXT)
 rshd_OBJECTS = $(am_rshd_OBJECTS)
 rshd_LDADD = $(LDADD)
-rshd_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_3) \
+rshd_DEPENDENCIES = $(am__DEPENDENCIES_2) $(LIB_krb5) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_4)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+	$(am__DEPENDENCIES_1)
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
 SOURCES = $(rsh_SOURCES) $(rshd_SOURCES)
 DIST_SOURCES = $(rsh_SOURCES) $(rshd_SOURCES)
 man1dir = $(mandir)/man1
@@ -136,13 +133,7 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -152,8 +143,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -164,11 +153,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -176,42 +164,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -229,12 +202,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -244,15 +214,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -261,6 +230,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -272,15 +242,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -288,74 +253,80 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) -I$(srcdir)/../login
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	$(INCLUDE_krb4) -I$(srcdir)/../login
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -372,21 +343,22 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 man_MANS = rsh.1 rshd.8
 rsh_SOURCES = rsh.c common.c rsh_locl.h
-rshd_SOURCES = rshd.c common.c login_access.c rsh_locl.h
+rshd_SOURCES = rshd.c common.c login_access.c limits_conf.c rsh_locl.h
 LDADD = $(LIB_kafs) \
 	$(LIB_krb5) \
 	$(LIB_krb4) \
-	$(LIB_des) \
-	$(LIB_roken) \
-	$(LIB_kdfs)
+	$(LIB_hcrypto) \
+	$(LIB_roken)
 
+EXTRA_DIST = $(man_MANS)
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -418,7 +390,7 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-binPROGRAMS: $(bin_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)"
+	test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
 	@list='$(bin_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -446,7 +418,7 @@ clean-binPROGRAMS:
 	done
 install-libexecPROGRAMS: $(libexec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(libexecdir)" || $(mkdir_p) "$(DESTDIR)$(libexecdir)"
+	test -z "$(libexecdir)" || $(MKDIR_P) "$(DESTDIR)$(libexecdir)"
 	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -474,10 +446,10 @@ clean-libexecPROGRAMS:
 	done
 rsh$(EXEEXT): $(rsh_OBJECTS) $(rsh_DEPENDENCIES) 
 	@rm -f rsh$(EXEEXT)
-	$(LINK) $(rsh_LDFLAGS) $(rsh_OBJECTS) $(rsh_LDADD) $(LIBS)
+	$(LINK) $(rsh_OBJECTS) $(rsh_LDADD) $(LIBS)
 rshd$(EXEEXT): $(rshd_OBJECTS) $(rshd_DEPENDENCIES) 
 	@rm -f rshd$(EXEEXT)
-	$(LINK) $(rshd_LDFLAGS) $(rshd_OBJECTS) $(rshd_LDADD) $(LIBS)
+	$(LINK) $(rshd_OBJECTS) $(rshd_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -499,13 +471,9 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 install-man1: $(man1_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man1dir)" || $(mkdir_p) "$(DESTDIR)$(man1dir)"
+	test -z "$(man1dir)" || $(MKDIR_P) "$(DESTDIR)$(man1dir)"
 	@list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -550,7 +518,7 @@ uninstall-man1:
 	done
 install-man8: $(man8_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)"
+	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
 	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -614,9 +582,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -641,23 +611,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../.. $(distdir)/../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -677,7 +645,7 @@ check: check-am
 all-am: Makefile $(PROGRAMS) $(MANS) all-local
 installdirs:
 	for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -698,7 +666,7 @@ mostlyclean-generic:
 clean-generic:
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -711,7 +679,7 @@ clean-am: clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -727,14 +695,22 @@ install-data-am: install-man
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-binPROGRAMS install-libexecPROGRAMS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man: install-man1 install-man8
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -754,26 +730,33 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-binPROGRAMS uninstall-info-am \
-	uninstall-libexecPROGRAMS uninstall-man
+uninstall-am: uninstall-binPROGRAMS uninstall-libexecPROGRAMS \
+	uninstall-man
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
 
 uninstall-man: uninstall-man1 uninstall-man8
 
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
 .PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
 	clean clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \
-	clean-libtool ctags distclean distclean-compile \
+	clean-libtool ctags dist-hook distclean distclean-compile \
 	distclean-generic distclean-libtool distclean-tags distdir dvi \
 	dvi-am html html-am info info-am install install-am \
-	install-binPROGRAMS install-data install-data-am install-exec \
-	install-exec-am install-info install-info-am \
-	install-libexecPROGRAMS install-man install-man1 install-man8 \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
-	uninstall-binPROGRAMS uninstall-info-am \
-	uninstall-libexecPROGRAMS uninstall-man uninstall-man1 \
-	uninstall-man8
+	install-binPROGRAMS install-data install-data-am \
+	install-data-hook install-dvi install-dvi-am install-exec \
+	install-exec-am install-exec-hook install-html install-html-am \
+	install-info install-info-am install-libexecPROGRAMS \
+	install-man install-man1 install-man8 install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-binPROGRAMS \
+	uninstall-hook uninstall-libexecPROGRAMS uninstall-man \
+	uninstall-man1 uninstall-man8
 
 
 install-suid-programs:
@@ -788,8 +771,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -799,19 +782,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -827,7 +822,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -897,17 +892,45 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
 
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
 login_access.c:
 	$(LN_S) $(srcdir)/../login/login_access.c .
+
+limits_conf.c:
+	$(LN_S) $(srcdir)/../login/limits_conf.c .
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/appl/rsh/common.c b/crypto/heimdal/appl/rsh/common.c
index 69b0c9b..84311b0 100644
--- a/crypto/heimdal/appl/rsh/common.c
+++ b/crypto/heimdal/appl/rsh/common.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999, 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,7 +32,7 @@
  */
 
 #include "rsh_locl.h"
-RCSID("$Id: common.c,v 1.16 2002/09/04 15:50:36 assar Exp $");
+RCSID("$Id: common.c 17450 2006-05-05 11:11:43Z lha $");
 
 #if defined(KRB4) || defined(KRB5)
 
@@ -43,7 +43,7 @@ void *ivec_in[2];
 void *ivec_out[2];
 
 void
-init_ivecs(int client)
+init_ivecs(int client, int have_errsock)
 {
     size_t blocksize;
 
@@ -52,14 +52,20 @@ init_ivecs(int client)
     ivec_in[0] = malloc(blocksize);
     memset(ivec_in[0], client, blocksize);
 
-    ivec_in[1] = malloc(blocksize);
-    memset(ivec_in[1], 2 | client, blocksize);
+    if(have_errsock) {
+	ivec_in[1] = malloc(blocksize);
+	memset(ivec_in[1], 2 | client, blocksize);
+    } else
+	ivec_in[1] = ivec_in[0];
 
     ivec_out[0] = malloc(blocksize);
     memset(ivec_out[0], !client, blocksize);
 
-    ivec_out[1] = malloc(blocksize);
-    memset(ivec_out[1], 2 | !client, blocksize);
+    if(have_errsock) {
+	ivec_out[1] = malloc(blocksize);
+	memset(ivec_out[1], 2 | !client, blocksize);
+    } else
+	ivec_out[1] = ivec_out[0];
 }
 #endif
 
@@ -76,7 +82,7 @@ do_read (int fd, void *buf, size_t sz, void *ivec)
 #ifdef KRB5
         if(auth_method == AUTH_KRB5) {
 	    krb5_error_code ret;
-	    u_int32_t len, outer_len;
+	    uint32_t len, outer_len;
 	    int status;
 	    krb5_data data;
 	    void *edata;
diff --git a/crypto/heimdal/appl/rsh/limits_conf.c b/crypto/heimdal/appl/rsh/limits_conf.c
new file mode 100644
index 0000000..ac9837f
--- /dev/null
+++ b/crypto/heimdal/appl/rsh/limits_conf.c
@@ -0,0 +1,214 @@
+/*
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "login_locl.h"
+
+RCSID("$Id: limits_conf.c 19215 2006-12-04 23:41:18Z lha $");
+
+#include <errno.h>
+#include <limits.h>
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+
+struct limit {
+    const char *name;
+    int resource;
+    int scale;
+    int has_limit;
+    struct rlimit limit;
+} limits[] = {
+#define LIM(X, S) { #X, RLIMIT_##X, S, 0 }
+    LIM(CORE, 1024),
+    LIM(CPU, 60),
+    LIM(DATA, 1024),
+    LIM(FSIZE, 1024),
+#ifdef RLIMIT_MEMLOCK
+    LIM(MEMLOCK, 1024),
+#endif
+    LIM(NOFILE, 1),
+#ifdef RLIMIT_NPROC
+    LIM(NPROC, 1),
+#endif
+#ifdef RLIMIT_RSS
+    LIM(RSS, 1024),
+#endif
+    LIM(STACK, 1024),
+
+#ifdef RLIMIT_AS
+    LIM(AS, 1024),
+#endif
+#ifdef RLIMIT_LOCKS
+    LIM(LOCKS, 1),
+#endif
+    /*
+      maxlogins
+      priority
+    */
+    { NULL, 0 }
+};
+
+static struct limit *
+find_limit(const char *name)
+{
+    struct limit *l;
+    for(l = limits; l->name != NULL; l++)
+	if(strcasecmp(name, l->name) == 0)
+	    return l;
+    return NULL;
+}
+
+/* this function reads limits.conf files similar to pam_limits
+   unimplemented features include:
+   	% maxlogins
+	"-" no limits, 
+	priorities etc that are not set via setrlimit
+   XXX uses static storage, and clobbers getgr*
+*/
+
+int
+read_limits_conf(const char *file, const struct passwd *pwd)
+{
+    FILE *f;
+    char *args[4];
+    int lineno = 0;
+    char buf[1024];
+    struct limit *l;
+    rlim_t value;
+
+    f = fopen(file, "r");
+    if(f == NULL) {
+	if(errno != ENOENT && errno != ENOTDIR)
+	    syslog(LOG_ERR, "%s: %m", file);
+	return -1;
+    }
+
+    while(fgets(buf, sizeof(buf), f) != NULL) {
+	char *last = NULL;
+	char *end = NULL;
+	int level;
+
+	lineno++;
+
+	if(buf[0] == '\0') {
+	    syslog(LOG_ERR, "%s: line %d: NUL character", file, lineno);
+	    continue;
+	}
+	if(buf[strlen(buf) - 1] != '\n') {
+	    /* file did not end with a newline, figure out if we're at
+               the EOF, or if our buffer was too small */
+	    int eof = 1;
+	    int c;
+	    while((c = fgetc(f)) != EOF) {
+		eof = 0;
+		if(c == '\n') 
+		    break;
+	    }
+	    if(!eof) {
+		syslog(LOG_ERR, "%s: line %d: line too long", file, lineno);
+		continue;
+	    }
+	}
+	buf[strcspn(buf, "#\r\n")] = '\0';
+	if((args[0] = strtok_r(buf, " \t", &last)) == NULL ||
+	   (args[1] = strtok_r(NULL, " \t", &last)) == NULL ||
+	   (args[2] = strtok_r(NULL, " \t", &last)) == NULL ||
+	   (args[3] = strtok_r(NULL, " \t", &last)) == NULL) {
+	    if(args[0] != NULL) /* this would include comment lines */
+		syslog(LOG_ERR, "%s: line %d: malformed line", file, lineno);
+	    continue;
+	}
+
+	l = find_limit(args[2]);
+	if(l == NULL) {
+	    syslog(LOG_ERR, "%s: line %d: unknown limit %s", file, lineno, args[2]);
+	    continue;
+	}
+	if(strcmp(args[3], "-") == 0) {
+	    value = RLIM_INFINITY;
+	} else {
+	    errno = 0;
+	    value = strtol(args[3], &end, 10);
+	    if(*end != '\0') {
+		syslog(LOG_ERR, "%s: line %d: bad value %s", file, lineno, args[3]);
+		continue;
+	    }
+	    if((value == LONG_MIN || value == LONG_MAX) && errno == ERANGE) {
+		syslog(LOG_ERR, "%s: line %d: bad value %s", file, lineno, args[3]);
+		continue;
+	    }
+	    if(value * l->scale < value)
+		value = RLIM_INFINITY;
+	    else
+		value *= l->scale;
+	}
+	level = 0;
+	/* XXX unclear: if you set group hard and user soft limit,
+           should the hard limit still apply? this code doesn't. */
+	if(strcmp(args[0], pwd->pw_name) == 0)
+	    level = 3;
+	if(*args[0] == '@') {
+	    struct group *gr;
+	    gr = getgrnam(args[0] + 1);
+	    if(gr != NULL && gr->gr_gid == pwd->pw_gid)
+		level = 2;
+	}
+	if(strcmp(args[0], "*") == 0)
+	    level = 1;
+	if(level == 0 || level < l->has_limit) /* not for us */
+	    continue;
+	if(l->has_limit < level) {
+	    if(getrlimit(l->resource, &l->limit) < 0)
+		continue;
+	    l->has_limit = level;
+	}
+	
+	/* XXX unclear: if you soft to more than default hard, should
+           we set hard to soft? this code doesn't. */
+	if(strcasecmp(args[1], "soft") == 0 || strcmp(args[1], "-") == 0)
+	    l->limit.rlim_cur = value;
+	if(strcasecmp(args[1], "hard") == 0 || strcmp(args[1], "-") == 0) 
+	    l->limit.rlim_max = value;
+    }
+    fclose(f);
+    for(l = limits; l->name != NULL; l++) {
+	if(l->has_limit) {
+	    if(l->limit.rlim_cur > l->limit.rlim_max)
+		l->limit.rlim_cur = l->limit.rlim_max;
+	    if(setrlimit(l->resource, &l->limit) != 0)
+		syslog(LOG_ERR, "setrlimit RLIM_%s failed: %m", l->name);
+	}
+	l->has_limit = 0;
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/appl/rsh/login_access.c b/crypto/heimdal/appl/rsh/login_access.c
new file mode 100644
index 0000000..e1bfe42e
--- /dev/null
+++ b/crypto/heimdal/appl/rsh/login_access.c
@@ -0,0 +1,277 @@
+/************************************************************************
+* Copyright 1995 by Wietse Venema.  All rights reserved.  Some individual
+* files may be covered by other copyrights.
+*
+* This material was originally written and compiled by Wietse Venema at
+* Eindhoven University of Technology, The Netherlands, in 1990, 1991,
+* 1992, 1993, 1994 and 1995.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that this entire copyright notice
+* is duplicated in all such copies.
+*
+* This software is provided "as is" and without any expressed or implied
+* warranties, including, without limitation, the implied warranties of
+* merchantibility and fitness for any particular purpose.
+************************************************************************/
+ /*
+  * This module implements a simple but effective form of login access
+  * control based on login names and on host (or domain) names, internet
+  * addresses (or network numbers), or on terminal line names in case of
+  * non-networked logins. Diagnostics are reported through syslog(3).
+  *
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#include "login_locl.h"
+
+RCSID("$Id: login_access.c 10020 2001-06-04 14:10:19Z assar $");
+
+ /* Delimiters for fields and for lists of users, ttys or hosts. */
+
+static char fs[] = ":";			/* field separator */
+static char sep[] = ", \t";		/* list-element separator */
+
+ /* Constants to be used in assignments only, not in comparisons... */
+
+#define YES             1
+#define NO              0
+
+ /*
+  * A structure to bundle up all login-related information to keep the
+  * functional interfaces as generic as possible.
+  */
+struct login_info {
+    struct passwd *user;
+    char   *from;
+};
+
+static int list_match(char *list, struct login_info *item,
+		      int (*match_fn)(char *, struct login_info *));
+static int user_match(char *tok, struct login_info *item);
+static int from_match(char *tok, struct login_info *item);
+static int string_match(char *tok, char *string);
+
+/* login_access - match username/group and host/tty with access control file */
+
+int login_access(struct passwd *user, char *from)
+{
+    struct login_info item;
+    FILE   *fp;
+    char    line[BUFSIZ];
+    char   *perm;			/* becomes permission field */
+    char   *users;			/* becomes list of login names */
+    char   *froms;			/* becomes list of terminals or hosts */
+    int     match = NO;
+    int     end;
+    int     lineno = 0;			/* for diagnostics */
+    char   *foo;
+
+    /*
+     * Bundle up the arguments to avoid unnecessary clumsiness lateron.
+     */
+    item.user = user;
+    item.from = from;
+
+    /*
+     * Process the table one line at a time and stop at the first match.
+     * Blank lines and lines that begin with a '#' character are ignored.
+     * Non-comment lines are broken at the ':' character. All fields are
+     * mandatory. The first field should be a "+" or "-" character. A
+     * non-existing table means no access control.
+     */
+
+    if ((fp = fopen(_PATH_LOGACCESS, "r")) != 0) {
+	while (!match && fgets(line, sizeof(line), fp)) {
+	    lineno++;
+	    if (line[end = strlen(line) - 1] != '\n') {
+		syslog(LOG_ERR, "%s: line %d: missing newline or line too long",
+		       _PATH_LOGACCESS, lineno);
+		continue;
+	    }
+	    if (line[0] == '#')
+		continue;			/* comment line */
+	    while (end > 0 && isspace((unsigned char)line[end - 1]))
+		end--;
+	    line[end] = 0;			/* strip trailing whitespace */
+	    if (line[0] == 0)			/* skip blank lines */
+		continue;
+	    foo = NULL;
+	    if (!(perm = strtok_r(line, fs, &foo))
+		|| !(users = strtok_r(NULL, fs, &foo))
+		|| !(froms = strtok_r(NULL, fs, &foo))
+		|| strtok_r(NULL, fs, &foo)) {
+		syslog(LOG_ERR, "%s: line %d: bad field count", 
+		       _PATH_LOGACCESS,
+		       lineno);
+		continue;
+	    }
+	    if (perm[0] != '+' && perm[0] != '-') {
+		syslog(LOG_ERR, "%s: line %d: bad first field", 
+		       _PATH_LOGACCESS,
+		       lineno);
+		continue;
+	    }
+	    match = (list_match(froms, &item, from_match)
+		     && list_match(users, &item, user_match));
+	}
+	fclose(fp);
+    } else if (errno != ENOENT) {
+	syslog(LOG_ERR, "cannot open %s: %m", _PATH_LOGACCESS);
+    }
+    return (match == 0 || (line[0] == '+'));
+}
+
+/* list_match - match an item against a list of tokens with exceptions */
+
+static int
+list_match(char *list,
+	   struct login_info *item,
+	   int (*match_fn)(char *, struct login_info *))
+{
+    char   *tok;
+    int     match = NO;
+    char   *foo = NULL;
+
+    /*
+     * Process tokens one at a time. We have exhausted all possible matches
+     * when we reach an "EXCEPT" token or the end of the list. If we do find
+     * a match, look for an "EXCEPT" list and recurse to determine whether
+     * the match is affected by any exceptions.
+     */
+
+    for (tok = strtok_r(list, sep, &foo);
+	 tok != NULL;
+	 tok = strtok_r(NULL, sep, &foo)) {
+	if (strcasecmp(tok, "EXCEPT") == 0)	/* EXCEPT: give up */
+	    break;
+	if ((match = (*match_fn) (tok, item)) != 0)	/* YES */
+	    break;
+    }
+    /* Process exceptions to matches. */
+
+    if (match != NO) {
+	while ((tok = strtok_r(NULL, sep, &foo)) && strcasecmp(tok, "EXCEPT"))
+	     /* VOID */ ;
+	if (tok == 0 || list_match(NULL, item, match_fn) == NO)
+	    return (match);
+    }
+    return (NO);
+}
+
+/* myhostname - figure out local machine name */
+
+static char *myhostname(void)
+{
+    static char name[MAXHOSTNAMELEN + 1] = "";
+
+    if (name[0] == 0) {
+	gethostname(name, sizeof(name));
+	name[MAXHOSTNAMELEN] = 0;
+    }
+    return (name);
+}
+
+/* netgroup_match - match group against machine or user */
+
+static int netgroup_match(char *group, char *machine, char *user)
+{
+#ifdef HAVE_YP_GET_DEFAULT_DOMAIN
+    static char *mydomain = 0;
+
+    if (mydomain == 0)
+	yp_get_default_domain(&mydomain);
+    return (innetgr(group, machine, user, mydomain));
+#else
+    syslog(LOG_ERR, "NIS netgroup support not configured");
+    return 0;
+#endif
+}
+
+/* user_match - match a username against one token */
+
+static int user_match(char *tok, struct login_info *item)
+{
+    char   *string = item->user->pw_name;
+    struct login_info fake_item;
+    struct group *group;
+    int     i;
+    char   *at;
+
+    /*
+     * If a token has the magic value "ALL" the match always succeeds.
+     * Otherwise, return YES if the token fully matches the username, if the
+     * token is a group that contains the username, or if the token is the
+     * name of the user's primary group.
+     */
+
+    if ((at = strchr(tok + 1, '@')) != 0) {	/* split user@host pattern */
+	*at = 0;
+	fake_item.from = myhostname();
+	return (user_match(tok, item) && from_match(at + 1, &fake_item));
+    } else if (tok[0] == '@') {			/* netgroup */
+	return (netgroup_match(tok + 1, (char *) 0, string));
+    } else if (string_match(tok, string)) {	/* ALL or exact match */
+	return (YES);
+    } else if ((group = getgrnam(tok)) != 0) { /* try group membership */
+	if (item->user->pw_gid == group->gr_gid)
+	    return (YES);
+	for (i = 0; group->gr_mem[i]; i++)
+	    if (strcasecmp(string, group->gr_mem[i]) == 0)
+		return (YES);
+    }
+    return (NO);
+}
+
+/* from_match - match a host or tty against a list of tokens */
+
+static int from_match(char *tok, struct login_info *item)
+{
+    char   *string = item->from;
+    int     tok_len;
+    int     str_len;
+
+    /*
+     * If a token has the magic value "ALL" the match always succeeds. Return
+     * YES if the token fully matches the string. If the token is a domain
+     * name, return YES if it matches the last fields of the string. If the
+     * token has the magic value "LOCAL", return YES if the string does not
+     * contain a "." character. If the token is a network number, return YES
+     * if it matches the head of the string.
+     */
+
+    if (tok[0] == '@') {			/* netgroup */
+	return (netgroup_match(tok + 1, string, (char *) 0));
+    } else if (string_match(tok, string)) {	/* ALL or exact match */
+	return (YES);
+    } else if (tok[0] == '.') {			/* domain: match last fields */
+	if ((str_len = strlen(string)) > (tok_len = strlen(tok))
+	    && strcasecmp(tok, string + str_len - tok_len) == 0)
+	    return (YES);
+    } else if (strcasecmp(tok, "LOCAL") == 0) {	/* local: no dots */
+	if (strchr(string, '.') == 0)
+	    return (YES);
+    } else if (tok[(tok_len = strlen(tok)) - 1] == '.'	/* network */
+	       && strncmp(tok, string, tok_len) == 0) {
+	return (YES);
+    }
+    return (NO);
+}
+
+/* string_match - match a string against one token */
+
+static int string_match(char *tok, char *string)
+{
+
+    /*
+     * If the token has the magic value "ALL" the match always succeeds.
+     * Otherwise, return YES if the token fully matches the string.
+     */
+
+    if (strcasecmp(tok, "ALL") == 0) {		/* all: always matches */
+	return (YES);
+    } else if (strcasecmp(tok, string) == 0) {	/* try exact match */
+	return (YES);
+    }
+    return (NO);
+}
diff --git a/crypto/heimdal/appl/rsh/rsh.1 b/crypto/heimdal/appl/rsh/rsh.1
index 82c1f6c..2999dc0 100644
--- a/crypto/heimdal/appl/rsh/rsh.1
+++ b/crypto/heimdal/appl/rsh/rsh.1
@@ -29,9 +29,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 .\" SUCH DAMAGE. 
 .\" 
-.\"	$Id: rsh.1,v 1.6 2003/04/16 19:57:25 lha Exp $
+.\"	$Id: rsh.1 13394 2004-02-20 12:21:42Z joda $
 .\"
-.Dd September 4, 2002
+.Dd February 20, 2004
 .Dt RSH 1
 .Os HEIMDAL
 .Sh NAME
@@ -85,9 +85,9 @@ option.
 .Xc
 The
 .Fl K
-option turns off all Kerberos authentication. The long name implies
-that this is more or less totally unsecure. The security in this mode
-relies on reserved ports, which is not very secure.
+option turns off all Kerberos authentication. The security in this
+mode relies on reserved ports. The long name is an indication of how
+good this is.
 .It Xo
 .Fl n ,
 .Fl -no-input
@@ -99,6 +99,10 @@ option directs the input from the
 device (see the
 .Sx BUGS
 section of this manual page).
+.It Fl d
+Enable
+.Xr setsockopt 2
+socket debugging.
 .It Xo
 .Fl e ,
 .Fl -no-stderr
@@ -120,45 +124,48 @@ section for limitations).
 .Xc
 The opposite of
 .Fl x .
-This is the default, but encryption can be enabled when using
-Kerberos 5, by setting the
-.Li libdefaults/encrypt
-option in
-.Xr krb5.conf 5 .
+This is the default, and is mainly useful if encryption has been
+enabled by default, for instance in the
+.Li appdefaults
+section of 
+.Pa /etc/krb5.conf
+when using Kerberos 5.
 .It Xo
 .Fl f ,
 .Fl -forward
 .Xc
-Forward Kerberos 5 credentials to the remote host. Also controlled by
-.Li libdefaults/forward
-in
-.Xr krb5.conf 5 .
-.It Xo
-.Fl G
-.Xc
-The opposite of
-.Fl f .
+Forward Kerberos 5 credentials to the remote host.
+Also settable via
+.Li appdefaults
+(see
+.Xr krb5.conf ) .
 .It Xo
 .Fl F ,
 .Fl -forwardable
 .Xc
-Make the forwarded credentials re-forwardable. Also controlled by
-.Li libdefaults/forwardable
-in
-.Xr krb5.conf 5 .
+Make the forwarded credentials re-forwardable. 
+Also settable via
+.Li appdefaults
+(see
+.Xr krb5.conf ) .
 .It Xo
-.Fl u ,
-.Fl -unique
+.Fl l Ar string ,
+.Fl -user= Ns Ar string
 .Xc
-Make sure the remote credentials cache is unique, that is, don't reuse
-any existing cache. Mutually exclusive to
-.Fl U .
+By default the remote username is the same as the local. The
+.Fl l
+option or the
+.Pa username@host
+format allow the remote name to be specified.
 .It Xo
-.Fl U Pa string ,
-.Fl -tkfile= Ns Pa string
+.Fl n ,
+.Fl -no-input
 .Xc
-Name of the remote credentials cache. Mutually exclusive to
-.Fl u .
+Direct input from 
+.Pa /dev/null
+(see the
+.Sx BUGS
+section).
 .It Xo
 .Fl p Ar number-or-service ,
 .Fl -port= Ns Ar number-or-service
@@ -169,30 +176,52 @@ Kerberos 4, and 545 for encrytpted Kerberos 4; subject of course to
 the contents of
 .Pa /etc/services ) .
 .It Xo
-.Fl l Ar string ,
-.Fl -user= Ns Ar string
-.Xc
-By default the remote username is the same as the local. The
-.Fl l
-option or the
-.Pa username@host
-format allow the remote name to be specified.
-.It Xo
 .Fl P Ar N|O|1|2 ,
 .Fl -protocol= Ns Ar N|O|1|2
 .Xc
-Specifies which protocol version to use with Kerberos 5.
+Specifies the protocol version to use with Kerberos 5.
 .Ar N
 and
 .Ar 2
-selects protocol version 2, while 
+select protocol version 2, while 
 .Ar O
 and
 .Ar 1
-selects version 1. Version 2 is believed to be more secure, and is the
+select version 1. Version 2 is believed to be more secure, and is the
 default. Unless asked for a specific version,
 .Nm
 will try both.  This behaviour may change in the future.
+.It Xo
+.Fl u ,
+.Fl -unique
+.Xc
+Make sure the remote credentials cache is unique, that is, don't reuse
+any existing cache. Mutually exclusive to
+.Fl U .
+.It Xo
+.Fl U Pa string ,
+.Fl -tkfile= Ns Pa string
+.Xc
+Name of the remote credentials cache. Mutually exclusive to
+.Fl u .
+.It Xo
+.Fl x ,
+.Fl -encrypt
+.Xc
+The
+.Fl x
+option enables encryption for all data exchange. This is only valid
+for Kerberos authenticated connections (see the
+.Sx BUGS
+section for limitations).
+.It Fl z
+The opposite of
+.Fl x .
+This is the default, but encryption can be enabled when using
+Kerberos 5, by setting the
+.Li libdefaults/encrypt
+option in
+.Xr krb5.conf 5 .
 .El
 .\".Pp
 .\"Without a
@@ -208,7 +237,7 @@ machine.
 .Pp
 The following command:
 .Pp
-.Dl rsh otherhost cat remotefile > localfile
+.Dl rsh otherhost cat remotefile \*[Gt] localfile
 .Pp
 will write the contents of the remote
 .Pa remotefile
@@ -216,7 +245,7 @@ to the local
 .Pa localfile ,
 but:
 .Pp
-.Dl rsh otherhost 'cat remotefile > remotefile2'
+.Dl rsh otherhost 'cat remotefile \*[Gt] remotefile2'
 .Pp
 will write it to the remote
 .Pa remotefile2 .
diff --git a/crypto/heimdal/appl/rsh/rsh.c b/crypto/heimdal/appl/rsh/rsh.c
index 8af5096..2d64d21 100644
--- a/crypto/heimdal/appl/rsh/rsh.c
+++ b/crypto/heimdal/appl/rsh/rsh.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,7 +32,7 @@
  */
 
 #include "rsh_locl.h"
-RCSID("$Id: rsh.c,v 1.71 2003/04/16 20:37:20 joda Exp $");
+RCSID("$Id: rsh.c 21516 2007-07-12 12:47:23Z lha $");
 
 enum auth_method auth_method;
 #if defined(KRB4) || defined(KRB5)
@@ -60,15 +60,21 @@ static int use_v4 = -1;
 #ifdef KRB5
 static int use_v5 = -1;
 #endif
+#if defined(KRB4) || defined(KRB5)
 static int use_only_broken = 0;
+#else
+static int use_only_broken = 1;
+#endif
 static int use_broken = 1;
 static char *port_str;
 static const char *user;
 static int do_version;
 static int do_help;
 static int do_errsock = 1;
+#ifdef KRB5
 static char *protocol_version_str;
 static int protocol_version = 2;
+#endif
 
 /*
  *
@@ -77,14 +83,14 @@ static int protocol_version = 2;
 static int input = 1;		/* Read from stdin */
 
 static int
-loop (int s, int errsock)
+rsh_loop (int s, int errsock)
 {
     fd_set real_readset;
     int count = 1;
 
 #ifdef KRB5
     if(auth_method == AUTH_KRB5 && protocol_version == 2)
-	init_ivecs(1);
+	init_ivecs(1, errsock != -1);
 #endif
 
     if (s >= FD_SETSIZE || (errsock != -1 && errsock >= FD_SETSIZE))
@@ -294,6 +300,7 @@ send_krb5_auth(int s,
     krb5_auth_context auth_context = NULL;
     const char *protocol_string = NULL;
     krb5_flags ap_opts;
+    char *str;
 
     status = krb5_sname_to_principal(context,
 				     hostname,
@@ -313,12 +320,17 @@ send_krb5_auth(int s,
 				&do_encrypt);
     }
 
-    cksum_data.length = asprintf ((char **)&cksum_data.data,
+    cksum_data.length = asprintf (&str,
 				  "%u:%s%s%s",
 				  ntohs(socket_get_port(thataddr)),
 				  do_encrypt ? "-x " : "",
 				  cmd,
 				  remote_user);
+    if (str == NULL) {
+	warnx ("%s: failed to allocate command", hostname);
+	return 1;
+    }
+    cksum_data.data = str;
 
     ap_opts = 0;
 
@@ -614,7 +626,7 @@ proto (int s, int errsock,
 	    warn("setsockopt stderr");
     }
     
-    return loop (s, errsock2);
+    return rsh_loop (s, errsock2);
 }
 
 /*
@@ -633,15 +645,15 @@ construct_command (char **res, int argc, char **argv)
     len = max (1, len);
     tmp = malloc (len);
     if (tmp == NULL)
-	errx (1, "malloc %u failed", len);
+	errx (1, "malloc %lu failed", (unsigned long)len);
 
     *tmp = '\0';
     for (i = 0; i < argc - 1; ++i) {
-	strcat (tmp, argv[i]);
-	strcat (tmp, " ");
+	strlcat (tmp, argv[i], len);
+	strlcat (tmp, " ", len);
     }
     if (argc > 0)
-	strcat (tmp, argv[argc-1]);
+	strlcat (tmp, argv[argc-1], len);
     *res = tmp;
     return len;
 }
@@ -750,7 +762,6 @@ doit (const char *hostname,
       const char *local_user,
       const char *cmd,
       size_t cmd_len,
-      int do_errsock,
       int (*auth_func)(int s,
 		       struct sockaddr *this, struct sockaddr *that,
 		       const char *hostname, const char *remote_user,
@@ -829,31 +840,31 @@ struct getargs args[] = {
 #endif
 #ifdef KRB5
     { "krb5",	'5', arg_flag,		&use_v5,	"Use Kerberos V5" },
-    { "forward", 'f', arg_flag,		&do_forward,	"Forward credentials (krb5)"},
-    { NULL, 'G', arg_negative_flag,&do_forward,	"Don't forward credentials" },
+    { "forward", 'f', arg_flag,		&do_forward,	"Forward credentials [krb5]"},
     { "forwardable", 'F', arg_flag,	&do_forwardable,
-      "Forward forwardable credentials" },
+      "Forward forwardable credentials [krb5]" },
+    { NULL, 'G', arg_negative_flag,&do_forward,	"Don't forward credentials" },
+    { "unique", 'u', arg_flag,	&do_unique_tkfile,
+      "Use unique remote credentials cache [krb5]" },
+    { "tkfile", 'U', arg_string,  &unique_tkfile,
+      "Specifies remote credentials cache [krb5]" },
+    { "protocol", 'P', arg_string,      &protocol_version_str, 
+      "Protocol version [krb5]", "protocol" },
 #endif
-#if defined(KRB4) || defined(KRB5)
     { "broken", 'K', arg_flag,		&use_only_broken, "Use only priv port" },
+#if defined(KRB4) || defined(KRB5)
     { "encrypt", 'x', arg_flag,		&do_encrypt,	"Encrypt connection" },
     { NULL, 	'z', arg_negative_flag,      &do_encrypt,
       "Don't encrypt connection", NULL },
 #endif
-#ifdef KRB5
-    { "unique", 'u', arg_flag,	&do_unique_tkfile,
-      "Use unique remote tkfile (krb5)" },
-    { "tkfile", 'U', arg_string,  &unique_tkfile,
-      "Use that remote tkfile (krb5)" },
-#endif
     { NULL,	'd', arg_flag,		&sock_debug, "Enable socket debugging" },
     { "input",	'n', arg_negative_flag,	&input,		"Close stdin" },
     { "port",	'p', arg_string,	&port_str,	"Use this port",
       "port" },
     { "user",	'l', arg_string,	&user,		"Run as this user", "login" },
     { "stderr", 'e', arg_negative_flag, &do_errsock,	"Don't open stderr"},
-    { "protocol", 'P', arg_string,      &protocol_version_str, 
-      "Protocol version", "protocol" },
+#ifdef KRB5
+#endif
     { "version", 0,  arg_flag,		&do_version,	NULL },
     { "help",	 0,  arg_flag,		&do_help,	NULL }
 };
@@ -918,6 +929,7 @@ main(int argc, char **argv)
 	return 0;
     }
 
+#ifdef KRB5
     if(protocol_version_str != NULL) {
 	if(strcasecmp(protocol_version_str, "N") == 0)
 	    protocol_version = 2;
@@ -935,7 +947,6 @@ main(int argc, char **argv)
 	}
     }
 
-#ifdef KRB5
     status = krb5_init_context (&context);
     if (status) {
 	if(use_v5 == 1)
@@ -985,7 +996,7 @@ main(int argc, char **argv)
 	errx (1, "Only one of -u and -U allowed.");
 
     if (do_unique_tkfile)
-	strcpy(tkfile,"-u ");
+	strlcpy(tkfile,"-u ", sizeof(tkfile));
     else if (unique_tkfile != NULL) {
 	if (strchr(unique_tkfile,' ') != NULL) {
 	    warnx("Space is not allowed in tkfilename");
@@ -1049,7 +1060,6 @@ main(int argc, char **argv)
 	auth_method = AUTH_KRB5;
       again:
 	ret = doit (host, ai, user, local_user, cmd, cmd_len,
-		    do_errsock,
 		    send_krb5_auth);
 	if(ret != 0 && sendauth_version_error && 
 	   protocol_version == 2) {
@@ -1082,7 +1092,6 @@ main(int argc, char **argv)
 	    errx (1, "getaddrinfo: %s", gai_strerror(error));
 	auth_method = AUTH_KRB4;
 	ret = doit (host, ai, user, local_user, cmd, cmd_len,
-		    do_errsock,
 		    send_krb4_auth);
 	freeaddrinfo(ai);
     }
diff --git a/crypto/heimdal/appl/rsh/rsh_locl.h b/crypto/heimdal/appl/rsh/rsh_locl.h
index 151a888..0d65962 100644
--- a/crypto/heimdal/appl/rsh/rsh_locl.h
+++ b/crypto/heimdal/appl/rsh/rsh_locl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: rsh_locl.h,v 1.33 2003/04/16 20:05:39 lha Exp $ */
+/* $Id: rsh_locl.h 21553 2007-07-15 09:04:52Z lha $ */
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
@@ -102,12 +102,17 @@
 #endif
 #ifdef KRB5
 #include <krb5.h>
+/* XXX */
+struct krb5_pk_identity;
+struct krb5_pk_cert;
+struct ContentInfo;
+struct _krb5_krb_auth_data;
+struct krb5_dh_moduli;
+#include "crypto-headers.h"
 #include <krb5-private.h> /* for _krb5_{get,put}_int */
 #endif
+#if defined(KRB4) || defined(KRB5)
 #include <kafs.h>
-
-#ifndef _PATH_NOLOGIN
-#define _PATH_NOLOGIN   "/etc/nologin"
 #endif
 
 #ifndef _PATH_BSHELL
@@ -118,9 +123,7 @@
 #define _PATH_DEFPATH	"/usr/bin:/bin"
 #endif
 
-#ifndef _PATH_ETC_ENVIRONMENT
-#define _PATH_ETC_ENVIRONMENT SYSCONFDIR "/environment"
-#endif
+#include "loginpaths.h"
 
 /*
  *
@@ -137,7 +140,7 @@ extern krb5_crypto crypto;
 extern int key_usage;
 extern void *ivec_in[2];
 extern void *ivec_out[2];
-void init_ivecs(int);
+void init_ivecs(int, int);
 #endif
 #ifdef KRB4
 extern des_key_schedule schedule;
@@ -153,6 +156,7 @@ extern des_cblock iv;
 #endif
 
 #define RSH_BUFSIZ (5 * 1024) /* MIT kcmd can't handle larger buffers */
+#define RSHD_BUFSIZ (16 * 1024) /* Old maxize for Heimdal 0.4 rsh */
 
 #define PATH_RSH BINDIR "/rsh"
 
diff --git a/crypto/heimdal/appl/rsh/rshd.8 b/crypto/heimdal/appl/rsh/rshd.8
index 7c7a363..95737a5 100644
--- a/crypto/heimdal/appl/rsh/rshd.8
+++ b/crypto/heimdal/appl/rsh/rshd.8
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2001 - 2002 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2001 - 2006 Kungliga Tekniska Högskolan
 .\" (Royal Institute of Technology, Stockholm, Sweden). 
 .\" All rights reserved. 
 .\"
@@ -29,7 +29,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 .\" SUCH DAMAGE. 
 .\" 
-.\" $Id: rshd.8,v 1.7 2003/04/16 19:58:42 lha Exp $
+.\" $Id: rshd.8 16764 2006-02-27 10:07:04Z joda $
 .\"
 .Dd November 22, 2002
 .Dt RSHD 8
@@ -83,7 +83,7 @@ will deny unencrypted connections. This option implies
 .\".Xc
 .\"When using old port-based authentication, the user's
 .\".Pa .rhosts
-.\"files are normally checked. This options disables this.
+.\"files are normally checked. This option disables this.
 .It Xo
 .Fl v ,
 .Fl -vacuous
diff --git a/crypto/heimdal/appl/rsh/rshd.c b/crypto/heimdal/appl/rsh/rshd.c
index 1464fe1..852327a 100644
--- a/crypto/heimdal/appl/rsh/rshd.c
+++ b/crypto/heimdal/appl/rsh/rshd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,10 +32,17 @@
  */
 
 #include "rsh_locl.h"
-RCSID("$Id: rshd.c,v 1.51.2.1 2003/08/19 11:36:17 joda Exp $");
+#include "login_locl.h"
+RCSID("$Id: rshd.c 21515 2007-07-12 12:47:07Z lha $");
 
 int
 login_access( struct passwd *user, char *from);
+int
+read_limits_conf(const char *file, const struct passwd *pwd);
+
+#ifdef NEED_IRUSEROK_PROTO
+int iruserok(uint32_t, int, const char *, const char *);
+#endif
 
 enum auth_method auth_method;
 
@@ -74,13 +81,6 @@ static int do_keepalive = 1;
 static int do_version;
 static int do_help = 0;
 
-#if defined(KRB5) && defined(DCE)
-int dfsk5ok = 0;
-int dfspag = 0;
-int dfsfwd = 0;
-krb5_ticket *user_ticket;
-#endif
-
 static void
 syslog_and_die (const char *m, ...)
     __attribute__ ((format (printf, 1, 2)));
@@ -263,15 +263,25 @@ static void
 krb5_start_session (void)
 {
     krb5_error_code ret;
+    char *estr;
 
     ret = krb5_cc_resolve (context, tkfile, &ccache2);
     if (ret) {
+	estr = krb5_get_error_string(context);
+	syslog(LOG_WARNING, "resolve cred cache %s: %s", 
+	       tkfile, 
+	       estr ? estr : krb5_get_err_text(context, ret));
+	free(estr);
 	krb5_cc_destroy(context, ccache);
 	return;
     }
 
     ret = krb5_cc_copy_cache (context, ccache, ccache2);
     if (ret) {
+	estr = krb5_get_error_string(context);
+	syslog(LOG_WARNING, "storing credentials: %s", 
+	       estr ? estr : krb5_get_err_text(context, ret));
+	free(estr);
 	krb5_cc_destroy(context, ccache);
 	return ;
     }
@@ -307,12 +317,13 @@ recv_krb5_auth (int s, u_char *buf,
 		char **server_username,
 		char **cmd)
 {
-    u_int32_t len;
+    uint32_t len;
     krb5_auth_context auth_context = NULL;
     krb5_ticket *ticket;
     krb5_error_code status;
     krb5_data cksum_data;
     krb5_principal server;
+    char *str;
 
     if (memcmp (buf, "\x00\x00\x00\x13", 4) != 0)
 	return -1;
@@ -371,11 +382,14 @@ recv_krb5_auth (int s, u_char *buf,
 		       krb5_get_err_text(context, status));
 
     
-    cksum_data.length = asprintf ((char **)&cksum_data.data,
+    cksum_data.length = asprintf (&str,
 				  "%u:%s%s",
 				  ntohs(socket_get_port (thisaddr)),
 				  *cmd,
 				  *server_username);
+    if (str == NULL)
+	syslog_and_die ("asprintf: out of memory");
+    cksum_data.data = str;
 
     status = krb5_verify_authenticator_checksum(context, 
 						auth_context,
@@ -401,12 +415,16 @@ recv_krb5_auth (int s, u_char *buf,
 	if (strncmp (*client_username + 3, "FILE:", 5) == 0) {
 	    temp_tkfile = tkfile;
 	} else {
-	    strcpy (tkfile, "FILE:");
+	    strlcpy (tkfile, "FILE:", sizeof(tkfile));
 	    temp_tkfile = tkfile + 5;
 	}
 	end = strchr(*client_username + 3,' ');
-	strncpy(temp_tkfile, *client_username + 3, end - *client_username - 3);
-	temp_tkfile[end - *client_username - 3] = '\0';
+	if (end == NULL)
+	    syslog_and_die("missing argument after -U");
+	snprintf(temp_tkfile, sizeof(tkfile) - (temp_tkfile - tkfile),
+		 "%.*s",
+		 (int)(end - *client_username - 3),
+		 *client_username + 3);
 	memmove (*client_username, end + 1, strlen(end+1)+1);
     }
 
@@ -448,29 +466,27 @@ recv_krb5_auth (int s, u_char *buf,
 	}
     }	   
 
-#if defined(DCE)
-    user_ticket = ticket;
-#endif
-
     return 0;
 }
 #endif /* KRB5 */
 
 static void
-loop (int from0, int to0,
-      int to1,   int from1,
-      int to2,   int from2)
+rshd_loop (int from0, int to0,
+	   int to1,   int from1,
+	   int to2,   int from2,
+	   int have_errsock)
 {
     fd_set real_readset;
     int max_fd;
     int count = 2;
+    char *buf;
 
     if(from0 >= FD_SETSIZE || from1 >= FD_SETSIZE || from2 >= FD_SETSIZE)
 	errx (1, "fd too large");
 
 #ifdef KRB5
     if(auth_method == AUTH_KRB5 && protocol_version == 2)
-	init_ivecs(0);
+	init_ivecs(0, have_errsock);
 #endif
 
     FD_ZERO(&real_readset);
@@ -478,10 +494,14 @@ loop (int from0, int to0,
     FD_SET(from1, &real_readset);
     FD_SET(from2, &real_readset);
     max_fd = max(from0, max(from1, from2)) + 1;
+
+    buf = malloc(max(RSHD_BUFSIZ, RSH_BUFSIZ));
+    if (buf == NULL)
+	syslog_and_die("out of memory");
+
     for (;;) {
 	int ret;
 	fd_set readset = real_readset;
-	char buf[RSH_BUFSIZ];
 
 	ret = select (max_fd, &readset, NULL, NULL, NULL);
 	if (ret < 0) {
@@ -491,7 +511,7 @@ loop (int from0, int to0,
 		syslog_and_die ("select: %m");
 	}
 	if (FD_ISSET(from0, &readset)) {
-	    ret = do_read (from0, buf, sizeof(buf), ivec_in[0]);
+	    ret = do_read (from0, buf, RSHD_BUFSIZ, ivec_in[0]);
 	    if (ret < 0)
 		syslog_and_die ("read: %m");
 	    else if (ret == 0) {
@@ -502,7 +522,7 @@ loop (int from0, int to0,
 		net_write (to0, buf, ret);
 	}
 	if (FD_ISSET(from1, &readset)) {
-	    ret = read (from1, buf, sizeof(buf));
+	    ret = read (from1, buf, RSH_BUFSIZ);
 	    if (ret < 0)
 		syslog_and_die ("read: %m");
 	    else if (ret == 0) {
@@ -515,7 +535,7 @@ loop (int from0, int to0,
 		do_write (to1, buf, ret, ivec_out[0]);
 	}
 	if (FD_ISSET(from2, &readset)) {
-	    ret = read (from2, buf, sizeof(buf));
+	    ret = read (from2, buf, RSH_BUFSIZ);
 	    if (ret < 0)
 		syslog_and_die ("read: %m");
 	    else if (ret == 0) {
@@ -551,7 +571,7 @@ pipe_a_like (int fd[2])
  * Start a child process and leave the parent copying data to and from it.  */
 
 static void
-setup_copier (void)
+setup_copier (int have_errsock)
 {
     int p0[2], p1[2], p2[2];
     pid_t pid;
@@ -580,9 +600,10 @@ setup_copier (void)
 	if (net_write (STDOUT_FILENO, "", 1) != 1)
 	    fatal (STDOUT_FILENO, "net_write", "Write failure.");
 
-	loop (STDIN_FILENO, p0[1],
+	rshd_loop (STDIN_FILENO, p0[1],
 	      STDOUT_FILENO, p1[0],
-	      STDERR_FILENO, p2[0]);
+	      STDERR_FILENO, p2[0],
+	      have_errsock);
     }
 }
 
@@ -621,20 +642,20 @@ setup_environment (char ***env, const struct passwd *pwd)
     e = *env;
     e = realloc(e, (i + 7) * sizeof(char *));
 
-    asprintf (&e[i++], "USER=%s",  pwd->pw_name);
-    asprintf (&e[i++], "HOME=%s",  pwd->pw_dir);
-    asprintf (&e[i++], "SHELL=%s", pwd->pw_shell);
+    if (asprintf (&e[i++], "USER=%s",  pwd->pw_name) == -1)
+	syslog_and_die ("asprintf: out of memory");
+    if (asprintf (&e[i++], "HOME=%s",  pwd->pw_dir) == -1)
+	syslog_and_die ("asprintf: out of memory");
+    if (asprintf (&e[i++], "SHELL=%s", pwd->pw_shell) == -1)
+	syslog_and_die ("asprintf: out of memory");
     if (! path) {
-	asprintf (&e[i++], "PATH=%s",  _PATH_DEFPATH);
+	if (asprintf (&e[i++], "PATH=%s",  _PATH_DEFPATH) == -1)
+	    syslog_and_die ("asprintf: out of memory");
     }
     asprintf (&e[i++], "SSH_CLIENT=only_to_make_bash_happy");
-#if defined(DCE)
-    if (getenv("KRB5CCNAME"))
-	asprintf (&e[i++], "KRB5CCNAME=%s",  getenv("KRB5CCNAME"));
-#else
     if (do_unique_tkfile)
-	asprintf (&e[i++], "KRB5CCNAME=%s", tkfile);
-#endif
+	if (asprintf (&e[i++], "KRB5CCNAME=%s", tkfile) == -1)
+	    syslog_and_die ("asprintf: out of memory");
     e[i++] = NULL;
     *env = e;
 }
@@ -653,7 +674,7 @@ doit (void)
     socklen_t thisaddr_len, thataddr_len;
     int port;
     int errsock = -1;
-    char *client_user, *server_user, *cmd;
+    char *client_user = NULL, *server_user = NULL, *cmd = NULL;
     struct passwd *pwd;
     int s = STDIN_FILENO;
     char **env;
@@ -760,9 +781,8 @@ doit (void)
 	    syslog_and_die("recv_bsd_auth failed");
     }
 
-#if defined(DCE) && defined(_AIX)
-    esetenv("AUTHSTATE", "DCE", 1);
-#endif
+    if (client_user == NULL || server_user == NULL || cmd == NULL)
+	syslog_and_die("mising client/server/cmd");
 
     pwd = getpwnam (server_user);
     if (pwd == NULL)
@@ -803,33 +823,6 @@ doit (void)
 #endif
     
 
-#ifdef KRB5
-    {
-	int fd;
- 
-	if (!do_unique_tkfile)
-	    snprintf(tkfile,sizeof(tkfile),"FILE:/tmp/krb5cc_%u",pwd->pw_uid);
-	else if (*tkfile=='\0') {
-	    snprintf(tkfile,sizeof(tkfile),"FILE:/tmp/krb5cc_XXXXXX");
-	    fd = mkstemp(tkfile+5);
-	    close(fd);
-	    unlink(tkfile+5);
-	}
- 
-	if (kerberos_status)
-	    krb5_start_session();
-    }
-    chown(tkfile + 5, pwd->pw_uid, -1);
-
-#if defined(DCE)
-    if (kerberos_status) {
-	esetenv("KRB5CCNAME", tkfile, 1);
-	dfspag = krb5_dfs_pag(context, kerberos_status, user_ticket->client, server_user);
-    }
-#endif
-
-#endif
-
 #ifdef HAVE_SETLOGIN
     if (setlogin(pwd->pw_name) < 0)
 	syslog(LOG_ERR, "setlogin() failed: %m");
@@ -840,6 +833,12 @@ doit (void)
 	syslog(LOG_ERR, "setpcred() failure: %m");
 #endif /* HAVE_SETPCRED */
 
+    /* Apply limits if not root */
+    if(pwd->pw_uid != 0) {
+	 const char *file = _PATH_LIMITS_CONF;
+	 read_limits_conf(file, pwd);
+    }
+
     if (initgroups (pwd->pw_name, pwd->pw_gid) < 0)
 	fatal (s, "initgroups", "Login incorrect.");
 
@@ -856,12 +855,34 @@ doit (void)
 	if (dup2 (errsock, STDERR_FILENO) < 0)
 	    fatal (s, "dup2", "Cannot dup stderr.");
 	close (errsock);
+    } else {
+	if (dup2 (STDOUT_FILENO, STDERR_FILENO) < 0)
+	    fatal (s, "dup2", "Cannot dup stderr.");
     }
 
+#ifdef KRB5
+    {
+	int fd;
+ 
+	if (!do_unique_tkfile)
+	    snprintf(tkfile,sizeof(tkfile),"FILE:/tmp/krb5cc_%lu",
+		     (unsigned long)pwd->pw_uid);
+	else if (*tkfile=='\0') {
+	    snprintf(tkfile,sizeof(tkfile),"FILE:/tmp/krb5cc_XXXXXX");
+	    fd = mkstemp(tkfile+5);
+	    close(fd);
+	    unlink(tkfile+5);
+	}
+ 
+	if (kerberos_status)
+	    krb5_start_session();
+    }
+#endif
+
     setup_environment (&env, pwd);
 
     if (do_encrypt) {
-	setup_copier ();
+	setup_copier (errsock >= 0);
     } else {
 	if (net_write (s, "", 1) != 1)
 	    fatal (s, "net_write", "write failed");
@@ -972,13 +993,6 @@ main(int argc, char **argv)
 	do_kerberos = DO_KRB4 | DO_KRB5;
 #endif
 
-    if (do_keepalive &&
-	setsockopt(0, SOL_SOCKET, SO_KEEPALIVE, (char *)&on,
-		   sizeof(on)) < 0)
-	syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m");
-
-    /* set SO_LINGER? */
-
 #ifdef KRB5
     if((do_kerberos & DO_KRB5) && krb5_init_context (&context) != 0)
 	do_kerberos &= ~DO_KRB5;
@@ -1035,6 +1049,13 @@ main(int argc, char **argv)
 	freeaddrinfo(ai);
     }
 
+    if (do_keepalive &&
+	setsockopt(0, SOL_SOCKET, SO_KEEPALIVE, (char *)&on,
+		   sizeof(on)) < 0)
+	syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m");
+
+    /* set SO_LINGER? */
+
     signal (SIGPIPE, SIG_IGN);
 
     doit ();
diff --git a/crypto/heimdal/appl/su/ChangeLog b/crypto/heimdal/appl/su/ChangeLog
index 7420d85..591eada 100644
--- a/crypto/heimdal/appl/su/ChangeLog
+++ b/crypto/heimdal/appl/su/ChangeLog
@@ -1,9 +1,45 @@
+2007-10-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* su.c: read environment from _PATH_ETC_ENVIRONMENT
+
+	* supaths.c: paths
+
+2007-08-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* su.c: Check all local realms when su-ing, from Magnus Holmberg.
+
+2007-06-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* su.c: If not root and not setuid, print warning.
+
+2006-01-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* su.c (group_member_p): rename from group_member to avoid name
+	pollution from glibc headers. Fixed based on report from David Love.
+
+2006-01-12  Johan Danielsson  <joda@pdc.kth.se>
+
+	* su.c: fix reversed logic when deciding to print tty or not
+	
+2005-10-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* su.c: Check return value from asprintf instead of string != NULL
+	since it undefined behavior on Linux. From Björn Sandell
+	
+2005-05-10  Dave Love  <fx@gnu.org>
+
+	* su.c: Include <crypt.h>.
+
+2003-09-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* su.c: s/des_read_pw_string/UI_UTIL_read_pw_string/
+	
 2003-05-06  Johan Danielsson  <joda@pdc.kth.se>
 
 	* su.c: remove accidentally committed code that prints the command
 	being executed
 
-2003-03-18  Love Hörnquist Åstrand <lha@it.su.se>
+2003-03-18  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* su.c (krb5_start_session): krb5_afslog doesn't depend on KRB4
 	any more
diff --git a/crypto/heimdal/appl/su/Makefile.in b/crypto/heimdal/appl/su/Makefile.in
index f6eb065..0159272 100644
--- a/crypto/heimdal/appl/su/Makefile.in
+++ b/crypto/heimdal/appl/su/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,23 +14,17 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.7 2001/08/28 08:31:22 assar Exp $
+# $Id: Makefile.am 21986 2007-10-19 05:22:57Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
-SOURCES = $(su_SOURCES)
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -42,6 +36,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -50,16 +45,14 @@ bin_PROGRAMS = su$(EXEEXT)
 subdir = appl/su
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -72,6 +65,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -80,19 +74,23 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(bindir)"
+am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)"
 binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(bin_PROGRAMS)
 am_su_OBJECTS = su.$(OBJEXT)
@@ -105,30 +103,27 @@ su_DEPENDENCIES = $(am__DEPENDENCIES_2) \
 	$(top_builddir)/lib/krb5/libkrb5.la $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \
 	$(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
 SOURCES = $(su_SOURCES)
 DIST_SOURCES = $(su_SOURCES)
+man1dir = $(mandir)/man1
+MANS = $(man_MANS)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -138,8 +133,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -150,11 +143,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -162,42 +154,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -215,12 +192,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -230,15 +204,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -247,6 +220,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -258,15 +232,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -274,74 +243,80 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(INCLUDE_des)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	$(INCLUDE_krb4) $(INCLUDE_hcrypto)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -358,20 +333,23 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 bin_SUIDS = su
-su_SOURCES = su.c
+su_SOURCES = su.c supaths.h
+man_MANS = su.1
 LDADD = $(LIB_kafs) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(LIB_krb4) \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken)
 
+EXTRA_DIST = $(man_MANS)
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -403,7 +381,7 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-binPROGRAMS: $(bin_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)"
+	test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
 	@list='$(bin_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -431,7 +409,7 @@ clean-binPROGRAMS:
 	done
 su$(EXEEXT): $(su_OBJECTS) $(su_DEPENDENCIES) 
 	@rm -f su$(EXEEXT)
-	$(LINK) $(su_LDFLAGS) $(su_OBJECTS) $(su_LDADD) $(LIBS)
+	$(LINK) $(su_OBJECTS) $(su_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -453,10 +431,51 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
+install-man1: $(man1_MANS) $(man_MANS)
+	@$(NORMAL_INSTALL)
+	test -z "$(man1dir)" || $(MKDIR_P) "$(DESTDIR)$(man1dir)"
+	@list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \
+	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+	for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  case "$$ext" in \
+	    1*) ;; \
+	    *) ext='1' ;; \
+	  esac; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \
+	  $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst"; \
+	done
+uninstall-man1:
+	@$(NORMAL_UNINSTALL)
+	@list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \
+	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+	for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  case "$$ext" in \
+	    1*) ;; \
+	    *) ext='1' ;; \
+	  esac; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f '$(DESTDIR)$(man1dir)/$$inst'"; \
+	  rm -f "$(DESTDIR)$(man1dir)/$$inst"; \
+	done
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -478,9 +497,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -505,23 +526,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../.. $(distdir)/../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -538,10 +557,10 @@ distdir: $(DISTFILES)
 check-am: all-am
 	$(MAKE) $(AM_MAKEFLAGS) check-local
 check: check-am
-all-am: Makefile $(PROGRAMS) all-local
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
 installdirs:
-	for dir in "$(DESTDIR)$(bindir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -562,7 +581,7 @@ mostlyclean-generic:
 clean-generic:
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -574,7 +593,7 @@ clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -586,17 +605,25 @@ info: info-am
 
 info-am:
 
-install-data-am:
+install-data-am: install-man
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-binPROGRAMS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
-install-man:
+install-man: install-man1
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
 
 installcheck-am:
 
@@ -617,20 +644,30 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-binPROGRAMS uninstall-info-am
+uninstall-am: uninstall-binPROGRAMS uninstall-man
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+uninstall-man: uninstall-man1
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
 
 .PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
 	clean clean-binPROGRAMS clean-generic clean-libtool ctags \
-	distclean distclean-compile distclean-generic \
+	dist-hook distclean distclean-compile distclean-generic \
 	distclean-libtool distclean-tags distdir dvi dvi-am html \
 	html-am info info-am install install-am install-binPROGRAMS \
-	install-data install-data-am install-exec install-exec-am \
-	install-info install-info-am install-man install-strip \
-	installcheck installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-binPROGRAMS \
-	uninstall-info-am
+	install-data install-data-am install-data-hook install-dvi \
+	install-dvi-am install-exec install-exec-am install-exec-hook \
+	install-html install-html-am install-info install-info-am \
+	install-man install-man1 install-pdf install-pdf-am install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \
+	uninstall-am uninstall-binPROGRAMS uninstall-hook \
+	uninstall-man uninstall-man1
 
 
 install-suid-programs:
@@ -645,8 +682,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -656,19 +693,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -684,7 +733,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -754,14 +803,39 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/appl/su/su.1 b/crypto/heimdal/appl/su/su.1
new file mode 100644
index 0000000..76f4dc5
--- /dev/null
+++ b/crypto/heimdal/appl/su/su.1
@@ -0,0 +1,123 @@
+.\" Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden). 
+.\" All rights reserved. 
+.\"
+.\" Redistribution and use in source and binary forms, with or without 
+.\" modification, are permitted provided that the following conditions 
+.\" are met: 
+.\"
+.\" 1. Redistributions of source code must retain the above copyright 
+.\"    notice, this list of conditions and the following disclaimer. 
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright 
+.\"    notice, this list of conditions and the following disclaimer in the 
+.\"    documentation and/or other materials provided with the distribution. 
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors 
+.\"    may be used to endorse or promote products derived from this software 
+.\"    without specific prior written permission. 
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+.\" SUCH DAMAGE. 
+.\" 
+.\" $Id: su.1 16528 2006-01-12 16:25:01Z joda $
+.\"
+.Dd January 12, 2006
+.Dt SU 1
+.Os HEIMDAL
+.Sh NAME
+.Nm su
+.Nd substitute user identity
+.Sh SYNOPSIS
+.Nm su
+.Op Fl K | Fl -no-kerberos
+.Op Fl f
+.Op Fl l | Fl -full
+.Op Fl m
+.Oo Fl i Ar instance \*(Ba Xo
+.Fl -instance= Ns Ar instance
+.Xc
+.Oc
+.Oo Fl c Ar command \*(Ba Xo
+.Fl -command= Ns Ar command
+.Xc
+.Oc
+.Op Ar login Op Ar "shell arguments"
+.Sh DESCRIPTION
+.Nm su
+will use Kerberos authentication provided that an instance for the
+user wanting to change effective UID is present in a file named
+.Pa .k5login
+in the target user id's home directory
+.Pp
+A special case exists where 
+.Ql root Ap s
+.Pa ~/.k5login
+needs to contain an entry for:
+.Ql user Ns / Ns Ao instance Ac Ns @ Ns REALM
+for
+.Nm su
+to succed (where 
+.Aq instance
+is
+.Ql root
+unless changed with 
+.Fl i ) .
+.Pp
+In the absence of either an entry for current user in said file or
+other problems like missing 
+.Ql host/hostname@REALM
+keys in the system's
+keytab, or user typing the wrong password, 
+.Nm su
+will fall back to traditional
+.Pa /etc/passwd
+authentication.
+.Pp
+When using
+.Pa /etc/passwd
+authentication,
+.Nm su 
+allows
+.Ql root
+access only to members of the group
+.Ql wheel ,
+or to any user (with knowledge of the
+.Ql root
+password) if that group
+does not exist, or has no members.
+.Pp
+The options are as follows:
+.Bl -item -width Ds
+.It
+.Fl K ,
+.Fl -no-kerberos
+don't use Kerberos.
+.It
+.Fl f
+don't read .cshrc.
+.It
+.Fl l ,
+.Fl -full
+simulate full login.
+.It
+.Fl m
+leave environment unmodified.
+.It
+.Fl i Ar instance ,
+.Fl -instance= Ns Ar instance
+root instance to use.
+.It
+.Fl c Ar command ,
+.Fl -command= Ns Ar command
+command to execute.
+.El
diff --git a/crypto/heimdal/appl/su/supaths.h b/crypto/heimdal/appl/su/supaths.h
new file mode 100644
index 0000000..c12a0c7
--- /dev/null
+++ b/crypto/heimdal/appl/su/supaths.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id$ */
+
+#ifndef __SU_PATH_H
+#define __SU_PATH_H
+
+#ifndef _PATH_DEFPATH
+#define _PATH_DEFPATH "/usr/bin:/bin"
+#endif
+
+#ifndef _PATH_BSHELL
+#define _PATH_BSHELL "/bin/sh"
+#endif
+
+#ifndef _PATH_ETC_ENVIRONMENT
+#define _PATH_ETC_ENVIRONMENT SYSCONFDIR "/environment"
+#endif
+
+#endif /* __SU_PATH_H */
diff --git a/crypto/heimdal/appl/telnet/ChangeLog b/crypto/heimdal/appl/telnet/ChangeLog
index 6106557..473ab6b 100644
--- a/crypto/heimdal/appl/telnet/ChangeLog
+++ b/crypto/heimdal/appl/telnet/ChangeLog
@@ -1,21 +1,266 @@
-2004-06-21  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-12-31  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* telnet/network.c: 1.12: make network rings larger From: MAAAAA
-	MOOOR <huaraz@btinternet.com>
+	* telnetd/sys_term.c: Use strlcpy instead of strncpy, thanks to
+	Antoine Brodin.
 	
-	* telnetd/state.c: 1.14: make subbuffer larger XXX resize
-	dynamicly From: MAAAAA MOOOR <huaraz@btinternet.com>
+2007-07-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* telnetd/telnetd.c (usage): use exit_code, add --version and
+	--help.
+
+	* telnetd/telnetd.c: Add --help, reported by David Love.
+
+2007-07-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* telnet/main.c: Catch --help, reported by David Love.
+	
+2007-07-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* telnetd/sys_term.c: GLIBC made the choice that ut_tv should be
+	shared between 32 and 64 bit platforms so now we can no longer use
+	struct timeval functions to compare or set/get data that uses
+	pointer (gettimeofday for example) since ut_tv is now not a struct
+	timeval but rather a struct { int32_t tv_sec; int32_t tv_usec; };
+
+2006-10-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* telnet/telnet_locl.h: Include roken.h before the local
+	headerfiles.
+
+	* telnetd/telnetd.h: HP/UX defines SE in sys/uio.h, #undef it.
+
+	* telnetd/sys_term.c: Dont't include some streamspty headers here.
+
+	* telnetd/telnetd.c: Dont't include some streamspty headers here.
+
+	* telnetd/telnetd.h: includes some STREAMSPTY header here to avoid
+	ioctl vs socket_wrapper horror.
+	
+2006-10-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* telnet/Makefile.am: more files
+	
+	* telnetd/Makefile.am: more files
+	
+2006-09-19  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* telnetd/telnetd.8: Add documentation for -e, require encryption.
+
+	* telnetd/telnetd.h: Add require_encryption.
+
+	* telnetd/telnetd.c: Allow encryption to be required, wait to the
+	client to turn it on, if failes, refuse the connection.
+
+	* telnetd/state.c: If encryption is required, don't allow it to be
+	turned off.
+	
+2006-09-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* libtelnet/kerberos5.c (kerberos5_forward): use KDCOptions2int on
+	flags before passing them to krb5_get_forwarded_creds.
+	
+2006-05-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Rename u_intXX_t to uintXX_t
+
+2006-03-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* libtelnet/encrypt.c: Spelling.
+
+2005-12-01  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* telnetd/telnetd.c: Initialize the slc mapping table before its
+	used.  Based on bug report from Russell Sanford
+	<rrs@clyde.dcccd.edu>
+	
+2005-11-03  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* telnet/telnet.c: Spelling in comments, from Dave Love
+	<fx@gnu.org>
+	
+2005-10-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* libtelnet/kerberos5.c (Data): Use right variable. From Tomas
+	Olsson
+	
+2005-10-22  Love Hörnquist Åstrand <lha@it.su.se>
+
+	* telnet/commands.c: Check return value from asprintf instead of
+	string != NULL since it undefined behavior on Linux. From Björn
+	Sandell
+
+	* libtelnet/kerberos5.c: Check return value from asprintf instead
+	of string != NULL since it undefined behavior on Linux. From Björn
+	Sandell
+
+	* libtelnet/kerberos.c: Check return value from asprintf instead
+	of string != NULL since it undefined behavior on Linux. From Björn
+	Sandell
+	
+2005-08-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* telnetd/telnetd.c: Fix printing of /etc/issue{,.net}.
+	
+	* telnetd/utility.c: make writenet take const void * and size_t,
+	abort if size it too large
+
+	* telnetd/state.c: Fix ansi c warning.
+
+	* telnetd/sys_term.c: no need to typecast argument to writenet
+
+	* telnetd/ext.h: make writenet take const void * and size_t
+
+2005-07-07  Assar Westerlund  <assar@kth.se>
+
+	* libtelnet/kerberos.c: Do not assume that des_key_schedule is an
+	array.
+
+2005-05-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* libtelnet/kerberos5.c: case uid_t to unsigned long in printf
+	format
+
+	* telnetd/sys_term.c (set_termbuf): use {} around if to make else
+	unambiguous
+
+2005-05-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* telnetd/sys_term.c (start_login): put utmpx code into a new
+	scope to avoid pre c99 problems.
+
+2005-05-19  Dave Love  <fx@gnu.org>
+
+	* telnet/telnet.c,telnet_locl.h: Make solaris find tgetent
+
+2005-05-13  Johan Danielsson  <joda@pdc.kth.se>
+
+	* telnetd/sys_term.c (start_login): set encryption pointers to
+	NULL, so we don't try to do either
+	
+2005-05-11  Dave Love  <fx@gnu.org>
+
+	* telnet/telnet.c: undef ISASCII before we define our own (problem
+	on Irix)
+
+2005-04-28  Johan Danielsson  <joda@pdc.kth.se>
+
+	* telnetd/utility.c (putf): %t: the regular and streamspty case
+	are functionally equivalent, so merge them, this also makes it
+	work better on machines that puts their devices in a subdirectory
+	to /dev
+
+2005-04-27  Dave Love  <fx@gnu.org>
+
+	* telnetd/sys_term.c (getpty): Declare p.
+
+2005-04-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* telnetd/telnetd.c: use strlcpy
+	
+2005-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* telnetd/global.c, telnetd/state.c, telnetd/telnetd.c,
+	telentd/ext.h: remove another strcpy
+
+2005-04-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* telnetd/sys_term.c: rewrite getpty to make use openpty when its
+	found, save the slave fd so that cleanopen can use it if its
+	available
+
+2005-04-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* telnetd/sys_term.c: clean_ttyname might be unused, mark it so
+	with __attribute__
+	
+2005-04-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* telnetd/sys_term.c: use NULL as last argument to execl, not 0
+
+	* telnet/commands.c: use NULL as last argument to execl, not 0
+	
+2005-03-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* telnet/telnet.c: From FreeBSD:
+	
+	Correct a pair of buffer overflows in the telnet(1) command:
+	
+	 (CAN-2005-0468) A heap buffer overflow in env_opt_add() and related
+	 functions.
 	
-	* libtelnet/kerberos5.c: 1.54: (Data): allocate the data needed to
-	be send
+	 (CAN-2005-0469) A global uninitialized data section buffer overflow in
+	 slc_add_reply() and related functions.
+	
+	As a result of these vulnerabilities, it may be possible for a
+	malicious telnet server or active network attacker to cause
+	telnet(1) to execute arbitrary code with the privileges of the
+	user running it.
+	
+	Security: CAN-2005-0468, CAN-2005-0469 Security:
+	FreeBSD-SA-05:01.telnet Security:
+	http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities
+	Security:
+	http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities
+	
+	These fixes are based in part on patches Submitted by: Solar
+	Designer <solar@openwall.com>
+
+2005-03-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* telnetd/telnetd.c: remove setting of DES_check_key, all code
+	uses DES_set_key_checked
+
+	* libtelnet/enc_des.c: use DES_set_key_checked
+	
+2005-01-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* telnet/telnet.c: cast argument to toupper to unsigned char
+
+	* telnet/commands.c: cast argument to is* to unsigned char
+
+2004-06-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* telnet/network.c: make network rings larger From: MAAAAA MOOOR
+	<huaraz@btinternet.com>
+	
+	* telnetd/state.c: make subbuffer larger XXX resize dynamicly
 	From: MAAAAA MOOOR <huaraz@btinternet.com>
 	
+	* libtelnet/kerberos5.c (Data): allocate the data needed to be
+	send From: MAAAAA MOOOR <huaraz@btinternet.com>
+	
+2004-04-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* telnet/main.c: make encrypt, forwardable, forward use appdefault
+	(that also searches libdefaults), prompted by Thomas Nystrom
+	<thn@saeab.se>
+	
 2004-03-22  Love Hörnquist Åstrand  <lha@it.su.se>
 
-        * telnetd/telnetd.c: call setprogname to make libvers happy
+	* telnetd/telnetd.c: call setprogname to make libvers happy
+
+	* telnet/main.c: call setprogname to make libvers happy
+
+2003-09-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* telnet/externs.h: export Scheduler and scheduler_lockout_tty
+	
+	* telnet/telnet.c (my_telnet): if telnet_spin returns failure,
+	complain that the server disconnected and exit
+	
+	* telnet/authenc.c (telnet_spin): if Scheduler() returns failure
+	(-1) propagate to higher level
+
+2003-09-03  Love Hörnquist Åstrand  <lha@it.su.se>
 
-        * telnet/main.c: call setprogname to make libvers happy
+	* telnetd/telnetd.c: use new DES_ api
+	
+	* libtelnet/enc_des.c: use new DES_ api
+	
+2003-04-22  Love Hörnquist Åstrand  <lha@it.su.se>
 
+	* telnet/telnet.1: replace <,> with \*[Lt],\*[Gt]
+	
 2002-09-02  Johan Danielsson  <joda@pdc.kth.se>
 
 	* libtelnet/kerberos5.c: set AP_OPTS_USE_SUBKEY
diff --git a/crypto/heimdal/appl/telnet/Makefile.am b/crypto/heimdal/appl/telnet/Makefile.am
index eec013b..61f0e86a 100644
--- a/crypto/heimdal/appl/telnet/Makefile.am
+++ b/crypto/heimdal/appl/telnet/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.6 1999/03/20 13:58:15 joda Exp $
+# $Id: Makefile.am 5652 1999-03-20 13:58:20Z joda $
 
 include $(top_srcdir)/Makefile.am.common
 
diff --git a/crypto/heimdal/appl/telnet/Makefile.in b/crypto/heimdal/appl/telnet/Makefile.in
index b7c6296..83dc374 100644
--- a/crypto/heimdal/appl/telnet/Makefile.in
+++ b/crypto/heimdal/appl/telnet/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,20 +14,16 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.6 1999/03/20 13:58:15 joda Exp $
+# $Id: Makefile.am 5652 1999-03-20 13:58:20Z joda $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -39,6 +35,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -46,16 +43,14 @@ DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 subdir = appl/telnet
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -68,6 +63,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -76,16 +72,20 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
 depcomp =
@@ -94,22 +94,19 @@ SOURCES =
 DIST_SOURCES =
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	html-recursive info-recursive install-data-recursive \
-	install-exec-recursive install-info-recursive \
-	install-recursive installcheck-recursive installdirs-recursive \
-	pdf-recursive ps-recursive uninstall-info-recursive \
-	uninstall-recursive
+	install-dvi-recursive install-exec-recursive \
+	install-html-recursive install-info-recursive \
+	install-pdf-recursive install-ps-recursive install-recursive \
+	installcheck-recursive installdirs-recursive pdf-recursive \
+	ps-recursive uninstall-recursive
+RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
+  distclean-recursive maintainer-clean-recursive
 ETAGS = etags
 CTAGS = ctags
 DIST_SUBDIRS = $(SUBDIRS)
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -119,8 +116,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -131,11 +126,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -143,42 +137,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -196,12 +175,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -211,15 +187,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -228,6 +203,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -239,15 +215,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -255,74 +226,79 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -339,13 +315,14 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 SUBDIRS = libtelnet telnet telnetd
 EXTRA_DIST = README.ORIG telnet.state
 all: all-recursive
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -382,10 +359,6 @@ mostlyclean-libtool:
 clean-libtool:
 	-rm -rf .libs _libs
 
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
-
 # This directory's subdirectories are mostly independent; you can cd
 # into them and run `make' without going through this Makefile.
 # To change the values of `make' variables: instead of editing Makefiles,
@@ -393,7 +366,13 @@ uninstall-info-am:
 #     (which will cause the Makefiles to be regenerated when you run `make');
 # (2) otherwise, pass the desired values on the `make' command line.
 $(RECURSIVE_TARGETS):
-	@set fnord $$MAKEFLAGS; amf=$$2; \
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
 	dot_seen=no; \
 	target=`echo $@ | sed s/-recursive//`; \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
@@ -405,15 +384,20 @@ $(RECURSIVE_TARGETS):
 	    local_target="$$target"; \
 	  fi; \
 	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
-	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	  || eval $$failcom; \
 	done; \
 	if test "$$dot_seen" = "no"; then \
 	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
 	fi; test -z "$$fail"
 
-mostlyclean-recursive clean-recursive distclean-recursive \
-maintainer-clean-recursive:
-	@set fnord $$MAKEFLAGS; amf=$$2; \
+$(RECURSIVE_CLEAN_TARGETS):
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
 	dot_seen=no; \
 	case "$@" in \
 	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
@@ -434,7 +418,7 @@ maintainer-clean-recursive:
 	    local_target="$$target"; \
 	  fi; \
 	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
-	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	  || eval $$failcom; \
 	done && test -z "$$fail"
 tags-recursive:
 	list='$(SUBDIRS)'; for subdir in $$list; do \
@@ -459,14 +443,16 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	if (etags --etags-include --version) >/dev/null 2>&1; then \
+	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
 	  include_option=--etags-include; \
+	  empty_fix=.; \
 	else \
 	  include_option=--include; \
+	  empty_fix=; \
 	fi; \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
-	    test -f $$subdir/TAGS && \
+	    test ! -f $$subdir/TAGS || \
 	      tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \
 	  fi; \
 	done; \
@@ -476,9 +462,11 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS: ctags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -503,23 +491,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../.. $(distdir)/../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -530,15 +516,19 @@ distdir: $(DISTFILES)
 	    || exit 1; \
 	  fi; \
 	done
-	list='$(SUBDIRS)'; for subdir in $$list; do \
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
 	    test -d "$(distdir)/$$subdir" \
-	    || mkdir "$(distdir)/$$subdir" \
+	    || $(MKDIR_P) "$(distdir)/$$subdir" \
 	    || exit 1; \
+	    distdir=`$(am__cd) $(distdir) && pwd`; \
+	    top_distdir=`$(am__cd) $(top_distdir) && pwd`; \
 	    (cd $$subdir && \
 	      $(MAKE) $(AM_MAKEFLAGS) \
-	        top_distdir="../$(top_distdir)" \
-	        distdir="../$(distdir)/$$subdir" \
+	        top_distdir="$$top_distdir" \
+	        distdir="$$distdir/$$subdir" \
+		am__remove_distdir=: \
+		am__skip_length_check=: \
 	        distdir) \
 	      || exit 1; \
 	  fi; \
@@ -571,7 +561,7 @@ mostlyclean-generic:
 clean-generic:
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -582,8 +572,7 @@ clean-am: clean-generic clean-libtool mostlyclean-am
 
 distclean: distclean-recursive
 	-rm -f Makefile
-distclean-am: clean-am distclean-generic distclean-libtool \
-	distclean-tags
+distclean-am: clean-am distclean-generic distclean-tags
 
 dvi: dvi-recursive
 
@@ -599,14 +588,22 @@ install-data-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-recursive
+
 install-exec-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-recursive
+
 install-info: install-info-recursive
 
 install-man:
 
+install-pdf: install-pdf-recursive
+
+install-ps: install-ps-recursive
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-recursive
@@ -625,22 +622,27 @@ ps: ps-recursive
 
 ps-am:
 
-uninstall-am: uninstall-info-am
-
-uninstall-info: uninstall-info-recursive
-
-.PHONY: $(RECURSIVE_TARGETS) CTAGS GTAGS all all-am all-local check \
-	check-am check-local clean clean-generic clean-libtool \
-	clean-recursive ctags ctags-recursive distclean \
-	distclean-generic distclean-libtool distclean-recursive \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-exec \
-	install-exec-am install-info install-info-am install-man \
-	install-strip installcheck installcheck-am installdirs \
-	installdirs-am maintainer-clean maintainer-clean-generic \
-	maintainer-clean-recursive mostlyclean mostlyclean-generic \
-	mostlyclean-libtool mostlyclean-recursive pdf pdf-am ps ps-am \
-	tags tags-recursive uninstall uninstall-am uninstall-info-am
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \
+	install-data-am install-exec-am install-strip uninstall-am
+
+.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
+	all all-am all-local check check-am check-local clean \
+	clean-generic clean-libtool ctags ctags-recursive dist-hook \
+	distclean distclean-generic distclean-libtool distclean-tags \
+	distdir dvi dvi-am html html-am info info-am install \
+	install-am install-data install-data-am install-data-hook \
+	install-dvi install-dvi-am install-exec install-exec-am \
+	install-exec-hook install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs installdirs-am maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \
+	uninstall uninstall-am uninstall-hook
 
 
 install-suid-programs:
@@ -655,8 +657,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -666,19 +668,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -694,7 +708,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -764,15 +778,40 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
 
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
 dist-hook:
 	$(mkinstalldirs) $(distdir)/arpa
 	$(INSTALL_DATA) $(srcdir)/arpa/telnet.h $(distdir)/arpa
diff --git a/crypto/heimdal/appl/telnet/libtelnet/Makefile.am b/crypto/heimdal/appl/telnet/libtelnet/Makefile.am
index 2c30c2c..60786ba 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/Makefile.am
+++ b/crypto/heimdal/appl/telnet/libtelnet/Makefile.am
@@ -1,8 +1,8 @@
-# $Id: Makefile.am,v 1.9 2001/08/28 08:31:23 assar Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += -I$(srcdir)/.. $(INCLUDE_krb4) $(INCLUDE_des)
+AM_CPPFLAGS += -I$(srcdir)/.. $(INCLUDE_krb4) $(INCLUDE_hcrypto)
 
 noinst_LIBRARIES = libtelnet.a
 
diff --git a/crypto/heimdal/appl/telnet/libtelnet/Makefile.in b/crypto/heimdal/appl/telnet/libtelnet/Makefile.in
index e133fde..cb00e59 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/Makefile.in
+++ b/crypto/heimdal/appl/telnet/libtelnet/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,23 +14,17 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.9 2001/08/28 08:31:23 assar Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
-SOURCES = $(libtelnet_a_SOURCES)
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -42,6 +36,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -49,16 +44,14 @@ DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 subdir = appl/telnet/libtelnet
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -71,6 +64,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -79,50 +73,49 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
-ARFLAGS = cru
 LIBRARIES = $(noinst_LIBRARIES)
+ARFLAGS = cru
 libtelnet_a_AR = $(AR) $(ARFLAGS)
 libtelnet_a_LIBADD =
 am_libtelnet_a_OBJECTS = auth.$(OBJEXT) enc_des.$(OBJEXT) \
 	encrypt.$(OBJEXT) genget.$(OBJEXT) kerberos.$(OBJEXT) \
 	kerberos5.$(OBJEXT) misc.$(OBJEXT)
 libtelnet_a_OBJECTS = $(am_libtelnet_a_OBJECTS)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
 SOURCES = $(libtelnet_a_SOURCES)
 DIST_SOURCES = $(libtelnet_a_SOURCES)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -132,8 +125,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -144,11 +135,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -156,42 +146,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -209,12 +184,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -224,15 +196,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -241,6 +212,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -252,15 +224,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -268,74 +235,80 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/.. $(INCLUDE_krb4) $(INCLUDE_des)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	-I$(srcdir)/.. $(INCLUDE_krb4) $(INCLUDE_hcrypto)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -352,6 +325,7 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 noinst_LIBRARIES = libtelnet.a
 libtelnet_a_SOURCES = \
@@ -373,7 +347,7 @@ EXTRA_DIST = krb4encpwd.c rsaencpwd.c spx.c
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -432,10 +406,6 @@ mostlyclean-libtool:
 clean-libtool:
 	-rm -rf .libs _libs
 
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
-
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -456,9 +426,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -483,23 +455,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../../.. $(distdir)/../../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -537,7 +507,7 @@ mostlyclean-generic:
 clean-generic:
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -550,7 +520,7 @@ clean-am: clean-generic clean-libtool clean-noinstLIBRARIES \
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -566,14 +536,22 @@ install-data-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man:
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -593,19 +571,26 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-info-am
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
 
 .PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
 	clean clean-generic clean-libtool clean-noinstLIBRARIES ctags \
-	distclean distclean-compile distclean-generic \
+	dist-hook distclean distclean-compile distclean-generic \
 	distclean-libtool distclean-tags distdir dvi dvi-am html \
 	html-am info info-am install install-am install-data \
-	install-data-am install-exec install-exec-am install-info \
-	install-info-am install-man install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-info-am
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am uninstall-hook
 
 
 install-suid-programs:
@@ -620,8 +605,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -631,19 +616,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -659,7 +656,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -729,14 +726,39 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/appl/telnet/libtelnet/auth-proto.h b/crypto/heimdal/appl/telnet/libtelnet/auth-proto.h
index 89f1fbc..4f2e245 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/auth-proto.h
+++ b/crypto/heimdal/appl/telnet/libtelnet/auth-proto.h
@@ -53,7 +53,7 @@
  * or implied warranty.
  */
 
-/* $Id: auth-proto.h,v 1.11 2002/08/28 20:56:14 joda Exp $ */
+/* $Id: auth-proto.h 11288 2002-08-28 20:56:14Z joda $ */
 
 #ifdef AUTHENTICATION
 Authenticator *findauthenticator (int, int);
diff --git a/crypto/heimdal/appl/telnet/libtelnet/auth.c b/crypto/heimdal/appl/telnet/libtelnet/auth.c
index cbb7a78..1325303 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/auth.c
+++ b/crypto/heimdal/appl/telnet/libtelnet/auth.c
@@ -53,7 +53,7 @@
 
 #include <config.h>
 
-RCSID("$Id: auth.c,v 1.25 2002/01/18 12:58:48 joda Exp $");
+RCSID("$Id: auth.c 10809 2002-01-18 12:58:49Z joda $");
 
 #if	defined(AUTHENTICATION)
 #include <stdio.h>
diff --git a/crypto/heimdal/appl/telnet/libtelnet/auth.h b/crypto/heimdal/appl/telnet/libtelnet/auth.h
index 83dd701..9248815 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/auth.h
+++ b/crypto/heimdal/appl/telnet/libtelnet/auth.h
@@ -53,7 +53,7 @@
  * or implied warranty.
  */
 
-/* $Id: auth.h,v 1.4 1998/06/09 19:24:41 joda Exp $ */
+/* $Id: auth.h 5027 1998-06-09 19:25:40Z joda $ */
 
 #ifndef	__AUTH__
 #define	__AUTH__
diff --git a/crypto/heimdal/appl/telnet/libtelnet/enc-proto.h b/crypto/heimdal/appl/telnet/libtelnet/enc-proto.h
index 3078848..a40893b 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/enc-proto.h
+++ b/crypto/heimdal/appl/telnet/libtelnet/enc-proto.h
@@ -55,7 +55,7 @@
  * or implied warranty.
  */
 
-/* $Id: enc-proto.h,v 1.11 2002/01/18 12:58:49 joda Exp $ */
+/* $Id: enc-proto.h 10809 2002-01-18 12:58:49Z joda $ */
 
 #if	defined(ENCRYPTION)
 Encryptions *findencryption (int);
diff --git a/crypto/heimdal/appl/telnet/libtelnet/enc_des.c b/crypto/heimdal/appl/telnet/libtelnet/enc_des.c
index 537d22f..13dd9da 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/enc_des.c
+++ b/crypto/heimdal/appl/telnet/libtelnet/enc_des.c
@@ -33,7 +33,7 @@
 
 #include <config.h>
 
-RCSID("$Id: enc_des.c,v 1.21 2002/09/10 20:03:47 joda Exp $");
+RCSID("$Id: enc_des.c 14681 2005-03-23 16:19:31Z lha $");
 
 #if	defined(AUTHENTICATION) && defined(ENCRYPTION) && defined(DES_ENCRYPTION)
 #include <arpa/telnet.h>
@@ -66,19 +66,19 @@ extern int encrypt_debug_mode;
 
 
 struct stinfo {
-  des_cblock	str_output;
-  des_cblock	str_feed;
-  des_cblock	str_iv;
-  des_cblock	str_ikey;
-  des_key_schedule str_sched;
+  DES_cblock	str_output;
+  DES_cblock	str_feed;
+  DES_cblock	str_iv;
+  DES_cblock	str_ikey;
+  DES_key_schedule str_sched;
   int		str_index;
   int		str_flagshift;
 };
 
 struct fb {
-	des_cblock krbdes_key;
-	des_key_schedule krbdes_sched;
-	des_cblock temp_feed;
+	DES_cblock krbdes_key;
+	DES_key_schedule krbdes_sched;
+	DES_cblock temp_feed;
 	unsigned char fb_feed[64];
 	int need_start;
 	int state[2];
@@ -116,13 +116,13 @@ struct keyidlist {
 #define	FB64_IV_BAD	3
 
 
-void fb64_stream_iv (des_cblock, struct stinfo *);
+void fb64_stream_iv (DES_cblock, struct stinfo *);
 void fb64_init (struct fb *);
 static int fb64_start (struct fb *, int, int);
 int fb64_is (unsigned char *, int, struct fb *);
 int fb64_reply (unsigned char *, int, struct fb *);
 static void fb64_session (Session_Key *, int, struct fb *);
-void fb64_stream_key (des_cblock, struct stinfo *);
+void fb64_stream_key (DES_cblock, struct stinfo *);
 int fb64_keyid (int, unsigned char *, int *, struct fb *);
 void fb64_printsub(unsigned char *, int ,
 		   unsigned char *, int , char *);
@@ -211,7 +211,7 @@ static int fb64_start(struct fb *fbp, int dir, int server)
 		 * Create a random feed and send it over.
 		 */
 #ifndef OLD_DES_RANDOM_KEY
-		des_new_random_key(&fbp->temp_feed);
+		DES_random_key(&fbp->temp_feed);
 #else
 		/*
 		 * From des_cryp.man "If the des_check_key flag is non-zero,
@@ -219,18 +219,18 @@ static int fb64_start(struct fb *fbp, int dir, int server)
 		 *  of odd parity and is not a week or semi-weak key."
 		 */
 		do {
-			des_random_key(fbp->temp_feed);
-			des_set_odd_parity(fbp->temp_feed);
-		} while (des_is_weak_key(fbp->temp_feed));
+			DES_random_key(fbp->temp_feed);
+			DES_set_odd_parity(fbp->temp_feed);
+		} while (DES_is_weak_key(fbp->temp_feed));
 #endif
-		des_ecb_encrypt(&fbp->temp_feed,
+		DES_ecb_encrypt(&fbp->temp_feed,
 				&fbp->temp_feed,
-				fbp->krbdes_sched, 1);
+				&fbp->krbdes_sched, 1);
 		p = fbp->fb_feed + 3;
 		*p++ = ENCRYPT_IS;
 		p++;
 		*p++ = FB64_IV;
-		for (x = 0; x < sizeof(des_cblock); ++x) {
+		for (x = 0; x < sizeof(DES_cblock); ++x) {
 			if ((*p++ = fbp->temp_feed[x]) == IAC)
 				*p++ = IAC;
 		}
@@ -273,7 +273,7 @@ int fb64_is(unsigned char *data, int cnt, struct fb *fbp)
 
 	switch (*data++) {
 	case FB64_IV:
-		if (cnt != sizeof(des_cblock)) {
+		if (cnt != sizeof(DES_cblock)) {
 			if (encrypt_debug_mode)
 				printf("CFB64: initial vector failed on size\r\n");
 			state = FAILED;
@@ -362,7 +362,7 @@ int fb64_reply(unsigned char *data, int cnt, struct fb *fbp)
 		break;
 
 	case FB64_IV_BAD:
-		memset(fbp->temp_feed, 0, sizeof(des_cblock));
+		memset(fbp->temp_feed, 0, sizeof(DES_cblock));
 		fb64_stream_iv(fbp->temp_feed, &fbp->streams[DIR_ENCRYPT-1]);
 		state = FAILED;
 		break;
@@ -400,18 +400,19 @@ static void fb64_session(Session_Key *key, int server, struct fb *fbp)
 				key ? key->type : -1, SK_DES);
 		return;
 	}
-	memcpy(fbp->krbdes_key, key->data, sizeof(des_cblock));
+	memcpy(fbp->krbdes_key, key->data, sizeof(DES_cblock));
 
 	fb64_stream_key(fbp->krbdes_key, &fbp->streams[DIR_ENCRYPT-1]);
 	fb64_stream_key(fbp->krbdes_key, &fbp->streams[DIR_DECRYPT-1]);
 
 	if (fbp->once == 0) {
 #if !defined(OLD_DES_RANDOM_KEY) && !defined(HAVE_OPENSSL)
-		des_init_random_number_generator(&fbp->krbdes_key);
+		DES_init_random_number_generator(&fbp->krbdes_key);
 #endif
 		fbp->once = 1;
 	}
-	des_key_sched(&fbp->krbdes_key, fbp->krbdes_sched);
+	DES_set_key_checked((DES_cblock *)&fbp->krbdes_key,
+			    &fbp->krbdes_sched);
 	/*
 	 * Now look to see if krbdes_start() was was waiting for
 	 * the key to show up.  If so, go ahead an call it now
@@ -508,25 +509,25 @@ void ofb64_printsub(unsigned char *data, int cnt,
 	fb64_printsub(data, cnt, buf, buflen, "OFB64");
 }
 
-void fb64_stream_iv(des_cblock seed, struct stinfo *stp)
+void fb64_stream_iv(DES_cblock seed, struct stinfo *stp)
 {
 
-	memcpy(stp->str_iv, seed,sizeof(des_cblock));
-	memcpy(stp->str_output, seed, sizeof(des_cblock));
+	memcpy(stp->str_iv, seed,sizeof(DES_cblock));
+	memcpy(stp->str_output, seed, sizeof(DES_cblock));
 
-	des_key_sched(&stp->str_ikey, stp->str_sched);
+	DES_set_key_checked(&stp->str_ikey, &stp->str_sched);
 
-	stp->str_index = sizeof(des_cblock);
+	stp->str_index = sizeof(DES_cblock);
 }
 
-void fb64_stream_key(des_cblock key, struct stinfo *stp)
+void fb64_stream_key(DES_cblock key, struct stinfo *stp)
 {
-	memcpy(stp->str_ikey, key, sizeof(des_cblock));
-	des_key_sched((des_cblock*)key, stp->str_sched);
+	memcpy(stp->str_ikey, key, sizeof(DES_cblock));
+	DES_set_key_checked((DES_cblock*)key, &stp->str_sched);
 
-	memcpy(stp->str_output, stp->str_iv, sizeof(des_cblock));
+	memcpy(stp->str_output, stp->str_iv, sizeof(DES_cblock));
 
-	stp->str_index = sizeof(des_cblock);
+	stp->str_index = sizeof(DES_cblock);
 }
 
 /*
@@ -558,10 +559,10 @@ void cfb64_encrypt(unsigned char *s, int c)
 
 	index = stp->str_index;
 	while (c-- > 0) {
-		if (index == sizeof(des_cblock)) {
-			des_cblock b;
-			des_ecb_encrypt(&stp->str_output, &b,stp->str_sched, 1);
-			memcpy(stp->str_feed, b, sizeof(des_cblock));
+		if (index == sizeof(DES_cblock)) {
+			DES_cblock b;
+			DES_ecb_encrypt(&stp->str_output, &b,&stp->str_sched, 1);
+			memcpy(stp->str_feed, b, sizeof(DES_cblock));
 			index = 0;
 		}
 
@@ -590,10 +591,10 @@ int cfb64_decrypt(int data)
 	}
 
 	index = stp->str_index++;
-	if (index == sizeof(des_cblock)) {
-		des_cblock b;
-		des_ecb_encrypt(&stp->str_output,&b, stp->str_sched, 1);
-		memcpy(stp->str_feed, b, sizeof(des_cblock));
+	if (index == sizeof(DES_cblock)) {
+		DES_cblock b;
+		DES_ecb_encrypt(&stp->str_output,&b, &stp->str_sched, 1);
+		memcpy(stp->str_feed, b, sizeof(DES_cblock));
 		stp->str_index = 1;	/* Next time will be 1 */
 		index = 0;		/* But now use 0 */ 
 	}
@@ -630,10 +631,10 @@ void ofb64_encrypt(unsigned char *s, int c)
 
 	index = stp->str_index;
 	while (c-- > 0) {
-		if (index == sizeof(des_cblock)) {
-			des_cblock b;
-			des_ecb_encrypt(&stp->str_feed,&b, stp->str_sched, 1);
-			memcpy(stp->str_feed, b, sizeof(des_cblock));
+		if (index == sizeof(DES_cblock)) {
+			DES_cblock b;
+			DES_ecb_encrypt(&stp->str_feed,&b, &stp->str_sched, 1);
+			memcpy(stp->str_feed, b, sizeof(DES_cblock));
 			index = 0;
 		}
 		*s++ ^= stp->str_feed[index];
@@ -659,10 +660,10 @@ int ofb64_decrypt(int data)
 	}
 
 	index = stp->str_index++;
-	if (index == sizeof(des_cblock)) {
-		des_cblock b;
-		des_ecb_encrypt(&stp->str_feed,&b,stp->str_sched, 1);
-		memcpy(stp->str_feed, b, sizeof(des_cblock));
+	if (index == sizeof(DES_cblock)) {
+		DES_cblock b;
+		DES_ecb_encrypt(&stp->str_feed,&b,&stp->str_sched, 1);
+		memcpy(stp->str_feed, b, sizeof(DES_cblock));
 		stp->str_index = 1;	/* Next time will be 1 */
 		index = 0;		/* But now use 0 */ 
 	}
diff --git a/crypto/heimdal/appl/telnet/libtelnet/encrypt.c b/crypto/heimdal/appl/telnet/libtelnet/encrypt.c
index fca8a47..04dbe83 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/encrypt.c
+++ b/crypto/heimdal/appl/telnet/libtelnet/encrypt.c
@@ -54,7 +54,7 @@
 
 #include <config.h>
 
-RCSID("$Id: encrypt.c,v 1.23 2002/01/18 12:58:49 joda Exp $");
+RCSID("$Id: encrypt.c 16802 2006-03-23 19:36:31Z lha $");
 
 #if	defined(ENCRYPTION)
 
@@ -636,7 +636,7 @@ encrypt_reply(unsigned char *data, int cnt)
 }
 
 /*
- * Called when a ENCRYPT START command is received.
+ * Called when ENCRYPT START is received.
  */
 void
 encrypt_start(unsigned char *data, int cnt)
diff --git a/crypto/heimdal/appl/telnet/libtelnet/encrypt.h b/crypto/heimdal/appl/telnet/libtelnet/encrypt.h
index 3b04bd5..814491c 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/encrypt.h
+++ b/crypto/heimdal/appl/telnet/libtelnet/encrypt.h
@@ -55,7 +55,7 @@
  * or implied warranty.
  */
 
-/* $Id: encrypt.h,v 1.8 2002/09/10 20:03:47 joda Exp $ */
+/* $Id: encrypt.h 11444 2002-09-10 20:03:49Z joda $ */
 
 #ifndef	__ENCRYPT__
 #define	__ENCRYPT__
diff --git a/crypto/heimdal/appl/telnet/libtelnet/genget.c b/crypto/heimdal/appl/telnet/libtelnet/genget.c
index 27d1d67..5785314 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/genget.c
+++ b/crypto/heimdal/appl/telnet/libtelnet/genget.c
@@ -34,7 +34,7 @@
 #include <config.h>
 #include "misc-proto.h"
 
-RCSID("$Id: genget.c,v 1.7 2001/09/03 05:54:14 assar Exp $");
+RCSID("$Id: genget.c 10646 2001-09-03 05:54:18Z assar $");
 
 #include <ctype.h>
 
diff --git a/crypto/heimdal/appl/telnet/libtelnet/kerberos.c b/crypto/heimdal/appl/telnet/libtelnet/kerberos.c
index 09d3073..1c86fe2 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/kerberos.c
+++ b/crypto/heimdal/appl/telnet/libtelnet/kerberos.c
@@ -55,7 +55,7 @@
 #include <config.h>
 #endif
 
-RCSID("$Id: kerberos.c,v 1.54 2001/08/22 20:30:22 assar Exp $");
+RCSID("$Id: kerberos.c 22071 2007-11-14 20:04:50Z lha $");
 
 #ifdef	KRB4
 #ifdef HAVE_SYS_TYPES_H
@@ -347,14 +347,15 @@ kerberos4_is(Authenticator *ap, unsigned char *data, int cnt)
 	    Data(ap, KRB_ACCEPT, NULL, 0);
 	} else {
 	    char *msg;
+	    int ret;
 
-	    asprintf (&msg, "user `%s' is not authorized to "
-		      "login as `%s'", 
-		      krb_unparse_name_long(adat.pname, 
-					    adat.pinst, 
-					    adat.prealm), 
-		      UserNameRequested ? UserNameRequested : "<nobody>");
-	    if (msg == NULL)
+	    ret = asprintf (&msg, "user `%s' is not authorized to "
+			    "login as `%s'", 
+			    krb_unparse_name_long(adat.pname, 
+						  adat.pinst, 
+						  adat.prealm), 
+			    UserNameRequested ? UserNameRequested : "<nobody>");
+	    if (ret == -1)
 		Data(ap, KRB_REJECT, NULL, 0);
 	    else {
 		Data(ap, KRB_REJECT, (void *)msg, -1);
@@ -440,7 +441,7 @@ kerberos4_is(Authenticator *ap, unsigned char *data, int cnt)
 		}
 	    }
 	    memset(data, 0, cnt);
-	    memset(ks, 0, sizeof(ks));
+	    memset(&ks, 0, sizeof(ks));
 	    memset(&cred, 0, sizeof(cred));
 	}
 	
@@ -540,7 +541,7 @@ kerberos4_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
 {
     int i;
 
-    buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+    buf[buflen-1] = '\0';		/* make sure it's NULL terminated */
     buflen -= 1;
 
     switch(data[3]) {
@@ -651,7 +652,7 @@ static int
 unpack_cred(unsigned char *buf, int len, CREDENTIALS *cred)
 {
     char *p = (char*)buf;
-    u_int32_t tmp;
+    uint32_t tmp;
 
     strncpy (cred->service, p, ANAME_SZ);
     cred->service[ANAME_SZ - 1] = '\0';
@@ -675,7 +676,7 @@ unpack_cred(unsigned char *buf, int len, CREDENTIALS *cred)
     p += cred->ticket_st.length;
     p += krb_get_int(p, &tmp, 4, 0);
     cred->ticket_st.mbz = 0;
-    p += krb_get_int(p, (u_int32_t *)&cred->issue_date, 4, 0);
+    p += krb_get_int(p, (uint32_t *)&cred->issue_date, 4, 0);
 
     strncpy (cred->pname, p, ANAME_SZ);
     cred->pname[ANAME_SZ - 1] = '\0';
@@ -712,7 +713,7 @@ kerberos4_forward(Authenticator *ap, void *v)
     len = pack_cred(&cred, netcred);
     des_pcbc_encrypt((void*)netcred, (void*)netcred, len,
 		     ks, key, DES_ENCRYPT);
-    memset(ks, 0, sizeof(ks));
+    memset(&ks, 0, sizeof(ks));
     Data(ap, KRB_FORWARD, netcred, len);
     memset(netcred, 0, sizeof(netcred));
     return 0;
diff --git a/crypto/heimdal/appl/telnet/libtelnet/kerberos5.c b/crypto/heimdal/appl/telnet/libtelnet/kerberos5.c
index 9ea3759..cac80d0 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/kerberos5.c
+++ b/crypto/heimdal/appl/telnet/libtelnet/kerberos5.c
@@ -53,7 +53,7 @@
 
 #include <config.h>
 
-RCSID("$Id: kerberos5.c,v 1.53.2.1 2004/06/21 08:21:07 lha Exp $");
+RCSID("$Id: kerberos5.c 22071 2007-11-14 20:04:50Z lha $");
 
 #ifdef	KRB5
 
@@ -115,18 +115,18 @@ static krb5_context context;
 static krb5_auth_context auth_context;
 
 static int
-Data(Authenticator *ap, int type, void *d, int c)
+Data(Authenticator *ap, int type, const void *d, int c)
 {
-    unsigned char *cd = (unsigned char *)d;
+    const unsigned char *cp, *cd = d;
     unsigned char *p0, *p;
     size_t len = sizeof(str_data) + 3 + 2;
     int ret;
 
     if (c == -1)
-	c = strlen((char*)cd);
+	c = strlen((const char*)cd);
 
-    for (p = cd; p - cd < c; p++, len++)
-	if (*p == IAC)
+    for (cp = cd; cp - cd < c; cp++, len++)
+	if (*cp == IAC)
 	    len++;
 
     p0 = malloc(len);
@@ -198,7 +198,7 @@ kerberos5_send(char *name, Authenticator *ap)
     krb5_ccache ccache;
     int ap_opts;
     krb5_data cksum_data;
-    char foo[2];
+    char ap_msg[2];
     
     if (!UserNameRequested) {
 	if (auth_debug_mode) {
@@ -246,11 +246,11 @@ kerberos5_send(char *name, Authenticator *ap)
 
     krb5_auth_con_setkeytype (context, auth_context, KEYTYPE_DES);
 
-    foo[0] = ap->type;
-    foo[1] = ap->way;
+    ap_msg[0] = ap->type;
+    ap_msg[1] = ap->way;
 
-    cksum_data.length = sizeof(foo);
-    cksum_data.data   = foo;
+    cksum_data.length = sizeof(ap_msg);
+    cksum_data.data   = ap_msg;
 
 
     {
@@ -324,6 +324,21 @@ kerberos5_send_oneway(Authenticator *ap)
     return kerberos5_send("KERBEROS5", ap);
 }
 
+static void log_message(const char *fmt, ...)
+{
+    va_list ap;
+    va_start(ap, fmt);
+    if (auth_debug_mode) {
+	va_start(ap, fmt);
+	vfprintf(stdout, fmt, ap);
+	va_end(ap);
+	fprintf(stdout, "\r\n");
+    }
+    va_start(ap, fmt);
+    vsyslog(LOG_NOTICE, fmt, ap);
+    va_end(ap);
+}
+
 void
 kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
 {
@@ -347,9 +362,8 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
 	if (ret) {
 	    Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
 	    auth_finished(ap, AUTH_REJECT);
-	    if (auth_debug_mode)
-		printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
-		       krb5_get_err_text(context, ret));
+	    log_message("Kerberos V5: krb5_auth_con_init failed (%s)",
+			krb5_get_err_text(context, ret));
 	    return;
 	}
 
@@ -359,10 +373,9 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
 	if (ret) {
 	    Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
 	    auth_finished(ap, AUTH_REJECT);
-	    if (auth_debug_mode)
-		printf("Kerberos V5: "
-		       "krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
-		       krb5_get_err_text(context, ret));
+	    log_message("Kerberos V5: "
+			"krb5_auth_con_setaddrs_from_fd failed (%s)",
+			krb5_get_err_text(context, ret));
 	    return;
 	}
 
@@ -374,10 +387,9 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
 	if (ret) {
 	    Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
 	    auth_finished(ap, AUTH_REJECT);
-	    if (auth_debug_mode)
-		printf("Kerberos V5: "
-		       "krb5_sock_to_principal failed (%s)\r\n",
-		       krb5_get_err_text(context, ret));
+	    log_message("Kerberos V5: "
+			"krb5_sock_to_principal failed (%s)",
+			krb5_get_err_text(context, ret));
 	    return;
 	}
 
@@ -391,37 +403,46 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
 
 	krb5_free_principal (context, server);
 	if (ret) {
+	    const char *errbuf2 = "Read req failed";
 	    char *errbuf;
-
-	    asprintf(&errbuf,
-		     "Read req failed: %s",
-		     krb5_get_err_text(context, ret));
-	    Data(ap, KRB_REJECT, errbuf, -1);
-	    if (auth_debug_mode)
-		printf("%s\r\n", errbuf);
-	    free (errbuf);
+	    int ret2;
+
+	    ret2 = asprintf(&errbuf,
+			    "Read req failed: %s",
+			    krb5_get_err_text(context, ret));
+	    if (ret2 != -1)
+		errbuf2 = errbuf;
+	    Data(ap, KRB_REJECT, errbuf2, -1);
+	    log_message("%s", errbuf2);
+	    if (ret2 != -1)
+		free (errbuf);
 	    return;
 	}
 	
 	{
-	    char foo[2];
+	    char ap_msg[2];
 	    
-	    foo[0] = ap->type;
-	    foo[1] = ap->way;
+	    ap_msg[0] = ap->type;
+	    ap_msg[1] = ap->way;
 	    
 	    ret = krb5_verify_authenticator_checksum(context,
 						     auth_context,
-						     foo, 
-						     sizeof(foo));
+						     ap_msg, 
+						     sizeof(ap_msg));
 
 	    if (ret) {
+		const char *errbuf2 = "Bad checksum";
 		char *errbuf;
-		asprintf(&errbuf, "Bad checksum: %s", 
-			 krb5_get_err_text(context, ret));
-		Data(ap, KRB_REJECT, errbuf, -1);
-		if (auth_debug_mode)
-		    printf ("%s\r\n", errbuf);
-		free(errbuf);
+		int ret2;
+
+		ret2 = asprintf(&errbuf, "Bad checksum: %s", 
+				krb5_get_err_text(context, ret));
+		if (ret2 != -1)
+		    errbuf2 = errbuf;
+		Data(ap, KRB_REJECT, errbuf2, -1);
+		log_message("%s", errbuf2);
+		if (ret2 != -1)
+		    free(errbuf);
 		return;
 	    }
 	}
@@ -432,10 +453,9 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
 	if (ret) {
 	    Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
 	    auth_finished(ap, AUTH_REJECT);
-	    if (auth_debug_mode)
-		printf("Kerberos V5: "
-		       "krb5_auth_con_getremotesubkey failed (%s)\r\n",
-		       krb5_get_err_text(context, ret));
+	    log_message("Kerberos V5: "
+			"krb5_auth_con_getremotesubkey failed (%s)",
+			krb5_get_err_text(context, ret));
 	    return;
 	}
 
@@ -447,18 +467,16 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
 	if (ret) {
 	    Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1);
 	    auth_finished(ap, AUTH_REJECT);
-	    if (auth_debug_mode)
-		printf("Kerberos V5: "
-		       "krb5_auth_con_getkey failed (%s)\r\n",
-		       krb5_get_err_text(context, ret));
+	    log_message("Kerberos V5: "
+			"krb5_auth_con_getkey failed (%s)",
+			krb5_get_err_text(context, ret));
 	    return;
 	}
 	if (key_block == NULL) {
 	    Data(ap, KRB_REJECT, "no subkey received", -1);
 	    auth_finished(ap, AUTH_REJECT);
-	    if (auth_debug_mode)
-		printf("Kerberos V5: "
-		       "krb5_auth_con_getremotesubkey returned NULL key\r\n");
+	    log_message("Kerberos V5: "
+			"krb5_auth_con_getremotesubkey returned NULL key");
 	    return;
 	}
 
@@ -468,10 +486,9 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
 		Data(ap, KRB_REJECT,
 		     "krb5_mk_rep failed", -1);
 		auth_finished(ap, AUTH_REJECT);
-		if (auth_debug_mode)
-		    printf("Kerberos V5: "
-			   "krb5_mk_rep failed (%s)\r\n",
-			   krb5_get_err_text(context, ret));
+		log_message("Kerberos V5: "
+			    "krb5_mk_rep failed (%s)",
+			    krb5_get_err_text(context, ret));
 		return;
 	    }
 	    Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
@@ -483,10 +500,10 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
 					     ticket->client,
 					     UserNameRequested)) {
 	    Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
-	    if (auth_debug_mode) {
-		printf("Kerberos5 identifies him as ``%s''\r\n",
-		       name ? name : "");
-	    }
+	    log_message("%s accepted as user %s from %s",
+			name ? name : "<unknown>", 
+			UserNameRequested ? UserNameRequested : "<unknown>",
+			RemoteHostName ? RemoteHostName : "<unknown>");
 
 	    if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
 	       key_block->keytype == ETYPE_DES_CBC_MD4 ||
@@ -500,18 +517,18 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
 	    }
 
 	} else {
+	    const char *msg2 = "user is not authorized to login";
 	    char *msg;
 
-	    asprintf (&msg, "user `%s' is not authorized to "
-		      "login as `%s'", 
-		      name ? name : "<unknown>",
-		      UserNameRequested ? UserNameRequested : "<nobody>");
-	    if (msg == NULL)
-		Data(ap, KRB_REJECT, NULL, 0);
-	    else {
-		Data(ap, KRB_REJECT, (void *)msg, -1);
+	    ret = asprintf (&msg, "user `%s' is not authorized to "
+			    "login as `%s'", 
+			    name ? name : "<unknown>",
+			    UserNameRequested ? UserNameRequested : "<nobody>");
+	    if (ret != -1)
+		msg2 = msg;
+	    Data(ap, KRB_REJECT, (void *)msg2, -1);
+	    if (ret != -1)
 		free(msg);
-	    }
 	    auth_finished (ap, AUTH_REJECT);
 	    krb5_free_keyblock_contents(context, key_block);
 	    break;
@@ -533,12 +550,11 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
 	    break;
 
 	snprintf (ccname, sizeof(ccname),
-		  "FILE:/tmp/krb5cc_%u", pwd->pw_uid);
+		  "FILE:/tmp/krb5cc_%lu", (unsigned long)pwd->pw_uid);
 
 	ret = krb5_cc_resolve (context, ccname, &ccache);
 	if (ret) {
-	    if (auth_debug_mode)
-		printf ("Kerberos V5: could not get ccache: %s\r\n",
+	    log_message("Kerberos V5: could not get ccache: %s",
 			krb5_get_err_text(context, ret));
 	    break;
 	}
@@ -547,8 +563,7 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
 				  ccache,
 				  ticket->client);
 	if (ret) {
-	    if (auth_debug_mode)
-		printf ("Kerberos V5: could not init ccache: %s\r\n",
+	    log_message("Kerberos V5: could not init ccache: %s",
 			krb5_get_err_text(context, ret));
 	    break;
 	}
@@ -561,19 +576,20 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
 			     ccache,
 			     &inbuf);
 	if(ret) {
+	    const char *errbuf2 = "Read forwarded creds failed";
 	    char *errbuf;
-
-	    asprintf (&errbuf,
-		      "Read forwarded creds failed: %s",
-		      krb5_get_err_text (context, ret));
-	    if(errbuf == NULL)
-		Data(ap, KRB_FORWARD_REJECT, NULL, 0);
-	    else
-		Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
-	    if (auth_debug_mode)
-		printf("Could not read forwarded credentials: %s\r\n",
-		       errbuf);
-	    free (errbuf);
+	    int ret2;
+
+	    ret2 = asprintf (&errbuf,
+			     "Read forwarded creds failed: %s",
+			     krb5_get_err_text (context, ret));
+	    if (ret2 != -1)
+		errbuf2 = errbuf;
+	    Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
+	    log_message("Could not read forwarded credentials: %s", errbuf);
+
+	    if (ret2 != -1)
+		free (errbuf);
 	} else {
 	    Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
 #if defined(DCE)
@@ -581,13 +597,11 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
 #endif
 	}
 	chown (ccname + 5, pwd->pw_uid, -1);
-	if (auth_debug_mode)
-	    printf("Forwarded credentials obtained\r\n");
+	log_message("Forwarded credentials obtained");
 	break;
     }
     default:
-	if (auth_debug_mode)
-	    printf("Unknown Kerberos option %d\r\n", data[-1]);
+	log_message("Unknown Kerberos option %d", data[-1]);
 	Data(ap, KRB_REJECT, 0, 0);
 	break;
     }
@@ -712,7 +726,7 @@ kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
 {
     int i;
 
-    buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+    buf[buflen-1] = '\0';		/* make sure it's NULL terminated */
     buflen -= 1;
 
     switch(data[3]) {
@@ -773,7 +787,7 @@ kerberos5_forward(Authenticator *ap)
     krb5_error_code ret;
     krb5_ccache     ccache;
     krb5_creds      creds;
-    krb5_kdc_flags  flags;
+    KDCOptions	    flags;
     krb5_data       out_data;
     krb5_principal  principal;
 
@@ -814,15 +828,15 @@ kerberos5_forward(Authenticator *ap)
 
     creds.times.endtime = 0;
 
-    flags.i = 0;
-    flags.b.forwarded = 1;
+    memset(&flags, 0, sizeof(flags));
+    flags.forwarded = 1;
     if (forward_flags & OPTS_FORWARDABLE_CREDS)
-	flags.b.forwardable = 1;
+	flags.forwardable = 1;
 
     ret = krb5_get_forwarded_creds (context,
 				    auth_context,
 				    ccache,
-				    flags.i,
+				    KDCOptions2int(flags),
 				    RemoteHostName,
 				    &creds,
 				    &out_data);
diff --git a/crypto/heimdal/appl/telnet/libtelnet/krb4encpwd.c b/crypto/heimdal/appl/telnet/libtelnet/krb4encpwd.c
index 0a4ff86..f14bc7d 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/krb4encpwd.c
+++ b/crypto/heimdal/appl/telnet/libtelnet/krb4encpwd.c
@@ -33,7 +33,7 @@
 
 #include <config.h>
 
-RCSID("$Id: krb4encpwd.c,v 1.19 2001/02/15 04:20:52 assar Exp $");
+RCSID("$Id: krb4encpwd.c 22071 2007-11-14 20:04:50Z lha $");
 
 #ifdef	KRB4_ENCPWD
 /*
@@ -354,7 +354,7 @@ krb4encpwd_printsub(data, cnt, buf, buflen)
 {
 	int i;
 
-	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+	buf[buflen-1] = '\0';		/* make sure it's NULL terminated */
 	buflen -= 1;
 
 	switch(data[3]) {
diff --git a/crypto/heimdal/appl/telnet/libtelnet/misc-proto.h b/crypto/heimdal/appl/telnet/libtelnet/misc-proto.h
index 7bbafa5..07a2509 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/misc-proto.h
+++ b/crypto/heimdal/appl/telnet/libtelnet/misc-proto.h
@@ -53,7 +53,7 @@
  * or implied warranty.
  */
 
-/* $Id: misc-proto.h,v 1.9 2000/11/15 23:00:21 assar Exp $ */
+/* $Id: misc-proto.h 9187 2000-11-15 23:00:21Z assar $ */
 
 #ifndef	__MISC_PROTO__
 #define	__MISC_PROTO__
diff --git a/crypto/heimdal/appl/telnet/libtelnet/misc.c b/crypto/heimdal/appl/telnet/libtelnet/misc.c
index b7af237..f74e304 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/misc.c
+++ b/crypto/heimdal/appl/telnet/libtelnet/misc.c
@@ -33,7 +33,7 @@
 
 #include <config.h>
 
-RCSID("$Id: misc.c,v 1.15 2000/01/25 23:24:58 assar Exp $");
+RCSID("$Id: misc.c 7822 2000-01-25 23:24:58Z assar $");
 
 #include <stdio.h>
 #include <stdlib.h>
diff --git a/crypto/heimdal/appl/telnet/libtelnet/rsaencpwd.c b/crypto/heimdal/appl/telnet/libtelnet/rsaencpwd.c
index 4c5e875..cff096c 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/rsaencpwd.c
+++ b/crypto/heimdal/appl/telnet/libtelnet/rsaencpwd.c
@@ -33,7 +33,7 @@
 
 #include <config.h>
 
-RCSID("$Id: rsaencpwd.c,v 1.19 2002/08/12 15:09:17 joda Exp $");
+RCSID("$Id: rsaencpwd.c 22071 2007-11-14 20:04:50Z lha $");
 
 #ifdef	RSA_ENCPWD
 /*
@@ -409,7 +409,7 @@ rsaencpwd_printsub(data, cnt, buf, buflen)
 {
 	int i;
 
-	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+	buf[buflen-1] = '\0';		/* make sure it's NULL terminated */
 	buflen -= 1;
 
 	switch(data[3]) {
diff --git a/crypto/heimdal/appl/telnet/libtelnet/spx.c b/crypto/heimdal/appl/telnet/libtelnet/spx.c
index 9155ef2..82fafdb 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/spx.c
+++ b/crypto/heimdal/appl/telnet/libtelnet/spx.c
@@ -33,7 +33,7 @@
 
 #include <config.h>
 
-RCSID("$Id: spx.c,v 1.17 1999/09/16 20:41:34 assar Exp $");
+RCSID("$Id: spx.c 22071 2007-11-14 20:04:50Z lha $");
 
 #ifdef	SPX
 /*
@@ -532,7 +532,7 @@ spx_printsub(data, cnt, buf, buflen)
 {
 	int i;
 
-	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+	buf[buflen-1] = '\0';		/* make sure it's NULL terminated */
 	buflen -= 1;
 
 	switch(data[3]) {
diff --git a/crypto/heimdal/appl/telnet/telnet/Makefile.am b/crypto/heimdal/appl/telnet/telnet/Makefile.am
index cb516cb..a472ba9 100644
--- a/crypto/heimdal/appl/telnet/telnet/Makefile.am
+++ b/crypto/heimdal/appl/telnet/telnet/Makefile.am
@@ -1,8 +1,8 @@
-# $Id: Makefile.am,v 1.16 2001/08/28 11:21:16 joda Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += -I$(srcdir)/.. $(INCLUDE_krb4) $(INCLUDE_des)
+AM_CPPFLAGS += -I$(srcdir)/.. $(INCLUDE_krb4) $(INCLUDE_hcrypto)
 
 bin_PROGRAMS = telnet
 
@@ -17,7 +17,9 @@ man_MANS = telnet.1
 LDADD = ../libtelnet/libtelnet.a \
 	$(LIB_krb5) \
 	$(LIB_krb4) \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(LIB_tgetent) \
 	$(LIB_kdfs) \
 	$(LIB_roken)
+
+EXTRA_DIST = $(man_MANS)
diff --git a/crypto/heimdal/appl/telnet/telnet/Makefile.in b/crypto/heimdal/appl/telnet/telnet/Makefile.in
index db1f4a7..df9afb1 100644
--- a/crypto/heimdal/appl/telnet/telnet/Makefile.in
+++ b/crypto/heimdal/appl/telnet/telnet/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,23 +14,17 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.16 2001/08/28 11:21:16 joda Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
-SOURCES = $(telnet_SOURCES)
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -42,6 +36,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -50,16 +45,14 @@ bin_PROGRAMS = telnet$(EXEEXT)
 subdir = appl/telnet/telnet
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -72,6 +65,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -80,16 +74,20 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
 am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)"
@@ -101,25 +99,22 @@ am_telnet_OBJECTS = authenc.$(OBJEXT) commands.$(OBJEXT) \
 	utilities.$(OBJEXT)
 telnet_OBJECTS = $(am_telnet_OBJECTS)
 telnet_LDADD = $(LDADD)
-@KRB5_TRUE@am__DEPENDENCIES_1 = $(top_builddir)/lib/krb5/libkrb5.la \
-@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
-am__DEPENDENCIES_2 =
-@DCE_TRUE@am__DEPENDENCIES_3 = $(top_builddir)/lib/kdfs/libkdfs.la
-telnet_DEPENDENCIES = ../libtelnet/libtelnet.a $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_2) $(am__DEPENDENCIES_2) \
-	$(am__DEPENDENCIES_2) $(am__DEPENDENCIES_3) \
-	$(am__DEPENDENCIES_2)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+am__DEPENDENCIES_1 =
+telnet_DEPENDENCIES = ../libtelnet/libtelnet.a $(LIB_krb5) \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1) $(LIB_kdfs) $(am__DEPENDENCIES_1)
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
 SOURCES = $(telnet_SOURCES)
 DIST_SOURCES = $(telnet_SOURCES)
 man1dir = $(mandir)/man1
@@ -128,13 +123,7 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -144,8 +133,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -156,11 +143,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -168,42 +154,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -221,12 +192,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -236,15 +204,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -253,6 +220,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -264,15 +232,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -280,74 +243,80 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/.. $(INCLUDE_krb4) $(INCLUDE_des)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	-I$(srcdir)/.. $(INCLUDE_krb4) $(INCLUDE_hcrypto)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -364,6 +333,7 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 CHECK_LOCAL = 
 telnet_SOURCES = authenc.c commands.c main.c network.c ring.c \
@@ -374,15 +344,16 @@ man_MANS = telnet.1
 LDADD = ../libtelnet/libtelnet.a \
 	$(LIB_krb5) \
 	$(LIB_krb4) \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(LIB_tgetent) \
 	$(LIB_kdfs) \
 	$(LIB_roken)
 
+EXTRA_DIST = $(man_MANS)
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -414,7 +385,7 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-binPROGRAMS: $(bin_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)"
+	test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
 	@list='$(bin_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -442,7 +413,7 @@ clean-binPROGRAMS:
 	done
 telnet$(EXEEXT): $(telnet_OBJECTS) $(telnet_DEPENDENCIES) 
 	@rm -f telnet$(EXEEXT)
-	$(LINK) $(telnet_LDFLAGS) $(telnet_OBJECTS) $(telnet_LDADD) $(LIBS)
+	$(LINK) $(telnet_OBJECTS) $(telnet_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -464,13 +435,9 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 install-man1: $(man1_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man1dir)" || $(mkdir_p) "$(DESTDIR)$(man1dir)"
+	test -z "$(man1dir)" || $(MKDIR_P) "$(DESTDIR)$(man1dir)"
 	@list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -534,9 +501,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -561,23 +530,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../../.. $(distdir)/../../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -597,7 +564,7 @@ check: check-am
 all-am: Makefile $(PROGRAMS) $(MANS) all-local
 installdirs:
 	for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -618,7 +585,7 @@ mostlyclean-generic:
 clean-generic:
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -630,7 +597,7 @@ clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -646,14 +613,22 @@ install-data-am: install-man
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-binPROGRAMS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man: install-man1
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -673,23 +648,30 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-binPROGRAMS uninstall-info-am uninstall-man
+uninstall-am: uninstall-binPROGRAMS uninstall-man
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
 
 uninstall-man: uninstall-man1
 
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
 .PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
 	clean clean-binPROGRAMS clean-generic clean-libtool ctags \
-	distclean distclean-compile distclean-generic \
+	dist-hook distclean distclean-compile distclean-generic \
 	distclean-libtool distclean-tags distdir dvi dvi-am html \
 	html-am info info-am install install-am install-binPROGRAMS \
-	install-data install-data-am install-exec install-exec-am \
-	install-info install-info-am install-man install-man1 \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
-	uninstall-binPROGRAMS uninstall-info-am uninstall-man \
-	uninstall-man1
+	install-data install-data-am install-data-hook install-dvi \
+	install-dvi-am install-exec install-exec-am install-exec-hook \
+	install-html install-html-am install-info install-info-am \
+	install-man install-man1 install-pdf install-pdf-am install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \
+	uninstall-am uninstall-binPROGRAMS uninstall-hook \
+	uninstall-man uninstall-man1
 
 
 install-suid-programs:
@@ -704,8 +686,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -715,19 +697,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -743,7 +737,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -813,14 +807,39 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/appl/telnet/telnet/authenc.c b/crypto/heimdal/appl/telnet/telnet/authenc.c
index f1da735..35a3bf7 100644
--- a/crypto/heimdal/appl/telnet/telnet/authenc.c
+++ b/crypto/heimdal/appl/telnet/telnet/authenc.c
@@ -33,7 +33,7 @@
 
 #include "telnet_locl.h"
 
-RCSID("$Id: authenc.c,v 1.12 2001/12/20 20:39:51 joda Exp $");
+RCSID("$Id: authenc.c 12921 2003-09-25 15:45:51Z lha $");
 
 #if	defined(AUTHENTICATION) || defined(ENCRYPTION)
 int
@@ -62,13 +62,14 @@ net_encrypt(void)
 int
 telnet_spin(void)
 {
-    extern int scheduler_lockout_tty;
+    int ret = 0;
 
     scheduler_lockout_tty = 1;
-    Scheduler(0);
+    if (Scheduler(0) == -1)
+	ret = 1;
     scheduler_lockout_tty = 0;
     
-    return 0;
+    return ret;
 
 }
 
diff --git a/crypto/heimdal/appl/telnet/telnet/commands.c b/crypto/heimdal/appl/telnet/telnet/commands.c
index 6c610a5..98031e8 100644
--- a/crypto/heimdal/appl/telnet/telnet/commands.c
+++ b/crypto/heimdal/appl/telnet/telnet/commands.c
@@ -33,7 +33,7 @@
 
 #include "telnet_locl.h"
 
-RCSID("$Id: commands.c,v 1.72 2002/08/28 21:04:59 joda Exp $");
+RCSID("$Id: commands.c 16224 2005-10-22 17:17:44Z lha $");
 
 #if	defined(IPPROTO_IP) && defined(IP_TOS)
 int tos = -1;
@@ -74,7 +74,7 @@ makeargv()
     }
     while ((c = *cp)) {
 	int inquote = 0;
-	while (isspace(c))
+	while (isspace((unsigned char)c))
 	    c = *++cp;
 	if (c == '\0')
 	    break;
@@ -96,7 +96,7 @@ makeargv()
 		} else if (c == '\'') {
 		    inquote = '\'';
 		    continue;
-		} else if (isspace(c))
+		} else if (isspace((unsigned char)c))
 		    break;
 	    }
 	    *cp2++ = c;
@@ -1318,9 +1318,9 @@ shell(int argc, char **argv)
 	    else
 		shellname++;
 	    if (argc > 1)
-		execl(shellp, shellname, "-c", &saveline[1], 0);
+		execl(shellp, shellname, "-c", &saveline[1], NULL);
 	    else
-		execl(shellp, shellname, 0);
+		execl(shellp, shellname, NULL);
 	    perror("Execl");
 	    _exit(1);
 	}
@@ -1582,6 +1582,7 @@ env_init(void)
 	    || strncmp((char *)ep->value, "unix:", 5) == 0)) {
 		char hbuf[256+1];
 		char *cp2 = strchr((char *)ep->value, ':');
+		int error;
 
 		/* XXX - should be k_gethostname? */
 		gethostname(hbuf, 256);
@@ -1590,7 +1591,6 @@ env_init(void)
 		/* If this is not the full name, try to get it via DNS */
 		if (strchr(hbuf, '.') == 0) {
 			struct addrinfo hints, *ai, *a;
-			int error;
 
 			memset (&hints, 0, sizeof(hints));
 			hints.ai_flags = AI_CANONNAME;
@@ -1608,9 +1608,11 @@ env_init(void)
 			}
 		}
 
-		asprintf (&cp, "%s%s", hbuf, cp2);
-		free (ep->value);
-		ep->value = (unsigned char *)cp;
+		error = asprintf (&cp, "%s%s", hbuf, cp2);
+		if (error != -1) {
+		    free (ep->value);
+		    ep->value = (unsigned char *)cp;
+		}
 	}
 	/*
 	 * If USER is not defined, but LOGNAME is, then add
@@ -2026,11 +2028,11 @@ cmdrc(char *m1, char *m2)
 	if (line[0] == '#')
 	    continue;
 	if (gotmachine) {
-	    if (!isspace(line[0]))
+	    if (!isspace((unsigned char)line[0]))
 		gotmachine = 0;
 	}
 	if (gotmachine == 0) {
-	    if (isspace(line[0]))
+	    if (isspace((unsigned char)line[0]))
 		continue;
 	    if (strncasecmp(line, m1, l1) == 0)
 		strncpy(line, &line[l1], sizeof(line) - l1);
diff --git a/crypto/heimdal/appl/telnet/telnet/externs.h b/crypto/heimdal/appl/telnet/telnet/externs.h
index 09f058c..badfca5 100644
--- a/crypto/heimdal/appl/telnet/telnet/externs.h
+++ b/crypto/heimdal/appl/telnet/telnet/externs.h
@@ -33,7 +33,7 @@
  *	@(#)externs.h	8.3 (Berkeley) 5/30/95
  */
 
-/* $Id: externs.h,v 1.25 2002/08/28 20:58:23 joda Exp $ */
+/* $Id: externs.h 21734 2007-07-31 01:55:45Z lha $ */
 
 #ifndef	BSD
 # define BSD 43
@@ -181,6 +181,10 @@ extern jmp_buf
     peerdied,
     toplevel;		/* For error conditions. */
 
+int Scheduler(int);
+extern int scheduler_lockout_tty;
+
+
 /* authenc.c */
 
 #if	defined(AUTHENTICATION) || defined(ENCRYPTION)
@@ -236,7 +240,6 @@ void command(int top, char *tbuf, int cnt);
 /* main.c */
 
 void tninit(void);
-void usage(void);
 void set_forward_options(void);
 
 /* network.c */
diff --git a/crypto/heimdal/appl/telnet/telnet/main.c b/crypto/heimdal/appl/telnet/telnet/main.c
index 3da3001..bb358a8 100644
--- a/crypto/heimdal/appl/telnet/telnet/main.c
+++ b/crypto/heimdal/appl/telnet/telnet/main.c
@@ -38,7 +38,7 @@ static char *copyright[] = {
 };
 
 #include "telnet_locl.h"
-RCSID("$Id: main.c,v 1.38.6.1 2004/03/22 18:16:35 lha Exp $");
+RCSID("$Id: main.c 21731 2007-07-30 20:01:26Z lha $");
 
 #if KRB5
 #define FORWARD
@@ -59,8 +59,8 @@ tninit(void)
     init_sys();
 }
 
-void
-usage(void)
+static void
+usage(int exit_code)
 {
   fprintf(stderr, "Usage: %s %s%s%s%s\n", prompt,
 #ifdef	AUTHENTICATION
@@ -77,7 +77,7 @@ usage(void)
 	  "[host-name [port]]"
 #endif
     );
-  exit(1);
+  exit(exit_code);
 }
 
 /*
@@ -112,7 +112,6 @@ set_forward_options(void)
 }
 
 #ifdef KRB5
-/* XXX ugly hack to setup dns-proxy stuff */
 #define Authenticator asn1_Authenticator
 #include <krb5.h>
 static void
@@ -120,24 +119,29 @@ krb5_init(void)
 {
     krb5_context context;
     krb5_error_code ret;
+    krb5_boolean ret_val;
 
     ret = krb5_init_context(&context);
     if (ret)
 	return;
 
-#if defined(AUTHENTICATION) && defined(KRB5) && defined(FORWARD)
-    if (krb5_config_get_bool (context, NULL,
-         "libdefaults", "forward", NULL)) {
+#if defined(AUTHENTICATION) && defined(FORWARD)
+    krb5_appdefault_boolean(context, NULL,
+			    NULL, "forward",
+			    0, &ret_val);
+    if (ret_val)
 	    kerberos5_set_forward(1);
-    }
-    if (krb5_config_get_bool (context, NULL,
-         "libdefaults", "forwardable", NULL)) {
+    krb5_appdefault_boolean(context, NULL,
+			    NULL, "forwardable",
+			    0, &ret_val);
+    if (ret_val)
 	    kerberos5_set_forwardable(1);
-    }
 #endif
 #ifdef  ENCRYPTION
-    if (krb5_config_get_bool (context, NULL,
-        "libdefaults", "encrypt", NULL)) {
+    krb5_appdefault_boolean(context, NULL, 
+			    NULL, "encrypt",
+			    0, &ret_val);
+    if (ret_val) {
           encrypt_auto(1);
           decrypt_auto(1); 
 	  wantencryption = 1;
@@ -190,6 +194,9 @@ main(int argc, char **argv)
 	    print_version(NULL);
 	    exit(0);
 	}
+	if (argc == 2 && strcmp(argv[1], "--help") == 0)
+	    usage(0);
+
 
 	while((ch = getopt(argc, argv,
 			   "78DEKLS:X:abcde:fFk:l:n:rxG")) != -1) {
@@ -263,7 +270,7 @@ main(int argc, char **argv)
 			    fprintf(stderr,
 				    "%s: Only one of -f, -F and -G allowed.\n",
 				    prompt);
-			    usage();
+			    usage(1);
 			}
 			forward_option = ch;
 #else
@@ -312,7 +319,7 @@ main(int argc, char **argv)
 
 		case '?':
 		default:
-			usage();
+			usage(1);
 			/* NOTREACHED */
 		}
 	}
@@ -338,7 +345,7 @@ main(int argc, char **argv)
 		char *args[7], **argp = args;
 
 		if (argc > 2)
-			usage();
+			usage(1);
 		*argp++ = prompt;
 		if (user) {
 			*argp++ = "-l";
diff --git a/crypto/heimdal/appl/telnet/telnet/network.c b/crypto/heimdal/appl/telnet/telnet/network.c
index 1bce3a1..4a56588 100644
--- a/crypto/heimdal/appl/telnet/telnet/network.c
+++ b/crypto/heimdal/appl/telnet/telnet/network.c
@@ -33,7 +33,7 @@
 
 #include "telnet_locl.h"
 
-RCSID("$Id: network.c,v 1.11.12.1 2004/06/21 08:22:35 lha Exp $");
+RCSID("$Id: network.c 13941 2004-06-20 17:01:28Z lha $");
 
 Ring		netoring, netiring;
 size_t		netobufsize = 64*1024;
diff --git a/crypto/heimdal/appl/telnet/telnet/ring.c b/crypto/heimdal/appl/telnet/telnet/ring.c
index 597c79a..fd93e94 100644
--- a/crypto/heimdal/appl/telnet/telnet/ring.c
+++ b/crypto/heimdal/appl/telnet/telnet/ring.c
@@ -33,7 +33,7 @@
 
 #include "telnet_locl.h"
 
-RCSID("$Id: ring.c,v 1.11 2000/02/06 05:15:21 assar Exp $");
+RCSID("$Id: ring.c 7853 2000-02-06 05:15:47Z assar $");
 
 /*
  * This defines a structure for a ring buffer.
diff --git a/crypto/heimdal/appl/telnet/telnet/ring.h b/crypto/heimdal/appl/telnet/telnet/ring.h
index 1644a96..d0c2ad7 100644
--- a/crypto/heimdal/appl/telnet/telnet/ring.h
+++ b/crypto/heimdal/appl/telnet/telnet/ring.h
@@ -33,7 +33,7 @@
  *	@(#)ring.h	8.1 (Berkeley) 6/6/93
  */
 
-/* $Id: ring.h,v 1.4 2000/02/06 05:15:47 assar Exp $ */
+/* $Id: ring.h 7853 2000-02-06 05:15:47Z assar $ */
 
 /*
  * This defines a structure for a ring buffer.
diff --git a/crypto/heimdal/appl/telnet/telnet/sys_bsd.c b/crypto/heimdal/appl/telnet/telnet/sys_bsd.c
index 1144e8f..5bc2d12 100644
--- a/crypto/heimdal/appl/telnet/telnet/sys_bsd.c
+++ b/crypto/heimdal/appl/telnet/telnet/sys_bsd.c
@@ -33,7 +33,7 @@
 
 #include "telnet_locl.h"
 
-RCSID("$Id: sys_bsd.c,v 1.30 2002/04/18 16:18:43 joda Exp $");
+RCSID("$Id: sys_bsd.c 10941 2002-04-18 16:18:43Z joda $");
 
 /*
  * The following routines try to encapsulate what is system dependent
diff --git a/crypto/heimdal/appl/telnet/telnet/telnet.1 b/crypto/heimdal/appl/telnet/telnet/telnet.1
index 82852a7..37f588a 100644
--- a/crypto/heimdal/appl/telnet/telnet/telnet.1
+++ b/crypto/heimdal/appl/telnet/telnet/telnet.1
@@ -65,7 +65,7 @@ is invoked without the
 .Ar host
 argument, it enters command mode,
 indicated by its prompt
-.Pq Nm telnet\&> .
+.Pq Nm telnet\*[Gt] .
 In this mode, it accepts and executes the commands listed below.
 If it is invoked with arguments, it performs an
 .Ic open
@@ -1181,11 +1181,11 @@ option on output.
 If this is
 .Dv TRUE ,
 then carriage returns will be sent as
-.Li <CR><LF> .
+.Li \*[Lt]CR\*[Gt]\*[Lt]LF\*[Gt] .
 If this is
 .Dv FALSE ,
 then carriage returns will be send as
-.Li <CR><NUL> .
+.Li \*[Lt]CR\*[Gt]\*[Lt]NUL\*[Gt] .
 The initial value for this toggle is
 .Dv FALSE .
 .It Ic crmod
diff --git a/crypto/heimdal/appl/telnet/telnet/telnet.c b/crypto/heimdal/appl/telnet/telnet/telnet.c
index bbc9999..a90f212 100644
--- a/crypto/heimdal/appl/telnet/telnet/telnet.c
+++ b/crypto/heimdal/appl/telnet/telnet/telnet.c
@@ -32,11 +32,8 @@
  */
 
 #include "telnet_locl.h"
-#ifdef HAVE_TERMCAP_H
-#include <termcap.h>
-#endif
 
-RCSID("$Id: telnet.c,v 1.34 2002/05/03 10:19:43 joda Exp $");
+RCSID("$Id: telnet.c 16285 2005-11-03 18:38:57Z lha $");
 
 #define	strip(x) (eight ? (x) : ((x) & 0x7f))
 
@@ -503,7 +500,7 @@ dontoption(int option)
 
 /*
  * Given a buffer returned by tgetent(), this routine will turn
- * the pipe seperated list of names in the buffer into an array
+ * the pipe separated list of names in the buffer into an array
  * of pointers to null terminated names.  We toss out any bad,
  * duplicate, or verbose names (names with spaces).
  */
@@ -579,11 +576,12 @@ mklist(char *buf, char *name)
 		 * Skip entries with spaces or non-ascii values.
 		 * Convert lower case letters to upper case.
 		 */
+#undef ISASCII
 #define ISASCII(c) (!((c)&0x80))
 		if ((c == ' ') || !ISASCII(c))
 			n = 1;
 		else if (islower((unsigned char)c))
-			*cp = toupper(c);
+			*cp = toupper((unsigned char)c);
 	}
 
 	/*
@@ -1294,6 +1292,7 @@ slc_check()
 
 
 unsigned char slc_reply[128];
+unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
 unsigned char *slc_replyp;
 
 void
@@ -1309,6 +1308,14 @@ slc_start_reply()
 void
 slc_add_reply(unsigned char func, unsigned char flags, cc_t value)
 {
+	/* A sequence of up to 6 bytes my be written for this member of the SLC
+	 * suboption list by this function.  The end of negotiation command,
+	 * which is written by slc_end_reply(), will require 2 additional
+	 * bytes.  Do not proceed unless there is sufficient space for these
+	 * items.
+	 */
+	if (&slc_replyp[6+2] > slc_reply_eom)
+		return;
 	if ((*slc_replyp++ = func) == IAC)
 		*slc_replyp++ = IAC;
 	if ((*slc_replyp++ = flags) == IAC)
@@ -1322,6 +1329,9 @@ slc_end_reply()
 {
     int len;
 
+    /* The end of negotiation command requires 2 bytes. */
+    if (&slc_replyp[2] > slc_reply_eom)
+            return;
     *slc_replyp++ = IAC;
     *slc_replyp++ = SE;
     len = slc_replyp - slc_reply;
@@ -1415,7 +1425,7 @@ env_opt(unsigned char *buf, int len)
 	}
 }
 
-#define	OPT_REPLY_SIZE	256
+#define	OPT_REPLY_SIZE	(2 * SUBBUFSIZE)
 unsigned char *opt_reply;
 unsigned char *opt_replyp;
 unsigned char *opt_replyend;
@@ -1475,9 +1485,9 @@ env_opt_add(unsigned char *ep)
 		return;
 	}
 	vp = env_getvalue(ep);
-	if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
-				strlen((char *)ep) + 6 > opt_replyend)
-	{
+        if (opt_replyp + (vp ? 2 * strlen((char *)vp) : 0) +
+                                2 * strlen((char *)ep) + 6 > opt_replyend)
+        {
 		int len;
 		void *tmp;
 		opt_replyend += OPT_REPLY_SIZE;
@@ -1503,6 +1513,8 @@ env_opt_add(unsigned char *ep)
 		*opt_replyp++ = ENV_USERVAR;
 	for (;;) {
 		while ((c = *ep++)) {
+			if (opt_replyp + (2 + 2) > opt_replyend)
+				return;
 			switch(c&0xff) {
 			case IAC:
 				*opt_replyp++ = IAC;
@@ -1517,6 +1529,8 @@ env_opt_add(unsigned char *ep)
 			*opt_replyp++ = c;
 		}
 		if ((ep = vp)) {
+			if (opt_replyp + (1 + 2 + 2) > opt_replyend)
+				return;
 #ifdef	OLD_ENVIRON
 			if (telopt_environ == TELOPT_OLD_ENVIRON)
 				*opt_replyp++ = old_env_value;
@@ -1547,7 +1561,9 @@ env_opt_end(int emptyok)
 {
 	int len;
 
-	len = opt_replyp - opt_reply + 2;
+	if (opt_replyp + 2 > opt_replyend)
+		return;
+	len = opt_replyp + 2 - opt_reply;
 	if (emptyok || len > 6) {
 		*opt_replyp++ = IAC;
 		*opt_replyp++ = SE;
@@ -1759,12 +1775,12 @@ process_iac:
 		    /*
 		     * This is an error.  We only expect to get
 		     * "IAC IAC" or "IAC SE".  Several things may
-		     * have happend.  An IAC was not doubled, the
+		     * have happened.  An IAC was not doubled, the
 		     * IAC SE was left off, or another option got
 		     * inserted into the suboption are all possibilities.
 		     * If we assume that the IAC was not doubled,
 		     * and really the IAC SE was left off, we could
-		     * get into an infinate loop here.  So, instead,
+		     * get into an infinite loop here.  So, instead,
 		     * we terminate the suboption, and process the
 		     * partial suboption if we can.
 		     */
@@ -2011,6 +2027,8 @@ Scheduler(int block) /* should we block in the select ? */
     return returnValue;
 }
 
+extern int auth_has_failed; /* XXX should be somewhere else */
+
 /*
  * Select from tty and network...
  */
@@ -2064,7 +2082,6 @@ my_telnet(char *user)
      * forever. 
      */
     if (telnetport && wantencryption) {
-	extern int auth_has_failed;
 	time_t timeout = time(0) + 60;
 
 	send_do(TELOPT_ENCRYPT, 1);
@@ -2080,7 +2097,7 @@ my_telnet(char *user)
 		}
 	    }
 	    if (auth_has_failed) {
-		printf("\nAuthentication negotation has failed,\n");
+		printf("\nAuthentication negotiation has failed,\n");
 		printf("which is required for encryption.\n");
 		Exit(1);
 	    }
@@ -2109,7 +2126,11 @@ my_telnet(char *user)
 		    printf("\nUser interrupt.\n");
 		    Exit(1);
 	    }
-	    telnet_spin();
+	    if (telnet_spin()) {
+		    printf("\nServer disconnected.\n");
+		    Exit(1);
+	    }
+		
 	}
 	if (printed_encrypt) {
 		printf("Encryption negotiated.\n");
diff --git a/crypto/heimdal/appl/telnet/telnet/telnet_locl.h b/crypto/heimdal/appl/telnet/telnet/telnet_locl.h
index 1183b67..503191d 100644
--- a/crypto/heimdal/appl/telnet/telnet/telnet_locl.h
+++ b/crypto/heimdal/appl/telnet/telnet/telnet_locl.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: telnet_locl.h,v 1.21 2001/12/20 20:39:52 joda Exp $ */
+/* $Id: telnet_locl.h 18776 2006-10-21 19:14:13Z lha $ */
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
@@ -59,23 +59,27 @@
 #include <unistd.h>
 #endif
 
-/* termios.h *must* be included before curses.h */
-#ifdef HAVE_TERMIOS_H
+/* termios.h *must* be included before curses.h, but not on Solaris 9,
+   at least, where we end up with
+   "/usr/include/term.h", line 1060: incomplete struct/union/enum termio: Ottyb
+*/
+#if defined HAVE_TERMIOS_H && !defined __sun
 #include <termios.h>
 #endif
 
-#if defined(SOCKS) && defined(HAVE_CURSES_H)
+#if defined(HAVE_CURSES_H)
 #include <curses.h>
+#ifdef HAVE_TERM_H
+#include <term.h>
+#endif
+#elif defined(HAVE_TERMCAP_H)
+#include <termcap.h>
 #endif
 
 #if defined(HAVE_SYS_TERMIO_H) && !defined(HAVE_TERMIOS_H)
 #include <sys/termio.h>
 #endif
 
-#if defined(HAVE_TERMCAP_H)
-#include <termcap.h>
-#endif
-
 #ifdef HAVE_FCNTL_H
 #include <fcntl.h>
 #endif
@@ -153,10 +157,6 @@ struct ether_addr;
 #include <socks.h>
 #endif
 
-#include <err.h>
-#include <roken.h>
-/* krb.h? */
-
 #if	defined(AUTHENTICATION) || defined(ENCRYPTION)
 #include <libtelnet/auth.h>
 #include <libtelnet/encrypt.h>
@@ -169,6 +169,9 @@ struct ether_addr;
 #define KLUDGELINEMODE
 #endif
 
+#include <err.h>
+#include <roken.h>
+
 #include "ring.h"
 #include "externs.h"
 #include "defines.h"
diff --git a/crypto/heimdal/appl/telnet/telnet/terminal.c b/crypto/heimdal/appl/telnet/telnet/terminal.c
index 44e1611..2fbd3dc 100644
--- a/crypto/heimdal/appl/telnet/telnet/terminal.c
+++ b/crypto/heimdal/appl/telnet/telnet/terminal.c
@@ -33,7 +33,7 @@
 
 #include "telnet_locl.h"
 
-RCSID("$Id: terminal.c,v 1.11 2001/03/06 20:10:14 assar Exp $");
+RCSID("$Id: terminal.c 9733 2001-03-06 20:10:14Z assar $");
 
 Ring		ttyoring, ttyiring;
 unsigned char	ttyobuf[2*BUFSIZ], ttyibuf[BUFSIZ];
diff --git a/crypto/heimdal/appl/telnet/telnet/utilities.c b/crypto/heimdal/appl/telnet/telnet/utilities.c
index c326d5a..d62d572 100644
--- a/crypto/heimdal/appl/telnet/telnet/utilities.c
+++ b/crypto/heimdal/appl/telnet/telnet/utilities.c
@@ -37,7 +37,7 @@
 
 #include "telnet_locl.h"
 
-RCSID("$Id: utilities.c,v 1.25 2001/08/29 00:45:21 assar Exp $");
+RCSID("$Id: utilities.c 10587 2001-08-29 00:45:23Z assar $");
 
 FILE	*NetTrace = 0;		/* Not in bss, since needs to stay */
 int	prettydump;
diff --git a/crypto/heimdal/appl/telnet/telnetd/Makefile.am b/crypto/heimdal/appl/telnet/telnetd/Makefile.am
index 19e10bc..df2b864 100644
--- a/crypto/heimdal/appl/telnet/telnetd/Makefile.am
+++ b/crypto/heimdal/appl/telnet/telnetd/Makefile.am
@@ -1,8 +1,8 @@
-# $Id: Makefile.am,v 1.18 2001/08/28 11:21:17 joda Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += -I$(srcdir)/.. $(INCLUDE_krb4) $(INCLUDE_des)
+AM_CPPFLAGS += -I$(srcdir)/.. $(INCLUDE_krb4) $(INCLUDE_hcrypto)
 
 libexec_PROGRAMS = telnetd
 
@@ -17,10 +17,12 @@ LDADD = \
 	../libtelnet/libtelnet.a \
 	$(LIB_krb5) \
 	$(LIB_krb4) \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(LIB_tgetent) \
 	$(LIB_logwtmp) \
 	$(LIB_logout) \
 	$(LIB_openpty) \
 	$(LIB_kdfs) \
 	$(LIB_roken)
+
+EXTRA_DIST = $(man_MANS)
diff --git a/crypto/heimdal/appl/telnet/telnetd/Makefile.in b/crypto/heimdal/appl/telnet/telnetd/Makefile.in
index 1a14fc4..ba4cd35 100644
--- a/crypto/heimdal/appl/telnet/telnetd/Makefile.in
+++ b/crypto/heimdal/appl/telnet/telnetd/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,23 +14,17 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.18 2001/08/28 11:21:17 joda Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
-SOURCES = $(telnetd_SOURCES)
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -42,6 +36,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -50,16 +45,14 @@ libexec_PROGRAMS = telnetd$(EXEEXT)
 subdir = appl/telnet/telnetd
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -72,6 +65,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -80,16 +74,20 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
 am__installdirs = "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man8dir)"
@@ -100,26 +98,24 @@ am_telnetd_OBJECTS = telnetd.$(OBJEXT) state.$(OBJEXT) \
 	utility.$(OBJEXT) global.$(OBJEXT) authenc.$(OBJEXT)
 telnetd_OBJECTS = $(am_telnetd_OBJECTS)
 telnetd_LDADD = $(LDADD)
-@KRB5_TRUE@am__DEPENDENCIES_1 = $(top_builddir)/lib/krb5/libkrb5.la \
-@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
-am__DEPENDENCIES_2 =
-@DCE_TRUE@am__DEPENDENCIES_3 = $(top_builddir)/lib/kdfs/libkdfs.la
-telnetd_DEPENDENCIES = ../libtelnet/libtelnet.a $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_2) $(am__DEPENDENCIES_2) \
-	$(am__DEPENDENCIES_2) $(am__DEPENDENCIES_2) \
-	$(am__DEPENDENCIES_2) $(am__DEPENDENCIES_2) \
-	$(am__DEPENDENCIES_3) $(am__DEPENDENCIES_2)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+am__DEPENDENCIES_1 =
+telnetd_DEPENDENCIES = ../libtelnet/libtelnet.a $(LIB_krb5) \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) $(LIB_kdfs) \
+	$(am__DEPENDENCIES_1)
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
 SOURCES = $(telnetd_SOURCES)
 DIST_SOURCES = $(telnetd_SOURCES)
 man8dir = $(mandir)/man8
@@ -128,13 +124,7 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -144,8 +134,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -156,11 +144,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -168,42 +155,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -221,12 +193,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -236,15 +205,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -253,6 +221,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -264,15 +233,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -280,74 +244,80 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/.. $(INCLUDE_krb4) $(INCLUDE_des)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	-I$(srcdir)/.. $(INCLUDE_krb4) $(INCLUDE_hcrypto)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -364,6 +334,7 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 CHECK_LOCAL = 
 telnetd_SOURCES = telnetd.c state.c termstat.c slc.c sys_term.c \
@@ -374,7 +345,7 @@ LDADD = \
 	../libtelnet/libtelnet.a \
 	$(LIB_krb5) \
 	$(LIB_krb4) \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(LIB_tgetent) \
 	$(LIB_logwtmp) \
 	$(LIB_logout) \
@@ -382,10 +353,11 @@ LDADD = \
 	$(LIB_kdfs) \
 	$(LIB_roken)
 
+EXTRA_DIST = $(man_MANS)
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -417,7 +389,7 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-libexecPROGRAMS: $(libexec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(libexecdir)" || $(mkdir_p) "$(DESTDIR)$(libexecdir)"
+	test -z "$(libexecdir)" || $(MKDIR_P) "$(DESTDIR)$(libexecdir)"
 	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -445,7 +417,7 @@ clean-libexecPROGRAMS:
 	done
 telnetd$(EXEEXT): $(telnetd_OBJECTS) $(telnetd_DEPENDENCIES) 
 	@rm -f telnetd$(EXEEXT)
-	$(LINK) $(telnetd_LDFLAGS) $(telnetd_OBJECTS) $(telnetd_LDADD) $(LIBS)
+	$(LINK) $(telnetd_OBJECTS) $(telnetd_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -467,13 +439,9 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 install-man8: $(man8_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)"
+	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
 	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -537,9 +505,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -564,23 +534,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../../.. $(distdir)/../../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -600,7 +568,7 @@ check: check-am
 all-am: Makefile $(PROGRAMS) $(MANS) all-local
 installdirs:
 	for dir in "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man8dir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -621,7 +589,7 @@ mostlyclean-generic:
 clean-generic:
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -634,7 +602,7 @@ clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -650,14 +618,22 @@ install-data-am: install-man
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-libexecPROGRAMS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man: install-man8
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -677,24 +653,30 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-info-am uninstall-libexecPROGRAMS \
-	uninstall-man
+uninstall-am: uninstall-libexecPROGRAMS uninstall-man
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
 
 uninstall-man: uninstall-man8
 
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
 .PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
 	clean clean-generic clean-libexecPROGRAMS clean-libtool ctags \
-	distclean distclean-compile distclean-generic \
+	dist-hook distclean distclean-compile distclean-generic \
 	distclean-libtool distclean-tags distdir dvi dvi-am html \
 	html-am info info-am install install-am install-data \
-	install-data-am install-exec install-exec-am install-info \
-	install-info-am install-libexecPROGRAMS install-man \
-	install-man8 install-strip installcheck installcheck-am \
-	installdirs maintainer-clean maintainer-clean-generic \
-	mostlyclean mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \
-	uninstall-am uninstall-info-am uninstall-libexecPROGRAMS \
-	uninstall-man uninstall-man8
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am \
+	install-libexecPROGRAMS install-man install-man8 install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-hook \
+	uninstall-libexecPROGRAMS uninstall-man uninstall-man8
 
 
 install-suid-programs:
@@ -709,8 +691,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -720,19 +702,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -748,7 +742,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -818,14 +812,39 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/appl/telnet/telnetd/authenc.c b/crypto/heimdal/appl/telnet/telnetd/authenc.c
index 14594ea2..1fac6c0 100644
--- a/crypto/heimdal/appl/telnet/telnetd/authenc.c
+++ b/crypto/heimdal/appl/telnet/telnetd/authenc.c
@@ -33,7 +33,7 @@
 
 #include "telnetd.h"
 
-RCSID("$Id: authenc.c,v 1.10 2000/11/15 23:20:43 assar Exp $");
+RCSID("$Id: authenc.c 9200 2000-11-15 23:20:43Z assar $");
 
 #ifdef AUTHENTICATION
 
diff --git a/crypto/heimdal/appl/telnet/telnetd/ext.h b/crypto/heimdal/appl/telnet/telnetd/ext.h
index 8f99934..68b97bf 100644
--- a/crypto/heimdal/appl/telnet/telnetd/ext.h
+++ b/crypto/heimdal/appl/telnet/telnetd/ext.h
@@ -33,7 +33,7 @@
  *	@(#)ext.h	8.2 (Berkeley) 12/15/93
  */
 
-/* $Id: ext.h,v 1.23 2001/08/29 00:45:22 assar Exp $ */
+/* $Id: ext.h 15841 2005-08-08 13:34:26Z lha $ */
 
 #ifndef __EXT_H__
 #define __EXT_H__
@@ -57,7 +57,7 @@ extern const char *new_login;
 
 extern slcfun	slctab[NSLC + 1];	/* slc mapping table */
 
-extern char	*terminaltype;
+extern char	terminaltype[41];
 
 /*
  * I/O data buffers, pointers, and counters.
@@ -115,7 +115,7 @@ int tty_iscrnl (void);
 void tty_tspeed (int val);
 void tty_rspeed (int val);
 void getptyslave (void);
-int cleanopen (char *line);
+int cleanopen (char *);
 void startslave (const char *host, const char *, int autologin, char *autoname);
 void init_env (void);
 void start_login (const char *host, int autologin, char *name);
@@ -138,7 +138,7 @@ void ptyflush (void);
 char *nextitem (char *current);
 void netclear (void);
 void netflush (void);
-void writenet (unsigned char *ptr, int len);
+void writenet (const void *, size_t);
 void fatal (int f, char *msg);
 void fatalperror (int f, const char *msg);
 void fatalperror_errno (int f, const char *msg, int error);
diff --git a/crypto/heimdal/appl/telnet/telnetd/global.c b/crypto/heimdal/appl/telnet/telnetd/global.c
index 54d1a77..8b3c405 100644
--- a/crypto/heimdal/appl/telnet/telnetd/global.c
+++ b/crypto/heimdal/appl/telnet/telnetd/global.c
@@ -36,7 +36,7 @@
 
 #include "telnetd.h"
 
-RCSID("$Id: global.c,v 1.13 2001/07/19 16:00:42 assar Exp $");
+RCSID("$Id: global.c 14939 2005-04-24 20:59:35Z lha $");
 
 /*
  * Telnet server variable declarations
@@ -54,7 +54,7 @@ int	require_otp;
 
 slcfun	slctab[NSLC + 1];	/* slc mapping table */
 
-char	*terminaltype;
+char	terminaltype[41];
 
 /*
  * I/O data buffers, pointers, and counters.
diff --git a/crypto/heimdal/appl/telnet/telnetd/slc.c b/crypto/heimdal/appl/telnet/telnetd/slc.c
index 799d2d8..b9ab121 100644
--- a/crypto/heimdal/appl/telnet/telnetd/slc.c
+++ b/crypto/heimdal/appl/telnet/telnetd/slc.c
@@ -33,7 +33,7 @@
 
 #include "telnetd.h"
 
-RCSID("$Id: slc.c,v 1.10 1997/05/11 06:30:00 assar Exp $");
+RCSID("$Id: slc.c 1695 1997-05-11 06:30:05Z assar $");
 
 /*
  * get_slc_defaults
diff --git a/crypto/heimdal/appl/telnet/telnetd/state.c b/crypto/heimdal/appl/telnet/telnetd/state.c
index 3bc7f63..32c3d0e 100644
--- a/crypto/heimdal/appl/telnet/telnetd/state.c
+++ b/crypto/heimdal/appl/telnet/telnetd/state.c
@@ -33,7 +33,7 @@
 
 #include "telnetd.h"
 
-RCSID("$Id: state.c,v 1.14.12.1 2004/06/21 08:21:58 lha Exp $");
+RCSID("$Id: state.c 18110 2006-09-19 08:25:20Z lha $");
 
 unsigned char	doopt[] = { IAC, DO, '%', 'c', 0 };
 unsigned char	dont[] = { IAC, DONT, '%', 'c', 0 };
@@ -427,14 +427,14 @@ send_do(int option, int init)
 extern void auth_request(void);
 #endif
 #ifdef	ENCRYPTION
-extern void encrypt_send_support();
+extern void encrypt_send_support(void);
 #endif
 
 void
 willoption(int option)
 {
     int changeok = 0;
-    void (*func)() = 0;
+    void (*func)(void) = NULL;
 
     /*
      * process input from peer.
@@ -939,7 +939,7 @@ suboption(void)
     }  /* end of case TELOPT_TSPEED */
 
     case TELOPT_TTYPE: {		/* Yaaaay! */
-	static char terminalname[41];
+	char *p;
 
 	if (his_state_is_wont(TELOPT_TTYPE))	/* Ignore if option disabled */
 	    break;
@@ -949,9 +949,9 @@ suboption(void)
 	    return;		/* ??? XXX but, this is the most robust */
 	}
 
-	terminaltype = terminalname;
+	p = terminaltype;
 
-	while ((terminaltype < (terminalname + sizeof terminalname-1)) &&
+	while ((p < (terminaltype + sizeof terminaltype-1)) &&
 	       !SB_EOF()) {
 	    int c;
 
@@ -959,10 +959,9 @@ suboption(void)
 	    if (isupper(c)) {
 		c = tolower(c);
 	    }
-	    *terminaltype++ = c;    /* accumulate name */
+	    *p++ = c;    /* accumulate name */
 	}
-	*terminaltype = 0;
-	terminaltype = terminalname;
+	*p = 0;
 	break;
     }  /* end of case TELOPT_TTYPE */
 
@@ -1246,6 +1245,8 @@ suboption(void)
 	    encrypt_start(subpointer, SB_LEN());
 	    break;
 	case ENCRYPT_END:
+	    if (require_encryption)
+		fatal(net, "Output encryption is not possible to turn off");
 	    encrypt_end();
 	    break;
 	case ENCRYPT_REQSTART:
@@ -1258,6 +1259,8 @@ suboption(void)
 	     * if we have been able to get in the correct mode
 	     * anyhow.
 	     */
+	    if (require_encryption)
+		fatal(net, "Input encryption is not possible to turn off");
 	    encrypt_request_end();
 	    break;
 	case ENCRYPT_ENC_KEYID:
diff --git a/crypto/heimdal/appl/telnet/telnetd/sys_term.c b/crypto/heimdal/appl/telnet/telnetd/sys_term.c
index 23b2468..852611f 100644
--- a/crypto/heimdal/appl/telnet/telnetd/sys_term.c
+++ b/crypto/heimdal/appl/telnet/telnetd/sys_term.c
@@ -33,7 +33,7 @@
 
 #include "telnetd.h"
 
-RCSID("$Id: sys_term.c,v 1.104 2001/09/17 02:09:04 assar Exp $");
+RCSID("$Id: sys_term.c 22390 2007-12-31 10:12:48Z lha $");
 
 #if defined(_CRAY) || (defined(__hpux) && !defined(HAVE_UTMPX_H))
 # define PARENT_DOES_UTMP
@@ -90,29 +90,6 @@ char	wtmpf[]	= "/etc/wtmp";
 #include <tmpdir.h>
 #endif	/* CRAY */
 
-#ifdef	STREAMSPTY
-
-#ifdef HAVE_SAC_H
-#include <sac.h>
-#endif
-
-#ifdef HAVE_SYS_STROPTS_H
-#include <sys/stropts.h>
-#endif
-
-#endif /* STREAMSPTY */
-
-#undef NOERROR
-
-#ifdef	HAVE_SYS_STREAM_H
-#ifdef  HAVE_SYS_UIO_H
-#include <sys/uio.h>
-#endif
-#ifdef __hpux
-#undef SE
-#endif
-#include <sys/stream.h>
-#endif
 #if !(defined(__sgi) || defined(__linux) || defined(_AIX)) && defined(HAVE_SYS_TTY)
 #include <sys/tty.h>
 #endif
@@ -215,13 +192,14 @@ set_termbuf(void)
     /*
      * Only make the necessary changes.
 	 */
-    if (memcmp(&termbuf, &termbuf2, sizeof(termbuf)))
+    if (memcmp(&termbuf, &termbuf2, sizeof(termbuf))) {
 # ifdef  STREAMSPTY
 	if (really_stream)
 	    tcsetattr(ttyfd, TCSANOW, &termbuf);
 	else
 # endif
 	    tcsetattr(ourpty, TCSANOW, &termbuf);
+    }
 }
 
 
@@ -358,6 +336,8 @@ getnpty()
  * Returns the file descriptor of the opened pty.
  */
 
+static int ptyslavefd = -1;
+
 static char Xline[] = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
 char *line = Xline;
 
@@ -378,150 +358,151 @@ static char *ptsname(int fd)
 
 int getpty(int *ptynum)
 {
-#ifdef __osf__ /* XXX */
-    int master;
-    int slave;
-    if(openpty(&master, &slave, line, 0, 0) == 0){
-	close(slave);
-	return master;
+#if defined(HAVE_OPENPTY) || defined(__linux) || defined(__osf__) /* XXX */
+    {
+	int master;
+	int slave;
+	if(openpty(&master, &slave, line, 0, 0) == 0){
+	    ptyslavefd = slave;
+	    return master;
+	}
     }
-    return -1;
-#else
+#endif /* HAVE_OPENPTY .... */
 #ifdef HAVE__GETPTY
-    int master, slave;
-    char *p;
-    p = _getpty(&master, O_RDWR, 0600, 1);
-    if(p == NULL)
-	return -1;
-    strlcpy(line, p, sizeof(Xline));
-    return master;
-#else
-
-    int p;
-    char *cp, *p1, *p2;
-    int i;
-#if SunOS == 40
-    int dummy;
-#endif
-#if __linux
-    int master;
-    int slave;
-    if(openpty(&master, &slave, line, 0, 0) == 0){
-	close(slave);
+    {
+	int master;
+	char *p;
+	p = _getpty(&master, O_RDWR, 0600, 1);
+	if(p == NULL)
+	    return -1;
+	strlcpy(line, p, sizeof(Xline));
 	return master;
     }
-#else
+#endif
+    
 #ifdef	STREAMSPTY
-    char *clone[] = { "/dev/ptc", "/dev/ptmx", "/dev/ptm", 
-		      "/dev/ptym/clone", 0 };
-
-    char **q;
-    for(q=clone; *q; q++){
-	p=open(*q, O_RDWR);
-	if(p >= 0){
+    {
+	char *clone[] = { "/dev/ptc", "/dev/ptmx", "/dev/ptm", 
+			  "/dev/ptym/clone", 0 };
+	
+	char **q;
+	int p;
+	for(q=clone; *q; q++){
+	    p=open(*q, O_RDWR);
+	    if(p >= 0){
 #ifdef HAVE_GRANTPT
-	    grantpt(p);
+		grantpt(p);
 #endif
 #ifdef HAVE_UNLOCKPT
-	    unlockpt(p);
+		unlockpt(p);
 #endif
-	    strlcpy(line, ptsname(p), sizeof(Xline));
-	    really_stream = 1;
-	    return p;
+		strlcpy(line, ptsname(p), sizeof(Xline));
+		really_stream = 1;
+		return p;
+	    }
 	}
     }
 #endif /* STREAMSPTY */
 #ifndef _CRAY
-
+    {
+	int p;
+	char *cp, *p1, *p2;
+	int i;
+	
 #ifndef	__hpux
-    snprintf(line, sizeof(Xline), "/dev/ptyXX");
-    p1 = &line[8];
-    p2 = &line[9];
+	snprintf(line, sizeof(Xline), "/dev/ptyXX");
+	p1 = &line[8];
+	p2 = &line[9];
 #else
-    snprintf(line, sizeof(Xline), "/dev/ptym/ptyXX");
-    p1 = &line[13];
-    p2 = &line[14];
+	snprintf(line, sizeof(Xline), "/dev/ptym/ptyXX");
+	p1 = &line[13];
+	p2 = &line[14];
 #endif
-
 	
-    for (cp = "pqrstuvwxyzPQRST"; *cp; cp++) {
-	struct stat stb;
-
-	*p1 = *cp;
-	*p2 = '0';
-	/*
-	 * This stat() check is just to keep us from
-	 * looping through all 256 combinations if there
-	 * aren't that many ptys available.
-	 */
-	if (stat(line, &stb) < 0)
-	    break;
-	for (i = 0; i < 16; i++) {
-	    *p2 = "0123456789abcdef"[i];
-	    p = open(line, O_RDWR);
-	    if (p > 0) {
+	
+	for (cp = "pqrstuvwxyzPQRST"; *cp; cp++) {
+	    struct stat stb;
+	    
+	    *p1 = *cp;
+	    *p2 = '0';
+	    /*
+	     * This stat() check is just to keep us from
+	     * looping through all 256 combinations if there
+	     * aren't that many ptys available.
+	     */
+	    if (stat(line, &stb) < 0)
+		break;
+	    for (i = 0; i < 16; i++) {
+		*p2 = "0123456789abcdef"[i];
+		p = open(line, O_RDWR);
+		if (p > 0) {
+#if SunOS == 40
+		    int dummy;
+#endif
+		    
 #ifndef	__hpux
-		line[5] = 't';
+		    line[5] = 't';
 #else
-		for (p1 = &line[8]; *p1; p1++)
-		    *p1 = *(p1+1);
-		line[9] = 't';
+		    for (p1 = &line[8]; *p1; p1++)
+			*p1 = *(p1+1);
+		    line[9] = 't';
 #endif
-		chown(line, 0, 0);
-		chmod(line, 0600);
+		    chown(line, 0, 0);
+		    chmod(line, 0600);
 #if SunOS == 40
-		if (ioctl(p, TIOCGPGRP, &dummy) == 0
-		    || errno != EIO) {
-		    chmod(line, 0666);
-		    close(p);
-		    line[5] = 'p';
-		} else
+		    if (ioctl(p, TIOCGPGRP, &dummy) == 0
+			|| errno != EIO) {
+			chmod(line, 0666);
+			close(p);
+			line[5] = 'p';
+		    } else
 #endif /* SunOS == 40 */
-		    return(p);
+			return(p);
+		}
 	    }
 	}
     }
 #else	/* CRAY */
-    extern lowpty, highpty;
-    struct stat sb;
-
-    for (*ptynum = lowpty; *ptynum <= highpty; (*ptynum)++) {
-	snprintf(myline, sizeof(myline), "/dev/pty/%03d", *ptynum);
-	p = open(myline, 2);
-	if (p < 0)
-	    continue;
-	snprintf(line, sizeof(Xline), "/dev/ttyp%03d", *ptynum);
-	/*
-	 * Here are some shenanigans to make sure that there
-	 * are no listeners lurking on the line.
-	 */
-	if(stat(line, &sb) < 0) {
-	    close(p);
-	    continue;
-	}
-	if(sb.st_uid || sb.st_gid || sb.st_mode != 0600) {
-	    chown(line, 0, 0);
-	    chmod(line, 0600);
-	    close(p);
+    {
+	extern lowpty, highpty;
+	struct stat sb;
+	int p;
+	
+	for (*ptynum = lowpty; *ptynum <= highpty; (*ptynum)++) {
+	    snprintf(myline, sizeof(myline), "/dev/pty/%03d", *ptynum);
 	    p = open(myline, 2);
 	    if (p < 0)
 		continue;
-	}
-	/*
-	 * Now it should be safe...check for accessability.
-	 */
-	if (access(line, 6) == 0)
-	    return(p);
-	else {
-	    /* no tty side to pty so skip it */
-	    close(p);
+	    snprintf(line, sizeof(Xline), "/dev/ttyp%03d", *ptynum);
+	    /*
+	     * Here are some shenanigans to make sure that there
+	     * are no listeners lurking on the line.
+	     */
+	    if(stat(line, &sb) < 0) {
+		close(p);
+		continue;
+	    }
+	    if(sb.st_uid || sb.st_gid || sb.st_mode != 0600) {
+		chown(line, 0, 0);
+		chmod(line, 0600);
+		close(p);
+		p = open(myline, 2);
+		if (p < 0)
+		    continue;
+	    }
+	    /*
+	     * Now it should be safe...check for accessability.
+	     */
+	    if (access(line, 6) == 0)
+		return(p);
+	    else {
+		/* no tty side to pty so skip it */
+		close(p);
+	    }
 	}
     }
 #endif	/* CRAY */
-#endif	/* STREAMSPTY */
-#endif /* OPENPTY */
     return(-1);
-#endif
 }
 
 
@@ -966,6 +947,9 @@ int cleanopen(char *line)
 {
     int t;
 
+    if (ptyslavefd != -1)
+	return ptyslavefd;
+
 #ifdef STREAMSPTY
     if (!really_stream)
 #endif
@@ -1072,6 +1056,8 @@ int login_tty(int t)
  * Clean the tty name.  Return a pointer to the cleaned version.
  */
 
+static char * clean_ttyname (char *) __attribute__((unused));
+
 static char *
 clean_ttyname (char *tty)
 {
@@ -1135,7 +1121,7 @@ startslave(const char *host, const char *utmp_host,
 #ifdef ENCRYPTION
 	if (!no_warn && (encrypt_output == 0 || decrypt_input == 0))
 #endif
-	    writenet((unsigned char*)tbuf, strlen(tbuf));
+	    writenet(tbuf, strlen(tbuf));
     }
 # ifdef	PARENT_DOES_UTMP
     utmp_sig_init();
@@ -1262,7 +1248,7 @@ scrub_env(void)
 struct arg_val {
     int size;
     int argc;
-    const char **argv;
+    char **argv;
 };
 
 static void addarg(struct arg_val*, const char*);
@@ -1281,29 +1267,40 @@ start_login(const char *host, int autologin, char *name)
     char *user;
     int save_errno;
 
+#ifdef ENCRYPTION
+    encrypt_output = NULL;
+    decrypt_input = NULL;
+#endif
+    
 #ifdef HAVE_UTMPX_H
-    int pid = getpid();
-    struct utmpx utmpx;
-    char *clean_tty;
-
-    /*
-     * Create utmp entry for child
-     */
-
-    clean_tty = clean_ttyname(line);
-    memset(&utmpx, 0, sizeof(utmpx));
-    strncpy(utmpx.ut_user,  ".telnet", sizeof(utmpx.ut_user));
-    strncpy(utmpx.ut_line,  clean_tty, sizeof(utmpx.ut_line));
+    {
+	int pid = getpid();
+	struct utmpx utmpx;
+	struct timeval tv;
+	char *clean_tty;
+	
+	/*
+	 * Create utmp entry for child
+	 */
+	
+	clean_tty = clean_ttyname(line);
+	memset(&utmpx, 0, sizeof(utmpx));
+	strncpy(utmpx.ut_user,  ".telnet", sizeof(utmpx.ut_user));
+	strncpy(utmpx.ut_line,  clean_tty, sizeof(utmpx.ut_line));
 #ifdef HAVE_STRUCT_UTMP_UT_ID
-    strncpy(utmpx.ut_id, make_id(clean_tty), sizeof(utmpx.ut_id));
+	strncpy(utmpx.ut_id, make_id(clean_tty), sizeof(utmpx.ut_id));
 #endif
-    utmpx.ut_pid = pid;
+	utmpx.ut_pid = pid;
 	
-    utmpx.ut_type = LOGIN_PROCESS;
+	utmpx.ut_type = LOGIN_PROCESS;
+	
+	gettimeofday (&tv, NULL);
+	utmpx.ut_tv.tv_sec = tv.tv_sec;
+	utmpx.ut_tv.tv_usec = tv.tv_usec;
 
-    gettimeofday (&utmpx.ut_tv, NULL);
-    if (pututxline(&utmpx) == NULL)
-	fatal(net, "pututxline failed");
+	if (pututxline(&utmpx) == NULL)
+	    fatal(net, "pututxline failed");
+    }
 #endif
 
     scrub_env();
@@ -1376,7 +1373,7 @@ start_login(const char *host, int autologin, char *name)
 
     execv(new_login, argv.argv);
     save_errno = errno;
-    syslog(LOG_ERR, "%s: %m\n", new_login);
+    syslog(LOG_ERR, "%s: %m", new_login);
     fatalperror_errno(net, new_login, save_errno);
     /*NOTREACHED*/
 }
@@ -1390,7 +1387,8 @@ addarg(struct arg_val *argv, const char *val)
 	    fatal (net, "realloc: out of memory");
 	argv->size+=10;
     }
-    argv->argv[argv->argc++] = val;
+    if((argv->argv[argv->argc++] = strdup(val)) == NULL)
+	fatal (net, "strdup: out of memory");
     argv->argv[argv->argc]   = NULL;
 }
 
@@ -1420,6 +1418,7 @@ rmut(void)
     non_save_utxp = getutxline(&utmpx);
     if (non_save_utxp) {
 	struct utmpx *utxp;
+	struct timeval tv;
 	char user0;
 
 	utxp = malloc(sizeof(struct utmpx));
@@ -1439,7 +1438,10 @@ rmut(void)
 	utxp->ut_exit.e_exit = 0;
 #endif
 #endif
-	gettimeofday(&utxp->ut_tv, NULL);
+	gettimeofday (&tv, NULL);
+	utxp->ut_tv.tv_sec = tv.tv_sec;
+	utxp->ut_tv.tv_usec = tv.tv_usec;
+
 	pututxline(utxp);
 #ifdef WTMPX_FILE
 	utxp->ut_user[0] = user0;
@@ -1838,10 +1840,8 @@ jobend(jid, path, user)
     }
 
     if (path) {
-	strncpy(saved_path, path, sizeof(wtmp.ut_tpath));
-	strncpy(saved_user, user, sizeof(wtmp.ut_user));
-	saved_path[sizeof(saved_path)] = '\0';
-	saved_user[sizeof(saved_user)] = '\0';
+	strlcpy(saved_path, path, sizeof(saved_path));
+	strlcpy(saved_user, user, sizeof(saved_user));
     }
     if (saved_jid == 0) {
 	saved_jid = jid;
@@ -1883,7 +1883,7 @@ cleantmpdir(jid, tpath, user)
 	       tpath);
 	break;
     case 0:
-	execl(CLEANTMPCMD, CLEANTMPCMD, user, tpath, 0);
+	execl(CLEANTMPCMD, CLEANTMPCMD, user, tpath, NULL);
 	syslog(LOG_ERR, "TMPDIR cleanup(%s): execl(%s) failed: %m\n",
 	       tpath, CLEANTMPCMD);
 	exit(1);
diff --git a/crypto/heimdal/appl/telnet/telnetd/telnetd.8 b/crypto/heimdal/appl/telnet/telnetd/telnetd.8
index fd7d0bd..a7dd670 100644
--- a/crypto/heimdal/appl/telnet/telnetd/telnetd.8
+++ b/crypto/heimdal/appl/telnet/telnetd/telnetd.8
@@ -31,7 +31,7 @@
 .\"
 .\"	@(#)telnetd.8	8.4 (Berkeley) 6/1/94
 .\"
-.Dd June 1, 1994
+.Dd September 19, 2006
 .Dt TELNETD 8
 .Os BSD 4.2
 .Sh NAME
@@ -41,7 +41,7 @@
 protocol server
 .Sh SYNOPSIS
 .Nm telnetd
-.Op Fl BUhkln
+.Op Fl BeUhkln
 .Op Fl D Ar debugmode
 .Op Fl S Ar tos
 .Op Fl X Ar authtype
@@ -173,6 +173,10 @@ Displays data written to the pty.
 .It Cm exercise
 Has not been implemented yet.
 .El
+.It Fl e
+require encryption to be turned on (in both direction) by the client
+and disconnects if the client tries to turn the encryption off (in
+either direction).
 .It Fl h
 Disables the printing of host-specific information before
 login has been completed.
diff --git a/crypto/heimdal/appl/telnet/telnetd/telnetd.c b/crypto/heimdal/appl/telnet/telnetd/telnetd.c
index e57eed7..033a0bf 100644
--- a/crypto/heimdal/appl/telnet/telnetd/telnetd.c
+++ b/crypto/heimdal/appl/telnet/telnetd/telnetd.c
@@ -33,7 +33,7 @@
 
 #include "telnetd.h"
 
-RCSID("$Id: telnetd.c,v 1.69.6.1 2004/03/22 18:17:25 lha Exp $");
+RCSID("$Id: telnetd.c 21748 2007-07-31 18:57:20Z lha $");
 
 #ifdef _SC_CRAY_SECURE_SYS
 #include <sys/sysv.h>
@@ -51,21 +51,20 @@ struct	socksec ss;
 int	auth_level = 0;
 #endif
 
+#ifdef KRB5
+#define Authenticator k5_Authenticator
+#include <krb5.h>
+#undef Authenticator
+#endif
+
 extern	int utmp_len;
 int	registerd_host_only = 0;
-
-#undef NOERROR
-
-#ifdef	STREAMSPTY
-# include <stropts.h>
-# include <termios.h>
-#ifdef HAVE_SYS_UIO_H
-#include <sys/uio.h>
-#endif /* HAVE_SYS_UIO_H */
-#ifdef HAVE_SYS_STREAM_H
-#include <sys/stream.h>
+#ifdef ENCRYPTION
+int	require_encryption = 0;
 #endif
 
+#ifdef STREAMSPTY
+
 #ifdef _AIX
 #include <sys/termio.h>
 #endif
@@ -120,7 +119,7 @@ int debug = 0;
 int keepalive = 1;
 char *progname;
 
-static void usage (void);
+static void usage (int error_code);
 
 /*
  * The string to pass to getopt().  We do it this way so
@@ -131,6 +130,9 @@ char valid_opts[] = "Bd:hklnS:u:UL:y"
 #ifdef AUTHENTICATION
 		    "a:X:z"
 #endif
+#ifdef ENCRYPTION
+                     "e"
+#endif
 #ifdef DIAGNOSTICS
 		    "D:"
 #endif
@@ -141,10 +143,6 @@ char valid_opts[] = "Bd:hklnS:u:UL:y"
 
 static void doit(struct sockaddr*, int);
 
-#ifdef ENCRYPTION
-extern int des_check_key;
-#endif
-
 int
 main(int argc, char **argv)
 {
@@ -156,9 +154,6 @@ main(int argc, char **argv)
 #if	defined(IPPROTO_IP) && defined(IP_TOS)
     int tos = -1;
 #endif
-#ifdef ENCRYPTION
-    des_check_key = 1;	/* Kludge for Mac NCSA telnet 2.6 /bg */
-#endif
     pfrontp = pbackp = ptyobuf;
     netip = netibuf;
     nfrontp = nbackp = netobuf;
@@ -182,6 +177,8 @@ main(int argc, char **argv)
 	print_version(NULL);
 	exit(0);
     }
+    if (argc == 2 && strcmp(argv[1], "--help") == 0)
+	usage(0);
 
     while ((ch = getopt(argc, argv, valid_opts)) != -1) {
 	switch(ch) {
@@ -223,7 +220,7 @@ main(int argc, char **argv)
 		debug++;
 		break;
 	    }
-	    usage();
+	    usage(1);
 	    /* NOTREACHED */
 	    break;
 
@@ -243,12 +240,17 @@ main(int argc, char **argv)
 	    } else if (!strcmp(optarg, "options")) {
 		diagnostic |= TD_OPTIONS;
 	    } else {
-		usage();
+		usage(1);
 		/* NOT REACHED */
 	    }
 	    break;
 #endif /* DIAGNOSTICS */
 
+#ifdef ENCRYPTION
+	case 'e':
+	    require_encryption = 1;
+	    break;
+#endif
 
 	case 'h':
 	    hostinfo = 0;
@@ -283,7 +285,7 @@ main(int argc, char **argv)
 		    lowpty = atoi(optarg);
 		if ((lowpty > highpty) || (lowpty < 0) ||
 		    (highpty > 32767)) {
-		    usage();
+		    usage(1);
 		    /* NOT REACHED */
 		}
 		break;
@@ -341,7 +343,7 @@ main(int argc, char **argv)
 	    fprintf(stderr, "telnetd: %c: unknown option\n", ch);
 	    /* FALLTHROUGH */
 	case '?':
-	    usage();
+	    usage(0);
 	    /* NOTREACHED */
 	}
     }
@@ -354,7 +356,7 @@ main(int argc, char **argv)
 	struct servent *sp;
 
 	if (argc > 1) {
-	    usage ();
+	    usage (1);
 	} else if (argc == 1) {
 	    sp = roken_getservbyname (*argv, "tcp");
 	    if (sp)
@@ -370,7 +372,7 @@ main(int argc, char **argv)
 	}
 	mini_inetd (port);
     } else if (argc > 0) {
-	usage();
+	usage(1);
 	/* NOT REACHED */
     }
 
@@ -463,9 +465,11 @@ main(int argc, char **argv)
 }  /* end of main */
 
 static void
-usage(void)
+usage(int exit_code)
 {
     fprintf(stderr, "Usage: telnetd");
+    fprintf(stderr, " [--help]");
+    fprintf(stderr, " [--version]");
 #ifdef	AUTHENTICATION
     fprintf(stderr, " [-a (debug|other|otp|user|valid|off|none)]\n\t");
 #endif
@@ -491,7 +495,7 @@ usage(void)
 #endif
     fprintf(stderr, " [-u utmp_hostname_length] [-U]");
     fprintf(stderr, " [port]\n");
-    exit(1);
+    exit(exit_code);
 }
 
 /*
@@ -550,6 +554,15 @@ getterminaltype(char *name, size_t name_sz)
     if (his_state_is_will(TELOPT_ENCRYPT)) {
 	encrypt_wait();
     }
+    if (require_encryption) {
+
+	while (encrypt_delay())
+	    if (telnet_spin())
+		fatal(net, "Failed while waiting for encryption");
+
+	if (!encrypt_is_encrypting())
+	    fatal(net, "Encryption required but not turned on by client");
+    }
 #endif
     if (his_state_is_will(TELOPT_TSPEED)) {
 	static unsigned char sb[] =
@@ -636,7 +649,7 @@ getterminaltype(char *name, size_t name_sz)
 		     */
 		    _gettermname();
 		    if (strncmp(first, terminaltype, sizeof(first)) != 0)
-			strcpy(terminaltype, first);
+			strlcpy(terminaltype, first, sizeof(terminaltype));
 		    break;
 		}
 	    }
@@ -747,12 +760,21 @@ Please contact your net administrator");
 #endif
 
     init_env();
+
+    /* begin server processing */
+
+    /*
+     * Initialize the slc mapping table.
+     */
+
+    get_slc_defaults();
+
     /*
      * get terminal type.
      */
     *user_name = 0;
     level = getterminaltype(user_name, sizeof(user_name));
-    esetenv("TERM", terminaltype ? terminaltype : "network", 1);
+    esetenv("TERM", terminaltype[0] ? terminaltype : "network", 1);
 
 #ifdef _SC_CRAY_SECURE_SYS
     if (secflag) {
@@ -763,7 +785,6 @@ Please contact your net administrator");
     }
 #endif	/* _SC_CRAY_SECURE_SYS */
 
-    /* begin server processing */
     my_telnet(net, ourpty, remote_host_name, remote_utmp_name,
 	      level, user_name);
     /*NOTREACHED*/
@@ -779,9 +800,17 @@ show_issue(void)
     if(f == NULL)
 	f = fopen(SYSCONFDIR "/issue", "r");
     if(f){
-	while(fgets(buf, sizeof(buf)-2, f)){
-	    strcpy(buf + strcspn(buf, "\r\n"), "\r\n");
-	    writenet((unsigned char*)buf, strlen(buf));
+	while(fgets(buf, sizeof(buf), f) != NULL) {
+	    size_t len = strcspn(buf, "\r\n");
+	    if(len == strlen(buf)) {
+		/* there's no newline */
+		writenet(buf, len);
+	    } else {
+		/* replace newline with \r\n */
+		buf[len] = '\0';
+		writenet(buf, len);
+		writenet("\r\n", 2);
+	    }
 	}
 	fclose(f);
     }
@@ -803,11 +832,6 @@ my_telnet(int f, int p, const char *host, const char *utmp_host,
     time_t timeout;
 
     /*
-     * Initialize the slc mapping table.
-     */
-    get_slc_defaults();
-
-    /*
      * Do some tests where it is desireable to wait for a response.
      * Rather than doing them slowly, one at a time, do them all
      * at once.
diff --git a/crypto/heimdal/appl/telnet/telnetd/telnetd.h b/crypto/heimdal/appl/telnet/telnetd/telnetd.h
index 6504607..51a5725 100644
--- a/crypto/heimdal/appl/telnet/telnetd/telnetd.h
+++ b/crypto/heimdal/appl/telnet/telnetd/telnetd.h
@@ -122,6 +122,30 @@
 #include <pty.h>
 #endif
 
+#ifdef	STREAMSPTY
+#ifdef HAVE_SAC_H
+#include <sac.h>
+#endif
+#ifdef HAVE_SYS_STROPTS_H
+#include <sys/stropts.h>
+#endif
+
+# include <stropts.h>
+
+#ifdef  HAVE_SYS_UIO_H
+#include <sys/uio.h>
+#ifdef __hpux
+#undef SE
+#endif
+#endif
+#ifdef	HAVE_SYS_STREAM_H
+#include <sys/stream.h>
+#endif
+
+#endif /* STREAMSPTY */
+
+#undef NOERROR
+
 #include "defs.h"
 
 #ifndef _POSIX_VDISABLE
@@ -221,3 +245,7 @@ int output_data (const char *format, ...)
 __attribute__ ((format (printf, 1, 2)))
 #endif
 ;
+
+#ifdef ENCRYPTION
+extern int require_encryption;
+#endif
diff --git a/crypto/heimdal/appl/telnet/telnetd/termstat.c b/crypto/heimdal/appl/telnet/telnetd/termstat.c
index a223269..696a234 100644
--- a/crypto/heimdal/appl/telnet/telnetd/termstat.c
+++ b/crypto/heimdal/appl/telnet/telnetd/termstat.c
@@ -33,7 +33,7 @@
 
 #include "telnetd.h"
 
-RCSID("$Id: termstat.c,v 1.12 2001/08/29 00:45:23 assar Exp $");
+RCSID("$Id: termstat.c 10587 2001-08-29 00:45:23Z assar $");
 
 /*
  * local variables
diff --git a/crypto/heimdal/appl/telnet/telnetd/utility.c b/crypto/heimdal/appl/telnet/telnetd/utility.c
index a98b3fc..f55914f 100644
--- a/crypto/heimdal/appl/telnet/telnetd/utility.c
+++ b/crypto/heimdal/appl/telnet/telnetd/utility.c
@@ -34,7 +34,7 @@
 #define PRINTOPTIONS
 #include "telnetd.h"
 
-RCSID("$Id: utility.c,v 1.27 2001/09/03 05:54:17 assar Exp $");
+RCSID("$Id: utility.c 15844 2005-08-08 13:36:16Z lha $");
 
 /*
  * utility functions performing io related tasks
@@ -323,13 +323,15 @@ netflush(void)
  *    len - How many bytes to write
  */
 void
-writenet(unsigned char *ptr, int len)
+writenet(const void *ptr, size_t len)
 {
     /* flush buffer if no room for new data) */
     while ((&netobuf[BUFSIZ] - nfrontp) < len) {
 	/* if this fails, don't worry, buffer is a little big */
 	netflush();
     }
+    if ((&netobuf[BUFSIZ] - nfrontp) < len)
+	abort();
 
     memmove(nfrontp, ptr, len);
     nfrontp += len;
@@ -431,11 +433,7 @@ putchr(int cc)
     *putlocation++ = cc;
 }
 
-/*
- * This is split on two lines so that SCCS will not see the M
- * between two % signs and expand it...
- */
-static char fmtstr[] = { "%l:%M" "%P on %A, %d %B %Y" };
+static char fmtstr[] = { "%l:%M%P on %A, %d %B %Y" };
 
 void putf(char *cp, char *where)
 {
@@ -470,12 +468,7 @@ void putf(char *cp, char *where)
 	switch (*++cp) {
 
 	case 't':
-#ifdef	STREAMSPTY
-	    /* names are like /dev/pts/2 -- we want pts/2 */
 	    slash = strchr(line+1, '/');
-#else
-	    slash = strrchr(line, '/');
-#endif
 	    if (slash == (char *) 0)
 		putstr(line);
 	    else
diff --git a/crypto/heimdal/appl/test/Makefile.am b/crypto/heimdal/appl/test/Makefile.am
index 154b407..21f2013 100644
--- a/crypto/heimdal/appl/test/Makefile.am
+++ b/crypto/heimdal/appl/test/Makefile.am
@@ -1,9 +1,9 @@
-# $Id: Makefile.am,v 1.14 2000/11/15 22:51:11 assar Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
 noinst_PROGRAMS = tcp_client tcp_server gssapi_server gssapi_client \
-	uu_server uu_client nt_gss_server nt_gss_client
+	uu_server uu_client nt_gss_server nt_gss_client http_client
 
 tcp_client_SOURCES = tcp_client.c common.c test_locl.h
 
@@ -15,6 +15,9 @@ gssapi_server_SOURCES = gssapi_server.c gss_common.c common.c \
 gssapi_client_SOURCES = gssapi_client.c gss_common.c common.c \
 	gss_common.h test_locl.h
 
+http_client_SOURCES = http_client.c gss_common.c common.c \
+	gss_common.h test_locl.h
+
 uu_server_SOURCES = uu_server.c common.c test_locl.h
 
 uu_client_SOURCES = uu_client.c common.c test_locl.h
@@ -23,15 +26,17 @@ gssapi_server_LDADD = $(top_builddir)/lib/gssapi/libgssapi.la $(LDADD)
 
 gssapi_client_LDADD = $(gssapi_server_LDADD)
 
-nt_gss_client_SOURCES = nt_gss_client.c nt_gss_common.c common.c
+http_client_LDADD = $(top_builddir)/lib/gssapi/libgssapi.la $(LDADD)
+
+nt_gss_client_SOURCES = nt_gss_client.c nt_gss_common.c nt_gss_common.h common.c
 
-nt_gss_server_SOURCES = nt_gss_server.c nt_gss_common.c
+nt_gss_server_SOURCES = nt_gss_server.c nt_gss_common.c nt_gss_common.h
 
 nt_gss_client_LDADD = $(gssapi_server_LDADD)
 
 nt_gss_server_LDADD = $(nt_gss_client_LDADD)
 
 LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken)
diff --git a/crypto/heimdal/appl/test/Makefile.in b/crypto/heimdal/appl/test/Makefile.in
index 63ff46d..fb9e3688 100644
--- a/crypto/heimdal/appl/test/Makefile.in
+++ b/crypto/heimdal/appl/test/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,23 +14,17 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.14 2000/11/15 22:51:11 assar Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
-SOURCES = $(gssapi_client_SOURCES) $(gssapi_server_SOURCES) $(nt_gss_client_SOURCES) $(nt_gss_server_SOURCES) $(tcp_client_SOURCES) $(tcp_server_SOURCES) $(uu_client_SOURCES) $(uu_server_SOURCES)
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -42,6 +36,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -49,20 +44,18 @@ DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 noinst_PROGRAMS = tcp_client$(EXEEXT) tcp_server$(EXEEXT) \
 	gssapi_server$(EXEEXT) gssapi_client$(EXEEXT) \
 	uu_server$(EXEEXT) uu_client$(EXEEXT) nt_gss_server$(EXEEXT) \
-	nt_gss_client$(EXEEXT)
+	nt_gss_client$(EXEEXT) http_client$(EXEEXT)
 subdir = appl/test
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -75,6 +68,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -83,16 +77,20 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
 PROGRAMS = $(noinst_PROGRAMS)
@@ -111,6 +109,11 @@ am_gssapi_server_OBJECTS = gssapi_server.$(OBJEXT) \
 gssapi_server_OBJECTS = $(am_gssapi_server_OBJECTS)
 gssapi_server_DEPENDENCIES = $(top_builddir)/lib/gssapi/libgssapi.la \
 	$(am__DEPENDENCIES_2)
+am_http_client_OBJECTS = http_client.$(OBJEXT) gss_common.$(OBJEXT) \
+	common.$(OBJEXT)
+http_client_OBJECTS = $(am_http_client_OBJECTS)
+http_client_DEPENDENCIES = $(top_builddir)/lib/gssapi/libgssapi.la \
+	$(am__DEPENDENCIES_2)
 am_nt_gss_client_OBJECTS = nt_gss_client.$(OBJEXT) \
 	nt_gss_common.$(OBJEXT) common.$(OBJEXT)
 nt_gss_client_OBJECTS = $(am_nt_gss_client_OBJECTS)
@@ -144,36 +147,33 @@ uu_server_LDADD = $(LDADD)
 uu_server_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \
 	$(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \
 	$(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
 SOURCES = $(gssapi_client_SOURCES) $(gssapi_server_SOURCES) \
-	$(nt_gss_client_SOURCES) $(nt_gss_server_SOURCES) \
-	$(tcp_client_SOURCES) $(tcp_server_SOURCES) \
-	$(uu_client_SOURCES) $(uu_server_SOURCES)
+	$(http_client_SOURCES) $(nt_gss_client_SOURCES) \
+	$(nt_gss_server_SOURCES) $(tcp_client_SOURCES) \
+	$(tcp_server_SOURCES) $(uu_client_SOURCES) \
+	$(uu_server_SOURCES)
 DIST_SOURCES = $(gssapi_client_SOURCES) $(gssapi_server_SOURCES) \
-	$(nt_gss_client_SOURCES) $(nt_gss_server_SOURCES) \
-	$(tcp_client_SOURCES) $(tcp_server_SOURCES) \
-	$(uu_client_SOURCES) $(uu_server_SOURCES)
+	$(http_client_SOURCES) $(nt_gss_client_SOURCES) \
+	$(nt_gss_server_SOURCES) $(tcp_client_SOURCES) \
+	$(tcp_server_SOURCES) $(uu_client_SOURCES) \
+	$(uu_server_SOURCES)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -183,8 +183,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -195,11 +193,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -207,42 +204,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -260,12 +242,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -275,15 +254,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -292,6 +270,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -303,15 +282,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -319,74 +293,79 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -403,6 +382,7 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 tcp_client_SOURCES = tcp_client.c common.c test_locl.h
 tcp_server_SOURCES = tcp_server.c common.c test_locl.h
@@ -412,23 +392,27 @@ gssapi_server_SOURCES = gssapi_server.c gss_common.c common.c \
 gssapi_client_SOURCES = gssapi_client.c gss_common.c common.c \
 	gss_common.h test_locl.h
 
+http_client_SOURCES = http_client.c gss_common.c common.c \
+	gss_common.h test_locl.h
+
 uu_server_SOURCES = uu_server.c common.c test_locl.h
 uu_client_SOURCES = uu_client.c common.c test_locl.h
 gssapi_server_LDADD = $(top_builddir)/lib/gssapi/libgssapi.la $(LDADD)
 gssapi_client_LDADD = $(gssapi_server_LDADD)
-nt_gss_client_SOURCES = nt_gss_client.c nt_gss_common.c common.c
-nt_gss_server_SOURCES = nt_gss_server.c nt_gss_common.c
+http_client_LDADD = $(top_builddir)/lib/gssapi/libgssapi.la $(LDADD)
+nt_gss_client_SOURCES = nt_gss_client.c nt_gss_common.c nt_gss_common.h common.c
+nt_gss_server_SOURCES = nt_gss_server.c nt_gss_common.c nt_gss_common.h
 nt_gss_client_LDADD = $(gssapi_server_LDADD)
 nt_gss_server_LDADD = $(nt_gss_client_LDADD)
 LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken)
 
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -467,28 +451,31 @@ clean-noinstPROGRAMS:
 	done
 gssapi_client$(EXEEXT): $(gssapi_client_OBJECTS) $(gssapi_client_DEPENDENCIES) 
 	@rm -f gssapi_client$(EXEEXT)
-	$(LINK) $(gssapi_client_LDFLAGS) $(gssapi_client_OBJECTS) $(gssapi_client_LDADD) $(LIBS)
+	$(LINK) $(gssapi_client_OBJECTS) $(gssapi_client_LDADD) $(LIBS)
 gssapi_server$(EXEEXT): $(gssapi_server_OBJECTS) $(gssapi_server_DEPENDENCIES) 
 	@rm -f gssapi_server$(EXEEXT)
-	$(LINK) $(gssapi_server_LDFLAGS) $(gssapi_server_OBJECTS) $(gssapi_server_LDADD) $(LIBS)
+	$(LINK) $(gssapi_server_OBJECTS) $(gssapi_server_LDADD) $(LIBS)
+http_client$(EXEEXT): $(http_client_OBJECTS) $(http_client_DEPENDENCIES) 
+	@rm -f http_client$(EXEEXT)
+	$(LINK) $(http_client_OBJECTS) $(http_client_LDADD) $(LIBS)
 nt_gss_client$(EXEEXT): $(nt_gss_client_OBJECTS) $(nt_gss_client_DEPENDENCIES) 
 	@rm -f nt_gss_client$(EXEEXT)
-	$(LINK) $(nt_gss_client_LDFLAGS) $(nt_gss_client_OBJECTS) $(nt_gss_client_LDADD) $(LIBS)
+	$(LINK) $(nt_gss_client_OBJECTS) $(nt_gss_client_LDADD) $(LIBS)
 nt_gss_server$(EXEEXT): $(nt_gss_server_OBJECTS) $(nt_gss_server_DEPENDENCIES) 
 	@rm -f nt_gss_server$(EXEEXT)
-	$(LINK) $(nt_gss_server_LDFLAGS) $(nt_gss_server_OBJECTS) $(nt_gss_server_LDADD) $(LIBS)
+	$(LINK) $(nt_gss_server_OBJECTS) $(nt_gss_server_LDADD) $(LIBS)
 tcp_client$(EXEEXT): $(tcp_client_OBJECTS) $(tcp_client_DEPENDENCIES) 
 	@rm -f tcp_client$(EXEEXT)
-	$(LINK) $(tcp_client_LDFLAGS) $(tcp_client_OBJECTS) $(tcp_client_LDADD) $(LIBS)
+	$(LINK) $(tcp_client_OBJECTS) $(tcp_client_LDADD) $(LIBS)
 tcp_server$(EXEEXT): $(tcp_server_OBJECTS) $(tcp_server_DEPENDENCIES) 
 	@rm -f tcp_server$(EXEEXT)
-	$(LINK) $(tcp_server_LDFLAGS) $(tcp_server_OBJECTS) $(tcp_server_LDADD) $(LIBS)
+	$(LINK) $(tcp_server_OBJECTS) $(tcp_server_LDADD) $(LIBS)
 uu_client$(EXEEXT): $(uu_client_OBJECTS) $(uu_client_DEPENDENCIES) 
 	@rm -f uu_client$(EXEEXT)
-	$(LINK) $(uu_client_LDFLAGS) $(uu_client_OBJECTS) $(uu_client_LDADD) $(LIBS)
+	$(LINK) $(uu_client_OBJECTS) $(uu_client_LDADD) $(LIBS)
 uu_server$(EXEEXT): $(uu_server_OBJECTS) $(uu_server_DEPENDENCIES) 
 	@rm -f uu_server$(EXEEXT)
-	$(LINK) $(uu_server_LDFLAGS) $(uu_server_OBJECTS) $(uu_server_LDADD) $(LIBS)
+	$(LINK) $(uu_server_OBJECTS) $(uu_server_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -511,10 +498,6 @@ mostlyclean-libtool:
 clean-libtool:
 	-rm -rf .libs _libs
 
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
-
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -535,9 +518,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -562,23 +547,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../.. $(distdir)/../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -616,7 +599,7 @@ mostlyclean-generic:
 clean-generic:
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -629,7 +612,7 @@ clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -645,14 +628,22 @@ install-data-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man:
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -672,19 +663,26 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-info-am
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
 
 .PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
 	clean clean-generic clean-libtool clean-noinstPROGRAMS ctags \
-	distclean distclean-compile distclean-generic \
+	dist-hook distclean distclean-compile distclean-generic \
 	distclean-libtool distclean-tags distdir dvi dvi-am html \
 	html-am info info-am install install-am install-data \
-	install-data-am install-exec install-exec-am install-info \
-	install-info-am install-man install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-info-am
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am uninstall-hook
 
 
 install-suid-programs:
@@ -699,8 +697,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -710,19 +708,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -738,7 +748,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -808,14 +818,39 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/appl/test/common.c b/crypto/heimdal/appl/test/common.c
index 58b9fdf..595c828 100644
--- a/crypto/heimdal/appl/test/common.c
+++ b/crypto/heimdal/appl/test/common.c
@@ -33,7 +33,7 @@
 
 #include "test_locl.h"
 
-RCSID("$Id: common.c,v 1.11 2000/08/27 04:29:34 assar Exp $");
+RCSID("$Id: common.c 12796 2003-09-09 03:38:04Z lha $");
 
 static int help_flag;
 static int version_flag;
@@ -41,12 +41,14 @@ static char *port_str;
 static char *keytab_str;
 krb5_keytab keytab;
 char *service = SERVICE;
+char *mech = "krb5";
 int fork_flag;
 
 static struct getargs args[] = {
     { "port", 'p', arg_string, &port_str, "port to listen to", "port" },
     { "service", 's', arg_string, &service, "service to use", "service" },
     { "keytab", 'k', arg_string, &keytab_str, "keytab to use", "keytab" },
+    { "mech", 'm', arg_string, &mech, "gssapi mech to use", "mech" },
     { "fork", 'f', arg_flag, &fork_flag, "do fork" },
     { "help", 'h', arg_flag, &help_flag },
     { "version", 0, arg_flag, &version_flag }
diff --git a/crypto/heimdal/appl/test/gss_common.c b/crypto/heimdal/appl/test/gss_common.c
index 4b5319a..4c80e54 100644
--- a/crypto/heimdal/appl/test/gss_common.c
+++ b/crypto/heimdal/appl/test/gss_common.c
@@ -34,12 +34,12 @@
 #include "test_locl.h"
 #include <gssapi.h>
 #include "gss_common.h"
-RCSID("$Id: gss_common.c,v 1.9 2000/11/15 23:05:27 assar Exp $");
+RCSID("$Id: gss_common.c 19937 2007-01-16 21:56:01Z lha $");
 
 void
 write_token (int sock, gss_buffer_t buf)
 {
-    u_int32_t len, net_len;
+    uint32_t len, net_len;
     OM_uint32 min_stat;
 
     len = buf->length;
@@ -69,7 +69,7 @@ enet_read(int fd, void *buf, size_t len)
 void
 read_token (int sock, gss_buffer_t buf)
 {
-    u_int32_t len, net_len;
+    uint32_t len, net_len;
 
     enet_read (sock, &net_len, 4);
     len = ntohl(net_len);
@@ -93,7 +93,8 @@ gss_print_errors (int min_stat)
 				  GSS_C_NO_OID,
 				  &msg_ctx,
 				  &status_string);
-	fprintf (stderr, "%s\n", (char *)status_string.value);
+	fprintf (stderr, "%.*s\n", (int)status_string.length, 
+		 (char *)status_string.value);
 	gss_release_buffer (&new_stat, &status_string);
     } while (!GSS_ERROR(ret) && msg_ctx != 0);
 }
@@ -116,3 +117,36 @@ gss_err(int exitval, int status, const char *fmt, ...)
     va_end(args);
 }
 
+gss_OID
+select_mech(const char *mech)
+{
+    if (strcasecmp(mech, "krb5") == 0)
+	return GSS_KRB5_MECHANISM;
+    else if (strcasecmp(mech, "spnego") == 0)
+	return GSS_SPNEGO_MECHANISM;
+    else if (strcasecmp(mech, "no-oid") == 0)
+	return GSS_C_NO_OID;
+    else
+	errx (1, "Unknown mechanism '%s' (spnego, krb5, no-oid)", mech);
+}
+
+void
+print_gss_name(const char *prefix, gss_name_t name)
+{
+    OM_uint32 maj_stat, min_stat;
+    gss_buffer_desc name_token;
+
+    maj_stat = gss_display_name (&min_stat,
+				 name,
+				 &name_token,
+				 NULL);
+    if (GSS_ERROR(maj_stat))
+	gss_err (1, min_stat, "gss_display_name");
+
+    fprintf (stderr, "%s `%.*s'\n", prefix,
+	     (int)name_token.length,
+	     (char *)name_token.value);
+
+    gss_release_buffer (&min_stat, &name_token);
+
+}
diff --git a/crypto/heimdal/appl/test/gss_common.h b/crypto/heimdal/appl/test/gss_common.h
index 775126b..598ac8c 100644
--- a/crypto/heimdal/appl/test/gss_common.h
+++ b/crypto/heimdal/appl/test/gss_common.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: gss_common.h,v 1.5 1999/12/02 17:04:56 joda Exp $ */
+/* $Id: gss_common.h 14661 2005-03-19 03:13:14Z lha $ */
 
 void write_token (int sock, gss_buffer_t buf);
 void read_token (int sock, gss_buffer_t buf);
@@ -43,3 +43,7 @@ void gss_verr(int exitval, int status, const char *fmt, va_list ap)
 
 void gss_err(int exitval, int status, const char *fmt, ...)
     __attribute__ ((format (printf, 3, 4)));
+
+gss_OID select_mech(const char *);
+
+void print_gss_name(const char *, gss_name_t);
diff --git a/crypto/heimdal/appl/test/gssapi_client.c b/crypto/heimdal/appl/test/gssapi_client.c
index 126ce91..d10fc57 100644
--- a/crypto/heimdal/appl/test/gssapi_client.c
+++ b/crypto/heimdal/appl/test/gssapi_client.c
@@ -34,7 +34,7 @@
 #include "test_locl.h"
 #include <gssapi.h>
 #include "gss_common.h"
-RCSID("$Id: gssapi_client.c,v 1.16 2000/08/09 20:53:06 assar Exp $");
+RCSID("$Id: gssapi_client.c 21521 2007-07-12 13:13:40Z lha $");
 
 static int
 do_trans (int sock, gss_ctx_id_t context_hdl)
@@ -65,6 +65,17 @@ do_trans (int sock, gss_ctx_id_t context_hdl)
     input_token->length = 7;
     input_token->value  = "hemligt";
 
+    maj_stat = gss_wrap (&min_stat,
+			 context_hdl,
+			 0,
+			 GSS_C_QOP_DEFAULT,
+			 input_token,
+			 NULL,
+			 output_token);
+    if (GSS_ERROR(maj_stat))
+	gss_err (1, min_stat, "gss_wrap");
+
+    write_token (sock, output_token);
 
     maj_stat = gss_wrap (&min_stat,
 			 context_hdl,
@@ -98,10 +109,17 @@ proto (int sock, const char *hostname, const char *service)
     struct gss_channel_bindings_struct input_chan_bindings;
     u_char init_buf[4];
     u_char acct_buf[4];
+    gss_OID mech_oid;
+    char *str;
 
-    name_token.length = asprintf ((char **)&name_token.value,
-				  "%s@%s", service, hostname);
+    mech_oid = select_mech(mech);
 
+    name_token.length = asprintf (&str,
+				  "%s@%s", service, hostname);
+    if (str == NULL)
+	errx(1, "malloc - out of memory");
+    name_token.value = str;
+	
     maj_stat = gss_import_name (&min_stat,
 				&name_token,
 				GSS_C_NT_HOSTBASED_SERVICE,
@@ -155,7 +173,7 @@ proto (int sock, const char *hostname, const char *service)
 				 GSS_C_NO_CREDENTIAL,
 				 &context_hdl,
 				 server,
-				 GSS_C_NO_OID,
+				 mech_oid,
 				 GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG
 				 | GSS_C_DELEG_FLAG,
 				 0,
diff --git a/crypto/heimdal/appl/test/gssapi_server.c b/crypto/heimdal/appl/test/gssapi_server.c
index 3d4affd..e63a2bc 100644
--- a/crypto/heimdal/appl/test/gssapi_server.c
+++ b/crypto/heimdal/appl/test/gssapi_server.c
@@ -34,7 +34,7 @@
 #include "test_locl.h"
 #include <gssapi.h>
 #include "gss_common.h"
-RCSID("$Id: gssapi_server.c,v 1.15 2000/08/09 20:53:07 assar Exp $");
+RCSID("$Id: gssapi_server.c 14762 2005-04-10 14:47:41Z lha $");
 
 static int
 process_it(int sock,
@@ -43,22 +43,31 @@ process_it(int sock,
 	   )
 {
     OM_uint32 maj_stat, min_stat;
-    gss_buffer_desc name_token;
     gss_buffer_desc real_input_token, real_output_token;
     gss_buffer_t input_token = &real_input_token,
 	output_token = &real_output_token;
-
-    maj_stat = gss_display_name (&min_stat,
-				 client_name,
-				 &name_token,
-				 NULL);
+    gss_name_t server_name;
+    int conf_flag;
+
+    print_gss_name("User is", client_name);
+
+    maj_stat = gss_inquire_context(&min_stat,
+				   context_hdl,
+				   NULL,
+				   &server_name,
+				   NULL,
+				   NULL,
+				   NULL,
+				   NULL,
+				   NULL);
     if (GSS_ERROR(maj_stat))
-	gss_err (1, min_stat, "gss_display_name");
+	gss_err (1, min_stat, "gss_inquire_context");
 
-    fprintf (stderr, "User is `%.*s'\n", (int)name_token.length,
-	    (char *)name_token.value);
+    print_gss_name("Server is", server_name);
 
-    gss_release_buffer (&min_stat, &name_token);
+    maj_stat = gss_release_name(&min_stat, &server_name);
+    if (GSS_ERROR(maj_stat))
+	gss_err (1, min_stat, "gss_release_name");
 
     /* gss_verify_mic */
 
@@ -87,13 +96,32 @@ process_it(int sock,
 			   context_hdl,
 			   input_token,
 			   output_token,
-			   NULL,
+			   &conf_flag,
+			   NULL);
+    if(GSS_ERROR(maj_stat))
+	gss_err (1, min_stat, "gss_unwrap");
+
+    fprintf (stderr, "gss_unwrap: %.*s %s\n", (int)output_token->length,
+	    (char *)output_token->value,
+	     conf_flag ? "CONF" : "INT");
+
+    gss_release_buffer (&min_stat, input_token);
+    gss_release_buffer (&min_stat, output_token);
+
+    read_token (sock, input_token);
+
+    maj_stat = gss_unwrap (&min_stat,
+			   context_hdl,
+			   input_token,
+			   output_token,
+			   &conf_flag,
 			   NULL);
     if(GSS_ERROR(maj_stat))
 	gss_err (1, min_stat, "gss_unwrap");
 
-    fprintf (stderr, "gss_unwrap: %.*s\n", (int)output_token->length,
-	    (char *)output_token->value);
+    fprintf (stderr, "gss_unwrap: %.*s %s\n", (int)output_token->length,
+	     (char *)output_token->value,
+	     conf_flag ? "CONF" : "INT");
 
     gss_release_buffer (&min_stat, input_token);
     gss_release_buffer (&min_stat, output_token);
@@ -117,6 +145,8 @@ proto (int sock, const char *service)
     krb5_ccache ccache;
     u_char init_buf[4];
     u_char acct_buf[4];
+    gss_OID mech_oid;
+    char *mech, *p;
 
     addrlen = sizeof(local);
     if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
@@ -156,8 +186,7 @@ proto (int sock, const char *service)
     input_chan_bindings.application_data.value = NULL;
 #endif
     
-    delegated_cred_handle = emalloc(sizeof(*delegated_cred_handle));
-    memset((char*)delegated_cred_handle, 0, sizeof(*delegated_cred_handle));
+    delegated_cred_handle = GSS_C_NO_CREDENTIAL;
     
     do {
 	read_token (sock, input_token);
@@ -168,11 +197,11 @@ proto (int sock, const char *service)
 				    input_token,
 				    &input_chan_bindings,
 				    &client_name,
-				    NULL,
+				    &mech_oid,
 				    output_token,
 				    NULL,
 				    NULL,
-				    /*&delegated_cred_handle*/ NULL);
+				    &delegated_cred_handle);
 	if(GSS_ERROR(maj_stat))
 	    gss_err (1, min_stat, "gss_accept_sec_context");
 	if (output_token->length != 0)
@@ -186,15 +215,43 @@ proto (int sock, const char *service)
 	}
     } while(maj_stat & GSS_S_CONTINUE_NEEDED);
     
-    if (delegated_cred_handle->ccache) {
+    p = (char *)mech_oid->elements;
+    if (mech_oid->length == GSS_KRB5_MECHANISM->length
+	&& memcmp(p, GSS_KRB5_MECHANISM->elements, mech_oid->length) == 0)
+	mech = "Kerberos 5";
+    else if (mech_oid->length == GSS_SPNEGO_MECHANISM->length
+	&& memcmp(p, GSS_SPNEGO_MECHANISM->elements, mech_oid->length) == 0)
+	mech = "SPNEGO"; /* XXX Silly, wont show up */
+    else
+	mech = "Unknown";
+
+    printf("Using mech: %s\n", mech);
+
+    if (delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
        krb5_context context;
 
+       printf("Delegated cred found\n");
+
        maj_stat = krb5_init_context(&context);
        maj_stat = krb5_cc_resolve(context, "FILE:/tmp/krb5cc_test", &ccache);
-       maj_stat = krb5_cc_copy_cache(context,
-                                      delegated_cred_handle->ccache, ccache);
+       maj_stat = gss_krb5_copy_ccache(&min_stat,
+				       delegated_cred_handle,
+				       ccache);
+       if (maj_stat == 0) {
+	   krb5_principal p;
+	   maj_stat = krb5_cc_get_principal(context, ccache, &p);
+	   if (maj_stat == 0) {
+	       char *name;
+	       maj_stat = krb5_unparse_name(context, p, &name);
+	       if (maj_stat == 0) {
+		   printf("Delegated user is: `%s'\n", name);
+		   free(name);
+	       }
+	       krb5_free_principal(context, p);
+	   }
+       }
        krb5_cc_close(context, ccache);
-       krb5_cc_destroy(context, delegated_cred_handle->ccache);
+       gss_release_cred(&min_stat, &delegated_cred_handle);
     }
 
     if (fork_flag) {
diff --git a/crypto/heimdal/appl/test/http_client.c b/crypto/heimdal/appl/test/http_client.c
new file mode 100644
index 0000000..074ba37
--- /dev/null
+++ b/crypto/heimdal/appl/test/http_client.c
@@ -0,0 +1,504 @@
+/*
+ * Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "test_locl.h"
+#include <gssapi.h>
+#include "gss_common.h"
+#include <base64.h>
+
+RCSID("$Id: http_client.c 14861 2005-04-20 10:38:37Z lha $");
+
+/*
+ * A simplistic client implementing draft-brezak-spnego-http-04.txt
+ */
+
+static int
+do_connect (const char *hostname, const char *port)
+{
+    struct addrinfo *ai, *a;
+    struct addrinfo hints;
+    int error;
+    int s = -1;
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_family = PF_UNSPEC;
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_protocol = 0;
+
+    error = getaddrinfo (hostname, port, &hints, &ai);
+    if (error)
+	errx (1, "getaddrinfo(%s): %s", hostname, gai_strerror(error));
+
+    for (a = ai; a != NULL; a = a->ai_next) {
+	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (s < 0)
+	    continue;
+	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
+	    warn ("connect(%s)", hostname);
+ 	    close (s);
+ 	    continue;
+	}
+	break;
+    }
+    freeaddrinfo (ai);
+    if (a == NULL)
+	errx (1, "failed to contact %s", hostname);
+
+    return s;
+}
+
+static void
+fdprintf(int s, const char *fmt, ...)
+{
+    size_t len;
+    ssize_t ret;
+    va_list ap;
+    char *str, *buf;
+    
+    va_start(ap, fmt);
+    vasprintf(&str, fmt, ap);
+    va_end(ap);
+
+    if (str == NULL)
+	errx(1, "vasprintf");
+
+    buf = str;
+    len = strlen(buf);
+    while (len) {
+	ret = write(s, buf, len);
+	if (ret == 0)
+	    err(1, "connection closed");
+	else if (ret < 0)
+	    err(1, "error");
+	len -= ret;
+	buf += ret;
+    }
+    free(str);
+}
+
+static int help_flag;
+static int version_flag;
+static int verbose_flag;
+static int mutual_flag = 1;
+static int delegate_flag;
+static char *port_str = "http";
+static char *gss_service = "HTTP";
+
+static struct getargs http_args[] = {
+    { "verbose", 'v', arg_flag, &verbose_flag, "verbose logging", },
+    { "port", 'p', arg_string, &port_str, "port to connect to", "port" },
+    { "delegate", 0, arg_flag, &delegate_flag, "gssapi delegate credential" },
+    { "gss-service", 's', arg_string, &gss_service, "gssapi service to use",
+      "service" },
+    { "mech", 'm', arg_string, &mech, "gssapi mech to use", "mech" },
+    { "mutual", 0, arg_negative_flag, &mutual_flag, "no gssapi mutual auth" },
+    { "help", 'h', arg_flag, &help_flag },
+    { "version", 0, arg_flag, &version_flag }
+};
+
+static int num_http_args = sizeof(http_args) / sizeof(http_args[0]);
+
+static void
+usage(int code)
+{
+    arg_printusage(http_args, num_http_args, NULL, "host [page]");
+    exit(code);
+}
+
+/*
+ *
+ */
+
+struct http_req {
+    char *response;
+    char **headers;
+    int num_headers;
+    void *body;
+    size_t body_size;
+};
+
+
+static void
+http_req_zero(struct http_req *req)
+{
+    req->response = NULL;
+    req->headers = NULL;
+    req->num_headers = 0;
+    req->body = NULL;
+    req->body_size = 0;
+}
+
+static void
+http_req_free(struct http_req *req)
+{
+    int i;
+
+    free(req->response);
+    for (i = 0; i < req->num_headers; i++)
+	free(req->headers[i]);
+    free(req->headers);
+    free(req->body);
+    http_req_zero(req);
+}
+
+static const char *
+http_find_header(struct http_req *req, const char *header)
+{
+    int i, len = strlen(header);
+
+    for (i = 0; i < req->num_headers; i++) {
+	if (strncasecmp(header, req->headers[i], len) == 0) {
+	    return req->headers[i] + len + 1;
+	}
+    }
+    return NULL;
+}
+
+
+static int
+http_query(const char *host, const char *page, 
+	   char **headers, int num_headers, struct http_req *req)
+{
+    enum { RESPONSE, HEADER, BODY } state;
+    ssize_t ret;
+    char in_buf[1024], *in_ptr = in_buf;
+    size_t in_len = 0;
+    int s, i;
+
+    http_req_zero(req);
+
+    s = do_connect(host, port_str);
+    if (s < 0)
+	errx(1, "connection failed");
+
+    fdprintf(s, "GET %s HTTP/1.0\r\n", page);
+    for (i = 0; i < num_headers; i++)
+	fdprintf(s, "%s\r\n", headers[i]);
+    fdprintf(s, "Host: %s\r\n\r\n", host);
+
+    state = RESPONSE;
+
+    while (1) {
+	ret = read (s, in_ptr, sizeof(in_buf) - in_len - 1);
+	if (ret == 0)
+	    break;
+	else if (ret < 0)
+	    err (1, "read: %lu", (unsigned long)ret);
+	
+	in_buf[ret + in_len] = '\0';
+
+	if (state == HEADER || state == RESPONSE) {
+	    char *p;
+
+	    in_len += ret;
+	    in_ptr += ret;
+
+	    while (1) {
+		p = strstr(in_buf, "\r\n");
+
+		if (p == NULL) {
+		    break;
+		} else if (p == in_buf) {
+		    memmove(in_buf, in_buf + 2, sizeof(in_buf) - 2);
+		    state = BODY;
+		    in_len -= 2;
+		    in_ptr -= 2;
+		    break;
+		} else if (state == RESPONSE) {
+		    req->response = strndup(in_buf, p - in_buf);
+		    state = HEADER;
+		} else {
+		    req->headers = realloc(req->headers,
+					   (req->num_headers + 1) * sizeof(req->headers[0]));
+		    req->headers[req->num_headers] = strndup(in_buf, p - in_buf);
+		    if (req->headers[req->num_headers] == NULL)
+			errx(1, "strdup");
+		    req->num_headers++;
+		}
+		memmove(in_buf, p + 2, sizeof(in_buf) - (p - in_buf) - 2);
+		in_len -= (p - in_buf) + 2;
+		in_ptr -= (p - in_buf) + 2;
+	    }
+	}
+
+	if (state == BODY) {
+
+	    req->body = erealloc(req->body, req->body_size + ret + 1);
+
+	    memcpy((char *)req->body + req->body_size, in_buf, ret);
+	    req->body_size += ret;
+	    ((char *)req->body)[req->body_size] = '\0';
+
+	    in_ptr = in_buf;
+	    in_len = 0;
+	} else
+	    abort();
+    }
+
+    if (verbose_flag) {
+	int i;
+	printf("response: %s\n", req->response);
+	for (i = 0; i < req->num_headers; i++)
+	    printf("header[%d] %s\n", i, req->headers[i]);
+	printf("body: %.*s\n", (int)req->body_size, (char *)req->body);
+    }
+
+    close(s);
+    return 0;
+}
+
+
+int
+main(int argc, char **argv)
+{
+    struct http_req req;
+    const char *host, *page;
+    int i, done, print_body, gssapi_done, gssapi_started;
+    char *headers[10]; /* XXX */
+    int num_headers;
+    gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
+    gss_name_t server = GSS_C_NO_NAME;
+    int optind = 0;
+    gss_OID mech_oid;
+    OM_uint32 flags;
+
+    setprogname(argv[0]);
+
+    if(getarg(http_args, num_http_args, argc, argv, &optind))
+	usage(1);
+
+    if (help_flag)
+	usage (0);
+
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    mech_oid = select_mech(mech);
+
+    if (argc != 1 && argc != 2)
+	errx(1, "usage: %s host [page]", getprogname());
+    host = argv[0];
+    if (argc == 2)
+	page = argv[1];
+    else
+	page = "/";
+
+    flags = 0;
+    if (delegate_flag)
+	flags |= GSS_C_DELEG_FLAG;
+    if (mutual_flag)
+	flags |= GSS_C_MUTUAL_FLAG;
+
+    done = 0;
+    num_headers = 0;
+    gssapi_done = 1;
+    gssapi_started = 0;
+    do {
+	print_body = 0;
+
+	http_query(host, page, headers, num_headers, &req);
+	for (i = 0 ; i < num_headers; i++) 
+	    free(headers[i]);
+	num_headers = 0;
+
+	if (strstr(req.response, " 200 ") != NULL) {
+	    print_body = 1;
+	    done = 1;
+	} else if (strstr(req.response, " 401 ") != NULL) {
+	    if (http_find_header(&req, "WWW-Authenticate:") == NULL)
+		errx(1, "Got %s but missed `WWW-Authenticate'", req.response);
+	    gssapi_done = 0;
+	}
+
+	if (!gssapi_done) {
+	    const char *h = http_find_header(&req, "WWW-Authenticate:");
+	    if (h == NULL)
+		errx(1, "Got %s but missed `WWW-Authenticate'", req.response);
+
+	    if (strncasecmp(h, "Negotiate", 9) == 0) {
+		OM_uint32 maj_stat, min_stat;
+		gss_buffer_desc input_token, output_token;
+
+		if (verbose_flag)
+		    printf("Negotiate found\n");
+		
+		if (server == GSS_C_NO_NAME) {
+		    char *name;
+		    asprintf(&name, "%s@%s", gss_service, host);
+		    input_token.length = strlen(name);
+		    input_token.value = name;
+
+		    maj_stat = gss_import_name(&min_stat,
+					       &input_token,
+					       GSS_C_NT_HOSTBASED_SERVICE,
+					       &server);
+		    if (GSS_ERROR(maj_stat))
+			gss_err (1, min_stat, "gss_inport_name");
+		    free(name);
+		    input_token.length = 0;
+		    input_token.value = NULL;
+		}
+
+		i = 9;
+		while(h[i] && isspace((unsigned char)h[i]))
+		    i++;
+		if (h[i] != '\0') {
+		    int len = strlen(&h[i]);
+		    if (len == 0)
+			errx(1, "invalid Negotiate token");
+		    input_token.value = emalloc(len);
+		    len = base64_decode(&h[i], input_token.value);
+		    if (len < 0)
+			errx(1, "invalid base64 Negotiate token %s", &h[i]);
+		    input_token.length = len;
+		} else {
+		    if (gssapi_started)
+			errx(1, "Negotiate already started");
+		    gssapi_started = 1;
+
+		    input_token.length = 0;
+		    input_token.value = NULL;
+		}
+
+		maj_stat =
+		    gss_init_sec_context(&min_stat,
+					 GSS_C_NO_CREDENTIAL,
+					 &context_hdl,
+					 server,
+					 mech_oid,
+					 flags,
+					 0,
+					 GSS_C_NO_CHANNEL_BINDINGS,
+					 &input_token,
+					 NULL,
+					 &output_token,
+					 NULL,
+					 NULL);
+		if (GSS_ERROR(maj_stat))
+		    gss_err (1, min_stat, "gss_init_sec_context");
+		else if (maj_stat & GSS_S_CONTINUE_NEEDED)
+		    gssapi_done = 0;
+		else {
+		    gss_name_t targ_name, src_name;
+		    gss_buffer_desc name_buffer;
+		    gss_OID mech_type;
+
+		    gssapi_done = 1;
+
+		    printf("Negotiate done: %s\n", mech);
+
+		    maj_stat = gss_inquire_context(&min_stat,
+						   context_hdl,
+						   &src_name,
+						   &targ_name,
+						   NULL,
+						   &mech_type,
+						   NULL,
+						   NULL,
+						   NULL);
+		    if (GSS_ERROR(maj_stat))
+			gss_err (1, min_stat, "gss_inquire_context");
+
+		    maj_stat = gss_display_name(&min_stat,
+						src_name,
+						&name_buffer,
+						NULL);
+		    if (GSS_ERROR(maj_stat))
+			gss_err (1, min_stat, "gss_display_name");
+
+		    printf("Source: %.*s\n",
+			   (int)name_buffer.length,
+			   (char *)name_buffer.value);
+
+		    gss_release_buffer(&min_stat, &name_buffer);
+
+		    maj_stat = gss_display_name(&min_stat,
+						targ_name,
+						&name_buffer,
+						NULL);
+		    if (GSS_ERROR(maj_stat))
+			gss_err (1, min_stat, "gss_display_name");
+
+		    printf("Target: %.*s\n",
+			   (int)name_buffer.length,
+			   (char *)name_buffer.value);
+
+		    gss_release_name(&min_stat, &targ_name);
+		    gss_release_buffer(&min_stat, &name_buffer);
+		}
+
+		if (output_token.length) {
+		    char *neg_token;
+
+		    base64_encode(output_token.value,
+				  output_token.length,
+				  &neg_token);
+		    
+		    asprintf(&headers[0], "Authorization: Negotiate %s",
+			     neg_token);
+
+		    num_headers = 1;
+		    free(neg_token);
+		    gss_release_buffer(&min_stat, &output_token);
+		}
+		if (input_token.length)
+		    free(input_token.value);
+
+	    } else
+		done = 1;
+	} else
+	    done = 1;
+
+	if (verbose_flag) {
+	    printf("%s\n\n", req.response);
+
+	    for (i = 0; i < req.num_headers; i++)
+		printf("%s\n", req.headers[i]);
+	    printf("\n");
+	}
+	if (print_body || verbose_flag)
+	    printf("%.*s\n", (int)req.body_size, (char *)req.body);
+
+	http_req_free(&req);
+    } while (!done);
+
+    if (gssapi_done == 0)
+	errx(1, "gssapi not done but http dance done");
+
+    return 0;
+}
diff --git a/crypto/heimdal/appl/test/nt_gss_client.c b/crypto/heimdal/appl/test/nt_gss_client.c
index 4fabd66..3527799 100644
--- a/crypto/heimdal/appl/test/nt_gss_client.c
+++ b/crypto/heimdal/appl/test/nt_gss_client.c
@@ -35,7 +35,7 @@
 #include <gssapi.h>
 #include "nt_gss_common.h"
 
-RCSID("$Id: nt_gss_client.c,v 1.4 2000/08/09 20:53:07 assar Exp $");
+RCSID("$Id: nt_gss_client.c 21522 2007-07-12 13:15:04Z lha $");
 
 /*
  * This program tries to act as a client for the sample in `Sample
@@ -55,9 +55,13 @@ proto (int sock, const char *hostname, const char *service)
     OM_uint32 maj_stat, min_stat;
     gss_name_t server;
     gss_buffer_desc name_token;
+    char *str;
 
-    name_token.length = asprintf ((char **)&name_token.value,
+    name_token.length = asprintf (&str,
 				  "%s@%s", service, hostname);
+    if (str == NULL)
+	errx(1, "out of memory");
+    name_token.value = str;
 
     maj_stat = gss_import_name (&min_stat,
 				&name_token,
diff --git a/crypto/heimdal/appl/test/nt_gss_common.c b/crypto/heimdal/appl/test/nt_gss_common.c
index ab10355..ca07917 100644
--- a/crypto/heimdal/appl/test/nt_gss_common.c
+++ b/crypto/heimdal/appl/test/nt_gss_common.c
@@ -35,7 +35,7 @@
 #include <gssapi.h>
 #include "nt_gss_common.h"
 
-RCSID("$Id: nt_gss_common.c,v 1.3 1999/12/02 17:04:57 joda Exp $");
+RCSID("$Id: nt_gss_common.c 17450 2006-05-05 11:11:43Z lha $");
 
 /*
  * These are functions that are needed to interoperate with the
@@ -51,7 +51,7 @@ void
 nt_write_token (int sock, gss_buffer_t buf)
 {
     unsigned char net_len[4];
-    u_int32_t len;
+    uint32_t len;
     OM_uint32 min_stat;
 
     len = buf->length;
@@ -77,7 +77,7 @@ void
 nt_read_token (int sock, gss_buffer_t buf)
 {
     unsigned char net_len[4];
-    u_int32_t len;
+    uint32_t len;
 
     if (read(sock, net_len, 4) != 4)
 	err (1, "read");
diff --git a/crypto/heimdal/appl/test/nt_gss_common.h b/crypto/heimdal/appl/test/nt_gss_common.h
index 07428dd..50b5c83 100644
--- a/crypto/heimdal/appl/test/nt_gss_common.h
+++ b/crypto/heimdal/appl/test/nt_gss_common.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: nt_gss_common.h,v 1.2 1999/12/02 17:04:57 joda Exp $ */
+/* $Id: nt_gss_common.h 7464 1999-12-02 17:05:13Z joda $ */
 
 void nt_write_token (int sock, gss_buffer_t buf);
 void nt_read_token (int sock, gss_buffer_t buf);
diff --git a/crypto/heimdal/appl/test/nt_gss_server.c b/crypto/heimdal/appl/test/nt_gss_server.c
index 05b6bcb..df4a32e 100644
--- a/crypto/heimdal/appl/test/nt_gss_server.c
+++ b/crypto/heimdal/appl/test/nt_gss_server.c
@@ -36,7 +36,7 @@
 #include <krb5.h>
 #include "nt_gss_common.h"
 
-RCSID("$Id: nt_gss_server.c,v 1.5 2000/08/09 20:53:07 assar Exp $");
+RCSID("$Id: nt_gss_server.c 12323 2003-05-21 15:15:34Z lha $");
 
 /*
  * This program tries to act as a server for the sample in `Sample
@@ -116,13 +116,18 @@ proto (int sock, const char *service)
 
     if (auth_file != NULL) {
 	int fd = open (auth_file, O_WRONLY | O_CREAT, 0666);
-	krb5_ticket *ticket = context_hdl->ticket;
-	krb5_data *data = &ticket->ticket.authorization_data->val[0].ad_data;
+#if 0
+	krb5_ticket *ticket;
+	krb5_data *data;
+
+	ticket = context_hdl->ticket;
+	data = &ticket->ticket.authorization_data->val[0].ad_data;
 
 	if(fd < 0)
 	    err (1, "open %s", auth_file);
 	if (write (fd, data->data, data->length) != data->length)
 	    errx (1, "write to %s failed", auth_file);
+#endif
 	if (close (fd))
 	    err (1, "close %s", auth_file);
     }
diff --git a/crypto/heimdal/appl/test/tcp_client.c b/crypto/heimdal/appl/test/tcp_client.c
index 7affc43..f1a4cb2 100644
--- a/crypto/heimdal/appl/test/tcp_client.c
+++ b/crypto/heimdal/appl/test/tcp_client.c
@@ -32,7 +32,7 @@
  */
 
 #include "test_locl.h"
-RCSID("$Id: tcp_client.c,v 1.15 1999/12/16 10:30:17 assar Exp $");
+RCSID("$Id: tcp_client.c 17450 2006-05-05 11:11:43Z lha $");
 
 krb5_context context;
 
@@ -44,7 +44,7 @@ proto (int sock, const char *hostname, const char *service)
     krb5_principal server;
     krb5_data data;
     krb5_data packet;
-    u_int32_t len, net_len;
+    uint32_t len, net_len;
 
     status = krb5_auth_con_init (context, &auth_context);
     if (status)
diff --git a/crypto/heimdal/appl/test/tcp_server.c b/crypto/heimdal/appl/test/tcp_server.c
index 4469c58..97a9b11 100644
--- a/crypto/heimdal/appl/test/tcp_server.c
+++ b/crypto/heimdal/appl/test/tcp_server.c
@@ -32,7 +32,7 @@
  */
 
 #include "test_locl.h"
-RCSID("$Id: tcp_server.c,v 1.16 1999/12/16 10:31:08 assar Exp $");
+RCSID("$Id: tcp_server.c 17954 2006-09-01 09:01:03Z lha $");
 
 krb5_context context;
 
@@ -47,7 +47,7 @@ proto (int sock, const char *service)
     char hostname[MAXHOSTNAMELEN];
     krb5_data packet;
     krb5_data data;
-    u_int32_t len, net_len;
+    uint32_t len, net_len;
     ssize_t n;
 
     status = krb5_auth_con_init (context, &auth_context);
@@ -78,7 +78,7 @@ proto (int sock, const char *service)
 			    VERSION,
 			    server,
 			    0,
-			    NULL,
+			    keytab,
 			    &ticket);
     if (status)
 	krb5_err (context, 1, status, "krb5_recvauth");
diff --git a/crypto/heimdal/appl/test/test_locl.h b/crypto/heimdal/appl/test/test_locl.h
index 56f8745..b203787 100644
--- a/crypto/heimdal/appl/test/test_locl.h
+++ b/crypto/heimdal/appl/test/test_locl.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: test_locl.h,v 1.9 2000/08/27 04:29:54 assar Exp $ */
+/* $Id: test_locl.h 12797 2003-09-09 03:38:51Z lha $ */
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
@@ -79,6 +79,7 @@
 #define PORT "test"
 
 extern char *service;
+extern char *mech;
 extern krb5_keytab keytab;
 extern int fork_flag;
 int server_setup(krb5_context*, int, char**);
diff --git a/crypto/heimdal/appl/test/uu_client.c b/crypto/heimdal/appl/test/uu_client.c
index fae5bcb..6113b8b 100644
--- a/crypto/heimdal/appl/test/uu_client.c
+++ b/crypto/heimdal/appl/test/uu_client.c
@@ -32,7 +32,7 @@
  */
 
 #include "test_locl.h"
-RCSID("$Id: uu_client.c,v 1.7 2000/12/31 07:41:39 assar Exp $");
+RCSID("$Id: uu_client.c 14719 2005-04-03 19:53:32Z lha $");
 
 krb5_context context;
 
@@ -50,6 +50,7 @@ proto (int sock, const char *hostname, const char *service)
     krb5_data data;
     krb5_data packet;
     krb5_creds mcred, cred;
+    krb5_ticket *ticket;
 
     addrlen = sizeof(local);
     if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
@@ -88,6 +89,8 @@ proto (int sock, const char *hostname, const char *service)
     if (status)
 	krb5_err(context, 1, status, "krb5_auth_con_setaddr");
 
+    krb5_cc_clear_mcred(&mcred);
+
     status = krb5_cc_get_principal(context, ccache, &client);
     if(status)
 	krb5_err(context, 1, status, "krb5_cc_get_principal");
@@ -98,6 +101,7 @@ proto (int sock, const char *hostname, const char *service)
 				 NULL);
     if(status)
 	krb5_err(context, 1, status, "krb5_make_principal");
+    mcred.client = client;
     
     status = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred);
     if(status)
@@ -126,11 +130,25 @@ proto (int sock, const char *hostname, const char *service)
 	krb5_err(context, 1, status, "krb5_auth_con_setuserkey");
     
     status = krb5_recvauth(context, &auth_context, &sock, 
-			   VERSION, client, 0, NULL, NULL);
+			   VERSION, client, 0, NULL, &ticket);
 
     if (status)
 	krb5_err(context, 1, status, "krb5_recvauth");
     
+    if (ticket->ticket.authorization_data) {
+	AuthorizationData *authz;
+	int i;
+
+	printf("Authorization data:\n");
+
+	authz = ticket->ticket.authorization_data;
+	for (i = 0; i < authz->len; i++) {
+	    printf("\ttype %d, length %lu\n",
+		   authz->val[i].ad_type,
+		   (unsigned long)authz->val[i].ad_data.length);
+	}
+    }
+
     data.data   = "hej";
     data.length = 3;
 
diff --git a/crypto/heimdal/appl/test/uu_server.c b/crypto/heimdal/appl/test/uu_server.c
index 34a0927..6462363 100644
--- a/crypto/heimdal/appl/test/uu_server.c
+++ b/crypto/heimdal/appl/test/uu_server.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000, 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,7 +32,7 @@
  */
 
 #include "test_locl.h"
-RCSID("$Id: uu_server.c,v 1.7 2000/08/09 20:53:08 assar Exp $");
+RCSID("$Id: uu_server.c 20880 2007-06-04 16:55:00Z lha $");
 
 krb5_context context;
 
@@ -121,8 +121,15 @@ proto (int sock, const char *service)
     if (status)
 	krb5_err(context, 1, status, "krb5_sendauth");
     
-    fprintf (stderr, "User is `%.*s'\n", (int)client_name.length,
-	    (char *)client_name.data);
+    {
+	char *str;
+	krb5_unparse_name(context, in_creds.server, &str);
+	printf ("User is `%s'\n", str);
+	free(str);
+	krb5_unparse_name(context, in_creds.client, &str);
+	printf ("Server is `%s'\n", str);
+	free(str);
+    }
 
     krb5_data_zero (&data);
     krb5_data_zero (&packet);
@@ -140,7 +147,7 @@ proto (int sock, const char *service)
 	errx (1, "krb5_rd_safe: %s",
 	      krb5_get_err_text(context, status));
 
-    fprintf (stderr, "safe packet: %.*s\n", (int)data.length,
+    printf ("safe packet: %.*s\n", (int)data.length,
 	    (char *)data.data);
 
     status = krb5_read_message(context, &sock, &packet);
@@ -156,7 +163,7 @@ proto (int sock, const char *service)
 	errx (1, "krb5_rd_priv: %s",
 	      krb5_get_err_text(context, status));
 
-    fprintf (stderr, "priv packet: %.*s\n", (int)data.length,
+    printf ("priv packet: %.*s\n", (int)data.length,
 	    (char *)data.data);
 
     return 0;
diff --git a/crypto/heimdal/autogen.sh b/crypto/heimdal/autogen.sh
new file mode 100644
index 0000000..c3facbf
--- /dev/null
+++ b/crypto/heimdal/autogen.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+# to really generate all files you need to run "make distcheck" in a
+# object tree, but this will do if you have all parts of the required
+# tool-chain installed
+autoreconf -f -i || { echo "autoreconf failed: $?"; exit 1; }
diff --git a/crypto/heimdal/cf/ChangeLog b/crypto/heimdal/cf/ChangeLog
index 1018925..0bd84c6 100644
--- a/crypto/heimdal/cf/ChangeLog
+++ b/crypto/heimdal/cf/ChangeLog
@@ -1,7 +1,424 @@
-2003-08-15  Love  <lha@stacken.kth.se>
+2007-10-01  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* check-compile-et.m4: 1.7->1.8: check if compile_et support
-	``error_table N M'' also, don't be overly aggressivly reset CFLAGS
+	* crypto.m4: openssl might require -ldl too, so lets check that.
+
+2007-07-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am.common (check-local::): exit on failure to perform
+	test.
+
+2007-07-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am.common (check-local): also check that --help works.
+	
+2007-07-17  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* crypto.m4: depend on EVP_CIPHER_iv_length
+
+2007-06-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am.common: Need absolute reference to the top source
+	directory and top build directory.
+	
+2007-06-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* wflags.m4: Add --enable-developer and make it cause -Werror to
+	be included.
+	
+2007-06-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am.common: Merge from samba config.
+
+	* Makefile.am.common (makedir-in-tree): depend on INFO_DEPS.
+
+	* valgrind-suppressions: Unknown suppression in runtime link
+	editor
+
+2007-06-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am.common: Add heimdal-lorikeet target distdir-in-tree
+
+2007-06-04  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* framework-security.m4: test for -framework Security
+	
+2007-05-10  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* roken-frag.m4: we have a fnmatch.h only if there is a working
+	implementation and a header file. If we do use roken, lets use our
+	own headerfile that does symbol renaming.
+	
+2007-04-19  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* version-script.m4: check if ld supports --version-script
+	
+2007-04-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* roken-frag.m4: drop broken-getnameinfo.m4
+	
+	* roken-frag.m4: drop test for broken getnameinfo, that old aix is
+	no longer relevant.
+	
+2007-02-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* install-catman.sh: Stop overwriting cmd.
+	
+2007-01-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* install-catman.sh: Use test instead of [.
+
+	* install-catman.sh: Use = instead of ==, make solaris more happy.
+	
+2007-01-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* roken-frag.m4: More headerfiles for iruserok prototype check.
+
+	* check-symbols.sh: Add fc_softc for AIX as ignore syms.
+	
+2007-01-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* roken-frag.m4: Check if iruserok needs a prototype.
+	
+2006-12-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-compile-et.m4: set automake symbol COM_ERR when we build
+	local com_err
+	
+2006-11-16  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* valgrind-suppressions: We shouldn't be running /bin/ls under
+	valgrind, but for now, at least make it easier to see any other
+	warnings. From Andrew Bartlett.
+	
+2006-10-22  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am.common: Add target for valgrind debugging
+	
+	* valgrind-suppressions: valgrind suppressions
+	
+2006-10-21  Love Hörnquist Åstrand <lha@it.su.se>
+	
+	* check-lex.m4: Borrow test for autoconf cvs to help hpux hosts
+	
+2006-10-20  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am.common: provide uninstall hook for cat/manpages.
+
+	* install-catman.sh: provide uninstall command
+	
+2006-10-19  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* roken-frag.m4: Add check for timegm.
+
+	* roken-frag.m4: Include sys/types.h for sys/socket.h and netdb.h.
+	
+2006-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am.common (install-build-headers): make this function
+	convoluted and deal with dist_, nodist, nobase and all its
+	friends.
+
+	* have-struct-field.m4: memset the structure to make sure that we
+	don't get compiler warnings.
+
+	* crypto.m4: OpenSSL_add_all_algorithms is not a openssl specific
+	requirement, hcrypto need to have to too.
+
+	* crypto.m4: Require openssl have OpenSSL_add_all_algorithms
+	
+2006-10-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* autobuild.m4: Add autobuild, GPLed, but free to use in projects
+	not avaible under GPL or LGPL (just like autoconf).
+	
+2006-09-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* roken-frag.m4: Add samba_SOCKET_WRAPPER fragment
+	
+2006-09-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* socket-wrapper.m4: Add socket-wrapper test
+	
+2006-05-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* crypto.m4: Move up evp.h to please OpenSSL, from Douglas
+	E. Engert.
+
+2006-04-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* roken-frag.m4: Add check for fnmatch.h, its needed to be done
+	for the automake conditional below.
+	
+2006-04-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* crypto.m4: Require SHA256
+	
+2006-01-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* crypto.m4 Check for <openssl/engine.h> if we are to consider
+	using OpenSSL, also check for <hcrypto/...> headers since
+	make_crypto.c assumes that the name of the files.
+	
+2006-01-13 Love Hörnquist Åstrand <lha@it.su.se>
+
+	* crypto.m4: libdes is renamed to hcrypto
+
+	* crypto.m4: Remove support for old hash names.
+	
+2005-10-26  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* install-catman.sh: Add variable INSTALL_CATPAGES that controls
+	if cat pages are installed, defaults to true. From Johnny Lam
+	<jlam@pkgsrc.org>.
+	
+2005-09-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* roken-frag.m4: Check for <stdint.h> and uintptr_t
+	
+2005-09-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* roken-frag.m4: Resolver check moved to rk_RESOLV, from Andrew
+	Bartlet <abartlet@samba.org>
+
+	* resolv.m4: Resolver checks, broken out so samba can use it From
+	Andrew Bartlet <abartlet@samba.org>
+	
+2005-08-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* roken-frag.m4: Check for res_ndestroy.
+
+2005-08-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* crypto.m4: Add <sys/types.h>, OpenSSL 0.9.8 needs it for size_t.
+	From: Quanah Gibson-Mount <quanah@stanford.edu>
+
+2005-07-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-compile-et.m4: check that initialize_conf_error_table_r
+	have the right argument
+
+2005-07-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-symbols.sh: allow symbols to start with ., aix uses this
+
+2005-06-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* krb-bigendian.m4: use ansi c prototypes
+	
+	* krb-func-getcwd-broken.m4: use ansi c prototypes
+
+	* broken-snprintf.m4: use ansi c prototypes
+
+	* have-pragma-weak.m4: use ansi c declarations
+
+	* check-getpwnam_r-posix.m4: use ansi c declarations
+
+	* broken-realloc.m4: use ansi c declarations
+	
+	* check-compile-et.m4: use ansi c declarations
+	
+	* dlopen.m4: add headers and argument to dlopen
+	
+	* c-function.m4: use ansi c declarations
+	
+	* check-var.m4: use ansi c declarations
+
+	* pthreads.m4: disable threads on aix because of utmp/utmpx
+	problems
+
+	* broken-getaddrinfo.m4: check for brokenness in getaddrinfo on
+	AIX that can't handle "0" as port number.
+	
+2005-06-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* db.m4: Add an option to disable ndbm, from Stefan Metzmacher
+	<metze@samba.org>
+
+2005-06-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* pthreads.m4: rework how pthreads support to turned on/off,
+	always run though the switch to figure out what the
+	linker/compiler flag are
+
+2005-06-01  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* pthreads.m4: s/else if/elif/
+	
+	* check-symbols.sh: AIX have a diffrent nm, use -B to get bsd like
+	output
+	
+	* pthreads.m4: aix case: assume gcc handles -pthread, in the
+	non-gcc case, use the compiler as hint (xlc vs xlc_r) if this
+	environment handles threads or not
+
+2005-05-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-symbols.sh: ignore weak symbols too
+
+2005-05-19  David Love  <fx@gnu.org>
+
+	* check-getpwnam_r-posix.m4: define _POSIX_PTHREAD_SEMANTICS to
+	make solaris provide the right getpwname_r
+
+2005-05-17  Johan Danielsson  <joda@pdc.kth.se>
+
+	* roken-frag.m4: am_conditional have_cgetent
+	
+2005-05-10  David Love  <fx@gnu.org>
+
+	* roken-frag.m4: Get daemon declared on Solaris (it's in unistd.h
+	but masked by a feature test), just to avoid a warning, since it
+	has int args.
+
+2005-05-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-var.m4: AC_CHECK_DECL and AC_CHECK_DECLS have a subtile
+	diffrence, the later defines HAVE_ cpp symbols, the first doesn't.
+
+2005-05-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-symbols.sh: ignore N symbols too
+
+2005-04-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* broken-snprintf.m4: include checking if snprintf(NULL, 0, "")
+	works
+
+	* check-compile-et.m4: require compile_et to generate a
+	initialize_FOO_error_table_r (they are used in libkrb5), and
+	always check for initialize_error_table_r
+
+2005-04-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am.common: add LIB_com_err
+	
+2005-04-29  David Love  <fx@gnu.org>
+
+	* roken-frag.m4: Check for correct vis.h.
+	
+2005-04-28  David Love  <fx@gnu.org>
+
+	* pthreads.m4: Set PTHREADS_LIBS on Irix.
+
+2005-04-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* broken-realloc.m4: use rk_realloc if realloc is broken, this
+	makes "host-tools" not beeing able to use realloc
+
+	* pthreads.m4: Add support for Solaris, Irix, and modern
+	Linux. From David Love <fx@gnu.org>
+
+2005-04-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-symbols.sh: limit the units functions to
+	asn1_[A-Za-z0-9]*_units$
+
+2005-04-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-symbols.sh: this lib include com_err, add -com_err to
+	CHECK_SYMBOLS
+
+	* check-symbols.sh: print the type so I don't need to ask for it
+
+2005-04-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-symbols.sh: ignore filename symbols
+	
+2005-04-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-symbols.sh: assume symbols prefixed with _ is a sideeffekt
+	of the local linker and also just fine
+	
+2005-03-16 Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* roken-frag.m4: include <sys/socket.h> for <netinet6/in6_var.h>
+	
+2005-03-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* sunos.m4: Match solaris 10.  From: Joakim Fallsjo
+	<fallsjo@sanchin.se>
+
+2004-12-29  Love  <lha@stacken.kth.se>
+
+	* check-symbols.sh: add -asn1compile symbols
+
+2004-12-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-symbols.sh: add exported symbols test
+	
+	* Makefile.am.common: add CHECK_SYMBOLS tests, so that we don't
+	export to much stuff
+	
+2004-09-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* make-proto.pl: add cpluscplus extern "C" support
+	
+2004-07-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* pthreads.m4: add -pthread to LIBS since libtool doesn't preserve
+	it for us when adding is as a dependency on libs
+	
+2004-04-24  Johan Danielsson  <joda@pdc.kth.se>
+
+	* largefile.m4: like AC_SYS_LARGEFILE, but also add to CPPFLAGS
+	
+2004-04-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-compile-et.m4: even more evil stuff for cross-compiling
+	
+	* check-x.m4: use AC_RUN_IFELSE so we can handle cross compiling
+	
+	* check-compile-et.m4: use AC_RUN_IFELSE so we can handle cross
+	compiling
+
+2004-04-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* make-proto.pl: if -E, add windows standard calling conv to
+	headerfile if needed
+
+	* win32.m4: add rk_WIN32_EXPORT
+	
+2004-02-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* configure.in: rename AC_WFLAGS to rk_WFLAGS
+	
+	* *.m4: overquote to pacify automake1.8
+
+2004-02-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* roken-frag.m4: resolv.h is even more special
+	
+	* roken-frag.m4: AC_CHECK_HEADERS(net/if.h netinet6/in6_var.h
+	sys/sysctl.h sys/proc.h, resolv.h) are all special and need extra
+	help
+
+	* test-package.m4: If there is a --with-PACKAGE=path but no
+	--with-PACKAGE-config, go seach for path/PACKEGE-config and use it
+	if it exists.  Inspired by Harald Barth <haba@pdc.kth.se>
+
+2003-09-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* crypto.m4: check for DES_, AES_, and if openssl UI_
+	
+2003-08-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* vararray.m4: test for variable-length arrays
+
+	* roken-frag.m4: test for poll and poll.h
+
+2003-08-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am.common: don't try doing local checks if CHECK_LOCAL
+	is set to no-check-local
+
+2003-08-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-compile-et.m4: check if compile_et support ``error_table N
+	M'' also, don't be overly aggressivly reset CFLAGS
+	
+2003-07-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* pthreads.m4: pthread test
 	
 2003-05-08  Johan Danielsson  <joda@pdc.kth.se>
 
diff --git a/crypto/heimdal/cf/Makefile.am.common b/crypto/heimdal/cf/Makefile.am.common
index ddb86a4..bbc79a5 100644
--- a/crypto/heimdal/cf/Makefile.am.common
+++ b/crypto/heimdal/cf/Makefile.am.common
@@ -1,8 +1,8 @@
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
 SUFFIXES = .et .h
 
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
 
 if do_roken_rename
 ROKEN_RENAME = -DROKEN_RENAME
@@ -40,6 +40,8 @@ LIB_setsockopt		= @LIB_setsockopt@
 LIB_socket		= @LIB_socket@
 LIB_syslog		= @LIB_syslog@
 LIB_tgetent		= @LIB_tgetent@
+LIB_com_err		= @LIB_com_err@
+LIB_door_create		= @LIB_door_create@
 
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
@@ -69,8 +71,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -80,19 +82,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -108,10 +122,10 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
-SUFFIXES += .x
+SUFFIXES += .x .z
 
 .x.c:
 	@cmp -s $< $@ 2> /dev/null || cp $< $@
@@ -186,9 +200,13 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 
 .et.h:
@@ -202,8 +220,30 @@ if KRB5
 LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
 	$(top_builddir)/lib/asn1/libasn1.la
 LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 endif
 
 if DCE
 LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 endif
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
diff --git a/crypto/heimdal/cf/aix.m4 b/crypto/heimdal/cf/aix.m4
index 155cef2..32aeba6 100644
--- a/crypto/heimdal/cf/aix.m4
+++ b/crypto/heimdal/cf/aix.m4
@@ -1,5 +1,5 @@
 dnl
-dnl $Id: aix.m4,v 1.9.6.1 2004/04/01 07:27:32 joda Exp $
+dnl $Id: aix.m4 14147 2004-08-25 14:14:01Z joda $
 dnl
 
 AC_DEFUN([rk_AIX],[
@@ -19,7 +19,7 @@ AM_CONDITIONAL(AIX4, test "$aix" = 4)
 
 
 AC_ARG_ENABLE(dynamic-afs,
-	AC_HELP_STRING([--disable-dynamic-afs],
+	AS_HELP_STRING([--disable-dynamic-afs],
 		[do not use loaded AFS library with AIX]))
 
 if test "$aix" != no; then
diff --git a/crypto/heimdal/cf/auth-modules.m4 b/crypto/heimdal/cf/auth-modules.m4
index 5fb88f3..d2383c6 100644
--- a/crypto/heimdal/cf/auth-modules.m4
+++ b/crypto/heimdal/cf/auth-modules.m4
@@ -1,4 +1,4 @@
-dnl $Id: auth-modules.m4,v 1.5.6.1 2004/04/01 07:27:32 joda Exp $
+dnl $Id: auth-modules.m4 13338 2004-02-12 14:21:14Z lha $
 dnl
 dnl Figure what authentication modules should be built
 dnl
diff --git a/crypto/heimdal/cf/autobuild.m4 b/crypto/heimdal/cf/autobuild.m4
new file mode 100644
index 0000000..bd1f4dc
--- /dev/null
+++ b/crypto/heimdal/cf/autobuild.m4
@@ -0,0 +1,34 @@
+# autobuild.m4 serial 2 (autobuild-3.3)
+# Copyright (C) 2004 Simon Josefsson
+#
+# This file is free software, distributed under the terms of the GNU
+# General Public License.  As a special exception to the GNU General
+# Public License, this file may be distributed as part of a program
+# that contains a configuration script generated by Autoconf, under
+# the same distribution terms as the rest of that program.
+#
+# This file can can be used in projects which are not available under
+# the GNU General Public License or the GNU Library General Public
+# License but which still want to provide support for Autobuild.
+
+# Usage: AB_INIT([MODE]).
+AC_DEFUN([AB_INIT],
+[
+	AC_REQUIRE([AC_CANONICAL_BUILD])
+	AC_REQUIRE([AC_CANONICAL_HOST])
+
+	AC_MSG_NOTICE([autobuild project... ${PACKAGE_NAME:-$PACKAGE}])
+	AC_MSG_NOTICE([autobuild revision... ${PACKAGE_VERSION:-$VERSION}])
+	hostname=`hostname`
+	if test "$hostname"; then
+	   AC_MSG_NOTICE([autobuild hostname... $hostname])
+	fi
+	ifelse([$1],[],,[AC_MSG_NOTICE([autobuild mode... $1])])
+	date=`date +%Y%m%d-%H%M%S`
+	if test "$?" != 0; then
+	   date=`date`
+	fi
+	if test "$date"; then
+	   AC_MSG_NOTICE([autobuild timestamp... $date])
+	fi
+])
diff --git a/crypto/heimdal/cf/broken-getaddrinfo.m4 b/crypto/heimdal/cf/broken-getaddrinfo.m4
index a97e438..b8d323c 100644
--- a/crypto/heimdal/cf/broken-getaddrinfo.m4
+++ b/crypto/heimdal/cf/broken-getaddrinfo.m4
@@ -1,10 +1,10 @@
-dnl $Id: broken-getaddrinfo.m4,v 1.3.6.1 2004/04/01 07:27:32 joda Exp $
+dnl $Id: broken-getaddrinfo.m4 15401 2005-06-16 16:10:50Z lha $
 dnl
 dnl test if getaddrinfo can handle numeric services
 
 AC_DEFUN([rk_BROKEN_GETADDRINFO],[
 AC_CACHE_CHECK([if getaddrinfo handles numeric services], ac_cv_func_getaddrinfo_numserv,
-AC_TRY_RUN([[#include <stdio.h>
+AC_RUN_IFELSE([AC_LANG_SOURCE([[#include <stdio.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netdb.h>
@@ -19,6 +19,8 @@ main(int argc, char **argv)
 	hints.ai_family = PF_UNSPEC;
 	if(getaddrinfo(NULL, "17", &hints, &ai) != 0)
 		return 1;
+	if(getaddrinfo(NULL, "0", &hints, &ai) != 0)
+		return 1;
 	return 0;
 }
-]], ac_cv_func_getaddrinfo_numserv=yes, ac_cv_func_getaddrinfo_numserv=no))])
+]])],[ac_cv_func_getaddrinfo_numserv=yes],[ac_cv_func_getaddrinfo_numserv=no]))])
diff --git a/crypto/heimdal/cf/broken-glob.m4 b/crypto/heimdal/cf/broken-glob.m4
index 4f4211a..a27e7ea 100644
--- a/crypto/heimdal/cf/broken-glob.m4
+++ b/crypto/heimdal/cf/broken-glob.m4
@@ -1,13 +1,13 @@
-dnl $Id: broken-glob.m4,v 1.4.12.1 2004/04/01 07:27:32 joda Exp $
+dnl $Id: broken-glob.m4 14166 2004-08-26 12:35:42Z joda $
 dnl
 dnl check for glob(3)
 dnl
 AC_DEFUN([AC_BROKEN_GLOB],[
 AC_CACHE_CHECK(for working glob, ac_cv_func_glob_working,
 ac_cv_func_glob_working=yes
-AC_TRY_LINK([
+AC_LINK_IFELSE([AC_LANG_PROGRAM([[
 #include <stdio.h>
-#include <glob.h>],[
+#include <glob.h>]],[[
 glob(NULL, GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE|
 #ifdef GLOB_MAXPATH
 GLOB_MAXPATH
@@ -16,7 +16,7 @@ GLOB_LIMIT
 #endif
 ,
 NULL, NULL);
-],:,ac_cv_func_glob_working=no,:))
+]])],[:],[ac_cv_func_glob_working=no]))
 
 if test "$ac_cv_func_glob_working" = yes; then
 	AC_DEFINE(HAVE_GLOB, 1, [define if you have a glob() that groks 
diff --git a/crypto/heimdal/cf/broken-realloc.m4 b/crypto/heimdal/cf/broken-realloc.m4
index e34d23d..0b7c476 100644
--- a/crypto/heimdal/cf/broken-realloc.m4
+++ b/crypto/heimdal/cf/broken-realloc.m4
@@ -1,26 +1,25 @@
 dnl
-dnl $Id: broken-realloc.m4,v 1.1.12.1 2004/04/01 07:27:32 joda Exp $
+dnl $Id: broken-realloc.m4 15435 2005-06-16 19:45:52Z lha $
 dnl
 dnl Test for realloc that doesn't handle NULL as first parameter
 dnl
 AC_DEFUN([rk_BROKEN_REALLOC], [
 AC_CACHE_CHECK(if realloc if broken, ac_cv_func_realloc_broken, [
 ac_cv_func_realloc_broken=no
-AC_TRY_RUN([
+AC_RUN_IFELSE([AC_LANG_SOURCE([[
 #include <stddef.h>
 #include <stdlib.h>
 
-int main()
+int main(int argc, char **argv)
 {
 	return realloc(NULL, 17) == NULL;
 }
-],:, ac_cv_func_realloc_broken=yes, :)
+]])],[:], [ac_cv_func_realloc_broken=yes],[:])
 ])
 if test "$ac_cv_func_realloc_broken" = yes ; then
 	AC_DEFINE(BROKEN_REALLOC, 1, [Define if realloc(NULL) doesn't work.])
 fi
 AH_BOTTOM([#ifdef BROKEN_REALLOC
-#define realloc(X, Y) isoc_realloc((X), (Y))
-#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y))
+#define realloc(X, Y) rk_realloc((X), (Y))
 #endif])
 ])
diff --git a/crypto/heimdal/cf/broken-snprintf.m4 b/crypto/heimdal/cf/broken-snprintf.m4
index 8436733..8e22874 100644
--- a/crypto/heimdal/cf/broken-snprintf.m4
+++ b/crypto/heimdal/cf/broken-snprintf.m4
@@ -1,17 +1,17 @@
-dnl $Id: broken-snprintf.m4,v 1.4.10.1 2004/04/01 07:27:32 joda Exp $
+dnl $Id: broken-snprintf.m4 15455 2005-06-16 21:03:43Z lha $
 dnl
 AC_DEFUN([AC_BROKEN_SNPRINTF], [
 AC_CACHE_CHECK(for working snprintf,ac_cv_func_snprintf_working,
 ac_cv_func_snprintf_working=yes
-AC_TRY_RUN([
+AC_RUN_IFELSE([AC_LANG_SOURCE([[
 #include <stdio.h>
 #include <string.h>
-int main()
+int main(int argc, char **argv)
 {
 	char foo[[3]];
 	snprintf(foo, 2, "12");
-	return strcmp(foo, "1");
-}],:,ac_cv_func_snprintf_working=no,:))
+	return strcmp(foo, "1") || snprintf(NULL, 0, "%d", 12) != 2;
+}]])],[:],[ac_cv_func_snprintf_working=no],[:]))
 
 if test "$ac_cv_func_snprintf_working" = yes; then
 	AC_DEFINE_UNQUOTED(HAVE_SNPRINTF, 1, [define if you have a working snprintf])
@@ -24,7 +24,7 @@ fi
 AC_DEFUN([AC_BROKEN_VSNPRINTF],[
 AC_CACHE_CHECK(for working vsnprintf,ac_cv_func_vsnprintf_working,
 ac_cv_func_vsnprintf_working=yes
-AC_TRY_RUN([
+AC_RUN_IFELSE([AC_LANG_SOURCE([[
 #include <stdio.h>
 #include <string.h>
 #include <stdarg.h>
@@ -39,11 +39,20 @@ int foo(int num, ...)
 	return strcmp(bar, "1");
 }
 
+int bar(int num, int len, ...)
+{
+	int r;
+	va_list arg;
+	va_start(arg, len);
+	r = vsnprintf(NULL, 0, "%s", arg);
+	va_end(arg);
+	return r != len;
+}
 
-int main()
+int main(int argc, char **argv)
 {
-	return foo(0, "12");
-}],:,ac_cv_func_vsnprintf_working=no,:))
+	return foo(0, "12") || bar(0, 2, "12");
+}]])],[:],[ac_cv_func_vsnprintf_working=no],[:]))
 
 if test "$ac_cv_func_vsnprintf_working" = yes; then
 	AC_DEFINE_UNQUOTED(HAVE_VSNPRINTF, 1, [define if you have a working vsnprintf])
diff --git a/crypto/heimdal/cf/broken.m4 b/crypto/heimdal/cf/broken.m4
index 92b84dd..6306ba7 100644
--- a/crypto/heimdal/cf/broken.m4
+++ b/crypto/heimdal/cf/broken.m4
@@ -1,4 +1,4 @@
-dnl $Id: broken.m4,v 1.6 2002/05/19 19:36:52 joda Exp $
+dnl $Id: broken.m4 11003 2002-05-19 19:37:08Z joda $
 dnl
 dnl
 dnl Same as AC _REPLACE_FUNCS, just define HAVE_func if found in normal
diff --git a/crypto/heimdal/cf/broken2.m4 b/crypto/heimdal/cf/broken2.m4
index 56ed7a1..20d5163 100644
--- a/crypto/heimdal/cf/broken2.m4
+++ b/crypto/heimdal/cf/broken2.m4
@@ -1,4 +1,4 @@
-dnl $Id: broken2.m4,v 1.4 2002/05/19 22:16:46 joda Exp $
+dnl $Id: broken2.m4 14181 2004-08-31 12:53:36Z joda $
 dnl
 dnl AC_BROKEN but with more arguments
 
@@ -6,17 +6,16 @@ dnl AC_BROKEN2(func, includes, arguments)
 AC_DEFUN([AC_BROKEN2],
 [AC_MSG_CHECKING([for $1])
 AC_CACHE_VAL(ac_cv_func_[]$1,
-[AC_TRY_LINK([$2],
-[
+[AC_LINK_IFELSE([AC_LANG_PROGRAM([[$2]],[[
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
 #if defined (__stub_$1) || defined (__stub___$1)
 choke me
 #else
-$1($3)
+$1($3);
 #endif
-], [eval "ac_cv_func_[]$1=yes"], [eval "ac_cv_func_[]$1=no"])])
+]])], [eval "ac_cv_func_[]$1=yes"], [eval "ac_cv_func_[]$1=no"])])
 if eval "test \"\${ac_cv_func_[]$1}\" = yes"; then
   AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_[]$1), 1, define)
   AC_MSG_RESULT(yes)
diff --git a/crypto/heimdal/cf/c-attribute.m4 b/crypto/heimdal/cf/c-attribute.m4
index 6641b74..1025538 100644
--- a/crypto/heimdal/cf/c-attribute.m4
+++ b/crypto/heimdal/cf/c-attribute.m4
@@ -1,5 +1,5 @@
 dnl
-dnl $Id: c-attribute.m4,v 1.2.34.1 2004/04/01 07:27:32 joda Exp $
+dnl $Id: c-attribute.m4 14166 2004-08-26 12:35:42Z joda $
 dnl
 
 dnl
@@ -9,10 +9,7 @@ dnl
 AC_DEFUN([AC_C___ATTRIBUTE__], [
 AC_MSG_CHECKING(for __attribute__)
 AC_CACHE_VAL(ac_cv___attribute__, [
-AC_TRY_COMPILE([
-#include <stdlib.h>
-],
-[
+AC_COMPILE_IFELSE([AC_LANG_SOURCE([[#include <stdlib.h>
 static void foo(void) __attribute__ ((noreturn));
 
 static void
@@ -20,9 +17,9 @@ foo(void)
 {
   exit(1);
 }
-],
-ac_cv___attribute__=yes,
-ac_cv___attribute__=no)])
+]])],
+[ac_cv___attribute__=yes],
+[ac_cv___attribute__=no])])
 if test "$ac_cv___attribute__" = "yes"; then
   AC_DEFINE(HAVE___ATTRIBUTE__, 1, [define if your compiler has __attribute__])
 fi
diff --git a/crypto/heimdal/cf/c-function.m4 b/crypto/heimdal/cf/c-function.m4
index 056b890..cb39705 100644
--- a/crypto/heimdal/cf/c-function.m4
+++ b/crypto/heimdal/cf/c-function.m4
@@ -1,5 +1,5 @@
 dnl
-dnl $Id: c-function.m4,v 1.2.34.1 2004/04/01 07:27:32 joda Exp $
+dnl $Id: c-function.m4 15422 2005-06-16 18:59:29Z lha $
 dnl
 
 dnl
@@ -9,22 +9,22 @@ dnl
 AC_DEFUN([AC_C___FUNCTION__], [
 AC_MSG_CHECKING(for __FUNCTION__)
 AC_CACHE_VAL(ac_cv___function__, [
-AC_TRY_RUN([
+AC_RUN_IFELSE([AC_LANG_SOURCE([[
 #include <string.h>
 
-static char *foo()
+static char *foo(void)
 {
   return __FUNCTION__;
 }
 
-int main()
+int main(int argc, char **argc)
 {
   return strcmp(foo(), "foo") != 0;
 }
-],
-ac_cv___function__=yes,
-ac_cv___function__=no,
-ac_cv___function__=no)])
+]])],
+[ac_cv___function__=yes],
+[ac_cv___function__=no],
+[ac_cv___function__=no])])
 if test "$ac_cv___function__" = "yes"; then
   AC_DEFINE(HAVE___FUNCTION__, 1, [define if your compiler has __FUNCTION__])
 fi
diff --git a/crypto/heimdal/cf/capabilities.m4 b/crypto/heimdal/cf/capabilities.m4
index 9b258d5..12cbef8 100644
--- a/crypto/heimdal/cf/capabilities.m4
+++ b/crypto/heimdal/cf/capabilities.m4
@@ -1,5 +1,5 @@
 dnl
-dnl $Id: capabilities.m4,v 1.2.20.1 2004/04/01 07:27:32 joda Exp $
+dnl $Id: capabilities.m4 13338 2004-02-12 14:21:14Z lha $
 dnl
 
 dnl
diff --git a/crypto/heimdal/cf/check-compile-et.m4 b/crypto/heimdal/cf/check-compile-et.m4
index b71833c..583abdf 100644
--- a/crypto/heimdal/cf/check-compile-et.m4
+++ b/crypto/heimdal/cf/check-compile-et.m4
@@ -1,4 +1,4 @@
-dnl $Id: check-compile-et.m4,v 1.7.2.1 2003/08/15 14:40:42 lha Exp $
+dnl $Id: check-compile-et.m4 19252 2006-12-06 13:32:55Z lha $
 dnl
 dnl CHECK_COMPILE_ET
 AC_DEFUN([CHECK_COMPILE_ET], [
@@ -7,6 +7,7 @@ AC_CHECK_PROG(COMPILE_ET, compile_et, [compile_et])
 
 krb_cv_compile_et="no"
 krb_cv_com_err_need_r=""
+krb_cv_compile_et_cross=no
 if test "${COMPILE_ET}" = "compile_et"; then
 
 dnl We have compile_et.  Now let's see if it supports `prefix' and `index'.
@@ -27,24 +28,27 @@ if ${COMPILE_ET} conftest_et.et >/dev/null 2>&1; then
     CPPFLAGS="-I/usr/include/et ${CPPFLAGS}"
   fi
   dnl Check that the `prefix' and `index' directives were honored.
-  AC_TRY_RUN([
+  AC_RUN_IFELSE([
 #include <com_err.h>
 #include <string.h>
 #include "conftest_et.h"
-int main(){
+int main(int argc, char **argv){
 #ifndef ERROR_TABLE_BASE_conf
 #error compile_et does not handle error_table N M
 #endif
 return (CONFTEST_CODE2 - CONFTEST_CODE1) != 127;}
-  ], [krb_cv_compile_et="yes"],[CPPFLAGS="${save_CPPFLAGS}"])
+  ], [krb_cv_compile_et="yes"],[CPPFLAGS="${save_CPPFLAGS}"],
+  [krb_cv_compile_et="yes" krb_cv_compile_et_cross=yes] )
 fi
 AC_MSG_RESULT(${krb_cv_compile_et})
-if test "${krb_cv_compile_et}" = "yes"; then
-  AC_MSG_CHECKING(for if com_err needs to have a initialize_error_table_r)
-  AC_EGREP_CPP(initialize_error_table_r,[#include "conftest_et.c"],
-     [krb_cv_com_err_need_r="initialize_error_table_r(0,0,0,0);"])
+if test "${krb_cv_compile_et}" = "yes" -a "${krb_cv_compile_et_cross}" = no; then
+  AC_MSG_CHECKING([for if com_err generates a initialize_conf_error_table_r])
+  AC_EGREP_CPP([initialize_conf_error_table_r.*struct et_list],
+     [#include "conftest_et.h"],
+     [krb_cv_com_err_need_r="ok"])
   if test X"$krb_cv_com_err_need_r" = X ; then
     AC_MSG_RESULT(no)
+    krb_cv_compile_et=no
   else
     AC_MSG_RESULT(yes)
   fi
@@ -52,16 +56,18 @@ fi
 rm -fr conftest*
 fi
 
-if test "${krb_cv_compile_et}" = "yes"; then
+if test "${krb_cv_compile_et_cross}" = yes ; then
+  krb_cv_com_err="cross"
+elif test "${krb_cv_compile_et}" = "yes"; then
   dnl Since compile_et seems to work, let's check libcom_err
   krb_cv_save_LIBS="${LIBS}"
   LIBS="${LIBS} -lcom_err"
   AC_MSG_CHECKING(for com_err)
-  AC_TRY_LINK([#include <com_err.h>],[
+  AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <com_err.h>]],[[
     const char *p;
     p = error_message(0);
-    $krb_cv_com_err_need_r
-  ],[krb_cv_com_err="yes"],[krb_cv_com_err="no"; CPPFLAGS="${save_CPPFLAGS}"])
+    initialize_error_table_r(0,0,0,0);
+  ]])],[krb_cv_com_err="yes"],[krb_cv_com_err="no"; CPPFLAGS="${save_CPPFLAGS}"])
   AC_MSG_RESULT(${krb_cv_com_err})
   LIBS="${krb_cv_save_LIBS}"
 else
@@ -77,6 +83,14 @@ if test "${krb_cv_com_err}" = "yes"; then
     LIB_com_err_a=""
     LIB_com_err_so=""
     AC_MSG_NOTICE(Using the already-installed com_err)
+    localcomerr=no
+elif test "${krb_cv_com_err}" = "cross"; then
+    DIR_com_err="com_err"
+    LIB_com_err="\$(top_builddir)/lib/com_err/libcom_err.la"
+    LIB_com_err_a="\$(top_builddir)/lib/com_err/.libs/libcom_err.a"
+    LIB_com_err_so="\$(top_builddir)/lib/com_err/.libs/libcom_err.so"
+    AC_MSG_NOTICE(Using our own com_err with toolchain compile_et)
+    localcomerr=yes
 else
     COMPILE_ET="\$(top_builddir)/lib/com_err/compile_et"
     DIR_com_err="com_err"
@@ -84,7 +98,9 @@ else
     LIB_com_err_a="\$(top_builddir)/lib/com_err/.libs/libcom_err.a"
     LIB_com_err_so="\$(top_builddir)/lib/com_err/.libs/libcom_err.so"
     AC_MSG_NOTICE(Using our own com_err)
+    localcomerr=yes
 fi
+AM_CONDITIONAL(COM_ERR, test "$localcomerr" = yes)dnl
 AC_SUBST(DIR_com_err)
 AC_SUBST(LIB_com_err)
 AC_SUBST(LIB_com_err_a)
diff --git a/crypto/heimdal/cf/check-getpwnam_r-posix.m4 b/crypto/heimdal/cf/check-getpwnam_r-posix.m4
index d3b1e0f..bb7e388 100644
--- a/crypto/heimdal/cf/check-getpwnam_r-posix.m4
+++ b/crypto/heimdal/cf/check-getpwnam_r-posix.m4
@@ -1,4 +1,4 @@
-dnl $Id: check-getpwnam_r-posix.m4,v 1.2.34.1 2004/04/01 07:27:32 joda Exp $
+dnl $Id: check-getpwnam_r-posix.m4 15435 2005-06-16 19:45:52Z lha $
 dnl
 dnl check for getpwnam_r, and if it's posix or not
 
@@ -8,14 +8,15 @@ if test "$ac_cv_func_getpwnam_r" = yes; then
 	AC_CACHE_CHECK(if getpwnam_r is posix,ac_cv_func_getpwnam_r_posix,
 	ac_libs="$LIBS"
 	LIBS="$LIBS $LIB_getpwnam_r"
-	AC_TRY_RUN([
+	AC_RUN_IFELSE([AC_LANG_SOURCE([[
+#define _POSIX_PTHREAD_SEMANTICS
 #include <pwd.h>
-int main()
+int main(int argc, char **argv)
 {
 	struct passwd pw, *pwd;
 	return getpwnam_r("", &pw, NULL, 0, &pwd) < 0;
 }
-],ac_cv_func_getpwnam_r_posix=yes,ac_cv_func_getpwnam_r_posix=no,:)
+]])],[ac_cv_func_getpwnam_r_posix=yes],[ac_cv_func_getpwnam_r_posix=no],[:])
 LIBS="$ac_libs")
 if test "$ac_cv_func_getpwnam_r_posix" = yes; then
 	AC_DEFINE(POSIX_GETPWNAM_R, 1, [Define if getpwnam_r has POSIX flavour.])
diff --git a/crypto/heimdal/cf/check-man.m4 b/crypto/heimdal/cf/check-man.m4
index dd04666..7538cc8 100644
--- a/crypto/heimdal/cf/check-man.m4
+++ b/crypto/heimdal/cf/check-man.m4
@@ -1,4 +1,4 @@
-dnl $Id: check-man.m4,v 1.3.12.1 2004/04/01 07:27:32 joda Exp $
+dnl $Id: check-man.m4 13338 2004-02-12 14:21:14Z lha $
 dnl check how to format manual pages
 dnl
 
diff --git a/crypto/heimdal/cf/check-netinet-ip-and-tcp.m4 b/crypto/heimdal/cf/check-netinet-ip-and-tcp.m4
index f169a4f..64bb8f1 100644
--- a/crypto/heimdal/cf/check-netinet-ip-and-tcp.m4
+++ b/crypto/heimdal/cf/check-netinet-ip-and-tcp.m4
@@ -1,5 +1,5 @@
 dnl
-dnl $Id: check-netinet-ip-and-tcp.m4,v 1.3.12.1 2004/04/01 07:27:33 joda Exp $
+dnl $Id: check-netinet-ip-and-tcp.m4 14162 2004-08-26 11:27:32Z joda $
 dnl
 
 dnl extra magic check for netinet/{ip.h,tcp.h} because on irix 6.5.3
@@ -13,14 +13,14 @@ for i in netinet/ip.h netinet/tcp.h; do
 cv=`echo "$i" | sed 'y%./+-%__p_%'`
 
 AC_CACHE_CHECK([for $i],ac_cv_header_$cv,
-[AC_TRY_CPP([\
+[AC_PREPROC_IFELSE([AC_LANG_SOURCE([[
 #ifdef HAVE_STANDARDS_H
 #include <standards.h>
 #endif
 #include <$i>
-],
-eval "ac_cv_header_$cv=yes",
-eval "ac_cv_header_$cv=no")])
+]])],
+[eval "ac_cv_header_$cv=yes"],
+[eval "ac_cv_header_$cv=no"])])
 ac_res=`eval echo \\$ac_cv_header_$cv`
 if test "$ac_res" = yes; then
 	ac_tr_hdr=HAVE_`echo $i | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
diff --git a/crypto/heimdal/cf/check-type-extra.m4 b/crypto/heimdal/cf/check-type-extra.m4
index 08471a7..2778a9d 100644
--- a/crypto/heimdal/cf/check-type-extra.m4
+++ b/crypto/heimdal/cf/check-type-extra.m4
@@ -1,4 +1,4 @@
-dnl $Id: check-type-extra.m4,v 1.2.34.1 2004/04/01 07:27:33 joda Exp $
+dnl $Id: check-type-extra.m4 13338 2004-02-12 14:21:14Z lha $
 dnl
 dnl ac_check_type + extra headers
 
diff --git a/crypto/heimdal/cf/check-var.m4 b/crypto/heimdal/cf/check-var.m4
index 1960f72..1e68465 100644
--- a/crypto/heimdal/cf/check-var.m4
+++ b/crypto/heimdal/cf/check-var.m4
@@ -1,19 +1,17 @@
-dnl $Id: check-var.m4,v 1.7 2003/02/17 00:44:57 lha Exp $
+dnl $Id: check-var.m4 15422 2005-06-16 18:59:29Z lha $
 dnl
 dnl rk_CHECK_VAR(variable, includes)
 AC_DEFUN([rk_CHECK_VAR], [
 AC_MSG_CHECKING(for $1)
 AC_CACHE_VAL(ac_cv_var_$1, [
 m4_ifval([$2],[
-	AC_TRY_LINK([$2
-	void * foo() { return &$1; }],
-	    [foo()],
-	    ac_cv_var_$1=yes, ac_cv_var_$1=no)])
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([[$2
+	void * foo(void) { return &$1; }]],[[foo()]])],
+	    [ac_cv_var_$1=yes],[ac_cv_var_$1=no])])
 if test "$ac_cv_var_$1" != yes ; then
-AC_TRY_LINK([extern int $1;
-int foo() { return $1; }],
-	    [foo()],
-	    ac_cv_var_$1=yes, ac_cv_var_$1=no)
+AC_LINK_IFELSE([AC_LANG_PROGRAM([[extern int $1;
+int foo(void) { return $1; }]],[[foo()]])],
+	    [ac_cv_var_$1=yes],[ac_cv_var_$1=no])
 fi
 ])
 ac_foo=`eval echo \\$ac_cv_var_$1`
@@ -21,7 +19,7 @@ AC_MSG_RESULT($ac_foo)
 if test "$ac_foo" = yes; then
 	AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_[]$1), 1, 
 		[Define if you have the `]$1[' variable.])
-	m4_ifval([$2], AC_CHECK_DECLARATION([$2],[$1]))
+	m4_ifval([$2], AC_CHECK_DECLS([$1],[],[],[$2]))
 fi
 ])
 
diff --git a/crypto/heimdal/cf/check-x.m4 b/crypto/heimdal/cf/check-x.m4
index 53a3d8c..07f7e2d 100644
--- a/crypto/heimdal/cf/check-x.m4
+++ b/crypto/heimdal/cf/check-x.m4
@@ -1,7 +1,7 @@
 dnl 
 dnl See if there is any X11 present
 dnl
-dnl $Id: check-x.m4,v 1.2.20.1 2004/04/01 07:27:33 joda Exp $
+dnl $Id: check-x.m4 15435 2005-06-16 19:45:52Z lha $
 
 AC_DEFUN([KRB_CHECK_X],[
 AC_PATH_XTRA
@@ -32,17 +32,18 @@ if test "$no_x" != yes; then
 			done
 		fi
 		LIBS="$ac_save_libs $foo $X_PRE_LIBS -lX11 $X_EXTRA_LIBS"
-		AC_TRY_RUN([
+		AC_RUN_IFELSE([
 		#include <X11/Xlib.h>
-		foo()
+		foo(void)
 		{
 		XOpenDisplay(NULL);
 		}
-		main()
+		main(int argc, char **argv)
 		{
 		return 0;
 		}
-		], krb_cv_sys_x_libs_rpath="$rflag"; krb_cv_sys_x_libs="$foo"; break,:)
+		],krb_cv_sys_x_libs_rpath="$rflag"; krb_cv_sys_x_libs="$foo"; break,:,
+		krb_cv_sys_x_libs_rpath="" ; krb_cv_sys_x_libs="" ; break)
 	done
 	LIBS="$ac_save_libs"
 	CFLAGS="$ac_save_cflags"
diff --git a/crypto/heimdal/cf/check-xau.m4 b/crypto/heimdal/cf/check-xau.m4
index 94f9586..4d416fd 100644
--- a/crypto/heimdal/cf/check-xau.m4
+++ b/crypto/heimdal/cf/check-xau.m4
@@ -1,4 +1,4 @@
-dnl $Id: check-xau.m4,v 1.3.34.1 2004/04/01 07:27:33 joda Exp $
+dnl $Id: check-xau.m4 15454 2005-06-16 21:02:16Z lha $
 dnl
 dnl check for Xau{Read,Write}Auth and XauFileName
 dnl
@@ -16,12 +16,12 @@ LDFLAGS="$LDFLAGS $X_LIBS"
 ## could be done by checking for XauReadAuth in -lXau first, but this
 ## breaks in IRIX 6.5
 
-AC_FIND_FUNC_NO_LIBS(XauWriteAuth, X11 Xau)
+AC_FIND_FUNC_NO_LIBS(XauWriteAuth, X11 Xau,[#include <X11/Xauth.h>],[0,0])
 ac_xxx="$LIBS"
 LIBS="$LIB_XauWriteAuth $LIBS"
-AC_FIND_FUNC_NO_LIBS(XauReadAuth, X11 Xau)
+AC_FIND_FUNC_NO_LIBS(XauReadAuth, X11 Xau,[#include <X11/Xauth.h>],[0])
 LIBS="$LIB_XauReadAauth $LIBS"
-AC_FIND_FUNC_NO_LIBS(XauFileName, X11 Xau)
+AC_FIND_FUNC_NO_LIBS(XauFileName, X11 Xau,[#include <X11/Xauth.h>])
 LIBS="$ac_xxx"
 
 ## set LIB_XauReadAuth to union of these tests, since this is what the
diff --git a/crypto/heimdal/cf/crypto.m4 b/crypto/heimdal/cf/crypto.m4
index c79ba4c..69b2fc9 100644
--- a/crypto/heimdal/cf/crypto.m4
+++ b/crypto/heimdal/cf/crypto.m4
@@ -1,40 +1,38 @@
-dnl $Id: crypto.m4,v 1.16.2.1 2003/05/05 20:08:32 joda Exp $
+dnl $Id: crypto.m4 22080 2007-11-16 11:10:54Z lha $
 dnl
 dnl test for crypto libraries:
 dnl - libcrypto (from openssl)
-dnl - libdes (from krb4)
-dnl - own-built libdes
+dnl - own-built libhcrypto
 
 m4_define([test_headers], [
 		#undef KRB5 /* makes md4.h et al unhappy */
 		#ifdef HAVE_OPENSSL
+		#ifdef HAVE_SYS_TYPES_H
+		#include <sys/types.h>
+		#endif
+		#include <openssl/evp.h>
 		#include <openssl/md4.h>
 		#include <openssl/md5.h>
 		#include <openssl/sha.h>
-		#define OPENSSL_DES_LIBDES_COMPATIBILITY
 		#include <openssl/des.h>
 		#include <openssl/rc4.h>
+		#include <openssl/aes.h>
+		#include <openssl/engine.h>
+		#include <openssl/ui.h>
 		#include <openssl/rand.h>
+		#include <openssl/hmac.h>
+		#include <openssl/pkcs12.h>
 		#else
-		#include <md4.h>
-		#include <md5.h>
-		#include <sha.h>
-		#include <des.h>
-		#include <rc4.h>
-		#endif
-		#ifdef OLD_HASH_NAMES
-		typedef struct md4 MD4_CTX;
-		#define MD4_Init(C) md4_init((C))
-		#define MD4_Update(C, D, L) md4_update((C), (D), (L))
-		#define MD4_Final(D, C) md4_finito((C), (D))
-		typedef struct md5 MD5_CTX;
-		#define MD5_Init(C) md5_init((C))
-		#define MD5_Update(C, D, L) md5_update((C), (D), (L))
-		#define MD5_Final(D, C) md5_finito((C), (D))
-		typedef struct sha SHA_CTX;
-		#define SHA1_Init(C) sha_init((C))
-		#define SHA1_Update(C, D, L) sha_update((C), (D), (L))
-		#define SHA1_Final(D, C) sha_finito((C), (D))
+		#include <hcrypto/evp.h>
+		#include <hcrypto/md4.h>
+		#include <hcrypto/md5.h>
+		#include <hcrypto/sha.h>
+		#include <hcrypto/des.h>
+		#include <hcrypto/rc4.h>
+		#include <hcrypto/aes.h>
+		#include <hcrypto/engine.h>
+		#include <hcrypto/hmac.h>
+		#include <hcrypto/pkcs12.h>
 		#endif
 		])
 m4_define([test_body], [
@@ -42,15 +40,21 @@ m4_define([test_body], [
 		MD4_CTX md4;
 		MD5_CTX md5;
 		SHA_CTX sha1;
+		SHA256_CTX sha256;
 
 		MD4_Init(&md4);
 		MD5_Init(&md5);
 		SHA1_Init(&sha1);
+		SHA256_Init(&sha256);
+		EVP_CIPHER_iv_length(((EVP_CIPHER*)0));
 		#ifdef HAVE_OPENSSL
 		RAND_status();
+		UI_UTIL_read_pw_string(0,0,0,0);
 		#endif
 
-		des_cbc_encrypt(0, 0, 0, schedule, 0, 0);
+		OpenSSL_add_all_algorithms();
+		AES_encrypt(0,0,0);
+		DES_cbc_encrypt(0, 0, 0, schedule, 0, 0);
 		RC4(0, 0, 0, 0);])
 
 
@@ -58,12 +62,11 @@ AC_DEFUN([KRB_CRYPTO],[
 crypto_lib=unknown
 AC_WITH_ALL([openssl])
 
-DIR_des=
+DIR_hcrypto=
 
 AC_MSG_CHECKING([for crypto library])
 
 openssl=no
-old_hash=no
 
 if test "$crypto_lib" = "unknown" -a "$with_krb4" != "no"; then
 	save_CPPFLAGS="$CPPFLAGS"
@@ -83,24 +86,17 @@ if test "$crypto_lib" = "unknown" -a "$with_krb4" != "no"; then
 		for j in $cdirs; do
 			for k in $clibs; do
 				LIBS="$j $k $save_LIBS"
-				AC_TRY_LINK(test_headers, test_body,
-					openssl=yes ires="$i" lres="$j $k"; break 3)
+				AC_LINK_IFELSE([AC_LANG_PROGRAM([test_headers],
+						[test_body])],
+					[openssl=yes ires="$i" lres="$j $k"; break 3])
 			done
 		done
 		CFLAGS="$i $save_CFLAGS"
 		for j in $cdirs; do
 			for k in $clibs; do
 				LIBS="$j $k $save_LIBS"
-				AC_TRY_LINK(test_headers, test_body,
-					openssl=no ires="$i" lres="$j $k"; break 3)
-			done
-		done
-		CFLAGS="-DHAVE_OLD_HASH_NAMES $i $save_CFLAGS"
-		for j in $cdirs; do
-			for k in $clibs; do
-				LIBS="$j $k $save_LIBS"
-				AC_TRY_LINK(test_headers, test_body,
-					openssl=no ires="$i" lres="$j $k"; break 3)
+				AC_LINK_IFELSE([AC_LANG_PROGRAM([test_headers],[test_body])],
+					[openssl=no ires="$i" lres="$j $k"; break 3])
 			done
 		done
 	done
@@ -108,36 +104,36 @@ if test "$crypto_lib" = "unknown" -a "$with_krb4" != "no"; then
 	CFLAGS="$save_CFLAGS"
 	LIBS="$save_LIBS"
 	if test "$ires" -a "$lres"; then
-		INCLUDE_des="$ires"
-		LIB_des="$lres"
+		INCLUDE_hcrypto="$ires"
+		LIB_hcrypto="$lres"
 		crypto_lib=krb4
 		AC_MSG_RESULT([same as krb4])
-		LIB_des_a='$(LIB_des)'
-		LIB_des_so='$(LIB_des)'
-		LIB_des_appl='$(LIB_des)'
+		LIB_hcrypto_a='$(LIB_hcrypto)'
+		LIB_hcrypto_so='$(LIB_hcrypto)'
+		LIB_hcrypto_appl='$(LIB_hcrypto)'
 	fi
 fi
 
 if test "$crypto_lib" = "unknown" -a "$with_openssl" != "no"; then
 	save_CFLAGS="$CFLAGS"
 	save_LIBS="$LIBS"
-	INCLUDE_des=
-	LIB_des=
+	INCLUDE_hcrypto=
+	LIB_hcrypto=
 	if test "$with_openssl_include" != ""; then
-		INCLUDE_des="-I${with_openssl_include}"
+		INCLUDE_hcrypto="-I${with_openssl_include}"
 	fi
 	if test "$with_openssl_lib" != ""; then
-		LIB_des="-L${with_openssl_lib}"
+		LIB_hcrypto="-L${with_openssl_lib}"
 	fi
-	CFLAGS="-DHAVE_OPENSSL ${INCLUDE_des} ${CFLAGS}"
-	saved_LIB_des="$LIB_des"
-	for lres in "" "-lnsl -lsocket"; do
-		LIB_des="${saved_LIB_des} -lcrypto $lres"
-		LIB_des_a="$LIB_des"
-		LIB_des_so="$LIB_des"
-		LIB_des_appl="$LIB_des"
-		LIBS="${LIBS} ${LIB_des}"
-		AC_TRY_LINK(test_headers, test_body, [
+	CFLAGS="-DHAVE_OPENSSL ${INCLUDE_hcrypto} ${CFLAGS}"
+	saved_LIB_hcrypto="$LIB_hcrypto"
+	for lres in "" "-ldl" "-lnsl -lsocket" "-lnsl -lsocket -ldl"; do
+		LIB_hcrypto="${saved_LIB_hcrypto} -lcrypto $lres"
+		LIB_hcrypto_a="$LIB_hcrypto"
+		LIB_hcrypto_so="$LIB_hcrypto"
+		LIB_hcrypto_appl="$LIB_hcrypto"
+		LIBS="${LIBS} ${LIB_hcrypto}"
+		AC_LINK_IFELSE([AC_LANG_PROGRAM([test_headers],[test_body])], [
 			crypto_lib=libcrypto openssl=yes
 			AC_MSG_RESULT([libcrypto])
 		])
@@ -151,13 +147,13 @@ fi
 
 if test "$crypto_lib" = "unknown"; then
 
-  DIR_des='des'
-  LIB_des='$(top_builddir)/lib/des/libdes.la'
-  LIB_des_a='$(top_builddir)/lib/des/.libs/libdes.a'
-  LIB_des_so='$(top_builddir)/lib/des/.libs/libdes.so'
-  LIB_des_appl="-ldes"
+  DIR_hcrypto='hcrypto'
+  LIB_hcrypto='$(top_builddir)/lib/hcrypto/libhcrypto.la'
+  LIB_hcrypto_a='$(top_builddir)/lib/hcrypto/.libs/libhcrypto.a'
+  LIB_hcrypto_so='$(top_builddir)/lib/hcrypto/.libs/libhcrypto.so'
+  LIB_hcrypto_appl="-lhcrypto"
 
-  AC_MSG_RESULT([included libdes])
+  AC_MSG_RESULT([included libhcrypto])
 
 fi
 
@@ -170,16 +166,12 @@ fi
 if test "$openssl" = "yes"; then
   AC_DEFINE([HAVE_OPENSSL], 1, [define to use openssl's libcrypto])
 fi
-if test "$old_hash" = yes; then
-  AC_DEFINE([HAVE_OLD_HASH_NAMES], 1,
-		[define if you have hash functions like md4_finito()])
-fi
 AM_CONDITIONAL(HAVE_OPENSSL, test "$openssl" = yes)dnl
 
-AC_SUBST(DIR_des)
-AC_SUBST(INCLUDE_des)
-AC_SUBST(LIB_des)
-AC_SUBST(LIB_des_a)
-AC_SUBST(LIB_des_so)
-AC_SUBST(LIB_des_appl)
+AC_SUBST(DIR_hcrypto)
+AC_SUBST(INCLUDE_hcrypto)
+AC_SUBST(LIB_hcrypto)
+AC_SUBST(LIB_hcrypto_a)
+AC_SUBST(LIB_hcrypto_so)
+AC_SUBST(LIB_hcrypto_appl)
 ])
diff --git a/crypto/heimdal/cf/db.m4 b/crypto/heimdal/cf/db.m4
index 7646bf6..cc8b8ca 100644
--- a/crypto/heimdal/cf/db.m4
+++ b/crypto/heimdal/cf/db.m4
@@ -1,13 +1,18 @@
-dnl $Id: db.m4,v 1.9 2002/09/10 14:29:47 joda Exp $
+dnl $Id: db.m4 15456 2005-06-16 21:04:43Z lha $
 dnl
 dnl tests for various db libraries
 dnl
 AC_DEFUN([rk_DB],[
 AC_ARG_ENABLE(berkeley-db,
-                       AC_HELP_STRING([--disable-berkeley-db],
+                       AS_HELP_STRING([--disable-berkeley-db],
                                       [if you don't want berkeley db]),[
 ])
 
+AC_ARG_ENABLE(ndbm-db,
+                       AS_HELP_STRING([--disable-ndbm-db],
+                                      [if you don't want ndbm db]),[
+])
+
 have_ndbm=no
 db_type=unknown
 
@@ -95,70 +100,72 @@ dnl test for ndbm compatability
 
 fi # berkeley db
 
-if test "$db_type" = "unknown" -o "$ac_cv_func_dbm_firstkey" = ""; then
-
-  AC_CHECK_HEADERS([				\
-	dbm.h					\
-	ndbm.h					\
-  ])
+if test "$enable_ndbm_db" != "no"; then
 
-  AC_FIND_FUNC_NO_LIBS(dbm_firstkey, ndbm, [
-  #include <stdio.h>
-  #if defined(HAVE_NDBM_H)
-  #include <ndbm.h>
-  #elif defined(HAVE_DBM_H)
-  #include <dbm.h>
-  #endif
-  DBM *dbm;
-  ],[NULL])
-
-  if test "$ac_cv_func_dbm_firstkey" = "yes"; then
-    if test "$ac_cv_funclib_dbm_firstkey" != "yes"; then
-      LIB_NDBM="$ac_cv_funclib_dbm_firstkey"
-    else
-      LIB_NDBM=""
-    fi
-    AC_DEFINE(HAVE_NDBM, 1, [define if you have a ndbm library])dnl
-    have_ndbm=yes
-    if test "$db_type" = "unknown"; then
-      db_type=ndbm
-      DBLIB="$LIB_NDBM"
-    fi
-  else
-
-    $as_unset ac_cv_func_dbm_firstkey
-    $as_unset ac_cv_funclib_dbm_firstkey
+  if test "$db_type" = "unknown" -o "$ac_cv_func_dbm_firstkey" = ""; then
 
     AC_CHECK_HEADERS([				\
-	  gdbm/ndbm.h				\
+  	dbm.h					\
+  	ndbm.h					\
     ])
-
-    AC_FIND_FUNC_NO_LIBS(dbm_firstkey, gdbm, [
+  
+    AC_FIND_FUNC_NO_LIBS(dbm_firstkey, ndbm, [
     #include <stdio.h>
-    #include <gdbm/ndbm.h>
+    #if defined(HAVE_NDBM_H)
+    #include <ndbm.h>
+    #elif defined(HAVE_DBM_H)
+    #include <dbm.h>
+    #endif
     DBM *dbm;
     ],[NULL])
-
+  
     if test "$ac_cv_func_dbm_firstkey" = "yes"; then
       if test "$ac_cv_funclib_dbm_firstkey" != "yes"; then
-	LIB_NDBM="$ac_cv_funclib_dbm_firstkey"
+        LIB_NDBM="$ac_cv_funclib_dbm_firstkey"
       else
-	LIB_NDBM=""
+        LIB_NDBM=""
       fi
       AC_DEFINE(HAVE_NDBM, 1, [define if you have a ndbm library])dnl
       have_ndbm=yes
       if test "$db_type" = "unknown"; then
-	db_type=ndbm
-	DBLIB="$LIB_NDBM"
+        db_type=ndbm
+        DBLIB="$LIB_NDBM"
+      fi
+    else
+  
+      $as_unset ac_cv_func_dbm_firstkey
+      $as_unset ac_cv_funclib_dbm_firstkey
+  
+      AC_CHECK_HEADERS([				\
+  	  gdbm/ndbm.h				\
+      ])
+  
+      AC_FIND_FUNC_NO_LIBS(dbm_firstkey, gdbm, [
+      #include <stdio.h>
+      #include <gdbm/ndbm.h>
+      DBM *dbm;
+      ],[NULL])
+  
+      if test "$ac_cv_func_dbm_firstkey" = "yes"; then
+        if test "$ac_cv_funclib_dbm_firstkey" != "yes"; then
+  	LIB_NDBM="$ac_cv_funclib_dbm_firstkey"
+        else
+  	LIB_NDBM=""
+        fi
+        AC_DEFINE(HAVE_NDBM, 1, [define if you have a ndbm library])dnl
+        have_ndbm=yes
+        if test "$db_type" = "unknown"; then
+  	db_type=ndbm
+  	DBLIB="$LIB_NDBM"
+        fi
       fi
     fi
-  fi
-
+  fi #enable_ndbm_db
 fi # unknown
 
 if test "$have_ndbm" = "yes"; then
   AC_MSG_CHECKING([if ndbm is implemented with db])
-  AC_TRY_RUN([
+  AC_RUN_IFELSE([AC_LANG_SOURCE([[
 #include <unistd.h>
 #include <fcntl.h>
 #if defined(HAVE_GDBM_NDBM_H)
@@ -168,7 +175,7 @@ if test "$have_ndbm" = "yes"; then
 #elif defined(HAVE_DBM_H)
 #include <dbm.h>
 #endif
-int main()
+int main(int argc, char **argv)
 {
   DBM *d;
 
@@ -177,7 +184,7 @@ int main()
     return 1;
   dbm_close(d);
   return 0;
-}],[
+}]])],[
     if test -f conftest.db; then
       AC_MSG_RESULT([yes])
       AC_DEFINE(HAVE_NEW_DB, 1, [Define if NDBM really is DB (creates files *.db)])
diff --git a/crypto/heimdal/cf/destdirs.m4 b/crypto/heimdal/cf/destdirs.m4
index 0d56e9c..6b75f65 100644
--- a/crypto/heimdal/cf/destdirs.m4
+++ b/crypto/heimdal/cf/destdirs.m4
@@ -1,5 +1,5 @@
 dnl
-dnl $Id: destdirs.m4,v 1.2 2002/08/12 15:12:50 joda Exp $
+dnl $Id: destdirs.m4 11082 2002-08-12 15:12:50Z joda $
 dnl
 
 AC_DEFUN([rk_DESTDIRS], [
diff --git a/crypto/heimdal/cf/dlopen.m4 b/crypto/heimdal/cf/dlopen.m4
index 322f8b9..310ca55 100644
--- a/crypto/heimdal/cf/dlopen.m4
+++ b/crypto/heimdal/cf/dlopen.m4
@@ -1,8 +1,11 @@
 dnl
-dnl $Id: dlopen.m4,v 1.1 2002/08/28 16:32:16 joda Exp $
+dnl $Id: dlopen.m4 15433 2005-06-16 19:40:59Z lha $
 dnl
 
 AC_DEFUN([rk_DLOPEN], [
-	AC_FIND_FUNC_NO_LIBS(dlopen, dl)
+	AC_FIND_FUNC_NO_LIBS(dlopen, dl,[
+#ifdef HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif],[0,0])
 	AM_CONDITIONAL(HAVE_DLOPEN, test "$ac_cv_funclib_dlopen" != no)
 ])
diff --git a/crypto/heimdal/cf/find-func-no-libs.m4 b/crypto/heimdal/cf/find-func-no-libs.m4
index 4410330..76965a8 100644
--- a/crypto/heimdal/cf/find-func-no-libs.m4
+++ b/crypto/heimdal/cf/find-func-no-libs.m4
@@ -1,4 +1,4 @@
-dnl $Id: find-func-no-libs.m4,v 1.5.20.1 2004/04/01 07:27:33 joda Exp $
+dnl $Id: find-func-no-libs.m4 13338 2004-02-12 14:21:14Z lha $
 dnl
 dnl
 dnl Look for function in any of the specified libraries
diff --git a/crypto/heimdal/cf/find-func-no-libs2.m4 b/crypto/heimdal/cf/find-func-no-libs2.m4
index 566504a..617a09e 100644
--- a/crypto/heimdal/cf/find-func-no-libs2.m4
+++ b/crypto/heimdal/cf/find-func-no-libs2.m4
@@ -1,4 +1,4 @@
-dnl $Id: find-func-no-libs2.m4,v 1.6.10.1 2004/04/01 07:27:33 joda Exp $
+dnl $Id: find-func-no-libs2.m4 14166 2004-08-26 12:35:42Z joda $
 dnl
 dnl
 dnl Look for function in any of the specified libraries
@@ -21,7 +21,7 @@ if eval "test \"\$ac_cv_func_$1\" != yes" ; then
 		*) ac_lib="-l$ac_lib" ;;
 		esac
 		LIBS="$6 $ac_lib $5 $ac_save_LIBS"
-		AC_TRY_LINK([$3],[$1($4)],eval "if test -n \"$ac_lib\";then ac_cv_funclib_$1=$ac_lib; else ac_cv_funclib_$1=yes; fi";break)
+		AC_LINK_IFELSE([AC_LANG_PROGRAM([[$3]],[[$1($4)]])],[eval "if test -n \"$ac_lib\";then ac_cv_funclib_$1=$ac_lib; else ac_cv_funclib_$1=yes; fi";break])
 	done
 	eval "ac_cv_funclib_$1=\${ac_cv_funclib_$1-no}"
 	LIBS="$ac_save_LIBS"
diff --git a/crypto/heimdal/cf/find-func.m4 b/crypto/heimdal/cf/find-func.m4
index a5916cd..2354f38 100644
--- a/crypto/heimdal/cf/find-func.m4
+++ b/crypto/heimdal/cf/find-func.m4
@@ -1,4 +1,4 @@
-dnl $Id: find-func.m4,v 1.1.42.1 2004/04/01 07:27:33 joda Exp $
+dnl $Id: find-func.m4 13338 2004-02-12 14:21:14Z lha $
 dnl
 dnl AC_FIND_FUNC(func, libraries, includes, arguments)
 AC_DEFUN([AC_FIND_FUNC], [
diff --git a/crypto/heimdal/cf/find-if-not-broken.m4 b/crypto/heimdal/cf/find-if-not-broken.m4
index 87ea361..3e94638 100644
--- a/crypto/heimdal/cf/find-if-not-broken.m4
+++ b/crypto/heimdal/cf/find-if-not-broken.m4
@@ -1,4 +1,4 @@
-dnl $Id: find-if-not-broken.m4,v 1.4.8.1 2004/04/01 07:27:33 joda Exp $
+dnl $Id: find-if-not-broken.m4 13338 2004-02-12 14:21:14Z lha $
 dnl
 dnl
 dnl Mix between AC_FIND_FUNC and AC_BROKEN
diff --git a/crypto/heimdal/cf/framework-security.m4 b/crypto/heimdal/cf/framework-security.m4
new file mode 100644
index 0000000..3358292
--- /dev/null
+++ b/crypto/heimdal/cf/framework-security.m4
@@ -0,0 +1,31 @@
+AC_DEFUN([rk_FRAMEWORK_SECURITY], [
+
+AC_MSG_CHECKING([for framework security])
+AC_CACHE_VAL(rk_cv_framework_security,
+[
+if test "$rk_cv_framework_security" != yes; then
+	ac_save_LIBS="$LIBS"
+	LIBS="$ac_save_LIBS -framework Security -framework CoreFoundation"
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <Security/Security.h>
+]],
+[[SecKeychainSearchRef searchRef;
+SecKeychainSearchCreateFromAttributes(NULL,kSecCertificateItemClass,NULL, &searchRef);
+CFRelease(&searchRef);
+]])],[rk_cv_framework_security=yes])
+	LIBS="$ac_save_LIBS"
+fi
+])
+
+if test "$rk_cv_framework_security" = yes; then
+   AC_DEFINE(HAVE_FRAMEWORK_SECURITY, 1, [Have -framework Security])
+   AC_MSG_RESULT(yes)
+else
+   AC_MSG_RESULT(no)
+fi
+AM_CONDITIONAL(FRAMEWORK_SECURITY, test "$rk_cv_framework_security" = yes)
+
+if test "$rk_cv_framework_security" = yes; then
+   AC_NEED_PROTO([#include <Security/Security.h>],SecKeyGetCSPHandle)
+fi
+
+])
diff --git a/crypto/heimdal/cf/have-pragma-weak.m4 b/crypto/heimdal/cf/have-pragma-weak.m4
index a13016a..32b7a67 100644
--- a/crypto/heimdal/cf/have-pragma-weak.m4
+++ b/crypto/heimdal/cf/have-pragma-weak.m4
@@ -1,4 +1,4 @@
-dnl $Id: have-pragma-weak.m4,v 1.3.34.1 2004/04/01 07:27:33 joda Exp $
+dnl $Id: have-pragma-weak.m4 15435 2005-06-16 19:45:52Z lha $
 dnl
 AC_DEFUN([AC_HAVE_PRAGMA_WEAK], [
 if test "${enable_shared}" = "yes"; then
@@ -16,11 +16,11 @@ cat > conftest_bar.$ac_ext <<'EOF'
 #include "confdefs.h"
 extern int foo;
 
-int t() {
+int t(void) {
   return foo;
 }
 
-int main() {
+int main(int argc, char **argv) {
   return t();
 }
 EOF
diff --git a/crypto/heimdal/cf/have-struct-field.m4 b/crypto/heimdal/cf/have-struct-field.m4
index 341970a..8618bc0 100644
--- a/crypto/heimdal/cf/have-struct-field.m4
+++ b/crypto/heimdal/cf/have-struct-field.m4
@@ -1,4 +1,4 @@
-dnl $Id: have-struct-field.m4,v 1.6.22.1 2004/04/01 07:27:33 joda Exp $
+dnl $Id: have-struct-field.m4 18314 2006-10-07 17:31:56Z lha $
 dnl
 dnl check for fields in a structure
 dnl
@@ -7,9 +7,11 @@ dnl AC_HAVE_STRUCT_FIELD(struct, field, headers)
 AC_DEFUN([AC_HAVE_STRUCT_FIELD], [
 define(cache_val, translit(ac_cv_type_$1_$2, [A-Z ], [a-z_]))
 AC_CACHE_CHECK([for $2 in $1], cache_val,[
-AC_TRY_COMPILE([$3],[$1 x; x.$2;],
-cache_val=yes,
-cache_val=no)])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[$3]],
+	[[$1 x; memset(&x, 0, sizeof(x)); x.$2]])],
+	[cache_val=yes],
+	[cache_val=no])
+])
 if test "$cache_val" = yes; then
 	define(foo, translit(HAVE_$1_$2, [a-z ], [A-Z_]))
 	AC_DEFINE(foo, 1, [Define if $1 has field $2.])
diff --git a/crypto/heimdal/cf/have-type.m4 b/crypto/heimdal/cf/have-type.m4
index c764ed6..34d5bef 100644
--- a/crypto/heimdal/cf/have-type.m4
+++ b/crypto/heimdal/cf/have-type.m4
@@ -1,4 +1,4 @@
-dnl $Id: have-type.m4,v 1.6.12.1 2004/04/01 07:27:33 joda Exp $
+dnl $Id: have-type.m4 14166 2004-08-26 12:35:42Z joda $
 dnl
 dnl check for existance of a type
 
@@ -8,16 +8,16 @@ AC_REQUIRE([AC_HEADER_STDC])
 cv=`echo "$1" | sed 'y%./+- %__p__%'`
 AC_MSG_CHECKING(for $1)
 AC_CACHE_VAL([ac_cv_type_$cv],
-AC_TRY_COMPILE(
-[#include <sys/types.h>
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
 #if STDC_HEADERS
 #include <stdlib.h>
 #include <stddef.h>
 #endif
-$2],
-[$1 foo;],
-eval "ac_cv_type_$cv=yes",
-eval "ac_cv_type_$cv=no"))dnl
+$2]],
+[[$1 foo;]])],
+[eval "ac_cv_type_$cv=yes"],
+[eval "ac_cv_type_$cv=no"]))dnl
 ac_foo=`eval echo \\$ac_cv_type_$cv`
 AC_MSG_RESULT($ac_foo)
 if test "$ac_foo" = yes; then
diff --git a/crypto/heimdal/cf/have-types.m4 b/crypto/heimdal/cf/have-types.m4
index e369910..79ceb97 100644
--- a/crypto/heimdal/cf/have-types.m4
+++ b/crypto/heimdal/cf/have-types.m4
@@ -1,5 +1,5 @@
 dnl
-dnl $Id: have-types.m4,v 1.2.12.1 2004/04/01 07:27:33 joda Exp $
+dnl $Id: have-types.m4 13338 2004-02-12 14:21:14Z lha $
 dnl
 
 AC_DEFUN([AC_HAVE_TYPES], [
diff --git a/crypto/heimdal/cf/install-catman.sh b/crypto/heimdal/cf/install-catman.sh
index 4a5aa8e..872e162 100755
--- a/crypto/heimdal/cf/install-catman.sh
+++ b/crypto/heimdal/cf/install-catman.sh
@@ -1,14 +1,16 @@
 #!/bin/sh
 #
-# $Id: install-catman.sh,v 1.3 2001/09/29 16:05:38 assar Exp $
+# $Id: install-catman.sh 20232 2007-02-16 11:03:13Z lha $
 #
 # install preformatted manual pages
 
+cmd="$1"; shift
 INSTALL_DATA="$1"; shift
 mkinstalldirs="$1"; shift
 srcdir="$1"; shift
 manbase="$1"; shift
 suffix="$1"; shift
+catinstall="${INSTALL_CATPAGES-yes}"
 
 for f in "$@"; do
 	base=`echo "$f" | sed 's/\(.*\)\.\([^.]*\)$/\1/'`
@@ -17,37 +19,54 @@ for f in "$@"; do
 	catdir="$manbase/cat$section"
 	c="$base.cat$section"
 
-	if test -f "$srcdir/$c"; then
-		if test \! -d "$catdir"; then
-			eval "$mkinstalldirs $catdir"
+	if test "$catinstall" = yes -a -f "$srcdir/$c"; then
+		if test "$cmd" = install ; then
+			if test \! -d "$catdir"; then
+				eval "$mkinstalldirs $catdir"
+			fi
+			eval "echo $INSTALL_DATA $srcdir/$c $catdir/$base.$suffix"
+			eval "$INSTALL_DATA $srcdir/$c $catdir/$base.$suffix"
+		elif test "$cmd" = uninstall ; then
+			eval "echo rm -f $catdir/$base.$suffix"
+			eval "rm -f $catdir/$base.$suffix"
 		fi
-		eval "echo $INSTALL_DATA $srcdir/$c $catdir/$base.$suffix"
-		eval "$INSTALL_DATA $srcdir/$c $catdir/$base.$suffix"
 	fi
 	for link in `sed -n -e '/SYNOPSIS/q;/DESCRIPTION/q;s/^\.Nm \([^ ]*\).*/\1/p' $srcdir/$f`; do
-		if [ "$link" != "$base" ]; then
+		if test "$link" = "$base" ; then
+			continue
+		fi
+		if test "$cmd" = install ; then
 			target="$mandir/$link.$section"
-			for cmd in "ln -f $mandir/$base.$section $target" \
+			for lncmd in "ln -f $mandir/$base.$section $target" \
 				   "ln -s $base.$section $target" \
 				   "cp -f $mandir/$base.$section $target"
 			do
-				if eval "$cmd"; then
-					eval echo "$cmd"
+				if eval "$lncmd"; then
+					eval echo "$lncmd"
 					break
 				fi
 			done
-			if test -f "$srcdir/$c"; then
+			if test "$catinstall" = yes -a -f "$srcdir/$c"; then
 				target="$catdir/$link.$suffix"
-				for cmd in "ln -f $catdir/$base.$suffix $target" \
+				for lncmd in "ln -f $catdir/$base.$suffix $target" \
 					   "ln -fs $base.$suffix $target" \
 					   "cp -f $catdir/$base.$suffix $target"
 				do
-					if eval "$cmd"; then
-						eval echo "$cmd"
+					if eval "$lncmd"; then
+						eval echo "$lncmd"
 						break
 					fi
 				done
 			fi
+		elif test "$cmd" = uninstall ; then
+			target="$mandir/$link.$section"
+			eval "echo rm -f $target"
+			eval "rm -f $target"
+			if test "$catinstall" = yes; then
+				target="$catdir/$link.$suffix"
+				eval "echo rm -f $target"
+				eval "rm -f $target"
+			fi
 		fi
 	done
 done
diff --git a/crypto/heimdal/cf/irix.m4 b/crypto/heimdal/cf/irix.m4
index b62e2c3..510b81f 100644
--- a/crypto/heimdal/cf/irix.m4
+++ b/crypto/heimdal/cf/irix.m4
@@ -1,5 +1,5 @@
 dnl
-dnl $Id: irix.m4,v 1.1 2002/08/28 19:11:44 joda Exp $
+dnl $Id: irix.m4 11267 2002-08-28 19:11:44Z joda $
 dnl
 
 AC_DEFUN([rk_IRIX],
diff --git a/crypto/heimdal/cf/krb-bigendian.m4 b/crypto/heimdal/cf/krb-bigendian.m4
index 672cc25..30e1a79 100644
--- a/crypto/heimdal/cf/krb-bigendian.m4
+++ b/crypto/heimdal/cf/krb-bigendian.m4
@@ -1,5 +1,5 @@
 dnl
-dnl $Id: krb-bigendian.m4,v 1.8.6.1 2004/04/01 07:27:33 joda Exp $
+dnl $Id: krb-bigendian.m4 15456 2005-06-16 21:04:43Z lha $
 dnl
 
 dnl check if this computer is little or big-endian
@@ -9,29 +9,29 @@ dnl it when cross-compiling
 
 AC_DEFUN([KRB_C_BIGENDIAN], [
 AC_ARG_ENABLE(bigendian,
-	AC_HELP_STRING([--enable-bigendian],[the target is big endian]),
+	AS_HELP_STRING([--enable-bigendian],[the target is big endian]),
 krb_cv_c_bigendian=yes)
 AC_ARG_ENABLE(littleendian,
-	AC_HELP_STRING([--enable-littleendian],[the target is little endian]),
+	AS_HELP_STRING([--enable-littleendian],[the target is little endian]),
 krb_cv_c_bigendian=no)
-AC_CACHE_CHECK(whether byte order is known at compile time,
+AC_CACHE_CHECK([whether byte order is known at compile time],
 krb_cv_c_bigendian_compile,
-[AC_TRY_COMPILE([
+[AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
 #include <sys/types.h>
-#include <sys/param.h>],[
+#include <sys/param.h>
 #if !BYTE_ORDER || !BIG_ENDIAN || !LITTLE_ENDIAN
  bogus endian macros
-#endif], krb_cv_c_bigendian_compile=yes, krb_cv_c_bigendian_compile=no)])
+#endif]])],[krb_cv_c_bigendian_compile=yes],[krb_cv_c_bigendian_compile=no])])
 AC_CACHE_CHECK(whether byte ordering is bigendian, krb_cv_c_bigendian,[
   if test "$krb_cv_c_bigendian_compile" = "yes"; then
-    AC_TRY_COMPILE([
+    AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
 #include <sys/types.h>
-#include <sys/param.h>],[
+#include <sys/param.h>
 #if BYTE_ORDER != BIG_ENDIAN
   not big endian
-#endif], krb_cv_c_bigendian=yes, krb_cv_c_bigendian=no)
+#endif]])],[krb_cv_c_bigendian=yes],[krb_cv_c_bigendian=no])
   else
-    AC_TRY_RUN([main () {
+    AC_RUN_IFELSE([AC_LANG_SOURCE([[main (int argc, char **argv) {
       /* Are we little or big endian?  From Harbison&Steele.  */
       union
       {
@@ -40,8 +40,8 @@ AC_CACHE_CHECK(whether byte ordering is bigendian, krb_cv_c_bigendian,[
     } u;
     u.l = 1;
     exit (u.c[sizeof (long) - 1] == 1);
-  }], krb_cv_c_bigendian=no, krb_cv_c_bigendian=yes,
-  AC_MSG_ERROR([specify either --enable-bigendian or --enable-littleendian]))
+  }]])],[krb_cv_c_bigendian=no],[krb_cv_c_bigendian=yes],
+  [AC_MSG_ERROR([specify either --enable-bigendian or --enable-littleendian])])
   fi
 ])
 if test "$krb_cv_c_bigendian" = "yes"; then
diff --git a/crypto/heimdal/cf/krb-func-getcwd-broken.m4 b/crypto/heimdal/cf/krb-func-getcwd-broken.m4
index e3f9372..6ab4a26 100644
--- a/crypto/heimdal/cf/krb-func-getcwd-broken.m4
+++ b/crypto/heimdal/cf/krb-func-getcwd-broken.m4
@@ -1,4 +1,4 @@
-dnl $Id: krb-func-getcwd-broken.m4,v 1.3.8.1 2004/04/01 07:27:34 joda Exp $
+dnl $Id: krb-func-getcwd-broken.m4 15455 2005-06-16 21:03:43Z lha $
 dnl
 dnl
 dnl test for broken getcwd in (SunOS braindamage)
@@ -10,7 +10,7 @@ AC_MSG_CHECKING(if getcwd is broken)
 AC_CACHE_VAL(ac_cv_func_getcwd_broken, [
 ac_cv_func_getcwd_broken=no
 
-AC_TRY_RUN([
+AC_RUN_IFELSE([AC_LANG_SOURCE([[
 #include <errno.h>
 char *getcwd(char*, int);
 
@@ -20,7 +20,7 @@ void *popen(char *cmd, char *mode)
 	return 0;
 }
 
-int main()
+int main(int argc, char **argv)
 {
 	char *ret;
 	ret = getcwd(0, 1024);
@@ -28,7 +28,7 @@ int main()
 		return 0;
 	return 1;
 }
-], ac_cv_func_getcwd_broken=yes,:,:)
+]])], [ac_cv_func_getcwd_broken=yes],[:],[:])
 ])
 if test "$ac_cv_func_getcwd_broken" = yes; then
 	AC_DEFINE(BROKEN_GETCWD, 1, [Define if getcwd is broken (like in SunOS 4).])dnl
diff --git a/crypto/heimdal/cf/krb-func-getlogin.m4 b/crypto/heimdal/cf/krb-func-getlogin.m4
index ec091d7..03cecfc 100644
--- a/crypto/heimdal/cf/krb-func-getlogin.m4
+++ b/crypto/heimdal/cf/krb-func-getlogin.m4
@@ -1,5 +1,5 @@
 dnl
-dnl $Id: krb-func-getlogin.m4,v 1.1.32.1 2004/04/01 07:27:34 joda Exp $
+dnl $Id: krb-func-getlogin.m4 13338 2004-02-12 14:21:14Z lha $
 dnl
 dnl test for POSIX (broken) getlogin
 dnl
diff --git a/crypto/heimdal/cf/krb-ipv6.m4 b/crypto/heimdal/cf/krb-ipv6.m4
index 1afcbb2..ba0b000 100644
--- a/crypto/heimdal/cf/krb-ipv6.m4
+++ b/crypto/heimdal/cf/krb-ipv6.m4
@@ -1,10 +1,10 @@
-dnl $Id: krb-ipv6.m4,v 1.13.8.1 2004/04/01 07:27:34 joda Exp $
+dnl $Id: krb-ipv6.m4 14166 2004-08-26 12:35:42Z joda $
 dnl
 dnl test for IPv6
 dnl
 AC_DEFUN([AC_KRB_IPV6], [
 AC_ARG_WITH(ipv6,
-	AC_HELP_STRING([--without-ipv6],[do not enable IPv6 support]),[
+	AS_HELP_STRING([--without-ipv6],[do not enable IPv6 support]),[
 if test "$withval" = "no"; then
 	ac_cv_lib_ipv6=no
 fi])
@@ -89,7 +89,7 @@ fi
 ])
 
 AC_CACHE_CHECK([for IPv6], ac_cv_lib_ipv6, [
-AC_TRY_LINK([
+AC_LINK_IFELSE([AC_LANG_PROGRAM([[
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
 #endif
@@ -102,8 +102,8 @@ AC_TRY_LINK([
 #ifdef HAVE_NETINET_IN6_H
 #include <netinet/in6.h>
 #endif
-],
-[
+]],
+[[
  struct sockaddr_in6 sin6;
  int s;
 
@@ -113,9 +113,9 @@ AC_TRY_LINK([
  sin6.sin6_port = htons(17);
  sin6.sin6_addr = in6addr_any;
  bind(s, (struct sockaddr *)&sin6, sizeof(sin6));
-],
-ac_cv_lib_ipv6=yes,
-ac_cv_lib_ipv6=no)])
+]])],
+[ac_cv_lib_ipv6=yes],
+[ac_cv_lib_ipv6=no])])
 if test "$ac_cv_lib_ipv6" = yes; then
   AC_DEFINE(HAVE_IPV6, 1, [Define if you have IPv6.])
 else
@@ -125,7 +125,7 @@ fi
 ## test for AIX missing in6addr_loopback
 if test "$ac_cv_lib_ipv6" = yes; then
 	AC_CACHE_CHECK([for in6addr_loopback],[ac_cv_var_in6addr_loopback],[
-	AC_TRY_LINK([
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
 #endif
@@ -137,10 +137,10 @@ if test "$ac_cv_lib_ipv6" = yes; then
 #endif
 #ifdef HAVE_NETINET_IN6_H
 #include <netinet/in6.h>
-#endif],[
+#endif]],[[
 struct sockaddr_in6 sin6;
 sin6.sin6_addr = in6addr_loopback;
-],ac_cv_var_in6addr_loopback=yes,ac_cv_var_in6addr_loopback=no)])
+]])],[ac_cv_var_in6addr_loopback=yes],[ac_cv_var_in6addr_loopback=no])])
 	if test "$ac_cv_var_in6addr_loopback" = yes; then
 		AC_DEFINE(HAVE_IN6ADDR_LOOPBACK, 1, 
 			[Define if you have the in6addr_loopback variable])
diff --git a/crypto/heimdal/cf/krb-prog-ln-s.m4 b/crypto/heimdal/cf/krb-prog-ln-s.m4
index 16a4dff..e4bb7ca 100644
--- a/crypto/heimdal/cf/krb-prog-ln-s.m4
+++ b/crypto/heimdal/cf/krb-prog-ln-s.m4
@@ -1,4 +1,4 @@
-dnl $Id: krb-prog-ln-s.m4,v 1.1.42.1 2004/04/01 07:27:34 joda Exp $
+dnl $Id: krb-prog-ln-s.m4 13338 2004-02-12 14:21:14Z lha $
 dnl
 dnl
 dnl Better test for ln -s, ln or cp
diff --git a/crypto/heimdal/cf/krb-prog-ranlib.m4 b/crypto/heimdal/cf/krb-prog-ranlib.m4
index cf06193..6a851a2 100644
--- a/crypto/heimdal/cf/krb-prog-ranlib.m4
+++ b/crypto/heimdal/cf/krb-prog-ranlib.m4
@@ -1,4 +1,4 @@
-dnl $Id: krb-prog-ranlib.m4,v 1.1.42.1 2004/04/01 07:27:34 joda Exp $
+dnl $Id: krb-prog-ranlib.m4 13338 2004-02-12 14:21:14Z lha $
 dnl
 dnl
 dnl Also look for EMXOMF for OS/2
diff --git a/crypto/heimdal/cf/krb-prog-yacc.m4 b/crypto/heimdal/cf/krb-prog-yacc.m4
index 54dd8b4..10203e4 100644
--- a/crypto/heimdal/cf/krb-prog-yacc.m4
+++ b/crypto/heimdal/cf/krb-prog-yacc.m4
@@ -1,4 +1,4 @@
-dnl $Id: krb-prog-yacc.m4,v 1.3.16.1 2004/04/01 07:27:34 joda Exp $
+dnl $Id: krb-prog-yacc.m4 13338 2004-02-12 14:21:14Z lha $
 dnl
 dnl
 dnl We prefer byacc or yacc because they do not use `alloca'
diff --git a/crypto/heimdal/cf/krb-readline.m4 b/crypto/heimdal/cf/krb-readline.m4
index ed5aa0a..61a50c5 100644
--- a/crypto/heimdal/cf/krb-readline.m4
+++ b/crypto/heimdal/cf/krb-readline.m4
@@ -1,4 +1,4 @@
-dnl $Id: krb-readline.m4,v 1.5.6.1 2004/04/01 07:27:34 joda Exp $
+dnl $Id: krb-readline.m4 14166 2004-08-26 12:35:42Z joda $
 dnl
 dnl Tests for readline functions
 dnl
@@ -9,11 +9,11 @@ AC_DEFUN([KRB_READLINE],[
 AC_FIND_FUNC_NO_LIBS(el_init, edit, [], [], [$LIB_tgetent])
 if test "$ac_cv_func_el_init" = yes ; then
 	AC_CACHE_CHECK(for four argument el_init, ac_cv_func_el_init_four,[
-		AC_TRY_COMPILE([#include <stdio.h>
-			#include <histedit.h>],
-			[el_init("", NULL, NULL, NULL);],
-			ac_cv_func_el_init_four=yes,
-			ac_cv_func_el_init_four=no)])
+		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <stdio.h>
+			#include <histedit.h>]],
+			[[el_init("", NULL, NULL, NULL);]])],
+			[ac_cv_func_el_init_four=yes],
+			[ac_cv_func_el_init_four=no])])
 	if test "$ac_cv_func_el_init_four" = yes; then
 		AC_DEFINE(HAVE_FOUR_VALUED_EL_INIT, 1, [Define if el_init takes four arguments.])
 	fi
diff --git a/crypto/heimdal/cf/krb-struct-spwd.m4 b/crypto/heimdal/cf/krb-struct-spwd.m4
index 49d8efd..17fb2a3 100644
--- a/crypto/heimdal/cf/krb-struct-spwd.m4
+++ b/crypto/heimdal/cf/krb-struct-spwd.m4
@@ -1,18 +1,17 @@
-dnl $Id: krb-struct-spwd.m4,v 1.3.32.1 2004/04/01 07:27:34 joda Exp $
+dnl $Id: krb-struct-spwd.m4 14166 2004-08-26 12:35:42Z joda $
 dnl
 dnl Test for `struct spwd'
 
 AC_DEFUN([AC_KRB_STRUCT_SPWD], [
 AC_MSG_CHECKING(for struct spwd)
 AC_CACHE_VAL(ac_cv_struct_spwd, [
-AC_TRY_COMPILE(
-[#include <pwd.h>
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <pwd.h>
 #ifdef HAVE_SHADOW_H
 #include <shadow.h>
-#endif],
-[struct spwd foo;],
-ac_cv_struct_spwd=yes,
-ac_cv_struct_spwd=no)
+#endif]],[[struct spwd foo;]])],
+[ac_cv_struct_spwd=yes],
+[ac_cv_struct_spwd=no])
 ])
 AC_MSG_RESULT($ac_cv_struct_spwd)
 
diff --git a/crypto/heimdal/cf/krb-struct-winsize.m4 b/crypto/heimdal/cf/krb-struct-winsize.m4
index 3fcc527..06e5f5b 100644
--- a/crypto/heimdal/cf/krb-struct-winsize.m4
+++ b/crypto/heimdal/cf/krb-struct-winsize.m4
@@ -1,4 +1,4 @@
-dnl $Id: krb-struct-winsize.m4,v 1.3.10.1 2004/04/01 07:27:34 joda Exp $
+dnl $Id: krb-struct-winsize.m4 13338 2004-02-12 14:21:14Z lha $
 dnl
 dnl
 dnl Search for struct winsize
diff --git a/crypto/heimdal/cf/krb-sys-aix.m4 b/crypto/heimdal/cf/krb-sys-aix.m4
index 02ba585..544e779 100644
--- a/crypto/heimdal/cf/krb-sys-aix.m4
+++ b/crypto/heimdal/cf/krb-sys-aix.m4
@@ -1,4 +1,4 @@
-dnl $Id: krb-sys-aix.m4,v 1.1.42.1 2004/04/01 07:27:34 joda Exp $
+dnl $Id: krb-sys-aix.m4 13338 2004-02-12 14:21:14Z lha $
 dnl
 dnl
 dnl AIX have a very different syscall convention
diff --git a/crypto/heimdal/cf/krb-sys-nextstep.m4 b/crypto/heimdal/cf/krb-sys-nextstep.m4
index 1d098bc..dcf7e09 100644
--- a/crypto/heimdal/cf/krb-sys-nextstep.m4
+++ b/crypto/heimdal/cf/krb-sys-nextstep.m4
@@ -1,4 +1,4 @@
-dnl $Id: krb-sys-nextstep.m4,v 1.4.6.1 2004/04/01 07:27:34 joda Exp $
+dnl $Id: krb-sys-nextstep.m4 13338 2004-02-12 14:21:14Z lha $
 dnl
 dnl NEXTSTEP is not posix compliant by default,
 dnl you need a switch -posix to the compiler
diff --git a/crypto/heimdal/cf/krb-version.m4 b/crypto/heimdal/cf/krb-version.m4
index e452ad0..92d731f 100644
--- a/crypto/heimdal/cf/krb-version.m4
+++ b/crypto/heimdal/cf/krb-version.m4
@@ -1,4 +1,4 @@
-dnl $Id: krb-version.m4,v 1.3.6.1 2004/04/01 07:27:34 joda Exp $
+dnl $Id: krb-version.m4 13338 2004-02-12 14:21:14Z lha $
 dnl
 dnl
 dnl output a C header-file with some version strings
diff --git a/crypto/heimdal/cf/largefile.m4 b/crypto/heimdal/cf/largefile.m4
new file mode 100644
index 0000000..972ba9c
--- /dev/null
+++ b/crypto/heimdal/cf/largefile.m4
@@ -0,0 +1,16 @@
+dnl $Id: largefile.m4 13768 2004-04-24 21:51:32Z joda $
+dnl
+dnl Figure out what flags we need for 64-bit file access, and also set
+dnl them on the command line.
+dnl
+AC_DEFUN([rk_SYS_LARGEFILE],[
+AC_REQUIRE([AC_SYS_LARGEFILE])dnl
+dnl need to set this on the command line, since it might otherwise break
+dnl with generated code, such as lex
+if test "$enable_largefile" != no -a "$ac_cv_sys_large_files" != no; then
+	CPPFLAGS="$CPPFLAGS -D_LARGE_FILES=$ac_cv_sys_large_files"
+fi
+if test "$enable_largefile" != no -a "$ac_cv_sys_file_offset_bits" != no; then
+	CPPFLAGS="$CPPFLAGS -D_FILE_OFFSET_BITS=$ac_cv_sys_file_offset_bits"
+fi
+])
diff --git a/crypto/heimdal/cf/make-proto.pl b/crypto/heimdal/cf/make-proto.pl
index 769d96c..f119b51 100644
--- a/crypto/heimdal/cf/make-proto.pl
+++ b/crypto/heimdal/cf/make-proto.pl
@@ -1,5 +1,5 @@
 # Make prototypes from .c files
-# $Id: make-proto.pl,v 1.16 2002/09/19 19:29:42 joda Exp $
+# $Id: make-proto.pl 14183 2004-09-03 08:50:57Z lha $
 
 ##use Getopt::Std;
 require 'getopts.pl';
@@ -10,7 +10,7 @@ $debug = 0;
 $oproto = 1;
 $private_func_re = "^_";
 
-do Getopts('o:p:dqR:P:') || die "foo";
+do Getopts('x:m:o:p:dqE:R:P:') || die "foo";
 
 if($opt_d) {
     $debug = 1;
@@ -23,6 +23,45 @@ if($opt_q) {
 if($opt_R) {
     $private_func_re = $opt_R;
 }
+%flags = (
+	  'multiline-proto' => 1,
+	  'header' => 1,
+	  'function-blocking' => 0,
+	  'gnuc-attribute' => 1,
+	  'cxx' => 1
+	  );
+if($opt_m) {
+    foreach $i (split(/,/, $opt_m)) {
+	if($i eq "roken") {
+	    $flags{"multiline-proto"} = 0;
+	    $flags{"header"} = 0;
+	    $flags{"function-blocking"} = 0;
+	    $flags{"gnuc-attribute"} = 0;
+	    $flags{"cxx"} = 0;
+	} else {
+	    if(substr($i, 0, 3) eq "no-") {
+		$flags{substr($i, 3)} = 0;
+	    } else {
+		$flags{$i} = 1;
+	    }
+	}
+    }
+}
+
+if($opt_x) {
+    open(EXP, $opt_x);
+    while(<EXP>) {
+	chomp;
+	s/\#.*//g;
+	s/\s+/ /g;
+	if(/^([a-zA-Z0-9_]+)\s?(.*)$/) {
+	    $exported{$1} = $2;
+	} else {
+	    print $_, "\n";
+	}
+    }
+    close EXP;
+}
 
 while(<>) {
     print $brace, " ", $_ if($debug);
@@ -68,6 +107,7 @@ while(<>) {
 		# remove parameter names 
 		if($opt_P eq "remove") {
 		    s/(\s*)([a-zA-Z0-9_]+)([,>])/$3/g;
+		    s/\s+\*/*/g;
 		    s/\(\*(\s*)([a-zA-Z0-9_]+)\)/(*)/g;
 		} elsif($opt_P eq "comment") {
 		    s/([a-zA-Z0-9_]+)([,>])/\/\*$1\*\/$2/g;
@@ -75,7 +115,11 @@ while(<>) {
 		}
 		s/\<\>/<void>/;
 		# add newlines before parameters
-		s/,\s*/,\n\t/g;
+		if($flags{"multiline-proto"}) {
+		    s/,\s*/,\n\t/g;
+		} else {
+		    s/,\s*/, /g;
+		}
 		# fix removed ,
 		s/\$/,/g;
 		# match function name
@@ -89,14 +133,16 @@ while(<>) {
 		    $RP = ")";
 		}
 		# only add newline if more than one parameter
-                if(/,/){ 
+                if($flags{"multiline-proto"} && /,/){ 
 		    s/\</ $LP\n\t/;
 		}else{
 		    s/\</ $LP/;
 		}
 		s/\>/$RP/;
 		# insert newline before function name
-		s/(.*)\s([a-zA-Z0-9_]+ \Q$LP\E)/$1\n$2/;
+		if($flags{"multiline-proto"}) {
+		    s/(.*)\s([a-zA-Z0-9_]+ \Q$LP\E)/$1\n$2/;
+		}
 		if($attr ne "") {
 		    $_ .= "\n    $attr";
 		}
@@ -142,13 +188,13 @@ if($opt_p) {
 $public_h = "";
 $private_h = "";
 
-$public_h_header = "/* This is a generated file */
+$public_h_header .= "/* This is a generated file */
 #ifndef $block
 #define $block
 
 ";
 if ($oproto) {
-$public_h_header .= "#ifdef __STDC__
+    $public_h_header .= "#ifdef __STDC__
 #include <stdarg.h>
 #ifndef __P
 #define __P(x) x
@@ -165,6 +211,7 @@ $public_h_header .= "#ifdef __STDC__
 
 ";
 }
+$public_h_trailer = "";
 
 $private_h_header = "/* This is a generated file */
 #ifndef $private
@@ -172,7 +219,7 @@ $private_h_header = "/* This is a generated file */
 
 ";
 if($oproto) {
-$private_h_header .= "#ifdef __STDC__
+    $private_h_header .= "#ifdef __STDC__
 #include <stdarg.h>
 #ifndef __P
 #define __P(x) x
@@ -189,43 +236,94 @@ $private_h_header .= "#ifdef __STDC__
 
 ";
 }
+$private_h_trailer = "";
+
 foreach(sort keys %funcs){
     if(/^(main)$/) { next }
-    if(/$private_func_re/) {
+    if(!defined($exported{$_}) && /$private_func_re/) {
 	$private_h .= $funcs{$_} . "\n\n";
 	if($funcs{$_} =~ /__attribute__/) {
 	    $private_attribute_seen = 1;
 	}
     } else {
-	$public_h .= $funcs{$_} . "\n\n";
+	if($flags{"function-blocking"}) {
+	    $fupper = uc $_;
+	    if($exported{$_} =~ /proto/) {
+		$public_h .= "#if !defined(HAVE_$fupper) || defined(NEED_${fupper}_PROTO)\n";
+	    } else {
+		$public_h .= "#ifndef HAVE_$fupper\n";
+	    }
+	}
+	$public_h .= $funcs{$_} . "\n";
 	if($funcs{$_} =~ /__attribute__/) {
 	    $public_attribute_seen = 1;
 	}
+	if($flags{"function-blocking"}) {
+	    $public_h .= "#endif\n";
+	}
+	$public_h .= "\n";
     }
 }
 
-if ($public_attribute_seen) {
-    $public_h_header .= "#if !defined(__GNUC__) && !defined(__attribute__)
+if($flags{"gnuc-attribute"}) {
+    if ($public_attribute_seen) {
+	$public_h_header .= "#if !defined(__GNUC__) && !defined(__attribute__)
 #define __attribute__(x)
 #endif
 
 ";
-}
+    }
 
-if ($private_attribute_seen) {
-    $private_h_header .= "#if !defined(__GNUC__) && !defined(__attribute__)
+    if ($private_attribute_seen) {
+	$private_h_header .= "#if !defined(__GNUC__) && !defined(__attribute__)
 #define __attribute__(x)
 #endif
 
 ";
+    }
 }
+if($flags{"cxx"}) {
+    $public_h_header .= "#ifdef __cplusplus
+extern \"C\" {
+#endif
+
+";
+    $public_h_trailer .= "#ifdef __cplusplus
+}
+#endif
+
+";
+
+}
+if ($opt_E) {
+    $public_h_header .= "#ifndef $opt_E
+#if defined(_WIN32)
+#define $opt_E _stdcall
+#else
+#define $opt_E
+#endif
+#endif
 
+";
+    
+    $private_h_header .= "#ifndef $opt_E
+#if defined(_WIN32)
+#define $opt_E _stdcall
+#else
+#define $opt_E
+#endif
+#endif
 
-if ($public_h ne "") {
-    $public_h = $public_h_header . $public_h . "#endif /* $block */\n";
+";
+}
+    
+if ($public_h ne "" && $flags{"header"}) {
+    $public_h = $public_h_header . $public_h . 
+	$public_h_trailer . "#endif /* $block */\n";
 }
-if ($private_h ne "") {
-    $private_h = $private_h_header . $private_h . "#endif /* $private */\n";
+if ($private_h ne "" && $flags{"header"}) {
+    $private_h = $private_h_header . $private_h .
+	$private_h_trailer . "#endif /* $private */\n";
 }
 
 if($opt_o) {
diff --git a/crypto/heimdal/cf/mips-abi.m4 b/crypto/heimdal/cf/mips-abi.m4
index 401ee91..2af513e 100644
--- a/crypto/heimdal/cf/mips-abi.m4
+++ b/crypto/heimdal/cf/mips-abi.m4
@@ -1,4 +1,4 @@
-dnl $Id: mips-abi.m4,v 1.6.8.1 2004/04/01 07:27:34 joda Exp $
+dnl $Id: mips-abi.m4 14166 2004-08-26 12:35:42Z joda $
 dnl
 dnl
 dnl Check for MIPS/IRIX ABI flags. Sets $abi and $abilibdirext to some
@@ -6,7 +6,7 @@ dnl value.
 
 AC_DEFUN([AC_MIPS_ABI], [
 AC_ARG_WITH(mips_abi,
-	AC_HELP_STRING([--with-mips-abi=abi],[ABI to use for IRIX (32, n32, or 64)]))
+	AS_HELP_STRING([--with-mips-abi=abi],[ABI to use for IRIX (32, n32, or 64)]))
 
 case "$host_os" in
 irix*)
@@ -39,7 +39,7 @@ AC_MSG_CHECKING([if $CC supports the $abi option])
 AC_CACHE_VAL($ac_foo, [
 save_CFLAGS="$CFLAGS"
 CFLAGS="$CFLAGS $abi"
-AC_TRY_COMPILE(,int x;, eval $ac_foo=yes, eval $ac_foo=no)
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]],[[int x;]])],[eval $ac_foo=yes], [eval $ac_foo=no])dnl
 CFLAGS="$save_CFLAGS"
 ])
 ac_res=`eval echo \\\$$ac_foo`
@@ -50,7 +50,7 @@ case $abi in
 	-mabi=32) 
 	save_CFLAGS="$CFLAGS"
 	CFLAGS="$CFLAGS -mabi=n32"
-	AC_TRY_COMPILE(,int x;, ac_res=yes, ac_res=no)
+	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]],[[int x;]])],[ac_res=yes],[ac_res=no])dnl
 	CLAGS="$save_CFLAGS"
 	if test $ac_res = yes; then
 		# New GCC
diff --git a/crypto/heimdal/cf/misc.m4 b/crypto/heimdal/cf/misc.m4
index a825834..042f30a5 100644
--- a/crypto/heimdal/cf/misc.m4
+++ b/crypto/heimdal/cf/misc.m4
@@ -1,5 +1,5 @@
 
-dnl $Id: misc.m4,v 1.5 2002/05/24 15:35:32 joda Exp $
+dnl $Id: misc.m4 11022 2002-05-24 15:35:32Z joda $
 dnl
 AC_DEFUN([upcase],[`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`])dnl
 AC_DEFUN([rk_LIBOBJ],[AC_LIBOBJ([$1])])dnl
diff --git a/crypto/heimdal/cf/need-proto.m4 b/crypto/heimdal/cf/need-proto.m4
index b319076..978abb1 100644
--- a/crypto/heimdal/cf/need-proto.m4
+++ b/crypto/heimdal/cf/need-proto.m4
@@ -1,4 +1,4 @@
-dnl $Id: need-proto.m4,v 1.4.6.1 2004/04/01 07:27:35 joda Exp $
+dnl $Id: need-proto.m4 14166 2004-08-26 12:35:42Z joda $
 dnl
 dnl
 dnl Check if we need the prototype for a function
@@ -9,13 +9,11 @@ dnl AC_NEED_PROTO(includes, function)
 AC_DEFUN([AC_NEED_PROTO], [
 if test "$ac_cv_func_$2+set" != set -o "$ac_cv_func_$2" = yes; then
 AC_CACHE_CHECK([if $2 needs a prototype], ac_cv_func_$2_noproto,
-AC_TRY_COMPILE([$1],
-[struct foo { int foo; } xx;
-extern int $2 (struct foo*);
-$2(&xx);
-],
-eval "ac_cv_func_$2_noproto=yes",
-eval "ac_cv_func_$2_noproto=no"))
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[$1
+struct foo { int foo; } xx;
+extern int $2 (struct foo*);]],[[$2(&xx)]])],
+[eval "ac_cv_func_$2_noproto=yes"],
+[eval "ac_cv_func_$2_noproto=no"]))
 if test "$ac_cv_func_$2_noproto" = yes; then
 	AC_DEFINE(AS_TR_CPP(NEED_[]$2[]_PROTO), 1,
 		[define if the system is missing a prototype for $2()])
diff --git a/crypto/heimdal/cf/osfc2.m4 b/crypto/heimdal/cf/osfc2.m4
index 3ae889b..6366f7a 100644
--- a/crypto/heimdal/cf/osfc2.m4
+++ b/crypto/heimdal/cf/osfc2.m4
@@ -1,10 +1,10 @@
-dnl $Id: osfc2.m4,v 1.3.8.1 2004/04/01 07:27:35 joda Exp $
+dnl $Id: osfc2.m4 14147 2004-08-25 14:14:01Z joda $
 dnl
 dnl enable OSF C2 stuff
 
 AC_DEFUN([AC_CHECK_OSFC2],[
 AC_ARG_ENABLE(osfc2,
-	AC_HELP_STRING([--enable-osfc2],[enable some OSF C2 support]))
+	AS_HELP_STRING([--enable-osfc2],[enable some OSF C2 support]))
 LIB_security=
 if test "$enable_osfc2" = yes; then
 	AC_DEFINE(HAVE_OSFC2, 1, [Define to enable basic OSF C2 support.])
diff --git a/crypto/heimdal/cf/otp.m4 b/crypto/heimdal/cf/otp.m4
index 37265ef..fa6a530 100644
--- a/crypto/heimdal/cf/otp.m4
+++ b/crypto/heimdal/cf/otp.m4
@@ -1,11 +1,11 @@
-dnl $Id: otp.m4,v 1.2 2002/05/19 20:51:08 joda Exp $
+dnl $Id: otp.m4 14147 2004-08-25 14:14:01Z joda $
 dnl
 dnl check requirements for OTP library
 dnl
 AC_DEFUN([rk_OTP],[
 AC_REQUIRE([rk_DB])dnl
 AC_ARG_ENABLE(otp,
-	AC_HELP_STRING([--disable-otp],[if you don't want OTP support]))
+	AS_HELP_STRING([--disable-otp],[if you don't want OTP support]))
 if test "$enable_otp" = yes -a "$db_type" = unknown; then
 	AC_MSG_ERROR([OTP requires a NDBM/DB compatible library])
 fi
diff --git a/crypto/heimdal/cf/proto-compat.m4 b/crypto/heimdal/cf/proto-compat.m4
index a666a55..0da8b25 100644
--- a/crypto/heimdal/cf/proto-compat.m4
+++ b/crypto/heimdal/cf/proto-compat.m4
@@ -1,4 +1,4 @@
-dnl $Id: proto-compat.m4,v 1.3.34.1 2004/04/01 07:27:35 joda Exp $
+dnl $Id: proto-compat.m4 14166 2004-08-26 12:35:42Z joda $
 dnl
 dnl
 dnl Check if the prototype of a function is compatible with another one
@@ -9,10 +9,9 @@ dnl AC_PROTO_COMPAT(includes, function, prototype)
 AC_DEFUN([AC_PROTO_COMPAT], [
 AC_CACHE_CHECK([if $2 is compatible with system prototype],
 ac_cv_func_$2_proto_compat,
-AC_TRY_COMPILE([$1],
-[$3;],
-eval "ac_cv_func_$2_proto_compat=yes",
-eval "ac_cv_func_$2_proto_compat=no"))
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[$1]],[[$3]])],
+[eval "ac_cv_func_$2_proto_compat=yes"],
+[eval "ac_cv_func_$2_proto_compat=no"]))
 define([foo], translit($2, [a-z], [A-Z])[_PROTO_COMPATIBLE])
 if test "$ac_cv_func_$2_proto_compat" = yes; then
 	AC_DEFINE(foo, 1, [define if prototype of $2 is compatible with
diff --git a/crypto/heimdal/cf/pthreads.m4 b/crypto/heimdal/cf/pthreads.m4
new file mode 100644
index 0000000..fd2c81b
--- /dev/null
+++ b/crypto/heimdal/cf/pthreads.m4
@@ -0,0 +1,75 @@
+dnl $Id: pthreads.m4 20295 2007-04-11 11:08:08Z lha $
+
+AC_DEFUN([KRB_PTHREADS], [
+AC_MSG_CHECKING(if compiling threadsafe libraries)
+
+AC_ARG_ENABLE(pthread-support,
+	AS_HELP_STRING([--enable-pthread-support],
+			[if you want thread safe libraries]),
+	[],[enable_pthread_support=maybe])
+
+case "$host" in 
+*-*-solaris2*)
+	native_pthread_support=yes
+	if test "$GCC" = yes; then
+		PTHREADS_CFLAGS=-pthreads
+		PTHREADS_LIBS=-pthreads
+	else
+		PTHREADS_CFLAGS=-mt
+		PTHREADS_LIBS=-mt
+	fi
+	;;
+*-*-netbsd*)
+	native_pthread_support="if running netbsd 1.6T or newer"
+	dnl heim_threads.h knows this
+	PTHREADS_LIBS=""
+	;;
+*-*-freebsd5*)
+	native_pthread_support=yes
+	;;
+*-*-linux* | *-*-linux-gnu)
+	case `uname -r` in
+	2.*)
+		native_pthread_support=yes
+		PTHREADS_CFLAGS=-pthread
+		PTHREADS_LIBS=-pthread
+		;;
+	esac
+	;;
+*-*-aix*)
+	dnl AIX is disabled since we don't handle the utmp/utmpx
+        dnl problems that aix causes when compiling with pthread support
+	native_pthread_support=no
+	;;
+mips-sgi-irix6.[[5-9]])  # maybe works for earlier versions too
+	native_pthread_support=yes
+	PTHREADS_LIBS="-lpthread"
+	;;
+*-*-darwin*)
+	native_pthread_support=yes
+	;;
+*)
+	native_pthread_support=no
+	;;
+esac
+
+if test "$enable_pthread_support" = maybe ; then
+	enable_pthread_support="$native_pthread_support"
+fi
+	
+if test "$enable_pthread_support" != no; then
+    AC_DEFINE(ENABLE_PTHREAD_SUPPORT, 1,
+	[Define if you want have a thread safe libraries])
+    dnl This sucks, but libtool doesn't save the depenecy on -pthread
+    dnl for libraries.
+    LIBS="$PTHREADS_LIBS $LIBS"
+else
+  PTHREADS_CFLAGS=""
+  PTHREADS_LIBS=""
+fi
+
+AC_SUBST(PTHREADS_CFLAGS)
+AC_SUBST(PTHREADS_LIBS)
+
+AC_MSG_RESULT($enable_pthread_support)
+])
diff --git a/crypto/heimdal/cf/resolv.m4 b/crypto/heimdal/cf/resolv.m4
new file mode 100644
index 0000000..8bb5e4e
--- /dev/null
+++ b/crypto/heimdal/cf/resolv.m4
@@ -0,0 +1,109 @@
+dnl stuff used by DNS resolv code in roken
+dnl
+dnl $Id: resolv.m4 16009 2005-09-02 10:17:38Z lha $
+dnl
+
+AC_DEFUN([rk_RESOLV],[
+
+AC_CHECK_HEADERS([arpa/nameser.h])
+
+AC_CHECK_HEADERS(resolv.h, , , [AC_INCLUDES_DEFAULT
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+])
+
+AC_FIND_FUNC(res_search, resolv,
+[
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+],
+[0,0,0,0,0])
+
+AC_FIND_FUNC(res_nsearch, resolv,
+[
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+],
+[0,0,0,0,0,0])
+
+AC_FIND_FUNC(res_ndestroy, resolv,
+[
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+],
+[0])
+
+AC_FIND_FUNC(dn_expand, resolv,
+[
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+],
+[0,0,0,0,0])
+
+rk_CHECK_VAR(_res, 
+[#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif])
+
+])
diff --git a/crypto/heimdal/cf/retsigtype.m4 b/crypto/heimdal/cf/retsigtype.m4
index 465c654..2857bff 100644
--- a/crypto/heimdal/cf/retsigtype.m4
+++ b/crypto/heimdal/cf/retsigtype.m4
@@ -1,5 +1,5 @@
 dnl
-dnl $Id: retsigtype.m4,v 1.1.12.1 2004/04/01 07:27:35 joda Exp $
+dnl $Id: retsigtype.m4 13338 2004-02-12 14:21:14Z lha $
 dnl
 dnl Figure out return type of signal handlers, and define SIGRETURN macro
 dnl that can be used to return from one
diff --git a/crypto/heimdal/cf/roken-frag.m4 b/crypto/heimdal/cf/roken-frag.m4
index 569777a..eccbdbd 100644
--- a/crypto/heimdal/cf/roken-frag.m4
+++ b/crypto/heimdal/cf/roken-frag.m4
@@ -1,4 +1,4 @@
-dnl $Id: roken-frag.m4,v 1.45.2.1 2004/04/01 07:27:35 joda Exp $
+dnl $Id: roken-frag.m4 20639 2007-05-10 17:22:58Z lha $
 dnl
 dnl some code to get roken working
 dnl
@@ -26,7 +26,7 @@ dnl C characteristics
 AC_REQUIRE([AC_C___ATTRIBUTE__])
 AC_REQUIRE([AC_C_INLINE])
 AC_REQUIRE([AC_C_CONST])
-AC_WFLAGS(-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs)
+rk_WFLAGS(-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs)
 
 AC_REQUIRE([rk_DB])
 
@@ -46,37 +46,32 @@ AC_REQUIRE([AC_HEADER_TIME])
 
 AC_CHECK_HEADERS([\
 	arpa/inet.h				\
-	arpa/nameser.h				\
 	config.h				\
 	crypt.h					\
 	dirent.h				\
 	errno.h					\
 	err.h					\
 	fcntl.h					\
+	fnmatch.h				\
 	grp.h					\
 	ifaddrs.h				\
-	net/if.h				\
-	netdb.h					\
 	netinet/in.h				\
 	netinet/in6.h				\
 	netinet/in_systm.h			\
 	netinet6/in6.h				\
-	netinet6/in6_var.h			\
 	paths.h					\
+	poll.h					\
 	pwd.h					\
-	resolv.h				\
 	rpcsvc/ypclnt.h				\
 	shadow.h				\
+	stdint.h				\
 	sys/bswap.h				\
 	sys/ioctl.h				\
 	sys/mman.h				\
 	sys/param.h				\
-	sys/proc.h				\
 	sys/resource.h				\
-	sys/socket.h				\
 	sys/sockio.h				\
 	sys/stat.h				\
-	sys/sysctl.h				\
 	sys/time.h				\
 	sys/tty.h				\
 	sys/types.h				\
@@ -89,95 +84,80 @@ AC_CHECK_HEADERS([\
 	userconf.h				\
 	usersec.h				\
 	util.h					\
-	vis.h					\
 ])
-	
-AC_REQUIRE([CHECK_NETINET_IP_AND_TCP])
-
-AM_CONDITIONAL(have_err_h, test "$ac_cv_header_err_h" = yes)
-AM_CONDITIONAL(have_fnmatch_h, test "$ac_cv_header_fnmatch_h" = yes)
-AM_CONDITIONAL(have_ifaddrs_h, test "$ac_cv_header_ifaddrs_h" = yes)
-AM_CONDITIONAL(have_vis_h, test "$ac_cv_header_vis_h" = yes)
-
-dnl Check for functions and libraries
-
-AC_FIND_FUNC(socket, socket)
-AC_FIND_FUNC(gethostbyname, nsl)
-AC_FIND_FUNC(syslog, syslog)
-
-AC_KRB_IPV6
 
-AC_FIND_FUNC(gethostbyname2, inet6 ip6)
+AC_HAVE_TYPE([uintptr_t],[#ifdef HAVE_STDINT_H
+#include <stdint.h>
+#endif])
 
-AC_FIND_FUNC(res_search, resolv,
-[
-#include <stdio.h>
+dnl Sunpro 5.2 has a vis.h which is something different.
+AC_CHECK_HEADERS(vis.h, , , [
+#include <vis.h>
+#ifndef VIS_SP
+#error invis
+#endif])
+	
+AC_CHECK_HEADERS(netdb.h, , , [AC_INCLUDES_DEFAULT
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
 #endif
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif
-#ifdef HAVE_ARPA_NAMESER_H
-#include <arpa/nameser.h>
-#endif
-#ifdef HAVE_RESOLV_H
-#include <resolv.h>
-#endif
-],
-[0,0,0,0,0])
+])
 
-AC_FIND_FUNC(res_nsearch, resolv,
-[
-#include <stdio.h>
+AC_CHECK_HEADERS(sys/socket.h, , , [AC_INCLUDES_DEFAULT
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
 #endif
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif
-#ifdef HAVE_ARPA_NAMESER_H
-#include <arpa/nameser.h>
-#endif
-#ifdef HAVE_RESOLV_H
-#include <resolv.h>
-#endif
-],
-[0,0,0,0,0,0])
+])
 
-AC_FIND_FUNC(dn_expand, resolv,
-[
-#include <stdio.h>
+AC_CHECK_HEADERS(net/if.h, , , [AC_INCLUDES_DEFAULT
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
 #endif
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif
-#ifdef HAVE_ARPA_NAMESER_H
-#include <arpa/nameser.h>
-#endif
-#ifdef HAVE_RESOLV_H
-#include <resolv.h>
-#endif
-],
-[0,0,0,0,0])
+#if HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif])
 
-rk_CHECK_VAR(_res, 
-[#include <stdio.h>
+AC_CHECK_HEADERS(netinet6/in6_var.h, , , [AC_INCLUDES_DEFAULT
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
 #endif
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
+#if HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
 #endif
-#ifdef HAVE_ARPA_NAMESER_H
-#include <arpa/nameser.h>
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
 #endif
-#ifdef HAVE_RESOLV_H
-#include <resolv.h>
-#endif])
+])
+
+AC_CHECK_HEADERS(sys/sysctl.h, , , [AC_INCLUDES_DEFAULT
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+])
+
+AC_CHECK_HEADERS(sys/proc.h, , , [AC_INCLUDES_DEFAULT
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+])
+
+AC_REQUIRE([CHECK_NETINET_IP_AND_TCP])
 
+AM_CONDITIONAL(have_err_h, test "$ac_cv_header_err_h" = yes)
+AM_CONDITIONAL(have_ifaddrs_h, test "$ac_cv_header_ifaddrs_h" = yes)
+AM_CONDITIONAL(have_vis_h, test "$ac_cv_header_vis_h" = yes)
+
+dnl Check for functions and libraries
+
+AC_FIND_FUNC(socket, socket)
+AC_FIND_FUNC(gethostbyname, nsl)
+AC_FIND_FUNC(syslog, syslog)
+
+AC_KRB_IPV6
+
+AC_FIND_FUNC(gethostbyname2, inet6 ip6)
+
+rk_RESOLV
 
 AC_BROKEN_SNPRINTF
 AC_BROKEN_VSNPRINTF
@@ -201,6 +181,7 @@ AC_CHECK_FUNCS([				\
 	initstate				\
 	issetugid				\
 	on_exit					\
+	poll					\
 	random					\
 	setprogname				\
 	setstate				\
@@ -221,6 +202,7 @@ AC_CHECK_FUNCS([				\
 if test "$ac_cv_func_cgetent" = no; then
 	AC_LIBOBJ(getcap)
 fi
+AM_CONDITIONAL(have_cgetent, test "$ac_cv_func_cgetent" = yes)
 
 AC_REQUIRE([AC_FUNC_GETLOGIN])
 
@@ -298,6 +280,7 @@ AC_FIND_IF_NOT_BROKEN(gai_strerror,,
 AC_BROKEN([					\
 	chown					\
 	copyhostent				\
+	closefrom				\
 	daemon					\
 	ecalloc					\
 	emalloc					\
@@ -353,6 +336,7 @@ AC_BROKEN([					\
 	strtok_r				\
 	strupr					\
 	swab					\
+	timegm					\
 	unsetenv				\
 	verr					\
 	verrx					\
@@ -364,6 +348,9 @@ AC_BROKEN([					\
 	writev					\
 ])
 
+AM_CONDITIONAL(have_fnmatch_h,
+	test "$ac_cv_header_fnmatch_h" = yes -a "$ac_cv_func_fnmatch" = yes)
+
 AC_FOREACH([rk_func], [strndup strsep strtok_r],
 	[AC_NEED_PROTO([#include <string.h>], rk_func)])
 
@@ -424,13 +411,6 @@ dnl
 AC_HAVE_STRUCT_FIELD(struct sockaddr, sa_len, [#include <sys/types.h>
 #include <sys/socket.h>])
 
-if test "$ac_cv_func_getnameinfo" = "yes"; then
-  rk_BROKEN_GETNAMEINFO
-  if test "$ac_cv_func_getnameinfo_broken" = yes; then
-	AC_LIBOBJ(getnameinfo)
-  fi
-fi
-
 if test "$ac_cv_func_getaddrinfo" = "yes"; then
   rk_BROKEN_GETADDRINFO
   if test "$ac_cv_func_getaddrinfo_numserv" = no; then
@@ -444,6 +424,27 @@ AC_NEED_PROTO([#include <stdlib.h>], unsetenv)
 AC_NEED_PROTO([#include <unistd.h>], gethostname)
 AC_NEED_PROTO([#include <unistd.h>], mkstemp)
 AC_NEED_PROTO([#include <unistd.h>], getusershell)
+AC_NEED_PROTO([#include <unistd.h>], daemon)
+AC_NEED_PROTO([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif],
+iruserok)
 
 AC_NEED_PROTO([
 #ifdef HAVE_SYS_TYPES_H
@@ -579,24 +580,11 @@ rk_CHECK_VAR([__progname],
 #include <err.h>
 #endif])
 
-AC_CHECK_DECLARATION([#include <stdlib.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif], optarg)
-AC_CHECK_DECLARATION([#include <stdlib.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif], optind)
-AC_CHECK_DECLARATION([#include <stdlib.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif], opterr)
-AC_CHECK_DECLARATION([#include <stdlib.h>
+AC_CHECK_DECLS([optarg, optind, opterr, optopt, environ],[],[][
+#include <stdlib.h>
 #ifdef HAVE_UNISTD_H
 #include <unistd.h>
-#endif], optopt)
-
-AC_CHECK_DECLARATION([#include <stdlib.h>], environ)
+#endif])
 
 dnl
 dnl Check for fields in struct tm
@@ -612,11 +600,21 @@ dnl
 rk_CHECK_VAR(timezone,[#include <time.h>])
 rk_CHECK_VAR(altzone,[#include <time.h>])
 
-AC_HAVE_TYPE([sa_family_t],[#include <sys/socket.h>])
-AC_HAVE_TYPE([socklen_t],[#include <sys/socket.h>])
-AC_HAVE_TYPE([struct sockaddr], [#include <sys/socket.h>])
-AC_HAVE_TYPE([struct sockaddr_storage], [#include <sys/socket.h>])
-AC_HAVE_TYPE([struct addrinfo], [#include <netdb.h>])
+AC_HAVE_TYPE([sa_family_t],[
+#include <sys/types.h>
+#include <sys/socket.h>])
+AC_HAVE_TYPE([socklen_t],[
+#include <sys/types.h>
+#include <sys/socket.h>])
+AC_HAVE_TYPE([struct sockaddr], [
+#include <sys/types.h>
+#include <sys/socket.h>])
+AC_HAVE_TYPE([struct sockaddr_storage], [
+#include <sys/types.h>
+#include <sys/socket.h>])
+AC_HAVE_TYPE([struct addrinfo], [
+#include <sys/types.h>
+#include <netdb.h>])
 AC_HAVE_TYPE([struct ifaddrs], [#include <ifaddrs.h>])
 AC_HAVE_TYPE([struct iovec],[
 #include <sys/types.h>
@@ -639,6 +637,12 @@ dnl
 
 AC_KRB_STRUCT_SPWD
 
+#
+# Check if we want samba's socket wrapper
+#
+
+samba_SOCKET_WRAPPER
+
 dnl won't work with automake
 dnl moved to AC_OUTPUT in configure.in
 dnl AC_CONFIG_FILES($1/Makefile)
diff --git a/crypto/heimdal/cf/roken.m4 b/crypto/heimdal/cf/roken.m4
index 04a8076..7d8a7e8 100644
--- a/crypto/heimdal/cf/roken.m4
+++ b/crypto/heimdal/cf/roken.m4
@@ -1,4 +1,4 @@
-dnl $Id: roken.m4,v 1.3.8.1 2004/04/01 07:27:35 joda Exp $
+dnl $Id: roken.m4 14162 2004-08-26 11:27:32Z joda $
 dnl
 dnl try to look for an installed roken library with sufficient stuff
 dnl
@@ -10,7 +10,7 @@ dnl AC_ROKEN(version,directory-to-try,roken-dir,fallback-library,fallback-cppfla
 AC_DEFUN([AC_ROKEN], [
 
 AC_ARG_WITH(roken,
-	AC_HELP_STRING([--with-roken=dir],[use the roken library in dir]),
+	AS_HELP_STRING([--with-roken=dir],[use the roken library in dir]),
 [if test "$withval" = "no"; then
   AC_MSG_ERROR(roken is required)
 fi])
@@ -32,13 +32,13 @@ AC_MSG_CHECKING(for roken in $i)
 
 CPPFLAGS="-I$i/include ${CPPFLAGS}"
 
-AC_TRY_CPP(
-[#include <roken.h>
+AC_PREPROC_IFELSE([AC_LANG_SOURCE([[
+#include <roken.h>
 #if ROKEN_VERSION < $1
 #error old roken version, should be $1
 fail
 #endif
-],[roken_installed=yes; break])
+]])],[roken_installed=yes; break])
 
 AC_MSG_RESULT($roken_installed)
 
diff --git a/crypto/heimdal/cf/socket-wrapper.m4 b/crypto/heimdal/cf/socket-wrapper.m4
new file mode 100644
index 0000000..a2b934b
--- /dev/null
+++ b/crypto/heimdal/cf/socket-wrapper.m4
@@ -0,0 +1,16 @@
+dnl $Id: socket-wrapper.m4 18077 2006-09-12 17:33:07Z lha $
+dnl
+AC_DEFUN([samba_SOCKET_WRAPPER], [
+
+AC_ARG_ENABLE(socket-wrapper,
+	AS_HELP_STRING([--enable-socket-wrapper],
+		[use sambas socket-wrapper for testing]))
+
+AM_CONDITIONAL(have_socket_wrapper, test "x$enable_socket_wrapper" = xyes)dnl
+
+if test "x$enable_socket_wrapper" = xyes ; then
+       AC_DEFINE(SOCKET_WRAPPER_REPLACE, 1,
+               [Define if you want to use samba socket wrappers.])
+fi
+
+])
diff --git a/crypto/heimdal/cf/sunos.m4 b/crypto/heimdal/cf/sunos.m4
index 6572d0b..18876f5 100644
--- a/crypto/heimdal/cf/sunos.m4
+++ b/crypto/heimdal/cf/sunos.m4
@@ -1,5 +1,5 @@
 dnl
-dnl $Id: sunos.m4,v 1.2 2002/10/16 14:42:13 joda Exp $
+dnl $Id: sunos.m4 14608 2005-03-01 22:17:44Z lha $
 dnl
 
 AC_DEFUN([rk_SUNOS],[
@@ -11,7 +11,7 @@ case "$host" in
 *-*-solaris2.7)
 	sunos=57
 	;;
-*-*-solaris2.[[89]])
+*-*-solaris2.[[89]] | *-*-solaris2.10)
 	sunos=58
 	;;
 *-*-solaris2*)
diff --git a/crypto/heimdal/cf/telnet.m4 b/crypto/heimdal/cf/telnet.m4
index add065c..b2bef86 100644
--- a/crypto/heimdal/cf/telnet.m4
+++ b/crypto/heimdal/cf/telnet.m4
@@ -1,5 +1,5 @@
 dnl
-dnl $Id: telnet.m4,v 1.1 2002/08/28 19:19:01 joda Exp $
+dnl $Id: telnet.m4 15435 2005-06-16 19:45:52Z lha $
 dnl
 dnl stuff used by telnet
 
@@ -31,11 +31,11 @@ case "$host" in
 	AC_CHECK_FUNC(getmsg)
 	if test "$ac_cv_func_getmsg" = "yes"; then
 		AC_CACHE_CHECK([if getmsg works], ac_cv_func_getmsg_works,
-		AC_TRY_RUN([
+		AC_RUN_IFELSE([AC_LANG_SOURCE([[
 			#include <stdio.h>
 			#include <errno.h>
 
-			int main()
+			int main(int argc, char **argv)
 			{
 			  int ret;
 			  ret = getmsg(open("/dev/null", 0), NULL, NULL, NULL);
@@ -43,9 +43,9 @@ case "$host" in
 			    return 1;
 			  return 0;
 			}
-			], ac_cv_func_getmsg_works=yes, 
-			ac_cv_func_getmsg_works=no,
-			ac_cv_func_getmsg_works=no))
+			]])], [ac_cv_func_getmsg_works=yes], 
+			[ac_cv_func_getmsg_works=no],
+			[ac_cv_func_getmsg_works=no]))
 		if test "$ac_cv_func_getmsg_works" = "yes"; then
 			AC_DEFINE(HAVE_GETMSG, 1,
 				[Define if you have a working getmsg.])
diff --git a/crypto/heimdal/cf/test-package.m4 b/crypto/heimdal/cf/test-package.m4
index dd38e1e..8ef9ef7 100644
--- a/crypto/heimdal/cf/test-package.m4
+++ b/crypto/heimdal/cf/test-package.m4
@@ -1,27 +1,27 @@
-dnl $Id: test-package.m4,v 1.12.4.1 2004/04/01 07:27:35 joda Exp $
+dnl $Id: test-package.m4 14166 2004-08-26 12:35:42Z joda $
 dnl
 dnl rk_TEST_PACKAGE(package,headers,libraries,extra libs,
 dnl			default locations, conditional, config-program)
 
 AC_DEFUN([rk_TEST_PACKAGE],[
 AC_ARG_WITH($1,
-	AC_HELP_STRING([--with-$1=dir],[use $1 in dir]))
+	AS_HELP_STRING([--with-$1=dir],[use $1 in dir]))
 AC_ARG_WITH($1-lib,
-	AC_HELP_STRING([--with-$1-lib=dir],[use $1 libraries in dir]),
+	AS_HELP_STRING([--with-$1-lib=dir],[use $1 libraries in dir]),
 [if test "$withval" = "yes" -o "$withval" = "no"; then
   AC_MSG_ERROR([No argument for --with-$1-lib])
 elif test "X$with_$1" = "X"; then
   with_$1=yes
 fi])
 AC_ARG_WITH($1-include,
-	AC_HELP_STRING([--with-$1-include=dir],[use $1 headers in dir]),
+	AS_HELP_STRING([--with-$1-include=dir],[use $1 headers in dir]),
 [if test "$withval" = "yes" -o "$withval" = "no"; then
   AC_MSG_ERROR([No argument for --with-$1-include])
 elif test "X$with_$1" = "X"; then
   with_$1=yes
 fi])
 AC_ARG_WITH($1-config,
-	AC_HELP_STRING([--with-$1-config=path],[config program for $1]))
+	AS_HELP_STRING([--with-$1-config=path],[config program for $1]))
 
 m4_ifval([$6],
 	m4_define([rk_pkgname], $6),
@@ -68,6 +68,14 @@ $1_cflags=
 $1_libs=
 
 case "$with_$1_config" in
+yes|no|""|"$7")
+	if test -f $with_$1/bin/$7 ; then
+		with_$1_config=$with_$1/bin/$7
+	fi
+	;;
+esac
+
+case "$with_$1_config" in
 yes|no|"")
 	;;
 *)
@@ -83,7 +91,7 @@ if test "$with_$1" != no; then
 	if test "$[]$1_cflags" -a "$[]$1_libs"; then
 		CFLAGS="$[]$1_cflags $save_CFLAGS"
 		LIBS="$[]$1_libs $save_LIBS"
-		AC_TRY_LINK([$2],,[
+		AC_LINK_IFELSE([AC_LANG_PROGRAM([[$2]],[[]])],[
 			INCLUDE_$1="$[]$1_cflags"
 			LIB_$1="$[]$1_libs"
 			AC_MSG_RESULT([from $with_$1_config])
@@ -93,11 +101,11 @@ if test "$with_$1" != no; then
 		ires= lres=
 		for i in $header_dirs; do
 			CFLAGS="-I$i $save_CFLAGS"
-			AC_TRY_COMPILE([$2],,ires=$i;break)
+			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[$2]],[[]])],[ires=$i;break])
 		done
 		for i in $lib_dirs; do
 			LIBS="-L$i $3 $4 $save_LIBS"
-			AC_TRY_LINK([$2],,lres=$i;break)
+			AC_LINK_IFELSE([AC_LANG_PROGRAM([[$2]],[[]])],[lres=$i;break])
 		done
 		if test "$ires" -a "$lres" -a "$with_$1" != "no"; then
 			INCLUDE_$1="-I$ires"
diff --git a/crypto/heimdal/cf/valgrind-suppressions b/crypto/heimdal/cf/valgrind-suppressions
new file mode 100644
index 0000000..1e32042
--- /dev/null
+++ b/crypto/heimdal/cf/valgrind-suppressions
@@ -0,0 +1,84 @@
+# $Id: valgrind-suppressions 21182 2007-06-20 02:57:13Z lha $
+{
+   linux db init brokenness
+   Memcheck:Param
+   pwrite64(buf)
+   fun:do_pwrite64
+   fun:__os_io
+   fun:__memp_pgwrite
+   fun:__memp_fsync
+   fun:__bam_read_root
+   fun:__bam_open
+   fun:__db_dbopen
+   fun:__db_open
+   fun:DB_open
+}
+{
+   linux strerror
+   Memcheck:Leak
+   fun:_vgrZU_libcZdsoZa_malloc
+   fun:rwlock_add_to_list
+   fun:rwlock_have_already
+   fun:pthread_rwlock_rdlock
+   fun:__dcigettext
+   fun:dcgettext
+   fun:strerror_r
+   fun:strerror
+}
+{
+   linux db close brokenness
+   Memcheck:Param
+   pwrite64(buf)
+   fun:do_pwrite64
+   fun:__os_io
+   fun:__memp_pgwrite
+   fun:__memp_fsync
+   fun:__db_sync
+   fun:__db_close
+   fun:DB_close
+}
+{
+   GLIBC 2.1.2 getservbyname defect
+   Memcheck:Leak
+   fun:_vgrZU_libcZdsoZa_malloc
+   fun:strdup
+   obj:*
+   obj:*
+   fun:getservbyname_r@@GLIBC_2.1.2
+   fun:getservbyname
+}
+{
+   glibc getaddrinfo defect
+   Memcheck:Leak
+   fun:_vgrZU_libcZdsoZa_malloc
+   fun:__libc_res_nsend
+   fun:__libc_res_nquery
+   fun:__libc_res_nquerydomain
+   fun:__libc_res_nsearch
+   obj:*
+   fun:gaih_inet
+   fun:getaddrinfo
+}
+{
+   glibc dlopen failure called from /bin/ls
+   Memcheck:Addr4
+   obj:/lib/ld-2.3.6.so
+   obj:/lib/ld-2.3.6.so
+   obj:/lib/ld-2.3.6.so
+}
+{
+   Unknown suppression in runtime link editor
+   Memcheck:Cond
+   obj:/lib/ld-2.5.so
+   obj:/lib/ld-2.5.so
+   obj:/lib/ld-2.5.so
+   obj:/lib/ld-2.5.so
+}
+{
+   Unknown suppression in runtime link editor
+   Memcheck:Addr4
+   obj:/lib/ld-2.5.so
+   obj:/lib/ld-2.5.so
+   obj:/lib/ld-2.5.so
+   obj:/lib/ld-2.5.so
+}
diff --git a/crypto/heimdal/cf/vararray.m4 b/crypto/heimdal/cf/vararray.m4
new file mode 100644
index 0000000..86f58d9
--- /dev/null
+++ b/crypto/heimdal/cf/vararray.m4
@@ -0,0 +1,16 @@
+dnl
+dnl $Id: vararray.m4 14166 2004-08-26 12:35:42Z joda $
+dnl
+dnl Test for variable size arrays.
+dnl
+
+AC_DEFUN([rk_C_VARARRAY], [
+	AC_CACHE_CHECK([if the compiler supports variable-length arrays],[rk_cv_c_vararray],[
+	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]],[[int x = 0; { int y[x]; }]])],
+		[rk_cv_c_vararray=yes],
+		[rk_cv_c_vararray=no])])
+	if test "$rk_cv_c_vararray" = yes; then
+		AC_DEFINE([HAVE_VARIABLE_LENGTH_ARRAY], [1],
+			[Define if your compiler supports variable-length arrays.])
+	fi
+])
diff --git a/crypto/heimdal/cf/version-script.m4 b/crypto/heimdal/cf/version-script.m4
new file mode 100644
index 0000000..342e5ac
--- /dev/null
+++ b/crypto/heimdal/cf/version-script.m4
@@ -0,0 +1,40 @@
+dnl check if ld supports --version-script
+dnl
+AC_DEFUN([rk_VERSIONSCRIPT],[
+AC_CACHE_CHECK(for ld --version-script, rk_cv_version_script,[
+  rk_cv_version_script=no
+
+  cat > conftest.map <<EOF
+HEIM_GSS_V1 {
+        global: gss*;
+};
+HEIM_GSS_V1_1 {
+        global: gss_init_creds;
+} HEIM_GSS_V1;
+EOF
+cat > conftest.c <<EOF
+int gss_init_creds(int foo) { return 0; }
+EOF
+
+  if AC_TRY_COMMAND([${CC-cc} $CFLAGS $LDFLAGS -shared
+                               -o conftest.so conftest.c
+                               -Wl,--version-script,conftest.map]);
+  then
+    rk_cv_version_script=yes
+  fi
+rm -f conftest*
+])
+
+if test $rk_cv_version_script = yes ; then
+  doversioning=yes
+  LDFLAGS_VERSION_SCRIPT="-Wl,--version-script,"
+else
+  doversioning=no
+  LDFLAGS_VERSION_SCRIPT=
+fi
+AC_SUBST(VERSIONING)
+
+AM_CONDITIONAL(versionscript,test $doversioning = yes)
+AC_SUBST(LDFLAGS_VERSION_SCRIPT)
+
+])
\ No newline at end of file
diff --git a/crypto/heimdal/cf/wflags.m4 b/crypto/heimdal/cf/wflags.m4
index 4051f29..d099151 100644
--- a/crypto/heimdal/cf/wflags.m4
+++ b/crypto/heimdal/cf/wflags.m4
@@ -1,8 +1,15 @@
-dnl $Id: wflags.m4,v 1.3.34.1 2004/04/01 07:27:35 joda Exp $
+dnl $Id: wflags.m4 21183 2007-06-20 03:07:07Z lha $
 dnl
 dnl set WFLAGS
 
-AC_DEFUN([AC_WFLAGS],[
+AC_DEFUN([rk_WFLAGS],[
+
+AC_ARG_ENABLE(developer, 
+	AS_HELP_STRING([--enable-developer], [enable developer warnings]))
+if test "X$enable_developer" = Xyes; then
+    dwflags="-Werror"
+fi
+
 WFLAGS_NOUNUSED=""
 WFLAGS_NOIMPLICITINT=""
 if test -z "$WFLAGS" -a "$GCC" = "yes"; then
@@ -11,7 +18,7 @@ if test -z "$WFLAGS" -a "$GCC" = "yes"; then
   #   -Wcast-align doesn't work well on alpha osf/1
   #   -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast
   #   -Wmissing-declarations -Wnested-externs
-  WFLAGS="ifelse($#, 0,-Wall, $1)"
+  WFLAGS="ifelse($#, 0,-Wall, $1) $dwflags"
   WFLAGS_NOUNUSED="-Wno-unused"
   WFLAGS_NOIMPLICITINT="-Wno-implicit-int"
 fi
diff --git a/crypto/heimdal/cf/win32.m4 b/crypto/heimdal/cf/win32.m4
new file mode 100644
index 0000000..0687ff7
--- /dev/null
+++ b/crypto/heimdal/cf/win32.m4
@@ -0,0 +1,12 @@
+dnl $Id: win32.m4 13709 2004-04-13 14:29:47Z lha $
+dnl rk_WIN32_EXPORT buildsymbol symbol-that-export
+AC_DEFUN([rk_WIN32_EXPORT],[AH_TOP([#ifdef $1
+#ifndef $2
+#ifdef _WIN32_
+#define $2 _export _stdcall
+#else
+#define $2
+#endif
+#endif
+#endif
+])])
diff --git a/crypto/heimdal/cf/with-all.m4 b/crypto/heimdal/cf/with-all.m4
index 1b9d39f..d518b45 100644
--- a/crypto/heimdal/cf/with-all.m4
+++ b/crypto/heimdal/cf/with-all.m4
@@ -1,16 +1,16 @@
 dnl
-dnl $Id: with-all.m4,v 1.1 2001/08/29 17:01:23 assar Exp $
+dnl $Id: with-all.m4 14147 2004-08-25 14:14:01Z joda $
 dnl
 
 dnl AC_WITH_ALL(name)
 
 AC_DEFUN([AC_WITH_ALL], [
 AC_ARG_WITH($1,
-	AC_HELP_STRING([--with-$1=dir],
+	AS_HELP_STRING([--with-$1=dir],
 		[use $1 in dir]))
 
 AC_ARG_WITH($1-lib,
-	AC_HELP_STRING([--with-$1-lib=dir],
+	AS_HELP_STRING([--with-$1-lib=dir],
 		[use $1 libraries in dir]),
 [if test "$withval" = "yes" -o "$withval" = "no"; then
   AC_MSG_ERROR([No argument for --with-$1-lib])
@@ -19,7 +19,7 @@ elif test "X$with_$1" = "X"; then
 fi])
 
 AC_ARG_WITH($1-include,
-	AC_HELP_STRING([--with-$1-include=dir],
+	AS_HELP_STRING([--with-$1-include=dir],
 		[use $1 headers in dir]),
 [if test "$withval" = "yes" -o "$withval" = "no"; then
   AC_MSG_ERROR([No argument for --with-$1-include])
diff --git a/crypto/heimdal/compile b/crypto/heimdal/compile
index a81e000..1b1d232 100755
--- a/crypto/heimdal/compile
+++ b/crypto/heimdal/compile
@@ -1,9 +1,9 @@
 #! /bin/sh
 # Wrapper for compilers which do not understand `-c -o'.
 
-scriptversion=2003-11-09.00
+scriptversion=2005-05-14.22
 
-# Copyright (C) 1999, 2000, 2003 Free Software Foundation, Inc.
+# Copyright (C) 1999, 2000, 2003, 2004, 2005 Free Software Foundation, Inc.
 # Written by Tom Tromey <tromey@cygnus.com>.
 #
 # This program is free software; you can redistribute it and/or modify
@@ -18,7 +18,7 @@ scriptversion=2003-11-09.00
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -47,45 +47,49 @@ right script to run: please start by reading the file `INSTALL'.
 
 Report bugs to <bug-automake@gnu.org>.
 EOF
-    exit 0
+    exit $?
     ;;
   -v | --v*)
     echo "compile $scriptversion"
-    exit 0
+    exit $?
     ;;
 esac
 
-
-prog=$1
-shift
-
 ofile=
 cfile=
-args=
-while test $# -gt 0; do
-  case "$1" in
-    -o)
-      # configure might choose to run compile as `compile cc -o foo foo.c'.
-      # So we do something ugly here.
-      ofile=$2
-      shift
-      case "$ofile" in
-	*.o | *.obj)
-	  ;;
-	*)
-	  args="$args -o $ofile"
-	  ofile=
-	  ;;
-      esac
-       ;;
-    *.c)
-      cfile=$1
-      args="$args $1"
-      ;;
-    *)
-      args="$args $1"
-      ;;
-  esac
+eat=
+
+for arg
+do
+  if test -n "$eat"; then
+    eat=
+  else
+    case $1 in
+      -o)
+	# configure might choose to run compile as `compile cc -o foo foo.c'.
+	# So we strip `-o arg' only if arg is an object.
+	eat=1
+	case $2 in
+	  *.o | *.obj)
+	    ofile=$2
+	    ;;
+	  *)
+	    set x "$@" -o "$2"
+	    shift
+	    ;;
+	esac
+	;;
+      *.c)
+	cfile=$1
+	set x "$@" "$1"
+	shift
+	;;
+      *)
+	set x "$@" "$1"
+	shift
+	;;
+    esac
+  fi
   shift
 done
 
@@ -95,36 +99,38 @@ if test -z "$ofile" || test -z "$cfile"; then
   # normal compilation that the losing compiler can handle.  If no
   # `.c' file was seen then we are probably linking.  That is also
   # ok.
-  exec "$prog" $args
+  exec "$@"
 fi
 
 # Name of file we expect compiler to create.
-cofile=`echo $cfile | sed -e 's|^.*/||' -e 's/\.c$/.o/'`
+cofile=`echo "$cfile" | sed -e 's|^.*/||' -e 's/\.c$/.o/'`
 
 # Create the lock directory.
 # Note: use `[/.-]' here to ensure that we don't use the same name
 # that we are using for the .o file.  Also, base the name on the expected
 # object file name, since that is what matters with a parallel build.
-lockdir=`echo $cofile | sed -e 's|[/.-]|_|g'`.d
+lockdir=`echo "$cofile" | sed -e 's|[/.-]|_|g'`.d
 while true; do
-  if mkdir $lockdir > /dev/null 2>&1; then
+  if mkdir "$lockdir" >/dev/null 2>&1; then
     break
   fi
   sleep 1
 done
 # FIXME: race condition here if user kills between mkdir and trap.
-trap "rmdir $lockdir; exit 1" 1 2 15
+trap "rmdir '$lockdir'; exit 1" 1 2 15
 
 # Run the compile.
-"$prog" $args
-status=$?
+"$@"
+ret=$?
 
 if test -f "$cofile"; then
   mv "$cofile" "$ofile"
+elif test -f "${cofile}bj"; then
+  mv "${cofile}bj" "$ofile"
 fi
 
-rmdir $lockdir
-exit $status
+rmdir "$lockdir"
+exit $ret
 
 # Local Variables:
 # mode: shell-script
diff --git a/crypto/heimdal/config.guess b/crypto/heimdal/config.guess
index 0773d0f..396482d 100755
--- a/crypto/heimdal/config.guess
+++ b/crypto/heimdal/config.guess
@@ -1,9 +1,10 @@
 #! /bin/sh
 # Attempt to guess a canonical system name.
 #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003 Free Software Foundation, Inc.
+#   2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
+#   Inc.
 
-timestamp='2004-03-03'
+timestamp='2006-07-02'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -17,13 +18,15 @@ timestamp='2004-03-03'
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
+# 02110-1301, USA.
 #
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
 # configuration script generated by Autoconf, you may include it under
 # the same distribution terms that you use for the rest of that program.
 
+
 # Originally written by Per Bothner <per@bothner.com>.
 # Please send patches to <config-patches@gnu.org>.  Submit a context
 # diff and a properly formatted ChangeLog entry.
@@ -53,7 +56,7 @@ version="\
 GNU config.guess ($timestamp)
 
 Originally written by Per Bothner.
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
 Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
@@ -66,11 +69,11 @@ Try \`$me --help' for more information."
 while test $# -gt 0 ; do
   case $1 in
     --time-stamp | --time* | -t )
-       echo "$timestamp" ; exit 0 ;;
+       echo "$timestamp" ; exit ;;
     --version | -v )
-       echo "$version" ; exit 0 ;;
+       echo "$version" ; exit ;;
     --help | --h* | -h )
-       echo "$usage"; exit 0 ;;
+       echo "$usage"; exit ;;
     -- )     # Stop option processing
        shift; break ;;
     - )	# Use stdin as input.
@@ -104,7 +107,7 @@ set_cc_for_build='
 trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ;
 trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ;
 : ${TMPDIR=/tmp} ;
- { tmp=`(umask 077 && mktemp -d -q "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } ||
+ { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } ||
  { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } ||
  { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } ||
  { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ;
@@ -123,7 +126,7 @@ case $CC_FOR_BUILD,$HOST_CC,$CC in
 	;;
  ,,*)   CC_FOR_BUILD=$CC ;;
  ,*,*)  CC_FOR_BUILD=$HOST_CC ;;
-esac ;'
+esac ; set_cc_for_build= ;'
 
 # This is needed to find uname on a Pyramid OSx when run in the BSD universe.
 # (ghazi@noc.rutgers.edu 1994-08-24)
@@ -196,64 +199,23 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	# contains redundant information, the shorter form:
 	# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
 	echo "${machine}-${os}${release}"
-	exit 0 ;;
-    amd64:OpenBSD:*:*)
-	echo x86_64-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    amiga:OpenBSD:*:*)
-	echo m68k-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    arc:OpenBSD:*:*)
-	echo mipsel-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    cats:OpenBSD:*:*)
-	echo arm-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    hp300:OpenBSD:*:*)
-	echo m68k-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    mac68k:OpenBSD:*:*)
-	echo m68k-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    macppc:OpenBSD:*:*)
-	echo powerpc-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    mvme68k:OpenBSD:*:*)
-	echo m68k-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    mvme88k:OpenBSD:*:*)
-	echo m88k-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    mvmeppc:OpenBSD:*:*)
-	echo powerpc-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    pegasos:OpenBSD:*:*)
-	echo powerpc-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    pmax:OpenBSD:*:*)
-	echo mipsel-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    sgi:OpenBSD:*:*)
-	echo mipseb-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    sun3:OpenBSD:*:*)
-	echo m68k-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    wgrisc:OpenBSD:*:*)
-	echo mipsel-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     *:OpenBSD:*:*)
-	echo ${UNAME_MACHINE}-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
+	UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
+	echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
+	exit ;;
     *:ekkoBSD:*:*)
 	echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
+    *:SolidBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-solidbsd${UNAME_RELEASE}
+	exit ;;
     macppc:MirBSD:*:*)
-	echo powerppc-unknown-mirbsd${UNAME_RELEASE}
-	exit 0 ;;
+	echo powerpc-unknown-mirbsd${UNAME_RELEASE}
+	exit ;;
     *:MirBSD:*:*)
 	echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     alpha:OSF1:*:*)
 	case $UNAME_RELEASE in
 	*4.0)
@@ -306,40 +268,43 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	# A Xn.n version is an unreleased experimental baselevel.
 	# 1.2 uses "1.2" for uname -r.
 	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
-	exit 0 ;;
-    Alpha*:OpenVMS:*:*)
-	echo alpha-hp-vms
-	exit 0 ;;
+	exit ;;
     Alpha\ *:Windows_NT*:*)
 	# How do we know it's Interix rather than the generic POSIX subsystem?
 	# Should we change UNAME_MACHINE based on the output of uname instead
 	# of the specific Alpha model?
 	echo alpha-pc-interix
-	exit 0 ;;
+	exit ;;
     21064:Windows_NT:50:3)
 	echo alpha-dec-winnt3.5
-	exit 0 ;;
+	exit ;;
     Amiga*:UNIX_System_V:4.0:*)
 	echo m68k-unknown-sysv4
-	exit 0;;
+	exit ;;
     *:[Aa]miga[Oo][Ss]:*:*)
 	echo ${UNAME_MACHINE}-unknown-amigaos
-	exit 0 ;;
+	exit ;;
     *:[Mm]orph[Oo][Ss]:*:*)
 	echo ${UNAME_MACHINE}-unknown-morphos
-	exit 0 ;;
+	exit ;;
     *:OS/390:*:*)
 	echo i370-ibm-openedition
-	exit 0 ;;
+	exit ;;
+    *:z/VM:*:*)
+	echo s390-ibm-zvmoe
+	exit ;;
     *:OS400:*:*)
         echo powerpc-ibm-os400
-	exit 0 ;;
+	exit ;;
     arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
 	echo arm-acorn-riscix${UNAME_RELEASE}
-	exit 0;;
+	exit ;;
+    arm:riscos:*:*|arm:RISCOS:*:*)
+	echo arm-unknown-riscos
+	exit ;;
     SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
 	echo hppa1.1-hitachi-hiuxmpp
-	exit 0;;
+	exit ;;
     Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*)
 	# akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
 	if test "`(/bin/universe) 2>/dev/null`" = att ; then
@@ -347,32 +312,32 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	else
 		echo pyramid-pyramid-bsd
 	fi
-	exit 0 ;;
+	exit ;;
     NILE*:*:*:dcosx)
 	echo pyramid-pyramid-svr4
-	exit 0 ;;
+	exit ;;
     DRS?6000:unix:4.0:6*)
 	echo sparc-icl-nx6
-	exit 0 ;;
-    DRS?6000:UNIX_SV:4.2*:7*)
+	exit ;;
+    DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*)
 	case `/usr/bin/uname -p` in
-	    sparc) echo sparc-icl-nx7 && exit 0 ;;
+	    sparc) echo sparc-icl-nx7; exit ;;
 	esac ;;
     sun4H:SunOS:5.*:*)
 	echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit 0 ;;
+	exit ;;
     sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
 	echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit 0 ;;
+	exit ;;
     i86pc:SunOS:5.*:*)
 	echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit 0 ;;
+	exit ;;
     sun4*:SunOS:6*:*)
 	# According to config.sub, this is the proper way to canonicalize
 	# SunOS6.  Hard to guess exactly what SunOS6 will be like, but
 	# it's likely to be more like Solaris than SunOS4.
 	echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit 0 ;;
+	exit ;;
     sun4*:SunOS:*:*)
 	case "`/usr/bin/arch -k`" in
 	    Series*|S4*)
@@ -381,10 +346,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	esac
 	# Japanese Language versions have a version number like `4.1.3-JL'.
 	echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
-	exit 0 ;;
+	exit ;;
     sun3*:SunOS:*:*)
 	echo m68k-sun-sunos${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     sun*:*:4.2BSD:*)
 	UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
 	test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
@@ -396,10 +361,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 		echo sparc-sun-sunos${UNAME_RELEASE}
 		;;
 	esac
-	exit 0 ;;
+	exit ;;
     aushp:SunOS:*:*)
 	echo sparc-auspex-sunos${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     # The situation for MiNT is a little confusing.  The machine name
     # can be virtually everything (everything which is not
     # "atarist" or "atariste" at least should have a processor
@@ -410,40 +375,40 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
     # be no problem.
     atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
         echo m68k-atari-mint${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
 	echo m68k-atari-mint${UNAME_RELEASE}
-        exit 0 ;;
+        exit ;;
     *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
         echo m68k-atari-mint${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
         echo m68k-milan-mint${UNAME_RELEASE}
-        exit 0 ;;
+        exit ;;
     hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
         echo m68k-hades-mint${UNAME_RELEASE}
-        exit 0 ;;
+        exit ;;
     *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
         echo m68k-unknown-mint${UNAME_RELEASE}
-        exit 0 ;;
+        exit ;;
     m68k:machten:*:*)
 	echo m68k-apple-machten${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     powerpc:machten:*:*)
 	echo powerpc-apple-machten${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     RISC*:Mach:*:*)
 	echo mips-dec-mach_bsd4.3
-	exit 0 ;;
+	exit ;;
     RISC*:ULTRIX:*:*)
 	echo mips-dec-ultrix${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     VAX*:ULTRIX*:*:*)
 	echo vax-dec-ultrix${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     2020:CLIX:*:* | 2430:CLIX:*:*)
 	echo clipper-intergraph-clix${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     mips:*:*:UMIPS | mips:*:*:RISCos)
 	eval $set_cc_for_build
 	sed 's/^	//' << EOF >$dummy.c
@@ -467,32 +432,33 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	  exit (-1);
 	}
 EOF
-	$CC_FOR_BUILD -o $dummy $dummy.c \
-	  && $dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \
-	  && exit 0
+	$CC_FOR_BUILD -o $dummy $dummy.c &&
+	  dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` &&
+	  SYSTEM_NAME=`$dummy $dummyarg` &&
+	    { echo "$SYSTEM_NAME"; exit; }
 	echo mips-mips-riscos${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     Motorola:PowerMAX_OS:*:*)
 	echo powerpc-motorola-powermax
-	exit 0 ;;
+	exit ;;
     Motorola:*:4.3:PL8-*)
 	echo powerpc-harris-powermax
-	exit 0 ;;
+	exit ;;
     Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*)
 	echo powerpc-harris-powermax
-	exit 0 ;;
+	exit ;;
     Night_Hawk:Power_UNIX:*:*)
 	echo powerpc-harris-powerunix
-	exit 0 ;;
+	exit ;;
     m88k:CX/UX:7*:*)
 	echo m88k-harris-cxux7
-	exit 0 ;;
+	exit ;;
     m88k:*:4*:R4*)
 	echo m88k-motorola-sysv4
-	exit 0 ;;
+	exit ;;
     m88k:*:3*:R3*)
 	echo m88k-motorola-sysv3
-	exit 0 ;;
+	exit ;;
     AViiON:dgux:*:*)
         # DG/UX returns AViiON for all architectures
         UNAME_PROCESSOR=`/usr/bin/uname -p`
@@ -508,29 +474,29 @@ EOF
 	else
 	    echo i586-dg-dgux${UNAME_RELEASE}
 	fi
- 	exit 0 ;;
+ 	exit ;;
     M88*:DolphinOS:*:*)	# DolphinOS (SVR3)
 	echo m88k-dolphin-sysv3
-	exit 0 ;;
+	exit ;;
     M88*:*:R3*:*)
 	# Delta 88k system running SVR3
 	echo m88k-motorola-sysv3
-	exit 0 ;;
+	exit ;;
     XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
 	echo m88k-tektronix-sysv3
-	exit 0 ;;
+	exit ;;
     Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
 	echo m68k-tektronix-bsd
-	exit 0 ;;
+	exit ;;
     *:IRIX*:*:*)
 	echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
-	exit 0 ;;
+	exit ;;
     ????????:AIX?:[12].1:2)   # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
-	echo romp-ibm-aix      # uname -m gives an 8 hex-code CPU id
-	exit 0 ;;              # Note that: echo "'`uname -s`'" gives 'AIX '
+	echo romp-ibm-aix     # uname -m gives an 8 hex-code CPU id
+	exit ;;               # Note that: echo "'`uname -s`'" gives 'AIX '
     i*86:AIX:*:*)
 	echo i386-ibm-aix
-	exit 0 ;;
+	exit ;;
     ia64:AIX:*:*)
 	if [ -x /usr/bin/oslevel ] ; then
 		IBM_REV=`/usr/bin/oslevel`
@@ -538,7 +504,7 @@ EOF
 		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
 	fi
 	echo ${UNAME_MACHINE}-ibm-aix${IBM_REV}
-	exit 0 ;;
+	exit ;;
     *:AIX:2:3)
 	if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
 		eval $set_cc_for_build
@@ -553,14 +519,18 @@ EOF
 			exit(0);
 			}
 EOF
-		$CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0
-		echo rs6000-ibm-aix3.2.5
+		if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy`
+		then
+			echo "$SYSTEM_NAME"
+		else
+			echo rs6000-ibm-aix3.2.5
+		fi
 	elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
 		echo rs6000-ibm-aix3.2.4
 	else
 		echo rs6000-ibm-aix3.2
 	fi
-	exit 0 ;;
+	exit ;;
     *:AIX:*:[45])
 	IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
 	if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
@@ -574,28 +544,28 @@ EOF
 		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
 	fi
 	echo ${IBM_ARCH}-ibm-aix${IBM_REV}
-	exit 0 ;;
+	exit ;;
     *:AIX:*:*)
 	echo rs6000-ibm-aix
-	exit 0 ;;
+	exit ;;
     ibmrt:4.4BSD:*|romp-ibm:BSD:*)
 	echo romp-ibm-bsd4.4
-	exit 0 ;;
+	exit ;;
     ibmrt:*BSD:*|romp-ibm:BSD:*)            # covers RT/PC BSD and
 	echo romp-ibm-bsd${UNAME_RELEASE}   # 4.3 with uname added to
-	exit 0 ;;                           # report: romp-ibm BSD 4.3
+	exit ;;                             # report: romp-ibm BSD 4.3
     *:BOSX:*:*)
 	echo rs6000-bull-bosx
-	exit 0 ;;
+	exit ;;
     DPX/2?00:B.O.S.:*:*)
 	echo m68k-bull-sysv3
-	exit 0 ;;
+	exit ;;
     9000/[34]??:4.3bsd:1.*:*)
 	echo m68k-hp-bsd
-	exit 0 ;;
+	exit ;;
     hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
 	echo m68k-hp-bsd4.4
-	exit 0 ;;
+	exit ;;
     9000/[34678]??:HP-UX:*:*)
 	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
 	case "${UNAME_MACHINE}" in
@@ -657,9 +627,19 @@ EOF
 	esac
 	if [ ${HP_ARCH} = "hppa2.0w" ]
 	then
-	    # avoid double evaluation of $set_cc_for_build
-	    test -n "$CC_FOR_BUILD" || eval $set_cc_for_build
-	    if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E -) | grep __LP64__ >/dev/null
+	    eval $set_cc_for_build
+
+	    # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating
+	    # 32-bit code.  hppa64-hp-hpux* has the same kernel and a compiler
+	    # generating 64-bit code.  GNU and HP use different nomenclature:
+	    #
+	    # $ CC_FOR_BUILD=cc ./config.guess
+	    # => hppa2.0w-hp-hpux11.23
+	    # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess
+	    # => hppa64-hp-hpux11.23
+
+	    if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) |
+		grep __LP64__ >/dev/null
 	    then
 		HP_ARCH="hppa2.0w"
 	    else
@@ -667,11 +647,11 @@ EOF
 	    fi
 	fi
 	echo ${HP_ARCH}-hp-hpux${HPUX_REV}
-	exit 0 ;;
+	exit ;;
     ia64:HP-UX:*:*)
 	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
 	echo ia64-hp-hpux${HPUX_REV}
-	exit 0 ;;
+	exit ;;
     3050*:HI-UX:*:*)
 	eval $set_cc_for_build
 	sed 's/^	//' << EOF >$dummy.c
@@ -699,163 +679,179 @@ EOF
 	  exit (0);
 	}
 EOF
-	$CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0
+	$CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` &&
+		{ echo "$SYSTEM_NAME"; exit; }
 	echo unknown-hitachi-hiuxwe2
-	exit 0 ;;
+	exit ;;
     9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
 	echo hppa1.1-hp-bsd
-	exit 0 ;;
+	exit ;;
     9000/8??:4.3bsd:*:*)
 	echo hppa1.0-hp-bsd
-	exit 0 ;;
+	exit ;;
     *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*)
 	echo hppa1.0-hp-mpeix
-	exit 0 ;;
+	exit ;;
     hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
 	echo hppa1.1-hp-osf
-	exit 0 ;;
+	exit ;;
     hp8??:OSF1:*:*)
 	echo hppa1.0-hp-osf
-	exit 0 ;;
+	exit ;;
     i*86:OSF1:*:*)
 	if [ -x /usr/sbin/sysversion ] ; then
 	    echo ${UNAME_MACHINE}-unknown-osf1mk
 	else
 	    echo ${UNAME_MACHINE}-unknown-osf1
 	fi
-	exit 0 ;;
+	exit ;;
     parisc*:Lites*:*:*)
 	echo hppa1.1-hp-lites
-	exit 0 ;;
+	exit ;;
     C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
 	echo c1-convex-bsd
-        exit 0 ;;
+        exit ;;
     C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
 	if getsysinfo -f scalar_acc
 	then echo c32-convex-bsd
 	else echo c2-convex-bsd
 	fi
-        exit 0 ;;
+        exit ;;
     C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
 	echo c34-convex-bsd
-        exit 0 ;;
+        exit ;;
     C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
 	echo c38-convex-bsd
-        exit 0 ;;
+        exit ;;
     C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
 	echo c4-convex-bsd
-        exit 0 ;;
+        exit ;;
     CRAY*Y-MP:*:*:*)
 	echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
-	exit 0 ;;
+	exit ;;
     CRAY*[A-Z]90:*:*:*)
 	echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
 	| sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
 	      -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \
 	      -e 's/\.[^.]*$/.X/'
-	exit 0 ;;
+	exit ;;
     CRAY*TS:*:*:*)
 	echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
-	exit 0 ;;
+	exit ;;
     CRAY*T3E:*:*:*)
 	echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
-	exit 0 ;;
+	exit ;;
     CRAY*SV1:*:*:*)
 	echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
-	exit 0 ;;
+	exit ;;
     *:UNICOS/mp:*:*)
-	echo nv1-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
-	exit 0 ;;
+	echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
     F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
 	FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
         FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
         FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
         echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
-        exit 0 ;;
+        exit ;;
     5000:UNIX_System_V:4.*:*)
         FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
         FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
         echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
-	exit 0 ;;
+	exit ;;
     i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
 	echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     sparc*:BSD/OS:*:*)
 	echo sparc-unknown-bsdi${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     *:BSD/OS:*:*)
 	echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     *:FreeBSD:*:*)
-	# Determine whether the default compiler uses glibc.
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-	#include <features.h>
-	#if __GLIBC__ >= 2
-	LIBC=gnu
-	#else
-	LIBC=
-	#endif
-EOF
-	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
-	# GNU/KFreeBSD systems have a "k" prefix to indicate we are using
-	# FreeBSD's kernel, but not the complete OS.
-	case ${LIBC} in gnu) kernel_only='k' ;; esac
-	echo ${UNAME_MACHINE}-unknown-${kernel_only}freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`${LIBC:+-$LIBC}
-	exit 0 ;;
+	case ${UNAME_MACHINE} in
+	    pc98)
+		echo i386-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
+	    amd64)
+		echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
+	    *)
+		echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
+	esac
+	exit ;;
     i*:CYGWIN*:*)
 	echo ${UNAME_MACHINE}-pc-cygwin
-	exit 0 ;;
+	exit ;;
     i*:MINGW*:*)
 	echo ${UNAME_MACHINE}-pc-mingw32
-	exit 0 ;;
+	exit ;;
+    i*:windows32*:*)
+    	# uname -m includes "-pc" on this system.
+    	echo ${UNAME_MACHINE}-mingw32
+	exit ;;
     i*:PW*:*)
 	echo ${UNAME_MACHINE}-pc-pw32
-	exit 0 ;;
-    x86:Interix*:[34]*)
-	echo i586-pc-interix${UNAME_RELEASE}|sed -e 's/\..*//'
-	exit 0 ;;
+	exit ;;
+    x86:Interix*:[3456]*)
+	echo i586-pc-interix${UNAME_RELEASE}
+	exit ;;
+    EM64T:Interix*:[3456]*)
+	echo x86_64-unknown-interix${UNAME_RELEASE}
+	exit ;;
     [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
 	echo i${UNAME_MACHINE}-pc-mks
-	exit 0 ;;
+	exit ;;
     i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
 	# How do we know it's Interix rather than the generic POSIX subsystem?
 	# It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
 	# UNAME_MACHINE based on the output of uname instead of i386?
 	echo i586-pc-interix
-	exit 0 ;;
+	exit ;;
     i*:UWIN*:*)
 	echo ${UNAME_MACHINE}-pc-uwin
-	exit 0 ;;
+	exit ;;
+    amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*)
+	echo x86_64-unknown-cygwin
+	exit ;;
     p*:CYGWIN*:*)
 	echo powerpcle-unknown-cygwin
-	exit 0 ;;
+	exit ;;
     prep*:SunOS:5.*:*)
 	echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit 0 ;;
+	exit ;;
     *:GNU:*:*)
 	# the GNU system
 	echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
-	exit 0 ;;
+	exit ;;
     *:GNU/*:*:*)
 	# other systems with GNU libc and userland
 	echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu
-	exit 0 ;;
+	exit ;;
     i*86:Minix:*:*)
 	echo ${UNAME_MACHINE}-pc-minix
-	exit 0 ;;
+	exit ;;
     arm*:Linux:*:*)
 	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit 0 ;;
+	exit ;;
+    avr32*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
     cris:Linux:*:*)
 	echo cris-axis-linux-gnu
-	exit 0 ;;
+	exit ;;
+    crisv32:Linux:*:*)
+	echo crisv32-axis-linux-gnu
+	exit ;;
+    frv:Linux:*:*)
+    	echo frv-unknown-linux-gnu
+	exit ;;
     ia64:Linux:*:*)
 	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit 0 ;;
+	exit ;;
+    m32r*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
     m68*:Linux:*:*)
 	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit 0 ;;
+	exit ;;
     mips:Linux:*:*)
 	eval $set_cc_for_build
 	sed 's/^	//' << EOF >$dummy.c
@@ -872,8 +868,12 @@ EOF
 	#endif
 	#endif
 EOF
-	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
-	test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0
+	eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
+	    /^CPU/{
+		s: ::g
+		p
+	    }'`"
+	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
 	;;
     mips64:Linux:*:*)
 	eval $set_cc_for_build
@@ -891,15 +891,22 @@ EOF
 	#endif
 	#endif
 EOF
-	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
-	test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0
+	eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
+	    /^CPU/{
+		s: ::g
+		p
+	    }'`"
+	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
 	;;
+    or32:Linux:*:*)
+	echo or32-unknown-linux-gnu
+	exit ;;
     ppc:Linux:*:*)
 	echo powerpc-unknown-linux-gnu
-	exit 0 ;;
+	exit ;;
     ppc64:Linux:*:*)
 	echo powerpc64-unknown-linux-gnu
-	exit 0 ;;
+	exit ;;
     alpha:Linux:*:*)
 	case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
 	  EV5)   UNAME_MACHINE=alphaev5 ;;
@@ -913,7 +920,7 @@ EOF
 	objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null
 	if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
 	echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
-	exit 0 ;;
+	exit ;;
     parisc:Linux:*:* | hppa:Linux:*:*)
 	# Look for CPU level
 	case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
@@ -921,25 +928,28 @@ EOF
 	  PA8*) echo hppa2.0-unknown-linux-gnu ;;
 	  *)    echo hppa-unknown-linux-gnu ;;
 	esac
-	exit 0 ;;
+	exit ;;
     parisc64:Linux:*:* | hppa64:Linux:*:*)
 	echo hppa64-unknown-linux-gnu
-	exit 0 ;;
+	exit ;;
     s390:Linux:*:* | s390x:Linux:*:*)
 	echo ${UNAME_MACHINE}-ibm-linux
-	exit 0 ;;
+	exit ;;
     sh64*:Linux:*:*)
     	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit 0 ;;
+	exit ;;
     sh*:Linux:*:*)
 	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit 0 ;;
+	exit ;;
     sparc:Linux:*:* | sparc64:Linux:*:*)
 	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit 0 ;;
+	exit ;;
+    vax:Linux:*:*)
+	echo ${UNAME_MACHINE}-dec-linux-gnu
+	exit ;;
     x86_64:Linux:*:*)
 	echo x86_64-unknown-linux-gnu
-	exit 0 ;;
+	exit ;;
     i*86:Linux:*:*)
 	# The BFD linker knows what the default object file format is, so
 	# first see if it will tell us. cd to the root directory to prevent
@@ -957,15 +967,15 @@ EOF
 		;;
 	  a.out-i386-linux)
 		echo "${UNAME_MACHINE}-pc-linux-gnuaout"
-		exit 0 ;;
+		exit ;;
 	  coff-i386)
 		echo "${UNAME_MACHINE}-pc-linux-gnucoff"
-		exit 0 ;;
+		exit ;;
 	  "")
 		# Either a pre-BFD a.out linker (linux-gnuoldld) or
 		# one that does not give us useful --help.
 		echo "${UNAME_MACHINE}-pc-linux-gnuoldld"
-		exit 0 ;;
+		exit ;;
 	esac
 	# Determine whether the default compiler is a.out or elf
 	eval $set_cc_for_build
@@ -982,7 +992,7 @@ EOF
 	LIBC=gnulibc1
 	# endif
 	#else
-	#ifdef __INTEL_COMPILER
+	#if defined(__INTEL_COMPILER) || defined(__PGI) || defined(__SUNPRO_C) || defined(__SUNPRO_CC)
 	LIBC=gnu
 	#else
 	LIBC=gnuaout
@@ -992,16 +1002,23 @@ EOF
 	LIBC=dietlibc
 	#endif
 EOF
-	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
-	test x"${LIBC}" != x && echo "${UNAME_MACHINE}-pc-linux-${LIBC}" && exit 0
-	test x"${TENTATIVE}" != x && echo "${TENTATIVE}" && exit 0
+	eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
+	    /^LIBC/{
+		s: ::g
+		p
+	    }'`"
+	test x"${LIBC}" != x && {
+		echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
+		exit
+	}
+	test x"${TENTATIVE}" != x && { echo "${TENTATIVE}"; exit; }
 	;;
     i*86:DYNIX/ptx:4*:*)
 	# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
 	# earlier versions are messed up and put the nodename in both
 	# sysname and nodename.
 	echo i386-sequent-sysv4
-	exit 0 ;;
+	exit ;;
     i*86:UNIX_SV:4.2MP:2.*)
         # Unixware is an offshoot of SVR4, but it has its own version
         # number series starting with 2...
@@ -1009,27 +1026,27 @@ EOF
 	# I just have to hope.  -- rms.
         # Use sysv4.2uw... so that sysv4* matches it.
 	echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
-	exit 0 ;;
+	exit ;;
     i*86:OS/2:*:*)
 	# If we were able to find `uname', then EMX Unix compatibility
 	# is probably installed.
 	echo ${UNAME_MACHINE}-pc-os2-emx
-	exit 0 ;;
+	exit ;;
     i*86:XTS-300:*:STOP)
 	echo ${UNAME_MACHINE}-unknown-stop
-	exit 0 ;;
+	exit ;;
     i*86:atheos:*:*)
 	echo ${UNAME_MACHINE}-unknown-atheos
-	exit 0 ;;
-	i*86:syllable:*:*)
+	exit ;;
+    i*86:syllable:*:*)
 	echo ${UNAME_MACHINE}-pc-syllable
-	exit 0 ;;
+	exit ;;
     i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*)
 	echo i386-unknown-lynxos${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     i*86:*DOS:*:*)
 	echo ${UNAME_MACHINE}-pc-msdosdjgpp
-	exit 0 ;;
+	exit ;;
     i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*)
 	UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
 	if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
@@ -1037,15 +1054,16 @@ EOF
 	else
 		echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
 	fi
-	exit 0 ;;
-    i*86:*:5:[78]*)
+	exit ;;
+    i*86:*:5:[678]*)
+    	# UnixWare 7.x, OpenUNIX and OpenServer 6.
 	case `/bin/uname -X | grep "^Machine"` in
 	    *486*)	     UNAME_MACHINE=i486 ;;
 	    *Pentium)	     UNAME_MACHINE=i586 ;;
 	    *Pent*|*Celeron) UNAME_MACHINE=i686 ;;
 	esac
 	echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}
-	exit 0 ;;
+	exit ;;
     i*86:*:3.2:*)
 	if test -f /usr/options/cb.name; then
 		UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
@@ -1063,73 +1081,73 @@ EOF
 	else
 		echo ${UNAME_MACHINE}-pc-sysv32
 	fi
-	exit 0 ;;
+	exit ;;
     pc:*:*:*)
 	# Left here for compatibility:
         # uname -m prints for DJGPP always 'pc', but it prints nothing about
         # the processor, so we play safe by assuming i386.
 	echo i386-pc-msdosdjgpp
-        exit 0 ;;
+        exit ;;
     Intel:Mach:3*:*)
 	echo i386-pc-mach3
-	exit 0 ;;
+	exit ;;
     paragon:*:*:*)
 	echo i860-intel-osf1
-	exit 0 ;;
+	exit ;;
     i860:*:4.*:*) # i860-SVR4
 	if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
 	  echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
 	else # Add other i860-SVR4 vendors below as they are discovered.
 	  echo i860-unknown-sysv${UNAME_RELEASE}  # Unknown i860-SVR4
 	fi
-	exit 0 ;;
+	exit ;;
     mini*:CTIX:SYS*5:*)
 	# "miniframe"
 	echo m68010-convergent-sysv
-	exit 0 ;;
+	exit ;;
     mc68k:UNIX:SYSTEM5:3.51m)
 	echo m68k-convergent-sysv
-	exit 0 ;;
+	exit ;;
     M680?0:D-NIX:5.3:*)
 	echo m68k-diab-dnix
-	exit 0 ;;
-    M68*:*:R3V[567]*:*)
-	test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;;
-    3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0)
+	exit ;;
+    M68*:*:R3V[5678]*:*)
+	test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;;
+    3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0)
 	OS_REL=''
 	test -r /etc/.relid \
 	&& OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
 	/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
-	  && echo i486-ncr-sysv4.3${OS_REL} && exit 0
+	  && { echo i486-ncr-sysv4.3${OS_REL}; exit; }
 	/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
-	  && echo i586-ncr-sysv4.3${OS_REL} && exit 0 ;;
+	  && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
     3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
         /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
-          && echo i486-ncr-sysv4 && exit 0 ;;
+          && { echo i486-ncr-sysv4; exit; } ;;
     m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
 	echo m68k-unknown-lynxos${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     mc68030:UNIX_System_V:4.*:*)
 	echo m68k-atari-sysv4
-	exit 0 ;;
+	exit ;;
     TSUNAMI:LynxOS:2.*:*)
 	echo sparc-unknown-lynxos${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     rs6000:LynxOS:2.*:*)
 	echo rs6000-unknown-lynxos${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*)
 	echo powerpc-unknown-lynxos${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     SM[BE]S:UNIX_SV:*:*)
 	echo mips-dde-sysv${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     RM*:ReliantUNIX-*:*:*)
 	echo mips-sni-sysv4
-	exit 0 ;;
+	exit ;;
     RM*:SINIX-*:*:*)
 	echo mips-sni-sysv4
-	exit 0 ;;
+	exit ;;
     *:SINIX-*:*:*)
 	if uname -p 2>/dev/null >/dev/null ; then
 		UNAME_MACHINE=`(uname -p) 2>/dev/null`
@@ -1137,68 +1155,72 @@ EOF
 	else
 		echo ns32k-sni-sysv
 	fi
-	exit 0 ;;
+	exit ;;
     PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
                       # says <Richard.M.Bartel@ccMail.Census.GOV>
         echo i586-unisys-sysv4
-        exit 0 ;;
+        exit ;;
     *:UNIX_System_V:4*:FTX*)
 	# From Gerald Hewes <hewes@openmarket.com>.
 	# How about differentiating between stratus architectures? -djm
 	echo hppa1.1-stratus-sysv4
-	exit 0 ;;
+	exit ;;
     *:*:*:FTX*)
 	# From seanf@swdc.stratus.com.
 	echo i860-stratus-sysv4
-	exit 0 ;;
+	exit ;;
+    i*86:VOS:*:*)
+	# From Paul.Green@stratus.com.
+	echo ${UNAME_MACHINE}-stratus-vos
+	exit ;;
     *:VOS:*:*)
 	# From Paul.Green@stratus.com.
 	echo hppa1.1-stratus-vos
-	exit 0 ;;
+	exit ;;
     mc68*:A/UX:*:*)
 	echo m68k-apple-aux${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     news*:NEWS-OS:6*:*)
 	echo mips-sony-newsos6
-	exit 0 ;;
+	exit ;;
     R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
 	if [ -d /usr/nec ]; then
 	        echo mips-nec-sysv${UNAME_RELEASE}
 	else
 	        echo mips-unknown-sysv${UNAME_RELEASE}
 	fi
-        exit 0 ;;
+        exit ;;
     BeBox:BeOS:*:*)	# BeOS running on hardware made by Be, PPC only.
 	echo powerpc-be-beos
-	exit 0 ;;
+	exit ;;
     BeMac:BeOS:*:*)	# BeOS running on Mac or Mac clone, PPC only.
 	echo powerpc-apple-beos
-	exit 0 ;;
+	exit ;;
     BePC:BeOS:*:*)	# BeOS running on Intel PC compatible.
 	echo i586-pc-beos
-	exit 0 ;;
+	exit ;;
     SX-4:SUPER-UX:*:*)
 	echo sx4-nec-superux${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     SX-5:SUPER-UX:*:*)
 	echo sx5-nec-superux${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     SX-6:SUPER-UX:*:*)
 	echo sx6-nec-superux${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     Power*:Rhapsody:*:*)
 	echo powerpc-apple-rhapsody${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     *:Rhapsody:*:*)
 	echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     *:Darwin:*:*)
-	case `uname -p` in
-	    *86) UNAME_PROCESSOR=i686 ;;
-	    powerpc) UNAME_PROCESSOR=powerpc ;;
+	UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
+	case $UNAME_PROCESSOR in
+	    unknown) UNAME_PROCESSOR=powerpc ;;
 	esac
 	echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     *:procnto*:*:* | *:QNX:[0123456789]*:*)
 	UNAME_PROCESSOR=`uname -p`
 	if test "$UNAME_PROCESSOR" = "x86"; then
@@ -1206,22 +1228,25 @@ EOF
 		UNAME_MACHINE=pc
 	fi
 	echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     *:QNX:*:4*)
 	echo i386-pc-qnx
-	exit 0 ;;
+	exit ;;
+    NSE-?:NONSTOP_KERNEL:*:*)
+	echo nse-tandem-nsk${UNAME_RELEASE}
+	exit ;;
     NSR-?:NONSTOP_KERNEL:*:*)
 	echo nsr-tandem-nsk${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     *:NonStop-UX:*:*)
 	echo mips-compaq-nonstopux
-	exit 0 ;;
+	exit ;;
     BS2000:POSIX*:*:*)
 	echo bs2000-siemens-sysv
-	exit 0 ;;
+	exit ;;
     DS/*:UNIX_System_V:*:*)
 	echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     *:Plan9:*:*)
 	# "uname -m" is not consistent, so use $cputype instead. 386
 	# is converted to i386 for consistency with other x86
@@ -1232,31 +1257,47 @@ EOF
 	    UNAME_MACHINE="$cputype"
 	fi
 	echo ${UNAME_MACHINE}-unknown-plan9
-	exit 0 ;;
+	exit ;;
     *:TOPS-10:*:*)
 	echo pdp10-unknown-tops10
-	exit 0 ;;
+	exit ;;
     *:TENEX:*:*)
 	echo pdp10-unknown-tenex
-	exit 0 ;;
+	exit ;;
     KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*)
 	echo pdp10-dec-tops20
-	exit 0 ;;
+	exit ;;
     XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*)
 	echo pdp10-xkl-tops20
-	exit 0 ;;
+	exit ;;
     *:TOPS-20:*:*)
 	echo pdp10-unknown-tops20
-	exit 0 ;;
+	exit ;;
     *:ITS:*:*)
 	echo pdp10-unknown-its
-	exit 0 ;;
+	exit ;;
     SEI:*:*:SEIUX)
         echo mips-sei-seiux${UNAME_RELEASE}
-	exit 0 ;;
+	exit ;;
     *:DragonFly:*:*)
 	echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
-	exit 0 ;;
+	exit ;;
+    *:*VMS:*:*)
+    	UNAME_MACHINE=`(uname -p) 2>/dev/null`
+	case "${UNAME_MACHINE}" in
+	    A*) echo alpha-dec-vms ; exit ;;
+	    I*) echo ia64-dec-vms ; exit ;;
+	    V*) echo vax-dec-vms ; exit ;;
+	esac ;;
+    *:XENIX:*:SysV)
+	echo i386-pc-xenix
+	exit ;;
+    i*86:skyos:*:*)
+	echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//'
+	exit ;;
+    i*86:rdos:*:*)
+	echo ${UNAME_MACHINE}-pc-rdos
+	exit ;;
 esac
 
 #echo '(No uname command or uname output not recognized.)' 1>&2
@@ -1288,7 +1329,7 @@ main ()
 #endif
 
 #if defined (__arm) && defined (__acorn) && defined (__unix)
-  printf ("arm-acorn-riscix"); exit (0);
+  printf ("arm-acorn-riscix\n"); exit (0);
 #endif
 
 #if defined (hp300) && !defined (hpux)
@@ -1377,11 +1418,12 @@ main ()
 }
 EOF
 
-$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && $dummy && exit 0
+$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` &&
+	{ echo "$SYSTEM_NAME"; exit; }
 
 # Apollos put the system type in the environment.
 
-test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit 0; }
+test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; }
 
 # Convex versions that predate uname can use getsysinfo(1)
 
@@ -1390,22 +1432,22 @@ then
     case `getsysinfo -f cpu_type` in
     c1*)
 	echo c1-convex-bsd
-	exit 0 ;;
+	exit ;;
     c2*)
 	if getsysinfo -f scalar_acc
 	then echo c32-convex-bsd
 	else echo c2-convex-bsd
 	fi
-	exit 0 ;;
+	exit ;;
     c34*)
 	echo c34-convex-bsd
-	exit 0 ;;
+	exit ;;
     c38*)
 	echo c38-convex-bsd
-	exit 0 ;;
+	exit ;;
     c4*)
 	echo c4-convex-bsd
-	exit 0 ;;
+	exit ;;
     esac
 fi
 
@@ -1416,7 +1458,9 @@ This script, last modified $timestamp, has failed to recognize
 the operating system you are using. It is advised that you
 download the most up to date version of the config scripts from
 
-    ftp://ftp.gnu.org/pub/gnu/config/
+  http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.guess
+and
+  http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.sub
 
 If the version you run ($0) is already up to date, please
 send the following data and any information you think might be
diff --git a/crypto/heimdal/config.sub b/crypto/heimdal/config.sub
index 264f820..fab0aa3 100755
--- a/crypto/heimdal/config.sub
+++ b/crypto/heimdal/config.sub
@@ -1,9 +1,10 @@
 #! /bin/sh
 # Configuration validation subroutine script.
 #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003 Free Software Foundation, Inc.
+#   2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
+#   Inc.
 
-timestamp='2004-02-23'
+timestamp='2006-09-20'
 
 # This file is (in principle) common to ALL GNU software.
 # The presence of a machine in this file suggests that SOME GNU software
@@ -21,14 +22,15 @@ timestamp='2004-02-23'
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330,
-# Boston, MA 02111-1307, USA.
-
+# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
+# 02110-1301, USA.
+#
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
 # configuration script generated by Autoconf, you may include it under
 # the same distribution terms that you use for the rest of that program.
 
+
 # Please send patches to <config-patches@gnu.org>.  Submit a context
 # diff and a properly formatted ChangeLog entry.
 #
@@ -70,7 +72,7 @@ Report bugs and patches to <config-patches@gnu.org>."
 version="\
 GNU config.sub ($timestamp)
 
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
 Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
@@ -83,11 +85,11 @@ Try \`$me --help' for more information."
 while test $# -gt 0 ; do
   case $1 in
     --time-stamp | --time* | -t )
-       echo "$timestamp" ; exit 0 ;;
+       echo "$timestamp" ; exit ;;
     --version | -v )
-       echo "$version" ; exit 0 ;;
+       echo "$version" ; exit ;;
     --help | --h* | -h )
-       echo "$usage"; exit 0 ;;
+       echo "$usage"; exit ;;
     -- )     # Stop option processing
        shift; break ;;
     - )	# Use stdin as input.
@@ -99,7 +101,7 @@ while test $# -gt 0 ; do
     *local*)
        # First pass through any local machine types.
        echo $1
-       exit 0;;
+       exit ;;
 
     * )
        break ;;
@@ -118,8 +120,9 @@ esac
 # Here we must recognize all the valid KERNEL-OS combinations.
 maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
 case $maybe_os in
-  nto-qnx* | linux-gnu* | linux-dietlibc | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | \
-  kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*)
+  nto-qnx* | linux-gnu* | linux-dietlibc | linux-newlib* | linux-uclibc* | \
+  uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | \
+  storm-chaos* | os2-emx* | rtmk-nova*)
     os=-$maybe_os
     basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
     ;;
@@ -145,7 +148,7 @@ case $os in
 	-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
 	-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
 	-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
-	-apple | -axis)
+	-apple | -axis | -knuth | -cray)
 		os=
 		basic_machine=$1
 		;;
@@ -170,6 +173,10 @@ case $os in
 	-hiux*)
 		os=-hiuxwe2
 		;;
+	-sco6)
+		os=-sco5v6
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
 	-sco5)
 		os=-sco3.2v5
 		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
@@ -186,6 +193,10 @@ case $os in
 		# Don't forget version if it is 3.2v4 or newer.
 		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
 		;;
+	-sco5v6*)
+		# Don't forget version if it is 3.2v4 or newer.
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
 	-sco*)
 		os=-sco3.2v2
 		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
@@ -230,14 +241,16 @@ case $basic_machine in
 	| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
 	| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
 	| am33_2.0 \
-	| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \
+	| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \
+	| bfin \
 	| c4x | clipper \
 	| d10v | d30v | dlx | dsp16xx \
 	| fr30 | frv \
 	| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
 	| i370 | i860 | i960 | ia64 \
 	| ip2k | iq2000 \
-	| m32r | m68000 | m68k | m88k | mcore \
+	| m32c | m32r | m32rle | m68000 | m68k | m88k \
+	| maxq | mb | microblaze | mcore \
 	| mips | mipsbe | mipseb | mipsel | mipsle \
 	| mips16 \
 	| mips64 | mips64el \
@@ -246,6 +259,7 @@ case $basic_machine in
 	| mips64vr4100 | mips64vr4100el \
 	| mips64vr4300 | mips64vr4300el \
 	| mips64vr5000 | mips64vr5000el \
+	| mips64vr5900 | mips64vr5900el \
 	| mipsisa32 | mipsisa32el \
 	| mipsisa32r2 | mipsisa32r2el \
 	| mipsisa64 | mipsisa64el \
@@ -254,20 +268,24 @@ case $basic_machine in
 	| mipsisa64sr71k | mipsisa64sr71kel \
 	| mipstx39 | mipstx39el \
 	| mn10200 | mn10300 \
+	| mt \
 	| msp430 \
+	| nios | nios2 \
 	| ns16k | ns32k \
-	| openrisc | or32 \
+	| or32 \
 	| pdp10 | pdp11 | pj | pjl \
 	| powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
 	| pyramid \
-	| sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \
+	| score \
+	| sh | sh[1234] | sh[24]a | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
 	| sh64 | sh64le \
-	| sparc | sparc64 | sparc86x | sparclet | sparclite | sparcv9 | sparcv9b \
-	| strongarm \
+	| sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
+	| sparcv8 | sparcv9 | sparcv9b | sparcv9v \
+	| spu | strongarm \
 	| tahoe | thumb | tic4x | tic80 | tron \
 	| v850 | v850e \
 	| we32k \
-	| x86 | xscale | xstormy16 | xtensa \
+	| x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \
 	| z8k)
 		basic_machine=$basic_machine-unknown
 		;;
@@ -278,6 +296,9 @@ case $basic_machine in
 		;;
 	m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k)
 		;;
+	ms1)
+		basic_machine=mt-unknown
+		;;
 
 	# We use `pc' rather than `unknown'
 	# because (1) that's what they normally are, and
@@ -297,10 +318,10 @@ case $basic_machine in
 	| alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
 	| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
 	| arm-*  | armbe-* | armle-* | armeb-* | armv*-* \
-	| avr-* \
-	| bs2000-* \
+	| avr-* | avr32-* \
+	| bfin-* | bs2000-* \
 	| c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
-	| clipper-* | cydra-* \
+	| clipper-* | craynv-* | cydra-* \
 	| d10v-* | d30v-* | dlx-* \
 	| elxsi-* \
 	| f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
@@ -308,9 +329,9 @@ case $basic_machine in
 	| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
 	| i*86-* | i860-* | i960-* | ia64-* \
 	| ip2k-* | iq2000-* \
-	| m32r-* \
+	| m32c-* | m32r-* | m32rle-* \
 	| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
-	| m88110-* | m88k-* | mcore-* \
+	| m88110-* | m88k-* | maxq-* | mcore-* \
 	| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
 	| mips16-* \
 	| mips64-* | mips64el-* \
@@ -319,6 +340,7 @@ case $basic_machine in
 	| mips64vr4100-* | mips64vr4100el-* \
 	| mips64vr4300-* | mips64vr4300el-* \
 	| mips64vr5000-* | mips64vr5000el-* \
+	| mips64vr5900-* | mips64vr5900el-* \
 	| mipsisa32-* | mipsisa32el-* \
 	| mipsisa32r2-* | mipsisa32r2el-* \
 	| mipsisa64-* | mipsisa64el-* \
@@ -326,24 +348,28 @@ case $basic_machine in
 	| mipsisa64sb1-* | mipsisa64sb1el-* \
 	| mipsisa64sr71k-* | mipsisa64sr71kel-* \
 	| mipstx39-* | mipstx39el-* \
+	| mmix-* \
+	| mt-* \
 	| msp430-* \
-	| none-* | np1-* | nv1-* | ns16k-* | ns32k-* \
+	| nios-* | nios2-* \
+	| none-* | np1-* | ns16k-* | ns32k-* \
 	| orion-* \
 	| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
 	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
 	| pyramid-* \
 	| romp-* | rs6000-* \
-	| sh-* | sh[1234]-* | sh[23]e-* | sh[34]eb-* | shbe-* \
+	| sh-* | sh[1234]-* | sh[24]a-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
 	| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
-	| sparc-* | sparc64-* | sparc86x-* | sparclet-* | sparclite-* \
-	| sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \
+	| sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
+	| sparclite-* \
+	| sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | strongarm-* | sv1-* | sx?-* \
 	| tahoe-* | thumb-* \
 	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
 	| tron-* \
 	| v850-* | v850e-* | vax-* \
 	| we32k-* \
-	| x86-* | x86_64-* | xps100-* | xscale-* | xstormy16-* \
-	| xtensa-* \
+	| x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \
+	| xstormy16-* | xtensa-* \
 	| ymp-* \
 	| z8k-*)
 		;;
@@ -445,6 +471,10 @@ case $basic_machine in
 		basic_machine=j90-cray
 		os=-unicos
 		;;
+	craynv)
+		basic_machine=craynv-cray
+		os=-unicosmp
+		;;
 	cr16c)
 		basic_machine=cr16c-unknown
 		os=-elf
@@ -452,6 +482,9 @@ case $basic_machine in
 	crds | unos)
 		basic_machine=m68k-crds
 		;;
+	crisv32 | crisv32-* | etraxfs*)
+		basic_machine=crisv32-axis
+		;;
 	cris | cris-* | etrax*)
 		basic_machine=cris-axis
 		;;
@@ -481,6 +514,10 @@ case $basic_machine in
 		basic_machine=m88k-motorola
 		os=-sysv3
 		;;
+	djgpp)
+		basic_machine=i586-pc
+		os=-msdosdjgpp
+		;;
 	dpx20 | dpx20-*)
 		basic_machine=rs6000-bull
 		os=-bosx
@@ -659,10 +696,6 @@ case $basic_machine in
 	mips3*)
 		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
 		;;
-	mmix*)
-		basic_machine=mmix-knuth
-		os=-mmixware
-		;;
 	monitor)
 		basic_machine=m68k-rom68k
 		os=-coff
@@ -675,6 +708,9 @@ case $basic_machine in
 		basic_machine=i386-pc
 		os=-msdos
 		;;
+	ms1-*)
+		basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'`
+		;;
 	mvs)
 		basic_machine=i370-ibm
 		os=-mvs
@@ -743,10 +779,6 @@ case $basic_machine in
 	np1)
 		basic_machine=np1-gould
 		;;
-	nv1)
-		basic_machine=nv1-cray
-		os=-unicosmp
-		;;
 	nsr-tandem)
 		basic_machine=nsr-tandem
 		;;
@@ -754,9 +786,8 @@ case $basic_machine in
 		basic_machine=hppa1.1-oki
 		os=-proelf
 		;;
-	or32 | or32-*)
+	openrisc | openrisc-*)
 		basic_machine=or32-unknown
-		os=-coff
 		;;
 	os400)
 		basic_machine=powerpc-ibm
@@ -787,6 +818,12 @@ case $basic_machine in
 	pc532 | pc532-*)
 		basic_machine=ns32k-pc532
 		;;
+	pc98)
+		basic_machine=i386-pc
+		;;
+	pc98-*)
+		basic_machine=i386-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
 	pentium | p5 | k5 | k6 | nexgen | viac3)
 		basic_machine=i586-pc
 		;;
@@ -843,6 +880,10 @@ case $basic_machine in
 		basic_machine=i586-unknown
 		os=-pw32
 		;;
+	rdos)
+		basic_machine=i386-pc
+		os=-rdos
+		;;
 	rom68k)
 		basic_machine=m68k-rom68k
 		os=-coff
@@ -869,6 +910,10 @@ case $basic_machine in
 	sb1el)
 		basic_machine=mipsisa64sb1el-unknown
 		;;
+	sde)
+		basic_machine=mipsisa32-sde
+		os=-elf
+		;;
 	sei)
 		basic_machine=mips-sei
 		os=-seiux
@@ -1029,6 +1074,10 @@ case $basic_machine in
 		basic_machine=hppa1.1-winbond
 		os=-proelf
 		;;
+	xbox)
+		basic_machine=i686-pc
+		os=-mingw32
+		;;
 	xps | xps100)
 		basic_machine=xps100-honeywell
 		;;
@@ -1059,6 +1108,9 @@ case $basic_machine in
 	romp)
 		basic_machine=romp-ibm
 		;;
+	mmix)
+		basic_machine=mmix-knuth
+		;;
 	rs6000)
 		basic_machine=rs6000-ibm
 		;;
@@ -1075,13 +1127,10 @@ case $basic_machine in
 	we32k)
 		basic_machine=we32k-att
 		;;
-	sh3 | sh4 | sh[34]eb | sh[1234]le | sh[23]ele)
+	sh[1234] | sh[24]a | sh[34]eb | sh[1234]le | sh[23]ele)
 		basic_machine=sh-unknown
 		;;
-	sh64)
-		basic_machine=sh64-unknown
-		;;
-	sparc | sparcv9 | sparcv9b)
+	sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v)
 		basic_machine=sparc-sun
 		;;
 	cydra)
@@ -1154,20 +1203,23 @@ case $os in
 	      | -aos* \
 	      | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
 	      | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
-	      | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* | -openbsd* \
+	      | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
+	      | -openbsd* | -solidbsd* \
 	      | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
 	      | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
 	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
 	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
 	      | -chorusos* | -chorusrdb* \
 	      | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
-	      | -mingw32* | -linux-gnu* | -linux-uclibc* | -uxpv* | -beos* | -mpeix* | -udk* \
+	      | -mingw32* | -linux-gnu* | -linux-newlib* | -linux-uclibc* \
+	      | -uxpv* | -beos* | -mpeix* | -udk* \
 	      | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
 	      | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
 	      | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
 	      | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
 	      | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
-	      | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly*)
+	      | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
+	      | -skyos* | -haiku* | -rdos* | -toppers*)
 	# Remember, each alternative MUST END IN *, to match a version number.
 		;;
 	-qnx*)
@@ -1185,7 +1237,7 @@ case $os in
 		os=`echo $os | sed -e 's|nto|nto-qnx|'`
 		;;
 	-sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
-	      | -windows* | -osx | -abug | -netware* | -os9* | -beos* \
+	      | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \
 	      | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
 		;;
 	-mac*)
@@ -1294,6 +1346,9 @@ case $os in
 	-kaos*)
 		os=-kaos
 		;;
+	-zvmoe)
+		os=-zvmoe
+		;;
 	-none)
 		;;
 	*)
@@ -1316,6 +1371,12 @@ else
 # system, and we'll never get to this point.
 
 case $basic_machine in
+        score-*)
+		os=-elf
+		;;
+        spu-*)
+		os=-elf
+		;;
 	*-acorn)
 		os=-riscix1.2
 		;;
@@ -1325,9 +1386,9 @@ case $basic_machine in
 	arm*-semi)
 		os=-aout
 		;;
-    c4x-* | tic4x-*)
-        os=-coff
-        ;;
+        c4x-* | tic4x-*)
+        	os=-coff
+		;;
 	# This must come before the *-dec entry.
 	pdp10-*)
 		os=-tops20
@@ -1371,9 +1432,15 @@ case $basic_machine in
 	*-be)
 		os=-beos
 		;;
+	*-haiku)
+		os=-haiku
+		;;
 	*-ibm)
 		os=-aix
 		;;
+    	*-knuth)
+		os=-mmixware
+		;;
 	*-wec)
 		os=-proelf
 		;;
@@ -1539,7 +1606,7 @@ case $basic_machine in
 esac
 
 echo $basic_machine$os
-exit 0
+exit
 
 # Local variables:
 # eval: (add-hook 'write-file-hooks 'time-stamp)
diff --git a/crypto/heimdal/configure b/crypto/heimdal/configure
index f4e3787..e905a35 100755
--- a/crypto/heimdal/configure
+++ b/crypto/heimdal/configure
@@ -1,28 +1,57 @@
 #! /bin/sh
-# From configure.in Revision: 1.331.2.8 .
+# From configure.in Revision: 22513 .
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.59 for Heimdal 0.6.3.
+# Generated by GNU Autoconf 2.61 for Heimdal 1.1.
 #
-# Report bugs to <heimdal-bugs@pdc.kth.se>.
+# Report bugs to <heimdal-bugs@h5l.org>.
 #
-# Copyright (C) 2003 Free Software Foundation, Inc.
+# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
+# 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
 # This configure script is free software; the Free Software Foundation
 # gives unlimited permission to copy, distribute and modify it.
 ## --------------------- ##
 ## M4sh Initialization.  ##
 ## --------------------- ##
 
-# Be Bourne compatible
+# Be more Bourne compatible
+DUALCASE=1; export DUALCASE # for MKS sh
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
   emulate sh
   NULLCMD=:
   # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
   # is contrary to our usage.  Disable this feature.
   alias -g '${1+"$@"}'='"$@"'
-elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then
-  set -o posix
+  setopt NO_GLOB_SUBST
+else
+  case `(set -o) 2>/dev/null` in
+  *posix*) set -o posix ;;
+esac
+
+fi
+
+
+
+
+# PATH needs CR
+# Avoid depending upon Character Ranges.
+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+as_cr_digits='0123456789'
+as_cr_alnum=$as_cr_Letters$as_cr_digits
+
+# The user is always right.
+if test "${PATH_SEPARATOR+set}" != set; then
+  echo "#! /bin/sh" >conf$$.sh
+  echo  "exit 0"   >>conf$$.sh
+  chmod +x conf$$.sh
+  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
+    PATH_SEPARATOR=';'
+  else
+    PATH_SEPARATOR=:
+  fi
+  rm -f conf$$.sh
 fi
-DUALCASE=1; export DUALCASE # for MKS sh
 
 # Support unset when possible.
 if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
@@ -32,8 +61,43 @@ else
 fi
 
 
+# IFS
+# We need space, tab and new line, in precisely that order.  Quoting is
+# there to prevent editors from complaining about space-tab.
+# (If _AS_PATH_WALK were called with IFS unset, it would disable word
+# splitting by setting IFS to empty value.)
+as_nl='
+'
+IFS=" ""	$as_nl"
+
+# Find who we are.  Look in the path if we contain no directory separator.
+case $0 in
+  *[\\/]* ) as_myself=$0 ;;
+  *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+done
+IFS=$as_save_IFS
+
+     ;;
+esac
+# We did not find ourselves, most probably we were run as `sh COMMAND'
+# in which case we are not to be found in the path.
+if test "x$as_myself" = x; then
+  as_myself=$0
+fi
+if test ! -f "$as_myself"; then
+  echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+  { (exit 1); exit 1; }
+fi
+
 # Work around bugs in pre-3.0 UWIN ksh.
-$as_unset ENV MAIL MAILPATH
+for as_var in ENV MAIL MAILPATH
+do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+done
 PS1='$ '
 PS2='> '
 PS4='+ '
@@ -47,18 +111,19 @@ do
   if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
     eval $as_var=C; export $as_var
   else
-    $as_unset $as_var
+    ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
   fi
 done
 
 # Required to use basename.
-if expr a : '\(a\)' >/dev/null 2>&1; then
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+   test "X`expr 00001 : '.*\(...\)'`" = X001; then
   as_expr=expr
 else
   as_expr=false
 fi
 
-if (basename /) >/dev/null 2>&1 && test "X`basename / 2>&1`" = "X/"; then
+if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
   as_basename=basename
 else
   as_basename=false
@@ -66,157 +131,388 @@ fi
 
 
 # Name of the executable.
-as_me=`$as_basename "$0" ||
+as_me=`$as_basename -- "$0" ||
 $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
 	 X"$0" : 'X\(//\)$' \| \
-	 X"$0" : 'X\(/\)$' \| \
-	 .     : '\(.\)' 2>/dev/null ||
+	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
 echo X/"$0" |
-    sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/; q; }
-  	  /^X\/\(\/\/\)$/{ s//\1/; q; }
-  	  /^X\/\(\/\).*/{ s//\1/; q; }
-  	  s/.*/./; q'`
+    sed '/^.*\/\([^/][^/]*\)\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\/\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\/\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
 
+# CDPATH.
+$as_unset CDPATH
 
-# PATH needs CR, and LINENO needs CR and PATH.
-# Avoid depending upon Character Ranges.
-as_cr_letters='abcdefghijklmnopqrstuvwxyz'
-as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
-as_cr_Letters=$as_cr_letters$as_cr_LETTERS
-as_cr_digits='0123456789'
-as_cr_alnum=$as_cr_Letters$as_cr_digits
 
-# The user is always right.
-if test "${PATH_SEPARATOR+set}" != set; then
-  echo "#! /bin/sh" >conf$$.sh
-  echo  "exit 0"   >>conf$$.sh
-  chmod +x conf$$.sh
-  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
-    PATH_SEPARATOR=';'
-  else
-    PATH_SEPARATOR=:
-  fi
-  rm -f conf$$.sh
+if test "x$CONFIG_SHELL" = x; then
+  if (eval ":") 2>/dev/null; then
+  as_have_required=yes
+else
+  as_have_required=no
 fi
 
+  if test $as_have_required = yes && 	 (eval ":
+(as_func_return () {
+  (exit \$1)
+}
+as_func_success () {
+  as_func_return 0
+}
+as_func_failure () {
+  as_func_return 1
+}
+as_func_ret_success () {
+  return 0
+}
+as_func_ret_failure () {
+  return 1
+}
 
-  as_lineno_1=$LINENO
-  as_lineno_2=$LINENO
-  as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
-  test "x$as_lineno_1" != "x$as_lineno_2" &&
-  test "x$as_lineno_3"  = "x$as_lineno_2"  || {
-  # Find who we are.  Look in the path if we contain no path at all
-  # relative or not.
-  case $0 in
-    *[\\/]* ) as_myself=$0 ;;
-    *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
-done
+exitcode=0
+if as_func_success; then
+  :
+else
+  exitcode=1
+  echo as_func_success failed.
+fi
 
-       ;;
-  esac
-  # We did not find ourselves, most probably we were run as `sh COMMAND'
-  # in which case we are not to be found in the path.
-  if test "x$as_myself" = x; then
-    as_myself=$0
-  fi
-  if test ! -f "$as_myself"; then
-    { echo "$as_me: error: cannot find myself; rerun with an absolute path" >&2
-   { (exit 1); exit 1; }; }
-  fi
-  case $CONFIG_SHELL in
-  '')
+if as_func_failure; then
+  exitcode=1
+  echo as_func_failure succeeded.
+fi
+
+if as_func_ret_success; then
+  :
+else
+  exitcode=1
+  echo as_func_ret_success failed.
+fi
+
+if as_func_ret_failure; then
+  exitcode=1
+  echo as_func_ret_failure succeeded.
+fi
+
+if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
+  :
+else
+  exitcode=1
+  echo positional parameters were not saved.
+fi
+
+test \$exitcode = 0) || { (exit 1); exit 1; }
+
+(
+  as_lineno_1=\$LINENO
+  as_lineno_2=\$LINENO
+  test \"x\$as_lineno_1\" != \"x\$as_lineno_2\" &&
+  test \"x\`expr \$as_lineno_1 + 1\`\" = \"x\$as_lineno_2\") || { (exit 1); exit 1; }
+") 2> /dev/null; then
+  :
+else
+  as_candidate_shells=
     as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for as_base in sh bash ksh sh5; do
-	 case $as_dir in
+  case $as_dir in
 	 /*)
-	   if ("$as_dir/$as_base" -c '
+	   for as_base in sh bash ksh sh5; do
+	     as_candidate_shells="$as_candidate_shells $as_dir/$as_base"
+	   done;;
+       esac
+done
+IFS=$as_save_IFS
+
+
+      for as_shell in $as_candidate_shells $SHELL; do
+	 # Try only shells that exist, to save several forks.
+	 if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
+		{ ("$as_shell") 2> /dev/null <<\_ASEOF
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+  emulate sh
+  NULLCMD=:
+  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+  # is contrary to our usage.  Disable this feature.
+  alias -g '${1+"$@"}'='"$@"'
+  setopt NO_GLOB_SUBST
+else
+  case `(set -o) 2>/dev/null` in
+  *posix*) set -o posix ;;
+esac
+
+fi
+
+
+:
+_ASEOF
+}; then
+  CONFIG_SHELL=$as_shell
+	       as_have_required=yes
+	       if { "$as_shell" 2> /dev/null <<\_ASEOF
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+  emulate sh
+  NULLCMD=:
+  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+  # is contrary to our usage.  Disable this feature.
+  alias -g '${1+"$@"}'='"$@"'
+  setopt NO_GLOB_SUBST
+else
+  case `(set -o) 2>/dev/null` in
+  *posix*) set -o posix ;;
+esac
+
+fi
+
+
+:
+(as_func_return () {
+  (exit $1)
+}
+as_func_success () {
+  as_func_return 0
+}
+as_func_failure () {
+  as_func_return 1
+}
+as_func_ret_success () {
+  return 0
+}
+as_func_ret_failure () {
+  return 1
+}
+
+exitcode=0
+if as_func_success; then
+  :
+else
+  exitcode=1
+  echo as_func_success failed.
+fi
+
+if as_func_failure; then
+  exitcode=1
+  echo as_func_failure succeeded.
+fi
+
+if as_func_ret_success; then
+  :
+else
+  exitcode=1
+  echo as_func_ret_success failed.
+fi
+
+if as_func_ret_failure; then
+  exitcode=1
+  echo as_func_ret_failure succeeded.
+fi
+
+if ( set x; as_func_ret_success y && test x = "$1" ); then
+  :
+else
+  exitcode=1
+  echo positional parameters were not saved.
+fi
+
+test $exitcode = 0) || { (exit 1); exit 1; }
+
+(
   as_lineno_1=$LINENO
   as_lineno_2=$LINENO
-  as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
   test "x$as_lineno_1" != "x$as_lineno_2" &&
-  test "x$as_lineno_3"  = "x$as_lineno_2" ') 2>/dev/null; then
-	     $as_unset BASH_ENV || test "${BASH_ENV+set}" != set || { BASH_ENV=; export BASH_ENV; }
-	     $as_unset ENV || test "${ENV+set}" != set || { ENV=; export ENV; }
-	     CONFIG_SHELL=$as_dir/$as_base
-	     export CONFIG_SHELL
-	     exec "$CONFIG_SHELL" "$0" ${1+"$@"}
-	   fi;;
-	 esac
-       done
-done
-;;
-  esac
+  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2") || { (exit 1); exit 1; }
+
+_ASEOF
+}; then
+  break
+fi
+
+fi
+
+      done
+
+      if test "x$CONFIG_SHELL" != x; then
+  for as_var in BASH_ENV ENV
+        do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+        done
+        export CONFIG_SHELL
+        exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
+fi
+
+
+    if test $as_have_required = no; then
+  echo This script requires a shell more modern than all the
+      echo shells that I found on your system.  Please install a
+      echo modern shell, or manually run the script under such a
+      echo shell if you do have one.
+      { (exit 1); exit 1; }
+fi
+
+
+fi
+
+fi
+
+
+
+(eval "as_func_return () {
+  (exit \$1)
+}
+as_func_success () {
+  as_func_return 0
+}
+as_func_failure () {
+  as_func_return 1
+}
+as_func_ret_success () {
+  return 0
+}
+as_func_ret_failure () {
+  return 1
+}
+
+exitcode=0
+if as_func_success; then
+  :
+else
+  exitcode=1
+  echo as_func_success failed.
+fi
+
+if as_func_failure; then
+  exitcode=1
+  echo as_func_failure succeeded.
+fi
+
+if as_func_ret_success; then
+  :
+else
+  exitcode=1
+  echo as_func_ret_success failed.
+fi
+
+if as_func_ret_failure; then
+  exitcode=1
+  echo as_func_ret_failure succeeded.
+fi
+
+if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
+  :
+else
+  exitcode=1
+  echo positional parameters were not saved.
+fi
+
+test \$exitcode = 0") || {
+  echo No shell found that supports shell functions.
+  echo Please tell autoconf@gnu.org about your system,
+  echo including any error possibly output before this
+  echo message
+}
+
+
+
+  as_lineno_1=$LINENO
+  as_lineno_2=$LINENO
+  test "x$as_lineno_1" != "x$as_lineno_2" &&
+  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
 
   # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
   # uniformly replaced by the line number.  The first 'sed' inserts a
-  # line-number line before each line; the second 'sed' does the real
-  # work.  The second script uses 'N' to pair each line-number line
-  # with the numbered line, and appends trailing '-' during
-  # substitution so that $LINENO is not a special case at line end.
+  # line-number line after each line using $LINENO; the second 'sed'
+  # does the real work.  The second script uses 'N' to pair each
+  # line-number line with the line containing $LINENO, and appends
+  # trailing '-' during substitution so that $LINENO is not a special
+  # case at line end.
   # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
-  # second 'sed' script.  Blame Lee E. McMahon for sed's syntax.  :-)
-  sed '=' <$as_myself |
+  # scripts with optimization help from Paolo Bonzini.  Blame Lee
+  # E. McMahon (1931-1989) for sed's syntax.  :-)
+  sed -n '
+    p
+    /[$]LINENO/=
+  ' <$as_myself |
     sed '
+      s/[$]LINENO.*/&-/
+      t lineno
+      b
+      :lineno
       N
-      s,$,-,
-      : loop
-      s,^\(['$as_cr_digits']*\)\(.*\)[$]LINENO\([^'$as_cr_alnum'_]\),\1\2\1\3,
+      :loop
+      s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
       t loop
-      s,-$,,
-      s,^['$as_cr_digits']*\n,,
+      s/-\n.*//
     ' >$as_me.lineno &&
-  chmod +x $as_me.lineno ||
+  chmod +x "$as_me.lineno" ||
     { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
    { (exit 1); exit 1; }; }
 
   # Don't try to exec as it changes $[0], causing all sort of problems
   # (the dirname of $[0] is not the place where we might find the
-  # original and so on.  Autoconf is especially sensible to this).
-  . ./$as_me.lineno
+  # original and so on.  Autoconf is especially sensitive to this).
+  . "./$as_me.lineno"
   # Exit status is that of the last command.
   exit
 }
 
 
-case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in
-  *c*,-n*) ECHO_N= ECHO_C='
-' ECHO_T='	' ;;
-  *c*,*  ) ECHO_N=-n ECHO_C= ECHO_T= ;;
-  *)       ECHO_N= ECHO_C='\c' ECHO_T= ;;
+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+  as_dirname=dirname
+else
+  as_dirname=false
+fi
+
+ECHO_C= ECHO_N= ECHO_T=
+case `echo -n x` in
+-n*)
+  case `echo 'x\c'` in
+  *c*) ECHO_T='	';;	# ECHO_T is single tab character.
+  *)   ECHO_C='\c';;
+  esac;;
+*)
+  ECHO_N='-n';;
 esac
 
-if expr a : '\(a\)' >/dev/null 2>&1; then
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+   test "X`expr 00001 : '.*\(...\)'`" = X001; then
   as_expr=expr
 else
   as_expr=false
 fi
 
 rm -f conf$$ conf$$.exe conf$$.file
+if test -d conf$$.dir; then
+  rm -f conf$$.dir/conf$$.file
+else
+  rm -f conf$$.dir
+  mkdir conf$$.dir
+fi
 echo >conf$$.file
 if ln -s conf$$.file conf$$ 2>/dev/null; then
-  # We could just check for DJGPP; but this test a) works b) is more generic
-  # and c) will remain valid once DJGPP supports symlinks (DJGPP 2.04).
-  if test -f conf$$.exe; then
-    # Don't use ln at all; we don't have any links
+  as_ln_s='ln -s'
+  # ... but there are two gotchas:
+  # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+  # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+  # In both cases, we have to default to `cp -p'.
+  ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
     as_ln_s='cp -p'
-  else
-    as_ln_s='ln -s'
-  fi
 elif ln conf$$.file conf$$ 2>/dev/null; then
   as_ln_s=ln
 else
   as_ln_s='cp -p'
 fi
-rm -f conf$$ conf$$.exe conf$$.file
+rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
+rmdir conf$$.dir 2>/dev/null
 
 if mkdir -p . 2>/dev/null; then
   as_mkdir_p=:
@@ -225,7 +521,28 @@ else
   as_mkdir_p=false
 fi
 
-as_executable_p="test -f"
+if test -x / >/dev/null 2>&1; then
+  as_test_x='test -x'
+else
+  if ls -dL / >/dev/null 2>&1; then
+    as_ls_L_option=L
+  else
+    as_ls_L_option=
+  fi
+  as_test_x='
+    eval sh -c '\''
+      if test -d "$1"; then
+        test -d "$1/.";
+      else
+	case $1 in
+        -*)set "./$1";;
+	esac;
+	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
+	???[sx]*):;;*)false;;esac;fi
+    '\'' sh
+  '
+fi
+as_executable_p=$as_test_x
 
 # Sed expression to map a string onto a valid CPP name.
 as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
@@ -234,15 +551,6 @@ as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
 as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
 
 
-# IFS
-# We need space, tab and new line, in precisely that order.
-as_nl='
-'
-IFS=" 	$as_nl"
-
-# CDPATH.
-$as_unset CDPATH
-
 
 
 # Check that we are running under the correct shell.
@@ -281,15 +589,15 @@ fi
 
 # The HP-UX ksh and POSIX shell print the target directory to stdout
 # if CDPATH is set.
-if test "X${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
 
 if test -z "$ECHO"; then
 if test "X${echo_test_string+set}" != Xset; then
 # find a string as large as possible, as long as the shell can cope with it
   for cmd in 'sed 50q "$0"' 'sed 20q "$0"' 'sed 10q "$0"' 'sed 2q "$0"' 'echo test'; do
     # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
-    if (echo_test_string="`eval $cmd`") 2>/dev/null &&
-       echo_test_string="`eval $cmd`" &&
+    if (echo_test_string=`eval $cmd`) 2>/dev/null &&
+       echo_test_string=`eval $cmd` &&
        (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null
     then
       break
@@ -398,77 +706,340 @@ tagnames=${tagnames+${tagnames},}CXX
 
 tagnames=${tagnames+${tagnames},}F77
 
+exec 7<&0 </dev/null 6>&1
+
 # Name of the host.
 # hostname on some systems (SVR3.2, Linux) returns a bogus exit status,
 # so uname gets run too.
 ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`
 
-exec 6>&1
-
 #
 # Initializations.
 #
 ac_default_prefix=/usr/local
+ac_clean_files=
 ac_config_libobj_dir=.
+LIBOBJS=
 cross_compiling=no
 subdirs=
 MFLAGS=
 MAKEFLAGS=
 SHELL=${CONFIG_SHELL-/bin/sh}
 
-# Maximum number of lines to put in a shell here document.
-# This variable seems obsolete.  It should probably be removed, and
-# only ac_max_sed_lines should be used.
-: ${ac_max_here_lines=38}
-
 # Identity of this package.
 PACKAGE_NAME='Heimdal'
 PACKAGE_TARNAME='heimdal'
-PACKAGE_VERSION='0.6.3'
-PACKAGE_STRING='Heimdal 0.6.3'
-PACKAGE_BUGREPORT='heimdal-bugs@pdc.kth.se'
+PACKAGE_VERSION='1.1'
+PACKAGE_STRING='Heimdal 1.1'
+PACKAGE_BUGREPORT='heimdal-bugs@h5l.org'
 
 ac_unique_file="kuser/kinit.c"
 ac_default_prefix=/usr/heimdal
 # Factoring default headers for most tests.
 ac_includes_default="\
 #include <stdio.h>
-#if HAVE_SYS_TYPES_H
+#ifdef HAVE_SYS_TYPES_H
 # include <sys/types.h>
 #endif
-#if HAVE_SYS_STAT_H
+#ifdef HAVE_SYS_STAT_H
 # include <sys/stat.h>
 #endif
-#if STDC_HEADERS
+#ifdef STDC_HEADERS
 # include <stdlib.h>
 # include <stddef.h>
 #else
-# if HAVE_STDLIB_H
+# ifdef HAVE_STDLIB_H
 #  include <stdlib.h>
 # endif
 #endif
-#if HAVE_STRING_H
-# if !STDC_HEADERS && HAVE_MEMORY_H
+#ifdef HAVE_STRING_H
+# if !defined STDC_HEADERS && defined HAVE_MEMORY_H
 #  include <memory.h>
 # endif
 # include <string.h>
 #endif
-#if HAVE_STRINGS_H
+#ifdef HAVE_STRINGS_H
 # include <strings.h>
 #endif
-#if HAVE_INTTYPES_H
+#ifdef HAVE_INTTYPES_H
 # include <inttypes.h>
-#else
-# if HAVE_STDINT_H
-#  include <stdint.h>
-# endif
 #endif
-#if HAVE_UNISTD_H
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#ifdef HAVE_UNISTD_H
 # include <unistd.h>
 #endif"
 
-ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CYGPATH_W PACKAGE VERSION ACLOCAL AUTOCONF AUTOMAKE AUTOHEADER MAKEINFO AMTAR install_sh STRIP ac_ct_STRIP INSTALL_STRIP_PROGRAM mkdir_p AWK SET_MAKE am__leading_dot MAINTAINER_MODE_TRUE MAINTAINER_MODE_FALSE MAINT build build_cpu build_vendor build_os host host_cpu host_vendor host_os CANONICAL_HOST YACC LEX LEXLIB LEX_OUTPUT_ROOT LN_S EGREP ECHO AR ac_ct_AR RANLIB ac_ct_RANLIB CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL WFLAGS WFLAGS_NOUNUSED WFLAGS_NOIMPLICITINT INCLUDE_openldap LIB_openldap INCLUDE_krb4 LIB_krb4 EXTRA_LIB45 LIB_krb_enable_debug LIB_krb_disable_debug LIB_krb_get_our_ip_for_realm LIB_krb_kdctimeofday LIB_krb_get_kdc_time_diff KRB4_TRUE KRB4_FALSE KRB5_TRUE KRB5_FALSE do_roken_rename_TRUE do_roken_rename_FALSE LIB_kdb HAVE_OPENSSL_TRUE HAVE_OPENSSL_FALSE DIR_des INCLUDE_des LIB_des LIB_des_a LIB_des_so LIB_des_appl DCE_TRUE DCE_FALSE dpagaix_cflags dpagaix_ldadd dpagaix_ldflags LIB_db_create LIB_dbopen LIB_dbm_firstkey HAVE_DB1_TRUE HAVE_DB1_FALSE HAVE_DB3_TRUE HAVE_DB3_FALSE HAVE_NDBM_TRUE HAVE_NDBM_FALSE DBLIB LIB_NDBM VOID_RETSIGTYPE have_err_h_TRUE have_err_h_FALSE have_fnmatch_h_TRUE have_fnmatch_h_FALSE have_ifaddrs_h_TRUE have_ifaddrs_h_FALSE have_vis_h_TRUE have_vis_h_FALSE LIB_socket LIB_gethostbyname LIB_syslog LIB_gethostbyname2 LIB_res_search LIB_res_nsearch LIB_dn_expand LIBOBJS have_glob_h_TRUE have_glob_h_FALSE LIB_getsockopt LIB_setsockopt LIB_hstrerror LIB_bswap16 LIB_bswap32 LIB_pidfile LIB_getaddrinfo LIB_getnameinfo LIB_freeaddrinfo LIB_gai_strerror LIB_crypt DIR_roken LIB_roken INCLUDES_roken LIB_otp OTP_TRUE OTP_FALSE LIB_security NROFF GROFF CATMAN CATMAN_TRUE CATMAN_FALSE CATMANEXT INCLUDE_readline LIB_readline INCLUDE_hesiod LIB_hesiod AIX_TRUE AIX_FALSE AIX4_TRUE AIX4_FALSE LIB_dlopen HAVE_DLOPEN_TRUE HAVE_DLOPEN_FALSE LIB_loadquery AIX_DYNAMIC_AFS_TRUE AIX_DYNAMIC_AFS_FALSE AIX_EXTRA_KAFS IRIX_TRUE IRIX_FALSE X_CFLAGS X_PRE_LIBS X_LIBS X_EXTRA_LIBS HAVE_X_TRUE HAVE_X_FALSE LIB_XauWriteAuth LIB_XauReadAuth LIB_XauFileName NEED_WRITEAUTH_TRUE NEED_WRITEAUTH_FALSE LIB_logwtmp LIB_logout LIB_openpty LIB_tgetent LIB_getpwnam_r LIB_el_init el_compat_TRUE el_compat_FALSE COMPILE_ET DIR_com_err LIB_com_err LIB_com_err_a LIB_com_err_so LIB_AUTH_SUBDIRS LTLIBOBJS'
+ac_subst_vars='SHELL
+PATH_SEPARATOR
+PACKAGE_NAME
+PACKAGE_TARNAME
+PACKAGE_VERSION
+PACKAGE_STRING
+PACKAGE_BUGREPORT
+exec_prefix
+prefix
+program_transform_name
+bindir
+sbindir
+libexecdir
+datarootdir
+datadir
+sysconfdir
+sharedstatedir
+localstatedir
+includedir
+oldincludedir
+docdir
+infodir
+htmldir
+dvidir
+pdfdir
+psdir
+libdir
+localedir
+mandir
+DEFS
+ECHO_C
+ECHO_N
+ECHO_T
+LIBS
+build_alias
+host_alias
+target_alias
+INSTALL_PROGRAM
+INSTALL_SCRIPT
+INSTALL_DATA
+am__isrc
+CYGPATH_W
+PACKAGE
+VERSION
+ACLOCAL
+AUTOCONF
+AUTOMAKE
+AUTOHEADER
+MAKEINFO
+install_sh
+STRIP
+INSTALL_STRIP_PROGRAM
+mkdir_p
+AWK
+SET_MAKE
+am__leading_dot
+AMTAR
+am__tar
+am__untar
+MAINTAINER_MODE_TRUE
+MAINTAINER_MODE_FALSE
+MAINT
+CC
+CFLAGS
+LDFLAGS
+CPPFLAGS
+ac_ct_CC
+EXEEXT
+OBJEXT
+CPP
+build
+build_cpu
+build_vendor
+build_os
+host
+host_cpu
+host_vendor
+host_os
+CANONICAL_HOST
+YACC
+YFLAGS
+LEX
+LEX_OUTPUT_ROOT
+LEXLIB
+LN_S
+GREP
+EGREP
+ECHO
+AR
+RANLIB
+CXX
+CXXFLAGS
+ac_ct_CXX
+CXXCPP
+F77
+FFLAGS
+ac_ct_F77
+LIBTOOL
+ENABLE_SHARED_TRUE
+ENABLE_SHARED_FALSE
+VERSIONING
+versionscript_TRUE
+versionscript_FALSE
+LDFLAGS_VERSION_SCRIPT
+INCLUDE_openldap
+LIB_openldap
+OPENLDAP_MODULE_TRUE
+OPENLDAP_MODULE_FALSE
+PKINIT_TRUE
+PKINIT_FALSE
+DIR_hdbdir
+INCLUDE_krb4
+LIB_krb4
+KRB4_TRUE
+KRB4_FALSE
+KRB5_TRUE
+KRB5_FALSE
+do_roken_rename_TRUE
+do_roken_rename_FALSE
+LIB_kdb
+HAVE_OPENSSL_TRUE
+HAVE_OPENSSL_FALSE
+DIR_hcrypto
+INCLUDE_hcrypto
+LIB_hcrypto
+LIB_hcrypto_a
+LIB_hcrypto_so
+LIB_hcrypto_appl
+PTHREADS_CFLAGS
+PTHREADS_LIBS
+DCE_TRUE
+DCE_FALSE
+dpagaix_cflags
+dpagaix_ldadd
+dpagaix_ldflags
+LIB_db_create
+LIB_dbopen
+LIB_dbm_firstkey
+HAVE_DB1_TRUE
+HAVE_DB1_FALSE
+HAVE_DB3_TRUE
+HAVE_DB3_FALSE
+HAVE_NDBM_TRUE
+HAVE_NDBM_FALSE
+DBLIB
+LIB_NDBM
+WFLAGS
+WFLAGS_NOUNUSED
+WFLAGS_NOIMPLICITINT
+VOID_RETSIGTYPE
+have_err_h_TRUE
+have_err_h_FALSE
+have_ifaddrs_h_TRUE
+have_ifaddrs_h_FALSE
+have_vis_h_TRUE
+have_vis_h_FALSE
+LIB_socket
+LIB_gethostbyname
+LIB_syslog
+LIB_gethostbyname2
+LIB_res_search
+LIB_res_nsearch
+LIB_res_ndestroy
+LIB_dn_expand
+LIBOBJS
+have_glob_h_TRUE
+have_glob_h_FALSE
+have_cgetent_TRUE
+have_cgetent_FALSE
+LIB_getsockopt
+LIB_setsockopt
+LIB_hstrerror
+LIB_bswap16
+LIB_bswap32
+LIB_pidfile
+LIB_getaddrinfo
+LIB_getnameinfo
+LIB_freeaddrinfo
+LIB_gai_strerror
+have_fnmatch_h_TRUE
+have_fnmatch_h_FALSE
+LIB_crypt
+have_socket_wrapper_TRUE
+have_socket_wrapper_FALSE
+DIR_roken
+LIB_roken
+INCLUDES_roken
+LIBADD_roken
+LIB_otp
+OTP_TRUE
+OTP_FALSE
+LIB_security
+NROFF
+GROFF
+CATMAN
+CATMAN_TRUE
+CATMAN_FALSE
+CATMANEXT
+INCLUDE_readline
+LIB_readline
+INCLUDE_hesiod
+LIB_hesiod
+AIX_TRUE
+AIX_FALSE
+AIX4_TRUE
+AIX4_FALSE
+LIB_dlopen
+HAVE_DLOPEN_TRUE
+HAVE_DLOPEN_FALSE
+LIB_loadquery
+AIX_DYNAMIC_AFS_TRUE
+AIX_DYNAMIC_AFS_FALSE
+AIX_EXTRA_KAFS
+IRIX_TRUE
+IRIX_FALSE
+XMKMF
+X_CFLAGS
+X_PRE_LIBS
+X_LIBS
+X_EXTRA_LIBS
+HAVE_X_TRUE
+HAVE_X_FALSE
+LIB_XauWriteAuth
+LIB_XauReadAuth
+LIB_XauFileName
+NEED_WRITEAUTH_TRUE
+NEED_WRITEAUTH_FALSE
+LIB_logwtmp
+LIB_logout
+LIB_openpty
+LIB_tgetent
+LIB_getpwnam_r
+LIB_door_create
+KCM_TRUE
+KCM_FALSE
+FRAMEWORK_SECURITY_TRUE
+FRAMEWORK_SECURITY_FALSE
+LIB_el_init
+el_compat_TRUE
+el_compat_FALSE
+COMPILE_ET
+COM_ERR_TRUE
+COM_ERR_FALSE
+DIR_com_err
+LIB_com_err
+LIB_com_err_a
+LIB_com_err_so
+LIB_AUTH_SUBDIRS
+LTLIBOBJS'
 ac_subst_files=''
+      ac_precious_vars='build_alias
+host_alias
+target_alias
+CC
+CFLAGS
+LDFLAGS
+LIBS
+CPPFLAGS
+CPP
+YACC
+YFLAGS
+CXX
+CXXFLAGS
+CCC
+CXXCPP
+F77
+FFLAGS
+XMKMF'
+
 
 # Initialize some variables set by options.
 ac_init_help=
@@ -495,34 +1066,48 @@ x_libraries=NONE
 # and all the variables that are supposed to be based on exec_prefix
 # by default will actually change.
 # Use braces instead of parens because sh, perl, etc. also accept them.
+# (The list follows the same order as the GNU Coding Standards.)
 bindir='${exec_prefix}/bin'
 sbindir='${exec_prefix}/sbin'
 libexecdir='${exec_prefix}/libexec'
-datadir='${prefix}/share'
+datarootdir='${prefix}/share'
+datadir='${datarootdir}'
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
-libdir='${exec_prefix}/lib'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
-infodir='${prefix}/info'
-mandir='${prefix}/man'
+docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
+infodir='${datarootdir}/info'
+htmldir='${docdir}'
+dvidir='${docdir}'
+pdfdir='${docdir}'
+psdir='${docdir}'
+libdir='${exec_prefix}/lib'
+localedir='${datarootdir}/locale'
+mandir='${datarootdir}/man'
 
 ac_prev=
+ac_dashdash=
 for ac_option
 do
   # If the previous option needs an argument, assign it.
   if test -n "$ac_prev"; then
-    eval "$ac_prev=\$ac_option"
+    eval $ac_prev=\$ac_option
     ac_prev=
     continue
   fi
 
-  ac_optarg=`expr "x$ac_option" : 'x[^=]*=\(.*\)'`
+  case $ac_option in
+  *=*)	ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
+  *)	ac_optarg=yes ;;
+  esac
 
   # Accept the important Cygnus configure options, so we can diagnose typos.
 
-  case $ac_option in
+  case $ac_dashdash$ac_option in
+  --)
+    ac_dashdash=yes ;;
 
   -bindir | --bindir | --bindi | --bind | --bin | --bi)
     ac_prev=bindir ;;
@@ -544,33 +1129,45 @@ do
   --config-cache | -C)
     cache_file=config.cache ;;
 
-  -datadir | --datadir | --datadi | --datad | --data | --dat | --da)
+  -datadir | --datadir | --datadi | --datad)
     ac_prev=datadir ;;
-  -datadir=* | --datadir=* | --datadi=* | --datad=* | --data=* | --dat=* \
-  | --da=*)
+  -datadir=* | --datadir=* | --datadi=* | --datad=*)
     datadir=$ac_optarg ;;
 
+  -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \
+  | --dataroo | --dataro | --datar)
+    ac_prev=datarootdir ;;
+  -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \
+  | --dataroot=* | --dataroo=* | --dataro=* | --datar=*)
+    datarootdir=$ac_optarg ;;
+
   -disable-* | --disable-*)
     ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
     # Reject names that are not valid shell variable names.
-    expr "x$ac_feature" : ".*[^-_$as_cr_alnum]" >/dev/null &&
+    expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
       { echo "$as_me: error: invalid feature name: $ac_feature" >&2
    { (exit 1); exit 1; }; }
-    ac_feature=`echo $ac_feature | sed 's/-/_/g'`
-    eval "enable_$ac_feature=no" ;;
+    ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
+    eval enable_$ac_feature=no ;;
+
+  -docdir | --docdir | --docdi | --doc | --do)
+    ac_prev=docdir ;;
+  -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*)
+    docdir=$ac_optarg ;;
+
+  -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv)
+    ac_prev=dvidir ;;
+  -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*)
+    dvidir=$ac_optarg ;;
 
   -enable-* | --enable-*)
     ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
     # Reject names that are not valid shell variable names.
-    expr "x$ac_feature" : ".*[^-_$as_cr_alnum]" >/dev/null &&
+    expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
       { echo "$as_me: error: invalid feature name: $ac_feature" >&2
    { (exit 1); exit 1; }; }
-    ac_feature=`echo $ac_feature | sed 's/-/_/g'`
-    case $ac_option in
-      *=*) ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`;;
-      *) ac_optarg=yes ;;
-    esac
-    eval "enable_$ac_feature='$ac_optarg'" ;;
+    ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
+    eval enable_$ac_feature=\$ac_optarg ;;
 
   -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
   | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
@@ -597,6 +1194,12 @@ do
   -host=* | --host=* | --hos=* | --ho=*)
     host_alias=$ac_optarg ;;
 
+  -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht)
+    ac_prev=htmldir ;;
+  -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \
+  | --ht=*)
+    htmldir=$ac_optarg ;;
+
   -includedir | --includedir | --includedi | --included | --include \
   | --includ | --inclu | --incl | --inc)
     ac_prev=includedir ;;
@@ -621,13 +1224,16 @@ do
   | --libexe=* | --libex=* | --libe=*)
     libexecdir=$ac_optarg ;;
 
+  -localedir | --localedir | --localedi | --localed | --locale)
+    ac_prev=localedir ;;
+  -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*)
+    localedir=$ac_optarg ;;
+
   -localstatedir | --localstatedir | --localstatedi | --localstated \
-  | --localstate | --localstat | --localsta | --localst \
-  | --locals | --local | --loca | --loc | --lo)
+  | --localstate | --localstat | --localsta | --localst | --locals)
     ac_prev=localstatedir ;;
   -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \
-  | --localstate=* | --localstat=* | --localsta=* | --localst=* \
-  | --locals=* | --local=* | --loca=* | --loc=* | --lo=*)
+  | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*)
     localstatedir=$ac_optarg ;;
 
   -mandir | --mandir | --mandi | --mand | --man | --ma | --m)
@@ -692,6 +1298,16 @@ do
   | --progr-tra=* | --program-tr=* | --program-t=*)
     program_transform_name=$ac_optarg ;;
 
+  -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd)
+    ac_prev=pdfdir ;;
+  -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*)
+    pdfdir=$ac_optarg ;;
+
+  -psdir | --psdir | --psdi | --psd | --ps)
+    ac_prev=psdir ;;
+  -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*)
+    psdir=$ac_optarg ;;
+
   -q | -quiet | --quiet | --quie | --qui | --qu | --q \
   | -silent | --silent | --silen | --sile | --sil)
     silent=yes ;;
@@ -744,24 +1360,20 @@ do
   -with-* | --with-*)
     ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
     # Reject names that are not valid shell variable names.
-    expr "x$ac_package" : ".*[^-_$as_cr_alnum]" >/dev/null &&
+    expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
       { echo "$as_me: error: invalid package name: $ac_package" >&2
    { (exit 1); exit 1; }; }
-    ac_package=`echo $ac_package| sed 's/-/_/g'`
-    case $ac_option in
-      *=*) ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`;;
-      *) ac_optarg=yes ;;
-    esac
-    eval "with_$ac_package='$ac_optarg'" ;;
+    ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
+    eval with_$ac_package=\$ac_optarg ;;
 
   -without-* | --without-*)
     ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'`
     # Reject names that are not valid shell variable names.
-    expr "x$ac_package" : ".*[^-_$as_cr_alnum]" >/dev/null &&
+    expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
       { echo "$as_me: error: invalid package name: $ac_package" >&2
    { (exit 1); exit 1; }; }
-    ac_package=`echo $ac_package | sed 's/-/_/g'`
-    eval "with_$ac_package=no" ;;
+    ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
+    eval with_$ac_package=no ;;
 
   --x)
     # Obsolete; use --with-x.
@@ -792,8 +1404,7 @@ Try \`$0 --help' for more information." >&2
     expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null &&
       { echo "$as_me: error: invalid variable name: $ac_envvar" >&2
    { (exit 1); exit 1; }; }
-    ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`
-    eval "$ac_envvar='$ac_optarg'"
+    eval $ac_envvar=\$ac_optarg
     export $ac_envvar ;;
 
   *)
@@ -813,27 +1424,19 @@ if test -n "$ac_prev"; then
    { (exit 1); exit 1; }; }
 fi
 
-# Be sure to have absolute paths.
-for ac_var in exec_prefix prefix
+# Be sure to have absolute directory names.
+for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
+		datadir sysconfdir sharedstatedir localstatedir includedir \
+		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
+		libdir localedir mandir
 do
-  eval ac_val=$`echo $ac_var`
+  eval ac_val=\$$ac_var
   case $ac_val in
-    [\\/$]* | ?:[\\/]* | NONE | '' ) ;;
-    *)  { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
-   { (exit 1); exit 1; }; };;
-  esac
-done
-
-# Be sure to have absolute paths.
-for ac_var in bindir sbindir libexecdir datadir sysconfdir sharedstatedir \
-	      localstatedir libdir includedir oldincludedir infodir mandir
-do
-  eval ac_val=$`echo $ac_var`
-  case $ac_val in
-    [\\/$]* | ?:[\\/]* ) ;;
-    *)  { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
-   { (exit 1); exit 1; }; };;
+    [\\/$]* | ?:[\\/]* )  continue;;
+    NONE | '' ) case $ac_var in *prefix ) continue;; esac;;
   esac
+  { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
+   { (exit 1); exit 1; }; }
 done
 
 # There might be people who depend on the old broken behavior: `$host'
@@ -860,94 +1463,76 @@ test -n "$host_alias" && ac_tool_prefix=$host_alias-
 test "$silent" = yes && exec 6>/dev/null
 
 
+ac_pwd=`pwd` && test -n "$ac_pwd" &&
+ac_ls_di=`ls -di .` &&
+ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` ||
+  { echo "$as_me: error: Working directory cannot be determined" >&2
+   { (exit 1); exit 1; }; }
+test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
+  { echo "$as_me: error: pwd does not report name of working directory" >&2
+   { (exit 1); exit 1; }; }
+
+
 # Find the source files, if location was not specified.
 if test -z "$srcdir"; then
   ac_srcdir_defaulted=yes
-  # Try the directory containing this script, then its parent.
-  ac_confdir=`(dirname "$0") 2>/dev/null ||
+  # Try the directory containing this script, then the parent directory.
+  ac_confdir=`$as_dirname -- "$0" ||
 $as_expr X"$0" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
 	 X"$0" : 'X\(//\)[^/]' \| \
 	 X"$0" : 'X\(//\)$' \| \
-	 X"$0" : 'X\(/\)' \| \
-	 .     : '\(.\)' 2>/dev/null ||
+	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
 echo X"$0" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
-  	  /^X\(\/\/\)[^/].*/{ s//\1/; q; }
-  	  /^X\(\/\/\)$/{ s//\1/; q; }
-  	  /^X\(\/\).*/{ s//\1/; q; }
-  	  s/.*/./; q'`
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
   srcdir=$ac_confdir
-  if test ! -r $srcdir/$ac_unique_file; then
+  if test ! -r "$srcdir/$ac_unique_file"; then
     srcdir=..
   fi
 else
   ac_srcdir_defaulted=no
 fi
-if test ! -r $srcdir/$ac_unique_file; then
-  if test "$ac_srcdir_defaulted" = yes; then
-    { echo "$as_me: error: cannot find sources ($ac_unique_file) in $ac_confdir or .." >&2
-   { (exit 1); exit 1; }; }
-  else
-    { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
+if test ! -r "$srcdir/$ac_unique_file"; then
+  test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .."
+  { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
    { (exit 1); exit 1; }; }
-  fi
 fi
-(cd $srcdir && test -r ./$ac_unique_file) 2>/dev/null ||
-  { echo "$as_me: error: sources are in $srcdir, but \`cd $srcdir' does not work" >&2
+ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work"
+ac_abs_confdir=`(
+	cd "$srcdir" && test -r "./$ac_unique_file" || { echo "$as_me: error: $ac_msg" >&2
    { (exit 1); exit 1; }; }
-srcdir=`echo "$srcdir" | sed 's%\([^\\/]\)[\\/]*$%\1%'`
-ac_env_build_alias_set=${build_alias+set}
-ac_env_build_alias_value=$build_alias
-ac_cv_env_build_alias_set=${build_alias+set}
-ac_cv_env_build_alias_value=$build_alias
-ac_env_host_alias_set=${host_alias+set}
-ac_env_host_alias_value=$host_alias
-ac_cv_env_host_alias_set=${host_alias+set}
-ac_cv_env_host_alias_value=$host_alias
-ac_env_target_alias_set=${target_alias+set}
-ac_env_target_alias_value=$target_alias
-ac_cv_env_target_alias_set=${target_alias+set}
-ac_cv_env_target_alias_value=$target_alias
-ac_env_CC_set=${CC+set}
-ac_env_CC_value=$CC
-ac_cv_env_CC_set=${CC+set}
-ac_cv_env_CC_value=$CC
-ac_env_CFLAGS_set=${CFLAGS+set}
-ac_env_CFLAGS_value=$CFLAGS
-ac_cv_env_CFLAGS_set=${CFLAGS+set}
-ac_cv_env_CFLAGS_value=$CFLAGS
-ac_env_LDFLAGS_set=${LDFLAGS+set}
-ac_env_LDFLAGS_value=$LDFLAGS
-ac_cv_env_LDFLAGS_set=${LDFLAGS+set}
-ac_cv_env_LDFLAGS_value=$LDFLAGS
-ac_env_CPPFLAGS_set=${CPPFLAGS+set}
-ac_env_CPPFLAGS_value=$CPPFLAGS
-ac_cv_env_CPPFLAGS_set=${CPPFLAGS+set}
-ac_cv_env_CPPFLAGS_value=$CPPFLAGS
-ac_env_CPP_set=${CPP+set}
-ac_env_CPP_value=$CPP
-ac_cv_env_CPP_set=${CPP+set}
-ac_cv_env_CPP_value=$CPP
-ac_env_CXX_set=${CXX+set}
-ac_env_CXX_value=$CXX
-ac_cv_env_CXX_set=${CXX+set}
-ac_cv_env_CXX_value=$CXX
-ac_env_CXXFLAGS_set=${CXXFLAGS+set}
-ac_env_CXXFLAGS_value=$CXXFLAGS
-ac_cv_env_CXXFLAGS_set=${CXXFLAGS+set}
-ac_cv_env_CXXFLAGS_value=$CXXFLAGS
-ac_env_CXXCPP_set=${CXXCPP+set}
-ac_env_CXXCPP_value=$CXXCPP
-ac_cv_env_CXXCPP_set=${CXXCPP+set}
-ac_cv_env_CXXCPP_value=$CXXCPP
-ac_env_F77_set=${F77+set}
-ac_env_F77_value=$F77
-ac_cv_env_F77_set=${F77+set}
-ac_cv_env_F77_value=$F77
-ac_env_FFLAGS_set=${FFLAGS+set}
-ac_env_FFLAGS_value=$FFLAGS
-ac_cv_env_FFLAGS_set=${FFLAGS+set}
-ac_cv_env_FFLAGS_value=$FFLAGS
+	pwd)`
+# When building in place, set srcdir=.
+if test "$ac_abs_confdir" = "$ac_pwd"; then
+  srcdir=.
+fi
+# Remove unnecessary trailing slashes from srcdir.
+# Double slashes in file names in object file debugging info
+# mess up M-x gdb in Emacs.
+case $srcdir in
+*/) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;;
+esac
+for ac_var in $ac_precious_vars; do
+  eval ac_env_${ac_var}_set=\${${ac_var}+set}
+  eval ac_env_${ac_var}_value=\$${ac_var}
+  eval ac_cv_env_${ac_var}_set=\${${ac_var}+set}
+  eval ac_cv_env_${ac_var}_value=\$${ac_var}
+done
 
 #
 # Report the --help message.
@@ -956,7 +1541,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures Heimdal 0.6.3 to adapt to many kinds of systems.
+\`configure' configures Heimdal 1.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -976,9 +1561,6 @@ Configuration:
   -n, --no-create         do not create output files
       --srcdir=DIR        find the sources in DIR [configure dir or \`..']
 
-_ACEOF
-
-  cat <<_ACEOF
 Installation directories:
   --prefix=PREFIX         install architecture-independent files in PREFIX
 			  [$ac_default_prefix]
@@ -996,15 +1578,22 @@ Fine tuning of the installation directories:
   --bindir=DIR           user executables [EPREFIX/bin]
   --sbindir=DIR          system admin executables [EPREFIX/sbin]
   --libexecdir=DIR       program executables [EPREFIX/libexec]
-  --datadir=DIR          read-only architecture-independent data [PREFIX/share]
   --sysconfdir=DIR       read-only single-machine data [PREFIX/etc]
   --sharedstatedir=DIR   modifiable architecture-independent data [PREFIX/com]
   --localstatedir=DIR    modifiable single-machine data [PREFIX/var]
   --libdir=DIR           object code libraries [EPREFIX/lib]
   --includedir=DIR       C header files [PREFIX/include]
   --oldincludedir=DIR    C header files for non-gcc [/usr/include]
-  --infodir=DIR          info documentation [PREFIX/info]
-  --mandir=DIR           man documentation [PREFIX/man]
+  --datarootdir=DIR      read-only arch.-independent data root [PREFIX/share]
+  --datadir=DIR          read-only architecture-independent data [DATAROOTDIR]
+  --infodir=DIR          info documentation [DATAROOTDIR/info]
+  --localedir=DIR        locale-dependent data [DATAROOTDIR/locale]
+  --mandir=DIR           man documentation [DATAROOTDIR/man]
+  --docdir=DIR           documentation root [DATAROOTDIR/doc/heimdal]
+  --htmldir=DIR          html documentation [DOCDIR]
+  --dvidir=DIR           dvi documentation [DOCDIR]
+  --pdfdir=DIR           pdf documentation [DOCDIR]
+  --psdir=DIR            ps documentation [DOCDIR]
 _ACEOF
 
   cat <<\_ACEOF
@@ -1026,7 +1615,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of Heimdal 0.6.3:";;
+     short | recursive ) echo "Configuration of Heimdal 1.1:";;
    esac
   cat <<\_ACEOF
 
@@ -1036,22 +1625,33 @@ Optional Features:
   --enable-maintainer-mode  enable make rules and dependencies not useful
 			  (and sometimes confusing) to the casual installer
   --disable-largefile     omit support for large files
-  --enable-shared[=PKGS]
-                          build shared libraries [default=no]
-  --enable-static[=PKGS]
-                          build static libraries [default=yes]
+  --enable-shared[=PKGS]  build shared libraries [default=yes]
+  --enable-static[=PKGS]  build static libraries [default=yes]
   --enable-fast-install[=PKGS]
                           optimize for fast installation [default=yes]
   --disable-libtool-lock  avoid locking (might break parallel builds)
+  --enable-hdb-openldap-module
+                          if you want support to build openldap hdb as shared
+                          object
+  --disable-pk-init       if you want disable to PK-INIT support
+  --enable-pthread-support
+                          if you want thread safe libraries
   --enable-dce            if you want support for DCE/DFS PAG's
+  --disable-afs-support   if you don't want support for AFS
   --disable-berkeley-db   if you don't want berkeley db
+  --disable-ndbm-db       if you don't want ndbm db
+  --enable-developer      enable developer warnings
+  --enable-socket-wrapper use sambas socket-wrapper for testing
   --disable-otp           if you don't want OTP support
   --enable-osfc2          enable some OSF C2 support
   --disable-mmap          disable use of mmap
+  --disable-afs-string-to-key
+                          disable use of weak AFS string-to-key functions
   --enable-bigendian      the target is big endian
   --enable-littleendian   the target is little endian
   --disable-dynamic-afs   do not use loaded AFS library with AIX
   --enable-netinfo        enable netinfo for configuration lookup
+  --enable-kcm            enable Kerberos Credentials Manager
 
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
@@ -1060,18 +1660,15 @@ Optional Packages:
   --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
   --with-pic              try to use only PIC/non-PIC objects [default=use
                           both]
-  --with-tags[=TAGS]
-                          include additional configurations [automatic]
+  --with-tags[=TAGS]      include additional configurations [automatic]
   --with-openldap=dir     use openldap in dir
   --with-openldap-lib=dir use openldap libraries in dir
   --with-openldap-include=dir
                           use openldap headers in dir
   --with-openldap-config=path
                           config program for openldap
-  --with-krb4=dir         use krb4 in dir
-  --with-krb4-lib=dir     use krb4 libraries in dir
-  --with-krb4-include=dir use krb4 headers in dir
-  --with-krb4-config=path config program for krb4
+  --with-hdbdir           Default location for KDC database
+                          [default=/var/heimdal]
   --with-openssl=dir      use openssl in dir
   --with-openssl-lib=dir  use openssl libraries in dir
   --with-openssl-include=dir
@@ -1096,134 +1693,107 @@ Some influential environment variables:
   CFLAGS      C compiler flags
   LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
               nonstandard directory <lib dir>
-  CPPFLAGS    C/C++ preprocessor flags, e.g. -I<include dir> if you have
-              headers in a nonstandard directory <include dir>
+  LIBS        libraries to pass to the linker, e.g. -l<library>
+  CPPFLAGS    C/C++/Objective C preprocessor flags, e.g. -I<include dir> if
+              you have headers in a nonstandard directory <include dir>
   CPP         C preprocessor
+  YACC        The `Yet Another C Compiler' implementation to use. Defaults to
+              the first program found out of: `bison -y', `byacc', `yacc'.
+  YFLAGS      The list of arguments that will be passed by default to $YACC.
+              This script will default YFLAGS to the empty string to avoid a
+              default value of `-d' given by some make applications.
   CXX         C++ compiler command
   CXXFLAGS    C++ compiler flags
   CXXCPP      C++ preprocessor
   F77         Fortran 77 compiler command
   FFLAGS      Fortran 77 compiler flags
+  XMKMF       Path to xmkmf, Makefile generator for X Window System
 
 Use these variables to override the choices made by `configure' or to help
 it to find libraries and programs with nonstandard names/locations.
 
-Report bugs to <heimdal-bugs@pdc.kth.se>.
+Report bugs to <heimdal-bugs@h5l.org>.
 _ACEOF
+ac_status=$?
 fi
 
 if test "$ac_init_help" = "recursive"; then
   # If there are subdirs, report their specific --help.
-  ac_popdir=`pwd`
   for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue
-    test -d $ac_dir || continue
+    test -d "$ac_dir" || continue
     ac_builddir=.
 
-if test "$ac_dir" != .; then
+case "$ac_dir" in
+.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
+*)
   ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
-  # A "../" for each directory in $ac_dir_suffix.
-  ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'`
-else
-  ac_dir_suffix= ac_top_builddir=
-fi
+  # A ".." for each directory in $ac_dir_suffix.
+  ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
+  case $ac_top_builddir_sub in
+  "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
+  *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
+  esac ;;
+esac
+ac_abs_top_builddir=$ac_pwd
+ac_abs_builddir=$ac_pwd$ac_dir_suffix
+# for backward compatibility:
+ac_top_builddir=$ac_top_build_prefix
 
 case $srcdir in
-  .)  # No --srcdir option.  We are building in place.
+  .)  # We are building in place.
     ac_srcdir=.
-    if test -z "$ac_top_builddir"; then
-       ac_top_srcdir=.
-    else
-       ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'`
-    fi ;;
-  [\\/]* | ?:[\\/]* )  # Absolute path.
+    ac_top_srcdir=$ac_top_builddir_sub
+    ac_abs_top_srcdir=$ac_pwd ;;
+  [\\/]* | ?:[\\/]* )  # Absolute name.
     ac_srcdir=$srcdir$ac_dir_suffix;
-    ac_top_srcdir=$srcdir ;;
-  *) # Relative path.
-    ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix
-    ac_top_srcdir=$ac_top_builddir$srcdir ;;
+    ac_top_srcdir=$srcdir
+    ac_abs_top_srcdir=$srcdir ;;
+  *) # Relative name.
+    ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
+    ac_top_srcdir=$ac_top_build_prefix$srcdir
+    ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
 esac
-
-# Do not use `cd foo && pwd` to compute absolute paths, because
-# the directories may not exist.
-case `pwd` in
-.) ac_abs_builddir="$ac_dir";;
-*)
-  case "$ac_dir" in
-  .) ac_abs_builddir=`pwd`;;
-  [\\/]* | ?:[\\/]* ) ac_abs_builddir="$ac_dir";;
-  *) ac_abs_builddir=`pwd`/"$ac_dir";;
-  esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_top_builddir=${ac_top_builddir}.;;
-*)
-  case ${ac_top_builddir}. in
-  .) ac_abs_top_builddir=$ac_abs_builddir;;
-  [\\/]* | ?:[\\/]* ) ac_abs_top_builddir=${ac_top_builddir}.;;
-  *) ac_abs_top_builddir=$ac_abs_builddir/${ac_top_builddir}.;;
-  esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_srcdir=$ac_srcdir;;
-*)
-  case $ac_srcdir in
-  .) ac_abs_srcdir=$ac_abs_builddir;;
-  [\\/]* | ?:[\\/]* ) ac_abs_srcdir=$ac_srcdir;;
-  *) ac_abs_srcdir=$ac_abs_builddir/$ac_srcdir;;
-  esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_top_srcdir=$ac_top_srcdir;;
-*)
-  case $ac_top_srcdir in
-  .) ac_abs_top_srcdir=$ac_abs_builddir;;
-  [\\/]* | ?:[\\/]* ) ac_abs_top_srcdir=$ac_top_srcdir;;
-  *) ac_abs_top_srcdir=$ac_abs_builddir/$ac_top_srcdir;;
-  esac;;
-esac
-
-    cd $ac_dir
-    # Check for guested configure; otherwise get Cygnus style configure.
-    if test -f $ac_srcdir/configure.gnu; then
-      echo
-      $SHELL $ac_srcdir/configure.gnu  --help=recursive
-    elif test -f $ac_srcdir/configure; then
-      echo
-      $SHELL $ac_srcdir/configure  --help=recursive
-    elif test -f $ac_srcdir/configure.ac ||
-	   test -f $ac_srcdir/configure.in; then
-      echo
-      $ac_configure --help
+ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
+
+    cd "$ac_dir" || { ac_status=$?; continue; }
+    # Check for guested configure.
+    if test -f "$ac_srcdir/configure.gnu"; then
+      echo &&
+      $SHELL "$ac_srcdir/configure.gnu" --help=recursive
+    elif test -f "$ac_srcdir/configure"; then
+      echo &&
+      $SHELL "$ac_srcdir/configure" --help=recursive
     else
       echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
-    fi
-    cd $ac_popdir
+    fi || ac_status=$?
+    cd "$ac_pwd" || { ac_status=$?; break; }
   done
 fi
 
-test -n "$ac_init_help" && exit 0
+test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-Heimdal configure 0.6.3
-generated by GNU Autoconf 2.59
+Heimdal configure 1.1
+generated by GNU Autoconf 2.61
 
-Copyright (C) 2003 Free Software Foundation, Inc.
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
+2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
 This configure script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it.
 _ACEOF
-  exit 0
+  exit
 fi
-exec 5>config.log
-cat >&5 <<_ACEOF
+cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by Heimdal $as_me 0.6.3, which was
-generated by GNU Autoconf 2.59.  Invocation command line was
+It was created by Heimdal $as_me 1.1, which was
+generated by GNU Autoconf 2.61.  Invocation command line was
 
   $ $0 $@
 
 _ACEOF
+exec 5>>config.log
 {
 cat <<_ASUNAME
 ## --------- ##
@@ -1242,7 +1812,7 @@ uname -v = `(uname -v) 2>/dev/null || echo unknown`
 /bin/arch              = `(/bin/arch) 2>/dev/null              || echo unknown`
 /usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null       || echo unknown`
 /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown`
-hostinfo               = `(hostinfo) 2>/dev/null               || echo unknown`
+/usr/bin/hostinfo      = `(/usr/bin/hostinfo) 2>/dev/null      || echo unknown`
 /bin/machine           = `(/bin/machine) 2>/dev/null           || echo unknown`
 /usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null       || echo unknown`
 /bin/universe          = `(/bin/universe) 2>/dev/null          || echo unknown`
@@ -1256,6 +1826,7 @@ do
   test -z "$as_dir" && as_dir=.
   echo "PATH: $as_dir"
 done
+IFS=$as_save_IFS
 
 } >&5
 
@@ -1277,7 +1848,6 @@ _ACEOF
 ac_configure_args=
 ac_configure_args0=
 ac_configure_args1=
-ac_sep=
 ac_must_keep_next=false
 for ac_pass in 1 2
 do
@@ -1288,7 +1858,7 @@ do
     -q | -quiet | --quiet | --quie | --qui | --qu | --q \
     | -silent | --silent | --silen | --sile | --sil)
       continue ;;
-    *" "*|*"	"*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?\"\']*)
+    *\'*)
       ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
     esac
     case $ac_pass in
@@ -1310,9 +1880,7 @@ do
 	  -* ) ac_must_keep_next=true ;;
 	esac
       fi
-      ac_configure_args="$ac_configure_args$ac_sep'$ac_arg'"
-      # Get rid of the leading space.
-      ac_sep=" "
+      ac_configure_args="$ac_configure_args '$ac_arg'"
       ;;
     esac
   done
@@ -1323,8 +1891,8 @@ $as_unset ac_configure_args1 || test "${ac_configure_args1+set}" != set || { ac_
 # When interrupted or exit'd, cleanup temporary files, and complete
 # config.log.  We remove comments because anyway the quotes in there
 # would cause problems or look ugly.
-# WARNING: Be sure not to use single quotes in there, as some shells,
-# such as our DU 5.0 friend, will then `close' the trap.
+# WARNING: Use '\'' to represent an apostrophe within the trap.
+# WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug.
 trap 'exit_status=$?
   # Save into config.log some information that might help in debugging.
   {
@@ -1337,20 +1905,34 @@ trap 'exit_status=$?
 _ASBOX
     echo
     # The following way of writing the cache mishandles newlines in values,
-{
+(
+  for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do
+    eval ac_val=\$$ac_var
+    case $ac_val in #(
+    *${as_nl}*)
+      case $ac_var in #(
+      *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
+echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
+      esac
+      case $ac_var in #(
+      _ | IFS | as_nl) ;; #(
+      *) $as_unset $ac_var ;;
+      esac ;;
+    esac
+  done
   (set) 2>&1 |
-    case `(ac_space='"'"' '"'"'; set | grep ac_space) 2>&1` in
-    *ac_space=\ *)
+    case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #(
+    *${as_nl}ac_space=\ *)
       sed -n \
-	"s/'"'"'/'"'"'\\\\'"'"''"'"'/g;
-	  s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='"'"'\\2'"'"'/p"
-      ;;
+	"s/'\''/'\''\\\\'\'''\''/g;
+	  s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p"
+      ;; #(
     *)
-      sed -n \
-	"s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p"
+      sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
       ;;
-    esac;
-}
+    esac |
+    sort
+)
     echo
 
     cat <<\_ASBOX
@@ -1361,22 +1943,28 @@ _ASBOX
     echo
     for ac_var in $ac_subst_vars
     do
-      eval ac_val=$`echo $ac_var`
-      echo "$ac_var='"'"'$ac_val'"'"'"
+      eval ac_val=\$$ac_var
+      case $ac_val in
+      *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+      esac
+      echo "$ac_var='\''$ac_val'\''"
     done | sort
     echo
 
     if test -n "$ac_subst_files"; then
       cat <<\_ASBOX
-## ------------- ##
-## Output files. ##
-## ------------- ##
+## ------------------- ##
+## File substitutions. ##
+## ------------------- ##
 _ASBOX
       echo
       for ac_var in $ac_subst_files
       do
-	eval ac_val=$`echo $ac_var`
-	echo "$ac_var='"'"'$ac_val'"'"'"
+	eval ac_val=\$$ac_var
+	case $ac_val in
+	*\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+	esac
+	echo "$ac_var='\''$ac_val'\''"
       done | sort
       echo
     fi
@@ -1388,26 +1976,24 @@ _ASBOX
 ## ----------- ##
 _ASBOX
       echo
-      sed "/^$/d" confdefs.h | sort
+      cat confdefs.h
       echo
     fi
     test "$ac_signal" != 0 &&
       echo "$as_me: caught signal $ac_signal"
     echo "$as_me: exit $exit_status"
   } >&5
-  rm -f core *.core &&
-  rm -rf conftest* confdefs* conf$$* $ac_clean_files &&
+  rm -f core *.core core.conftest.* &&
+    rm -f -r conftest* confdefs* conf$$* $ac_clean_files &&
     exit $exit_status
-     ' 0
+' 0
 for ac_signal in 1 2 13 15; do
   trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal
 done
 ac_signal=0
 
 # confdefs.h avoids OS command line length limits that DEFS can exceed.
-rm -rf conftest* confdefs.h
-# AIX cpp loses on an empty file, so make sure it contains at least a newline.
-echo >confdefs.h
+rm -f -r conftest* confdefs.h
 
 # Predefined preprocessor variables.
 
@@ -1438,14 +2024,17 @@ _ACEOF
 
 # Let the site file select an alternate cache file if it wants to.
 # Prefer explicitly selected file to automatically selected ones.
-if test -z "$CONFIG_SITE"; then
-  if test "x$prefix" != xNONE; then
-    CONFIG_SITE="$prefix/share/config.site $prefix/etc/config.site"
-  else
-    CONFIG_SITE="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site"
-  fi
+if test -n "$CONFIG_SITE"; then
+  set x "$CONFIG_SITE"
+elif test "x$prefix" != xNONE; then
+  set x "$prefix/share/config.site" "$prefix/etc/config.site"
+else
+  set x "$ac_default_prefix/share/config.site" \
+	"$ac_default_prefix/etc/config.site"
 fi
-for ac_site_file in $CONFIG_SITE; do
+shift
+for ac_site_file
+do
   if test -r "$ac_site_file"; then
     { echo "$as_me:$LINENO: loading site script $ac_site_file" >&5
 echo "$as_me: loading site script $ac_site_file" >&6;}
@@ -1461,8 +2050,8 @@ if test -r "$cache_file"; then
     { echo "$as_me:$LINENO: loading cache $cache_file" >&5
 echo "$as_me: loading cache $cache_file" >&6;}
     case $cache_file in
-      [\\/]* | ?:[\\/]* ) . $cache_file;;
-      *)                      . ./$cache_file;;
+      [\\/]* | ?:[\\/]* ) . "$cache_file";;
+      *)                      . "./$cache_file";;
     esac
   fi
 else
@@ -1474,12 +2063,11 @@ fi
 # Check that the precious variables saved in the cache have kept the same
 # value.
 ac_cache_corrupted=false
-for ac_var in `(set) 2>&1 |
-	       sed -n 's/^ac_env_\([a-zA-Z_0-9]*\)_set=.*/\1/p'`; do
+for ac_var in $ac_precious_vars; do
   eval ac_old_set=\$ac_cv_env_${ac_var}_set
   eval ac_new_set=\$ac_env_${ac_var}_set
-  eval ac_old_val="\$ac_cv_env_${ac_var}_value"
-  eval ac_new_val="\$ac_env_${ac_var}_value"
+  eval ac_old_val=\$ac_cv_env_${ac_var}_value
+  eval ac_new_val=\$ac_env_${ac_var}_value
   case $ac_old_set,$ac_new_set in
     set,)
       { echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
@@ -1504,8 +2092,7 @@ echo "$as_me:   current value: $ac_new_val" >&2;}
   # Pass precious variables to config.status.
   if test "$ac_new_set" = set; then
     case $ac_new_val in
-    *" "*|*"	"*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?\"\']*)
-      ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
+    *\'*) ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
     *) ac_arg=$ac_var=$ac_new_val ;;
     esac
     case " $ac_configure_args " in
@@ -1522,6 +2109,30 @@ echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start ov
    { (exit 1); exit 1; }; }
 fi
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
@@ -1530,49 +2141,391 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
 
+ac_config_headers="$ac_config_headers include/config.h"
+
+
+am__api_version='1.10'
+
+ac_aux_dir=
+for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do
+  if test -f "$ac_dir/install-sh"; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/install-sh -c"
+    break
+  elif test -f "$ac_dir/install.sh"; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/install.sh -c"
+    break
+  elif test -f "$ac_dir/shtool"; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/shtool install -c"
+    break
+  fi
+done
+if test -z "$ac_aux_dir"; then
+  { { echo "$as_me:$LINENO: error: cannot find install-sh or install.sh in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" >&5
+echo "$as_me: error: cannot find install-sh or install.sh in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+# These three variables are undocumented and unsupported,
+# and are intended to be withdrawn in a future Autoconf release.
+# They can cause serious problems if a builder's source tree is in a directory
+# whose full name contains unusual characters.
+ac_config_guess="$SHELL $ac_aux_dir/config.guess"  # Please don't use this var.
+ac_config_sub="$SHELL $ac_aux_dir/config.sub"  # Please don't use this var.
+ac_configure="$SHELL $ac_aux_dir/configure"  # Please don't use this var.
+
+
+# Find a good install program.  We prefer a C program (faster),
+# so one script is as good as another.  But avoid the broken or
+# incompatible versions:
+# SysV /etc/install, /usr/sbin/install
+# SunOS /usr/etc/install
+# IRIX /sbin/install
+# AIX /bin/install
+# AmigaOS /C/install, which installs bootblocks on floppy discs
+# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
+# AFS /usr/afsws/bin/install, which mishandles nonexistent args
+# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
+# OS/2's system install, which has a completely different semantic
+# ./install, which can be erroneously created by make from ./install.sh.
+{ echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5
+echo $ECHO_N "checking for a BSD-compatible install... $ECHO_C" >&6; }
+if test -z "$INSTALL"; then
+if test "${ac_cv_path_install+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  # Account for people who put trailing slashes in PATH elements.
+case $as_dir/ in
+  ./ | .// | /cC/* | \
+  /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \
+  ?:\\/os2\\/install\\/* | ?:\\/OS2\\/INSTALL\\/* | \
+  /usr/ucb/* ) ;;
+  *)
+    # OSF1 and SCO ODT 3.0 have their own names for install.
+    # Don't use installbsd from OSF since it installs stuff as root
+    # by default.
+    for ac_prog in ginstall scoinst install; do
+      for ac_exec_ext in '' $ac_executable_extensions; do
+	if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then
+	  if test $ac_prog = install &&
+	    grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
+	    # AIX install.  It has an incompatible calling convention.
+	    :
+	  elif test $ac_prog = install &&
+	    grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
+	    # program-specific install script used by HP pwplus--don't use.
+	    :
+	  else
+	    ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c"
+	    break 3
+	  fi
+	fi
+      done
+    done
+    ;;
+esac
+done
+IFS=$as_save_IFS
+
+
+fi
+  if test "${ac_cv_path_install+set}" = set; then
+    INSTALL=$ac_cv_path_install
+  else
+    # As a last resort, use the slow shell script.  Don't cache a
+    # value for INSTALL within a source directory, because that will
+    # break other packages using the cache if that directory is
+    # removed, or if the value is a relative name.
+    INSTALL=$ac_install_sh
+  fi
+fi
+{ echo "$as_me:$LINENO: result: $INSTALL" >&5
+echo "${ECHO_T}$INSTALL" >&6; }
+
+# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
+# It thinks the first close brace ends the variable substitution.
+test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
+
+test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'
+
+test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
+
+{ echo "$as_me:$LINENO: checking whether build environment is sane" >&5
+echo $ECHO_N "checking whether build environment is sane... $ECHO_C" >&6; }
+# Just in case
+sleep 1
+echo timestamp > conftest.file
+# Do `set' in a subshell so we don't clobber the current shell's
+# arguments.  Must try -L first in case configure is actually a
+# symlink; some systems play weird games with the mod time of symlinks
+# (eg FreeBSD returns the mod time of the symlink's containing
+# directory).
+if (
+   set X `ls -Lt $srcdir/configure conftest.file 2> /dev/null`
+   if test "$*" = "X"; then
+      # -L didn't work.
+      set X `ls -t $srcdir/configure conftest.file`
+   fi
+   rm -f conftest.file
+   if test "$*" != "X $srcdir/configure conftest.file" \
+      && test "$*" != "X conftest.file $srcdir/configure"; then
+
+      # If neither matched, then we have a broken ls.  This can happen
+      # if, for instance, CONFIG_SHELL is bash and it inherits a
+      # broken ls alias from the environment.  This has actually
+      # happened.  Such a system could not be considered "sane".
+      { { echo "$as_me:$LINENO: error: ls -t appears to fail.  Make sure there is not a broken
+alias in your environment" >&5
+echo "$as_me: error: ls -t appears to fail.  Make sure there is not a broken
+alias in your environment" >&2;}
+   { (exit 1); exit 1; }; }
+   fi
+
+   test "$2" = conftest.file
+   )
+then
+   # Ok.
+   :
+else
+   { { echo "$as_me:$LINENO: error: newly created file is older than distributed files!
+Check your system clock" >&5
+echo "$as_me: error: newly created file is older than distributed files!
+Check your system clock" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+test "$program_prefix" != NONE &&
+  program_transform_name="s&^&$program_prefix&;$program_transform_name"
+# Use a double $ so make ignores it.
+test "$program_suffix" != NONE &&
+  program_transform_name="s&\$&$program_suffix&;$program_transform_name"
+# Double any \ or $.  echo might interpret backslashes.
+# By default was `s,x,x', remove it if useless.
+cat <<\_ACEOF >conftest.sed
+s/[\\$]/&&/g;s/;s,x,x,$//
+_ACEOF
+program_transform_name=`echo $program_transform_name | sed -f conftest.sed`
+rm -f conftest.sed
+
+# expand $ac_aux_dir to an absolute path
+am_aux_dir=`cd $ac_aux_dir && pwd`
+
+test x"${MISSING+set}" = xset || MISSING="\${SHELL} $am_aux_dir/missing"
+# Use eval to expand $SHELL
+if eval "$MISSING --run true"; then
+  am_missing_run="$MISSING --run "
+else
+  am_missing_run=
+  { echo "$as_me:$LINENO: WARNING: \`missing' script is too old or missing" >&5
+echo "$as_me: WARNING: \`missing' script is too old or missing" >&2;}
+fi
+
+{ echo "$as_me:$LINENO: checking for a thread-safe mkdir -p" >&5
+echo $ECHO_N "checking for a thread-safe mkdir -p... $ECHO_C" >&6; }
+if test -z "$MKDIR_P"; then
+  if test "${ac_cv_path_mkdir+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR/opt/sfw/bin
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_prog in mkdir gmkdir; do
+	 for ac_exec_ext in '' $ac_executable_extensions; do
+	   { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; } || continue
+	   case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #(
+	     'mkdir (GNU coreutils) '* | \
+	     'mkdir (coreutils) '* | \
+	     'mkdir (fileutils) '4.1*)
+	       ac_cv_path_mkdir=$as_dir/$ac_prog$ac_exec_ext
+	       break 3;;
+	   esac
+	 done
+       done
+done
+IFS=$as_save_IFS
 
+fi
 
+  if test "${ac_cv_path_mkdir+set}" = set; then
+    MKDIR_P="$ac_cv_path_mkdir -p"
+  else
+    # As a last resort, use the slow shell script.  Don't cache a
+    # value for MKDIR_P within a source directory, because that will
+    # break other packages using the cache if that directory is
+    # removed, or if the value is a relative name.
+    test -d ./--version && rmdir ./--version
+    MKDIR_P="$ac_install_sh -d"
+  fi
+fi
+{ echo "$as_me:$LINENO: result: $MKDIR_P" >&5
+echo "${ECHO_T}$MKDIR_P" >&6; }
+
+mkdir_p="$MKDIR_P"
+case $mkdir_p in
+  [\\/$]* | ?:[\\/]*) ;;
+  */*) mkdir_p="\$(top_builddir)/$mkdir_p" ;;
+esac
+
+for ac_prog in gawk mawk nawk awk
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_AWK+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$AWK"; then
+  ac_cv_prog_AWK="$AWK" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_AWK="$ac_prog"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
 
+fi
+fi
+AWK=$ac_cv_prog_AWK
+if test -n "$AWK"; then
+  { echo "$as_me:$LINENO: result: $AWK" >&5
+echo "${ECHO_T}$AWK" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
 
 
+  test -n "$AWK" && break
+done
 
+{ echo "$as_me:$LINENO: checking whether ${MAKE-make} sets \$(MAKE)" >&5
+echo $ECHO_N "checking whether ${MAKE-make} sets \$(MAKE)... $ECHO_C" >&6; }
+set x ${MAKE-make}; ac_make=`echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'`
+if { as_var=ac_cv_prog_make_${ac_make}_set; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.make <<\_ACEOF
+SHELL = /bin/sh
+all:
+	@echo '@@@%%%=$(MAKE)=@@@%%%'
+_ACEOF
+# GNU make sometimes prints "make[1]: Entering...", which would confuse us.
+case `${MAKE-make} -f conftest.make 2>/dev/null` in
+  *@@@%%%=?*=@@@%%%*)
+    eval ac_cv_prog_make_${ac_make}_set=yes;;
+  *)
+    eval ac_cv_prog_make_${ac_make}_set=no;;
+esac
+rm -f conftest.make
+fi
+if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+  SET_MAKE=
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+  SET_MAKE="MAKE=${MAKE-make}"
+fi
 
+rm -rf .tst 2>/dev/null
+mkdir .tst 2>/dev/null
+if test -d .tst; then
+  am__leading_dot=.
+else
+  am__leading_dot=_
+fi
+rmdir .tst 2>/dev/null
 
+if test "`cd $srcdir && pwd`" != "`pwd`"; then
+  # Use -I$(srcdir) only when $(srcdir) != ., so that make's output
+  # is not polluted with repeated "-I."
+  am__isrc=' -I$(srcdir)'
+  # test to see if srcdir already configured
+  if test -f $srcdir/config.status; then
+    { { echo "$as_me:$LINENO: error: source directory already configured; run \"make distclean\" there first" >&5
+echo "$as_me: error: source directory already configured; run \"make distclean\" there first" >&2;}
+   { (exit 1); exit 1; }; }
+  fi
+fi
 
+# test whether we have cygpath
+if test -z "$CYGPATH_W"; then
+  if (cygpath --version) >/dev/null 2>/dev/null; then
+    CYGPATH_W='cygpath -w'
+  else
+    CYGPATH_W=echo
+  fi
+fi
 
 
+# Define the identity of the package.
+ PACKAGE='heimdal'
+ VERSION='1.1'
 
 
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE "$PACKAGE"
+_ACEOF
 
 
+cat >>confdefs.h <<_ACEOF
+#define VERSION "$VERSION"
+_ACEOF
 
+# Some tools Automake needs.
 
+ACLOCAL=${ACLOCAL-"${am_missing_run}aclocal-${am__api_version}"}
 
 
+AUTOCONF=${AUTOCONF-"${am_missing_run}autoconf"}
 
 
+AUTOMAKE=${AUTOMAKE-"${am_missing_run}automake-${am__api_version}"}
 
 
+AUTOHEADER=${AUTOHEADER-"${am_missing_run}autoheader"}
 
 
-          ac_config_headers="$ac_config_headers include/config.h"
+MAKEINFO=${MAKEINFO-"${am_missing_run}makeinfo"}
 
+install_sh=${install_sh-"\$(SHELL) $am_aux_dir/install-sh"}
 
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
-set dummy ${ac_tool_prefix}gcc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_CC+set}" = set; then
+# Installed binaries are usually stripped using `strip' when the user
+# run `make install-strip'.  However `strip' might not be the right
+# tool to use in cross-compilation environments, therefore Automake
+# will honor the `STRIP' environment variable to overrule this program.
+if test "$cross_compiling" != no; then
+  if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
+set dummy ${ac_tool_prefix}strip; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_STRIP+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  if test -n "$CC"; then
-  ac_cv_prog_CC="$CC" # Let the user override the test.
+  if test -n "$STRIP"; then
+  ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
 else
 as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
@@ -1580,37 +2533,39 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_prog_CC="${ac_tool_prefix}gcc"
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_STRIP="${ac_tool_prefix}strip"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
 fi
 fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
-  echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6
+STRIP=$ac_cv_prog_STRIP
+if test -n "$STRIP"; then
+  { echo "$as_me:$LINENO: result: $STRIP" >&5
+echo "${ECHO_T}$STRIP" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
+
 fi
-if test -z "$ac_cv_prog_CC"; then
-  ac_ct_CC=$CC
-  # Extract the first word of "gcc", so it can be a program name with args.
-set dummy gcc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+if test -z "$ac_cv_prog_STRIP"; then
+  ac_ct_STRIP=$STRIP
+  # Extract the first word of "strip", so it can be a program name with args.
+set dummy strip; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  if test -n "$ac_ct_CC"; then
-  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+  if test -n "$ac_ct_STRIP"; then
+  ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test.
 else
 as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
@@ -1618,36 +2573,93 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_prog_ac_ct_CC="gcc"
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_ac_ct_STRIP="strip"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
 fi
 fi
-ac_ct_CC=$ac_cv_prog_ac_ct_CC
-if test -n "$ac_ct_CC"; then
-  echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-echo "${ECHO_T}$ac_ct_CC" >&6
+ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP
+if test -n "$ac_ct_STRIP"; then
+  { echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5
+echo "${ECHO_T}$ac_ct_STRIP" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
-  CC=$ac_ct_CC
+  if test "x$ac_ct_STRIP" = x; then
+    STRIP=":"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    STRIP=$ac_ct_STRIP
+  fi
 else
-  CC="$ac_cv_prog_CC"
+  STRIP="$ac_cv_prog_STRIP"
 fi
 
-if test -z "$CC"; then
-  if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
-set dummy ${ac_tool_prefix}cc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+fi
+INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
+
+# We need awk for the "check" target.  The system "awk" is bad on
+# some platforms.
+# Always define AMTAR for backward compatibility.
+
+AMTAR=${AMTAR-"${am_missing_run}tar"}
+
+am__tar='${AMTAR} chof - "$$tardir"'; am__untar='${AMTAR} xf -'
+
+
+
+
+
+{ echo "$as_me:$LINENO: checking whether to enable maintainer-specific portions of Makefiles" >&5
+echo $ECHO_N "checking whether to enable maintainer-specific portions of Makefiles... $ECHO_C" >&6; }
+    # Check whether --enable-maintainer-mode was given.
+if test "${enable_maintainer_mode+set}" = set; then
+  enableval=$enable_maintainer_mode; USE_MAINTAINER_MODE=$enableval
+else
+  USE_MAINTAINER_MODE=no
+fi
+
+  { echo "$as_me:$LINENO: result: $USE_MAINTAINER_MODE" >&5
+echo "${ECHO_T}$USE_MAINTAINER_MODE" >&6; }
+   if test $USE_MAINTAINER_MODE = yes; then
+  MAINTAINER_MODE_TRUE=
+  MAINTAINER_MODE_FALSE='#'
+else
+  MAINTAINER_MODE_TRUE='#'
+  MAINTAINER_MODE_FALSE=
+fi
+
+  MAINT=$MAINTAINER_MODE_TRUE
+
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}gcc; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_CC+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -1660,32 +2672,34 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_prog_CC="${ac_tool_prefix}cc"
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_CC="${ac_tool_prefix}gcc"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
 fi
 fi
 CC=$ac_cv_prog_CC
 if test -n "$CC"; then
-  echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6
+  { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
+
 fi
 if test -z "$ac_cv_prog_CC"; then
   ac_ct_CC=$CC
-  # Extract the first word of "cc", so it can be a program name with args.
-set dummy cc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+  # Extract the first word of "gcc", so it can be a program name with args.
+set dummy gcc; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -1698,36 +2712,91 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_prog_ac_ct_CC="cc"
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_ac_ct_CC="gcc"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
 fi
 fi
 ac_ct_CC=$ac_cv_prog_ac_ct_CC
 if test -n "$ac_ct_CC"; then
-  echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-echo "${ECHO_T}$ac_ct_CC" >&6
+  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
-  CC=$ac_ct_CC
+  if test "x$ac_ct_CC" = x; then
+    CC=""
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    CC=$ac_ct_CC
+  fi
 else
   CC="$ac_cv_prog_CC"
 fi
 
+if test -z "$CC"; then
+          if test -n "$ac_tool_prefix"; then
+    # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}cc; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_prog_CC="${ac_tool_prefix}cc"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+  fi
 fi
 if test -z "$CC"; then
   # Extract the first word of "cc", so it can be a program name with args.
 set dummy cc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_CC+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -1741,7 +2810,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
        ac_prog_rejected=yes
        continue
@@ -1752,6 +2821,7 @@ do
   fi
 done
 done
+IFS=$as_save_IFS
 
 if test $ac_prog_rejected = yes; then
   # We found a bogon in the path, so make sure we never use it.
@@ -1769,22 +2839,23 @@ fi
 fi
 CC=$ac_cv_prog_CC
 if test -n "$CC"; then
-  echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6
+  { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
+
 fi
 if test -z "$CC"; then
   if test -n "$ac_tool_prefix"; then
-  for ac_prog in cl
+  for ac_prog in cl.exe
   do
     # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
 set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_CC+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -1797,36 +2868,38 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
 fi
 fi
 CC=$ac_cv_prog_CC
 if test -n "$CC"; then
-  echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6
+  { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
+
     test -n "$CC" && break
   done
 fi
 if test -z "$CC"; then
   ac_ct_CC=$CC
-  for ac_prog in cl
+  for ac_prog in cl.exe
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -1839,29 +2912,45 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_CC="$ac_prog"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
 fi
 fi
 ac_ct_CC=$ac_cv_prog_ac_ct_CC
 if test -n "$ac_ct_CC"; then
-  echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-echo "${ECHO_T}$ac_ct_CC" >&6
+  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
+
   test -n "$ac_ct_CC" && break
 done
 
-  CC=$ac_ct_CC
+  if test "x$ac_ct_CC" = x; then
+    CC=""
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    CC=$ac_ct_CC
+  fi
 fi
 
 fi
@@ -1874,21 +2963,35 @@ See \`config.log' for more details." >&2;}
    { (exit 1); exit 1; }; }
 
 # Provide some information about the compiler.
-echo "$as_me:$LINENO:" \
-     "checking for C compiler version" >&5
+echo "$as_me:$LINENO: checking for C compiler version" >&5
 ac_compiler=`set X $ac_compile; echo $2`
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5
-  (eval $ac_compiler --version </dev/null >&5) 2>&5
+{ (ac_try="$ac_compiler --version >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compiler --version >&5") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler -v </dev/null >&5\"") >&5
-  (eval $ac_compiler -v </dev/null >&5) 2>&5
+{ (ac_try="$ac_compiler -v >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compiler -v >&5") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler -V </dev/null >&5\"") >&5
-  (eval $ac_compiler -V </dev/null >&5) 2>&5
+{ (ac_try="$ac_compiler -V >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compiler -V >&5") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
@@ -1913,47 +3016,77 @@ ac_clean_files="$ac_clean_files a.out a.exe b.out"
 # Try to create an executable without -o first, disregard a.out.
 # It will help us diagnose broken compilers, and finding out an intuition
 # of exeext.
-echo "$as_me:$LINENO: checking for C compiler default output file name" >&5
-echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for C compiler default output file name" >&5
+echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6; }
 ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
-if { (eval echo "$as_me:$LINENO: \"$ac_link_default\"") >&5
-  (eval $ac_link_default) 2>&5
+#
+# List of possible output files, starting from the most likely.
+# The algorithm is not robust to junk in `.', hence go to wildcards (a.*)
+# only as a last resort.  b.out is created by i960 compilers.
+ac_files='a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out'
+#
+# The IRIX 6 linker writes into existing files which may not be
+# executable, retaining their permissions.  Remove them first so a
+# subsequent execution test works.
+ac_rmfiles=
+for ac_file in $ac_files
+do
+  case $ac_file in
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
+    * ) ac_rmfiles="$ac_rmfiles $ac_file";;
+  esac
+done
+rm -f $ac_rmfiles
+
+if { (ac_try="$ac_link_default"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link_default") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
-  # Find the output, starting from the most likely.  This scheme is
-# not robust to junk in `.', hence go to wildcards (a.*) only as a last
-# resort.
-
-# Be careful to initialize this variable, since it used to be cached.
-# Otherwise an old cache value of `no' led to `EXEEXT = no' in a Makefile.
-ac_cv_exeext=
-# b.out is created by i960 compilers.
-for ac_file in a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out
+  # Autoconf-2.13 could set the ac_cv_exeext variable to `no'.
+# So ignore a value of `no', otherwise this would lead to `EXEEXT = no'
+# in a Makefile.  We should not override ac_cv_exeext if it was cached,
+# so that the user can short-circuit this test for compilers unknown to
+# Autoconf.
+for ac_file in $ac_files ''
 do
   test -f "$ac_file" || continue
   case $ac_file in
-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.o | *.obj )
-	;;
-    conftest.$ac_ext )
-	# This is the source file.
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj )
 	;;
     [ab].out )
 	# We found the default executable, but exeext='' is most
 	# certainly right.
 	break;;
     *.* )
-	ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
-	# FIXME: I believe we export ac_cv_exeext for Libtool,
-	# but it would be cool to find out if it's true.  Does anybody
-	# maintain Libtool? --akim.
-	export ac_cv_exeext
+        if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
+	then :; else
+	   ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+	fi
+	# We set ac_cv_exeext here because the later test for it is not
+	# safe: cross compilers may not add the suffix if given an `-o'
+	# argument, so we may need to know it at that point already.
+	# Even if this section looks crufty: it has the advantage of
+	# actually working.
 	break;;
     * )
 	break;;
   esac
 done
+test "$ac_cv_exeext" = no && ac_cv_exeext=
+
 else
+  ac_file=''
+fi
+
+{ echo "$as_me:$LINENO: result: $ac_file" >&5
+echo "${ECHO_T}$ac_file" >&6; }
+if test -z "$ac_file"; then
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
@@ -1965,19 +3098,21 @@ See \`config.log' for more details." >&2;}
 fi
 
 ac_exeext=$ac_cv_exeext
-echo "$as_me:$LINENO: result: $ac_file" >&5
-echo "${ECHO_T}$ac_file" >&6
 
-# Check the compiler produces executables we can run.  If not, either
+# Check that the compiler produces executables we can run.  If not, either
 # the compiler is broken, or we cross compile.
-echo "$as_me:$LINENO: checking whether the C compiler works" >&5
-echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether the C compiler works" >&5
+echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6; }
 # FIXME: These cross compiler hacks should be removed for Autoconf 3.0
 # If not cross compiling, check that we can run a simple program.
 if test "$cross_compiling" != yes; then
   if { ac_try='./$ac_file'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
@@ -1996,22 +3131,27 @@ See \`config.log' for more details." >&2;}
     fi
   fi
 fi
-echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 
 rm -f a.out a.exe conftest$ac_cv_exeext b.out
 ac_clean_files=$ac_clean_files_save
-# Check the compiler produces executables we can run.  If not, either
+# Check that the compiler produces executables we can run.  If not, either
 # the compiler is broken, or we cross compile.
-echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
-echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6
-echo "$as_me:$LINENO: result: $cross_compiling" >&5
-echo "${ECHO_T}$cross_compiling" >&6
-
-echo "$as_me:$LINENO: checking for suffix of executables" >&5
-echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
+{ echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
+echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6; }
+{ echo "$as_me:$LINENO: result: $cross_compiling" >&5
+echo "${ECHO_T}$cross_compiling" >&6; }
+
+{ echo "$as_me:$LINENO: checking for suffix of executables" >&5
+echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6; }
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
@@ -2022,9 +3162,8 @@ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
 for ac_file in conftest.exe conftest conftest.*; do
   test -f "$ac_file" || continue
   case $ac_file in
-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.o | *.obj ) ;;
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
     *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
-	  export ac_cv_exeext
 	  break;;
     * ) break;;
   esac
@@ -2038,14 +3177,14 @@ See \`config.log' for more details." >&2;}
 fi
 
 rm -f conftest$ac_cv_exeext
-echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
-echo "${ECHO_T}$ac_cv_exeext" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
+echo "${ECHO_T}$ac_cv_exeext" >&6; }
 
 rm -f conftest.$ac_ext
 EXEEXT=$ac_cv_exeext
 ac_exeext=$EXEEXT
-echo "$as_me:$LINENO: checking for suffix of object files" >&5
-echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for suffix of object files" >&5
+echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6; }
 if test "${ac_cv_objext+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -2065,14 +3204,20 @@ main ()
 }
 _ACEOF
 rm -f conftest.o conftest.obj
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
-  for ac_file in `(ls conftest.o conftest.obj; ls conftest.*) 2>/dev/null`; do
+  for ac_file in conftest.o conftest.obj conftest.*; do
+  test -f "$ac_file" || continue;
   case $ac_file in
-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg ) ;;
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf ) ;;
     *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
        break;;
   esac
@@ -2090,12 +3235,12 @@ fi
 
 rm -f conftest.$ac_cv_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
-echo "${ECHO_T}$ac_cv_objext" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
+echo "${ECHO_T}$ac_cv_objext" >&6; }
 OBJEXT=$ac_cv_objext
 ac_objext=$OBJEXT
-echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
-echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
+echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6; }
 if test "${ac_cv_c_compiler_gnu+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -2118,50 +3263,49 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_compiler_gnu=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_compiler_gnu=no
+	ac_compiler_gnu=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 ac_cv_c_compiler_gnu=$ac_compiler_gnu
 
 fi
-echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
-echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
+echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6; }
 GCC=`test $ac_compiler_gnu = yes && echo yes`
 ac_test_CFLAGS=${CFLAGS+set}
 ac_save_CFLAGS=$CFLAGS
-CFLAGS="-g"
-echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
-echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
+echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6; }
 if test "${ac_cv_prog_cc_g+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat >conftest.$ac_ext <<_ACEOF
+  ac_save_c_werror_flag=$ac_c_werror_flag
+   ac_c_werror_flag=yes
+   ac_cv_prog_cc_g=no
+   CFLAGS="-g"
+   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
@@ -2177,38 +3321,118 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_prog_cc_g=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	CFLAGS=""
+      cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  :
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_c_werror_flag=$ac_save_c_werror_flag
+	 CFLAGS="-g"
+	 cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_prog_cc_g=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_prog_cc_g=no
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+   ac_c_werror_flag=$ac_save_c_werror_flag
 fi
-echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
-echo "${ECHO_T}$ac_cv_prog_cc_g" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_g" >&6; }
 if test "$ac_test_CFLAGS" = set; then
   CFLAGS=$ac_save_CFLAGS
 elif test $ac_cv_prog_cc_g = yes; then
@@ -2224,12 +3448,12 @@ else
     CFLAGS=
   fi
 fi
-echo "$as_me:$LINENO: checking for $CC option to accept ANSI C" >&5
-echo $ECHO_N "checking for $CC option to accept ANSI C... $ECHO_C" >&6
-if test "${ac_cv_prog_cc_stdc+set}" = set; then
+{ echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
+echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; }
+if test "${ac_cv_prog_cc_c89+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  ac_cv_prog_cc_stdc=no
+  ac_cv_prog_cc_c89=no
 ac_save_CC=$CC
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -2263,12 +3487,17 @@ static char *f (char * (*g) (char **, int), char **p, ...)
 /* OSF 4.0 Compaq cc is some sort of almost-ANSI by default.  It has
    function prototypes and stuff, but not '\xHH' hex character constants.
    These don't provoke an error unfortunately, instead are silently treated
-   as 'x'.  The following induces an error, until -std1 is added to get
+   as 'x'.  The following induces an error, until -std is added to get
    proper ANSI mode.  Curiously '\x00'!='x' always comes out true, for an
    array size at least.  It's necessary to write '\x00'==0 to get something
-   that's true only with -std1.  */
+   that's true only with -std.  */
 int osf4_cc_array ['\x00' == 0 ? 1 : -1];
 
+/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters
+   inside strings and character constants.  */
+#define FOO(x) 'x'
+int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1];
+
 int test (int i, double x);
 struct s1 {int (*f) (int a);};
 struct s2 {int (*f) (double a);};
@@ -2283,218 +3512,196 @@ return f (e, argv, 0) != argv[0]  ||  f (e, argv, 1) != argv[1];
   return 0;
 }
 _ACEOF
-# Don't try gcc -ansi; that turns off useful extensions and
-# breaks some systems' header files.
-# AIX			-qlanglvl=ansi
-# Ultrix and OSF/1	-std1
-# HP-UX 10.20 and later	-Ae
-# HP-UX older versions	-Aa -D_HPUX_SOURCE
-# SVR4			-Xc -D__EXTENSIONS__
-for ac_arg in "" -qlanglvl=ansi -std1 -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
+for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \
+	-Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
 do
   CC="$ac_save_CC $ac_arg"
   rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_prog_cc_stdc=$ac_arg
-break
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_prog_cc_c89=$ac_arg
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext
+
+rm -f core conftest.err conftest.$ac_objext
+  test "x$ac_cv_prog_cc_c89" != "xno" && break
 done
-rm -f conftest.$ac_ext conftest.$ac_objext
+rm -f conftest.$ac_ext
 CC=$ac_save_CC
 
 fi
-
-case "x$ac_cv_prog_cc_stdc" in
-  x|xno)
-    echo "$as_me:$LINENO: result: none needed" >&5
-echo "${ECHO_T}none needed" >&6 ;;
+# AC_CACHE_VAL
+case "x$ac_cv_prog_cc_c89" in
+  x)
+    { echo "$as_me:$LINENO: result: none needed" >&5
+echo "${ECHO_T}none needed" >&6; } ;;
+  xno)
+    { echo "$as_me:$LINENO: result: unsupported" >&5
+echo "${ECHO_T}unsupported" >&6; } ;;
   *)
-    echo "$as_me:$LINENO: result: $ac_cv_prog_cc_stdc" >&5
-echo "${ECHO_T}$ac_cv_prog_cc_stdc" >&6
-    CC="$CC $ac_cv_prog_cc_stdc" ;;
+    CC="$CC $ac_cv_prog_cc_c89"
+    { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;;
 esac
 
-# Some people use a C++ compiler to compile C.  Since we use `exit',
-# in C++ we need to declare it.  In case someone uses the same compiler
-# for both compiling C and C++ we need to have the C++ compiler decide
-# the declaration of exit, since it's the most demanding environment.
-cat >conftest.$ac_ext <<_ACEOF
-#ifndef __cplusplus
-  choke me
-#endif
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  for ac_declaration in \
-   '' \
-   'extern "C" void std::exit (int) throw (); using std::exit;' \
-   'extern "C" void std::exit (int); using std::exit;' \
-   'extern "C" void exit (int) throw ();' \
-   'extern "C" void exit (int);' \
-   'void exit (int);'
-do
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+if test "x$CC" != xcc; then
+  { echo "$as_me:$LINENO: checking whether $CC and cc understand -c and -o together" >&5
+echo $ECHO_N "checking whether $CC and cc understand -c and -o together... $ECHO_C" >&6; }
+else
+  { echo "$as_me:$LINENO: checking whether cc understands -c and -o together" >&5
+echo $ECHO_N "checking whether cc understands -c and -o together... $ECHO_C" >&6; }
+fi
+set dummy $CC; ac_cc=`echo $2 |
+		      sed 's/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/'`
+if { as_var=ac_cv_prog_cc_${ac_cc}_c_o; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-$ac_declaration
-#include <stdlib.h>
+
 int
 main ()
 {
-exit (42);
+
   ;
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+# Make sure it works both with $CC and with simple cc.
+# We do the test twice because some compilers refuse to overwrite an
+# existing .o file with -o, though they will create one.
+ac_try='$CC -c conftest.$ac_ext -o conftest2.$ac_objext >&5'
+rm -f conftest2.*
+if { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+   test -f conftest2.$ac_objext && { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  (exit $ac_status); };
+then
+  eval ac_cv_prog_cc_${ac_cc}_c_o=yes
+  if test "x$CC" != xcc; then
+    # Test first that cc exists at all.
+    if { ac_try='cc -c conftest.$ac_ext >&5'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
-  :
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-continue
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_declaration
-int
-main ()
-{
-exit (42);
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+      ac_try='cc -c conftest.$ac_ext -o conftest2.$ac_objext >&5'
+      rm -f conftest2.*
+      if { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+	 test -f conftest2.$ac_objext && { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  break
+  (exit $ac_status); };
+      then
+	# cc works too.
+	:
+      else
+	# cc exists but doesn't like -o.
+	eval ac_cv_prog_cc_${ac_cc}_c_o=no
+      fi
+    fi
+  fi
 else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-done
-rm -f conftest*
-if test -n "$ac_declaration"; then
-  echo '#ifdef __cplusplus' >>confdefs.h
-  echo $ac_declaration      >>confdefs.h
-  echo '#endif'             >>confdefs.h
+  eval ac_cv_prog_cc_${ac_cc}_c_o=no
 fi
+rm -f core conftest*
 
+fi
+if eval test \$ac_cv_prog_cc_${ac_cc}_c_o = yes; then
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+
+cat >>confdefs.h <<\_ACEOF
+#define NO_MINUS_C_MINUS_O 1
+_ACEOF
 
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+# FIXME: we rely on the cache variable name because
+# there is no other way.
+set dummy $CC
+ac_cc=`echo $2 | sed 's/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/'`
+if eval "test \"`echo '$ac_cv_prog_cc_'${ac_cc}_c_o`\" != yes"; then
+   # Losing compiler, so override with the script.
+   # FIXME: It is wrong to rewrite CC.
+   # But if we don't then we get into trouble of one sort or another.
+   # A longer-term fix would be to have automake use am__CC in this case,
+   # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
+   CC="$am_aux_dir/compile $CC"
+fi
+
 
 ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
-echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5
-echo $ECHO_N "checking how to run the C preprocessor... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5
+echo $ECHO_N "checking how to run the C preprocessor... $ECHO_C" >&6; }
 # On Suns, sometimes $CPP names a directory.
 if test -n "$CPP" && test -d "$CPP"; then
   CPP=
@@ -2528,24 +3735,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 #endif
 		     Syntax error
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   :
 else
   echo "$as_me: failed program was:" >&5
@@ -2554,9 +3759,10 @@ sed 's/^/| /' conftest.$ac_ext >&5
   # Broken: fails on valid input.
 continue
 fi
+
 rm -f conftest.err conftest.$ac_ext
 
-  # OK, works on sane cases.  Now check whether non-existent headers
+  # OK, works on sane cases.  Now check whether nonexistent headers
   # can be detected and how.
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -2566,24 +3772,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <ac_nonexistent.h>
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   # Broken: success on invalid input.
 continue
 else
@@ -2594,6 +3798,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ac_preproc_ok=:
 break
 fi
+
 rm -f conftest.err conftest.$ac_ext
 
 done
@@ -2611,8 +3816,8 @@ fi
 else
   ac_cv_prog_CPP=$CPP
 fi
-echo "$as_me:$LINENO: result: $CPP" >&5
-echo "${ECHO_T}$CPP" >&6
+{ echo "$as_me:$LINENO: result: $CPP" >&5
+echo "${ECHO_T}$CPP" >&6; }
 ac_preproc_ok=false
 for ac_c_preproc_warn_flag in '' yes
 do
@@ -2635,24 +3840,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 #endif
 		     Syntax error
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   :
 else
   echo "$as_me: failed program was:" >&5
@@ -2661,9 +3864,10 @@ sed 's/^/| /' conftest.$ac_ext >&5
   # Broken: fails on valid input.
 continue
 fi
+
 rm -f conftest.err conftest.$ac_ext
 
-  # OK, works on sane cases.  Now check whether non-existent headers
+  # OK, works on sane cases.  Now check whether nonexistent headers
   # can be detected and how.
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -2673,24 +3877,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <ac_nonexistent.h>
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   # Broken: success on invalid input.
 continue
 else
@@ -2701,6 +3903,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ac_preproc_ok=:
 break
 fi
+
 rm -f conftest.err conftest.$ac_ext
 
 done
@@ -2724,528 +3927,130 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
 
-am__api_version="1.8"
-ac_aux_dir=
-for ac_dir in $srcdir $srcdir/.. $srcdir/../..; do
-  if test -f $ac_dir/install-sh; then
-    ac_aux_dir=$ac_dir
-    ac_install_sh="$ac_aux_dir/install-sh -c"
-    break
-  elif test -f $ac_dir/install.sh; then
-    ac_aux_dir=$ac_dir
-    ac_install_sh="$ac_aux_dir/install.sh -c"
-    break
-  elif test -f $ac_dir/shtool; then
-    ac_aux_dir=$ac_dir
-    ac_install_sh="$ac_aux_dir/shtool install -c"
-    break
-  fi
-done
-if test -z "$ac_aux_dir"; then
-  { { echo "$as_me:$LINENO: error: cannot find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." >&5
-echo "$as_me: error: cannot find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-ac_config_guess="$SHELL $ac_aux_dir/config.guess"
-ac_config_sub="$SHELL $ac_aux_dir/config.sub"
-ac_configure="$SHELL $ac_aux_dir/configure" # This should be Cygnus configure.
-
-# Find a good install program.  We prefer a C program (faster),
-# so one script is as good as another.  But avoid the broken or
-# incompatible versions:
-# SysV /etc/install, /usr/sbin/install
-# SunOS /usr/etc/install
-# IRIX /sbin/install
-# AIX /bin/install
-# AmigaOS /C/install, which installs bootblocks on floppy discs
-# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
-# AFS /usr/afsws/bin/install, which mishandles nonexistent args
-# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
-# OS/2's system install, which has a completely different semantic
-# ./install, which can be erroneously created by make from ./install.sh.
-echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5
-echo $ECHO_N "checking for a BSD-compatible install... $ECHO_C" >&6
-if test -z "$INSTALL"; then
-if test "${ac_cv_path_install+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  # Account for people who put trailing slashes in PATH elements.
-case $as_dir/ in
-  ./ | .// | /cC/* | \
-  /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \
-  ?:\\/os2\\/install\\/* | ?:\\/OS2\\/INSTALL\\/* | \
-  /usr/ucb/* ) ;;
-  *)
-    # OSF1 and SCO ODT 3.0 have their own names for install.
-    # Don't use installbsd from OSF since it installs stuff as root
-    # by default.
-    for ac_prog in ginstall scoinst install; do
-      for ac_exec_ext in '' $ac_executable_extensions; do
-	if $as_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then
-	  if test $ac_prog = install &&
-	    grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
-	    # AIX install.  It has an incompatible calling convention.
-	    :
-	  elif test $ac_prog = install &&
-	    grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
-	    # program-specific install script used by HP pwplus--don't use.
-	    :
-	  else
-	    ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c"
-	    break 3
-	  fi
-	fi
-      done
-    done
-    ;;
-esac
-done
-
-
-fi
-  if test "${ac_cv_path_install+set}" = set; then
-    INSTALL=$ac_cv_path_install
-  else
-    # As a last resort, use the slow shell script.  We don't cache a
-    # path for INSTALL within a source directory, because that will
-    # break other packages using the cache if that directory is
-    # removed, or if the path is relative.
-    INSTALL=$ac_install_sh
-  fi
-fi
-echo "$as_me:$LINENO: result: $INSTALL" >&5
-echo "${ECHO_T}$INSTALL" >&6
-
-# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
-# It thinks the first close brace ends the variable substitution.
-test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
-
-test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'
-
-test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
-
-echo "$as_me:$LINENO: checking whether build environment is sane" >&5
-echo $ECHO_N "checking whether build environment is sane... $ECHO_C" >&6
-# Just in case
-sleep 1
-echo timestamp > conftest.file
-# Do `set' in a subshell so we don't clobber the current shell's
-# arguments.  Must try -L first in case configure is actually a
-# symlink; some systems play weird games with the mod time of symlinks
-# (eg FreeBSD returns the mod time of the symlink's containing
-# directory).
-if (
-   set X `ls -Lt $srcdir/configure conftest.file 2> /dev/null`
-   if test "$*" = "X"; then
-      # -L didn't work.
-      set X `ls -t $srcdir/configure conftest.file`
-   fi
-   rm -f conftest.file
-   if test "$*" != "X $srcdir/configure conftest.file" \
-      && test "$*" != "X conftest.file $srcdir/configure"; then
-
-      # If neither matched, then we have a broken ls.  This can happen
-      # if, for instance, CONFIG_SHELL is bash and it inherits a
-      # broken ls alias from the environment.  This has actually
-      # happened.  Such a system could not be considered "sane".
-      { { echo "$as_me:$LINENO: error: ls -t appears to fail.  Make sure there is not a broken
-alias in your environment" >&5
-echo "$as_me: error: ls -t appears to fail.  Make sure there is not a broken
-alias in your environment" >&2;}
-   { (exit 1); exit 1; }; }
-   fi
-
-   test "$2" = conftest.file
-   )
-then
-   # Ok.
-   :
-else
-   { { echo "$as_me:$LINENO: error: newly created file is older than distributed files!
-Check your system clock" >&5
-echo "$as_me: error: newly created file is older than distributed files!
-Check your system clock" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-test "$program_prefix" != NONE &&
-  program_transform_name="s,^,$program_prefix,;$program_transform_name"
-# Use a double $ so make ignores it.
-test "$program_suffix" != NONE &&
-  program_transform_name="s,\$,$program_suffix,;$program_transform_name"
-# Double any \ or $.  echo might interpret backslashes.
-# By default was `s,x,x', remove it if useless.
-cat <<\_ACEOF >conftest.sed
-s/[\\$]/&&/g;s/;s,x,x,$//
-_ACEOF
-program_transform_name=`echo $program_transform_name | sed -f conftest.sed`
-rm conftest.sed
-
-# expand $ac_aux_dir to an absolute path
-am_aux_dir=`cd $ac_aux_dir && pwd`
-
-test x"${MISSING+set}" = xset || MISSING="\${SHELL} $am_aux_dir/missing"
-# Use eval to expand $SHELL
-if eval "$MISSING --run true"; then
-  am_missing_run="$MISSING --run "
-else
-  am_missing_run=
-  { echo "$as_me:$LINENO: WARNING: \`missing' script is too old or missing" >&5
-echo "$as_me: WARNING: \`missing' script is too old or missing" >&2;}
-fi
-
-if mkdir -p --version . >/dev/null 2>&1 && test ! -d ./--version; then
-  # Keeping the `.' argument allows $(mkdir_p) to be used without
-  # argument.  Indeed, we sometimes output rules like
-  #   $(mkdir_p) $(somedir)
-  # where $(somedir) is conditionally defined.
-  # (`test -n '$(somedir)' && $(mkdir_p) $(somedir)' is a more
-  # expensive solution, as it forces Make to start a sub-shell.)
-  mkdir_p='mkdir -p -- .'
-else
-  # On NextStep and OpenStep, the `mkdir' command does not
-  # recognize any option.  It will interpret all options as
-  # directories to create, and then abort because `.' already
-  # exists.
-  for d in ./-p ./--version;
-  do
-    test -d $d && rmdir $d
-  done
-  # $(mkinstalldirs) is defined by Automake if mkinstalldirs exists.
-  if test -f "$ac_aux_dir/mkinstalldirs"; then
-    mkdir_p='$(mkinstalldirs)'
-  else
-    mkdir_p='$(install_sh) -d'
-  fi
-fi
-
-for ac_prog in gawk mawk nawk awk
-do
-  # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_AWK+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$AWK"; then
-  ac_cv_prog_AWK="$AWK" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_prog_AWK="$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-
-fi
-fi
-AWK=$ac_cv_prog_AWK
-if test -n "$AWK"; then
-  echo "$as_me:$LINENO: result: $AWK" >&5
-echo "${ECHO_T}$AWK" >&6
-else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-  test -n "$AWK" && break
-done
-
-echo "$as_me:$LINENO: checking whether ${MAKE-make} sets \$(MAKE)" >&5
-echo $ECHO_N "checking whether ${MAKE-make} sets \$(MAKE)... $ECHO_C" >&6
-set dummy ${MAKE-make}; ac_make=`echo "$2" | sed 'y,:./+-,___p_,'`
-if eval "test \"\${ac_cv_prog_make_${ac_make}_set+set}\" = set"; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.make <<\_ACEOF
-all:
-	@echo 'ac_maketemp="$(MAKE)"'
-_ACEOF
-# GNU make sometimes prints "make[1]: Entering...", which would confuse us.
-eval `${MAKE-make} -f conftest.make 2>/dev/null | grep temp=`
-if test -n "$ac_maketemp"; then
-  eval ac_cv_prog_make_${ac_make}_set=yes
-else
-  eval ac_cv_prog_make_${ac_make}_set=no
-fi
-rm -f conftest.make
-fi
-if eval "test \"`echo '$ac_cv_prog_make_'${ac_make}_set`\" = yes"; then
-  echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-  SET_MAKE=
-else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-  SET_MAKE="MAKE=${MAKE-make}"
-fi
-
-rm -rf .tst 2>/dev/null
-mkdir .tst 2>/dev/null
-if test -d .tst; then
-  am__leading_dot=.
-else
-  am__leading_dot=_
-fi
-rmdir .tst 2>/dev/null
-
-# test to see if srcdir already configured
-if test "`cd $srcdir && pwd`" != "`pwd`" &&
-   test -f $srcdir/config.status; then
-  { { echo "$as_me:$LINENO: error: source directory already configured; run \"make distclean\" there first" >&5
-echo "$as_me: error: source directory already configured; run \"make distclean\" there first" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-# test whether we have cygpath
-if test -z "$CYGPATH_W"; then
-  if (cygpath --version) >/dev/null 2>/dev/null; then
-    CYGPATH_W='cygpath -w'
-  else
-    CYGPATH_W=echo
-  fi
-fi
-
-
-# Define the identity of the package.
- PACKAGE='heimdal'
- VERSION='0.6.3'
-
-
-cat >>confdefs.h <<_ACEOF
-#define PACKAGE "$PACKAGE"
-_ACEOF
-
-
-cat >>confdefs.h <<_ACEOF
-#define VERSION "$VERSION"
-_ACEOF
-
-# Some tools Automake needs.
-
-ACLOCAL=${ACLOCAL-"${am_missing_run}aclocal-${am__api_version}"}
-
-
-AUTOCONF=${AUTOCONF-"${am_missing_run}autoconf"}
-
-
-AUTOMAKE=${AUTOMAKE-"${am_missing_run}automake-${am__api_version}"}
-
-
-AUTOHEADER=${AUTOHEADER-"${am_missing_run}autoheader"}
-
-
-MAKEINFO=${MAKEINFO-"${am_missing_run}makeinfo"}
-
-
-AMTAR=${AMTAR-"${am_missing_run}tar"}
-
-install_sh=${install_sh-"$am_aux_dir/install-sh"}
-
-# Installed binaries are usually stripped using `strip' when the user
-# run `make install-strip'.  However `strip' might not be the right
-# tool to use in cross-compilation environments, therefore Automake
-# will honor the `STRIP' environment variable to overrule this program.
-if test "$cross_compiling" != no; then
-  if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
-set dummy ${ac_tool_prefix}strip; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_STRIP+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$STRIP"; then
-  ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_prog_STRIP="${ac_tool_prefix}strip"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-
-fi
-fi
-STRIP=$ac_cv_prog_STRIP
-if test -n "$STRIP"; then
-  echo "$as_me:$LINENO: result: $STRIP" >&5
-echo "${ECHO_T}$STRIP" >&6
-else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-fi
-if test -z "$ac_cv_prog_STRIP"; then
-  ac_ct_STRIP=$STRIP
-  # Extract the first word of "strip", so it can be a program name with args.
-set dummy strip; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$ac_ct_STRIP"; then
-  ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_prog_ac_ct_STRIP="strip"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-
-  test -z "$ac_cv_prog_ac_ct_STRIP" && ac_cv_prog_ac_ct_STRIP=":"
-fi
-fi
-ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP
-if test -n "$ac_ct_STRIP"; then
-  echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5
-echo "${ECHO_T}$ac_ct_STRIP" >&6
-else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-  STRIP=$ac_ct_STRIP
-else
-  STRIP="$ac_cv_prog_STRIP"
-fi
-
-fi
-INSTALL_STRIP_PROGRAM="\${SHELL} \$(install_sh) -c -s"
-
-# We need awk for the "check" target.  The system "awk" is bad on
-# some platforms.
-
-
-
-echo "$as_me:$LINENO: checking whether to enable maintainer-specific portions of Makefiles" >&5
-echo $ECHO_N "checking whether to enable maintainer-specific portions of Makefiles... $ECHO_C" >&6
-    # Check whether --enable-maintainer-mode or --disable-maintainer-mode was given.
-if test "${enable_maintainer_mode+set}" = set; then
-  enableval="$enable_maintainer_mode"
-  USE_MAINTAINER_MODE=$enableval
-else
-  USE_MAINTAINER_MODE=no
-fi;
-  echo "$as_me:$LINENO: result: $USE_MAINTAINER_MODE" >&5
-echo "${ECHO_T}$USE_MAINTAINER_MODE" >&6
-
-
-if test $USE_MAINTAINER_MODE = yes; then
-  MAINTAINER_MODE_TRUE=
-  MAINTAINER_MODE_FALSE='#'
-else
-  MAINTAINER_MODE_TRUE='#'
-  MAINTAINER_MODE_FALSE=
-fi
-
-  MAINT=$MAINTAINER_MODE_TRUE
-
-
-
-
 
 test "$sysconfdir" = '${prefix}/etc' && sysconfdir='/etc'
 test "$localstatedir" = '${prefix}/var' && localstatedir='/var/heimdal'
 
 # Make sure we can run config.sub.
-$ac_config_sub sun4 >/dev/null 2>&1 ||
-  { { echo "$as_me:$LINENO: error: cannot run $ac_config_sub" >&5
-echo "$as_me: error: cannot run $ac_config_sub" >&2;}
+$SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 ||
+  { { echo "$as_me:$LINENO: error: cannot run $SHELL $ac_aux_dir/config.sub" >&5
+echo "$as_me: error: cannot run $SHELL $ac_aux_dir/config.sub" >&2;}
    { (exit 1); exit 1; }; }
 
-echo "$as_me:$LINENO: checking build system type" >&5
-echo $ECHO_N "checking build system type... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking build system type" >&5
+echo $ECHO_N "checking build system type... $ECHO_C" >&6; }
 if test "${ac_cv_build+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  ac_cv_build_alias=$build_alias
-test -z "$ac_cv_build_alias" &&
-  ac_cv_build_alias=`$ac_config_guess`
-test -z "$ac_cv_build_alias" &&
+  ac_build_alias=$build_alias
+test "x$ac_build_alias" = x &&
+  ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"`
+test "x$ac_build_alias" = x &&
   { { echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5
 echo "$as_me: error: cannot guess build type; you must specify one" >&2;}
    { (exit 1); exit 1; }; }
-ac_cv_build=`$ac_config_sub $ac_cv_build_alias` ||
-  { { echo "$as_me:$LINENO: error: $ac_config_sub $ac_cv_build_alias failed" >&5
-echo "$as_me: error: $ac_config_sub $ac_cv_build_alias failed" >&2;}
+ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` ||
+  { { echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&5
+echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&2;}
    { (exit 1); exit 1; }; }
 
 fi
-echo "$as_me:$LINENO: result: $ac_cv_build" >&5
-echo "${ECHO_T}$ac_cv_build" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_build" >&5
+echo "${ECHO_T}$ac_cv_build" >&6; }
+case $ac_cv_build in
+*-*-*) ;;
+*) { { echo "$as_me:$LINENO: error: invalid value of canonical build" >&5
+echo "$as_me: error: invalid value of canonical build" >&2;}
+   { (exit 1); exit 1; }; };;
+esac
 build=$ac_cv_build
-build_cpu=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
-build_vendor=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
-build_os=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
-
-
-echo "$as_me:$LINENO: checking host system type" >&5
-echo $ECHO_N "checking host system type... $ECHO_C" >&6
+ac_save_IFS=$IFS; IFS='-'
+set x $ac_cv_build
+shift
+build_cpu=$1
+build_vendor=$2
+shift; shift
+# Remember, the first character of IFS is used to create $*,
+# except with old shells:
+build_os=$*
+IFS=$ac_save_IFS
+case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac
+
+
+{ echo "$as_me:$LINENO: checking host system type" >&5
+echo $ECHO_N "checking host system type... $ECHO_C" >&6; }
 if test "${ac_cv_host+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  ac_cv_host_alias=$host_alias
-test -z "$ac_cv_host_alias" &&
-  ac_cv_host_alias=$ac_cv_build_alias
-ac_cv_host=`$ac_config_sub $ac_cv_host_alias` ||
-  { { echo "$as_me:$LINENO: error: $ac_config_sub $ac_cv_host_alias failed" >&5
-echo "$as_me: error: $ac_config_sub $ac_cv_host_alias failed" >&2;}
+  if test "x$host_alias" = x; then
+  ac_cv_host=$ac_cv_build
+else
+  ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` ||
+    { { echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&5
+echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&2;}
    { (exit 1); exit 1; }; }
+fi
 
 fi
-echo "$as_me:$LINENO: result: $ac_cv_host" >&5
-echo "${ECHO_T}$ac_cv_host" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_host" >&5
+echo "${ECHO_T}$ac_cv_host" >&6; }
+case $ac_cv_host in
+*-*-*) ;;
+*) { { echo "$as_me:$LINENO: error: invalid value of canonical host" >&5
+echo "$as_me: error: invalid value of canonical host" >&2;}
+   { (exit 1); exit 1; }; };;
+esac
 host=$ac_cv_host
-host_cpu=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
-host_vendor=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
-host_os=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
+ac_save_IFS=$IFS; IFS='-'
+set x $ac_cv_host
+shift
+host_cpu=$1
+host_vendor=$2
+shift; shift
+# Remember, the first character of IFS is used to create $*,
+# except with old shells:
+host_os=$*
+IFS=$ac_save_IFS
+case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac
 
 
 CANONICAL_HOST=$host
 
 
 
-# Check whether --enable-largefile or --disable-largefile was given.
+
+
+
+	{ echo "$as_me:$LINENO: autobuild project... ${PACKAGE_NAME:-$PACKAGE}" >&5
+echo "$as_me: autobuild project... ${PACKAGE_NAME:-$PACKAGE}" >&6;}
+	{ echo "$as_me:$LINENO: autobuild revision... ${PACKAGE_VERSION:-$VERSION}" >&5
+echo "$as_me: autobuild revision... ${PACKAGE_VERSION:-$VERSION}" >&6;}
+	hostname=`hostname`
+	if test "$hostname"; then
+	   { echo "$as_me:$LINENO: autobuild hostname... $hostname" >&5
+echo "$as_me: autobuild hostname... $hostname" >&6;}
+	fi
+
+	date=`date +%Y%m%d-%H%M%S`
+	if test "$?" != 0; then
+	   date=`date`
+	fi
+	if test "$date"; then
+	   { echo "$as_me:$LINENO: autobuild timestamp... $date" >&5
+echo "$as_me: autobuild timestamp... $date" >&6;}
+	fi
+
+
+
+# Check whether --enable-largefile was given.
 if test "${enable_largefile+set}" = set; then
-  enableval="$enable_largefile"
+  enableval=$enable_largefile;
+fi
 
-fi;
 if test "$enable_largefile" != no; then
 
-  echo "$as_me:$LINENO: checking for special C compiler options needed for large files" >&5
-echo $ECHO_N "checking for special C compiler options needed for large files... $ECHO_C" >&6
+  { echo "$as_me:$LINENO: checking for special C compiler options needed for large files" >&5
+echo $ECHO_N "checking for special C compiler options needed for large files... $ECHO_C" >&6; }
 if test "${ac_cv_sys_largefile_CC+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -3253,8 +4058,8 @@ else
      if test "$GCC" != yes; then
        ac_save_CC=$CC
        while :; do
-     	 # IRIX 6.2 and later do not support large files by default,
-     	 # so use the C compiler's -n32 option if that helps.
+	 # IRIX 6.2 and later do not support large files by default,
+	 # so use the C compiler's -n32 option if that helps.
 	 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -3278,84 +4083,77 @@ main ()
   return 0;
 }
 _ACEOF
-     	 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+	 rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext
-     	 CC="$CC -n32"
-     	 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+
+rm -f core conftest.err conftest.$ac_objext
+	 CC="$CC -n32"
+	 rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_sys_largefile_CC=' -n32'; break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext
+
+rm -f core conftest.err conftest.$ac_objext
 	 break
        done
        CC=$ac_save_CC
        rm -f conftest.$ac_ext
     fi
 fi
-echo "$as_me:$LINENO: result: $ac_cv_sys_largefile_CC" >&5
-echo "${ECHO_T}$ac_cv_sys_largefile_CC" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_sys_largefile_CC" >&5
+echo "${ECHO_T}$ac_cv_sys_largefile_CC" >&6; }
   if test "$ac_cv_sys_largefile_CC" != no; then
     CC=$CC$ac_cv_sys_largefile_CC
   fi
 
-  echo "$as_me:$LINENO: checking for _FILE_OFFSET_BITS value needed for large files" >&5
-echo $ECHO_N "checking for _FILE_OFFSET_BITS value needed for large files... $ECHO_C" >&6
+  { echo "$as_me:$LINENO: checking for _FILE_OFFSET_BITS value needed for large files" >&5
+echo $ECHO_N "checking for _FILE_OFFSET_BITS value needed for large files... $ECHO_C" >&6; }
 if test "${ac_cv_sys_file_offset_bits+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   while :; do
-  ac_cv_sys_file_offset_bits=no
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -3380,34 +4178,31 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  break
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_sys_file_offset_bits=no; break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -3433,54 +4228,53 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_sys_file_offset_bits=64; break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  ac_cv_sys_file_offset_bits=unknown
   break
 done
 fi
-echo "$as_me:$LINENO: result: $ac_cv_sys_file_offset_bits" >&5
-echo "${ECHO_T}$ac_cv_sys_file_offset_bits" >&6
-if test "$ac_cv_sys_file_offset_bits" != no; then
-
+{ echo "$as_me:$LINENO: result: $ac_cv_sys_file_offset_bits" >&5
+echo "${ECHO_T}$ac_cv_sys_file_offset_bits" >&6; }
+case $ac_cv_sys_file_offset_bits in #(
+  no | unknown) ;;
+  *)
 cat >>confdefs.h <<_ACEOF
 #define _FILE_OFFSET_BITS $ac_cv_sys_file_offset_bits
 _ACEOF
-
-fi
+;;
+esac
 rm -f conftest*
-  echo "$as_me:$LINENO: checking for _LARGE_FILES value needed for large files" >&5
-echo $ECHO_N "checking for _LARGE_FILES value needed for large files... $ECHO_C" >&6
+  if test $ac_cv_sys_file_offset_bits = unknown; then
+    { echo "$as_me:$LINENO: checking for _LARGE_FILES value needed for large files" >&5
+echo $ECHO_N "checking for _LARGE_FILES value needed for large files... $ECHO_C" >&6; }
 if test "${ac_cv_sys_large_files+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   while :; do
-  ac_cv_sys_large_files=no
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -3505,34 +4299,31 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  break
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_sys_large_files=no; break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -3558,52 +4349,57 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_sys_large_files=1; break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  ac_cv_sys_large_files=unknown
   break
 done
 fi
-echo "$as_me:$LINENO: result: $ac_cv_sys_large_files" >&5
-echo "${ECHO_T}$ac_cv_sys_large_files" >&6
-if test "$ac_cv_sys_large_files" != no; then
-
+{ echo "$as_me:$LINENO: result: $ac_cv_sys_large_files" >&5
+echo "${ECHO_T}$ac_cv_sys_large_files" >&6; }
+case $ac_cv_sys_large_files in #(
+  no | unknown) ;;
+  *)
 cat >>confdefs.h <<_ACEOF
 #define _LARGE_FILES $ac_cv_sys_large_files
 _ACEOF
-
-fi
+;;
+esac
 rm -f conftest*
+  fi
 fi
 
+
 if test "$enable_largefile" != no -a "$ac_cv_sys_large_files" != no; then
 	CPPFLAGS="$CPPFLAGS -D_LARGE_FILES=$ac_cv_sys_large_files"
 fi
+if test "$enable_largefile" != no -a "$ac_cv_sys_file_offset_bits" != no; then
+	CPPFLAGS="$CPPFLAGS -D_FILE_OFFSET_BITS=$ac_cv_sys_file_offset_bits"
+fi
+
 
 
 cat >>confdefs.h <<\_ACEOF
@@ -3618,8 +4414,8 @@ for ac_prog in 'bison -y' byacc
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_YACC+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -3632,25 +4428,27 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_YACC="$ac_prog"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
 fi
 fi
 YACC=$ac_cv_prog_YACC
 if test -n "$YACC"; then
-  echo "$as_me:$LINENO: result: $YACC" >&5
-echo "${ECHO_T}$YACC" >&6
+  { echo "$as_me:$LINENO: result: $YACC" >&5
+echo "${ECHO_T}$YACC" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
+
   test -n "$YACC" && break
 done
 test -n "$YACC" || YACC="yacc"
@@ -3659,8 +4457,8 @@ for ac_prog in flex lex
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_LEX+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -3673,253 +4471,182 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_LEX="$ac_prog"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
 fi
 fi
 LEX=$ac_cv_prog_LEX
 if test -n "$LEX"; then
-  echo "$as_me:$LINENO: result: $LEX" >&5
-echo "${ECHO_T}$LEX" >&6
+  { echo "$as_me:$LINENO: result: $LEX" >&5
+echo "${ECHO_T}$LEX" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
+
   test -n "$LEX" && break
 done
 test -n "$LEX" || LEX=":"
 
-if test -z "$LEXLIB"
-then
-  echo "$as_me:$LINENO: checking for yywrap in -lfl" >&5
-echo $ECHO_N "checking for yywrap in -lfl... $ECHO_C" >&6
-if test "${ac_cv_lib_fl_yywrap+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lfl  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
+if test "x$LEX" != "x:"; then
+  cat >conftest.l <<_ACEOF
+%%
+a { ECHO; }
+b { REJECT; }
+c { yymore (); }
+d { yyless (1); }
+e { yyless (input () != 0); }
+f { unput (yytext[0]); }
+. { BEGIN INITIAL; }
+%%
+#ifdef YYTEXT_POINTER
+extern char *yytext;
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char yywrap ();
 int
-main ()
+main (void)
 {
-yywrap ();
-  ;
-  return 0;
+  return ! yylex () + ! yywrap ();
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+{ (ac_try="$LEX conftest.l"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$LEX conftest.l") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_lib_fl_yywrap=yes
+  (exit $ac_status); }
+{ echo "$as_me:$LINENO: checking lex output file root" >&5
+echo $ECHO_N "checking lex output file root... $ECHO_C" >&6; }
+if test "${ac_cv_prog_lex_root+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_lib_fl_yywrap=no
+if test -f lex.yy.c; then
+  ac_cv_prog_lex_root=lex.yy
+elif test -f lexyy.c; then
+  ac_cv_prog_lex_root=lexyy
+else
+  { { echo "$as_me:$LINENO: error: cannot find output from $LEX; giving up" >&5
+echo "$as_me: error: cannot find output from $LEX; giving up" >&2;}
+   { (exit 1); exit 1; }; }
 fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_fl_yywrap" >&5
-echo "${ECHO_T}$ac_cv_lib_fl_yywrap" >&6
-if test $ac_cv_lib_fl_yywrap = yes; then
-  LEXLIB="-lfl"
-else
-  echo "$as_me:$LINENO: checking for yywrap in -ll" >&5
-echo $ECHO_N "checking for yywrap in -ll... $ECHO_C" >&6
-if test "${ac_cv_lib_l_yywrap+set}" = set; then
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_lex_root" >&5
+echo "${ECHO_T}$ac_cv_prog_lex_root" >&6; }
+LEX_OUTPUT_ROOT=$ac_cv_prog_lex_root
+
+if test -z "${LEXLIB+set}"; then
+  { echo "$as_me:$LINENO: checking lex library" >&5
+echo $ECHO_N "checking lex library... $ECHO_C" >&6; }
+if test "${ac_cv_lib_lex+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ll  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char yywrap ();
-int
-main ()
-{
-yywrap ();
-  ;
-  return 0;
-}
+    ac_save_LIBS=$LIBS
+    ac_cv_lib_lex='none needed'
+    for ac_lib in '' -lfl -ll; do
+      LIBS="$ac_lib $ac_save_LIBS"
+      cat >conftest.$ac_ext <<_ACEOF
+`cat $LEX_OUTPUT_ROOT.c`
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_lib_l_yywrap=yes
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_lex=$ac_lib
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_lib_l_yywrap=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_l_yywrap" >&5
-echo "${ECHO_T}$ac_cv_lib_l_yywrap" >&6
-if test $ac_cv_lib_l_yywrap = yes; then
-  LEXLIB="-ll"
-fi
 
 fi
 
-fi
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+      test "$ac_cv_lib_lex" != 'none needed' && break
+    done
+    LIBS=$ac_save_LIBS
 
-if test "x$LEX" != "x:"; then
-  echo "$as_me:$LINENO: checking lex output file root" >&5
-echo $ECHO_N "checking lex output file root... $ECHO_C" >&6
-if test "${ac_cv_prog_lex_root+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  # The minimal lex program is just a single line: %%.  But some broken lexes
-# (Solaris, I think it was) want two %% lines, so accommodate them.
-cat >conftest.l <<_ACEOF
-%%
-%%
-_ACEOF
-{ (eval echo "$as_me:$LINENO: \"$LEX conftest.l\"") >&5
-  (eval $LEX conftest.l) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-if test -f lex.yy.c; then
-  ac_cv_prog_lex_root=lex.yy
-elif test -f lexyy.c; then
-  ac_cv_prog_lex_root=lexyy
-else
-  { { echo "$as_me:$LINENO: error: cannot find output from $LEX; giving up" >&5
-echo "$as_me: error: cannot find output from $LEX; giving up" >&2;}
-   { (exit 1); exit 1; }; }
 fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_lex" >&5
+echo "${ECHO_T}$ac_cv_lib_lex" >&6; }
+  test "$ac_cv_lib_lex" != 'none needed' && LEXLIB=$ac_cv_lib_lex
 fi
-echo "$as_me:$LINENO: result: $ac_cv_prog_lex_root" >&5
-echo "${ECHO_T}$ac_cv_prog_lex_root" >&6
-rm -f conftest.l
-LEX_OUTPUT_ROOT=$ac_cv_prog_lex_root
 
-echo "$as_me:$LINENO: checking whether yytext is a pointer" >&5
-echo $ECHO_N "checking whether yytext is a pointer... $ECHO_C" >&6
+
+{ echo "$as_me:$LINENO: checking whether yytext is a pointer" >&5
+echo $ECHO_N "checking whether yytext is a pointer... $ECHO_C" >&6; }
 if test "${ac_cv_prog_lex_yytext_pointer+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   # POSIX says lex can declare yytext either as a pointer or an array; the
-# default is implementation-dependent. Figure out which it is, since
+# default is implementation-dependent.  Figure out which it is, since
 # not all implementations provide the %pointer and %array declarations.
 ac_cv_prog_lex_yytext_pointer=no
-echo 'extern char *yytext;' >>$LEX_OUTPUT_ROOT.c
 ac_save_LIBS=$LIBS
-LIBS="$LIBS $LEXLIB"
+LIBS="$LEXLIB $ac_save_LIBS"
 cat >conftest.$ac_ext <<_ACEOF
+#define YYTEXT_POINTER 1
 `cat $LEX_OUTPUT_ROOT.c`
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_prog_lex_yytext_pointer=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_save_LIBS
-rm -f "${LEX_OUTPUT_ROOT}.c"
 
 fi
-echo "$as_me:$LINENO: result: $ac_cv_prog_lex_yytext_pointer" >&5
-echo "${ECHO_T}$ac_cv_prog_lex_yytext_pointer" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_lex_yytext_pointer" >&5
+echo "${ECHO_T}$ac_cv_prog_lex_yytext_pointer" >&6; }
 if test $ac_cv_prog_lex_yytext_pointer = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -3927,6 +4654,7 @@ cat >>confdefs.h <<\_ACEOF
 _ACEOF
 
 fi
+rm -f conftest.l $LEX_OUTPUT_ROOT.c
 
 fi
 if test "$LEX" = :; then
@@ -3936,8 +4664,8 @@ for ac_prog in gawk mawk nawk awk
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_AWK+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -3950,30 +4678,32 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_AWK="$ac_prog"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
 fi
 fi
 AWK=$ac_cv_prog_AWK
 if test -n "$AWK"; then
-  echo "$as_me:$LINENO: result: $AWK" >&5
-echo "${ECHO_T}$AWK" >&6
+  { echo "$as_me:$LINENO: result: $AWK" >&5
+echo "${ECHO_T}$AWK" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
+
   test -n "$AWK" && break
 done
 
-echo "$as_me:$LINENO: checking for ln -s or something else" >&5
-echo $ECHO_N "checking for ln -s or something else... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for ln -s or something else" >&5
+echo $ECHO_N "checking for ln -s or something else... $ECHO_C" >&6; }
 if test "${ac_cv_prog_LN_S+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -3993,17 +4723,17 @@ else
 fi
 fi
 LN_S="$ac_cv_prog_LN_S"
-echo "$as_me:$LINENO: result: $ac_cv_prog_LN_S" >&5
-echo "${ECHO_T}$ac_cv_prog_LN_S" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_LN_S" >&5
+echo "${ECHO_T}$ac_cv_prog_LN_S" >&6; }
 
 
 
 
-# Check whether --with-mips_abi or --without-mips_abi was given.
+# Check whether --with-mips_abi was given.
 if test "${with_mips_abi+set}" = set; then
-  withval="$with_mips_abi"
+  withval=$with_mips_abi;
+fi
 
-fi;
 
 case "$host_os" in
 irix*)
@@ -4030,9 +4760,9 @@ echo "$as_me: error: \"Invalid ABI specified\"" >&2;}
 esac
 if test -n "$abi" ; then
 ac_foo=krb_cv_gcc_`echo $abi | tr =- __`
-echo "$as_me:$LINENO: checking if $CC supports the $abi option" >&5
-echo $ECHO_N "checking if $CC supports the $abi option... $ECHO_C" >&6
-if eval "test \"\${$ac_foo+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking if $CC supports the $abi option" >&5
+echo $ECHO_N "checking if $CC supports the $abi option... $ECHO_C" >&6; }
+if { as_var=$ac_foo; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
 
@@ -4054,42 +4784,37 @@ int x;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval $ac_foo=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval $ac_foo=no
+	eval $ac_foo=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-CFLAGS="$save_CFLAGS"
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_extCFLAGS="$save_CFLAGS"
 
 fi
 
 ac_res=`eval echo \\\$$ac_foo`
-echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6
+{ echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test $ac_res = no; then
 # Try to figure out why that failed...
 case $abi in
@@ -4112,36 +4837,31 @@ int x;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_res=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_res=no
+	ac_res=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-	CLAGS="$save_CFLAGS"
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext	CLAGS="$save_CFLAGS"
 	if test $ac_res = yes; then
 		# New GCC
 		{ { echo "$as_me:$LINENO: error: $CC does not support the $with_mips_abi ABI" >&5
@@ -4185,8 +4905,8 @@ CC="$CC $abi"
 libdir="$libdir$abilibdirext"
 
 
-echo "$as_me:$LINENO: checking for __attribute__" >&5
-echo $ECHO_N "checking for __attribute__... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for __attribute__" >&5
+echo $ECHO_N "checking for __attribute__... $ECHO_C" >&6; }
 if test "${ac_cv___attribute__+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -4197,13 +4917,7 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-
 #include <stdlib.h>
-
-int
-main ()
-{
-
 static void foo(void) __attribute__ ((noreturn));
 
 static void
@@ -4212,40 +4926,33 @@ foo(void)
   exit(1);
 }
 
-  ;
-  return 0;
-}
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv___attribute__=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv___attribute__=no
+	ac_cv___attribute__=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
 if test "$ac_cv___attribute__" = "yes"; then
@@ -4255,14 +4962,13 @@ cat >>confdefs.h <<\_ACEOF
 _ACEOF
 
 fi
-echo "$as_me:$LINENO: result: $ac_cv___attribute__" >&5
-echo "${ECHO_T}$ac_cv___attribute__" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv___attribute__" >&5
+echo "${ECHO_T}$ac_cv___attribute__" >&6; }
 
 
-# Check whether --enable-shared or --disable-shared was given.
+# Check whether --enable-shared was given.
 if test "${enable_shared+set}" = set; then
-  enableval="$enable_shared"
-  p=${PACKAGE-default}
+  enableval=$enable_shared; p=${PACKAGE-default}
     case $enableval in
     yes) enable_shared=yes ;;
     no) enable_shared=no ;;
@@ -4280,13 +4986,13 @@ if test "${enable_shared+set}" = set; then
       ;;
     esac
 else
-  enable_shared=no
-fi;
+  enable_shared=yes
+fi
+
 
-# Check whether --enable-static or --disable-static was given.
+# Check whether --enable-static was given.
 if test "${enable_static+set}" = set; then
-  enableval="$enable_static"
-  p=${PACKAGE-default}
+  enableval=$enable_static; p=${PACKAGE-default}
     case $enableval in
     yes) enable_static=yes ;;
     no) enable_static=no ;;
@@ -4305,12 +5011,12 @@ if test "${enable_static+set}" = set; then
     esac
 else
   enable_static=yes
-fi;
+fi
+
 
-# Check whether --enable-fast-install or --disable-fast-install was given.
+# Check whether --enable-fast-install was given.
 if test "${enable_fast_install+set}" = set; then
-  enableval="$enable_fast_install"
-  p=${PACKAGE-default}
+  enableval=$enable_fast_install; p=${PACKAGE-default}
     case $enableval in
     yes) enable_fast_install=yes ;;
     no) enable_fast_install=no ;;
@@ -4329,10 +5035,11 @@ if test "${enable_fast_install+set}" = set; then
     esac
 else
   enable_fast_install=yes
-fi;
+fi
 
-echo "$as_me:$LINENO: checking for a sed that does not truncate output" >&5
-echo $ECHO_N "checking for a sed that does not truncate output... $ECHO_C" >&6
+
+{ echo "$as_me:$LINENO: checking for a sed that does not truncate output" >&5
+echo $ECHO_N "checking for a sed that does not truncate output... $ECHO_C" >&6; }
 if test "${lt_cv_path_SED+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -4356,7 +5063,7 @@ lt_ac_count=0
 # Add /usr/xpg4/bin/sed as it is typically found on Solaris
 # along with /bin/sed that truncates output.
 for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
-  test ! -f $lt_ac_sed && break
+  test ! -f $lt_ac_sed && continue
   cat /dev/null > conftest.in
   lt_ac_count=0
   echo $ECHO_N "0123456789$ECHO_C" >conftest.in
@@ -4381,41 +5088,188 @@ for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
     fi
   done
 done
+
+fi
+
 SED=$lt_cv_path_SED
+{ echo "$as_me:$LINENO: result: $SED" >&5
+echo "${ECHO_T}$SED" >&6; }
+
+{ echo "$as_me:$LINENO: checking for grep that handles long lines and -e" >&5
+echo $ECHO_N "checking for grep that handles long lines and -e... $ECHO_C" >&6; }
+if test "${ac_cv_path_GREP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  # Extract the first word of "grep ggrep" to use in msg output
+if test -z "$GREP"; then
+set dummy grep ggrep; ac_prog_name=$2
+if test "${ac_cv_path_GREP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_path_GREP_found=false
+# Loop through the user's path and test for each of PROGNAME-LIST
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_prog in grep ggrep; do
+  for ac_exec_ext in '' $ac_executable_extensions; do
+    ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
+    { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
+    # Check for GNU ac_path_GREP and select it if it is found.
+  # Check for GNU $ac_path_GREP
+case `"$ac_path_GREP" --version 2>&1` in
+*GNU*)
+  ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;;
+*)
+  ac_count=0
+  echo $ECHO_N "0123456789$ECHO_C" >"conftest.in"
+  while :
+  do
+    cat "conftest.in" "conftest.in" >"conftest.tmp"
+    mv "conftest.tmp" "conftest.in"
+    cp "conftest.in" "conftest.nl"
+    echo 'GREP' >> "conftest.nl"
+    "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break
+    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
+    ac_count=`expr $ac_count + 1`
+    if test $ac_count -gt ${ac_path_GREP_max-0}; then
+      # Best one so far, save it but keep looking for a better one
+      ac_cv_path_GREP="$ac_path_GREP"
+      ac_path_GREP_max=$ac_count
+    fi
+    # 10*(2^10) chars as input seems more than enough
+    test $ac_count -gt 10 && break
+  done
+  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
+esac
+
+
+    $ac_path_GREP_found && break 3
+  done
+done
+
+done
+IFS=$as_save_IFS
+
 
 fi
 
-echo "$as_me:$LINENO: result: $SED" >&5
-echo "${ECHO_T}$SED" >&6
+GREP="$ac_cv_path_GREP"
+if test -z "$GREP"; then
+  { { echo "$as_me:$LINENO: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
+echo "$as_me: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+else
+  ac_cv_path_GREP=$GREP
+fi
+
+
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_path_GREP" >&5
+echo "${ECHO_T}$ac_cv_path_GREP" >&6; }
+ GREP="$ac_cv_path_GREP"
 
-echo "$as_me:$LINENO: checking for egrep" >&5
-echo $ECHO_N "checking for egrep... $ECHO_C" >&6
-if test "${ac_cv_prog_egrep+set}" = set; then
+
+{ echo "$as_me:$LINENO: checking for egrep" >&5
+echo $ECHO_N "checking for egrep... $ECHO_C" >&6; }
+if test "${ac_cv_path_EGREP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
+   then ac_cv_path_EGREP="$GREP -E"
+   else
+     # Extract the first word of "egrep" to use in msg output
+if test -z "$EGREP"; then
+set dummy egrep; ac_prog_name=$2
+if test "${ac_cv_path_EGREP+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  if echo a | (grep -E '(a|b)') >/dev/null 2>&1
-    then ac_cv_prog_egrep='grep -E'
-    else ac_cv_prog_egrep='egrep'
+  ac_path_EGREP_found=false
+# Loop through the user's path and test for each of PROGNAME-LIST
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_prog in egrep; do
+  for ac_exec_ext in '' $ac_executable_extensions; do
+    ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
+    { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
+    # Check for GNU ac_path_EGREP and select it if it is found.
+  # Check for GNU $ac_path_EGREP
+case `"$ac_path_EGREP" --version 2>&1` in
+*GNU*)
+  ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;;
+*)
+  ac_count=0
+  echo $ECHO_N "0123456789$ECHO_C" >"conftest.in"
+  while :
+  do
+    cat "conftest.in" "conftest.in" >"conftest.tmp"
+    mv "conftest.tmp" "conftest.in"
+    cp "conftest.in" "conftest.nl"
+    echo 'EGREP' >> "conftest.nl"
+    "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break
+    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
+    ac_count=`expr $ac_count + 1`
+    if test $ac_count -gt ${ac_path_EGREP_max-0}; then
+      # Best one so far, save it but keep looking for a better one
+      ac_cv_path_EGREP="$ac_path_EGREP"
+      ac_path_EGREP_max=$ac_count
     fi
+    # 10*(2^10) chars as input seems more than enough
+    test $ac_count -gt 10 && break
+  done
+  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
+esac
+
+
+    $ac_path_EGREP_found && break 3
+  done
+done
+
+done
+IFS=$as_save_IFS
+
+
+fi
+
+EGREP="$ac_cv_path_EGREP"
+if test -z "$EGREP"; then
+  { { echo "$as_me:$LINENO: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
+echo "$as_me: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+else
+  ac_cv_path_EGREP=$EGREP
 fi
-echo "$as_me:$LINENO: result: $ac_cv_prog_egrep" >&5
-echo "${ECHO_T}$ac_cv_prog_egrep" >&6
- EGREP=$ac_cv_prog_egrep
 
 
+   fi
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_path_EGREP" >&5
+echo "${ECHO_T}$ac_cv_path_EGREP" >&6; }
+ EGREP="$ac_cv_path_EGREP"
+
 
-# Check whether --with-gnu-ld or --without-gnu-ld was given.
+
+# Check whether --with-gnu-ld was given.
 if test "${with_gnu_ld+set}" = set; then
-  withval="$with_gnu_ld"
-  test "$withval" = no || with_gnu_ld=yes
+  withval=$with_gnu_ld; test "$withval" = no || with_gnu_ld=yes
 else
   with_gnu_ld=no
-fi;
+fi
+
 ac_prog=ld
 if test "$GCC" = yes; then
   # Check if gcc -print-prog-name=ld gives a path.
-  echo "$as_me:$LINENO: checking for ld used by $CC" >&5
-echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6
+  { echo "$as_me:$LINENO: checking for ld used by $CC" >&5
+echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6; }
   case $host in
   *-*-mingw*)
     # gcc leaves a trailing carriage return which upsets mingw
@@ -4444,11 +5298,11 @@ echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6
     ;;
   esac
 elif test "$with_gnu_ld" = yes; then
-  echo "$as_me:$LINENO: checking for GNU ld" >&5
-echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6
+  { echo "$as_me:$LINENO: checking for GNU ld" >&5
+echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6; }
 else
-  echo "$as_me:$LINENO: checking for non-GNU ld" >&5
-echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6
+  { echo "$as_me:$LINENO: checking for non-GNU ld" >&5
+echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6; }
 fi
 if test "${lt_cv_path_LD+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -4461,7 +5315,7 @@ else
     if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
       lt_cv_path_LD="$ac_dir/$ac_prog"
       # Check to see if the program is GNU ld.  I'd rather use --version,
-      # but apparently some GNU ld's only accept -v.
+      # but apparently some variants of GNU ld only accept -v.
       # Break only if it was the GNU/non-GNU ld that we prefer.
       case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
       *GNU* | *'with BFD'*)
@@ -4481,21 +5335,21 @@ fi
 
 LD="$lt_cv_path_LD"
 if test -n "$LD"; then
-  echo "$as_me:$LINENO: result: $LD" >&5
-echo "${ECHO_T}$LD" >&6
+  { echo "$as_me:$LINENO: result: $LD" >&5
+echo "${ECHO_T}$LD" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 test -z "$LD" && { { echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5
 echo "$as_me: error: no acceptable ld found in \$PATH" >&2;}
    { (exit 1); exit 1; }; }
-echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5
-echo $ECHO_N "checking if the linker ($LD) is GNU ld... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5
+echo $ECHO_N "checking if the linker ($LD) is GNU ld... $ECHO_C" >&6; }
 if test "${lt_cv_prog_gnu_ld+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  # I'd rather use --version here, but apparently some GNU ld's only accept -v.
+  # I'd rather use --version here, but apparently some GNU lds only accept -v.
 case `$LD -v 2>&1 </dev/null` in
 *GNU* | *'with BFD'*)
   lt_cv_prog_gnu_ld=yes
@@ -4505,29 +5359,38 @@ case `$LD -v 2>&1 </dev/null` in
   ;;
 esac
 fi
-echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5
-echo "${ECHO_T}$lt_cv_prog_gnu_ld" >&6
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5
+echo "${ECHO_T}$lt_cv_prog_gnu_ld" >&6; }
 with_gnu_ld=$lt_cv_prog_gnu_ld
 
 
-echo "$as_me:$LINENO: checking for $LD option to reload object files" >&5
-echo $ECHO_N "checking for $LD option to reload object files... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $LD option to reload object files" >&5
+echo $ECHO_N "checking for $LD option to reload object files... $ECHO_C" >&6; }
 if test "${lt_cv_ld_reload_flag+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_ld_reload_flag='-r'
 fi
-echo "$as_me:$LINENO: result: $lt_cv_ld_reload_flag" >&5
-echo "${ECHO_T}$lt_cv_ld_reload_flag" >&6
+{ echo "$as_me:$LINENO: result: $lt_cv_ld_reload_flag" >&5
+echo "${ECHO_T}$lt_cv_ld_reload_flag" >&6; }
 reload_flag=$lt_cv_ld_reload_flag
 case $reload_flag in
 "" | " "*) ;;
 *) reload_flag=" $reload_flag" ;;
 esac
 reload_cmds='$LD$reload_flag -o $output$reload_objs'
+case $host_os in
+  darwin*)
+    if test "$GCC" = yes; then
+      reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs'
+    else
+      reload_cmds='$LD$reload_flag -o $output$reload_objs'
+    fi
+    ;;
+esac
 
-echo "$as_me:$LINENO: checking for BSD-compatible nm" >&5
-echo $ECHO_N "checking for BSD-compatible nm... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for BSD-compatible nm" >&5
+echo $ECHO_N "checking for BSD-compatible nm... $ECHO_C" >&6; }
 if test "${lt_cv_path_NM+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -4535,56 +5398,63 @@ else
   # Let the user override the test.
   lt_cv_path_NM="$NM"
 else
-  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-  for ac_dir in $PATH /usr/ccs/bin /usr/ucb /bin; do
-    IFS="$lt_save_ifs"
-    test -z "$ac_dir" && ac_dir=.
-    tmp_nm="$ac_dir/${ac_tool_prefix}nm"
-    if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then
-      # Check to see if the nm accepts a BSD-compat flag.
-      # Adding the `sed 1q' prevents false positives on HP-UX, which says:
-      #   nm: unknown option "B" ignored
-      # Tru64's nm complains that /dev/null is an invalid object file
-      case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in
-      */dev/null* | *'Invalid file or object type'*)
-	lt_cv_path_NM="$tmp_nm -B"
-	break
-        ;;
-      *)
-	case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in
-	*/dev/null*)
-	  lt_cv_path_NM="$tmp_nm -p"
+  lt_nm_to_check="${ac_tool_prefix}nm"
+  if test -n "$ac_tool_prefix" && test "$build" = "$host"; then
+    lt_nm_to_check="$lt_nm_to_check nm"
+  fi
+  for lt_tmp_nm in $lt_nm_to_check; do
+    lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+    for ac_dir in $PATH /usr/ccs/bin/elf /usr/ccs/bin /usr/ucb /bin; do
+      IFS="$lt_save_ifs"
+      test -z "$ac_dir" && ac_dir=.
+      tmp_nm="$ac_dir/$lt_tmp_nm"
+      if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then
+	# Check to see if the nm accepts a BSD-compat flag.
+	# Adding the `sed 1q' prevents false positives on HP-UX, which says:
+	#   nm: unknown option "B" ignored
+	# Tru64's nm complains that /dev/null is an invalid object file
+	case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in
+	*/dev/null* | *'Invalid file or object type'*)
+	  lt_cv_path_NM="$tmp_nm -B"
 	  break
 	  ;;
 	*)
-	  lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but
-	  continue # so that we can try to find one that supports BSD flags
+	  case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in
+	  */dev/null*)
+	    lt_cv_path_NM="$tmp_nm -p"
+	    break
+	    ;;
+	  *)
+	    lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but
+	    continue # so that we can try to find one that supports BSD flags
+	    ;;
+	  esac
 	  ;;
 	esac
-      esac
-    fi
+      fi
+    done
+    IFS="$lt_save_ifs"
   done
-  IFS="$lt_save_ifs"
   test -z "$lt_cv_path_NM" && lt_cv_path_NM=nm
 fi
 fi
-echo "$as_me:$LINENO: result: $lt_cv_path_NM" >&5
-echo "${ECHO_T}$lt_cv_path_NM" >&6
+{ echo "$as_me:$LINENO: result: $lt_cv_path_NM" >&5
+echo "${ECHO_T}$lt_cv_path_NM" >&6; }
 NM="$lt_cv_path_NM"
 
-echo "$as_me:$LINENO: checking whether ln -s works" >&5
-echo $ECHO_N "checking whether ln -s works... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether ln -s works" >&5
+echo $ECHO_N "checking whether ln -s works... $ECHO_C" >&6; }
 LN_S=$as_ln_s
 if test "$LN_S" = "ln -s"; then
-  echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 else
-  echo "$as_me:$LINENO: result: no, using $LN_S" >&5
-echo "${ECHO_T}no, using $LN_S" >&6
+  { echo "$as_me:$LINENO: result: no, using $LN_S" >&5
+echo "${ECHO_T}no, using $LN_S" >&6; }
 fi
 
-echo "$as_me:$LINENO: checking how to recognise dependent libraries" >&5
-echo $ECHO_N "checking how to recognise dependent libraries... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking how to recognise dependent libraries" >&5
+echo $ECHO_N "checking how to recognise dependent libraries... $ECHO_C" >&6; }
 if test "${lt_cv_deplibs_check_method+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -4611,21 +5481,21 @@ beos*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-bsdi4*)
+bsdi[45]*)
   lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib)'
   lt_cv_file_magic_cmd='/usr/bin/file -L'
   lt_cv_file_magic_test_file=/shlib/libc.so
   ;;
 
 cygwin*)
-  # win32_libid is a shell function defined in ltmain.sh
+  # func_win32_libid is a shell function defined in ltmain.sh
   lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
-  lt_cv_file_magic_cmd='win32_libid'
+  lt_cv_file_magic_cmd='func_win32_libid'
   ;;
 
 mingw* | pw32*)
   # Base MSYS/MinGW do not provide the 'file' command needed by
-  # win32_libid shell function, so use a weaker test based on 'objdump'.
+  # func_win32_libid shell function, so use a weaker test based on 'objdump'.
   lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
   lt_cv_file_magic_cmd='$OBJDUMP -f'
   ;;
@@ -4634,13 +5504,13 @@ darwin* | rhapsody*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-freebsd* | kfreebsd*-gnu)
+freebsd* | kfreebsd*-gnu | dragonfly*)
   if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
     case $host_cpu in
     i*86 )
       # Not sure whether the presence of OpenBSD here was a mistake.
       # Let's accept both of them until this is cleared up.
-      lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD)/i[3-9]86 (compact )?demand paged shared library'
+      lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[3-9]86 (compact )?demand paged shared library'
       lt_cv_file_magic_cmd=/usr/bin/file
       lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
       ;;
@@ -4656,7 +5526,7 @@ gnu*)
 
 hpux10.20* | hpux11*)
   lt_cv_file_magic_cmd=/usr/bin/file
-  case "$host_cpu" in
+  case $host_cpu in
   ia64*)
     lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - IA64'
     lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
@@ -4672,6 +5542,11 @@ hpux10.20* | hpux11*)
   esac
   ;;
 
+interix3*)
+  # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here
+  lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so|\.a)$'
+  ;;
+
 irix5* | irix6* | nonstopux*)
   case $LD in
   *-32|*"-32 ") libmagic=32-bit;;
@@ -4684,15 +5559,6 @@ irix5* | irix6* | nonstopux*)
 
 # This must be Linux ELF.
 linux*)
-  case $host_cpu in
-  alpha*|hppa*|i*86|ia64*|m68*|mips*|powerpc*|sparc*|s390*|sh*)
-    lt_cv_deplibs_check_method=pass_all ;;
-  *)
-    # glibc up to 2.1.1 does not perform some relocations on ARM
-    # this will be overridden with pass_all, but let us keep it just in case
-    lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )' ;;
-  esac
-  lt_cv_file_magic_test_file=`echo /lib/libc.so* /lib/libc-*.so`
   lt_cv_deplibs_check_method=pass_all
   ;;
 
@@ -4715,12 +5581,10 @@ nto-qnx*)
   ;;
 
 openbsd*)
-  lt_cv_file_magic_cmd=/usr/bin/file
-  lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
   if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-    lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB shared object'
+    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|\.so|_pic\.a)$'
   else
-    lt_cv_deplibs_check_method='file_magic OpenBSD.* shared library'
+    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
   fi
   ;;
 
@@ -4728,15 +5592,11 @@ osf3* | osf4* | osf5*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-sco3.2v5*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
 solaris*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+sysv4 | sysv4.3*)
   case $host_vendor in
   motorola)
     lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib) M[0-9][0-9]* Version [0-9]'
@@ -4757,17 +5617,20 @@ sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
   siemens)
     lt_cv_deplibs_check_method=pass_all
     ;;
+  pc)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
   esac
   ;;
 
-sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[78]* | unixware7* | sysv4*uw2*)
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 esac
 
 fi
-echo "$as_me:$LINENO: result: $lt_cv_deplibs_check_method" >&5
-echo "${ECHO_T}$lt_cv_deplibs_check_method" >&6
+{ echo "$as_me:$LINENO: result: $lt_cv_deplibs_check_method" >&5
+echo "${ECHO_T}$lt_cv_deplibs_check_method" >&6; }
 file_magic_cmd=$lt_cv_file_magic_cmd
 deplibs_check_method=$lt_cv_deplibs_check_method
 test -z "$deplibs_check_method" && deplibs_check_method=unknown
@@ -4776,14 +5639,17 @@ test -z "$deplibs_check_method" && deplibs_check_method=unknown
 # If no C compiler was specified, use CC.
 LTCC=${LTCC-"$CC"}
 
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
 # Allow CC to be a program name with arguments.
 compiler=$CC
 
-# Check whether --enable-libtool-lock or --disable-libtool-lock was given.
+# Check whether --enable-libtool-lock was given.
 if test "${enable_libtool_lock+set}" = set; then
-  enableval="$enable_libtool_lock"
+  enableval=$enable_libtool_lock;
+fi
 
-fi;
 test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
 
 # Some flags need to be propagated to the compiler or linker for good
@@ -4810,7 +5676,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 4813 "configure"' > conftest.$ac_ext
+  echo '#line 5679 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -4853,7 +5719,7 @@ x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*)
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
-    case "`/usr/bin/file conftest.o`" in
+    case `/usr/bin/file conftest.o` in
     *32-bit*)
       case $host in
         x86_64-*linux*)
@@ -4895,8 +5761,8 @@ x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*)
   # On SCO OpenServer 5, we need -belf to get full-featured binaries.
   SAVE_CFLAGS="$CFLAGS"
   CFLAGS="$CFLAGS -belf"
-  echo "$as_me:$LINENO: checking whether the C compiler needs -belf" >&5
-echo $ECHO_N "checking whether the C compiler needs -belf... $ECHO_C" >&6
+  { echo "$as_me:$LINENO: checking whether the C compiler needs -belf" >&5
+echo $ECHO_N "checking whether the C compiler needs -belf... $ECHO_C" >&6; }
 if test "${lt_cv_cc_needs_belf+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -4922,35 +5788,32 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   lt_cv_cc_needs_belf=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-lt_cv_cc_needs_belf=no
+	lt_cv_cc_needs_belf=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
      ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
@@ -4959,13 +5822,33 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 fi
-echo "$as_me:$LINENO: result: $lt_cv_cc_needs_belf" >&5
-echo "${ECHO_T}$lt_cv_cc_needs_belf" >&6
+{ echo "$as_me:$LINENO: result: $lt_cv_cc_needs_belf" >&5
+echo "${ECHO_T}$lt_cv_cc_needs_belf" >&6; }
   if test x"$lt_cv_cc_needs_belf" != x"yes"; then
     # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
     CFLAGS="$SAVE_CFLAGS"
   fi
   ;;
+sparc*-*solaris*)
+  # Find out which ABI we are using.
+  echo 'int i;' > conftest.$ac_ext
+  if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+    case `/usr/bin/file conftest.o` in
+    *64-bit*)
+      case $lt_cv_prog_gnu_ld in
+      yes*) LD="${LD-ld} -m elf64_sparc" ;;
+      *)    LD="${LD-ld} -64" ;;
+      esac
+      ;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+
 
 esac
 
@@ -4973,8 +5856,8 @@ need_locks="$enable_libtool_lock"
 
 
 
-echo "$as_me:$LINENO: checking for ANSI C header files" >&5
-echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for ANSI C header files" >&5
+echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6; }
 if test "${ac_cv_header_stdc+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -4998,35 +5881,31 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_header_stdc=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_header_stdc=no
+	ac_cv_header_stdc=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 if test $ac_cv_header_stdc = yes; then
   # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
@@ -5082,6 +5961,7 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <ctype.h>
+#include <stdlib.h>
 #if ((' ' & 0x0FF) == 0x020)
 # define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
 # define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
@@ -5101,18 +5981,27 @@ main ()
   for (i = 0; i < 256; i++)
     if (XOR (islower (i), ISLOWER (i))
 	|| toupper (i) != TOUPPER (i))
-      exit(2);
-  exit (0);
+      return 2;
+  return 0;
 }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
@@ -5125,12 +6014,14 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ( exit $ac_status )
 ac_cv_header_stdc=no
 fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
+
+
 fi
 fi
-echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
-echo "${ECHO_T}$ac_cv_header_stdc" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
+echo "${ECHO_T}$ac_cv_header_stdc" >&6; }
 if test $ac_cv_header_stdc = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -5153,9 +6044,9 @@ for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
 		  inttypes.h stdint.h unistd.h
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -5169,38 +6060,35 @@ $ac_includes_default
 #include <$ac_header>
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "$as_ac_Header=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_Header=no"
+	eval "$as_ac_Header=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_Header'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
@@ -5215,18 +6103,19 @@ done
 for ac_header in dlfcn.h
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -5237,41 +6126,37 @@ $ac_includes_default
 #include <$ac_header>
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_header_compiler=no
+	ac_header_compiler=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -5280,24 +6165,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <$ac_header>
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   ac_header_preproc=yes
 else
   echo "$as_me: failed program was:" >&5
@@ -5305,9 +6188,10 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
+
 rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
@@ -5331,25 +6215,24 @@ echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\
 echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
     { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-    (
-      cat <<\_ASBOX
-## -------------------------------------- ##
-## Report this to heimdal-bugs@pdc.kth.se ##
-## -------------------------------------- ##
+    ( cat <<\_ASBOX
+## ----------------------------------- ##
+## Report this to heimdal-bugs@h5l.org ##
+## ----------------------------------- ##
 _ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
+     ) | sed "s/^/$as_me: WARNING:     /" >&2
     ;;
 esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   eval "$as_ac_Header=\$ac_header_preproc"
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 
 fi
 if test `eval echo '${'$as_ac_Header'}'` = yes; then
@@ -5361,18 +6244,22 @@ fi
 
 done
 
-ac_ext=cc
+ac_ext=cpp
 ac_cpp='$CXXCPP $CPPFLAGS'
 ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
-if test -n "$ac_tool_prefix"; then
-  for ac_prog in $CCC g++ c++ gpp aCC CC cxx cc++ cl FCC KCC RCC xlC_r xlC
+if test -z "$CXX"; then
+  if test -n "$CCC"; then
+    CXX=$CCC
+  else
+    if test -n "$ac_tool_prefix"; then
+  for ac_prog in g++ c++ gpp aCC CC cxx cc++ cl.exe FCC KCC RCC xlC_r xlC
   do
     # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
 set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_CXX+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -5385,36 +6272,38 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_CXX="$ac_tool_prefix$ac_prog"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
 fi
 fi
 CXX=$ac_cv_prog_CXX
 if test -n "$CXX"; then
-  echo "$as_me:$LINENO: result: $CXX" >&5
-echo "${ECHO_T}$CXX" >&6
+  { echo "$as_me:$LINENO: result: $CXX" >&5
+echo "${ECHO_T}$CXX" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
+
     test -n "$CXX" && break
   done
 fi
 if test -z "$CXX"; then
   ac_ct_CXX=$CXX
-  for ac_prog in $CCC g++ c++ gpp aCC CC cxx cc++ cl FCC KCC RCC xlC_r xlC
+  for ac_prog in g++ c++ gpp aCC CC cxx cc++ cl.exe FCC KCC RCC xlC_r xlC
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_ac_ct_CXX+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -5427,55 +6316,85 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_CXX="$ac_prog"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
 fi
 fi
 ac_ct_CXX=$ac_cv_prog_ac_ct_CXX
 if test -n "$ac_ct_CXX"; then
-  echo "$as_me:$LINENO: result: $ac_ct_CXX" >&5
-echo "${ECHO_T}$ac_ct_CXX" >&6
+  { echo "$as_me:$LINENO: result: $ac_ct_CXX" >&5
+echo "${ECHO_T}$ac_ct_CXX" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
+
   test -n "$ac_ct_CXX" && break
 done
-test -n "$ac_ct_CXX" || ac_ct_CXX="g++"
 
-  CXX=$ac_ct_CXX
+  if test "x$ac_ct_CXX" = x; then
+    CXX="g++"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    CXX=$ac_ct_CXX
+  fi
 fi
 
-
+  fi
+fi
 # Provide some information about the compiler.
-echo "$as_me:$LINENO:" \
-     "checking for C++ compiler version" >&5
+echo "$as_me:$LINENO: checking for C++ compiler version" >&5
 ac_compiler=`set X $ac_compile; echo $2`
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5
-  (eval $ac_compiler --version </dev/null >&5) 2>&5
+{ (ac_try="$ac_compiler --version >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compiler --version >&5") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler -v </dev/null >&5\"") >&5
-  (eval $ac_compiler -v </dev/null >&5) 2>&5
+{ (ac_try="$ac_compiler -v >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compiler -v >&5") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler -V </dev/null >&5\"") >&5
-  (eval $ac_compiler -V </dev/null >&5) 2>&5
+{ (ac_try="$ac_compiler -V >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compiler -V >&5") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
 
-echo "$as_me:$LINENO: checking whether we are using the GNU C++ compiler" >&5
-echo $ECHO_N "checking whether we are using the GNU C++ compiler... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether we are using the GNU C++ compiler" >&5
+echo $ECHO_N "checking whether we are using the GNU C++ compiler... $ECHO_C" >&6; }
 if test "${ac_cv_cxx_compiler_gnu+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -5498,50 +6417,49 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_cxx_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_cxx_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_compiler_gnu=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_compiler_gnu=no
+	ac_compiler_gnu=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 ac_cv_cxx_compiler_gnu=$ac_compiler_gnu
 
 fi
-echo "$as_me:$LINENO: result: $ac_cv_cxx_compiler_gnu" >&5
-echo "${ECHO_T}$ac_cv_cxx_compiler_gnu" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_cxx_compiler_gnu" >&5
+echo "${ECHO_T}$ac_cv_cxx_compiler_gnu" >&6; }
 GXX=`test $ac_compiler_gnu = yes && echo yes`
 ac_test_CXXFLAGS=${CXXFLAGS+set}
 ac_save_CXXFLAGS=$CXXFLAGS
-CXXFLAGS="-g"
-echo "$as_me:$LINENO: checking whether $CXX accepts -g" >&5
-echo $ECHO_N "checking whether $CXX accepts -g... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether $CXX accepts -g" >&5
+echo $ECHO_N "checking whether $CXX accepts -g... $ECHO_C" >&6; }
 if test "${ac_cv_prog_cxx_g+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat >conftest.$ac_ext <<_ACEOF
+  ac_save_cxx_werror_flag=$ac_cxx_werror_flag
+   ac_cxx_werror_flag=yes
+   ac_cv_prog_cxx_g=no
+   CXXFLAGS="-g"
+   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
@@ -5557,172 +6475,151 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_cxx_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_cxx_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_prog_cxx_g=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_prog_cxx_g=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_prog_cxx_g" >&5
-echo "${ECHO_T}$ac_cv_prog_cxx_g" >&6
-if test "$ac_test_CXXFLAGS" = set; then
-  CXXFLAGS=$ac_save_CXXFLAGS
-elif test $ac_cv_prog_cxx_g = yes; then
-  if test "$GXX" = yes; then
-    CXXFLAGS="-g -O2"
-  else
-    CXXFLAGS="-g"
-  fi
-else
-  if test "$GXX" = yes; then
-    CXXFLAGS="-O2"
-  else
-    CXXFLAGS=
-  fi
-fi
-for ac_declaration in \
-   '' \
-   'extern "C" void std::exit (int) throw (); using std::exit;' \
-   'extern "C" void std::exit (int); using std::exit;' \
-   'extern "C" void exit (int) throw ();' \
-   'extern "C" void exit (int);' \
-   'void exit (int);'
-do
-  cat >conftest.$ac_ext <<_ACEOF
+	CXXFLAGS=""
+      cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-$ac_declaration
-#include <stdlib.h>
+
 int
 main ()
 {
-exit (42);
+
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_cxx_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_cxx_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   :
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-continue
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-  cat >conftest.$ac_ext <<_ACEOF
+	ac_cxx_werror_flag=$ac_save_cxx_werror_flag
+	 CXXFLAGS="-g"
+	 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-$ac_declaration
+
 int
 main ()
 {
-exit (42);
+
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_cxx_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  break
+  (exit $ac_status); } && {
+	 test -z "$ac_cxx_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_prog_cxx_g=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-done
-rm -f conftest*
-if test -n "$ac_declaration"; then
-  echo '#ifdef __cplusplus' >>confdefs.h
-  echo $ac_declaration      >>confdefs.h
-  echo '#endif'             >>confdefs.h
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
-ac_ext=cc
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+   ac_cxx_werror_flag=$ac_save_cxx_werror_flag
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_cxx_g" >&5
+echo "${ECHO_T}$ac_cv_prog_cxx_g" >&6; }
+if test "$ac_test_CXXFLAGS" = set; then
+  CXXFLAGS=$ac_save_CXXFLAGS
+elif test $ac_cv_prog_cxx_g = yes; then
+  if test "$GXX" = yes; then
+    CXXFLAGS="-g -O2"
+  else
+    CXXFLAGS="-g"
+  fi
+else
+  if test "$GXX" = yes; then
+    CXXFLAGS="-O2"
+  else
+    CXXFLAGS=
+  fi
+fi
+ac_ext=cpp
 ac_cpp='$CXXCPP $CPPFLAGS'
 ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
 
-ac_ext=cc
+
+
+if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
+    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
+    (test "X$CXX" != "Xg++"))) ; then
+  ac_ext=cpp
 ac_cpp='$CXXCPP $CPPFLAGS'
 ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
-echo "$as_me:$LINENO: checking how to run the C++ preprocessor" >&5
-echo $ECHO_N "checking how to run the C++ preprocessor... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking how to run the C++ preprocessor" >&5
+echo $ECHO_N "checking how to run the C++ preprocessor... $ECHO_C" >&6; }
 if test -z "$CXXCPP"; then
   if test "${ac_cv_prog_CXXCPP+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -5752,24 +6649,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 #endif
 		     Syntax error
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_cxx_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_cxx_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   :
 else
   echo "$as_me: failed program was:" >&5
@@ -5778,9 +6673,10 @@ sed 's/^/| /' conftest.$ac_ext >&5
   # Broken: fails on valid input.
 continue
 fi
+
 rm -f conftest.err conftest.$ac_ext
 
-  # OK, works on sane cases.  Now check whether non-existent headers
+  # OK, works on sane cases.  Now check whether nonexistent headers
   # can be detected and how.
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -5790,24 +6686,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <ac_nonexistent.h>
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_cxx_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_cxx_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   # Broken: success on invalid input.
 continue
 else
@@ -5818,6 +6712,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ac_preproc_ok=:
 break
 fi
+
 rm -f conftest.err conftest.$ac_ext
 
 done
@@ -5835,8 +6730,8 @@ fi
 else
   ac_cv_prog_CXXCPP=$CXXCPP
 fi
-echo "$as_me:$LINENO: result: $CXXCPP" >&5
-echo "${ECHO_T}$CXXCPP" >&6
+{ echo "$as_me:$LINENO: result: $CXXCPP" >&5
+echo "${ECHO_T}$CXXCPP" >&6; }
 ac_preproc_ok=false
 for ac_cxx_preproc_warn_flag in '' yes
 do
@@ -5859,24 +6754,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 #endif
 		     Syntax error
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_cxx_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_cxx_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   :
 else
   echo "$as_me: failed program was:" >&5
@@ -5885,9 +6778,10 @@ sed 's/^/| /' conftest.$ac_ext >&5
   # Broken: fails on valid input.
 continue
 fi
+
 rm -f conftest.err conftest.$ac_ext
 
-  # OK, works on sane cases.  Now check whether non-existent headers
+  # OK, works on sane cases.  Now check whether nonexistent headers
   # can be detected and how.
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -5897,24 +6791,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <ac_nonexistent.h>
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_cxx_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_cxx_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   # Broken: success on invalid input.
 continue
 else
@@ -5925,6 +6817,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ac_preproc_ok=:
 break
 fi
+
 rm -f conftest.err conftest.$ac_ext
 
 done
@@ -5940,24 +6833,26 @@ See \`config.log' for more details." >&2;}
    { (exit 1); exit 1; }; }
 fi
 
-ac_ext=cc
+ac_ext=cpp
 ac_cpp='$CXXCPP $CPPFLAGS'
 ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
 
+fi
+
 
 ac_ext=f
 ac_compile='$F77 -c $FFLAGS conftest.$ac_ext >&5'
 ac_link='$F77 -o conftest$ac_exeext $FFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_f77_compiler_gnu
 if test -n "$ac_tool_prefix"; then
-  for ac_prog in g77 f77 xlf frt pgf77 fort77 fl32 af77 f90 xlf90 pgf90 epcf90 f95 fort xlf95 ifc efc pgf95 lf95 gfortran
+  for ac_prog in g77 xlf f77 frt pgf77 cf77 fort77 fl32 af77 xlf90 f90 pgf90 pghpf epcf90 gfortran g95 xlf95 f95 fort ifort ifc efc pgf95 lf95 ftn
   do
     # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
 set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_F77+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -5970,36 +6865,38 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_F77="$ac_tool_prefix$ac_prog"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
 fi
 fi
 F77=$ac_cv_prog_F77
 if test -n "$F77"; then
-  echo "$as_me:$LINENO: result: $F77" >&5
-echo "${ECHO_T}$F77" >&6
+  { echo "$as_me:$LINENO: result: $F77" >&5
+echo "${ECHO_T}$F77" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
+
     test -n "$F77" && break
   done
 fi
 if test -z "$F77"; then
   ac_ct_F77=$F77
-  for ac_prog in g77 f77 xlf frt pgf77 fort77 fl32 af77 f90 xlf90 pgf90 epcf90 f95 fort xlf95 ifc efc pgf95 lf95 gfortran
+  for ac_prog in g77 xlf f77 frt pgf77 cf77 fort77 fl32 af77 xlf90 f90 pgf90 pghpf epcf90 gfortran g95 xlf95 f95 fort ifort ifc efc pgf95 lf95 ftn
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_ac_ct_F77+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -6012,48 +6909,78 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_F77="$ac_prog"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
 fi
 fi
 ac_ct_F77=$ac_cv_prog_ac_ct_F77
 if test -n "$ac_ct_F77"; then
-  echo "$as_me:$LINENO: result: $ac_ct_F77" >&5
-echo "${ECHO_T}$ac_ct_F77" >&6
+  { echo "$as_me:$LINENO: result: $ac_ct_F77" >&5
+echo "${ECHO_T}$ac_ct_F77" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
+
   test -n "$ac_ct_F77" && break
 done
 
-  F77=$ac_ct_F77
+  if test "x$ac_ct_F77" = x; then
+    F77=""
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    F77=$ac_ct_F77
+  fi
 fi
 
 
 # Provide some information about the compiler.
-echo "$as_me:6042:" \
-     "checking for Fortran 77 compiler version" >&5
+echo "$as_me:$LINENO: checking for Fortran 77 compiler version" >&5
 ac_compiler=`set X $ac_compile; echo $2`
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5
-  (eval $ac_compiler --version </dev/null >&5) 2>&5
+{ (ac_try="$ac_compiler --version >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compiler --version >&5") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler -v </dev/null >&5\"") >&5
-  (eval $ac_compiler -v </dev/null >&5) 2>&5
+{ (ac_try="$ac_compiler -v >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compiler -v >&5") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler -V </dev/null >&5\"") >&5
-  (eval $ac_compiler -V </dev/null >&5) 2>&5
+{ (ac_try="$ac_compiler -V >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compiler -V >&5") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
@@ -6063,8 +6990,8 @@ rm -f a.out
 # input file.  (Note that this only needs to work for GNU compilers.)
 ac_save_ext=$ac_ext
 ac_ext=F
-echo "$as_me:$LINENO: checking whether we are using the GNU Fortran 77 compiler" >&5
-echo $ECHO_N "checking whether we are using the GNU Fortran 77 compiler... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether we are using the GNU Fortran 77 compiler" >&5
+echo $ECHO_N "checking whether we are using the GNU Fortran 77 compiler... $ECHO_C" >&6; }
 if test "${ac_cv_f77_compiler_gnu+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -6077,46 +7004,42 @@ else
       end
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_f77_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_f77_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_compiler_gnu=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_compiler_gnu=no
+	ac_compiler_gnu=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 ac_cv_f77_compiler_gnu=$ac_compiler_gnu
 
 fi
-echo "$as_me:$LINENO: result: $ac_cv_f77_compiler_gnu" >&5
-echo "${ECHO_T}$ac_cv_f77_compiler_gnu" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_f77_compiler_gnu" >&5
+echo "${ECHO_T}$ac_cv_f77_compiler_gnu" >&6; }
 ac_ext=$ac_save_ext
 ac_test_FFLAGS=${FFLAGS+set}
 ac_save_FFLAGS=$FFLAGS
 FFLAGS=
-echo "$as_me:$LINENO: checking whether $F77 accepts -g" >&5
-echo $ECHO_N "checking whether $F77 accepts -g... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether $F77 accepts -g" >&5
+echo $ECHO_N "checking whether $F77 accepts -g... $ECHO_C" >&6; }
 if test "${ac_cv_prog_f77_g+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -6127,39 +7050,35 @@ cat >conftest.$ac_ext <<_ACEOF
       end
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_f77_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_f77_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_prog_f77_g=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_prog_f77_g=no
+	ac_cv_prog_f77_g=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 fi
-echo "$as_me:$LINENO: result: $ac_cv_prog_f77_g" >&5
-echo "${ECHO_T}$ac_cv_prog_f77_g" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_f77_g" >&5
+echo "${ECHO_T}$ac_cv_prog_f77_g" >&6; }
 if test "$ac_test_FFLAGS" = set; then
   FFLAGS=$ac_save_FFLAGS
 elif test $ac_cv_prog_f77_g = yes; then
@@ -6188,13 +7107,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 # Autoconf 2.13's AC_OBJEXT and AC_EXEEXT macros only works for C compilers!
 
 # find the maximum length of command line arguments
-echo "$as_me:$LINENO: checking the maximum length of command line arguments" >&5
-echo $ECHO_N "checking the maximum length of command line arguments... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking the maximum length of command line arguments" >&5
+echo $ECHO_N "checking the maximum length of command line arguments... $ECHO_C" >&6; }
 if test "${lt_cv_sys_max_cmd_len+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
     i=0
-  testring="ABCD"
+  teststring="ABCD"
 
   case $build_os in
   msdosdjgpp*)
@@ -6229,20 +7148,64 @@ else
     lt_cv_sys_max_cmd_len=8192;
     ;;
 
- *)
+  netbsd* | freebsd* | openbsd* | darwin* | dragonfly*)
+    # This has been around since 386BSD, at least.  Likely further.
+    if test -x /sbin/sysctl; then
+      lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax`
+    elif test -x /usr/sbin/sysctl; then
+      lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax`
+    else
+      lt_cv_sys_max_cmd_len=65536	# usable default for all BSDs
+    fi
+    # And add a safety zone
+    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
+    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
+    ;;
+
+  interix*)
+    # We know the value 262144 and hardcode it with a safety zone (like BSD)
+    lt_cv_sys_max_cmd_len=196608
+    ;;
+
+  osf*)
+    # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
+    # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
+    # nice to cause kernel panics so lets avoid the loop below.
+    # First set a reasonable default.
+    lt_cv_sys_max_cmd_len=16384
+    #
+    if test -x /sbin/sysconfig; then
+      case `/sbin/sysconfig -q proc exec_disable_arg_limit` in
+        *1*) lt_cv_sys_max_cmd_len=-1 ;;
+      esac
+    fi
+    ;;
+  sco3.2v5*)
+    lt_cv_sys_max_cmd_len=102400
+    ;;
+  sysv5* | sco5v6* | sysv4.2uw2*)
+    kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null`
+    if test -n "$kargmax"; then
+      lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[ 	]//'`
+    else
+      lt_cv_sys_max_cmd_len=32768
+    fi
+    ;;
+  *)
     # If test is not a shell built-in, we'll probably end up computing a
     # maximum length that is only half of the actual maximum length, but
     # we can't tell.
-    while (test "X"`$CONFIG_SHELL $0 --fallback-echo "X$testring" 2>/dev/null` \
-	       = "XX$testring") >/dev/null 2>&1 &&
-	    new_result=`expr "X$testring" : ".*" 2>&1` &&
+    SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}}
+    while (test "X"`$SHELL $0 --fallback-echo "X$teststring" 2>/dev/null` \
+	       = "XX$teststring") >/dev/null 2>&1 &&
+	    new_result=`expr "X$teststring" : ".*" 2>&1` &&
 	    lt_cv_sys_max_cmd_len=$new_result &&
 	    test $i != 17 # 1/2 MB should be enough
     do
       i=`expr $i + 1`
-      testring=$testring$testring
+      teststring=$teststring$teststring
     done
-    testring=
+    teststring=
     # Add a significant safety factor because C++ compilers can tack on massive
     # amounts of additional arguments before passing them to the linker.
     # It appears as though 1/2 is a usable value.
@@ -6253,19 +7216,19 @@ else
 fi
 
 if test -n $lt_cv_sys_max_cmd_len ; then
-  echo "$as_me:$LINENO: result: $lt_cv_sys_max_cmd_len" >&5
-echo "${ECHO_T}$lt_cv_sys_max_cmd_len" >&6
+  { echo "$as_me:$LINENO: result: $lt_cv_sys_max_cmd_len" >&5
+echo "${ECHO_T}$lt_cv_sys_max_cmd_len" >&6; }
 else
-  echo "$as_me:$LINENO: result: none" >&5
-echo "${ECHO_T}none" >&6
+  { echo "$as_me:$LINENO: result: none" >&5
+echo "${ECHO_T}none" >&6; }
 fi
 
 
 
 
 # Check for command to grab the raw symbol name followed by C symbol from nm.
-echo "$as_me:$LINENO: checking command to parse $NM output from $compiler object" >&5
-echo $ECHO_N "checking command to parse $NM output from $compiler object... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking command to parse $NM output from $compiler object" >&5
+echo $ECHO_N "checking command to parse $NM output from $compiler object... $ECHO_C" >&6; }
 if test "${lt_cv_sys_global_symbol_pipe+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -6279,9 +7242,6 @@ symcode='[BCDEGRST]'
 # Regexp to match symbols that can be accessed directly from C.
 sympat='\([_A-Za-z][_A-Za-z0-9]*\)'
 
-# Transform the above into a raw symbol and a C symbol.
-symxfrm='\1 \2\3 \3'
-
 # Transform an extracted symbol line into a proper C declaration
 lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern int \1;/p'"
 
@@ -6303,15 +7263,31 @@ hpux*) # Its linker distinguishes data from code symbols
   lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
   lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
   ;;
+linux*)
+  if test "$host_cpu" = ia64; then
+    symcode='[ABCDGIRSTW]'
+    lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
+    lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
+  fi
+  ;;
 irix* | nonstopux*)
   symcode='[BCDEGRST]'
   ;;
 osf*)
   symcode='[BCDEGQRST]'
   ;;
-solaris* | sysv5*)
+solaris*)
   symcode='[BDRT]'
   ;;
+sco3.2v5*)
+  symcode='[DT]'
+  ;;
+sysv4.2uw2*)
+  symcode='[DT]'
+  ;;
+sysv5* | sco5v6* | unixware* | OpenUNIX*)
+  symcode='[ABDT]'
+  ;;
 sysv4)
   symcode='[DFNSTU]'
   ;;
@@ -6334,8 +7310,11 @@ esac
 # Try without a prefix undercore, then with it.
 for ac_symprfx in "" "_"; do
 
+  # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol.
+  symxfrm="\\1 $ac_symprfx\\2 \\2"
+
   # Write the raw and C identifiers.
-  lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[ 	]\($symcode$symcode*\)[ 	][ 	]*\($ac_symprfx\)$sympat$opt_cr$/$symxfrm/p'"
+  lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[ 	]\($symcode$symcode*\)[ 	][ 	]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
 
   # Check to see that the pipe works correctly.
   pipe_works=no
@@ -6453,15 +7432,15 @@ if test -z "$lt_cv_sys_global_symbol_pipe"; then
   lt_cv_sys_global_symbol_to_cdecl=
 fi
 if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then
-  echo "$as_me:$LINENO: result: failed" >&5
-echo "${ECHO_T}failed" >&6
+  { echo "$as_me:$LINENO: result: failed" >&5
+echo "${ECHO_T}failed" >&6; }
 else
-  echo "$as_me:$LINENO: result: ok" >&5
-echo "${ECHO_T}ok" >&6
+  { echo "$as_me:$LINENO: result: ok" >&5
+echo "${ECHO_T}ok" >&6; }
 fi
 
-echo "$as_me:$LINENO: checking for objdir" >&5
-echo $ECHO_N "checking for objdir... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for objdir" >&5
+echo $ECHO_N "checking for objdir... $ECHO_C" >&6; }
 if test "${lt_cv_objdir+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -6475,8 +7454,8 @@ else
 fi
 rmdir .libs 2>/dev/null
 fi
-echo "$as_me:$LINENO: result: $lt_cv_objdir" >&5
-echo "${ECHO_T}$lt_cv_objdir" >&6
+{ echo "$as_me:$LINENO: result: $lt_cv_objdir" >&5
+echo "${ECHO_T}$lt_cv_objdir" >&6; }
 objdir=$lt_cv_objdir
 
 
@@ -6497,7 +7476,7 @@ esac
 
 # Sed substitution that helps us do robust quoting.  It backslashifies
 # metacharacters that are still active within double-quoted strings.
-Xsed='sed -e s/^X//'
+Xsed='sed -e 1s/^X//'
 sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g'
 
 # Same as above, but do not quote variable references.
@@ -6517,7 +7496,7 @@ rm="rm -f"
 default_ofile=libtool
 can_build_shared=yes
 
-# All known linkers require a `.a' archive for static linking (except M$VC,
+# All known linkers require a `.a' archive for static linking (except MSVC,
 # which needs '.lib').
 libext=a
 ltmain="$ac_aux_dir/ltmain.sh"
@@ -6527,8 +7506,8 @@ with_gnu_ld="$lt_cv_prog_gnu_ld"
 if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}ar", so it can be a program name with args.
 set dummy ${ac_tool_prefix}ar; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_AR+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -6541,32 +7520,34 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_AR="${ac_tool_prefix}ar"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
 fi
 fi
 AR=$ac_cv_prog_AR
 if test -n "$AR"; then
-  echo "$as_me:$LINENO: result: $AR" >&5
-echo "${ECHO_T}$AR" >&6
+  { echo "$as_me:$LINENO: result: $AR" >&5
+echo "${ECHO_T}$AR" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
+
 fi
 if test -z "$ac_cv_prog_AR"; then
   ac_ct_AR=$AR
   # Extract the first word of "ar", so it can be a program name with args.
 set dummy ar; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_ac_ct_AR+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -6579,27 +7560,41 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_AR="ar"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
-  test -z "$ac_cv_prog_ac_ct_AR" && ac_cv_prog_ac_ct_AR="false"
 fi
 fi
 ac_ct_AR=$ac_cv_prog_ac_ct_AR
 if test -n "$ac_ct_AR"; then
-  echo "$as_me:$LINENO: result: $ac_ct_AR" >&5
-echo "${ECHO_T}$ac_ct_AR" >&6
+  { echo "$as_me:$LINENO: result: $ac_ct_AR" >&5
+echo "${ECHO_T}$ac_ct_AR" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
-  AR=$ac_ct_AR
+  if test "x$ac_ct_AR" = x; then
+    AR="false"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    AR=$ac_ct_AR
+  fi
 else
   AR="$ac_cv_prog_AR"
 fi
@@ -6607,8 +7602,8 @@ fi
 if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args.
 set dummy ${ac_tool_prefix}ranlib; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_RANLIB+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -6621,32 +7616,34 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
 fi
 fi
 RANLIB=$ac_cv_prog_RANLIB
 if test -n "$RANLIB"; then
-  echo "$as_me:$LINENO: result: $RANLIB" >&5
-echo "${ECHO_T}$RANLIB" >&6
+  { echo "$as_me:$LINENO: result: $RANLIB" >&5
+echo "${ECHO_T}$RANLIB" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
+
 fi
 if test -z "$ac_cv_prog_RANLIB"; then
   ac_ct_RANLIB=$RANLIB
   # Extract the first word of "ranlib", so it can be a program name with args.
 set dummy ranlib; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -6659,27 +7656,41 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_RANLIB="ranlib"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
-  test -z "$ac_cv_prog_ac_ct_RANLIB" && ac_cv_prog_ac_ct_RANLIB=":"
 fi
 fi
 ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB
 if test -n "$ac_ct_RANLIB"; then
-  echo "$as_me:$LINENO: result: $ac_ct_RANLIB" >&5
-echo "${ECHO_T}$ac_ct_RANLIB" >&6
+  { echo "$as_me:$LINENO: result: $ac_ct_RANLIB" >&5
+echo "${ECHO_T}$ac_ct_RANLIB" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
-  RANLIB=$ac_ct_RANLIB
+  if test "x$ac_ct_RANLIB" = x; then
+    RANLIB=":"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    RANLIB=$ac_ct_RANLIB
+  fi
 else
   RANLIB="$ac_cv_prog_RANLIB"
 fi
@@ -6687,8 +7698,8 @@ fi
 if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
 set dummy ${ac_tool_prefix}strip; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_STRIP+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -6701,32 +7712,34 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_STRIP="${ac_tool_prefix}strip"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
 fi
 fi
 STRIP=$ac_cv_prog_STRIP
 if test -n "$STRIP"; then
-  echo "$as_me:$LINENO: result: $STRIP" >&5
-echo "${ECHO_T}$STRIP" >&6
+  { echo "$as_me:$LINENO: result: $STRIP" >&5
+echo "${ECHO_T}$STRIP" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
+
 fi
 if test -z "$ac_cv_prog_STRIP"; then
   ac_ct_STRIP=$STRIP
   # Extract the first word of "strip", so it can be a program name with args.
 set dummy strip; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -6739,27 +7752,41 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_STRIP="strip"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
-  test -z "$ac_cv_prog_ac_ct_STRIP" && ac_cv_prog_ac_ct_STRIP=":"
 fi
 fi
 ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP
 if test -n "$ac_ct_STRIP"; then
-  echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5
-echo "${ECHO_T}$ac_ct_STRIP" >&6
+  { echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5
+echo "${ECHO_T}$ac_ct_STRIP" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
-  STRIP=$ac_ct_STRIP
+  if test "x$ac_ct_STRIP" = x; then
+    STRIP=":"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    STRIP=$ac_ct_STRIP
+  fi
 else
   STRIP="$ac_cv_prog_STRIP"
 fi
@@ -6774,6 +7801,7 @@ test -z "$AR_FLAGS" && AR_FLAGS=cru
 test -z "$AS" && AS=as
 test -z "$CC" && CC=cc
 test -z "$LTCC" && LTCC=$CC
+test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS
 test -z "$DLLTOOL" && DLLTOOL=dlltool
 test -z "$LD" && LD=ld
 test -z "$LN_S" && LN_S="ln -s"
@@ -6793,21 +7821,32 @@ old_postuninstall_cmds=
 if test -n "$RANLIB"; then
   case $host_os in
   openbsd*)
-    old_postinstall_cmds="\$RANLIB -t \$oldlib~$old_postinstall_cmds"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
     ;;
   *)
-    old_postinstall_cmds="\$RANLIB \$oldlib~$old_postinstall_cmds"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
     ;;
   esac
   old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
 fi
 
+for cc_temp in $compiler""; do
+  case $cc_temp in
+    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+    \-*) ;;
+    *) break;;
+  esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+
+
 # Only perform the check for file, if the check method requires it
 case $deplibs_check_method in
 file_magic*)
   if test "$file_magic_cmd" = '$MAGIC_CMD'; then
-    echo "$as_me:$LINENO: checking for ${ac_tool_prefix}file" >&5
-echo $ECHO_N "checking for ${ac_tool_prefix}file... $ECHO_C" >&6
+    { echo "$as_me:$LINENO: checking for ${ac_tool_prefix}file" >&5
+echo $ECHO_N "checking for ${ac_tool_prefix}file... $ECHO_C" >&6; }
 if test "${lt_cv_path_MAGIC_CMD+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -6827,7 +7866,7 @@ else
       if test -n "$file_magic_test_file"; then
 	case $deplibs_check_method in
 	"file_magic "*)
-	  file_magic_regex="`expr \"$deplibs_check_method\" : \"file_magic \(.*\)\"`"
+	  file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"`
 	  MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
 	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
 	    $EGREP "$file_magic_regex" > /dev/null; then
@@ -6859,17 +7898,17 @@ fi
 
 MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
 if test -n "$MAGIC_CMD"; then
-  echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
-echo "${ECHO_T}$MAGIC_CMD" >&6
+  { echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
+echo "${ECHO_T}$MAGIC_CMD" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 if test -z "$lt_cv_path_MAGIC_CMD"; then
   if test -n "$ac_tool_prefix"; then
-    echo "$as_me:$LINENO: checking for file" >&5
-echo $ECHO_N "checking for file... $ECHO_C" >&6
+    { echo "$as_me:$LINENO: checking for file" >&5
+echo $ECHO_N "checking for file... $ECHO_C" >&6; }
 if test "${lt_cv_path_MAGIC_CMD+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -6889,7 +7928,7 @@ else
       if test -n "$file_magic_test_file"; then
 	case $deplibs_check_method in
 	"file_magic "*)
-	  file_magic_regex="`expr \"$deplibs_check_method\" : \"file_magic \(.*\)\"`"
+	  file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"`
 	  MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
 	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
 	    $EGREP "$file_magic_regex" > /dev/null; then
@@ -6921,11 +7960,11 @@ fi
 
 MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
 if test -n "$MAGIC_CMD"; then
-  echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
-echo "${ECHO_T}$MAGIC_CMD" >&6
+  { echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
+echo "${ECHO_T}$MAGIC_CMD" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
   else
@@ -6940,21 +7979,21 @@ esac
 enable_dlopen=no
 enable_win32_dll=no
 
-# Check whether --enable-libtool-lock or --disable-libtool-lock was given.
+# Check whether --enable-libtool-lock was given.
 if test "${enable_libtool_lock+set}" = set; then
-  enableval="$enable_libtool_lock"
+  enableval=$enable_libtool_lock;
+fi
 
-fi;
 test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
 
 
-# Check whether --with-pic or --without-pic was given.
+# Check whether --with-pic was given.
 if test "${with_pic+set}" = set; then
-  withval="$with_pic"
-  pic_mode="$withval"
+  withval=$with_pic; pic_mode="$withval"
 else
   pic_mode=default
-fi;
+fi
+
 test -z "$pic_mode" && pic_mode=default
 
 # Use C for the default configuration in the libtool script
@@ -6984,68 +8023,25 @@ lt_simple_link_test_code='int main(){return(0);}\n'
 # If no C compiler was specified, use CC.
 LTCC=${LTCC-"$CC"}
 
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
 # Allow CC to be a program name with arguments.
 compiler=$CC
 
 
-#
-# Check for any special shared library compilation flags.
-#
-lt_prog_cc_shlib=
-if test "$GCC" = no; then
-  case $host_os in
-  sco3.2v5*)
-    lt_prog_cc_shlib='-belf'
-    ;;
-  esac
-fi
-if test -n "$lt_prog_cc_shlib"; then
-  { echo "$as_me:$LINENO: WARNING: \`$CC' requires \`$lt_prog_cc_shlib' to build shared libraries" >&5
-echo "$as_me: WARNING: \`$CC' requires \`$lt_prog_cc_shlib' to build shared libraries" >&2;}
-  if echo "$old_CC $old_CFLAGS " | grep "[ 	]$lt_prog_cc_shlib[ 	]" >/dev/null; then :
-  else
-    { echo "$as_me:$LINENO: WARNING: add \`$lt_prog_cc_shlib' to the CC or CFLAGS env variable and reconfigure" >&5
-echo "$as_me: WARNING: add \`$lt_prog_cc_shlib' to the CC or CFLAGS env variable and reconfigure" >&2;}
-    lt_cv_prog_cc_can_build_shared=no
-  fi
-fi
-
-
-#
-# Check to make sure the static flag actually works.
-#
-echo "$as_me:$LINENO: checking if $compiler static flag $lt_prog_compiler_static works" >&5
-echo $ECHO_N "checking if $compiler static flag $lt_prog_compiler_static works... $ECHO_C" >&6
-if test "${lt_prog_compiler_static_works+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  lt_prog_compiler_static_works=no
-   save_LDFLAGS="$LDFLAGS"
-   LDFLAGS="$LDFLAGS $lt_prog_compiler_static"
-   printf "$lt_simple_link_test_code" > conftest.$ac_ext
-   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     if test -s conftest.err; then
-       # Append any errors to the config.log.
-       cat conftest.err 1>&5
-     else
-       lt_prog_compiler_static_works=yes
-     fi
-   fi
-   $rm conftest*
-   LDFLAGS="$save_LDFLAGS"
-
-fi
-echo "$as_me:$LINENO: result: $lt_prog_compiler_static_works" >&5
-echo "${ECHO_T}$lt_prog_compiler_static_works" >&6
-
-if test x"$lt_prog_compiler_static_works" = xyes; then
-    :
-else
-    lt_prog_compiler_static=
-fi
+# save warnings/boilerplate of simple test code
+ac_outfile=conftest.$ac_objext
+printf "$lt_simple_compile_test_code" >conftest.$ac_ext
+eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_compiler_boilerplate=`cat conftest.err`
+$rm conftest*
 
+ac_outfile=conftest.$ac_objext
+printf "$lt_simple_link_test_code" >conftest.$ac_ext
+eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_linker_boilerplate=`cat conftest.err`
+$rm conftest*
 
 
 
@@ -7055,8 +8051,8 @@ if test "$GCC" = yes; then
   lt_prog_compiler_no_builtin_flag=' -fno-builtin'
 
 
-echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
-echo $ECHO_N "checking if $compiler supports -fno-rtti -fno-exceptions... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
+echo $ECHO_N "checking if $compiler supports -fno-rtti -fno-exceptions... $ECHO_C" >&6; }
 if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -7070,26 +8066,28 @@ else
    # with a dollar sign (not a hyphen), so the echo should work correctly.
    # The option is referenced via a variable to avoid confusing sed.
    lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7076: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:8072: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:7080: \$? = $ac_status" >&5
+   echo "$as_me:8076: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     if test ! -s conftest.err; then
+     # So say no if there are warnings other than the usual output.
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
        lt_cv_prog_compiler_rtti_exceptions=yes
      fi
    fi
    $rm conftest*
 
 fi
-echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_rtti_exceptions" >&6
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_rtti_exceptions" >&6; }
 
 if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then
     lt_prog_compiler_no_builtin_flag="$lt_prog_compiler_no_builtin_flag -fno-rtti -fno-exceptions"
@@ -7103,8 +8101,8 @@ lt_prog_compiler_wl=
 lt_prog_compiler_pic=
 lt_prog_compiler_static=
 
-echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
-echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
+echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
 
   if test "$GCC" = yes; then
     lt_prog_compiler_wl='-Wl,'
@@ -7142,6 +8140,11 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
       lt_prog_compiler_pic='-fno-common'
       ;;
 
+    interix3*)
+      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+      # Instead, we relocate shared libraries at runtime.
+      ;;
+
     msdosdjgpp*)
       # Just because we use GCC doesn't mean we suddenly get shared libraries
       # on systems that don't support them.
@@ -7158,7 +8161,7 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
     hpux*)
       # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
       # not for PA HP-UX.
-      case "$host_cpu" in
+      case $host_cpu in
       hppa*64*|ia64*)
 	# +Z the default
 	;;
@@ -7184,6 +8187,16 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
 	lt_prog_compiler_static='-bnso -bI:/lib/syscalls.exp'
       fi
       ;;
+      darwin*)
+        # PIC is the default on this platform
+        # Common symbols not allowed in MH_DYLIB files
+       case $cc_basename in
+         xlc*)
+         lt_prog_compiler_pic='-qnocommon'
+         lt_prog_compiler_wl='-Wl,'
+         ;;
+       esac
+       ;;
 
     mingw* | pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
@@ -7195,7 +8208,7 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
       lt_prog_compiler_wl='-Wl,'
       # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
       # not for PA HP-UX.
-      case "$host_cpu" in
+      case $host_cpu in
       hppa*64*|ia64*)
 	# +Z the default
 	;;
@@ -7219,12 +8232,19 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
       ;;
 
     linux*)
-      case $CC in
+      case $cc_basename in
       icc* | ecc*)
 	lt_prog_compiler_wl='-Wl,'
 	lt_prog_compiler_pic='-KPIC'
 	lt_prog_compiler_static='-static'
         ;;
+      pgcc* | pgf77* | pgf90* | pgf95*)
+        # Portland Group compilers (*not* the Pentium gcc compiler,
+	# which looks to be a dead project)
+	lt_prog_compiler_wl='-Wl,'
+	lt_prog_compiler_pic='-fpic'
+	lt_prog_compiler_static='-Bstatic'
+        ;;
       ccc*)
         lt_prog_compiler_wl='-Wl,'
         # All Alpha code is PIC.
@@ -7239,15 +8259,15 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
       lt_prog_compiler_static='-non_shared'
       ;;
 
-    sco3.2v5*)
-      lt_prog_compiler_pic='-Kpic'
-      lt_prog_compiler_static='-dn'
-      ;;
-
     solaris*)
-      lt_prog_compiler_wl='-Wl,'
       lt_prog_compiler_pic='-KPIC'
       lt_prog_compiler_static='-Bstatic'
+      case $cc_basename in
+      f77* | f90* | f95*)
+	lt_prog_compiler_wl='-Qoption ld ';;
+      *)
+	lt_prog_compiler_wl='-Wl,';;
+      esac
       ;;
 
     sunos4*)
@@ -7256,7 +8276,7 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
       lt_prog_compiler_static='-Bstatic'
       ;;
 
-    sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+    sysv4 | sysv4.2uw2* | sysv4.3*)
       lt_prog_compiler_wl='-Wl,'
       lt_prog_compiler_pic='-KPIC'
       lt_prog_compiler_static='-Bstatic'
@@ -7269,6 +8289,17 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
       fi
       ;;
 
+    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+      lt_prog_compiler_wl='-Wl,'
+      lt_prog_compiler_pic='-KPIC'
+      lt_prog_compiler_static='-Bstatic'
+      ;;
+
+    unicos*)
+      lt_prog_compiler_wl='-Wl,'
+      lt_prog_compiler_can_build_shared=no
+      ;;
+
     uts4*)
       lt_prog_compiler_pic='-pic'
       lt_prog_compiler_static='-Bstatic'
@@ -7280,16 +8311,16 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
     esac
   fi
 
-echo "$as_me:$LINENO: result: $lt_prog_compiler_pic" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic" >&6
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic" >&6; }
 
 #
 # Check to make sure the PIC flag actually works.
 #
 if test -n "$lt_prog_compiler_pic"; then
 
-echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5
-echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic works... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5
+echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic works... $ECHO_C" >&6; }
 if test "${lt_prog_compiler_pic_works+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -7303,26 +8334,28 @@ else
    # with a dollar sign (not a hyphen), so the echo should work correctly.
    # The option is referenced via a variable to avoid confusing sed.
    lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7309: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:8340: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:7313: \$? = $ac_status" >&5
+   echo "$as_me:8344: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     if test ! -s conftest.err; then
+     # So say no if there are warnings other than the usual output.
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
        lt_prog_compiler_pic_works=yes
      fi
    fi
    $rm conftest*
 
 fi
-echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic_works" >&6
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_works" >&6; }
 
 if test x"$lt_prog_compiler_pic_works" = xyes; then
     case $lt_prog_compiler_pic in
@@ -7335,7 +8368,7 @@ else
 fi
 
 fi
-case "$host_os" in
+case $host_os in
   # For platforms which do not support PIC, -DPIC is meaningless:
   *djgpp*)
     lt_prog_compiler_pic=
@@ -7345,8 +8378,50 @@ case "$host_os" in
     ;;
 esac
 
-echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
-echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6
+#
+# Check to make sure the static flag actually works.
+#
+wl=$lt_prog_compiler_wl eval lt_tmp_static_flag=\"$lt_prog_compiler_static\"
+{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
+echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
+if test "${lt_prog_compiler_static_works+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_prog_compiler_static_works=no
+   save_LDFLAGS="$LDFLAGS"
+   LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
+   printf "$lt_simple_link_test_code" > conftest.$ac_ext
+   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+     # The linker can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     if test -s conftest.err; then
+       # Append any errors to the config.log.
+       cat conftest.err 1>&5
+       $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+       if diff conftest.exp conftest.er2 >/dev/null; then
+         lt_prog_compiler_static_works=yes
+       fi
+     else
+       lt_prog_compiler_static_works=yes
+     fi
+   fi
+   $rm conftest*
+   LDFLAGS="$save_LDFLAGS"
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_static_works" >&5
+echo "${ECHO_T}$lt_prog_compiler_static_works" >&6; }
+
+if test x"$lt_prog_compiler_static_works" = xyes; then
+    :
+else
+    lt_prog_compiler_static=
+fi
+
+
+{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
 if test "${lt_cv_prog_compiler_c_o+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -7363,23 +8438,25 @@ else
    # Note that $ac_compile itself does not contain backslashes and begins
    # with a dollar sign (not a hyphen), so the echo should work correctly.
    lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7369: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:8444: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:7373: \$? = $ac_status" >&5
+   echo "$as_me:8448: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
-     if test ! -s out/conftest.err; then
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
+     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
        lt_cv_prog_compiler_c_o=yes
      fi
    fi
-   chmod u+w .
+   chmod u+w . 2>&5
    $rm conftest*
    # SGI C++ compiler will create directory out/ii_files/ for
    # template instantiation
@@ -7390,23 +8467,23 @@ else
    $rm conftest*
 
 fi
-echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_c_o" >&6
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_c_o" >&6; }
 
 
 hard_links="nottested"
 if test "$lt_cv_prog_compiler_c_o" = no && test "$need_locks" != no; then
   # do not overwrite the value of need_locks provided by the user
-  echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
-echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6
+  { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
+echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
   hard_links=yes
   $rm conftest*
   ln conftest.a conftest.b 2>/dev/null && hard_links=no
   touch conftest.a
   ln conftest.a conftest.b 2>&5 || hard_links=no
   ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  echo "$as_me:$LINENO: result: $hard_links" >&5
-echo "${ECHO_T}$hard_links" >&6
+  { echo "$as_me:$LINENO: result: $hard_links" >&5
+echo "${ECHO_T}$hard_links" >&6; }
   if test "$hard_links" = no; then
     { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
 echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
@@ -7416,8 +8493,8 @@ else
   need_locks=no
 fi
 
-echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
 
   runpath_var=
   allow_undefined_flag=
@@ -7455,6 +8532,16 @@ echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared librar
   # rely on this symbol name, it's probably fine to never include it in
   # preloaded symbol tables.
   extract_expsyms_cmds=
+  # Just being paranoid about ensuring that cc_basename is set.
+  for cc_temp in $compiler""; do
+  case $cc_temp in
+    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+    \-*) ;;
+    *) break;;
+  esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
 
   case $host_os in
   cygwin* | mingw* | pw32*)
@@ -7465,6 +8552,10 @@ echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared librar
       with_gnu_ld=no
     fi
     ;;
+  interix*)
+    # we just hope/assume this is gcc and not c89 (= MSVC++)
+    with_gnu_ld=yes
+    ;;
   openbsd*)
     with_gnu_ld=no
     ;;
@@ -7475,6 +8566,27 @@ echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared librar
     # If archive_cmds runs LD, not CC, wlarc should be empty
     wlarc='${wl}'
 
+    # Set some defaults for GNU ld with shared library support. These
+    # are reset later if shared libraries are not supported. Putting them
+    # here allows them to be overridden if necessary.
+    runpath_var=LD_RUN_PATH
+    hardcode_libdir_flag_spec='${wl}--rpath ${wl}$libdir'
+    export_dynamic_flag_spec='${wl}--export-dynamic'
+    # ancient GNU ld didn't support --whole-archive et. al.
+    if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
+	whole_archive_flag_spec="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+      else
+  	whole_archive_flag_spec=
+    fi
+    supports_anon_versioning=no
+    case `$LD -v 2>/dev/null` in
+      *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
+      *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+      *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+      *\ 2.11.*) ;; # other 2.11 versions
+      *) supports_anon_versioning=yes ;;
+    esac
+
     # See if GNU ld supports shared libraries.
     case $host_os in
     aix3* | aix4* | aix5*)
@@ -7525,10 +8637,10 @@ EOF
       allow_undefined_flag=unsupported
       always_export_symbols=no
       enable_shared_with_static_runtimes=yes
-      export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
+      export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
 
       if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-        archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+        archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
 	# If the export-symbols file already is a .def file (1st line
 	# is EXPORTS), use it as is; otherwise, prepend...
 	archive_expsym_cmds='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
@@ -7537,7 +8649,53 @@ EOF
 	  echo EXPORTS > $output_objdir/$soname.def;
 	  cat $export_symbols >> $output_objdir/$soname.def;
 	fi~
-	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000  ${wl}--out-implib,$lib'
+	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+      else
+	ld_shlibs=no
+      fi
+      ;;
+
+    interix3*)
+      hardcode_direct=no
+      hardcode_shlibpath_var=no
+      hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
+      export_dynamic_flag_spec='${wl}-E'
+      # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+      # Instead, shared libraries are loaded at an image base (0x10000000 by
+      # default) and relocated if they conflict, which is a slow very memory
+      # consuming and fragmenting process.  To avoid this, we pick a random,
+      # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+      # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
+      archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      archive_expsym_cmds='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      ;;
+
+    linux*)
+      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	tmp_addflag=
+	case $cc_basename,$host_cpu in
+	pgcc*)				# Portland Group C compiler
+	  whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_addflag=' $pic_flag'
+	  ;;
+	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
+	  whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_addflag=' $pic_flag -Mnomain' ;;
+	ecc*,ia64* | icc*,ia64*)		# Intel C compiler on ia64
+	  tmp_addflag=' -i_dynamic' ;;
+	efc*,ia64* | ifort*,ia64*)	# Intel Fortran compiler on ia64
+	  tmp_addflag=' -i_dynamic -nofor_main' ;;
+	ifc* | ifort*)			# Intel Fortran compiler
+	  tmp_addflag=' -nofor_main' ;;
+	esac
+	archive_cmds='$CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+
+	if test $supports_anon_versioning = yes; then
+	  archive_expsym_cmds='$echo "{ global:" > $output_objdir/$libname.ver~
+  cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+  $echo "local: *; };" >> $output_objdir/$libname.ver~
+	  $CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+	fi
       else
 	ld_shlibs=no
       fi
@@ -7553,7 +8711,7 @@ EOF
       fi
       ;;
 
-    solaris* | sysv5*)
+    solaris*)
       if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
 	ld_shlibs=no
 	cat <<EOF 1>&2
@@ -7574,6 +8732,33 @@ EOF
       fi
       ;;
 
+    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
+      case `$LD -v 2>&1` in
+        *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*)
+	ld_shlibs=no
+	cat <<_LT_EOF 1>&2
+
+*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
+*** reliably create shared libraries on SCO systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+_LT_EOF
+	;;
+	*)
+	  if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	    hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
+	    archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib'
+	    archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib'
+	  else
+	    ld_shlibs=no
+	  fi
+	;;
+      esac
+      ;;
+
     sunos4*)
       archive_cmds='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
       wlarc=
@@ -7581,31 +8766,6 @@ EOF
       hardcode_shlibpath_var=no
       ;;
 
-  linux*)
-    if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
-        tmp_archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_cmds="$tmp_archive_cmds"
-      supports_anon_versioning=no
-      case `$LD -v 2>/dev/null` in
-        *\ 01.* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
-        *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
-        *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
-        *\ 2.11.*) ;; # other 2.11 versions
-        *) supports_anon_versioning=yes ;;
-      esac
-      if test $supports_anon_versioning = yes; then
-        archive_expsym_cmds='$echo "{ global:" > $output_objdir/$libname.ver~
-cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-$echo "local: *; };" >> $output_objdir/$libname.ver~
-        $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
-      else
-        archive_expsym_cmds="$tmp_archive_cmds"
-      fi
-    else
-      ld_shlibs=no
-    fi
-    ;;
-
     *)
       if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
 	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
@@ -7616,16 +8776,11 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       ;;
     esac
 
-    if test "$ld_shlibs" = yes; then
-      runpath_var=LD_RUN_PATH
-      hardcode_libdir_flag_spec='${wl}--rpath ${wl}$libdir'
-      export_dynamic_flag_spec='${wl}--export-dynamic'
-      # ancient GNU ld didn't support --whole-archive et. al.
-      if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
- 	whole_archive_flag_spec="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-      else
-  	whole_archive_flag_spec=
-      fi
+    if test "$ld_shlibs" = no; then
+      runpath_var=
+      hardcode_libdir_flag_spec=
+      export_dynamic_flag_spec=
+      whole_archive_flag_spec=
     fi
   else
     # PORTME fill in a description of your system's linker (not GNU ld)
@@ -7637,7 +8792,7 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       # Note: this linker hardcodes the directories in LIBPATH if there
       # are no directories specified by -L.
       hardcode_minus_L=yes
-      if test "$GCC" = yes && test -z "$link_static_flag"; then
+      if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
 	# Neither direct hardcoding nor static linking is supported with a
 	# broken collect2.
 	hardcode_direct=unsupported
@@ -7671,6 +8826,7 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
   	    break
   	  fi
 	  done
+	  ;;
 	esac
 
 	exp_sym_flag='-bexport'
@@ -7689,7 +8845,7 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       link_all_deplibs=yes
 
       if test "$GCC" = yes; then
-	case $host_os in aix4.012|aix4.012.*)
+	case $host_os in aix4.[012]|aix4.[012].*)
 	# We only want to do this on AIX 4.2 and lower, the check
 	# below for broken collect2 doesn't work under 4.3+
 	  collect2name=`${CC} -print-prog-name=collect2`
@@ -7708,8 +8864,12 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
   	  hardcode_libdir_flag_spec='-L$libdir'
   	  hardcode_libdir_separator=
 	  fi
+	  ;;
 	esac
 	shared_flag='-shared'
+	if test "$aix_use_runtimelinking" = yes; then
+	  shared_flag="$shared_flag "'${wl}-G'
+	fi
       else
 	# not using gcc
 	if test "$host_cpu" = ia64; then
@@ -7717,11 +8877,11 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
   	# chokes on -Wl,-G. The following line is correct:
 	  shared_flag='-G'
 	else
-  	if test "$aix_use_runtimelinking" = yes; then
+	  if test "$aix_use_runtimelinking" = yes; then
 	    shared_flag='${wl}-G'
 	  else
 	    shared_flag='${wl}-bM:SRE'
-  	fi
+	  fi
 	fi
       fi
 
@@ -7749,27 +8909,23 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
 
 aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
 }'`
@@ -7780,18 +8936,20 @@ else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 
        hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
-	archive_expsym_cmds="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+	archive_expsym_cmds="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
        else
 	if test "$host_cpu" = ia64; then
 	  hardcode_libdir_flag_spec='${wl}-R $libdir:/usr/lib:/lib'
 	  allow_undefined_flag="-z nodefs"
-	  archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"
+	  archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
 	else
 	 # Determine the default libpath from the value encoded in an empty executable.
 	 cat >conftest.$ac_ext <<_ACEOF
@@ -7810,27 +8968,23 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
 
 aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
 }'`
@@ -7841,8 +8995,10 @@ else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 
@@ -7851,13 +9007,11 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	  # -berok will link without error, but may produce a broken library.
 	  no_undefined_flag=' ${wl}-bernotok'
 	  allow_undefined_flag=' ${wl}-berok'
-	  # -bexpall does not export symbols beginning with underscore (_)
-	  always_export_symbols=yes
 	  # Exported symbols can be pulled into shared objects from archives
-	  whole_archive_flag_spec=' '
+	  whole_archive_flag_spec='$convenience'
 	  archive_cmds_need_lc=yes
-	  # This is similar to how AIX traditionally builds it's shared libraries.
-	  archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+	  # This is similar to how AIX traditionally builds its shared libraries.
+	  archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
 	fi
       fi
       ;;
@@ -7870,7 +9024,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ld_shlibs=no
       ;;
 
-    bsdi4*)
+    bsdi[45]*)
       export_dynamic_flag_spec=-rdynamic
       ;;
 
@@ -7884,7 +9038,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       # Tell ltmain to make .lib files, not .a files.
       libext=lib
       # Tell ltmain to make .dll files, not .so files.
-      shrext=".dll"
+      shrext_cmds=".dll"
       # FIXME: Setting linknames here is a bad hack.
       archive_cmds='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
       # The linker will automatically build a .lib file if we build a DLL.
@@ -7896,52 +9050,52 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ;;
 
     darwin* | rhapsody*)
-    if test "$GXX" = yes ; then
-      archive_cmds_need_lc=no
-      case "$host_os" in
-      rhapsody* | darwin1.[012])
-	allow_undefined_flag='-undefined suppress'
-	;;
-      *) # Darwin 1.3 on
-      if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-      	allow_undefined_flag='-flat_namespace -undefined suppress'
-      else
-        case ${MACOSX_DEPLOYMENT_TARGET} in
-          10.[012])
-            allow_undefined_flag='-flat_namespace -undefined suppress'
-            ;;
-          10.*)
-            allow_undefined_flag='-undefined dynamic_lookup'
-            ;;
-        esac
-      fi
-	;;
+      case $host_os in
+        rhapsody* | darwin1.[012])
+         allow_undefined_flag='${wl}-undefined ${wl}suppress'
+         ;;
+       *) # Darwin 1.3 on
+         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+           allow_undefined_flag='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+         else
+           case ${MACOSX_DEPLOYMENT_TARGET} in
+             10.[012])
+               allow_undefined_flag='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+               ;;
+             10.*)
+               allow_undefined_flag='${wl}-undefined ${wl}dynamic_lookup'
+               ;;
+           esac
+         fi
+         ;;
       esac
-    	lt_int_apple_cc_single_mod=no
-    	output_verbose_link_cmd='echo'
-    	if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
-    	  lt_int_apple_cc_single_mod=yes
-    	fi
-    	if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
-    	  archive_cmds='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-    	else
-        archive_cmds='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-      fi
-      module_cmds='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-      # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-        if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
-          archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-        else
-          archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-        fi
-          module_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+      archive_cmds_need_lc=no
       hardcode_direct=no
       hardcode_automatic=yes
       hardcode_shlibpath_var=unsupported
-      whole_archive_flag_spec='-all_load $convenience'
+      whole_archive_flag_spec=''
       link_all_deplibs=yes
+    if test "$GCC" = yes ; then
+    	output_verbose_link_cmd='echo'
+        archive_cmds='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+      module_cmds='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+      # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+      archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+      module_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
     else
-      ld_shlibs=no
+      case $cc_basename in
+        xlc*)
+         output_verbose_link_cmd='echo'
+         archive_cmds='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
+         module_cmds='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+         archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          module_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          ;;
+       *)
+         ld_shlibs=no
+          ;;
+      esac
     fi
       ;;
 
@@ -7975,7 +9129,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ;;
 
     # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
-    freebsd* | kfreebsd*-gnu)
+    freebsd* | kfreebsd*-gnu | dragonfly*)
       archive_cmds='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
       hardcode_libdir_flag_spec='-R$libdir'
       hardcode_direct=yes
@@ -7998,47 +9152,62 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       export_dynamic_flag_spec='${wl}-E'
       ;;
 
-    hpux10* | hpux11*)
+    hpux10*)
       if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	case "$host_cpu" in
-	hppa*64*|ia64*)
+	archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+      fi
+      if test "$with_gnu_ld" = no; then
+	hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
+	hardcode_libdir_separator=:
+
+	hardcode_direct=yes
+	export_dynamic_flag_spec='${wl}-E'
+
+	# hardcode_minus_L: Not really in the search PATH,
+	# but as the default location of the library.
+	hardcode_minus_L=yes
+      fi
+      ;;
+
+    hpux11*)
+      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+	case $host_cpu in
+	hppa*64*)
 	  archive_cmds='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
+	ia64*)
+	  archive_cmds='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
 	*)
 	  archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	esac
       else
-	case "$host_cpu" in
-	hppa*64*|ia64*)
-	  archive_cmds='$LD -b +h $soname -o $lib $libobjs $deplibs $linker_flags'
+	case $host_cpu in
+	hppa*64*)
+	  archive_cmds='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	ia64*)
+	  archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	*)
-	  archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+	  archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	esac
       fi
       if test "$with_gnu_ld" = no; then
-	case "$host_cpu" in
-	hppa*64*)
-	  hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
+	hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
+	hardcode_libdir_separator=:
+
+	case $host_cpu in
+	hppa*64*|ia64*)
 	  hardcode_libdir_flag_spec_ld='+b $libdir'
-	  hardcode_libdir_separator=:
 	  hardcode_direct=no
 	  hardcode_shlibpath_var=no
 	  ;;
-	ia64*)
-	  hardcode_libdir_flag_spec='-L$libdir'
-	  hardcode_direct=no
-	  hardcode_shlibpath_var=no
-
-	  # hardcode_minus_L: Not really in the search PATH,
-	  # but as the default location of the library.
-	  hardcode_minus_L=yes
-	  ;;
 	*)
-	  hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
-	  hardcode_libdir_separator=:
 	  hardcode_direct=yes
 	  export_dynamic_flag_spec='${wl}-E'
 
@@ -8086,6 +9255,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       hardcode_shlibpath_var=no
       if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
 	archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
 	hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
 	export_dynamic_flag_spec='${wl}-E'
       else
@@ -8131,7 +9301,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	allow_undefined_flag=' -expect_unresolved \*'
 	archive_cmds='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
 	archive_expsym_cmds='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
-	$LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib~$rm $lib.exp'
+	$LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp'
 
 	# Both c and cxx compiler support -rpath directly
 	hardcode_libdir_flag_spec='-rpath $libdir'
@@ -8139,21 +9309,15 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       hardcode_libdir_separator=:
       ;;
 
-    sco3.2v5*)
-      archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_shlibpath_var=no
-      export_dynamic_flag_spec='${wl}-Bexport'
-      runpath_var=LD_RUN_PATH
-      hardcode_runpath_var=yes
-      ;;
-
     solaris*)
       no_undefined_flag=' -z text'
       if test "$GCC" = yes; then
+	wlarc='${wl}'
 	archive_cmds='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
 	archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
 	  $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
       else
+	wlarc=''
 	archive_cmds='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
 	archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
   	$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
@@ -8162,8 +9326,18 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       hardcode_shlibpath_var=no
       case $host_os in
       solaris2.[0-5] | solaris2.[0-5].*) ;;
-      *) # Supported since Solaris 2.6 (maybe 2.5.1?)
-	whole_archive_flag_spec='-z allextract$convenience -z defaultextract' ;;
+      *)
+ 	# The compiler driver will combine linker options so we
+ 	# cannot just pass the convience library names through
+ 	# without $wl, iff we do not link with $LD.
+ 	# Luckily, gcc supports the same syntax we need for Sun Studio.
+ 	# Supported since Solaris 2.6 (maybe 2.5.1?)
+ 	case $wlarc in
+ 	'')
+ 	  whole_archive_flag_spec='-z allextract$convenience -z defaultextract' ;;
+ 	*)
+ 	  whole_archive_flag_spec='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract' ;;
+ 	esac ;;
       esac
       link_all_deplibs=yes
       ;;
@@ -8220,36 +9394,45 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       fi
       ;;
 
-    sysv4.2uw2*)
-      archive_cmds='$LD -G -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_direct=yes
-      hardcode_minus_L=no
+    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7*)
+      no_undefined_flag='${wl}-z,text'
+      archive_cmds_need_lc=no
       hardcode_shlibpath_var=no
-      hardcode_runpath_var=yes
-      runpath_var=LD_RUN_PATH
-      ;;
+      runpath_var='LD_RUN_PATH'
 
-   sysv5OpenUNIX8* | sysv5UnixWare7* |  sysv5uw[78]* | unixware7*)
-      no_undefined_flag='${wl}-z ${wl}text'
       if test "$GCC" = yes; then
-	archive_cmds='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_cmds='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
       else
-	archive_cmds='$CC -G ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_cmds='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
       fi
-      runpath_var='LD_RUN_PATH'
-      hardcode_shlibpath_var=no
       ;;
 
-    sysv5*)
-      no_undefined_flag=' -z text'
-      # $CC -shared without GNU ld will not create a library from C++
-      # object files and a static libstdc++, better avoid it by now
-      archive_cmds='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-  		$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
-      hardcode_libdir_flag_spec=
+    sysv5* | sco3.2v5* | sco5v6*)
+      # Note: We can NOT use -z defs as we might desire, because we do not
+      # link with -lc, and that would cause any symbols used from libc to
+      # always be unresolved, which means just about no library would
+      # ever link correctly.  If we're not using GNU ld we use -z text
+      # though, which does catch some bad symbols but isn't as heavy-handed
+      # as -z defs.
+      no_undefined_flag='${wl}-z,text'
+      allow_undefined_flag='${wl}-z,nodefs'
+      archive_cmds_need_lc=no
       hardcode_shlibpath_var=no
+      hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
+      hardcode_libdir_separator=':'
+      link_all_deplibs=yes
+      export_dynamic_flag_spec='${wl}-Bexport'
       runpath_var='LD_RUN_PATH'
+
+      if test "$GCC" = yes; then
+	archive_cmds='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+      fi
       ;;
 
     uts4*)
@@ -8264,15 +9447,10 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
     esac
   fi
 
-echo "$as_me:$LINENO: result: $ld_shlibs" >&5
-echo "${ECHO_T}$ld_shlibs" >&6
+{ echo "$as_me:$LINENO: result: $ld_shlibs" >&5
+echo "${ECHO_T}$ld_shlibs" >&6; }
 test "$ld_shlibs" = no && can_build_shared=no
 
-variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
-if test "$GCC" = yes; then
-  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
-fi
-
 #
 # Do we need to explicitly link libc?
 #
@@ -8290,8 +9468,8 @@ x|xyes)
       # Test whether the compiler implicitly links with -lc since on some
       # systems, -lgcc has to come before -lc. If gcc already passes -lc
       # to ld, don't add -lc before -lgcc.
-      echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
-echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6
+      { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
+echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
       $rm conftest*
       printf "$lt_simple_compile_test_code" > conftest.$ac_ext
 
@@ -8305,6 +9483,7 @@ echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&
         libobjs=conftest.$ac_objext
         deplibs=
         wl=$lt_prog_compiler_wl
+	pic_flag=$lt_prog_compiler_pic
         compiler_flags=-v
         linker_flags=-v
         verstring=
@@ -8327,20 +9506,20 @@ echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&
         cat conftest.err 1>&5
       fi
       $rm conftest*
-      echo "$as_me:$LINENO: result: $archive_cmds_need_lc" >&5
-echo "${ECHO_T}$archive_cmds_need_lc" >&6
+      { echo "$as_me:$LINENO: result: $archive_cmds_need_lc" >&5
+echo "${ECHO_T}$archive_cmds_need_lc" >&6; }
       ;;
     esac
   fi
   ;;
 esac
 
-echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
-echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
+echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
 library_names_spec=
 libname_spec='lib$name'
 soname_spec=
-shrext=".so"
+shrext_cmds=".so"
 postinstall_cmds=
 postuninstall_cmds=
 finish_cmds=
@@ -8437,7 +9616,7 @@ beos*)
   shlibpath_var=LIBRARY_PATH
   ;;
 
-bsdi4*)
+bsdi[45]*)
   version_type=linux
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -8453,7 +9632,7 @@ bsdi4*)
 
 cygwin* | mingw* | pw32*)
   version_type=windows
-  shrext=".dll"
+  shrext_cmds=".dll"
   need_version=no
   need_lib_prefix=no
 
@@ -8465,7 +9644,8 @@ cygwin* | mingw* | pw32*)
       dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
       dldir=$destdir/`dirname \$dlpath`~
       test -d \$dldir || mkdir -p \$dldir~
-      $install_prog $dir/$dlname \$dldir/$dlname'
+      $install_prog $dir/$dlname \$dldir/$dlname~
+      chmod a+x \$dldir/$dlname'
     postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
       dlpath=$dir/\$dldll~
        $rm \$dlpath'
@@ -8495,7 +9675,7 @@ cygwin* | mingw* | pw32*)
       ;;
     pw32*)
       # pw32 DLLs use 'pw' prefix rather than 'lib'
-      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/./-/g'`${versuffix}${shared_ext}'
+      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
       ;;
     esac
     ;;
@@ -8514,11 +9694,11 @@ darwin* | rhapsody*)
   version_type=darwin
   need_lib_prefix=no
   need_version=no
-  library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+  library_names_spec='${libname}${release}${major}$shared_ext ${libname}$shared_ext ${libname}${release}${versuffix}$shared_ext'
   soname_spec='${libname}${release}${major}$shared_ext'
   shlibpath_overrides_runpath=yes
   shlibpath_var=DYLD_LIBRARY_PATH
-  shrext='$(test .$module = .yes && echo .so || echo .dylib)'
+  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
   # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
   if test "$GCC" = yes; then
     sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
@@ -8553,8 +9733,17 @@ kfreebsd*-gnu)
   dynamic_linker='GNU ld.so'
   ;;
 
-freebsd*)
-  objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
+freebsd* | dragonfly*)
+  # DragonFly does not have aout.  When/if they implement a new
+  # versioning mechanism, adjust this.
+  if test -x /usr/bin/objformat; then
+    objformat=`/usr/bin/objformat`
+  else
+    case $host_os in
+    freebsd[123]*) objformat=aout ;;
+    *) objformat=elf ;;
+    esac
+  fi
   version_type=freebsd-$objformat
   case $version_type in
     freebsd-elf*)
@@ -8572,14 +9761,19 @@ freebsd*)
   freebsd2*)
     shlibpath_overrides_runpath=yes
     ;;
-  freebsd3.01* | freebsdelf3.01*)
+  freebsd3.[01]* | freebsdelf3.[01]*)
     shlibpath_overrides_runpath=yes
     hardcode_into_libs=yes
     ;;
-  *) # from 3.2 on
+  freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
+  freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
     shlibpath_overrides_runpath=no
     hardcode_into_libs=yes
     ;;
+  freebsd*) # from 4.6 on
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
   esac
   ;;
 
@@ -8599,9 +9793,9 @@ hpux9* | hpux10* | hpux11*)
   version_type=sunos
   need_lib_prefix=no
   need_version=no
-  case "$host_cpu" in
+  case $host_cpu in
   ia64*)
-    shrext='.so'
+    shrext_cmds='.so'
     hardcode_into_libs=yes
     dynamic_linker="$host_os dld.so"
     shlibpath_var=LD_LIBRARY_PATH
@@ -8616,7 +9810,7 @@ hpux9* | hpux10* | hpux11*)
     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
     ;;
    hppa*64*)
-     shrext='.sl'
+     shrext_cmds='.sl'
      hardcode_into_libs=yes
      dynamic_linker="$host_os dld.sl"
      shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
@@ -8627,7 +9821,7 @@ hpux9* | hpux10* | hpux11*)
      sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
      ;;
    *)
-    shrext='.sl'
+    shrext_cmds='.sl'
     dynamic_linker="$host_os dld.sl"
     shlibpath_var=SHLIB_PATH
     shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
@@ -8639,6 +9833,18 @@ hpux9* | hpux10* | hpux11*)
   postinstall_cmds='chmod 555 $lib'
   ;;
 
+interix3*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  ;;
+
 irix5* | irix6* | nonstopux*)
   case $host_os in
     nonstopux*) version_type=nonstopux ;;
@@ -8698,8 +9904,8 @@ linux*)
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $ld_extra"
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
   fi
 
   # We used to test for /lib/ld.so.1 and disable shared libraries on
@@ -8760,8 +9966,13 @@ nto-qnx*)
 
 openbsd*)
   version_type=sunos
+  sys_lib_dlsearch_path_spec="/usr/lib"
   need_lib_prefix=no
-  need_version=yes
+  # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
+  case $host_os in
+    openbsd3.3 | openbsd3.3.*) need_version=yes ;;
+    *)                         need_version=no  ;;
+  esac
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
   finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
   shlibpath_var=LD_LIBRARY_PATH
@@ -8781,7 +9992,7 @@ openbsd*)
 
 os2*)
   libname_spec='$name'
-  shrext=".dll"
+  shrext_cmds=".dll"
   need_lib_prefix=no
   library_names_spec='$libname${shared_ext} $libname.a'
   dynamic_linker='OS/2 ld.exe'
@@ -8799,13 +10010,6 @@ osf3* | osf4* | osf5*)
   sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
   ;;
 
-sco3.2v5*)
-  version_type=osf
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
-
 solaris*)
   version_type=linux
   need_lib_prefix=no
@@ -8831,7 +10035,7 @@ sunos4*)
   need_version=yes
   ;;
 
-sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+sysv4 | sysv4.3*)
   version_type=linux
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
@@ -8864,6 +10068,29 @@ sysv4*MP*)
   fi
   ;;
 
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+  version_type=freebsd-elf
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  hardcode_into_libs=yes
+  if test "$with_gnu_ld" = yes; then
+    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
+    shlibpath_overrides_runpath=no
+  else
+    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
+    shlibpath_overrides_runpath=yes
+    case $host_os in
+      sco3.2v5*)
+        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
+	;;
+    esac
+  fi
+  sys_lib_dlsearch_path_spec='/usr/lib'
+  ;;
+
 uts4*)
   version_type=linux
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -8875,16 +10102,21 @@ uts4*)
   dynamic_linker=no
   ;;
 esac
-echo "$as_me:$LINENO: result: $dynamic_linker" >&5
-echo "${ECHO_T}$dynamic_linker" >&6
+{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
+echo "${ECHO_T}$dynamic_linker" >&6; }
 test "$dynamic_linker" = no && can_build_shared=no
 
-echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
-echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+
+{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
+echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
 hardcode_action=
 if test -n "$hardcode_libdir_flag_spec" || \
-   test -n "$runpath_var " || \
-   test "X$hardcode_automatic"="Xyes" ; then
+   test -n "$runpath_var" || \
+   test "X$hardcode_automatic" = "Xyes" ; then
 
   # We can hardcode non-existant directories.
   if test "$hardcode_direct" != no &&
@@ -8904,8 +10136,8 @@ else
   # directories.
   hardcode_action=unsupported
 fi
-echo "$as_me:$LINENO: result: $hardcode_action" >&5
-echo "${ECHO_T}$hardcode_action" >&6
+{ echo "$as_me:$LINENO: result: $hardcode_action" >&5
+echo "${ECHO_T}$hardcode_action" >&6; }
 
 if test "$hardcode_action" = relink; then
   # Fast installation is not supported
@@ -8918,29 +10150,29 @@ fi
 
 striplib=
 old_striplib=
-echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5
-echo $ECHO_N "checking whether stripping libraries is possible... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5
+echo $ECHO_N "checking whether stripping libraries is possible... $ECHO_C" >&6; }
 if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
   test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
   test -z "$striplib" && striplib="$STRIP --strip-unneeded"
-  echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 else
 # FIXME - insert some real tests, host_os isn't really good enough
   case $host_os in
    darwin*)
        if test -n "$STRIP" ; then
          striplib="$STRIP -x"
-         echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+         { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
        else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
        ;;
    *)
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
     ;;
   esac
 fi
@@ -8972,8 +10204,8 @@ else
 
   darwin*)
   # if libdl is installed we need to link against it
-    echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
-echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6
+    { echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
+echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6; }
 if test "${ac_cv_lib_dl_dlopen+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -8986,56 +10218,53 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char dlopen ();
 int
 main ()
 {
-dlopen ();
+return dlopen ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_dl_dlopen=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_lib_dl_dlopen=no
+	ac_cv_lib_dl_dlopen=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6; }
 if test $ac_cv_lib_dl_dlopen = yes; then
   lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
 else
@@ -9049,8 +10278,8 @@ fi
    ;;
 
   *)
-    echo "$as_me:$LINENO: checking for shl_load" >&5
-echo $ECHO_N "checking for shl_load... $ECHO_C" >&6
+    { echo "$as_me:$LINENO: checking for shl_load" >&5
+echo $ECHO_N "checking for shl_load... $ECHO_C" >&6; }
 if test "${ac_cv_func_shl_load+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -9077,73 +10306,64 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef shl_load
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char shl_load ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_shl_load) || defined (__stub___shl_load)
+#if defined __stub_shl_load || defined __stub___shl_load
 choke me
-#else
-char (*f) () = shl_load;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != shl_load;
+return shl_load ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_shl_load=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_shl_load=no
+	ac_cv_func_shl_load=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_shl_load" >&5
-echo "${ECHO_T}$ac_cv_func_shl_load" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_shl_load" >&5
+echo "${ECHO_T}$ac_cv_func_shl_load" >&6; }
 if test $ac_cv_func_shl_load = yes; then
   lt_cv_dlopen="shl_load"
 else
-  echo "$as_me:$LINENO: checking for shl_load in -ldld" >&5
-echo $ECHO_N "checking for shl_load in -ldld... $ECHO_C" >&6
+  { echo "$as_me:$LINENO: checking for shl_load in -ldld" >&5
+echo $ECHO_N "checking for shl_load in -ldld... $ECHO_C" >&6; }
 if test "${ac_cv_lib_dld_shl_load+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -9156,61 +10376,58 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char shl_load ();
 int
 main ()
 {
-shl_load ();
+return shl_load ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_dld_shl_load=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_lib_dld_shl_load=no
+	ac_cv_lib_dld_shl_load=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5
-echo "${ECHO_T}$ac_cv_lib_dld_shl_load" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5
+echo "${ECHO_T}$ac_cv_lib_dld_shl_load" >&6; }
 if test $ac_cv_lib_dld_shl_load = yes; then
   lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-dld"
 else
-  echo "$as_me:$LINENO: checking for dlopen" >&5
-echo $ECHO_N "checking for dlopen... $ECHO_C" >&6
+  { echo "$as_me:$LINENO: checking for dlopen" >&5
+echo $ECHO_N "checking for dlopen... $ECHO_C" >&6; }
 if test "${ac_cv_func_dlopen+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -9237,73 +10454,64 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef dlopen
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char dlopen ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_dlopen) || defined (__stub___dlopen)
+#if defined __stub_dlopen || defined __stub___dlopen
 choke me
-#else
-char (*f) () = dlopen;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != dlopen;
+return dlopen ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_dlopen=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_dlopen=no
+	ac_cv_func_dlopen=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_dlopen" >&5
-echo "${ECHO_T}$ac_cv_func_dlopen" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_dlopen" >&5
+echo "${ECHO_T}$ac_cv_func_dlopen" >&6; }
 if test $ac_cv_func_dlopen = yes; then
   lt_cv_dlopen="dlopen"
 else
-  echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
-echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6
+  { echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
+echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6; }
 if test "${ac_cv_lib_dl_dlopen+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -9316,61 +10524,58 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char dlopen ();
 int
 main ()
 {
-dlopen ();
+return dlopen ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_dl_dlopen=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_lib_dl_dlopen=no
+	ac_cv_lib_dl_dlopen=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6; }
 if test $ac_cv_lib_dl_dlopen = yes; then
   lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
 else
-  echo "$as_me:$LINENO: checking for dlopen in -lsvld" >&5
-echo $ECHO_N "checking for dlopen in -lsvld... $ECHO_C" >&6
+  { echo "$as_me:$LINENO: checking for dlopen in -lsvld" >&5
+echo $ECHO_N "checking for dlopen in -lsvld... $ECHO_C" >&6; }
 if test "${ac_cv_lib_svld_dlopen+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -9383,61 +10588,58 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char dlopen ();
 int
 main ()
 {
-dlopen ();
+return dlopen ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_svld_dlopen=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_lib_svld_dlopen=no
+	ac_cv_lib_svld_dlopen=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_svld_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_svld_dlopen" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_svld_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_svld_dlopen" >&6; }
 if test $ac_cv_lib_svld_dlopen = yes; then
   lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"
 else
-  echo "$as_me:$LINENO: checking for dld_link in -ldld" >&5
-echo $ECHO_N "checking for dld_link in -ldld... $ECHO_C" >&6
+  { echo "$as_me:$LINENO: checking for dld_link in -ldld" >&5
+echo $ECHO_N "checking for dld_link in -ldld... $ECHO_C" >&6; }
 if test "${ac_cv_lib_dld_dld_link+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -9450,56 +10652,53 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char dld_link ();
 int
 main ()
 {
-dld_link ();
+return dld_link ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_dld_dld_link=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_lib_dld_dld_link=no
+	ac_cv_lib_dld_dld_link=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5
-echo "${ECHO_T}$ac_cv_lib_dld_dld_link" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5
+echo "${ECHO_T}$ac_cv_lib_dld_dld_link" >&6; }
 if test $ac_cv_lib_dld_dld_link = yes; then
   lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-dld"
 fi
@@ -9534,13 +10733,13 @@ fi
     test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
 
     save_LDFLAGS="$LDFLAGS"
-    eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
+    wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
 
     save_LIBS="$LIBS"
     LIBS="$lt_cv_dlopen_libs $LIBS"
 
-    echo "$as_me:$LINENO: checking whether a program can dlopen itself" >&5
-echo $ECHO_N "checking whether a program can dlopen itself... $ECHO_C" >&6
+    { echo "$as_me:$LINENO: checking whether a program can dlopen itself" >&5
+echo $ECHO_N "checking whether a program can dlopen itself... $ECHO_C" >&6; }
 if test "${lt_cv_dlopen_self+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -9550,7 +10749,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 9553 "configure"
+#line 10752 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -9607,6 +10806,8 @@ int main ()
       else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
       /* dlclose (self); */
     }
+  else
+    puts (dlerror ());
 
     exit (status);
 }
@@ -9616,12 +10817,12 @@ EOF
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
-    (./conftest; exit; ) 2>/dev/null
+    (./conftest; exit; ) >&5 2>/dev/null
     lt_status=$?
     case x$lt_status in
       x$lt_dlno_uscore) lt_cv_dlopen_self=yes ;;
       x$lt_dlneed_uscore) lt_cv_dlopen_self=yes ;;
-      x$lt_unknown|x*) lt_cv_dlopen_self=no ;;
+      x$lt_dlunknown|x*) lt_cv_dlopen_self=no ;;
     esac
   else :
     # compilation failed
@@ -9632,13 +10833,13 @@ rm -fr conftest*
 
 
 fi
-echo "$as_me:$LINENO: result: $lt_cv_dlopen_self" >&5
-echo "${ECHO_T}$lt_cv_dlopen_self" >&6
+{ echo "$as_me:$LINENO: result: $lt_cv_dlopen_self" >&5
+echo "${ECHO_T}$lt_cv_dlopen_self" >&6; }
 
     if test "x$lt_cv_dlopen_self" = xyes; then
-      LDFLAGS="$LDFLAGS $link_static_flag"
-      echo "$as_me:$LINENO: checking whether a statically linked program can dlopen itself" >&5
-echo $ECHO_N "checking whether a statically linked program can dlopen itself... $ECHO_C" >&6
+      wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\"
+      { echo "$as_me:$LINENO: checking whether a statically linked program can dlopen itself" >&5
+echo $ECHO_N "checking whether a statically linked program can dlopen itself... $ECHO_C" >&6; }
 if test "${lt_cv_dlopen_self_static+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -9648,7 +10849,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 9651 "configure"
+#line 10852 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -9705,6 +10906,8 @@ int main ()
       else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
       /* dlclose (self); */
     }
+  else
+    puts (dlerror ());
 
     exit (status);
 }
@@ -9714,12 +10917,12 @@ EOF
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
-    (./conftest; exit; ) 2>/dev/null
+    (./conftest; exit; ) >&5 2>/dev/null
     lt_status=$?
     case x$lt_status in
       x$lt_dlno_uscore) lt_cv_dlopen_self_static=yes ;;
       x$lt_dlneed_uscore) lt_cv_dlopen_self_static=yes ;;
-      x$lt_unknown|x*) lt_cv_dlopen_self_static=no ;;
+      x$lt_dlunknown|x*) lt_cv_dlopen_self_static=no ;;
     esac
   else :
     # compilation failed
@@ -9730,8 +10933,8 @@ rm -fr conftest*
 
 
 fi
-echo "$as_me:$LINENO: result: $lt_cv_dlopen_self_static" >&5
-echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6
+{ echo "$as_me:$LINENO: result: $lt_cv_dlopen_self_static" >&5
+echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6; }
     fi
 
     CPPFLAGS="$save_CPPFLAGS"
@@ -9752,19 +10955,19 @@ echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6
 fi
 
 
-# Report which librarie types wil actually be built
-echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
-echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6
-echo "$as_me:$LINENO: result: $can_build_shared" >&5
-echo "${ECHO_T}$can_build_shared" >&6
+# Report which library types will actually be built
+{ echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
+echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6; }
+{ echo "$as_me:$LINENO: result: $can_build_shared" >&5
+echo "${ECHO_T}$can_build_shared" >&6; }
 
-echo "$as_me:$LINENO: checking whether to build shared libraries" >&5
-echo $ECHO_N "checking whether to build shared libraries... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether to build shared libraries" >&5
+echo $ECHO_N "checking whether to build shared libraries... $ECHO_C" >&6; }
 test "$can_build_shared" = "no" && enable_shared=no
 
 # On AIX, shared libraries and static libraries use the same namespace, and
 # are all built from PIC.
-case "$host_os" in
+case $host_os in
 aix3*)
   test "$enable_shared" = yes && enable_static=no
   if test -n "$RANLIB"; then
@@ -9773,58 +10976,21 @@ aix3*)
   fi
   ;;
 
-aix4*)
+aix4* | aix5*)
   if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
     test "$enable_shared" = yes && enable_static=no
   fi
-  ;;
-  darwin* | rhapsody*)
-  if test "$GCC" = yes; then
-    archive_cmds_need_lc=no
-    case "$host_os" in
-    rhapsody* | darwin1.[012])
-      allow_undefined_flag='-undefined suppress'
-      ;;
-    *) # Darwin 1.3 on
-      if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-      	allow_undefined_flag='-flat_namespace -undefined suppress'
-      else
-        case ${MACOSX_DEPLOYMENT_TARGET} in
-          10.[012])
-            allow_undefined_flag='-flat_namespace -undefined suppress'
-            ;;
-          10.*)
-            allow_undefined_flag='-undefined dynamic_lookup'
-            ;;
-        esac
-      fi
-      ;;
-    esac
-    output_verbose_link_cmd='echo'
-    archive_cmds='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs$compiler_flags -install_name $rpath/$soname $verstring'
-    module_cmds='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-    # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-    archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag  -o $lib $libobjs $deplibs$compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-    module_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-    hardcode_direct=no
-    hardcode_automatic=yes
-    hardcode_shlibpath_var=unsupported
-    whole_archive_flag_spec='-all_load $convenience'
-    link_all_deplibs=yes
-  else
-    ld_shlibs=no
-  fi
     ;;
 esac
-echo "$as_me:$LINENO: result: $enable_shared" >&5
-echo "${ECHO_T}$enable_shared" >&6
+{ echo "$as_me:$LINENO: result: $enable_shared" >&5
+echo "${ECHO_T}$enable_shared" >&6; }
 
-echo "$as_me:$LINENO: checking whether to build static libraries" >&5
-echo $ECHO_N "checking whether to build static libraries... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether to build static libraries" >&5
+echo $ECHO_N "checking whether to build static libraries... $ECHO_C" >&6; }
 # Make sure either enable_shared or enable_static is yes.
 test "$enable_shared" = yes || enable_static=yes
-echo "$as_me:$LINENO: result: $enable_static" >&5
-echo "${ECHO_T}$enable_static" >&6
+{ echo "$as_me:$LINENO: result: $enable_static" >&5
+echo "${ECHO_T}$enable_static" >&6; }
 
 # The else clause should only fire when bootstrapping the
 # libtool distribution, otherwise you forgot to ship ltmain.sh
@@ -9839,7 +11005,7 @@ if test -f "$ltmain"; then
   # Now quote all the things that may contain metacharacters while being
   # careful not to overquote the AC_SUBSTed values.  We take copies of the
   # variables and quote the copies for generation of the libtool script.
-  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC NM \
+  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
     SED SHELL STRIP \
     libname_spec library_names_spec soname_spec extract_expsyms_cmds \
     old_striplib striplib file_magic_cmd finish_cmds finish_eval \
@@ -9943,7 +11109,7 @@ echo "$as_me: creating $ofile" >&6;}
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 #
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -9954,11 +11120,11 @@ echo "$as_me: creating $ofile" >&6;}
 SED=$lt_SED
 
 # Sed that helps us avoid accidentally triggering echo(1) options like -n.
-Xsed="$SED -e s/^X//"
+Xsed="$SED -e 1s/^X//"
 
 # The HP-UX ksh and POSIX shell print the target directory to stdout
 # if CDPATH is set.
-if test "X\${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
 
 # The names of the tagged configurations supported by this script.
 available_tags=
@@ -9988,6 +11154,12 @@ fast_install=$enable_fast_install
 # The host system.
 host_alias=$host_alias
 host=$host
+host_os=$host_os
+
+# The build system.
+build_alias=$build_alias
+build=$build
+build_os=$build_os
 
 # An echo program that does not interpret backslashes.
 echo=$lt_echo
@@ -9999,6 +11171,9 @@ AR_FLAGS=$lt_AR_FLAGS
 # A C compiler.
 LTCC=$lt_LTCC
 
+# LTCC compiler flags.
+LTCFLAGS=$lt_LTCFLAGS
+
 # A language-specific compiler.
 CC=$lt_compiler
 
@@ -10049,7 +11224,7 @@ objext="$ac_objext"
 libext="$libext"
 
 # Shared library suffix (normally ".so").
-shrext='$shrext'
+shrext_cmds='$shrext_cmds'
 
 # Executable file suffix (normally "").
 exeext="$exeext"
@@ -10064,7 +11239,7 @@ max_cmd_len=$lt_cv_sys_max_cmd_len
 # Does compiler simultaneously support -c and -o options?
 compiler_c_o=$lt_lt_cv_prog_compiler_c_o
 
-# Must we lock files when doing compilation ?
+# Must we lock files when doing compilation?
 need_locks=$lt_need_locks
 
 # Do we need the lib prefix for modules?
@@ -10307,11 +11482,11 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 CC="$lt_save_CC"
 
 
-# Check whether --with-tags or --without-tags was given.
+# Check whether --with-tags was given.
 if test "${with_tags+set}" = set; then
-  withval="$with_tags"
-  tagnames="$withval"
-fi;
+  withval=$with_tags; tagnames="$withval"
+fi
+
 
 if test -f "$ltmain" && test -n "$tagnames"; then
   if test ! -f "${ofile}"; then
@@ -10329,6 +11504,9 @@ echo "$as_me: WARNING: output file \`$ofile' does not look like a libtool script
 echo "$as_me: WARNING: using \`LTCC=$LTCC', extracted from \`$ofile'" >&2;}
     fi
   fi
+  if test -z "$LTCFLAGS"; then
+    eval "`$SHELL ${ofile} --config | grep '^LTCFLAGS='`"
+  fi
 
   # Extract list of available tagged configurations in $ofile.
   # Note that this assumes the entire list is on one line.
@@ -10359,8 +11537,10 @@ echo "$as_me: error: tag name \"$tagname\" already exists" >&2;}
 
       case $tagname in
       CXX)
-	if test -n "$CXX" && test "X$CXX" != "Xno"; then
-	  ac_ext=cc
+	if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
+	    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
+	    (test "X$CXX" != "Xg++"))) ; then
+	  ac_ext=cpp
 ac_cpp='$CXXCPP $CPPFLAGS'
 ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
@@ -10379,6 +11559,7 @@ hardcode_libdir_flag_spec_CXX=
 hardcode_libdir_flag_spec_ld_CXX=
 hardcode_libdir_separator_CXX=
 hardcode_minus_L_CXX=no
+hardcode_shlibpath_var_CXX=unsupported
 hardcode_automatic_CXX=no
 module_cmds_CXX=
 module_expsym_cmds_CXX=
@@ -10396,7 +11577,7 @@ postdeps_CXX=
 compiler_lib_search_path_CXX=
 
 # Source file extension for C++ test sources.
-ac_ext=cc
+ac_ext=cpp
 
 # Object file extension for compiled C++ test sources.
 objext=o
@@ -10406,17 +11587,34 @@ objext_CXX=$objext
 lt_simple_compile_test_code="int some_variable = 0;\n"
 
 # Code to be used in simple link tests
-lt_simple_link_test_code='int main(int, char *) { return(0); }\n'
+lt_simple_link_test_code='int main(int, char *[]) { return(0); }\n'
 
 # ltmain only uses $CC for tagged configurations so make sure $CC is set.
 
 # If no C compiler was specified, use CC.
 LTCC=${LTCC-"$CC"}
 
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
 # Allow CC to be a program name with arguments.
 compiler=$CC
 
 
+# save warnings/boilerplate of simple test code
+ac_outfile=conftest.$ac_objext
+printf "$lt_simple_compile_test_code" >conftest.$ac_ext
+eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_compiler_boilerplate=`cat conftest.err`
+$rm conftest*
+
+ac_outfile=conftest.$ac_objext
+printf "$lt_simple_link_test_code" >conftest.$ac_ext
+eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_linker_boilerplate=`cat conftest.err`
+$rm conftest*
+
+
 # Allow CC to be a program name with arguments.
 lt_save_CC=$CC
 lt_save_LD=$LD
@@ -10427,18 +11625,27 @@ lt_save_path_LD=$lt_cv_path_LD
 if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then
   lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx
 else
-  unset lt_cv_prog_gnu_ld
+  $as_unset lt_cv_prog_gnu_ld
 fi
 if test -n "${lt_cv_path_LDCXX+set}"; then
   lt_cv_path_LD=$lt_cv_path_LDCXX
 else
-  unset lt_cv_path_LD
+  $as_unset lt_cv_path_LD
 fi
 test -z "${LDCXX+set}" || LD=$LDCXX
 CC=${CXX-"c++"}
 compiler=$CC
 compiler_CXX=$CC
-cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'`
+for cc_temp in $compiler""; do
+  case $cc_temp in
+    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+    \-*) ;;
+    *) break;;
+  esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+
 
 # We don't want -fno-exception wen compiling C++ code, so set the
 # no_builtin_flag separately
@@ -10452,18 +11659,18 @@ if test "$GXX" = yes; then
   # Set up default GNU C++ configuration
 
 
-# Check whether --with-gnu-ld or --without-gnu-ld was given.
+# Check whether --with-gnu-ld was given.
 if test "${with_gnu_ld+set}" = set; then
-  withval="$with_gnu_ld"
-  test "$withval" = no || with_gnu_ld=yes
+  withval=$with_gnu_ld; test "$withval" = no || with_gnu_ld=yes
 else
   with_gnu_ld=no
-fi;
+fi
+
 ac_prog=ld
 if test "$GCC" = yes; then
   # Check if gcc -print-prog-name=ld gives a path.
-  echo "$as_me:$LINENO: checking for ld used by $CC" >&5
-echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6
+  { echo "$as_me:$LINENO: checking for ld used by $CC" >&5
+echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6; }
   case $host in
   *-*-mingw*)
     # gcc leaves a trailing carriage return which upsets mingw
@@ -10492,11 +11699,11 @@ echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6
     ;;
   esac
 elif test "$with_gnu_ld" = yes; then
-  echo "$as_me:$LINENO: checking for GNU ld" >&5
-echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6
+  { echo "$as_me:$LINENO: checking for GNU ld" >&5
+echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6; }
 else
-  echo "$as_me:$LINENO: checking for non-GNU ld" >&5
-echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6
+  { echo "$as_me:$LINENO: checking for non-GNU ld" >&5
+echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6; }
 fi
 if test "${lt_cv_path_LD+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -10509,7 +11716,7 @@ else
     if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
       lt_cv_path_LD="$ac_dir/$ac_prog"
       # Check to see if the program is GNU ld.  I'd rather use --version,
-      # but apparently some GNU ld's only accept -v.
+      # but apparently some variants of GNU ld only accept -v.
       # Break only if it was the GNU/non-GNU ld that we prefer.
       case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
       *GNU* | *'with BFD'*)
@@ -10529,21 +11736,21 @@ fi
 
 LD="$lt_cv_path_LD"
 if test -n "$LD"; then
-  echo "$as_me:$LINENO: result: $LD" >&5
-echo "${ECHO_T}$LD" >&6
+  { echo "$as_me:$LINENO: result: $LD" >&5
+echo "${ECHO_T}$LD" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 test -z "$LD" && { { echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5
 echo "$as_me: error: no acceptable ld found in \$PATH" >&2;}
    { (exit 1); exit 1; }; }
-echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5
-echo $ECHO_N "checking if the linker ($LD) is GNU ld... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5
+echo $ECHO_N "checking if the linker ($LD) is GNU ld... $ECHO_C" >&6; }
 if test "${lt_cv_prog_gnu_ld+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  # I'd rather use --version here, but apparently some GNU ld's only accept -v.
+  # I'd rather use --version here, but apparently some GNU lds only accept -v.
 case `$LD -v 2>&1 </dev/null` in
 *GNU* | *'with BFD'*)
   lt_cv_prog_gnu_ld=yes
@@ -10553,8 +11760,8 @@ case `$LD -v 2>&1 </dev/null` in
   ;;
 esac
 fi
-echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5
-echo "${ECHO_T}$lt_cv_prog_gnu_ld" >&6
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5
+echo "${ECHO_T}$lt_cv_prog_gnu_ld" >&6; }
 with_gnu_ld=$lt_cv_prog_gnu_ld
 
 
@@ -10604,8 +11811,8 @@ else
 fi
 
 # PORTME: fill in a description of your system's C++ link characteristics
-echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
 ld_shlibs_CXX=yes
 case $host_os in
   aix3*)
@@ -10634,6 +11841,7 @@ case $host_os in
 	    ;;
 	  esac
 	done
+	;;
       esac
 
       exp_sym_flag='-bexport'
@@ -10652,7 +11860,7 @@ case $host_os in
     link_all_deplibs_CXX=yes
 
     if test "$GXX" = yes; then
-      case $host_os in aix4.012|aix4.012.*)
+      case $host_os in aix4.[012]|aix4.[012].*)
       # We only want to do this on AIX 4.2 and lower, the check
       # below for broken collect2 doesn't work under 4.3+
 	collect2name=`${CC} -print-prog-name=collect2`
@@ -10671,8 +11879,12 @@ case $host_os in
 	  hardcode_libdir_flag_spec_CXX='-L$libdir'
 	  hardcode_libdir_separator_CXX=
 	fi
+	;;
       esac
       shared_flag='-shared'
+      if test "$aix_use_runtimelinking" = yes; then
+	shared_flag="$shared_flag "'${wl}-G'
+      fi
     else
       # not using gcc
       if test "$host_cpu" = ia64; then
@@ -10712,27 +11924,23 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_cxx_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_cxx_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
 
 aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
 }'`
@@ -10743,19 +11951,21 @@ else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 
       hardcode_libdir_flag_spec_CXX='${wl}-blibpath:$libdir:'"$aix_libpath"
 
-      archive_expsym_cmds_CXX="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+      archive_expsym_cmds_CXX="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
      else
       if test "$host_cpu" = ia64; then
 	hardcode_libdir_flag_spec_CXX='${wl}-R $libdir:/usr/lib:/lib'
 	allow_undefined_flag_CXX="-z nodefs"
-	archive_expsym_cmds_CXX="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"
+	archive_expsym_cmds_CXX="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
       else
 	# Determine the default libpath from the value encoded in an empty executable.
 	cat >conftest.$ac_ext <<_ACEOF
@@ -10774,27 +11984,23 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_cxx_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_cxx_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
 
 aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
 }'`
@@ -10805,8 +12011,10 @@ else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 
@@ -10815,16 +12023,26 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	# -berok will link without error, but may produce a broken library.
 	no_undefined_flag_CXX=' ${wl}-bernotok'
 	allow_undefined_flag_CXX=' ${wl}-berok'
-	# -bexpall does not export symbols beginning with underscore (_)
-	always_export_symbols_CXX=yes
 	# Exported symbols can be pulled into shared objects from archives
-	whole_archive_flag_spec_CXX=' '
+	whole_archive_flag_spec_CXX='$convenience'
 	archive_cmds_need_lc_CXX=yes
-	# This is similar to how AIX traditionally builds it's shared libraries.
-	archive_expsym_cmds_CXX="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+	# This is similar to how AIX traditionally builds its shared libraries.
+	archive_expsym_cmds_CXX="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
       fi
     fi
     ;;
+
+  beos*)
+    if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+      allow_undefined_flag_CXX=unsupported
+      # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+      # support --undefined.  This deserves some investigation.  FIXME
+      archive_cmds_CXX='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+    else
+      ld_shlibs_CXX=no
+    fi
+    ;;
+
   chorus*)
     case $cc_basename in
       *)
@@ -10843,7 +12061,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
     enable_shared_with_static_runtimes_CXX=yes
 
     if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-      archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+      archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
       # If the export-symbols file already is a .def file (1st line
       # is EXPORTS), use it as is; otherwise, prepend...
       archive_expsym_cmds_CXX='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
@@ -10852,70 +12070,81 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	echo EXPORTS > $output_objdir/$soname.def;
 	cat $export_symbols >> $output_objdir/$soname.def;
       fi~
-      $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+      $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
     else
       ld_shlibs_CXX=no
     fi
   ;;
+      darwin* | rhapsody*)
+        case $host_os in
+        rhapsody* | darwin1.[012])
+         allow_undefined_flag_CXX='${wl}-undefined ${wl}suppress'
+         ;;
+       *) # Darwin 1.3 on
+         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+           allow_undefined_flag_CXX='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+         else
+           case ${MACOSX_DEPLOYMENT_TARGET} in
+             10.[012])
+               allow_undefined_flag_CXX='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+               ;;
+             10.*)
+               allow_undefined_flag_CXX='${wl}-undefined ${wl}dynamic_lookup'
+               ;;
+           esac
+         fi
+         ;;
+        esac
+      archive_cmds_need_lc_CXX=no
+      hardcode_direct_CXX=no
+      hardcode_automatic_CXX=yes
+      hardcode_shlibpath_var_CXX=unsupported
+      whole_archive_flag_spec_CXX=''
+      link_all_deplibs_CXX=yes
 
-  darwin* | rhapsody*)
-  if test "$GXX" = yes; then
-    archive_cmds_need_lc_CXX=no
-    case "$host_os" in
-    rhapsody* | darwin1.[012])
-      allow_undefined_flag_CXX='-undefined suppress'
-      ;;
-    *) # Darwin 1.3 on
-      if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-      	allow_undefined_flag_CXX='-flat_namespace -undefined suppress'
+    if test "$GXX" = yes ; then
+      lt_int_apple_cc_single_mod=no
+      output_verbose_link_cmd='echo'
+      if $CC -dumpspecs 2>&1 | $EGREP 'single_module' >/dev/null ; then
+       lt_int_apple_cc_single_mod=yes
+      fi
+      if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+       archive_cmds_CXX='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
       else
-        case ${MACOSX_DEPLOYMENT_TARGET} in
-          10.[012])
-            allow_undefined_flag_CXX='-flat_namespace -undefined suppress'
-            ;;
-          10.*)
-            allow_undefined_flag_CXX='-undefined dynamic_lookup'
-            ;;
-        esac
+          archive_cmds_CXX='$CC -r -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+        fi
+        module_cmds_CXX='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+        # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+          if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+            archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          else
+            archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          fi
+            module_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+      else
+      case $cc_basename in
+        xlc*)
+         output_verbose_link_cmd='echo'
+          archive_cmds_CXX='$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
+          module_cmds_CXX='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+          archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          module_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          ;;
+       *)
+         ld_shlibs_CXX=no
+          ;;
+      esac
       fi
-      ;;
-    esac
-    lt_int_apple_cc_single_mod=no
-    output_verbose_link_cmd='echo'
-    if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
-      lt_int_apple_cc_single_mod=yes
-    fi
-    if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
-      archive_cmds_CXX='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-    else
-      archive_cmds_CXX='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-    fi
-    module_cmds_CXX='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-
-    # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-    if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
-      archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-    else
-      archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-    fi
-    module_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-    hardcode_direct_CXX=no
-    hardcode_automatic_CXX=yes
-    hardcode_shlibpath_var_CXX=unsupported
-    whole_archive_flag_spec_CXX='-all_load $convenience'
-    link_all_deplibs_CXX=yes
-  else
-    ld_shlibs_CXX=no
-  fi
-    ;;
+        ;;
 
   dgux*)
     case $cc_basename in
-      ec++)
+      ec++*)
 	# FIXME: insert proper C++ library support
 	ld_shlibs_CXX=no
 	;;
-      ghcx)
+      ghcx*)
 	# Green Hills C++ Compiler
 	# FIXME: insert proper C++ library support
 	ld_shlibs_CXX=no
@@ -10926,14 +12155,14 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	;;
     esac
     ;;
-  freebsd12*)
+  freebsd[12]*)
     # C++ shared libraries reported to be fairly broken before switch to ELF
     ld_shlibs_CXX=no
     ;;
   freebsd-elf*)
     archive_cmds_need_lc_CXX=no
     ;;
-  freebsd* | kfreebsd*-gnu)
+  freebsd* | kfreebsd*-gnu | dragonfly*)
     # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
     # conventions
     ld_shlibs_CXX=yes
@@ -10950,11 +12179,11 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 				# location of the library.
 
     case $cc_basename in
-    CC)
+    CC*)
       # FIXME: insert proper C++ library support
       ld_shlibs_CXX=no
       ;;
-    aCC)
+    aCC*)
       archive_cmds_CXX='$rm $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
       # Commands to make compiler produce verbose output that lists
       # what "hidden" libraries, object files and flags are used when
@@ -10964,7 +12193,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       # explicitly linking system object files so we need to strip them
       # from the output so that they don't get included in the library
       # dependencies.
-      output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | egrep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+      output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "[-]L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
       ;;
     *)
       if test "$GXX" = yes; then
@@ -10978,33 +12207,22 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
     ;;
   hpux10*|hpux11*)
     if test $with_gnu_ld = no; then
-      case "$host_cpu" in
-      hppa*64*)
-	hardcode_libdir_flag_spec_CXX='${wl}+b ${wl}$libdir'
+      hardcode_libdir_flag_spec_CXX='${wl}+b ${wl}$libdir'
+      hardcode_libdir_separator_CXX=:
+
+      case $host_cpu in
+      hppa*64*|ia64*)
 	hardcode_libdir_flag_spec_ld_CXX='+b $libdir'
-	hardcode_libdir_separator_CXX=:
-        ;;
-      ia64*)
-	hardcode_libdir_flag_spec_CXX='-L$libdir'
         ;;
       *)
-	hardcode_libdir_flag_spec_CXX='${wl}+b ${wl}$libdir'
-	hardcode_libdir_separator_CXX=:
 	export_dynamic_flag_spec_CXX='${wl}-E'
         ;;
       esac
     fi
-    case "$host_cpu" in
-    hppa*64*)
-      hardcode_direct_CXX=no
-      hardcode_shlibpath_var_CXX=no
-      ;;
-    ia64*)
+    case $host_cpu in
+    hppa*64*|ia64*)
       hardcode_direct_CXX=no
       hardcode_shlibpath_var_CXX=no
-      hardcode_minus_L_CXX=yes # Not in the search PATH,
-					      # but as the default
-					      # location of the library.
       ;;
     *)
       hardcode_direct_CXX=yes
@@ -11015,14 +12233,17 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
     esac
 
     case $cc_basename in
-      CC)
+      CC*)
 	# FIXME: insert proper C++ library support
 	ld_shlibs_CXX=no
 	;;
-      aCC)
-	case "$host_cpu" in
-	hppa*64*|ia64*)
-	  archive_cmds_CXX='$LD -b +h $soname -o $lib $linker_flags $libobjs $deplibs'
+      aCC*)
+	case $host_cpu in
+	hppa*64*)
+	  archive_cmds_CXX='$CC -b ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	  ;;
+	ia64*)
+	  archive_cmds_CXX='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
 	  ;;
 	*)
 	  archive_cmds_CXX='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
@@ -11041,9 +12262,12 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       *)
 	if test "$GXX" = yes; then
 	  if test $with_gnu_ld = no; then
-	    case "$host_cpu" in
-	    ia64*|hppa*64*)
-	      archive_cmds_CXX='$LD -b +h $soname -o $lib $linker_flags $libobjs $deplibs'
+	    case $host_cpu in
+	    hppa*64*)
+	      archive_cmds_CXX='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	      ;;
+	    ia64*)
+	      archive_cmds_CXX='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
 	      ;;
 	    *)
 	      archive_cmds_CXX='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
@@ -11057,11 +12281,25 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	;;
     esac
     ;;
+  interix3*)
+    hardcode_direct_CXX=no
+    hardcode_shlibpath_var_CXX=no
+    hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
+    export_dynamic_flag_spec_CXX='${wl}-E'
+    # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+    # Instead, shared libraries are loaded at an image base (0x10000000 by
+    # default) and relocated if they conflict, which is a slow very memory
+    # consuming and fragmenting process.  To avoid this, we pick a random,
+    # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+    # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
+    archive_cmds_CXX='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+    archive_expsym_cmds_CXX='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+    ;;
   irix5* | irix6*)
     case $cc_basename in
-      CC)
+      CC*)
 	# SGI C++
-	archive_cmds_CXX='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
+	archive_cmds_CXX='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
 
 	# Archives containing C++ object files must be created using
 	# "CC -ar", where "CC" is the IRIX C++ compiler.  This is
@@ -11072,7 +12310,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       *)
 	if test "$GXX" = yes; then
 	  if test "$with_gnu_ld" = no; then
-	    archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
+	    archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
 	  else
 	    archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` -o $lib'
 	  fi
@@ -11085,7 +12323,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
     ;;
   linux*)
     case $cc_basename in
-      KCC)
+      KCC*)
 	# Kuck and Associates, Inc. (KAI) C++ Compiler
 
 	# KCC will only create a shared library if the output file
@@ -11110,17 +12348,41 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	# "CC -Bstatic", where "CC" is the KAI C++ compiler.
 	old_archive_cmds_CXX='$CC -Bstatic -o $oldlib $oldobjs'
 	;;
-      icpc)
+      icpc*)
 	# Intel C++
 	with_gnu_ld=yes
+	# version 8.0 and above of icpc choke on multiply defined symbols
+	# if we add $predep_objects and $postdep_objects, however 7.1 and
+	# earlier do not add the objects themselves.
+	case `$CC -V 2>&1` in
+	*"Version 7."*)
+  	  archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+  	  archive_expsym_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	  ;;
+	*)  # Version 8.0 or newer
+	  tmp_idyn=
+	  case $host_cpu in
+	    ia64*) tmp_idyn=' -i_dynamic';;
+	  esac
+  	  archive_cmds_CXX='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	  archive_expsym_cmds_CXX='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	  ;;
+	esac
 	archive_cmds_need_lc_CXX=no
-	archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
 	hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
 	export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
 	whole_archive_flag_spec_CXX='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
 	;;
-      cxx)
+      pgCC*)
+        # Portland Group C++ compiler
+	archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+  	archive_expsym_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+
+	hardcode_libdir_flag_spec_CXX='${wl}--rpath ${wl}$libdir'
+	export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
+	whole_archive_flag_spec_CXX='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+        ;;
+      cxx*)
 	# Compaq C++
 	archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
 	archive_expsym_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname  -o $lib ${wl}-retain-symbols-file $wl$export_symbols'
@@ -11151,7 +12413,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
     ;;
   mvs*)
     case $cc_basename in
-      cxx)
+      cxx*)
 	# FIXME: insert proper C++ library support
 	ld_shlibs_CXX=no
 	;;
@@ -11172,9 +12434,25 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
     # Workaround some broken pre-1.5 toolchains
     output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"'
     ;;
+  openbsd2*)
+    # C++ shared libraries are fairly broken
+    ld_shlibs_CXX=no
+    ;;
+  openbsd*)
+    hardcode_direct_CXX=yes
+    hardcode_shlibpath_var_CXX=no
+    archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
+    hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
+    if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+      archive_expsym_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib'
+      export_dynamic_flag_spec_CXX='${wl}-E'
+      whole_archive_flag_spec_CXX="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+    fi
+    output_verbose_link_cmd='echo'
+    ;;
   osf3*)
     case $cc_basename in
-      KCC)
+      KCC*)
 	# Kuck and Associates, Inc. (KAI) C++ Compiler
 
 	# KCC will only create a shared library if the output file
@@ -11190,14 +12468,14 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	old_archive_cmds_CXX='$CC -Bstatic -o $oldlib $oldobjs'
 
 	;;
-      RCC)
+      RCC*)
 	# Rational C++ 2.4.1
 	# FIXME: insert proper C++ library support
 	ld_shlibs_CXX=no
 	;;
-      cxx)
+      cxx*)
 	allow_undefined_flag_CXX=' ${wl}-expect_unresolved ${wl}\*'
-	archive_cmds_CXX='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && echo ${wl}-set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
+	archive_cmds_CXX='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && echo ${wl}-set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
 
 	hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
 	hardcode_libdir_separator_CXX=:
@@ -11215,7 +12493,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       *)
 	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
 	  allow_undefined_flag_CXX=' ${wl}-expect_unresolved ${wl}\*'
-	  archive_cmds_CXX='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
+	  archive_cmds_CXX='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
 
 	  hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
 	  hardcode_libdir_separator_CXX=:
@@ -11234,7 +12512,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
     ;;
   osf4* | osf5*)
     case $cc_basename in
-      KCC)
+      KCC*)
 	# Kuck and Associates, Inc. (KAI) C++ Compiler
 
 	# KCC will only create a shared library if the output file
@@ -11249,17 +12527,17 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	# the KAI C++ compiler.
 	old_archive_cmds_CXX='$CC -o $oldlib $oldobjs'
 	;;
-      RCC)
+      RCC*)
 	# Rational C++ 2.4.1
 	# FIXME: insert proper C++ library support
 	ld_shlibs_CXX=no
 	;;
-      cxx)
+      cxx*)
 	allow_undefined_flag_CXX=' -expect_unresolved \*'
-	archive_cmds_CXX='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
+	archive_cmds_CXX='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
 	archive_expsym_cmds_CXX='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
 	  echo "-hidden">> $lib.exp~
-	  $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname -Wl,-input -Wl,$lib.exp  `test -n "$verstring" && echo -set_version	$verstring` -update_registry $objdir/so_locations -o $lib~
+	  $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname -Wl,-input -Wl,$lib.exp  `test -n "$verstring" && echo -set_version	$verstring` -update_registry ${output_objdir}/so_locations -o $lib~
 	  $rm $lib.exp'
 
 	hardcode_libdir_flag_spec_CXX='-rpath $libdir'
@@ -11278,7 +12556,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       *)
 	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
 	  allow_undefined_flag_CXX=' ${wl}-expect_unresolved ${wl}\*'
-	 archive_cmds_CXX='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
+	 archive_cmds_CXX='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
 
 	  hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
 	  hardcode_libdir_separator_CXX=:
@@ -11299,27 +12577,14 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
     # FIXME: insert proper C++ library support
     ld_shlibs_CXX=no
     ;;
-  sco*)
-    archive_cmds_need_lc_CXX=no
-    case $cc_basename in
-      CC)
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-      *)
-	# FIXME: insert proper C++ library support
-	ld_shlibs_CXX=no
-	;;
-    esac
-    ;;
   sunos4*)
     case $cc_basename in
-      CC)
+      CC*)
 	# Sun C++ 4.x
 	# FIXME: insert proper C++ library support
 	ld_shlibs_CXX=no
 	;;
-      lcc)
+      lcc*)
 	# Lucid
 	# FIXME: insert proper C++ library support
 	ld_shlibs_CXX=no
@@ -11332,36 +12597,33 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
     ;;
   solaris*)
     case $cc_basename in
-      CC)
+      CC*)
 	# Sun C++ 4.2, 5.x and Centerline C++
+        archive_cmds_need_lc_CXX=yes
 	no_undefined_flag_CXX=' -zdefs'
-	archive_cmds_CXX='$CC -G${allow_undefined_flag} -nolib -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	archive_cmds_CXX='$CC -G${allow_undefined_flag}  -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
 	archive_expsym_cmds_CXX='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-	$CC -G${allow_undefined_flag} -nolib ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+	$CC -G${allow_undefined_flag}  ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
 
 	hardcode_libdir_flag_spec_CXX='-R$libdir'
 	hardcode_shlibpath_var_CXX=no
 	case $host_os in
-	  solaris2.0-5 | solaris2.0-5.*) ;;
+	  solaris2.[0-5] | solaris2.[0-5].*) ;;
 	  *)
 	    # The C++ compiler is used as linker so we must use $wl
 	    # flag to pass the commands to the underlying system
-	    # linker.
+	    # linker. We must also pass each convience library through
+	    # to the system linker between allextract/defaultextract.
+	    # The C++ compiler will combine linker options so we
+	    # cannot just pass the convience library names through
+	    # without $wl.
 	    # Supported since Solaris 2.6 (maybe 2.5.1?)
-	    whole_archive_flag_spec_CXX='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+	    whole_archive_flag_spec_CXX='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract'
 	    ;;
 	esac
 	link_all_deplibs_CXX=yes
 
-	# Commands to make compiler produce verbose output that lists
-	# what "hidden" libraries, object files and flags are used when
-	# linking a shared library.
-	#
-	# There doesn't appear to be a way to prevent this compiler from
-	# explicitly linking system object files so we need to strip them
-	# from the output so that they don't get included in the library
-	# dependencies.
-	output_verbose_link_cmd='templist=`$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep "\-[LR]"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+	output_verbose_link_cmd='echo'
 
 	# Archives containing C++ object files must be created using
 	# "CC -xar", where "CC" is the Sun C++ compiler.  This is
@@ -11369,7 +12631,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	# in the archive.
 	old_archive_cmds_CXX='$CC -xar -o $oldlib $oldobjs'
 	;;
-      gcx)
+      gcx*)
 	# Green Hills C++ Compiler
 	archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
 
@@ -11407,12 +12669,63 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	;;
     esac
     ;;
-  sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[78]* | unixware7*)
+  sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*)
+    no_undefined_flag_CXX='${wl}-z,text'
     archive_cmds_need_lc_CXX=no
+    hardcode_shlibpath_var_CXX=no
+    runpath_var='LD_RUN_PATH'
+
+    case $cc_basename in
+      CC*)
+	archive_cmds_CXX='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_CXX='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	;;
+      *)
+	archive_cmds_CXX='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_CXX='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	;;
+    esac
+    ;;
+  sysv5* | sco3.2v5* | sco5v6*)
+    # Note: We can NOT use -z defs as we might desire, because we do not
+    # link with -lc, and that would cause any symbols used from libc to
+    # always be unresolved, which means just about no library would
+    # ever link correctly.  If we're not using GNU ld we use -z text
+    # though, which does catch some bad symbols but isn't as heavy-handed
+    # as -z defs.
+    # For security reasons, it is highly recommended that you always
+    # use absolute paths for naming shared libraries, and exclude the
+    # DT_RUNPATH tag from executables and libraries.  But doing so
+    # requires that you compile everything twice, which is a pain.
+    # So that behaviour is only enabled if SCOABSPATH is set to a
+    # non-empty value in the environment.  Most likely only useful for
+    # creating official distributions of packages.
+    # This is a hack until libtool officially supports absolute path
+    # names for shared libraries.
+    no_undefined_flag_CXX='${wl}-z,text'
+    allow_undefined_flag_CXX='${wl}-z,nodefs'
+    archive_cmds_need_lc_CXX=no
+    hardcode_shlibpath_var_CXX=no
+    hardcode_libdir_flag_spec_CXX='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
+    hardcode_libdir_separator_CXX=':'
+    link_all_deplibs_CXX=yes
+    export_dynamic_flag_spec_CXX='${wl}-Bexport'
+    runpath_var='LD_RUN_PATH'
+
+    case $cc_basename in
+      CC*)
+	archive_cmds_CXX='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_CXX='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	;;
+      *)
+	archive_cmds_CXX='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_CXX='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	;;
+    esac
     ;;
   tandem*)
     case $cc_basename in
-      NCC)
+      NCC*)
 	# NonStop-UX NCC 3.20
 	# FIXME: insert proper C++ library support
 	ld_shlibs_CXX=no
@@ -11432,8 +12745,8 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
     ld_shlibs_CXX=no
     ;;
 esac
-echo "$as_me:$LINENO: result: $ld_shlibs_CXX" >&5
-echo "${ECHO_T}$ld_shlibs_CXX" >&6
+{ echo "$as_me:$LINENO: result: $ld_shlibs_CXX" >&5
+echo "${ECHO_T}$ld_shlibs_CXX" >&6; }
 test "$ld_shlibs_CXX" = no && can_build_shared=no
 
 GCC_CXX="$GXX"
@@ -11465,7 +12778,7 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   # The `*' in the case matches for architectures that use `case' in
   # $output_verbose_cmd can trigger glob expansion during the loop
   # eval without this substitution.
-  output_verbose_link_cmd="`$echo \"X$output_verbose_link_cmd\" | $Xsed -e \"$no_glob_subst\"`"
+  output_verbose_link_cmd=`$echo "X$output_verbose_link_cmd" | $Xsed -e "$no_glob_subst"`
 
   for p in `eval $output_verbose_link_cmd`; do
     case $p in
@@ -11541,6 +12854,29 @@ fi
 
 $rm -f confest.$objext
 
+# PORTME: override above test on systems where it is broken
+case $host_os in
+interix3*)
+  # Interix 3.5 installs completely hosed .la files for C++, so rather than
+  # hack all around it, let's just trust "g++" to DTRT.
+  predep_objects_CXX=
+  postdep_objects_CXX=
+  postdeps_CXX=
+  ;;
+
+solaris*)
+  case $cc_basename in
+  CC*)
+    # Adding this requires a known-good setup of shared libraries for
+    # Sun compiler versions before 5.6, else PIC objects from an old
+    # archive will be linked into the output, leading to subtle bugs.
+    postdeps_CXX='-lCstd -lCrun'
+    ;;
+  esac
+  ;;
+esac
+
+
 case " $postdeps_CXX " in
 *" -lc "*) archive_cmds_need_lc_CXX=no ;;
 esac
@@ -11549,8 +12885,8 @@ lt_prog_compiler_wl_CXX=
 lt_prog_compiler_pic_CXX=
 lt_prog_compiler_static_CXX=
 
-echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
-echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
+echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
 
   # C++ specific cases for pic, static, wl, etc.
   if test "$GXX" = yes; then
@@ -11588,6 +12924,10 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
       # DJGPP does not support shared libraries at all
       lt_prog_compiler_pic_CXX=
       ;;
+    interix3*)
+      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+      # Instead, we relocate shared libraries at runtime.
+      ;;
     sysv4*MP*)
       if test -d /usr/nec; then
 	lt_prog_compiler_pic_CXX=-Kconform_pic
@@ -11596,7 +12936,7 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
     hpux*)
       # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
       # not for PA HP-UX.
-      case "$host_cpu" in
+      case $host_cpu in
       hppa*64*|ia64*)
 	;;
       *)
@@ -11621,18 +12961,28 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
 	;;
       chorus*)
 	case $cc_basename in
-	cxch68)
+	cxch68*)
 	  # Green Hills C++ Compiler
 	  # _LT_AC_TAGVAR(lt_prog_compiler_static, CXX)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a"
 	  ;;
 	esac
 	;;
+       darwin*)
+         # PIC is the default on this platform
+         # Common symbols not allowed in MH_DYLIB files
+         case $cc_basename in
+           xlc*)
+           lt_prog_compiler_pic_CXX='-qnocommon'
+           lt_prog_compiler_wl_CXX='-Wl,'
+           ;;
+         esac
+       ;;
       dgux*)
 	case $cc_basename in
-	  ec++)
+	  ec++*)
 	    lt_prog_compiler_pic_CXX='-KPIC'
 	    ;;
-	  ghcx)
+	  ghcx*)
 	    # Green Hills C++ Compiler
 	    lt_prog_compiler_pic_CXX='-pic'
 	    ;;
@@ -11640,22 +12990,22 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
 	    ;;
 	esac
 	;;
-      freebsd* | kfreebsd*-gnu)
+      freebsd* | kfreebsd*-gnu | dragonfly*)
 	# FreeBSD uses GNU C++
 	;;
       hpux9* | hpux10* | hpux11*)
 	case $cc_basename in
-	  CC)
+	  CC*)
 	    lt_prog_compiler_wl_CXX='-Wl,'
-	    lt_prog_compiler_static_CXX="${ac_cv_prog_cc_wl}-a ${ac_cv_prog_cc_wl}archive"
+	    lt_prog_compiler_static_CXX='${wl}-a ${wl}archive'
 	    if test "$host_cpu" != ia64; then
 	      lt_prog_compiler_pic_CXX='+Z'
 	    fi
 	    ;;
-	  aCC)
+	  aCC*)
 	    lt_prog_compiler_wl_CXX='-Wl,'
-	    lt_prog_compiler_static_CXX="${ac_cv_prog_cc_wl}-a ${ac_cv_prog_cc_wl}archive"
-	    case "$host_cpu" in
+	    lt_prog_compiler_static_CXX='${wl}-a ${wl}archive'
+	    case $host_cpu in
 	    hppa*64*|ia64*)
 	      # +Z the default
 	      ;;
@@ -11668,9 +13018,13 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
 	    ;;
 	esac
 	;;
+      interix*)
+	# This is c89, which is MS Visual C++ (no shared libs)
+	# Anyone wants to do a port?
+	;;
       irix5* | irix6* | nonstopux*)
 	case $cc_basename in
-	  CC)
+	  CC*)
 	    lt_prog_compiler_wl_CXX='-Wl,'
 	    lt_prog_compiler_static_CXX='-non_shared'
 	    # CC pic flag -KPIC is the default.
@@ -11681,18 +13035,24 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
 	;;
       linux*)
 	case $cc_basename in
-	  KCC)
+	  KCC*)
 	    # KAI C++ Compiler
 	    lt_prog_compiler_wl_CXX='--backend -Wl,'
 	    lt_prog_compiler_pic_CXX='-fPIC'
 	    ;;
-	  icpc)
+	  icpc* | ecpc*)
 	    # Intel C++
 	    lt_prog_compiler_wl_CXX='-Wl,'
 	    lt_prog_compiler_pic_CXX='-KPIC'
 	    lt_prog_compiler_static_CXX='-static'
 	    ;;
-	  cxx)
+	  pgCC*)
+	    # Portland Group C++ compiler.
+	    lt_prog_compiler_wl_CXX='-Wl,'
+	    lt_prog_compiler_pic_CXX='-fpic'
+	    lt_prog_compiler_static_CXX='-Bstatic'
+	    ;;
+	  cxx*)
 	    # Compaq C++
 	    # Make sure the PIC flag is empty.  It appears that all Alpha
 	    # Linux and Compaq Tru64 Unix objects are PIC.
@@ -11709,7 +13069,7 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
 	;;
       mvs*)
 	case $cc_basename in
-	  cxx)
+	  cxx*)
 	    lt_prog_compiler_pic_CXX='-W c,exportall'
 	    ;;
 	  *)
@@ -11720,14 +13080,14 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
 	;;
       osf3* | osf4* | osf5*)
 	case $cc_basename in
-	  KCC)
+	  KCC*)
 	    lt_prog_compiler_wl_CXX='--backend -Wl,'
 	    ;;
-	  RCC)
+	  RCC*)
 	    # Rational C++ 2.4.1
 	    lt_prog_compiler_pic_CXX='-pic'
 	    ;;
-	  cxx)
+	  cxx*)
 	    # Digital/Compaq C++
 	    lt_prog_compiler_wl_CXX='-Wl,'
 	    # Make sure the PIC flag is empty.  It appears that all Alpha
@@ -11741,24 +13101,15 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
 	;;
       psos*)
 	;;
-      sco*)
-	case $cc_basename in
-	  CC)
-	    lt_prog_compiler_pic_CXX='-fPIC'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
       solaris*)
 	case $cc_basename in
-	  CC)
+	  CC*)
 	    # Sun C++ 4.2, 5.x and Centerline C++
 	    lt_prog_compiler_pic_CXX='-KPIC'
 	    lt_prog_compiler_static_CXX='-Bstatic'
 	    lt_prog_compiler_wl_CXX='-Qoption ld '
 	    ;;
-	  gcx)
+	  gcx*)
 	    # Green Hills C++ Compiler
 	    lt_prog_compiler_pic_CXX='-PIC'
 	    ;;
@@ -11768,12 +13119,12 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
 	;;
       sunos4*)
 	case $cc_basename in
-	  CC)
+	  CC*)
 	    # Sun C++ 4.x
 	    lt_prog_compiler_pic_CXX='-pic'
 	    lt_prog_compiler_static_CXX='-Bstatic'
 	    ;;
-	  lcc)
+	  lcc*)
 	    # Lucid
 	    lt_prog_compiler_pic_CXX='-pic'
 	    ;;
@@ -11783,7 +13134,7 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
 	;;
       tandem*)
 	case $cc_basename in
-	  NCC)
+	  NCC*)
 	    # NonStop-UX NCC 3.20
 	    lt_prog_compiler_pic_CXX='-KPIC'
 	    ;;
@@ -11791,7 +13142,14 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
 	    ;;
 	esac
 	;;
-      unixware*)
+      sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+	case $cc_basename in
+	  CC*)
+	    lt_prog_compiler_wl_CXX='-Wl,'
+	    lt_prog_compiler_pic_CXX='-KPIC'
+	    lt_prog_compiler_static_CXX='-Bstatic'
+	    ;;
+	esac
 	;;
       vxworks*)
 	;;
@@ -11801,16 +13159,16 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
     esac
   fi
 
-echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_CXX" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic_CXX" >&6
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_CXX" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_CXX" >&6; }
 
 #
 # Check to make sure the PIC flag actually works.
 #
 if test -n "$lt_prog_compiler_pic_CXX"; then
 
-echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_CXX works" >&5
-echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_CXX works... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_CXX works" >&5
+echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_CXX works... $ECHO_C" >&6; }
 if test "${lt_prog_compiler_pic_works_CXX+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -11824,26 +13182,28 @@ else
    # with a dollar sign (not a hyphen), so the echo should work correctly.
    # The option is referenced via a variable to avoid confusing sed.
    lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:11830: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:13188: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:11834: \$? = $ac_status" >&5
+   echo "$as_me:13192: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     if test ! -s conftest.err; then
+     # So say no if there are warnings other than the usual output.
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
        lt_prog_compiler_pic_works_CXX=yes
      fi
    fi
    $rm conftest*
 
 fi
-echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works_CXX" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic_works_CXX" >&6
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works_CXX" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_works_CXX" >&6; }
 
 if test x"$lt_prog_compiler_pic_works_CXX" = xyes; then
     case $lt_prog_compiler_pic_CXX in
@@ -11856,7 +13216,7 @@ else
 fi
 
 fi
-case "$host_os" in
+case $host_os in
   # For platforms which do not support PIC, -DPIC is meaningless:
   *djgpp*)
     lt_prog_compiler_pic_CXX=
@@ -11866,8 +13226,50 @@ case "$host_os" in
     ;;
 esac
 
-echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
-echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6
+#
+# Check to make sure the static flag actually works.
+#
+wl=$lt_prog_compiler_wl_CXX eval lt_tmp_static_flag=\"$lt_prog_compiler_static_CXX\"
+{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
+echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
+if test "${lt_prog_compiler_static_works_CXX+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_prog_compiler_static_works_CXX=no
+   save_LDFLAGS="$LDFLAGS"
+   LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
+   printf "$lt_simple_link_test_code" > conftest.$ac_ext
+   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+     # The linker can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     if test -s conftest.err; then
+       # Append any errors to the config.log.
+       cat conftest.err 1>&5
+       $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+       if diff conftest.exp conftest.er2 >/dev/null; then
+         lt_prog_compiler_static_works_CXX=yes
+       fi
+     else
+       lt_prog_compiler_static_works_CXX=yes
+     fi
+   fi
+   $rm conftest*
+   LDFLAGS="$save_LDFLAGS"
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_static_works_CXX" >&5
+echo "${ECHO_T}$lt_prog_compiler_static_works_CXX" >&6; }
+
+if test x"$lt_prog_compiler_static_works_CXX" = xyes; then
+    :
+else
+    lt_prog_compiler_static_CXX=
+fi
+
+
+{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
 if test "${lt_cv_prog_compiler_c_o_CXX+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -11884,23 +13286,25 @@ else
    # Note that $ac_compile itself does not contain backslashes and begins
    # with a dollar sign (not a hyphen), so the echo should work correctly.
    lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:11890: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:13292: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:11894: \$? = $ac_status" >&5
+   echo "$as_me:13296: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
-     if test ! -s out/conftest.err; then
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
+     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
        lt_cv_prog_compiler_c_o_CXX=yes
      fi
    fi
-   chmod u+w .
+   chmod u+w . 2>&5
    $rm conftest*
    # SGI C++ compiler will create directory out/ii_files/ for
    # template instantiation
@@ -11911,23 +13315,23 @@ else
    $rm conftest*
 
 fi
-echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_CXX" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_c_o_CXX" >&6
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_CXX" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_c_o_CXX" >&6; }
 
 
 hard_links="nottested"
 if test "$lt_cv_prog_compiler_c_o_CXX" = no && test "$need_locks" != no; then
   # do not overwrite the value of need_locks provided by the user
-  echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
-echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6
+  { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
+echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
   hard_links=yes
   $rm conftest*
   ln conftest.a conftest.b 2>/dev/null && hard_links=no
   touch conftest.a
   ln conftest.a conftest.b 2>&5 || hard_links=no
   ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  echo "$as_me:$LINENO: result: $hard_links" >&5
-echo "${ECHO_T}$hard_links" >&6
+  { echo "$as_me:$LINENO: result: $hard_links" >&5
+echo "${ECHO_T}$hard_links" >&6; }
   if test "$hard_links" = no; then
     { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
 echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
@@ -11937,8 +13341,8 @@ else
   need_locks=no
 fi
 
-echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
 
   export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
   case $host_os in
@@ -11955,22 +13359,17 @@ echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared librar
     export_symbols_cmds_CXX="$ltdll_cmds"
   ;;
   cygwin* | mingw*)
-    export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
+    export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS] /s/.* \([^ ]*\)/\1 DATA/;/^.* __nm__/s/^.* __nm__\([^ ]*\) [^ ]*/\1 DATA/;/^I /d;/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
   ;;
   *)
     export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
   ;;
   esac
 
-echo "$as_me:$LINENO: result: $ld_shlibs_CXX" >&5
-echo "${ECHO_T}$ld_shlibs_CXX" >&6
+{ echo "$as_me:$LINENO: result: $ld_shlibs_CXX" >&5
+echo "${ECHO_T}$ld_shlibs_CXX" >&6; }
 test "$ld_shlibs_CXX" = no && can_build_shared=no
 
-variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
-if test "$GCC" = yes; then
-  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
-fi
-
 #
 # Do we need to explicitly link libc?
 #
@@ -11988,8 +13387,8 @@ x|xyes)
       # Test whether the compiler implicitly links with -lc since on some
       # systems, -lgcc has to come before -lc. If gcc already passes -lc
       # to ld, don't add -lc before -lgcc.
-      echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
-echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6
+      { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
+echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
       $rm conftest*
       printf "$lt_simple_compile_test_code" > conftest.$ac_ext
 
@@ -12003,6 +13402,7 @@ echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&
         libobjs=conftest.$ac_objext
         deplibs=
         wl=$lt_prog_compiler_wl_CXX
+	pic_flag=$lt_prog_compiler_pic_CXX
         compiler_flags=-v
         linker_flags=-v
         verstring=
@@ -12025,20 +13425,20 @@ echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&
         cat conftest.err 1>&5
       fi
       $rm conftest*
-      echo "$as_me:$LINENO: result: $archive_cmds_need_lc_CXX" >&5
-echo "${ECHO_T}$archive_cmds_need_lc_CXX" >&6
+      { echo "$as_me:$LINENO: result: $archive_cmds_need_lc_CXX" >&5
+echo "${ECHO_T}$archive_cmds_need_lc_CXX" >&6; }
       ;;
     esac
   fi
   ;;
 esac
 
-echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
-echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
+echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
 library_names_spec=
 libname_spec='lib$name'
 soname_spec=
-shrext=".so"
+shrext_cmds=".so"
 postinstall_cmds=
 postuninstall_cmds=
 finish_cmds=
@@ -12135,7 +13535,7 @@ beos*)
   shlibpath_var=LIBRARY_PATH
   ;;
 
-bsdi4*)
+bsdi[45]*)
   version_type=linux
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -12151,7 +13551,7 @@ bsdi4*)
 
 cygwin* | mingw* | pw32*)
   version_type=windows
-  shrext=".dll"
+  shrext_cmds=".dll"
   need_version=no
   need_lib_prefix=no
 
@@ -12163,7 +13563,8 @@ cygwin* | mingw* | pw32*)
       dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
       dldir=$destdir/`dirname \$dlpath`~
       test -d \$dldir || mkdir -p \$dldir~
-      $install_prog $dir/$dlname \$dldir/$dlname'
+      $install_prog $dir/$dlname \$dldir/$dlname~
+      chmod a+x \$dldir/$dlname'
     postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
       dlpath=$dir/\$dldll~
        $rm \$dlpath'
@@ -12193,7 +13594,7 @@ cygwin* | mingw* | pw32*)
       ;;
     pw32*)
       # pw32 DLLs use 'pw' prefix rather than 'lib'
-      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/./-/g'`${versuffix}${shared_ext}'
+      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
       ;;
     esac
     ;;
@@ -12212,11 +13613,11 @@ darwin* | rhapsody*)
   version_type=darwin
   need_lib_prefix=no
   need_version=no
-  library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+  library_names_spec='${libname}${release}${major}$shared_ext ${libname}$shared_ext ${libname}${release}${versuffix}$shared_ext'
   soname_spec='${libname}${release}${major}$shared_ext'
   shlibpath_overrides_runpath=yes
   shlibpath_var=DYLD_LIBRARY_PATH
-  shrext='$(test .$module = .yes && echo .so || echo .dylib)'
+  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
   # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
   if test "$GCC" = yes; then
     sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
@@ -12251,8 +13652,17 @@ kfreebsd*-gnu)
   dynamic_linker='GNU ld.so'
   ;;
 
-freebsd*)
-  objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
+freebsd* | dragonfly*)
+  # DragonFly does not have aout.  When/if they implement a new
+  # versioning mechanism, adjust this.
+  if test -x /usr/bin/objformat; then
+    objformat=`/usr/bin/objformat`
+  else
+    case $host_os in
+    freebsd[123]*) objformat=aout ;;
+    *) objformat=elf ;;
+    esac
+  fi
   version_type=freebsd-$objformat
   case $version_type in
     freebsd-elf*)
@@ -12270,14 +13680,19 @@ freebsd*)
   freebsd2*)
     shlibpath_overrides_runpath=yes
     ;;
-  freebsd3.01* | freebsdelf3.01*)
+  freebsd3.[01]* | freebsdelf3.[01]*)
     shlibpath_overrides_runpath=yes
     hardcode_into_libs=yes
     ;;
-  *) # from 3.2 on
+  freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
+  freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
     shlibpath_overrides_runpath=no
     hardcode_into_libs=yes
     ;;
+  freebsd*) # from 4.6 on
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
   esac
   ;;
 
@@ -12297,9 +13712,9 @@ hpux9* | hpux10* | hpux11*)
   version_type=sunos
   need_lib_prefix=no
   need_version=no
-  case "$host_cpu" in
+  case $host_cpu in
   ia64*)
-    shrext='.so'
+    shrext_cmds='.so'
     hardcode_into_libs=yes
     dynamic_linker="$host_os dld.so"
     shlibpath_var=LD_LIBRARY_PATH
@@ -12314,7 +13729,7 @@ hpux9* | hpux10* | hpux11*)
     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
     ;;
    hppa*64*)
-     shrext='.sl'
+     shrext_cmds='.sl'
      hardcode_into_libs=yes
      dynamic_linker="$host_os dld.sl"
      shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
@@ -12325,7 +13740,7 @@ hpux9* | hpux10* | hpux11*)
      sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
      ;;
    *)
-    shrext='.sl'
+    shrext_cmds='.sl'
     dynamic_linker="$host_os dld.sl"
     shlibpath_var=SHLIB_PATH
     shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
@@ -12337,6 +13752,18 @@ hpux9* | hpux10* | hpux11*)
   postinstall_cmds='chmod 555 $lib'
   ;;
 
+interix3*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  ;;
+
 irix5* | irix6* | nonstopux*)
   case $host_os in
     nonstopux*) version_type=nonstopux ;;
@@ -12396,8 +13823,8 @@ linux*)
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $ld_extra"
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
   fi
 
   # We used to test for /lib/ld.so.1 and disable shared libraries on
@@ -12458,8 +13885,13 @@ nto-qnx*)
 
 openbsd*)
   version_type=sunos
+  sys_lib_dlsearch_path_spec="/usr/lib"
   need_lib_prefix=no
-  need_version=yes
+  # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
+  case $host_os in
+    openbsd3.3 | openbsd3.3.*) need_version=yes ;;
+    *)                         need_version=no  ;;
+  esac
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
   finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
   shlibpath_var=LD_LIBRARY_PATH
@@ -12479,7 +13911,7 @@ openbsd*)
 
 os2*)
   libname_spec='$name'
-  shrext=".dll"
+  shrext_cmds=".dll"
   need_lib_prefix=no
   library_names_spec='$libname${shared_ext} $libname.a'
   dynamic_linker='OS/2 ld.exe'
@@ -12497,13 +13929,6 @@ osf3* | osf4* | osf5*)
   sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
   ;;
 
-sco3.2v5*)
-  version_type=osf
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
-
 solaris*)
   version_type=linux
   need_lib_prefix=no
@@ -12529,7 +13954,7 @@ sunos4*)
   need_version=yes
   ;;
 
-sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+sysv4 | sysv4.3*)
   version_type=linux
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
@@ -12562,6 +13987,29 @@ sysv4*MP*)
   fi
   ;;
 
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+  version_type=freebsd-elf
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  hardcode_into_libs=yes
+  if test "$with_gnu_ld" = yes; then
+    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
+    shlibpath_overrides_runpath=no
+  else
+    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
+    shlibpath_overrides_runpath=yes
+    case $host_os in
+      sco3.2v5*)
+        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
+	;;
+    esac
+  fi
+  sys_lib_dlsearch_path_spec='/usr/lib'
+  ;;
+
 uts4*)
   version_type=linux
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -12573,16 +14021,21 @@ uts4*)
   dynamic_linker=no
   ;;
 esac
-echo "$as_me:$LINENO: result: $dynamic_linker" >&5
-echo "${ECHO_T}$dynamic_linker" >&6
+{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
+echo "${ECHO_T}$dynamic_linker" >&6; }
 test "$dynamic_linker" = no && can_build_shared=no
 
-echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
-echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+
+{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
+echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
 hardcode_action_CXX=
 if test -n "$hardcode_libdir_flag_spec_CXX" || \
-   test -n "$runpath_var CXX" || \
-   test "X$hardcode_automatic_CXX"="Xyes" ; then
+   test -n "$runpath_var_CXX" || \
+   test "X$hardcode_automatic_CXX" = "Xyes" ; then
 
   # We can hardcode non-existant directories.
   if test "$hardcode_direct_CXX" != no &&
@@ -12602,8 +14055,8 @@ else
   # directories.
   hardcode_action_CXX=unsupported
 fi
-echo "$as_me:$LINENO: result: $hardcode_action_CXX" >&5
-echo "${ECHO_T}$hardcode_action_CXX" >&6
+{ echo "$as_me:$LINENO: result: $hardcode_action_CXX" >&5
+echo "${ECHO_T}$hardcode_action_CXX" >&6; }
 
 if test "$hardcode_action_CXX" = relink; then
   # Fast installation is not supported
@@ -12614,841 +14067,6 @@ elif test "$shlibpath_overrides_runpath" = yes ||
   enable_fast_install=needless
 fi
 
-striplib=
-old_striplib=
-echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5
-echo $ECHO_N "checking whether stripping libraries is possible... $ECHO_C" >&6
-if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
-  test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
-  test -z "$striplib" && striplib="$STRIP --strip-unneeded"
-  echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-else
-# FIXME - insert some real tests, host_os isn't really good enough
-  case $host_os in
-   darwin*)
-       if test -n "$STRIP" ; then
-         striplib="$STRIP -x"
-         echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-       else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-       ;;
-   *)
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-    ;;
-  esac
-fi
-
-if test "x$enable_dlopen" != xyes; then
-  enable_dlopen=unknown
-  enable_dlopen_self=unknown
-  enable_dlopen_self_static=unknown
-else
-  lt_cv_dlopen=no
-  lt_cv_dlopen_libs=
-
-  case $host_os in
-  beos*)
-    lt_cv_dlopen="load_add_on"
-    lt_cv_dlopen_libs=
-    lt_cv_dlopen_self=yes
-    ;;
-
-  mingw* | pw32*)
-    lt_cv_dlopen="LoadLibrary"
-    lt_cv_dlopen_libs=
-   ;;
-
-  cygwin*)
-    lt_cv_dlopen="dlopen"
-    lt_cv_dlopen_libs=
-   ;;
-
-  darwin*)
-  # if libdl is installed we need to link against it
-    echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
-echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6
-if test "${ac_cv_lib_dl_dlopen+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldl  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char dlopen ();
-int
-main ()
-{
-dlopen ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_cxx_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_lib_dl_dlopen=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_dl_dlopen=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6
-if test $ac_cv_lib_dl_dlopen = yes; then
-  lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
-else
-
-    lt_cv_dlopen="dyld"
-    lt_cv_dlopen_libs=
-    lt_cv_dlopen_self=yes
-
-fi
-
-   ;;
-
-  *)
-    echo "$as_me:$LINENO: checking for shl_load" >&5
-echo $ECHO_N "checking for shl_load... $ECHO_C" >&6
-if test "${ac_cv_func_shl_load+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define shl_load to an innocuous variant, in case <limits.h> declares shl_load.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define shl_load innocuous_shl_load
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char shl_load (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef shl_load
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char shl_load ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_shl_load) || defined (__stub___shl_load)
-choke me
-#else
-char (*f) () = shl_load;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != shl_load;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_cxx_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_func_shl_load=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_shl_load=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_shl_load" >&5
-echo "${ECHO_T}$ac_cv_func_shl_load" >&6
-if test $ac_cv_func_shl_load = yes; then
-  lt_cv_dlopen="shl_load"
-else
-  echo "$as_me:$LINENO: checking for shl_load in -ldld" >&5
-echo $ECHO_N "checking for shl_load in -ldld... $ECHO_C" >&6
-if test "${ac_cv_lib_dld_shl_load+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldld  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char shl_load ();
-int
-main ()
-{
-shl_load ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_cxx_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_lib_dld_shl_load=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_dld_shl_load=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5
-echo "${ECHO_T}$ac_cv_lib_dld_shl_load" >&6
-if test $ac_cv_lib_dld_shl_load = yes; then
-  lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-dld"
-else
-  echo "$as_me:$LINENO: checking for dlopen" >&5
-echo $ECHO_N "checking for dlopen... $ECHO_C" >&6
-if test "${ac_cv_func_dlopen+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define dlopen to an innocuous variant, in case <limits.h> declares dlopen.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define dlopen innocuous_dlopen
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char dlopen (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef dlopen
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char dlopen ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_dlopen) || defined (__stub___dlopen)
-choke me
-#else
-char (*f) () = dlopen;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != dlopen;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_cxx_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_func_dlopen=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_dlopen=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_dlopen" >&5
-echo "${ECHO_T}$ac_cv_func_dlopen" >&6
-if test $ac_cv_func_dlopen = yes; then
-  lt_cv_dlopen="dlopen"
-else
-  echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
-echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6
-if test "${ac_cv_lib_dl_dlopen+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldl  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char dlopen ();
-int
-main ()
-{
-dlopen ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_cxx_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_lib_dl_dlopen=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_dl_dlopen=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6
-if test $ac_cv_lib_dl_dlopen = yes; then
-  lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
-else
-  echo "$as_me:$LINENO: checking for dlopen in -lsvld" >&5
-echo $ECHO_N "checking for dlopen in -lsvld... $ECHO_C" >&6
-if test "${ac_cv_lib_svld_dlopen+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lsvld  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char dlopen ();
-int
-main ()
-{
-dlopen ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_cxx_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_lib_svld_dlopen=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_svld_dlopen=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_svld_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_svld_dlopen" >&6
-if test $ac_cv_lib_svld_dlopen = yes; then
-  lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"
-else
-  echo "$as_me:$LINENO: checking for dld_link in -ldld" >&5
-echo $ECHO_N "checking for dld_link in -ldld... $ECHO_C" >&6
-if test "${ac_cv_lib_dld_dld_link+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldld  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char dld_link ();
-int
-main ()
-{
-dld_link ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_cxx_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_lib_dld_dld_link=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_dld_dld_link=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5
-echo "${ECHO_T}$ac_cv_lib_dld_dld_link" >&6
-if test $ac_cv_lib_dld_dld_link = yes; then
-  lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-dld"
-fi
-
-
-fi
-
-
-fi
-
-
-fi
-
-
-fi
-
-
-fi
-
-    ;;
-  esac
-
-  if test "x$lt_cv_dlopen" != xno; then
-    enable_dlopen=yes
-  else
-    enable_dlopen=no
-  fi
-
-  case $lt_cv_dlopen in
-  dlopen)
-    save_CPPFLAGS="$CPPFLAGS"
-    test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
-
-    save_LDFLAGS="$LDFLAGS"
-    eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
-
-    save_LIBS="$LIBS"
-    LIBS="$lt_cv_dlopen_libs $LIBS"
-
-    echo "$as_me:$LINENO: checking whether a program can dlopen itself" >&5
-echo $ECHO_N "checking whether a program can dlopen itself... $ECHO_C" >&6
-if test "${lt_cv_dlopen_self+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  	  if test "$cross_compiling" = yes; then :
-  lt_cv_dlopen_self=cross
-else
-  lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
-  lt_status=$lt_dlunknown
-  cat > conftest.$ac_ext <<EOF
-#line 13251 "configure"
-#include "confdefs.h"
-
-#if HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
-
-#include <stdio.h>
-
-#ifdef RTLD_GLOBAL
-#  define LT_DLGLOBAL		RTLD_GLOBAL
-#else
-#  ifdef DL_GLOBAL
-#    define LT_DLGLOBAL		DL_GLOBAL
-#  else
-#    define LT_DLGLOBAL		0
-#  endif
-#endif
-
-/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
-   find out it does not work in some platform. */
-#ifndef LT_DLLAZY_OR_NOW
-#  ifdef RTLD_LAZY
-#    define LT_DLLAZY_OR_NOW		RTLD_LAZY
-#  else
-#    ifdef DL_LAZY
-#      define LT_DLLAZY_OR_NOW		DL_LAZY
-#    else
-#      ifdef RTLD_NOW
-#        define LT_DLLAZY_OR_NOW	RTLD_NOW
-#      else
-#        ifdef DL_NOW
-#          define LT_DLLAZY_OR_NOW	DL_NOW
-#        else
-#          define LT_DLLAZY_OR_NOW	0
-#        endif
-#      endif
-#    endif
-#  endif
-#endif
-
-#ifdef __cplusplus
-extern "C" void exit (int);
-#endif
-
-void fnord() { int i=42;}
-int main ()
-{
-  void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
-  int status = $lt_dlunknown;
-
-  if (self)
-    {
-      if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
-      else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
-      /* dlclose (self); */
-    }
-
-    exit (status);
-}
-EOF
-  if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
-    (./conftest; exit; ) 2>/dev/null
-    lt_status=$?
-    case x$lt_status in
-      x$lt_dlno_uscore) lt_cv_dlopen_self=yes ;;
-      x$lt_dlneed_uscore) lt_cv_dlopen_self=yes ;;
-      x$lt_unknown|x*) lt_cv_dlopen_self=no ;;
-    esac
-  else :
-    # compilation failed
-    lt_cv_dlopen_self=no
-  fi
-fi
-rm -fr conftest*
-
-
-fi
-echo "$as_me:$LINENO: result: $lt_cv_dlopen_self" >&5
-echo "${ECHO_T}$lt_cv_dlopen_self" >&6
-
-    if test "x$lt_cv_dlopen_self" = xyes; then
-      LDFLAGS="$LDFLAGS $link_static_flag"
-      echo "$as_me:$LINENO: checking whether a statically linked program can dlopen itself" >&5
-echo $ECHO_N "checking whether a statically linked program can dlopen itself... $ECHO_C" >&6
-if test "${lt_cv_dlopen_self_static+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  	  if test "$cross_compiling" = yes; then :
-  lt_cv_dlopen_self_static=cross
-else
-  lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
-  lt_status=$lt_dlunknown
-  cat > conftest.$ac_ext <<EOF
-#line 13349 "configure"
-#include "confdefs.h"
-
-#if HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
-
-#include <stdio.h>
-
-#ifdef RTLD_GLOBAL
-#  define LT_DLGLOBAL		RTLD_GLOBAL
-#else
-#  ifdef DL_GLOBAL
-#    define LT_DLGLOBAL		DL_GLOBAL
-#  else
-#    define LT_DLGLOBAL		0
-#  endif
-#endif
-
-/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
-   find out it does not work in some platform. */
-#ifndef LT_DLLAZY_OR_NOW
-#  ifdef RTLD_LAZY
-#    define LT_DLLAZY_OR_NOW		RTLD_LAZY
-#  else
-#    ifdef DL_LAZY
-#      define LT_DLLAZY_OR_NOW		DL_LAZY
-#    else
-#      ifdef RTLD_NOW
-#        define LT_DLLAZY_OR_NOW	RTLD_NOW
-#      else
-#        ifdef DL_NOW
-#          define LT_DLLAZY_OR_NOW	DL_NOW
-#        else
-#          define LT_DLLAZY_OR_NOW	0
-#        endif
-#      endif
-#    endif
-#  endif
-#endif
-
-#ifdef __cplusplus
-extern "C" void exit (int);
-#endif
-
-void fnord() { int i=42;}
-int main ()
-{
-  void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
-  int status = $lt_dlunknown;
-
-  if (self)
-    {
-      if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
-      else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
-      /* dlclose (self); */
-    }
-
-    exit (status);
-}
-EOF
-  if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
-    (./conftest; exit; ) 2>/dev/null
-    lt_status=$?
-    case x$lt_status in
-      x$lt_dlno_uscore) lt_cv_dlopen_self_static=yes ;;
-      x$lt_dlneed_uscore) lt_cv_dlopen_self_static=yes ;;
-      x$lt_unknown|x*) lt_cv_dlopen_self_static=no ;;
-    esac
-  else :
-    # compilation failed
-    lt_cv_dlopen_self_static=no
-  fi
-fi
-rm -fr conftest*
-
-
-fi
-echo "$as_me:$LINENO: result: $lt_cv_dlopen_self_static" >&5
-echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6
-    fi
-
-    CPPFLAGS="$save_CPPFLAGS"
-    LDFLAGS="$save_LDFLAGS"
-    LIBS="$save_LIBS"
-    ;;
-  esac
-
-  case $lt_cv_dlopen_self in
-  yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
-  *) enable_dlopen_self=unknown ;;
-  esac
-
-  case $lt_cv_dlopen_self_static in
-  yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
-  *) enable_dlopen_self_static=unknown ;;
-  esac
-fi
-
 
 # The else clause should only fire when bootstrapping the
 # libtool distribution, otherwise you forgot to ship ltmain.sh
@@ -13463,7 +14081,7 @@ if test -f "$ltmain"; then
   # Now quote all the things that may contain metacharacters while being
   # careful not to overquote the AC_SUBSTed values.  We take copies of the
   # variables and quote the copies for generation of the libtool script.
-  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC NM \
+  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
     SED SHELL STRIP \
     libname_spec library_names_spec soname_spec extract_expsyms_cmds \
     old_striplib striplib file_magic_cmd finish_cmds finish_eval \
@@ -13564,6 +14182,12 @@ fast_install=$enable_fast_install
 # The host system.
 host_alias=$host_alias
 host=$host
+host_os=$host_os
+
+# The build system.
+build_alias=$build_alias
+build=$build
+build_os=$build_os
 
 # An echo program that does not interpret backslashes.
 echo=$lt_echo
@@ -13575,6 +14199,9 @@ AR_FLAGS=$lt_AR_FLAGS
 # A C compiler.
 LTCC=$lt_LTCC
 
+# LTCC compiler flags.
+LTCFLAGS=$lt_LTCFLAGS
+
 # A language-specific compiler.
 CC=$lt_compiler_CXX
 
@@ -13625,7 +14252,7 @@ objext="$ac_objext"
 libext="$libext"
 
 # Shared library suffix (normally ".so").
-shrext='$shrext'
+shrext_cmds='$shrext_cmds'
 
 # Executable file suffix (normally "").
 exeext="$exeext"
@@ -13640,7 +14267,7 @@ max_cmd_len=$lt_cv_sys_max_cmd_len
 # Does compiler simultaneously support -c and -o options?
 compiler_c_o=$lt_lt_cv_prog_compiler_c_o_CXX
 
-# Must we lock files when doing compilation ?
+# Must we lock files when doing compilation?
 need_locks=$lt_need_locks
 
 # Do we need the lib prefix for modules?
@@ -13917,29 +14544,55 @@ lt_simple_link_test_code="      program t\n      end\n"
 # If no C compiler was specified, use CC.
 LTCC=${LTCC-"$CC"}
 
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
 # Allow CC to be a program name with arguments.
 compiler=$CC
 
 
+# save warnings/boilerplate of simple test code
+ac_outfile=conftest.$ac_objext
+printf "$lt_simple_compile_test_code" >conftest.$ac_ext
+eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_compiler_boilerplate=`cat conftest.err`
+$rm conftest*
+
+ac_outfile=conftest.$ac_objext
+printf "$lt_simple_link_test_code" >conftest.$ac_ext
+eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_linker_boilerplate=`cat conftest.err`
+$rm conftest*
+
+
 # Allow CC to be a program name with arguments.
 lt_save_CC="$CC"
 CC=${F77-"f77"}
 compiler=$CC
 compiler_F77=$CC
-cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'`
+for cc_temp in $compiler""; do
+  case $cc_temp in
+    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+    \-*) ;;
+    *) break;;
+  esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+
 
-echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
-echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6
-echo "$as_me:$LINENO: result: $can_build_shared" >&5
-echo "${ECHO_T}$can_build_shared" >&6
+{ echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
+echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6; }
+{ echo "$as_me:$LINENO: result: $can_build_shared" >&5
+echo "${ECHO_T}$can_build_shared" >&6; }
 
-echo "$as_me:$LINENO: checking whether to build shared libraries" >&5
-echo $ECHO_N "checking whether to build shared libraries... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether to build shared libraries" >&5
+echo $ECHO_N "checking whether to build shared libraries... $ECHO_C" >&6; }
 test "$can_build_shared" = "no" && enable_shared=no
 
 # On AIX, shared libraries and static libraries use the same namespace, and
 # are all built from PIC.
-case "$host_os" in
+case $host_os in
 aix3*)
   test "$enable_shared" = yes && enable_static=no
   if test -n "$RANLIB"; then
@@ -13947,21 +14600,21 @@ aix3*)
     postinstall_cmds='$RANLIB $lib'
   fi
   ;;
-aix4*)
-  test "$enable_shared" = yes && enable_static=no
+aix4* | aix5*)
+  if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
+    test "$enable_shared" = yes && enable_static=no
+  fi
   ;;
 esac
-echo "$as_me:$LINENO: result: $enable_shared" >&5
-echo "${ECHO_T}$enable_shared" >&6
+{ echo "$as_me:$LINENO: result: $enable_shared" >&5
+echo "${ECHO_T}$enable_shared" >&6; }
 
-echo "$as_me:$LINENO: checking whether to build static libraries" >&5
-echo $ECHO_N "checking whether to build static libraries... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether to build static libraries" >&5
+echo $ECHO_N "checking whether to build static libraries... $ECHO_C" >&6; }
 # Make sure either enable_shared or enable_static is yes.
 test "$enable_shared" = yes || enable_static=yes
-echo "$as_me:$LINENO: result: $enable_static" >&5
-echo "${ECHO_T}$enable_static" >&6
-
-test "$ld_shlibs_F77" = no && can_build_shared=no
+{ echo "$as_me:$LINENO: result: $enable_static" >&5
+echo "${ECHO_T}$enable_static" >&6; }
 
 GCC_F77="$G77"
 LD_F77="$LD"
@@ -13970,8 +14623,8 @@ lt_prog_compiler_wl_F77=
 lt_prog_compiler_pic_F77=
 lt_prog_compiler_static_F77=
 
-echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
-echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
+echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
 
   if test "$GCC" = yes; then
     lt_prog_compiler_wl_F77='-Wl,'
@@ -14009,6 +14662,11 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
       lt_prog_compiler_pic_F77='-fno-common'
       ;;
 
+    interix3*)
+      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+      # Instead, we relocate shared libraries at runtime.
+      ;;
+
     msdosdjgpp*)
       # Just because we use GCC doesn't mean we suddenly get shared libraries
       # on systems that don't support them.
@@ -14025,7 +14683,7 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
     hpux*)
       # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
       # not for PA HP-UX.
-      case "$host_cpu" in
+      case $host_cpu in
       hppa*64*|ia64*)
 	# +Z the default
 	;;
@@ -14051,6 +14709,16 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
 	lt_prog_compiler_static_F77='-bnso -bI:/lib/syscalls.exp'
       fi
       ;;
+      darwin*)
+        # PIC is the default on this platform
+        # Common symbols not allowed in MH_DYLIB files
+       case $cc_basename in
+         xlc*)
+         lt_prog_compiler_pic_F77='-qnocommon'
+         lt_prog_compiler_wl_F77='-Wl,'
+         ;;
+       esac
+       ;;
 
     mingw* | pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
@@ -14062,7 +14730,7 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
       lt_prog_compiler_wl_F77='-Wl,'
       # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
       # not for PA HP-UX.
-      case "$host_cpu" in
+      case $host_cpu in
       hppa*64*|ia64*)
 	# +Z the default
 	;;
@@ -14086,12 +14754,19 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
       ;;
 
     linux*)
-      case $CC in
+      case $cc_basename in
       icc* | ecc*)
 	lt_prog_compiler_wl_F77='-Wl,'
 	lt_prog_compiler_pic_F77='-KPIC'
 	lt_prog_compiler_static_F77='-static'
         ;;
+      pgcc* | pgf77* | pgf90* | pgf95*)
+        # Portland Group compilers (*not* the Pentium gcc compiler,
+	# which looks to be a dead project)
+	lt_prog_compiler_wl_F77='-Wl,'
+	lt_prog_compiler_pic_F77='-fpic'
+	lt_prog_compiler_static_F77='-Bstatic'
+        ;;
       ccc*)
         lt_prog_compiler_wl_F77='-Wl,'
         # All Alpha code is PIC.
@@ -14106,15 +14781,15 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
       lt_prog_compiler_static_F77='-non_shared'
       ;;
 
-    sco3.2v5*)
-      lt_prog_compiler_pic_F77='-Kpic'
-      lt_prog_compiler_static_F77='-dn'
-      ;;
-
     solaris*)
-      lt_prog_compiler_wl_F77='-Wl,'
       lt_prog_compiler_pic_F77='-KPIC'
       lt_prog_compiler_static_F77='-Bstatic'
+      case $cc_basename in
+      f77* | f90* | f95*)
+	lt_prog_compiler_wl_F77='-Qoption ld ';;
+      *)
+	lt_prog_compiler_wl_F77='-Wl,';;
+      esac
       ;;
 
     sunos4*)
@@ -14123,7 +14798,7 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
       lt_prog_compiler_static_F77='-Bstatic'
       ;;
 
-    sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+    sysv4 | sysv4.2uw2* | sysv4.3*)
       lt_prog_compiler_wl_F77='-Wl,'
       lt_prog_compiler_pic_F77='-KPIC'
       lt_prog_compiler_static_F77='-Bstatic'
@@ -14136,6 +14811,17 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
       fi
       ;;
 
+    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+      lt_prog_compiler_wl_F77='-Wl,'
+      lt_prog_compiler_pic_F77='-KPIC'
+      lt_prog_compiler_static_F77='-Bstatic'
+      ;;
+
+    unicos*)
+      lt_prog_compiler_wl_F77='-Wl,'
+      lt_prog_compiler_can_build_shared_F77=no
+      ;;
+
     uts4*)
       lt_prog_compiler_pic_F77='-pic'
       lt_prog_compiler_static_F77='-Bstatic'
@@ -14147,16 +14833,16 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
     esac
   fi
 
-echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_F77" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic_F77" >&6
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_F77" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_F77" >&6; }
 
 #
 # Check to make sure the PIC flag actually works.
 #
 if test -n "$lt_prog_compiler_pic_F77"; then
 
-echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_F77 works" >&5
-echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_F77 works... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_F77 works" >&5
+echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_F77 works... $ECHO_C" >&6; }
 if test "${lt_prog_compiler_pic_works_F77+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -14170,26 +14856,28 @@ else
    # with a dollar sign (not a hyphen), so the echo should work correctly.
    # The option is referenced via a variable to avoid confusing sed.
    lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:14176: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:14862: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:14180: \$? = $ac_status" >&5
+   echo "$as_me:14866: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     if test ! -s conftest.err; then
+     # So say no if there are warnings other than the usual output.
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
        lt_prog_compiler_pic_works_F77=yes
      fi
    fi
    $rm conftest*
 
 fi
-echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works_F77" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic_works_F77" >&6
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works_F77" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_works_F77" >&6; }
 
 if test x"$lt_prog_compiler_pic_works_F77" = xyes; then
     case $lt_prog_compiler_pic_F77 in
@@ -14202,7 +14890,7 @@ else
 fi
 
 fi
-case "$host_os" in
+case $host_os in
   # For platforms which do not support PIC, -DPIC is meaningless:
   *djgpp*)
     lt_prog_compiler_pic_F77=
@@ -14212,8 +14900,50 @@ case "$host_os" in
     ;;
 esac
 
-echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
-echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6
+#
+# Check to make sure the static flag actually works.
+#
+wl=$lt_prog_compiler_wl_F77 eval lt_tmp_static_flag=\"$lt_prog_compiler_static_F77\"
+{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
+echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
+if test "${lt_prog_compiler_static_works_F77+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_prog_compiler_static_works_F77=no
+   save_LDFLAGS="$LDFLAGS"
+   LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
+   printf "$lt_simple_link_test_code" > conftest.$ac_ext
+   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+     # The linker can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     if test -s conftest.err; then
+       # Append any errors to the config.log.
+       cat conftest.err 1>&5
+       $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+       if diff conftest.exp conftest.er2 >/dev/null; then
+         lt_prog_compiler_static_works_F77=yes
+       fi
+     else
+       lt_prog_compiler_static_works_F77=yes
+     fi
+   fi
+   $rm conftest*
+   LDFLAGS="$save_LDFLAGS"
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_static_works_F77" >&5
+echo "${ECHO_T}$lt_prog_compiler_static_works_F77" >&6; }
+
+if test x"$lt_prog_compiler_static_works_F77" = xyes; then
+    :
+else
+    lt_prog_compiler_static_F77=
+fi
+
+
+{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
 if test "${lt_cv_prog_compiler_c_o_F77+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -14230,23 +14960,25 @@ else
    # Note that $ac_compile itself does not contain backslashes and begins
    # with a dollar sign (not a hyphen), so the echo should work correctly.
    lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:14236: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:14966: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:14240: \$? = $ac_status" >&5
+   echo "$as_me:14970: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
-     if test ! -s out/conftest.err; then
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
+     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
        lt_cv_prog_compiler_c_o_F77=yes
      fi
    fi
-   chmod u+w .
+   chmod u+w . 2>&5
    $rm conftest*
    # SGI C++ compiler will create directory out/ii_files/ for
    # template instantiation
@@ -14257,23 +14989,23 @@ else
    $rm conftest*
 
 fi
-echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_F77" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_c_o_F77" >&6
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_F77" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_c_o_F77" >&6; }
 
 
 hard_links="nottested"
 if test "$lt_cv_prog_compiler_c_o_F77" = no && test "$need_locks" != no; then
   # do not overwrite the value of need_locks provided by the user
-  echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
-echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6
+  { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
+echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
   hard_links=yes
   $rm conftest*
   ln conftest.a conftest.b 2>/dev/null && hard_links=no
   touch conftest.a
   ln conftest.a conftest.b 2>&5 || hard_links=no
   ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  echo "$as_me:$LINENO: result: $hard_links" >&5
-echo "${ECHO_T}$hard_links" >&6
+  { echo "$as_me:$LINENO: result: $hard_links" >&5
+echo "${ECHO_T}$hard_links" >&6; }
   if test "$hard_links" = no; then
     { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
 echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
@@ -14283,8 +15015,8 @@ else
   need_locks=no
 fi
 
-echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
 
   runpath_var=
   allow_undefined_flag_F77=
@@ -14322,6 +15054,16 @@ echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared librar
   # rely on this symbol name, it's probably fine to never include it in
   # preloaded symbol tables.
   extract_expsyms_cmds=
+  # Just being paranoid about ensuring that cc_basename is set.
+  for cc_temp in $compiler""; do
+  case $cc_temp in
+    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+    \-*) ;;
+    *) break;;
+  esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
 
   case $host_os in
   cygwin* | mingw* | pw32*)
@@ -14332,6 +15074,10 @@ echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared librar
       with_gnu_ld=no
     fi
     ;;
+  interix*)
+    # we just hope/assume this is gcc and not c89 (= MSVC++)
+    with_gnu_ld=yes
+    ;;
   openbsd*)
     with_gnu_ld=no
     ;;
@@ -14342,6 +15088,27 @@ echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared librar
     # If archive_cmds runs LD, not CC, wlarc should be empty
     wlarc='${wl}'
 
+    # Set some defaults for GNU ld with shared library support. These
+    # are reset later if shared libraries are not supported. Putting them
+    # here allows them to be overridden if necessary.
+    runpath_var=LD_RUN_PATH
+    hardcode_libdir_flag_spec_F77='${wl}--rpath ${wl}$libdir'
+    export_dynamic_flag_spec_F77='${wl}--export-dynamic'
+    # ancient GNU ld didn't support --whole-archive et. al.
+    if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
+	whole_archive_flag_spec_F77="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+      else
+  	whole_archive_flag_spec_F77=
+    fi
+    supports_anon_versioning=no
+    case `$LD -v 2>/dev/null` in
+      *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
+      *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+      *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+      *\ 2.11.*) ;; # other 2.11 versions
+      *) supports_anon_versioning=yes ;;
+    esac
+
     # See if GNU ld supports shared libraries.
     case $host_os in
     aix3* | aix4* | aix5*)
@@ -14392,10 +15159,10 @@ EOF
       allow_undefined_flag_F77=unsupported
       always_export_symbols_F77=no
       enable_shared_with_static_runtimes_F77=yes
-      export_symbols_cmds_F77='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
+      export_symbols_cmds_F77='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
 
       if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-        archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+        archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
 	# If the export-symbols file already is a .def file (1st line
 	# is EXPORTS), use it as is; otherwise, prepend...
 	archive_expsym_cmds_F77='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
@@ -14404,9 +15171,55 @@ EOF
 	  echo EXPORTS > $output_objdir/$soname.def;
 	  cat $export_symbols >> $output_objdir/$soname.def;
 	fi~
-	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000  ${wl}--out-implib,$lib'
+	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
       else
-	ld_shlibs=no
+	ld_shlibs_F77=no
+      fi
+      ;;
+
+    interix3*)
+      hardcode_direct_F77=no
+      hardcode_shlibpath_var_F77=no
+      hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir'
+      export_dynamic_flag_spec_F77='${wl}-E'
+      # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+      # Instead, shared libraries are loaded at an image base (0x10000000 by
+      # default) and relocated if they conflict, which is a slow very memory
+      # consuming and fragmenting process.  To avoid this, we pick a random,
+      # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+      # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
+      archive_cmds_F77='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      archive_expsym_cmds_F77='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      ;;
+
+    linux*)
+      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	tmp_addflag=
+	case $cc_basename,$host_cpu in
+	pgcc*)				# Portland Group C compiler
+	  whole_archive_flag_spec_F77='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_addflag=' $pic_flag'
+	  ;;
+	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
+	  whole_archive_flag_spec_F77='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_addflag=' $pic_flag -Mnomain' ;;
+	ecc*,ia64* | icc*,ia64*)		# Intel C compiler on ia64
+	  tmp_addflag=' -i_dynamic' ;;
+	efc*,ia64* | ifort*,ia64*)	# Intel Fortran compiler on ia64
+	  tmp_addflag=' -i_dynamic -nofor_main' ;;
+	ifc* | ifort*)			# Intel Fortran compiler
+	  tmp_addflag=' -nofor_main' ;;
+	esac
+	archive_cmds_F77='$CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+
+	if test $supports_anon_versioning = yes; then
+	  archive_expsym_cmds_F77='$echo "{ global:" > $output_objdir/$libname.ver~
+  cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+  $echo "local: *; };" >> $output_objdir/$libname.ver~
+	  $CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+	fi
+      else
+	ld_shlibs_F77=no
       fi
       ;;
 
@@ -14420,7 +15233,7 @@ EOF
       fi
       ;;
 
-    solaris* | sysv5*)
+    solaris*)
       if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
 	ld_shlibs_F77=no
 	cat <<EOF 1>&2
@@ -14441,6 +15254,33 @@ EOF
       fi
       ;;
 
+    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
+      case `$LD -v 2>&1` in
+        *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*)
+	ld_shlibs_F77=no
+	cat <<_LT_EOF 1>&2
+
+*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
+*** reliably create shared libraries on SCO systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+_LT_EOF
+	;;
+	*)
+	  if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	    hardcode_libdir_flag_spec_F77='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
+	    archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib'
+	    archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib'
+	  else
+	    ld_shlibs_F77=no
+	  fi
+	;;
+      esac
+      ;;
+
     sunos4*)
       archive_cmds_F77='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
       wlarc=
@@ -14448,31 +15288,6 @@ EOF
       hardcode_shlibpath_var_F77=no
       ;;
 
-  linux*)
-    if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
-        tmp_archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_cmds_F77="$tmp_archive_cmds"
-      supports_anon_versioning=no
-      case `$LD -v 2>/dev/null` in
-        *\ 01.* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
-        *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
-        *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
-        *\ 2.11.*) ;; # other 2.11 versions
-        *) supports_anon_versioning=yes ;;
-      esac
-      if test $supports_anon_versioning = yes; then
-        archive_expsym_cmds_F77='$echo "{ global:" > $output_objdir/$libname.ver~
-cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-$echo "local: *; };" >> $output_objdir/$libname.ver~
-        $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
-      else
-        archive_expsym_cmds_F77="$tmp_archive_cmds"
-      fi
-    else
-      ld_shlibs_F77=no
-    fi
-    ;;
-
     *)
       if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
 	archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
@@ -14483,16 +15298,11 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       ;;
     esac
 
-    if test "$ld_shlibs_F77" = yes; then
-      runpath_var=LD_RUN_PATH
-      hardcode_libdir_flag_spec_F77='${wl}--rpath ${wl}$libdir'
-      export_dynamic_flag_spec_F77='${wl}--export-dynamic'
-      # ancient GNU ld didn't support --whole-archive et. al.
-      if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
- 	whole_archive_flag_spec_F77="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-      else
-  	whole_archive_flag_spec_F77=
-      fi
+    if test "$ld_shlibs_F77" = no; then
+      runpath_var=
+      hardcode_libdir_flag_spec_F77=
+      export_dynamic_flag_spec_F77=
+      whole_archive_flag_spec_F77=
     fi
   else
     # PORTME fill in a description of your system's linker (not GNU ld)
@@ -14504,7 +15314,7 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       # Note: this linker hardcodes the directories in LIBPATH if there
       # are no directories specified by -L.
       hardcode_minus_L_F77=yes
-      if test "$GCC" = yes && test -z "$link_static_flag"; then
+      if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
 	# Neither direct hardcoding nor static linking is supported with a
 	# broken collect2.
 	hardcode_direct_F77=unsupported
@@ -14538,6 +15348,7 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
   	    break
   	  fi
 	  done
+	  ;;
 	esac
 
 	exp_sym_flag='-bexport'
@@ -14556,7 +15367,7 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       link_all_deplibs_F77=yes
 
       if test "$GCC" = yes; then
-	case $host_os in aix4.012|aix4.012.*)
+	case $host_os in aix4.[012]|aix4.[012].*)
 	# We only want to do this on AIX 4.2 and lower, the check
 	# below for broken collect2 doesn't work under 4.3+
 	  collect2name=`${CC} -print-prog-name=collect2`
@@ -14575,8 +15386,12 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
   	  hardcode_libdir_flag_spec_F77='-L$libdir'
   	  hardcode_libdir_separator_F77=
 	  fi
+	  ;;
 	esac
 	shared_flag='-shared'
+	if test "$aix_use_runtimelinking" = yes; then
+	  shared_flag="$shared_flag "'${wl}-G'
+	fi
       else
 	# not using gcc
 	if test "$host_cpu" = ia64; then
@@ -14584,11 +15399,11 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
   	# chokes on -Wl,-G. The following line is correct:
 	  shared_flag='-G'
 	else
-  	if test "$aix_use_runtimelinking" = yes; then
+	  if test "$aix_use_runtimelinking" = yes; then
 	    shared_flag='${wl}-G'
 	  else
 	    shared_flag='${wl}-bM:SRE'
-  	fi
+	  fi
 	fi
       fi
 
@@ -14606,27 +15421,23 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       end
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_f77_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_f77_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
 
 aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
 }'`
@@ -14637,18 +15448,20 @@ else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 
        hardcode_libdir_flag_spec_F77='${wl}-blibpath:$libdir:'"$aix_libpath"
-	archive_expsym_cmds_F77="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+	archive_expsym_cmds_F77="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
        else
 	if test "$host_cpu" = ia64; then
 	  hardcode_libdir_flag_spec_F77='${wl}-R $libdir:/usr/lib:/lib'
 	  allow_undefined_flag_F77="-z nodefs"
-	  archive_expsym_cmds_F77="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"
+	  archive_expsym_cmds_F77="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
 	else
 	 # Determine the default libpath from the value encoded in an empty executable.
 	 cat >conftest.$ac_ext <<_ACEOF
@@ -14657,27 +15470,23 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       end
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_f77_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_f77_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
 
 aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
 }'`
@@ -14688,8 +15497,10 @@ else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 
@@ -14698,13 +15509,11 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	  # -berok will link without error, but may produce a broken library.
 	  no_undefined_flag_F77=' ${wl}-bernotok'
 	  allow_undefined_flag_F77=' ${wl}-berok'
-	  # -bexpall does not export symbols beginning with underscore (_)
-	  always_export_symbols_F77=yes
 	  # Exported symbols can be pulled into shared objects from archives
-	  whole_archive_flag_spec_F77=' '
+	  whole_archive_flag_spec_F77='$convenience'
 	  archive_cmds_need_lc_F77=yes
-	  # This is similar to how AIX traditionally builds it's shared libraries.
-	  archive_expsym_cmds_F77="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+	  # This is similar to how AIX traditionally builds its shared libraries.
+	  archive_expsym_cmds_F77="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
 	fi
       fi
       ;;
@@ -14717,7 +15526,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ld_shlibs_F77=no
       ;;
 
-    bsdi4*)
+    bsdi[45]*)
       export_dynamic_flag_spec_F77=-rdynamic
       ;;
 
@@ -14731,64 +15540,64 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       # Tell ltmain to make .lib files, not .a files.
       libext=lib
       # Tell ltmain to make .dll files, not .so files.
-      shrext=".dll"
+      shrext_cmds=".dll"
       # FIXME: Setting linknames here is a bad hack.
       archive_cmds_F77='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
       # The linker will automatically build a .lib file if we build a DLL.
       old_archive_From_new_cmds_F77='true'
       # FIXME: Should let the user specify the lib program.
       old_archive_cmds_F77='lib /OUT:$oldlib$oldobjs$old_deplibs'
-      fix_srcfile_path='`cygpath -w "$srcfile"`'
+      fix_srcfile_path_F77='`cygpath -w "$srcfile"`'
       enable_shared_with_static_runtimes_F77=yes
       ;;
 
     darwin* | rhapsody*)
-    if test "$GXX" = yes ; then
-      archive_cmds_need_lc_F77=no
-      case "$host_os" in
-      rhapsody* | darwin1.[012])
-	allow_undefined_flag_F77='-undefined suppress'
-	;;
-      *) # Darwin 1.3 on
-      if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-      	allow_undefined_flag_F77='-flat_namespace -undefined suppress'
-      else
-        case ${MACOSX_DEPLOYMENT_TARGET} in
-          10.[012])
-            allow_undefined_flag_F77='-flat_namespace -undefined suppress'
-            ;;
-          10.*)
-            allow_undefined_flag_F77='-undefined dynamic_lookup'
-            ;;
-        esac
-      fi
-	;;
+      case $host_os in
+        rhapsody* | darwin1.[012])
+         allow_undefined_flag_F77='${wl}-undefined ${wl}suppress'
+         ;;
+       *) # Darwin 1.3 on
+         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+           allow_undefined_flag_F77='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+         else
+           case ${MACOSX_DEPLOYMENT_TARGET} in
+             10.[012])
+               allow_undefined_flag_F77='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+               ;;
+             10.*)
+               allow_undefined_flag_F77='${wl}-undefined ${wl}dynamic_lookup'
+               ;;
+           esac
+         fi
+         ;;
       esac
-    	lt_int_apple_cc_single_mod=no
-    	output_verbose_link_cmd='echo'
-    	if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
-    	  lt_int_apple_cc_single_mod=yes
-    	fi
-    	if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
-    	  archive_cmds_F77='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-    	else
-        archive_cmds_F77='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-      fi
-      module_cmds_F77='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-      # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-        if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
-          archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-        else
-          archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-        fi
-          module_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+      archive_cmds_need_lc_F77=no
       hardcode_direct_F77=no
       hardcode_automatic_F77=yes
       hardcode_shlibpath_var_F77=unsupported
-      whole_archive_flag_spec_F77='-all_load $convenience'
+      whole_archive_flag_spec_F77=''
       link_all_deplibs_F77=yes
+    if test "$GCC" = yes ; then
+    	output_verbose_link_cmd='echo'
+        archive_cmds_F77='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+      module_cmds_F77='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+      # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+      archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+      module_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
     else
-      ld_shlibs_F77=no
+      case $cc_basename in
+        xlc*)
+         output_verbose_link_cmd='echo'
+         archive_cmds_F77='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
+         module_cmds_F77='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+         archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          module_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          ;;
+       *)
+         ld_shlibs_F77=no
+          ;;
+      esac
     fi
       ;;
 
@@ -14822,7 +15631,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ;;
 
     # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
-    freebsd* | kfreebsd*-gnu)
+    freebsd* | kfreebsd*-gnu | dragonfly*)
       archive_cmds_F77='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
       hardcode_libdir_flag_spec_F77='-R$libdir'
       hardcode_direct_F77=yes
@@ -14845,47 +15654,62 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       export_dynamic_flag_spec_F77='${wl}-E'
       ;;
 
-    hpux10* | hpux11*)
+    hpux10*)
       if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	case "$host_cpu" in
-	hppa*64*|ia64*)
+	archive_cmds_F77='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds_F77='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+      fi
+      if test "$with_gnu_ld" = no; then
+	hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir'
+	hardcode_libdir_separator_F77=:
+
+	hardcode_direct_F77=yes
+	export_dynamic_flag_spec_F77='${wl}-E'
+
+	# hardcode_minus_L: Not really in the search PATH,
+	# but as the default location of the library.
+	hardcode_minus_L_F77=yes
+      fi
+      ;;
+
+    hpux11*)
+      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+	case $host_cpu in
+	hppa*64*)
 	  archive_cmds_F77='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
+	ia64*)
+	  archive_cmds_F77='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
 	*)
 	  archive_cmds_F77='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	esac
       else
-	case "$host_cpu" in
-	hppa*64*|ia64*)
-	  archive_cmds_F77='$LD -b +h $soname -o $lib $libobjs $deplibs $linker_flags'
+	case $host_cpu in
+	hppa*64*)
+	  archive_cmds_F77='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	ia64*)
+	  archive_cmds_F77='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	*)
-	  archive_cmds_F77='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+	  archive_cmds_F77='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	esac
       fi
       if test "$with_gnu_ld" = no; then
-	case "$host_cpu" in
-	hppa*64*)
-	  hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir'
+	hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir'
+	hardcode_libdir_separator_F77=:
+
+	case $host_cpu in
+	hppa*64*|ia64*)
 	  hardcode_libdir_flag_spec_ld_F77='+b $libdir'
-	  hardcode_libdir_separator_F77=:
 	  hardcode_direct_F77=no
 	  hardcode_shlibpath_var_F77=no
 	  ;;
-	ia64*)
-	  hardcode_libdir_flag_spec_F77='-L$libdir'
-	  hardcode_direct_F77=no
-	  hardcode_shlibpath_var_F77=no
-
-	  # hardcode_minus_L: Not really in the search PATH,
-	  # but as the default location of the library.
-	  hardcode_minus_L_F77=yes
-	  ;;
 	*)
-	  hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir'
-	  hardcode_libdir_separator_F77=:
 	  hardcode_direct_F77=yes
 	  export_dynamic_flag_spec_F77='${wl}-E'
 
@@ -14933,6 +15757,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       hardcode_shlibpath_var_F77=no
       if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
 	archive_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
 	hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir'
 	export_dynamic_flag_spec_F77='${wl}-E'
       else
@@ -14978,7 +15803,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	allow_undefined_flag_F77=' -expect_unresolved \*'
 	archive_cmds_F77='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
 	archive_expsym_cmds_F77='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
-	$LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib~$rm $lib.exp'
+	$LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp'
 
 	# Both c and cxx compiler support -rpath directly
 	hardcode_libdir_flag_spec_F77='-rpath $libdir'
@@ -14986,21 +15811,15 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       hardcode_libdir_separator_F77=:
       ;;
 
-    sco3.2v5*)
-      archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_shlibpath_var_F77=no
-      export_dynamic_flag_spec_F77='${wl}-Bexport'
-      runpath_var=LD_RUN_PATH
-      hardcode_runpath_var=yes
-      ;;
-
     solaris*)
       no_undefined_flag_F77=' -z text'
       if test "$GCC" = yes; then
+	wlarc='${wl}'
 	archive_cmds_F77='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
 	archive_expsym_cmds_F77='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
 	  $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
       else
+	wlarc=''
 	archive_cmds_F77='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
 	archive_expsym_cmds_F77='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
   	$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
@@ -15009,8 +15828,18 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       hardcode_shlibpath_var_F77=no
       case $host_os in
       solaris2.[0-5] | solaris2.[0-5].*) ;;
-      *) # Supported since Solaris 2.6 (maybe 2.5.1?)
-	whole_archive_flag_spec_F77='-z allextract$convenience -z defaultextract' ;;
+      *)
+ 	# The compiler driver will combine linker options so we
+ 	# cannot just pass the convience library names through
+ 	# without $wl, iff we do not link with $LD.
+ 	# Luckily, gcc supports the same syntax we need for Sun Studio.
+ 	# Supported since Solaris 2.6 (maybe 2.5.1?)
+ 	case $wlarc in
+ 	'')
+ 	  whole_archive_flag_spec_F77='-z allextract$convenience -z defaultextract' ;;
+ 	*)
+ 	  whole_archive_flag_spec_F77='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract' ;;
+ 	esac ;;
       esac
       link_all_deplibs_F77=yes
       ;;
@@ -15067,36 +15896,45 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       fi
       ;;
 
-    sysv4.2uw2*)
-      archive_cmds_F77='$LD -G -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_direct_F77=yes
-      hardcode_minus_L_F77=no
+    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7*)
+      no_undefined_flag_F77='${wl}-z,text'
+      archive_cmds_need_lc_F77=no
       hardcode_shlibpath_var_F77=no
-      hardcode_runpath_var=yes
-      runpath_var=LD_RUN_PATH
-      ;;
+      runpath_var='LD_RUN_PATH'
 
-   sysv5OpenUNIX8* | sysv5UnixWare7* |  sysv5uw[78]* | unixware7*)
-      no_undefined_flag_F77='${wl}-z ${wl}text'
       if test "$GCC" = yes; then
-	archive_cmds_F77='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_cmds_F77='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_F77='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
       else
-	archive_cmds_F77='$CC -G ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_cmds_F77='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_F77='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
       fi
-      runpath_var='LD_RUN_PATH'
-      hardcode_shlibpath_var_F77=no
       ;;
 
-    sysv5*)
-      no_undefined_flag_F77=' -z text'
-      # $CC -shared without GNU ld will not create a library from C++
-      # object files and a static libstdc++, better avoid it by now
-      archive_cmds_F77='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      archive_expsym_cmds_F77='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-  		$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
-      hardcode_libdir_flag_spec_F77=
+    sysv5* | sco3.2v5* | sco5v6*)
+      # Note: We can NOT use -z defs as we might desire, because we do not
+      # link with -lc, and that would cause any symbols used from libc to
+      # always be unresolved, which means just about no library would
+      # ever link correctly.  If we're not using GNU ld we use -z text
+      # though, which does catch some bad symbols but isn't as heavy-handed
+      # as -z defs.
+      no_undefined_flag_F77='${wl}-z,text'
+      allow_undefined_flag_F77='${wl}-z,nodefs'
+      archive_cmds_need_lc_F77=no
       hardcode_shlibpath_var_F77=no
+      hardcode_libdir_flag_spec_F77='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
+      hardcode_libdir_separator_F77=':'
+      link_all_deplibs_F77=yes
+      export_dynamic_flag_spec_F77='${wl}-Bexport'
       runpath_var='LD_RUN_PATH'
+
+      if test "$GCC" = yes; then
+	archive_cmds_F77='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_F77='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds_F77='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_F77='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+      fi
       ;;
 
     uts4*)
@@ -15111,15 +15949,10 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
     esac
   fi
 
-echo "$as_me:$LINENO: result: $ld_shlibs_F77" >&5
-echo "${ECHO_T}$ld_shlibs_F77" >&6
+{ echo "$as_me:$LINENO: result: $ld_shlibs_F77" >&5
+echo "${ECHO_T}$ld_shlibs_F77" >&6; }
 test "$ld_shlibs_F77" = no && can_build_shared=no
 
-variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
-if test "$GCC" = yes; then
-  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
-fi
-
 #
 # Do we need to explicitly link libc?
 #
@@ -15137,8 +15970,8 @@ x|xyes)
       # Test whether the compiler implicitly links with -lc since on some
       # systems, -lgcc has to come before -lc. If gcc already passes -lc
       # to ld, don't add -lc before -lgcc.
-      echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
-echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6
+      { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
+echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
       $rm conftest*
       printf "$lt_simple_compile_test_code" > conftest.$ac_ext
 
@@ -15152,6 +15985,7 @@ echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&
         libobjs=conftest.$ac_objext
         deplibs=
         wl=$lt_prog_compiler_wl_F77
+	pic_flag=$lt_prog_compiler_pic_F77
         compiler_flags=-v
         linker_flags=-v
         verstring=
@@ -15174,20 +16008,20 @@ echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&
         cat conftest.err 1>&5
       fi
       $rm conftest*
-      echo "$as_me:$LINENO: result: $archive_cmds_need_lc_F77" >&5
-echo "${ECHO_T}$archive_cmds_need_lc_F77" >&6
+      { echo "$as_me:$LINENO: result: $archive_cmds_need_lc_F77" >&5
+echo "${ECHO_T}$archive_cmds_need_lc_F77" >&6; }
       ;;
     esac
   fi
   ;;
 esac
 
-echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
-echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
+echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
 library_names_spec=
 libname_spec='lib$name'
 soname_spec=
-shrext=".so"
+shrext_cmds=".so"
 postinstall_cmds=
 postuninstall_cmds=
 finish_cmds=
@@ -15284,7 +16118,7 @@ beos*)
   shlibpath_var=LIBRARY_PATH
   ;;
 
-bsdi4*)
+bsdi[45]*)
   version_type=linux
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -15300,7 +16134,7 @@ bsdi4*)
 
 cygwin* | mingw* | pw32*)
   version_type=windows
-  shrext=".dll"
+  shrext_cmds=".dll"
   need_version=no
   need_lib_prefix=no
 
@@ -15312,7 +16146,8 @@ cygwin* | mingw* | pw32*)
       dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
       dldir=$destdir/`dirname \$dlpath`~
       test -d \$dldir || mkdir -p \$dldir~
-      $install_prog $dir/$dlname \$dldir/$dlname'
+      $install_prog $dir/$dlname \$dldir/$dlname~
+      chmod a+x \$dldir/$dlname'
     postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
       dlpath=$dir/\$dldll~
        $rm \$dlpath'
@@ -15342,7 +16177,7 @@ cygwin* | mingw* | pw32*)
       ;;
     pw32*)
       # pw32 DLLs use 'pw' prefix rather than 'lib'
-      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/./-/g'`${versuffix}${shared_ext}'
+      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
       ;;
     esac
     ;;
@@ -15361,11 +16196,11 @@ darwin* | rhapsody*)
   version_type=darwin
   need_lib_prefix=no
   need_version=no
-  library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+  library_names_spec='${libname}${release}${major}$shared_ext ${libname}$shared_ext ${libname}${release}${versuffix}$shared_ext'
   soname_spec='${libname}${release}${major}$shared_ext'
   shlibpath_overrides_runpath=yes
   shlibpath_var=DYLD_LIBRARY_PATH
-  shrext='$(test .$module = .yes && echo .so || echo .dylib)'
+  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
   # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
   if test "$GCC" = yes; then
     sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
@@ -15400,8 +16235,17 @@ kfreebsd*-gnu)
   dynamic_linker='GNU ld.so'
   ;;
 
-freebsd*)
-  objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
+freebsd* | dragonfly*)
+  # DragonFly does not have aout.  When/if they implement a new
+  # versioning mechanism, adjust this.
+  if test -x /usr/bin/objformat; then
+    objformat=`/usr/bin/objformat`
+  else
+    case $host_os in
+    freebsd[123]*) objformat=aout ;;
+    *) objformat=elf ;;
+    esac
+  fi
   version_type=freebsd-$objformat
   case $version_type in
     freebsd-elf*)
@@ -15419,14 +16263,19 @@ freebsd*)
   freebsd2*)
     shlibpath_overrides_runpath=yes
     ;;
-  freebsd3.01* | freebsdelf3.01*)
+  freebsd3.[01]* | freebsdelf3.[01]*)
     shlibpath_overrides_runpath=yes
     hardcode_into_libs=yes
     ;;
-  *) # from 3.2 on
+  freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
+  freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
     shlibpath_overrides_runpath=no
     hardcode_into_libs=yes
     ;;
+  freebsd*) # from 4.6 on
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
   esac
   ;;
 
@@ -15446,9 +16295,9 @@ hpux9* | hpux10* | hpux11*)
   version_type=sunos
   need_lib_prefix=no
   need_version=no
-  case "$host_cpu" in
+  case $host_cpu in
   ia64*)
-    shrext='.so'
+    shrext_cmds='.so'
     hardcode_into_libs=yes
     dynamic_linker="$host_os dld.so"
     shlibpath_var=LD_LIBRARY_PATH
@@ -15463,7 +16312,7 @@ hpux9* | hpux10* | hpux11*)
     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
     ;;
    hppa*64*)
-     shrext='.sl'
+     shrext_cmds='.sl'
      hardcode_into_libs=yes
      dynamic_linker="$host_os dld.sl"
      shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
@@ -15474,7 +16323,7 @@ hpux9* | hpux10* | hpux11*)
      sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
      ;;
    *)
-    shrext='.sl'
+    shrext_cmds='.sl'
     dynamic_linker="$host_os dld.sl"
     shlibpath_var=SHLIB_PATH
     shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
@@ -15486,6 +16335,18 @@ hpux9* | hpux10* | hpux11*)
   postinstall_cmds='chmod 555 $lib'
   ;;
 
+interix3*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  ;;
+
 irix5* | irix6* | nonstopux*)
   case $host_os in
     nonstopux*) version_type=nonstopux ;;
@@ -15545,8 +16406,8 @@ linux*)
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $ld_extra"
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
   fi
 
   # We used to test for /lib/ld.so.1 and disable shared libraries on
@@ -15607,8 +16468,13 @@ nto-qnx*)
 
 openbsd*)
   version_type=sunos
+  sys_lib_dlsearch_path_spec="/usr/lib"
   need_lib_prefix=no
-  need_version=yes
+  # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
+  case $host_os in
+    openbsd3.3 | openbsd3.3.*) need_version=yes ;;
+    *)                         need_version=no  ;;
+  esac
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
   finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
   shlibpath_var=LD_LIBRARY_PATH
@@ -15628,7 +16494,7 @@ openbsd*)
 
 os2*)
   libname_spec='$name'
-  shrext=".dll"
+  shrext_cmds=".dll"
   need_lib_prefix=no
   library_names_spec='$libname${shared_ext} $libname.a'
   dynamic_linker='OS/2 ld.exe'
@@ -15646,13 +16512,6 @@ osf3* | osf4* | osf5*)
   sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
   ;;
 
-sco3.2v5*)
-  version_type=osf
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
-
 solaris*)
   version_type=linux
   need_lib_prefix=no
@@ -15678,7 +16537,7 @@ sunos4*)
   need_version=yes
   ;;
 
-sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+sysv4 | sysv4.3*)
   version_type=linux
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
@@ -15711,6 +16570,29 @@ sysv4*MP*)
   fi
   ;;
 
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+  version_type=freebsd-elf
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  hardcode_into_libs=yes
+  if test "$with_gnu_ld" = yes; then
+    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
+    shlibpath_overrides_runpath=no
+  else
+    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
+    shlibpath_overrides_runpath=yes
+    case $host_os in
+      sco3.2v5*)
+        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
+	;;
+    esac
+  fi
+  sys_lib_dlsearch_path_spec='/usr/lib'
+  ;;
+
 uts4*)
   version_type=linux
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -15722,16 +16604,21 @@ uts4*)
   dynamic_linker=no
   ;;
 esac
-echo "$as_me:$LINENO: result: $dynamic_linker" >&5
-echo "${ECHO_T}$dynamic_linker" >&6
+{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
+echo "${ECHO_T}$dynamic_linker" >&6; }
 test "$dynamic_linker" = no && can_build_shared=no
 
-echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
-echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+
+{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
+echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
 hardcode_action_F77=
 if test -n "$hardcode_libdir_flag_spec_F77" || \
-   test -n "$runpath_var F77" || \
-   test "X$hardcode_automatic_F77"="Xyes" ; then
+   test -n "$runpath_var_F77" || \
+   test "X$hardcode_automatic_F77" = "Xyes" ; then
 
   # We can hardcode non-existant directories.
   if test "$hardcode_direct_F77" != no &&
@@ -15751,8 +16638,8 @@ else
   # directories.
   hardcode_action_F77=unsupported
 fi
-echo "$as_me:$LINENO: result: $hardcode_action_F77" >&5
-echo "${ECHO_T}$hardcode_action_F77" >&6
+{ echo "$as_me:$LINENO: result: $hardcode_action_F77" >&5
+echo "${ECHO_T}$hardcode_action_F77" >&6; }
 
 if test "$hardcode_action_F77" = relink; then
   # Fast installation is not supported
@@ -15763,36 +16650,6 @@ elif test "$shlibpath_overrides_runpath" = yes ||
   enable_fast_install=needless
 fi
 
-striplib=
-old_striplib=
-echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5
-echo $ECHO_N "checking whether stripping libraries is possible... $ECHO_C" >&6
-if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
-  test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
-  test -z "$striplib" && striplib="$STRIP --strip-unneeded"
-  echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-else
-# FIXME - insert some real tests, host_os isn't really good enough
-  case $host_os in
-   darwin*)
-       if test -n "$STRIP" ; then
-         striplib="$STRIP -x"
-         echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-       else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-       ;;
-   *)
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-    ;;
-  esac
-fi
-
-
 
 # The else clause should only fire when bootstrapping the
 # libtool distribution, otherwise you forgot to ship ltmain.sh
@@ -15807,7 +16664,7 @@ if test -f "$ltmain"; then
   # Now quote all the things that may contain metacharacters while being
   # careful not to overquote the AC_SUBSTed values.  We take copies of the
   # variables and quote the copies for generation of the libtool script.
-  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC NM \
+  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
     SED SHELL STRIP \
     libname_spec library_names_spec soname_spec extract_expsyms_cmds \
     old_striplib striplib file_magic_cmd finish_cmds finish_eval \
@@ -15908,6 +16765,12 @@ fast_install=$enable_fast_install
 # The host system.
 host_alias=$host_alias
 host=$host
+host_os=$host_os
+
+# The build system.
+build_alias=$build_alias
+build=$build
+build_os=$build_os
 
 # An echo program that does not interpret backslashes.
 echo=$lt_echo
@@ -15919,6 +16782,9 @@ AR_FLAGS=$lt_AR_FLAGS
 # A C compiler.
 LTCC=$lt_LTCC
 
+# LTCC compiler flags.
+LTCFLAGS=$lt_LTCFLAGS
+
 # A language-specific compiler.
 CC=$lt_compiler_F77
 
@@ -15969,7 +16835,7 @@ objext="$ac_objext"
 libext="$libext"
 
 # Shared library suffix (normally ".so").
-shrext='$shrext'
+shrext_cmds='$shrext_cmds'
 
 # Executable file suffix (normally "").
 exeext="$exeext"
@@ -15984,7 +16850,7 @@ max_cmd_len=$lt_cv_sys_max_cmd_len
 # Does compiler simultaneously support -c and -o options?
 compiler_c_o=$lt_lt_cv_prog_compiler_c_o_F77
 
-# Must we lock files when doing compilation ?
+# Must we lock files when doing compilation?
 need_locks=$lt_need_locks
 
 # Do we need the lib prefix for modules?
@@ -16210,7 +17076,6 @@ CC="$lt_save_CC"
 	if test -n "$GCJ" && test "X$GCJ" != "Xno"; then
 
 
-
 # Source file extension for Java test sources.
 ac_ext=java
 
@@ -16222,26 +17087,55 @@ objext_GCJ=$objext
 lt_simple_compile_test_code="class foo {}\n"
 
 # Code to be used in simple link tests
-lt_simple_link_test_code='public class conftest { public static void main(String argv) {}; }\n'
+lt_simple_link_test_code='public class conftest { public static void main(String[] argv) {}; }\n'
 
 # ltmain only uses $CC for tagged configurations so make sure $CC is set.
 
 # If no C compiler was specified, use CC.
 LTCC=${LTCC-"$CC"}
 
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
 # Allow CC to be a program name with arguments.
 compiler=$CC
 
 
+# save warnings/boilerplate of simple test code
+ac_outfile=conftest.$ac_objext
+printf "$lt_simple_compile_test_code" >conftest.$ac_ext
+eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_compiler_boilerplate=`cat conftest.err`
+$rm conftest*
+
+ac_outfile=conftest.$ac_objext
+printf "$lt_simple_link_test_code" >conftest.$ac_ext
+eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_linker_boilerplate=`cat conftest.err`
+$rm conftest*
+
+
 # Allow CC to be a program name with arguments.
 lt_save_CC="$CC"
 CC=${GCJ-"gcj"}
 compiler=$CC
 compiler_GCJ=$CC
+for cc_temp in $compiler""; do
+  case $cc_temp in
+    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+    \-*) ;;
+    *) break;;
+  esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+
 
 # GCJ did not exist at the time GCC didn't implicitly link libc in.
 archive_cmds_need_lc_GCJ=no
 
+old_archive_cmds_GCJ=$old_archive_cmds
+
 
 lt_prog_compiler_no_builtin_flag_GCJ=
 
@@ -16249,8 +17143,8 @@ if test "$GCC" = yes; then
   lt_prog_compiler_no_builtin_flag_GCJ=' -fno-builtin'
 
 
-echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
-echo $ECHO_N "checking if $compiler supports -fno-rtti -fno-exceptions... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
+echo $ECHO_N "checking if $compiler supports -fno-rtti -fno-exceptions... $ECHO_C" >&6; }
 if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -16264,26 +17158,28 @@ else
    # with a dollar sign (not a hyphen), so the echo should work correctly.
    # The option is referenced via a variable to avoid confusing sed.
    lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16270: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:17164: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:16274: \$? = $ac_status" >&5
+   echo "$as_me:17168: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     if test ! -s conftest.err; then
+     # So say no if there are warnings other than the usual output.
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
        lt_cv_prog_compiler_rtti_exceptions=yes
      fi
    fi
    $rm conftest*
 
 fi
-echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_rtti_exceptions" >&6
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_rtti_exceptions" >&6; }
 
 if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then
     lt_prog_compiler_no_builtin_flag_GCJ="$lt_prog_compiler_no_builtin_flag_GCJ -fno-rtti -fno-exceptions"
@@ -16297,8 +17193,8 @@ lt_prog_compiler_wl_GCJ=
 lt_prog_compiler_pic_GCJ=
 lt_prog_compiler_static_GCJ=
 
-echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
-echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
+echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
 
   if test "$GCC" = yes; then
     lt_prog_compiler_wl_GCJ='-Wl,'
@@ -16336,6 +17232,11 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
       lt_prog_compiler_pic_GCJ='-fno-common'
       ;;
 
+    interix3*)
+      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+      # Instead, we relocate shared libraries at runtime.
+      ;;
+
     msdosdjgpp*)
       # Just because we use GCC doesn't mean we suddenly get shared libraries
       # on systems that don't support them.
@@ -16352,7 +17253,7 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
     hpux*)
       # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
       # not for PA HP-UX.
-      case "$host_cpu" in
+      case $host_cpu in
       hppa*64*|ia64*)
 	# +Z the default
 	;;
@@ -16378,6 +17279,16 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
 	lt_prog_compiler_static_GCJ='-bnso -bI:/lib/syscalls.exp'
       fi
       ;;
+      darwin*)
+        # PIC is the default on this platform
+        # Common symbols not allowed in MH_DYLIB files
+       case $cc_basename in
+         xlc*)
+         lt_prog_compiler_pic_GCJ='-qnocommon'
+         lt_prog_compiler_wl_GCJ='-Wl,'
+         ;;
+       esac
+       ;;
 
     mingw* | pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
@@ -16389,7 +17300,7 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
       lt_prog_compiler_wl_GCJ='-Wl,'
       # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
       # not for PA HP-UX.
-      case "$host_cpu" in
+      case $host_cpu in
       hppa*64*|ia64*)
 	# +Z the default
 	;;
@@ -16413,12 +17324,19 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
       ;;
 
     linux*)
-      case $CC in
+      case $cc_basename in
       icc* | ecc*)
 	lt_prog_compiler_wl_GCJ='-Wl,'
 	lt_prog_compiler_pic_GCJ='-KPIC'
 	lt_prog_compiler_static_GCJ='-static'
         ;;
+      pgcc* | pgf77* | pgf90* | pgf95*)
+        # Portland Group compilers (*not* the Pentium gcc compiler,
+	# which looks to be a dead project)
+	lt_prog_compiler_wl_GCJ='-Wl,'
+	lt_prog_compiler_pic_GCJ='-fpic'
+	lt_prog_compiler_static_GCJ='-Bstatic'
+        ;;
       ccc*)
         lt_prog_compiler_wl_GCJ='-Wl,'
         # All Alpha code is PIC.
@@ -16433,15 +17351,15 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
       lt_prog_compiler_static_GCJ='-non_shared'
       ;;
 
-    sco3.2v5*)
-      lt_prog_compiler_pic_GCJ='-Kpic'
-      lt_prog_compiler_static_GCJ='-dn'
-      ;;
-
     solaris*)
-      lt_prog_compiler_wl_GCJ='-Wl,'
       lt_prog_compiler_pic_GCJ='-KPIC'
       lt_prog_compiler_static_GCJ='-Bstatic'
+      case $cc_basename in
+      f77* | f90* | f95*)
+	lt_prog_compiler_wl_GCJ='-Qoption ld ';;
+      *)
+	lt_prog_compiler_wl_GCJ='-Wl,';;
+      esac
       ;;
 
     sunos4*)
@@ -16450,7 +17368,7 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
       lt_prog_compiler_static_GCJ='-Bstatic'
       ;;
 
-    sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+    sysv4 | sysv4.2uw2* | sysv4.3*)
       lt_prog_compiler_wl_GCJ='-Wl,'
       lt_prog_compiler_pic_GCJ='-KPIC'
       lt_prog_compiler_static_GCJ='-Bstatic'
@@ -16463,6 +17381,17 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
       fi
       ;;
 
+    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+      lt_prog_compiler_wl_GCJ='-Wl,'
+      lt_prog_compiler_pic_GCJ='-KPIC'
+      lt_prog_compiler_static_GCJ='-Bstatic'
+      ;;
+
+    unicos*)
+      lt_prog_compiler_wl_GCJ='-Wl,'
+      lt_prog_compiler_can_build_shared_GCJ=no
+      ;;
+
     uts4*)
       lt_prog_compiler_pic_GCJ='-pic'
       lt_prog_compiler_static_GCJ='-Bstatic'
@@ -16474,16 +17403,16 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
     esac
   fi
 
-echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_GCJ" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic_GCJ" >&6
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_GCJ" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_GCJ" >&6; }
 
 #
 # Check to make sure the PIC flag actually works.
 #
 if test -n "$lt_prog_compiler_pic_GCJ"; then
 
-echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_GCJ works" >&5
-echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_GCJ works... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_GCJ works" >&5
+echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_GCJ works... $ECHO_C" >&6; }
 if test "${lt_prog_compiler_pic_works_GCJ+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -16497,26 +17426,28 @@ else
    # with a dollar sign (not a hyphen), so the echo should work correctly.
    # The option is referenced via a variable to avoid confusing sed.
    lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16503: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:17432: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:16507: \$? = $ac_status" >&5
+   echo "$as_me:17436: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     if test ! -s conftest.err; then
+     # So say no if there are warnings other than the usual output.
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
        lt_prog_compiler_pic_works_GCJ=yes
      fi
    fi
    $rm conftest*
 
 fi
-echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works_GCJ" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic_works_GCJ" >&6
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works_GCJ" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_works_GCJ" >&6; }
 
 if test x"$lt_prog_compiler_pic_works_GCJ" = xyes; then
     case $lt_prog_compiler_pic_GCJ in
@@ -16529,7 +17460,7 @@ else
 fi
 
 fi
-case "$host_os" in
+case $host_os in
   # For platforms which do not support PIC, -DPIC is meaningless:
   *djgpp*)
     lt_prog_compiler_pic_GCJ=
@@ -16539,8 +17470,50 @@ case "$host_os" in
     ;;
 esac
 
-echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
-echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6
+#
+# Check to make sure the static flag actually works.
+#
+wl=$lt_prog_compiler_wl_GCJ eval lt_tmp_static_flag=\"$lt_prog_compiler_static_GCJ\"
+{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
+echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
+if test "${lt_prog_compiler_static_works_GCJ+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_prog_compiler_static_works_GCJ=no
+   save_LDFLAGS="$LDFLAGS"
+   LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
+   printf "$lt_simple_link_test_code" > conftest.$ac_ext
+   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+     # The linker can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     if test -s conftest.err; then
+       # Append any errors to the config.log.
+       cat conftest.err 1>&5
+       $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+       if diff conftest.exp conftest.er2 >/dev/null; then
+         lt_prog_compiler_static_works_GCJ=yes
+       fi
+     else
+       lt_prog_compiler_static_works_GCJ=yes
+     fi
+   fi
+   $rm conftest*
+   LDFLAGS="$save_LDFLAGS"
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_static_works_GCJ" >&5
+echo "${ECHO_T}$lt_prog_compiler_static_works_GCJ" >&6; }
+
+if test x"$lt_prog_compiler_static_works_GCJ" = xyes; then
+    :
+else
+    lt_prog_compiler_static_GCJ=
+fi
+
+
+{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
 if test "${lt_cv_prog_compiler_c_o_GCJ+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -16557,23 +17530,25 @@ else
    # Note that $ac_compile itself does not contain backslashes and begins
    # with a dollar sign (not a hyphen), so the echo should work correctly.
    lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16563: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:17536: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:16567: \$? = $ac_status" >&5
+   echo "$as_me:17540: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
-     if test ! -s out/conftest.err; then
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
+     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
        lt_cv_prog_compiler_c_o_GCJ=yes
      fi
    fi
-   chmod u+w .
+   chmod u+w . 2>&5
    $rm conftest*
    # SGI C++ compiler will create directory out/ii_files/ for
    # template instantiation
@@ -16584,23 +17559,23 @@ else
    $rm conftest*
 
 fi
-echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_GCJ" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_c_o_GCJ" >&6
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_GCJ" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_c_o_GCJ" >&6; }
 
 
 hard_links="nottested"
 if test "$lt_cv_prog_compiler_c_o_GCJ" = no && test "$need_locks" != no; then
   # do not overwrite the value of need_locks provided by the user
-  echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
-echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6
+  { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
+echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
   hard_links=yes
   $rm conftest*
   ln conftest.a conftest.b 2>/dev/null && hard_links=no
   touch conftest.a
   ln conftest.a conftest.b 2>&5 || hard_links=no
   ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  echo "$as_me:$LINENO: result: $hard_links" >&5
-echo "${ECHO_T}$hard_links" >&6
+  { echo "$as_me:$LINENO: result: $hard_links" >&5
+echo "${ECHO_T}$hard_links" >&6; }
   if test "$hard_links" = no; then
     { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
 echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
@@ -16610,8 +17585,8 @@ else
   need_locks=no
 fi
 
-echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
 
   runpath_var=
   allow_undefined_flag_GCJ=
@@ -16649,6 +17624,16 @@ echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared librar
   # rely on this symbol name, it's probably fine to never include it in
   # preloaded symbol tables.
   extract_expsyms_cmds=
+  # Just being paranoid about ensuring that cc_basename is set.
+  for cc_temp in $compiler""; do
+  case $cc_temp in
+    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+    \-*) ;;
+    *) break;;
+  esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
 
   case $host_os in
   cygwin* | mingw* | pw32*)
@@ -16659,6 +17644,10 @@ echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared librar
       with_gnu_ld=no
     fi
     ;;
+  interix*)
+    # we just hope/assume this is gcc and not c89 (= MSVC++)
+    with_gnu_ld=yes
+    ;;
   openbsd*)
     with_gnu_ld=no
     ;;
@@ -16669,6 +17658,27 @@ echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared librar
     # If archive_cmds runs LD, not CC, wlarc should be empty
     wlarc='${wl}'
 
+    # Set some defaults for GNU ld with shared library support. These
+    # are reset later if shared libraries are not supported. Putting them
+    # here allows them to be overridden if necessary.
+    runpath_var=LD_RUN_PATH
+    hardcode_libdir_flag_spec_GCJ='${wl}--rpath ${wl}$libdir'
+    export_dynamic_flag_spec_GCJ='${wl}--export-dynamic'
+    # ancient GNU ld didn't support --whole-archive et. al.
+    if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
+	whole_archive_flag_spec_GCJ="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+      else
+  	whole_archive_flag_spec_GCJ=
+    fi
+    supports_anon_versioning=no
+    case `$LD -v 2>/dev/null` in
+      *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
+      *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+      *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+      *\ 2.11.*) ;; # other 2.11 versions
+      *) supports_anon_versioning=yes ;;
+    esac
+
     # See if GNU ld supports shared libraries.
     case $host_os in
     aix3* | aix4* | aix5*)
@@ -16719,10 +17729,10 @@ EOF
       allow_undefined_flag_GCJ=unsupported
       always_export_symbols_GCJ=no
       enable_shared_with_static_runtimes_GCJ=yes
-      export_symbols_cmds_GCJ='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
+      export_symbols_cmds_GCJ='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
 
       if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-        archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+        archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
 	# If the export-symbols file already is a .def file (1st line
 	# is EXPORTS), use it as is; otherwise, prepend...
 	archive_expsym_cmds_GCJ='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
@@ -16731,9 +17741,55 @@ EOF
 	  echo EXPORTS > $output_objdir/$soname.def;
 	  cat $export_symbols >> $output_objdir/$soname.def;
 	fi~
-	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000  ${wl}--out-implib,$lib'
+	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
       else
-	ld_shlibs=no
+	ld_shlibs_GCJ=no
+      fi
+      ;;
+
+    interix3*)
+      hardcode_direct_GCJ=no
+      hardcode_shlibpath_var_GCJ=no
+      hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir'
+      export_dynamic_flag_spec_GCJ='${wl}-E'
+      # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+      # Instead, shared libraries are loaded at an image base (0x10000000 by
+      # default) and relocated if they conflict, which is a slow very memory
+      # consuming and fragmenting process.  To avoid this, we pick a random,
+      # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+      # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
+      archive_cmds_GCJ='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      archive_expsym_cmds_GCJ='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      ;;
+
+    linux*)
+      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	tmp_addflag=
+	case $cc_basename,$host_cpu in
+	pgcc*)				# Portland Group C compiler
+	  whole_archive_flag_spec_GCJ='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_addflag=' $pic_flag'
+	  ;;
+	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
+	  whole_archive_flag_spec_GCJ='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_addflag=' $pic_flag -Mnomain' ;;
+	ecc*,ia64* | icc*,ia64*)		# Intel C compiler on ia64
+	  tmp_addflag=' -i_dynamic' ;;
+	efc*,ia64* | ifort*,ia64*)	# Intel Fortran compiler on ia64
+	  tmp_addflag=' -i_dynamic -nofor_main' ;;
+	ifc* | ifort*)			# Intel Fortran compiler
+	  tmp_addflag=' -nofor_main' ;;
+	esac
+	archive_cmds_GCJ='$CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+
+	if test $supports_anon_versioning = yes; then
+	  archive_expsym_cmds_GCJ='$echo "{ global:" > $output_objdir/$libname.ver~
+  cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+  $echo "local: *; };" >> $output_objdir/$libname.ver~
+	  $CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+	fi
+      else
+	ld_shlibs_GCJ=no
       fi
       ;;
 
@@ -16747,7 +17803,7 @@ EOF
       fi
       ;;
 
-    solaris* | sysv5*)
+    solaris*)
       if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
 	ld_shlibs_GCJ=no
 	cat <<EOF 1>&2
@@ -16768,6 +17824,33 @@ EOF
       fi
       ;;
 
+    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
+      case `$LD -v 2>&1` in
+        *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*)
+	ld_shlibs_GCJ=no
+	cat <<_LT_EOF 1>&2
+
+*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
+*** reliably create shared libraries on SCO systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+_LT_EOF
+	;;
+	*)
+	  if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	    hardcode_libdir_flag_spec_GCJ='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
+	    archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib'
+	    archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib'
+	  else
+	    ld_shlibs_GCJ=no
+	  fi
+	;;
+      esac
+      ;;
+
     sunos4*)
       archive_cmds_GCJ='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
       wlarc=
@@ -16775,31 +17858,6 @@ EOF
       hardcode_shlibpath_var_GCJ=no
       ;;
 
-  linux*)
-    if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
-        tmp_archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_cmds_GCJ="$tmp_archive_cmds"
-      supports_anon_versioning=no
-      case `$LD -v 2>/dev/null` in
-        *\ 01.* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
-        *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
-        *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
-        *\ 2.11.*) ;; # other 2.11 versions
-        *) supports_anon_versioning=yes ;;
-      esac
-      if test $supports_anon_versioning = yes; then
-        archive_expsym_cmds_GCJ='$echo "{ global:" > $output_objdir/$libname.ver~
-cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-$echo "local: *; };" >> $output_objdir/$libname.ver~
-        $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
-      else
-        archive_expsym_cmds_GCJ="$tmp_archive_cmds"
-      fi
-    else
-      ld_shlibs_GCJ=no
-    fi
-    ;;
-
     *)
       if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
 	archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
@@ -16810,16 +17868,11 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       ;;
     esac
 
-    if test "$ld_shlibs_GCJ" = yes; then
-      runpath_var=LD_RUN_PATH
-      hardcode_libdir_flag_spec_GCJ='${wl}--rpath ${wl}$libdir'
-      export_dynamic_flag_spec_GCJ='${wl}--export-dynamic'
-      # ancient GNU ld didn't support --whole-archive et. al.
-      if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
- 	whole_archive_flag_spec_GCJ="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-      else
-  	whole_archive_flag_spec_GCJ=
-      fi
+    if test "$ld_shlibs_GCJ" = no; then
+      runpath_var=
+      hardcode_libdir_flag_spec_GCJ=
+      export_dynamic_flag_spec_GCJ=
+      whole_archive_flag_spec_GCJ=
     fi
   else
     # PORTME fill in a description of your system's linker (not GNU ld)
@@ -16831,7 +17884,7 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       # Note: this linker hardcodes the directories in LIBPATH if there
       # are no directories specified by -L.
       hardcode_minus_L_GCJ=yes
-      if test "$GCC" = yes && test -z "$link_static_flag"; then
+      if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
 	# Neither direct hardcoding nor static linking is supported with a
 	# broken collect2.
 	hardcode_direct_GCJ=unsupported
@@ -16865,6 +17918,7 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
   	    break
   	  fi
 	  done
+	  ;;
 	esac
 
 	exp_sym_flag='-bexport'
@@ -16883,7 +17937,7 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       link_all_deplibs_GCJ=yes
 
       if test "$GCC" = yes; then
-	case $host_os in aix4.012|aix4.012.*)
+	case $host_os in aix4.[012]|aix4.[012].*)
 	# We only want to do this on AIX 4.2 and lower, the check
 	# below for broken collect2 doesn't work under 4.3+
 	  collect2name=`${CC} -print-prog-name=collect2`
@@ -16902,8 +17956,12 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
   	  hardcode_libdir_flag_spec_GCJ='-L$libdir'
   	  hardcode_libdir_separator_GCJ=
 	  fi
+	  ;;
 	esac
 	shared_flag='-shared'
+	if test "$aix_use_runtimelinking" = yes; then
+	  shared_flag="$shared_flag "'${wl}-G'
+	fi
       else
 	# not using gcc
 	if test "$host_cpu" = ia64; then
@@ -16911,11 +17969,11 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
   	# chokes on -Wl,-G. The following line is correct:
 	  shared_flag='-G'
 	else
-  	if test "$aix_use_runtimelinking" = yes; then
+	  if test "$aix_use_runtimelinking" = yes; then
 	    shared_flag='${wl}-G'
 	  else
 	    shared_flag='${wl}-bM:SRE'
-  	fi
+	  fi
 	fi
       fi
 
@@ -16943,27 +18001,23 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
 
 aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
 }'`
@@ -16974,18 +18028,20 @@ else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 
        hardcode_libdir_flag_spec_GCJ='${wl}-blibpath:$libdir:'"$aix_libpath"
-	archive_expsym_cmds_GCJ="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+	archive_expsym_cmds_GCJ="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
        else
 	if test "$host_cpu" = ia64; then
 	  hardcode_libdir_flag_spec_GCJ='${wl}-R $libdir:/usr/lib:/lib'
 	  allow_undefined_flag_GCJ="-z nodefs"
-	  archive_expsym_cmds_GCJ="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"
+	  archive_expsym_cmds_GCJ="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
 	else
 	 # Determine the default libpath from the value encoded in an empty executable.
 	 cat >conftest.$ac_ext <<_ACEOF
@@ -17004,27 +18060,23 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
 
 aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
 }'`
@@ -17035,8 +18087,10 @@ else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 
@@ -17045,13 +18099,11 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	  # -berok will link without error, but may produce a broken library.
 	  no_undefined_flag_GCJ=' ${wl}-bernotok'
 	  allow_undefined_flag_GCJ=' ${wl}-berok'
-	  # -bexpall does not export symbols beginning with underscore (_)
-	  always_export_symbols_GCJ=yes
 	  # Exported symbols can be pulled into shared objects from archives
-	  whole_archive_flag_spec_GCJ=' '
+	  whole_archive_flag_spec_GCJ='$convenience'
 	  archive_cmds_need_lc_GCJ=yes
-	  # This is similar to how AIX traditionally builds it's shared libraries.
-	  archive_expsym_cmds_GCJ="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+	  # This is similar to how AIX traditionally builds its shared libraries.
+	  archive_expsym_cmds_GCJ="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
 	fi
       fi
       ;;
@@ -17064,7 +18116,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ld_shlibs_GCJ=no
       ;;
 
-    bsdi4*)
+    bsdi[45]*)
       export_dynamic_flag_spec_GCJ=-rdynamic
       ;;
 
@@ -17078,64 +18130,64 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       # Tell ltmain to make .lib files, not .a files.
       libext=lib
       # Tell ltmain to make .dll files, not .so files.
-      shrext=".dll"
+      shrext_cmds=".dll"
       # FIXME: Setting linknames here is a bad hack.
       archive_cmds_GCJ='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
       # The linker will automatically build a .lib file if we build a DLL.
       old_archive_From_new_cmds_GCJ='true'
       # FIXME: Should let the user specify the lib program.
       old_archive_cmds_GCJ='lib /OUT:$oldlib$oldobjs$old_deplibs'
-      fix_srcfile_path='`cygpath -w "$srcfile"`'
+      fix_srcfile_path_GCJ='`cygpath -w "$srcfile"`'
       enable_shared_with_static_runtimes_GCJ=yes
       ;;
 
     darwin* | rhapsody*)
-    if test "$GXX" = yes ; then
-      archive_cmds_need_lc_GCJ=no
-      case "$host_os" in
-      rhapsody* | darwin1.[012])
-	allow_undefined_flag_GCJ='-undefined suppress'
-	;;
-      *) # Darwin 1.3 on
-      if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-      	allow_undefined_flag_GCJ='-flat_namespace -undefined suppress'
-      else
-        case ${MACOSX_DEPLOYMENT_TARGET} in
-          10.[012])
-            allow_undefined_flag_GCJ='-flat_namespace -undefined suppress'
-            ;;
-          10.*)
-            allow_undefined_flag_GCJ='-undefined dynamic_lookup'
-            ;;
-        esac
-      fi
-	;;
+      case $host_os in
+        rhapsody* | darwin1.[012])
+         allow_undefined_flag_GCJ='${wl}-undefined ${wl}suppress'
+         ;;
+       *) # Darwin 1.3 on
+         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+           allow_undefined_flag_GCJ='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+         else
+           case ${MACOSX_DEPLOYMENT_TARGET} in
+             10.[012])
+               allow_undefined_flag_GCJ='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+               ;;
+             10.*)
+               allow_undefined_flag_GCJ='${wl}-undefined ${wl}dynamic_lookup'
+               ;;
+           esac
+         fi
+         ;;
       esac
-    	lt_int_apple_cc_single_mod=no
-    	output_verbose_link_cmd='echo'
-    	if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
-    	  lt_int_apple_cc_single_mod=yes
-    	fi
-    	if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
-    	  archive_cmds_GCJ='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-    	else
-        archive_cmds_GCJ='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-      fi
-      module_cmds_GCJ='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-      # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-        if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
-          archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-        else
-          archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-        fi
-          module_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+      archive_cmds_need_lc_GCJ=no
       hardcode_direct_GCJ=no
       hardcode_automatic_GCJ=yes
       hardcode_shlibpath_var_GCJ=unsupported
-      whole_archive_flag_spec_GCJ='-all_load $convenience'
+      whole_archive_flag_spec_GCJ=''
       link_all_deplibs_GCJ=yes
+    if test "$GCC" = yes ; then
+    	output_verbose_link_cmd='echo'
+        archive_cmds_GCJ='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+      module_cmds_GCJ='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+      # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+      archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+      module_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
     else
-      ld_shlibs_GCJ=no
+      case $cc_basename in
+        xlc*)
+         output_verbose_link_cmd='echo'
+         archive_cmds_GCJ='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
+         module_cmds_GCJ='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+         archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          module_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          ;;
+       *)
+         ld_shlibs_GCJ=no
+          ;;
+      esac
     fi
       ;;
 
@@ -17169,7 +18221,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ;;
 
     # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
-    freebsd* | kfreebsd*-gnu)
+    freebsd* | kfreebsd*-gnu | dragonfly*)
       archive_cmds_GCJ='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
       hardcode_libdir_flag_spec_GCJ='-R$libdir'
       hardcode_direct_GCJ=yes
@@ -17192,47 +18244,62 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       export_dynamic_flag_spec_GCJ='${wl}-E'
       ;;
 
-    hpux10* | hpux11*)
+    hpux10*)
       if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	case "$host_cpu" in
-	hppa*64*|ia64*)
+	archive_cmds_GCJ='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds_GCJ='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+      fi
+      if test "$with_gnu_ld" = no; then
+	hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir'
+	hardcode_libdir_separator_GCJ=:
+
+	hardcode_direct_GCJ=yes
+	export_dynamic_flag_spec_GCJ='${wl}-E'
+
+	# hardcode_minus_L: Not really in the search PATH,
+	# but as the default location of the library.
+	hardcode_minus_L_GCJ=yes
+      fi
+      ;;
+
+    hpux11*)
+      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+	case $host_cpu in
+	hppa*64*)
 	  archive_cmds_GCJ='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
+	ia64*)
+	  archive_cmds_GCJ='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
 	*)
 	  archive_cmds_GCJ='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	esac
       else
-	case "$host_cpu" in
-	hppa*64*|ia64*)
-	  archive_cmds_GCJ='$LD -b +h $soname -o $lib $libobjs $deplibs $linker_flags'
+	case $host_cpu in
+	hppa*64*)
+	  archive_cmds_GCJ='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	ia64*)
+	  archive_cmds_GCJ='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	*)
-	  archive_cmds_GCJ='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+	  archive_cmds_GCJ='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	esac
       fi
       if test "$with_gnu_ld" = no; then
-	case "$host_cpu" in
-	hppa*64*)
-	  hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir'
+	hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir'
+	hardcode_libdir_separator_GCJ=:
+
+	case $host_cpu in
+	hppa*64*|ia64*)
 	  hardcode_libdir_flag_spec_ld_GCJ='+b $libdir'
-	  hardcode_libdir_separator_GCJ=:
 	  hardcode_direct_GCJ=no
 	  hardcode_shlibpath_var_GCJ=no
 	  ;;
-	ia64*)
-	  hardcode_libdir_flag_spec_GCJ='-L$libdir'
-	  hardcode_direct_GCJ=no
-	  hardcode_shlibpath_var_GCJ=no
-
-	  # hardcode_minus_L: Not really in the search PATH,
-	  # but as the default location of the library.
-	  hardcode_minus_L_GCJ=yes
-	  ;;
 	*)
-	  hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir'
-	  hardcode_libdir_separator_GCJ=:
 	  hardcode_direct_GCJ=yes
 	  export_dynamic_flag_spec_GCJ='${wl}-E'
 
@@ -17280,6 +18347,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       hardcode_shlibpath_var_GCJ=no
       if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
 	archive_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
 	hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir'
 	export_dynamic_flag_spec_GCJ='${wl}-E'
       else
@@ -17325,7 +18393,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	allow_undefined_flag_GCJ=' -expect_unresolved \*'
 	archive_cmds_GCJ='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
 	archive_expsym_cmds_GCJ='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
-	$LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib~$rm $lib.exp'
+	$LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp'
 
 	# Both c and cxx compiler support -rpath directly
 	hardcode_libdir_flag_spec_GCJ='-rpath $libdir'
@@ -17333,21 +18401,15 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       hardcode_libdir_separator_GCJ=:
       ;;
 
-    sco3.2v5*)
-      archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_shlibpath_var_GCJ=no
-      export_dynamic_flag_spec_GCJ='${wl}-Bexport'
-      runpath_var=LD_RUN_PATH
-      hardcode_runpath_var=yes
-      ;;
-
     solaris*)
       no_undefined_flag_GCJ=' -z text'
       if test "$GCC" = yes; then
+	wlarc='${wl}'
 	archive_cmds_GCJ='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
 	archive_expsym_cmds_GCJ='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
 	  $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
       else
+	wlarc=''
 	archive_cmds_GCJ='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
 	archive_expsym_cmds_GCJ='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
   	$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
@@ -17356,8 +18418,18 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       hardcode_shlibpath_var_GCJ=no
       case $host_os in
       solaris2.[0-5] | solaris2.[0-5].*) ;;
-      *) # Supported since Solaris 2.6 (maybe 2.5.1?)
-	whole_archive_flag_spec_GCJ='-z allextract$convenience -z defaultextract' ;;
+      *)
+ 	# The compiler driver will combine linker options so we
+ 	# cannot just pass the convience library names through
+ 	# without $wl, iff we do not link with $LD.
+ 	# Luckily, gcc supports the same syntax we need for Sun Studio.
+ 	# Supported since Solaris 2.6 (maybe 2.5.1?)
+ 	case $wlarc in
+ 	'')
+ 	  whole_archive_flag_spec_GCJ='-z allextract$convenience -z defaultextract' ;;
+ 	*)
+ 	  whole_archive_flag_spec_GCJ='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract' ;;
+ 	esac ;;
       esac
       link_all_deplibs_GCJ=yes
       ;;
@@ -17414,36 +18486,45 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       fi
       ;;
 
-    sysv4.2uw2*)
-      archive_cmds_GCJ='$LD -G -o $lib $libobjs $deplibs $linker_flags'
-      hardcode_direct_GCJ=yes
-      hardcode_minus_L_GCJ=no
+    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7*)
+      no_undefined_flag_GCJ='${wl}-z,text'
+      archive_cmds_need_lc_GCJ=no
       hardcode_shlibpath_var_GCJ=no
-      hardcode_runpath_var=yes
-      runpath_var=LD_RUN_PATH
-      ;;
+      runpath_var='LD_RUN_PATH'
 
-   sysv5OpenUNIX8* | sysv5UnixWare7* |  sysv5uw[78]* | unixware7*)
-      no_undefined_flag_GCJ='${wl}-z ${wl}text'
       if test "$GCC" = yes; then
-	archive_cmds_GCJ='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_cmds_GCJ='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_GCJ='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
       else
-	archive_cmds_GCJ='$CC -G ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_cmds_GCJ='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_GCJ='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
       fi
-      runpath_var='LD_RUN_PATH'
-      hardcode_shlibpath_var_GCJ=no
       ;;
 
-    sysv5*)
-      no_undefined_flag_GCJ=' -z text'
-      # $CC -shared without GNU ld will not create a library from C++
-      # object files and a static libstdc++, better avoid it by now
-      archive_cmds_GCJ='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      archive_expsym_cmds_GCJ='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-  		$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
-      hardcode_libdir_flag_spec_GCJ=
+    sysv5* | sco3.2v5* | sco5v6*)
+      # Note: We can NOT use -z defs as we might desire, because we do not
+      # link with -lc, and that would cause any symbols used from libc to
+      # always be unresolved, which means just about no library would
+      # ever link correctly.  If we're not using GNU ld we use -z text
+      # though, which does catch some bad symbols but isn't as heavy-handed
+      # as -z defs.
+      no_undefined_flag_GCJ='${wl}-z,text'
+      allow_undefined_flag_GCJ='${wl}-z,nodefs'
+      archive_cmds_need_lc_GCJ=no
       hardcode_shlibpath_var_GCJ=no
+      hardcode_libdir_flag_spec_GCJ='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
+      hardcode_libdir_separator_GCJ=':'
+      link_all_deplibs_GCJ=yes
+      export_dynamic_flag_spec_GCJ='${wl}-Bexport'
       runpath_var='LD_RUN_PATH'
+
+      if test "$GCC" = yes; then
+	archive_cmds_GCJ='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_GCJ='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	archive_cmds_GCJ='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_expsym_cmds_GCJ='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+      fi
       ;;
 
     uts4*)
@@ -17458,15 +18539,10 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
     esac
   fi
 
-echo "$as_me:$LINENO: result: $ld_shlibs_GCJ" >&5
-echo "${ECHO_T}$ld_shlibs_GCJ" >&6
+{ echo "$as_me:$LINENO: result: $ld_shlibs_GCJ" >&5
+echo "${ECHO_T}$ld_shlibs_GCJ" >&6; }
 test "$ld_shlibs_GCJ" = no && can_build_shared=no
 
-variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
-if test "$GCC" = yes; then
-  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
-fi
-
 #
 # Do we need to explicitly link libc?
 #
@@ -17484,8 +18560,8 @@ x|xyes)
       # Test whether the compiler implicitly links with -lc since on some
       # systems, -lgcc has to come before -lc. If gcc already passes -lc
       # to ld, don't add -lc before -lgcc.
-      echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
-echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6
+      { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
+echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
       $rm conftest*
       printf "$lt_simple_compile_test_code" > conftest.$ac_ext
 
@@ -17499,6 +18575,7 @@ echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&
         libobjs=conftest.$ac_objext
         deplibs=
         wl=$lt_prog_compiler_wl_GCJ
+	pic_flag=$lt_prog_compiler_pic_GCJ
         compiler_flags=-v
         linker_flags=-v
         verstring=
@@ -17521,20 +18598,20 @@ echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&
         cat conftest.err 1>&5
       fi
       $rm conftest*
-      echo "$as_me:$LINENO: result: $archive_cmds_need_lc_GCJ" >&5
-echo "${ECHO_T}$archive_cmds_need_lc_GCJ" >&6
+      { echo "$as_me:$LINENO: result: $archive_cmds_need_lc_GCJ" >&5
+echo "${ECHO_T}$archive_cmds_need_lc_GCJ" >&6; }
       ;;
     esac
   fi
   ;;
 esac
 
-echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
-echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
+echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
 library_names_spec=
 libname_spec='lib$name'
 soname_spec=
-shrext=".so"
+shrext_cmds=".so"
 postinstall_cmds=
 postuninstall_cmds=
 finish_cmds=
@@ -17631,7 +18708,7 @@ beos*)
   shlibpath_var=LIBRARY_PATH
   ;;
 
-bsdi4*)
+bsdi[45]*)
   version_type=linux
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -17647,7 +18724,7 @@ bsdi4*)
 
 cygwin* | mingw* | pw32*)
   version_type=windows
-  shrext=".dll"
+  shrext_cmds=".dll"
   need_version=no
   need_lib_prefix=no
 
@@ -17659,7 +18736,8 @@ cygwin* | mingw* | pw32*)
       dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
       dldir=$destdir/`dirname \$dlpath`~
       test -d \$dldir || mkdir -p \$dldir~
-      $install_prog $dir/$dlname \$dldir/$dlname'
+      $install_prog $dir/$dlname \$dldir/$dlname~
+      chmod a+x \$dldir/$dlname'
     postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
       dlpath=$dir/\$dldll~
        $rm \$dlpath'
@@ -17689,7 +18767,7 @@ cygwin* | mingw* | pw32*)
       ;;
     pw32*)
       # pw32 DLLs use 'pw' prefix rather than 'lib'
-      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/./-/g'`${versuffix}${shared_ext}'
+      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
       ;;
     esac
     ;;
@@ -17708,11 +18786,11 @@ darwin* | rhapsody*)
   version_type=darwin
   need_lib_prefix=no
   need_version=no
-  library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+  library_names_spec='${libname}${release}${major}$shared_ext ${libname}$shared_ext ${libname}${release}${versuffix}$shared_ext'
   soname_spec='${libname}${release}${major}$shared_ext'
   shlibpath_overrides_runpath=yes
   shlibpath_var=DYLD_LIBRARY_PATH
-  shrext='$(test .$module = .yes && echo .so || echo .dylib)'
+  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
   # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
   if test "$GCC" = yes; then
     sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
@@ -17747,8 +18825,17 @@ kfreebsd*-gnu)
   dynamic_linker='GNU ld.so'
   ;;
 
-freebsd*)
-  objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
+freebsd* | dragonfly*)
+  # DragonFly does not have aout.  When/if they implement a new
+  # versioning mechanism, adjust this.
+  if test -x /usr/bin/objformat; then
+    objformat=`/usr/bin/objformat`
+  else
+    case $host_os in
+    freebsd[123]*) objformat=aout ;;
+    *) objformat=elf ;;
+    esac
+  fi
   version_type=freebsd-$objformat
   case $version_type in
     freebsd-elf*)
@@ -17766,14 +18853,19 @@ freebsd*)
   freebsd2*)
     shlibpath_overrides_runpath=yes
     ;;
-  freebsd3.01* | freebsdelf3.01*)
+  freebsd3.[01]* | freebsdelf3.[01]*)
     shlibpath_overrides_runpath=yes
     hardcode_into_libs=yes
     ;;
-  *) # from 3.2 on
+  freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
+  freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
     shlibpath_overrides_runpath=no
     hardcode_into_libs=yes
     ;;
+  freebsd*) # from 4.6 on
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
   esac
   ;;
 
@@ -17793,9 +18885,9 @@ hpux9* | hpux10* | hpux11*)
   version_type=sunos
   need_lib_prefix=no
   need_version=no
-  case "$host_cpu" in
+  case $host_cpu in
   ia64*)
-    shrext='.so'
+    shrext_cmds='.so'
     hardcode_into_libs=yes
     dynamic_linker="$host_os dld.so"
     shlibpath_var=LD_LIBRARY_PATH
@@ -17810,7 +18902,7 @@ hpux9* | hpux10* | hpux11*)
     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
     ;;
    hppa*64*)
-     shrext='.sl'
+     shrext_cmds='.sl'
      hardcode_into_libs=yes
      dynamic_linker="$host_os dld.sl"
      shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
@@ -17821,7 +18913,7 @@ hpux9* | hpux10* | hpux11*)
      sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
      ;;
    *)
-    shrext='.sl'
+    shrext_cmds='.sl'
     dynamic_linker="$host_os dld.sl"
     shlibpath_var=SHLIB_PATH
     shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
@@ -17833,6 +18925,18 @@ hpux9* | hpux10* | hpux11*)
   postinstall_cmds='chmod 555 $lib'
   ;;
 
+interix3*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  ;;
+
 irix5* | irix6* | nonstopux*)
   case $host_os in
     nonstopux*) version_type=nonstopux ;;
@@ -17892,8 +18996,8 @@ linux*)
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $ld_extra"
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
   fi
 
   # We used to test for /lib/ld.so.1 and disable shared libraries on
@@ -17954,8 +19058,13 @@ nto-qnx*)
 
 openbsd*)
   version_type=sunos
+  sys_lib_dlsearch_path_spec="/usr/lib"
   need_lib_prefix=no
-  need_version=yes
+  # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
+  case $host_os in
+    openbsd3.3 | openbsd3.3.*) need_version=yes ;;
+    *)                         need_version=no  ;;
+  esac
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
   finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
   shlibpath_var=LD_LIBRARY_PATH
@@ -17975,7 +19084,7 @@ openbsd*)
 
 os2*)
   libname_spec='$name'
-  shrext=".dll"
+  shrext_cmds=".dll"
   need_lib_prefix=no
   library_names_spec='$libname${shared_ext} $libname.a'
   dynamic_linker='OS/2 ld.exe'
@@ -17993,13 +19102,6 @@ osf3* | osf4* | osf5*)
   sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
   ;;
 
-sco3.2v5*)
-  version_type=osf
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
-
 solaris*)
   version_type=linux
   need_lib_prefix=no
@@ -18025,7 +19127,7 @@ sunos4*)
   need_version=yes
   ;;
 
-sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+sysv4 | sysv4.3*)
   version_type=linux
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
@@ -18058,6 +19160,29 @@ sysv4*MP*)
   fi
   ;;
 
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+  version_type=freebsd-elf
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  hardcode_into_libs=yes
+  if test "$with_gnu_ld" = yes; then
+    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
+    shlibpath_overrides_runpath=no
+  else
+    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
+    shlibpath_overrides_runpath=yes
+    case $host_os in
+      sco3.2v5*)
+        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
+	;;
+    esac
+  fi
+  sys_lib_dlsearch_path_spec='/usr/lib'
+  ;;
+
 uts4*)
   version_type=linux
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -18069,16 +19194,21 @@ uts4*)
   dynamic_linker=no
   ;;
 esac
-echo "$as_me:$LINENO: result: $dynamic_linker" >&5
-echo "${ECHO_T}$dynamic_linker" >&6
+{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
+echo "${ECHO_T}$dynamic_linker" >&6; }
 test "$dynamic_linker" = no && can_build_shared=no
 
-echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
-echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+
+{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
+echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
 hardcode_action_GCJ=
 if test -n "$hardcode_libdir_flag_spec_GCJ" || \
-   test -n "$runpath_var GCJ" || \
-   test "X$hardcode_automatic_GCJ"="Xyes" ; then
+   test -n "$runpath_var_GCJ" || \
+   test "X$hardcode_automatic_GCJ" = "Xyes" ; then
 
   # We can hardcode non-existant directories.
   if test "$hardcode_direct_GCJ" != no &&
@@ -18098,8 +19228,8 @@ else
   # directories.
   hardcode_action_GCJ=unsupported
 fi
-echo "$as_me:$LINENO: result: $hardcode_action_GCJ" >&5
-echo "${ECHO_T}$hardcode_action_GCJ" >&6
+{ echo "$as_me:$LINENO: result: $hardcode_action_GCJ" >&5
+echo "${ECHO_T}$hardcode_action_GCJ" >&6; }
 
 if test "$hardcode_action_GCJ" = relink; then
   # Fast installation is not supported
@@ -18110,841 +19240,6 @@ elif test "$shlibpath_overrides_runpath" = yes ||
   enable_fast_install=needless
 fi
 
-striplib=
-old_striplib=
-echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5
-echo $ECHO_N "checking whether stripping libraries is possible... $ECHO_C" >&6
-if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
-  test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
-  test -z "$striplib" && striplib="$STRIP --strip-unneeded"
-  echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-else
-# FIXME - insert some real tests, host_os isn't really good enough
-  case $host_os in
-   darwin*)
-       if test -n "$STRIP" ; then
-         striplib="$STRIP -x"
-         echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-       else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-       ;;
-   *)
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-    ;;
-  esac
-fi
-
-if test "x$enable_dlopen" != xyes; then
-  enable_dlopen=unknown
-  enable_dlopen_self=unknown
-  enable_dlopen_self_static=unknown
-else
-  lt_cv_dlopen=no
-  lt_cv_dlopen_libs=
-
-  case $host_os in
-  beos*)
-    lt_cv_dlopen="load_add_on"
-    lt_cv_dlopen_libs=
-    lt_cv_dlopen_self=yes
-    ;;
-
-  mingw* | pw32*)
-    lt_cv_dlopen="LoadLibrary"
-    lt_cv_dlopen_libs=
-   ;;
-
-  cygwin*)
-    lt_cv_dlopen="dlopen"
-    lt_cv_dlopen_libs=
-   ;;
-
-  darwin*)
-  # if libdl is installed we need to link against it
-    echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
-echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6
-if test "${ac_cv_lib_dl_dlopen+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldl  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char dlopen ();
-int
-main ()
-{
-dlopen ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_lib_dl_dlopen=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_dl_dlopen=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6
-if test $ac_cv_lib_dl_dlopen = yes; then
-  lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
-else
-
-    lt_cv_dlopen="dyld"
-    lt_cv_dlopen_libs=
-    lt_cv_dlopen_self=yes
-
-fi
-
-   ;;
-
-  *)
-    echo "$as_me:$LINENO: checking for shl_load" >&5
-echo $ECHO_N "checking for shl_load... $ECHO_C" >&6
-if test "${ac_cv_func_shl_load+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define shl_load to an innocuous variant, in case <limits.h> declares shl_load.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define shl_load innocuous_shl_load
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char shl_load (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef shl_load
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char shl_load ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_shl_load) || defined (__stub___shl_load)
-choke me
-#else
-char (*f) () = shl_load;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != shl_load;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_func_shl_load=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_shl_load=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_shl_load" >&5
-echo "${ECHO_T}$ac_cv_func_shl_load" >&6
-if test $ac_cv_func_shl_load = yes; then
-  lt_cv_dlopen="shl_load"
-else
-  echo "$as_me:$LINENO: checking for shl_load in -ldld" >&5
-echo $ECHO_N "checking for shl_load in -ldld... $ECHO_C" >&6
-if test "${ac_cv_lib_dld_shl_load+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldld  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char shl_load ();
-int
-main ()
-{
-shl_load ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_lib_dld_shl_load=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_dld_shl_load=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5
-echo "${ECHO_T}$ac_cv_lib_dld_shl_load" >&6
-if test $ac_cv_lib_dld_shl_load = yes; then
-  lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-dld"
-else
-  echo "$as_me:$LINENO: checking for dlopen" >&5
-echo $ECHO_N "checking for dlopen... $ECHO_C" >&6
-if test "${ac_cv_func_dlopen+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define dlopen to an innocuous variant, in case <limits.h> declares dlopen.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define dlopen innocuous_dlopen
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char dlopen (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef dlopen
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char dlopen ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_dlopen) || defined (__stub___dlopen)
-choke me
-#else
-char (*f) () = dlopen;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != dlopen;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_func_dlopen=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_dlopen=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_dlopen" >&5
-echo "${ECHO_T}$ac_cv_func_dlopen" >&6
-if test $ac_cv_func_dlopen = yes; then
-  lt_cv_dlopen="dlopen"
-else
-  echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
-echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6
-if test "${ac_cv_lib_dl_dlopen+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldl  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char dlopen ();
-int
-main ()
-{
-dlopen ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_lib_dl_dlopen=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_dl_dlopen=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6
-if test $ac_cv_lib_dl_dlopen = yes; then
-  lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
-else
-  echo "$as_me:$LINENO: checking for dlopen in -lsvld" >&5
-echo $ECHO_N "checking for dlopen in -lsvld... $ECHO_C" >&6
-if test "${ac_cv_lib_svld_dlopen+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lsvld  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char dlopen ();
-int
-main ()
-{
-dlopen ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_lib_svld_dlopen=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_svld_dlopen=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_svld_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_svld_dlopen" >&6
-if test $ac_cv_lib_svld_dlopen = yes; then
-  lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"
-else
-  echo "$as_me:$LINENO: checking for dld_link in -ldld" >&5
-echo $ECHO_N "checking for dld_link in -ldld... $ECHO_C" >&6
-if test "${ac_cv_lib_dld_dld_link+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldld  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char dld_link ();
-int
-main ()
-{
-dld_link ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_lib_dld_dld_link=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_dld_dld_link=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5
-echo "${ECHO_T}$ac_cv_lib_dld_dld_link" >&6
-if test $ac_cv_lib_dld_dld_link = yes; then
-  lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-dld"
-fi
-
-
-fi
-
-
-fi
-
-
-fi
-
-
-fi
-
-
-fi
-
-    ;;
-  esac
-
-  if test "x$lt_cv_dlopen" != xno; then
-    enable_dlopen=yes
-  else
-    enable_dlopen=no
-  fi
-
-  case $lt_cv_dlopen in
-  dlopen)
-    save_CPPFLAGS="$CPPFLAGS"
-    test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
-
-    save_LDFLAGS="$LDFLAGS"
-    eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
-
-    save_LIBS="$LIBS"
-    LIBS="$lt_cv_dlopen_libs $LIBS"
-
-    echo "$as_me:$LINENO: checking whether a program can dlopen itself" >&5
-echo $ECHO_N "checking whether a program can dlopen itself... $ECHO_C" >&6
-if test "${lt_cv_dlopen_self+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  	  if test "$cross_compiling" = yes; then :
-  lt_cv_dlopen_self=cross
-else
-  lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
-  lt_status=$lt_dlunknown
-  cat > conftest.$ac_ext <<EOF
-#line 18747 "configure"
-#include "confdefs.h"
-
-#if HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
-
-#include <stdio.h>
-
-#ifdef RTLD_GLOBAL
-#  define LT_DLGLOBAL		RTLD_GLOBAL
-#else
-#  ifdef DL_GLOBAL
-#    define LT_DLGLOBAL		DL_GLOBAL
-#  else
-#    define LT_DLGLOBAL		0
-#  endif
-#endif
-
-/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
-   find out it does not work in some platform. */
-#ifndef LT_DLLAZY_OR_NOW
-#  ifdef RTLD_LAZY
-#    define LT_DLLAZY_OR_NOW		RTLD_LAZY
-#  else
-#    ifdef DL_LAZY
-#      define LT_DLLAZY_OR_NOW		DL_LAZY
-#    else
-#      ifdef RTLD_NOW
-#        define LT_DLLAZY_OR_NOW	RTLD_NOW
-#      else
-#        ifdef DL_NOW
-#          define LT_DLLAZY_OR_NOW	DL_NOW
-#        else
-#          define LT_DLLAZY_OR_NOW	0
-#        endif
-#      endif
-#    endif
-#  endif
-#endif
-
-#ifdef __cplusplus
-extern "C" void exit (int);
-#endif
-
-void fnord() { int i=42;}
-int main ()
-{
-  void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
-  int status = $lt_dlunknown;
-
-  if (self)
-    {
-      if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
-      else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
-      /* dlclose (self); */
-    }
-
-    exit (status);
-}
-EOF
-  if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
-    (./conftest; exit; ) 2>/dev/null
-    lt_status=$?
-    case x$lt_status in
-      x$lt_dlno_uscore) lt_cv_dlopen_self=yes ;;
-      x$lt_dlneed_uscore) lt_cv_dlopen_self=yes ;;
-      x$lt_unknown|x*) lt_cv_dlopen_self=no ;;
-    esac
-  else :
-    # compilation failed
-    lt_cv_dlopen_self=no
-  fi
-fi
-rm -fr conftest*
-
-
-fi
-echo "$as_me:$LINENO: result: $lt_cv_dlopen_self" >&5
-echo "${ECHO_T}$lt_cv_dlopen_self" >&6
-
-    if test "x$lt_cv_dlopen_self" = xyes; then
-      LDFLAGS="$LDFLAGS $link_static_flag"
-      echo "$as_me:$LINENO: checking whether a statically linked program can dlopen itself" >&5
-echo $ECHO_N "checking whether a statically linked program can dlopen itself... $ECHO_C" >&6
-if test "${lt_cv_dlopen_self_static+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  	  if test "$cross_compiling" = yes; then :
-  lt_cv_dlopen_self_static=cross
-else
-  lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
-  lt_status=$lt_dlunknown
-  cat > conftest.$ac_ext <<EOF
-#line 18845 "configure"
-#include "confdefs.h"
-
-#if HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
-
-#include <stdio.h>
-
-#ifdef RTLD_GLOBAL
-#  define LT_DLGLOBAL		RTLD_GLOBAL
-#else
-#  ifdef DL_GLOBAL
-#    define LT_DLGLOBAL		DL_GLOBAL
-#  else
-#    define LT_DLGLOBAL		0
-#  endif
-#endif
-
-/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
-   find out it does not work in some platform. */
-#ifndef LT_DLLAZY_OR_NOW
-#  ifdef RTLD_LAZY
-#    define LT_DLLAZY_OR_NOW		RTLD_LAZY
-#  else
-#    ifdef DL_LAZY
-#      define LT_DLLAZY_OR_NOW		DL_LAZY
-#    else
-#      ifdef RTLD_NOW
-#        define LT_DLLAZY_OR_NOW	RTLD_NOW
-#      else
-#        ifdef DL_NOW
-#          define LT_DLLAZY_OR_NOW	DL_NOW
-#        else
-#          define LT_DLLAZY_OR_NOW	0
-#        endif
-#      endif
-#    endif
-#  endif
-#endif
-
-#ifdef __cplusplus
-extern "C" void exit (int);
-#endif
-
-void fnord() { int i=42;}
-int main ()
-{
-  void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
-  int status = $lt_dlunknown;
-
-  if (self)
-    {
-      if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
-      else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
-      /* dlclose (self); */
-    }
-
-    exit (status);
-}
-EOF
-  if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
-    (./conftest; exit; ) 2>/dev/null
-    lt_status=$?
-    case x$lt_status in
-      x$lt_dlno_uscore) lt_cv_dlopen_self_static=yes ;;
-      x$lt_dlneed_uscore) lt_cv_dlopen_self_static=yes ;;
-      x$lt_unknown|x*) lt_cv_dlopen_self_static=no ;;
-    esac
-  else :
-    # compilation failed
-    lt_cv_dlopen_self_static=no
-  fi
-fi
-rm -fr conftest*
-
-
-fi
-echo "$as_me:$LINENO: result: $lt_cv_dlopen_self_static" >&5
-echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6
-    fi
-
-    CPPFLAGS="$save_CPPFLAGS"
-    LDFLAGS="$save_LDFLAGS"
-    LIBS="$save_LIBS"
-    ;;
-  esac
-
-  case $lt_cv_dlopen_self in
-  yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
-  *) enable_dlopen_self=unknown ;;
-  esac
-
-  case $lt_cv_dlopen_self_static in
-  yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
-  *) enable_dlopen_self_static=unknown ;;
-  esac
-fi
-
 
 # The else clause should only fire when bootstrapping the
 # libtool distribution, otherwise you forgot to ship ltmain.sh
@@ -18959,7 +19254,7 @@ if test -f "$ltmain"; then
   # Now quote all the things that may contain metacharacters while being
   # careful not to overquote the AC_SUBSTed values.  We take copies of the
   # variables and quote the copies for generation of the libtool script.
-  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC NM \
+  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
     SED SHELL STRIP \
     libname_spec library_names_spec soname_spec extract_expsyms_cmds \
     old_striplib striplib file_magic_cmd finish_cmds finish_eval \
@@ -19060,6 +19355,12 @@ fast_install=$enable_fast_install
 # The host system.
 host_alias=$host_alias
 host=$host
+host_os=$host_os
+
+# The build system.
+build_alias=$build_alias
+build=$build
+build_os=$build_os
 
 # An echo program that does not interpret backslashes.
 echo=$lt_echo
@@ -19071,6 +19372,9 @@ AR_FLAGS=$lt_AR_FLAGS
 # A C compiler.
 LTCC=$lt_LTCC
 
+# LTCC compiler flags.
+LTCFLAGS=$lt_LTCFLAGS
+
 # A language-specific compiler.
 CC=$lt_compiler_GCJ
 
@@ -19121,7 +19425,7 @@ objext="$ac_objext"
 libext="$libext"
 
 # Shared library suffix (normally ".so").
-shrext='$shrext'
+shrext_cmds='$shrext_cmds'
 
 # Executable file suffix (normally "").
 exeext="$exeext"
@@ -19136,7 +19440,7 @@ max_cmd_len=$lt_cv_sys_max_cmd_len
 # Does compiler simultaneously support -c and -o options?
 compiler_c_o=$lt_lt_cv_prog_compiler_c_o_GCJ
 
-# Must we lock files when doing compilation ?
+# Must we lock files when doing compilation?
 need_locks=$lt_need_locks
 
 # Do we need the lib prefix for modules?
@@ -19361,7 +19665,6 @@ CC="$lt_save_CC"
       RC)
 
 
-
 # Source file extension for RC test sources.
 ac_ext=rc
 
@@ -19380,15 +19683,42 @@ lt_simple_link_test_code="$lt_simple_compile_test_code"
 # If no C compiler was specified, use CC.
 LTCC=${LTCC-"$CC"}
 
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
 # Allow CC to be a program name with arguments.
 compiler=$CC
 
 
+# save warnings/boilerplate of simple test code
+ac_outfile=conftest.$ac_objext
+printf "$lt_simple_compile_test_code" >conftest.$ac_ext
+eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_compiler_boilerplate=`cat conftest.err`
+$rm conftest*
+
+ac_outfile=conftest.$ac_objext
+printf "$lt_simple_link_test_code" >conftest.$ac_ext
+eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_linker_boilerplate=`cat conftest.err`
+$rm conftest*
+
+
 # Allow CC to be a program name with arguments.
 lt_save_CC="$CC"
 CC=${RC-"windres"}
 compiler=$CC
 compiler_RC=$CC
+for cc_temp in $compiler""; do
+  case $cc_temp in
+    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+    \-*) ;;
+    *) break;;
+  esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+
 lt_cv_prog_compiler_c_o_RC=yes
 
 # The else clause should only fire when bootstrapping the
@@ -19404,7 +19734,7 @@ if test -f "$ltmain"; then
   # Now quote all the things that may contain metacharacters while being
   # careful not to overquote the AC_SUBSTed values.  We take copies of the
   # variables and quote the copies for generation of the libtool script.
-  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC NM \
+  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
     SED SHELL STRIP \
     libname_spec library_names_spec soname_spec extract_expsyms_cmds \
     old_striplib striplib file_magic_cmd finish_cmds finish_eval \
@@ -19505,6 +19835,12 @@ fast_install=$enable_fast_install
 # The host system.
 host_alias=$host_alias
 host=$host
+host_os=$host_os
+
+# The build system.
+build_alias=$build_alias
+build=$build
+build_os=$build_os
 
 # An echo program that does not interpret backslashes.
 echo=$lt_echo
@@ -19516,6 +19852,9 @@ AR_FLAGS=$lt_AR_FLAGS
 # A C compiler.
 LTCC=$lt_LTCC
 
+# LTCC compiler flags.
+LTCFLAGS=$lt_LTCFLAGS
+
 # A language-specific compiler.
 CC=$lt_compiler_RC
 
@@ -19566,7 +19905,7 @@ objext="$ac_objext"
 libext="$libext"
 
 # Shared library suffix (normally ".so").
-shrext='$shrext'
+shrext_cmds='$shrext_cmds'
 
 # Executable file suffix (normally "").
 exeext="$exeext"
@@ -19581,7 +19920,7 @@ max_cmd_len=$lt_cv_sys_max_cmd_len
 # Does compiler simultaneously support -c and -o options?
 compiler_c_o=$lt_lt_cv_prog_compiler_c_o_RC
 
-# Must we lock files when doing compilation ?
+# Must we lock files when doing compilation?
 need_locks=$lt_need_locks
 
 # Do we need the lib prefix for modules?
@@ -19857,63 +20196,115 @@ LIBTOOL='$(SHELL) $(top_builddir)/libtool'
 
 
 
+ if test "$enable_shared" = "yes"; then
+  ENABLE_SHARED_TRUE=
+  ENABLE_SHARED_FALSE='#'
+else
+  ENABLE_SHARED_TRUE='#'
+  ENABLE_SHARED_FALSE=
+fi
 
-WFLAGS_NOUNUSED=""
-WFLAGS_NOIMPLICITINT=""
-if test -z "$WFLAGS" -a "$GCC" = "yes"; then
-  # -Wno-implicit-int for broken X11 headers
-  # leave these out for now:
-  #   -Wcast-align doesn't work well on alpha osf/1
-  #   -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast
-  #   -Wmissing-declarations -Wnested-externs
-  WFLAGS="-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs"
-  WFLAGS_NOUNUSED="-Wno-unused"
-  WFLAGS_NOIMPLICITINT="-Wno-implicit-int"
+
+{ echo "$as_me:$LINENO: checking for ld --version-script" >&5
+echo $ECHO_N "checking for ld --version-script... $ECHO_C" >&6; }
+if test "${rk_cv_version_script+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+  rk_cv_version_script=no
+
+  cat > conftest.map <<EOF
+HEIM_GSS_V1 {
+        global: gss*;
+};
+HEIM_GSS_V1_1 {
+        global: gss_init_creds;
+} HEIM_GSS_V1;
+EOF
+cat > conftest.c <<EOF
+int gss_init_creds(int foo) { return 0; }
+EOF
+
+  if { ac_try='${CC-cc} $CFLAGS $LDFLAGS -shared
+                               -o conftest.so conftest.c
+                               -Wl,--version-script,conftest.map'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; };
+  then
+    rk_cv_version_script=yes
+  fi
+rm -f conftest*
+
+fi
+{ echo "$as_me:$LINENO: result: $rk_cv_version_script" >&5
+echo "${ECHO_T}$rk_cv_version_script" >&6; }
+
+if test $rk_cv_version_script = yes ; then
+  doversioning=yes
+  LDFLAGS_VERSION_SCRIPT="-Wl,--version-script,"
+else
+  doversioning=no
+  LDFLAGS_VERSION_SCRIPT=
+fi
+
+
+ if test $doversioning = yes; then
+  versionscript_TRUE=
+  versionscript_FALSE='#'
+else
+  versionscript_TRUE='#'
+  versionscript_FALSE=
 fi
 
 
 
 
-# Check whether --with-openldap or --without-openldap was given.
+
+
+
+# Check whether --with-openldap was given.
 if test "${with_openldap+set}" = set; then
-  withval="$with_openldap"
+  withval=$with_openldap;
+fi
 
-fi;
 
-# Check whether --with-openldap-lib or --without-openldap-lib was given.
+# Check whether --with-openldap-lib was given.
 if test "${with_openldap_lib+set}" = set; then
-  withval="$with_openldap_lib"
-  if test "$withval" = "yes" -o "$withval" = "no"; then
+  withval=$with_openldap_lib; if test "$withval" = "yes" -o "$withval" = "no"; then
   { { echo "$as_me:$LINENO: error: No argument for --with-openldap-lib" >&5
 echo "$as_me: error: No argument for --with-openldap-lib" >&2;}
    { (exit 1); exit 1; }; }
 elif test "X$with_openldap" = "X"; then
   with_openldap=yes
 fi
-fi;
+fi
 
-# Check whether --with-openldap-include or --without-openldap-include was given.
+
+# Check whether --with-openldap-include was given.
 if test "${with_openldap_include+set}" = set; then
-  withval="$with_openldap_include"
-  if test "$withval" = "yes" -o "$withval" = "no"; then
+  withval=$with_openldap_include; if test "$withval" = "yes" -o "$withval" = "no"; then
   { { echo "$as_me:$LINENO: error: No argument for --with-openldap-include" >&5
 echo "$as_me: error: No argument for --with-openldap-include" >&2;}
    { (exit 1); exit 1; }; }
 elif test "X$with_openldap" = "X"; then
   with_openldap=yes
 fi
-fi;
+fi
 
-# Check whether --with-openldap-config or --without-openldap-config was given.
+
+# Check whether --with-openldap-config was given.
 if test "${with_openldap_config+set}" = set; then
-  withval="$with_openldap_config"
+  withval=$with_openldap_config;
+fi
 
-fi;
 
 
 
-echo "$as_me:$LINENO: checking for openldap" >&5
-echo $ECHO_N "checking for openldap... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for openldap" >&5
+echo $ECHO_N "checking for openldap... $ECHO_C" >&6; }
 
 case "$with_openldap" in
 yes|"") d='' ;;
@@ -19954,6 +20345,14 @@ openldap_cflags=
 openldap_libs=
 
 case "$with_openldap_config" in
+yes|no|""|"")
+	if test -f $with_openldap/bin/ ; then
+		with_openldap_config=$with_openldap/bin/
+	fi
+	;;
+esac
+
+case "$with_openldap_config" in
 yes|no|"")
 	;;
 *)
@@ -19986,39 +20385,37 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
 
 			INCLUDE_openldap="$openldap_cflags"
 			LIB_openldap="$openldap_libs"
-			echo "$as_me:$LINENO: result: from $with_openldap_config" >&5
-echo "${ECHO_T}from $with_openldap_config" >&6
+			{ echo "$as_me:$LINENO: result: from $with_openldap_config" >&5
+echo "${ECHO_T}from $with_openldap_config" >&6; }
 			found=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	fi
 	if test "$found" = no; then
@@ -20042,34 +20439,31 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ires=$i;break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 		done
 		for i in $lib_dirs; do
 			LIBS="-L$i -lldap -llber  $save_LIBS"
@@ -20090,42 +20484,40 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   lres=$i;break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 		done
 		if test "$ires" -a "$lres" -a "$with_openldap" != "no"; then
 			INCLUDE_openldap="-I$ires"
 			LIB_openldap="-L$lres -lldap -llber "
 			found=yes
-			echo "$as_me:$LINENO: result: headers $ires, libraries $lres" >&5
-echo "${ECHO_T}headers $ires, libraries $lres" >&6
+			{ echo "$as_me:$LINENO: result: headers $ires, libraries $lres" >&5
+echo "${ECHO_T}headers $ires, libraries $lres" >&6; }
 		fi
 	fi
 	CFLAGS="$save_CFLAGS"
@@ -20143,1746 +20535,73 @@ else
 	with_openldap=no
 	INCLUDE_openldap=
 	LIB_openldap=
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-
-
-
-
-
-
-# Check whether --with-krb4 or --without-krb4 was given.
-if test "${with_krb4+set}" = set; then
-  withval="$with_krb4"
-
-fi;
-
-# Check whether --with-krb4-lib or --without-krb4-lib was given.
-if test "${with_krb4_lib+set}" = set; then
-  withval="$with_krb4_lib"
-  if test "$withval" = "yes" -o "$withval" = "no"; then
-  { { echo "$as_me:$LINENO: error: No argument for --with-krb4-lib" >&5
-echo "$as_me: error: No argument for --with-krb4-lib" >&2;}
-   { (exit 1); exit 1; }; }
-elif test "X$with_krb4" = "X"; then
-  with_krb4=yes
-fi
-fi;
-
-# Check whether --with-krb4-include or --without-krb4-include was given.
-if test "${with_krb4_include+set}" = set; then
-  withval="$with_krb4_include"
-  if test "$withval" = "yes" -o "$withval" = "no"; then
-  { { echo "$as_me:$LINENO: error: No argument for --with-krb4-include" >&5
-echo "$as_me: error: No argument for --with-krb4-include" >&2;}
-   { (exit 1); exit 1; }; }
-elif test "X$with_krb4" = "X"; then
-  with_krb4=yes
-fi
-fi;
-
-# Check whether --with-krb4-config or --without-krb4-config was given.
-if test "${with_krb4_config+set}" = set; then
-  withval="$with_krb4_config"
-
-fi;
-
-
-
-echo "$as_me:$LINENO: checking for krb4" >&5
-echo $ECHO_N "checking for krb4... $ECHO_C" >&6
-
-case "$with_krb4" in
-yes|"") d='/usr/athena' ;;
-no)	d= ;;
-*)	d="$with_krb4" ;;
-esac
-
-header_dirs=
-lib_dirs=
-for i in $d; do
-	if test "$with_krb4_include" = ""; then
-		if test -d "$i/include/krb4"; then
-			header_dirs="$header_dirs $i/include/krb4"
-		fi
-		if test -d "$i/include"; then
-			header_dirs="$header_dirs $i/include"
-		fi
-	fi
-	if test "$with_krb4_lib" = ""; then
-		if test -d "$i/lib$abilibdirext"; then
-			lib_dirs="$lib_dirs $i/lib$abilibdirext"
-		fi
-	fi
-done
-
-if test "$with_krb4_include"; then
-	header_dirs="$with_krb4_include $header_dirs"
-fi
-if test "$with_krb4_lib"; then
-	lib_dirs="$with_krb4_lib $lib_dirs"
-fi
-
-if test "$with_krb4_config" = ""; then
-	with_krb4_config='krb4-config'
-fi
-
-krb4_cflags=
-krb4_libs=
-
-case "$with_krb4_config" in
-yes|no|"")
-	;;
-*)
-	krb4_cflags="`$with_krb4_config --cflags 2>&1`"
-	krb4_libs="`$with_krb4_config --libs 2>&1`"
-	;;
-esac
-
-found=no
-if test "$with_krb4" != no; then
-	save_CFLAGS="$CFLAGS"
-	save_LIBS="$LIBS"
-	if test "$krb4_cflags" -a "$krb4_libs"; then
-		CFLAGS="$krb4_cflags $save_CFLAGS"
-		LIBS="$krb4_libs $save_LIBS"
-		cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <krb.h>
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-
-			INCLUDE_krb4="$krb4_cflags"
-			LIB_krb4="$krb4_libs"
-			echo "$as_me:$LINENO: result: from $with_krb4_config" >&5
-echo "${ECHO_T}from $with_krb4_config" >&6
-			found=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-	fi
-	if test "$found" = no; then
-		ires= lres=
-		for i in $header_dirs; do
-			CFLAGS="-I$i $save_CFLAGS"
-			cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <krb.h>
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ires=$i;break
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-		done
-		for i in $lib_dirs; do
-			LIBS="-L$i -lkrb -ldes $save_LIBS"
-			cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <krb.h>
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  lres=$i;break
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-		done
-		if test "$ires" -a "$lres" -a "$with_krb4" != "no"; then
-			INCLUDE_krb4="-I$ires"
-			LIB_krb4="-L$lres -lkrb -ldes"
-			found=yes
-			echo "$as_me:$LINENO: result: headers $ires, libraries $lres" >&5
-echo "${ECHO_T}headers $ires, libraries $lres" >&6
-		fi
-	fi
-	CFLAGS="$save_CFLAGS"
-	LIBS="$save_LIBS"
-fi
-
-if test "$found" = yes; then
-
-cat >>confdefs.h <<_ACEOF
-#define KRB4 1
-_ACEOF
-
-	with_krb4=yes
-else
-	with_krb4=no
-	INCLUDE_krb4=
-	LIB_krb4=
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-
-
-
-
-LIB_kdb=
-if test "$with_krb4" != "no"; then
-	save_CFLAGS="$CFLAGS"
-	CFLAGS="$CFLAGS $INCLUDE_krb4"
-	save_LIBS="$LIBS"
-	LIBS="$LIB_krb4 $LIBS"
-	EXTRA_LIB45=lib45.a
-
-	echo "$as_me:$LINENO: checking for four valued krb_put_int" >&5
-echo $ECHO_N "checking for four valued krb_put_int... $ECHO_C" >&6
-if test "${ac_cv_func_krb_put_int_four+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <krb.h>
-int
-main ()
-{
-
-		char tmp[4];
-		krb_put_int(17, tmp, 4, sizeof(tmp));
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_func_krb_put_int_four=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_krb_put_int_four=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_krb_put_int_four" >&5
-echo "${ECHO_T}$ac_cv_func_krb_put_int_four" >&6
-	if test "$ac_cv_func_krb_put_int_four" = yes; then
-
-cat >>confdefs.h <<\_ACEOF
-#define HAVE_FOUR_VALUED_KRB_PUT_INT 1
-_ACEOF
-
-	fi
-
-
-	echo "$as_me:$LINENO: checking for KRB_VERIFY_SECURE" >&5
-echo $ECHO_N "checking for KRB_VERIFY_SECURE... $ECHO_C" >&6
-if test "${ac_cv_func_krb_verify_secure+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <krb.h>
-int
-main ()
-{
-
-		int x = KRB_VERIFY_SECURE
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_func_krb_verify_secure=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_krb_verify_secure=no
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_krb_verify_secure" >&5
-echo "${ECHO_T}$ac_cv_func_krb_verify_secure" >&6
-	if test "$ac_cv_func_krb_verify_secure" != yes; then
 
-cat >>confdefs.h <<\_ACEOF
-#define KRB_VERIFY_SECURE 1
-_ACEOF
 
 
-cat >>confdefs.h <<\_ACEOF
-#define KRB_VERIFY_SECURE_FAIL 2
-_ACEOF
-
-	fi
-	echo "$as_me:$LINENO: checking for KRB_VERIFY_NOT_SECURE" >&5
-echo $ECHO_N "checking for KRB_VERIFY_NOT_SECURE... $ECHO_C" >&6
-if test "${ac_cv_func_krb_verify_not_secure+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <krb.h>
-int
-main ()
-{
-
-		int x = KRB_VERIFY_NOT_SECURE
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_func_krb_verify_not_secure=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_krb_verify_not_secure=no
+# Check whether --enable-hdb-openldap-module was given.
+if test "${enable_hdb_openldap_module+set}" = set; then
+  enableval=$enable_hdb_openldap_module;
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_krb_verify_not_secure" >&5
-echo "${ECHO_T}$ac_cv_func_krb_verify_not_secure" >&6
-	if test "$ac_cv_func_krb_verify_not_secure" != yes; then
+if test "$enable_hdb_openldap_module" = yes -a "$with_openldap" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
-#define KRB_VERIFY_NOT_SECURE 0
-_ACEOF
-
-	fi
-
-
-
-
-echo "$as_me:$LINENO: checking for krb_enable_debug" >&5
-echo $ECHO_N "checking for krb_enable_debug... $ECHO_C" >&6
-if test "${ac_cv_funclib_krb_enable_debug+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-
-if eval "test \"\$ac_cv_func_krb_enable_debug\" != yes" ; then
-	ac_save_LIBS="$LIBS"
-	for ac_lib in "" ; do
-		case "$ac_lib" in
-		"") ;;
-		yes) ac_lib="" ;;
-		no) continue ;;
-		-l*) ;;
-		*) ac_lib="-l$ac_lib" ;;
-		esac
-		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-krb_enable_debug()
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "if test -n \"$ac_lib\";then ac_cv_funclib_krb_enable_debug=$ac_lib; else ac_cv_funclib_krb_enable_debug=yes; fi";break
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-	done
-	eval "ac_cv_funclib_krb_enable_debug=\${ac_cv_funclib_krb_enable_debug-no}"
-	LIBS="$ac_save_LIBS"
-fi
-
-fi
-
-
-eval "ac_res=\$ac_cv_funclib_krb_enable_debug"
-
-if false; then
-
-for ac_func in krb_enable_debug
-do
-as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define $ac_func innocuous_$ac_func
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef $ac_func
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char $ac_func ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != $ac_func;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "$as_ac_var=yes"
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-eval "$as_ac_var=no"
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
-if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-done
-
-fi
-# krb_enable_debug
-eval "ac_tr_func=HAVE_`echo krb_enable_debug | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "LIB_krb_enable_debug=$ac_res"
-
-case "$ac_res" in
-	yes)
-	eval "ac_cv_func_krb_enable_debug=yes"
-	eval "LIB_krb_enable_debug="
-	cat >>confdefs.h <<_ACEOF
-#define $ac_tr_func 1
-_ACEOF
-
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-	;;
-	no)
-	eval "ac_cv_func_krb_enable_debug=no"
-	eval "LIB_krb_enable_debug="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-	;;
-	*)
-	eval "ac_cv_func_krb_enable_debug=yes"
-	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >>confdefs.h <<_ACEOF
-#define $ac_tr_func 1
-_ACEOF
-
-	cat >>confdefs.h <<_ACEOF
-#define $ac_tr_lib 1
-_ACEOF
-
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
-	;;
-esac
-
-
-if test -n "$LIB_krb_enable_debug"; then
-	LIBS="$LIB_krb_enable_debug $LIBS"
-fi
-
-
-
-
-
-echo "$as_me:$LINENO: checking for krb_disable_debug" >&5
-echo $ECHO_N "checking for krb_disable_debug... $ECHO_C" >&6
-if test "${ac_cv_funclib_krb_disable_debug+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-
-if eval "test \"\$ac_cv_func_krb_disable_debug\" != yes" ; then
-	ac_save_LIBS="$LIBS"
-	for ac_lib in "" ; do
-		case "$ac_lib" in
-		"") ;;
-		yes) ac_lib="" ;;
-		no) continue ;;
-		-l*) ;;
-		*) ac_lib="-l$ac_lib" ;;
-		esac
-		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-krb_disable_debug()
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "if test -n \"$ac_lib\";then ac_cv_funclib_krb_disable_debug=$ac_lib; else ac_cv_funclib_krb_disable_debug=yes; fi";break
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-	done
-	eval "ac_cv_funclib_krb_disable_debug=\${ac_cv_funclib_krb_disable_debug-no}"
-	LIBS="$ac_save_LIBS"
-fi
-
-fi
-
-
-eval "ac_res=\$ac_cv_funclib_krb_disable_debug"
-
-if false; then
-
-for ac_func in krb_disable_debug
-do
-as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define $ac_func innocuous_$ac_func
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef $ac_func
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char $ac_func ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != $ac_func;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "$as_ac_var=yes"
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-eval "$as_ac_var=no"
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
-if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-done
-
-fi
-# krb_disable_debug
-eval "ac_tr_func=HAVE_`echo krb_disable_debug | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "LIB_krb_disable_debug=$ac_res"
-
-case "$ac_res" in
-	yes)
-	eval "ac_cv_func_krb_disable_debug=yes"
-	eval "LIB_krb_disable_debug="
-	cat >>confdefs.h <<_ACEOF
-#define $ac_tr_func 1
-_ACEOF
-
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-	;;
-	no)
-	eval "ac_cv_func_krb_disable_debug=no"
-	eval "LIB_krb_disable_debug="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-	;;
-	*)
-	eval "ac_cv_func_krb_disable_debug=yes"
-	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >>confdefs.h <<_ACEOF
-#define $ac_tr_func 1
-_ACEOF
-
-	cat >>confdefs.h <<_ACEOF
-#define $ac_tr_lib 1
-_ACEOF
-
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
-	;;
-esac
-
-
-if test -n "$LIB_krb_disable_debug"; then
-	LIBS="$LIB_krb_disable_debug $LIBS"
-fi
-
-
-
-
-
-echo "$as_me:$LINENO: checking for krb_get_our_ip_for_realm" >&5
-echo $ECHO_N "checking for krb_get_our_ip_for_realm... $ECHO_C" >&6
-if test "${ac_cv_funclib_krb_get_our_ip_for_realm+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-
-if eval "test \"\$ac_cv_func_krb_get_our_ip_for_realm\" != yes" ; then
-	ac_save_LIBS="$LIBS"
-	for ac_lib in "" ; do
-		case "$ac_lib" in
-		"") ;;
-		yes) ac_lib="" ;;
-		no) continue ;;
-		-l*) ;;
-		*) ac_lib="-l$ac_lib" ;;
-		esac
-		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-krb_get_our_ip_for_realm()
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "if test -n \"$ac_lib\";then ac_cv_funclib_krb_get_our_ip_for_realm=$ac_lib; else ac_cv_funclib_krb_get_our_ip_for_realm=yes; fi";break
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-	done
-	eval "ac_cv_funclib_krb_get_our_ip_for_realm=\${ac_cv_funclib_krb_get_our_ip_for_realm-no}"
-	LIBS="$ac_save_LIBS"
-fi
-
-fi
-
-
-eval "ac_res=\$ac_cv_funclib_krb_get_our_ip_for_realm"
-
-if false; then
-
-for ac_func in krb_get_our_ip_for_realm
-do
-as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define $ac_func innocuous_$ac_func
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef $ac_func
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char $ac_func ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != $ac_func;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "$as_ac_var=yes"
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-eval "$as_ac_var=no"
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
-if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-done
-
-fi
-# krb_get_our_ip_for_realm
-eval "ac_tr_func=HAVE_`echo krb_get_our_ip_for_realm | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "LIB_krb_get_our_ip_for_realm=$ac_res"
-
-case "$ac_res" in
-	yes)
-	eval "ac_cv_func_krb_get_our_ip_for_realm=yes"
-	eval "LIB_krb_get_our_ip_for_realm="
-	cat >>confdefs.h <<_ACEOF
-#define $ac_tr_func 1
-_ACEOF
-
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-	;;
-	no)
-	eval "ac_cv_func_krb_get_our_ip_for_realm=no"
-	eval "LIB_krb_get_our_ip_for_realm="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-	;;
-	*)
-	eval "ac_cv_func_krb_get_our_ip_for_realm=yes"
-	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >>confdefs.h <<_ACEOF
-#define $ac_tr_func 1
-_ACEOF
-
-	cat >>confdefs.h <<_ACEOF
-#define $ac_tr_lib 1
-_ACEOF
-
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
-	;;
-esac
-
-
-if test -n "$LIB_krb_get_our_ip_for_realm"; then
-	LIBS="$LIB_krb_get_our_ip_for_realm $LIBS"
-fi
-
-
-
-
-
-echo "$as_me:$LINENO: checking for krb_kdctimeofday" >&5
-echo $ECHO_N "checking for krb_kdctimeofday... $ECHO_C" >&6
-if test "${ac_cv_funclib_krb_kdctimeofday+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-
-if eval "test \"\$ac_cv_func_krb_kdctimeofday\" != yes" ; then
-	ac_save_LIBS="$LIBS"
-	for ac_lib in "" ; do
-		case "$ac_lib" in
-		"") ;;
-		yes) ac_lib="" ;;
-		no) continue ;;
-		-l*) ;;
-		*) ac_lib="-l$ac_lib" ;;
-		esac
-		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-krb_kdctimeofday()
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "if test -n \"$ac_lib\";then ac_cv_funclib_krb_kdctimeofday=$ac_lib; else ac_cv_funclib_krb_kdctimeofday=yes; fi";break
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-	done
-	eval "ac_cv_funclib_krb_kdctimeofday=\${ac_cv_funclib_krb_kdctimeofday-no}"
-	LIBS="$ac_save_LIBS"
-fi
-
-fi
-
-
-eval "ac_res=\$ac_cv_funclib_krb_kdctimeofday"
-
-if false; then
-
-for ac_func in krb_kdctimeofday
-do
-as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define $ac_func innocuous_$ac_func
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef $ac_func
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char $ac_func ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != $ac_func;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "$as_ac_var=yes"
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-eval "$as_ac_var=no"
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
-if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-done
-
-fi
-# krb_kdctimeofday
-eval "ac_tr_func=HAVE_`echo krb_kdctimeofday | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "LIB_krb_kdctimeofday=$ac_res"
-
-case "$ac_res" in
-	yes)
-	eval "ac_cv_func_krb_kdctimeofday=yes"
-	eval "LIB_krb_kdctimeofday="
-	cat >>confdefs.h <<_ACEOF
-#define $ac_tr_func 1
+#define OPENLDAP_MODULE 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-	;;
-	no)
-	eval "ac_cv_func_krb_kdctimeofday=no"
-	eval "LIB_krb_kdctimeofday="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-	;;
-	*)
-	eval "ac_cv_func_krb_kdctimeofday=yes"
-	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >>confdefs.h <<_ACEOF
-#define $ac_tr_func 1
-_ACEOF
-
-	cat >>confdefs.h <<_ACEOF
-#define $ac_tr_lib 1
-_ACEOF
-
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
-	;;
-esac
-
-
-if test -n "$LIB_krb_kdctimeofday"; then
-	LIBS="$LIB_krb_kdctimeofday $LIBS"
-fi
-
-
-
-
-
-
-
-echo "$as_me:$LINENO: checking for krb_get_kdc_time_diff" >&5
-echo $ECHO_N "checking for krb_get_kdc_time_diff... $ECHO_C" >&6
-if test "${ac_cv_funclib_krb_get_kdc_time_diff+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-
-if eval "test \"\$ac_cv_func_krb_get_kdc_time_diff\" != yes" ; then
-	ac_save_LIBS="$LIBS"
-	for ac_lib in "" ; do
-		case "$ac_lib" in
-		"") ;;
-		yes) ac_lib="" ;;
-		no) continue ;;
-		-l*) ;;
-		*) ac_lib="-l$ac_lib" ;;
-		esac
-		LIBS=" $ac_lib  $ac_save_LIBS"
-		cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-krb_get_kdc_time_diff()
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "if test -n \"$ac_lib\";then ac_cv_funclib_krb_get_kdc_time_diff=$ac_lib; else ac_cv_funclib_krb_get_kdc_time_diff=yes; fi";break
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
 fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-	done
-	eval "ac_cv_funclib_krb_get_kdc_time_diff=\${ac_cv_funclib_krb_get_kdc_time_diff-no}"
-	LIBS="$ac_save_LIBS"
-fi
-
-fi
-
-
-eval "ac_res=\$ac_cv_funclib_krb_get_kdc_time_diff"
-
-if false; then
-
-for ac_func in krb_get_kdc_time_diff
-do
-as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define $ac_func innocuous_$ac_func
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef $ac_func
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char $ac_func ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != $ac_func;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "$as_ac_var=yes"
+ if test "$enable_hdb_openldap_module" = yes -a "$with_openldap" = yes; then
+  OPENLDAP_MODULE_TRUE=
+  OPENLDAP_MODULE_FALSE='#'
 else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-eval "$as_ac_var=no"
+  OPENLDAP_MODULE_TRUE='#'
+  OPENLDAP_MODULE_FALSE=
 fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
-if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
 
-fi
-done
 
+# Check whether --enable-pk-init was given.
+if test "${enable_pk_init+set}" = set; then
+  enableval=$enable_pk_init;
 fi
-# krb_get_kdc_time_diff
-eval "ac_tr_func=HAVE_`echo krb_get_kdc_time_diff | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
-eval "LIB_krb_get_kdc_time_diff=$ac_res"
 
-case "$ac_res" in
-	yes)
-	eval "ac_cv_func_krb_get_kdc_time_diff=yes"
-	eval "LIB_krb_get_kdc_time_diff="
-	cat >>confdefs.h <<_ACEOF
-#define $ac_tr_func 1
-_ACEOF
+if test "$enable_pk_init" != no ;then
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-	;;
-	no)
-	eval "ac_cv_func_krb_get_kdc_time_diff=no"
-	eval "LIB_krb_get_kdc_time_diff="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-	;;
-	*)
-	eval "ac_cv_func_krb_get_kdc_time_diff=yes"
-	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
-	cat >>confdefs.h <<_ACEOF
-#define $ac_tr_func 1
-_ACEOF
-
-	cat >>confdefs.h <<_ACEOF
-#define $ac_tr_lib 1
+cat >>confdefs.h <<\_ACEOF
+#define PKINIT 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
-	;;
-esac
-
-
-if test -n "$LIB_krb_get_kdc_time_diff"; then
-	LIBS="$LIB_krb_get_kdc_time_diff $LIBS"
 fi
-
-
-
-	echo "$as_me:$LINENO: checking for KRB_SENDAUTH_VERS" >&5
-echo $ECHO_N "checking for KRB_SENDAUTH_VERS... $ECHO_C" >&6
-if test "${ac_cv_func_krb_sendauth_vers+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <krb.h>
-			#include <prot.h>
-int
-main ()
-{
-
-		char *x = KRB_SENDAUTH_VERS
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_func_krb_sendauth_vers=yes
+ if test "$enable_pk_init" != no; then
+  PKINIT_TRUE=
+  PKINIT_FALSE='#'
 else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_krb_sendauth_vers=no
+  PKINIT_TRUE='#'
+  PKINIT_FALSE=
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_krb_sendauth_vers" >&5
-echo "${ECHO_T}$ac_cv_func_krb_sendauth_vers" >&6
-	if test "$ac_cv_func_krb_sendauth_vers" != yes; then
 
-cat >>confdefs.h <<\_ACEOF
-#define KRB_SENDAUTH_VERS "AUTHV0.1"
-_ACEOF
 
-	fi
-	echo "$as_me:$LINENO: checking for krb_mk_req with const arguments" >&5
-echo $ECHO_N "checking for krb_mk_req with const arguments... $ECHO_C" >&6
-if test "${ac_cv_func_krb_mk_req_const+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <krb.h>
-		int krb_mk_req(KTEXT a, const char *s, const char *i,
-			       const char *r, int32_t checksum)
-		{ return 17; }
-int
-main ()
-{
 
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_func_krb_mk_req_const=yes
+# Check whether --with-hdbdir was given.
+if test "${with_hdbdir+set}" = set; then
+  withval=$with_hdbdir;
 else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_krb_mk_req_const=no
+  with_hdbdir=/var/heimdal
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_krb_mk_req_const" >&5
-echo "${ECHO_T}$ac_cv_func_krb_mk_req_const" >&6
-	if test "$ac_cv_func_krb_mk_req_const" = "yes"; then
+DIR_hdbdir="$with_hdbdir"
 
-cat >>confdefs.h <<\_ACEOF
-#define KRB_MK_REQ_CONST 1
-_ACEOF
 
-	fi
 
-	LIBS="$save_LIBS"
-	CFLAGS="$save_CFLAGS"
-	LIB_kdb="-lkdb -lkrb"
-fi
+with_krb4=no
 
 
-if test "$with_krb4" != "no"; then
+ if false; then
   KRB4_TRUE=
   KRB4_FALSE='#'
 else
@@ -21891,8 +20610,7 @@ else
 fi
 
 
-
-if true; then
+ if true; then
   KRB5_TRUE=
   KRB5_FALSE='#'
 else
@@ -21900,9 +20618,7 @@ else
   KRB5_FALSE=
 fi
 
-
-
-if true; then
+ if true; then
   do_roken_rename_TRUE=
   do_roken_rename_FALSE='#'
 else
@@ -21920,37 +20636,37 @@ _ACEOF
 crypto_lib=unknown
 
 
-# Check whether --with-openssl or --without-openssl was given.
+# Check whether --with-openssl was given.
 if test "${with_openssl+set}" = set; then
-  withval="$with_openssl"
+  withval=$with_openssl;
+fi
 
-fi;
 
 
-# Check whether --with-openssl-lib or --without-openssl-lib was given.
+# Check whether --with-openssl-lib was given.
 if test "${with_openssl_lib+set}" = set; then
-  withval="$with_openssl_lib"
-  if test "$withval" = "yes" -o "$withval" = "no"; then
+  withval=$with_openssl_lib; if test "$withval" = "yes" -o "$withval" = "no"; then
   { { echo "$as_me:$LINENO: error: No argument for --with-openssl-lib" >&5
 echo "$as_me: error: No argument for --with-openssl-lib" >&2;}
    { (exit 1); exit 1; }; }
 elif test "X$with_openssl" = "X"; then
   with_openssl=yes
 fi
-fi;
+fi
+
 
 
-# Check whether --with-openssl-include or --without-openssl-include was given.
+# Check whether --with-openssl-include was given.
 if test "${with_openssl_include+set}" = set; then
-  withval="$with_openssl_include"
-  if test "$withval" = "yes" -o "$withval" = "no"; then
+  withval=$with_openssl_include; if test "$withval" = "yes" -o "$withval" = "no"; then
   { { echo "$as_me:$LINENO: error: No argument for --with-openssl-include" >&5
 echo "$as_me: error: No argument for --with-openssl-include" >&2;}
    { (exit 1); exit 1; }; }
 elif test "X$with_openssl" = "X"; then
   with_openssl=yes
 fi
-fi;
+fi
+
 
 case "$with_openssl" in
 yes)	;;
@@ -21966,13 +20682,12 @@ no)	;;
 esac
 
 
-DIR_des=
+DIR_hcrypto=
 
-echo "$as_me:$LINENO: checking for crypto library" >&5
-echo $ECHO_N "checking for crypto library... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for crypto library" >&5
+echo $ECHO_N "checking for crypto library... $ECHO_C" >&6; }
 
 openssl=no
-old_hash=no
 
 if test "$crypto_lib" = "unknown" -a "$with_krb4" != "no"; then
 	save_CPPFLAGS="$CPPFLAGS"
@@ -22001,33 +20716,32 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 		#undef KRB5 /* makes md4.h et al unhappy */
 		#ifdef HAVE_OPENSSL
+		#ifdef HAVE_SYS_TYPES_H
+		#include <sys/types.h>
+		#endif
+		#include <openssl/evp.h>
 		#include <openssl/md4.h>
 		#include <openssl/md5.h>
 		#include <openssl/sha.h>
-		#define OPENSSL_DES_LIBDES_COMPATIBILITY
 		#include <openssl/des.h>
 		#include <openssl/rc4.h>
+		#include <openssl/aes.h>
+		#include <openssl/engine.h>
+		#include <openssl/ui.h>
 		#include <openssl/rand.h>
+		#include <openssl/hmac.h>
+		#include <openssl/pkcs12.h>
 		#else
-		#include <md4.h>
-		#include <md5.h>
-		#include <sha.h>
-		#include <des.h>
-		#include <rc4.h>
-		#endif
-		#ifdef OLD_HASH_NAMES
-		typedef struct md4 MD4_CTX;
-		#define MD4_Init(C) md4_init((C))
-		#define MD4_Update(C, D, L) md4_update((C), (D), (L))
-		#define MD4_Final(D, C) md4_finito((C), (D))
-		typedef struct md5 MD5_CTX;
-		#define MD5_Init(C) md5_init((C))
-		#define MD5_Update(C, D, L) md5_update((C), (D), (L))
-		#define MD5_Final(D, C) md5_finito((C), (D))
-		typedef struct sha SHA_CTX;
-		#define SHA1_Init(C) sha_init((C))
-		#define SHA1_Update(C, D, L) sha_update((C), (D), (L))
-		#define SHA1_Final(D, C) sha_finito((C), (D))
+		#include <hcrypto/evp.h>
+		#include <hcrypto/md4.h>
+		#include <hcrypto/md5.h>
+		#include <hcrypto/sha.h>
+		#include <hcrypto/des.h>
+		#include <hcrypto/rc4.h>
+		#include <hcrypto/aes.h>
+		#include <hcrypto/engine.h>
+		#include <hcrypto/hmac.h>
+		#include <hcrypto/pkcs12.h>
 		#endif
 
 int
@@ -22038,49 +20752,53 @@ main ()
 		MD4_CTX md4;
 		MD5_CTX md5;
 		SHA_CTX sha1;
+		SHA256_CTX sha256;
 
 		MD4_Init(&md4);
 		MD5_Init(&md5);
 		SHA1_Init(&sha1);
+		SHA256_Init(&sha256);
+		EVP_CIPHER_iv_length(((EVP_CIPHER*)0));
 		#ifdef HAVE_OPENSSL
 		RAND_status();
+		UI_UTIL_read_pw_string(0,0,0,0);
 		#endif
 
-		des_cbc_encrypt(0, 0, 0, schedule, 0, 0);
+		OpenSSL_add_all_algorithms();
+		AES_encrypt(0,0,0);
+		DES_cbc_encrypt(0, 0, 0, schedule, 0, 0);
 		RC4(0, 0, 0, 0);
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   openssl=yes ires="$i" lres="$j $k"; break 3
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 			done
 		done
@@ -22097,129 +20815,32 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 		#undef KRB5 /* makes md4.h et al unhappy */
 		#ifdef HAVE_OPENSSL
-		#include <openssl/md4.h>
-		#include <openssl/md5.h>
-		#include <openssl/sha.h>
-		#define OPENSSL_DES_LIBDES_COMPATIBILITY
-		#include <openssl/des.h>
-		#include <openssl/rc4.h>
-		#include <openssl/rand.h>
-		#else
-		#include <md4.h>
-		#include <md5.h>
-		#include <sha.h>
-		#include <des.h>
-		#include <rc4.h>
-		#endif
-		#ifdef OLD_HASH_NAMES
-		typedef struct md4 MD4_CTX;
-		#define MD4_Init(C) md4_init((C))
-		#define MD4_Update(C, D, L) md4_update((C), (D), (L))
-		#define MD4_Final(D, C) md4_finito((C), (D))
-		typedef struct md5 MD5_CTX;
-		#define MD5_Init(C) md5_init((C))
-		#define MD5_Update(C, D, L) md5_update((C), (D), (L))
-		#define MD5_Final(D, C) md5_finito((C), (D))
-		typedef struct sha SHA_CTX;
-		#define SHA1_Init(C) sha_init((C))
-		#define SHA1_Update(C, D, L) sha_update((C), (D), (L))
-		#define SHA1_Final(D, C) sha_finito((C), (D))
-		#endif
-
-int
-main ()
-{
-
-		void *schedule = 0;
-		MD4_CTX md4;
-		MD5_CTX md5;
-		SHA_CTX sha1;
-
-		MD4_Init(&md4);
-		MD5_Init(&md5);
-		SHA1_Init(&sha1);
-		#ifdef HAVE_OPENSSL
-		RAND_status();
+		#ifdef HAVE_SYS_TYPES_H
+		#include <sys/types.h>
 		#endif
-
-		des_cbc_encrypt(0, 0, 0, schedule, 0, 0);
-		RC4(0, 0, 0, 0);
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  openssl=no ires="$i" lres="$j $k"; break 3
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-			done
-		done
-		CFLAGS="-DHAVE_OLD_HASH_NAMES $i $save_CFLAGS"
-		for j in $cdirs; do
-			for k in $clibs; do
-				LIBS="$j $k $save_LIBS"
-				cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-		#undef KRB5 /* makes md4.h et al unhappy */
-		#ifdef HAVE_OPENSSL
+		#include <openssl/evp.h>
 		#include <openssl/md4.h>
 		#include <openssl/md5.h>
 		#include <openssl/sha.h>
-		#define OPENSSL_DES_LIBDES_COMPATIBILITY
 		#include <openssl/des.h>
 		#include <openssl/rc4.h>
+		#include <openssl/aes.h>
+		#include <openssl/engine.h>
+		#include <openssl/ui.h>
 		#include <openssl/rand.h>
+		#include <openssl/hmac.h>
+		#include <openssl/pkcs12.h>
 		#else
-		#include <md4.h>
-		#include <md5.h>
-		#include <sha.h>
-		#include <des.h>
-		#include <rc4.h>
-		#endif
-		#ifdef OLD_HASH_NAMES
-		typedef struct md4 MD4_CTX;
-		#define MD4_Init(C) md4_init((C))
-		#define MD4_Update(C, D, L) md4_update((C), (D), (L))
-		#define MD4_Final(D, C) md4_finito((C), (D))
-		typedef struct md5 MD5_CTX;
-		#define MD5_Init(C) md5_init((C))
-		#define MD5_Update(C, D, L) md5_update((C), (D), (L))
-		#define MD5_Final(D, C) md5_finito((C), (D))
-		typedef struct sha SHA_CTX;
-		#define SHA1_Init(C) sha_init((C))
-		#define SHA1_Update(C, D, L) sha_update((C), (D), (L))
-		#define SHA1_Final(D, C) sha_finito((C), (D))
+		#include <hcrypto/evp.h>
+		#include <hcrypto/md4.h>
+		#include <hcrypto/md5.h>
+		#include <hcrypto/sha.h>
+		#include <hcrypto/des.h>
+		#include <hcrypto/rc4.h>
+		#include <hcrypto/aes.h>
+		#include <hcrypto/engine.h>
+		#include <hcrypto/hmac.h>
+		#include <hcrypto/pkcs12.h>
 		#endif
 
 int
@@ -22230,49 +20851,53 @@ main ()
 		MD4_CTX md4;
 		MD5_CTX md5;
 		SHA_CTX sha1;
+		SHA256_CTX sha256;
 
 		MD4_Init(&md4);
 		MD5_Init(&md5);
 		SHA1_Init(&sha1);
+		SHA256_Init(&sha256);
+		EVP_CIPHER_iv_length(((EVP_CIPHER*)0));
 		#ifdef HAVE_OPENSSL
 		RAND_status();
+		UI_UTIL_read_pw_string(0,0,0,0);
 		#endif
 
-		des_cbc_encrypt(0, 0, 0, schedule, 0, 0);
+		OpenSSL_add_all_algorithms();
+		AES_encrypt(0,0,0);
+		DES_cbc_encrypt(0, 0, 0, schedule, 0, 0);
 		RC4(0, 0, 0, 0);
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   openssl=no ires="$i" lres="$j $k"; break 3
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 			done
 		done
@@ -22281,36 +20906,36 @@ rm -f conftest.err conftest.$ac_objext \
 	CFLAGS="$save_CFLAGS"
 	LIBS="$save_LIBS"
 	if test "$ires" -a "$lres"; then
-		INCLUDE_des="$ires"
-		LIB_des="$lres"
+		INCLUDE_hcrypto="$ires"
+		LIB_hcrypto="$lres"
 		crypto_lib=krb4
-		echo "$as_me:$LINENO: result: same as krb4" >&5
-echo "${ECHO_T}same as krb4" >&6
-		LIB_des_a='$(LIB_des)'
-		LIB_des_so='$(LIB_des)'
-		LIB_des_appl='$(LIB_des)'
+		{ echo "$as_me:$LINENO: result: same as krb4" >&5
+echo "${ECHO_T}same as krb4" >&6; }
+		LIB_hcrypto_a='$(LIB_hcrypto)'
+		LIB_hcrypto_so='$(LIB_hcrypto)'
+		LIB_hcrypto_appl='$(LIB_hcrypto)'
 	fi
 fi
 
 if test "$crypto_lib" = "unknown" -a "$with_openssl" != "no"; then
 	save_CFLAGS="$CFLAGS"
 	save_LIBS="$LIBS"
-	INCLUDE_des=
-	LIB_des=
+	INCLUDE_hcrypto=
+	LIB_hcrypto=
 	if test "$with_openssl_include" != ""; then
-		INCLUDE_des="-I${with_openssl_include}"
+		INCLUDE_hcrypto="-I${with_openssl_include}"
 	fi
 	if test "$with_openssl_lib" != ""; then
-		LIB_des="-L${with_openssl_lib}"
+		LIB_hcrypto="-L${with_openssl_lib}"
 	fi
-	CFLAGS="-DHAVE_OPENSSL ${INCLUDE_des} ${CFLAGS}"
-	saved_LIB_des="$LIB_des"
-	for lres in "" "-lnsl -lsocket"; do
-		LIB_des="${saved_LIB_des} -lcrypto $lres"
-		LIB_des_a="$LIB_des"
-		LIB_des_so="$LIB_des"
-		LIB_des_appl="$LIB_des"
-		LIBS="${LIBS} ${LIB_des}"
+	CFLAGS="-DHAVE_OPENSSL ${INCLUDE_hcrypto} ${CFLAGS}"
+	saved_LIB_hcrypto="$LIB_hcrypto"
+	for lres in "" "-ldl" "-lnsl -lsocket" "-lnsl -lsocket -ldl"; do
+		LIB_hcrypto="${saved_LIB_hcrypto} -lcrypto $lres"
+		LIB_hcrypto_a="$LIB_hcrypto"
+		LIB_hcrypto_so="$LIB_hcrypto"
+		LIB_hcrypto_appl="$LIB_hcrypto"
+		LIBS="${LIBS} ${LIB_hcrypto}"
 		cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -22320,33 +20945,32 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 		#undef KRB5 /* makes md4.h et al unhappy */
 		#ifdef HAVE_OPENSSL
+		#ifdef HAVE_SYS_TYPES_H
+		#include <sys/types.h>
+		#endif
+		#include <openssl/evp.h>
 		#include <openssl/md4.h>
 		#include <openssl/md5.h>
 		#include <openssl/sha.h>
-		#define OPENSSL_DES_LIBDES_COMPATIBILITY
 		#include <openssl/des.h>
 		#include <openssl/rc4.h>
+		#include <openssl/aes.h>
+		#include <openssl/engine.h>
+		#include <openssl/ui.h>
 		#include <openssl/rand.h>
+		#include <openssl/hmac.h>
+		#include <openssl/pkcs12.h>
 		#else
-		#include <md4.h>
-		#include <md5.h>
-		#include <sha.h>
-		#include <des.h>
-		#include <rc4.h>
-		#endif
-		#ifdef OLD_HASH_NAMES
-		typedef struct md4 MD4_CTX;
-		#define MD4_Init(C) md4_init((C))
-		#define MD4_Update(C, D, L) md4_update((C), (D), (L))
-		#define MD4_Final(D, C) md4_finito((C), (D))
-		typedef struct md5 MD5_CTX;
-		#define MD5_Init(C) md5_init((C))
-		#define MD5_Update(C, D, L) md5_update((C), (D), (L))
-		#define MD5_Final(D, C) md5_finito((C), (D))
-		typedef struct sha SHA_CTX;
-		#define SHA1_Init(C) sha_init((C))
-		#define SHA1_Update(C, D, L) sha_update((C), (D), (L))
-		#define SHA1_Final(D, C) sha_finito((C), (D))
+		#include <hcrypto/evp.h>
+		#include <hcrypto/md4.h>
+		#include <hcrypto/md5.h>
+		#include <hcrypto/sha.h>
+		#include <hcrypto/des.h>
+		#include <hcrypto/rc4.h>
+		#include <hcrypto/aes.h>
+		#include <hcrypto/engine.h>
+		#include <hcrypto/hmac.h>
+		#include <hcrypto/pkcs12.h>
 		#endif
 
 int
@@ -22357,53 +20981,57 @@ main ()
 		MD4_CTX md4;
 		MD5_CTX md5;
 		SHA_CTX sha1;
+		SHA256_CTX sha256;
 
 		MD4_Init(&md4);
 		MD5_Init(&md5);
 		SHA1_Init(&sha1);
+		SHA256_Init(&sha256);
+		EVP_CIPHER_iv_length(((EVP_CIPHER*)0));
 		#ifdef HAVE_OPENSSL
 		RAND_status();
+		UI_UTIL_read_pw_string(0,0,0,0);
 		#endif
 
-		des_cbc_encrypt(0, 0, 0, schedule, 0, 0);
+		OpenSSL_add_all_algorithms();
+		AES_encrypt(0,0,0);
+		DES_cbc_encrypt(0, 0, 0, schedule, 0, 0);
 		RC4(0, 0, 0, 0);
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
 
 			crypto_lib=libcrypto openssl=yes
-			echo "$as_me:$LINENO: result: libcrypto" >&5
-echo "${ECHO_T}libcrypto" >&6
+			{ echo "$as_me:$LINENO: result: libcrypto" >&5
+echo "${ECHO_T}libcrypto" >&6; }
 
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 		if test "$crypto_lib" = libcrypto ; then
 			break;
@@ -22415,14 +21043,14 @@ fi
 
 if test "$crypto_lib" = "unknown"; then
 
-  DIR_des='des'
-  LIB_des='$(top_builddir)/lib/des/libdes.la'
-  LIB_des_a='$(top_builddir)/lib/des/.libs/libdes.a'
-  LIB_des_so='$(top_builddir)/lib/des/.libs/libdes.so'
-  LIB_des_appl="-ldes"
+  DIR_hcrypto='hcrypto'
+  LIB_hcrypto='$(top_builddir)/lib/hcrypto/libhcrypto.la'
+  LIB_hcrypto_a='$(top_builddir)/lib/hcrypto/.libs/libhcrypto.a'
+  LIB_hcrypto_so='$(top_builddir)/lib/hcrypto/.libs/libhcrypto.so'
+  LIB_hcrypto_appl="-lhcrypto"
 
-  echo "$as_me:$LINENO: result: included libdes" >&5
-echo "${ECHO_T}included libdes" >&6
+  { echo "$as_me:$LINENO: result: included libhcrypto" >&5
+echo "${ECHO_T}included libhcrypto" >&6; }
 
 fi
 
@@ -22443,16 +21071,7 @@ cat >>confdefs.h <<\_ACEOF
 _ACEOF
 
 fi
-if test "$old_hash" = yes; then
-
-cat >>confdefs.h <<\_ACEOF
-#define HAVE_OLD_HASH_NAMES 1
-_ACEOF
-
-fi
-
-
-if test "$openssl" = yes; then
+ if test "$openssl" = yes; then
   HAVE_OPENSSL_TRUE=
   HAVE_OPENSSL_FALSE='#'
 else
@@ -22468,21 +21087,96 @@ fi
 
 
 
-# Check whether --enable-dce or --disable-dce was given.
-if test "${enable_dce+set}" = set; then
-  enableval="$enable_dce"
 
-fi;
-if test "$enable_dce" = yes; then
+{ echo "$as_me:$LINENO: checking if compiling threadsafe libraries" >&5
+echo $ECHO_N "checking if compiling threadsafe libraries... $ECHO_C" >&6; }
+
+# Check whether --enable-pthread-support was given.
+if test "${enable_pthread_support+set}" = set; then
+  enableval=$enable_pthread_support;
+else
+  enable_pthread_support=maybe
+fi
+
+
+case "$host" in
+*-*-solaris2*)
+	native_pthread_support=yes
+	if test "$GCC" = yes; then
+		PTHREADS_CFLAGS=-pthreads
+		PTHREADS_LIBS=-pthreads
+	else
+		PTHREADS_CFLAGS=-mt
+		PTHREADS_LIBS=-mt
+	fi
+	;;
+*-*-netbsd*)
+	native_pthread_support="if running netbsd 1.6T or newer"
+		PTHREADS_LIBS=""
+	;;
+*-*-freebsd5*)
+	native_pthread_support=yes
+	;;
+*-*-linux* | *-*-linux-gnu)
+	case `uname -r` in
+	2.*)
+		native_pthread_support=yes
+		PTHREADS_CFLAGS=-pthread
+		PTHREADS_LIBS=-pthread
+		;;
+	esac
+	;;
+*-*-aix*)
+	        	native_pthread_support=no
+	;;
+mips-sgi-irix6.[5-9])  # maybe works for earlier versions too
+	native_pthread_support=yes
+	PTHREADS_LIBS="-lpthread"
+	;;
+*-*-darwin*)
+	native_pthread_support=yes
+	;;
+*)
+	native_pthread_support=no
+	;;
+esac
+
+if test "$enable_pthread_support" = maybe ; then
+	enable_pthread_support="$native_pthread_support"
+fi
+
+if test "$enable_pthread_support" != no; then
 
 cat >>confdefs.h <<\_ACEOF
-#define DCE 1
+#define ENABLE_PTHREAD_SUPPORT 1
 _ACEOF
 
+            LIBS="$PTHREADS_LIBS $LIBS"
+else
+  PTHREADS_CFLAGS=""
+  PTHREADS_LIBS=""
 fi
 
 
+
+
+{ echo "$as_me:$LINENO: result: $enable_pthread_support" >&5
+echo "${ECHO_T}$enable_pthread_support" >&6; }
+
+
+# Check whether --enable-dce was given.
+if test "${enable_dce+set}" = set; then
+  enableval=$enable_dce;
+fi
+
 if test "$enable_dce" = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define DCE 1
+_ACEOF
+
+fi
+ if test "$enable_dce" = yes; then
   DCE_TRUE=
   DCE_FALSE='#'
 else
@@ -22505,13 +21199,33 @@ fi
 
 
 
+# Check whether --enable-afs-support was given.
+if test "${enable_afs_support+set}" = set; then
+  enableval=$enable_afs_support;
+fi
+
+if test "$enable_afs_support" = no; then
 
-# Check whether --enable-berkeley-db or --disable-berkeley-db was given.
+cat >>confdefs.h <<\_ACEOF
+#define NO_AFS 1
+_ACEOF
+
+fi
+
+
+# Check whether --enable-berkeley-db was given.
 if test "${enable_berkeley_db+set}" = set; then
-  enableval="$enable_berkeley_db"
+  enableval=$enable_berkeley_db;
+
+fi
 
 
-fi;
+# Check whether --enable-ndbm-db was given.
+if test "${enable_ndbm_db+set}" = set; then
+  enableval=$enable_ndbm_db;
+
+fi
+
 
 have_ndbm=no
 db_type=unknown
@@ -22530,18 +21244,19 @@ for ac_header in 				\
 
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -22552,41 +21267,37 @@ $ac_includes_default
 #include <$ac_header>
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_header_compiler=no
+	ac_header_compiler=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -22595,24 +21306,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <$ac_header>
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   ac_header_preproc=yes
 else
   echo "$as_me: failed program was:" >&5
@@ -22620,9 +21329,10 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
+
 rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
@@ -22646,25 +21356,24 @@ echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\
 echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
     { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-    (
-      cat <<\_ASBOX
-## -------------------------------------- ##
-## Report this to heimdal-bugs@pdc.kth.se ##
-## -------------------------------------- ##
+    ( cat <<\_ASBOX
+## ----------------------------------- ##
+## Report this to heimdal-bugs@h5l.org ##
+## ----------------------------------- ##
 _ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
+     ) | sed "s/^/$as_me: WARNING:     /" >&2
     ;;
 esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   eval "$as_ac_Header=\$ac_header_preproc"
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 
 fi
 if test `eval echo '${'$as_ac_Header'}'` = yes; then
@@ -22681,8 +21390,8 @@ done
 
 
 
-echo "$as_me:$LINENO: checking for db_create" >&5
-echo $ECHO_N "checking for db_create... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for db_create" >&5
+echo $ECHO_N "checking for db_create... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_db_create+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -22723,34 +21432,32 @@ db_create(NULL, NULL, 0)
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_db_create=$ac_lib; else ac_cv_funclib_db_create=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_db_create=\${ac_cv_funclib_db_create-no}"
@@ -22767,9 +21474,9 @@ if false; then
 for ac_func in db_create
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -22795,68 +21502,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -22879,14 +21578,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_db_create=no"
 	eval "LIB_db_create="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_db_create=yes"
@@ -22899,8 +21598,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -22924,8 +21623,8 @@ _ACEOF
 
 
 
-echo "$as_me:$LINENO: checking for dbopen" >&5
-echo $ECHO_N "checking for dbopen... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for dbopen" >&5
+echo $ECHO_N "checking for dbopen... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_dbopen+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -22968,34 +21667,32 @@ dbopen(NULL, 0, 0, 0, NULL)
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_dbopen=$ac_lib; else ac_cv_funclib_dbopen=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_dbopen=\${ac_cv_funclib_dbopen-no}"
@@ -23012,9 +21709,9 @@ if false; then
 for ac_func in dbopen
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -23040,68 +21737,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -23124,14 +21813,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_dbopen=no"
 	eval "LIB_dbopen="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_dbopen=yes"
@@ -23144,8 +21833,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -23170,8 +21859,8 @@ _ACEOF
   if test "$ac_cv_func_dbm_firstkey" != yes; then
 
 
-echo "$as_me:$LINENO: checking for dbm_firstkey" >&5
-echo $ECHO_N "checking for dbm_firstkey... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for dbm_firstkey" >&5
+echo $ECHO_N "checking for dbm_firstkey... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_dbm_firstkey+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -23208,34 +21897,32 @@ dbm_firstkey(NULL)
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_dbm_firstkey=$ac_lib; else ac_cv_funclib_dbm_firstkey=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_dbm_firstkey=\${ac_cv_funclib_dbm_firstkey-no}"
@@ -23252,9 +21939,9 @@ if false; then
 for ac_func in dbm_firstkey
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -23280,68 +21967,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -23364,14 +22043,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_dbm_firstkey=no"
 	eval "LIB_dbm_firstkey="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_dbm_firstkey=yes"
@@ -23384,8 +22063,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -23415,28 +22094,31 @@ _ACEOF
 
 fi # berkeley db
 
-if test "$db_type" = "unknown" -o "$ac_cv_func_dbm_firstkey" = ""; then
+if test "$enable_ndbm_db" != "no"; then
+
+  if test "$db_type" = "unknown" -o "$ac_cv_func_dbm_firstkey" = ""; then
 
 
 
 for ac_header in 				\
-	dbm.h					\
-	ndbm.h					\
+  	dbm.h					\
+  	ndbm.h					\
 
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -23447,41 +22129,37 @@ $ac_includes_default
 #include <$ac_header>
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_header_compiler=no
+	ac_header_compiler=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -23490,24 +22168,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <$ac_header>
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   ac_header_preproc=yes
 else
   echo "$as_me: failed program was:" >&5
@@ -23515,9 +22191,10 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
+
 rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
@@ -23541,25 +22218,24 @@ echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\
 echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
     { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-    (
-      cat <<\_ASBOX
-## -------------------------------------- ##
-## Report this to heimdal-bugs@pdc.kth.se ##
-## -------------------------------------- ##
+    ( cat <<\_ASBOX
+## ----------------------------------- ##
+## Report this to heimdal-bugs@h5l.org ##
+## ----------------------------------- ##
 _ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
+     ) | sed "s/^/$as_me: WARNING:     /" >&2
     ;;
 esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   eval "$as_ac_Header=\$ac_header_preproc"
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 
 fi
 if test `eval echo '${'$as_ac_Header'}'` = yes; then
@@ -23575,8 +22251,8 @@ done
 
 
 
-echo "$as_me:$LINENO: checking for dbm_firstkey" >&5
-echo $ECHO_N "checking for dbm_firstkey... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for dbm_firstkey" >&5
+echo $ECHO_N "checking for dbm_firstkey... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_dbm_firstkey+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -23599,13 +22275,13 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
-  #include <stdio.h>
-  #if defined(HAVE_NDBM_H)
-  #include <ndbm.h>
-  #elif defined(HAVE_DBM_H)
-  #include <dbm.h>
-  #endif
-  DBM *dbm;
+    #include <stdio.h>
+    #if defined(HAVE_NDBM_H)
+    #include <ndbm.h>
+    #elif defined(HAVE_DBM_H)
+    #include <dbm.h>
+    #endif
+    DBM *dbm;
 
 int
 main ()
@@ -23616,34 +22292,32 @@ dbm_firstkey(NULL)
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_dbm_firstkey=$ac_lib; else ac_cv_funclib_dbm_firstkey=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_dbm_firstkey=\${ac_cv_funclib_dbm_firstkey-no}"
@@ -23660,9 +22334,9 @@ if false; then
 for ac_func in dbm_firstkey
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -23688,68 +22362,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -23772,14 +22438,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_dbm_firstkey=no"
 	eval "LIB_dbm_firstkey="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_dbm_firstkey=yes"
@@ -23792,51 +22458,52 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
 
 
-  if test "$ac_cv_func_dbm_firstkey" = "yes"; then
-    if test "$ac_cv_funclib_dbm_firstkey" != "yes"; then
-      LIB_NDBM="$ac_cv_funclib_dbm_firstkey"
-    else
-      LIB_NDBM=""
-    fi
+    if test "$ac_cv_func_dbm_firstkey" = "yes"; then
+      if test "$ac_cv_funclib_dbm_firstkey" != "yes"; then
+        LIB_NDBM="$ac_cv_funclib_dbm_firstkey"
+      else
+        LIB_NDBM=""
+      fi
 
 cat >>confdefs.h <<\_ACEOF
 #define HAVE_NDBM 1
 _ACEOF
-    have_ndbm=yes
-    if test "$db_type" = "unknown"; then
-      db_type=ndbm
-      DBLIB="$LIB_NDBM"
-    fi
-  else
+      have_ndbm=yes
+      if test "$db_type" = "unknown"; then
+        db_type=ndbm
+        DBLIB="$LIB_NDBM"
+      fi
+    else
 
-    $as_unset ac_cv_func_dbm_firstkey
-    $as_unset ac_cv_funclib_dbm_firstkey
+      $as_unset ac_cv_func_dbm_firstkey
+      $as_unset ac_cv_funclib_dbm_firstkey
 
 
 for ac_header in 				\
-	  gdbm/ndbm.h				\
+  	  gdbm/ndbm.h				\
 
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -23847,41 +22514,37 @@ $ac_includes_default
 #include <$ac_header>
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_header_compiler=no
+	ac_header_compiler=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -23890,24 +22553,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <$ac_header>
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   ac_header_preproc=yes
 else
   echo "$as_me: failed program was:" >&5
@@ -23915,9 +22576,10 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
+
 rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
@@ -23941,25 +22603,24 @@ echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\
 echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
     { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-    (
-      cat <<\_ASBOX
-## -------------------------------------- ##
-## Report this to heimdal-bugs@pdc.kth.se ##
-## -------------------------------------- ##
+    ( cat <<\_ASBOX
+## ----------------------------------- ##
+## Report this to heimdal-bugs@h5l.org ##
+## ----------------------------------- ##
 _ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
+     ) | sed "s/^/$as_me: WARNING:     /" >&2
     ;;
 esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   eval "$as_ac_Header=\$ac_header_preproc"
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 
 fi
 if test `eval echo '${'$as_ac_Header'}'` = yes; then
@@ -23975,8 +22636,8 @@ done
 
 
 
-echo "$as_me:$LINENO: checking for dbm_firstkey" >&5
-echo $ECHO_N "checking for dbm_firstkey... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for dbm_firstkey" >&5
+echo $ECHO_N "checking for dbm_firstkey... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_dbm_firstkey+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -23999,9 +22660,9 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
-    #include <stdio.h>
-    #include <gdbm/ndbm.h>
-    DBM *dbm;
+      #include <stdio.h>
+      #include <gdbm/ndbm.h>
+      DBM *dbm;
 
 int
 main ()
@@ -24012,34 +22673,32 @@ dbm_firstkey(NULL)
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_dbm_firstkey=$ac_lib; else ac_cv_funclib_dbm_firstkey=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_dbm_firstkey=\${ac_cv_funclib_dbm_firstkey-no}"
@@ -24056,9 +22715,9 @@ if false; then
 for ac_func in dbm_firstkey
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -24084,68 +22743,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -24168,14 +22819,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_dbm_firstkey=no"
 	eval "LIB_dbm_firstkey="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_dbm_firstkey=yes"
@@ -24188,36 +22839,36 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
 
 
-    if test "$ac_cv_func_dbm_firstkey" = "yes"; then
-      if test "$ac_cv_funclib_dbm_firstkey" != "yes"; then
-	LIB_NDBM="$ac_cv_funclib_dbm_firstkey"
-      else
-	LIB_NDBM=""
-      fi
+      if test "$ac_cv_func_dbm_firstkey" = "yes"; then
+        if test "$ac_cv_funclib_dbm_firstkey" != "yes"; then
+  	LIB_NDBM="$ac_cv_funclib_dbm_firstkey"
+        else
+  	LIB_NDBM=""
+        fi
 
 cat >>confdefs.h <<\_ACEOF
 #define HAVE_NDBM 1
 _ACEOF
-      have_ndbm=yes
-      if test "$db_type" = "unknown"; then
-	db_type=ndbm
-	DBLIB="$LIB_NDBM"
+        have_ndbm=yes
+        if test "$db_type" = "unknown"; then
+  	db_type=ndbm
+  	DBLIB="$LIB_NDBM"
+        fi
       fi
     fi
-  fi
-
+  fi #enable_ndbm_db
 fi # unknown
 
 if test "$have_ndbm" = "yes"; then
-  echo "$as_me:$LINENO: checking if ndbm is implemented with db" >&5
-echo $ECHO_N "checking if ndbm is implemented with db... $ECHO_C" >&6
+  { echo "$as_me:$LINENO: checking if ndbm is implemented with db" >&5
+echo $ECHO_N "checking if ndbm is implemented with db... $ECHO_C" >&6; }
   if test "$cross_compiling" = yes; then
   { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
 See \`config.log' for more details." >&5
@@ -24241,7 +22892,7 @@ cat >>conftest.$ac_ext <<_ACEOF
 #elif defined(HAVE_DBM_H)
 #include <dbm.h>
 #endif
-int main()
+int main(int argc, char **argv)
 {
   DBM *d;
 
@@ -24253,28 +22904,37 @@ int main()
 }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
 
     if test -f conftest.db; then
-      echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+      { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 
 cat >>confdefs.h <<\_ACEOF
 #define HAVE_NEW_DB 1
 _ACEOF
 
     else
-      echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+      { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
     fi
 else
   echo "$as_me: program exited with status $ac_status" >&5
@@ -24282,34 +22942,30 @@ echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 ( exit $ac_status )
-echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 
 
+fi
 
-if test "$db_type" = db1; then
+ if test "$db_type" = db1; then
   HAVE_DB1_TRUE=
   HAVE_DB1_FALSE='#'
 else
   HAVE_DB1_TRUE='#'
   HAVE_DB1_FALSE=
 fi
-
-
-if test "$db_type" = db3; then
+ if test "$db_type" = db3; then
   HAVE_DB3_TRUE=
   HAVE_DB3_FALSE='#'
 else
   HAVE_DB3_TRUE='#'
   HAVE_DB3_FALSE=
 fi
-
-
-if test "$db_type" = ndbm; then
+ if test "$db_type" = ndbm; then
   HAVE_NDBM_TRUE=
   HAVE_NDBM_FALSE='#'
 else
@@ -24331,8 +22987,8 @@ DBLIB="$z $DBLIB"
 
 
 
-echo "$as_me:$LINENO: checking for inline" >&5
-echo $ECHO_N "checking for inline... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for inline" >&5
+echo $ECHO_N "checking for inline... $ECHO_C" >&6; }
 if test "${ac_cv_c_inline+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -24352,39 +23008,37 @@ $ac_kw foo_t foo () {return 0; }
 
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_c_inline=$ac_kw; break
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_c_inline=$ac_kw
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  test "$ac_cv_c_inline" != no && break
 done
 
 fi
-echo "$as_me:$LINENO: result: $ac_cv_c_inline" >&5
-echo "${ECHO_T}$ac_cv_c_inline" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_c_inline" >&5
+echo "${ECHO_T}$ac_cv_c_inline" >&6; }
 
 
 case $ac_cv_c_inline in
@@ -24402,8 +23056,8 @@ _ACEOF
     ;;
 esac
 
-echo "$as_me:$LINENO: checking for an ANSI C-conforming const" >&5
-echo $ECHO_N "checking for an ANSI C-conforming const... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for an ANSI C-conforming const" >&5
+echo $ECHO_N "checking for an ANSI C-conforming const... $ECHO_C" >&6; }
 if test "${ac_cv_c_const+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -24421,10 +23075,10 @@ main ()
 #ifndef __cplusplus
   /* Ultrix mips cc rejects this.  */
   typedef int charset[2];
-  const charset x;
+  const charset cs;
   /* SunOS 4.1.1 cc rejects this.  */
-  char const *const *ccp;
-  char **p;
+  char const *const *pcpcc;
+  char **ppc;
   /* NEC SVR4.0.2 mips cc rejects this.  */
   struct point {int x, y;};
   static struct point const zero = {0,0};
@@ -24433,16 +23087,17 @@ main ()
      an arm of an if-expression whose if-part is not a constant
      expression */
   const char *g = "string";
-  ccp = &g + (g ? g-g : 0);
+  pcpcc = &g + (g ? g-g : 0);
   /* HPUX 7.0 cc rejects these. */
-  ++ccp;
-  p = (char**) ccp;
-  ccp = (char const *const *) p;
+  ++pcpcc;
+  ppc = (char**) pcpcc;
+  pcpcc = (char const *const *) ppc;
   { /* SCO 3.2v4 cc rejects this.  */
     char *t;
     char const *s = 0 ? (char *) 0 : (char const *) 0;
 
     *t++ = 0;
+    if (s) return 0;
   }
   { /* Someone thinks the Sun supposedly-ANSI compiler will reject this.  */
     int x[] = {25, 17};
@@ -24461,7 +23116,9 @@ main ()
   }
   { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */
     const int foo = 10;
+    if (!foo) return 0;
   }
+  return !cs[0] && !zero.x;
 #endif
 
   ;
@@ -24469,38 +23126,34 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_c_const=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_c_const=no
+	ac_cv_c_const=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_c_const" >&5
-echo "${ECHO_T}$ac_cv_c_const" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_c_const" >&5
+echo "${ECHO_T}$ac_cv_c_const" >&6; }
 if test $ac_cv_c_const = no; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -24509,8 +23162,8 @@ _ACEOF
 
 fi
 
-echo "$as_me:$LINENO: checking for size_t" >&5
-echo $ECHO_N "checking for size_t... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for size_t" >&5
+echo $ECHO_N "checking for size_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_size_t+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -24521,62 +23174,59 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
+typedef size_t ac__type_new_;
 int
 main ()
 {
-if ((size_t *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (size_t))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_size_t=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_size_t=no
+	ac_cv_type_size_t=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_size_t" >&5
-echo "${ECHO_T}$ac_cv_type_size_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_size_t" >&5
+echo "${ECHO_T}$ac_cv_type_size_t" >&6; }
 if test $ac_cv_type_size_t = yes; then
   :
 else
 
 cat >>confdefs.h <<_ACEOF
-#define size_t unsigned
+#define size_t unsigned int
 _ACEOF
 
 fi
 
-echo "$as_me:$LINENO: checking for pid_t" >&5
-echo $ECHO_N "checking for pid_t... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for pid_t" >&5
+echo $ECHO_N "checking for pid_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_pid_t+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -24587,50 +23237,47 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
+typedef pid_t ac__type_new_;
 int
 main ()
 {
-if ((pid_t *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (pid_t))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_pid_t=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_pid_t=no
+	ac_cv_type_pid_t=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_pid_t" >&5
-echo "${ECHO_T}$ac_cv_type_pid_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_pid_t" >&5
+echo "${ECHO_T}$ac_cv_type_pid_t" >&6; }
 if test $ac_cv_type_pid_t = yes; then
   :
 else
@@ -24641,8 +23288,8 @@ _ACEOF
 
 fi
 
-echo "$as_me:$LINENO: checking for uid_t in sys/types.h" >&5
-echo $ECHO_N "checking for uid_t in sys/types.h... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for uid_t in sys/types.h" >&5
+echo $ECHO_N "checking for uid_t in sys/types.h... $ECHO_C" >&6; }
 if test "${ac_cv_type_uid_t+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -24664,8 +23311,8 @@ fi
 rm -f conftest*
 
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_uid_t" >&5
-echo "${ECHO_T}$ac_cv_type_uid_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_uid_t" >&5
+echo "${ECHO_T}$ac_cv_type_uid_t" >&6; }
 if test $ac_cv_type_uid_t = no; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -24680,8 +23327,8 @@ _ACEOF
 fi
 
 
-echo "$as_me:$LINENO: checking return type of signal handlers" >&5
-echo $ECHO_N "checking return type of signal handlers... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking return type of signal handlers" >&5
+echo $ECHO_N "checking return type of signal handlers... $ECHO_C" >&6; }
 if test "${ac_cv_type_signal+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -24693,56 +23340,44 @@ cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <sys/types.h>
 #include <signal.h>
-#ifdef signal
-# undef signal
-#endif
-#ifdef __cplusplus
-extern "C" void (*signal (int, void (*)(int)))(int);
-#else
-void (*signal ()) ();
-#endif
 
 int
 main ()
 {
-int i;
+return *(signal (0, 0)) (0) == 1;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_type_signal=void
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_type_signal=int
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_signal=int
+	ac_cv_type_signal=void
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_signal" >&5
-echo "${ECHO_T}$ac_cv_type_signal" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_signal" >&5
+echo "${ECHO_T}$ac_cv_type_signal" >&6; }
 
 cat >>confdefs.h <<_ACEOF
 #define RETSIGTYPE $ac_cv_type_signal
@@ -24760,8 +23395,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking whether time.h and sys/time.h may both be included" >&5
-echo $ECHO_N "checking whether time.h and sys/time.h may both be included... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether time.h and sys/time.h may both be included" >&5
+echo $ECHO_N "checking whether time.h and sys/time.h may both be included... $ECHO_C" >&6; }
 if test "${ac_cv_header_time+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -24785,38 +23420,34 @@ return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_header_time=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_header_time=no
+	ac_cv_header_time=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_header_time" >&5
-echo "${ECHO_T}$ac_cv_header_time" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_header_time" >&5
+echo "${ECHO_T}$ac_cv_header_time" >&6; }
 if test $ac_cv_header_time = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -24830,18 +23461,19 @@ fi
 for ac_header in standards.h
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -24852,41 +23484,37 @@ $ac_includes_default
 #include <$ac_header>
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_header_compiler=no
+	ac_header_compiler=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -24895,24 +23523,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <$ac_header>
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   ac_header_preproc=yes
 else
   echo "$as_me: failed program was:" >&5
@@ -24920,9 +23546,10 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
+
 rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
@@ -24946,25 +23573,24 @@ echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\
 echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
     { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-    (
-      cat <<\_ASBOX
-## -------------------------------------- ##
-## Report this to heimdal-bugs@pdc.kth.se ##
-## -------------------------------------- ##
+    ( cat <<\_ASBOX
+## ----------------------------------- ##
+## Report this to heimdal-bugs@h5l.org ##
+## ----------------------------------- ##
 _ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
+     ) | sed "s/^/$as_me: WARNING:     /" >&2
     ;;
 esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   eval "$as_ac_Header=\$ac_header_preproc"
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 
 fi
 if test `eval echo '${'$as_ac_Header'}'` = yes; then
@@ -24980,9 +23606,9 @@ for i in netinet/ip.h netinet/tcp.h; do
 
 cv=`echo "$i" | sed 'y%./+-%__p_%'`
 
-echo "$as_me:$LINENO: checking for $i" >&5
-echo $ECHO_N "checking for $i... $ECHO_C" >&6
-if eval "test \"\${ac_cv_header_$cv+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $i" >&5
+echo $ECHO_N "checking for $i... $ECHO_C" >&6; }
+if { as_var=ac_cv_header_$cv; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -24991,31 +23617,29 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-\
+
 #ifdef HAVE_STANDARDS_H
 #include <standards.h>
 #endif
 #include <$i>
 
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   eval "ac_cv_header_$cv=yes"
 else
   echo "$as_me: failed program was:" >&5
@@ -25023,10 +23647,12 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
   eval "ac_cv_header_$cv=no"
 fi
+
 rm -f conftest.err conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'ac_cv_header_$cv'}'`" >&5
-echo "${ECHO_T}`eval echo '${'ac_cv_header_$cv'}'`" >&6
+ac_res=`eval echo '${'ac_cv_header_$cv'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 ac_res=`eval echo \\$ac_cv_header_$cv`
 if test "$ac_res" = yes; then
 	ac_tr_hdr=HAVE_`echo $i | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
@@ -25042,18 +23668,19 @@ if false;then
 for ac_header in netinet/ip.h netinet/tcp.h
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -25064,41 +23691,37 @@ $ac_includes_default
 #include <$ac_header>
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_header_compiler=no
+	ac_header_compiler=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -25107,24 +23730,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <$ac_header>
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   ac_header_preproc=yes
 else
   echo "$as_me: failed program was:" >&5
@@ -25132,9 +23753,10 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
+
 rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
@@ -25158,25 +23780,24 @@ echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\
 echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
     { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-    (
-      cat <<\_ASBOX
-## -------------------------------------- ##
-## Report this to heimdal-bugs@pdc.kth.se ##
-## -------------------------------------- ##
+    ( cat <<\_ASBOX
+## ----------------------------------- ##
+## Report this to heimdal-bugs@h5l.org ##
+## ----------------------------------- ##
 _ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
+     ) | sed "s/^/$as_me: WARNING:     /" >&2
     ;;
 esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   eval "$as_ac_Header=\$ac_header_preproc"
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 
 fi
 if test `eval echo '${'$as_ac_Header'}'` = yes; then
@@ -25196,9 +23817,9 @@ fi
 for ac_func in getlogin setlogin
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -25224,68 +23845,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -25295,8 +23908,8 @@ fi
 done
 
 if test "$ac_cv_func_getlogin" = yes; then
-echo "$as_me:$LINENO: checking if getlogin is posix" >&5
-echo $ECHO_N "checking if getlogin is posix... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if getlogin is posix" >&5
+echo $ECHO_N "checking if getlogin is posix... $ECHO_C" >&6; }
 if test "${ac_cv_func_getlogin_posix+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -25308,8 +23921,8 @@ else
 fi
 
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getlogin_posix" >&5
-echo "${ECHO_T}$ac_cv_func_getlogin_posix" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_getlogin_posix" >&5
+echo "${ECHO_T}$ac_cv_func_getlogin_posix" >&6; }
 if test "$ac_cv_func_getlogin_posix" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -25324,18 +23937,19 @@ fi
 for ac_header in stdlib.h unistd.h
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -25346,41 +23960,37 @@ $ac_includes_default
 #include <$ac_header>
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_header_compiler=no
+	ac_header_compiler=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -25389,24 +23999,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <$ac_header>
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   ac_header_preproc=yes
 else
   echo "$as_me: failed program was:" >&5
@@ -25414,9 +24022,10 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
+
 rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
@@ -25440,25 +24049,24 @@ echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\
 echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
     { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-    (
-      cat <<\_ASBOX
-## -------------------------------------- ##
-## Report this to heimdal-bugs@pdc.kth.se ##
-## -------------------------------------- ##
+    ( cat <<\_ASBOX
+## ----------------------------------- ##
+## Report this to heimdal-bugs@h5l.org ##
+## ----------------------------------- ##
 _ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
+     ) | sed "s/^/$as_me: WARNING:     /" >&2
     ;;
 esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   eval "$as_ac_Header=\$ac_header_preproc"
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 
 fi
 if test `eval echo '${'$as_ac_Header'}'` = yes; then
@@ -25474,9 +24082,9 @@ done
 for ac_func in getpagesize
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -25502,68 +24110,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -25572,8 +24172,8 @@ _ACEOF
 fi
 done
 
-echo "$as_me:$LINENO: checking for working mmap" >&5
-echo $ECHO_N "checking for working mmap... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for working mmap" >&5
+echo $ECHO_N "checking for working mmap... $ECHO_C" >&6; }
 if test "${ac_cv_func_mmap_fixed_mapped+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -25615,21 +24215,21 @@ $ac_includes_default
 #include <fcntl.h>
 #include <sys/mman.h>
 
-#if !STDC_HEADERS && !HAVE_STDLIB_H
+#if !defined STDC_HEADERS && !defined HAVE_STDLIB_H
 char *malloc ();
 #endif
 
 /* This mess was copied from the GNU getpagesize.h.  */
-#if !HAVE_GETPAGESIZE
+#ifndef HAVE_GETPAGESIZE
 /* Assume that all systems that can run configure have sys/param.h.  */
-# if !HAVE_SYS_PARAM_H
+# ifndef HAVE_SYS_PARAM_H
 #  define HAVE_SYS_PARAM_H 1
 # endif
 
 # ifdef _SC_PAGESIZE
 #  define getpagesize() sysconf(_SC_PAGESIZE)
 # else /* no _SC_PAGESIZE */
-#  if HAVE_SYS_PARAM_H
+#  ifdef HAVE_SYS_PARAM_H
 #   include <sys/param.h>
 #   ifdef EXEC_PAGESIZE
 #    define getpagesize() EXEC_PAGESIZE
@@ -25668,15 +24268,15 @@ main ()
   /* First, make a file with some known garbage in it. */
   data = (char *) malloc (pagesize);
   if (!data)
-    exit (1);
+    return 1;
   for (i = 0; i < pagesize; ++i)
     *(data + i) = rand ();
   umask (0);
   fd = creat ("conftest.mmap", 0600);
   if (fd < 0)
-    exit (1);
+    return 1;
   if (write (fd, data, pagesize) != pagesize)
-    exit (1);
+    return 1;
   close (fd);
 
   /* Next, try to mmap the file at a fixed address which already has
@@ -25684,17 +24284,17 @@ main ()
      we see the same garbage.  */
   fd = open ("conftest.mmap", O_RDWR);
   if (fd < 0)
-    exit (1);
+    return 1;
   data2 = (char *) malloc (2 * pagesize);
   if (!data2)
-    exit (1);
-  data2 += (pagesize - ((long) data2 & (pagesize - 1))) & (pagesize - 1);
+    return 1;
+  data2 += (pagesize - ((long int) data2 & (pagesize - 1))) & (pagesize - 1);
   if (data2 != mmap (data2, pagesize, PROT_READ | PROT_WRITE,
 		     MAP_PRIVATE | MAP_FIXED, fd, 0L))
-    exit (1);
+    return 1;
   for (i = 0; i < pagesize; ++i)
     if (*(data + i) != *(data2 + i))
-      exit (1);
+      return 1;
 
   /* Finally, make sure that changes to the mapped area do not
      percolate back to the file as seen by read().  (This is a bug on
@@ -25703,24 +24303,33 @@ main ()
     *(data2 + i) = *(data2 + i) + 1;
   data3 = (char *) malloc (pagesize);
   if (!data3)
-    exit (1);
+    return 1;
   if (read (fd, data3, pagesize) != pagesize)
-    exit (1);
+    return 1;
   for (i = 0; i < pagesize; ++i)
     if (*(data + i) != *(data3 + i))
-      exit (1);
+      return 1;
   close (fd);
-  exit (0);
+  return 0;
 }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
@@ -25733,11 +24342,13 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ( exit $ac_status )
 ac_cv_func_mmap_fixed_mapped=no
 fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
+
+
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_mmap_fixed_mapped" >&5
-echo "${ECHO_T}$ac_cv_func_mmap_fixed_mapped" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_mmap_fixed_mapped" >&5
+echo "${ECHO_T}$ac_cv_func_mmap_fixed_mapped" >&6; }
 if test $ac_cv_func_mmap_fixed_mapped = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -25748,8 +24359,8 @@ fi
 rm -f conftest.mmap
 
 
-echo "$as_me:$LINENO: checking if realloc if broken" >&5
-echo $ECHO_N "checking if realloc if broken... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if realloc if broken" >&5
+echo $ECHO_N "checking if realloc if broken... $ECHO_C" >&6; }
 if test "${ac_cv_func_realloc_broken+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -25768,20 +24379,29 @@ cat >>conftest.$ac_ext <<_ACEOF
 #include <stddef.h>
 #include <stdlib.h>
 
-int main()
+int main(int argc, char **argv)
 {
 	return realloc(NULL, 17) == NULL;
 }
 
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
@@ -25794,12 +24414,14 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ( exit $ac_status )
 ac_cv_func_realloc_broken=yes
 fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 
+
+
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_realloc_broken" >&5
-echo "${ECHO_T}$ac_cv_func_realloc_broken" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_realloc_broken" >&5
+echo "${ECHO_T}$ac_cv_func_realloc_broken" >&6; }
 if test "$ac_cv_func_realloc_broken" = yes ; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -25831,6 +24453,16 @@ INCLUDES_roken='-I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken'
 
 
 
+
+# Check whether --enable-developer was given.
+if test "${enable_developer+set}" = set; then
+  enableval=$enable_developer;
+fi
+
+if test "X$enable_developer" = Xyes; then
+    dwflags="-Werror"
+fi
+
 WFLAGS_NOUNUSED=""
 WFLAGS_NOIMPLICITINT=""
 if test -z "$WFLAGS" -a "$GCC" = "yes"; then
@@ -25839,7 +24471,7 @@ if test -z "$WFLAGS" -a "$GCC" = "yes"; then
   #   -Wcast-align doesn't work well on alpha osf/1
   #   -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast
   #   -Wmissing-declarations -Wnested-externs
-  WFLAGS="-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs"
+  WFLAGS="-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs $dwflags"
   WFLAGS_NOUNUSED="-Wno-unused"
   WFLAGS_NOIMPLICITINT="-Wno-implicit-int"
 fi
@@ -25852,9 +24484,9 @@ fi
 
 
 cv=`echo "ssize_t" | sed 'y%./+- %__p__%'`
-echo "$as_me:$LINENO: checking for ssize_t" >&5
-echo $ECHO_N "checking for ssize_t... $ECHO_C" >&6
-if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for ssize_t" >&5
+echo $ECHO_N "checking for ssize_t... $ECHO_C" >&6; }
+if { as_var=ac_cv_type_$cv; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -25863,6 +24495,7 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
+
 #include <sys/types.h>
 #if STDC_HEADERS
 #include <stdlib.h>
@@ -25878,44 +24511,40 @@ ssize_t foo;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_type_$cv=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_type_$cv=no"
+	eval "ac_cv_type_$cv=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 ac_foo=`eval echo \\$ac_cv_type_$cv`
-echo "$as_me:$LINENO: result: $ac_foo" >&5
-echo "${ECHO_T}$ac_foo" >&6
+{ echo "$as_me:$LINENO: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6; }
 if test "$ac_foo" = yes; then
   ac_tr_hdr=HAVE_`echo ssize_t | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
 if false; then
-	echo "$as_me:$LINENO: checking for ssize_t" >&5
-echo $ECHO_N "checking for ssize_t... $ECHO_C" >&6
+	{ echo "$as_me:$LINENO: checking for ssize_t" >&5
+echo $ECHO_N "checking for ssize_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_ssize_t+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -25926,50 +24555,47 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
+typedef ssize_t ac__type_new_;
 int
 main ()
 {
-if ((ssize_t *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (ssize_t))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_ssize_t=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_ssize_t=no
+	ac_cv_type_ssize_t=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_ssize_t" >&5
-echo "${ECHO_T}$ac_cv_type_ssize_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_ssize_t" >&5
+echo "${ECHO_T}$ac_cv_type_ssize_t" >&6; }
 if test $ac_cv_type_ssize_t = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -25992,9 +24618,9 @@ fi
 
 
 cv=`echo "long long" | sed 'y%./+- %__p__%'`
-echo "$as_me:$LINENO: checking for long long" >&5
-echo $ECHO_N "checking for long long... $ECHO_C" >&6
-if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for long long" >&5
+echo $ECHO_N "checking for long long... $ECHO_C" >&6; }
+if { as_var=ac_cv_type_$cv; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -26003,6 +24629,7 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
+
 #include <sys/types.h>
 #if STDC_HEADERS
 #include <stdlib.h>
@@ -26018,44 +24645,40 @@ long long foo;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_type_$cv=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_type_$cv=no"
+	eval "ac_cv_type_$cv=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 ac_foo=`eval echo \\$ac_cv_type_$cv`
-echo "$as_me:$LINENO: result: $ac_foo" >&5
-echo "${ECHO_T}$ac_foo" >&6
+{ echo "$as_me:$LINENO: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6; }
 if test "$ac_foo" = yes; then
   ac_tr_hdr=HAVE_`echo long long | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
 if false; then
-	echo "$as_me:$LINENO: checking for long long" >&5
-echo $ECHO_N "checking for long long... $ECHO_C" >&6
+	{ echo "$as_me:$LINENO: checking for long long" >&5
+echo $ECHO_N "checking for long long... $ECHO_C" >&6; }
 if test "${ac_cv_type_long_long+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -26066,50 +24689,47 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
+typedef long long ac__type_new_;
 int
 main ()
 {
-if ((long long *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (long long))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_long_long=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_long_long=no
+	ac_cv_type_long_long=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_long_long" >&5
-echo "${ECHO_T}$ac_cv_type_long_long" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_long_long" >&5
+echo "${ECHO_T}$ac_cv_type_long_long" >&6; }
 if test $ac_cv_type_long_long = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -26172,45 +24792,34 @@ fi
 
 
 
-
-
-
-
-
-
 for ac_header in \
 	arpa/inet.h				\
-	arpa/nameser.h				\
 	config.h				\
 	crypt.h					\
 	dirent.h				\
 	errno.h					\
 	err.h					\
 	fcntl.h					\
+	fnmatch.h				\
 	grp.h					\
 	ifaddrs.h				\
-	net/if.h				\
-	netdb.h					\
 	netinet/in.h				\
 	netinet/in6.h				\
 	netinet/in_systm.h			\
 	netinet6/in6.h				\
-	netinet6/in6_var.h			\
 	paths.h					\
+	poll.h					\
 	pwd.h					\
-	resolv.h				\
 	rpcsvc/ypclnt.h				\
 	shadow.h				\
+	stdint.h				\
 	sys/bswap.h				\
 	sys/ioctl.h				\
 	sys/mman.h				\
 	sys/param.h				\
-	sys/proc.h				\
 	sys/resource.h				\
-	sys/socket.h				\
 	sys/sockio.h				\
 	sys/stat.h				\
-	sys/sysctl.h				\
 	sys/time.h				\
 	sys/tty.h				\
 	sys/types.h				\
@@ -26223,22 +24832,22 @@ for ac_header in \
 	userconf.h				\
 	usersec.h				\
 	util.h					\
-	vis.h					\
 
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -26249,41 +24858,37 @@ $ac_includes_default
 #include <$ac_header>
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_header_compiler=no
+	ac_header_compiler=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -26292,24 +24897,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <$ac_header>
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   ac_header_preproc=yes
 else
   echo "$as_me: failed program was:" >&5
@@ -26317,9 +24920,10 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
+
 rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
@@ -26343,25 +24947,24 @@ echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\
 echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
     { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-    (
-      cat <<\_ASBOX
-## -------------------------------------- ##
-## Report this to heimdal-bugs@pdc.kth.se ##
-## -------------------------------------- ##
+    ( cat <<\_ASBOX
+## ----------------------------------- ##
+## Report this to heimdal-bugs@h5l.org ##
+## ----------------------------------- ##
 _ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
+     ) | sed "s/^/$as_me: WARNING:     /" >&2
     ;;
 esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   eval "$as_ac_Header=\$ac_header_preproc"
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 
 fi
 if test `eval echo '${'$as_ac_Header'}'` = yes; then
@@ -26376,29 +24979,599 @@ done
 
 
 
+cv=`echo "uintptr_t" | sed 'y%./+- %__p__%'`
+{ echo "$as_me:$LINENO: checking for uintptr_t" >&5
+echo $ECHO_N "checking for uintptr_t... $ECHO_C" >&6; }
+if { as_var=ac_cv_type_$cv; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#ifdef HAVE_STDINT_H
+#include <stdint.h>
+#endif
+int
+main ()
+{
+uintptr_t foo;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
-if test "$ac_cv_header_err_h" = yes; then
-  have_err_h_TRUE=
-  have_err_h_FALSE='#'
+	eval "ac_cv_type_$cv=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+{ echo "$as_me:$LINENO: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6; }
+if test "$ac_foo" = yes; then
+  ac_tr_hdr=HAVE_`echo uintptr_t | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	{ echo "$as_me:$LINENO: checking for uintptr_t" >&5
+echo $ECHO_N "checking for uintptr_t... $ECHO_C" >&6; }
+if test "${ac_cv_type_uintptr_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  have_err_h_TRUE='#'
-  have_err_h_FALSE=
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+typedef uintptr_t ac__type_new_;
+int
+main ()
+{
+if ((ac__type_new_ *) 0)
+  return 0;
+if (sizeof (ac__type_new_))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_type_uintptr_t=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_type_uintptr_t=no
 fi
 
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_type_uintptr_t" >&5
+echo "${ECHO_T}$ac_cv_type_uintptr_t" >&6; }
+if test $ac_cv_type_uintptr_t = yes; then
 
+cat >>confdefs.h <<_ACEOF
+#define HAVE_UINTPTR_T 1
+_ACEOF
 
-if test "$ac_cv_header_fnmatch_h" = yes; then
-  have_fnmatch_h_TRUE=
-  have_fnmatch_h_FALSE='#'
+
+fi
+
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define $ac_tr_hdr 1
+_ACEOF
+
+fi
+
+
+
+for ac_header in vis.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  have_fnmatch_h_TRUE='#'
-  have_fnmatch_h_FALSE=
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#include <vis.h>
+#ifndef VIS_SP
+#error invis
+#endif
+
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "$as_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_Header=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+
+for ac_header in netdb.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+
+
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "$as_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_Header=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+
+for ac_header in sys/socket.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+
+
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "$as_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_Header=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+
+for ac_header in net/if.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#if HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "$as_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_Header=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+
+for ac_header in netinet6/in6_var.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#if HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "$as_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_Header=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+
+for ac_header in sys/sysctl.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+
+
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "$as_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_Header=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+
+for ac_header in sys/proc.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+
+
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "$as_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_Header=no"
 fi
 
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
 
 
-if test "$ac_cv_header_ifaddrs_h" = yes; then
+
+ if test "$ac_cv_header_err_h" = yes; then
+  have_err_h_TRUE=
+  have_err_h_FALSE='#'
+else
+  have_err_h_TRUE='#'
+  have_err_h_FALSE=
+fi
+
+ if test "$ac_cv_header_ifaddrs_h" = yes; then
   have_ifaddrs_h_TRUE=
   have_ifaddrs_h_FALSE='#'
 else
@@ -26406,9 +25579,7 @@ else
   have_ifaddrs_h_FALSE=
 fi
 
-
-
-if test "$ac_cv_header_vis_h" = yes; then
+ if test "$ac_cv_header_vis_h" = yes; then
   have_vis_h_TRUE=
   have_vis_h_FALSE='#'
 else
@@ -26422,8 +25593,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for socket" >&5
-echo $ECHO_N "checking for socket... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for socket" >&5
+echo $ECHO_N "checking for socket... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_socket+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -26455,34 +25626,32 @@ socket()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_socket=$ac_lib; else ac_cv_funclib_socket=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_socket=\${ac_cv_funclib_socket-no}"
@@ -26499,9 +25668,9 @@ if false; then
 for ac_func in socket
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -26527,68 +25696,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -26611,14 +25772,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_socket=no"
 	eval "LIB_socket="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_socket=yes"
@@ -26631,8 +25792,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -26645,8 +25806,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for gethostbyname" >&5
-echo $ECHO_N "checking for gethostbyname... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for gethostbyname" >&5
+echo $ECHO_N "checking for gethostbyname... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_gethostbyname+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -26678,34 +25839,32 @@ gethostbyname()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_gethostbyname=$ac_lib; else ac_cv_funclib_gethostbyname=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_gethostbyname=\${ac_cv_funclib_gethostbyname-no}"
@@ -26722,9 +25881,9 @@ if false; then
 for ac_func in gethostbyname
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -26750,68 +25909,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -26834,14 +25985,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_gethostbyname=no"
 	eval "LIB_gethostbyname="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_gethostbyname=yes"
@@ -26854,8 +26005,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -26868,8 +26019,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for syslog" >&5
-echo $ECHO_N "checking for syslog... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for syslog" >&5
+echo $ECHO_N "checking for syslog... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_syslog+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -26901,34 +26052,32 @@ syslog()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_syslog=$ac_lib; else ac_cv_funclib_syslog=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_syslog=\${ac_cv_funclib_syslog-no}"
@@ -26945,9 +26094,9 @@ if false; then
 for ac_func in syslog
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -26973,68 +26122,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -27057,14 +26198,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_syslog=no"
 	eval "LIB_syslog="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_syslog=yes"
@@ -27077,8 +26218,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -27090,17 +26231,17 @@ fi
 
 
 
-# Check whether --with-ipv6 or --without-ipv6 was given.
+# Check whether --with-ipv6 was given.
 if test "${with_ipv6+set}" = set; then
-  withval="$with_ipv6"
-
+  withval=$with_ipv6;
 if test "$withval" = "no"; then
 	ac_cv_lib_ipv6=no
 fi
-fi;
+fi
+
 save_CFLAGS="${CFLAGS}"
-echo "$as_me:$LINENO: checking for IPv6 stack type" >&5
-echo $ECHO_N "checking for IPv6 stack type... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for IPv6 stack type" >&5
+echo $ECHO_N "checking for IPv6 stack type... $ECHO_C" >&6; }
 if test "${v6type+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -27241,11 +26382,11 @@ if test "$v6lib" != "none"; then
 fi
 
 fi
-echo "$as_me:$LINENO: result: $v6type" >&5
-echo "${ECHO_T}$v6type" >&6
+{ echo "$as_me:$LINENO: result: $v6type" >&5
+echo "${ECHO_T}$v6type" >&6; }
 
-echo "$as_me:$LINENO: checking for IPv6" >&5
-echo $ECHO_N "checking for IPv6... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for IPv6" >&5
+echo $ECHO_N "checking for IPv6... $ECHO_C" >&6; }
 if test "${ac_cv_lib_ipv6+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -27289,39 +26430,36 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_ipv6=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_lib_ipv6=no
+	ac_cv_lib_ipv6=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_ipv6" >&5
-echo "${ECHO_T}$ac_cv_lib_ipv6" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_ipv6" >&5
+echo "${ECHO_T}$ac_cv_lib_ipv6" >&6; }
 if test "$ac_cv_lib_ipv6" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -27334,8 +26472,8 @@ fi
 
 ## test for AIX missing in6addr_loopback
 if test "$ac_cv_lib_ipv6" = yes; then
-	echo "$as_me:$LINENO: checking for in6addr_loopback" >&5
-echo $ECHO_N "checking for in6addr_loopback... $ECHO_C" >&6
+	{ echo "$as_me:$LINENO: checking for in6addr_loopback" >&5
+echo $ECHO_N "checking for in6addr_loopback... $ECHO_C" >&6; }
 if test "${ac_cv_var_in6addr_loopback+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -27371,39 +26509,36 @@ sin6.sin6_addr = in6addr_loopback;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_var_in6addr_loopback=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_var_in6addr_loopback=no
+	ac_cv_var_in6addr_loopback=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_var_in6addr_loopback" >&5
-echo "${ECHO_T}$ac_cv_var_in6addr_loopback" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_var_in6addr_loopback" >&5
+echo "${ECHO_T}$ac_cv_var_in6addr_loopback" >&6; }
 	if test "$ac_cv_var_in6addr_loopback" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -27418,8 +26553,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for gethostbyname2" >&5
-echo $ECHO_N "checking for gethostbyname2... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for gethostbyname2" >&5
+echo $ECHO_N "checking for gethostbyname2... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_gethostbyname2+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -27451,34 +26586,32 @@ gethostbyname2()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_gethostbyname2=$ac_lib; else ac_cv_funclib_gethostbyname2=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_gethostbyname2=\${ac_cv_funclib_gethostbyname2-no}"
@@ -27495,9 +26628,9 @@ if false; then
 for ac_func in gethostbyname2
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -27523,68 +26656,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -27607,14 +26732,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_gethostbyname2=no"
 	eval "LIB_gethostbyname2="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_gethostbyname2=yes"
@@ -27627,8 +26752,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -27641,9 +26766,226 @@ fi
 
 
 
+for ac_header in arpa/nameser.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+else
+  # Is the header compilable?
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_header_compiler=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <$ac_header>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  ac_header_preproc=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+  ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
+
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+  yes:no: )
+    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+    ac_header_preproc=yes
+    ;;
+  no:yes:* )
+    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+    ( cat <<\_ASBOX
+## ----------------------------------- ##
+## Report this to heimdal-bugs@h5l.org ##
+## ----------------------------------- ##
+_ASBOX
+     ) | sed "s/^/$as_me: WARNING:     /" >&2
+    ;;
+esac
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  eval "$as_ac_Header=\$ac_header_preproc"
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+
+fi
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+
+for ac_header in resolv.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+
+
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "$as_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_Header=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
 
-echo "$as_me:$LINENO: checking for res_search" >&5
-echo $ECHO_N "checking for res_search... $ECHO_C" >&6
+
+
+
+{ echo "$as_me:$LINENO: checking for res_search" >&5
+echo $ECHO_N "checking for res_search... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_res_search+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -27689,34 +27031,32 @@ res_search(0,0,0,0,0)
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_res_search=$ac_lib; else ac_cv_funclib_res_search=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_res_search=\${ac_cv_funclib_res_search-no}"
@@ -27733,9 +27073,9 @@ if false; then
 for ac_func in res_search
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -27761,68 +27101,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -27845,14 +27177,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_res_search=no"
 	eval "LIB_res_search="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_res_search=yes"
@@ -27865,8 +27197,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -27880,8 +27212,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for res_nsearch" >&5
-echo $ECHO_N "checking for res_nsearch... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for res_nsearch" >&5
+echo $ECHO_N "checking for res_nsearch... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_res_nsearch+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -27927,34 +27259,32 @@ res_nsearch(0,0,0,0,0,0)
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_res_nsearch=$ac_lib; else ac_cv_funclib_res_nsearch=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_res_nsearch=\${ac_cv_funclib_res_nsearch-no}"
@@ -27971,9 +27301,9 @@ if false; then
 for ac_func in res_nsearch
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -27999,68 +27329,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -28083,14 +27405,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_res_nsearch=no"
 	eval "LIB_res_nsearch="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_res_nsearch=yes"
@@ -28103,8 +27425,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -28118,13 +27440,13 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for dn_expand" >&5
-echo $ECHO_N "checking for dn_expand... $ECHO_C" >&6
-if test "${ac_cv_funclib_dn_expand+set}" = set; then
+{ echo "$as_me:$LINENO: checking for res_ndestroy" >&5
+echo $ECHO_N "checking for res_ndestroy... $ECHO_C" >&6; }
+if test "${ac_cv_funclib_res_ndestroy+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
 
-if eval "test \"\$ac_cv_func_dn_expand\" != yes" ; then
+if eval "test \"\$ac_cv_func_res_ndestroy\" != yes" ; then
 	ac_save_LIBS="$LIBS"
 	for ac_lib in "" resolv; do
 		case "$ac_lib" in
@@ -28159,40 +27481,266 @@ cat >>conftest.$ac_ext <<_ACEOF
 int
 main ()
 {
-dn_expand(0,0,0,0,0)
+res_ndestroy(0)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_res_ndestroy=$ac_lib; else ac_cv_funclib_res_ndestroy=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_res_ndestroy=\${ac_cv_funclib_res_ndestroy-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_res_ndestroy"
+
+if false; then
+
+for ac_func in res_ndestroy
+do
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define $ac_func innocuous_$ac_func
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef $ac_func
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $ac_func ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_$ac_func || defined __stub___$ac_func
+choke me
+#endif
+
+int
+main ()
+{
+return $ac_func ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  eval "$as_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_var=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_var'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+fi
+# res_ndestroy
+eval "ac_tr_func=HAVE_`echo res_ndestroy | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_res_ndestroy=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_res_ndestroy=yes"
+	eval "LIB_res_ndestroy="
+	cat >>confdefs.h <<_ACEOF
+#define $ac_tr_func 1
+_ACEOF
+
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+	;;
+	no)
+	eval "ac_cv_func_res_ndestroy=no"
+	eval "LIB_res_ndestroy="
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+	;;
+	*)
+	eval "ac_cv_func_res_ndestroy=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<_ACEOF
+#define $ac_tr_func 1
+_ACEOF
+
+	cat >>confdefs.h <<_ACEOF
+#define $ac_tr_lib 1
+_ACEOF
+
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
+	;;
+esac
+
+
+if test -n "$LIB_res_ndestroy"; then
+	LIBS="$LIB_res_ndestroy $LIBS"
+fi
+
+
+
+
+
+
+{ echo "$as_me:$LINENO: checking for dn_expand" >&5
+echo $ECHO_N "checking for dn_expand... $ECHO_C" >&6; }
+if test "${ac_cv_funclib_dn_expand+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_dn_expand\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" resolv; do
+		case "$ac_lib" in
+		"") ;;
+		yes) ac_lib="" ;;
+		no) continue ;;
+		-l*) ;;
+		*) ac_lib="-l$ac_lib" ;;
+		esac
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+
+int
+main ()
+{
+dn_expand(0,0,0,0,0)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_dn_expand=$ac_lib; else ac_cv_funclib_dn_expand=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_dn_expand=\${ac_cv_funclib_dn_expand-no}"
@@ -28209,9 +27757,9 @@ if false; then
 for ac_func in dn_expand
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -28237,68 +27785,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -28321,14 +27861,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_dn_expand=no"
 	eval "LIB_dn_expand="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_dn_expand=yes"
@@ -28341,8 +27881,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -28353,8 +27893,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for _res" >&5
-echo $ECHO_N "checking for _res... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for _res" >&5
+echo $ECHO_N "checking for _res... $ECHO_C" >&6; }
 if test "${ac_cv_var__res+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -28379,7 +27919,7 @@ cat >>conftest.$ac_ext <<_ACEOF
 #ifdef HAVE_RESOLV_H
 #include <resolv.h>
 #endif
-	void * foo() { return &_res; }
+	void * foo(void) { return &_res; }
 int
 main ()
 {
@@ -28389,35 +27929,32 @@ foo()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_var__res=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_var__res=no
+	ac_cv_var__res=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test "$ac_cv_var__res" != yes ; then
 cat >conftest.$ac_ext <<_ACEOF
@@ -28427,7 +27964,7 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 extern int _res;
-int foo() { return _res; }
+int foo(void) { return _res; }
 int
 main ()
 {
@@ -28437,57 +27974,52 @@ foo()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_var__res=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_var__res=no
+	ac_cv_var__res=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
 
 fi
 
 ac_foo=`eval echo \\$ac_cv_var__res`
-echo "$as_me:$LINENO: result: $ac_foo" >&5
-echo "${ECHO_T}$ac_foo" >&6
+{ echo "$as_me:$LINENO: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6; }
 if test "$ac_foo" = yes; then
 
 cat >>confdefs.h <<_ACEOF
 #define HAVE__RES 1
 _ACEOF
 
-
-echo "$as_me:$LINENO: checking if _res is properly declared" >&5
-echo $ECHO_N "checking if _res is properly declared... $ECHO_C" >&6
-if test "${ac_cv_var__res_declaration+set}" = set; then
+	{ echo "$as_me:$LINENO: checking whether _res is declared" >&5
+echo $ECHO_N "checking whether _res is declared... $ECHO_C" >&6; }
+if test "${ac_cv_have_decl__res+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-
-cat >conftest.$ac_ext <<_ACEOF
+  cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
@@ -28506,59 +28038,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 #ifdef HAVE_RESOLV_H
 #include <resolv.h>
 #endif
-extern struct { int foo; } _res;
+
 int
 main ()
 {
-_res.foo = 1;
+#ifndef _res
+  (void) _res;
+#endif
+
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "ac_cv_var__res_declaration=no"
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_have_decl__res=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_var__res_declaration=yes"
+	ac_cv_have_decl__res=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
+{ echo "$as_me:$LINENO: result: $ac_cv_have_decl__res" >&5
+echo "${ECHO_T}$ac_cv_have_decl__res" >&6; }
+if test $ac_cv_have_decl__res = yes; then
 
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL__RES 1
+_ACEOF
 
 
-
-echo "$as_me:$LINENO: result: $ac_cv_var__res_declaration" >&5
-echo "${ECHO_T}$ac_cv_var__res_declaration" >&6
-if eval "test \"\$ac_cv_var__res_declaration\" = yes"; then
-
-cat >>confdefs.h <<\_ACEOF
-#define HAVE__RES_DECLARATION 1
+else
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL__RES 0
 _ACEOF
 
+
 fi
 
 
@@ -28567,8 +28100,9 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for working snprintf" >&5
-echo $ECHO_N "checking for working snprintf... $ECHO_C" >&6
+
+{ echo "$as_me:$LINENO: checking for working snprintf" >&5
+echo $ECHO_N "checking for working snprintf... $ECHO_C" >&6; }
 if test "${ac_cv_func_snprintf_working+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -28585,21 +28119,30 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #include <stdio.h>
 #include <string.h>
-int main()
+int main(int argc, char **argv)
 {
 	char foo[3];
 	snprintf(foo, 2, "12");
-	return strcmp(foo, "1");
+	return strcmp(foo, "1") || snprintf(NULL, 0, "%d", 12) != 2;
 }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
@@ -28612,11 +28155,13 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ( exit $ac_status )
 ac_cv_func_snprintf_working=no
 fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
+
+
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_snprintf_working" >&5
-echo "${ECHO_T}$ac_cv_func_snprintf_working" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_snprintf_working" >&5
+echo "${ECHO_T}$ac_cv_func_snprintf_working" >&6; }
 
 if test "$ac_cv_func_snprintf_working" = yes; then
 
@@ -28628,8 +28173,8 @@ fi
 if test "$ac_cv_func_snprintf_working" = yes; then
 
 if test "$ac_cv_func_snprintf+set" != set -o "$ac_cv_func_snprintf" = yes; then
-echo "$as_me:$LINENO: checking if snprintf needs a prototype" >&5
-echo $ECHO_N "checking if snprintf needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if snprintf needs a prototype" >&5
+echo $ECHO_N "checking if snprintf needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_snprintf_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -28640,50 +28185,45 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <stdio.h>
+struct foo { int foo; } xx;
+extern int snprintf (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int snprintf (struct foo*);
-snprintf(&xx);
-
+snprintf(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_snprintf_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_snprintf_noproto=no"
+	eval "ac_cv_func_snprintf_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_snprintf_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_snprintf_noproto" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_snprintf_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_snprintf_noproto" >&6; }
 if test "$ac_cv_func_snprintf_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -28696,8 +28236,8 @@ fi
 fi
 
 
-echo "$as_me:$LINENO: checking for working vsnprintf" >&5
-echo $ECHO_N "checking for working vsnprintf... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for working vsnprintf" >&5
+echo $ECHO_N "checking for working vsnprintf... $ECHO_C" >&6; }
 if test "${ac_cv_func_vsnprintf_working+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -28726,20 +28266,38 @@ int foo(int num, ...)
 	return strcmp(bar, "1");
 }
 
+int bar(int num, int len, ...)
+{
+	int r;
+	va_list arg;
+	va_start(arg, len);
+	r = vsnprintf(NULL, 0, "%s", arg);
+	va_end(arg);
+	return r != len;
+}
 
-int main()
+int main(int argc, char **argv)
 {
-	return foo(0, "12");
+	return foo(0, "12") || bar(0, 2, "12");
 }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
@@ -28752,11 +28310,13 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ( exit $ac_status )
 ac_cv_func_vsnprintf_working=no
 fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
+
+
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_vsnprintf_working" >&5
-echo "${ECHO_T}$ac_cv_func_vsnprintf_working" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_vsnprintf_working" >&5
+echo "${ECHO_T}$ac_cv_func_vsnprintf_working" >&6; }
 
 if test "$ac_cv_func_vsnprintf_working" = yes; then
 
@@ -28768,8 +28328,8 @@ fi
 if test "$ac_cv_func_vsnprintf_working" = yes; then
 
 if test "$ac_cv_func_vsnprintf+set" != set -o "$ac_cv_func_vsnprintf" = yes; then
-echo "$as_me:$LINENO: checking if vsnprintf needs a prototype" >&5
-echo $ECHO_N "checking if vsnprintf needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if vsnprintf needs a prototype" >&5
+echo $ECHO_N "checking if vsnprintf needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_vsnprintf_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -28780,50 +28340,45 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <stdio.h>
+struct foo { int foo; } xx;
+extern int vsnprintf (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int vsnprintf (struct foo*);
-vsnprintf(&xx);
-
+vsnprintf(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_vsnprintf_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_vsnprintf_noproto=no"
+	eval "ac_cv_func_vsnprintf_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_vsnprintf_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_vsnprintf_noproto" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_vsnprintf_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_vsnprintf_noproto" >&6; }
 if test "$ac_cv_func_vsnprintf_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -28837,8 +28392,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for working glob" >&5
-echo $ECHO_N "checking for working glob... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for working glob" >&5
+echo $ECHO_N "checking for working glob... $ECHO_C" >&6; }
 if test "${ac_cv_func_glob_working+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -28870,39 +28425,36 @@ NULL, NULL);
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   :
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_glob_working=no
+	ac_cv_func_glob_working=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_glob_working" >&5
-echo "${ECHO_T}$ac_cv_func_glob_working" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_glob_working" >&5
+echo "${ECHO_T}$ac_cv_func_glob_working" >&6; }
 
 if test "$ac_cv_func_glob_working" = yes; then
 
@@ -28914,8 +28466,8 @@ fi
 if test "$ac_cv_func_glob_working" = yes; then
 
 if test "$ac_cv_func_glob+set" != set -o "$ac_cv_func_glob" = yes; then
-echo "$as_me:$LINENO: checking if glob needs a prototype" >&5
-echo $ECHO_N "checking if glob needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if glob needs a prototype" >&5
+echo $ECHO_N "checking if glob needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_glob_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -28927,50 +28479,45 @@ cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <stdio.h>
 #include <glob.h>
+struct foo { int foo; } xx;
+extern int glob (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int glob (struct foo*);
-glob(&xx);
-
+glob(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_glob_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_glob_noproto=no"
+	eval "ac_cv_func_glob_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_glob_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_glob_noproto" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_glob_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_glob_noproto" >&6; }
 if test "$ac_cv_func_glob_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -28983,18 +28530,14 @@ fi
 fi
 
 if test "$ac_cv_func_glob_working" != yes; then
-	case $LIBOBJS in
-    "glob.$ac_objext"   | \
-  *" glob.$ac_objext"   | \
-    "glob.$ac_objext "* | \
+	case " $LIBOBJS " in
   *" glob.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS glob.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS glob.$ac_objext"
+ ;;
 esac
 
 fi
-
-
-if test "$ac_cv_func_glob_working" = yes; then
+ if test "$ac_cv_func_glob_working" = yes; then
   have_glob_h_TRUE=
   have_glob_h_FALSE='#'
 else
@@ -29030,6 +28573,7 @@ fi
 
 
 
+
 for ac_func in 				\
 	asnprintf				\
 	asprintf				\
@@ -29042,6 +28586,7 @@ for ac_func in 				\
 	initstate				\
 	issetugid				\
 	on_exit					\
+	poll					\
 	random					\
 	setprogname				\
 	setstate				\
@@ -29060,9 +28605,9 @@ for ac_func in 				\
 
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -29088,68 +28633,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -29160,15 +28697,21 @@ done
 
 
 if test "$ac_cv_func_cgetent" = no; then
-	case $LIBOBJS in
-    "getcap.$ac_objext"   | \
-  *" getcap.$ac_objext"   | \
-    "getcap.$ac_objext "* | \
+	case " $LIBOBJS " in
   *" getcap.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS getcap.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS getcap.$ac_objext"
+ ;;
 esac
 
 fi
+ if test "$ac_cv_func_cgetent" = yes; then
+  have_cgetent_TRUE=
+  have_cgetent_FALSE='#'
+else
+  have_cgetent_TRUE='#'
+  have_cgetent_FALSE=
+fi
+
 
 
 
@@ -29177,8 +28720,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for getsockopt" >&5
-echo $ECHO_N "checking for getsockopt... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for getsockopt" >&5
+echo $ECHO_N "checking for getsockopt... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_getsockopt+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -29215,34 +28758,32 @@ getsockopt(0,0,0,0,0)
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_getsockopt=$ac_lib; else ac_cv_funclib_getsockopt=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_getsockopt=\${ac_cv_funclib_getsockopt-no}"
@@ -29259,9 +28800,9 @@ if false; then
 for ac_func in getsockopt
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -29287,68 +28828,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -29371,14 +28904,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_getsockopt=no"
 	eval "LIB_getsockopt="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_getsockopt=yes"
@@ -29391,8 +28924,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -29400,8 +28933,8 @@ esac
 
 
 
-echo "$as_me:$LINENO: checking for setsockopt" >&5
-echo $ECHO_N "checking for setsockopt... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for setsockopt" >&5
+echo $ECHO_N "checking for setsockopt... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_setsockopt+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -29438,34 +28971,32 @@ setsockopt(0,0,0,0,0)
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_setsockopt=$ac_lib; else ac_cv_funclib_setsockopt=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_setsockopt=\${ac_cv_funclib_setsockopt-no}"
@@ -29482,9 +29013,9 @@ if false; then
 for ac_func in setsockopt
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -29510,68 +29041,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -29594,14 +29117,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_setsockopt=no"
 	eval "LIB_setsockopt="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_setsockopt=yes"
@@ -29614,8 +29137,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -29625,8 +29148,8 @@ esac
 
 
 
-echo "$as_me:$LINENO: checking for hstrerror" >&5
-echo $ECHO_N "checking for hstrerror... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for hstrerror" >&5
+echo $ECHO_N "checking for hstrerror... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_hstrerror+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -29660,34 +29183,32 @@ hstrerror(17)
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_hstrerror=$ac_lib; else ac_cv_funclib_hstrerror=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_hstrerror=\${ac_cv_funclib_hstrerror-no}"
@@ -29704,9 +29225,9 @@ if false; then
 for ac_func in hstrerror
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -29732,68 +29253,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -29816,14 +29329,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_hstrerror=no"
 	eval "LIB_hstrerror="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_hstrerror=yes"
@@ -29836,8 +29349,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -29847,20 +29360,18 @@ if test -n "$LIB_hstrerror"; then
 fi
 
 if eval "test \"$ac_cv_func_hstrerror\" != yes"; then
-	case $LIBOBJS in
-    "hstrerror.$ac_objext"   | \
-  *" hstrerror.$ac_objext"   | \
-    "hstrerror.$ac_objext "* | \
+	case " $LIBOBJS " in
   *" hstrerror.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS hstrerror.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS hstrerror.$ac_objext"
+ ;;
 esac
 
 fi
 
 
 if test "$ac_cv_func_hstrerror+set" != set -o "$ac_cv_func_hstrerror" = yes; then
-echo "$as_me:$LINENO: checking if hstrerror needs a prototype" >&5
-echo $ECHO_N "checking if hstrerror needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if hstrerror needs a prototype" >&5
+echo $ECHO_N "checking if hstrerror needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_hstrerror_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -29874,50 +29385,45 @@ cat >>conftest.$ac_ext <<_ACEOF
 #ifdef HAVE_NETDB_H
 #include <netdb.h>
 #endif
+struct foo { int foo; } xx;
+extern int hstrerror (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int hstrerror (struct foo*);
-hstrerror(&xx);
-
+hstrerror(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_hstrerror_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_hstrerror_noproto=no"
+	eval "ac_cv_func_hstrerror_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_hstrerror_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_hstrerror_noproto" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_hstrerror_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_hstrerror_noproto" >&6; }
 if test "$ac_cv_func_hstrerror_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -29930,8 +29436,8 @@ fi
 
 
 if test "$ac_cv_func_asprintf+set" != set -o "$ac_cv_func_asprintf" = yes; then
-echo "$as_me:$LINENO: checking if asprintf needs a prototype" >&5
-echo $ECHO_N "checking if asprintf needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if asprintf needs a prototype" >&5
+echo $ECHO_N "checking if asprintf needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_asprintf_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -29944,50 +29450,45 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 	#include <stdio.h>
 	#include <string.h>
+struct foo { int foo; } xx;
+extern int asprintf (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int asprintf (struct foo*);
-asprintf(&xx);
-
+asprintf(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_asprintf_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_asprintf_noproto=no"
+	eval "ac_cv_func_asprintf_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_asprintf_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_asprintf_noproto" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_asprintf_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_asprintf_noproto" >&6; }
 if test "$ac_cv_func_asprintf_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -29998,8 +29499,8 @@ fi
 fi
 
 if test "$ac_cv_func_vasprintf+set" != set -o "$ac_cv_func_vasprintf" = yes; then
-echo "$as_me:$LINENO: checking if vasprintf needs a prototype" >&5
-echo $ECHO_N "checking if vasprintf needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if vasprintf needs a prototype" >&5
+echo $ECHO_N "checking if vasprintf needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_vasprintf_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -30012,50 +29513,45 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 	#include <stdio.h>
 	#include <string.h>
+struct foo { int foo; } xx;
+extern int vasprintf (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int vasprintf (struct foo*);
-vasprintf(&xx);
-
+vasprintf(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_vasprintf_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_vasprintf_noproto=no"
+	eval "ac_cv_func_vasprintf_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_vasprintf_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_vasprintf_noproto" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_vasprintf_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_vasprintf_noproto" >&6; }
 if test "$ac_cv_func_vasprintf_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -30066,8 +29562,8 @@ fi
 fi
 
 if test "$ac_cv_func_asnprintf+set" != set -o "$ac_cv_func_asnprintf" = yes; then
-echo "$as_me:$LINENO: checking if asnprintf needs a prototype" >&5
-echo $ECHO_N "checking if asnprintf needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if asnprintf needs a prototype" >&5
+echo $ECHO_N "checking if asnprintf needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_asnprintf_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -30080,50 +29576,45 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 	#include <stdio.h>
 	#include <string.h>
+struct foo { int foo; } xx;
+extern int asnprintf (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int asnprintf (struct foo*);
-asnprintf(&xx);
-
+asnprintf(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_asnprintf_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_asnprintf_noproto=no"
+	eval "ac_cv_func_asnprintf_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_asnprintf_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_asnprintf_noproto" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_asnprintf_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_asnprintf_noproto" >&6; }
 if test "$ac_cv_func_asnprintf_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -30134,8 +29625,8 @@ fi
 fi
 
 if test "$ac_cv_func_vasnprintf+set" != set -o "$ac_cv_func_vasnprintf" = yes; then
-echo "$as_me:$LINENO: checking if vasnprintf needs a prototype" >&5
-echo $ECHO_N "checking if vasnprintf needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if vasnprintf needs a prototype" >&5
+echo $ECHO_N "checking if vasnprintf needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_vasnprintf_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -30148,50 +29639,45 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 	#include <stdio.h>
 	#include <string.h>
+struct foo { int foo; } xx;
+extern int vasnprintf (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int vasnprintf (struct foo*);
-vasnprintf(&xx);
-
+vasnprintf(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_vasnprintf_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_vasnprintf_noproto=no"
+	eval "ac_cv_func_vasnprintf_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_vasnprintf_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_vasnprintf_noproto" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_vasnprintf_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_vasnprintf_noproto" >&6; }
 if test "$ac_cv_func_vasnprintf_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -30205,8 +29691,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for bswap16" >&5
-echo $ECHO_N "checking for bswap16... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for bswap16" >&5
+echo $ECHO_N "checking for bswap16... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_bswap16+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -30240,34 +29726,32 @@ bswap16(0)
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_bswap16=$ac_lib; else ac_cv_funclib_bswap16=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_bswap16=\${ac_cv_funclib_bswap16-no}"
@@ -30284,9 +29768,9 @@ if false; then
 for ac_func in bswap16
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -30312,68 +29796,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -30396,14 +29872,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_bswap16=no"
 	eval "LIB_bswap16="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_bswap16=yes"
@@ -30416,8 +29892,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -30426,8 +29902,8 @@ esac
 
 
 
-echo "$as_me:$LINENO: checking for bswap32" >&5
-echo $ECHO_N "checking for bswap32... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for bswap32" >&5
+echo $ECHO_N "checking for bswap32... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_bswap32+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -30461,34 +29937,32 @@ bswap32(0)
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_bswap32=$ac_lib; else ac_cv_funclib_bswap32=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_bswap32=\${ac_cv_funclib_bswap32-no}"
@@ -30505,9 +29979,9 @@ if false; then
 for ac_func in bswap32
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -30533,68 +30007,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -30617,14 +30083,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_bswap32=no"
 	eval "LIB_bswap32="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_bswap32=yes"
@@ -30637,8 +30103,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -30647,8 +30113,8 @@ esac
 
 
 
-echo "$as_me:$LINENO: checking for pidfile" >&5
-echo $ECHO_N "checking for pidfile... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for pidfile" >&5
+echo $ECHO_N "checking for pidfile... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_pidfile+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -30682,34 +30148,32 @@ pidfile(0)
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_pidfile=$ac_lib; else ac_cv_funclib_pidfile=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_pidfile=\${ac_cv_funclib_pidfile-no}"
@@ -30726,9 +30190,9 @@ if false; then
 for ac_func in pidfile
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -30754,68 +30218,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -30838,14 +30294,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_pidfile=no"
 	eval "LIB_pidfile="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_pidfile=yes"
@@ -30858,8 +30314,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -30869,8 +30325,8 @@ esac
 
 
 
-echo "$as_me:$LINENO: checking for getaddrinfo" >&5
-echo $ECHO_N "checking for getaddrinfo... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for getaddrinfo" >&5
+echo $ECHO_N "checking for getaddrinfo... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_getaddrinfo+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -30904,34 +30360,32 @@ getaddrinfo(0,0,0,0)
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_getaddrinfo=$ac_lib; else ac_cv_funclib_getaddrinfo=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_getaddrinfo=\${ac_cv_funclib_getaddrinfo-no}"
@@ -30948,9 +30402,9 @@ if false; then
 for ac_func in getaddrinfo
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -30976,68 +30430,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -31060,14 +30506,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_getaddrinfo=no"
 	eval "LIB_getaddrinfo="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_getaddrinfo=yes"
@@ -31080,8 +30526,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -31091,12 +30537,10 @@ if test -n "$LIB_getaddrinfo"; then
 fi
 
 if eval "test \"$ac_cv_func_getaddrinfo\" != yes"; then
-	case $LIBOBJS in
-    "getaddrinfo.$ac_objext"   | \
-  *" getaddrinfo.$ac_objext"   | \
-    "getaddrinfo.$ac_objext "* | \
+	case " $LIBOBJS " in
   *" getaddrinfo.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS getaddrinfo.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS getaddrinfo.$ac_objext"
+ ;;
 esac
 
 fi
@@ -31106,8 +30550,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for getnameinfo" >&5
-echo $ECHO_N "checking for getnameinfo... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for getnameinfo" >&5
+echo $ECHO_N "checking for getnameinfo... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_getnameinfo+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -31141,34 +30585,32 @@ getnameinfo(0,0,0,0,0,0,0)
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_getnameinfo=$ac_lib; else ac_cv_funclib_getnameinfo=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_getnameinfo=\${ac_cv_funclib_getnameinfo-no}"
@@ -31185,9 +30627,9 @@ if false; then
 for ac_func in getnameinfo
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -31213,68 +30655,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -31297,14 +30731,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_getnameinfo=no"
 	eval "LIB_getnameinfo="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_getnameinfo=yes"
@@ -31317,8 +30751,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -31328,12 +30762,10 @@ if test -n "$LIB_getnameinfo"; then
 fi
 
 if eval "test \"$ac_cv_func_getnameinfo\" != yes"; then
-	case $LIBOBJS in
-    "getnameinfo.$ac_objext"   | \
-  *" getnameinfo.$ac_objext"   | \
-    "getnameinfo.$ac_objext "* | \
+	case " $LIBOBJS " in
   *" getnameinfo.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS getnameinfo.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS getnameinfo.$ac_objext"
+ ;;
 esac
 
 fi
@@ -31343,8 +30775,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for freeaddrinfo" >&5
-echo $ECHO_N "checking for freeaddrinfo... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for freeaddrinfo" >&5
+echo $ECHO_N "checking for freeaddrinfo... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_freeaddrinfo+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -31378,34 +30810,32 @@ freeaddrinfo(0)
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_freeaddrinfo=$ac_lib; else ac_cv_funclib_freeaddrinfo=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_freeaddrinfo=\${ac_cv_funclib_freeaddrinfo-no}"
@@ -31422,9 +30852,9 @@ if false; then
 for ac_func in freeaddrinfo
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -31450,68 +30880,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -31534,14 +30956,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_freeaddrinfo=no"
 	eval "LIB_freeaddrinfo="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_freeaddrinfo=yes"
@@ -31554,8 +30976,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -31565,12 +30987,10 @@ if test -n "$LIB_freeaddrinfo"; then
 fi
 
 if eval "test \"$ac_cv_func_freeaddrinfo\" != yes"; then
-	case $LIBOBJS in
-    "freeaddrinfo.$ac_objext"   | \
-  *" freeaddrinfo.$ac_objext"   | \
-    "freeaddrinfo.$ac_objext "* | \
+	case " $LIBOBJS " in
   *" freeaddrinfo.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS freeaddrinfo.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS freeaddrinfo.$ac_objext"
+ ;;
 esac
 
 fi
@@ -31580,8 +31000,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for gai_strerror" >&5
-echo $ECHO_N "checking for gai_strerror... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for gai_strerror" >&5
+echo $ECHO_N "checking for gai_strerror... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_gai_strerror+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -31615,34 +31035,32 @@ gai_strerror(0)
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_gai_strerror=$ac_lib; else ac_cv_funclib_gai_strerror=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_gai_strerror=\${ac_cv_funclib_gai_strerror-no}"
@@ -31659,9 +31077,9 @@ if false; then
 for ac_func in gai_strerror
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -31687,68 +31105,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -31771,14 +31181,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_gai_strerror=no"
 	eval "LIB_gai_strerror="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_gai_strerror=yes"
@@ -31791,8 +31201,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -31802,19 +31212,17 @@ if test -n "$LIB_gai_strerror"; then
 fi
 
 if eval "test \"$ac_cv_func_gai_strerror\" != yes"; then
-	case $LIBOBJS in
-    "gai_strerror.$ac_objext"   | \
-  *" gai_strerror.$ac_objext"   | \
-    "gai_strerror.$ac_objext "* | \
+	case " $LIBOBJS " in
   *" gai_strerror.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS gai_strerror.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS gai_strerror.$ac_objext"
+ ;;
 esac
 
 fi
 
 
-echo "$as_me:$LINENO: checking for chown" >&5
-echo $ECHO_N "checking for chown... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for chown" >&5
+echo $ECHO_N "checking for chown... $ECHO_C" >&6; }
 if test "${ac_cv_func_chown+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -31841,68 +31249,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef chown
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char chown ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_chown) || defined (__stub___chown)
+#if defined __stub_chown || defined __stub___chown
 choke me
-#else
-char (*f) () = chown;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != chown;
+return chown ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_chown=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_chown=no
+	ac_cv_func_chown=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_chown" >&5
-echo "${ECHO_T}$ac_cv_func_chown" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_chown" >&5
+echo "${ECHO_T}$ac_cv_func_chown" >&6; }
 if test $ac_cv_func_chown = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -31910,17 +31309,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "chown.$ac_objext"   | \
-  *" chown.$ac_objext"   | \
-    "chown.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" chown.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS chown.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS chown.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for copyhostent" >&5
-echo $ECHO_N "checking for copyhostent... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for copyhostent" >&5
+echo $ECHO_N "checking for copyhostent... $ECHO_C" >&6; }
 if test "${ac_cv_func_copyhostent+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -31947,68 +31344,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef copyhostent
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char copyhostent ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_copyhostent) || defined (__stub___copyhostent)
+#if defined __stub_copyhostent || defined __stub___copyhostent
 choke me
-#else
-char (*f) () = copyhostent;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != copyhostent;
+return copyhostent ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_copyhostent=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_copyhostent=no
+	ac_cv_func_copyhostent=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_copyhostent" >&5
-echo "${ECHO_T}$ac_cv_func_copyhostent" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_copyhostent" >&5
+echo "${ECHO_T}$ac_cv_func_copyhostent" >&6; }
 if test $ac_cv_func_copyhostent = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -32016,17 +31404,110 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "copyhostent.$ac_objext"   | \
-  *" copyhostent.$ac_objext"   | \
-    "copyhostent.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" copyhostent.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS copyhostent.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS copyhostent.$ac_objext"
+ ;;
+esac
+
+fi
+{ echo "$as_me:$LINENO: checking for closefrom" >&5
+echo $ECHO_N "checking for closefrom... $ECHO_C" >&6; }
+if test "${ac_cv_func_closefrom+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define closefrom to an innocuous variant, in case <limits.h> declares closefrom.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define closefrom innocuous_closefrom
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char closefrom (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef closefrom
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char closefrom ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_closefrom || defined __stub___closefrom
+choke me
+#endif
+
+int
+main ()
+{
+return closefrom ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_func_closefrom=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_func_closefrom=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_func_closefrom" >&5
+echo "${ECHO_T}$ac_cv_func_closefrom" >&6; }
+if test $ac_cv_func_closefrom = yes; then
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_CLOSEFROM 1
+_ACEOF
+
+else
+  case " $LIBOBJS " in
+  *" closefrom.$ac_objext "* ) ;;
+  *) LIBOBJS="$LIBOBJS closefrom.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for daemon" >&5
-echo $ECHO_N "checking for daemon... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for daemon" >&5
+echo $ECHO_N "checking for daemon... $ECHO_C" >&6; }
 if test "${ac_cv_func_daemon+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -32053,68 +31534,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef daemon
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char daemon ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_daemon) || defined (__stub___daemon)
+#if defined __stub_daemon || defined __stub___daemon
 choke me
-#else
-char (*f) () = daemon;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != daemon;
+return daemon ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_daemon=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_daemon=no
+	ac_cv_func_daemon=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_daemon" >&5
-echo "${ECHO_T}$ac_cv_func_daemon" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_daemon" >&5
+echo "${ECHO_T}$ac_cv_func_daemon" >&6; }
 if test $ac_cv_func_daemon = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -32122,17 +31594,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "daemon.$ac_objext"   | \
-  *" daemon.$ac_objext"   | \
-    "daemon.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" daemon.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS daemon.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS daemon.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for ecalloc" >&5
-echo $ECHO_N "checking for ecalloc... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for ecalloc" >&5
+echo $ECHO_N "checking for ecalloc... $ECHO_C" >&6; }
 if test "${ac_cv_func_ecalloc+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -32159,68 +31629,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef ecalloc
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char ecalloc ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_ecalloc) || defined (__stub___ecalloc)
+#if defined __stub_ecalloc || defined __stub___ecalloc
 choke me
-#else
-char (*f) () = ecalloc;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != ecalloc;
+return ecalloc ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_ecalloc=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_ecalloc=no
+	ac_cv_func_ecalloc=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_ecalloc" >&5
-echo "${ECHO_T}$ac_cv_func_ecalloc" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_ecalloc" >&5
+echo "${ECHO_T}$ac_cv_func_ecalloc" >&6; }
 if test $ac_cv_func_ecalloc = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -32228,17 +31689,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "ecalloc.$ac_objext"   | \
-  *" ecalloc.$ac_objext"   | \
-    "ecalloc.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" ecalloc.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS ecalloc.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS ecalloc.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for emalloc" >&5
-echo $ECHO_N "checking for emalloc... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for emalloc" >&5
+echo $ECHO_N "checking for emalloc... $ECHO_C" >&6; }
 if test "${ac_cv_func_emalloc+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -32265,68 +31724,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef emalloc
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char emalloc ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_emalloc) || defined (__stub___emalloc)
+#if defined __stub_emalloc || defined __stub___emalloc
 choke me
-#else
-char (*f) () = emalloc;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != emalloc;
+return emalloc ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_emalloc=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_emalloc=no
+	ac_cv_func_emalloc=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_emalloc" >&5
-echo "${ECHO_T}$ac_cv_func_emalloc" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_emalloc" >&5
+echo "${ECHO_T}$ac_cv_func_emalloc" >&6; }
 if test $ac_cv_func_emalloc = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -32334,17 +31784,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "emalloc.$ac_objext"   | \
-  *" emalloc.$ac_objext"   | \
-    "emalloc.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" emalloc.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS emalloc.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS emalloc.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for erealloc" >&5
-echo $ECHO_N "checking for erealloc... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for erealloc" >&5
+echo $ECHO_N "checking for erealloc... $ECHO_C" >&6; }
 if test "${ac_cv_func_erealloc+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -32371,68 +31819,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef erealloc
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char erealloc ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_erealloc) || defined (__stub___erealloc)
+#if defined __stub_erealloc || defined __stub___erealloc
 choke me
-#else
-char (*f) () = erealloc;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != erealloc;
+return erealloc ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_erealloc=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_erealloc=no
+	ac_cv_func_erealloc=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_erealloc" >&5
-echo "${ECHO_T}$ac_cv_func_erealloc" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_erealloc" >&5
+echo "${ECHO_T}$ac_cv_func_erealloc" >&6; }
 if test $ac_cv_func_erealloc = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -32440,17 +31879,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "erealloc.$ac_objext"   | \
-  *" erealloc.$ac_objext"   | \
-    "erealloc.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" erealloc.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS erealloc.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS erealloc.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for estrdup" >&5
-echo $ECHO_N "checking for estrdup... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for estrdup" >&5
+echo $ECHO_N "checking for estrdup... $ECHO_C" >&6; }
 if test "${ac_cv_func_estrdup+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -32477,68 +31914,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef estrdup
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char estrdup ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_estrdup) || defined (__stub___estrdup)
+#if defined __stub_estrdup || defined __stub___estrdup
 choke me
-#else
-char (*f) () = estrdup;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != estrdup;
+return estrdup ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_estrdup=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_estrdup=no
+	ac_cv_func_estrdup=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_estrdup" >&5
-echo "${ECHO_T}$ac_cv_func_estrdup" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_estrdup" >&5
+echo "${ECHO_T}$ac_cv_func_estrdup" >&6; }
 if test $ac_cv_func_estrdup = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -32546,17 +31974,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "estrdup.$ac_objext"   | \
-  *" estrdup.$ac_objext"   | \
-    "estrdup.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" estrdup.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS estrdup.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS estrdup.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for err" >&5
-echo $ECHO_N "checking for err... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for err" >&5
+echo $ECHO_N "checking for err... $ECHO_C" >&6; }
 if test "${ac_cv_func_err+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -32583,68 +32009,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef err
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char err ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_err) || defined (__stub___err)
+#if defined __stub_err || defined __stub___err
 choke me
-#else
-char (*f) () = err;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != err;
+return err ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_err=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_err=no
+	ac_cv_func_err=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_err" >&5
-echo "${ECHO_T}$ac_cv_func_err" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_err" >&5
+echo "${ECHO_T}$ac_cv_func_err" >&6; }
 if test $ac_cv_func_err = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -32652,17 +32069,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "err.$ac_objext"   | \
-  *" err.$ac_objext"   | \
-    "err.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" err.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS err.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS err.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for errx" >&5
-echo $ECHO_N "checking for errx... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for errx" >&5
+echo $ECHO_N "checking for errx... $ECHO_C" >&6; }
 if test "${ac_cv_func_errx+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -32689,68 +32104,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef errx
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char errx ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_errx) || defined (__stub___errx)
+#if defined __stub_errx || defined __stub___errx
 choke me
-#else
-char (*f) () = errx;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != errx;
+return errx ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_errx=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_errx=no
+	ac_cv_func_errx=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_errx" >&5
-echo "${ECHO_T}$ac_cv_func_errx" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_errx" >&5
+echo "${ECHO_T}$ac_cv_func_errx" >&6; }
 if test $ac_cv_func_errx = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -32758,17 +32164,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "errx.$ac_objext"   | \
-  *" errx.$ac_objext"   | \
-    "errx.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" errx.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS errx.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS errx.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for fchown" >&5
-echo $ECHO_N "checking for fchown... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for fchown" >&5
+echo $ECHO_N "checking for fchown... $ECHO_C" >&6; }
 if test "${ac_cv_func_fchown+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -32795,68 +32199,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef fchown
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char fchown ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_fchown) || defined (__stub___fchown)
+#if defined __stub_fchown || defined __stub___fchown
 choke me
-#else
-char (*f) () = fchown;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != fchown;
+return fchown ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_fchown=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_fchown=no
+	ac_cv_func_fchown=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_fchown" >&5
-echo "${ECHO_T}$ac_cv_func_fchown" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_fchown" >&5
+echo "${ECHO_T}$ac_cv_func_fchown" >&6; }
 if test $ac_cv_func_fchown = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -32864,17 +32259,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "fchown.$ac_objext"   | \
-  *" fchown.$ac_objext"   | \
-    "fchown.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" fchown.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS fchown.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS fchown.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for flock" >&5
-echo $ECHO_N "checking for flock... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for flock" >&5
+echo $ECHO_N "checking for flock... $ECHO_C" >&6; }
 if test "${ac_cv_func_flock+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -32901,68 +32294,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef flock
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char flock ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_flock) || defined (__stub___flock)
+#if defined __stub_flock || defined __stub___flock
 choke me
-#else
-char (*f) () = flock;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != flock;
+return flock ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_flock=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_flock=no
+	ac_cv_func_flock=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_flock" >&5
-echo "${ECHO_T}$ac_cv_func_flock" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_flock" >&5
+echo "${ECHO_T}$ac_cv_func_flock" >&6; }
 if test $ac_cv_func_flock = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -32970,17 +32354,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "flock.$ac_objext"   | \
-  *" flock.$ac_objext"   | \
-    "flock.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" flock.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS flock.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS flock.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for fnmatch" >&5
-echo $ECHO_N "checking for fnmatch... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for fnmatch" >&5
+echo $ECHO_N "checking for fnmatch... $ECHO_C" >&6; }
 if test "${ac_cv_func_fnmatch+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -33007,68 +32389,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef fnmatch
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char fnmatch ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_fnmatch) || defined (__stub___fnmatch)
+#if defined __stub_fnmatch || defined __stub___fnmatch
 choke me
-#else
-char (*f) () = fnmatch;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != fnmatch;
+return fnmatch ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_fnmatch=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_fnmatch=no
+	ac_cv_func_fnmatch=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_fnmatch" >&5
-echo "${ECHO_T}$ac_cv_func_fnmatch" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_fnmatch" >&5
+echo "${ECHO_T}$ac_cv_func_fnmatch" >&6; }
 if test $ac_cv_func_fnmatch = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -33076,17 +32449,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "fnmatch.$ac_objext"   | \
-  *" fnmatch.$ac_objext"   | \
-    "fnmatch.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" fnmatch.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS fnmatch.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS fnmatch.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for freehostent" >&5
-echo $ECHO_N "checking for freehostent... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for freehostent" >&5
+echo $ECHO_N "checking for freehostent... $ECHO_C" >&6; }
 if test "${ac_cv_func_freehostent+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -33113,68 +32484,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef freehostent
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char freehostent ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_freehostent) || defined (__stub___freehostent)
+#if defined __stub_freehostent || defined __stub___freehostent
 choke me
-#else
-char (*f) () = freehostent;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != freehostent;
+return freehostent ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_freehostent=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_freehostent=no
+	ac_cv_func_freehostent=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_freehostent" >&5
-echo "${ECHO_T}$ac_cv_func_freehostent" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_freehostent" >&5
+echo "${ECHO_T}$ac_cv_func_freehostent" >&6; }
 if test $ac_cv_func_freehostent = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -33182,17 +32544,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "freehostent.$ac_objext"   | \
-  *" freehostent.$ac_objext"   | \
-    "freehostent.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" freehostent.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS freehostent.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS freehostent.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for getcwd" >&5
-echo $ECHO_N "checking for getcwd... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for getcwd" >&5
+echo $ECHO_N "checking for getcwd... $ECHO_C" >&6; }
 if test "${ac_cv_func_getcwd+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -33219,68 +32579,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef getcwd
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char getcwd ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_getcwd) || defined (__stub___getcwd)
+#if defined __stub_getcwd || defined __stub___getcwd
 choke me
-#else
-char (*f) () = getcwd;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != getcwd;
+return getcwd ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_getcwd=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_getcwd=no
+	ac_cv_func_getcwd=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getcwd" >&5
-echo "${ECHO_T}$ac_cv_func_getcwd" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_getcwd" >&5
+echo "${ECHO_T}$ac_cv_func_getcwd" >&6; }
 if test $ac_cv_func_getcwd = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -33288,17 +32639,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "getcwd.$ac_objext"   | \
-  *" getcwd.$ac_objext"   | \
-    "getcwd.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" getcwd.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS getcwd.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS getcwd.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for getdtablesize" >&5
-echo $ECHO_N "checking for getdtablesize... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for getdtablesize" >&5
+echo $ECHO_N "checking for getdtablesize... $ECHO_C" >&6; }
 if test "${ac_cv_func_getdtablesize+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -33325,68 +32674,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef getdtablesize
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char getdtablesize ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_getdtablesize) || defined (__stub___getdtablesize)
+#if defined __stub_getdtablesize || defined __stub___getdtablesize
 choke me
-#else
-char (*f) () = getdtablesize;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != getdtablesize;
+return getdtablesize ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_getdtablesize=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_getdtablesize=no
+	ac_cv_func_getdtablesize=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getdtablesize" >&5
-echo "${ECHO_T}$ac_cv_func_getdtablesize" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_getdtablesize" >&5
+echo "${ECHO_T}$ac_cv_func_getdtablesize" >&6; }
 if test $ac_cv_func_getdtablesize = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -33394,17 +32734,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "getdtablesize.$ac_objext"   | \
-  *" getdtablesize.$ac_objext"   | \
-    "getdtablesize.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" getdtablesize.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS getdtablesize.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS getdtablesize.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for getegid" >&5
-echo $ECHO_N "checking for getegid... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for getegid" >&5
+echo $ECHO_N "checking for getegid... $ECHO_C" >&6; }
 if test "${ac_cv_func_getegid+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -33431,68 +32769,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef getegid
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char getegid ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_getegid) || defined (__stub___getegid)
+#if defined __stub_getegid || defined __stub___getegid
 choke me
-#else
-char (*f) () = getegid;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != getegid;
+return getegid ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_getegid=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_getegid=no
+	ac_cv_func_getegid=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getegid" >&5
-echo "${ECHO_T}$ac_cv_func_getegid" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_getegid" >&5
+echo "${ECHO_T}$ac_cv_func_getegid" >&6; }
 if test $ac_cv_func_getegid = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -33500,17 +32829,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "getegid.$ac_objext"   | \
-  *" getegid.$ac_objext"   | \
-    "getegid.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" getegid.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS getegid.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS getegid.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for geteuid" >&5
-echo $ECHO_N "checking for geteuid... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for geteuid" >&5
+echo $ECHO_N "checking for geteuid... $ECHO_C" >&6; }
 if test "${ac_cv_func_geteuid+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -33537,68 +32864,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef geteuid
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char geteuid ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_geteuid) || defined (__stub___geteuid)
+#if defined __stub_geteuid || defined __stub___geteuid
 choke me
-#else
-char (*f) () = geteuid;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != geteuid;
+return geteuid ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_geteuid=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_geteuid=no
+	ac_cv_func_geteuid=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_geteuid" >&5
-echo "${ECHO_T}$ac_cv_func_geteuid" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_geteuid" >&5
+echo "${ECHO_T}$ac_cv_func_geteuid" >&6; }
 if test $ac_cv_func_geteuid = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -33606,17 +32924,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "geteuid.$ac_objext"   | \
-  *" geteuid.$ac_objext"   | \
-    "geteuid.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" geteuid.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS geteuid.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS geteuid.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for getgid" >&5
-echo $ECHO_N "checking for getgid... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for getgid" >&5
+echo $ECHO_N "checking for getgid... $ECHO_C" >&6; }
 if test "${ac_cv_func_getgid+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -33643,68 +32959,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef getgid
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char getgid ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_getgid) || defined (__stub___getgid)
+#if defined __stub_getgid || defined __stub___getgid
 choke me
-#else
-char (*f) () = getgid;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != getgid;
+return getgid ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_getgid=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_getgid=no
+	ac_cv_func_getgid=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getgid" >&5
-echo "${ECHO_T}$ac_cv_func_getgid" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_getgid" >&5
+echo "${ECHO_T}$ac_cv_func_getgid" >&6; }
 if test $ac_cv_func_getgid = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -33712,17 +33019,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "getgid.$ac_objext"   | \
-  *" getgid.$ac_objext"   | \
-    "getgid.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" getgid.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS getgid.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS getgid.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for gethostname" >&5
-echo $ECHO_N "checking for gethostname... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for gethostname" >&5
+echo $ECHO_N "checking for gethostname... $ECHO_C" >&6; }
 if test "${ac_cv_func_gethostname+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -33749,68 +33054,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef gethostname
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char gethostname ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_gethostname) || defined (__stub___gethostname)
+#if defined __stub_gethostname || defined __stub___gethostname
 choke me
-#else
-char (*f) () = gethostname;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != gethostname;
+return gethostname ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_gethostname=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_gethostname=no
+	ac_cv_func_gethostname=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_gethostname" >&5
-echo "${ECHO_T}$ac_cv_func_gethostname" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_gethostname" >&5
+echo "${ECHO_T}$ac_cv_func_gethostname" >&6; }
 if test $ac_cv_func_gethostname = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -33818,17 +33114,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "gethostname.$ac_objext"   | \
-  *" gethostname.$ac_objext"   | \
-    "gethostname.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" gethostname.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS gethostname.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS gethostname.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for getifaddrs" >&5
-echo $ECHO_N "checking for getifaddrs... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for getifaddrs" >&5
+echo $ECHO_N "checking for getifaddrs... $ECHO_C" >&6; }
 if test "${ac_cv_func_getifaddrs+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -33855,68 +33149,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef getifaddrs
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char getifaddrs ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_getifaddrs) || defined (__stub___getifaddrs)
+#if defined __stub_getifaddrs || defined __stub___getifaddrs
 choke me
-#else
-char (*f) () = getifaddrs;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != getifaddrs;
+return getifaddrs ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_getifaddrs=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_getifaddrs=no
+	ac_cv_func_getifaddrs=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getifaddrs" >&5
-echo "${ECHO_T}$ac_cv_func_getifaddrs" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_getifaddrs" >&5
+echo "${ECHO_T}$ac_cv_func_getifaddrs" >&6; }
 if test $ac_cv_func_getifaddrs = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -33924,17 +33209,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "getifaddrs.$ac_objext"   | \
-  *" getifaddrs.$ac_objext"   | \
-    "getifaddrs.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" getifaddrs.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS getifaddrs.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS getifaddrs.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for getipnodebyaddr" >&5
-echo $ECHO_N "checking for getipnodebyaddr... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for getipnodebyaddr" >&5
+echo $ECHO_N "checking for getipnodebyaddr... $ECHO_C" >&6; }
 if test "${ac_cv_func_getipnodebyaddr+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -33961,68 +33244,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef getipnodebyaddr
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char getipnodebyaddr ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_getipnodebyaddr) || defined (__stub___getipnodebyaddr)
+#if defined __stub_getipnodebyaddr || defined __stub___getipnodebyaddr
 choke me
-#else
-char (*f) () = getipnodebyaddr;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != getipnodebyaddr;
+return getipnodebyaddr ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_getipnodebyaddr=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_getipnodebyaddr=no
+	ac_cv_func_getipnodebyaddr=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getipnodebyaddr" >&5
-echo "${ECHO_T}$ac_cv_func_getipnodebyaddr" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_getipnodebyaddr" >&5
+echo "${ECHO_T}$ac_cv_func_getipnodebyaddr" >&6; }
 if test $ac_cv_func_getipnodebyaddr = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -34030,17 +33304,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "getipnodebyaddr.$ac_objext"   | \
-  *" getipnodebyaddr.$ac_objext"   | \
-    "getipnodebyaddr.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" getipnodebyaddr.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS getipnodebyaddr.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS getipnodebyaddr.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for getipnodebyname" >&5
-echo $ECHO_N "checking for getipnodebyname... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for getipnodebyname" >&5
+echo $ECHO_N "checking for getipnodebyname... $ECHO_C" >&6; }
 if test "${ac_cv_func_getipnodebyname+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -34067,68 +33339,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef getipnodebyname
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char getipnodebyname ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_getipnodebyname) || defined (__stub___getipnodebyname)
+#if defined __stub_getipnodebyname || defined __stub___getipnodebyname
 choke me
-#else
-char (*f) () = getipnodebyname;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != getipnodebyname;
+return getipnodebyname ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_getipnodebyname=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_getipnodebyname=no
+	ac_cv_func_getipnodebyname=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getipnodebyname" >&5
-echo "${ECHO_T}$ac_cv_func_getipnodebyname" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_getipnodebyname" >&5
+echo "${ECHO_T}$ac_cv_func_getipnodebyname" >&6; }
 if test $ac_cv_func_getipnodebyname = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -34136,17 +33399,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "getipnodebyname.$ac_objext"   | \
-  *" getipnodebyname.$ac_objext"   | \
-    "getipnodebyname.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" getipnodebyname.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS getipnodebyname.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS getipnodebyname.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for getopt" >&5
-echo $ECHO_N "checking for getopt... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for getopt" >&5
+echo $ECHO_N "checking for getopt... $ECHO_C" >&6; }
 if test "${ac_cv_func_getopt+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -34173,68 +33434,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef getopt
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char getopt ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_getopt) || defined (__stub___getopt)
+#if defined __stub_getopt || defined __stub___getopt
 choke me
-#else
-char (*f) () = getopt;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != getopt;
+return getopt ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_getopt=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_getopt=no
+	ac_cv_func_getopt=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getopt" >&5
-echo "${ECHO_T}$ac_cv_func_getopt" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_getopt" >&5
+echo "${ECHO_T}$ac_cv_func_getopt" >&6; }
 if test $ac_cv_func_getopt = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -34242,17 +33494,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "getopt.$ac_objext"   | \
-  *" getopt.$ac_objext"   | \
-    "getopt.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" getopt.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS getopt.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS getopt.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for gettimeofday" >&5
-echo $ECHO_N "checking for gettimeofday... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for gettimeofday" >&5
+echo $ECHO_N "checking for gettimeofday... $ECHO_C" >&6; }
 if test "${ac_cv_func_gettimeofday+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -34279,68 +33529,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef gettimeofday
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char gettimeofday ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_gettimeofday) || defined (__stub___gettimeofday)
+#if defined __stub_gettimeofday || defined __stub___gettimeofday
 choke me
-#else
-char (*f) () = gettimeofday;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != gettimeofday;
+return gettimeofday ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_gettimeofday=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_gettimeofday=no
+	ac_cv_func_gettimeofday=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_gettimeofday" >&5
-echo "${ECHO_T}$ac_cv_func_gettimeofday" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_gettimeofday" >&5
+echo "${ECHO_T}$ac_cv_func_gettimeofday" >&6; }
 if test $ac_cv_func_gettimeofday = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -34348,17 +33589,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "gettimeofday.$ac_objext"   | \
-  *" gettimeofday.$ac_objext"   | \
-    "gettimeofday.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" gettimeofday.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS gettimeofday.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS gettimeofday.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for getuid" >&5
-echo $ECHO_N "checking for getuid... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for getuid" >&5
+echo $ECHO_N "checking for getuid... $ECHO_C" >&6; }
 if test "${ac_cv_func_getuid+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -34385,68 +33624,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef getuid
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char getuid ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_getuid) || defined (__stub___getuid)
+#if defined __stub_getuid || defined __stub___getuid
 choke me
-#else
-char (*f) () = getuid;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != getuid;
+return getuid ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_getuid=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_getuid=no
+	ac_cv_func_getuid=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getuid" >&5
-echo "${ECHO_T}$ac_cv_func_getuid" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_getuid" >&5
+echo "${ECHO_T}$ac_cv_func_getuid" >&6; }
 if test $ac_cv_func_getuid = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -34454,17 +33684,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "getuid.$ac_objext"   | \
-  *" getuid.$ac_objext"   | \
-    "getuid.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" getuid.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS getuid.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS getuid.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for getusershell" >&5
-echo $ECHO_N "checking for getusershell... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for getusershell" >&5
+echo $ECHO_N "checking for getusershell... $ECHO_C" >&6; }
 if test "${ac_cv_func_getusershell+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -34491,68 +33719,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef getusershell
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char getusershell ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_getusershell) || defined (__stub___getusershell)
+#if defined __stub_getusershell || defined __stub___getusershell
 choke me
-#else
-char (*f) () = getusershell;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != getusershell;
+return getusershell ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_getusershell=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_getusershell=no
+	ac_cv_func_getusershell=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getusershell" >&5
-echo "${ECHO_T}$ac_cv_func_getusershell" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_getusershell" >&5
+echo "${ECHO_T}$ac_cv_func_getusershell" >&6; }
 if test $ac_cv_func_getusershell = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -34560,17 +33779,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "getusershell.$ac_objext"   | \
-  *" getusershell.$ac_objext"   | \
-    "getusershell.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" getusershell.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS getusershell.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS getusershell.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for initgroups" >&5
-echo $ECHO_N "checking for initgroups... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for initgroups" >&5
+echo $ECHO_N "checking for initgroups... $ECHO_C" >&6; }
 if test "${ac_cv_func_initgroups+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -34597,68 +33814,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef initgroups
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char initgroups ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_initgroups) || defined (__stub___initgroups)
+#if defined __stub_initgroups || defined __stub___initgroups
 choke me
-#else
-char (*f) () = initgroups;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != initgroups;
+return initgroups ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_initgroups=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_initgroups=no
+	ac_cv_func_initgroups=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_initgroups" >&5
-echo "${ECHO_T}$ac_cv_func_initgroups" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_initgroups" >&5
+echo "${ECHO_T}$ac_cv_func_initgroups" >&6; }
 if test $ac_cv_func_initgroups = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -34666,17 +33874,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "initgroups.$ac_objext"   | \
-  *" initgroups.$ac_objext"   | \
-    "initgroups.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" initgroups.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS initgroups.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS initgroups.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for innetgr" >&5
-echo $ECHO_N "checking for innetgr... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for innetgr" >&5
+echo $ECHO_N "checking for innetgr... $ECHO_C" >&6; }
 if test "${ac_cv_func_innetgr+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -34703,68 +33909,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef innetgr
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char innetgr ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_innetgr) || defined (__stub___innetgr)
+#if defined __stub_innetgr || defined __stub___innetgr
 choke me
-#else
-char (*f) () = innetgr;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != innetgr;
+return innetgr ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_innetgr=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_innetgr=no
+	ac_cv_func_innetgr=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_innetgr" >&5
-echo "${ECHO_T}$ac_cv_func_innetgr" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_innetgr" >&5
+echo "${ECHO_T}$ac_cv_func_innetgr" >&6; }
 if test $ac_cv_func_innetgr = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -34772,17 +33969,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "innetgr.$ac_objext"   | \
-  *" innetgr.$ac_objext"   | \
-    "innetgr.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" innetgr.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS innetgr.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS innetgr.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for iruserok" >&5
-echo $ECHO_N "checking for iruserok... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for iruserok" >&5
+echo $ECHO_N "checking for iruserok... $ECHO_C" >&6; }
 if test "${ac_cv_func_iruserok+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -34809,68 +34004,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef iruserok
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char iruserok ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_iruserok) || defined (__stub___iruserok)
+#if defined __stub_iruserok || defined __stub___iruserok
 choke me
-#else
-char (*f) () = iruserok;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != iruserok;
+return iruserok ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_iruserok=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_iruserok=no
+	ac_cv_func_iruserok=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_iruserok" >&5
-echo "${ECHO_T}$ac_cv_func_iruserok" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_iruserok" >&5
+echo "${ECHO_T}$ac_cv_func_iruserok" >&6; }
 if test $ac_cv_func_iruserok = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -34878,17 +34064,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "iruserok.$ac_objext"   | \
-  *" iruserok.$ac_objext"   | \
-    "iruserok.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" iruserok.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS iruserok.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS iruserok.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for localtime_r" >&5
-echo $ECHO_N "checking for localtime_r... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for localtime_r" >&5
+echo $ECHO_N "checking for localtime_r... $ECHO_C" >&6; }
 if test "${ac_cv_func_localtime_r+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -34915,68 +34099,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef localtime_r
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char localtime_r ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_localtime_r) || defined (__stub___localtime_r)
+#if defined __stub_localtime_r || defined __stub___localtime_r
 choke me
-#else
-char (*f) () = localtime_r;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != localtime_r;
+return localtime_r ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_localtime_r=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_localtime_r=no
+	ac_cv_func_localtime_r=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_localtime_r" >&5
-echo "${ECHO_T}$ac_cv_func_localtime_r" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_localtime_r" >&5
+echo "${ECHO_T}$ac_cv_func_localtime_r" >&6; }
 if test $ac_cv_func_localtime_r = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -34984,17 +34159,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "localtime_r.$ac_objext"   | \
-  *" localtime_r.$ac_objext"   | \
-    "localtime_r.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" localtime_r.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS localtime_r.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS localtime_r.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for lstat" >&5
-echo $ECHO_N "checking for lstat... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for lstat" >&5
+echo $ECHO_N "checking for lstat... $ECHO_C" >&6; }
 if test "${ac_cv_func_lstat+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -35021,68 +34194,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef lstat
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char lstat ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_lstat) || defined (__stub___lstat)
+#if defined __stub_lstat || defined __stub___lstat
 choke me
-#else
-char (*f) () = lstat;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != lstat;
+return lstat ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_lstat=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_lstat=no
+	ac_cv_func_lstat=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_lstat" >&5
-echo "${ECHO_T}$ac_cv_func_lstat" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_lstat" >&5
+echo "${ECHO_T}$ac_cv_func_lstat" >&6; }
 if test $ac_cv_func_lstat = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -35090,17 +34254,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "lstat.$ac_objext"   | \
-  *" lstat.$ac_objext"   | \
-    "lstat.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" lstat.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS lstat.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS lstat.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for memmove" >&5
-echo $ECHO_N "checking for memmove... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for memmove" >&5
+echo $ECHO_N "checking for memmove... $ECHO_C" >&6; }
 if test "${ac_cv_func_memmove+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -35127,68 +34289,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef memmove
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char memmove ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_memmove) || defined (__stub___memmove)
+#if defined __stub_memmove || defined __stub___memmove
 choke me
-#else
-char (*f) () = memmove;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != memmove;
+return memmove ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_memmove=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_memmove=no
+	ac_cv_func_memmove=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_memmove" >&5
-echo "${ECHO_T}$ac_cv_func_memmove" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_memmove" >&5
+echo "${ECHO_T}$ac_cv_func_memmove" >&6; }
 if test $ac_cv_func_memmove = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -35196,17 +34349,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "memmove.$ac_objext"   | \
-  *" memmove.$ac_objext"   | \
-    "memmove.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" memmove.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS memmove.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS memmove.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for mkstemp" >&5
-echo $ECHO_N "checking for mkstemp... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for mkstemp" >&5
+echo $ECHO_N "checking for mkstemp... $ECHO_C" >&6; }
 if test "${ac_cv_func_mkstemp+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -35233,68 +34384,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef mkstemp
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char mkstemp ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_mkstemp) || defined (__stub___mkstemp)
+#if defined __stub_mkstemp || defined __stub___mkstemp
 choke me
-#else
-char (*f) () = mkstemp;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != mkstemp;
+return mkstemp ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_mkstemp=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_mkstemp=no
+	ac_cv_func_mkstemp=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_mkstemp" >&5
-echo "${ECHO_T}$ac_cv_func_mkstemp" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_mkstemp" >&5
+echo "${ECHO_T}$ac_cv_func_mkstemp" >&6; }
 if test $ac_cv_func_mkstemp = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -35302,17 +34444,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "mkstemp.$ac_objext"   | \
-  *" mkstemp.$ac_objext"   | \
-    "mkstemp.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" mkstemp.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS mkstemp.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS mkstemp.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for putenv" >&5
-echo $ECHO_N "checking for putenv... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for putenv" >&5
+echo $ECHO_N "checking for putenv... $ECHO_C" >&6; }
 if test "${ac_cv_func_putenv+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -35339,68 +34479,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef putenv
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char putenv ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_putenv) || defined (__stub___putenv)
+#if defined __stub_putenv || defined __stub___putenv
 choke me
-#else
-char (*f) () = putenv;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != putenv;
+return putenv ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_putenv=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_putenv=no
+	ac_cv_func_putenv=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_putenv" >&5
-echo "${ECHO_T}$ac_cv_func_putenv" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_putenv" >&5
+echo "${ECHO_T}$ac_cv_func_putenv" >&6; }
 if test $ac_cv_func_putenv = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -35408,17 +34539,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "putenv.$ac_objext"   | \
-  *" putenv.$ac_objext"   | \
-    "putenv.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" putenv.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS putenv.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS putenv.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for rcmd" >&5
-echo $ECHO_N "checking for rcmd... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for rcmd" >&5
+echo $ECHO_N "checking for rcmd... $ECHO_C" >&6; }
 if test "${ac_cv_func_rcmd+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -35445,68 +34574,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef rcmd
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char rcmd ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_rcmd) || defined (__stub___rcmd)
+#if defined __stub_rcmd || defined __stub___rcmd
 choke me
-#else
-char (*f) () = rcmd;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != rcmd;
+return rcmd ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_rcmd=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_rcmd=no
+	ac_cv_func_rcmd=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_rcmd" >&5
-echo "${ECHO_T}$ac_cv_func_rcmd" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_rcmd" >&5
+echo "${ECHO_T}$ac_cv_func_rcmd" >&6; }
 if test $ac_cv_func_rcmd = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -35514,17 +34634,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "rcmd.$ac_objext"   | \
-  *" rcmd.$ac_objext"   | \
-    "rcmd.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" rcmd.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS rcmd.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS rcmd.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for readv" >&5
-echo $ECHO_N "checking for readv... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for readv" >&5
+echo $ECHO_N "checking for readv... $ECHO_C" >&6; }
 if test "${ac_cv_func_readv+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -35551,68 +34669,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef readv
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char readv ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_readv) || defined (__stub___readv)
+#if defined __stub_readv || defined __stub___readv
 choke me
-#else
-char (*f) () = readv;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != readv;
+return readv ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_readv=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_readv=no
+	ac_cv_func_readv=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_readv" >&5
-echo "${ECHO_T}$ac_cv_func_readv" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_readv" >&5
+echo "${ECHO_T}$ac_cv_func_readv" >&6; }
 if test $ac_cv_func_readv = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -35620,17 +34729,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "readv.$ac_objext"   | \
-  *" readv.$ac_objext"   | \
-    "readv.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" readv.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS readv.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS readv.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for recvmsg" >&5
-echo $ECHO_N "checking for recvmsg... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for recvmsg" >&5
+echo $ECHO_N "checking for recvmsg... $ECHO_C" >&6; }
 if test "${ac_cv_func_recvmsg+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -35657,68 +34764,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef recvmsg
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char recvmsg ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_recvmsg) || defined (__stub___recvmsg)
+#if defined __stub_recvmsg || defined __stub___recvmsg
 choke me
-#else
-char (*f) () = recvmsg;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != recvmsg;
+return recvmsg ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_recvmsg=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_recvmsg=no
+	ac_cv_func_recvmsg=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_recvmsg" >&5
-echo "${ECHO_T}$ac_cv_func_recvmsg" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_recvmsg" >&5
+echo "${ECHO_T}$ac_cv_func_recvmsg" >&6; }
 if test $ac_cv_func_recvmsg = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -35726,17 +34824,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "recvmsg.$ac_objext"   | \
-  *" recvmsg.$ac_objext"   | \
-    "recvmsg.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" recvmsg.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS recvmsg.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS recvmsg.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for sendmsg" >&5
-echo $ECHO_N "checking for sendmsg... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for sendmsg" >&5
+echo $ECHO_N "checking for sendmsg... $ECHO_C" >&6; }
 if test "${ac_cv_func_sendmsg+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -35763,68 +34859,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef sendmsg
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char sendmsg ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_sendmsg) || defined (__stub___sendmsg)
+#if defined __stub_sendmsg || defined __stub___sendmsg
 choke me
-#else
-char (*f) () = sendmsg;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != sendmsg;
+return sendmsg ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_sendmsg=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_sendmsg=no
+	ac_cv_func_sendmsg=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_sendmsg" >&5
-echo "${ECHO_T}$ac_cv_func_sendmsg" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_sendmsg" >&5
+echo "${ECHO_T}$ac_cv_func_sendmsg" >&6; }
 if test $ac_cv_func_sendmsg = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -35832,17 +34919,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "sendmsg.$ac_objext"   | \
-  *" sendmsg.$ac_objext"   | \
-    "sendmsg.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" sendmsg.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS sendmsg.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS sendmsg.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for setegid" >&5
-echo $ECHO_N "checking for setegid... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for setegid" >&5
+echo $ECHO_N "checking for setegid... $ECHO_C" >&6; }
 if test "${ac_cv_func_setegid+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -35869,68 +34954,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef setegid
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char setegid ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_setegid) || defined (__stub___setegid)
+#if defined __stub_setegid || defined __stub___setegid
 choke me
-#else
-char (*f) () = setegid;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != setegid;
+return setegid ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_setegid=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_setegid=no
+	ac_cv_func_setegid=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_setegid" >&5
-echo "${ECHO_T}$ac_cv_func_setegid" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_setegid" >&5
+echo "${ECHO_T}$ac_cv_func_setegid" >&6; }
 if test $ac_cv_func_setegid = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -35938,17 +35014,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "setegid.$ac_objext"   | \
-  *" setegid.$ac_objext"   | \
-    "setegid.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" setegid.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS setegid.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS setegid.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for setenv" >&5
-echo $ECHO_N "checking for setenv... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for setenv" >&5
+echo $ECHO_N "checking for setenv... $ECHO_C" >&6; }
 if test "${ac_cv_func_setenv+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -35975,68 +35049,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef setenv
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char setenv ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_setenv) || defined (__stub___setenv)
+#if defined __stub_setenv || defined __stub___setenv
 choke me
-#else
-char (*f) () = setenv;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != setenv;
+return setenv ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_setenv=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_setenv=no
+	ac_cv_func_setenv=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_setenv" >&5
-echo "${ECHO_T}$ac_cv_func_setenv" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_setenv" >&5
+echo "${ECHO_T}$ac_cv_func_setenv" >&6; }
 if test $ac_cv_func_setenv = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -36044,17 +35109,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "setenv.$ac_objext"   | \
-  *" setenv.$ac_objext"   | \
-    "setenv.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" setenv.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS setenv.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS setenv.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for seteuid" >&5
-echo $ECHO_N "checking for seteuid... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for seteuid" >&5
+echo $ECHO_N "checking for seteuid... $ECHO_C" >&6; }
 if test "${ac_cv_func_seteuid+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -36081,68 +35144,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef seteuid
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char seteuid ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_seteuid) || defined (__stub___seteuid)
+#if defined __stub_seteuid || defined __stub___seteuid
 choke me
-#else
-char (*f) () = seteuid;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != seteuid;
+return seteuid ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_seteuid=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_seteuid=no
+	ac_cv_func_seteuid=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_seteuid" >&5
-echo "${ECHO_T}$ac_cv_func_seteuid" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_seteuid" >&5
+echo "${ECHO_T}$ac_cv_func_seteuid" >&6; }
 if test $ac_cv_func_seteuid = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -36150,17 +35204,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "seteuid.$ac_objext"   | \
-  *" seteuid.$ac_objext"   | \
-    "seteuid.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" seteuid.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS seteuid.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS seteuid.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for strcasecmp" >&5
-echo $ECHO_N "checking for strcasecmp... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for strcasecmp" >&5
+echo $ECHO_N "checking for strcasecmp... $ECHO_C" >&6; }
 if test "${ac_cv_func_strcasecmp+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -36187,68 +35239,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef strcasecmp
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char strcasecmp ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_strcasecmp) || defined (__stub___strcasecmp)
+#if defined __stub_strcasecmp || defined __stub___strcasecmp
 choke me
-#else
-char (*f) () = strcasecmp;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != strcasecmp;
+return strcasecmp ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_strcasecmp=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_strcasecmp=no
+	ac_cv_func_strcasecmp=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strcasecmp" >&5
-echo "${ECHO_T}$ac_cv_func_strcasecmp" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strcasecmp" >&5
+echo "${ECHO_T}$ac_cv_func_strcasecmp" >&6; }
 if test $ac_cv_func_strcasecmp = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -36256,17 +35299,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "strcasecmp.$ac_objext"   | \
-  *" strcasecmp.$ac_objext"   | \
-    "strcasecmp.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" strcasecmp.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS strcasecmp.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS strcasecmp.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for strdup" >&5
-echo $ECHO_N "checking for strdup... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for strdup" >&5
+echo $ECHO_N "checking for strdup... $ECHO_C" >&6; }
 if test "${ac_cv_func_strdup+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -36293,68 +35334,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef strdup
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char strdup ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_strdup) || defined (__stub___strdup)
+#if defined __stub_strdup || defined __stub___strdup
 choke me
-#else
-char (*f) () = strdup;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != strdup;
+return strdup ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_strdup=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_strdup=no
+	ac_cv_func_strdup=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strdup" >&5
-echo "${ECHO_T}$ac_cv_func_strdup" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strdup" >&5
+echo "${ECHO_T}$ac_cv_func_strdup" >&6; }
 if test $ac_cv_func_strdup = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -36362,17 +35394,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "strdup.$ac_objext"   | \
-  *" strdup.$ac_objext"   | \
-    "strdup.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" strdup.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS strdup.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS strdup.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for strerror" >&5
-echo $ECHO_N "checking for strerror... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for strerror" >&5
+echo $ECHO_N "checking for strerror... $ECHO_C" >&6; }
 if test "${ac_cv_func_strerror+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -36399,68 +35429,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef strerror
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char strerror ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_strerror) || defined (__stub___strerror)
+#if defined __stub_strerror || defined __stub___strerror
 choke me
-#else
-char (*f) () = strerror;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != strerror;
+return strerror ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_strerror=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_strerror=no
+	ac_cv_func_strerror=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strerror" >&5
-echo "${ECHO_T}$ac_cv_func_strerror" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strerror" >&5
+echo "${ECHO_T}$ac_cv_func_strerror" >&6; }
 if test $ac_cv_func_strerror = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -36468,17 +35489,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "strerror.$ac_objext"   | \
-  *" strerror.$ac_objext"   | \
-    "strerror.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" strerror.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS strerror.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS strerror.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for strftime" >&5
-echo $ECHO_N "checking for strftime... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for strftime" >&5
+echo $ECHO_N "checking for strftime... $ECHO_C" >&6; }
 if test "${ac_cv_func_strftime+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -36505,68 +35524,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef strftime
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char strftime ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_strftime) || defined (__stub___strftime)
+#if defined __stub_strftime || defined __stub___strftime
 choke me
-#else
-char (*f) () = strftime;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != strftime;
+return strftime ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_strftime=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_strftime=no
+	ac_cv_func_strftime=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strftime" >&5
-echo "${ECHO_T}$ac_cv_func_strftime" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strftime" >&5
+echo "${ECHO_T}$ac_cv_func_strftime" >&6; }
 if test $ac_cv_func_strftime = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -36574,17 +35584,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "strftime.$ac_objext"   | \
-  *" strftime.$ac_objext"   | \
-    "strftime.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" strftime.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS strftime.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS strftime.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for strlcat" >&5
-echo $ECHO_N "checking for strlcat... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for strlcat" >&5
+echo $ECHO_N "checking for strlcat... $ECHO_C" >&6; }
 if test "${ac_cv_func_strlcat+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -36611,68 +35619,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef strlcat
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char strlcat ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_strlcat) || defined (__stub___strlcat)
+#if defined __stub_strlcat || defined __stub___strlcat
 choke me
-#else
-char (*f) () = strlcat;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != strlcat;
+return strlcat ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_strlcat=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_strlcat=no
+	ac_cv_func_strlcat=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strlcat" >&5
-echo "${ECHO_T}$ac_cv_func_strlcat" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strlcat" >&5
+echo "${ECHO_T}$ac_cv_func_strlcat" >&6; }
 if test $ac_cv_func_strlcat = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -36680,17 +35679,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "strlcat.$ac_objext"   | \
-  *" strlcat.$ac_objext"   | \
-    "strlcat.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" strlcat.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS strlcat.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS strlcat.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for strlcpy" >&5
-echo $ECHO_N "checking for strlcpy... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for strlcpy" >&5
+echo $ECHO_N "checking for strlcpy... $ECHO_C" >&6; }
 if test "${ac_cv_func_strlcpy+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -36717,68 +35714,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef strlcpy
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char strlcpy ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_strlcpy) || defined (__stub___strlcpy)
+#if defined __stub_strlcpy || defined __stub___strlcpy
 choke me
-#else
-char (*f) () = strlcpy;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != strlcpy;
+return strlcpy ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_strlcpy=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_strlcpy=no
+	ac_cv_func_strlcpy=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strlcpy" >&5
-echo "${ECHO_T}$ac_cv_func_strlcpy" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strlcpy" >&5
+echo "${ECHO_T}$ac_cv_func_strlcpy" >&6; }
 if test $ac_cv_func_strlcpy = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -36786,17 +35774,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "strlcpy.$ac_objext"   | \
-  *" strlcpy.$ac_objext"   | \
-    "strlcpy.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" strlcpy.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS strlcpy.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS strlcpy.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for strlwr" >&5
-echo $ECHO_N "checking for strlwr... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for strlwr" >&5
+echo $ECHO_N "checking for strlwr... $ECHO_C" >&6; }
 if test "${ac_cv_func_strlwr+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -36823,68 +35809,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef strlwr
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char strlwr ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_strlwr) || defined (__stub___strlwr)
+#if defined __stub_strlwr || defined __stub___strlwr
 choke me
-#else
-char (*f) () = strlwr;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != strlwr;
+return strlwr ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_strlwr=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_strlwr=no
+	ac_cv_func_strlwr=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strlwr" >&5
-echo "${ECHO_T}$ac_cv_func_strlwr" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strlwr" >&5
+echo "${ECHO_T}$ac_cv_func_strlwr" >&6; }
 if test $ac_cv_func_strlwr = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -36892,17 +35869,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "strlwr.$ac_objext"   | \
-  *" strlwr.$ac_objext"   | \
-    "strlwr.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" strlwr.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS strlwr.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS strlwr.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for strncasecmp" >&5
-echo $ECHO_N "checking for strncasecmp... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for strncasecmp" >&5
+echo $ECHO_N "checking for strncasecmp... $ECHO_C" >&6; }
 if test "${ac_cv_func_strncasecmp+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -36929,68 +35904,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef strncasecmp
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char strncasecmp ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_strncasecmp) || defined (__stub___strncasecmp)
+#if defined __stub_strncasecmp || defined __stub___strncasecmp
 choke me
-#else
-char (*f) () = strncasecmp;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != strncasecmp;
+return strncasecmp ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_strncasecmp=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_strncasecmp=no
+	ac_cv_func_strncasecmp=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strncasecmp" >&5
-echo "${ECHO_T}$ac_cv_func_strncasecmp" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strncasecmp" >&5
+echo "${ECHO_T}$ac_cv_func_strncasecmp" >&6; }
 if test $ac_cv_func_strncasecmp = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -36998,17 +35964,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "strncasecmp.$ac_objext"   | \
-  *" strncasecmp.$ac_objext"   | \
-    "strncasecmp.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" strncasecmp.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS strncasecmp.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS strncasecmp.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for strndup" >&5
-echo $ECHO_N "checking for strndup... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for strndup" >&5
+echo $ECHO_N "checking for strndup... $ECHO_C" >&6; }
 if test "${ac_cv_func_strndup+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -37035,68 +35999,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef strndup
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char strndup ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_strndup) || defined (__stub___strndup)
+#if defined __stub_strndup || defined __stub___strndup
 choke me
-#else
-char (*f) () = strndup;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != strndup;
+return strndup ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_strndup=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_strndup=no
+	ac_cv_func_strndup=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strndup" >&5
-echo "${ECHO_T}$ac_cv_func_strndup" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strndup" >&5
+echo "${ECHO_T}$ac_cv_func_strndup" >&6; }
 if test $ac_cv_func_strndup = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -37104,17 +36059,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "strndup.$ac_objext"   | \
-  *" strndup.$ac_objext"   | \
-    "strndup.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" strndup.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS strndup.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS strndup.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for strnlen" >&5
-echo $ECHO_N "checking for strnlen... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for strnlen" >&5
+echo $ECHO_N "checking for strnlen... $ECHO_C" >&6; }
 if test "${ac_cv_func_strnlen+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -37141,68 +36094,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef strnlen
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char strnlen ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_strnlen) || defined (__stub___strnlen)
+#if defined __stub_strnlen || defined __stub___strnlen
 choke me
-#else
-char (*f) () = strnlen;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != strnlen;
+return strnlen ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_strnlen=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_strnlen=no
+	ac_cv_func_strnlen=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strnlen" >&5
-echo "${ECHO_T}$ac_cv_func_strnlen" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strnlen" >&5
+echo "${ECHO_T}$ac_cv_func_strnlen" >&6; }
 if test $ac_cv_func_strnlen = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -37210,17 +36154,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "strnlen.$ac_objext"   | \
-  *" strnlen.$ac_objext"   | \
-    "strnlen.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" strnlen.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS strnlen.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS strnlen.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for strptime" >&5
-echo $ECHO_N "checking for strptime... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for strptime" >&5
+echo $ECHO_N "checking for strptime... $ECHO_C" >&6; }
 if test "${ac_cv_func_strptime+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -37247,68 +36189,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef strptime
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char strptime ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_strptime) || defined (__stub___strptime)
+#if defined __stub_strptime || defined __stub___strptime
 choke me
-#else
-char (*f) () = strptime;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != strptime;
+return strptime ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_strptime=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_strptime=no
+	ac_cv_func_strptime=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strptime" >&5
-echo "${ECHO_T}$ac_cv_func_strptime" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strptime" >&5
+echo "${ECHO_T}$ac_cv_func_strptime" >&6; }
 if test $ac_cv_func_strptime = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -37316,17 +36249,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "strptime.$ac_objext"   | \
-  *" strptime.$ac_objext"   | \
-    "strptime.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" strptime.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS strptime.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS strptime.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for strsep" >&5
-echo $ECHO_N "checking for strsep... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for strsep" >&5
+echo $ECHO_N "checking for strsep... $ECHO_C" >&6; }
 if test "${ac_cv_func_strsep+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -37353,68 +36284,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef strsep
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char strsep ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_strsep) || defined (__stub___strsep)
+#if defined __stub_strsep || defined __stub___strsep
 choke me
-#else
-char (*f) () = strsep;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != strsep;
+return strsep ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_strsep=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_strsep=no
+	ac_cv_func_strsep=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strsep" >&5
-echo "${ECHO_T}$ac_cv_func_strsep" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strsep" >&5
+echo "${ECHO_T}$ac_cv_func_strsep" >&6; }
 if test $ac_cv_func_strsep = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -37422,17 +36344,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "strsep.$ac_objext"   | \
-  *" strsep.$ac_objext"   | \
-    "strsep.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" strsep.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS strsep.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS strsep.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for strsep_copy" >&5
-echo $ECHO_N "checking for strsep_copy... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for strsep_copy" >&5
+echo $ECHO_N "checking for strsep_copy... $ECHO_C" >&6; }
 if test "${ac_cv_func_strsep_copy+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -37459,68 +36379,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef strsep_copy
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char strsep_copy ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_strsep_copy) || defined (__stub___strsep_copy)
+#if defined __stub_strsep_copy || defined __stub___strsep_copy
 choke me
-#else
-char (*f) () = strsep_copy;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != strsep_copy;
+return strsep_copy ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_strsep_copy=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_strsep_copy=no
+	ac_cv_func_strsep_copy=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strsep_copy" >&5
-echo "${ECHO_T}$ac_cv_func_strsep_copy" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strsep_copy" >&5
+echo "${ECHO_T}$ac_cv_func_strsep_copy" >&6; }
 if test $ac_cv_func_strsep_copy = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -37528,17 +36439,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "strsep_copy.$ac_objext"   | \
-  *" strsep_copy.$ac_objext"   | \
-    "strsep_copy.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" strsep_copy.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS strsep_copy.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS strsep_copy.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for strtok_r" >&5
-echo $ECHO_N "checking for strtok_r... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for strtok_r" >&5
+echo $ECHO_N "checking for strtok_r... $ECHO_C" >&6; }
 if test "${ac_cv_func_strtok_r+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -37565,68 +36474,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef strtok_r
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char strtok_r ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_strtok_r) || defined (__stub___strtok_r)
+#if defined __stub_strtok_r || defined __stub___strtok_r
 choke me
-#else
-char (*f) () = strtok_r;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != strtok_r;
+return strtok_r ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_strtok_r=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_strtok_r=no
+	ac_cv_func_strtok_r=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strtok_r" >&5
-echo "${ECHO_T}$ac_cv_func_strtok_r" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strtok_r" >&5
+echo "${ECHO_T}$ac_cv_func_strtok_r" >&6; }
 if test $ac_cv_func_strtok_r = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -37634,17 +36534,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "strtok_r.$ac_objext"   | \
-  *" strtok_r.$ac_objext"   | \
-    "strtok_r.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" strtok_r.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS strtok_r.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS strtok_r.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for strupr" >&5
-echo $ECHO_N "checking for strupr... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for strupr" >&5
+echo $ECHO_N "checking for strupr... $ECHO_C" >&6; }
 if test "${ac_cv_func_strupr+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -37671,68 +36569,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef strupr
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char strupr ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_strupr) || defined (__stub___strupr)
+#if defined __stub_strupr || defined __stub___strupr
 choke me
-#else
-char (*f) () = strupr;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != strupr;
+return strupr ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_strupr=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_strupr=no
+	ac_cv_func_strupr=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strupr" >&5
-echo "${ECHO_T}$ac_cv_func_strupr" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strupr" >&5
+echo "${ECHO_T}$ac_cv_func_strupr" >&6; }
 if test $ac_cv_func_strupr = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -37740,17 +36629,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "strupr.$ac_objext"   | \
-  *" strupr.$ac_objext"   | \
-    "strupr.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" strupr.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS strupr.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS strupr.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for swab" >&5
-echo $ECHO_N "checking for swab... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for swab" >&5
+echo $ECHO_N "checking for swab... $ECHO_C" >&6; }
 if test "${ac_cv_func_swab+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -37777,68 +36664,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef swab
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char swab ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_swab) || defined (__stub___swab)
+#if defined __stub_swab || defined __stub___swab
 choke me
-#else
-char (*f) () = swab;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != swab;
+return swab ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_swab=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_swab=no
+	ac_cv_func_swab=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_swab" >&5
-echo "${ECHO_T}$ac_cv_func_swab" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_swab" >&5
+echo "${ECHO_T}$ac_cv_func_swab" >&6; }
 if test $ac_cv_func_swab = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -37846,17 +36724,110 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "swab.$ac_objext"   | \
-  *" swab.$ac_objext"   | \
-    "swab.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" swab.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS swab.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS swab.$ac_objext"
+ ;;
+esac
+
+fi
+{ echo "$as_me:$LINENO: checking for timegm" >&5
+echo $ECHO_N "checking for timegm... $ECHO_C" >&6; }
+if test "${ac_cv_func_timegm+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define timegm to an innocuous variant, in case <limits.h> declares timegm.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define timegm innocuous_timegm
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char timegm (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef timegm
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char timegm ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_timegm || defined __stub___timegm
+choke me
+#endif
+
+int
+main ()
+{
+return timegm ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_func_timegm=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_func_timegm=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_func_timegm" >&5
+echo "${ECHO_T}$ac_cv_func_timegm" >&6; }
+if test $ac_cv_func_timegm = yes; then
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_TIMEGM 1
+_ACEOF
+
+else
+  case " $LIBOBJS " in
+  *" timegm.$ac_objext "* ) ;;
+  *) LIBOBJS="$LIBOBJS timegm.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for unsetenv" >&5
-echo $ECHO_N "checking for unsetenv... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for unsetenv" >&5
+echo $ECHO_N "checking for unsetenv... $ECHO_C" >&6; }
 if test "${ac_cv_func_unsetenv+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -37883,68 +36854,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef unsetenv
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char unsetenv ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_unsetenv) || defined (__stub___unsetenv)
+#if defined __stub_unsetenv || defined __stub___unsetenv
 choke me
-#else
-char (*f) () = unsetenv;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != unsetenv;
+return unsetenv ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_unsetenv=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_unsetenv=no
+	ac_cv_func_unsetenv=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_unsetenv" >&5
-echo "${ECHO_T}$ac_cv_func_unsetenv" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_unsetenv" >&5
+echo "${ECHO_T}$ac_cv_func_unsetenv" >&6; }
 if test $ac_cv_func_unsetenv = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -37952,17 +36914,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "unsetenv.$ac_objext"   | \
-  *" unsetenv.$ac_objext"   | \
-    "unsetenv.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" unsetenv.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS unsetenv.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS unsetenv.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for verr" >&5
-echo $ECHO_N "checking for verr... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for verr" >&5
+echo $ECHO_N "checking for verr... $ECHO_C" >&6; }
 if test "${ac_cv_func_verr+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -37989,68 +36949,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef verr
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char verr ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_verr) || defined (__stub___verr)
+#if defined __stub_verr || defined __stub___verr
 choke me
-#else
-char (*f) () = verr;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != verr;
+return verr ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_verr=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_verr=no
+	ac_cv_func_verr=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_verr" >&5
-echo "${ECHO_T}$ac_cv_func_verr" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_verr" >&5
+echo "${ECHO_T}$ac_cv_func_verr" >&6; }
 if test $ac_cv_func_verr = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -38058,17 +37009,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "verr.$ac_objext"   | \
-  *" verr.$ac_objext"   | \
-    "verr.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" verr.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS verr.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS verr.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for verrx" >&5
-echo $ECHO_N "checking for verrx... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for verrx" >&5
+echo $ECHO_N "checking for verrx... $ECHO_C" >&6; }
 if test "${ac_cv_func_verrx+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -38095,68 +37044,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef verrx
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char verrx ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_verrx) || defined (__stub___verrx)
+#if defined __stub_verrx || defined __stub___verrx
 choke me
-#else
-char (*f) () = verrx;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != verrx;
+return verrx ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_verrx=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_verrx=no
+	ac_cv_func_verrx=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_verrx" >&5
-echo "${ECHO_T}$ac_cv_func_verrx" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_verrx" >&5
+echo "${ECHO_T}$ac_cv_func_verrx" >&6; }
 if test $ac_cv_func_verrx = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -38164,17 +37104,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "verrx.$ac_objext"   | \
-  *" verrx.$ac_objext"   | \
-    "verrx.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" verrx.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS verrx.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS verrx.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for vsyslog" >&5
-echo $ECHO_N "checking for vsyslog... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for vsyslog" >&5
+echo $ECHO_N "checking for vsyslog... $ECHO_C" >&6; }
 if test "${ac_cv_func_vsyslog+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -38201,68 +37139,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef vsyslog
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char vsyslog ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_vsyslog) || defined (__stub___vsyslog)
+#if defined __stub_vsyslog || defined __stub___vsyslog
 choke me
-#else
-char (*f) () = vsyslog;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != vsyslog;
+return vsyslog ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_vsyslog=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_vsyslog=no
+	ac_cv_func_vsyslog=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_vsyslog" >&5
-echo "${ECHO_T}$ac_cv_func_vsyslog" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_vsyslog" >&5
+echo "${ECHO_T}$ac_cv_func_vsyslog" >&6; }
 if test $ac_cv_func_vsyslog = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -38270,17 +37199,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "vsyslog.$ac_objext"   | \
-  *" vsyslog.$ac_objext"   | \
-    "vsyslog.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" vsyslog.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS vsyslog.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS vsyslog.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for vwarn" >&5
-echo $ECHO_N "checking for vwarn... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for vwarn" >&5
+echo $ECHO_N "checking for vwarn... $ECHO_C" >&6; }
 if test "${ac_cv_func_vwarn+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -38307,68 +37234,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef vwarn
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char vwarn ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_vwarn) || defined (__stub___vwarn)
+#if defined __stub_vwarn || defined __stub___vwarn
 choke me
-#else
-char (*f) () = vwarn;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != vwarn;
+return vwarn ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_vwarn=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_vwarn=no
+	ac_cv_func_vwarn=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_vwarn" >&5
-echo "${ECHO_T}$ac_cv_func_vwarn" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_vwarn" >&5
+echo "${ECHO_T}$ac_cv_func_vwarn" >&6; }
 if test $ac_cv_func_vwarn = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -38376,17 +37294,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "vwarn.$ac_objext"   | \
-  *" vwarn.$ac_objext"   | \
-    "vwarn.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" vwarn.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS vwarn.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS vwarn.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for vwarnx" >&5
-echo $ECHO_N "checking for vwarnx... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for vwarnx" >&5
+echo $ECHO_N "checking for vwarnx... $ECHO_C" >&6; }
 if test "${ac_cv_func_vwarnx+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -38413,68 +37329,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef vwarnx
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char vwarnx ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_vwarnx) || defined (__stub___vwarnx)
+#if defined __stub_vwarnx || defined __stub___vwarnx
 choke me
-#else
-char (*f) () = vwarnx;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != vwarnx;
+return vwarnx ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_vwarnx=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_vwarnx=no
+	ac_cv_func_vwarnx=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_vwarnx" >&5
-echo "${ECHO_T}$ac_cv_func_vwarnx" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_vwarnx" >&5
+echo "${ECHO_T}$ac_cv_func_vwarnx" >&6; }
 if test $ac_cv_func_vwarnx = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -38482,17 +37389,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "vwarnx.$ac_objext"   | \
-  *" vwarnx.$ac_objext"   | \
-    "vwarnx.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" vwarnx.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS vwarnx.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS vwarnx.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for warn" >&5
-echo $ECHO_N "checking for warn... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for warn" >&5
+echo $ECHO_N "checking for warn... $ECHO_C" >&6; }
 if test "${ac_cv_func_warn+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -38519,68 +37424,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef warn
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char warn ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_warn) || defined (__stub___warn)
+#if defined __stub_warn || defined __stub___warn
 choke me
-#else
-char (*f) () = warn;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != warn;
+return warn ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_warn=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_warn=no
+	ac_cv_func_warn=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_warn" >&5
-echo "${ECHO_T}$ac_cv_func_warn" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_warn" >&5
+echo "${ECHO_T}$ac_cv_func_warn" >&6; }
 if test $ac_cv_func_warn = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -38588,17 +37484,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "warn.$ac_objext"   | \
-  *" warn.$ac_objext"   | \
-    "warn.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" warn.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS warn.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS warn.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for warnx" >&5
-echo $ECHO_N "checking for warnx... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for warnx" >&5
+echo $ECHO_N "checking for warnx... $ECHO_C" >&6; }
 if test "${ac_cv_func_warnx+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -38625,68 +37519,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef warnx
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char warnx ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_warnx) || defined (__stub___warnx)
+#if defined __stub_warnx || defined __stub___warnx
 choke me
-#else
-char (*f) () = warnx;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != warnx;
+return warnx ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_warnx=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_warnx=no
+	ac_cv_func_warnx=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_warnx" >&5
-echo "${ECHO_T}$ac_cv_func_warnx" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_warnx" >&5
+echo "${ECHO_T}$ac_cv_func_warnx" >&6; }
 if test $ac_cv_func_warnx = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -38694,17 +37579,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "warnx.$ac_objext"   | \
-  *" warnx.$ac_objext"   | \
-    "warnx.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" warnx.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS warnx.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS warnx.$ac_objext"
+ ;;
 esac
 
 fi
-echo "$as_me:$LINENO: checking for writev" >&5
-echo $ECHO_N "checking for writev... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for writev" >&5
+echo $ECHO_N "checking for writev... $ECHO_C" >&6; }
 if test "${ac_cv_func_writev+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -38731,68 +37614,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef writev
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char writev ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_writev) || defined (__stub___writev)
+#if defined __stub_writev || defined __stub___writev
 choke me
-#else
-char (*f) () = writev;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != writev;
+return writev ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_writev=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_writev=no
+	ac_cv_func_writev=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_writev" >&5
-echo "${ECHO_T}$ac_cv_func_writev" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_writev" >&5
+echo "${ECHO_T}$ac_cv_func_writev" >&6; }
 if test $ac_cv_func_writev = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -38800,21 +37674,28 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 else
-  case $LIBOBJS in
-    "writev.$ac_objext"   | \
-  *" writev.$ac_objext"   | \
-    "writev.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" writev.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS writev.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS writev.$ac_objext"
+ ;;
 esac
 
 fi
 
 
+ if test "$ac_cv_header_fnmatch_h" = yes -a "$ac_cv_func_fnmatch" = yes; then
+  have_fnmatch_h_TRUE=
+  have_fnmatch_h_FALSE='#'
+else
+  have_fnmatch_h_TRUE='#'
+  have_fnmatch_h_FALSE=
+fi
+
+
 
 if test "$ac_cv_func_strndup+set" != set -o "$ac_cv_func_strndup" = yes; then
-echo "$as_me:$LINENO: checking if strndup needs a prototype" >&5
-echo $ECHO_N "checking if strndup needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if strndup needs a prototype" >&5
+echo $ECHO_N "checking if strndup needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_strndup_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -38825,50 +37706,45 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <string.h>
+struct foo { int foo; } xx;
+extern int strndup (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int strndup (struct foo*);
-strndup(&xx);
-
+strndup(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_strndup_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_strndup_noproto=no"
+	eval "ac_cv_func_strndup_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strndup_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_strndup_noproto" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strndup_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_strndup_noproto" >&6; }
 if test "$ac_cv_func_strndup_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -38879,8 +37755,8 @@ fi
 fi
 
 if test "$ac_cv_func_strsep+set" != set -o "$ac_cv_func_strsep" = yes; then
-echo "$as_me:$LINENO: checking if strsep needs a prototype" >&5
-echo $ECHO_N "checking if strsep needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if strsep needs a prototype" >&5
+echo $ECHO_N "checking if strsep needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_strsep_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -38891,50 +37767,45 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <string.h>
+struct foo { int foo; } xx;
+extern int strsep (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int strsep (struct foo*);
-strsep(&xx);
-
+strsep(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_strsep_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_strsep_noproto=no"
+	eval "ac_cv_func_strsep_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strsep_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_strsep_noproto" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strsep_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_strsep_noproto" >&6; }
 if test "$ac_cv_func_strsep_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -38945,8 +37816,8 @@ fi
 fi
 
 if test "$ac_cv_func_strtok_r+set" != set -o "$ac_cv_func_strtok_r" = yes; then
-echo "$as_me:$LINENO: checking if strtok_r needs a prototype" >&5
-echo $ECHO_N "checking if strtok_r needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if strtok_r needs a prototype" >&5
+echo $ECHO_N "checking if strtok_r needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_strtok_r_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -38957,50 +37828,45 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <string.h>
+struct foo { int foo; } xx;
+extern int strtok_r (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int strtok_r (struct foo*);
-strtok_r(&xx);
-
+strtok_r(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_strtok_r_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_strtok_r_noproto=no"
+	eval "ac_cv_func_strtok_r_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strtok_r_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_strtok_r_noproto" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strtok_r_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_strtok_r_noproto" >&6; }
 if test "$ac_cv_func_strtok_r_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -39013,8 +37879,8 @@ fi
 
 
 if test "$ac_cv_func_strsvis+set" != set -o "$ac_cv_func_strsvis" = yes; then
-echo "$as_me:$LINENO: checking if strsvis needs a prototype" >&5
-echo $ECHO_N "checking if strsvis needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if strsvis needs a prototype" >&5
+echo $ECHO_N "checking if strsvis needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_strsvis_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -39027,50 +37893,45 @@ cat >>conftest.$ac_ext <<_ACEOF
 #ifdef HAVE_VIS_H
 #include <vis.h>
 #endif
+struct foo { int foo; } xx;
+extern int strsvis (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int strsvis (struct foo*);
-strsvis(&xx);
-
+strsvis(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_strsvis_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_strsvis_noproto=no"
+	eval "ac_cv_func_strsvis_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strsvis_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_strsvis_noproto" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strsvis_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_strsvis_noproto" >&6; }
 if test "$ac_cv_func_strsvis_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -39081,8 +37942,8 @@ fi
 fi
 
 if test "$ac_cv_func_strunvis+set" != set -o "$ac_cv_func_strunvis" = yes; then
-echo "$as_me:$LINENO: checking if strunvis needs a prototype" >&5
-echo $ECHO_N "checking if strunvis needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if strunvis needs a prototype" >&5
+echo $ECHO_N "checking if strunvis needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_strunvis_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -39095,50 +37956,45 @@ cat >>conftest.$ac_ext <<_ACEOF
 #ifdef HAVE_VIS_H
 #include <vis.h>
 #endif
+struct foo { int foo; } xx;
+extern int strunvis (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int strunvis (struct foo*);
-strunvis(&xx);
-
+strunvis(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_strunvis_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_strunvis_noproto=no"
+	eval "ac_cv_func_strunvis_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strunvis_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_strunvis_noproto" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strunvis_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_strunvis_noproto" >&6; }
 if test "$ac_cv_func_strunvis_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -39149,8 +38005,8 @@ fi
 fi
 
 if test "$ac_cv_func_strvis+set" != set -o "$ac_cv_func_strvis" = yes; then
-echo "$as_me:$LINENO: checking if strvis needs a prototype" >&5
-echo $ECHO_N "checking if strvis needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if strvis needs a prototype" >&5
+echo $ECHO_N "checking if strvis needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_strvis_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -39163,50 +38019,45 @@ cat >>conftest.$ac_ext <<_ACEOF
 #ifdef HAVE_VIS_H
 #include <vis.h>
 #endif
+struct foo { int foo; } xx;
+extern int strvis (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int strvis (struct foo*);
-strvis(&xx);
-
+strvis(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_strvis_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_strvis_noproto=no"
+	eval "ac_cv_func_strvis_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strvis_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_strvis_noproto" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strvis_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_strvis_noproto" >&6; }
 if test "$ac_cv_func_strvis_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -39217,8 +38068,8 @@ fi
 fi
 
 if test "$ac_cv_func_strvisx+set" != set -o "$ac_cv_func_strvisx" = yes; then
-echo "$as_me:$LINENO: checking if strvisx needs a prototype" >&5
-echo $ECHO_N "checking if strvisx needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if strvisx needs a prototype" >&5
+echo $ECHO_N "checking if strvisx needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_strvisx_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -39231,50 +38082,45 @@ cat >>conftest.$ac_ext <<_ACEOF
 #ifdef HAVE_VIS_H
 #include <vis.h>
 #endif
+struct foo { int foo; } xx;
+extern int strvisx (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int strvisx (struct foo*);
-strvisx(&xx);
-
+strvisx(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_strvisx_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_strvisx_noproto=no"
+	eval "ac_cv_func_strvisx_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strvisx_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_strvisx_noproto" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strvisx_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_strvisx_noproto" >&6; }
 if test "$ac_cv_func_strvisx_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -39285,8 +38131,8 @@ fi
 fi
 
 if test "$ac_cv_func_svis+set" != set -o "$ac_cv_func_svis" = yes; then
-echo "$as_me:$LINENO: checking if svis needs a prototype" >&5
-echo $ECHO_N "checking if svis needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if svis needs a prototype" >&5
+echo $ECHO_N "checking if svis needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_svis_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -39299,50 +38145,45 @@ cat >>conftest.$ac_ext <<_ACEOF
 #ifdef HAVE_VIS_H
 #include <vis.h>
 #endif
+struct foo { int foo; } xx;
+extern int svis (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int svis (struct foo*);
-svis(&xx);
-
+svis(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_svis_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_svis_noproto=no"
+	eval "ac_cv_func_svis_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_svis_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_svis_noproto" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_svis_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_svis_noproto" >&6; }
 if test "$ac_cv_func_svis_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -39353,8 +38194,8 @@ fi
 fi
 
 if test "$ac_cv_func_unvis+set" != set -o "$ac_cv_func_unvis" = yes; then
-echo "$as_me:$LINENO: checking if unvis needs a prototype" >&5
-echo $ECHO_N "checking if unvis needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if unvis needs a prototype" >&5
+echo $ECHO_N "checking if unvis needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_unvis_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -39367,50 +38208,45 @@ cat >>conftest.$ac_ext <<_ACEOF
 #ifdef HAVE_VIS_H
 #include <vis.h>
 #endif
+struct foo { int foo; } xx;
+extern int unvis (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int unvis (struct foo*);
-unvis(&xx);
-
+unvis(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_unvis_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_unvis_noproto=no"
+	eval "ac_cv_func_unvis_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_unvis_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_unvis_noproto" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_unvis_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_unvis_noproto" >&6; }
 if test "$ac_cv_func_unvis_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -39421,8 +38257,8 @@ fi
 fi
 
 if test "$ac_cv_func_vis+set" != set -o "$ac_cv_func_vis" = yes; then
-echo "$as_me:$LINENO: checking if vis needs a prototype" >&5
-echo $ECHO_N "checking if vis needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if vis needs a prototype" >&5
+echo $ECHO_N "checking if vis needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_vis_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -39435,50 +38271,45 @@ cat >>conftest.$ac_ext <<_ACEOF
 #ifdef HAVE_VIS_H
 #include <vis.h>
 #endif
+struct foo { int foo; } xx;
+extern int vis (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int vis (struct foo*);
-vis(&xx);
-
+vis(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_vis_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_vis_noproto=no"
+	eval "ac_cv_func_vis_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_vis_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_vis_noproto" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_vis_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_vis_noproto" >&6; }
 if test "$ac_cv_func_vis_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -39489,8 +38320,8 @@ fi
 fi
 
 
-echo "$as_me:$LINENO: checking for inet_aton" >&5
-echo $ECHO_N "checking for inet_aton... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for inet_aton" >&5
+echo $ECHO_N "checking for inet_aton... $ECHO_C" >&6; }
 if test "${ac_cv_func_inet_aton+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -39522,7 +38353,7 @@ main ()
 #if defined (__stub_inet_aton) || defined (__stub___inet_aton)
 choke me
 #else
-inet_aton(0,0)
+inet_aton(0,0);
 #endif
 
   ;
@@ -39530,35 +38361,32 @@ inet_aton(0,0)
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "ac_cv_func_inet_aton=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_inet_aton=no"
+	eval "ac_cv_func_inet_aton=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
 
@@ -39568,23 +38396,21 @@ cat >>confdefs.h <<_ACEOF
 #define HAVE_INET_ATON 1
 _ACEOF
 
-  echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-  case $LIBOBJS in
-    "inet_aton.$ac_objext"   | \
-  *" inet_aton.$ac_objext"   | \
-    "inet_aton.$ac_objext "* | \
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+  case " $LIBOBJS " in
   *" inet_aton.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS inet_aton.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS inet_aton.$ac_objext"
+ ;;
 esac
 
 fi
 
-echo "$as_me:$LINENO: checking for inet_ntop" >&5
-echo $ECHO_N "checking for inet_ntop... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for inet_ntop" >&5
+echo $ECHO_N "checking for inet_ntop... $ECHO_C" >&6; }
 if test "${ac_cv_func_inet_ntop+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -39616,7 +38442,7 @@ main ()
 #if defined (__stub_inet_ntop) || defined (__stub___inet_ntop)
 choke me
 #else
-inet_ntop(0, 0, 0, 0)
+inet_ntop(0, 0, 0, 0);
 #endif
 
   ;
@@ -39624,35 +38450,32 @@ inet_ntop(0, 0, 0, 0)
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "ac_cv_func_inet_ntop=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_inet_ntop=no"
+	eval "ac_cv_func_inet_ntop=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
 
@@ -39662,23 +38485,21 @@ cat >>confdefs.h <<_ACEOF
 #define HAVE_INET_NTOP 1
 _ACEOF
 
-  echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-  case $LIBOBJS in
-    "inet_ntop.$ac_objext"   | \
-  *" inet_ntop.$ac_objext"   | \
-    "inet_ntop.$ac_objext "* | \
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+  case " $LIBOBJS " in
   *" inet_ntop.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS inet_ntop.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS inet_ntop.$ac_objext"
+ ;;
 esac
 
 fi
 
-echo "$as_me:$LINENO: checking for inet_pton" >&5
-echo $ECHO_N "checking for inet_pton... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for inet_pton" >&5
+echo $ECHO_N "checking for inet_pton... $ECHO_C" >&6; }
 if test "${ac_cv_func_inet_pton+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -39710,7 +38531,7 @@ main ()
 #if defined (__stub_inet_pton) || defined (__stub___inet_pton)
 choke me
 #else
-inet_pton(0,0,0)
+inet_pton(0,0,0);
 #endif
 
   ;
@@ -39718,35 +38539,32 @@ inet_pton(0,0,0)
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "ac_cv_func_inet_pton=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_inet_pton=no"
+	eval "ac_cv_func_inet_pton=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
 
@@ -39756,25 +38574,23 @@ cat >>confdefs.h <<_ACEOF
 #define HAVE_INET_PTON 1
 _ACEOF
 
-  echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-  case $LIBOBJS in
-    "inet_pton.$ac_objext"   | \
-  *" inet_pton.$ac_objext"   | \
-    "inet_pton.$ac_objext "* | \
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+  case " $LIBOBJS " in
   *" inet_pton.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS inet_pton.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS inet_pton.$ac_objext"
+ ;;
 esac
 
 fi
 
 
 
-echo "$as_me:$LINENO: checking for sa_len in struct sockaddr" >&5
-echo $ECHO_N "checking for sa_len in struct sockaddr... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for sa_len in struct sockaddr" >&5
+echo $ECHO_N "checking for sa_len in struct sockaddr... $ECHO_C" >&6; }
 if test "${ac_cv_type_struct_sockaddr_sa_len+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -39790,44 +38606,41 @@ cat >>conftest.$ac_ext <<_ACEOF
 int
 main ()
 {
-struct sockaddr x; x.sa_len;
+struct sockaddr x; memset(&x, 0, sizeof(x)); x.sa_len
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_struct_sockaddr_sa_len=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_struct_sockaddr_sa_len=no
+	ac_cv_type_struct_sockaddr_sa_len=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_struct_sockaddr_sa_len" >&5
-echo "${ECHO_T}$ac_cv_type_struct_sockaddr_sa_len" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_struct_sockaddr_sa_len" >&5
+echo "${ECHO_T}$ac_cv_type_struct_sockaddr_sa_len" >&6; }
 if test "$ac_cv_type_struct_sockaddr_sa_len" = yes; then
 
 
@@ -39840,90 +38653,10 @@ fi
 
 
 
-if test "$ac_cv_func_getnameinfo" = "yes"; then
-
-echo "$as_me:$LINENO: checking if getnameinfo is broken" >&5
-echo $ECHO_N "checking if getnameinfo is broken... $ECHO_C" >&6
-if test "${ac_cv_func_getnameinfo_broken+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot run test program while cross compiling
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netdb.h>
-
-int
-main(int argc, char **argv)
-{
-  struct sockaddr_in sin;
-  char host[256];
-  memset(&sin, 0, sizeof(sin));
-#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
-  sin.sin_len = sizeof(sin);
-#endif
-  sin.sin_family = AF_INET;
-  sin.sin_addr.s_addr = 0xffffffff;
-  sin.sin_port = 0;
-  return getnameinfo((struct sockaddr*)&sin, sizeof(sin), host, sizeof(host),
-	      NULL, 0, 0);
-}
-
-_ACEOF
-rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_func_getnameinfo_broken=no
-else
-  echo "$as_me: program exited with status $ac_status" >&5
-echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-( exit $ac_status )
-ac_cv_func_getnameinfo_broken=yes
-fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
-fi
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getnameinfo_broken" >&5
-echo "${ECHO_T}$ac_cv_func_getnameinfo_broken" >&6
-  if test "$ac_cv_func_getnameinfo_broken" = yes; then
-	case $LIBOBJS in
-    "getnameinfo.$ac_objext"   | \
-  *" getnameinfo.$ac_objext"   | \
-    "getnameinfo.$ac_objext "* | \
-  *" getnameinfo.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS getnameinfo.$ac_objext" ;;
-esac
-
-  fi
-fi
-
 if test "$ac_cv_func_getaddrinfo" = "yes"; then
 
-echo "$as_me:$LINENO: checking if getaddrinfo handles numeric services" >&5
-echo $ECHO_N "checking if getaddrinfo handles numeric services... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if getaddrinfo handles numeric services" >&5
+echo $ECHO_N "checking if getaddrinfo handles numeric services... $ECHO_C" >&6; }
 if test "${ac_cv_func_getaddrinfo_numserv+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -39955,18 +38688,29 @@ main(int argc, char **argv)
 	hints.ai_family = PF_UNSPEC;
 	if(getaddrinfo(NULL, "17", &hints, &ai) != 0)
 		return 1;
+	if(getaddrinfo(NULL, "0", &hints, &ai) != 0)
+		return 1;
 	return 0;
 }
 
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
@@ -39979,26 +38723,24 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ( exit $ac_status )
 ac_cv_func_getaddrinfo_numserv=no
 fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
+
+
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getaddrinfo_numserv" >&5
-echo "${ECHO_T}$ac_cv_func_getaddrinfo_numserv" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_getaddrinfo_numserv" >&5
+echo "${ECHO_T}$ac_cv_func_getaddrinfo_numserv" >&6; }
   if test "$ac_cv_func_getaddrinfo_numserv" = no; then
-	case $LIBOBJS in
-    "getaddrinfo.$ac_objext"   | \
-  *" getaddrinfo.$ac_objext"   | \
-    "getaddrinfo.$ac_objext "* | \
+	case " $LIBOBJS " in
   *" getaddrinfo.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS getaddrinfo.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS getaddrinfo.$ac_objext"
+ ;;
 esac
 
-	case $LIBOBJS in
-    "freeaddrinfo.$ac_objext"   | \
-  *" freeaddrinfo.$ac_objext"   | \
-    "freeaddrinfo.$ac_objext "* | \
+	case " $LIBOBJS " in
   *" freeaddrinfo.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS freeaddrinfo.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS freeaddrinfo.$ac_objext"
+ ;;
 esac
 
   fi
@@ -40006,8 +38748,8 @@ fi
 
 
 if test "$ac_cv_func_setenv+set" != set -o "$ac_cv_func_setenv" = yes; then
-echo "$as_me:$LINENO: checking if setenv needs a prototype" >&5
-echo $ECHO_N "checking if setenv needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if setenv needs a prototype" >&5
+echo $ECHO_N "checking if setenv needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_setenv_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -40018,50 +38760,45 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <stdlib.h>
+struct foo { int foo; } xx;
+extern int setenv (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int setenv (struct foo*);
-setenv(&xx);
-
+setenv(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_setenv_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_setenv_noproto=no"
+	eval "ac_cv_func_setenv_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_setenv_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_setenv_noproto" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_setenv_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_setenv_noproto" >&6; }
 if test "$ac_cv_func_setenv_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -40073,8 +38810,8 @@ fi
 
 
 if test "$ac_cv_func_unsetenv+set" != set -o "$ac_cv_func_unsetenv" = yes; then
-echo "$as_me:$LINENO: checking if unsetenv needs a prototype" >&5
-echo $ECHO_N "checking if unsetenv needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if unsetenv needs a prototype" >&5
+echo $ECHO_N "checking if unsetenv needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_unsetenv_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -40085,50 +38822,45 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <stdlib.h>
+struct foo { int foo; } xx;
+extern int unsetenv (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int unsetenv (struct foo*);
-unsetenv(&xx);
-
+unsetenv(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_unsetenv_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_unsetenv_noproto=no"
+	eval "ac_cv_func_unsetenv_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_unsetenv_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_unsetenv_noproto" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_unsetenv_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_unsetenv_noproto" >&6; }
 if test "$ac_cv_func_unsetenv_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -40140,8 +38872,8 @@ fi
 
 
 if test "$ac_cv_func_gethostname+set" != set -o "$ac_cv_func_gethostname" = yes; then
-echo "$as_me:$LINENO: checking if gethostname needs a prototype" >&5
-echo $ECHO_N "checking if gethostname needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if gethostname needs a prototype" >&5
+echo $ECHO_N "checking if gethostname needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_gethostname_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -40152,50 +38884,45 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <unistd.h>
+struct foo { int foo; } xx;
+extern int gethostname (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int gethostname (struct foo*);
-gethostname(&xx);
-
+gethostname(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_gethostname_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_gethostname_noproto=no"
+	eval "ac_cv_func_gethostname_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_gethostname_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_gethostname_noproto" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_gethostname_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_gethostname_noproto" >&6; }
 if test "$ac_cv_func_gethostname_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -40207,8 +38934,8 @@ fi
 
 
 if test "$ac_cv_func_mkstemp+set" != set -o "$ac_cv_func_mkstemp" = yes; then
-echo "$as_me:$LINENO: checking if mkstemp needs a prototype" >&5
-echo $ECHO_N "checking if mkstemp needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if mkstemp needs a prototype" >&5
+echo $ECHO_N "checking if mkstemp needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_mkstemp_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -40219,50 +38946,45 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <unistd.h>
+struct foo { int foo; } xx;
+extern int mkstemp (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int mkstemp (struct foo*);
-mkstemp(&xx);
-
+mkstemp(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_mkstemp_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_mkstemp_noproto=no"
+	eval "ac_cv_func_mkstemp_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_mkstemp_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_mkstemp_noproto" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_mkstemp_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_mkstemp_noproto" >&6; }
 if test "$ac_cv_func_mkstemp_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -40274,8 +38996,8 @@ fi
 
 
 if test "$ac_cv_func_getusershell+set" != set -o "$ac_cv_func_getusershell" = yes; then
-echo "$as_me:$LINENO: checking if getusershell needs a prototype" >&5
-echo $ECHO_N "checking if getusershell needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if getusershell needs a prototype" >&5
+echo $ECHO_N "checking if getusershell needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_getusershell_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -40286,54 +39008,191 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <unistd.h>
+struct foo { int foo; } xx;
+extern int getusershell (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int getusershell (struct foo*);
-getusershell(&xx);
-
+getusershell(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_getusershell_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "ac_cv_func_getusershell_noproto=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_func_getusershell_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_getusershell_noproto" >&6; }
+if test "$ac_cv_func_getusershell_noproto" = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define NEED_GETUSERSHELL_PROTO 1
+_ACEOF
+
+fi
+fi
+
+
+if test "$ac_cv_func_daemon+set" != set -o "$ac_cv_func_daemon" = yes; then
+{ echo "$as_me:$LINENO: checking if daemon needs a prototype" >&5
+echo $ECHO_N "checking if daemon needs a prototype... $ECHO_C" >&6; }
+if test "${ac_cv_func_daemon_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <unistd.h>
+struct foo { int foo; } xx;
+extern int daemon (struct foo*);
+int
+main ()
+{
+daemon(&xx)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_daemon_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "ac_cv_func_daemon_noproto=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_func_daemon_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_daemon_noproto" >&6; }
+if test "$ac_cv_func_daemon_noproto" = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define NEED_DAEMON_PROTO 1
+_ACEOF
+
+fi
+fi
+
+
+if test "$ac_cv_func_iruserok+set" != set -o "$ac_cv_func_iruserok" = yes; then
+{ echo "$as_me:$LINENO: checking if iruserok needs a prototype" >&5
+echo $ECHO_N "checking if iruserok needs a prototype... $ECHO_C" >&6; }
+if test "${ac_cv_func_iruserok_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+struct foo { int foo; } xx;
+extern int iruserok (struct foo*);
+int
+main ()
+{
+iruserok(&xx)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "ac_cv_func_getusershell_noproto=yes"
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_iruserok_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_getusershell_noproto=no"
+	eval "ac_cv_func_iruserok_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getusershell_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_getusershell_noproto" >&6
-if test "$ac_cv_func_getusershell_noproto" = yes; then
+{ echo "$as_me:$LINENO: result: $ac_cv_func_iruserok_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_iruserok_noproto" >&6; }
+if test "$ac_cv_func_iruserok_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
-#define NEED_GETUSERSHELL_PROTO 1
+#define NEED_IRUSEROK_PROTO 1
 _ACEOF
 
 fi
@@ -40342,8 +39201,8 @@ fi
 
 
 if test "$ac_cv_func_inet_aton+set" != set -o "$ac_cv_func_inet_aton" = yes; then
-echo "$as_me:$LINENO: checking if inet_aton needs a prototype" >&5
-echo $ECHO_N "checking if inet_aton needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if inet_aton needs a prototype" >&5
+echo $ECHO_N "checking if inet_aton needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_inet_aton_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -40366,50 +39225,45 @@ cat >>conftest.$ac_ext <<_ACEOF
 #ifdef HAVE_ARPA_INET_H
 #include <arpa/inet.h>
 #endif
+struct foo { int foo; } xx;
+extern int inet_aton (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int inet_aton (struct foo*);
-inet_aton(&xx);
-
+inet_aton(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_inet_aton_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_inet_aton_noproto=no"
+	eval "ac_cv_func_inet_aton_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_inet_aton_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_inet_aton_noproto" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_inet_aton_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_inet_aton_noproto" >&6; }
 if test "$ac_cv_func_inet_aton_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -40423,8 +39277,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for crypt" >&5
-echo $ECHO_N "checking for crypt... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for crypt" >&5
+echo $ECHO_N "checking for crypt... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_crypt+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -40456,34 +39310,32 @@ crypt()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_crypt=$ac_lib; else ac_cv_funclib_crypt=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_crypt=\${ac_cv_funclib_crypt-no}"
@@ -40500,9 +39352,9 @@ if false; then
 for ac_func in crypt
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -40528,68 +39380,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -40612,14 +39456,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_crypt=no"
 	eval "LIB_crypt="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_crypt=yes"
@@ -40632,8 +39476,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -40642,8 +39486,8 @@ esac
 
 
 
-echo "$as_me:$LINENO: checking if gethostbyname is compatible with system prototype" >&5
-echo $ECHO_N "checking if gethostbyname is compatible with system prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if gethostbyname is compatible with system prototype" >&5
+echo $ECHO_N "checking if gethostbyname is compatible with system prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_gethostbyname_proto_compat+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -40673,44 +39517,40 @@ cat >>conftest.$ac_ext <<_ACEOF
 int
 main ()
 {
-struct hostent *gethostbyname(const char *);
+struct hostent *gethostbyname(const char *)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_gethostbyname_proto_compat=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_gethostbyname_proto_compat=no"
+	eval "ac_cv_func_gethostbyname_proto_compat=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_gethostbyname_proto_compat" >&5
-echo "${ECHO_T}$ac_cv_func_gethostbyname_proto_compat" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_gethostbyname_proto_compat" >&5
+echo "${ECHO_T}$ac_cv_func_gethostbyname_proto_compat" >&6; }
 
 if test "$ac_cv_func_gethostbyname_proto_compat" = yes; then
 
@@ -40723,8 +39563,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking if gethostbyaddr is compatible with system prototype" >&5
-echo $ECHO_N "checking if gethostbyaddr is compatible with system prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if gethostbyaddr is compatible with system prototype" >&5
+echo $ECHO_N "checking if gethostbyaddr is compatible with system prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_gethostbyaddr_proto_compat+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -40754,44 +39594,40 @@ cat >>conftest.$ac_ext <<_ACEOF
 int
 main ()
 {
-struct hostent *gethostbyaddr(const void *, size_t, int);
+struct hostent *gethostbyaddr(const void *, size_t, int)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_gethostbyaddr_proto_compat=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_gethostbyaddr_proto_compat=no"
+	eval "ac_cv_func_gethostbyaddr_proto_compat=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_gethostbyaddr_proto_compat" >&5
-echo "${ECHO_T}$ac_cv_func_gethostbyaddr_proto_compat" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_gethostbyaddr_proto_compat" >&5
+echo "${ECHO_T}$ac_cv_func_gethostbyaddr_proto_compat" >&6; }
 
 if test "$ac_cv_func_gethostbyaddr_proto_compat" = yes; then
 
@@ -40804,8 +39640,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking if getservbyname is compatible with system prototype" >&5
-echo $ECHO_N "checking if getservbyname is compatible with system prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if getservbyname is compatible with system prototype" >&5
+echo $ECHO_N "checking if getservbyname is compatible with system prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_getservbyname_proto_compat+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -40835,44 +39671,40 @@ cat >>conftest.$ac_ext <<_ACEOF
 int
 main ()
 {
-struct servent *getservbyname(const char *, const char *);
+struct servent *getservbyname(const char *, const char *)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_getservbyname_proto_compat=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_getservbyname_proto_compat=no"
+	eval "ac_cv_func_getservbyname_proto_compat=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getservbyname_proto_compat" >&5
-echo "${ECHO_T}$ac_cv_func_getservbyname_proto_compat" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_getservbyname_proto_compat" >&5
+echo "${ECHO_T}$ac_cv_func_getservbyname_proto_compat" >&6; }
 
 if test "$ac_cv_func_getservbyname_proto_compat" = yes; then
 
@@ -40885,8 +39717,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking if getsockname is compatible with system prototype" >&5
-echo $ECHO_N "checking if getsockname is compatible with system prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if getsockname is compatible with system prototype" >&5
+echo $ECHO_N "checking if getsockname is compatible with system prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_getsockname_proto_compat+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -40907,44 +39739,40 @@ cat >>conftest.$ac_ext <<_ACEOF
 int
 main ()
 {
-int getsockname(int, struct sockaddr*, socklen_t*);
+int getsockname(int, struct sockaddr*, socklen_t*)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_getsockname_proto_compat=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_getsockname_proto_compat=no"
+	eval "ac_cv_func_getsockname_proto_compat=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getsockname_proto_compat" >&5
-echo "${ECHO_T}$ac_cv_func_getsockname_proto_compat" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_getsockname_proto_compat" >&5
+echo "${ECHO_T}$ac_cv_func_getsockname_proto_compat" >&6; }
 
 if test "$ac_cv_func_getsockname_proto_compat" = yes; then
 
@@ -40957,8 +39785,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking if openlog is compatible with system prototype" >&5
-echo $ECHO_N "checking if openlog is compatible with system prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if openlog is compatible with system prototype" >&5
+echo $ECHO_N "checking if openlog is compatible with system prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_openlog_proto_compat+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -40976,44 +39804,40 @@ cat >>conftest.$ac_ext <<_ACEOF
 int
 main ()
 {
-void openlog(const char *, int, int);
+void openlog(const char *, int, int)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_openlog_proto_compat=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_openlog_proto_compat=no"
+	eval "ac_cv_func_openlog_proto_compat=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_openlog_proto_compat" >&5
-echo "${ECHO_T}$ac_cv_func_openlog_proto_compat" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_openlog_proto_compat" >&5
+echo "${ECHO_T}$ac_cv_func_openlog_proto_compat" >&6; }
 
 if test "$ac_cv_func_openlog_proto_compat" = yes; then
 
@@ -41027,8 +39851,8 @@ fi
 
 
 if test "$ac_cv_func_crypt+set" != set -o "$ac_cv_func_crypt" = yes; then
-echo "$as_me:$LINENO: checking if crypt needs a prototype" >&5
-echo $ECHO_N "checking if crypt needs a prototype... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking if crypt needs a prototype" >&5
+echo $ECHO_N "checking if crypt needs a prototype... $ECHO_C" >&6; }
 if test "${ac_cv_func_crypt_noproto+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -41046,50 +39870,45 @@ cat >>conftest.$ac_ext <<_ACEOF
 #include <unistd.h>
 #endif
 
+struct foo { int foo; } xx;
+extern int crypt (struct foo*);
 int
 main ()
 {
-struct foo { int foo; } xx;
-extern int crypt (struct foo*);
-crypt(&xx);
-
+crypt(&xx)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_func_crypt_noproto=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_func_crypt_noproto=no"
+	eval "ac_cv_func_crypt_noproto=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_crypt_noproto" >&5
-echo "${ECHO_T}$ac_cv_func_crypt_noproto" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_crypt_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_crypt_noproto" >&6; }
 if test "$ac_cv_func_crypt_noproto" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -41102,8 +39921,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for h_errno" >&5
-echo $ECHO_N "checking for h_errno... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for h_errno" >&5
+echo $ECHO_N "checking for h_errno... $ECHO_C" >&6; }
 if test "${ac_cv_var_h_errno+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -41121,7 +39940,7 @@ cat >>conftest.$ac_ext <<_ACEOF
 #ifdef HAVE_NETDB_H
 #include <netdb.h>
 #endif
-	void * foo() { return &h_errno; }
+	void * foo(void) { return &h_errno; }
 int
 main ()
 {
@@ -41131,35 +39950,32 @@ foo()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_var_h_errno=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_var_h_errno=no
+	ac_cv_var_h_errno=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test "$ac_cv_var_h_errno" != yes ; then
 cat >conftest.$ac_ext <<_ACEOF
@@ -41169,7 +39985,7 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 extern int h_errno;
-int foo() { return h_errno; }
+int foo(void) { return h_errno; }
 int
 main ()
 {
@@ -41179,57 +39995,52 @@ foo()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_var_h_errno=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_var_h_errno=no
+	ac_cv_var_h_errno=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
 
 fi
 
 ac_foo=`eval echo \\$ac_cv_var_h_errno`
-echo "$as_me:$LINENO: result: $ac_foo" >&5
-echo "${ECHO_T}$ac_foo" >&6
+{ echo "$as_me:$LINENO: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6; }
 if test "$ac_foo" = yes; then
 
 cat >>confdefs.h <<_ACEOF
 #define HAVE_H_ERRNO 1
 _ACEOF
 
-
-echo "$as_me:$LINENO: checking if h_errno is properly declared" >&5
-echo $ECHO_N "checking if h_errno is properly declared... $ECHO_C" >&6
-if test "${ac_cv_var_h_errno_declaration+set}" = set; then
+	{ echo "$as_me:$LINENO: checking whether h_errno is declared" >&5
+echo $ECHO_N "checking whether h_errno is declared... $ECHO_C" >&6; }
+if test "${ac_cv_have_decl_h_errno+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-
-cat >conftest.$ac_ext <<_ACEOF
+  cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
@@ -41241,59 +40052,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 #ifdef HAVE_NETDB_H
 #include <netdb.h>
 #endif
-extern struct { int foo; } h_errno;
+
 int
 main ()
 {
-h_errno.foo = 1;
+#ifndef h_errno
+  (void) h_errno;
+#endif
+
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "ac_cv_var_h_errno_declaration=no"
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_have_decl_h_errno=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_var_h_errno_declaration=yes"
+	ac_cv_have_decl_h_errno=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
+{ echo "$as_me:$LINENO: result: $ac_cv_have_decl_h_errno" >&5
+echo "${ECHO_T}$ac_cv_have_decl_h_errno" >&6; }
+if test $ac_cv_have_decl_h_errno = yes; then
 
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_H_ERRNO 1
+_ACEOF
 
 
-
-echo "$as_me:$LINENO: result: $ac_cv_var_h_errno_declaration" >&5
-echo "${ECHO_T}$ac_cv_var_h_errno_declaration" >&6
-if eval "test \"\$ac_cv_var_h_errno_declaration\" = yes"; then
-
-cat >>confdefs.h <<\_ACEOF
-#define HAVE_H_ERRNO_DECLARATION 1
+else
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_H_ERRNO 0
 _ACEOF
 
+
 fi
 
 
@@ -41301,8 +40113,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for h_errlist" >&5
-echo $ECHO_N "checking for h_errlist... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for h_errlist" >&5
+echo $ECHO_N "checking for h_errlist... $ECHO_C" >&6; }
 if test "${ac_cv_var_h_errlist+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -41317,7 +40129,7 @@ cat >>conftest.$ac_ext <<_ACEOF
 #ifdef HAVE_NETDB_H
 #include <netdb.h>
 #endif
-	void * foo() { return &h_errlist; }
+	void * foo(void) { return &h_errlist; }
 int
 main ()
 {
@@ -41327,35 +40139,32 @@ foo()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_var_h_errlist=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_var_h_errlist=no
+	ac_cv_var_h_errlist=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test "$ac_cv_var_h_errlist" != yes ; then
 cat >conftest.$ac_ext <<_ACEOF
@@ -41365,7 +40174,7 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 extern int h_errlist;
-int foo() { return h_errlist; }
+int foo(void) { return h_errlist; }
 int
 main ()
 {
@@ -41375,57 +40184,52 @@ foo()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_var_h_errlist=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_var_h_errlist=no
+	ac_cv_var_h_errlist=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
 
 fi
 
 ac_foo=`eval echo \\$ac_cv_var_h_errlist`
-echo "$as_me:$LINENO: result: $ac_foo" >&5
-echo "${ECHO_T}$ac_foo" >&6
+{ echo "$as_me:$LINENO: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6; }
 if test "$ac_foo" = yes; then
 
 cat >>confdefs.h <<_ACEOF
 #define HAVE_H_ERRLIST 1
 _ACEOF
 
-
-echo "$as_me:$LINENO: checking if h_errlist is properly declared" >&5
-echo $ECHO_N "checking if h_errlist is properly declared... $ECHO_C" >&6
-if test "${ac_cv_var_h_errlist_declaration+set}" = set; then
+	{ echo "$as_me:$LINENO: checking whether h_errlist is declared" >&5
+echo $ECHO_N "checking whether h_errlist is declared... $ECHO_C" >&6; }
+if test "${ac_cv_have_decl_h_errlist+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-
-cat >conftest.$ac_ext <<_ACEOF
+  cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
@@ -41434,59 +40238,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 #ifdef HAVE_NETDB_H
 #include <netdb.h>
 #endif
-extern struct { int foo; } h_errlist;
+
 int
 main ()
 {
-h_errlist.foo = 1;
+#ifndef h_errlist
+  (void) h_errlist;
+#endif
+
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "ac_cv_var_h_errlist_declaration=no"
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_have_decl_h_errlist=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_var_h_errlist_declaration=yes"
+	ac_cv_have_decl_h_errlist=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
+{ echo "$as_me:$LINENO: result: $ac_cv_have_decl_h_errlist" >&5
+echo "${ECHO_T}$ac_cv_have_decl_h_errlist" >&6; }
+if test $ac_cv_have_decl_h_errlist = yes; then
 
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_H_ERRLIST 1
+_ACEOF
 
 
-
-echo "$as_me:$LINENO: result: $ac_cv_var_h_errlist_declaration" >&5
-echo "${ECHO_T}$ac_cv_var_h_errlist_declaration" >&6
-if eval "test \"\$ac_cv_var_h_errlist_declaration\" = yes"; then
-
-cat >>confdefs.h <<\_ACEOF
-#define HAVE_H_ERRLIST_DECLARATION 1
+else
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_H_ERRLIST 0
 _ACEOF
 
+
 fi
 
 
@@ -41494,8 +40299,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for h_nerr" >&5
-echo $ECHO_N "checking for h_nerr... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for h_nerr" >&5
+echo $ECHO_N "checking for h_nerr... $ECHO_C" >&6; }
 if test "${ac_cv_var_h_nerr+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -41510,7 +40315,7 @@ cat >>conftest.$ac_ext <<_ACEOF
 #ifdef HAVE_NETDB_H
 #include <netdb.h>
 #endif
-	void * foo() { return &h_nerr; }
+	void * foo(void) { return &h_nerr; }
 int
 main ()
 {
@@ -41520,35 +40325,32 @@ foo()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_var_h_nerr=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_var_h_nerr=no
+	ac_cv_var_h_nerr=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test "$ac_cv_var_h_nerr" != yes ; then
 cat >conftest.$ac_ext <<_ACEOF
@@ -41558,7 +40360,7 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 extern int h_nerr;
-int foo() { return h_nerr; }
+int foo(void) { return h_nerr; }
 int
 main ()
 {
@@ -41568,57 +40370,52 @@ foo()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_var_h_nerr=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_var_h_nerr=no
+	ac_cv_var_h_nerr=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
 
 fi
 
 ac_foo=`eval echo \\$ac_cv_var_h_nerr`
-echo "$as_me:$LINENO: result: $ac_foo" >&5
-echo "${ECHO_T}$ac_foo" >&6
+{ echo "$as_me:$LINENO: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6; }
 if test "$ac_foo" = yes; then
 
 cat >>confdefs.h <<_ACEOF
 #define HAVE_H_NERR 1
 _ACEOF
 
-
-echo "$as_me:$LINENO: checking if h_nerr is properly declared" >&5
-echo $ECHO_N "checking if h_nerr is properly declared... $ECHO_C" >&6
-if test "${ac_cv_var_h_nerr_declaration+set}" = set; then
+	{ echo "$as_me:$LINENO: checking whether h_nerr is declared" >&5
+echo $ECHO_N "checking whether h_nerr is declared... $ECHO_C" >&6; }
+if test "${ac_cv_have_decl_h_nerr+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-
-cat >conftest.$ac_ext <<_ACEOF
+  cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
@@ -41627,59 +40424,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 #ifdef HAVE_NETDB_H
 #include <netdb.h>
 #endif
-extern struct { int foo; } h_nerr;
+
 int
 main ()
 {
-h_nerr.foo = 1;
+#ifndef h_nerr
+  (void) h_nerr;
+#endif
+
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "ac_cv_var_h_nerr_declaration=no"
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_have_decl_h_nerr=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_var_h_nerr_declaration=yes"
+	ac_cv_have_decl_h_nerr=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
+{ echo "$as_me:$LINENO: result: $ac_cv_have_decl_h_nerr" >&5
+echo "${ECHO_T}$ac_cv_have_decl_h_nerr" >&6; }
+if test $ac_cv_have_decl_h_nerr = yes; then
 
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_H_NERR 1
+_ACEOF
 
 
-
-echo "$as_me:$LINENO: result: $ac_cv_var_h_nerr_declaration" >&5
-echo "${ECHO_T}$ac_cv_var_h_nerr_declaration" >&6
-if eval "test \"\$ac_cv_var_h_nerr_declaration\" = yes"; then
-
-cat >>confdefs.h <<\_ACEOF
-#define HAVE_H_NERR_DECLARATION 1
+else
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_H_NERR 0
 _ACEOF
 
+
 fi
 
 
@@ -41687,8 +40485,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for __progname" >&5
-echo $ECHO_N "checking for __progname... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for __progname" >&5
+echo $ECHO_N "checking for __progname... $ECHO_C" >&6; }
 if test "${ac_cv_var___progname+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -41703,7 +40501,7 @@ cat >>conftest.$ac_ext <<_ACEOF
 #ifdef HAVE_ERR_H
 #include <err.h>
 #endif
-	void * foo() { return &__progname; }
+	void * foo(void) { return &__progname; }
 int
 main ()
 {
@@ -41713,35 +40511,32 @@ foo()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_var___progname=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_var___progname=no
+	ac_cv_var___progname=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test "$ac_cv_var___progname" != yes ; then
 cat >conftest.$ac_ext <<_ACEOF
@@ -41751,7 +40546,7 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 extern int __progname;
-int foo() { return __progname; }
+int foo(void) { return __progname; }
 int
 main ()
 {
@@ -41761,57 +40556,52 @@ foo()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_var___progname=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_var___progname=no
+	ac_cv_var___progname=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
 
 fi
 
 ac_foo=`eval echo \\$ac_cv_var___progname`
-echo "$as_me:$LINENO: result: $ac_foo" >&5
-echo "${ECHO_T}$ac_foo" >&6
+{ echo "$as_me:$LINENO: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6; }
 if test "$ac_foo" = yes; then
 
 cat >>confdefs.h <<_ACEOF
 #define HAVE___PROGNAME 1
 _ACEOF
 
-
-echo "$as_me:$LINENO: checking if __progname is properly declared" >&5
-echo $ECHO_N "checking if __progname is properly declared... $ECHO_C" >&6
-if test "${ac_cv_var___progname_declaration+set}" = set; then
+	{ echo "$as_me:$LINENO: checking whether __progname is declared" >&5
+echo $ECHO_N "checking whether __progname is declared... $ECHO_C" >&6; }
+if test "${ac_cv_have_decl___progname+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-
-cat >conftest.$ac_ext <<_ACEOF
+  cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
@@ -41820,425 +40610,415 @@ cat >>conftest.$ac_ext <<_ACEOF
 #ifdef HAVE_ERR_H
 #include <err.h>
 #endif
-extern struct { int foo; } __progname;
+
 int
 main ()
 {
-__progname.foo = 1;
+#ifndef __progname
+  (void) __progname;
+#endif
+
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "ac_cv_var___progname_declaration=no"
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_have_decl___progname=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_var___progname_declaration=yes"
+	ac_cv_have_decl___progname=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
+{ echo "$as_me:$LINENO: result: $ac_cv_have_decl___progname" >&5
+echo "${ECHO_T}$ac_cv_have_decl___progname" >&6; }
+if test $ac_cv_have_decl___progname = yes; then
 
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL___PROGNAME 1
+_ACEOF
 
 
-
-echo "$as_me:$LINENO: result: $ac_cv_var___progname_declaration" >&5
-echo "${ECHO_T}$ac_cv_var___progname_declaration" >&6
-if eval "test \"\$ac_cv_var___progname_declaration\" = yes"; then
-
-cat >>confdefs.h <<\_ACEOF
-#define HAVE___PROGNAME_DECLARATION 1
+else
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL___PROGNAME 0
 _ACEOF
 
+
 fi
 
 
 fi
 
 
-
-echo "$as_me:$LINENO: checking if optarg is properly declared" >&5
-echo $ECHO_N "checking if optarg is properly declared... $ECHO_C" >&6
-if test "${ac_cv_var_optarg_declaration+set}" = set; then
+{ echo "$as_me:$LINENO: checking whether optarg is declared" >&5
+echo $ECHO_N "checking whether optarg is declared... $ECHO_C" >&6; }
+if test "${ac_cv_have_decl_optarg+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-
-cat >conftest.$ac_ext <<_ACEOF
+  cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-#include <stdlib.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-extern struct { int foo; } optarg;
+$ac_includes_default
 int
 main ()
 {
-optarg.foo = 1;
+#ifndef optarg
+  (void) optarg;
+#endif
+
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "ac_cv_var_optarg_declaration=no"
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_have_decl_optarg=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_var_optarg_declaration=yes"
+	ac_cv_have_decl_optarg=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
+{ echo "$as_me:$LINENO: result: $ac_cv_have_decl_optarg" >&5
+echo "${ECHO_T}$ac_cv_have_decl_optarg" >&6; }
+if test $ac_cv_have_decl_optarg = yes; then
 
-
-
-
-echo "$as_me:$LINENO: result: $ac_cv_var_optarg_declaration" >&5
-echo "${ECHO_T}$ac_cv_var_optarg_declaration" >&6
-if eval "test \"\$ac_cv_var_optarg_declaration\" = yes"; then
-
-cat >>confdefs.h <<\_ACEOF
-#define HAVE_OPTARG_DECLARATION 1
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_OPTARG 1
 _ACEOF
 
-fi
 
+else
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_OPTARG 0
+_ACEOF
 
 
-echo "$as_me:$LINENO: checking if optind is properly declared" >&5
-echo $ECHO_N "checking if optind is properly declared... $ECHO_C" >&6
-if test "${ac_cv_var_optind_declaration+set}" = set; then
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+fi
+{ echo "$as_me:$LINENO: checking whether optind is declared" >&5
+echo $ECHO_N "checking whether optind is declared... $ECHO_C" >&6; }
+if test "${ac_cv_have_decl_optind+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-
-cat >conftest.$ac_ext <<_ACEOF
+  cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-#include <stdlib.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-extern struct { int foo; } optind;
+$ac_includes_default
 int
 main ()
 {
-optind.foo = 1;
+#ifndef optind
+  (void) optind;
+#endif
+
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "ac_cv_var_optind_declaration=no"
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_have_decl_optind=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_var_optind_declaration=yes"
+	ac_cv_have_decl_optind=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
+{ echo "$as_me:$LINENO: result: $ac_cv_have_decl_optind" >&5
+echo "${ECHO_T}$ac_cv_have_decl_optind" >&6; }
+if test $ac_cv_have_decl_optind = yes; then
 
-
-
-
-echo "$as_me:$LINENO: result: $ac_cv_var_optind_declaration" >&5
-echo "${ECHO_T}$ac_cv_var_optind_declaration" >&6
-if eval "test \"\$ac_cv_var_optind_declaration\" = yes"; then
-
-cat >>confdefs.h <<\_ACEOF
-#define HAVE_OPTIND_DECLARATION 1
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_OPTIND 1
 _ACEOF
 
-fi
 
+else
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_OPTIND 0
+_ACEOF
 
 
-echo "$as_me:$LINENO: checking if opterr is properly declared" >&5
-echo $ECHO_N "checking if opterr is properly declared... $ECHO_C" >&6
-if test "${ac_cv_var_opterr_declaration+set}" = set; then
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+fi
+{ echo "$as_me:$LINENO: checking whether opterr is declared" >&5
+echo $ECHO_N "checking whether opterr is declared... $ECHO_C" >&6; }
+if test "${ac_cv_have_decl_opterr+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-
-cat >conftest.$ac_ext <<_ACEOF
+  cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-#include <stdlib.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-extern struct { int foo; } opterr;
+$ac_includes_default
 int
 main ()
 {
-opterr.foo = 1;
+#ifndef opterr
+  (void) opterr;
+#endif
+
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "ac_cv_var_opterr_declaration=no"
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_have_decl_opterr=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_var_opterr_declaration=yes"
+	ac_cv_have_decl_opterr=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
+{ echo "$as_me:$LINENO: result: $ac_cv_have_decl_opterr" >&5
+echo "${ECHO_T}$ac_cv_have_decl_opterr" >&6; }
+if test $ac_cv_have_decl_opterr = yes; then
 
-
-
-
-echo "$as_me:$LINENO: result: $ac_cv_var_opterr_declaration" >&5
-echo "${ECHO_T}$ac_cv_var_opterr_declaration" >&6
-if eval "test \"\$ac_cv_var_opterr_declaration\" = yes"; then
-
-cat >>confdefs.h <<\_ACEOF
-#define HAVE_OPTERR_DECLARATION 1
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_OPTERR 1
 _ACEOF
 
-fi
 
+else
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_OPTERR 0
+_ACEOF
 
 
-echo "$as_me:$LINENO: checking if optopt is properly declared" >&5
-echo $ECHO_N "checking if optopt is properly declared... $ECHO_C" >&6
-if test "${ac_cv_var_optopt_declaration+set}" = set; then
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+fi
+{ echo "$as_me:$LINENO: checking whether optopt is declared" >&5
+echo $ECHO_N "checking whether optopt is declared... $ECHO_C" >&6; }
+if test "${ac_cv_have_decl_optopt+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-
-cat >conftest.$ac_ext <<_ACEOF
+  cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-#include <stdlib.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-extern struct { int foo; } optopt;
+$ac_includes_default
 int
 main ()
 {
-optopt.foo = 1;
+#ifndef optopt
+  (void) optopt;
+#endif
+
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "ac_cv_var_optopt_declaration=no"
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_have_decl_optopt=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_var_optopt_declaration=yes"
+	ac_cv_have_decl_optopt=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
+{ echo "$as_me:$LINENO: result: $ac_cv_have_decl_optopt" >&5
+echo "${ECHO_T}$ac_cv_have_decl_optopt" >&6; }
+if test $ac_cv_have_decl_optopt = yes; then
 
-
-
-
-echo "$as_me:$LINENO: result: $ac_cv_var_optopt_declaration" >&5
-echo "${ECHO_T}$ac_cv_var_optopt_declaration" >&6
-if eval "test \"\$ac_cv_var_optopt_declaration\" = yes"; then
-
-cat >>confdefs.h <<\_ACEOF
-#define HAVE_OPTOPT_DECLARATION 1
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_OPTOPT 1
 _ACEOF
 
-fi
-
 
+else
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_OPTOPT 0
+_ACEOF
 
 
-echo "$as_me:$LINENO: checking if environ is properly declared" >&5
-echo $ECHO_N "checking if environ is properly declared... $ECHO_C" >&6
-if test "${ac_cv_var_environ_declaration+set}" = set; then
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+fi
+{ echo "$as_me:$LINENO: checking whether environ is declared" >&5
+echo $ECHO_N "checking whether environ is declared... $ECHO_C" >&6; }
+if test "${ac_cv_have_decl_environ+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-
-cat >conftest.$ac_ext <<_ACEOF
+  cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-#include <stdlib.h>
-extern struct { int foo; } environ;
+$ac_includes_default
 int
 main ()
 {
-environ.foo = 1;
+#ifndef environ
+  (void) environ;
+#endif
+
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "ac_cv_var_environ_declaration=no"
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_have_decl_environ=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_var_environ_declaration=yes"
+	ac_cv_have_decl_environ=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
+{ echo "$as_me:$LINENO: result: $ac_cv_have_decl_environ" >&5
+echo "${ECHO_T}$ac_cv_have_decl_environ" >&6; }
+if test $ac_cv_have_decl_environ = yes; then
 
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_ENVIRON 1
+_ACEOF
 
 
-
-echo "$as_me:$LINENO: result: $ac_cv_var_environ_declaration" >&5
-echo "${ECHO_T}$ac_cv_var_environ_declaration" >&6
-if eval "test \"\$ac_cv_var_environ_declaration\" = yes"; then
-
-cat >>confdefs.h <<\_ACEOF
-#define HAVE_ENVIRON_DECLARATION 1
+else
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_ENVIRON 0
 _ACEOF
 
+
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
 fi
 
 
@@ -42246,8 +41026,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for tm_gmtoff in struct tm" >&5
-echo $ECHO_N "checking for tm_gmtoff in struct tm... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for tm_gmtoff in struct tm" >&5
+echo $ECHO_N "checking for tm_gmtoff in struct tm... $ECHO_C" >&6; }
 if test "${ac_cv_type_struct_tm_tm_gmtoff+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -42262,44 +41042,41 @@ cat >>conftest.$ac_ext <<_ACEOF
 int
 main ()
 {
-struct tm x; x.tm_gmtoff;
+struct tm x; memset(&x, 0, sizeof(x)); x.tm_gmtoff
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_struct_tm_tm_gmtoff=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_struct_tm_tm_gmtoff=no
+	ac_cv_type_struct_tm_tm_gmtoff=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_struct_tm_tm_gmtoff" >&5
-echo "${ECHO_T}$ac_cv_type_struct_tm_tm_gmtoff" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_struct_tm_tm_gmtoff" >&5
+echo "${ECHO_T}$ac_cv_type_struct_tm_tm_gmtoff" >&6; }
 if test "$ac_cv_type_struct_tm_tm_gmtoff" = yes; then
 
 
@@ -42313,8 +41090,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for tm_zone in struct tm" >&5
-echo $ECHO_N "checking for tm_zone in struct tm... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for tm_zone in struct tm" >&5
+echo $ECHO_N "checking for tm_zone in struct tm... $ECHO_C" >&6; }
 if test "${ac_cv_type_struct_tm_tm_zone+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -42329,44 +41106,41 @@ cat >>conftest.$ac_ext <<_ACEOF
 int
 main ()
 {
-struct tm x; x.tm_zone;
+struct tm x; memset(&x, 0, sizeof(x)); x.tm_zone
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_struct_tm_tm_zone=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_struct_tm_tm_zone=no
+	ac_cv_type_struct_tm_tm_zone=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_struct_tm_tm_zone" >&5
-echo "${ECHO_T}$ac_cv_type_struct_tm_tm_zone" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_struct_tm_tm_zone" >&5
+echo "${ECHO_T}$ac_cv_type_struct_tm_tm_zone" >&6; }
 if test "$ac_cv_type_struct_tm_tm_zone" = yes; then
 
 
@@ -42381,8 +41155,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for timezone" >&5
-echo $ECHO_N "checking for timezone... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for timezone" >&5
+echo $ECHO_N "checking for timezone... $ECHO_C" >&6; }
 if test "${ac_cv_var_timezone+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -42395,7 +41169,7 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <time.h>
-	void * foo() { return &timezone; }
+	void * foo(void) { return &timezone; }
 int
 main ()
 {
@@ -42405,35 +41179,32 @@ foo()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_var_timezone=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_var_timezone=no
+	ac_cv_var_timezone=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test "$ac_cv_var_timezone" != yes ; then
 cat >conftest.$ac_ext <<_ACEOF
@@ -42443,7 +41214,7 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 extern int timezone;
-int foo() { return timezone; }
+int foo(void) { return timezone; }
 int
 main ()
 {
@@ -42453,124 +41224,120 @@ foo()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_var_timezone=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_var_timezone=no
+	ac_cv_var_timezone=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
 
 fi
 
 ac_foo=`eval echo \\$ac_cv_var_timezone`
-echo "$as_me:$LINENO: result: $ac_foo" >&5
-echo "${ECHO_T}$ac_foo" >&6
+{ echo "$as_me:$LINENO: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6; }
 if test "$ac_foo" = yes; then
 
 cat >>confdefs.h <<_ACEOF
 #define HAVE_TIMEZONE 1
 _ACEOF
 
-
-echo "$as_me:$LINENO: checking if timezone is properly declared" >&5
-echo $ECHO_N "checking if timezone is properly declared... $ECHO_C" >&6
-if test "${ac_cv_var_timezone_declaration+set}" = set; then
+	{ echo "$as_me:$LINENO: checking whether timezone is declared" >&5
+echo $ECHO_N "checking whether timezone is declared... $ECHO_C" >&6; }
+if test "${ac_cv_have_decl_timezone+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-
-cat >conftest.$ac_ext <<_ACEOF
+  cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <time.h>
-extern struct { int foo; } timezone;
+
 int
 main ()
 {
-timezone.foo = 1;
+#ifndef timezone
+  (void) timezone;
+#endif
+
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "ac_cv_var_timezone_declaration=no"
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_have_decl_timezone=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_var_timezone_declaration=yes"
+	ac_cv_have_decl_timezone=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
+{ echo "$as_me:$LINENO: result: $ac_cv_have_decl_timezone" >&5
+echo "${ECHO_T}$ac_cv_have_decl_timezone" >&6; }
+if test $ac_cv_have_decl_timezone = yes; then
 
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_TIMEZONE 1
+_ACEOF
 
 
-
-echo "$as_me:$LINENO: result: $ac_cv_var_timezone_declaration" >&5
-echo "${ECHO_T}$ac_cv_var_timezone_declaration" >&6
-if eval "test \"\$ac_cv_var_timezone_declaration\" = yes"; then
-
-cat >>confdefs.h <<\_ACEOF
-#define HAVE_TIMEZONE_DECLARATION 1
+else
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_TIMEZONE 0
 _ACEOF
 
+
 fi
 
 
 fi
 
 
-echo "$as_me:$LINENO: checking for altzone" >&5
-echo $ECHO_N "checking for altzone... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for altzone" >&5
+echo $ECHO_N "checking for altzone... $ECHO_C" >&6; }
 if test "${ac_cv_var_altzone+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -42583,7 +41350,7 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <time.h>
-	void * foo() { return &altzone; }
+	void * foo(void) { return &altzone; }
 int
 main ()
 {
@@ -42593,35 +41360,32 @@ foo()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_var_altzone=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_var_altzone=no
+	ac_cv_var_altzone=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test "$ac_cv_var_altzone" != yes ; then
 cat >conftest.$ac_ext <<_ACEOF
@@ -42631,7 +41395,7 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 extern int altzone;
-int foo() { return altzone; }
+int foo(void) { return altzone; }
 int
 main ()
 {
@@ -42641,116 +41405,112 @@ foo()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_var_altzone=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_var_altzone=no
+	ac_cv_var_altzone=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
 
 fi
 
 ac_foo=`eval echo \\$ac_cv_var_altzone`
-echo "$as_me:$LINENO: result: $ac_foo" >&5
-echo "${ECHO_T}$ac_foo" >&6
+{ echo "$as_me:$LINENO: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6; }
 if test "$ac_foo" = yes; then
 
 cat >>confdefs.h <<_ACEOF
 #define HAVE_ALTZONE 1
 _ACEOF
 
-
-echo "$as_me:$LINENO: checking if altzone is properly declared" >&5
-echo $ECHO_N "checking if altzone is properly declared... $ECHO_C" >&6
-if test "${ac_cv_var_altzone_declaration+set}" = set; then
+	{ echo "$as_me:$LINENO: checking whether altzone is declared" >&5
+echo $ECHO_N "checking whether altzone is declared... $ECHO_C" >&6; }
+if test "${ac_cv_have_decl_altzone+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-
-cat >conftest.$ac_ext <<_ACEOF
+  cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <time.h>
-extern struct { int foo; } altzone;
+
 int
 main ()
 {
-altzone.foo = 1;
+#ifndef altzone
+  (void) altzone;
+#endif
+
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "ac_cv_var_altzone_declaration=no"
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_have_decl_altzone=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_var_altzone_declaration=yes"
+	ac_cv_have_decl_altzone=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
+{ echo "$as_me:$LINENO: result: $ac_cv_have_decl_altzone" >&5
+echo "${ECHO_T}$ac_cv_have_decl_altzone" >&6; }
+if test $ac_cv_have_decl_altzone = yes; then
 
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_ALTZONE 1
+_ACEOF
 
 
-
-echo "$as_me:$LINENO: result: $ac_cv_var_altzone_declaration" >&5
-echo "${ECHO_T}$ac_cv_var_altzone_declaration" >&6
-if eval "test \"\$ac_cv_var_altzone_declaration\" = yes"; then
-
-cat >>confdefs.h <<\_ACEOF
-#define HAVE_ALTZONE_DECLARATION 1
+else
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_ALTZONE 0
 _ACEOF
 
+
 fi
 
 
@@ -42760,9 +41520,9 @@ fi
 
 
 cv=`echo "sa_family_t" | sed 'y%./+- %__p__%'`
-echo "$as_me:$LINENO: checking for sa_family_t" >&5
-echo $ECHO_N "checking for sa_family_t... $ECHO_C" >&6
-if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for sa_family_t" >&5
+echo $ECHO_N "checking for sa_family_t... $ECHO_C" >&6; }
+if { as_var=ac_cv_type_$cv; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -42771,11 +41531,14 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
+
 #include <sys/types.h>
 #if STDC_HEADERS
 #include <stdlib.h>
 #include <stddef.h>
 #endif
+
+#include <sys/types.h>
 #include <sys/socket.h>
 int
 main ()
@@ -42786,44 +41549,40 @@ sa_family_t foo;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_type_$cv=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_type_$cv=no"
+	eval "ac_cv_type_$cv=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 ac_foo=`eval echo \\$ac_cv_type_$cv`
-echo "$as_me:$LINENO: result: $ac_foo" >&5
-echo "${ECHO_T}$ac_foo" >&6
+{ echo "$as_me:$LINENO: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6; }
 if test "$ac_foo" = yes; then
   ac_tr_hdr=HAVE_`echo sa_family_t | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
 if false; then
-	echo "$as_me:$LINENO: checking for sa_family_t" >&5
-echo $ECHO_N "checking for sa_family_t... $ECHO_C" >&6
+	{ echo "$as_me:$LINENO: checking for sa_family_t" >&5
+echo $ECHO_N "checking for sa_family_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_sa_family_t+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -42834,50 +41593,47 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
+typedef sa_family_t ac__type_new_;
 int
 main ()
 {
-if ((sa_family_t *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (sa_family_t))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_sa_family_t=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_sa_family_t=no
+	ac_cv_type_sa_family_t=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_sa_family_t" >&5
-echo "${ECHO_T}$ac_cv_type_sa_family_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_sa_family_t" >&5
+echo "${ECHO_T}$ac_cv_type_sa_family_t" >&6; }
 if test $ac_cv_type_sa_family_t = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -42898,9 +41654,9 @@ fi
 
 
 cv=`echo "socklen_t" | sed 'y%./+- %__p__%'`
-echo "$as_me:$LINENO: checking for socklen_t" >&5
-echo $ECHO_N "checking for socklen_t... $ECHO_C" >&6
-if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for socklen_t" >&5
+echo $ECHO_N "checking for socklen_t... $ECHO_C" >&6; }
+if { as_var=ac_cv_type_$cv; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -42909,11 +41665,14 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
+
 #include <sys/types.h>
 #if STDC_HEADERS
 #include <stdlib.h>
 #include <stddef.h>
 #endif
+
+#include <sys/types.h>
 #include <sys/socket.h>
 int
 main ()
@@ -42924,44 +41683,40 @@ socklen_t foo;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_type_$cv=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_type_$cv=no"
+	eval "ac_cv_type_$cv=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 ac_foo=`eval echo \\$ac_cv_type_$cv`
-echo "$as_me:$LINENO: result: $ac_foo" >&5
-echo "${ECHO_T}$ac_foo" >&6
+{ echo "$as_me:$LINENO: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6; }
 if test "$ac_foo" = yes; then
   ac_tr_hdr=HAVE_`echo socklen_t | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
 if false; then
-	echo "$as_me:$LINENO: checking for socklen_t" >&5
-echo $ECHO_N "checking for socklen_t... $ECHO_C" >&6
+	{ echo "$as_me:$LINENO: checking for socklen_t" >&5
+echo $ECHO_N "checking for socklen_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_socklen_t+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -42972,50 +41727,47 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
+typedef socklen_t ac__type_new_;
 int
 main ()
 {
-if ((socklen_t *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (socklen_t))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_socklen_t=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_socklen_t=no
+	ac_cv_type_socklen_t=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_socklen_t" >&5
-echo "${ECHO_T}$ac_cv_type_socklen_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_socklen_t" >&5
+echo "${ECHO_T}$ac_cv_type_socklen_t" >&6; }
 if test $ac_cv_type_socklen_t = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -43036,9 +41788,9 @@ fi
 
 
 cv=`echo "struct sockaddr" | sed 'y%./+- %__p__%'`
-echo "$as_me:$LINENO: checking for struct sockaddr" >&5
-echo $ECHO_N "checking for struct sockaddr... $ECHO_C" >&6
-if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for struct sockaddr" >&5
+echo $ECHO_N "checking for struct sockaddr... $ECHO_C" >&6; }
+if { as_var=ac_cv_type_$cv; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -43047,11 +41799,14 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
+
 #include <sys/types.h>
 #if STDC_HEADERS
 #include <stdlib.h>
 #include <stddef.h>
 #endif
+
+#include <sys/types.h>
 #include <sys/socket.h>
 int
 main ()
@@ -43062,44 +41817,40 @@ struct sockaddr foo;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_type_$cv=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_type_$cv=no"
+	eval "ac_cv_type_$cv=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 ac_foo=`eval echo \\$ac_cv_type_$cv`
-echo "$as_me:$LINENO: result: $ac_foo" >&5
-echo "${ECHO_T}$ac_foo" >&6
+{ echo "$as_me:$LINENO: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6; }
 if test "$ac_foo" = yes; then
   ac_tr_hdr=HAVE_`echo struct sockaddr | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
 if false; then
-	echo "$as_me:$LINENO: checking for struct sockaddr" >&5
-echo $ECHO_N "checking for struct sockaddr... $ECHO_C" >&6
+	{ echo "$as_me:$LINENO: checking for struct sockaddr" >&5
+echo $ECHO_N "checking for struct sockaddr... $ECHO_C" >&6; }
 if test "${ac_cv_type_struct_sockaddr+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -43110,50 +41861,47 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
+typedef struct sockaddr ac__type_new_;
 int
 main ()
 {
-if ((struct sockaddr *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (struct sockaddr))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_struct_sockaddr=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_struct_sockaddr=no
+	ac_cv_type_struct_sockaddr=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_struct_sockaddr" >&5
-echo "${ECHO_T}$ac_cv_type_struct_sockaddr" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_struct_sockaddr" >&5
+echo "${ECHO_T}$ac_cv_type_struct_sockaddr" >&6; }
 if test $ac_cv_type_struct_sockaddr = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -43174,9 +41922,9 @@ fi
 
 
 cv=`echo "struct sockaddr_storage" | sed 'y%./+- %__p__%'`
-echo "$as_me:$LINENO: checking for struct sockaddr_storage" >&5
-echo $ECHO_N "checking for struct sockaddr_storage... $ECHO_C" >&6
-if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for struct sockaddr_storage" >&5
+echo $ECHO_N "checking for struct sockaddr_storage... $ECHO_C" >&6; }
+if { as_var=ac_cv_type_$cv; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -43185,11 +41933,14 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
+
 #include <sys/types.h>
 #if STDC_HEADERS
 #include <stdlib.h>
 #include <stddef.h>
 #endif
+
+#include <sys/types.h>
 #include <sys/socket.h>
 int
 main ()
@@ -43200,44 +41951,40 @@ struct sockaddr_storage foo;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_type_$cv=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_type_$cv=no"
+	eval "ac_cv_type_$cv=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 ac_foo=`eval echo \\$ac_cv_type_$cv`
-echo "$as_me:$LINENO: result: $ac_foo" >&5
-echo "${ECHO_T}$ac_foo" >&6
+{ echo "$as_me:$LINENO: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6; }
 if test "$ac_foo" = yes; then
   ac_tr_hdr=HAVE_`echo struct sockaddr_storage | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
 if false; then
-	echo "$as_me:$LINENO: checking for struct sockaddr_storage" >&5
-echo $ECHO_N "checking for struct sockaddr_storage... $ECHO_C" >&6
+	{ echo "$as_me:$LINENO: checking for struct sockaddr_storage" >&5
+echo $ECHO_N "checking for struct sockaddr_storage... $ECHO_C" >&6; }
 if test "${ac_cv_type_struct_sockaddr_storage+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -43248,50 +41995,47 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
+typedef struct sockaddr_storage ac__type_new_;
 int
 main ()
 {
-if ((struct sockaddr_storage *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (struct sockaddr_storage))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_struct_sockaddr_storage=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_struct_sockaddr_storage=no
+	ac_cv_type_struct_sockaddr_storage=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_struct_sockaddr_storage" >&5
-echo "${ECHO_T}$ac_cv_type_struct_sockaddr_storage" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_struct_sockaddr_storage" >&5
+echo "${ECHO_T}$ac_cv_type_struct_sockaddr_storage" >&6; }
 if test $ac_cv_type_struct_sockaddr_storage = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -43312,9 +42056,9 @@ fi
 
 
 cv=`echo "struct addrinfo" | sed 'y%./+- %__p__%'`
-echo "$as_me:$LINENO: checking for struct addrinfo" >&5
-echo $ECHO_N "checking for struct addrinfo... $ECHO_C" >&6
-if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for struct addrinfo" >&5
+echo $ECHO_N "checking for struct addrinfo... $ECHO_C" >&6; }
+if { as_var=ac_cv_type_$cv; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -43323,11 +42067,14 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
+
 #include <sys/types.h>
 #if STDC_HEADERS
 #include <stdlib.h>
 #include <stddef.h>
 #endif
+
+#include <sys/types.h>
 #include <netdb.h>
 int
 main ()
@@ -43338,44 +42085,40 @@ struct addrinfo foo;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_type_$cv=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_type_$cv=no"
+	eval "ac_cv_type_$cv=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 ac_foo=`eval echo \\$ac_cv_type_$cv`
-echo "$as_me:$LINENO: result: $ac_foo" >&5
-echo "${ECHO_T}$ac_foo" >&6
+{ echo "$as_me:$LINENO: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6; }
 if test "$ac_foo" = yes; then
   ac_tr_hdr=HAVE_`echo struct addrinfo | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
 if false; then
-	echo "$as_me:$LINENO: checking for struct addrinfo" >&5
-echo $ECHO_N "checking for struct addrinfo... $ECHO_C" >&6
+	{ echo "$as_me:$LINENO: checking for struct addrinfo" >&5
+echo $ECHO_N "checking for struct addrinfo... $ECHO_C" >&6; }
 if test "${ac_cv_type_struct_addrinfo+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -43386,50 +42129,47 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
+typedef struct addrinfo ac__type_new_;
 int
 main ()
 {
-if ((struct addrinfo *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (struct addrinfo))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_struct_addrinfo=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_struct_addrinfo=no
+	ac_cv_type_struct_addrinfo=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_struct_addrinfo" >&5
-echo "${ECHO_T}$ac_cv_type_struct_addrinfo" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_struct_addrinfo" >&5
+echo "${ECHO_T}$ac_cv_type_struct_addrinfo" >&6; }
 if test $ac_cv_type_struct_addrinfo = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -43450,9 +42190,9 @@ fi
 
 
 cv=`echo "struct ifaddrs" | sed 'y%./+- %__p__%'`
-echo "$as_me:$LINENO: checking for struct ifaddrs" >&5
-echo $ECHO_N "checking for struct ifaddrs... $ECHO_C" >&6
-if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for struct ifaddrs" >&5
+echo $ECHO_N "checking for struct ifaddrs... $ECHO_C" >&6; }
+if { as_var=ac_cv_type_$cv; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -43461,6 +42201,7 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
+
 #include <sys/types.h>
 #if STDC_HEADERS
 #include <stdlib.h>
@@ -43476,44 +42217,40 @@ struct ifaddrs foo;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_type_$cv=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_type_$cv=no"
+	eval "ac_cv_type_$cv=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 ac_foo=`eval echo \\$ac_cv_type_$cv`
-echo "$as_me:$LINENO: result: $ac_foo" >&5
-echo "${ECHO_T}$ac_foo" >&6
+{ echo "$as_me:$LINENO: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6; }
 if test "$ac_foo" = yes; then
   ac_tr_hdr=HAVE_`echo struct ifaddrs | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
 if false; then
-	echo "$as_me:$LINENO: checking for struct ifaddrs" >&5
-echo $ECHO_N "checking for struct ifaddrs... $ECHO_C" >&6
+	{ echo "$as_me:$LINENO: checking for struct ifaddrs" >&5
+echo $ECHO_N "checking for struct ifaddrs... $ECHO_C" >&6; }
 if test "${ac_cv_type_struct_ifaddrs+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -43524,50 +42261,47 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
+typedef struct ifaddrs ac__type_new_;
 int
 main ()
 {
-if ((struct ifaddrs *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (struct ifaddrs))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_struct_ifaddrs=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_struct_ifaddrs=no
+	ac_cv_type_struct_ifaddrs=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_struct_ifaddrs" >&5
-echo "${ECHO_T}$ac_cv_type_struct_ifaddrs" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_struct_ifaddrs" >&5
+echo "${ECHO_T}$ac_cv_type_struct_ifaddrs" >&6; }
 if test $ac_cv_type_struct_ifaddrs = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -43588,9 +42322,9 @@ fi
 
 
 cv=`echo "struct iovec" | sed 'y%./+- %__p__%'`
-echo "$as_me:$LINENO: checking for struct iovec" >&5
-echo $ECHO_N "checking for struct iovec... $ECHO_C" >&6
-if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for struct iovec" >&5
+echo $ECHO_N "checking for struct iovec... $ECHO_C" >&6; }
+if { as_var=ac_cv_type_$cv; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -43599,6 +42333,7 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
+
 #include <sys/types.h>
 #if STDC_HEADERS
 #include <stdlib.h>
@@ -43617,44 +42352,40 @@ struct iovec foo;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_type_$cv=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_type_$cv=no"
+	eval "ac_cv_type_$cv=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 ac_foo=`eval echo \\$ac_cv_type_$cv`
-echo "$as_me:$LINENO: result: $ac_foo" >&5
-echo "${ECHO_T}$ac_foo" >&6
+{ echo "$as_me:$LINENO: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6; }
 if test "$ac_foo" = yes; then
   ac_tr_hdr=HAVE_`echo struct iovec | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
 if false; then
-	echo "$as_me:$LINENO: checking for struct iovec" >&5
-echo $ECHO_N "checking for struct iovec... $ECHO_C" >&6
+	{ echo "$as_me:$LINENO: checking for struct iovec" >&5
+echo $ECHO_N "checking for struct iovec... $ECHO_C" >&6; }
 if test "${ac_cv_type_struct_iovec+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -43665,50 +42396,47 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
+typedef struct iovec ac__type_new_;
 int
 main ()
 {
-if ((struct iovec *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (struct iovec))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_struct_iovec=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_struct_iovec=no
+	ac_cv_type_struct_iovec=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_struct_iovec" >&5
-echo "${ECHO_T}$ac_cv_type_struct_iovec" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_struct_iovec" >&5
+echo "${ECHO_T}$ac_cv_type_struct_iovec" >&6; }
 if test $ac_cv_type_struct_iovec = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -43729,9 +42457,9 @@ fi
 
 
 cv=`echo "struct msghdr" | sed 'y%./+- %__p__%'`
-echo "$as_me:$LINENO: checking for struct msghdr" >&5
-echo $ECHO_N "checking for struct msghdr... $ECHO_C" >&6
-if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for struct msghdr" >&5
+echo $ECHO_N "checking for struct msghdr... $ECHO_C" >&6; }
+if { as_var=ac_cv_type_$cv; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -43740,6 +42468,7 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
+
 #include <sys/types.h>
 #if STDC_HEADERS
 #include <stdlib.h>
@@ -43758,44 +42487,40 @@ struct msghdr foo;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_type_$cv=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_type_$cv=no"
+	eval "ac_cv_type_$cv=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 ac_foo=`eval echo \\$ac_cv_type_$cv`
-echo "$as_me:$LINENO: result: $ac_foo" >&5
-echo "${ECHO_T}$ac_foo" >&6
+{ echo "$as_me:$LINENO: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6; }
 if test "$ac_foo" = yes; then
   ac_tr_hdr=HAVE_`echo struct msghdr | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
 if false; then
-	echo "$as_me:$LINENO: checking for struct msghdr" >&5
-echo $ECHO_N "checking for struct msghdr... $ECHO_C" >&6
+	{ echo "$as_me:$LINENO: checking for struct msghdr" >&5
+echo $ECHO_N "checking for struct msghdr... $ECHO_C" >&6; }
 if test "${ac_cv_type_struct_msghdr+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -43806,50 +42531,47 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
+typedef struct msghdr ac__type_new_;
 int
 main ()
 {
-if ((struct msghdr *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (struct msghdr))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_struct_msghdr=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_struct_msghdr=no
+	ac_cv_type_struct_msghdr=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_struct_msghdr" >&5
-echo "${ECHO_T}$ac_cv_type_struct_msghdr" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_struct_msghdr" >&5
+echo "${ECHO_T}$ac_cv_type_struct_msghdr" >&6; }
 if test $ac_cv_type_struct_msghdr = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -43870,8 +42592,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for struct winsize" >&5
-echo $ECHO_N "checking for struct winsize... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for struct winsize" >&5
+echo $ECHO_N "checking for struct winsize... $ECHO_C" >&6; }
 if test "${ac_cv_struct_winsize+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -43903,8 +42625,8 @@ cat >>confdefs.h <<\_ACEOF
 _ACEOF
 
 fi
-echo "$as_me:$LINENO: result: $ac_cv_struct_winsize" >&5
-echo "${ECHO_T}$ac_cv_struct_winsize" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_struct_winsize" >&5
+echo "${ECHO_T}$ac_cv_struct_winsize" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -43947,8 +42669,8 @@ rm -f conftest*
 
 
 
-echo "$as_me:$LINENO: checking for struct spwd" >&5
-echo $ECHO_N "checking for struct spwd... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for struct spwd" >&5
+echo $ECHO_N "checking for struct spwd... $ECHO_C" >&6; }
 if test "${ac_cv_struct_spwd+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -43959,6 +42681,7 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
+
 #include <pwd.h>
 #ifdef HAVE_SHADOW_H
 #include <shadow.h>
@@ -43972,40 +42695,36 @@ struct spwd foo;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_struct_spwd=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_struct_spwd=no
+	ac_cv_struct_spwd=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 fi
 
-echo "$as_me:$LINENO: result: $ac_cv_struct_spwd" >&5
-echo "${ECHO_T}$ac_cv_struct_spwd" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_struct_spwd" >&5
+echo "${ECHO_T}$ac_cv_struct_spwd" >&6; }
 
 if test "$ac_cv_struct_spwd" = "yes"; then
 
@@ -44016,18 +42735,49 @@ _ACEOF
 fi
 
 
+#
+# Check if we want samba's socket wrapper
+#
+
+
+
+# Check whether --enable-socket-wrapper was given.
+if test "${enable_socket_wrapper+set}" = set; then
+  enableval=$enable_socket_wrapper;
+fi
+
+
+ if test "x$enable_socket_wrapper" = xyes; then
+  have_socket_wrapper_TRUE=
+  have_socket_wrapper_FALSE='#'
+else
+  have_socket_wrapper_TRUE='#'
+  have_socket_wrapper_FALSE=
+fi
+
+if test "x$enable_socket_wrapper" = xyes ; then
+
+cat >>confdefs.h <<\_ACEOF
+#define SOCKET_WRAPPER_REPLACE 1
+_ACEOF
+
+fi
+
+
+
 
 LIB_roken="${LIB_roken} \$(LIB_crypt) \$(LIB_dbopen)"
 
 
+LIBADD_roken="$LIB_roken"
 LIB_roken="\$(top_builddir)/lib/vers/libvers.la $LIB_roken"
 
 
-# Check whether --enable-otp or --disable-otp was given.
+# Check whether --enable-otp was given.
 if test "${enable_otp+set}" = set; then
-  enableval="$enable_otp"
+  enableval=$enable_otp;
+fi
 
-fi;
 if test "$enable_otp" = yes -a "$db_type" = unknown; then
 	{ { echo "$as_me:$LINENO: error: OTP requires a NDBM/DB compatible library" >&5
 echo "$as_me: error: OTP requires a NDBM/DB compatible library" >&2;}
@@ -44049,13 +42799,11 @@ _ACEOF
 	LIB_otp='$(top_builddir)/lib/otp/libotp.la'
 
 fi
-echo "$as_me:$LINENO: checking whether to enable OTP library" >&5
-echo $ECHO_N "checking whether to enable OTP library... $ECHO_C" >&6
-echo "$as_me:$LINENO: result: $enable_otp" >&5
-echo "${ECHO_T}$enable_otp" >&6
-
-
-if test "$enable_otp" = yes; then
+{ echo "$as_me:$LINENO: checking whether to enable OTP library" >&5
+echo $ECHO_N "checking whether to enable OTP library... $ECHO_C" >&6; }
+{ echo "$as_me:$LINENO: result: $enable_otp" >&5
+echo "${ECHO_T}$enable_otp" >&6; }
+ if test "$enable_otp" = yes; then
   OTP_TRUE=
   OTP_FALSE='#'
 else
@@ -44065,11 +42813,11 @@ fi
 
 
 
-# Check whether --enable-osfc2 or --disable-osfc2 was given.
+# Check whether --enable-osfc2 was given.
 if test "${enable_osfc2+set}" = set; then
-  enableval="$enable_osfc2"
+  enableval=$enable_osfc2;
+fi
 
-fi;
 LIB_security=
 if test "$enable_osfc2" = yes; then
 
@@ -44082,11 +42830,11 @@ fi
 
 
 
-# Check whether --enable-mmap or --disable-mmap was given.
+# Check whether --enable-mmap was given.
 if test "${enable_mmap+set}" = set; then
-  enableval="$enable_mmap"
+  enableval=$enable_mmap;
+fi
 
-fi;
 if test "$enable_mmap" = "no"; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -44095,10 +42843,27 @@ _ACEOF
 
 fi
 
+# Check whether --enable-afs-string-to-key was given.
+if test "${enable_afs_string_to_key+set}" = set; then
+  enableval=$enable_afs_string_to_key;
+else
+  enable_afs_string_to_key=yes
+fi
+
+
+if test "$enable_afs_string_to_key" = "yes"; then
+
+cat >>confdefs.h <<\_ACEOF
+#define ENABLE_AFS_STRING_TO_KEY 1
+_ACEOF
+
+fi
+
+
 # Extract the first word of "nroff", so it can be a program name with args.
 set dummy nroff; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_path_NROFF+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -44113,31 +42878,32 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_path_NROFF="$as_dir/$ac_word$ac_exec_ext"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
   ;;
 esac
 fi
 NROFF=$ac_cv_path_NROFF
-
 if test -n "$NROFF"; then
-  echo "$as_me:$LINENO: result: $NROFF" >&5
-echo "${ECHO_T}$NROFF" >&6
+  { echo "$as_me:$LINENO: result: $NROFF" >&5
+echo "${ECHO_T}$NROFF" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
+
 # Extract the first word of "groff", so it can be a program name with args.
 set dummy groff; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_path_GROFF+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -44152,29 +42918,30 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_path_GROFF="$as_dir/$ac_word$ac_exec_ext"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
   ;;
 esac
 fi
 GROFF=$ac_cv_path_GROFF
-
 if test -n "$GROFF"; then
-  echo "$as_me:$LINENO: result: $GROFF" >&5
-echo "${ECHO_T}$GROFF" >&6
+  { echo "$as_me:$LINENO: result: $GROFF" >&5
+echo "${ECHO_T}$GROFF" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
-echo "$as_me:$LINENO: checking how to format man pages" >&5
-echo $ECHO_N "checking how to format man pages... $ECHO_C" >&6
+
+{ echo "$as_me:$LINENO: checking how to format man pages" >&5
+echo $ECHO_N "checking how to format man pages... $ECHO_C" >&6; }
 if test "${ac_cv_sys_man_format+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -44210,15 +42977,13 @@ if test "$ac_cv_sys_man_format"; then
 fi
 
 fi
-echo "$as_me:$LINENO: result: $ac_cv_sys_man_format" >&5
-echo "${ECHO_T}$ac_cv_sys_man_format" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_sys_man_format" >&5
+echo "${ECHO_T}$ac_cv_sys_man_format" >&6; }
 if test "$ac_cv_sys_man_format"; then
 	CATMAN="$ac_cv_sys_man_format"
 
 fi
-
-
-if test "$CATMAN"; then
+ if test "$CATMAN"; then
   CATMAN_TRUE=
   CATMAN_FALSE='#'
 else
@@ -44226,8 +42991,8 @@ else
   CATMAN_FALSE=
 fi
 
-echo "$as_me:$LINENO: checking extension of pre-formatted manual pages" >&5
-echo $ECHO_N "checking extension of pre-formatted manual pages... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking extension of pre-formatted manual pages" >&5
+echo $ECHO_N "checking extension of pre-formatted manual pages... $ECHO_C" >&6; }
 if test "${ac_cv_sys_catman_ext+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -44238,8 +43003,8 @@ else
 fi
 
 fi
-echo "$as_me:$LINENO: result: $ac_cv_sys_catman_ext" >&5
-echo "${ECHO_T}$ac_cv_sys_catman_ext" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_sys_catman_ext" >&5
+echo "${ECHO_T}$ac_cv_sys_catman_ext" >&6; }
 if test "$ac_cv_sys_catman_ext" = number; then
 	CATMANEXT='$$section'
 else
@@ -44250,46 +43015,46 @@ fi
 
 
 
-# Check whether --with-readline or --without-readline was given.
+# Check whether --with-readline was given.
 if test "${with_readline+set}" = set; then
-  withval="$with_readline"
+  withval=$with_readline;
+fi
 
-fi;
 
-# Check whether --with-readline-lib or --without-readline-lib was given.
+# Check whether --with-readline-lib was given.
 if test "${with_readline_lib+set}" = set; then
-  withval="$with_readline_lib"
-  if test "$withval" = "yes" -o "$withval" = "no"; then
+  withval=$with_readline_lib; if test "$withval" = "yes" -o "$withval" = "no"; then
   { { echo "$as_me:$LINENO: error: No argument for --with-readline-lib" >&5
 echo "$as_me: error: No argument for --with-readline-lib" >&2;}
    { (exit 1); exit 1; }; }
 elif test "X$with_readline" = "X"; then
   with_readline=yes
 fi
-fi;
+fi
+
 
-# Check whether --with-readline-include or --without-readline-include was given.
+# Check whether --with-readline-include was given.
 if test "${with_readline_include+set}" = set; then
-  withval="$with_readline_include"
-  if test "$withval" = "yes" -o "$withval" = "no"; then
+  withval=$with_readline_include; if test "$withval" = "yes" -o "$withval" = "no"; then
   { { echo "$as_me:$LINENO: error: No argument for --with-readline-include" >&5
 echo "$as_me: error: No argument for --with-readline-include" >&2;}
    { (exit 1); exit 1; }; }
 elif test "X$with_readline" = "X"; then
   with_readline=yes
 fi
-fi;
+fi
+
 
-# Check whether --with-readline-config or --without-readline-config was given.
+# Check whether --with-readline-config was given.
 if test "${with_readline_config+set}" = set; then
-  withval="$with_readline_config"
+  withval=$with_readline_config;
+fi
 
-fi;
 
 
 
-echo "$as_me:$LINENO: checking for readline" >&5
-echo $ECHO_N "checking for readline... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for readline" >&5
+echo $ECHO_N "checking for readline... $ECHO_C" >&6; }
 
 case "$with_readline" in
 yes|"") d='' ;;
@@ -44330,6 +43095,14 @@ readline_cflags=
 readline_libs=
 
 case "$with_readline_config" in
+yes|no|""|"")
+	if test -f $with_readline/bin/ ; then
+		with_readline_config=$with_readline/bin/
+	fi
+	;;
+esac
+
+case "$with_readline_config" in
 yes|no|"")
 	;;
 *)
@@ -44362,39 +43135,37 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
 
 			INCLUDE_readline="$readline_cflags"
 			LIB_readline="$readline_libs"
-			echo "$as_me:$LINENO: result: from $with_readline_config" >&5
-echo "${ECHO_T}from $with_readline_config" >&6
+			{ echo "$as_me:$LINENO: result: from $with_readline_config" >&5
+echo "${ECHO_T}from $with_readline_config" >&6; }
 			found=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	fi
 	if test "$found" = no; then
@@ -44418,34 +43189,31 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ires=$i;break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 		done
 		for i in $lib_dirs; do
 			LIBS="-L$i -lreadline  $save_LIBS"
@@ -44466,42 +43234,40 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   lres=$i;break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 		done
 		if test "$ires" -a "$lres" -a "$with_readline" != "no"; then
 			INCLUDE_readline="-I$ires"
 			LIB_readline="-L$lres -lreadline "
 			found=yes
-			echo "$as_me:$LINENO: result: headers $ires, libraries $lres" >&5
-echo "${ECHO_T}headers $ires, libraries $lres" >&6
+			{ echo "$as_me:$LINENO: result: headers $ires, libraries $lres" >&5
+echo "${ECHO_T}headers $ires, libraries $lres" >&6; }
 		fi
 	fi
 	CFLAGS="$save_CFLAGS"
@@ -44519,8 +43285,8 @@ else
 	with_readline=no
 	INCLUDE_readline=
 	LIB_readline=
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -44529,46 +43295,46 @@ fi
 
 
 
-# Check whether --with-hesiod or --without-hesiod was given.
+# Check whether --with-hesiod was given.
 if test "${with_hesiod+set}" = set; then
-  withval="$with_hesiod"
+  withval=$with_hesiod;
+fi
 
-fi;
 
-# Check whether --with-hesiod-lib or --without-hesiod-lib was given.
+# Check whether --with-hesiod-lib was given.
 if test "${with_hesiod_lib+set}" = set; then
-  withval="$with_hesiod_lib"
-  if test "$withval" = "yes" -o "$withval" = "no"; then
+  withval=$with_hesiod_lib; if test "$withval" = "yes" -o "$withval" = "no"; then
   { { echo "$as_me:$LINENO: error: No argument for --with-hesiod-lib" >&5
 echo "$as_me: error: No argument for --with-hesiod-lib" >&2;}
    { (exit 1); exit 1; }; }
 elif test "X$with_hesiod" = "X"; then
   with_hesiod=yes
 fi
-fi;
+fi
 
-# Check whether --with-hesiod-include or --without-hesiod-include was given.
+
+# Check whether --with-hesiod-include was given.
 if test "${with_hesiod_include+set}" = set; then
-  withval="$with_hesiod_include"
-  if test "$withval" = "yes" -o "$withval" = "no"; then
+  withval=$with_hesiod_include; if test "$withval" = "yes" -o "$withval" = "no"; then
   { { echo "$as_me:$LINENO: error: No argument for --with-hesiod-include" >&5
 echo "$as_me: error: No argument for --with-hesiod-include" >&2;}
    { (exit 1); exit 1; }; }
 elif test "X$with_hesiod" = "X"; then
   with_hesiod=yes
 fi
-fi;
+fi
+
 
-# Check whether --with-hesiod-config or --without-hesiod-config was given.
+# Check whether --with-hesiod-config was given.
 if test "${with_hesiod_config+set}" = set; then
-  withval="$with_hesiod_config"
+  withval=$with_hesiod_config;
+fi
 
-fi;
 
 
 
-echo "$as_me:$LINENO: checking for hesiod" >&5
-echo $ECHO_N "checking for hesiod... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for hesiod" >&5
+echo $ECHO_N "checking for hesiod... $ECHO_C" >&6; }
 
 case "$with_hesiod" in
 yes|"") d='' ;;
@@ -44609,6 +43375,14 @@ hesiod_cflags=
 hesiod_libs=
 
 case "$with_hesiod_config" in
+yes|no|""|"")
+	if test -f $with_hesiod/bin/ ; then
+		with_hesiod_config=$with_hesiod/bin/
+	fi
+	;;
+esac
+
+case "$with_hesiod_config" in
 yes|no|"")
 	;;
 *)
@@ -44640,39 +43414,37 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
 
 			INCLUDE_hesiod="$hesiod_cflags"
 			LIB_hesiod="$hesiod_libs"
-			echo "$as_me:$LINENO: result: from $with_hesiod_config" >&5
-echo "${ECHO_T}from $with_hesiod_config" >&6
+			{ echo "$as_me:$LINENO: result: from $with_hesiod_config" >&5
+echo "${ECHO_T}from $with_hesiod_config" >&6; }
 			found=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	fi
 	if test "$found" = no; then
@@ -44695,34 +43467,31 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ires=$i;break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 		done
 		for i in $lib_dirs; do
 			LIBS="-L$i -lhesiod  $save_LIBS"
@@ -44742,42 +43511,40 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   lres=$i;break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 		done
 		if test "$ires" -a "$lres" -a "$with_hesiod" != "no"; then
 			INCLUDE_hesiod="-I$ires"
 			LIB_hesiod="-L$lres -lhesiod "
 			found=yes
-			echo "$as_me:$LINENO: result: headers $ires, libraries $lres" >&5
-echo "${ECHO_T}headers $ires, libraries $lres" >&6
+			{ echo "$as_me:$LINENO: result: headers $ires, libraries $lres" >&5
+echo "${ECHO_T}headers $ires, libraries $lres" >&6; }
 		fi
 	fi
 	CFLAGS="$save_CFLAGS"
@@ -44795,8 +43562,8 @@ else
 	with_hesiod=no
 	INCLUDE_hesiod=
 	LIB_hesiod=
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -44804,18 +43571,18 @@ fi
 
 
 
-# Check whether --enable-bigendian or --disable-bigendian was given.
+# Check whether --enable-bigendian was given.
 if test "${enable_bigendian+set}" = set; then
-  enableval="$enable_bigendian"
-  krb_cv_c_bigendian=yes
-fi;
-# Check whether --enable-littleendian or --disable-littleendian was given.
+  enableval=$enable_bigendian; krb_cv_c_bigendian=yes
+fi
+
+# Check whether --enable-littleendian was given.
 if test "${enable_littleendian+set}" = set; then
-  enableval="$enable_littleendian"
-  krb_cv_c_bigendian=no
-fi;
-echo "$as_me:$LINENO: checking whether byte order is known at compile time" >&5
-echo $ECHO_N "checking whether byte order is known at compile time... $ECHO_C" >&6
+  enableval=$enable_littleendian; krb_cv_c_bigendian=no
+fi
+
+{ echo "$as_me:$LINENO: checking whether byte order is known at compile time" >&5
+echo $ECHO_N "checking whether byte order is known at compile time... $ECHO_C" >&6; }
 if test "${krb_cv_c_bigendian_compile+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -44828,52 +43595,41 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #include <sys/types.h>
 #include <sys/param.h>
-int
-main ()
-{
-
 #if !BYTE_ORDER || !BIG_ENDIAN || !LITTLE_ENDIAN
  bogus endian macros
 #endif
-  ;
-  return 0;
-}
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   krb_cv_c_bigendian_compile=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-krb_cv_c_bigendian_compile=no
+	krb_cv_c_bigendian_compile=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $krb_cv_c_bigendian_compile" >&5
-echo "${ECHO_T}$krb_cv_c_bigendian_compile" >&6
-echo "$as_me:$LINENO: checking whether byte ordering is bigendian" >&5
-echo $ECHO_N "checking whether byte ordering is bigendian... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: result: $krb_cv_c_bigendian_compile" >&5
+echo "${ECHO_T}$krb_cv_c_bigendian_compile" >&6; }
+{ echo "$as_me:$LINENO: checking whether byte ordering is bigendian" >&5
+echo $ECHO_N "checking whether byte ordering is bigendian... $ECHO_C" >&6; }
 if test "${krb_cv_c_bigendian+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -44888,47 +43644,36 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #include <sys/types.h>
 #include <sys/param.h>
-int
-main ()
-{
-
 #if BYTE_ORDER != BIG_ENDIAN
   not big endian
 #endif
-  ;
-  return 0;
-}
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   krb_cv_c_bigendian=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-krb_cv_c_bigendian=no
+	krb_cv_c_bigendian=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
   else
     if test "$cross_compiling" = yes; then
   { { echo "$as_me:$LINENO: error: specify either --enable-bigendian or --enable-littleendian" >&5
@@ -44941,7 +43686,7 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-main () {
+main (int argc, char **argv) {
       /* Are we little or big endian?  From Harbison&Steele.  */
       union
       {
@@ -44953,13 +43698,22 @@ main () {
   }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
@@ -44972,13 +43726,15 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ( exit $ac_status )
 krb_cv_c_bigendian=yes
 fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
+
+
   fi
 
 fi
-echo "$as_me:$LINENO: result: $krb_cv_c_bigendian" >&5
-echo "${ECHO_T}$krb_cv_c_bigendian" >&6
+{ echo "$as_me:$LINENO: result: $krb_cv_c_bigendian" >&5
+echo "${ECHO_T}$krb_cv_c_bigendian" >&6; }
 if test "$krb_cv_c_bigendian" = "yes"; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -44994,8 +43750,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for inline" >&5
-echo $ECHO_N "checking for inline... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for inline" >&5
+echo $ECHO_N "checking for inline... $ECHO_C" >&6; }
 if test "${ac_cv_c_inline+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -45015,39 +43771,37 @@ $ac_kw foo_t foo () {return 0; }
 
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_c_inline=$ac_kw; break
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_c_inline=$ac_kw
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  test "$ac_cv_c_inline" != no && break
 done
 
 fi
-echo "$as_me:$LINENO: result: $ac_cv_c_inline" >&5
-echo "${ECHO_T}$ac_cv_c_inline" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_c_inline" >&5
+echo "${ECHO_T}$ac_cv_c_inline" >&6; }
 
 
 case $ac_cv_c_inline in
@@ -45070,8 +43824,8 @@ esac
 
 
 
-echo "$as_me:$LINENO: checking for dlopen" >&5
-echo $ECHO_N "checking for dlopen... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for dlopen" >&5
+echo $ECHO_N "checking for dlopen... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_dlopen+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -45094,43 +43848,44 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
+#ifdef HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
 int
 main ()
 {
-dlopen()
+dlopen(0,0)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_dlopen=$ac_lib; else ac_cv_funclib_dlopen=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_dlopen=\${ac_cv_funclib_dlopen-no}"
@@ -45147,9 +43902,9 @@ if false; then
 for ac_func in dlopen
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -45175,68 +43930,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -45259,14 +44006,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_dlopen=no"
 	eval "LIB_dlopen="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_dlopen=yes"
@@ -45279,15 +44026,13 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
 
-
-
-if test "$ac_cv_funclib_dlopen" != no; then
+	 if test "$ac_cv_funclib_dlopen" != no; then
   HAVE_DLOPEN_TRUE=
   HAVE_DLOPEN_FALSE='#'
 else
@@ -45308,18 +44053,14 @@ case "$host" in
 	;;
 esac
 
-
-
-if test "$aix" != no; then
+ if test "$aix" != no; then
   AIX_TRUE=
   AIX_FALSE='#'
 else
   AIX_TRUE='#'
   AIX_FALSE=
 fi
-
-
-if test "$aix" = 4; then
+ if test "$aix" = 4; then
   AIX4_TRUE=
   AIX4_FALSE='#'
 else
@@ -45329,11 +44070,11 @@ fi
 
 
 
-# Check whether --enable-dynamic-afs or --disable-dynamic-afs was given.
+# Check whether --enable-dynamic-afs was given.
 if test "${enable_dynamic_afs+set}" = set; then
-  enableval="$enable_dynamic_afs"
+  enableval=$enable_dynamic_afs;
+fi
 
-fi;
 
 if test "$aix" != no; then
 	if test "$enable_dynamic_afs" != no; then
@@ -45342,8 +44083,8 @@ if test "$aix" != no; then
 
 
 
-echo "$as_me:$LINENO: checking for loadquery" >&5
-echo $ECHO_N "checking for loadquery... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for loadquery" >&5
+echo $ECHO_N "checking for loadquery... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_loadquery+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -45375,34 +44116,32 @@ loadquery()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_loadquery=$ac_lib; else ac_cv_funclib_loadquery=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_loadquery=\${ac_cv_funclib_loadquery-no}"
@@ -45419,9 +44158,9 @@ if false; then
 for ac_func in loadquery
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -45447,68 +44186,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -45531,14 +44262,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_loadquery=no"
 	eval "LIB_loadquery="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_loadquery=yes"
@@ -45551,8 +44282,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -45573,9 +44304,7 @@ echo "$as_me: not using dynloaded AFS library" >&6;}
 	fi
 fi
 
-
-
-if test "$enable_dynamic_afs" != no; then
+ if test "$enable_dynamic_afs" != no; then
   AIX_DYNAMIC_AFS_TRUE=
   AIX_DYNAMIC_AFS_FALSE='#'
 else
@@ -45602,9 +44331,7 @@ _ACEOF
 	irix=yes
 	;;
 esac
-
-
-if test "$irix" != no; then
+ if test "$irix" != no; then
   IRIX_TRUE=
   IRIX_FALSE='#'
 else
@@ -45624,7 +44351,7 @@ case "$host" in
 *-*-solaris2.7)
 	sunos=57
 	;;
-*-*-solaris2.[89])
+*-*-solaris2.[89] | *-*-solaris2.10)
 	sunos=58
 	;;
 *-*-solaris2*)
@@ -45640,44 +44367,49 @@ _ACEOF
 fi
 
 
-echo "$as_me:$LINENO: checking for X" >&5
-echo $ECHO_N "checking for X... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for X" >&5
+echo $ECHO_N "checking for X... $ECHO_C" >&6; }
 
 
-# Check whether --with-x or --without-x was given.
+# Check whether --with-x was given.
 if test "${with_x+set}" = set; then
-  withval="$with_x"
+  withval=$with_x;
+fi
 
-fi;
 # $have_x is `yes', `no', `disabled', or empty when we do not yet know.
 if test "x$with_x" = xno; then
   # The user explicitly disabled X.
   have_x=disabled
 else
-  if test "x$x_includes" != xNONE && test "x$x_libraries" != xNONE; then
-    # Both variables are already set.
-    have_x=yes
-  else
-    if test "${ac_cv_have_x+set}" = set; then
+  case $x_includes,$x_libraries in #(
+    *\'*) { { echo "$as_me:$LINENO: error: Cannot use X directory names containing '" >&5
+echo "$as_me: error: Cannot use X directory names containing '" >&2;}
+   { (exit 1); exit 1; }; };; #(
+    *,NONE | NONE,*) if test "${ac_cv_have_x+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   # One or both of the vars are not set, and there is no cached value.
 ac_x_includes=no ac_x_libraries=no
-rm -fr conftest.dir
+rm -f -r conftest.dir
 if mkdir conftest.dir; then
   cd conftest.dir
-  # Make sure to not put "make" in the Imakefile rules, since we grep it out.
   cat >Imakefile <<'_ACEOF'
-acfindx:
-	@echo 'ac_im_incroot="${INCROOT}"; ac_im_usrlibdir="${USRLIBDIR}"; ac_im_libdir="${LIBDIR}"'
-_ACEOF
-  if (xmkmf) >/dev/null 2>/dev/null && test -f Makefile; then
+incroot:
+	@echo incroot='${INCROOT}'
+usrlibdir:
+	@echo usrlibdir='${USRLIBDIR}'
+libdir:
+	@echo libdir='${LIBDIR}'
+_ACEOF
+  if (export CC; ${XMKMF-xmkmf}) >/dev/null 2>/dev/null && test -f Makefile; then
     # GNU make sometimes prints "make[1]: Entering...", which would confuse us.
-    eval `${MAKE-make} acfindx 2>/dev/null | grep -v make`
+    for ac_var in incroot usrlibdir libdir; do
+      eval "ac_im_$ac_var=\`\${MAKE-make} $ac_var 2>/dev/null | sed -n 's/^$ac_var=//p'\`"
+    done
     # Open Windows xmkmf reportedly sets LIBDIR instead of USRLIBDIR.
     for ac_extension in a so sl; do
-      if test ! -f $ac_im_usrlibdir/libX11.$ac_extension &&
-	 test -f $ac_im_libdir/libX11.$ac_extension; then
+      if test ! -f "$ac_im_usrlibdir/libX11.$ac_extension" &&
+	 test -f "$ac_im_libdir/libX11.$ac_extension"; then
 	ac_im_usrlibdir=$ac_im_libdir; break
       fi
     done
@@ -45685,7 +44417,7 @@ _ACEOF
     # bogus both because they are the default anyway, and because
     # using them would break gcc on systems where it needs fixed includes.
     case $ac_im_incroot in
-	/usr/include) ;;
+	/usr/include) ac_x_includes= ;;
 	*) test -f "$ac_im_incroot/X11/Xos.h" && ac_x_includes=$ac_im_incroot;;
     esac
     case $ac_im_usrlibdir in
@@ -45694,7 +44426,7 @@ _ACEOF
     esac
   fi
   cd ..
-  rm -fr conftest.dir
+  rm -f -r conftest.dir
 fi
 
 # Standard set of common directories for X headers.
@@ -45735,7 +44467,7 @@ ac_x_header_dirs='
 /usr/openwin/share/include'
 
 if test "$ac_x_includes" = no; then
-  # Guess where to find include files, by looking for Intrinsic.h.
+  # Guess where to find include files, by looking for Xlib.h.
   # First, try using that file with no special directory specified.
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -45743,26 +44475,24 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-#include <X11/Intrinsic.h>
+#include <X11/Xlib.h>
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   # We can compile using X headers with no special include directory.
 ac_x_includes=
 else
@@ -45770,12 +44500,13 @@ else
 sed 's/^/| /' conftest.$ac_ext >&5
 
   for ac_dir in $ac_x_header_dirs; do
-  if test -r "$ac_dir/X11/Intrinsic.h"; then
+  if test -r "$ac_dir/X11/Xlib.h"; then
     ac_x_includes=$ac_dir
     break
   fi
 done
 fi
+
 rm -f conftest.err conftest.$ac_ext
 fi # $ac_x_includes = no
 
@@ -45784,44 +44515,40 @@ if test "$ac_x_libraries" = no; then
   # See if we find them without any special options.
   # Don't add to $LIBS permanently.
   ac_save_LIBS=$LIBS
-  LIBS="-lXt $LIBS"
+  LIBS="-lX11 $LIBS"
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-#include <X11/Intrinsic.h>
+#include <X11/Xlib.h>
 int
 main ()
 {
-XtMalloc (0)
+XrmInitialize ()
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   LIBS=$ac_save_LIBS
 # We can link X programs with no special library path.
 ac_x_libraries=
@@ -45829,49 +44556,54 @@ else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-LIBS=$ac_save_LIBS
+	LIBS=$ac_save_LIBS
 for ac_dir in `echo "$ac_x_includes $ac_x_header_dirs" | sed s/include/lib/g`
 do
   # Don't even attempt the hair of trying to link an X program!
   for ac_extension in a so sl; do
-    if test -r $ac_dir/libXt.$ac_extension; then
+    if test -r "$ac_dir/libX11.$ac_extension"; then
       ac_x_libraries=$ac_dir
       break 2
     fi
   done
 done
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi # $ac_x_libraries = no
 
-if test "$ac_x_includes" = no || test "$ac_x_libraries" = no; then
-  # Didn't find X anywhere.  Cache the known absence of X.
-  ac_cv_have_x="have_x=no"
-else
-  # Record where we found X for the cache.
-  ac_cv_have_x="have_x=yes \
-		ac_x_includes=$ac_x_includes ac_x_libraries=$ac_x_libraries"
-fi
+case $ac_x_includes,$ac_x_libraries in #(
+  no,* | *,no | *\'*)
+    # Didn't find X, or a directory has "'" in its name.
+    ac_cv_have_x="have_x=no";; #(
+  *)
+    # Record where we found X for the cache.
+    ac_cv_have_x="have_x=yes\
+	ac_x_includes='$ac_x_includes'\
+	ac_x_libraries='$ac_x_libraries'"
+esac
 fi
-
-  fi
+;; #(
+    *) have_x=yes;;
+  esac
   eval "$ac_cv_have_x"
 fi # $with_x != no
 
 if test "$have_x" != yes; then
-  echo "$as_me:$LINENO: result: $have_x" >&5
-echo "${ECHO_T}$have_x" >&6
+  { echo "$as_me:$LINENO: result: $have_x" >&5
+echo "${ECHO_T}$have_x" >&6; }
   no_x=yes
 else
   # If each of the values was on the command line, it overrides each guess.
   test "x$x_includes" = xNONE && x_includes=$ac_x_includes
   test "x$x_libraries" = xNONE && x_libraries=$ac_x_libraries
   # Update the cache value to reflect the command line values.
-  ac_cv_have_x="have_x=yes \
-		ac_x_includes=$x_includes ac_x_libraries=$x_libraries"
-  echo "$as_me:$LINENO: result: libraries $x_libraries, headers $x_includes" >&5
-echo "${ECHO_T}libraries $x_libraries, headers $x_includes" >&6
+  ac_cv_have_x="have_x=yes\
+	ac_x_includes='$x_includes'\
+	ac_x_libraries='$x_libraries'"
+  { echo "$as_me:$LINENO: result: libraries $x_libraries, headers $x_includes" >&5
+echo "${ECHO_T}libraries $x_libraries, headers $x_includes" >&6; }
 fi
 
 
@@ -45893,12 +44625,12 @@ else
     X_LIBS="$X_LIBS -L$x_libraries"
     # For Solaris; some versions of Sun CC require a space after -R and
     # others require no space.  Words are not sufficient . . . .
-    case `(uname -sr) 2>/dev/null` in
-    "SunOS 5"*)
-      echo "$as_me:$LINENO: checking whether -R must be followed by a space" >&5
-echo $ECHO_N "checking whether -R must be followed by a space... $ECHO_C" >&6
-      ac_xsave_LIBS=$LIBS; LIBS="$LIBS -R$x_libraries"
-      cat >conftest.$ac_ext <<_ACEOF
+    { echo "$as_me:$LINENO: checking whether -R must be followed by a space" >&5
+echo $ECHO_N "checking whether -R must be followed by a space... $ECHO_C" >&6; }
+    ac_xsave_LIBS=$LIBS; LIBS="$LIBS -R$x_libraries"
+    ac_xsave_c_werror_flag=$ac_c_werror_flag
+    ac_c_werror_flag=yes
+    cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
@@ -45914,43 +44646,32 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_R_nospace=yes
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+       X_LIBS="$X_LIBS -R$x_libraries"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_R_nospace=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-      if test $ac_R_nospace = yes; then
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-	X_LIBS="$X_LIBS -R$x_libraries"
-      else
 	LIBS="$ac_xsave_LIBS -R $x_libraries"
-	cat >conftest.$ac_ext <<_ACEOF
+       cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
@@ -45966,47 +44687,42 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_R_space=yes
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+	  X_LIBS="$X_LIBS -R $x_libraries"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_R_space=no
+	{ echo "$as_me:$LINENO: result: neither works" >&5
+echo "${ECHO_T}neither works" >&6; }
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
-	if test $ac_R_space = yes; then
-	  echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-	  X_LIBS="$X_LIBS -R $x_libraries"
-	else
-	  echo "$as_me:$LINENO: result: neither works" >&5
-echo "${ECHO_T}neither works" >&6
-	fi
-      fi
-      LIBS=$ac_xsave_LIBS
-    esac
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+    ac_c_werror_flag=$ac_xsave_c_werror_flag
+    LIBS=$ac_xsave_LIBS
   fi
 
   # Check for system-dependent libraries X programs must link with.
@@ -46027,50 +44743,46 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char XOpenDisplay ();
 int
 main ()
 {
-XOpenDisplay ();
+return XOpenDisplay ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   :
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-echo "$as_me:$LINENO: checking for dnet_ntoa in -ldnet" >&5
-echo $ECHO_N "checking for dnet_ntoa in -ldnet... $ECHO_C" >&6
+	{ echo "$as_me:$LINENO: checking for dnet_ntoa in -ldnet" >&5
+echo $ECHO_N "checking for dnet_ntoa in -ldnet... $ECHO_C" >&6; }
 if test "${ac_cv_lib_dnet_dnet_ntoa+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -46083,63 +44795,60 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char dnet_ntoa ();
 int
 main ()
 {
-dnet_ntoa ();
+return dnet_ntoa ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_dnet_dnet_ntoa=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_lib_dnet_dnet_ntoa=no
+	ac_cv_lib_dnet_dnet_ntoa=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dnet_dnet_ntoa" >&5
-echo "${ECHO_T}$ac_cv_lib_dnet_dnet_ntoa" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_dnet_dnet_ntoa" >&5
+echo "${ECHO_T}$ac_cv_lib_dnet_dnet_ntoa" >&6; }
 if test $ac_cv_lib_dnet_dnet_ntoa = yes; then
   X_EXTRA_LIBS="$X_EXTRA_LIBS -ldnet"
 fi
 
     if test $ac_cv_lib_dnet_dnet_ntoa = no; then
-      echo "$as_me:$LINENO: checking for dnet_ntoa in -ldnet_stub" >&5
-echo $ECHO_N "checking for dnet_ntoa in -ldnet_stub... $ECHO_C" >&6
+      { echo "$as_me:$LINENO: checking for dnet_ntoa in -ldnet_stub" >&5
+echo $ECHO_N "checking for dnet_ntoa in -ldnet_stub... $ECHO_C" >&6; }
 if test "${ac_cv_lib_dnet_stub_dnet_ntoa+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -46152,63 +44861,61 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char dnet_ntoa ();
 int
 main ()
 {
-dnet_ntoa ();
+return dnet_ntoa ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_dnet_stub_dnet_ntoa=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_lib_dnet_stub_dnet_ntoa=no
+	ac_cv_lib_dnet_stub_dnet_ntoa=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dnet_stub_dnet_ntoa" >&5
-echo "${ECHO_T}$ac_cv_lib_dnet_stub_dnet_ntoa" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_dnet_stub_dnet_ntoa" >&5
+echo "${ECHO_T}$ac_cv_lib_dnet_stub_dnet_ntoa" >&6; }
 if test $ac_cv_lib_dnet_stub_dnet_ntoa = yes; then
   X_EXTRA_LIBS="$X_EXTRA_LIBS -ldnet_stub"
 fi
 
     fi
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
     LIBS="$ac_xsave_LIBS"
 
@@ -46220,8 +44927,8 @@ rm -f conftest.err conftest.$ac_objext \
     # on Irix 5.2, according to T.E. Dickey.
     # The functions gethostbyname, getservbyname, and inet_addr are
     # in -lbsd on LynxOS 3.0.1/i386, according to Lars Hecking.
-    echo "$as_me:$LINENO: checking for gethostbyname" >&5
-echo $ECHO_N "checking for gethostbyname... $ECHO_C" >&6
+    { echo "$as_me:$LINENO: checking for gethostbyname" >&5
+echo $ECHO_N "checking for gethostbyname... $ECHO_C" >&6; }
 if test "${ac_cv_func_gethostbyname+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -46248,72 +44955,63 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef gethostbyname
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char gethostbyname ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_gethostbyname) || defined (__stub___gethostbyname)
+#if defined __stub_gethostbyname || defined __stub___gethostbyname
 choke me
-#else
-char (*f) () = gethostbyname;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != gethostbyname;
+return gethostbyname ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_gethostbyname=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_gethostbyname=no
+	ac_cv_func_gethostbyname=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_gethostbyname" >&5
-echo "${ECHO_T}$ac_cv_func_gethostbyname" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_gethostbyname" >&5
+echo "${ECHO_T}$ac_cv_func_gethostbyname" >&6; }
 
     if test $ac_cv_func_gethostbyname = no; then
-      echo "$as_me:$LINENO: checking for gethostbyname in -lnsl" >&5
-echo $ECHO_N "checking for gethostbyname in -lnsl... $ECHO_C" >&6
+      { echo "$as_me:$LINENO: checking for gethostbyname in -lnsl" >&5
+echo $ECHO_N "checking for gethostbyname in -lnsl... $ECHO_C" >&6; }
 if test "${ac_cv_lib_nsl_gethostbyname+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -46326,63 +45024,60 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char gethostbyname ();
 int
 main ()
 {
-gethostbyname ();
+return gethostbyname ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_nsl_gethostbyname=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_lib_nsl_gethostbyname=no
+	ac_cv_lib_nsl_gethostbyname=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_nsl_gethostbyname" >&5
-echo "${ECHO_T}$ac_cv_lib_nsl_gethostbyname" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_nsl_gethostbyname" >&5
+echo "${ECHO_T}$ac_cv_lib_nsl_gethostbyname" >&6; }
 if test $ac_cv_lib_nsl_gethostbyname = yes; then
   X_EXTRA_LIBS="$X_EXTRA_LIBS -lnsl"
 fi
 
       if test $ac_cv_lib_nsl_gethostbyname = no; then
-	echo "$as_me:$LINENO: checking for gethostbyname in -lbsd" >&5
-echo $ECHO_N "checking for gethostbyname in -lbsd... $ECHO_C" >&6
+	{ echo "$as_me:$LINENO: checking for gethostbyname in -lbsd" >&5
+echo $ECHO_N "checking for gethostbyname in -lbsd... $ECHO_C" >&6; }
 if test "${ac_cv_lib_bsd_gethostbyname+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -46395,56 +45090,53 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char gethostbyname ();
 int
 main ()
 {
-gethostbyname ();
+return gethostbyname ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_bsd_gethostbyname=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_lib_bsd_gethostbyname=no
+	ac_cv_lib_bsd_gethostbyname=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_bsd_gethostbyname" >&5
-echo "${ECHO_T}$ac_cv_lib_bsd_gethostbyname" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_bsd_gethostbyname" >&5
+echo "${ECHO_T}$ac_cv_lib_bsd_gethostbyname" >&6; }
 if test $ac_cv_lib_bsd_gethostbyname = yes; then
   X_EXTRA_LIBS="$X_EXTRA_LIBS -lbsd"
 fi
@@ -46459,8 +45151,8 @@ fi
     # variants that don't use the name server (or something).  -lsocket
     # must be given before -lnsl if both are needed.  We assume that
     # if connect needs -lnsl, so does gethostbyname.
-    echo "$as_me:$LINENO: checking for connect" >&5
-echo $ECHO_N "checking for connect... $ECHO_C" >&6
+    { echo "$as_me:$LINENO: checking for connect" >&5
+echo $ECHO_N "checking for connect... $ECHO_C" >&6; }
 if test "${ac_cv_func_connect+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -46487,72 +45179,63 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef connect
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char connect ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_connect) || defined (__stub___connect)
+#if defined __stub_connect || defined __stub___connect
 choke me
-#else
-char (*f) () = connect;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != connect;
+return connect ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_connect=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_connect=no
+	ac_cv_func_connect=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_connect" >&5
-echo "${ECHO_T}$ac_cv_func_connect" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_connect" >&5
+echo "${ECHO_T}$ac_cv_func_connect" >&6; }
 
     if test $ac_cv_func_connect = no; then
-      echo "$as_me:$LINENO: checking for connect in -lsocket" >&5
-echo $ECHO_N "checking for connect in -lsocket... $ECHO_C" >&6
+      { echo "$as_me:$LINENO: checking for connect in -lsocket" >&5
+echo $ECHO_N "checking for connect in -lsocket... $ECHO_C" >&6; }
 if test "${ac_cv_lib_socket_connect+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -46565,56 +45248,53 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char connect ();
 int
 main ()
 {
-connect ();
+return connect ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_socket_connect=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_lib_socket_connect=no
+	ac_cv_lib_socket_connect=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_socket_connect" >&5
-echo "${ECHO_T}$ac_cv_lib_socket_connect" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_socket_connect" >&5
+echo "${ECHO_T}$ac_cv_lib_socket_connect" >&6; }
 if test $ac_cv_lib_socket_connect = yes; then
   X_EXTRA_LIBS="-lsocket $X_EXTRA_LIBS"
 fi
@@ -46622,8 +45302,8 @@ fi
     fi
 
     # Guillermo Gomez says -lposix is necessary on A/UX.
-    echo "$as_me:$LINENO: checking for remove" >&5
-echo $ECHO_N "checking for remove... $ECHO_C" >&6
+    { echo "$as_me:$LINENO: checking for remove" >&5
+echo $ECHO_N "checking for remove... $ECHO_C" >&6; }
 if test "${ac_cv_func_remove+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -46650,72 +45330,63 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef remove
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char remove ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_remove) || defined (__stub___remove)
+#if defined __stub_remove || defined __stub___remove
 choke me
-#else
-char (*f) () = remove;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != remove;
+return remove ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_remove=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_remove=no
+	ac_cv_func_remove=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_remove" >&5
-echo "${ECHO_T}$ac_cv_func_remove" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_remove" >&5
+echo "${ECHO_T}$ac_cv_func_remove" >&6; }
 
     if test $ac_cv_func_remove = no; then
-      echo "$as_me:$LINENO: checking for remove in -lposix" >&5
-echo $ECHO_N "checking for remove in -lposix... $ECHO_C" >&6
+      { echo "$as_me:$LINENO: checking for remove in -lposix" >&5
+echo $ECHO_N "checking for remove in -lposix... $ECHO_C" >&6; }
 if test "${ac_cv_lib_posix_remove+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -46728,56 +45399,53 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char remove ();
 int
 main ()
 {
-remove ();
+return remove ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_posix_remove=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_lib_posix_remove=no
+	ac_cv_lib_posix_remove=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_posix_remove" >&5
-echo "${ECHO_T}$ac_cv_lib_posix_remove" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_posix_remove" >&5
+echo "${ECHO_T}$ac_cv_lib_posix_remove" >&6; }
 if test $ac_cv_lib_posix_remove = yes; then
   X_EXTRA_LIBS="$X_EXTRA_LIBS -lposix"
 fi
@@ -46785,8 +45453,8 @@ fi
     fi
 
     # BSDI BSD/OS 2.1 needs -lipc for XOpenDisplay.
-    echo "$as_me:$LINENO: checking for shmat" >&5
-echo $ECHO_N "checking for shmat... $ECHO_C" >&6
+    { echo "$as_me:$LINENO: checking for shmat" >&5
+echo $ECHO_N "checking for shmat... $ECHO_C" >&6; }
 if test "${ac_cv_func_shmat+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -46813,72 +45481,63 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef shmat
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char shmat ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_shmat) || defined (__stub___shmat)
+#if defined __stub_shmat || defined __stub___shmat
 choke me
-#else
-char (*f) () = shmat;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != shmat;
+return shmat ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_shmat=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_shmat=no
+	ac_cv_func_shmat=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_shmat" >&5
-echo "${ECHO_T}$ac_cv_func_shmat" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_shmat" >&5
+echo "${ECHO_T}$ac_cv_func_shmat" >&6; }
 
     if test $ac_cv_func_shmat = no; then
-      echo "$as_me:$LINENO: checking for shmat in -lipc" >&5
-echo $ECHO_N "checking for shmat in -lipc... $ECHO_C" >&6
+      { echo "$as_me:$LINENO: checking for shmat in -lipc" >&5
+echo $ECHO_N "checking for shmat in -lipc... $ECHO_C" >&6; }
 if test "${ac_cv_lib_ipc_shmat+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -46891,56 +45550,53 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char shmat ();
 int
 main ()
 {
-shmat ();
+return shmat ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_ipc_shmat=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_lib_ipc_shmat=no
+	ac_cv_lib_ipc_shmat=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_ipc_shmat" >&5
-echo "${ECHO_T}$ac_cv_lib_ipc_shmat" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_ipc_shmat" >&5
+echo "${ECHO_T}$ac_cv_lib_ipc_shmat" >&6; }
 if test $ac_cv_lib_ipc_shmat = yes; then
   X_EXTRA_LIBS="$X_EXTRA_LIBS -lipc"
 fi
@@ -46957,8 +45613,8 @@ fi
   # These have to be linked with before -lX11, unlike the other
   # libraries we check for below, so use a different variable.
   # John Interrante, Karl Berry
-  echo "$as_me:$LINENO: checking for IceConnectionNumber in -lICE" >&5
-echo $ECHO_N "checking for IceConnectionNumber in -lICE... $ECHO_C" >&6
+  { echo "$as_me:$LINENO: checking for IceConnectionNumber in -lICE" >&5
+echo $ECHO_N "checking for IceConnectionNumber in -lICE... $ECHO_C" >&6; }
 if test "${ac_cv_lib_ICE_IceConnectionNumber+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -46971,56 +45627,53 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char IceConnectionNumber ();
 int
 main ()
 {
-IceConnectionNumber ();
+return IceConnectionNumber ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_ICE_IceConnectionNumber=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_lib_ICE_IceConnectionNumber=no
+	ac_cv_lib_ICE_IceConnectionNumber=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_ICE_IceConnectionNumber" >&5
-echo "${ECHO_T}$ac_cv_lib_ICE_IceConnectionNumber" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_ICE_IceConnectionNumber" >&5
+echo "${ECHO_T}$ac_cv_lib_ICE_IceConnectionNumber" >&6; }
 if test $ac_cv_lib_ICE_IceConnectionNumber = yes; then
   X_PRE_LIBS="$X_PRE_LIBS -lSM -lICE"
 fi
@@ -47033,8 +45686,8 @@ fi
 # try to figure out if we need any additional ld flags, like -R
 # and yes, the autoconf X test is utterly broken
 if test "$no_x" != yes; then
-	echo "$as_me:$LINENO: checking for special X linker flags" >&5
-echo $ECHO_N "checking for special X linker flags... $ECHO_C" >&6
+	{ echo "$as_me:$LINENO: checking for special X linker flags" >&5
+echo $ECHO_N "checking for special X linker flags... $ECHO_C" >&6; }
 if test "${krb_cv_sys_x_libs_rpath+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -47062,38 +45715,38 @@ else
 		fi
 		LIBS="$ac_save_libs $foo $X_PRE_LIBS -lX11 $X_EXTRA_LIBS"
 		if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot run test program while cross compiling
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
+  krb_cv_sys_x_libs_rpath="" ; krb_cv_sys_x_libs="" ; break
 else
   cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 
 		#include <X11/Xlib.h>
-		foo()
+		foo(void)
 		{
 		XOpenDisplay(NULL);
 		}
-		main()
+		main(int argc, char **argv)
 		{
 		return 0;
 		}
 
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
@@ -47106,22 +45759,22 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ( exit $ac_status )
 :
 fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
+
+
 	done
 	LIBS="$ac_save_libs"
 	CFLAGS="$ac_save_cflags"
 
 fi
-echo "$as_me:$LINENO: result: $krb_cv_sys_x_libs_rpath" >&5
-echo "${ECHO_T}$krb_cv_sys_x_libs_rpath" >&6
+{ echo "$as_me:$LINENO: result: $krb_cv_sys_x_libs_rpath" >&5
+echo "${ECHO_T}$krb_cv_sys_x_libs_rpath" >&6; }
 	X_LIBS="$krb_cv_sys_x_libs"
 fi
 
 
-
-
-if test "$no_x" != yes; then
+ if test "$no_x" != yes; then
   HAVE_X_TRUE=
   HAVE_X_FALSE='#'
 else
@@ -47146,8 +45799,8 @@ LDFLAGS="$LDFLAGS $X_LIBS"
 
 
 
-echo "$as_me:$LINENO: checking for XauWriteAuth" >&5
-echo $ECHO_N "checking for XauWriteAuth... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for XauWriteAuth" >&5
+echo $ECHO_N "checking for XauWriteAuth... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_XauWriteAuth+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -47169,44 +45822,42 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-
+#include <X11/Xauth.h>
 int
 main ()
 {
-XauWriteAuth()
+XauWriteAuth(0,0)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_XauWriteAuth=$ac_lib; else ac_cv_funclib_XauWriteAuth=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_XauWriteAuth=\${ac_cv_funclib_XauWriteAuth-no}"
@@ -47223,9 +45874,9 @@ if false; then
 for ac_func in XauWriteAuth
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -47251,68 +45902,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -47335,14 +45978,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_XauWriteAuth=no"
 	eval "LIB_XauWriteAuth="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_XauWriteAuth=yes"
@@ -47355,8 +45998,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -47366,8 +46009,8 @@ LIBS="$LIB_XauWriteAuth $LIBS"
 
 
 
-echo "$as_me:$LINENO: checking for XauReadAuth" >&5
-echo $ECHO_N "checking for XauReadAuth... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for XauReadAuth" >&5
+echo $ECHO_N "checking for XauReadAuth... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_XauReadAuth+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -47389,44 +46032,42 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-
+#include <X11/Xauth.h>
 int
 main ()
 {
-XauReadAuth()
+XauReadAuth(0)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_XauReadAuth=$ac_lib; else ac_cv_funclib_XauReadAuth=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_XauReadAuth=\${ac_cv_funclib_XauReadAuth-no}"
@@ -47443,9 +46084,9 @@ if false; then
 for ac_func in XauReadAuth
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -47471,68 +46112,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -47555,14 +46188,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_XauReadAuth=no"
 	eval "LIB_XauReadAuth="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_XauReadAuth=yes"
@@ -47575,8 +46208,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -47585,8 +46218,8 @@ LIBS="$LIB_XauReadAauth $LIBS"
 
 
 
-echo "$as_me:$LINENO: checking for XauFileName" >&5
-echo $ECHO_N "checking for XauFileName... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for XauFileName" >&5
+echo $ECHO_N "checking for XauFileName... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_XauFileName+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -47608,7 +46241,7 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-
+#include <X11/Xauth.h>
 int
 main ()
 {
@@ -47618,34 +46251,32 @@ XauFileName()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_XauFileName=$ac_lib; else ac_cv_funclib_XauFileName=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_XauFileName=\${ac_cv_funclib_XauFileName-no}"
@@ -47662,9 +46293,9 @@ if false; then
 for ac_func in XauFileName
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -47690,68 +46321,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -47774,14 +46397,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_XauFileName=no"
 	eval "LIB_XauFileName="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_XauFileName=yes"
@@ -47794,8 +46417,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -47824,9 +46447,7 @@ no)	;;
 esac
 
 if test "$AUTOMAKE" != ""; then
-
-
-if test "$ac_cv_func_XauWriteAuth" != "yes"; then
+	 if test "$ac_cv_func_XauWriteAuth" != "yes"; then
   NEED_WRITEAUTH_TRUE=
   NEED_WRITEAUTH_FALSE='#'
 else
@@ -47851,8 +46472,8 @@ LDFLAGS=$save_LDFLAGS
 
 
 
-echo "$as_me:$LINENO: checking for an ANSI C-conforming const" >&5
-echo $ECHO_N "checking for an ANSI C-conforming const... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for an ANSI C-conforming const" >&5
+echo $ECHO_N "checking for an ANSI C-conforming const... $ECHO_C" >&6; }
 if test "${ac_cv_c_const+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -47870,10 +46491,10 @@ main ()
 #ifndef __cplusplus
   /* Ultrix mips cc rejects this.  */
   typedef int charset[2];
-  const charset x;
+  const charset cs;
   /* SunOS 4.1.1 cc rejects this.  */
-  char const *const *ccp;
-  char **p;
+  char const *const *pcpcc;
+  char **ppc;
   /* NEC SVR4.0.2 mips cc rejects this.  */
   struct point {int x, y;};
   static struct point const zero = {0,0};
@@ -47882,16 +46503,17 @@ main ()
      an arm of an if-expression whose if-part is not a constant
      expression */
   const char *g = "string";
-  ccp = &g + (g ? g-g : 0);
+  pcpcc = &g + (g ? g-g : 0);
   /* HPUX 7.0 cc rejects these. */
-  ++ccp;
-  p = (char**) ccp;
-  ccp = (char const *const *) p;
+  ++pcpcc;
+  ppc = (char**) pcpcc;
+  pcpcc = (char const *const *) ppc;
   { /* SCO 3.2v4 cc rejects this.  */
     char *t;
     char const *s = 0 ? (char *) 0 : (char const *) 0;
 
     *t++ = 0;
+    if (s) return 0;
   }
   { /* Someone thinks the Sun supposedly-ANSI compiler will reject this.  */
     int x[] = {25, 17};
@@ -47910,7 +46532,9 @@ main ()
   }
   { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */
     const int foo = 10;
+    if (!foo) return 0;
   }
+  return !cs[0] && !zero.x;
 #endif
 
   ;
@@ -47918,38 +46542,34 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_c_const=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_c_const=no
+	ac_cv_c_const=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_c_const" >&5
-echo "${ECHO_T}$ac_cv_c_const" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_c_const" >&5
+echo "${ECHO_T}$ac_cv_c_const" >&6; }
 if test $ac_cv_c_const = no; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -47958,8 +46578,8 @@ _ACEOF
 
 fi
 
-echo "$as_me:$LINENO: checking for off_t" >&5
-echo $ECHO_N "checking for off_t... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for off_t" >&5
+echo $ECHO_N "checking for off_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_off_t+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -47970,62 +46590,59 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
+typedef off_t ac__type_new_;
 int
 main ()
 {
-if ((off_t *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (off_t))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_off_t=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_off_t=no
+	ac_cv_type_off_t=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_off_t" >&5
-echo "${ECHO_T}$ac_cv_type_off_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_off_t" >&5
+echo "${ECHO_T}$ac_cv_type_off_t" >&6; }
 if test $ac_cv_type_off_t = yes; then
   :
 else
 
 cat >>confdefs.h <<_ACEOF
-#define off_t long
+#define off_t long int
 _ACEOF
 
 fi
 
-echo "$as_me:$LINENO: checking for mode_t" >&5
-echo $ECHO_N "checking for mode_t... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for mode_t" >&5
+echo $ECHO_N "checking for mode_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_mode_t+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -48051,8 +46668,8 @@ fi
 rm -f conftest*
 
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_mode_t" >&5
-echo "${ECHO_T}$ac_cv_type_mode_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_mode_t" >&5
+echo "${ECHO_T}$ac_cv_type_mode_t" >&6; }
 if test $ac_cv_type_mode_t = no; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -48061,8 +46678,8 @@ _ACEOF
 
 fi
 
-echo "$as_me:$LINENO: checking for sig_atomic_t" >&5
-echo $ECHO_N "checking for sig_atomic_t... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for sig_atomic_t" >&5
+echo $ECHO_N "checking for sig_atomic_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_sig_atomic_t+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -48088,8 +46705,8 @@ fi
 rm -f conftest*
 
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_sig_atomic_t" >&5
-echo "${ECHO_T}$ac_cv_type_sig_atomic_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_sig_atomic_t" >&5
+echo "${ECHO_T}$ac_cv_type_sig_atomic_t" >&6; }
 if test $ac_cv_type_sig_atomic_t = no; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -48101,9 +46718,9 @@ fi
 
 
 cv=`echo "long long" | sed 'y%./+- %__p__%'`
-echo "$as_me:$LINENO: checking for long long" >&5
-echo $ECHO_N "checking for long long... $ECHO_C" >&6
-if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for long long" >&5
+echo $ECHO_N "checking for long long... $ECHO_C" >&6; }
+if { as_var=ac_cv_type_$cv; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -48112,6 +46729,7 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
+
 #include <sys/types.h>
 #if STDC_HEADERS
 #include <stdlib.h>
@@ -48127,44 +46745,40 @@ long long foo;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "ac_cv_type_$cv=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "ac_cv_type_$cv=no"
+	eval "ac_cv_type_$cv=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 ac_foo=`eval echo \\$ac_cv_type_$cv`
-echo "$as_me:$LINENO: result: $ac_foo" >&5
-echo "${ECHO_T}$ac_foo" >&6
+{ echo "$as_me:$LINENO: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6; }
 if test "$ac_foo" = yes; then
   ac_tr_hdr=HAVE_`echo long long | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
 if false; then
-	echo "$as_me:$LINENO: checking for long long" >&5
-echo $ECHO_N "checking for long long... $ECHO_C" >&6
+	{ echo "$as_me:$LINENO: checking for long long" >&5
+echo $ECHO_N "checking for long long... $ECHO_C" >&6; }
 if test "${ac_cv_type_long_long+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -48175,50 +46789,47 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
+typedef long long ac__type_new_;
 int
 main ()
 {
-if ((long long *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (long long))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_long_long=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_long_long=no
+	ac_cv_type_long_long=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_long_long" >&5
-echo "${ECHO_T}$ac_cv_type_long_long" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_long_long" >&5
+echo "${ECHO_T}$ac_cv_type_long_long" >&6; }
 if test $ac_cv_type_long_long = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -48236,8 +46847,8 @@ _ACEOF
 
 fi
 
-echo "$as_me:$LINENO: checking whether time.h and sys/time.h may both be included" >&5
-echo $ECHO_N "checking whether time.h and sys/time.h may both be included... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether time.h and sys/time.h may both be included" >&5
+echo $ECHO_N "checking whether time.h and sys/time.h may both be included... $ECHO_C" >&6; }
 if test "${ac_cv_header_time+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -48261,38 +46872,34 @@ return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_header_time=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_header_time=no
+	ac_cv_header_time=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_header_time" >&5
-echo "${ECHO_T}$ac_cv_header_time" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_header_time" >&5
+echo "${ECHO_T}$ac_cv_header_time" >&6; }
 if test $ac_cv_header_time = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -48301,8 +46908,8 @@ _ACEOF
 
 fi
 
-echo "$as_me:$LINENO: checking whether struct tm is in sys/time.h or time.h" >&5
-echo $ECHO_N "checking whether struct tm is in sys/time.h or time.h... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether struct tm is in sys/time.h or time.h" >&5
+echo $ECHO_N "checking whether struct tm is in sys/time.h or time.h... $ECHO_C" >&6; }
 if test "${ac_cv_struct_tm+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -48318,44 +46925,42 @@ cat >>conftest.$ac_ext <<_ACEOF
 int
 main ()
 {
-struct tm *tp; tp->tm_sec;
+struct tm tm;
+				     int *p = &tm.tm_sec;
+ 				     return !p;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_struct_tm=time.h
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_struct_tm=sys/time.h
+	ac_cv_struct_tm=sys/time.h
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_struct_tm" >&5
-echo "${ECHO_T}$ac_cv_struct_tm" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_struct_tm" >&5
+echo "${ECHO_T}$ac_cv_struct_tm" >&6; }
 if test $ac_cv_struct_tm = sys/time.h; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -48365,8 +46970,8 @@ _ACEOF
 fi
 
 
-echo "$as_me:$LINENO: checking for ANSI C header files" >&5
-echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for ANSI C header files" >&5
+echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6; }
 if test "${ac_cv_header_stdc+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -48390,35 +46995,31 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_header_stdc=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_header_stdc=no
+	ac_cv_header_stdc=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 if test $ac_cv_header_stdc = yes; then
   # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
@@ -48474,6 +47075,7 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <ctype.h>
+#include <stdlib.h>
 #if ((' ' & 0x0FF) == 0x020)
 # define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
 # define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
@@ -48493,18 +47095,27 @@ main ()
   for (i = 0; i < 256; i++)
     if (XOR (islower (i), ISLOWER (i))
 	|| toupper (i) != TOUPPER (i))
-      exit(2);
-  exit (0);
+      return 2;
+  return 0;
 }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
@@ -48517,12 +47128,14 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ( exit $ac_status )
 ac_cv_header_stdc=no
 fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
+
+
 fi
 fi
-echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
-echo "${ECHO_T}$ac_cv_header_stdc" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
+echo "${ECHO_T}$ac_cv_header_stdc" >&6; }
 if test $ac_cv_header_stdc = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -48582,6 +47195,8 @@ fi
 
 
 
+
+
 for ac_header in \
 	arpa/ftp.h				\
 	arpa/telnet.h				\
@@ -48601,10 +47216,10 @@ for ac_header in \
 	pthread.h				\
 	pty.h					\
 	sac.h					\
-	security/pam_modules.h			\
 	sgtty.h					\
 	siad.h					\
 	signal.h				\
+	strings.h				\
 	stropts.h				\
 	sys/bitypes.h				\
 	sys/category.h				\
@@ -48612,42 +47227,45 @@ for ac_header in \
 	sys/filio.h				\
 	sys/ioccom.h				\
 	sys/mman.h				\
+	sys/param.h				\
 	sys/pty.h				\
 	sys/ptyio.h				\
-	sys/ptyvar.h				\
 	sys/select.h				\
+	sys/socket.h				\
 	sys/str_tty.h				\
 	sys/stream.h				\
 	sys/stropts.h				\
-	sys/strtty.h				\
 	sys/syscall.h				\
 	sys/termio.h				\
 	sys/timeb.h				\
 	sys/times.h				\
+	sys/types.h				\
 	sys/un.h				\
-	term.h					\
 	termcap.h				\
 	termio.h				\
+	termios.h				\
 	time.h					\
 	tmpdir.h				\
 	udb.h					\
+	util.h					\
 	utmp.h					\
 	utmpx.h					\
 
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -48658,41 +47276,37 @@ $ac_includes_default
 #include <$ac_header>
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_header_compiler=no
+	ac_header_compiler=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -48701,24 +47315,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <$ac_header>
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   ac_header_preproc=yes
 else
   echo "$as_me: failed program was:" >&5
@@ -48726,9 +47338,10 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
+
 rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
@@ -48752,27 +47365,397 @@ echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\
 echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
     { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-    (
-      cat <<\_ASBOX
-## -------------------------------------- ##
-## Report this to heimdal-bugs@pdc.kth.se ##
-## -------------------------------------- ##
+    ( cat <<\_ASBOX
+## ----------------------------------- ##
+## Report this to heimdal-bugs@h5l.org ##
+## ----------------------------------- ##
 _ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
+     ) | sed "s/^/$as_me: WARNING:     /" >&2
     ;;
 esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   eval "$as_ac_Header=\$ac_header_preproc"
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+
+fi
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+
+for ac_header in term.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <$ac_header>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  eval "$as_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+  eval "$as_ac_Header=no"
+fi
+
+rm -f conftest.err conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+
+for ac_header in net/if.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#if HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "$as_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_Header=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+
+for ac_header in sys/ptyvar.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#if HAVE_SYS_TTY_H
+#include <sys/tty.h>
+#endif
+
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "$as_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_Header=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+
+for ac_header in sys/strtty.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#if HAVE_TERMIOS_H
+#include <termios.h>
+#endif
+#if HAVE_SYS_STREAM_H
+#include <sys/stream.h>
+#endif
+
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "$as_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_Header=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+
+for ac_header in sys/ucred.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#if HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#if HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "$as_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_Header=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+
+for ac_header in security/pam_modules.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#include <security/pam_appl.h>
+
+
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "$as_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_Header=no"
+fi
 
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_Header'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
@@ -48783,11 +47766,11 @@ fi
 done
 
 
-# Check whether --enable-netinfo or --disable-netinfo was given.
+# Check whether --enable-netinfo was given.
 if test "${enable_netinfo+set}" = set; then
-  enableval="$enable_netinfo"
+  enableval=$enable_netinfo;
+fi
 
-fi;
 
 if test "$ac_cv_header_netinfo_ni_h" = yes -a "$enable_netinfo" = yes; then
 
@@ -48801,8 +47784,13 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for logwtmp" >&5
-echo $ECHO_N "checking for logwtmp... $ECHO_C" >&6
+
+
+
+
+
+{ echo "$as_me:$LINENO: checking for logwtmp" >&5
+echo $ECHO_N "checking for logwtmp... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_logwtmp+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -48825,43 +47813,45 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
+#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif
+
 int
 main ()
 {
-logwtmp()
+logwtmp(0,0,0)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_logwtmp=$ac_lib; else ac_cv_funclib_logwtmp=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_logwtmp=\${ac_cv_funclib_logwtmp-no}"
@@ -48878,9 +47868,9 @@ if false; then
 for ac_func in logwtmp
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -48906,68 +47896,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -48990,14 +47972,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_logwtmp=no"
 	eval "LIB_logwtmp="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_logwtmp=yes"
@@ -49010,8 +47992,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -49019,8 +48001,8 @@ esac
 
 
 
-echo "$as_me:$LINENO: checking for logout" >&5
-echo $ECHO_N "checking for logout... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for logout" >&5
+echo $ECHO_N "checking for logout... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_logout+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -49043,43 +48025,45 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
+#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif
+
 int
 main ()
 {
-logout()
+logout(0)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_logout=$ac_lib; else ac_cv_funclib_logout=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_logout=\${ac_cv_funclib_logout-no}"
@@ -49096,9 +48080,9 @@ if false; then
 for ac_func in logout
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -49124,68 +48108,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -49208,14 +48184,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_logout=no"
 	eval "LIB_logout="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_logout=yes"
@@ -49228,8 +48204,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -49237,8 +48213,8 @@ esac
 
 
 
-echo "$as_me:$LINENO: checking for openpty" >&5
-echo $ECHO_N "checking for openpty... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for openpty" >&5
+echo $ECHO_N "checking for openpty... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_openpty+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -49261,43 +48237,45 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
+#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif
+
 int
 main ()
 {
-openpty()
+openpty(0,0,0,0,0)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_openpty=$ac_lib; else ac_cv_funclib_openpty=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_openpty=\${ac_cv_funclib_openpty-no}"
@@ -49314,9 +48292,9 @@ if false; then
 for ac_func in openpty
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -49342,68 +48320,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -49426,14 +48396,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_openpty=no"
 	eval "LIB_openpty="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_openpty=yes"
@@ -49446,8 +48416,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -49455,8 +48425,9 @@ esac
 
 
 
-echo "$as_me:$LINENO: checking for tgetent" >&5
-echo $ECHO_N "checking for tgetent... $ECHO_C" >&6
+
+{ echo "$as_me:$LINENO: checking for tgetent" >&5
+echo $ECHO_N "checking for tgetent... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_tgetent+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -49479,43 +48450,48 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
+#ifdef HAVE_TERMCAP_H
+#include <termcap.h>
+#endif
+#ifdef HAVE_CURSES_H
+#include <curses.h>
+#endif
+
 int
 main ()
 {
-tgetent()
+tgetent(0,0)
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_tgetent=$ac_lib; else ac_cv_funclib_tgetent=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_tgetent=\${ac_cv_funclib_tgetent-no}"
@@ -49532,9 +48508,9 @@ if false; then
 for ac_func in tgetent
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -49560,68 +48536,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -49644,14 +48612,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_tgetent=no"
 	eval "LIB_tgetent="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_tgetent=yes"
@@ -49664,8 +48632,8 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
@@ -49700,10 +48668,15 @@ esac
 
 
 
+
+
 for ac_func in 				\
 	_getpty					\
 	_scrsize				\
+	arc4random				\
 	fcntl					\
+	getpeereid				\
+	getpeerucred				\
 	grantpt					\
 	mktime					\
 	ptsname					\
@@ -49722,7 +48695,6 @@ for ac_func in 				\
 	setutent				\
 	sigaction				\
 	strstr					\
-	timegm					\
 	ttyname					\
 	ttyslot					\
 	umask					\
@@ -49732,9 +48704,9 @@ for ac_func in 				\
 
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -49760,68 +48732,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -49836,18 +48800,19 @@ done
 for ac_header in stdlib.h unistd.h
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -49858,41 +48823,37 @@ $ac_includes_default
 #include <$ac_header>
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_header_compiler=no
+	ac_header_compiler=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -49901,24 +48862,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <$ac_header>
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   ac_header_preproc=yes
 else
   echo "$as_me: failed program was:" >&5
@@ -49926,9 +48885,10 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
+
 rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
@@ -49952,25 +48912,24 @@ echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\
 echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
     { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-    (
-      cat <<\_ASBOX
-## -------------------------------------- ##
-## Report this to heimdal-bugs@pdc.kth.se ##
-## -------------------------------------- ##
+    ( cat <<\_ASBOX
+## ----------------------------------- ##
+## Report this to heimdal-bugs@h5l.org ##
+## ----------------------------------- ##
 _ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
+     ) | sed "s/^/$as_me: WARNING:     /" >&2
     ;;
 esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   eval "$as_ac_Header=\$ac_header_preproc"
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 
 fi
 if test `eval echo '${'$as_ac_Header'}'` = yes; then
@@ -49986,9 +48945,9 @@ done
 for ac_func in getpagesize
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -50014,68 +48973,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -50084,8 +49035,8 @@ _ACEOF
 fi
 done
 
-echo "$as_me:$LINENO: checking for working mmap" >&5
-echo $ECHO_N "checking for working mmap... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for working mmap" >&5
+echo $ECHO_N "checking for working mmap... $ECHO_C" >&6; }
 if test "${ac_cv_func_mmap_fixed_mapped+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -50127,21 +49078,21 @@ $ac_includes_default
 #include <fcntl.h>
 #include <sys/mman.h>
 
-#if !STDC_HEADERS && !HAVE_STDLIB_H
+#if !defined STDC_HEADERS && !defined HAVE_STDLIB_H
 char *malloc ();
 #endif
 
 /* This mess was copied from the GNU getpagesize.h.  */
-#if !HAVE_GETPAGESIZE
+#ifndef HAVE_GETPAGESIZE
 /* Assume that all systems that can run configure have sys/param.h.  */
-# if !HAVE_SYS_PARAM_H
+# ifndef HAVE_SYS_PARAM_H
 #  define HAVE_SYS_PARAM_H 1
 # endif
 
 # ifdef _SC_PAGESIZE
 #  define getpagesize() sysconf(_SC_PAGESIZE)
 # else /* no _SC_PAGESIZE */
-#  if HAVE_SYS_PARAM_H
+#  ifdef HAVE_SYS_PARAM_H
 #   include <sys/param.h>
 #   ifdef EXEC_PAGESIZE
 #    define getpagesize() EXEC_PAGESIZE
@@ -50180,15 +49131,15 @@ main ()
   /* First, make a file with some known garbage in it. */
   data = (char *) malloc (pagesize);
   if (!data)
-    exit (1);
+    return 1;
   for (i = 0; i < pagesize; ++i)
     *(data + i) = rand ();
   umask (0);
   fd = creat ("conftest.mmap", 0600);
   if (fd < 0)
-    exit (1);
+    return 1;
   if (write (fd, data, pagesize) != pagesize)
-    exit (1);
+    return 1;
   close (fd);
 
   /* Next, try to mmap the file at a fixed address which already has
@@ -50196,17 +49147,17 @@ main ()
      we see the same garbage.  */
   fd = open ("conftest.mmap", O_RDWR);
   if (fd < 0)
-    exit (1);
+    return 1;
   data2 = (char *) malloc (2 * pagesize);
   if (!data2)
-    exit (1);
-  data2 += (pagesize - ((long) data2 & (pagesize - 1))) & (pagesize - 1);
+    return 1;
+  data2 += (pagesize - ((long int) data2 & (pagesize - 1))) & (pagesize - 1);
   if (data2 != mmap (data2, pagesize, PROT_READ | PROT_WRITE,
 		     MAP_PRIVATE | MAP_FIXED, fd, 0L))
-    exit (1);
+    return 1;
   for (i = 0; i < pagesize; ++i)
     if (*(data + i) != *(data2 + i))
-      exit (1);
+      return 1;
 
   /* Finally, make sure that changes to the mapped area do not
      percolate back to the file as seen by read().  (This is a bug on
@@ -50215,24 +49166,33 @@ main ()
     *(data2 + i) = *(data2 + i) + 1;
   data3 = (char *) malloc (pagesize);
   if (!data3)
-    exit (1);
+    return 1;
   if (read (fd, data3, pagesize) != pagesize)
-    exit (1);
+    return 1;
   for (i = 0; i < pagesize; ++i)
     if (*(data + i) != *(data3 + i))
-      exit (1);
+      return 1;
   close (fd);
-  exit (0);
+  return 0;
 }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
@@ -50245,11 +49205,13 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ( exit $ac_status )
 ac_cv_func_mmap_fixed_mapped=no
 fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
+
+
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_mmap_fixed_mapped" >&5
-echo "${ECHO_T}$ac_cv_func_mmap_fixed_mapped" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_mmap_fixed_mapped" >&5
+echo "${ECHO_T}$ac_cv_func_mmap_fixed_mapped" >&6; }
 if test $ac_cv_func_mmap_fixed_mapped = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -50267,18 +49229,19 @@ rm -f conftest.mmap
 for ac_header in capability.h sys/capability.h
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -50289,41 +49252,37 @@ $ac_includes_default
 #include <$ac_header>
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_header_compiler=no
+	ac_header_compiler=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -50332,24 +49291,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <$ac_header>
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   ac_header_preproc=yes
 else
   echo "$as_me: failed program was:" >&5
@@ -50357,9 +49314,10 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
+
 rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
@@ -50383,25 +49341,24 @@ echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\
 echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
     { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-    (
-      cat <<\_ASBOX
-## -------------------------------------- ##
-## Report this to heimdal-bugs@pdc.kth.se ##
-## -------------------------------------- ##
+    ( cat <<\_ASBOX
+## ----------------------------------- ##
+## Report this to heimdal-bugs@h5l.org ##
+## ----------------------------------- ##
 _ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
+     ) | sed "s/^/$as_me: WARNING:     /" >&2
     ;;
 esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   eval "$as_ac_Header=\$ac_header_preproc"
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 
 fi
 if test `eval echo '${'$as_ac_Header'}'` = yes; then
@@ -50419,9 +49376,9 @@ done
 for ac_func in sgi_getcapabilitybyname cap_set_proc
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -50447,68 +49404,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -50523,8 +49472,8 @@ done
 
 
 
-echo "$as_me:$LINENO: checking for getpwnam_r" >&5
-echo $ECHO_N "checking for getpwnam_r... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for getpwnam_r" >&5
+echo $ECHO_N "checking for getpwnam_r... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_getpwnam_r+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -50556,34 +49505,32 @@ getpwnam_r()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_getpwnam_r=$ac_lib; else ac_cv_funclib_getpwnam_r=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_getpwnam_r=\${ac_cv_funclib_getpwnam_r-no}"
@@ -50600,9 +49547,9 @@ if false; then
 for ac_func in getpwnam_r
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -50628,68 +49575,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -50712,14 +49651,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_getpwnam_r=no"
 	eval "LIB_getpwnam_r="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_getpwnam_r=yes"
@@ -50732,15 +49671,15 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
 
 if test "$ac_cv_func_getpwnam_r" = yes; then
-	echo "$as_me:$LINENO: checking if getpwnam_r is posix" >&5
-echo $ECHO_N "checking if getpwnam_r is posix... $ECHO_C" >&6
+	{ echo "$as_me:$LINENO: checking if getpwnam_r is posix" >&5
+echo $ECHO_N "checking if getpwnam_r is posix... $ECHO_C" >&6; }
 if test "${ac_cv_func_getpwnam_r_posix+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -50756,8 +49695,9 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
+#define _POSIX_PTHREAD_SEMANTICS
 #include <pwd.h>
-int main()
+int main(int argc, char **argv)
 {
 	struct passwd pw, *pwd;
 	return getpwnam_r("", &pw, NULL, 0, &pwd) < 0;
@@ -50765,13 +49705,22 @@ int main()
 
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
@@ -50784,12 +49733,14 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ( exit $ac_status )
 ac_cv_func_getpwnam_r_posix=no
 fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
+
+
 LIBS="$ac_libs"
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getpwnam_r_posix" >&5
-echo "${ECHO_T}$ac_cv_func_getpwnam_r_posix" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_getpwnam_r_posix" >&5
+echo "${ECHO_T}$ac_cv_func_getpwnam_r_posix" >&6; }
 if test "$ac_cv_func_getpwnam_r_posix" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -50800,14 +49751,90 @@ fi
 fi
 
 
+if test "$enable_pthread_support" != no; then
+   saved_LIBS="$LIBS"
+   LIBS="$LIBS $PTHREADS_LIBS"
 
 
-for ac_func in getudbnam setlim
+
+{ echo "$as_me:$LINENO: checking for door_create" >&5
+echo $ECHO_N "checking for door_create... $ECHO_C" >&6; }
+if test "${ac_cv_funclib_door_create+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_door_create\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" door; do
+		case "$ac_lib" in
+		"") ;;
+		yes) ac_lib="" ;;
+		no) continue ;;
+		-l*) ;;
+		*) ac_lib="-l$ac_lib" ;;
+		esac
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+door_create()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_door_create=$ac_lib; else ac_cv_funclib_door_create=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_door_create=\${ac_cv_funclib_door_create-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_door_create"
+
+if false; then
+
+for ac_func in door_create
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -50833,68 +49860,229 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
+#endif
+
+int
+main ()
+{
+return $ac_func ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  eval "$as_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_var=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_var'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+fi
+# door_create
+eval "ac_tr_func=HAVE_`echo door_create | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_door_create=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_door_create=yes"
+	eval "LIB_door_create="
+	cat >>confdefs.h <<_ACEOF
+#define $ac_tr_func 1
+_ACEOF
+
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+	;;
+	no)
+	eval "ac_cv_func_door_create=no"
+	eval "LIB_door_create="
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+	;;
+	*)
+	eval "ac_cv_func_door_create=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<_ACEOF
+#define $ac_tr_func 1
+_ACEOF
+
+	cat >>confdefs.h <<_ACEOF
+#define $ac_tr_lib 1
+_ACEOF
+
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
+	;;
+esac
+
+
+   LIBS="$saved_LIBS"
+fi
+
+# Check whether --enable-kcm was given.
+if test "${enable_kcm+set}" = set; then
+  enableval=$enable_kcm;
+else
+  enable_kcm=yes
+fi
+
+
+if test "$enable_kcm" = yes ; then
+   if test  "$ac_cv_header_sys_un_h" != yes -a "$ac_cv_funclib_door_create" != yes ; then
+  	enable_kcm=no
+   fi
+fi
+if test "$enable_kcm" = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_KCM 1
+_ACEOF
+
+fi
+ if test "$enable_kcm" = yes; then
+  KCM_TRUE=
+  KCM_FALSE='#'
+else
+  KCM_TRUE='#'
+  KCM_FALSE=
+fi
+
+
+
+
+
+
+for ac_func in getudbnam setlim
+do
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define $ac_func innocuous_$ac_func
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
 #else
-char (*f) () = $ac_func;
+# include <assert.h>
 #endif
+
+#undef $ac_func
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
-}
+extern "C"
+#endif
+char $ac_func ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_$ac_func || defined __stub___$ac_func
+choke me
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -50908,8 +50096,8 @@ done
 
 
 
-echo "$as_me:$LINENO: checking for ut_addr in struct utmp" >&5
-echo $ECHO_N "checking for ut_addr in struct utmp... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for ut_addr in struct utmp" >&5
+echo $ECHO_N "checking for ut_addr in struct utmp... $ECHO_C" >&6; }
 if test "${ac_cv_type_struct_utmp_ut_addr+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -50924,44 +50112,41 @@ cat >>conftest.$ac_ext <<_ACEOF
 int
 main ()
 {
-struct utmp x; x.ut_addr;
+struct utmp x; memset(&x, 0, sizeof(x)); x.ut_addr
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_struct_utmp_ut_addr=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_struct_utmp_ut_addr=no
+	ac_cv_type_struct_utmp_ut_addr=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_struct_utmp_ut_addr" >&5
-echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_addr" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_struct_utmp_ut_addr" >&5
+echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_addr" >&6; }
 if test "$ac_cv_type_struct_utmp_ut_addr" = yes; then
 
 
@@ -50975,8 +50160,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for ut_host in struct utmp" >&5
-echo $ECHO_N "checking for ut_host in struct utmp... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for ut_host in struct utmp" >&5
+echo $ECHO_N "checking for ut_host in struct utmp... $ECHO_C" >&6; }
 if test "${ac_cv_type_struct_utmp_ut_host+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -50991,44 +50176,41 @@ cat >>conftest.$ac_ext <<_ACEOF
 int
 main ()
 {
-struct utmp x; x.ut_host;
+struct utmp x; memset(&x, 0, sizeof(x)); x.ut_host
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_struct_utmp_ut_host=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_struct_utmp_ut_host=no
+	ac_cv_type_struct_utmp_ut_host=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_struct_utmp_ut_host" >&5
-echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_host" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_struct_utmp_ut_host" >&5
+echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_host" >&6; }
 if test "$ac_cv_type_struct_utmp_ut_host" = yes; then
 
 
@@ -51042,8 +50224,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for ut_id in struct utmp" >&5
-echo $ECHO_N "checking for ut_id in struct utmp... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for ut_id in struct utmp" >&5
+echo $ECHO_N "checking for ut_id in struct utmp... $ECHO_C" >&6; }
 if test "${ac_cv_type_struct_utmp_ut_id+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -51058,44 +50240,41 @@ cat >>conftest.$ac_ext <<_ACEOF
 int
 main ()
 {
-struct utmp x; x.ut_id;
+struct utmp x; memset(&x, 0, sizeof(x)); x.ut_id
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_struct_utmp_ut_id=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_struct_utmp_ut_id=no
+	ac_cv_type_struct_utmp_ut_id=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_struct_utmp_ut_id" >&5
-echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_id" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_struct_utmp_ut_id" >&5
+echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_id" >&6; }
 if test "$ac_cv_type_struct_utmp_ut_id" = yes; then
 
 
@@ -51109,8 +50288,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for ut_pid in struct utmp" >&5
-echo $ECHO_N "checking for ut_pid in struct utmp... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for ut_pid in struct utmp" >&5
+echo $ECHO_N "checking for ut_pid in struct utmp... $ECHO_C" >&6; }
 if test "${ac_cv_type_struct_utmp_ut_pid+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -51125,44 +50304,41 @@ cat >>conftest.$ac_ext <<_ACEOF
 int
 main ()
 {
-struct utmp x; x.ut_pid;
+struct utmp x; memset(&x, 0, sizeof(x)); x.ut_pid
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_struct_utmp_ut_pid=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_struct_utmp_ut_pid=no
+	ac_cv_type_struct_utmp_ut_pid=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_struct_utmp_ut_pid" >&5
-echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_pid" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_struct_utmp_ut_pid" >&5
+echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_pid" >&6; }
 if test "$ac_cv_type_struct_utmp_ut_pid" = yes; then
 
 
@@ -51176,8 +50352,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for ut_type in struct utmp" >&5
-echo $ECHO_N "checking for ut_type in struct utmp... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for ut_type in struct utmp" >&5
+echo $ECHO_N "checking for ut_type in struct utmp... $ECHO_C" >&6; }
 if test "${ac_cv_type_struct_utmp_ut_type+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -51192,44 +50368,41 @@ cat >>conftest.$ac_ext <<_ACEOF
 int
 main ()
 {
-struct utmp x; x.ut_type;
+struct utmp x; memset(&x, 0, sizeof(x)); x.ut_type
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_struct_utmp_ut_type=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_struct_utmp_ut_type=no
+	ac_cv_type_struct_utmp_ut_type=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_struct_utmp_ut_type" >&5
-echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_type" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_struct_utmp_ut_type" >&5
+echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_type" >&6; }
 if test "$ac_cv_type_struct_utmp_ut_type" = yes; then
 
 
@@ -51243,8 +50416,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for ut_user in struct utmp" >&5
-echo $ECHO_N "checking for ut_user in struct utmp... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for ut_user in struct utmp" >&5
+echo $ECHO_N "checking for ut_user in struct utmp... $ECHO_C" >&6; }
 if test "${ac_cv_type_struct_utmp_ut_user+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -51259,44 +50432,41 @@ cat >>conftest.$ac_ext <<_ACEOF
 int
 main ()
 {
-struct utmp x; x.ut_user;
+struct utmp x; memset(&x, 0, sizeof(x)); x.ut_user
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_struct_utmp_ut_user=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_struct_utmp_ut_user=no
+	ac_cv_type_struct_utmp_ut_user=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_struct_utmp_ut_user" >&5
-echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_user" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_struct_utmp_ut_user" >&5
+echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_user" >&6; }
 if test "$ac_cv_type_struct_utmp_ut_user" = yes; then
 
 
@@ -51310,8 +50480,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for ut_exit in struct utmpx" >&5
-echo $ECHO_N "checking for ut_exit in struct utmpx... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for ut_exit in struct utmpx" >&5
+echo $ECHO_N "checking for ut_exit in struct utmpx... $ECHO_C" >&6; }
 if test "${ac_cv_type_struct_utmpx_ut_exit+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -51326,44 +50496,41 @@ cat >>conftest.$ac_ext <<_ACEOF
 int
 main ()
 {
-struct utmpx x; x.ut_exit;
+struct utmpx x; memset(&x, 0, sizeof(x)); x.ut_exit
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_struct_utmpx_ut_exit=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_struct_utmpx_ut_exit=no
+	ac_cv_type_struct_utmpx_ut_exit=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_struct_utmpx_ut_exit" >&5
-echo "${ECHO_T}$ac_cv_type_struct_utmpx_ut_exit" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_struct_utmpx_ut_exit" >&5
+echo "${ECHO_T}$ac_cv_type_struct_utmpx_ut_exit" >&6; }
 if test "$ac_cv_type_struct_utmpx_ut_exit" = yes; then
 
 
@@ -51377,8 +50544,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for ut_syslen in struct utmpx" >&5
-echo $ECHO_N "checking for ut_syslen in struct utmpx... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for ut_syslen in struct utmpx" >&5
+echo $ECHO_N "checking for ut_syslen in struct utmpx... $ECHO_C" >&6; }
 if test "${ac_cv_type_struct_utmpx_ut_syslen+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -51393,44 +50560,41 @@ cat >>conftest.$ac_ext <<_ACEOF
 int
 main ()
 {
-struct utmpx x; x.ut_syslen;
+struct utmpx x; memset(&x, 0, sizeof(x)); x.ut_syslen
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_struct_utmpx_ut_syslen=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_struct_utmpx_ut_syslen=no
+	ac_cv_type_struct_utmpx_ut_syslen=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_struct_utmpx_ut_syslen" >&5
-echo "${ECHO_T}$ac_cv_type_struct_utmpx_ut_syslen" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_struct_utmpx_ut_syslen" >&5
+echo "${ECHO_T}$ac_cv_type_struct_utmpx_ut_syslen" >&6; }
 if test "$ac_cv_type_struct_utmpx_ut_syslen" = yes; then
 
 
@@ -51443,8 +50607,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking for int8_t" >&5
-echo $ECHO_N "checking for int8_t... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for int8_t" >&5
+echo $ECHO_N "checking for int8_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_int8_t+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -51472,50 +50636,47 @@ cat >>conftest.$ac_ext <<_ACEOF
 #endif
 
 
+typedef int8_t ac__type_new_;
 int
 main ()
 {
-if ((int8_t *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (int8_t))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_int8_t=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_int8_t=no
+	ac_cv_type_int8_t=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_int8_t" >&5
-echo "${ECHO_T}$ac_cv_type_int8_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_int8_t" >&5
+echo "${ECHO_T}$ac_cv_type_int8_t" >&6; }
 if test $ac_cv_type_int8_t = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -51524,8 +50685,8 @@ _ACEOF
 
 
 fi
-echo "$as_me:$LINENO: checking for int16_t" >&5
-echo $ECHO_N "checking for int16_t... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for int16_t" >&5
+echo $ECHO_N "checking for int16_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_int16_t+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -51553,50 +50714,47 @@ cat >>conftest.$ac_ext <<_ACEOF
 #endif
 
 
+typedef int16_t ac__type_new_;
 int
 main ()
 {
-if ((int16_t *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (int16_t))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_int16_t=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_int16_t=no
+	ac_cv_type_int16_t=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_int16_t" >&5
-echo "${ECHO_T}$ac_cv_type_int16_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_int16_t" >&5
+echo "${ECHO_T}$ac_cv_type_int16_t" >&6; }
 if test $ac_cv_type_int16_t = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -51605,8 +50763,8 @@ _ACEOF
 
 
 fi
-echo "$as_me:$LINENO: checking for int32_t" >&5
-echo $ECHO_N "checking for int32_t... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for int32_t" >&5
+echo $ECHO_N "checking for int32_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_int32_t+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -51634,50 +50792,47 @@ cat >>conftest.$ac_ext <<_ACEOF
 #endif
 
 
+typedef int32_t ac__type_new_;
 int
 main ()
 {
-if ((int32_t *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (int32_t))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_int32_t=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_int32_t=no
+	ac_cv_type_int32_t=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_int32_t" >&5
-echo "${ECHO_T}$ac_cv_type_int32_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_int32_t" >&5
+echo "${ECHO_T}$ac_cv_type_int32_t" >&6; }
 if test $ac_cv_type_int32_t = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -51686,8 +50841,8 @@ _ACEOF
 
 
 fi
-echo "$as_me:$LINENO: checking for int64_t" >&5
-echo $ECHO_N "checking for int64_t... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for int64_t" >&5
+echo $ECHO_N "checking for int64_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_int64_t+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -51715,50 +50870,47 @@ cat >>conftest.$ac_ext <<_ACEOF
 #endif
 
 
+typedef int64_t ac__type_new_;
 int
 main ()
 {
-if ((int64_t *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (int64_t))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_int64_t=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_int64_t=no
+	ac_cv_type_int64_t=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_int64_t" >&5
-echo "${ECHO_T}$ac_cv_type_int64_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_int64_t" >&5
+echo "${ECHO_T}$ac_cv_type_int64_t" >&6; }
 if test $ac_cv_type_int64_t = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -51767,8 +50919,8 @@ _ACEOF
 
 
 fi
-echo "$as_me:$LINENO: checking for u_int8_t" >&5
-echo $ECHO_N "checking for u_int8_t... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for u_int8_t" >&5
+echo $ECHO_N "checking for u_int8_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_u_int8_t+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -51796,50 +50948,47 @@ cat >>conftest.$ac_ext <<_ACEOF
 #endif
 
 
+typedef u_int8_t ac__type_new_;
 int
 main ()
 {
-if ((u_int8_t *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (u_int8_t))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_u_int8_t=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_u_int8_t=no
+	ac_cv_type_u_int8_t=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_u_int8_t" >&5
-echo "${ECHO_T}$ac_cv_type_u_int8_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_u_int8_t" >&5
+echo "${ECHO_T}$ac_cv_type_u_int8_t" >&6; }
 if test $ac_cv_type_u_int8_t = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -51848,8 +50997,8 @@ _ACEOF
 
 
 fi
-echo "$as_me:$LINENO: checking for u_int16_t" >&5
-echo $ECHO_N "checking for u_int16_t... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for u_int16_t" >&5
+echo $ECHO_N "checking for u_int16_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_u_int16_t+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -51877,50 +51026,47 @@ cat >>conftest.$ac_ext <<_ACEOF
 #endif
 
 
+typedef u_int16_t ac__type_new_;
 int
 main ()
 {
-if ((u_int16_t *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (u_int16_t))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_u_int16_t=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_u_int16_t=no
+	ac_cv_type_u_int16_t=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_u_int16_t" >&5
-echo "${ECHO_T}$ac_cv_type_u_int16_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_u_int16_t" >&5
+echo "${ECHO_T}$ac_cv_type_u_int16_t" >&6; }
 if test $ac_cv_type_u_int16_t = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -51929,8 +51075,8 @@ _ACEOF
 
 
 fi
-echo "$as_me:$LINENO: checking for u_int32_t" >&5
-echo $ECHO_N "checking for u_int32_t... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for u_int32_t" >&5
+echo $ECHO_N "checking for u_int32_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_u_int32_t+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -51958,50 +51104,47 @@ cat >>conftest.$ac_ext <<_ACEOF
 #endif
 
 
+typedef u_int32_t ac__type_new_;
 int
 main ()
 {
-if ((u_int32_t *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (u_int32_t))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_u_int32_t=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_u_int32_t=no
+	ac_cv_type_u_int32_t=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_u_int32_t" >&5
-echo "${ECHO_T}$ac_cv_type_u_int32_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_u_int32_t" >&5
+echo "${ECHO_T}$ac_cv_type_u_int32_t" >&6; }
 if test $ac_cv_type_u_int32_t = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -52010,8 +51153,8 @@ _ACEOF
 
 
 fi
-echo "$as_me:$LINENO: checking for u_int64_t" >&5
-echo $ECHO_N "checking for u_int64_t... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for u_int64_t" >&5
+echo $ECHO_N "checking for u_int64_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_u_int64_t+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -52039,50 +51182,47 @@ cat >>conftest.$ac_ext <<_ACEOF
 #endif
 
 
+typedef u_int64_t ac__type_new_;
 int
 main ()
 {
-if ((u_int64_t *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (u_int64_t))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_u_int64_t=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_u_int64_t=no
+	ac_cv_type_u_int64_t=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_u_int64_t" >&5
-echo "${ECHO_T}$ac_cv_type_u_int64_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_u_int64_t" >&5
+echo "${ECHO_T}$ac_cv_type_u_int64_t" >&6; }
 if test $ac_cv_type_u_int64_t = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -52091,8 +51231,8 @@ _ACEOF
 
 
 fi
-echo "$as_me:$LINENO: checking for uint8_t" >&5
-echo $ECHO_N "checking for uint8_t... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for uint8_t" >&5
+echo $ECHO_N "checking for uint8_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_uint8_t+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -52120,50 +51260,47 @@ cat >>conftest.$ac_ext <<_ACEOF
 #endif
 
 
+typedef uint8_t ac__type_new_;
 int
 main ()
 {
-if ((uint8_t *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (uint8_t))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_uint8_t=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_uint8_t=no
+	ac_cv_type_uint8_t=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_uint8_t" >&5
-echo "${ECHO_T}$ac_cv_type_uint8_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_uint8_t" >&5
+echo "${ECHO_T}$ac_cv_type_uint8_t" >&6; }
 if test $ac_cv_type_uint8_t = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -52172,8 +51309,8 @@ _ACEOF
 
 
 fi
-echo "$as_me:$LINENO: checking for uint16_t" >&5
-echo $ECHO_N "checking for uint16_t... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for uint16_t" >&5
+echo $ECHO_N "checking for uint16_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_uint16_t+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -52201,50 +51338,47 @@ cat >>conftest.$ac_ext <<_ACEOF
 #endif
 
 
+typedef uint16_t ac__type_new_;
 int
 main ()
 {
-if ((uint16_t *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (uint16_t))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_uint16_t=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_uint16_t=no
+	ac_cv_type_uint16_t=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_uint16_t" >&5
-echo "${ECHO_T}$ac_cv_type_uint16_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_uint16_t" >&5
+echo "${ECHO_T}$ac_cv_type_uint16_t" >&6; }
 if test $ac_cv_type_uint16_t = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -52253,8 +51387,8 @@ _ACEOF
 
 
 fi
-echo "$as_me:$LINENO: checking for uint32_t" >&5
-echo $ECHO_N "checking for uint32_t... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for uint32_t" >&5
+echo $ECHO_N "checking for uint32_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_uint32_t+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -52282,50 +51416,47 @@ cat >>conftest.$ac_ext <<_ACEOF
 #endif
 
 
+typedef uint32_t ac__type_new_;
 int
 main ()
 {
-if ((uint32_t *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (uint32_t))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_uint32_t=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_uint32_t=no
+	ac_cv_type_uint32_t=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_uint32_t" >&5
-echo "${ECHO_T}$ac_cv_type_uint32_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_uint32_t" >&5
+echo "${ECHO_T}$ac_cv_type_uint32_t" >&6; }
 if test $ac_cv_type_uint32_t = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -52334,8 +51465,8 @@ _ACEOF
 
 
 fi
-echo "$as_me:$LINENO: checking for uint64_t" >&5
-echo $ECHO_N "checking for uint64_t... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for uint64_t" >&5
+echo $ECHO_N "checking for uint64_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_uint64_t+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -52363,50 +51494,47 @@ cat >>conftest.$ac_ext <<_ACEOF
 #endif
 
 
+typedef uint64_t ac__type_new_;
 int
 main ()
 {
-if ((uint64_t *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (uint64_t))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_uint64_t=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_uint64_t=no
+	ac_cv_type_uint64_t=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_uint64_t" >&5
-echo "${ECHO_T}$ac_cv_type_uint64_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_uint64_t" >&5
+echo "${ECHO_T}$ac_cv_type_uint64_t" >&6; }
 if test $ac_cv_type_uint64_t = yes; then
 
 cat >>confdefs.h <<_ACEOF
@@ -52419,10 +51547,162 @@ fi
 
 
 
+{ echo "$as_me:$LINENO: checking for framework security" >&5
+echo $ECHO_N "checking for framework security... $ECHO_C" >&6; }
+if test "${rk_cv_framework_security+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if test "$rk_cv_framework_security" != yes; then
+	ac_save_LIBS="$LIBS"
+	LIBS="$ac_save_LIBS -framework Security -framework CoreFoundation"
+	cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <Security/Security.h>
+
+int
+main ()
+{
+SecKeychainSearchRef searchRef;
+SecKeychainSearchCreateFromAttributes(NULL,kSecCertificateItemClass,NULL, &searchRef);
+CFRelease(&searchRef);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  rk_cv_framework_security=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+if test "$rk_cv_framework_security" = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_FRAMEWORK_SECURITY 1
+_ACEOF
+
+   { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+else
+   { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+ if test "$rk_cv_framework_security" = yes; then
+  FRAMEWORK_SECURITY_TRUE=
+  FRAMEWORK_SECURITY_FALSE='#'
+else
+  FRAMEWORK_SECURITY_TRUE='#'
+  FRAMEWORK_SECURITY_FALSE=
+fi
+
+
+if test "$rk_cv_framework_security" = yes; then
+
+if test "$ac_cv_func_SecKeyGetCSPHandle+set" != set -o "$ac_cv_func_SecKeyGetCSPHandle" = yes; then
+{ echo "$as_me:$LINENO: checking if SecKeyGetCSPHandle needs a prototype" >&5
+echo $ECHO_N "checking if SecKeyGetCSPHandle needs a prototype... $ECHO_C" >&6; }
+if test "${ac_cv_func_SecKeyGetCSPHandle_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <Security/Security.h>
+struct foo { int foo; } xx;
+extern int SecKeyGetCSPHandle (struct foo*);
+int
+main ()
+{
+SecKeyGetCSPHandle(&xx)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_SecKeyGetCSPHandle_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "ac_cv_func_SecKeyGetCSPHandle_noproto=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_func_SecKeyGetCSPHandle_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_SecKeyGetCSPHandle_noproto" >&6; }
+if test "$ac_cv_func_SecKeyGetCSPHandle_noproto" = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define NEED_SECKEYGETCSPHANDLE_PROTO 1
+_ACEOF
+
+fi
+fi
+
+fi
+
+
+
+
 
 
-echo "$as_me:$LINENO: checking for el_init" >&5
-echo $ECHO_N "checking for el_init... $ECHO_C" >&6
+
+{ echo "$as_me:$LINENO: checking for el_init" >&5
+echo $ECHO_N "checking for el_init... $ECHO_C" >&6; }
 if test "${ac_cv_funclib_el_init+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -52454,34 +51734,32 @@ el_init()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "if test -n \"$ac_lib\";then ac_cv_funclib_el_init=$ac_lib; else ac_cv_funclib_el_init=yes; fi";break
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 	done
 	eval "ac_cv_funclib_el_init=\${ac_cv_funclib_el_init-no}"
@@ -52498,9 +51776,9 @@ if false; then
 for ac_func in el_init
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -52526,68 +51804,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -52610,14 +51880,14 @@ case "$ac_res" in
 #define $ac_tr_func 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	;;
 	no)
 	eval "ac_cv_func_el_init=no"
 	eval "LIB_el_init="
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	;;
 	*)
 	eval "ac_cv_func_el_init=yes"
@@ -52630,15 +51900,15 @@ _ACEOF
 #define $ac_tr_lib 1
 _ACEOF
 
-	echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
-echo "${ECHO_T}yes, in $ac_res" >&6
+	{ echo "$as_me:$LINENO: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6; }
 	;;
 esac
 
 
 if test "$ac_cv_func_el_init" = yes ; then
-	echo "$as_me:$LINENO: checking for four argument el_init" >&5
-echo $ECHO_N "checking for four argument el_init... $ECHO_C" >&6
+	{ echo "$as_me:$LINENO: checking for four argument el_init" >&5
+echo $ECHO_N "checking for four argument el_init... $ECHO_C" >&6; }
 if test "${ac_cv_func_el_init_four+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -52660,38 +51930,34 @@ el_init("", NULL, NULL, NULL);
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_func_el_init_four=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_el_init_four=no
+	ac_cv_func_el_init_four=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_el_init_four" >&5
-echo "${ECHO_T}$ac_cv_func_el_init_four" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_el_init_four" >&5
+echo "${ECHO_T}$ac_cv_func_el_init_four" >&6; }
 	if test "$ac_cv_func_el_init_four" = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -52713,9 +51979,7 @@ elif test "$ac_cv_func_el_init" = yes; then
 else
 	LIB_readline="\$(top_builddir)/lib/editline/libeditline.la \$(LIB_tgetent)"
 fi
-
-
-if test "$ac_foo" = yes; then
+ if test "$ac_foo" = yes; then
   el_compat_TRUE=
   el_compat_FALSE='#'
 else
@@ -52768,8 +52032,8 @@ case "$host" in
 *-*-aix3*|*-*-sunos4*|*-*-osf*|*-*-hpux1[01]*)
 	;;
 *)
-	echo "$as_me:$LINENO: checking for getmsg" >&5
-echo $ECHO_N "checking for getmsg... $ECHO_C" >&6
+	{ echo "$as_me:$LINENO: checking for getmsg" >&5
+echo $ECHO_N "checking for getmsg... $ECHO_C" >&6; }
 if test "${ac_cv_func_getmsg+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -52796,72 +52060,63 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef getmsg
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char getmsg ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_getmsg) || defined (__stub___getmsg)
+#if defined __stub_getmsg || defined __stub___getmsg
 choke me
-#else
-char (*f) () = getmsg;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != getmsg;
+return getmsg ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_getmsg=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_getmsg=no
+	ac_cv_func_getmsg=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getmsg" >&5
-echo "${ECHO_T}$ac_cv_func_getmsg" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_getmsg" >&5
+echo "${ECHO_T}$ac_cv_func_getmsg" >&6; }
 
 	if test "$ac_cv_func_getmsg" = "yes"; then
-		echo "$as_me:$LINENO: checking if getmsg works" >&5
-echo $ECHO_N "checking if getmsg works... $ECHO_C" >&6
+		{ echo "$as_me:$LINENO: checking if getmsg works" >&5
+echo $ECHO_N "checking if getmsg works... $ECHO_C" >&6; }
 if test "${ac_cv_func_getmsg_works+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -52878,7 +52133,7 @@ cat >>conftest.$ac_ext <<_ACEOF
 			#include <stdio.h>
 			#include <errno.h>
 
-			int main()
+			int main(int argc, char **argv)
 			{
 			  int ret;
 			  ret = getmsg(open("/dev/null", 0), NULL, NULL, NULL);
@@ -52889,13 +52144,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
@@ -52908,11 +52172,13 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ( exit $ac_status )
 ac_cv_func_getmsg_works=no
 fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
+
+
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getmsg_works" >&5
-echo "${ECHO_T}$ac_cv_func_getmsg_works" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_getmsg_works" >&5
+echo "${ECHO_T}$ac_cv_func_getmsg_works" >&6; }
 		if test "$ac_cv_func_getmsg_works" = "yes"; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -52937,8 +52203,8 @@ esac
 
 # Extract the first word of "compile_et", so it can be a program name with args.
 set dummy compile_et; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_COMPILE_ET+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -52951,32 +52217,35 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_COMPILE_ET="compile_et"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
 fi
 fi
 COMPILE_ET=$ac_cv_prog_COMPILE_ET
 if test -n "$COMPILE_ET"; then
-  echo "$as_me:$LINENO: result: $COMPILE_ET" >&5
-echo "${ECHO_T}$COMPILE_ET" >&6
+  { echo "$as_me:$LINENO: result: $COMPILE_ET" >&5
+echo "${ECHO_T}$COMPILE_ET" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
+
 krb_cv_compile_et="no"
 krb_cv_com_err_need_r=""
+krb_cv_compile_et_cross=no
 if test "${COMPILE_ET}" = "compile_et"; then
 
-echo "$as_me:$LINENO: checking whether compile_et has the features we need" >&5
-echo $ECHO_N "checking whether compile_et has the features we need... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether compile_et has the features we need" >&5
+echo $ECHO_N "checking whether compile_et has the features we need... $ECHO_C" >&6; }
 cat > conftest_et.et <<'EOF'
 error_table test conf
 prefix CONFTEST
@@ -52992,23 +52261,14 @@ if ${COMPILE_ET} conftest_et.et >/dev/null 2>&1; then
     CPPFLAGS="-I/usr/include/et ${CPPFLAGS}"
   fi
     if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot run test program while cross compiling
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
+  krb_cv_compile_et="yes" krb_cv_compile_et_cross=yes
 else
   cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 
 #include <com_err.h>
 #include <string.h>
 #include "conftest_et.h"
-int main(){
+int main(int argc, char **argv){
 #ifndef ERROR_TABLE_BASE_conf
 #error compile_et does not handle error_table N M
 #endif
@@ -53016,13 +52276,22 @@ return (CONFTEST_CODE2 - CONFTEST_CODE1) != 127;}
 
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
@@ -53035,44 +52304,49 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ( exit $ac_status )
 CPPFLAGS="${save_CPPFLAGS}"
 fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
+
+
 fi
-echo "$as_me:$LINENO: result: ${krb_cv_compile_et}" >&5
-echo "${ECHO_T}${krb_cv_compile_et}" >&6
-if test "${krb_cv_compile_et}" = "yes"; then
-  echo "$as_me:$LINENO: checking for if com_err needs to have a initialize_error_table_r" >&5
-echo $ECHO_N "checking for if com_err needs to have a initialize_error_table_r... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: result: ${krb_cv_compile_et}" >&5
+echo "${ECHO_T}${krb_cv_compile_et}" >&6; }
+if test "${krb_cv_compile_et}" = "yes" -a "${krb_cv_compile_et_cross}" = no; then
+  { echo "$as_me:$LINENO: checking for if com_err generates a initialize_conf_error_table_r" >&5
+echo $ECHO_N "checking for if com_err generates a initialize_conf_error_table_r... $ECHO_C" >&6; }
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-#include "conftest_et.c"
+#include "conftest_et.h"
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "initialize_error_table_r" >/dev/null 2>&1; then
-  krb_cv_com_err_need_r="initialize_error_table_r(0,0,0,0);"
+  $EGREP "initialize_conf_error_table_r.*struct et_list" >/dev/null 2>&1; then
+  krb_cv_com_err_need_r="ok"
 fi
 rm -f conftest*
 
   if test X"$krb_cv_com_err_need_r" = X ; then
-    echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+    { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+    krb_cv_compile_et=no
   else
-    echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+    { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
   fi
 fi
 rm -fr conftest*
 fi
 
-if test "${krb_cv_compile_et}" = "yes"; then
+if test "${krb_cv_compile_et_cross}" = yes ; then
+  krb_cv_com_err="cross"
+elif test "${krb_cv_compile_et}" = "yes"; then
     krb_cv_save_LIBS="${LIBS}"
   LIBS="${LIBS} -lcom_err"
-  echo "$as_me:$LINENO: checking for com_err" >&5
-echo $ECHO_N "checking for com_err... $ECHO_C" >&6
+  { echo "$as_me:$LINENO: checking for com_err" >&5
+echo $ECHO_N "checking for com_err... $ECHO_C" >&6; }
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -53086,45 +52360,42 @@ main ()
 
     const char *p;
     p = error_message(0);
-    $krb_cv_com_err_need_r
+    initialize_error_table_r(0,0,0,0);
 
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   krb_cv_com_err="yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-krb_cv_com_err="no"; CPPFLAGS="${save_CPPFLAGS}"
+	krb_cv_com_err="no"; CPPFLAGS="${save_CPPFLAGS}"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
-  echo "$as_me:$LINENO: result: ${krb_cv_com_err}" >&5
-echo "${ECHO_T}${krb_cv_com_err}" >&6
+  { echo "$as_me:$LINENO: result: ${krb_cv_com_err}" >&5
+echo "${ECHO_T}${krb_cv_com_err}" >&6; }
   LIBS="${krb_cv_save_LIBS}"
 else
     krb_cv_com_err="no"
@@ -53137,6 +52408,15 @@ if test "${krb_cv_com_err}" = "yes"; then
     LIB_com_err_so=""
     { echo "$as_me:$LINENO: Using the already-installed com_err" >&5
 echo "$as_me: Using the already-installed com_err" >&6;}
+    localcomerr=no
+elif test "${krb_cv_com_err}" = "cross"; then
+    DIR_com_err="com_err"
+    LIB_com_err="\$(top_builddir)/lib/com_err/libcom_err.la"
+    LIB_com_err_a="\$(top_builddir)/lib/com_err/.libs/libcom_err.a"
+    LIB_com_err_so="\$(top_builddir)/lib/com_err/.libs/libcom_err.so"
+    { echo "$as_me:$LINENO: Using our own com_err with toolchain compile_et" >&5
+echo "$as_me: Using our own com_err with toolchain compile_et" >&6;}
+    localcomerr=yes
 else
     COMPILE_ET="\$(top_builddir)/lib/com_err/compile_et"
     DIR_com_err="com_err"
@@ -53145,6 +52425,14 @@ else
     LIB_com_err_so="\$(top_builddir)/lib/com_err/.libs/libcom_err.so"
     { echo "$as_me:$LINENO: Using our own com_err" >&5
 echo "$as_me: Using our own com_err" >&6;}
+    localcomerr=yes
+fi
+ if test "$localcomerr" = yes; then
+  COM_ERR_TRUE=
+  COM_ERR_FALSE='#'
+else
+  COM_ERR_TRUE='#'
+  COM_ERR_FALSE=
 fi
 
 
@@ -53154,8 +52442,8 @@ fi
 
 
 
-echo "$as_me:$LINENO: checking which authentication modules should be built" >&5
-echo $ECHO_N "checking which authentication modules should be built... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking which authentication modules should be built" >&5
+echo $ECHO_N "checking which authentication modules should be built... $ECHO_C" >&6; }
 
 z='sia afskauthlib'
 LIB_AUTH_SUBDIRS=
@@ -53186,11 +52474,11 @@ esac
 esac
 done
 if test "$LIB_AUTH_SUBDIRS"; then
-	echo "$as_me:$LINENO: result: $LIB_AUTH_SUBDIRS" >&5
-echo "${ECHO_T}$LIB_AUTH_SUBDIRS" >&6
+	{ echo "$as_me:$LINENO: result: $LIB_AUTH_SUBDIRS" >&5
+echo "${ECHO_T}$LIB_AUTH_SUBDIRS" >&6; }
 else
-	echo "$as_me:$LINENO: result: none" >&5
-echo "${ECHO_T}none" >&6
+	{ echo "$as_me:$LINENO: result: none" >&5
+echo "${ECHO_T}none" >&6; }
 fi
 
 
@@ -53269,14 +52557,36 @@ _ACEOF
 
 
 
-LTLIBOBJS=`echo "$LIBOBJS" |
-	sed 's,\.[^.]* ,.lo ,g;s,\.[^.]*$,.lo,'`
 
 
+# Check whether --enable-developer was given.
+if test "${enable_developer+set}" = set; then
+  enableval=$enable_developer;
+fi
 
+if test "X$enable_developer" = Xyes; then
+    dwflags="-Werror"
+fi
 
+WFLAGS_NOUNUSED=""
+WFLAGS_NOIMPLICITINT=""
+if test -z "$WFLAGS" -a "$GCC" = "yes"; then
+  # -Wno-implicit-int for broken X11 headers
+  # leave these out for now:
+  #   -Wcast-align doesn't work well on alpha osf/1
+  #   -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast
+  #   -Wmissing-declarations -Wnested-externs
+  WFLAGS="-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs $dwflags"
+  WFLAGS_NOUNUSED="-Wno-unused"
+  WFLAGS_NOIMPLICITINT="-Wno-implicit-int"
+fi
 
-                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        ac_config_files="$ac_config_files Makefile include/Makefile include/kadm5/Makefile lib/Makefile lib/45/Makefile lib/auth/Makefile lib/auth/afskauthlib/Makefile lib/auth/pam/Makefile lib/auth/sia/Makefile lib/asn1/Makefile lib/com_err/Makefile lib/des/Makefile lib/editline/Makefile lib/gssapi/Makefile lib/hdb/Makefile lib/kadm5/Makefile lib/kafs/Makefile lib/kdfs/Makefile lib/krb5/Makefile lib/otp/Makefile lib/roken/Makefile lib/sl/Makefile lib/vers/Makefile kuser/Makefile kpasswd/Makefile kadmin/Makefile admin/Makefile kdc/Makefile appl/Makefile appl/afsutil/Makefile appl/ftp/Makefile appl/ftp/common/Makefile appl/ftp/ftp/Makefile appl/ftp/ftpd/Makefile appl/kx/Makefile appl/login/Makefile appl/otp/Makefile appl/popper/Makefile appl/push/Makefile appl/rsh/Makefile appl/rcp/Makefile appl/su/Makefile appl/xnlock/Makefile appl/telnet/Makefile appl/telnet/libtelnet/Makefile appl/telnet/telnet/Makefile appl/telnet/telnetd/Makefile appl/test/Makefile appl/kf/Makefile appl/dceutils/Makefile doc/Makefile tools/Makefile"
+
+
+
+
+
+ac_config_files="$ac_config_files Makefile etc/Makefile include/Makefile include/gssapi/Makefile include/hcrypto/Makefile include/kadm5/Makefile lib/Makefile lib/45/Makefile lib/auth/Makefile lib/auth/afskauthlib/Makefile lib/auth/pam/Makefile lib/auth/sia/Makefile lib/asn1/Makefile lib/com_err/Makefile lib/hcrypto/Makefile lib/editline/Makefile lib/hx509/Makefile lib/gssapi/Makefile lib/ntlm/Makefile lib/hdb/Makefile lib/kadm5/Makefile lib/kafs/Makefile lib/kdfs/Makefile lib/krb5/Makefile lib/otp/Makefile lib/roken/Makefile lib/sl/Makefile lib/vers/Makefile kuser/Makefile kpasswd/Makefile kadmin/Makefile admin/Makefile kcm/Makefile kdc/Makefile appl/Makefile appl/afsutil/Makefile appl/ftp/Makefile appl/ftp/common/Makefile appl/ftp/ftp/Makefile appl/ftp/ftpd/Makefile appl/gssmask/Makefile appl/kx/Makefile appl/login/Makefile appl/otp/Makefile appl/popper/Makefile appl/push/Makefile appl/rsh/Makefile appl/rcp/Makefile appl/su/Makefile appl/xnlock/Makefile appl/telnet/Makefile appl/telnet/libtelnet/Makefile appl/telnet/telnet/Makefile appl/telnet/telnetd/Makefile appl/test/Makefile appl/kf/Makefile appl/dceutils/Makefile tests/Makefile tests/can/Makefile tests/db/Makefile tests/kdc/Makefile tests/ldap/Makefile tests/gss/Makefile tests/java/Makefile tests/plugin/Makefile packages/Makefile packages/mac/Makefile packages/debian/Makefile doc/Makefile tools/Makefile"
 
 
 cat >confcache <<\_ACEOF
@@ -53297,39 +52607,58 @@ _ACEOF
 
 # The following way of writing the cache mishandles newlines in values,
 # but we know of no workaround that is simple, portable, and efficient.
-# So, don't put newlines in cache variables' values.
+# So, we kill variables containing newlines.
 # Ultrix sh set writes to stderr and can't be redirected directly,
 # and sets the high bit in the cache file unless we assign to the vars.
-{
+(
+  for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do
+    eval ac_val=\$$ac_var
+    case $ac_val in #(
+    *${as_nl}*)
+      case $ac_var in #(
+      *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
+echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
+      esac
+      case $ac_var in #(
+      _ | IFS | as_nl) ;; #(
+      *) $as_unset $ac_var ;;
+      esac ;;
+    esac
+  done
+
   (set) 2>&1 |
-    case `(ac_space=' '; set | grep ac_space) 2>&1` in
-    *ac_space=\ *)
+    case $as_nl`(ac_space=' '; set) 2>&1` in #(
+    *${as_nl}ac_space=\ *)
       # `set' does not quote correctly, so add quotes (double-quote
       # substitution turns \\\\ into \\, and sed turns \\ into \).
       sed -n \
 	"s/'/'\\\\''/g;
 	  s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
-      ;;
+      ;; #(
     *)
       # `set' quotes correctly as required by POSIX, so do not add quotes.
-      sed -n \
-	"s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p"
+      sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
       ;;
-    esac;
-} |
+    esac |
+    sort
+) |
   sed '
+     /^ac_cv_env_/b end
      t clear
-     : clear
+     :clear
      s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/
      t end
-     /^ac_cv_env/!s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
-     : end' >>confcache
-if diff $cache_file confcache >/dev/null 2>&1; then :; else
-  if test -w $cache_file; then
-    test "x$cache_file" != "x/dev/null" && echo "updating cache $cache_file"
+     s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
+     :end' >>confcache
+if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
+  if test -w "$cache_file"; then
+    test "x$cache_file" != "x/dev/null" &&
+      { echo "$as_me:$LINENO: updating cache $cache_file" >&5
+echo "$as_me: updating cache $cache_file" >&6;}
     cat confcache >$cache_file
   else
-    echo "not updating unwritable cache $cache_file"
+    { echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5
+echo "$as_me: not updating unwritable cache $cache_file" >&6;}
   fi
 fi
 rm -f confcache
@@ -53338,32 +52667,18 @@ test "x$prefix" = xNONE && prefix=$ac_default_prefix
 # Let make expand exec_prefix.
 test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
 
-# VPATH may cause trouble with some makes, so we remove $(srcdir),
-# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
-# trailing colons and then remove the whole line if VPATH becomes empty
-# (actually we leave an empty line to preserve line numbers).
-if test "x$srcdir" = x.; then
-  ac_vpsub='/^[	 ]*VPATH[	 ]*=/{
-s/:*\$(srcdir):*/:/;
-s/:*\${srcdir}:*/:/;
-s/:*@srcdir@:*/:/;
-s/^\([^=]*=[	 ]*\):*/\1/;
-s/:*$//;
-s/^[^=]*=[	 ]*$//;
-}'
-fi
-
 DEFS=-DHAVE_CONFIG_H
 
 ac_libobjs=
 ac_ltlibobjs=
 for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
   # 1. Remove the extension, and $U if already installed.
-  ac_i=`echo "$ac_i" |
-	 sed 's/\$U\././;s/\.o$//;s/\.obj$//'`
-  # 2. Add them.
-  ac_libobjs="$ac_libobjs $ac_i\$U.$ac_objext"
-  ac_ltlibobjs="$ac_ltlibobjs $ac_i"'$U.lo'
+  ac_script='s/\$U\././;s/\.o$//;s/\.obj$//'
+  ac_i=`echo "$ac_i" | sed "$ac_script"`
+  # 2. Prepend LIBOBJDIR.  When used with automake>=1.10 LIBOBJDIR
+  #    will be set to the directory where LIBOBJS objects are built.
+  ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext"
+  ac_ltlibobjs="$ac_ltlibobjs \${LIBOBJDIR}$ac_i"'$U.lo'
 done
 LIBOBJS=$ac_libobjs
 
@@ -53377,6 +52692,34 @@ echo "$as_me: error: conditional \"MAINTAINER_MODE\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
+if test -z "${ENABLE_SHARED_TRUE}" && test -z "${ENABLE_SHARED_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"ENABLE_SHARED\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"ENABLE_SHARED\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${versionscript_TRUE}" && test -z "${versionscript_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"versionscript\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"versionscript\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${OPENLDAP_MODULE_TRUE}" && test -z "${OPENLDAP_MODULE_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"OPENLDAP_MODULE\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"OPENLDAP_MODULE\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${PKINIT_TRUE}" && test -z "${PKINIT_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"PKINIT\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"PKINIT\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
 if test -z "${KRB4_TRUE}" && test -z "${KRB4_FALSE}"; then
   { { echo "$as_me:$LINENO: error: conditional \"KRB4\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
@@ -53440,13 +52783,6 @@ echo "$as_me: error: conditional \"have_err_h\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
-if test -z "${have_fnmatch_h_TRUE}" && test -z "${have_fnmatch_h_FALSE}"; then
-  { { echo "$as_me:$LINENO: error: conditional \"have_fnmatch_h\" was never defined.
-Usually this means the macro was only invoked conditionally." >&5
-echo "$as_me: error: conditional \"have_fnmatch_h\" was never defined.
-Usually this means the macro was only invoked conditionally." >&2;}
-   { (exit 1); exit 1; }; }
-fi
 if test -z "${have_ifaddrs_h_TRUE}" && test -z "${have_ifaddrs_h_FALSE}"; then
   { { echo "$as_me:$LINENO: error: conditional \"have_ifaddrs_h\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
@@ -53468,6 +52804,27 @@ echo "$as_me: error: conditional \"have_glob_h\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
+if test -z "${have_cgetent_TRUE}" && test -z "${have_cgetent_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"have_cgetent\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"have_cgetent\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${have_fnmatch_h_TRUE}" && test -z "${have_fnmatch_h_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"have_fnmatch_h\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"have_fnmatch_h\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${have_socket_wrapper_TRUE}" && test -z "${have_socket_wrapper_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"have_socket_wrapper\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"have_socket_wrapper\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
 if test -z "${OTP_TRUE}" && test -z "${OTP_FALSE}"; then
   { { echo "$as_me:$LINENO: error: conditional \"OTP\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
@@ -53531,6 +52888,20 @@ echo "$as_me: error: conditional \"NEED_WRITEAUTH\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
+if test -z "${KCM_TRUE}" && test -z "${KCM_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"KCM\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"KCM\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${FRAMEWORK_SECURITY_TRUE}" && test -z "${FRAMEWORK_SECURITY_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"FRAMEWORK_SECURITY\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"FRAMEWORK_SECURITY\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
 if test -z "${el_compat_TRUE}" && test -z "${el_compat_FALSE}"; then
   { { echo "$as_me:$LINENO: error: conditional \"el_compat\" was never defined.
 Usually this means the macro was only invoked conditionally." >&5
@@ -53538,6 +52909,13 @@ echo "$as_me: error: conditional \"el_compat\" was never defined.
 Usually this means the macro was only invoked conditionally." >&2;}
    { (exit 1); exit 1; }; }
 fi
+if test -z "${COM_ERR_TRUE}" && test -z "${COM_ERR_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"COM_ERR\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"COM_ERR\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
 
 : ${CONFIG_STATUS=./config.status}
 ac_clean_files_save=$ac_clean_files
@@ -53562,17 +52940,45 @@ cat >>$CONFIG_STATUS <<\_ACEOF
 ## M4sh Initialization.  ##
 ## --------------------- ##
 
-# Be Bourne compatible
+# Be more Bourne compatible
+DUALCASE=1; export DUALCASE # for MKS sh
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
   emulate sh
   NULLCMD=:
   # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
   # is contrary to our usage.  Disable this feature.
   alias -g '${1+"$@"}'='"$@"'
-elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then
-  set -o posix
+  setopt NO_GLOB_SUBST
+else
+  case `(set -o) 2>/dev/null` in
+  *posix*) set -o posix ;;
+esac
+
+fi
+
+
+
+
+# PATH needs CR
+# Avoid depending upon Character Ranges.
+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+as_cr_digits='0123456789'
+as_cr_alnum=$as_cr_Letters$as_cr_digits
+
+# The user is always right.
+if test "${PATH_SEPARATOR+set}" != set; then
+  echo "#! /bin/sh" >conf$$.sh
+  echo  "exit 0"   >>conf$$.sh
+  chmod +x conf$$.sh
+  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
+    PATH_SEPARATOR=';'
+  else
+    PATH_SEPARATOR=:
+  fi
+  rm -f conf$$.sh
 fi
-DUALCASE=1; export DUALCASE # for MKS sh
 
 # Support unset when possible.
 if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
@@ -53582,8 +52988,43 @@ else
 fi
 
 
+# IFS
+# We need space, tab and new line, in precisely that order.  Quoting is
+# there to prevent editors from complaining about space-tab.
+# (If _AS_PATH_WALK were called with IFS unset, it would disable word
+# splitting by setting IFS to empty value.)
+as_nl='
+'
+IFS=" ""	$as_nl"
+
+# Find who we are.  Look in the path if we contain no directory separator.
+case $0 in
+  *[\\/]* ) as_myself=$0 ;;
+  *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+done
+IFS=$as_save_IFS
+
+     ;;
+esac
+# We did not find ourselves, most probably we were run as `sh COMMAND'
+# in which case we are not to be found in the path.
+if test "x$as_myself" = x; then
+  as_myself=$0
+fi
+if test ! -f "$as_myself"; then
+  echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+  { (exit 1); exit 1; }
+fi
+
 # Work around bugs in pre-3.0 UWIN ksh.
-$as_unset ENV MAIL MAILPATH
+for as_var in ENV MAIL MAILPATH
+do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+done
 PS1='$ '
 PS2='> '
 PS4='+ '
@@ -53597,18 +53038,19 @@ do
   if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
     eval $as_var=C; export $as_var
   else
-    $as_unset $as_var
+    ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
   fi
 done
 
 # Required to use basename.
-if expr a : '\(a\)' >/dev/null 2>&1; then
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+   test "X`expr 00001 : '.*\(...\)'`" = X001; then
   as_expr=expr
 else
   as_expr=false
 fi
 
-if (basename /) >/dev/null 2>&1 && test "X`basename / 2>&1`" = "X/"; then
+if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
   as_basename=basename
 else
   as_basename=false
@@ -53616,159 +53058,120 @@ fi
 
 
 # Name of the executable.
-as_me=`$as_basename "$0" ||
+as_me=`$as_basename -- "$0" ||
 $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
 	 X"$0" : 'X\(//\)$' \| \
-	 X"$0" : 'X\(/\)$' \| \
-	 .     : '\(.\)' 2>/dev/null ||
+	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
 echo X/"$0" |
-    sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/; q; }
-  	  /^X\/\(\/\/\)$/{ s//\1/; q; }
-  	  /^X\/\(\/\).*/{ s//\1/; q; }
-  	  s/.*/./; q'`
+    sed '/^.*\/\([^/][^/]*\)\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\/\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\/\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
 
-
-# PATH needs CR, and LINENO needs CR and PATH.
-# Avoid depending upon Character Ranges.
-as_cr_letters='abcdefghijklmnopqrstuvwxyz'
-as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
-as_cr_Letters=$as_cr_letters$as_cr_LETTERS
-as_cr_digits='0123456789'
-as_cr_alnum=$as_cr_Letters$as_cr_digits
-
-# The user is always right.
-if test "${PATH_SEPARATOR+set}" != set; then
-  echo "#! /bin/sh" >conf$$.sh
-  echo  "exit 0"   >>conf$$.sh
-  chmod +x conf$$.sh
-  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
-    PATH_SEPARATOR=';'
-  else
-    PATH_SEPARATOR=:
-  fi
-  rm -f conf$$.sh
-fi
+# CDPATH.
+$as_unset CDPATH
 
 
-  as_lineno_1=$LINENO
-  as_lineno_2=$LINENO
-  as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
-  test "x$as_lineno_1" != "x$as_lineno_2" &&
-  test "x$as_lineno_3"  = "x$as_lineno_2"  || {
-  # Find who we are.  Look in the path if we contain no path at all
-  # relative or not.
-  case $0 in
-    *[\\/]* ) as_myself=$0 ;;
-    *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
-done
 
-       ;;
-  esac
-  # We did not find ourselves, most probably we were run as `sh COMMAND'
-  # in which case we are not to be found in the path.
-  if test "x$as_myself" = x; then
-    as_myself=$0
-  fi
-  if test ! -f "$as_myself"; then
-    { { echo "$as_me:$LINENO: error: cannot find myself; rerun with an absolute path" >&5
-echo "$as_me: error: cannot find myself; rerun with an absolute path" >&2;}
-   { (exit 1); exit 1; }; }
-  fi
-  case $CONFIG_SHELL in
-  '')
-    as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for as_base in sh bash ksh sh5; do
-	 case $as_dir in
-	 /*)
-	   if ("$as_dir/$as_base" -c '
   as_lineno_1=$LINENO
   as_lineno_2=$LINENO
-  as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
   test "x$as_lineno_1" != "x$as_lineno_2" &&
-  test "x$as_lineno_3"  = "x$as_lineno_2" ') 2>/dev/null; then
-	     $as_unset BASH_ENV || test "${BASH_ENV+set}" != set || { BASH_ENV=; export BASH_ENV; }
-	     $as_unset ENV || test "${ENV+set}" != set || { ENV=; export ENV; }
-	     CONFIG_SHELL=$as_dir/$as_base
-	     export CONFIG_SHELL
-	     exec "$CONFIG_SHELL" "$0" ${1+"$@"}
-	   fi;;
-	 esac
-       done
-done
-;;
-  esac
+  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
 
   # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
   # uniformly replaced by the line number.  The first 'sed' inserts a
-  # line-number line before each line; the second 'sed' does the real
-  # work.  The second script uses 'N' to pair each line-number line
-  # with the numbered line, and appends trailing '-' during
-  # substitution so that $LINENO is not a special case at line end.
+  # line-number line after each line using $LINENO; the second 'sed'
+  # does the real work.  The second script uses 'N' to pair each
+  # line-number line with the line containing $LINENO, and appends
+  # trailing '-' during substitution so that $LINENO is not a special
+  # case at line end.
   # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
-  # second 'sed' script.  Blame Lee E. McMahon for sed's syntax.  :-)
-  sed '=' <$as_myself |
+  # scripts with optimization help from Paolo Bonzini.  Blame Lee
+  # E. McMahon (1931-1989) for sed's syntax.  :-)
+  sed -n '
+    p
+    /[$]LINENO/=
+  ' <$as_myself |
     sed '
+      s/[$]LINENO.*/&-/
+      t lineno
+      b
+      :lineno
       N
-      s,$,-,
-      : loop
-      s,^\(['$as_cr_digits']*\)\(.*\)[$]LINENO\([^'$as_cr_alnum'_]\),\1\2\1\3,
+      :loop
+      s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
       t loop
-      s,-$,,
-      s,^['$as_cr_digits']*\n,,
+      s/-\n.*//
     ' >$as_me.lineno &&
-  chmod +x $as_me.lineno ||
-    { { echo "$as_me:$LINENO: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&5
-echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2;}
+  chmod +x "$as_me.lineno" ||
+    { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
    { (exit 1); exit 1; }; }
 
   # Don't try to exec as it changes $[0], causing all sort of problems
   # (the dirname of $[0] is not the place where we might find the
-  # original and so on.  Autoconf is especially sensible to this).
-  . ./$as_me.lineno
+  # original and so on.  Autoconf is especially sensitive to this).
+  . "./$as_me.lineno"
   # Exit status is that of the last command.
   exit
 }
 
 
-case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in
-  *c*,-n*) ECHO_N= ECHO_C='
-' ECHO_T='	' ;;
-  *c*,*  ) ECHO_N=-n ECHO_C= ECHO_T= ;;
-  *)       ECHO_N= ECHO_C='\c' ECHO_T= ;;
+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+  as_dirname=dirname
+else
+  as_dirname=false
+fi
+
+ECHO_C= ECHO_N= ECHO_T=
+case `echo -n x` in
+-n*)
+  case `echo 'x\c'` in
+  *c*) ECHO_T='	';;	# ECHO_T is single tab character.
+  *)   ECHO_C='\c';;
+  esac;;
+*)
+  ECHO_N='-n';;
 esac
 
-if expr a : '\(a\)' >/dev/null 2>&1; then
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+   test "X`expr 00001 : '.*\(...\)'`" = X001; then
   as_expr=expr
 else
   as_expr=false
 fi
 
 rm -f conf$$ conf$$.exe conf$$.file
+if test -d conf$$.dir; then
+  rm -f conf$$.dir/conf$$.file
+else
+  rm -f conf$$.dir
+  mkdir conf$$.dir
+fi
 echo >conf$$.file
 if ln -s conf$$.file conf$$ 2>/dev/null; then
-  # We could just check for DJGPP; but this test a) works b) is more generic
-  # and c) will remain valid once DJGPP supports symlinks (DJGPP 2.04).
-  if test -f conf$$.exe; then
-    # Don't use ln at all; we don't have any links
+  as_ln_s='ln -s'
+  # ... but there are two gotchas:
+  # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+  # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+  # In both cases, we have to default to `cp -p'.
+  ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
     as_ln_s='cp -p'
-  else
-    as_ln_s='ln -s'
-  fi
 elif ln conf$$.file conf$$ 2>/dev/null; then
   as_ln_s=ln
 else
   as_ln_s='cp -p'
 fi
-rm -f conf$$ conf$$.exe conf$$.file
+rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
+rmdir conf$$.dir 2>/dev/null
 
 if mkdir -p . 2>/dev/null; then
   as_mkdir_p=:
@@ -53777,7 +53180,28 @@ else
   as_mkdir_p=false
 fi
 
-as_executable_p="test -f"
+if test -x / >/dev/null 2>&1; then
+  as_test_x='test -x'
+else
+  if ls -dL / >/dev/null 2>&1; then
+    as_ls_L_option=L
+  else
+    as_ls_L_option=
+  fi
+  as_test_x='
+    eval sh -c '\''
+      if test -d "$1"; then
+        test -d "$1/.";
+      else
+	case $1 in
+        -*)set "./$1";;
+	esac;
+	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
+	???[sx]*):;;*)false;;esac;fi
+    '\'' sh
+  '
+fi
+as_executable_p=$as_test_x
 
 # Sed expression to map a string onto a valid CPP name.
 as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
@@ -53786,31 +53210,14 @@ as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
 as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
 
 
-# IFS
-# We need space, tab and new line, in precisely that order.
-as_nl='
-'
-IFS=" 	$as_nl"
-
-# CDPATH.
-$as_unset CDPATH
-
 exec 6>&1
 
-# Open the log real soon, to keep \$[0] and so on meaningful, and to
+# Save the log message, to keep $[0] and so on meaningful, and to
 # report actual input values of CONFIG_FILES etc. instead of their
-# values after options handling.  Logging --version etc. is OK.
-exec 5>>config.log
-{
-  echo
-  sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
-## Running $as_me. ##
-_ASBOX
-} >&5
-cat >&5 <<_CSEOF
-
-This file was extended by Heimdal $as_me 0.6.3, which was
-generated by GNU Autoconf 2.59.  Invocation command line was
+# values after options handling.
+ac_log="
+This file was extended by Heimdal $as_me 1.1, which was
+generated by GNU Autoconf 2.61.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
   CONFIG_HEADERS  = $CONFIG_HEADERS
@@ -53818,30 +53225,19 @@ generated by GNU Autoconf 2.59.  Invocation command line was
   CONFIG_COMMANDS = $CONFIG_COMMANDS
   $ $0 $@
 
-_CSEOF
-echo "on `(hostname || uname -n) 2>/dev/null | sed 1q`" >&5
-echo >&5
+on `(hostname || uname -n) 2>/dev/null | sed 1q`
+"
+
 _ACEOF
 
+cat >>$CONFIG_STATUS <<_ACEOF
 # Files that config.status was made for.
-if test -n "$ac_config_files"; then
-  echo "config_files=\"$ac_config_files\"" >>$CONFIG_STATUS
-fi
-
-if test -n "$ac_config_headers"; then
-  echo "config_headers=\"$ac_config_headers\"" >>$CONFIG_STATUS
-fi
-
-if test -n "$ac_config_links"; then
-  echo "config_links=\"$ac_config_links\"" >>$CONFIG_STATUS
-fi
+config_files="$ac_config_files"
+config_headers="$ac_config_headers"
 
-if test -n "$ac_config_commands"; then
-  echo "config_commands=\"$ac_config_commands\"" >>$CONFIG_STATUS
-fi
+_ACEOF
 
 cat >>$CONFIG_STATUS <<\_ACEOF
-
 ac_cs_usage="\
 \`$as_me' instantiates files from templates according to the
 current configuration.
@@ -53849,7 +53245,7 @@ current configuration.
 Usage: $0 [OPTIONS] [FILE]...
 
   -h, --help       print this help, then exit
-  -V, --version    print version number, then exit
+  -V, --version    print version number and configuration settings, then exit
   -q, --quiet      do not print progress messages
   -d, --debug      don't remove temporary files
       --recheck    update $as_me by reconfiguring in the same conditions
@@ -53865,19 +53261,22 @@ Configuration headers:
 $config_headers
 
 Report bugs to <bug-autoconf@gnu.org>."
-_ACEOF
 
+_ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF
 ac_cs_version="\\
-Heimdal config.status 0.6.3
-configured by $0, generated by GNU Autoconf 2.59,
-  with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"
+Heimdal config.status 1.1
+configured by $0, generated by GNU Autoconf 2.61,
+  with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
 
-Copyright (C) 2003 Free Software Foundation, Inc.
+Copyright (C) 2006 Free Software Foundation, Inc.
 This config.status script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it."
-srcdir=$srcdir
-INSTALL="$INSTALL"
+
+ac_pwd='$ac_pwd'
+srcdir='$srcdir'
+INSTALL='$INSTALL'
+MKDIR_P='$MKDIR_P'
 _ACEOF
 
 cat >>$CONFIG_STATUS <<\_ACEOF
@@ -53888,39 +53287,24 @@ while test $# != 0
 do
   case $1 in
   --*=*)
-    ac_option=`expr "x$1" : 'x\([^=]*\)='`
-    ac_optarg=`expr "x$1" : 'x[^=]*=\(.*\)'`
+    ac_option=`expr "X$1" : 'X\([^=]*\)='`
+    ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'`
     ac_shift=:
     ;;
-  -*)
+  *)
     ac_option=$1
     ac_optarg=$2
     ac_shift=shift
     ;;
-  *) # This is not an option, so the user has probably given explicit
-     # arguments.
-     ac_option=$1
-     ac_need_defaults=false;;
   esac
 
   case $ac_option in
   # Handling of the options.
-_ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF
   -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
     ac_cs_recheck=: ;;
-  --version | --vers* | -V )
-    echo "$ac_cs_version"; exit 0 ;;
-  --he | --h)
-    # Conflict between --help and --header
-    { { echo "$as_me:$LINENO: error: ambiguous option: $1
-Try \`$0 --help' for more information." >&5
-echo "$as_me: error: ambiguous option: $1
-Try \`$0 --help' for more information." >&2;}
-   { (exit 1); exit 1; }; };;
-  --help | --hel | -h )
-    echo "$ac_cs_usage"; exit 0 ;;
-  --debug | --d* | -d )
+  --version | --versio | --versi | --vers | --ver | --ve | --v | -V )
+    echo "$ac_cs_version"; exit ;;
+  --debug | --debu | --deb | --de | --d | -d )
     debug=: ;;
   --file | --fil | --fi | --f )
     $ac_shift
@@ -53930,18 +53314,24 @@ Try \`$0 --help' for more information." >&2;}
     $ac_shift
     CONFIG_HEADERS="$CONFIG_HEADERS $ac_optarg"
     ac_need_defaults=false;;
+  --he | --h)
+    # Conflict between --help and --header
+    { echo "$as_me: error: ambiguous option: $1
+Try \`$0 --help' for more information." >&2
+   { (exit 1); exit 1; }; };;
+  --help | --hel | -h )
+    echo "$ac_cs_usage"; exit ;;
   -q | -quiet | --quiet | --quie | --qui | --qu | --q \
   | -silent | --silent | --silen | --sile | --sil | --si | --s)
     ac_cs_silent=: ;;
 
   # This is an error.
-  -*) { { echo "$as_me:$LINENO: error: unrecognized option: $1
-Try \`$0 --help' for more information." >&5
-echo "$as_me: error: unrecognized option: $1
-Try \`$0 --help' for more information." >&2;}
+  -*) { echo "$as_me: error: unrecognized option: $1
+Try \`$0 --help' for more information." >&2
    { (exit 1); exit 1; }; } ;;
 
-  *) ac_config_targets="$ac_config_targets $1" ;;
+  *) ac_config_targets="$ac_config_targets $1"
+     ac_need_defaults=false ;;
 
   esac
   shift
@@ -53957,80 +53347,112 @@ fi
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF
 if \$ac_cs_recheck; then
-  echo "running $SHELL $0 " $ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6
-  exec $SHELL $0 $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
+  echo "running CONFIG_SHELL=$SHELL $SHELL $0 "$ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6
+  CONFIG_SHELL=$SHELL
+  export CONFIG_SHELL
+  exec $SHELL "$0"$ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
 fi
 
 _ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF
+exec 5>>config.log
+{
+  echo
+  sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
+## Running $as_me. ##
+_ASBOX
+  echo "$ac_log"
+} >&5
 
-
-
-
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF
+_ACEOF
 
 cat >>$CONFIG_STATUS <<\_ACEOF
+
+# Handling of arguments.
 for ac_config_target in $ac_config_targets
 do
-  case "$ac_config_target" in
-  # Handling of arguments.
-  "Makefile" ) CONFIG_FILES="$CONFIG_FILES Makefile" ;;
-  "include/Makefile" ) CONFIG_FILES="$CONFIG_FILES include/Makefile" ;;
-  "include/kadm5/Makefile" ) CONFIG_FILES="$CONFIG_FILES include/kadm5/Makefile" ;;
-  "lib/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/Makefile" ;;
-  "lib/45/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/45/Makefile" ;;
-  "lib/auth/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/auth/Makefile" ;;
-  "lib/auth/afskauthlib/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/auth/afskauthlib/Makefile" ;;
-  "lib/auth/pam/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/auth/pam/Makefile" ;;
-  "lib/auth/sia/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/auth/sia/Makefile" ;;
-  "lib/asn1/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/asn1/Makefile" ;;
-  "lib/com_err/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/com_err/Makefile" ;;
-  "lib/des/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/des/Makefile" ;;
-  "lib/editline/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/editline/Makefile" ;;
-  "lib/gssapi/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/gssapi/Makefile" ;;
-  "lib/hdb/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/hdb/Makefile" ;;
-  "lib/kadm5/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/kadm5/Makefile" ;;
-  "lib/kafs/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/kafs/Makefile" ;;
-  "lib/kdfs/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/kdfs/Makefile" ;;
-  "lib/krb5/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/krb5/Makefile" ;;
-  "lib/otp/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/otp/Makefile" ;;
-  "lib/roken/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/roken/Makefile" ;;
-  "lib/sl/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/sl/Makefile" ;;
-  "lib/vers/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/vers/Makefile" ;;
-  "kuser/Makefile" ) CONFIG_FILES="$CONFIG_FILES kuser/Makefile" ;;
-  "kpasswd/Makefile" ) CONFIG_FILES="$CONFIG_FILES kpasswd/Makefile" ;;
-  "kadmin/Makefile" ) CONFIG_FILES="$CONFIG_FILES kadmin/Makefile" ;;
-  "admin/Makefile" ) CONFIG_FILES="$CONFIG_FILES admin/Makefile" ;;
-  "kdc/Makefile" ) CONFIG_FILES="$CONFIG_FILES kdc/Makefile" ;;
-  "appl/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/Makefile" ;;
-  "appl/afsutil/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/afsutil/Makefile" ;;
-  "appl/ftp/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/ftp/Makefile" ;;
-  "appl/ftp/common/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/ftp/common/Makefile" ;;
-  "appl/ftp/ftp/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/ftp/ftp/Makefile" ;;
-  "appl/ftp/ftpd/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/ftp/ftpd/Makefile" ;;
-  "appl/kx/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/kx/Makefile" ;;
-  "appl/login/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/login/Makefile" ;;
-  "appl/otp/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/otp/Makefile" ;;
-  "appl/popper/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/popper/Makefile" ;;
-  "appl/push/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/push/Makefile" ;;
-  "appl/rsh/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/rsh/Makefile" ;;
-  "appl/rcp/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/rcp/Makefile" ;;
-  "appl/su/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/su/Makefile" ;;
-  "appl/xnlock/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/xnlock/Makefile" ;;
-  "appl/telnet/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/telnet/Makefile" ;;
-  "appl/telnet/libtelnet/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/telnet/libtelnet/Makefile" ;;
-  "appl/telnet/telnet/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/telnet/telnet/Makefile" ;;
-  "appl/telnet/telnetd/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/telnet/telnetd/Makefile" ;;
-  "appl/test/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/test/Makefile" ;;
-  "appl/kf/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/kf/Makefile" ;;
-  "appl/dceutils/Makefile" ) CONFIG_FILES="$CONFIG_FILES appl/dceutils/Makefile" ;;
-  "doc/Makefile" ) CONFIG_FILES="$CONFIG_FILES doc/Makefile" ;;
-  "tools/Makefile" ) CONFIG_FILES="$CONFIG_FILES tools/Makefile" ;;
-  "include/config.h" ) CONFIG_HEADERS="$CONFIG_HEADERS include/config.h" ;;
+  case $ac_config_target in
+    "include/config.h") CONFIG_HEADERS="$CONFIG_HEADERS include/config.h" ;;
+    "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
+    "etc/Makefile") CONFIG_FILES="$CONFIG_FILES etc/Makefile" ;;
+    "include/Makefile") CONFIG_FILES="$CONFIG_FILES include/Makefile" ;;
+    "include/gssapi/Makefile") CONFIG_FILES="$CONFIG_FILES include/gssapi/Makefile" ;;
+    "include/hcrypto/Makefile") CONFIG_FILES="$CONFIG_FILES include/hcrypto/Makefile" ;;
+    "include/kadm5/Makefile") CONFIG_FILES="$CONFIG_FILES include/kadm5/Makefile" ;;
+    "lib/Makefile") CONFIG_FILES="$CONFIG_FILES lib/Makefile" ;;
+    "lib/45/Makefile") CONFIG_FILES="$CONFIG_FILES lib/45/Makefile" ;;
+    "lib/auth/Makefile") CONFIG_FILES="$CONFIG_FILES lib/auth/Makefile" ;;
+    "lib/auth/afskauthlib/Makefile") CONFIG_FILES="$CONFIG_FILES lib/auth/afskauthlib/Makefile" ;;
+    "lib/auth/pam/Makefile") CONFIG_FILES="$CONFIG_FILES lib/auth/pam/Makefile" ;;
+    "lib/auth/sia/Makefile") CONFIG_FILES="$CONFIG_FILES lib/auth/sia/Makefile" ;;
+    "lib/asn1/Makefile") CONFIG_FILES="$CONFIG_FILES lib/asn1/Makefile" ;;
+    "lib/com_err/Makefile") CONFIG_FILES="$CONFIG_FILES lib/com_err/Makefile" ;;
+    "lib/hcrypto/Makefile") CONFIG_FILES="$CONFIG_FILES lib/hcrypto/Makefile" ;;
+    "lib/editline/Makefile") CONFIG_FILES="$CONFIG_FILES lib/editline/Makefile" ;;
+    "lib/hx509/Makefile") CONFIG_FILES="$CONFIG_FILES lib/hx509/Makefile" ;;
+    "lib/gssapi/Makefile") CONFIG_FILES="$CONFIG_FILES lib/gssapi/Makefile" ;;
+    "lib/ntlm/Makefile") CONFIG_FILES="$CONFIG_FILES lib/ntlm/Makefile" ;;
+    "lib/hdb/Makefile") CONFIG_FILES="$CONFIG_FILES lib/hdb/Makefile" ;;
+    "lib/kadm5/Makefile") CONFIG_FILES="$CONFIG_FILES lib/kadm5/Makefile" ;;
+    "lib/kafs/Makefile") CONFIG_FILES="$CONFIG_FILES lib/kafs/Makefile" ;;
+    "lib/kdfs/Makefile") CONFIG_FILES="$CONFIG_FILES lib/kdfs/Makefile" ;;
+    "lib/krb5/Makefile") CONFIG_FILES="$CONFIG_FILES lib/krb5/Makefile" ;;
+    "lib/otp/Makefile") CONFIG_FILES="$CONFIG_FILES lib/otp/Makefile" ;;
+    "lib/roken/Makefile") CONFIG_FILES="$CONFIG_FILES lib/roken/Makefile" ;;
+    "lib/sl/Makefile") CONFIG_FILES="$CONFIG_FILES lib/sl/Makefile" ;;
+    "lib/vers/Makefile") CONFIG_FILES="$CONFIG_FILES lib/vers/Makefile" ;;
+    "kuser/Makefile") CONFIG_FILES="$CONFIG_FILES kuser/Makefile" ;;
+    "kpasswd/Makefile") CONFIG_FILES="$CONFIG_FILES kpasswd/Makefile" ;;
+    "kadmin/Makefile") CONFIG_FILES="$CONFIG_FILES kadmin/Makefile" ;;
+    "admin/Makefile") CONFIG_FILES="$CONFIG_FILES admin/Makefile" ;;
+    "kcm/Makefile") CONFIG_FILES="$CONFIG_FILES kcm/Makefile" ;;
+    "kdc/Makefile") CONFIG_FILES="$CONFIG_FILES kdc/Makefile" ;;
+    "appl/Makefile") CONFIG_FILES="$CONFIG_FILES appl/Makefile" ;;
+    "appl/afsutil/Makefile") CONFIG_FILES="$CONFIG_FILES appl/afsutil/Makefile" ;;
+    "appl/ftp/Makefile") CONFIG_FILES="$CONFIG_FILES appl/ftp/Makefile" ;;
+    "appl/ftp/common/Makefile") CONFIG_FILES="$CONFIG_FILES appl/ftp/common/Makefile" ;;
+    "appl/ftp/ftp/Makefile") CONFIG_FILES="$CONFIG_FILES appl/ftp/ftp/Makefile" ;;
+    "appl/ftp/ftpd/Makefile") CONFIG_FILES="$CONFIG_FILES appl/ftp/ftpd/Makefile" ;;
+    "appl/gssmask/Makefile") CONFIG_FILES="$CONFIG_FILES appl/gssmask/Makefile" ;;
+    "appl/kx/Makefile") CONFIG_FILES="$CONFIG_FILES appl/kx/Makefile" ;;
+    "appl/login/Makefile") CONFIG_FILES="$CONFIG_FILES appl/login/Makefile" ;;
+    "appl/otp/Makefile") CONFIG_FILES="$CONFIG_FILES appl/otp/Makefile" ;;
+    "appl/popper/Makefile") CONFIG_FILES="$CONFIG_FILES appl/popper/Makefile" ;;
+    "appl/push/Makefile") CONFIG_FILES="$CONFIG_FILES appl/push/Makefile" ;;
+    "appl/rsh/Makefile") CONFIG_FILES="$CONFIG_FILES appl/rsh/Makefile" ;;
+    "appl/rcp/Makefile") CONFIG_FILES="$CONFIG_FILES appl/rcp/Makefile" ;;
+    "appl/su/Makefile") CONFIG_FILES="$CONFIG_FILES appl/su/Makefile" ;;
+    "appl/xnlock/Makefile") CONFIG_FILES="$CONFIG_FILES appl/xnlock/Makefile" ;;
+    "appl/telnet/Makefile") CONFIG_FILES="$CONFIG_FILES appl/telnet/Makefile" ;;
+    "appl/telnet/libtelnet/Makefile") CONFIG_FILES="$CONFIG_FILES appl/telnet/libtelnet/Makefile" ;;
+    "appl/telnet/telnet/Makefile") CONFIG_FILES="$CONFIG_FILES appl/telnet/telnet/Makefile" ;;
+    "appl/telnet/telnetd/Makefile") CONFIG_FILES="$CONFIG_FILES appl/telnet/telnetd/Makefile" ;;
+    "appl/test/Makefile") CONFIG_FILES="$CONFIG_FILES appl/test/Makefile" ;;
+    "appl/kf/Makefile") CONFIG_FILES="$CONFIG_FILES appl/kf/Makefile" ;;
+    "appl/dceutils/Makefile") CONFIG_FILES="$CONFIG_FILES appl/dceutils/Makefile" ;;
+    "tests/Makefile") CONFIG_FILES="$CONFIG_FILES tests/Makefile" ;;
+    "tests/can/Makefile") CONFIG_FILES="$CONFIG_FILES tests/can/Makefile" ;;
+    "tests/db/Makefile") CONFIG_FILES="$CONFIG_FILES tests/db/Makefile" ;;
+    "tests/kdc/Makefile") CONFIG_FILES="$CONFIG_FILES tests/kdc/Makefile" ;;
+    "tests/ldap/Makefile") CONFIG_FILES="$CONFIG_FILES tests/ldap/Makefile" ;;
+    "tests/gss/Makefile") CONFIG_FILES="$CONFIG_FILES tests/gss/Makefile" ;;
+    "tests/java/Makefile") CONFIG_FILES="$CONFIG_FILES tests/java/Makefile" ;;
+    "tests/plugin/Makefile") CONFIG_FILES="$CONFIG_FILES tests/plugin/Makefile" ;;
+    "packages/Makefile") CONFIG_FILES="$CONFIG_FILES packages/Makefile" ;;
+    "packages/mac/Makefile") CONFIG_FILES="$CONFIG_FILES packages/mac/Makefile" ;;
+    "packages/debian/Makefile") CONFIG_FILES="$CONFIG_FILES packages/debian/Makefile" ;;
+    "doc/Makefile") CONFIG_FILES="$CONFIG_FILES doc/Makefile" ;;
+    "tools/Makefile") CONFIG_FILES="$CONFIG_FILES tools/Makefile" ;;
+
   *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
 echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
    { (exit 1); exit 1; }; };;
   esac
 done
 
+
 # If the user did not use the arguments to specify the items to instantiate,
 # then the envvar interface is used.  Set only those that are not.
 # We use the long form for the default assignment because of an extremely
@@ -54041,722 +53463,782 @@ if $ac_need_defaults; then
 fi
 
 # Have a temporary directory for convenience.  Make it in the build tree
-# simply because there is no reason to put it here, and in addition,
+# simply because there is no reason against having it here, and in addition,
 # creating and moving files from /tmp can sometimes cause problems.
-# Create a temporary directory, and hook for its removal unless debugging.
+# Hook for its removal unless debugging.
+# Note that there is a small window in which the directory will not be cleaned:
+# after its creation but before its name has been assigned to `$tmp'.
 $debug ||
 {
-  trap 'exit_status=$?; rm -rf $tmp && exit $exit_status' 0
+  tmp=
+  trap 'exit_status=$?
+  { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status
+' 0
   trap '{ (exit 1); exit 1; }' 1 2 13 15
 }
-
 # Create a (secure) tmp directory for tmp files.
 
 {
-  tmp=`(umask 077 && mktemp -d -q "./confstatXXXXXX") 2>/dev/null` &&
+  tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` &&
   test -n "$tmp" && test -d "$tmp"
 }  ||
 {
-  tmp=./confstat$$-$RANDOM
-  (umask 077 && mkdir $tmp)
+  tmp=./conf$$-$RANDOM
+  (umask 077 && mkdir "$tmp")
 } ||
 {
    echo "$me: cannot create a temporary directory in ." >&2
    { (exit 1); exit 1; }
 }
 
-_ACEOF
-
-cat >>$CONFIG_STATUS <<_ACEOF
-
 #
-# CONFIG_FILES section.
+# Set up the sed scripts for CONFIG_FILES section.
 #
 
 # No need to generate the scripts if there are no CONFIG_FILES.
 # This happens for instance when ./config.status config.h
-if test -n "\$CONFIG_FILES"; then
-  # Protect against being on the right side of a sed subst in config.status.
-  sed 's/,@/@@/; s/@,/@@/; s/,;t t\$/@;t t/; /@;t t\$/s/[\\\\&,]/\\\\&/g;
-   s/@@/,@/; s/@@/@,/; s/@;t t\$/,;t t/' >\$tmp/subs.sed <<\\CEOF
-s,@SHELL@,$SHELL,;t t
-s,@PATH_SEPARATOR@,$PATH_SEPARATOR,;t t
-s,@PACKAGE_NAME@,$PACKAGE_NAME,;t t
-s,@PACKAGE_TARNAME@,$PACKAGE_TARNAME,;t t
-s,@PACKAGE_VERSION@,$PACKAGE_VERSION,;t t
-s,@PACKAGE_STRING@,$PACKAGE_STRING,;t t
-s,@PACKAGE_BUGREPORT@,$PACKAGE_BUGREPORT,;t t
-s,@exec_prefix@,$exec_prefix,;t t
-s,@prefix@,$prefix,;t t
-s,@program_transform_name@,$program_transform_name,;t t
-s,@bindir@,$bindir,;t t
-s,@sbindir@,$sbindir,;t t
-s,@libexecdir@,$libexecdir,;t t
-s,@datadir@,$datadir,;t t
-s,@sysconfdir@,$sysconfdir,;t t
-s,@sharedstatedir@,$sharedstatedir,;t t
-s,@localstatedir@,$localstatedir,;t t
-s,@libdir@,$libdir,;t t
-s,@includedir@,$includedir,;t t
-s,@oldincludedir@,$oldincludedir,;t t
-s,@infodir@,$infodir,;t t
-s,@mandir@,$mandir,;t t
-s,@build_alias@,$build_alias,;t t
-s,@host_alias@,$host_alias,;t t
-s,@target_alias@,$target_alias,;t t
-s,@DEFS@,$DEFS,;t t
-s,@ECHO_C@,$ECHO_C,;t t
-s,@ECHO_N@,$ECHO_N,;t t
-s,@ECHO_T@,$ECHO_T,;t t
-s,@LIBS@,$LIBS,;t t
-s,@CC@,$CC,;t t
-s,@CFLAGS@,$CFLAGS,;t t
-s,@LDFLAGS@,$LDFLAGS,;t t
-s,@CPPFLAGS@,$CPPFLAGS,;t t
-s,@ac_ct_CC@,$ac_ct_CC,;t t
-s,@EXEEXT@,$EXEEXT,;t t
-s,@OBJEXT@,$OBJEXT,;t t
-s,@CPP@,$CPP,;t t
-s,@INSTALL_PROGRAM@,$INSTALL_PROGRAM,;t t
-s,@INSTALL_SCRIPT@,$INSTALL_SCRIPT,;t t
-s,@INSTALL_DATA@,$INSTALL_DATA,;t t
-s,@CYGPATH_W@,$CYGPATH_W,;t t
-s,@PACKAGE@,$PACKAGE,;t t
-s,@VERSION@,$VERSION,;t t
-s,@ACLOCAL@,$ACLOCAL,;t t
-s,@AUTOCONF@,$AUTOCONF,;t t
-s,@AUTOMAKE@,$AUTOMAKE,;t t
-s,@AUTOHEADER@,$AUTOHEADER,;t t
-s,@MAKEINFO@,$MAKEINFO,;t t
-s,@AMTAR@,$AMTAR,;t t
-s,@install_sh@,$install_sh,;t t
-s,@STRIP@,$STRIP,;t t
-s,@ac_ct_STRIP@,$ac_ct_STRIP,;t t
-s,@INSTALL_STRIP_PROGRAM@,$INSTALL_STRIP_PROGRAM,;t t
-s,@mkdir_p@,$mkdir_p,;t t
-s,@AWK@,$AWK,;t t
-s,@SET_MAKE@,$SET_MAKE,;t t
-s,@am__leading_dot@,$am__leading_dot,;t t
-s,@MAINTAINER_MODE_TRUE@,$MAINTAINER_MODE_TRUE,;t t
-s,@MAINTAINER_MODE_FALSE@,$MAINTAINER_MODE_FALSE,;t t
-s,@MAINT@,$MAINT,;t t
-s,@build@,$build,;t t
-s,@build_cpu@,$build_cpu,;t t
-s,@build_vendor@,$build_vendor,;t t
-s,@build_os@,$build_os,;t t
-s,@host@,$host,;t t
-s,@host_cpu@,$host_cpu,;t t
-s,@host_vendor@,$host_vendor,;t t
-s,@host_os@,$host_os,;t t
-s,@CANONICAL_HOST@,$CANONICAL_HOST,;t t
-s,@YACC@,$YACC,;t t
-s,@LEX@,$LEX,;t t
-s,@LEXLIB@,$LEXLIB,;t t
-s,@LEX_OUTPUT_ROOT@,$LEX_OUTPUT_ROOT,;t t
-s,@LN_S@,$LN_S,;t t
-s,@EGREP@,$EGREP,;t t
-s,@ECHO@,$ECHO,;t t
-s,@AR@,$AR,;t t
-s,@ac_ct_AR@,$ac_ct_AR,;t t
-s,@RANLIB@,$RANLIB,;t t
-s,@ac_ct_RANLIB@,$ac_ct_RANLIB,;t t
-s,@CXX@,$CXX,;t t
-s,@CXXFLAGS@,$CXXFLAGS,;t t
-s,@ac_ct_CXX@,$ac_ct_CXX,;t t
-s,@CXXCPP@,$CXXCPP,;t t
-s,@F77@,$F77,;t t
-s,@FFLAGS@,$FFLAGS,;t t
-s,@ac_ct_F77@,$ac_ct_F77,;t t
-s,@LIBTOOL@,$LIBTOOL,;t t
-s,@WFLAGS@,$WFLAGS,;t t
-s,@WFLAGS_NOUNUSED@,$WFLAGS_NOUNUSED,;t t
-s,@WFLAGS_NOIMPLICITINT@,$WFLAGS_NOIMPLICITINT,;t t
-s,@INCLUDE_openldap@,$INCLUDE_openldap,;t t
-s,@LIB_openldap@,$LIB_openldap,;t t
-s,@INCLUDE_krb4@,$INCLUDE_krb4,;t t
-s,@LIB_krb4@,$LIB_krb4,;t t
-s,@EXTRA_LIB45@,$EXTRA_LIB45,;t t
-s,@LIB_krb_enable_debug@,$LIB_krb_enable_debug,;t t
-s,@LIB_krb_disable_debug@,$LIB_krb_disable_debug,;t t
-s,@LIB_krb_get_our_ip_for_realm@,$LIB_krb_get_our_ip_for_realm,;t t
-s,@LIB_krb_kdctimeofday@,$LIB_krb_kdctimeofday,;t t
-s,@LIB_krb_get_kdc_time_diff@,$LIB_krb_get_kdc_time_diff,;t t
-s,@KRB4_TRUE@,$KRB4_TRUE,;t t
-s,@KRB4_FALSE@,$KRB4_FALSE,;t t
-s,@KRB5_TRUE@,$KRB5_TRUE,;t t
-s,@KRB5_FALSE@,$KRB5_FALSE,;t t
-s,@do_roken_rename_TRUE@,$do_roken_rename_TRUE,;t t
-s,@do_roken_rename_FALSE@,$do_roken_rename_FALSE,;t t
-s,@LIB_kdb@,$LIB_kdb,;t t
-s,@HAVE_OPENSSL_TRUE@,$HAVE_OPENSSL_TRUE,;t t
-s,@HAVE_OPENSSL_FALSE@,$HAVE_OPENSSL_FALSE,;t t
-s,@DIR_des@,$DIR_des,;t t
-s,@INCLUDE_des@,$INCLUDE_des,;t t
-s,@LIB_des@,$LIB_des,;t t
-s,@LIB_des_a@,$LIB_des_a,;t t
-s,@LIB_des_so@,$LIB_des_so,;t t
-s,@LIB_des_appl@,$LIB_des_appl,;t t
-s,@DCE_TRUE@,$DCE_TRUE,;t t
-s,@DCE_FALSE@,$DCE_FALSE,;t t
-s,@dpagaix_cflags@,$dpagaix_cflags,;t t
-s,@dpagaix_ldadd@,$dpagaix_ldadd,;t t
-s,@dpagaix_ldflags@,$dpagaix_ldflags,;t t
-s,@LIB_db_create@,$LIB_db_create,;t t
-s,@LIB_dbopen@,$LIB_dbopen,;t t
-s,@LIB_dbm_firstkey@,$LIB_dbm_firstkey,;t t
-s,@HAVE_DB1_TRUE@,$HAVE_DB1_TRUE,;t t
-s,@HAVE_DB1_FALSE@,$HAVE_DB1_FALSE,;t t
-s,@HAVE_DB3_TRUE@,$HAVE_DB3_TRUE,;t t
-s,@HAVE_DB3_FALSE@,$HAVE_DB3_FALSE,;t t
-s,@HAVE_NDBM_TRUE@,$HAVE_NDBM_TRUE,;t t
-s,@HAVE_NDBM_FALSE@,$HAVE_NDBM_FALSE,;t t
-s,@DBLIB@,$DBLIB,;t t
-s,@LIB_NDBM@,$LIB_NDBM,;t t
-s,@VOID_RETSIGTYPE@,$VOID_RETSIGTYPE,;t t
-s,@have_err_h_TRUE@,$have_err_h_TRUE,;t t
-s,@have_err_h_FALSE@,$have_err_h_FALSE,;t t
-s,@have_fnmatch_h_TRUE@,$have_fnmatch_h_TRUE,;t t
-s,@have_fnmatch_h_FALSE@,$have_fnmatch_h_FALSE,;t t
-s,@have_ifaddrs_h_TRUE@,$have_ifaddrs_h_TRUE,;t t
-s,@have_ifaddrs_h_FALSE@,$have_ifaddrs_h_FALSE,;t t
-s,@have_vis_h_TRUE@,$have_vis_h_TRUE,;t t
-s,@have_vis_h_FALSE@,$have_vis_h_FALSE,;t t
-s,@LIB_socket@,$LIB_socket,;t t
-s,@LIB_gethostbyname@,$LIB_gethostbyname,;t t
-s,@LIB_syslog@,$LIB_syslog,;t t
-s,@LIB_gethostbyname2@,$LIB_gethostbyname2,;t t
-s,@LIB_res_search@,$LIB_res_search,;t t
-s,@LIB_res_nsearch@,$LIB_res_nsearch,;t t
-s,@LIB_dn_expand@,$LIB_dn_expand,;t t
-s,@LIBOBJS@,$LIBOBJS,;t t
-s,@have_glob_h_TRUE@,$have_glob_h_TRUE,;t t
-s,@have_glob_h_FALSE@,$have_glob_h_FALSE,;t t
-s,@LIB_getsockopt@,$LIB_getsockopt,;t t
-s,@LIB_setsockopt@,$LIB_setsockopt,;t t
-s,@LIB_hstrerror@,$LIB_hstrerror,;t t
-s,@LIB_bswap16@,$LIB_bswap16,;t t
-s,@LIB_bswap32@,$LIB_bswap32,;t t
-s,@LIB_pidfile@,$LIB_pidfile,;t t
-s,@LIB_getaddrinfo@,$LIB_getaddrinfo,;t t
-s,@LIB_getnameinfo@,$LIB_getnameinfo,;t t
-s,@LIB_freeaddrinfo@,$LIB_freeaddrinfo,;t t
-s,@LIB_gai_strerror@,$LIB_gai_strerror,;t t
-s,@LIB_crypt@,$LIB_crypt,;t t
-s,@DIR_roken@,$DIR_roken,;t t
-s,@LIB_roken@,$LIB_roken,;t t
-s,@INCLUDES_roken@,$INCLUDES_roken,;t t
-s,@LIB_otp@,$LIB_otp,;t t
-s,@OTP_TRUE@,$OTP_TRUE,;t t
-s,@OTP_FALSE@,$OTP_FALSE,;t t
-s,@LIB_security@,$LIB_security,;t t
-s,@NROFF@,$NROFF,;t t
-s,@GROFF@,$GROFF,;t t
-s,@CATMAN@,$CATMAN,;t t
-s,@CATMAN_TRUE@,$CATMAN_TRUE,;t t
-s,@CATMAN_FALSE@,$CATMAN_FALSE,;t t
-s,@CATMANEXT@,$CATMANEXT,;t t
-s,@INCLUDE_readline@,$INCLUDE_readline,;t t
-s,@LIB_readline@,$LIB_readline,;t t
-s,@INCLUDE_hesiod@,$INCLUDE_hesiod,;t t
-s,@LIB_hesiod@,$LIB_hesiod,;t t
-s,@AIX_TRUE@,$AIX_TRUE,;t t
-s,@AIX_FALSE@,$AIX_FALSE,;t t
-s,@AIX4_TRUE@,$AIX4_TRUE,;t t
-s,@AIX4_FALSE@,$AIX4_FALSE,;t t
-s,@LIB_dlopen@,$LIB_dlopen,;t t
-s,@HAVE_DLOPEN_TRUE@,$HAVE_DLOPEN_TRUE,;t t
-s,@HAVE_DLOPEN_FALSE@,$HAVE_DLOPEN_FALSE,;t t
-s,@LIB_loadquery@,$LIB_loadquery,;t t
-s,@AIX_DYNAMIC_AFS_TRUE@,$AIX_DYNAMIC_AFS_TRUE,;t t
-s,@AIX_DYNAMIC_AFS_FALSE@,$AIX_DYNAMIC_AFS_FALSE,;t t
-s,@AIX_EXTRA_KAFS@,$AIX_EXTRA_KAFS,;t t
-s,@IRIX_TRUE@,$IRIX_TRUE,;t t
-s,@IRIX_FALSE@,$IRIX_FALSE,;t t
-s,@X_CFLAGS@,$X_CFLAGS,;t t
-s,@X_PRE_LIBS@,$X_PRE_LIBS,;t t
-s,@X_LIBS@,$X_LIBS,;t t
-s,@X_EXTRA_LIBS@,$X_EXTRA_LIBS,;t t
-s,@HAVE_X_TRUE@,$HAVE_X_TRUE,;t t
-s,@HAVE_X_FALSE@,$HAVE_X_FALSE,;t t
-s,@LIB_XauWriteAuth@,$LIB_XauWriteAuth,;t t
-s,@LIB_XauReadAuth@,$LIB_XauReadAuth,;t t
-s,@LIB_XauFileName@,$LIB_XauFileName,;t t
-s,@NEED_WRITEAUTH_TRUE@,$NEED_WRITEAUTH_TRUE,;t t
-s,@NEED_WRITEAUTH_FALSE@,$NEED_WRITEAUTH_FALSE,;t t
-s,@LIB_logwtmp@,$LIB_logwtmp,;t t
-s,@LIB_logout@,$LIB_logout,;t t
-s,@LIB_openpty@,$LIB_openpty,;t t
-s,@LIB_tgetent@,$LIB_tgetent,;t t
-s,@LIB_getpwnam_r@,$LIB_getpwnam_r,;t t
-s,@LIB_el_init@,$LIB_el_init,;t t
-s,@el_compat_TRUE@,$el_compat_TRUE,;t t
-s,@el_compat_FALSE@,$el_compat_FALSE,;t t
-s,@COMPILE_ET@,$COMPILE_ET,;t t
-s,@DIR_com_err@,$DIR_com_err,;t t
-s,@LIB_com_err@,$LIB_com_err,;t t
-s,@LIB_com_err_a@,$LIB_com_err_a,;t t
-s,@LIB_com_err_so@,$LIB_com_err_so,;t t
-s,@LIB_AUTH_SUBDIRS@,$LIB_AUTH_SUBDIRS,;t t
-s,@LTLIBOBJS@,$LTLIBOBJS,;t t
-CEOF
-
-_ACEOF
-
-  cat >>$CONFIG_STATUS <<\_ACEOF
-  # Split the substitutions into bite-sized pieces for seds with
-  # small command number limits, like on Digital OSF/1 and HP-UX.
-  ac_max_sed_lines=48
-  ac_sed_frag=1 # Number of current file.
-  ac_beg=1 # First line for current file.
-  ac_end=$ac_max_sed_lines # Line after last line for current file.
-  ac_more_lines=:
-  ac_sed_cmds=
-  while $ac_more_lines; do
-    if test $ac_beg -gt 1; then
-      sed "1,${ac_beg}d; ${ac_end}q" $tmp/subs.sed >$tmp/subs.frag
-    else
-      sed "${ac_end}q" $tmp/subs.sed >$tmp/subs.frag
-    fi
-    if test ! -s $tmp/subs.frag; then
-      ac_more_lines=false
-    else
-      # The purpose of the label and of the branching condition is to
-      # speed up the sed processing (if there are no `@' at all, there
-      # is no need to browse any of the substitutions).
-      # These are the two extra sed commands mentioned above.
-      (echo ':t
-  /@[a-zA-Z_][a-zA-Z_0-9]*@/!b' && cat $tmp/subs.frag) >$tmp/subs-$ac_sed_frag.sed
-      if test -z "$ac_sed_cmds"; then
-	ac_sed_cmds="sed -f $tmp/subs-$ac_sed_frag.sed"
-      else
-	ac_sed_cmds="$ac_sed_cmds | sed -f $tmp/subs-$ac_sed_frag.sed"
-      fi
-      ac_sed_frag=`expr $ac_sed_frag + 1`
-      ac_beg=$ac_end
-      ac_end=`expr $ac_end + $ac_max_sed_lines`
-    fi
-  done
-  if test -z "$ac_sed_cmds"; then
-    ac_sed_cmds=cat
+if test -n "$CONFIG_FILES"; then
+
+_ACEOF
+
+
+
+ac_delim='%!_!# '
+for ac_last_try in false false false false false :; do
+  cat >conf$$subs.sed <<_ACEOF
+SHELL!$SHELL$ac_delim
+PATH_SEPARATOR!$PATH_SEPARATOR$ac_delim
+PACKAGE_NAME!$PACKAGE_NAME$ac_delim
+PACKAGE_TARNAME!$PACKAGE_TARNAME$ac_delim
+PACKAGE_VERSION!$PACKAGE_VERSION$ac_delim
+PACKAGE_STRING!$PACKAGE_STRING$ac_delim
+PACKAGE_BUGREPORT!$PACKAGE_BUGREPORT$ac_delim
+exec_prefix!$exec_prefix$ac_delim
+prefix!$prefix$ac_delim
+program_transform_name!$program_transform_name$ac_delim
+bindir!$bindir$ac_delim
+sbindir!$sbindir$ac_delim
+libexecdir!$libexecdir$ac_delim
+datarootdir!$datarootdir$ac_delim
+datadir!$datadir$ac_delim
+sysconfdir!$sysconfdir$ac_delim
+sharedstatedir!$sharedstatedir$ac_delim
+localstatedir!$localstatedir$ac_delim
+includedir!$includedir$ac_delim
+oldincludedir!$oldincludedir$ac_delim
+docdir!$docdir$ac_delim
+infodir!$infodir$ac_delim
+htmldir!$htmldir$ac_delim
+dvidir!$dvidir$ac_delim
+pdfdir!$pdfdir$ac_delim
+psdir!$psdir$ac_delim
+libdir!$libdir$ac_delim
+localedir!$localedir$ac_delim
+mandir!$mandir$ac_delim
+DEFS!$DEFS$ac_delim
+ECHO_C!$ECHO_C$ac_delim
+ECHO_N!$ECHO_N$ac_delim
+ECHO_T!$ECHO_T$ac_delim
+LIBS!$LIBS$ac_delim
+build_alias!$build_alias$ac_delim
+host_alias!$host_alias$ac_delim
+target_alias!$target_alias$ac_delim
+INSTALL_PROGRAM!$INSTALL_PROGRAM$ac_delim
+INSTALL_SCRIPT!$INSTALL_SCRIPT$ac_delim
+INSTALL_DATA!$INSTALL_DATA$ac_delim
+am__isrc!$am__isrc$ac_delim
+CYGPATH_W!$CYGPATH_W$ac_delim
+PACKAGE!$PACKAGE$ac_delim
+VERSION!$VERSION$ac_delim
+ACLOCAL!$ACLOCAL$ac_delim
+AUTOCONF!$AUTOCONF$ac_delim
+AUTOMAKE!$AUTOMAKE$ac_delim
+AUTOHEADER!$AUTOHEADER$ac_delim
+MAKEINFO!$MAKEINFO$ac_delim
+install_sh!$install_sh$ac_delim
+STRIP!$STRIP$ac_delim
+INSTALL_STRIP_PROGRAM!$INSTALL_STRIP_PROGRAM$ac_delim
+mkdir_p!$mkdir_p$ac_delim
+AWK!$AWK$ac_delim
+SET_MAKE!$SET_MAKE$ac_delim
+am__leading_dot!$am__leading_dot$ac_delim
+AMTAR!$AMTAR$ac_delim
+am__tar!$am__tar$ac_delim
+am__untar!$am__untar$ac_delim
+MAINTAINER_MODE_TRUE!$MAINTAINER_MODE_TRUE$ac_delim
+MAINTAINER_MODE_FALSE!$MAINTAINER_MODE_FALSE$ac_delim
+MAINT!$MAINT$ac_delim
+CC!$CC$ac_delim
+CFLAGS!$CFLAGS$ac_delim
+LDFLAGS!$LDFLAGS$ac_delim
+CPPFLAGS!$CPPFLAGS$ac_delim
+ac_ct_CC!$ac_ct_CC$ac_delim
+EXEEXT!$EXEEXT$ac_delim
+OBJEXT!$OBJEXT$ac_delim
+CPP!$CPP$ac_delim
+build!$build$ac_delim
+build_cpu!$build_cpu$ac_delim
+build_vendor!$build_vendor$ac_delim
+build_os!$build_os$ac_delim
+host!$host$ac_delim
+host_cpu!$host_cpu$ac_delim
+host_vendor!$host_vendor$ac_delim
+host_os!$host_os$ac_delim
+CANONICAL_HOST!$CANONICAL_HOST$ac_delim
+YACC!$YACC$ac_delim
+YFLAGS!$YFLAGS$ac_delim
+LEX!$LEX$ac_delim
+LEX_OUTPUT_ROOT!$LEX_OUTPUT_ROOT$ac_delim
+LEXLIB!$LEXLIB$ac_delim
+LN_S!$LN_S$ac_delim
+GREP!$GREP$ac_delim
+EGREP!$EGREP$ac_delim
+ECHO!$ECHO$ac_delim
+AR!$AR$ac_delim
+RANLIB!$RANLIB$ac_delim
+CXX!$CXX$ac_delim
+CXXFLAGS!$CXXFLAGS$ac_delim
+ac_ct_CXX!$ac_ct_CXX$ac_delim
+CXXCPP!$CXXCPP$ac_delim
+F77!$F77$ac_delim
+FFLAGS!$FFLAGS$ac_delim
+ac_ct_F77!$ac_ct_F77$ac_delim
+_ACEOF
+
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
+    break
+  elif $ac_last_try; then
+    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
+   { (exit 1); exit 1; }; }
+  else
+    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
   fi
-fi # test -n "$CONFIG_FILES"
+done
 
+ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
+if test -n "$ac_eof"; then
+  ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
+  ac_eof=`expr $ac_eof + 1`
+fi
+
+cat >>$CONFIG_STATUS <<_ACEOF
+cat >"\$tmp/subs-1.sed" <<\CEOF$ac_eof
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
 _ACEOF
+sed '
+s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
+s/^/s,@/; s/!/@,|#_!!_#|/
+:n
+t n
+s/'"$ac_delim"'$/,g/; t
+s/$/\\/; p
+N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
+' >>$CONFIG_STATUS <conf$$subs.sed
+rm -f conf$$subs.sed
+cat >>$CONFIG_STATUS <<_ACEOF
+CEOF$ac_eof
+_ACEOF
+
+
+ac_delim='%!_!# '
+for ac_last_try in false false false false false :; do
+  cat >conf$$subs.sed <<_ACEOF
+LIBTOOL!$LIBTOOL$ac_delim
+ENABLE_SHARED_TRUE!$ENABLE_SHARED_TRUE$ac_delim
+ENABLE_SHARED_FALSE!$ENABLE_SHARED_FALSE$ac_delim
+VERSIONING!$VERSIONING$ac_delim
+versionscript_TRUE!$versionscript_TRUE$ac_delim
+versionscript_FALSE!$versionscript_FALSE$ac_delim
+LDFLAGS_VERSION_SCRIPT!$LDFLAGS_VERSION_SCRIPT$ac_delim
+INCLUDE_openldap!$INCLUDE_openldap$ac_delim
+LIB_openldap!$LIB_openldap$ac_delim
+OPENLDAP_MODULE_TRUE!$OPENLDAP_MODULE_TRUE$ac_delim
+OPENLDAP_MODULE_FALSE!$OPENLDAP_MODULE_FALSE$ac_delim
+PKINIT_TRUE!$PKINIT_TRUE$ac_delim
+PKINIT_FALSE!$PKINIT_FALSE$ac_delim
+DIR_hdbdir!$DIR_hdbdir$ac_delim
+INCLUDE_krb4!$INCLUDE_krb4$ac_delim
+LIB_krb4!$LIB_krb4$ac_delim
+KRB4_TRUE!$KRB4_TRUE$ac_delim
+KRB4_FALSE!$KRB4_FALSE$ac_delim
+KRB5_TRUE!$KRB5_TRUE$ac_delim
+KRB5_FALSE!$KRB5_FALSE$ac_delim
+do_roken_rename_TRUE!$do_roken_rename_TRUE$ac_delim
+do_roken_rename_FALSE!$do_roken_rename_FALSE$ac_delim
+LIB_kdb!$LIB_kdb$ac_delim
+HAVE_OPENSSL_TRUE!$HAVE_OPENSSL_TRUE$ac_delim
+HAVE_OPENSSL_FALSE!$HAVE_OPENSSL_FALSE$ac_delim
+DIR_hcrypto!$DIR_hcrypto$ac_delim
+INCLUDE_hcrypto!$INCLUDE_hcrypto$ac_delim
+LIB_hcrypto!$LIB_hcrypto$ac_delim
+LIB_hcrypto_a!$LIB_hcrypto_a$ac_delim
+LIB_hcrypto_so!$LIB_hcrypto_so$ac_delim
+LIB_hcrypto_appl!$LIB_hcrypto_appl$ac_delim
+PTHREADS_CFLAGS!$PTHREADS_CFLAGS$ac_delim
+PTHREADS_LIBS!$PTHREADS_LIBS$ac_delim
+DCE_TRUE!$DCE_TRUE$ac_delim
+DCE_FALSE!$DCE_FALSE$ac_delim
+dpagaix_cflags!$dpagaix_cflags$ac_delim
+dpagaix_ldadd!$dpagaix_ldadd$ac_delim
+dpagaix_ldflags!$dpagaix_ldflags$ac_delim
+LIB_db_create!$LIB_db_create$ac_delim
+LIB_dbopen!$LIB_dbopen$ac_delim
+LIB_dbm_firstkey!$LIB_dbm_firstkey$ac_delim
+HAVE_DB1_TRUE!$HAVE_DB1_TRUE$ac_delim
+HAVE_DB1_FALSE!$HAVE_DB1_FALSE$ac_delim
+HAVE_DB3_TRUE!$HAVE_DB3_TRUE$ac_delim
+HAVE_DB3_FALSE!$HAVE_DB3_FALSE$ac_delim
+HAVE_NDBM_TRUE!$HAVE_NDBM_TRUE$ac_delim
+HAVE_NDBM_FALSE!$HAVE_NDBM_FALSE$ac_delim
+DBLIB!$DBLIB$ac_delim
+LIB_NDBM!$LIB_NDBM$ac_delim
+WFLAGS!$WFLAGS$ac_delim
+WFLAGS_NOUNUSED!$WFLAGS_NOUNUSED$ac_delim
+WFLAGS_NOIMPLICITINT!$WFLAGS_NOIMPLICITINT$ac_delim
+VOID_RETSIGTYPE!$VOID_RETSIGTYPE$ac_delim
+have_err_h_TRUE!$have_err_h_TRUE$ac_delim
+have_err_h_FALSE!$have_err_h_FALSE$ac_delim
+have_ifaddrs_h_TRUE!$have_ifaddrs_h_TRUE$ac_delim
+have_ifaddrs_h_FALSE!$have_ifaddrs_h_FALSE$ac_delim
+have_vis_h_TRUE!$have_vis_h_TRUE$ac_delim
+have_vis_h_FALSE!$have_vis_h_FALSE$ac_delim
+LIB_socket!$LIB_socket$ac_delim
+LIB_gethostbyname!$LIB_gethostbyname$ac_delim
+LIB_syslog!$LIB_syslog$ac_delim
+LIB_gethostbyname2!$LIB_gethostbyname2$ac_delim
+LIB_res_search!$LIB_res_search$ac_delim
+LIB_res_nsearch!$LIB_res_nsearch$ac_delim
+LIB_res_ndestroy!$LIB_res_ndestroy$ac_delim
+LIB_dn_expand!$LIB_dn_expand$ac_delim
+LIBOBJS!$LIBOBJS$ac_delim
+have_glob_h_TRUE!$have_glob_h_TRUE$ac_delim
+have_glob_h_FALSE!$have_glob_h_FALSE$ac_delim
+have_cgetent_TRUE!$have_cgetent_TRUE$ac_delim
+have_cgetent_FALSE!$have_cgetent_FALSE$ac_delim
+LIB_getsockopt!$LIB_getsockopt$ac_delim
+LIB_setsockopt!$LIB_setsockopt$ac_delim
+LIB_hstrerror!$LIB_hstrerror$ac_delim
+LIB_bswap16!$LIB_bswap16$ac_delim
+LIB_bswap32!$LIB_bswap32$ac_delim
+LIB_pidfile!$LIB_pidfile$ac_delim
+LIB_getaddrinfo!$LIB_getaddrinfo$ac_delim
+LIB_getnameinfo!$LIB_getnameinfo$ac_delim
+LIB_freeaddrinfo!$LIB_freeaddrinfo$ac_delim
+LIB_gai_strerror!$LIB_gai_strerror$ac_delim
+have_fnmatch_h_TRUE!$have_fnmatch_h_TRUE$ac_delim
+have_fnmatch_h_FALSE!$have_fnmatch_h_FALSE$ac_delim
+LIB_crypt!$LIB_crypt$ac_delim
+have_socket_wrapper_TRUE!$have_socket_wrapper_TRUE$ac_delim
+have_socket_wrapper_FALSE!$have_socket_wrapper_FALSE$ac_delim
+DIR_roken!$DIR_roken$ac_delim
+LIB_roken!$LIB_roken$ac_delim
+INCLUDES_roken!$INCLUDES_roken$ac_delim
+LIBADD_roken!$LIBADD_roken$ac_delim
+LIB_otp!$LIB_otp$ac_delim
+OTP_TRUE!$OTP_TRUE$ac_delim
+OTP_FALSE!$OTP_FALSE$ac_delim
+LIB_security!$LIB_security$ac_delim
+NROFF!$NROFF$ac_delim
+GROFF!$GROFF$ac_delim
+_ACEOF
+
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
+    break
+  elif $ac_last_try; then
+    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
+   { (exit 1); exit 1; }; }
+  else
+    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
+  fi
+done
+
+ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
+if test -n "$ac_eof"; then
+  ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
+  ac_eof=`expr $ac_eof + 1`
+fi
+
+cat >>$CONFIG_STATUS <<_ACEOF
+cat >"\$tmp/subs-2.sed" <<\CEOF$ac_eof
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
+_ACEOF
+sed '
+s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
+s/^/s,@/; s/!/@,|#_!!_#|/
+:n
+t n
+s/'"$ac_delim"'$/,g/; t
+s/$/\\/; p
+N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
+' >>$CONFIG_STATUS <conf$$subs.sed
+rm -f conf$$subs.sed
+cat >>$CONFIG_STATUS <<_ACEOF
+CEOF$ac_eof
+_ACEOF
+
+
+ac_delim='%!_!# '
+for ac_last_try in false false false false false :; do
+  cat >conf$$subs.sed <<_ACEOF
+CATMAN!$CATMAN$ac_delim
+CATMAN_TRUE!$CATMAN_TRUE$ac_delim
+CATMAN_FALSE!$CATMAN_FALSE$ac_delim
+CATMANEXT!$CATMANEXT$ac_delim
+INCLUDE_readline!$INCLUDE_readline$ac_delim
+LIB_readline!$LIB_readline$ac_delim
+INCLUDE_hesiod!$INCLUDE_hesiod$ac_delim
+LIB_hesiod!$LIB_hesiod$ac_delim
+AIX_TRUE!$AIX_TRUE$ac_delim
+AIX_FALSE!$AIX_FALSE$ac_delim
+AIX4_TRUE!$AIX4_TRUE$ac_delim
+AIX4_FALSE!$AIX4_FALSE$ac_delim
+LIB_dlopen!$LIB_dlopen$ac_delim
+HAVE_DLOPEN_TRUE!$HAVE_DLOPEN_TRUE$ac_delim
+HAVE_DLOPEN_FALSE!$HAVE_DLOPEN_FALSE$ac_delim
+LIB_loadquery!$LIB_loadquery$ac_delim
+AIX_DYNAMIC_AFS_TRUE!$AIX_DYNAMIC_AFS_TRUE$ac_delim
+AIX_DYNAMIC_AFS_FALSE!$AIX_DYNAMIC_AFS_FALSE$ac_delim
+AIX_EXTRA_KAFS!$AIX_EXTRA_KAFS$ac_delim
+IRIX_TRUE!$IRIX_TRUE$ac_delim
+IRIX_FALSE!$IRIX_FALSE$ac_delim
+XMKMF!$XMKMF$ac_delim
+X_CFLAGS!$X_CFLAGS$ac_delim
+X_PRE_LIBS!$X_PRE_LIBS$ac_delim
+X_LIBS!$X_LIBS$ac_delim
+X_EXTRA_LIBS!$X_EXTRA_LIBS$ac_delim
+HAVE_X_TRUE!$HAVE_X_TRUE$ac_delim
+HAVE_X_FALSE!$HAVE_X_FALSE$ac_delim
+LIB_XauWriteAuth!$LIB_XauWriteAuth$ac_delim
+LIB_XauReadAuth!$LIB_XauReadAuth$ac_delim
+LIB_XauFileName!$LIB_XauFileName$ac_delim
+NEED_WRITEAUTH_TRUE!$NEED_WRITEAUTH_TRUE$ac_delim
+NEED_WRITEAUTH_FALSE!$NEED_WRITEAUTH_FALSE$ac_delim
+LIB_logwtmp!$LIB_logwtmp$ac_delim
+LIB_logout!$LIB_logout$ac_delim
+LIB_openpty!$LIB_openpty$ac_delim
+LIB_tgetent!$LIB_tgetent$ac_delim
+LIB_getpwnam_r!$LIB_getpwnam_r$ac_delim
+LIB_door_create!$LIB_door_create$ac_delim
+KCM_TRUE!$KCM_TRUE$ac_delim
+KCM_FALSE!$KCM_FALSE$ac_delim
+FRAMEWORK_SECURITY_TRUE!$FRAMEWORK_SECURITY_TRUE$ac_delim
+FRAMEWORK_SECURITY_FALSE!$FRAMEWORK_SECURITY_FALSE$ac_delim
+LIB_el_init!$LIB_el_init$ac_delim
+el_compat_TRUE!$el_compat_TRUE$ac_delim
+el_compat_FALSE!$el_compat_FALSE$ac_delim
+COMPILE_ET!$COMPILE_ET$ac_delim
+COM_ERR_TRUE!$COM_ERR_TRUE$ac_delim
+COM_ERR_FALSE!$COM_ERR_FALSE$ac_delim
+DIR_com_err!$DIR_com_err$ac_delim
+LIB_com_err!$LIB_com_err$ac_delim
+LIB_com_err_a!$LIB_com_err_a$ac_delim
+LIB_com_err_so!$LIB_com_err_so$ac_delim
+LIB_AUTH_SUBDIRS!$LIB_AUTH_SUBDIRS$ac_delim
+LTLIBOBJS!$LTLIBOBJS$ac_delim
+_ACEOF
+
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 55; then
+    break
+  elif $ac_last_try; then
+    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
+   { (exit 1); exit 1; }; }
+  else
+    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
+  fi
+done
+
+ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
+if test -n "$ac_eof"; then
+  ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
+  ac_eof=`expr $ac_eof + 1`
+fi
+
+cat >>$CONFIG_STATUS <<_ACEOF
+cat >"\$tmp/subs-3.sed" <<\CEOF$ac_eof
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end
+_ACEOF
+sed '
+s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
+s/^/s,@/; s/!/@,|#_!!_#|/
+:n
+t n
+s/'"$ac_delim"'$/,g/; t
+s/$/\\/; p
+N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
+' >>$CONFIG_STATUS <conf$$subs.sed
+rm -f conf$$subs.sed
+cat >>$CONFIG_STATUS <<_ACEOF
+:end
+s/|#_!!_#|//g
+CEOF$ac_eof
+_ACEOF
+
+
+# VPATH may cause trouble with some makes, so we remove $(srcdir),
+# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
+# trailing colons and then remove the whole line if VPATH becomes empty
+# (actually we leave an empty line to preserve line numbers).
+if test "x$srcdir" = x.; then
+  ac_vpsub='/^[	 ]*VPATH[	 ]*=/{
+s/:*\$(srcdir):*/:/
+s/:*\${srcdir}:*/:/
+s/:*@srcdir@:*/:/
+s/^\([^=]*=[	 ]*\):*/\1/
+s/:*$//
+s/^[^=]*=[	 ]*$//
+}'
+fi
+
 cat >>$CONFIG_STATUS <<\_ACEOF
-for ac_file in : $CONFIG_FILES; do test "x$ac_file" = x: && continue
-  # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
-  case $ac_file in
-  - | *:- | *:-:* ) # input from stdin
-	cat >$tmp/stdin
-	ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
-	ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
-  *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
-	ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
-  * )   ac_file_in=$ac_file.in ;;
+fi # test -n "$CONFIG_FILES"
+
+
+for ac_tag in  :F $CONFIG_FILES  :H $CONFIG_HEADERS
+do
+  case $ac_tag in
+  :[FHLC]) ac_mode=$ac_tag; continue;;
+  esac
+  case $ac_mode$ac_tag in
+  :[FHL]*:*);;
+  :L* | :C*:*) { { echo "$as_me:$LINENO: error: Invalid tag $ac_tag." >&5
+echo "$as_me: error: Invalid tag $ac_tag." >&2;}
+   { (exit 1); exit 1; }; };;
+  :[FH]-) ac_tag=-:-;;
+  :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
   esac
+  ac_save_IFS=$IFS
+  IFS=:
+  set x $ac_tag
+  IFS=$ac_save_IFS
+  shift
+  ac_file=$1
+  shift
+
+  case $ac_mode in
+  :L) ac_source=$1;;
+  :[FH])
+    ac_file_inputs=
+    for ac_f
+    do
+      case $ac_f in
+      -) ac_f="$tmp/stdin";;
+      *) # Look for the file first in the build tree, then in the source tree
+	 # (if the path is not absolute).  The absolute path cannot be DOS-style,
+	 # because $ac_f cannot contain `:'.
+	 test -f "$ac_f" ||
+	   case $ac_f in
+	   [\\/$]*) false;;
+	   *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
+	   esac ||
+	   { { echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5
+echo "$as_me: error: cannot find input file: $ac_f" >&2;}
+   { (exit 1); exit 1; }; };;
+      esac
+      ac_file_inputs="$ac_file_inputs $ac_f"
+    done
 
-  # Compute @srcdir@, @top_srcdir@, and @INSTALL@ for subdirectories.
-  ac_dir=`(dirname "$ac_file") 2>/dev/null ||
+    # Let's still pretend it is `configure' which instantiates (i.e., don't
+    # use $as_me), people would be surprised to read:
+    #    /* config.h.  Generated by config.status.  */
+    configure_input="Generated from "`IFS=:
+	  echo $* | sed 's|^[^:]*/||;s|:[^:]*/|, |g'`" by configure."
+    if test x"$ac_file" != x-; then
+      configure_input="$ac_file.  $configure_input"
+      { echo "$as_me:$LINENO: creating $ac_file" >&5
+echo "$as_me: creating $ac_file" >&6;}
+    fi
+
+    case $ac_tag in
+    *:-:* | *:-) cat >"$tmp/stdin";;
+    esac
+    ;;
+  esac
+
+  ac_dir=`$as_dirname -- "$ac_file" ||
 $as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
 	 X"$ac_file" : 'X\(//\)[^/]' \| \
 	 X"$ac_file" : 'X\(//\)$' \| \
-	 X"$ac_file" : 'X\(/\)' \| \
-	 .     : '\(.\)' 2>/dev/null ||
+	 X"$ac_file" : 'X\(/\)' \| . 2>/dev/null ||
 echo X"$ac_file" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
-  	  /^X\(\/\/\)[^/].*/{ s//\1/; q; }
-  	  /^X\(\/\/\)$/{ s//\1/; q; }
-  	  /^X\(\/\).*/{ s//\1/; q; }
-  	  s/.*/./; q'`
-  { if $as_mkdir_p; then
-    mkdir -p "$ac_dir"
-  else
-    as_dir="$ac_dir"
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+  { as_dir="$ac_dir"
+  case $as_dir in #(
+  -*) as_dir=./$as_dir;;
+  esac
+  test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || {
     as_dirs=
-    while test ! -d "$as_dir"; do
-      as_dirs="$as_dir $as_dirs"
-      as_dir=`(dirname "$as_dir") 2>/dev/null ||
+    while :; do
+      case $as_dir in #(
+      *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #(
+      *) as_qdir=$as_dir;;
+      esac
+      as_dirs="'$as_qdir' $as_dirs"
+      as_dir=`$as_dirname -- "$as_dir" ||
 $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
 	 X"$as_dir" : 'X\(//\)[^/]' \| \
 	 X"$as_dir" : 'X\(//\)$' \| \
-	 X"$as_dir" : 'X\(/\)' \| \
-	 .     : '\(.\)' 2>/dev/null ||
+	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
 echo X"$as_dir" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
-  	  /^X\(\/\/\)[^/].*/{ s//\1/; q; }
-  	  /^X\(\/\/\)$/{ s//\1/; q; }
-  	  /^X\(\/\).*/{ s//\1/; q; }
-  	  s/.*/./; q'`
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+      test -d "$as_dir" && break
     done
-    test ! -n "$as_dirs" || mkdir $as_dirs
-  fi || { { echo "$as_me:$LINENO: error: cannot create directory \"$ac_dir\"" >&5
-echo "$as_me: error: cannot create directory \"$ac_dir\"" >&2;}
+    test -z "$as_dirs" || eval "mkdir $as_dirs"
+  } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
+echo "$as_me: error: cannot create directory $as_dir" >&2;}
    { (exit 1); exit 1; }; }; }
-
   ac_builddir=.
 
-if test "$ac_dir" != .; then
+case "$ac_dir" in
+.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
+*)
   ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
-  # A "../" for each directory in $ac_dir_suffix.
-  ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'`
-else
-  ac_dir_suffix= ac_top_builddir=
-fi
+  # A ".." for each directory in $ac_dir_suffix.
+  ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
+  case $ac_top_builddir_sub in
+  "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
+  *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
+  esac ;;
+esac
+ac_abs_top_builddir=$ac_pwd
+ac_abs_builddir=$ac_pwd$ac_dir_suffix
+# for backward compatibility:
+ac_top_builddir=$ac_top_build_prefix
 
 case $srcdir in
-  .)  # No --srcdir option.  We are building in place.
+  .)  # We are building in place.
     ac_srcdir=.
-    if test -z "$ac_top_builddir"; then
-       ac_top_srcdir=.
-    else
-       ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'`
-    fi ;;
-  [\\/]* | ?:[\\/]* )  # Absolute path.
+    ac_top_srcdir=$ac_top_builddir_sub
+    ac_abs_top_srcdir=$ac_pwd ;;
+  [\\/]* | ?:[\\/]* )  # Absolute name.
     ac_srcdir=$srcdir$ac_dir_suffix;
-    ac_top_srcdir=$srcdir ;;
-  *) # Relative path.
-    ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix
-    ac_top_srcdir=$ac_top_builddir$srcdir ;;
+    ac_top_srcdir=$srcdir
+    ac_abs_top_srcdir=$srcdir ;;
+  *) # Relative name.
+    ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
+    ac_top_srcdir=$ac_top_build_prefix$srcdir
+    ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
 esac
+ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
 
-# Do not use `cd foo && pwd` to compute absolute paths, because
-# the directories may not exist.
-case `pwd` in
-.) ac_abs_builddir="$ac_dir";;
-*)
-  case "$ac_dir" in
-  .) ac_abs_builddir=`pwd`;;
-  [\\/]* | ?:[\\/]* ) ac_abs_builddir="$ac_dir";;
-  *) ac_abs_builddir=`pwd`/"$ac_dir";;
-  esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_top_builddir=${ac_top_builddir}.;;
-*)
-  case ${ac_top_builddir}. in
-  .) ac_abs_top_builddir=$ac_abs_builddir;;
-  [\\/]* | ?:[\\/]* ) ac_abs_top_builddir=${ac_top_builddir}.;;
-  *) ac_abs_top_builddir=$ac_abs_builddir/${ac_top_builddir}.;;
-  esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_srcdir=$ac_srcdir;;
-*)
-  case $ac_srcdir in
-  .) ac_abs_srcdir=$ac_abs_builddir;;
-  [\\/]* | ?:[\\/]* ) ac_abs_srcdir=$ac_srcdir;;
-  *) ac_abs_srcdir=$ac_abs_builddir/$ac_srcdir;;
-  esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_top_srcdir=$ac_top_srcdir;;
-*)
-  case $ac_top_srcdir in
-  .) ac_abs_top_srcdir=$ac_abs_builddir;;
-  [\\/]* | ?:[\\/]* ) ac_abs_top_srcdir=$ac_top_srcdir;;
-  *) ac_abs_top_srcdir=$ac_abs_builddir/$ac_top_srcdir;;
-  esac;;
-esac
 
+  case $ac_mode in
+  :F)
+  #
+  # CONFIG_FILE
+  #
 
   case $INSTALL in
   [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;;
-  *) ac_INSTALL=$ac_top_builddir$INSTALL ;;
+  *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;;
   esac
+  ac_MKDIR_P=$MKDIR_P
+  case $MKDIR_P in
+  [\\/$]* | ?:[\\/]* ) ;;
+  */*) ac_MKDIR_P=$ac_top_build_prefix$MKDIR_P ;;
+  esac
+_ACEOF
 
-  if test x"$ac_file" != x-; then
-    { echo "$as_me:$LINENO: creating $ac_file" >&5
-echo "$as_me: creating $ac_file" >&6;}
-    rm -f "$ac_file"
-  fi
-  # Let's still pretend it is `configure' which instantiates (i.e., don't
-  # use $as_me), people would be surprised to read:
-  #    /* config.h.  Generated by config.status.  */
-  if test x"$ac_file" = x-; then
-    configure_input=
-  else
-    configure_input="$ac_file.  "
-  fi
-  configure_input=$configure_input"Generated from `echo $ac_file_in |
-				     sed 's,.*/,,'` by configure."
-
-  # First look for the input files in the build tree, otherwise in the
-  # src tree.
-  ac_file_inputs=`IFS=:
-    for f in $ac_file_in; do
-      case $f in
-      -) echo $tmp/stdin ;;
-      [\\/$]*)
-	 # Absolute (can't be DOS-style, as IFS=:)
-	 test -f "$f" || { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
-echo "$as_me: error: cannot find input file: $f" >&2;}
-   { (exit 1); exit 1; }; }
-	 echo "$f";;
-      *) # Relative
-	 if test -f "$f"; then
-	   # Build tree
-	   echo "$f"
-	 elif test -f "$srcdir/$f"; then
-	   # Source tree
-	   echo "$srcdir/$f"
-	 else
-	   # /dev/null tree
-	   { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
-echo "$as_me: error: cannot find input file: $f" >&2;}
-   { (exit 1); exit 1; }; }
-	 fi;;
-      esac
-    done` || { (exit 1); exit 1; }
+cat >>$CONFIG_STATUS <<\_ACEOF
+# If the template does not know about datarootdir, expand it.
+# FIXME: This hack should be removed a few years after 2.60.
+ac_datarootdir_hack=; ac_datarootdir_seen=
+
+case `sed -n '/datarootdir/ {
+  p
+  q
+}
+/@datadir@/p
+/@docdir@/p
+/@infodir@/p
+/@localedir@/p
+/@mandir@/p
+' $ac_file_inputs` in
+*datarootdir*) ac_datarootdir_seen=yes;;
+*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*)
+  { echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
+echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF
+  ac_datarootdir_hack='
+  s&@datadir@&$datadir&g
+  s&@docdir@&$docdir&g
+  s&@infodir@&$infodir&g
+  s&@localedir@&$localedir&g
+  s&@mandir@&$mandir&g
+    s&\\\${datarootdir}&$datarootdir&g' ;;
+esac
+_ACEOF
+
+# Neutralize VPATH when `$srcdir' = `.'.
+# Shell code in configure.ac might set extrasub.
+# FIXME: do we really want to maintain this feature?
+cat >>$CONFIG_STATUS <<_ACEOF
   sed "$ac_vpsub
 $extrasub
 _ACEOF
 cat >>$CONFIG_STATUS <<\_ACEOF
 :t
 /@[a-zA-Z_][a-zA-Z_0-9]*@/!b
-s,@configure_input@,$configure_input,;t t
-s,@srcdir@,$ac_srcdir,;t t
-s,@abs_srcdir@,$ac_abs_srcdir,;t t
-s,@top_srcdir@,$ac_top_srcdir,;t t
-s,@abs_top_srcdir@,$ac_abs_top_srcdir,;t t
-s,@builddir@,$ac_builddir,;t t
-s,@abs_builddir@,$ac_abs_builddir,;t t
-s,@top_builddir@,$ac_top_builddir,;t t
-s,@abs_top_builddir@,$ac_abs_top_builddir,;t t
-s,@INSTALL@,$ac_INSTALL,;t t
-" $ac_file_inputs | (eval "$ac_sed_cmds") >$tmp/out
-  rm -f $tmp/stdin
-  if test x"$ac_file" != x-; then
-    mv $tmp/out $ac_file
-  else
-    cat $tmp/out
-    rm -f $tmp/out
-  fi
-
-done
-_ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF
-
-#
-# CONFIG_HEADER section.
-#
-
-# These sed commands are passed to sed as "A NAME B NAME C VALUE D", where
-# NAME is the cpp macro being defined and VALUE is the value it is being given.
-#
-# ac_d sets the value in "#define NAME VALUE" lines.
-ac_dA='s,^\([	 ]*\)#\([	 ]*define[	 ][	 ]*\)'
-ac_dB='[	 ].*$,\1#\2'
-ac_dC=' '
-ac_dD=',;t'
-# ac_u turns "#undef NAME" without trailing blanks into "#define NAME VALUE".
-ac_uA='s,^\([	 ]*\)#\([	 ]*\)undef\([	 ][	 ]*\)'
-ac_uB='$,\1#\2define\3'
-ac_uC=' '
-ac_uD=',;t'
-
-for ac_file in : $CONFIG_HEADERS; do test "x$ac_file" = x: && continue
-  # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
+s&@configure_input@&$configure_input&;t t
+s&@top_builddir@&$ac_top_builddir_sub&;t t
+s&@srcdir@&$ac_srcdir&;t t
+s&@abs_srcdir@&$ac_abs_srcdir&;t t
+s&@top_srcdir@&$ac_top_srcdir&;t t
+s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t
+s&@builddir@&$ac_builddir&;t t
+s&@abs_builddir@&$ac_abs_builddir&;t t
+s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
+s&@INSTALL@&$ac_INSTALL&;t t
+s&@MKDIR_P@&$ac_MKDIR_P&;t t
+$ac_datarootdir_hack
+" $ac_file_inputs | sed -f "$tmp/subs-1.sed" | sed -f "$tmp/subs-2.sed" | sed -f "$tmp/subs-3.sed" >$tmp/out
+
+test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
+  { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
+  { ac_out=`sed -n '/^[	 ]*datarootdir[	 ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } &&
+  { echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+which seems to be undefined.  Please make sure it is defined." >&5
+echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+which seems to be undefined.  Please make sure it is defined." >&2;}
+
+  rm -f "$tmp/stdin"
   case $ac_file in
-  - | *:- | *:-:* ) # input from stdin
-	cat >$tmp/stdin
-	ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
-	ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
-  *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
-	ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
-  * )   ac_file_in=$ac_file.in ;;
+  -) cat "$tmp/out"; rm -f "$tmp/out";;
+  *) rm -f "$ac_file"; mv "$tmp/out" $ac_file;;
   esac
+ ;;
+  :H)
+  #
+  # CONFIG_HEADER
+  #
+_ACEOF
 
-  test x"$ac_file" != x- && { echo "$as_me:$LINENO: creating $ac_file" >&5
-echo "$as_me: creating $ac_file" >&6;}
-
-  # First look for the input files in the build tree, otherwise in the
-  # src tree.
-  ac_file_inputs=`IFS=:
-    for f in $ac_file_in; do
-      case $f in
-      -) echo $tmp/stdin ;;
-      [\\/$]*)
-	 # Absolute (can't be DOS-style, as IFS=:)
-	 test -f "$f" || { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
-echo "$as_me: error: cannot find input file: $f" >&2;}
-   { (exit 1); exit 1; }; }
-	 # Do quote $f, to prevent DOS paths from being IFS'd.
-	 echo "$f";;
-      *) # Relative
-	 if test -f "$f"; then
-	   # Build tree
-	   echo "$f"
-	 elif test -f "$srcdir/$f"; then
-	   # Source tree
-	   echo "$srcdir/$f"
-	 else
-	   # /dev/null tree
-	   { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
-echo "$as_me: error: cannot find input file: $f" >&2;}
-   { (exit 1); exit 1; }; }
-	 fi;;
-      esac
-    done` || { (exit 1); exit 1; }
-  # Remove the trailing spaces.
-  sed 's/[	 ]*$//' $ac_file_inputs >$tmp/in
-
-_ACEOF
-
-# Transform confdefs.h into two sed scripts, `conftest.defines' and
-# `conftest.undefs', that substitutes the proper values into
-# config.h.in to produce config.h.  The first handles `#define'
-# templates, and the second `#undef' templates.
-# And first: Protect against being on the right side of a sed subst in
-# config.status.  Protect against being in an unquoted here document
-# in config.status.
-rm -f conftest.defines conftest.undefs
-# Using a here document instead of a string reduces the quoting nightmare.
-# Putting comments in sed scripts is not portable.
-#
-# `end' is used to avoid that the second main sed command (meant for
-# 0-ary CPP macros) applies to n-ary macro definitions.
-# See the Autoconf documentation for `clear'.
-cat >confdef2sed.sed <<\_ACEOF
-s/[\\&,]/\\&/g
-s,[\\$`],\\&,g
-t clear
-: clear
-s,^[	 ]*#[	 ]*define[	 ][	 ]*\([^	 (][^	 (]*\)\(([^)]*)\)[	 ]*\(.*\)$,${ac_dA}\1${ac_dB}\1\2${ac_dC}\3${ac_dD},gp
-t end
-s,^[	 ]*#[	 ]*define[	 ][	 ]*\([^	 ][^	 ]*\)[	 ]*\(.*\)$,${ac_dA}\1${ac_dB}\1${ac_dC}\2${ac_dD},gp
-: end
-_ACEOF
-# If some macros were called several times there might be several times
-# the same #defines, which is useless.  Nevertheless, we may not want to
-# sort them, since we want the *last* AC-DEFINE to be honored.
-uniq confdefs.h | sed -n -f confdef2sed.sed >conftest.defines
-sed 's/ac_d/ac_u/g' conftest.defines >conftest.undefs
-rm -f confdef2sed.sed
-
-# This sed command replaces #undef with comments.  This is necessary, for
+# Transform confdefs.h into a sed script `conftest.defines', that
+# substitutes the proper values into config.h.in to produce config.h.
+rm -f conftest.defines conftest.tail
+# First, append a space to every undef/define line, to ease matching.
+echo 's/$/ /' >conftest.defines
+# Then, protect against being on the right side of a sed subst, or in
+# an unquoted here document, in config.status.  If some macros were
+# called several times there might be several #defines for the same
+# symbol, which is useless.  But do not sort them, since the last
+# AC_DEFINE must be honored.
+ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]*
+# These sed commands are passed to sed as "A NAME B PARAMS C VALUE D", where
+# NAME is the cpp macro being defined, VALUE is the value it is being given.
+# PARAMS is the parameter list in the macro definition--in most cases, it's
+# just an empty string.
+ac_dA='s,^\\([	 #]*\\)[^	 ]*\\([	 ]*'
+ac_dB='\\)[	 (].*,\\1define\\2'
+ac_dC=' '
+ac_dD=' ,'
+
+uniq confdefs.h |
+  sed -n '
+	t rset
+	:rset
+	s/^[	 ]*#[	 ]*define[	 ][	 ]*//
+	t ok
+	d
+	:ok
+	s/[\\&,]/\\&/g
+	s/^\('"$ac_word_re"'\)\(([^()]*)\)[	 ]*\(.*\)/ '"$ac_dA"'\1'"$ac_dB"'\2'"${ac_dC}"'\3'"$ac_dD"'/p
+	s/^\('"$ac_word_re"'\)[	 ]*\(.*\)/'"$ac_dA"'\1'"$ac_dB$ac_dC"'\2'"$ac_dD"'/p
+  ' >>conftest.defines
+
+# Remove the space that was appended to ease matching.
+# Then replace #undef with comments.  This is necessary, for
 # example, in the case of _POSIX_SOURCE, which is predefined and required
 # on some systems where configure will not decide to define it.
-cat >>conftest.undefs <<\_ACEOF
-s,^[	 ]*#[	 ]*undef[	 ][	 ]*[a-zA-Z_][a-zA-Z_0-9]*,/* & */,
-_ACEOF
-
-# Break up conftest.defines because some shells have a limit on the size
-# of here documents, and old seds have small limits too (100 cmds).
-echo '  # Handle all the #define templates only if necessary.' >>$CONFIG_STATUS
-echo '  if grep "^[	 ]*#[	 ]*define" $tmp/in >/dev/null; then' >>$CONFIG_STATUS
-echo '  # If there are no defines, we may have an empty if/fi' >>$CONFIG_STATUS
-echo '  :' >>$CONFIG_STATUS
-rm -f conftest.tail
-while grep . conftest.defines >/dev/null
+# (The regexp can be short, since the line contains either #define or #undef.)
+echo 's/ $//
+s,^[	 #]*u.*,/* & */,' >>conftest.defines
+
+# Break up conftest.defines:
+ac_max_sed_lines=50
+
+# First sed command is:	 sed -f defines.sed $ac_file_inputs >"$tmp/out1"
+# Second one is:	 sed -f defines.sed "$tmp/out1" >"$tmp/out2"
+# Third one will be:	 sed -f defines.sed "$tmp/out2" >"$tmp/out1"
+# et cetera.
+ac_in='$ac_file_inputs'
+ac_out='"$tmp/out1"'
+ac_nxt='"$tmp/out2"'
+
+while :
 do
-  # Write a limited-size here document to $tmp/defines.sed.
-  echo '  cat >$tmp/defines.sed <<CEOF' >>$CONFIG_STATUS
-  # Speed up: don't consider the non `#define' lines.
-  echo '/^[	 ]*#[	 ]*define/!b' >>$CONFIG_STATUS
-  # Work around the forget-to-reset-the-flag bug.
-  echo 't clr' >>$CONFIG_STATUS
-  echo ': clr' >>$CONFIG_STATUS
-  sed ${ac_max_here_lines}q conftest.defines >>$CONFIG_STATUS
+  # Write a here document:
+    cat >>$CONFIG_STATUS <<_ACEOF
+    # First, check the format of the line:
+    cat >"\$tmp/defines.sed" <<\\CEOF
+/^[	 ]*#[	 ]*undef[	 ][	 ]*$ac_word_re[	 ]*\$/b def
+/^[	 ]*#[	 ]*define[	 ][	 ]*$ac_word_re[(	 ]/b def
+b
+:def
+_ACEOF
+  sed ${ac_max_sed_lines}q conftest.defines >>$CONFIG_STATUS
   echo 'CEOF
-  sed -f $tmp/defines.sed $tmp/in >$tmp/out
-  rm -f $tmp/in
-  mv $tmp/out $tmp/in
-' >>$CONFIG_STATUS
-  sed 1,${ac_max_here_lines}d conftest.defines >conftest.tail
+    sed -f "$tmp/defines.sed"' "$ac_in >$ac_out" >>$CONFIG_STATUS
+  ac_in=$ac_out; ac_out=$ac_nxt; ac_nxt=$ac_in
+  sed 1,${ac_max_sed_lines}d conftest.defines >conftest.tail
+  grep . conftest.tail >/dev/null || break
   rm -f conftest.defines
   mv conftest.tail conftest.defines
 done
-rm -f conftest.defines
-echo '  fi # grep' >>$CONFIG_STATUS
-echo >>$CONFIG_STATUS
-
-# Break up conftest.undefs because some shells have a limit on the size
-# of here documents, and old seds have small limits too (100 cmds).
-echo '  # Handle all the #undef templates' >>$CONFIG_STATUS
-rm -f conftest.tail
-while grep . conftest.undefs >/dev/null
-do
-  # Write a limited-size here document to $tmp/undefs.sed.
-  echo '  cat >$tmp/undefs.sed <<CEOF' >>$CONFIG_STATUS
-  # Speed up: don't consider the non `#undef'
-  echo '/^[	 ]*#[	 ]*undef/!b' >>$CONFIG_STATUS
-  # Work around the forget-to-reset-the-flag bug.
-  echo 't clr' >>$CONFIG_STATUS
-  echo ': clr' >>$CONFIG_STATUS
-  sed ${ac_max_here_lines}q conftest.undefs >>$CONFIG_STATUS
-  echo 'CEOF
-  sed -f $tmp/undefs.sed $tmp/in >$tmp/out
-  rm -f $tmp/in
-  mv $tmp/out $tmp/in
-' >>$CONFIG_STATUS
-  sed 1,${ac_max_here_lines}d conftest.undefs >conftest.tail
-  rm -f conftest.undefs
-  mv conftest.tail conftest.undefs
-done
-rm -f conftest.undefs
+rm -f conftest.defines conftest.tail
 
+echo "ac_result=$ac_in" >>$CONFIG_STATUS
 cat >>$CONFIG_STATUS <<\_ACEOF
-  # Let's still pretend it is `configure' which instantiates (i.e., don't
-  # use $as_me), people would be surprised to read:
-  #    /* config.h.  Generated by config.status.  */
-  if test x"$ac_file" = x-; then
-    echo "/* Generated by configure.  */" >$tmp/config.h
-  else
-    echo "/* $ac_file.  Generated by configure.  */" >$tmp/config.h
-  fi
-  cat $tmp/in >>$tmp/config.h
-  rm -f $tmp/in
   if test x"$ac_file" != x-; then
-    if diff $ac_file $tmp/config.h >/dev/null 2>&1; then
+    echo "/* $configure_input  */" >"$tmp/config.h"
+    cat "$ac_result" >>"$tmp/config.h"
+    if diff $ac_file "$tmp/config.h" >/dev/null 2>&1; then
       { echo "$as_me:$LINENO: $ac_file is unchanged" >&5
 echo "$as_me: $ac_file is unchanged" >&6;}
     else
-      ac_dir=`(dirname "$ac_file") 2>/dev/null ||
-$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$ac_file" : 'X\(//\)[^/]' \| \
-	 X"$ac_file" : 'X\(//\)$' \| \
-	 X"$ac_file" : 'X\(/\)' \| \
-	 .     : '\(.\)' 2>/dev/null ||
-echo X"$ac_file" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
-  	  /^X\(\/\/\)[^/].*/{ s//\1/; q; }
-  	  /^X\(\/\/\)$/{ s//\1/; q; }
-  	  /^X\(\/\).*/{ s//\1/; q; }
-  	  s/.*/./; q'`
-      { if $as_mkdir_p; then
-    mkdir -p "$ac_dir"
-  else
-    as_dir="$ac_dir"
-    as_dirs=
-    while test ! -d "$as_dir"; do
-      as_dirs="$as_dir $as_dirs"
-      as_dir=`(dirname "$as_dir") 2>/dev/null ||
-$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$as_dir" : 'X\(//\)[^/]' \| \
-	 X"$as_dir" : 'X\(//\)$' \| \
-	 X"$as_dir" : 'X\(/\)' \| \
-	 .     : '\(.\)' 2>/dev/null ||
-echo X"$as_dir" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
-  	  /^X\(\/\/\)[^/].*/{ s//\1/; q; }
-  	  /^X\(\/\/\)$/{ s//\1/; q; }
-  	  /^X\(\/\).*/{ s//\1/; q; }
-  	  s/.*/./; q'`
-    done
-    test ! -n "$as_dirs" || mkdir $as_dirs
-  fi || { { echo "$as_me:$LINENO: error: cannot create directory \"$ac_dir\"" >&5
-echo "$as_me: error: cannot create directory \"$ac_dir\"" >&2;}
-   { (exit 1); exit 1; }; }; }
-
       rm -f $ac_file
-      mv $tmp/config.h $ac_file
+      mv "$tmp/config.h" $ac_file
     fi
   else
-    cat $tmp/config.h
-    rm -f $tmp/config.h
+    echo "/* $configure_input  */"
+    cat "$ac_result"
   fi
+  rm -f "$tmp/out12"
 # Compute $ac_file's index in $config_headers.
 _am_stamp_count=1
 for _am_header in $config_headers :; do
@@ -54767,22 +54249,36 @@ for _am_header in $config_headers :; do
       _am_stamp_count=`expr $_am_stamp_count + 1` ;;
   esac
 done
-echo "timestamp for $ac_file" >`(dirname $ac_file) 2>/dev/null ||
+echo "timestamp for $ac_file" >`$as_dirname -- $ac_file ||
 $as_expr X$ac_file : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
 	 X$ac_file : 'X\(//\)[^/]' \| \
 	 X$ac_file : 'X\(//\)$' \| \
-	 X$ac_file : 'X\(/\)' \| \
-	 .     : '\(.\)' 2>/dev/null ||
+	 X$ac_file : 'X\(/\)' \| . 2>/dev/null ||
 echo X$ac_file |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
-  	  /^X\(\/\/\)[^/].*/{ s//\1/; q; }
-  	  /^X\(\/\/\)$/{ s//\1/; q; }
-  	  /^X\(\/\).*/{ s//\1/; q; }
-  	  s/.*/./; q'`/stamp-h$_am_stamp_count
-done
-_ACEOF
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`/stamp-h$_am_stamp_count
+ ;;
+
+
+  esac
+
+done # for ac_tag
 
-cat >>$CONFIG_STATUS <<\_ACEOF
 
 { (exit 0); exit 0; }
 _ACEOF
@@ -54815,7 +54311,7 @@ fi
 
 cat > include/newversion.h.in <<EOF
 const char *heimdal_long_version = "@(#)\$Version: $PACKAGE_STRING by @USER@ on @HOST@ ($host) @DATE@ \$";
-const char *heimdal_version = "Heimdal 0.6.3";
+const char *heimdal_version = "Heimdal 1.1";
 EOF
 
 if test -f include/version.h && cmp -s include/newversion.h.in include/version.h.in; then
diff --git a/crypto/heimdal/configure.in b/crypto/heimdal/configure.in
index a12eeb1..a039a71 100644
--- a/crypto/heimdal/configure.in
+++ b/crypto/heimdal/configure.in
@@ -1,18 +1,18 @@
 dnl Process this file with autoconf to produce a configure script.
-AC_REVISION($Revision: 1.331.2.8 $)
-AC_PREREQ(2.53)
-##test -z "$CFLAGS" && CFLAGS="-g"
-AC_INIT([Heimdal], [0.6.3], [heimdal-bugs@pdc.kth.se])
+AC_REVISION($Revision: 22513 $)
+AC_PREREQ([2.59])
+test -z "$CFLAGS" && CFLAGS="-g"
+AC_INIT([Heimdal],[1.1],[heimdal-bugs@h5l.org])
 AC_CONFIG_SRCDIR([kuser/kinit.c])
-AM_CONFIG_HEADER(include/config.h)
+AC_CONFIG_HEADERS(include/config.h)
+
+AM_INIT_AUTOMAKE([foreign no-dependencies 1.8])
+AM_MAINTAINER_MODE
 
 dnl Checks for programs.
 AC_PROG_CC
+AM_PROG_CC_C_O
 AC_PROG_CPP
-AC_PROG_CC_STDC
-
-AM_INIT_AUTOMAKE([foreign no-dependencies 1.7])
-AM_MAINTAINER_MODE
 
 AC_PREFIX_DEFAULT(/usr/heimdal)
 
@@ -23,12 +23,10 @@ AC_CANONICAL_HOST
 CANONICAL_HOST=$host
 AC_SUBST(CANONICAL_HOST)
 
-AC_SYS_LARGEFILE
-dnl need to set this on the command line, since it might otherwise break
-dnl with generated code, such as lex
-if test "$enable_largefile" != no -a "$ac_cv_sys_large_files" != no; then
-	CPPFLAGS="$CPPFLAGS -D_LARGE_FILES=$ac_cv_sys_large_files"
-fi
+dnl Hints for autobuild
+AB_INIT
+
+rk_SYS_LARGEFILE
 
 dnl
 dnl this is needed to run the configure tests against glibc
@@ -52,110 +50,49 @@ libdir="$libdir$abilibdirext"
 
 AC_C___ATTRIBUTE__
 
-AC_ENABLE_SHARED(no)
 AC_PROG_LIBTOOL
 
-AC_WFLAGS(-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs)
+AM_CONDITIONAL(ENABLE_SHARED, test "$enable_shared" = "yes")
+rk_VERSIONSCRIPT
 
 rk_TEST_PACKAGE(openldap,
 [#include <lber.h>
 #include <ldap.h>],
 [-lldap -llber],,,OPENLDAP)
 
-rk_TEST_PACKAGE(krb4,[#include <krb.h>],-lkrb,-ldes,/usr/athena, KRB4, krb4-config)
-
-LIB_kdb=
-if test "$with_krb4" != "no"; then
-	save_CFLAGS="$CFLAGS"
-	CFLAGS="$CFLAGS $INCLUDE_krb4"
-	save_LIBS="$LIBS"
-	LIBS="$LIB_krb4 $LIBS"
-	EXTRA_LIB45=lib45.a
-	AC_SUBST(EXTRA_LIB45)
-	AC_CACHE_CHECK(for four valued krb_put_int, ac_cv_func_krb_put_int_four,
-		[AC_TRY_COMPILE([#include <krb.h>],[
-		char tmp[4];
-		krb_put_int(17, tmp, 4, sizeof(tmp));],
-		ac_cv_func_krb_put_int_four=yes,
-		ac_cv_func_krb_put_int_four=no)
-	])
-	if test "$ac_cv_func_krb_put_int_four" = yes; then
-		AC_DEFINE(HAVE_FOUR_VALUED_KRB_PUT_INT, 1,
-			[define if krb_put_int takes four arguments.])
-	fi
-	AH_BOTTOM([#if defined(HAVE_FOUR_VALUED_KRB_PUT_INT) || !defined(KRB4)
-#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (L), (S))
-#else
-#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (S))
-#endif
-])
-	AC_CACHE_CHECK(for KRB_VERIFY_SECURE, ac_cv_func_krb_verify_secure,
-		[AC_TRY_COMPILE([#include <krb.h>],[
-		int x = KRB_VERIFY_SECURE],
-		ac_cv_func_krb_verify_secure=yes,
-		ac_cv_func_krb_verify_secure=no)
-	])
-	if test "$ac_cv_func_krb_verify_secure" != yes; then
-		AC_DEFINE(KRB_VERIFY_SECURE, 1,
-			[Define to one if your krb.h doesn't])
-		AC_DEFINE(KRB_VERIFY_SECURE_FAIL, 2,
-			[Define to two if your krb.h doesn't])
-	fi
-	AC_CACHE_CHECK(for KRB_VERIFY_NOT_SECURE,
-		ac_cv_func_krb_verify_not_secure,
-		[AC_TRY_COMPILE([#include <krb.h>],[
-		int x = KRB_VERIFY_NOT_SECURE],
-		ac_cv_func_krb_verify_not_secure=yes,
-		ac_cv_func_krb_verify_not_secure=no)
-	])
-	if test "$ac_cv_func_krb_verify_not_secure" != yes; then
-		AC_DEFINE(KRB_VERIFY_NOT_SECURE, 0,
-			[Define to zero if your krb.h doesn't])
-	fi
-	AC_FIND_FUNC(krb_enable_debug)
-	AC_FIND_FUNC(krb_disable_debug)
-	AC_FIND_FUNC(krb_get_our_ip_for_realm)
-	AC_FIND_FUNC(krb_kdctimeofday)
-	AH_BOTTOM(
-	[#ifndef HAVE_KRB_KDCTIMEOFDAY
-#define krb_kdctimeofday(X) gettimeofday((X), NULL)
-#endif])
-	AC_FIND_FUNC(krb_get_kdc_time_diff)
-	AH_BOTTOM(
-	[#ifndef HAVE_KRB_GET_KDC_TIME_DIFF
-#define krb_get_kdc_time_diff() (0)
-#endif])
-	AC_CACHE_CHECK([for KRB_SENDAUTH_VERS],
-		ac_cv_func_krb_sendauth_vers,
-		[AC_TRY_COMPILE([#include <krb.h>
-			#include <prot.h>],[
-		char *x = KRB_SENDAUTH_VERS],
-		ac_cv_func_krb_sendauth_vers=yes,
-		ac_cv_func_krb_sendauth_vers=no)
-	])
-	if test "$ac_cv_func_krb_sendauth_vers" != yes; then
-		AC_DEFINE(KRB_SENDAUTH_VERS, ["AUTHV0.1"],
-			[This is the krb4 sendauth version.])
-	fi
-	AC_CACHE_CHECK(for krb_mk_req with const arguments,
-		ac_cv_func_krb_mk_req_const,
-		[AC_TRY_COMPILE([#include <krb.h>
-		int krb_mk_req(KTEXT a, const char *s, const char *i,
-			       const char *r, int32_t checksum)
-		{ return 17; }], [],
-		ac_cv_func_krb_mk_req_const=yes,
-		ac_cv_func_krb_mk_req_const=no)
-	])
-	if test "$ac_cv_func_krb_mk_req_const" = "yes"; then
-		AC_DEFINE(KRB_MK_REQ_CONST, 1,
-			[Define if krb_mk_req takes const char *])
-	fi
-
-	LIBS="$save_LIBS"
-	CFLAGS="$save_CFLAGS"
-	LIB_kdb="-lkdb -lkrb"
+AC_ARG_ENABLE(hdb-openldap-module, 
+	AS_HELP_STRING([--enable-hdb-openldap-module],
+		[if you want support to build openldap hdb as shared object]))
+if test "$enable_hdb_openldap_module" = yes -a "$with_openldap" = yes; then
+    AC_DEFINE(OPENLDAP_MODULE, 1, [Define if you want support for hdb ldap module])
 fi
-AM_CONDITIONAL(KRB4, test "$with_krb4" != "no")
+AM_CONDITIONAL(OPENLDAP_MODULE, test "$enable_hdb_openldap_module" = yes -a "$with_openldap" = yes)
+
+AC_ARG_ENABLE(pk-init, 
+	AS_HELP_STRING([--disable-pk-init],
+		[if you want disable to PK-INIT support]))
+if test "$enable_pk_init" != no ;then
+	AC_DEFINE([PKINIT], 1, [Define to enable PKINIT.])
+fi
+AM_CONDITIONAL(PKINIT, test "$enable_pk_init" != no)
+
+
+dnl path where the hdb directory is stored
+AC_ARG_WITH([hdbdir], 
+	[AC_HELP_STRING([--with-hdbdir],
+		[Default location for KDC database @<:@default=/var/heimdal@:>@])],
+	[],
+	[with_hdbdir=/var/heimdal])
+DIR_hdbdir="$with_hdbdir"
+AC_SUBST([DIR_hdbdir])
+
+
+dnl no kerberos4 any more
+with_krb4=no
+AC_SUBST(INCLUDE_krb4)
+AC_SUBST(LIB_krb4)
+AM_CONDITIONAL(KRB4, false)
+
 AM_CONDITIONAL(KRB5, true)
 AM_CONDITIONAL(do_roken_rename, true)
 
@@ -164,8 +101,10 @@ AC_SUBST(LIB_kdb)dnl
 
 KRB_CRYPTO
 
+KRB_PTHREADS
+
 AC_ARG_ENABLE(dce, 
-	AC_HELP_STRING([--enable-dce],[if you want support for DCE/DFS PAG's]))
+	AS_HELP_STRING([--enable-dce],[if you want support for DCE/DFS PAG's]))
 if test "$enable_dce" = yes; then
     AC_DEFINE(DCE, 1, [Define if you want support for DCE/DFS PAG's.])
 fi
@@ -185,11 +124,20 @@ AC_SUBST(dpagaix_cflags)
 AC_SUBST(dpagaix_ldadd)
 AC_SUBST(dpagaix_ldflags)
 
+AC_ARG_ENABLE([afs-support],
+	AC_HELP_STRING([--disable-afs-support],
+		[if you don't want support for AFS]))
+if test "$enable_afs_support" = no; then
+	AC_DEFINE(NO_AFS, 1, [Define if you don't wan't support for AFS.])
+fi
+
 rk_DB
 
 dnl AC_ROKEN(10,[/usr/heimdal /usr/athena],[lib/roken],[$(top_builddir)/lib/roken/libroken.la],[-I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken])
 
 rk_ROKEN(lib/roken)
+LIBADD_roken="$LIB_roken"
+AC_SUBST(LIBADD_roken)dnl
 LIB_roken="\$(top_builddir)/lib/vers/libvers.la $LIB_roken"
 
 rk_OTP
@@ -197,11 +145,21 @@ rk_OTP
 AC_CHECK_OSFC2
 
 AC_ARG_ENABLE(mmap,
-	AC_HELP_STRING([--disable-mmap],[disable use of mmap]))
+	AS_HELP_STRING([--disable-mmap],[disable use of mmap]))
 if test "$enable_mmap" = "no"; then
 	AC_DEFINE(NO_MMAP, 1, [Define if you don't want to use mmap.])
 fi
 
+AC_ARG_ENABLE(afs-string-to-key,
+	AS_HELP_STRING([--disable-afs-string-to-key],
+	[disable use of weak AFS string-to-key functions]),
+	[], [enable_afs_string_to_key=yes])
+
+if test "$enable_afs_string_to_key" = "yes"; then
+	AC_DEFINE(ENABLE_AFS_STRING_TO_KEY, 1, [Define if want to use the weak AFS string to key functions.])
+fi
+
+
 rk_CHECK_MAN
 
 rk_TEST_PACKAGE(readline,
@@ -256,10 +214,10 @@ AC_CHECK_HEADERS([\
 	pthread.h				\
 	pty.h					\
 	sac.h					\
-	security/pam_modules.h			\
 	sgtty.h					\
 	siad.h					\
 	signal.h				\
+	strings.h				\
 	stropts.h				\
 	sys/bitypes.h				\
 	sys/category.h				\
@@ -267,50 +225,113 @@ AC_CHECK_HEADERS([\
 	sys/filio.h				\
 	sys/ioccom.h				\
 	sys/mman.h				\
+	sys/param.h				\
 	sys/pty.h				\
 	sys/ptyio.h				\
-	sys/ptyvar.h				\
 	sys/select.h				\
+	sys/socket.h				\
 	sys/str_tty.h				\
 	sys/stream.h				\
 	sys/stropts.h				\
-	sys/strtty.h				\
 	sys/syscall.h				\
 	sys/termio.h				\
 	sys/timeb.h				\
 	sys/times.h				\
+	sys/types.h				\
 	sys/un.h				\
-	term.h					\
 	termcap.h				\
 	termio.h				\
+	termios.h				\
 	time.h					\
 	tmpdir.h				\
 	udb.h					\
+	util.h					\
 	utmp.h					\
 	utmpx.h					\
 ])
 
+dnl On Solaris 8 there's a compilation warning for term.h because
+dnl it doesn't define `bool'.
+AC_CHECK_HEADERS(term.h, , , -)
+
+AC_CHECK_HEADERS(net/if.h, , , [AC_INCLUDES_DEFAULT
+#if HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif])
+
+AC_CHECK_HEADERS(sys/ptyvar.h, , , [AC_INCLUDES_DEFAULT
+#if HAVE_SYS_TTY_H
+#include <sys/tty.h>
+#endif])
+
+AC_CHECK_HEADERS(sys/strtty.h, , , [AC_INCLUDES_DEFAULT
+#if HAVE_TERMIOS_H
+#include <termios.h>
+#endif
+#if HAVE_SYS_STREAM_H
+#include <sys/stream.h>
+#endif])
+
+AC_CHECK_HEADERS(sys/ucred.h, , , [AC_INCLUDES_DEFAULT
+#if HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#if HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif])
+
+AC_CHECK_HEADERS(security/pam_modules.h, , , [AC_INCLUDES_DEFAULT
+#include <security/pam_appl.h>
+])
+
 AC_ARG_ENABLE(netinfo,
-	AC_HELP_STRING([--enable-netinfo],[enable netinfo for configuration lookup]))
+	AS_HELP_STRING([--enable-netinfo],[enable netinfo for configuration lookup]))
 
 if test "$ac_cv_header_netinfo_ni_h" = yes -a "$enable_netinfo" = yes; then
        AC_DEFINE(HAVE_NETINFO, 1,
                [Define if you want to use Netinfo instead of krb5.conf.])
 fi
 
+dnl export symbols
+rk_WIN32_EXPORT(BUILD_KRB5_LIB, KRB5_LIB_FUNCTION)
+rk_WIN32_EXPORT(BUILD_ROKEN_LIB, ROKEN_LIB_FUNCTION)
+
 dnl Checks for libraries.
 
-AC_FIND_FUNC_NO_LIBS(logwtmp, util)
-AC_FIND_FUNC_NO_LIBS(logout, util)
-AC_FIND_FUNC_NO_LIBS(openpty, util)
-AC_FIND_FUNC_NO_LIBS(tgetent, termcap ncurses curses)
+AC_FIND_FUNC_NO_LIBS(logwtmp, util,[
+#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif
+],[0,0,0])
+AC_FIND_FUNC_NO_LIBS(logout, util,[
+#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif
+],[0])
+AC_FIND_FUNC_NO_LIBS(openpty, util,[
+#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif
+],[0,0,0,0,0])
+
+AC_FIND_FUNC_NO_LIBS(tgetent, termcap ncurses curses,[
+#ifdef HAVE_TERMCAP_H
+#include <termcap.h>
+#endif
+#ifdef HAVE_CURSES_H
+#include <curses.h>
+#endif
+],[0,0])
 
 dnl Checks for library functions.
 
 AC_CHECK_FUNCS([				\
 	_getpty					\
 	_scrsize				\
+	arc4random				\
 	fcntl					\
+	getpeereid				\
+	getpeerucred				\
 	grantpt					\
 	mktime					\
 	ptsname					\
@@ -329,7 +350,6 @@ AC_CHECK_FUNCS([				\
 	setutent				\
 	sigaction				\
 	strstr					\
-	timegm					\
 	ttyname					\
 	ttyslot					\
 	umask					\
@@ -344,6 +364,31 @@ KRB_CAPABILITIES
 
 AC_CHECK_GETPWNAM_R_POSIX
 
+dnl detect doors on solaris
+if test "$enable_pthread_support" != no; then
+   saved_LIBS="$LIBS"
+   LIBS="$LIBS $PTHREADS_LIBS"
+   AC_FIND_FUNC_NO_LIBS(door_create, door)
+   LIBS="$saved_LIBS"
+fi
+
+AC_ARG_ENABLE(kcm,
+	AS_HELP_STRING([--enable-kcm],[enable Kerberos Credentials Manager]),
+,[enable_kcm=yes])
+
+if test "$enable_kcm" = yes ; then
+   if test  "$ac_cv_header_sys_un_h" != yes -a "$ac_cv_funclib_door_create" != yes ; then
+  	enable_kcm=no
+   fi
+fi
+if test "$enable_kcm" = yes; then
+       AC_DEFINE(HAVE_KCM, 1,
+               [Define if you want to use the Kerberos Credentials Manager.])
+fi
+AM_CONDITIONAL(KCM, test "$enable_kcm" = yes)
+
+
+
 dnl Cray stuff
 AC_CHECK_FUNCS(getudbnam setlim)
 
@@ -382,6 +427,8 @@ AC_CHECK_TYPES([int8_t, int16_t, int32_t, int64_t,
 #endif
 ])
 
+rk_FRAMEWORK_SECURITY
+
 KRB_READLINE
 
 rk_TELNET
@@ -393,16 +440,18 @@ rk_AUTH_MODULES([sia afskauthlib])
 
 rk_DESTDIRS
 
-LTLIBOBJS=`echo "$LIB@&t@OBJS" |
-	sed 's,\.[[^.]]* ,.lo ,g;s,\.[[^.]]*$,.lo,'`
-AC_SUBST(LTLIBOBJS)
+rk_WFLAGS([-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs])
+
 
 AH_BOTTOM([#ifdef ROKEN_RENAME
 #include "roken_rename.h"
 #endif])
 
 AC_CONFIG_FILES(Makefile 		\
+	etc/Makefile			\
 	include/Makefile		\
+	include/gssapi/Makefile		\
+	include/hcrypto/Makefile	\
 	include/kadm5/Makefile		\
 	lib/Makefile			\
 	lib/45/Makefile			\
@@ -412,9 +461,11 @@ AC_CONFIG_FILES(Makefile 		\
 	lib/auth/sia/Makefile		\
 	lib/asn1/Makefile		\
 	lib/com_err/Makefile		\
-	lib/des/Makefile		\
+	lib/hcrypto/Makefile		\
 	lib/editline/Makefile		\
+	lib/hx509/Makefile		\
 	lib/gssapi/Makefile		\
+	lib/ntlm/Makefile		\
 	lib/hdb/Makefile		\
 	lib/kadm5/Makefile		\
 	lib/kafs/Makefile		\
@@ -428,6 +479,7 @@ AC_CONFIG_FILES(Makefile 		\
 	kpasswd/Makefile		\
 	kadmin/Makefile			\
 	admin/Makefile			\
+	kcm/Makefile			\
 	kdc/Makefile			\
 	appl/Makefile			\
 	appl/afsutil/Makefile		\
@@ -435,6 +487,7 @@ AC_CONFIG_FILES(Makefile 		\
 	appl/ftp/common/Makefile	\
 	appl/ftp/ftp/Makefile		\
 	appl/ftp/ftpd/Makefile		\
+	appl/gssmask/Makefile		\
 	appl/kx/Makefile		\
 	appl/login/Makefile		\
 	appl/otp/Makefile		\
@@ -451,6 +504,17 @@ AC_CONFIG_FILES(Makefile 		\
 	appl/test/Makefile		\
 	appl/kf/Makefile		\
 	appl/dceutils/Makefile		\
+	tests/Makefile			\
+	tests/can/Makefile		\
+	tests/db/Makefile		\
+	tests/kdc/Makefile		\
+	tests/ldap/Makefile		\
+	tests/gss/Makefile		\
+	tests/java/Makefile		\
+	tests/plugin/Makefile		\
+	packages/Makefile		\
+	packages/mac/Makefile		\
+	packages/debian/Makefile	\
 	doc/Makefile			\
 	tools/Makefile			\
 )
diff --git a/crypto/heimdal/doc/Makefile.am b/crypto/heimdal/doc/Makefile.am
index 6507fff..87473fe 100644
--- a/crypto/heimdal/doc/Makefile.am
+++ b/crypto/heimdal/doc/Makefile.am
@@ -1,8 +1,85 @@
-# $Id: Makefile.am,v 1.6.26.1 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am 22284 2007-12-13 20:39:37Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
 AUTOMAKE_OPTIONS = no-texinfo.tex
 
-info_TEXINFOS = heimdal.texi
-heimdal_TEXINFOS = intro.texi install.texi setup.texi kerberos4.texi
+MAKEINFOFLAGS = --no-split --css-include=$(srcdir)/heimdal.css
+
+TEXI2DVI = true # ARGH, make distcheck can't be disabled to not build dvifiles
+
+info_TEXINFOS = heimdal.texi hx509.texi
+
+dxy_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
+	-e 's,[@]objdir[@],.,g' \
+	-e 's,[@]PACKAGE_VERSION[@],$(PACKAGE_VERSION),g'
+
+krb5.dxy: krb5.din Makefile
+	$(dxy_subst) < $(srcdir)/krb5.din > krb5.dxy.tmp
+	chmod +x krb5.dxy.tmp
+	mv krb5.dxy.tmp krb5.dxy
+
+ntlm.dxy: ntlm.din Makefile
+	$(dxy_subst) < $(srcdir)/ntlm.din > ntlm.dxy.tmp
+	chmod +x ntlm.dxy.tmp
+	mv ntlm.dxy.tmp ntlm.dxy
+
+hx509.dxy: hx509.din Makefile
+	$(dxy_subst) < $(srcdir)/hx509.din > hx509.dxy.tmp
+	chmod +x hx509.dxy.tmp
+	mv hx509.dxy.tmp hx509.dxy
+
+hcrypto.dxy: hcrypto.din Makefile
+	$(dxy_subst) < $(srcdir)/hcrypto.din > hcrypto.dxy.tmp
+	chmod +x hcrypto.dxy.tmp
+	mv hcrypto.dxy.tmp hcrypto.dxy
+
+
+texi_subst = sed -e 's,[@]dbdir[@],$(localstatedir),g' \
+	-e 's,[@]PACKAGE_VERSION[@],$(PACKAGE_VERSION),g'
+
+vars.texi: vars.tin Makefile
+	$(texi_subst) < $(srcdir)/vars.tin > vars.texi.tmp
+	chmod +x vars.texi.tmp
+	mv vars.texi.tmp vars.texi
+
+doxygen: krb5.dxy ntlm.dxy hx509.dxy hcrypto.dxy
+	doxygen krb5.dxy
+	doxygen ntlm.dxy
+	doxygen hx509.dxy
+	doxygen hcrypto.dxy
+
+heimdal_TEXINFOS = \
+	ack.texi \
+	apps.texi \
+	heimdal.texi \
+	install.texi \
+	intro.texi \
+	kerberos4.texi \
+	migration.texi \
+	misc.texi \
+	programming.texi \
+	setup.texi \
+	vars.texi \
+	whatis.texi \
+	win2k.texi
+
+EXTRA_DIST = \
+	krb5.din \
+	ntlm.din \
+	hx509.din \
+	hcrypto.din \
+	heimdal.css \
+	init-creds \
+	latin1.tex \
+	layman.asc \
+	doxytmpl.dxy \
+	vars.tin
+
+CLEANFILES = \
+	krb5.dxy* \
+	ntlm.dxy* \
+	hx509.dxy* \
+	hcrypto.dxy* \
+	vars.texi*
+
diff --git a/crypto/heimdal/doc/Makefile.in b/crypto/heimdal/doc/Makefile.in
index ebf4395..b79a7e3 100644
--- a/crypto/heimdal/doc/Makefile.in
+++ b/crypto/heimdal/doc/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,20 +14,16 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.6.26.1 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am 22284 2007-12-13 20:39:37Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -39,6 +35,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(heimdal_TEXINFOS) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \
@@ -46,16 +43,14 @@ DIST_COMMON = $(heimdal_TEXINFOS) $(srcdir)/Makefile.am \
 subdir = doc
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -68,6 +63,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -76,44 +72,47 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
 depcomp =
 am__depfiles_maybe =
 SOURCES =
 DIST_SOURCES =
-INFO_DEPS = $(srcdir)/heimdal.info
+INFO_DEPS = $(srcdir)/heimdal.info $(srcdir)/hx509.info
 am__TEXINFO_TEX_DIR = $(srcdir)
-DVIS = heimdal.dvi
-PDFS = heimdal.pdf
-PSS = heimdal.ps
-HTMLS = heimdal.html
-TEXINFOS = heimdal.texi
-TEXI2DVI = texi2dvi
+DVIS = heimdal.dvi hx509.dvi
+PDFS = heimdal.pdf hx509.pdf
+PSS = heimdal.ps hx509.ps
+HTMLS = heimdal.html hx509.html
+TEXINFOS = heimdal.texi hx509.texi
 TEXI2PDF = $(TEXI2DVI) --pdf --batch
 MAKEINFOHTML = $(MAKEINFO) --html
 AM_MAKEINFOHTMLFLAGS = $(AM_MAKEINFOFLAGS)
 DVIPS = dvips
 am__installdirs = "$(DESTDIR)$(infodir)"
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -123,8 +122,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -135,11 +132,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -147,42 +143,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -200,12 +181,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -215,15 +193,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -232,6 +209,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -243,15 +221,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -259,74 +232,79 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -343,14 +321,57 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 AUTOMAKE_OPTIONS = no-texinfo.tex
-info_TEXINFOS = heimdal.texi
-heimdal_TEXINFOS = intro.texi install.texi setup.texi kerberos4.texi
+MAKEINFOFLAGS = --no-split --css-include=$(srcdir)/heimdal.css
+TEXI2DVI = true # ARGH, make distcheck can't be disabled to not build dvifiles
+info_TEXINFOS = heimdal.texi hx509.texi
+dxy_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
+	-e 's,[@]objdir[@],.,g' \
+	-e 's,[@]PACKAGE_VERSION[@],$(PACKAGE_VERSION),g'
+
+texi_subst = sed -e 's,[@]dbdir[@],$(localstatedir),g' \
+	-e 's,[@]PACKAGE_VERSION[@],$(PACKAGE_VERSION),g'
+
+heimdal_TEXINFOS = \
+	ack.texi \
+	apps.texi \
+	heimdal.texi \
+	install.texi \
+	intro.texi \
+	kerberos4.texi \
+	migration.texi \
+	misc.texi \
+	programming.texi \
+	setup.texi \
+	vars.texi \
+	whatis.texi \
+	win2k.texi
+
+EXTRA_DIST = \
+	krb5.din \
+	ntlm.din \
+	hx509.din \
+	hcrypto.din \
+	heimdal.css \
+	init-creds \
+	latin1.tex \
+	layman.asc \
+	doxytmpl.dxy \
+	vars.tin
+
+CLEANFILES = \
+	krb5.dxy* \
+	ntlm.dxy* \
+	hx509.dxy* \
+	hcrypto.dxy* \
+	vars.texi*
+
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .dvi .html .info .pdf .ps .texi
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .dvi .html .info .pdf .ps .texi
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -387,20 +408,15 @@ mostlyclean-libtool:
 clean-libtool:
 	-rm -rf .libs _libs
 
-distclean-libtool:
-	-rm -f libtool
-
 .texi.info:
-	restore=: && \
-	backupdir="$(am__leading_dot)am$$$$" && \
+	restore=: && backupdir="$(am__leading_dot)am$$$$" && \
 	am__cwd=`pwd` && cd $(srcdir) && \
 	rm -rf $$backupdir && mkdir $$backupdir && \
-	for f in $@ $@-[0-9] $@-[0-9][0-9] $(@:.info=).i[0-9] $(@:.info=).i[0-9][0-9]; do \
-	  if test -f $$f; then \
-	    mv $$f $$backupdir; \
-	    restore=mv; \
-	  fi; \
-	done; \
+	if ($(MAKEINFO) --version) >/dev/null 2>&1; then \
+	  for f in $@ $@-[0-9] $@-[0-9][0-9] $(@:.info=).i[0-9] $(@:.info=).i[0-9][0-9]; do \
+	    if test -f $$f; then mv $$f $$backupdir; restore=mv; else :; fi; \
+	  done; \
+	else :; fi && \
 	cd "$$am__cwd"; \
 	if $(MAKEINFO) $(AM_MAKEINFOFLAGS) $(MAKEINFOFLAGS) -I $(srcdir) \
 	 -o $@ $<; \
@@ -412,8 +428,7 @@ distclean-libtool:
 	  cd $(srcdir) && \
 	  $$restore $$backupdir/* `echo "./$@" | sed 's|[^/]*$$||'`; \
 	fi; \
-	rm -rf $$backupdir; \
-	exit $$rc
+	rm -rf $$backupdir; exit $$rc
 
 .texi.dvi:
 	TEXINPUTS="$(am__TEXINFO_TEX_DIR)$(PATH_SEPARATOR)$$TEXINPUTS" \
@@ -426,20 +441,50 @@ distclean-libtool:
 	$(TEXI2PDF) $<
 
 .texi.html:
-	$(MAKEINFOHTML) $(AM_MAKEINFOHTMLFLAGS) $(MAKEINFOFLAGS) -I $(srcdir) \
-	 -o $@ $<
-	if test ! -d $@ && test -d $(@:.html=); then \
-	  mv $(@:.html=) $@; else :; fi
+	rm -rf $(@:.html=.htp)
+	if $(MAKEINFOHTML) $(AM_MAKEINFOHTMLFLAGS) $(MAKEINFOFLAGS) -I $(srcdir) \
+	 -o $(@:.html=.htp) $<; \
+	then \
+	  rm -rf $@; \
+	  if test ! -d $(@:.html=.htp) && test -d $(@:.html=); then \
+	    mv $(@:.html=) $@; else mv $(@:.html=.htp) $@; fi; \
+	else \
+	  if test ! -d $(@:.html=.htp) && test -d $(@:.html=); then \
+	    rm -rf $(@:.html=); else rm -Rf $(@:.html=.htp) $@; fi; \
+	  exit 1; \
+	fi
 $(srcdir)/heimdal.info: heimdal.texi $(heimdal_TEXINFOS)
 heimdal.dvi: heimdal.texi $(heimdal_TEXINFOS)
 heimdal.pdf: heimdal.texi $(heimdal_TEXINFOS)
 heimdal.html: heimdal.texi $(heimdal_TEXINFOS)
+$(srcdir)/hx509.info: hx509.texi 
+hx509.dvi: hx509.texi 
+hx509.pdf: hx509.texi 
+hx509.html: hx509.texi 
 .dvi.ps:
+	TEXINPUTS="$(am__TEXINFO_TEX_DIR)$(PATH_SEPARATOR)$$TEXINPUTS" \
 	$(DVIPS) -o $@ $<
 
+uninstall-dvi-am:
+	@$(NORMAL_UNINSTALL)
+	@list='$(DVIS)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
+	  echo " rm -f '$(DESTDIR)$(dvidir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(dvidir)/$$f"; \
+	done
+
+uninstall-html-am:
+	@$(NORMAL_UNINSTALL)
+	@list='$(HTMLS)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
+	  echo " rm -rf '$(DESTDIR)$(htmldir)/$$f'"; \
+	  rm -rf "$(DESTDIR)$(htmldir)/$$f"; \
+	done
+
 uninstall-info-am:
-	$(PRE_UNINSTALL)
-	@if (install-info --version && \
+	@$(PRE_UNINSTALL)
+	@if test -d '$(DESTDIR)$(infodir)' && \
+	    (install-info --version && \
 	     install-info --version 2>&1 | sed 1q | grep -i -v debian) >/dev/null 2>&1; then \
 	  list='$(INFO_DEPS)'; \
 	  for file in $$list; do \
@@ -453,12 +498,28 @@ uninstall-info-am:
 	for file in $$list; do \
 	  relfile=`echo "$$file" | sed 's|^.*/||'`; \
 	  relfile_i=`echo "$$relfile" | sed 's|\.info$$||;s|$$|.i|'`; \
-	  (if cd "$(DESTDIR)$(infodir)"; then \
-	     echo " rm -f $$relfile $$relfile-[0-9] $$relfile-[0-9][0-9] $$relfile_i[0-9] $$relfile_i[0-9][0-9])"; \
+	  (if test -d "$(DESTDIR)$(infodir)" && cd "$(DESTDIR)$(infodir)"; then \
+	     echo " cd '$(DESTDIR)$(infodir)' && rm -f $$relfile $$relfile-[0-9] $$relfile-[0-9][0-9] $$relfile_i[0-9] $$relfile_i[0-9][0-9]"; \
 	     rm -f $$relfile $$relfile-[0-9] $$relfile-[0-9][0-9] $$relfile_i[0-9] $$relfile_i[0-9][0-9]; \
 	   else :; fi); \
 	done
 
+uninstall-pdf-am:
+	@$(NORMAL_UNINSTALL)
+	@list='$(PDFS)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
+	  echo " rm -f '$(DESTDIR)$(pdfdir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(pdfdir)/$$f"; \
+	done
+
+uninstall-ps-am:
+	@$(NORMAL_UNINSTALL)
+	@list='$(PSS)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
+	  echo " rm -f '$(DESTDIR)$(psdir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(psdir)/$$f"; \
+	done
+
 dist-info: $(INFO_DEPS)
 	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
 	list='$(INFO_DEPS)'; \
@@ -467,10 +528,13 @@ dist-info: $(INFO_DEPS)
 	    $(srcdir)/*) base=`echo "$$base" | sed "s|^$$srcdirstrip/||"`;; \
 	  esac; \
 	  if test -f $$base; then d=.; else d=$(srcdir); fi; \
-	  for file in $$d/$$base*; do \
-	    relfile=`expr "$$file" : "$$d/\(.*\)"`; \
-	    test -f $(distdir)/$$relfile || \
-	      cp -p $$file $(distdir)/$$relfile; \
+	  base_i=`echo "$$base" | sed 's|\.info$$||;s|$$|.i|'`; \
+	  for file in $$d/$$base $$d/$$base-[0-9] $$d/$$base-[0-9][0-9] $$d/$$base_i[0-9] $$d/$$base_i[0-9][0-9]; do \
+	    if test -f $$file; then \
+	      relfile=`expr "$$file" : "$$d/\(.*\)"`; \
+	      test -f $(distdir)/$$relfile || \
+		cp -p $$file $(distdir)/$$relfile; \
+	    else :; fi; \
 	  done; \
 	done
 
@@ -478,7 +542,10 @@ mostlyclean-aminfo:
 	-rm -rf heimdal.aux heimdal.cp heimdal.cps heimdal.fn heimdal.fns heimdal.ky \
 	  heimdal.kys heimdal.log heimdal.pg heimdal.tmp heimdal.toc \
 	  heimdal.tp heimdal.tps heimdal.vr heimdal.vrs heimdal.dvi \
-	  heimdal.pdf heimdal.ps heimdal.html
+	  heimdal.pdf heimdal.ps heimdal.html hx509.aux hx509.cp \
+	  hx509.cps hx509.fn hx509.fns hx509.ky hx509.kys hx509.log \
+	  hx509.pg hx509.tmp hx509.toc hx509.tp hx509.tps hx509.vr \
+	  hx509.vrs hx509.dvi hx509.pdf hx509.ps hx509.html
 
 maintainer-clean-aminfo:
 	@list='$(INFO_DEPS)'; for i in $$list; do \
@@ -494,23 +561,21 @@ CTAGS:
 
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/.. $(distdir)/../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -530,7 +595,7 @@ check: check-am
 all-am: Makefile $(INFO_DEPS) all-local
 installdirs:
 	for dir in "$(DESTDIR)$(infodir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -549,9 +614,10 @@ install-strip:
 mostlyclean-generic:
 
 clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -562,7 +628,7 @@ clean-am: clean-generic clean-libtool mostlyclean-am
 
 distclean: distclean-am
 	-rm -f Makefile
-distclean-am: clean-am distclean-generic distclean-libtool
+distclean-am: clean-am distclean-generic
 
 dvi: dvi-am
 
@@ -580,15 +646,44 @@ install-data-am: install-info-am
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
+install-dvi-am: $(DVIS)
+	@$(NORMAL_INSTALL)
+	test -z "$(dvidir)" || $(MKDIR_P) "$(DESTDIR)$(dvidir)"
+	@list='$(DVIS)'; for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  f=$(am__strip_dir) \
+	  echo " $(INSTALL_DATA) '$$d$$p' '$(DESTDIR)$(dvidir)/$$f'"; \
+	  $(INSTALL_DATA) "$$d$$p" "$(DESTDIR)$(dvidir)/$$f"; \
+	done
 install-exec-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
+install-html-am: $(HTMLS)
+	@$(NORMAL_INSTALL)
+	test -z "$(htmldir)" || $(MKDIR_P) "$(DESTDIR)$(htmldir)"
+	@list='$(HTMLS)'; for p in $$list; do \
+	  if test -f "$$p" || test -d "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  f=$(am__strip_dir) \
+	  if test -d "$$d$$p"; then \
+	    echo " $(MKDIR_P) '$(DESTDIR)$(htmldir)/$$f'"; \
+	    $(MKDIR_P) "$(DESTDIR)$(htmldir)/$$f" || exit 1; \
+	    echo " $(INSTALL_DATA) '$$d$$p'/* '$(DESTDIR)$(htmldir)/$$f'"; \
+	    $(INSTALL_DATA) "$$d$$p"/* "$(DESTDIR)$(htmldir)/$$f"; \
+	  else \
+	    echo " $(INSTALL_DATA) '$$d$$p' '$(DESTDIR)$(htmldir)/$$f'"; \
+	    $(INSTALL_DATA) "$$d$$p" "$(DESTDIR)$(htmldir)/$$f"; \
+	  fi; \
+	done
 install-info: install-info-am
 
 install-info-am: $(INFO_DEPS)
 	@$(NORMAL_INSTALL)
-	test -z "$(infodir)" || $(mkdir_p) "$(DESTDIR)$(infodir)"
+	test -z "$(infodir)" || $(MKDIR_P) "$(DESTDIR)$(infodir)"
 	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
 	list='$(INFO_DEPS)'; \
 	for file in $$list; do \
@@ -618,6 +713,28 @@ install-info-am: $(INFO_DEPS)
 	else : ; fi
 install-man:
 
+install-pdf: install-pdf-am
+
+install-pdf-am: $(PDFS)
+	@$(NORMAL_INSTALL)
+	test -z "$(pdfdir)" || $(MKDIR_P) "$(DESTDIR)$(pdfdir)"
+	@list='$(PDFS)'; for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  f=$(am__strip_dir) \
+	  echo " $(INSTALL_DATA) '$$d$$p' '$(DESTDIR)$(pdfdir)/$$f'"; \
+	  $(INSTALL_DATA) "$$d$$p" "$(DESTDIR)$(pdfdir)/$$f"; \
+	done
+install-ps: install-ps-am
+
+install-ps-am: $(PSS)
+	@$(NORMAL_INSTALL)
+	test -z "$(psdir)" || $(MKDIR_P) "$(DESTDIR)$(psdir)"
+	@list='$(PSS)'; for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  f=$(am__strip_dir) \
+	  echo " $(INSTALL_DATA) '$$d$$p' '$(DESTDIR)$(psdir)/$$f'"; \
+	  $(INSTALL_DATA) "$$d$$p" "$(DESTDIR)$(psdir)/$$f"; \
+	done
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -638,18 +755,29 @@ ps: ps-am
 
 ps-am: $(PSS)
 
-uninstall-am: uninstall-info-am
+uninstall-am: uninstall-dvi-am uninstall-html-am uninstall-info-am \
+	uninstall-pdf-am uninstall-ps-am
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
 
 .PHONY: all all-am all-local check check-am check-local clean \
-	clean-generic clean-libtool dist-info distclean \
+	clean-generic clean-libtool dist-hook dist-info distclean \
 	distclean-generic distclean-libtool distdir dvi dvi-am html \
 	html-am info info-am install install-am install-data \
-	install-data-am install-exec install-exec-am install-info \
-	install-info-am install-man install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-aminfo maintainer-clean-generic mostlyclean \
-	mostlyclean-aminfo mostlyclean-generic mostlyclean-libtool pdf \
-	pdf-am ps ps-am uninstall uninstall-am uninstall-info-am
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-aminfo \
+	maintainer-clean-generic mostlyclean mostlyclean-aminfo \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	uninstall uninstall-am uninstall-dvi-am uninstall-hook \
+	uninstall-html-am uninstall-info-am uninstall-pdf-am \
+	uninstall-ps-am
 
 
 install-suid-programs:
@@ -664,8 +792,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -675,19 +803,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -703,7 +843,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -773,14 +913,70 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
+krb5.dxy: krb5.din Makefile
+	$(dxy_subst) < $(srcdir)/krb5.din > krb5.dxy.tmp
+	chmod +x krb5.dxy.tmp
+	mv krb5.dxy.tmp krb5.dxy
+
+ntlm.dxy: ntlm.din Makefile
+	$(dxy_subst) < $(srcdir)/ntlm.din > ntlm.dxy.tmp
+	chmod +x ntlm.dxy.tmp
+	mv ntlm.dxy.tmp ntlm.dxy
+
+hx509.dxy: hx509.din Makefile
+	$(dxy_subst) < $(srcdir)/hx509.din > hx509.dxy.tmp
+	chmod +x hx509.dxy.tmp
+	mv hx509.dxy.tmp hx509.dxy
+
+hcrypto.dxy: hcrypto.din Makefile
+	$(dxy_subst) < $(srcdir)/hcrypto.din > hcrypto.dxy.tmp
+	chmod +x hcrypto.dxy.tmp
+	mv hcrypto.dxy.tmp hcrypto.dxy
+
+vars.texi: vars.tin Makefile
+	$(texi_subst) < $(srcdir)/vars.tin > vars.texi.tmp
+	chmod +x vars.texi.tmp
+	mv vars.texi.tmp vars.texi
+
+doxygen: krb5.dxy ntlm.dxy hx509.dxy hcrypto.dxy
+	doxygen krb5.dxy
+	doxygen ntlm.dxy
+	doxygen hx509.dxy
+	doxygen hcrypto.dxy
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/doc/ack.texi b/crypto/heimdal/doc/ack.texi
index d6586ba..3c41f50 100644
--- a/crypto/heimdal/doc/ack.texi
+++ b/crypto/heimdal/doc/ack.texi
@@ -1,67 +1,71 @@
-@c $Id: ack.texi,v 1.16.2.1 2003/09/18 20:46:05 lha Exp $
+@c $Id: ack.texi 21228 2007-06-20 10:18:03Z lha $
 
 @node  Acknowledgments, , Migration, Top
 @comment  node-name,  next,  previous,  up
 @appendix Acknowledgments
 
-Eric Young wrote ``libdes''.
+Eric Young wrote ``libdes''. Heimdal used to use libdes, without it
+kth-krb would never have existed. Since there are no longer any Eric
+Young code left in the library, we renamed it to libhcrypto.
+
+All functions in libhcrypto have been re-implemented or used available
+public domain code. The core AES function where written by Vincent
+Rijmen, Antoon Bosselaers and Paulo Barreto.  The core DES SBOX
+transformation was written by Richard Outerbridge. @code{imath} that
+is used for public key crypto support is written by Michael
+J. Fromberger.
 
 The University of California at Berkeley initially wrote @code{telnet},
 and @code{telnetd}.  The authentication and encryption code of
 @code{telnet} and @code{telnetd} was added by David Borman (then of Cray
 Research, Inc).  The encryption code was removed when this was exported
-and then added back by Juha Eskelinen, @email{esc@@magic.fi}.
+and then added back by Juha Eskelinen.
 
 The @code{popper} was also a Berkeley program initially.
 
 Some of the functions in @file{libroken} also come from Berkeley by way
 of NetBSD/FreeBSD.
 
-@code{editline} was written by Simmule Turner and Rich Salz.
+@code{editline} was written by Simmule Turner and Rich Salz. Heimdal
+contains a modifed copy.
 
 The @code{getifaddrs} implementation for Linux was written by Hideaki
 YOSHIFUJI for the Usagi project.
 
+The @code{pkcs11.h} headerfile was written by the Scute project.
+
 Bugfixes, documentation, encouragement, and code has been contributed by:
 @table @asis
+@item Alexander Boström
+@item Andreaw Bartlett
+@item Björn Sandell
+@item Brandon S. Allbery KF8NH
+@item Brian A May
+@item Chaskiel M Grundman
+@item Cizzi Storm
+@item Daniel Kouril
+@item David Love
 @item Derrick J Brashear
-@email{shadow@@dementia.org}
-@item Ken Hornstein
-@email{kenh@@cmf.nrl.navy.mil}
+@item Douglas E Engert
+@item Frank van der Linden
+@item Jason McIntyre
 @item Johan Ihrén
-@email{johani@@pdc.kth.se}
-@item Love Hörnquist-Åstrand
-@email{lha@@stacken.kth.se}
+@item Jun-ichiro itojun Hagino
+@item Ken Hornstein
 @item Magnus Ahltorp
-@email{map@@stacken.kth.se}
-@item Mark Eichin
-@email{eichin@@cygnus.com}
 @item Marc Horowitz
-@email{marc@@cygnus.com}
-@item Luke Howard
-@email{lukeh@@PADL.COM}
-@item Brandon S. Allbery KF8NH
-@email{allbery@@kf8nh.apk.net}
-@item Jun-ichiro itojun Hagino
-@email{itojun@@kame.net}
-@item Daniel Kouril
-@email{kouril@@informatics.muni.cz}
-@item Åke Sandgren 
-@email{ake@@cs.umu.se}
+@item Mario Strasser
+@item Mark Eichin
+@item Mattias Amnefelt
+@item Michael B Allen
+@item Michael Fromberger
 @item Michal Vocu
-@email{michal@@karlin.mff.cuni.cz}
 @item Miroslav Ruda
-@email{ruda@@ics.muni.cz}
-@item Brian A May
-@email{bmay@@snoopy.apana.org.au}
-@item Chaskiel M Grundman
-@email{cg2v@@andrew.cmu.edu}
+@item Petr Holub
+@item Phil Fisher
+@item Rafal Malinowski
 @item Richard Nyberg
-@email{rnyberg@@it.su.se}
-@item Frank van der Linden
-@email{fvdl@@netbsd.org}
-@item Cizzi Storm
-@email{cizzi@@it.su.se}
+@item Åke Sandgren 
 @item and we hope that those not mentioned here will forgive us.
 @end table
 
diff --git a/crypto/heimdal/doc/apps.texi b/crypto/heimdal/doc/apps.texi
new file mode 100644
index 0000000..9d451b6
--- /dev/null
+++ b/crypto/heimdal/doc/apps.texi
@@ -0,0 +1,244 @@
+@c $Id: apps.texi 22071 2007-11-14 20:04:50Z lha $
+
+@node Applications, Things in search for a better place, Setting up a realm, Top
+
+@chapter Applications
+
+@menu
+* Authentication modules::
+* AFS::
+@end menu
+
+@node  Authentication modules, AFS, Applications, Applications
+@section Authentication modules
+
+The problem of having different authentication mechanisms has been
+recognised by several vendors, and several solutions have appeared. In
+most cases these solutions involve some kind of shared modules that are
+loaded at run-time.  Modules for some of these systems can be found in
+@file{lib/auth}.  Presently there are modules for Digital's SIA,
+and IRIX' @code{login} and @code{xdm} (in
+@file{lib/auth/afskauthlib}).
+
+@menu
+* Digital SIA::                 
+* IRIX::                        
+@end menu
+
+@node Digital SIA, IRIX, Authentication modules, Authentication modules
+@subsection Digital SIA
+
+How to install the SIA module depends on which OS version you're
+running. Tru64 5.0 has a new command, @file{siacfg}, which makes this
+process quite simple. If you have this program, you should just be able
+to run:
+@example
+siacfg -a KRB5 /usr/athena/lib/libsia_krb5.so
+@end example
+
+On older versions, or if you want to do it by hand, you have to do the
+following (not tested by us on Tru64 5.0):
+
+@itemize @bullet
+
+@item
+Make sure @file{libsia_krb5.so} is available in
+@file{/usr/athena/lib}. If @file{/usr/athena} is not on local disk, you
+might want to put it in @file{/usr/shlib} or someplace else. If you do,
+you'll have to edit @file{krb5_matrix.conf} to reflect the new location
+(you will also have to do this if you installed in some other directory
+than @file{/usr/athena}). If you built with shared libraries, you will
+have to copy the shared @file{libkrb.so}, @file{libdes.so},
+@file{libkadm.so}, and @file{libkafs.so} to a place where the loader can
+find them (such as @file{/usr/shlib}).
+@item
+Copy (your possibly edited) @file{krb5_matrix.conf} to @file{/etc/sia}.
+@item
+Apply @file{security.patch} to @file{/sbin/init.d/security}.
+@item
+Turn on KRB5 security by issuing @kbd{rcmgr set SECURITY KRB5} and
+@kbd{rcmgr set KRB5_MATRIX_CONF krb5_matrix.conf}.
+@item
+Digital thinks you should reboot your machine, but that really shouldn't
+be necessary.  It's usually sufficient just to run
+@kbd{/sbin/init.d/security start} (and restart any applications that use
+SIA, like @code{xdm}.)
+@end itemize
+
+Users with local passwords (like @samp{root}) should be able to login
+safely.
+
+When using Digital's xdm the @samp{KRB5CCNAME} environment variable isn't
+passed along as it should (since xdm zaps the environment). Instead you
+have to set @samp{KRB5CCNAME} to the correct value in
+@file{/usr/lib/X11/xdm/Xsession}. Add a line similar to
+@example
+KRB5CCNAME=FILE:/tmp/krb5cc`id -u`_`ps -o ppid= -p $$`; export KRB5CCNAME
+@end example
+If you use CDE, @code{dtlogin} allows you to specify which additional
+environment variables it should export. To add @samp{KRB5CCNAME} to this
+list, edit @file{/usr/dt/config/Xconfig}, and look for the definition of
+@samp{exportList}. You want to add something like:
+@example
+Dtlogin.exportList:     KRB5CCNAME
+@end example
+
+@subsubheading Notes to users with Enhanced security
+
+Digital's @samp{ENHANCED} (C2) security, and Kerberos solve two
+different problems. C2 deals with local security, adds better control of
+who can do what, auditing, and similar things. Kerberos deals with
+network security.
+
+To make C2 security work with Kerberos you will have to do the
+following.
+
+@itemize @bullet
+@item
+Replace all occurrences of @file{krb5_matrix.conf} with
+@file{krb5+c2_matrix.conf} in the directions above.
+@item
+You must enable ``vouching'' in the @samp{default} database.  This will
+make the OSFC2 module trust other SIA modules, so you can login without
+giving your C2 password. To do this use @samp{edauth} to edit the
+default entry @kbd{/usr/tcb/bin/edauth -dd default}, and add a
+@samp{d_accept_alternate_vouching} capability, if not already present.
+@item
+For each user who does @emph{not} have a local C2 password, you should
+set the password expiration field to zero. You can do this for each
+user, or in the @samp{default} table. To do this use @samp{edauth} to
+set (or change) the @samp{u_exp} capability to @samp{u_exp#0}.
+@item
+You also need to be aware that the shipped @file{login}, @file{rcp}, and
+@file{rshd}, don't do any particular C2 magic (such as checking for
+various forms of disabled accounts), so if you rely on those features,
+you shouldn't use those programs. If you configure with
+@samp{--enable-osfc2}, these programs will, however, set the login
+UID. Still: use at your own risk.
+@end itemize
+
+At present @samp{su} does not accept the vouching flag, so it will not
+work as expected.
+
+Also, kerberised ftp will not work with C2 passwords. You can solve this
+by using both Digital's ftpd and our on different ports.
+
+@strong{Remember}, if you do these changes you will get a system that
+most certainly does @emph{not} fulfil the requirements of a C2
+system. If C2 is what you want, for instance if someone else is forcing
+you to use it, you're out of luck.  If you use enhanced security because
+you want a system that is more secure than it would otherwise be, you
+probably got an even more secure system. Passwords will not be sent in
+the clear, for instance.
+
+@node IRIX, , Digital SIA, Authentication modules
+@subsection IRIX
+
+The IRIX support is a module that is compatible with Transarc's
+@file{afskauthlib.so}.  It should work with all programs that use this
+library. This should include @command{login} and @command{xdm}.
+
+The interface is not very documented but it seems that you have to copy
+@file{libkafs.so}, @file{libkrb.so}, and @file{libdes.so} to
+@file{/usr/lib}, or build your @file{afskauthlib.so} statically.
+
+The @file{afskauthlib.so} itself is able to reside in
+@file{/usr/vice/etc}, @file{/usr/afsws/lib}, or the current directory
+(wherever that is).
+
+IRIX 6.4 and newer seem to have all programs (including @command{xdm} and
+@command{login}) in the N32 object format, whereas in older versions they
+were O32. For it to work, the @file{afskauthlib.so} library has to be in
+the same object format as the program that tries to load it. This might
+require that you have to configure and build for O32 in addition to the
+default N32.
+
+Apart from this it should ``just work''; there are no configuration
+files.
+
+Note that recent Irix 6.5 versions (at least 6.5.22) have PAM,
+including a @file{pam_krb5.so} module.  Not all relevant programs use
+PAM, though, e.g.@: @command{ssh}. In particular, for console
+graphical login you need to turn off @samp{visuallogin} and turn on
+@samp{xdm} with @command{chkconfig}.
+
+@node AFS, , Authentication modules, Applications
+@section AFS
+
+@cindex AFS
+AFS is a distributed filesystem that uses Kerberos for authentication.
+
+@cindex OpenAFS
+@cindex Arla
+For more information about AFS see OpenAFS
+@url{http://www.openafs.org/} and Arla
+@url{http://www.stacken.kth.se/projekt/arla/}.
+
+@subsection How to get a KeyFile
+
+@file{ktutil -k AFSKEYFILE:KeyFile get afs@@MY.REALM}
+
+or you can extract it with kadmin
+
+@example
+kadmin> ext -k AFSKEYFILE:/usr/afs/etc/KeyFile afs@@My.CELL.NAME
+@end example
+
+You have to make sure you have a @code{des-cbc-md5} encryption type since that
+is the enctype that will be converted.
+
+@subsection How to convert a srvtab to a KeyFile
+
+You need a @file{/usr/vice/etc/ThisCell} containing the cellname of your
+AFS-cell.
+
+@file{ktutil copy krb4:/root/afs-srvtab AFSKEYFILE:/usr/afs/etc/KeyFile}.
+
+If keyfile already exists, this will add the new key in afs-srvtab to
+KeyFile.
+
+@section Using 2b tokens with AFS
+
+@subsection What is 2b ?
+
+2b is the name of the proposal that was implemented to give basic
+Kerberos 5 support to AFS in rxkad. It's not real Kerberos 5 support
+since it still uses fcrypt for data encryption and not Kerberos
+encryption types.
+
+Its only possible (in all cases) to do this for DES encryption types
+because only then the token (the AFS equivalent of a ticket) will be
+smaller than the maximum size that can fit in the token cache in the
+OpenAFS/Transarc client. It is a so tight fit that some extra wrapping
+on the ASN1/DER encoding is removed from the Kerberos ticket.
+
+2b uses a Kerberos 5 EncTicketPart instead of a Kerberos 4 ditto for
+the part of the ticket that is encrypted with the service's key. The
+client doesn't know what's inside the encrypted data so to the client
+it doesn't matter.
+
+To  differentiate between Kerberos 4 tickets and Kerberos 5 tickets, 2b
+uses a special kvno, 213 for 2b tokens and 255 for Kerberos 5 tokens.
+
+Its a requirement that all AFS servers that support 2b also support
+native Kerberos 5 in rxkad.
+
+@subsection Configuring a Heimdal kdc to use 2b tokens
+
+Support for 2b tokens in the kdc are turned on for specific principals
+by adding them to the string list option @code{[kdc]use_2b} in the
+kdc's @file{krb5.conf} file.
+
+@example
+[kdc]
+	use_2b = @{
+		afs@@SU.SE = yes
+		afs/it.su.se@@SU.SE = yes
+	@}
+@end example
+
+@subsection Configuring AFS clients for 2b support
+
+There is no need to configure AFS clients for 2b support. The only
+software that needs to be installed/upgrade is a Kerberos 5 enabled
+@file{afslog}.
diff --git a/crypto/heimdal/doc/doxytmpl.dxy b/crypto/heimdal/doc/doxytmpl.dxy
new file mode 100644
index 0000000..bb7f25c
--- /dev/null
+++ b/crypto/heimdal/doc/doxytmpl.dxy
@@ -0,0 +1,257 @@
+#---------------------------------------------------------------------------
+# Project related configuration options
+#---------------------------------------------------------------------------
+DOXYFILE_ENCODING      = UTF-8
+CREATE_SUBDIRS         = NO
+OUTPUT_LANGUAGE        = English
+BRIEF_MEMBER_DESC      = YES
+REPEAT_BRIEF           = YES
+ABBREVIATE_BRIEF       = "The $name class " \
+                         "The $name widget " \
+                         "The $name file " \
+                         is \
+                         provides \
+                         specifies \
+                         contains \
+                         represents \
+                         a \
+                         an \
+                         the
+ALWAYS_DETAILED_SEC    = NO
+INLINE_INHERITED_MEMB  = NO
+FULL_PATH_NAMES        = YES
+STRIP_FROM_PATH        = /Applications/
+STRIP_FROM_INC_PATH    = 
+SHORT_NAMES            = NO
+JAVADOC_AUTOBRIEF      = NO
+QT_AUTOBRIEF           = NO
+MULTILINE_CPP_IS_BRIEF = NO
+DETAILS_AT_TOP         = NO
+INHERIT_DOCS           = YES
+SEPARATE_MEMBER_PAGES  = NO
+TAB_SIZE               = 8
+ALIASES                = 
+OPTIMIZE_OUTPUT_FOR_C  = YES
+OPTIMIZE_OUTPUT_JAVA   = NO
+BUILTIN_STL_SUPPORT    = NO
+CPP_CLI_SUPPORT        = NO
+DISTRIBUTE_GROUP_DOC   = NO
+SUBGROUPING            = YES
+#---------------------------------------------------------------------------
+# Build related configuration options
+#---------------------------------------------------------------------------
+EXTRACT_ALL            = NO
+EXTRACT_PRIVATE        = NO
+EXTRACT_STATIC         = NO
+EXTRACT_LOCAL_CLASSES  = YES
+EXTRACT_LOCAL_METHODS  = NO
+EXTRACT_ANON_NSPACES   = NO
+HIDE_UNDOC_MEMBERS     = YES
+HIDE_UNDOC_CLASSES     = YES
+HIDE_FRIEND_COMPOUNDS  = NO
+HIDE_IN_BODY_DOCS      = NO
+INTERNAL_DOCS          = NO
+CASE_SENSE_NAMES       = NO
+HIDE_SCOPE_NAMES       = NO
+SHOW_INCLUDE_FILES     = YES
+INLINE_INFO            = YES
+SORT_MEMBER_DOCS       = YES
+SORT_BRIEF_DOCS        = NO
+SORT_BY_SCOPE_NAME     = NO
+GENERATE_TODOLIST      = YES
+GENERATE_TESTLIST      = YES
+GENERATE_BUGLIST       = YES
+GENERATE_DEPRECATEDLIST= YES
+ENABLED_SECTIONS       = 
+MAX_INITIALIZER_LINES  = 30
+SHOW_USED_FILES        = YES
+SHOW_DIRECTORIES       = NO
+FILE_VERSION_FILTER    = 
+#---------------------------------------------------------------------------
+# configuration options related to warning and progress messages
+#---------------------------------------------------------------------------
+QUIET                  = YES
+WARNINGS               = YES
+WARN_IF_DOC_ERROR      = YES
+WARN_NO_PARAMDOC       = YES
+WARN_FORMAT            = "$file:$line: $text "
+WARN_LOGFILE           = 
+#---------------------------------------------------------------------------
+# configuration options related to the input files
+#---------------------------------------------------------------------------
+INPUT_ENCODING         = UTF-8
+FILE_PATTERNS          = *.c \
+                         *.cc \
+                         *.cxx \
+                         *.cpp \
+                         *.c++ \
+                         *.d \
+                         *.java \
+                         *.ii \
+                         *.ixx \
+                         *.ipp \
+                         *.i++ \
+                         *.inl \
+                         *.h \
+                         *.hh \
+                         *.hxx \
+                         *.hpp \
+                         *.h++ \
+                         *.idl \
+                         *.odl \
+                         *.cs \
+                         *.php \
+                         *.php3 \
+                         *.inc \
+                         *.m \
+                         *.mm \
+                         *.dox \
+                         *.py
+RECURSIVE              = YES
+EXCLUDE                = 
+EXCLUDE_SYMLINKS       = NO
+EXCLUDE_PATTERNS       = */.svn
+EXCLUDE_SYMBOLS        = 
+EXAMPLE_PATH           = 
+EXAMPLE_PATTERNS       = *
+EXAMPLE_RECURSIVE      = NO
+IMAGE_PATH             = 
+INPUT_FILTER           = 
+FILTER_PATTERNS        = 
+FILTER_SOURCE_FILES    = NO
+#---------------------------------------------------------------------------
+# configuration options related to source browsing
+#---------------------------------------------------------------------------
+SOURCE_BROWSER         = NO
+INLINE_SOURCES         = NO
+STRIP_CODE_COMMENTS    = YES
+REFERENCED_BY_RELATION = NO
+REFERENCES_RELATION    = NO
+REFERENCES_LINK_SOURCE = YES
+USE_HTAGS              = NO
+VERBATIM_HEADERS       = NO
+#---------------------------------------------------------------------------
+# configuration options related to the alphabetical class index
+#---------------------------------------------------------------------------
+ALPHABETICAL_INDEX     = NO
+COLS_IN_ALPHA_INDEX    = 5
+IGNORE_PREFIX          = 
+#---------------------------------------------------------------------------
+# configuration options related to the HTML output
+#---------------------------------------------------------------------------
+GENERATE_HTML          = YES
+HTML_OUTPUT            = html
+HTML_FILE_EXTENSION    = .html
+HTML_STYLESHEET        = 
+HTML_ALIGN_MEMBERS     = YES
+GENERATE_HTMLHELP      = NO
+HTML_DYNAMIC_SECTIONS  = NO
+CHM_FILE               = 
+HHC_LOCATION           = 
+GENERATE_CHI           = NO
+BINARY_TOC             = NO
+TOC_EXPAND             = NO
+DISABLE_INDEX          = NO
+ENUM_VALUES_PER_LINE   = 4
+GENERATE_TREEVIEW      = NO
+TREEVIEW_WIDTH         = 250
+#---------------------------------------------------------------------------
+# configuration options related to the LaTeX output
+#---------------------------------------------------------------------------
+GENERATE_LATEX         = NO
+LATEX_OUTPUT           = latex
+LATEX_CMD_NAME         = latex
+MAKEINDEX_CMD_NAME     = makeindex
+COMPACT_LATEX          = NO
+PAPER_TYPE             = a4wide
+EXTRA_PACKAGES         = 
+LATEX_HEADER           = 
+PDF_HYPERLINKS         = NO
+USE_PDFLATEX           = NO
+LATEX_BATCHMODE        = NO
+LATEX_HIDE_INDICES     = NO
+#---------------------------------------------------------------------------
+# configuration options related to the RTF output
+#---------------------------------------------------------------------------
+GENERATE_RTF           = NO
+RTF_OUTPUT             = rtf
+COMPACT_RTF            = NO
+RTF_HYPERLINKS         = NO
+RTF_STYLESHEET_FILE    = 
+RTF_EXTENSIONS_FILE    = 
+#---------------------------------------------------------------------------
+# configuration options related to the man page output
+#---------------------------------------------------------------------------
+GENERATE_MAN           = YES
+MAN_OUTPUT             = man
+MAN_EXTENSION          = .3
+MAN_LINKS              = YES
+#---------------------------------------------------------------------------
+# configuration options related to the XML output
+#---------------------------------------------------------------------------
+GENERATE_XML           = NO
+XML_OUTPUT             = xml
+XML_SCHEMA             = 
+XML_DTD                = 
+XML_PROGRAMLISTING     = YES
+#---------------------------------------------------------------------------
+# configuration options for the AutoGen Definitions output
+#---------------------------------------------------------------------------
+GENERATE_AUTOGEN_DEF   = NO
+#---------------------------------------------------------------------------
+# configuration options related to the Perl module output
+#---------------------------------------------------------------------------
+GENERATE_PERLMOD       = NO
+PERLMOD_LATEX          = NO
+PERLMOD_PRETTY         = YES
+PERLMOD_MAKEVAR_PREFIX = 
+#---------------------------------------------------------------------------
+# Configuration options related to the preprocessor   
+#---------------------------------------------------------------------------
+ENABLE_PREPROCESSING   = YES
+MACRO_EXPANSION        = NO
+EXPAND_ONLY_PREDEF     = NO
+SEARCH_INCLUDES        = YES
+INCLUDE_PATH           = 
+INCLUDE_FILE_PATTERNS  = 
+PREDEFINED             = 
+EXPAND_AS_DEFINED      = 
+SKIP_FUNCTION_MACROS   = YES
+#---------------------------------------------------------------------------
+# Configuration::additions related to external references   
+#---------------------------------------------------------------------------
+TAGFILES               = 
+GENERATE_TAGFILE       = 
+ALLEXTERNALS           = NO
+EXTERNAL_GROUPS        = YES
+#---------------------------------------------------------------------------
+# Configuration options related to the dot tool   
+#---------------------------------------------------------------------------
+CLASS_DIAGRAMS         = NO
+MSCGEN_PATH            = /Applications/Doxygen.app/Contents/Resources/
+HIDE_UNDOC_RELATIONS   = YES
+HAVE_DOT               = YES
+CLASS_GRAPH            = YES
+COLLABORATION_GRAPH    = YES
+GROUP_GRAPHS           = YES
+UML_LOOK               = NO
+TEMPLATE_RELATIONS     = NO
+INCLUDE_GRAPH          = YES
+INCLUDED_BY_GRAPH      = YES
+CALL_GRAPH             = NO
+CALLER_GRAPH           = NO
+GRAPHICAL_HIERARCHY    = YES
+DIRECTORY_GRAPH        = YES
+DOT_IMAGE_FORMAT       = png
+DOT_PATH               = /Applications/Doxygen.app/Contents/Resources/
+DOTFILE_DIRS           = 
+DOT_GRAPH_MAX_NODES    = 50
+MAX_DOT_GRAPH_DEPTH    = 1000
+DOT_TRANSPARENT        = NO
+DOT_MULTI_TARGETS      = NO
+GENERATE_LEGEND        = YES
+DOT_CLEANUP            = YES
+#---------------------------------------------------------------------------
+# Configuration::additions related to the search engine   
+#---------------------------------------------------------------------------
+SEARCHENGINE           = NO
diff --git a/crypto/heimdal/doc/hcrypto.din b/crypto/heimdal/doc/hcrypto.din
new file mode 100644
index 0000000..55f1ed7
--- /dev/null
+++ b/crypto/heimdal/doc/hcrypto.din
@@ -0,0 +1,15 @@
+# Doxyfile 1.5.3
+
+PROJECT_NAME           = "Heimdal crypto library"
+PROJECT_NUMBER         = @PACKAGE_VERSION@
+OUTPUT_DIRECTORY       = @objdir@/hcrypto
+INPUT                  = @srcdir@/../lib/hcrypto
+
+WARN_IF_UNDOCUMENTED   = YES
+
+PERL_PATH              = /usr/bin/perl
+
+HTML_HEADER = "@srcdir@/header.html"
+HTML_FOOTER = "@srcdir@/footer.html"
+
+@INCLUDE = "@srcdir@/doxytmpl.dxy"
diff --git a/crypto/heimdal/doc/heimdal.css b/crypto/heimdal/doc/heimdal.css
new file mode 100644
index 0000000..2e5b374
--- /dev/null
+++ b/crypto/heimdal/doc/heimdal.css
@@ -0,0 +1,53 @@
+body {
+	color: black;
+	background-color: #fdfdfd;
+	font-family: serif;
+	max-width: 40em;
+}
+h1, h2, h3 {
+	font-family: sans-serif;
+	font-weight: bold;
+}
+h1 {
+    padding: 0.5em 0 0.5em 5%;
+    color: white;
+    background: #3366cc;
+    border-bottom: solid 1px black;
+}
+h1 {
+	font-size: 200%;
+}
+h2 {
+	font-size: 150%;
+}
+h3 {
+	font-size: 120%;
+}
+h4 {
+	font-weight: bold;
+}
+pre.example {
+	margin-left: 2em;
+	padding: 1em 0em;
+	border: 2px dashed #c0c0c0;
+	background: #f0f0f0;
+}
+a:link {
+  color: blue;
+  text-decoration: none;
+}
+a:visited {
+  color: red;
+  text-decoration: none
+}
+a:hover {
+  text-decoration: underline
+}
+span.literal {
+	font-family: monospace;
+}
+hr {
+	border-style: none;
+	background-color: black;
+	height: 1px;
+}
diff --git a/crypto/heimdal/doc/heimdal.texi b/crypto/heimdal/doc/heimdal.texi
index 6bc92a9..1b999d3 100644
--- a/crypto/heimdal/doc/heimdal.texi
+++ b/crypto/heimdal/doc/heimdal.texi
@@ -1,6 +1,6 @@
 \input texinfo @c -*- texinfo -*-
 @c %**start of header
-@c $Id: heimdal.texi,v 1.17 2001/02/24 05:09:24 assar Exp $
+@c $Id: heimdal.texi 22191 2007-12-06 17:26:30Z lha $
 @setfilename heimdal.info
 @settitle HEIMDAL
 @iftex
@@ -14,13 +14,14 @@
 @syncodeindex pg cp
 @c %**end of header
 
-@c not yet @include version.texi
-@set UPDATED $Date: 2001/02/24 05:09:24 $
-@set EDITION 0.1
-@set VERSION 0.3a
+@include vars.texi
+
+@set UPDATED $Date: 2007-12-06 09:26:30 -0800 (Tor, 06 Dec 2007) $
+@set VERSION @value{PACKAGE_VERSION}
+@set EDITION 1.0
 
 @ifinfo
-@dircategory Heimdal
+@dircategory Security
 @direntry
 * Heimdal: (heimdal).           The Kerberos 5 distribution from KTH
 @end direntry
@@ -31,8 +32,9 @@
 @title Heimdal
 @subtitle Kerberos 5 from KTH
 @subtitle Edition @value{EDITION}, for version @value{VERSION}
-@subtitle 1999
+@subtitle 2007
 @author Johan Danielsson
+@author Love Hörnquist Åstrand
 @author Assar Westerlund
 @author last updated @value{UPDATED}
 
@@ -41,7 +43,7 @@
 @def@copyrightend{}
 @page
 @copyrightstart
-Copyright (c) 1997-2000 Kungliga Tekniska Högskolan 
+Copyright (c) 1997-2007 Kungliga Tekniska Högskolan 
 (Royal Institute of Technology, Stockholm, Sweden).
 All rights reserved.
 
@@ -74,52 +76,6 @@ SUCH DAMAGE.
 
 @copynext
 
-Copyright (C) 1995-1997 Eric Young (eay@@mincom.oz.au)
-All rights reserved.
-
-This package is an DES implementation written by Eric Young (eay@@mincom.oz.au).
-The implementation was written so as to conform with MIT's libdes.
-
-This library is free for commercial and non-commercial use as long as
-the following conditions are aheared to.  The following conditions
-apply to all code found in this distribution.
-
-Copyright remains Eric Young's, and as such any Copyright notices in
-the code are not to be removed.
-If this package is used in a product, Eric Young should be given attribution
-as the author of that the SSL library.  This can be in the form of a textual
-message at program startup or in documentation (online or textual) provided
-with the package.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-
-1. Redistributions of source code must retain the copyright
-   notice, this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-
-3. All advertising materials mentioning features or use of this software
-   must display the following acknowledgement:
-   This product includes software developed by Eric Young (eay@@mincom.oz.au)
-
-THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
-@copynext
-
 Copyright (C) 1990 by the Massachusetts Institute of Technology
 
 Export of this software from the United States of America may
@@ -154,12 +110,7 @@ are met:
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.
 
-3. All advertising materials mentioning features or use of this software
-   must display the following acknowledgement:
-     This product includes software developed by the University of
-     California, Berkeley and its contributors.
-
-4. Neither the name of the University nor the names of its contributors
+3. Neither the name of the University nor the names of its contributors
    may be used to endorse or promote products derived from this software
    without specific prior written permission.
 
@@ -199,9 +150,115 @@ to the following restrictions:
 
 4. This notice may not be removed or altered.
 
+@copynext
+
+IMath is Copyright 2002-2005 Michael J. Fromberger
+You may use it subject to the following Licensing Terms:
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+@copynext
+
+Copyright (c) 2005 Doug Rabson
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+@copynext
+
+Copyright (c) 2005 Marko Kreen
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+       notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.	IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+@copynext
+
+Copyright (c) 2006,2007
+NTT (Nippon Telegraph and Telephone Corporation) . All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+  notice, this list of conditions and the following disclaimer as
+  the first lines of this file unmodified.
+2. Redistributions in binary form must reproduce the above copyright
+  notice, this list of conditions and the following disclaimer in the
+  documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY NTT ``AS IS'' AND ANY EXPRESS OR
+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL NTT BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 @copyrightend
 @end titlepage
 
+@macro manpage{man, section}
+@cite{\man\(\section\)}
+@end macro
+
 @c Less filling! Tastes great!
 @iftex
 @parindent=0pt
@@ -214,29 +271,92 @@ to the following restrictions:
 @paragraphindent 0
 @end ifinfo
 
-@ifinfo
+@ifnottex
 @node Top, Introduction, (dir), (dir)
 @top Heimdal
-@end ifinfo
+@end ifnottex
+
+This manual is last updated @value{UPDATED} for version
+@value{VERSION} of Heimdal.
 
 @menu
 * Introduction::                
 * What is Kerberos?::           
 * Building and Installing::     
 * Setting up a realm::          
+* Applications::                
 * Things in search for a better place::  
 * Kerberos 4 issues::           
-* Windows 2000 compatability::
-* Programming with Kerberos::
-* Migration::
+* Windows 2000 compatability::  
+* Programming with Kerberos::   
+* Migration::                   
 * Acknowledgments::             
 
+@detailmenu
+ --- The Detailed Node Listing ---
+
+Setting up a realm
+
+* Configuration file::          
+* Creating the database::       
+* Modifying the database::      
+* keytabs::                     
+* Serving Kerberos 4/524/kaserver::  
+* Remote administration::       
+* Password changing::           
+* Testing clients and servers::  
+* Slave Servers::               
+* Incremental propagation::     
+* Encryption types and salting::                     
+* Cross realm::                 
+* Transit policy::              
+* Setting up DNS::              
+* Using LDAP to store the database::  
+* Providing Kerberos credentials to servers and programs::  
+* Setting up PK-INIT::
+
+Applications
+
+* Authentication modules::      
+* AFS::                         
+
+Authentication modules
+
+* Digital SIA::                 
+* IRIX::                        
+
+Kerberos 4 issues
+
+* Principal conversion issues::  
+* Converting a version 4 database::  
+* kaserver::                    
+
+Windows 2000 compatability
+
+* Configuring Windows 2000 to use a Heimdal KDC::  
+* Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC::  
+* Create account mappings::     
+* Encryption types::            
+* Authorisation data::          
+* Quirks of Windows 2000 KDC::  
+* Useful links when reading about the Windows 2000::  
+
+Programming with Kerberos
+
+* Kerberos 5 API Overview::     
+* Walkthrough of a sample Kerberos 5 client::  
+* Validating a password in a server application::  
+* API differences to MIT Kerberos::  
+* File formats::
+
+@end detailmenu
 @end menu
 
 @include intro.texi
 @include whatis.texi
 @include install.texi
 @include setup.texi
+@include apps.texi
 @include misc.texi
 @include kerberos4.texi
 @include win2k.texi
diff --git a/crypto/heimdal/doc/hx509.din b/crypto/heimdal/doc/hx509.din
new file mode 100644
index 0000000..e28429f
--- /dev/null
+++ b/crypto/heimdal/doc/hx509.din
@@ -0,0 +1,15 @@
+# Doxyfile 1.5.3
+
+PROJECT_NAME           = Heimdal x509 library
+PROJECT_NUMBER         = @PACKAGE_VERSION@
+OUTPUT_DIRECTORY       = @objdir@/hx509
+INPUT                  = @srcdir@/../lib/hx509
+
+WARN_IF_UNDOCUMENTED   = YES
+
+PERL_PATH              = /usr/bin/perl
+
+HTML_HEADER = "@srcdir@/header.html"
+HTML_FOOTER = "@srcdir@/footer.html"
+
+@INCLUDE = "@srcdir@/doxytmpl.dxy"
diff --git a/crypto/heimdal/doc/hx509.texi b/crypto/heimdal/doc/hx509.texi
new file mode 100644
index 0000000..dbb5261
--- /dev/null
+++ b/crypto/heimdal/doc/hx509.texi
@@ -0,0 +1,633 @@
+\input texinfo @c -*- texinfo -*-
+@c %**start of header
+@c $Id: hx509.texi 22071 2007-11-14 20:04:50Z lha $
+@setfilename hx509.info
+@settitle HX509
+@iftex
+@afourpaper
+@end iftex
+@c some sensible characters, please?
+@tex
+\input latin1.tex
+@end tex
+@setchapternewpage on
+@syncodeindex pg cp
+@c %**end of header
+
+@set UPDATED $Date: 2007-11-14 12:04:50 -0800 (Ons, 14 Nov 2007) $
+@set VERSION 1.0
+@set EDITION 1.0
+
+@ifinfo
+@dircategory Security
+@direntry
+* hx509: (hx509).           The X.509 distribution from KTH
+@end direntry
+@end ifinfo
+
+@c title page
+@titlepage
+@title HX509
+@subtitle X.509 distribution from KTH
+@subtitle Edition @value{EDITION}, for version @value{VERSION}
+@subtitle 2007
+@author Love Hörnquist Åstrand
+@author last updated @value{UPDATED}
+
+@def@copynext{@vskip 20pt plus 1fil@penalty-1000}
+@def@copyrightstart{}
+@def@copyrightend{}
+@page
+@copyrightstart
+Copyright (c) 1994-2007 Kungliga Tekniska Högskolan
+(Royal Institute of Technology, Stockholm, Sweden).
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+3. Neither the name of the Institute nor the names of its contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+@copynext
+
+Copyright (C) 1990 by the Massachusetts Institute of Technology
+
+Export of this software from the United States of America may
+require a specific license from the United States Government.
+It is the responsibility of any person or organization contemplating
+export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+@copynext
+
+Copyright (c) 1988, 1990, 1993
+     The Regents of the University of California.  All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+3. Neither the name of the University nor the names of its contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+@copynext
+
+Copyright 1992 Simmule Turner and Rich Salz.  All rights reserved.
+
+This software is not subject to any license of the American Telephone
+and Telegraph Company or of the Regents of the University of California.
+
+Permission is granted to anyone to use this software for any purpose on
+any computer system, and to alter it and redistribute it freely, subject
+to the following restrictions:
+
+1. The authors are not responsible for the consequences of use of this
+   software, no matter how awful, even if they arise from flaws in it.
+
+2. The origin of this software must not be misrepresented, either by
+   explicit claim or by omission.  Since few users ever read sources,
+   credits must appear in the documentation.
+
+3. Altered versions must be plainly marked as such, and must not be
+   misrepresented as being the original software.  Since few users
+   ever read sources, credits must appear in the documentation.
+
+4. This notice may not be removed or altered.
+
+@copynext
+
+IMath is Copyright 2002-2005 Michael J. Fromberger
+You may use it subject to the following Licensing Terms:
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+@copyrightend
+@end titlepage
+
+@macro manpage{man, section}
+@cite{\man\(\section\)}
+@end macro
+
+@c Less filling! Tastes great!
+@iftex
+@parindent=0pt
+@global@parskip 6pt plus 1pt
+@global@chapheadingskip = 15pt plus 4pt minus 2pt
+@global@secheadingskip = 12pt plus 3pt minus 2pt
+@global@subsecheadingskip = 9pt plus 2pt minus 2pt
+@end iftex
+@ifinfo
+@paragraphindent 0
+@end ifinfo
+
+@ifnottex
+@node Top, Introduction, (dir), (dir)
+@top Heimdal
+@end ifnottex
+
+This manual is last updated @value{UPDATED} for version
+@value{VERSION} of hx509.
+
+@menu
+* Introduction::
+* What is X.509 ?::
+* Setting up a CA::
+* CMS signing and encryption::
+
+@detailmenu
+ --- The Detailed Node Listing ---
+
+Setting up a CA
+
+@c * Issuing certificates::
+* Creating a CA certificate::
+* Issuing certificates::
+* Issuing CRLs::
+@c * Issuing a proxy certificate::
+@c * Creating a user certificate::
+@c * Validating a certificate::
+@c * Validating a certificate path::
+* Application requirements::
+
+CMS signing and encryption
+
+* CMS background::
+
+@end detailmenu
+@end menu
+
+@node Introduction, What is X.509 ?, Top, Top
+@chapter Introduction
+
+hx509 is a somewhat complete X.509 stack that can handle CMS messages
+(crypto system used in S/MIME and Kerberos PK-INIT) and basic
+certificate processing tasks, path construction, path validation, OCSP
+and CRL validation, PKCS10 message construction, CMS Encrypted (shared
+secret encrypted), CMS SignedData (certificate signed), and CMS
+EnvelopedData (certificate encrypted).
+
+hx509 can use PKCS11 tokens, PKCS12 files, PEM files, DER encoded files.
+
+@node What is X.509 ?, Setting up a CA, Introduction, Top
+@chapter What is X.509, PKIX, PKCS7 and CMS ? 
+
+X.509 is from the beginning created by CCITT (later ITU) for the X.500
+directory service. But today when people are talking about X.509 they
+are commonly referring to IETF's PKIX Certificate and CRL Profile of the
+X.509 v3 certificate standard, as specified in RFC 3280.
+
+ITU continues to develop the X.509 standard together in a complicated
+dance with IETF.
+
+X.509 is public key based security system that have associated data
+stored within a so called certificate. From the beginning X.509 was a
+strict hierarchical system with one root. This didn't not work so over
+time X.509 got support for multiple policy roots, bridges, and mesh
+solutions. You can even use it as a peer to peer system, but this is not
+very common.
+
+@section Type of certificates
+
+There are several flavors of certificate in X.509.
+
+@itemize @bullet
+
+@item Trust anchors
+
+Trust anchors are strictly not certificate, but commonly stored in
+certificate since they are easier to handle then. Trust anchor are the
+keys that you trust to validate other certificate. This is done by
+building a path from the certificate you wan to validate to to any of
+the trust anchors you have.
+
+@item End Entity (EE) certificates
+
+End entity certificates is the most common type of certificate. End
+entity certificates can't issue certificate them-self and is used to
+authenticate and authorize user and services.
+
+@item Certification Authority (CA) certificates
+
+Certificate authority are certificates that have the right to issue
+other certificate, they may be End entity certificates or Certificate
+Authority certificates. There is no limit to how many certificates a CA
+may issue, but there might other restrictions, like the maximum path
+depth.
+
+@item Proxy certificates
+
+Remember that End Entity can't issue certificates by them own, it's not
+really true. There there is an extension called proxy certificates,
+defined in RFC3820, that allows certificates to be issued by end entity
+certificates. The service that receives the proxy certificates must have
+explicitly turned on support for proxy certificates, so their use is
+somewhat limited.
+
+Proxy certificates can be limited by policy stored in the certificate to
+what they can be used for. This allows users to delegate the proxy
+certificate to services (by sending over the certificate and private
+key) so the service can access services on behalf of the user.
+
+One example of this would be a print service. The user wants to print a
+large job in the middle of the night when the printer isn't used that
+much, so the user creates a proxy certificate with the policy that it
+can only be used to access files related to this print job, creates the
+print job description and send both the description and proxy
+certificate with key over to print service. Later at night will the
+print service, without the help of the user, access the files for the
+the print job using the proxy certificate and print the job. Because of
+the policy (limitation) in the proxy certificate, it can't be used for
+any other purposes.
+
+@end itemize
+
+@section Building a path
+
+Before validating a path the path must be constructed. Given a
+certificate (EE, CA, Proxy, or any other type), the path construction
+algorithm will try to find a path to one of the trust anchors.
+
+It start with looking at whom issued the certificate, by name or Key
+Identifier, and tries to find that certificate while at the same time
+evaluates the policy.
+
+@node Setting up a CA, Creating a CA certificate, What is X.509 ?, Top
+@chapter Setting up a CA
+
+Do not let this chapter scare you off, it's just to give you an idea how
+to complicated setting up a CA can be. If you are just playing around,
+skip all this and go to the next chapter, @pxref{Creating a CA
+certificate}.
+
+Creating a CA certificate should be more the just creating a
+certificate, there is the policy of the CA. If it's just you and your
+friend that is playing around then it probably doesn't matter what the
+policy is. But then it comes to trust in an organisation, it will
+probably matter more whom your users and sysadmins will find it
+acceptable to trust.
+
+At the same time, try to keep thing simple, it's not very hard to run a
+Certificate authority and the process to get new certificates should
+simple.
+
+Fill all this in later.
+
+How do you trust your CA.
+
+What is the CA responsibility.
+
+Review of CA activity.
+
+How much process should it be to issue certificate.
+
+Who is allowed to issue certificates.
+
+Who is allowed to requests certificates.
+
+How to handle certificate revocation, issuing CRLs and maintain OCSP
+services.
+
+@node Creating a CA certificate, Issuing certificates, Setting up a CA, Top
+@section Creating a CA certificate
+
+This section describes how to create a CA certificate and what to think
+about.
+
+@subsection Lifetime CA certificate
+
+You probably want to create a CA certificate with a long lifetime, 10
+years at the shortest. This because you don't want to push out the
+certificate (as a trust anchor) to all you users once again when the old
+one just expired. A trust anchor can't really expire, but not all
+software works that way.
+
+Keep in mind the security requirements might be different 10-20 years
+into the future. For example, SHA1 is going to be withdrawn in 2010, so
+make sure you have enough buffering in your choice of digest/hash
+algorithms, signature algorithms and key lengths.
+
+@subsection Create a CA certificate
+
+This command below will create a CA certificate in the file ca.pem.
+
+@example
+hxtool issue-certificate \
+    --self-signed \
+    --issue-ca \
+    --generate-key=rsa \
+    --subject="CN=CertificateAuthority,DC=test,DC=h5l,DC=se" \
+    --lifetime=10years \
+    --certificate="FILE:ca.pem"
+@end example
+
+@subsection Extending lifetime of a CA certificate
+
+You just realised that your CA certificate is going to expire soon and
+that you need replace it with something else, the easiest way to do that
+is to extend the lifetime of your CA certificate.
+
+The example below will extend the CA certificate 10 years into the
+future. You should compare this new certificate if it contains all the
+special tweaks as the old certificate had.
+
+@example
+hxtool issue-certificate \
+    --self-signed \
+    --issue-ca \
+    --lifetime="10years" \
+    --template-certificate="FILE:ca.pem" \
+    --template-fields="serialNumber,notBefore,subject,SPKI" \
+    --ca-private-key=FILE:ca.pem \
+    --certificate="FILE:new-ca.pem"
+@end example
+
+@subsection Subordinate CA
+
+This example create a new subordinate certificate authority.
+
+@example
+hxtool issue-certificate \
+    --ca-certificate=FILE:ca.pem \
+    --issue-ca \
+    --generate-key=rsa \
+    --subject="CN=CertificateAuthority,DC=dev,DC=test,DC=h5l,DC=se" \
+    --certificate="FILE:dev-ca.pem"
+@end example
+
+
+@node Issuing certificates, Issuing CRLs, Creating a CA certificate, Top
+@section Issuing certificates
+
+First you'll create a CA certificate, after that you have to deal with
+your users and servers and issue certificate to them.
+
+CA can generate the key for the user.
+
+Can receive PKCS10 certificate requests from the users. PKCS10 is a
+request for a certificate. The user can specified what DN the user wants
+and what public key. To prove the user have the key, the whole request
+is signed by the private key of the user.
+
+@subsection Name space management
+
+What people might want to see.
+
+Re-issue certificates just because people moved within the organization.
+
+Expose privacy information.
+
+Using Sub-component name (+ notation).
+
+@subsection Certificate Revocation, CRL and OCSP
+
+Sonetimes people loose smartcard or computers and certificates have to
+be make not valid any more, this is called revoking certificates. There
+are two main protocols for doing this Certificate Revocations Lists
+(CRL) and Online Certificate Status Protocol (OCSP).
+
+If you know that the certificate is destroyed then there is no need to
+revoke the certificate because it can not be used by someone else.
+
+The main reason you as a CA administrator have to deal with CRLs however
+will be that some software require there to be CRLs. Example of this is
+Windows, so you have to deal with this somehow.
+
+@node Issuing CRLs, Application requirements, Issuing certificates, Top
+@section Issuing CRLs
+
+Create an empty CRL with not certificates revoked. Default expiration
+value is one year from now.
+
+@example
+hxtool crl-sign \
+	--crl-file=crl.der \
+	--signer=FILE:ca.pem
+@end example
+
+Create a CRL with all certificates in the directory
+@file{/path/to/revoked/dir} included in the CRL as revoked.  Also make
+it expire one month from now.
+
+@example
+hxtool crl-sign \
+	--crl-file=crl.der \
+        --signer=FILE:ca.pem \
+	--lifetime='1 month' \
+        DIR:/path/to/revoked/dir
+@end example
+
+@node Application requirements, CMS signing and encryption, Issuing CRLs, Top
+@section Application requirements
+
+Application have different requirements on certificates. This section
+tries to expand what they are and how to use hxtool to generate
+certificates for those services.
+
+@subsection HTTPS - server
+
+@example
+hxtool issue-certificate \
+	  --subject="CN=www.test.h5l.se,DC=test,DC=h5l,DC=se" \
+	  --type="https-server" \
+          --hostname="www.test.h5l.se" \
+          --hostname="www2.test.h5l.se" \
+          ...
+@end example
+
+@subsection HTTPS - client
+
+@example
+hxtool issue-certificate \
+	  --subject="UID=testus,DC=test,DC=h5l,DC=se" \
+	  --type="https-client" \
+          ...
+@end example
+
+@subsection S/MIME - email
+
+There are two things that should be set in S/MIME certificates, one or
+more email addresses and an extended eku usage (EKU), emailProtection.
+
+The email address format used in S/MIME certificates is defined in
+RFC2822, section 3.4.1 and it should be an ``addr-spec''.
+
+There are two ways to specifify email address in certificates. The old
+ways is in the subject distinguished name, this should not be used. The
+new way is using a Subject Alternative Name (SAN).
+
+But even though email address is stored in certificates, they don't need
+to, email reader programs are required to accept certificates that
+doesn't have either of the two methods of storing email in certificates.
+In that case, they try to protect the user by printing the name of the
+certificate instead.
+
+S/MIME certificate can be used in another special way. They can be
+issued with a NULL subject distinguished name plus the email in SAN,
+this is a valid certificate. This is used when you wont want to share
+more information then you need to.
+
+hx509 issue-certificate supports adding the email SAN to certificate by
+using the --email option, --email also gives an implicit emailProtection
+eku. If you want to create an certificate without an email address, the
+option --type=email will add the emailProtection EKU.
+
+@example
+hxtool issue-certificate \
+	  --subject="UID=testus-email,DC=test,DC=h5l,DC=se" \
+	  --type=email \
+	  --email="testus@@test.h5l.se" \
+          ...
+@end example
+
+An example of an certificate without and subject distinguished name with
+an email address in a SAN.
+
+@example
+hxtool issue-certificate \
+	  --subject="" \
+	  --type=email \
+	  --email="testus@@test.h5l.se" \
+          ...
+@end example
+
+@subsection PK-INIT
+
+How to create a certificate for a KDC.
+
+@example
+hxtool issue-certificate \
+    --type="pkinit-kdc" \
+    --pk-init-principal="krbtgt/TEST.H5L.SE@@TEST.H5L.SE" \
+    --hostname kerberos.test.h5l.se \
+    --hostname pal.test.h5l.se \
+    ...
+@end example
+
+How to create a certificate for a user.
+
+@example
+hxtool issue-certificate \
+    --type="pkinit-client" \
+    --pk-init-principal="user@@TEST.H5L.SE" \
+    ...
+@end example
+
+@subsection XMPP/Jabber
+
+The jabber server certificate should have a dNSname that is the same as
+the user entered into the application, not the same as the host name of
+the machine.
+
+@example
+hxtool issue-certificate \
+	  --subject="CN=xmpp1.test.h5l.se,DC=test,DC=h5l,DC=se" \
+          --hostname="xmpp1.test.h5l.se" \
+          --hostname="test.h5l.se" \
+          ...
+@end example
+
+The certificate may also contain a jabber identifier (JID) that, if the
+receiver allows it, authorises the server or client to use that JID.
+
+When storing a JID inside the certificate, both for server and client,
+it's stored inside a UTF8String within an otherName entity inside the
+subjectAltName, using the OID id-on-xmppAddr (1.3.6.1.5.5.7.8.5).
+
+To read more about the requirements, see RFC3920, Extensible Messaging
+and Presence Protocol (XMPP): Core.
+
+hxtool issue-certificate have support to add jid to the certificate
+using the option @kbd{--jid}.
+
+@example
+hxtool issue-certificate \
+	  --subject="CN=Love,DC=test,DC=h5l,DC=se" \
+          --jid="lha@@test.h5l.se" \
+          ...
+@end example
+
+
+@node CMS signing and encryption, CMS background, Application requirements, Top
+@chapter CMS signing and encryption
+
+CMS is the Cryptographic Message System that among other, is used by
+S/MIME (secure email) and Kerberos PK-INIT. It's an extended version of
+the RSA, Inc standard PKCS7.
+
+@node CMS background, , CMS signing and encryption, Top
+@section CMS background
+
+
+@c @shortcontents
+@contents
+
+@bye
diff --git a/crypto/heimdal/doc/init-creds b/crypto/heimdal/doc/init-creds
index 13667e0..8892d29 100644
--- a/crypto/heimdal/doc/init-creds
+++ b/crypto/heimdal/doc/init-creds
@@ -93,7 +93,7 @@ and will not be doing any other kerberos functions, then a NULL
 pointer may be specified, and the credential will be destroyed.
 
 If the client name is non-NULL, the initial ticket requested will be
-for that principal.  Otherwise, the principal will be the the username
+for that principal.  Otherwise, the principal will be the username
 specified by the USER environment variable, or if the USER environment
 variable is not set, the username corresponding to the real user id of
 the caller.
diff --git a/crypto/heimdal/doc/install.texi b/crypto/heimdal/doc/install.texi
index d12ace9..3d4b78d 100644
--- a/crypto/heimdal/doc/install.texi
+++ b/crypto/heimdal/doc/install.texi
@@ -1,4 +1,4 @@
-@c $Id: install.texi,v 1.18 2002/09/04 03:18:48 assar Exp $
+@c $Id: install.texi 16768 2006-02-27 12:26:49Z joda $
 
 @node Building and Installing, Setting up a realm, What is Kerberos?, Top
 @comment  node-name,  next,  previous,  up
@@ -35,7 +35,7 @@ install}. The default location for installation is @file{/usr/heimdal},
 but this can be changed by running @code{configure} with
 @samp{--prefix=/some/other/place}.
 
-If you need to change the default behavior, configure understands the
+If you need to change the default behaviour, configure understands the
 following options:
 
 @table @asis
@@ -46,9 +46,10 @@ instead, you can use this option.
 @item @kbd{--with-krb4=@file{dir}}
 Gives the location of Kerberos 4 libraries and headers. This enables
 Kerberos 4 support in the applications (telnet, rsh, popper, etc) and
-the KDC. It is automatically check for in @file{/usr/athena}. If you
-keep libraries and headers in different places, you can instead give the
-path to each with the @kbd{--with-krb4-lib=@file{dir}}, and
+the KDC. It is automatically found if present under
+@file{/usr/athena}.  If you keep libraries and headers in different
+places, you can instead give the path to each with the
+@kbd{--with-krb4-lib=@file{dir}}, and
 @kbd{--with-krb4-include=@file{dir}} options.
 
 You will need a fairly recent version of our Kerberos 4 distribution for
@@ -84,7 +85,7 @@ Disable the IPv6 support.
 @item @kbd{--with-openldap}
 Compile Heimdal with support for storing the database in LDAP.  Requires
 OpenLDAP @url{http://www.openldap.org}.  See
-@url{http://www.padl.com/~lukeh/heimdal/} for more information.
+@url{http://www.padl.com/Research/Heimdal.html} for more information.
 
 @item @kbd{--enable-bigendian}
 @item @kbd{--enable-littleendian}
diff --git a/crypto/heimdal/doc/intro.texi b/crypto/heimdal/doc/intro.texi
index c190fe2..e1a96e1 100644
--- a/crypto/heimdal/doc/intro.texi
+++ b/crypto/heimdal/doc/intro.texi
@@ -1,4 +1,4 @@
-@c $Id: intro.texi,v 1.13 2003/03/15 13:42:16 lha Exp $
+@c $Id: intro.texi 22509 2008-01-23 18:28:01Z lha $
 
 @node Introduction, What is Kerberos?, Top, Top
 @c @node Introduction, What is Kerberos?, Top, Top
@@ -14,7 +14,8 @@ Heimdal is a free implementation of Kerberos 5. The goals are to:
 have an implementation that can be freely used by anyone
 @item
 be protocol compatible with existing implementations and, if not in
-conflict, with RFC 1510 (and any future updated RFC)
+conflict, with RFC 4120 (and any future updated RFC). RFC 4120
+replaced RFC 1510.
 @item
 be reasonably compatible with the M.I.T Kerberos V5 API
 @item
@@ -39,10 +40,7 @@ stuff
 a @code{libkrb5} library that should be possible to get to work with
 simple applications
 @item
-a GSS-API library that should have all the important functions for
-building applications
-@item
-Eric Young's @file{libdes}
+a GSS-API library
 @item
 @file{kinit}, @file{klist}, @file{kdestroy}
 @item
@@ -78,7 +76,7 @@ Kerberos V4 support in many of the applications.
 If you find bugs in this software, make sure it is a genuine bug and not
 just a part of the code that isn't implemented.
 
-Bug reports should be sent to @email{heimdal-bugs@@pdc.kth.se}. Please
+Bug reports should be sent to @email{heimdal-bugs@@h5l.org}. Please
 include information on what machine and operating system (including
 version) you are running, what you are trying to do, what happens, what
 you think should have happened, an example for us to repeat, the output
diff --git a/crypto/heimdal/doc/kerberos4.texi b/crypto/heimdal/doc/kerberos4.texi
index 42a5f89..fb490f3 100644
--- a/crypto/heimdal/doc/kerberos4.texi
+++ b/crypto/heimdal/doc/kerberos4.texi
@@ -1,11 +1,11 @@
-@c $Id: kerberos4.texi,v 1.16 2001/07/19 17:17:46 assar Exp $
+@c $Id: kerberos4.texi 16370 2005-12-12 12:11:51Z lha $
 
 @node Kerberos 4 issues, Windows 2000 compatability, Things in search for a better place, Top
 @comment  node-name,  next,  previous,  up
 @chapter Kerberos 4 issues
 
-If compiled with version 4 support, the KDC can serve requests from a
-Kerberos 4 client. There are a few things you must do for this to work.
+The KDC has built-in version 4 support. It is not enabled by default,
+see setup how to set it up.
 
 The KDC will also have kaserver emulation and be able to handle
 AFS-clients that use @code{klog}.
diff --git a/crypto/heimdal/doc/krb5.din b/crypto/heimdal/doc/krb5.din
new file mode 100644
index 0000000..2af9947
--- /dev/null
+++ b/crypto/heimdal/doc/krb5.din
@@ -0,0 +1,16 @@
+# Doxyfile 1.5.3
+
+PROJECT_NAME           = Heimdal Kerberos 5 library
+PROJECT_NUMBER         = @PACKAGE_VERSION@
+OUTPUT_DIRECTORY       = @objdir@/krb5
+INPUT                  = @srcdir@/../lib/krb5
+
+WARN_IF_UNDOCUMENTED   = NO
+
+PERL_PATH              = /usr/bin/perl
+
+HTML_HEADER = "@srcdir@/header.html"
+HTML_FOOTER = "@srcdir@/footer.html"
+
+@INCLUDE = "@srcdir@/doxytmpl.dxy"
+
diff --git a/crypto/heimdal/doc/migration.texi b/crypto/heimdal/doc/migration.texi
index 67b843a..586d488 100644
--- a/crypto/heimdal/doc/migration.texi
+++ b/crypto/heimdal/doc/migration.texi
@@ -1,4 +1,4 @@
-@c $Id: migration.texi,v 1.3 2001/02/24 05:09:24 assar Exp $
+@c $Id: migration.texi 9718 2001-02-24 05:09:24Z assar $
 
 @node Migration, Acknowledgments, Programming with Kerberos, Top
 @chapter Migration
diff --git a/crypto/heimdal/doc/misc.texi b/crypto/heimdal/doc/misc.texi
index 83c2a4a..ea22609 100644
--- a/crypto/heimdal/doc/misc.texi
+++ b/crypto/heimdal/doc/misc.texi
@@ -1,6 +1,6 @@
-@c $Id: misc.texi,v 1.13 2003/03/30 21:30:59 lha Exp $
+@c $Id: misc.texi 12197 2003-05-04 13:32:37Z lha $
 
-@node Things in search for a better place, Kerberos 4 issues, Setting up a realm, Top
+@node Things in search for a better place, Kerberos 4 issues, Applications, Top
 @chapter Things in search for a better place
 
 @section Making things work on Ciscos
@@ -56,71 +56,3 @@ protocol.
 A working solution would be to hook up a machine with a real operating
 system to the console of the Cisco and then use it as a backwards
 terminal server.
-
-@section Making things work on Transarc/OpenAFS AFS
-
-@subsection How to get a KeyFile
-
-@file{ktutil -k AFSKEYFILE:KeyFile get afs@@MY.REALM}
-
-or you can extract it with kadmin
-
-@example
-kadmin> ext -k AFSKEYFILE:/usr/afs/etc/KeyFile afs@@My.CELL.NAME
-@end example
-
-You have to make sure you have a @code{des-cbc-md5} encryption type since that
-is the key that will be converted.
-
-@subsection How to convert a srvtab to a KeyFile
-
-You need a @file{/usr/vice/etc/ThisCell} containing the cellname of you
-AFS-cell.
-
-@file{ktutil copy krb4:/root/afs-srvtab AFSKEYFILE:/usr/afs/etc/KeyFile}.
-
-If keyfile already exists, this will add the new key in afs-srvtab to
-KeyFile.
-
-@section Using 2b tokens with AFS
-
-@subsection What is 2b ?
-
-2b is the name of the proposal that was implemented to give basic
-Kerberos 5 support to AFS in rxkad. Its not real Kerberos 5 support
-since it still uses fcrypt for data encryption and not Kerberos
-encryption types.
-
-Its only possible (in all cases) to do this for DES encryption types because
-only then the token (the AFS equivalent of a ticket) will be be smaller
-than the maximum size that can fit in the token cache in
-OpenAFS/Transarc client. Its so tight fit that some extra wrapping on the ASN1/DER encoding is removed from the Kerberos ticket.
-
-2b uses a Kerberos 5 EncTicketPart instead of a Kerberos 4 ditto for
-the part of the ticket that is encrypted with the service's key. The
-client doesn't know what's inside the encrypted data so to the client it doesn't matter.
-
-To  differentiate between Kerberos 4 tickets and Kerberos 5 tickets 2b
-uses a special kvno, 213 for 2b tokens and 255 for Kerberos 5 tokens.
-
-Its a requirement that all AFS servers that support 2b also support
-native Kerberos 5 in rxkad.
-
-@subsection Configuring Heimdal to use 2b tokens
-
-Support for 2b tokens are turned on for specific principals by adding
-them to the string list option @code{[kdc]use_2b} in the kdc's
-@file{krb5.conf} file.
-
-@example
-[kdc]
-	use_2b = @{
-		afs@@SU.SE = yes
-		afs/it.su.se@@SU.SE = yes
-	@}
-@end example
-
-@subsection Configuring AFS clients
-
-There is no need to configure AFS clients. The only software that
-needs to be installed/upgrade is a Kerberos 5 enabled @file{afslog}.
diff --git a/crypto/heimdal/doc/ntlm.din b/crypto/heimdal/doc/ntlm.din
new file mode 100644
index 0000000..bbf1087
--- /dev/null
+++ b/crypto/heimdal/doc/ntlm.din
@@ -0,0 +1,15 @@
+# Doxyfile 1.5.3
+
+PROJECT_NAME           = Heimdal ntlm library
+PROJECT_NUMBER         = @PACKAGE_VERSION@
+OUTPUT_DIRECTORY       = @objdir@/ntlm
+INPUT                  = @srcdir@/../lib/ntlm
+
+WARN_IF_UNDOCUMENTED   = YES
+
+PERL_PATH              = /usr/bin/perl
+
+HTML_HEADER = "@srcdir@/header.html"
+HTML_FOOTER = "@srcdir@/footer.html"
+
+@INCLUDE = "@srcdir@/doxytmpl.dxy"
diff --git a/crypto/heimdal/doc/programming.texi b/crypto/heimdal/doc/programming.texi
index 63f0715..528348b 100644
--- a/crypto/heimdal/doc/programming.texi
+++ b/crypto/heimdal/doc/programming.texi
@@ -1,37 +1,36 @@
-@c $Id: programming.texi,v 1.2.8.1 2003/04/24 11:55:45 lha Exp $
+@c $Id: programming.texi 22071 2007-11-14 20:04:50Z lha $
 
-@node Programming with Kerberos
+@node Programming with Kerberos, Migration, Windows 2000 compatability, Top
 @chapter Programming with Kerberos
 
 First you need to know how the Kerberos model works, go read the
 introduction text (@pxref{What is Kerberos?}).
 
-@macro manpage{man, section}
-@cite{\man\(\section\)}
-@end macro
-
 @menu
 * Kerberos 5 API Overview::     
-* Walkthru a sample Kerberos 5 client::  
+* Walkthrough of a sample Kerberos 5 client::  
 * Validating a password in a server application::  
+* API differences to MIT Kerberos::  
+* File formats::
 @end menu
 
-@node Kerberos 5 API Overview, Walkthru a sample Kerberos 5 client, Programming with Kerberos, Programming with Kerberos
+@node Kerberos 5 API Overview, Walkthrough of a sample Kerberos 5 client, Programming with Kerberos, Programming with Kerberos
 @section Kerberos 5 API Overview
 
-Most functions are documenteded in manual pages.  This overview only
-tries to point to where to look for a specific function.
+All functions are documented in manual pages.  This section tries to
+give an overview of the major components used in Kerberos library, and
+point to where to look for a specific function.
 
 @subsection Kerberos context
 
 A kerberos context (@code{krb5_context}) holds all per thread state. All global variables that
-are context specific are stored in this struture, including default
-encryption types, credential-cache (ticket file), and default realms.
+are context specific are stored in this structure, including default
+encryption types, credential cache (for example, a ticket file), and default realms.
 
 See the manual pages for @manpage{krb5_context,3} and
 @manpage{krb5_init_context,3}.
 
-@subsection Kerberos authenication context
+@subsection Kerberos authentication context
 
 Kerberos authentication context (@code{krb5_auth_context}) holds all
 context related to an authenticated connection, in a similar way to the
@@ -45,16 +44,85 @@ replay cache, and checksum types.
 
 See the manual page for @manpage{krb5_auth_context,3}.
 
+@subsection Kerberos principal
+
+The Kerberos principal is the structure that identifies a user or
+service in Kerberos. The structure that holds the principal is the
+@code{krb5_principal}. There are function to extract the realm and
+elements of the principal, but most applications have no reason to
+inspect the content of the structure.
+
+The are several ways to create a principal (with different degree of
+portability), and one way to free it.
+
+See manual page for @manpage{krb5_principal,3} for more information
+about the functions.
+
+@subsection Credential cache
+
+A credential cache holds the tickets for a user. A given user can have
+several credential caches, one for each realm where the user have the
+initial tickets (the first krbtgt).
+
+The credential cache data can be stored internally in different way, each of them for
+different proposes.  File credential (FILE) caches and processes based
+(KCM) caches are for permanent storage. While memory caches (MEMORY)
+are local caches to the local process.
+
+Caches are opened with @manpage{krb5_cc_resolve,3} or created with
+@manpage{krb5_cc_gen_unique,3}.
+
+If the cache needs to be opened again (using
+@manpage{krb5_cc_resolve,3}) @manpage{krb5_cc_close,3} will close the
+handle, but not the remove the cache. @manpage{krb5_cc_destroy,3} will
+zero out the cache, remove the cache so it can no longer be
+referenced.
+
+See also manual page for @manpage{krb5_ccache,3}
+
+@subsection Kerberos errors
+
+Kerberos errors are based on the com_err library.  All error codes are
+32-bit signed numbers, the first 24 bits define what subsystem the
+error originates from, and last 8 bits are 255 error codes within the
+library.  Each error code have fixed string associated with it.  For
+example, the error-code -1765328383 have the symbolic name
+KRB5KDC_ERR_NAME_EXP, and associated error string ``Client's entry in
+database has expired''.
+
+This is a great improvement compared to just getting one of the unix
+error-codes back.  However, Heimdal have an extention to pass back
+customised errors messages.  Instead of getting ``Key table entry not
+found'', the user might back ``failed to find
+host/host.example.com@@EXAMLE.COM(kvno 3) in keytab /etc/krb5.keytab
+(des-cbc-crc)''.  This improves the chance that the user find the
+cause of the error so you should use the customised error message
+whenever it's available.
+
+See also manual page for @manpage{krb5_get_error_string,3} and
+@manpage{krb5_get_err_text,3}.
+
 @subsection Keytab management
 
 A keytab is a storage for locally stored keys. Heimdal includes keytab
 support for Kerberos 5 keytabs, Kerberos 4 srvtab, AFS-KeyFile's,
 and for storing keys in memory.
 
+Keytabs are used for servers and long-running services.
+
 See also manual page for @manpage{krb5_keytab,3}
 
-@node Walkthru a sample Kerberos 5 client, Validating a password in a server application, Kerberos 5 API Overview, Programming with Kerberos
-@section Walkthru a sample Kerberos 5 client
+@subsection Kerberos crypto
+
+Heimdal includes a implementation of the Kerberos crypto framework,
+all crypto operations.
+
+See also manual page for @manpage{krb5_crypto_init,3},
+@manpage{krb5_keyblock,3}, @manpage{krb5_create_checksum,3}, 
+and @manpage{krb5_encrypt,3}.
+
+@node Walkthrough of a sample Kerberos 5 client, Validating a password in a server application, Kerberos 5 API Overview, Programming with Kerberos
+@section Walkthrough of a sample Kerberos 5 client
 
 This example contains parts of a sample TCP Kerberos 5 clients, if you
 want a real working client, please look in @file{appl/test} directory in
@@ -63,17 +131,17 @@ the Heimdal distribution.
 All Kerberos error-codes that are returned from kerberos functions in
 this program are passed to @code{krb5_err}, that will print a
 descriptive text of the error code and exit. Graphical programs can
-convert error-code to a humal readable error-string with the
+convert error-code to a human readable error-string with the
 @manpage{krb5_get_err_text,3} function.
 
 Note that you should not use any Kerberos function before
 @code{krb5_init_context()} have completed successfully. That is the
-reson @code{err()} is used when @code{krb5_init_context()} fails.
+reason @code{err()} is used when @code{krb5_init_context()} fails.
 
-First the client needs to call @code{krb5_init_context} to initialize
+First the client needs to call @code{krb5_init_context} to initialise
 the Kerberos 5 library. This is only needed once per thread
 in the program. If the function returns a non-zero value it indicates
-that either the Kerberos implemtation is failing or its disabled on
+that either the Kerberos implementation is failing or it's disabled on
 this host.
 
 @example
@@ -137,7 +205,7 @@ connection (see @manpage{krb5_auth_context,3}).
 @end example
 
 For setting the address in the authentication there is a help function
-@code{krb5_auth_con_setaddrs_from_fd} that does everthing that is needed
+@code{krb5_auth_con_setaddrs_from_fd} that does everything that is needed
 when given a connected file descriptor to the socket.
 
 @example
@@ -169,8 +237,8 @@ out itself.
 The server program is using the function @manpage{krb5_recvauth,3} to
 receive the Kerberos 5 authenticator.
 
-In this case, mutual authenication will be tried. That means that the server
-will authenticate to the client. Using mutual authenication
+In this case, mutual authentication will be tried. That means that the server
+will authenticate to the client. Using mutual authentication
 is good since it enables the user to verify that they are talking to the
 right server (a server that knows the key).
 
@@ -268,12 +336,48 @@ And send it over the network.
 The server is using @manpage{krb5_rd_safe,3} and
 @manpage{krb5_rd_priv,3} to verify the signature and decrypt the packet.
 
-@node Validating a password in a server application,  , Walkthru a sample Kerberos 5 client, Programming with Kerberos
+@node Validating a password in a server application, API differences to MIT Kerberos, Walkthrough of a sample Kerberos 5 client, Programming with Kerberos
 @section Validating a password in an application
 
 See the manual page for @manpage{krb5_verify_user,3}.
 
-@c @node Why you should use GSS-API for new applications, Walkthru a sample GSS-API client, Validating a password in a server application, Programming with Kerberos
+@node API differences to MIT Kerberos, File formats, Validating a password in a server application, Programming with Kerberos
+@section API differences to MIT Kerberos
+
+This section is somewhat disorganised, but so far there is no overall
+structure to the differences, though some of the have their root in
+that Heimdal uses an ASN.1 compiler and MIT doesn't.
+
+@subsection Principal and realms
+
+Heimdal stores the realm as a @code{krb5_realm}, that is a @code{char *}.
+MIT Kerberos uses a @code{krb5_data} to store a realm.
+
+In Heimdal @code{krb5_principal} doesn't contain the component
+@code{name_type}; it's instead stored in component
+@code{name.name_type}. To get and set the nametype in Heimdal, use
+@manpage{krb5_principal_get_type,3} and
+@manpage{krb5_principal_set_type,3}.
+
+For more information about principal and realms, see
+@manpage{krb5_principal,3}.
+
+@subsection Error messages
+
+To get the error string, Heimdal uses
+@manpage{krb5_get_error_string,3} or, if @code{NULL} is returned,
+@manpage{krb5_get_err_text,3}. This is to return custom error messages
+(like ``Can't find host/datan.example.com@@EXAMPLE.COM in
+/etc/krb5.conf.'' instead of a ``Key table entry not found'' that
+@manpage{error_message,3} returns.
+
+Heimdal uses a threadsafe(r) version of the com_err interface; the
+global @code{com_err} table isn't initialised.  Then
+@manpage{error_message,3} returns quite a boring error string (just
+the error code itself).
+
+
+@c @node Why you should use GSS-API for new applications, Walkthrough of a sample GSS-API client, Validating a password in a server application, Programming with Kerberos
 @c @section Why you should use GSS-API for new applications
 @c 
 @c SSPI, bah, bah, microsoft, bah, bah, almost GSS-API.
@@ -281,7 +385,258 @@ See the manual page for @manpage{krb5_verify_user,3}.
 @c It would also be possible for other mechanisms then Kerberos, but that
 @c doesn't exist any other GSS-API implementations today.
 @c 
-@c @node Walkthru a sample GSS-API client, , Why you should use GSS-API for new applications, Programming with Kerberos
-@c @section Walkthru a sample GSS-API client
+@c @node Walkthrough of a sample GSS-API client, , Why you should use GSS-API for new applications, Programming with Kerberos
+@c @section Walkthrough of a sample GSS-API client
 @c 
 @c Write about how gssapi_clent.c works.
+
+@node File formats,  , API differences to MIT Kerberos, Programming with Kerberos
+@section File formats
+
+This section documents the diffrent file formats that are used in
+Heimdal and other Kerberos implementations.
+
+@subsection keytab
+
+The keytab binary format is not a standard format. The format has
+evolved and may continue to. It is however understood by several
+Kerberos implementations including Heimdal, MIT, Sun's Java ktab and
+are created by the ktpass.exe utility from Windows. So it has
+established itself as the defacto format for storing Kerberos keys.
+
+The following C-like structure definitions illustrate the MIT keytab
+file format. All values are in network byte order. All text is ASCII.
+
+@example
+  keytab @{
+      uint16_t file_format_version;                    /* 0x502 */
+      keytab_entry entries[*];
+  @};
+
+  keytab_entry @{
+      int32_t size;
+      uint16_t num_components;   /* subtract 1 if version 0x501 */
+      counted_octet_string realm;
+      counted_octet_string components[num_components];
+      uint32_t name_type;       /* not present if version 0x501 */
+      uint32_t timestamp;
+      uint8_t vno8;
+      keyblock key;
+      uint32_t vno; /* only present if >= 4 bytes left in entry */
+  @};
+
+  counted_octet_string @{
+      uint16_t length;
+      uint8_t data[length];
+  @};
+
+  keyblock @{
+      uint16_t type;
+      counted_octet_string;
+  @};
+@end example
+
+All numbers are stored in network byteorder (big endian) format.
+
+The keytab file format begins with the 16 bit file_format_version which
+at the time this document was authored is 0x502. The format of older
+keytabs is described at the end of this document.
+
+The file_format_version is immediately followed by an array of
+keytab_entry structures which are prefixed with a 32 bit size indicating
+the number of bytes that follow in the entry. Note that the size should be
+evaluated as signed. This is because a negative value indicates that the
+entry is in fact empty (e.g. it has been deleted) and that the negative
+value of that negative value (which is of course a positive value) is
+the offset to the next keytab_entry. Based on these size values alone
+the entire keytab file can be traversed.
+
+The size is followed by a 16 bit num_components field indicating the
+number of counted_octet_string components in the components array.
+
+The num_components field is followed by a counted_octet_string
+representing the realm of the principal.
+
+A counted_octet_string is simply an array of bytes prefixed with a 16
+bit length. For the realm and name components, the counted_octet_string
+bytes are ASCII encoded text with no zero terminator.
+
+Following the realm is the components array that represents the name of
+the principal. The text of these components may be joined with slashs
+to construct the typical SPN representation. For example, the service
+principal HTTP/www.foo.net@@FOO.NET would consist of name components
+"HTTP" followed by "www.foo.net".
+
+Following the components array is the 32 bit name_type (e.g. 1 is
+KRB5_NT_PRINCIPAL, 2 is KRB5_NT_SRV_INST, 5 is KRB5_NT_UID, etc). In
+practice the name_type is almost certainly 1 meaning KRB5_NT_PRINCIPAL.
+
+The 32 bit timestamp indicates the time the key was established for that
+principal. The value represents the number of seconds since Jan 1, 1970.
+
+The 8 bit vno8 field is the version number of the key. This value is
+overridden by the 32 bit vno field if it is present. The vno8 field is
+filled with the lower 8 bits of the 32 bit protocol kvno field.
+
+The keyblock structure consists of a 16 bit value indicating the
+encryption type and is a counted_octet_string containing the key.  The
+encryption type is the same as the Kerberos standard (e.g. 3 is
+des-cbc-md5, 23 is arcfour-hmac-md5, etc).
+
+The last field of the keytab_entry structure is optional. If the size of
+the keytab_entry indicates that there are at least 4 bytes remaining,
+a 32 bit value representing the key version number is present. This
+value supersedes the 8 bit vno8 value preceeding the keyblock.
+
+Older keytabs with a file_format_version of 0x501 are different in
+three ways:
+
+@table @asis
+@item All integers are in host byte order [1].
+@item The num_components field is 1 too large (i.e. after decoding, decrement by 1).
+@item The 32 bit name_type field is not present.
+@end table
+
+[1] The file_format_version field should really be treated as two
+separate 8 bit quantities representing the major and minor version
+number respectively.
+
+@subsection Heimdal database dump file
+
+Format of the Heimdal text dump file as of Heimdal 0.6.3:
+
+Each line in the dump file is one entry in the database.
+
+Each field of a line is separated by one or more spaces, with the
+exception of fields consisting of principals containing spaces, where
+space can be quoted with \ and \ is quoted by \.
+
+Fields and their types are:
+
+@example
+	Quoted princial (quote character is \) [string]
+	Keys [keys]
+	Created by [event]
+	Modified by [event optional]
+	Valid start time [time optional]
+	Valid end time [time optional]
+	Password end valid time [time optional]
+	Max lifetime of ticket [time optional]
+	Max renew time of ticket [integer optional]
+	Flags [hdb flags]
+	Generation number [generation optional]
+	Extensions [extentions optional]
+@end example
+
+Fields following these silently are ignored.
+
+All optional fields will be skipped if they fail to parse (or comprise
+the optional field marker of "-", w/o quotes).
+
+Example:
+
+@example
+fred@@EXAMPLE.COM 27:1:16:e8b4c8fc7e60b9e641dcf4cff3f08a701d982a2f89ba373733d26ca59ba6c789666f6b8bfcf169412bb1e5dceb9b33cda29f3412:-:1:3:4498a933881178c744f4232172dcd774c64e81fa6d05ecdf643a7e390624a0ebf3c7407a:-:1:2:b01934b13eb795d76f3a80717d469639b4da0cfb644161340ef44fdeb375e54d684dbb85:-:1:1:ea8e16d8078bf60c781da90f508d4deccba70595258b9d31888d33987cd31af0c9cced2e:- 20020415130120:admin@@EXAMPLE.COM 20041221112428:fred@@EXAMPLE.COM - - - 86400 604800 126 20020415130120:793707:28 -
+@end example
+
+Encoding of types are as follows:
+
+@table @asis
+@item keys
+
+@example
+kvno:[masterkvno:keytype:keydata:salt]@{zero or more separated by :@}
+@end example
+
+kvno is the key version number.
+
+keydata is hex-encoded
+
+masterkvno is the kvno of the database master key.  If this field is
+empty, the kadmin load and merge operations will encrypt the key data
+with the master key if there is one.  Otherwise the key data will be
+imported asis.
+
+salt is encoded as "-" (no/default salt) or
+
+@example
+salt-type /
+salt-type / "string"
+salt-type / hex-encoded-data
+@end example
+
+keytype is the protocol enctype number; see enum ENCTYPE in
+include/krb5_asn1.h for values.
+
+Example:
+@example
+27:1:16:e8b4c8fc7e60b9e641dcf4cff3f08a701d982a2f89ba373733d26ca59ba6c789666f6b8bfcf169412bb1e5dceb9b33cda29f3412:-:1:3:4498a933881178c744f4232172dcd774c64e81fa6d05ecdf643a7e390624a0ebf3c7407a:-:1:2:b01934b13eb795d76f3a80717d469639b4da0cfb644161340ef44fdeb375e54d684dbb85:-:1:1:ea8e16d8078bf60c781da90f508d4deccba70595258b9d31888d33987cd31af0c9cced2e:-
+@end example
+
+
+@example
+kvno=27,@{key: masterkvno=1,keytype=des3-cbc-sha1,keydata=..., default salt@}...
+@end example
+
+@item time
+	
+Format of the time is: YYYYmmddHHMMSS, corresponding to strftime
+format "%Y%m%d%k%M%S".
+
+Time is expressed in UTC.
+
+Time can be optional (using -), when the time 0 is used.
+
+Example:
+
+@example
+20041221112428
+@end example
+
+@item event
+
+@example
+	time:principal
+@end example
+
+time is as given in format time
+
+principal is a string.  Not quoting it may not work in earlier
+versions of Heimdal.
+
+Example:
+@example
+20041221112428:bloggs@@EXAMPLE.COM
+@end example
+
+@item hdb flags
+
+Integer encoding of HDB flags, see HDBFlags in lib/hdb/hdb.asn1. Each
+bit in the integer is the same as the bit in the specification.
+
+@item generation:
+
+@example
+time:usec:gen
+@end example
+
+
+usec is a the microsecond, integer.
+gen is generation number, integer.
+
+The generation can be defaulted (using '-') or the empty string
+
+@item extensions:
+
+@example
+first-hex-encoded-HDB-Extension[:second-...]
+@end example
+
+HDB-extension is encoded the DER encoded HDB-Extension from
+lib/hdb/hdb.asn1. Consumers HDB extensions should be aware that
+unknown entires needs to be preserved even thought the ASN.1 data
+content might be unknown. There is a critical flag in the data to show
+to the KDC that the entry MUST be understod if the entry is to be
+used.
+
+@end table
diff --git a/crypto/heimdal/doc/setup.texi b/crypto/heimdal/doc/setup.texi
index 55f321c..02e7972 100644
--- a/crypto/heimdal/doc/setup.texi
+++ b/crypto/heimdal/doc/setup.texi
@@ -1,25 +1,9 @@
-@c $Id: setup.texi,v 1.27.2.2 2003/10/21 21:37:56 lha Exp $
+@c $Id: setup.texi 22191 2007-12-06 17:26:30Z lha $
 
-@node Setting up a realm, Things in search for a better place, Building and Installing, Top
+@node Setting up a realm, Applications, Building and Installing, Top
 
 @chapter Setting up a realm
 
-@menu
-* Configuration file::          
-* Creating the database::       
-* keytabs::                     
-* Serving Kerberos 4/524/kaserver::
-* Remote administration::       
-* Password changing::           
-* Testing clients and servers::  
-* Slave Servers::               
-* Incremental propagation::     
-* Salting::
-* Cross realm::
-* Transit policy::
-* Setting up DNS::
-@end menu
-
 A
 @cindex realm
 realm is an administrative domain.  The name of a Kerberos realm is
@@ -27,6 +11,27 @@ usually the Internet domain name in uppercase.  Call your realm the same
 as your Internet domain name if you do not have strong reasons for not
 doing so.  It will make life easier for you and everyone else.
 
+@menu
+* Configuration file::
+* Creating the database::
+* Modifying the database::
+* Checking the setup::
+* keytabs::
+* Serving Kerberos 4/524/kaserver::
+* Remote administration::
+* Password changing::
+* Testing clients and servers::
+* Slave Servers::
+* Incremental propagation::
+* Encryption types and salting::
+* Cross realm::
+* Transit policy::
+* Setting up DNS::
+* Using LDAP to store the database::
+* Providing Kerberos credentials to servers and programs::
+* Setting up PK-INIT::
+@end menu
+
 @node  Configuration file, Creating the database, Setting up a realm, Setting up a realm
 @section Configuration file
 
@@ -39,10 +44,10 @@ There is a sample @file{krb5.conf} supplied with the distribution.
 The configuration file is a hierarchical structure consisting of
 sections, each containing a list of bindings (either variable
 assignments or subsections). A section starts with
-@samp{[section-name]}.  A binding consists of a left hand side, an equal
+@samp{[@samp{section-name}]}.  A binding consists of a left hand side, an equal sign
 (@samp{=}) and a right hand side (the left hand side tag must be
-separated from the equal with some whitespace.) Subsections has a
-@samp{@{} as the first non-whitespace character after the equal. All
+separated from the equal sign with some whitespace). Subsections have a
+@samp{@{} as the first non-whitespace character after the equal sign. All
 other bindings are treated as variable assignments. The value of a
 variable extends to the end of the line.
 
@@ -51,7 +56,7 @@ variable extends to the end of the line.
         a-subsection = @{
                 var = value1
                 other-var = value with @{@}
-                sub-sub-section = @{ 
+                sub-sub-section = @{
                         var = 123
                 @}
         @}
@@ -71,7 +76,7 @@ are briefly described here.
 The @samp{libdefaults} section contains a list of library configuration
 parameters, such as the default realm and the timeout for KDC
 responses. The @samp{realms} section contains information about specific
-realms, such as where they hide their KDC. This section serves the same
+realms, such as where they hide their KDC@. This section serves the same
 purpose as the Kerberos 4 @file{krb.conf} file, but can contain more
 information. Finally the @samp{domain_realm} section contains a list of
 mappings from domains to realms, equivalent to the Kerberos 4
@@ -94,16 +99,16 @@ with contents similar to the following.
 @end example
 
 If you use a realm name equal to your domain name, you can omit the
-@samp{libdefaults}, and @samp{domain_realm}, sections. If you have a
-SRV-record for your realm, or your Kerberos server has CNAME called
+@samp{libdefaults}, and @samp{domain_realm}, sections. If you have a DNS
+SRV-record for your realm, or your Kerberos server has DNS CNAME
 @samp{kerberos.my.realm}, you can omit the @samp{realms} section too.
 
-@node Creating the database, keytabs, Configuration file, Setting up a realm
+@node Creating the database, Modifying the database, Configuration file, Setting up a realm
 @section Creating the database
 
 The database library will look for the database in the directory
-@file{/var/heimdal}, so you should probably create that directory.
-Make sure the directory have restrictive permissions.
+@file{@value{dbdir}}, so you should probably create that directory.
+Make sure the directory has restrictive permissions.
 
 @example
 # mkdir /var/heimdal
@@ -117,22 +122,29 @@ master key, run @samp{kstash} to create this master key:
 
 @example
 # kstash
-Master key: 
-Verifying password - Master key: 
+Master key:
+Verifying password - Master key:
 @end example
 
-To initialise the database use the @code{kadmin} program, with the
-@samp{-l} option (to enable local database mode). First issue a
+If you want to generate a random master key you can use the
+@kbd{--random-key} flag to kstash. This will make sure you have a good key
+on which attackers can't do a dictionary attack.
+
+If you have a master key, make sure you make a backup of your master
+key file; without it backups of the database are of no use.
+
+To initialise the database use the @command{kadmin} program, with the
+@kbd{-l} option (to enable local database mode). First issue a
 @kbd{init MY.REALM} command. This will create the database and insert
 default principals for that realm. You can have more than one realm in
 one database, so @samp{init} does not destroy any old database.
 
 Before creating the database, @samp{init} will ask you some questions
-about max ticket lifetimes.
+about maximum ticket lifetimes.
 
 After creating the database you should probably add yourself to it. You
 do this with the @samp{add} command. It takes as argument the name of a
-principal. The principal should contain a realm, so if you haven't setup
+principal. The principal should contain a realm, so if you haven't set up
 a default realm, you will need to explicitly include the realm.
 
 @example
@@ -140,12 +152,12 @@ a default realm, you will need to explicitly include the realm.
 kadmin> init MY.REALM
 Realm max ticket life [unlimited]:
 Realm max renewable ticket life [unlimited]:
-kadmin> add me  
+kadmin> add me
 Max ticket life [unlimited]:
 Max renewable life [unlimited]:
 Attributes []:
-Password: 
-Verifying password - Password: 
+Password:
+Verifying password - Password:
 @end example
 
 Now start the KDC and try getting a ticket.
@@ -175,10 +187,93 @@ krbtgt/MY.REALM@@MY.REALM 1:0:1:52b53b61c875ce16:-:0:7:c8943be ...
 kadmin/changepw@@MY.REALM 1:0:1:f48c8af2b340e9fb:-:0:7:e3e6088 ...
 @end smallexample
 
-@node keytabs, Serving Kerberos 4/524/kaserver, Creating the database, Setting up a realm
+@node Modifying the database, Checking the setup, Creating the database, Setting up a realm
+@section Modifying the database
+
+All modifications of principals are done with with kadmin.
+
+A principal has several attributes and lifetimes associated with it.
+
+Principals are added, renamed, modified, and deleted with the kadmin
+commands @samp{add}, @samp{rename}, @samp{modify}, @samp{delete}.
+Both interactive editing and command line flags can be used (use --help
+to list the available options).
+
+There are different kinds of types for the fields in the database;
+attributes, absolute time times and relative times.
+
+@subsection Attributes
+
+When doing interactive editing, attributes are listed with @samp{?}.
+
+The attributes are given in a comma (@samp{,}) separated list.
+Attributes are removed from the list by prefixing them with @samp{-}.
+
+@smallexample
+kadmin> modify me
+Max ticket life [1 day]:
+Max renewable life [1 week]:
+Principal expiration time [never]:
+Password expiration time [never]:
+Attributes [disallow-renewable]: requires-pre-auth,-disallow-renewable
+kadmin> get me
+            Principal: me@@MY.REALM
+[...]
+           Attributes: requires-pre-auth
+@end smallexample
+
+@subsection Absolute times
+
+The format for absolute times are any of the following:
+
+@smallexample
+never
+now
+YYYY-mm-dd
+YYYY-mm-dd HH:MM:SS
+@end smallexample
+
+
+@subsection Relative times
+
+The format for relative times are any of the following combined:
+
+@smallexample
+N year
+M month
+O day
+P hour
+Q minute
+R second
+@end smallexample
+
+@c Describe more of kadmin commands here...
+
+@node Checking the setup, keytabs, Modifying the database, Setting up a realm
+@section Checking the setup
+
+There are two tools that can check the consistency of the Kerberos
+configuration file and the Kerberos database.
+
+The Kerberos configuration file is checked using
+@command{verify_krb5_conf}. The tool checks for common errors, but
+commonly there are several uncommon configuration entries that are
+never added to the tool and thus generates ``unknown entry'' warnings.
+This is usually nothing to worry about.
+
+The database check is built into the kadmin tool. It will check for
+common configuration error that will cause problems later. Common
+check are for existence and flags on important principals. The
+database check by run by the following command :
+
+@example
+kadmin check REALM.EXAMPLE.ORG
+@end example
+
+@node keytabs, Serving Kerberos 4/524/kaserver, Checking the setup, Setting up a realm
 @section keytabs
 
-To extract a service ticket from the database and put it in a keytab you
+To extract a service ticket from the database and put it in a keytab, you
 need to first create the principal in the database with @samp{ank}
 (using the @kbd{--random-key} flag to get a random key) and then
 extract it with @samp{ext_keytab}.
@@ -189,6 +284,7 @@ Max ticket life [unlimited]:
 Max renewable life [unlimited]:
 Attributes []:
 kadmin> ext host/my.host.name
+kadmin> exit
 # ktutil list
 Version  Type             Principal
      1   des-cbc-md5      host/my.host.name@@MY.REALM
@@ -201,8 +297,10 @@ Version  Type             Principal
 @section Serving Kerberos 4/524/kaserver
 
 Heimdal can be configured to support 524, Kerberos 4 or kaserver. All
-theses services are default turned off. Kerberos 4 support also
-depends on if Kerberos 4 support is compiled in with Heimdal.
+these services are turned off by default. Kerberos 4 is always
+supported by the KDC, but the Kerberos 4 client support also depends
+on Kerberos 4 support having been included at compile-time, using
+@kbd{--with-krb4=dir}.
 
 @subsection 524
 
@@ -219,9 +317,10 @@ tokens with AFS in @xref{Things in search for a better place}.
 
 @subsection Kerberos 4
 
-Kerberos 4 is the predecessor to to Kerberos 5. It only support single
-DES. You should only enable Kerberos 4 support if you have a need for
-for compatibility with an installed base of Kerberos 4 clients/servers.
+Kerberos 4 is the predecessor to to Kerberos 5. It only supports
+single DES@. You should only enable Kerberos 4 support if you have
+needs for compatibility with an installed base of Kerberos 4
+clients/servers.
 
 Kerberos 4 can be turned on by adding this to the configuration file
 
@@ -232,11 +331,11 @@ Kerberos 4 can be turned on by adding this to the configuration file
 
 @subsection kaserver
 
-Kaserver is a Kerberos 4 that is used in AFS, the protocol have some
-features over plain Kerberos 4, but like Kerberos 4 only use single
-DES too.
+Kaserver is a Kerberos 4 that is used in AFS@.  The protocol has some
+extra features over plain Kerberos 4, but like Kerberos 4, only uses
+single DES@.
 
-You should only enable Kerberos 4 support if you have a need for for
+You should only enable Kaserver support if you have needs for
 compatibility with an installed base of AFS machines.
 
 Kaserver can be turned on by adding this to the configuration file
@@ -249,9 +348,9 @@ Kaserver can be turned on by adding this to the configuration file
 @node Remote administration, Password changing, Serving Kerberos 4/524/kaserver, Setting up a realm
 @section Remote administration
 
-The administration server, @samp{kadmind}, can be started by
-@samp{inetd} (which isn't recommended) or run as a normal daemon. If you
-want to start it from @samp{inetd} you should add a line similar to the
+The administration server, @command{kadmind}, can be started by
+@command{inetd} (which isn't recommended) or run as a normal daemon. If you
+want to start it from @command{inetd} you should add a line similar to the
 one below to your @file{/etc/inetd.conf}.
 
 @example
@@ -259,29 +358,29 @@ kerberos-adm stream     tcp     nowait  root /usr/heimdal/libexec/kadmind kadmin
 @end example
 
 You might need to add @samp{kerberos-adm} to your @file{/etc/services}
-as 749/tcp.
+as @samp{749/tcp}.
 
-Access to the administration server is controlled by an acl-file, (default
-@file{/var/heimdal/kadmind.acl}.) The lines in the access file, has the
-following syntax:
+Access to the administration server is controlled by an ACL file,
+(default @file{/var/heimdal/kadmind.acl}.) The file has the following
+syntax:
 @smallexample
 principal       [priv1,priv2,...]       [glob-pattern]
 @end smallexample
 
-The matching is from top to bottom for matching principal (and if given,
-glob-pattern).  When there is a match, the rights of that lines are
-used.
+The matching is from top to bottom for matching principals (and if given,
+glob-pattern).  When there is a match, the access rights of that line are
+applied.
 
 The privileges you can assign to a principal are: @samp{add},
 @samp{change-password} (or @samp{cpw} for short), @samp{delete},
 @samp{get}, @samp{list}, and @samp{modify}, or the special privilege
-@samp{all}. All of these roughly corresponds to the different commands
-in @samp{kadmin}.
+@samp{all}. All of these roughly correspond to the different commands
+in @command{kadmin}.
 
-If a @var{glob-pattern} is given on a line, it restricts the right for
-the principal to only apply for the subjects that match the pattern.
-The patters are of the same type as those used in shell globbing, see
-@url{none,,fnmatch(3)}.
+If a @var{glob-pattern} is given on a line, it restricts the access
+rights for the principal to only apply for subjects that match the
+pattern.  The patterns are of the same type as those used in shell
+globbing, see @url{none,,fnmatch(3)}.
 
 In the example below @samp{lha/admin} can change every principal in the
 database. @samp{jimmy/admin} can only modify principals that belong to
@@ -300,49 +399,100 @@ mille/admin@@E.KTH.SE	change-password	*@@E.KTH.SE
 @node Password changing, Testing clients and servers, Remote administration, Setting up a realm
 @section Password changing
 
-To allow users to change their passwords, you should run @samp{kpasswdd}.
-It is not run from @samp{inetd}.
+To allow users to change their passwords, you should run @command{kpasswdd}.
+It is not run from @command{inetd}.
 
 You might need to add @samp{kpasswd} to your @file{/etc/services} as
-464/udp.
+@samp{464/udp}.
 
 @subsection Password quality assurance
 
 It is important that users have good passwords, both to make it harder
-to guess them and to avoid off-line attacks (pre-authentication provides
-some defense against off-line attacks).  To ensure that the users choose
-good passwords, you can enable password quality controls in
-@samp{kpasswdd}.  The controls themselves are done in a shared library
-that is used by @samp{kpasswdd}.  To configure in these controls, add
-lines similar to the following to your @file{/etc/krb5.conf}:
+to guess them and to avoid off-line attacks (although
+pre-authentication provides some defence against off-line attacks).
+To ensure that the users choose good passwords, you can enable
+password quality controls in @command{kpasswdd} and @command{kadmind}.
+The controls themselves are done in a shared library or an external
+program that is used by @command{kpasswdd}.  To configure in these
+controls, add lines similar to the following to your
+@file{/etc/krb5.conf}:
 
 @example
 [password_quality]
-        check_library = @var{library}
-        check_function = @var{function}
+	policies = external-check builtin:minimum-length module:policyname
+	external_program = /bin/false
+	policy_libraries = @var{library1.so} @var{library2.so}
 @end example
 
-The function @var{function} in the shared library @var{library} will be
-called for proposed new passwords.  The function should be declared as:
+In @samp{[password_quality]policies} the module name is optional if
+the policy name is unique in all modules (members of
+@samp{policy_libraries}).
+
+The built-in polices are
+
+@itemize @bullet
 
+@item external-check
+
+Executes the program specified by @samp{[password_quality]external_program}.
+
+A number of key/value pairs are passed as input to the program, one per
+line, ending with the string @samp{end}.  The key/value lines are of
+the form
 @example
-const char *
-function(krb5_context context, krb5_principal principal, krb5_data *pwd);
+principal: @var{principal}
+new-password: @var{password}
 @end example
+where @var{password} is the password to check for the previous
+@var{principal}.
+
+If the external application approves the password, it should return
+@samp{APPROVED} on standard out and exit with exit code 0.  If it
+doesn't approve the password, an one line error message explaining the
+problem should be returned on standard error and the application
+should exit with exit code 0.  In case of a fatal error, the
+application should, if possible, print an error message on standard
+error and exit with a non-zero error code.
+
+@item minimum-length
+
+The minimum length password quality check reads the configuration file
+stanza @samp{[password_quality]min_length} and requires the password
+to be at least this length.
+
+@item character-class
+
+The character-class password quality check reads the configuration
+file stanza @samp{[password_quality]min_classes}. The policy requires
+the password to have characters from at least that many character
+classes. Default value if not given is 3.
+
+The four different characters classes are, uppercase, lowercase,
+number, special characters.
+
+@end itemize
 
-The function should verify that @var{pwd} is a good password for
-@var{principal} and if so return @code{NULL}.  If it is deemed to be of
-low quality, it should return a string explaining why that password
-should not be used.
+If you want to write your own shared object to check password
+policies, see the manual page @manpage{kadm5_pwcheck,3}.
 
 Code for a password quality checking function that uses the cracklib
-library can be found in @file{lib/kadm5/sample_password_check.c} in the
-source code distribution.  It requires the cracklib library built with
-the patch available at
+library can be found in @file{lib/kadm5/sample_password_check.c} in
+the source code distribution.  It requires that the cracklib library
+be built with the patch available at
 @url{ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch}.
 
-If no password quality checking function is configured, it is only
-verified that it is at least six characters of length.
+A sample policy external program is included in
+@file{lib/kadm5/check-cracklib.pl}.
+
+If no password quality checking function is configured, the only check
+performed is that the password is at least six characters long.
+
+To check the password policy settings, use the command
+@command{password-quality} in @command{kadmin} program. The password
+verification is only performed locally, on the client.  It may be
+convenient to set the environment variable @samp{KRB5_CONFIG} to point
+to a test version of @file{krb5.conf} while you're testing the
+@samp{[password_quality]} stanza that way.
 
 @node Testing clients and servers, Slave Servers, Password changing, Setting up a realm
 @section Testing clients and servers
@@ -357,21 +507,21 @@ It is desirable to have at least one backup (slave) server in case the
 master server fails. It is possible to have any number of such slave
 servers but more than three usually doesn't buy much more redundancy.
 
-All Kerberos servers for a realm shall have the same database so that
-they present the same service to all the users.  The
+All Kerberos servers for a realm must have the same database so that
+they present the same service to the users.  The
 @pindex hprop
-@code{hprop} program, running on the master, will propagate the database
+@command{hprop} program, running on the master, will propagate the database
 to the slaves, running
 @pindex hpropd
-@code{hpropd} processes.
+@command{hpropd} processes.
 
 Every slave needs a database directory, the master key (if it was used
 for the database) and a keytab with the principal
 @samp{hprop/@var{hostname}}.  Add the principal with the
 @pindex ktutil
-@code{ktutil} command and start
+@command{ktutil} command and start
 @pindex hpropd
-@code{propd}, as follows:
+@command{hpropd}, as follows:
 
 @example
 slave# ktutil get -p foo/admin hprop/`hostname`
@@ -392,39 +542,40 @@ Then run
 master# hprop slave
 @end example
 
-This was just an on-hands example to make sure that everything was
-working properly.  Doing it manually is of course the wrong way and to
+This was just an hands-on example to make sure that everything was
+working properly.  Doing it manually is of course the wrong way, and to
 automate this you will want to start
 @pindex hpropd
-@code{hpropd} from @code{inetd} on the slave(s) and regularly run
+@command{hpropd} from @command{inetd} on the slave(s) and regularly run
 @pindex hprop
-@code{hprop} on the master to regularly propagate the database.
-Starting the propagation once an hour from @code{cron} is probably a
+@command{hprop} on the master to regularly propagate the database.
+Starting the propagation once an hour from @command{cron} is probably a
 good idea.
 
-@node Incremental propagation, Salting , Slave Servers, Setting up a realm
+@node Incremental propagation, Encryption types and salting, Slave Servers, Setting up a realm
 @section Incremental propagation
 
-There is also a newer and still somewhat experimental mechanism for
+There is also a newer, and still somewhat experimental, mechanism for
 doing incremental propagation in Heimdal.  Instead of sending the whole
 database regularly, it sends the changes as they happen on the master to
-the slaves.  The master keeps track of all the changes by assigned a
+the slaves.  The master keeps track of all the changes by assigning a
 version number to every change to the database.  The slaves know which
 was the latest version they saw and in this way it can be determined if
-they are in sync or not.  A log of all the changes is kept on the master
-and when a slave is at an older versioner than the oldest one in the
+they are in sync or not.  A log of all the changes is kept on the master,
+and when a slave is at an older version than the oldest one in the
 log, the whole database has to be sent.
 
-Protocol-wise, all the slaves connects to the master and as a greeting
+Protocol-wise, all the slaves connect to the master and as a greeting
 tell it the latest version that they have (@samp{IHAVE} message).  The
 master then responds by sending all the changes between that version and
 the current version at the master (a series of @samp{FORYOU} messages)
-or the whole database in a @samp{TELLYOUEVERYTHING} message.
+or the whole database in a @samp{TELLYOUEVERYTHING} message.  There is
+also a keep-alive protocol that makes sure all slaves are up and running.
 
 @subsection Configuring incremental propagation
 
-The program that runs on the master is @code{ipropd-master} and all
-clients run @code{ipropd-slave}.
+The program that runs on the master is @command{ipropd-master} and all
+clients run @command{ipropd-slave}.
 
 Create the file @file{/var/heimdal/slaves} on the master containing all
 the slaves that the database should be propagated to.  Each line contains
@@ -436,7 +587,7 @@ You should already have @samp{iprop/tcp} defined as 2121, in your
 for some peculiar reason, you can use the @kbd{--port} option.  This is
 useful when you have multiple realms to distribute from one server.
 
-Then you need to create these principals that you added in the
+Then you need to create those principals that you added in the
 configuration file.  Create one @samp{iprop/hostname} for the master and
 for every slave.
 
@@ -445,83 +596,95 @@ for every slave.
 master# /usr/heimdal/sbin/ktutil get iprop/`hostname`
 @end example
 
-The next step is to start the @code{ipropd-master} process on the master
-server.  The @code{ipropd-master} listens on the UNIX-socket
+The next step is to start the @command{ipropd-master} process on the master
+server.  The @command{ipropd-master} listens on the UNIX domain socket
 @file{/var/heimdal/signal} to know when changes have been made to the
 database so they can be propagated to the slaves.  There is also a
 safety feature of testing the version number regularly (every 30
 seconds) to see if it has been modified by some means that do not raise
-this signal.  Then, start @code{ipropd-slave} on all the slaves:
+this signal.  Then, start @command{ipropd-slave} on all the slaves:
 
 @example
 master# /usr/heimdal/libexec/ipropd-master &
 slave#  /usr/heimdal/libexec/ipropd-slave master &
 @end example
 
-@node Salting, Cross realm, Incremental propagation, Setting up a realm
-@section Salting
+To manage the iprop log file you should use the @command{iprop-log}
+command. With it you can dump, truncate and replay the logfile.
+
+@node Encryption types and salting, Cross realm, Incremental propagation, Setting up a realm
+@section Encryption types and salting
 @cindex Salting
+@cindex Encryption types
+
+The encryption types that the KDC is going to assign by default is
+possible to change. Since the keys used for user authentication is
+salted the encryption types are described together with the salt
+strings.
 
-Salting is used to make it harder to precalculate all possible
+Salting is used to make it harder to pre-calculate all possible
 keys. Using a salt increases the search space to make it almost
-impossible to precalculate all keys. Salting is the process of mixing a
+impossible to pre-calculate all keys. Salting is the process of mixing a
 public string (the salt) with the password, then sending it through an
-encryption-type specific string-to-key function that will output the
+encryption type specific string-to-key function that will output the
 fixed size encryption key.
 
-In Kerberos 5 the salt is determined by the encryption-type, except
-in some special cases.
+In Kerberos 5 the salt is determined by the encryption type, except in
+some special cases.
 
 In @code{des} there is the Kerberos 4 salt
 (none at all) or the afs-salt (using the cell (realm in
-afs-lingo)).
+AFS lingo)).
 
 In @code{arcfour} (the encryption type that Microsoft Windows 2000 uses)
 there is no salt. This is to be compatible with NTLM keys in Windows
 NT 4.
 
 @code{[kadmin]default_keys} in @file{krb5.conf} controls
-what salting to use,
+what salting to use.
 
 The syntax of @code{[kadmin]default_keys} is
 @samp{[etype:]salt-type[:salt-string]}. @samp{etype} is the encryption
-type (des, des3, arcfour), @code{salt-type} is the type of salt (pw-salt
-or afs3-salt), and the salt-string is the string that will be used as
-salt (remember that if the salt is appended/prepended, the empty salt ""
-is the same thing as no salt at all).
+type (des-cbc-crc, arcfour-hmac-md5, aes256-cts-hmac-sha1-96),
+@code{salt-type} is the type of salt (pw-salt or afs3-salt), and the
+salt-string is the string that will be used as salt (remember that if
+the salt is appended/prepended, the empty salt "" is the same thing as
+no salt at all).
 
-Common types of salting includes
+Common types of salting include
 
 @itemize @bullet
 @item @code{v4} (or @code{des:pw-salt:})
 
-The Kerberos 4 salting is using no salt att all. Reason there is colon
-that the end or the salt string is that it makes the salt the empty
+The Kerberos 4 salting is using no salt at all. Reason there is colon
+at the end of the salt string is that it makes the salt the empty
 string (same as no salt).
 
 @item @code{v5} (or @code{pw-salt})
 
-@code{pw-salt} means all regular encryption-types that is regular 
+@code{pw-salt} uses the default salt for each encryption type is
+specified for. If the encryption type @samp{etype} isn't given, all
+default encryption will be used.
 
 @item @code{afs3-salt}
 
-@code{afs3-salt} is the salting that is used with Transarc kaserver. Its
-the cell appended to the password.
+@code{afs3-salt} is the salt that is used with Transarc kaserver. It's
+the cell name appended to the password.
 
 @end itemize
 
-@node Cross realm, Transit policy , Salting, Setting up a realm
+@node Cross realm, Transit policy, Encryption types and salting, Setting up a realm
 @section Cross realm
 @cindex Cross realm
 
-Suppose you are residing in the realm @samp{MY.REALM}, how do you
+Suppose you reside in the realm @samp{MY.REALM}, how do you
 authenticate to a server in @samp{OTHER.REALM}? Having valid tickets in
-@samp{MY.REALM} allows you to communicate with kerberised services in that
+@samp{MY.REALM} allows you to communicate with Kerberised services in that
 realm. However, the computer in the other realm does not have a secret
 key shared with the Kerberos server in your realm.
 
-It is possible to add a share keys between two realms that trust each
-other. When a client program, such as @code{telnet} or @code{ssh},
+It is possible to share keys between two realms that trust each
+other. When a client program, such as @command{telnet} or @command{ssh},
 finds that the other computer is in a different realm, it will try to
 get a ticket granting ticket for that other realm, but from the local
 Kerberos server. With that ticket granting ticket, it will then obtain
@@ -534,7 +697,7 @@ add the following principals to each realm. The principals should be
 @samp{krbtgt/MY.REALM@@OTHER.REALM} and
 @samp{krbtgt/OTHER.REALM@@MY.REALM}in @samp{OTHER.REALM}.
 
-In Kerberos 5 the trust can be one configured to be one way. So that
+In Kerberos 5 the trust can be configured to be one way. So that
 users from @samp{MY.REALM} can authenticate to services in
 @samp{OTHER.REALM}, but not the opposite. In the example above, the
 @samp{krbtgt/MY.REALM@@OTHER.REALM} then should be removed.
@@ -544,13 +707,12 @@ same set of encryption types. Remember to transfer the two keys in a
 safe manner.
 
 @example
-@cartouche
 vr$ klist
 Credentials cache: FILE:/tmp/krb5cc_913.console
         Principal: lha@@E.KTH.SE
 
-  Issued           Expires          Principal                   
-May  3 13:55:52  May  3 23:55:54  krbtgt/E.KTH.SE@@E.KTH.SE      
+  Issued           Expires          Principal
+May  3 13:55:52  May  3 23:55:54  krbtgt/E.KTH.SE@@E.KTH.SE
 
 vr$ telnet -l lha hummel.it.su.se
 Trying 2001:6b0:5:1095:250:fcff:fe24:dbf...
@@ -567,47 +729,43 @@ vr$ klist
 Credentials cache: FILE:/tmp/krb5cc_913.console
         Principal: lha@@E.KTH.SE
 
-  Issued           Expires          Principal                   
-May  3 13:55:52  May  3 23:55:54  krbtgt/E.KTH.SE@@E.KTH.SE      
-May  3 13:55:56  May  3 23:55:54  krbtgt/SU.SE@@E.KTH.SE         
-May  3 14:10:54  May  3 23:55:54  host/hummel.it.su.se@@SU.SE    
+  Issued           Expires          Principal
+May  3 13:55:52  May  3 23:55:54  krbtgt/E.KTH.SE@@E.KTH.SE
+May  3 13:55:56  May  3 23:55:54  krbtgt/SU.SE@@E.KTH.SE
+May  3 14:10:54  May  3 23:55:54  host/hummel.it.su.se@@SU.SE
 
-@end cartouche
 @end example
 
-@node Transit policy, Setting up DNS , Cross realm, Setting up a realm
+@node Transit policy, Setting up DNS, Cross realm, Setting up a realm
 @section Transit policy
 @cindex Transit policy
 
 If you want to use cross realm authentication through an intermediate
-realm it must be explicitly allowed by either the KDCs or the server
+realm, it must be explicitly allowed by either the KDCs or the server
 receiving the request. This is done in @file{krb5.conf} in the
 @code{[capaths]} section.
 
 When the ticket transits through a realm to another realm, the
 destination realm adds its peer to the "transited-realms" field in the
-ticket. The field is unordered, this is since there is no way to know if
+ticket. The field is unordered, since there is no way to know if
 know if one of the transited-realms changed the order of the list.
 
 The syntax for @code{[capaths]} section:
 
 @example
-@cartouche
 [capaths]
         CLIENT-REALM = @{
                 SERVER-REALM = PERMITTED-CROSS-REALMS ...
         @}
-@end cartouche
 @end example
 
 The realm @code{STACKEN.KTH.SE} allows clients from @code{SU.SE} and
-@code{DSV.SU.SE} to cross in. Since @code{STACKEN.KTH.SE} only have
-direct cross realm with @code{KTH.SE}, and @code{DSV.SU.SE} only have direct cross
-realm with @code{SU.SE} they need to use both @code{SU.SE} and
-@code{KTH.SE} as transit realms.
+@code{DSV.SU.SE} to cross it. Since @code{STACKEN.KTH.SE} only has
+direct cross realm setup with @code{KTH.SE}, and @code{DSV.SU.SE} only
+has direct cross realm setup with @code{SU.SE} they need to use both
+@code{SU.SE} and @code{KTH.SE} as transit realms.
 
 @example
-@cartouche
 [capaths]
 	SU.SE = @{
                     STACKEN.KTH.SE = KTH.SE
@@ -616,36 +774,46 @@ realm with @code{SU.SE} they need to use both @code{SU.SE} and
                     STACKEN.KTH.SE = SU.SE KTH.SE
 	@}
 
-@end cartouche
 @end example
 
+The order of the @code{PERMITTED-CROSS-REALMS} is not important when
+doing transit cross realm verification.
+
+However, the order is important when the @code{[capaths]} section is used
+to figure out the intermediate realm to go to when doing multi-realm
+transit. When figuring out the next realm, the first realm of the list
+of @code{PERMITTED-CROSS-REALMS} is chosen. This is done in both the
+client kerberos library and the KDC.
+
 @c To test the cross realm configuration, use:
 @c    kmumble transit-check client server transit-realms ...
 
-@node Setting up DNS, , Transit policy, Setting up a realm
+@node Setting up DNS, Using LDAP to store the database, Transit policy, Setting up a realm
 @section Setting up DNS
 @cindex Setting up DNS
 
+@subsection Using DNS to find KDC
+
 If there is information about where to find the KDC or kadmind for a
 realm in the @file{krb5.conf} for a realm, that information will be
-preferred and DNS will not be queried.
+preferred, and DNS will not be queried.
 
 Heimdal will try to use DNS to find the KDCs for a realm. First it
-will try to find @code{SRV} resource record (RR) for the realm. If no
-SRV RRs are found, it will fall back to looking for a @code{A} RR for
+will try to find a @code{SRV} resource record (RR) for the realm. If no
+SRV RRs are found, it will fall back to looking for an @code{A} RR for
 a machine named kerberos.REALM, and then kerberos-1.REALM, etc
 
-Adding this information to DNS makes the client have less
-configuration (in the common case, no configuration) and allows the
+Adding this information to DNS minimises the client configuration (in
+the common case, resulting in no configuration needed) and allows the
 system administrator to change the number of KDCs and on what machines
 they are running without caring about clients.
 
-The backside of using DNS that the client might be fooled to use the
+The downside of using DNS is that the client might be fooled to use the
 wrong server if someone fakes DNS replies/data, but storing the IP
 addresses of the KDC on all the clients makes it very hard to change
 the infrastructure.
 
-Example of the configuration for the realm @code{EXAMPLE.COM},
+An example of the configuration for the realm @code{EXAMPLE.COM}:
 
 @example
 
@@ -662,3 +830,626 @@ _kerberos-adm._tcp	SRV	10 1 749 kerberos.example.com.
 More information about DNS SRV resource records can be found in
 RFC-2782 (A DNS RR for specifying the location of services (DNS SRV)).
 
+@subsection Using DNS to map hostname to Kerberos realm
+
+Heimdal also supports a way to lookup a realm from a hostname. This to
+minimise configuration needed on clients. Using this has the drawback
+that clients can be redirected by an attacker to realms within the
+same cross realm trust and made to believe they are talking to the
+right server (since Kerberos authentication will succeed).
+
+An example configuration that informs clients that for the realms
+it.example.com and srv.example.com, they should use the realm
+EXAMPLE.COM:
+
+@example
+
+$ORIGIN example.com.
+_kerberos.it		TXT     "EXAMPLE.COM"
+_kerberos.srv		TXT     "EXAMPLE.COM"
+
+@end example
+
+@node Using LDAP to store the database, Providing Kerberos credentials to servers and programs, Setting up DNS, Setting up a realm
+@section Using LDAP to store the database
+@cindex Using the LDAP backend
+
+This document describes how to install the LDAP backend for
+Heimdal. Note that before attempting to configure such an
+installation, you should be aware of the implications of storing
+private information (such as users' keys) in a directory service
+primarily designed for public information. Nonetheless, with a
+suitable authorisation policy, it is possible to set this up in a
+secure fashion. A knowledge of LDAP, Kerberos, and C is necessary to
+install this backend. The HDB schema was devised by Leif Johansson.
+
+Requirements:
+
+@itemize @bullet
+
+@item
+A current release of Heimdal, configured with
+@code{--with-openldap=/usr/local} (adjust according to where you have
+installed OpenLDAP).
+
+You can verify that you manage to configure LDAP support by running
+@file{kdc --builtin-hdb}, and checking that @samp{ldap:} is one entry
+in the list.
+
+Its also possible to configure the ldap backend as a shared module,
+see option --hdb-openldap-module to configure.
+
+@item
+OpenLDAP 2.0.x. Configure OpenLDAP with @kbd{--enable-local} to enable the
+local transport. (A patch to support SASL EXTERNAL authentication is
+necessary in order to use OpenLDAP 2.1.x.)
+
+@item
+Add the hdb schema to the LDAP server, it's included in the source-tree
+in @file{lib/hdb/hdb.schema}. Example from slapd.conf:
+
+@example
+include /usr/local/etc/openldap/schema/hdb.schema
+@end example
+
+@item
+Configure the LDAP server ACLs to accept writes from clients over the
+local transport. For example:
+
+@example
+access to *
+        by dn.exact="uid=heimdal,dc=services,dc=example,dc=com" write
+        ...
+
+sasl-regexp "uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth"
+	"uid=heimdal,dc=services,dc=example,dc=com"
+
+@end example
+
+The sasl-regexp is for mapping between the SASL/EXTERNAL and a user in
+a tree.  The user that the key is mapped to should be have a
+krb5Principal aux object with krb5PrincipalName set so that the
+``creator'' and ``modifier'' is right in @file{kadmin}.
+
+Another option is to create an admins group and add the dn to that
+group.
+
+Since Heimdal talks to the LDAP server over a UNIX domain socket, and
+uses external sasl authentication, it's not possible to require
+security layer quality (ssf in cyrus-sasl lingo). So that requirement
+has to be turned off in OpenLDAP @command{slapd} configuration file
+@file{slapd.conf}.
+
+@example
+sasl-secprops minssf=0
+@end example
+
+@item
+
+Start @command{slapd} with the local listener (as well as the default TCP/IP
+listener on port 389) as follows:
+
+@example
+    slapd -h "ldapi:/// ldap:///"
+@end example
+
+Note: These is a bug in @command{slapd} where it appears to corrupt the krb5Key
+binary attribute on shutdown. This may be related to our use of the V3
+schema definition syntax instead of the old UMich-style, V2 syntax.
+
+@item
+You should specify the distinguished name under which your
+principals will be stored in @file{krb5.conf}. Also you need to
+enter the path to the kadmin acl file:
+
+
+@example
+[kdc]
+        database = @{
+                dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
+                hdb-ldap-structural-object = inetOrgPerson
+                acl_file = /path/to/kadmind.acl
+                mkey_file = /path/to/mkey
+        @}
+@end example
+
+@samp{mkey_file} can be excluded if you feel that you trust your ldap
+directory to have the raw keys inside it.  The
+hdb-ldap-structural-object is not necessary if you do not need Samba
+comatibility.
+
+
+
+@item
+Once you have built Heimdal and started the LDAP server, run kadmin
+(as usual) to initialise the database. Note that the instructions for
+stashing a master key are as per any Heimdal installation.
+
+@example
+kdc# kadmin -l
+kadmin> init EXAMPLE.COM
+Realm max ticket life [unlimited]:
+Realm max renewable ticket life [unlimited]:
+kadmin> ank lukeh
+Max ticket life [1 day]:
+Max renewable life [1 week]:
+Principal expiration time [never]:
+Password expiration time [never]:
+Attributes []:
+lukeh@@EXAMPLE.COM's Password:
+Verifying password - lukeh@@EXAMPLE.COM's Password:
+kadmin> exit
+@end example
+
+Verify that the principal database has indeed been stored in the
+directory with the following command:
+
+@example
+kdc# ldapsearch -L -h localhost -D cn=manager \
+ -w secret -b ou=KerberosPrincipals,dc=example,dc=com \
+ 'objectclass=krb5KDCEntry'
+@end example
+
+@item
+Now consider adding indexes to the database to speed up the access, at
+least theses should be added to slapd.conf.
+
+@example
+index	objectClass		eq
+index	cn			eq,sub,pres
+index	uid			eq,sub,pres
+index	displayName		eq,sub,pres
+index	krb5PrincipalName	eq
+@end example
+
+@end itemize
+
+@subsection Troubleshooting guide
+
+@url{https://sec.miljovern.no/bin/view/Info/TroubleshootingGuide}
+
+
+@subsection Using Samba LDAP password database
+@cindex Samba
+
+@c @node Using Samba LDAP password database, Providing Kerberos credentials to servers and programs, Using LDAP to store the database, Setting up a realm
+@c @section Using Samba LDAP password database
+
+The Samba domain and the Kerberos realm can have different names since
+arcfour's string to key functions principal/realm independent.  So now
+will be your first and only chance name your Kerberos realm without
+needing to deal with old configuration files.
+
+First, you should set up Samba and get that working with LDAP backend.
+
+Now you can proceed as in @xref{Using LDAP to store the database}.
+Heimdal will pick up the Samba LDAP entries if they are in the same
+search space as the Kerberos entries.
+
+@node Providing Kerberos credentials to servers and programs, Setting up PK-INIT, Using LDAP to store the database, Setting up a realm
+@section Providing Kerberos credentials to servers and programs
+
+Some services require Kerberos credentials when they start to make
+connections to other services or need to use them when they have started.
+
+The easiest way to get tickets for a service is to store the key in a
+keytab. Both ktutil get and kadmin ext can be used to get a
+keytab. ktutil get is better in that way it changes the key/password
+for the user. This is also the problem with ktutil. If ktutil is used
+for the same service principal on several hosts, they keytab will only
+be useful on the last host. In that case, run the extract command on
+one host and then securely copy the keytab around to all other hosts
+that need it.
+
+@example
+host# ktutil -k /etc/krb5-service.keytab \
+      get -p lha/admin@@EXAMPLE.ORG service-principal@@EXAMPLE.ORG
+lha/admin@@EXAMPLE.ORG's Password:
+@end example
+
+To get a Kerberos credential file for the service, use kinit in the
+@kbd{--keytab} mode. This will not ask for a password but instead fetch the
+key from the keytab.
+
+@example
+service@@host$ kinit --cache=/var/run/service_krb5_cache \
+               --keytab=/etc/krb5-service.keytab \
+       service-principal@@EXAMPLE.ORG
+@end example
+
+Long running services might need credentials longer then the
+expiration time of the tickets. kinit can run in a mode that refreshes
+the tickets before they expire. This is useful for services that write
+into AFS and other distributed file systems using Kerberos. To run the
+long running script, just append the program and arguments (if any)
+after the principal. kinit will stop refreshing credentials and remove
+the credentials when the script-to-start-service exits.
+
+@example
+service@@host$ kinit --cache=/var/run/service_krb5_cache \
+       --keytab=/etc/krb5-service.keytab \
+       service-principal@@EXAMPLE.ORG \
+       script-to-start-service argument1 argument2
+@end example
+
+
+@node Setting up PK-INIT, , Providing Kerberos credentials to servers and programs, Setting up a realm
+@section Setting up PK-INIT
+
+PK-INIT is levering the existing PKI infrastructure to use
+certificates to get the initial ticket, that is usually the krbtgt.
+
+To use PK-INIT you must first have a PKI, so if you don't have one,
+it is time to create it. Note that you should read the whole chapter
+of the document to see the requirements on the CA software.
+
+There needs to exist a mapping between the certificate and what
+principals that certificate is allowed to use. There are several ways
+to do this. The administrator can use a configuration file, storing
+the principal in the SubjectAltName extension of the certificate, or store the
+mapping in the principals entry in the kerberos database.
+
+@section Certificates
+
+This section documents the requirements on the KDC and client
+certificates and the format used in the id-pkinit-san OtherName
+extention.
+
+@subsection KDC certificate
+
+The certificate for the KDC have serveral requirements.
+
+First the certificate should have an Extended Key Usage (EKU)
+id-pkkdcekuoid (1.3.6.1.5.2.3.5) set. Second there must be a
+subjectAltName otherName using oid id-pkinit-san (1.3.6.1.5.2.2) in
+the type field and a DER encoded KRB5PrincipalName that matches the
+name of the TGS of the target realm.
+
+Both of these two requirements are not required by the standard to be
+checked by the client if it have external information what the
+certificate the KDC is supposed to be used. So it's in the interest of
+minimum amount of configuration on the clients they should be included.
+
+Remember that if the client would accept any certificate as the KDC's
+certificate, the client could be fooled into trusting something that
+isn't a KDC and thus expose the user to giving away information (like
+password or other private information) that it is supposed to secret.
+
+Also, if the certificate has a nameConstraints extention with a
+Generalname with dNSName or iPAdress it must match the hostname or
+adress of the KDC.
+
+@subsection Client certificate
+
+The client certificate may need to have a EKU id-pkekuoid
+(1.3.6.1.5.2.3.4) set depending on the certifiate on the KDC.
+
+It possible to store the principal (if allowed by the KDC) in the
+certificate and thus delegate responsibility to do the mapping between
+certificates and principals to the CA.
+
+@subsubsection Using KRB5PrincipalName in id-pkinit-san
+
+OtherName extention in the GeneralName is used to do the
+mapping between certifiate and principal in the certifiate or storing
+the krbtgt principal in the KDC certificate.
+
+The principal is stored in a SubjectAltName in the certificate using
+OtherName. The oid in the type is id-pkinit-san.
+
+@example
+id-pkinit-san OBJECT IDENTIFIER ::= @{ iso (1) org (3) dod (6)
+internet (1) security (5) kerberosv5 (2) 2 @}
+@end example
+
+The data part of the OtherName is filled with the following DER
+encoded ASN.1 structure:
+
+@example
+KRB5PrincipalName ::= SEQUENCE @{
+	realm [0] Realm,
+	principalName [1] PrincipalName
+@}
+@end example
+
+where Realm and PrincipalName is defined by the Kerberos ASN.1 specification.
+
+@section Naming certificate using hx509
+
+hx509 is the X.509 software used in Heimdal to handle
+certificates. hx509 uses different syntaxes to specify the different
+formats the certificates are stored in and what formats they exist in.
+
+There are several formats that can be used, PEM, embedded into PKCS12
+files, embedded into PKCS11 devices and raw DER encoded certificates.
+Below is a list of types to use.
+
+
+@table @asis
+
+@item DIR:
+
+DIR is reading all certificates in a directory that is DER or PEM
+formatted.
+
+The main feature of DIR is that the directory is read on demand when
+iterating over certificates, that way applictions can for some cases
+avoid to store all certificates in memory. It's very useful for tests
+that iterate over larger amount of certificates.
+
+Syntax is:
+
+@example
+DIR:/path/to/der/files
+@end example
+
+@item FILE:
+
+FILE: is used to have the lib pick up a certificate chain and a
+private key. The file can be either a PEM (openssl) file or a raw DER
+encoded certificate. If it's a PEM file it can contain several keys and
+certificates and the code will try to match the private key and
+certificate together.
+
+Its useful to have one PEM file that contains all the trust anchors.
+
+Syntax is:
+
+@example
+FILE:certificate.pem,private-key.key,other-cert.pem,....
+@end example
+
+@item PKCS11:
+
+PKCS11: is used to handle smartcards via PKCS11 drivers, for example
+soft-token, opensc, or muscle. The default is to use all slots on the
+device/token.
+
+Syntax is:
+
+@example
+PKCS11:shared-object.so
+@end example
+
+@item PKCS12:
+
+PKCS12: is used to handle PKCS12 files. PKCS12 files commonly have the
+extension pfx or p12.
+
+Syntax is:
+
+@example
+PKCS12:/path/to/file.pfx
+@end example
+
+@end table
+
+@section Configure the Kerberos software
+
+First configure the client's trust anchors and what parameters to
+verify, see subsection below how to do that. Now you can use kinit to
+get yourself tickets. One example how that can look like is:
+
+@example
+$ kinit -C FILE:$HOME/.certs/lha.crt,$HOME/.certs/lha.key lha@@EXAMPLE.ORG
+Enter your private key passphrase:
+: lha@@nutcracker ; klist
+Credentials cache: FILE:/tmp/krb5cc_19100a
+        Principal: lha@@EXAMPLE.ORG
+
+  Issued           Expires          Principal
+Apr 20 02:08:08  Apr 20 12:08:08  krbtgt/EXAMPLE.ORG@@EXAMPLE.ORG
+@end example
+
+Using PKCS11 it can look like this instead:
+
+@example
+$ kinit -C PKCS11:/tmp/pkcs11/lib/soft-pkcs11.so lha@@EXAMPLE.ORG
+PIN code for SoftToken (slot):
+$ klist
+Credentials cache: API:4
+        Principal: lha@@EXAMPLE.ORG
+
+  Issued           Expires          Principal
+Mar 26 23:40:10  Mar 27 09:40:10  krbtgt/EXAMPLE.ORG@@EXAMPLE.ORG
+@end example
+
+
+Write about the kdc.
+
+@section Configure the client
+
+@example
+[appdefaults]
+	pkinit_anchors = FILE:/path/to/trust-anchors.pem
+
+[realms]
+        EXAMPLE.COM = @{
+		pkinit_require_eku = true
+		pkinit_require_krbtgt_otherName = true
+		pkinit_win2k = no
+		pkinit_win2k_require_binding = yes
+	@}
+
+@end example
+
+@section Configure the KDC
+
+@example
+[kdc]
+	enable-pkinit = yes
+	pkinit_identity = FILE:/secure/kdc.crt,/secure/kdc.key
+	pkinit_anchors = FILE:/path/to/trust-anchors.pem
+	pkinit_pool = PKCS12:/path/to/useful-intermediate-certs.pfx
+	pkinit_pool = FILE:/path/to/other-useful-intermediate-certs.pem
+	pkinit_allow_proxy_certificate = false
+	pkinit_win2k_require_binding = yes
+@end example
+
+@subsection Using pki-mapping file
+
+Note that the file name is space sensitive.
+
+@example
+# cat /var/heimdal/pki-mapping
+# comments starts with #
+lha@@EXAMPLE.ORG:C=SE,O=Stockholm universitet,CN=Love,UID=lha
+lha@@EXAMPLE.ORG:CN=Love,UID=lha
+@end example
+
+@subsection Using the Kerberos database
+
+@section Use hxtool to create certificates
+
+@subsection Generate certificates
+
+First you need to generate a CA certificate, change the --subject to
+something appropriate, the CA certificate will be valid for 10 years.
+
+You need to change --subject in the command below.
+
+@example
+hxtool issue-certificate \
+    --self-signed \
+    --issue-ca \
+    --generate-key=rsa \
+    --subject="CN=CA,DC=test,DC=h5l,DC=se" \
+    --lifetime=10years \
+    --certificate="FILE:ca.pem"
+@end example
+
+The KDC needs to have a certificate, so generate a certificate of the
+type ``pkinit-kdc'' and set the PK-INIT specifial SubjectAltName to the
+name of the krbtgt of the realm.
+
+You need to change --subject and --pk-init-principal in the command below.
+
+@example
+hxtool issue-certificate \
+    --ca-certificate=FILE:ca.pem \
+    --generate-key=rsa \
+    --type="pkinit-kdc" \
+    --pk-init-principal="krbtgt/TEST.H5L.SE@@TEST.H5L.SE" \
+    --subject="uid=kdc,DC=test,DC=h5l,DC=se" \
+    --certificate="FILE:kdc.pem"
+@end example
+
+The users also needs to have a certificate, so generate a certificate
+of the type ``pkinit-client''. The client doesn't need to have the PK-INIT
+SubjectAltName set, you can have the Subject DN in the ACL file
+(pki-mapping) instead.
+
+You need to change --subject and --pk-init-principal in the command below.
+
+@example
+hxtool issue-certificate \
+    --ca-certificate=FILE:ca.pem \
+    --generate-key=rsa \
+    --type="pkinit-client" \
+    --pk-init-principal="lha@@TEST.H5L.SE" \
+    --subject="uid=lha,DC=test,DC=h5l,DC=se" \
+    --certificate="FILE:user.pem"
+@end example
+
+@subsection Validate the certificate
+
+hxtool also contains a tool that will validate certificates according to
+rules from the PKIX document. These checks are not complete, but a good test
+to check if you got all of the basic bits right in your certificates.
+
+@example
+hxtool validate FILE:user.pem
+@end example
+
+@section Use OpenSSL to create certificates
+
+This section tries to give the CA owners hints how to create
+certificates using OpenSSL (or CA software based on OpenSSL).
+
+@subsection Using OpenSSL to create certificates with krb5PrincipalName
+
+To make OpenSSL create certificates with krb5PrincipalName use
+@file{openssl.cnf} as described below. To see a complete example of
+creating client and KDC certificates, see the test-data generation
+script @file{lib/hx509/data/gen-req.sh} in the source-tree. The
+certicates it creates are used to test the PK-INIT functionality in
+@file{tests/kdc/check-kdc.in}.
+
+To use this example you have to use OpenSSL 0.9.8a or later.
+
+@example
+
+[user_certificate]
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
+
+[princ_name]
+realm = EXP:0, GeneralString:MY.REALM
+principal_name = EXP:1, SEQUENCE:principal_seq
+
+[principal_seq]
+name_type = EXP:0, INTEGER:1
+name_string = EXP:1, SEQUENCE:principals
+
+[principals]
+princ1 = GeneralString:userid
+
+@end example
+
+Command usage
+
+@example
+openssl x509 -extensions user_certificate
+openssl ca -extensions user_certificate
+@end example
+
+
+@c --- ms certificate
+@c
+@c [ new_oids ]
+@c msCertificateTemplateName       = 1.3.6.1.4.1.311.20.2
+@c
+@c
+@c [ req_smartcard ]
+@c keyUsage                = digitalSignature, keyEncipherment
+@c extendedKeyUsage        = msSmartcardLogin, clientAuth
+@c msCertificateTemplateName       = ASN1:BMP:SmartcardLogon
+@c subjectAltName          = otherName:msUPN;UTF8:lukeh@dsg.padl.com
+@c #subjectAltName         = email:copy
+
+
+@section Using PK-INIT with Windows
+
+@subsection Client configration
+
+Clients using a Windows KDC with PK-INIT need configuration since
+windows uses pre-standard format and this can't be autodetected.
+
+The pkinit_win2k_require_binding option requires the reply for the KDC
+to be of the new, secure, type that binds the request to reply. Before
+clients should fake the reply from the KDC. To use this option you
+have to apply a fix from Microsoft.
+
+@example
+[realms]
+        MY.MS.REALM = @{
+                pkinit_win2k = yes
+                pkinit_win2k_require_binding = no
+	@}
+@end example
+
+@subsection Certificates
+
+The client certificates need to have the extended keyusage ``Microsoft
+Smartcardlogin'' (openssl have the oid shortname msSmartcardLogin).
+
+See Microsoft Knowledge Base Article - 281245 ``Guidelines for Enabling
+Smart Card Logon with Third-Party Certification Authorities'' for a
+more extensive description of how set setup an external CA to it
+includes all information that will make a Windows KDC happy.
+
+@subsection Configure Windows 2000 CA
+
+To enable Microsoft Smartcardlogin> for certificates in your Windows
+2000 CA, you want to look at Microsoft Knowledge Base Article -
+313274 ``HOW TO: Configure a Certification Authority to Issue
+Smart Card Certificates in Windows''.
diff --git a/crypto/heimdal/doc/vars.texi b/crypto/heimdal/doc/vars.texi
new file mode 100755
index 0000000..c2e6671
--- /dev/null
+++ b/crypto/heimdal/doc/vars.texi
@@ -0,0 +1,7 @@
+
+@c
+@c Variables depending on installation
+@c
+
+@set dbdir /var/heimdal
+@set PACKAGE_VERSION 1.1
diff --git a/crypto/heimdal/doc/vars.tin b/crypto/heimdal/doc/vars.tin
new file mode 100644
index 0000000..d3e67b7
--- /dev/null
+++ b/crypto/heimdal/doc/vars.tin
@@ -0,0 +1,7 @@
+
+@c
+@c Variables depending on installation
+@c
+
+@set dbdir @dbdir@
+@set PACKAGE_VERSION @PACKAGE_VERSION@
diff --git a/crypto/heimdal/doc/whatis.texi b/crypto/heimdal/doc/whatis.texi
index eff52d7..307c5a2 100644
--- a/crypto/heimdal/doc/whatis.texi
+++ b/crypto/heimdal/doc/whatis.texi
@@ -1,4 +1,4 @@
-@c $Id: whatis.texi,v 1.5 2001/01/28 22:11:23 assar Exp $
+@c $Id: whatis.texi 16769 2006-02-27 12:26:50Z joda $
 
 @node What is Kerberos?, Building and Installing, Introduction, Top
 @chapter What is Kerberos?
@@ -42,12 +42,22 @@ services can authenticate each other.
 
 @ifhtml
 @macro sub{arg}
-<\arg\>
+@html
+<sub>\arg\</sub>
+@end html
 @end macro
 @end ifhtml
 
+@c ifdocbook
+@c macro sub{arg}
+@c docbook
+@c <subscript>\arg\</subscript>
+@c end docbook
+@c end macro
+@c end ifdocbook
+
 @quotation
-@strong{Note:} This discussion is about Kerberos version 4, but version
+@strong{Note} This discussion is about Kerberos version 4, but version
 5 works similarly.
 @end quotation
 
@@ -113,7 +123,7 @@ attack.
 her credentials, @var{C} just pretend to verify them. @var{C} can't
 be sure that she is talking to @var{A}.
 
-@section Defense strategies
+@section Defence strategies
 
 It would be possible to add a @dfn{replay cache}
 @cindex replay cache
diff --git a/crypto/heimdal/doc/win2k.texi b/crypto/heimdal/doc/win2k.texi
index 2db4da1..7bc9b2a 100644
--- a/crypto/heimdal/doc/win2k.texi
+++ b/crypto/heimdal/doc/win2k.texi
@@ -1,4 +1,4 @@
-@c $Id: win2k.texi,v 1.15 2001/07/19 16:44:41 assar Exp $
+@c $Id: win2k.texi 21991 2007-10-19 13:28:07Z lha $
 
 @node Windows 2000 compatability, Programming with Kerberos, Kerberos 4 issues, Top
 @comment  node-name,  next,  previous,  up
@@ -10,19 +10,20 @@ peculiarities, and bugs.  This chapter is a short summary of the things
 that we have found out while trying to test Heimdal against Windows
 2000.  Another big problem with the Kerberos implementation in Windows
 2000 is that the available documentation is more focused on getting
-things to work rather than how they work and not that useful in figuring
+things to work rather than how they work, and not that useful in figuring
 out how things really work.
 
 This information should apply to Heimdal @value{VERSION} and Windows
-2000 Professional.  It's of course subject all the time and mostly consists of
-our not so inspired guesses.  Hopefully it's still somewhat useful.
+2000 Professional.  It's of course subject to change all the time and
+mostly consists of our not so inspired guesses.  Hopefully it's still
+somewhat useful.
 
 @menu
 * Configuring Windows 2000 to use a Heimdal KDC::  
 * Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC::  
 * Create account mappings::     
 * Encryption types::            
-* Authorization data::          
+* Authorisation data::          
 * Quirks of Windows 2000 KDC::  
 * Useful links when reading about the Windows 2000::  
 @end menu
@@ -31,47 +32,53 @@ our not so inspired guesses.  Hopefully it's still somewhat useful.
 @comment node-name, next, precious, up
 @section Configuring Windows 2000 to use a Heimdal KDC
 
-You need the command line program called @code{ksetup.exe} which is available
-in the file @code{SUPPORT/TOOLS/SUPPORT.CAB} on the Windows 2000 Professional
+You need the command line program called @command{ksetup.exe} which is available
+in the file @file{SUPPORT/TOOLS/SUPPORT.CAB} on the Windows 2000 Professional
 CD-ROM. This program is used to configure the Kerberos settings on a
 Workstation.
 
-@code{Ksetup} store the domain information under the registry key:
+@command{Ksetup} store the domain information under the registry key:
 @code{HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains}.
 
-Use the kadmin program in Heimdal to create a host principal in the
+Use the @command{kadmin} program in Heimdal to create a host principal in the
 Kerberos realm.
 
 @example
 unix% kadmin
-kadmin> ank -pw password host/datan.my.domain
+kadmin> ank --password=password host/datan.example.com
 @end example
 
-You must configure the Workstation as a member of a workgroup, as opposed
+The name @samp{datan.example.com} should be replaced with DNS name of
+the workstation.
+
+You must configure the workstation as a member of a workgroup, as opposed
 to a member in an NT domain, and specify the KDC server of the realm
 as follows:
 @example
-C:> ksetup /setdomain MY.REALM
-C:> ksetup /addkdc MY.REALM kdc.my.domain
+C:> ksetup /setdomain EXAMPLE.COM
+C:> ksetup /addkdc EXAMPLE.COM kdc.example.com
 @end example
 
-Set the machine password, i.e. create the local keytab:
+Set the machine password, i.e.@: create the local keytab:
 @example
-C:> ksetup /setmachpassword password
+C:> ksetup /SetComputerPassword password
 @end example
 
+The password used in @kbd{ksetup /setmachpassword} must be the same
+as the password used in the @kbd{kadmin ank} command.
+
 The workstation must now be rebooted.
 
-A mapping between local NT users and Kerberos principals must be specified,
-you have two choices:
+A mapping between local NT users and Kerberos principals must be specified.
+You have two choices. First:
 
 @example
 C:> ksetup /mapuser user@@MY.REALM nt_user
 @end example
 
-This will map a user to a specific principal, this allows you to have
+This will map a user to a specific principal; this allows you to have
 other usernames in the realm than in your NT user database. (Don't ask
-me why on earth you would want that...)
+me why on earth you would want that@enddots{})
 
 You can also say:
 @example
@@ -92,17 +99,18 @@ Server) for the domain.
 
 By default the trust will be non-transitive. This means that only users
 directly from the trusted domain may authenticate. This can be changed
-to transitive by using the @code{netdom.exe} tool.
+to transitive by using the @command{netdom.exe} tool. @command{netdom.exe} 
+can also be used to add the trust between two realms.
 
 You need to tell Windows 2000 on what hosts to find the KDCs for the
-non-Windows realm with @code{ksetup}, see @xref{Configuring Windows 2000
+non-Windows realm with @command{ksetup}, see @xref{Configuring Windows 2000
 to use a Heimdal KDC}.
 
-This need to be done on all computers that want enable cross-realm
-login with @code{Mapped Names}.
+This needs to be done on all computers that want enable cross-realm
+login with @code{Mapped Names}. @c XXX probably shouldn't be @code
 
-Then you need to add the inter-realm keys on the Windows kdc. Start the
-Domain Tree Management tool. (Found in Programs, Administrative tools,
+Then you need to add the inter-realm keys on the Windows KDC@. Start the
+Domain Tree Management tool (found in Programs, Administrative tools,
 Active Directory Domains and Trusts).
 
 Right click on Properties of your domain, select the Trust tab.  Press
@@ -110,19 +118,17 @@ Add on the appropriate trust windows and enter domain name and
 password. When prompted if this is a non-Windows Kerberos realm, press
 OK.
 
-Do not forget to add trusts in both directions.
+Do not forget to add trusts in both directions (if that's what you want).
 
-You also need to add the inter-realm keys to the Heimdal KDC. There are
-some tweaks that you need to do to @file{krb5.conf} beforehand.
+If you want to use @command{netdom.exe} instead of the Domain Tree
+Management tool, you do it like this:
 
 @example
-[libdefaults]
-	default_etypes = des-cbc-crc
-	default_etypes_des = des-cbc-crc
+netdom trust NT.REALM.EXAMPLE.COM /Domain:EXAMPLE.COM /add /realm /passwordt:TrustPassword
 @end example
 
-since otherwise checksum types that are not understood by Windows 2000
-will be generated (@xref{Quirks of Windows 2000 KDC}.).
+You also need to add the inter-realm keys to the Heimdal KDC. Make sure
+you have matching encryption types (DES, Arcfour and AES in case of Longhorn)
 
 Another issue is salting.  Since Windows 2000 does not seem to
 understand Kerberos 4 salted hashes you might need to turn off anything
@@ -130,10 +136,22 @@ similar to the following if you have it, at least while adding the
 principals that are going to share keys with Windows 2000.
 
 @example
-	[kadmin]default_keys = v5 v4
+[kadmin]
+        default_keys = v5 v4
 @end example
 
-You must also set:
+So remove v4 from default keys.
+
+What you probably want to use is this:
+
+@example
+[kadmin]
+        default_keys = des-cbc-crc:pw-salt arcfour-hmac-md5:pw-salt
+@end example
+
+@c XXX check this
+@c It is definitely not supported in base 2003.  I haven't been able to
+@c get SP1 installed here, but it is supposed to work in that.
 
 Once that is also done, you can add the required inter-realm keys:
 
@@ -144,9 +162,9 @@ kadmin add krbtgt/REALM.EXAMPLE.COM@@NT.EXAMPLE.COM
 
 Use the same passwords for both keys.
 
-Do not forget to reboot before trying the new realm-trust (after running
-@code{ksetup}). It looks like it might work, but packets are never sent to the
-non-Windows KDC.
+Do not forget to reboot before trying the new realm-trust (after
+running @command{ksetup}). It looks like it might work, but packets are
+never sent to the non-Windows KDC.
 
 @node Create account mappings, Encryption types, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability
 @comment node-name, next, precious, up
@@ -160,26 +178,28 @@ are going to do a name mapping for and choose Name mapping.
 Click on the Kerberos Names tab and add a new principal from the
 non-Windows domain.
 
-@node Encryption types, Authorization data, Create account mappings, Windows 2000 compatability
+@c XXX check entry name then I have network again
+This adds @samp{authorizationNames} entry to the users LDAP entry to
+the Active Directory LDAP catalog. When you create users by script you
+can add this entry instead.
+
+@node Encryption types, Authorisation data, Create account mappings, Windows 2000 compatability
 @comment  node-name,  next,  previous,  up
 @section Encryption types
 
-Windows 2000 supports both the standard DES encryptions (des-cbc-crc and
-des-cbc-md5) and its own proprietary encryption that is based on MD4 and
-rc4 that is documented in and is supposed to be described in
+Windows 2000 supports both the standard DES encryptions (@samp{des-cbc-crc} and
+@samp{des-cbc-md5}) and its own proprietary encryption that is based on MD4 and
+RC4 that is documented in and is supposed to be described in
 @file{draft-brezak-win2k-krb-rc4-hmac-03.txt}.  New users will get both
 MD4 and DES keys.  Users that are converted from a NT4 database, will
 only have MD4 passwords and will need a password change to get a DES
 key.
 
-Heimdal implements both of these encryption types, but since DES is the
-standard and the hmac-code is somewhat newer, it is likely to work better.
-
-@node Authorization data, Quirks of Windows 2000 KDC, Encryption types, Windows 2000 compatability
+@node Authorisation data, Quirks of Windows 2000 KDC, Encryption types, Windows 2000 compatability
 @comment  node-name,  next,  previous,  up
-@section Authorization data
+@section Authorisation data
 
-The Windows 2000 KDC also adds extra authorization data in tickets.
+The Windows 2000 KDC also adds extra authorisation data in tickets.
 It is at this point unclear what triggers it to do this.  The format of
 this data is only available under a ``secret'' license from Microsoft,
 which prohibits you implementing it.
@@ -196,29 +216,28 @@ database.  Make sure it has a DES key.
 @item Run @kbd{ktutil add} to add the key for that principal to a
 keytab.
 @item Run @kbd{appl/test/nt_gss_server -p 2000 -s authsamp
---dump-auth=file} where file is an appropriate file.
-@item It should authenticate and dump for you the authorization data in
+@kbd{--dump-auth}=@var{file}} where @var{file} is an appropriate file.
+@item It should authenticate and dump for you the authorisation data in
 the file.
 @item The tool @kbd{lib/asn1/asn1_print} is somewhat useful for
-analyzing the data.
+analysing the data.
 @end enumerate
 
-@node Quirks of Windows 2000 KDC, Useful links when reading about the Windows 2000, Authorization data, Windows 2000 compatability
+@node Quirks of Windows 2000 KDC, Useful links when reading about the Windows 2000, Authorisation data, Windows 2000 compatability
 @comment  node-name,  next,  previous,  up
 @section Quirks of Windows 2000 KDC
 
-There are some issues with salts and Windows 2000.  Using an empty salt,
-which is the only one that Kerberos 4 supported and is therefore known
-as a Kerberos 4 compatible salt does not work, as far as we can tell
-from out experiments and users reports.  Therefore, you have to make
+There are some issues with salts and Windows 2000.  Using an empty salt---which is the only one that Kerberos 4 supported, and is therefore known
+as a Kerberos 4 compatible salt---does not work, as far as we can tell
+from out experiments and users' reports.  Therefore, you have to make
 sure you keep around keys with all the different types of salts that are
-required.
+required.  Microsoft have fixed this issue post Windows 2003.
 
 Microsoft seems also to have forgotten to implement the checksum
 algorithms @samp{rsa-md4-des} and @samp{rsa-md5-des}. This can make Name
-mapping (@pxref{Create account mappings}) fail if a @code{des-cbc-md5} key
-is used. To make the KDC return only @code{des-cbc-crc} you must delete
-the @code{des-cbc-md5} key from the kdc using the @code{kadmin
+mapping (@pxref{Create account mappings}) fail if a @samp{des-cbc-md5} key
+is used. To make the KDC return only @samp{des-cbc-crc} you must delete
+the @samp{des-cbc-md5} key from the kdc using the @kbd{kadmin
 del_enctype} command.
 
 @example
@@ -240,43 +259,43 @@ unsupported types are generated.
 @comment  node-name,  next,  previous,  up
 @section Useful links when reading about the Windows 2000
 
-See also our paper presented at the 2001 usenix Annual Technical
+See also our paper presented at the 2001 Usenix Annual Technical
 Conference, available in the proceedings or at
-@url{http://www.usenix.org/publications/library/proceedings/usenix01/freenix01/westerlund.html}.
+@uref{http://www.usenix.org/publications/library/proceedings/usenix01/freenix01/westerlund.html}.
 
-There are lots of text about Kerberos on Microsoft's web site, here is a
+There are lots of texts about Kerberos on Microsoft's web site, here is a
 short list of the interesting documents that we have managed to find.
 
 @itemize @bullet
 
-@item Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability -
-@url{http://www.microsoft.com/windows2000/library/planning/security/kerbsteps.asp}
-Kerberos GSS-API (in Windows-ize SSPI), Windows as a client in a
+@item Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability:
+@uref{http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx}.
+Kerberos GSS-API (in Windows-eze SSPI), Windows as a client in a
 non-Windows KDC realm, adding unix clients to a Windows 2000 KDC, and
-adding cross-realm trust (@xref{Inter-Realm keys (trust) between Windows 2000
-and a Heimdal KDC}.).
+adding cross-realm trust (@pxref{Inter-Realm keys (trust) between Windows 2000
+and a Heimdal KDC}).
 
-@item Windows 2000 Kerberos Authentication - 
-@url{http://www.microsoft.com/TechNet/win2000/win2ksrv/technote/kerberos.asp}
+@item Windows 2000 Kerberos Authentication:
+@uref{www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/kerberos.mspx}.
 White paper that describes how Kerberos is used in Windows 2000.
 
-@item Overview of kerberos -
-@url{http://support.microsoft.com/support/kb/articles/Q248/7/58.ASP}
+@item Overview of Kerberos:
+@uref{http://support.microsoft.com/support/kb/articles/Q248/7/58.ASP}.
 Links to useful other links.
 
-@item Klist for windows - 
-@url{http://msdn.microsoft.com/library/periodic/period00/security0500.htm}
-Describes where to get a klist for Windows 2000.
+@c @item Klist for Windows:
+@c @uref{http://msdn.microsoft.com/library/periodic/period00/security0500.htm}.
+@c Describes where to get a klist for Windows 2000.
 
-@item Event logging for kerberos -
-@url{http://support.microsoft.com/support/kb/articles/Q262/1/77.ASP}.
-Basicly it say that you can add a registry key
+@item Event logging for Kerberos:
+@uref{http://support.microsoft.com/support/kb/articles/Q262/1/77.ASP}.
+Basically it say that you can add a registry key
 @code{HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel}
 with value DWORD equal to 1, and then you'll get logging in the Event
 Logger.
 
-@item Access to the active directory through LDAP
-@url{http://msdn.microsoft.com/library/techart/kerberossamp.htm}
+@c @item Access to the Active Directory through LDAP:
+@c @uref{http://msdn.microsoft.com/library/techart/kerberossamp.htm}
 
 @end itemize
 
@@ -284,5 +303,4 @@ Other useful programs include these:
 
 @itemize @bullet
 @item pwdump2
-@url{http://www.webspan.net/~tas/pwdump2/}
-@end itemize
+@uref{http://www.bindview.com/Support/RAZOR/Utilities/Windows/pwdump2_readme.cfm}@end itemize
diff --git a/crypto/heimdal/etc/Makefile.am b/crypto/heimdal/etc/Makefile.am
new file mode 100644
index 0000000..d5675d5
--- /dev/null
+++ b/crypto/heimdal/etc/Makefile.am
@@ -0,0 +1,5 @@
+# $Id: Makefile.am 20565 2007-04-27 13:52:30Z lha $
+
+include $(top_srcdir)/Makefile.am.common
+
+EXTRA_DIST = services.append
diff --git a/crypto/heimdal/etc/Makefile.in b/crypto/heimdal/etc/Makefile.in
new file mode 100644
index 0000000..fef8bd2
--- /dev/null
+++ b/crypto/heimdal/etc/Makefile.in
@@ -0,0 +1,658 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# $Id: Makefile.am 20565 2007-04-27 13:52:30Z lha $
+
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
+
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
+	$(top_srcdir)/Makefile.am.common \
+	$(top_srcdir)/cf/Makefile.am.common
+subdir = etc
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
+	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
+	$(top_srcdir)/cf/broken-glob.m4 \
+	$(top_srcdir)/cf/broken-realloc.m4 \
+	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
+	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
+	$(top_srcdir)/cf/capabilities.m4 \
+	$(top_srcdir)/cf/check-compile-et.m4 \
+	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
+	$(top_srcdir)/cf/check-man.m4 \
+	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
+	$(top_srcdir)/cf/check-type-extra.m4 \
+	$(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \
+	$(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \
+	$(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
+	$(top_srcdir)/cf/dlopen.m4 \
+	$(top_srcdir)/cf/find-func-no-libs.m4 \
+	$(top_srcdir)/cf/find-func-no-libs2.m4 \
+	$(top_srcdir)/cf/find-func.m4 \
+	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
+	$(top_srcdir)/cf/have-struct-field.m4 \
+	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
+	$(top_srcdir)/cf/krb-bigendian.m4 \
+	$(top_srcdir)/cf/krb-func-getlogin.m4 \
+	$(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
+	$(top_srcdir)/cf/krb-readline.m4 \
+	$(top_srcdir)/cf/krb-struct-spwd.m4 \
+	$(top_srcdir)/cf/krb-struct-winsize.m4 \
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/include/config.h
+CONFIG_CLEAN_FILES =
+depcomp =
+am__depfiles_maybe =
+SOURCES =
+DIST_SOURCES =
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CFLAGS = @CFLAGS@
+COMPILE_ET = @COMPILE_ET@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DBLIB = @DBLIB@
+DEFS = @DEFS@
+DIR_com_err = @DIR_com_err@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
+DIR_roken = @DIR_roken@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GREP = @GREP@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+INCLUDE_krb4 = @INCLUDE_krb4@
+INCLUDE_openldap = @INCLUDE_openldap@
+INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_NDBM = @LIB_NDBM@
+LIB_XauFileName = @LIB_XauFileName@
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_XauWriteAuth = @LIB_XauWriteAuth@
+LIB_bswap16 = @LIB_bswap16@
+LIB_bswap32 = @LIB_bswap32@
+LIB_com_err = @LIB_com_err@
+LIB_com_err_a = @LIB_com_err_a@
+LIB_com_err_so = @LIB_com_err_so@
+LIB_crypt = @LIB_crypt@
+LIB_db_create = @LIB_db_create@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
+LIB_el_init = @LIB_el_init@
+LIB_freeaddrinfo = @LIB_freeaddrinfo@
+LIB_gai_strerror = @LIB_gai_strerror@
+LIB_getaddrinfo = @LIB_getaddrinfo@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_gethostbyname2 = @LIB_gethostbyname2@
+LIB_getnameinfo = @LIB_getnameinfo@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
+LIB_hesiod = @LIB_hesiod@
+LIB_hstrerror = @LIB_hstrerror@
+LIB_kdb = @LIB_kdb@
+LIB_krb4 = @LIB_krb4@
+LIB_loadquery = @LIB_loadquery@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_openldap = @LIB_openldap@
+LIB_openpty = @LIB_openpty@
+LIB_otp = @LIB_otp@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
+LIB_res_nsearch = @LIB_res_nsearch@
+LIB_res_search = @LIB_res_search@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VERSIONING = @VERSIONING@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
+X_CFLAGS = @X_CFLAGS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_LIBS = @X_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dpagaix_cflags = @dpagaix_cflags@
+dpagaix_ldadd = @dpagaix_ldadd@
+dpagaix_ldflags = @dpagaix_ldflags@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
+@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
+AM_CFLAGS = $(WFLAGS)
+CP = cp
+buildinclude = $(top_builddir)/include
+LIB_getattr = @LIB_getattr@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_setpcred = @LIB_setpcred@
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+NROFF_MAN = groff -mandoc -Tascii
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
+@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+EXTRA_DIST = services.append
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign  --ignore-deps etc/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign  --ignore-deps etc/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+tags: TAGS
+TAGS:
+
+ctags: CTAGS
+CTAGS:
+
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) \
+	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
+	  dist-hook
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+all-am: Makefile all-local
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
+.PHONY: all all-am all-local check check-am check-local clean \
+	clean-generic clean-libtool dist-hook distclean \
+	distclean-generic distclean-libtool distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	uninstall uninstall-am uninstall-hook
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+
+check-local::
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
+	  foo='$(CHECK_LOCAL)'; else \
+	  foo='$(PROGRAMS)'; fi; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0 || exit 1; \
+	fi
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/etc/services.append b/crypto/heimdal/etc/services.append
index 9ee650d..2eff2f7 100644
--- a/crypto/heimdal/etc/services.append
+++ b/crypto/heimdal/etc/services.append
@@ -1,5 +1,5 @@
 #
-# $Id: services.append,v 1.6 2001/08/08 15:48:37 assar Exp $
+# $Id: services.append 10452 2001-08-08 15:48:37Z assar $
 #
 # Kerberos services
 #
diff --git a/crypto/heimdal/include/Makefile.am b/crypto/heimdal/include/Makefile.am
index c283cd2..a63c227 100644
--- a/crypto/heimdal/include/Makefile.am
+++ b/crypto/heimdal/include/Makefile.am
@@ -1,16 +1,16 @@
-# $Id: Makefile.am,v 1.33 2002/09/10 19:59:25 joda Exp $
+# $Id: Makefile.am 22396 2008-01-01 19:35:05Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-SUBDIRS = kadm5
+SUBDIRS = kadm5 hcrypto gssapi
 
 noinst_PROGRAMS = bits make_crypto
-CHECK_LOCAL =
+CHECK_LOCAL = no-check-local
 
-INCLUDES += -DHOST=\"$(CANONICAL_HOST)\"
+AM_CPPFLAGS += -DHOST=\"$(CANONICAL_HOST)\"
 
-include_HEADERS = krb5-types.h
-noinst_HEADERS = crypto-headers.h
+nodist_include_HEADERS = krb5-types.h
+nodist_noinst_HEADERS = crypto-headers.h
 
 krb5-types.h: bits$(EXEEXT)
 	./bits$(EXEEXT) krb5-types.h
@@ -18,39 +18,70 @@ krb5-types.h: bits$(EXEEXT)
 crypto-headers.h: make_crypto$(EXEEXT)
 	./make_crypto$(EXEEXT) crypto-headers.h
 
-CLEANFILES =		\
-	asn1.h		\
-	asn1_err.h	\
-	base64.h	\
-	com_err.h	\
-	com_right.h	\
-	crypto-headers.h\
-	der.h		\
-	des.h		\
-	editline.h	\
-	err.h		\
-	getarg.h	\
-	glob.h		\
-	gssapi.h	\
-	hdb.h		\
-	hdb_asn1.h	\
-	hdb_err.h	\
-	heim_err.h	\
-	kafs.h		\
-	krb5-protos.h	\
-	krb5-private.h	\
-	krb5-types.h	\
-	krb5.h		\
-	krb5_err.h	\
-	md4.h		\
-	md5.h		\
-	rc4.h		\
-	otp.h		\
-	parse_time.h	\
-	parse_units.h	\
-	resolve.h	\
-	roken-common.h	\
-	roken.h		\
-	sha.h		\
-	sl.h		\
+CLEANFILES =			\
+	cms_asn1.h 		\
+	der-protos.h 		\
+	digest_asn1.h 		\
+	hdb-protos.h		\
+	heim_asn1.h		\
+	heim_threads.h		\
+	hex.h			\
+	hx509-protos.h		\
+	hx509.h			\
+	hx509_err.h		\
+	kx509_asn1.h		\
+	kx509_err.h		\
+	k524_err.h		\
+	kdc-protos.h		\
+	kdc.h			\
+	krb5_asn1.h		\
+	krb5_ccapi.h		\
+	parse_bytes.h		\
+	pkcs12_asn1.h		\
+	pkcs8_asn1.h		\
+	pkcs9_asn1.h		\
+	pkinit_asn1.h		\
+	rfc2459_asn1.h		\
+	rtbl.h			\
+	test-mem.h		\
+	vers.h			\
+	vis.h			\
+	asn1.h			\
+	asn1_err.h		\
+	base64.h		\
+	com_err.h		\
+	com_right.h		\
+	crypto-headers.h	\
+	der.h			\
+	editline.h		\
+	err.h			\
+	getarg.h		\
+	glob.h			\
+	gssapi.h		\
+	hdb.h			\
+	hdb_asn1.h		\
+	hdb_err.h		\
+	heim_err.h		\
+	heimntlm.h		\
+	heimntlm-protos.h	\
+	kafs.h			\
+	krb_err.h		\
+	krb5-protos.h		\
+	krb5-private.h		\
+	krb5-types.h		\
+	krb5.h			\
+	krb5_err.h		\
+	otp.h			\
+	parse_time.h		\
+	parse_units.h		\
+	resolve.h		\
+	roken-common.h		\
+	roken.h			\
+	sl.h			\
+	windc_plugin.h		\
+	locate_plugin.h		\
 	xdbm.h
+
+DISTCLEANFILES = 	\
+	version.h	\
+	version.h.in
diff --git a/crypto/heimdal/include/Makefile.in b/crypto/heimdal/include/Makefile.in
index 7b18f68..3822744 100644
--- a/crypto/heimdal/include/Makefile.in
+++ b/crypto/heimdal/include/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,24 +14,18 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.33 2002/09/10 19:59:25 joda Exp $
+# $Id: Makefile.am 22396 2008-01-01 19:35:05Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
 
-SOURCES = bits.c make_crypto.c
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -43,25 +37,23 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
-DIST_COMMON = $(include_HEADERS) $(noinst_HEADERS) \
-	$(srcdir)/Makefile.am $(srcdir)/Makefile.in \
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(srcdir)/config.h.in $(top_srcdir)/Makefile.am.common \
 	$(top_srcdir)/cf/Makefile.am.common
 noinst_PROGRAMS = bits$(EXEEXT) make_crypto$(EXEEXT)
 subdir = include
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -74,6 +66,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -82,16 +75,20 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = config.h
 CONFIG_CLEAN_FILES =
 PROGRAMS = $(noinst_PROGRAMS)
@@ -101,40 +98,44 @@ bits_LDADD = $(LDADD)
 make_crypto_SOURCES = make_crypto.c
 make_crypto_OBJECTS = make_crypto.$(OBJEXT)
 make_crypto_LDADD = $(LDADD)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I.
+DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
 SOURCES = bits.c make_crypto.c
 DIST_SOURCES = bits.c make_crypto.c
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	html-recursive info-recursive install-data-recursive \
-	install-exec-recursive install-info-recursive \
-	install-recursive installcheck-recursive installdirs-recursive \
-	pdf-recursive ps-recursive uninstall-info-recursive \
-	uninstall-recursive
+	install-dvi-recursive install-exec-recursive \
+	install-html-recursive install-info-recursive \
+	install-pdf-recursive install-ps-recursive install-recursive \
+	installcheck-recursive installdirs-recursive pdf-recursive \
+	ps-recursive uninstall-recursive
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
 am__installdirs = "$(DESTDIR)$(includedir)"
-includeHEADERS_INSTALL = $(INSTALL_HEADER)
-HEADERS = $(include_HEADERS) $(noinst_HEADERS)
+nodist_includeHEADERS_INSTALL = $(INSTALL_HEADER)
+HEADERS = $(nodist_include_HEADERS) $(nodist_noinst_HEADERS)
+RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
+  distclean-recursive maintainer-clean-recursive
 ETAGS = etags
 CTAGS = ctags
 DIST_SUBDIRS = $(SUBDIRS)
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -144,8 +145,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -156,11 +155,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -168,42 +166,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -221,12 +204,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -236,15 +216,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -253,6 +232,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -264,15 +244,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -280,74 +255,80 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -DHOST=\"$(CANONICAL_HOST)\"
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	-DHOST=\"$(CANONICAL_HOST)\"
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -364,53 +345,85 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
-SUBDIRS = kadm5
-CHECK_LOCAL = 
-include_HEADERS = krb5-types.h
-noinst_HEADERS = crypto-headers.h
+SUBDIRS = kadm5 hcrypto gssapi
+CHECK_LOCAL = no-check-local
+nodist_include_HEADERS = krb5-types.h
+nodist_noinst_HEADERS = crypto-headers.h
 CLEANFILES = \
-	asn1.h		\
-	asn1_err.h	\
-	base64.h	\
-	com_err.h	\
-	com_right.h	\
-	crypto-headers.h\
-	der.h		\
-	des.h		\
-	editline.h	\
-	err.h		\
-	getarg.h	\
-	glob.h		\
-	gssapi.h	\
-	hdb.h		\
-	hdb_asn1.h	\
-	hdb_err.h	\
-	heim_err.h	\
-	kafs.h		\
-	krb5-protos.h	\
-	krb5-private.h	\
-	krb5-types.h	\
-	krb5.h		\
-	krb5_err.h	\
-	md4.h		\
-	md5.h		\
-	rc4.h		\
-	otp.h		\
-	parse_time.h	\
-	parse_units.h	\
-	resolve.h	\
-	roken-common.h	\
-	roken.h		\
-	sha.h		\
-	sl.h		\
+	cms_asn1.h 		\
+	der-protos.h 		\
+	digest_asn1.h 		\
+	hdb-protos.h		\
+	heim_asn1.h		\
+	heim_threads.h		\
+	hex.h			\
+	hx509-protos.h		\
+	hx509.h			\
+	hx509_err.h		\
+	kx509_asn1.h		\
+	kx509_err.h		\
+	k524_err.h		\
+	kdc-protos.h		\
+	kdc.h			\
+	krb5_asn1.h		\
+	krb5_ccapi.h		\
+	parse_bytes.h		\
+	pkcs12_asn1.h		\
+	pkcs8_asn1.h		\
+	pkcs9_asn1.h		\
+	pkinit_asn1.h		\
+	rfc2459_asn1.h		\
+	rtbl.h			\
+	test-mem.h		\
+	vers.h			\
+	vis.h			\
+	asn1.h			\
+	asn1_err.h		\
+	base64.h		\
+	com_err.h		\
+	com_right.h		\
+	crypto-headers.h	\
+	der.h			\
+	editline.h		\
+	err.h			\
+	getarg.h		\
+	glob.h			\
+	gssapi.h		\
+	hdb.h			\
+	hdb_asn1.h		\
+	hdb_err.h		\
+	heim_err.h		\
+	heimntlm.h		\
+	heimntlm-protos.h	\
+	kafs.h			\
+	krb_err.h		\
+	krb5-protos.h		\
+	krb5-private.h		\
+	krb5-types.h		\
+	krb5.h			\
+	krb5_err.h		\
+	otp.h			\
+	parse_time.h		\
+	parse_units.h		\
+	resolve.h		\
+	roken-common.h		\
+	roken.h			\
+	sl.h			\
+	windc_plugin.h		\
+	locate_plugin.h		\
 	xdbm.h
 
+DISTCLEANFILES = \
+	version.h	\
+	version.h.in
+
 all: config.h
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -444,7 +457,7 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 config.h: stamp-h1
 	@if test ! -f $@; then \
 	  rm -f stamp-h1; \
-	  $(MAKE) stamp-h1; \
+	  $(MAKE) $(AM_MAKEFLAGS) stamp-h1; \
 	else :; fi
 
 stamp-h1: $(srcdir)/config.h.in $(top_builddir)/config.status
@@ -466,10 +479,10 @@ clean-noinstPROGRAMS:
 	done
 bits$(EXEEXT): $(bits_OBJECTS) $(bits_DEPENDENCIES) 
 	@rm -f bits$(EXEEXT)
-	$(LINK) $(bits_LDFLAGS) $(bits_OBJECTS) $(bits_LDADD) $(LIBS)
+	$(LINK) $(bits_OBJECTS) $(bits_LDADD) $(LIBS)
 make_crypto$(EXEEXT): $(make_crypto_OBJECTS) $(make_crypto_DEPENDENCIES) 
 	@rm -f make_crypto$(EXEEXT)
-	$(LINK) $(make_crypto_LDFLAGS) $(make_crypto_OBJECTS) $(make_crypto_LDADD) $(LIBS)
+	$(LINK) $(make_crypto_OBJECTS) $(make_crypto_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -491,24 +504,20 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
-install-includeHEADERS: $(include_HEADERS)
+install-nodist_includeHEADERS: $(nodist_include_HEADERS)
 	@$(NORMAL_INSTALL)
-	test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)"
-	@list='$(include_HEADERS)'; for p in $$list; do \
+	test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
+	@list='$(nodist_include_HEADERS)'; for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
-	  echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
-	  $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
+	  f=$(am__strip_dir) \
+	  echo " $(nodist_includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
+	  $(nodist_includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
 	done
 
-uninstall-includeHEADERS:
+uninstall-nodist_includeHEADERS:
 	@$(NORMAL_UNINSTALL)
-	@list='$(include_HEADERS)'; for p in $$list; do \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	@list='$(nodist_include_HEADERS)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
 	  echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \
 	  rm -f "$(DESTDIR)$(includedir)/$$f"; \
 	done
@@ -520,7 +529,13 @@ uninstall-includeHEADERS:
 #     (which will cause the Makefiles to be regenerated when you run `make');
 # (2) otherwise, pass the desired values on the `make' command line.
 $(RECURSIVE_TARGETS):
-	@set fnord $$MAKEFLAGS; amf=$$2; \
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
 	dot_seen=no; \
 	target=`echo $@ | sed s/-recursive//`; \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
@@ -532,15 +547,20 @@ $(RECURSIVE_TARGETS):
 	    local_target="$$target"; \
 	  fi; \
 	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
-	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	  || eval $$failcom; \
 	done; \
 	if test "$$dot_seen" = "no"; then \
 	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
 	fi; test -z "$$fail"
 
-mostlyclean-recursive clean-recursive distclean-recursive \
-maintainer-clean-recursive:
-	@set fnord $$MAKEFLAGS; amf=$$2; \
+$(RECURSIVE_CLEAN_TARGETS):
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
 	dot_seen=no; \
 	case "$@" in \
 	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
@@ -561,7 +581,7 @@ maintainer-clean-recursive:
 	    local_target="$$target"; \
 	  fi; \
 	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
-	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	  || eval $$failcom; \
 	done && test -z "$$fail"
 tags-recursive:
 	list='$(SUBDIRS)'; for subdir in $$list; do \
@@ -586,14 +606,16 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	if (etags --etags-include --version) >/dev/null 2>&1; then \
+	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
 	  include_option=--etags-include; \
+	  empty_fix=.; \
 	else \
 	  include_option=--include; \
+	  empty_fix=; \
 	fi; \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
-	    test -f $$subdir/TAGS && \
+	    test ! -f $$subdir/TAGS || \
 	      tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \
 	  fi; \
 	done; \
@@ -603,9 +625,11 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS: ctags-recursive $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -630,23 +654,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/.. $(distdir)/../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -657,15 +679,19 @@ distdir: $(DISTFILES)
 	    || exit 1; \
 	  fi; \
 	done
-	list='$(SUBDIRS)'; for subdir in $$list; do \
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
 	    test -d "$(distdir)/$$subdir" \
-	    || mkdir "$(distdir)/$$subdir" \
+	    || $(MKDIR_P) "$(distdir)/$$subdir" \
 	    || exit 1; \
+	    distdir=`$(am__cd) $(distdir) && pwd`; \
+	    top_distdir=`$(am__cd) $(top_distdir) && pwd`; \
 	    (cd $$subdir && \
 	      $(MAKE) $(AM_MAKEFLAGS) \
-	        top_distdir="../$(top_distdir)" \
-	        distdir="../$(distdir)/$$subdir" \
+	        top_distdir="$$top_distdir" \
+	        distdir="$$distdir/$$subdir" \
+		am__remove_distdir=: \
+		am__skip_length_check=: \
 	        distdir) \
 	      || exit 1; \
 	  fi; \
@@ -680,7 +706,7 @@ all-am: Makefile $(PROGRAMS) $(HEADERS) config.h all-local
 installdirs: installdirs-recursive
 installdirs-am:
 	for dir in "$(DESTDIR)$(includedir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-recursive
 install-exec: install-exec-recursive
@@ -702,7 +728,8 @@ clean-generic:
 	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(DISTCLEANFILES)" || rm -f $(DISTCLEANFILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -715,7 +742,7 @@ clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \
 distclean: distclean-recursive
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-hdr distclean-libtool distclean-tags
+	distclean-hdr distclean-tags
 
 dvi: dvi-recursive
 
@@ -727,18 +754,26 @@ info: info-recursive
 
 info-am:
 
-install-data-am: install-includeHEADERS
+install-data-am: install-nodist_includeHEADERS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-recursive
+
 install-exec-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-recursive
+
 install-info: install-info-recursive
 
 install-man:
 
+install-pdf: install-pdf-recursive
+
+install-ps: install-ps-recursive
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-recursive
@@ -758,25 +793,30 @@ ps: ps-recursive
 
 ps-am:
 
-uninstall-am: uninstall-includeHEADERS uninstall-info-am
-
-uninstall-info: uninstall-info-recursive
-
-.PHONY: $(RECURSIVE_TARGETS) CTAGS GTAGS all all-am all-local check \
-	check-am check-local clean clean-generic clean-libtool \
-	clean-noinstPROGRAMS clean-recursive ctags ctags-recursive \
-	distclean distclean-compile distclean-generic distclean-hdr \
-	distclean-libtool distclean-recursive distclean-tags distdir \
-	dvi dvi-am html html-am info info-am install install-am \
-	install-data install-data-am install-exec install-exec-am \
-	install-includeHEADERS install-info install-info-am \
-	install-man install-strip installcheck installcheck-am \
-	installdirs installdirs-am maintainer-clean \
-	maintainer-clean-generic maintainer-clean-recursive \
-	mostlyclean mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool mostlyclean-recursive pdf pdf-am ps ps-am \
-	tags tags-recursive uninstall uninstall-am \
-	uninstall-includeHEADERS uninstall-info-am
+uninstall-am: uninstall-nodist_includeHEADERS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \
+	install-data-am install-exec-am install-strip uninstall-am
+
+.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
+	all all-am all-local check check-am check-local clean \
+	clean-generic clean-libtool clean-noinstPROGRAMS ctags \
+	ctags-recursive dist-hook distclean distclean-compile \
+	distclean-generic distclean-hdr distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am \
+	install-data-hook install-dvi install-dvi-am install-exec \
+	install-exec-am install-exec-hook install-html install-html-am \
+	install-info install-info-am install-man \
+	install-nodist_includeHEADERS install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs installdirs-am maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags tags-recursive uninstall uninstall-am uninstall-hook \
+	uninstall-nodist_includeHEADERS
 
 
 install-suid-programs:
@@ -791,8 +831,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -802,19 +842,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -830,7 +882,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -900,15 +952,40 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
 
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
 krb5-types.h: bits$(EXEEXT)
 	./bits$(EXEEXT) krb5-types.h
 
diff --git a/crypto/heimdal/include/bits.c b/crypto/heimdal/include/bits.c
index 3c51742..3fdaee4 100644
--- a/crypto/heimdal/include/bits.c
+++ b/crypto/heimdal/include/bits.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: bits.c,v 1.22 2002/08/28 16:08:44 joda Exp $");
+RCSID("$Id: bits.c 18703 2006-10-20 20:33:58Z lha $");
 #endif
 #include <stdio.h>
 #include <string.h>
@@ -112,8 +112,13 @@ int main(int argc, char **argv)
 {
     FILE *f;
     int flag;
-    char *fn, *hb;
+    const char *fn, *hb;
     
+    if (argc > 1 && strcmp(argv[1], "--version") == 0) {
+	printf("some version");
+	return 0;
+    }
+
     if(argc < 2){
 	fn = "bits.h";
 	hb = "__BITS_H__";
@@ -121,9 +126,10 @@ int main(int argc, char **argv)
     } else {
 	char *p;
 	fn = argv[1];
-	hb = malloc(strlen(fn) + 5);
-	sprintf(hb, "__%s__", fn);
-	for(p = hb; *p; p++){
+	p = malloc(strlen(fn) + 5);
+	sprintf(p, "__%s__", fn);
+	hb = p;
+	for(; *p; p++){
 	    if(!isalnum((unsigned char)*p))
 		*p = '_';
 	}
@@ -131,7 +137,7 @@ int main(int argc, char **argv)
     }
     fprintf(f, "/* %s -- this file was generated for %s by\n", fn, HOST);
     fprintf(f, "   %*s    %s */\n\n", (int)strlen(fn), "", 
-	    "$Id: bits.c,v 1.22 2002/08/28 16:08:44 joda Exp $");
+	    "$Id: bits.c 18703 2006-10-20 20:33:58Z lha $");
     fprintf(f, "#ifndef %s\n", hb);
     fprintf(f, "#define %s\n", hb);
     fprintf(f, "\n");
@@ -168,12 +174,10 @@ int main(int argc, char **argv)
     flag = print_bt(f, flag);
     try_signed (f, 32);
 #endif /* HAVE_INT32_T */
-#if 0
 #ifndef HAVE_INT64_T
     flag = print_bt(f, flag);
     try_signed (f, 64);
 #endif /* HAVE_INT64_T */
-#endif
 
 #ifndef HAVE_UINT8_T
     flag = print_bt(f, flag);
@@ -187,12 +191,10 @@ int main(int argc, char **argv)
     flag = print_bt(f, flag);
     try_unsigned (f, 32);
 #endif /* HAVE_UINT32_T */
-#if 0
 #ifndef HAVE_UINT64_T
     flag = print_bt(f, flag);
     try_unsigned (f, 64);
 #endif /* HAVE_UINT64_T */
-#endif
 
 #define X(S) fprintf(f, "typedef uint" #S "_t u_int" #S "_t;\n")
 #ifndef HAVE_U_INT8_T
@@ -207,12 +209,10 @@ int main(int argc, char **argv)
     flag = print_bt(f, flag);
     X(32);
 #endif /* HAVE_U_INT32_T */
-#if 0
 #ifndef HAVE_U_INT64_T
     flag = print_bt(f, flag);
     X(64);
 #endif /* HAVE_U_INT64_T */
-#endif
 
     if(flag){
 	fprintf(f, "\n");
diff --git a/crypto/heimdal/include/config.h.in b/crypto/heimdal/include/config.h.in
index 147b3ce..50cf5b1 100644
--- a/crypto/heimdal/include/config.h.in
+++ b/crypto/heimdal/include/config.h.in
@@ -11,6 +11,28 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 
 
 
+#ifdef BUILD_KRB5_LIB
+#ifndef KRB5_LIB_FUNCTION
+#ifdef _WIN32_
+#define KRB5_LIB_FUNCTION _export _stdcall
+#else
+#define KRB5_LIB_FUNCTION
+#endif
+#endif
+#endif
+
+
+#ifdef BUILD_ROKEN_LIB
+#ifndef ROKEN_LIB_FUNCTION
+#ifdef _WIN32_
+#define ROKEN_LIB_FUNCTION _export _stdcall
+#else
+#define ROKEN_LIB_FUNCTION
+#endif
+#endif
+#endif
+
+
 /* Define if you want authentication support in telnet. */
 #undef AUTHENTICATION
 
@@ -29,6 +51,12 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* Define this to enable diagnostics in telnet. */
 #undef DIAGNOSTICS
 
+/* Define if want to use the weak AFS string to key functions. */
+#undef ENABLE_AFS_STRING_TO_KEY
+
+/* Define if you want have a thread safe libraries */
+#undef ENABLE_PTHREAD_SUPPORT
+
 /* Define if you want encryption support in telnet. */
 #undef ENCRYPTION
 
@@ -57,8 +85,8 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* Define if you have the `altzone' variable. */
 #undef HAVE_ALTZONE
 
-/* define if your system declares altzone */
-#undef HAVE_ALTZONE_DECLARATION
+/* Define to 1 if you have the `arc4random' function. */
+#undef HAVE_ARC4RANDOM
 
 /* Define to 1 if you have the <arpa/ftp.h> header file. */
 #undef HAVE_ARPA_FTP_H
@@ -105,6 +133,9 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* Define if you have the function `chown'. */
 #undef HAVE_CHOWN
 
+/* Define if you have the function `closefrom'. */
+#undef HAVE_CLOSEFROM
+
 /* Define to 1 if you have the <config.h> header file. */
 #undef HAVE_CONFIG_H
 
@@ -156,6 +187,54 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* define if you have ndbm compat in db */
 #undef HAVE_DB_NDBM
 
+/* Define to 1 if you have the declaration of `altzone', and to 0 if you
+   don't. */
+#undef HAVE_DECL_ALTZONE
+
+/* Define to 1 if you have the declaration of `environ', and to 0 if you
+   don't. */
+#undef HAVE_DECL_ENVIRON
+
+/* Define to 1 if you have the declaration of `h_errlist', and to 0 if you
+   don't. */
+#undef HAVE_DECL_H_ERRLIST
+
+/* Define to 1 if you have the declaration of `h_errno', and to 0 if you
+   don't. */
+#undef HAVE_DECL_H_ERRNO
+
+/* Define to 1 if you have the declaration of `h_nerr', and to 0 if you don't.
+   */
+#undef HAVE_DECL_H_NERR
+
+/* Define to 1 if you have the declaration of `optarg', and to 0 if you don't.
+   */
+#undef HAVE_DECL_OPTARG
+
+/* Define to 1 if you have the declaration of `opterr', and to 0 if you don't.
+   */
+#undef HAVE_DECL_OPTERR
+
+/* Define to 1 if you have the declaration of `optind', and to 0 if you don't.
+   */
+#undef HAVE_DECL_OPTIND
+
+/* Define to 1 if you have the declaration of `optopt', and to 0 if you don't.
+   */
+#undef HAVE_DECL_OPTOPT
+
+/* Define to 1 if you have the declaration of `timezone', and to 0 if you
+   don't. */
+#undef HAVE_DECL_TIMEZONE
+
+/* Define to 1 if you have the declaration of `_res', and to 0 if you don't.
+   */
+#undef HAVE_DECL__RES
+
+/* Define to 1 if you have the declaration of `__progname', and to 0 if you
+   don't. */
+#undef HAVE_DECL___PROGNAME
+
 /* Define to 1 if you have the <dirent.h> header file. */
 #undef HAVE_DIRENT_H
 
@@ -168,6 +247,9 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* Define to 1 if you have the `dn_expand' function. */
 #undef HAVE_DN_EXPAND
 
+/* Define to 1 if you have the `door_create' function. */
+#undef HAVE_DOOR_CREATE
+
 /* Define if you have the function `ecalloc'. */
 #undef HAVE_ECALLOC
 
@@ -177,9 +259,6 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* Define if you have the function `emalloc'. */
 #undef HAVE_EMALLOC
 
-/* define if your system declares environ */
-#undef HAVE_ENVIRON_DECLARATION
-
 /* Define if you have the function `erealloc'. */
 #undef HAVE_EREALLOC
 
@@ -219,8 +298,8 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* Define if el_init takes four arguments. */
 #undef HAVE_FOUR_VALUED_EL_INIT
 
-/* define if krb_put_int takes four arguments. */
-#undef HAVE_FOUR_VALUED_KRB_PUT_INT
+/* Have -framework Security */
+#undef HAVE_FRAMEWORK_SECURITY
 
 /* Define to 1 if you have the `freeaddrinfo' function. */
 #undef HAVE_FREEADDRINFO
@@ -288,6 +367,12 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* Define to 1 if you have the `getpagesize' function. */
 #undef HAVE_GETPAGESIZE
 
+/* Define to 1 if you have the `getpeereid' function. */
+#undef HAVE_GETPEEREID
+
+/* Define to 1 if you have the `getpeerucred' function. */
+#undef HAVE_GETPEERUCRED
+
 /* Define to 1 if you have the `getprogname' function. */
 #undef HAVE_GETPROGNAME
 
@@ -331,21 +416,12 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* Define if you have the `h_errlist' variable. */
 #undef HAVE_H_ERRLIST
 
-/* define if your system declares h_errlist */
-#undef HAVE_H_ERRLIST_DECLARATION
-
 /* Define if you have the `h_errno' variable. */
 #undef HAVE_H_ERRNO
 
-/* define if your system declares h_errno */
-#undef HAVE_H_ERRNO_DECLARATION
-
 /* Define if you have the `h_nerr' variable. */
 #undef HAVE_H_NERR
 
-/* define if your system declares h_nerr */
-#undef HAVE_H_NERR_DECLARATION
-
 /* Define to 1 if you have the <ifaddrs.h> header file. */
 #undef HAVE_IFADDRS_H
 
@@ -397,20 +473,8 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* Define to 1 if you have the `issetugid' function. */
 #undef HAVE_ISSETUGID
 
-/* Define to 1 if you have the `krb_disable_debug' function. */
-#undef HAVE_KRB_DISABLE_DEBUG
-
-/* Define to 1 if you have the `krb_enable_debug' function. */
-#undef HAVE_KRB_ENABLE_DEBUG
-
-/* Define to 1 if you have the `krb_get_kdc_time_diff' function. */
-#undef HAVE_KRB_GET_KDC_TIME_DIFF
-
-/* Define to 1 if you have the `krb_get_our_ip_for_realm' function. */
-#undef HAVE_KRB_GET_OUR_IP_FOR_REALM
-
-/* Define to 1 if you have the `krb_kdctimeofday' function. */
-#undef HAVE_KRB_KDCTIMEOFDAY
+/* Define if you want to use the Kerberos Credentials Manager. */
+#undef HAVE_KCM
 
 /* Define to 1 if you have the <libutil.h> header file. */
 #undef HAVE_LIBUTIL_H
@@ -502,9 +566,6 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* Define if NDBM really is DB (creates files *.db) */
 #undef HAVE_NEW_DB
 
-/* define if you have hash functions like md4_finito() */
-#undef HAVE_OLD_HASH_NAMES
-
 /* Define to 1 if you have the `on_exit' function. */
 #undef HAVE_ON_EXIT
 
@@ -514,18 +575,6 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* define to use openssl's libcrypto */
 #undef HAVE_OPENSSL
 
-/* define if your system declares optarg */
-#undef HAVE_OPTARG_DECLARATION
-
-/* define if your system declares opterr */
-#undef HAVE_OPTERR_DECLARATION
-
-/* define if your system declares optind */
-#undef HAVE_OPTIND_DECLARATION
-
-/* define if your system declares optopt */
-#undef HAVE_OPTOPT_DECLARATION
-
 /* Define to enable basic OSF C2 support. */
 #undef HAVE_OSFC2
 
@@ -535,6 +584,12 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* Define to 1 if you have the `pidfile' function. */
 #undef HAVE_PIDFILE
 
+/* Define to 1 if you have the `poll' function. */
+#undef HAVE_POLL
+
+/* Define to 1 if you have the <poll.h> header file. */
+#undef HAVE_POLL_H
+
 /* Define to 1 if you have the <pthread.h> header file. */
 #undef HAVE_PTHREAD_H
 
@@ -571,6 +626,9 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* Define to 1 if you have the <resolv.h> header file. */
 #undef HAVE_RESOLV_H
 
+/* Define to 1 if you have the `res_ndestroy' function. */
+#undef HAVE_RES_NDESTROY
+
 /* Define to 1 if you have the `res_nsearch' function. */
 #undef HAVE_RES_NSEARCH
 
@@ -928,6 +986,9 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* Define to 1 if you have the <sys/types.h> header file. */
 #undef HAVE_SYS_TYPES_H
 
+/* Define to 1 if you have the <sys/ucred.h> header file. */
+#undef HAVE_SYS_UCRED_H
+
 /* Define to 1 if you have the <sys/uio.h> header file. */
 #undef HAVE_SYS_UIO_H
 
@@ -955,15 +1016,12 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* Define to 1 if you have the `tgetent' function. */
 #undef HAVE_TGETENT
 
-/* Define to 1 if you have the `timegm' function. */
+/* Define if you have the function `timegm'. */
 #undef HAVE_TIMEGM
 
 /* Define if you have the `timezone' variable. */
 #undef HAVE_TIMEZONE
 
-/* define if your system declares timezone */
-#undef HAVE_TIMEZONE_DECLARATION
-
 /* Define to 1 if you have the <time.h> header file. */
 #undef HAVE_TIME_H
 
@@ -991,6 +1049,9 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* Define to 1 if the system has the type `uint8_t'. */
 #undef HAVE_UINT8_T
 
+/* Define to 1 if the system has the type `uintptr_t'. */
+#undef HAVE_UINTPTR_T
+
 /* Define to 1 if you have the `umask' function. */
 #undef HAVE_UMASK
 
@@ -1102,9 +1163,6 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* Define if you have the `_res' variable. */
 #undef HAVE__RES
 
-/* define if your system declares _res */
-#undef HAVE__RES_DECLARATION
-
 /* Define to 1 if you have the `_scrsize' function. */
 #undef HAVE__SCRSIZE
 
@@ -1114,36 +1172,15 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* Define if you have the `__progname' variable. */
 #undef HAVE___PROGNAME
 
-/* define if your system declares __progname */
-#undef HAVE___PROGNAME_DECLARATION
-
 /* Define if you have the hesiod package. */
 #undef HESIOD
 
 /* Define if you are running IRIX 4. */
 #undef IRIX4
 
-/* Define if you have the krb4 package. */
-#undef KRB4
-
 /* Enable Kerberos 5 support in applications. */
 #undef KRB5
 
-/* Define if krb_mk_req takes const char * */
-#undef KRB_MK_REQ_CONST
-
-/* This is the krb4 sendauth version. */
-#undef KRB_SENDAUTH_VERS
-
-/* Define to zero if your krb.h doesn't */
-#undef KRB_VERIFY_NOT_SECURE
-
-/* Define to one if your krb.h doesn't */
-#undef KRB_VERIFY_SECURE
-
-/* Define to two if your krb.h doesn't */
-#undef KRB_VERIFY_SECURE_FAIL
-
 /* path to lib */
 #undef LIBDIR
 
@@ -1162,6 +1199,9 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* define if the system is missing a prototype for crypt() */
 #undef NEED_CRYPT_PROTO
 
+/* define if the system is missing a prototype for daemon() */
+#undef NEED_DAEMON_PROTO
+
 /* define if the system is missing a prototype for gethostname() */
 #undef NEED_GETHOSTNAME_PROTO
 
@@ -1177,9 +1217,15 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* define if the system is missing a prototype for inet_aton() */
 #undef NEED_INET_ATON_PROTO
 
+/* define if the system is missing a prototype for iruserok() */
+#undef NEED_IRUSEROK_PROTO
+
 /* define if the system is missing a prototype for mkstemp() */
 #undef NEED_MKSTEMP_PROTO
 
+/* define if the system is missing a prototype for SecKeyGetCSPHandle() */
+#undef NEED_SECKEYGETCSPHANDLE_PROTO
+
 /* define if the system is missing a prototype for setenv() */
 #undef NEED_SETENV_PROTO
 
@@ -1228,6 +1274,12 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* define if the system is missing a prototype for vsnprintf() */
 #undef NEED_VSNPRINTF_PROTO
 
+/* Define if you don't wan't support for AFS. */
+#undef NO_AFS
+
+/* Define to 1 if your C compiler doesn't accept -c and -o together. */
+#undef NO_MINUS_C_MINUS_O
+
 /* Define if you don't want to use mmap. */
 #undef NO_MMAP
 
@@ -1237,6 +1289,9 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* Define if you have the openldap package. */
 #undef OPENLDAP
 
+/* Define if you want support for hdb ldap module */
+#undef OPENLDAP_MODULE
+
 /* define if prototype of openlog is compatible with void openlog(const char
    *, int, int) */
 #undef OPENLOG_PROTO_COMPATIBLE
@@ -1262,6 +1317,9 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* Define to the version of this package. */
 #undef PACKAGE_VERSION
 
+/* Define to enable PKINIT. */
+#undef PKINIT
+
 /* Define if getlogin has POSIX flavour (and not BSD). */
 #undef POSIX_GETLOGIN
 
@@ -1277,6 +1335,9 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* path to sbin */
 #undef SBINDIR
 
+/* Define if you want to use samba socket wrappers. */
+#undef SOCKET_WRAPPER_REPLACE
+
 /* Define to 1 if you have the ANSI C header files. */
 #undef STDC_HEADERS
 
@@ -1335,7 +1396,7 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* Define this to what the type mode_t should be. */
 #undef mode_t
 
-/* Define to `long' if <sys/types.h> does not define. */
+/* Define to `long int' if <sys/types.h> does not define. */
 #undef off_t
 
 /* Define to `int' if <sys/types.h> does not define. */
@@ -1344,51 +1405,16 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* Define this to what the type sig_atomic_t should be. */
 #undef sig_atomic_t
 
-/* Define to `unsigned' if <sys/types.h> does not define. */
+/* Define to `unsigned int' if <sys/types.h> does not define. */
 #undef size_t
 
 /* Define to `int' if <sys/types.h> doesn't define. */
 #undef uid_t
 
-#if defined(HAVE_FOUR_VALUED_KRB_PUT_INT) || !defined(KRB4)
-#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (L), (S))
-#else
-#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (S))
-#endif
-
-
-
-#if defined(ENCRYPTION) && !defined(AUTHENTICATION)
-#define AUTHENTICATION 1
-#endif
-
-/* Set this to the default system lead string for telnetd 
- * can contain %-escapes: %s=sysname, %m=machine, %r=os-release
- * %v=os-version, %t=tty, %h=hostname, %d=date and time
- */
-#undef USE_IM
-
-/* Used with login -p */
-#undef LOGIN_ARGS
-
-/* set this to a sensible login */
-#ifndef LOGIN_PATH
-#define LOGIN_PATH BINDIR "/login"
-#endif
-
-
 #ifdef ROKEN_RENAME
 #include "roken_rename.h"
 #endif
 
-#ifndef HAVE_KRB_KDCTIMEOFDAY
-#define krb_kdctimeofday(X) gettimeofday((X), NULL)
-#endif
-
-#ifndef HAVE_KRB_GET_KDC_TIME_DIFF
-#define krb_get_kdc_time_diff() (0)
-#endif
-
 #ifdef VOID_RETSIGTYPE
 #define SIGRETURN(x) return
 #else
@@ -1396,8 +1422,7 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 #endif
 
 #ifdef BROKEN_REALLOC
-#define realloc(X, Y) isoc_realloc((X), (Y))
-#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y))
+#define realloc(X, Y) rk_realloc((X), (Y))
 #endif
 
 
@@ -1425,3 +1450,23 @@ struct sockaddr_in;
 #define __STDC__ 0
 #endif
 
+
+
+#if defined(ENCRYPTION) && !defined(AUTHENTICATION)
+#define AUTHENTICATION 1
+#endif
+
+/* Set this to the default system lead string for telnetd 
+ * can contain %-escapes: %s=sysname, %m=machine, %r=os-release
+ * %v=os-version, %t=tty, %h=hostname, %d=date and time
+ */
+#undef USE_IM
+
+/* Used with login -p */
+#undef LOGIN_ARGS
+
+/* set this to a sensible login */
+#ifndef LOGIN_PATH
+#define LOGIN_PATH BINDIR "/login"
+#endif
+
diff --git a/crypto/heimdal/include/gssapi/Makefile.am b/crypto/heimdal/include/gssapi/Makefile.am
new file mode 100644
index 0000000..7173395
--- /dev/null
+++ b/crypto/heimdal/include/gssapi/Makefile.am
@@ -0,0 +1,6 @@
+# $Id: Makefile.am 18701 2006-10-20 20:32:01Z lha $
+
+include $(top_srcdir)/Makefile.am.common
+
+CLEANFILES = gssapi.h gssapi_krb5.h gssapi_spnego.h
+
diff --git a/crypto/heimdal/include/gssapi/Makefile.in b/crypto/heimdal/include/gssapi/Makefile.in
new file mode 100644
index 0000000..0aef05d
--- /dev/null
+++ b/crypto/heimdal/include/gssapi/Makefile.in
@@ -0,0 +1,659 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# $Id: Makefile.am 18701 2006-10-20 20:32:01Z lha $
+
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
+
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
+	$(top_srcdir)/Makefile.am.common \
+	$(top_srcdir)/cf/Makefile.am.common
+subdir = include/gssapi
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
+	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
+	$(top_srcdir)/cf/broken-glob.m4 \
+	$(top_srcdir)/cf/broken-realloc.m4 \
+	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
+	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
+	$(top_srcdir)/cf/capabilities.m4 \
+	$(top_srcdir)/cf/check-compile-et.m4 \
+	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
+	$(top_srcdir)/cf/check-man.m4 \
+	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
+	$(top_srcdir)/cf/check-type-extra.m4 \
+	$(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \
+	$(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \
+	$(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
+	$(top_srcdir)/cf/dlopen.m4 \
+	$(top_srcdir)/cf/find-func-no-libs.m4 \
+	$(top_srcdir)/cf/find-func-no-libs2.m4 \
+	$(top_srcdir)/cf/find-func.m4 \
+	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
+	$(top_srcdir)/cf/have-struct-field.m4 \
+	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
+	$(top_srcdir)/cf/krb-bigendian.m4 \
+	$(top_srcdir)/cf/krb-func-getlogin.m4 \
+	$(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
+	$(top_srcdir)/cf/krb-readline.m4 \
+	$(top_srcdir)/cf/krb-struct-spwd.m4 \
+	$(top_srcdir)/cf/krb-struct-winsize.m4 \
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/include/config.h
+CONFIG_CLEAN_FILES =
+depcomp =
+am__depfiles_maybe =
+SOURCES =
+DIST_SOURCES =
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CFLAGS = @CFLAGS@
+COMPILE_ET = @COMPILE_ET@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DBLIB = @DBLIB@
+DEFS = @DEFS@
+DIR_com_err = @DIR_com_err@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
+DIR_roken = @DIR_roken@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GREP = @GREP@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+INCLUDE_krb4 = @INCLUDE_krb4@
+INCLUDE_openldap = @INCLUDE_openldap@
+INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_NDBM = @LIB_NDBM@
+LIB_XauFileName = @LIB_XauFileName@
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_XauWriteAuth = @LIB_XauWriteAuth@
+LIB_bswap16 = @LIB_bswap16@
+LIB_bswap32 = @LIB_bswap32@
+LIB_com_err = @LIB_com_err@
+LIB_com_err_a = @LIB_com_err_a@
+LIB_com_err_so = @LIB_com_err_so@
+LIB_crypt = @LIB_crypt@
+LIB_db_create = @LIB_db_create@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
+LIB_el_init = @LIB_el_init@
+LIB_freeaddrinfo = @LIB_freeaddrinfo@
+LIB_gai_strerror = @LIB_gai_strerror@
+LIB_getaddrinfo = @LIB_getaddrinfo@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_gethostbyname2 = @LIB_gethostbyname2@
+LIB_getnameinfo = @LIB_getnameinfo@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
+LIB_hesiod = @LIB_hesiod@
+LIB_hstrerror = @LIB_hstrerror@
+LIB_kdb = @LIB_kdb@
+LIB_krb4 = @LIB_krb4@
+LIB_loadquery = @LIB_loadquery@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_openldap = @LIB_openldap@
+LIB_openpty = @LIB_openpty@
+LIB_otp = @LIB_otp@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
+LIB_res_nsearch = @LIB_res_nsearch@
+LIB_res_search = @LIB_res_search@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VERSIONING = @VERSIONING@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
+X_CFLAGS = @X_CFLAGS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_LIBS = @X_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dpagaix_cflags = @dpagaix_cflags@
+dpagaix_ldadd = @dpagaix_ldadd@
+dpagaix_ldflags = @dpagaix_ldflags@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
+@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
+AM_CFLAGS = $(WFLAGS)
+CP = cp
+buildinclude = $(top_builddir)/include
+LIB_getattr = @LIB_getattr@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_setpcred = @LIB_setpcred@
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+NROFF_MAN = groff -mandoc -Tascii
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
+@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+CLEANFILES = gssapi.h gssapi_krb5.h gssapi_spnego.h
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign  --ignore-deps include/gssapi/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign  --ignore-deps include/gssapi/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+tags: TAGS
+TAGS:
+
+ctags: CTAGS
+CTAGS:
+
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) \
+	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
+	  dist-hook
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+all-am: Makefile all-local
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
+.PHONY: all all-am all-local check check-am check-local clean \
+	clean-generic clean-libtool dist-hook distclean \
+	distclean-generic distclean-libtool distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	uninstall uninstall-am uninstall-hook
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+
+check-local::
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
+	  foo='$(CHECK_LOCAL)'; else \
+	  foo='$(PROGRAMS)'; fi; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0 || exit 1; \
+	fi
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/include/hcrypto/Makefile.am b/crypto/heimdal/include/hcrypto/Makefile.am
new file mode 100644
index 0000000..c5299a3
--- /dev/null
+++ b/crypto/heimdal/include/hcrypto/Makefile.am
@@ -0,0 +1,23 @@
+# $Id: Makefile.am 16553 2006-01-13 13:43:32Z lha $
+
+include $(top_srcdir)/Makefile.am.common
+
+CLEANFILES =		\
+	aes.h		\
+	bn.h		\
+	des.h		\
+	dh.h		\
+	dsa.h		\
+	engine.h	\
+	evp.h		\
+	hmac.h		\
+	md2.h		\
+	md4.h		\
+	md5.h		\
+	pkcs12.h	\
+	rand.h		\
+	rc2.h		\
+	rc4.h		\
+	rsa.h		\
+	sha.h		\
+	ui.h
diff --git a/crypto/heimdal/include/hcrypto/Makefile.in b/crypto/heimdal/include/hcrypto/Makefile.in
new file mode 100644
index 0000000..9896a2a
--- /dev/null
+++ b/crypto/heimdal/include/hcrypto/Makefile.in
@@ -0,0 +1,678 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# $Id: Makefile.am 16553 2006-01-13 13:43:32Z lha $
+
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
+
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
+	$(top_srcdir)/Makefile.am.common \
+	$(top_srcdir)/cf/Makefile.am.common
+subdir = include/hcrypto
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
+	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
+	$(top_srcdir)/cf/broken-glob.m4 \
+	$(top_srcdir)/cf/broken-realloc.m4 \
+	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
+	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
+	$(top_srcdir)/cf/capabilities.m4 \
+	$(top_srcdir)/cf/check-compile-et.m4 \
+	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
+	$(top_srcdir)/cf/check-man.m4 \
+	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
+	$(top_srcdir)/cf/check-type-extra.m4 \
+	$(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \
+	$(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \
+	$(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
+	$(top_srcdir)/cf/dlopen.m4 \
+	$(top_srcdir)/cf/find-func-no-libs.m4 \
+	$(top_srcdir)/cf/find-func-no-libs2.m4 \
+	$(top_srcdir)/cf/find-func.m4 \
+	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
+	$(top_srcdir)/cf/have-struct-field.m4 \
+	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
+	$(top_srcdir)/cf/krb-bigendian.m4 \
+	$(top_srcdir)/cf/krb-func-getlogin.m4 \
+	$(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
+	$(top_srcdir)/cf/krb-readline.m4 \
+	$(top_srcdir)/cf/krb-struct-spwd.m4 \
+	$(top_srcdir)/cf/krb-struct-winsize.m4 \
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/include/config.h
+CONFIG_CLEAN_FILES =
+depcomp =
+am__depfiles_maybe =
+SOURCES =
+DIST_SOURCES =
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CFLAGS = @CFLAGS@
+COMPILE_ET = @COMPILE_ET@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DBLIB = @DBLIB@
+DEFS = @DEFS@
+DIR_com_err = @DIR_com_err@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
+DIR_roken = @DIR_roken@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GREP = @GREP@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+INCLUDE_krb4 = @INCLUDE_krb4@
+INCLUDE_openldap = @INCLUDE_openldap@
+INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_NDBM = @LIB_NDBM@
+LIB_XauFileName = @LIB_XauFileName@
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_XauWriteAuth = @LIB_XauWriteAuth@
+LIB_bswap16 = @LIB_bswap16@
+LIB_bswap32 = @LIB_bswap32@
+LIB_com_err = @LIB_com_err@
+LIB_com_err_a = @LIB_com_err_a@
+LIB_com_err_so = @LIB_com_err_so@
+LIB_crypt = @LIB_crypt@
+LIB_db_create = @LIB_db_create@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
+LIB_el_init = @LIB_el_init@
+LIB_freeaddrinfo = @LIB_freeaddrinfo@
+LIB_gai_strerror = @LIB_gai_strerror@
+LIB_getaddrinfo = @LIB_getaddrinfo@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_gethostbyname2 = @LIB_gethostbyname2@
+LIB_getnameinfo = @LIB_getnameinfo@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
+LIB_hesiod = @LIB_hesiod@
+LIB_hstrerror = @LIB_hstrerror@
+LIB_kdb = @LIB_kdb@
+LIB_krb4 = @LIB_krb4@
+LIB_loadquery = @LIB_loadquery@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_openldap = @LIB_openldap@
+LIB_openpty = @LIB_openpty@
+LIB_otp = @LIB_otp@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
+LIB_res_nsearch = @LIB_res_nsearch@
+LIB_res_search = @LIB_res_search@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VERSIONING = @VERSIONING@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
+X_CFLAGS = @X_CFLAGS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_LIBS = @X_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dpagaix_cflags = @dpagaix_cflags@
+dpagaix_ldadd = @dpagaix_ldadd@
+dpagaix_ldflags = @dpagaix_ldflags@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
+@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
+AM_CFLAGS = $(WFLAGS)
+CP = cp
+buildinclude = $(top_builddir)/include
+LIB_getattr = @LIB_getattr@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_setpcred = @LIB_setpcred@
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+NROFF_MAN = groff -mandoc -Tascii
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
+@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+CLEANFILES = \
+	aes.h		\
+	bn.h		\
+	des.h		\
+	dh.h		\
+	dsa.h		\
+	engine.h	\
+	evp.h		\
+	hmac.h		\
+	md2.h		\
+	md4.h		\
+	md5.h		\
+	pkcs12.h	\
+	rand.h		\
+	rc2.h		\
+	rc4.h		\
+	rsa.h		\
+	sha.h		\
+	ui.h
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign  --ignore-deps include/hcrypto/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign  --ignore-deps include/hcrypto/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+tags: TAGS
+TAGS:
+
+ctags: CTAGS
+CTAGS:
+
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) \
+	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
+	  dist-hook
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+all-am: Makefile all-local
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
+.PHONY: all all-am all-local check check-am check-local clean \
+	clean-generic clean-libtool dist-hook distclean \
+	distclean-generic distclean-libtool distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	uninstall uninstall-am uninstall-hook
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+
+check-local::
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
+	  foo='$(CHECK_LOCAL)'; else \
+	  foo='$(PROGRAMS)'; fi; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0 || exit 1; \
+	fi
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/include/kadm5/Makefile.am b/crypto/heimdal/include/kadm5/Makefile.am
index e0647b8..6ccf564 100644
--- a/crypto/heimdal/include/kadm5/Makefile.am
+++ b/crypto/heimdal/include/kadm5/Makefile.am
@@ -1,5 +1,5 @@
-# $Id: Makefile.am,v 1.6 1999/03/20 13:58:17 joda Exp $
+# $Id: Makefile.am 18696 2006-10-20 20:25:13Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-CLEANFILES = admin.h kadm5_err.h private.h
+CLEANFILES = admin.h kadm5_err.h private.h kadm5-private.h kadm5-protos.h
diff --git a/crypto/heimdal/include/kadm5/Makefile.in b/crypto/heimdal/include/kadm5/Makefile.in
index 10c34e1..a553ab9 100644
--- a/crypto/heimdal/include/kadm5/Makefile.in
+++ b/crypto/heimdal/include/kadm5/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,20 +14,16 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.6 1999/03/20 13:58:17 joda Exp $
+# $Id: Makefile.am 18696 2006-10-20 20:25:13Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -39,6 +35,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -46,16 +43,14 @@ DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 subdir = include/kadm5
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -68,6 +63,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -76,16 +72,20 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
 depcomp =
@@ -94,13 +94,7 @@ SOURCES =
 DIST_SOURCES =
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -110,8 +104,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -122,11 +114,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -134,42 +125,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -187,12 +163,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -202,15 +175,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -219,6 +191,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -230,15 +203,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -246,74 +214,79 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -330,12 +303,13 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
-CLEANFILES = admin.h kadm5_err.h private.h
+CLEANFILES = admin.h kadm5_err.h private.h kadm5-private.h kadm5-protos.h
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -371,10 +345,6 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 tags: TAGS
 TAGS:
 
@@ -383,23 +353,21 @@ CTAGS:
 
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../.. $(distdir)/../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -438,7 +406,7 @@ clean-generic:
 	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -449,7 +417,7 @@ clean-am: clean-generic clean-libtool mostlyclean-am
 
 distclean: distclean-am
 	-rm -f Makefile
-distclean-am: clean-am distclean-generic distclean-libtool
+distclean-am: clean-am distclean-generic
 
 dvi: dvi-am
 
@@ -465,14 +433,22 @@ install-data-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man:
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -491,17 +467,25 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-info-am
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
 
 .PHONY: all all-am all-local check check-am check-local clean \
-	clean-generic clean-libtool distclean distclean-generic \
-	distclean-libtool distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-exec \
-	install-exec-am install-info install-info-am install-man \
+	clean-generic clean-libtool dist-hook distclean \
+	distclean-generic distclean-libtool distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
 	install-strip installcheck installcheck-am installdirs \
 	maintainer-clean maintainer-clean-generic mostlyclean \
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	uninstall uninstall-am uninstall-info-am
+	uninstall uninstall-am uninstall-hook
 
 
 install-suid-programs:
@@ -516,8 +500,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -527,19 +511,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -555,7 +551,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -625,14 +621,39 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/include/make_crypto.c b/crypto/heimdal/include/make_crypto.c
index 2215f3f..2df17a5 100644
--- a/crypto/heimdal/include/make_crypto.c
+++ b/crypto/heimdal/include/make_crypto.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 2002 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: make_crypto.c,v 1.4.2.1 2003/05/05 20:10:27 joda Exp $");
+RCSID("$Id: make_crypto.c 19477 2006-12-20 19:51:53Z lha $");
 #endif
 #include <stdio.h>
 #include <string.h>
@@ -49,49 +49,61 @@ main(int argc, char **argv)
 	fprintf(stderr, "Usage: make_crypto file\n");
 	exit(1);
     }
+    if (strcmp(argv[1], "--version") == 0) {
+	printf("some version");
+	return 0;
+    }
     f = fopen(argv[1], "w");
     if(f == NULL) {
 	perror(argv[1]);
 	exit(1);
     }
     for(p = argv[1]; *p; p++)
-	if(!isalnum((int)*p))
+	if(!isalnum((unsigned char)*p))
 	    *p = '_';
     fprintf(f, "#ifndef __%s__\n", argv[1]);
     fprintf(f, "#define __%s__\n", argv[1]);
 #ifdef HAVE_OPENSSL
+    fputs("#ifndef OPENSSL_DES_LIBDES_COMPATIBILITY\n", f);
     fputs("#define OPENSSL_DES_LIBDES_COMPATIBILITY\n", f);
+    fputs("#endif\n", f);
+    fputs("#include <openssl/evp.h>\n", f);
     fputs("#include <openssl/des.h>\n", f);
     fputs("#include <openssl/rc4.h>\n", f);
+    fputs("#include <openssl/rc2.h>\n", f);
+    fputs("#include <openssl/md2.h>\n", f);
     fputs("#include <openssl/md4.h>\n", f);
     fputs("#include <openssl/md5.h>\n", f);
     fputs("#include <openssl/sha.h>\n", f);
-#if ENABLE_AES
     fputs("#include <openssl/aes.h>\n", f);
-#endif    
+    fputs("#include <openssl/ui.h>\n", f);
+    fputs("#include <openssl/rand.h>\n", f);
+    fputs("#include <openssl/engine.h>\n", f);
+    fputs("#include <openssl/pkcs12.h>\n", f);
+    fputs("#include <openssl/pem.h>\n", f);
+    fputs("#include <openssl/hmac.h>\n", f);
+    fputs("#ifndef BN_is_negative\n", f);
+    fputs("#define BN_set_negative(bn, flag) ((bn)->neg=(flag)?1:0)\n", f);
+    fputs("#define BN_is_negative(bn) ((bn)->neg != 0)\n", f);
+    fputs("#endif\n", f);
 #else
-    fputs("#include <des.h>\n", f);
-    fputs("#include <md4.h>\n", f);
-    fputs("#include <md5.h>\n", f);
-    fputs("#include <sha.h>\n", f);
-    fputs("#include <rc4.h>\n", f);
-#ifdef HAVE_OLD_HASH_NAMES
-    fputs("\n", f);
-    fputs("    typedef struct md4 MD4_CTX;\n", f);
-    fputs("#define MD4_Init md4_init\n", f);
-    fputs("#define MD4_Update md4_update\n", f);
-    fputs("#define MD4_Final(D, C) md4_finito((C), (D))\n", f);
-    fputs("\n", f);
-    fputs("    typedef struct md5 MD5_CTX;\n", f);
-    fputs("#define MD5_Init md5_init\n", f);
-    fputs("#define MD5_Update md5_update\n", f);
-    fputs("#define MD5_Final(D, C) md5_finito((C), (D))\n", f);
-    fputs("\n", f);
-    fputs("    typedef struct sha SHA_CTX;\n", f);
-    fputs("#define SHA1_Init sha_init\n", f);
-    fputs("#define SHA1_Update sha_update\n", f);
-    fputs("#define SHA1_Final(D, C) sha_finito((C), (D))\n", f);
-#endif
+    fputs("#ifdef KRB5\n", f);
+    fputs("#include <krb5-types.h>\n", f);
+    fputs("#endif\n", f);
+    fputs("#include <hcrypto/evp.h>\n", f);
+    fputs("#include <hcrypto/des.h>\n", f);
+    fputs("#include <hcrypto/md2.h>\n", f);
+    fputs("#include <hcrypto/md4.h>\n", f);
+    fputs("#include <hcrypto/md5.h>\n", f);
+    fputs("#include <hcrypto/sha.h>\n", f);
+    fputs("#include <hcrypto/rc4.h>\n", f);
+    fputs("#include <hcrypto/rc2.h>\n", f);
+    fputs("#include <hcrypto/aes.h>\n", f);
+    fputs("#include <hcrypto/ui.h>\n", f);
+    fputs("#include <hcrypto/rand.h>\n", f);
+    fputs("#include <hcrypto/engine.h>\n", f);
+    fputs("#include <hcrypto/pkcs12.h>\n", f);
+    fputs("#include <hcrypto/hmac.h>\n", f);
 #endif
     fprintf(f, "#endif /* __%s__ */\n", argv[1]);
     fclose(f);
diff --git a/crypto/heimdal/install-sh b/crypto/heimdal/install-sh
index 77bc381..4fbbae7 100755
--- a/crypto/heimdal/install-sh
+++ b/crypto/heimdal/install-sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 # install - install a program, script, or datafile
 
-scriptversion=2004-02-15.20
+scriptversion=2006-10-14.15
 
 # This originates from X11R5 (mit/util/scripts/install.sh), which was
 # later released in X11R6 (xc/config/util/install.sh) with the
@@ -39,15 +39,24 @@ scriptversion=2004-02-15.20
 # when there is no Makefile.
 #
 # This script is compatible with the BSD install script, but was written
-# from scratch.  It can only install one file at a time, a restriction
-# shared with many OS's install programs.
+# from scratch.
+
+nl='
+'
+IFS=" ""	$nl"
 
 # set DOITPROG to echo to test this script
 
 # Don't use :- since 4.3BSD and earlier shells don't like it.
 doit="${DOITPROG-}"
+if test -z "$doit"; then
+  doit_exec=exec
+else
+  doit_exec=$doit
+fi
 
-# put in absolute paths if you don't have them in your path; or use env. vars.
+# Put in absolute file names if you don't have them in your path;
+# or use environment vars.
 
 mvprog="${MVPROG-mv}"
 cpprog="${CPPROG-cp}"
@@ -58,10 +67,13 @@ stripprog="${STRIPPROG-strip}"
 rmprog="${RMPROG-rm}"
 mkdirprog="${MKDIRPROG-mkdir}"
 
-transformbasename=
-transform_arg=
-instcmd="$mvprog"
-chmodcmd="$chmodprog 0755"
+posix_glob=
+posix_mkdir=
+
+# Desired mode of installed file.
+mode=0755
+
+chmodcmd=$chmodprog
 chowncmd=
 chgrpcmd=
 stripcmd=
@@ -70,23 +82,27 @@ mvcmd="$mvprog"
 src=
 dst=
 dir_arg=
+dstarg=
+no_target_directory=
 
-usage="Usage: $0 [OPTION]... SRCFILE DSTFILE
+usage="Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
    or: $0 [OPTION]... SRCFILES... DIRECTORY
-   or: $0 -d DIRECTORIES...
+   or: $0 [OPTION]... -t DIRECTORY SRCFILES...
+   or: $0 [OPTION]... -d DIRECTORIES...
 
-In the first form, install SRCFILE to DSTFILE, removing SRCFILE by default.
-In the second, create the directory path DIR.
+In the 1st form, copy SRCFILE to DSTFILE.
+In the 2nd and 3rd, copy all SRCFILES to DIRECTORY.
+In the 4th, create DIRECTORIES.
 
 Options:
--b=TRANSFORMBASENAME
--c         copy source (using $cpprog) instead of moving (using $mvprog).
+-c         (ignored)
 -d         create directories instead of installing files.
--g GROUP   $chgrp installed files to GROUP.
--m MODE    $chmod installed files to MODE.
--o USER    $chown installed files to USER.
--s         strip installed files (using $stripprog).
--t=TRANSFORM
+-g GROUP   $chgrpprog installed files to GROUP.
+-m MODE    $chmodprog installed files to MODE.
+-o USER    $chownprog installed files to USER.
+-s         $stripprog installed files.
+-t DIRECTORY  install into DIRECTORY.
+-T         report an error if DSTFILE is a directory.
 --help     display this help and exit.
 --version  display version info and exit.
 
@@ -94,14 +110,9 @@ Environment variables override the default commands:
   CHGRPPROG CHMODPROG CHOWNPROG CPPROG MKDIRPROG MVPROG RMPROG STRIPPROG
 "
 
-while test -n "$1"; do
+while test $# -ne 0; do
   case $1 in
-    -b=*) transformbasename=`echo $1 | sed 's/-b=//'`
-        shift
-        continue;;
-
-    -c) instcmd=$cpprog
-        shift
+    -c) shift
         continue;;
 
     -d) dir_arg=true
@@ -113,11 +124,17 @@ while test -n "$1"; do
         shift
         continue;;
 
-    --help) echo "$usage"; exit 0;;
+    --help) echo "$usage"; exit $?;;
 
-    -m) chmodcmd="$chmodprog $2"
+    -m) mode=$2
         shift
         shift
+	case $mode in
+	  *' '* | *'	'* | *'
+'*	  | *'*'* | *'?'* | *'['*)
+	    echo "$0: invalid mode: $mode" >&2
+	    exit 1;;
+	esac
         continue;;
 
     -o) chowncmd="$chownprog $2"
@@ -129,30 +146,44 @@ while test -n "$1"; do
         shift
         continue;;
 
-    -t=*) transformarg=`echo $1 | sed 's/-t=//'`
-        shift
-        continue;;
+    -t) dstarg=$2
+	shift
+	shift
+	continue;;
 
-    --version) echo "$0 $scriptversion"; exit 0;;
-
-    *)  # When -d is used, all remaining arguments are directories to create.
-	test -n "$dir_arg" && break
-        # Otherwise, the last argument is the destination.  Remove it from $@.
-	for arg
-	do
-          if test -n "$dstarg"; then
-	    # $@ is not empty: it contains at least $arg.
-	    set fnord "$@" "$dstarg"
-	    shift # fnord
-	  fi
-	  shift # arg
-	  dstarg=$arg
-	done
+    -T) no_target_directory=true
+	shift
+	continue;;
+
+    --version) echo "$0 $scriptversion"; exit $?;;
+
+    --)	shift
 	break;;
+
+    -*)	echo "$0: invalid option: $1" >&2
+	exit 1;;
+
+    *)  break;;
   esac
 done
 
-if test -z "$1"; then
+if test $# -ne 0 && test -z "$dir_arg$dstarg"; then
+  # When -d is used, all remaining arguments are directories to create.
+  # When -t is used, the destination is already specified.
+  # Otherwise, the last argument is the destination.  Remove it from $@.
+  for arg
+  do
+    if test -n "$dstarg"; then
+      # $@ is not empty: it contains at least $arg.
+      set fnord "$@" "$dstarg"
+      shift # fnord
+    fi
+    shift # arg
+    dstarg=$arg
+  done
+fi
+
+if test $# -eq 0; then
   if test -z "$dir_arg"; then
     echo "$0: no input file specified." >&2
     exit 1
@@ -162,6 +193,33 @@ if test -z "$1"; then
   exit 0
 fi
 
+if test -z "$dir_arg"; then
+  trap '(exit $?); exit' 1 2 13 15
+
+  # Set umask so as not to create temps with too-generous modes.
+  # However, 'strip' requires both read and write access to temps.
+  case $mode in
+    # Optimize common cases.
+    *644) cp_umask=133;;
+    *755) cp_umask=22;;
+
+    *[0-7])
+      if test -z "$stripcmd"; then
+	u_plus_rw=
+      else
+	u_plus_rw='% 200'
+      fi
+      cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;;
+    *)
+      if test -z "$stripcmd"; then
+	u_plus_rw=
+      else
+	u_plus_rw=,u+rw
+      fi
+      cp_umask=$mode$u_plus_rw;;
+  esac
+fi
+
 for src
 do
   # Protect names starting with `-'.
@@ -171,16 +229,12 @@ do
 
   if test -n "$dir_arg"; then
     dst=$src
-    src=
-
-    if test -d "$dst"; then
-      instcmd=:
-      chmodcmd=
-    else
-      instcmd=$mkdirprog
-    fi
+    dstdir=$dst
+    test -d "$dstdir"
+    dstdir_status=$?
   else
-    # Waiting for this to be detected by the "$instcmd $src $dsttmp" command
+
+    # Waiting for this to be detected by the "$cpprog $src $dsttmp" command
     # might cause directories to be created, which would be especially bad
     # if $src (and thus $dsttmp) contains '*'.
     if test ! -f "$src" && test ! -d "$src"; then
@@ -202,112 +256,249 @@ do
     # If destination is a directory, append the input filename; won't work
     # if double slashes aren't ignored.
     if test -d "$dst"; then
-      dst=$dst/`basename "$src"`
+      if test -n "$no_target_directory"; then
+	echo "$0: $dstarg: Is a directory" >&2
+	exit 1
+      fi
+      dstdir=$dst
+      dst=$dstdir/`basename "$src"`
+      dstdir_status=0
+    else
+      # Prefer dirname, but fall back on a substitute if dirname fails.
+      dstdir=`
+	(dirname "$dst") 2>/dev/null ||
+	expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	     X"$dst" : 'X\(//\)[^/]' \| \
+	     X"$dst" : 'X\(//\)$' \| \
+	     X"$dst" : 'X\(/\)' \| . 2>/dev/null ||
+	echo X"$dst" |
+	    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+		   s//\1/
+		   q
+		 }
+		 /^X\(\/\/\)[^/].*/{
+		   s//\1/
+		   q
+		 }
+		 /^X\(\/\/\)$/{
+		   s//\1/
+		   q
+		 }
+		 /^X\(\/\).*/{
+		   s//\1/
+		   q
+		 }
+		 s/.*/./; q'
+      `
+
+      test -d "$dstdir"
+      dstdir_status=$?
     fi
   fi
 
-  # This sed command emulates the dirname command.
-  dstdir=`echo "$dst" | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
-
-  # Make sure that the destination directory exists.
-
-  # Skip lots of stat calls in the usual case.
-  if test ! -d "$dstdir"; then
-    defaultIFS='
-	 '
-    IFS="${IFS-$defaultIFS}"
-
-    oIFS=$IFS
-    # Some sh's can't handle IFS=/ for some reason.
-    IFS='%'
-    set - `echo "$dstdir" | sed -e 's@/@%@g' -e 's@^%@/@'`
-    IFS=$oIFS
+  obsolete_mkdir_used=false
+
+  if test $dstdir_status != 0; then
+    case $posix_mkdir in
+      '')
+	# Create intermediate dirs using mode 755 as modified by the umask.
+	# This is like FreeBSD 'install' as of 1997-10-28.
+	umask=`umask`
+	case $stripcmd.$umask in
+	  # Optimize common cases.
+	  *[2367][2367]) mkdir_umask=$umask;;
+	  .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;;
+
+	  *[0-7])
+	    mkdir_umask=`expr $umask + 22 \
+	      - $umask % 100 % 40 + $umask % 20 \
+	      - $umask % 10 % 4 + $umask % 2
+	    `;;
+	  *) mkdir_umask=$umask,go-w;;
+	esac
+
+	# With -d, create the new directory with the user-specified mode.
+	# Otherwise, rely on $mkdir_umask.
+	if test -n "$dir_arg"; then
+	  mkdir_mode=-m$mode
+	else
+	  mkdir_mode=
+	fi
+
+	posix_mkdir=false
+	case $umask in
+	  *[123567][0-7][0-7])
+	    # POSIX mkdir -p sets u+wx bits regardless of umask, which
+	    # is incompatible with FreeBSD 'install' when (umask & 300) != 0.
+	    ;;
+	  *)
+	    tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
+	    trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
+
+	    if (umask $mkdir_umask &&
+		exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
+	    then
+	      if test -z "$dir_arg" || {
+		   # Check for POSIX incompatibilities with -m.
+		   # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
+		   # other-writeable bit of parent directory when it shouldn't.
+		   # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
+		   ls_ld_tmpdir=`ls -ld "$tmpdir"`
+		   case $ls_ld_tmpdir in
+		     d????-?r-*) different_mode=700;;
+		     d????-?--*) different_mode=755;;
+		     *) false;;
+		   esac &&
+		   $mkdirprog -m$different_mode -p -- "$tmpdir" && {
+		     ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
+		     test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
+		   }
+		 }
+	      then posix_mkdir=:
+	      fi
+	      rmdir "$tmpdir/d" "$tmpdir"
+	    else
+	      # Remove any dirs left behind by ancient mkdir implementations.
+	      rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
+	    fi
+	    trap '' 0;;
+	esac;;
+    esac
 
-    pathcomp=
+    if
+      $posix_mkdir && (
+	umask $mkdir_umask &&
+	$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir"
+      )
+    then :
+    else
 
-    while test $# -ne 0 ; do
-      pathcomp=$pathcomp$1
+      # The umask is ridiculous, or mkdir does not conform to POSIX,
+      # or it failed possibly due to a race condition.  Create the
+      # directory the slow way, step by step, checking for races as we go.
+
+      case $dstdir in
+	/*) prefix=/ ;;
+	-*) prefix=./ ;;
+	*)  prefix= ;;
+      esac
+
+      case $posix_glob in
+        '')
+	  if (set -f) 2>/dev/null; then
+	    posix_glob=true
+	  else
+	    posix_glob=false
+	  fi ;;
+      esac
+
+      oIFS=$IFS
+      IFS=/
+      $posix_glob && set -f
+      set fnord $dstdir
       shift
-      if test ! -d "$pathcomp"; then
-        $mkdirprog "$pathcomp" || lasterr=$?
-	# mkdir can fail with a `File exist' error in case several
-	# install-sh are creating the directory concurrently.  This
-	# is OK.
-	test ! -d "$pathcomp" && { (exit ${lasterr-1}); exit; }
+      $posix_glob && set +f
+      IFS=$oIFS
+
+      prefixes=
+
+      for d
+      do
+	test -z "$d" && continue
+
+	prefix=$prefix$d
+	if test -d "$prefix"; then
+	  prefixes=
+	else
+	  if $posix_mkdir; then
+	    (umask=$mkdir_umask &&
+	     $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
+	    # Don't fail if two instances are running concurrently.
+	    test -d "$prefix" || exit 1
+	  else
+	    case $prefix in
+	      *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;;
+	      *) qprefix=$prefix;;
+	    esac
+	    prefixes="$prefixes '$qprefix'"
+	  fi
+	fi
+	prefix=$prefix/
+      done
+
+      if test -n "$prefixes"; then
+	# Don't fail if two instances are running concurrently.
+	(umask $mkdir_umask &&
+	 eval "\$doit_exec \$mkdirprog $prefixes") ||
+	  test -d "$dstdir" || exit 1
+	obsolete_mkdir_used=true
       fi
-      pathcomp=$pathcomp/
-    done
+    fi
   fi
 
   if test -n "$dir_arg"; then
-    $doit $instcmd "$dst" \
-      && { test -z "$chowncmd" || $doit $chowncmd "$dst"; } \
-      && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } \
-      && { test -z "$stripcmd" || $doit $stripcmd "$dst"; } \
-      && { test -z "$chmodcmd" || $doit $chmodcmd "$dst"; }
-
+    { test -z "$chowncmd" || $doit $chowncmd "$dst"; } &&
+    { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } &&
+    { test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false ||
+      test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1
   else
-    # If we're going to rename the final executable, determine the name now.
-    if test -z "$transformarg"; then
-      dstfile=`basename "$dst"`
-    else
-      dstfile=`basename "$dst" $transformbasename \
-               | sed $transformarg`$transformbasename
-    fi
-
-    # don't allow the sed command to completely eliminate the filename.
-    test -z "$dstfile" && dstfile=`basename "$dst"`
 
     # Make a couple of temp file names in the proper directory.
     dsttmp=$dstdir/_inst.$$_
     rmtmp=$dstdir/_rm.$$_
 
     # Trap to clean up those temp files at exit.
-    trap 'status=$?; rm -f "$dsttmp" "$rmtmp" && exit $status' 0
-    trap '(exit $?); exit' 1 2 13 15
+    trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
 
-    # Move or copy the file name to the temp name
-    $doit $instcmd "$src" "$dsttmp" &&
+    # Copy the file name to the temp name.
+    (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") &&
 
     # and set any options; do chmod last to preserve setuid bits.
     #
     # If any of these fail, we abort the whole thing.  If we want to
     # ignore errors from any of these, just make sure not to ignore
-    # errors from the above "$doit $instcmd $src $dsttmp" command.
+    # errors from the above "$doit $cpprog $src $dsttmp" command.
     #
     { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } \
       && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } \
       && { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } \
-      && { test -z "$chmodcmd" || $doit $chmodcmd "$dsttmp"; } &&
-
-    # Now remove or move aside any old file at destination location.  We
-    # try this two ways since rm can't unlink itself on some systems and
-    # the destination file might be busy for other reasons.  In this case,
-    # the final cleanup might fail but the new file should still install
-    # successfully.
-    {
-      if test -f "$dstdir/$dstfile"; then
-        $doit $rmcmd -f "$dstdir/$dstfile" 2>/dev/null \
-        || $doit $mvcmd -f "$dstdir/$dstfile" "$rmtmp" 2>/dev/null \
-        || {
-	  echo "$0: cannot unlink or rename $dstdir/$dstfile" >&2
-	  (exit 1); exit
-        }
-      else
-        :
-      fi
-    } &&
+      && { test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } &&
 
     # Now rename the file to the real destination.
-    $doit $mvcmd "$dsttmp" "$dstdir/$dstfile"
-  fi || { (exit 1); exit; }
+    { $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null \
+      || {
+	   # The rename failed, perhaps because mv can't rename something else
+	   # to itself, or perhaps because mv is so ancient that it does not
+	   # support -f.
+
+	   # Now remove or move aside any old file at destination location.
+	   # We try this two ways since rm can't unlink itself on some
+	   # systems and the destination file might be busy for other
+	   # reasons.  In this case, the final cleanup might fail but the new
+	   # file should still install successfully.
+	   {
+	     if test -f "$dst"; then
+	       $doit $rmcmd -f "$dst" 2>/dev/null \
+	       || { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null \
+		     && { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }; }\
+	       || {
+		 echo "$0: cannot unlink or rename $dst" >&2
+		 (exit 1); exit 1
+	       }
+	     else
+	       :
+	     fi
+	   } &&
+
+	   # Now rename the file to the real destination.
+	   $doit $mvcmd "$dsttmp" "$dst"
+	 }
+    } || exit 1
+
+    trap '' 0
+  fi
 done
 
-# The final little trick to "correctly" pass the exit status to the exit trap.
-{
-  (exit 0); exit
-}
-
 # Local variables:
 # eval: (add-hook 'write-file-hooks 'time-stamp)
 # time-stamp-start: "scriptversion="
diff --git a/crypto/heimdal/kadmin/ChangeLog b/crypto/heimdal/kadmin/ChangeLog
index 8bfbeed..ef1d458 100644
--- a/crypto/heimdal/kadmin/ChangeLog
+++ b/crypto/heimdal/kadmin/ChangeLog
@@ -1,9 +1,399 @@
+2007-12-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kadmin.c: Use hdb_db_dir().
+
+	* kadmind.c: Use hdb_db_dir().
+
+2007-07-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* util.c: Clear error string, just to be sure.
+
+2007-05-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kadmin-commands.in: modify --pkinit-acl
+
+	* mod.c: add pk-init command
+	
+2007-02-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kadmin.8: document kadmin add_enctype functionallity.
+
+	* Makefile.am: Add new command, add_enctype.
+
+	* kadmin-commands.in: Add new command, add_enctype.
+
+	* add_enctype.c: Add support for adding a random key enctype to a
+	principal.
+	
+2007-02-17  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* mod.c: add setting and displaying aliases
+
+	* get.c: add setting and displaying aliases
+
+	* kadmin-commands.in: add setting and displaying aliases
+
+2006-12-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* util.c: Make str2time_t parser more robust.
+
+	* Makefile.am: Add test_util test program.
+
+	* test_util.c: Test str2time_t parser.
+	
+2006-12-05  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* add-random-users.c: Use strcspn to remove \n from fgets
+	result. Prompted by change by Ray Lai of OpenBSD via Björn
+	Sandell.
+	
+2006-10-22  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* mod.c: Try to not leak memory.
+
+	* check.c: Try to not leak memory.
+	
+2006-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: split build files into dist_ and noinst_ SOURCES
+	
+2006-08-28  Love Hörnquist Åstrand <lha@it.su.se>
+
+	* kadmin.c (help): use sl_slc_help().
+	
+2006-08-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* util.c: Add KRB5_KDB_ALLOW_DIGEST
+	
+2006-07-14  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* get.c (format_field): optionally print issuer and anchor.
+	
+2006-06-21  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* check.c: Check if afs@REALM and afs/cellname@REALM both exists.
+	
+2006-06-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* util.c (kdb_attrs): Add KRB5_KDB_ALLOW_KERBEROS4
+	
+2006-06-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* mod.c (do_mod_entry): Add setting 1 delegation entry
+	
+2006-06-01  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* server.c: Less shadowing.
+	
+2006-05-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: kadmin_SOURCES += add check.c
+
+	* kadmin_locl.h: Avoid shadowing.
+
+	* kadmin.8: Document the new check command.
+
+	* kadmin-commands.in: Add check command
+
+	* check.c: Check database for strange configurations on default
+	principals.
+	
+2006-05-08  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* server.c (kadm_get_privs): one less "pointer targets in passing
+	argument differ in signedness" warning.
+	
+2006-05-05  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* dump-format.txt: Moved to info documentation.
+
+	* Rename u_intXX_t to uintXX_t
+	
+2006-05-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kadmin.8: spelling, update .Dd
+	
+2006-04-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* add-random-users.c: Catch empty file case. From Tobias
+	Stoeckmann.
+	
+2006-04-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* random_password.c (generate_password): memory leak in error
+	condition case From Coverity NetBSD CID#1887
+	
+2006-02-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cpw.c (cpw_entry): make sure ret have a defined value
+
+	* del.c (del_entry): make sure ret have a defined value
+
+	* mod.c: Return error code so that toplevel function can catch
+	them.
+	
+2006-01-25  Love Hörnquist Åstrand <lha@it.su.se>
+
+	* cpw.c (cpw_entry): return 1 on failure.
+
+	* rename.c (rename_entry): return 1 on failure.
+
+	* del.c (del_entry): return 1 on failure.
+
+	* ank.c (add_new_key): return 1 on failure.
+
+	* get.c: Add printing of pkinit-acls. Don't print password by
+	default. Return 1 on failure processing any of the principals.
+
+	* util.c (foreach_principal): If any of calls to `func' failes,
+	the first error is returned when all principals are processed.
+	
+2005-12-01  Love Hörnquist Åstrand <lha@it.su.se>
+	
+	* kadmin-commands.in: Add ank as an alias to add, it lost in
+	transition to slc, from Måns Nilsson.
+	
+2005-09-14  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* dump-format.txt: Add extensions, fill in missing fields.
+
+2005-09-08  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* init.c (create_random_entry): create principal with random
+	password even though its disabled. From Andrew Bartlet
+	<abartlet@samba.org>
+	
+2005-09-01  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* kadm_conn.c: Use socket_set_reuseaddr and socket_set_ipv6only.
+	
+2005-08-11  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* get.c: Remove structure that is never used (sneaked in the large
+	TL_DATA patch).
+
+	* kadmin-commands.in: Rename password-quality to
+	verify-password-quality.
+	
+	* get.c: Indent.
+	
+	* server.c: Avoid shadowing exp().
+
+	* load.c: Parse extensions.
+
+	* kadmin_locl.h: Include <hex.h>.
+	
+	* get.c: Extend struct field_name to have a subvalue and a
+	extra_mask.  Use that to implement printing of KADM5_TL_DATA
+	options and fix a dependency bug (keys needed principal to print
+	the salting).
+	
+2005-07-08  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* lower amount of shadow and const warnings
+
+2005-06-07  David Love  <fx@gnu.org>
+
+	* dump-format.txt: Clarify, spelling and add examples.
+	
+2005-05-30  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* util.c (kdb_attrs): add ok-as-delegate
+
+	* get.c (getit): init data.mask to 0.  Problem found by Andrew
+	Bartlett <abartlet@samba.org>
+
+2005-05-09  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* kadmin.c (main): catch -2 as EOF
+
+2005-05-03  Dave Love  <d.love@dl.ac.uk>
+
+	* init.c (init): Don't disable forwardable for kadmin/changepw.
+
+2005-05-02  Dave Love  <d.love@dl.ac.uk>
+
+	* kadmin.c (help): Don't use non-constant initializer for `fake'.
+
+2005-04-20  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* util.c (foreach_principal): initialize ret to make sure it have
+	a value
+
+2005-04-04  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* kadmind.c: add verifier libraries with
+	kadm5_add_passwd_quality_verifier
+
+	* kadmin.c: add verifier libraries with
+	kadm5_add_passwd_quality_verifier
+
+	* load.c: max-life and max-renew is of unsigned int in asn1
+	compiler, use that for the parser too
+
+2005-03-26  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* kadmin.8: List of attributes, from James F.  Hranicky
+	<jfh@cise.ufl.edu>
+
+2005-01-19  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* dump.c (dump): handle errors
+
+2005-01-08 Love Hörquist Åstrand <lha@it.su.se>
+
+	* dump-format.txt: text dump format
+
+2004-12-08  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* kadmind.8: use keeps around options, from OpenBSD
+	
+	* kadmin.8: use keeps around options, "improve" spelling, from
+	openbsd
+
+2004-11-01  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* get.c (getit): always free columns
+	
+	* ank.c (add_one_principal): catch error from
+	UI_UTIL_read_pw_string
+
+2004-10-31  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* del_enctype.c (del_enctype): fix off-by-one error in del_enctype
+	From: <ragge@ludd.luth.se>
+	
+2004-08-13  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* get.c: print keytypes on long format
+	
+2004-07-06  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* get.c (format_field): allow mod_name to be optional
+	
+	* ext.c (do_ext_keytab): if there isn't any keydata, try using
+	kadm5_randkey_principal
+
+2004-07-02  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* load.c: make merge/load work again
+	
+	* del.c: fix usage string
+	
+	* ank.c: fix slc lossage
+	
+2004-06-28  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* kadmin.c: use kadm5_ad_init_with_password_ctx
+	
+2004-06-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kadmin.8: document get -o and stash
+	
+	* get.c: implement output column selection, similar to ps -o
+	
+	* kadmin-commands.in: make get -l the default again, and add
+	column selection flag; sync list with get
+	
+2004-06-24  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kadmin-commands.in: mod needs default kvno of -1
+	
+2004-06-21  Johan Danielsson  <joda@pdc.kth.se>
+	
+	* kadmin: convert to use slc; also add stash subcommand
+
+2004-06-15  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* kadmin.c (main): keytab mode requires principal name
+	
+2004-06-12  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* kadmind.c: drop keyfile, not used, found by
+	Elrond <elrond@samba-tng.org>
+	
+	* kadmin.c: if keyfile is set, pass in to libkadm5 bug pointed out
+	by Elrond <elrond@samba-tng.org>
+	
+2004-05-31  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* kadmin.c: add --ad flag, XXX rewrite the init kadm5 interface
+	
+2004-05-13  Johan Danielsson  <joda@pdc.kth.se>
+
+	* nuke kerberos 4 kadmin goo
+
+2004-05-07  Johan Danielsson  <joda@pdc.kth.se>
+
+	* util.c (str2time_t): fix end-of-day logic, from Duncan
+	McEwan/Mark Davies.
+
 2004-04-29  Love Hörquist Åstrand  <lha@it.su.se>
 
-	* version4.c: 1.30: (handle_v4): make sure length is longer then
-	2, Pointed out by Evgeny Demidov <demidov@gleg.net>
+	* version4.c (handle_v4): make sure length is longer then 2,
+	Pointed out by Evgeny Demidov <demidov@gleg.net>
+	
+	* kadmind.c: make kerberos4 support default turned off
+	
+2004-03-24  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kadmin.8: update manpage
+	
+	* mod.c: allow wildcarding principals, and make parameters a work
+	same as if prompted
+	
+2004-03-08  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* kadmin.8: document password-quality
+	
+	* kadmin_locl.h: add prototype for password_quality
+	
+	* kadmin.c: add password-quality/pwq command
+	
+	* Makefile.am: kadmin_SOURCES += pw_quality.c
+	
+	* pw_quality.c: test run the password quality function
+	
+2004-03-07  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* ank.c (add_one_principal): even though the principal is disabled
+	(creation of random key/keydata), create it with a random password
 	
-	* kadmind.c: 1.31: make kerberos4 support default turned off
+2003-12-07  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* init.c (create_random_entry): print error message on failure
+	
+	* ank.c (add_one_principal): pass right argument to
+	kadm5_free_principal_ent From Panasas, Inc
+	
+2003-11-18  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* kadmind.c (main): move opening the logfile to after reading
+	kdc.conf move the loading of hdb keytab ops closer to where its
+	used From: Jeffrey Hutzelman <jhutz@cmu.edu>
+	
+2003-10-04  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* util.c (str2time_t): allow whitespace between date and time
+	From: Bob Beck <beck@cvs.openbsd.org> and adharw@yahoo.com
+	
+2003-09-03  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* ank.c: s/des_read_pw_string/UI_UTIL_read_pw_string/
+	
+	* cpw.c: s/des_read_pw_string/UI_UTIL_read_pw_string/
+	
+2003-08-21  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* get.c (print_entry_terse): handle error when unparsing name
+	
+2003-08-18  Love Hörquist Åstrand  <lha@it.su.se>
+
+	* kadmind.c (main): use krb5_prepend_config_files_default, now all
+	options in kdc.conf is parsed, not just [kdc]key-file=
+	
+	* kadmin.c (main): use krb5_prepend_config_files_default, now all
+	options in kdc.conf is parsed, not just [kdc]key-file=
 	
 2003-04-14  Love Hörquist Åstrand  <lha@it.su.se>
 
@@ -36,6 +426,25 @@
 	change it own password to a key, since that password might violate
 	the password quality check.
 
+2002-12-03  Johan Danielsson  <joda@pdc.kth.se>
+
+	* util.c (get_response): print a newline if interrupted
+
+	* mod.c (mod_entry): check return value from edit_entry
+
+	* ank.c (add_one_principal): check return value from edit_entry
+
+	* ank.c (add_one_principal): don't continue if create_principal
+	fails
+
+	* init.c: check return value from edit_deltat
+
+	* init.c: add --help
+
+2002-10-29  Johan Danielsson  <joda@pdc.kth.se>
+
+	* version4.c: speling (from Tomas Olsson)
+
 2002-10-23  Assar Westerlund  <assar@kth.se>
 
 	* version4.c (decode_packet): check the length of the version
diff --git a/crypto/heimdal/kadmin/Makefile.am b/crypto/heimdal/kadmin/Makefile.am
index 3e9e406..323439a 100644
--- a/crypto/heimdal/kadmin/Makefile.am
+++ b/crypto/heimdal/kadmin/Makefile.am
@@ -1,19 +1,23 @@
-# $Id: Makefile.am,v 1.34 2001/08/28 08:31:26 assar Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += $(INCLUDE_readline) $(INCLUDE_krb4) $(INCLUDE_des) -I$(srcdir)/../lib/krb5
+AM_CPPFLAGS += $(INCLUDE_readline) $(INCLUDE_hcrypto) -I$(srcdir)/../lib/krb5
 
 sbin_PROGRAMS = kadmin
 
 libexec_PROGRAMS = kadmind
 
+SLC = $(top_builddir)/lib/sl/slc
+
 man_MANS = kadmin.8 kadmind.8
 
 noinst_PROGRAMS = add_random_users
 
-kadmin_SOURCES =				\
+dist_kadmin_SOURCES =				\
 	ank.c					\
+	add_enctype.c				\
+	check.c					\
 	cpw.c					\
 	del.c					\
 	del_enctype.c				\
@@ -25,14 +29,22 @@ kadmin_SOURCES =				\
 	load.c					\
 	mod.c					\
 	rename.c				\
+	stash.c					\
 	util.c					\
+	pw_quality.c				\
 	random_password.c			\
 	kadmin_locl.h
 
-if KRB4
-KRB4LIB = $(LIB_krb4)
-version4_c = version4.c
-endif
+nodist_kadmin_SOURCES =				\
+	kadmin-commands.c			\
+	kadmin-commands.h
+
+$(kadmin_OBJECTS): kadmin-commands.h
+
+CLEANFILES = kadmin-commands.h kadmin-commands.c
+
+kadmin-commands.c kadmin-commands.h: kadmin-commands.in
+	$(SLC) $(srcdir)/kadmin-commands.in
 
 kadmind_SOURCES =				\
 	kadmind.c				\
@@ -41,20 +53,24 @@ kadmind_SOURCES =				\
 	$(version4_c)				\
 	kadm_conn.c
 
-EXTRA_kadmind_SOURCES = version4.c
-
 add_random_users_SOURCES = add-random-users.c
 
+test_util_SOURCES = test_util.c util.c
+
+TESTS = test_util
+
+check_PROGRAMS = $(TESTS)
+
 LDADD_common = \
 	$(top_builddir)/lib/hdb/libhdb.la \
 	$(LIB_openldap) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken) \
 	$(DBLIB)
 
-kadmind_LDADD = $(KRB4LIB) $(top_builddir)/lib/kadm5/libkadm5srv.la \
+kadmind_LDADD = $(top_builddir)/lib/kadm5/libkadm5srv.la \
 	$(LDADD_common) \
 	$(LIB_pidfile) \
 	$(LIB_dlopen)
@@ -72,3 +88,7 @@ add_random_users_LDADD = \
 	$(top_builddir)/lib/kadm5/libkadm5srv.la \
 	$(LDADD_common) \
 	$(LIB_dlopen)
+
+test_util_LDADD = $(kadmin_LDADD)
+
+EXTRA_DIST = $(man_MANS) kadmin-commands.in
diff --git a/crypto/heimdal/kadmin/Makefile.in b/crypto/heimdal/kadmin/Makefile.in
index 19d7215..746cb48 100644
--- a/crypto/heimdal/kadmin/Makefile.in
+++ b/crypto/heimdal/kadmin/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,23 +14,17 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.34 2001/08/28 08:31:26 assar Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
-SOURCES = $(add_random_users_SOURCES) $(kadmin_SOURCES) $(kadmind_SOURCES) $(EXTRA_kadmind_SOURCES)
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -42,6 +36,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -49,19 +44,19 @@ DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 sbin_PROGRAMS = kadmin$(EXEEXT)
 libexec_PROGRAMS = kadmind$(EXEEXT)
 noinst_PROGRAMS = add_random_users$(EXEEXT)
+TESTS = test_util$(EXEEXT)
+check_PROGRAMS = $(am__EXEEXT_1)
 subdir = kadmin
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -74,6 +69,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -82,19 +78,25 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"
+am__EXEEXT_1 = test_util$(EXEEXT)
+am__installdirs = "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(sbindir)" \
+	"$(DESTDIR)$(man8dir)"
 libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(libexec_PROGRAMS) $(noinst_PROGRAMS) $(sbin_PROGRAMS)
@@ -109,54 +111,55 @@ add_random_users_DEPENDENCIES =  \
 	$(top_builddir)/lib/kadm5/libkadm5clnt.la \
 	$(top_builddir)/lib/kadm5/libkadm5srv.la $(am__DEPENDENCIES_2) \
 	$(am__DEPENDENCIES_1)
-am_kadmin_OBJECTS = ank.$(OBJEXT) cpw.$(OBJEXT) del.$(OBJEXT) \
+dist_kadmin_OBJECTS = ank.$(OBJEXT) add_enctype.$(OBJEXT) \
+	check.$(OBJEXT) cpw.$(OBJEXT) del.$(OBJEXT) \
 	del_enctype.$(OBJEXT) dump.$(OBJEXT) ext.$(OBJEXT) \
 	get.$(OBJEXT) init.$(OBJEXT) kadmin.$(OBJEXT) load.$(OBJEXT) \
-	mod.$(OBJEXT) rename.$(OBJEXT) util.$(OBJEXT) \
-	random_password.$(OBJEXT)
-kadmin_OBJECTS = $(am_kadmin_OBJECTS)
+	mod.$(OBJEXT) rename.$(OBJEXT) stash.$(OBJEXT) util.$(OBJEXT) \
+	pw_quality.$(OBJEXT) random_password.$(OBJEXT)
+nodist_kadmin_OBJECTS = kadmin-commands.$(OBJEXT)
+kadmin_OBJECTS = $(dist_kadmin_OBJECTS) $(nodist_kadmin_OBJECTS)
 kadmin_DEPENDENCIES = $(top_builddir)/lib/kadm5/libkadm5clnt.la \
 	$(top_builddir)/lib/kadm5/libkadm5srv.la \
 	$(top_builddir)/lib/sl/libsl.la $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1)
-am__kadmind_SOURCES_DIST = kadmind.c server.c kadmin_locl.h version4.c \
-	kadm_conn.c
-@KRB4_TRUE@am__objects_1 = version4.$(OBJEXT)
 am_kadmind_OBJECTS = kadmind.$(OBJEXT) server.$(OBJEXT) \
-	$(am__objects_1) kadm_conn.$(OBJEXT)
+	kadm_conn.$(OBJEXT)
 kadmind_OBJECTS = $(am_kadmind_OBJECTS)
-@KRB4_TRUE@am__DEPENDENCIES_3 = $(am__DEPENDENCIES_1)
-kadmind_DEPENDENCIES = $(am__DEPENDENCIES_3) \
-	$(top_builddir)/lib/kadm5/libkadm5srv.la $(am__DEPENDENCIES_2) \
-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+kadmind_DEPENDENCIES = $(top_builddir)/lib/kadm5/libkadm5srv.la \
+	$(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1)
+am_test_util_OBJECTS = test_util.$(OBJEXT) util.$(OBJEXT)
+test_util_OBJECTS = $(am_test_util_OBJECTS)
+am__DEPENDENCIES_3 = $(top_builddir)/lib/kadm5/libkadm5clnt.la \
+	$(top_builddir)/lib/kadm5/libkadm5srv.la \
+	$(top_builddir)/lib/sl/libsl.la $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1)
+test_util_DEPENDENCIES = $(am__DEPENDENCIES_3)
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
-SOURCES = $(add_random_users_SOURCES) $(kadmin_SOURCES) \
-	$(kadmind_SOURCES) $(EXTRA_kadmind_SOURCES)
-DIST_SOURCES = $(add_random_users_SOURCES) $(kadmin_SOURCES) \
-	$(am__kadmind_SOURCES_DIST) $(EXTRA_kadmind_SOURCES)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(add_random_users_SOURCES) $(dist_kadmin_SOURCES) \
+	$(nodist_kadmin_SOURCES) $(kadmind_SOURCES) \
+	$(test_util_SOURCES)
+DIST_SOURCES = $(add_random_users_SOURCES) $(dist_kadmin_SOURCES) \
+	$(kadmind_SOURCES) $(test_util_SOURCES)
 man8dir = $(mandir)/man8
 MANS = $(man_MANS)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -166,8 +169,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -178,11 +179,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -190,42 +190,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -243,12 +228,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -258,15 +240,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -275,6 +256,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -286,15 +268,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -302,74 +279,80 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_readline) $(INCLUDE_krb4) $(INCLUDE_des) -I$(srcdir)/../lib/krb5
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	$(INCLUDE_readline) $(INCLUDE_hcrypto) -I$(srcdir)/../lib/krb5
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -386,10 +369,14 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+SLC = $(top_builddir)/lib/sl/slc
 man_MANS = kadmin.8 kadmind.8
-kadmin_SOURCES = \
+dist_kadmin_SOURCES = \
 	ank.c					\
+	add_enctype.c				\
+	check.c					\
 	cpw.c					\
 	del.c					\
 	del_enctype.c				\
@@ -401,12 +388,17 @@ kadmin_SOURCES = \
 	load.c					\
 	mod.c					\
 	rename.c				\
+	stash.c					\
 	util.c					\
+	pw_quality.c				\
 	random_password.c			\
 	kadmin_locl.h
 
-@KRB4_TRUE@KRB4LIB = $(LIB_krb4)
-@KRB4_TRUE@version4_c = version4.c
+nodist_kadmin_SOURCES = \
+	kadmin-commands.c			\
+	kadmin-commands.h
+
+CLEANFILES = kadmin-commands.h kadmin-commands.c
 kadmind_SOURCES = \
 	kadmind.c				\
 	server.c				\
@@ -414,18 +406,18 @@ kadmind_SOURCES = \
 	$(version4_c)				\
 	kadm_conn.c
 
-EXTRA_kadmind_SOURCES = version4.c
 add_random_users_SOURCES = add-random-users.c
+test_util_SOURCES = test_util.c util.c
 LDADD_common = \
 	$(top_builddir)/lib/hdb/libhdb.la \
 	$(LIB_openldap) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken) \
 	$(DBLIB)
 
-kadmind_LDADD = $(KRB4LIB) $(top_builddir)/lib/kadm5/libkadm5srv.la \
+kadmind_LDADD = $(top_builddir)/lib/kadm5/libkadm5srv.la \
 	$(LDADD_common) \
 	$(LIB_pidfile) \
 	$(LIB_dlopen)
@@ -444,10 +436,12 @@ add_random_users_LDADD = \
 	$(LDADD_common) \
 	$(LIB_dlopen)
 
+test_util_LDADD = $(kadmin_LDADD)
+EXTRA_DIST = $(man_MANS) kadmin-commands.in
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -477,9 +471,16 @@ $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+clean-checkPROGRAMS:
+	@list='$(check_PROGRAMS)'; for p in $$list; do \
+	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  echo " rm -f $$p $$f"; \
+	  rm -f $$p $$f ; \
+	done
 install-libexecPROGRAMS: $(libexec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(libexecdir)" || $(mkdir_p) "$(DESTDIR)$(libexecdir)"
+	test -z "$(libexecdir)" || $(MKDIR_P) "$(DESTDIR)$(libexecdir)"
 	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -514,7 +515,7 @@ clean-noinstPROGRAMS:
 	done
 install-sbinPROGRAMS: $(sbin_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(sbindir)" || $(mkdir_p) "$(DESTDIR)$(sbindir)"
+	test -z "$(sbindir)" || $(MKDIR_P) "$(DESTDIR)$(sbindir)"
 	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -542,13 +543,16 @@ clean-sbinPROGRAMS:
 	done
 add_random_users$(EXEEXT): $(add_random_users_OBJECTS) $(add_random_users_DEPENDENCIES) 
 	@rm -f add_random_users$(EXEEXT)
-	$(LINK) $(add_random_users_LDFLAGS) $(add_random_users_OBJECTS) $(add_random_users_LDADD) $(LIBS)
+	$(LINK) $(add_random_users_OBJECTS) $(add_random_users_LDADD) $(LIBS)
 kadmin$(EXEEXT): $(kadmin_OBJECTS) $(kadmin_DEPENDENCIES) 
 	@rm -f kadmin$(EXEEXT)
-	$(LINK) $(kadmin_LDFLAGS) $(kadmin_OBJECTS) $(kadmin_LDADD) $(LIBS)
+	$(LINK) $(kadmin_OBJECTS) $(kadmin_LDADD) $(LIBS)
 kadmind$(EXEEXT): $(kadmind_OBJECTS) $(kadmind_DEPENDENCIES) 
 	@rm -f kadmind$(EXEEXT)
-	$(LINK) $(kadmind_LDFLAGS) $(kadmind_OBJECTS) $(kadmind_LDADD) $(LIBS)
+	$(LINK) $(kadmind_OBJECTS) $(kadmind_LDADD) $(LIBS)
+test_util$(EXEEXT): $(test_util_OBJECTS) $(test_util_DEPENDENCIES) 
+	@rm -f test_util$(EXEEXT)
+	$(LINK) $(test_util_OBJECTS) $(test_util_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -570,13 +574,9 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 install-man8: $(man8_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)"
+	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
 	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -640,9 +640,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -666,24 +668,95 @@ GTAGS:
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
-distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/.. $(distdir)/../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[	 ]'; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *$$ws$$tst$$ws*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		echo "XPASS: $$tst"; \
+	      ;; \
+	      *) \
+		echo "PASS: $$tst"; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *$$ws$$tst$$ws*) \
+		xfail=`expr $$xfail + 1`; \
+		echo "XFAIL: $$tst"; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		echo "FAIL: $$tst"; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      echo "SKIP: $$tst"; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="All $$all tests passed"; \
+	    else \
+	      banner="All $$all tests behaved as expected ($$xfail expected failures)"; \
+	    fi; \
 	  else \
-	    dir=''; \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all tests failed"; \
+	    else \
+	      banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    skipped="($$skip tests were not run)"; \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
+	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
 	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  test -z "$$skipped" || echo "$$skipped"; \
+	  test -z "$$report" || echo "$$report"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -698,12 +771,13 @@ distdir: $(DISTFILES)
 	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
 	  dist-hook
 check-am: all-am
-	$(MAKE) $(AM_MAKEFLAGS) check-local
+	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
 check: check-am
 all-am: Makefile $(PROGRAMS) $(MANS) all-local
 installdirs:
 	for dir in "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -722,22 +796,24 @@ install-strip:
 mostlyclean-generic:
 
 clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \
-	clean-noinstPROGRAMS clean-sbinPROGRAMS mostlyclean-am
+clean-am: clean-checkPROGRAMS clean-generic clean-libexecPROGRAMS \
+	clean-libtool clean-noinstPROGRAMS clean-sbinPROGRAMS \
+	mostlyclean-am
 
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -753,14 +829,22 @@ install-data-am: install-man
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-libexecPROGRAMS install-sbinPROGRAMS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man: install-man8
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -780,24 +864,31 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-info-am uninstall-libexecPROGRAMS \
-	uninstall-man uninstall-sbinPROGRAMS
+uninstall-am: uninstall-libexecPROGRAMS uninstall-man \
+	uninstall-sbinPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
 
 uninstall-man: uninstall-man8
 
-.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
-	clean clean-generic clean-libexecPROGRAMS clean-libtool \
-	clean-noinstPROGRAMS clean-sbinPROGRAMS ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-exec \
-	install-exec-am install-info install-info-am \
-	install-libexecPROGRAMS install-man install-man8 \
-	install-sbinPROGRAMS install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-info-am \
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
+.PHONY: CTAGS GTAGS all all-am all-local check check-TESTS check-am \
+	check-local clean clean-checkPROGRAMS clean-generic \
+	clean-libexecPROGRAMS clean-libtool clean-noinstPROGRAMS \
+	clean-sbinPROGRAMS ctags dist-hook distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-data-hook install-dvi \
+	install-dvi-am install-exec install-exec-am install-exec-hook \
+	install-html install-html-am install-info install-info-am \
+	install-libexecPROGRAMS install-man install-man8 install-pdf \
+	install-pdf-am install-ps install-ps-am install-sbinPROGRAMS \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am uninstall-hook \
 	uninstall-libexecPROGRAMS uninstall-man uninstall-man8 \
 	uninstall-sbinPROGRAMS
 
@@ -814,8 +905,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -825,19 +916,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -853,7 +956,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -923,14 +1026,44 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
+$(kadmin_OBJECTS): kadmin-commands.h
+
+kadmin-commands.c kadmin-commands.h: kadmin-commands.in
+	$(SLC) $(srcdir)/kadmin-commands.in
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/kadmin/add-random-users.c b/crypto/heimdal/kadmin/add-random-users.c
index ebd1149..b797143 100644
--- a/crypto/heimdal/kadmin/add-random-users.c
+++ b/crypto/heimdal/kadmin/add-random-users.c
@@ -33,7 +33,7 @@
 
 #include "kadmin_locl.h"
 
-RCSID("$Id: add-random-users.c,v 1.6 2001/09/20 09:17:33 assar Exp $");
+RCSID("$Id: add-random-users.c 19213 2006-12-04 23:36:36Z lha $");
 
 #define WORDS_FILENAME "/usr/share/dict/words"
 
@@ -57,8 +57,7 @@ read_words (const char *filename, char ***ret_w)
     while (fgets (buf, sizeof(buf), f) != NULL) {
 	size_t len;
 
-	if (buf[strlen (buf) - 1] == '\n')
-	    buf[strlen (buf) - 1] = '\0';
+	buf[strcspn(buf, "\r\n")] = '\0';
 	if (n >= alloc) {
 	    alloc = max(alloc + 16, alloc * 2);
 	    w = erealloc (w, alloc * sizeof(char **));
@@ -72,6 +71,8 @@ read_words (const char *filename, char ***ret_w)
 	w[n++] = wptr;
 	wptr += len + 1;
     }
+    if (n == 0)
+	errx(1, "%s is an empty file, no words to try", filename);
     *ret_w = w;
     return n;
 }
@@ -156,12 +157,12 @@ usage (int ret)
 int
 main(int argc, char **argv)
 {
-    int optind = 0;
+    int optidx = 0;
     int n = NUSERS;
     const char *filename = WORDS_FILENAME;
 
     setprogname(argv[0]);
-    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
 	usage(1);
     if (help_flag)
 	usage (0);
@@ -170,8 +171,8 @@ main(int argc, char **argv)
 	return 0;
     }
     srand (0);
-    argc -= optind;
-    argv += optind;
+    argc -= optidx;
+    argv += optidx;
 
     if (argc > 0) {
 	if (argc > 1)
diff --git a/crypto/heimdal/kadmin/add_enctype.c b/crypto/heimdal/kadmin/add_enctype.c
new file mode 100644
index 0000000..65337e6
--- /dev/null
+++ b/crypto/heimdal/kadmin/add_enctype.c
@@ -0,0 +1,164 @@
+/*
+ * Copyright (c) 1999-2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+#include "kadmin-commands.h"
+
+RCSID("$Id: add_enctype.c 20287 2007-02-22 03:12:30Z lha $");
+
+/*
+ * del_enctype principal enctypes...
+ */
+
+int
+add_enctype(struct add_enctype_options*opt, int argc, char **argv)
+{
+    kadm5_principal_ent_rec princ;
+    krb5_principal princ_ent = NULL;
+    krb5_error_code ret;
+    const char *princ_name;
+    int i, j;
+    krb5_key_data *new_key_data;
+    int n_etypes;
+    krb5_enctype *etypes;
+
+    if (!opt->random_key_flag) {
+	krb5_warnx (context, "only random key is supported now");
+	return 0;
+    }
+
+    memset (&princ, 0, sizeof(princ));
+    princ_name = argv[0];
+    n_etypes   = argc - 1;
+    etypes     = malloc (n_etypes * sizeof(*etypes));
+    if (etypes == NULL) {
+	krb5_warnx (context, "out of memory");
+	return 0;
+    }
+    argv++;
+    for (i = 0; i < n_etypes; ++i) {
+	ret = krb5_string_to_enctype (context, argv[i], &etypes[i]);
+	if (ret) {
+	    krb5_warnx (context, "bad enctype \"%s\"", argv[i]);
+	    goto out2;
+	}
+    }
+
+    ret = krb5_parse_name(context, princ_name, &princ_ent);
+    if (ret) {
+	krb5_warn (context, ret, "krb5_parse_name %s", princ_name);
+	goto out2;
+    }
+
+    ret = kadm5_get_principal(kadm_handle, princ_ent, &princ,
+			      KADM5_PRINCIPAL | KADM5_KEY_DATA);
+    if (ret) {
+	krb5_free_principal (context, princ_ent);
+	krb5_warnx (context, "no such principal: %s", princ_name);
+	goto out2;
+    }
+
+    new_key_data   = malloc((princ.n_key_data + n_etypes)
+			    * sizeof(*new_key_data));
+    if (new_key_data == NULL) {
+	krb5_warnx (context, "out of memory");
+	goto out;
+    }
+
+    for (i = 0; i < princ.n_key_data; ++i) {
+	krb5_key_data *key = &princ.key_data[i];
+
+	for (j = 0; j < n_etypes; ++j) {
+	    if (etypes[j] == key->key_data_type[0]) {
+		krb5_warnx(context, "enctype %d already exists",
+			   (int)etypes[j]);
+		goto out;
+	    }
+	}
+	new_key_data[i] = *key;
+    }
+
+    for (i = 0; i < n_etypes; ++i) {
+	int n = princ.n_key_data + i;
+	krb5_keyblock keyblock;
+
+	memset(&new_key_data[n], 0, sizeof(new_key_data[n]));
+	new_key_data[n].key_data_ver = 2;
+	new_key_data[n].key_data_kvno = 0;
+
+	ret = krb5_generate_random_keyblock (context, etypes[i], &keyblock);
+	if (ret) {
+	    krb5_warnx(context, "genernate enctype %d failed", (int)etypes[i]);
+	    while (--i >= 0)
+		free(new_key_data[--n].key_data_contents[0]);
+	    goto out;
+	}
+
+	/* key */
+	new_key_data[n].key_data_type[0] = etypes[i];
+	new_key_data[n].key_data_contents[0] = malloc(keyblock.keyvalue.length);
+	if (new_key_data[n].key_data_contents[0] == NULL) {
+	    ret = ENOMEM;
+	    krb5_warn(context, ret, "out of memory");
+	    while (--i >= 0)
+		free(new_key_data[--n].key_data_contents[0]);
+	    goto out;
+	}
+	new_key_data[n].key_data_length[0]   = keyblock.keyvalue.length;
+	memcpy(new_key_data[n].key_data_contents[0],
+	       keyblock.keyvalue.data,
+	       keyblock.keyvalue.length);
+	krb5_free_keyblock_contents(context, &keyblock);
+
+	/* salt */
+	new_key_data[n].key_data_type[1]     = KRB5_PW_SALT;
+	new_key_data[n].key_data_length[1]   = 0;
+	new_key_data[n].key_data_contents[1] = NULL;
+
+    }
+
+    free (princ.key_data);
+    princ.n_key_data += n_etypes;
+    princ.key_data   = new_key_data;
+    new_key_data = NULL;
+
+    ret = kadm5_modify_principal (kadm_handle, &princ, KADM5_KEY_DATA);
+    if (ret)
+	krb5_warn(context, ret, "kadm5_modify_principal");
+out:
+    krb5_free_principal (context, princ_ent);
+    kadm5_free_principal_ent(kadm_handle, &princ);
+out2:
+    free (etypes);
+    return ret != 0;
+}
diff --git a/crypto/heimdal/kadmin/ank.c b/crypto/heimdal/kadmin/ank.c
index a166fb2..7e7cfa8 100644
--- a/crypto/heimdal/kadmin/ank.c
+++ b/crypto/heimdal/kadmin/ank.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,8 +32,9 @@
  */
 
 #include "kadmin_locl.h"
+#include "kadmin-commands.h"
 
-RCSID("$Id: ank.c,v 1.25 2002/12/03 14:11:24 joda Exp $");
+RCSID("$Id: ank.c 16658 2006-01-25 12:29:46Z lha $");
 
 /*
  * fetch the default principal corresponding to `princ'
@@ -117,7 +118,7 @@ add_one_principal (const char *name,
     if(rand_key || key_data) {
 	princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
 	mask |= KADM5_ATTRIBUTES;
-	strlcpy (pwbuf, "hemlig", sizeof(pwbuf));
+	random_password (pwbuf, sizeof(pwbuf));
 	password = pwbuf;
     } else if (rand_password) {
 	random_password (pwbuf, sizeof(pwbuf));
@@ -129,10 +130,13 @@ add_one_principal (const char *name,
 	krb5_unparse_name(context, princ_ent, &princ_name);
 	asprintf (&prompt, "%s's Password: ", princ_name);
 	free (princ_name);
-	ret = des_read_pw_string (pwbuf, sizeof(pwbuf), prompt, 1);
+	ret = UI_UTIL_read_pw_string (pwbuf, sizeof(pwbuf), prompt, 1);
 	free (prompt);
-	if (ret)
+	if (ret) {
+	    krb5_set_error_string(context, "failed to verify password");
+	    ret = KRB5_LIBOS_BADPWDMATCH;
 	    goto out;
+	}
 	password = pwbuf;
     }
     
@@ -176,14 +180,14 @@ add_one_principal (const char *name,
 	char *princ_name;
 
 	krb5_unparse_name(context, princ_ent, &princ_name);
-	printf ("added %s with password `%s'\n", princ_name, password);
+	printf ("added %s with password \"%s\"\n", princ_name, password);
 	free (princ_name);
     }
 out:
     if (princ_ent)
 	krb5_free_principal (context, princ_ent);
     if(default_ent)
-	kadm5_free_principal_ent (context, default_ent);
+	kadm5_free_principal_ent (kadm_handle, default_ent);
     if (password != NULL)
 	memset (password, 0, strlen(password));
     return ret;
@@ -197,112 +201,58 @@ out:
  * the ank command
  */
 
-static struct getargs args[] = {
-    { "random-key",	'r',	arg_flag,	NULL, "set random key" },
-    { "random-password", 0,	arg_flag,	NULL, "set random password" },
-    { "password",	'p',	arg_string,	NULL, "princial's password" },
-    { "key",		0,	arg_string,	NULL, "DES-key in hex" },
-    { "max-ticket-life",  0,	arg_string,	NULL, "max ticket lifetime",
-      "lifetime"},
-    { "max-renewable-life",  0,	arg_string,	NULL,
-      "max renewable lifetime", "lifetime" },
-    { "attributes",	0,	arg_string,	NULL, "principal attributes",
-      "attributes"},
-    { "expiration-time",0,	arg_string,	NULL, "expiration time",
-      "time"},
-    { "pw-expiration-time", 0,  arg_string,	NULL,
-      "password expiration time", "time"},
-    { "use-defaults",	0,	arg_flag,	NULL, "use default values" }
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-static void
-usage(void)
-{
-    arg_printusage (args, num_args, "add", "principal...");
-}
-
 /*
  * Parse arguments and add all the principals.
  */
 
 int
-add_new_key(int argc, char **argv)
+add_new_key(struct add_options *opt, int argc, char **argv)
 {
-    char *password = NULL;
-    char *key = NULL;
-    int random_key = 0;
-    int random_password = 0;
-    int optind = 0;
-    krb5_error_code ret;
-    char *max_ticket_life	= NULL;
-    char *max_renewable_life	= NULL;
-    char *attributes		= NULL;
-    char *expiration		= NULL;
-    char *pw_expiration		= NULL;
-    int use_defaults = 0;
+    krb5_error_code ret = 0;
     int i;
     int num;
     krb5_key_data key_data[3];
     krb5_key_data *kdp = NULL;
 
-    args[0].value = &random_key;
-    args[1].value = &random_password;
-    args[2].value = &password;
-    args[3].value = &key;
-    args[4].value = &max_ticket_life;
-    args[5].value = &max_renewable_life;
-    args[6].value = &attributes;
-    args[7].value = &expiration;
-    args[8].value = &pw_expiration;
-    args[9].value = &use_defaults;
-    
-    if(getarg(args, num_args, argc, argv, &optind)) {
-	usage ();
-	return 0;
-    }
-    if(optind == argc) {
-	usage ();
-	return 0;
-    }
-
     num = 0;
-    if (random_key)
+    if (opt->random_key_flag)
 	++num;
-    if (random_password)
+    if (opt->random_password_flag)
 	++num;
-    if (password)
+    if (opt->password_string)
 	++num;
-    if (key)
+    if (opt->key_string)
 	++num;
 
     if (num > 1) {
-	printf ("give only one of "
+	fprintf (stderr, "give only one of "
 		"--random-key, --random-password, --password, --key\n");
-	return 0;
+	return 1;
     }
 
-    if (key) {
+    if (opt->key_string) {
 	const char *error;
 
-	if (parse_des_key (key, key_data, &error)) {
-	    printf ("failed parsing key `%s': %s\n", key, error);
-	    return 0;
+	if (parse_des_key (opt->key_string, key_data, &error)) {
+	    fprintf (stderr, "failed parsing key \"%s\": %s\n", 
+		     opt->key_string, error);
+	    return 1;
 	}
 	kdp = key_data;
     }
 
-    for (i = optind; i < argc; ++i) {
-	ret = add_one_principal (argv[i], random_key, random_password,
-				 use_defaults, 
-				 password,
+    for(i = 0; i < argc; i++) {
+	ret = add_one_principal (argv[i], 
+				 opt->random_key_flag, 
+				 opt->random_password_flag,
+				 opt->use_defaults_flag, 
+				 opt->password_string,
 				 kdp,
-				 max_ticket_life,
-				 max_renewable_life,
-				 attributes,
-				 expiration,
-				 pw_expiration);
+				 opt->max_ticket_life_string,
+				 opt->max_renewable_life_string,
+				 opt->attributes_string,
+				 opt->expiration_time_string,
+				 opt->pw_expiration_time_string);
 	if (ret) {
 	    krb5_warn (context, ret, "adding %s", argv[i]);
 	    break;
@@ -312,5 +262,5 @@ add_new_key(int argc, char **argv)
 	int16_t dummy = 3;
 	kadm5_free_key_data (kadm_handle, &dummy, key_data);
     }
-    return 0;
+    return ret != 0;
 }
diff --git a/crypto/heimdal/kadmin/check.c b/crypto/heimdal/kadmin/check.c
new file mode 100644
index 0000000..bd4f270
--- /dev/null
+++ b/crypto/heimdal/kadmin/check.c
@@ -0,0 +1,238 @@
+/*
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/*
+ * Check database for strange configurations on default principals
+ */
+
+#include "kadmin_locl.h"
+#include "kadmin-commands.h"
+
+RCSID("$Id: check.c 20962 2007-06-07 05:09:24Z lha $");
+
+static int
+get_check_entry(const char *name, kadm5_principal_ent_rec *ent)
+{
+    krb5_error_code ret;
+    krb5_principal principal;
+
+    ret = krb5_parse_name(context, name, &principal);
+    if (ret) {
+	krb5_warn(context, ret, "krb5_unparse_name: %s", name);
+	return 1;
+    }
+
+    memset(ent, 0, sizeof(*ent));
+    ret = kadm5_get_principal(kadm_handle, principal, ent, 0);
+    krb5_free_principal(context, principal);
+    if(ret)
+	return 1;
+
+    return 0;
+}
+
+
+static int
+do_check_entry(krb5_principal principal, void *data)
+{
+    krb5_error_code ret;
+    kadm5_principal_ent_rec princ;
+    char *name;
+    int i;
+    
+    ret = krb5_unparse_name(context, principal, &name);
+    if (ret)
+	return 1;
+
+    memset (&princ, 0, sizeof(princ));
+    ret = kadm5_get_principal(kadm_handle, principal, &princ,
+			      KADM5_PRINCIPAL | KADM5_KEY_DATA);
+    if(ret) {
+	krb5_warn(context, ret, "Failed to get principal: %s", name);
+	free(name);
+	return 0;
+    }
+
+    for (i = 0; i < princ.n_key_data; i++) {
+	size_t keysize;
+	ret = krb5_enctype_keysize(context, 
+				   princ.key_data[i].key_data_type[0],
+				   &keysize);
+	if (ret == 0 && keysize != princ.key_data[i].key_data_length[0]) {
+	    krb5_warnx(context,
+		       "Principal %s enctype %d, wrong length: %lu\n",
+		       name, princ.key_data[i].key_data_type[0],
+		       (unsigned long)princ.key_data[i].key_data_length);
+	}
+    }
+
+    free(name);
+    kadm5_free_principal_ent(kadm_handle, &princ);
+
+    return 0;
+}
+
+int
+check(void *opt, int argc, char **argv)
+{
+    kadm5_principal_ent_rec ent;
+    krb5_error_code ret;
+    char *realm = NULL, *p, *p2;
+    int found;
+
+    if (argc == 0) {
+	ret = krb5_get_default_realm(context, &realm);
+	if (ret) {
+	    krb5_warn(context, ret, "krb5_get_default_realm");
+	    goto fail;
+	}
+    } else {
+	realm = strdup(argv[0]);
+	if (realm == NULL) {
+	    krb5_warnx(context, "malloc");
+	    goto fail;
+	}
+    }
+
+    /*
+     * Check krbtgt/REALM@REALM
+     *
+     * For now, just check existance
+     */
+
+    if (asprintf(&p, "%s/%s@%s", KRB5_TGS_NAME, realm, realm) == -1) {
+	krb5_warn(context, errno, "asprintf");
+	goto fail;
+    }
+
+    ret = get_check_entry(p, &ent);
+    if (ret) {
+	printf("%s doesn't exist, are you sure %s is a realm in your database",
+	       p, realm);
+	free(p);
+	goto fail;
+    }
+    free(p);    
+
+    kadm5_free_principal_ent(kadm_handle, &ent);
+
+    /*
+     * Check kadmin/admin@REALM
+     */
+
+    if (asprintf(&p, "kadmin/admin@%s", realm) == -1) {
+	krb5_warn(context, errno, "asprintf");
+	goto fail;
+    }
+
+    ret = get_check_entry(p, &ent);
+    if (ret) {
+	printf("%s doesn't exist, "
+	       "there is no way to do remote administration", p);
+	free(p);
+	goto fail;
+    }
+    free(p);
+
+    kadm5_free_principal_ent(kadm_handle, &ent);
+
+    /*
+     * Check kadmin/changepw@REALM
+     */
+
+    if (asprintf(&p, "kadmin/changepw@%s", realm) == -1) {
+	krb5_warn(context, errno, "asprintf");
+	goto fail;
+    }
+
+    ret = get_check_entry(p, &ent);
+    if (ret) {
+	printf("%s doesn't exist, "
+	       "there is no way to do change password", p);
+	free(p);
+	goto fail;
+    }
+    free(p);
+
+    kadm5_free_principal_ent(kadm_handle, &ent);
+
+    /*
+     * Check for duplicate afs keys 
+     */
+
+    p2 = strdup(realm);
+    if (p2 == NULL) {
+	krb5_warn(context, errno, "malloc");
+	free(p);
+	goto fail;
+    }
+    strlwr(p2);
+
+    if (asprintf(&p, "afs/%s@%s", p2, realm) == -1) {
+	krb5_warn(context, errno, "asprintf");
+	free(p2);
+	goto fail;
+    }
+    free(p2);
+
+    ret = get_check_entry(p, &ent);
+    free(p);
+    if (ret == 0) {
+	kadm5_free_principal_ent(kadm_handle, &ent);
+	found = 1;
+    } else
+	found = 0;
+
+    if (asprintf(&p, "afs@%s", realm) == -1) {
+	krb5_warn(context, errno, "asprintf");
+	goto fail;
+    }
+
+    ret = get_check_entry(p, &ent);
+    free(p);
+    if (ret == 0) {
+	kadm5_free_principal_ent(kadm_handle, &ent);
+	if (found) {
+	    krb5_warnx(context, "afs@REALM and afs/cellname@REALM both exists");
+	    goto fail;
+	}
+    }
+
+    foreach_principal("*", do_check_entry, "check", NULL);
+
+    free(realm);
+    return 0;
+fail:
+    free(realm);
+    return 1;
+}
diff --git a/crypto/heimdal/kadmin/cpw.c b/crypto/heimdal/kadmin/cpw.c
index 50c1cb2..c5fa9ed 100644
--- a/crypto/heimdal/kadmin/cpw.c
+++ b/crypto/heimdal/kadmin/cpw.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,8 +32,9 @@
  */
 
 #include "kadmin_locl.h"
+#include "kadmin-commands.h"
 
-RCSID("$Id: cpw.c,v 1.13 2001/08/10 08:05:35 joda Exp $");
+RCSID("$Id: cpw.c 16755 2006-02-18 23:30:32Z lha $");
 
 struct cpw_entry_data {
     int random_key;
@@ -42,21 +43,6 @@ struct cpw_entry_data {
     krb5_key_data *key_data;
 };
 
-static struct getargs args[] = {
-    { "random-key",	'r',	arg_flag,	NULL, "set random key" },
-    { "random-password", 0,	arg_flag,	NULL, "set random password" },
-    { "password",	'p',	arg_string,	NULL, "princial's password" },
-    { "key",		 0,	arg_string,	NULL, "DES key in hex" }
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-static void
-usage(void)
-{
-    arg_printusage(args, num_args, "passwd", "principal...");
-}
-
 static int
 set_random_key (krb5_principal principal)
 {
@@ -87,7 +73,7 @@ set_random_password (krb5_principal principal)
 
 	krb5_unparse_name(context, principal, &princ_name);
 
-	printf ("%s's password set to `%s'\n", princ_name, pw);
+	printf ("%s's password set to \"%s\"\n", princ_name, pw);
 	free (princ_name);
     }
     memset (pw, 0, sizeof(pw));
@@ -107,7 +93,7 @@ set_password (krb5_principal principal, char *password)
 	krb5_unparse_name(context, principal, &princ_name);
 	asprintf(&prompt, "%s's Password: ", princ_name);
 	free (princ_name);
-	ret = des_read_pw_string(pwbuf, sizeof(pwbuf), prompt, 1);
+	ret = UI_UTIL_read_pw_string(pwbuf, sizeof(pwbuf), prompt, 1);
 	free (prompt);
 	if(ret){
 	    return 0; /* XXX error code? */
@@ -146,32 +132,19 @@ do_cpw_entry(krb5_principal principal, void *data)
 }
 
 int
-cpw_entry(int argc, char **argv)
+cpw_entry(struct passwd_options *opt, int argc, char **argv)
 {
-    krb5_error_code ret;
+    krb5_error_code ret = 0;
     int i;
-    int optind = 0;
     struct cpw_entry_data data;
     int num;
-    char *key_string;
     krb5_key_data key_data[3];
 
-    data.random_key      = 0;
-    data.random_password = 0;
-    data.password        = NULL;
+    data.random_key = opt->random_key_flag;
+    data.random_password = opt->random_password_flag;
+    data.password = opt->password_string;
     data.key_data	 = NULL;
 
-    key_string = NULL;
-
-    args[0].value = &data.random_key;
-    args[1].value = &data.random_password;
-    args[2].value = &data.password;
-    args[3].value = &key_string;
-    if(getarg(args, num_args, argc, argv, &optind)){
-	usage();
-	return 0;
-    }
-
     num = 0;
     if (data.random_key)
 	++num;
@@ -179,28 +152,26 @@ cpw_entry(int argc, char **argv)
 	++num;
     if (data.password)
 	++num;
-    if (key_string)
+    if (opt->key_string)
 	++num;
 
     if (num > 1) {
-	printf ("give only one of "
+	fprintf (stderr, "give only one of "
 		"--random-key, --random-password, --password, --key\n");
-	return 0;
+	return 1;
     }
 	
-    if (key_string) {
+    if (opt->key_string) {
 	const char *error;
 
-	if (parse_des_key (key_string, key_data, &error)) {
-	    printf ("failed parsing key `%s': %s\n", key_string, error);
-	    return 0;
+	if (parse_des_key (opt->key_string, key_data, &error)) {
+	    fprintf (stderr, "failed parsing key \"%s\": %s\n", 
+		     opt->key_string, error);
+	    return 1;
 	}
 	data.key_data = key_data;
     }
 
-    argc -= optind;
-    argv += optind;
-
     for(i = 0; i < argc; i++)
 	ret = foreach_principal(argv[i], do_cpw_entry, "cpw", &data);
 
@@ -209,5 +180,5 @@ cpw_entry(int argc, char **argv)
 	kadm5_free_key_data (kadm_handle, &dummy, key_data);
     }
 
-    return 0;
+    return ret != 0;
 }
diff --git a/crypto/heimdal/kadmin/del.c b/crypto/heimdal/kadmin/del.c
index 1697656..a7db479 100644
--- a/crypto/heimdal/kadmin/del.c
+++ b/crypto/heimdal/kadmin/del.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,8 +32,9 @@
  */
 
 #include "kadmin_locl.h"
+#include "kadmin-commands.h"
 
-RCSID("$Id: del.c,v 1.6 2001/05/07 05:30:50 assar Exp $");
+RCSID("$Id: del.c 16754 2006-02-18 23:29:43Z lha $");
 
 static int
 do_del_entry(krb5_principal principal, void *data)
@@ -41,40 +42,16 @@ do_del_entry(krb5_principal principal, void *data)
     return kadm5_delete_principal(kadm_handle, principal);
 }
 
-static struct getargs args[] = {
-    { "help", 'h', arg_flag, NULL }
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-static void
-usage(void)
-{
-    arg_printusage (args, num_args, "delete", "principal...");
-}
-
-
 int
-del_entry(int argc, char **argv)
+del_entry(void *opt, int argc, char **argv)
 {
-    int optind = 0;
-    int help_flag = 0;
-
     int i;
-    krb5_error_code ret;
-
-    args[0].value = &help_flag;
-
-    if(getarg(args, num_args, argc, argv, &optind)) {
-	usage ();
-	return 0;
-    }
-    if(optind == argc || help_flag) {
-	usage ();
-	return 0;
-    }
+    krb5_error_code ret = 0;
 
-    for(i = 1; i < argc; i++)
+    for(i = 0; i < argc; i++) {
 	ret = foreach_principal(argv[i], do_del_entry, "del", NULL);
-    return 0;
+	if (ret)
+	    break;
+    }
+    return ret != 0;
 }
diff --git a/crypto/heimdal/kadmin/del_enctype.c b/crypto/heimdal/kadmin/del_enctype.c
index 985cc84..26921f2 100644
--- a/crypto/heimdal/kadmin/del_enctype.c
+++ b/crypto/heimdal/kadmin/del_enctype.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999-2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999-2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,32 +32,17 @@
  */
 
 #include "kadmin_locl.h"
+#include "kadmin-commands.h"
 
-RCSID("$Id: del_enctype.c,v 1.7 2001/04/19 07:26:52 joda Exp $");
+RCSID("$Id: del_enctype.c 16658 2006-01-25 12:29:46Z lha $");
 
 /*
  * del_enctype principal enctypes...
  */
 
-static struct getargs args[] = {
-    { "help", 'h', arg_flag, NULL }
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-static void
-usage(void)
-{
-    arg_printusage (args, num_args, "del_enctype", "principal enctypes...");
-}
-
-
 int
-del_enctype(int argc, char **argv)
+del_enctype(void *opt, int argc, char **argv)
 {
-    int optind = 0;
-    int help_flag = 0;
-
     kadm5_principal_ent_rec princ;
     krb5_principal princ_ent = NULL;
     krb5_error_code ret;
@@ -67,29 +52,19 @@ del_enctype(int argc, char **argv)
     int n_etypes;
     krb5_enctype *etypes;
 
-    args[0].value = &help_flag;
-
-    if(getarg(args, num_args, argc, argv, &optind)) {
-	usage ();
-	return 0;
-    }
-    if(argc - optind < 2 || help_flag) {
-	usage ();
-	return 0;
-    }
-
     memset (&princ, 0, sizeof(princ));
-    princ_name = argv[1];
-    n_etypes   = argc - 2;
+    princ_name = argv[0];
+    n_etypes   = argc - 1;
     etypes     = malloc (n_etypes * sizeof(*etypes));
     if (etypes == NULL) {
 	krb5_warnx (context, "out of memory");
 	return 0;
     }
+    argv++;
     for (i = 0; i < n_etypes; ++i) {
-	ret = krb5_string_to_enctype (context, argv[i + 2], &etypes[i]);
+	ret = krb5_string_to_enctype (context, argv[i], &etypes[i]);
 	if (ret) {
-	    krb5_warnx (context, "bad enctype `%s'", argv[i + 2]);
+	    krb5_warnx (context, "bad enctype \"%s\"", argv[i]);
 	    goto out2;
 	}
     }
@@ -144,5 +119,5 @@ out:
     kadm5_free_principal_ent(kadm_handle, &princ);
 out2:
     free (etypes);
-    return 0;
+    return ret != 0;
 }
diff --git a/crypto/heimdal/kadmin/dump.c b/crypto/heimdal/kadmin/dump.c
index a57309c..97ec667 100644
--- a/crypto/heimdal/kadmin/dump.c
+++ b/crypto/heimdal/kadmin/dump.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,49 +32,48 @@
  */
 
 #include "kadmin_locl.h"
+#include "kadmin-commands.h"
 #include <kadm5/private.h>
 
-RCSID("$Id: dump.c,v 1.26 1999/12/02 17:04:58 joda Exp $");
+RCSID("$Id: dump.c 14518 2005-01-19 17:09:56Z lha $");
+
+extern int local_flag;
 
 int
-dump(int argc, char **argv)
+dump(struct dump_options *opt, int argc, char **argv)
 {
     krb5_error_code ret;
     FILE *f;
-    HDB *db = _kadm5_s_get_db(kadm_handle);
-    int decrypt = 0;
-    int optind = 0;
-
-    struct getargs args[] = {
-	{ "decrypt", 'd', arg_flag, NULL, "decrypt keys" }
-    };
-    args[0].value = &decrypt;
-
-    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) {
-	arg_printusage(args, sizeof(args) / sizeof(args[0]), "kadmin dump", 
-		       "[dump-file]");
+    HDB *db = NULL;
+    
+    if(!local_flag) {
+	krb5_warnx(context, "dump is only available in local (-l) mode");
 	return 0;
     }
 
-    argc -= optind;
-    argv += optind;
-    if(argc < 1)
+    db = _kadm5_s_get_db(kadm_handle);
+
+    if(argc == 0)
 	f = stdout;
     else
 	f = fopen(argv[0], "w");
     
-    ret = db->open(context, db, O_RDONLY, 0600);
-    if(ret){
+    if(f == NULL) {
+	krb5_warn(context, errno, "open: %s", argv[0]);
+	goto out;
+    }
+    ret = db->hdb_open(context, db, O_RDONLY, 0600);
+    if(ret) {
 	krb5_warn(context, ret, "hdb_open");
-	if(f != stdout)
-	    fclose(f);
-	return 0;
+	goto out;
     }
 
-    hdb_foreach(context, db, decrypt ? HDB_F_DECRYPT : 0, hdb_print_entry, f);
+    hdb_foreach(context, db, opt->decrypt_flag ? HDB_F_DECRYPT : 0, 
+		hdb_print_entry, f);
 
-    if(f != stdout)
+    db->hdb_close(context, db);
+out:
+    if(f && f != stdout)
 	fclose(f);
-    db->close(context, db);
     return 0;
 }
diff --git a/crypto/heimdal/kadmin/ext.c b/crypto/heimdal/kadmin/ext.c
index c945fea..f80272f 100644
--- a/crypto/heimdal/kadmin/ext.c
+++ b/crypto/heimdal/kadmin/ext.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,85 +32,108 @@
  */
 
 #include "kadmin_locl.h"
+#include "kadmin-commands.h"
 
-RCSID("$Id: ext.c,v 1.8 2002/02/11 14:29:52 joda Exp $");
+RCSID("$Id: ext.c 16658 2006-01-25 12:29:46Z lha $");
 
 struct ext_keytab_data {
     krb5_keytab keytab;
 };
 
-static struct getargs args[] = {
-    { "keytab",		'k',	arg_string,	NULL, "keytab to use" },
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-static void
-usage(void)
-{
-    arg_printusage(args, num_args, "ext", "principal...");
-}
-
 static int
 do_ext_keytab(krb5_principal principal, void *data)
 {
     krb5_error_code ret;
-    int i;
     kadm5_principal_ent_rec princ;
     struct ext_keytab_data *e = data;
-
+    krb5_keytab_entry *keys = NULL;
+    krb5_keyblock *k = NULL;
+    int i, n_k;
+    
     ret = kadm5_get_principal(kadm_handle, principal, &princ, 
 			      KADM5_PRINCIPAL|KADM5_KVNO|KADM5_KEY_DATA);
     if(ret)
 	return ret;
-    for(i = 0; i < princ.n_key_data; i++){
-	krb5_keytab_entry key;
-	krb5_key_data *k = &princ.key_data[i];
-	key.principal = princ.principal;
-	key.vno = k->key_data_kvno;
-	key.keyblock.keytype = k->key_data_type[0];
-	key.keyblock.keyvalue.length = k->key_data_length[0];
-	key.keyblock.keyvalue.data = k->key_data_contents[0];
-	key.timestamp = time(NULL);
-	ret = krb5_kt_add_entry(context, e->keytab, &key);
+
+    if (princ.n_key_data) {
+	keys = malloc(sizeof(*keys) * princ.n_key_data);
+	if (keys == NULL) {
+	    kadm5_free_principal_ent(kadm_handle, &princ);
+	    krb5_clear_error_string(context);
+	    return ENOMEM;
+	}
+	for (i = 0; i < princ.n_key_data; i++) {
+	    krb5_key_data *kd = &princ.key_data[i];
+
+	    keys[i].principal = princ.principal;
+	    keys[i].vno = kd->key_data_kvno;
+	    keys[i].keyblock.keytype = kd->key_data_type[0];
+	    keys[i].keyblock.keyvalue.length = kd->key_data_length[0];
+	    keys[i].keyblock.keyvalue.data = kd->key_data_contents[0];
+	    keys[i].timestamp = time(NULL);
+	}
+
+	n_k = princ.n_key_data;
+    } else {
+	ret = kadm5_randkey_principal(kadm_handle, principal, &k, &n_k);
+	if (ret) {
+	    kadm5_free_principal_ent(kadm_handle, &princ);
+	    return ret;
+	}
+	keys = malloc(sizeof(*keys) * n_k);
+	if (keys == NULL) {
+	    kadm5_free_principal_ent(kadm_handle, &princ);
+	    krb5_clear_error_string(context);
+	    return ENOMEM;
+	}
+	for (i = 0; i < n_k; i++) {
+	    keys[i].principal = principal;
+	    keys[i].vno = princ.kvno + 1; /* XXX get entry again */
+	    keys[i].keyblock = k[i];
+	    keys[i].timestamp = time(NULL);
+	}
+    }
+
+    for(i = 0; i < n_k; i++) {
+	ret = krb5_kt_add_entry(context, e->keytab, &keys[i]);
 	if(ret)
-	    krb5_warn(context, ret, "krb5_kt_add_entry");
+	    krb5_warn(context, ret, "krb5_kt_add_entry(%d)", i);
     }
+
+    if (k) {
+	memset(k, 0, n_k * sizeof(*k));
+	free(k);
+    }
+    if (keys)
+	free(keys);
     kadm5_free_principal_ent(kadm_handle, &princ);
     return 0;
 }
 
 int
-ext_keytab(int argc, char **argv)
+ext_keytab(struct ext_keytab_options *opt, int argc, char **argv)
 {
     krb5_error_code ret;
     int i;
-    int optind = 0;
-    char *keytab = NULL;
     struct ext_keytab_data data;
-    
-    args[0].value = &keytab;
-    if(getarg(args, num_args, argc, argv, &optind)){
-	usage();
-	return 0;
-    }
-    if (keytab == NULL)
+
+    if (opt->keytab_string == NULL)
 	ret = krb5_kt_default(context, &data.keytab);
     else
-	ret = krb5_kt_resolve(context, keytab, &data.keytab);
+	ret = krb5_kt_resolve(context, opt->keytab_string, &data.keytab);
 
     if(ret){
 	krb5_warn(context, ret, "krb5_kt_resolve");
-	return 0;
+	return 1;
     }
 
-    argc -= optind;
-    argv += optind;
-
-    for(i = 0; i < argc; i++) 
-	foreach_principal(argv[i], do_ext_keytab, "ext", &data);
+    for(i = 0; i < argc; i++) {
+	ret = foreach_principal(argv[i], do_ext_keytab, "ext", &data);
+	if (ret)
+	    break;
+    }
 
     krb5_kt_close(context, data.keytab);
 
-    return 0;
+    return ret != 0;
 }
diff --git a/crypto/heimdal/kadmin/get.c b/crypto/heimdal/kadmin/get.c
index 30eea9d..6e09f91 100644
--- a/crypto/heimdal/kadmin/get.c
+++ b/crypto/heimdal/kadmin/get.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,74 +32,77 @@
  */
 
 #include "kadmin_locl.h"
+#include "kadmin-commands.h"
 #include <parse_units.h>
+#include <rtbl.h>
 
-RCSID("$Id: get.c,v 1.13 2001/05/07 05:31:43 assar Exp $");
+RCSID("$Id: get.c 21745 2007-07-31 16:11:25Z lha $");
 
-struct get_entry_data {
-    void (*header)(void);
-    void (*format)(kadm5_principal_ent_t);
+static struct field_name {
+    const char *fieldname;
+    unsigned int fieldvalue;
+    unsigned int subvalue;
+    uint32_t extra_mask;
+    const char *default_header;
+    const char *def_longheader;
+    unsigned int flags;
+} field_names[] = {
+    { "principal", KADM5_PRINCIPAL, 0, 0, "Principal", "Principal", 0 },
+    { "princ_expire_time", KADM5_PRINC_EXPIRE_TIME, 0, 0, "Expiration", "Principal expires", 0 },
+    { "pw_expiration", KADM5_PW_EXPIRATION, 0, 0, "PW-exp", "Password expires", 0 },
+    { "last_pwd_change", KADM5_LAST_PWD_CHANGE, 0, 0, "PW-change", "Last password change", 0 },
+    { "max_life", KADM5_MAX_LIFE, 0, 0, "Max life", "Max ticket life", 0 },
+    { "max_rlife", KADM5_MAX_RLIFE, 0, 0, "Max renew", "Max renewable life", 0 },
+    { "mod_time", KADM5_MOD_TIME, 0, 0, "Mod time", "Last modified", 0 },
+    { "mod_name", KADM5_MOD_NAME, 0, 0, "Modifier", "Modifier", 0 },
+    { "attributes", KADM5_ATTRIBUTES, 0, 0, "Attributes", "Attributes", 0 },
+    { "kvno", KADM5_KVNO, 0, 0, "Kvno", "Kvno", RTBL_ALIGN_RIGHT  },
+    { "mkvno", KADM5_MKVNO, 0, 0, "Mkvno", "Mkvno", RTBL_ALIGN_RIGHT },
+    { "last_success", KADM5_LAST_SUCCESS, 0, 0, "Last login", "Last successful login", 0 },
+    { "last_failed", KADM5_LAST_FAILED, 0, 0, "Last fail", "Last failed login", 0 },
+    { "fail_auth_count", KADM5_FAIL_AUTH_COUNT, 0, 0, "Fail count", "Failed login count", RTBL_ALIGN_RIGHT },
+    { "policy", KADM5_POLICY, 0, 0, "Policy", "Policy", 0 },
+    { "keytypes", KADM5_KEY_DATA, 0, KADM5_PRINCIPAL, "Keytypes", "Keytypes", 0 },
+    { "password", KADM5_TL_DATA, KRB5_TL_PASSWORD, KADM5_KEY_DATA, "Password", "Password", 0 },
+    { "pkinit-acl", KADM5_TL_DATA, KRB5_TL_PKINIT_ACL, 0, "PK-INIT ACL", "PK-INIT ACL", 0 },
+    { "aliases", KADM5_TL_DATA, KRB5_TL_ALIASES, 0, "Aliases", "Aliases", 0 },
+    { NULL }
 };
 
-static void
-print_entry_terse(kadm5_principal_ent_t princ)
-{
-    char *p;
-    krb5_unparse_name(context, princ->principal, &p);
-    printf("  %s\n", p);
-    free(p);
-}
-
-static void
-print_header_short(void)
-{
-    printf("%-20s ", "Principal");
-    
-    printf("%-10s ", "Expires");
-	    
-    printf("%-10s ", "PW-exp");
-	    
-    printf("%-10s ", "PW-change");
-	
-    printf("%-9s ", "Max life");
+struct field_info {
+    struct field_name *ff;
+    char *header;
+    struct field_info *next;
+};
 
-    printf("%-9s ", "Max renew");
-    
-    printf("\n");
-}
+struct get_entry_data {
+    void (*format)(struct get_entry_data*, kadm5_principal_ent_t);
+    rtbl_t table;
+    uint32_t mask;
+    uint32_t extra_mask;
+    struct field_info *chead, **ctail;
+};
 
-static void
-print_entry_short(kadm5_principal_ent_t princ)
+static int
+add_column(struct get_entry_data *data, struct field_name *ff, const char *header)
 {
-    char buf[1024];
-    
-    krb5_unparse_name_fixed_short(context, princ->principal, buf, sizeof(buf));
-    printf("%-20s ", buf);
-    
-    time_t2str(princ->princ_expire_time, buf, sizeof(buf), 0);
-    printf("%-10s ", buf);
-	    
-    time_t2str(princ->pw_expiration, buf, sizeof(buf), 0);
-    printf("%-10s ", buf);
-	    
-    time_t2str(princ->last_pwd_change, buf, sizeof(buf), 0);
-    printf("%-10s ", buf);
-	
-    deltat2str(princ->max_life, buf, sizeof(buf));
-    printf("%-9s ", buf);
-
-    deltat2str(princ->max_renewable_life, buf, sizeof(buf));
-    printf("%-9s ", buf);
-
-#if 0
-    time_t2str(princ->mod_date, buf, sizeof(buf), 0);
-    printf("%-10s ", buf);
-
-    krb5_unparse_name_fixed(context, princ->mod_name, buf, sizeof(buf));
-    printf("%-24s", buf);
-#endif
-    
-    printf("\n");
+    struct field_info *f = malloc(sizeof(*f));
+    if (f == NULL)
+	return ENOMEM;
+    f->ff = ff;
+    if(header)
+	f->header = strdup(header);
+    else
+	f->header = NULL;
+    f->next = NULL;
+    *data->ctail = f;
+    data->ctail = &f->next;
+    data->mask |= ff->fieldvalue;
+    data->extra_mask |= ff->extra_mask;
+    if(data->table != NULL)
+	rtbl_add_column_by_id(data->table, ff->fieldvalue, 
+			      header ? header : ff->default_header, ff->flags);
+    return 0;
 }
 
 /*
@@ -118,83 +121,244 @@ cmp_salt (const krb5_salt *salt, const krb5_key_data *k)
 }
 
 static void
-print_entry_long(kadm5_principal_ent_t princ)
+format_keytype(krb5_key_data *k, krb5_salt *def_salt, char *buf, size_t buf_len)
 {
-    char buf[1024];
-    int i;
-    krb5_salt def_salt;
+    krb5_error_code ret;
+    char *s;
+
+    ret = krb5_enctype_to_string (context,
+				  k->key_data_type[0],
+				  &s);
+    if (ret)
+	asprintf (&s, "unknown(%d)", k->key_data_type[0]);
+    strlcpy(buf, s, buf_len);
+    free(s);
+
+    strlcat(buf, "(", buf_len);
+
+    ret = krb5_salttype_to_string (context,
+				   k->key_data_type[0],
+				   k->key_data_type[1],
+				   &s);
+    if (ret)
+	asprintf (&s, "unknown(%d)", k->key_data_type[1]);
+    strlcat(buf, s, buf_len);
+    free(s);
+
+    if (cmp_salt(def_salt, k) == 0)
+	s = strdup("");
+    else if(k->key_data_length[1] == 0)
+	s = strdup("()");
+    else
+	asprintf (&s, "(%.*s)", k->key_data_length[1],
+		  (char *)k->key_data_contents[1]);
+    strlcat(buf, s, buf_len);
+    free(s);
+
+    strlcat(buf, ")", buf_len);
+}
+
+static void
+format_field(kadm5_principal_ent_t princ, unsigned int field, 
+	     unsigned int subfield, char *buf, size_t buf_len, int condensed)
+{
+    switch(field) {
+    case KADM5_PRINCIPAL:
+	if(condensed)
+	    krb5_unparse_name_fixed_short(context, princ->principal, buf, buf_len);
+	else
+	    krb5_unparse_name_fixed(context, princ->principal, buf, buf_len);
+	break;
     
-    krb5_unparse_name_fixed(context, princ->principal, buf, sizeof(buf));
-    printf("%24s: %s\n", "Principal", buf);
-    time_t2str(princ->princ_expire_time, buf, sizeof(buf), 1);
-    printf("%24s: %s\n", "Principal expires", buf);
+    case KADM5_PRINC_EXPIRE_TIME:
+	time_t2str(princ->princ_expire_time, buf, buf_len, !condensed);
+	break;
 	    
-    time_t2str(princ->pw_expiration, buf, sizeof(buf), 1);
-    printf("%24s: %s\n", "Password expires", buf);
+    case KADM5_PW_EXPIRATION:
+	time_t2str(princ->pw_expiration, buf, buf_len, !condensed);
+	break;
 	    
-    time_t2str(princ->last_pwd_change, buf, sizeof(buf), 1);
-    printf("%24s: %s\n", "Last password change", buf);
-	
-    deltat2str(princ->max_life, buf, sizeof(buf));
-    printf("%24s: %s\n", "Max ticket life", buf);
-
-    deltat2str(princ->max_renewable_life, buf, sizeof(buf));
-    printf("%24s: %s\n", "Max renewable life", buf);
-    printf("%24s: %d\n", "Kvno", princ->kvno);
-    printf("%24s: %d\n", "Mkvno", princ->mkvno);
-    printf("%24s: %s\n", "Policy", princ->policy ? princ->policy : "none");
-    time_t2str(princ->last_success, buf, sizeof(buf), 1);
-    printf("%24s: %s\n", "Last successful login", buf);
-    time_t2str(princ->last_failed, buf, sizeof(buf), 1);
-    printf("%24s: %s\n", "Last failed login", buf);
-    printf("%24s: %d\n", "Failed login count", princ->fail_auth_count);
-    time_t2str(princ->mod_date, buf, sizeof(buf), 1);
-    printf("%24s: %s\n", "Last modified", buf);
-    if(princ->mod_name != NULL) {
-	krb5_unparse_name_fixed(context, princ->mod_name, buf, sizeof(buf));
-	printf("%24s: %s\n", "Modifier", buf);
-    }
-    attributes2str (princ->attributes, buf, sizeof(buf));
-    printf("%24s: %s\n", "Attributes", buf);
-
-    printf("%24s: ", "Keytypes(salttype[(salt-value)])");
-
-    krb5_get_pw_salt (context, princ->principal, &def_salt);
-
-    for (i = 0; i < princ->n_key_data; ++i) {
-	krb5_key_data *k = &princ->key_data[i];
-	krb5_error_code ret;
-	char *e_string, *s_string, *salt;
-
-	ret = krb5_enctype_to_string (context,
-				      k->key_data_type[0],
-				      &e_string);
-	if (ret)
-	    asprintf (&e_string, "unknown(%d)", k->key_data_type[0]);
-
-	ret = krb5_salttype_to_string (context,
-				       k->key_data_type[0],
-				       k->key_data_type[1],
-				       &s_string);
-	if (ret)
-	    asprintf (&s_string, "unknown(%d)", k->key_data_type[1]);
-
-	if (cmp_salt(&def_salt, k) == 0)
-	    salt = strdup("");
-	else if(k->key_data_length[1] == 0)
-	    salt = strdup("()");
+    case KADM5_LAST_PWD_CHANGE:
+	time_t2str(princ->last_pwd_change, buf, buf_len, !condensed);
+	break;
+	    
+    case KADM5_MAX_LIFE:
+	deltat2str(princ->max_life, buf, buf_len);
+	break;
+	    
+    case KADM5_MAX_RLIFE:
+	deltat2str(princ->max_renewable_life, buf, buf_len);
+	break;
+	    
+    case KADM5_MOD_TIME:
+	time_t2str(princ->mod_date, buf, buf_len, !condensed);
+	break;
+
+    case KADM5_MOD_NAME:
+	if (princ->mod_name == NULL)
+	    strlcpy(buf, "unknown", buf_len);
+	else if(condensed)
+	    krb5_unparse_name_fixed_short(context, princ->mod_name, buf, buf_len);
+	else
+	    krb5_unparse_name_fixed(context, princ->mod_name, buf, buf_len);
+	break;
+    case KADM5_ATTRIBUTES:
+	attributes2str (princ->attributes, buf, buf_len);
+	break;
+    case KADM5_KVNO:
+	snprintf(buf, buf_len, "%d", princ->kvno);
+	break;
+    case KADM5_MKVNO:
+	snprintf(buf, buf_len, "%d", princ->mkvno);
+	break;
+    case KADM5_LAST_SUCCESS:
+	time_t2str(princ->last_success, buf, buf_len, !condensed);
+	break;
+    case KADM5_LAST_FAILED:
+	time_t2str(princ->last_failed, buf, buf_len, !condensed);
+	break;
+    case KADM5_FAIL_AUTH_COUNT:
+	snprintf(buf, buf_len, "%d", princ->fail_auth_count);
+	break;
+    case KADM5_POLICY:
+	if(princ->policy != NULL)
+	    strlcpy(buf, princ->policy, buf_len);
 	else
-	    asprintf (&salt, "(%.*s)", k->key_data_length[1],
-		      (char *)k->key_data_contents[1]);
+	    strlcpy(buf, "none", buf_len);
+	break;
+    case KADM5_KEY_DATA:{
+	krb5_salt def_salt;
+	int i;
+	char buf2[1024];
+	krb5_get_pw_salt (context, princ->principal, &def_salt);
+
+	*buf = '\0';
+	for (i = 0; i < princ->n_key_data; ++i) {
+	    format_keytype(&princ->key_data[i], &def_salt, buf2, sizeof(buf2));
+	    if(i > 0)
+		strlcat(buf, ", ", buf_len);
+	    strlcat(buf, buf2, buf_len);
+	}
+	krb5_free_salt (context, def_salt);
+	break;
+    }
+    case KADM5_TL_DATA: {
+	krb5_tl_data *tl;
 
+	for (tl = princ->tl_data; tl != NULL; tl = tl->tl_data_next)
+	    if (tl->tl_data_type == subfield)
+		break;
+	if (tl == NULL) {
+	    strlcpy(buf, "", buf_len);
+	    break;
+	}
+
+	switch (subfield) {
+	case KRB5_TL_PASSWORD:
+	    snprintf(buf, buf_len, "\"%.*s\"",
+		     (int)tl->tl_data_length,
+		     (const char *)tl->tl_data_contents);
+	    break;
+	case KRB5_TL_PKINIT_ACL: {
+	    HDB_Ext_PKINIT_acl acl;
+	    size_t size;
+	    int i, ret;
 
-	printf ("%s%s(%s%s)", (i != 0) ? ", " : "", e_string, s_string, salt);
-	free (e_string);
-	free (s_string);
-	free (salt);
+	    ret = decode_HDB_Ext_PKINIT_acl(tl->tl_data_contents,
+					    tl->tl_data_length,
+					    &acl,
+					    &size);
+	    if (ret) {
+		snprintf(buf, buf_len, "failed to decode ACL");
+		break;
+	    }
+
+	    buf[0] = '\0';
+	    for (i = 0; i < acl.len; i++) {
+		strlcat(buf, "subject: ", buf_len);
+		strlcat(buf, acl.val[i].subject, buf_len);
+		if (acl.val[i].issuer) {
+		    strlcat(buf, " issuer:", buf_len);
+		    strlcat(buf, *acl.val[i].issuer, buf_len);
+		}
+		if (acl.val[i].anchor) {
+		    strlcat(buf, " anchor:", buf_len);
+		    strlcat(buf, *acl.val[i].anchor, buf_len);
+		}
+		if (i + 1 < acl.len)
+		    strlcat(buf, ", ", buf_len);
+	    }
+	    free_HDB_Ext_PKINIT_acl(&acl);
+	    break;
+	}
+	case KRB5_TL_ALIASES: {
+	    HDB_Ext_Aliases alias;
+	    size_t size;
+	    int i, ret;
+
+	    ret = decode_HDB_Ext_Aliases(tl->tl_data_contents,
+					 tl->tl_data_length,
+					 &alias,
+					 &size);
+	    if (ret) {
+		snprintf(buf, buf_len, "failed to decode alias");
+		break;
+	    }
+	    buf[0] = '\0';
+	    for (i = 0; i < alias.aliases.len; i++) {
+		char *p;
+		ret = krb5_unparse_name(context, &alias.aliases.val[i], &p);
+		if (ret)
+		    break;
+		if (i < 0)
+		    strlcat(buf, " ", buf_len);
+		strlcat(buf, p, buf_len);
+		free(p);
+	    }
+	    free_HDB_Ext_Aliases(&alias);
+	    break;
+	}
+	default:
+	    snprintf(buf, buf_len, "unknown type %d", subfield);
+	    break;
+	}
+	break;
+    }
+    default:
+	strlcpy(buf, "<unknown>", buf_len);
+	break;
     }
-    krb5_free_salt (context, def_salt);
-    printf("\n\n");
+}
+
+static void
+print_entry_short(struct get_entry_data *data, kadm5_principal_ent_t princ)
+{
+    char buf[1024];
+    struct field_info *f;
+    
+    for(f = data->chead; f != NULL; f = f->next) {
+	format_field(princ, f->ff->fieldvalue, f->ff->subvalue, buf, sizeof(buf), 1);
+	rtbl_add_column_entry_by_id(data->table, f->ff->fieldvalue, buf);
+    }
+}
+
+static void
+print_entry_long(struct get_entry_data *data, kadm5_principal_ent_t princ)
+{
+    char buf[1024];
+    struct field_info *f;
+    int width = 0;
+    
+    for(f = data->chead; f != NULL; f = f->next) {
+	int w = strlen(f->header ? f->header : f->ff->def_longheader);
+	if(w > width)
+	    width = w;
+    }
+    for(f = data->chead; f != NULL; f = f->next) {
+	format_field(princ, f->ff->fieldvalue, f->ff->subvalue, buf, sizeof(buf), 0);
+	printf("%*s: %s\n", width, f->header ? f->header : f->ff->def_longheader, buf);
+    }
+    printf("\n");
 }
 
 static int
@@ -207,84 +371,128 @@ do_get_entry(krb5_principal principal, void *data)
     memset(&princ, 0, sizeof(princ));
     ret = kadm5_get_principal(kadm_handle, principal, 
 			      &princ,
-			      KADM5_PRINCIPAL_NORMAL_MASK|KADM5_KEY_DATA);
+			      e->mask | e->extra_mask);
     if(ret)
 	return ret;
     else {
-	if(e->header) {
-	    (*e->header)();
-	    e->header = NULL; /* XXX only once */
-	}
-	(e->format)(&princ);
+	(e->format)(e, &princ);
 	kadm5_free_principal_ent(kadm_handle, &princ);
     }
     return 0;
 }
 
+static void
+free_columns(struct get_entry_data *data)
+{
+    struct field_info *f, *next;
+    for(f = data->chead; f != NULL; f = next) {
+	free(f->header);
+	next = f->next;
+	free(f);
+    }
+    data->chead = NULL;
+    data->ctail = &data->chead;
+}
+
+static int
+setup_columns(struct get_entry_data *data, const char *column_info)
+{
+    char buf[1024], *q;
+    char *field, *header;
+    struct field_name *f;
+
+    while(strsep_copy(&column_info, ",", buf, sizeof(buf)) != -1) {
+	q = buf;
+	field = strsep(&q, "=");
+	header = strsep(&q, "=");
+	for(f = field_names; f->fieldname != NULL; f++) {
+	    if(strcasecmp(field, f->fieldname) == 0) {
+		add_column(data, f, header);
+		break;
+	    }
+	}
+	if(f->fieldname == NULL) {
+	    krb5_warnx(context, "unknown field name \"%s\"", field);
+	    free_columns(data);
+	    return -1;
+	}
+    }
+    return 0;
+}
+
+#define DEFAULT_COLUMNS_SHORT "principal,princ_expire_time,pw_expiration,last_pwd_change,max_life,max_rlife"
+#define DEFAULT_COLUMNS_LONG "principal,princ_expire_time,pw_expiration,last_pwd_change,max_life,max_rlife,kvno,mkvno,last_success,last_failed,fail_auth_count,mod_time,mod_name,attributes,keytypes,pkinit-acl,aliases"
+#define DEFAULT_COLUMNS_TERSE "principal="
+
 static int
-getit(const char *name, int terse_flag, int argc, char **argv)
+getit(struct get_options *opt, const char *name, int argc, char **argv)
 {
     int i;
     krb5_error_code ret;
     struct get_entry_data data;
-    struct getargs args[] = {
-	{ "long",	'l',	arg_flag,	NULL, "long format" },
-	{ "short",	's',	arg_flag,	NULL, "short format" },
-	{ "terse",	't',	arg_flag,	NULL, "terse format" },
-    };
-    int num_args = sizeof(args) / sizeof(args[0]);
-    int optind = 0;
-    int long_flag = -1;
-    int short_flag = -1;
     
-    args[0].value = &long_flag;
-    args[1].value = &short_flag;
-    args[2].value = &terse_flag;
-
-    if(getarg(args, num_args, argc, argv, &optind))
-	goto usage;
-    if(optind == argc)
-	goto usage;
-
-    if(long_flag == -1 && (short_flag == 1 || terse_flag == 1))
-	long_flag = 0;
-    if(short_flag == -1 && (long_flag == 1 || terse_flag == 1))
-	short_flag = 0;
-    if(terse_flag == -1 && (long_flag == 1 || short_flag == 1))
-	terse_flag = 0;
-    if(long_flag == 0 && short_flag == 0 && terse_flag == 0)
-	short_flag = 1;
-
-    if(long_flag) {
-	data.format = print_entry_long;
-	data.header = NULL;
-    } else if(short_flag){
-	data.format = print_entry_short;
-	data.header = print_header_short;
-    } else if(terse_flag) {
-	data.format = print_entry_terse;
-	data.header = NULL;
-    }
+    if(opt->long_flag == -1 && (opt->short_flag == 1 || opt->terse_flag == 1))
+	opt->long_flag = 0;
+    if(opt->short_flag == -1 && (opt->long_flag == 1 || opt->terse_flag == 1))
+	opt->short_flag = 0;
+    if(opt->terse_flag == -1 && (opt->long_flag == 1 || opt->short_flag == 1))
+	opt->terse_flag = 0;
+    if(opt->long_flag == 0 && opt->short_flag == 0 && opt->terse_flag == 0)
+	opt->short_flag = 1;
 
-    argc -= optind;
-    argv += optind;
+    data.table = NULL;
+    data.chead = NULL;
+    data.ctail = &data.chead;
+    data.mask = 0;
+    data.extra_mask = 0;
 
+    if(opt->short_flag || opt->terse_flag) {
+	data.table = rtbl_create();
+	rtbl_set_separator(data.table, "  ");
+	data.format = print_entry_short;
+    } else
+	data.format = print_entry_long;
+    if(opt->column_info_string == NULL) {
+	if(opt->long_flag)
+	    ret = setup_columns(&data, DEFAULT_COLUMNS_LONG);
+	else if(opt->short_flag)
+	    ret = setup_columns(&data, DEFAULT_COLUMNS_SHORT);
+	else {
+	    ret = setup_columns(&data, DEFAULT_COLUMNS_TERSE);
+	    rtbl_set_flags(data.table, RTBL_HEADER_STYLE_NONE);
+	}
+    } else
+	ret = setup_columns(&data, opt->column_info_string);
+	
+    if(ret != 0) {
+	if(data.table != NULL)
+	    rtbl_destroy(data.table);
+	return 0;
+    }
+    
     for(i = 0; i < argc; i++)
 	ret = foreach_principal(argv[i], do_get_entry, "get", &data);
-    return 0;
-usage:
-    arg_printusage (args, num_args, name, "principal...");
-    return 0;
+    
+    if(data.table != NULL) {
+	rtbl_format(data.table, stdout);
+	rtbl_destroy(data.table);
+    }
+    free_columns(&data);
+    return ret != 0;
 }
 
 int
-get_entry(int argc, char **argv)
+get_entry(struct get_options *opt, int argc, char **argv)
 {
-    return getit("get", 0, argc, argv);
+    return getit(opt, "get", argc, argv);
 }
 
 int
-list_princs(int argc, char **argv)
+list_princs(struct list_options *opt, int argc, char **argv)
 {
-    return getit("list", 1, argc, argv);
+    if(sizeof(struct get_options) != sizeof(struct list_options)) {
+	krb5_warnx(context, "programmer error: sizeof(struct get_options) != sizeof(struct list_options)");
+	return 0;
+    }
+    return getit((struct get_options*)opt, "list", argc, argv);
 }
diff --git a/crypto/heimdal/kadmin/init.c b/crypto/heimdal/kadmin/init.c
index 587458b..8b512f9 100644
--- a/crypto/heimdal/kadmin/init.c
+++ b/crypto/heimdal/kadmin/init.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,21 +32,34 @@
  */
 
 #include "kadmin_locl.h"
+#include "kadmin-commands.h"
 #include <kadm5/private.h>
 
-RCSID("$Id: init.c,v 1.29 2002/12/03 14:08:17 joda Exp $");
+RCSID("$Id: init.c 17447 2006-05-05 10:52:01Z lha $");
 
 static kadm5_ret_t
 create_random_entry(krb5_principal princ,
 		    unsigned max_life,
 		    unsigned max_rlife,
-		    u_int32_t attributes)
+		    uint32_t attributes)
 {
     kadm5_principal_ent_rec ent;
     kadm5_ret_t ret;
     int mask = 0;
     krb5_keyblock *keys;
     int n_keys, i;
+    char *name;
+    const char *password;
+    char pwbuf[512];
+
+    random_password(pwbuf, sizeof(pwbuf));
+    password = pwbuf;
+
+    ret = krb5_unparse_name(context, princ, &name);
+    if (ret) {
+	krb5_warn(context, ret, "failed to unparse principal name");
+	return ret;
+    }
 
     memset(&ent, 0, sizeof(ent));
     ent.principal = princ;
@@ -62,93 +75,85 @@ create_random_entry(krb5_principal princ,
     ent.attributes |= attributes | KRB5_KDB_DISALLOW_ALL_TIX;
     mask |= KADM5_ATTRIBUTES;
 
-    ret = kadm5_create_principal(kadm_handle, &ent, mask, "hemlig");
-    if(ret)
-	return ret;
+    /* Create the entry with a random password */
+    ret = kadm5_create_principal(kadm_handle, &ent, mask, password);
+    if(ret) {
+	krb5_warn(context, ret, "create_random_entry(%s): randkey failed", 
+		  name);
+	goto out;
+    }
+    
+    /* Replace the string2key based keys with real random bytes */
     ret = kadm5_randkey_principal(kadm_handle, princ, &keys, &n_keys);
-    if(ret)
-	return ret;
+    if(ret) {
+	krb5_warn(context, ret, "create_random_entry*%s): randkey failed",
+		  name);
+	goto out;
+    }
     for(i = 0; i < n_keys; i++)
 	krb5_free_keyblock_contents(context, &keys[i]);
     free(keys);
     ret = kadm5_get_principal(kadm_handle, princ, &ent, 
 			      KADM5_PRINCIPAL | KADM5_ATTRIBUTES);
-    if(ret)
-	return ret;
+    if(ret) {
+	krb5_warn(context, ret, "create_random_entry(%s): "
+		  "unable to get principal", name);
+	goto out;
+    }
     ent.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
     ent.kvno = 1;
     ret = kadm5_modify_principal(kadm_handle, &ent, 
 				 KADM5_ATTRIBUTES|KADM5_KVNO);
     kadm5_free_principal_ent (kadm_handle, &ent);
-    if(ret)
-	return ret;
-    return 0;
+    if(ret) {
+	krb5_warn(context, ret, "create_random_entry(%s): "
+		  "unable to modify principal", name);
+	goto out;
+    }
+ out:
+    free(name);
+    return ret;
 }
 
-static struct getargs args[] = {
-    { "realm-max-ticket-life",  0,	arg_string,	NULL,
-      "realm max ticket lifetime" },
-    { "realm-max-renewable-life",  0,	arg_string,	NULL,
-      "realm max renewable lifetime" },
-    { "help", 'h', arg_flag, NULL },
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-static void
-usage(void)
-{
-    arg_printusage (args, num_args, "init", "realm...");
-}
+extern int local_flag;
 
 int
-init(int argc, char **argv)
+init(struct init_options *opt, int argc, char **argv)
 {
     kadm5_ret_t ret;
     int i;
-    char *realm_max_life  = NULL;
-    char *realm_max_rlife = NULL;
-    int help_flag = 0;
     HDB *db;
-    int optind = 0;
     krb5_deltat max_life, max_rlife;
 
-    args[0].value = &realm_max_life;
-    args[1].value = &realm_max_rlife;
-    args[2].value = &help_flag;
-
-    if(getarg(args, num_args, argc, argv, &optind) || help_flag) {
-	usage();
-	return 0;
-    }
-
-    if(argc - optind < 1) {
-	usage();
+    if(!local_flag) {
+	krb5_warnx(context, "init is only available in local (-l) mode");
 	return 0;
     }
 
-    if (realm_max_life) {
-	if (str2deltat (realm_max_life, &max_life) != 0) {
-	    krb5_warnx (context, "unable to parse `%s'", realm_max_life);
+    if (opt->realm_max_ticket_life_string) {
+	if (str2deltat (opt->realm_max_ticket_life_string, &max_life) != 0) {
+	    krb5_warnx (context, "unable to parse \"%s\"", 
+			opt->realm_max_ticket_life_string);
 	    return 0;
 	}
     }
-    if (realm_max_rlife) {
-	if (str2deltat (realm_max_rlife, &max_rlife) != 0) {
-	    krb5_warnx (context, "unable to parse `%s'", realm_max_rlife);
+    if (opt->realm_max_renewable_life_string) {
+	if (str2deltat (opt->realm_max_renewable_life_string, &max_rlife) != 0) {
+	    krb5_warnx (context, "unable to parse \"%s\"", 
+			opt->realm_max_renewable_life_string);
 	    return 0;
 	}
     }
 
     db = _kadm5_s_get_db(kadm_handle);
 
-    ret = db->open(context, db, O_RDWR | O_CREAT, 0600);
+    ret = db->hdb_open(context, db, O_RDWR | O_CREAT, 0600);
     if(ret){
 	krb5_warn(context, ret, "hdb_open");
 	return 0;
     }
-    db->close(context, db);
-    for(i = optind; i < argc; i++){
+    db->hdb_close(context, db);
+    for(i = 0; i < argc; i++){
 	krb5_principal princ;
 	const char *realm = argv[i];
 
@@ -157,14 +162,14 @@ init(int argc, char **argv)
 				  KRB5_TGS_NAME, realm, NULL);
 	if(ret)
 	    return 0;
-	if (realm_max_life == NULL) {
+	if (opt->realm_max_ticket_life_string == NULL) {
 	    max_life = 0;
 	    if(edit_deltat ("Realm max ticket life", &max_life, NULL, 0)) {
 		krb5_free_principal(context, princ);
 		return 0;
 	    }
 	}
-	if (realm_max_rlife == NULL) {
+	if (opt->realm_max_renewable_life_string == NULL) {
 	    max_rlife = 0;
 	    if(edit_deltat("Realm max renewable ticket life", &max_rlife,
 			   NULL, 0)) {
@@ -178,11 +183,16 @@ init(int argc, char **argv)
 	/* Create `kadmin/changepw' */
 	krb5_make_principal(context, &princ, realm, 
 			    "kadmin", "changepw", NULL);
+	/*
+	 * The Windows XP (at least) password changing protocol
+	 * request the `kadmin/changepw' ticket with `renewable_ok,
+	 * renewable, forwardable' and so fails if we disallow
+	 * forwardable here.
+	 */
 	create_random_entry(princ, 5*60, 5*60, 
 			    KRB5_KDB_DISALLOW_TGT_BASED|
 			    KRB5_KDB_PWCHANGE_SERVICE|
 			    KRB5_KDB_DISALLOW_POSTDATED|
-			    KRB5_KDB_DISALLOW_FORWARDABLE|
 			    KRB5_KDB_DISALLOW_RENEWABLE|
 			    KRB5_KDB_DISALLOW_PROXIABLE|
 			    KRB5_KDB_REQUIRES_PRE_AUTH);
diff --git a/crypto/heimdal/kadmin/kadm_conn.c b/crypto/heimdal/kadmin/kadm_conn.c
index ae44c43..f2a0828 100644
--- a/crypto/heimdal/kadmin/kadm_conn.c
+++ b/crypto/heimdal/kadmin/kadm_conn.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 2000 - 2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -36,7 +36,7 @@
 #include <sys/wait.h>
 #endif
 
-RCSID("$Id: kadm_conn.c,v 1.14 2002/10/21 13:21:24 joda Exp $");
+RCSID("$Id: kadm_conn.c 16007 2005-09-01 18:49:57Z lha $");
 
 struct kadm_port {
     char *port;
@@ -62,16 +62,10 @@ add_kadm_port(krb5_context context, const char *service, unsigned int port)
     kadm_ports = p;
 }
 
-extern int do_kerberos4;
-
 static void
 add_standard_ports (krb5_context context)
 {
     add_kadm_port(context, "kerberos-adm", 749);
-#ifdef KRB4
-    if(do_kerberos4)
-	add_kadm_port(context, "kerberos-master", 751);
-#endif
 }
 
 /*
@@ -261,17 +255,15 @@ start_server(krb5_context context)
 	}
 	socks = tmp;
 	for(ap = ai; ap; ap = ap->ai_next) {
-	    int one = 1;
 	    int s = socket(ap->ai_family, ap->ai_socktype, ap->ai_protocol);
 	    if(s < 0) {
 		krb5_warn(context, errno, "socket");
 		continue;
 	    }
-#if defined(SO_REUSEADDR) && defined(HAVE_SETSOCKOPT)
-	    if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&one,
-			  sizeof(one)) < 0)
-		krb5_warn(context, errno, "setsockopt");
-#endif
+
+	    socket_set_reuseaddr(s, 1);
+	    socket_set_ipv6only(s, 1);
+
 	    if (bind (s, ap->ai_addr, ap->ai_addrlen) < 0) {
 		krb5_warn(context, errno, "bind");
 		close(s);
diff --git a/crypto/heimdal/kadmin/kadmin-commands.in b/crypto/heimdal/kadmin/kadmin-commands.in
new file mode 100644
index 0000000..019b99c
--- /dev/null
+++ b/crypto/heimdal/kadmin/kadmin-commands.in
@@ -0,0 +1,420 @@
+/*
+ * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+/* $Id: kadmin-commands.in 21969 2007-10-18 18:51:11Z lha $ */
+
+command = {
+	name = "stash"
+	name = "kstash"
+	option = {
+		long = "enctype"
+		short = "e"
+		type = "string"
+		help = "encryption type"
+		default = "des3-cbc-sha1"
+	}
+	option = {
+		long = "key-file"
+		short = "k"
+		type = "string"
+		argument = "file"
+		help = "master key file"
+	}
+	option = {
+		long = "convert-file"
+		type = "flag"
+		help = "just convert keyfile to new format"
+	}
+	option = {
+		long = "master-key-fd"
+		type = "integer"
+		argument = "fd"
+		help = "filedescriptor to read passphrase from"
+		default = "-1"
+	}
+	help = "Writes the Kerberos master key to a file used by the KDC. \nLocal (-l) mode only."
+}
+command = {
+	name = "dump"
+	option = {
+		long = "decrypt"
+		short = "d"
+		type = "flag"
+		help = "decrypt keys"
+	}
+	argument = "[dump-file]"
+	min_args = "0"
+	max_args = "1"
+	help = "Dumps the database in a human readable format to the specified file, \nor the standard out. Local (-l) mode only."
+}
+
+command = {
+	name = "init"
+	option = {
+		long = "realm-max-ticket-life"
+		type = "string"
+		help = "realm max ticket lifetime"
+	}
+	option = {
+		long = "realm-max-renewable-life"
+		type = "string"
+		help = "realm max renewable lifetime"
+	}
+	argument = "realm..."
+	min_args = "1"
+	help = "Initializes the default principals for a realm. Creates the database\nif necessary. Local (-l) mode only."
+}
+command = {
+	name = "load"
+	argument = "file"
+	min_args = "1"
+	max_args = "1"
+	help = "Loads a previously dumped file. Local (-l) mode only."
+}
+command = {
+	name = "merge"
+	argument = "file"
+	min_args = "1"
+	max_args = "1"
+	help = "Merges the contents of a dump file into the database. Local (-l) mode only."
+}
+command = {
+	name = "add"
+	name = "ank"
+	name = "add_new_key"
+	function = "add_new_key"
+	option = {
+		long = "random-key"
+		short = "r"
+		type = "flag"
+		help = "set random key"
+	}
+	option = {
+		long = "random-password"
+		type = "flag"
+		help = "set random password"
+	}
+	option = {
+		long = "password"
+		short = "p"
+		type = "string"
+		help = "principal's password"
+	}
+	option = {
+		long = "key"
+		type = "string"
+		help = "DES-key in hex"
+	}
+	option = {
+		long = "max-ticket-life"
+		type = "string"
+		argument ="lifetime"
+		help = "max ticket lifetime"
+	}
+	option = {
+		long = "max-renewable-life"
+		type = "string"
+		argument = "lifetime"
+		help = "max renewable life"
+	}
+	option = {
+		long = "attributes"
+		type = "string"
+		argument = "attributes"
+		help = "principal attributes"
+	}
+	option = {
+		long = "expiration-time"
+		type = "string"
+		argument = "time"
+		help = "principal expiration time"
+	}
+	option = {
+		long = "pw-expiration-time"
+		type = "string"
+		argument = "time"
+		help = "password expiration time"
+	}
+	option = {
+		long = "use-defaults"
+		type = "flag"
+		help = "use default values"
+	}
+	argument = "principal..."
+	min_args = "1"
+	help = "Adds a principal to the database."
+}
+command = {
+	name = "passwd"
+	name = "cpw"
+	name = "change_password"
+	function = "cpw_entry"
+	option = {
+		long = "random-key"
+		short = "r"
+		type = "flag"
+		help = "set random key"
+	}
+	option = {
+		long = "random-password"
+		type = "flag"
+		help = "set random password"
+	}
+	option = {
+		long = "password"
+		short = "p"
+		type = "string"
+		help = "princial's password"
+	}
+	option = {
+		long = "key"
+		type = "string"
+		help = "DES key in hex"
+	}
+	argument = "principal..."
+	min_args = "1"
+	help = "Changes the password of one or more principals matching the expressions."
+}
+command = {
+	name = "delete"
+	name = "del"
+	name = "del_entry"
+	function = "del_entry"
+	argument = "principal..."
+	min_args = "1"
+	help = "Deletes all principals matching the expressions."
+}
+command = {
+	name = "del_enctype"
+	argument = "principal enctype..."
+	min_args = "2"
+	help = "Delete all the mentioned enctypes for principal."
+}
+command = {
+	name = "add_enctype"
+	option = {
+		long = "random-key"
+		short = "r"
+		type = "flag"
+		help = "set random key"
+	}
+	argument = "principal enctype..."
+	min_args = "2"
+	help = "Add new enctypes for principal."
+}
+command = {
+	name = "ext_keytab"
+	option = {
+		long = "keytab"
+		short = "k"
+		type = "string"
+		help = "keytab to use"
+	}
+	argument = "principal..."
+	min_args = "1"
+	help = "Extracts the keys of all principals matching the expressions, and stores them in a keytab." 
+}
+command = {
+	name = "get"
+	name = "get_entry"
+	function = "get_entry"
+	/* XXX sync options with "list" */
+	option = {
+		long = "long"
+		short = "l"
+		type = "flag"
+		help = "long format"
+		default = "-1"
+	}
+	option = {
+		long = "short"
+		short = "s"
+		type = "flag"
+		help = "short format"
+	}
+	option = {
+		long = "terse"
+		short = "t"
+		type = "flag"
+		help = "terse format"
+	}
+	option = {
+		long = "column-info"
+		short = "o"
+		type = "string"
+		help = "columns to print for short output"
+	}
+	argument = "principal..."
+	min_args = "1"
+	help = "Shows information about principals matching the expressions."
+}
+command = {
+	name = "rename"
+	function = "rename_entry"
+	argument = "from to"
+	min_args = "2"
+	max_args = "2"
+	help = "Renames a principal."
+}
+command = {
+	name = "modify"
+	function = "mod_entry"
+	option = {
+		long = "max-ticket-life"
+		type = "string"
+		argument ="lifetime"
+		help = "max ticket lifetime"
+	}
+	option = {
+		long = "max-renewable-life"
+		type = "string"
+		argument = "lifetime"
+		help = "max renewable life"
+	}
+	option = {
+		long = "attributes"
+		short = "a"
+		type = "string"
+		argument = "attributes"
+		help = "principal attributes"
+	}
+	option = {
+		long = "expiration-time"
+		type = "string"
+		argument = "time"
+		help = "principal expiration time"
+	}
+	option = {
+		long = "pw-expiration-time"
+		type = "string"
+		argument = "time"
+		help = "password expiration time"
+	}
+	option = {
+		long = "kvno"
+		type = "integer"
+		help = "key version number"
+		default = "-1"
+	}
+	option = {
+		long = "constrained-delegation"
+		type = "strings"
+		argument = "principal"
+		help = "allowed target principals"
+	}
+	option = {
+		long = "alias"
+		type = "strings"
+		argument = "principal"
+		help = "aliases"
+	}
+	option = {
+		long = "pkinit-acl"
+		type = "strings"
+		argument = "subject dn"
+		help = "aliases"
+	}
+	argument = "principal"
+	min_args = "1"
+	max_args = "1"
+	help = "Modifies some attributes of the specified principal."
+}
+command = {
+	name = "privileges"
+	name = "privs"
+	function = "get_privs"
+	help = "Shows which operations you are allowed to perform."
+}
+command = {
+	name = "list"
+	function = "list_princs"
+	/* XXX sync options with "get" */
+	option = {
+		long = "long"
+		short = "l"
+		type = "flag"
+		help = "long format"
+	}
+	option = {
+		long = "short"
+		short = "s"
+		type = "flag"
+		help = "short format"
+	}
+	option = {
+		long = "terse"
+		short = "t"
+		type = "flag"
+		help = "terse format"
+		default = "-1"
+	}
+	option = {
+		long = "column-info"
+		short = "o"
+		type = "string"
+		help = "columns to print for short output"
+	}
+	argument = "principal..."
+	min_args = "1"
+	help = "Lists principals in a terse format. Equivalent to \"get -t\"." 
+}
+command = {
+	name = "verify-password-quality"
+	name = "pwq"
+	function = "password_quality"
+	argument = "principal password"
+	min_args = "2"
+	max_args = "2"
+	help = "Try run the password quality function locally (not doing RPC out to server)."
+}
+command = {
+	name = "check"
+	function = "check"
+	argument = "[realm]"
+	min_args = "0"
+	max_args = "1"
+	help = "Check the realm (if not given, the default realm) for configuration errors."
+}
+command = {
+	name = "help"
+	name = "?"
+	argument = "[command]"
+	min_args = "0"
+	max_args = "1"
+	help = "Help! I need somebody."
+}
+command = {
+	name = "exit"
+	name = "quit"
+	function = "exit_kadmin"
+	help = "Quits."
+}
diff --git a/crypto/heimdal/kadmin/kadmin.8 b/crypto/heimdal/kadmin/kadmin.8
index cf7ebe8..06fe3d0 100644
--- a/crypto/heimdal/kadmin/kadmin.8
+++ b/crypto/heimdal/kadmin/kadmin.8
@@ -1,37 +1,37 @@
-.\" Copyright (c) 2000 - 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
-.\" 
-.\" $Id: kadmin.8,v 1.10 2003/03/31 10:42:32 lha Exp $
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.Dd September 10, 2000
+.\" $Id: kadmin.8 21739 2007-07-31 15:55:32Z lha $
+.\"
+.Dd Feb  22, 2007
 .Dt KADMIN 8
 .Os HEIMDAL
 .Sh NAME
@@ -39,6 +39,7 @@
 .Nd Kerberos administration utility
 .Sh SYNOPSIS
 .Nm
+.Bk -words
 .Oo Fl p Ar string \*(Ba Xo
 .Fl -principal= Ns Ar string
 .Xc
@@ -71,6 +72,7 @@
 .Op Fl h | Fl -help
 .Op Fl v | Fl -version
 .Op Ar command
+.Ek
 .Sh DESCRIPTION
 The
 .Nm
@@ -128,7 +130,18 @@ If no
 .Ar command
 is given on the command line,
 .Nm
-will prompt for commands to process. Commands include:
+will prompt for commands to process. Some of the commands that take
+one or more principals as argument
+.Ns ( Nm delete ,
+.Nm ext_keytab ,
+.Nm get ,
+.Nm modify ,
+and
+.Nm passwd )
+will accept a glob style wildcard, and perform the operation on all
+matching principals.
+.Pp
+Commands include:
 .\" not using a list here, since groff apparently gets confused
 .\" with nested Xo/Xc
 .Bd -ragged -offset indent
@@ -148,36 +161,33 @@ will prompt for commands to process. Commands include:
 .Ar principal...
 .Pp
 .Bd -ragged -offset indent
-creates a new principal
+Adds a new principal to the database. The options not passed on the
+command line will be promped for.
 .Ed
 .Pp
-.Nm passwd
+.Nm add_enctype
 .Op Fl r | Fl -random-key
-.Op Fl -random-password
-.Oo Fl p Ar string \*(Ba Xo
-.Fl -password= Ns Ar string
-.Xc
-.Oc
-.Op Fl -key= Ns Ar string
-.Ar principal...
+.Ar principal enctypes...
 .Pp
 .Bd -ragged -offset indent
-changes the password of an existing principal
+Adds a new encryption type to the principal, only random key are
+supported.
 .Ed
 .Pp
 .Nm delete
 .Ar principal...
 .Pp
 .Bd -ragged -offset indent
-removes a principal
+Removes a principal.
 .Ed
 .Pp
 .Nm del_enctype
 .Ar principal enctypes...
 .Pp
 .Bd -ragged -offset indent
-removes some enctypes from a principal. This can be useful the service
-belonging to the principal is known to not handle certain enctypes
+Removes some enctypes from a principal; this can be useful if the
+service belonging to the principal is known to not handle certain
+enctypes.
 .Ed
 .Pp
 .Nm ext_keytab
@@ -188,26 +198,49 @@ belonging to the principal is known to not handle certain enctypes
 .Ar principal...
 .Pp
 .Bd -ragged -offset indent
-creates a keytab with the keys of the specified principals
+Creates a keytab with the keys of the specified principals.
 .Ed
 .Pp
 .Nm get
 .Op Fl l | Fl -long
 .Op Fl s | Fl -short
 .Op Fl t | Fl -terse
-.Ar expression...
+.Op Fl o Ar string | Fl -column-info= Ns Ar string
+.Ar principal...
 .Pp
 .Bd -ragged -offset indent
-lists the principals that match the expressions (which are shell glob
-like), long format gives more information, and terse just prints the
-names
-.Ed
+Lists the matching principals, short prints the result as a table,
+while long format produces a more verbose output. Which columns to
+print can be selected with the
+.Fl o
+option. The argument is a comma separated list of column names
+optionally appended with an equal sign
+.Pq Sq =
+and a column header. Which columns are printed by default differ
+slightly between short and long output.
 .Pp
-.Nm rename
-.Ar from to
+The default terse output format is similar to
+.Fl s o Ar principal= ,
+just printing the names of matched principals.
 .Pp
-.Bd -ragged -offset indent
-renames a principal
+Possible column names include:
+.Li principal ,
+.Li princ_expire_time ,
+.Li pw_expiration ,
+.Li last_pwd_change ,
+.Li max_life ,
+.Li max_rlife ,
+.Li mod_time ,
+.Li mod_name ,
+.Li attributes ,
+.Li kvno ,
+.Li mkvno ,
+.Li last_success ,
+.Li last_failed ,
+.Li fail_auth_count ,
+.Li policy ,
+and
+.Li keytypes .
 .Ed
 .Pp
 .Nm modify
@@ -220,16 +253,91 @@ renames a principal
 .Op Fl -expiration-time= Ns Ar time
 .Op Fl -pw-expiration-time= Ns Ar time
 .Op Fl -kvno= Ns Ar number
+.Ar principal...
+.Pp
+.Bd -ragged -offset indent
+Modifies certain attributes of a principal. If run without command
+line options, you will be prompted. With command line options, it will
+only change the ones specified.
+.Pp
+Possible attributes are:
+.Li new-princ ,
+.Li support-desmd5 ,
+.Li pwchange-service ,
+.Li disallow-svr ,
+.Li requires-pw-change ,
+.Li requires-hw-auth ,
+.Li requires-pre-auth ,
+.Li disallow-all-tix ,
+.Li disallow-dup-skey ,
+.Li disallow-proxiable ,
+.Li disallow-renewable ,
+.Li disallow-tgt-based ,
+.Li disallow-forwardable ,
+.Li disallow-postdated
+.Pp
+Attributes may be negated with a "-", e.g., 
+.Pp 
+kadmin -l modify -a -disallow-proxiable user
+.Ed
+.Pp
+.Nm passwd
+.Op Fl r | Fl -random-key
+.Op Fl -random-password
+.Oo Fl p Ar string \*(Ba Xo
+.Fl -password= Ns Ar string
+.Xc
+.Oc
+.Op Fl -key= Ns Ar string
+.Ar principal...
+.Pp
+.Bd -ragged -offset indent
+Changes the password of an existing principal.
+.Ed
+.Pp
+.Nm password-quality
 .Ar principal
+.Ar password
 .Pp
 .Bd -ragged -offset indent
-modifies certain attributes of a principal
+Run the password quality check function locally.
+You can run this on the host that is configured to run the kadmind
+process to verify that your configuration file is correct.
+The verification is done locally, if kadmin is run in remote mode,
+no rpc call is done to the server.
 .Ed
 .Pp
 .Nm privileges
 .Pp
 .Bd -ragged -offset indent
-lists the operations you are allowed to perform
+Lists the operations you are allowed to perform. These include
+.Li add ,
+.Li add_enctype ,
+.Li change-password ,
+.Li delete ,
+.Li del_enctype ,
+.Li get ,
+.Li list ,
+and
+.Li modify .
+.Ed
+.Pp
+.Nm rename
+.Ar from to
+.Pp
+.Bd -ragged -offset indent
+Renames a principal. This is normally transparent, but since keys are
+salted with the principal name, they will have a non-standard salt,
+and clients which are unable to cope with this will fail. Kerberos 4
+suffers from this.
+.Ed
+.Pp
+.Nm check
+.Op Ar realm
+.Pp
+.Bd -ragged -offset indent
+Check database for strange configurations on important principals. If
+no realm is given, the default realm is used.
 .Ed
 .Pp
 .Ed
@@ -241,9 +349,12 @@ When running in local mode, the following commands can also be used:
 .Op Ar dump-file
 .Pp
 .Bd -ragged -offset indent
-writes the database in
+Writes the database in
 .Dq human readable
-form to the specified file, or standard out
+form to the specified file, or standard out. If the database is
+encrypted, the dump will also have encrypted keys, unless
+.Fl -decrypt
+is used.
 .Ed
 .Pp
 .Nm init
@@ -252,24 +363,41 @@ form to the specified file, or standard out
 .Ar realm
 .Pp
 .Bd -ragged -offset indent
-initializes the Kerberos database with entries for a new realm. It's
-possible to have more than one realm served by one server
+Initializes the Kerberos database with entries for a new realm. It's
+possible to have more than one realm served by one server.
 .Ed
 .Pp
 .Nm load
 .Ar file
 .Pp
 .Bd -ragged -offset indent
-reads a previously dumped database, and re-creates that database from scratch
+Reads a previously dumped database, and re-creates that database from
+scratch.
 .Ed
 .Pp
 .Nm merge
 .Ar file
 .Pp
 .Bd -ragged -offset indent
-similar to
-.Nm list
-but just modifies the database with the entries in the dump file
+Similar to
+.Nm load
+but just modifies the database with the entries in the dump file.
+.Ed
+.Pp
+.Nm stash
+.Oo Fl e Ar enctype \*(Ba Xo
+.Fl -enctype= Ns Ar enctype
+.Xc
+.Oc
+.Oo Fl k Ar keyfile \*(Ba Xo
+.Fl -key-file= Ns Ar keyfile
+.Xc
+.Oc
+.Op Fl -convert-file
+.Op Fl -master-key-fd= Ns Ar fd
+.Pp
+.Bd -ragged -offset indent
+Writes the Kerberos master key to a file used by the KDC.
 .Ed
 .Pp
 .Ed
diff --git a/crypto/heimdal/kadmin/kadmin.c b/crypto/heimdal/kadmin/kadmin.c
index 9438587..da9b894 100644
--- a/crypto/heimdal/kadmin/kadmin.c
+++ b/crypto/heimdal/kadmin/kadmin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,13 +32,15 @@
  */
 
 #include "kadmin_locl.h"
+#include "kadmin-commands.h"
 #include <sl.h>
 
-RCSID("$Id: kadmin.c,v 1.42 2003/03/31 10:20:19 lha Exp $");
+RCSID("$Id: kadmin.c 22253 2007-12-09 06:00:00Z lha $");
 
 static char *config_file;
 static char *keyfile;
-static int local_flag;
+int local_flag;
+static int ad_flag;
 static int help_flag;
 static int version_flag;
 static char *realm;
@@ -46,6 +48,9 @@ static char *admin_server;
 static int server_port = 0;
 static char *client_name;
 static char *keytab;
+static char *check_library  = NULL;
+static char *check_function = NULL;
+static getarg_strings policy_libraries = { 0, NULL };
 
 static struct getargs args[] = {
     {	"principal", 	'p',	arg_string,	&client_name,
@@ -72,6 +77,15 @@ static struct getargs args[] = {
 	"server-port",	's',	arg_integer,   &server_port, 
 	"port to use", "port number" 
     },
+    {	"ad", 		0, arg_flag, &ad_flag, "active directory admin mode" },
+#ifdef HAVE_DLOPEN
+    { "check-library", 0, arg_string, &check_library, 
+      "library to load password check function from", "library" },
+    { "check-function", 0, arg_string, &check_function,
+      "password check function to load", "function" },
+    { "policy-libraries", 0, arg_strings, &policy_libraries,
+      "password check function to load", "function" },
+#endif
     {	"local", 'l', arg_flag, &local_flag, "local admin mode" },
     {	"help",		'h',	arg_flag,   &help_flag },
     {	"version",	'v',	arg_flag,   &version_flag }
@@ -79,100 +93,24 @@ static struct getargs args[] = {
 
 static int num_args = sizeof(args) / sizeof(args[0]);
 
-static SL_cmd commands[] = {
-    /* commands that are only available with `-l' */
-    { 
-	"dump",		dump,		"dump [file]",
-	"Dumps the database in a human readable format to the\n"
-	"specified file, or the standard out." 
-    },
-    { 
-	"load",		load,		"load file",
-	"Loads a previously dumped file."
-    },
-    { 
-	"merge",	merge,		"merge file" ,
-	"Merges the contents of a dump file into the database."
-    },
-    { 
-	"init",		init,		"init realm...",
-	"Initializes the default principals for a realm.\n"
-	"Creates the database if necessary."
-    },
-    /* common commands */
-    { 
-	"add",	add_new_key, 	"add principal" ,
-	"Adds a principal to the database."
-    },
-    { "add_new_key"},
-    { "ank"},
-    { 
-	"passwd",	cpw_entry, 	"passwd expression..." ,
-	"Changes the password of one or more principals\n"
-	"matching the expressions."
-    },
-    { "change_password"},
-    { "cpw"},
-    { 
-	"delete",	del_entry, 	"delete expression...",
-	"Deletes all principals matching the expressions."
-    },
-    { "del_entry" },
-    { "del" },
-    {
-	"del_enctype",	del_enctype,	"del_enctype principal enctype...",
-	"Delete all the mentioned enctypes for principal."
-    },
-    { 
-	"ext_keytab",	ext_keytab, 	"ext_keytab expression...",
-	"Extracts the keys of all principals matching the expressions,\n"
-	"and stores them in a keytab." 
-    },
-    { 
-	"get",		get_entry, 	"get expression...",
-	"Shows information about principals matching the expressions."
-    },
-    { "get_entry" },
-    { 
-	"rename",	rename_entry, 	"rename source target",
-	"Renames `source' to `target'."
-    },
-    { 
-	"modify",	mod_entry, 	"modify principal",
-	"Modifies some attributes of the specified principal."
-    },
-    { 
-	"privileges",	get_privs,	"privileges",
-	"Shows which kinds of operations you are allowed to perform."
-    },
-    { "privs" },
-    { 
-	"list",		list_princs,	"list expression...", 
-	"Lists principals in a terse format. The same as `get -t'." 
-    },
-    { "help",		help, "help"},
-    { "?"},
-    { "exit",		exit_kadmin, "exit"},
-    { "quit" },
-    { NULL}
-};
 
 krb5_context context;
 void *kadm_handle;
 
-static SL_cmd *actual_cmds;
-
 int
-help(int argc, char **argv)
+help(void *opt, int argc, char **argv)
 {
-    sl_help(actual_cmds, argc, argv);
+    sl_slc_help(commands, argc, argv);
     return 0;
 }
 
+static int exit_seen = 0;
+
 int
-exit_kadmin (int argc, char **argv)
+exit_kadmin (void *opt, int argc, char **argv)
 {
-    return 1;
+    exit_seen = 1;
+    return 0;
 }
 
 static void
@@ -183,30 +121,12 @@ usage(int ret)
 }
 
 int
-get_privs(int argc, char **argv)
+get_privs(void *opt, int argc, char **argv)
 {
-    u_int32_t privs;
+    uint32_t privs;
     char str[128];
     kadm5_ret_t ret;
     
-    int help_flag = 0;
-    struct getargs args[] = {
-	{ "help",	'h',	arg_flag,	NULL }
-    };
-    int num_args = sizeof(args) / sizeof(args[0]);
-    int optind = 0;
-
-    args[0].value = &help_flag;
-
-    if(getarg(args, num_args, argc, argv, &optind)) {
-	arg_printusage (args, num_args, "privileges", NULL);
-	return 0;
-    }
-    if(help_flag) {
-	arg_printusage (args, num_args, "privileges", NULL);
-	return 0;
-    }
-
     ret = kadm5_get_privs(kadm_handle, &privs);
     if(ret)
 	krb5_warn(context, ret, "kadm5_get_privs");
@@ -221,9 +141,10 @@ int
 main(int argc, char **argv)
 {
     krb5_error_code ret;
-    krb5_config_section *cf = NULL;
+    char **files;
     kadm5_config_params conf;
-    int optind = 0;
+    int optidx = 0;
+    int exit_status = 0;
 
     setprogname(argv[0]);
 
@@ -231,7 +152,7 @@ main(int argc, char **argv)
     if (ret)
 	errx (1, "krb5_init_context failed: %d", ret);
     
-    if(getarg(args, num_args, argc, argv, &optind))
+    if(getarg(args, num_args, argc, argv, &optidx))
 	usage(1);
 
     if (help_flag)
@@ -242,20 +163,24 @@ main(int argc, char **argv)
 	exit(0);
     }
 
-    argc -= optind;
-    argv += optind;
-
-    if (config_file == NULL)
-	config_file = HDB_DB_DIR "/kdc.conf";
+    argc -= optidx;
+    argv += optidx;
 
-    if(krb5_config_parse_file(context, config_file, &cf) == 0) {
-	const char *p = krb5_config_get_string (context, cf, 
-						"kdc", "key-file", NULL);
-	if (p)
-	    keyfile = strdup(p);
+    if (config_file == NULL) {
+	asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
+	if (config_file == NULL)
+	    errx(1, "out of memory");
     }
-    krb5_clear_error_string (context);
 
+    ret = krb5_prepend_config_files_default(config_file, &files);
+    if (ret)
+	krb5_err(context, 1, ret, "getting configuration files");
+    
+    ret = krb5_set_config_files(context, files);
+    krb5_free_config_files(files);
+    if(ret) 
+	krb5_err(context, 1, ret, "reading configuration files");
+    
     memset(&conf, 0, sizeof(conf));
     if(realm) {
 	krb5_set_default_realm(context, realm); /* XXX should be fixed
@@ -274,31 +199,58 @@ main(int argc, char **argv)
 	conf.mask |= KADM5_CONFIG_KADMIND_PORT;
     }
 
-    if(local_flag){
+    if (keyfile) {
+	conf.stash_file = keyfile;
+	conf.mask |= KADM5_CONFIG_STASH_FILE;
+    }
+
+    if(local_flag) {
+	int i;
+
+	kadm5_setup_passwd_quality_check (context, 
+					  check_library, check_function);
+	
+	for (i = 0; i < policy_libraries.num_strings; i++) {
+	    ret = kadm5_add_passwd_quality_verifier(context, 
+						    policy_libraries.strings[i]);
+	    if (ret)
+		krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier");
+	}
+	ret = kadm5_add_passwd_quality_verifier(context, NULL);
+	if (ret)
+	    krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier");
+	
 	ret = kadm5_s_init_with_password_ctx(context, 
 					     KADM5_ADMIN_SERVICE,
 					     NULL,
 					     KADM5_ADMIN_SERVICE,
 					     &conf, 0, 0, 
 					     &kadm_handle);
-	actual_cmds = commands;
+    } else if (ad_flag) {
+	if (client_name == NULL)
+	    krb5_errx(context, 1, "keytab mode require principal name");
+	ret = kadm5_ad_init_with_password_ctx(context,
+					      client_name,
+					      NULL,
+					      KADM5_ADMIN_SERVICE,
+					      &conf, 0, 0,
+					      &kadm_handle);
     } else if (keytab) {
+	if (client_name == NULL)
+	    krb5_errx(context, 1, "keytab mode require principal name");
         ret = kadm5_c_init_with_skey_ctx(context,
 					 client_name,
 					 keytab,
 					 KADM5_ADMIN_SERVICE,
                                          &conf, 0, 0,
                                          &kadm_handle);
-        actual_cmds = commands + 4; /* XXX */
-    } else {
+    } else
 	ret = kadm5_c_init_with_password_ctx(context, 
 					     client_name,
 					     NULL,
 					     KADM5_ADMIN_SERVICE,
 					     &conf, 0, 0, 
 					     &kadm_handle);
-	actual_cmds = commands + 4; /* XXX */
-    }
     
     if(ret)
 	krb5_err(context, 1, ret, "kadm5_init_with_password");
@@ -309,14 +261,24 @@ main(int argc, char **argv)
                                 each function, f.i `get' might be
                                 interruptable, but not `create' */
     if (argc != 0) {
-	ret = sl_command (actual_cmds, argc, argv);
+	ret = sl_command (commands, argc, argv);
 	if(ret == -1)
 	    krb5_warnx (context, "unrecognized command: %s", argv[0]);
-    } else
-	ret = sl_loop (actual_cmds, "kadmin> ") != 0;
+	else if (ret == -2)
+	    ret = 0;
+	if(ret != 0)
+	    exit_status = 1;
+    } else {
+	while(!exit_seen) {
+	    ret = sl_command_loop(commands, "kadmin> ", NULL);
+	    if (ret == -2)
+		exit_seen = 1;
+	    else if (ret != 0)
+		exit_status = 1;
+	}
+    }
 
     kadm5_destroy(kadm_handle);
-    krb5_config_file_free (context, cf);
     krb5_free_context(context);
-    return ret;
+    return exit_status;
 }
diff --git a/crypto/heimdal/kadmin/kadmind.8 b/crypto/heimdal/kadmin/kadmind.8
index 5663225..4715da9 100644
--- a/crypto/heimdal/kadmin/kadmind.8
+++ b/crypto/heimdal/kadmin/kadmind.8
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2002 - 2003 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2002 - 2004 Kungliga Tekniska Högskolan
 .\" (Royal Institute of Technology, Stockholm, Sweden). 
 .\" All rights reserved. 
 .\"
@@ -29,9 +29,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 .\" SUCH DAMAGE. 
 .\" 
-.\" $Id: kadmind.8,v 1.14 2003/04/06 17:47:57 lha Exp $
+.\" $Id: kadmind.8 14370 2004-12-08 17:20:21Z lha $
 .\"
-.Dd March 5, 2002
+.Dd December  8, 2004
 .Dt KADMIND 8
 .Os HEIMDAL
 .Sh NAME
@@ -39,6 +39,7 @@
 .Nd "server for administrative access to Kerberos database"
 .Sh SYNOPSIS
 .Nm
+.Bk -words
 .Oo Fl c Ar file \*(Ba Xo
 .Fl -config-file= Ns Ar file
 .Xc
@@ -57,7 +58,7 @@
 .Fl -ports= Ns Ar port
 .Xc
 .Oc
-.Op Fl -no-kerberos4
+.Ek
 .Sh DESCRIPTION
 .Nm
 listens for requests for changes to the Kerberos database and performs
@@ -71,11 +72,7 @@ option causes
 .Nm
 to accept exactly one connection, which is useful for debugging.
 .Pp
-If built with krb4 support, it implements both the Heimdal Kerberos 5
-administrative protocol and the Kerberos 4 protocol. Password changes
-via the Kerberos 4 protocol are also performed by
-.Nm kadmind ,
-but the
+The
 .Xr kpasswdd 8
 daemon is responsible for the Kerberos 5 password changing protocol
 (used by
@@ -149,17 +146,12 @@ enable debugging
 .Fl p Ar port ,
 .Fl -ports= Ns Ar port
 .Xc
-ports to listen to. By default, if run as a daemon, it listens to ports
-749, and 751 (if Kerberos 4 support is built and enabled), but you can
-add any number of ports with this option. The port string is a
-whitespace separated list of port specifications, with the special
-string
+ports to listen to. By default, if run as a daemon, it listens to port
+749, but you can add any number of ports with this option. The port
+string is a whitespace separated list of port specifications, with the
+special string
 .Dq +
-representing the default set of ports.
-.It Fl -no-kerberos4
-make 
-.Nm 
-ignore Kerberos 4 kadmin requests.
+representing the default port.
 .El
 .\".Sh ENVIRONMENT
 .Sh FILES
diff --git a/crypto/heimdal/kadmin/kadmind.c b/crypto/heimdal/kadmin/kadmind.c
index 7c52637..4d1c2ec 100644
--- a/crypto/heimdal/kadmin/kadmind.c
+++ b/crypto/heimdal/kadmin/kadmind.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,21 +33,18 @@
 
 #include "kadmin_locl.h"
 
-RCSID("$Id: kadmind.c,v 1.28.2.1 2004/04/29 12:30:32 lha Exp $");
+RCSID("$Id: kadmind.c 22250 2007-12-09 05:57:31Z lha $");
 
 static char *check_library  = NULL;
 static char *check_function = NULL;
+static getarg_strings policy_libraries = { 0, NULL };
 static char *config_file;
-static char *keyfile;
 static char *keytab_str = "HDB:";
 static int help_flag;
 static int version_flag;
 static int debug_flag;
 static char *port_str;
 char *realm;
-#ifdef KRB4
-int do_kerberos4 = 0;
-#endif
 
 static struct getargs args[] = {
     { 
@@ -55,10 +52,6 @@ static struct getargs args[] = {
 	"location of config file",	"file" 
     },
     {
-	"key-file",	'k',	arg_string, &keyfile, 
-	"location of master key file", "file"
-    },
-    {
 	"keytab",	0,	arg_string, &keytab_str,
 	"what keytab to use", "keytab"
     },
@@ -70,15 +63,12 @@ static struct getargs args[] = {
       "library to load password check function from", "library" },
     { "check-function", 0, arg_string, &check_function,
       "password check function to load", "function" },
+    { "policy-libraries", 0, arg_strings, &policy_libraries,
+      "password check function to load", "function" },
 #endif
     {	"debug",	'd',	arg_flag,   &debug_flag, 
 	"enable debugging" 
     },
-#ifdef KRB4
-    {	"kerberos4", 0,		arg_flag,   &do_kerberos4,
-	"don't respond to kerberos 4 requests"
-    },
-#endif
     {	"ports",	'p',	arg_string, &port_str, 
 	"ports to listen to", "port" },
     {	"help",		'h',	arg_flag,   &help_flag },
@@ -100,10 +90,10 @@ int
 main(int argc, char **argv)
 {
     krb5_error_code ret;
-    krb5_config_section *cf;
-    int optind = 0;
-    int e;
-    krb5_log_facility *logf;
+    char **files;
+    int optidx = 0;
+    int e, i;
+    krb5_log_facility *logfacility;
     krb5_keytab keytab;
 
     setprogname(argv[0]);
@@ -112,11 +102,8 @@ main(int argc, char **argv)
     if (ret)
 	errx (1, "krb5_init_context failed: %d", ret);
 
-    ret = krb5_openlog(context, "kadmind", &logf);
-    ret = krb5_set_warn_dest(context, logf);
-
-    while((e = getarg(args, num_args, argc, argv, &optind)))
-	warnx("error at argument `%s'", argv[optind]);
+    while((e = getarg(args, num_args, argc, argv, &optidx)))
+	warnx("error at argument `%s'", argv[optidx]);
 
     if (help_flag)
 	usage (0);
@@ -126,29 +113,51 @@ main(int argc, char **argv)
 	exit(0);
     }
 
-    argc -= optind;
-    argv += optind;
+    argc -= optidx;
+    argv += optidx;
+
+    if (config_file == NULL) {
+	asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
+	if (config_file == NULL)
+	    errx(1, "out of memory");
+    }
+    
+    ret = krb5_prepend_config_files_default(config_file, &files);
+    if (ret)
+	krb5_err(context, 1, ret, "getting configuration files");
+    
+    ret = krb5_set_config_files(context, files);
+    krb5_free_config_files(files);
+    if(ret) 
+	krb5_err(context, 1, ret, "reading configuration files");
+    
+    ret = krb5_openlog(context, "kadmind", &logfacility);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_openlog");
+    ret = krb5_set_warn_dest(context, logfacility);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_set_warn_dest");
 
     ret = krb5_kt_register(context, &hdb_kt_ops);
     if(ret)
 	krb5_err(context, 1, ret, "krb5_kt_register");
 
-    if (config_file == NULL)
-	config_file = HDB_DB_DIR "/kdc.conf";
-
-    if(krb5_config_parse_file(context, config_file, &cf) == 0) {
-	const char *p = krb5_config_get_string (context, cf, 
-						"kdc", "key-file", NULL);
-	if (p)
-	    keyfile = strdup(p);
-    }
-
     ret = krb5_kt_resolve(context, keytab_str, &keytab);
     if(ret)
 	krb5_err(context, 1, ret, "krb5_kt_resolve");
 
     kadm5_setup_passwd_quality_check (context, check_library, check_function);
 
+    for (i = 0; i < policy_libraries.num_strings; i++) {
+	ret = kadm5_add_passwd_quality_verifier(context, 
+						policy_libraries.strings[i]);
+	if (ret)
+	    krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier");
+    }
+    ret = kadm5_add_passwd_quality_verifier(context, NULL);
+    if (ret)
+	krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier");
+
     {
 	int fd = 0;
 	struct sockaddr_storage __ss;
diff --git a/crypto/heimdal/kadmin/load.c b/crypto/heimdal/kadmin/load.c
index 3635023..30e6d93 100644
--- a/crypto/heimdal/kadmin/load.c
+++ b/crypto/heimdal/kadmin/load.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,9 +32,10 @@
  */
 
 #include "kadmin_locl.h"
+#include "kadmin-commands.h"
 #include <kadm5/private.h>
 
-RCSID("$Id: load.c,v 1.44 2002/09/04 20:44:35 joda Exp $");
+RCSID("$Id: load.c 16658 2006-01-25 12:29:46Z lha $");
 
 struct entry {
     char *principal;
@@ -48,6 +49,7 @@ struct entry {
     char *pw_end;
     char *flags;
     char *generation;
+    char *extensions;
 };
 
 static char *
@@ -116,7 +118,7 @@ parse_time_string_alloc (time_t **t, const char *s)
  */
 
 static int
-parse_integer(unsigned *u, const char *s)
+parse_integer(unsigned int *u, const char *s)
 {
     if(strcmp(s, "-") == 0)
 	return 0;
@@ -126,9 +128,9 @@ parse_integer(unsigned *u, const char *s)
 }
 
 static int
-parse_integer_alloc (int **u, const char *s)
+parse_integer_alloc (unsigned int **u, const char *s)
 {
-    unsigned tmp;
+    unsigned int tmp;
     int ret;
 
     *u = NULL;
@@ -274,7 +276,7 @@ static int
 parse_hdbflags2int(HDBFlags *f, const char *s)
 {
     int ret;
-    unsigned tmp;
+    unsigned int tmp;
 
     ret = parse_integer (&tmp, s);
     if (ret == 1)
@@ -308,6 +310,49 @@ parse_generation(char *str, GENERATION **gen)
     return 0;
 }
 
+static int
+parse_extensions(char *str, HDB_extensions **e)
+{
+    char *p;
+    int ret;
+
+    if(strcmp(str, "-") == 0 || *str == '\0') {
+	*e = NULL;
+	return 0;
+    }
+    *e = calloc(1, sizeof(**e));
+
+    p = strsep(&str, ":");
+
+    while (p) {
+	HDB_extension ext;
+	ssize_t len;
+	void *d;
+
+	len = strlen(p);
+	d = malloc(len);
+
+	len = hex_decode(p, d, len);
+	if (len < 0)
+	    return -1;
+
+	ret = decode_HDB_extension(d, len, &ext, NULL);
+	free(d);
+	if (ret)
+	    return -1;
+	d = realloc((*e)->val, ((*e)->len + 1) * sizeof((*e)->val[0]));
+	if (d == NULL)
+	    abort();
+	(*e)->val = d;
+	(*e)->val[(*e)->len] = ext;
+	(*e)->len++;
+
+	p = strsep(&str, ":");
+    }
+
+    return 0;
+}
+
 
 /*
  * Parse the dump file in `filename' and create the database (merging
@@ -315,7 +360,7 @@ parse_generation(char *str, GENERATION **gen)
  */
 
 static int
-doit(const char *filename, int merge)
+doit(const char *filename, int mergep)
 {
     krb5_error_code ret;
     FILE *f;
@@ -324,7 +369,7 @@ doit(const char *filename, int merge)
     int line;
     int flags = O_RDWR;
     struct entry e;
-    hdb_entry ent;
+    hdb_entry_ex ent;
     HDB *db = _kadm5_s_get_db(kadm_handle);
 
     f = fopen(filename, "r");
@@ -339,9 +384,9 @@ doit(const char *filename, int merge)
 	return 1;
     }
 
-    if(!merge)
+    if(!mergep)
 	flags |= O_CREAT | O_TRUNC;
-    ret = db->open(context, db, flags, 0600);
+    ret = db->hdb_open(context, db, flags, 0600);
     if(ret){
 	krb5_warn(context, ret, "hdb_open");
 	fclose(f);
@@ -352,7 +397,12 @@ doit(const char *filename, int merge)
     while(fgets(s, sizeof(s), f) != NULL) {
 	ret = 0;
 	line++;
-	e.principal = s;
+
+	p = s;
+	while (isspace((unsigned char)*p))
+	    p++;
+
+	e.principal = p;
 	for(p = s; *p; p++){
 	    if(*p == '\\')
 		p++;
@@ -393,8 +443,11 @@ doit(const char *filename, int merge)
 	e.generation = p;
 	p = skip_next(p);
 
+	e.extensions = p;
+	p = skip_next(p);
+
 	memset(&ent, 0, sizeof(ent));
-	ret = krb5_parse_name(context, e.principal, &ent.principal);
+	ret = krb5_parse_name(context, e.principal, &ent.entry.principal);
 	if(ret) {
 	    fprintf(stderr, "%s:%d:%s (%s)\n", 
 		    filename, 
@@ -404,137 +457,113 @@ doit(const char *filename, int merge)
 	    continue;
 	}
 	
-	if (parse_keys(&ent, e.key)) {
+	if (parse_keys(&ent.entry, e.key)) {
 	    fprintf (stderr, "%s:%d:error parsing keys (%s)\n",
 		     filename, line, e.key);
 	    hdb_free_entry (context, &ent);
 	    continue;
 	}
 	
-	if (parse_event(&ent.created_by, e.created) == -1) {
+	if (parse_event(&ent.entry.created_by, e.created) == -1) {
 	    fprintf (stderr, "%s:%d:error parsing created event (%s)\n",
 		     filename, line, e.created);
 	    hdb_free_entry (context, &ent);
 	    continue;
 	}
-	if (parse_event_alloc (&ent.modified_by, e.modified) == -1) {
+	if (parse_event_alloc (&ent.entry.modified_by, e.modified) == -1) {
 	    fprintf (stderr, "%s:%d:error parsing event (%s)\n",
 		     filename, line, e.modified);
 	    hdb_free_entry (context, &ent);
 	    continue;
 	}
-	if (parse_time_string_alloc (&ent.valid_start, e.valid_start) == -1) {
+	if (parse_time_string_alloc (&ent.entry.valid_start, e.valid_start) == -1) {
 	    fprintf (stderr, "%s:%d:error parsing time (%s)\n",
 		     filename, line, e.valid_start);
 	    hdb_free_entry (context, &ent);
 	    continue;
 	}
-	if (parse_time_string_alloc (&ent.valid_end,   e.valid_end) == -1) {
+	if (parse_time_string_alloc (&ent.entry.valid_end,   e.valid_end) == -1) {
 	    fprintf (stderr, "%s:%d:error parsing time (%s)\n",
 		     filename, line, e.valid_end);
 	    hdb_free_entry (context, &ent);
 	    continue;
 	}
-	if (parse_time_string_alloc (&ent.pw_end,      e.pw_end) == -1) {
+	if (parse_time_string_alloc (&ent.entry.pw_end,      e.pw_end) == -1) {
 	    fprintf (stderr, "%s:%d:error parsing time (%s)\n",
 		     filename, line, e.pw_end);
 	    hdb_free_entry (context, &ent);
 	    continue;
 	}
 
-	if (parse_integer_alloc (&ent.max_life,  e.max_life) == -1) {
+	if (parse_integer_alloc (&ent.entry.max_life,  e.max_life) == -1) {
 	    fprintf (stderr, "%s:%d:error parsing lifetime (%s)\n",
 		     filename, line, e.max_life);
 	    hdb_free_entry (context, &ent);
 	    continue;
 
 	}
-	if (parse_integer_alloc (&ent.max_renew, e.max_renew) == -1) {
+	if (parse_integer_alloc (&ent.entry.max_renew, e.max_renew) == -1) {
 	    fprintf (stderr, "%s:%d:error parsing lifetime (%s)\n",
 		     filename, line, e.max_renew);
 	    hdb_free_entry (context, &ent);
 	    continue;
 	}
 
-	if (parse_hdbflags2int (&ent.flags, e.flags) != 1) {
+	if (parse_hdbflags2int (&ent.entry.flags, e.flags) != 1) {
 	    fprintf (stderr, "%s:%d:error parsing flags (%s)\n",
 		     filename, line, e.flags);
 	    hdb_free_entry (context, &ent);
 	    continue;
 	}
 
-	if(parse_generation(e.generation, &ent.generation) == -1) {
+	if(parse_generation(e.generation, &ent.entry.generation) == -1) {
 	    fprintf (stderr, "%s:%d:error parsing generation (%s)\n",
 		     filename, line, e.generation);
 	    hdb_free_entry (context, &ent);
 	    continue;
 	}
 
-	ret = db->store(context, db, HDB_F_REPLACE, &ent);
+	if(parse_extensions(e.extensions, &ent.entry.extensions) == -1) {
+	    fprintf (stderr, "%s:%d:error parsing extension (%s)\n",
+		     filename, line, e.extensions);
+	    hdb_free_entry (context, &ent);
+	    continue;
+	}
+
+	ret = db->hdb_store(context, db, HDB_F_REPLACE, &ent);
 	hdb_free_entry (context, &ent);
 	if (ret) {
 	    krb5_warn(context, ret, "db_store");
 	    break;
 	}
     }
-    db->close(context, db);
+    db->hdb_close(context, db);
     fclose(f);
     return ret != 0;
 }
 
 
-static struct getargs args[] = {
-    { "help", 'h', arg_flag, NULL }
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-static void
-usage(const char *name)
-{
-    arg_printusage (args, num_args, name, "file");
-}
-
-
+extern int local_flag;
 
-int
-load(int argc, char **argv)
+static int
+loadit(int mergep, const char *name, int argc, char **argv)
 {
-    int optind = 0;
-    int help_flag = 0;
-
-    args[0].value = &help_flag;
-
-    if(getarg(args, num_args, argc, argv, &optind)) {
-	usage ("load");
-	return 0;
-    }
-    if(argc - optind != 1 || help_flag) {
-	usage ("load");
+    if(!local_flag) {
+	krb5_warnx(context, "%s is only available in local (-l) mode", name);
 	return 0;
     }
 
-    doit(argv[optind], 0);
-    return 0;
+    return doit(argv[0], mergep);
 }
-
+ 
 int
-merge(int argc, char **argv)
+load(void *opt, int argc, char **argv)
 {
-    int optind = 0;
-    int help_flag = 0;
-
-    args[0].value = &help_flag;
-
-    if(getarg(args, num_args, argc, argv, &optind)) {
-	usage ("merge");
-	return 0;
-    }
-    if(argc - optind != 1 || help_flag) {
-	usage ("merge");
-	return 0;
-    }
-
-    doit(argv[optind], 1);
-    return 0;
+    return loadit(0, "load", argc, argv);
+}
+ 
+int
+merge(void *opt, int argc, char **argv)
+{
+    return loadit(1, "merge", argc, argv);
 }
diff --git a/crypto/heimdal/kadmin/mod.c b/crypto/heimdal/kadmin/mod.c
index 0e9cd08..f5f9e04 100644
--- a/crypto/heimdal/kadmin/mod.c
+++ b/crypto/heimdal/kadmin/mod.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,120 +32,230 @@
  */
 
 #include "kadmin_locl.h"
+#include "kadmin-commands.h"
 
-RCSID("$Id: mod.c,v 1.11 2002/12/03 14:12:30 joda Exp $");
+RCSID("$Id: mod.c 21968 2007-10-18 18:50:33Z lha $");
 
-static int parse_args (krb5_context context, kadm5_principal_ent_t ent,
-		       int argc, char **argv, int *optind, char *name,
-		       int *mask);
+static void
+add_tl(kadm5_principal_ent_rec *princ, int type, krb5_data *data)
+{
+    krb5_tl_data *tl, **ptl;
 
-static int
-parse_args(krb5_context context, kadm5_principal_ent_t ent,
-	    int argc, char **argv, int *optind, char *name,
-	    int *mask)
+    tl = ecalloc(1, sizeof(*tl));
+    tl->tl_data_next = NULL;
+    tl->tl_data_type = KRB5_TL_EXTENSION;
+    tl->tl_data_length = data->length;
+    tl->tl_data_contents = data->data;
+    
+    princ->n_tl_data++;
+    ptl = &princ->tl_data;
+    while (*ptl != NULL)
+	ptl = &(*ptl)->tl_data_next;
+    *ptl = tl;
+
+    return;
+}
+
+static void
+add_constrained_delegation(krb5_context context,
+			   kadm5_principal_ent_rec *princ,
+			   struct getarg_strings *strings)
 {
-    char *attr_str = NULL;
-    char *max_life_str = NULL;
-    char *max_rlife_str = NULL;
-    char *expiration_str = NULL;
-    char *pw_expiration_str = NULL;
-    int new_kvno = -1;
-    int ret, i;
-
-    struct getargs args[] = {
-	{"attributes",	'a',	arg_string, NULL, "Attributies",
-	 "attributes"},
-	{"max-ticket-life", 0,	arg_string, NULL, "max ticket lifetime",
-	 "lifetime"},
-	{"max-renewable-life",  0, arg_string,	NULL,
-	 "max renewable lifetime", "lifetime" },
-	{"expiration-time",	0,	arg_string, 
-	 NULL, "Expiration time", "time"},
-	{"pw-expiration-time",  0,	arg_string, 
-	 NULL, "Password expiration time", "time"},
-	{"kvno",  0,	arg_integer, 
-	 NULL, "Key version number", "number"},
-    };
-
-    i = 0;
-    args[i++].value = &attr_str;
-    args[i++].value = &max_life_str;
-    args[i++].value = &max_rlife_str;
-    args[i++].value = &expiration_str;
-    args[i++].value = &pw_expiration_str;
-    args[i++].value = &new_kvno;
-
-    *optind = 0; /* XXX */
-
-    if(getarg(args, sizeof(args) / sizeof(args[0]), 
-	      argc, argv, optind)){
-	arg_printusage(args, 
-		       sizeof(args) / sizeof(args[0]), 
-		       name ? name : "",
-		       "principal");
-	return -1;
+    krb5_error_code ret;
+    HDB_extension ext;
+    krb5_data buf;
+    size_t size;
+	    
+    memset(&ext, 0, sizeof(ext));
+    ext.mandatory = FALSE;
+    ext.data.element = choice_HDB_extension_data_allowed_to_delegate_to;
+
+    if (strings->num_strings == 1 && strings->strings[0][0] == '\0') {
+	ext.data.u.allowed_to_delegate_to.val = NULL;
+	ext.data.u.allowed_to_delegate_to.len = 0;
+    } else {
+	krb5_principal p;
+	int i;
+
+	ext.data.u.allowed_to_delegate_to.val = 
+	    calloc(strings->num_strings, 
+		   sizeof(ext.data.u.allowed_to_delegate_to.val[0]));
+	ext.data.u.allowed_to_delegate_to.len = strings->num_strings;
+	
+	for (i = 0; i < strings->num_strings; i++) {
+	    ret = krb5_parse_name(context, strings->strings[i], &p);
+	    ret = copy_Principal(p, &ext.data.u.allowed_to_delegate_to.val[i]);
+	    krb5_free_principal(context, p);
+	}
     }
-    
-    ret = set_entry(context, ent, mask, max_life_str, max_rlife_str, 
-		    expiration_str, pw_expiration_str, attr_str);
+
+    ASN1_MALLOC_ENCODE(HDB_extension, buf.data, buf.length,
+		       &ext, &size, ret);
+    free_HDB_extension(&ext);
     if (ret)
-	return ret;
+	abort();
+    if (buf.length != size)
+	abort();
 
-    if(new_kvno != -1) {
-	ent->kvno = new_kvno;
-	*mask |= KADM5_KVNO;
-    }
-    return 0;
+    add_tl(princ, KRB5_TL_EXTENSION, &buf);
 }
 
-int
-mod_entry(int argc, char **argv)
+static void
+add_aliases(krb5_context context, kadm5_principal_ent_rec *princ,
+	    struct getarg_strings *strings)
 {
-    kadm5_principal_ent_rec princ;
-    int mask = 0;
     krb5_error_code ret;
-    krb5_principal princ_ent = NULL;
-    int optind;
+    HDB_extension ext;
+    krb5_data buf;
+    krb5_principal p;
+    size_t size;
+    int i;
+    
+    memset(&ext, 0, sizeof(ext));
+    ext.mandatory = FALSE;
+    ext.data.element = choice_HDB_extension_data_aliases;
+    ext.data.u.aliases.case_insensitive = 0;
 
-    memset (&princ, 0, sizeof(princ));
+    if (strings->num_strings == 1 && strings->strings[0][0] == '\0') {
+	ext.data.u.aliases.aliases.val = NULL;
+	ext.data.u.aliases.aliases.len = 0;
+    } else {
+	ext.data.u.aliases.aliases.val = 
+	    calloc(strings->num_strings, 
+		   sizeof(ext.data.u.aliases.aliases.val[0]));
+	ext.data.u.aliases.aliases.len = strings->num_strings;
+	
+	for (i = 0; i < strings->num_strings; i++) {
+	    ret = krb5_parse_name(context, strings->strings[i], &p);
+	    ret = copy_Principal(p, &ext.data.u.aliases.aliases.val[i]);
+	    krb5_free_principal(context, p);
+	}
+    }
 
-    ret = parse_args (context, &princ, argc, argv,
-		      &optind, "mod", &mask);
+    ASN1_MALLOC_ENCODE(HDB_extension, buf.data, buf.length,
+		       &ext, &size, ret);
+    free_HDB_extension(&ext);
     if (ret)
-	return 0;
+	abort();
+    if (buf.length != size)
+	abort();
+    
+    add_tl(princ, KRB5_TL_EXTENSION, &buf);
+}
 
-    argc -= optind;
-    argv += optind;
+static void
+add_pkinit_acl(krb5_context context, kadm5_principal_ent_rec *princ,
+	       struct getarg_strings *strings)
+{
+    krb5_error_code ret;
+    HDB_extension ext;
+    krb5_data buf;
+    size_t size;
+    int i;
     
-    if (argc != 1) {
-	printf ("Usage: mod [options] principal\n");
-	return 0;
-    }
+    memset(&ext, 0, sizeof(ext));
+    ext.mandatory = FALSE;
+    ext.data.element = choice_HDB_extension_data_pkinit_acl;
+    ext.data.u.aliases.case_insensitive = 0;
 
-    krb5_parse_name(context, argv[0], &princ_ent);
-
-    if (mask == 0) {
-	memset(&princ, 0, sizeof(princ));
-	ret = kadm5_get_principal(kadm_handle, princ_ent, &princ, 
-				  KADM5_PRINCIPAL | KADM5_ATTRIBUTES | 
-				  KADM5_MAX_LIFE | KADM5_MAX_RLIFE |
-				  KADM5_PRINC_EXPIRE_TIME |
-				  KADM5_PW_EXPIRATION);
-	krb5_free_principal (context, princ_ent);
-	if (ret) {
-	    printf ("no such principal: %s\n", argv[0]);
-	    return 0;
-	}
-	if(edit_entry(&princ, &mask, NULL, 0))
-	    goto out;
+    if (strings->num_strings == 1 && strings->strings[0][0] == '\0') {
+	ext.data.u.pkinit_acl.val = NULL;
+	ext.data.u.pkinit_acl.len = 0;
     } else {
-	princ.principal = princ_ent;
+	ext.data.u.pkinit_acl.val = 
+	    calloc(strings->num_strings, 
+		   sizeof(ext.data.u.pkinit_acl.val[0]));
+	ext.data.u.pkinit_acl.len = strings->num_strings;
+	
+	for (i = 0; i < strings->num_strings; i++) {
+	    ext.data.u.pkinit_acl.val[i].subject = estrdup(strings->strings[i]);
+	}
     }
 
-    ret = kadm5_modify_principal(kadm_handle, &princ, mask);
-    if(ret)
-	krb5_warn(context, ret, "kadm5_modify_principal");
-  out:
+    ASN1_MALLOC_ENCODE(HDB_extension, buf.data, buf.length,
+		       &ext, &size, ret);
+    free_HDB_extension(&ext);
+    if (ret)
+	abort();
+    if (buf.length != size)
+	abort();
+    
+    add_tl(princ, KRB5_TL_EXTENSION, &buf);
+}
+
+static int
+do_mod_entry(krb5_principal principal, void *data)
+{
+    krb5_error_code ret;
+    kadm5_principal_ent_rec princ;
+    int mask = 0;
+    struct modify_options *e = data;
+    
+    memset (&princ, 0, sizeof(princ));
+    ret = kadm5_get_principal(kadm_handle, principal, &princ,
+			      KADM5_PRINCIPAL | KADM5_ATTRIBUTES | 
+			      KADM5_MAX_LIFE | KADM5_MAX_RLIFE |
+			      KADM5_PRINC_EXPIRE_TIME |
+			      KADM5_PW_EXPIRATION);
+    if(ret) 
+	return ret;
+
+    if(e->max_ticket_life_string || 
+       e->max_renewable_life_string ||
+       e->expiration_time_string ||
+       e->pw_expiration_time_string ||
+       e->attributes_string ||
+       e->kvno_integer != -1 ||
+       e->constrained_delegation_strings.num_strings ||
+       e->alias_strings.num_strings ||
+       e->pkinit_acl_strings.num_strings) {
+	ret = set_entry(context, &princ, &mask, 
+			e->max_ticket_life_string, 
+			e->max_renewable_life_string, 
+			e->expiration_time_string, 
+			e->pw_expiration_time_string, 
+			e->attributes_string);
+	if(e->kvno_integer != -1) {
+	    princ.kvno = e->kvno_integer;
+	    mask |= KADM5_KVNO;
+	}
+	if (e->constrained_delegation_strings.num_strings) {
+	    add_constrained_delegation(context, &princ,
+				       &e->constrained_delegation_strings);
+	    mask |= KADM5_TL_DATA;
+	}
+	if (e->alias_strings.num_strings) {
+	    add_aliases(context, &princ, &e->alias_strings);
+	    mask |= KADM5_TL_DATA;
+	}
+	if (e->pkinit_acl_strings.num_strings) {
+	    add_pkinit_acl(context, &princ, &e->pkinit_acl_strings);
+	    mask |= KADM5_TL_DATA;
+	}
+
+    } else
+	ret = edit_entry(&princ, &mask, NULL, 0);
+    if(ret == 0) {
+	ret = kadm5_modify_principal(kadm_handle, &princ, mask);
+	if(ret)
+	    krb5_warn(context, ret, "kadm5_modify_principal");
+    }
+    
     kadm5_free_principal_ent(kadm_handle, &princ);
-    return 0;
+    return ret;
 }
+
+int
+mod_entry(struct modify_options *opt, int argc, char **argv)
+{
+    krb5_error_code ret = 0;
+    int i;
+
+    for(i = 0; i < argc; i++) {
+	ret = foreach_principal(argv[i], do_mod_entry, "mod", opt);
+	if (ret)
+	    break;
+    }
+    return ret != 0;
+}
+
diff --git a/crypto/heimdal/kadmin/pw_quality.c b/crypto/heimdal/kadmin/pw_quality.c
new file mode 100644
index 0000000..8d1e9cc
--- /dev/null
+++ b/crypto/heimdal/kadmin/pw_quality.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 2003-2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+#include "kadmin-commands.h"
+
+RCSID("$Id: pw_quality.c 14026 2004-07-05 11:41:22Z joda $");
+
+int
+password_quality(void *opt, int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_principal principal;
+    krb5_data pw_data;
+    const char *s;
+
+    ret = krb5_parse_name(context, argv[0], &principal);
+    if(ret){
+	krb5_warn(context, ret, "krb5_parse_name(%s)", argv[0]);
+	return 0;
+    }
+    pw_data.data = argv[1];
+    pw_data.length = strlen(argv[1]);
+
+    s = kadm5_check_password_quality (context, principal, &pw_data);
+    if (s)
+	krb5_warnx(context, "kadm5_check_password_quality: %s", s);
+
+    krb5_free_principal(context, principal);
+
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/random_password.c b/crypto/heimdal/kadmin/random_password.c
index 92fb2fc..d56dd94 100644
--- a/crypto/heimdal/kadmin/random_password.c
+++ b/crypto/heimdal/kadmin/random_password.c
@@ -33,7 +33,7 @@
 
 #include "kadmin_locl.h"
 
-RCSID("$Id: random_password.c,v 1.4 2001/02/15 04:20:53 assar Exp $");
+RCSID("$Id: random_password.c 21745 2007-07-31 16:11:25Z lha $");
 
 /* This file defines some a function that generates a random password,
    that can be used when creating a large amount of principals (such
@@ -123,7 +123,11 @@ generate_password(char **pw, int num_classes, ...)
     unsigned char rbuf[8]; /* random buffer */
     int rleft = 0;
 
+    *pw = NULL;
+
     classes = malloc(num_classes * sizeof(*classes));
+    if(classes == NULL)
+	return;
     va_start(ap, num_classes);
     len = 0;
     for(i = 0; i < num_classes; i++){
@@ -134,8 +138,10 @@ generate_password(char **pw, int num_classes, ...)
     }
     va_end(ap);
     *pw = malloc(len + 1);
-    if(*pw == NULL)
+    if(*pw == NULL) {
+	free(classes);
 	return;
+    }
     for(i = 0; i < len; i++) {
 	int j;
 	int x = RND(rbuf, sizeof(rbuf), &rleft) % (len - i);
diff --git a/crypto/heimdal/kadmin/rename.c b/crypto/heimdal/kadmin/rename.c
index ac5f4d6..9309db5 100644
--- a/crypto/heimdal/kadmin/rename.c
+++ b/crypto/heimdal/kadmin/rename.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,57 +32,32 @@
  */
 
 #include "kadmin_locl.h"
+#include "kadmin-commands.h"
 
-RCSID("$Id: rename.c,v 1.4 2001/05/04 13:07:03 joda Exp $");
-
-static struct getargs args[] = {
-    { "help", 'h', arg_flag, NULL }
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-static void
-usage(void)
-{
-    arg_printusage (args, num_args, "rename", "from to");
-}
+RCSID("$Id: rename.c 17007 2006-04-07 13:11:24Z lha $");
 
 int
-rename_entry(int argc, char **argv)
+rename_entry(void *opt, int argc, char **argv)
 {
-    int optind = 0;
-    int help_flag = 0;
-
     krb5_error_code ret;
     krb5_principal princ1, princ2;
 
-    args[0].value = &help_flag;
-
-    if(getarg(args, num_args, argc, argv, &optind)) {
-	usage ();
-	return 0;
-    }
-    if(argc - optind != 2 || help_flag) {
-	usage ();
-	return 0;
-    }
-
-    ret = krb5_parse_name(context, argv[1], &princ1);
+    ret = krb5_parse_name(context, argv[0], &princ1);
     if(ret){
-	krb5_warn(context, ret, "krb5_parse_name(%s)", argv[1]);
-	return 0;
+	krb5_warn(context, ret, "krb5_parse_name(%s)", argv[0]);
+	return ret != 0;
     }
-    ret = krb5_parse_name(context, argv[2], &princ2);
+    ret = krb5_parse_name(context, argv[1], &princ2);
     if(ret){
-	krb5_free_principal(context, princ2);
-	krb5_warn(context, ret, "krb5_parse_name(%s)", argv[2]);
-	return 0;
+	krb5_free_principal(context, princ1);
+	krb5_warn(context, ret, "krb5_parse_name(%s)", argv[1]);
+	return ret != 0;
     }
     ret = kadm5_rename_principal(kadm_handle, princ1, princ2);
     if(ret)
 	krb5_warn(context, ret, "rename");
     krb5_free_principal(context, princ1);
     krb5_free_principal(context, princ2);
-    return 0;
+    return ret != 0;
 }
 
diff --git a/crypto/heimdal/kadmin/server.c b/crypto/heimdal/kadmin/server.c
index adaf6cf..07dd9a5 100644
--- a/crypto/heimdal/kadmin/server.c
+++ b/crypto/heimdal/kadmin/server.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -34,7 +34,7 @@
 #include "kadmin_locl.h"
 #include <krb5-private.h>
 
-RCSID("$Id: server.c,v 1.38 2003/01/29 12:33:05 lha Exp $");
+RCSID("$Id: server.c 17611 2006-06-02 22:10:21Z lha $");
 
 static kadm5_ret_t
 kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
@@ -47,7 +47,7 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
     char *op = "";
     krb5_principal princ, princ2;
     kadm5_principal_ent_rec ent;
-    char *password, *exp;
+    char *password, *expression;
     krb5_keyblock *new_keys;
     int n_keys;
     char **princs;
@@ -192,6 +192,7 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 					   princ);
 	if(ret){
 	    krb5_free_principal(context->context, princ);
+	    krb5_free_principal(context->context, princ2);
 	    goto fail;
 	}
 	ret = kadm5_rename_principal(kadm_handle, princ, princ2);
@@ -370,12 +371,13 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 	break;
     }
     case kadm_get_privs:{
-	ret = kadm5_get_privs(kadm_handle, &mask);
+	uint32_t privs;
+	ret = kadm5_get_privs(kadm_handle, &privs);
 	krb5_storage_free(sp);
 	sp = krb5_storage_emem();
 	krb5_store_int32(sp, ret);
 	if(ret == 0)
-	    krb5_store_int32(sp, mask);
+	    krb5_store_uint32(sp, privs);
 	break;
     }
     case kadm_get_princs:{
@@ -384,19 +386,20 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 	if(ret)
 	    goto fail;
 	if(tmp){
-	    ret = krb5_ret_string(sp, &exp);
+	    ret = krb5_ret_string(sp, &expression);
 	    if(ret)
 		goto fail;
 	}else
-	    exp = NULL;
-	krb5_warnx(context->context, "%s: %s %s", client, op, exp ? exp : "*");
+	    expression = NULL;
+	krb5_warnx(context->context, "%s: %s %s", client, op,
+		   expression ? expression : "*");
 	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_LIST, NULL);
 	if(ret){
-	    free(exp);
+	    free(expression);
 	    goto fail;
 	}
-	ret = kadm5_get_principals(kadm_handle, exp, &princs, &n_princs);
-	free(exp);
+	ret = kadm5_get_principals(kadm_handle, expression, &princs, &n_princs);
+	free(expression);
 	krb5_storage_free(sp);
 	sp = krb5_storage_emem();
 	krb5_store_int32(sp, ret);
@@ -542,8 +545,6 @@ handle_v5(krb5_context context,
     v5_loop (context, ac, initial, kadm_handle, fd);
 }
 
-extern int do_kerberos4;
-
 krb5_error_code
 kadmind_loop(krb5_context context,
 	     krb5_auth_context ac,
@@ -560,16 +561,15 @@ kadmind_loop(krb5_context context,
     if(n < 0)
 	krb5_err(context, 1, errno, "read");
     _krb5_get_int(tmp, &len, 4);
+    /* this v4 test could probably also go away */
     if(len > 0xffff && (len & 0xffff) == ('K' << 8) + 'A') {
-	len >>= 16;
-#ifdef KRB4
-	if(do_kerberos4)
-	    handle_v4(context, keytab, len, fd);
-	else
-	    krb5_errx(context, 1, "version 4 kadmin is disabled");
-#else
+	unsigned char v4reply[] = { 
+	    0x00, 0x0c, 
+	    'K', 'Y', 'O', 'U', 'L', 'O', 'S', 'E', 
+	    0x95, 0xb7, 0xa7, 0x08 /* KADM_BAD_VER */
+	};
+	krb5_net_write(context, &fd, v4reply, sizeof(v4reply));
 	krb5_errx(context, 1, "packet appears to be version 4");
-#endif
     } else {
 	handle_v5(context, ac, keytab, len, fd);
     }
diff --git a/crypto/heimdal/kadmin/stash.c b/crypto/heimdal/kadmin/stash.c
new file mode 100644
index 0000000..d5b65ee
--- /dev/null
+++ b/crypto/heimdal/kadmin/stash.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+#include "kadmin-commands.h"
+
+RCSID("$Id: stash.c 22251 2007-12-09 05:58:43Z lha $");
+
+extern int local_flag;
+
+int
+stash(struct stash_options *opt, int argc, char **argv)
+{
+    char buf[1024];
+    krb5_error_code ret;
+    krb5_enctype enctype;
+    hdb_master_key mkey;
+    
+    if(!local_flag) {
+	krb5_warnx(context, "stash is only available in local (-l) mode");
+	return 0;
+    }
+
+    ret = krb5_string_to_enctype(context, opt->enctype_string, &enctype);
+    if(ret) {
+	krb5_warn(context, ret, "%s", opt->enctype_string);
+	return 0;
+    }
+
+    if(opt->key_file_string == NULL) {
+	asprintf(&opt->key_file_string, "%s/m-key", hdb_db_dir(context));
+	if (opt->key_file_string == NULL)
+	    errx(1, "out of memory");
+    }
+
+    ret = hdb_read_master_key(context, opt->key_file_string, &mkey);
+    if(ret && ret != ENOENT) {
+	krb5_warn(context, ret, "reading master key from %s", 
+		  opt->key_file_string);
+	return 0;
+    }
+
+    if (opt->convert_file_flag) {
+	if (ret)
+	    krb5_warn(context, ret, "reading master key from %s", 
+		      opt->key_file_string);
+	return 0;
+    } else {
+	krb5_keyblock key;
+	krb5_salt salt;
+	salt.salttype = KRB5_PW_SALT;
+	/* XXX better value? */
+	salt.saltvalue.data = NULL;
+	salt.saltvalue.length = 0;
+	if(opt->master_key_fd_integer != -1) {
+	    ssize_t n;
+	    n = read(opt->master_key_fd_integer, buf, sizeof(buf));
+	    if(n == 0)
+		krb5_warnx(context, "end of file reading passphrase");
+	    else if(n < 0)
+		krb5_warn(context, errno, "reading passphrase");
+	    buf[n] = '\0';
+	    buf[strcspn(buf, "\r\n")] = '\0';
+	} else {
+	    if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Master key: ", 1)) {
+		hdb_free_master_key(context, mkey);
+		return 0;
+	    }
+	}
+	ret = krb5_string_to_key_salt(context, enctype, buf, salt, &key);
+	ret = hdb_add_master_key(context, &key, &mkey);
+	krb5_free_keyblock_contents(context, &key);
+    }
+    
+    {
+	char *new, *old;
+	asprintf(&old, "%s.old", opt->key_file_string);
+	asprintf(&new, "%s.new", opt->key_file_string);
+	if(old == NULL || new == NULL) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+	    
+	if(unlink(new) < 0 && errno != ENOENT) {
+	    ret = errno;
+	    goto out;
+	}
+	krb5_warnx(context, "writing key to \"%s\"", opt->key_file_string);
+	ret = hdb_write_master_key(context, new, mkey);
+	if(ret)
+	    unlink(new);
+	else {
+	    unlink(old);
+	    if(link(opt->key_file_string, old) < 0 && errno != ENOENT) {
+		ret = errno;
+		unlink(new);
+	    } else if(rename(new, opt->key_file_string) < 0) {
+		ret = errno;
+	    }
+	}
+    out:
+	free(old);
+	free(new);
+	if(ret)
+	    krb5_warn(context, errno, "writing master key file");
+    }
+
+    hdb_free_master_key(context, mkey);
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/test_util.c b/crypto/heimdal/kadmin/test_util.c
new file mode 100644
index 0000000..0f59f60
--- /dev/null
+++ b/crypto/heimdal/kadmin/test_util.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "kadmin_locl.h"
+
+RCSID("$Id: test_util.c 19486 2006-12-22 17:25:59Z lha $");
+
+krb5_context context;
+void *kadm_handle;
+
+struct {
+    const char *str;
+    int ret;
+    time_t t;
+} ts[] = {
+    { "2006-12-22 18:09:00", 0, 1166810940 },
+    { "2006-12-22", 0, 1166831999 },
+    { "2006-12-22 23:59:59", 0, 1166831999 }
+};
+
+static int
+test_time(void)
+{
+    int i, errors = 0;
+
+    for (i = 0; i < sizeof(ts)/sizeof(ts[0]); i++) {
+	time_t t;
+	int ret;
+
+	ret = str2time_t (ts[i].str, &t);
+	if (ret != ts[i].ret) {
+	    printf("%d: %d is wrong ret\n", i, ret);
+	    errors++;
+	} 
+	else if (t != ts[i].t) {
+	    printf("%d: %d is wrong time\n", i, (int)t);
+	    errors++;
+	}
+    }
+    
+    return errors;
+}
+
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+
+    setprogname(argv[0]);
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    ret = 0;
+    ret += test_time();
+
+    krb5_free_context(context);
+
+    return ret;
+}
+    
diff --git a/crypto/heimdal/kadmin/util.c b/crypto/heimdal/kadmin/util.c
index b25bf2a..3c12dcb 100644
--- a/crypto/heimdal/kadmin/util.c
+++ b/crypto/heimdal/kadmin/util.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -34,7 +34,7 @@
 #include "kadmin_locl.h"
 #include <parse_units.h>
 
-RCSID("$Id: util.c,v 1.39 2003/04/14 11:55:27 lha Exp $");
+RCSID("$Id: util.c 21745 2007-07-31 16:11:25Z lha $");
 
 /*
  * util.c - functions for parsing, unparsing, and editing different
@@ -49,6 +49,10 @@ get_response(const char *prompt, const char *def, char *buf, size_t len);
  */
 
 struct units kdb_attrs[] = {
+    { "allow-digest",		KRB5_KDB_ALLOW_DIGEST },
+    { "allow-kerberos4",	KRB5_KDB_ALLOW_KERBEROS4 },
+    { "trusted-for-delegation",	KRB5_KDB_TRUSTED_FOR_DELEGATION },
+    { "ok-as-delegate",		KRB5_KDB_OK_AS_DELEGATE },
     { "new-princ",		KRB5_KDB_NEW_PRINC },
     { "support-desmd5",		KRB5_KDB_SUPPORT_DESMD5 },
     { "pwchange-service",	KRB5_KDB_PWCHANGE_SERVICE },
@@ -114,7 +118,7 @@ parse_attributes (const char *resp, krb5_flags *attr, int *mask, int bit)
     } else if(*resp == '?') {
 	print_flags_table (kdb_attrs, stderr);
     } else {
-	fprintf (stderr, "Unable to parse '%s'\n", resp);
+	fprintf (stderr, "Unable to parse \"%s\"\n", resp);
     }
     return -1;
 }
@@ -178,6 +182,7 @@ str2time_t (const char *str, time_t *t)
     struct tm tm, tm2;
 
     memset (&tm, 0, sizeof (tm));
+    memset (&tm2, 0, sizeof (tm2));
 
     if(strcasecmp(str, "never") == 0) {
 	*t = 0;
@@ -194,15 +199,20 @@ str2time_t (const char *str, time_t *t)
     if (p == NULL)
 	return -1;
 
-    /* Do it on the end of the day */
-    tm2.tm_hour = 23;
-    tm2.tm_min  = 59;
-    tm2.tm_sec  = 59;
+    while(isspace((unsigned char)*p))
+	p++;
 
-    if(strptime (p, "%H:%M:%S", &tm2) != NULL) {
+    /* XXX this is really a bit optimistic, we should really complain
+       if there was a problem parsing the time */
+    if(p[0] != '\0' && strptime (p, "%H:%M:%S", &tm2) != NULL) {
 	tm.tm_hour = tm2.tm_hour;
 	tm.tm_min  = tm2.tm_min;
 	tm.tm_sec  = tm2.tm_sec;
+    } else {
+	/* Do it on the end of the day */
+	tm.tm_hour = 23;
+	tm.tm_min  = 59;
+	tm.tm_sec  = 59;
     }
 
     *t = tm2time (tm, 0);
@@ -223,11 +233,10 @@ parse_timet (const char *resp, krb5_timestamp *value, int *mask, int bit)
 	if(mask)
 	    *mask |= bit;
 	return 0;
-    } else if(*resp == '?') {
-	printf ("Print date on format YYYY-mm-dd [hh:mm:ss]\n");
-    } else {
-	fprintf (stderr, "Unable to parse time '%s'\n", resp);
-    }
+    } 
+    if(*resp != '?')
+	fprintf (stderr, "Unable to parse time \"%s\"\n", resp);
+    fprintf (stderr, "Print date on format YYYY-mm-dd [hh:mm:ss]\n");
     return -1;
 }
 
@@ -313,7 +322,7 @@ parse_deltat (const char *resp, krb5_deltat *value, int *mask, int bit)
     } else if(*resp == '?') {
 	print_time_table (stderr);
     } else {
-	fprintf (stderr, "Unable to parse time '%s'\n", resp);
+	fprintf (stderr, "Unable to parse time \"%s\"\n", resp);
     }
     return -1;
 }
@@ -482,9 +491,13 @@ is_expression(const char *string)
     return 0;
 }
 
-/* loop over all principals matching exp */
+/*
+ * Loop over all principals matching exp.  If any of calls to `func'
+ * failes, the first error is returned when all principals are
+ * processed.
+ */
 int
-foreach_principal(const char *exp, 
+foreach_principal(const char *exp_str, 
 		  int (*func)(krb5_principal, void*), 
 		  const char *funcname,
 		  void *data)
@@ -492,15 +505,15 @@ foreach_principal(const char *exp,
     char **princs;
     int num_princs;
     int i;
-    krb5_error_code ret;
+    krb5_error_code saved_ret = 0, ret = 0;
     krb5_principal princ_ent;
     int is_expr;
 
     /* if this isn't an expression, there is no point in wading
        through the whole database looking for matches */
-    is_expr = is_expression(exp);
+    is_expr = is_expression(exp_str);
     if(is_expr)
-	ret = kadm5_get_principals(kadm_handle, exp, &princs, &num_princs);
+	ret = kadm5_get_principals(kadm_handle, exp_str, &princs, &num_princs);
     if(!is_expr || ret == KADM5_AUTH_LIST) {
 	/* we might be able to perform the requested opreration even
            if we're not allowed to list principals */
@@ -508,7 +521,7 @@ foreach_principal(const char *exp,
 	princs = malloc(sizeof(*princs));
 	if(princs == NULL)
 	    return ENOMEM;
-	princs[0] = strdup(exp);
+	princs[0] = strdup(exp_str);
 	if(princs[0] == NULL){ 
 	    free(princs);
 	    return ENOMEM;
@@ -524,12 +537,18 @@ foreach_principal(const char *exp,
 	    continue;
 	}
 	ret = (*func)(princ_ent, data);
-	if(ret)
+	if(ret) {
+	    krb5_clear_error_string(context);
 	    krb5_warn(context, ret, "%s %s", funcname, princs[i]);
+	    if (saved_ret == 0)
+		saved_ret = ret;
+	}
 	krb5_free_principal(context, princ_ent);
     }
+    if (ret == 0 && saved_ret != 0)
+	ret = saved_ret;
     kadm5_free_name_list(kadm_handle, princs, &num_princs);
-    return 0;
+    return ret;
 }
 
 /*
@@ -556,11 +575,11 @@ get_response(const char *prompt, const char *def, char *buf, size_t len)
     osig = signal(SIGINT, interrupt);
     if(setjmp(jmpbuf)) {
 	signal(SIGINT, osig);
-	printf("\n");
+	fprintf(stderr, "\n");
 	return 1;
     }
 
-    printf("%s [%s]:", prompt, def);
+    fprintf(stderr, "%s [%s]:", prompt, def);
     if(fgets(buf, len, stdin) == NULL) {
 	int save_errno = errno;
 	if(ferror(stdin))
@@ -601,14 +620,14 @@ hex2n (char c)
 
 int
 parse_des_key (const char *key_string, krb5_key_data *key_data,
-	       const char **err)
+	       const char **error)
 {
     const char *p = key_string;
     unsigned char bits[8];
     int i;
 
     if (strlen (key_string) != 16) {
-	*err = "bad length, should be 16 for DES key";
+	*error = "bad length, should be 16 for DES key";
 	return 1;
     }
     for (i = 0; i < 8; ++i) {
@@ -617,7 +636,7 @@ parse_des_key (const char *key_string, krb5_key_data *key_data,
 	d1 = hex2n(p[2 * i]);
 	d2 = hex2n(p[2 * i + 1]);
 	if (d1 < 0 || d2 < 0) {
-	    *err = "non-hex character";
+	    *error = "non-hex character";
 	    return 1;
 	}
 	bits[i] = (d1 << 4) | d2;
@@ -629,6 +648,10 @@ parse_des_key (const char *key_string, krb5_key_data *key_data,
 	key_data[i].key_data_type[0]     = ETYPE_DES_CBC_CRC;
 	key_data[i].key_data_length[0]   = 8;
 	key_data[i].key_data_contents[0] = malloc(8);
+	if (key_data[i].key_data_contents[0] == NULL) {
+	    *error = "malloc";
+	    return ENOMEM;
+	}
 	memcpy (key_data[i].key_data_contents[0], bits, 8);
 	/* salt */
 	key_data[i].key_data_type[1]     = KRB5_PW_SALT;
diff --git a/crypto/heimdal/kcm/Makefile.am b/crypto/heimdal/kcm/Makefile.am
new file mode 100644
index 0000000..baf89ac
--- /dev/null
+++ b/crypto/heimdal/kcm/Makefile.am
@@ -0,0 +1,44 @@
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
+
+include $(top_srcdir)/Makefile.am.common
+
+AM_CPPFLAGS += $(INCLUDE_krb4) $(INCLUDE_hcrypto) -I$(srcdir)/../lib/krb5
+
+libexec_PROGRAMS = kcm
+
+kcm_SOURCES =		\
+	acl.c		\
+	acquire.c	\
+	cache.c		\
+	client.c	\
+	config.c	\
+	connect.c	\
+	cursor.c	\
+	events.c	\
+	glue.c		\
+	headers.h	\
+	kcm_locl.h	\
+	kcm_protos.h	\
+	log.c		\
+	main.c		\
+	protocol.c	\
+	renew.c
+
+$(srcdir)/kcm_protos.h:
+	cd $(srcdir); perl ../cf/make-proto.pl -o kcm_protos.h -q -P comment $(kcm_SOURCES) || rm -f kcm_protos.h
+
+$(kcm_OBJECTS): $(srcdir)/kcm_protos.h
+
+man_MANS = kcm.8
+
+LDADD = $(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_krb4) \
+	$(LIB_hcrypto) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken) \
+	$(LIB_door_create) \
+	$(LIB_pidfile)
+
+EXTRA_DIST = $(man_MANS)
diff --git a/crypto/heimdal/kcm/Makefile.in b/crypto/heimdal/kcm/Makefile.in
new file mode 100644
index 0000000..c3996df
--- /dev/null
+++ b/crypto/heimdal/kcm/Makefile.in
@@ -0,0 +1,868 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
+
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
+
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
+	$(top_srcdir)/Makefile.am.common \
+	$(top_srcdir)/cf/Makefile.am.common
+libexec_PROGRAMS = kcm$(EXEEXT)
+subdir = kcm
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
+	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
+	$(top_srcdir)/cf/broken-glob.m4 \
+	$(top_srcdir)/cf/broken-realloc.m4 \
+	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
+	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
+	$(top_srcdir)/cf/capabilities.m4 \
+	$(top_srcdir)/cf/check-compile-et.m4 \
+	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
+	$(top_srcdir)/cf/check-man.m4 \
+	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
+	$(top_srcdir)/cf/check-type-extra.m4 \
+	$(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \
+	$(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \
+	$(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
+	$(top_srcdir)/cf/dlopen.m4 \
+	$(top_srcdir)/cf/find-func-no-libs.m4 \
+	$(top_srcdir)/cf/find-func-no-libs2.m4 \
+	$(top_srcdir)/cf/find-func.m4 \
+	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
+	$(top_srcdir)/cf/have-struct-field.m4 \
+	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
+	$(top_srcdir)/cf/krb-bigendian.m4 \
+	$(top_srcdir)/cf/krb-func-getlogin.m4 \
+	$(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
+	$(top_srcdir)/cf/krb-readline.m4 \
+	$(top_srcdir)/cf/krb-struct-spwd.m4 \
+	$(top_srcdir)/cf/krb-struct-winsize.m4 \
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/include/config.h
+CONFIG_CLEAN_FILES =
+am__installdirs = "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man8dir)"
+libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
+PROGRAMS = $(libexec_PROGRAMS)
+am_kcm_OBJECTS = acl.$(OBJEXT) acquire.$(OBJEXT) cache.$(OBJEXT) \
+	client.$(OBJEXT) config.$(OBJEXT) connect.$(OBJEXT) \
+	cursor.$(OBJEXT) events.$(OBJEXT) glue.$(OBJEXT) log.$(OBJEXT) \
+	main.$(OBJEXT) protocol.$(OBJEXT) renew.$(OBJEXT)
+kcm_OBJECTS = $(am_kcm_OBJECTS)
+kcm_LDADD = $(LDADD)
+am__DEPENDENCIES_1 =
+kcm_DEPENDENCIES = $(top_builddir)/lib/hdb/libhdb.la \
+	$(am__DEPENDENCIES_1) $(top_builddir)/lib/krb5/libkrb5.la \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
+depcomp =
+am__depfiles_maybe =
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(kcm_SOURCES)
+DIST_SOURCES = $(kcm_SOURCES)
+man8dir = $(mandir)/man8
+MANS = $(man_MANS)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CFLAGS = @CFLAGS@
+COMPILE_ET = @COMPILE_ET@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DBLIB = @DBLIB@
+DEFS = @DEFS@
+DIR_com_err = @DIR_com_err@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
+DIR_roken = @DIR_roken@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GREP = @GREP@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+INCLUDE_krb4 = @INCLUDE_krb4@
+INCLUDE_openldap = @INCLUDE_openldap@
+INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_NDBM = @LIB_NDBM@
+LIB_XauFileName = @LIB_XauFileName@
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_XauWriteAuth = @LIB_XauWriteAuth@
+LIB_bswap16 = @LIB_bswap16@
+LIB_bswap32 = @LIB_bswap32@
+LIB_com_err = @LIB_com_err@
+LIB_com_err_a = @LIB_com_err_a@
+LIB_com_err_so = @LIB_com_err_so@
+LIB_crypt = @LIB_crypt@
+LIB_db_create = @LIB_db_create@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
+LIB_el_init = @LIB_el_init@
+LIB_freeaddrinfo = @LIB_freeaddrinfo@
+LIB_gai_strerror = @LIB_gai_strerror@
+LIB_getaddrinfo = @LIB_getaddrinfo@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_gethostbyname2 = @LIB_gethostbyname2@
+LIB_getnameinfo = @LIB_getnameinfo@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
+LIB_hesiod = @LIB_hesiod@
+LIB_hstrerror = @LIB_hstrerror@
+LIB_kdb = @LIB_kdb@
+LIB_krb4 = @LIB_krb4@
+LIB_loadquery = @LIB_loadquery@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_openldap = @LIB_openldap@
+LIB_openpty = @LIB_openpty@
+LIB_otp = @LIB_otp@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
+LIB_res_nsearch = @LIB_res_nsearch@
+LIB_res_search = @LIB_res_search@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VERSIONING = @VERSIONING@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
+X_CFLAGS = @X_CFLAGS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_LIBS = @X_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dpagaix_cflags = @dpagaix_cflags@
+dpagaix_ldadd = @dpagaix_ldadd@
+dpagaix_ldflags = @dpagaix_ldflags@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	$(INCLUDE_krb4) $(INCLUDE_hcrypto) -I$(srcdir)/../lib/krb5
+@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
+AM_CFLAGS = $(WFLAGS)
+CP = cp
+buildinclude = $(top_builddir)/include
+LIB_getattr = @LIB_getattr@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_setpcred = @LIB_setpcred@
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+NROFF_MAN = groff -mandoc -Tascii
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
+@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+kcm_SOURCES = \
+	acl.c		\
+	acquire.c	\
+	cache.c		\
+	client.c	\
+	config.c	\
+	connect.c	\
+	cursor.c	\
+	events.c	\
+	glue.c		\
+	headers.h	\
+	kcm_locl.h	\
+	kcm_protos.h	\
+	log.c		\
+	main.c		\
+	protocol.c	\
+	renew.c
+
+man_MANS = kcm.8
+LDADD = $(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_krb4) \
+	$(LIB_hcrypto) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken) \
+	$(LIB_door_create) \
+	$(LIB_pidfile)
+
+EXTRA_DIST = $(man_MANS)
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign  --ignore-deps kcm/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign  --ignore-deps kcm/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	test -z "$(libexecdir)" || $(MKDIR_P) "$(DESTDIR)$(libexecdir)"
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  if test -f $$p \
+	     || test -f $$p1 \
+	  ; then \
+	    f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
+	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(libexecdir)/$$f'"; \
+	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(libexecdir)/$$f" || exit 1; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
+	  echo " rm -f '$(DESTDIR)$(libexecdir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(libexecdir)/$$f"; \
+	done
+
+clean-libexecPROGRAMS:
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  echo " rm -f $$p $$f"; \
+	  rm -f $$p $$f ; \
+	done
+kcm$(EXEEXT): $(kcm_OBJECTS) $(kcm_DEPENDENCIES) 
+	@rm -f kcm$(EXEEXT)
+	$(LINK) $(kcm_OBJECTS) $(kcm_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+.c.o:
+	$(COMPILE) -c $<
+
+.c.obj:
+	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+install-man8: $(man8_MANS) $(man_MANS)
+	@$(NORMAL_INSTALL)
+	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
+	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+	for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  case "$$ext" in \
+	    8*) ;; \
+	    *) ext='8' ;; \
+	  esac; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+	  $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
+	done
+uninstall-man8:
+	@$(NORMAL_UNINSTALL)
+	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+	for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  case "$$ext" in \
+	    8*) ;; \
+	    *) ext='8' ;; \
+	  esac; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
+	  rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
+	done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) \
+	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
+	  dist-hook
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
+installdirs:
+	for dir in "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man8dir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-man
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
+
+install-dvi: install-dvi-am
+
+install-exec-am: install-libexecPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man: install-man8
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-libexecPROGRAMS uninstall-man
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+uninstall-man: uninstall-man8
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
+.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
+	clean clean-generic clean-libexecPROGRAMS clean-libtool ctags \
+	dist-hook distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am \
+	install-libexecPROGRAMS install-man install-man8 install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-hook \
+	uninstall-libexecPROGRAMS uninstall-man uninstall-man8
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+
+check-local::
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
+	  foo='$(CHECK_LOCAL)'; else \
+	  foo='$(PROGRAMS)'; fi; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0 || exit 1; \
+	fi
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
+$(srcdir)/kcm_protos.h:
+	cd $(srcdir); perl ../cf/make-proto.pl -o kcm_protos.h -q -P comment $(kcm_SOURCES) || rm -f kcm_protos.h
+
+$(kcm_OBJECTS): $(srcdir)/kcm_protos.h
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/kcm/acl.c b/crypto/heimdal/kcm/acl.c
new file mode 100644
index 0000000..1b96204
--- /dev/null
+++ b/crypto/heimdal/kcm/acl.c
@@ -0,0 +1,180 @@
+/*
+ * Copyright (c) 2005, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kcm_locl.h"
+
+RCSID("$Id: acl.c 20472 2007-04-20 10:43:25Z lha $");
+
+krb5_error_code
+kcm_access(krb5_context context,
+	   kcm_client *client,
+	   kcm_operation opcode,
+	   kcm_ccache ccache)
+{
+    int read_p = 0;
+    int write_p = 0;
+    uint16_t mask;
+    krb5_error_code ret;
+
+    KCM_ASSERT_VALID(ccache);
+
+    switch (opcode) {
+    case KCM_OP_INITIALIZE:
+    case KCM_OP_DESTROY:
+    case KCM_OP_STORE:
+    case KCM_OP_REMOVE_CRED:
+    case KCM_OP_SET_FLAGS:
+    case KCM_OP_CHOWN:
+    case KCM_OP_CHMOD:
+    case KCM_OP_GET_INITIAL_TICKET:
+    case KCM_OP_GET_TICKET:
+	write_p = 1;
+	read_p = 0;
+	break;
+    case KCM_OP_NOOP:
+    case KCM_OP_GET_NAME:
+    case KCM_OP_RESOLVE:
+    case KCM_OP_GEN_NEW:
+    case KCM_OP_RETRIEVE:
+    case KCM_OP_GET_PRINCIPAL:
+    case KCM_OP_GET_FIRST:
+    case KCM_OP_GET_NEXT:
+    case KCM_OP_END_GET:
+    case KCM_OP_MAX:
+	write_p = 0;
+	read_p = 1;
+	break;
+    }
+
+    if (ccache->flags & KCM_FLAGS_OWNER_IS_SYSTEM) {
+	/* System caches cannot be reinitialized or destroyed by users */
+	if (opcode == KCM_OP_INITIALIZE ||
+	    opcode == KCM_OP_DESTROY ||
+	    opcode == KCM_OP_REMOVE_CRED) {
+	    ret = KRB5_FCC_PERM;
+	    goto out;
+	}
+
+	/* Let root always read system caches */
+	if (client->uid == 0) {
+	    ret = 0;
+	    goto out;
+	}
+    }
+
+    mask = 0;
+
+    /* Root may do whatever they like */
+    if (client->uid == ccache->uid || CLIENT_IS_ROOT(client)) {
+	if (read_p)
+	    mask |= S_IRUSR;
+	if (write_p)
+	    mask |= S_IWUSR;
+    } else if (client->gid == ccache->gid || CLIENT_IS_ROOT(client)) {
+	if (read_p)
+	    mask |= S_IRGRP;
+	if (write_p)
+	    mask |= S_IWGRP;
+    } else {
+	if (read_p)
+	    mask |= S_IROTH;
+	if (write_p)
+	    mask |= S_IWOTH;
+    }
+
+    ret = ((ccache->mode & mask) == mask) ? 0 : KRB5_FCC_PERM;
+
+out:
+    if (ret) {
+	kcm_log(2, "Process %d is not permitted to call %s on cache %s",
+		client->pid, kcm_op2string(opcode), ccache->name);
+    }
+
+    return ret;
+}
+
+krb5_error_code
+kcm_chmod(krb5_context context,
+	  kcm_client *client,
+	  kcm_ccache ccache,
+	  uint16_t mode)
+{
+    KCM_ASSERT_VALID(ccache);
+
+    /* System cache mode can only be set at startup */
+    if (ccache->flags & KCM_FLAGS_OWNER_IS_SYSTEM)
+	return KRB5_FCC_PERM;
+
+    if (ccache->uid != client->uid)
+	return KRB5_FCC_PERM;
+
+    if (ccache->gid != client->gid)
+	return KRB5_FCC_PERM;
+
+    HEIMDAL_MUTEX_lock(&ccache->mutex);
+
+    ccache->mode = mode;
+
+    HEIMDAL_MUTEX_unlock(&ccache->mutex);
+
+    return 0;
+}
+
+krb5_error_code
+kcm_chown(krb5_context context,
+	  kcm_client *client,
+	  kcm_ccache ccache,
+	  uid_t uid,
+	  gid_t gid)
+{
+    KCM_ASSERT_VALID(ccache);
+
+    /* System cache owner can only be set at startup */
+    if (ccache->flags & KCM_FLAGS_OWNER_IS_SYSTEM)
+	return KRB5_FCC_PERM;
+
+    if (ccache->uid != client->uid)
+	return KRB5_FCC_PERM;
+
+    if (ccache->gid != client->gid)
+	return KRB5_FCC_PERM;
+
+    HEIMDAL_MUTEX_lock(&ccache->mutex);
+
+    ccache->uid = uid;
+    ccache->gid = gid;
+
+    HEIMDAL_MUTEX_unlock(&ccache->mutex);
+
+    return 0;
+}
+
diff --git a/crypto/heimdal/kcm/acquire.c b/crypto/heimdal/kcm/acquire.c
new file mode 100644
index 0000000..416881a
--- /dev/null
+++ b/crypto/heimdal/kcm/acquire.c
@@ -0,0 +1,531 @@
+/*
+ * Copyright (c) 2005, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kcm_locl.h"
+
+RCSID("$Id: acquire.c 22118 2007-12-03 21:44:00Z lha $");
+
+static krb5_error_code
+change_pw_and_update_keytab(krb5_context context, kcm_ccache ccache);
+
+/*
+ * Get a new ticket using a keytab/cached key and swap it into
+ * an existing redentials cache
+ */
+
+krb5_error_code
+kcm_ccache_acquire(krb5_context context,
+		   kcm_ccache ccache,
+		   krb5_creds **credp)
+{
+    krb5_error_code ret = 0;
+    krb5_creds cred;
+    krb5_const_realm realm;
+    krb5_get_init_creds_opt opt;
+    krb5_ccache_data ccdata;
+    char *in_tkt_service = NULL;
+    int done = 0;
+
+    memset(&cred, 0, sizeof(cred));
+
+    KCM_ASSERT_VALID(ccache);
+
+    /* We need a cached key or keytab to acquire credentials */
+    if (ccache->flags & KCM_FLAGS_USE_CACHED_KEY) {
+	if (ccache->key.keyblock.keyvalue.length == 0)
+	    krb5_abortx(context,
+			"kcm_ccache_acquire: KCM_FLAGS_USE_CACHED_KEY without key");
+    } else if (ccache->flags & KCM_FLAGS_USE_KEYTAB) {
+	if (ccache->key.keytab == NULL)
+	    krb5_abortx(context,
+			"kcm_ccache_acquire: KCM_FLAGS_USE_KEYTAB without keytab");
+    } else {
+	kcm_log(0, "Cannot acquire initial credentials for cache %s without key",
+		ccache->name);
+	return KRB5_FCC_INTERNAL;
+    }
+	
+    HEIMDAL_MUTEX_lock(&ccache->mutex);
+
+    /* Fake up an internal ccache */
+    kcm_internal_ccache(context, ccache, &ccdata);
+
+    /* Now, actually acquire the creds */
+    if (ccache->server != NULL) {
+	ret = krb5_unparse_name(context, ccache->server, &in_tkt_service);
+	if (ret) {
+	    kcm_log(0, "Failed to unparse service principal name for cache %s: %s",
+		    ccache->name, krb5_get_err_text(context, ret));
+	    return ret;
+	}
+    }
+
+    realm = krb5_principal_get_realm(context, ccache->client);
+
+    krb5_get_init_creds_opt_init(&opt);
+    krb5_get_init_creds_opt_set_default_flags(context, "kcm", realm, &opt);
+    if (ccache->tkt_life != 0)
+	krb5_get_init_creds_opt_set_tkt_life(&opt, ccache->tkt_life);
+    if (ccache->renew_life != 0)
+	krb5_get_init_creds_opt_set_renew_life(&opt, ccache->renew_life);
+
+    if (ccache->flags & KCM_FLAGS_USE_CACHED_KEY) {
+	ret = krb5_get_init_creds_keyblock(context,
+					   &cred,
+					   ccache->client,
+					   &ccache->key.keyblock,
+					   0,
+					   in_tkt_service,
+					   &opt);
+    } else {
+	/* loosely based on lib/krb5/init_creds_pw.c */
+	while (!done) {
+	    ret = krb5_get_init_creds_keytab(context,
+					     &cred,
+					     ccache->client,
+					     ccache->key.keytab,
+					     0,
+					     in_tkt_service,
+					     &opt);
+	    switch (ret) {
+	    case KRB5KDC_ERR_KEY_EXPIRED:
+		if (in_tkt_service != NULL &&
+		    strcmp(in_tkt_service, "kadmin/changepw") == 0) {
+		    goto out;
+		}
+
+		ret = change_pw_and_update_keytab(context, ccache);
+		if (ret)
+		    goto out;
+		break;
+	    case 0:
+	    default:
+		done = 1;
+		break;
+	    }
+	}
+    }
+
+    if (ret) {
+	kcm_log(0, "Failed to acquire credentials for cache %s: %s",
+		ccache->name, krb5_get_err_text(context, ret));
+	if (in_tkt_service != NULL)
+	    free(in_tkt_service);
+	goto out;
+    }
+
+    if (in_tkt_service != NULL)
+	free(in_tkt_service);
+
+    /* Swap them in */
+    kcm_ccache_remove_creds_internal(context, ccache);
+
+    ret = kcm_ccache_store_cred_internal(context, ccache, &cred, 0, credp);
+    if (ret) {
+	kcm_log(0, "Failed to store credentials for cache %s: %s",
+		ccache->name, krb5_get_err_text(context, ret));
+	krb5_free_cred_contents(context, &cred);
+	goto out;
+    }
+
+out:
+    HEIMDAL_MUTEX_unlock(&ccache->mutex);
+
+    return ret;
+}
+
+static krb5_error_code
+change_pw(krb5_context context,
+	  kcm_ccache ccache,
+	  char *cpn,
+	  char *newpw)
+{
+    krb5_error_code ret;
+    krb5_creds cpw_cred;
+    int result_code;
+    krb5_data result_code_string;
+    krb5_data result_string;
+    krb5_get_init_creds_opt options;
+
+    memset(&cpw_cred, 0, sizeof(cpw_cred));
+
+    krb5_get_init_creds_opt_init(&options);
+    krb5_get_init_creds_opt_set_tkt_life(&options, 60);
+    krb5_get_init_creds_opt_set_forwardable(&options, FALSE);
+    krb5_get_init_creds_opt_set_proxiable(&options, FALSE);
+
+    krb5_data_zero(&result_code_string);
+    krb5_data_zero(&result_string);
+
+    ret = krb5_get_init_creds_keytab(context,
+				     &cpw_cred,
+				     ccache->client,
+				     ccache->key.keytab,
+				     0,
+				     "kadmin/changepw",
+				     &options);
+    if (ret) {
+	kcm_log(0, "Failed to acquire password change credentials "
+		"for principal %s: %s", 
+		cpn, krb5_get_err_text(context, ret));
+	goto out;
+    }
+
+    ret = krb5_set_password(context,
+			    &cpw_cred,
+			    newpw,
+			    ccache->client,
+			    &result_code,
+			    &result_code_string,
+			    &result_string);
+    if (ret) {
+	kcm_log(0, "Failed to change password for principal %s: %s",
+		cpn, krb5_get_err_text(context, ret));
+	goto out;
+    }
+
+    if (result_code) {
+	kcm_log(0, "Failed to change password for principal %s: %.*s",
+		cpn,
+		(int)result_string.length,
+		result_string.length > 0 ? (char *)result_string.data : "");
+	goto out;
+    }
+
+out:
+    krb5_data_free(&result_string);
+    krb5_data_free(&result_code_string);
+    krb5_free_cred_contents(context, &cpw_cred);
+
+    return ret;
+}
+
+struct kcm_keyseed_data {
+    krb5_salt salt;
+    const char *password;
+};
+
+static krb5_error_code
+kcm_password_key_proc(krb5_context context,
+		      krb5_enctype etype,
+		      krb5_salt salt,
+		      krb5_const_pointer keyseed,
+		      krb5_keyblock **key)
+{
+    krb5_error_code ret;
+    struct kcm_keyseed_data *s = (struct kcm_keyseed_data *)keyseed;
+
+    /* we may be called multiple times */
+    krb5_free_salt(context, s->salt);
+    krb5_data_zero(&s->salt.saltvalue);
+
+    /* stash the salt */
+    s->salt.salttype = salt.salttype;
+
+    ret = krb5_data_copy(&s->salt.saltvalue,
+		         salt.saltvalue.data,
+			 salt.saltvalue.length);
+    if (ret)
+	return ret;
+
+    *key = (krb5_keyblock *)malloc(sizeof(**key));
+    if (*key == NULL) {
+	return ENOMEM;
+    }
+
+    ret = krb5_string_to_key_salt(context, etype, s->password,
+				  s->salt, *key);
+    if (ret) {
+	free(*key);
+	*key = NULL;
+    }
+
+    return ret;
+}
+
+static krb5_error_code
+get_salt_and_kvno(krb5_context context,
+		  kcm_ccache ccache,
+		  krb5_enctype *etypes,
+		  char *cpn,
+		  char *newpw,
+		  krb5_salt *salt,
+		  unsigned *kvno)
+{
+    krb5_error_code ret;
+    krb5_creds creds;
+    krb5_ccache_data ccdata;
+    krb5_flags options = 0;
+    krb5_kdc_rep reply;
+    struct kcm_keyseed_data s;
+
+    memset(&creds, 0, sizeof(creds));
+    memset(&reply, 0, sizeof(reply));
+
+    s.password = NULL;
+    s.salt.salttype = (int)ETYPE_NULL;
+    krb5_data_zero(&s.salt.saltvalue);
+
+    *kvno = 0;
+    kcm_internal_ccache(context, ccache, &ccdata);
+    s.password = newpw;
+
+    /* Do an AS-REQ to determine salt and key version number */
+    ret = krb5_copy_principal(context, ccache->client, &creds.client);
+    if (ret)
+	return ret;
+
+    /* Yes, get a ticket to ourselves */
+    ret = krb5_copy_principal(context, ccache->client, &creds.server);
+    if (ret) {
+	krb5_free_principal(context, creds.client);
+	return ret;
+    }
+	
+    ret = krb5_get_in_tkt(context,
+			  options,
+			  NULL,
+			  etypes,
+			  NULL,
+			  kcm_password_key_proc,
+			  &s,
+			  NULL,
+			  NULL,
+			  &creds,
+			  &ccdata,
+			  &reply);
+    if (ret) {
+	kcm_log(0, "Failed to get self ticket for principal %s: %s",
+		cpn, krb5_get_err_text(context, ret));
+	krb5_free_salt(context, s.salt);
+    } else {
+	*salt = s.salt; /* retrieve stashed salt */
+	if (reply.kdc_rep.enc_part.kvno != NULL)
+	    *kvno = *(reply.kdc_rep.enc_part.kvno);
+    }
+    /* ccache may have been modified but it will get trashed anyway */
+
+    krb5_free_cred_contents(context, &creds);
+    krb5_free_kdc_rep(context, &reply);
+
+    return ret;
+}
+
+static krb5_error_code
+update_keytab_entry(krb5_context context,
+		    kcm_ccache ccache,
+		    krb5_enctype etype,
+		    char *cpn,
+		    char *spn,
+		    char *newpw,
+		    krb5_salt salt,
+		    unsigned kvno)
+{
+    krb5_error_code ret;
+    krb5_keytab_entry entry;
+    krb5_data pw;
+
+    memset(&entry, 0, sizeof(entry));
+
+    pw.data = (char *)newpw;
+    pw.length = strlen(newpw);
+
+    ret = krb5_string_to_key_data_salt(context, etype, pw,
+				       salt, &entry.keyblock);
+    if (ret) {
+	kcm_log(0, "String to key conversion failed for principal %s "
+		"and etype %d: %s",
+		cpn, etype, krb5_get_err_text(context, ret)); 
+	return ret;
+    }
+
+    if (spn == NULL) {
+	ret = krb5_copy_principal(context, ccache->client,
+				  &entry.principal);
+	if (ret) {
+	    kcm_log(0, "Failed to copy principal name %s: %s",
+		    cpn, krb5_get_err_text(context, ret));
+	    return ret;
+	}
+    } else {
+	ret = krb5_parse_name(context, spn, &entry.principal);
+	if (ret) {
+	    kcm_log(0, "Failed to parse SPN alias %s: %s",
+		    spn, krb5_get_err_text(context, ret));
+	    return ret;
+	}
+    }
+
+    entry.vno = kvno;
+    entry.timestamp = time(NULL);
+
+    ret = krb5_kt_add_entry(context, ccache->key.keytab, &entry);
+    if (ret) {
+	kcm_log(0, "Failed to update keytab for principal %s "
+		"and etype %d: %s",
+		cpn, etype, krb5_get_err_text(context, ret));
+    }
+
+    krb5_kt_free_entry(context, &entry);
+
+    return ret; 
+}
+
+static krb5_error_code
+update_keytab_entries(krb5_context context,
+		      kcm_ccache ccache,
+		      krb5_enctype *etypes,
+		      char *cpn,
+		      char *spn,
+		      char *newpw,
+		      krb5_salt salt,
+		      unsigned kvno)
+{
+    krb5_error_code ret = 0;
+    int i;
+
+    for (i = 0; etypes[i] != ETYPE_NULL; i++) {
+	ret = update_keytab_entry(context, ccache, etypes[i],
+				  cpn, spn, newpw, salt, kvno);
+	if (ret)
+	    break;
+    }
+
+    return ret;
+}
+
+static void
+generate_random_pw(krb5_context context,
+		   char *buf,
+		   size_t bufsiz)
+{
+    unsigned char x[512], *p;
+    size_t i;
+
+    memset(x, 0, sizeof(x));
+    krb5_generate_random_block(x, sizeof(x));
+    p = x;
+
+    for (i = 0; i < bufsiz; i++) {
+	while (isprint(*p) == 0)
+	    p++;
+
+	if (p - x >= sizeof(x)) {
+	    krb5_generate_random_block(x, sizeof(x));
+	    p = x;
+	}
+	buf[i] = (char)*p++;
+    }
+    buf[bufsiz - 1] = '\0';
+    memset(x, 0, sizeof(x));
+}
+
+static krb5_error_code
+change_pw_and_update_keytab(krb5_context context,
+			    kcm_ccache ccache)
+{
+    char newpw[121];
+    krb5_error_code ret;
+    unsigned kvno;
+    krb5_salt salt;
+    krb5_enctype *etypes = NULL;
+    int i;
+    char *cpn = NULL;
+    char **spns = NULL;
+
+    krb5_data_zero(&salt.saltvalue);
+
+    ret = krb5_unparse_name(context, ccache->client, &cpn);
+    if (ret) {
+	kcm_log(0, "Failed to unparse name: %s",
+		krb5_get_err_text(context, ret));
+	goto out;
+    }
+
+    ret = krb5_get_default_in_tkt_etypes(context, &etypes);
+    if (ret) {
+	kcm_log(0, "Failed to determine default encryption types: %s",
+		krb5_get_err_text(context, ret));
+	goto out;
+    }
+
+    /* Generate a random password (there is no set keys protocol) */
+    generate_random_pw(context, newpw, sizeof(newpw));
+
+    /* Change it */
+    ret = change_pw(context, ccache, cpn, newpw);
+    if (ret)
+	goto out;
+
+    /* Do an AS-REQ to determine salt and key version number */
+    ret = get_salt_and_kvno(context, ccache, etypes, cpn, newpw,
+			    &salt, &kvno);
+    if (ret) {
+	kcm_log(0, "Failed to determine salting principal for principal %s: %s",
+		cpn, krb5_get_err_text(context, ret));
+	goto out;
+    }
+
+    /* Add canonical name */
+    ret = update_keytab_entries(context, ccache, etypes, cpn,
+				NULL, newpw, salt, kvno);
+    if (ret)
+	goto out;
+
+    /* Add SPN aliases, if any */
+    spns = krb5_config_get_strings(context, NULL, "kcm",
+				   "system_ccache", "spn_aliases", NULL);
+    if (spns != NULL) {
+	for (i = 0; spns[i] != NULL; i++) {
+	    ret = update_keytab_entries(context, ccache, etypes, cpn,
+					spns[i], newpw, salt, kvno);
+	    if (ret)
+		goto out;
+	}
+    }
+
+    kcm_log(0, "Changed expired password for principal %s in cache %s",
+	    cpn, ccache->name);
+
+out:
+    if (cpn != NULL)
+	free(cpn);
+    if (spns != NULL)
+	krb5_config_free_strings(spns);
+    if (etypes != NULL)
+	free(etypes);
+    krb5_free_salt(context, salt);
+    memset(newpw, 0, sizeof(newpw));
+
+    return ret;
+}
+
diff --git a/crypto/heimdal/kcm/cache.c b/crypto/heimdal/kcm/cache.c
new file mode 100644
index 0000000..aeb30cc
--- /dev/null
+++ b/crypto/heimdal/kcm/cache.c
@@ -0,0 +1,636 @@
+/*
+ * Copyright (c) 2005, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kcm_locl.h"
+
+RCSID("$Id: cache.c 14566 2005-02-06 01:22:49Z lukeh $");
+
+static HEIMDAL_MUTEX ccache_mutex = HEIMDAL_MUTEX_INITIALIZER;
+static kcm_ccache_data *ccache_head = NULL;
+static unsigned int ccache_nextid = 0; 
+
+char *kcm_ccache_nextid(pid_t pid, uid_t uid, gid_t gid)
+{
+    unsigned n;
+    char *name;
+
+    HEIMDAL_MUTEX_lock(&ccache_mutex);
+    n = ++ccache_nextid;
+    HEIMDAL_MUTEX_unlock(&ccache_mutex);
+
+    asprintf(&name, "%d:%u", uid, n);
+
+    return name;
+}
+
+static krb5_error_code
+kcm_ccache_resolve_internal(krb5_context context,
+			    const char *name,
+			    kcm_ccache *ccache)
+{
+    kcm_ccache p;
+    krb5_error_code ret;
+
+    *ccache = NULL;
+
+    ret = KRB5_FCC_NOFILE;
+
+    HEIMDAL_MUTEX_lock(&ccache_mutex);
+
+    for (p = ccache_head; p != NULL; p = p->next) {
+	if ((p->flags & KCM_FLAGS_VALID) == 0)
+	    continue;
+	if (strcmp(p->name, name) == 0) {
+	    ret = 0;
+	    break;
+	}
+    }
+
+    if (ret == 0) {
+	kcm_retain_ccache(context, p);
+	*ccache = p;
+    }
+
+    HEIMDAL_MUTEX_unlock(&ccache_mutex);
+
+    return ret;
+}
+
+krb5_error_code kcm_debug_ccache(krb5_context context)
+{
+    kcm_ccache p;
+
+    for (p = ccache_head; p != NULL; p = p->next) {
+	char *cpn = NULL, *spn = NULL;
+	int ncreds = 0;
+	struct kcm_creds *k;
+
+	if ((p->flags & KCM_FLAGS_VALID) == 0) {
+	    kcm_log(7, "cache %08x: empty slot");
+	    continue;
+	}
+
+	KCM_ASSERT_VALID(p);
+
+	for (k = p->creds; k != NULL; k = k->next)
+	    ncreds++;
+
+	if (p->client != NULL)
+	    krb5_unparse_name(context, p->client, &cpn);
+	if (p->server != NULL)
+	    krb5_unparse_name(context, p->server, &spn);
+	
+	kcm_log(7, "cache %08x: name %s refcnt %d flags %04x mode %04o "
+		"uid %d gid %d client %s server %s ncreds %d",
+		p, p->name, p->refcnt, p->flags, p->mode, p->uid, p->gid,
+		(cpn == NULL) ? "<none>" : cpn,
+		(spn == NULL) ? "<none>" : spn,
+		ncreds);
+
+	if (cpn != NULL)
+	    free(cpn);
+	if (spn != NULL)
+	    free(spn);
+    }
+
+    return 0;
+}
+
+static krb5_error_code
+kcm_ccache_destroy_internal(krb5_context context, const char *name)
+{
+    kcm_ccache *p;
+    krb5_error_code ret;
+
+    ret = KRB5_FCC_NOFILE;
+
+    HEIMDAL_MUTEX_lock(&ccache_mutex);
+    for (p = &ccache_head; *p != NULL; p = &(*p)->next) {
+	if (((*p)->flags & KCM_FLAGS_VALID) == 0)
+	    continue;
+	if (strcmp((*p)->name, name) == 0) {
+	    ret = 0;
+	    break;
+	}
+    }
+
+    if (ret)
+	goto out;
+
+    kcm_release_ccache(context, p);
+
+out:
+    HEIMDAL_MUTEX_unlock(&ccache_mutex);
+
+    return ret;
+}
+
+static krb5_error_code
+kcm_ccache_alloc(krb5_context context,
+		 const char *name,
+		 kcm_ccache *ccache)
+{
+    kcm_ccache slot = NULL, p;
+    krb5_error_code ret;
+    int new_slot = 0;
+
+    *ccache = NULL;
+
+    /* First, check for duplicates */
+    HEIMDAL_MUTEX_lock(&ccache_mutex);
+    ret = 0;
+    for (p = ccache_head; p != NULL; p = p->next) {
+	if (p->flags & KCM_FLAGS_VALID) {
+	    if (strcmp(p->name, name) == 0) {
+		ret = KRB5_CC_WRITE;
+		break;
+	    }
+	} else if (slot == NULL)
+	    slot = p;
+    }
+
+    if (ret)
+	goto out;
+
+    /*
+     * Then try and find an empty slot
+     * XXX we need to recycle slots for this to actually do anything
+     */
+    if (slot == NULL) {
+	for (; p != NULL; p = p->next) {
+	    if ((p->flags & KCM_FLAGS_VALID) == 0) {
+		slot = p;
+		break;
+	    }
+	}
+
+	if (slot == NULL) {
+	    slot = (kcm_ccache_data *)malloc(sizeof(*slot));
+	    if (slot == NULL) {
+		ret = KRB5_CC_NOMEM;
+		goto out;
+	    }
+	    slot->next = ccache_head;
+	    HEIMDAL_MUTEX_init(&slot->mutex);
+	    new_slot = 1;
+	}
+    }
+
+    slot->name = strdup(name);
+    if (slot->name == NULL) {
+	ret = KRB5_CC_NOMEM;
+	goto out;
+    }
+
+    slot->refcnt = 1;
+    slot->flags = KCM_FLAGS_VALID;
+    slot->mode = S_IRUSR | S_IWUSR;
+    slot->uid = -1;
+    slot->gid = -1;
+    slot->client = NULL;
+    slot->server = NULL;
+    slot->creds = NULL;
+    slot->n_cursor = 0;
+    slot->cursors = NULL;
+    slot->key.keytab = NULL;
+    slot->tkt_life = 0;
+    slot->renew_life = 0;
+
+    if (new_slot)
+	ccache_head = slot;
+
+    *ccache = slot;
+
+    HEIMDAL_MUTEX_unlock(&ccache_mutex);
+    return 0;
+
+out:
+    HEIMDAL_MUTEX_unlock(&ccache_mutex);
+    if (new_slot && slot != NULL) {
+	HEIMDAL_MUTEX_destroy(&slot->mutex);
+	free(slot);
+    }
+    return ret;
+}
+
+krb5_error_code
+kcm_ccache_remove_creds_internal(krb5_context context,
+				 kcm_ccache ccache)
+{
+    struct kcm_creds *k;
+    struct kcm_cursor *c;
+
+    k = ccache->creds;
+    while (k != NULL) {
+	struct kcm_creds *old;
+
+	krb5_free_cred_contents(context, &k->cred);
+	old = k;
+	k = k->next;
+	free(old);
+    }
+    ccache->creds = NULL;
+
+    /* remove anything that would have pointed into the creds too */
+
+    ccache->n_cursor = 0;
+
+    c = ccache->cursors;
+    while (c != NULL) {
+	struct kcm_cursor *old;
+
+	old = c;
+	c = c->next;
+	free(old);
+    }
+    ccache->cursors = NULL;
+
+    return 0;
+}
+
+krb5_error_code
+kcm_ccache_remove_creds(krb5_context context,
+			kcm_ccache ccache)
+{
+    krb5_error_code ret;
+
+    KCM_ASSERT_VALID(ccache);
+
+    HEIMDAL_MUTEX_lock(&ccache->mutex);
+    ret = kcm_ccache_remove_creds_internal(context, ccache);
+    HEIMDAL_MUTEX_unlock(&ccache->mutex);
+
+    return ret;
+}
+
+krb5_error_code
+kcm_zero_ccache_data_internal(krb5_context context,
+			      kcm_ccache_data *cache)
+{
+    if (cache->client != NULL) {
+	krb5_free_principal(context, cache->client);
+	cache->client = NULL;
+    }
+
+    if (cache->server != NULL) {
+	krb5_free_principal(context, cache->server);
+	cache->server = NULL;
+    }
+
+    kcm_ccache_remove_creds_internal(context, cache);
+
+    return 0;
+}
+
+krb5_error_code
+kcm_zero_ccache_data(krb5_context context,
+		     kcm_ccache cache)
+{
+    krb5_error_code ret;
+
+    KCM_ASSERT_VALID(cache);
+
+    HEIMDAL_MUTEX_lock(&cache->mutex);
+    ret = kcm_zero_ccache_data_internal(context, cache);
+    HEIMDAL_MUTEX_unlock(&cache->mutex);
+
+    return ret;
+}
+
+static krb5_error_code
+kcm_free_ccache_data_internal(krb5_context context,
+			      kcm_ccache_data *cache)
+{
+    KCM_ASSERT_VALID(cache);
+
+    if (cache->name != NULL) {
+	free(cache->name);
+	cache->name = NULL;
+    }
+
+    if (cache->flags & KCM_FLAGS_USE_KEYTAB) {
+	krb5_kt_close(context, cache->key.keytab);
+	cache->key.keytab = NULL;
+    } else if (cache->flags & KCM_FLAGS_USE_CACHED_KEY) {
+	krb5_free_keyblock_contents(context, &cache->key.keyblock);
+	krb5_keyblock_zero(&cache->key.keyblock);
+    }
+
+    cache->flags = 0;
+    cache->mode = 0;
+    cache->uid = -1;
+    cache->gid = -1;
+
+    kcm_zero_ccache_data_internal(context, cache);
+
+    cache->tkt_life = 0;
+    cache->renew_life = 0;
+
+    cache->next = NULL;
+    cache->refcnt = 0;
+
+    HEIMDAL_MUTEX_unlock(&cache->mutex);
+    HEIMDAL_MUTEX_destroy(&cache->mutex);
+
+    return 0;
+}
+
+krb5_error_code
+kcm_retain_ccache(krb5_context context,
+		  kcm_ccache ccache)
+{
+    KCM_ASSERT_VALID(ccache);
+
+    HEIMDAL_MUTEX_lock(&ccache->mutex);
+    ccache->refcnt++;
+    HEIMDAL_MUTEX_unlock(&ccache->mutex);
+
+    return 0;
+}
+
+krb5_error_code
+kcm_release_ccache(krb5_context context,
+		   kcm_ccache *ccache)
+{
+    kcm_ccache c = *ccache;
+    krb5_error_code ret = 0;
+
+    KCM_ASSERT_VALID(c);
+
+    HEIMDAL_MUTEX_lock(&c->mutex);
+    if (c->refcnt == 1) {
+	ret = kcm_free_ccache_data_internal(context, c);
+	if (ret == 0)
+	    free(c);
+    } else {
+	c->refcnt--;
+	HEIMDAL_MUTEX_unlock(&c->mutex);
+    }
+
+    *ccache = NULL;
+
+    return ret;
+}
+
+krb5_error_code
+kcm_ccache_gen_new(krb5_context context,
+		   pid_t pid,
+		   uid_t uid,
+		   gid_t gid,
+		   kcm_ccache *ccache)
+{
+    krb5_error_code ret;
+    char *name;
+
+    name = kcm_ccache_nextid(pid, uid, gid);
+    if (name == NULL) {
+	return KRB5_CC_NOMEM;
+    }
+
+    ret = kcm_ccache_new(context, name, ccache);
+
+    free(name);
+    return ret;
+}
+
+krb5_error_code
+kcm_ccache_new(krb5_context context,
+	       const char *name,
+	       kcm_ccache *ccache)
+{
+    krb5_error_code ret;
+
+    ret = kcm_ccache_alloc(context, name, ccache);
+    if (ret == 0) {
+	/*
+	 * one reference is held by the linked list,
+	 * one by the caller
+	 */
+	kcm_retain_ccache(context, *ccache);
+    }
+
+    return ret;
+}
+
+krb5_error_code
+kcm_ccache_resolve(krb5_context context,
+		   const char *name,
+		   kcm_ccache *ccache)
+{
+    krb5_error_code ret;
+
+    ret = kcm_ccache_resolve_internal(context, name, ccache);
+
+    return ret;
+}
+
+krb5_error_code
+kcm_ccache_destroy(krb5_context context,
+		   const char *name)
+{
+    krb5_error_code ret;
+
+    ret = kcm_ccache_destroy_internal(context, name);
+
+    return ret;
+}
+
+krb5_error_code
+kcm_ccache_destroy_if_empty(krb5_context context,
+			    kcm_ccache ccache)
+{
+    krb5_error_code ret;
+
+    KCM_ASSERT_VALID(ccache);
+    
+    if (ccache->creds == NULL) {
+	ret = kcm_ccache_destroy_internal(context, ccache->name);
+    } else
+	ret = 0;
+
+    return ret;
+}
+
+krb5_error_code
+kcm_ccache_store_cred(krb5_context context,
+		      kcm_ccache ccache,
+		      krb5_creds *creds,
+		      int copy)
+{
+    krb5_error_code ret;
+    krb5_creds *tmp;
+
+    KCM_ASSERT_VALID(ccache);
+    
+    HEIMDAL_MUTEX_lock(&ccache->mutex);
+    ret = kcm_ccache_store_cred_internal(context, ccache, creds, copy, &tmp);
+    HEIMDAL_MUTEX_unlock(&ccache->mutex);
+
+    return ret;
+}
+
+krb5_error_code
+kcm_ccache_store_cred_internal(krb5_context context,
+			       kcm_ccache ccache,
+			       krb5_creds *creds,
+			       int copy,
+			       krb5_creds **credp)
+{
+    struct kcm_creds **c;
+    krb5_error_code ret;
+
+    for (c = &ccache->creds; *c != NULL; c = &(*c)->next)
+	;
+
+    *c = (struct kcm_creds *)malloc(sizeof(struct kcm_creds));
+    if (*c == NULL) {
+	return KRB5_CC_NOMEM;
+    }
+
+    *credp = &(*c)->cred;
+
+    if (copy) {
+	ret = krb5_copy_creds_contents(context, creds, *credp);
+	if (ret) {
+	    free(*c);
+	    *c = NULL;
+	}
+    } else {
+	**credp = *creds;
+	ret = 0;
+    }
+
+    (*c)->next = NULL;
+
+    return ret;
+}
+
+static void
+remove_cred(krb5_context context,
+	    struct kcm_creds **c)
+{
+    struct kcm_creds *cred;
+
+    cred = *c;
+
+    *c = cred->next;
+
+    krb5_free_cred_contents(context, &cred->cred);
+    free(cred);
+}
+
+krb5_error_code
+kcm_ccache_remove_cred_internal(krb5_context context,
+				kcm_ccache ccache,
+				krb5_flags whichfields,
+				const krb5_creds *mcreds)
+{
+    krb5_error_code ret;
+    struct kcm_creds **c;
+
+    ret = KRB5_CC_NOTFOUND;
+
+    for (c = &ccache->creds; *c != NULL; c = &(*c)->next) {
+	if (krb5_compare_creds(context, whichfields, mcreds, &(*c)->cred)) {
+	    remove_cred(context, c);
+	    ret = 0;
+	}
+    }
+
+    return ret;
+}
+
+krb5_error_code
+kcm_ccache_remove_cred(krb5_context context,
+		       kcm_ccache ccache,
+		       krb5_flags whichfields,
+		       const krb5_creds *mcreds)
+{
+    krb5_error_code ret;
+
+    KCM_ASSERT_VALID(ccache);
+
+    HEIMDAL_MUTEX_lock(&ccache->mutex);
+    ret = kcm_ccache_remove_cred_internal(context, ccache, whichfields, mcreds);
+    HEIMDAL_MUTEX_unlock(&ccache->mutex);
+
+    return ret;
+}
+
+krb5_error_code
+kcm_ccache_retrieve_cred_internal(krb5_context context,
+			 	  kcm_ccache ccache,
+			 	  krb5_flags whichfields,
+			 	  const krb5_creds *mcreds,
+			 	  krb5_creds **creds)
+{
+    krb5_boolean match;
+    struct kcm_creds *c;
+    krb5_error_code ret;
+
+    memset(creds, 0, sizeof(*creds));
+
+    ret = KRB5_CC_END;
+
+    match = FALSE;
+    for (c = ccache->creds; c != NULL; c = c->next) {
+	match = krb5_compare_creds(context, whichfields, mcreds, &c->cred);
+	if (match)
+	    break;
+    }
+
+    if (match) {
+	ret = 0;
+	*creds = &c->cred;
+    }
+
+    return ret;
+}
+
+krb5_error_code
+kcm_ccache_retrieve_cred(krb5_context context,
+			 kcm_ccache ccache,
+			 krb5_flags whichfields,
+			 const krb5_creds *mcreds,
+			 krb5_creds **credp)
+{
+    krb5_error_code ret;
+
+    KCM_ASSERT_VALID(ccache);
+    
+    HEIMDAL_MUTEX_lock(&ccache->mutex);
+    ret = kcm_ccache_retrieve_cred_internal(context, ccache,
+					    whichfields, mcreds, credp);
+    HEIMDAL_MUTEX_unlock(&ccache->mutex);
+
+    return ret;
+}
diff --git a/crypto/heimdal/kcm/client.c b/crypto/heimdal/kcm/client.c
new file mode 100644
index 0000000..f075894
--- /dev/null
+++ b/crypto/heimdal/kcm/client.c
@@ -0,0 +1,185 @@
+/*
+ * Copyright (c) 2005, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kcm_locl.h"
+#include <pwd.h>
+
+RCSID("$Id: client.c 20487 2007-04-21 06:25:06Z lha $");
+
+krb5_error_code
+kcm_ccache_resolve_client(krb5_context context,
+			  kcm_client *client,
+			  kcm_operation opcode,
+			  const char *name,
+			  kcm_ccache *ccache)
+{
+    krb5_error_code ret;
+
+    ret = kcm_ccache_resolve(context, name, ccache);
+    if (ret) {
+	kcm_log(1, "Failed to resolve cache %s: %s",
+		name, krb5_get_err_text(context, ret));
+	return ret;
+    }
+
+    ret = kcm_access(context, client, opcode, *ccache);
+    if (ret) {
+	ret = KRB5_FCC_NOFILE; /* don't disclose */
+	kcm_release_ccache(context, ccache);
+    }
+
+    return ret;
+}
+
+krb5_error_code
+kcm_ccache_destroy_client(krb5_context context,
+			  kcm_client *client,
+			  const char *name)
+{
+    krb5_error_code ret;
+    kcm_ccache ccache;
+
+    ret = kcm_ccache_resolve(context, name, &ccache);
+    if (ret) {
+	kcm_log(1, "Failed to resolve cache %s: %s",
+		name, krb5_get_err_text(context, ret));
+	return ret;
+    }
+
+    ret = kcm_access(context, client, KCM_OP_DESTROY, ccache);
+    if (ret) {
+	kcm_release_ccache(context, &ccache);
+	return ret;
+    }
+
+    ret = kcm_ccache_destroy(context, ccache->name);
+    if (ret == 0) {
+	/* don't leave any events dangling */
+	kcm_cleanup_events(context, ccache);
+    }
+
+    kcm_release_ccache(context, &ccache);
+    return ret;
+}
+
+krb5_error_code
+kcm_ccache_new_client(krb5_context context,
+		      kcm_client *client,
+		      const char *name,
+		      kcm_ccache *ccache_p)
+{
+    krb5_error_code ret;
+    kcm_ccache ccache;
+
+    /* We insist the ccache name starts with UID or UID: */
+    if (name_constraints != 0) {
+	char prefix[64];
+	size_t prefix_len;
+	int bad = 1;
+
+	snprintf(prefix, sizeof(prefix), "%ld:", (long)client->uid);
+	prefix_len = strlen(prefix);
+
+	if (strncmp(name, prefix, prefix_len) == 0)
+	    bad = 0;
+	else {
+	    prefix[prefix_len - 1] = '\0';
+	    if (strcmp(name, prefix) == 0)
+		bad = 0;
+	}
+
+	/* Allow root to create badly-named ccaches */
+	if (bad && !CLIENT_IS_ROOT(client))
+	    return KRB5_CC_BADNAME;
+    }
+	
+    ret = kcm_ccache_resolve(context, name, &ccache);
+    if (ret == 0) {
+	if ((ccache->uid != client->uid ||
+	     ccache->gid != client->gid) && !CLIENT_IS_ROOT(client))
+	    return KRB5_FCC_PERM;
+    } else if (ret != KRB5_FCC_NOFILE && !(CLIENT_IS_ROOT(client) && ret == KRB5_FCC_PERM)) {
+		return ret;
+    }
+
+    if (ret == KRB5_FCC_NOFILE) {
+	ret = kcm_ccache_new(context, name, &ccache);
+	if (ret) {
+	    kcm_log(1, "Failed to initialize cache %s: %s",
+		    name, krb5_get_err_text(context, ret));
+	    return ret;
+	}
+
+	/* bind to current client */
+	ccache->uid = client->uid;
+	ccache->gid = client->gid;
+    } else {
+	ret = kcm_zero_ccache_data(context, ccache);
+	if (ret) {
+	    kcm_log(1, "Failed to empty cache %s: %s",
+		    name, krb5_get_err_text(context, ret));
+	    kcm_release_ccache(context, &ccache);
+	    return ret;
+	}
+	kcm_cleanup_events(context, ccache);
+    }
+
+    ret = kcm_access(context, client, KCM_OP_INITIALIZE, ccache);
+    if (ret) {
+	kcm_release_ccache(context, &ccache);
+	kcm_ccache_destroy(context, name);
+	return ret;
+    }
+
+    /* 
+     * Finally, if the user is root and the cache was created under
+     * another user's name, chown the cache to that user and their
+     * default gid.
+     */
+    if (CLIENT_IS_ROOT(client)) {
+	unsigned long uid;
+	int matches = sscanf(name,"%ld:",&uid);
+	if (matches == 0)
+	    matches = sscanf(name,"%ld",&uid);
+	if (matches == 1) {
+	    struct passwd *pwd = getpwuid(uid);
+	    if (pwd != NULL) {
+		gid_t gid = pwd->pw_gid;
+		kcm_chown(context, client, ccache, uid, gid);
+	    }
+	}
+    }
+    
+    *ccache_p = ccache;
+    return 0;
+}
+
diff --git a/crypto/heimdal/kcm/config.c b/crypto/heimdal/kcm/config.c
new file mode 100644
index 0000000..5de797e
--- /dev/null
+++ b/crypto/heimdal/kcm/config.c
@@ -0,0 +1,390 @@
+/*
+ * Copyright (c) 2005, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kcm_locl.h"
+#include <getarg.h>
+#include <parse_bytes.h>
+
+RCSID("$Id: config.c 15296 2005-05-30 10:17:43Z lha $");
+
+static const char *config_file;	/* location of kcm config file */
+
+size_t max_request = 0;		/* maximal size of a request */
+char *socket_path = NULL;
+char *door_path = NULL;
+
+static char *max_request_str;	/* `max_request' as a string */
+
+int detach_from_console = -1;
+#define DETACH_IS_DEFAULT FALSE
+
+static const char *system_cache_name = NULL;
+static const char *system_keytab = NULL;
+static const char *system_principal = NULL;
+static const char *system_server = NULL;
+static const char *system_perms = NULL;
+static const char *system_user = NULL;
+static const char *system_group = NULL;
+
+static const char *renew_life = NULL;
+static const char *ticket_life = NULL;
+
+int disallow_getting_krbtgt = -1;
+int name_constraints = -1;
+
+static int help_flag;
+static int version_flag;
+
+static struct getargs args[] = {
+    { 
+	"cache-name",	0,	arg_string,	&system_cache_name, 
+	"system cache name", "cachename" 
+    },
+    { 
+	"config-file",	'c',	arg_string,	&config_file, 
+	"location of config file",	"file" 
+    },
+    { 
+	"group",	'g',	arg_string,	&system_group, 
+	"system cache group",	"group" 
+    },
+    { 
+	"max-request",	0,	arg_string, &max_request, 
+	"max size for a kcm-request", "size"
+    },
+#if DETACH_IS_DEFAULT
+    {
+	"detach",       'D',      arg_negative_flag, &detach_from_console, 
+	"don't detach from console"
+    },
+#else
+    {
+	"detach",       0 ,      arg_flag, &detach_from_console, 
+	"detach from console"
+    },
+#endif
+    {	"help",		'h',	arg_flag,   &help_flag },
+    { 
+	"system-principal",	'k',	arg_string,	&system_principal, 
+	"system principal name",	"principal" 
+    },
+    {
+	"lifetime",	'l', arg_string, &ticket_life,
+	"lifetime of system tickets", "time"
+    },
+    {
+	"mode",		'm', arg_string, &system_perms,
+	"octal mode of system cache", "mode"
+    },
+    {
+	"name-constraints",	'n', arg_negative_flag, &name_constraints,
+	"disable credentials cache name constraints"
+    },
+    {
+	"disallow-getting-krbtgt", 0, arg_flag, &disallow_getting_krbtgt,
+	"disable fetching krbtgt from the cache"
+    },
+    {
+	"renewable-life",	'r', arg_string, &renew_life,
+    	"renewable lifetime of system tickets", "time"
+    },
+    {
+	"socket-path",		's', arg_string, &socket_path,
+    	"path to kcm domain socket", "path"
+    },
+#ifdef HAVE_DOOR_CREATE
+    {
+	"door-path",		's', arg_string, &door_path,
+    	"path to kcm door", "path"
+    },
+#endif
+    {
+	"server",		'S', arg_string, &system_server,
+    	"server to get system ticket for", "principal"
+    },
+    { 
+	"keytab",	't',	arg_string,	&system_keytab, 
+	"system keytab name",	"keytab" 
+    },
+    { 
+	"user",		'u',	arg_string,	&system_user, 
+	"system cache owner",	"user" 
+    },
+    {	"version",	'v',	arg_flag,   &version_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int ret)
+{
+    arg_printusage (args, num_args, NULL, "");
+    exit (ret);
+}
+
+static int parse_owners(kcm_ccache ccache)
+{
+    uid_t uid = 0;
+    gid_t gid = 0;
+    struct passwd *pw;
+    struct group *gr;
+    int uid_p = 0;
+    int gid_p = 0;
+
+    if (system_user != NULL) {
+	if (isdigit((unsigned char)system_user[0])) {
+	    pw = getpwuid(atoi(system_user));
+	} else {
+	    pw = getpwnam(system_user);
+	}
+	if (pw == NULL) {
+	    return errno;
+	}
+
+	system_user = strdup(pw->pw_name);
+	if (system_user == NULL) {
+	    return ENOMEM;
+	}
+
+	uid = pw->pw_uid; uid_p = 1;
+	gid = pw->pw_gid; gid_p = 1;
+    }
+
+    if (system_group != NULL) {
+	if (isdigit((unsigned char)system_group[0])) {
+	    gr = getgrgid(atoi(system_group));
+	} else {
+	    gr = getgrnam(system_group);
+	}
+	if (gr == NULL) {
+	    return errno;
+	}
+
+	gid = gr->gr_gid; gid_p = 1;
+    }
+
+    if (uid_p)
+	ccache->uid = uid;
+    else
+	ccache->uid = 0; /* geteuid() XXX */
+
+    if (gid_p)
+	ccache->gid = gid;
+    else
+	ccache->gid = 0; /* getegid() XXX */
+
+    return 0;
+}
+
+static const char *
+kcm_system_config_get_string(const char *string)
+{
+    return krb5_config_get_string(kcm_context, NULL, "kcm",
+				  "system_ccache", string, NULL);
+}
+
+static krb5_error_code
+ccache_init_system(void)
+{
+    kcm_ccache ccache;
+    krb5_error_code ret;
+
+    if (system_cache_name == NULL)
+	system_cache_name = kcm_system_config_get_string("cc_name");
+
+    ret = kcm_ccache_new(kcm_context,
+			 system_cache_name ? system_cache_name : "SYSTEM",
+			 &ccache);
+    if (ret)
+	return ret;
+
+    ccache->flags |= KCM_FLAGS_OWNER_IS_SYSTEM;
+    ccache->flags |= KCM_FLAGS_USE_KEYTAB;
+
+    ret = parse_owners(ccache);
+    if (ret)
+	return ret;
+
+    ret = krb5_parse_name(kcm_context, system_principal, &ccache->client);
+    if (ret) {
+	kcm_release_ccache(kcm_context, &ccache);
+	return ret;
+    }
+
+    if (system_server == NULL)
+	system_server = kcm_system_config_get_string("server");
+
+    if (system_server != NULL) {
+	ret = krb5_parse_name(kcm_context, system_server, &ccache->server);
+	if (ret) {
+	    kcm_release_ccache(kcm_context, &ccache);
+	    return ret;
+	}
+    }
+
+    if (system_keytab == NULL)
+	system_keytab = kcm_system_config_get_string("keytab_name");
+
+    if (system_keytab != NULL) {
+	ret = krb5_kt_resolve(kcm_context, system_keytab, &ccache->key.keytab);
+    } else {
+	ret = krb5_kt_default(kcm_context, &ccache->key.keytab);
+    }
+    if (ret) {
+	kcm_release_ccache(kcm_context, &ccache);
+	return ret;
+    }
+
+    if (renew_life == NULL)
+	renew_life = kcm_system_config_get_string("renew_life");
+
+    if (renew_life == NULL)
+	renew_life = "1 month";
+
+    if (renew_life != NULL) {
+	ccache->renew_life = parse_time(renew_life, "s");
+	if (ccache->renew_life < 0) {
+	    kcm_release_ccache(kcm_context, &ccache);
+	    return EINVAL;
+	}
+    }
+
+    if (ticket_life == NULL)
+	ticket_life = kcm_system_config_get_string("ticket_life");
+
+    if (ticket_life != NULL) {
+	ccache->tkt_life = parse_time(ticket_life, "s");
+	if (ccache->tkt_life < 0) {
+	    kcm_release_ccache(kcm_context, &ccache);
+	    return EINVAL;
+	}
+    }
+
+    if (system_perms == NULL)
+	system_perms = kcm_system_config_get_string("mode");
+
+    if (system_perms != NULL) {
+	int mode;
+
+	if (sscanf(system_perms, "%o", &mode) != 1)
+	    return EINVAL;
+
+	ccache->mode = mode;
+    }
+
+    if (disallow_getting_krbtgt == -1) {
+	disallow_getting_krbtgt =
+	    krb5_config_get_bool_default(kcm_context, NULL, FALSE, "kcm",
+					 "disallow-getting-krbtgt", NULL);
+    }
+
+    /* enqueue default actions for credentials cache */
+    ret = kcm_ccache_enqueue_default(kcm_context, ccache, NULL);
+
+    kcm_release_ccache(kcm_context, &ccache); /* retained by event queue */
+
+    return ret;
+}
+
+void
+kcm_configure(int argc, char **argv)
+{
+    krb5_error_code ret;
+    int optind = 0;
+    const char *p;
+    
+    while(getarg(args, num_args, argc, argv, &optind))
+	warnx("error at argument `%s'", argv[optind]);
+
+    if(help_flag)
+	usage (0);
+
+    if (version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 0)
+	usage(1);
+    
+    {
+	char **files;
+
+	if(config_file == NULL)
+	    config_file = _PATH_KCM_CONF;
+
+	ret = krb5_prepend_config_files_default(config_file, &files);
+	if (ret)
+	    krb5_err(kcm_context, 1, ret, "getting configuration files");
+	    
+	ret = krb5_set_config_files(kcm_context, files);
+	krb5_free_config_files(files);
+	if(ret) 
+	    krb5_err(kcm_context, 1, ret, "reading configuration files");
+    }
+
+    if(max_request_str)
+	max_request = parse_bytes(max_request_str, NULL);
+
+    if(max_request == 0){
+	p = krb5_config_get_string (kcm_context,
+				    NULL,
+				    "kcm",
+				    "max-request",
+				    NULL);
+	if(p)
+	    max_request = parse_bytes(p, NULL);
+    }
+
+    if (system_principal == NULL) {
+	system_principal = kcm_system_config_get_string("principal");
+    }
+
+    if (system_principal != NULL) {
+	ret = ccache_init_system();
+	if (ret)
+	    krb5_err(kcm_context, 1, ret, "initializing system ccache");
+    }
+
+    if(detach_from_console == -1) 
+	detach_from_console = krb5_config_get_bool_default(kcm_context, NULL,
+							   DETACH_IS_DEFAULT,
+							   "kcm",
+							   "detach", NULL);
+    kcm_openlog();
+    if(max_request == 0)
+	max_request = 64 * 1024;
+}
+
diff --git a/crypto/heimdal/kcm/connect.c b/crypto/heimdal/kcm/connect.c
new file mode 100644
index 0000000..b3a21aa
--- /dev/null
+++ b/crypto/heimdal/kcm/connect.c
@@ -0,0 +1,688 @@
+/*
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kcm_locl.h"
+
+RCSID("$Id: connect.c 16314 2005-11-29 19:03:50Z lha $");
+
+struct descr {
+    int s;
+    int type;
+    char *path;
+    unsigned char *buf;
+    size_t size;
+    size_t len;
+    time_t timeout;
+    struct sockaddr_storage __ss;
+    struct sockaddr *sa;
+    socklen_t sock_len;
+    kcm_client peercred;
+};
+
+static void
+init_descr(struct descr *d)
+{
+    memset(d, 0, sizeof(*d));
+    d->sa = (struct sockaddr *)&d->__ss;
+    d->s = -1;
+}
+
+/*
+ * re-initialize all `n' ->sa in `d'.
+ */
+
+static void
+reinit_descrs (struct descr *d, int n)
+{
+    int i;
+
+    for (i = 0; i < n; ++i)
+	d[i].sa = (struct sockaddr *)&d[i].__ss;
+}
+
+/*
+ * Update peer credentials from socket.
+ *
+ * SCM_CREDS can only be updated the first time there is read data to
+ * read from the filedescriptor, so if we read do it before this
+ * point, the cred data might not be is not there yet.
+ */
+
+static int
+update_client_creds(int s, kcm_client *peer)
+{
+#ifdef GETPEERUCRED
+    /* Solaris 10 */
+    {
+	ucred_t *peercred;
+	
+	if (getpeerucred(s, &peercred) != 0) {
+	    peer->uid = ucred_geteuid(peercred);
+	    peer->gid = ucred_getegid(peercred);
+	    peer->pid = 0;
+	    ucred_free(peercred);
+	    return 0;
+	}
+    } 
+#endif
+#ifdef GETPEEREID
+    /* FreeBSD, OpenBSD */
+    {
+	uid_t uid;
+	gid_t gid;
+
+	if (getpeereid(s, &uid, &gid) == 0) {
+	    peer->uid = uid;
+	    peer->gid = gid;
+	    peer->pid = 0;
+	    return 0;
+	}
+    }
+#endif
+#ifdef SO_PEERCRED
+    /* Linux */
+    {
+	struct ucred pc;
+	socklen_t pclen = sizeof(pc);
+
+	if (getsockopt(s, SOL_SOCKET, SO_PEERCRED, (void *)&pc, &pclen) == 0) {
+	    peer->uid = pc.uid;
+	    peer->gid = pc.gid;
+	    peer->pid = pc.pid;
+	    return 0;
+	}
+    }
+#endif
+#if defined(LOCAL_PEERCRED) && defined(XUCRED_VERSION)
+    {
+	struct xucred peercred;
+	socklen_t peercredlen = sizeof(peercred);
+
+	if (getsockopt(s, LOCAL_PEERCRED, 1,
+		       (void *)&peercred, &peercredlen) == 0
+	    && peercred.cr_version == XUCRED_VERSION)
+	{
+	    peer->uid = peercred.cr_uid;
+	    peer->gid = peercred.cr_gid;
+	    peer->pid = 0;
+	    return 0;
+	}
+    }
+#endif
+#if defined(SOCKCREDSIZE) && defined(SCM_CREDS)
+    /* NetBSD */
+    if (peer->uid == -1) {
+	struct msghdr msg;
+	socklen_t crmsgsize;
+	void *crmsg;
+	struct cmsghdr *cmp;
+	struct sockcred *sc;
+	
+	memset(&msg, 0, sizeof(msg));
+	crmsgsize = CMSG_SPACE(SOCKCREDSIZE(NGROUPS));
+	if (crmsgsize == 0)
+	    return 1 ;
+
+	crmsg = malloc(crmsgsize);
+	if (crmsg == NULL)
+	    goto failed_scm_creds;
+
+	memset(crmsg, 0, crmsgsize);
+	
+	msg.msg_control = crmsg;
+	msg.msg_controllen = crmsgsize;
+	
+	if (recvmsg(s, &msg, 0) < 0) {
+	    free(crmsg);
+	    goto failed_scm_creds;
+	}	
+	
+	if (msg.msg_controllen == 0 || (msg.msg_flags & MSG_CTRUNC) != 0) {
+	    free(crmsg);
+	    goto failed_scm_creds;
+	}	
+	
+	cmp = CMSG_FIRSTHDR(&msg);
+	if (cmp->cmsg_level != SOL_SOCKET || cmp->cmsg_type != SCM_CREDS) {
+	    free(crmsg);
+	    goto failed_scm_creds;
+	}	
+	
+	sc = (struct sockcred *)(void *)CMSG_DATA(cmp);
+	
+	peer->uid = sc->sc_euid;
+	peer->gid = sc->sc_egid;
+	peer->pid = 0;
+	
+	free(crmsg);
+	return 0;
+    } else {
+	/* we already got the cred, just return it */
+	return 0;
+    }
+ failed_scm_creds:
+#endif
+    krb5_warn(kcm_context, errno, "failed to determine peer identity");
+    return 1;
+}
+
+
+/*
+ * Create the socket (family, type, port) in `d'
+ */
+
+static void 
+init_socket(struct descr *d)
+{
+    struct sockaddr_un un;
+    struct sockaddr *sa = (struct sockaddr *)&un;
+    krb5_socklen_t sa_size = sizeof(un);
+
+    init_descr (d);
+
+    un.sun_family = AF_UNIX;
+
+    if (socket_path != NULL)
+	d->path = socket_path;
+    else
+	d->path = _PATH_KCM_SOCKET;
+
+    strlcpy(un.sun_path, d->path, sizeof(un.sun_path));
+
+    d->s = socket(AF_UNIX, SOCK_STREAM, 0);
+    if (d->s < 0){
+	krb5_warn(kcm_context, errno, "socket(%d, %d, 0)", AF_UNIX, SOCK_STREAM);
+	d->s = -1;
+	return;
+    }
+#if defined(HAVE_SETSOCKOPT) && defined(SOL_SOCKET) && defined(SO_REUSEADDR)
+    {
+	int one = 1;
+	setsockopt(d->s, SOL_SOCKET, SO_REUSEADDR, (void *)&one, sizeof(one));
+    }
+#endif
+#ifdef LOCAL_CREDS
+    {
+	int one = 1;
+	setsockopt(d->s, 0, LOCAL_CREDS, (void *)&one, sizeof(one));
+    }
+#endif
+
+    d->type = SOCK_STREAM;
+
+    unlink(d->path);
+
+    if (bind(d->s, sa, sa_size) < 0) {
+	krb5_warn(kcm_context, errno, "bind %s", un.sun_path);
+	close(d->s);
+	d->s = -1;
+	return;
+    }
+
+    if (listen(d->s, SOMAXCONN) < 0) {
+	krb5_warn(kcm_context, errno, "listen %s", un.sun_path);
+	close(d->s);
+	d->s = -1;
+	return;
+    }
+
+    chmod(d->path, 0777);
+
+    return;
+}
+
+/*
+ * Allocate descriptors for all the sockets that we should listen on
+ * and return the number of them.
+ */
+
+static int
+init_sockets(struct descr **desc)
+{
+    struct descr *d;
+    size_t num = 0;
+
+    d = (struct descr *)malloc(sizeof(*d));
+    if (d == NULL) {
+	krb5_errx(kcm_context, 1, "malloc failed");
+    }
+
+    init_socket(d);
+    if (d->s != -1) {
+	kcm_log(5, "listening on domain socket %s", d->path);
+	num++;
+    }
+
+    reinit_descrs (d, num);
+    *desc = d;
+
+    return num;
+}
+
+/*
+ * handle the request in `buf, len', from `addr' (or `from' as a string),
+ * sending a reply in `reply'.
+ */
+
+static int
+process_request(unsigned char *buf, 
+		size_t len, 
+		krb5_data *reply,
+		kcm_client *client)
+{
+    krb5_data request;
+   
+    if (len < 4) {
+	kcm_log(1, "malformed request from process %d (too short)", 
+		client->pid);
+	return -1;
+    }
+
+    if (buf[0] != KCM_PROTOCOL_VERSION_MAJOR ||
+	buf[1] != KCM_PROTOCOL_VERSION_MINOR) {
+	kcm_log(1, "incorrect protocol version %d.%d from process %d",
+		buf[0], buf[1], client->pid);
+	return -1;
+    }
+
+    buf += 2;
+    len -= 2;
+
+    /* buf is now pointing at opcode */
+
+    request.data = buf;
+    request.length = len;
+
+    return kcm_dispatch(kcm_context, client, &request, reply);
+}
+
+/*
+ * Handle the request in `buf, len' to socket `d'
+ */
+
+static void
+do_request(void *buf, size_t len, struct descr *d)
+{
+    krb5_error_code ret;
+    krb5_data reply;
+
+    reply.length = 0;
+
+    ret = process_request(buf, len, &reply, &d->peercred);
+    if (reply.length != 0) {
+	unsigned char len[4];
+	struct msghdr msghdr;
+	struct iovec iov[2];
+
+	kcm_log(5, "sending %lu bytes to process %d", 
+		(unsigned long)reply.length,
+		(int)d->peercred.pid);
+
+	memset (&msghdr, 0, sizeof(msghdr));
+	msghdr.msg_name       = NULL;
+	msghdr.msg_namelen    = 0;
+	msghdr.msg_iov        = iov;
+	msghdr.msg_iovlen     = sizeof(iov)/sizeof(*iov);
+#if 0
+	msghdr.msg_control    = NULL;
+	msghdr.msg_controllen = 0;
+#endif
+
+	len[0] = (reply.length >> 24) & 0xff;
+	len[1] = (reply.length >> 16) & 0xff;
+	len[2] = (reply.length >> 8) & 0xff;
+	len[3] = reply.length & 0xff;
+
+	iov[0].iov_base       = (void*)len;
+	iov[0].iov_len        = 4;
+	iov[1].iov_base       = reply.data;
+	iov[1].iov_len        = reply.length;
+
+	if (sendmsg (d->s, &msghdr, 0) < 0) {
+	    kcm_log (0, "sendmsg(%d): %d %s", (int)d->peercred.pid,
+		     errno, strerror(errno));
+	    krb5_data_free(&reply);
+	    return;
+	}
+
+	krb5_data_free(&reply);
+    }
+
+    if (ret) {
+	kcm_log(0, "Failed processing %lu byte request from process %d", 
+		(unsigned long)len, d->peercred.pid);
+    }
+}
+
+static void
+clear_descr(struct descr *d)
+{
+    if(d->buf)
+	memset(d->buf, 0, d->size);
+    d->len = 0;
+    if(d->s != -1)
+	close(d->s);
+    d->s = -1;
+}
+
+#define STREAM_TIMEOUT 4
+
+/*
+ * accept a new stream connection on `d[parent]' and store it in `d[child]'
+ */
+
+static void
+add_new_stream (struct descr *d, int parent, int child)
+{
+    int s;
+
+    if (child == -1)
+	return;
+
+    d[child].peercred.pid = -1;
+    d[child].peercred.uid = -1;
+    d[child].peercred.gid = -1;
+
+    d[child].sock_len = sizeof(d[child].__ss);
+    s = accept(d[parent].s, d[child].sa, &d[child].sock_len);
+    if(s < 0) {
+	krb5_warn(kcm_context, errno, "accept");
+	return;
+    }
+
+    if (s >= FD_SETSIZE) {
+	krb5_warnx(kcm_context, "socket FD too large");
+	close (s);
+	return;
+    }
+
+    d[child].s = s;
+    d[child].timeout = time(NULL) + STREAM_TIMEOUT;
+    d[child].type = SOCK_STREAM;
+}
+
+/*
+ * Grow `d' to handle at least `n'.
+ * Return != 0 if fails
+ */
+
+static int
+grow_descr (struct descr *d, size_t n)
+{
+    if (d->size - d->len < n) {
+	unsigned char *tmp;
+	size_t grow;
+
+	grow = max(1024, d->len + n);
+	if (d->size + grow > max_request) {
+	    kcm_log(0, "Request exceeds max request size (%lu bytes).",
+		    (unsigned long)d->size + grow);
+	    clear_descr(d);
+	    return -1;
+	}
+	tmp = realloc (d->buf, d->size + grow);
+	if (tmp == NULL) {
+	    kcm_log(0, "Failed to re-allocate %lu bytes.",
+		    (unsigned long)d->size + grow);
+	    clear_descr(d);
+	    return -1;
+	}
+	d->size += grow;
+	d->buf = tmp;
+    }
+    return 0;
+}
+
+/*
+ * Handle incoming data to the stream socket in `d[index]'
+ */
+
+static void
+handle_stream(struct descr *d, int index, int min_free)
+{
+    unsigned char buf[1024];
+    int n;
+    int ret = 0;
+
+    if (d[index].timeout == 0) {
+	add_new_stream (d, index, min_free);
+	return;
+    }
+
+    if (update_client_creds(d[index].s, &d[index].peercred)) {
+	krb5_warnx(kcm_context, "failed to update peer identity");
+	clear_descr(d + index);
+	return;
+    }
+
+    if (d[index].peercred.uid == -1) {
+	krb5_warnx(kcm_context, "failed to determine peer identity");
+	clear_descr (d + index);
+	return;
+    }
+
+    n = recvfrom(d[index].s, buf, sizeof(buf), 0, NULL, NULL);
+    if (n < 0) {
+	krb5_warn(kcm_context, errno, "recvfrom");
+	return;
+    } else if (n == 0) {
+	krb5_warnx(kcm_context, "connection closed before end of data "
+		   "after %lu bytes from process %ld",
+		   (unsigned long) d[index].len, (long) d[index].peercred.pid);
+	clear_descr (d + index);
+	return;
+    }
+    if (grow_descr (&d[index], n))
+	return;
+    memcpy(d[index].buf + d[index].len, buf, n);
+    d[index].len += n;
+    if (d[index].len > 4) {
+	krb5_storage *sp;
+	int32_t len;
+
+	sp = krb5_storage_from_mem(d[index].buf, d[index].len);
+	if (sp == NULL) {
+	    kcm_log (0, "krb5_storage_from_mem failed");
+	    ret = -1;
+	} else {
+	    krb5_ret_int32(sp, &len);
+	    krb5_storage_free(sp);
+	    if (d[index].len - 4 >= len) {
+		memmove(d[index].buf, d[index].buf + 4, d[index].len - 4);
+		ret = 1;
+	    } else
+		ret = 0;
+	}
+    }
+    if (ret < 0)
+	return;
+    else if (ret == 1) {
+	do_request(d[index].buf, d[index].len, &d[index]);
+	clear_descr(d + index);
+    }
+}
+
+#ifdef HAVE_DOOR_CREATE
+
+static void
+kcm_door_server(void  *cookie, char *argp, size_t arg_size,
+		door_desc_t *dp, uint_t n_desc)
+{
+    kcm_client peercred;
+    door_cred_t cred;
+    krb5_error_code ret;
+    krb5_data reply;
+    size_t length;
+    char *p;
+
+    reply.length = 0;
+
+    p = NULL;
+    length = 0;
+
+    if (door_cred(&cred) != 0) {
+	kcm_log(0, "door_cred failed with %s", strerror(errno));
+	goto out;
+    }
+
+    peercred.uid = cred.dc_euid;
+    peercred.gid = cred.dc_egid;
+    peercred.pid = cred.dc_pid;
+
+    ret = process_request((unsigned char*)argp, arg_size, &reply, &peercred);
+    if (reply.length != 0) {
+	p = alloca(reply.length); /* XXX don't use alloca */
+	if (p) {
+	    memcpy(p, reply.data, reply.length);
+	    length = reply.length;
+	}
+	krb5_data_free(&reply);
+    }
+
+ out:
+    door_return(p, length, NULL, 0);
+}
+
+static void
+kcm_setup_door(void)
+{
+    int fd, ret;
+    char *path;
+
+    fd = door_create(kcm_door_server, NULL, 0);
+    if (fd < 0)
+	krb5_err(kcm_context, 1, errno, "Failed to create door");
+
+    if (door_path != NULL)
+	path = door_path;
+    else
+	path = _PATH_KCM_DOOR;
+
+    unlink(path);
+    ret = open(path, O_RDWR | O_CREAT, 0666);
+    if (ret < 0)
+	krb5_err(kcm_context, 1, errno, "Failed to create/open door");
+    close(ret);
+
+    ret = fattach(fd, path);
+    if (ret < 0)
+	krb5_err(kcm_context, 1, errno, "Failed to attach door");
+
+}
+#endif /* HAVE_DOOR_CREATE */
+
+
+void
+kcm_loop(void)
+{
+    struct descr *d;
+    int ndescr;
+
+#ifdef HAVE_DOOR_CREATE
+    kcm_setup_door();
+#endif
+
+    ndescr = init_sockets(&d);
+    if (ndescr <= 0) {
+	krb5_warnx(kcm_context, "No sockets!");
+#ifndef HAVE_DOOR_CREATE
+	exit(1);
+#endif
+    }
+    while (exit_flag == 0){
+	struct timeval tmout;
+	fd_set fds;
+	int min_free = -1;
+	int max_fd = 0;
+	int i;
+
+	FD_ZERO(&fds);
+	for(i = 0; i < ndescr; i++) {
+	    if (d[i].s >= 0){
+		if(d[i].type == SOCK_STREAM && 
+		   d[i].timeout && d[i].timeout < time(NULL)) {
+		    kcm_log(1, "Stream connection from %d expired after %lu bytes",
+			    d[i].peercred.pid, (unsigned long)d[i].len);
+		    clear_descr(&d[i]);
+		    continue;
+		}
+		if (max_fd < d[i].s)
+		    max_fd = d[i].s;
+		if (max_fd >= FD_SETSIZE)
+		    krb5_errx(kcm_context, 1, "fd too large");
+		FD_SET(d[i].s, &fds);
+	    } else if (min_free < 0 || i < min_free)
+		min_free = i;
+	}
+	if (min_free == -1) {
+	    struct descr *tmp;
+	    tmp = realloc(d, (ndescr + 4) * sizeof(*d));
+	    if(tmp == NULL)
+		krb5_warnx(kcm_context, "No memory");
+	    else {
+		d = tmp;
+		reinit_descrs (d, ndescr);
+		memset(d + ndescr, 0, 4 * sizeof(*d));
+		for(i = ndescr; i < ndescr + 4; i++)
+		    init_descr (&d[i]);
+		min_free = ndescr;
+		ndescr += 4;
+	    }
+	}
+
+	tmout.tv_sec = STREAM_TIMEOUT;
+	tmout.tv_usec = 0;
+	switch (select(max_fd + 1, &fds, 0, 0, &tmout)){
+	case 0:
+	    kcm_run_events(kcm_context, time(NULL));
+	    break;
+	case -1:
+	    if (errno != EINTR)
+		krb5_warn(kcm_context, errno, "select");
+	    break;
+	default:
+	    for(i = 0; i < ndescr; i++) {
+		if(d[i].s >= 0 && FD_ISSET(d[i].s, &fds)) {
+		    if (d[i].type == SOCK_STREAM)
+			handle_stream(d, i, min_free);
+		}
+	    }
+	    kcm_run_events(kcm_context, time(NULL));
+	    break;
+	}
+    }
+    if (d->path != NULL)
+	unlink(d->path);
+    free(d);
+}
+
diff --git a/crypto/heimdal/kcm/cursor.c b/crypto/heimdal/kcm/cursor.c
new file mode 100644
index 0000000..701f770
--- /dev/null
+++ b/crypto/heimdal/kcm/cursor.c
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) 2005, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kcm_locl.h"
+
+RCSID("$Id: cursor.c 17447 2006-05-05 10:52:01Z lha $");
+
+krb5_error_code
+kcm_cursor_new(krb5_context context,
+	       pid_t pid,
+	       kcm_ccache ccache,
+	       uint32_t *cursor)
+{
+    kcm_cursor **p;
+    krb5_error_code ret;
+
+    *cursor = 0;
+
+    KCM_ASSERT_VALID(ccache);
+
+    HEIMDAL_MUTEX_lock(&ccache->mutex);
+    for (p = &ccache->cursors; *p != NULL; p = &(*p)->next)
+	;
+
+    *p = (kcm_cursor *)malloc(sizeof(kcm_cursor));
+    if (*p == NULL) {
+	ret = KRB5_CC_NOMEM;
+	goto out;
+    }
+
+    (*p)->pid = pid;
+    (*p)->key = ++ccache->n_cursor;
+    (*p)->credp = ccache->creds;
+    (*p)->next = NULL;
+
+    *cursor = (*p)->key;
+
+    ret = 0;
+
+out:
+    HEIMDAL_MUTEX_unlock(&ccache->mutex);
+
+    return ret;
+}
+
+krb5_error_code
+kcm_cursor_find(krb5_context context,
+		pid_t pid,
+		kcm_ccache ccache,
+		uint32_t key,
+		kcm_cursor **cursor)
+{
+    kcm_cursor *p;
+    krb5_error_code ret;
+
+    KCM_ASSERT_VALID(ccache);
+
+    if (key == 0)
+	return KRB5_CC_NOTFOUND;
+
+    ret = KRB5_CC_END;
+
+    HEIMDAL_MUTEX_lock(&ccache->mutex);
+
+    for (p = ccache->cursors; p != NULL; p = p->next) {
+	if (p->key == key) {
+	    if (p->pid != pid)
+		ret = KRB5_FCC_PERM;
+	    else
+		ret = 0;
+	    break;
+	}
+    }
+
+    if (ret == 0)
+	*cursor = p;
+
+    HEIMDAL_MUTEX_unlock(&ccache->mutex);
+
+    return ret;
+}
+
+krb5_error_code
+kcm_cursor_delete(krb5_context context,
+	     	  pid_t pid,
+		  kcm_ccache ccache,
+		  uint32_t key)
+{
+    kcm_cursor **p;
+    krb5_error_code ret;
+
+    KCM_ASSERT_VALID(ccache);
+
+    if (key == 0)
+	return KRB5_CC_NOTFOUND;
+
+    ret = KRB5_CC_END;
+
+    HEIMDAL_MUTEX_lock(&ccache->mutex);
+
+    for (p = &ccache->cursors; *p != NULL; p = &(*p)->next) {
+	if ((*p)->key == key) {
+	    if ((*p)->pid != pid)
+		ret = KRB5_FCC_PERM;
+	    else
+		ret = 0;
+	    break;
+	}
+    }
+
+    if (ret == 0) {
+	kcm_cursor *x = *p;
+
+	*p = x->next;
+	free(x);
+    }
+
+    HEIMDAL_MUTEX_unlock(&ccache->mutex);
+
+    return ret;
+}
+
diff --git a/crypto/heimdal/kcm/events.c b/crypto/heimdal/kcm/events.c
new file mode 100644
index 0000000..f1110d1
--- /dev/null
+++ b/crypto/heimdal/kcm/events.c
@@ -0,0 +1,440 @@
+/*
+ * Copyright (c) 2005, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kcm_locl.h"
+
+RCSID("$Id: events.c 15294 2005-05-30 01:43:23Z lukeh $");
+
+/* thread-safe in case we multi-thread later */
+static HEIMDAL_MUTEX events_mutex = HEIMDAL_MUTEX_INITIALIZER;
+static kcm_event *events_head = NULL;
+static time_t last_run = 0;
+
+static char *action_strings[] = {
+	"NONE", "ACQUIRE_CREDS", "RENEW_CREDS",
+	"DESTROY_CREDS", "DESTROY_EMPTY_CACHE" };
+
+krb5_error_code
+kcm_enqueue_event(krb5_context context,
+		  kcm_event *event)
+{
+    krb5_error_code ret;
+
+    if (event->action == KCM_EVENT_NONE) {
+	return 0;
+    }
+
+    HEIMDAL_MUTEX_lock(&events_mutex);
+    ret = kcm_enqueue_event_internal(context, event);
+    HEIMDAL_MUTEX_unlock(&events_mutex);
+
+    return ret;
+}
+
+static void
+print_times(time_t time, char buf[64])
+{
+    if (time)
+	strftime(buf, 64, "%m-%dT%H:%M", gmtime(&time));
+    else
+	strlcpy(buf, "never", 64);
+}
+
+static void
+log_event(kcm_event *event, char *msg)
+{
+    char fire_time[64], expire_time[64];
+
+    print_times(event->fire_time, fire_time);
+    print_times(event->expire_time, expire_time);
+
+    kcm_log(7, "%s event %08x: fire_time %s fire_count %d expire_time %s "
+	    "backoff_time %d action %s cache %s",
+	    msg, event, fire_time, event->fire_count, expire_time,
+	    event->backoff_time, action_strings[event->action],
+	    event->ccache->name);
+}
+
+krb5_error_code
+kcm_enqueue_event_internal(krb5_context context,
+			   kcm_event *event)
+{
+    kcm_event **e;
+
+    if (event->action == KCM_EVENT_NONE)
+	return 0;
+
+    for (e = &events_head; *e != NULL; e = &(*e)->next)
+	;
+
+    *e = (kcm_event *)malloc(sizeof(kcm_event));
+    if (*e == NULL) {
+	return KRB5_CC_NOMEM;
+    }
+
+    (*e)->valid = 1;
+    (*e)->fire_time = event->fire_time;
+    (*e)->fire_count = 0;
+    (*e)->expire_time = event->expire_time;
+    (*e)->backoff_time = event->backoff_time;
+
+    (*e)->action = event->action;
+
+    kcm_retain_ccache(context, event->ccache);
+    (*e)->ccache = event->ccache;
+    (*e)->next = NULL;
+
+    log_event(*e, "enqueuing");
+
+    return 0;
+}
+
+/*
+ * Dump events list on SIGUSR2
+ */
+krb5_error_code
+kcm_debug_events(krb5_context context)
+{
+    kcm_event *e;
+
+    for (e = events_head; e != NULL; e = e->next)
+	log_event(e, "debug");
+
+    return 0;
+}
+
+krb5_error_code
+kcm_enqueue_event_relative(krb5_context context,
+			   kcm_event *event)
+{
+    krb5_error_code ret;
+    kcm_event e;
+
+    e = *event;
+    e.backoff_time = e.fire_time;
+    e.fire_time += time(NULL);
+
+    ret = kcm_enqueue_event(context, &e);
+
+    return ret;
+}
+
+static krb5_error_code
+kcm_remove_event_internal(krb5_context context,
+			  kcm_event **e)
+{
+    kcm_event *next;
+
+    next = (*e)->next;
+
+    (*e)->valid = 0;
+    (*e)->fire_time = 0;
+    (*e)->fire_count = 0;
+    (*e)->expire_time = 0;
+    (*e)->backoff_time = 0;
+    kcm_release_ccache(context, &(*e)->ccache);
+    (*e)->next = NULL;
+    free(*e);
+
+    *e = next;
+
+    return 0;
+}
+
+static int
+is_primary_credential_p(krb5_context context,
+			kcm_ccache ccache,
+			krb5_creds *newcred)
+{
+    krb5_flags whichfields;
+
+    if (ccache->client == NULL)
+	return 0;
+
+    if (newcred->client == NULL ||
+	!krb5_principal_compare(context, ccache->client, newcred->client))
+	return 0;
+
+    /* XXX just checks whether it's the first credential in the cache */
+    if (ccache->creds == NULL)
+	return 0;
+
+    whichfields = KRB5_TC_MATCH_KEYTYPE | KRB5_TC_MATCH_FLAGS_EXACT |
+		  KRB5_TC_MATCH_TIMES_EXACT | KRB5_TC_MATCH_AUTHDATA |
+		  KRB5_TC_MATCH_2ND_TKT | KRB5_TC_MATCH_IS_SKEY;
+
+    return krb5_compare_creds(context, whichfields, newcred, &ccache->creds->cred);
+}
+
+/*
+ * Setup default events for a new credential
+ */
+static krb5_error_code
+kcm_ccache_make_default_event(krb5_context context,
+			      kcm_event *event,
+			      krb5_creds *newcred)
+{
+    krb5_error_code ret = 0;
+    kcm_ccache ccache = event->ccache;
+
+    event->fire_time = 0; 
+    event->expire_time = 0;
+    event->backoff_time = KCM_EVENT_DEFAULT_BACKOFF_TIME;
+
+    if (newcred == NULL) {
+	/* no creds, must be acquire creds request */
+	if ((ccache->flags & KCM_MASK_KEY_PRESENT) == 0) {
+	    kcm_log(0, "Cannot acquire credentials without a key");
+	    return KRB5_FCC_INTERNAL;
+	}
+
+	event->fire_time = time(NULL); /* right away */
+	event->action = KCM_EVENT_ACQUIRE_CREDS;
+    } else if (is_primary_credential_p(context, ccache, newcred)) {
+	if (newcred->flags.b.renewable) {
+	    event->action = KCM_EVENT_RENEW_CREDS;
+	    ccache->flags |= KCM_FLAGS_RENEWABLE;
+	} else {
+	    if (ccache->flags & KCM_MASK_KEY_PRESENT)
+		event->action = KCM_EVENT_ACQUIRE_CREDS;
+	    else
+		event->action = KCM_EVENT_NONE;
+	    ccache->flags &= ~(KCM_FLAGS_RENEWABLE);
+	}
+	/* requeue with some slop factor */
+	event->fire_time = newcred->times.endtime - KCM_EVENT_QUEUE_INTERVAL;
+    } else {
+	event->action = KCM_EVENT_NONE;
+    }
+
+    return ret;
+}
+
+krb5_error_code
+kcm_ccache_enqueue_default(krb5_context context,
+			   kcm_ccache ccache,
+			   krb5_creds *newcred)
+{
+    kcm_event event;
+    krb5_error_code ret;
+
+    memset(&event, 0, sizeof(event));
+    event.ccache = ccache;
+
+    ret = kcm_ccache_make_default_event(context, &event, newcred);
+    if (ret)
+	return ret;
+
+    ret = kcm_enqueue_event_internal(context, &event);
+    if (ret)
+	return ret;
+
+    return 0;
+}
+
+krb5_error_code
+kcm_remove_event(krb5_context context,
+		 kcm_event *event)
+{
+    krb5_error_code ret;
+    kcm_event **e;
+    int found = 0;
+
+    log_event(event, "removing");
+
+    HEIMDAL_MUTEX_lock(&events_mutex);
+    for (e = &events_head; *e != NULL; e = &(*e)->next) {
+	if (event == *e) {
+	    *e = event->next;
+	    found++;
+	    break;
+	}
+    }
+
+    if (!found) {
+	ret = KRB5_CC_NOTFOUND;
+	goto out;
+    }
+
+    ret = kcm_remove_event_internal(context, &event);
+
+out:
+    HEIMDAL_MUTEX_unlock(&events_mutex);
+
+    return ret;
+}
+
+krb5_error_code
+kcm_cleanup_events(krb5_context context,
+		   kcm_ccache ccache)
+{
+    kcm_event **e;
+
+    KCM_ASSERT_VALID(ccache);
+
+    HEIMDAL_MUTEX_lock(&events_mutex);
+
+    for (e = &events_head; *e != NULL; e = &(*e)->next) {
+	if ((*e)->valid && (*e)->ccache == ccache) {
+	    kcm_remove_event_internal(context, e);
+	}
+	if (*e == NULL)
+	    break;
+    }
+
+    HEIMDAL_MUTEX_unlock(&events_mutex);
+
+    return 0;
+}
+
+static krb5_error_code
+kcm_fire_event(krb5_context context,
+	       kcm_event **e)
+{
+    kcm_event *event;
+    krb5_error_code ret;
+    krb5_creds *credp = NULL;
+    int oneshot = 1;
+
+    event = *e;
+
+    switch (event->action) {
+    case KCM_EVENT_ACQUIRE_CREDS:
+	ret = kcm_ccache_acquire(context, event->ccache, &credp);
+	oneshot = 0;
+	break;
+    case KCM_EVENT_RENEW_CREDS:
+	ret = kcm_ccache_refresh(context, event->ccache, &credp);
+	if (ret == KRB5KRB_AP_ERR_TKT_EXPIRED) {
+	    ret = kcm_ccache_acquire(context, event->ccache, &credp);
+	}
+	oneshot = 0;
+	break;
+    case KCM_EVENT_DESTROY_CREDS:
+	ret = kcm_ccache_destroy(context, event->ccache->name);
+	break;
+    case KCM_EVENT_DESTROY_EMPTY_CACHE:
+	ret = kcm_ccache_destroy_if_empty(context, event->ccache);
+	break;
+    default:
+	ret = KRB5_FCC_INTERNAL;
+	break;
+    }
+
+    event->fire_count++;
+
+    if (ret) {
+	/* Reschedule failed event for another time */ 
+	event->fire_time += event->backoff_time;
+	if (event->backoff_time < KCM_EVENT_MAX_BACKOFF_TIME)
+	    event->backoff_time *= 2;
+
+	/* Remove it if it would never get executed */
+	if (event->expire_time &&
+	    event->fire_time > event->expire_time)
+	    kcm_remove_event_internal(context, e);
+    } else {
+	if (!oneshot) {
+	    char *cpn;
+
+	    if (krb5_unparse_name(context, event->ccache->client,
+				  &cpn))
+		cpn = NULL;
+
+	    kcm_log(0, "%s credentials in cache %s for principal %s",
+		    (event->action == KCM_EVENT_ACQUIRE_CREDS) ?
+			"Acquired" : "Renewed",
+		    event->ccache->name,
+		    (cpn != NULL) ? cpn : "<none>");
+
+	    if (cpn != NULL)
+		free(cpn);
+
+	    /* Succeeded, but possibly replaced with another event */
+	    ret = kcm_ccache_make_default_event(context, event, credp);
+	    if (ret || event->action == KCM_EVENT_NONE)
+		oneshot = 1;
+	    else
+		log_event(event, "requeuing");
+	}
+	if (oneshot)
+	    kcm_remove_event_internal(context, e);
+    }
+
+    return ret;
+}
+
+krb5_error_code
+kcm_run_events(krb5_context context,
+	       time_t now)
+{
+    krb5_error_code ret;
+    kcm_event **e;
+
+    HEIMDAL_MUTEX_lock(&events_mutex);
+
+    /* Only run event queue every N seconds */
+    if (now < last_run + KCM_EVENT_QUEUE_INTERVAL) {
+	HEIMDAL_MUTEX_unlock(&events_mutex);
+	return 0;
+    }
+
+    /* go through events list, fire and expire */
+    for (e = &events_head; *e != NULL; e = &(*e)->next) {
+	if ((*e)->valid == 0)
+	    continue;
+
+	if (now >= (*e)->fire_time) {
+	    ret = kcm_fire_event(context, e);
+	    if (ret) {
+		kcm_log(1, "Could not fire event for cache %s: %s",
+			(*e)->ccache->name, krb5_get_err_text(context, ret));
+	    }
+	} else if ((*e)->expire_time && now >= (*e)->expire_time) {
+	    ret = kcm_remove_event_internal(context, e);
+	    if (ret) {
+		kcm_log(1, "Could not expire event for cache %s: %s",
+			(*e)->ccache->name, krb5_get_err_text(context, ret));
+	    }
+	}
+
+	if (*e == NULL)
+	    break;
+    }
+
+    last_run = now;
+
+    HEIMDAL_MUTEX_unlock(&events_mutex);
+
+    return 0;
+}
+
diff --git a/crypto/heimdal/kcm/glue.c b/crypto/heimdal/kcm/glue.c
new file mode 100644
index 0000000..be217f3
--- /dev/null
+++ b/crypto/heimdal/kcm/glue.c
@@ -0,0 +1,279 @@
+/*
+ * Copyright (c) 2005, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kcm_locl.h"
+
+RCSID("$Id: glue.c 14566 2005-02-06 01:22:49Z lukeh $");
+
+/*
+ * Server-side loopback glue for credentials cache operations; this
+ * must be initialized with kcm_internal_ccache(), it is not for real
+ * use. This entire file assumes the cache is locked, it does not do
+ * any concurrency checking for multithread applications.
+ */
+
+#define KCMCACHE(X)	((kcm_ccache)(X)->data.data)
+#define CACHENAME(X)	(KCMCACHE(X)->name)
+
+static const char *
+kcmss_get_name(krb5_context context,
+	       krb5_ccache id)
+{
+    return CACHENAME(id);
+}
+
+static krb5_error_code
+kcmss_resolve(krb5_context context, krb5_ccache *id, const char *res)
+{
+    return KRB5_FCC_INTERNAL;
+}
+
+static krb5_error_code
+kcmss_gen_new(krb5_context context, krb5_ccache *id)
+{
+    return KRB5_FCC_INTERNAL;
+}
+
+static krb5_error_code
+kcmss_initialize(krb5_context context,
+		 krb5_ccache id,
+		 krb5_principal primary_principal)
+{
+    krb5_error_code ret;
+    kcm_ccache c = KCMCACHE(id);
+
+    KCM_ASSERT_VALID(c);
+
+    ret = kcm_zero_ccache_data_internal(context, c);
+    if (ret)
+	return ret;
+
+    ret = krb5_copy_principal(context, primary_principal,
+			      &c->client);
+
+    return ret;
+}
+
+static krb5_error_code
+kcmss_close(krb5_context context,
+	    krb5_ccache id)
+{
+    kcm_ccache c = KCMCACHE(id);
+
+    KCM_ASSERT_VALID(c);
+
+    id->data.data = NULL;
+    id->data.length = 0;
+
+    return 0;
+}
+
+static krb5_error_code
+kcmss_destroy(krb5_context context,
+	      krb5_ccache id)
+{
+    krb5_error_code ret;
+    kcm_ccache c = KCMCACHE(id);
+
+    KCM_ASSERT_VALID(c);
+
+    ret = kcm_ccache_destroy(context, CACHENAME(id));
+
+    return ret;
+}
+
+static krb5_error_code
+kcmss_store_cred(krb5_context context,
+		 krb5_ccache id,
+		 krb5_creds *creds)
+{
+    krb5_error_code ret;
+    kcm_ccache c = KCMCACHE(id);
+    krb5_creds *tmp;
+
+    KCM_ASSERT_VALID(c);
+
+    ret = kcm_ccache_store_cred_internal(context, c, creds, 1, &tmp);
+
+    return ret;
+}
+
+static krb5_error_code
+kcmss_retrieve(krb5_context context,
+	       krb5_ccache id,
+	       krb5_flags which,
+	       const krb5_creds *mcred,
+	       krb5_creds *creds)
+{
+    krb5_error_code ret;
+    kcm_ccache c = KCMCACHE(id);
+    krb5_creds *credp;
+
+    KCM_ASSERT_VALID(c);
+
+    ret = kcm_ccache_retrieve_cred_internal(context, c, which,
+					    mcred, &credp);
+    if (ret)
+	return ret;
+
+    ret = krb5_copy_creds_contents(context, credp, creds);
+    if (ret)
+	return ret;
+
+    return 0;
+}
+
+static krb5_error_code
+kcmss_get_principal(krb5_context context,
+		    krb5_ccache id,
+		    krb5_principal *principal)
+{
+    krb5_error_code ret;
+    kcm_ccache c = KCMCACHE(id);
+
+    KCM_ASSERT_VALID(c);
+
+    ret = krb5_copy_principal(context, c->client,
+			      principal);
+
+    return ret;
+}
+
+static krb5_error_code
+kcmss_get_first (krb5_context context,
+		 krb5_ccache id,
+		 krb5_cc_cursor *cursor)
+{
+    kcm_ccache c = KCMCACHE(id);
+
+    KCM_ASSERT_VALID(c);
+
+    *cursor = c->creds;
+
+    return (*cursor == NULL) ? KRB5_CC_END : 0;
+}
+
+static krb5_error_code
+kcmss_get_next (krb5_context context,
+		krb5_ccache id,
+		krb5_cc_cursor *cursor,
+		krb5_creds *creds)
+{
+    krb5_error_code ret;
+    kcm_ccache c = KCMCACHE(id);
+
+    KCM_ASSERT_VALID(c);
+
+    ret = krb5_copy_creds_contents(context,
+				   &((struct kcm_creds *)cursor)->cred,
+				   creds);
+    if (ret)
+	return ret;
+
+    *cursor = ((struct kcm_creds *)cursor)->next;
+    if (*cursor == 0)
+	ret = KRB5_CC_END;
+
+    return ret;
+}
+
+static krb5_error_code
+kcmss_end_get (krb5_context context,
+	       krb5_ccache id,
+	       krb5_cc_cursor *cursor)
+{
+    *cursor = NULL;
+    return 0;
+}
+
+static krb5_error_code
+kcmss_remove_cred(krb5_context context,
+		  krb5_ccache id,
+		  krb5_flags which,
+		  krb5_creds *cred)
+{
+    krb5_error_code ret;
+    kcm_ccache c = KCMCACHE(id);
+
+    KCM_ASSERT_VALID(c);
+
+    ret = kcm_ccache_remove_cred_internal(context, c, which, cred);
+
+    return ret;
+}
+
+static krb5_error_code
+kcmss_set_flags(krb5_context context,
+		krb5_ccache id,
+		krb5_flags flags)
+{
+    return 0;
+}
+
+static krb5_error_code
+kcmss_get_version(krb5_context context,
+		  krb5_ccache id)
+{
+    return 0;
+}
+
+static const krb5_cc_ops krb5_kcmss_ops = {
+    "KCM",
+    kcmss_get_name,
+    kcmss_resolve,
+    kcmss_gen_new,
+    kcmss_initialize,
+    kcmss_destroy,
+    kcmss_close,
+    kcmss_store_cred,
+    kcmss_retrieve,
+    kcmss_get_principal,
+    kcmss_get_first,
+    kcmss_get_next,
+    kcmss_end_get,
+    kcmss_remove_cred,
+    kcmss_set_flags,
+    kcmss_get_version
+};
+
+krb5_error_code
+kcm_internal_ccache(krb5_context context,
+		    kcm_ccache c,
+		    krb5_ccache id)
+{
+    id->ops = &krb5_kcmss_ops;
+    id->data.length = sizeof(*c);
+    id->data.data = c;
+
+    return 0;
+}
+
diff --git a/crypto/heimdal/kcm/headers.h b/crypto/heimdal/kcm/headers.h
new file mode 100644
index 0000000..1042dd8
--- /dev/null
+++ b/crypto/heimdal/kcm/headers.h
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 2005, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef __HEADERS_H__
+#define __HEADERS_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <signal.h>
+#include <stdarg.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_SYS_UN_H
+#include <sys/un.h>
+#endif
+#ifdef HAVE_SYS_UCRED_H
+#include <sys/ucred.h>
+#endif
+#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif
+#ifdef HAVE_LIBUTIL_H
+#include <libutil.h>
+#endif
+#ifdef HAVE_GETPEERUCRED
+#include <ucred.h>
+#endif
+#ifdef HAVE_DOOR_CREATE
+#include <door.h>
+#include <alloca.h>
+#endif
+#include <err.h>
+#include <roken.h>
+#include <getarg.h>
+#include <base64.h>
+#include <parse_units.h>
+#include <krb5.h>
+#include <krb5_locl.h>
+
+#endif /* __HEADERS_H__ */
+
diff --git a/crypto/heimdal/kcm/kcm.8 b/crypto/heimdal/kcm/kcm.8
new file mode 100644
index 0000000..4a72eb3
--- /dev/null
+++ b/crypto/heimdal/kcm/kcm.8
@@ -0,0 +1,224 @@
+.\" Copyright (c) 2005 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden). 
+.\" All rights reserved. 
+.\"
+.\" Redistribution and use in source and binary forms, with or without 
+.\" modification, are permitted provided that the following conditions 
+.\" are met: 
+.\"
+.\" 1. Redistributions of source code must retain the above copyright 
+.\"    notice, this list of conditions and the following disclaimer. 
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright 
+.\"    notice, this list of conditions and the following disclaimer in the 
+.\"    documentation and/or other materials provided with the distribution. 
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors 
+.\"    may be used to endorse or promote products derived from this software 
+.\"    without specific prior written permission. 
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+.\" SUCH DAMAGE. 
+.\"
+.\" $Id: kcm.8 15497 2005-06-20 13:32:44Z lha $
+.\"
+.Dd May 29, 2005
+.Dt KCM 8
+.Os Heimdal
+.Sh NAME
+.Nm kcm
+.Nd
+is a process based credential cache for Kerberos tickets.
+.Sh SYNOPSIS
+.Nm
+.Op Fl -cache-name= Ns Ar cachename
+.Oo Fl c Ar file \*(Ba Xo
+.Fl -config-file= Ns Ar file
+.Xc
+.Oc
+.Oo Fl g Ar group \*(Ba Xo
+.Fl -group= Ns Ar group
+.Xc
+.Oc
+.Op Fl -max-request= Ns Ar size
+.Op Fl -disallow-getting-krbtgt
+.Op Fl -detach
+.Op Fl h | Fl -help
+.Oo Fl k Ar principal \*(Ba Xo
+.Fl -system-principal= Ns Ar principal
+.Xc
+.Oc
+.Oo Fl l Ar time \*(Ba Xo
+.Fl -lifetime= Ns Ar time
+.Xc
+.Oc
+.Oo Fl m Ar mode \*(Ba Xo
+.Fl -mode= Ns Ar mode
+.Xc
+.Oc
+.Op Fl n | Fl -no-name-constraints
+.Oo Fl r Ar time \*(Ba Xo
+.Fl -renewable-life= Ns Ar time
+.Xc
+.Oc
+.Oo Fl s Ar path \*(Ba Xo
+.Fl -socket-path= Ns Ar path
+.Xc
+.Oc
+.Oo Xo
+.Fl -door-path= Ns Ar path
+.Xc
+.Oc
+.Oo Fl S Ar principal \*(Ba Xo
+.Fl -server= Ns Ar principal
+.Xc
+.Oc
+.Oo Fl t Ar keytab \*(Ba Xo
+.Fl -keytab= Ns Ar keytab
+.Xc
+.Oc
+.Oo Fl u Ar user \*(Ba Xo
+.Fl -user= Ns Ar user
+.Xc
+.Oc
+.Op Fl v | Fl -version
+.Sh DESCRIPTION
+.Nm
+is a process based credential cache.
+To use it, set the
+.Ev KRB5CCNAME
+enviroment variable to
+.Ql KCM: Ns Ar uid
+or add the stanza
+.Bd -literal
+
+[libdefaults]
+        default_cc_name = KCM:%{uid}
+
+.Ed
+to the
+.Pa /etc/krb5.conf
+configuration file and make sure
+.Nm kcm
+is started in the system startup files.
+.Pp
+The
+.Nm
+daemon can hold the credentials for all users in the system.  Access
+control is done with Unix-like permissions.  The daemon checks the
+access on all operations based on the uid and gid of the user.  The
+tickets are renewed as long as is permitted by the KDC's policy.
+.Pp
+The
+.Nm
+daemon can also keep a SYSTEM credential that server processes can
+use to access services.  One example of usage might be an nss_ldap
+module that quickly needs to get credentials and doesn't want to renew
+the ticket itself. 
+.Pp
+Supported options:
+.Bl -tag -width Ds
+.It Xo
+.Fl -cache-name= Ns Ar cachename
+.Xc
+system cache name
+.It Xo
+.Fl c Ar file ,
+.Fl -config-file= Ns Ar file
+.Xc
+location of config file
+.It Xo
+.Fl g Ar group ,
+.Fl -group= Ns Ar group
+.Xc
+system cache group
+.It Xo
+.Fl -max-request= Ns Ar size
+.Xc
+max size for a kcm-request
+.It Xo
+.Fl -disallow-getting-krbtgt
+.Xc
+disallow extracting any krbtgt from the
+.Nm kcm
+daemon.
+.It Xo
+.Fl -detach
+.Xc
+detach from console
+.It Xo
+.Fl h ,
+.Fl -help
+.Xc
+.It Xo
+.Fl k Ar principal ,
+.Fl -system-principal= Ns Ar principal
+.Xc
+system principal name
+.It Xo
+.Fl l Ar time ,
+.Fl -lifetime= Ns Ar time
+.Xc
+lifetime of system tickets
+.It Xo
+.Fl m Ar mode ,
+.Fl -mode= Ns Ar mode
+.Xc
+octal mode of system cache
+.It Xo
+.Fl n ,
+.Fl -no-name-constraints
+.Xc
+disable credentials cache name constraints
+.It Xo
+.Fl r Ar time ,
+.Fl -renewable-life= Ns Ar time
+.Xc
+renewable lifetime of system tickets
+.It Xo
+.Fl s Ar path ,
+.Fl -socket-path= Ns Ar path
+.Xc
+path to kcm domain socket
+.It Xo
+.Fl -door-path= Ns Ar path
+.Xc
+path to kcm door socket
+.It Xo
+.Fl S Ar principal ,
+.Fl -server= Ns Ar principal
+.Xc
+server to get system ticket for
+.It Xo
+.Fl t Ar keytab ,
+.Fl -keytab= Ns Ar keytab
+.Xc
+system keytab name
+.It Xo
+.Fl u Ar user ,
+.Fl -user= Ns Ar user
+.Xc
+system cache owner
+.It Xo
+.Fl v ,
+.Fl -version
+.Xc
+.El
+.\".Sh ENVIRONMENT
+.\".Sh FILES
+.\".Sh EXAMPLES
+.\".Sh DIAGNOSTICS
+.\".Sh SEE ALSO
+.\".Sh STANDARDS
+.\".Sh HISTORY
+.\".Sh AUTHORS
+.\".Sh BUGS
diff --git a/crypto/heimdal/kcm/kcm_locl.h b/crypto/heimdal/kcm/kcm_locl.h
new file mode 100644
index 0000000..75e55ee
--- /dev/null
+++ b/crypto/heimdal/kcm/kcm_locl.h
@@ -0,0 +1,173 @@
+/*
+ * Copyright (c) 2005, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* 
+ * $Id: kcm_locl.h 20470 2007-04-20 10:41:11Z lha $ 
+ */
+
+#ifndef __KCM_LOCL_H__
+#define __KCM_LOCL_H__
+
+#include "headers.h"
+
+#include <kcm.h>
+
+#define KCM_LOG_REQUEST(_context, _client, _opcode)	do { \
+    kcm_log(1, "%s request by process %d/uid %d", \
+	    kcm_op2string(_opcode), (_client)->pid, (_client)->uid); \
+    } while (0)
+
+#define KCM_LOG_REQUEST_NAME(_context, _client, _opcode, _name)	do { \
+    kcm_log(1, "%s request for cache %s by process %d/uid %d", \
+	    kcm_op2string(_opcode), (_name), (_client)->pid, (_client)->uid); \
+    } while (0)
+
+/* Cache management */
+
+#define KCM_FLAGS_VALID			0x0001
+#define KCM_FLAGS_USE_KEYTAB		0x0002
+#define KCM_FLAGS_RENEWABLE		0x0004
+#define KCM_FLAGS_OWNER_IS_SYSTEM	0x0008
+#define KCM_FLAGS_USE_CACHED_KEY	0x0010
+
+#define KCM_MASK_KEY_PRESENT		( KCM_FLAGS_USE_KEYTAB | \
+					  KCM_FLAGS_USE_CACHED_KEY )
+
+struct kcm_ccache_data;
+struct kcm_creds;
+
+typedef struct kcm_cursor {
+    pid_t pid;
+    uint32_t key;
+    struct kcm_creds *credp;		/* pointer to next credential */ 
+    struct kcm_cursor *next;
+} kcm_cursor;
+
+typedef struct kcm_ccache_data {
+    char *name;
+    unsigned refcnt;
+    uint16_t flags;
+    uint16_t mode;
+    uid_t uid;
+    gid_t gid;
+    krb5_principal client; /* primary client principal */
+    krb5_principal server; /* primary server principal (TGS if NULL) */
+    struct kcm_creds {
+	krb5_creds cred; /* XXX would be useful for have ACLs on creds */
+	struct kcm_creds *next;
+    } *creds;
+    uint32_t n_cursor;
+    kcm_cursor *cursors;
+    krb5_deltat tkt_life;
+    krb5_deltat renew_life;
+    union {
+	krb5_keytab keytab;
+	krb5_keyblock keyblock;
+    } key;
+    HEIMDAL_MUTEX mutex;
+    struct kcm_ccache_data *next;
+} kcm_ccache_data;
+
+#define KCM_ASSERT_VALID(_ccache)		do { \
+    if (((_ccache)->flags & KCM_FLAGS_VALID) == 0) \
+	krb5_abortx(context, "kcm_free_ccache_data: ccache invalid"); \
+    else if ((_ccache)->refcnt == 0) \
+	krb5_abortx(context, "kcm_free_ccache_data: ccache refcnt == 0"); \
+    } while (0)
+
+typedef kcm_ccache_data *kcm_ccache;
+
+/* Event management */
+
+typedef struct kcm_event {
+    int valid;
+    time_t fire_time;
+    unsigned fire_count;
+    time_t expire_time;
+    time_t backoff_time;
+    enum {
+	KCM_EVENT_NONE = 0,
+	KCM_EVENT_ACQUIRE_CREDS,
+	KCM_EVENT_RENEW_CREDS,
+	KCM_EVENT_DESTROY_CREDS,
+	KCM_EVENT_DESTROY_EMPTY_CACHE
+    } action;
+    kcm_ccache ccache;
+    struct kcm_event *next;
+} kcm_event;
+
+/* wakeup interval for event queue */
+#define KCM_EVENT_QUEUE_INTERVAL		60
+#define KCM_EVENT_DEFAULT_BACKOFF_TIME		5
+#define KCM_EVENT_MAX_BACKOFF_TIME		(12 * 60 * 60)
+
+
+/* Request format is  LENGTH | MAJOR | MINOR | OPERATION | request */
+/* Response format is LENGTH | STATUS | response */
+
+typedef struct kcm_client {
+    pid_t pid;
+    uid_t uid;
+    gid_t gid;
+} kcm_client;
+
+#define CLIENT_IS_ROOT(client) ((client)->uid == 0)
+
+/* Dispatch table */
+/* passed in OPERATION | ... ; returns STATUS | ... */
+typedef krb5_error_code (*kcm_method)(krb5_context, kcm_client *, kcm_operation, krb5_storage *, krb5_storage *);
+
+struct kcm_op {
+    const char *name;
+    kcm_method method;
+};
+
+#define DEFAULT_LOG_DEST    "0/FILE:" LOCALSTATEDIR "/log/kcmd.log"
+#define _PATH_KCM_CONF	    SYSCONFDIR "/kcm.conf"
+
+extern krb5_context kcm_context;
+extern char *socket_path;
+extern char *door_path;
+extern size_t max_request;
+extern sig_atomic_t exit_flag;
+extern int name_constraints;
+extern int detach_from_console;
+extern int disallow_getting_krbtgt;
+
+#if 0
+extern const krb5_cc_ops krb5_kcmss_ops;
+#endif
+
+#include <kcm_protos.h>
+
+#endif /* __KCM_LOCL_H__ */
+
diff --git a/crypto/heimdal/kcm/kcm_protos.h b/crypto/heimdal/kcm/kcm_protos.h
new file mode 100644
index 0000000..0fcea75
--- /dev/null
+++ b/crypto/heimdal/kcm/kcm_protos.h
@@ -0,0 +1,288 @@
+/* This is a generated file */
+#ifndef __kcm_protos_h__
+#define __kcm_protos_h__
+
+#include <stdarg.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+krb5_error_code
+kcm_access (
+	krb5_context /*context*/,
+	kcm_client */*client*/,
+	kcm_operation /*opcode*/,
+	kcm_ccache /*ccache*/);
+
+krb5_error_code
+kcm_ccache_acquire (
+	krb5_context /*context*/,
+	kcm_ccache /*ccache*/,
+	krb5_creds **/*credp*/);
+
+krb5_error_code
+kcm_ccache_destroy (
+	krb5_context /*context*/,
+	const char */*name*/);
+
+krb5_error_code
+kcm_ccache_destroy_client (
+	krb5_context /*context*/,
+	kcm_client */*client*/,
+	const char */*name*/);
+
+krb5_error_code
+kcm_ccache_destroy_if_empty (
+	krb5_context /*context*/,
+	kcm_ccache /*ccache*/);
+
+krb5_error_code
+kcm_ccache_enqueue_default (
+	krb5_context /*context*/,
+	kcm_ccache /*ccache*/,
+	krb5_creds */*newcred*/);
+
+krb5_error_code
+kcm_ccache_gen_new (
+	krb5_context /*context*/,
+	pid_t /*pid*/,
+	uid_t /*uid*/,
+	gid_t /*gid*/,
+	kcm_ccache */*ccache*/);
+
+krb5_error_code
+kcm_ccache_new (
+	krb5_context /*context*/,
+	const char */*name*/,
+	kcm_ccache */*ccache*/);
+
+krb5_error_code
+kcm_ccache_new_client (
+	krb5_context /*context*/,
+	kcm_client */*client*/,
+	const char */*name*/,
+	kcm_ccache */*ccache_p*/);
+
+char *kcm_ccache_nextid (
+	pid_t /*pid*/,
+	uid_t /*uid*/,
+	gid_t /*gid*/);
+
+krb5_error_code
+kcm_ccache_refresh (
+	krb5_context /*context*/,
+	kcm_ccache /*ccache*/,
+	krb5_creds **/*credp*/);
+
+krb5_error_code
+kcm_ccache_remove_cred (
+	krb5_context /*context*/,
+	kcm_ccache /*ccache*/,
+	krb5_flags /*whichfields*/,
+	const krb5_creds */*mcreds*/);
+
+krb5_error_code
+kcm_ccache_remove_cred_internal (
+	krb5_context /*context*/,
+	kcm_ccache /*ccache*/,
+	krb5_flags /*whichfields*/,
+	const krb5_creds */*mcreds*/);
+
+krb5_error_code
+kcm_ccache_remove_creds (
+	krb5_context /*context*/,
+	kcm_ccache /*ccache*/);
+
+krb5_error_code
+kcm_ccache_remove_creds_internal (
+	krb5_context /*context*/,
+	kcm_ccache /*ccache*/);
+
+krb5_error_code
+kcm_ccache_resolve (
+	krb5_context /*context*/,
+	const char */*name*/,
+	kcm_ccache */*ccache*/);
+
+krb5_error_code
+kcm_ccache_resolve_client (
+	krb5_context /*context*/,
+	kcm_client */*client*/,
+	kcm_operation /*opcode*/,
+	const char */*name*/,
+	kcm_ccache */*ccache*/);
+
+krb5_error_code
+kcm_ccache_retrieve_cred (
+	krb5_context /*context*/,
+	kcm_ccache /*ccache*/,
+	krb5_flags /*whichfields*/,
+	const krb5_creds */*mcreds*/,
+	krb5_creds **/*credp*/);
+
+krb5_error_code
+kcm_ccache_retrieve_cred_internal (
+	krb5_context /*context*/,
+	kcm_ccache /*ccache*/,
+	krb5_flags /*whichfields*/,
+	const krb5_creds */*mcreds*/,
+	krb5_creds **/*creds*/);
+
+krb5_error_code
+kcm_ccache_store_cred (
+	krb5_context /*context*/,
+	kcm_ccache /*ccache*/,
+	krb5_creds */*creds*/,
+	int /*copy*/);
+
+krb5_error_code
+kcm_ccache_store_cred_internal (
+	krb5_context /*context*/,
+	kcm_ccache /*ccache*/,
+	krb5_creds */*creds*/,
+	int /*copy*/,
+	krb5_creds **/*credp*/);
+
+krb5_error_code
+kcm_chmod (
+	krb5_context /*context*/,
+	kcm_client */*client*/,
+	kcm_ccache /*ccache*/,
+	uint16_t /*mode*/);
+
+krb5_error_code
+kcm_chown (
+	krb5_context /*context*/,
+	kcm_client */*client*/,
+	kcm_ccache /*ccache*/,
+	uid_t /*uid*/,
+	gid_t /*gid*/);
+
+krb5_error_code
+kcm_cleanup_events (
+	krb5_context /*context*/,
+	kcm_ccache /*ccache*/);
+
+void
+kcm_configure (
+	int /*argc*/,
+	char **/*argv*/);
+
+krb5_error_code
+kcm_cursor_delete (
+	krb5_context /*context*/,
+	pid_t /*pid*/,
+	kcm_ccache /*ccache*/,
+	uint32_t /*key*/);
+
+krb5_error_code
+kcm_cursor_find (
+	krb5_context /*context*/,
+	pid_t /*pid*/,
+	kcm_ccache /*ccache*/,
+	uint32_t /*key*/,
+	kcm_cursor **/*cursor*/);
+
+krb5_error_code
+kcm_cursor_new (
+	krb5_context /*context*/,
+	pid_t /*pid*/,
+	kcm_ccache /*ccache*/,
+	uint32_t */*cursor*/);
+
+krb5_error_code
+kcm_debug_ccache (krb5_context /*context*/);
+
+krb5_error_code
+kcm_debug_events (krb5_context /*context*/);
+
+krb5_error_code
+kcm_dispatch (
+	krb5_context /*context*/,
+	kcm_client */*client*/,
+	krb5_data */*req_data*/,
+	krb5_data */*resp_data*/);
+
+krb5_error_code
+kcm_enqueue_event (
+	krb5_context /*context*/,
+	kcm_event */*event*/);
+
+krb5_error_code
+kcm_enqueue_event_internal (
+	krb5_context /*context*/,
+	kcm_event */*event*/);
+
+krb5_error_code
+kcm_enqueue_event_relative (
+	krb5_context /*context*/,
+	kcm_event */*event*/);
+
+krb5_error_code
+kcm_internal_ccache (
+	krb5_context /*context*/,
+	kcm_ccache /*c*/,
+	krb5_ccache /*id*/);
+
+void
+kcm_log (
+	int /*level*/,
+	const char */*fmt*/,
+	...);
+
+char*
+kcm_log_msg (
+	int /*level*/,
+	const char */*fmt*/,
+	...);
+
+char*
+kcm_log_msg_va (
+	int /*level*/,
+	const char */*fmt*/,
+	va_list /*ap*/);
+
+void
+kcm_loop (void);
+
+const char *kcm_op2string (kcm_operation /*opcode*/);
+
+void
+kcm_openlog (void);
+
+krb5_error_code
+kcm_release_ccache (
+	krb5_context /*context*/,
+	kcm_ccache */*ccache*/);
+
+krb5_error_code
+kcm_remove_event (
+	krb5_context /*context*/,
+	kcm_event */*event*/);
+
+krb5_error_code
+kcm_retain_ccache (
+	krb5_context /*context*/,
+	kcm_ccache /*ccache*/);
+
+krb5_error_code
+kcm_run_events (
+	krb5_context /*context*/,
+	time_t /*now*/);
+
+krb5_error_code
+kcm_zero_ccache_data (
+	krb5_context /*context*/,
+	kcm_ccache /*cache*/);
+
+krb5_error_code
+kcm_zero_ccache_data_internal (
+	krb5_context /*context*/,
+	kcm_ccache_data */*cache*/);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __kcm_protos_h__ */
diff --git a/crypto/heimdal/kcm/log.c b/crypto/heimdal/kcm/log.c
new file mode 100644
index 0000000..351782e
--- /dev/null
+++ b/crypto/heimdal/kcm/log.c
@@ -0,0 +1,85 @@
+/*
+ * Copyright (c) 1997, 1998, 2002 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kcm_locl.h"
+
+RCSID("$Id: log.c 14566 2005-02-06 01:22:49Z lukeh $");
+
+static krb5_log_facility *logf;
+
+void
+kcm_openlog(void)
+{
+    char **s = NULL, **p;
+    krb5_initlog(kcm_context, "kcm", &logf);
+    s = krb5_config_get_strings(kcm_context, NULL, "kcm", "logging", NULL);
+    if(s == NULL)
+	s = krb5_config_get_strings(kcm_context, NULL, "logging", "kcm", NULL);
+    if(s){
+	for(p = s; *p; p++)
+	    krb5_addlog_dest(kcm_context, logf, *p);
+	krb5_config_free_strings(s);
+    }else
+	krb5_addlog_dest(kcm_context, logf, DEFAULT_LOG_DEST);
+    krb5_set_warn_dest(kcm_context, logf);
+}
+
+char*
+kcm_log_msg_va(int level, const char *fmt, va_list ap)
+{
+    char *msg;
+    krb5_vlog_msg(kcm_context, logf, &msg, level, fmt, ap);
+    return msg;
+}
+
+char*
+kcm_log_msg(int level, const char *fmt, ...)
+{
+    va_list ap;
+    char *s;
+    va_start(ap, fmt);
+    s = kcm_log_msg_va(level, fmt, ap);
+    va_end(ap);
+    return s;
+}
+
+void
+kcm_log(int level, const char *fmt, ...)
+{
+    va_list ap;
+    char *s;
+    va_start(ap, fmt);
+    s = kcm_log_msg_va(level, fmt, ap);
+    if(s) free(s);
+    va_end(ap);
+}
diff --git a/crypto/heimdal/kcm/main.c b/crypto/heimdal/kcm/main.c
new file mode 100644
index 0000000..da88a2c
--- /dev/null
+++ b/crypto/heimdal/kcm/main.c
@@ -0,0 +1,107 @@
+/*
+ * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kcm_locl.h"
+
+RCSID("$Id: main.c 15298 2005-05-30 10:58:14Z lha $");
+
+sig_atomic_t exit_flag = 0;
+
+krb5_context kcm_context = NULL;
+
+static RETSIGTYPE
+sigterm(int sig)
+{
+    exit_flag = 1;
+}
+
+static RETSIGTYPE
+sigusr1(int sig)
+{
+    kcm_debug_ccache(kcm_context);
+}
+
+static RETSIGTYPE
+sigusr2(int sig)
+{
+    kcm_debug_events(kcm_context);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    setprogname(argv[0]);
+
+    ret = krb5_init_context(&kcm_context);
+    if (ret) {
+	errx (1, "krb5_init_context failed: %d", ret);
+	return ret;
+    }
+
+    kcm_configure(argc, argv);
+    
+#ifdef HAVE_SIGACTION
+    {
+	struct sigaction sa;
+
+	sa.sa_flags = 0;
+	sa.sa_handler = sigterm;
+	sigemptyset(&sa.sa_mask);
+
+	sigaction(SIGINT, &sa, NULL);
+	sigaction(SIGTERM, &sa, NULL);
+
+	sa.sa_handler = sigusr1;
+	sigaction(SIGUSR1, &sa, NULL);
+
+	sa.sa_handler = sigusr2;
+	sigaction(SIGUSR2, &sa, NULL);
+
+	sa.sa_handler = SIG_IGN;
+	sigaction(SIGPIPE, &sa, NULL);
+    }
+#else
+    signal(SIGINT, sigterm);
+    signal(SIGTERM, sigterm);
+    signal(SIGUSR1, sigusr1);
+    signal(SIGUSR2, sigusr2);
+    signal(SIGPIPE, SIG_IGN);
+#endif
+    if (detach_from_console)
+	daemon(0, 0);
+    pidfile(NULL);
+    kcm_loop();
+    krb5_free_context(kcm_context);
+    return 0;
+}
diff --git a/crypto/heimdal/kcm/protocol.c b/crypto/heimdal/kcm/protocol.c
new file mode 100644
index 0000000..bb3c653
--- /dev/null
+++ b/crypto/heimdal/kcm/protocol.c
@@ -0,0 +1,1046 @@
+/*
+ * Copyright (c) 2005, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kcm_locl.h"
+
+RCSID("$Id: protocol.c 22112 2007-12-03 19:34:33Z lha $");
+
+static krb5_error_code
+kcm_op_noop(krb5_context context,
+	    kcm_client *client,
+	    kcm_operation opcode,
+	    krb5_storage *request,
+	    krb5_storage *response)
+{
+    KCM_LOG_REQUEST(context, client, opcode);
+
+    return 0;	
+}
+
+/*
+ * Request:
+ *	NameZ
+ * Response:
+ *	NameZ
+ *
+ */
+static krb5_error_code
+kcm_op_get_name(krb5_context context,
+		kcm_client *client,
+		kcm_operation opcode,
+		krb5_storage *request,
+		krb5_storage *response)
+
+{
+    krb5_error_code ret;
+    char *name = NULL;
+    kcm_ccache ccache;
+
+    ret = krb5_ret_stringz(request, &name);
+    if (ret)
+	return ret;
+
+    KCM_LOG_REQUEST_NAME(context, client, opcode, name);
+
+    ret = kcm_ccache_resolve_client(context, client, opcode,
+				    name, &ccache);
+    if (ret) {
+	free(name);
+	return ret;
+    }
+
+    ret = krb5_store_stringz(response, ccache->name);
+    if (ret) {
+	kcm_release_ccache(context, &ccache);
+	free(name);
+	return ret;
+    }
+
+    free(name);
+    kcm_release_ccache(context, &ccache);
+    return 0;
+}
+
+/*
+ * Request:
+ *	
+ * Response:
+ *	NameZ
+ */
+static krb5_error_code
+kcm_op_gen_new(krb5_context context,
+	       kcm_client *client,
+	       kcm_operation opcode,
+	       krb5_storage *request,
+	       krb5_storage *response)
+{
+    krb5_error_code ret;
+    char *name;
+
+    KCM_LOG_REQUEST(context, client, opcode);
+
+    name = kcm_ccache_nextid(client->pid, client->uid, client->gid);
+    if (name == NULL) {
+	return KRB5_CC_NOMEM;
+    }
+
+    ret = krb5_store_stringz(response, name);
+    free(name);
+
+    return ret;
+}
+
+/*
+ * Request:
+ *	NameZ
+ *	Principal
+ *	
+ * Response:
+ *	
+ */
+static krb5_error_code
+kcm_op_initialize(krb5_context context,
+		  kcm_client *client,
+		  kcm_operation opcode,
+		  krb5_storage *request,
+		  krb5_storage *response)
+{
+    kcm_ccache ccache;
+    krb5_principal principal;
+    krb5_error_code ret;
+    char *name;
+#if 0
+    kcm_event event;
+#endif
+
+    KCM_LOG_REQUEST(context, client, opcode);
+
+    ret = krb5_ret_stringz(request, &name);
+    if (ret)
+	return ret;
+
+    ret = krb5_ret_principal(request, &principal);
+    if (ret) {
+	free(name);
+	return ret;
+    }
+
+    ret = kcm_ccache_new_client(context, client, name, &ccache);
+    if (ret) {
+	free(name);
+	krb5_free_principal(context, principal);
+	return ret;
+    }
+
+    ccache->client = principal;
+
+    free(name);
+
+#if 0
+    /*
+     * Create a new credentials cache. To mitigate DoS attacks we will
+     * expire it in 30 minutes unless it has some credentials added
+     * to it
+     */
+
+    event.fire_time = 30 * 60;
+    event.expire_time = 0;
+    event.backoff_time = 0;
+    event.action = KCM_EVENT_DESTROY_EMPTY_CACHE;
+    event.ccache = ccache;
+
+    ret = kcm_enqueue_event_relative(context, &event);
+#endif
+
+    kcm_release_ccache(context, &ccache);
+
+    return ret;
+}
+
+/*
+ * Request:
+ *	NameZ
+ *	
+ * Response:
+ *	
+ */
+static krb5_error_code
+kcm_op_destroy(krb5_context context,
+	       kcm_client *client,
+	       kcm_operation opcode,
+	       krb5_storage *request,
+	       krb5_storage *response)
+{
+    krb5_error_code ret;
+    char *name;
+
+    ret = krb5_ret_stringz(request, &name);
+    if (ret)
+	return ret;
+
+    KCM_LOG_REQUEST_NAME(context, client, opcode, name);
+
+    ret = kcm_ccache_destroy_client(context, client, name);
+
+    free(name);
+
+    return ret;
+}
+
+/*
+ * Request:
+ *	NameZ
+ *	Creds
+ *	
+ * Response:
+ *	
+ */
+static krb5_error_code
+kcm_op_store(krb5_context context,
+	     kcm_client *client,
+	     kcm_operation opcode,
+	     krb5_storage *request,
+	     krb5_storage *response)
+{
+    krb5_creds creds;
+    krb5_error_code ret;
+    kcm_ccache ccache;
+    char *name;
+
+    ret = krb5_ret_stringz(request, &name);
+    if (ret)
+	return ret;
+
+    KCM_LOG_REQUEST_NAME(context, client, opcode, name);
+
+    ret = krb5_ret_creds(request, &creds);
+    if (ret) {
+	free(name);
+	return ret;
+    }
+
+    ret = kcm_ccache_resolve_client(context, client, opcode,
+				    name, &ccache);
+    if (ret) {
+	free(name);
+	krb5_free_cred_contents(context, &creds);
+	return ret;
+    }
+
+    ret = kcm_ccache_store_cred(context, ccache, &creds, 0);
+    if (ret) {
+	free(name);
+	krb5_free_cred_contents(context, &creds);
+	kcm_release_ccache(context, &ccache);
+	return ret;
+    }
+
+    kcm_ccache_enqueue_default(context, ccache, &creds);
+
+    free(name);
+    kcm_release_ccache(context, &ccache);
+
+    return 0;
+}
+
+/*
+ * Request:
+ *	NameZ
+ *	WhichFields
+ *	MatchCreds
+ *
+ * Response:
+ *	Creds
+ *	
+ */
+static krb5_error_code
+kcm_op_retrieve(krb5_context context,
+		kcm_client *client,
+		kcm_operation opcode,
+		krb5_storage *request,
+		krb5_storage *response)
+{
+    uint32_t flags;
+    krb5_creds mcreds;
+    krb5_error_code ret;
+    kcm_ccache ccache;
+    char *name;
+    krb5_creds *credp;
+    int free_creds = 0;
+
+    ret = krb5_ret_stringz(request, &name);
+    if (ret)
+	return ret;
+
+    KCM_LOG_REQUEST_NAME(context, client, opcode, name);
+
+    ret = krb5_ret_uint32(request, &flags);
+    if (ret) {
+	free(name);
+	return ret;
+    }
+
+    ret = krb5_ret_creds_tag(request, &mcreds);
+    if (ret) {
+	free(name);
+	return ret;
+    }
+
+    if (disallow_getting_krbtgt &&
+	mcreds.server->name.name_string.len == 2 &&
+	strcmp(mcreds.server->name.name_string.val[0], KRB5_TGS_NAME) == 0)
+    {
+	free(name);
+	krb5_free_cred_contents(context, &mcreds);
+	return KRB5_FCC_PERM;
+    }
+
+    ret = kcm_ccache_resolve_client(context, client, opcode,
+				    name, &ccache);
+    if (ret) {
+	free(name);
+	krb5_free_cred_contents(context, &mcreds);
+	return ret;
+    }
+
+    ret = kcm_ccache_retrieve_cred(context, ccache, flags,
+				   &mcreds, &credp);
+    if (ret && ((flags & KRB5_GC_CACHED) == 0)) {
+	krb5_ccache_data ccdata;
+
+	/* try and acquire */
+	HEIMDAL_MUTEX_lock(&ccache->mutex);
+
+	/* Fake up an internal ccache */
+	kcm_internal_ccache(context, ccache, &ccdata);
+
+	/* glue cc layer will store creds */
+	ret = krb5_get_credentials(context, 0, &ccdata, &mcreds, &credp);
+	if (ret == 0)
+	    free_creds = 1;
+
+	HEIMDAL_MUTEX_unlock(&ccache->mutex);
+    }
+
+    if (ret == 0) {
+	ret = krb5_store_creds(response, credp);
+    }
+
+    free(name);
+    krb5_free_cred_contents(context, &mcreds);
+    kcm_release_ccache(context, &ccache);
+
+    if (free_creds)
+	krb5_free_cred_contents(context, credp);
+
+    return ret;
+}
+
+/*
+ * Request:
+ *	NameZ
+ *
+ * Response:
+ *	Principal
+ */
+static krb5_error_code
+kcm_op_get_principal(krb5_context context,
+		     kcm_client *client,
+		     kcm_operation opcode,
+		     krb5_storage *request,
+		     krb5_storage *response)
+{
+    krb5_error_code ret;
+    kcm_ccache ccache;
+    char *name;
+
+    ret = krb5_ret_stringz(request, &name);
+    if (ret)
+	return ret;
+
+    KCM_LOG_REQUEST_NAME(context, client, opcode, name);
+
+    ret = kcm_ccache_resolve_client(context, client, opcode,
+				    name, &ccache);
+    if (ret) {
+	free(name);
+	return ret;
+    }
+
+    if (ccache->client == NULL)
+	ret = KRB5_CC_NOTFOUND;
+    else
+	ret = krb5_store_principal(response, ccache->client);
+
+    free(name);
+    kcm_release_ccache(context, &ccache);
+
+    return 0;
+}
+
+/*
+ * Request:
+ *	NameZ
+ *
+ * Response:
+ *	Cursor
+ *	
+ */
+static krb5_error_code
+kcm_op_get_first(krb5_context context,
+		 kcm_client *client,
+		 kcm_operation opcode,
+		 krb5_storage *request,
+		 krb5_storage *response)
+{
+    krb5_error_code ret;
+    kcm_ccache ccache;
+    uint32_t cursor;
+    char *name;
+
+    ret = krb5_ret_stringz(request, &name);
+    if (ret)
+	return ret;
+
+    KCM_LOG_REQUEST_NAME(context, client, opcode, name);
+
+    ret = kcm_ccache_resolve_client(context, client, opcode,
+				    name, &ccache);
+    if (ret) {
+	free(name);
+	return ret;
+    }
+
+    ret = kcm_cursor_new(context, client->pid, ccache, &cursor);
+    if (ret) {
+	kcm_release_ccache(context, &ccache);
+	free(name);
+	return ret;
+    }
+
+    ret = krb5_store_int32(response, cursor);
+
+    free(name);
+    kcm_release_ccache(context, &ccache);
+
+    return ret;
+}
+
+/*
+ * Request:
+ *	NameZ
+ *	Cursor
+ *
+ * Response:
+ *	Creds
+ */
+static krb5_error_code
+kcm_op_get_next(krb5_context context,
+		kcm_client *client,
+		kcm_operation opcode,
+		krb5_storage *request,
+		krb5_storage *response)
+{
+    krb5_error_code ret;
+    kcm_ccache ccache;
+    char *name;
+    uint32_t cursor;
+    kcm_cursor *c;
+
+    ret = krb5_ret_stringz(request, &name);
+    if (ret)
+	return ret;
+
+    KCM_LOG_REQUEST_NAME(context, client, opcode, name);
+
+    ret = krb5_ret_uint32(request, &cursor);
+    if (ret) {
+	free(name);
+	return ret;
+    }
+
+    ret = kcm_ccache_resolve_client(context, client, opcode,
+				    name, &ccache);
+    if (ret) {
+	free(name);
+	return ret;
+    }
+
+    ret = kcm_cursor_find(context, client->pid, ccache, cursor, &c);
+    if (ret) {
+	kcm_release_ccache(context, &ccache);
+	free(name);
+	return ret;
+    }
+
+    HEIMDAL_MUTEX_lock(&ccache->mutex);
+    if (c->credp == NULL) {
+	ret = KRB5_CC_END;
+    } else {
+	ret = krb5_store_creds(response, &c->credp->cred);
+	c->credp = c->credp->next;
+    }
+    HEIMDAL_MUTEX_unlock(&ccache->mutex);
+
+    free(name);
+    kcm_release_ccache(context, &ccache);
+
+    return ret;
+}
+
+/*
+ * Request:
+ *	NameZ
+ *	Cursor
+ *
+ * Response:
+ *	
+ */
+static krb5_error_code
+kcm_op_end_get(krb5_context context,
+	       kcm_client *client,
+	       kcm_operation opcode,
+	       krb5_storage *request,
+	       krb5_storage *response)
+{
+    krb5_error_code ret;
+    kcm_ccache ccache;
+    uint32_t cursor;
+    char *name;
+
+    ret = krb5_ret_stringz(request, &name);
+    if (ret)
+	return ret;
+
+    KCM_LOG_REQUEST_NAME(context, client, opcode, name);
+
+    ret = krb5_ret_uint32(request, &cursor);
+    if (ret) {
+	free(name);
+	return ret;
+    }
+
+    ret = kcm_ccache_resolve_client(context, client, opcode,
+				    name, &ccache);
+    if (ret) {
+	free(name);
+	return ret;
+    }
+
+    ret = kcm_cursor_delete(context, client->pid, ccache, cursor);
+
+    free(name);
+    kcm_release_ccache(context, &ccache);
+
+    return ret;
+}
+
+/*
+ * Request:
+ *	NameZ
+ *	WhichFields
+ *	MatchCreds
+ *
+ * Response:
+ *	
+ */
+static krb5_error_code
+kcm_op_remove_cred(krb5_context context,
+		   kcm_client *client,
+		   kcm_operation opcode,
+		   krb5_storage *request,
+		   krb5_storage *response)
+{
+    uint32_t whichfields;
+    krb5_creds mcreds;
+    krb5_error_code ret;
+    kcm_ccache ccache;
+    char *name;
+
+    ret = krb5_ret_stringz(request, &name);
+    if (ret)
+	return ret;
+
+    KCM_LOG_REQUEST_NAME(context, client, opcode, name);
+
+    ret = krb5_ret_uint32(request, &whichfields);
+    if (ret) {
+	free(name);
+	return ret;
+    }
+
+    ret = krb5_ret_creds_tag(request, &mcreds);
+    if (ret) {
+	free(name);
+	return ret;
+    }
+
+    ret = kcm_ccache_resolve_client(context, client, opcode,
+				    name, &ccache);
+    if (ret) {
+	free(name);
+	krb5_free_cred_contents(context, &mcreds);
+	return ret;
+    }
+
+    ret = kcm_ccache_remove_cred(context, ccache, whichfields, &mcreds);
+
+    /* XXX need to remove any events that match */
+
+    free(name);
+    krb5_free_cred_contents(context, &mcreds);
+    kcm_release_ccache(context, &ccache);
+
+    return ret;
+}
+
+/*
+ * Request:
+ *	NameZ
+ *	Flags
+ *
+ * Response:
+ *	
+ */
+static krb5_error_code
+kcm_op_set_flags(krb5_context context,
+		 kcm_client *client,
+		 kcm_operation opcode,
+		 krb5_storage *request,
+		 krb5_storage *response)
+{
+    uint32_t flags;
+    krb5_error_code ret;
+    kcm_ccache ccache;
+    char *name;
+
+    ret = krb5_ret_stringz(request, &name);
+    if (ret)
+	return ret;
+
+    KCM_LOG_REQUEST_NAME(context, client, opcode, name);
+
+    ret = krb5_ret_uint32(request, &flags);
+    if (ret) {
+	free(name);
+	return ret;
+    }
+
+    ret = kcm_ccache_resolve_client(context, client, opcode,
+				    name, &ccache);
+    if (ret) {
+	free(name);
+	return ret;
+    }
+
+    /* we don't really support any flags yet */
+    free(name);
+    kcm_release_ccache(context, &ccache);
+
+    return 0;
+}
+
+/*
+ * Request:
+ *	NameZ
+ *	UID
+ *	GID
+ *
+ * Response:
+ *	
+ */
+static krb5_error_code
+kcm_op_chown(krb5_context context,
+	     kcm_client *client,
+	     kcm_operation opcode,
+	     krb5_storage *request,
+	     krb5_storage *response)
+{
+    uint32_t uid;
+    uint32_t gid;
+    krb5_error_code ret;
+    kcm_ccache ccache;
+    char *name;
+
+    ret = krb5_ret_stringz(request, &name);
+    if (ret)
+	return ret;
+
+    KCM_LOG_REQUEST_NAME(context, client, opcode, name);
+
+    ret = krb5_ret_uint32(request, &uid);
+    if (ret) {
+	free(name);
+	return ret;
+    }
+
+    ret = krb5_ret_uint32(request, &gid);
+    if (ret) {
+	free(name);
+	return ret;
+    }
+
+    ret = kcm_ccache_resolve_client(context, client, opcode,
+				    name, &ccache);
+    if (ret) {
+	free(name);
+	return ret;
+    }
+
+    ret = kcm_chown(context, client, ccache, uid, gid);
+
+    free(name);
+    kcm_release_ccache(context, &ccache);
+
+    return ret;
+}
+
+/*
+ * Request:
+ *	NameZ
+ *	Mode
+ *
+ * Response:
+ *	
+ */
+static krb5_error_code
+kcm_op_chmod(krb5_context context,
+	     kcm_client *client,
+	     kcm_operation opcode,
+	     krb5_storage *request,
+	     krb5_storage *response)
+{
+    uint16_t mode;
+    krb5_error_code ret;
+    kcm_ccache ccache;
+    char *name;
+
+    ret = krb5_ret_stringz(request, &name);
+    if (ret)
+	return ret;
+
+    KCM_LOG_REQUEST_NAME(context, client, opcode, name);
+
+    ret = krb5_ret_uint16(request, &mode);
+    if (ret) {
+	free(name);
+	return ret;
+    }
+
+    ret = kcm_ccache_resolve_client(context, client, opcode,
+				    name, &ccache);
+    if (ret) {
+	free(name);
+	return ret;
+    }
+
+    ret = kcm_chmod(context, client, ccache, mode);
+
+    free(name);
+    kcm_release_ccache(context, &ccache);
+
+    return ret;
+}
+
+/*
+ * Protocol extensions for moving ticket acquisition responsibility
+ * from client to KCM follow.
+ */
+
+/*
+ * Request:
+ *	NameZ
+ *	ServerPrincipalPresent
+ *	ServerPrincipal OPTIONAL
+ *	Key
+ *
+ * Repsonse:
+ *
+ */
+static krb5_error_code
+kcm_op_get_initial_ticket(krb5_context context,
+			  kcm_client *client,
+			  kcm_operation opcode,
+			  krb5_storage *request,
+			  krb5_storage *response)
+{
+    krb5_error_code ret;
+    kcm_ccache ccache;
+    char *name;
+    int8_t not_tgt = 0;
+    krb5_principal server = NULL;
+    krb5_keyblock key;
+
+    krb5_keyblock_zero(&key);
+
+    ret = krb5_ret_stringz(request, &name);
+    if (ret)
+	return ret;
+
+    KCM_LOG_REQUEST_NAME(context, client, opcode, name);
+
+    ret = krb5_ret_int8(request, &not_tgt);
+    if (ret) {
+	free(name);
+	return ret;
+    }
+
+    if (not_tgt) {
+	ret = krb5_ret_principal(request, &server);
+	if (ret) {
+	    free(name);
+	    return ret;
+	}
+    }
+
+    ret = krb5_ret_keyblock(request, &key);
+    if (ret) {
+	free(name);
+	if (server != NULL)
+	    krb5_free_principal(context, server);
+	return ret;
+    }
+
+    ret = kcm_ccache_resolve_client(context, client, opcode,
+				    name, &ccache);
+    if (ret == 0) {
+	HEIMDAL_MUTEX_lock(&ccache->mutex);
+
+	if (ccache->server != NULL) {
+	    krb5_free_principal(context, ccache->server);
+	    ccache->server = NULL;
+	}
+
+	krb5_free_keyblock(context, &ccache->key.keyblock);
+
+	ccache->server = server;
+	ccache->key.keyblock = key;
+    	ccache->flags |= KCM_FLAGS_USE_CACHED_KEY;
+
+	ret = kcm_ccache_enqueue_default(context, ccache, NULL);
+	if (ret) {
+	    ccache->server = NULL;
+	    krb5_keyblock_zero(&ccache->key.keyblock);
+	    ccache->flags &= ~(KCM_FLAGS_USE_CACHED_KEY);
+	}
+
+	HEIMDAL_MUTEX_unlock(&ccache->mutex);
+    }
+
+    free(name);
+
+    if (ret != 0) {
+	krb5_free_principal(context, server);
+	krb5_free_keyblock(context, &key);
+    }
+
+    kcm_release_ccache(context, &ccache);
+
+    return ret;
+}
+
+/*
+ * Request:
+ *	NameZ
+ *	ServerPrincipal
+ *	KDCFlags
+ *	EncryptionType
+ *
+ * Repsonse:
+ *
+ */
+static krb5_error_code
+kcm_op_get_ticket(krb5_context context,
+		  kcm_client *client,
+		  kcm_operation opcode,
+		  krb5_storage *request,
+		  krb5_storage *response)
+{
+    krb5_error_code ret;
+    kcm_ccache ccache;
+    char *name;
+    krb5_principal server = NULL;
+    krb5_ccache_data ccdata;
+    krb5_creds in, *out;
+    krb5_kdc_flags flags;
+
+    memset(&in, 0, sizeof(in));
+
+    ret = krb5_ret_stringz(request, &name);
+    if (ret)
+	return ret;
+
+    KCM_LOG_REQUEST_NAME(context, client, opcode, name);
+
+    ret = krb5_ret_uint32(request, &flags.i);
+    if (ret) {
+	free(name);
+	return ret;
+    }
+
+    ret = krb5_ret_int32(request, &in.session.keytype);
+    if (ret) {
+	free(name);
+	return ret;
+    }
+
+    ret = krb5_ret_principal(request, &server);
+    if (ret) {
+	free(name);
+	return ret;
+    }
+
+    ret = kcm_ccache_resolve_client(context, client, opcode,
+				    name, &ccache);
+    if (ret) {
+	krb5_free_principal(context, server);
+	free(name);
+	return ret;
+    }
+ 
+    HEIMDAL_MUTEX_lock(&ccache->mutex);
+
+    /* Fake up an internal ccache */
+    kcm_internal_ccache(context, ccache, &ccdata);
+
+    in.client = ccache->client;
+    in.server = server;
+    in.times.endtime = 0;
+
+    /* glue cc layer will store creds */
+    ret = krb5_get_credentials_with_flags(context, 0, flags,
+					  &ccdata, &in, &out);
+
+    HEIMDAL_MUTEX_unlock(&ccache->mutex);
+
+    if (ret == 0)
+	krb5_free_cred_contents(context, out);
+
+    free(name);
+
+    return ret;
+}
+
+static struct kcm_op kcm_ops[] = {
+    { "NOOP", 			kcm_op_noop },
+    { "GET_NAME",		kcm_op_get_name },
+    { "RESOLVE",		kcm_op_noop },
+    { "GEN_NEW", 		kcm_op_gen_new },
+    { "INITIALIZE",		kcm_op_initialize },
+    { "DESTROY",		kcm_op_destroy },
+    { "STORE",			kcm_op_store },
+    { "RETRIEVE",		kcm_op_retrieve },
+    { "GET_PRINCIPAL",		kcm_op_get_principal },
+    { "GET_FIRST",		kcm_op_get_first },
+    { "GET_NEXT",		kcm_op_get_next },
+    { "END_GET",		kcm_op_end_get },
+    { "REMOVE_CRED",		kcm_op_remove_cred },
+    { "SET_FLAGS",		kcm_op_set_flags },
+    { "CHOWN",			kcm_op_chown },
+    { "CHMOD",			kcm_op_chmod },
+    { "GET_INITIAL_TICKET",	kcm_op_get_initial_ticket },
+    { "GET_TICKET",		kcm_op_get_ticket }
+};
+
+
+const char *kcm_op2string(kcm_operation opcode)
+{
+    if (opcode >= sizeof(kcm_ops)/sizeof(kcm_ops[0]))
+	return "Unknown operation";
+
+    return kcm_ops[opcode].name;
+}
+
+krb5_error_code
+kcm_dispatch(krb5_context context,
+	     kcm_client *client,
+	     krb5_data *req_data,
+	     krb5_data *resp_data)
+{
+    krb5_error_code ret;
+    kcm_method method;
+    krb5_storage *req_sp = NULL;
+    krb5_storage *resp_sp = NULL;
+    uint16_t opcode;
+
+    resp_sp = krb5_storage_emem();
+    if (resp_sp == NULL) {
+	return ENOMEM;
+    }
+
+    if (client->pid == -1) {
+	kcm_log(0, "Client had invalid process number");
+	ret = KRB5_FCC_INTERNAL;
+	goto out;
+    }
+
+    req_sp = krb5_storage_from_data(req_data);
+    if (req_sp == NULL) {
+	kcm_log(0, "Process %d: failed to initialize storage from data",
+		client->pid);
+	ret = KRB5_CC_IO;
+	goto out;
+    }
+
+    ret = krb5_ret_uint16(req_sp, &opcode);
+    if (ret) {
+	kcm_log(0, "Process %d: didn't send a message", client->pid);
+	goto out;
+    }
+
+    if (opcode >= sizeof(kcm_ops)/sizeof(kcm_ops[0])) {
+	kcm_log(0, "Process %d: invalid operation code %d",
+		client->pid, opcode);
+	ret = KRB5_FCC_INTERNAL;
+	goto out;
+    }
+    method = kcm_ops[opcode].method;
+
+    /* seek past place for status code */
+    krb5_storage_seek(resp_sp, 4, SEEK_SET);
+
+    ret = (*method)(context, client, opcode, req_sp, resp_sp);
+
+out:
+    if (req_sp != NULL) {
+	krb5_storage_free(req_sp);
+    }
+
+    krb5_storage_seek(resp_sp, 0, SEEK_SET);
+    krb5_store_int32(resp_sp, ret);
+
+    ret = krb5_storage_to_data(resp_sp, resp_data);
+    krb5_storage_free(resp_sp);
+
+    return ret;
+}
+
diff --git a/crypto/heimdal/kcm/renew.c b/crypto/heimdal/kcm/renew.c
new file mode 100644
index 0000000..9450209
--- /dev/null
+++ b/crypto/heimdal/kcm/renew.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 2005, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kcm_locl.h"
+
+RCSID("$Id: renew.c 14566 2005-02-06 01:22:49Z lukeh $");
+
+krb5_error_code
+kcm_ccache_refresh(krb5_context context,
+		   kcm_ccache ccache,
+		   krb5_creds **credp)
+{
+    krb5_error_code ret;
+    krb5_creds in, *out;
+    krb5_kdc_flags flags;
+    krb5_const_realm realm;
+    krb5_ccache_data ccdata;
+
+    memset(&in, 0, sizeof(in));
+
+    KCM_ASSERT_VALID(ccache);
+
+    if (ccache->client == NULL) {
+	/* no primary principal */
+	kcm_log(0, "Refresh credentials requested but no client principal");
+	return KRB5_CC_NOTFOUND;
+    }
+
+    HEIMDAL_MUTEX_lock(&ccache->mutex);
+
+    /* Fake up an internal ccache */
+    kcm_internal_ccache(context, ccache, &ccdata);
+
+    /* Find principal */
+    in.client = ccache->client;
+
+    if (ccache->server != NULL) {
+	ret = krb5_copy_principal(context, ccache->server, &in.server);
+	if (ret) {
+	    kcm_log(0, "Failed to copy service principal: %s",
+		    krb5_get_err_text(context, ret));
+	    goto out;
+	}
+    } else {
+	realm = krb5_principal_get_realm(context, in.client);
+	ret = krb5_make_principal(context, &in.server, realm,
+				  KRB5_TGS_NAME, realm, NULL);
+	if (ret) {
+	    kcm_log(0, "Failed to make TGS principal for realm %s: %s",
+		    realm, krb5_get_err_text(context, ret));
+	    goto out;
+	}
+    }
+
+    if (ccache->tkt_life)
+	in.times.endtime = time(NULL) + ccache->tkt_life;
+    if (ccache->renew_life)
+	in.times.renew_till = time(NULL) + ccache->renew_life;
+
+    flags.i = 0;
+    flags.b.renewable = TRUE;
+    flags.b.renew = TRUE;
+
+    ret = krb5_get_kdc_cred(context,
+			    &ccdata,
+			    flags,
+			    NULL,
+			    NULL,
+			    &in,
+			    &out);
+    if (ret) {
+	kcm_log(0, "Failed to renew credentials for cache %s: %s",
+		ccache->name, krb5_get_err_text(context, ret));
+	goto out;
+    }
+
+    /* Swap them in */
+    kcm_ccache_remove_creds_internal(context, ccache);
+
+    ret = kcm_ccache_store_cred_internal(context, ccache, out, 0, credp);
+    if (ret) {
+	kcm_log(0, "Failed to store credentials for cache %s: %s",
+		ccache->name, krb5_get_err_text(context, ret));
+	krb5_free_creds(context, out);
+	goto out;
+    }
+
+    free(out); /* but not contents */
+
+out:
+    HEIMDAL_MUTEX_unlock(&ccache->mutex);
+
+    return ret;
+}
+
diff --git a/crypto/heimdal/kdc/524.c b/crypto/heimdal/kdc/524.c
index 225594e..3e4ad29 100644
--- a/crypto/heimdal/kdc/524.c
+++ b/crypto/heimdal/kdc/524.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,11 +33,9 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: 524.c,v 1.29 2003/03/17 05:35:47 assar Exp $");
+RCSID("$Id: 524.c 18270 2006-10-06 17:06:30Z lha $");
 
-#ifndef KRB4
 #include <krb5-v4compat.h>
-#endif
 
 /*
  * fetch the server from `t', returning the name in malloced memory in
@@ -45,30 +43,35 @@ RCSID("$Id: 524.c,v 1.29 2003/03/17 05:35:47 assar Exp $");
  */
 
 static krb5_error_code
-fetch_server (const Ticket *t,
+fetch_server (krb5_context context, 
+	      krb5_kdc_configuration *config,
+	      const Ticket *t,
 	      char **spn,
-	      hdb_entry **server,
+	      hdb_entry_ex **server,
 	      const char *from)
 {
     krb5_error_code ret;
     krb5_principal sprinc;
 
-    ret = principalname2krb5_principal(&sprinc, t->sname, t->realm);
+    ret = _krb5_principalname2krb5_principal(context, &sprinc,
+					     t->sname, t->realm);
     if (ret) {
-	kdc_log(0, "principalname2krb5_principal: %s",
+	kdc_log(context, config, 0, "_krb5_principalname2krb5_principal: %s",
 		krb5_get_err_text(context, ret));
 	return ret;
     }
     ret = krb5_unparse_name(context, sprinc, spn);
     if (ret) {
 	krb5_free_principal(context, sprinc);
-	kdc_log(0, "krb5_unparse_name: %s", krb5_get_err_text(context, ret));
+	kdc_log(context, config, 0, "krb5_unparse_name: %s",
+		krb5_get_err_text(context, ret));
 	return ret;
     }
-    ret = db_fetch(sprinc, server);
+    ret = _kdc_db_fetch(context, config, sprinc, HDB_F_GET_SERVER, 
+			NULL, server);
     krb5_free_principal(context, sprinc);
     if (ret) {
-	kdc_log(0,
+	kdc_log(context, config, 0,
 	"Request to convert ticket from %s for unknown principal %s: %s",
 		from, *spn, krb5_get_err_text(context, ret));
 	if (ret == HDB_ERR_NOENTRY)
@@ -79,7 +82,9 @@ fetch_server (const Ticket *t,
 }
 
 static krb5_error_code
-log_524 (const EncTicketPart *et,
+log_524 (krb5_context context, 
+	 krb5_kdc_configuration *config,
+	 const EncTicketPart *et,
 	 const char *from,
 	 const char *spn)
 {
@@ -87,35 +92,38 @@ log_524 (const EncTicketPart *et,
     char *cpn;
     krb5_error_code ret;
 
-    ret = principalname2krb5_principal(&client, et->cname, et->crealm);
+    ret = _krb5_principalname2krb5_principal(context, &client, 
+					     et->cname, et->crealm);
     if (ret) {
-	kdc_log(0, "principalname2krb5_principal: %s",
+	kdc_log(context, config, 0, "_krb5_principalname2krb5_principal: %s",
 		krb5_get_err_text (context, ret));
 	return ret;
     }
     ret = krb5_unparse_name(context, client, &cpn);
     if (ret) {
 	krb5_free_principal(context, client);
-	kdc_log(0, "krb5_unparse_name: %s",
+	kdc_log(context, config, 0, "krb5_unparse_name: %s",
 		krb5_get_err_text (context, ret));
 	return ret;
     }
-    kdc_log(1, "524-REQ %s from %s for %s", cpn, from, spn);
+    kdc_log(context, config, 1, "524-REQ %s from %s for %s", cpn, from, spn);
     free(cpn);
     krb5_free_principal(context, client);
     return 0;
 }
 
 static krb5_error_code
-verify_flags (const EncTicketPart *et,
+verify_flags (krb5_context context, 
+	      krb5_kdc_configuration *config,
+	      const EncTicketPart *et,
 	      const char *spn)
 {
     if(et->endtime < kdc_time){
-	kdc_log(0, "Ticket expired (%s)", spn);
+	kdc_log(context, config, 0, "Ticket expired (%s)", spn);
 	return KRB5KRB_AP_ERR_TKT_EXPIRED;
     }
     if(et->flags.invalid){
-	kdc_log(0, "Ticket not valid (%s)", spn);
+	kdc_log(context, config, 0, "Ticket not valid (%s)", spn);
 	return KRB5KRB_AP_ERR_TKT_NYV;
     }
     return 0;
@@ -127,7 +135,9 @@ verify_flags (const EncTicketPart *et,
  */
 
 static krb5_error_code
-set_address (EncTicketPart *et,
+set_address (krb5_context context, 
+	     krb5_kdc_configuration *config,
+	     EncTicketPart *et,
 	     struct sockaddr *addr,
 	     const char *from)
 {
@@ -141,12 +151,12 @@ set_address (EncTicketPart *et,
     ret = krb5_sockaddr2address(context, addr, v4_addr);
     if(ret) {
 	free (v4_addr);
-	kdc_log(0, "Failed to convert address (%s)", from);
+	kdc_log(context, config, 0, "Failed to convert address (%s)", from);
 	return ret;
     }
 	    
     if (et->caddr && !krb5_address_search (context, v4_addr, et->caddr)) {
-	kdc_log(0, "Incorrect network address (%s)", from);
+	kdc_log(context, config, 0, "Incorrect network address (%s)", from);
 	krb5_free_address(context, v4_addr);
 	free (v4_addr);
 	return KRB5KRB_AP_ERR_BADADDR;
@@ -177,7 +187,9 @@ set_address (EncTicketPart *et,
 
 
 static krb5_error_code
-encrypt_v4_ticket(void *buf, 
+encrypt_v4_ticket(krb5_context context, 
+		  krb5_kdc_configuration *config,
+		  void *buf, 
 		  size_t len, 
 		  krb5_keyblock *skey, 
 		  EncryptedData *reply)
@@ -187,7 +199,7 @@ encrypt_v4_ticket(void *buf,
     ret = krb5_crypto_init(context, skey, ETYPE_DES_PCBC_NONE, &crypto);
     if (ret) {
 	free(buf);
-	kdc_log(0, "krb5_crypto_init failed: %s",
+	kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
 		krb5_get_err_text(context, ret));
 	return ret;
     }
@@ -201,7 +213,7 @@ encrypt_v4_ticket(void *buf,
 				     reply);
     krb5_crypto_destroy(context, crypto);
     if(ret) {
-	kdc_log(0, "Failed to encrypt data: %s",
+	kdc_log(context, config, 0, "Failed to encrypt data: %s",
 		krb5_get_err_text(context, ret));
 	return ret;
     }
@@ -209,8 +221,11 @@ encrypt_v4_ticket(void *buf,
 }
 
 static krb5_error_code
-encode_524_response(const char *spn, const EncTicketPart et, const Ticket *t,
-		    hdb_entry *server, EncryptedData *ticket, int *kvno)
+encode_524_response(krb5_context context, 
+		    krb5_kdc_configuration *config,
+		    const char *spn, const EncTicketPart et,
+		    const Ticket *t, hdb_entry_ex *server, 
+		    EncryptedData *ticket, int *kvno)
 {
     krb5_error_code ret;
     int use_2b;
@@ -223,7 +238,8 @@ encode_524_response(const char *spn, const EncTicketPart et, const Ticket *t,
 			   &t->enc_part, &len, ret);
 	
 	if (ret) {
-	    kdc_log(0, "Failed to encode v4 (2b) ticket (%s)", spn);
+	    kdc_log(context, config, 0, 
+		    "Failed to encode v4 (2b) ticket (%s)", spn);
 	    return ret;
 	}
 	
@@ -234,30 +250,34 @@ encode_524_response(const char *spn, const EncTicketPart et, const Ticket *t,
 	unsigned char buf[MAX_KTXT_LEN + 4 * 4];
 	Key *skey;
 	
-	if (!enable_v4_cross_realm && strcmp (et.crealm, t->realm) != 0) {
-	    kdc_log(0, "524 cross-realm %s -> %s disabled", et.crealm,
+	if (!config->enable_v4_cross_realm && strcmp (et.crealm, t->realm) != 0) {
+	    kdc_log(context, config, 0, "524 cross-realm %s -> %s disabled", et.crealm,
 		    t->realm);
 	    return KRB5KDC_ERR_POLICY;
 	}
 
-	ret = encode_v4_ticket(buf + sizeof(buf) - 1, sizeof(buf),
-			       &et, &t->sname, &len);
+	ret = _kdc_encode_v4_ticket(context, config, 
+				    buf + sizeof(buf) - 1, sizeof(buf),
+				    &et, &t->sname, &len);
 	if(ret){
-	    kdc_log(0, "Failed to encode v4 ticket (%s)", spn);
+	    kdc_log(context, config, 0,
+		    "Failed to encode v4 ticket (%s)", spn);
 	    return ret;
 	}
-	ret = get_des_key(server, TRUE, FALSE, &skey);
+	ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
 	if(ret){
-	    kdc_log(0, "no suitable DES key for server (%s)", spn);
+	    kdc_log(context, config, 0,
+		    "no suitable DES key for server (%s)", spn);
 	    return ret;
 	}
-	ret = encrypt_v4_ticket(buf + sizeof(buf) - len, len, 
+	ret = encrypt_v4_ticket(context, config, buf + sizeof(buf) - len, len, 
 				&skey->key, ticket);
 	if(ret){
-	    kdc_log(0, "Failed to encrypt v4 ticket (%s)", spn);
+	    kdc_log(context, config, 0,
+		    "Failed to encrypt v4 ticket (%s)", spn);
 	    return ret;
 	}
-	*kvno = server->kvno;
+	*kvno = server->entry.kvno;
     }
 
     return 0;
@@ -269,12 +289,14 @@ encode_524_response(const char *spn, const EncTicketPart et, const Ticket *t,
  */
 
 krb5_error_code
-do_524(const Ticket *t, krb5_data *reply,
-       const char *from, struct sockaddr *addr)
+_kdc_do_524(krb5_context context, 
+	    krb5_kdc_configuration *config,
+	    const Ticket *t, krb5_data *reply,
+	    const char *from, struct sockaddr *addr)
 {
     krb5_error_code ret = 0;
     krb5_crypto crypto;
-    hdb_entry *server = NULL;
+    hdb_entry_ex *server = NULL;
     Key *skey;
     krb5_data et_data;
     EncTicketPart et;
@@ -283,27 +305,29 @@ do_524(const Ticket *t, krb5_data *reply,
     char *spn = NULL;
     unsigned char buf[MAX_KTXT_LEN + 4 * 4];
     size_t len;
-    int kvno;
+    int kvno = 0;
     
-    if(!enable_524) {
+    if(!config->enable_524) {
 	ret = KRB5KDC_ERR_POLICY;
-	kdc_log(0, "Rejected ticket conversion request from %s", from);
+	kdc_log(context, config, 0,
+		"Rejected ticket conversion request from %s", from);
 	goto out;
     }
 
-    ret = fetch_server (t, &spn, &server, from);
+    ret = fetch_server (context, config, t, &spn, &server, from);
     if (ret) {
 	goto out;
     }
 
-    ret = hdb_enctype2key(context, server, t->enc_part.etype, &skey);
+    ret = hdb_enctype2key(context, &server->entry, t->enc_part.etype, &skey);
     if(ret){
-	kdc_log(0, "No suitable key found for server (%s) from %s", spn, from);
+	kdc_log(context, config, 0,
+		"No suitable key found for server (%s) from %s", spn, from);
 	goto out;
     }
     ret = krb5_crypto_init(context, &skey->key, 0, &crypto);
     if (ret) {
-	kdc_log(0, "krb5_crypto_init failed: %s",
+	kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
 		krb5_get_err_text(context, ret));
 	goto out;
     }
@@ -314,58 +338,63 @@ do_524(const Ticket *t, krb5_data *reply,
 				      &et_data);
     krb5_crypto_destroy(context, crypto);
     if(ret){
-	kdc_log(0, "Failed to decrypt ticket from %s for %s", from, spn);
+	kdc_log(context, config, 0,
+		"Failed to decrypt ticket from %s for %s", from, spn);
 	goto out;
     }
     ret = krb5_decode_EncTicketPart(context, et_data.data, et_data.length, 
 				    &et, &len);
     krb5_data_free(&et_data);
     if(ret){
-	kdc_log(0, "Failed to decode ticket from %s for %s", from, spn);
+	kdc_log(context, config, 0,
+		"Failed to decode ticket from %s for %s", from, spn);
 	goto out;
     }
 
-    ret = log_524 (&et, from, spn);
+    ret = log_524 (context, config, &et, from, spn);
     if (ret) {
 	free_EncTicketPart(&et);
 	goto out;
     }
 
-    ret = verify_flags (&et, spn);
+    ret = verify_flags (context, config, &et, spn);
     if (ret) {
 	free_EncTicketPart(&et);
 	goto out;
     }
 
-    ret = set_address (&et, addr, from);
+    ret = set_address (context, config, &et, addr, from);
     if (ret) {
 	free_EncTicketPart(&et);
 	goto out;
     }
 
-    ret = encode_524_response(spn, et, t, server, &ticket, &kvno);
+    ret = encode_524_response(context, config, spn, et, t,
+			      server, &ticket, &kvno);
     free_EncTicketPart(&et);
 
-out:
+ out:
     /* make reply */
     memset(buf, 0, sizeof(buf));
     sp = krb5_storage_from_mem(buf, sizeof(buf));
-    krb5_store_int32(sp, ret);
-    if(ret == 0){
-	krb5_store_int32(sp, kvno);
-	krb5_store_data(sp, ticket.cipher);
-	/* Aargh! This is coded as a KTEXT_ST. */
-	krb5_storage_seek(sp, MAX_KTXT_LEN - ticket.cipher.length, SEEK_CUR);
-	krb5_store_int32(sp, 0); /* mbz */
-	free_EncryptedData(&ticket);
-    }
-    ret = krb5_storage_to_data(sp, reply);
-    reply->length = krb5_storage_seek(sp, 0, SEEK_CUR);
-    krb5_storage_free(sp);
-    
+    if (sp) {
+	krb5_store_int32(sp, ret);
+	if(ret == 0){
+	    krb5_store_int32(sp, kvno);
+	    krb5_store_data(sp, ticket.cipher);
+	    /* Aargh! This is coded as a KTEXT_ST. */
+	    krb5_storage_seek(sp, MAX_KTXT_LEN - ticket.cipher.length, SEEK_CUR);
+	    krb5_store_int32(sp, 0); /* mbz */
+	    free_EncryptedData(&ticket);
+	}
+	ret = krb5_storage_to_data(sp, reply);
+	reply->length = krb5_storage_seek(sp, 0, SEEK_CUR);
+	krb5_storage_free(sp);
+    } else
+	krb5_data_zero(reply);
     if(spn)
 	free(spn);
     if(server)
-	free_ent (server);
+	_kdc_free_ent (context, server);
     return ret;
 }
diff --git a/crypto/heimdal/kdc/Makefile.am b/crypto/heimdal/kdc/Makefile.am
index f41f46e..ff20bde 100644
--- a/crypto/heimdal/kdc/Makefile.am
+++ b/crypto/heimdal/kdc/Makefile.am
@@ -1,8 +1,10 @@
-# $Id: Makefile.am,v 1.44 2003/01/14 05:47:06 lha Exp $
+# $Id: Makefile.am 22489 2008-01-21 11:49:06Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += $(INCLUDE_krb4) $(INCLUDE_des) -I$(srcdir)/../lib/krb5
+AM_CPPFLAGS += $(INCLUDE_krb4) $(INCLUDE_hcrypto) -I$(srcdir)/../lib/krb5
+
+lib_LTLIBRARIES = libkdc.la
 
 bin_PROGRAMS = string2key
 
@@ -10,6 +12,8 @@ sbin_PROGRAMS = kstash
 
 libexec_PROGRAMS = hprop hpropd kdc
 
+noinst_PROGRAMS = kdc-replay
+
 man_MANS = kdc.8 kstash.8 hprop.8 hpropd.8 string2key.8
 
 hprop_SOURCES = hprop.c mit_dump.c v4_dump.c hprop.h kadb.h 
@@ -19,23 +23,45 @@ kstash_SOURCES = kstash.c headers.h
 
 string2key_SOURCES = string2key.c headers.h
 
-if KRB4
-krb4_sources = kaserver.c rx.h
-else
-krb4_sources =
+kdc_SOURCES = connect.c	\
+	config.c	\
+	main.c
+
+libkdc_la_SOURCES = 		\
+	kdc-private.h	 	\
+	kdc-protos.h	 	\
+	default_config.c 	\
+	set_dbinfo.c	 	\
+	digest.c		\
+	kdc_locl.h		\
+	kerberos5.c		\
+	krb5tgs.c		\
+	pkinit.c		\
+	log.c			\
+	misc.c			\
+	524.c			\
+	kerberos4.c		\
+	kaserver.c		\
+	kx509.c			\
+	process.c		\
+	windc.c			\
+	rx.h
+
+
+$(libkdc_la_OBJECTS): $(srcdir)/kdc-protos.h $(srcdir)/kdc-private.h
+
+libkdc_la_LDFLAGS = -version-info 2:0:0
+
+if versionscript
+libkdc_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
 endif
+$(libkdc_la_OBJECTS): $(srcdir)/version-script.map
 
-kdc_SOURCES = \
-	config.c	\
-	connect.c	\
-	kdc_locl.h	\
-	kerberos5.c	\
-	log.c		\
-	main.c		\
-	misc.c		\
-	524.c		\
-	kerberos4.c	\
-	$(krb4_sources)
+$(srcdir)/kdc-protos.h:
+	cd $(srcdir) && perl ../cf/make-proto.pl -q -P comment -o kdc-protos.h $(libkdc_la_SOURCES) || rm -f kdc-protos.h
+
+$(srcdir)/kdc-private.h:
+	cd $(srcdir) && perl ../cf/make-proto.pl -q -P comment -p kdc-private.h $(libkdc_la_SOURCES) || rm -f kdc-private.h
 
 
 hprop_LDADD = \
@@ -43,7 +69,7 @@ hprop_LDADD = \
 	$(LIB_openldap) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(LIB_kdb) $(LIB_krb4) \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken) \
 	$(DBLIB) 
@@ -53,7 +79,23 @@ hpropd_LDADD = \
 	$(LIB_openldap) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(LIB_kdb) $(LIB_krb4) \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken) \
+	$(DBLIB) 
+
+if PKINIT
+LIB_pkinit = $(top_builddir)/lib/hx509/libhx509.la
+endif
+
+libkdc_la_LIBADD = \
+	$(LIB_pkinit) \
+	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_kdb) $(LIB_krb4) \
+	$(top_builddir)/lib/ntlm/libheimntlm.la \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken) \
 	$(DBLIB) 
@@ -62,10 +104,19 @@ LDADD = $(top_builddir)/lib/hdb/libhdb.la \
 	$(LIB_openldap) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(LIB_krb4) \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken) \
 	$(DBLIB)
 
-kdc_LDADD = $(LDADD) $(LIB_pidfile)
+kdc_LDADD = libkdc.la $(LDADD) $(LIB_pidfile)
+kdc_replay_LDADD = $(kdc_LDADD)
+
+include_HEADERS = kdc.h kdc-protos.h
+
+krb5dir = $(includedir)/krb5
+krb5_HEADERS = windc_plugin.h
+
+build_HEADERZ = $(krb5_HEADERS) # XXX
 
+EXTRA_DIST = $(man_MANS) version-script.map
diff --git a/crypto/heimdal/kdc/Makefile.in b/crypto/heimdal/kdc/Makefile.in
index 6e5f5ca..d7e623a 100644
--- a/crypto/heimdal/kdc/Makefile.in
+++ b/crypto/heimdal/kdc/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,23 +14,19 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.44 2003/01/14 05:47:06 lha Exp $
+# $Id: Makefile.am 22489 2008-01-21 11:49:06Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
+
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
 
-SOURCES = $(hprop_SOURCES) $(hpropd_SOURCES) $(kdc_SOURCES) $(kstash_SOURCES) $(string2key_SOURCES)
 
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -42,26 +38,27 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
-	$(top_srcdir)/Makefile.am.common \
+DIST_COMMON = $(include_HEADERS) $(krb5_HEADERS) $(srcdir)/Makefile.am \
+	$(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \
 	$(top_srcdir)/cf/Makefile.am.common
 bin_PROGRAMS = string2key$(EXEEXT)
 sbin_PROGRAMS = kstash$(EXEEXT)
 libexec_PROGRAMS = hprop$(EXEEXT) hpropd$(EXEEXT) kdc$(EXEEXT)
+noinst_PROGRAMS = kdc-replay$(EXEEXT)
+@versionscript_TRUE@am__append_1 = $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
 subdir = kdc
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -74,6 +71,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -82,27 +80,56 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" \
+	"$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(sbindir)" \
+	"$(DESTDIR)$(man8dir)" "$(DESTDIR)$(includedir)" \
+	"$(DESTDIR)$(krb5dir)"
+libLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(lib_LTLIBRARIES)
+am__DEPENDENCIES_1 =
+libkdc_la_DEPENDENCIES = $(LIB_pkinit) \
+	$(top_builddir)/lib/hdb/libhdb.la $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/krb5/libkrb5.la $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1) $(top_builddir)/lib/ntlm/libheimntlm.la \
+	$(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+am_libkdc_la_OBJECTS = default_config.lo set_dbinfo.lo digest.lo \
+	kerberos5.lo krb5tgs.lo pkinit.lo log.lo misc.lo 524.lo \
+	kerberos4.lo kaserver.lo kx509.lo process.lo windc.lo
+libkdc_la_OBJECTS = $(am_libkdc_la_OBJECTS)
+libkdc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libkdc_la_LDFLAGS) $(LDFLAGS) -o $@
 binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
-PROGRAMS = $(bin_PROGRAMS) $(libexec_PROGRAMS) $(sbin_PROGRAMS)
+PROGRAMS = $(bin_PROGRAMS) $(libexec_PROGRAMS) $(noinst_PROGRAMS) \
+	$(sbin_PROGRAMS)
 am_hprop_OBJECTS = hprop.$(OBJEXT) mit_dump.$(OBJEXT) \
 	v4_dump.$(OBJEXT)
 hprop_OBJECTS = $(am_hprop_OBJECTS)
-am__DEPENDENCIES_1 =
 hprop_DEPENDENCIES = $(top_builddir)/lib/hdb/libhdb.la \
 	$(am__DEPENDENCIES_1) $(top_builddir)/lib/krb5/libkrb5.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
@@ -115,20 +142,20 @@ hpropd_DEPENDENCIES = $(top_builddir)/lib/hdb/libhdb.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
-am__kdc_SOURCES_DIST = config.c connect.c kdc_locl.h kerberos5.c log.c \
-	main.c misc.c 524.c kerberos4.c kaserver.c rx.h
-@KRB4_TRUE@am__objects_1 = kaserver.$(OBJEXT)
-am_kdc_OBJECTS = config.$(OBJEXT) connect.$(OBJEXT) \
-	kerberos5.$(OBJEXT) log.$(OBJEXT) main.$(OBJEXT) \
-	misc.$(OBJEXT) 524.$(OBJEXT) kerberos4.$(OBJEXT) \
-	$(am__objects_1)
+am_kdc_OBJECTS = connect.$(OBJEXT) config.$(OBJEXT) main.$(OBJEXT)
 kdc_OBJECTS = $(am_kdc_OBJECTS)
 am__DEPENDENCIES_2 = $(top_builddir)/lib/hdb/libhdb.la \
 	$(am__DEPENDENCIES_1) $(top_builddir)/lib/krb5/libkrb5.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
 	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1)
-kdc_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1)
+kdc_DEPENDENCIES = libkdc.la $(am__DEPENDENCIES_2) \
+	$(am__DEPENDENCIES_1)
+kdc_replay_SOURCES = kdc-replay.c
+kdc_replay_OBJECTS = kdc-replay.$(OBJEXT)
+am__DEPENDENCIES_3 = libkdc.la $(am__DEPENDENCIES_2) \
+	$(am__DEPENDENCIES_1)
+kdc_replay_DEPENDENCIES = $(am__DEPENDENCIES_3)
 am_kstash_OBJECTS = kstash.$(OBJEXT)
 kstash_OBJECTS = $(am_kstash_OBJECTS)
 kstash_LDADD = $(LDADD)
@@ -145,35 +172,34 @@ string2key_DEPENDENCIES = $(top_builddir)/lib/hdb/libhdb.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
 	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
-SOURCES = $(hprop_SOURCES) $(hpropd_SOURCES) $(kdc_SOURCES) \
-	$(kstash_SOURCES) $(string2key_SOURCES)
-DIST_SOURCES = $(hprop_SOURCES) $(hpropd_SOURCES) \
-	$(am__kdc_SOURCES_DIST) $(kstash_SOURCES) \
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libkdc_la_SOURCES) $(hprop_SOURCES) $(hpropd_SOURCES) \
+	$(kdc_SOURCES) kdc-replay.c $(kstash_SOURCES) \
+	$(string2key_SOURCES)
+DIST_SOURCES = $(libkdc_la_SOURCES) $(hprop_SOURCES) $(hpropd_SOURCES) \
+	$(kdc_SOURCES) kdc-replay.c $(kstash_SOURCES) \
 	$(string2key_SOURCES)
 man8dir = $(mandir)/man8
 MANS = $(man_MANS)
+includeHEADERS_INSTALL = $(INSTALL_HEADER)
+krb5HEADERS_INSTALL = $(INSTALL_HEADER)
+HEADERS = $(include_HEADERS) $(krb5_HEADERS)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -183,8 +209,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -195,11 +219,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -207,42 +230,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -260,12 +268,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -275,15 +280,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -292,6 +296,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -303,15 +308,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -319,74 +319,80 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(INCLUDE_des) -I$(srcdir)/../lib/krb5
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	$(INCLUDE_krb4) $(INCLUDE_hcrypto) -I$(srcdir)/../lib/krb5
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -403,32 +409,45 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+lib_LTLIBRARIES = libkdc.la
 man_MANS = kdc.8 kstash.8 hprop.8 hpropd.8 string2key.8
 hprop_SOURCES = hprop.c mit_dump.c v4_dump.c hprop.h kadb.h 
 hpropd_SOURCES = hpropd.c hprop.h
 kstash_SOURCES = kstash.c headers.h
 string2key_SOURCES = string2key.c headers.h
-@KRB4_FALSE@krb4_sources = 
-@KRB4_TRUE@krb4_sources = kaserver.c rx.h
-kdc_SOURCES = \
+kdc_SOURCES = connect.c	\
 	config.c	\
-	connect.c	\
-	kdc_locl.h	\
-	kerberos5.c	\
-	log.c		\
-	main.c		\
-	misc.c		\
-	524.c		\
-	kerberos4.c	\
-	$(krb4_sources)
-
+	main.c
+
+libkdc_la_SOURCES = \
+	kdc-private.h	 	\
+	kdc-protos.h	 	\
+	default_config.c 	\
+	set_dbinfo.c	 	\
+	digest.c		\
+	kdc_locl.h		\
+	kerberos5.c		\
+	krb5tgs.c		\
+	pkinit.c		\
+	log.c			\
+	misc.c			\
+	524.c			\
+	kerberos4.c		\
+	kaserver.c		\
+	kx509.c			\
+	process.c		\
+	windc.c			\
+	rx.h
+
+libkdc_la_LDFLAGS = -version-info 2:0:0 $(am__append_1)
 hprop_LDADD = \
 	$(top_builddir)/lib/hdb/libhdb.la \
 	$(LIB_openldap) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(LIB_kdb) $(LIB_krb4) \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken) \
 	$(DBLIB) 
@@ -438,7 +457,20 @@ hpropd_LDADD = \
 	$(LIB_openldap) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(LIB_kdb) $(LIB_krb4) \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken) \
+	$(DBLIB) 
+
+@PKINIT_TRUE@LIB_pkinit = $(top_builddir)/lib/hx509/libhx509.la
+libkdc_la_LIBADD = \
+	$(LIB_pkinit) \
+	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_kdb) $(LIB_krb4) \
+	$(top_builddir)/lib/ntlm/libheimntlm.la \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken) \
 	$(DBLIB) 
@@ -447,16 +479,22 @@ LDADD = $(top_builddir)/lib/hdb/libhdb.la \
 	$(LIB_openldap) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(LIB_krb4) \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken) \
 	$(DBLIB)
 
-kdc_LDADD = $(LDADD) $(LIB_pidfile)
+kdc_LDADD = libkdc.la $(LDADD) $(LIB_pidfile)
+kdc_replay_LDADD = $(kdc_LDADD)
+include_HEADERS = kdc.h kdc-protos.h
+krb5dir = $(includedir)/krb5
+krb5_HEADERS = windc_plugin.h
+build_HEADERZ = $(krb5_HEADERS) # XXX
+EXTRA_DIST = $(man_MANS) version-script.map
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -486,9 +524,38 @@ $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \
+	    $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \
+	  $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \
+	done
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libkdc.la: $(libkdc_la_OBJECTS) $(libkdc_la_DEPENDENCIES) 
+	$(libkdc_la_LINK) -rpath $(libdir) $(libkdc_la_OBJECTS) $(libkdc_la_LIBADD) $(LIBS)
 install-binPROGRAMS: $(bin_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)"
+	test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
 	@list='$(bin_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -516,7 +583,7 @@ clean-binPROGRAMS:
 	done
 install-libexecPROGRAMS: $(libexec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(libexecdir)" || $(mkdir_p) "$(DESTDIR)$(libexecdir)"
+	test -z "$(libexecdir)" || $(MKDIR_P) "$(DESTDIR)$(libexecdir)"
 	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -542,9 +609,16 @@ clean-libexecPROGRAMS:
 	  echo " rm -f $$p $$f"; \
 	  rm -f $$p $$f ; \
 	done
+
+clean-noinstPROGRAMS:
+	@list='$(noinst_PROGRAMS)'; for p in $$list; do \
+	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  echo " rm -f $$p $$f"; \
+	  rm -f $$p $$f ; \
+	done
 install-sbinPROGRAMS: $(sbin_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(sbindir)" || $(mkdir_p) "$(DESTDIR)$(sbindir)"
+	test -z "$(sbindir)" || $(MKDIR_P) "$(DESTDIR)$(sbindir)"
 	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -572,19 +646,22 @@ clean-sbinPROGRAMS:
 	done
 hprop$(EXEEXT): $(hprop_OBJECTS) $(hprop_DEPENDENCIES) 
 	@rm -f hprop$(EXEEXT)
-	$(LINK) $(hprop_LDFLAGS) $(hprop_OBJECTS) $(hprop_LDADD) $(LIBS)
+	$(LINK) $(hprop_OBJECTS) $(hprop_LDADD) $(LIBS)
 hpropd$(EXEEXT): $(hpropd_OBJECTS) $(hpropd_DEPENDENCIES) 
 	@rm -f hpropd$(EXEEXT)
-	$(LINK) $(hpropd_LDFLAGS) $(hpropd_OBJECTS) $(hpropd_LDADD) $(LIBS)
+	$(LINK) $(hpropd_OBJECTS) $(hpropd_LDADD) $(LIBS)
 kdc$(EXEEXT): $(kdc_OBJECTS) $(kdc_DEPENDENCIES) 
 	@rm -f kdc$(EXEEXT)
-	$(LINK) $(kdc_LDFLAGS) $(kdc_OBJECTS) $(kdc_LDADD) $(LIBS)
+	$(LINK) $(kdc_OBJECTS) $(kdc_LDADD) $(LIBS)
+kdc-replay$(EXEEXT): $(kdc_replay_OBJECTS) $(kdc_replay_DEPENDENCIES) 
+	@rm -f kdc-replay$(EXEEXT)
+	$(LINK) $(kdc_replay_OBJECTS) $(kdc_replay_LDADD) $(LIBS)
 kstash$(EXEEXT): $(kstash_OBJECTS) $(kstash_DEPENDENCIES) 
 	@rm -f kstash$(EXEEXT)
-	$(LINK) $(kstash_LDFLAGS) $(kstash_OBJECTS) $(kstash_LDADD) $(LIBS)
+	$(LINK) $(kstash_OBJECTS) $(kstash_LDADD) $(LIBS)
 string2key$(EXEEXT): $(string2key_OBJECTS) $(string2key_DEPENDENCIES) 
 	@rm -f string2key$(EXEEXT)
-	$(LINK) $(string2key_LDFLAGS) $(string2key_OBJECTS) $(string2key_LDADD) $(LIBS)
+	$(LINK) $(string2key_OBJECTS) $(string2key_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -606,13 +683,9 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 install-man8: $(man8_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)"
+	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
 	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -655,6 +728,40 @@ uninstall-man8:
 	  echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
 	  rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
 	done
+install-includeHEADERS: $(include_HEADERS)
+	@$(NORMAL_INSTALL)
+	test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  f=$(am__strip_dir) \
+	  echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
+	  $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
+	done
+
+uninstall-includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
+	  echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(includedir)/$$f"; \
+	done
+install-krb5HEADERS: $(krb5_HEADERS)
+	@$(NORMAL_INSTALL)
+	test -z "$(krb5dir)" || $(MKDIR_P) "$(DESTDIR)$(krb5dir)"
+	@list='$(krb5_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  f=$(am__strip_dir) \
+	  echo " $(krb5HEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(krb5dir)/$$f'"; \
+	  $(krb5HEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(krb5dir)/$$f"; \
+	done
+
+uninstall-krb5HEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(krb5_HEADERS)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
+	  echo " rm -f '$(DESTDIR)$(krb5dir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(krb5dir)/$$f"; \
+	done
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -676,9 +783,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -703,23 +812,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/.. $(distdir)/../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -736,10 +843,13 @@ distdir: $(DISTFILES)
 check-am: all-am
 	$(MAKE) $(AM_MAKEFLAGS) check-local
 check: check-am
-all-am: Makefile $(PROGRAMS) $(MANS) all-local
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(HEADERS) \
+		all-local
+install-binPROGRAMS: install-libLTLIBRARIES
+
 installdirs:
-	for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(krb5dir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -760,20 +870,21 @@ mostlyclean-generic:
 clean-generic:
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \
-	clean-libtool clean-sbinPROGRAMS mostlyclean-am
+clean-am: clean-binPROGRAMS clean-generic clean-libLTLIBRARIES \
+	clean-libexecPROGRAMS clean-libtool clean-noinstPROGRAMS \
+	clean-sbinPROGRAMS mostlyclean-am
 
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -785,19 +896,28 @@ info: info-am
 
 info-am:
 
-install-data-am: install-man
+install-data-am: install-includeHEADERS install-krb5HEADERS \
+	install-man
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
-install-exec-am: install-binPROGRAMS install-libexecPROGRAMS \
-	install-sbinPROGRAMS
+install-dvi: install-dvi-am
+
+install-exec-am: install-binPROGRAMS install-libLTLIBRARIES \
+	install-libexecPROGRAMS install-sbinPROGRAMS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man: install-man8
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -817,26 +937,38 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-binPROGRAMS uninstall-info-am \
+uninstall-am: uninstall-binPROGRAMS uninstall-includeHEADERS \
+	uninstall-krb5HEADERS uninstall-libLTLIBRARIES \
 	uninstall-libexecPROGRAMS uninstall-man uninstall-sbinPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
 
 uninstall-man: uninstall-man8
 
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
 .PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
-	clean clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \
-	clean-libtool clean-sbinPROGRAMS ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-binPROGRAMS install-data \
-	install-data-am install-exec install-exec-am install-info \
-	install-info-am install-libexecPROGRAMS install-man \
-	install-man8 install-sbinPROGRAMS install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-binPROGRAMS \
-	uninstall-info-am uninstall-libexecPROGRAMS uninstall-man \
-	uninstall-man8 uninstall-sbinPROGRAMS
+	clean clean-binPROGRAMS clean-generic clean-libLTLIBRARIES \
+	clean-libexecPROGRAMS clean-libtool clean-noinstPROGRAMS \
+	clean-sbinPROGRAMS ctags dist-hook distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-binPROGRAMS install-data install-data-am \
+	install-data-hook install-dvi install-dvi-am install-exec \
+	install-exec-am install-exec-hook install-html install-html-am \
+	install-includeHEADERS install-info install-info-am \
+	install-krb5HEADERS install-libLTLIBRARIES \
+	install-libexecPROGRAMS install-man install-man8 install-pdf \
+	install-pdf-am install-ps install-ps-am install-sbinPROGRAMS \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-binPROGRAMS uninstall-hook uninstall-includeHEADERS \
+	uninstall-krb5HEADERS uninstall-libLTLIBRARIES \
+	uninstall-libexecPROGRAMS uninstall-man uninstall-man8 \
+	uninstall-sbinPROGRAMS
 
 
 install-suid-programs:
@@ -851,8 +983,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -862,19 +994,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -890,7 +1034,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -960,14 +1104,48 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
+$(libkdc_la_OBJECTS): $(srcdir)/kdc-protos.h $(srcdir)/kdc-private.h
+$(libkdc_la_OBJECTS): $(srcdir)/version-script.map
+
+$(srcdir)/kdc-protos.h:
+	cd $(srcdir) && perl ../cf/make-proto.pl -q -P comment -o kdc-protos.h $(libkdc_la_SOURCES) || rm -f kdc-protos.h
+
+$(srcdir)/kdc-private.h:
+	cd $(srcdir) && perl ../cf/make-proto.pl -q -P comment -p kdc-private.h $(libkdc_la_SOURCES) || rm -f kdc-private.h
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/kdc/config.c b/crypto/heimdal/kdc/config.c
index 8ab826a..a4d40fc 100644
--- a/crypto/heimdal/kdc/config.c
+++ b/crypto/heimdal/kdc/config.c
@@ -1,6 +1,7 @@
 /*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
+ *
  * All rights reserved. 
  *
  * Redistribution and use in source and binary forms, with or without 
@@ -35,52 +36,33 @@
 #include <getarg.h>
 #include <parse_bytes.h>
 
-RCSID("$Id: config.c,v 1.46.2.2 2003/10/27 11:06:52 joda Exp $");
-
-static const char *config_file;	/* location of kdc config file */
+RCSID("$Id: config.c 22248 2007-12-08 23:52:12Z lha $");
 
-int require_preauth = -1;	/* 1 == require preauth for all principals */
+struct dbinfo {
+    char *realm;
+    char *dbname;
+    char *mkey_file;
+    struct dbinfo *next;
+};
 
-size_t max_request;		/* maximal size of a request */
+static char *config_file;	/* location of kdc config file */
 
+static int require_preauth = -1; /* 1 == require preauth for all principals */
 static char *max_request_str;	/* `max_request' as a string */
 
-time_t kdc_warn_pwexpire;	/* time before expiration to print a warning */
-
-struct dbinfo *databases;
-HDB **db;
-int num_db;
-
-const char *port_str;
+static int disable_des = -1;
+static int enable_v4 = -1;
+static int enable_kaserver = -1;
+static int enable_524 = -1;
+static int enable_v4_cross_realm = -1;
 
-#ifdef HAVE_DAEMON
-int detach_from_console = -1;
-#define DETACH_IS_DEFAULT FALSE
-#endif
-
-int enable_http = -1;
-krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */
-
-krb5_boolean check_ticket_addresses;
-krb5_boolean allow_null_ticket_addresses;
-krb5_boolean allow_anonymous;
-int trpolicy;
-static const char *trpolicy_str;
+static int builtin_hdb_flag;
+static int help_flag;
+static int version_flag;
 
 static struct getarg_strings addresses_str;	/* addresses to listen on */
-krb5_addresses explicit_addresses;
-
-#ifdef KRB4
-char *v4_realm;
-int enable_v4 = -1;
-int enable_kaserver = -1;
-#endif
 
-int enable_524 = -1;
-int enable_v4_cross_realm = -1;
-
-static int help_flag;
-static int version_flag;
+static char *v4_realm;
 
 static struct getargs args[] = {
     { 
@@ -95,17 +77,10 @@ static struct getargs args[] = {
 	"max-request",	0,	arg_string, &max_request, 
 	"max size for a kdc-request", "size"
     },
-#if 0
-    {
-	"database",	'd', 	arg_string, &databases,
-	"location of database", "database"
-    },
-#endif
     { "enable-http", 'H', arg_flag, &enable_http, "turn on HTTP support" },
     {	"524",		0, 	arg_negative_flag, &enable_524,
 	"don't respond to 524 requests" 
     },
-#ifdef KRB4
     {
 	"kaserver", 'K', arg_flag,   &enable_kaserver,
 	"enable kaserver support"
@@ -117,7 +92,6 @@ static struct getargs args[] = {
 	"v4-realm",	'r',	arg_string, &v4_realm, 
 	"realm to serve v4-requests for"
     },
-#endif
     {	"kerberos4-cross-realm",	0, 	arg_flag,
 	&enable_v4_cross_realm,
 	"respond to kerberos 4 requests from foreign realms" 
@@ -125,7 +99,6 @@ static struct getargs args[] = {
     {	"ports",	'P', 	arg_string, &port_str,
 	"ports to listen to", "portspec"
     },
-#ifdef HAVE_DAEMON
 #if DETACH_IS_DEFAULT
     {
 	"detach",       'D',      arg_negative_flag, &detach_from_console, 
@@ -137,9 +110,12 @@ static struct getargs args[] = {
 	"detach from console"
     },
 #endif
-#endif
     {	"addresses",	0,	arg_strings, &addresses_str,
 	"addresses to listen on", "list of addresses" },
+    {	"disable-des",	0,	arg_flag, &disable_des,
+	"disable DES" },
+    {	"builtin-hdb",	0,	arg_flag,   &builtin_hdb_flag,
+	"list builtin hdb backends"},
     {	"help",		'h',	arg_flag,   &help_flag },
     {	"version",	'v',	arg_flag,   &version_flag }
 };
@@ -154,86 +130,7 @@ usage(int ret)
 }
 
 static void
-get_dbinfo(void)
-{
-    const krb5_config_binding *top_binding = NULL;
-    const krb5_config_binding *db_binding;
-    const krb5_config_binding *default_binding = NULL;
-    struct dbinfo *di, **dt;
-    const char *default_dbname = HDB_DEFAULT_DB;
-    const char *default_mkey = HDB_DB_DIR "/m-key";
-    const char *p;
-
-    databases = NULL;
-    dt = &databases;
-    while((db_binding = (const krb5_config_binding *)
-	   krb5_config_get_next(context, NULL, &top_binding, 
-				krb5_config_list, 
-				"kdc", 
-				"database",
-				NULL))) {
-	p = krb5_config_get_string(context, db_binding, "realm", NULL);
-	if(p == NULL) {
-	    if(default_binding) {
-		krb5_warnx(context, "WARNING: more than one realm-less "
-			   "database specification");
-		krb5_warnx(context, "WARNING: using the first encountered");
-	    } else
-		default_binding = db_binding;
-	    continue;
-	}
-	di = calloc(1, sizeof(*di));
-	di->realm = strdup(p);
-	p = krb5_config_get_string(context, db_binding, "dbname", NULL);
-	if(p)
-	    di->dbname = strdup(p);
-	p = krb5_config_get_string(context, db_binding, "mkey_file", NULL);
-	if(p)
-	    di->mkey_file = strdup(p);
-	*dt = di;
-	dt = &di->next;
-    }
-    if(default_binding) {
-	di = calloc(1, sizeof(*di));
-	p = krb5_config_get_string(context, default_binding, "dbname", NULL);
-	if(p) {
-	    di->dbname = strdup(p);
-	    default_dbname = p;
-	}
-	p = krb5_config_get_string(context, default_binding, "mkey_file", NULL);
-	if(p) {
-	    di->mkey_file = strdup(p);
-	    default_mkey = p;
-	}
-	*dt = di;
-	dt = &di->next;
-    } else if(databases == NULL) {
-	/* if there are none specified, use some default */
-	di = calloc(1, sizeof(*di));
-	di->dbname = strdup(default_dbname);
-	di->mkey_file = strdup(default_mkey);
-	*dt = di;
-	dt = &di->next;
-    }
-    for(di = databases; di; di = di->next) {
-	if(di->dbname == NULL)
-	    di->dbname = strdup(default_dbname);
-	if(di->mkey_file == NULL) {
-	    p = strrchr(di->dbname, '.');
-	    if(p == NULL || strchr(p, '/') != NULL)
-		/* final pathname component does not contain a . */
-		asprintf(&di->mkey_file, "%s.mkey", di->dbname);
-	    else
-		/* the filename is something.else, replace .else with
-                   .mkey */
-		asprintf(&di->mkey_file, "%.*s.mkey", 
-			 (int)(p - di->dbname), di->dbname);
-	}
-    }
-}
-
-static void
-add_one_address (const char *str, int first)
+add_one_address (krb5_context context, const char *str, int first)
 {
     krb5_error_code ret;
     krb5_addresses tmp;
@@ -248,15 +145,16 @@ add_one_address (const char *str, int first)
     krb5_free_addresses (context, &tmp);
 }
 
-void
-configure(int argc, char **argv)
+krb5_kdc_configuration *
+configure(krb5_context context, int argc, char **argv)
 {
-    int optind = 0;
-    int e;
+    krb5_kdc_configuration *config;
+    krb5_error_code ret;
+    int optidx = 0;
     const char *p;
     
-    while((e = getarg(args, num_args, argc, argv, &optind)))
-	warnx("error at argument `%s'", argv[optind]);
+    while(getarg(args, num_args, argc, argv, &optidx))
+	warnx("error at argument `%s'", argv[optidx]);
 
     if(help_flag)
 	usage (0);
@@ -266,35 +164,51 @@ configure(int argc, char **argv)
 	exit(0);
     }
 
-    argc -= optind;
-    argv += optind;
+    if (builtin_hdb_flag) {
+	char *list;
+	ret = hdb_list_builtin(context, &list);
+	if (ret)
+	    krb5_err(context, 1, ret, "listing builtin hdb backends");
+	printf("builtin hdb backends: %s\n", list);
+	free(list);
+	exit(0);
+    }
+
+    argc -= optidx;
+    argv += optidx;
 
     if (argc != 0)
 	usage(1);
     
     {
-	krb5_error_code ret;
 	char **files;
-	char *tmp;
-	if(config_file == NULL)
-	    config_file = _PATH_KDC_CONF;
-	asprintf(&tmp, "%s:%s", config_file, krb5_config_file);
-	if(tmp == NULL)
-	    krb5_errx(context, 1, "out of memory");
-	    
-	krb5_config_file = tmp;
 
-	ret = krb5_get_default_config_files(&files);
-	if(ret) 
-	    krb5_err(context, 1, ret, "reading configuration files");
+	if (config_file == NULL) {
+	    asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
+	    if (config_file == NULL)
+		errx(1, "out of memory");
+	}
+
+	ret = krb5_prepend_config_files_default(config_file, &files);
+	if (ret)
+	    krb5_err(context, 1, ret, "getting configuration files");
+	    
 	ret = krb5_set_config_files(context, files);
 	krb5_free_config_files(files);
 	if(ret) 
 	    krb5_err(context, 1, ret, "reading configuration files");
     }
 
-    get_dbinfo();
-    
+    ret = krb5_kdc_get_config(context, &config);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kdc_default_config");
+
+    kdc_openlog(context, config);
+
+    ret = krb5_kdc_set_dbinfo(context, config);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kdc_set_dbinfo");
+
     if(max_request_str)
 	max_request = parse_bytes(max_request_str, NULL);
 
@@ -308,9 +222,8 @@ configure(int argc, char **argv)
 	    max_request = parse_bytes(p, NULL);
     }
     
-    if(require_preauth == -1)
-	require_preauth = krb5_config_get_bool(context, NULL, "kdc", 
-					       "require-preauth", NULL);
+    if(require_preauth != -1)
+	config->require_preauth = require_preauth;
 
     if(port_str == NULL){
 	p = krb5_config_get_string(context, NULL, "kdc", "ports", NULL);
@@ -324,114 +237,86 @@ configure(int argc, char **argv)
 	int i;
 
 	for (i = 0; i < addresses_str.num_strings; ++i)
-	    add_one_address (addresses_str.strings[i], i == 0);
+	    add_one_address (context, addresses_str.strings[i], i == 0);
 	free_getarg_strings (&addresses_str);
     } else {
 	char **foo = krb5_config_get_strings (context, NULL,
 					      "kdc", "addresses", NULL);
 
 	if (foo != NULL) {
-	    add_one_address (*foo++, TRUE);
+	    add_one_address (context, *foo++, TRUE);
 	    while (*foo)
-		add_one_address (*foo++, FALSE);
+		add_one_address (context, *foo++, FALSE);
 	}
     }
 
-#ifdef KRB4
-    if(enable_v4 == -1)
-	enable_v4 = krb5_config_get_bool_default(context, NULL, FALSE, "kdc", 
-					 "enable-kerberos4", NULL);
-#else
-#define enable_v4 0
-#endif
-    if(enable_v4_cross_realm == -1)
-	enable_v4_cross_realm =
-	    krb5_config_get_bool_default(context, NULL,
-					 FALSE, "kdc", 
-					 "enable-kerberos4-cross-realm",
-					 NULL);
-    if(enable_524 == -1)
-	enable_524 = krb5_config_get_bool_default(context, NULL, enable_v4, 
-						  "kdc", "enable-524", NULL);
+    if(enable_v4 != -1)
+	config->enable_v4 = enable_v4;
+
+    if(enable_v4_cross_realm != -1)
+	config->enable_v4_cross_realm = enable_v4_cross_realm;
+
+    if(enable_524 != -1)
+	config->enable_524 = enable_524;
 
     if(enable_http == -1)
 	enable_http = krb5_config_get_bool(context, NULL, "kdc", 
 					   "enable-http", NULL);
-    check_ticket_addresses = 
-	krb5_config_get_bool_default(context, NULL, TRUE, "kdc", 
-				     "check-ticket-addresses", NULL);
-    allow_null_ticket_addresses = 
-	krb5_config_get_bool_default(context, NULL, TRUE, "kdc", 
-				     "allow-null-ticket-addresses", NULL);
-
-    allow_anonymous = 
-	krb5_config_get_bool(context, NULL, "kdc", 
-			     "allow-anonymous", NULL);
-    trpolicy_str = 
-	krb5_config_get_string_default(context, NULL, "always-check", "kdc", 
-				       "transited-policy", NULL);
-    if(strcasecmp(trpolicy_str, "always-check") == 0)
-	trpolicy = TRPOLICY_ALWAYS_CHECK;
-    else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0)
-	trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
-    else if(strcasecmp(trpolicy_str, "always-honour-request") == 0)
-	trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
-    else {
-	kdc_log(0, "unknown transited-policy: %s, reverting to always-check", 
-		trpolicy_str);
-	trpolicy = TRPOLICY_ALWAYS_CHECK;
-    }
-	
-	krb5_config_get_bool_default(context, NULL, TRUE, "kdc", 
-				     "enforce-transited-policy", NULL);
-#ifdef KRB4
-    if(v4_realm == NULL){
-	p = krb5_config_get_string (context, NULL, 
-				    "kdc",
-				    "v4-realm",
-				    NULL);
-	if(p != NULL) {
-	    v4_realm = strdup(p);
-	    if (v4_realm == NULL)
-		krb5_errx(context, 1, "out of memory");
-	}
-    }
-    if (enable_kaserver == -1)
-	enable_kaserver = krb5_config_get_bool_default(context, NULL, FALSE,
-						       "kdc",
-						       "enable-kaserver",
-						       NULL);
-#endif
 
-    encode_as_rep_as_tgs_rep = krb5_config_get_bool(context, NULL, "kdc", 
-						    "encode_as_rep_as_tgs_rep", 
-						    NULL);
+    if(request_log == NULL)
+	request_log = krb5_config_get_string(context, NULL, 
+					     "kdc", 
+					     "kdc-request-log", 
+					     NULL);
 
-    kdc_warn_pwexpire = krb5_config_get_time (context, NULL,
-					      "kdc",
-					      "kdc_warn_pwexpire",
-					      NULL);
+    if (krb5_config_get_string(context, NULL, "kdc", 
+			       "enforce-transited-policy", NULL))
+	krb5_errx(context, 1, "enforce-transited-policy deprecated, "
+		  "use [kdc]transited-policy instead");
+
+    if (enable_kaserver != -1)
+	config->enable_kaserver = enable_kaserver;
 
-#ifdef HAVE_DAEMON
     if(detach_from_console == -1) 
 	detach_from_console = krb5_config_get_bool_default(context, NULL, 
 							   DETACH_IS_DEFAULT,
 							   "kdc",
 							   "detach", NULL);
-#endif
-    kdc_openlog();
+
     if(max_request == 0)
 	max_request = 64 * 1024;
-    if(require_preauth == -1)
-	require_preauth = 1;
+
     if (port_str == NULL)
 	port_str = "+";
-#ifdef KRB4
-    if(v4_realm == NULL){
-	v4_realm = malloc(40); /* REALM_SZ */
-	if (v4_realm == NULL)
-	    krb5_errx(context, 1, "out of memory");
-	krb_get_lrealm(v4_realm, 1);
+
+    if (v4_realm)
+	config->v4_realm = v4_realm;
+
+    if(config->v4_realm == NULL && (config->enable_kaserver || config->enable_v4))
+	krb5_errx(context, 1, "Kerberos 4 enabled but no realm configured");
+
+    if(disable_des == -1)
+	disable_des = krb5_config_get_bool_default(context, NULL, 
+						   FALSE,
+						   "kdc",
+						   "disable-des", NULL);
+    if(disable_des) {
+	krb5_enctype_disable(context, ETYPE_DES_CBC_CRC);
+	krb5_enctype_disable(context, ETYPE_DES_CBC_MD4);
+	krb5_enctype_disable(context, ETYPE_DES_CBC_MD5);
+	krb5_enctype_disable(context, ETYPE_DES_CBC_NONE);
+	krb5_enctype_disable(context, ETYPE_DES_CFB64_NONE);
+	krb5_enctype_disable(context, ETYPE_DES_PCBC_NONE);
+
+	kdc_log(context, config, 
+		0, "DES was disabled, turned off Kerberos V4, 524 "
+		"and kaserver");
+	config->enable_v4 = 0;
+	config->enable_524 = 0;
+	config->enable_kaserver = 0;
     }
-#endif
+
+    krb5_kdc_windc_init(context);
+
+    return config;
 }
diff --git a/crypto/heimdal/kdc/connect.c b/crypto/heimdal/kdc/connect.c
index 9e9e481..c2df088 100644
--- a/crypto/heimdal/kdc/connect.c
+++ b/crypto/heimdal/kdc/connect.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,20 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: connect.c,v 1.90.2.2 2004/04/02 20:50:53 lha Exp $");
+RCSID("$Id: connect.c 22434 2008-01-14 09:21:37Z lha $");
+
+/* Should we enable the HTTP hack? */
+int enable_http = -1;
+
+/* Log over requests to the KDC */
+const char *request_log;
+
+/* A string describing on what ports to listen */
+const char *port_str;
+
+krb5_addresses explicit_addresses;
+
+size_t max_request;		/* maximal size of a request */
 
 /*
  * a tuple describing on what to listen
@@ -55,7 +68,8 @@ static int num_ports;
  */
 
 static void
-add_port(int family, int port, const char *protocol)
+add_port(krb5_context context, 
+	 int family, int port, const char *protocol)
 {
     int type;
     int i;
@@ -87,11 +101,12 @@ add_port(int family, int port, const char *protocol)
  */
 
 static void
-add_port_service(int family, const char *service, int port,
+add_port_service(krb5_context context, 
+		 int family, const char *service, int port,
 		 const char *protocol)
 {
     port = krb5_getportbyname (context, service, protocol, port);
-    add_port (family, port, protocol);
+    add_port (context, family, port, protocol);
 }
 
 /*
@@ -100,22 +115,23 @@ add_port_service(int family, const char *service, int port,
  */
 
 static void
-add_port_string (int family, const char *port_str, const char *protocol)
+add_port_string (krb5_context context, 
+		 int family, const char *str, const char *protocol)
 {
     struct servent *sp;
     int port;
 
-    sp = roken_getservbyname (port_str, protocol);
+    sp = roken_getservbyname (str, protocol);
     if (sp != NULL) {
 	port = sp->s_port;
     } else {
 	char *end;
 
-	port = htons(strtol(port_str, &end, 0));
-	if (end == port_str)
+	port = htons(strtol(str, &end, 0));
+	if (end == str)
 	    return;
     }
-    add_port (family, port, protocol);
+    add_port (context, family, port, protocol);
 }
 
 /*
@@ -123,26 +139,31 @@ add_port_string (int family, const char *port_str, const char *protocol)
  */
 
 static void
-add_standard_ports (int family)
+add_standard_ports (krb5_context context, 		 
+		    krb5_kdc_configuration *config,
+		    int family)
 {
-    add_port_service(family, "kerberos", 88, "udp");
-    add_port_service(family, "kerberos", 88, "tcp");
-    add_port_service(family, "kerberos-sec", 88, "udp");
-    add_port_service(family, "kerberos-sec", 88, "tcp");
+    add_port_service(context, family, "kerberos", 88, "udp");
+    add_port_service(context, family, "kerberos", 88, "tcp");
+    add_port_service(context, family, "kerberos-sec", 88, "udp");
+    add_port_service(context, family, "kerberos-sec", 88, "tcp");
     if(enable_http)
-	add_port_service(family, "http", 80, "tcp");
-    if(enable_524) {
-	add_port_service(family, "krb524", 4444, "udp");
-	add_port_service(family, "krb524", 4444, "tcp");
-    }
-#ifdef KRB4
-    if(enable_v4) {
-	add_port_service(family, "kerberos-iv", 750, "udp");
-	add_port_service(family, "kerberos-iv", 750, "tcp");
-    }
-    if (enable_kaserver)
-	add_port_service(family, "afs3-kaserver", 7004, "udp");
-#endif
+	add_port_service(context, family, "http", 80, "tcp");
+    if(config->enable_524) {
+	add_port_service(context, family, "krb524", 4444, "udp");
+	add_port_service(context, family, "krb524", 4444, "tcp");
+    }
+    if(config->enable_v4) {
+	add_port_service(context, family, "kerberos-iv", 750, "udp");
+	add_port_service(context, family, "kerberos-iv", 750, "tcp");
+    }
+    if (config->enable_kaserver)
+	add_port_service(context, family, "afs3-kaserver", 7004, "udp");
+    if(config->enable_kx509) {
+	add_port_service(context, family, "kca_service", 9878, "udp");
+	add_port_service(context, family, "kca_service", 9878, "tcp");
+    }
+
 }
 
 /*
@@ -152,7 +173,9 @@ add_standard_ports (int family)
  */
 
 static void
-parse_ports(const char *str)
+parse_ports(krb5_context context, 		 
+	    krb5_kdc_configuration *config,
+	    const char *str)
 {
     char *pos = NULL;
     char *p;
@@ -162,24 +185,24 @@ parse_ports(const char *str)
     while(p != NULL) {
 	if(strcmp(p, "+") == 0) {
 #ifdef HAVE_IPV6
-	    add_standard_ports(AF_INET6);
+	    add_standard_ports(context, config, AF_INET6);
 #endif
-	    add_standard_ports(AF_INET);
+	    add_standard_ports(context, config, AF_INET);
 	} else {
 	    char *q = strchr(p, '/');
 	    if(q){
 		*q++ = 0;
 #ifdef HAVE_IPV6
-		add_port_string(AF_INET6, p, q);
+		add_port_string(context, AF_INET6, p, q);
 #endif
-		add_port_string(AF_INET, p, q);
+		add_port_string(context, AF_INET, p, q);
 	    }else {
 #ifdef HAVE_IPV6
-		add_port_string(AF_INET6, p, "udp");
-		add_port_string(AF_INET6, p, "tcp");
+		add_port_string(context, AF_INET6, p, "udp");
+		add_port_string(context, AF_INET6, p, "tcp");
 #endif
-		add_port_string(AF_INET, p, "udp");
-		add_port_string(AF_INET, p, "tcp");
+		add_port_string(context, AF_INET, p, "udp");
+		add_port_string(context, AF_INET, p, "tcp");
 	    }
 	}
 	    
@@ -195,6 +218,7 @@ parse_ports(const char *str)
 struct descr {
     int s;
     int type;
+    int port;
     unsigned char *buf;
     size_t size;
     size_t len;
@@ -231,12 +255,14 @@ reinit_descrs (struct descr *d, int n)
  */
 
 static void 
-init_socket(struct descr *d, krb5_address *a, int family, int type, int port)
+init_socket(krb5_context context, 
+	    krb5_kdc_configuration *config,
+	    struct descr *d, krb5_address *a, int family, int type, int port)
 {
     krb5_error_code ret;
     struct sockaddr_storage __ss;
     struct sockaddr *sa = (struct sockaddr *)&__ss;
-    int sa_size = sizeof(__ss);
+    krb5_socklen_t sa_size = sizeof(__ss);
 
     init_descr (d);
 
@@ -264,6 +290,7 @@ init_socket(struct descr *d, krb5_address *a, int family, int type, int port)
     }
 #endif
     d->type = type;
+    d->port = port;
 
     if(bind(d->s, sa, sa_size) < 0){
 	char a_str[256];
@@ -293,7 +320,9 @@ init_socket(struct descr *d, krb5_address *a, int family, int type, int port)
  */
 
 static int
-init_sockets(struct descr **desc)
+init_sockets(krb5_context context, 
+	     krb5_kdc_configuration *config,
+	     struct descr **desc)
 {
     krb5_error_code ret;
     int i, j;
@@ -308,7 +337,7 @@ init_sockets(struct descr **desc)
 	if (ret)
 	    krb5_err (context, 1, ret, "krb5_get_all_server_addrs");
     }
-    parse_ports(port_str);
+    parse_ports(context, config, port_str);
     d = malloc(addresses.len * num_ports * sizeof(*d));
     if (d == NULL)
 	krb5_errx(context, 1, "malloc(%lu) failed",
@@ -316,7 +345,7 @@ init_sockets(struct descr **desc)
 
     for (i = 0; i < num_ports; i++){
 	for (j = 0; j < addresses.len; ++j) {
-	    init_socket(&d[num], &addresses.val[j],
+	    init_socket(context, config, &d[num], &addresses.val[j],
 			ports[i].family, ports[i].type, ports[i].port);
 	    if(d[num].s != -1){
 		char a_str[80];
@@ -325,7 +354,7 @@ init_sockets(struct descr **desc)
 		krb5_print_address (&addresses.val[j], a_str,
 				    sizeof(a_str), &len);
 
-		kdc_log(5, "listening on %s port %u/%s",
+		kdc_log(context, config, 5, "listening on %s port %u/%s",
 			a_str,
 			ntohs(ports[i].port), 
 			(ports[i].type == SOCK_STREAM) ? "tcp" : "udp");
@@ -345,52 +374,22 @@ init_sockets(struct descr **desc)
 }
 
 /*
- * handle the request in `buf, len', from `addr' (or `from' as a string),
- * sending a reply in `reply'.
+ *
  */
 
-static int
-process_request(unsigned char *buf, 
-		size_t len, 
-		krb5_data *reply,
-		int *sendlength,
-		const char *from,
-		struct sockaddr *addr)
+static const char *
+descr_type(struct descr *d)
 {
-    KDC_REQ req;
-    Ticket ticket;
-    krb5_error_code ret;
-    size_t i;
-
-    gettimeofday(&now, NULL);
-    if(decode_AS_REQ(buf, len, &req, &i) == 0){
-	ret = as_rep(&req, reply, from, addr);
-	free_AS_REQ(&req);
-	return ret;
-    }else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
-	ret = tgs_rep(&req, reply, from, addr);
-	free_TGS_REQ(&req);
-	return ret;
-    }else if(decode_Ticket(buf, len, &ticket, &i) == 0){
-	ret = do_524(&ticket, reply, from, addr);
-	free_Ticket(&ticket);
-	return ret;
-#ifdef KRB4
-    } else if(maybe_version4(buf, len)){
-	*sendlength = 0; /* elbitapmoc sdrawkcab XXX */
-	do_version4(buf, len, reply, from, (struct sockaddr_in*)addr);
-	return 0;
-    } else if (enable_kaserver) {
-	ret = do_kaserver (buf, len, reply, from, (struct sockaddr_in*)addr);
-	return ret;
-#endif
-    }
-			  
-    return -1;
+    if (d->type == SOCK_DGRAM)
+	return "udp";
+    else if (d->type == SOCK_STREAM)
+	return "tcp";
+    return "unknown";
 }
 
 static void
-addr_to_string(struct sockaddr *addr, size_t addr_len, char *str, size_t len)
+addr_to_string(krb5_context context, 		 
+	       struct sockaddr *addr, size_t addr_len, char *str, size_t len)
 {
     krb5_address a;
     if(krb5_sockaddr2address(context, addr, &a) == 0) {
@@ -404,43 +403,68 @@ addr_to_string(struct sockaddr *addr, size_t addr_len, char *str, size_t len)
 }
 
 /*
+ *
+ */
+
+static void
+send_reply(krb5_context context, 
+	   krb5_kdc_configuration *config,
+	   krb5_boolean prependlength,
+	   struct descr *d,
+	   krb5_data *reply)
+{
+    kdc_log(context, config, 5,
+	    "sending %lu bytes to %s", (unsigned long)reply->length,
+	    d->addr_string);
+    if(prependlength){
+	unsigned char l[4];
+	l[0] = (reply->length >> 24) & 0xff;
+	l[1] = (reply->length >> 16) & 0xff;
+	l[2] = (reply->length >> 8) & 0xff;
+	l[3] = reply->length & 0xff;
+	if(sendto(d->s, l, sizeof(l), 0, d->sa, d->sock_len) < 0) {
+	    kdc_log (context, config, 
+		     0, "sendto(%s): %s", d->addr_string, strerror(errno));
+	    return;
+	}
+    }
+    if(sendto(d->s, reply->data, reply->length, 0, d->sa, d->sock_len) < 0) {
+	kdc_log (context, config, 
+		 0, "sendto(%s): %s", d->addr_string, strerror(errno));
+	return;
+    }
+}
+
+/*
  * Handle the request in `buf, len' to socket `d'
  */
 
 static void
-do_request(void *buf, size_t len, int sendlength,
+do_request(krb5_context context, 
+	   krb5_kdc_configuration *config,
+	   void *buf, size_t len, krb5_boolean prependlength,
 	   struct descr *d)
 {
     krb5_error_code ret;
     krb5_data reply;
-    
-    reply.length = 0;
-    ret = process_request(buf, len, &reply, &sendlength,
-			  d->addr_string, d->sa);
+    int datagram_reply = (d->type == SOCK_DGRAM);
+
+    krb5_kdc_update_time(NULL);
+
+    krb5_data_zero(&reply);
+    ret = krb5_kdc_process_request(context, config, 
+				   buf, len, &reply, &prependlength,
+				   d->addr_string, d->sa,
+				   datagram_reply);
+    if(request_log)
+	krb5_kdc_save_request(context, request_log, buf, len, &reply, d->sa);
     if(reply.length){
-	kdc_log(5, "sending %lu bytes to %s", (unsigned long)reply.length,
-		d->addr_string);
-	if(sendlength){
-	    unsigned char len[4];
-	    len[0] = (reply.length >> 24) & 0xff;
-	    len[1] = (reply.length >> 16) & 0xff;
-	    len[2] = (reply.length >> 8) & 0xff;
-	    len[3] = reply.length & 0xff;
-	    if(sendto(d->s, len, sizeof(len), 0, d->sa, d->sock_len) < 0) {
-		kdc_log (0, "sendto(%s): %s", d->addr_string, strerror(errno));
-		krb5_data_free(&reply);
-		return;
-	    }
-	}
-	if(sendto(d->s, reply.data, reply.length, 0, d->sa, d->sock_len) < 0) {
-	    kdc_log (0, "sendto(%s): %s", d->addr_string, strerror(errno));
-	    krb5_data_free(&reply);
-	    return;
-	}
+	send_reply(context, config, prependlength, d, &reply);
 	krb5_data_free(&reply);
     }
     if(ret)
-	kdc_log(0, "Failed processing %lu byte request from %s", 
+	kdc_log(context, config, 0, 
+		"Failed processing %lu byte request from %s", 
 		(unsigned long)len, d->addr_string);
 }
 
@@ -449,14 +473,16 @@ do_request(void *buf, size_t len, int sendlength,
  */
 
 static void
-handle_udp(struct descr *d)
+handle_udp(krb5_context context, 
+	   krb5_kdc_configuration *config,
+	   struct descr *d)
 {
     unsigned char *buf;
     int n;
 
     buf = malloc(max_request);
     if(buf == NULL){
-	kdc_log(0, "Failed to allocate %lu bytes", (unsigned long)max_request);
+	kdc_log(context, config, 0, "Failed to allocate %lu bytes", (unsigned long)max_request);
 	return;
     }
 
@@ -465,9 +491,9 @@ handle_udp(struct descr *d)
     if(n < 0)
 	krb5_warn(context, errno, "recvfrom");
     else {
-	addr_to_string (d->sa, d->sock_len,
+	addr_to_string (context, d->sa, d->sock_len,
 			d->addr_string, sizeof(d->addr_string));
-	do_request(buf, n, 0, d);
+	do_request(context, config, buf, n, FALSE, d);
     }
     free (buf);
 }
@@ -488,11 +514,11 @@ clear_descr(struct descr *d)
 static int
 de_http(char *buf)
 {
-    char *p, *q;
-    for(p = q = buf; *p; p++, q++) {
+    unsigned char *p, *q;
+    for(p = q = (unsigned char *)buf; *p; p++, q++) {
 	if(*p == '%' && isxdigit(p[1]) && isxdigit(p[2])) {
 	    unsigned int x;
-	    if(sscanf(p + 1, "%2x", &x) != 1)
+	    if(sscanf((char *)p + 1, "%2x", &x) != 1)
 		return -1;
 	    *q = x;
 	    p += 2;
@@ -510,7 +536,9 @@ de_http(char *buf)
  */
 
 static void
-add_new_tcp (struct descr *d, int parent, int child)
+add_new_tcp (krb5_context context, 
+	     krb5_kdc_configuration *config,
+	     struct descr *d, int parent, int child)
 {
     int s;
 
@@ -533,7 +561,8 @@ add_new_tcp (struct descr *d, int parent, int child)
     d[child].s = s;
     d[child].timeout = time(NULL) + TCP_TIMEOUT;
     d[child].type = SOCK_STREAM;
-    addr_to_string (d[child].sa, d[child].sock_len,
+    addr_to_string (context, 
+		    d[child].sa, d[child].sock_len,
 		    d[child].addr_string, sizeof(d[child].addr_string));
 }
 
@@ -543,7 +572,9 @@ add_new_tcp (struct descr *d, int parent, int child)
  */
 
 static int
-grow_descr (struct descr *d, size_t n)
+grow_descr (krb5_context context, 
+	    krb5_kdc_configuration *config,
+	    struct descr *d, size_t n)
 {
     if (d->size - d->len < n) {
 	unsigned char *tmp;
@@ -551,14 +582,14 @@ grow_descr (struct descr *d, size_t n)
 
 	grow = max(1024, d->len + n);
 	if (d->size + grow > max_request) {
-	    kdc_log(0, "Request exceeds max request size (%lu bytes).",
+	    kdc_log(context, config, 0, "Request exceeds max request size (%lu bytes).",
 		    (unsigned long)d->size + grow);
 	    clear_descr(d);
 	    return -1;
 	}
 	tmp = realloc (d->buf, d->size + grow);
 	if (tmp == NULL) {
-	    kdc_log(0, "Failed to re-allocate %lu bytes.",
+	    kdc_log(context, config, 0, "Failed to re-allocate %lu bytes.",
 		    (unsigned long)d->size + grow);
 	    clear_descr(d);
 	    return -1;
@@ -575,20 +606,23 @@ grow_descr (struct descr *d, size_t n)
  */
 
 static int
-handle_vanilla_tcp (struct descr *d)
+handle_vanilla_tcp (krb5_context context, 
+		    krb5_kdc_configuration *config,
+		    struct descr *d)
 {
     krb5_storage *sp;
-    int32_t len;
+    uint32_t len;
 
     sp = krb5_storage_from_mem(d->buf, d->len);
     if (sp == NULL) {
-	kdc_log (0, "krb5_storage_from_mem failed");
+	kdc_log (context, config, 0, "krb5_storage_from_mem failed");
 	return -1;
     }
-    krb5_ret_int32(sp, &len);
+    krb5_ret_uint32(sp, &len);
     krb5_storage_free(sp);
     if(d->len - 4 >= len) {
 	memmove(d->buf, d->buf + 4, d->len - 4);
+	d->len -= 4;
 	return 1;
     }
     return 0;
@@ -600,7 +634,9 @@ handle_vanilla_tcp (struct descr *d)
  */
 
 static int
-handle_http_tcp (struct descr *d)
+handle_http_tcp (krb5_context context, 
+		 krb5_kdc_configuration *config,
+		 struct descr *d)
 {
     char *s, *p, *t;
     void *data;
@@ -611,7 +647,7 @@ handle_http_tcp (struct descr *d)
 
     p = strstr(s, "\r\n");
     if (p == NULL) {
-	kdc_log(0, "Malformed HTTP request from %s", d->addr_string);
+	kdc_log(context, config, 0, "Malformed HTTP request from %s", d->addr_string);
 	return -1;
     }
     *p = 0;
@@ -619,31 +655,31 @@ handle_http_tcp (struct descr *d)
     p = NULL;
     t = strtok_r(s, " \t", &p);
     if (t == NULL) {
-	kdc_log(0, "Malformed HTTP request from %s", d->addr_string);
+	kdc_log(context, config, 0, "Malformed HTTP request from %s", d->addr_string);
 	return -1;
     }
     t = strtok_r(NULL, " \t", &p);
     if(t == NULL) {
-	kdc_log(0, "Malformed HTTP request from %s", d->addr_string);
+	kdc_log(context, config, 0, "Malformed HTTP request from %s", d->addr_string);
 	return -1;
     }
     data = malloc(strlen(t));
     if (data == NULL) {
-	kdc_log(0, "Failed to allocate %lu bytes",
+	kdc_log(context, config, 0, "Failed to allocate %lu bytes",
 		(unsigned long)strlen(t));
 	return -1;
     }
     if(*t == '/')
 	t++;
     if(de_http(t) != 0) {
-	kdc_log(0, "Malformed HTTP request from %s", d->addr_string);
-	kdc_log(5, "Request: %s", t);
+	kdc_log(context, config, 0, "Malformed HTTP request from %s", d->addr_string);
+	kdc_log(context, config, 5, "HTTP request: %s", t);
 	free(data);
 	return -1;
     }
     proto = strtok_r(NULL, " \t", &p);
     if (proto == NULL) {
-	kdc_log(0, "Malformed HTTP request from %s", d->addr_string);
+	kdc_log(context, config, 0, "Malformed HTTP request from %s", d->addr_string);
 	free(data);
 	return -1;
     }
@@ -659,12 +695,20 @@ handle_http_tcp (struct descr *d)
 	    "<TITLE>404 Not found</TITLE>\r\n"
 	    "<H1>404 Not found</H1>\r\n"
 	    "That page doesn't exist, maybe you are looking for "
-	    "<A HREF=\"http://www.pdc.kth.se/heimdal/\">Heimdal</A>?\r\n";
-	write(d->s, proto, strlen(proto));
-	write(d->s, msg, strlen(msg));
-	kdc_log(0, "HTTP request from %s is non KDC request", d->addr_string);
-	kdc_log(5, "Request: %s", t);
+	    "<A HREF=\"http://www.h5l.org/\">Heimdal</A>?\r\n";
+	kdc_log(context, config, 0, "HTTP request from %s is non KDC request", d->addr_string);
+	kdc_log(context, config, 5, "HTTP request: %s", t);
 	free(data);
+	if (write(d->s, proto, strlen(proto)) < 0) {
+	    kdc_log(context, config, 0, "HTTP write failed: %s: %s", 
+		    d->addr_string, strerror(errno));
+	    return -1;
+	}
+	if (write(d->s, msg, strlen(msg)) < 0) {
+	    kdc_log(context, config, 0, "HTTP write failed: %s: %s", 
+		    d->addr_string, strerror(errno));
+	    return -1;
+	}
 	return -1;
     }
     {
@@ -675,8 +719,16 @@ handle_http_tcp (struct descr *d)
 	    "Pragma: no-cache\r\n"
 	    "Content-type: application/octet-stream\r\n"
 	    "Content-transfer-encoding: binary\r\n\r\n";
-	write(d->s, proto, strlen(proto));
-	write(d->s, msg, strlen(msg));
+	if (write(d->s, proto, strlen(proto)) < 0) {
+	    kdc_log(context, config, 0, "HTTP write failed: %s: %s", 
+		    d->addr_string, strerror(errno));
+	    return -1;
+	}
+	if (write(d->s, msg, strlen(msg)) < 0) {
+	    kdc_log(context, config, 0, "HTTP write failed: %s: %s", 
+		    d->addr_string, strerror(errno));
+	    return -1;
+	}
     }
     memcpy(d->buf, data, len);
     d->len = len;
@@ -689,63 +741,94 @@ handle_http_tcp (struct descr *d)
  */
 
 static void
-handle_tcp(struct descr *d, int index, int min_free)
+handle_tcp(krb5_context context, 
+	   krb5_kdc_configuration *config,
+	   struct descr *d, int idx, int min_free)
 {
     unsigned char buf[1024];
     int n;
     int ret = 0;
 
-    if (d[index].timeout == 0) {
-	add_new_tcp (d, index, min_free);
+    if (d[idx].timeout == 0) {
+	add_new_tcp (context, config, d, idx, min_free);
 	return;
     }
 
-    n = recvfrom(d[index].s, buf, sizeof(buf), 0, NULL, NULL);
+    n = recvfrom(d[idx].s, buf, sizeof(buf), 0, NULL, NULL);
     if(n < 0){
-	krb5_warn(context, errno, "recvfrom");
+	krb5_warn(context, errno, "recvfrom failed from %s to %s/%d",
+		  d[idx].addr_string, descr_type(d + idx), 
+		  ntohs(d[idx].port));
 	return;
     } else if (n == 0) {
 	krb5_warnx(context, "connection closed before end of data after %lu "
-		   "bytes from %s",
-		   (unsigned long)d[index].len, d[index].addr_string);
-	clear_descr (d + index);
+		   "bytes from %s to %s/%d", (unsigned long)d[idx].len, 
+		   d[idx].addr_string, descr_type(d + idx), 
+		   ntohs(d[idx].port));
+	clear_descr (d + idx);
 	return;
     }
-    if (grow_descr (&d[index], n))
+    if (grow_descr (context, config, &d[idx], n))
 	return;
-    memcpy(d[index].buf + d[index].len, buf, n);
-    d[index].len += n;
-    if(d[index].len > 4 && d[index].buf[0] == 0) {
-	ret = handle_vanilla_tcp (&d[index]);
+    memcpy(d[idx].buf + d[idx].len, buf, n);
+    d[idx].len += n;
+    if(d[idx].len > 4 && d[idx].buf[0] == 0) {
+	ret = handle_vanilla_tcp (context, config, &d[idx]);
     } else if(enable_http &&
-	      d[index].len >= 4 &&
-	      strncmp((char *)d[index].buf, "GET ", 4) == 0 && 
-	      strncmp((char *)d[index].buf + d[index].len - 4,
+	      d[idx].len >= 4 &&
+	      strncmp((char *)d[idx].buf, "GET ", 4) == 0 && 
+	      strncmp((char *)d[idx].buf + d[idx].len - 4,
 		      "\r\n\r\n", 4) == 0) {
-	ret = handle_http_tcp (&d[index]);
+	ret = handle_http_tcp (context, config, &d[idx]);
 	if (ret < 0)
-	    clear_descr (d + index);
-    } else if (d[index].len > 4) {
-	kdc_log (0, "TCP data of strange type from %s", d[index].addr_string);
+	    clear_descr (d + idx);
+    } else if (d[idx].len > 4) {
+	kdc_log (context, config, 
+		 0, "TCP data of strange type from %s to %s/%d",
+		 d[idx].addr_string, descr_type(d + idx), 
+		 ntohs(d[idx].port));
+	if (d[idx].buf[0] & 0x80) {
+	    krb5_data reply;
+
+	    kdc_log (context, config, 0, "TCP extension not supported");
+
+	    ret = krb5_mk_error(context,
+				KRB5KRB_ERR_FIELD_TOOLONG,
+				NULL,
+				NULL,
+				NULL,
+				NULL,
+				NULL,
+				NULL,
+				&reply);
+	    if (ret == 0) {
+		send_reply(context, config, TRUE, d + idx, &reply);
+		krb5_data_free(&reply);
+	    }
+	}
+	clear_descr(d + idx);
 	return;
     }
     if (ret < 0)
 	return;
     else if (ret == 1) {
-	do_request(d[index].buf, d[index].len, 1, &d[index]);
-	clear_descr(d + index);
+	do_request(context, config, 
+		   d[idx].buf, d[idx].len, TRUE, &d[idx]);
+	clear_descr(d + idx);
     }
 }
 
 void
-loop(void)
+loop(krb5_context context, 
+     krb5_kdc_configuration *config)
 {
     struct descr *d;
     int ndescr;
 
-    ndescr = init_sockets(&d);
+    ndescr = init_sockets(context, config, &d);
     if(ndescr <= 0)
 	krb5_errx(context, 1, "No sockets!");
+    kdc_log(context, config, 0, "KDC started");
     while(exit_flag == 0){
 	struct timeval tmout;
 	fd_set fds;
@@ -758,7 +841,8 @@ loop(void)
 	    if(d[i].s >= 0){
 		if(d[i].type == SOCK_STREAM && 
 		   d[i].timeout && d[i].timeout < time(NULL)) {
-		    kdc_log(1, "TCP-connection from %s expired after %lu bytes",
+		    kdc_log(context, config, 1, 
+			    "TCP-connection from %s expired after %lu bytes",
 			    d[i].addr_string, (unsigned long)d[i].len);
 		    clear_descr(&d[i]);
 		    continue;
@@ -800,11 +884,17 @@ loop(void)
 	    for(i = 0; i < ndescr; i++)
 		if(d[i].s >= 0 && FD_ISSET(d[i].s, &fds)) {
 		    if(d[i].type == SOCK_DGRAM)
-			handle_udp(&d[i]);
+			handle_udp(context, config, &d[i]);
 		    else if(d[i].type == SOCK_STREAM)
-			handle_tcp(d, i, min_free);
+			handle_tcp(context, config, d, i, min_free);
 		}
 	}
     }
+    if(exit_flag == SIGXCPU)
+	kdc_log(context, config, 0, "CPU time limit exceeded");
+    else if(exit_flag == SIGINT || exit_flag == SIGTERM)
+	kdc_log(context, config, 0, "Terminated");
+    else
+	kdc_log(context, config, 0, "Unexpected exit reason: %d", exit_flag);
     free (d);
 }
diff --git a/crypto/heimdal/kdc/default_config.c b/crypto/heimdal/kdc/default_config.c
new file mode 100644
index 0000000..5f336e3
--- /dev/null
+++ b/crypto/heimdal/kdc/default_config.c
@@ -0,0 +1,285 @@
+/*
+ * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ *
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+#include <getarg.h>
+#include <parse_bytes.h>
+
+RCSID("$Id: default_config.c 21405 2007-07-04 10:35:45Z lha $");
+
+krb5_error_code
+krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
+{
+    krb5_kdc_configuration *c;
+
+    c = calloc(1, sizeof(*c));
+    if (c == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+
+    c->require_preauth = TRUE;
+    c->kdc_warn_pwexpire = 0;
+    c->encode_as_rep_as_tgs_rep = FALSE;
+    c->check_ticket_addresses = TRUE;
+    c->allow_null_ticket_addresses = TRUE;
+    c->allow_anonymous = FALSE;
+    c->trpolicy = TRPOLICY_ALWAYS_CHECK;
+    c->enable_v4 = FALSE;
+    c->enable_kaserver = FALSE;
+    c->enable_524 = FALSE;
+    c->enable_v4_cross_realm = FALSE;
+    c->enable_pkinit = FALSE;
+    c->pkinit_princ_in_cert = TRUE;
+    c->pkinit_require_binding = TRUE;
+    c->db = NULL;
+    c->num_db = 0;
+    c->logf = NULL;
+
+    c->require_preauth =
+	krb5_config_get_bool_default(context, NULL, 
+				     c->require_preauth,
+				     "kdc", "require-preauth", NULL);
+    c->enable_v4 = 
+	krb5_config_get_bool_default(context, NULL, 
+				     c->enable_v4, 
+				     "kdc", "enable-kerberos4", NULL);
+    c->enable_v4_cross_realm =
+	krb5_config_get_bool_default(context, NULL,
+				     c->enable_v4_cross_realm, 
+				     "kdc",
+				     "enable-kerberos4-cross-realm", NULL);
+    c->enable_524 =
+	krb5_config_get_bool_default(context, NULL, 
+				     c->enable_v4, 
+				     "kdc", "enable-524", NULL);
+    c->enable_digest = 
+	krb5_config_get_bool_default(context, NULL, 
+				     FALSE,
+				     "kdc", "enable-digest", NULL);
+
+    {
+	const char *digests;
+
+	digests = krb5_config_get_string(context, NULL, 
+					 "kdc", 
+					 "digests_allowed", NULL);
+	if (digests == NULL)
+	    digests = "ntlm-v2";
+	c->digests_allowed = parse_flags(digests,_kdc_digestunits, 0);
+	if (c->digests_allowed == -1) {
+	    kdc_log(context, c, 0,
+		    "unparsable digest units (%s), turning off digest",
+		    digests);
+	    c->enable_digest = 0;
+	} else if (c->digests_allowed == 0) {
+	    kdc_log(context, c, 0,
+		    "no digest enable, turning digest off",
+		    digests);
+	    c->enable_digest = 0;
+	}
+    }
+
+    c->enable_kx509 = 
+	krb5_config_get_bool_default(context, NULL, 
+				     FALSE, 
+				     "kdc", "enable-kx509", NULL);
+
+    if (c->enable_kx509) {
+	c->kx509_template =
+	    krb5_config_get_string(context, NULL, 
+				   "kdc", "kx509_template", NULL);
+	c->kx509_ca =
+	    krb5_config_get_string(context, NULL, 
+				   "kdc", "kx509_ca", NULL);
+	if (c->kx509_ca == NULL || c->kx509_template == NULL) {
+	    kdc_log(context, c, 0,
+		    "missing kx509 configuration, turning off");
+	    c->enable_kx509 = FALSE;
+	}
+    }
+
+    c->check_ticket_addresses = 
+	krb5_config_get_bool_default(context, NULL, 
+				     c->check_ticket_addresses, 
+				     "kdc", 
+				     "check-ticket-addresses", NULL);
+    c->allow_null_ticket_addresses = 
+	krb5_config_get_bool_default(context, NULL, 
+				     c->allow_null_ticket_addresses, 
+				     "kdc", 
+				     "allow-null-ticket-addresses", NULL);
+
+    c->allow_anonymous = 
+	krb5_config_get_bool_default(context, NULL, 
+				     c->allow_anonymous,
+				     "kdc", 
+				     "allow-anonymous", NULL);
+
+    c->max_datagram_reply_length =
+	krb5_config_get_int_default(context, 
+				    NULL, 
+				    1400,
+				    "kdc",
+				    "max-kdc-datagram-reply-length",
+				    NULL);
+
+    {
+	const char *trpolicy_str;
+
+	trpolicy_str = 
+	    krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc", 
+					   "transited-policy", NULL);
+	if(strcasecmp(trpolicy_str, "always-check") == 0) {
+	    c->trpolicy = TRPOLICY_ALWAYS_CHECK;
+	} else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
+	    c->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
+	} else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) {
+	    c->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
+	} else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) { 
+	    /* default */
+	} else {
+	    kdc_log(context, c, 0,
+		    "unknown transited-policy: %s, "
+		    "reverting to default (always-check)", 
+		    trpolicy_str);
+	}
+    }
+
+    {
+	const char *p;
+	p = krb5_config_get_string (context, NULL, 
+				    "kdc",
+				    "v4-realm",
+				    NULL);
+	if(p != NULL) {
+	    c->v4_realm = strdup(p);
+	    if (c->v4_realm == NULL)
+		krb5_errx(context, 1, "out of memory");
+	} else {
+	    c->v4_realm = NULL;
+	}
+    }
+
+    c->enable_kaserver = 
+	krb5_config_get_bool_default(context, 
+				     NULL, 
+				     c->enable_kaserver,
+				     "kdc", "enable-kaserver", NULL);
+
+
+    c->encode_as_rep_as_tgs_rep =
+	krb5_config_get_bool_default(context, NULL, 
+				     c->encode_as_rep_as_tgs_rep, 
+				     "kdc", 
+				     "encode_as_rep_as_tgs_rep", NULL);
+    
+    c->kdc_warn_pwexpire =
+	krb5_config_get_time_default (context, NULL,
+				      c->kdc_warn_pwexpire,
+				      "kdc", "kdc_warn_pwexpire", NULL);
+
+
+#ifdef PKINIT
+    c->enable_pkinit = 
+	krb5_config_get_bool_default(context, 
+				     NULL, 
+				     c->enable_pkinit,
+				     "kdc",
+				     "enable-pkinit",
+				     NULL);
+    if (c->enable_pkinit) {
+	const char *user_id, *anchors, *ocsp_file;
+	char **pool_list, **revoke_list;
+
+	user_id = 
+	    krb5_config_get_string(context, NULL,
+				   "kdc", "pkinit_identity", NULL);
+	if (user_id == NULL)
+	    krb5_errx(context, 1, "pkinit enabled but no identity");
+
+	anchors = krb5_config_get_string(context, NULL,
+					 "kdc", "pkinit_anchors", NULL);
+	if (anchors == NULL)
+	    krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
+
+	pool_list =
+	    krb5_config_get_strings(context, NULL,
+				    "kdc", "pkinit_pool", NULL);
+
+	revoke_list =
+	    krb5_config_get_strings(context, NULL,
+				    "kdc", "pkinit_revoke", NULL);
+
+	ocsp_file = 
+	    krb5_config_get_string(context, NULL,
+				   "kdc", "pkinit_kdc_ocsp", NULL);
+	if (ocsp_file) {
+	    c->pkinit_kdc_ocsp_file = strdup(ocsp_file);
+	    if (c->pkinit_kdc_ocsp_file == NULL)
+		krb5_errx(context, 1, "out of memory");
+	}
+
+	_kdc_pk_initialize(context, c, user_id, anchors, 
+			   pool_list, revoke_list);
+
+	krb5_config_free_strings(pool_list);
+	krb5_config_free_strings(revoke_list);
+
+	c->pkinit_princ_in_cert = 
+	    krb5_config_get_bool_default(context, NULL,
+					 c->pkinit_princ_in_cert,
+					 "kdc",
+					 "pkinit_principal_in_certificate",
+					 NULL);
+
+	c->pkinit_require_binding = 
+	    krb5_config_get_bool_default(context, NULL,
+					 c->pkinit_require_binding,
+					 "kdc",
+					 "pkinit_win2k_require_binding",
+					 NULL);
+    }
+
+    c->pkinit_dh_min_bits =
+	krb5_config_get_int_default(context, NULL, 
+				    0,
+				    "kdc", "pkinit_dh_min_bits", NULL);
+
+#endif
+
+    *config = c;
+
+    return 0;
+}
diff --git a/crypto/heimdal/kdc/digest.c b/crypto/heimdal/kdc/digest.c
new file mode 100644
index 0000000..b845b0f
--- /dev/null
+++ b/crypto/heimdal/kdc/digest.c
@@ -0,0 +1,1456 @@
+/*
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+#include <hex.h>
+
+RCSID("$Id: digest.c 22374 2007-12-28 18:36:52Z lha $");
+
+#define MS_CHAP_V2	0x20
+#define CHAP_MD5	0x10
+#define DIGEST_MD5	0x08
+#define NTLM_V2		0x04
+#define NTLM_V1_SESSION	0x02
+#define NTLM_V1		0x01
+
+const struct units _kdc_digestunits[] = {
+	{"ms-chap-v2",		1U << 5},
+	{"chap-md5",		1U << 4},
+	{"digest-md5",		1U << 3},
+	{"ntlm-v2",		1U << 2},
+	{"ntlm-v1-session",	1U << 1},
+	{"ntlm-v1",		1U << 0},
+	{NULL,	0}
+};
+
+
+static krb5_error_code
+get_digest_key(krb5_context context,
+	       krb5_kdc_configuration *config,
+	       hdb_entry_ex *server,
+	       krb5_crypto *crypto)
+{
+    krb5_error_code ret;
+    krb5_enctype enctype;
+    Key *key;
+    
+    ret = _kdc_get_preferred_key(context,
+				 config,
+				 server,
+				 "digest-service",
+				 &enctype,
+				 &key);
+    if (ret)
+	return ret;
+    return krb5_crypto_init(context, &key->key, 0, crypto);
+}
+
+/*
+ *
+ */
+
+static char *
+get_ntlm_targetname(krb5_context context,
+		    hdb_entry_ex *client)
+{
+    char *targetname, *p;
+
+    targetname = strdup(krb5_principal_get_realm(context,
+						 client->entry.principal));
+    if (targetname == NULL)
+	return NULL;
+
+    p = strchr(targetname, '.');
+    if (p)
+	*p = '\0';
+
+    strupr(targetname);
+    return targetname;
+}
+
+static krb5_error_code
+fill_targetinfo(krb5_context context,
+		char *targetname,
+		hdb_entry_ex *client,
+		krb5_data *data)
+{
+    struct ntlm_targetinfo ti;
+    krb5_error_code ret;
+    struct ntlm_buf d;
+    krb5_principal p;
+    const char *str;
+
+    memset(&ti, 0, sizeof(ti));
+
+    ti.domainname = targetname;
+    p = client->entry.principal;
+    str = krb5_principal_get_comp_string(context, p, 0);
+    if (str != NULL && 
+	(strcmp("host", str) == 0 || 
+	 strcmp("ftp", str) == 0 ||
+	 strcmp("imap", str) == 0 ||
+	 strcmp("pop", str) == 0 ||
+	 strcmp("smtp", str)))
+    {
+	str = krb5_principal_get_comp_string(context, p, 1);
+	ti.dnsservername = rk_UNCONST(str);
+    }
+    
+    ret = heim_ntlm_encode_targetinfo(&ti, 1, &d);
+    if (ret)
+	return ret;
+
+    data->data = d.data;
+    data->length = d.length;
+
+    return 0;
+}
+
+
+static const unsigned char ms_chap_v2_magic1[39] = {
+    0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
+    0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
+    0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
+    0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74
+};
+static const unsigned char ms_chap_v2_magic2[41] = {
+    0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
+    0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
+    0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
+    0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
+    0x6E
+};
+static const unsigned char ms_rfc3079_magic1[27] = {
+    0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74,
+    0x68, 0x65, 0x20, 0x4d, 0x50, 0x50, 0x45, 0x20, 0x4d,
+    0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x4b, 0x65, 0x79
+};
+
+/*
+ *
+ */
+
+static krb5_error_code
+get_password_entry(krb5_context context,
+		   krb5_kdc_configuration *config,
+		   const char *username,
+		   char **password)
+{
+    krb5_principal clientprincipal;
+    krb5_error_code ret;
+    hdb_entry_ex *user;
+    HDB *db;
+
+    /* get username */
+    ret = krb5_parse_name(context, username, &clientprincipal);
+    if (ret)
+	return ret;
+
+    ret = _kdc_db_fetch(context, config, clientprincipal,
+			HDB_F_GET_CLIENT, &db, &user);
+    krb5_free_principal(context, clientprincipal);
+    if (ret)
+	return ret;
+
+    ret = hdb_entry_get_password(context, db, &user->entry, password);
+    if (ret || password == NULL) {
+	if (ret == 0) {
+	    ret = EINVAL;
+	    krb5_set_error_string(context, "password missing");
+	}
+	memset(user, 0, sizeof(*user));
+    }
+    _kdc_free_ent (context, user);
+    return ret;
+}
+
+/*
+ *
+ */
+
+krb5_error_code
+_kdc_do_digest(krb5_context context, 
+	       krb5_kdc_configuration *config,
+	       const DigestREQ *req, krb5_data *reply,
+	       const char *from, struct sockaddr *addr)
+{
+    krb5_error_code ret = 0;
+    krb5_ticket *ticket = NULL;
+    krb5_auth_context ac = NULL;
+    krb5_keytab id = NULL;
+    krb5_crypto crypto = NULL;
+    DigestReqInner ireq;
+    DigestRepInner r;
+    DigestREP rep;
+    krb5_flags ap_req_options;
+    krb5_data buf;
+    size_t size;
+    krb5_storage *sp = NULL;
+    Checksum res;
+    hdb_entry_ex *server = NULL, *user = NULL;
+    hdb_entry_ex *client = NULL;
+    char *client_name = NULL, *password = NULL;
+    krb5_data serverNonce;
+
+    if(!config->enable_digest) {
+	kdc_log(context, config, 0, 
+		"Rejected digest request (disabled) from %s", from);
+	return KRB5KDC_ERR_POLICY;
+    }
+
+    krb5_data_zero(&buf);
+    krb5_data_zero(reply);
+    krb5_data_zero(&serverNonce);
+    memset(&ireq, 0, sizeof(ireq));
+    memset(&r, 0, sizeof(r));
+    memset(&rep, 0, sizeof(rep));
+
+    kdc_log(context, config, 0, "Digest request from %s", from);
+
+    ret = krb5_kt_resolve(context, "HDB:", &id);
+    if (ret) {
+	kdc_log(context, config, 0, "Can't open database for digest");
+	goto out;
+    }
+
+    ret = krb5_rd_req(context, 
+		      &ac,
+		      &req->apReq,
+		      NULL,
+		      id,
+		      &ap_req_options,
+		      &ticket);
+    if (ret)
+	goto out;
+
+    /* check the server principal in the ticket matches digest/R@R */
+    {
+	krb5_principal principal = NULL;
+	const char *p, *r;
+
+	ret = krb5_ticket_get_server(context, ticket, &principal);
+	if (ret)
+	    goto out;
+
+	ret = EINVAL;
+	krb5_set_error_string(context, "Wrong digest server principal used");
+	p = krb5_principal_get_comp_string(context, principal, 0);
+	if (p == NULL) {
+	    krb5_free_principal(context, principal);
+	    goto out;
+	}
+	if (strcmp(p, KRB5_DIGEST_NAME) != 0) {
+	    krb5_free_principal(context, principal);
+	    goto out;
+	}
+
+	p = krb5_principal_get_comp_string(context, principal, 1);
+	if (p == NULL) {
+	    krb5_free_principal(context, principal);
+	    goto out;
+	}
+	r = krb5_principal_get_realm(context, principal);
+	if (r == NULL) {
+	    krb5_free_principal(context, principal);
+	    goto out;
+	}
+	if (strcmp(p, r) != 0) {
+	    krb5_free_principal(context, principal);
+	    goto out;
+	}
+	krb5_clear_error_string(context);
+
+	ret = _kdc_db_fetch(context, config, principal,
+			    HDB_F_GET_SERVER, NULL, &server);
+	if (ret)
+	    goto out;
+
+	krb5_free_principal(context, principal);
+    }
+
+    /* check the client is allowed to do digest auth */
+    {
+	krb5_principal principal = NULL;
+
+	ret = krb5_ticket_get_client(context, ticket, &principal);
+	if (ret)
+	    goto out;
+
+	ret = krb5_unparse_name(context, principal, &client_name);
+	if (ret) {
+	    krb5_free_principal(context, principal);
+	    goto out;
+	}
+
+	ret = _kdc_db_fetch(context, config, principal,
+			    HDB_F_GET_CLIENT, NULL, &client);
+	krb5_free_principal(context, principal);
+	if (ret)
+	    goto out;
+
+	if (client->entry.flags.allow_digest == 0) {
+	    kdc_log(context, config, 0, 
+		    "Client %s tried to use digest "
+		    "but is not allowed to", 
+		    client_name);
+	    krb5_set_error_string(context, 
+				  "Client is not permitted to use digest");
+	    ret = KRB5KDC_ERR_POLICY;
+	    goto out;
+	}
+    }
+
+    /* unpack request */
+    {
+	krb5_keyblock *key;
+
+	ret = krb5_auth_con_getremotesubkey(context, ac, &key);
+	if (ret)
+	    goto out;
+	if (key == NULL) {
+	    krb5_set_error_string(context, "digest: remote subkey not found");
+	    ret = EINVAL;
+	    goto out;
+	}
+
+	ret = krb5_crypto_init(context, key, 0, &crypto);
+	krb5_free_keyblock (context, key);
+	if (ret)
+	    goto out;
+    }
+
+    ret = krb5_decrypt_EncryptedData(context, crypto, KRB5_KU_DIGEST_ENCRYPT,
+				     &req->innerReq, &buf);
+    krb5_crypto_destroy(context, crypto);
+    crypto = NULL;
+    if (ret)
+	goto out;
+	   
+    ret = decode_DigestReqInner(buf.data, buf.length, &ireq, NULL);
+    krb5_data_free(&buf);
+    if (ret) {
+	krb5_set_error_string(context, "Failed to decode digest inner request");
+	goto out;
+    }
+
+    kdc_log(context, config, 0, "Valid digest request from %s (%s)", 
+	    client_name, from);
+
+    /*
+     * Process the inner request
+     */
+
+    switch (ireq.element) {
+    case choice_DigestReqInner_init: {
+	unsigned char server_nonce[16], identifier;
+
+	RAND_pseudo_bytes(&identifier, sizeof(identifier));
+	RAND_pseudo_bytes(server_nonce, sizeof(server_nonce));
+
+	server_nonce[0] = kdc_time & 0xff;
+	server_nonce[1] = (kdc_time >> 8) & 0xff;
+	server_nonce[2] = (kdc_time >> 16) & 0xff;
+	server_nonce[3] = (kdc_time >> 24) & 0xff;
+
+	r.element = choice_DigestRepInner_initReply;
+
+	hex_encode(server_nonce, sizeof(server_nonce), &r.u.initReply.nonce);
+	if (r.u.initReply.nonce == NULL) {
+	    krb5_set_error_string(context, "Failed to decode server nonce");
+	    ret = ENOMEM;
+	    goto out;
+	}
+
+	sp = krb5_storage_emem();
+	if (sp == NULL) {
+	    ret = ENOMEM;
+	    krb5_set_error_string(context, "out of memory");
+	    goto out;
+	}
+	ret = krb5_store_stringz(sp, ireq.u.init.type);
+	if (ret) {
+	    krb5_clear_error_string(context);
+	    goto out;
+	}
+
+	if (ireq.u.init.channel) {
+	    char *s;
+
+	    asprintf(&s, "%s-%s:%s", r.u.initReply.nonce,
+		     ireq.u.init.channel->cb_type,
+		     ireq.u.init.channel->cb_binding);
+	    if (s == NULL) {
+		krb5_set_error_string(context, "Failed to allocate "
+				      "channel binding");
+		ret = ENOMEM;
+		goto out;
+	    }
+	    free(r.u.initReply.nonce);
+	    r.u.initReply.nonce = s;
+	}
+	
+	ret = krb5_store_stringz(sp, r.u.initReply.nonce);
+	if (ret) {
+	    krb5_clear_error_string(context);
+	    goto out;
+	}
+
+	if (strcasecmp(ireq.u.init.type, "CHAP") == 0) {
+	    r.u.initReply.identifier = 
+		malloc(sizeof(*r.u.initReply.identifier));
+	    if (r.u.initReply.identifier == NULL) {
+		krb5_set_error_string(context, "out of memory");
+		ret = ENOMEM;
+		goto out;
+	    }
+
+	    asprintf(r.u.initReply.identifier, "%02X", identifier & 0xff);
+	    if (*r.u.initReply.identifier == NULL) {
+		krb5_set_error_string(context, "out of memory");
+		ret = ENOMEM;
+		goto out;
+	    }
+
+	} else
+	    r.u.initReply.identifier = NULL;
+
+	if (ireq.u.init.hostname) {
+	    ret = krb5_store_stringz(sp, *ireq.u.init.hostname);
+	    if (ret) {
+		krb5_clear_error_string(context);
+		goto out;
+	    }
+	}
+
+	ret = krb5_storage_to_data(sp, &buf);
+	if (ret) {
+	    krb5_clear_error_string(context);
+	    goto out;
+	}
+
+	ret = get_digest_key(context, config, server, &crypto);
+	if (ret)
+	    goto out;
+
+	ret = krb5_create_checksum(context,
+				   crypto,
+				   KRB5_KU_DIGEST_OPAQUE,
+				   0,
+				   buf.data,
+				   buf.length,
+				   &res);
+	krb5_crypto_destroy(context, crypto);
+	crypto = NULL;
+	krb5_data_free(&buf);
+	if (ret)
+	    goto out;
+	
+	ASN1_MALLOC_ENCODE(Checksum, buf.data, buf.length, &res, &size, ret);
+	free_Checksum(&res);
+	if (ret) {
+	    krb5_set_error_string(context, "Failed to encode "
+				  "checksum in digest request");
+	    goto out;
+	}
+	if (size != buf.length)
+	    krb5_abortx(context, "ASN1 internal error");
+
+	hex_encode(buf.data, buf.length, &r.u.initReply.opaque);
+	free(buf.data);
+	if (r.u.initReply.opaque == NULL) {
+	    krb5_clear_error_string(context);
+	    ret = ENOMEM;
+	    goto out;
+	}
+
+	kdc_log(context, config, 0, "Digest %s init request successful from %s",
+		ireq.u.init.type, from);
+
+	break;
+    }
+    case choice_DigestReqInner_digestRequest: {
+	sp = krb5_storage_emem();
+	if (sp == NULL) {
+	    ret = ENOMEM;
+	    krb5_set_error_string(context, "out of memory");
+	    goto out;
+	}
+	ret = krb5_store_stringz(sp, ireq.u.digestRequest.type);
+	if (ret) {
+	    krb5_clear_error_string(context);
+	    goto out;
+	}
+
+	krb5_store_stringz(sp, ireq.u.digestRequest.serverNonce);
+
+	if (ireq.u.digestRequest.hostname) {
+	    ret = krb5_store_stringz(sp, *ireq.u.digestRequest.hostname);
+	    if (ret) {
+		krb5_clear_error_string(context);
+		goto out;
+	    }
+	}
+
+	buf.length = strlen(ireq.u.digestRequest.opaque);
+	buf.data = malloc(buf.length);
+	if (buf.data == NULL) {
+	    krb5_set_error_string(context, "out of memory");
+	    ret = ENOMEM;
+	    goto out;
+	}
+
+	ret = hex_decode(ireq.u.digestRequest.opaque, buf.data, buf.length);
+	if (ret <= 0) {
+	    krb5_set_error_string(context, "Failed to decode opaque");
+	    ret = ENOMEM;
+	    goto out;
+	}
+	buf.length = ret;
+
+	ret = decode_Checksum(buf.data, buf.length, &res, NULL);
+	free(buf.data);
+	if (ret) {
+	    krb5_set_error_string(context, "Failed to decode digest Checksum");
+	    goto out;
+	}
+	
+	ret = krb5_storage_to_data(sp, &buf);
+	if (ret) {
+	    krb5_clear_error_string(context);
+	    goto out;
+	}
+
+	serverNonce.length = strlen(ireq.u.digestRequest.serverNonce);
+	serverNonce.data = malloc(serverNonce.length);
+	if (serverNonce.data == NULL) {
+	    krb5_set_error_string(context, "out of memory");
+	    ret = ENOMEM;
+	    goto out;
+	}
+	    
+	/*
+	 * CHAP does the checksum of the raw nonce, but do it for all
+	 * types, since we need to check the timestamp.
+	 */
+	{
+	    ssize_t ssize;
+	    
+	    ssize = hex_decode(ireq.u.digestRequest.serverNonce, 
+			       serverNonce.data, serverNonce.length);
+	    if (ssize <= 0) {
+		krb5_set_error_string(context, "Failed to decode serverNonce");
+		ret = ENOMEM;
+		goto out;
+	    }
+	    serverNonce.length = ssize;
+	}
+
+	ret = get_digest_key(context, config, server, &crypto);
+	if (ret)
+	    goto out;
+
+	ret = krb5_verify_checksum(context, crypto, 
+				   KRB5_KU_DIGEST_OPAQUE,
+				   buf.data, buf.length, &res);
+	krb5_crypto_destroy(context, crypto);
+	crypto = NULL;
+	if (ret)
+	    goto out;
+
+	/* verify time */
+	{
+	    unsigned char *p = serverNonce.data;
+	    uint32_t t;
+	    
+	    if (serverNonce.length < 4) {
+		krb5_set_error_string(context, "server nonce too short");
+		ret = EINVAL;
+		goto out;
+	    }
+	    t = p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
+
+	    if (abs((kdc_time & 0xffffffff) - t) > context->max_skew) {
+		krb5_set_error_string(context, "time screw in server nonce ");
+		ret = EINVAL;
+		goto out;
+	    }
+	}
+
+	if (strcasecmp(ireq.u.digestRequest.type, "CHAP") == 0) {
+	    MD5_CTX ctx;
+	    unsigned char md[MD5_DIGEST_LENGTH];
+	    char *mdx;
+	    char id;
+
+	    if ((config->digests_allowed & CHAP_MD5) == 0) {
+		kdc_log(context, config, 0, "Digest CHAP MD5 not allowed");
+		goto out;
+	    }
+
+	    if (ireq.u.digestRequest.identifier == NULL) {
+		krb5_set_error_string(context, "Identifier missing "
+				      "from CHAP request");
+		ret = EINVAL;
+		goto out;
+	    }
+	    
+	    if (hex_decode(*ireq.u.digestRequest.identifier, &id, 1) != 1) {
+		krb5_set_error_string(context, "failed to decode identifier");
+		ret = EINVAL;
+		goto out;
+	    }
+	    
+	    ret = get_password_entry(context, config, 
+				     ireq.u.digestRequest.username,
+				     &password);
+	    if (ret)
+		goto out;
+
+	    MD5_Init(&ctx);
+	    MD5_Update(&ctx, &id, 1);
+	    MD5_Update(&ctx, password, strlen(password));
+	    MD5_Update(&ctx, serverNonce.data, serverNonce.length);
+	    MD5_Final(md, &ctx);
+
+	    hex_encode(md, sizeof(md), &mdx);
+	    if (mdx == NULL) {
+		krb5_clear_error_string(context);
+		ret = ENOMEM;
+		goto out;
+	    }
+
+	    r.element = choice_DigestRepInner_response;
+
+	    ret = strcasecmp(mdx, ireq.u.digestRequest.responseData);
+	    free(mdx);
+	    if (ret == 0) {
+		r.u.response.success = TRUE;
+	    } else {
+		kdc_log(context, config, 0, 
+			"CHAP reply mismatch for %s",
+			ireq.u.digestRequest.username);
+		r.u.response.success = FALSE;
+	    }
+
+	} else if (strcasecmp(ireq.u.digestRequest.type, "SASL-DIGEST-MD5") == 0) {
+	    MD5_CTX ctx;
+	    unsigned char md[MD5_DIGEST_LENGTH];
+	    char *mdx;
+	    char *A1, *A2;
+
+	    if ((config->digests_allowed & DIGEST_MD5) == 0) {
+		kdc_log(context, config, 0, "Digest SASL MD5 not allowed");
+		goto out;
+	    }
+
+	    if (ireq.u.digestRequest.nonceCount == NULL) 
+		goto out;
+	    if (ireq.u.digestRequest.clientNonce == NULL) 
+		goto out;
+	    if (ireq.u.digestRequest.qop == NULL) 
+		goto out;
+	    if (ireq.u.digestRequest.realm == NULL) 
+		goto out;
+	    
+	    ret = get_password_entry(context, config, 
+				     ireq.u.digestRequest.username,
+				     &password);
+	    if (ret)
+		goto failed;
+
+	    MD5_Init(&ctx);
+	    MD5_Update(&ctx, ireq.u.digestRequest.username,
+		       strlen(ireq.u.digestRequest.username));
+	    MD5_Update(&ctx, ":", 1);
+	    MD5_Update(&ctx, *ireq.u.digestRequest.realm,
+		       strlen(*ireq.u.digestRequest.realm));
+	    MD5_Update(&ctx, ":", 1);
+	    MD5_Update(&ctx, password, strlen(password));
+	    MD5_Final(md, &ctx);
+	    
+	    MD5_Init(&ctx);
+	    MD5_Update(&ctx, md, sizeof(md));
+	    MD5_Update(&ctx, ":", 1);
+	    MD5_Update(&ctx, ireq.u.digestRequest.serverNonce,
+		       strlen(ireq.u.digestRequest.serverNonce));
+	    MD5_Update(&ctx, ":", 1);
+	    MD5_Update(&ctx, *ireq.u.digestRequest.nonceCount,
+		       strlen(*ireq.u.digestRequest.nonceCount));
+	    if (ireq.u.digestRequest.authid) {
+		MD5_Update(&ctx, ":", 1);
+		MD5_Update(&ctx, *ireq.u.digestRequest.authid,
+			   strlen(*ireq.u.digestRequest.authid));
+	    }
+	    MD5_Final(md, &ctx);
+	    hex_encode(md, sizeof(md), &A1);
+	    if (A1 == NULL) {
+		krb5_set_error_string(context, "out of memory");
+		ret = ENOMEM;
+		goto failed;
+	    }
+	    
+	    MD5_Init(&ctx);
+	    MD5_Update(&ctx, "AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1);
+	    MD5_Update(&ctx, *ireq.u.digestRequest.uri,
+		       strlen(*ireq.u.digestRequest.uri));
+	
+	    /* conf|int */
+	    if (strcmp(ireq.u.digestRequest.digest, "clear") != 0) {
+		static char conf_zeros[] = ":00000000000000000000000000000000";
+		MD5_Update(&ctx, conf_zeros, sizeof(conf_zeros) - 1);
+	    }
+	    
+	    MD5_Final(md, &ctx);
+	    hex_encode(md, sizeof(md), &A2);
+	    if (A2 == NULL) {
+		krb5_set_error_string(context, "out of memory");
+		ret = ENOMEM;
+		free(A1);
+		goto failed;
+	    }
+
+	    MD5_Init(&ctx);
+	    MD5_Update(&ctx, A1, strlen(A2));
+	    MD5_Update(&ctx, ":", 1);
+	    MD5_Update(&ctx, ireq.u.digestRequest.serverNonce,
+		       strlen(ireq.u.digestRequest.serverNonce));
+	    MD5_Update(&ctx, ":", 1);
+	    MD5_Update(&ctx, *ireq.u.digestRequest.nonceCount,
+		       strlen(*ireq.u.digestRequest.nonceCount));
+	    MD5_Update(&ctx, ":", 1);
+	    MD5_Update(&ctx, *ireq.u.digestRequest.clientNonce,
+		       strlen(*ireq.u.digestRequest.clientNonce));
+	    MD5_Update(&ctx, ":", 1);
+	    MD5_Update(&ctx, *ireq.u.digestRequest.qop,
+		       strlen(*ireq.u.digestRequest.qop));
+	    MD5_Update(&ctx, ":", 1);
+	    MD5_Update(&ctx, A2, strlen(A2));
+
+	    MD5_Final(md, &ctx);
+
+	    free(A1);
+	    free(A2);
+
+	    hex_encode(md, sizeof(md), &mdx);
+	    if (mdx == NULL) {
+		krb5_clear_error_string(context);
+		ret = ENOMEM;
+		goto out;
+	    }
+
+	    r.element = choice_DigestRepInner_response;
+	    ret = strcasecmp(mdx, ireq.u.digestRequest.responseData);
+	    free(mdx);
+	    if (ret == 0) {
+		r.u.response.success = TRUE;
+	    } else {
+		kdc_log(context, config, 0, 
+			"DIGEST-MD5 reply mismatch for %s",
+			ireq.u.digestRequest.username);
+		r.u.response.success = FALSE;
+	    }
+
+	} else if (strcasecmp(ireq.u.digestRequest.type, "MS-CHAP-V2") == 0) {
+	    unsigned char md[SHA_DIGEST_LENGTH], challange[SHA_DIGEST_LENGTH];
+	    krb5_principal clientprincipal = NULL;
+	    char *mdx;
+	    const char *username;
+	    struct ntlm_buf answer;
+	    Key *key = NULL;
+	    SHA_CTX ctx;
+
+	    if ((config->digests_allowed & MS_CHAP_V2) == 0) {
+		kdc_log(context, config, 0, "MS-CHAP-V2 not allowed");
+		goto failed;
+	    }
+
+	    if (ireq.u.digestRequest.clientNonce == NULL)  {
+		krb5_set_error_string(context, 
+				      "MS-CHAP-V2 clientNonce missing");
+		ret = EINVAL;
+		goto failed;
+	    }	    
+	    if (serverNonce.length != 16) {
+		krb5_set_error_string(context, 
+				      "MS-CHAP-V2 serverNonce wrong length");
+		ret = EINVAL;
+		goto failed;
+	    }
+
+	    /* strip of the domain component */
+	    username = strchr(ireq.u.digestRequest.username, '\\');
+	    if (username == NULL)
+		username = ireq.u.digestRequest.username;
+	    else
+		username++;
+
+	    /* ChallangeHash */
+	    SHA1_Init(&ctx);
+	    {
+		ssize_t ssize;
+		krb5_data clientNonce;
+		
+		clientNonce.length = strlen(*ireq.u.digestRequest.clientNonce);
+		clientNonce.data = malloc(clientNonce.length);
+		if (clientNonce.data == NULL) {
+		    ret = ENOMEM;
+		    krb5_set_error_string(context, "out of memory");
+		    goto out;
+		}
+
+		ssize = hex_decode(*ireq.u.digestRequest.clientNonce, 
+				   clientNonce.data, clientNonce.length);
+		if (ssize != 16) {
+		    krb5_set_error_string(context, 
+					  "Failed to decode clientNonce");
+		    ret = ENOMEM;
+		    goto out;
+		}
+		SHA1_Update(&ctx, clientNonce.data, ssize);
+		free(clientNonce.data);
+	    }
+	    SHA1_Update(&ctx, serverNonce.data, serverNonce.length);
+	    SHA1_Update(&ctx, username, strlen(username));
+	    SHA1_Final(challange, &ctx);
+
+	    /* NtPasswordHash */
+	    ret = krb5_parse_name(context, username, &clientprincipal);
+	    if (ret)
+		goto failed;
+	    
+	    ret = _kdc_db_fetch(context, config, clientprincipal,
+				HDB_F_GET_CLIENT, NULL, &user);
+	    krb5_free_principal(context, clientprincipal);
+	    if (ret) {
+		krb5_set_error_string(context, 
+				      "MS-CHAP-V2 user %s not in database",
+				      username);
+		goto failed;
+	    }
+
+	    ret = hdb_enctype2key(context, &user->entry, 
+				  ETYPE_ARCFOUR_HMAC_MD5, &key);
+	    if (ret) {
+		krb5_set_error_string(context, 
+				      "MS-CHAP-V2 missing arcfour key %s",
+				      username);
+		goto failed;
+	    }
+
+	    /* ChallengeResponse */
+	    ret = heim_ntlm_calculate_ntlm1(key->key.keyvalue.data,
+					    key->key.keyvalue.length,
+					    challange, &answer);
+	    if (ret) {
+		krb5_set_error_string(context, "NTLM missing arcfour key");
+		goto failed;
+	    }
+	    
+	    hex_encode(answer.data, answer.length, &mdx);
+	    if (mdx == NULL) {
+		free(answer.data);
+		krb5_clear_error_string(context);
+		ret = ENOMEM;
+		goto out;
+	    }
+
+	    r.element = choice_DigestRepInner_response;
+	    ret = strcasecmp(mdx, ireq.u.digestRequest.responseData);
+	    if (ret == 0) {
+		r.u.response.success = TRUE;
+	    } else {
+		kdc_log(context, config, 0, 
+			"MS-CHAP-V2 hash mismatch for %s",
+			ireq.u.digestRequest.username);
+		r.u.response.success = FALSE;
+	    }
+	    free(mdx);
+
+	    if (r.u.response.success) {
+		unsigned char hashhash[MD4_DIGEST_LENGTH];
+
+		/* hashhash */
+		{
+		    MD4_CTX hctx;
+
+		    MD4_Init(&hctx);
+		    MD4_Update(&hctx, key->key.keyvalue.data, 
+			       key->key.keyvalue.length);
+		    MD4_Final(hashhash, &hctx);
+		}
+
+		/* GenerateAuthenticatorResponse */
+		SHA1_Init(&ctx);
+		SHA1_Update(&ctx, hashhash, sizeof(hashhash));
+		SHA1_Update(&ctx, answer.data, answer.length);
+		SHA1_Update(&ctx, ms_chap_v2_magic1,sizeof(ms_chap_v2_magic1));
+		SHA1_Final(md, &ctx);
+
+		SHA1_Init(&ctx);
+		SHA1_Update(&ctx, md, sizeof(md));
+		SHA1_Update(&ctx, challange, 8);
+		SHA1_Update(&ctx, ms_chap_v2_magic2, sizeof(ms_chap_v2_magic2));
+		SHA1_Final(md, &ctx);
+
+		r.u.response.rsp = calloc(1, sizeof(*r.u.response.rsp));
+		if (r.u.response.rsp == NULL) {
+		    free(answer.data);
+		    krb5_clear_error_string(context);
+		    ret = ENOMEM;
+		    goto out;
+		}
+
+		hex_encode(md, sizeof(md), r.u.response.rsp);
+		if (r.u.response.rsp == NULL) {
+		    free(answer.data);
+		    krb5_clear_error_string(context);
+		    ret = ENOMEM;
+		    goto out;
+		}
+
+		/* get_master, rfc 3079 3.4 */
+		SHA1_Init(&ctx);
+		SHA1_Update(&ctx, hashhash, 16); /* md4(hash) */
+		SHA1_Update(&ctx, answer.data, answer.length);
+		SHA1_Update(&ctx, ms_rfc3079_magic1, sizeof(ms_rfc3079_magic1));
+		SHA1_Final(md, &ctx);
+
+		free(answer.data);
+
+		r.u.response.session_key = 
+		    calloc(1, sizeof(*r.u.response.session_key));
+		if (r.u.response.session_key == NULL) {
+		    krb5_clear_error_string(context);
+		    ret = ENOMEM;
+		    goto out;
+		}
+
+		ret = krb5_data_copy(r.u.response.session_key, md, 16);
+		if (ret) {
+		    krb5_clear_error_string(context);
+		    goto out;
+		}
+	    }
+
+	} else {
+	    r.element = choice_DigestRepInner_error;
+	    asprintf(&r.u.error.reason, "Unsupported digest type %s", 
+		     ireq.u.digestRequest.type);
+	    if (r.u.error.reason == NULL) {
+		krb5_set_error_string(context, "out of memory");
+		ret = ENOMEM;
+		goto out;
+	    }
+	    r.u.error.code = EINVAL;
+	}
+
+	kdc_log(context, config, 0, "Digest %s request successful %s",
+		ireq.u.digestRequest.type, ireq.u.digestRequest.username);
+
+	break;
+    }
+    case choice_DigestReqInner_ntlmInit:
+
+	if ((config->digests_allowed & (NTLM_V1|NTLM_V1_SESSION|NTLM_V2)) == 0) {
+	    kdc_log(context, config, 0, "NTLM not allowed");
+	    goto failed;
+	}
+
+	r.element = choice_DigestRepInner_ntlmInitReply;
+
+	r.u.ntlmInitReply.flags = NTLM_NEG_UNICODE;
+
+	if ((ireq.u.ntlmInit.flags & NTLM_NEG_UNICODE) == 0) {
+	    kdc_log(context, config, 0, "NTLM client have no unicode");
+	    goto failed;
+	}
+
+	if (ireq.u.ntlmInit.flags & NTLM_NEG_NTLM)
+	    r.u.ntlmInitReply.flags |= NTLM_NEG_NTLM;
+	else {
+	    kdc_log(context, config, 0, "NTLM client doesn't support NTLM");
+	    goto failed;
+	}
+
+	r.u.ntlmInitReply.flags |= 
+	    NTLM_NEG_TARGET |
+	    NTLM_TARGET_DOMAIN |
+	    NTLM_ENC_128;
+
+#define ALL					\
+	NTLM_NEG_SIGN|				\
+	    NTLM_NEG_SEAL|			\
+	    NTLM_NEG_ALWAYS_SIGN|		\
+	    NTLM_NEG_NTLM2_SESSION|		\
+	    NTLM_NEG_KEYEX
+
+	r.u.ntlmInitReply.flags |= (ireq.u.ntlmInit.flags & (ALL));
+
+#undef ALL
+
+	r.u.ntlmInitReply.targetname = 
+	    get_ntlm_targetname(context, client);
+	if (r.u.ntlmInitReply.targetname == NULL) {
+	    krb5_set_error_string(context, "out of memory");
+	    ret = ENOMEM;
+	    goto out;
+	}
+	r.u.ntlmInitReply.challange.data = malloc(8);
+	if (r.u.ntlmInitReply.challange.data == NULL) {
+	    krb5_set_error_string(context, "out of memory");
+	    ret = ENOMEM;
+	    goto out;
+	}
+	r.u.ntlmInitReply.challange.length = 8;
+	if (RAND_bytes(r.u.ntlmInitReply.challange.data,
+		       r.u.ntlmInitReply.challange.length) != 1) 
+	{
+	    krb5_set_error_string(context, "out of random error");
+	    ret = ENOMEM;
+	    goto out;
+	}
+	/* XXX fix targetinfo */
+	ALLOC(r.u.ntlmInitReply.targetinfo);
+	if (r.u.ntlmInitReply.targetinfo == NULL) {
+	    krb5_set_error_string(context, "out of memory");
+	    ret = ENOMEM;
+	    goto out;
+	}
+
+	ret = fill_targetinfo(context,
+			      r.u.ntlmInitReply.targetname,
+			      client,
+			      r.u.ntlmInitReply.targetinfo);
+	if (ret) {
+	    krb5_set_error_string(context, "out of memory");
+	    ret = ENOMEM;
+	    goto out;
+	}
+
+	/* 
+	 * Save data encryted in opaque for the second part of the
+	 * ntlm authentication
+	 */
+	sp = krb5_storage_emem();
+	if (sp == NULL) {
+	    ret = ENOMEM;
+	    krb5_set_error_string(context, "out of memory");
+	    goto out;
+	}
+	
+	ret = krb5_storage_write(sp, r.u.ntlmInitReply.challange.data, 8);
+	if (ret != 8) {
+	    ret = ENOMEM;
+	    krb5_set_error_string(context, "storage write challange");
+	    goto out;
+	}
+	ret = krb5_store_uint32(sp, r.u.ntlmInitReply.flags);
+	if (ret) {
+	    krb5_clear_error_string(context);
+	    goto out;
+	}
+
+	ret = krb5_storage_to_data(sp, &buf);
+	if (ret) {
+	    krb5_clear_error_string(context);
+	    goto out;
+	}
+
+	ret = get_digest_key(context, config, server, &crypto);
+	if (ret)
+	    goto out;
+
+	ret = krb5_encrypt(context, crypto, KRB5_KU_DIGEST_OPAQUE,
+			   buf.data, buf.length, &r.u.ntlmInitReply.opaque);
+	krb5_data_free(&buf);
+	krb5_crypto_destroy(context, crypto);
+	crypto = NULL;
+	if (ret)
+	    goto out;
+
+	kdc_log(context, config, 0, "NTLM init from %s", from);
+
+	break;
+
+    case choice_DigestReqInner_ntlmRequest: {
+	krb5_principal clientprincipal;
+	unsigned char sessionkey[16];
+	unsigned char challange[8];
+	uint32_t flags;
+	Key *key = NULL;
+	int version;
+	    
+	r.element = choice_DigestRepInner_ntlmResponse;
+	r.u.ntlmResponse.success = 0;
+	r.u.ntlmResponse.flags = 0;
+	r.u.ntlmResponse.sessionkey = NULL;
+	r.u.ntlmResponse.tickets = NULL;
+
+	/* get username */
+	ret = krb5_parse_name(context,
+			      ireq.u.ntlmRequest.username,
+			      &clientprincipal);
+	if (ret)
+	    goto failed;
+
+	ret = _kdc_db_fetch(context, config, clientprincipal,
+			    HDB_F_GET_CLIENT, NULL, &user);
+	krb5_free_principal(context, clientprincipal);
+	if (ret) {
+	    krb5_set_error_string(context, "NTLM user %s not in database",
+				  ireq.u.ntlmRequest.username);
+	    goto failed;
+	}
+
+	ret = get_digest_key(context, config, server, &crypto);
+	if (ret)
+	    goto failed;
+
+	ret = krb5_decrypt(context, crypto, KRB5_KU_DIGEST_OPAQUE,
+			   ireq.u.ntlmRequest.opaque.data,
+			   ireq.u.ntlmRequest.opaque.length, &buf);
+	krb5_crypto_destroy(context, crypto);
+	crypto = NULL;
+	if (ret) {
+	    kdc_log(context, config, 0, 
+		    "Failed to decrypt nonce from %s", from);
+	    goto failed;
+	}
+
+	sp = krb5_storage_from_data(&buf);
+	if (sp == NULL) {
+	    ret = ENOMEM;
+	    krb5_set_error_string(context, "out of memory");
+	    goto out;
+	}
+	
+	ret = krb5_storage_read(sp, challange, sizeof(challange));
+	if (ret != sizeof(challange)) {
+	    krb5_set_error_string(context, "NTLM storage read challange");
+	    ret = ENOMEM;
+	    goto out;
+	}
+	ret = krb5_ret_uint32(sp, &flags);
+	if (ret) {
+	    krb5_set_error_string(context, "NTLM storage read flags");
+	    goto out;
+	}
+	krb5_data_free(&buf);
+
+	if ((flags & NTLM_NEG_NTLM) == 0) {
+	    ret = EINVAL;
+	    krb5_set_error_string(context, "NTLM not negotiated");
+	    goto out;
+	}
+
+	ret = hdb_enctype2key(context, &user->entry, 
+			      ETYPE_ARCFOUR_HMAC_MD5, &key);
+	if (ret) {
+	    krb5_set_error_string(context, "NTLM missing arcfour key");
+	    goto out;
+	}
+
+	/* check if this is NTLMv2 */
+	if (ireq.u.ntlmRequest.ntlm.length != 24) {
+	    struct ntlm_buf infotarget, answer;
+	    char *targetname;
+
+	    if ((config->digests_allowed & NTLM_V2) == 0) {
+		kdc_log(context, config, 0, "NTLM v2 not allowed");
+		goto out;
+	    }
+
+	    version = 2;
+
+	    targetname = get_ntlm_targetname(context, client);
+	    if (targetname == NULL) {
+		krb5_set_error_string(context, "out of memory");
+		ret = ENOMEM;
+		goto out;
+	    }
+
+	    answer.length = ireq.u.ntlmRequest.ntlm.length;
+	    answer.data = ireq.u.ntlmRequest.ntlm.data;
+
+	    ret = heim_ntlm_verify_ntlm2(key->key.keyvalue.data,
+					 key->key.keyvalue.length,
+					 ireq.u.ntlmRequest.username,
+					 targetname,
+					 0,
+					 challange,
+					 &answer,
+					 &infotarget,
+					 sessionkey);
+	    free(targetname);
+	    if (ret) {
+		krb5_set_error_string(context, "NTLM v2 verify failed");
+		goto failed;
+	    }
+
+	    /* XXX verify infotarget matches client (checksum ?) */
+
+	    free(infotarget.data);
+	    /* */
+
+	} else {
+	    struct ntlm_buf answer;
+
+	    version = 1;
+
+	    if (flags & NTLM_NEG_NTLM2_SESSION) {
+		unsigned char sessionhash[MD5_DIGEST_LENGTH];
+		MD5_CTX md5ctx;
+		
+		if ((config->digests_allowed & NTLM_V1_SESSION) == 0) {
+		    kdc_log(context, config, 0, "NTLM v1-session not allowed");
+		    ret = EINVAL;
+		    goto failed;
+		}
+
+		if (ireq.u.ntlmRequest.lm.length != 24) {
+		    krb5_set_error_string(context, "LM hash have wrong length "
+					  "for NTLM session key");
+		    ret = EINVAL;
+		    goto failed;
+		}
+		
+		MD5_Init(&md5ctx);
+		MD5_Update(&md5ctx, challange, sizeof(challange));
+		MD5_Update(&md5ctx, ireq.u.ntlmRequest.lm.data, 8);
+		MD5_Final(sessionhash, &md5ctx);
+		memcpy(challange, sessionhash, sizeof(challange));
+	    } else {
+		if ((config->digests_allowed & NTLM_V1) == 0) {
+		    kdc_log(context, config, 0, "NTLM v1 not allowed");
+		    goto failed;
+		}
+	    }
+	    
+	    ret = heim_ntlm_calculate_ntlm1(key->key.keyvalue.data,
+					    key->key.keyvalue.length,
+					    challange, &answer);
+	    if (ret) {
+		krb5_set_error_string(context, "NTLM missing arcfour key");
+		goto failed;
+	    }
+	    
+	    if (ireq.u.ntlmRequest.ntlm.length != answer.length ||
+		memcmp(ireq.u.ntlmRequest.ntlm.data, answer.data, answer.length) != 0)
+	    {
+		free(answer.data);
+		ret = EINVAL;
+		krb5_set_error_string(context, "NTLM hash mismatch");
+		goto failed;
+	    }
+	    free(answer.data);
+
+	    {
+		MD4_CTX ctx;
+
+		MD4_Init(&ctx);
+		MD4_Update(&ctx, 
+			   key->key.keyvalue.data, key->key.keyvalue.length);
+		MD4_Final(sessionkey, &ctx);
+	    }
+	}
+
+	if (ireq.u.ntlmRequest.sessionkey) {
+	    unsigned char masterkey[MD4_DIGEST_LENGTH];
+	    RC4_KEY rc4;
+	    size_t len;
+	    
+	    if ((flags & NTLM_NEG_KEYEX) == 0) {
+		krb5_set_error_string(context,
+				      "NTLM client failed to neg key "
+				      "exchange but still sent key");
+		ret = EINVAL;
+		goto failed;
+	    }
+	    
+	    len = ireq.u.ntlmRequest.sessionkey->length;
+	    if (len != sizeof(masterkey)){
+		krb5_set_error_string(context,
+				      "NTLM master key wrong length: %lu",
+				      (unsigned long)len);
+		goto failed;
+	    }
+	    
+	    RC4_set_key(&rc4, sizeof(sessionkey), sessionkey);
+	    
+	    RC4(&rc4, sizeof(masterkey),
+		ireq.u.ntlmRequest.sessionkey->data, 
+		masterkey);
+	    memset(&rc4, 0, sizeof(rc4));
+	    
+	    r.u.ntlmResponse.sessionkey = 
+		malloc(sizeof(*r.u.ntlmResponse.sessionkey));
+	    if (r.u.ntlmResponse.sessionkey == NULL) {
+		krb5_set_error_string(context, "out of memory");
+		goto out;
+	    }
+	    
+	    ret = krb5_data_copy(r.u.ntlmResponse.sessionkey,
+				 masterkey, sizeof(masterkey));
+	    if (ret) {
+		krb5_set_error_string(context, "out of memory");
+		goto out;
+	    }
+	}
+
+	r.u.ntlmResponse.success = 1;
+	kdc_log(context, config, 0, "NTLM version %d successful for %s",
+		version, ireq.u.ntlmRequest.username);
+	break;
+    }
+    case choice_DigestReqInner_supportedMechs:
+
+	kdc_log(context, config, 0, "digest supportedMechs from %s", from);
+
+	r.element = choice_DigestRepInner_supportedMechs;
+	memset(&r.u.supportedMechs, 0, sizeof(r.u.supportedMechs));
+
+	if (config->digests_allowed & NTLM_V1)
+	    r.u.supportedMechs.ntlm_v1 = 1;
+	if (config->digests_allowed & NTLM_V1_SESSION)
+	    r.u.supportedMechs.ntlm_v1_session = 1;
+	if (config->digests_allowed & NTLM_V2)
+	    r.u.supportedMechs.ntlm_v2 = 1;
+	if (config->digests_allowed & DIGEST_MD5)
+	    r.u.supportedMechs.digest_md5 = 1;
+	if (config->digests_allowed & CHAP_MD5)
+	    r.u.supportedMechs.chap_md5 = 1;
+	if (config->digests_allowed & MS_CHAP_V2)
+	    r.u.supportedMechs.ms_chap_v2 = 1;
+	break;
+
+    default: {
+	char *s;
+	krb5_set_error_string(context, "unknown operation to digest");
+	ret = EINVAL;
+
+    failed:
+
+	s = krb5_get_error_message(context, ret);
+	if (s == NULL) {
+	    krb5_clear_error_string(context);
+	    goto out;
+	}
+	
+	kdc_log(context, config, 0, "Digest failed with: %s", s);
+
+	r.element = choice_DigestRepInner_error;
+	r.u.error.reason = strdup("unknown error");
+	krb5_free_error_string(context, s);
+	if (r.u.error.reason == NULL) {
+	    krb5_set_error_string(context, "out of memory");
+	    ret = ENOMEM;
+	    goto out;
+	}
+	r.u.error.code = EINVAL;
+	break;
+    }
+    }
+
+    ASN1_MALLOC_ENCODE(DigestRepInner, buf.data, buf.length, &r, &size, ret);
+    if (ret) {
+	krb5_set_error_string(context, "Failed to encode inner digest reply");
+	goto out;
+    }
+    if (size != buf.length)
+	krb5_abortx(context, "ASN1 internal error");
+
+    krb5_auth_con_addflags(context, ac, KRB5_AUTH_CONTEXT_USE_SUBKEY, NULL);
+
+    ret = krb5_mk_rep (context, ac, &rep.apRep);
+    if (ret)
+	goto out;
+
+    {
+	krb5_keyblock *key;
+
+	ret = krb5_auth_con_getlocalsubkey(context, ac, &key);
+	if (ret)
+	    goto out;
+
+	ret = krb5_crypto_init(context, key, 0, &crypto);
+	krb5_free_keyblock (context, key);
+	if (ret)
+	    goto out;
+    }
+
+    ret = krb5_encrypt_EncryptedData(context, crypto, KRB5_KU_DIGEST_ENCRYPT, 
+				     buf.data, buf.length, 0,
+				     &rep.innerRep);
+    
+    ASN1_MALLOC_ENCODE(DigestREP, reply->data, reply->length, &rep, &size, ret);
+    if (ret) {
+	krb5_set_error_string(context, "Failed to encode digest reply");
+	goto out;
+    }
+    if (size != reply->length)
+	krb5_abortx(context, "ASN1 internal error");
+
+    
+out:
+    if (ac)
+	krb5_auth_con_free(context, ac);
+    if (ret)
+	krb5_warn(context, ret, "Digest request from %s failed", from);
+    if (ticket)
+	krb5_free_ticket(context, ticket);
+    if (id)
+	krb5_kt_close(context, id);
+    if (crypto)
+	krb5_crypto_destroy(context, crypto);
+    if (sp)
+	krb5_storage_free(sp);
+    if (user)
+	_kdc_free_ent (context, user);
+    if (server)
+	_kdc_free_ent (context, server);
+    if (client)
+	_kdc_free_ent (context, client);
+    if (password) {
+	memset(password, 0, strlen(password));
+	free (password);
+    }
+    if (client_name)
+	free (client_name);
+    krb5_data_free(&buf);
+    krb5_data_free(&serverNonce);
+    free_DigestREP(&rep);
+    free_DigestRepInner(&r);
+    free_DigestReqInner(&ireq);
+
+    return ret;
+}
diff --git a/crypto/heimdal/kdc/hprop.8 b/crypto/heimdal/kdc/hprop.8
index f5e3879..99fc978 100644
--- a/crypto/heimdal/kdc/hprop.8
+++ b/crypto/heimdal/kdc/hprop.8
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2000 - 2003 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2000 - 2004 Kungliga Tekniska Högskolan
 .\" (Royal Institute of Technology, Stockholm, Sweden). 
 .\" All rights reserved. 
 .\"
@@ -29,9 +29,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 .\" SUCH DAMAGE. 
 .\" 
-.\" $Id: hprop.8,v 1.18 2003/02/16 21:10:19 lha Exp $
+.\" $Id: hprop.8 20456 2007-04-19 20:29:42Z lha $
 .\"
-.Dd June 19, 2000
+.Dd December  8, 2004
 .Dt HPROP 8
 .Os HEIMDAL
 .Sh NAME
@@ -39,6 +39,7 @@
 .Nd propagate the KDC database
 .Sh SYNOPSIS
 .Nm
+.Bk -words
 .Oo Fl m Ar file \*(Ba Xo
 .Fl -master-key= Ns Pa file
 .Xc
@@ -47,7 +48,7 @@
 .Fl -database= Ns Pa file
 .Xc
 .Oc
-.Op Fl -source= Ns Ar heimdal|mit-dump|krb4-dump|krb4-db|kaserver
+.Op Fl -source= Ns Ar heimdal|mit-dump|krb4-dump|kaserver
 .Oo Fl r Ar string \*(Ba Xo
 .Fl -v4-realm= Ns Ar string
 .Xc
@@ -73,6 +74,7 @@
 .Op Fl h | Fl -help
 .Op Ar host Ns Op : Ns Ar port
 .Ar ...
+.Ek
 .Sh DESCRIPTION
 .Nm
 takes a principal database in a specified format and converts it into
@@ -99,7 +101,7 @@ Where to find the master key to encrypt or decrypt keys with.
 .Xc
 The database to be propagated.
 .It Xo
-.Fl -source= Ns Ar heimdal|mit-dump|krb4-dump|krb4-db|kaserver
+.Fl -source= Ns Ar heimdal|mit-dump|krb4-dump|kaserver
 .Xc
 Specifies the type of the source database. Alternatives include:
 .Pp
@@ -108,8 +110,6 @@ Specifies the type of the source database. Alternatives include:
 a Heimdal database
 .It mit-dump
 a MIT Kerberos 5 dump file
-.It krb4-db
-a Kerberos 4 database
 .It krb4-dump
 a Kerberos 4 dump file
 .It kaserver
@@ -168,12 +168,6 @@ The AFS cell name, used if reading a kaserver database.
 .Xc
 Also dump the principals marked as special in the kaserver database.
 .It Xo
-.Fl 4 ,
-.Fl -v4-db
-.Xc
-Deprecated, identical to
-.Sq --source=krb4-db .
-.It Xo
 .Fl K ,
 .Fl -ka-db
 .Xc
@@ -183,16 +177,11 @@ Deprecated, identical to
 .Sh EXAMPLES
 The following will propagate a database to another machine (which
 should run
-.Xr hpropd 8):
+.Xr hpropd 8 ):
 .Bd -literal -offset indent
 $ hprop slave-1 slave-2
 .Ed
 .Pp
-Copy a Kerberos 4 database to a Kerberos 5 slave:
-.Bd -literal -offset indent
-$ hprop --source=krb4-db -E krb5-slave
-.Ed
-.Pp
 Convert a Kerberos 4 dump-file for use with a Heimdal KDC:
 .Bd -literal -offset indent
 $ hprop -n --source=krb4-dump -d /var/kerberos/principal.dump --master-key=/.k | hpropd -n
diff --git a/crypto/heimdal/kdc/hprop.c b/crypto/heimdal/kdc/hprop.c
index 3bc066f..e5b7fd1 100644
--- a/crypto/heimdal/kdc/hprop.c
+++ b/crypto/heimdal/kdc/hprop.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "hprop.h"
 
-RCSID("$Id: hprop.c,v 1.70 2002/09/04 18:19:41 joda Exp $");
+RCSID("$Id: hprop.c 21745 2007-07-31 16:11:25Z lha $");
 
 static int version_flag;
 static int help_flag;
@@ -93,28 +93,28 @@ open_socket(krb5_context context, const char *hostname, const char *port)
 }
 
 krb5_error_code
-v5_prop(krb5_context context, HDB *db, hdb_entry *entry, void *appdata)
+v5_prop(krb5_context context, HDB *db, hdb_entry_ex *entry, void *appdata)
 {
     krb5_error_code ret;
     struct prop_data *pd = appdata;
     krb5_data data;
 
     if(encrypt_flag) {
-	ret = hdb_seal_keys_mkey(context, entry, mkey5);
+	ret = hdb_seal_keys_mkey(context, &entry->entry, mkey5);
 	if (ret) {
 	    krb5_warn(context, ret, "hdb_seal_keys_mkey");
 	    return ret;
 	}
     }
     if(decrypt_flag) {
-	ret = hdb_unseal_keys_mkey(context, entry, mkey5);
+	ret = hdb_unseal_keys_mkey(context, &entry->entry, mkey5);
 	if (ret) {
 	    krb5_warn(context, ret, "hdb_unseal_keys_mkey");
 	    return ret;
 	}
     }	
 
-    ret = hdb_entry2value(context, entry, &data);
+    ret = hdb_entry2value(context, &entry->entry, &data);
     if(ret) {
 	krb5_warn(context, ret, "hdb_entry2value");
 	return ret;
@@ -129,88 +129,17 @@ v5_prop(krb5_context context, HDB *db, hdb_entry *entry, void *appdata)
     return ret;
 }
 
-#ifdef KRB4
-
-static char realm_buf[REALM_SZ];
-
-static int
-kdb_prop(void *arg, Principal *p)
-{
-    int ret;
-    struct v4_principal pr;
-
-    memset(&pr, 0, sizeof(pr));
-
-    if(p->attributes != 0) {
-	warnx("%s.%s has non-zero attributes - skipping", 
-	      p->name, p->instance);
-	    return 0;
-    }
-    strlcpy(pr.name, p->name, sizeof(pr.name));
-    strlcpy(pr.instance, p->instance, sizeof(pr.instance));
-
-    copy_to_key(&p->key_low, &p->key_high, pr.key);
-    pr.exp_date = p->exp_date;
-    pr.mod_date = p->mod_date;
-    strlcpy(pr.mod_name, p->mod_name, sizeof(pr.mod_name));
-    strlcpy(pr.mod_instance, p->mod_instance, sizeof(pr.mod_instance));
-    pr.max_life = p->max_life;
-    pr.mkvno = p->kdc_key_ver;
-    pr.kvno = p->key_version;
-    
-    ret = v4_prop(arg, &pr);
-    memset(&pr, 0, sizeof(pr));
-    return ret;
-}
-
-#endif /* KRB4 */
-
-#ifndef KRB4
-static time_t
-krb_life_to_time(time_t start, int life)
-{
-    static int lifetimes[] = {
-	  38400,   41055,   43894,   46929,   50174,   53643,   57352,   61318,
-	  65558,   70091,   74937,   80119,   85658,   91581,   97914,  104684,
-	 111922,  119661,  127935,  136781,  146239,  156350,  167161,  178720,
-	 191077,  204289,  218415,  233517,  249664,  266926,  285383,  305116,
-	 326213,  348769,  372885,  398668,  426234,  455705,  487215,  520904,
-	 556921,  595430,  636601,  680618,  727680,  777995,  831789,  889303,
-	 950794, 1016537, 1086825, 1161973, 1242318, 1328218, 1420057, 1518247,
-	1623226, 1735464, 1855462, 1983758, 2120925, 2267576, 2424367, 2592000
-    };
-
-#if 0
-    int i;
-    double q = exp((log(2592000.0) - log(38400.0)) / 63);
-    double x = 38400;
-    for(i = 0; i < 64; i++) {
-	lifetimes[i] = (int)x;
-	x *= q;
-    }
-#endif
-
-    if(life == 0xff)
-	return NEVERDATE;
-    if(life < 0x80)
-	return start + life * 5 * 60;
-    if(life > 0xbf)
-	life = 0xbf;
-    return start + lifetimes[life - 0x80];
-}
-#endif /* !KRB4 */
-
 int
 v4_prop(void *arg, struct v4_principal *p)
 {
     struct prop_data *pd = arg;
-    hdb_entry ent;
+    hdb_entry_ex ent;
     krb5_error_code ret;
 
     memset(&ent, 0, sizeof(ent));
 
     ret = krb5_425_conv_principal(pd->context, p->name, p->instance, v4_realm,
-				  &ent.principal);
+				  &ent.entry.principal);
     if(ret) {
 	krb5_warn(pd->context, ret,
 		  "krb5_425_conv_principal %s.%s@%s",
@@ -220,49 +149,55 @@ v4_prop(void *arg, struct v4_principal *p)
 
     if(verbose_flag) {
 	char *s;
-	krb5_unparse_name_short(pd->context, ent.principal, &s);
+	krb5_unparse_name_short(pd->context, ent.entry.principal, &s);
 	krb5_warnx(pd->context, "%s.%s -> %s", p->name, p->instance, s);
 	free(s);
     }
 
-    ent.kvno = p->kvno;
-    ent.keys.len = 3;
-    ent.keys.val = malloc(ent.keys.len * sizeof(*ent.keys.val));
+    ent.entry.kvno = p->kvno;
+    ent.entry.keys.len = 3;
+    ent.entry.keys.val = malloc(ent.entry.keys.len * sizeof(*ent.entry.keys.val));
+    if (ent.entry.keys.val == NULL)
+	krb5_errx(pd->context, ENOMEM, "malloc");
     if(p->mkvno != -1) {
-	ent.keys.val[0].mkvno = malloc (sizeof(*ent.keys.val[0].mkvno));
-	*(ent.keys.val[0].mkvno) = p->mkvno;
+	ent.entry.keys.val[0].mkvno = malloc (sizeof(*ent.entry.keys.val[0].mkvno));
+	if (ent.entry.keys.val[0].mkvno == NULL)
+	    krb5_errx(pd->context, ENOMEM, "malloc");
+	*(ent.entry.keys.val[0].mkvno) = p->mkvno;
     } else
-	ent.keys.val[0].mkvno = NULL;
-    ent.keys.val[0].salt = calloc(1, sizeof(*ent.keys.val[0].salt));
-    ent.keys.val[0].salt->type = KRB5_PADATA_PW_SALT;
-    ent.keys.val[0].key.keytype = ETYPE_DES_CBC_MD5;
-    krb5_data_alloc(&ent.keys.val[0].key.keyvalue, sizeof(des_cblock));
-    memcpy(ent.keys.val[0].key.keyvalue.data, p->key, 8);
-
-    copy_Key(&ent.keys.val[0], &ent.keys.val[1]);
-    ent.keys.val[1].key.keytype = ETYPE_DES_CBC_MD4;
-    copy_Key(&ent.keys.val[0], &ent.keys.val[2]);
-    ent.keys.val[2].key.keytype = ETYPE_DES_CBC_CRC;
+	ent.entry.keys.val[0].mkvno = NULL;
+    ent.entry.keys.val[0].salt = calloc(1, sizeof(*ent.entry.keys.val[0].salt));
+    if (ent.entry.keys.val[0].salt == NULL)
+	krb5_errx(pd->context, ENOMEM, "calloc");
+    ent.entry.keys.val[0].salt->type = KRB5_PADATA_PW_SALT;
+    ent.entry.keys.val[0].key.keytype = ETYPE_DES_CBC_MD5;
+    krb5_data_alloc(&ent.entry.keys.val[0].key.keyvalue, DES_KEY_SZ);
+    memcpy(ent.entry.keys.val[0].key.keyvalue.data, p->key, 8);
+
+    copy_Key(&ent.entry.keys.val[0], &ent.entry.keys.val[1]);
+    ent.entry.keys.val[1].key.keytype = ETYPE_DES_CBC_MD4;
+    copy_Key(&ent.entry.keys.val[0], &ent.entry.keys.val[2]);
+    ent.entry.keys.val[2].key.keytype = ETYPE_DES_CBC_CRC;
 
     {
-	int life = krb_life_to_time(0, p->max_life);
+	int life = _krb5_krb_life_to_time(0, p->max_life);
 	if(life == NEVERDATE){
-	    ent.max_life = NULL;
+	    ent.entry.max_life = NULL;
 	} else {
 	    /* clean up lifetime a bit */
 	    if(life > 86400)
 		life = (life + 86399) / 86400 * 86400;
 	    else if(life > 3600)
 		life = (life + 3599) / 3600 * 3600;
-	    ALLOC(ent.max_life);
-	    *ent.max_life = life;
+	    ALLOC(ent.entry.max_life);
+	    *ent.entry.max_life = life;
 	}
     }
 
-    ALLOC(ent.valid_end);
-    *ent.valid_end = p->exp_date;
+    ALLOC(ent.entry.valid_end);
+    *ent.entry.valid_end = p->exp_date;
 
-    ret = krb5_make_principal(pd->context, &ent.created_by.principal,
+    ret = krb5_make_principal(pd->context, &ent.entry.created_by.principal,
 			      v4_realm,
 			      "kadmin",
 			      "hprop",
@@ -272,44 +207,44 @@ v4_prop(void *arg, struct v4_principal *p)
 	ret = 0;
 	goto out;
     }
-    ent.created_by.time = time(NULL);
-    ALLOC(ent.modified_by);
+    ent.entry.created_by.time = time(NULL);
+    ALLOC(ent.entry.modified_by);
     ret = krb5_425_conv_principal(pd->context, p->mod_name, p->mod_instance, 
-				  v4_realm, &ent.modified_by->principal);
+				  v4_realm, &ent.entry.modified_by->principal);
     if(ret){
 	krb5_warn(pd->context, ret, "%s.%s@%s", p->name, p->instance, v4_realm);
-	ent.modified_by->principal = NULL;
+	ent.entry.modified_by->principal = NULL;
 	ret = 0;
 	goto out;
     }
-    ent.modified_by->time = p->mod_date;
-
-    ent.flags.forwardable = 1;
-    ent.flags.renewable = 1;
-    ent.flags.proxiable = 1;
-    ent.flags.postdate = 1;
-    ent.flags.client = 1;
-    ent.flags.server = 1;
+    ent.entry.modified_by->time = p->mod_date;
+
+    ent.entry.flags.forwardable = 1;
+    ent.entry.flags.renewable = 1;
+    ent.entry.flags.proxiable = 1;
+    ent.entry.flags.postdate = 1;
+    ent.entry.flags.client = 1;
+    ent.entry.flags.server = 1;
     
     /* special case password changing service */
     if(strcmp(p->name, "changepw") == 0 && 
        strcmp(p->instance, "kerberos") == 0) {
-	ent.flags.forwardable = 0;
-	ent.flags.renewable = 0;
-	ent.flags.proxiable = 0;
-	ent.flags.postdate = 0;
-	ent.flags.initial = 1;
-	ent.flags.change_pw = 1;
+	ent.entry.flags.forwardable = 0;
+	ent.entry.flags.renewable = 0;
+	ent.entry.flags.proxiable = 0;
+	ent.entry.flags.postdate = 0;
+	ent.entry.flags.initial = 1;
+	ent.entry.flags.change_pw = 1;
     }
 
     ret = v5_prop(pd->context, NULL, &ent, pd);
 
     if (strcmp (p->name, "krbtgt") == 0
 	&& strcmp (v4_realm, p->instance) != 0) {
-	krb5_free_principal (pd->context, ent.principal);
+	krb5_free_principal (pd->context, ent.entry.principal);
 	ret = krb5_425_conv_principal (pd->context, p->name,
 				       v4_realm, p->instance,
-				       &ent.principal);
+				       &ent.entry.principal);
 	if (ret == 0)
 	    ret = v5_prop (pd->context, NULL, &ent, pd);
     }
@@ -345,87 +280,96 @@ ka_convert(struct prop_data *pd, int fd, struct ka_entry *ent)
 {
     int32_t flags = ntohl(ent->flags);
     krb5_error_code ret;
-    hdb_entry hdb;
+    hdb_entry_ex hdb;
 
     if(!kaspecials_flag
        && (flags & KAFNORMAL) == 0) /* remove special entries */
 	return 0;
     memset(&hdb, 0, sizeof(hdb));
     ret = krb5_425_conv_principal(pd->context, ent->name, ent->instance, 
-				  v4_realm, &hdb.principal);
+				  v4_realm, &hdb.entry.principal);
     if(ret) {
 	krb5_warn(pd->context, ret,
 		  "krb5_425_conv_principal (%s.%s@%s)",
 		  ent->name, ent->instance, v4_realm);
 	return 0;
     }
-    hdb.kvno = ntohl(ent->kvno);
-    hdb.keys.len = 3;
-    hdb.keys.val = malloc(hdb.keys.len * sizeof(*hdb.keys.val));
-    hdb.keys.val[0].mkvno = NULL;
-    hdb.keys.val[0].salt = calloc(1, sizeof(*hdb.keys.val[0].salt));
+    hdb.entry.kvno = ntohl(ent->kvno);
+    hdb.entry.keys.len = 3;
+    hdb.entry.keys.val = 
+	malloc(hdb.entry.keys.len * sizeof(*hdb.entry.keys.val));
+    if (hdb.entry.keys.val == NULL)
+	krb5_errx(pd->context, ENOMEM, "malloc");
+    hdb.entry.keys.val[0].mkvno = NULL;
+    hdb.entry.keys.val[0].salt = calloc(1, sizeof(*hdb.entry.keys.val[0].salt));
+    if (hdb.entry.keys.val[0].salt == NULL)
+	krb5_errx(pd->context, ENOMEM, "calloc");
     if (ka_use_null_salt) {
-	hdb.keys.val[0].salt->type = hdb_pw_salt;
-	hdb.keys.val[0].salt->salt.data = NULL;
-	hdb.keys.val[0].salt->salt.length = 0;
+	hdb.entry.keys.val[0].salt->type = hdb_pw_salt;
+	hdb.entry.keys.val[0].salt->salt.data = NULL;
+	hdb.entry.keys.val[0].salt->salt.length = 0;
     } else {
-	hdb.keys.val[0].salt->type = hdb_afs3_salt;
-	hdb.keys.val[0].salt->salt.data = strdup(afs_cell);
-	hdb.keys.val[0].salt->salt.length = strlen(afs_cell);
+	hdb.entry.keys.val[0].salt->type = hdb_afs3_salt;
+	hdb.entry.keys.val[0].salt->salt.data = strdup(afs_cell);
+	if (hdb.entry.keys.val[0].salt->salt.data == NULL)
+	    krb5_errx(pd->context, ENOMEM, "strdup");
+	hdb.entry.keys.val[0].salt->salt.length = strlen(afs_cell);
     }
     
-    hdb.keys.val[0].key.keytype = ETYPE_DES_CBC_MD5;
-    krb5_data_copy(&hdb.keys.val[0].key.keyvalue, ent->key, sizeof(ent->key));
-    copy_Key(&hdb.keys.val[0], &hdb.keys.val[1]);
-    hdb.keys.val[1].key.keytype = ETYPE_DES_CBC_MD4;
-    copy_Key(&hdb.keys.val[0], &hdb.keys.val[2]);
-    hdb.keys.val[2].key.keytype = ETYPE_DES_CBC_CRC;
-
-    ALLOC(hdb.max_life);
-    *hdb.max_life = ntohl(ent->max_life);
-
-    if(ntohl(ent->valid_end) != NEVERDATE && ntohl(ent->valid_end) != -1){
-	ALLOC(hdb.valid_end);
-	*hdb.valid_end = ntohl(ent->valid_end);
+    hdb.entry.keys.val[0].key.keytype = ETYPE_DES_CBC_MD5;
+    krb5_data_copy(&hdb.entry.keys.val[0].key.keyvalue,
+		   ent->key,
+		   sizeof(ent->key));
+    copy_Key(&hdb.entry.keys.val[0], &hdb.entry.keys.val[1]);
+    hdb.entry.keys.val[1].key.keytype = ETYPE_DES_CBC_MD4;
+    copy_Key(&hdb.entry.keys.val[0], &hdb.entry.keys.val[2]);
+    hdb.entry.keys.val[2].key.keytype = ETYPE_DES_CBC_CRC;
+
+    ALLOC(hdb.entry.max_life);
+    *hdb.entry.max_life = ntohl(ent->max_life);
+
+    if(ntohl(ent->valid_end) != NEVERDATE && ntohl(ent->valid_end) != 0xffffffff) {
+	ALLOC(hdb.entry.valid_end);
+	*hdb.entry.valid_end = ntohl(ent->valid_end);
     }
     
     if (ntohl(ent->pw_change) != NEVERDATE && 
 	ent->pw_expire != 255 &&
 	ent->pw_expire != 0) {
-	ALLOC(hdb.pw_end);
-	*hdb.pw_end = ntohl(ent->pw_change)
+	ALLOC(hdb.entry.pw_end);
+	*hdb.entry.pw_end = ntohl(ent->pw_change)
 	    + 24 * 60 * 60 * ent->pw_expire;
     }
 
-    ret = krb5_make_principal(pd->context, &hdb.created_by.principal,
+    ret = krb5_make_principal(pd->context, &hdb.entry.created_by.principal,
 			      v4_realm,
 			      "kadmin",
 			      "hprop",
 			      NULL);
-    hdb.created_by.time = time(NULL);
+    hdb.entry.created_by.time = time(NULL);
 
     if(ent->mod_ptr){
 	struct ka_entry mod;
-	ALLOC(hdb.modified_by);
+	ALLOC(hdb.entry.modified_by);
 	read_block(pd->context, fd, ntohl(ent->mod_ptr), &mod, sizeof(mod));
 	
 	krb5_425_conv_principal(pd->context, mod.name, mod.instance, v4_realm, 
-				&hdb.modified_by->principal);
-	hdb.modified_by->time = ntohl(ent->mod_time);
+				&hdb.entry.modified_by->principal);
+	hdb.entry.modified_by->time = ntohl(ent->mod_time);
 	memset(&mod, 0, sizeof(mod));
     }
 
-    hdb.flags.forwardable = 1;
-    hdb.flags.renewable = 1;
-    hdb.flags.proxiable = 1;
-    hdb.flags.postdate = 1;
+    hdb.entry.flags.forwardable = 1;
+    hdb.entry.flags.renewable = 1;
+    hdb.entry.flags.proxiable = 1;
+    hdb.entry.flags.postdate = 1;
     /* XXX - AFS 3.4a creates krbtgt.REALMOFCELL as NOTGS+NOSEAL */
     if (strcmp(ent->name, "krbtgt") == 0 &&
 	(flags & (KAFNOTGS|KAFNOSEAL)) == (KAFNOTGS|KAFNOSEAL))
 	flags &= ~(KAFNOTGS|KAFNOSEAL);
 
-    hdb.flags.client = (flags & KAFNOTGS) == 0;
-    hdb.flags.server = (flags & KAFNOSEAL) == 0;
+    hdb.entry.flags.client = (flags & KAFNOTGS) == 0;
+    hdb.entry.flags.server = (flags & KAFNOSEAL) == 0;
 
     ret = v5_prop(pd->context, NULL, &hdb, pd);
     hdb_free_entry(pd->context, &hdb);
@@ -469,9 +413,6 @@ struct getargs args[] = {
       "heimdal"
       "|mit-dump"
       "|krb4-dump"
-#ifdef KRB4
-      "|krb4-db"
-#endif
       "|kaserver"
     },
       
@@ -503,7 +444,7 @@ get_creds(krb5_context context, krb5_ccache *cache)
     krb5_keytab keytab;
     krb5_principal client;
     krb5_error_code ret;
-    krb5_get_init_creds_opt init_opts;
+    krb5_get_init_creds_opt *init_opts;
     krb5_preauthtype preauth = KRB5_PADATA_ENC_TIMESTAMP;
     krb5_creds creds;
     
@@ -517,11 +458,14 @@ get_creds(krb5_context context, krb5_ccache *cache)
 			      "kadmin", HPROP_NAME, NULL);
     if(ret) krb5_err(context, 1, ret, "krb5_make_principal");
 
-    krb5_get_init_creds_opt_init(&init_opts);
-    krb5_get_init_creds_opt_set_preauth_list(&init_opts, &preauth, 1);
+    ret = krb5_get_init_creds_opt_alloc(context, &init_opts);
+    if(ret) krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
+    krb5_get_init_creds_opt_set_preauth_list(init_opts, &preauth, 1);
 
-    ret = krb5_get_init_creds_keytab(context, &creds, client, keytab, 0, NULL, &init_opts);
+    ret = krb5_get_init_creds_keytab(context, &creds, client, keytab, 0, NULL, init_opts);
     if(ret) krb5_err(context, 1, ret, "krb5_get_init_creds");
+
+    krb5_get_init_creds_opt_free(context, init_opts);
     
     ret = krb5_kt_close(context, keytab);
     if(ret) krb5_err(context, 1, ret, "krb5_kt_close");
@@ -537,18 +481,17 @@ get_creds(krb5_context context, krb5_ccache *cache)
     ret = krb5_cc_store_cred(context, *cache, &creds);
     if(ret) krb5_err(context, 1, ret, "krb5_cc_store_cred");
 
-    krb5_free_creds_contents(context, &creds);
+    krb5_free_cred_contents(context, &creds);
 }
 
 enum hprop_source {
     HPROP_HEIMDAL = 1,
-    HPROP_KRB4_DB,
     HPROP_KRB4_DUMP,
     HPROP_KASERVER,
     HPROP_MIT_DUMP
 };
 
-#define IS_TYPE_V4(X) ((X) == HPROP_KRB4_DB || (X) == HPROP_KRB4_DUMP || (X) == HPROP_KASERVER)
+#define IS_TYPE_V4(X) ((X) == HPROP_KRB4_DUMP || (X) == HPROP_KASERVER)
 
 struct {
     int type;
@@ -556,9 +499,6 @@ struct {
 } types[] = {
     { HPROP_HEIMDAL,	"heimdal" },
     { HPROP_KRB4_DUMP,	"krb4-dump" },
-#ifdef KRB4
-    { HPROP_KRB4_DB,	"krb4-db" },
-#endif
     { HPROP_KASERVER, 	"kaserver" },
     { HPROP_MIT_DUMP,	"mit-dump" }
 };
@@ -574,9 +514,9 @@ parse_source_type(const char *s)
     return 0;
 }
 
-static void
+static int
 iterate (krb5_context context,
-	 const char *database,
+	 const char *database_name,
 	 HDB *db,
 	 int type,
 	 struct prop_data *pd)
@@ -585,38 +525,36 @@ iterate (krb5_context context,
 
     switch(type) {
     case HPROP_KRB4_DUMP:
-	ret = v4_prop_dump(pd, database);
-	break;
-#ifdef KRB4
-    case HPROP_KRB4_DB:
-	ret = kerb_db_iterate ((k_iter_proc_t)kdb_prop, pd);
+	ret = v4_prop_dump(pd, database_name);
 	if(ret)
-	    krb5_errx(context, 1, "kerb_db_iterate: %s", 
-		      krb_get_err_text(ret));
+	    krb5_warnx(context, "v4_prop_dump: %s", 
+		       krb5_get_err_text(context, ret));
 	break;
-#endif /* KRB4 */
     case HPROP_KASERVER:
-	ret = ka_dump(pd, database);
+	ret = ka_dump(pd, database_name);
 	if(ret)
-	    krb5_err(context, 1, ret, "ka_dump");
+	    krb5_warn(context, ret, "ka_dump");
 	break;
     case HPROP_MIT_DUMP:
-	ret = mit_prop_dump(pd, database);
+	ret = mit_prop_dump(pd, database_name);
 	if (ret)
-	    krb5_errx(context, 1, "mit_prop_dump: %s",
+	    krb5_warnx(context, "mit_prop_dump: %s",
 		      krb5_get_err_text(context, ret));
 	break;
     case HPROP_HEIMDAL:
 	ret = hdb_foreach(context, db, HDB_F_DECRYPT, v5_prop, pd);
 	if(ret)
-	    krb5_err(context, 1, ret, "hdb_foreach");
+	    krb5_warn(context, ret, "hdb_foreach");
 	break;
+    default:
+	krb5_errx(context, 1, "unknown prop type: %d", type);
     }
+    return ret;
 }
 
 static int
 dump_database (krb5_context context, int type,
-	       const char *database, HDB *db)
+	       const char *database_name, HDB *db)
 {
     krb5_error_code ret;
     struct prop_data pd;
@@ -626,7 +564,9 @@ dump_database (krb5_context context, int type,
     pd.auth_context = NULL;
     pd.sock         = STDOUT_FILENO;
 	
-    iterate (context, database, db, type, &pd);
+    ret = iterate (context, database_name, db, type, &pd);
+    if (ret)
+	krb5_errx(context, 1, "iterate failure");
     krb5_data_zero (&data);
     ret = krb5_write_message (context, &pd.sock, &data);
     if (ret)
@@ -637,23 +577,24 @@ dump_database (krb5_context context, int type,
 
 static int
 propagate_database (krb5_context context, int type,
-		    const char *database, 
+		    const char *database_name, 
 		    HDB *db, krb5_ccache ccache,
-		    int optind, int argc, char **argv)
+		    int optidx, int argc, char **argv)
 {
     krb5_principal server;
     krb5_error_code ret;
-    int i;
+    int i, failed = 0;
 
-    for(i = optind; i < argc; i++){
+    for(i = optidx; i < argc; i++){
 	krb5_auth_context auth_context;
 	int fd;
 	struct prop_data pd;
 	krb5_data data;
 
 	char *port, portstr[NI_MAXSERV];
-	
-	port = strchr(argv[i], ':');
+	char *host = argv[i];
+
+	port = strchr(host, ':');
 	if(port == NULL) {
 	    snprintf(portstr, sizeof(portstr), "%u", 
 		     ntohs(krb5_getportbyname (context, "hprop", "tcp", 
@@ -662,16 +603,18 @@ propagate_database (krb5_context context, int type,
 	} else
 	    *port++ = '\0';
 
-	fd = open_socket(context, argv[i], port);
+	fd = open_socket(context, host, port);
 	if(fd < 0) {
-	    krb5_warn (context, errno, "connect %s", argv[i]);
+	    failed++;
+	    krb5_warn (context, errno, "connect %s", host);
 	    continue;
 	}
 
 	ret = krb5_sname_to_principal(context, argv[i],
 				      HPROP_NAME, KRB5_NT_SRV_HST, &server);
 	if(ret) {
-	    krb5_warn(context, ret, "krb5_sname_to_principal(%s)", argv[i]);
+	    failed++;
+	    krb5_warn(context, ret, "krb5_sname_to_principal(%s)", host);
 	    close(fd);
 	    continue;
 	}
@@ -702,31 +645,45 @@ propagate_database (krb5_context context, int type,
 	krb5_free_principal(context, server);
 
 	if(ret) {
-	    krb5_warn(context, ret, "krb5_sendauth");
+	    failed++;
+	    krb5_warn(context, ret, "krb5_sendauth (%s)", host);
 	    close(fd);
-	    continue;
+	    goto next_host;
 	}
 	
 	pd.context      = context;
 	pd.auth_context = auth_context;
 	pd.sock         = fd;
 
-	iterate (context, database, db, type, &pd);
+	ret = iterate (context, database_name, db, type, &pd);
+	if (ret) {
+	    krb5_warnx(context, "iterate to host %s failed", host);
+	    failed++;
+	    goto next_host;
+	}
 
 	krb5_data_zero (&data);
 	ret = krb5_write_priv_message(context, auth_context, &fd, &data);
-	if(ret)
+	if(ret) {
 	    krb5_warn(context, ret, "krb5_write_priv_message");
+	    failed++;
+	    goto next_host;
+	}
 
 	ret = krb5_read_priv_message(context, auth_context, &fd, &data);
-	if(ret)
-	    krb5_warn(context, ret, "krb5_read_priv_message");
-	else
+	if(ret) {
+	    krb5_warn(context, ret, "krb5_read_priv_message: %s", host);
+	    failed++;
+	    goto next_host;
+	} else
 	    krb5_data_free (&data);
 	
+    next_host:
 	krb5_auth_con_free(context, auth_context);
 	close(fd);
     }
+    if (failed)
+	return 1;
     return 0;
 }
 
@@ -737,13 +694,13 @@ main(int argc, char **argv)
     krb5_context context;
     krb5_ccache ccache = NULL;
     HDB *db = NULL;
-    int optind = 0;
+    int optidx = 0;
 
-    int type = 0;
+    int type, exit_code;
 
     setprogname(argv[0]);
 
-    if(getarg(args, num_args, argc, argv, &optind))
+    if(getarg(args, num_args, argc, argv, &optidx))
 	usage(1);
 
     if(help_flag)
@@ -780,12 +737,10 @@ main(int argc, char **argv)
 		  "only one of `--encrypt' and `--decrypt' is meaningful");
 
     if(source_type != NULL) {
-	if(type != 0)
-	    krb5_errx(context, 1, "more than one database type specified");
 	type = parse_source_type(source_type);
 	if(type == 0)
 	    krb5_errx(context, 1, "unknown source type `%s'", source_type);
-    } else if(type == 0)
+    } else
 	type = HPROP_HEIMDAL;
 
     if(!to_stdout)
@@ -799,27 +754,11 @@ main(int argc, char **argv)
 	    krb5_errx(context, 1, "No master key file found");
     }
     
-#ifdef KRB4
-    if (IS_TYPE_V4(type)) {
-	int e;
-
-	if (v4_realm == NULL) {
-	    e = krb_get_lrealm(realm_buf, 1);
-	    if(e)
-		krb5_errx(context, 1, "krb_get_lrealm: %s",
-			  krb_get_err_text(e));
-	    v4_realm = realm_buf;
-	}
-    }
-#endif
+    if (IS_TYPE_V4(type) && v4_realm == NULL)
+	krb5_errx(context, 1, "Its a Kerberos 4 database "
+		  "but no realm configured");
 
     switch(type) {
-#ifdef KRB4
-    case HPROP_KRB4_DB:
-	if (database == NULL)
-	    krb5_errx(context, 1, "no database specified");
-	break;
-#endif
     case HPROP_KASERVER:
 	if (database == NULL)
 	    database = DEFAULT_DATABASE;
@@ -842,9 +781,9 @@ main(int argc, char **argv)
 	ret = hdb_create (context, &db, database);
 	if(ret)
 	    krb5_err(context, 1, ret, "hdb_create: %s", database);
-	ret = db->open(context, db, O_RDONLY, 0);
+	ret = db->hdb_open(context, db, O_RDONLY, 0);
 	if(ret)
-	    krb5_err(context, 1, ret, "db->open");
+	    krb5_err(context, 1, ret, "db->hdb_open");
 	break;
     default:
 	krb5_errx(context, 1, "unknown dump type `%d'", type);
@@ -852,17 +791,17 @@ main(int argc, char **argv)
     }
 
     if (to_stdout)
-	dump_database (context, type, database, db);
+	exit_code = dump_database (context, type, database, db);
     else
-	propagate_database (context, type, database, 
-			    db, ccache, optind, argc, argv);
+	exit_code = propagate_database (context, type, database, 
+					db, ccache, optidx, argc, argv);
 
     if(ccache != NULL)
 	krb5_cc_destroy(context, ccache);
 	
     if(db != NULL)
-	(*db->destroy)(context, db);
+	(*db->hdb_destroy)(context, db);
 
     krb5_free_context(context);
-    return 0;
+    return exit_code;
 }
diff --git a/crypto/heimdal/kdc/hprop.h b/crypto/heimdal/kdc/hprop.h
index 0bcab88..d43d04c 100644
--- a/crypto/heimdal/kdc/hprop.h
+++ b/crypto/heimdal/kdc/hprop.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: hprop.h,v 1.13 2001/01/26 15:54:19 joda Exp $ */
+/* $Id: hprop.h 16378 2005-12-12 12:40:12Z lha $ */
 
 #ifndef __HPROP_H__
 #define __HPROP_H__
@@ -53,13 +53,13 @@ struct prop_data{
 #define NEVERDATE ((1U << 31) - 1)
 #endif
 
-krb5_error_code v5_prop(krb5_context, HDB*, hdb_entry*, void*);
+krb5_error_code v5_prop(krb5_context, HDB*, hdb_entry_ex*, void*);
 int mit_prop_dump(void*, const char*);
 
 struct v4_principal {
     char name[64];
     char instance[64];
-    des_cblock key;
+    DES_cblock key;
     int kvno;
     int mkvno;
     time_t exp_date;
diff --git a/crypto/heimdal/kdc/hpropd.8 b/crypto/heimdal/kdc/hpropd.8
index 7bb2deb..74a3dad 100644
--- a/crypto/heimdal/kdc/hpropd.8
+++ b/crypto/heimdal/kdc/hpropd.8
@@ -29,7 +29,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 .\" SUCH DAMAGE. 
 .\" 
-.\" $Id: hpropd.8,v 1.11 2003/02/16 21:10:20 lha Exp $
+.\" $Id: hpropd.8 14381 2004-12-10 09:44:05Z lha $
 .\"
 .Dd August 27, 1997
 .Dt HPROPD 8
@@ -39,6 +39,7 @@
 .Nd receive a propagated database
 .Sh SYNOPSIS
 .Nm
+.Bk -words
 .Oo Fl d Ar file \*(Ba Xo
 .Fl -database= Ns Ar file
 .Xc
@@ -51,6 +52,7 @@
 .Xc
 .Oc
 .Op Fl 4 | Fl -v4dump
+.Ek
 .Sh DESCRIPTION
 .Nm
 receives a database sent by
@@ -65,7 +67,7 @@ if stdin is a socket and expects to receive the dumped database over
 stdin otherwise.
 If the database is sent over the network, it is authenticated and
 encrypted.
-Only connections from
+Only connections authenticated with the principal
 .Nm kadmin Ns / Ns Nm hprop
 are accepted.
 .Pp
diff --git a/crypto/heimdal/kdc/hpropd.c b/crypto/heimdal/kdc/hpropd.c
index d27ff25..12a9766 100644
--- a/crypto/heimdal/kdc/hpropd.c
+++ b/crypto/heimdal/kdc/hpropd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,142 +33,15 @@
 
 #include "hprop.h"
 
-RCSID("$Id: hpropd.c,v 1.36 2003/04/16 15:46:32 lha Exp $");
-
-#ifdef KRB4
-static des_cblock mkey4;
-static des_key_schedule msched4;
-
-static char *
-time2str(time_t t)
-{
-    static char buf[128];
-    strftime(buf, sizeof(buf), "%Y%m%d%H%M", gmtime(&t));
-    return buf;
-}
-
-static int 
-dump_krb4(krb5_context context, hdb_entry *ent, int fd)
-{
-    char name[ANAME_SZ];  
-    char instance[INST_SZ];
-    char realm[REALM_SZ];
-    char buf[1024];
-    char *p;
-    int i;
-    int ret;
-    char *princ_name;
-    Event *modifier;
-    krb5_realm *realms;
-    int cmp;
-  
-    ret = krb5_524_conv_principal(context, ent->principal,
-				  name, instance, realm);
-    if (ret) {
-	krb5_unparse_name(context, ent->principal, &princ_name);
-	krb5_warn(context, ret, "%s", princ_name);
-	free(princ_name);
-	return -1;
-    }
-
-    ret = krb5_get_default_realms (context, &realms);
-    if (ret) {
-	krb5_warn(context, ret, "krb5_get_default_realms");
-	return -1;
-    }
-
-    cmp = strcmp (realms[0], ent->principal->realm);
-    krb5_free_host_realm (context, realms);
-    if (cmp != 0)
-        return -1;
-
-    snprintf (buf, sizeof(buf), "%s %s ", name,
-	      (strlen(instance) != 0) ? instance : "*");
-
-    if (ent->max_life) { 
-	asprintf(&p, "%d", krb_time_to_life(0, *ent->max_life));
-	strlcat(buf, p, sizeof(buf));
-	free(p);
-    } else 
-	strlcat(buf, "255", sizeof(buf)); 
-    strlcat(buf, " ", sizeof(buf));
-
-    i = 0;
-    while (i < ent->keys.len &&
-	   ent->keys.val[i].key.keytype != KEYTYPE_DES)
-	++i;
-
-    if (i == ent->keys.len) {
-	krb5_warnx(context, "No DES key for %s.%s", name, instance);
-	return -1;
-    }
-
-    if (ent->keys.val[i].mkvno)
-	asprintf(&p, "%d ", *ent->keys.val[i].mkvno);
-    else
-	asprintf(&p, "%d ", 1);
-    strlcat(buf, p, sizeof(buf));
-    free(p);
-
-    asprintf(&p, "%d ", ent->kvno);
-    strlcat(buf, p, sizeof(buf));
-    free(p);
-
-    asprintf(&p, "%d ", 0); /* Attributes are always 0*/  
-    strlcat(buf, p, sizeof(buf));
-    free(p);
-
-    { 
-	u_int32_t *key = ent->keys.val[i].key.keyvalue.data;
-	kdb_encrypt_key((des_cblock*)key, (des_cblock*)key,
-			&mkey4, msched4, DES_ENCRYPT);
-	asprintf(&p, "%x %x ", (int)htonl(*key), (int)htonl(*(key+1)));
-	strlcat(buf, p, sizeof(buf));
-	free(p);
-    }
- 
-    if (ent->valid_end == NULL)
-	strlcat(buf, time2str(60*60*24*365*50), sizeof(buf)); /*no expiration*/
-    else
-	strlcat(buf, time2str(*ent->valid_end), sizeof(buf));
-    strlcat(buf, " ", sizeof(buf));
-
-    if (ent->modified_by == NULL) 
-	modifier = &ent->created_by;
-    else  
-	modifier = ent->modified_by;
-    
-    ret = krb5_524_conv_principal(context, modifier->principal,
-				  name, instance, realm);
-    if (ret) { 
-	krb5_unparse_name(context, modifier->principal, &princ_name);
-	krb5_warn(context, ret, "%s", princ_name);
-	free(princ_name);
-	return -1;
-    } 
-    asprintf(&p, "%s %s %s\n", time2str(modifier->time), 
-	     (strlen(name) != 0) ? name : "*", 
-	     (strlen(instance) != 0) ? instance : "*");
-    strlcat(buf, p, sizeof(buf));
-    free(p);
-
-    ret = write(fd, buf, strlen(buf));
-    if (ret == -1)
-	krb5_warnx(context, "write");
-    return 0;
-}
-#endif /* KRB4 */
+RCSID("$Id: hpropd.c 22245 2007-12-08 23:48:52Z lha $");
 
 static int inetd_flag = -1;
 static int help_flag;
 static int version_flag;
 static int print_dump;
-static const char *database = HDB_DEFAULT_DB;
+static const char *database;
 static int from_stdin;
 static char *local_realm;
-#ifdef KRB4
-static int v4dump;
-#endif
 static char *ktname = NULL;
 
 struct getargs args[] = {
@@ -179,9 +52,6 @@ struct getargs args[] = {
       "Not started from inetd" },
     { "keytab",   'k',	arg_string, &ktname,	"keytab to use for authentication", "keytab" },
     { "realm",   'r',	arg_string, &local_realm, "realm to use" },
-#ifdef KRB4
-    { "v4dump",       '4',  arg_flag, &v4dump, "create v4 type DB" },
-#endif
     { "version",    0, arg_flag, &version_flag, NULL, NULL },
     { "help",    'h',  arg_flag, &help_flag, NULL, NULL}
 };
@@ -206,14 +76,10 @@ main(int argc, char **argv)
     krb5_keytab keytab;
     int fd;
     HDB *db;
-    int optind = 0;
+    int optidx = 0;
     char *tmp_db;
     krb5_log_facility *fac;
     int nprincs;
-#ifdef KRB4
-    int e;
-    int fd_out = -1;
-#endif
 
     setprogname(argv[0]);
 
@@ -226,14 +92,9 @@ main(int argc, char **argv)
 	;
     krb5_set_warn_dest(context, fac);
   
-    if(getarg(args, num_args, argc, argv, &optind))
+    if(getarg(args, num_args, argc, argv, &optidx))
 	usage(1);
 
-#ifdef KRB4
-    if (v4dump && database == HDB_DEFAULT_DB)
-       database = "/var/kerberos/524_dump";
-#endif /* KRB4 */
-
     if(local_realm != NULL)
 	krb5_set_default_realm(context, local_realm);
     
@@ -244,12 +105,15 @@ main(int argc, char **argv)
 	exit(0);
     }
     
-    argc -= optind;
-    argv += optind;
+    argc -= optidx;
+    argv += optidx;
 
     if (argc != 0)
 	usage(1);
 
+    if (database == NULL)
+	database = hdb_default_db(context);
+
     if(from_stdin)
 	fd = STDIN_FILENO;
     else {
@@ -280,7 +144,7 @@ main(int argc, char **argv)
 		      addr_name,
 		      sizeof(addr_name)) == NULL)
 	    strlcpy (addr_name, "unknown address",
-			     sizeof(addr_name));
+		     sizeof(addr_name));
 
 	krb5_log(context, fac, 0, "Connection from %s", addr_name);
     
@@ -319,10 +183,13 @@ main(int argc, char **argv)
 	ret = krb5_make_principal(context, &c1, NULL, "kadmin", "hprop", NULL);
 	if(ret)
 	    krb5_err(context, 1, ret, "krb5_make_principal");
-	principalname2krb5_principal(&c2, authent->cname, authent->crealm);
+	_krb5_principalname2krb5_principal(context, &c2, 
+					   authent->cname, authent->crealm);
 	if(!krb5_principal_compare(context, c1, c2)) {
 	    char *s;
-	    krb5_unparse_name(context, c2, &s);
+	    ret = krb5_unparse_name(context, c2, &s);
+	    if (ret)
+		s = "unparseable name";
 	    krb5_errx(context, 1, "Unauthorized connection from %s", s);
 	}
 	krb5_free_principal(context, c1);
@@ -335,37 +202,19 @@ main(int argc, char **argv)
     
     if(!print_dump) {
 	asprintf(&tmp_db, "%s~", database);
-#ifdef KRB4
-	if (v4dump) {
-	    fd_out = open(tmp_db, O_WRONLY | O_CREAT | O_TRUNC, 0600);
-	    if (fd_out == -1)
-		krb5_errx(context, 1, "%s", strerror(errno));
-	}
-	else
-#endif /* KRB4 */
-	{
-	    ret = hdb_create(context, &db, tmp_db);
-	    if(ret)
-		krb5_err(context, 1, ret, "hdb_create(%s)", tmp_db);
-	    ret = db->open(context, db, O_RDWR | O_CREAT | O_TRUNC, 0600);
-	    if(ret)
-		krb5_err(context, 1, ret, "hdb_open(%s)", tmp_db);
-	}
-    }
 
-#ifdef KRB4
-    if (v4dump) {
-	e = kdb_get_master_key(0, &mkey4, msched4);
-	if(e)
-	    krb5_errx(context, 1, "kdb_get_master_key: %s",
-		      krb_get_err_text(e));
+	ret = hdb_create(context, &db, tmp_db);
+	if(ret)
+	    krb5_err(context, 1, ret, "hdb_create(%s)", tmp_db);
+	ret = db->hdb_open(context, db, O_RDWR | O_CREAT | O_TRUNC, 0600);
+	if(ret)
+	    krb5_err(context, 1, ret, "hdb_open(%s)", tmp_db);
     }
-#endif /* KRB4 */
 
     nprincs = 0;
     while(1){
 	krb5_data data;
-	hdb_entry entry;
+	hdb_entry_ex entry;
 
 	if(from_stdin) {
 	    ret = krb5_read_message(context, &fd, &data);
@@ -384,52 +233,35 @@ main(int argc, char **argv)
 		krb5_write_priv_message(context, ac, &fd, &data);
 	    }
 	    if(!print_dump) {
-#ifdef KRB4
-		if (v4dump) {
-		    ret = rename(tmp_db, database);
-		    if (ret)
-			krb5_errx(context, 1, "rename");
-		    ret = close(fd_out);
-		    if (ret)
-			krb5_errx(context, 1, "close");
-		} else
-#endif /* KRB4 */
-		{
-		    ret = db->rename(context, db, database);
-		    if(ret)
-			krb5_err(context, 1, ret, "db_rename");
-		    ret = db->close(context, db);
-		    if(ret)
-			krb5_err(context, 1, ret, "db_close");
-		}
+		ret = db->hdb_rename(context, db, database);
+		if(ret)
+		    krb5_err(context, 1, ret, "db_rename");
+		ret = db->hdb_close(context, db);
+		if(ret)
+		    krb5_err(context, 1, ret, "db_close");
 	    }
 	    break;
 	}
-	ret = hdb_value2entry(context, &data, &entry);
+	memset(&entry, 0, sizeof(entry));
+	ret = hdb_value2entry(context, &data, &entry.entry);
+	krb5_data_free(&data);
 	if(ret)
 	    krb5_err(context, 1, ret, "hdb_value2entry");
 	if(print_dump)
 	    hdb_print_entry(context, db, &entry, stdout);
 	else {
-#ifdef KRB4
-	    if (v4dump) {
-		ret = dump_krb4(context, &entry, fd_out);
-		if(!ret) nprincs++;
-	    }
+	    ret = db->hdb_store(context, db, 0, &entry);
+	    if(ret == HDB_ERR_EXISTS) {
+		char *s;
+		ret = krb5_unparse_name(context, entry.entry.principal, &s);
+		if (ret)
+		    s = strdup("unparseable name");
+		krb5_warnx(context, "Entry exists: %s", s);
+		free(s);
+	    } else if(ret) 
+		krb5_err(context, 1, ret, "db_store");
 	    else
-#endif /* KRB4 */
-	    {
-		ret = db->store(context, db, 0, &entry);
-		if(ret == HDB_ERR_EXISTS) {
-		    char *s;
-		    krb5_unparse_name(context, entry.principal, &s);
-		    krb5_warnx(context, "Entry exists: %s", s);
-		    free(s);
-		} else if(ret) 
-		    krb5_err(context, 1, ret, "db_store");
-		else
-		    nprincs++;
-	    }
+		nprincs++;
 	}
 	hdb_free_entry(context, &entry);
     }
diff --git a/crypto/heimdal/kdc/kadb.h b/crypto/heimdal/kdc/kadb.h
index 5c98ccc..4b59abe 100644
--- a/crypto/heimdal/kdc/kadb.h
+++ b/crypto/heimdal/kdc/kadb.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: kadb.h,v 1.3 2000/03/03 12:36:26 assar Exp $ */
+/* $Id: kadb.h 7997 2000-03-03 12:36:26Z assar $ */
 
 #ifndef __kadb_h__
 #define __kadb_h__
diff --git a/crypto/heimdal/kdc/kaserver.c b/crypto/heimdal/kdc/kaserver.c
index 8694471..27f497e 100644
--- a/crypto/heimdal/kdc/kaserver.c
+++ b/crypto/heimdal/kdc/kaserver.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,9 +33,9 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: kaserver.c,v 1.21.2.1 2003/10/06 21:02:35 lha Exp $");
-
+RCSID("$Id: kaserver.c 21654 2007-07-21 17:30:18Z lha $");
 
+#include <krb5-v4compat.h>
 #include <rx.h>
 
 #define KA_AUTHENTICATION_SERVICE 731
@@ -107,38 +107,69 @@ RCSID("$Id: kaserver.c,v 1.21.2.1 2003/10/06 21:02:35 lha Exp $");
 #define KATOOSOON                                (180521L)
 #define KALOCKED                                 (180522L)
 
-static void
+
+static krb5_error_code
 decode_rx_header (krb5_storage *sp,
 		  struct rx_header *h)
 {
-    krb5_ret_int32(sp, &h->epoch);
-    krb5_ret_int32(sp, &h->connid);
-    krb5_ret_int32(sp, &h->callid);
-    krb5_ret_int32(sp, &h->seqno);
-    krb5_ret_int32(sp, &h->serialno);
-    krb5_ret_int8(sp,  &h->type);
-    krb5_ret_int8(sp,  &h->flags);
-    krb5_ret_int8(sp,  &h->status);
-    krb5_ret_int8(sp,  &h->secindex);
-    krb5_ret_int16(sp, &h->reserved);
-    krb5_ret_int16(sp, &h->serviceid);
+    krb5_error_code ret;
+
+    ret = krb5_ret_uint32(sp, &h->epoch);
+    if (ret) return ret;
+    ret = krb5_ret_uint32(sp, &h->connid);
+    if (ret) return ret;
+    ret = krb5_ret_uint32(sp, &h->callid);
+    if (ret) return ret;
+    ret = krb5_ret_uint32(sp, &h->seqno);
+    if (ret) return ret;
+    ret = krb5_ret_uint32(sp, &h->serialno);
+    if (ret) return ret;
+    ret = krb5_ret_uint8(sp,  &h->type);
+    if (ret) return ret;
+    ret = krb5_ret_uint8(sp,  &h->flags);
+    if (ret) return ret;
+    ret = krb5_ret_uint8(sp,  &h->status);
+    if (ret) return ret;
+    ret = krb5_ret_uint8(sp,  &h->secindex);
+    if (ret) return ret;
+    ret = krb5_ret_uint16(sp, &h->reserved);
+    if (ret) return ret;
+    ret = krb5_ret_uint16(sp, &h->serviceid);
+    if (ret) return ret;
+
+    return 0;
 }
 
-static void
+static krb5_error_code
 encode_rx_header (struct rx_header *h,
 		  krb5_storage *sp)
 {
-    krb5_store_int32(sp, h->epoch);
-    krb5_store_int32(sp, h->connid);
-    krb5_store_int32(sp, h->callid);
-    krb5_store_int32(sp, h->seqno);
-    krb5_store_int32(sp, h->serialno);
-    krb5_store_int8(sp,  h->type);
-    krb5_store_int8(sp,  h->flags);
-    krb5_store_int8(sp,  h->status);
-    krb5_store_int8(sp,  h->secindex);
-    krb5_store_int16(sp, h->reserved);
-    krb5_store_int16(sp, h->serviceid);
+    krb5_error_code ret;
+
+    ret = krb5_store_uint32(sp, h->epoch);
+    if (ret) return ret;
+    ret = krb5_store_uint32(sp, h->connid);
+    if (ret) return ret;
+    ret = krb5_store_uint32(sp, h->callid);
+    if (ret) return ret;
+    ret = krb5_store_uint32(sp, h->seqno);
+    if (ret) return ret;
+    ret = krb5_store_uint32(sp, h->serialno);
+    if (ret) return ret;
+    ret = krb5_store_uint8(sp,  h->type);
+    if (ret) return ret;
+    ret = krb5_store_uint8(sp,  h->flags);
+    if (ret) return ret;
+    ret = krb5_store_uint8(sp,  h->status);
+    if (ret) return ret;
+    ret = krb5_store_uint8(sp,  h->secindex);
+    if (ret) return ret;
+    ret = krb5_store_uint16(sp, h->reserved);
+    if (ret) return ret;
+    ret = krb5_store_uint16(sp, h->serviceid);
+    if (ret) return ret;
+
+    return 0;
 }
 
 static void
@@ -160,19 +191,28 @@ init_reply_header (struct rx_header *hdr,
     reply_hdr->serviceid = hdr->serviceid;
 }
 
+/*
+ * Create an error `reply´ using for the packet `hdr' with the error
+ * `error´ code.
+ */
 static void
 make_error_reply (struct rx_header *hdr,
-		  u_int32_t ret,
+		  uint32_t error,
 		  krb5_data *reply)
 
 {
-    krb5_storage *sp;
     struct rx_header reply_hdr;
+    krb5_error_code ret;
+    krb5_storage *sp;
 
     init_reply_header (hdr, &reply_hdr, HT_ABORT, HF_LAST);
     sp = krb5_storage_emem();
-    encode_rx_header (&reply_hdr, sp);
-    krb5_store_int32(sp, ret);
+    if (sp == NULL)
+	return;
+    ret = encode_rx_header (&reply_hdr, sp);
+    if (ret)
+	return;
+    krb5_store_int32(sp, error);
     krb5_storage_to_data (sp, reply);
     krb5_storage_free (sp);
 }
@@ -240,7 +280,8 @@ krb5_store_xdr_data(krb5_storage *sp,
 
 
 static krb5_error_code
-create_reply_ticket (struct rx_header *hdr,
+create_reply_ticket (krb5_context context, 
+		     struct rx_header *hdr,
 		     Key *skey,
 		     char *name, char *instance, char *realm,
 		     struct sockaddr_in *addr,
@@ -248,29 +289,38 @@ create_reply_ticket (struct rx_header *hdr,
 		     int kvno,
 		     int32_t max_seq_len,
 		     const char *sname, const char *sinstance,
-		     u_int32_t challenge,
+		     uint32_t challenge,
 		     const char *label,
-		     des_cblock *key,
+		     krb5_keyblock *key,
 		     krb5_data *reply)
 {
-    KTEXT_ST ticket;
-    des_cblock session;
+    krb5_error_code ret;
+    krb5_data ticket;
+    krb5_keyblock session;
     krb5_storage *sp;
     krb5_data enc_data;
-    des_key_schedule schedule;
     struct rx_header reply_hdr;
-    des_cblock zero;
+    char zero[8];
     size_t pad;
     unsigned fyrtiosjuelva;
 
     /* create the ticket */
 
-    des_new_random_key(&session);
-
-    krb_create_ticket (&ticket, 0, name, instance, realm,
-		       addr->sin_addr.s_addr,
-		       &session, life, kdc_time,
-		       sname, sinstance, skey->key.keyvalue.data);
+    krb5_generate_random_keyblock(context, ETYPE_DES_PCBC_NONE, &session);
+
+    _krb5_krb_create_ticket(context,
+			    0,
+			    name,
+			    instance,
+			    realm,
+			    addr->sin_addr.s_addr,
+			    &session,
+			    life,
+			    kdc_time,
+			    sname,
+			    sinstance,
+			    &skey->key,
+			    &ticket);
 
     /* create the encrypted part of the reply */
     sp = krb5_storage_emem ();
@@ -278,10 +328,10 @@ create_reply_ticket (struct rx_header *hdr,
     fyrtiosjuelva &= 0xffffffff;
     krb5_store_int32 (sp, fyrtiosjuelva);
     krb5_store_int32 (sp, challenge);
-    krb5_storage_write  (sp, session, 8);
-    memset (&session, 0, sizeof(session));
+    krb5_storage_write  (sp, session.keyvalue.data, 8);
+    krb5_free_keyblock_contents(context, &session);
     krb5_store_int32 (sp, kdc_time);
-    krb5_store_int32 (sp, kdc_time + krb_life_to_time (0, life));
+    krb5_store_int32 (sp, kdc_time + _krb5_krb_life_to_time (0, life));
     krb5_store_int32 (sp, kvno);
     krb5_store_int32 (sp, ticket.length);
     krb5_store_stringz (sp, name);
@@ -293,7 +343,7 @@ create_reply_ticket (struct rx_header *hdr,
 #endif
     krb5_store_stringz (sp, sname);
     krb5_store_stringz (sp, sinstance);
-    krb5_storage_write (sp, ticket.dat, ticket.length);
+    krb5_storage_write (sp, ticket.data, ticket.length);
     krb5_storage_write (sp, label, strlen(label));
 
     /* pad to DES block */
@@ -311,19 +361,26 @@ create_reply_ticket (struct rx_header *hdr,
     }
 
     /* encrypt it */
-    des_set_key (key, schedule);
-    des_pcbc_encrypt (enc_data.data,
-		      enc_data.data,
-		      enc_data.length,
-		      schedule,
-		      key,
-		      DES_ENCRYPT);
-    memset (&schedule, 0, sizeof(schedule));
+    {
+        DES_key_schedule schedule;
+	DES_cblock deskey;
+	
+	memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
+	DES_set_key (&deskey, &schedule);
+	DES_pcbc_encrypt (enc_data.data,
+			  enc_data.data,
+			  enc_data.length,
+			  &schedule,
+			  &deskey,
+			  DES_ENCRYPT);
+	memset (&schedule, 0, sizeof(schedule));
+	memset (&deskey, 0, sizeof(deskey));
+    }
 
     /* create the reply packet */
     init_reply_header (hdr, &reply_hdr, HT_DATA, HF_LAST);
     sp = krb5_storage_emem ();
-    encode_rx_header (&reply_hdr, sp);
+    ret = encode_rx_header (&reply_hdr, sp);
     krb5_store_int32 (sp, max_seq_len);
     krb5_store_xdr_data (sp, enc_data);
     krb5_data_free (&enc_data);
@@ -373,9 +430,12 @@ unparse_auth_args (krb5_storage *sp,
 }
 
 static void
-do_authenticate (struct rx_header *hdr,
+do_authenticate (krb5_context context, 
+		 krb5_kdc_configuration *config,
+		 struct rx_header *hdr,
 		 krb5_storage *sp,
 		 struct sockaddr_in *addr,
+		 const char *from,
 		 krb5_data *reply)
 {
     krb5_error_code ret;
@@ -385,87 +445,99 @@ do_authenticate (struct rx_header *hdr,
     time_t end_time;
     krb5_data request;
     int32_t max_seq_len;
-    hdb_entry *client_entry = NULL;
-    hdb_entry *server_entry = NULL;
+    hdb_entry_ex *client_entry = NULL;
+    hdb_entry_ex *server_entry = NULL;
     Key *ckey = NULL;
     Key *skey = NULL;
-    des_cblock key;
-    des_key_schedule schedule;
     krb5_storage *reply_sp;
     time_t max_life;
-    u_int8_t life;
+    uint8_t life;
     int32_t chal;
     char client_name[256];
     char server_name[256];
 	
     krb5_data_zero (&request);
 
-    unparse_auth_args (sp, &name, &instance, &start_time, &end_time,
-		       &request, &max_seq_len);
-    if (request.length < 8) {
+    ret = unparse_auth_args (sp, &name, &instance, &start_time, &end_time,
+			     &request, &max_seq_len);
+    if (ret != 0 || request.length < 8) {
 	make_error_reply (hdr, KABADREQUEST, reply);
 	goto out;
     }
 
     snprintf (client_name, sizeof(client_name), "%s.%s@%s",
-	      name, instance, v4_realm);
+	      name, instance, config->v4_realm);
+    snprintf (server_name, sizeof(server_name), "%s.%s@%s",
+	      "krbtgt", config->v4_realm, config->v4_realm);
 
-    ret = db_fetch4 (name, instance, v4_realm, &client_entry);
+    kdc_log(context, config, 0, "AS-REQ (kaserver) %s from %s for %s",
+	    client_name, from, server_name);
+
+    ret = _kdc_db_fetch4 (context, config, name, instance, 
+			  config->v4_realm, HDB_F_GET_CLIENT,
+			  &client_entry);
     if (ret) {
-	kdc_log(0, "Client not found in database: %s: %s",
+	kdc_log(context, config, 0, "Client not found in database: %s: %s",
 		client_name, krb5_get_err_text(context, ret));
 	make_error_reply (hdr, KANOENT, reply);
 	goto out;
     }
 
-    snprintf (server_name, sizeof(server_name), "%s.%s@%s",
-	      "krbtgt", v4_realm, v4_realm);
-
-    ret = db_fetch4 ("krbtgt", v4_realm, v4_realm, &server_entry);
+    ret = _kdc_db_fetch4 (context, config, "krbtgt", 
+			  config->v4_realm, config->v4_realm, 
+			  HDB_F_GET_KRBTGT, &server_entry);
     if (ret) {
-	kdc_log(0, "Server not found in database: %s: %s",
+	kdc_log(context, config, 0, "Server not found in database: %s: %s",
 		server_name, krb5_get_err_text(context, ret));
 	make_error_reply (hdr, KANOENT, reply);
 	goto out;
     }
 
-    ret = check_flags (client_entry, client_name,
-		       server_entry, server_name,
-		       TRUE);
+    ret = _kdc_check_flags (context, config,
+			    client_entry, client_name,
+			    server_entry, server_name,
+			    TRUE);
     if (ret) {
 	make_error_reply (hdr, KAPWEXPIRED, reply);
 	goto out;
     }
 
     /* find a DES key */
-    ret = get_des_key(client_entry, FALSE, TRUE, &ckey);
+    ret = _kdc_get_des_key(context, client_entry, FALSE, TRUE, &ckey);
     if(ret){
-	kdc_log(0, "no suitable DES key for client");
+	kdc_log(context, config, 0, "no suitable DES key for client");
 	make_error_reply (hdr, KANOKEYS, reply);
 	goto out;
     }
 
     /* find a DES key */
-    ret = get_des_key(server_entry, TRUE, TRUE, &skey);
+    ret = _kdc_get_des_key(context, server_entry, TRUE, TRUE, &skey);
     if(ret){
-	kdc_log(0, "no suitable DES key for server");
+	kdc_log(context, config, 0, "no suitable DES key for server");
 	make_error_reply (hdr, KANOKEYS, reply);
 	goto out;
     }
 
-    /* try to decode the `request' */
-    memcpy (&key, ckey->key.keyvalue.data, sizeof(key));
-    des_set_key (&key, schedule);
-    des_pcbc_encrypt (request.data,
-		      request.data,
-		      request.length,
-		      schedule,
-		      &key,
-		      DES_DECRYPT);
-    memset (&schedule, 0, sizeof(schedule));
+    {
+	DES_cblock key;
+	DES_key_schedule schedule;
+	
+	/* try to decode the `request' */
+	memcpy (&key, ckey->key.keyvalue.data, sizeof(key));
+	DES_set_key (&key, &schedule);
+	DES_pcbc_encrypt (request.data,
+			  request.data,
+			  request.length,
+			  &schedule,
+			  &key,
+			  DES_DECRYPT);
+	memset (&schedule, 0, sizeof(schedule));
+	memset (&key, 0, sizeof(key));
+    }
 
     /* check for the magic label */
     if (memcmp ((char *)request.data + 4, "gTGS", 4) != 0) {
+	kdc_log(context, config, 0, "preauth failed for %s", client_name);
 	make_error_reply (hdr, KABADREQUEST, reply);
 	goto out;
     }
@@ -485,23 +557,23 @@ do_authenticate (struct rx_header *hdr,
        time skew between client and server. Let's make sure it is postive */
     if(max_life < 1)
 	max_life = 1;
-    if (client_entry->max_life)
-	max_life = min(max_life, *client_entry->max_life);
-    if (server_entry->max_life)
-	max_life = min(max_life, *server_entry->max_life);
+    if (client_entry->entry.max_life)
+	max_life = min(max_life, *client_entry->entry.max_life);
+    if (server_entry->entry.max_life)
+	max_life = min(max_life, *server_entry->entry.max_life);
 
     life = krb_time_to_life(kdc_time, kdc_time + max_life);
 
-    create_reply_ticket (hdr, skey,
-			 name, instance, v4_realm,
-			 addr, life, server_entry->kvno,
+    create_reply_ticket (context, 
+			 hdr, skey,
+			 name, instance, config->v4_realm,
+			 addr, life, server_entry->entry.kvno,
 			 max_seq_len,
-			 "krbtgt", v4_realm,
+			 "krbtgt", config->v4_realm,
 			 chal + 1, "tgsT",
-			 &key, reply);
-    memset (&key, 0, sizeof(key));
+			 &ckey->key, reply);
 
-out:
+ out:
     if (request.length) {
 	memset (request.data, 0, request.length);
 	krb5_data_free (&request);
@@ -511,9 +583,9 @@ out:
     if (instance)
 	free (instance);
     if (client_entry)
-	free_ent (client_entry);
+	_kdc_free_ent (context, client_entry);
     if (server_entry)
-	free_ent (server_entry);
+	_kdc_free_ent (context, server_entry);
 }
 
 static krb5_error_code
@@ -571,9 +643,12 @@ unparse_getticket_args (krb5_storage *sp,
 }
 
 static void
-do_getticket (struct rx_header *hdr,
+do_getticket (krb5_context context, 
+	      krb5_kdc_configuration *config,
+	      struct rx_header *hdr,
 	      krb5_storage *sp,
 	      struct sockaddr_in *addr,
+	      const char *from,
 	      krb5_data *reply)
 {
     krb5_error_code ret;
@@ -584,24 +659,26 @@ do_getticket (struct rx_header *hdr,
     char *instance = NULL;
     krb5_data times;
     int32_t max_seq_len;
-    hdb_entry *server_entry = NULL;
-    hdb_entry *krbtgt_entry = NULL;
+    hdb_entry_ex *server_entry = NULL;
+    hdb_entry_ex *client_entry = NULL;
+    hdb_entry_ex *krbtgt_entry = NULL;
     Key *kkey = NULL;
     Key *skey = NULL;
-    des_cblock key;
-    des_key_schedule schedule;
-    des_cblock session;
+    DES_cblock key;
+    DES_key_schedule schedule;
+    DES_cblock session;
     time_t max_life;
     int8_t life;
     time_t start_time, end_time;
-    char pname[ANAME_SZ];
-    char pinst[INST_SZ];
-    char prealm[REALM_SZ];
     char server_name[256];
+    char client_name[256];
+    struct _krb5_krb_auth_data ad;
 
     krb5_data_zero (&aticket);
     krb5_data_zero (&times);
 
+    memset(&ad, 0, sizeof(ad));
+
     unparse_getticket_args (sp, &kvno, &auth_domain, &aticket,
 			    &name, &instance, &times, &max_seq_len);
     if (times.length < 8) {
@@ -611,44 +688,40 @@ do_getticket (struct rx_header *hdr,
     }
 
     snprintf (server_name, sizeof(server_name),
-	      "%s.%s@%s", name, instance, v4_realm);
+	      "%s.%s@%s", name, instance, config->v4_realm);
 
-    ret = db_fetch4 (name, instance, v4_realm, &server_entry);
+    ret = _kdc_db_fetch4 (context, config, name, instance, 
+			  config->v4_realm, HDB_F_GET_SERVER, &server_entry);
     if (ret) {
-	kdc_log(0, "Server not found in database: %s: %s",
+	kdc_log(context, config, 0, "Server not found in database: %s: %s",
 		server_name, krb5_get_err_text(context, ret));
 	make_error_reply (hdr, KANOENT, reply);
 	goto out;
     }
 
-    ret = check_flags (NULL, NULL,
-		       server_entry, server_name,
-		       FALSE);
+    ret = _kdc_db_fetch4 (context, config, "krbtgt", 
+		     config->v4_realm, config->v4_realm, HDB_F_GET_KRBTGT, &krbtgt_entry);
     if (ret) {
-	make_error_reply (hdr, KAPWEXPIRED, reply);
-	goto out;
-    }
-
-    ret = db_fetch4 ("krbtgt", v4_realm, v4_realm, &krbtgt_entry);
-    if (ret) {
-	kdc_log(0, "Server not found in database: %s.%s@%s: %s",
-		"krbtgt", v4_realm, v4_realm, krb5_get_err_text(context, ret));
+	kdc_log(context, config, 0,
+		"Server not found in database: %s.%s@%s: %s",
+		"krbtgt", config->v4_realm,  config->v4_realm,
+		krb5_get_err_text(context, ret));
 	make_error_reply (hdr, KANOENT, reply);
 	goto out;
     }
 
     /* find a DES key */
-    ret = get_des_key(krbtgt_entry, TRUE, TRUE, &kkey);
+    ret = _kdc_get_des_key(context, krbtgt_entry, TRUE, TRUE, &kkey);
     if(ret){
-	kdc_log(0, "no suitable DES key for krbtgt");
+	kdc_log(context, config, 0, "no suitable DES key for krbtgt");
 	make_error_reply (hdr, KANOKEYS, reply);
 	goto out;
     }
 
     /* find a DES key */
-    ret = get_des_key(server_entry, TRUE, TRUE, &skey);
+    ret = _kdc_get_des_key(context, server_entry, TRUE, TRUE, &skey);
     if(ret){
-	kdc_log(0, "no suitable DES key for server");
+	kdc_log(context, config, 0, "no suitable DES key for server");
 	make_error_reply (hdr, KANOKEYS, reply);
 	goto out;
     }
@@ -658,67 +731,95 @@ do_getticket (struct rx_header *hdr,
 
     /* unpack the ticket */
     {
-	KTEXT_ST ticket;
-	u_char flags;
-	int life;
-	u_int32_t time_sec;
-	char sname[ANAME_SZ];
-	char sinstance[SNAME_SZ];
-	u_int32_t paddress;
-
-	if (aticket.length > sizeof(ticket.dat)) {
-	    kdc_log(0, "ticket too long (%u > %u)",
-		    (unsigned)aticket.length,
-		    (unsigned)sizeof(ticket.dat));
+	char *sname = NULL;
+	char *sinstance = NULL;
+
+	ret = _krb5_krb_decomp_ticket(context, &aticket, &kkey->key, 
+				      config->v4_realm, &sname,
+				      &sinstance, &ad);
+	if (ret) {
+	    kdc_log(context, config, 0,
+		    "kaserver: decomp failed for %s.%s with %d",
+		    sname, sinstance, ret);
 	    make_error_reply (hdr, KABADTICKET, reply);
 	    goto out;
 	}
 
-	ticket.length = aticket.length;
-	memcpy (ticket.dat, aticket.data, ticket.length);
-
-	des_set_key (&key, schedule);
-	decomp_ticket (&ticket, &flags, pname, pinst, prealm,
-		       &paddress, session, &life, &time_sec,
-		       sname, sinstance, 
-		       &key, schedule);
-
 	if (strcmp (sname, "krbtgt") != 0
-	    || strcmp (sinstance, v4_realm) != 0) {
-	    kdc_log(0, "no TGT: %s.%s for %s.%s@%s",
+	    || strcmp (sinstance, config->v4_realm) != 0) {
+	    kdc_log(context, config, 0, "no TGT: %s.%s for %s.%s@%s",
 		    sname, sinstance,
-		    pname, pinst, prealm);
+		    ad.pname, ad.pinst, ad.prealm);
 	    make_error_reply (hdr, KABADTICKET, reply);
+	    free(sname);
+	    free(sinstance);
 	    goto out;
 	}
+	free(sname);
+	free(sinstance);
 
-	if (kdc_time > krb_life_to_time(time_sec, life)) {
-	    kdc_log(0, "TGT expired: %s.%s@%s",
-		    pname, pinst, prealm);
+	if (kdc_time > _krb5_krb_life_to_time(ad.time_sec, ad.life)) {
+	    kdc_log(context, config, 0, "TGT expired: %s.%s@%s",
+		    ad.pname, ad.pinst, ad.prealm);
 	    make_error_reply (hdr, KABADTICKET, reply);
 	    goto out;
 	}
     }
 
+    snprintf (client_name, sizeof(client_name),
+	      "%s.%s@%s", ad.pname, ad.pinst, ad.prealm);
+
+    kdc_log(context, config, 0, "TGS-REQ (kaserver) %s from %s for %s",
+	    client_name, from, server_name);
+
+    ret = _kdc_db_fetch4 (context, config, 
+			  ad.pname, ad.pinst, ad.prealm, HDB_F_GET_CLIENT,
+			  &client_entry);
+    if(ret && ret != HDB_ERR_NOENTRY) {
+	kdc_log(context, config, 0,
+		"Client not found in database: (krb4) %s: %s",
+		client_name, krb5_get_err_text(context, ret));
+	make_error_reply (hdr, KANOENT, reply);
+	goto out;
+    }
+    if (client_entry == NULL && strcmp(ad.prealm, config->v4_realm) == 0) {
+	kdc_log(context, config, 0, 
+		"Local client not found in database: (krb4) "
+		"%s", client_name);
+	make_error_reply (hdr, KANOENT, reply);
+	goto out;
+    }
+
+    ret = _kdc_check_flags (context, config, 
+			    client_entry, client_name,
+			    server_entry, server_name,
+			    FALSE);
+    if (ret) {
+	make_error_reply (hdr, KAPWEXPIRED, reply);
+	goto out;
+    }
+
     /* decrypt the times */
-    des_set_key (&session, schedule);
-    des_ecb_encrypt (times.data,
+    memcpy(&session, ad.session.keyvalue.data, sizeof(session));
+    DES_set_key (&session, &schedule);
+    DES_ecb_encrypt (times.data,
 		     times.data,
-		     schedule,
+		     &schedule,
 		     DES_DECRYPT);
     memset (&schedule, 0, sizeof(schedule));
+    memset (&session, 0, sizeof(session));
 
     /* and extract them */
     {
-	krb5_storage *sp;
+	krb5_storage *tsp;
 	int32_t tmp;
 
-	sp = krb5_storage_from_mem (times.data, times.length);
-	krb5_ret_int32 (sp, &tmp);
+	tsp = krb5_storage_from_mem (times.data, times.length);
+	krb5_ret_int32 (tsp, &tmp);
 	start_time = tmp;
-	krb5_ret_int32 (sp, &tmp);
+	krb5_ret_int32 (tsp, &tmp);
 	end_time = tmp;
-	krb5_storage_free (sp);
+	krb5_storage_free (tsp);
     }
 
     /* life */
@@ -727,23 +828,28 @@ do_getticket (struct rx_header *hdr,
        time skew between client and server. Let's make sure it is postive */
     if(max_life < 1)
 	max_life = 1;
-    if (krbtgt_entry->max_life)
-	max_life = min(max_life, *krbtgt_entry->max_life);
-    if (server_entry->max_life)
-	max_life = min(max_life, *server_entry->max_life);
-
-    life = krb_time_to_life(kdc_time, kdc_time + max_life);
-
-    create_reply_ticket (hdr, skey,
-			 pname, pinst, prealm,
-			 addr, life, server_entry->kvno,
+    if (krbtgt_entry->entry.max_life)
+	max_life = min(max_life, *krbtgt_entry->entry.max_life);
+    if (server_entry->entry.max_life)
+	max_life = min(max_life, *server_entry->entry.max_life);
+    /* if this is a cross realm request, the client_entry will likely
+       be NULL */
+    if (client_entry && client_entry->entry.max_life)
+	max_life = min(max_life, *client_entry->entry.max_life);
+
+    life = _krb5_krb_time_to_life(kdc_time, kdc_time + max_life);
+
+    create_reply_ticket (context, 
+			 hdr, skey,
+			 ad.pname, ad.pinst, ad.prealm,
+			 addr, life, server_entry->entry.kvno,
 			 max_seq_len,
 			 name, instance,
 			 0, "gtkt",
-			 &session, reply);
-    memset (&session, 0, sizeof(session));
+			 &ad.session, reply);
     
-out:
+ out:
+    _krb5_krb_free_auth_data(context, &ad);
     if (aticket.length) {
 	memset (aticket.data, 0, aticket.length);
 	krb5_data_free (&aticket);
@@ -759,28 +865,32 @@ out:
     if (instance)
 	free (instance);
     if (krbtgt_entry)
-	free_ent (krbtgt_entry);
+	_kdc_free_ent (context, krbtgt_entry);
     if (server_entry)
-	free_ent (server_entry);
+	_kdc_free_ent (context, server_entry);
 }
 
 krb5_error_code
-do_kaserver(unsigned char *buf,
-	    size_t len,
-	    krb5_data *reply,
-	    const char *from,
-	    struct sockaddr_in *addr)
+_kdc_do_kaserver(krb5_context context, 
+		 krb5_kdc_configuration *config,
+		 unsigned char *buf,
+		 size_t len,
+		 krb5_data *reply,
+		 const char *from,
+		 struct sockaddr_in *addr)
 {
     krb5_error_code ret = 0;
     struct rx_header hdr;
-    u_int32_t op;
+    uint32_t op;
     krb5_storage *sp;
 
     if (len < RX_HEADER_SIZE)
 	return -1;
     sp = krb5_storage_from_mem (buf, len);
 
-    decode_rx_header (sp, &hdr);
+    ret = decode_rx_header (sp, &hdr);
+    if (ret)
+	goto out;
     buf += RX_HEADER_SIZE;
     len -= RX_HEADER_SIZE;
 
@@ -806,13 +916,16 @@ do_kaserver(unsigned char *buf,
 	goto out;
     }
 
-    krb5_ret_int32(sp, &op);
+    ret = krb5_ret_uint32(sp, &op);
+    if (ret)
+	goto out;
     switch (op) {
     case AUTHENTICATE :
-	do_authenticate (&hdr, sp, addr, reply);
+    case AUTHENTICATE_V2 :
+	do_authenticate (context, config, &hdr, sp, addr, from, reply);
 	break;
     case GETTICKET :
-	do_getticket (&hdr, sp, addr, reply);
+	do_getticket (context, config, &hdr, sp, addr, from, reply);
 	break;
     case AUTHENTICATE_OLD :
     case CHANGEPASSWORD :
@@ -827,7 +940,6 @@ do_kaserver(unsigned char *buf,
     case DEBUG :
     case GETPASSWORD :
     case GETRANDOMKEY :
-    case AUTHENTICATE_V2 :
     default :
 	make_error_reply (&hdr, RXGEN_OPCODE, reply);
 	break;
diff --git a/crypto/heimdal/kdc/kdc-private.h b/crypto/heimdal/kdc/kdc-private.h
new file mode 100644
index 0000000..030be9a
--- /dev/null
+++ b/crypto/heimdal/kdc/kdc-private.h
@@ -0,0 +1,286 @@
+/* This is a generated file */
+#ifndef __kdc_private_h__
+#define __kdc_private_h__
+
+#include <stdarg.h>
+
+krb5_error_code
+_kdc_add_KRB5SignedPath (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	hdb_entry_ex */*krbtgt*/,
+	krb5_enctype /*enctype*/,
+	krb5_const_principal /*server*/,
+	KRB5SignedPathPrincipals */*principals*/,
+	EncTicketPart */*tkt*/);
+
+krb5_error_code
+_kdc_add_inital_verified_cas (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	pk_client_params */*params*/,
+	EncTicketPart */*tkt*/);
+
+krb5_error_code
+_kdc_as_rep (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	KDC_REQ */*req*/,
+	const krb5_data */*req_buffer*/,
+	krb5_data */*reply*/,
+	const char */*from*/,
+	struct sockaddr */*from_addr*/,
+	int /*datagram_reply*/);
+
+krb5_boolean
+_kdc_check_addresses (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	HostAddresses */*addresses*/,
+	const struct sockaddr */*from*/);
+
+krb5_error_code
+_kdc_check_flags (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	hdb_entry_ex */*client_ex*/,
+	const char */*client_name*/,
+	hdb_entry_ex */*server_ex*/,
+	const char */*server_name*/,
+	krb5_boolean /*is_as_req*/);
+
+krb5_error_code
+_kdc_db_fetch (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	krb5_const_principal /*principal*/,
+	unsigned /*flags*/,
+	HDB **/*db*/,
+	hdb_entry_ex **/*h*/);
+
+krb5_error_code
+_kdc_db_fetch4 (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	const char */*name*/,
+	const char */*instance*/,
+	const char */*realm*/,
+	unsigned /*flags*/,
+	hdb_entry_ex **/*ent*/);
+
+krb5_error_code
+_kdc_do_524 (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	const Ticket */*t*/,
+	krb5_data */*reply*/,
+	const char */*from*/,
+	struct sockaddr */*addr*/);
+
+krb5_error_code
+_kdc_do_digest (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	const DigestREQ */*req*/,
+	krb5_data */*reply*/,
+	const char */*from*/,
+	struct sockaddr */*addr*/);
+
+krb5_error_code
+_kdc_do_kaserver (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	unsigned char */*buf*/,
+	size_t /*len*/,
+	krb5_data */*reply*/,
+	const char */*from*/,
+	struct sockaddr_in */*addr*/);
+
+krb5_error_code
+_kdc_do_kx509 (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	const Kx509Request */*req*/,
+	krb5_data */*reply*/,
+	const char */*from*/,
+	struct sockaddr */*addr*/);
+
+krb5_error_code
+_kdc_do_version4 (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	unsigned char */*buf*/,
+	size_t /*len*/,
+	krb5_data */*reply*/,
+	const char */*from*/,
+	struct sockaddr_in */*addr*/);
+
+krb5_error_code
+_kdc_encode_reply (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	KDC_REP */*rep*/,
+	const EncTicketPart */*et*/,
+	EncKDCRepPart */*ek*/,
+	krb5_enctype /*etype*/,
+	int /*skvno*/,
+	const EncryptionKey */*skey*/,
+	int /*ckvno*/,
+	const EncryptionKey */*ckey*/,
+	const char **/*e_text*/,
+	krb5_data */*reply*/);
+
+krb5_error_code
+_kdc_encode_v4_ticket (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	void */*buf*/,
+	size_t /*len*/,
+	const EncTicketPart */*et*/,
+	const PrincipalName */*service*/,
+	size_t */*size*/);
+
+krb5_error_code
+_kdc_find_etype (
+	krb5_context /*context*/,
+	const hdb_entry_ex */*princ*/,
+	krb5_enctype */*etypes*/,
+	unsigned /*len*/,
+	Key **/*ret_key*/,
+	krb5_enctype */*ret_etype*/);
+
+const PA_DATA*
+_kdc_find_padata (
+	const KDC_REQ */*req*/,
+	int */*start*/,
+	int /*type*/);
+
+void
+_kdc_fix_time (time_t **/*t*/);
+
+void
+_kdc_free_ent (
+	krb5_context /*context*/,
+	hdb_entry_ex */*ent*/);
+
+krb5_error_code
+_kdc_get_des_key (
+	krb5_context /*context*/,
+	hdb_entry_ex */*principal*/,
+	krb5_boolean /*is_server*/,
+	krb5_boolean /*prefer_afs_key*/,
+	Key **/*ret_key*/);
+
+krb5_error_code
+_kdc_get_preferred_key (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	hdb_entry_ex */*h*/,
+	const char */*name*/,
+	krb5_enctype */*enctype*/,
+	Key **/*key*/);
+
+void
+_kdc_log_timestamp (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	const char */*type*/,
+	KerberosTime /*authtime*/,
+	KerberosTime */*starttime*/,
+	KerberosTime /*endtime*/,
+	KerberosTime */*renew_till*/);
+
+krb5_error_code
+_kdc_make_anonymous_principalname (PrincipalName */*pn*/);
+
+int
+_kdc_maybe_version4 (
+	unsigned char */*buf*/,
+	int /*len*/);
+
+krb5_error_code
+_kdc_pac_generate (
+	krb5_context /*context*/,
+	hdb_entry_ex */*client*/,
+	krb5_pac */*pac*/);
+
+krb5_error_code
+_kdc_pac_verify (
+	krb5_context /*context*/,
+	const krb5_principal /*client_principal*/,
+	hdb_entry_ex */*client*/,
+	hdb_entry_ex */*server*/,
+	krb5_pac */*pac*/);
+
+krb5_error_code
+_kdc_pk_check_client (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	const hdb_entry_ex */*client*/,
+	pk_client_params */*client_params*/,
+	char **/*subject_name*/);
+
+void
+_kdc_pk_free_client_param (
+	krb5_context /*context*/,
+	pk_client_params */*client_params*/);
+
+krb5_error_code
+_kdc_pk_initialize (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	const char */*user_id*/,
+	const char */*anchors*/,
+	char **/*pool*/,
+	char **/*revoke_list*/);
+
+krb5_error_code
+_kdc_pk_mk_pa_reply (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	pk_client_params */*client_params*/,
+	const hdb_entry_ex */*client*/,
+	const KDC_REQ */*req*/,
+	const krb5_data */*req_buffer*/,
+	krb5_keyblock **/*reply_key*/,
+	METHOD_DATA */*md*/);
+
+krb5_error_code
+_kdc_pk_rd_padata (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	const KDC_REQ */*req*/,
+	const PA_DATA */*pa*/,
+	pk_client_params **/*ret_params*/);
+
+krb5_error_code
+_kdc_tgs_rep (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	KDC_REQ */*req*/,
+	krb5_data */*data*/,
+	const char */*from*/,
+	struct sockaddr */*from_addr*/,
+	int /*datagram_reply*/);
+
+krb5_error_code
+_kdc_tkt_add_if_relevant_ad (
+	krb5_context /*context*/,
+	EncTicketPart */*tkt*/,
+	int /*type*/,
+	const krb5_data */*data*/);
+
+krb5_error_code
+_kdc_try_kx509_request (
+	void */*ptr*/,
+	size_t /*len*/,
+	Kx509Request */*req*/,
+	size_t */*size*/);
+
+krb5_error_code
+_kdc_windc_client_access (
+	krb5_context /*context*/,
+	struct hdb_entry_ex */*client*/,
+	KDC_REQ */*req*/);
+
+#endif /* __kdc_private_h__ */
diff --git a/crypto/heimdal/kdc/kdc-protos.h b/crypto/heimdal/kdc/kdc-protos.h
new file mode 100644
index 0000000..15e8c29
--- /dev/null
+++ b/crypto/heimdal/kdc/kdc-protos.h
@@ -0,0 +1,92 @@
+/* This is a generated file */
+#ifndef __kdc_protos_h__
+#define __kdc_protos_h__
+
+#include <stdarg.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+void
+kdc_log (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	int /*level*/,
+	const char */*fmt*/,
+	...);
+
+char*
+kdc_log_msg (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	int /*level*/,
+	const char */*fmt*/,
+	...);
+
+char*
+kdc_log_msg_va (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	int /*level*/,
+	const char */*fmt*/,
+	va_list /*ap*/);
+
+void
+kdc_openlog (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/);
+
+krb5_error_code
+krb5_kdc_get_config (
+	krb5_context /*context*/,
+	krb5_kdc_configuration **/*config*/);
+
+int
+krb5_kdc_process_krb5_request (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	unsigned char */*buf*/,
+	size_t /*len*/,
+	krb5_data */*reply*/,
+	const char */*from*/,
+	struct sockaddr */*addr*/,
+	int /*datagram_reply*/);
+
+int
+krb5_kdc_process_request (
+	krb5_context /*context*/,
+	krb5_kdc_configuration */*config*/,
+	unsigned char */*buf*/,
+	size_t /*len*/,
+	krb5_data */*reply*/,
+	krb5_boolean */*prependlength*/,
+	const char */*from*/,
+	struct sockaddr */*addr*/,
+	int /*datagram_reply*/);
+
+int
+krb5_kdc_save_request (
+	krb5_context /*context*/,
+	const char */*fn*/,
+	const unsigned char */*buf*/,
+	size_t /*len*/,
+	const krb5_data */*reply*/,
+	const struct sockaddr */*sa*/);
+
+krb5_error_code
+krb5_kdc_set_dbinfo (
+	krb5_context /*context*/,
+	struct krb5_kdc_configuration */*c*/);
+
+void
+krb5_kdc_update_time (struct timeval */*tv*/);
+
+krb5_error_code
+krb5_kdc_windc_init (krb5_context /*context*/);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __kdc_protos_h__ */
diff --git a/crypto/heimdal/kdc/kdc-replay.c b/crypto/heimdal/kdc/kdc-replay.c
new file mode 100644
index 0000000..966831d
--- /dev/null
+++ b/crypto/heimdal/kdc/kdc-replay.c
@@ -0,0 +1,197 @@
+/*
+ * Copyright (c) 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+
+RCSID("$Id: kdc-replay.c 21945 2007-10-03 21:52:24Z lha $");
+
+static int version_flag;
+static int help_flag;
+
+struct getargs args[] = {
+    { "version",   0,	arg_flag, &version_flag },
+    { "help",     'h',	arg_flag, &help_flag }
+};
+
+const static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int ret)
+{
+    arg_printusage (args, num_args, NULL, "kdc-request-log-file");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_kdc_configuration *config;
+    krb5_storage *sp;
+    int fd, optidx = 0;
+
+    setprogname(argv[0]);
+    
+    if(getarg(args, num_args, argc, argv, &optidx))
+	usage(1);
+
+    if(help_flag)
+	usage(0);
+    
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed to parse configuration file");
+
+    ret = krb5_kdc_get_config(context, &config);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kdc_default_config");
+
+    kdc_openlog(context, config);
+
+    ret = krb5_kdc_set_dbinfo(context, config);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kdc_set_dbinfo");
+
+    if (argc != 2)
+	errx(1, "argc != 2");
+
+    printf("kdc replay\n");
+
+    fd = open(argv[1], O_RDONLY);
+    if (fd < 0)
+	err(1, "open: %s", argv[1]);
+
+    sp = krb5_storage_from_fd(fd);
+    if (sp == NULL)
+	krb5_errx(context, 1, "krb5_storage_from_fd");
+
+    while(1) {
+	struct sockaddr_storage sa;
+	krb5_socklen_t salen = sizeof(sa);
+	struct timeval tv;
+	krb5_address a;
+	krb5_data d, r;
+	uint32_t t, clty, tag;
+	char astr[80];
+
+	ret = krb5_ret_uint32(sp, &t);
+	if (ret == HEIM_ERR_EOF)
+	    break;
+	else if (ret)
+	    krb5_errx(context, 1, "krb5_ret_uint32(version)");
+	if (t != 1)
+	    krb5_errx(context, 1, "version not 1");
+	ret = krb5_ret_uint32(sp, &t);
+	if (ret)
+	    krb5_errx(context, 1, "krb5_ret_uint32(time)");
+	ret = krb5_ret_address(sp, &a);
+	if (ret)
+	    krb5_errx(context, 1, "krb5_ret_address");
+	ret = krb5_ret_data(sp, &d);
+	if (ret)
+	    krb5_errx(context, 1, "krb5_ret_data");
+	ret = krb5_ret_uint32(sp, &clty);
+	if (ret)
+	    krb5_errx(context, 1, "krb5_ret_uint32(class|type)");
+	ret = krb5_ret_uint32(sp, &tag);
+	if (ret)
+	    krb5_errx(context, 1, "krb5_ret_uint32(tag)");
+
+
+	ret = krb5_addr2sockaddr (context, &a, (struct sockaddr *)&sa,
+				  &salen, 88);
+	if (ret == KRB5_PROG_ATYPE_NOSUPP)
+	    goto out;
+	else if (ret)
+	    krb5_err(context, 1, ret, "krb5_addr2sockaddr");
+
+	ret = krb5_print_address(&a, astr, sizeof(astr), NULL);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_print_address");
+
+	printf("processing request from %s, %lu bytes\n", 
+	       astr, (unsigned long)d.length);
+
+	r.length = 0;
+	r.data = NULL;
+
+	tv.tv_sec = t;
+	tv.tv_usec = 0;
+
+	krb5_kdc_update_time(&tv);
+	krb5_set_real_time(context, tv.tv_sec, 0);
+
+	ret = krb5_kdc_process_request(context, config, d.data, d.length,
+				       &r, NULL, astr,
+				       (struct sockaddr *)&sa, 0);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_kdc_process_request");
+
+	if (r.length) {
+	    Der_class cl;
+	    Der_type ty;
+	    unsigned int tag2;
+	    ret = der_get_tag (r.data, r.length,
+			       &cl, &ty, &tag2, NULL);
+	    if (MAKE_TAG(cl, ty, 0) != clty)
+		krb5_errx(context, 1, "class|type mismatch: %d != %d",
+			  (int)MAKE_TAG(cl, ty, 0), (int)clty);
+	    if (tag != tag2)
+		krb5_errx(context, 1, "tag mismatch");
+
+	    krb5_data_free(&r);
+	} else {
+	    if (clty != 0xffffffff)
+		krb5_errx(context, 1, "clty not invalid");
+	    if (tag != 0xffffffff)
+		krb5_errx(context, 1, "tag not invalid");
+	}
+
+    out:
+	krb5_data_free(&d);
+	krb5_free_address(context, &a);
+    }
+
+    krb5_storage_free(sp);
+    krb5_free_context(context);
+
+    printf("done\n");
+
+    return 0;
+}
diff --git a/crypto/heimdal/kdc/kdc.8 b/crypto/heimdal/kdc/kdc.8
index 29cca73..331682f 100644
--- a/crypto/heimdal/kdc/kdc.8
+++ b/crypto/heimdal/kdc/kdc.8
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan
 .\" (Royal Institute of Technology, Stockholm, Sweden). 
 .\" All rights reserved. 
 .\"
@@ -29,9 +29,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 .\" SUCH DAMAGE. 
 .\"
-.\" $Id: kdc.8,v 1.23.2.1 2003/10/21 20:06:01 lha Exp $
+.\" $Id: kdc.8 18419 2006-10-12 10:05:57Z lha $
 .\"
-.Dd October 21, 2003
+.Dd August 24, 2006
 .Dt KDC 8
 .Os HEIMDAL
 .Sh NAME
@@ -39,6 +39,7 @@
 .Nd Kerberos 5 server
 .Sh SYNOPSIS
 .Nm
+.Bk -words
 .Oo Fl c Ar file \*(Ba Xo
 .Fl -config-file= Ns Ar file
 .Xc
@@ -59,7 +60,9 @@
 .Xc
 .Oc
 .Op Fl -detach
+.Op Fl -disable-DES
 .Op Fl -addresses= Ns Ar list of addresses
+.Ek
 .Sh DESCRIPTION
 .Nm
 serves requests for tickets.
@@ -147,6 +150,10 @@ By default, the kdc will listen on all the locally configured
 addresses.
 If only a subset is desired, or the automatic detection fails, this
 option might be used.
+.It Fl -detach
+detach from pty and run as a daemon.
+.It Fl -disable-DES
+disable add des encryption types, makes the kdc not use them.
 .El
 .Pp
 All activities are logged to one or more destinations, see
@@ -177,18 +184,41 @@ specified as:
 And there are some configuration options which do not have
 command-line equivalents:
 .Bl -tag -width "xxx" -offset indent
+.It Li enable-digest = Va boolean
+turn on support for digest processing in the KDC.
+The default is FALSE.
 .It Li check-ticket-addresses = Va boolean
 Check the addresses in the ticket when processing TGS requests.
-The default is FALSE.
+The default is TRUE.
 .It Li allow-null-ticket-addresses = Va boolean
 Permit tickets with no addresses.
 This option is only relevant when check-ticket-addresses is TRUE.
 .It Li allow-anonymous = Va boolean
 Permit anonymous tickets with no addresses.
-.It Li enforce-transited-policy = Va boolean
-Always verify the transited policy, ignoring the
-.Va disable-transited-check 
-flag if set in the KDC client request.
+.It Li max-kdc-datagram-reply-length = Va number
+Maximum packet size the UDP rely that the KDC will transmit, instead
+the KDC sends back a reply telling the client to use TCP instead.
+.It Li transited-policy = Xo
+.Li always-check \*(Ba
+.Li allow-per-principal |
+.Li always-honour-request
+.Xc
+This controls how KDC requests with the
+.Li disable-transited-check
+flag are handled. It can be one of:
+.Bl -tag -width "xxx" -offset indent
+.It Li always-check
+Always check transited encoding, this is the default.
+.It Li allow-per-principal
+Currently this is identical to
+.Li always-check .
+In a future release, it will be possible to mark a principal as able
+to handle unchecked requests.
+.It Li always-honour-request
+Always do what the client asked.
+In a future release, it will be possible to force a check per
+principal.
+.El
 .It encode_as_rep_as_tgs_rep = Va boolean
 Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code.
 The Heimdal clients allow both.
@@ -209,7 +239,6 @@ An example of a config file:
 [kdc]
 	require-preauth = no
 	v4-realm = FOO.SE
-	key-file = /key-file
 .Ed
 .Sh BUGS
 If the machine running the KDC has new addresses added to it, the KDC
diff --git a/crypto/heimdal/kdc/kdc.h b/crypto/heimdal/kdc/kdc.h
new file mode 100644
index 0000000..6c129f3
--- /dev/null
+++ b/crypto/heimdal/kdc/kdc.h
@@ -0,0 +1,96 @@
+/*
+ * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ *
+ * Copyright (c) 2005 Andrew Bartlett <abartlet@samba.org>
+ * 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* 
+ * $Id: kdc.h 21287 2007-06-25 14:09:03Z lha $ 
+ */
+
+#ifndef __KDC_H__
+#define __KDC_H__
+
+#include <krb5.h>
+
+enum krb5_kdc_trpolicy {
+    TRPOLICY_ALWAYS_CHECK,
+    TRPOLICY_ALLOW_PER_PRINCIPAL, 
+    TRPOLICY_ALWAYS_HONOUR_REQUEST
+};
+
+typedef struct krb5_kdc_configuration {
+    krb5_boolean require_preauth; /* require preauth for all principals */
+    time_t kdc_warn_pwexpire; /* time before expiration to print a warning */
+
+    struct HDB **db;
+    int num_db;
+
+    krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */
+	
+    krb5_boolean check_ticket_addresses;
+    krb5_boolean allow_null_ticket_addresses;
+    krb5_boolean allow_anonymous;
+    enum krb5_kdc_trpolicy trpolicy;
+
+    char *v4_realm;
+    krb5_boolean enable_v4;
+    krb5_boolean enable_v4_cross_realm;
+    krb5_boolean enable_v4_per_principal;
+
+    krb5_boolean enable_kaserver;
+
+    krb5_boolean enable_524;
+
+    krb5_boolean enable_pkinit;
+    krb5_boolean pkinit_princ_in_cert;
+    char *pkinit_kdc_ocsp_file;
+    int pkinit_dh_min_bits;
+    int pkinit_require_binding;
+
+    krb5_log_facility *logf;
+
+    int enable_digest;
+    int digests_allowed;
+
+    size_t max_datagram_reply_length;
+
+    int enable_kx509;
+    const char *kx509_template;
+    const char *kx509_ca;
+
+} krb5_kdc_configuration;
+
+#include <kdc-protos.h>
+
+#endif
diff --git a/crypto/heimdal/kdc/kdc_locl.h b/crypto/heimdal/kdc/kdc_locl.h
index ed69f54..fe05236 100644
--- a/crypto/heimdal/kdc/kdc_locl.h
+++ b/crypto/heimdal/kdc/kdc_locl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,94 +32,41 @@
  */
 
 /* 
- * $Id: kdc_locl.h,v 1.58.2.2 2003/10/27 11:07:16 joda Exp $ 
+ * $Id: kdc_locl.h 22247 2007-12-08 23:49:41Z lha $ 
  */
 
 #ifndef __KDC_LOCL_H__
 #define __KDC_LOCL_H__
 
 #include "headers.h"
+#include "kdc.h"
 
-extern krb5_context context;
+typedef struct pk_client_params pk_client_params;
+#include <kdc-private.h>
 
-extern int require_preauth;
 extern sig_atomic_t exit_flag;
 extern size_t max_request;
-extern time_t kdc_warn_pwexpire;
-extern struct dbinfo {
-    char *realm;
-    char *dbname;
-    char *mkey_file;
-    struct dbinfo *next;
-} *databases;
-extern HDB **db;
-extern int num_db;
+extern const char *request_log;
 extern const char *port_str;
 extern krb5_addresses explicit_addresses;
 
 extern int enable_http;
-extern krb5_boolean encode_as_rep_as_tgs_rep;
-extern krb5_boolean check_ticket_addresses;
-extern krb5_boolean allow_null_ticket_addresses;
-extern krb5_boolean allow_anonymous;
-enum { TRPOLICY_ALWAYS_CHECK,
-       TRPOLICY_ALLOW_PER_PRINCIPAL, 
-       TRPOLICY_ALWAYS_HONOUR_REQUEST };
-extern int trpolicy;
-extern int enable_524;
-extern int enable_v4_cross_realm;
 
-#ifdef KRB4
-extern char *v4_realm;
-extern int enable_v4;
-extern krb5_boolean enable_kaserver;
-#endif
+#define DETACH_IS_DEFAULT FALSE
 
-#define _PATH_KDC_CONF		HDB_DB_DIR "/kdc.conf"
-#define DEFAULT_LOG_DEST	"0-1/FILE:" HDB_DB_DIR "/kdc.log"
+extern int detach_from_console;
 
-extern struct timeval now;
-#define kdc_time (now.tv_sec)
+extern const struct units _kdc_digestunits[];
 
-krb5_error_code as_rep (KDC_REQ*, krb5_data*, const char*, struct sockaddr*);
-void configure (int, char**);
-krb5_error_code db_fetch (krb5_principal, hdb_entry**);
-void free_ent(hdb_entry *);
-void kdc_log (int, const char*, ...)
-    __attribute__ ((format (printf, 2,3)));
+#define KDC_LOG_FILE		"kdc.log"
 
-char* kdc_log_msg (int, const char*, ...)
-    __attribute__ ((format (printf, 2,3)));
-char* kdc_log_msg_va (int, const char*, va_list)
-    __attribute__ ((format (printf, 2,0)));
-void kdc_openlog (void);
-void loop (void);
-void set_master_key (EncryptionKey);
-krb5_error_code tgs_rep (KDC_REQ*, krb5_data*, const char*, struct sockaddr *);
-Key* unseal_key (Key*);
-krb5_error_code check_flags(hdb_entry *client, const char *client_name,
-			    hdb_entry *server, const char *server_name,
-			    krb5_boolean is_as_req);
+extern struct timeval _kdc_now;
+#define kdc_time (_kdc_now.tv_sec)
 
-krb5_error_code get_des_key(hdb_entry*, krb5_boolean, krb5_boolean, Key**);
-krb5_error_code encode_v4_ticket (void*, size_t, const EncTicketPart*, 
-				  const PrincipalName*, size_t*);
-krb5_error_code do_524 (const Ticket*, krb5_data*, const char*, struct sockaddr*);
+void
+loop(krb5_context context, krb5_kdc_configuration *config);
 
-#ifdef KRB4
-krb5_error_code db_fetch4 (const char*, const char*, const char*, hdb_entry**);
-krb5_error_code do_version4 (unsigned char*, size_t, krb5_data*, const char*, 
-			     struct sockaddr_in*);
-int maybe_version4 (unsigned char*, int);
-#endif
-
-#ifdef KRB4
-krb5_error_code do_kaserver (unsigned char*, size_t, krb5_data*, const char*, 
-			     struct sockaddr_in*);
-#endif
-
-#ifdef HAVE_OPENSSL
-#define des_new_random_key des_random_key
-#endif
+krb5_kdc_configuration *
+configure(krb5_context context, int argc, char **argv);
 
 #endif /* __KDC_LOCL_H__ */
diff --git a/crypto/heimdal/kdc/kerberos4.c b/crypto/heimdal/kdc/kerberos4.c
index 050db5d..cbba649 100644
--- a/crypto/heimdal/kdc/kerberos4.c
+++ b/crypto/heimdal/kdc/kerberos4.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,13 +33,13 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: kerberos4.c,v 1.45.2.1 2004/03/30 10:29:27 lha Exp $");
+#include <krb5-v4compat.h>
 
-#ifdef KRB4
+RCSID("$Id: kerberos4.c 21577 2007-07-16 08:14:06Z lha $");
 
 #ifndef swap32
-static u_int32_t
-swap32(u_int32_t x)
+static uint32_t
+swap32(uint32_t x)
 {
     return ((x << 24) & 0xff000000) |
 	((x << 8) & 0xff0000) |
@@ -49,66 +49,74 @@ swap32(u_int32_t x)
 #endif /* swap32 */
 
 int
-maybe_version4(unsigned char *buf, int len)
+_kdc_maybe_version4(unsigned char *buf, int len)
 {
     return len > 0 && *buf == 4;
 }
 
 static void
-make_err_reply(krb5_data *reply, int code, const char *msg)
+make_err_reply(krb5_context context, krb5_data *reply,
+	       int code, const char *msg)
 {
-    KTEXT_ST er;
-
-    /* name, instance and realm are not checked in most (all?)
-       implementations; msg is also never used, but we send it anyway
-       (for debugging purposes) */
-
-    if(msg == NULL)
-	msg = krb_get_err_text(code);
-    cr_err_reply(&er, "", "", "", kdc_time, code, (char*)msg);
-    krb5_data_copy(reply, er.dat, er.length);
+    _krb5_krb_cr_err_reply(context, "", "", "", 
+			   kdc_time, code, msg, reply);
 }
 
+struct valid_princ_ctx {
+    krb5_kdc_configuration *config;
+    unsigned flags;
+};
+
 static krb5_boolean
-valid_princ(krb5_context context, krb5_principal princ)
+valid_princ(krb5_context context,
+	    void *funcctx,
+	    krb5_principal princ)
 {
+    struct valid_princ_ctx *ctx = funcctx;
     krb5_error_code ret;
     char *s;
-    hdb_entry *ent;
+    hdb_entry_ex *ent;
 
     ret = krb5_unparse_name(context, princ, &s);
     if (ret)
 	return FALSE;
-    ret = db_fetch(princ, &ent);
+    ret = _kdc_db_fetch(context, ctx->config, princ, ctx->flags, NULL, &ent);
     if (ret) {
-	kdc_log(7, "Lookup %s failed: %s", s,
+	kdc_log(context, ctx->config, 7, "Lookup %s failed: %s", s,
 		krb5_get_err_text (context, ret));
 	free(s);
 	return FALSE;
     }
-    kdc_log(7, "Lookup %s succeeded", s);
+    kdc_log(context, ctx->config, 7, "Lookup %s succeeded", s);
     free(s);
-    free_ent(ent);
+    _kdc_free_ent(context, ent);
     return TRUE;
 }
 
 krb5_error_code
-db_fetch4(const char *name, const char *instance, const char *realm,
-	  hdb_entry **ent)
+_kdc_db_fetch4(krb5_context context,
+	       krb5_kdc_configuration *config,
+	       const char *name, const char *instance, const char *realm,
+	       unsigned flags,
+	       hdb_entry_ex **ent)
 {
     krb5_principal p;
     krb5_error_code ret;
+    struct valid_princ_ctx ctx;
+
+    ctx.config = config;
+    ctx.flags = flags;
     
-    ret = krb5_425_conv_principal_ext(context, name, instance, realm, 
-				      valid_princ, 0, &p);
+    ret = krb5_425_conv_principal_ext2(context, name, instance, realm, 
+				       valid_princ, &ctx, 0, &p);
     if(ret)
 	return ret;
-    ret = db_fetch(p, ent);
+    ret = _kdc_db_fetch(context, config, p, flags, NULL, ent);
     krb5_free_principal(context, p);
     return ret;
 }
 
-#define RCHECK(X, L) if(X){make_err_reply(reply, KFAILURE, "Packet too short"); goto L;}
+#define RCHECK(X, L) if(X){make_err_reply(context, reply, KFAILURE, "Packet too short"); goto L;}
 
 /*
  * Process the v4 request in `buf, len' (received from `addr'
@@ -117,15 +125,17 @@ db_fetch4(const char *name, const char *instance, const char *realm,
  */
 
 krb5_error_code
-do_version4(unsigned char *buf,
-	    size_t len,
-	    krb5_data *reply,
-	    const char *from,
-	    struct sockaddr_in *addr)
+_kdc_do_version4(krb5_context context, 
+		 krb5_kdc_configuration *config,
+		 unsigned char *buf,
+		 size_t len,
+		 krb5_data *reply,
+		 const char *from,
+		 struct sockaddr_in *addr)
 {
     krb5_storage *sp;
     krb5_error_code ret;
-    hdb_entry *client = NULL, *server = NULL;
+    hdb_entry_ex *client = NULL, *server = NULL;
     Key *ckey, *skey;
     int8_t pvno;
     int8_t msg_type;
@@ -133,67 +143,93 @@ do_version4(unsigned char *buf,
     char *name = NULL, *inst = NULL, *realm = NULL;
     char *sname = NULL, *sinst = NULL;
     int32_t req_time;
-    time_t max_life, max_end, actual_end, issue_time;
-    u_int8_t life;
+    time_t max_life;
+    uint8_t life;
     char client_name[256];
     char server_name[256];
 
-    if(!enable_v4) {
-	kdc_log(0, "Rejected version 4 request from %s", from);
-	make_err_reply(reply, KDC_GEN_ERR, "function not enabled");
+    if(!config->enable_v4) {
+	kdc_log(context, config, 0,
+		"Rejected version 4 request from %s", from);
+	make_err_reply(context, reply, KRB4ET_KDC_GEN_ERR,
+		       "Function not enabled");
 	return 0;
     }
 
     sp = krb5_storage_from_mem(buf, len);
     RCHECK(krb5_ret_int8(sp, &pvno), out);
     if(pvno != 4){
-	kdc_log(0, "Protocol version mismatch (krb4) (%d)", pvno);
-	make_err_reply(reply, KDC_PKT_VER, NULL);
+	kdc_log(context, config, 0,
+		"Protocol version mismatch (krb4) (%d)", pvno);
+	make_err_reply(context, reply, KRB4ET_KDC_PKT_VER, "protocol mismatch");
 	goto out;
     }
     RCHECK(krb5_ret_int8(sp, &msg_type), out);
     lsb = msg_type & 1;
     msg_type &= ~1;
     switch(msg_type){
-    case AUTH_MSG_KDC_REQUEST:
+    case AUTH_MSG_KDC_REQUEST: {
+	krb5_data ticket, cipher;
+	krb5_keyblock session;
+	
+	krb5_data_zero(&ticket);
+	krb5_data_zero(&cipher);
+
 	RCHECK(krb5_ret_stringz(sp, &name), out1);
 	RCHECK(krb5_ret_stringz(sp, &inst), out1);
 	RCHECK(krb5_ret_stringz(sp, &realm), out1);
 	RCHECK(krb5_ret_int32(sp, &req_time), out1);
 	if(lsb)
 	    req_time = swap32(req_time);
-	RCHECK(krb5_ret_int8(sp, &life), out1);
+	RCHECK(krb5_ret_uint8(sp, &life), out1);
 	RCHECK(krb5_ret_stringz(sp, &sname), out1);
 	RCHECK(krb5_ret_stringz(sp, &sinst), out1);
 	snprintf (client_name, sizeof(client_name),
 		  "%s.%s@%s", name, inst, realm);
 	snprintf (server_name, sizeof(server_name),
-		  "%s.%s@%s", sname, sinst, v4_realm);
+		  "%s.%s@%s", sname, sinst, config->v4_realm);
 	
-	kdc_log(0, "AS-REQ (krb4) %s from %s for %s",
+	kdc_log(context, config, 0, "AS-REQ (krb4) %s from %s for %s",
 		client_name, from, server_name);
 
-	ret = db_fetch4(name, inst, realm, &client);
+	ret = _kdc_db_fetch4(context, config, name, inst, realm, 
+			     HDB_F_GET_CLIENT, &client);
 	if(ret) {
-	    kdc_log(0, "Client not found in database: %s: %s",
+	    kdc_log(context, config, 0, "Client not found in database: %s: %s",
 		    client_name, krb5_get_err_text(context, ret));
-	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
+	    make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
+			   "principal unknown");
 	    goto out1;
 	}
-	ret = db_fetch4(sname, sinst, v4_realm, &server);
+	ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm,
+			     HDB_F_GET_SERVER, &server);
 	if(ret){
-	    kdc_log(0, "Server not found in database: %s: %s",
+	    kdc_log(context, config, 0, "Server not found in database: %s: %s",
 		    server_name, krb5_get_err_text(context, ret));
-	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
+	    make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
+			   "principal unknown");
 	    goto out1;
 	}
 
-	ret = check_flags (client, client_name,
-			   server, server_name,
-			   TRUE);
+	ret = _kdc_check_flags (context, config, 
+				client, client_name,
+				server, server_name,
+				TRUE);
 	if (ret) {
 	    /* good error code? */
-	    make_err_reply(reply, KERB_ERR_NAME_EXP, NULL);
+	    make_err_reply(context, reply, KRB4ET_KDC_NAME_EXP,
+			   "operation not allowed");
+	    goto out1;
+	}
+
+	if (config->enable_v4_per_principal &&
+	    client->entry.flags.allow_kerberos4 == 0)
+	{
+	    kdc_log(context, config, 0,
+		    "Per principal Kerberos 4 flag not turned on for %s",
+		    client_name);
+	    make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
+			   "allow kerberos4 flag required");
 	    goto out1;
 	}
 
@@ -202,21 +238,22 @@ do_version4(unsigned char *buf,
 	 * good error code to return if preauthentication is required.
 	 */
 
-	if (require_preauth
-	    || client->flags.require_preauth
-	    || server->flags.require_preauth) {
-	    kdc_log(0,
+	if (config->require_preauth
+	    || client->entry.flags.require_preauth
+	    || server->entry.flags.require_preauth) {
+	    kdc_log(context, config, 0,
 		    "Pre-authentication required for v4-request: "
 		    "%s for %s",
 		    client_name, server_name);
-	    make_err_reply(reply, KERB_ERR_NULL_KEY, NULL);
+	    make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
+			   "preauth required");
 	    goto out1;
 	}
 
-	ret = get_des_key(client, FALSE, FALSE, &ckey);
+	ret = _kdc_get_des_key(context, client, FALSE, FALSE, &ckey);
 	if(ret){
-	    kdc_log(0, "no suitable DES key for client");
-	    make_err_reply(reply, KDC_NULL_KEY, 
+	    kdc_log(context, config, 0, "no suitable DES key for client");
+	    make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, 
 			   "no suitable DES key for client");
 	    goto out1;
 	}
@@ -225,106 +262,154 @@ do_version4(unsigned char *buf,
 	/* this is not necessary with the new code in libkrb */
 	/* find a properly salted key */
 	while(ckey->salt == NULL || ckey->salt->salt.length != 0)
-	    ret = hdb_next_keytype2key(context, client, KEYTYPE_DES, &ckey);
+	    ret = hdb_next_keytype2key(context, &client->entry, KEYTYPE_DES, &ckey);
 	if(ret){
-	    kdc_log(0, "No version-4 salted key in database -- %s.%s@%s", 
+	    kdc_log(context, config, 0, "No version-4 salted key in database -- %s.%s@%s", 
 		    name, inst, realm);
-	    make_err_reply(reply, KDC_NULL_KEY, 
+	    make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, 
 			   "No version-4 salted key in database");
 	    goto out1;
 	}
 #endif
 	
-	ret = get_des_key(server, TRUE, FALSE, &skey);
+	ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
 	if(ret){
-	    kdc_log(0, "no suitable DES key for server");
-	    /* XXX */
-	    make_err_reply(reply, KDC_NULL_KEY, 
+	    kdc_log(context, config, 0, "no suitable DES key for server");
+	    make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, 
 			   "no suitable DES key for server");
 	    goto out1;
 	}
 
-	max_life = krb_life_to_time(0, life);
-	if(client->max_life)
-	    max_life = min(max_life, *client->max_life);
-	if(server->max_life)
-	    max_life = min(max_life, *server->max_life);
+	max_life = _krb5_krb_life_to_time(0, life);
+	if(client->entry.max_life)
+	    max_life = min(max_life, *client->entry.max_life);
+	if(server->entry.max_life)
+	    max_life = min(max_life, *server->entry.max_life);
 
 	life = krb_time_to_life(kdc_time, kdc_time + max_life);
     
-	{
-	    KTEXT_ST cipher, ticket;
-	    KTEXT r;
-	    des_cblock session;
-
-	    des_new_random_key(&session);
-
-	    krb_create_ticket(&ticket, 0, name, inst, v4_realm,
-			      addr->sin_addr.s_addr, session, life, kdc_time, 
-			      sname, sinst, skey->key.keyvalue.data);
+	ret = krb5_generate_random_keyblock(context,
+					    ETYPE_DES_PCBC_NONE,
+					    &session);
+	if (ret) {
+	    make_err_reply(context, reply, KFAILURE,
+			   "Not enough random i KDC");
+	    goto out1;
+	}
 	
-	    create_ciph(&cipher, session, sname, sinst, v4_realm,
-			life, server->kvno % 256, &ticket, kdc_time, 
-			ckey->key.keyvalue.data);
-	    memset(&session, 0, sizeof(session));
-	    r = create_auth_reply(name, inst, realm, req_time, 0, 
-				  client->pw_end ? *client->pw_end : 0, 
-				  client->kvno % 256, &cipher);
-	    krb5_data_copy(reply, r->dat, r->length);
-	    memset(&cipher, 0, sizeof(cipher));
-	    memset(&ticket, 0, sizeof(ticket));
+	ret = _krb5_krb_create_ticket(context,
+				      0,
+				      name,
+				      inst,
+				      config->v4_realm,
+				      addr->sin_addr.s_addr,
+				      &session,
+				      life,
+				      kdc_time,
+				      sname,
+				      sinst,
+				      &skey->key,
+				      &ticket);
+	if (ret) {
+	    krb5_free_keyblock_contents(context, &session);
+	    make_err_reply(context, reply, KFAILURE,
+			   "failed to create v4 ticket");
+	    goto out1;
+	}
+
+	ret = _krb5_krb_create_ciph(context,
+				    &session,
+				    sname,
+				    sinst,
+				    config->v4_realm,
+				    life,
+				    server->entry.kvno % 255,
+				    &ticket,
+				    kdc_time,
+				    &ckey->key,
+				    &cipher);
+	krb5_free_keyblock_contents(context, &session);
+	krb5_data_free(&ticket);
+	if (ret) {
+	    make_err_reply(context, reply, KFAILURE, 
+			   "Failed to create v4 cipher");
+	    goto out1;
 	}
+	
+	ret = _krb5_krb_create_auth_reply(context,
+					  name,
+					  inst,
+					  realm,
+					  req_time,
+					  0,
+					  client->entry.pw_end ? *client->entry.pw_end : 0,
+					  client->entry.kvno % 256,
+					  &cipher,
+					  reply);
+	krb5_data_free(&cipher);
+
     out1:
 	break;
+    }
     case AUTH_MSG_APPL_REQUEST: {
+	struct _krb5_krb_auth_data ad;
 	int8_t kvno;
 	int8_t ticket_len;
 	int8_t req_len;
-	KTEXT_ST auth;
-	AUTH_DAT ad;
+	krb5_data auth;
+	int32_t address;
 	size_t pos;
 	krb5_principal tgt_princ = NULL;
-	hdb_entry *tgt = NULL;
+	hdb_entry_ex *tgt = NULL;
 	Key *tkey;
+	time_t max_end, actual_end, issue_time;
 	
+	memset(&ad, 0, sizeof(ad));
+	krb5_data_zero(&auth);
+
 	RCHECK(krb5_ret_int8(sp, &kvno), out2);
 	RCHECK(krb5_ret_stringz(sp, &realm), out2);
 	
-	ret = krb5_425_conv_principal(context, "krbtgt", realm, v4_realm,
+	ret = krb5_425_conv_principal(context, "krbtgt", realm,
+				      config->v4_realm,
 				      &tgt_princ);
 	if(ret){
-	    kdc_log(0, "Converting krbtgt principal (krb4): %s", 
+	    kdc_log(context, config, 0,
+		    "Converting krbtgt principal (krb4): %s", 
 		    krb5_get_err_text(context, ret));
-	    make_err_reply(reply, KFAILURE, 
+	    make_err_reply(context, reply, KFAILURE, 
 			   "Failed to convert v4 principal (krbtgt)");
 	    goto out2;
 	}
 
-	ret = db_fetch(tgt_princ, &tgt);
+	ret = _kdc_db_fetch(context, config, tgt_princ,
+			    HDB_F_GET_KRBTGT, NULL, &tgt);
 	if(ret){
 	    char *s;
-	    s = kdc_log_msg(0, "Ticket-granting ticket not "
+	    s = kdc_log_msg(context, config, 0, "Ticket-granting ticket not "
 			    "found in database (krb4): krbtgt.%s@%s: %s", 
-			    realm, v4_realm,
+			    realm, config->v4_realm,
 			    krb5_get_err_text(context, ret));
-	    make_err_reply(reply, KFAILURE, s);
+	    make_err_reply(context, reply, KFAILURE, s);
 	    free(s);
 	    goto out2;
 	}
 	
-	if(tgt->kvno % 256 != kvno){
-	    kdc_log(0, "tgs-req (krb4) with old kvno %d (current %d) for "
-		    "krbtgt.%s@%s", kvno, tgt->kvno % 256, realm, v4_realm);
-	    make_err_reply(reply, KDC_AUTH_EXP,
+	if(tgt->entry.kvno % 256 != kvno){
+	    kdc_log(context, config, 0,
+		    "tgs-req (krb4) with old kvno %d (current %d) for "
+		    "krbtgt.%s@%s", kvno, tgt->entry.kvno % 256, 
+		    realm, config->v4_realm);
+	    make_err_reply(context, reply, KRB4ET_KDC_AUTH_EXP,
 			   "old krbtgt kvno used");
 	    goto out2;
 	}
 
-	ret = get_des_key(tgt, TRUE, FALSE, &tkey);
+	ret = _kdc_get_des_key(context, tgt, TRUE, FALSE, &tkey);
 	if(ret){
-	    kdc_log(0, "no suitable DES key for krbtgt (krb4)");
-	    /* XXX */
-	    make_err_reply(reply, KDC_NULL_KEY, 
+	    kdc_log(context, config, 0, 
+		    "no suitable DES key for krbtgt (krb4)");
+	    make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, 
 			   "no suitable DES key for krbtgt");
 	    goto out2;
 	}
@@ -334,107 +419,130 @@ do_version4(unsigned char *buf,
 	
 	pos = krb5_storage_seek(sp, ticket_len + req_len, SEEK_CUR);
 	
-	memset(&auth, 0, sizeof(auth));
-	memcpy(&auth.dat, buf, pos);
+	auth.data = buf;
 	auth.length = pos;
-	krb_set_key(tkey->key.keyvalue.data, 0);
 
-	krb_ignore_ip_address = !check_ticket_addresses;
+	if (config->check_ticket_addresses)
+	    address = addr->sin_addr.s_addr;
+	else
+	    address = 0;
 
-	ret = krb_rd_req(&auth, "krbtgt", realm, 
-			 addr->sin_addr.s_addr, &ad, 0);
+	ret = _krb5_krb_rd_req(context, &auth, "krbtgt", realm, 
+			       config->v4_realm,
+			       address, &tkey->key, &ad);
 	if(ret){
-	    kdc_log(0, "krb_rd_req: %s", krb_get_err_text(ret));
-	    make_err_reply(reply, ret, NULL);
+	    kdc_log(context, config, 0, "krb_rd_req: %d", ret);
+	    make_err_reply(context, reply, ret, "failed to parse request");
 	    goto out2;
 	}
 	
 	RCHECK(krb5_ret_int32(sp, &req_time), out2);
 	if(lsb)
 	    req_time = swap32(req_time);
-	RCHECK(krb5_ret_int8(sp, &life), out2);
+	RCHECK(krb5_ret_uint8(sp, &life), out2);
 	RCHECK(krb5_ret_stringz(sp, &sname), out2);
 	RCHECK(krb5_ret_stringz(sp, &sinst), out2);
 	snprintf (server_name, sizeof(server_name),
 		  "%s.%s@%s",
-		  sname, sinst, v4_realm);
+		  sname, sinst, config->v4_realm);
+	snprintf (client_name, sizeof(client_name),
+		  "%s.%s@%s",
+		  ad.pname, ad.pinst, ad.prealm);
 
-	kdc_log(0, "TGS-REQ (krb4) %s.%s@%s from %s for %s",
-		ad.pname, ad.pinst, ad.prealm, from, server_name);
+	kdc_log(context, config, 0, "TGS-REQ (krb4) %s from %s for %s",
+		client_name, from, server_name);
 	
 	if(strcmp(ad.prealm, realm)){
-	    kdc_log(0, "Can't hop realms (krb4) %s -> %s", realm, ad.prealm);
-	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, 
+	    kdc_log(context, config, 0, 
+		    "Can't hop realms (krb4) %s -> %s", realm, ad.prealm);
+	    make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, 
 			   "Can't hop realms");
 	    goto out2;
 	}
 
-	if (!enable_v4_cross_realm && strcmp(realm, v4_realm) != 0) {
-	    kdc_log(0, "krb4 Cross-realm %s -> %s disabled", realm, v4_realm);
-	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, 
+	if (!config->enable_v4_cross_realm && strcmp(realm, config->v4_realm) != 0) {
+	    kdc_log(context, config, 0, 
+		    "krb4 Cross-realm %s -> %s disabled",
+		    realm, config->v4_realm);
+	    make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
 			   "Can't hop realms");
 	    goto out2;
 	}
 
 	if(strcmp(sname, "changepw") == 0){
-	    kdc_log(0, "Bad request for changepw ticket (krb4)");
-	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, 
+	    kdc_log(context, config, 0, 
+		    "Bad request for changepw ticket (krb4)");
+	    make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, 
 			   "Can't authorize password change based on TGT");
 	    goto out2;
 	}
 	
-#if 0
-	ret = db_fetch4(ad.pname, ad.pinst, ad.prealm, &client);
-	if(ret){
+	ret = _kdc_db_fetch4(context, config, ad.pname, ad.pinst, ad.prealm,
+			     HDB_F_GET_CLIENT, &client);
+	if(ret && ret != HDB_ERR_NOENTRY) {
 	    char *s;
-	    s = kdc_log_msg(0, "Client not found in database: (krb4) "
-			    "%s.%s@%s: %s",
-			    ad.pname, ad.pinst, ad.prealm,
-			    krb5_get_err_text(context, ret));
-	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
+	    s = kdc_log_msg(context, config, 0,
+			    "Client not found in database: (krb4) %s: %s",
+			    client_name, krb5_get_err_text(context, ret));
+	    make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
 	    free(s);
 	    goto out2;
 	}
-#endif
-	
-	ret = db_fetch4(sname, sinst, v4_realm, &server);
+	if (client == NULL && strcmp(ad.prealm, config->v4_realm) == 0) {
+	    char *s;
+	    s = kdc_log_msg(context, config, 0,
+			    "Local client not found in database: (krb4) "
+			    "%s", client_name);
+	    make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
+	    free(s);
+	    goto out2;
+	}
+
+	ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm,
+			     HDB_F_GET_SERVER, &server);
 	if(ret){
 	    char *s;
-	    s = kdc_log_msg(0, "Server not found in database (krb4): %s: %s",
+	    s = kdc_log_msg(context, config, 0,
+			    "Server not found in database (krb4): %s: %s",
 			    server_name, krb5_get_err_text(context, ret));
-	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
+	    make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
 	    free(s);
 	    goto out2;
 	}
 
-	ret = check_flags (NULL, NULL,
-			   server, server_name,
-			   FALSE);
+	ret = _kdc_check_flags (context, config, 
+				client, client_name,
+				server, server_name,
+				FALSE);
 	if (ret) {
-	    /* good error code? */
-	    make_err_reply(reply, KERB_ERR_NAME_EXP, NULL);
+	    make_err_reply(context, reply, KRB4ET_KDC_NAME_EXP,
+			   "operation not allowed");
 	    goto out2;
 	}
 
-	ret = get_des_key(server, TRUE, FALSE, &skey);
+	ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
 	if(ret){
-	    kdc_log(0, "no suitable DES key for server (krb4)");
-	    /* XXX */
-	    make_err_reply(reply, KDC_NULL_KEY, 
+	    kdc_log(context, config, 0, 
+		    "no suitable DES key for server (krb4)");
+	    make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, 
 			   "no suitable DES key for server");
 	    goto out2;
 	}
 
-	max_end = krb_life_to_time(ad.time_sec, ad.life);
-	max_end = min(max_end, krb_life_to_time(kdc_time, life));
+	max_end = _krb5_krb_life_to_time(ad.time_sec, ad.life);
+	max_end = min(max_end, _krb5_krb_life_to_time(kdc_time, life));
+	if(server->entry.max_life)
+	    max_end = min(max_end, kdc_time + *server->entry.max_life);
+	if(client && client->entry.max_life)
+	    max_end = min(max_end, kdc_time + *client->entry.max_life);
 	life = min(life, krb_time_to_life(kdc_time, max_end));
 	
 	issue_time = kdc_time;
-	actual_end = krb_life_to_time(issue_time, life);
+	actual_end = _krb5_krb_life_to_time(issue_time, life);
 	while (actual_end > max_end && life > 1) {
 	    /* move them into the next earlier lifetime bracket */
 	    life--;
-	    actual_end = krb_life_to_time(issue_time, life);
+	    actual_end = _krb5_krb_life_to_time(issue_time, life);
 	}
 	if (actual_end > max_end) {
 	    /* if life <= 1 and it's still too long, backdate the ticket */
@@ -442,46 +550,88 @@ do_version4(unsigned char *buf,
 	}
 
 	{
-	    KTEXT_ST cipher, ticket;
-	    KTEXT r;
-	    des_cblock session;
-	    des_new_random_key(&session);
-
-	    krb_create_ticket(&ticket, 0, ad.pname, ad.pinst, ad.prealm,
-			      addr->sin_addr.s_addr, &session, life, 
-			      issue_time,
-			      sname, sinst, skey->key.keyvalue.data);
-	    
-	    create_ciph(&cipher, session, sname, sinst, v4_realm,
-			life, server->kvno % 256, &ticket,
-			issue_time, &ad.session);
+	    krb5_data ticket, cipher;
+	    krb5_keyblock session;
+
+	    krb5_data_zero(&ticket);
+	    krb5_data_zero(&cipher);
+
+	    ret = krb5_generate_random_keyblock(context,
+						ETYPE_DES_PCBC_NONE,
+						&session);
+	    if (ret) {
+		make_err_reply(context, reply, KFAILURE,
+			       "Not enough random i KDC");
+		goto out2;
+	    }
+	
+	    ret = _krb5_krb_create_ticket(context,
+					  0,
+					  ad.pname,
+					  ad.pinst,
+					  ad.prealm,
+					  addr->sin_addr.s_addr,
+					  &session,
+					  life,
+					  issue_time,
+					  sname,
+					  sinst,
+					  &skey->key,
+					  &ticket);
+	    if (ret) {
+		krb5_free_keyblock_contents(context, &session);
+		make_err_reply(context, reply, KFAILURE,
+			       "failed to create v4 ticket");
+		goto out2;
+	    }
+
+	    ret = _krb5_krb_create_ciph(context,
+					&session,
+					sname,
+					sinst,
+					config->v4_realm,
+					life,
+					server->entry.kvno % 255,
+					&ticket,
+					issue_time,
+					&ad.session,
+					&cipher);
+	    krb5_free_keyblock_contents(context, &session);
+	    if (ret) {
+		make_err_reply(context, reply, KFAILURE,
+			       "failed to create v4 cipher");
+		goto out2;
+	    }
 	    
-	    memset(&session, 0, sizeof(session));
-	    memset(ad.session, 0, sizeof(ad.session));
-
-	    r = create_auth_reply(ad.pname, ad.pinst, ad.prealm, 
-				  req_time, 0, 0, 0, &cipher);
-	    krb5_data_copy(reply, r->dat, r->length);
-	    memset(&cipher, 0, sizeof(cipher));
-	    memset(&ticket, 0, sizeof(ticket));
+	    ret = _krb5_krb_create_auth_reply(context,
+					      ad.pname,
+					      ad.pinst,
+					      ad.prealm,
+					      req_time,
+					      0,
+					      0,
+					      0,
+					      &cipher,
+					      reply);
+	    krb5_data_free(&cipher);
 	}
     out2:
+	_krb5_krb_free_auth_data(context, &ad);
 	if(tgt_princ)
 	    krb5_free_principal(context, tgt_princ);
 	if(tgt)
-	    free_ent(tgt);
+	    _kdc_free_ent(context, tgt);
 	break;
     }
-    
     case AUTH_MSG_ERR_REPLY:
 	break;
     default:
-	kdc_log(0, "Unknown message type (krb4): %d from %s", 
+	kdc_log(context, config, 0, "Unknown message type (krb4): %d from %s", 
 		msg_type, from);
 	
-	make_err_reply(reply, KFAILURE, "Unknown message type");
+	make_err_reply(context, reply, KFAILURE, "Unknown message type");
     }
-out:
+ out:
     if(name)
 	free(name);
     if(inst)
@@ -493,22 +643,18 @@ out:
     if(sinst)
 	free(sinst);
     if(client)
-	free_ent(client);
+	_kdc_free_ent(context, client);
     if(server)
-	free_ent(server);
+	_kdc_free_ent(context, server);
     krb5_storage_free(sp);
     return 0;
 }
 
-#else /* KRB4 */
-
-#include <krb5-v4compat.h>
-
-#endif /* KRB4 */
-
 krb5_error_code
-encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et,
-		 const PrincipalName *service, size_t *size)
+_kdc_encode_v4_ticket(krb5_context context, 
+		      krb5_kdc_configuration *config,
+		      void *buf, size_t len, const EncTicketPart *et,
+		      const PrincipalName *service, size_t *size)
 {
     krb5_storage *sp;
     krb5_error_code ret;
@@ -517,9 +663,10 @@ encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et,
 
     {
 	krb5_principal princ;
-	principalname2krb5_principal(&princ,
-				     *service,
-				     et->crealm);
+	_krb5_principalname2krb5_principal(context,
+					   &princ,
+					   *service,
+					   et->crealm);
 	ret = krb5_524_conv_principal(context, 
 				      princ,
 				      sname,
@@ -529,9 +676,10 @@ encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et,
 	if(ret)
 	    return ret;
 
-	principalname2krb5_principal(&princ,
-				     et->cname,
-				     et->crealm);
+	_krb5_principalname2krb5_principal(context,
+					   &princ,
+					   et->cname,
+					   et->crealm);
 				     
 	ret = krb5_524_conv_principal(context, 
 				      princ,
@@ -594,8 +742,9 @@ encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et,
 }
 
 krb5_error_code
-get_des_key(hdb_entry *principal, krb5_boolean is_server, 
-	    krb5_boolean prefer_afs_key, Key **ret_key)
+_kdc_get_des_key(krb5_context context, 
+		 hdb_entry_ex *principal, krb5_boolean is_server, 
+		 krb5_boolean prefer_afs_key, Key **ret_key)
 {
     Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL;
     int i;
@@ -609,7 +758,7 @@ get_des_key(hdb_entry *principal, krb5_boolean is_server,
 		afs_key == NULL || server_key == NULL);
 	++i) {
 	Key *key = NULL;
-	while(hdb_next_enctype2key(context, principal, etypes[i], &key) == 0) {
+	while(hdb_next_enctype2key(context, &principal->entry, etypes[i], &key) == 0) {
 	    if(key->salt == NULL) {
 		if(v5_key == NULL)
 		    v5_key = key;
@@ -635,7 +784,7 @@ get_des_key(hdb_entry *principal, krb5_boolean is_server,
 	else if(is_server && server_key)
 	    *ret_key = server_key;
 	else
-	    return KERB_ERR_NULL_KEY;
+	    return KRB4ET_KDC_NULL_KEY;
     } else {
 	if(v4_key)
 	    *ret_key = v4_key;
@@ -646,11 +795,11 @@ get_des_key(hdb_entry *principal, krb5_boolean is_server,
 	else if(is_server && server_key)
 	    *ret_key = server_key;
 	else
-	    return KERB_ERR_NULL_KEY;
+	    return KRB4ET_KDC_NULL_KEY;
     }
 
     if((*ret_key)->key.keyvalue.length == 0)
-	return KERB_ERR_NULL_KEY;
+	return KRB4ET_KDC_NULL_KEY;
     return 0;
 }
 
diff --git a/crypto/heimdal/kdc/kerberos5.c b/crypto/heimdal/kdc/kerberos5.c
index f2736fd..9582cd8 100644
--- a/crypto/heimdal/kdc/kerberos5.c
+++ b/crypto/heimdal/kdc/kerberos5.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,12 +33,12 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: kerberos5.c,v 1.145.2.4 2004/08/13 19:28:26 lha Exp $");
+RCSID("$Id: kerberos5.c 22071 2007-11-14 20:04:50Z lha $");
 
 #define MAX_TIME ((time_t)((1U << 31) - 1))
 
-static void
-fix_time(time_t **t)
+void
+_kdc_fix_time(time_t **t)
 {
     if(*t == NULL){
 	ALLOC(*t);
@@ -47,22 +47,35 @@ fix_time(time_t **t)
     if(**t == 0) **t = MAX_TIME; /* fix for old clients */
 }
 
+static int
+realloc_method_data(METHOD_DATA *md)
+{
+    PA_DATA *pa;
+    pa = realloc(md->val, (md->len + 1) * sizeof(*md->val));
+    if(pa == NULL)
+	return ENOMEM;
+    md->val = pa;
+    md->len++;
+    return 0;
+}
+
 static void
-set_salt_padata (METHOD_DATA **m, Salt *salt)
+set_salt_padata (METHOD_DATA *md, Salt *salt)
 {
     if (salt) {
-	ALLOC(*m);
-	(*m)->len = 1;
-	ALLOC((*m)->val);
-	(*m)->val->padata_type = salt->type;
-	copy_octet_string(&salt->salt,
-			  &(*m)->val->padata_value);
+	realloc_method_data(md);
+	md->val[md->len - 1].padata_type = salt->type;
+	der_copy_octet_string(&salt->salt,
+			      &md->val[md->len - 1].padata_value);
     }
 }
 
-static PA_DATA*
-find_padata(KDC_REQ *req, int *start, int type)
+const PA_DATA*
+_kdc_find_padata(const KDC_REQ *req, int *start, int type)
 {
+    if (req->padata == NULL)
+	return NULL;
+
     while(*start < req->padata->len){
 	(*start)++;
 	if(req->padata->val[*start - 1].padata_type == type)
@@ -72,22 +85,45 @@ find_padata(KDC_REQ *req, int *start, int type)
 }
 
 /*
+ * Detect if `key' is the using the the precomputed `default_salt'.
+ */
+
+static krb5_boolean
+is_default_salt_p(const krb5_salt *default_salt, const Key *key)
+{
+    if (key->salt == NULL)
+	return TRUE;
+    if (default_salt->salttype != key->salt->type)
+	return FALSE;
+    if (krb5_data_cmp(&default_salt->saltvalue, &key->salt->salt))
+	return FALSE;
+    return TRUE;
+}
+
+/*
  * return the first appropriate key of `princ' in `ret_key'.  Look for
  * all the etypes in (`etypes', `len'), stopping as soon as we find
  * one, but preferring one that has default salt
  */
 
-static krb5_error_code
-find_etype(hdb_entry *princ, krb5_enctype *etypes, unsigned len, 
-	   Key **ret_key, krb5_enctype *ret_etype)
+krb5_error_code
+_kdc_find_etype(krb5_context context, const hdb_entry_ex *princ,
+		krb5_enctype *etypes, unsigned len, 
+		Key **ret_key, krb5_enctype *ret_etype)
 {
     int i;
     krb5_error_code ret = KRB5KDC_ERR_ETYPE_NOSUPP;
+    krb5_salt def_salt;
+
+    krb5_get_pw_salt (context, princ->entry.principal, &def_salt);
 
     for(i = 0; ret != 0 && i < len ; i++) {
 	Key *key = NULL;
 
-	while (hdb_next_enctype2key(context, princ, etypes[i], &key) == 0) {
+	if (krb5_enctype_valid(context, etypes[i]) != 0)
+	    continue;
+
+	while (hdb_next_enctype2key(context, &princ->entry, etypes[i], &key) == 0) {
 	    if (key->key.keyvalue.length == 0) {
 		ret = KRB5KDC_ERR_NULL_KEY;
 		continue;
@@ -95,47 +131,18 @@ find_etype(hdb_entry *princ, krb5_enctype *etypes, unsigned len,
 	    *ret_key   = key;
 	    *ret_etype = etypes[i];
 	    ret = 0;
-	    if (key->salt == NULL)
+	    if (is_default_salt_p(&def_salt, key)) {
+		krb5_free_salt (context, def_salt);
 		return ret;
+	    }
 	}
     }
+    krb5_free_salt (context, def_salt);
     return ret;
 }
 
-static krb5_error_code
-find_keys(hdb_entry *client,
-	  hdb_entry *server, 
-	  Key **ckey,
-	  krb5_enctype *cetype,
-	  Key **skey,
-	  krb5_enctype *setype, 
-	  krb5_enctype *etypes,
-	  unsigned num_etypes)
-{
-    krb5_error_code ret;
-
-    if(client){
-	/* find client key */
-	ret = find_etype(client, etypes, num_etypes, ckey, cetype);
-	if (ret) {
-	    kdc_log(0, "Client has no support for etypes");
-	    return ret;
-	}
-    }
-
-    if(server){
-	/* find server key */
-	ret = find_etype(server, etypes, num_etypes, skey, setype);
-	if (ret) {
-	    kdc_log(0, "Server has no support for etypes");
-	    return ret;
-	}
-    }
-    return 0;
-}
-
-static krb5_error_code
-make_anonymous_principalname (PrincipalName *pn)
+krb5_error_code
+_kdc_make_anonymous_principalname (PrincipalName *pn)
 {
     pn->name_type = KRB5_NT_PRINCIPAL;
     pn->name_string.len = 1;
@@ -151,13 +158,92 @@ make_anonymous_principalname (PrincipalName *pn)
     return 0;
 }
 
-static krb5_error_code
-encode_reply(KDC_REP *rep, EncTicketPart *et, EncKDCRepPart *ek, 
-	     krb5_enctype etype, 
-	     int skvno, EncryptionKey *skey,
-	     int ckvno, EncryptionKey *ckey,
-	     const char **e_text,
-	     krb5_data *reply)
+void
+_kdc_log_timestamp(krb5_context context, 
+		   krb5_kdc_configuration *config,
+		   const char *type,
+		   KerberosTime authtime, KerberosTime *starttime, 
+		   KerberosTime endtime, KerberosTime *renew_till)
+{
+    char authtime_str[100], starttime_str[100], 
+	endtime_str[100], renewtime_str[100];
+    
+    krb5_format_time(context, authtime, 
+		     authtime_str, sizeof(authtime_str), TRUE); 
+    if (starttime)
+	krb5_format_time(context, *starttime, 
+			 starttime_str, sizeof(starttime_str), TRUE); 
+    else
+	strlcpy(starttime_str, "unset", sizeof(starttime_str));
+    krb5_format_time(context, endtime, 
+		     endtime_str, sizeof(endtime_str), TRUE); 
+    if (renew_till)
+	krb5_format_time(context, *renew_till, 
+			 renewtime_str, sizeof(renewtime_str), TRUE); 
+    else
+	strlcpy(renewtime_str, "unset", sizeof(renewtime_str));
+    
+    kdc_log(context, config, 5,
+	    "%s authtime: %s starttime: %s endtime: %s renew till: %s",
+	    type, authtime_str, starttime_str, endtime_str, renewtime_str);
+}
+
+static void
+log_patypes(krb5_context context, 
+	    krb5_kdc_configuration *config,
+	    METHOD_DATA *padata)
+{
+    struct rk_strpool *p = NULL;
+    char *str;
+    int i;
+	    
+    for (i = 0; i < padata->len; i++) {
+	switch(padata->val[i].padata_type) {
+	case KRB5_PADATA_PK_AS_REQ:
+	    p = rk_strpoolprintf(p, "PK-INIT(ietf)");
+	    break;
+	case KRB5_PADATA_PK_AS_REQ_WIN:
+	    p = rk_strpoolprintf(p, "PK-INIT(win2k)");
+	    break;
+	case KRB5_PADATA_PA_PK_OCSP_RESPONSE:
+	    p = rk_strpoolprintf(p, "OCSP");
+	    break;
+	case KRB5_PADATA_ENC_TIMESTAMP:
+	    p = rk_strpoolprintf(p, "encrypted-timestamp");
+	    break;
+	default:
+	    p = rk_strpoolprintf(p, "%d", padata->val[i].padata_type);
+	    break;
+	}
+	if (p && i + 1 < padata->len)
+	    p = rk_strpoolprintf(p, ", ");
+	if (p == NULL) {
+	    kdc_log(context, config, 0, "out of memory");
+	    return;
+	}
+    }
+    if (p == NULL)
+	p = rk_strpoolprintf(p, "none");
+	
+    str = rk_strpoolcollect(p);
+    kdc_log(context, config, 0, "Client sent patypes: %s", str);
+    free(str);
+}
+
+/*
+ *
+ */
+
+
+krb5_error_code
+_kdc_encode_reply(krb5_context context,
+		  krb5_kdc_configuration *config,
+		  KDC_REP *rep, const EncTicketPart *et, EncKDCRepPart *ek, 
+		  krb5_enctype etype, 
+		  int skvno, const EncryptionKey *skey,
+		  int ckvno, const EncryptionKey *ckey,
+		  const char **e_text,
+		  krb5_data *reply)
 {
     unsigned char *buf;
     size_t buf_size;
@@ -167,13 +253,13 @@ encode_reply(KDC_REP *rep, EncTicketPart *et, EncKDCRepPart *ek,
 
     ASN1_MALLOC_ENCODE(EncTicketPart, buf, buf_size, et, &len, ret);
     if(ret) {
-	kdc_log(0, "Failed to encode ticket: %s", 
+	kdc_log(context, config, 0, "Failed to encode ticket: %s", 
 		krb5_get_err_text(context, ret));
 	return ret;
     }
     if(buf_size != len) {
 	free(buf);
-	kdc_log(0, "Internal error in ASN.1 encoder");
+	kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
 	*e_text = "KDC internal error";
 	return KRB5KRB_ERR_GENERIC;
     }
@@ -181,7 +267,7 @@ encode_reply(KDC_REP *rep, EncTicketPart *et, EncKDCRepPart *ek,
     ret = krb5_crypto_init(context, skey, etype, &crypto);
     if (ret) {
 	free(buf);
-	kdc_log(0, "krb5_crypto_init failed: %s",
+	kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
 		krb5_get_err_text(context, ret));
 	return ret;
     }
@@ -196,30 +282,30 @@ encode_reply(KDC_REP *rep, EncTicketPart *et, EncKDCRepPart *ek,
     free(buf);
     krb5_crypto_destroy(context, crypto);
     if(ret) {
-	kdc_log(0, "Failed to encrypt data: %s",
+	kdc_log(context, config, 0, "Failed to encrypt data: %s",
 		krb5_get_err_text(context, ret));
 	return ret;
     }
     
-    if(rep->msg_type == krb_as_rep && !encode_as_rep_as_tgs_rep)
+    if(rep->msg_type == krb_as_rep && !config->encode_as_rep_as_tgs_rep)
 	ASN1_MALLOC_ENCODE(EncASRepPart, buf, buf_size, ek, &len, ret);
     else
 	ASN1_MALLOC_ENCODE(EncTGSRepPart, buf, buf_size, ek, &len, ret);
     if(ret) {
-	kdc_log(0, "Failed to encode KDC-REP: %s", 
+	kdc_log(context, config, 0, "Failed to encode KDC-REP: %s", 
 		krb5_get_err_text(context, ret));
 	return ret;
     }
     if(buf_size != len) {
 	free(buf);
-	kdc_log(0, "Internal error in ASN.1 encoder");
+	kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
 	*e_text = "KDC internal error";
 	return KRB5KRB_ERR_GENERIC;
     }
     ret = krb5_crypto_init(context, ckey, 0, &crypto);
     if (ret) {
 	free(buf);
-	kdc_log(0, "krb5_crypto_init failed: %s",
+	kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
 		krb5_get_err_text(context, ret));
 	return ret;
     }
@@ -246,13 +332,13 @@ encode_reply(KDC_REP *rep, EncTicketPart *et, EncKDCRepPart *ek,
     }
     krb5_crypto_destroy(context, crypto);
     if(ret) {
-	kdc_log(0, "Failed to encode KDC-REP: %s", 
+	kdc_log(context, config, 0, "Failed to encode KDC-REP: %s", 
 		krb5_get_err_text(context, ret));
 	return ret;
     }
     if(buf_size != len) {
 	free(buf);
-	kdc_log(0, "Internal error in ASN.1 encoder");
+	kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
 	*e_text = "KDC internal error";
 	return KRB5KRB_ERR_GENERIC;
     }
@@ -261,31 +347,64 @@ encode_reply(KDC_REP *rep, EncTicketPart *et, EncKDCRepPart *ek,
     return 0;
 }
 
+/*
+ * Return 1 if the client have only older enctypes, this is for
+ * determining if the server should send ETYPE_INFO2 or not.
+ */
+
 static int
-realloc_method_data(METHOD_DATA *md)
+older_enctype(krb5_enctype enctype)
 {
-    PA_DATA *pa;
-    pa = realloc(md->val, (md->len + 1) * sizeof(*md->val));
-    if(pa == NULL)
-	return ENOMEM;
-    md->val = pa;
-    md->len++;
-    return 0;
+    switch (enctype) {
+    case ETYPE_DES_CBC_CRC:
+    case ETYPE_DES_CBC_MD4:
+    case ETYPE_DES_CBC_MD5:
+    case ETYPE_DES3_CBC_SHA1:
+    case ETYPE_ARCFOUR_HMAC_MD5:
+    case ETYPE_ARCFOUR_HMAC_MD5_56:
+    /* 
+     * The following three is "old" windows enctypes and is needed for
+     * windows 2000 hosts.
+     */
+    case ETYPE_ARCFOUR_MD4:
+    case ETYPE_ARCFOUR_HMAC_OLD:
+    case ETYPE_ARCFOUR_HMAC_OLD_EXP:
+	return 1;
+    default:
+	return 0;
+    }
 }
 
+static int
+only_older_enctype_p(const KDC_REQ *req)
+{
+    int i;
+
+    for(i = 0; i < req->req_body.etype.len; i++) {
+	if (!older_enctype(req->req_body.etype.val[i]))
+	    return 0;
+    }
+    return 1;
+}
+
+/*
+ *
+ */
+
 static krb5_error_code
-make_etype_info_entry(ETYPE_INFO_ENTRY *ent, Key *key)
+make_etype_info_entry(krb5_context context, ETYPE_INFO_ENTRY *ent, Key *key)
 {
     ent->etype = key->key.keytype;
     if(key->salt){
-	ALLOC(ent->salttype);
 #if 0
+	ALLOC(ent->salttype);
+
 	if(key->salt->type == hdb_pw_salt)
 	    *ent->salttype = 0; /* or 1? or NULL? */
 	else if(key->salt->type == hdb_afs3_salt)
 	    *ent->salttype = 2;
 	else {
-	    kdc_log(0, "unknown salt-type: %d", 
+	    kdc_log(context, config, 0, "unknown salt-type: %d", 
 		    key->salt->type);
 	    return KRB5KRB_ERR_GENERIC;
 	}
@@ -294,8 +413,17 @@ make_etype_info_entry(ETYPE_INFO_ENTRY *ent, Key *key)
 	   *know* what cell you are using (e.g by assuming
 	   that the cell is the same as the realm in lower
 	   case) */
-#else
+#elif 0
+	ALLOC(ent->salttype);
 	*ent->salttype = key->salt->type;
+#else
+	/* 
+	 * We shouldn't sent salttype since it is incompatible with the
+	 * specification and it breaks windows clients.  The afs
+	 * salting problem is solved by using KRB5-PADATA-AFS3-SALT
+	 * implemented in Heimdal 0.7 and later.
+	 */
+	ent->salttype = NULL;
 #endif
 	krb5_copy_data(context, &key->salt->salt,
 		       &ent->salt);
@@ -312,7 +440,9 @@ make_etype_info_entry(ETYPE_INFO_ENTRY *ent, Key *key)
 }
 
 static krb5_error_code
-get_pa_etype_info(METHOD_DATA *md, hdb_entry *client, 
+get_pa_etype_info(krb5_context context, 
+		  krb5_kdc_configuration *config,
+		  METHOD_DATA *md, hdb_entry *client, 
 		  ENCTYPE *etypes, unsigned int etypes_len)
 {
     krb5_error_code ret = 0;
@@ -329,41 +459,55 @@ get_pa_etype_info(METHOD_DATA *md, hdb_entry *client,
     pa.val = malloc(pa.len * sizeof(*pa.val));
     if(pa.val == NULL)
 	return ENOMEM;
+    memset(pa.val, 0, pa.len * sizeof(*pa.val));
 
-    for(j = 0; j < etypes_len; j++) {
-	for (i = 0; i < n; i++)
-	    if (pa.val[i].etype == etypes[j])
+    for(i = 0; i < client->keys.len; i++) {
+	for (j = 0; j < n; j++)
+	    if (pa.val[j].etype == client->keys.val[i].key.keytype)
 		goto skip1;
-	for(i = 0; i < client->keys.len; i++) {
-	    if(client->keys.val[i].key.keytype == etypes[j])
-		if((ret = make_etype_info_entry(&pa.val[n++], 
+	for(j = 0; j < etypes_len; j++) {
+	    if(client->keys.val[i].key.keytype == etypes[j]) {
+ 		if (krb5_enctype_valid(context, etypes[j]) != 0)
+ 		    continue;
+		if (!older_enctype(etypes[j]))
+ 		    continue;
+		if (n >= pa.len)
+		    krb5_abortx(context, "internal error: n >= p.len");
+		if((ret = make_etype_info_entry(context, 
+						&pa.val[n++], 
 						&client->keys.val[i])) != 0) {
 		    free_ETYPE_INFO(&pa);
 		    return ret;
 		}
+		break;
+	    }
 	}
     skip1:;
     }
     for(i = 0; i < client->keys.len; i++) {
+	/* already added? */
 	for(j = 0; j < etypes_len; j++) {
 	    if(client->keys.val[i].key.keytype == etypes[j])
 		goto skip2;
 	}
-	if((ret = make_etype_info_entry(&pa.val[n++], 
+	if (krb5_enctype_valid(context, client->keys.val[i].key.keytype) != 0)
+	    continue;
+	if (!older_enctype(etypes[j]))
+	    continue;
+	if (n >= pa.len)
+	    krb5_abortx(context, "internal error: n >= p.len");
+	if((ret = make_etype_info_entry(context, 
+					&pa.val[n++], 
 					&client->keys.val[i])) != 0) {
 	    free_ETYPE_INFO(&pa);
 	    return ret;
 	}
-      skip2:;
+    skip2:;
     }
     
-    if(n != pa.len) {
-	char *name;
-	krb5_unparse_name(context, client->principal, &name);
-	kdc_log(0, "internal error in get_pa_etype_info(%s): %d != %d", 
-		name, n, pa.len);
-	free(name);
-	pa.len = n;
+    if(n < pa.len) {
+	/* stripped out dups, newer enctypes, and not valid enctypes */
+ 	pa.len = n;
     }
 
     ASN1_MALLOC_ENCODE(ETYPE_INFO, buf, len, &pa, &len, ret);
@@ -382,77 +526,335 @@ get_pa_etype_info(METHOD_DATA *md, hdb_entry *client,
 }
 
 /*
+ *
+ */
+
+extern int _krb5_AES_string_to_default_iterator;
+
+static krb5_error_code
+make_etype_info2_entry(ETYPE_INFO2_ENTRY *ent, Key *key)
+{
+    ent->etype = key->key.keytype;
+    if(key->salt) {
+	ALLOC(ent->salt);
+	if (ent->salt == NULL)
+	    return ENOMEM;
+	*ent->salt = malloc(key->salt->salt.length + 1);
+	if (*ent->salt == NULL) {
+	    free(ent->salt);
+	    ent->salt = NULL;
+	    return ENOMEM;
+	}
+	memcpy(*ent->salt, key->salt->salt.data, key->salt->salt.length);
+	(*ent->salt)[key->salt->salt.length] = '\0';
+    } else
+	ent->salt = NULL;
+
+    ent->s2kparams = NULL;
+
+    switch (key->key.keytype) {
+    case ETYPE_AES128_CTS_HMAC_SHA1_96:
+    case ETYPE_AES256_CTS_HMAC_SHA1_96:
+	ALLOC(ent->s2kparams);
+	if (ent->s2kparams == NULL)
+	    return ENOMEM;
+	ent->s2kparams->length = 4;
+	ent->s2kparams->data = malloc(ent->s2kparams->length);
+	if (ent->s2kparams->data == NULL) {
+	    free(ent->s2kparams);
+	    ent->s2kparams = NULL;
+	    return ENOMEM;
+	}
+	_krb5_put_int(ent->s2kparams->data, 
+		      _krb5_AES_string_to_default_iterator, 
+		      ent->s2kparams->length);
+	break;
+    case ETYPE_DES_CBC_CRC:
+    case ETYPE_DES_CBC_MD4:
+    case ETYPE_DES_CBC_MD5:
+	/* Check if this was a AFS3 salted key */
+	if(key->salt && key->salt->type == hdb_afs3_salt){
+	    ALLOC(ent->s2kparams);
+	    if (ent->s2kparams == NULL)
+		return ENOMEM;
+	    ent->s2kparams->length = 1;
+	    ent->s2kparams->data = malloc(ent->s2kparams->length);
+	    if (ent->s2kparams->data == NULL) {
+		free(ent->s2kparams);
+		ent->s2kparams = NULL;
+		return ENOMEM;
+	    }
+	    _krb5_put_int(ent->s2kparams->data, 
+			  1,
+			  ent->s2kparams->length);
+	}
+	break;
+    default:
+	break;
+    }
+    return 0;
+}
+
+/*
+ * Return an ETYPE-INFO2. Enctypes are storted the same way as in the
+ * database (client supported enctypes first, then the unsupported
+ * enctypes).
+ */
+
+static krb5_error_code
+get_pa_etype_info2(krb5_context context, 
+		   krb5_kdc_configuration *config,
+		   METHOD_DATA *md, hdb_entry *client, 
+		   ENCTYPE *etypes, unsigned int etypes_len)
+{
+    krb5_error_code ret = 0;
+    int i, j;
+    unsigned int n = 0;
+    ETYPE_INFO2 pa;
+    unsigned char *buf;
+    size_t len;
+
+    pa.len = client->keys.len;
+    if(pa.len > UINT_MAX/sizeof(*pa.val))
+	return ERANGE;
+    pa.val = malloc(pa.len * sizeof(*pa.val));
+    if(pa.val == NULL)
+	return ENOMEM;
+    memset(pa.val, 0, pa.len * sizeof(*pa.val));
+
+    for(i = 0; i < client->keys.len; i++) {
+	for (j = 0; j < n; j++)
+	    if (pa.val[j].etype == client->keys.val[i].key.keytype)
+		goto skip1;
+	for(j = 0; j < etypes_len; j++) {
+	    if(client->keys.val[i].key.keytype == etypes[j]) {
+		if (krb5_enctype_valid(context, etypes[j]) != 0)
+		    continue;
+		if (n >= pa.len)
+		    krb5_abortx(context, "internal error: n >= p.len");
+		if((ret = make_etype_info2_entry(&pa.val[n++], 
+						 &client->keys.val[i])) != 0) {
+		    free_ETYPE_INFO2(&pa);
+		    return ret;
+		}
+		break;
+	    }
+	}
+    skip1:;
+    }
+    /* send enctypes that the client doesn't know about too */
+    for(i = 0; i < client->keys.len; i++) {
+	/* already added? */
+	for(j = 0; j < etypes_len; j++) {
+	    if(client->keys.val[i].key.keytype == etypes[j])
+		goto skip2;
+	}
+	if (krb5_enctype_valid(context, client->keys.val[i].key.keytype) != 0)
+	    continue;
+	if (n >= pa.len)
+	    krb5_abortx(context, "internal error: n >= p.len");
+	if((ret = make_etype_info2_entry(&pa.val[n++],
+					 &client->keys.val[i])) != 0) {
+	    free_ETYPE_INFO2(&pa);
+	    return ret;
+	}
+      skip2:;
+    }
+    
+    if(n < pa.len) {
+	/* stripped out dups, and not valid enctypes */
+ 	pa.len = n;
+    }
+
+    ASN1_MALLOC_ENCODE(ETYPE_INFO2, buf, len, &pa, &len, ret);
+    free_ETYPE_INFO2(&pa);
+    if(ret)
+	return ret;
+    ret = realloc_method_data(md);
+    if(ret) {
+	free(buf);
+	return ret;
+    }
+    md->val[md->len - 1].padata_type = KRB5_PADATA_ETYPE_INFO2;
+    md->val[md->len - 1].padata_value.length = len;
+    md->val[md->len - 1].padata_value.data = buf;
+    return 0;
+}
+
+/*
+ *
+ */
+
+static void
+log_as_req(krb5_context context,
+	   krb5_kdc_configuration *config,
+	   krb5_enctype cetype,
+	   krb5_enctype setype,
+	   const KDC_REQ_BODY *b)
+{
+    krb5_error_code ret;
+    struct rk_strpool *p = NULL;
+    char *str;
+    int i;
+    
+    for (i = 0; i < b->etype.len; i++) {
+	ret = krb5_enctype_to_string(context, b->etype.val[i], &str);
+	if (ret == 0) {
+	    p = rk_strpoolprintf(p, "%s", str);
+	    free(str);
+	} else
+	    p = rk_strpoolprintf(p, "%d", b->etype.val[i]);
+	if (p && i + 1 < b->etype.len)
+	    p = rk_strpoolprintf(p, ", ");
+	if (p == NULL) {
+	    kdc_log(context, config, 0, "out of memory");
+	    return;
+	}
+    }
+    if (p == NULL)
+	p = rk_strpoolprintf(p, "no encryption types");
+    
+    str = rk_strpoolcollect(p);
+    kdc_log(context, config, 0, "Client supported enctypes: %s", str);
+    free(str);
+
+    {
+	char *cet;
+	char *set;
+
+	ret = krb5_enctype_to_string(context, cetype, &cet);
+	if(ret == 0) {
+	    ret = krb5_enctype_to_string(context, setype, &set);
+	    if (ret == 0) {
+		kdc_log(context, config, 5, "Using %s/%s", cet, set);
+		free(set);
+	    }
+	    free(cet);
+	}
+	if (ret != 0)
+	    kdc_log(context, config, 5, "Using e-types %d/%d", cetype, setype);
+    }
+    
+    {
+	char fixedstr[128];
+	unparse_flags(KDCOptions2int(b->kdc_options), asn1_KDCOptions_units(), 
+		      fixedstr, sizeof(fixedstr));
+	if(*fixedstr)
+	    kdc_log(context, config, 2, "Requested flags: %s", fixedstr);
+    }
+}
+
+/*
  * verify the flags on `client' and `server', returning 0
  * if they are OK and generating an error messages and returning
  * and error code otherwise.
  */
 
 krb5_error_code
-check_flags(hdb_entry *client, const char *client_name,
-	    hdb_entry *server, const char *server_name,
-	    krb5_boolean is_as_req)
+_kdc_check_flags(krb5_context context, 
+		 krb5_kdc_configuration *config,
+		 hdb_entry_ex *client_ex, const char *client_name,
+		 hdb_entry_ex *server_ex, const char *server_name,
+		 krb5_boolean is_as_req)
 {
-    if(client != NULL) {
+    if(client_ex != NULL) {
+	hdb_entry *client = &client_ex->entry;
+
 	/* check client */
 	if (client->flags.invalid) {
-	    kdc_log(0, "Client (%s) has invalid bit set", client_name);
+	    kdc_log(context, config, 0, 
+		    "Client (%s) has invalid bit set", client_name);
 	    return KRB5KDC_ERR_POLICY;
 	}
 	
 	if(!client->flags.client){
-	    kdc_log(0, "Principal may not act as client -- %s", 
-		    client_name);
+	    kdc_log(context, config, 0,
+		    "Principal may not act as client -- %s", client_name);
 	    return KRB5KDC_ERR_POLICY;
 	}
 	
 	if (client->valid_start && *client->valid_start > kdc_time) {
-	    kdc_log(0, "Client not yet valid -- %s", client_name);
+	    char starttime_str[100];
+	    krb5_format_time(context, *client->valid_start, 
+			     starttime_str, sizeof(starttime_str), TRUE); 
+	    kdc_log(context, config, 0,
+		    "Client not yet valid until %s -- %s", 
+		    starttime_str, client_name);
 	    return KRB5KDC_ERR_CLIENT_NOTYET;
 	}
 	
 	if (client->valid_end && *client->valid_end < kdc_time) {
-	    kdc_log(0, "Client expired -- %s", client_name);
+	    char endtime_str[100];
+	    krb5_format_time(context, *client->valid_end, 
+			     endtime_str, sizeof(endtime_str), TRUE); 
+	    kdc_log(context, config, 0,
+		    "Client expired at %s -- %s",
+		    endtime_str, client_name);
 	    return KRB5KDC_ERR_NAME_EXP;
 	}
 	
-	if (client->pw_end && *client->pw_end < kdc_time
-	    && !server->flags.change_pw) {
-	    kdc_log(0, "Client's key has expired -- %s", client_name);
+	if (client->pw_end && *client->pw_end < kdc_time 
+	    && (server_ex == NULL || !server_ex->entry.flags.change_pw)) {
+	    char pwend_str[100];
+	    krb5_format_time(context, *client->pw_end, 
+			     pwend_str, sizeof(pwend_str), TRUE); 
+	    kdc_log(context, config, 0,
+		    "Client's key has expired at %s -- %s", 
+		    pwend_str, client_name);
 	    return KRB5KDC_ERR_KEY_EXPIRED;
 	}
     }
 
     /* check server */
     
-    if (server != NULL) {
+    if (server_ex != NULL) {
+	hdb_entry *server = &server_ex->entry;
+
 	if (server->flags.invalid) {
-	    kdc_log(0, "Server has invalid flag set -- %s", server_name);
+	    kdc_log(context, config, 0,
+		    "Server has invalid flag set -- %s", server_name);
 	    return KRB5KDC_ERR_POLICY;
 	}
 
 	if(!server->flags.server){
-	    kdc_log(0, "Principal may not act as server -- %s", 
-		    server_name);
+	    kdc_log(context, config, 0,
+		    "Principal may not act as server -- %s", server_name);
 	    return KRB5KDC_ERR_POLICY;
 	}
 
 	if(!is_as_req && server->flags.initial) {
-	    kdc_log(0, "AS-REQ is required for server -- %s", server_name);
+	    kdc_log(context, config, 0,
+		    "AS-REQ is required for server -- %s", server_name);
 	    return KRB5KDC_ERR_POLICY;
 	}
 
 	if (server->valid_start && *server->valid_start > kdc_time) {
-	    kdc_log(0, "Server not yet valid -- %s", server_name);
+	    char starttime_str[100];
+	    krb5_format_time(context, *server->valid_start, 
+			     starttime_str, sizeof(starttime_str), TRUE); 
+	    kdc_log(context, config, 0,
+		    "Server not yet valid until %s -- %s",
+		    starttime_str, server_name);
 	    return KRB5KDC_ERR_SERVICE_NOTYET;
 	}
 
 	if (server->valid_end && *server->valid_end < kdc_time) {
-	    kdc_log(0, "Server expired -- %s", server_name);
+	    char endtime_str[100];
+	    krb5_format_time(context, *server->valid_end, 
+			     endtime_str, sizeof(endtime_str), TRUE); 
+	    kdc_log(context, config, 0,
+		    "Server expired at %s -- %s", 
+		    endtime_str, server_name);
 	    return KRB5KDC_ERR_SERVICE_EXP;
 	}
 
 	if (server->pw_end && *server->pw_end < kdc_time) {
-	    kdc_log(0, "Server's key has expired -- %s", server_name);
+	    char pwend_str[100];
+	    krb5_format_time(context, *server->pw_end, 
+			     pwend_str, sizeof(pwend_str), TRUE); 
+	    kdc_log(context, config, 0,
+		    "Server's key has expired at -- %s", 
+		    pwend_str, server_name);
 	    return KRB5KDC_ERR_KEY_EXPIRED;
 	}
     }
@@ -465,19 +867,38 @@ check_flags(hdb_entry *client, const char *client_name,
  * these checks
  */
 
-static krb5_boolean
-check_addresses(HostAddresses *addresses, const struct sockaddr *from)
+krb5_boolean
+_kdc_check_addresses(krb5_context context,        
+		     krb5_kdc_configuration *config,
+		     HostAddresses *addresses, const struct sockaddr *from)
 {
     krb5_error_code ret;
     krb5_address addr;
     krb5_boolean result;
+    krb5_boolean only_netbios = TRUE;
+    int i;
     
-    if(check_ticket_addresses == 0)
+    if(config->check_ticket_addresses == 0)
 	return TRUE;
 
     if(addresses == NULL)
-	return allow_null_ticket_addresses;
+	return config->allow_null_ticket_addresses;
     
+    for (i = 0; i < addresses->len; ++i) {
+	if (addresses->val[i].addr_type != KRB5_ADDRESS_NETBIOS) {
+	    only_netbios = FALSE;
+	}
+    }
+
+    /* Windows sends it's netbios name, which I can only assume is
+     * used for the 'allowed workstations' check.  This is painful,
+     * but we still want to check IP addresses if they happen to be
+     * present.
+     */
+
+    if(only_netbios)
+	return config->allow_null_ticket_addresses;
+
     ret = krb5_sockaddr2address (context, from, &addr);
     if(ret)
 	return FALSE;
@@ -487,17 +908,55 @@ check_addresses(HostAddresses *addresses, const struct sockaddr *from)
     return result;
 }
 
+/*
+ *
+ */
+
+static krb5_boolean
+send_pac_p(krb5_context context, KDC_REQ *req)
+{
+    krb5_error_code ret;
+    PA_PAC_REQUEST pacreq;
+    const PA_DATA *pa;
+    int i = 0;
+    
+    pa = _kdc_find_padata(req, &i, KRB5_PADATA_PA_PAC_REQUEST);
+    if (pa == NULL)
+	return TRUE;
+
+    ret = decode_PA_PAC_REQUEST(pa->padata_value.data,
+				pa->padata_value.length,
+				&pacreq,
+				NULL);
+    if (ret)
+	return TRUE;
+    i = pacreq.include_pac;
+    free_PA_PAC_REQUEST(&pacreq);
+    if (i == 0)
+	return FALSE;
+    return TRUE;
+}
+
+/*
+ *
+ */
+
 krb5_error_code
-as_rep(KDC_REQ *req, 
-       krb5_data *reply,
-       const char *from,
-       struct sockaddr *from_addr)
+_kdc_as_rep(krb5_context context, 
+	    krb5_kdc_configuration *config,
+	    KDC_REQ *req, 
+	    const krb5_data *req_buffer, 
+	    krb5_data *reply,
+	    const char *from,
+	    struct sockaddr *from_addr,
+	    int datagram_reply)
 {
     KDC_REQ_BODY *b = &req->req_body;
     AS_REP rep;
     KDCOptions f = b->kdc_options;
-    hdb_entry *client = NULL, *server = NULL;
-    krb5_enctype cetype, setype;
+    hdb_entry_ex *client = NULL, *server = NULL;
+    krb5_enctype cetype, setype, sessionetype;
+    krb5_data e_data;
     EncTicketPart et;
     EncKDCRepPart ek;
     krb5_principal client_princ = NULL, server_princ = NULL;
@@ -506,18 +965,32 @@ as_rep(KDC_REQ *req,
     const char *e_text = NULL;
     krb5_crypto crypto;
     Key *ckey, *skey;
+    EncryptionKey *reply_key;
+    int flags = 0;
+#ifdef PKINIT
+    pk_client_params *pkp = NULL;
+#endif
 
     memset(&rep, 0, sizeof(rep));
+    krb5_data_zero(&e_data);
+
+    if (f.canonicalize)
+	flags |= HDB_F_CANON;
 
     if(b->sname == NULL){
 	ret = KRB5KRB_ERR_GENERIC;
 	e_text = "No server in request";
     } else{
-	principalname2krb5_principal (&server_princ, *(b->sname), b->realm);
-	krb5_unparse_name(context, server_princ, &server_name);
+	ret = _krb5_principalname2krb5_principal (context,
+						  &server_princ,
+						  *(b->sname),
+						  b->realm);
+	if (ret == 0)
+	    ret = krb5_unparse_name(context, server_princ, &server_name);
     }
     if (ret) {
-	kdc_log(0, "AS-REQ malformed server name from %s", from);
+	kdc_log(context, config, 0, 
+		"AS-REQ malformed server name from %s", from);
 	goto out;
     }
     
@@ -525,33 +998,66 @@ as_rep(KDC_REQ *req,
 	ret = KRB5KRB_ERR_GENERIC;
 	e_text = "No client in request";
     } else {
-	principalname2krb5_principal (&client_princ, *(b->cname), b->realm);
-	krb5_unparse_name(context, client_princ, &client_name);
+
+	if (b->cname->name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+	    if (b->cname->name_string.len != 1) {
+		kdc_log(context, config, 0,
+			"AS-REQ malformed canon request from %s, "
+			"enterprise name with %d name components", 
+			from, b->cname->name_string.len);
+		ret = KRB5_PARSE_MALFORMED;
+		goto out;
+	    }
+	    ret = krb5_parse_name(context, b->cname->name_string.val[0],
+				  &client_princ);
+	    if (ret)
+		goto out;
+	} else {
+	    ret = _krb5_principalname2krb5_principal (context,
+						      &client_princ,
+						      *(b->cname),
+						      b->realm);
+	    if (ret)
+		goto out;
+	}
+	ret = krb5_unparse_name(context, client_princ, &client_name);
     }
     if (ret) {
-	kdc_log(0, "AS-REQ malformed client name from %s", from);
+	kdc_log(context, config, 0,
+		"AS-REQ malformed client name from %s", from);
 	goto out;
     }
 
-    kdc_log(0, "AS-REQ %s from %s for %s", client_name, from, server_name);
+    kdc_log(context, config, 0, "AS-REQ %s from %s for %s", 
+	    client_name, from, server_name);
 
-    ret = db_fetch(client_princ, &client);
+    ret = _kdc_db_fetch(context, config, client_princ, 
+			HDB_F_GET_CLIENT | flags, NULL, &client);
     if(ret){
-	kdc_log(0, "UNKNOWN -- %s: %s", client_name,
+	kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name,
 		krb5_get_err_text(context, ret));
 	ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
 	goto out;
     }
 
-    ret = db_fetch(server_princ, &server);
+    ret = _kdc_db_fetch(context, config, server_princ,
+			HDB_F_GET_SERVER|HDB_F_GET_KRBTGT,
+			NULL, &server);
     if(ret){
-	kdc_log(0, "UNKNOWN -- %s: %s", server_name,
+	kdc_log(context, config, 0, "UNKNOWN -- %s: %s", server_name,
 		krb5_get_err_text(context, ret));
 	ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
 	goto out;
     }
 
-    ret = check_flags(client, client_name, server, server_name, TRUE);
+    ret = _kdc_windc_client_access(context, client, req);
+    if(ret)
+	goto out;
+
+    ret = _kdc_check_flags(context, config, 
+			   client, client_name,
+			   server, server_name,
+			   TRUE);
     if(ret)
 	goto out;
 
@@ -559,17 +1065,77 @@ as_rep(KDC_REQ *req,
     memset(&ek, 0, sizeof(ek));
 
     if(req->padata){
-	int i = 0;
-	PA_DATA *pa;
+	int i;
+	const PA_DATA *pa;
 	int found_pa = 0;
-	kdc_log(5, "Looking for pa-data -- %s", client_name);
-	while((pa = find_padata(req, &i, KRB5_PADATA_ENC_TIMESTAMP))){
+
+	log_patypes(context, config, req->padata);
+
+#ifdef PKINIT
+	kdc_log(context, config, 5, 
+		"Looking for PKINIT pa-data -- %s", client_name);
+
+	e_text = "No PKINIT PA found";
+
+	i = 0;
+	if ((pa = _kdc_find_padata(req, &i, KRB5_PADATA_PK_AS_REQ)))
+	    ;
+	if (pa == NULL) {
+	    i = 0;
+	    if((pa = _kdc_find_padata(req, &i, KRB5_PADATA_PK_AS_REQ_WIN)))
+		;
+	}
+	if (pa) {
+	    char *client_cert = NULL;
+
+	    ret = _kdc_pk_rd_padata(context, config, req, pa, &pkp);
+	    if (ret) {
+		ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+		kdc_log(context, config, 5, 
+			"Failed to decode PKINIT PA-DATA -- %s", 
+			client_name);
+		goto ts_enc;
+	    }
+	    if (ret == 0 && pkp == NULL)
+		goto ts_enc;
+
+	    ret = _kdc_pk_check_client(context,
+				       config,
+				       client,
+				       pkp,
+				       &client_cert);
+	    if (ret) {
+		e_text = "PKINIT certificate not allowed to "
+		    "impersonate principal";
+		_kdc_pk_free_client_param(context, pkp);
+
+		kdc_log(context, config, 0, "%s", e_text);
+		pkp = NULL;
+		goto out;
+	    }
+	    found_pa = 1;
+	    et.flags.pre_authent = 1;
+	    kdc_log(context, config, 0,
+		    "PKINIT pre-authentication succeeded -- %s using %s", 
+		    client_name, client_cert);
+	    free(client_cert);
+	    if (pkp)
+		goto preauth_done;
+	}
+    ts_enc:
+#endif
+	kdc_log(context, config, 5, "Looking for ENC-TS pa-data -- %s", 
+		client_name);
+
+	i = 0;
+	e_text = "No ENC-TS found";
+	while((pa = _kdc_find_padata(req, &i, KRB5_PADATA_ENC_TIMESTAMP))){
 	    krb5_data ts_data;
 	    PA_ENC_TS_ENC p;
-	    time_t patime;
 	    size_t len;
 	    EncryptedData enc_data;
 	    Key *pa_key;
+	    char *str;
 	    
 	    found_pa = 1;
 	    
@@ -579,23 +1145,26 @@ as_rep(KDC_REQ *req,
 				       &len);
 	    if (ret) {
 		ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-		kdc_log(5, "Failed to decode PA-DATA -- %s", 
+		kdc_log(context, config, 5, "Failed to decode PA-DATA -- %s", 
 			client_name);
 		goto out;
 	    }
 	    
-	    ret = hdb_enctype2key(context, client, enc_data.etype, &pa_key);
+	    ret = hdb_enctype2key(context, &client->entry, 
+				  enc_data.etype, &pa_key);
 	    if(ret){
 		char *estr;
 		e_text = "No key matches pa-data";
-		ret = KRB5KDC_ERR_PREAUTH_FAILED;
+		ret = KRB5KDC_ERR_ETYPE_NOSUPP;
 		if(krb5_enctype_to_string(context, enc_data.etype, &estr))
 		    estr = NULL;
 		if(estr == NULL)
-		    kdc_log(5, "No client key matching pa-data (%d) -- %s", 
+		    kdc_log(context, config, 5, 
+			    "No client key matching pa-data (%d) -- %s", 
 			    enc_data.etype, client_name);
 		else
-		    kdc_log(5, "No client key matching pa-data (%s) -- %s", 
+		    kdc_log(context, config, 5,
+			    "No client key matching pa-data (%s) -- %s", 
 			    estr, client_name);
 		free(estr);
 		    
@@ -603,10 +1172,10 @@ as_rep(KDC_REQ *req,
 		continue;
 	    }
 
-	  try_next_key:
+	try_next_key:
 	    ret = krb5_crypto_init(context, &pa_key->key, 0, &crypto);
 	    if (ret) {
-		kdc_log(0, "krb5_crypto_init failed: %s",
+		kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
 			krb5_get_err_text(context, ret));
 		free_EncryptedData(&enc_data);
 		continue;
@@ -619,14 +1188,26 @@ as_rep(KDC_REQ *req,
 					      &ts_data);
 	    krb5_crypto_destroy(context, crypto);
 	    if(ret){
-		if(hdb_next_enctype2key(context, client, 
+		krb5_error_code ret2;
+		ret2 = krb5_enctype_to_string(context, 
+					      pa_key->key.keytype, &str);
+		if (ret2)
+		    str = NULL;
+		kdc_log(context, config, 5, 
+			"Failed to decrypt PA-DATA -- %s "
+			"(enctype %s) error %s",
+			client_name,
+			str ? str : "unknown enctype", 
+			krb5_get_err_text(context, ret));
+		free(str);
+
+		if(hdb_next_enctype2key(context, &client->entry, 
 					enc_data.etype, &pa_key) == 0)
 		    goto try_next_key;
-		free_EncryptedData(&enc_data);
 		e_text = "Failed to decrypt PA-DATA";
-		kdc_log (5, "Failed to decrypt PA-DATA -- %s",
-			 client_name);
-		ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+
+		free_EncryptedData(&enc_data);
+		ret = KRB5KDC_ERR_PREAUTH_FAILED;
 		continue;
 	    }
 	    free_EncryptedData(&enc_data);
@@ -637,42 +1218,75 @@ as_rep(KDC_REQ *req,
 	    krb5_data_free(&ts_data);
 	    if(ret){
 		e_text = "Failed to decode PA-ENC-TS-ENC";
-		ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-		kdc_log (5, "Failed to decode PA-ENC-TS_ENC -- %s",
-			 client_name);
+		ret = KRB5KDC_ERR_PREAUTH_FAILED;
+		kdc_log(context, config, 
+			5, "Failed to decode PA-ENC-TS_ENC -- %s",
+			client_name);
 		continue;
 	    }
-	    patime = p.patimestamp;
 	    free_PA_ENC_TS_ENC(&p);
 	    if (abs(kdc_time - p.patimestamp) > context->max_skew) {
-		ret = KRB5KDC_ERR_PREAUTH_FAILED;
+		char client_time[100];
+		
+		krb5_format_time(context, p.patimestamp, 
+				 client_time, sizeof(client_time), TRUE); 
+
+ 		ret = KRB5KRB_AP_ERR_SKEW;
+ 		kdc_log(context, config, 0,
+			"Too large time skew, "
+			"client time %s is out by %u > %u seconds -- %s", 
+			client_time, 
+			(unsigned)abs(kdc_time - p.patimestamp), 
+			context->max_skew,
+			client_name);
+#if 0
+		/* This code is from samba, needs testing */
+		/* 
+		 * the following is needed to make windows clients
+		 * to retry using the timestamp in the error message
+		 *
+		 * this is maybe a bug in windows to not trying when e_text
+		 * is present...
+		 */
+		e_text = NULL;
+#else
 		e_text = "Too large time skew";
-		kdc_log(0, "Too large time skew -- %s", client_name);
+#endif
 		goto out;
 	    }
 	    et.flags.pre_authent = 1;
-	    kdc_log(2, "Pre-authentication succeded -- %s", client_name);
+
+	    ret = krb5_enctype_to_string(context,pa_key->key.keytype, &str);
+	    if (ret)
+		str = NULL;
+
+	    kdc_log(context, config, 2,
+		    "ENC-TS Pre-authentication succeeded -- %s using %s", 
+		    client_name, str ? str : "unknown enctype");
+	    free(str);
 	    break;
 	}
-	if(found_pa == 0 && require_preauth)
+#ifdef PKINIT
+    preauth_done:
+#endif
+	if(found_pa == 0 && config->require_preauth)
 	    goto use_pa;
 	/* We come here if we found a pa-enc-timestamp, but if there
            was some problem with it, other than too large skew */
 	if(found_pa && et.flags.pre_authent == 0){
-	    kdc_log(0, "%s -- %s", e_text, client_name);
+	    kdc_log(context, config, 0, "%s -- %s", e_text, client_name);
 	    e_text = NULL;
 	    goto out;
 	}
-    }else if (require_preauth
-	      || client->flags.require_preauth
-	      || server->flags.require_preauth) {
+    }else if (config->require_preauth
+	      || client->entry.flags.require_preauth
+	      || server->entry.flags.require_preauth) {
 	METHOD_DATA method_data;
 	PA_DATA *pa;
 	unsigned char *buf;
 	size_t len;
-	krb5_data foo_data;
 
-      use_pa: 
+    use_pa: 
 	method_data.len = 0;
 	method_data.val = NULL;
 
@@ -682,113 +1296,196 @@ as_rep(KDC_REQ *req,
 	pa->padata_value.length	= 0;
 	pa->padata_value.data	= NULL;
 
-	ret = get_pa_etype_info(&method_data, client, 
-				b->etype.val, b->etype.len); /* XXX check ret */
+#ifdef PKINIT
+	ret = realloc_method_data(&method_data);
+	pa = &method_data.val[method_data.len-1];
+	pa->padata_type		= KRB5_PADATA_PK_AS_REQ;
+	pa->padata_value.length	= 0;
+	pa->padata_value.data	= NULL;
+
+	ret = realloc_method_data(&method_data);
+	pa = &method_data.val[method_data.len-1];
+	pa->padata_type		= KRB5_PADATA_PK_AS_REQ_WIN;
+	pa->padata_value.length	= 0;
+	pa->padata_value.data	= NULL;
+#endif
+
+	/* 
+	 * RFC4120 requires: 
+	 * - If the client only knows about old enctypes, then send
+	 *   both info replies (we send 'info' first in the list).
+	 * - If the client is 'modern', because it knows about 'new'
+	 *   enctype types, then only send the 'info2' reply.
+	 */
+
+	/* XXX check ret */
+	if (only_older_enctype_p(req))
+	    ret = get_pa_etype_info(context, config,
+				    &method_data, &client->entry, 
+				    b->etype.val, b->etype.len); 
+	/* XXX check ret */
+	ret = get_pa_etype_info2(context, config, &method_data, 
+				 &client->entry, b->etype.val, b->etype.len);
+
 	
 	ASN1_MALLOC_ENCODE(METHOD_DATA, buf, len, &method_data, &len, ret);
 	free_METHOD_DATA(&method_data);
-	foo_data.data   = buf;
-	foo_data.length = len;
-	
+
+	e_data.data   = buf;
+	e_data.length = len;
+	e_text ="Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ",
+
 	ret = KRB5KDC_ERR_PREAUTH_REQUIRED;
-	krb5_mk_error(context,
-		      ret,
-		      "Need to use PA-ENC-TIMESTAMP",
-		      &foo_data,
-		      client_princ,
-		      server_princ,
-		      NULL,
-		      NULL,
-		      reply);
-	free(buf);
-	kdc_log(0, "No PA-ENC-TIMESTAMP -- %s", client_name);
-	ret = 0;
-	goto out2;
+
+	kdc_log(context, config, 0,
+		"No preauth found, returning PREAUTH-REQUIRED -- %s",
+		client_name);
+	goto out;
     }
     
-    ret = find_keys(client, server, &ckey, &cetype, &skey, &setype,
-		    b->etype.val, b->etype.len);
-    if(ret) {
-	kdc_log(0, "Server/client has no support for etypes");
+    /*
+     * Find the client key (for preauth ENC-TS verification and reply
+     * encryption).  Then the best encryption type for the KDC and
+     * last the best session key that shared between the client and
+     * KDC runtime enctypes.
+     */
+
+    ret = _kdc_find_etype(context, client, b->etype.val, b->etype.len,
+			  &ckey, &cetype);
+    if (ret) {
+	kdc_log(context, config, 0, 
+		"Client (%s) has no support for etypes", client_name);
 	goto out;
     }
 	
+    ret = _kdc_get_preferred_key(context, config,
+				 server, server_name,
+				 &setype, &skey);
+    if(ret)
+	goto out;
+
+    /* 
+     * Select a session enctype from the list of the crypto systems
+     * supported enctype, is supported by the client and is one of the
+     * enctype of the enctype of the krbtgt.
+     *
+     * The later is used as a hint what enctype all KDC are supporting
+     * to make sure a newer version of KDC wont generate a session
+     * enctype that and older version of a KDC in the same realm can't
+     * decrypt.
+     *
+     * But if the KDC admin is paranoid and doesn't want to have "no
+     * the best" enctypes on the krbtgt, lets save the best pick from
+     * the client list and hope that that will work for any other
+     * KDCs.
+     */
     {
-	char *cet;
-	char *set;
+	const krb5_enctype *p;
+	krb5_enctype clientbest = ETYPE_NULL;
+	int i, j;
 
-	ret = krb5_enctype_to_string(context, cetype, &cet);
-	if(ret == 0) {
-	    ret = krb5_enctype_to_string(context, setype, &set);
-	    if (ret == 0) {
-		kdc_log(5, "Using %s/%s", cet, set);
-		free(set);
+	p = krb5_kerberos_enctypes(context);
+
+	sessionetype = ETYPE_NULL;
+
+	for (i = 0; p[i] != ETYPE_NULL && sessionetype == ETYPE_NULL; i++) {
+	    if (krb5_enctype_valid(context, p[i]) != 0)
+		continue;
+
+	    for (j = 0; j < b->etype.len && sessionetype == ETYPE_NULL; j++) {
+		Key *dummy;
+		/* check with client */
+		if (p[i] != b->etype.val[j])
+		    continue; 
+		/* save best of union of { client, crypto system } */
+		if (clientbest == ETYPE_NULL)
+		    clientbest = p[i];
+		/* check with krbtgt */
+		ret = hdb_enctype2key(context, &server->entry, p[i], &dummy);
+		if (ret) 
+		    continue;
+		sessionetype = p[i];
 	    }
-	    free(cet);
 	}
-	if (ret != 0)
-	    kdc_log(5, "Using e-types %d/%d", cetype, setype);
-    }
-    
-    {
-	char str[128];
-	unparse_flags(KDCOptions2int(f), KDCOptions_units, str, sizeof(str));
-	if(*str)
-	    kdc_log(2, "Requested flags: %s", str);
+	/* if krbtgt had no shared keys with client, pick clients best */
+	if (clientbest != ETYPE_NULL && sessionetype == ETYPE_NULL) {
+	    sessionetype = clientbest;
+	} else if (sessionetype == ETYPE_NULL) {
+	    kdc_log(context, config, 0,
+		    "Client (%s) from %s has no common enctypes with KDC"
+		    "to use for the session key", 
+		    client_name, from); 
+	    goto out;
+	}
     }
-    
+
+    log_as_req(context, config, cetype, setype, b);
 
     if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey
-       || (f.request_anonymous && !allow_anonymous)) {
+       || (f.request_anonymous && !config->allow_anonymous)) {
 	ret = KRB5KDC_ERR_BADOPTION;
-	kdc_log(0, "Bad KDC options -- %s", client_name);
+	kdc_log(context, config, 0, "Bad KDC options -- %s", client_name);
 	goto out;
     }
     
     rep.pvno = 5;
     rep.msg_type = krb_as_rep;
-    copy_Realm(&b->realm, &rep.crealm);
+    copy_Realm(&client->entry.principal->realm, &rep.crealm);
     if (f.request_anonymous)
-	make_anonymous_principalname (&rep.cname);
+	_kdc_make_anonymous_principalname (&rep.cname);
     else
-	copy_PrincipalName(b->cname, &rep.cname);
+	_krb5_principal2principalname(&rep.cname, 
+				      client->entry.principal);
     rep.ticket.tkt_vno = 5;
-    copy_Realm(&b->realm, &rep.ticket.realm);
-    copy_PrincipalName(b->sname, &rep.ticket.sname);
+    copy_Realm(&server->entry.principal->realm, &rep.ticket.realm);
+    _krb5_principal2principalname(&rep.ticket.sname, 
+				  server->entry.principal);
+    /* java 1.6 expects the name to be the same type, lets allow that
+     * uncomplicated name-types. */
+#define CNT(sp,t) (((sp)->sname->name_type) == KRB5_NT_##t)
+    if (CNT(b, UNKNOWN) || CNT(b, PRINCIPAL) || CNT(b, SRV_INST) || CNT(b, SRV_HST) || CNT(b, SRV_XHST))
+	rep.ticket.sname.name_type = b->sname->name_type;
+#undef CNT
 
     et.flags.initial = 1;
-    if(client->flags.forwardable && server->flags.forwardable)
+    if(client->entry.flags.forwardable && server->entry.flags.forwardable)
 	et.flags.forwardable = f.forwardable;
     else if (f.forwardable) {
 	ret = KRB5KDC_ERR_POLICY;
-	kdc_log(0, "Ticket may not be forwardable -- %s", client_name);
+	kdc_log(context, config, 0,
+		"Ticket may not be forwardable -- %s", client_name);
 	goto out;
     }
-    if(client->flags.proxiable && server->flags.proxiable)
+    if(client->entry.flags.proxiable && server->entry.flags.proxiable)
 	et.flags.proxiable = f.proxiable;
     else if (f.proxiable) {
 	ret = KRB5KDC_ERR_POLICY;
-	kdc_log(0, "Ticket may not be proxiable -- %s", client_name);
+	kdc_log(context, config, 0, 
+		"Ticket may not be proxiable -- %s", client_name);
 	goto out;
     }
-    if(client->flags.postdate && server->flags.postdate)
+    if(client->entry.flags.postdate && server->entry.flags.postdate)
 	et.flags.may_postdate = f.allow_postdate;
     else if (f.allow_postdate){
 	ret = KRB5KDC_ERR_POLICY;
-	kdc_log(0, "Ticket may not be postdatable -- %s", client_name);
+	kdc_log(context, config, 0,
+		"Ticket may not be postdatable -- %s", client_name);
 	goto out;
     }
 
     /* check for valid set of addresses */
-    if(!check_addresses(b->addresses, from_addr)) {
+    if(!_kdc_check_addresses(context, config, b->addresses, from_addr)) {
 	ret = KRB5KRB_AP_ERR_BADADDR;
-	kdc_log(0, "Bad address list requested -- %s", client_name);
+	kdc_log(context, config, 0,
+		"Bad address list requested -- %s", client_name);
 	goto out;
     }
 
-    krb5_generate_random_keyblock(context, setype, &et.key);
+    ret = krb5_generate_random_keyblock(context, sessionetype, &et.key);
+    if (ret)
+	goto out;
     copy_PrincipalName(&rep.cname, &et.cname);
-    copy_Realm(&b->realm, &et.crealm);
+    copy_Realm(&rep.crealm, &et.crealm);
     
     {
 	time_t start;
@@ -802,15 +1499,15 @@ as_rep(KDC_REQ *req,
 	    et.flags.invalid = 1;
 	    et.flags.postdated = 1; /* XXX ??? */
 	}
-	fix_time(&b->till);
+	_kdc_fix_time(&b->till);
 	t = *b->till;
 
 	/* be careful not overflowing */
 
-	if(client->max_life)
-	    t = start + min(t - start, *client->max_life);
-	if(server->max_life)
-	    t = start + min(t - start, *server->max_life);
+	if(client->entry.max_life)
+	    t = start + min(t - start, *client->entry.max_life);
+	if(server->entry.max_life)
+	    t = start + min(t - start, *server->entry.max_life);
 #if 0
 	t = min(t, start + realm->max_life);
 #endif
@@ -828,10 +1525,10 @@ as_rep(KDC_REQ *req,
 	    t = *b->rtime;
 	    if(t == 0)
 		t = MAX_TIME;
-	    if(client->max_renew)
-		t = start + min(t - start, *client->max_renew);
-	    if(server->max_renew)
-		t = start + min(t - start, *server->max_renew);
+	    if(client->entry.max_renew)
+		t = start + min(t - start, *client->entry.max_renew);
+	    if(server->entry.max_renew)
+		t = start + min(t - start, *server->entry.max_renew);
 #if 0
 	    t = min(t, start + realm->max_renew);
 #endif
@@ -864,17 +1561,21 @@ as_rep(KDC_REQ *req,
      * otherwise just a dummy lr.
      */
     ek.last_req.val = malloc(2 * sizeof(*ek.last_req.val));
+    if (ek.last_req.val == NULL) {
+	ret = ENOMEM;
+	goto out;
+    }
     ek.last_req.len = 0;
-    if (client->pw_end
-	&& (kdc_warn_pwexpire == 0
-	    || kdc_time + kdc_warn_pwexpire <= *client->pw_end)) {
+    if (client->entry.pw_end
+	&& (config->kdc_warn_pwexpire == 0
+	    || kdc_time + config->kdc_warn_pwexpire >= *client->entry.pw_end)) {
 	ek.last_req.val[ek.last_req.len].lr_type  = LR_PW_EXPTIME;
-	ek.last_req.val[ek.last_req.len].lr_value = *client->pw_end;
+	ek.last_req.val[ek.last_req.len].lr_value = *client->entry.pw_end;
 	++ek.last_req.len;
     }
-    if (client->valid_end) {
+    if (client->entry.valid_end) {
 	ek.last_req.val[ek.last_req.len].lr_type  = LR_ACCT_EXPTIME;
-	ek.last_req.val[ek.last_req.len].lr_value = *client->valid_end;
+	ek.last_req.val[ek.last_req.len].lr_value = *client->entry.valid_end;
 	++ek.last_req.len;
     }
     if (ek.last_req.len == 0) {
@@ -883,15 +1584,16 @@ as_rep(KDC_REQ *req,
 	++ek.last_req.len;
     }
     ek.nonce = b->nonce;
-    if (client->valid_end || client->pw_end) {
+    if (client->entry.valid_end || client->entry.pw_end) {
 	ALLOC(ek.key_expiration);
-	if (client->valid_end) {
-	    if (client->pw_end)
-		*ek.key_expiration = min(*client->valid_end, *client->pw_end);
+	if (client->entry.valid_end) {
+	    if (client->entry.pw_end)
+		*ek.key_expiration = min(*client->entry.valid_end, 
+					 *client->entry.pw_end);
 	    else
-		*ek.key_expiration = *client->valid_end;
+		*ek.key_expiration = *client->entry.valid_end;
 	} else
-	    *ek.key_expiration = *client->pw_end;
+	    *ek.key_expiration = *client->entry.pw_end;
     } else
 	ek.key_expiration = NULL;
     ek.flags = et.flags;
@@ -912,1004 +1614,239 @@ as_rep(KDC_REQ *req,
 	copy_HostAddresses(et.caddr, ek.caddr);
     }
 
-    set_salt_padata (&rep.padata, ckey->salt);
-    ret = encode_reply(&rep, &et, &ek, setype, server->kvno, &skey->key,
-		       client->kvno, &ckey->key, &e_text, reply);
-    free_EncTicketPart(&et);
-    free_EncKDCRepPart(&ek);
-  out:
-    free_AS_REP(&rep);
-    if(ret){
-	krb5_mk_error(context,
-		      ret,
-		      e_text,
-		      NULL,
-		      client_princ,
-		      server_princ,
-		      NULL,
-		      NULL,
-		      reply);
-	ret = 0;
-    }
-  out2:
-    if (client_princ)
-	krb5_free_principal(context, client_princ);
-    free(client_name);
-    if (server_princ)
-	krb5_free_principal(context, server_princ);
-    free(server_name);
-    if(client)
-	free_ent(client);
-    if(server)
-	free_ent(server);
-    return ret;
-}
-
-
-static krb5_error_code
-check_tgs_flags(KDC_REQ_BODY *b, EncTicketPart *tgt, EncTicketPart *et)
-{
-    KDCOptions f = b->kdc_options;
-	
-    if(f.validate){
-	if(!tgt->flags.invalid || tgt->starttime == NULL){
-	    kdc_log(0, "Bad request to validate ticket");
-	    return KRB5KDC_ERR_BADOPTION;
-	}
-	if(*tgt->starttime > kdc_time){
-	    kdc_log(0, "Early request to validate ticket");
-	    return KRB5KRB_AP_ERR_TKT_NYV;
-	}
-	/* XXX  tkt = tgt */
-	et->flags.invalid = 0;
-    }else if(tgt->flags.invalid){
-	kdc_log(0, "Ticket-granting ticket has INVALID flag set");
-	return KRB5KRB_AP_ERR_TKT_INVALID;
-    }
-
-    if(f.forwardable){
-	if(!tgt->flags.forwardable){
-	    kdc_log(0, "Bad request for forwardable ticket");
-	    return KRB5KDC_ERR_BADOPTION;
-	}
-	et->flags.forwardable = 1;
-    }
-    if(f.forwarded){
-	if(!tgt->flags.forwardable){
-	    kdc_log(0, "Request to forward non-forwardable ticket");
-	    return KRB5KDC_ERR_BADOPTION;
-	}
-	et->flags.forwarded = 1;
-	et->caddr = b->addresses;
-    }
-    if(tgt->flags.forwarded)
-	et->flags.forwarded = 1;
-	
-    if(f.proxiable){
-	if(!tgt->flags.proxiable){
-	    kdc_log(0, "Bad request for proxiable ticket");
-	    return KRB5KDC_ERR_BADOPTION;
-	}
-	et->flags.proxiable = 1;
-    }
-    if(f.proxy){
-	if(!tgt->flags.proxiable){
-	    kdc_log(0, "Request to proxy non-proxiable ticket");
-	    return KRB5KDC_ERR_BADOPTION;
-	}
-	et->flags.proxy = 1;
-	et->caddr = b->addresses;
-    }
-    if(tgt->flags.proxy)
-	et->flags.proxy = 1;
-
-    if(f.allow_postdate){
-	if(!tgt->flags.may_postdate){
-	    kdc_log(0, "Bad request for post-datable ticket");
-	    return KRB5KDC_ERR_BADOPTION;
-	}
-	et->flags.may_postdate = 1;
-    }
-    if(f.postdated){
-	if(!tgt->flags.may_postdate){
-	    kdc_log(0, "Bad request for postdated ticket");
-	    return KRB5KDC_ERR_BADOPTION;
-	}
-	if(b->from)
-	    *et->starttime = *b->from;
-	et->flags.postdated = 1;
-	et->flags.invalid = 1;
-    }else if(b->from && *b->from > kdc_time + context->max_skew){
-	kdc_log(0, "Ticket cannot be postdated");
-	return KRB5KDC_ERR_CANNOT_POSTDATE;
-    }
-
-    if(f.renewable){
-	if(!tgt->flags.renewable){
-	    kdc_log(0, "Bad request for renewable ticket");
-	    return KRB5KDC_ERR_BADOPTION;
-	}
-	et->flags.renewable = 1;
-	ALLOC(et->renew_till);
-	fix_time(&b->rtime);
-	*et->renew_till = *b->rtime;
-    }
-    if(f.renew){
-	time_t old_life;
-	if(!tgt->flags.renewable || tgt->renew_till == NULL){
-	    kdc_log(0, "Request to renew non-renewable ticket");
-	    return KRB5KDC_ERR_BADOPTION;
-	}
-	old_life = tgt->endtime;
-	if(tgt->starttime)
-	    old_life -= *tgt->starttime;
-	else
-	    old_life -= tgt->authtime;
-	et->endtime = *et->starttime + old_life;
-	if (et->renew_till != NULL)
-	    et->endtime = min(*et->renew_till, et->endtime);
-    }	    
-    
-    /* checks for excess flags */
-    if(f.request_anonymous && !allow_anonymous){
-	kdc_log(0, "Request for anonymous ticket");
-	return KRB5KDC_ERR_BADOPTION;
-    }
-    return 0;
-}
-
-static krb5_error_code
-fix_transited_encoding(krb5_boolean check_policy,
-		       TransitedEncoding *tr, 
-		       EncTicketPart *et, 
-		       const char *client_realm, 
-		       const char *server_realm, 
-		       const char *tgt_realm)
-{
-    krb5_error_code ret = 0;
-    char **realms, **tmp;
-    int num_realms;
-    int i;
-
-    if(tr->tr_type != DOMAIN_X500_COMPRESS) {
-	kdc_log(0, "Unknown transited type: %u", tr->tr_type);
-	return KRB5KDC_ERR_TRTYPE_NOSUPP;
-    }
-
-    ret = krb5_domain_x500_decode(context, 
-				  tr->contents,
-				  &realms, 
-				  &num_realms,
-				  client_realm,
-				  server_realm);
-    if(ret){
-	krb5_warn(context, ret, "Decoding transited encoding");
-	return ret;
-    }
-    if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
-	/* not us, so add the previous realm to transited set */
-	if (num_realms < 0 || num_realms + 1 > UINT_MAX/sizeof(*realms)) {
-	    ret = ERANGE;
-	    goto free_realms;
-	}
-	tmp = realloc(realms, (num_realms + 1) * sizeof(*realms));
-	if(tmp == NULL){
-	    ret = ENOMEM;
-	    goto free_realms;
-	}
-	realms = tmp;
-	realms[num_realms] = strdup(tgt_realm);
-	if(realms[num_realms] == NULL){
-	    ret = ENOMEM;
-	    goto free_realms;
-	}
-	num_realms++;
-    }
-    if(num_realms == 0) {
-	if(strcmp(client_realm, server_realm)) 
-	    kdc_log(0, "cross-realm %s -> %s", client_realm, server_realm);
-    } else {
-	size_t l = 0;
-	char *rs;
-	for(i = 0; i < num_realms; i++)
-	    l += strlen(realms[i]) + 2;
-	rs = malloc(l);
-	if(rs != NULL) {
-	    *rs = '\0';
-	    for(i = 0; i < num_realms; i++) {
-		if(i > 0)
-		    strlcat(rs, ", ", l);
-		strlcat(rs, realms[i], l);
-	    }
-	    kdc_log(0, "cross-realm %s -> %s via [%s]", client_realm, server_realm, rs);
-	    free(rs);
-	}
-    }
-    if(check_policy) {
-	ret = krb5_check_transited(context, client_realm, 
-				   server_realm, 
-				   realms, num_realms, NULL);
-	if(ret) {
-	    krb5_warn(context, ret, "cross-realm %s -> %s", 
-		      client_realm, server_realm);
-	    goto free_realms;
-	}
-	et->flags.transited_policy_checked = 1;
-    }
-    et->transited.tr_type = DOMAIN_X500_COMPRESS;
-    ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents);
-    if(ret)
-	krb5_warn(context, ret, "Encoding transited encoding");
-  free_realms:
-    for(i = 0; i < num_realms; i++)
-	free(realms[i]);
-    free(realms);
-    return ret;
-}
-
-
-static krb5_error_code
-tgs_make_reply(KDC_REQ_BODY *b, 
-	       EncTicketPart *tgt, 
-	       EncTicketPart *adtkt, 
-	       AuthorizationData *auth_data,
-	       hdb_entry *server, 
-	       hdb_entry *client, 
-	       krb5_principal client_principal, 
-	       hdb_entry *krbtgt,
-	       krb5_enctype cetype,
-	       const char **e_text,
-	       krb5_data *reply)
-{
-    KDC_REP rep;
-    EncKDCRepPart ek;
-    EncTicketPart et;
-    KDCOptions f = b->kdc_options;
-    krb5_error_code ret;
-    krb5_enctype etype;
-    Key *skey;
-    EncryptionKey *ekey;
-    
-    if(adtkt) {
-	int i;
-	krb5_keytype kt;
-	ekey = &adtkt->key;
-	for(i = 0; i < b->etype.len; i++){
-	    ret = krb5_enctype_to_keytype(context, b->etype.val[i], &kt);
-	    if(ret)
-		continue;
-	    if(adtkt->key.keytype == kt)
-		break;
-	}
-	if(i == b->etype.len)
-	    return KRB5KDC_ERR_ETYPE_NOSUPP;
-	etype = b->etype.val[i];
-    }else{
-	ret = find_keys(NULL, server, NULL, NULL, &skey, &etype, 
-			b->etype.val, b->etype.len);
-	if(ret) {
-	    kdc_log(0, "Server has no support for etypes");
-	    return ret;
-	}
-	ekey = &skey->key;
-    }
-    
-    memset(&rep, 0, sizeof(rep));
-    memset(&et, 0, sizeof(et));
-    memset(&ek, 0, sizeof(ek));
-    
-    rep.pvno = 5;
-    rep.msg_type = krb_tgs_rep;
-
-    et.authtime = tgt->authtime;
-    fix_time(&b->till);
-    et.endtime = min(tgt->endtime, *b->till);
-    ALLOC(et.starttime);
-    *et.starttime = kdc_time;
-    
-    ret = check_tgs_flags(b, tgt, &et);
-    if(ret)
-	goto out;
-
-    /* We should check the transited encoding if:
-       1) the request doesn't ask not to be checked
-       2) globally enforcing a check
-       3) principal requires checking
-       4) we allow non-check per-principal, but principal isn't marked as allowing this
-       5) we don't globally allow this
-    */
-
-#define GLOBAL_FORCE_TRANSITED_CHECK		(trpolicy == TRPOLICY_ALWAYS_CHECK)
-#define GLOBAL_ALLOW_PER_PRINCIPAL		(trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL)
-#define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK	(trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST)
-/* these will consult the database in future release */
-#define PRINCIPAL_FORCE_TRANSITED_CHECK(P)		0
-#define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P)	0
-
-    ret = fix_transited_encoding(!f.disable_transited_check ||
-				 GLOBAL_FORCE_TRANSITED_CHECK ||
-				 PRINCIPAL_FORCE_TRANSITED_CHECK(server) ||
-				 !((GLOBAL_ALLOW_PER_PRINCIPAL && 
-				    PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) ||
-				   GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
-				 &tgt->transited, &et,
-				 *krb5_princ_realm(context, client_principal),
-				 *krb5_princ_realm(context, server->principal),
-				 *krb5_princ_realm(context, krbtgt->principal));
-    if(ret)
-	goto out;
-
-    copy_Realm(krb5_princ_realm(context, server->principal), 
-	       &rep.ticket.realm);
-    krb5_principal2principalname(&rep.ticket.sname, server->principal);
-    copy_Realm(&tgt->crealm, &rep.crealm);
-    if (f.request_anonymous)
-	make_anonymous_principalname (&tgt->cname);
-    else
-	copy_PrincipalName(&tgt->cname, &rep.cname);
-    rep.ticket.tkt_vno = 5;
-
-    ek.caddr = et.caddr;
-    if(et.caddr == NULL)
-	et.caddr = tgt->caddr;
+    ALLOC(rep.padata);
+    rep.padata->len = 0;
+    rep.padata->val = NULL;
 
-    {
-	time_t life;
-	life = et.endtime - *et.starttime;
-	if(client && client->max_life)
-	    life = min(life, *client->max_life);
-	if(server->max_life)
-	    life = min(life, *server->max_life);
-	et.endtime = *et.starttime + life;
-    }
-    if(f.renewable_ok && tgt->flags.renewable && 
-       et.renew_till == NULL && et.endtime < *b->till){
-	et.flags.renewable = 1;
-	ALLOC(et.renew_till);
-	*et.renew_till = *b->till;
-    }
-    if(et.renew_till){
-	time_t renew;
-	renew = *et.renew_till - et.authtime;
-	if(client && client->max_renew)
-	    renew = min(renew, *client->max_renew);
-	if(server->max_renew)
-	    renew = min(renew, *server->max_renew);
-	*et.renew_till = et.authtime + renew;
-    }
-	    
-    if(et.renew_till){
-	*et.renew_till = min(*et.renew_till, *tgt->renew_till);
-	*et.starttime = min(*et.starttime, *et.renew_till);
-	et.endtime = min(et.endtime, *et.renew_till);
-    }
-    
-    *et.starttime = min(*et.starttime, et.endtime);
-
-    if(*et.starttime == et.endtime){
-	ret = KRB5KDC_ERR_NEVER_VALID;
-	goto out;
-    }
-    if(et.renew_till && et.endtime == *et.renew_till){
-	free(et.renew_till);
-	et.renew_till = NULL;
-	et.flags.renewable = 0;
-    }
-    
-    et.flags.pre_authent = tgt->flags.pre_authent;
-    et.flags.hw_authent  = tgt->flags.hw_authent;
-    et.flags.anonymous   = tgt->flags.anonymous;
-	    
-    /* XXX Check enc-authorization-data */
-    et.authorization_data = auth_data;
-
-    krb5_generate_random_keyblock(context, etype, &et.key);
-    et.crealm = tgt->crealm;
-    et.cname = tgt->cname;
-	    
-    ek.key = et.key;
-    /* MIT must have at least one last_req */
-    ek.last_req.len = 1;
-    ek.last_req.val = calloc(1, sizeof(*ek.last_req.val));
-    ek.nonce = b->nonce;
-    ek.flags = et.flags;
-    ek.authtime = et.authtime;
-    ek.starttime = et.starttime;
-    ek.endtime = et.endtime;
-    ek.renew_till = et.renew_till;
-    ek.srealm = rep.ticket.realm;
-    ek.sname = rep.ticket.sname;
-	    
-    /* It is somewhat unclear where the etype in the following
-       encryption should come from. What we have is a session
-       key in the passed tgt, and a list of preferred etypes
-       *for the new ticket*. Should we pick the best possible
-       etype, given the keytype in the tgt, or should we look
-       at the etype list here as well?  What if the tgt
-       session key is DES3 and we want a ticket with a (say)
-       CAST session key. Should the DES3 etype be added to the
-       etype list, even if we don't want a session key with
-       DES3? */
-    ret = encode_reply(&rep, &et, &ek, etype, adtkt ? 0 : server->kvno, ekey,
-		       0, &tgt->key, e_text, reply);
-  out:
-    free_TGS_REP(&rep);
-    free_TransitedEncoding(&et.transited);
-    if(et.starttime)
-	free(et.starttime);
-    if(et.renew_till)
-	free(et.renew_till);
-    free_LastReq(&ek.last_req);
-    memset(et.key.keyvalue.data, 0, et.key.keyvalue.length);
-    free_EncryptionKey(&et.key);
-    return ret;
-}
-
-static krb5_error_code
-tgs_check_authenticator(krb5_auth_context ac,
-			KDC_REQ_BODY *b, 
-			const char **e_text,
-			krb5_keyblock *key)
-{
-    krb5_authenticator auth;
-    size_t len;
-    unsigned char *buf;
-    size_t buf_size;
-    krb5_error_code ret;
-    krb5_crypto crypto;
-    
-    krb5_auth_con_getauthenticator(context, ac, &auth);
-    if(auth->cksum == NULL){
-	kdc_log(0, "No authenticator in request");
-	ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
-	goto out;
+    reply_key = &ckey->key;
+#if PKINIT
+    if (pkp) {
+	ret = _kdc_pk_mk_pa_reply(context, config, pkp, client, 
+				  req, req_buffer, 
+				  &reply_key, rep.padata);
+	if (ret)
+	    goto out;
+	ret = _kdc_add_inital_verified_cas(context,
+					   config,
+					   pkp,
+					   &et);
+	if (ret)
+	    goto out;
     }
-    /*
-     * according to RFC1510 it doesn't need to be keyed,
-     * but according to the latest draft it needs to.
-     */
-    if (
-#if 0
-!krb5_checksum_is_keyed(context, auth->cksum->cksumtype)
-	||
 #endif
- !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
-	kdc_log(0, "Bad checksum type in authenticator: %d", 
-		auth->cksum->cksumtype);
-	ret =  KRB5KRB_AP_ERR_INAPP_CKSUM;
-	goto out;
-    }
-		
-    /* XXX should not re-encode this */
-    ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
-    if(ret){
-	kdc_log(0, "Failed to encode KDC-REQ-BODY: %s", 
-		krb5_get_err_text(context, ret));
-	goto out;
-    }
-    if(buf_size != len) {
-	free(buf);
-	kdc_log(0, "Internal error in ASN.1 encoder");
-	*e_text = "KDC internal error";
-	ret = KRB5KRB_ERR_GENERIC;
-	goto out;
-    }
-    ret = krb5_crypto_init(context, key, 0, &crypto);
-    if (ret) {
-	free(buf);
-	kdc_log(0, "krb5_crypto_init failed: %s",
-		krb5_get_err_text(context, ret));
-	goto out;
-    }
-    ret = krb5_verify_checksum(context,
-			       crypto,
-			       KRB5_KU_TGS_REQ_AUTH_CKSUM,
-			       buf, 
-			       len,
-			       auth->cksum);
-    free(buf);
-    krb5_crypto_destroy(context, crypto);
-    if(ret){
-	kdc_log(0, "Failed to verify checksum: %s", 
-		krb5_get_err_text(context, ret));
-    }
-out:
-    free_Authenticator(auth);
-    free(auth);
-    return ret;
-}
-
-/*
- * return the realm of a krbtgt-ticket or NULL
- */
 
-static Realm 
-get_krbtgt_realm(const PrincipalName *p)
-{
-    if(p->name_string.len == 2
-       && strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0)
-	return p->name_string.val[1];
-    else
-	return NULL;
-}
-
-static Realm
-find_rpath(Realm crealm, Realm srealm)
-{
-    const char *new_realm = krb5_config_get_string(context,
-						   NULL,
-						   "capaths", 
-						   crealm,
-						   srealm,
-						   NULL);
-    return (Realm)new_realm;
-}
-	    
+    set_salt_padata (rep.padata, ckey->salt);
 
-static krb5_boolean
-need_referral(krb5_principal server, krb5_realm **realms)
-{
-    if(server->name.name_type != KRB5_NT_SRV_INST ||
-       server->name.name_string.len != 2)
-	return FALSE;
- 
-    return krb5_get_host_realm_int(context, server->name.name_string.val[1],
-				   FALSE, realms) == 0;
-}
+    /* Add signing of alias referral */
+    if (f.canonicalize) {
+	PA_ClientCanonicalized canon;
+	krb5_data data;
+	PA_DATA pa;
+	krb5_crypto crypto;
+	size_t len;
 
-static krb5_error_code
-tgs_rep2(KDC_REQ_BODY *b,
-	 PA_DATA *tgs_req,
-	 krb5_data *reply,
-	 const char *from,
-	 const struct sockaddr *from_addr,
-	 time_t **csec,
-	 int **cusec)
-{
-    krb5_ap_req ap_req;
-    krb5_error_code ret;
-    krb5_principal princ;
-    krb5_auth_context ac = NULL;
-    krb5_ticket *ticket = NULL;
-    krb5_flags ap_req_options;
-    krb5_flags verify_ap_req_flags;
-    const char *e_text = NULL;
-    krb5_crypto crypto;
+	memset(&canon, 0, sizeof(canon));
 
-    hdb_entry *krbtgt = NULL;
-    EncTicketPart *tgt;
-    Key *tkey;
-    krb5_enctype cetype;
-    krb5_principal cp = NULL;
-    krb5_principal sp = NULL;
-    AuthorizationData *auth_data = NULL;
+	canon.names.requested_name = *b->cname;
+	canon.names.real_name = client->entry.principal->name;
 
-    *csec  = NULL;
-    *cusec = NULL;
+	ASN1_MALLOC_ENCODE(PA_ClientCanonicalizedNames, data.data, data.length,
+			   &canon.names, &len, ret);
+	if (ret) 
+	    goto out;
+	if (data.length != len)
+	    krb5_abortx(context, "internal asn.1 error");
 
-    memset(&ap_req, 0, sizeof(ap_req));
-    ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
-    if(ret){
-	kdc_log(0, "Failed to decode AP-REQ: %s", 
-		krb5_get_err_text(context, ret));
-	goto out2;
-    }
-    
-    if(!get_krbtgt_realm(&ap_req.ticket.sname)){
-	/* XXX check for ticket.sname == req.sname */
-	kdc_log(0, "PA-DATA is not a ticket-granting ticket");
-	ret = KRB5KDC_ERR_POLICY; /* ? */
-	goto out2;
-    }
-    
-    principalname2krb5_principal(&princ,
-				 ap_req.ticket.sname,
-				 ap_req.ticket.realm);
-    
-    ret = db_fetch(princ, &krbtgt);
+	/* sign using "returned session key" */
+	ret = krb5_crypto_init(context, &et.key, 0, &crypto);
+	if (ret) {
+	    free(data.data);
+	    goto out;
+	}
 
-    if(ret) {
-	char *p;
-	krb5_unparse_name(context, princ, &p);
-	krb5_free_principal(context, princ);
-	kdc_log(0, "Ticket-granting ticket not found in database: %s: %s",
-		p, krb5_get_err_text(context, ret));
-	free(p);
-	ret = KRB5KRB_AP_ERR_NOT_US;
-	goto out2;
-    }
-    
-    if(ap_req.ticket.enc_part.kvno && 
-       *ap_req.ticket.enc_part.kvno != krbtgt->kvno){
-	char *p;
-
-	krb5_unparse_name (context, princ, &p);
-	krb5_free_principal(context, princ);
-	kdc_log(0, "Ticket kvno = %d, DB kvno = %d (%s)", 
-		*ap_req.ticket.enc_part.kvno,
-		krbtgt->kvno,
-		p);
-	free (p);
-	ret = KRB5KRB_AP_ERR_BADKEYVER;
-	goto out2;
-    }
-
-    ret = hdb_enctype2key(context, krbtgt, ap_req.ticket.enc_part.etype, &tkey);
-    if(ret){
-	char *str;
-	krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
-	kdc_log(0, "No server key found for %s", str);
-	free(str);
-	ret = KRB5KRB_AP_ERR_BADKEYVER;
-	goto out2;
-    }
-    
-    if (b->kdc_options.validate)
-	verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
-    else
-	verify_ap_req_flags = 0;
-
-    ret = krb5_verify_ap_req2(context,
-			      &ac,
-			      &ap_req,
-			      princ,
-			      &tkey->key,
-			      verify_ap_req_flags,
-			      &ap_req_options,
-			      &ticket,
-			      KRB5_KU_TGS_REQ_AUTH);
-			     
-    krb5_free_principal(context, princ);
-    if(ret) {
-	kdc_log(0, "Failed to verify AP-REQ: %s", 
-		krb5_get_err_text(context, ret));
-	goto out2;
+	ret = krb5_create_checksum(context, crypto, 
+				   KRB5_KU_CANONICALIZED_NAMES, 0,
+				   data.data, data.length,
+				   &canon.canon_checksum);
+	free(data.data);
+	krb5_crypto_destroy(context, crypto);
+	if (ret)
+	    goto out;
+	  
+	ASN1_MALLOC_ENCODE(PA_ClientCanonicalized, data.data, data.length,
+			   &canon, &len, ret);
+	free_Checksum(&canon.canon_checksum);
+	if (ret) 
+	    goto out;
+	if (data.length != len)
+	    krb5_abortx(context, "internal asn.1 error");
+
+	pa.padata_type = KRB5_PADATA_CLIENT_CANONICALIZED;
+	pa.padata_value = data;
+	ret = add_METHOD_DATA(rep.padata, &pa);
+	free(data.data);
+	if (ret)
+	    goto out;
     }
 
-    {
-	krb5_authenticator auth;
-
-	ret = krb5_auth_con_getauthenticator(context, ac, &auth);
-	if (ret == 0) {
-	    *csec   = malloc(sizeof(**csec));
-	    if (*csec == NULL) {
-		krb5_free_authenticator(context, &auth);
-		kdc_log(0, "malloc failed");
-		goto out2;
-	    }
-	    **csec  = auth->ctime;
-	    *cusec  = malloc(sizeof(**cusec));
-	    if (*cusec == NULL) {
-		krb5_free_authenticator(context, &auth);
-		kdc_log(0, "malloc failed");
-		goto out2;
-	    }
-	    **csec  = auth->cusec;
-	    krb5_free_authenticator(context, &auth);
-	}
+    if (rep.padata->len == 0) {
+	free(rep.padata);
+	rep.padata = NULL;
     }
 
-    cetype = ap_req.authenticator.etype;
-
-    tgt = &ticket->ticket;
-
-    ret = tgs_check_authenticator(ac, b, &e_text, &tgt->key);
+    /* Add the PAC */
+    if (send_pac_p(context, req)) {
+	krb5_pac p = NULL;
+	krb5_data data;
 
-    if (b->enc_authorization_data) {
-	krb5_keyblock *subkey;
-	krb5_data ad;
-	ret = krb5_auth_con_getremotesubkey(context,
-					    ac,
-					    &subkey);
-	if(ret){
-	    krb5_auth_con_free(context, ac);
-	    kdc_log(0, "Failed to get remote subkey: %s", 
-		    krb5_get_err_text(context, ret));
-	    goto out2;
-	}
-	if(subkey == NULL){
-	    ret = krb5_auth_con_getkey(context, ac, &subkey);
-	    if(ret) {
-		krb5_auth_con_free(context, ac);
-		kdc_log(0, "Failed to get session key: %s", 
-			krb5_get_err_text(context, ret));
-		goto out2;
-	    }
-	}
-	if(subkey == NULL){
-	    krb5_auth_con_free(context, ac);
-	    kdc_log(0, "Failed to get key for enc-authorization-data");
-	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
-	    goto out2;
-	}
-	ret = krb5_crypto_init(context, subkey, 0, &crypto);
+	ret = _kdc_pac_generate(context, client, &p);
 	if (ret) {
-	    krb5_auth_con_free(context, ac);
-	    kdc_log(0, "krb5_crypto_init failed: %s",
-		    krb5_get_err_text(context, ret));
-	    goto out2;
-	}
-	ret = krb5_decrypt_EncryptedData (context,
-					  crypto,
-					  KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY,
-					  b->enc_authorization_data,
-					  &ad);
-	krb5_crypto_destroy(context, crypto);
-	if(ret){
-	    krb5_auth_con_free(context, ac);
-	    kdc_log(0, "Failed to decrypt enc-authorization-data");
-	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
-	    goto out2;
-	}
-	krb5_free_keyblock(context, subkey);
-	ALLOC(auth_data);
-	ret = decode_AuthorizationData(ad.data, ad.length, auth_data, NULL);
-	if(ret){
-	    krb5_auth_con_free(context, ac);
-	    free(auth_data);
-	    auth_data = NULL;
-	    kdc_log(0, "Failed to decode authorization data");
-	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
-	    goto out2;
+	    kdc_log(context, config, 0, "PAC generation failed for -- %s", 
+		    client_name);
+	    goto out;
 	}
-    }
-
-    krb5_auth_con_free(context, ac);
-
-    if(ret){
-	kdc_log(0, "Failed to verify authenticator: %s", 
-		krb5_get_err_text(context, ret));
-	goto out2;
-    }
-    
-    {
-	PrincipalName *s;
-	Realm r;
-	char *spn = NULL, *cpn = NULL;
-	hdb_entry *server = NULL, *client = NULL;
-	int loop = 0;
-	EncTicketPart adtkt;
-	char opt_str[128];
-
-	s = b->sname;
-	r = b->realm;
-	if(b->kdc_options.enc_tkt_in_skey){
-	    Ticket *t;
-	    hdb_entry *uu;
-	    krb5_principal p;
-	    Key *tkey;
-	    
-	    if(b->additional_tickets == NULL || 
-	       b->additional_tickets->len == 0){
-		ret = KRB5KDC_ERR_BADOPTION; /* ? */
-		kdc_log(0, "No second ticket present in request");
-		goto out;
-	    }
-	    t = &b->additional_tickets->val[0];
-	    if(!get_krbtgt_realm(&t->sname)){
-		kdc_log(0, "Additional ticket is not a ticket-granting ticket");
-		ret = KRB5KDC_ERR_POLICY;
-		goto out2;
-	    }
-	    principalname2krb5_principal(&p, t->sname, t->realm);
-	    ret = db_fetch(p, &uu);
-	    krb5_free_principal(context, p);
-	    if(ret){
-		if (ret == HDB_ERR_NOENTRY)
-		    ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
-		goto out;
-	    }
-	    ret = hdb_enctype2key(context, uu, t->enc_part.etype, &tkey);
-	    if(ret){
-		ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
+	if (p != NULL) {
+	    ret = _krb5_pac_sign(context, p, et.authtime,
+				 client->entry.principal,
+				 &skey->key, /* Server key */ 
+				 &skey->key, /* FIXME: should be krbtgt key */
+				 &data);
+	    krb5_pac_free(context, p);
+	    if (ret) {
+		kdc_log(context, config, 0, "PAC signing failed for -- %s", 
+			client_name);
 		goto out;
 	    }
-	    ret = krb5_decrypt_ticket(context, t, &tkey->key, &adtkt, 0);
 
-	    if(ret)
+	    ret = _kdc_tkt_add_if_relevant_ad(context, &et,
+					      KRB5_AUTHDATA_WIN2K_PAC,
+					      &data);
+	    krb5_data_free(&data);
+	    if (ret)
 		goto out;
-	    s = &adtkt.cname;
-	    r = adtkt.crealm;
-	}
-
-	principalname2krb5_principal(&sp, *s, r);
-	krb5_unparse_name(context, sp, &spn);	
-	principalname2krb5_principal(&cp, tgt->cname, tgt->crealm);
-	krb5_unparse_name(context, cp, &cpn);
-	unparse_flags (KDCOptions2int(b->kdc_options), KDCOptions_units,
-		       opt_str, sizeof(opt_str));
-	if(*opt_str)
-	    kdc_log(0, "TGS-REQ %s from %s for %s [%s]", 
-		    cpn, from, spn, opt_str);
-	else
-	    kdc_log(0, "TGS-REQ %s from %s for %s", cpn, from, spn);
-    server_lookup:
-	ret = db_fetch(sp, &server);
-
-	if(ret){
-	    Realm req_rlm, new_rlm;
-	    krb5_realm *realms;
-
-	    if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
-		if(loop++ < 2) {
-		    new_rlm = find_rpath(tgt->crealm, req_rlm);
-		    if(new_rlm) {
-			kdc_log(5, "krbtgt for realm %s not found, trying %s", 
-				req_rlm, new_rlm);
-			krb5_free_principal(context, sp);
-			free(spn);
-			krb5_make_principal(context, &sp, r, 
-					    KRB5_TGS_NAME, new_rlm, NULL);
-			krb5_unparse_name(context, sp, &spn);	
-			goto server_lookup;
-		    }
-		}
-	    } else if(need_referral(sp, &realms)) {
-		if (strcmp(realms[0], sp->realm) != 0) {
-		    kdc_log(5, "returning a referral to realm %s for "
-			    "server %s that was not found",
-			    realms[0], spn);
-		    krb5_free_principal(context, sp);
-		    free(spn);
-		    krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
-					realms[0], NULL);
-		    krb5_unparse_name(context, sp, &spn);
-		    krb5_free_host_realm(context, realms);
-		    goto server_lookup;
-		}
-		krb5_free_host_realm(context, realms);
-	    }
-	    kdc_log(0, "Server not found in database: %s: %s", spn,
-		    krb5_get_err_text(context, ret));
-	    if (ret == HDB_ERR_NOENTRY)
-		ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
-	    goto out;
-	}
-
-	ret = db_fetch(cp, &client);
-	if(ret)
-	    kdc_log(1, "Client not found in database: %s: %s",
-		    cpn, krb5_get_err_text(context, ret));
-#if 0
-	/* XXX check client only if same realm as krbtgt-instance */
-	if(ret){
-	    kdc_log(0, "Client not found in database: %s: %s",
-		    cpn, krb5_get_err_text(context, ret));
-	    if (ret == HDB_ERR_NOENTRY)
-		ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
-	    goto out;
 	}
-#endif
+    }
 
-	if(strcmp(krb5_principal_get_realm(context, sp),
-		  krb5_principal_get_comp_string(context, krbtgt->principal, 1)) != 0) {
-	    char *tpn;
-	    ret = krb5_unparse_name(context, krbtgt->principal, &tpn);
-	    kdc_log(0, "Request with wrong krbtgt: %s", (ret == 0) ? tpn : "<unknown>");
-	    if(ret == 0)
-		free(tpn);
-	    ret = KRB5KRB_AP_ERR_NOT_US;
-	    goto out;
-	    
-	}
+    _kdc_log_timestamp(context, config, "AS-REQ", et.authtime, et.starttime, 
+		       et.endtime, et.renew_till);
 
-	ret = check_flags(client, cpn, server, spn, FALSE);
-	if(ret)
-	    goto out;
+    /* do this as the last thing since this signs the EncTicketPart */
+    ret = _kdc_add_KRB5SignedPath(context,
+				  config,
+				  server,
+				  setype,
+				  NULL,
+				  NULL,
+				  &et);
+    if (ret)
+	goto out;
 
-	if((b->kdc_options.validate || b->kdc_options.renew) && 
-	   !krb5_principal_compare(context, 
-				   krbtgt->principal,
-				   server->principal)){
-	    kdc_log(0, "Inconsistent request.");
-	    ret = KRB5KDC_ERR_SERVER_NOMATCH;
-	    goto out;
-	}
+    ret = _kdc_encode_reply(context, config, 
+			    &rep, &et, &ek, setype, server->entry.kvno, 
+			    &skey->key, client->entry.kvno, 
+			    reply_key, &e_text, reply);
+    free_EncTicketPart(&et);
+    free_EncKDCRepPart(&ek);
+    if (ret)
+	goto out;
 
-	/* check for valid set of addresses */
-	if(!check_addresses(tgt->caddr, from_addr)) {
-	    ret = KRB5KRB_AP_ERR_BADADDR;
-	    kdc_log(0, "Request from wrong address");
-	    goto out;
-	}
-	
-	ret = tgs_make_reply(b, 
-			     tgt, 
-			     b->kdc_options.enc_tkt_in_skey ? &adtkt : NULL, 
-			     auth_data,
-			     server, 
-			     client, 
-			     cp, 
-			     krbtgt, 
-			     cetype, 
-			     &e_text,
-			     reply);
-	
-    out:
-	free(spn);
-	free(cpn);
-	    
-	if(server)
-	    free_ent(server);
-	if(client)
-	    free_ent(client);
+    /* */
+    if (datagram_reply && reply->length > config->max_datagram_reply_length) {
+	krb5_data_free(reply);
+	ret = KRB5KRB_ERR_RESPONSE_TOO_BIG;
+	e_text = "Reply packet too large";
     }
-out2:
-    if(ret) {
+
+out:
+    free_AS_REP(&rep);
+    if(ret){
 	krb5_mk_error(context,
 		      ret,
 		      e_text,
-		      NULL,
-		      cp,
-		      sp,
+		      (e_data.data ? &e_data : NULL),
+		      client_princ,
+		      server_princ,
 		      NULL,
 		      NULL,
 		      reply);
-	free(*csec);
-	free(*cusec);
-	*csec  = NULL;
-	*cusec = NULL;
-    }
-    krb5_free_principal(context, cp);
-    krb5_free_principal(context, sp);
-    if (ticket) {
-	krb5_free_ticket(context, ticket);
-	free(ticket);
-    }
-    free_AP_REQ(&ap_req);
-    if(auth_data){
-	free_AuthorizationData(auth_data);
-	free(auth_data);
+	ret = 0;
     }
-
-    if(krbtgt)
-	free_ent(krbtgt);
-
+#ifdef PKINIT
+    if (pkp)
+	_kdc_pk_free_client_param(context, pkp);
+#endif
+    if (e_data.data)
+        free(e_data.data);
+    if (client_princ)
+	krb5_free_principal(context, client_princ);
+    free(client_name);
+    if (server_princ)
+	krb5_free_principal(context, server_princ);
+    free(server_name);
+    if(client)
+	_kdc_free_ent(context, client);
+    if(server)
+	_kdc_free_ent(context, server);
     return ret;
 }
 
+/*
+ * Add the AuthorizationData `data´ of `type´ to the last element in
+ * the sequence of authorization_data in `tkt´ wrapped in an IF_RELEVANT
+ */
 
 krb5_error_code
-tgs_rep(KDC_REQ *req, 
-	krb5_data *data,
-	const char *from,
-	struct sockaddr *from_addr)
+_kdc_tkt_add_if_relevant_ad(krb5_context context,
+			    EncTicketPart *tkt,
+			    int type,
+			    const krb5_data *data)
 {
     krb5_error_code ret;
-    int i = 0;
-    PA_DATA *tgs_req = NULL;
-    time_t *csec = NULL;
-    int *cusec = NULL;
+    size_t size;
 
-    if(req->padata == NULL){
-	ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
-	kdc_log(0, "TGS-REQ from %s without PA-DATA", from);
-	goto out;
+    if (tkt->authorization_data == NULL) {
+	tkt->authorization_data = calloc(1, sizeof(*tkt->authorization_data));
+	if (tkt->authorization_data == NULL) {
+	    krb5_set_error_string(context, "out of memory");
+	    return ENOMEM;
+	}
     }
-    
-    tgs_req = find_padata(req, &i, KRB5_PADATA_TGS_REQ);
+	
+    /* add the entry to the last element */
+    {
+	AuthorizationData ad = { 0, NULL };
+	AuthorizationDataElement ade;
+
+	ade.ad_type = type;
+	ade.ad_data = *data;
 
-    if(tgs_req == NULL){
-	ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+	ret = add_AuthorizationData(&ad, &ade);
+	if (ret) {
+	    krb5_set_error_string(context, "add AuthorizationData failed");
+	    return ret;
+	}
+
+	ade.ad_type = KRB5_AUTHDATA_IF_RELEVANT;
+
+	ASN1_MALLOC_ENCODE(AuthorizationData, 
+			   ade.ad_data.data, ade.ad_data.length, 
+			   &ad, &size, ret);
+	free_AuthorizationData(&ad);
+	if (ret) {
+	    krb5_set_error_string(context, "ASN.1 encode of "
+				  "AuthorizationData failed");
+	    return ret;
+	}
+	if (ade.ad_data.length != size)
+	    krb5_abortx(context, "internal asn.1 encoder error");
 	
-	kdc_log(0, "TGS-REQ from %s without PA-TGS-REQ", from);
-	goto out;
-    }
-    ret = tgs_rep2(&req->req_body, tgs_req, data, from, from_addr,
-		   &csec, &cusec);
-out:
-    if(ret && data->data == NULL){
-	krb5_mk_error(context,
-		      ret,
-		      NULL,
-		      NULL,
-		      NULL,
-		      NULL,
-		      csec,
-		      cusec,
-		      data);
+	ret = add_AuthorizationData(tkt->authorization_data, &ade);
+	der_free_octet_string(&ade.ad_data);
+	if (ret) {
+	    krb5_set_error_string(context, "add AuthorizationData failed");
+	    return ret;
+	}
     }
-    free(csec);
-    free(cusec);
+
     return 0;
 }
diff --git a/crypto/heimdal/kdc/krb5tgs.c b/crypto/heimdal/kdc/krb5tgs.c
new file mode 100644
index 0000000..32bdee9
--- /dev/null
+++ b/crypto/heimdal/kdc/krb5tgs.c
@@ -0,0 +1,1914 @@
+/*
+ * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+
+RCSID("$Id: krb5tgs.c 22071 2007-11-14 20:04:50Z lha $");
+
+/*
+ * return the realm of a krbtgt-ticket or NULL
+ */
+
+static Realm 
+get_krbtgt_realm(const PrincipalName *p)
+{
+    if(p->name_string.len == 2
+       && strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0)
+	return p->name_string.val[1];
+    else
+	return NULL;
+}
+
+/*
+ * The KDC might add a signed path to the ticket authorization data
+ * field. This is to avoid server impersonating clients and the
+ * request constrained delegation.
+ *
+ * This is done by storing a KRB5_AUTHDATA_IF_RELEVANT with a single
+ * entry of type KRB5SignedPath.
+ */
+
+static krb5_error_code
+find_KRB5SignedPath(krb5_context context,
+		    const AuthorizationData *ad,
+		    krb5_data *data)
+{
+    AuthorizationData child;
+    krb5_error_code ret;
+    int pos;
+	
+    if (ad == NULL || ad->len == 0)
+	return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+
+    pos = ad->len - 1;
+
+    if (ad->val[pos].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
+	return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+
+    ret = decode_AuthorizationData(ad->val[pos].ad_data.data,
+				   ad->val[pos].ad_data.length,
+				   &child,
+				   NULL);
+    if (ret) {
+	krb5_set_error_string(context, "Failed to decode "
+			      "IF_RELEVANT with %d", ret);
+	return ret;
+    }
+
+    if (child.len != 1) {
+	free_AuthorizationData(&child);
+	return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+    }
+
+    if (child.val[0].ad_type != KRB5_AUTHDATA_SIGNTICKET) {
+	free_AuthorizationData(&child);
+	return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+    }
+
+    if (data)
+	ret = der_copy_octet_string(&child.val[0].ad_data, data);
+    free_AuthorizationData(&child);
+    return ret;
+}
+
+krb5_error_code
+_kdc_add_KRB5SignedPath(krb5_context context,
+			krb5_kdc_configuration *config,
+			hdb_entry_ex *krbtgt,
+			krb5_enctype enctype,
+			krb5_const_principal server,
+			KRB5SignedPathPrincipals *principals,
+			EncTicketPart *tkt)
+{
+    krb5_error_code ret;
+    KRB5SignedPath sp;
+    krb5_data data;
+    krb5_crypto crypto = NULL;
+    size_t size;
+
+    if (server && principals) {
+	ret = add_KRB5SignedPathPrincipals(principals, server);
+	if (ret)
+	    return ret;
+    }
+
+    {
+	KRB5SignedPathData spd;
+	
+	spd.encticket = *tkt;
+	spd.delegated = principals;
+	
+	ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
+			   &spd, &size, ret);
+	if (ret)
+	    return ret;
+	if (data.length != size)
+	    krb5_abortx(context, "internal asn.1 encoder error");
+    }
+
+    {
+	Key *key;
+	ret = hdb_enctype2key(context, &krbtgt->entry, enctype, &key);
+	if (ret == 0)
+	    ret = krb5_crypto_init(context, &key->key, 0, &crypto);
+	if (ret) {
+	    free(data.data);
+	    return ret;
+	}
+    }
+
+    /*
+     * Fill in KRB5SignedPath
+     */
+
+    sp.etype = enctype;
+    sp.delegated = principals;
+
+    ret = krb5_create_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 0,
+			       data.data, data.length, &sp.cksum);
+    krb5_crypto_destroy(context, crypto);
+    free(data.data);
+    if (ret)
+	return ret;
+
+    ASN1_MALLOC_ENCODE(KRB5SignedPath, data.data, data.length, &sp, &size, ret);
+    free_Checksum(&sp.cksum);
+    if (ret)
+	return ret;
+    if (data.length != size)
+	krb5_abortx(context, "internal asn.1 encoder error");
+
+    
+    /*
+     * Add IF-RELEVANT(KRB5SignedPath) to the last slot in
+     * authorization data field.
+     */
+
+    ret = _kdc_tkt_add_if_relevant_ad(context, tkt,
+				      KRB5_AUTHDATA_SIGNTICKET, &data);
+    krb5_data_free(&data);
+
+    return ret;
+}
+
+static krb5_error_code
+check_KRB5SignedPath(krb5_context context,
+		     krb5_kdc_configuration *config,
+		     hdb_entry_ex *krbtgt,
+		     EncTicketPart *tkt,
+		     KRB5SignedPathPrincipals **delegated,
+		     int require_signedpath)
+{
+    krb5_error_code ret;
+    krb5_data data;
+    krb5_crypto crypto = NULL;
+
+    *delegated = NULL;
+
+    ret = find_KRB5SignedPath(context, tkt->authorization_data, &data);
+    if (ret == 0) {
+	KRB5SignedPathData spd;
+	KRB5SignedPath sp;
+	AuthorizationData *ad;
+	size_t size;
+
+	ret = decode_KRB5SignedPath(data.data, data.length, &sp, NULL);
+	krb5_data_free(&data);
+	if (ret)
+	    return ret;
+
+	spd.encticket = *tkt;
+	/* the KRB5SignedPath is the last entry */
+	ad = spd.encticket.authorization_data;
+	if (--ad->len == 0)
+	    spd.encticket.authorization_data = NULL;
+	spd.delegated = sp.delegated;
+
+	ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
+			   &spd, &size, ret);
+	ad->len++;
+	spd.encticket.authorization_data = ad;
+	if (ret) {
+	    free_KRB5SignedPath(&sp);
+	    return ret;
+	}
+	if (data.length != size)
+	    krb5_abortx(context, "internal asn.1 encoder error");
+
+	{
+	    Key *key;
+	    ret = hdb_enctype2key(context, &krbtgt->entry, sp.etype, &key);
+	    if (ret == 0)
+		ret = krb5_crypto_init(context, &key->key, 0, &crypto);
+	    if (ret) {
+		free(data.data);
+		free_KRB5SignedPath(&sp);
+		return ret;
+	    }
+	}
+	ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 
+				   data.data, data.length, 
+				   &sp.cksum);
+	krb5_crypto_destroy(context, crypto);
+	free(data.data);
+	if (ret) {
+	    free_KRB5SignedPath(&sp);
+	    return ret;
+	}
+
+	if (sp.delegated) {
+
+	    *delegated = malloc(sizeof(*sp.delegated));
+	    if (*delegated == NULL) {
+		free_KRB5SignedPath(&sp);
+		return ENOMEM;
+	    }
+
+	    ret = copy_KRB5SignedPathPrincipals(*delegated, sp.delegated);
+	    if (ret) {
+		free_KRB5SignedPath(&sp);
+		free(*delegated);
+		*delegated = NULL;
+		return ret;
+	    }
+	}
+	free_KRB5SignedPath(&sp);
+	
+    } else {
+	if (require_signedpath)
+	    return KRB5KDC_ERR_BADOPTION;
+    }
+
+    return 0;
+}
+
+/*
+ *
+ */
+
+static krb5_error_code
+check_PAC(krb5_context context,
+	  krb5_kdc_configuration *config,
+	  const krb5_principal client_principal,
+	  hdb_entry_ex *client,
+	  hdb_entry_ex *server,
+	  const EncryptionKey *server_key,
+	  const EncryptionKey *krbtgt_key,
+	  EncTicketPart *tkt,
+	  krb5_data *rspac,
+	  int *require_signedpath)
+{
+    AuthorizationData *ad = tkt->authorization_data;
+    unsigned i, j;
+    krb5_error_code ret;
+
+    if (ad == NULL || ad->len == 0)
+	return 0;
+
+    for (i = 0; i < ad->len; i++) {
+	AuthorizationData child;
+
+	if (ad->val[i].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
+	    continue;
+
+	ret = decode_AuthorizationData(ad->val[i].ad_data.data,
+				       ad->val[i].ad_data.length,
+				       &child,
+				       NULL);
+	if (ret) {
+	    krb5_set_error_string(context, "Failed to decode "
+				  "IF_RELEVANT with %d", ret);
+	    return ret;
+	}
+	for (j = 0; j < child.len; j++) {
+
+	    if (child.val[j].ad_type == KRB5_AUTHDATA_WIN2K_PAC) {
+		krb5_pac pac;
+
+		/* Found PAC */
+		ret = krb5_pac_parse(context,
+				     child.val[j].ad_data.data,
+				     child.val[j].ad_data.length,
+				     &pac);
+		free_AuthorizationData(&child);
+		if (ret)
+		    return ret;
+
+		ret = krb5_pac_verify(context, pac, tkt->authtime, 
+				      client_principal,
+				      krbtgt_key, NULL);
+		if (ret) {
+		    krb5_pac_free(context, pac);
+		    return ret;
+		}
+
+		ret = _kdc_pac_verify(context, client_principal, 
+				      client, server, &pac);
+		if (ret) {
+		    krb5_pac_free(context, pac);
+		    return ret;
+		}
+		*require_signedpath = 0;
+
+		ret = _krb5_pac_sign(context, pac, tkt->authtime,
+				     client_principal,
+				     server_key, krbtgt_key, rspac);
+
+		krb5_pac_free(context, pac);
+
+		return ret;
+	    }
+	}
+	free_AuthorizationData(&child);
+    }
+    return 0;
+}
+
+/*
+ *
+ */
+
+static krb5_error_code
+check_tgs_flags(krb5_context context,        
+		krb5_kdc_configuration *config,
+		KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et)
+{
+    KDCOptions f = b->kdc_options;
+	
+    if(f.validate){
+	if(!tgt->flags.invalid || tgt->starttime == NULL){
+	    kdc_log(context, config, 0,
+		    "Bad request to validate ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	if(*tgt->starttime > kdc_time){
+	    kdc_log(context, config, 0,
+		    "Early request to validate ticket");
+	    return KRB5KRB_AP_ERR_TKT_NYV;
+	}
+	/* XXX  tkt = tgt */
+	et->flags.invalid = 0;
+    }else if(tgt->flags.invalid){
+	kdc_log(context, config, 0, 
+		"Ticket-granting ticket has INVALID flag set");
+	return KRB5KRB_AP_ERR_TKT_INVALID;
+    }
+
+    if(f.forwardable){
+	if(!tgt->flags.forwardable){
+	    kdc_log(context, config, 0,
+		    "Bad request for forwardable ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	et->flags.forwardable = 1;
+    }
+    if(f.forwarded){
+	if(!tgt->flags.forwardable){
+	    kdc_log(context, config, 0,
+		    "Request to forward non-forwardable ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	et->flags.forwarded = 1;
+	et->caddr = b->addresses;
+    }
+    if(tgt->flags.forwarded)
+	et->flags.forwarded = 1;
+	
+    if(f.proxiable){
+	if(!tgt->flags.proxiable){
+	    kdc_log(context, config, 0,
+		    "Bad request for proxiable ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	et->flags.proxiable = 1;
+    }
+    if(f.proxy){
+	if(!tgt->flags.proxiable){
+	    kdc_log(context, config, 0,
+		    "Request to proxy non-proxiable ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	et->flags.proxy = 1;
+	et->caddr = b->addresses;
+    }
+    if(tgt->flags.proxy)
+	et->flags.proxy = 1;
+
+    if(f.allow_postdate){
+	if(!tgt->flags.may_postdate){
+	    kdc_log(context, config, 0,
+		    "Bad request for post-datable ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	et->flags.may_postdate = 1;
+    }
+    if(f.postdated){
+	if(!tgt->flags.may_postdate){
+	    kdc_log(context, config, 0,
+		    "Bad request for postdated ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	if(b->from)
+	    *et->starttime = *b->from;
+	et->flags.postdated = 1;
+	et->flags.invalid = 1;
+    }else if(b->from && *b->from > kdc_time + context->max_skew){
+	kdc_log(context, config, 0, "Ticket cannot be postdated");
+	return KRB5KDC_ERR_CANNOT_POSTDATE;
+    }
+
+    if(f.renewable){
+	if(!tgt->flags.renewable){
+	    kdc_log(context, config, 0,
+		    "Bad request for renewable ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	et->flags.renewable = 1;
+	ALLOC(et->renew_till);
+	_kdc_fix_time(&b->rtime);
+	*et->renew_till = *b->rtime;
+    }
+    if(f.renew){
+	time_t old_life;
+	if(!tgt->flags.renewable || tgt->renew_till == NULL){
+	    kdc_log(context, config, 0,
+		    "Request to renew non-renewable ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	old_life = tgt->endtime;
+	if(tgt->starttime)
+	    old_life -= *tgt->starttime;
+	else
+	    old_life -= tgt->authtime;
+	et->endtime = *et->starttime + old_life;
+	if (et->renew_till != NULL)
+	    et->endtime = min(*et->renew_till, et->endtime);
+    }	    
+    
+#if 0
+    /* checks for excess flags */
+    if(f.request_anonymous && !config->allow_anonymous){
+	kdc_log(context, config, 0,
+		"Request for anonymous ticket");
+	return KRB5KDC_ERR_BADOPTION;
+    }
+#endif
+    return 0;
+}
+
+/*
+ *
+ */
+
+static krb5_error_code
+check_constrained_delegation(krb5_context context, 
+			     krb5_kdc_configuration *config,
+			     hdb_entry_ex *client,
+			     krb5_const_principal server)
+{
+    const HDB_Ext_Constrained_delegation_acl *acl;
+    krb5_error_code ret;
+    int i;
+
+    ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
+    if (ret) {
+	krb5_clear_error_string(context);
+	return ret;
+    }
+
+    if (acl) {
+	for (i = 0; i < acl->len; i++) {
+	    if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE)
+		return 0;
+	}
+    }
+    kdc_log(context, config, 0,
+	    "Bad request for constrained delegation");
+    return KRB5KDC_ERR_BADOPTION;
+}
+
+/*
+ *
+ */
+
+static krb5_error_code
+verify_flags (krb5_context context, 
+	      krb5_kdc_configuration *config,
+	      const EncTicketPart *et,
+	      const char *pstr)
+{
+    if(et->endtime < kdc_time){
+	kdc_log(context, config, 0, "Ticket expired (%s)", pstr);
+	return KRB5KRB_AP_ERR_TKT_EXPIRED;
+    }
+    if(et->flags.invalid){
+	kdc_log(context, config, 0, "Ticket not valid (%s)", pstr);
+	return KRB5KRB_AP_ERR_TKT_NYV;
+    }
+    return 0;
+}
+
+/*
+ *
+ */
+
+static krb5_error_code
+fix_transited_encoding(krb5_context context, 
+		       krb5_kdc_configuration *config,
+		       krb5_boolean check_policy,
+		       const TransitedEncoding *tr, 
+		       EncTicketPart *et, 
+		       const char *client_realm, 
+		       const char *server_realm, 
+		       const char *tgt_realm)
+{
+    krb5_error_code ret = 0;
+    char **realms, **tmp;
+    int num_realms;
+    int i;
+
+    switch (tr->tr_type) {
+    case DOMAIN_X500_COMPRESS:
+	break;
+    case 0:
+	/*
+	 * Allow empty content of type 0 because that is was Microsoft
+	 * generates in their TGT.
+	 */
+	if (tr->contents.length == 0)
+	    break;
+	kdc_log(context, config, 0,
+		"Transited type 0 with non empty content");
+	return KRB5KDC_ERR_TRTYPE_NOSUPP;
+    default:
+	kdc_log(context, config, 0,
+		"Unknown transited type: %u", tr->tr_type);
+	return KRB5KDC_ERR_TRTYPE_NOSUPP;
+    }
+
+    ret = krb5_domain_x500_decode(context, 
+				  tr->contents,
+				  &realms, 
+				  &num_realms,
+				  client_realm,
+				  server_realm);
+    if(ret){
+	krb5_warn(context, ret,
+		  "Decoding transited encoding");
+	return ret;
+    }
+    if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
+	/* not us, so add the previous realm to transited set */
+	if (num_realms < 0 || num_realms + 1 > UINT_MAX/sizeof(*realms)) {
+	    ret = ERANGE;
+	    goto free_realms;
+	}
+	tmp = realloc(realms, (num_realms + 1) * sizeof(*realms));
+	if(tmp == NULL){
+	    ret = ENOMEM;
+	    goto free_realms;
+	}
+	realms = tmp;
+	realms[num_realms] = strdup(tgt_realm);
+	if(realms[num_realms] == NULL){
+	    ret = ENOMEM;
+	    goto free_realms;
+	}
+	num_realms++;
+    }
+    if(num_realms == 0) {
+	if(strcmp(client_realm, server_realm)) 
+	    kdc_log(context, config, 0,
+		    "cross-realm %s -> %s", client_realm, server_realm);
+    } else {
+	size_t l = 0;
+	char *rs;
+	for(i = 0; i < num_realms; i++)
+	    l += strlen(realms[i]) + 2;
+	rs = malloc(l);
+	if(rs != NULL) {
+	    *rs = '\0';
+	    for(i = 0; i < num_realms; i++) {
+		if(i > 0)
+		    strlcat(rs, ", ", l);
+		strlcat(rs, realms[i], l);
+	    }
+	    kdc_log(context, config, 0,
+		    "cross-realm %s -> %s via [%s]",
+		    client_realm, server_realm, rs);
+	    free(rs);
+	}
+    }
+    if(check_policy) {
+	ret = krb5_check_transited(context, client_realm, 
+				   server_realm, 
+				   realms, num_realms, NULL);
+	if(ret) {
+	    krb5_warn(context, ret, "cross-realm %s -> %s", 
+		      client_realm, server_realm);
+	    goto free_realms;
+	}
+	et->flags.transited_policy_checked = 1;
+    }
+    et->transited.tr_type = DOMAIN_X500_COMPRESS;
+    ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents);
+    if(ret)
+	krb5_warn(context, ret, "Encoding transited encoding");
+  free_realms:
+    for(i = 0; i < num_realms; i++)
+	free(realms[i]);
+    free(realms);
+    return ret;
+}
+
+
+static krb5_error_code
+tgs_make_reply(krb5_context context, 
+	       krb5_kdc_configuration *config,
+	       KDC_REQ_BODY *b, 
+	       krb5_const_principal tgt_name,
+	       const EncTicketPart *tgt, 
+	       const EncryptionKey *serverkey,
+	       const krb5_keyblock *sessionkey,
+	       krb5_kvno kvno,
+	       AuthorizationData *auth_data,
+	       hdb_entry_ex *server, 
+	       const char *server_name, 
+	       hdb_entry_ex *client, 
+	       krb5_principal client_principal, 
+	       hdb_entry_ex *krbtgt,
+	       krb5_enctype krbtgt_etype,
+	       KRB5SignedPathPrincipals *spp,
+	       const krb5_data *rspac,
+	       const char **e_text,
+	       krb5_data *reply)
+{
+    KDC_REP rep;
+    EncKDCRepPart ek;
+    EncTicketPart et;
+    KDCOptions f = b->kdc_options;
+    krb5_error_code ret;
+    
+    memset(&rep, 0, sizeof(rep));
+    memset(&et, 0, sizeof(et));
+    memset(&ek, 0, sizeof(ek));
+    
+    rep.pvno = 5;
+    rep.msg_type = krb_tgs_rep;
+
+    et.authtime = tgt->authtime;
+    _kdc_fix_time(&b->till);
+    et.endtime = min(tgt->endtime, *b->till);
+    ALLOC(et.starttime);
+    *et.starttime = kdc_time;
+    
+    ret = check_tgs_flags(context, config, b, tgt, &et);
+    if(ret)
+	goto out;
+
+    /* We should check the transited encoding if:
+       1) the request doesn't ask not to be checked
+       2) globally enforcing a check
+       3) principal requires checking
+       4) we allow non-check per-principal, but principal isn't marked as allowing this
+       5) we don't globally allow this
+    */
+
+#define GLOBAL_FORCE_TRANSITED_CHECK		\
+    (config->trpolicy == TRPOLICY_ALWAYS_CHECK)
+#define GLOBAL_ALLOW_PER_PRINCIPAL			\
+    (config->trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL)
+#define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK			\
+    (config->trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST)
+
+/* these will consult the database in future release */
+#define PRINCIPAL_FORCE_TRANSITED_CHECK(P)		0
+#define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P)	0
+
+    ret = fix_transited_encoding(context, config, 
+				 !f.disable_transited_check ||
+				 GLOBAL_FORCE_TRANSITED_CHECK ||
+				 PRINCIPAL_FORCE_TRANSITED_CHECK(server) ||
+				 !((GLOBAL_ALLOW_PER_PRINCIPAL && 
+				    PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) ||
+				   GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
+				 &tgt->transited, &et,
+				 *krb5_princ_realm(context, client_principal),
+				 *krb5_princ_realm(context, server->entry.principal),
+				 *krb5_princ_realm(context, krbtgt->entry.principal));
+    if(ret)
+	goto out;
+
+    copy_Realm(krb5_princ_realm(context, server->entry.principal), 
+	       &rep.ticket.realm);
+    _krb5_principal2principalname(&rep.ticket.sname, server->entry.principal);
+    copy_Realm(&tgt_name->realm, &rep.crealm);
+/*
+    if (f.request_anonymous)
+	_kdc_make_anonymous_principalname (&rep.cname);
+    else */
+
+    copy_PrincipalName(&tgt_name->name, &rep.cname);
+    rep.ticket.tkt_vno = 5;
+
+    ek.caddr = et.caddr;
+    if(et.caddr == NULL)
+	et.caddr = tgt->caddr;
+
+    {
+	time_t life;
+	life = et.endtime - *et.starttime;
+	if(client && client->entry.max_life)
+	    life = min(life, *client->entry.max_life);
+	if(server->entry.max_life)
+	    life = min(life, *server->entry.max_life);
+	et.endtime = *et.starttime + life;
+    }
+    if(f.renewable_ok && tgt->flags.renewable && 
+       et.renew_till == NULL && et.endtime < *b->till){
+	et.flags.renewable = 1;
+	ALLOC(et.renew_till);
+	*et.renew_till = *b->till;
+    }
+    if(et.renew_till){
+	time_t renew;
+	renew = *et.renew_till - et.authtime;
+	if(client && client->entry.max_renew)
+	    renew = min(renew, *client->entry.max_renew);
+	if(server->entry.max_renew)
+	    renew = min(renew, *server->entry.max_renew);
+	*et.renew_till = et.authtime + renew;
+    }
+	    
+    if(et.renew_till){
+	*et.renew_till = min(*et.renew_till, *tgt->renew_till);
+	*et.starttime = min(*et.starttime, *et.renew_till);
+	et.endtime = min(et.endtime, *et.renew_till);
+    }
+    
+    *et.starttime = min(*et.starttime, et.endtime);
+
+    if(*et.starttime == et.endtime){
+	ret = KRB5KDC_ERR_NEVER_VALID;
+	goto out;
+    }
+    if(et.renew_till && et.endtime == *et.renew_till){
+	free(et.renew_till);
+	et.renew_till = NULL;
+	et.flags.renewable = 0;
+    }
+    
+    et.flags.pre_authent = tgt->flags.pre_authent;
+    et.flags.hw_authent  = tgt->flags.hw_authent;
+    et.flags.anonymous   = tgt->flags.anonymous;
+    et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
+	    
+    if (auth_data) {
+	/* XXX Check enc-authorization-data */
+	et.authorization_data = calloc(1, sizeof(*et.authorization_data));
+	if (et.authorization_data == NULL) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+	ret = copy_AuthorizationData(auth_data, et.authorization_data);
+	if (ret)
+	    goto out;
+
+	/* Filter out type KRB5SignedPath */
+	ret = find_KRB5SignedPath(context, et.authorization_data, NULL);
+	if (ret == 0) {
+	    if (et.authorization_data->len == 1) {
+		free_AuthorizationData(et.authorization_data);
+		free(et.authorization_data);
+		et.authorization_data = NULL;
+	    } else {
+		AuthorizationData *ad = et.authorization_data;
+		free_AuthorizationDataElement(&ad->val[ad->len - 1]);
+		ad->len--;
+	    }
+	}
+    }
+
+    if(rspac->length) {
+	/*
+	 * No not need to filter out the any PAC from the
+	 * auth_data since it's signed by the KDC.
+	 */
+	ret = _kdc_tkt_add_if_relevant_ad(context, &et,
+					  KRB5_AUTHDATA_WIN2K_PAC,
+					  rspac);
+	if (ret)
+	    goto out;
+    }
+
+    ret = krb5_copy_keyblock_contents(context, sessionkey, &et.key);
+    if (ret)
+	goto out;
+    et.crealm = tgt->crealm;
+    et.cname = tgt_name->name;
+	    
+    ek.key = et.key;
+    /* MIT must have at least one last_req */
+    ek.last_req.len = 1;
+    ek.last_req.val = calloc(1, sizeof(*ek.last_req.val));
+    if (ek.last_req.val == NULL) {
+	ret = ENOMEM;
+	goto out;
+    }
+    ek.nonce = b->nonce;
+    ek.flags = et.flags;
+    ek.authtime = et.authtime;
+    ek.starttime = et.starttime;
+    ek.endtime = et.endtime;
+    ek.renew_till = et.renew_till;
+    ek.srealm = rep.ticket.realm;
+    ek.sname = rep.ticket.sname;
+    
+    _kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime, 
+		       et.endtime, et.renew_till);
+
+    /* Don't sign cross realm tickets, they can't be checked anyway */
+    {
+	char *r = get_krbtgt_realm(&ek.sname);
+
+	if (r == NULL || strcmp(r, ek.srealm) == 0) {
+	    ret = _kdc_add_KRB5SignedPath(context,
+					  config,
+					  krbtgt,
+					  krbtgt_etype,
+					  NULL,
+					  spp,
+					  &et);
+	    if (ret)
+		goto out;
+	}
+    }
+
+    /* It is somewhat unclear where the etype in the following
+       encryption should come from. What we have is a session
+       key in the passed tgt, and a list of preferred etypes
+       *for the new ticket*. Should we pick the best possible
+       etype, given the keytype in the tgt, or should we look
+       at the etype list here as well?  What if the tgt
+       session key is DES3 and we want a ticket with a (say)
+       CAST session key. Should the DES3 etype be added to the
+       etype list, even if we don't want a session key with
+       DES3? */
+    ret = _kdc_encode_reply(context, config, 
+			    &rep, &et, &ek, et.key.keytype,
+			    kvno, 
+			    serverkey, 0, &tgt->key, e_text, reply);
+out:
+    free_TGS_REP(&rep);
+    free_TransitedEncoding(&et.transited);
+    if(et.starttime)
+	free(et.starttime);
+    if(et.renew_till)
+	free(et.renew_till);
+    if(et.authorization_data) {
+	free_AuthorizationData(et.authorization_data);
+	free(et.authorization_data);
+    }
+    free_LastReq(&ek.last_req);
+    memset(et.key.keyvalue.data, 0, et.key.keyvalue.length);
+    free_EncryptionKey(&et.key);
+    return ret;
+}
+
+static krb5_error_code
+tgs_check_authenticator(krb5_context context, 
+			krb5_kdc_configuration *config,
+	                krb5_auth_context ac,
+			KDC_REQ_BODY *b, 
+			const char **e_text,
+			krb5_keyblock *key)
+{
+    krb5_authenticator auth;
+    size_t len;
+    unsigned char *buf;
+    size_t buf_size;
+    krb5_error_code ret;
+    krb5_crypto crypto;
+    
+    krb5_auth_con_getauthenticator(context, ac, &auth);
+    if(auth->cksum == NULL){
+	kdc_log(context, config, 0, "No authenticator in request");
+	ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
+	goto out;
+    }
+    /*
+     * according to RFC1510 it doesn't need to be keyed,
+     * but according to the latest draft it needs to.
+     */
+    if (
+#if 0
+!krb5_checksum_is_keyed(context, auth->cksum->cksumtype)
+	||
+#endif
+ !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
+	kdc_log(context, config, 0, "Bad checksum type in authenticator: %d", 
+		auth->cksum->cksumtype);
+	ret =  KRB5KRB_AP_ERR_INAPP_CKSUM;
+	goto out;
+    }
+		
+    /* XXX should not re-encode this */
+    ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
+    if(ret){
+	kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", 
+		krb5_get_err_text(context, ret));
+	goto out;
+    }
+    if(buf_size != len) {
+	free(buf);
+	kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
+	*e_text = "KDC internal error";
+	ret = KRB5KRB_ERR_GENERIC;
+	goto out;
+    }
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret) {
+	free(buf);
+	kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
+		krb5_get_err_text(context, ret));
+	goto out;
+    }
+    ret = krb5_verify_checksum(context,
+			       crypto,
+			       KRB5_KU_TGS_REQ_AUTH_CKSUM,
+			       buf, 
+			       len,
+			       auth->cksum);
+    free(buf);
+    krb5_crypto_destroy(context, crypto);
+    if(ret){
+	kdc_log(context, config, 0,
+		"Failed to verify authenticator checksum: %s", 
+		krb5_get_err_text(context, ret));
+    }
+out:
+    free_Authenticator(auth);
+    free(auth);
+    return ret;
+}
+
+/*
+ *
+ */
+
+static const char *
+find_rpath(krb5_context context, Realm crealm, Realm srealm)
+{
+    const char *new_realm = krb5_config_get_string(context,
+						   NULL,
+						   "capaths", 
+						   crealm,
+						   srealm,
+						   NULL);
+    return new_realm;
+}
+	    
+
+static krb5_boolean
+need_referral(krb5_context context, krb5_principal server, krb5_realm **realms)
+{
+    if(server->name.name_type != KRB5_NT_SRV_INST ||
+       server->name.name_string.len != 2)
+	return FALSE;
+ 
+    return _krb5_get_host_realm_int(context, server->name.name_string.val[1],
+				    FALSE, realms) == 0;
+}
+
+static krb5_error_code
+tgs_parse_request(krb5_context context, 
+		  krb5_kdc_configuration *config,
+		  KDC_REQ_BODY *b,
+		  const PA_DATA *tgs_req,
+		  hdb_entry_ex **krbtgt,
+		  krb5_enctype *krbtgt_etype,
+		  krb5_ticket **ticket,
+		  const char **e_text,
+		  const char *from,
+		  const struct sockaddr *from_addr,
+		  time_t **csec,
+		  int **cusec,
+		  AuthorizationData **auth_data)
+{
+    krb5_ap_req ap_req;
+    krb5_error_code ret;
+    krb5_principal princ;
+    krb5_auth_context ac = NULL;
+    krb5_flags ap_req_options;
+    krb5_flags verify_ap_req_flags;
+    krb5_crypto crypto;
+    Key *tkey;
+
+    *auth_data = NULL;
+    *csec  = NULL;
+    *cusec = NULL;
+
+    memset(&ap_req, 0, sizeof(ap_req));
+    ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
+    if(ret){
+	kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", 
+		krb5_get_err_text(context, ret));
+	goto out;
+    }
+
+    if(!get_krbtgt_realm(&ap_req.ticket.sname)){
+	/* XXX check for ticket.sname == req.sname */
+	kdc_log(context, config, 0, "PA-DATA is not a ticket-granting ticket");
+	ret = KRB5KDC_ERR_POLICY; /* ? */
+	goto out;
+    }
+    
+    _krb5_principalname2krb5_principal(context,
+				       &princ,
+				       ap_req.ticket.sname,
+				       ap_req.ticket.realm);
+    
+    ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, NULL, krbtgt);
+
+    if(ret) {
+	char *p;
+	ret = krb5_unparse_name(context, princ, &p);
+	if (ret != 0)
+	    p = "<unparse_name failed>";
+	krb5_free_principal(context, princ);
+	kdc_log(context, config, 0,
+		"Ticket-granting ticket not found in database: %s: %s",
+		p, krb5_get_err_text(context, ret));
+	if (ret == 0)
+	    free(p);
+	ret = KRB5KRB_AP_ERR_NOT_US;
+	goto out;
+    }
+    
+    if(ap_req.ticket.enc_part.kvno && 
+       *ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
+	char *p;
+
+	ret = krb5_unparse_name (context, princ, &p);
+	krb5_free_principal(context, princ);
+	if (ret != 0)
+	    p = "<unparse_name failed>";
+	kdc_log(context, config, 0,
+		"Ticket kvno = %d, DB kvno = %d (%s)", 
+		*ap_req.ticket.enc_part.kvno,
+		(*krbtgt)->entry.kvno,
+		p);
+	if (ret == 0)
+	    free (p);
+	ret = KRB5KRB_AP_ERR_BADKEYVER;
+	goto out;
+    }
+
+    *krbtgt_etype = ap_req.ticket.enc_part.etype;
+
+    ret = hdb_enctype2key(context, &(*krbtgt)->entry, 
+			  ap_req.ticket.enc_part.etype, &tkey);
+    if(ret){
+	char *str = NULL, *p = NULL;
+
+	krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
+	krb5_unparse_name(context, princ, &p);
+ 	kdc_log(context, config, 0,
+		"No server key with enctype %s found for %s",
+		str ? str : "<unknown enctype>",
+		p ? p : "<unparse_name failed>");
+	free(str);
+	free(p);
+	ret = KRB5KRB_AP_ERR_BADKEYVER;
+	goto out;
+    }
+    
+    if (b->kdc_options.validate)
+	verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
+    else
+	verify_ap_req_flags = 0;
+
+    ret = krb5_verify_ap_req2(context,
+			      &ac,
+			      &ap_req,
+			      princ,
+			      &tkey->key,
+			      verify_ap_req_flags,
+			      &ap_req_options,
+			      ticket,
+			      KRB5_KU_TGS_REQ_AUTH);
+			     
+    krb5_free_principal(context, princ);
+    if(ret) {
+	kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", 
+		krb5_get_err_text(context, ret));
+	goto out;
+    }
+
+    {
+	krb5_authenticator auth;
+
+	ret = krb5_auth_con_getauthenticator(context, ac, &auth);
+	if (ret == 0) {
+	    *csec   = malloc(sizeof(**csec));
+	    if (*csec == NULL) {
+		krb5_free_authenticator(context, &auth);
+		kdc_log(context, config, 0, "malloc failed");
+		goto out;
+	    }
+	    **csec  = auth->ctime;
+	    *cusec  = malloc(sizeof(**cusec));
+	    if (*cusec == NULL) {
+		krb5_free_authenticator(context, &auth);
+		kdc_log(context, config, 0, "malloc failed");
+		goto out;
+	    }
+	    **cusec  = auth->cusec;
+	    krb5_free_authenticator(context, &auth);
+	}
+    }
+
+    ret = tgs_check_authenticator(context, config, 
+				  ac, b, e_text, &(*ticket)->ticket.key);
+    if (ret) {
+	krb5_auth_con_free(context, ac);
+	goto out;
+    }
+
+    if (b->enc_authorization_data) {
+	unsigned usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
+	krb5_keyblock *subkey;
+	krb5_data ad;
+
+	ret = krb5_auth_con_getremotesubkey(context,
+					    ac,
+					    &subkey);
+	if(ret){
+	    krb5_auth_con_free(context, ac);
+	    kdc_log(context, config, 0, "Failed to get remote subkey: %s", 
+		    krb5_get_err_text(context, ret));
+	    goto out;
+	}
+	if(subkey == NULL){
+	    usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
+	    ret = krb5_auth_con_getkey(context, ac, &subkey);
+	    if(ret) {
+		krb5_auth_con_free(context, ac);
+		kdc_log(context, config, 0, "Failed to get session key: %s", 
+			krb5_get_err_text(context, ret));
+		goto out;
+	    }
+	}
+	if(subkey == NULL){
+	    krb5_auth_con_free(context, ac);
+	    kdc_log(context, config, 0,
+		    "Failed to get key for enc-authorization-data");
+	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+	    goto out;
+	}
+	ret = krb5_crypto_init(context, subkey, 0, &crypto);
+	if (ret) {
+	    krb5_auth_con_free(context, ac);
+	    kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
+		    krb5_get_err_text(context, ret));
+	    goto out;
+	}
+	ret = krb5_decrypt_EncryptedData (context,
+					  crypto,
+					  usage,
+					  b->enc_authorization_data,
+					  &ad);
+	krb5_crypto_destroy(context, crypto);
+	if(ret){
+	    krb5_auth_con_free(context, ac);
+	    kdc_log(context, config, 0, 
+		    "Failed to decrypt enc-authorization-data");
+	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+	    goto out;
+	}
+	krb5_free_keyblock(context, subkey);
+	ALLOC(*auth_data);
+	if (*auth_data == NULL) {
+	    krb5_auth_con_free(context, ac);
+	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+	    goto out;
+	}
+	ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
+	if(ret){
+	    krb5_auth_con_free(context, ac);
+	    free(*auth_data);
+	    *auth_data = NULL;
+	    kdc_log(context, config, 0, "Failed to decode authorization data");
+	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+	    goto out;
+	}
+    }
+
+    krb5_auth_con_free(context, ac);
+    
+out:
+    free_AP_REQ(&ap_req);
+    
+    return ret;
+}
+
+static krb5_error_code
+tgs_build_reply(krb5_context context, 
+		krb5_kdc_configuration *config,
+		KDC_REQ *req, 
+		KDC_REQ_BODY *b,
+		hdb_entry_ex *krbtgt,
+		krb5_enctype krbtgt_etype,
+		krb5_ticket *ticket,
+		krb5_data *reply,
+		const char *from,
+		const char **e_text,
+		AuthorizationData *auth_data,
+		const struct sockaddr *from_addr,
+		int datagram_reply)
+{
+    krb5_error_code ret;
+    krb5_principal cp = NULL, sp = NULL;
+    krb5_principal client_principal = NULL;
+    char *spn = NULL, *cpn = NULL;
+    hdb_entry_ex *server = NULL, *client = NULL;
+    EncTicketPart *tgt = &ticket->ticket;
+    KRB5SignedPathPrincipals *spp = NULL;
+    const EncryptionKey *ekey;
+    krb5_keyblock sessionkey;
+    krb5_kvno kvno;
+    krb5_data rspac;
+    int cross_realm = 0;
+
+    PrincipalName *s;
+    Realm r;
+    int nloop = 0;
+    EncTicketPart adtkt;
+    char opt_str[128];
+    int require_signedpath = 0;
+
+    memset(&sessionkey, 0, sizeof(sessionkey));
+    memset(&adtkt, 0, sizeof(adtkt));
+    krb5_data_zero(&rspac);
+
+    s = b->sname;
+    r = b->realm;
+
+    if(b->kdc_options.enc_tkt_in_skey){
+	Ticket *t;
+	hdb_entry_ex *uu;
+	krb5_principal p;
+	Key *uukey;
+	    
+	if(b->additional_tickets == NULL || 
+	   b->additional_tickets->len == 0){
+	    ret = KRB5KDC_ERR_BADOPTION; /* ? */
+	    kdc_log(context, config, 0,
+		    "No second ticket present in request");
+	    goto out;
+	}
+	t = &b->additional_tickets->val[0];
+	if(!get_krbtgt_realm(&t->sname)){
+	    kdc_log(context, config, 0,
+		    "Additional ticket is not a ticket-granting ticket");
+	    ret = KRB5KDC_ERR_POLICY;
+	    goto out;
+	}
+	_krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
+	ret = _kdc_db_fetch(context, config, p, 
+			    HDB_F_GET_CLIENT|HDB_F_GET_SERVER, 
+			    NULL, &uu);
+	krb5_free_principal(context, p);
+	if(ret){
+	    if (ret == HDB_ERR_NOENTRY)
+		ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+	    goto out;
+	}
+	ret = hdb_enctype2key(context, &uu->entry, 
+			      t->enc_part.etype, &uukey);
+	if(ret){
+	    _kdc_free_ent(context, uu);
+	    ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
+	    goto out;
+	}
+	ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
+	_kdc_free_ent(context, uu);
+	if(ret)
+	    goto out;
+
+	ret = verify_flags(context, config, &adtkt, spn);
+	if (ret)
+	    goto out;
+
+	s = &adtkt.cname;
+	r = adtkt.crealm;
+    }
+
+    _krb5_principalname2krb5_principal(context, &sp, *s, r);
+    ret = krb5_unparse_name(context, sp, &spn);	
+    if (ret)
+	goto out;
+    _krb5_principalname2krb5_principal(context, &cp, tgt->cname, tgt->crealm);
+    ret = krb5_unparse_name(context, cp, &cpn);
+    if (ret)
+	goto out;
+    unparse_flags (KDCOptions2int(b->kdc_options),
+		   asn1_KDCOptions_units(),
+		   opt_str, sizeof(opt_str));
+    if(*opt_str)
+	kdc_log(context, config, 0,
+		"TGS-REQ %s from %s for %s [%s]", 
+		cpn, from, spn, opt_str);
+    else
+	kdc_log(context, config, 0,
+		"TGS-REQ %s from %s for %s", cpn, from, spn);
+
+    /*
+     * Fetch server
+     */
+
+server_lookup:
+    ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER, NULL, &server);
+
+    if(ret){
+	const char *new_rlm;
+	Realm req_rlm;
+	krb5_realm *realms;
+
+	if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
+	    if(nloop++ < 2) {
+		new_rlm = find_rpath(context, tgt->crealm, req_rlm);
+		if(new_rlm) {
+		    kdc_log(context, config, 5, "krbtgt for realm %s "
+			    "not found, trying %s", 
+			    req_rlm, new_rlm);
+		    krb5_free_principal(context, sp);
+		    free(spn);
+		    krb5_make_principal(context, &sp, r, 
+					KRB5_TGS_NAME, new_rlm, NULL);
+		    ret = krb5_unparse_name(context, sp, &spn);	
+		    if (ret)
+			goto out;
+		    auth_data = NULL; /* ms don't handle AD in referals */
+		    goto server_lookup;
+		}
+	    }
+	} else if(need_referral(context, sp, &realms)) {
+	    if (strcmp(realms[0], sp->realm) != 0) {
+		kdc_log(context, config, 5,
+			"Returning a referral to realm %s for "
+			"server %s that was not found",
+			realms[0], spn);
+		krb5_free_principal(context, sp);
+		free(spn);
+		krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
+				    realms[0], NULL);
+		ret = krb5_unparse_name(context, sp, &spn);
+		if (ret)
+		    goto out;
+		krb5_free_host_realm(context, realms);
+		auth_data = NULL; /* ms don't handle AD in referals */
+		goto server_lookup;
+	    }
+	    krb5_free_host_realm(context, realms);
+	}
+	kdc_log(context, config, 0,
+		"Server not found in database: %s: %s", spn,
+		krb5_get_err_text(context, ret));
+	if (ret == HDB_ERR_NOENTRY)
+	    ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+	goto out;
+    }
+
+    ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT, NULL, &client);
+    if(ret) {
+	const char *krbtgt_realm; 
+
+	/*
+	 * If the client belongs to the same realm as our krbtgt, it
+	 * should exist in the local database.
+	 *
+	 */
+
+	krbtgt_realm = 
+	    krb5_principal_get_comp_string(context, 
+					   krbtgt->entry.principal, 1);
+
+	if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
+	    if (ret == HDB_ERR_NOENTRY)
+		ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+	    kdc_log(context, config, 1, "Client no longer in database: %s",
+		    cpn);
+	    goto out;
+	}
+	
+	kdc_log(context, config, 1, "Client not found in database: %s: %s",
+		cpn, krb5_get_err_text(context, ret));
+
+	cross_realm = 1;
+    }
+    
+    /*
+     * Check that service is in the same realm as the krbtgt. If it's
+     * not the same, it's someone that is using a uni-directional trust
+     * backward.
+     */
+    
+    if (strcmp(krb5_principal_get_realm(context, sp),
+	       krb5_principal_get_comp_string(context, 
+					      krbtgt->entry.principal, 
+					      1)) != 0) {
+	char *tpn;
+	ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
+	kdc_log(context, config, 0,
+		"Request with wrong krbtgt: %s",
+		(ret == 0) ? tpn : "<unknown>");
+	if(ret == 0)
+	    free(tpn);
+	ret = KRB5KRB_AP_ERR_NOT_US;
+	goto out;
+    }
+
+    /*
+     *
+     */
+
+    client_principal = cp;
+
+    if (client) {
+	const PA_DATA *sdata;
+	int i = 0;
+
+	sdata = _kdc_find_padata(req, &i, KRB5_PADATA_S4U2SELF);
+	if (sdata) {
+	    krb5_crypto crypto;
+	    krb5_data datack;
+	    PA_S4U2Self self;
+	    char *selfcpn = NULL;
+	    const char *str;
+
+	    ret = decode_PA_S4U2Self(sdata->padata_value.data, 
+				     sdata->padata_value.length,
+				     &self, NULL);
+	    if (ret) {
+		kdc_log(context, config, 0, "Failed to decode PA-S4U2Self");
+		goto out;
+	    }
+
+	    ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
+	    if (ret)
+		goto out;
+
+	    ret = krb5_crypto_init(context, &tgt->key, 0, &crypto);
+	    if (ret) {
+		free_PA_S4U2Self(&self);
+		krb5_data_free(&datack);
+		kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
+			krb5_get_err_text(context, ret));
+		goto out;
+	    }
+
+	    ret = krb5_verify_checksum(context,
+				       crypto,
+				       KRB5_KU_OTHER_CKSUM,
+				       datack.data, 
+				       datack.length, 
+				       &self.cksum);
+	    krb5_data_free(&datack);
+	    krb5_crypto_destroy(context, crypto);
+	    if (ret) {
+		free_PA_S4U2Self(&self);
+		kdc_log(context, config, 0, 
+			"krb5_verify_checksum failed for S4U2Self: %s",
+			krb5_get_err_text(context, ret));
+		goto out;
+	    }
+
+	    ret = _krb5_principalname2krb5_principal(context,
+						     &client_principal,
+						     self.name,
+						     self.realm);
+	    free_PA_S4U2Self(&self);
+	    if (ret)
+		goto out;
+
+	    ret = krb5_unparse_name(context, client_principal, &selfcpn);	
+	    if (ret)
+		goto out;
+
+	    /*
+	     * Check that service doing the impersonating is
+	     * requesting a ticket to it-self.
+	     */
+	    if (krb5_principal_compare(context, cp, sp) != TRUE) {
+		kdc_log(context, config, 0, "S4U2Self: %s is not allowed "
+			"to impersonate some other user "
+			"(tried for user %s to service %s)",
+			cpn, selfcpn, spn);
+		free(selfcpn);
+		ret = KRB5KDC_ERR_BADOPTION; /* ? */
+		goto out;
+	    }
+
+	    /*
+	     * If the service isn't trusted for authentication to
+	     * delegation, remove the forward flag.
+	     */
+
+	    if (client->entry.flags.trusted_for_delegation) {
+		str = "[forwardable]";
+	    } else {
+		b->kdc_options.forwardable = 0;
+		str = "";
+	    }
+	    kdc_log(context, config, 0, "s4u2self %s impersonating %s to "
+		    "service %s %s", cpn, selfcpn, spn, str);
+	    free(selfcpn);
+	}
+    }
+
+    /*
+     * Constrained delegation
+     */
+
+    if (client != NULL
+	&& b->additional_tickets != NULL
+	&& b->additional_tickets->len != 0
+	&& b->kdc_options.enc_tkt_in_skey == 0)
+    {
+	Key *clientkey;
+	Ticket *t;
+	char *str;
+
+	t = &b->additional_tickets->val[0];
+
+	ret = hdb_enctype2key(context, &client->entry, 
+			      t->enc_part.etype, &clientkey);
+	if(ret){
+	    ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
+	    goto out;
+	}
+
+	ret = krb5_decrypt_ticket(context, t, &clientkey->key, &adtkt, 0);
+	if (ret) {
+	    kdc_log(context, config, 0,
+		    "failed to decrypt ticket for "
+		    "constrained delegation from %s to %s ", spn, cpn);
+	    goto out;
+	}
+
+	/* check that ticket is valid */
+
+	if (adtkt.flags.forwardable == 0) {
+	    kdc_log(context, config, 0,
+		    "Missing forwardable flag on ticket for "
+		    "constrained delegation from %s to %s ", spn, cpn);
+	    ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
+	    goto out;
+	}
+
+	ret = check_constrained_delegation(context, config, client, sp);
+	if (ret) {
+	    kdc_log(context, config, 0,
+		    "constrained delegation from %s to %s not allowed", 
+		    spn, cpn);
+	    goto out;
+	}
+
+	ret = _krb5_principalname2krb5_principal(context,
+						 &client_principal,
+						 adtkt.cname,
+						 adtkt.crealm);
+	if (ret)
+	    goto out;
+
+	ret = krb5_unparse_name(context, client_principal, &str);
+	if (ret)
+	    goto out;
+
+	ret = verify_flags(context, config, &adtkt, str);
+	if (ret) {
+	    free(str);
+	    goto out;
+	}
+
+	/*
+	 * Check KRB5SignedPath in authorization data and add new entry to
+	 * make sure servers can't fake a ticket to us.
+	 */
+
+	ret = check_KRB5SignedPath(context,
+				   config,
+				   krbtgt,
+				   &adtkt,
+				   &spp,
+				   1);
+	if (ret) {
+	    kdc_log(context, config, 0,
+		    "KRB5SignedPath check from service %s failed "
+		    "for delegation to %s for client %s "
+		    "from %s failed with %s",
+		    spn, str, cpn, from, krb5_get_err_text(context, ret));
+	    free(str);
+	    goto out;
+	}
+
+	kdc_log(context, config, 0, "constrained delegation for %s "
+		"from %s to %s", str, cpn, spn);
+	free(str);
+
+	/* 
+	 * Also require that the KDC have issue the service's krbtgt
+	 * used to do the request. 
+	 */
+	require_signedpath = 1;
+    }
+
+    /*
+     * Check flags
+     */
+
+    ret = _kdc_check_flags(context, config, 
+			   client, cpn,
+			   server, spn,
+			   FALSE);
+    if(ret)
+	goto out;
+
+    if((b->kdc_options.validate || b->kdc_options.renew) && 
+       !krb5_principal_compare(context, 
+			       krbtgt->entry.principal,
+			       server->entry.principal)){
+	kdc_log(context, config, 0, "Inconsistent request.");
+	ret = KRB5KDC_ERR_SERVER_NOMATCH;
+	goto out;
+    }
+
+    /* check for valid set of addresses */
+    if(!_kdc_check_addresses(context, config, tgt->caddr, from_addr)) {
+	ret = KRB5KRB_AP_ERR_BADADDR;
+	kdc_log(context, config, 0, "Request from wrong address");
+	goto out;
+    }
+	
+    /*
+     * Select enctype, return key and kvno.
+     */
+
+    {
+	krb5_enctype etype;
+
+	if(b->kdc_options.enc_tkt_in_skey) {
+	    int i;
+	    ekey = &adtkt.key;
+	    for(i = 0; i < b->etype.len; i++)
+		if (b->etype.val[i] == adtkt.key.keytype)
+		    break;
+	    if(i == b->etype.len) {
+		krb5_clear_error_string(context);
+		return KRB5KDC_ERR_ETYPE_NOSUPP;
+	    }
+	    etype = b->etype.val[i];
+	    kvno = 0;
+	} else {
+	    Key *skey;
+	    
+	    ret = _kdc_find_etype(context, server, b->etype.val, b->etype.len,
+				  &skey, &etype);
+	    if(ret) {
+		kdc_log(context, config, 0, 
+			"Server (%s) has no support for etypes", spp);
+		return ret;
+	    }
+	    ekey = &skey->key;
+	    kvno = server->entry.kvno;
+	}
+	
+	ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
+	if (ret)
+	    goto out;
+    }
+
+    /* check PAC if not cross realm and if there is one */
+    if (!cross_realm) {
+	Key *tkey;
+
+	ret = hdb_enctype2key(context, &krbtgt->entry, 
+			      krbtgt_etype, &tkey);
+	if(ret) {
+	    kdc_log(context, config, 0,
+		    "Failed to find key for krbtgt PAC check");
+	    goto out;
+	}
+
+	ret = check_PAC(context, config, client_principal, 
+			client, server, ekey, &tkey->key,
+			tgt, &rspac, &require_signedpath);
+	if (ret) {
+	    kdc_log(context, config, 0,
+		    "Verify PAC failed for %s (%s) from %s with %s",
+		    spn, cpn, from, krb5_get_err_text(context, ret));
+	    goto out;
+	}
+    }
+
+    /* also check the krbtgt for signature */
+    ret = check_KRB5SignedPath(context,
+			       config,
+			       krbtgt,
+			       tgt,
+			       &spp,
+			       require_signedpath);
+    if (ret) {
+	kdc_log(context, config, 0,
+		"KRB5SignedPath check failed for %s (%s) from %s with %s",
+		spn, cpn, from, krb5_get_err_text(context, ret));
+	goto out;
+    }
+
+    /*
+     *
+     */
+
+    ret = tgs_make_reply(context,
+			 config, 
+			 b, 
+			 client_principal,
+			 tgt, 
+			 ekey,
+			 &sessionkey,
+			 kvno,
+			 auth_data,
+			 server, 
+			 spn,
+			 client, 
+			 cp, 
+			 krbtgt, 
+			 krbtgt_etype,
+			 spp,
+			 &rspac,
+			 e_text,
+			 reply);
+	
+out:
+    free(spn);
+    free(cpn);
+	    
+    krb5_data_free(&rspac);
+    krb5_free_keyblock_contents(context, &sessionkey);
+    if(server)
+	_kdc_free_ent(context, server);
+    if(client)
+	_kdc_free_ent(context, client);
+
+    if (client_principal && client_principal != cp)
+	krb5_free_principal(context, client_principal);
+    if (cp)
+	krb5_free_principal(context, cp);
+    if (sp)
+	krb5_free_principal(context, sp);
+
+    free_EncTicketPart(&adtkt);
+
+    return ret;
+}
+
+/*
+ *
+ */
+
+krb5_error_code
+_kdc_tgs_rep(krb5_context context, 
+	     krb5_kdc_configuration *config,
+	     KDC_REQ *req, 
+	     krb5_data *data,
+	     const char *from,
+	     struct sockaddr *from_addr,
+	     int datagram_reply)
+{
+    AuthorizationData *auth_data = NULL;
+    krb5_error_code ret;
+    int i = 0;
+    const PA_DATA *tgs_req;
+
+    hdb_entry_ex *krbtgt = NULL;
+    krb5_ticket *ticket = NULL;
+    const char *e_text = NULL;
+    krb5_enctype krbtgt_etype = ETYPE_NULL;
+
+    time_t *csec = NULL;
+    int *cusec = NULL;
+
+    if(req->padata == NULL){
+	ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
+	kdc_log(context, config, 0,
+		"TGS-REQ from %s without PA-DATA", from);
+	goto out;
+    }
+    
+    tgs_req = _kdc_find_padata(req, &i, KRB5_PADATA_TGS_REQ);
+
+    if(tgs_req == NULL){
+	ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+	
+	kdc_log(context, config, 0, 
+		"TGS-REQ from %s without PA-TGS-REQ", from);
+	goto out;
+    }
+    ret = tgs_parse_request(context, config, 
+			    &req->req_body, tgs_req,
+			    &krbtgt,
+			    &krbtgt_etype,
+			    &ticket,
+			    &e_text,
+			    from, from_addr,
+			    &csec, &cusec,
+			    &auth_data);
+    if (ret) {
+	kdc_log(context, config, 0, 
+		"Failed parsing TGS-REQ from %s", from);
+	goto out;
+    }
+
+    ret = tgs_build_reply(context,
+			  config,
+			  req,
+			  &req->req_body,
+			  krbtgt,
+			  krbtgt_etype,
+			  ticket,
+			  data,
+			  from,
+			  &e_text,
+			  auth_data,
+			  from_addr,
+			  datagram_reply);
+    if (ret) {
+	kdc_log(context, config, 0, 
+		"Failed building TGS-REP to %s", from);
+	goto out;
+    }
+
+    /* */
+    if (datagram_reply && data->length > config->max_datagram_reply_length) {
+	krb5_data_free(data);
+	ret = KRB5KRB_ERR_RESPONSE_TOO_BIG;
+	e_text = "Reply packet too large";
+    }
+
+out:
+    if(ret && data->data == NULL){
+	krb5_mk_error(context,
+		      ret,
+		      NULL,
+		      NULL,
+		      NULL,
+		      NULL,
+		      csec,
+		      cusec,
+		      data);
+    }
+    free(csec);
+    free(cusec);
+    if (ticket)
+	krb5_free_ticket(context, ticket);
+    if(krbtgt)
+	_kdc_free_ent(context, krbtgt);
+
+    if (auth_data) {
+	free_AuthorizationData(auth_data);
+	free(auth_data);
+    }
+
+    return 0;
+}
diff --git a/crypto/heimdal/kdc/kstash.8 b/crypto/heimdal/kdc/kstash.8
index 3bd46c63..f30eac6 100644
--- a/crypto/heimdal/kdc/kstash.8
+++ b/crypto/heimdal/kdc/kstash.8
@@ -1,6 +1,37 @@
-.\" $Id: kstash.8,v 1.7 2002/08/20 16:37:14 joda Exp $
+.\" Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden). 
+.\" All rights reserved. 
 .\"
-.Dd September  1, 2000
+.\" Redistribution and use in source and binary forms, with or without 
+.\" modification, are permitted provided that the following conditions 
+.\" are met: 
+.\"
+.\" 1. Redistributions of source code must retain the above copyright 
+.\"    notice, this list of conditions and the following disclaimer. 
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright 
+.\"    notice, this list of conditions and the following disclaimer in the 
+.\"    documentation and/or other materials provided with the distribution. 
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors 
+.\"    may be used to endorse or promote products derived from this software 
+.\"    without specific prior written permission. 
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+.\" SUCH DAMAGE. 
+.\"
+.\" $Id: kstash.8 20316 2007-04-11 11:53:20Z lha $
+.\"
+.Dd April 10, 2007
 .Dt KSTASH 8
 .Os HEIMDAL
 .Sh NAME
@@ -8,6 +39,7 @@
 .Nd "store the KDC master password in a file"
 .Sh SYNOPSIS
 .Nm
+.Bk -words
 .Oo Fl e Ar string \*(Ba Xo
 .Fl -enctype= Ns Ar string
 .Xc
@@ -17,9 +49,12 @@
 .Xc
 .Oc
 .Op Fl -convert-file
+.Op Fl -random-key
 .Op Fl -master-key-fd= Ns Ar fd
+.Op Fl -random-key
 .Op Fl h | Fl -help
 .Op Fl -version
+.Ek
 .Sh DESCRIPTION
 .Nm
 reads the Kerberos master key and stores it in a file that will be
@@ -31,25 +66,34 @@ Supported options:
 .Fl e Ar string ,
 .Fl -enctype= Ns Ar string
 .Xc
-the encryption type to use, defaults to DES3-CBC-SHA1
+the encryption type to use, defaults to DES3-CBC-SHA1.
 .It Xo
 .Fl k Ar file ,
 .Fl -key-file= Ns Ar file
 .Xc
-the name of the master key file
+the name of the master key file.
 .It Xo
 .Fl -convert-file
 .Xc
 don't ask for a new master key, just read an old master key file, and
-write it back in the new keyfile format
+write it back in the new keyfile format.
+.It Xo
+.Fl -random-key
+.Xc
+generate a random master key.
 .It Xo
 .Fl -master-key-fd= Ns Ar fd
 .Xc
 filedescriptor to read passphrase from, if not specified the
-passphrase will be read from the terminal
+passphrase will be read from the terminal.
 .El
 .\".Sh ENVIRONMENT
-.\".Sh FILES
+.Sh FILES
+.Pa /var/heimdal/m-key
+is the default keyfile if no other keyfile is specified.
+The format of a Heimdal master key is the same as a keytab, so
+.Nm ktutil
+list can be used to list the content of the file.
 .\".Sh EXAMPLES
 .\".Sh DIAGNOSTICS
 .Sh SEE ALSO
diff --git a/crypto/heimdal/kdc/kstash.c b/crypto/heimdal/kdc/kstash.c
index dc0621a..9e499a1 100644
--- a/crypto/heimdal/kdc/kstash.c
+++ b/crypto/heimdal/kdc/kstash.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,26 +33,28 @@
 
 #include "headers.h"
 
-RCSID("$Id: kstash.c,v 1.15 2002/04/18 09:47:25 joda Exp $");
+RCSID("$Id: kstash.c 22244 2007-12-08 23:47:42Z lha $");
 
 krb5_context context;
 
-const char *keyfile = HDB_DB_DIR "/m-key";
-int convert_flag;
-int help_flag;
-int version_flag;
+static char *keyfile;
+static int convert_flag;
+static int help_flag;
+static int version_flag;
 
-int master_key_fd = -1;
+static int master_key_fd = -1;
+static int random_key_flag;
 
-const char *enctype_str = "des3-cbc-sha1";
+static const char *enctype_str = "des3-cbc-sha1";
 
-struct getargs args[] = {
+static struct getargs args[] = {
     { "enctype", 'e', arg_string, &enctype_str, "encryption type" },
     { "key-file", 'k', arg_string, &keyfile, "master key file", "file" },
     { "convert-file", 0, arg_flag, &convert_flag, 
       "just convert keyfile to new format" },
     { "master-key-fd", 0, arg_integer, &master_key_fd, 
       "filedescriptor to read passphrase from", "fd" },
+    { "random-key", 0, arg_flag, &random_key_flag, "generate a random master key" },
     { "help", 'h', arg_flag, &help_flag },
     { "version", 0, arg_flag, &version_flag }
 };
@@ -78,6 +80,13 @@ main(int argc, char **argv)
 	exit(0);
     }
 
+    if (master_key_fd != -1 && random_key_flag)
+	krb5_errx(context, 1, "random-key and master-key-fd "
+		  "is mutual exclusive");
+
+    if (keyfile == NULL)
+	asprintf(&keyfile, "%s/m-key", hdb_db_dir(context));
+
     ret = krb5_string_to_enctype(context, enctype_str, &enctype);
     if(ret)
 	krb5_err(context, 1, ret, "krb5_string_to_enctype");
@@ -96,18 +105,26 @@ main(int argc, char **argv)
 	/* XXX better value? */
 	salt.saltvalue.data = NULL;
 	salt.saltvalue.length = 0;
-	if(master_key_fd != -1) {
-	    ssize_t n;
-	    n = read(master_key_fd, buf, sizeof(buf));
-	    if(n <= 0)
-		krb5_err(context, 1, errno, "failed to read passphrase");
-	    buf[n] = '\0';
-	    buf[strcspn(buf, "\r\n")] = '\0';
+	if (random_key_flag) {
+	    ret = krb5_generate_random_keyblock(context, enctype, &key);
+	    if (ret)
+		krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
+
 	} else {
-	    if(des_read_pw_string(buf, sizeof(buf), "Master key: ", 1))
-		exit(1);
+	    if(master_key_fd != -1) {
+		ssize_t n;
+		n = read(master_key_fd, buf, sizeof(buf));
+		if(n <= 0)
+		    krb5_err(context, 1, errno, "failed to read passphrase");
+		buf[n] = '\0';
+		buf[strcspn(buf, "\r\n")] = '\0';
+		
+	    } else {
+		if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Master key: ", 1))
+		    exit(1);
+	    }
+	    krb5_string_to_key_salt(context, enctype, buf, salt, &key);
 	}
-	krb5_string_to_key_salt(context, enctype, buf, salt, &key);
 	ret = hdb_add_master_key(context, &key, &mkey);
 	
 	krb5_free_keyblock_contents(context, &key);
diff --git a/crypto/heimdal/kdc/kx509.c b/crypto/heimdal/kdc/kx509.c
new file mode 100644
index 0000000..b1b861e
--- /dev/null
+++ b/crypto/heimdal/kdc/kx509.c
@@ -0,0 +1,460 @@
+/*
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+#include <hex.h>
+#include <rfc2459_asn1.h>
+#include <hx509.h>
+
+RCSID("$Id: kx509.c 21607 2007-07-17 07:04:52Z lha $");
+
+/*
+ *
+ */
+
+krb5_error_code
+_kdc_try_kx509_request(void *ptr, size_t len, Kx509Request *req, size_t *size)
+{
+    if (len < 4)
+	return -1;
+    if (memcmp("\x00\x00\x02\x00", ptr, 4) != 0)
+	return -1;
+    return decode_Kx509Request(((unsigned char *)ptr) + 4, len - 4, req, size);
+}
+
+/*
+ *
+ */
+
+static const unsigned char version_2_0[4] = {0 , 0, 2, 0};
+
+static krb5_error_code
+verify_req_hash(krb5_context context, 
+		const Kx509Request *req,
+		krb5_keyblock *key)
+{
+    unsigned char digest[SHA_DIGEST_LENGTH];
+    HMAC_CTX ctx;
+    
+    if (req->pk_hash.length != sizeof(digest)) {
+	krb5_set_error_string(context, "pk-hash have wrong length: %lu",
+			      (unsigned long)req->pk_hash.length);
+	return KRB5KDC_ERR_PREAUTH_FAILED;
+    }
+
+    HMAC_CTX_init(&ctx);
+    HMAC_Init_ex(&ctx, 
+		 key->keyvalue.data, key->keyvalue.length, 
+		 EVP_sha1(), NULL);
+    if (sizeof(digest) != HMAC_size(&ctx))
+	krb5_abortx(context, "runtime error, hmac buffer wrong size in kx509");
+    HMAC_Update(&ctx, version_2_0, sizeof(version_2_0));
+    HMAC_Update(&ctx, req->pk_key.data, req->pk_key.length);
+    HMAC_Final(&ctx, digest, 0);
+    HMAC_CTX_cleanup(&ctx);
+
+    if (memcmp(req->pk_hash.data, digest, sizeof(digest)) != 0) {
+	krb5_set_error_string(context, "pk-hash is not correct");
+	return KRB5KDC_ERR_PREAUTH_FAILED;
+    }
+    return 0;
+}
+
+static krb5_error_code
+calculate_reply_hash(krb5_context context,
+		     krb5_keyblock *key,
+		     Kx509Response *rep)
+{
+    HMAC_CTX ctx;
+    
+    HMAC_CTX_init(&ctx);
+
+    HMAC_Init_ex(&ctx, 
+		 key->keyvalue.data, key->keyvalue.length, 
+		 EVP_sha1(), NULL);
+    rep->hash->length = HMAC_size(&ctx);
+    rep->hash->data = malloc(rep->hash->length);
+    if (rep->hash->data == NULL) {
+	HMAC_CTX_cleanup(&ctx);
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+
+    HMAC_Update(&ctx, version_2_0, sizeof(version_2_0));
+    if (rep->error_code) {
+	int32_t t = *rep->error_code;
+	do {
+	    unsigned char p = (t & 0xff);
+	    HMAC_Update(&ctx, &p, 1);
+	    t >>= 8;
+	} while (t);
+    }
+    if (rep->certificate)
+	HMAC_Update(&ctx, rep->certificate->data, rep->certificate->length);
+    if (rep->e_text)
+	HMAC_Update(&ctx, (unsigned char *)*rep->e_text, strlen(*rep->e_text));
+
+    HMAC_Final(&ctx, rep->hash->data, 0);
+    HMAC_CTX_cleanup(&ctx);
+
+    return 0;
+}
+
+/*
+ * Build a certifate for `principal´ that will expire at `endtime´.
+ */
+
+static krb5_error_code
+build_certificate(krb5_context context, 
+		  krb5_kdc_configuration *config,
+		  const krb5_data *key,
+		  time_t endtime,
+		  krb5_principal principal,
+		  krb5_data *certificate)
+{
+    hx509_context hxctx = NULL;
+    hx509_ca_tbs tbs = NULL;
+    hx509_env env = NULL;
+    hx509_cert cert = NULL;
+    hx509_cert signer = NULL;
+    int ret;
+
+    if (krb5_principal_get_comp_string(context, principal, 1) != NULL) {
+	kdc_log(context, config, 0, "Principal is not a user");
+	return EINVAL;
+    }
+
+    ret = hx509_context_init(&hxctx);
+    if (ret)
+	goto out;
+
+    ret = hx509_env_init(hxctx, &env);
+    if (ret)
+	goto out;
+
+    ret = hx509_env_add(hxctx, env, "principal-name", 
+			krb5_principal_get_comp_string(context, principal, 0));
+    if (ret)
+	goto out;
+
+    {
+	hx509_certs certs;
+	hx509_query *q;
+
+	ret = hx509_certs_init(hxctx, config->kx509_ca, 0,
+			       NULL, &certs);
+	if (ret) {
+	    kdc_log(context, config, 0, "Failed to load CA %s",
+		    config->kx509_ca);
+	    goto out;
+	}
+	ret = hx509_query_alloc(hxctx, &q);
+	if (ret) {
+	    hx509_certs_free(&certs);
+	    goto out;
+	}
+
+	hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
+	hx509_query_match_option(q, HX509_QUERY_OPTION_KU_KEYCERTSIGN);
+
+	ret = hx509_certs_find(hxctx, certs, q, &signer);
+	hx509_query_free(hxctx, q);
+	hx509_certs_free(&certs);
+	if (ret) {
+	    kdc_log(context, config, 0, "Failed to find a CA in %s",
+		    config->kx509_ca);
+	    goto out;
+	}
+    }
+
+    ret = hx509_ca_tbs_init(hxctx, &tbs);
+    if (ret)
+	goto out;
+
+    {
+	SubjectPublicKeyInfo spki;
+	heim_any any;
+
+	memset(&spki, 0, sizeof(spki));
+
+	spki.subjectPublicKey.data = key->data;
+	spki.subjectPublicKey.length = key->length * 8;
+
+	ret = der_copy_oid(oid_id_pkcs1_rsaEncryption(), 
+			   &spki.algorithm.algorithm);
+
+	any.data = "\x05\x00";
+	any.length = 2;
+	spki.algorithm.parameters = &any;
+
+	ret = hx509_ca_tbs_set_spki(hxctx, tbs, &spki);
+	der_free_oid(&spki.algorithm.algorithm);
+	if (ret)
+	    goto out;
+    }
+
+    {
+	hx509_certs certs;
+	hx509_cert template;
+
+	ret = hx509_certs_init(hxctx, config->kx509_template, 0,
+			       NULL, &certs);
+	if (ret) {
+	    kdc_log(context, config, 0, "Failed to load template %s",
+		    config->kx509_template);
+	    goto out;
+	}
+	ret = hx509_get_one_cert(hxctx, certs, &template);
+	hx509_certs_free(&certs);
+	if (ret) {
+	    kdc_log(context, config, 0, "Failed to find template in %s",
+		    config->kx509_template);
+	    goto out;
+	}
+	ret = hx509_ca_tbs_set_template(hxctx, tbs, 
+					HX509_CA_TEMPLATE_SUBJECT|
+					HX509_CA_TEMPLATE_KU|
+					HX509_CA_TEMPLATE_EKU,
+					template);
+	hx509_cert_free(template);
+	if (ret)
+	    goto out;
+    }
+
+    hx509_ca_tbs_set_notAfter(hxctx, tbs, endtime);
+
+    hx509_ca_tbs_subject_expand(hxctx, tbs, env);
+    hx509_env_free(&env);
+
+    ret = hx509_ca_sign(hxctx, tbs, signer, &cert);
+    hx509_cert_free(signer);
+    if (ret)
+	goto out;
+
+    hx509_ca_tbs_free(&tbs);
+
+    ret = hx509_cert_binary(hxctx, cert, certificate);
+    hx509_cert_free(cert);
+    if (ret)
+	goto out;
+		      
+    hx509_context_free(&hxctx);
+
+    return 0;
+out:
+    if (env)
+	hx509_env_free(&env);
+    if (tbs)
+	hx509_ca_tbs_free(&tbs);
+    if (signer)
+	hx509_cert_free(signer);
+    if (hxctx)
+	hx509_context_free(&hxctx);
+    krb5_set_error_string(context, "cert creation failed");
+    return ret;
+}
+
+/*
+ *
+ */
+
+krb5_error_code
+_kdc_do_kx509(krb5_context context, 
+	      krb5_kdc_configuration *config,
+	      const Kx509Request *req, krb5_data *reply,
+	      const char *from, struct sockaddr *addr)
+{
+    krb5_error_code ret;
+    krb5_ticket *ticket = NULL;
+    krb5_flags ap_req_options;
+    krb5_auth_context ac = NULL;
+    krb5_keytab id = NULL;
+    krb5_principal sprincipal = NULL, cprincipal = NULL;
+    char *cname = NULL;
+    Kx509Response rep;
+    size_t size;
+    krb5_keyblock *key = NULL;
+
+    krb5_data_zero(reply);
+    memset(&rep, 0, sizeof(rep));
+
+    if(!config->enable_kx509) {
+	kdc_log(context, config, 0, 
+		"Rejected kx509 request (disabled) from %s", from);
+	return KRB5KDC_ERR_POLICY;
+    }
+
+    kdc_log(context, config, 0, "Kx509 request from %s", from);
+
+    ret = krb5_kt_resolve(context, "HDB:", &id);
+    if (ret) {
+	kdc_log(context, config, 0, "Can't open database for digest");
+	goto out;
+    }
+
+    ret = krb5_rd_req(context, 
+		      &ac,
+		      &req->authenticator,
+		      NULL,
+		      id,
+		      &ap_req_options,
+		      &ticket);
+    if (ret)
+	goto out;
+
+    ret = krb5_ticket_get_client(context, ticket, &cprincipal);
+    if (ret)
+	goto out;
+
+    ret = krb5_unparse_name(context, cprincipal, &cname);
+    if (ret)
+	goto out;
+    
+    /* verify server principal */
+
+    ret = krb5_sname_to_principal(context, NULL, "kca_service",
+				  KRB5_NT_UNKNOWN, &sprincipal);
+    if (ret)
+	goto out;
+
+    {
+	krb5_principal principal = NULL;
+
+	ret = krb5_ticket_get_server(context, ticket, &principal);
+	if (ret)
+	    goto out;
+
+	ret = krb5_principal_compare(context, sprincipal, principal);
+	krb5_free_principal(context, principal);
+	if (ret != TRUE) {
+	    ret = KRB5KDC_ERR_SERVER_NOMATCH;
+	    krb5_set_error_string(context, 
+				  "User %s used wrong Kx509 service principal",
+				  cname);
+	    goto out;
+	}
+    }
+    
+    ret = krb5_auth_con_getkey(context, ac, &key);
+    if (ret || key == NULL) {
+	krb5_set_error_string(context, "Kx509 can't get session key");
+	goto out;
+    }
+    
+    ret = verify_req_hash(context, req, key);
+    if (ret)
+	goto out;
+
+    /* Verify that the key is encoded RSA key */
+    {
+	RSAPublicKey key;
+	size_t size;
+
+	ret = decode_RSAPublicKey(req->pk_key.data, req->pk_key.length,
+				  &key, &size);
+	if (ret)
+	    goto out;
+	free_RSAPublicKey(&key);
+	if (size != req->pk_key.length)
+	    ;
+    }
+
+    ALLOC(rep.certificate);
+    if (rep.certificate == NULL)
+	goto out;
+    krb5_data_zero(rep.certificate);
+    ALLOC(rep.hash);
+    if (rep.hash == NULL)
+	goto out;
+    krb5_data_zero(rep.hash);
+
+    ret = build_certificate(context, config, &req->pk_key, 
+			    krb5_ticket_get_endtime(context, ticket),
+			    cprincipal, rep.certificate);
+    if (ret)
+	goto out;
+
+    ret = calculate_reply_hash(context, key, &rep);
+    if (ret)
+	goto out;
+
+    /*
+     * Encode reply, [ version | Kx509Response ]
+     */
+
+    {
+	krb5_data data;
+
+	ASN1_MALLOC_ENCODE(Kx509Response, data.data, data.length, &rep,
+			   &size, ret);
+	if (ret) {
+	    krb5_set_error_string(context, "Failed to encode kx509 reply");
+	    goto out;
+	}
+	if (size != data.length)
+	    krb5_abortx(context, "ASN1 internal error");
+
+	ret = krb5_data_alloc(reply, data.length + sizeof(version_2_0));
+	if (ret) {
+	    free(data.data);
+	    goto out;
+	}
+	memcpy(reply->data, version_2_0, sizeof(version_2_0));
+	memcpy(((unsigned char *)reply->data) + sizeof(version_2_0),
+	       data.data, data.length);
+	free(data.data);
+    }
+
+    kdc_log(context, config, 0, "Successful Kx509 request for %s", cname);
+
+out:
+    if (ac)
+	krb5_auth_con_free(context, ac);
+    if (ret)
+	krb5_warn(context, ret, "Kx509 request from %s failed", from);
+    if (ticket)
+	krb5_free_ticket(context, ticket);
+    if (id)
+	krb5_kt_close(context, id);
+    if (sprincipal)
+	krb5_free_principal(context, sprincipal);
+    if (cprincipal)
+	krb5_free_principal(context, cprincipal);
+    if (key)
+	krb5_free_keyblock (context, key);
+    if (cname)
+	free(cname);
+    free_Kx509Response(&rep);
+
+    return 0;
+}
diff --git a/crypto/heimdal/kdc/log.c b/crypto/heimdal/kdc/log.c
index aa430aa..8cf967f 100644
--- a/crypto/heimdal/kdc/log.c
+++ b/crypto/heimdal/kdc/log.c
@@ -32,53 +32,62 @@
  */
 
 #include "kdc_locl.h"
-RCSID("$Id: log.c,v 1.14 2002/08/19 12:17:49 joda Exp $");
-
-static krb5_log_facility *logf;
+RCSID("$Id: log.c 22254 2007-12-09 06:01:05Z lha $");
 
 void
-kdc_openlog(void)
+kdc_openlog(krb5_context context, 
+	    krb5_kdc_configuration *config)
 {
     char **s = NULL, **p;
-    krb5_initlog(context, "kdc", &logf);
+    krb5_initlog(context, "kdc", &config->logf);
     s = krb5_config_get_strings(context, NULL, "kdc", "logging", NULL);
     if(s == NULL)
 	s = krb5_config_get_strings(context, NULL, "logging", "kdc", NULL);
     if(s){
 	for(p = s; *p; p++)
-	    krb5_addlog_dest(context, logf, *p);
+	    krb5_addlog_dest(context, config->logf, *p);
 	krb5_config_free_strings(s);
-    }else
-	krb5_addlog_dest(context, logf, DEFAULT_LOG_DEST);
-    krb5_set_warn_dest(context, logf);
+    }else {
+	char *s;
+	asprintf(&s, "0-1/FILE:%s/%s", hdb_db_dir(context), KDC_LOG_FILE);
+	krb5_addlog_dest(context, config->logf, s);
+	free(s);
+    }
+    krb5_set_warn_dest(context, config->logf);
 }
 
 char*
-kdc_log_msg_va(int level, const char *fmt, va_list ap)
+kdc_log_msg_va(krb5_context context, 
+	       krb5_kdc_configuration *config,
+	       int level, const char *fmt, va_list ap)
 {
     char *msg;
-    krb5_vlog_msg(context, logf, &msg, level, fmt, ap);
+    krb5_vlog_msg(context, config->logf, &msg, level, fmt, ap);
     return msg;
 }
 
 char*
-kdc_log_msg(int level, const char *fmt, ...)
+kdc_log_msg(krb5_context context, 
+	    krb5_kdc_configuration *config,
+	    int level, const char *fmt, ...)
 {
     va_list ap;
     char *s;
     va_start(ap, fmt);
-    s = kdc_log_msg_va(level, fmt, ap);
+    s = kdc_log_msg_va(context, config, level, fmt, ap);
     va_end(ap);
     return s;
 }
 
 void
-kdc_log(int level, const char *fmt, ...)
+kdc_log(krb5_context context, 
+	krb5_kdc_configuration *config,
+	int level, const char *fmt, ...)
 {
     va_list ap;
     char *s;
     va_start(ap, fmt);
-    s = kdc_log_msg_va(level, fmt, ap);
+    s = kdc_log_msg_va(context, config, level, fmt, ap);
     if(s) free(s);
     va_end(ap);
 }
diff --git a/crypto/heimdal/kdc/main.c b/crypto/heimdal/kdc/main.c
index 32ae20f..9195b04 100644
--- a/crypto/heimdal/kdc/main.c
+++ b/crypto/heimdal/kdc/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -36,57 +36,38 @@
 #include <util.h>
 #endif
 
-RCSID("$Id: main.c,v 1.27 2002/08/28 21:27:16 joda Exp $");
+RCSID("$Id: main.c 20454 2007-04-19 20:21:51Z lha $");
 
 sig_atomic_t exit_flag = 0;
-krb5_context context;
 
-#ifdef HAVE_DAEMON
-extern int detach_from_console;
-#endif
+int detach_from_console = -1;
 
 static RETSIGTYPE
 sigterm(int sig)
 {
-    exit_flag = 1;
+    exit_flag = sig;
 }
 
 int
 main(int argc, char **argv)
 {
     krb5_error_code ret;
+    krb5_context context;
+    krb5_kdc_configuration *config;
+
     setprogname(argv[0]);
     
     ret = krb5_init_context(&context);
-    if (ret)
+    if (ret == KRB5_CONFIG_BADFORMAT)
+	errx (1, "krb5_init_context failed to parse configuration file");
+    else if (ret)
 	errx (1, "krb5_init_context failed: %d", ret);
 
-    configure(argc, argv);
+    ret = krb5_kt_register(context, &hdb_kt_ops);
+    if (ret)
+	errx (1, "krb5_kt_register(HDB) failed: %d", ret);
 
-    if(databases == NULL) {
-	db = malloc(sizeof(*db));
-	num_db = 1;
-	ret = hdb_create(context, &db[0], NULL);
-	if(ret)
-	    krb5_err(context, 1, ret, "hdb_create %s", HDB_DEFAULT_DB);
-	ret = hdb_set_master_keyfile(context, db[0], NULL);
-	if (ret)
-	    krb5_err(context, 1, ret, "hdb_set_master_keyfile");
-    } else {
-	struct dbinfo *d;
-	int i;
-	/* count databases */
-	for(d = databases, i = 0; d; d = d->next, i++);
-	db = malloc(i * sizeof(*db));
-	for(d = databases, num_db = 0; d; d = d->next, num_db++) {
-	    ret = hdb_create(context, &db[num_db], d->dbname);
-	    if(ret)
-		krb5_err(context, 1, ret, "hdb_create %s", d->dbname);
-	    ret = hdb_set_master_keyfile(context, db[num_db], d->mkey_file);
-	    if (ret)
-		krb5_err(context, 1, ret, "hdb_set_master_keyfile");
-	}
-    }
+    config = configure(context, argc, argv);
 
 #ifdef HAVE_SIGACTION
     {
@@ -98,17 +79,21 @@ main(int argc, char **argv)
 
 	sigaction(SIGINT, &sa, NULL);
 	sigaction(SIGTERM, &sa, NULL);
+	sigaction(SIGXCPU, &sa, NULL);
+
+	sa.sa_handler = SIG_IGN;
+	sigaction(SIGPIPE, &sa, NULL);
     }
 #else
     signal(SIGINT, sigterm);
     signal(SIGTERM, sigterm);
+    signal(SIGXCPU, sigterm);
+    signal(SIGPIPE, SIG_IGN);
 #endif
-#ifdef HAVE_DAEMON
     if (detach_from_console)
 	daemon(0, 0);
-#endif
     pidfile(NULL);
-    loop();
+    loop(context, config);
     krb5_free_context(context);
     return 0;
 }
diff --git a/crypto/heimdal/kdc/misc.c b/crypto/heimdal/kdc/misc.c
index aebdc68..072df44 100644
--- a/crypto/heimdal/kdc/misc.c
+++ b/crypto/heimdal/kdc/misc.c
@@ -33,44 +33,90 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: misc.c,v 1.22 2001/01/30 03:54:21 assar Exp $");
+RCSID("$Id: misc.c 21106 2007-06-18 10:18:11Z lha $");
 
-struct timeval now;
+struct timeval _kdc_now;
 
 krb5_error_code
-db_fetch(krb5_principal principal, hdb_entry **h)
+_kdc_db_fetch(krb5_context context,
+	      krb5_kdc_configuration *config,
+	      krb5_const_principal principal,
+	      unsigned flags,
+	      HDB **db,
+	      hdb_entry_ex **h)
 {
-    hdb_entry *ent;
-    krb5_error_code ret = HDB_ERR_NOENTRY;
+    hdb_entry_ex *ent;
+    krb5_error_code ret;
     int i;
 
-    ent = malloc (sizeof (*ent));
-    if (ent == NULL)
+    ent = calloc (1, sizeof (*ent));
+    if (ent == NULL) {
+	krb5_set_error_string(context, "out of memory");
 	return ENOMEM;
-    ent->principal = principal;
+    }
 
-    for(i = 0; i < num_db; i++) {
-	ret = db[i]->open(context, db[i], O_RDONLY, 0);
+    for(i = 0; i < config->num_db; i++) {
+	ret = config->db[i]->hdb_open(context, config->db[i], O_RDONLY, 0);
 	if (ret) {
-	    kdc_log(0, "Failed to open database: %s", 
+	    kdc_log(context, config, 0, "Failed to open database: %s", 
 		    krb5_get_err_text(context, ret));
 	    continue;
 	}
-	ret = db[i]->fetch(context, db[i], HDB_F_DECRYPT, ent);
-	db[i]->close(context, db[i]);
+	ret = config->db[i]->hdb_fetch(context, 
+				       config->db[i],
+				       principal,
+				       flags | HDB_F_DECRYPT,
+				       ent);
+	config->db[i]->hdb_close(context, config->db[i]);
 	if(ret == 0) {
+	    if (db)
+		*db = config->db[i];
 	    *h = ent;
 	    return 0;
 	}
     }
     free(ent);
-    return ret;
+    krb5_set_error_string(context, "no such entry found in hdb");
+    return  HDB_ERR_NOENTRY;
 }
 
 void
-free_ent(hdb_entry *ent)
+_kdc_free_ent(krb5_context context, hdb_entry_ex *ent)
 {
     hdb_free_entry (context, ent);
     free (ent);
 }
 
+/*
+ * Use the order list of preferred encryption types and sort the
+ * available keys and return the most preferred key.
+ */
+
+krb5_error_code
+_kdc_get_preferred_key(krb5_context context,
+		       krb5_kdc_configuration *config,
+		       hdb_entry_ex *h,
+		       const char *name,
+		       krb5_enctype *enctype,
+		       Key **key)
+{
+    const krb5_enctype *p;
+    krb5_error_code ret;
+    int i;
+
+    p = krb5_kerberos_enctypes(context);
+
+    for (i = 0; p[i] != ETYPE_NULL; i++) {
+	if (krb5_enctype_valid(context, p[i]) != 0)
+	    continue;
+	ret = hdb_enctype2key(context, &h->entry, p[i], key);
+	if (ret == 0) {
+	    *enctype = p[i];
+	    return 0;
+	}
+    }
+
+    krb5_set_error_string(context, "No valid kerberos key found for %s", name);
+    return EINVAL;
+}
+
diff --git a/crypto/heimdal/kdc/mit_dump.c b/crypto/heimdal/kdc/mit_dump.c
index 336d265..dd2f5d7 100644
--- a/crypto/heimdal/kdc/mit_dump.c
+++ b/crypto/heimdal/kdc/mit_dump.c
@@ -33,7 +33,7 @@
 
 #include "hprop.h"
 
-RCSID("$Id: mit_dump.c,v 1.3 2000/08/09 09:57:37 joda Exp $");
+RCSID("$Id: mit_dump.c 21745 2007-07-31 16:11:25Z lha $");
 
 /*
 can have any number of princ stanzas.
@@ -168,7 +168,6 @@ fix_salt(krb5_context context, hdb_entry *ent, int key_num)
     {
 	size_t len;
 	int i;
-	krb5_error_code ret;
 	char *p;
 	    
 	len = 0;
@@ -219,10 +218,10 @@ int
 mit_prop_dump(void *arg, const char *file)
 {
     krb5_error_code ret;
-    char buf [1024];
+    char line [2048];
     FILE *f;
     int lineno = 0;
-    struct hdb_entry ent;
+    struct hdb_entry_ex ent;
 
     struct prop_data *pd = arg;
 
@@ -230,8 +229,8 @@ mit_prop_dump(void *arg, const char *file)
     if(f == NULL)
 	return errno;
     
-    while(fgets(buf, sizeof(buf), f)) {
-	char *p = buf, *q;
+    while(fgets(line, sizeof(line), f)) {
+	char *p = line, *q;
 
 	int i;
 
@@ -275,28 +274,28 @@ mit_prop_dump(void *arg, const char *file)
 	num_key_data = getint(&p); /* number of key-data */
 	extra_data_length = getint(&p);  /* length of extra data */
 	q = nexttoken(&p); /* principal name */
-	krb5_parse_name(pd->context, q, &ent.principal);
+	krb5_parse_name(pd->context, q, &ent.entry.principal);
 	attributes = getint(&p); /* attributes */
-	attr_to_flags(attributes, &ent.flags);
+	attr_to_flags(attributes, &ent.entry.flags);
 	tmp = getint(&p); /* max life */
 	if(tmp != 0) {
-	    ALLOC(ent.max_life);
-	    *ent.max_life = tmp;
+	    ALLOC(ent.entry.max_life);
+	    *ent.entry.max_life = tmp;
 	}
 	tmp = getint(&p); /* max renewable life */
 	if(tmp != 0) {
-	    ALLOC(ent.max_renew);
-	    *ent.max_renew = tmp;
+	    ALLOC(ent.entry.max_renew);
+	    *ent.entry.max_renew = tmp;
 	}
 	tmp = getint(&p); /* expiration */
 	if(tmp != 0 && tmp != 2145830400) {
-	    ALLOC(ent.valid_end);
-	    *ent.valid_end = tmp;
+	    ALLOC(ent.entry.valid_end);
+	    *ent.entry.valid_end = tmp;
 	}
 	tmp = getint(&p); /* pw expiration */
 	if(tmp != 0) {
-	    ALLOC(ent.pw_end);
-	    *ent.pw_end = tmp;
+	    ALLOC(ent.entry.pw_end);
+	    *ent.entry.pw_end = tmp;
 	}
 	q = nexttoken(&p); /* last auth */
 	q = nexttoken(&p); /* last failed auth */
@@ -310,61 +309,65 @@ mit_prop_dump(void *arg, const char *file)
 	    tl_type = getint(&p); /* data type */
 	    tl_length = getint(&p); /* data length */
 
-#define KRB5_TL_LAST_PWD_CHANGE	1
-#define KRB5_TL_MOD_PRINC	2
+#define mit_KRB5_TL_LAST_PWD_CHANGE	1
+#define mit_KRB5_TL_MOD_PRINC		2
 	    switch(tl_type) {
-	    case KRB5_TL_MOD_PRINC:
+	    case mit_KRB5_TL_MOD_PRINC:
 		buf = malloc(tl_length);
+		if (buf == NULL)
+		    errx(ENOMEM, "malloc");
 		getdata(&p, buf, tl_length); /* data itself */
 		val = buf[0] | (buf[1] << 8) | (buf[2] << 16) | (buf[3] << 24);
-		ret = krb5_parse_name(pd->context, buf + 4, &princ);
+		ret = krb5_parse_name(pd->context, (char *)buf + 4, &princ);
 		free(buf);
-		ALLOC(ent.modified_by);
-		ent.modified_by->time = val;
-		ent.modified_by->principal = princ;
+		ALLOC(ent.entry.modified_by);
+		ent.entry.modified_by->time = val;
+		ent.entry.modified_by->principal = princ;
 		break;
 	    default:
 		nexttoken(&p);
 		break;
 	    }
 	}
-	ALLOC_SEQ(&ent.keys, num_key_data);
+	ALLOC_SEQ(&ent.entry.keys, num_key_data);
 	for(i = 0; i < num_key_data; i++) {
 	    int key_versions;
 	    key_versions = getint(&p); /* key data version */
-	    ent.kvno = getint(&p); /* XXX kvno */
+	    ent.entry.kvno = getint(&p); /* XXX kvno */
 	    
-	    ALLOC(ent.keys.val[i].mkvno);
-	    *ent.keys.val[i].mkvno = 0;
+	    ALLOC(ent.entry.keys.val[i].mkvno);
+	    *ent.entry.keys.val[i].mkvno = 0;
 	    
 	    /* key version 0 -- actual key */
-	    ent.keys.val[i].key.keytype = getint(&p); /* key type */
+	    ent.entry.keys.val[i].key.keytype = getint(&p); /* key type */
 	    tmp = getint(&p); /* key length */
 	    /* the first two bytes of the key is the key length --
 	       skip it */
-	    krb5_data_alloc(&ent.keys.val[i].key.keyvalue, tmp - 2);
+	    krb5_data_alloc(&ent.entry.keys.val[i].key.keyvalue, tmp - 2);
 	    q = nexttoken(&p); /* key itself */
-	    hex_to_octet_string(q + 4, &ent.keys.val[i].key.keyvalue);
+	    hex_to_octet_string(q + 4, &ent.entry.keys.val[i].key.keyvalue);
 
 	    if(key_versions > 1) {
 		/* key version 1 -- optional salt */
-		ALLOC(ent.keys.val[i].salt);
-		ent.keys.val[i].salt->type = getint(&p); /* salt type */
+		ALLOC(ent.entry.keys.val[i].salt);
+		ent.entry.keys.val[i].salt->type = getint(&p); /* salt type */
 		tmp = getint(&p); /* salt length */
 		if(tmp > 0) {
-		    krb5_data_alloc(&ent.keys.val[i].salt->salt, tmp - 2);
+		    krb5_data_alloc(&ent.entry.keys.val[i].salt->salt, tmp - 2);
 		    q = nexttoken(&p); /* salt itself */
-		    hex_to_octet_string(q + 4, &ent.keys.val[i].salt->salt);
+		    hex_to_octet_string(q + 4,
+					&ent.entry.keys.val[i].salt->salt);
 		} else {
-		    ent.keys.val[i].salt->salt.length = 0;
-		    ent.keys.val[i].salt->salt.data = NULL;
+		    ent.entry.keys.val[i].salt->salt.length = 0;
+		    ent.entry.keys.val[i].salt->salt.data = NULL;
 		    tmp = getint(&p);	/* -1, if no data. */
 		}
-		fix_salt(pd->context, &ent, i);
+		fix_salt(pd->context, &ent.entry, i);
 	    }
 	}
 	q = nexttoken(&p); /* extra data */
 	v5_prop(pd->context, NULL, &ent, arg);
     }
+    fclose(f);
     return 0;
 }
diff --git a/crypto/heimdal/kdc/pkinit.c b/crypto/heimdal/kdc/pkinit.c
new file mode 100644
index 0000000..bf248af
--- /dev/null
+++ b/crypto/heimdal/kdc/pkinit.c
@@ -0,0 +1,1673 @@
+/*
+ * Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+
+RCSID("$Id: pkinit.c 22243 2007-12-08 23:39:30Z lha $");
+
+#ifdef PKINIT
+
+#include <heim_asn1.h>
+#include <rfc2459_asn1.h>
+#include <cms_asn1.h>
+#include <pkinit_asn1.h>
+
+#include <hx509.h>
+#include "crypto-headers.h"
+
+/* XXX copied from lib/krb5/pkinit.c */
+struct krb5_pk_identity {
+    hx509_context hx509ctx;
+    hx509_verify_ctx verify_ctx;
+    hx509_certs certs;
+    hx509_certs anchors;
+    hx509_certs certpool;
+    hx509_revoke_ctx revoke;
+};
+
+enum pkinit_type {
+    PKINIT_COMPAT_WIN2K = 1,
+    PKINIT_COMPAT_27 = 3
+};
+
+struct pk_client_params {
+    enum pkinit_type type;
+    BIGNUM *dh_public_key;
+    hx509_cert cert;
+    unsigned nonce;
+    DH *dh;
+    EncryptionKey reply_key;
+    char *dh_group_name;
+    hx509_peer_info peer;
+    hx509_certs client_anchors;
+};
+
+struct pk_principal_mapping {
+    unsigned int len;
+    struct pk_allowed_princ {
+	krb5_principal principal;
+	char *subject;
+    } *val;
+};
+
+static struct krb5_pk_identity *kdc_identity;
+static struct pk_principal_mapping principal_mappings;
+static struct krb5_dh_moduli **moduli;
+
+static struct {
+    krb5_data data;
+    time_t expire;
+    time_t next_update;
+} ocsp;
+
+/*
+ *
+ */
+
+static krb5_error_code
+pk_check_pkauthenticator_win2k(krb5_context context,
+			       PKAuthenticator_Win2k *a,
+			       const KDC_REQ *req)
+{
+    krb5_timestamp now;
+
+    krb5_timeofday (context, &now);
+
+    /* XXX cusec */
+    if (a->ctime == 0 || abs(a->ctime - now) > context->max_skew) {
+	krb5_clear_error_string(context);
+	return KRB5KRB_AP_ERR_SKEW;
+    }
+    return 0;
+}
+
+static krb5_error_code
+pk_check_pkauthenticator(krb5_context context,
+			 PKAuthenticator *a,
+			 const KDC_REQ *req)
+{
+    u_char *buf = NULL;
+    size_t buf_size;
+    krb5_error_code ret;
+    size_t len;
+    krb5_timestamp now;
+    Checksum checksum;
+
+    krb5_timeofday (context, &now);
+
+    /* XXX cusec */
+    if (a->ctime == 0 || abs(a->ctime - now) > context->max_skew) {
+	krb5_clear_error_string(context);
+	return KRB5KRB_AP_ERR_SKEW;
+    }
+
+    ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, &req->req_body, &len, ret);
+    if (ret) {
+	krb5_clear_error_string(context);
+	return ret;
+    }
+    if (buf_size != len)
+	krb5_abortx(context, "Internal error in ASN.1 encoder");
+
+    ret = krb5_create_checksum(context,
+			       NULL,
+			       0,
+			       CKSUMTYPE_SHA1,
+			       buf,
+			       len,
+			       &checksum);
+    free(buf);
+    if (ret) {
+	krb5_clear_error_string(context);
+	return ret;
+    }
+	
+    if (a->paChecksum == NULL) {
+	krb5_clear_error_string(context);
+	ret = KRB5_KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED;
+	goto out;
+    }
+
+    if (der_heim_octet_string_cmp(a->paChecksum, &checksum.checksum) != 0) {
+	krb5_clear_error_string(context);
+	ret = KRB5KRB_ERR_GENERIC;
+    }
+
+out:
+    free_Checksum(&checksum);
+
+    return ret;
+}
+
+void
+_kdc_pk_free_client_param(krb5_context context, 
+			  pk_client_params *client_params)
+{
+    if (client_params->cert)
+	hx509_cert_free(client_params->cert);
+    if (client_params->dh)
+	DH_free(client_params->dh);
+    if (client_params->dh_public_key)
+	BN_free(client_params->dh_public_key);
+    krb5_free_keyblock_contents(context, &client_params->reply_key);
+    if (client_params->dh_group_name)
+	free(client_params->dh_group_name);
+    if (client_params->peer)
+	hx509_peer_info_free(client_params->peer);
+    if (client_params->client_anchors)
+	hx509_certs_free(&client_params->client_anchors);
+    memset(client_params, 0, sizeof(*client_params));
+    free(client_params);
+}
+
+static krb5_error_code
+generate_dh_keyblock(krb5_context context, pk_client_params *client_params,
+                     krb5_enctype enctype, krb5_keyblock *reply_key)
+{
+    unsigned char *dh_gen_key = NULL;
+    krb5_keyblock key;
+    krb5_error_code ret;
+    size_t dh_gen_keylen, size;
+
+    memset(&key, 0, sizeof(key));
+
+    if (!DH_generate_key(client_params->dh)) {
+	krb5_set_error_string(context, "Can't generate Diffie-Hellman keys");
+	ret = KRB5KRB_ERR_GENERIC;
+	goto out;
+    }
+    if (client_params->dh_public_key == NULL) {
+	krb5_set_error_string(context, "dh_public_key");
+	ret = KRB5KRB_ERR_GENERIC;
+	goto out;
+    }
+
+    dh_gen_keylen = DH_size(client_params->dh);
+    size = BN_num_bytes(client_params->dh->p);
+    if (size < dh_gen_keylen)
+	size = dh_gen_keylen;
+
+    dh_gen_key = malloc(size);
+    if (dh_gen_key == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	ret = ENOMEM;
+	goto out;
+    }
+    memset(dh_gen_key, 0, size - dh_gen_keylen);
+
+    dh_gen_keylen = DH_compute_key(dh_gen_key + (size - dh_gen_keylen),
+				   client_params->dh_public_key,
+				   client_params->dh);
+    if (dh_gen_keylen == -1) {
+	krb5_set_error_string(context, "Can't compute Diffie-Hellman key");
+	ret = KRB5KRB_ERR_GENERIC;
+	goto out;
+    }
+
+    ret = _krb5_pk_octetstring2key(context,
+				   enctype,
+				   dh_gen_key, dh_gen_keylen,
+				   NULL, NULL,
+				   reply_key);
+
+ out:
+    if (dh_gen_key)
+	free(dh_gen_key);
+    if (key.keyvalue.data)
+	krb5_free_keyblock_contents(context, &key);
+
+    return ret;
+}
+
+static BIGNUM *
+integer_to_BN(krb5_context context, const char *field, heim_integer *f)
+{
+    BIGNUM *bn;
+
+    bn = BN_bin2bn((const unsigned char *)f->data, f->length, NULL);
+    if (bn == NULL) {
+	krb5_set_error_string(context, "PKINIT: parsing BN failed %s", field);
+	return NULL;
+    }
+    BN_set_negative(bn, f->negative);
+    return bn;
+}
+
+static krb5_error_code
+get_dh_param(krb5_context context,
+	     krb5_kdc_configuration *config,
+	     SubjectPublicKeyInfo *dh_key_info,
+	     pk_client_params *client_params)
+{
+    DomainParameters dhparam;
+    DH *dh = NULL;
+    krb5_error_code ret;
+
+    memset(&dhparam, 0, sizeof(dhparam));
+
+    if (der_heim_oid_cmp(&dh_key_info->algorithm.algorithm, oid_id_dhpublicnumber())) {
+	krb5_set_error_string(context,
+			      "PKINIT invalid oid in clientPublicValue");
+	return KRB5_BADMSGTYPE;
+    }
+
+    if (dh_key_info->algorithm.parameters == NULL) {
+	krb5_set_error_string(context, "PKINIT missing algorithm parameter "
+			      "in clientPublicValue");
+	return KRB5_BADMSGTYPE;
+    }
+
+    ret = decode_DomainParameters(dh_key_info->algorithm.parameters->data,
+				  dh_key_info->algorithm.parameters->length,
+				  &dhparam,
+				  NULL);
+    if (ret) {
+	krb5_set_error_string(context, "Can't decode algorithm "
+			      "parameters in clientPublicValue");
+	goto out;
+    }
+
+    if ((dh_key_info->subjectPublicKey.length % 8) != 0) {
+	ret = KRB5_BADMSGTYPE;
+	krb5_set_error_string(context, "PKINIT: subjectPublicKey not aligned "
+			      "to 8 bit boundary");
+	goto out;
+    }
+
+
+    ret = _krb5_dh_group_ok(context, config->pkinit_dh_min_bits, 
+			    &dhparam.p, &dhparam.g, &dhparam.q, moduli,
+			    &client_params->dh_group_name);
+    if (ret) {
+	/* XXX send back proposal of better group */
+	goto out;
+    }
+
+    dh = DH_new();
+    if (dh == NULL) {
+	krb5_set_error_string(context, "Cannot create DH structure");
+	ret = ENOMEM;
+	goto out;
+    }
+    ret = KRB5_BADMSGTYPE;
+    dh->p = integer_to_BN(context, "DH prime", &dhparam.p);
+    if (dh->p == NULL)
+	goto out;
+    dh->g = integer_to_BN(context, "DH base", &dhparam.g);
+    if (dh->g == NULL)
+	goto out;
+    dh->q = integer_to_BN(context, "DH p-1 factor", &dhparam.q);
+    if (dh->g == NULL)
+	goto out;
+
+    {
+	heim_integer glue;
+	size_t size;
+
+	ret = decode_DHPublicKey(dh_key_info->subjectPublicKey.data,
+				 dh_key_info->subjectPublicKey.length / 8,
+				 &glue,
+				 &size);
+	if (ret) {
+	    krb5_clear_error_string(context);
+	    return ret;
+	}
+
+	client_params->dh_public_key = integer_to_BN(context,
+						     "subjectPublicKey",
+						     &glue);
+	der_free_heim_integer(&glue);
+	if (client_params->dh_public_key == NULL)
+	    goto out;
+    }
+
+    client_params->dh = dh;
+    dh = NULL;
+    ret = 0;
+    
+ out:
+    if (dh)
+	DH_free(dh);
+    free_DomainParameters(&dhparam);
+    return ret;
+}
+
+krb5_error_code
+_kdc_pk_rd_padata(krb5_context context,
+		  krb5_kdc_configuration *config,
+		  const KDC_REQ *req,
+		  const PA_DATA *pa,
+		  pk_client_params **ret_params)
+{
+    pk_client_params *client_params;
+    krb5_error_code ret;
+    heim_oid eContentType = { 0, NULL }, contentInfoOid = { 0, NULL };
+    krb5_data eContent = { 0, NULL };
+    krb5_data signed_content = { 0, NULL };
+    const char *type = "unknown type";
+    int have_data = 0;
+
+    *ret_params = NULL;
+    
+    if (!config->enable_pkinit) {
+	kdc_log(context, config, 0, "PK-INIT request but PK-INIT not enabled");
+	krb5_clear_error_string(context);
+	return 0;
+    }
+
+    hx509_verify_set_time(kdc_identity->verify_ctx, _kdc_now.tv_sec);
+
+    client_params = calloc(1, sizeof(*client_params));
+    if (client_params == NULL) {
+	krb5_clear_error_string(context);
+	ret = ENOMEM;
+	goto out;
+    }
+
+    if (pa->padata_type == KRB5_PADATA_PK_AS_REQ_WIN) {
+	PA_PK_AS_REQ_Win2k r;
+
+	type = "PK-INIT-Win2k";
+
+	ret = decode_PA_PK_AS_REQ_Win2k(pa->padata_value.data,
+					pa->padata_value.length,
+					&r,
+					NULL);
+	if (ret) {
+	    krb5_set_error_string(context, "Can't decode "
+				  "PK-AS-REQ-Win2k: %d", ret);
+	    goto out;
+	}
+	
+	ret = hx509_cms_unwrap_ContentInfo(&r.signed_auth_pack,
+					   &contentInfoOid,
+					   &signed_content,
+					   &have_data);
+	free_PA_PK_AS_REQ_Win2k(&r);
+	if (ret) {
+	    krb5_set_error_string(context, "Can't decode PK-AS-REQ: %d", ret);
+	    goto out;
+	}
+
+    } else if (pa->padata_type == KRB5_PADATA_PK_AS_REQ) {
+	PA_PK_AS_REQ r;
+
+	type = "PK-INIT-IETF";
+
+	ret = decode_PA_PK_AS_REQ(pa->padata_value.data,
+				  pa->padata_value.length,
+				  &r,
+				  NULL);
+	if (ret) {
+	    krb5_set_error_string(context, "Can't decode PK-AS-REQ: %d", ret);
+	    goto out;
+	}
+	
+	/* XXX look at r.kdcPkId */
+	if (r.trustedCertifiers) {
+	    ExternalPrincipalIdentifiers *edi = r.trustedCertifiers;
+	    unsigned int i;
+
+	    ret = hx509_certs_init(kdc_identity->hx509ctx,
+				   "MEMORY:client-anchors",
+				   0, NULL,
+				   &client_params->client_anchors);
+	    if (ret) {
+		krb5_set_error_string(context, "Can't allocate client anchors: %d", ret);
+		goto out;
+
+	    }
+	    for (i = 0; i < edi->len; i++) {
+		IssuerAndSerialNumber iasn;
+		hx509_query *q;
+		hx509_cert cert;
+		size_t size;
+
+		if (edi->val[i].issuerAndSerialNumber == NULL)
+		    continue;
+
+		ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
+		if (ret) {
+		    krb5_set_error_string(context, 
+					  "Failed to allocate hx509_query");
+		    goto out;
+		}
+		
+		ret = decode_IssuerAndSerialNumber(edi->val[i].issuerAndSerialNumber->data,
+						   edi->val[i].issuerAndSerialNumber->length,
+						   &iasn,
+						   &size);
+		if (ret) {
+		    hx509_query_free(kdc_identity->hx509ctx, q);
+		    continue;
+		}
+		ret = hx509_query_match_issuer_serial(q, &iasn.issuer, &iasn.serialNumber);
+		free_IssuerAndSerialNumber(&iasn);
+		if (ret)
+		    continue;
+
+		ret = hx509_certs_find(kdc_identity->hx509ctx,
+				       kdc_identity->certs,
+				       q,
+				       &cert);
+		hx509_query_free(kdc_identity->hx509ctx, q);
+		if (ret)
+		    continue;
+		hx509_certs_add(kdc_identity->hx509ctx, 
+				client_params->client_anchors, cert);
+		hx509_cert_free(cert);
+	    }
+	}
+
+	ret = hx509_cms_unwrap_ContentInfo(&r.signedAuthPack,
+					   &contentInfoOid,
+					   &signed_content,
+					   &have_data);
+	free_PA_PK_AS_REQ(&r);
+	if (ret) {
+	    krb5_set_error_string(context, "Can't unwrap ContentInfo: %d", ret);
+	    goto out;
+	}
+
+    } else { 
+	krb5_clear_error_string(context);
+	ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+	goto out;
+    }
+
+    ret = der_heim_oid_cmp(&contentInfoOid, oid_id_pkcs7_signedData());
+    if (ret != 0) {
+	krb5_set_error_string(context, "PK-AS-REQ-Win2k invalid content "
+			      "type oid");
+	ret = KRB5KRB_ERR_GENERIC;
+	goto out;
+    }
+	
+    if (!have_data) {
+	krb5_set_error_string(context,
+			      "PK-AS-REQ-Win2k no signed auth pack");
+	ret = KRB5KRB_ERR_GENERIC;
+	goto out;
+    }
+
+    {
+	hx509_certs signer_certs;
+
+	ret = hx509_cms_verify_signed(kdc_identity->hx509ctx,
+				      kdc_identity->verify_ctx,
+				      signed_content.data,
+				      signed_content.length,
+				      NULL,
+				      kdc_identity->certpool,
+				      &eContentType,
+				      &eContent,
+				      &signer_certs);
+	if (ret) {
+	    char *s = hx509_get_error_string(kdc_identity->hx509ctx, ret);
+	    krb5_warnx(context, "PKINIT: failed to verify signature: %s: %d",
+		       s, ret);
+	    free(s);
+	    goto out;
+	}
+
+	ret = hx509_get_one_cert(kdc_identity->hx509ctx, signer_certs,
+				 &client_params->cert);
+	hx509_certs_free(&signer_certs);
+	if (ret)
+	    goto out;
+    }
+
+    /* Signature is correct, now verify the signed message */
+    if (der_heim_oid_cmp(&eContentType, oid_id_pkcs7_data()) != 0 &&
+	der_heim_oid_cmp(&eContentType, oid_id_pkauthdata()) != 0)
+    {
+	krb5_set_error_string(context, "got wrong oid for pkauthdata");
+	ret = KRB5_BADMSGTYPE;
+	goto out;
+    }
+
+    if (pa->padata_type == KRB5_PADATA_PK_AS_REQ_WIN) {
+	AuthPack_Win2k ap;
+
+	ret = decode_AuthPack_Win2k(eContent.data,
+				    eContent.length,
+				    &ap,
+				    NULL);
+	if (ret) {
+	    krb5_set_error_string(context, "can't decode AuthPack: %d", ret);
+	    goto out;
+	}
+  
+	ret = pk_check_pkauthenticator_win2k(context, 
+					     &ap.pkAuthenticator,
+					     req);
+	if (ret) {
+	    free_AuthPack_Win2k(&ap);
+	    goto out;
+	}
+
+	client_params->type = PKINIT_COMPAT_WIN2K;
+	client_params->nonce = ap.pkAuthenticator.nonce;
+
+	if (ap.clientPublicValue) {
+	    krb5_set_error_string(context, "DH not supported for windows");
+	    ret = KRB5KRB_ERR_GENERIC;
+	    goto out;
+	}
+	free_AuthPack_Win2k(&ap);
+
+    } else if (pa->padata_type == KRB5_PADATA_PK_AS_REQ) {
+	AuthPack ap;
+
+	ret = decode_AuthPack(eContent.data,
+			      eContent.length,
+			      &ap,
+			      NULL);
+	if (ret) {
+	    krb5_set_error_string(context, "can't decode AuthPack: %d", ret);
+	    free_AuthPack(&ap);
+	    goto out;
+	}
+  
+	ret = pk_check_pkauthenticator(context, 
+				       &ap.pkAuthenticator,
+				       req);
+	if (ret) {
+	    free_AuthPack(&ap);
+	    goto out;
+	}
+
+	client_params->type = PKINIT_COMPAT_27;
+	client_params->nonce = ap.pkAuthenticator.nonce;
+
+	if (ap.clientPublicValue) {
+	    ret = get_dh_param(context, config, 
+			       ap.clientPublicValue, client_params);
+	    if (ret) {
+		free_AuthPack(&ap);
+		goto out;
+	    }
+	}
+
+	if (ap.supportedCMSTypes) {
+	    ret = hx509_peer_info_alloc(kdc_identity->hx509ctx,
+					&client_params->peer);
+	    if (ret) {
+		free_AuthPack(&ap);
+		goto out;
+	    }
+	    ret = hx509_peer_info_set_cms_algs(kdc_identity->hx509ctx,
+					       client_params->peer,
+					       ap.supportedCMSTypes->val,
+					       ap.supportedCMSTypes->len);
+	    if (ret) {
+		free_AuthPack(&ap);
+		goto out;
+	    }
+	}
+	free_AuthPack(&ap);
+    } else
+	krb5_abortx(context, "internal pkinit error");
+
+    kdc_log(context, config, 0, "PK-INIT request of type %s", type);
+
+out:
+    if (ret)
+	krb5_warn(context, ret, "PKINIT");
+
+    if (signed_content.data)
+	free(signed_content.data);
+    krb5_data_free(&eContent);
+    der_free_oid(&eContentType);
+    der_free_oid(&contentInfoOid);
+    if (ret)
+	_kdc_pk_free_client_param(context, client_params);
+    else
+	*ret_params = client_params;
+    return ret;
+}
+
+/*
+ *
+ */
+
+static krb5_error_code
+BN_to_integer(krb5_context context, BIGNUM *bn, heim_integer *integer)
+{
+    integer->length = BN_num_bytes(bn);
+    integer->data = malloc(integer->length);
+    if (integer->data == NULL) {
+	krb5_clear_error_string(context);
+	return ENOMEM;
+    }
+    BN_bn2bin(bn, integer->data);
+    integer->negative = BN_is_negative(bn);
+    return 0;
+}
+
+static krb5_error_code
+pk_mk_pa_reply_enckey(krb5_context context,
+		      krb5_kdc_configuration *config,
+		      pk_client_params *client_params,
+		      const KDC_REQ *req,
+		      const krb5_data *req_buffer,
+		      krb5_keyblock *reply_key,
+		      ContentInfo *content_info)
+{
+    const heim_oid *envelopedAlg = NULL, *sdAlg = NULL;
+    krb5_error_code ret;
+    krb5_data buf, signed_data;
+    size_t size;
+    int do_win2k = 0;
+
+    krb5_data_zero(&buf);
+    krb5_data_zero(&signed_data);
+
+    /*
+     * If the message client is a win2k-type but it send pa data
+     * 09-binding it expects a IETF (checksum) reply so there can be
+     * no replay attacks.
+     */
+
+    switch (client_params->type) {
+    case PKINIT_COMPAT_WIN2K: {
+	int i = 0;
+	if (_kdc_find_padata(req, &i, KRB5_PADATA_PK_AS_09_BINDING) == NULL
+	    && config->pkinit_require_binding == 0)
+	{
+	    do_win2k = 1;
+	}
+	break;
+    }
+    case PKINIT_COMPAT_27:
+	break;
+    default:
+	krb5_abortx(context, "internal pkinit error");
+    }	    
+
+    if (do_win2k) {
+	ReplyKeyPack_Win2k kp;
+	memset(&kp, 0, sizeof(kp));
+
+	envelopedAlg = oid_id_rsadsi_des_ede3_cbc();
+	sdAlg = oid_id_pkcs7_data();
+
+	ret = copy_EncryptionKey(reply_key, &kp.replyKey);
+	if (ret) {
+	    krb5_clear_error_string(context);
+	    goto out;
+	}
+	kp.nonce = client_params->nonce;
+	
+	ASN1_MALLOC_ENCODE(ReplyKeyPack_Win2k, 
+			   buf.data, buf.length,
+			   &kp, &size,ret);
+	free_ReplyKeyPack_Win2k(&kp);
+    } else {
+	krb5_crypto ascrypto;
+	ReplyKeyPack kp;
+	memset(&kp, 0, sizeof(kp));
+
+	sdAlg = oid_id_pkrkeydata();
+
+	ret = copy_EncryptionKey(reply_key, &kp.replyKey);
+	if (ret) {
+	    krb5_clear_error_string(context);
+	    goto out;
+	}
+
+	ret = krb5_crypto_init(context, reply_key, 0, &ascrypto);
+	if (ret) {
+	    krb5_clear_error_string(context);
+	    goto out;
+	}
+
+	ret = krb5_create_checksum(context, ascrypto, 6, 0,
+				   req_buffer->data, req_buffer->length,
+				   &kp.asChecksum);
+	if (ret) {
+	    krb5_clear_error_string(context);
+	    goto out;
+	}
+			     
+	ret = krb5_crypto_destroy(context, ascrypto);
+	if (ret) {
+	    krb5_clear_error_string(context);
+	    goto out;
+	}
+	ASN1_MALLOC_ENCODE(ReplyKeyPack, buf.data, buf.length, &kp, &size,ret);
+	free_ReplyKeyPack(&kp);
+    }
+    if (ret) {
+	krb5_set_error_string(context, "ASN.1 encoding of ReplyKeyPack "
+			      "failed (%d)", ret);
+	goto out;
+    }
+    if (buf.length != size)
+	krb5_abortx(context, "Internal ASN.1 encoder error");
+
+    {
+	hx509_query *q;
+	hx509_cert cert;
+	
+	ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
+	if (ret)
+	    goto out;
+	
+	hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
+	hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+	
+	ret = hx509_certs_find(kdc_identity->hx509ctx, 
+			       kdc_identity->certs, 
+			       q, 
+			       &cert);
+	hx509_query_free(kdc_identity->hx509ctx, q);
+	if (ret)
+	    goto out;
+	
+	ret = hx509_cms_create_signed_1(kdc_identity->hx509ctx,
+					0,
+					sdAlg,
+					buf.data,
+					buf.length,
+					NULL,
+					cert,
+					client_params->peer,
+					client_params->client_anchors,
+					kdc_identity->certpool,
+					&signed_data);
+	hx509_cert_free(cert);
+    }
+
+    krb5_data_free(&buf);
+    if (ret) 
+	goto out;
+
+    if (client_params->type == PKINIT_COMPAT_WIN2K) {
+	ret = hx509_cms_wrap_ContentInfo(oid_id_pkcs7_signedData(),
+					 &signed_data,
+					 &buf);
+	if (ret)
+	    goto out;
+	krb5_data_free(&signed_data);
+	signed_data = buf;
+    }
+
+    ret = hx509_cms_envelope_1(kdc_identity->hx509ctx,
+			       0,
+			       client_params->cert,
+			       signed_data.data, signed_data.length, 
+			       envelopedAlg,
+			       oid_id_pkcs7_signedData(), &buf);
+    if (ret)
+	goto out;
+    
+    ret = _krb5_pk_mk_ContentInfo(context,
+				  &buf,
+				  oid_id_pkcs7_envelopedData(),
+				  content_info);
+out:
+    krb5_data_free(&buf);
+    krb5_data_free(&signed_data);
+    return ret;
+}
+
+/*
+ *
+ */
+
+static krb5_error_code
+pk_mk_pa_reply_dh(krb5_context context,
+                  DH *kdc_dh,
+      		  pk_client_params *client_params,
+                  krb5_keyblock *reply_key,
+		  ContentInfo *content_info,
+		  hx509_cert *kdc_cert)
+{
+    KDCDHKeyInfo dh_info;
+    krb5_data signed_data, buf;
+    ContentInfo contentinfo;
+    krb5_error_code ret;
+    size_t size;
+    heim_integer i;
+
+    memset(&contentinfo, 0, sizeof(contentinfo));
+    memset(&dh_info, 0, sizeof(dh_info));
+    krb5_data_zero(&buf);
+    krb5_data_zero(&signed_data);
+
+    *kdc_cert = NULL;
+
+    ret = BN_to_integer(context, kdc_dh->pub_key, &i);
+    if (ret)
+	return ret;
+
+    ASN1_MALLOC_ENCODE(DHPublicKey, buf.data, buf.length, &i, &size, ret);
+    if (ret) {
+	krb5_set_error_string(context, "ASN.1 encoding of "
+			      "DHPublicKey failed (%d)", ret);
+	krb5_clear_error_string(context);
+	return ret;
+    }
+    if (buf.length != size)
+	krb5_abortx(context, "Internal ASN.1 encoder error");
+
+    dh_info.subjectPublicKey.length = buf.length * 8;
+    dh_info.subjectPublicKey.data = buf.data;
+    
+    dh_info.nonce = client_params->nonce;
+
+    ASN1_MALLOC_ENCODE(KDCDHKeyInfo, buf.data, buf.length, &dh_info, &size, 
+		       ret);
+    if (ret) {
+	krb5_set_error_string(context, "ASN.1 encoding of "
+			      "KdcDHKeyInfo failed (%d)", ret);
+	goto out;
+    }
+    if (buf.length != size)
+	krb5_abortx(context, "Internal ASN.1 encoder error");
+
+    /* 
+     * Create the SignedData structure and sign the KdcDHKeyInfo
+     * filled in above
+     */
+
+    {
+	hx509_query *q;
+	hx509_cert cert;
+	
+	ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
+	if (ret)
+	    goto out;
+	
+	hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
+	hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+	
+	ret = hx509_certs_find(kdc_identity->hx509ctx, 
+			       kdc_identity->certs, 
+			       q, 
+			       &cert);
+	hx509_query_free(kdc_identity->hx509ctx, q);
+	if (ret)
+	    goto out;
+	
+	ret = hx509_cms_create_signed_1(kdc_identity->hx509ctx,
+					0,
+					oid_id_pkdhkeydata(),
+					buf.data,
+					buf.length,
+					NULL,
+					cert,
+					client_params->peer,
+					client_params->client_anchors,
+					kdc_identity->certpool,
+					&signed_data);
+	*kdc_cert = cert;
+    }
+    if (ret)
+	goto out;
+
+    ret = _krb5_pk_mk_ContentInfo(context,
+				  &signed_data,
+				  oid_id_pkcs7_signedData(),
+				  content_info);
+    if (ret)
+	goto out;
+
+ out:
+    if (ret && *kdc_cert) {
+	hx509_cert_free(*kdc_cert);
+	*kdc_cert = NULL;
+    }
+
+    krb5_data_free(&buf);
+    krb5_data_free(&signed_data);
+    free_KDCDHKeyInfo(&dh_info);
+
+    return ret;
+}
+
+/*
+ *
+ */
+
+krb5_error_code
+_kdc_pk_mk_pa_reply(krb5_context context,
+		    krb5_kdc_configuration *config,
+		    pk_client_params *client_params,
+		    const hdb_entry_ex *client,
+		    const KDC_REQ *req,
+		    const krb5_data *req_buffer,
+		    krb5_keyblock **reply_key,
+		    METHOD_DATA *md)
+{
+    krb5_error_code ret;
+    void *buf;
+    size_t len, size;
+    krb5_enctype enctype;
+    int pa_type;
+    hx509_cert kdc_cert = NULL;
+    int i;
+
+    if (!config->enable_pkinit) {
+	krb5_clear_error_string(context);
+	return 0;
+    }
+
+    if (req->req_body.etype.len > 0) {
+	for (i = 0; i < req->req_body.etype.len; i++)
+	    if (krb5_enctype_valid(context, req->req_body.etype.val[i]) == 0)
+		break;
+	if (req->req_body.etype.len <= i) {
+	    ret = KRB5KRB_ERR_GENERIC;
+	    krb5_set_error_string(context,
+				  "No valid enctype available from client");
+	    goto out;
+	}	
+	enctype = req->req_body.etype.val[i];
+    } else
+	enctype = ETYPE_DES3_CBC_SHA1;
+
+    if (client_params->type == PKINIT_COMPAT_27) {
+	PA_PK_AS_REP rep;
+	const char *type, *other = "";
+
+	memset(&rep, 0, sizeof(rep));
+
+	pa_type = KRB5_PADATA_PK_AS_REP;
+
+	if (client_params->dh == NULL) {
+	    ContentInfo info;
+
+	    type = "enckey";
+
+	    rep.element = choice_PA_PK_AS_REP_encKeyPack;
+
+	    ret = krb5_generate_random_keyblock(context, enctype, 
+						&client_params->reply_key);
+	    if (ret) {
+		free_PA_PK_AS_REP(&rep);
+		goto out;
+	    }
+	    ret = pk_mk_pa_reply_enckey(context,
+					config,
+					client_params,
+					req,
+					req_buffer,
+					&client_params->reply_key,
+					&info);
+	    if (ret) {
+		free_PA_PK_AS_REP(&rep);
+		goto out;
+	    }
+	    ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data, 
+			       rep.u.encKeyPack.length, &info, &size, 
+			       ret);
+	    free_ContentInfo(&info);
+	    if (ret) {
+		krb5_set_error_string(context, "encoding of Key ContentInfo "
+				      "failed %d", ret);
+		free_PA_PK_AS_REP(&rep);
+		goto out;
+	    }
+	    if (rep.u.encKeyPack.length != size)
+		krb5_abortx(context, "Internal ASN.1 encoder error");
+
+	} else {
+	    ContentInfo info;
+
+	    type = "dh";
+	    if (client_params->dh_group_name)
+		other = client_params->dh_group_name;
+
+	    rep.element = choice_PA_PK_AS_REP_dhInfo;
+
+	    ret = generate_dh_keyblock(context, client_params, enctype,
+				       &client_params->reply_key);
+	    if (ret)
+		return ret;
+
+	    ret = pk_mk_pa_reply_dh(context, client_params->dh,
+				    client_params, 
+				    &client_params->reply_key,
+				    &info,
+				    &kdc_cert);
+
+	    ASN1_MALLOC_ENCODE(ContentInfo, rep.u.dhInfo.dhSignedData.data,
+			       rep.u.dhInfo.dhSignedData.length, &info, &size,
+			       ret);
+	    free_ContentInfo(&info);
+	    if (ret) {
+		krb5_set_error_string(context, "encoding of Key ContentInfo "
+				      "failed %d", ret);
+		free_PA_PK_AS_REP(&rep);
+		goto out;
+	    }
+	    if (rep.u.encKeyPack.length != size)
+		krb5_abortx(context, "Internal ASN.1 encoder error");
+
+	}
+	if (ret) {
+	    free_PA_PK_AS_REP(&rep);
+	    goto out;
+	}
+
+	ASN1_MALLOC_ENCODE(PA_PK_AS_REP, buf, len, &rep, &size, ret);
+	free_PA_PK_AS_REP(&rep);
+	if (ret) {
+	    krb5_set_error_string(context, "encode PA-PK-AS-REP failed %d",
+				  ret);
+	    goto out;
+	}
+	if (len != size)
+	    krb5_abortx(context, "Internal ASN.1 encoder error");
+
+	kdc_log(context, config, 0, "PK-INIT using %s %s", type, other);
+
+    } else if (client_params->type == PKINIT_COMPAT_WIN2K) {
+	PA_PK_AS_REP_Win2k rep;
+	ContentInfo info;
+
+	if (client_params->dh) {
+	    krb5_set_error_string(context, "Windows PK-INIT doesn't support DH");
+	    ret = KRB5KRB_ERR_GENERIC;
+	    goto out;
+	}
+
+	memset(&rep, 0, sizeof(rep));
+
+	pa_type = KRB5_PADATA_PK_AS_REP_19;
+	rep.element = choice_PA_PK_AS_REP_encKeyPack;
+
+	ret = krb5_generate_random_keyblock(context, enctype, 
+					    &client_params->reply_key);
+	if (ret) {
+	    free_PA_PK_AS_REP_Win2k(&rep);
+	    goto out;
+	}
+	ret = pk_mk_pa_reply_enckey(context,
+				    config,
+				    client_params,
+				    req,
+				    req_buffer,
+				    &client_params->reply_key,
+				    &info);
+	if (ret) {
+	    free_PA_PK_AS_REP_Win2k(&rep);
+	    goto out;
+	}
+	ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data, 
+			   rep.u.encKeyPack.length, &info, &size, 
+			   ret);
+	free_ContentInfo(&info);
+	if (ret) {
+	    krb5_set_error_string(context, "encoding of Key ContentInfo "
+				  "failed %d", ret);
+	    free_PA_PK_AS_REP_Win2k(&rep);
+	    goto out;
+	}
+	if (rep.u.encKeyPack.length != size)
+	    krb5_abortx(context, "Internal ASN.1 encoder error");
+
+	ASN1_MALLOC_ENCODE(PA_PK_AS_REP_Win2k, buf, len, &rep, &size, ret);
+	free_PA_PK_AS_REP_Win2k(&rep);
+	if (ret) {
+	    krb5_set_error_string(context, 
+				  "encode PA-PK-AS-REP-Win2k failed %d", ret);
+	    goto out;
+	}
+	if (len != size)
+	    krb5_abortx(context, "Internal ASN.1 encoder error");
+
+    } else
+	krb5_abortx(context, "PK-INIT internal error");
+
+
+    ret = krb5_padata_add(context, md, pa_type, buf, len);
+    if (ret) {
+	krb5_set_error_string(context, "failed adding PA-PK-AS-REP %d", ret);
+	free(buf);
+	goto out;
+    }
+
+    if (config->pkinit_kdc_ocsp_file) {
+
+	if (ocsp.expire == 0 && ocsp.next_update > kdc_time) {
+	    struct stat sb;
+	    int fd;
+
+	    krb5_data_free(&ocsp.data);
+
+	    ocsp.expire = 0;
+	    ocsp.next_update = kdc_time + 60 * 5;
+
+	    fd = open(config->pkinit_kdc_ocsp_file, O_RDONLY);
+	    if (fd < 0) {
+		kdc_log(context, config, 0, 
+			"PK-INIT failed to open ocsp data file %d", errno);
+		goto out_ocsp;
+	    }
+	    ret = fstat(fd, &sb);
+	    if (ret) {
+		ret = errno;
+		close(fd);
+		kdc_log(context, config, 0, 
+			"PK-INIT failed to stat ocsp data %d", ret);
+		goto out_ocsp;
+	    }
+	    
+	    ret = krb5_data_alloc(&ocsp.data, sb.st_size);
+	    if (ret) {
+		close(fd);
+		kdc_log(context, config, 0, 
+			"PK-INIT failed to stat ocsp data %d", ret);
+		goto out_ocsp;
+	    }
+	    ocsp.data.length = sb.st_size;
+	    ret = read(fd, ocsp.data.data, sb.st_size);
+	    close(fd);
+	    if (ret != sb.st_size) {
+		kdc_log(context, config, 0, 
+			"PK-INIT failed to read ocsp data %d", errno);
+		goto out_ocsp;
+	    }
+
+	    ret = hx509_ocsp_verify(kdc_identity->hx509ctx,
+				    kdc_time,
+				    kdc_cert,
+				    0,
+				    ocsp.data.data, ocsp.data.length,
+				    &ocsp.expire);
+	    if (ret) {
+		kdc_log(context, config, 0, 
+			"PK-INIT failed to verify ocsp data %d", ret);
+		krb5_data_free(&ocsp.data);
+		ocsp.expire = 0;
+	    } else if (ocsp.expire > 180) {
+		ocsp.expire -= 180; /* refetch the ocsp before it expire */
+		ocsp.next_update = ocsp.expire;
+	    } else {
+		ocsp.next_update = kdc_time;
+	    }
+	out_ocsp:
+	    ret = 0;
+	}
+
+	if (ocsp.expire != 0 && ocsp.expire > kdc_time) {
+
+	    ret = krb5_padata_add(context, md, 
+				  KRB5_PADATA_PA_PK_OCSP_RESPONSE,
+				  ocsp.data.data, ocsp.data.length);
+	    if (ret) {
+		krb5_set_error_string(context, 
+				      "Failed adding OCSP response %d", ret);
+		goto out;
+	    }
+	}
+    }
+
+out:
+    if (kdc_cert)
+	hx509_cert_free(kdc_cert);
+
+    if (ret == 0)
+	*reply_key = &client_params->reply_key;
+    return ret;
+}
+
+static int
+match_rfc_san(krb5_context context, 
+	      krb5_kdc_configuration *config,
+	      hx509_context hx509ctx,
+	      hx509_cert client_cert, 
+	      krb5_const_principal match)
+{
+    hx509_octet_string_list list;
+    int ret, i, found = 0;
+
+    memset(&list, 0 , sizeof(list));
+
+    ret = hx509_cert_find_subjectAltName_otherName(hx509ctx,
+						   client_cert,
+						   oid_id_pkinit_san(),
+						   &list);
+    if (ret)
+	goto out;
+
+    for (i = 0; !found && i < list.len; i++) {
+	krb5_principal_data principal;
+	KRB5PrincipalName kn;
+	size_t size;
+
+	ret = decode_KRB5PrincipalName(list.val[i].data, 
+				       list.val[i].length,
+				       &kn, &size);
+	if (ret) {
+	    kdc_log(context, config, 0,
+		    "Decoding kerberos name in certificate failed: %s",
+		    krb5_get_err_text(context, ret));
+	    break;
+	}
+	if (size != list.val[i].length) {
+	    kdc_log(context, config, 0,
+		    "Decoding kerberos name have extra bits on the end");
+	    return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
+	}
+
+	principal.name = kn.principalName;
+	principal.realm = kn.realm;
+
+	if (krb5_principal_compare(context, &principal, match) == TRUE)
+	    found = 1;
+	free_KRB5PrincipalName(&kn);
+    }
+
+out:
+    hx509_free_octet_string_list(&list);    
+    if (ret)
+	return ret;
+
+    if (!found)
+	return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
+
+    return 0;
+}
+
+static int
+match_ms_upn_san(krb5_context context, 
+		 krb5_kdc_configuration *config,
+		 hx509_context hx509ctx,
+		 hx509_cert client_cert, 
+		 krb5_const_principal match)
+{
+    hx509_octet_string_list list;
+    krb5_principal principal = NULL;
+    int ret, found = 0;
+    MS_UPN_SAN upn;
+    size_t size;
+
+    memset(&list, 0 , sizeof(list));
+
+    ret = hx509_cert_find_subjectAltName_otherName(hx509ctx,
+						   client_cert,
+						   oid_id_pkinit_ms_san(),
+						   &list);
+    if (ret)
+	goto out;
+
+    if (list.len != 1) {
+	kdc_log(context, config, 0,
+		"More then one PK-INIT MS UPN SAN");
+	goto out;
+    }
+
+    ret = decode_MS_UPN_SAN(list.val[0].data, list.val[0].length, &upn, &size);
+    if (ret) {
+	kdc_log(context, config, 0, "Decode of MS-UPN-SAN failed");
+	goto out;
+    }
+
+    kdc_log(context, config, 0, "found MS UPN SAN: %s", upn);
+
+    ret = krb5_parse_name(context, upn, &principal);
+    free_MS_UPN_SAN(&upn);
+    if (ret) {
+	kdc_log(context, config, 0, "Failed to parse principal in MS UPN SAN");
+	goto out;
+    }
+
+    /* 
+     * This is very wrong, but will do for now, should really and a
+     * plugin to the windc layer to very this ACL.
+    */
+    strupr(principal->realm);
+
+    if (krb5_principal_compare(context, principal, match) == TRUE)
+	found = 1;
+
+out:
+    if (principal)
+	krb5_free_principal(context, principal);
+    hx509_free_octet_string_list(&list);    
+    if (ret)
+	return ret;
+
+    if (!found)
+	return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
+
+    return 0;
+}
+
+krb5_error_code
+_kdc_pk_check_client(krb5_context context,
+		     krb5_kdc_configuration *config,
+		     const hdb_entry_ex *client,
+		     pk_client_params *client_params,
+		     char **subject_name)
+{
+    const HDB_Ext_PKINIT_acl *acl;
+    krb5_error_code ret;
+    hx509_name name;
+    int i;
+
+    ret = hx509_cert_get_base_subject(kdc_identity->hx509ctx,
+				      client_params->cert,
+				      &name);
+    if (ret)
+	return ret;
+
+    ret = hx509_name_to_string(name, subject_name);
+    hx509_name_free(&name);
+    if (ret)
+	return ret;
+
+    kdc_log(context, config, 0,
+	    "Trying to authorize PK-INIT subject DN %s", 
+	    *subject_name);
+
+    if (config->pkinit_princ_in_cert) {
+	ret = match_rfc_san(context, config,
+			    kdc_identity->hx509ctx,
+			    client_params->cert,
+			    client->entry.principal);
+	if (ret == 0) {
+	    kdc_log(context, config, 5,
+		    "Found matching PK-INIT SAN in certificate");
+	    return 0;
+	}
+	ret = match_ms_upn_san(context, config,
+			       kdc_identity->hx509ctx,
+			       client_params->cert,
+			       client->entry.principal);
+	if (ret == 0) {
+	    kdc_log(context, config, 5,
+		    "Found matching MS UPN SAN in certificate");
+	    return 0;
+	}
+    }
+
+    ret = hdb_entry_get_pkinit_acl(&client->entry, &acl);
+    if (ret == 0 && acl != NULL) {
+	/*
+	 * Cheat here and compare the generated name with the string
+	 * and not the reverse.
+	 */
+	for (i = 0; i < acl->len; i++) {
+	    if (strcmp(*subject_name, acl->val[0].subject) != 0)
+		continue;
+
+	    /* Don't support isser and anchor checking right now */
+	    if (acl->val[0].issuer)
+		continue;
+	    if (acl->val[0].anchor)
+		continue;
+
+	    kdc_log(context, config, 5,
+		    "Found matching PK-INIT database ACL");
+	    return 0;
+	}
+    }
+
+    for (i = 0; i < principal_mappings.len; i++) {
+	krb5_boolean b;
+
+	b = krb5_principal_compare(context,
+				   client->entry.principal,
+				   principal_mappings.val[i].principal);
+	if (b == FALSE)
+	    continue;
+	if (strcmp(principal_mappings.val[i].subject, *subject_name) != 0)
+	    continue;
+	kdc_log(context, config, 5,
+		"Found matching PK-INIT FILE ACL");
+	return 0;
+    }
+
+    krb5_set_error_string(context,
+			  "PKINIT no matching principals for %s",
+			  *subject_name);
+
+    kdc_log(context, config, 5,
+	    "PKINIT no matching principals for %s",
+	    *subject_name);
+
+    free(*subject_name);
+    *subject_name = NULL;
+
+    return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
+}
+
+static krb5_error_code
+add_principal_mapping(krb5_context context, 
+		      const char *principal_name,
+		      const char * subject)
+{
+   struct pk_allowed_princ *tmp;
+   krb5_principal principal;
+   krb5_error_code ret;
+
+   tmp = realloc(principal_mappings.val,
+	         (principal_mappings.len + 1) * sizeof(*tmp));
+   if (tmp == NULL)
+       return ENOMEM;
+   principal_mappings.val = tmp;
+
+   ret = krb5_parse_name(context, principal_name, &principal);
+   if (ret)
+       return ret;
+
+   principal_mappings.val[principal_mappings.len].principal = principal;
+
+   principal_mappings.val[principal_mappings.len].subject = strdup(subject);
+   if (principal_mappings.val[principal_mappings.len].subject == NULL) {
+       krb5_free_principal(context, principal);
+       return ENOMEM;
+   }
+   principal_mappings.len++;
+
+   return 0;
+}
+
+krb5_error_code
+_kdc_add_inital_verified_cas(krb5_context context,
+			     krb5_kdc_configuration *config,
+			     pk_client_params *params,
+			     EncTicketPart *tkt)
+{
+    AD_INITIAL_VERIFIED_CAS cas;
+    krb5_error_code ret;
+    krb5_data data;
+    size_t size;
+
+    memset(&cas, 0, sizeof(cas));
+    
+    /* XXX add CAs to cas here */
+
+    ASN1_MALLOC_ENCODE(AD_INITIAL_VERIFIED_CAS, data.data, data.length,
+		       &cas, &size, ret);
+    if (ret)
+	return ret;
+    if (data.length != size)
+	krb5_abortx(context, "internal asn.1 encoder error");
+
+    ret = _kdc_tkt_add_if_relevant_ad(context, tkt, 
+				      KRB5_AUTHDATA_INITIAL_VERIFIED_CAS,
+				      &data);
+    krb5_data_free(&data);
+    return ret;
+}
+
+/*
+ *
+ */
+
+static void
+load_mappings(krb5_context context, const char *fn)
+{
+    krb5_error_code ret;
+    char buf[1024];
+    unsigned long lineno = 0;
+    FILE *f;
+
+    f = fopen(fn, "r");
+    if (f == NULL)
+	return;
+
+    while (fgets(buf, sizeof(buf), f) != NULL) {
+	char *subject_name, *p;
+    
+	buf[strcspn(buf, "\n")] = '\0';
+	lineno++;
+
+	p = buf + strspn(buf, " \t");
+
+	if (*p == '#' || *p == '\0')
+	    continue;
+
+	subject_name = strchr(p, ':');
+	if (subject_name == NULL) {
+	    krb5_warnx(context, "pkinit mapping file line %lu "
+		       "missing \":\" :%s",
+		       lineno, buf);
+	    continue;
+	}
+	*subject_name++ = '\0';
+
+	ret = add_principal_mapping(context, p, subject_name);
+	if (ret) {
+	    krb5_warn(context, ret, "failed to add line %lu \":\" :%s\n",
+		      lineno, buf);
+	    continue;
+	}
+    } 
+
+    fclose(f);
+}
+		   
+/*
+ *
+ */
+
+krb5_error_code
+_kdc_pk_initialize(krb5_context context,
+		   krb5_kdc_configuration *config,
+		   const char *user_id,
+		   const char *anchors,
+		   char **pool,
+		   char **revoke_list)
+{
+    const char *file;
+    char *fn = NULL;
+    krb5_error_code ret;
+
+    file = krb5_config_get_string(context, NULL,
+				  "libdefaults", "moduli", NULL);
+
+    ret = _krb5_parse_moduli(context, file, &moduli);
+    if (ret)
+	krb5_err(context, 1, ret, "PKINIT: failed to load modidi file");
+
+    principal_mappings.len = 0;
+    principal_mappings.val = NULL;
+
+    ret = _krb5_pk_load_id(context,
+			   &kdc_identity,
+			   user_id,
+			   anchors,
+			   pool,
+			   revoke_list,
+			   NULL,
+			   NULL,
+			   NULL);
+    if (ret) {
+	krb5_warn(context, ret, "PKINIT: ");
+	config->enable_pkinit = 0;
+	return ret;
+    }
+
+    {
+	hx509_query *q;
+	hx509_cert cert;
+	
+	ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
+	if (ret) {
+	    krb5_warnx(context, "PKINIT: out of memory");
+	    return ENOMEM;
+	}
+	
+	hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
+	hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+	
+	ret = hx509_certs_find(kdc_identity->hx509ctx,
+			       kdc_identity->certs,
+			       q,
+			       &cert);
+	hx509_query_free(kdc_identity->hx509ctx, q);
+	if (ret == 0) {
+	    if (hx509_cert_check_eku(kdc_identity->hx509ctx, cert,
+				     oid_id_pkkdcekuoid(), 0))
+		krb5_warnx(context, "WARNING Found KDC certificate "
+			   "is missing the PK-INIT KDC EKU, this is bad for "
+			   "interoperability.");
+	    hx509_cert_free(cert);
+	} else
+	    krb5_warnx(context, "PKINIT: failed to find a signing "
+		       "certifiate with a public key");
+    }
+
+    ret = krb5_config_get_bool_default(context, 
+				       NULL,
+				       FALSE,
+				       "kdc",
+				       "pkinit_allow_proxy_certificate",
+				       NULL);
+    _krb5_pk_allow_proxy_certificate(kdc_identity, ret);
+
+    file = krb5_config_get_string(context, 
+				  NULL,
+				  "kdc",
+				  "pkinit_mappings_file",
+				  NULL);
+    if (file == NULL) {
+	asprintf(&fn, "%s/pki-mapping", hdb_db_dir(context));
+	file = fn;
+    }
+
+    load_mappings(context, file);
+    if (fn)
+	free(fn);
+
+    return 0;
+}
+
+#endif /* PKINIT */
diff --git a/crypto/heimdal/kdc/process.c b/crypto/heimdal/kdc/process.c
new file mode 100644
index 0000000..1d0a01a
--- /dev/null
+++ b/crypto/heimdal/kdc/process.c
@@ -0,0 +1,219 @@
+/*
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ *
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+
+RCSID("$Id: process.c 20959 2007-06-07 04:46:06Z lha $");
+
+/*
+ *
+ */
+
+void
+krb5_kdc_update_time(struct timeval *tv)
+{
+    if (tv == NULL)
+	gettimeofday(&_kdc_now, NULL);
+    else
+	_kdc_now = *tv;
+}
+
+/*
+ * handle the request in `buf, len', from `addr' (or `from' as a string),
+ * sending a reply in `reply'.
+ */
+
+int
+krb5_kdc_process_request(krb5_context context, 
+			 krb5_kdc_configuration *config,
+			 unsigned char *buf, 
+			 size_t len, 
+			 krb5_data *reply,
+			 krb5_boolean *prependlength,
+			 const char *from,
+			 struct sockaddr *addr,
+			 int datagram_reply)
+{
+    KDC_REQ req;
+    Ticket ticket;
+    DigestREQ digestreq;
+    Kx509Request kx509req;
+    krb5_error_code ret;
+    size_t i;
+
+    if(decode_AS_REQ(buf, len, &req, &i) == 0){
+	krb5_data req_buffer;
+
+	req_buffer.data = buf;
+	req_buffer.length = len;
+
+	ret = _kdc_as_rep(context, config, &req, &req_buffer, 
+			  reply, from, addr, datagram_reply);
+	free_AS_REQ(&req);
+	return ret;
+    }else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
+	ret = _kdc_tgs_rep(context, config, &req, reply, from, addr, datagram_reply);
+	free_TGS_REQ(&req);
+	return ret;
+    }else if(decode_Ticket(buf, len, &ticket, &i) == 0){
+	ret = _kdc_do_524(context, config, &ticket, reply, from, addr);
+	free_Ticket(&ticket);
+	return ret;
+    }else if(decode_DigestREQ(buf, len, &digestreq, &i) == 0){
+	ret = _kdc_do_digest(context, config, &digestreq, reply, from, addr);
+	free_DigestREQ(&digestreq);
+	return ret;
+    } else if (_kdc_try_kx509_request(buf, len, &kx509req, &i) == 0) {
+	ret = _kdc_do_kx509(context, config, &kx509req, reply, from, addr);
+	free_Kx509Request(&kx509req);
+	return ret;
+    } else if(_kdc_maybe_version4(buf, len)){
+	*prependlength = FALSE; /* elbitapmoc sdrawkcab XXX */
+	_kdc_do_version4(context, config, buf, len, reply, from, 
+			 (struct sockaddr_in*)addr);
+	return 0;
+    } else if (config->enable_kaserver) {
+	ret = _kdc_do_kaserver(context, config, buf, len, reply, from,
+			       (struct sockaddr_in*)addr);
+	return ret;
+    }
+			  
+    return -1;
+}
+
+/*
+ * handle the request in `buf, len', from `addr' (or `from' as a string),
+ * sending a reply in `reply'.
+ *
+ * This only processes krb5 requests
+ */
+
+int
+krb5_kdc_process_krb5_request(krb5_context context, 
+			      krb5_kdc_configuration *config,
+			      unsigned char *buf, 
+			      size_t len, 
+			      krb5_data *reply,
+			      const char *from,
+			      struct sockaddr *addr,
+			      int datagram_reply)
+{
+    KDC_REQ req;
+    krb5_error_code ret;
+    size_t i;
+
+    if(decode_AS_REQ(buf, len, &req, &i) == 0){
+	krb5_data req_buffer;
+
+	req_buffer.data = buf;
+	req_buffer.length = len;
+
+	ret = _kdc_as_rep(context, config, &req, &req_buffer,
+			  reply, from, addr, datagram_reply);
+	free_AS_REQ(&req);
+	return ret;
+    }else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
+	ret = _kdc_tgs_rep(context, config, &req, reply, from, addr, datagram_reply);
+	free_TGS_REQ(&req);
+	return ret;
+    }
+    return -1;
+}
+
+/*
+ *
+ */
+
+int
+krb5_kdc_save_request(krb5_context context, 
+		      const char *fn,
+		      const unsigned char *buf,
+		      size_t len,
+		      const krb5_data *reply,
+		      const struct sockaddr *sa)
+{
+    krb5_storage *sp;
+    krb5_address a;
+    int fd, ret;
+    uint32_t t;
+    krb5_data d;
+
+    memset(&a, 0, sizeof(a));
+
+    d.data = rk_UNCONST(buf);
+    d.length = len;
+    t = _kdc_now.tv_sec;
+
+    fd = open(fn, O_WRONLY|O_CREAT|O_APPEND, 0600);
+    if (fd < 0) {
+	krb5_set_error_string(context, "Failed to open: %s", fn);
+	return errno;
+    }
+    
+    sp = krb5_storage_from_fd(fd);
+    close(fd);
+    if (sp == NULL) {
+	krb5_set_error_string(context, "Storage failed to open fd");
+	return ENOMEM;
+    }
+
+    ret = krb5_sockaddr2address(context, sa, &a);
+    if (ret)
+	goto out;
+
+    krb5_store_uint32(sp, 1);
+    krb5_store_uint32(sp, t);
+    krb5_store_address(sp, a);
+    krb5_store_data(sp, d);
+    {
+	Der_class cl;
+	Der_type ty;
+	unsigned int tag;
+	ret = der_get_tag (reply->data, reply->length,
+			   &cl, &ty, &tag, NULL);
+	if (ret) {
+	    krb5_store_uint32(sp, 0xffffffff);
+	    krb5_store_uint32(sp, 0xffffffff);
+	} else {
+	    krb5_store_uint32(sp, MAKE_TAG(cl, ty, 0));
+	    krb5_store_uint32(sp, tag);
+	}
+    }
+
+    krb5_free_address(context, &a);
+out:
+    krb5_storage_free(sp);
+
+    return 0;
+}
diff --git a/crypto/heimdal/kdc/rx.h b/crypto/heimdal/kdc/rx.h
index ab8ec805..18806d7 100644
--- a/crypto/heimdal/kdc/rx.h
+++ b/crypto/heimdal/kdc/rx.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: rx.h,v 1.4 1999/12/02 17:05:00 joda Exp $ */
+/* $Id: rx.h 17447 2006-05-05 10:52:01Z lha $ */
 
 #ifndef __RX_H__
 #define __RX_H__
@@ -59,17 +59,17 @@ enum rx_header_flag {
 };
 
 struct rx_header {
-     u_int32_t epoch;
-     u_int32_t connid;		/* And channel ID */
-     u_int32_t callid;
-     u_int32_t seqno;
-     u_int32_t serialno;
+     uint32_t epoch;
+     uint32_t connid;		/* And channel ID */
+     uint32_t callid;
+     uint32_t seqno;
+     uint32_t serialno;
      u_char type;
      u_char flags;
      u_char status;
      u_char secindex;
-     u_int16_t reserved;	/* ??? verifier? */
-     u_int16_t serviceid;
+     uint16_t reserved;	/* ??? verifier? */
+     uint16_t serviceid;
 /* This should be the other way around according to everything but */
 /* tcpdump */
 };
diff --git a/crypto/heimdal/kdc/set_dbinfo.c b/crypto/heimdal/kdc/set_dbinfo.c
new file mode 100644
index 0000000..651f4c4
--- /dev/null
+++ b/crypto/heimdal/kdc/set_dbinfo.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ *
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+
+RCSID("$Id: default_config.c 21296 2007-06-25 14:49:11Z lha $");
+
+krb5_error_code
+krb5_kdc_set_dbinfo(krb5_context context, struct krb5_kdc_configuration *c)
+{
+    struct hdb_dbinfo *info, *d;
+    krb5_error_code ret;
+    int i;
+
+    /* fetch the databases */
+    ret = hdb_get_dbinfo(context, &info);
+    if (ret)
+	return ret;
+    
+    d = NULL;
+    while ((d = hdb_dbinfo_get_next(info, d)) != NULL) {
+	void *ptr;
+	
+	ptr = realloc(c->db, (c->num_db + 1) * sizeof(*c->db));
+	if (ptr == NULL) {
+	    ret = ENOMEM;
+	    krb5_set_error_string(context, "out of memory");
+	    goto out;
+	}
+	c->db = ptr;
+	
+	ret = hdb_create(context, &c->db[c->num_db], 
+			 hdb_dbinfo_get_dbname(context, d));
+	if(ret)
+	    goto out;
+	
+	ret = hdb_set_master_keyfile(context, c->db[c->num_db], 
+				     hdb_dbinfo_get_mkey_file(context, d));
+	if (ret)
+	    goto out;
+	
+	c->num_db++;
+
+	kdc_log(context, c, 0, "label: %s",
+		hdb_dbinfo_get_label(context, d));
+	kdc_log(context, c, 0, "\tdbname: %s",
+		hdb_dbinfo_get_dbname(context, d));
+	kdc_log(context, c, 0, "\tmkey_file: %s",
+		hdb_dbinfo_get_mkey_file(context, d));
+	kdc_log(context, c, 0, "\tacl_file: %s",
+		hdb_dbinfo_get_acl_file(context, d));
+    }
+    hdb_free_dbinfo(context, &info);
+
+    return 0;
+out:
+    for (i = 0; i < c->num_db; i++)
+	if (c->db[i] && c->db[i]->hdb_destroy)
+	    (*c->db[i]->hdb_destroy)(context, c->db[i]);
+    c->num_db = 0;
+    free(c->db);
+    c->db = NULL;
+ 
+    hdb_free_dbinfo(context, &info);
+
+    return ret;
+}
+
+
diff --git a/crypto/heimdal/kdc/string2key.8 b/crypto/heimdal/kdc/string2key.8
index dc9d63b..8f2d562 100644
--- a/crypto/heimdal/kdc/string2key.8
+++ b/crypto/heimdal/kdc/string2key.8
@@ -29,7 +29,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 .\" SUCH DAMAGE. 
 .\" 
-.\" $Id: string2key.8,v 1.6 2003/02/16 21:10:21 lha Exp $
+.\" $Id: string2key.8 11648 2003-02-16 21:10:32Z lha $
 .\"
 .Dd March  4, 2000
 .Dt STRING2KEY 8
diff --git a/crypto/heimdal/kdc/string2key.c b/crypto/heimdal/kdc/string2key.c
index 8a38442..4211bf7 100644
--- a/crypto/heimdal/kdc/string2key.c
+++ b/crypto/heimdal/kdc/string2key.c
@@ -34,7 +34,7 @@
 #include "headers.h"
 #include <getarg.h>
 
-RCSID("$Id: string2key.c,v 1.20 2003/03/25 12:28:52 joda Exp $");
+RCSID("$Id: string2key.c 19213 2006-12-04 23:36:36Z lha $");
 
 int version5;
 int version4;
@@ -70,21 +70,28 @@ usage(int status)
 static void
 tokey(krb5_context context, 
       krb5_enctype enctype, 
-      const char *password, 
+      const char *pw, 
       krb5_salt salt, 
       const char *label)
 {
+    krb5_error_code ret;
     int i;
     krb5_keyblock key;
     char *e;
-    krb5_string_to_key_salt(context, enctype, password, salt, &key);
-    krb5_enctype_to_string(context, enctype, &e);
+
+    ret = krb5_string_to_key_salt(context, enctype, pw, salt, &key);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_string_to_key_salt");
+    ret = krb5_enctype_to_string(context, enctype, &e);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_enctype_to_string");
     printf(label, e);
     printf(": ");
     for(i = 0; i < key.keyvalue.length; i++)
 	printf("%02x", ((unsigned char*)key.keyvalue.data)[i]);
     printf("\n");
     krb5_free_keyblock_contents(context, &key);
+    free(e);
 }
 
 int
@@ -93,12 +100,12 @@ main(int argc, char **argv)
     krb5_context context;
     krb5_principal princ;
     krb5_salt salt;
-    int optind;
+    int optidx;
     char buf[1024];
     krb5_enctype etype;
     krb5_error_code ret;
 
-    optind = krb5_program_setup(&context, argc, argv, args, num_args, NULL);
+    optidx = krb5_program_setup(&context, argc, argv, args, num_args, NULL);
 
     if(help)
 	usage(0);
@@ -108,8 +115,8 @@ main(int argc, char **argv)
 	return 0;
     }
 
-    argc -= optind;
-    argv += optind;
+    argc -= optidx;
+    argv += optidx;
 
     if (argc > 1)
 	usage(1);
@@ -122,6 +129,7 @@ main(int argc, char **argv)
 	krb5_keytype keytype;
 	int *etypes;
 	unsigned num;
+	char *str;
 	ret = krb5_string_to_keytype(context, keytype_str, &keytype);
 	if(ret)
 	    krb5_err(context, 1, ret, "%s", keytype_str);
@@ -131,7 +139,8 @@ main(int argc, char **argv)
 	if(num == 0)
 	    krb5_errx(context, 1, "there are no encryption types for that keytype");
 	etype = etypes[0];
-	krb5_enctype_to_string(context, etype, &keytype_str);
+	krb5_enctype_to_string(context, etype, &str);
+	keytype_str = str;
 	if(num > 1 && version5)
 	    krb5_warnx(context, "ambiguous keytype, using %s", keytype_str);
     }
@@ -152,22 +161,20 @@ main(int argc, char **argv)
 	printf("Kerberos v5 principal: ");
 	if(fgets(buf, sizeof(buf), stdin) == NULL)
 	    return 1;
-	if(buf[strlen(buf) - 1] == '\n')
-	    buf[strlen(buf) - 1] = '\0';
+	buf[strcspn(buf, "\r\n")] = '\0';
 	principal = estrdup(buf);
     }
     if(afs && cell == NULL){
 	printf("AFS cell: ");
 	if(fgets(buf, sizeof(buf), stdin) == NULL)
 	    return 1;
-	if(buf[strlen(buf) - 1] == '\n')
-	    buf[strlen(buf) - 1] = '\0';
+	buf[strcspn(buf, "\r\n")] = '\0';
 	cell = estrdup(buf);
     }
     if(argv[0])
 	password = argv[0];
     if(password == NULL){
-	if(des_read_pw_string(buf, sizeof(buf), "Password: ", 0))
+	if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Password: ", 0))
 	    return 1;
 	password = buf;
     }
diff --git a/crypto/heimdal/kdc/v4_dump.c b/crypto/heimdal/kdc/v4_dump.c
index ddf8222..93c56f8 100644
--- a/crypto/heimdal/kdc/v4_dump.c
+++ b/crypto/heimdal/kdc/v4_dump.c
@@ -33,7 +33,7 @@
 
 #include "hprop.h"
 
-RCSID("$Id: v4_dump.c,v 1.4.8.1 2003/04/28 12:24:54 lha Exp $");
+RCSID("$Id: v4_dump.c 17023 2006-04-09 17:41:47Z lha $");
 
 static time_t
 time_parse(const char *cp)
@@ -138,5 +138,6 @@ v4_prop_dump(void *arg, const char *file)
 	v4_prop(arg, &pr);
 	memset(&pr, 0, sizeof(pr));
     }
+    fclose(f);
     return 0;
 }
diff --git a/crypto/heimdal/kdc/version-script.map b/crypto/heimdal/kdc/version-script.map
new file mode 100644
index 0000000..2612b8e
--- /dev/null
+++ b/crypto/heimdal/kdc/version-script.map
@@ -0,0 +1,18 @@
+# $Id: version-script.map 21110 2007-06-18 10:52:20Z lha $
+
+HEIMDAL_KDC_1.0 {
+	global:
+		kdc_log;
+		kdc_log_msg;
+		kdc_log_msg_va;
+		kdc_openlog;
+		krb5_kdc_windc_init;
+		krb5_kdc_get_config;
+		krb5_kdc_set_dbinfo;
+		krb5_kdc_process_krb5_request;
+		krb5_kdc_process_request;
+		krb5_kdc_save_request;
+		krb5_kdc_update_time;
+	local:
+		*;
+};
diff --git a/crypto/heimdal/kdc/windc.c b/crypto/heimdal/kdc/windc.c
new file mode 100644
index 0000000..395ab73
--- /dev/null
+++ b/crypto/heimdal/kdc/windc.c
@@ -0,0 +1,109 @@
+/*
+ * Copyright (c) 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+
+RCSID("$Id: windc.c 20559 2007-04-24 16:00:07Z lha $");
+
+static krb5plugin_windc_ftable *windcft;
+static void *windcctx;
+
+/*
+ * Pick the first WINDC module that we find.
+ */
+
+krb5_error_code
+krb5_kdc_windc_init(krb5_context context)
+{
+    struct krb5_plugin *list = NULL, *e;
+    krb5_error_code ret;
+
+    ret = _krb5_plugin_find(context, PLUGIN_TYPE_DATA, "windc", &list);
+    if(ret != 0 || list == NULL)
+	return 0;
+
+    for (e = list; e != NULL; e = _krb5_plugin_get_next(e)) {
+
+	windcft = _krb5_plugin_get_symbol(e);
+	if (windcft->minor_version < KRB5_WINDC_PLUGING_MINOR)
+	    continue;
+	
+	(*windcft->init)(context, &windcctx);
+	break;
+    }
+    if (e == NULL) {
+	_krb5_plugin_free(list);
+	krb5_set_error_string(context, "Did not find any WINDC plugin");
+	windcft = NULL;
+	return ENOENT;
+    }
+
+    return 0;
+}
+
+
+krb5_error_code 
+_kdc_pac_generate(krb5_context context,
+		  hdb_entry_ex *client, 
+		  krb5_pac *pac)
+{
+    *pac = NULL;
+    if (windcft == NULL)
+	return 0;
+    return (windcft->pac_generate)(windcctx, context, client, pac);
+}
+
+krb5_error_code 
+_kdc_pac_verify(krb5_context context, 
+		const krb5_principal client_principal,
+		hdb_entry_ex *client,
+		hdb_entry_ex *server,
+		krb5_pac *pac)
+{
+    if (windcft == NULL) {
+	krb5_set_error_string(context, "Can't verify PAC, no function");
+	return EINVAL;
+    }
+    return (windcft->pac_verify)(windcctx, context, 
+				 client_principal, client, server, pac);
+}
+
+krb5_error_code
+_kdc_windc_client_access(krb5_context context,
+			 struct hdb_entry_ex *client,
+			 KDC_REQ *req)
+{
+    if (windcft == NULL)
+	return 0;
+    return (windcft->client_access)(windcctx, context, client, req);
+}
diff --git a/crypto/heimdal/kdc/windc_plugin.h b/crypto/heimdal/kdc/windc_plugin.h
new file mode 100644
index 0000000..ec480cf
--- /dev/null
+++ b/crypto/heimdal/kdc/windc_plugin.h
@@ -0,0 +1,82 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: windc_plugin.h 19798 2007-01-10 15:24:51Z lha $ */
+
+#ifndef HEIMDAL_KRB5_PAC_PLUGIN_H
+#define HEIMDAL_KRB5_PAC_PLUGIN_H 1
+
+#include <krb5.h>
+
+/*
+ * The PAC generate function should allocate a krb5_pac using
+ * krb5_pac_init and fill in the PAC structure for the principal using
+ * krb5_pac_add_buffer.
+ *
+ * The PAC verify function should verify all components in the PAC
+ * using krb5_pac_get_types and krb5_pac_get_buffer for all types.
+ *
+ * Check client access function check if the client is authorized.
+ */
+
+struct hdb_entry_ex;
+
+typedef krb5_error_code 
+(*krb5plugin_windc_pac_generate)(void *, krb5_context,
+				 struct hdb_entry_ex *, krb5_pac *);
+
+typedef krb5_error_code 
+(*krb5plugin_windc_pac_verify)(void *, krb5_context,
+			       const krb5_principal,
+			       struct hdb_entry_ex *, 
+			       struct hdb_entry_ex *,
+			       krb5_pac *);
+
+typedef krb5_error_code 
+(*krb5plugin_windc_client_access)(
+    void *, krb5_context, struct hdb_entry_ex *, KDC_REQ *);
+
+
+#define KRB5_WINDC_PLUGING_MINOR		2
+
+typedef struct krb5plugin_windc_ftable {
+    int			minor_version;
+    krb5_error_code	(*init)(krb5_context, void **);
+    void		(*fini)(void *);
+    krb5plugin_windc_pac_generate	pac_generate;
+    krb5plugin_windc_pac_verify		pac_verify;
+    krb5plugin_windc_client_access	client_access;
+} krb5plugin_windc_ftable;
+
+#endif /* HEIMDAL_KRB5_PAC_PLUGIN_H */
+
diff --git a/crypto/heimdal/kpasswd/Makefile.am b/crypto/heimdal/kpasswd/Makefile.am
index 5e287a9..ecfb752 100644
--- a/crypto/heimdal/kpasswd/Makefile.am
+++ b/crypto/heimdal/kpasswd/Makefile.am
@@ -1,8 +1,8 @@
-# $Id: Makefile.am,v 1.16 2001/08/28 08:31:29 assar Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += $(INCLUDE_des)
+AM_CPPFLAGS += $(INCLUDE_hcrypto)
 
 man_MANS = kpasswd.1 kpasswdd.8
 
@@ -26,6 +26,8 @@ kpasswdd_LDADD = \
 	$(DBLIB)
 
 LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken)
+
+EXTRA_DIST = $(man_MANS)
diff --git a/crypto/heimdal/kpasswd/Makefile.in b/crypto/heimdal/kpasswd/Makefile.in
index f29cde7..5c0e6db 100644
--- a/crypto/heimdal/kpasswd/Makefile.in
+++ b/crypto/heimdal/kpasswd/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,23 +14,17 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.16 2001/08/28 08:31:29 assar Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
-SOURCES = $(kpasswd_SOURCES) kpasswd-generator.c $(kpasswdd_SOURCES)
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -42,6 +36,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -52,16 +47,14 @@ noinst_PROGRAMS = kpasswd-generator$(EXEEXT)
 subdir = kpasswd
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -74,6 +67,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -82,19 +76,24 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)"
+am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libexecdir)" \
+	"$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)"
 binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(bin_PROGRAMS) $(libexec_PROGRAMS) $(noinst_PROGRAMS)
@@ -120,17 +119,18 @@ kpasswdd_DEPENDENCIES = $(top_builddir)/lib/kadm5/libkadm5srv.la \
 	$(top_builddir)/lib/hdb/libhdb.la $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
 SOURCES = $(kpasswd_SOURCES) kpasswd-generator.c $(kpasswdd_SOURCES)
 DIST_SOURCES = $(kpasswd_SOURCES) kpasswd-generator.c \
 	$(kpasswdd_SOURCES)
@@ -141,13 +141,7 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -157,8 +151,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -169,11 +161,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -181,42 +172,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -234,12 +210,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -249,15 +222,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -266,6 +238,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -277,15 +250,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -293,74 +261,80 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_des)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	$(INCLUDE_hcrypto)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -377,6 +351,7 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 man_MANS = kpasswd.1 kpasswdd.8
 kpasswd_SOURCES = kpasswd.c kpasswd_locl.h
@@ -391,14 +366,15 @@ kpasswdd_LDADD = \
 	$(DBLIB)
 
 LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken)
 
+EXTRA_DIST = $(man_MANS)
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -430,7 +406,7 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-binPROGRAMS: $(bin_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)"
+	test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
 	@list='$(bin_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -458,7 +434,7 @@ clean-binPROGRAMS:
 	done
 install-libexecPROGRAMS: $(libexec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(libexecdir)" || $(mkdir_p) "$(DESTDIR)$(libexecdir)"
+	test -z "$(libexecdir)" || $(MKDIR_P) "$(DESTDIR)$(libexecdir)"
 	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -493,13 +469,13 @@ clean-noinstPROGRAMS:
 	done
 kpasswd$(EXEEXT): $(kpasswd_OBJECTS) $(kpasswd_DEPENDENCIES) 
 	@rm -f kpasswd$(EXEEXT)
-	$(LINK) $(kpasswd_LDFLAGS) $(kpasswd_OBJECTS) $(kpasswd_LDADD) $(LIBS)
+	$(LINK) $(kpasswd_OBJECTS) $(kpasswd_LDADD) $(LIBS)
 kpasswd-generator$(EXEEXT): $(kpasswd_generator_OBJECTS) $(kpasswd_generator_DEPENDENCIES) 
 	@rm -f kpasswd-generator$(EXEEXT)
-	$(LINK) $(kpasswd_generator_LDFLAGS) $(kpasswd_generator_OBJECTS) $(kpasswd_generator_LDADD) $(LIBS)
+	$(LINK) $(kpasswd_generator_OBJECTS) $(kpasswd_generator_LDADD) $(LIBS)
 kpasswdd$(EXEEXT): $(kpasswdd_OBJECTS) $(kpasswdd_DEPENDENCIES) 
 	@rm -f kpasswdd$(EXEEXT)
-	$(LINK) $(kpasswdd_LDFLAGS) $(kpasswdd_OBJECTS) $(kpasswdd_LDADD) $(LIBS)
+	$(LINK) $(kpasswdd_OBJECTS) $(kpasswdd_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -521,13 +497,9 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 install-man1: $(man1_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man1dir)" || $(mkdir_p) "$(DESTDIR)$(man1dir)"
+	test -z "$(man1dir)" || $(MKDIR_P) "$(DESTDIR)$(man1dir)"
 	@list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -572,7 +544,7 @@ uninstall-man1:
 	done
 install-man8: $(man8_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)"
+	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
 	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -636,9 +608,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -663,23 +637,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/.. $(distdir)/../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -699,7 +671,7 @@ check: check-am
 all-am: Makefile $(PROGRAMS) $(MANS) all-local
 installdirs:
 	for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -720,7 +692,7 @@ mostlyclean-generic:
 clean-generic:
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -733,7 +705,7 @@ clean-am: clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -749,14 +721,22 @@ install-data-am: install-man
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-binPROGRAMS install-libexecPROGRAMS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man: install-man1 install-man8
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -776,26 +756,33 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-binPROGRAMS uninstall-info-am \
-	uninstall-libexecPROGRAMS uninstall-man
+uninstall-am: uninstall-binPROGRAMS uninstall-libexecPROGRAMS \
+	uninstall-man
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
 
 uninstall-man: uninstall-man1 uninstall-man8
 
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
 .PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
 	clean clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \
-	clean-libtool clean-noinstPROGRAMS ctags distclean \
+	clean-libtool clean-noinstPROGRAMS ctags dist-hook distclean \
 	distclean-compile distclean-generic distclean-libtool \
 	distclean-tags distdir dvi dvi-am html html-am info info-am \
 	install install-am install-binPROGRAMS install-data \
-	install-data-am install-exec install-exec-am install-info \
-	install-info-am install-libexecPROGRAMS install-man \
-	install-man1 install-man8 install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-binPROGRAMS \
-	uninstall-info-am uninstall-libexecPROGRAMS uninstall-man \
-	uninstall-man1 uninstall-man8
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am \
+	install-libexecPROGRAMS install-man install-man1 install-man8 \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-binPROGRAMS uninstall-hook uninstall-libexecPROGRAMS \
+	uninstall-man uninstall-man1 uninstall-man8
 
 
 install-suid-programs:
@@ -810,8 +797,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -821,19 +808,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -849,7 +848,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -919,14 +918,39 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/kpasswd/kpasswd-generator.c b/crypto/heimdal/kpasswd/kpasswd-generator.c
index 202dcfc..e37f869 100644
--- a/crypto/heimdal/kpasswd/kpasswd-generator.c
+++ b/crypto/heimdal/kpasswd/kpasswd-generator.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 2000 - 2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kpasswd_locl.h"
 
-RCSID("$Id: kpasswd-generator.c,v 1.5 2001/07/31 02:44:42 assar Exp $");
+RCSID("$Id: kpasswd-generator.c 19233 2006-12-06 08:04:05Z lha $");
 
 static unsigned
 read_words (const char *filename, char ***ret_w)
@@ -48,8 +48,7 @@ read_words (const char *filename, char ***ret_w)
 	err (1, "cannot open %s", filename);
     alloc = n = 0;
     while (fgets (buf, sizeof(buf), f) != NULL) {
-	if (buf[strlen (buf) - 1] == '\n')
-	    buf[strlen (buf) - 1] = '\0';
+	buf[strcspn(buf, "\r\n")] = '\0';
 	if (n >= alloc) {
 	    alloc += 16;
 	    w = erealloc (w, alloc * sizeof(char **));
@@ -57,6 +56,8 @@ read_words (const char *filename, char ***ret_w)
 	w[n++] = estrdup (buf);
     }
     *ret_w = w;
+    if (n == 0)
+	errx(1, "%s is an empty file, no words to try", filename);
     return n;
 }
 
@@ -88,17 +89,17 @@ generate_requests (const char *filename, unsigned nreq)
 
     for (i = 0; i < nreq; ++i) {
 	char *name = words[rand() % nwords];
-	krb5_get_init_creds_opt opt;
+	krb5_get_init_creds_opt *opt;
 	krb5_creds cred;
 	krb5_principal principal;
 	int result_code;
 	krb5_data result_code_string, result_string;
 	char *old_pwd, *new_pwd;
 
-	krb5_get_init_creds_opt_init (&opt);
-	krb5_get_init_creds_opt_set_tkt_life (&opt, 300);
-	krb5_get_init_creds_opt_set_forwardable (&opt, FALSE);
-	krb5_get_init_creds_opt_set_proxiable (&opt, FALSE);
+	krb5_get_init_creds_opt_alloc (context, &opt);
+	krb5_get_init_creds_opt_set_tkt_life (opt, 300);
+	krb5_get_init_creds_opt_set_forwardable (opt, FALSE);
+	krb5_get_init_creds_opt_set_proxiable (opt, FALSE);
 
 	ret = krb5_parse_name (context, name, &principal);
 	if (ret)
@@ -115,7 +116,7 @@ generate_requests (const char *filename, unsigned nreq)
 					    NULL,
 					    0,
 					    "kadmin/changepw",
-					    &opt);
+					    opt);
 	if( ret == KRB5KRB_AP_ERR_BAD_INTEGRITY
 	    || ret == KRB5KRB_AP_ERR_MODIFIED) {
 	    char *tmp;
@@ -132,7 +133,7 @@ generate_requests (const char *filename, unsigned nreq)
 						NULL,
 						0,
 						"kadmin/changepw",
-						&opt);
+						opt);
 	}
 	if (ret)
 	    krb5_err (context, 1, ret, "krb5_get_init_creds_password");
@@ -148,7 +149,8 @@ generate_requests (const char *filename, unsigned nreq)
 
 	free (old_pwd);
 	free (new_pwd);
-	krb5_free_creds_contents (context, &cred);
+	krb5_free_cred_contents (context, &cred);
+	krb5_get_init_creds_opt_free(context, opt);
     }
 }
 
diff --git a/crypto/heimdal/kpasswd/kpasswd.1 b/crypto/heimdal/kpasswd/kpasswd.1
index 1c2e26c..6d2c7c9 100644
--- a/crypto/heimdal/kpasswd/kpasswd.1
+++ b/crypto/heimdal/kpasswd/kpasswd.1
@@ -1,4 +1,4 @@
-.\" Copyright (c) 1997, 2000 - 2002 Kungliga Tekniska Högskolan
+.\" Copyright (c) 1997, 2000 - 2005 Kungliga Tekniska Högskolan
 .\" (Royal Institute of Technology, Stockholm, Sweden). 
 .\" All rights reserved. 
 .\"
@@ -29,9 +29,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 .\" SUCH DAMAGE. 
 .\" 
-.\" $Id: kpasswd.1,v 1.5 2003/02/16 21:10:22 lha Exp $
+.\" $Id: kpasswd.1 14478 2005-01-05 16:08:58Z lha $
 .\"
-.Dd August 27, 1997
+.Dd January  5, 2005
 .Dt KPASSWD 1
 .Os HEIMDAL
 .Sh NAME
@@ -39,10 +39,28 @@
 .Nd Kerberos 5 password changing program
 .Sh SYNOPSIS
 .Nm
-.Op Ar principal
+.Op Fl -admin-principal= Ns Ar principal
+.Oo Fl c Ar cache \*(Ba Xo
+.Fl -cache= Ns Ar cache
+.Xc
+.Oc
+.Op Ar principal ...
 .Sh DESCRIPTION
 .Nm
 is the client for changing passwords.
+.Pp
+If administrator principal is given that principal is used to change
+the password.
+.Pp
+Multiple passwords for different users can be changed at the same time,
+then the administrator principal will be used.
+If the administrator isn't specified on the command prompt, the
+principal of the default credential cache will be used.
+.Pp
+If a credential cache is given, the
+.Fl -admin-principal
+flag is ignored and use the default name of the credential cache is
+used instead.
 .Sh DIAGNOSTICS
 If the password quality check fails or some other error occurs, an
 explanation is printed.
diff --git a/crypto/heimdal/kpasswd/kpasswd.c b/crypto/heimdal/kpasswd/kpasswd.c
index 02f9557..b844628 100644
--- a/crypto/heimdal/kpasswd/kpasswd.c
+++ b/crypto/heimdal/kpasswd/kpasswd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,12 +32,16 @@
  */
 
 #include "kpasswd_locl.h"
-RCSID("$Id: kpasswd.c,v 1.24 2001/09/27 01:29:40 assar Exp $");
+RCSID("$Id: kpasswd.c 19078 2006-11-20 18:12:41Z lha $");
 
 static int version_flag;
 static int help_flag;
+static char *admin_principal_str;
+static char *cred_cache_str;
 
 static struct getargs args[] = {
+    { "admin-principal",	0,   arg_string, &admin_principal_str },
+    { "cache",			'c', arg_string, &cred_cache_str },
     { "version", 		0,   arg_flag, &version_flag },
     { "help",			0,   arg_flag, &help_flag }
 };
@@ -45,10 +49,68 @@ static struct getargs args[] = {
 static void
 usage (int ret, struct getargs *a, int num_args)
 {
-    arg_printusage (a, num_args, NULL, "[principal]");
+    arg_printusage (a, num_args, NULL, "[principal ...]");
     exit (ret);
 }
 
+static int
+change_password(krb5_context context,
+		krb5_principal principal,
+		krb5_ccache id)
+{
+    krb5_data result_code_string, result_string;
+    int result_code;
+    krb5_error_code ret;
+    char pwbuf[BUFSIZ];
+    char *msg, *name;
+
+    krb5_data_zero (&result_code_string);
+    krb5_data_zero (&result_string);
+
+    name = msg = NULL;
+    if (principal == NULL)
+	asprintf(&msg, "New password: ");
+    else {
+	ret = krb5_unparse_name(context, principal, &name);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_unparse_name");
+
+	asprintf(&msg, "New password for %s: ", name);
+    }
+
+    if (msg == NULL)
+	krb5_errx (context, 1, "out of memory");
+
+    ret = UI_UTIL_read_pw_string (pwbuf, sizeof(pwbuf), msg, 1);
+    free(msg);
+    if (name)
+	free(name);
+    if (ret != 0) {
+	return 1;
+    }
+
+    ret = krb5_set_password_using_ccache (context, id, pwbuf,
+					  principal,
+					  &result_code,
+					  &result_code_string,
+					  &result_string);
+    if (ret) {
+	krb5_warn (context, ret, "krb5_set_password_using_ccache");
+	return 1;
+    }
+
+    printf ("%s%s%.*s\n", krb5_passwd_result_to_string(context, result_code),
+	    result_string.length > 0 ? " : " : "",
+	    (int)result_string.length,
+	    result_string.length > 0 ? (char *)result_string.data : "");
+
+    krb5_data_free (&result_code_string);
+    krb5_data_free (&result_string);
+
+    return ret != 0;
+}
+
+
 int
 main (int argc, char **argv)
 {
@@ -56,11 +118,9 @@ main (int argc, char **argv)
     krb5_context context;
     krb5_principal principal;
     int optind = 0;
-    krb5_get_init_creds_opt opt;
-    krb5_creds cred;
-    int result_code;
-    krb5_data result_code_string, result_string;
-    char pwbuf[BUFSIZ];
+    krb5_get_init_creds_opt *opt;
+    krb5_ccache id = NULL;
+    int exit_value;
 
     optind = krb5_program_setup(&context, argc, argv,
 				args, sizeof(args) / sizeof(args[0]), usage);
@@ -73,74 +133,115 @@ main (int argc, char **argv)
 	exit(0);
     }
 
-    krb5_get_init_creds_opt_init (&opt);
-    
-    krb5_get_init_creds_opt_set_tkt_life (&opt, 300);
-    krb5_get_init_creds_opt_set_forwardable (&opt, FALSE);
-    krb5_get_init_creds_opt_set_proxiable (&opt, FALSE);
-
     argc -= optind;
     argv += optind;
 
-    if (argc > 1)
-	usage (1, args, sizeof(args) / sizeof(args[0]));
-
     ret = krb5_init_context (&context);
     if (ret)
 	errx (1, "krb5_init_context failed: %d", ret);
   
-    if(argv[0]) {
-	ret = krb5_parse_name (context, argv[0], &principal);
+    ret = krb5_get_init_creds_opt_alloc (context, &opt);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
+    
+    krb5_get_init_creds_opt_set_tkt_life (opt, 300);
+    krb5_get_init_creds_opt_set_forwardable (opt, FALSE);
+    krb5_get_init_creds_opt_set_proxiable (opt, FALSE);
+
+    if (cred_cache_str) {
+	ret = krb5_cc_resolve(context, cred_cache_str, &id);
 	if (ret)
-	    krb5_err (context, 1, ret, "krb5_parse_name");
-    } else
-	principal = NULL;
-
-    ret = krb5_get_init_creds_password (context,
-					&cred,
-					principal,
-					NULL,
-					krb5_prompter_posix,
-					NULL,
-					0,
-					"kadmin/changepw",
-					&opt);
-    switch (ret) {
-    case 0:
-	break;
-    case KRB5_LIBOS_PWDINTR :
-	return 1;
-    case KRB5KRB_AP_ERR_BAD_INTEGRITY :
-    case KRB5KRB_AP_ERR_MODIFIED :
-	krb5_errx(context, 1, "Password incorrect");
-	break;
-    default:
-	krb5_err(context, 1, ret, "krb5_get_init_creds");
+	    krb5_err (context, 1, ret, "krb5_cc_resolve");
+    } else {
+	ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &id);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_cc_gen_new");
     }
 
-    krb5_data_zero (&result_code_string);
-    krb5_data_zero (&result_string);
+    if (cred_cache_str == NULL) {
+	krb5_principal admin_principal = NULL;
+	krb5_creds cred;
+
+	if (admin_principal_str) {
+	    ret = krb5_parse_name (context, admin_principal_str,
+				   &admin_principal);
+	    if (ret)
+		krb5_err (context, 1, ret, "krb5_parse_name");
+	} else if (argc == 1) {
+	    ret = krb5_parse_name (context, argv[0], &admin_principal);
+	    if (ret)
+		krb5_err (context, 1, ret, "krb5_parse_name");
+	} else {
+	    ret = krb5_get_default_principal (context, &admin_principal);
+	    if (ret)
+		krb5_err (context, 1, ret, "krb5_get_default_principal");
+	}
+
+	ret = krb5_get_init_creds_password (context,
+					    &cred,
+					    admin_principal,
+					    NULL,
+					    krb5_prompter_posix,
+					    NULL,
+					    0,
+					    "kadmin/changepw",
+					    opt);
+	switch (ret) {
+	case 0:
+	    break;
+	case KRB5_LIBOS_PWDINTR :
+	    return 1;
+	case KRB5KRB_AP_ERR_BAD_INTEGRITY :
+	case KRB5KRB_AP_ERR_MODIFIED :
+	    krb5_errx(context, 1, "Password incorrect");
+	    break;
+	default:
+	    krb5_err(context, 1, ret, "krb5_get_init_creds");
+	}
+	
+	krb5_get_init_creds_opt_free(context, opt);
+	
+	ret = krb5_cc_initialize(context, id, admin_principal);
+	krb5_free_principal(context, admin_principal);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_cc_initialize");
 
-    if(des_read_pw_string (pwbuf, sizeof(pwbuf), "New password: ", 1) != 0)
-	return 1;
+	ret = krb5_cc_store_cred(context, id, &cred);    
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_cc_store_cred");
+	
+	krb5_free_cred_contents (context, &cred);
+    }
 
-    ret = krb5_change_password (context, &cred, pwbuf,
-				&result_code,
-				&result_code_string,
-				&result_string);
-    if (ret)
-	krb5_err (context, 1, ret, "krb5_change_password");
+    if (argc == 0) {
+	exit_value = change_password(context, NULL, id);
+    } else {
+	exit_value = 0;
 
-    printf ("%s%s%.*s\n", krb5_passwd_result_to_string(context,
-						       result_code),
-	    result_string.length > 0 ? " : " : "",
-	    (int)result_string.length,
-	    (char *)result_string.data);
+	while (argc-- > 0) {
+
+	    ret = krb5_parse_name (context, argv[0], &principal);
+	    if (ret)
+		krb5_err (context, 1, ret, "krb5_parse_name");
+
+	    ret = change_password(context, principal, id);
+	    if (ret)
+		exit_value = 1;
+	    krb5_free_principal(context, principal);
+	    argv++;
+	}
+    }
+
+    if (cred_cache_str == NULL) {
+	ret = krb5_cc_destroy(context, id);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_cc_destroy");
+    } else {
+	ret = krb5_cc_close(context, id);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_cc_close");
+    }
 
-    krb5_data_free (&result_code_string);
-    krb5_data_free (&result_string);
-    
-    krb5_free_creds_contents (context, &cred);
     krb5_free_context (context);
-    return result_code;
+    return ret;
 }
diff --git a/crypto/heimdal/kpasswd/kpasswd_locl.h b/crypto/heimdal/kpasswd/kpasswd_locl.h
index c254f6f..b797ceb 100644
--- a/crypto/heimdal/kpasswd/kpasswd_locl.h
+++ b/crypto/heimdal/kpasswd/kpasswd_locl.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: kpasswd_locl.h,v 1.13 2002/09/10 20:03:48 joda Exp $ */
+/* $Id: kpasswd_locl.h 11444 2002-09-10 20:03:49Z joda $ */
 
 #ifndef __KPASSWD_LOCL_H__
 #define __KPASSWD_LOCL_H__
diff --git a/crypto/heimdal/kpasswd/kpasswdd.8 b/crypto/heimdal/kpasswd/kpasswdd.8
index 899b3a3..ab750bd 100644
--- a/crypto/heimdal/kpasswd/kpasswdd.8
+++ b/crypto/heimdal/kpasswd/kpasswdd.8
@@ -1,4 +1,4 @@
-.\" $Id: kpasswdd.8,v 1.8 2003/02/04 21:48:01 lha Exp $
+.\" $Id: kpasswdd.8 14481 2005-01-05 18:07:44Z lha $
 .\"
 .Dd April 19, 1999
 .Dt KPASSWDD 8
@@ -8,6 +8,8 @@
 .Nd Kerberos 5 password changing server
 .Sh SYNOPSIS
 .Nm
+.Bk -words
+.Op Fl -addresses= Ns Ar address
 .Op Fl -check-library= Ns Ar library
 .Op Fl -check-function= Ns Ar function
 .Oo Fl k Ar kspec \*(Ba Xo
@@ -24,6 +26,7 @@
 .Oc
 .Op Fl -version
 .Op Fl -help
+.Ek
 .Sh DESCRIPTION
 .Nm
 serves request for password changes. It listens on UDP port 464
@@ -33,6 +36,11 @@ the database directly and should thus only run on the master KDC.
 Supported options:
 .Bl -tag -width Ds
 .It Xo
+.Fl -addresses= Ns Ar address
+.Xc
+For each till the argument is given, add the address to what kpasswdd
+should listen too.
+.It Xo
 .Fl -check-library= Ns Ar library
 .Xc
 If your system has support for dynamic loading of shared libraries,
@@ -59,12 +67,12 @@ is not zero terminated.
 .Fl k Ar kspec ,
 .Fl -keytab= Ns Ar kspec
 .Xc
-Keytab to get authentication key from
+Keytab to get authentication key from.
 .It Xo
 .Fl r Ar realm ,
 .Fl -realm= Ns Ar realm
 .Xc
-Default realm
+Default realm.
 .It Xo
 .Fl p Ar string ,
 .Fl -port= Ns Ar string
diff --git a/crypto/heimdal/kpasswd/kpasswdd.c b/crypto/heimdal/kpasswd/kpasswdd.c
index 6b33732..5b4119c 100644
--- a/crypto/heimdal/kpasswd/kpasswdd.c
+++ b/crypto/heimdal/kpasswd/kpasswdd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,7 +32,7 @@
  */
 
 #include "kpasswd_locl.h"
-RCSID("$Id: kpasswdd.c,v 1.54 2002/12/02 14:31:52 joda Exp $");
+RCSID("$Id: kpasswdd.c 22252 2007-12-09 05:59:34Z lha $");
 
 #include <kadm5/admin.h>
 #ifdef HAVE_SYS_UN_H
@@ -44,9 +44,28 @@ RCSID("$Id: kpasswdd.c,v 1.54 2002/12/02 14:31:52 joda Exp $");
 static krb5_context context;
 static krb5_log_facility *log_facility;
 
+static struct getarg_strings addresses_str;
+krb5_addresses explicit_addresses;
+
 static sig_atomic_t exit_flag = 0;
 
 static void
+add_one_address (const char *str, int first)
+{
+    krb5_error_code ret;
+    krb5_addresses tmp;
+
+    ret = krb5_parse_address (context, str, &tmp);
+    if (ret)
+	krb5_err (context, 1, ret, "parse_address `%s'", str);
+    if (first)
+	krb5_copy_addresses(context, &tmp, &explicit_addresses);
+    else
+	krb5_append_addresses(context, &explicit_addresses, &tmp);
+    krb5_free_addresses (context, &tmp);
+}
+
+static void
 send_reply (int s,
 	    struct sockaddr *sa,
 	    int sa_size,
@@ -55,7 +74,7 @@ send_reply (int s,
 {
     struct msghdr msghdr;
     struct iovec iov[3];
-    u_int16_t len, ap_rep_len;
+    uint16_t len, ap_rep_len;
     u_char header[6];
     u_char *p;
 
@@ -101,40 +120,52 @@ send_reply (int s,
 
 static int
 make_result (krb5_data *data,
-	     u_int16_t result_code,
+	     uint16_t result_code,
 	     const char *expl)
 {
+    char *str;
     krb5_data_zero (data);
 
-    data->length = asprintf ((char **)&data->data,
+    data->length = asprintf (&str,
 			     "%c%c%s",
 			     (result_code >> 8) & 0xFF,
 			     result_code & 0xFF,
 			     expl);
 
-    if (data->data == NULL) {
+    if (str == NULL) {
 	krb5_warnx (context, "Out of memory generating error reply");
 	return 1;
     }
+    data->data = str;
     return 0;
 }
 
 static void
-reply_error (krb5_principal server,
+reply_error (krb5_realm realm,
 	     int s,
 	     struct sockaddr *sa,
 	     int sa_size,
 	     krb5_error_code error_code,
-	     u_int16_t result_code,
+	     uint16_t result_code,
 	     const char *expl)
 {
     krb5_error_code ret;
     krb5_data error_data;
     krb5_data e_data;
+    krb5_principal server = NULL;
 
     if (make_result(&e_data, result_code, expl))
 	return;
 
+    if (realm) {
+	ret = krb5_make_principal (context, &server, realm,
+				   "kadmin", "changepw", NULL);
+	if (ret) {
+	    krb5_data_free (&e_data);
+	    return;
+	}
+    }
+
     ret = krb5_mk_error (context,
 			 error_code,
 			 NULL,
@@ -144,6 +175,8 @@ reply_error (krb5_principal server,
 			 NULL,
 			 NULL,
 			 &error_data);
+    if (server)
+	krb5_free_principal(context, server);
     krb5_data_free (&e_data);
     if (ret) {
 	krb5_warn (context, ret, "Could not even generate error reply");
@@ -158,7 +191,7 @@ reply_priv (krb5_auth_context auth_context,
 	    int s,
 	    struct sockaddr *sa,
 	    int sa_size,
-	    u_int16_t result_code,
+	    uint16_t result_code,
 	    const char *expl)
 {
     krb5_error_code ret;
@@ -199,78 +232,207 @@ reply_priv (krb5_auth_context auth_context,
 
 static void
 change (krb5_auth_context auth_context,
-	krb5_principal principal,
+	krb5_principal admin_principal,
+	uint16_t version,
 	int s,
 	struct sockaddr *sa,
 	int sa_size,
-	krb5_data *pwd_data)
+	krb5_data *in_data)
 {
     krb5_error_code ret;
-    char *client;
+    char *client = NULL, *admin = NULL;
     const char *pwd_reason;
     kadm5_config_params conf;
-    void *kadm5_handle;
+    void *kadm5_handle = NULL;
+    krb5_principal principal;
+    krb5_data *pwd_data = NULL;
     char *tmp;
+    ChangePasswdDataMS chpw;
 
     memset (&conf, 0, sizeof(conf));
+    memset(&chpw, 0, sizeof(chpw));
     
-    krb5_unparse_name (context, principal, &client);
+    if (version == KRB5_KPASSWD_VERS_CHANGEPW) {
+	ret = krb5_copy_data(context, in_data, &pwd_data);
+	if (ret) {
+	    krb5_warn (context, ret, "krb5_copy_data");
+	    reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_MALFORMED,
+			"out out memory copying password");
+	    return;
+	}
+	principal = admin_principal;
+    } else if (version == KRB5_KPASSWD_VERS_SETPW) {
+	size_t len;
+
+	ret = decode_ChangePasswdDataMS(in_data->data, in_data->length,
+					&chpw, &len);
+	if (ret) {
+	    krb5_warn (context, ret, "decode_ChangePasswdDataMS");
+	    reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_MALFORMED,
+			"malformed ChangePasswdData");
+	    return;
+	}
+	
+
+	ret = krb5_copy_data(context, &chpw.newpasswd, &pwd_data);
+	if (ret) {
+	    krb5_warn (context, ret, "krb5_copy_data");
+	    reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_MALFORMED,
+			"out out memory copying password");
+	    goto out;
+	}
+
+	if (chpw.targname == NULL && chpw.targrealm != NULL) {
+	    krb5_warn (context, ret, "kadm5_init_with_password_ctx");
+	    reply_priv (auth_context, s, sa, sa_size, 
+			KRB5_KPASSWD_MALFORMED,
+			"targrealm but not targname");
+	    goto out;
+	}
+
+	if (chpw.targname) {
+	    krb5_principal_data princ;
+
+	    princ.name = *chpw.targname;
+	    princ.realm = *chpw.targrealm;
+	    if (princ.realm == NULL) {
+		ret = krb5_get_default_realm(context, &princ.realm);
+
+		if (ret) {
+		    krb5_warnx (context, 
+				"kadm5_init_with_password_ctx: "
+				"failed to allocate realm");
+		    reply_priv (auth_context, s, sa, sa_size, 
+				KRB5_KPASSWD_SOFTERROR,
+				"failed to allocate realm");
+		    goto out;
+		}
+	    }
+	    ret = krb5_copy_principal(context, &princ, &principal);
+	    if (*chpw.targrealm == NULL)
+		free(princ.realm);
+	    if (ret) {
+		krb5_warn(context, ret, "krb5_copy_principal");
+		reply_priv(auth_context, s, sa, sa_size, 
+			   KRB5_KPASSWD_HARDERROR,
+			   "failed to allocate principal");
+		goto out;
+	    }
+	} else
+	    principal = admin_principal;
+    } else {
+	krb5_warnx (context, "kadm5_init_with_password_ctx: unknown proto");
+	reply_priv (auth_context, s, sa, sa_size, 
+		    KRB5_KPASSWD_HARDERROR,
+		    "Unknown protocol used");
+	return;
+    }
+
+    ret = krb5_unparse_name (context, admin_principal, &admin);
+    if (ret) {
+	krb5_warn (context, ret, "unparse_name failed");
+	reply_priv (auth_context, s, sa, sa_size, 
+		    KRB5_KPASSWD_HARDERROR, "out of memory error");
+	goto out;
+    }
+
+    conf.realm = principal->realm;
+    conf.mask |= KADM5_CONFIG_REALM;
 
     ret = kadm5_init_with_password_ctx(context, 
-				       client,
+				       admin,
 				       NULL,
 				       KADM5_ADMIN_SERVICE,
 				       &conf, 0, 0, 
 				       &kadm5_handle);
     if (ret) {
-	free (client);
 	krb5_warn (context, ret, "kadm5_init_with_password_ctx");
 	reply_priv (auth_context, s, sa, sa_size, 2,
 		    "Internal error");
-	return;
+	goto out;
     }
 
-    krb5_warnx (context, "Changing password for %s", client);
-    free (client);
+    ret = krb5_unparse_name(context, principal, &client);
+    if (ret) {
+	krb5_warn (context, ret, "unparse_name failed");
+	reply_priv (auth_context, s, sa, sa_size, 
+		    KRB5_KPASSWD_HARDERROR, "out of memory error");
+	goto out;
+    }
 
-    pwd_reason = kadm5_check_password_quality (context, principal, pwd_data);
-    if (pwd_reason != NULL ) {
-	krb5_warnx (context, "%s", pwd_reason);
-	reply_priv (auth_context, s, sa, sa_size, 4, pwd_reason);
-	kadm5_destroy (kadm5_handle);
-	return;
+    /*
+     * Check password quality if not changing as administrator
+     */
+
+    if (krb5_principal_compare(context, admin_principal, principal) == TRUE) {
+
+	pwd_reason = kadm5_check_password_quality (context, principal, 
+						   pwd_data);
+	if (pwd_reason != NULL ) {
+	    krb5_warnx (context, 
+			"%s didn't pass password quality check with error: %s",
+			client, pwd_reason);
+	    reply_priv (auth_context, s, sa, sa_size, 
+			KRB5_KPASSWD_SOFTERROR, pwd_reason);
+	    goto out;
+	}
+	krb5_warnx (context, "Changing password for %s", client);
+    } else {
+	ret = _kadm5_acl_check_permission(kadm5_handle, KADM5_PRIV_CPW, 
+					  principal);
+	if (ret) {
+	    krb5_warn (context, ret, 
+		       "Check ACL failed for %s for changing %s password",
+		       admin, client);
+	    reply_priv (auth_context, s, sa, sa_size, 
+			KRB5_KPASSWD_HARDERROR, "permission denied");
+	    goto out;
+	}
+	krb5_warnx (context, "%s is changing password for %s", admin, client);
     }
 
-    tmp = malloc (pwd_data->length + 1);
-    if (tmp == NULL) {
-	krb5_warnx (context, "malloc: out of memory");
-	reply_priv (auth_context, s, sa, sa_size, 2,
+    ret = krb5_data_realloc(pwd_data, pwd_data->length + 1);
+    if (ret) {
+	krb5_warn (context, ret, "malloc: out of memory");
+	reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_HARDERROR,
 		    "Internal error");
 	goto out;
     }
-    memcpy (tmp, pwd_data->data, pwd_data->length);
-    tmp[pwd_data->length] = '\0';
+    tmp = pwd_data->data;
+    tmp[pwd_data->length - 1] = '\0';
 
     ret = kadm5_s_chpass_principal_cond (kadm5_handle, principal, tmp);
-    memset (tmp, 0, pwd_data->length);
-    free (tmp);
+    krb5_free_data (context, pwd_data);
+    pwd_data = NULL;
     if (ret) {
-	krb5_warn (context, ret, "kadm5_s_chpass_principal_cond");
-	reply_priv (auth_context, s, sa, sa_size, 2,
-		    "Internal error");
+	char *str = krb5_get_error_message(context, ret);
+	krb5_warnx(context, "kadm5_s_chpass_principal_cond: %s", str);
+	reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_SOFTERROR,
+		    str ? str : "Internal error");
+	krb5_free_error_string(context, str);
 	goto out;
     }
-    reply_priv (auth_context, s, sa, sa_size, 0, "Password changed");
+    reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_SUCCESS,
+		"Password changed");
 out:
-    kadm5_destroy (kadm5_handle);
+    free_ChangePasswdDataMS(&chpw);
+    if (admin)
+	free(admin);
+    if (client)
+	free(client);
+    if (pwd_data)
+	krb5_free_data(context, pwd_data);
+    if (kadm5_handle)
+	kadm5_destroy (kadm5_handle);
 }
 
 static int
 verify (krb5_auth_context *auth_context,
-	krb5_principal server,
+	krb5_realm *realms,
 	krb5_keytab keytab,
 	krb5_ticket **ticket,
 	krb5_data *out_data,
+	uint16_t *version,
 	int s,
 	struct sockaddr *sa,
 	int sa_size,
@@ -278,9 +440,10 @@ verify (krb5_auth_context *auth_context,
 	size_t len)
 {
     krb5_error_code ret;
-    u_int16_t pkt_len, pkt_ver, ap_req_len;
+    uint16_t pkt_len, pkt_ver, ap_req_len;
     krb5_data ap_req_data;
     krb5_data krb_priv_data;
+    krb5_realm *r;
 
     pkt_len = (msg[0] << 8) | (msg[1]);
     pkt_ver = (msg[2] << 8) | (msg[3]);
@@ -288,14 +451,16 @@ verify (krb5_auth_context *auth_context,
     if (pkt_len != len) {
 	krb5_warnx (context, "Strange len: %ld != %ld", 
 		    (long)pkt_len, (long)len);
-	reply_error (server, s, sa, sa_size, 0, 1, "Bad request");
+	reply_error (NULL, s, sa, sa_size, 0, 1, "Bad request");
 	return 1;
     }
-    if (pkt_ver != 0x0001) {
+    if (pkt_ver != KRB5_KPASSWD_VERS_CHANGEPW &&
+	pkt_ver != KRB5_KPASSWD_VERS_SETPW) {
 	krb5_warnx (context, "Bad version (%d)", pkt_ver);
-	reply_error (server, s, sa, sa_size, 0, 1, "Wrong program version");
+	reply_error (NULL, s, sa, sa_size, 0, 1, "Wrong program version");
 	return 1;
     }
+    *version = pkt_ver;
 
     ap_req_data.data   = msg + 6;
     ap_req_data.length = ap_req_len;
@@ -303,26 +468,56 @@ verify (krb5_auth_context *auth_context,
     ret = krb5_rd_req (context,
 		       auth_context,
 		       &ap_req_data,
-		       server,
+		       NULL,
 		       keytab,
 		       NULL,
 		       ticket);
     if (ret) {
-	if(ret == KRB5_KT_NOTFOUND) {
-	    char *name;
-	    krb5_unparse_name(context, server, &name);
-	    krb5_warnx (context, "krb5_rd_req: %s (%s)", 
-			krb5_get_err_text(context, ret), name);
-	    free(name);
-	} else
-	    krb5_warn (context, ret, "krb5_rd_req");
-	reply_error (server, s, sa, sa_size, ret, 3, "Authentication failed");
+	krb5_warn (context, ret, "krb5_rd_req");
+	reply_error (NULL, s, sa, sa_size, ret, 3, "Authentication failed");
 	return 1;
     }
 
+    /* verify realm and principal */
+    for (r = realms; *r != NULL; r++) {
+	krb5_principal principal;
+	krb5_boolean same;
+
+	ret = krb5_make_principal (context, 
+				   &principal,
+				   *r,
+				   "kadmin",
+				   "changepw",
+				   NULL);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_make_principal");
+
+	same = krb5_principal_compare(context, principal, (*ticket)->server);
+	krb5_free_principal(context, principal);
+	if (same == TRUE)
+	    break;
+    }
+    if (*r == NULL) {
+	char *str;
+	krb5_unparse_name(context, (*ticket)->server, &str);
+	krb5_warnx (context, "client used not valid principal %s", str);
+	free(str);
+	reply_error (NULL, s, sa, sa_size, ret, 1,
+		     "Bad request");
+	goto out;
+    }
+
+    if (strcmp((*ticket)->server->realm, (*ticket)->client->realm) != 0) {
+	krb5_warnx (context, "server realm (%s) not same a client realm (%s)",
+		    (*ticket)->server->realm, (*ticket)->client->realm);
+	reply_error ((*ticket)->server->realm, s, sa, sa_size, ret, 1,
+		     "Bad request");
+	goto out;
+    }
+
     if (!(*ticket)->ticket.flags.initial) {
 	krb5_warnx (context, "initial flag not set");
-	reply_error (server, s, sa, sa_size, ret, 1,
+	reply_error ((*ticket)->server->realm, s, sa, sa_size, ret, 1,
 		     "Bad request");
 	goto out;
     }
@@ -337,17 +532,19 @@ verify (krb5_auth_context *auth_context,
     
     if (ret) {
 	krb5_warn (context, ret, "krb5_rd_priv");
-	reply_error (server, s, sa, sa_size, ret, 3, "Bad request");
+	reply_error ((*ticket)->server->realm, s, sa, sa_size, ret, 3, 
+		     "Bad request");
 	goto out;
     }
     return 0;
 out:
     krb5_free_ticket (context, *ticket);
+    ticket = NULL;
     return 1;
 }
 
 static void
-process (krb5_principal server,
+process (krb5_realm *realms,
 	 krb5_keytab keytab,
 	 int s,
 	 krb5_address *this_addr,
@@ -361,6 +558,8 @@ process (krb5_principal server,
     krb5_data out_data;
     krb5_ticket *ticket;
     krb5_address other_addr;
+    uint16_t version;
+
 
     krb5_data_zero (&out_data);
 
@@ -389,16 +588,16 @@ process (krb5_principal server,
 	goto out;
     }
 
-    if (verify (&auth_context, server, keytab, &ticket, &out_data,
-		s, sa, sa_size, msg, len) == 0) {
+    if (verify (&auth_context, realms, keytab, &ticket, &out_data,
+		&version, s, sa, sa_size, msg, len) == 0) {
 	change (auth_context,
 		ticket->client,
+		version,
 		s,
 		sa, sa_size,
 		&out_data);
 	memset (out_data.data, 0, out_data.length);
 	krb5_free_ticket (context, ticket);
-	free (ticket);
     }
 
 out:
@@ -410,36 +609,26 @@ static int
 doit (krb5_keytab keytab, int port)
 {
     krb5_error_code ret;
-    krb5_principal server;
     int *sockets;
     int maxfd;
-    char *realm;
+    krb5_realm *realms;
     krb5_addresses addrs;
     unsigned n, i;
     fd_set real_fdset;
     struct sockaddr_storage __ss;
     struct sockaddr *sa = (struct sockaddr *)&__ss;
 
-    ret = krb5_get_default_realm (context, &realm);
+    ret = krb5_get_default_realms(context, &realms);
     if (ret)
-	krb5_err (context, 1, ret, "krb5_get_default_realm");
-
-    ret = krb5_build_principal (context,
-				&server,
-				strlen(realm),
-				realm,
-				"kadmin",
-				"changepw",
-				NULL);
-    if (ret)
-	krb5_err (context, 1, ret, "krb5_build_principal");
-
-    free (realm);
-
-    ret = krb5_get_all_server_addrs (context, &addrs);
-    if (ret)
-	krb5_err (context, 1, ret, "krb5_get_all_server_addrs");
+	krb5_err (context, 1, ret, "krb5_get_default_realms");
 
+    if (explicit_addresses.len) {
+	addrs = explicit_addresses;
+    } else {
+	ret = krb5_get_all_server_addrs (context, &addrs);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_get_all_server_addrs");
+    }
     n = addrs.len;
 
     sockets = malloc (n * sizeof(*sockets));
@@ -448,7 +637,7 @@ doit (krb5_keytab keytab, int port)
     maxfd = -1;
     FD_ZERO(&real_fdset);
     for (i = 0; i < n; ++i) {
-	int sa_size = sizeof(__ss);
+	krb5_socklen_t sa_size = sizeof(__ss);
 
 	krb5_addr2sockaddr (context, &addrs.val[i], sa, &sa_size, port);
 	
@@ -499,14 +688,19 @@ doit (krb5_keytab keytab, int port)
 			krb5_err (context, 1, errno, "recvfrom");
 		}
 
-		process (server, keytab, sockets[i],
+		process (realms, keytab, sockets[i],
 			 &addrs.val[i],
 			 sa, addrlen,
 			 buf, ret);
 	    }
     }
+
+    for (i = 0; i < n; ++i)
+	close(sockets[i]);
+    free(sockets);
+
     krb5_free_addresses (context, &addrs);
-    krb5_free_principal (context, server);
+    krb5_free_host_realm (context, realms);
     krb5_free_context (context);
     return 0;
 }
@@ -517,13 +711,15 @@ sigterm(int sig)
     exit_flag = 1;
 }
 
-const char *check_library  = NULL;
-const char *check_function = NULL;
-char *keytab_str = "HDB:";
-char *realm_str;
-int version_flag;
-int help_flag;
-char *port_str;
+static const char *check_library  = NULL;
+static const char *check_function = NULL;
+static getarg_strings policy_libraries = { 0, NULL };
+static char *keytab_str = "HDB:";
+static char *realm_str;
+static int version_flag;
+static int help_flag;
+static char *port_str;
+static char *config_file;
 
 struct getargs args[] = {
 #ifdef HAVE_DLOPEN
@@ -531,9 +727,14 @@ struct getargs args[] = {
       "library to load password check function from", "library" },
     { "check-function", 0, arg_string, &check_function,
       "password check function to load", "function" },
+    { "policy-libraries", 0, arg_strings, &policy_libraries,
+      "password check function to load", "function" },
 #endif
+    { "addresses",	0,	arg_strings, &addresses_str,
+      "addresses to listen on", "list of addresses" },
     { "keytab", 'k', arg_string, &keytab_str, 
       "keytab to get authentication key from", "kspec" },
+    { "config-file", 'c', arg_string, &config_file },
     { "realm", 'r', arg_string, &realm_str, "default realm", "realm" },
     { "port",  'p', arg_string, &port_str, "port" },
     { "version", 0, arg_flag, &version_flag },
@@ -547,7 +748,8 @@ main (int argc, char **argv)
     int optind;
     krb5_keytab keytab;
     krb5_error_code ret;
-    int port;
+    char **files;
+    int port, i;
     
     optind = krb5_program_setup(&context, argc, argv, args, num_args, NULL);
     
@@ -558,6 +760,21 @@ main (int argc, char **argv)
 	exit(0);
     }
 
+    if (config_file == NULL) {
+	asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
+	if (config_file == NULL)
+	    errx(1, "out of memory");
+    }
+
+    ret = krb5_prepend_config_files_default(config_file, &files);
+    if (ret)
+	krb5_err(context, 1, ret, "getting configuration files");
+
+    ret = krb5_set_config_files(context, files);
+    krb5_free_config_files(files);
+    if (ret)
+	krb5_err(context, 1, ret, "reading configuration files");
+
     if(realm_str)
 	krb5_set_default_realm(context, realm_str);
     
@@ -590,6 +807,36 @@ main (int argc, char **argv)
     
     kadm5_setup_passwd_quality_check (context, check_library, check_function);
 
+    for (i = 0; i < policy_libraries.num_strings; i++) {
+	ret = kadm5_add_passwd_quality_verifier(context, 
+						policy_libraries.strings[i]);
+	if (ret)
+	    krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier");
+    }
+    ret = kadm5_add_passwd_quality_verifier(context, NULL);
+    if (ret)
+	krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier");
+
+
+    explicit_addresses.len = 0;
+
+    if (addresses_str.num_strings) {
+	int i;
+
+	for (i = 0; i < addresses_str.num_strings; ++i)
+	    add_one_address (addresses_str.strings[i], i == 0);
+	free_getarg_strings (&addresses_str);
+    } else {
+	char **foo = krb5_config_get_strings (context, NULL,
+					      "kdc", "addresses", NULL);
+
+	if (foo != NULL) {
+	    add_one_address (*foo++, TRUE);
+	    while (*foo)
+		add_one_address (*foo++, FALSE);
+	}
+    }
+
 #ifdef HAVE_SIGACTION
     {
 	struct sigaction sa;
diff --git a/crypto/heimdal/kuser/Makefile.am b/crypto/heimdal/kuser/Makefile.am
index e33b948..619d8f8 100644
--- a/crypto/heimdal/kuser/Makefile.am
+++ b/crypto/heimdal/kuser/Makefile.am
@@ -1,20 +1,28 @@
-# $Id: Makefile.am,v 1.31 2003/03/18 13:15:27 lha Exp $
+# $Id: Makefile.am 22285 2007-12-13 20:40:57Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += $(INCLUDE_krb4) $(INCLUDE_des) -I$(srcdir)/../lib/krb5
+AM_CPPFLAGS += $(INCLUDE_hcrypto) -I$(srcdir)/../lib/krb5
 
-man_MANS = kinit.1 klist.1 kdestroy.1 kgetcred.1
+man_MANS = \
+	kinit.1 \
+	klist.1 \
+	kdestroy.1 \
+	kgetcred.1 \
+	kimpersonate.1
+
+SLC = $(top_builddir)/lib/sl/slc
 
 bin_PROGRAMS = kinit klist kdestroy kgetcred
+libexec_PROGRAMS = kdigest kimpersonate
 
-noinst_PROGRAMS = kverify kdecode_ticket generate-requests
+noinst_PROGRAMS = kverify kdecode_ticket generate-requests copy_cred_cache
 
 kinit_LDADD = \
 	$(LIB_kafs) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
-	$(LIB_krb4) \
-	$(LIB_des) \
+	$(top_builddir)/lib/ntlm/libheimntlm.la \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken)
 
@@ -22,12 +30,35 @@ kdestroy_LDADD	= $(kinit_LDADD)
 
 klist_LDADD	= $(kinit_LDADD)
 
+kimpersonate_LDADD = $(kinit_LDADD)
+
+dist_kdigest_SOURCES = kdigest.c
+nodist_kdigest_SOURCES = kdigest-commands.c
+
+kdigest_LDADD = \
+	$(top_builddir)/lib/ntlm/libheimntlm.la \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_hcrypto) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(top_builddir)/lib/sl/libsl.la \
+	$(LIB_roken)
+
+$(kdigest_OBJECTS): kdigest-commands.h
+
+CLEANFILES = kdigest-commands.h kdigest-commands.c
+
+kdigest-commands.c kdigest-commands.h: kdigest-commands.in
+	$(SLC) $(srcdir)/kdigest-commands.in
+
 LDADD = \
 	$(top_builddir)/lib/krb5/libkrb5.la \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken)
 
 # make sure install-exec-hook doesn't have any commands in Makefile.am.common
 install-exec-hook:
 	(cd $(DESTDIR)$(bindir) && rm -f kauth && $(LN_S) kinit kauth)
+
+EXTRA_DIST = $(man_MANS) kuser_locl.h kdigest-commands.in copy_cred_cache.1
+
diff --git a/crypto/heimdal/kuser/Makefile.in b/crypto/heimdal/kuser/Makefile.in
index 01e24a6..8616bf3 100644
--- a/crypto/heimdal/kuser/Makefile.in
+++ b/crypto/heimdal/kuser/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,23 +14,17 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.31 2003/03/18 13:15:27 lha Exp $
+# $Id: Makefile.am 22285 2007-12-13 20:40:57Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
-SOURCES = generate-requests.c kdecode_ticket.c kdestroy.c kgetcred.c kinit.c klist.c kverify.c
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -42,27 +36,27 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
 	$(top_srcdir)/cf/Makefile.am.common
 bin_PROGRAMS = kinit$(EXEEXT) klist$(EXEEXT) kdestroy$(EXEEXT) \
 	kgetcred$(EXEEXT)
+libexec_PROGRAMS = kdigest$(EXEEXT) kimpersonate$(EXEEXT)
 noinst_PROGRAMS = kverify$(EXEEXT) kdecode_ticket$(EXEEXT) \
-	generate-requests$(EXEEXT)
+	generate-requests$(EXEEXT) copy_cred_cache$(EXEEXT)
 subdir = kuser
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -75,6 +69,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -83,25 +78,37 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)"
+am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libexecdir)" \
+	"$(DESTDIR)$(man1dir)"
 binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
-PROGRAMS = $(bin_PROGRAMS) $(noinst_PROGRAMS)
+libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
+PROGRAMS = $(bin_PROGRAMS) $(libexec_PROGRAMS) $(noinst_PROGRAMS)
+copy_cred_cache_SOURCES = copy_cred_cache.c
+copy_cred_cache_OBJECTS = copy_cred_cache.$(OBJEXT)
+copy_cred_cache_LDADD = $(LDADD)
+am__DEPENDENCIES_1 =
+copy_cred_cache_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \
+	$(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \
+	$(am__DEPENDENCIES_1)
 generate_requests_SOURCES = generate-requests.c
 generate_requests_OBJECTS = generate-requests.$(OBJEXT)
 generate_requests_LDADD = $(LDADD)
-am__DEPENDENCIES_1 =
 generate_requests_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \
 	$(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \
 	$(am__DEPENDENCIES_1)
@@ -116,22 +123,32 @@ kdestroy_OBJECTS = kdestroy.$(OBJEXT)
 am__DEPENDENCIES_2 = $(top_builddir)/lib/kafs/libkafs.la \
 	$(am__DEPENDENCIES_1)
 am__DEPENDENCIES_3 = $(am__DEPENDENCIES_2) \
-	$(top_builddir)/lib/krb5/libkrb5.la $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \
-	$(am__DEPENDENCIES_1)
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/ntlm/libheimntlm.la $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
 kdestroy_DEPENDENCIES = $(am__DEPENDENCIES_3)
+dist_kdigest_OBJECTS = kdigest.$(OBJEXT)
+nodist_kdigest_OBJECTS = kdigest-commands.$(OBJEXT)
+kdigest_OBJECTS = $(dist_kdigest_OBJECTS) $(nodist_kdigest_OBJECTS)
+kdigest_DEPENDENCIES = $(top_builddir)/lib/ntlm/libheimntlm.la \
+	$(top_builddir)/lib/krb5/libkrb5.la $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(top_builddir)/lib/sl/libsl.la $(am__DEPENDENCIES_1)
 kgetcred_SOURCES = kgetcred.c
 kgetcred_OBJECTS = kgetcred.$(OBJEXT)
 kgetcred_LDADD = $(LDADD)
 kgetcred_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \
 	$(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \
 	$(am__DEPENDENCIES_1)
+kimpersonate_SOURCES = kimpersonate.c
+kimpersonate_OBJECTS = kimpersonate.$(OBJEXT)
+kimpersonate_DEPENDENCIES = $(am__DEPENDENCIES_3)
 kinit_SOURCES = kinit.c
 kinit_OBJECTS = kinit.$(OBJEXT)
 kinit_DEPENDENCIES = $(am__DEPENDENCIES_2) \
-	$(top_builddir)/lib/krb5/libkrb5.la $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \
-	$(am__DEPENDENCIES_1)
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/ntlm/libheimntlm.la $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
 klist_SOURCES = klist.c
 klist_OBJECTS = klist.$(OBJEXT)
 klist_DEPENDENCIES = $(am__DEPENDENCIES_3)
@@ -141,34 +158,31 @@ kverify_LDADD = $(LDADD)
 kverify_DEPENDENCIES = $(top_builddir)/lib/krb5/libkrb5.la \
 	$(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \
 	$(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
-SOURCES = generate-requests.c kdecode_ticket.c kdestroy.c kgetcred.c \
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = copy_cred_cache.c generate-requests.c kdecode_ticket.c \
+	kdestroy.c $(dist_kdigest_SOURCES) $(nodist_kdigest_SOURCES) \
+	kgetcred.c kimpersonate.c kinit.c klist.c kverify.c
+DIST_SOURCES = copy_cred_cache.c generate-requests.c kdecode_ticket.c \
+	kdestroy.c $(dist_kdigest_SOURCES) kgetcred.c kimpersonate.c \
 	kinit.c klist.c kverify.c
-DIST_SOURCES = generate-requests.c kdecode_ticket.c kdestroy.c \
-	kgetcred.c kinit.c klist.c kverify.c
 man1dir = $(mandir)/man1
 MANS = $(man_MANS)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -178,8 +192,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -190,11 +202,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -202,42 +213,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -255,12 +251,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -270,15 +263,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -287,6 +279,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -298,15 +291,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -314,74 +302,80 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(INCLUDE_des) -I$(srcdir)/../lib/krb5
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	$(INCLUDE_hcrypto) -I$(srcdir)/../lib/krb5
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -398,28 +392,49 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
-man_MANS = kinit.1 klist.1 kdestroy.1 kgetcred.1
+man_MANS = \
+	kinit.1 \
+	klist.1 \
+	kdestroy.1 \
+	kgetcred.1 \
+	kimpersonate.1
+
+SLC = $(top_builddir)/lib/sl/slc
 kinit_LDADD = \
 	$(LIB_kafs) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
-	$(LIB_krb4) \
-	$(LIB_des) \
+	$(top_builddir)/lib/ntlm/libheimntlm.la \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken)
 
 kdestroy_LDADD = $(kinit_LDADD)
 klist_LDADD = $(kinit_LDADD)
+kimpersonate_LDADD = $(kinit_LDADD)
+dist_kdigest_SOURCES = kdigest.c
+nodist_kdigest_SOURCES = kdigest-commands.c
+kdigest_LDADD = \
+	$(top_builddir)/lib/ntlm/libheimntlm.la \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_hcrypto) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(top_builddir)/lib/sl/libsl.la \
+	$(LIB_roken)
+
+CLEANFILES = kdigest-commands.h kdigest-commands.c
 LDADD = \
 	$(top_builddir)/lib/krb5/libkrb5.la \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken)
 
+EXTRA_DIST = $(man_MANS) kuser_locl.h kdigest-commands.in copy_cred_cache.1
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -451,7 +466,7 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-binPROGRAMS: $(bin_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)"
+	test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
 	@list='$(bin_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -477,6 +492,34 @@ clean-binPROGRAMS:
 	  echo " rm -f $$p $$f"; \
 	  rm -f $$p $$f ; \
 	done
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	test -z "$(libexecdir)" || $(MKDIR_P) "$(DESTDIR)$(libexecdir)"
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  if test -f $$p \
+	     || test -f $$p1 \
+	  ; then \
+	    f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
+	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(libexecdir)/$$f'"; \
+	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(libexecdir)/$$f" || exit 1; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
+	  echo " rm -f '$(DESTDIR)$(libexecdir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(libexecdir)/$$f"; \
+	done
+
+clean-libexecPROGRAMS:
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  echo " rm -f $$p $$f"; \
+	  rm -f $$p $$f ; \
+	done
 
 clean-noinstPROGRAMS:
 	@list='$(noinst_PROGRAMS)'; for p in $$list; do \
@@ -484,27 +527,36 @@ clean-noinstPROGRAMS:
 	  echo " rm -f $$p $$f"; \
 	  rm -f $$p $$f ; \
 	done
+copy_cred_cache$(EXEEXT): $(copy_cred_cache_OBJECTS) $(copy_cred_cache_DEPENDENCIES) 
+	@rm -f copy_cred_cache$(EXEEXT)
+	$(LINK) $(copy_cred_cache_OBJECTS) $(copy_cred_cache_LDADD) $(LIBS)
 generate-requests$(EXEEXT): $(generate_requests_OBJECTS) $(generate_requests_DEPENDENCIES) 
 	@rm -f generate-requests$(EXEEXT)
-	$(LINK) $(generate_requests_LDFLAGS) $(generate_requests_OBJECTS) $(generate_requests_LDADD) $(LIBS)
+	$(LINK) $(generate_requests_OBJECTS) $(generate_requests_LDADD) $(LIBS)
 kdecode_ticket$(EXEEXT): $(kdecode_ticket_OBJECTS) $(kdecode_ticket_DEPENDENCIES) 
 	@rm -f kdecode_ticket$(EXEEXT)
-	$(LINK) $(kdecode_ticket_LDFLAGS) $(kdecode_ticket_OBJECTS) $(kdecode_ticket_LDADD) $(LIBS)
+	$(LINK) $(kdecode_ticket_OBJECTS) $(kdecode_ticket_LDADD) $(LIBS)
 kdestroy$(EXEEXT): $(kdestroy_OBJECTS) $(kdestroy_DEPENDENCIES) 
 	@rm -f kdestroy$(EXEEXT)
-	$(LINK) $(kdestroy_LDFLAGS) $(kdestroy_OBJECTS) $(kdestroy_LDADD) $(LIBS)
+	$(LINK) $(kdestroy_OBJECTS) $(kdestroy_LDADD) $(LIBS)
+kdigest$(EXEEXT): $(kdigest_OBJECTS) $(kdigest_DEPENDENCIES) 
+	@rm -f kdigest$(EXEEXT)
+	$(LINK) $(kdigest_OBJECTS) $(kdigest_LDADD) $(LIBS)
 kgetcred$(EXEEXT): $(kgetcred_OBJECTS) $(kgetcred_DEPENDENCIES) 
 	@rm -f kgetcred$(EXEEXT)
-	$(LINK) $(kgetcred_LDFLAGS) $(kgetcred_OBJECTS) $(kgetcred_LDADD) $(LIBS)
+	$(LINK) $(kgetcred_OBJECTS) $(kgetcred_LDADD) $(LIBS)
+kimpersonate$(EXEEXT): $(kimpersonate_OBJECTS) $(kimpersonate_DEPENDENCIES) 
+	@rm -f kimpersonate$(EXEEXT)
+	$(LINK) $(kimpersonate_OBJECTS) $(kimpersonate_LDADD) $(LIBS)
 kinit$(EXEEXT): $(kinit_OBJECTS) $(kinit_DEPENDENCIES) 
 	@rm -f kinit$(EXEEXT)
-	$(LINK) $(kinit_LDFLAGS) $(kinit_OBJECTS) $(kinit_LDADD) $(LIBS)
+	$(LINK) $(kinit_OBJECTS) $(kinit_LDADD) $(LIBS)
 klist$(EXEEXT): $(klist_OBJECTS) $(klist_DEPENDENCIES) 
 	@rm -f klist$(EXEEXT)
-	$(LINK) $(klist_LDFLAGS) $(klist_OBJECTS) $(klist_LDADD) $(LIBS)
+	$(LINK) $(klist_OBJECTS) $(klist_LDADD) $(LIBS)
 kverify$(EXEEXT): $(kverify_OBJECTS) $(kverify_DEPENDENCIES) 
 	@rm -f kverify$(EXEEXT)
-	$(LINK) $(kverify_LDFLAGS) $(kverify_OBJECTS) $(kverify_LDADD) $(LIBS)
+	$(LINK) $(kverify_OBJECTS) $(kverify_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -526,13 +578,9 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 install-man1: $(man1_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man1dir)" || $(mkdir_p) "$(DESTDIR)$(man1dir)"
+	test -z "$(man1dir)" || $(MKDIR_P) "$(DESTDIR)$(man1dir)"
 	@list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -596,9 +644,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -623,23 +673,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/.. $(distdir)/../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -658,8 +706,8 @@ check-am: all-am
 check: check-am
 all-am: Makefile $(PROGRAMS) $(MANS) all-local
 installdirs:
-	for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man1dir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -678,22 +726,23 @@ install-strip:
 mostlyclean-generic:
 
 clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-binPROGRAMS clean-generic clean-libtool \
-	clean-noinstPROGRAMS mostlyclean-am
+clean-am: clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \
+	clean-libtool clean-noinstPROGRAMS mostlyclean-am
 
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -709,14 +758,22 @@ install-data-am: install-man
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
-install-exec-am: install-binPROGRAMS
+install-dvi: install-dvi-am
+
+install-exec-am: install-binPROGRAMS install-libexecPROGRAMS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man: install-man1
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -736,23 +793,33 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-binPROGRAMS uninstall-info-am uninstall-man
+uninstall-am: uninstall-binPROGRAMS uninstall-libexecPROGRAMS \
+	uninstall-man
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
 
 uninstall-man: uninstall-man1
 
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
 .PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
-	clean clean-binPROGRAMS clean-generic clean-libtool \
-	clean-noinstPROGRAMS ctags distclean distclean-compile \
-	distclean-generic distclean-libtool distclean-tags distdir dvi \
-	dvi-am html html-am info info-am install install-am \
-	install-binPROGRAMS install-data install-data-am install-exec \
-	install-exec-am install-info install-info-am install-man \
-	install-man1 install-strip installcheck installcheck-am \
-	installdirs maintainer-clean maintainer-clean-generic \
-	mostlyclean mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \
-	uninstall-am uninstall-binPROGRAMS uninstall-info-am \
-	uninstall-man uninstall-man1
+	clean clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \
+	clean-libtool clean-noinstPROGRAMS ctags dist-hook distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-binPROGRAMS install-data \
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am \
+	install-libexecPROGRAMS install-man install-man1 install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-binPROGRAMS \
+	uninstall-hook uninstall-libexecPROGRAMS uninstall-man \
+	uninstall-man1
 
 
 install-suid-programs:
@@ -767,8 +834,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -778,19 +845,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -806,7 +885,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -876,15 +955,45 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
 
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
+$(kdigest_OBJECTS): kdigest-commands.h
+
+kdigest-commands.c kdigest-commands.h: kdigest-commands.in
+	$(SLC) $(srcdir)/kdigest-commands.in
+
 # make sure install-exec-hook doesn't have any commands in Makefile.am.common
 install-exec-hook:
 	(cd $(DESTDIR)$(bindir) && rm -f kauth && $(LN_S) kinit kauth)
diff --git a/crypto/heimdal/kuser/copy_cred_cache.1 b/crypto/heimdal/kuser/copy_cred_cache.1
new file mode 100644
index 0000000..b589735
--- /dev/null
+++ b/crypto/heimdal/kuser/copy_cred_cache.1
@@ -0,0 +1,97 @@
+.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: copy_cred_cache.1 13783 2004-04-25 16:03:45Z joda $
+.\"
+.Dd April 24, 2004
+.Dt COPY_CRED_CACHE 1
+.Os HEIMDAL
+.Sh NAME
+.Nm copy_cred_cache
+.Nd
+copy credentials from one cache to another
+.Sh SYNOPSIS
+.Nm
+.Op Fl -krbtgt-only
+.Op Fl -service= Ns Ar principal
+.Op Fl -enctype= Ns Ar enctype
+.Op Fl -flags= Ns Ar ticketflags
+.Op Fl -valid-for= Ns Ar time
+.Op Fl -fcache-version= Ns Ar integer
+.Op Aq Ar from-cache
+.Aq Ar to-cache
+.Sh DESCRIPTION
+.Nm
+copies credentials from
+.Aq Ar from-cache
+(or the default cache) to
+.Aq Ar to-cache .
+.Pp
+Supported options:
+.Bl -tag -width Ds
+.It Fl -krbtgt-only
+Copies only krbtgt credentials for the client's realm. This is
+equivalent to
+.Fl -service= Ns Li krbtgt/ Ns Ao Ar CLIENTREALM Ac Ns Li @ Ns Ao Ar CLIENTREALM Ac .
+.It Fl -service= Ns Ar principal
+Copies only credentials matching this service principal.
+.It Fl -enctype= Ns Ar enctype
+Copies only credentials a matching enctype.
+.It Fl -flags= Ns Ar ticketflags
+Copies only credentials with these ticket flags set.
+.It Fl -valid-for= Ns Ar time
+Copies only credentials that are valid for at least this long. This
+does not take renewable creds into account.
+.It Fl -fcache-version= Ns Ar integer
+The created cache, If a standard
+.Li FILE
+cache is created, it will have this file format version.
+.El
+.\".Sh ENVIRONMENT
+.\".Sh FILES
+.Sh EXAMPLES
+To copy only credentials that are valid for at least one day and with
+the
+.Li initial
+flag set, try something like:
+.Bd -literal -offset indent
+$ copy_cred_cache --valid-for=1d --flags=initial FILE:/some/cache
+.Ed
+.Sh DIAGNOSTICS
+The
+.Nm
+utility exits 0 on success, and \*[Gt]0 if an error occurs, or of no
+credentials where actually copied.
+.\".Sh SEE ALSO
+.\".Sh STANDARDS
+.\".Sh HISTORY
+.\".Sh AUTHORS
+.\".Sh BUGS
diff --git a/crypto/heimdal/kuser/copy_cred_cache.c b/crypto/heimdal/kuser/copy_cred_cache.c
new file mode 100644
index 0000000..8faf82d
--- /dev/null
+++ b/crypto/heimdal/kuser/copy_cred_cache.c
@@ -0,0 +1,215 @@
+/*
+ * Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: copy_cred_cache.c 15542 2005-07-01 07:20:54Z lha $");
+#endif
+
+#include <stdlib.h>
+#include <krb5.h>
+#include <roken.h>
+#include <getarg.h>
+#include <parse_units.h>
+#include <parse_time.h>
+
+static int krbtgt_only_flag;
+static char *service_string;
+static char *enctype_string;
+static char *flags_string;
+static char *valid_string;
+static int fcache_version;
+static int help_flag;
+static int version_flag;
+
+static struct getargs args[] = {
+    { "krbtgt-only", 0, arg_flag, &krbtgt_only_flag,
+      "only copy local krbtgt" },
+    { "service", 0, arg_string, &service_string,
+      "limit to this service", "principal" },
+    { "enctype", 0, arg_string, &enctype_string,
+      "limit to this enctype", "enctype" },
+    { "flags", 0, arg_string, &flags_string,
+      "limit to these flags", "ticketflags" },
+    { "valid-for", 0, arg_string, &valid_string, 
+      "limit to creds valid for at least this long", "time" },
+    { "fcache-version", 0, arg_integer, &fcache_version,
+      "file cache version to create" },
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 'h', arg_flag, &help_flag }
+};
+
+static void
+usage(int ret)
+{
+    arg_printusage(args,
+		   sizeof(args) / sizeof(*args),
+		   NULL,
+		   "[from-cache] to-cache");
+    exit(ret);
+}
+
+static int32_t
+bitswap32(int32_t b)
+{
+    int32_t r = 0;
+    int i;
+    for (i = 0; i < 32; i++) {
+	r = r << 1 | (b & 1);
+	b = b >> 1;
+    }
+    return r;
+}
+
+static void
+parse_ticket_flags(krb5_context context,
+		   const char *string, krb5_ticket_flags *ret_flags)
+{
+    TicketFlags ff;
+    int flags = parse_flags(string, asn1_TicketFlags_units(), 0);
+    if (flags == -1)	/* XXX */
+	krb5_errx(context, 1, "bad flags specified: \"%s\"", string);
+
+    memset(&ff, 0, sizeof(ff));
+    ff.proxy = 1;
+    if (parse_flags("proxy", asn1_TicketFlags_units(), 0) == TicketFlags2int(ff))
+	ret_flags->i = flags;
+    else
+	ret_flags->i = bitswap32(flags);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    int optidx = 0;
+    const char *from_name, *to_name;
+    krb5_ccache from_ccache, to_ccache;
+    krb5_flags whichfields = 0;
+    krb5_creds mcreds;
+    unsigned int matched;
+
+    setprogname(argv[0]);
+
+    memset(&mcreds, 0, sizeof(mcreds));
+
+    if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+	usage(1);
+
+    if (help_flag)
+	usage(0);
+
+    if (version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    argc -= optidx;
+    argv += optidx;
+
+    if (argc < 1 || argc > 2)
+	usage(1);
+
+    if (krb5_init_context(&context))
+	errx(1, "krb5_init_context failed");
+
+    if (service_string) {
+	ret = krb5_parse_name(context, service_string, &mcreds.server);
+	if (ret)
+	    krb5_err(context, 1, ret, "%s", service_string);
+    }
+    if (enctype_string) {
+	krb5_enctype enctype;
+	ret = krb5_string_to_enctype(context, enctype_string, &enctype);
+	if (ret)
+	    krb5_err(context, 1, ret, "%s", enctype_string);
+	whichfields |= KRB5_TC_MATCH_KEYTYPE;
+	mcreds.session.keytype = enctype;
+    }
+    if (flags_string) {
+	parse_ticket_flags(context, flags_string, &mcreds.flags);
+	whichfields |= KRB5_TC_MATCH_FLAGS;
+    }
+    if (valid_string) {
+	time_t t = parse_time(valid_string, "s");
+	if(t < 0)
+	    errx(1, "unknown time \"%s\"", valid_string);
+	mcreds.times.endtime = time(NULL) + t;
+	whichfields |= KRB5_TC_MATCH_TIMES;
+    }
+    if (fcache_version)
+	krb5_set_fcache_version(context, fcache_version);
+
+    if (argc == 1) {
+	from_name = krb5_cc_default_name(context);
+	to_name = argv[0];
+    } else {
+	from_name = argv[0];
+	to_name = argv[1];
+    }
+
+    ret = krb5_cc_resolve(context, from_name, &from_ccache);
+    if (ret)
+	krb5_err(context, 1, ret, "%s", from_name);
+
+    if (krbtgt_only_flag) {
+	krb5_principal client;
+	ret = krb5_cc_get_principal(context, from_ccache, &client);
+	if (ret)
+	    krb5_err(context, 1, ret, "getting default principal");
+	ret = krb5_make_principal(context, &mcreds.server,
+				  krb5_principal_get_realm(context, client),
+				  KRB5_TGS_NAME,
+				  krb5_principal_get_realm(context, client),
+				  NULL);
+	if (ret)
+	    krb5_err(context, 1, ret, "constructing krbtgt principal");
+	krb5_free_principal(context, client);
+    }
+    ret = krb5_cc_resolve(context, to_name, &to_ccache);
+    if (ret)
+	krb5_err(context, 1, ret, "%s", to_name);
+
+    ret = krb5_cc_copy_cache_match(context, from_ccache, to_ccache,
+				   whichfields, &mcreds, &matched);
+    if (ret)
+	krb5_err(context, 1, ret, "copying cred cache");
+
+    krb5_cc_close(context, from_ccache);
+    if(matched == 0)
+	krb5_cc_destroy(context, to_ccache);
+    else
+	krb5_cc_close(context, to_ccache);
+    krb5_free_context(context);
+    return matched == 0;
+}
diff --git a/crypto/heimdal/kuser/generate-requests.c b/crypto/heimdal/kuser/generate-requests.c
index 993a8b0..95d8dc9 100644
--- a/crypto/heimdal/kuser/generate-requests.c
+++ b/crypto/heimdal/kuser/generate-requests.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 2000 - 2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kuser_locl.h"
 
-RCSID("$Id: generate-requests.c,v 1.4 2001/08/24 01:07:22 assar Exp $");
+RCSID("$Id: generate-requests.c 19233 2006-12-06 08:04:05Z lha $");
 
 static krb5_error_code
 null_key_proc (krb5_context context,
@@ -58,8 +58,7 @@ read_words (const char *filename, char ***ret_w)
 	err (1, "cannot open %s", filename);
     alloc = n = 0;
     while (fgets (buf, sizeof(buf), f) != NULL) {
-	if (buf[strlen (buf) - 1] == '\n')
-	    buf[strlen (buf) - 1] = '\0';
+	buf[strcspn(buf, "\r\n")] = '\0';
 	if (n >= alloc) {
 	    alloc += 16;
 	    w = erealloc (w, alloc * sizeof(char **));
@@ -67,6 +66,8 @@ read_words (const char *filename, char ***ret_w)
 	w[n++] = estrdup (buf);
     }
     *ret_w = w;
+    if (n == 0)
+	errx(1, "%s is an empty file, no words to try", filename);
     return n;
 }
 
@@ -105,7 +106,7 @@ generate_requests (const char *filename, unsigned nreq)
 	ret = krb5_get_in_cred (context, 0, NULL, NULL, NULL, NULL,
 				null_key_proc, NULL, NULL, NULL,
 				&cred, NULL);
-	krb5_free_creds_contents (context, &cred);
+	krb5_free_cred_contents (context, &cred);
     }
 }
 
@@ -130,12 +131,12 @@ usage (int ret)
 int
 main(int argc, char **argv)
 {
-    int optind = 0;
+    int optidx = 0;
     int nreq;
     char *end;
 
     setprogname(argv[0]);
-    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
 	usage(1);
 
     if (help_flag)
@@ -146,8 +147,8 @@ main(int argc, char **argv)
 	exit(0);
     }
 
-    argc -= optind;
-    argv += optind;
+    argc -= optidx;
+    argv += optidx;
 
     if (argc != 2)
 	usage (1);
diff --git a/crypto/heimdal/kuser/kdecode_ticket.c b/crypto/heimdal/kuser/kdecode_ticket.c
index 74ca5af..968478d 100644
--- a/crypto/heimdal/kuser/kdecode_ticket.c
+++ b/crypto/heimdal/kuser/kdecode_ticket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kuser_locl.h"
 
-RCSID("$Id: kdecode_ticket.c,v 1.5 2001/02/20 01:44:51 assar Exp $");
+RCSID("$Id: kdecode_ticket.c 15541 2005-07-01 07:14:58Z lha $");
 
 static char *etype_str;
 static int version_flag;
@@ -101,7 +101,7 @@ main(int argc, char **argv)
     krb5_context context;
     krb5_ccache cache;
     krb5_creds in, *out;
-    int optind = 0;
+    int optidx = 0;
 
     setprogname (argv[0]);
 
@@ -109,7 +109,7 @@ main(int argc, char **argv)
     if (ret)
 	errx(1, "krb5_init_context failed: %d", ret);
   
-    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
 	usage(1);
     
     if (help_flag)
@@ -120,8 +120,8 @@ main(int argc, char **argv)
 	exit(0);
     }
 
-    argc -= optind;
-    argv += optind;
+    argc -= optidx;
+    argv += optidx;
 
     if (argc != 1)
 	usage (1);
@@ -157,6 +157,6 @@ main(int argc, char **argv)
     print_and_decode_tkt (context, &out->ticket, out->server,
 			  out->session.keytype);
 
-    krb5_free_creds_contents(context, out);
+    krb5_free_cred_contents(context, out);
     return 0;
 }
diff --git a/crypto/heimdal/kuser/kdestroy.1 b/crypto/heimdal/kuser/kdestroy.1
index 8910e9a..5e18701 100644
--- a/crypto/heimdal/kuser/kdestroy.1
+++ b/crypto/heimdal/kuser/kdestroy.1
@@ -1,4 +1,4 @@
-.\" Copyright (c) 1997, 1999, 2001 Kungliga Tekniska Högskolan
+.\" Copyright (c) 1997, 1999, 2001, 2004, 2006 Kungliga Tekniska Högskolan
 .\" (Royal Institute of Technology, Stockholm, Sweden). 
 .\" All rights reserved. 
 .\"
@@ -29,28 +29,35 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 .\" SUCH DAMAGE. 
 .\" 
-.\" $Id: kdestroy.1,v 1.4 2003/02/16 21:10:23 lha Exp $
+.\" $Id: kdestroy.1 22071 2007-11-14 20:04:50Z lha $
 .\"
-.Dd August 27, 1997
+.Dd April 27, 2006
 .Dt KDESTROY 1
 .Os HEIMDAL
 .Sh NAME
 .Nm kdestroy
-.Nd destroy the current ticket file
+.Nd remove one credental or destroy the current ticket file
 .Sh SYNOPSIS
 .Nm
+.Bk -words
 .Op Fl c Ar cachefile
+.Op Fl -credential= Ns Ar principal
 .Op Fl -cache= Ns Ar cachefile
 .Op Fl -no-unlog
 .Op Fl -no-delete-v4
 .Op Fl -version
 .Op Fl -help
+.Ek
 .Sh DESCRIPTION
 .Nm
-remove the current set of tickets.
+remove one or the current set of tickets.
 .Pp
 Supported options:
 .Bl -tag -width Ds
+.It Fl credential= Ns Ar principal
+remove
+.Fa principal
+from the credential cache if it exists.
 .It Fl c Ar cachefile
 .It Fl cache= Ns Ar cachefile
 The cache file to remove.
diff --git a/crypto/heimdal/kuser/kdestroy.c b/crypto/heimdal/kuser/kdestroy.c
index 4d23245..5358fcd 100644
--- a/crypto/heimdal/kuser/kdestroy.c
+++ b/crypto/heimdal/kuser/kdestroy.c
@@ -32,15 +32,18 @@
  */
 
 #include "kuser_locl.h"
-RCSID("$Id: kdestroy.c,v 1.14.2.1 2003/05/08 18:59:17 lha Exp $");
+RCSID("$Id: kdestroy.c 20458 2007-04-19 20:41:27Z lha $");
 
 static const char *cache;
+static const char *credential;
 static int help_flag;
 static int version_flag;
 static int unlog_flag = 1;
 static int dest_tkt_flag = 1;
 
 struct getargs args[] = {
+    { "credential",	0,   arg_string, &credential,
+      "remove one credential", "principal" },
     { "cache",		'c', arg_string, &cache, "cache to destroy", "cache" },
     { "unlog",		0,   arg_negative_flag, &unlog_flag,
       "do not destroy tokens", NULL },
@@ -65,12 +68,12 @@ main (int argc, char **argv)
     krb5_error_code ret;
     krb5_context context;
     krb5_ccache  ccache;
-    int optind = 0;
+    int optidx = 0;
     int exit_val = 0;
 
     setprogname (argv[0]);
 
-    if(getarg(args, num_args, argc, argv, &optind))
+    if(getarg(args, num_args, argc, argv, &optidx))
 	usage(1);
   
     if (help_flag)
@@ -81,8 +84,8 @@ main (int argc, char **argv)
 	exit(0);
     }
   
-    argc -= optind;
-    argv += optind;
+    argc -= optidx;
+    argv += optidx;
 
     if (argc != 0)
 	usage (1);
@@ -99,11 +102,32 @@ main (int argc, char **argv)
 	}
     }
 
-    ret =  krb5_cc_resolve(context, 
+    ret =  krb5_cc_resolve(context,
 			   cache, 
 			   &ccache);
 
     if (ret == 0) {
+	if (credential) {
+	    krb5_creds mcred;
+	    
+	    krb5_cc_clear_mcred(&mcred);
+
+	    ret = krb5_parse_name(context, credential, &mcred.server);
+	    if (ret)
+		krb5_err(context, 1, ret,
+			 "Can't parse principal %s", credential);
+
+	    ret = krb5_cc_remove_cred(context, ccache, 0, &mcred);
+	    if (ret)
+		krb5_err(context, 1, ret, 
+			 "Failed to remove principal %s", credential);
+
+	    krb5_cc_close(context, ccache);
+	    krb5_free_principal(context, mcred.server);
+	    krb5_free_context(context);
+	    return 0;
+	}
+
 	ret = krb5_cc_destroy (context, ccache);
 	if (ret) {
 	    warnx ("krb5_cc_destroy: %s", krb5_get_err_text(context, ret));
@@ -117,10 +141,6 @@ main (int argc, char **argv)
 
     krb5_free_context (context);
 
-#if KRB4
-    if(dest_tkt_flag && dest_tkt ())
-	exit_val = 1;
-#endif
     if (unlog_flag && k_hasafs ()) {
 	if (k_unlog ())
 	    exit_val = 1;
diff --git a/crypto/heimdal/kuser/kdigest-commands.in b/crypto/heimdal/kuser/kdigest-commands.in
new file mode 100644
index 0000000..c980b18
--- /dev/null
+++ b/crypto/heimdal/kuser/kdigest-commands.in
@@ -0,0 +1,280 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+/* $Id: kdigest-commands.in 22157 2007-12-04 20:03:29Z lha $ */
+
+command = {
+	name = "digest-probe"
+	option = {
+		long = "realm"
+		type = "string"
+		help = "Kerberos realm to communicate with"
+	}
+	help = "probe what mech is allowed/supported for this server"
+}
+command = {
+	name = "digest-server-init"
+	option = {
+		long = "type"
+		type = "string"
+		help = "digest type"
+		default = "sasl"
+	}
+	option = {
+		long = "kerberos-realm"
+		type = "string"
+		argument = "realm"
+		help = ""
+	}
+	option = {
+		long = "digest"
+		type = "string"
+		argument = "digest-type"
+		help = "digest type to use in the algorithm"
+	}
+	option = {
+		long = "cb-type"
+		type = "string"
+		argument = "type"
+		help = "type of channel bindings"
+	}
+	option = {
+		long = "cb-value"
+		type = "string"
+		argument = "value"
+		help = "value of channel bindings"
+	}
+	option = {
+		long = "hostname"
+		type = "string"
+		argument = "hostname"
+		help = "hostname of the server"
+	}
+	option = {
+		long = "realm"
+		type = "string"
+		help = "Kerberos realm to communicate with"
+	}
+	help = "Sets up a digest context and return initial parameters"
+}
+command = {
+	name = "digest-server-request"
+	option = {
+		long = "type"
+		type = "string"
+		help = "digest type"
+		default = "sasl"
+	}
+	option = {
+		long = "kerberos-realm"
+		type = "string"
+		argument = "realm"
+		help = ""
+	}
+	option = {
+		long = "username"
+		type = "string"
+		argument = "name"
+		help = "digest type"
+	}
+	option = {
+		long = "server-nonce"
+		type = "string"
+		argument = "nonce"
+		help = ""
+	}
+	option = {
+		long = "server-identifier"
+		type = "string"
+		argument = "nonce"
+		help = ""
+	}
+	option = {
+		long = "client-nonce"
+		type = "string"
+		argument = "nonce"
+		help = ""
+	}
+	option = {
+		long = "client-response"
+		type = "string"
+		argument = "response"
+		help = ""
+	}
+	option = {
+		long = "opaque"
+		type = "string"
+		argument = "string"
+		help = ""
+	}
+	option = {
+		long = "authentication-name"
+		type = "string"
+		argument = "name"
+		help = ""
+	}
+	option = {
+		long = "realm"
+		type = "string"
+		argument = "realm"
+		help = ""
+	}
+	option = {
+		long = "method"
+		type = "string"
+		argument = "method"
+		help = ""
+	}
+	option = {
+		long = "uri"
+		type = "string"
+		argument = "uri"
+		help = ""
+	}
+	option = {
+		long = "nounce-count"
+		type = "string"
+		argument = "count"
+		help = ""
+	}
+	option = {
+		long = "qop"
+		type = "string"
+		argument = "qop"
+		help = ""
+	}
+	option = {
+		long = "ccache"
+		type = "string"
+		argument = "ccache"
+		help = "Where the the credential cache is created when the KDC returns tickets"
+	}
+	help = "Completes digest negotiation and return final parameters"
+}
+command = {
+	name = "digest-client-request"
+	option = {
+		long = "type"
+		type = "string"
+		help = "digest type"
+		default = "sasl"
+	}
+	option = {
+		long = "username"
+		type = "string"
+		argument = "name"
+		help = "digest type"
+	}
+	option = {
+		long = "password"
+		type = "string"
+		argument = "password"
+	}
+	option = {
+		long = "server-nonce"
+		type = "string"
+		argument = "nonce"
+		help = ""
+	}
+	option = {
+		long = "server-identifier"
+		type = "string"
+		argument = "nonce"
+		help = ""
+	}
+	option = {
+		long = "client-nonce"
+		type = "string"
+		argument = "nonce"
+		help = ""
+	}
+	option = {
+		long = "opaque"
+		type = "string"
+		argument = "string"
+		help = ""
+	}
+	option = {
+		long = "realm"
+		type = "string"
+		argument = "realm"
+		help = ""
+	}
+	option = {
+		long = "method"
+		type = "string"
+		argument = "method"
+		help = ""
+	}
+	option = {
+		long = "uri"
+		type = "string"
+		argument = "uri"
+		help = ""
+	}
+	option = {
+		long = "nounce-count"
+		type = "string"
+		argument = "count"
+		help = ""
+	}
+	option = {
+		long = "qop"
+		type = "string"
+		argument = "qop"
+		help = ""
+	}
+	help = "Client part of a digest exchange"
+}
+command = {
+	name = "ntlm-server-init"
+	option = {
+		long = "version"
+		type = "integer"
+		help = "ntlm version"
+		default = "1"
+	}
+	option = {
+		long = "kerberos-realm"
+		type = "string"
+		help = "Kerberos realm to communicate with"
+	}
+	help = "Sets up a digest context and return initial parameters"
+}
+command = {
+	name = "help"
+	name = "?"
+	argument = "[command]"
+	min_args = "0"
+	max_args = "1"
+	help = "Help! I need somebody."
+}
diff --git a/crypto/heimdal/kuser/kdigest.c b/crypto/heimdal/kuser/kdigest.c
new file mode 100644
index 0000000..418aedb
--- /dev/null
+++ b/crypto/heimdal/kuser/kdigest.c
@@ -0,0 +1,551 @@
+/*
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kuser_locl.h"
+RCSID("$Id: kdigest.c 22158 2007-12-04 20:04:01Z lha $");
+#include <kdigest-commands.h>
+#include <hex.h>
+#include <base64.h>
+#include <heimntlm.h>
+#include "crypto-headers.h"
+
+static int version_flag = 0;
+static int help_flag	= 0;
+static char *ccache_string;
+static krb5_ccache id;
+
+static struct getargs args[] = {
+    {"ccache",	0,	arg_string,	&ccache_string, "credential cache", NULL },
+    {"version",	0,	arg_flag,	&version_flag, "print version", NULL },
+    {"help",	0,	arg_flag,	&help_flag,  NULL, NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args, sizeof(args)/sizeof(*args),
+		    NULL, "");
+    exit (ret);
+}
+
+static krb5_context context;
+
+int
+digest_probe(struct digest_probe_options *opt,
+	     int argc, char ** argv)
+{
+    krb5_error_code ret;
+    krb5_realm realm;
+    unsigned flags;
+
+    realm = opt->realm_string;
+
+    if (realm == NULL)
+	errx(1, "realm missing");
+
+    ret = krb5_digest_probe(context, realm, id, &flags);
+    if (ret)
+	krb5_err(context, 1, ret, "digest_probe");
+
+    printf("flags: %u\n", flags);
+
+    return 0;
+}
+
+int
+digest_server_init(struct digest_server_init_options *opt,
+		   int argc, char ** argv)
+{
+    krb5_error_code ret;
+    krb5_digest digest;
+
+    ret = krb5_digest_alloc(context, &digest);
+    if (ret)
+	krb5_err(context, 1, ret, "digest_alloc");
+
+    ret = krb5_digest_set_type(context, digest, opt->type_string);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_digest_set_type");
+
+    if (opt->cb_type_string && opt->cb_value_string) {
+	ret = krb5_digest_set_server_cb(context, digest, 
+					opt->cb_type_string,
+					opt->cb_value_string);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_digest_set_server_cb");
+    }
+    ret = krb5_digest_init_request(context,
+				   digest,
+				   opt->kerberos_realm_string,
+				   id);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_digest_init_request");
+
+    printf("type=%s\n", opt->type_string);
+    printf("server-nonce=%s\n", 
+	   krb5_digest_get_server_nonce(context, digest));
+    {
+	const char *s = krb5_digest_get_identifier(context, digest);
+	if (s)
+	    printf("identifier=%s\n", s);
+    }
+    printf("opaque=%s\n", krb5_digest_get_opaque(context, digest));
+
+    return 0;
+}
+
+int
+digest_server_request(struct digest_server_request_options *opt, 
+		      int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_digest digest;
+    const char *status, *rsp;
+    krb5_data session_key;
+
+    if (opt->server_nonce_string == NULL)
+	errx(1, "server nonce missing");
+    if (opt->type_string == NULL)
+	errx(1, "type missing");
+    if (opt->opaque_string == NULL)
+	errx(1, "opaque missing");
+    if (opt->client_response_string == NULL)
+	errx(1, "client response missing");
+
+    ret = krb5_digest_alloc(context, &digest);
+    if (ret)
+	krb5_err(context, 1, ret, "digest_alloc");
+
+    if (strcasecmp(opt->type_string, "CHAP") == 0) {
+	if (opt->server_identifier_string == NULL)
+	    errx(1, "server identifier missing");
+
+	ret = krb5_digest_set_identifier(context, digest, 
+					 opt->server_identifier_string);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_digest_set_type");
+    }
+
+    ret = krb5_digest_set_type(context, digest, opt->type_string);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_digest_set_type");
+
+    ret = krb5_digest_set_username(context, digest, opt->username_string);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_digest_set_username");
+
+    ret = krb5_digest_set_server_nonce(context, digest, 
+				       opt->server_nonce_string);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_digest_set_server_nonce");
+
+    if(opt->client_nonce_string) {
+	ret = krb5_digest_set_client_nonce(context, digest, 
+					   opt->client_nonce_string);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_digest_set_client_nonce");
+    }
+
+
+    ret = krb5_digest_set_opaque(context, digest, opt->opaque_string);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_digest_set_opaque");
+
+    ret = krb5_digest_set_responseData(context, digest, 
+				       opt->client_response_string);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_digest_set_responseData");
+
+    ret = krb5_digest_request(context, digest,
+			      opt->kerberos_realm_string, id);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_digest_request");
+
+    status = krb5_digest_rep_get_status(context, digest) ? "ok" : "failed";
+    rsp = krb5_digest_get_rsp(context, digest);
+
+    printf("status=%s\n", status);
+    if (rsp)
+	printf("rsp=%s\n", rsp);
+    printf("tickets=no\n");
+
+    ret = krb5_digest_get_session_key(context, digest, &session_key);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_digest_get_session_key");
+
+    if (session_key.length) {
+	char *key;
+	hex_encode(session_key.data, session_key.length, &key);
+	if (key == NULL)
+	    krb5_errx(context, 1, "hex_encode");
+	krb5_data_free(&session_key);
+	printf("session-key=%s\n", key);
+	free(key);
+    }
+
+    return 0;
+}
+
+static void
+client_chap(const void *server_nonce, size_t snoncelen,
+	    unsigned char server_identifier,
+	    const char *password)
+{
+    MD5_CTX ctx;
+    unsigned char md[MD5_DIGEST_LENGTH];
+    char *h;
+
+    MD5_Init(&ctx);
+    MD5_Update(&ctx, &server_identifier, 1);
+    MD5_Update(&ctx, password, strlen(password));
+    MD5_Update(&ctx, server_nonce, snoncelen);
+    MD5_Final(md, &ctx);
+
+    hex_encode(md, 16, &h);
+
+    printf("responseData=%s\n", h);
+    free(h);
+}
+
+static const unsigned char ms_chap_v2_magic1[39] = {
+    0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
+    0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
+    0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
+    0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74
+};
+static const unsigned char ms_chap_v2_magic2[41] = {
+    0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
+    0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
+    0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
+    0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
+    0x6E
+};
+static const unsigned char ms_rfc3079_magic1[27] = {
+    0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74,
+    0x68, 0x65, 0x20, 0x4d, 0x50, 0x50, 0x45, 0x20, 0x4d,
+    0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x4b, 0x65, 0x79
+};
+
+static void
+client_mschapv2(const void *server_nonce, size_t snoncelen,
+		const void *client_nonce, size_t cnoncelen,
+		const char *username,
+		const char *password)
+{
+    SHA_CTX ctx;
+    MD4_CTX hctx;
+    unsigned char md[SHA_DIGEST_LENGTH], challange[SHA_DIGEST_LENGTH];
+    unsigned char hmd[MD4_DIGEST_LENGTH];
+    struct ntlm_buf answer;
+    int i, len, ret;
+    char *h;
+
+    SHA1_Init(&ctx);
+    SHA1_Update(&ctx, client_nonce, cnoncelen);
+    SHA1_Update(&ctx, server_nonce, snoncelen);
+    SHA1_Update(&ctx, username, strlen(username));
+    SHA1_Final(md, &ctx);
+
+    MD4_Init(&hctx);
+    len = strlen(password);
+    for (i = 0; i < len; i++) {
+	MD4_Update(&hctx, &password[i], 1);
+	MD4_Update(&hctx, &password[len], 1);
+    }	
+    MD4_Final(hmd, &hctx);
+
+    /* ChallengeResponse */
+    ret = heim_ntlm_calculate_ntlm1(hmd, sizeof(hmd), md, &answer);
+    if (ret)
+	errx(1, "heim_ntlm_calculate_ntlm1");
+
+    hex_encode(answer.data, answer.length, &h);
+    printf("responseData=%s\n", h);
+    free(h);
+
+    /* PasswordHash */
+    MD4_Init(&hctx);
+    MD4_Update(&hctx, hmd, sizeof(hmd));
+    MD4_Final(hmd, &hctx);
+
+    /* GenerateAuthenticatorResponse */
+    SHA1_Init(&ctx);
+    SHA1_Update(&ctx, hmd, sizeof(hmd));
+    SHA1_Update(&ctx, answer.data, answer.length);
+    SHA1_Update(&ctx, ms_chap_v2_magic1, sizeof(ms_chap_v2_magic1));
+    SHA1_Final(md, &ctx);
+    
+    /* ChallengeHash */
+    SHA1_Init(&ctx);
+    SHA1_Update(&ctx, client_nonce, cnoncelen);
+    SHA1_Update(&ctx, server_nonce, snoncelen);
+    SHA1_Update(&ctx, username, strlen(username));
+    SHA1_Final(challange, &ctx);
+
+    SHA1_Init(&ctx);
+    SHA1_Update(&ctx, md, sizeof(md));
+    SHA1_Update(&ctx, challange, 8);
+    SHA1_Update(&ctx, ms_chap_v2_magic2, sizeof(ms_chap_v2_magic2));
+    SHA1_Final(md, &ctx);
+
+    hex_encode(md, sizeof(md), &h);
+    printf("AuthenticatorResponse=%s\n", h);
+    free(h);
+
+    /* get_master, rfc 3079 3.4 */
+    SHA1_Init(&ctx);
+    SHA1_Update(&ctx, hmd, sizeof(hmd));
+    SHA1_Update(&ctx, answer.data, answer.length);
+    SHA1_Update(&ctx, ms_rfc3079_magic1, sizeof(ms_rfc3079_magic1));
+    SHA1_Final(md, &ctx);
+
+    free(answer.data);
+
+    hex_encode(md, 16, &h);
+    printf("session-key=%s\n", h);
+    free(h);
+}
+
+
+int
+digest_client_request(struct digest_client_request_options *opt, 
+		      int argc, char **argv)
+{
+    char *server_nonce, *client_nonce = NULL, server_identifier;
+    ssize_t snoncelen, cnoncelen = 0;
+
+    if (opt->server_nonce_string == NULL)
+	errx(1, "server nonce missing");
+    if (opt->password_string == NULL)
+	errx(1, "password missing");
+
+    if (opt->opaque_string == NULL)
+	errx(1, "opaque missing");
+
+    snoncelen = strlen(opt->server_nonce_string);
+    server_nonce = malloc(snoncelen);
+    if (server_nonce == NULL)
+	errx(1, "server_nonce");
+
+    snoncelen = hex_decode(opt->server_nonce_string, server_nonce, snoncelen);
+    if (snoncelen <= 0) 
+	errx(1, "server nonce wrong");
+
+    if (opt->client_nonce_string) {
+	cnoncelen = strlen(opt->client_nonce_string);
+	client_nonce = malloc(cnoncelen);
+	if (client_nonce == NULL)
+	    errx(1, "client_nonce");
+	
+	cnoncelen = hex_decode(opt->client_nonce_string, 
+			       client_nonce, cnoncelen);
+	if (cnoncelen <= 0) 
+	    errx(1, "client nonce wrong");
+    }
+
+    if (opt->server_identifier_string) {
+	int ret;
+
+	ret = hex_decode(opt->server_identifier_string, &server_identifier, 1);
+	if (ret != 1)
+	    errx(1, "server identifier wrong length");
+    }
+
+    if (strcasecmp(opt->type_string, "CHAP") == 0) {
+	if (opt->server_identifier_string == NULL)
+	    errx(1, "server identifier missing");
+
+	client_chap(server_nonce, snoncelen, server_identifier, 
+		    opt->password_string);
+
+    } else if (strcasecmp(opt->type_string, "MS-CHAP-V2") == 0) {
+	if (opt->client_nonce_string == NULL)
+	    errx(1, "client nonce missing");
+	if (opt->username_string == NULL)
+	    errx(1, "client nonce missing");
+
+	client_mschapv2(server_nonce, snoncelen,
+			client_nonce, cnoncelen, 
+			opt->username_string,
+			opt->password_string);
+    }
+	
+
+    return 0;
+}
+
+#include <heimntlm.h>
+
+int
+ntlm_server_init(struct ntlm_server_init_options *opt,
+		 int argc, char ** argv)
+{
+    krb5_error_code ret;
+    krb5_ntlm ntlm;
+    struct ntlm_type2 type2;
+    krb5_data challange, opaque;
+    struct ntlm_buf data;
+    char *s;
+
+    memset(&type2, 0, sizeof(type2));
+
+    ret = krb5_ntlm_alloc(context, &ntlm);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_ntlm_alloc");
+
+    ret = krb5_ntlm_init_request(context, 
+				 ntlm,
+				 opt->kerberos_realm_string,
+				 id,
+				 NTLM_NEG_UNICODE|NTLM_NEG_NTLM,
+				 "NUTCRACKER",
+				 "L");
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_ntlm_init_request");
+
+    /*
+     *
+     */
+
+    ret = krb5_ntlm_init_get_challange(context, ntlm, &challange);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_ntlm_init_get_challange");
+
+    if (challange.length != sizeof(type2.challange))
+	krb5_errx(context, 1, "ntlm challange have wrong length");
+    memcpy(type2.challange, challange.data, sizeof(type2.challange));
+    krb5_data_free(&challange);
+
+    ret = krb5_ntlm_init_get_flags(context, ntlm, &type2.flags);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_ntlm_init_get_flags");
+
+    krb5_ntlm_init_get_targetname(context, ntlm, &type2.targetname);
+    type2.targetinfo.data = "\x00\x00";
+    type2.targetinfo.length = 2;
+	
+    ret = heim_ntlm_encode_type2(&type2, &data);
+    if (ret)
+	krb5_errx(context, 1, "heim_ntlm_encode_type2");
+
+    free(type2.targetname);
+	
+    /*
+     *
+     */
+
+    base64_encode(data.data, data.length, &s);
+    free(data.data);
+    printf("type2=%s\n", s);
+    free(s);
+
+    /*
+     *
+     */
+
+    ret = krb5_ntlm_init_get_opaque(context, ntlm, &opaque);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_ntlm_init_get_opaque");
+
+    base64_encode(opaque.data, opaque.length, &s);
+    krb5_data_free(&opaque);
+    printf("opaque=%s\n", s);
+    free(s);
+
+    /*
+     *
+     */
+
+    krb5_ntlm_free(context, ntlm);
+
+    return 0;
+}
+
+
+/*
+ *
+ */
+
+int
+help(void *opt, int argc, char **argv)
+{
+    sl_slc_help(commands, argc, argv);
+    return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    int optidx = 0;
+
+    setprogname(argv[0]);
+
+    ret = krb5_init_context (&context);
+    if (ret == KRB5_CONFIG_BADFORMAT)
+	errx (1, "krb5_init_context failed to parse configuration file");
+    else if (ret)
+	errx(1, "krb5_init_context failed: %d", ret);
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optidx;
+    argv += optidx;
+
+    if (argc == 0) {
+	help(NULL, argc, argv);
+	return 1;
+    }
+
+    if (ccache_string) {
+	ret = krb5_cc_resolve(context, ccache_string, &id);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_cc_resolve");
+    }
+
+    ret = sl_command (commands, argc, argv);
+    if (ret == -1) {
+	help(NULL, argc, argv);
+	return 1;
+    }
+    return ret;
+}
diff --git a/crypto/heimdal/kuser/kgetcred.1 b/crypto/heimdal/kuser/kgetcred.1
index f69e411..1949ff7 100644
--- a/crypto/heimdal/kuser/kgetcred.1
+++ b/crypto/heimdal/kuser/kgetcred.1
@@ -29,9 +29,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 .\" SUCH DAMAGE. 
 .\" 
-.\" $Id: kgetcred.1,v 1.6 2003/02/16 21:10:24 lha Exp $
+.\" $Id: kgetcred.1 14090 2004-08-05 18:49:47Z lha $
 .\"
-.Dd May 14, 1999
+.Dd March 12, 2004
 .Dt KGETCRED 1
 .Os HEIMDAL
 .Sh NAME
@@ -39,10 +39,16 @@
 .Nd "get a ticket for a particular service"
 .Sh SYNOPSIS
 .Nm
+.Op Fl -canonicalize
+.Oo Fl c cache \*(Ba Xo
+.Fl -cache= Ns Ar cache
+.Xc
+.Oc
 .Oo Fl e Ar enctype \*(Ba Xo
 .Fl -enctype= Ns Ar enctype
 .Xc
 .Oc
+.Op Fl -no-transit-check
 .Op Fl -version
 .Op Fl -help
 .Ar service
@@ -56,10 +62,23 @@ ticket or of a special type.
 Supported options:
 .Bl -tag -width Ds
 .It Xo
+.Fl -canonicalize
+.Xc
+requests that the KDC canonicalize the principal.
+.It Xo
+.Fl c Ar cache ,
+.Fl -cache= Ns Ar cache
+.Xc
+the credential cache to use.
+.It Xo
 .Fl e Ar enctype ,
 .Fl -enctype= Ns Ar enctype
 .Xc
-encryption type to use
+encryption type to use.
+.It Xo
+.Fl -no-transit-check
+.Xc
+requests that the KDC doesn't do trasnit checking.
 .It Xo
 .Fl -version
 .Xc
diff --git a/crypto/heimdal/kuser/kgetcred.c b/crypto/heimdal/kuser/kgetcred.c
index 6707455..a842e00 100644
--- a/crypto/heimdal/kuser/kgetcred.c
+++ b/crypto/heimdal/kuser/kgetcred.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,15 +33,34 @@
 
 #include "kuser_locl.h"
 
-RCSID("$Id: kgetcred.c,v 1.5 2001/02/20 01:44:51 assar Exp $");
+RCSID("$Id: kgetcred.c 22276 2007-12-12 02:42:31Z lha $");
 
+static char *cache_str;
+static char *out_cache_str;
+static char *delegation_cred_str;
 static char *etype_str;
+static int transit_flag = 1;
+static int forwardable_flag;
+static char *impersonate_str;
+static char *nametype_str;
 static int version_flag;
 static int help_flag;
 
 struct getargs args[] = {
+    { "cache",		'c', arg_string, &cache_str,
+      "credential cache to use", "cache"},
+    { "out-cache",	0,   arg_string, &out_cache_str,
+      "credential cache to store credential in", "cache"},
+    { "delegation-credential-cache",0,arg_string, &delegation_cred_str,
+      "where to find the ticket use for delegation", "cache"},
+    { "forwardable",	0, arg_flag, &forwardable_flag,
+      "forwardable ticket requested"},
+    { "transit-check",	0,   arg_negative_flag, &transit_flag },
     { "enctype",	'e', arg_string, &etype_str,
       "encryption type to use", "enctype"},
+    { "impersonate",	0,   arg_string, &impersonate_str,
+      "client to impersonate", "principal"},
+    { "name-type",		0,   arg_string, &nametype_str },
     { "version", 	0,   arg_flag, &version_flag },
     { "help",		0,   arg_flag, &help_flag }
 };
@@ -62,8 +81,11 @@ main(int argc, char **argv)
     krb5_error_code ret;
     krb5_context context;
     krb5_ccache cache;
-    krb5_creds in, *out;
-    int optind = 0;
+    krb5_creds *out;
+    int optidx = 0;
+    krb5_get_creds_opt opt;
+    krb5_principal server;
+    krb5_principal impersonate = NULL;
 
     setprogname (argv[0]);
 
@@ -71,7 +93,7 @@ main(int argc, char **argv)
     if (ret)
 	errx(1, "krb5_init_context failed: %d", ret);
   
-    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
 	usage(1);
     
     if (help_flag)
@@ -82,17 +104,25 @@ main(int argc, char **argv)
 	exit(0);
     }
 
-    argc -= optind;
-    argv += optind;
+    argc -= optidx;
+    argv += optidx;
 
     if (argc != 1)
 	usage (1);
 
-    ret = krb5_cc_default(context, &cache);
-    if (ret)
-	krb5_err (context, 1, ret, "krb5_cc_default");
+    if(cache_str) {
+	ret = krb5_cc_resolve(context, cache_str, &cache);
+	if (ret)
+	    krb5_err (context, 1, ret, "%s", cache_str);
+    } else {
+	ret = krb5_cc_default (context, &cache);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_cc_resolve");
+    }
 
-    memset(&in, 0, sizeof(in));
+    ret = krb5_get_creds_opt_alloc(context, &opt);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_get_creds_opt_alloc");
 
     if (etype_str) {
 	krb5_enctype enctype;
@@ -100,22 +130,99 @@ main(int argc, char **argv)
 	ret = krb5_string_to_enctype(context, etype_str, &enctype);
 	if (ret)
 	    krb5_errx (context, 1, "unrecognized enctype: %s", etype_str);
-	in.session.keytype = enctype;
+	krb5_get_creds_opt_set_enctype(context, opt, enctype);
     }
 
-    ret = krb5_cc_get_principal(context, cache, &in.client);
-    if (ret)
-	krb5_err (context, 1, ret, "krb5_cc_get_principal");
+    if (impersonate_str) {
+	ret = krb5_parse_name(context, impersonate_str, &impersonate);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_parse_name %s", impersonate_str);
+	krb5_get_creds_opt_set_impersonate(context, opt, impersonate);
+	krb5_get_creds_opt_add_options(context, opt, KRB5_GC_NO_STORE);
+    }
+
+    if (out_cache_str)
+	krb5_get_creds_opt_add_options(context, opt, KRB5_GC_NO_STORE);
+
+    if (forwardable_flag)
+	krb5_get_creds_opt_add_options(context, opt, KRB5_GC_FORWARDABLE);
+    if (!transit_flag)
+	krb5_get_creds_opt_add_options(context, opt, KRB5_GC_NO_TRANSIT_CHECK);
+
+    if (delegation_cred_str) {
+	krb5_ccache id;
+	krb5_creds c, mc;
+	Ticket ticket;
+
+	krb5_cc_clear_mcred(&mc);
+	ret = krb5_cc_get_principal(context, cache, &mc.server);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_cc_get_principal");
+
+	ret = krb5_cc_resolve(context, delegation_cred_str, &id);
+	if(ret)
+	    krb5_err (context, 1, ret, "krb5_cc_resolve");
+
+	ret = krb5_cc_retrieve_cred(context, id, 0, &mc, &c);
+	if(ret)
+	    krb5_err (context, 1, ret, "krb5_cc_retrieve_cred");
 
-    ret = krb5_parse_name(context, argv[0], &in.server);
+	ret = decode_Ticket(c.ticket.data, c.ticket.length, &ticket, NULL);
+	if (ret) {
+	    krb5_clear_error_string(context);
+	    krb5_err (context, 1, ret, "decode_Ticket");
+	}
+	krb5_free_cred_contents(context, &c);
+
+	ret = krb5_get_creds_opt_set_ticket(context, opt, &ticket);
+	if(ret)
+	    krb5_err (context, 1, ret, "krb5_get_creds_opt_set_ticket");
+	free_Ticket(&ticket);
+
+	krb5_cc_close (context, id);
+	krb5_free_principal(context, mc.server);
+
+	krb5_get_creds_opt_add_options(context, opt, 
+				       KRB5_GC_CONSTRAINED_DELEGATION);
+    }
+
+    ret = krb5_parse_name(context, argv[0], &server);
     if (ret)
 	krb5_err (context, 1, ret, "krb5_parse_name %s", argv[0]);
 
-    in.times.endtime = 0;
-    ret = krb5_get_credentials(context, 0, cache, &in, &out);
+    if (nametype_str) {
+	ret = krb5_parse_nametype(context, nametype_str,
+				  &server->name.name_type);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_parse_nametype");
+    }
+
+    ret = krb5_get_creds(context, opt, cache, server, &out);
     if (ret)
-	krb5_err (context, 1, ret, "krb5_get_credentials");
+	krb5_err (context, 1, ret, "krb5_get_creds");
+
+    if (out_cache_str) {
+	krb5_ccache id;
+
+	ret = krb5_cc_resolve(context, out_cache_str, &id);
+	if(ret)
+	    krb5_err (context, 1, ret, "krb5_cc_resolve");
+
+	ret = krb5_cc_initialize(context, id, out->client);
+	if(ret)
+	    krb5_err (context, 1, ret, "krb5_cc_initialize");
+
+	ret = krb5_cc_store_cred(context, id, out);
+	if(ret)
+	    krb5_err (context, 1, ret, "krb5_cc_store_cred");
+	krb5_cc_close (context, id);
+    }
+
+    krb5_free_creds(context, out);
+    krb5_free_principal(context, server);
+    krb5_get_creds_opt_free(context, opt);
+    krb5_cc_close (context, cache);
+    krb5_free_context (context);
 
-    krb5_free_creds_contents(context, out);
     return 0;
 }
diff --git a/crypto/heimdal/kuser/kimpersonate.1 b/crypto/heimdal/kuser/kimpersonate.1
new file mode 100644
index 0000000..b9cd8d6
--- /dev/null
+++ b/crypto/heimdal/kuser/kimpersonate.1
@@ -0,0 +1,152 @@
+.\" Copyright (c) 2002 - 2007 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden). 
+.\" All rights reserved. 
+.\"
+.\" Redistribution and use in source and binary forms, with or without 
+.\" modification, are permitted provided that the following conditions 
+.\" are met: 
+.\"
+.\" 1. Redistributions of source code must retain the above copyright 
+.\"    notice, this list of conditions and the following disclaimer. 
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright 
+.\"    notice, this list of conditions and the following disclaimer in the 
+.\"    documentation and/or other materials provided with the distribution. 
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors 
+.\"    may be used to endorse or promote products derived from this software 
+.\"    without specific prior written permission. 
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+.\" SUCH DAMAGE. 
+.\" 
+.\" $Id: kimpersonate.1 20259 2007-02-17 23:49:54Z lha $
+.\"
+.Dd September 18, 2006
+.Dt KERBEROS 1
+.Os Heimdal
+.Sh NAME
+.Nm kimpersonate
+.Nd
+impersonate a user when there exist a srvtab, keyfile or KeyFile
+.Sh SYNOPSIS
+.Nm
+.Oo Fl s Ar string \*(Ba Xo
+.Fl -server= Ns Ar string Oc
+.Xc
+.Oo Fl c Ar string \*(Ba Xo
+.Fl -client= Ns Ar string Oc
+.Xc
+.Oo Fl k Ar string \*(Ba Xo
+.Fl -keytab= Ns Ar string Oc
+.Xc
+.Op Fl 5 | Fl -krb5
+.Oo Fl e Ar integer \*(Ba Xo
+.Fl -expire-time= Ns Ar integer Oc
+.Xc
+.Oo Fl a Ar string \*(Ba Xo
+.Fl -client-address= Ns Ar string Oc
+.Xc
+.Oo Fl t Ar string \*(Ba Xo
+.Fl -enc-type= Ns Ar string Oc
+.Xc
+.Oo Fl f Ar string \*(Ba Xo
+.Fl -ticket-flags= Ns Ar string Oc
+.Xc
+.Op Fl -verbose
+.Op Fl -version
+.Op Fl -help
+.Sh DESCRIPTION
+The
+.Nm
+program creates a "fake" ticket using the service-key of the service.
+The service key can be read from a Kerberos 5 keytab, AFS KeyFile or
+(if compiled with support for Kerberos 4) a Kerberos 4 srvtab.
+Supported options:
+.Bl -tag -width Ds
+.It Xo
+.Fl s Ar string Ns ,
+.Fl -server= Ns Ar string
+.Xc
+name of server principal
+.It Xo
+.Fl c Ar string Ns ,
+.Fl -client= Ns Ar string
+.Xc
+name of client principal
+.It Xo
+.Fl k Ar string Ns ,
+.Fl -keytab= Ns Ar string
+.Xc
+name of keytab file
+.It Xo
+.Fl 5 Ns ,
+.Fl -krb5
+.Xc
+create a Kerberos 5 ticket
+.It Xo
+.Fl e Ar integer Ns ,
+.Fl -expire-time= Ns Ar integer
+.Xc
+lifetime of ticket in seconds
+.It Xo
+.Fl a Ar string Ns ,
+.Fl -client-address= Ns Ar string
+.Xc
+address of client
+.It Xo
+.Fl t Ar string Ns ,
+.Fl -enc-type= Ns Ar string
+.Xc
+encryption type
+.It Xo
+.Fl f Ar string Ns ,
+.Fl -ticket-flags= Ns Ar string
+.Xc
+ticket flags for krb5 ticket
+.It Xo
+.Fl -verbose
+.Xc
+Verbose output
+.It Xo
+.Fl -version
+.Xc
+Print version
+.It Xo
+.Fl -help
+.Xc
+.El
+.Sh FILES
+Uses
+.Pa /etc/krb5.keytab,
+.Pa /etc/srvtab
+and
+.Pa /usr/afs/etc/KeyFile
+when avalible and the the
+.Fl k
+is used with appropriate prefix.
+.Sh EXAMPLES
+.Nm
+can be used in
+.Nm samba
+root preexec option
+or for debugging.
+.Nm
+-s host/hummel.e.kth.se@E.KTH.SE -c lha@E.KTH.SE -5
+will create a Kerberos 5 ticket for lha@E.KTH.SE for the host
+hummel.e.kth.se if there exists a keytab entry for it in
+.Pa /etc/krb5.keytab .
+.Sh SEE ALSO
+.Xr kinit 1 ,
+.Xr klist 1
+.Sh AUTHORS
+Love Hornquist Astrand <lha@kth.se>
diff --git a/crypto/heimdal/kuser/kimpersonate.c b/crypto/heimdal/kuser/kimpersonate.c
new file mode 100644
index 0000000..9ef99af
--- /dev/null
+++ b/crypto/heimdal/kuser/kimpersonate.c
@@ -0,0 +1,330 @@
+/*
+ * Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kuser_locl.h"
+RCSID("$Id: kimpersonate.c 22117 2007-12-03 21:24:16Z lha $");
+#include <parse_units.h>
+
+static char *client_principal_str = NULL;
+static krb5_principal client_principal;
+static char *server_principal_str = NULL;
+static krb5_principal server_principal;
+
+static char *ccache_str = NULL;
+
+static char *ticket_flags_str = NULL;
+static TicketFlags ticket_flags;
+static char *keytab_file = NULL;
+static char *enc_type = "des-cbc-md5";
+static int   expiration_time = 3600;
+static struct getarg_strings client_addresses;
+static int   version_flag = 0;
+static int   help_flag = 0;
+static int   use_krb5 = 1;
+
+/*
+ *
+ */
+
+static void
+encode_ticket (krb5_context context, 
+	       EncryptionKey *skey,
+	       krb5_enctype etype,
+	       int skvno,
+	       krb5_creds *cred)
+{
+    size_t len, size;
+    char *buf;
+    krb5_error_code ret;
+    krb5_crypto crypto;
+    EncryptedData enc_part;
+    EncTicketPart et;    
+    Ticket ticket;
+
+    memset (&enc_part, 0, sizeof(enc_part));
+    memset (&ticket, 0, sizeof(ticket));
+    
+    /*
+     * Set up `enc_part'
+     */
+
+    et.flags = cred->flags.b;
+    et.key = cred->session;
+    et.crealm = *krb5_princ_realm (context, cred->client);
+    copy_PrincipalName(&cred->client->name, &et.cname);
+    {
+	krb5_data empty_string;
+	
+	krb5_data_zero(&empty_string); 
+	et.transited.tr_type = DOMAIN_X500_COMPRESS;
+	et.transited.contents = empty_string;
+    }
+    et.authtime = cred->times.authtime;
+    et.starttime = NULL;
+    et.endtime = cred->times.endtime;
+    et.renew_till = NULL;
+    et.caddr = &cred->addresses;
+    et.authorization_data = NULL; /* XXX allow random authorization_data */
+
+    /*
+     * Encrypt `enc_part' of ticket with service key
+     */
+
+    ASN1_MALLOC_ENCODE(EncTicketPart, buf, len, &et, &size, ret);
+    if (ret)
+	krb5_err(context, 1, ret, "EncTicketPart");
+
+    krb5_crypto_init(context, skey, etype, &crypto);
+    krb5_encrypt_EncryptedData (context, 
+				crypto,
+				KRB5_KU_TICKET,
+				buf,
+				len,
+				skvno,
+				&ticket.enc_part);
+    free(buf);
+    krb5_crypto_destroy(context, crypto);
+
+    /*
+     * Encode ticket
+     */
+
+    ticket.tkt_vno = 5;
+    ticket.realm = *krb5_princ_realm (context, cred->server);
+    copy_PrincipalName(&cred->server->name, &ticket.sname);
+    
+    ASN1_MALLOC_ENCODE(Ticket, buf, len, &ticket, &size, ret);
+    if(ret)
+	krb5_err (context, 1, ret, "encode_Ticket");
+
+    krb5_data_copy(&cred->ticket, buf, len);
+}
+
+/*
+ *
+ */
+
+static int
+create_krb5_tickets (krb5_context context, krb5_keytab kt)
+{
+    krb5_error_code ret;
+    krb5_keytab_entry entry;
+    krb5_creds cred;
+    krb5_enctype etype;
+    krb5_ccache ccache;
+    
+    memset (&cred, 0, sizeof(cred));
+    
+    ret = krb5_string_to_enctype (context, enc_type, &etype);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_string_to_enctype");
+    ret = krb5_kt_get_entry (context, kt, server_principal, 
+			     0, etype, &entry);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_kt_get_entry");
+
+    /*
+     * setup cred
+     */
+
+
+    ret = krb5_copy_principal (context, client_principal, &cred.client);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_copy_principal");
+    ret = krb5_copy_principal (context, server_principal, &cred.server);
+    if (ret) 
+	krb5_err (context, 1, ret, "krb5_copy_principal");
+    krb5_generate_random_keyblock(context, etype, &cred.session);    
+
+    cred.times.authtime = time(NULL);
+    cred.times.starttime = time(NULL);
+    cred.times.endtime = time(NULL) + expiration_time;
+    cred.times.renew_till = 0;
+    krb5_data_zero(&cred.second_ticket); 
+
+    ret = krb5_get_all_client_addrs (context, &cred.addresses);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_get_all_client_addrs");
+    cred.flags.b = ticket_flags;
+    
+    
+    /*
+     * Encode encrypted part of ticket
+     */
+
+    encode_ticket (context, &entry.keyblock, etype, entry.vno, &cred);    
+
+    /*
+     * Write to cc
+     */
+
+    if (ccache_str) {
+	ret = krb5_cc_resolve(context, ccache_str, &ccache);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_cc_resolve");
+    } else {
+	ret = krb5_cc_default (context, &ccache);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_cc_default");
+    }
+
+    ret = krb5_cc_initialize (context, ccache, cred.client);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_initialize");
+    
+    ret = krb5_cc_store_cred (context, ccache, &cred);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_store_cred");
+
+    krb5_free_cred_contents (context, &cred);
+    krb5_cc_close (context, ccache);
+    
+    return 0;
+}
+
+/*
+ *
+ */
+
+static void
+setup_env (krb5_context context, krb5_keytab *kt)
+{
+    krb5_error_code ret;
+
+    if (keytab_file)
+	ret = krb5_kt_resolve (context, keytab_file, kt);
+    else
+	ret = krb5_kt_default (context, kt);
+    if (ret)
+	krb5_err (context, 1, ret, "resolving keytab");
+
+    if (client_principal_str == NULL)
+	krb5_errx (context, 1, "missing client principal");
+    ret = krb5_parse_name (context, client_principal_str, &client_principal);
+    if (ret)
+	krb5_err (context, 1, ret, "resolvning client name");
+
+    if (server_principal_str == NULL)
+	krb5_errx (context, 1, "missing server principal");
+    ret = krb5_parse_name (context, server_principal_str, &server_principal);
+    if (ret)
+	krb5_err (context, 1, ret, "resolvning client name");
+
+    if (ticket_flags_str) {
+	int ticket_flags_int;
+
+	ticket_flags_int = parse_flags(ticket_flags_str, 
+				       asn1_TicketFlags_units(), 0);
+	if (ticket_flags_int <= 0) {
+	    krb5_warnx (context, "bad ticket flags: `%s'", ticket_flags_str);
+	    print_flags_table (asn1_TicketFlags_units(), stderr);
+	    exit (1);
+	}
+	if (ticket_flags_int)
+	    ticket_flags = int2TicketFlags (ticket_flags_int);
+    }
+}
+
+/*
+ *
+ */
+
+struct getargs args[] = {
+    { "ccache", 0, arg_string, &ccache_str,
+      "name of kerberos 5 credential cache", "cache-name"},
+    { "server", 's', arg_string, &server_principal_str, 
+      "name of server principal" },
+    { "client", 'c', arg_string, &client_principal_str, 
+      "name of client principal" },
+    { "keytab", 'k', arg_string, &keytab_file,
+      "name of keytab file" },
+    { "krb5", '5', arg_flag,	 &use_krb5,
+      "create a kerberos 5 ticket"},
+    { "expire-time", 'e', arg_integer, &expiration_time,
+      "lifetime of ticket in seconds" },
+    { "client-addresses", 'a', arg_strings, &client_addresses,
+      "addresses of client" },
+    { "enc-type", 't', arg_string, 	&enc_type,
+      "encryption type" },
+    { "ticket-flags", 'f', arg_string,   &ticket_flags_str,
+      "ticket flags for krb5 ticket" },
+    { "version", 0,  arg_flag,		&version_flag,	"Print version",
+      NULL },
+    { "help",	 0,  arg_flag,		&help_flag,	NULL,
+      NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args) / sizeof(args[0]),
+		    NULL,
+		    "");
+    exit (ret);
+}
+
+int
+main (int argc, char **argv)
+{
+    int optind = 0;
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_keytab kt;
+
+    setprogname (argv[0]);
+
+    ret = krb5_init_context (&context);
+    if (ret)
+	errx(1, "krb5_init_context failed: %u", ret);
+
+    if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
+		&optind))
+	usage (1);
+
+    if (help_flag)
+	usage (0);
+
+    if (version_flag) {
+	print_version(NULL);
+	return 0;
+    }
+
+    setup_env (context, &kt);
+
+    if (use_krb5)
+	create_krb5_tickets (context, kt);
+
+    krb5_kt_close (context, kt);
+    return 0;
+}
diff --git a/crypto/heimdal/kuser/kinit.1 b/crypto/heimdal/kuser/kinit.1
index 97ed2af..01fac26 100644
--- a/crypto/heimdal/kuser/kinit.1
+++ b/crypto/heimdal/kuser/kinit.1
@@ -1,4 +1,4 @@
-.\" Copyright (c) 1998 - 2002 Kungliga Tekniska Högskolan
+.\" Copyright (c) 1998 - 2003, 2006 Kungliga Tekniska Högskolan
 .\" (Royal Institute of Technology, Stockholm, Sweden). 
 .\" All rights reserved. 
 .\"
@@ -29,9 +29,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 .\" SUCH DAMAGE. 
 .\" 
-.\" $Id: kinit.1,v 1.23 2003/04/06 17:49:05 lha Exp $
+.\" $Id: kinit.1 17822 2006-07-10 14:46:58Z lha $
 .\"
-.Dd May 29, 1998
+.Dd April 25, 2006
 .Dt KINIT 1
 .Os HEIMDAL
 .Sh NAME
@@ -81,8 +81,9 @@
 .Fl -extra-addresses= Ns Ar addresses
 .Xc
 .Oc
-.Op Fl -fcache-version= Ns Ar integer
-.Op Fl -no-addresses
+.Op Fl -password-file= Ns Ar filename
+.Op Fl -fcache-version= Ns Ar version-number
+.Op Fl A | Fl -no-addresses
 .Op Fl -anonymous
 .Op Fl -version
 .Op Fl -help
@@ -125,8 +126,9 @@ keytab.
 .Fl l Ar time ,
 .Fl -lifetime= Ns Ar time
 .Xc
-Specifies the lifetime of the ticket. The argument can either be in
-seconds, or a more human readable string like
+Specifies the lifetime of the ticket.
+The argument can either be in seconds, or a more human readable string
+like
 .Sq 1h .
 .It Xo
 .Fl p ,
@@ -137,7 +139,8 @@ Request tickets with the proxiable flag set.
 .Fl R ,
 .Fl -renew
 .Xc
-Try to renew ticket. The ticket must have the
+Try to renew ticket.
+The ticket must have the
 .Sq renewable
 flag set, and must not be expired.
 .It Fl -renewable
@@ -182,22 +185,35 @@ Try to validate an invalid ticket.
 .Xc
 Request tickets with this particular enctype.
 .It Xo
-.Fl -fcache-version= Ns Ar version
+.Fl -password-file= Ns Ar filename
+.Xc
+read the password from the first line of
+.Ar filename .
+If the
+.Ar filename
+is
+.Ar STDIN ,
+the password will be read from the standard input.
+.It Xo
+.Fl -fcache-version= Ns Ar version-number
 .Xc
 Create a credentials cache of version
-.Nm version .
+.Ar version-number .
 .It Xo
 .Fl a ,
 .Fl -extra-addresses= Ns Ar enctypes
 .Xc
 Adds a set of addresses that will, in addition to the systems local
-addresses, be put in the ticket. This can be useful if all addresses a
-client can use can't be automatically figured out. One such example is
-if the client is behind a firewall. Also settable via
+addresses, be put in the ticket.
+This can be useful if all addresses a client can use can't be
+automatically figured out.
+One such example is if the client is behind a firewall.
+Also settable via
 .Li libdefaults/extra_addresses
 in
 .Xr krb5.conf 5 .
 .It Xo
+.Fl A ,
 .Fl -no-addresses
 .Xc
 Request a ticket with no addresses.
@@ -218,8 +234,8 @@ has been compiled with support for Kerberos 4.
 .Fl -524init
 .Xc
 Try to convert the obtained Kerberos 5 krbtgt to a version 4
-compatible ticket. It will store this ticket in the default Kerberos 4
-ticket file.
+compatible ticket.
+It will store this ticket in the default Kerberos 4 ticket file.
 .It Xo
 .Fl 9 ,
 .Fl -524convert
@@ -227,7 +243,8 @@ ticket file.
 only convert ticket to version 4
 .It Fl -afslog
 Gets AFS tickets, converts them to version 4 format, and stores them
-in the kernel. Only useful if you have AFS.
+in the kernel.
+Only useful if you have AFS.
 .El
 .Pp
 The
@@ -245,16 +262,17 @@ If  a
 .Ar command
 is given,
 .Nm kinit
-will setup new credentials caches, and AFS PAG, and then run the given
-command. When it finishes the credentials will be removed.
+will set up new credentials caches, and AFS PAG, and then run the given
+command.
+When it finishes the credentials will be removed.
 .Sh ENVIRONMENT
 .Bl -tag -width Ds
 .It Ev KRB5CCNAME
 Specifies the default credentials cache.
 .It Ev KRB5_CONFIG
 The file name of
-.Pa krb5.conf
-, the default being
+.Pa krb5.conf ,
+the default being
 .Pa /etc/krb5.conf .
 .It Ev KRBTKFILE
 Specifies the Kerberos 4 ticket file to store version 4 tickets in.
diff --git a/crypto/heimdal/kuser/kinit.c b/crypto/heimdal/kuser/kinit.c
index 4b8b24a..2676309 100644
--- a/crypto/heimdal/kuser/kinit.c
+++ b/crypto/heimdal/kuser/kinit.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,41 +32,60 @@
  */
 
 #include "kuser_locl.h"
-RCSID("$Id: kinit.c,v 1.90.4.5 2004/06/21 08:17:06 lha Exp $");
+RCSID("$Id: kinit.c 22116 2007-12-03 21:22:58Z lha $");
+
+#include "krb5-v4compat.h"
+
+#include "heimntlm.h"
 
 int forwardable_flag	= -1;
 int proxiable_flag	= -1;
 int renewable_flag	= -1;
 int renew_flag		= 0;
+int pac_flag		= -1;
 int validate_flag	= 0;
 int version_flag	= 0;
 int help_flag		= 0;
-int addrs_flag		= 1;
+int addrs_flag		= -1;
 struct getarg_strings extra_addresses;
 int anonymous_flag	= 0;
 char *lifetime 		= NULL;
 char *renew_life	= NULL;
-char *server		= NULL;
+char *server_str	= NULL;
 char *cred_cache	= NULL;
 char *start_str		= NULL;
 struct getarg_strings etype_str;
 int use_keytab		= 0;
 char *keytab_str	= NULL;
 int do_afslog		= -1;
-#ifdef KRB4
 int get_v4_tgt		= -1;
-int convert_524;
-#endif
+int convert_524		= 0;
 int fcache_version;
+char *password_file	= NULL;
+char *pk_user_id	= NULL;
+char *pk_x509_anchors	= NULL;
+int pk_use_enckey	= 0;
+static int canonicalize_flag = 0;
+static char *ntlm_domain;
+
+static char *krb4_cc_name;
 
 static struct getargs args[] = {
-#ifdef KRB4
+    /* 
+     * used by MIT
+     * a: ~A
+     * V: verbose
+     * F: ~f
+     * P: ~p
+     * C: v4 cache name?
+     * 5: 
+     */
     { "524init", 	'4', arg_flag, &get_v4_tgt,
       "obtain version 4 TGT" },
-    
+
     { "524convert", 	'9', arg_flag, &convert_524,
       "only convert ticket to version 4" },
-#endif
+
     { "afslog", 	0  , arg_flag, &do_afslog,
       "obtain afs tokens"  },
 
@@ -94,7 +113,7 @@ static struct getargs args[] = {
     { "renewable-life",	'r', arg_string, &renew_life,
       "renewable lifetime of tickets", "time" },
 
-    { "server", 	'S', arg_string, &server,
+    { "server", 	'S', arg_string, &server_str,
       "server to get ticket for", "principal" },
 
     { "start-time",	's', arg_string, &start_str,
@@ -112,7 +131,7 @@ static struct getargs args[] = {
     { "fcache-version", 0,   arg_integer, &fcache_version,
       "file cache version to create" },
 
-    { "addresses",	0,   arg_negative_flag,	&addrs_flag,
+    { "addresses",	'A',   arg_negative_flag,	&addrs_flag,
       "request a ticket with no addresses" },
 
     { "extra-addresses",'a', arg_strings,	&extra_addresses,
@@ -121,6 +140,27 @@ static struct getargs args[] = {
     { "anonymous",	0,   arg_flag,	&anonymous_flag,
       "request an anonymous ticket" },
 
+    { "request-pac",	0,   arg_flag,	&pac_flag,
+      "request a Windows PAC" },
+
+    { "password-file",	0,   arg_string, &password_file,
+      "read the password from a file" },
+
+    { "canonicalize",0,   arg_flag, &canonicalize_flag,
+      "canonicalize client principal" },
+#ifdef PKINIT
+    { "pk-user",	'C',	arg_string,	&pk_user_id,
+      "principal's public/private/certificate identifier", "id" },
+
+    { "x509-anchors",	'D',  arg_string, &pk_x509_anchors,
+      "directory with CA certificates", "directory" },
+
+    { "pk-use-enckey",	0,  arg_flag, &pk_use_enckey,
+      "Use RSA encrypted reply (instead of DH)" },
+#endif
+    { "ntlm-domain",	0,  arg_string, &ntlm_domain,
+      "NTLM domain", "domain" },
+
     { "version", 	0,   arg_flag, &version_flag },
     { "help",		0,   arg_flag, &help_flag }
 };
@@ -135,130 +175,6 @@ usage (int ret)
     exit (ret);
 }
 
-#ifdef KRB4
-/* for when the KDC tells us it's a v4 one, we try to talk that */
-
-static int
-key_to_key(const char *user,
-	   char *instance,
-	   const char *realm,
-	   const void *arg,
-	   des_cblock *key)
-{
-    memcpy(key, arg, sizeof(des_cblock));
-    return 0;
-}
-
-static int
-do_v4_fallback (krb5_context context,
-		const krb5_principal principal,
-		int lifetime,
-		int use_srvtab, const char *srvtab_str,
-		const char *passwd)
-{
-    int ret;
-    krb_principal princ;
-    des_cblock key;
-    krb5_error_code kret;
-
-    if (lifetime == 0)
-	lifetime = DEFAULT_TKT_LIFE;
-    else
-	lifetime = krb_time_to_life (0, lifetime);
-
-    kret = krb5_524_conv_principal (context, principal,
-				    princ.name,
-				    princ.instance,
-				    princ.realm);
-    if (kret) {
-	krb5_warn (context, kret, "krb5_524_conv_principal");
-	return 1;
-    }
-
-    if (use_srvtab || srvtab_str) {
-	if (srvtab_str == NULL)
-	    srvtab_str = KEYFILE;
-
-	ret = read_service_key (princ.name, princ.instance, princ.realm,
-				0, srvtab_str, (char *)&key);
-	if (ret) {
-	    warnx ("read_service_key %s: %s", srvtab_str,
-		   krb_get_err_text (ret));
-	    return 1;
-	}
-	ret = krb_get_in_tkt (princ.name, princ.instance, princ.realm,
-			      KRB_TICKET_GRANTING_TICKET, princ.realm,
-			      lifetime, key_to_key, NULL, key);
-    } else {
-	ret = krb_get_pw_in_tkt(princ.name, princ.instance, princ.realm, 
-				KRB_TICKET_GRANTING_TICKET, princ.realm, 
-				lifetime, passwd);
-    }
-    memset (key, 0, sizeof(key));
-    if (ret) {
-	warnx ("%s", krb_get_err_text(ret));
-	return 1;
-    }
-    if (do_afslog && k_hasafs()) {
-	if ((ret = krb_afslog(NULL, NULL)) != 0 && ret != KDC_PR_UNKNOWN) {
-	    if(ret > 0)
-		warnx ("%s", krb_get_err_text(ret));
-	    else
-		warnx ("failed to store AFS token");
-	}
-    }
-    return 0;
-}
-
-
-/*
- * the special version of get_default_principal that takes v4 into account
- */
-
-static krb5_error_code
-kinit_get_default_principal (krb5_context context,
-			     krb5_principal *princ)
-{
-    krb5_error_code ret;
-    krb5_ccache id;
-    krb_principal v4_princ;
-    int kret;
-
-    ret = krb5_cc_default (context, &id);
-    if (ret == 0) {
-	ret = krb5_cc_get_principal (context, id, princ);
-	krb5_cc_close (context, id);
-	if (ret == 0)
-	    return 0;
-    }
-
-    kret = krb_get_tf_fullname (tkt_string(),
-				v4_princ.name,
-				v4_princ.instance,
-				v4_princ.realm);
-    if (kret == KSUCCESS) {
-	ret = krb5_425_conv_principal (context,
-				       v4_princ.name,
-				       v4_princ.instance,
-				       v4_princ.realm,
-				       princ);
-	if (ret == 0)
-	    return 0;
-    }
-    return krb5_get_default_principal (context, princ);
-}
-
-#else /* !KRB4 */
-
-static krb5_error_code
-kinit_get_default_principal (krb5_context context,
-			     krb5_principal *princ)
-{
-    return krb5_get_default_principal (context, princ);
-}
-
-#endif /* !KRB4 */
-
 static krb5_error_code
 get_server(krb5_context context,
 	   krb5_principal client,
@@ -274,13 +190,13 @@ get_server(krb5_context context,
 			       KRB5_TGS_NAME, *client_realm, NULL);
 }
 
-#ifdef KRB4
 static krb5_error_code
 do_524init(krb5_context context, krb5_ccache ccache, 
 	   krb5_creds *creds, const char *server)
 {
     krb5_error_code ret;
-    CREDENTIALS c;
+
+    struct credentials c;
     krb5_creds in_creds, *real_creds;
 
     if(creds != NULL)
@@ -305,9 +221,9 @@ do_524init(krb5_context context, krb5_ccache ccache,
     if(ret)
 	krb5_warn(context, ret, "converting creds");
     else {
-	int tret = tf_setup(&c, c.pname, c.pinst);
+	krb5_error_code tret = _krb5_krb_tf_setup(context, &c, NULL, 0);
 	if(tret)
-	    krb5_warnx(context, "saving v4 creds: %s", krb_get_err_text(tret));
+	    krb5_warn(context, tret, "saving v4 creds");
     }
 
     if(creds == NULL)
@@ -316,7 +232,6 @@ do_524init(krb5_context context, krb5_ccache ccache,
 
     return ret;
 }
-#endif
 
 static int
 renew_validate(krb5_context context, 
@@ -327,7 +242,7 @@ renew_validate(krb5_context context,
 	       krb5_deltat life)
 {
     krb5_error_code ret;
-    krb5_creds in, *out;
+    krb5_creds in, *out = NULL;
     krb5_kdc_flags flags;
 
     memset(&in, 0, sizeof(in));
@@ -342,18 +257,40 @@ renew_validate(krb5_context context,
 	krb5_warn(context, ret, "get_server");
 	goto out;
     }
+
+    if (renew) {
+	/* 
+	 * no need to check the error here, it's only to be 
+	 * friendly to the user
+	 */
+	krb5_get_credentials(context, KRB5_GC_CACHED, cache, &in, &out);
+    }
+
     flags.i = 0;
     flags.b.renewable         = flags.b.renew = renew;
     flags.b.validate          = validate;
+
     if (forwardable_flag != -1)
 	flags.b.forwardable       = forwardable_flag;
+    else if (out)
+	flags.b.forwardable 	  = out->flags.b.forwardable;
+
     if (proxiable_flag != -1)
 	flags.b.proxiable         = proxiable_flag;
+    else if (out)
+	flags.b.proxiable 	  = out->flags.b.proxiable;
+
     if (anonymous_flag != -1)
 	flags.b.request_anonymous = anonymous_flag;
     if(life)
 	in.times.endtime = time(NULL) + life;
 
+    if (out) {
+	krb5_free_creds (context, out);
+	out = NULL;
+    }
+
+
     ret = krb5_get_kdc_cred(context,
 			    cache,
 			    flags,
@@ -374,11 +311,9 @@ renew_validate(krb5_context context,
     ret = krb5_cc_store_cred(context, cache, out);
 
     if(ret == 0 && server == NULL) {
-#ifdef KRB4
 	/* only do this if it's a general renew-my-tgt request */
 	if(get_v4_tgt)
 	    do_524init(context, cache, out, NULL);
-#endif
 	if(do_afslog && k_hasafs())
 	    krb5_afslog(context, cache, NULL, NULL);
     }
@@ -389,57 +324,137 @@ renew_validate(krb5_context context,
 	goto out;
     }
 out:
-    krb5_free_creds_contents(context, &in);
+    krb5_free_cred_contents(context, &in);
     return ret;
 }
 
 static krb5_error_code
+store_ntlmkey(krb5_context context, krb5_ccache id, 
+	      const char *domain, krb5_const_principal client,
+	      struct ntlm_buf *buf)
+{
+    krb5_error_code ret;
+    krb5_creds cred;
+    
+    memset(&cred, 0, sizeof(cred));
+
+    ret = krb5_make_principal(context, &cred.server,
+			      krb5_principal_get_realm(context, client),
+			      "@ntlm-key", domain, NULL);
+    if (ret)
+	goto out;
+    ret = krb5_copy_principal(context, client, &cred.client);
+    if (ret)
+	goto out;
+    
+    cred.times.authtime = time(NULL);
+    cred.times.endtime = time(NULL) + 3600 * 24 * 30; /* XXX */
+    cred.session.keytype = ENCTYPE_ARCFOUR_HMAC_MD5;
+    ret = krb5_data_copy(&cred.session.keyvalue, buf->data, buf->length);
+    if (ret)
+	goto out;
+
+    ret = krb5_cc_store_cred(context, id, &cred);
+
+out:
+    krb5_free_cred_contents (context, &cred);
+    return 0;
+}
+
+static krb5_error_code
 get_new_tickets(krb5_context context, 
 		krb5_principal principal,
 		krb5_ccache ccache,
-		krb5_deltat ticket_life)
+		krb5_deltat ticket_life,
+		int interactive)
 {
     krb5_error_code ret;
-    krb5_get_init_creds_opt opt;
-    krb5_addresses no_addrs;
+    krb5_get_init_creds_opt *opt;
     krb5_creds cred;
     char passwd[256];
     krb5_deltat start_time = 0;
     krb5_deltat renew = 0;
+    char *renewstr = NULL;
+    krb5_enctype *enctype = NULL;
+    struct ntlm_buf ntlmkey;
+    krb5_ccache tempccache;
+
+    memset(&ntlmkey, 0, sizeof(ntlmkey));
+    passwd[0] = '\0';
+
+    if (password_file) {
+	FILE *f;
+
+	if (strcasecmp("STDIN", password_file) == 0)
+	    f = stdin;
+	else
+	    f = fopen(password_file, "r");
+	if (f == NULL)
+	    krb5_errx(context, 1, "Failed to open the password file %s",
+		      password_file);
+
+	if (fgets(passwd, sizeof(passwd), f) == NULL)
+	    krb5_errx(context, 1, 
+		      "Failed to read password from file %s", password_file);
+	if (f != stdin)
+	    fclose(f);
+	passwd[strcspn(passwd, "\n")] = '\0';
+    }
+
 
     memset(&cred, 0, sizeof(cred));
 
-    krb5_get_init_creds_opt_init (&opt);
+    ret = krb5_get_init_creds_opt_alloc (context, &opt);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
     
-    krb5_get_init_creds_opt_set_default_flags(context, "kinit", 
-					      /* XXX */principal->realm, &opt);
+    krb5_get_init_creds_opt_set_default_flags(context, "kinit",
+	krb5_principal_get_realm(context, principal), opt);
 
     if(forwardable_flag != -1)
-	krb5_get_init_creds_opt_set_forwardable (&opt, forwardable_flag);
+	krb5_get_init_creds_opt_set_forwardable (opt, forwardable_flag);
     if(proxiable_flag != -1)
-	krb5_get_init_creds_opt_set_proxiable (&opt, proxiable_flag);
+	krb5_get_init_creds_opt_set_proxiable (opt, proxiable_flag);
     if(anonymous_flag != -1)
-	krb5_get_init_creds_opt_set_anonymous (&opt, anonymous_flag);
-
-    if (!addrs_flag) {
-	no_addrs.len = 0;
-	no_addrs.val = NULL;
-
-	krb5_get_init_creds_opt_set_address_list (&opt, &no_addrs);
+	krb5_get_init_creds_opt_set_anonymous (opt, anonymous_flag);
+    if (pac_flag != -1)
+	krb5_get_init_creds_opt_set_pac_request(context, opt, 
+						pac_flag ? TRUE : FALSE);
+    if (canonicalize_flag)
+	krb5_get_init_creds_opt_set_canonicalize(context, opt, TRUE);
+    if (pk_user_id) {
+	ret = krb5_get_init_creds_opt_set_pkinit(context, opt,
+						 principal,
+						 pk_user_id,
+						 pk_x509_anchors,
+						 NULL,
+						 NULL,
+						 pk_use_enckey ? 2 : 0,
+						 krb5_prompter_posix,
+						 NULL,
+						 passwd);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_get_init_creds_opt_set_pkinit");
     }
 
+    if (addrs_flag != -1)
+	krb5_get_init_creds_opt_set_addressless(context, opt, 
+						addrs_flag ? FALSE : TRUE);
+
     if (renew_life == NULL && renewable_flag)
-	renew_life = "1 month";
-    if(renew_life) {
-	renew = parse_time (renew_life, "s");
+	renewstr = "1 month";
+    if (renew_life)
+	renewstr = renew_life;
+    if (renewstr) {
+	renew = parse_time (renewstr, "s");
 	if (renew < 0)
-	    errx (1, "unparsable time: %s", renew_life);
-
-	krb5_get_init_creds_opt_set_renew_life (&opt, renew);
+	    errx (1, "unparsable time: %s", renewstr);
+	
+	krb5_get_init_creds_opt_set_renew_life (opt, renew);
     }
 
     if(ticket_life != 0)
-	krb5_get_init_creds_opt_set_tkt_life (&opt, ticket_life);
+	krb5_get_init_creds_opt_set_tkt_life (opt, ticket_life);
 
     if(start_str) {
 	int tmp = parse_time (start_str, "s");
@@ -450,8 +465,8 @@ get_new_tickets(krb5_context context,
     }
 
     if(etype_str.num_strings) {
-	krb5_enctype *enctype = NULL;
 	int i;
+
 	enctype = malloc(etype_str.num_strings * sizeof(*enctype));
 	if(enctype == NULL)
 	    errx(1, "out of memory");
@@ -462,7 +477,7 @@ get_new_tickets(krb5_context context,
 	    if(ret)
 		errx(1, "unrecognized enctype: %s", etype_str.strings[i]);
 	}
-	krb5_get_init_creds_opt_set_etype_list(&opt, enctype, 
+	krb5_get_init_creds_opt_set_etype_list(opt, enctype, 
 					       etype_str.num_strings);
     }
 
@@ -479,23 +494,40 @@ get_new_tickets(krb5_context context,
 					  principal,
 					  kt,
 					  start_time,
-					  server,
-					  &opt);
+					  server_str,
+					  opt);
 	krb5_kt_close(context, kt);
+    } else if (pk_user_id) {
+	ret = krb5_get_init_creds_password (context,
+					    &cred,
+					    principal,
+					    passwd,
+					    krb5_prompter_posix,
+					    NULL,
+					    start_time,
+					    server_str,
+					    opt);
+    } else if (!interactive) {
+	krb5_warnx(context, "Not interactive, failed to get initial ticket");
+	krb5_get_init_creds_opt_free(context, opt);
+	return 0;
     } else {
-	char *p, *prompt;
-
-	krb5_unparse_name (context, principal, &p);
-	asprintf (&prompt, "%s's Password: ", p);
-	free (p);
 
-	if (des_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
-	    memset(passwd, 0, sizeof(passwd));
-	    exit(1);
+	if (passwd[0] == '\0') {
+	    char *p, *prompt;
+	    
+	    krb5_unparse_name (context, principal, &p);
+	    asprintf (&prompt, "%s's Password: ", p);
+	    free (p);
+	    
+	    if (UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
+		memset(passwd, 0, sizeof(passwd));
+		exit(1);
+	    }
+	    free (prompt);
 	}
 
-	free (prompt);
-
+	
 	ret = krb5_get_init_creds_password (context,
 					    &cred,
 					    principal,
@@ -503,22 +535,12 @@ get_new_tickets(krb5_context context,
 					    krb5_prompter_posix,
 					    NULL,
 					    start_time,
-					    server,
-					    &opt);
+					    server_str,
+					    opt);
     }
-#ifdef KRB4
-    if (ret == KRB5KRB_AP_ERR_V4_REPLY || ret == KRB5_KDC_UNREACH) {
-	int exit_val;
-
-	exit_val = do_v4_fallback (context, principal, ticket_life,
-				   use_keytab, keytab_str, passwd);
-	get_v4_tgt = 0;
-	do_afslog  = 0;
-	memset(passwd, 0, sizeof(passwd));
-	if (exit_val == 0 || ret == KRB5KRB_AP_ERR_V4_REPLY)
-	    return exit_val;
-    }
-#endif
+    krb5_get_init_creds_opt_free(context, opt);
+    if (ntlm_domain && passwd[0])
+	heim_ntlm_nt_key(passwd, &ntlmkey);
     memset(passwd, 0, sizeof(passwd));
 
     switch(ret){
@@ -528,43 +550,136 @@ get_new_tickets(krb5_context context,
 	exit(1);
     case KRB5KRB_AP_ERR_BAD_INTEGRITY:
     case KRB5KRB_AP_ERR_MODIFIED:
+    case KRB5KDC_ERR_PREAUTH_FAILED:
 	krb5_errx(context, 1, "Password incorrect");
 	break;
+    case KRB5KRB_AP_ERR_V4_REPLY:
+	krb5_errx(context, 1, "Looks like a Kerberos 4 reply");
+	break;
     default:
 	krb5_err(context, 1, ret, "krb5_get_init_creds");
     }
 
     if(ticket_life != 0) {
 	if(abs(cred.times.endtime - cred.times.starttime - ticket_life) > 30) {
-	    char life[32];
-	    unparse_time(cred.times.endtime - cred.times.starttime, 
-			 life, sizeof(life));
+	    char life[64];
+	    unparse_time_approx(cred.times.endtime - cred.times.starttime, 
+				life, sizeof(life));
 	    krb5_warnx(context, "NOTICE: ticket lifetime is %s", life);
 	}
     }
-    if(renew != 0) {
+    if(renew_life) {
 	if(abs(cred.times.renew_till - cred.times.starttime - renew) > 30) {
-	    char life[32];
-	    unparse_time(cred.times.renew_till - cred.times.starttime, 
-			 life, sizeof(life));
+	    char life[64];
+	    unparse_time_approx(cred.times.renew_till - cred.times.starttime, 
+				life, sizeof(life));
 	    krb5_warnx(context, "NOTICE: ticket renewable lifetime is %s", 
 		       life);
 	}
     }
 
-    ret = krb5_cc_initialize (context, ccache, cred.client);
+    ret = krb5_cc_new_unique(context, krb5_cc_get_type(context, ccache), 
+			     NULL, &tempccache);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_new_unique");
+
+    ret = krb5_cc_initialize (context, tempccache, cred.client);
     if (ret)
 	krb5_err (context, 1, ret, "krb5_cc_initialize");
     
-    ret = krb5_cc_store_cred (context, ccache, &cred);
+    ret = krb5_cc_store_cred (context, tempccache, &cred);
     if (ret)
 	krb5_err (context, 1, ret, "krb5_cc_store_cred");
 
-    krb5_free_creds_contents (context, &cred);
+    krb5_free_cred_contents (context, &cred);
+
+    ret = krb5_cc_move(context, tempccache, ccache);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_move");
+
+    if (ntlm_domain && ntlmkey.data)
+	store_ntlmkey(context, ccache, ntlm_domain, principal, &ntlmkey);
+
+    if (enctype)
+	free(enctype);
 
     return 0;
 }
 
+static time_t
+ticket_lifetime(krb5_context context, krb5_ccache cache, 
+		krb5_principal client, const char *server)
+{
+    krb5_creds in_cred, *cred;
+    krb5_error_code ret;
+    time_t timeout;
+
+    memset(&in_cred, 0, sizeof(in_cred));
+
+    ret = krb5_cc_get_principal(context, cache, &in_cred.client);
+    if(ret) {
+	krb5_warn(context, ret, "krb5_cc_get_principal");
+	return 0;
+    }
+    ret = get_server(context, in_cred.client, server, &in_cred.server);
+    if(ret) {
+	krb5_free_principal(context, in_cred.client);
+	krb5_warn(context, ret, "get_server");
+	return 0;
+    }
+
+    ret = krb5_get_credentials(context, KRB5_GC_CACHED,
+			       cache, &in_cred, &cred);
+    krb5_free_principal(context, in_cred.client);
+    krb5_free_principal(context, in_cred.server);
+    if(ret) {
+	krb5_warn(context, ret, "krb5_get_credentials");
+	return 0;
+    }
+    timeout = cred->times.endtime - cred->times.starttime;
+    if (timeout < 0)
+	timeout = 0;
+    krb5_free_creds(context, cred);
+    return timeout;
+}
+
+struct renew_ctx {
+    krb5_context context;
+    krb5_ccache  ccache;
+    krb5_principal principal;
+    krb5_deltat ticket_life;
+};
+
+static time_t
+renew_func(void *ptr)
+{
+    struct renew_ctx *ctx = ptr;
+    krb5_error_code ret;
+    time_t expire;
+    int new_tickets = 0;
+
+    if (renewable_flag) {
+	ret = renew_validate(ctx->context, renewable_flag, validate_flag,
+			     ctx->ccache, server_str, ctx->ticket_life);
+	if (ret)
+	    new_tickets = 1;
+    } else
+	new_tickets = 1;
+
+    if (new_tickets)
+	get_new_tickets(ctx->context, ctx->principal, 
+			ctx->ccache, ctx->ticket_life, 0);
+
+    if(get_v4_tgt || convert_524)
+	do_524init(ctx->context, ctx->ccache, NULL, server_str);
+    if(do_afslog && k_hasafs())
+	krb5_afslog(ctx->context, ctx->ccache, NULL, NULL);
+
+    expire = ticket_lifetime(ctx->context, ctx->ccache, ctx->principal,
+			     server_str) / 2;
+    return expire + 1;
+}
+
 int
 main (int argc, char **argv)
 {
@@ -572,16 +687,19 @@ main (int argc, char **argv)
     krb5_context context;
     krb5_ccache  ccache;
     krb5_principal principal;
-    int optind = 0;
+    int optidx = 0;
     krb5_deltat ticket_life = 0;
+    int parseflags = 0;
 
     setprogname (argv[0]);
     
     ret = krb5_init_context (&context);
-    if (ret)
+    if (ret == KRB5_CONFIG_BADFORMAT)
+	errx (1, "krb5_init_context failed to parse configuration file");
+    else if (ret)
 	errx(1, "krb5_init_context failed: %d", ret);
   
-    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
 	usage(1);
     
     if (help_flag)
@@ -592,15 +710,18 @@ main (int argc, char **argv)
 	exit(0);
     }
 
-    argc -= optind;
-    argv += optind;
+    argc -= optidx;
+    argv += optidx;
+
+    if (canonicalize_flag)
+	parseflags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;
 
     if (argv[0]) {
-	ret = krb5_parse_name (context, argv[0], &principal);
+	ret = krb5_parse_name_flags (context, argv[0], parseflags, &principal);
 	if (ret)
 	    krb5_err (context, 1, ret, "krb5_parse_name");
     } else {
-	ret = kinit_get_default_principal (context, &principal);
+	ret = krb5_get_default_principal (context, &principal);
 	if (ret)
 	    krb5_err (context, 1, ret, "krb5_get_default_principal");
     }
@@ -608,6 +729,20 @@ main (int argc, char **argv)
     if(fcache_version)
 	krb5_set_fcache_version(context, fcache_version);
 
+    if(renewable_flag == -1)
+	/* this seems somewhat pointless, but whatever */
+	krb5_appdefault_boolean(context, "kinit",
+				krb5_principal_get_realm(context, principal),
+				"renewable", FALSE, &renewable_flag);
+    if(get_v4_tgt == -1)
+	krb5_appdefault_boolean(context, "kinit", 
+				krb5_principal_get_realm(context, principal), 
+				"krb4_get_tickets", FALSE, &get_v4_tgt);
+    if(do_afslog == -1)
+	krb5_appdefault_boolean(context, "kinit", 
+				krb5_principal_get_realm(context, principal), 
+				"afslog", TRUE, &do_afslog);
+
     if(cred_cache) 
 	ret = krb5_cc_resolve(context, cred_cache, &ccache);
     else {
@@ -620,23 +755,28 @@ main (int argc, char **argv)
 		     krb5_cc_get_type(context, ccache),
 		     krb5_cc_get_name(context, ccache));
 	    setenv("KRB5CCNAME", s, 1);
-#ifdef KRB4
-	    {
+	    if (get_v4_tgt) {
 		int fd;
-		snprintf(s, sizeof(s), "%s_XXXXXX", TKT_ROOT);
-		if((fd = mkstemp(s)) >= 0) {
+		if (asprintf(&krb4_cc_name, "%s_XXXXXX", TKT_ROOT) < 0)
+		    krb5_errx(context, 1, "out of memory");
+		if((fd = mkstemp(krb4_cc_name)) >= 0) {
 		    close(fd);
-		    setenv("KRBTKFILE", s, 1);
+		    setenv("KRBTKFILE", krb4_cc_name, 1);
+		} else {
+		    free(krb4_cc_name);
+		    krb4_cc_name = NULL;
 		}
 	    }
-#endif
-	} else
-	    ret = krb5_cc_default (context, &ccache);
+	} else {
+	    ret = krb5_cc_cache_match(context, principal, NULL, &ccache);
+	    if (ret)
+		ret = krb5_cc_default (context, &ccache);
+	}
     }
     if (ret)
 	krb5_err (context, 1, ret, "resolving credentials cache");
 
-    if (argc > 1 && k_hasafs ())
+    if(argc > 1 && k_hasafs ())
 	k_setpag();
 
     if (lifetime) {
@@ -646,18 +786,8 @@ main (int argc, char **argv)
 
 	ticket_life = tmp;
     }
-#ifdef KRB4
-    if(get_v4_tgt == -1)
-	krb5_appdefault_boolean(context, "kinit", 
-				krb5_principal_get_realm(context, principal), 
-				"krb4_get_tickets", TRUE, &get_v4_tgt);
-#endif
-    if(do_afslog == -1)
-	krb5_appdefault_boolean(context, "kinit", 
-				krb5_principal_get_realm(context, principal), 
-				"afslog", TRUE, &do_afslog);
 
-    if(!addrs_flag && extra_addresses.num_strings > 0)
+    if(addrs_flag == 0 && extra_addresses.num_strings > 0)
 	krb5_errx(context, 1, "specifying both extra addresses and "
 		  "no addresses makes no sense");
     {
@@ -675,30 +805,41 @@ main (int argc, char **argv)
 	free_getarg_strings(&extra_addresses);
     }
 
-    
     if(renew_flag || validate_flag) {
 	ret = renew_validate(context, renew_flag, validate_flag, 
-			     ccache, server, ticket_life);
+			     ccache, server_str, ticket_life);
 	exit(ret != 0);
     }
 
-#ifdef KRB4
     if(!convert_524)
-#endif
-	get_new_tickets(context, principal, ccache, ticket_life);
+	get_new_tickets(context, principal, ccache, ticket_life, 1);
 
-#ifdef KRB4
-    if(get_v4_tgt)
-	do_524init(context, ccache, NULL, server);
-#endif
+    if(get_v4_tgt || convert_524)
+	do_524init(context, ccache, NULL, server_str);
     if(do_afslog && k_hasafs())
 	krb5_afslog(context, ccache, NULL, NULL);
     if(argc > 1) {
-	ret = simple_execvp(argv[1], argv+1);
+	struct renew_ctx ctx;
+	time_t timeout;
+
+	timeout = ticket_lifetime(context, ccache, principal, server_str) / 2;
+
+	ctx.context = context;
+	ctx.ccache = ccache;
+	ctx.principal = principal;
+	ctx.ticket_life = ticket_life;
+
+	ret = simple_execvp_timed(argv[1], argv+1, 
+				  renew_func, &ctx, timeout);
+#define EX_NOEXEC	126
+#define EX_NOTFOUND	127
+	if(ret == EX_NOEXEC)
+	    krb5_warnx(context, "permission denied: %s", argv[1]);
+	else if(ret == EX_NOTFOUND)
+	    krb5_warnx(context, "command not found: %s", argv[1]);
+	
 	krb5_cc_destroy(context, ccache);
-#ifdef KRB4
-	dest_tkt();
-#endif
+	_krb5_krb_dest_tkt(context, krb4_cc_name);
 	if(k_hasafs())
 	    k_unlog();
     } else {
diff --git a/crypto/heimdal/kuser/klist.1 b/crypto/heimdal/kuser/klist.1
index a144365..65ed7d3 100644
--- a/crypto/heimdal/kuser/klist.1
+++ b/crypto/heimdal/kuser/klist.1
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2000 - 2002 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2000 - 2005 Kungliga Tekniska Högskolan
 .\" (Royal Institute of Technology, Stockholm, Sweden). 
 .\" All rights reserved. 
 .\"
@@ -29,9 +29,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 .\" SUCH DAMAGE. 
 .\" 
-.\" $Id: klist.1,v 1.12 2003/02/16 21:10:26 lha Exp $
+.\" $Id: klist.1 20458 2007-04-19 20:41:27Z lha $
 .\"
-.Dd July 8, 2000
+.Dd October  6, 2005
 .Dt KLIST 1
 .Os HEIMDAL
 .Sh NAME
@@ -39,21 +39,23 @@
 .Nd list Kerberos credentials
 .Sh SYNOPSIS
 .Nm
+.Bk -words
 .Oo Fl c Ar cache \*(Ba Xo
 .Fl -cache= Ns Ar cache
 .Xc
 .Oc
 .Op Fl s | Fl t | Fl -test
-.Op Fl 4 | Fl -v4
 .Op Fl T | Fl -tokens
 .Op Fl 5 | Fl -v5
 .Op Fl v | Fl -verbose
+.Op Fl l | Fl -list-caches
 .Op Fl f
 .Op Fl -version
 .Op Fl -help
+.Ek
 .Sh DESCRIPTION
 .Nm
-reads and displays the current tickets in the crential cache (also
+reads and displays the current tickets in the credential cache (also
 known as the ticket file).
 .Pp
 Options supported:
@@ -62,7 +64,7 @@ Options supported:
 .Fl c Ar cache ,
 .Fl -cache= Ns Ar cache
 .Xc
-credentials cache to list
+credential cache to list
 .It Xo
 .Fl s ,
 .Fl t ,
@@ -71,11 +73,6 @@ credentials cache to list
 Test for there being an active and valid TGT for the local realm of
 the user in the credential cache.
 .It Xo
-.Fl 4 ,
-.Fl -v4
-.Xc
-display v4 tickets
-.It Xo
 .Fl T ,
 .Fl -tokens
 .Xc
@@ -86,7 +83,7 @@ display AFS tokens
 .Xc
 display v5 cred cache (this is the default)
 .It Fl f
-Include ticket flags in short form, each charcted stands for a
+Include ticket flags in short form, each character stands for a
 specific flag, as follows:
 .Bl -tag -width  XXX -compact -offset indent
 .It F
@@ -123,9 +120,9 @@ option, but in a more verbose way.
 Verbose output. Include all possible information:
 .Bl -tag -width XXXX -offset indent
 .It Server
-the princial the ticket is for
+the principal the ticket is for
 .It Ticket etype
-the encryption type use in the ticket, followed by the key version of
+the encryption type used in the ticket, followed by the key version of
 the ticket, if it is available
 .It Session key
 the encryption type of the session key, if it's different from the
@@ -133,7 +130,7 @@ encryption type of the ticket
 .It Auth time
 the time the authentication exchange took place
 .It Start time
-the time that this tickets is valid from (only printed if it's
+the time that this ticket is valid from (only printed if it's
 different from the auth time)
 .It End time
 when the ticket expires, if it has already expired this is also noted
@@ -144,6 +141,13 @@ the flags set on the ticket
 .It Addresses
 the set of addresses from which this ticket is valid
 .El
+.It Xo
+.Fl l ,
+.Fl -list-caches
+.Xc
+List the credential caches for the current users, not all cache types
+supports listing multiple caches.
+.Pp
 .El
 .Sh SEE ALSO
 .Xr kdestroy 1 ,
diff --git a/crypto/heimdal/kuser/klist.c b/crypto/heimdal/kuser/klist.c
index 3521e2e..3148ddc 100644
--- a/crypto/heimdal/kuser/klist.c
+++ b/crypto/heimdal/kuser/klist.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -34,13 +34,13 @@
 #include "kuser_locl.h"
 #include "rtbl.h"
 
-RCSID("$Id: klist.c,v 1.68.2.2 2003/10/13 15:13:39 joda Exp $");
+RCSID("$Id: klist.c 20516 2007-04-22 10:40:41Z lha $");
 
 static char*
 printable_time(time_t t)
 {
     static char s[128];
-    strcpy(s, ctime(&t)+ 4);
+    strlcpy(s, ctime(&t)+ 4, sizeof(s));
     s[15] = 0;
     return s;
 }
@@ -49,7 +49,7 @@ static char*
 printable_time_long(time_t t)
 {
     static char s[128];
-    strcpy(s, ctime(&t)+ 4);
+    strlcpy(s, ctime(&t)+ 4, sizeof(s));
     s[20] = 0;
     return s;
 }
@@ -59,6 +59,7 @@ printable_time_long(time_t t)
 #define COL_FLAGS		"Flags"
 #define COL_PRINCIPAL		"  Principal"
 #define COL_PRINCIPAL_KVNO	"  Principal (kvno)"
+#define COL_CACHENAME		"  Cache name"
 
 static void
 print_cred(krb5_context context, krb5_creds *cred, rtbl_t ct, int do_flags)
@@ -132,6 +133,13 @@ print_cred_verbose(krb5_context context, krb5_creds *cred)
 	exit(1);
     printf("Server: %s\n", str);
     free (str);
+
+    ret = krb5_unparse_name(context, cred->client, &str);
+    if(ret)
+	exit(1);
+    printf("Client: %s\n", str);
+    free (str);
+
     {
 	Ticket t;
 	size_t len;
@@ -150,10 +158,7 @@ print_cred_verbose(krb5_context context, krb5_creds *cred)
 	    printf(", kvno %d", *t.enc_part.kvno);
 	printf("\n");
 	if(cred->session.keytype != t.enc_part.etype) {
-	    ret = krb5_keytype_to_string(context, cred->session.keytype, &str);
-	    if(ret == KRB5_PROG_KEYTYPE_NOSUPP)
-		ret = krb5_enctype_to_string(context, cred->session.keytype, 
-					     &str);
+	    ret = krb5_enctype_to_string(context, cred->session.keytype, &str);
 	    if(ret)
 		krb5_warn(context, ret, "session keytype");
 	    else {
@@ -162,6 +167,7 @@ print_cred_verbose(krb5_context context, krb5_creds *cred)
 	    }
 	}
 	free_Ticket(&t);
+	printf("Ticket length: %lu\n", (unsigned long)cred->ticket.length);
     }
     printf("Auth time:  %s\n", printable_time_long(cred->times.authtime));
     if(cred->times.authtime != cred->times.starttime)
@@ -193,15 +199,19 @@ print_cred_verbose(krb5_context context, krb5_creds *cred)
     PRINT_FLAG(anonymous);
     printf("\n");
     printf("Addresses: ");
-    for(j = 0; j < cred->addresses.len; j++){
-	char buf[128];
-	size_t len;
-	if(j) printf(", ");
-	ret = krb5_print_address(&cred->addresses.val[j], 
-				 buf, sizeof(buf), &len);
-
-	if(ret == 0)
-	    printf("%s", buf);
+    if (cred->addresses.len != 0) {
+	for(j = 0; j < cred->addresses.len; j++){
+	    char buf[128];
+	    size_t len;
+	    if(j) printf(", ");
+	    ret = krb5_print_address(&cred->addresses.val[j], 
+				     buf, sizeof(buf), &len);
+	    
+	    if(ret == 0)
+		printf("%s", buf);
+	}
+    } else {
+	printf("addressless");
     }
     printf("\n\n");
 }
@@ -215,12 +225,14 @@ print_tickets (krb5_context context,
 	       krb5_ccache ccache,
 	       krb5_principal principal,
 	       int do_verbose,
-	       int do_flags)
+	       int do_flags,
+	       int do_hidden)
 {
     krb5_error_code ret;
     char *str;
     krb5_cc_cursor cursor;
     krb5_creds creds;
+    int32_t sec, usec;
 
     rtbl_t ct = NULL;
 
@@ -239,12 +251,14 @@ print_tickets (krb5_context context,
 	printf ("%17s: %d\n", "Cache version",
 		krb5_cc_get_version(context, ccache));
     
-    if (do_verbose && context->kdc_sec_offset) {
+    krb5_get_kdc_sec_offset(context, &sec, &usec);
+
+    if (do_verbose && sec != 0) {
 	char buf[BUFSIZ];
 	int val;
 	int sig;
 
-	val = context->kdc_sec_offset;
+	val = sec;
 	sig = 1;
 	if (val < 0) {
 	    sig = -1;
@@ -270,19 +284,22 @@ print_tickets (krb5_context context,
 	if(do_flags)
 	    rtbl_add_column(ct, COL_FLAGS, 0);
 	rtbl_add_column(ct, COL_PRINCIPAL, 0);
-	rtbl_set_prefix(ct, "  ");
-	rtbl_set_column_prefix(ct, COL_ISSUED, "");
+	rtbl_set_separator(ct, "  ");
     }
     while ((ret = krb5_cc_next_cred (context,
 				     ccache,
 				     &cursor,
 				     &creds)) == 0) {
-	if(do_verbose){
+	const char *str;
+	str = krb5_principal_get_comp_string(context, creds.server, 0);
+	if (!do_hidden && str && str[0] == '@') {
+	    ;
+	}else if(do_verbose){
 	    print_cred_verbose(context, &creds);
 	}else{
 	    print_cred(context, &creds, ct, do_flags);
 	}
-	krb5_free_creds_contents (context, &creds);
+	krb5_free_cred_contents (context, &creds);
     }
     if(ret != KRB5_CC_END)
 	krb5_err(context, 1, ret, "krb5_cc_get_next");
@@ -303,7 +320,8 @@ print_tickets (krb5_context context,
 static int
 check_for_tgt (krb5_context context,
 	       krb5_ccache ccache,
-	       krb5_principal principal)
+	       krb5_principal principal,
+	       time_t *expiration)
 {
     krb5_error_code ret;
     krb5_creds pattern;
@@ -311,6 +329,8 @@ check_for_tgt (krb5_context context,
     krb5_realm *client_realm;
     int expired;
 
+    krb5_cc_clear_mcred(&pattern);
+
     client_realm = krb5_princ_realm (context, principal);
 
     ret = krb5_make_principal (context, &pattern.server,
@@ -318,157 +338,25 @@ check_for_tgt (krb5_context context,
 			       NULL);
     if (ret)
 	krb5_err (context, 1, ret, "krb5_make_principal");
+    pattern.client = principal;
 
     ret = krb5_cc_retrieve_cred (context, ccache, 0, &pattern, &creds);
-    expired = time(NULL) > creds.times.endtime;
     krb5_free_principal (context, pattern.server);
-    krb5_free_creds_contents (context, &creds);
     if (ret) {
 	if (ret == KRB5_CC_END)
 	    return 1;
 	krb5_err (context, 1, ret, "krb5_cc_retrieve_cred");
     }
-    return expired;
-}
-
-#ifdef KRB4
-/* prints the approximate kdc time differential as something human
-   readable */
-
-static void
-print_time_diff(int do_verbose)
-{
-    int d = abs(krb_get_kdc_time_diff());
-    char buf[80];
-
-    if ((do_verbose && d > 0) || d > 60) {
-	unparse_time_approx (d, buf, sizeof(buf));
-	printf ("Time diff:\t%s\n", buf);
-    }
-}
-
-/*
- * return a short representation of `dp' in string form.
- */
-
-static char *
-short_date(int32_t dp)
-{
-    char *cp;
-    time_t t = (time_t)dp;
-
-    if (t == (time_t)(-1L)) return "***  Never  *** ";
-    cp = ctime(&t) + 4;
-    cp[15] = '\0';
-    return (cp);
-}
-
-/*
- * Print a list of all the v4 tickets
- */
-
-static int
-display_v4_tickets (int do_verbose)
-{
-    char *file;
-    int ret;
-    krb_principal princ;
-    CREDENTIALS cred;
-    int found = 0;
-
-    rtbl_t ct;
-
-    file = getenv ("KRBTKFILE");
-    if (file == NULL)
-	file = TKT_FILE;
-
-    printf("%17s: %s\n", "V4-ticket file", file);
-
-    ret = krb_get_tf_realm (file, princ.realm);
-    if (ret) {
-	warnx ("%s", krb_get_err_text(ret));
-	return 1;
-    }
 
-    ret = tf_init (file, R_TKT_FIL);
-    if (ret) {
-	warnx ("tf_init: %s", krb_get_err_text(ret));
-	return 1;
-    }
-    ret = tf_get_pname (princ.name);
-    if (ret) {
-	tf_close ();
-	warnx ("tf_get_pname: %s", krb_get_err_text(ret));
-	return 1;
-    }
-    ret = tf_get_pinst (princ.instance);
-    if (ret) {
-	tf_close ();
-	warnx ("tf_get_pname: %s", krb_get_err_text(ret));
-	return 1;
-    }
+    expired = time(NULL) > creds.times.endtime;
 
-    printf ("%17s: %s\n", "Principal", krb_unparse_name(&princ));
-    print_time_diff(do_verbose);
-    printf("\n");
+    if (expiration)
+	*expiration = creds.times.endtime;
 
-    ct = rtbl_create();
-    rtbl_add_column(ct, COL_ISSUED, 0);
-    rtbl_add_column(ct, COL_EXPIRES, 0);
-    if (do_verbose)
-	rtbl_add_column(ct, COL_PRINCIPAL_KVNO, 0);
-    else
-	rtbl_add_column(ct, COL_PRINCIPAL, 0);
-    rtbl_set_prefix(ct, "  ");
-    rtbl_set_column_prefix(ct, COL_ISSUED, "");
+    krb5_free_cred_contents (context, &creds);
 
-    while ((ret = tf_get_cred(&cred)) == KSUCCESS) {
-	struct timeval tv;
-	char buf1[20], buf2[20];
-	const char *pp;
-
-	found++;
-
-	strlcpy(buf1,
-		short_date(cred.issue_date),
-		sizeof(buf1));
-	cred.issue_date = krb_life_to_time(cred.issue_date, cred.lifetime);
-	krb_kdctimeofday(&tv);
-	if (do_verbose || tv.tv_sec < (unsigned long) cred.issue_date)
-	    strlcpy(buf2,
-		    short_date(cred.issue_date),
-		    sizeof(buf2));
-	else
-	    strlcpy(buf2,
-		    ">>> Expired <<<",
-		    sizeof(buf2));
-	rtbl_add_column_entry(ct, COL_ISSUED, buf1);
-	rtbl_add_column_entry(ct, COL_EXPIRES, buf2);
-	pp = krb_unparse_name_long(cred.service,
-				   cred.instance,
-				   cred.realm);
-	if (do_verbose) {
-	    char *tmp;
-
-	    asprintf(&tmp, "%s (%d)", pp, cred.kvno);
-	    rtbl_add_column_entry(ct, COL_PRINCIPAL_KVNO, tmp);
-	    free(tmp);
-	} else {
-	    rtbl_add_column_entry(ct, COL_PRINCIPAL, pp);
-	}
-    }
-    rtbl_format(ct, stdout);
-    rtbl_destroy(ct);
-    if (!found && ret == EOF)
-	printf("No tickets in file.\n");
-    tf_close();
-    
-    /*
-     * should do NAT stuff here
-     */
-    return 0;
+    return expired;
 }
-#endif /* KRB4 */
 
 /*
  * Print a list of all AFS tokens
@@ -477,7 +365,7 @@ display_v4_tickets (int do_verbose)
 static void
 display_tokens(int do_verbose)
 {
-    u_int32_t i;
+    uint32_t i;
     unsigned char t[4096];
     struct ViceIoctl parms;
 
@@ -546,7 +434,7 @@ display_tokens(int do_verbose)
 
 static int
 display_v5_ccache (const char *cred_cache, int do_test, int do_verbose, 
-		   int do_flags)
+		   int do_flags, int do_hidden)
 {
     krb5_error_code ret;
     krb5_context context;
@@ -579,9 +467,10 @@ display_v5_ccache (const char *cred_cache, int do_test, int do_verbose,
 	    krb5_err (context, 1, ret, "krb5_cc_get_principal");
     }
     if (do_test)
-	exit_status = check_for_tgt (context, ccache, principal);
+	exit_status = check_for_tgt (context, ccache, principal, NULL);
     else
-	print_tickets (context, ccache, principal, do_verbose, do_flags);
+	print_tickets (context, ccache, principal, do_verbose,
+		       do_flags, do_hidden);
 
     ret = krb5_cc_close (context, ccache);
     if (ret)
@@ -592,17 +481,82 @@ display_v5_ccache (const char *cred_cache, int do_test, int do_verbose,
     return exit_status;
 }
 
-static int version_flag = 0;
-static int help_flag	= 0;
-static int do_verbose	= 0;
-static int do_test	= 0;
-#ifdef KRB4
-static int do_v4	= 1;
-#endif
-static int do_tokens	= 0;
-static int do_v5	= 1;
+/*
+ *
+ */
+
+static int
+list_caches(void)
+{
+    krb5_cc_cache_cursor cursor;
+    krb5_context context;
+    krb5_error_code ret;
+    krb5_ccache id;
+    rtbl_t ct;
+    
+    ret = krb5_init_context (&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    ret = krb5_cc_cache_get_first (context, NULL, &cursor);
+    if (ret == KRB5_CC_NOSUPP)
+	return 0;
+    else if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_cache_get_first");
+
+    ct = rtbl_create();
+    rtbl_add_column(ct, COL_PRINCIPAL, 0);
+    rtbl_add_column(ct, COL_CACHENAME, 0);
+    rtbl_add_column(ct, COL_EXPIRES, 0);
+    rtbl_set_prefix(ct, "   ");
+    rtbl_set_column_prefix(ct, COL_PRINCIPAL, "");
+
+    while ((ret = krb5_cc_cache_next (context, cursor, &id)) == 0) {
+	krb5_principal principal;
+	char *name;
+
+	ret = krb5_cc_get_principal(context, id, &principal);
+	if (ret == 0) {
+	    time_t t;
+	    int expired = check_for_tgt (context, id, principal, &t);
+
+	    ret = krb5_unparse_name(context, principal, &name);
+	    if (ret == 0) {
+		rtbl_add_column_entry(ct, COL_PRINCIPAL, name);
+		rtbl_add_column_entry(ct, COL_CACHENAME,
+				      krb5_cc_get_name(context, id));
+		rtbl_add_column_entry(ct, COL_EXPIRES,
+				      expired ? ">>> Expired <<<" : 
+				      printable_time(t));
+		free(name);
+		krb5_free_principal(context, principal);
+	    }
+	}
+	krb5_cc_close(context, id);
+    }
+
+    krb5_cc_cache_end_seq_get(context, cursor);
+
+    rtbl_format(ct, stdout);
+    rtbl_destroy(ct);
+    
+    return 0;
+}
+
+/*
+ *
+ */
+
+static int version_flag		= 0;
+static int help_flag		= 0;
+static int do_verbose		= 0;
+static int do_list_caches	= 0;
+static int do_test		= 0;
+static int do_tokens		= 0;
+static int do_v5		= 1;
 static char *cred_cache;
-static int do_flags = 0;
+static int do_flags	 	= 0;
+static int do_hidden	 	= 0;
 
 static struct getargs args[] = {
     { NULL, 'f', arg_flag, &do_flags },
@@ -611,16 +565,16 @@ static struct getargs args[] = {
     { "test",			't', arg_flag, &do_test,
       "test for having tickets", NULL },
     { NULL,			's', arg_flag, &do_test },
-#ifdef KRB4
-    { "v4",			'4',	arg_flag, &do_v4,
-      "display v4 tickets", NULL },
-#endif
     { "tokens",			'T',   arg_flag, &do_tokens,
       "display AFS tokens", NULL },
     { "v5",			'5',	arg_flag, &do_v5,
       "display v5 cred cache", NULL},
+    { "list-caches",		'l', arg_flag, &do_list_caches,
+      "verbose output", NULL },
     { "verbose",		'v', arg_flag, &do_verbose,
       "verbose output", NULL },
+    { "hidden",			0,   arg_flag, &do_hidden,
+      "display hidden credentials", NULL },
     { NULL,			'a', arg_flag, &do_verbose },
     { NULL,			'n', arg_flag, &do_verbose },
     { "version", 		0,   arg_flag, &version_flag, 
@@ -642,12 +596,12 @@ usage (int ret)
 int
 main (int argc, char **argv)
 {
-    int optind = 0;
+    int optidx = 0;
     int exit_status = 0;
 
     setprogname (argv[0]);
 
-    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
 	usage(1);
     
     if (help_flag)
@@ -658,31 +612,25 @@ main (int argc, char **argv)
 	exit(0);
     }
 
-    argc -= optind;
-    argv += optind;
+    argc -= optidx;
+    argv += optidx;
 
     if (argc != 0)
 	usage (1);
 
+    if (do_list_caches) {
+	exit_status = list_caches();
+	return exit_status;
+    }
+
     if (do_v5)
 	exit_status = display_v5_ccache (cred_cache, do_test, 
-					 do_verbose, do_flags);
+					 do_verbose, do_flags, do_hidden);
 
     if (!do_test) {
-#ifdef KRB4
-	if (do_v4) {
-	    if (do_v5)
-		printf ("\n");
-	    display_v4_tickets (do_verbose);
-	}
-#endif
 	if (do_tokens && k_hasafs ()) {
 	    if (do_v5)
 		printf ("\n");
-#ifdef KRB4
-	    else if (do_v4)
-		printf ("\n");
-#endif
 	    display_tokens (do_verbose);
 	}
     }
diff --git a/crypto/heimdal/kuser/kuser_locl.h b/crypto/heimdal/kuser/kuser_locl.h
index 06403cb..36ea01a 100644
--- a/crypto/heimdal/kuser/kuser_locl.h
+++ b/crypto/heimdal/kuser/kuser_locl.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: kuser_locl.h,v 1.13 2003/01/21 14:13:51 nectar Exp $ */
+/* $Id: kuser_locl.h 20458 2007-04-19 20:41:27Z lha $ */
 
 #ifndef __KUSER_LOCL_H__
 #define __KUSER_LOCL_H__
@@ -75,9 +75,6 @@
 #include <err.h>
 #include <krb5.h>
 
-#ifdef KRB4
-#include <krb.h>
-#endif
 #if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
 #include <sys/ioctl.h>
 #endif
diff --git a/crypto/heimdal/kuser/kverify.c b/crypto/heimdal/kuser/kverify.c
index 3501f00..888658d 100644
--- a/crypto/heimdal/kuser/kverify.c
+++ b/crypto/heimdal/kuser/kverify.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005, 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kuser_locl.h"
 
-RCSID("$Id: kverify.c,v 1.6 2001/08/24 01:08:13 assar Exp $");
+RCSID("$Id: kverify.c 19920 2007-01-15 23:21:32Z lha $");
 
 static int help_flag = 0;
 static int version_flag = 0;
@@ -60,13 +60,14 @@ main(int argc, char **argv)
     krb5_error_code ret;
     krb5_creds cred;
     krb5_preauthtype pre_auth_types[] = {KRB5_PADATA_ENC_TIMESTAMP};
-    krb5_get_init_creds_opt get_options;
+    krb5_get_init_creds_opt *get_options;
     krb5_verify_init_creds_opt verify_options;
-    int optind = 0;
+    krb5_principal principal = NULL;
+    int optidx = 0;
 
     setprogname (argv[0]);
 
-    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
 	usage(1);
     
     if (help_flag)
@@ -76,28 +77,39 @@ main(int argc, char **argv)
 	print_version(NULL);
 	exit(0);
     }
+    
+    argc -= optidx;
+    argv += optidx;
 
     ret = krb5_init_context(&context);
     if (ret)
 	errx (1, "krb5_init_context failed: %d", ret);
 
-    krb5_get_init_creds_opt_init (&get_options);
+    ret = krb5_get_init_creds_opt_alloc (context, &get_options);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
 
-    krb5_get_init_creds_opt_set_preauth_list (&get_options,
+    krb5_get_init_creds_opt_set_preauth_list (get_options,
 					      pre_auth_types,
 					      1);
 
     krb5_verify_init_creds_opt_init (&verify_options);
     
+    if (argc) {
+	ret = krb5_parse_name(context, argv[0], &principal);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_parse_name: %s", argv[0]);
+    }
+
     ret = krb5_get_init_creds_password (context,
 					&cred,
-					NULL,
+					principal,
 					NULL,
 					krb5_prompter_posix,
 					NULL,
 					0,
 					NULL,
-					&get_options);
+					get_options);
     if (ret)
 	errx (1, "krb5_get_init_creds: %s", krb5_get_err_text(context, ret));
 
@@ -110,7 +122,7 @@ main(int argc, char **argv)
     if (ret)
 	errx (1, "krb5_verify_init_creds: %s",
 	      krb5_get_err_text(context, ret));
-    krb5_free_creds_contents (context, &cred);
+    krb5_free_cred_contents (context, &cred);
     krb5_free_context (context);
     return 0;
 }
diff --git a/crypto/heimdal/lib/45/Makefile.am b/crypto/heimdal/lib/45/Makefile.am
index 50d47fd..7ffa8c3 100644
--- a/crypto/heimdal/lib/45/Makefile.am
+++ b/crypto/heimdal/lib/45/Makefile.am
@@ -1,8 +1,8 @@
-# $Id: Makefile.am,v 1.5 1999/03/20 13:58:17 joda Exp $
+# $Id: Makefile.am 14164 2004-08-26 11:55:29Z joda $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += $(INCLUDE_krb4)
+AM_CPPFLAGS += $(INCLUDE_krb4)
 
 lib_LIBRARIES = @EXTRA_LIB45@
 
diff --git a/crypto/heimdal/lib/45/Makefile.in b/crypto/heimdal/lib/45/Makefile.in
index cef1000..fc6ff54 100644
--- a/crypto/heimdal/lib/45/Makefile.in
+++ b/crypto/heimdal/lib/45/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,23 +14,17 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.5 1999/03/20 13:58:17 joda Exp $
+# $Id: Makefile.am 14164 2004-08-26 11:55:29Z joda $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
-SOURCES = $(lib45_a_SOURCES)
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -42,6 +36,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -49,16 +44,14 @@ DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 subdir = lib/45
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -71,6 +64,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -79,50 +73,55 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
-ARFLAGS = cru
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
 am__installdirs = "$(DESTDIR)$(libdir)"
 libLIBRARIES_INSTALL = $(INSTALL_DATA)
 LIBRARIES = $(lib_LIBRARIES)
+ARFLAGS = cru
 lib45_a_AR = $(AR) $(ARFLAGS)
 lib45_a_LIBADD =
 am_lib45_a_OBJECTS = get_ad_tkt.$(OBJEXT) mk_req.$(OBJEXT)
 lib45_a_OBJECTS = $(am_lib45_a_OBJECTS)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
 SOURCES = $(lib45_a_SOURCES)
 DIST_SOURCES = $(lib45_a_SOURCES)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -132,8 +131,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -144,11 +141,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -156,42 +152,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -209,12 +190,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -224,15 +202,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -241,6 +218,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -252,15 +230,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -268,74 +241,80 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	$(INCLUDE_krb4)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -352,6 +331,7 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 lib_LIBRARIES = @EXTRA_LIB45@
 EXTRA_LIBRARIES = lib45.a
@@ -359,7 +339,7 @@ lib45_a_SOURCES = get_ad_tkt.c mk_req.c 45_locl.h
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -391,10 +371,10 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-libLIBRARIES: $(lib_LIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)"
+	test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
 	@list='$(lib_LIBRARIES)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    f="`echo $$p | sed -e 's|^.*/||'`"; \
+	    f=$(am__strip_dir) \
 	    echo " $(libLIBRARIES_INSTALL) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \
 	    $(libLIBRARIES_INSTALL) "$$p" "$(DESTDIR)$(libdir)/$$f"; \
 	  else :; fi; \
@@ -402,7 +382,7 @@ install-libLIBRARIES: $(lib_LIBRARIES)
 	@$(POST_INSTALL)
 	@list='$(lib_LIBRARIES)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    p="`echo $$p | sed -e 's|^.*/||'`"; \
+	    p=$(am__strip_dir) \
 	    echo " $(RANLIB) '$(DESTDIR)$(libdir)/$$p'"; \
 	    $(RANLIB) "$(DESTDIR)$(libdir)/$$p"; \
 	  else :; fi; \
@@ -411,7 +391,7 @@ install-libLIBRARIES: $(lib_LIBRARIES)
 uninstall-libLIBRARIES:
 	@$(NORMAL_UNINSTALL)
 	@list='$(lib_LIBRARIES)'; for p in $$list; do \
-	  p="`echo $$p | sed -e 's|^.*/||'`"; \
+	  p=$(am__strip_dir) \
 	  echo " rm -f '$(DESTDIR)$(libdir)/$$p'"; \
 	  rm -f "$(DESTDIR)$(libdir)/$$p"; \
 	done
@@ -444,10 +424,6 @@ mostlyclean-libtool:
 clean-libtool:
 	-rm -rf .libs _libs
 
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
-
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -468,9 +444,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -495,23 +473,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../.. $(distdir)/../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -531,7 +507,7 @@ check: check-am
 all-am: Makefile $(LIBRARIES) all-local
 installdirs:
 	for dir in "$(DESTDIR)$(libdir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -552,7 +528,7 @@ mostlyclean-generic:
 clean-generic:
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -565,7 +541,7 @@ clean-am: clean-generic clean-libLIBRARIES clean-libtool \
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -581,14 +557,22 @@ install-data-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-libLIBRARIES
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man:
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -608,19 +592,27 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-info-am uninstall-libLIBRARIES
+uninstall-am: uninstall-libLIBRARIES
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
 
 .PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
 	clean clean-generic clean-libLIBRARIES clean-libtool ctags \
-	distclean distclean-compile distclean-generic \
+	dist-hook distclean distclean-compile distclean-generic \
 	distclean-libtool distclean-tags distdir dvi dvi-am html \
 	html-am info info-am install install-am install-data \
-	install-data-am install-exec install-exec-am install-info \
-	install-info-am install-libLIBRARIES install-man install-strip \
-	installcheck installcheck-am installdirs maintainer-clean \
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am \
+	install-libLIBRARIES install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
 	maintainer-clean-generic mostlyclean mostlyclean-compile \
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-info-am \
+	tags uninstall uninstall-am uninstall-hook \
 	uninstall-libLIBRARIES
 
 
@@ -636,8 +628,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -647,19 +639,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -675,7 +679,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -745,14 +749,39 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/lib/45/get_ad_tkt.c b/crypto/heimdal/lib/45/get_ad_tkt.c
index 3be18a1..0d14235 100644
--- a/crypto/heimdal/lib/45/get_ad_tkt.c
+++ b/crypto/heimdal/lib/45/get_ad_tkt.c
@@ -33,7 +33,7 @@
 
 #include "45_locl.h"
 
-RCSID("$Id: get_ad_tkt.c,v 1.4 2001/06/18 13:11:05 assar Exp $");
+RCSID("$Id: get_ad_tkt.c 10113 2001-06-18 13:11:33Z assar $");
 
 /* get an additional version 4 ticket via the 524 protocol */
 
diff --git a/crypto/heimdal/lib/45/mk_req.c b/crypto/heimdal/lib/45/mk_req.c
index b06f558..af63f0b 100644
--- a/crypto/heimdal/lib/45/mk_req.c
+++ b/crypto/heimdal/lib/45/mk_req.c
@@ -35,14 +35,14 @@
 
 #include "45_locl.h"
 
-RCSID("$Id: mk_req.c,v 1.7 2002/05/24 15:21:00 joda Exp $");
+RCSID("$Id: mk_req.c 17445 2006-05-05 10:37:46Z lha $");
 
 static int lifetime = 255;
 
 static void
 build_request(KTEXT req,
 	      const char *name, const char *inst, const char *realm, 
-	      u_int32_t checksum)
+	      uint32_t checksum)
 {
     struct timeval tv;
     krb5_storage *sp;
diff --git a/crypto/heimdal/lib/Makefile.am b/crypto/heimdal/lib/Makefile.am
index 3c8dc71..f1e26e1 100644
--- a/crypto/heimdal/lib/Makefile.am
+++ b/crypto/heimdal/lib/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.22 2001/08/28 18:44:41 nectar Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -11,6 +11,12 @@ endif
 if DCE
 dir_dce = kdfs
 endif
+if COM_ERR
+dir_com_err = com_err
+endif
+if !HAVE_OPENSSL
+dir_hcrypto = hcrypto
+endif
 
-SUBDIRS = @DIR_roken@ vers editline @DIR_com_err@ sl asn1 @DIR_des@ krb5 \
-	kafs hdb kadm5 gssapi auth $(dir_45) $(dir_otp) $(dir_dce)
+SUBDIRS = roken vers editline $(dir_com_err) sl asn1 $(dir_hcrypto) hx509 \
+	krb5 ntlm kafs gssapi hdb kadm5 auth $(dir_45) $(dir_otp) $(dir_dce)
diff --git a/crypto/heimdal/lib/Makefile.in b/crypto/heimdal/lib/Makefile.in
index 1d2a76a..6884c24 100644
--- a/crypto/heimdal/lib/Makefile.in
+++ b/crypto/heimdal/lib/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,20 +14,16 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.22 2001/08/28 18:44:41 nectar Exp $
+# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -39,6 +35,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -46,16 +43,14 @@ DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 subdir = lib
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -68,6 +63,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -76,16 +72,20 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
 depcomp =
@@ -94,23 +94,20 @@ SOURCES =
 DIST_SOURCES =
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	html-recursive info-recursive install-data-recursive \
-	install-exec-recursive install-info-recursive \
-	install-recursive installcheck-recursive installdirs-recursive \
-	pdf-recursive ps-recursive uninstall-info-recursive \
-	uninstall-recursive
+	install-dvi-recursive install-exec-recursive \
+	install-html-recursive install-info-recursive \
+	install-pdf-recursive install-ps-recursive install-recursive \
+	installcheck-recursive installdirs-recursive pdf-recursive \
+	ps-recursive uninstall-recursive
+RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
+  distclean-recursive maintainer-clean-recursive
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = @DIR_roken@ vers editline @DIR_com_err@ sl asn1 \
-	@DIR_des@ krb5 kafs hdb kadm5 gssapi auth 45 otp kdfs
+DIST_SUBDIRS = roken vers editline com_err sl asn1 hcrypto hx509 krb5 \
+	ntlm kafs gssapi hdb kadm5 auth 45 otp kdfs
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -120,8 +117,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -132,11 +127,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -144,42 +138,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -197,12 +176,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -212,15 +188,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -229,6 +204,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -240,15 +216,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -256,74 +227,79 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -340,17 +316,20 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 @KRB4_TRUE@dir_45 = 45
 @OTP_TRUE@dir_otp = otp
 @DCE_TRUE@dir_dce = kdfs
-SUBDIRS = @DIR_roken@ vers editline @DIR_com_err@ sl asn1 @DIR_des@ krb5 \
-	kafs hdb kadm5 gssapi auth $(dir_45) $(dir_otp) $(dir_dce)
+@COM_ERR_TRUE@dir_com_err = com_err
+@HAVE_OPENSSL_FALSE@dir_hcrypto = hcrypto
+SUBDIRS = roken vers editline $(dir_com_err) sl asn1 $(dir_hcrypto) hx509 \
+	krb5 ntlm kafs gssapi hdb kadm5 auth $(dir_45) $(dir_otp) $(dir_dce)
 
 all: all-recursive
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -387,10 +366,6 @@ mostlyclean-libtool:
 clean-libtool:
 	-rm -rf .libs _libs
 
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
-
 # This directory's subdirectories are mostly independent; you can cd
 # into them and run `make' without going through this Makefile.
 # To change the values of `make' variables: instead of editing Makefiles,
@@ -398,7 +373,13 @@ uninstall-info-am:
 #     (which will cause the Makefiles to be regenerated when you run `make');
 # (2) otherwise, pass the desired values on the `make' command line.
 $(RECURSIVE_TARGETS):
-	@set fnord $$MAKEFLAGS; amf=$$2; \
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
 	dot_seen=no; \
 	target=`echo $@ | sed s/-recursive//`; \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
@@ -410,15 +391,20 @@ $(RECURSIVE_TARGETS):
 	    local_target="$$target"; \
 	  fi; \
 	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
-	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	  || eval $$failcom; \
 	done; \
 	if test "$$dot_seen" = "no"; then \
 	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
 	fi; test -z "$$fail"
 
-mostlyclean-recursive clean-recursive distclean-recursive \
-maintainer-clean-recursive:
-	@set fnord $$MAKEFLAGS; amf=$$2; \
+$(RECURSIVE_CLEAN_TARGETS):
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
 	dot_seen=no; \
 	case "$@" in \
 	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
@@ -439,7 +425,7 @@ maintainer-clean-recursive:
 	    local_target="$$target"; \
 	  fi; \
 	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
-	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	  || eval $$failcom; \
 	done && test -z "$$fail"
 tags-recursive:
 	list='$(SUBDIRS)'; for subdir in $$list; do \
@@ -464,14 +450,16 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	if (etags --etags-include --version) >/dev/null 2>&1; then \
+	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
 	  include_option=--etags-include; \
+	  empty_fix=.; \
 	else \
 	  include_option=--include; \
+	  empty_fix=; \
 	fi; \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
-	    test -f $$subdir/TAGS && \
+	    test ! -f $$subdir/TAGS || \
 	      tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \
 	  fi; \
 	done; \
@@ -481,9 +469,11 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS: ctags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -508,23 +498,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/.. $(distdir)/../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -538,12 +526,16 @@ distdir: $(DISTFILES)
 	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
 	    test -d "$(distdir)/$$subdir" \
-	    || mkdir "$(distdir)/$$subdir" \
+	    || $(MKDIR_P) "$(distdir)/$$subdir" \
 	    || exit 1; \
+	    distdir=`$(am__cd) $(distdir) && pwd`; \
+	    top_distdir=`$(am__cd) $(top_distdir) && pwd`; \
 	    (cd $$subdir && \
 	      $(MAKE) $(AM_MAKEFLAGS) \
-	        top_distdir="../$(top_distdir)" \
-	        distdir="../$(distdir)/$$subdir" \
+	        top_distdir="$$top_distdir" \
+	        distdir="$$distdir/$$subdir" \
+		am__remove_distdir=: \
+		am__skip_length_check=: \
 	        distdir) \
 	      || exit 1; \
 	  fi; \
@@ -576,7 +568,7 @@ mostlyclean-generic:
 clean-generic:
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -587,8 +579,7 @@ clean-am: clean-generic clean-libtool mostlyclean-am
 
 distclean: distclean-recursive
 	-rm -f Makefile
-distclean-am: clean-am distclean-generic distclean-libtool \
-	distclean-tags
+distclean-am: clean-am distclean-generic distclean-tags
 
 dvi: dvi-recursive
 
@@ -604,14 +595,22 @@ install-data-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-recursive
+
 install-exec-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-recursive
+
 install-info: install-info-recursive
 
 install-man:
 
+install-pdf: install-pdf-recursive
+
+install-ps: install-ps-recursive
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-recursive
@@ -630,22 +629,27 @@ ps: ps-recursive
 
 ps-am:
 
-uninstall-am: uninstall-info-am
-
-uninstall-info: uninstall-info-recursive
-
-.PHONY: $(RECURSIVE_TARGETS) CTAGS GTAGS all all-am all-local check \
-	check-am check-local clean clean-generic clean-libtool \
-	clean-recursive ctags ctags-recursive distclean \
-	distclean-generic distclean-libtool distclean-recursive \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-exec \
-	install-exec-am install-info install-info-am install-man \
-	install-strip installcheck installcheck-am installdirs \
-	installdirs-am maintainer-clean maintainer-clean-generic \
-	maintainer-clean-recursive mostlyclean mostlyclean-generic \
-	mostlyclean-libtool mostlyclean-recursive pdf pdf-am ps ps-am \
-	tags tags-recursive uninstall uninstall-am uninstall-info-am
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \
+	install-data-am install-exec-am install-strip uninstall-am
+
+.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
+	all all-am all-local check check-am check-local clean \
+	clean-generic clean-libtool ctags ctags-recursive dist-hook \
+	distclean distclean-generic distclean-libtool distclean-tags \
+	distdir dvi dvi-am html html-am info info-am install \
+	install-am install-data install-data-am install-data-hook \
+	install-dvi install-dvi-am install-exec install-exec-am \
+	install-exec-hook install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs installdirs-am maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \
+	uninstall uninstall-am uninstall-hook
 
 
 install-suid-programs:
@@ -660,8 +664,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -671,19 +675,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -699,7 +715,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -769,14 +785,39 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/lib/asn1/CMS.asn1 b/crypto/heimdal/lib/asn1/CMS.asn1
new file mode 100644
index 0000000..685f0b1
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/CMS.asn1
@@ -0,0 +1,157 @@
+-- From RFC 3369 --
+-- $Id: CMS.asn1 18054 2006-09-07 12:20:42Z lha $ --
+
+CMS DEFINITIONS ::= BEGIN
+
+IMPORTS CertificateSerialNumber, AlgorithmIdentifier, Name,
+	Attribute, Certificate, Name, SubjectKeyIdentifier FROM rfc2459
+	heim_any, heim_any_set FROM heim;
+
+id-pkcs7 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
+         us(840) rsadsi(113549) pkcs(1) pkcs7(7) }
+
+id-pkcs7-data OBJECT IDENTIFIER ::= 			{ id-pkcs7 1 }
+id-pkcs7-signedData OBJECT IDENTIFIER ::= 		{ id-pkcs7 2 }
+id-pkcs7-envelopedData OBJECT IDENTIFIER ::= 		{ id-pkcs7 3 }
+id-pkcs7-signedAndEnvelopedData OBJECT IDENTIFIER ::= 	{ id-pkcs7 4 }
+id-pkcs7-digestedData OBJECT IDENTIFIER ::= 		{ id-pkcs7 5 }
+id-pkcs7-encryptedData OBJECT IDENTIFIER ::= 		{ id-pkcs7 6 }
+
+CMSVersion ::= INTEGER {
+	   CMSVersion_v0(0), 
+	   CMSVersion_v1(1), 
+	   CMSVersion_v2(2),
+	   CMSVersion_v3(3),
+	   CMSVersion_v4(4)
+}
+
+DigestAlgorithmIdentifier ::= AlgorithmIdentifier
+DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier
+SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
+
+ContentType ::= OBJECT IDENTIFIER
+MessageDigest ::= OCTET STRING
+
+ContentInfo ::= SEQUENCE {
+	contentType ContentType,
+	content [0] EXPLICIT heim_any OPTIONAL --  DEFINED BY contentType 
+}
+
+EncapsulatedContentInfo ::= SEQUENCE {
+	eContentType ContentType,
+	eContent [0] EXPLICIT OCTET STRING OPTIONAL
+}
+
+CertificateSet ::= SET OF heim_any
+
+CertificateList ::= Certificate
+
+CertificateRevocationLists ::= SET OF CertificateList
+
+IssuerAndSerialNumber ::= SEQUENCE {
+	issuer Name,
+	serialNumber CertificateSerialNumber
+}
+
+-- RecipientIdentifier is same as SignerIdentifier, 
+-- lets glue them togheter and save some bytes and share code for them
+
+CMSIdentifier ::= CHOICE {
+	issuerAndSerialNumber IssuerAndSerialNumber,
+	subjectKeyIdentifier [0] SubjectKeyIdentifier
+}
+
+SignerIdentifier ::= CMSIdentifier
+RecipientIdentifier ::= CMSIdentifier
+
+--- CMSAttributes are the combined UnsignedAttributes and SignedAttributes
+--- to store space and share code
+
+CMSAttributes ::= SET OF Attribute		-- SIZE (1..MAX) 
+
+SignatureValue ::= OCTET STRING
+
+SignerInfo ::= SEQUENCE {
+	version CMSVersion,
+	sid SignerIdentifier,
+	digestAlgorithm DigestAlgorithmIdentifier,
+	signedAttrs [0] IMPLICIT -- CMSAttributes --
+		SET OF Attribute OPTIONAL,
+	signatureAlgorithm SignatureAlgorithmIdentifier,
+	signature SignatureValue,
+	unsignedAttrs [1] IMPLICIT -- CMSAttributes -- 
+		SET OF Attribute OPTIONAL
+}
+
+SignerInfos ::= SET OF SignerInfo
+
+SignedData ::= SEQUENCE {
+	version CMSVersion,
+	digestAlgorithms DigestAlgorithmIdentifiers,
+	encapContentInfo EncapsulatedContentInfo,
+	certificates [0] IMPLICIT -- CertificateSet --
+		SET OF heim_any OPTIONAL,
+	crls [1] IMPLICIT -- CertificateRevocationLists --
+		heim_any OPTIONAL,
+	signerInfos SignerInfos
+}
+
+OriginatorInfo ::= SEQUENCE {
+	certs [0] IMPLICIT -- CertificateSet --
+		SET OF heim_any OPTIONAL,
+	crls [1] IMPLICIT --CertificateRevocationLists --
+		heim_any OPTIONAL
+}
+
+KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
+ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
+
+EncryptedKey ::= OCTET STRING
+
+KeyTransRecipientInfo ::= SEQUENCE {
+	version CMSVersion,  -- always set to 0 or 2
+	rid RecipientIdentifier,
+	keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
+	encryptedKey EncryptedKey
+}
+
+RecipientInfo ::= KeyTransRecipientInfo
+
+RecipientInfos ::= SET OF RecipientInfo
+
+EncryptedContent ::= OCTET STRING
+
+EncryptedContentInfo ::= SEQUENCE {
+	contentType ContentType,
+	contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
+	encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL
+}
+
+UnprotectedAttributes ::= SET OF Attribute	-- SIZE (1..MAX)
+
+CMSEncryptedData ::= SEQUENCE {
+	version CMSVersion,
+	encryptedContentInfo EncryptedContentInfo,
+        unprotectedAttrs [1] IMPLICIT -- UnprotectedAttributes --
+		heim_any OPTIONAL
+}
+
+EnvelopedData ::= SEQUENCE {
+	version CMSVersion,
+	originatorInfo [0] IMPLICIT -- OriginatorInfo -- heim_any OPTIONAL,
+	recipientInfos RecipientInfos,
+	encryptedContentInfo EncryptedContentInfo,
+	unprotectedAttrs [1] IMPLICIT -- UnprotectedAttributes --
+		heim_any OPTIONAL
+}
+
+-- Data ::= OCTET STRING
+
+CMSRC2CBCParameter ::= SEQUENCE {
+	rc2ParameterVersion	INTEGER (0..4294967295),
+	iv			OCTET STRING -- exactly 8 octets
+}
+
+CMSCBCParameter ::= OCTET STRING
+
+END
diff --git a/crypto/heimdal/lib/asn1/ChangeLog b/crypto/heimdal/lib/asn1/ChangeLog
new file mode 100644
index 0000000..9039e25
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/ChangeLog
@@ -0,0 +1,1649 @@
+2008-01-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* asn1-common.h gen.c der.c gen_encode.c: add and use der_{malloc,free}
+
+2007-12-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* libasn1.h: remove, not used.
+
+2007-12-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Add DigestTypes, add --seq to antoher type.
+
+	* digest.asn1: Add supportedMechs request.
+	
+2007-10-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* k5.asn1: Some "old" windows enctypes. From Andy Polyakov.
+	
+2007-07-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Fold in pk-init-alg-agilty.
+
+	* pkinit.asn1: Fold in pk-init-alg-agilty.
+
+2007-07-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* parse.y: Passe object id is its part of the module defintion
+	statement.
+
+2007-07-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-gen.c: test SEQ OF SIZE (...)
+
+	* Makefile.am: Include more sizeof tests.
+
+2007-07-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* try to avoid aliasing of pointers enum {} vs int
+
+2007-07-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test.asn1: Test SIZE attribute for SEQ and OCTET STRING
+
+	* parse.y (OctetStringType): add SIZE to OCTET STRING.
+
+	* Makefile.am: New library version.
+
+2007-07-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* rfc2459.asn1: Re-add size limits. 
+	
+	* k5.asn1: Add size limits from RFC 4120.
+
+	* gen_decode.c: Check range on SEQ OF and OCTET STRING.
+
+	* asn1_err.et (min|max|exact) constraints.
+
+	* parse.y: Parse size limitations to SEQ OF.
+
+2007-06-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Add AuthorityInfoAccessSyntax.
+
+	* rfc2459.asn1: Add AuthorityInfoAccessSyntax.
+
+	* rfc2459.asn1: Add authorityInfoAccess, rename proxyCertInfo.
+	
+	* Makefile.am: Add authorityInfoAccess, rename proxyCertInfo.
+
+2007-06-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* der_get.c (der_get_time): avoid using wrapping of octet_string
+	and realloc.
+
+	* der_get.c: No need to undef timetm, we don't use it any more.
+
+	* timegm.c: Fix spelling caused by too much query-replace.
+
+	* gen.c: Include <limits.h> for UINT_MAX.
+
+	* gen_decode.c: Check for multipication overrun.
+
+	* gen_encode.c: Paranoia check in buffer overun in output
+	function.
+
+	* check-der.c: Test boolean.
+
+	* check-der.c: test universal strings.
+
+	* check-der.c: Test failure cases for der_get_tag.
+
+	* check-der.c: test dates from last century.
+
+	* check-der.c: Move zero length integercheck to a better place.
+
+	* check-der.c: Test zero length integer.
+
+2007-06-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-der.c: Init data to something.
+
+2007-06-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* k5.asn1: Add KRB5-AUTHDATA-INITIAL-VERIFIED-CAS.
+
+2007-06-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* pkinit.asn1: Make the pkinit nonce signed (like the kerberos
+	nonce).
+
+2007-06-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-der.c: Free more memory.
+
+	* der_format.c: Don't accect zero length hex numbers.
+
+	* check-der.c: Also free right memory.
+
+	* main.c: Close asn1 file when done.
+
+	* check-der.c: more check for der_parse_hex_heim_integer
+
+	* der_format.c (der_parse_hex_heim_integer): check length before
+	reading data.
+	
+	* check-gen.c (test_authenticator): free memory
+	
+2007-05-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: add MS-UPN-SAN
+
+	* pkinit.asn1: add MS-UPN-SAN
+
+	* rfc2459.asn1: Do evil things to handle IMPLICIT encoded
+	structures.  Add id-ms-client-authentication.
+	
+2007-05-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Add asn1_id_ms_cert_enroll_domaincontroller.x
+	
+2007-05-10  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* gen.c: Add struct units; as a forward declaration. Pointed out
+	by Marcus Watts.
+
+	* rfc2459.asn1: Netscape extentions
+
+	* Makefile.am: add U.S. Federal PKI Common Policy Framework
+
+	* rfc2459.asn1: add U.S. Federal PKI Common Policy Framework
+	
+2007-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen_seq.c: Handle the case of resize to 0 and realloc that
+	returns NULL.
+
+	* check-gen.c (check_seq): free seq.
+	
+2007-04-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-der.c (test_heim_oid_format_same): avoid leaking memory in
+	the non failure case too
+	
+2007-04-16  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: remove extra ^Q
+	
+2007-04-11  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* der_get.c: Allow trailing NULs. We allow this since MIT Kerberos
+	sends an strings in the NEED_PREAUTH case that includes a trailing
+	NUL.
+	
+2007-02-17  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	
+	* Makefile.am: Add PA-ClientCanonicalized and friends.
+
+	* k5.asn1: Add PA-ClientCanonicalized and friends.
+	
+2007-02-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-der.c: Drop one over INT_MAX test-case.
+	
+2007-02-05  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* pkinit.asn1: add id-pkinit-ms-eku
+	
+	* pkinit.asn1: fill in more bits of id-pkinit-ms-san
+	
+2007-02-02  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* digest.asn1: rename hash-a1 to session key
+	
+2007-02-01  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* digest.asn1: Add elements to send in requestResponse to KDC and
+	get status of the request.
+	
+2007-01-31  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: seq rules for CRLDistributionPoints
+	
+2007-01-30  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: add CRLDistributionPoints and friends
+	
+2007-01-20  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* check-der.c: check BMPstring oddlength more
+
+	* check-der.c: Test for NUL char in string in GENERAL STRING.
+
+	* der_get.c: Check for NUL characters in string and return
+	ASN1_BAD_CHARACTER error-code if we find them.
+
+	* asn1_err.et: Add BAD_CHARACTER error.
+	
+2007-01-16  Love Hörnquist Åstrand <lha@it.su.se>
+	
+	* Makefile.am: Add id-at-streetAddress.
+
+	* rfc2459.asn1: Add id-at-streetAddress.
+	
+2007-01-12  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* rfc2459.asn1: Add PKIXXmppAddr and id-pkix-on-xmppAddr.
+	
+2006-12-30  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: Add id-pkix-kp oids.
+
+	* rfc2459.asn1: Add id-pkix-kp oids.
+	
+2006-12-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen_encode.c: Named bit strings have this horrible, disgusting,
+	compress bits until they are no longer really there but stuff in
+	an initial octet anyway encoding scheme. Try to get it right and
+	calculate the initial octet runtime instead of compiletime.
+
+	* check-gen.c: Check all other silly bitstring combinations.
+
+	* Makefile.am: Add --sequence=Extensions to rfc2459.
+	
+2006-12-28  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kx509.asn1: Add kx509.
+
+	* Makefile.am: Add kx509.
+
+	* Add VisibleString parsing
+
+2006-12-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Add ntlm files.
+
+	* digest.asn1: Add bits for handling NTLM.
+	
+2006-12-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: add pkix proxy cert policy lang oids
+
+	* rfc2459.asn1: add pkix proxy cert policy lang oids
+	
+2006-12-07  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* rfc2459.asn1: unbreak id-pe-proxyCertInfo
+
+	* rfc2459.asn1: Add id-pkix-on-dnsSRV and related oids
+
+2006-11-28  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: Add explicit depenency to LIB_roken for libasn1.la,
+	make AIX happy.
+	
+2006-11-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* der_format.c (der_print_heim_oid): oid with zero length is
+	invalid, fail to print.
+	
+2006-11-24  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* der_format.c (der_print_heim_oid): use delim when printing.
+	
+2006-11-21  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* k5.asn1: Make KRB5-PADATA-S4U2SELF pa type 129.
+	
+2006-10-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* asn1_err.et: add EXTRA_DATA
+	
+2006-10-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-gen.c: avoid leaking memory
+
+	* check-der.c: avoid leaking memory
+
+	* der_format.c (der_parse_heim_oid): avoid leaking memory
+
+	* check-common.c: Print size_t as (unsigned long) and cast.
+
+	* check-common.c: Try to align data, IA64's gets upset if its
+	unaligned.
+
+	* lex.l: add missing */
+	
+	* lex.c: need %e for hpux lex
+
+2006-10-20  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: remove dups from gen_files_test, add check-timegm.
+	
+	* Makefile.am: include more test.asn1 built files
+
+	* Makefile.am: More files, now for make check.
+	
+2006-10-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Add missing files
+
+	* Makefile.am (asn1_compile_SOURCES): add gen_locl.h
+
+	* check-timegm.c: Add check for _der_timegm.
+
+	* der_get.c (generalizedtime2time): always use _der_timegm.
+
+	* timegm.c: make more strict
+
+	* der_locl.h: Rename timegm to _der_timegm.
+	
+2006-10-17  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* timegm.c: vJust fail if tm_mon is out of range for now XXXX this
+	is wrong.
+	
+2006-10-16  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: extra depencies on der-protos.h
+	
+2006-10-14 Love Hörnquist Åstrand <lha@it.su.se>
+
+	* check-der.c: Prefix primitive types with der_.
+
+	* timegm.c: rename the buildin timegm to _der_timegm
+
+	* heim_asn1.h: move prototype away from here.
+
+	* der_format.c: Add der_parse_heim_oid
+	
+	* gen_free.c: prefix primitive types with der_
+
+	* der_copy.c: prefix primitive types with der_
+
+	* gen_length.c: prefix primitive types with der_
+
+	* der_length.c: prefix primitive types with der_
+
+	* der_cmp.c: prefix primitive types with der_
+
+	* gen_free.c: prefix primitive types with der_
+
+	* der_free.c: prefix primitive types with der_
+
+	* gen_copy.c: prefix primitive types with der_
+
+	* der_copy.c: rename copy_ to der_copy_
+
+	* Makefile.am: Add der-protos.h to nodist_include_HEADERS.
+	
+	* der.h: use newly built <der-protos.h>
+
+	* Makefile.am: Generate der prototypes.
+
+	* gen.c: move any definitions here.
+
+	* asn1-common.h: move any definitions here.
+
+	* der.h: remove der_parse_oid prototype, it was never implemented.
+
+	* der.h: New der_print_heim_oid signature.  Test
+	der_parse_heim_oid
+
+	* check-der.c: New der_print_heim_oid signature.  Test
+	der_parse_heim_oid
+	
+2006-10-07  Love Hörnquist Åstrand <lha@it.su.se>
+	
+	* lex.l: Grow an even larger output table size.
+
+	* Makefile.am: split build files into dist_ and noinst_ SOURCES
+	
+2006-10-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen_seq.c: In generation of remove_TYPE: if you just removed the
+	last element, you must not memmove memory beyond the array.  From
+	Andrew Bartlett
+	
+2006-10-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lex.l: Grow (%p, %a, %n) tables for Solaris 10 lex. From Harald
+	Barth.
+	
+2006-09-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen_decode.c (decode_type): drop unused variable realtype.
+	
+2006-09-11  Love Hörnquist Åstrand <lha@it.su.se>
+
+	* Makefile.am: Add KRB5SignedPath and friends.
+
+	* k5.asn1: Add KRB5SignedPath and friends.
+
+	* Makefile.am: Add new sequence generation for GeneralNames.
+
+2006-09-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* CMS.asn1 (CMSVersion): rename versions from v0 to CMSVersion_v0,
+	...
+	
+2006-09-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Add TESTSeqOf for testing sequence generation code.
+
+	* check-gen.c: Add sequence tests.
+
+	* test.asn1: Add TESTSeqOf for testing sequence generation code.
+
+	* gen_seq.c: fix warning.
+
+	* gen_seq.c: make generated data work
+
+	* setchgpw2.asn1: enctype is part of the krb5 module now, use that
+	instead of locally defining it.
+
+	* Makefile.am: asn1_compile += gen_seq.c
+
+	* gen_locl.h: add new prototypes, remove unused ones.
+
+	* gen.c: Generate sequence function.
+
+	* main.c: add --sequence
+
+	* gen_seq.c: Add generated add_ and remove_ for "SEQUENCE OF
+	TType". I'm tried of writing realloc(foo->data,
+	sizeof(foo->data[0]) + (foo->len + 1)); Only generated for those
+	type that is enabled by the command flag --sequence.
+	
+2006-08-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* digest.asn1 (DigestRequest): add authid
+
+	* digest.asn1: Comment describing on how to communicate the sasl
+	int/conf mode.
+	
+2006-08-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* digest.asn1: Add some missing fields needed for digest.
+	
+2006-08-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* digest.asn1: Tweak to make consisten and more easier to use.
+	
+2006-07-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Remove CMS symmetric encryption support.  Add
+	DigestProtocol.
+
+	* digest.asn1: DigestProtocol
+
+	* k5.asn1: Remove CMS symmetric encryption support.
+	
+2006-06-22  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* check-der.c (check_fail_heim_integer): disable test
+
+	* der_get.c (der_get_heim_integer): revert part of previous
+
+	* der_get.c (der_get_heim_integer): Add more checks
+
+	* asn1_print.c: Add printing of bignums and use der_print_heim_oid
+
+	* check-der.c (test_heim_oid_format_same): add printing on failure
+
+	* check-der.c: Add one check for heim_int, add checking for oid
+	printing
+	
+2006-06-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Impersonation support bits (and sort)
+
+	* k5.asn1: Impersonation support bits.
+	
+2006-05-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* der_format.c (der_parse_hex_heim_integer): avoid shadowing.
+	
+2006-04-29  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: Add ExternalPrincipalIdentifiers, shared between
+	several elements.
+
+	* pkinit.asn1: Add ExternalPrincipalIdentifiers, shared between
+	several elements.
+	
+2006-04-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* parse.y: Add missing ;'s, found by bison on a SuSE 8.2 machine.
+	
+2006-04-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Add definitions from RFC 3820, Proxy Certificate
+	Profile.
+
+	* rfc2459.asn1: Add definitions from RFC 3820, Proxy Certificate
+	Profile.
+	
+2006-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* rfc2459.asn1: Add id-Userid
+
+	* Makefile.am: Add UID and email
+
+	* pkcs9.asn1: Add id-pkcs9-emailAddress
+	
+	* Makefile.am: Add attribute type oids from X520 and RFC 2247 DC
+	oid
+
+	* rfc2459.asn1: Add attribute type oids from X520 and RFC 2247 DC
+	oid
+	
+2006-04-21  Love Hörnquist Åstrand <lha@it.su.se>
+
+	* Makefile.am: add sha-1 and sha-2
+
+	* rfc2459.asn1: add sha-1 and sha-2
+	
+2006-04-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Add id-pkcs1-sha256WithRSAEncryption and friends
+
+	* rfc2459.asn1: Add id-pkcs1-sha256WithRSAEncryption and friends
+
+	* CMS.asn1: Turn CMSRC2CBCParameter.rc2ParameterVersion into a
+	constrained integer
+	
+2006-04-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* hash.c (hashtabnew): check for NULL before setting structure.
+	Coverity, NetBSD CID#4
+	
+2006-03-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: gen_files_rfc2459 += asn1_ExtKeyUsage.x
+	
+	* rfc2459.asn1: Add ExtKeyUsage.
+
+	* gen.c (generate_header_of_codefile): remove unused variable.
+	
+2006-03-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen.c: Put all the IMPORTed headers into the headerfile to avoid
+	hidden depencies.
+	
+2006-03-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Add id-pkinit-ms-san.
+
+	* pkinit.asn1: Add id-pkinit-ms-san.
+
+	* k5.asn1 (PADATA-TYPE): Add KRB5-PADATA-PA-PK-OCSP-RESPONSE
+	
+2006-03-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Add pkinit-san.
+
+	* pkinit.asn1: Rename id-pksan to id-pkinit-san
+	
+2006-03-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen.c (init_generate): Nothing in the generated files needs
+	timegm(), so no need to provide a prototype for it.
+	
+2006-02-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* pkinit.asn1: paChecksum is now OPTIONAL so it can be upgraded to
+	something better then SHA1
+	
+2006-01-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* extra.c: Stub-generator now generates alloc statements for
+	tagless ANY OPTIONAL, remove workaround.
+
+	* check-gen.c: check for "tagless ANY OPTIONAL"
+
+	* test.asn1: check for "tagless ANY OPTIONAL"
+	
+2006-01-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* der.h: UniversalString and BMPString are both implemented.
+
+	* der.h: Remove , after the last element of enum.
+
+	* asn1_gen.c: Spelling.
+	
+2006-01-20  Love Hörnquist Åstrand <lha@it.su.se>
+	
+	* der_length.c (length_heim_integer): Try handle negative length
+	of integers better.
+
+	* der_get.c (der_get_heim_integer): handle negative integers.
+	
+	* check-der.c: check heim_integer.
+	
+2006-01-18  Love Hörnquist Åstrand <lha@it.su.se>
+
+	* Makefile.am: Its cRLReason, not cRLReasons
+
+	* canthandle.asn1: "Allocation is done on CONTEXT tags" works just
+	fine.
+
+	* rfc2459.asn1: Add CRL structures and OIDs.
+
+	* Makefile.am: Add CRL and TESTAlloc structures and OIDs.
+
+	* check-gen.c: Check OPTIONAL context-tagless elements.
+
+	* test.asn1: Check OPTIONAL context-tagless elements.
+
+	* der_cmp.c (heim_integer_cmp): make it work with negative
+	numbers.
+	
+2006-01-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-der.c: check that der_parse_hex_heim_integer() handles odd
+	length numbers.
+
+	* der_format.c (der_parse_hex_heim_integer): make more resiliant
+	to errors, handle odd length numbers.
+
+2006-01-13  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: Add RSAPrivateKey
+	
+	* rfc2459.asn1: Add RSAPrivateKey.
+	
+2006-01-05  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* der_copy.c (copy_heim_integer): copy the negative flag
+	
+2005-12-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* parse.y: Drop ExceptionSpec for now, its not used.
+	
+2005-12-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test.asn1: Add test string for constraints.
+
+	* symbol.h: Add support for part of the Constraint-s
+
+	* gen.c: Set new constraints pointer in Type to NULL for inline
+	constructed types.
+
+	* parse.y: Add support for parsing part of the Constraint-s
+	
+2005-10-29  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: Add some X9.57 (DSA) oids, sort lines
+
+	* rfc2459.asn1: Add some X9.57 (DSA) oids.
+	
+2005-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Remove pk-init-19 support.
+	
+	* pkinit.asn1: Fix comment
+	
+	* check-der.c: Add tests for parse and print functions for
+	heim_integer.
+
+	* Makefile.am: Add parse and print functions for heim_integer.
+	
+	* der_format.c: Add parse and print functions for heim_integer.
+
+	* der.h: Add parse and print functions for heim_integer.
+	
+2005-09-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am (gen_files_rfc2459) += asn1_DHPublicKey.x
+	
+	* rfc2459.asn1: Add DHPublicKey, and INTEGER to for storing the DH
+	public key in the SubjectPublicKeyInfo.subjectPublicKey BIT
+	STRING.
+	
+2005-09-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen_decode.c: TSequenceOf/TSetOf: Increase the length of the
+	array after successful decoding the next element, so that the
+	array don't contain heap-data.
+	
+2005-09-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-der.c: Avoid empty array initiators.
+	
+	* pkcs8.asn1 (PKCS8PrivateKeyInfo): Inline SET OF to avoid
+	compiler "feature"
+	
+	* check-common.c: Avoid signedness warnings.
+	
+	* check-common.h: Makes bytes native platform signed to avoid
+	casting everywhere
+	
+	* check-der.c: Don't depend on malloc(very-very-larger-value) will
+	fail.  Cast to unsigned long before printing size_t.
+	
+	* check-gen.c: Don't depend on malloc(very-very-larger-value) will
+	fail.
+	
+	* check-gen.c: Fix signedness warnings.
+	
+	* lex.l: unput() have to hanppen in actions for flex 2.5.31, can
+	do them in user code sesction, so move up handle_comment and
+	handle_string into action, not much sharing was done anyway.
+	
+2005-09-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-der.c (test_one_int): len and len_len is size_t
+
+2005-08-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen_encode.c: Change name of oldret for each instance its used
+	to avoid shadow warning. From: Stefan Metzmacher
+	<metze@samba.org>.
+
+	* gen_length.c: Change name of oldret for each instance its used
+	to avoid shadow warning. From: Stefan Metzmacher
+	<metze@samba.org>.
+
+	* gen_decode.c: Change name of oldret for each instance its used
+	to avoid shadow warning. From: Stefan Metzmacher
+	<metze@samba.org>.
+	
+	* parse.y: Const poision yyerror.
+
+	* gen.c: Const poision.
+	
+2005-08-22 Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* k5.asn1: Add KRB5-PADATA-PK-AS-09-BINDING, client send
+	this (with an empty pa-data.padata-value) to tell the KDC that the
+	client support the binding the PA-REP to the AS-REQ packet. This
+	is to fix the problem lack of binding the AS-REQ to the PK-AS-REP
+	in pre PK-INIT-27. The nonce is replaced with a asCheckSum.
+	
+2005-08-11 Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* canthandle.asn1: Allocation is done on CONTEXT tags.
+
+	* asn1_gen.c: rename optind to optidx to avoid shadow warnings
+
+2005-07-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* rfc2459.asn1: add id-rsadsi-rc2-cbc
+
+	* Makefile.am: add another oid for rc2
+
+2005-07-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-der.c: Make variable initiation constant by moving them to
+	global context
+
+	* check-gen.c: change to c89 comment
+
+2005-07-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: remove duplicate asn1_CMSAttributes.x
+
+2005-07-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* asn1_print.c: rename optind to optidx
+
+	* Makefile.am: Update to pkinit-27
+
+	* pkinit.asn1: Update to pkinit-27
+	
+2005-07-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-der.c: make it work for non c99 compilers too
+	
+	* check-der.c: start testing BIT STRING
+
+	* der_cmp.c (heim_bit_string_cmp): try handle corner cases better
+	
+	* gen_free.c (free_type): free bignum integers
+
+2005-07-23   Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: add PKCS12-OctetString
+
+	* pkcs12.asn1: add PKCS12-OctetString
+
+	* Makefile.am: add new files
+
+	* rfc2459.asn1: include SET OF in Attribute to make the type more
+	useful
+
+	* CMS.asn1: handle IMPLICIT and share some common structures
+
+2005-07-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* rfc2459.asn1: Include enough workarounds that this even might
+	work.
+
+	* check-gen.c: Two implicit tests, one with all structures inlined
+	
+	* test.asn1: fix workaround for IMPLICIT CONS case
+	
+	* canthandle.asn1: fix workaround for IMPLICIT CONS case
+	
+	* asn1_print.c: hint that there are IMPLICIT content when we find
+	it
+
+	* check-gen.c: Added #ifdef out test for IMPLICIT tagging.
+
+	* Makefile.am: test several IMPLICIT tag level deep
+	
+	* test.asn1: test several IMPLICIT tag level deep
+
+	* test.asn1: tests for IMPLICIT
+
+	* Makefile.am: tests for IMPLICIT
+
+	* canthandle.asn1: Expand on what is wrong with the IMPLICIT
+	tagging
+
+	* rfc2459.asn1: some of the structure are in the IMPLICIT TAGS
+	module
+
+2005-07-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* asn1_print.c: print size_t by casting to unsigned long and use
+	right printf format tags are unsigned integers
+
+	* gen.c (generate_constant): oid elements are unsigned
+
+	* gen_decode.c (decode_type): tagdatalen should be an size_t.
+
+	* extra.c (decode_heim_any): tag is unsigned int.
+
+	* der_get.c (der_match_tag): tag is unsigned int.
+
+	* gen_length.c (length_type): cast size_t argument to unsigned
+	long and use appropriate printf format
+
+	* check-der.c (check_fail_bitstring): check for length overflow
+
+	* der_get.c: rewrite integer overflow tests w/o SIZE_T_MAX
+
+	* check-common.c (generic_decode_fail): only copy in if checklen
+	its less then 0xffffff and larger than 0.
+
+	* gen_decode.c (find_tag): find external references, we can't
+	handle those, so tell user that instead of crashing
+
+2005-07-18  Dave Love  <fx@gnu.org>
+
+	* extra.c (free_heim_any_set): Fix return.
+
+	* gen_decode.c (find_tag): Fix return in TType case.
+
+2005-07-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen_encode.c (TChoice): add () to make sure variable expression
+	is evaluated correctly
+
+	* gen_length.c (TChoice): add () to make sure variable expression
+	is evaluated correctly
+
+	* k5.asn1: reapply 1.43 that got lost in the merge: rename pvno to
+	krb5-pvno
+
+2005-07-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen_decode.c (decode_type): TChoice: set the label
+
+	* check-gen.c (cmp_Name): do at least some checking
+
+	* gen_locl.h: rename function filename() to get_filename() to
+	avoid shadowing
+
+	* lex.l: rename function filename() to get_filename() to avoid
+	shadowing
+
+	* gen.c: rename function filename() to get_filename() to avoid
+	shadowing
+
+	* check-der.c: add failure checks for large oid elements
+
+	* check-gen.c: add failure checks for tag (and large tags)
+
+	* der_get.c: Check for integer overflows in tags and oid elements.
+
+2005-07-10  Assar Westerlund  <assar@kth.se>
+
+	* gen_decode.c: Fix decoding of choices to select which branch to
+	try based on the tag and return an error if that branch fails.
+
+	* check-gen.c: Fix short choice test cases.
+
+2005-07-09  Assar Westerlund  <assar@kth.se>
+
+	* symbol.c:
+	* parse.y:
+	* main.c:
+	* lex.l:
+	* gen_length.c:
+	* gen_free.c:
+	* gen_encode.c:
+	* gen_decode.c:
+	* gen_copy.c:
+	* gen.c:
+	* extra.c:
+	* check-gen.c:
+	* check-der.c:
+	* check-common.c:
+	* asn1_print.c:
+	* asn1_gen.c:
+	Use emalloc, ecalloc, and estrdup.
+	Check return value from asprintf.
+	Make sure that malloc(0) returning NULL is not treated as an
+	error.
+
+2005-07-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-gen.c: test cases for CHOICE, its too liberal right now,
+	it don't fail hard on failure on after it successfully decoded the
+	first tag in a choice branch
+
+	* asn1_gen.c: calculate the basename for the output file,
+	pretty-print tag number
+
+	* test.gen: sample for asn1_gen
+
+	* check-gen.c: check errors in SEQUENCE
+
+	* Makefile.am: build asn1_gen, TESTSeq and new, and class/type/tag
+	string<->num converter.
+
+	* test.asn1: TESTSeq, for testing SEQUENCE
+
+	* asn1_gen.c: generator for asn1 data
+
+	* asn1_print.c: use class/type/tag string<->num converter.
+
+	* der.c: Add class/type/tag string<->num converter.
+
+	* der.h: Add class/type/tag string<->num converter.
+	Prototypes/structures for new time bits.
+
+2005-07-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* der_get.c (der_get_unsigned) check for length overflow
+	(der_get_integer) ditto
+	(der_get_general_string) ditto
+
+	* der_get.c: check for overruns using SIZE_T_MAX
+
+	* check-der.c: check BIT STRING and OBJECT IDENTIFIER error cases
+
+	* check-common.c (generic_decode_fail): allocate 4K for the over
+	sized memory test
+
+	* der_get.c (der_get_oid): check for integer overruns and
+	unterminated oid correctly
+
+	* check-common.h (map_alloc, generic_decode_fail): prototypes
+
+	* check-common.c (map_alloc): make input buffer const
+	(generic_decode_fail): verify decoding failures
+
+2005-07-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen_encode.c: split up the printf for SET OF, also use the
+	generate name for the symbol in the SET OF, if not, the name might
+	contain non valid variable name characters (like -)
+
+2005-07-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: move pkcs12 defines into their own namespace
+
+	* pkcs12.asn1: move pkcs12 defines into their own namespace
+
+	* pkcs9.asn1: add PKCS9-friendlyName with workaround for SET OF
+	bug
+
+	* heim_asn1.h: reuse heim_octet_string for heim_any types
+
+	* main.c: use optidx, handle the case where name is missing and
+	use base of filename then
+
+	* asn1-common.h: include ASN1_MALLOC_ENCODE
+
+	* gen_decode.c: use less context so lower indentention level, add
+	missing {} where needed
+
+2005-07-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen_copy.c: Use a global variable to keep track of if the 'goto
+	fail' was used, and use that to only generate the label if needed.
+
+	* asn1_print.c: do indefinite form loop detection and stop after
+	10000 recursive indefinite forms, stops crashing due to running
+	out of stack
+
+	* asn1_print.c: catch badly formated indefinite length data
+	(missing EndOfContent tag) add (negative) indent flag to speed up
+	testing
+
+2005-07-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* canthandle.asn1: Can't handle primitives in CHOICE
+
+	* gen_decode.c: Check if malloc failes
+
+	* gen_copy.c: Make sure to free memory on failure
+
+	* gen_decode.c: Check if malloc failes, rename "reallen" to
+	tagdatalen since that is what it is.
+
+2005-05-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* prefix Der_class with ASN1_C_ to avoid problems with system
+	headerfiles that pollute the name space
+
+2005-05-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* pkcs12.asn1: add PKCS12CertBag
+
+	* pkcs9.asn1: add pkcs9 certtype x509 certificate
+
+	* Makefile.am: add pkcs12 certbag and pkcs9 certtype x509
+	certificate
+
+	* pkcs12.asn1: split off PKCS12Attributes from SafeBag so it can
+	be reused
+
+	* Makefile.am: add PKCS12Attributes
+
+2005-05-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* canthandle.asn1: fix tags in example
+
+2005-05-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* pkinit.asn1: Let the Windows nonce be an int32 (signed), if not
+	it will fail when using Windows PK-INIT.
+
+2005-05-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: add pkcs12-PBEParams
+
+	* pkcs12.asn1: add pkcs12-PBEParams
+
+	* parse.y: objid_element: exit when the condition fails
+
+2005-04-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen_glue.c: 1.8: switch the units variable to a
+	function. gcc-4.1 needs the size of the structure if its defined
+	as extern struct units foo_units[] an we don't want to include
+	<parse_units.h> in the generate headerfile
+
+2005-03-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: add the des-ede3-cbc oid that ansi x9.52 uses
+
+	* rfc2459.asn1: add the des-ede3-cbc oid that ansi x9.52 uses
+
+	* Makefile.am: add oids for x509
+
+	* rfc2459.asn1: add oids now when the compiler can handle them
+
+2005-03-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: add pkcs9 files
+
+	* pkcs9.asn1: add small number of oids from pkcs9
+
+2005-03-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: add a bunch of pkcs1/pkcs2/pkcs3/aes oids
+
+	* rfc2459.asn1: add a bunch of pkcs1/pkcs2/pkcs3/aes oids
+
+2005-03-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* k5.asn1: merge pa-numbers
+
+2005-03-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: add oid's
+
+	* rfc2459.asn1: add encryption oids
+
+	* CMS.asn1: add signedAndEnvelopedData oid
+
+	* pkcs12.asn1: add pkcs12 oids
+
+	* CMS.asn1: add pkcs7 oids
+
+2005-03-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen.c (generate_header_of_codefile): break out the header
+	section generation
+	(generate_constant): generate a function that return the oid
+	inside a heim_oid
+
+	* parse.y: fix the ordering of the oid's
+
+	* parse.y: handle OBJECT IDENTIFIER as value construct
+
+2005-02-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Preserve content of CHOICE element that is unknown if ellipsis
+	was used when defining the structure
+
+2005-02-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* parse.y: use ANS1_TAILQ macros
+
+	* *.[ch]: use ASN1_TAILQ macros
+
+	* asn1_queue.h: inline bsd sys/queue.h and rename TAILQ to
+	ASN1_TAILQ to avoid problems with name polluting headerfiles
+
+2005-01-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen.c: pull in <krb5-types.h>
+
+2005-01-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Add BMPString and UniversalString
+
+	* k5.asn1 (EtypeList): make INTEGER constrained (use krb5int32)
+
+2005-01-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* rfc2459.asn1: add GeneralNames
+
+2004-11-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen.c: use unsigned integer for len of SequenceOf/SetOf and
+	bitstring names
+
+2004-11-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: switch to krb5int32 and krb5uint32
+
+	* Unify that three integer types TInteger TUInteger and TBigInteger.
+	Start to use constrained integers where appropriate.
+
+2004-10-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* CMS.asn1: remove no longer used commented out elements
+
+	* gen_glue.c: make units structures const
+
+2004-10-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lex.l: handle hex number with [a-fA-F] in them
+
+2004-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen_free.c: free _save for CHOICE too
+
+	* rfc2459.asn1: use Name and not heim_any
+
+	* gen_decode.c: if malloc for _save failes, goto fail so we free
+	the structure
+
+	* gen_copy.c: copy _save for CHOICE too
+
+	* gen.c: add _save for CHOICE too
+
+	* CMS.asn1: RecipientIdentifier and SignerIdentifier is the same
+	name is CMSIdentifier and add glue for that so we can share code
+	use Name and not heim_any
+
+2004-10-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: drop AlgorithmIdentifierNonOpt add
+	{RC2CBC,}CBCParameter here where they belong
+
+	* CMS.asn1: add {RC2CBC,}CBCParameter here where they belong
+
+	* rfc2459.asn1: drop AlgorithmIdentifierNonOpt
+
+	* rfc2459.asn1: stop using AlgorithmIdentifierNonOpt hint that we
+	really want to use Name and some MS stuff
+
+2004-09-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* asn1_print.c: handle end of content, this is part BER support,
+	however, OCTET STRING need some tweeking too.
+
+	* der.h: add UT_EndOfContent
+
+	* test.asn1: test asn1 spec file
+
+	* check-gen.c: check larget tags
+
+	* Makefile.am: add test asn1 spec file that we can use for testing
+	constructs that doesn't exists in already existing spec (like
+	large tags)
+
+	* der_put.c (der_put_tag): make sure there are space for the head
+	tag when we are dealing with large tags (>30)
+
+	* check-gen.c: add test for tag length
+
+	* check-common.c: export the map_ functions for OVERRUN/UNDERRUN
+	detection restore the SIGSEGV handler when test is done
+
+	* check-common.h: export the map_ functions for OVERRUN/UNDERRUN
+	detection
+
+	* gen_decode.c: check that the tag-length is not longer the length
+	use forwstr on some more places
+
+	* parse.y: revert part of 1.14.2.21, multiple IMPORT isn't allowed
+
+	* pkinit.asn1: correct usage of IMPORT
+
+	* CMS.asn1: correct usage of IMPORT
+
+	* pkcs8.asn1: pkcs8, encrypting private key
+
+	* pkcs12.asn1: pkcs12, key/crl/certificate file transport PDU
+
+	* Makefile.am: add pkcs8 and pkcs12
+
+	* der_free.c: reset length when freing primitives
+
+	* CMS.asn1: add EncryptedData
+
+2004-08-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen_decode.c (decode_type): if the entry is already optional
+	when parsing a tag and we allocate the structure, not pass down
+	optional since that will case the subtype's decode_type also to
+	allocate an entry. and we'll leak an entry. Bug from Luke Howard
+	<lukeh@padl.com>. While here, use calloc.
+
+2004-04-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* k5.asn1: shift the last added etypes one step so rc2 doesn't
+	stomp on cram-md5
+
+2004-04-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* k5.asn1: add ETYPE_AESNNN_CBC_NONE
+
+	* CMS.asn1: add CMS symmetrical parameters moved to k5.asn1
+
+	* k5.asn1: add CMS symmetrical parameters here, more nametypes
+	enctype rc2-cbc
+
+2004-04-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen_decode.c: free data on decode failure
+
+2004-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: add CBCParameter and RC2CBCParameter
+
+	* CMS.asn1: add CBCParameter and RC2CBCParameter
+
+2004-04-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-der.c: add simple test for oid's, used to trigger malloc
+	bugs in you have picky malloc (like valgrind/purify/third)
+
+	* der_get.c (der_get_oid): handle all oid components being smaller
+	then 127 and allocate one extra element since first byte is split
+	to to elements.
+
+2004-04-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* canthandle.asn1: one thing handled
+
+	* gen_decode.c: handle OPTIONAL CONS-tag-less elements
+
+	* der_length.c (length_len): since length is no longer the same as
+	an unsigned, do the length counting here. ("unsigned" is zero
+	padded when most significate bit is set, length is not)
+
+2004-04-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* canthandle.asn1: document by example what the encoder can't
+	handle right now
+
+	* Makefile.am: add more stuff needed whem implementing x509
+	preserve TBSCertificate
+
+	* rfc2459.asn1: add more stuff needed whem implementing x509
+
+	* CMS.asn1: move some type to rfc2459.asn1 where they belong (and
+	import them)
+
+	* gen.c: preserve the raw data when asked too
+
+	* gen_decode.c: preserve the raw data when asked too
+
+	* gen_copy.c: preserve the raw data when asked too
+
+	* gen_free.c: preserve the raw data when asked too
+
+	* gen_locl.h: add preserve_type
+
+	* heim_asn1.h: add heim_any_cmp
+
+	* main.c: add flag --preserve-binary=Symbol1,Symbol2,... that make
+	the compiler generate stubs to save the raw data, its not used
+	right now when generating the stat
+
+	* k5.asn1: Windows uses PADATA 15 for the request too
+
+	* extra.c: add heim_any_cmp
+
+	* der_put.c: implement UTCtime correctly
+
+	* der_locl.h: remove #ifdef HAVE_TIMEGM\ntimegm\n#endif here from
+	der.h so one day der.h can get installed
+
+	* der_length.c: implement UTCtime correctly
+
+	* der_get.c: implement UTCtime correctly, prefix dce_fix with
+	_heim_fix
+
+	* der_copy.c: make copy_bit_string work again
+
+	* der_cmp.c: add octet_string, integer, bit_string cmp functions
+
+	* der.h: hide away more symbols, add more _cmp functions
+
+2004-03-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: add more pkix types make k5 use rfc150 bitstrings,
+	everything else use der bitstrings
+
+	* main.c: as a compile time option, handle no rfc1510 bitstrings
+
+	* gen_locl.h: rfc1510 bitstrings flag
+
+	* gen_length.c: as a compile time option, handle no rfc1510
+	bitstrings
+
+	* gen_encode.c: as a compile time option, handle no rfc1510
+	bitstrings
+
+	* gen_decode.c: handle no rfc1510 bitstrings
+
+	* check-gen.c: test for bitstrings
+
+	* rfc2459.asn1: add Certificates and KeyUsage
+
+2004-02-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* pkinit.asn1: use Name from PKIX
+
+	* rfc2459.asn1: add more silly string types to DirectoryString
+
+	* gen_encode.c: add checks for data overflow when encoding
+	TBitString with members encode SET OF correctly by bytewise
+	sorting the members
+
+	* gen_decode.c: add checks for data overrun when encoding
+	TBitString with members
+
+	* der_put.c: add _heim_der_set_sort
+
+	* der_cmp.c: rename oid_cmp to heim_oid_cmp
+
+	* der.h: rename oid_cmp to heim_oid_cmp, add _heim_der_set_sort
+
+	* check-gen.c: add check for Name and (commented out) heim_integer
+
+	* check-der.c: test for "der_length.c: Fix len_unsigned for
+	certain negative integers, it got the length wrong" , from
+	Panasas, Inc.
+
+	* der_length.c: Fix len_unsigned for certain negative integers, it
+	got the length wrong, fix from Panasas, Inc.
+
+	rename len_int and len_unsigned to _heim_\&
+
+	* gen_length.c: 1.14: (length_type): TSequenceOf: add up the size
+	of all the elements, don't use just the size of the last element.
+
+2004-02-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* rfc2459.asn1: include defintion of Name
+
+	* pkinit.asn1: no need for ContentType, its cms internal
+
+	* CMS.asn1: move ContentInfo to CMS
+
+	* pkinit.asn1: update to pk-init-18, move ContentInfo to CMS
+
+	* Makefile.am: align with pk-init-18, move contentinfo to cms
+
+2004-02-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* der_get.c: rewrite previous commit
+
+	* der_get.c (der_get_heim_integer): handle positive integer
+	starting with 0
+
+	* der_length.c (der_put_heim_integer): try handle negative
+	integers better (?)
+
+	* der_put.c (der_put_heim_integer): try handle negative integers
+	better
+
+	* der_get.c (der_get_heim_integer): dont abort on negative integer just
+	return ASN1_OVERRUN for now
+
+	* parse.y: add ia5string, and printablestring
+
+	* gen_length.c: add ia5string, and printablestring
+
+	* gen_free.c: add ia5string, and printablestring
+
+	* gen_decode.c: add ia5string, and printablestring
+
+	* gen_copy.c: add ia5string, and printablestring
+
+	* gen.c: add ia5string, printablestring, and utf8string change
+	implemetation of heim_integer and store the data as bigendian byte
+	array with a external flag for signedness
+
+	* der_put.c: add ia5string, printablestring, and utf8string change
+	implemetation of heim_integer and store the data as bigendian byte
+	array with a external flag for signedness
+
+	* der_length.c: add ia5string, printablestring, and utf8string
+	change implemetation of heim_integer and store the data as
+	bigendian byte array with a external flag for signedness
+
+	* der_get.c: add ia5string, printablestring, and utf8string change
+	implemetation of heim_integer and store the data as bigendian byte
+	array with a external flag for signedness
+
+	* der_free.c: add ia5string, printablestring, and utf8string
+
+	* der_copy.c: add ia5string, printablestring, and utf8string
+
+	* der.h: add ia5string, printablestring, and utf8string
+
+	* asn1-common.h: add signedness flag to heim_integer, add
+	ia5string and printablestring
+
+2004-02-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* rfc2459.asn1: use BIGINTEGER where appropriate
+
+	* setchgpw2.asn1: spelling and add op-req again
+
+2004-02-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: clean up better
+
+2004-02-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen_decode.c (decode_type): TTag, don't overshare the reallen
+	variable
+
+	* Makefile.am: adapt to log file name change
+
+	* gen.c: genereate log file name based on base name
+
+2003-11-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: += asn1_AlgorithmIdentifierNonOpt.x
+
+	* rfc2459.asn1: add AlgorithmIdentifierNonOpt and use it where
+	it's needed, make DomainParameters.validationParms heim_any as a
+	hack. Both are workarounds for the problem with heimdal's asn1
+	compiler have with decoing context tagless OPTIONALs.
+
+	* pkinit.asn1: don't import AlgorithmIdentifier
+
+2003-11-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* der_put.c (der_put_bit_string): make it work somewhat better
+	(should really prune off all trailing zeros)
+
+	* gen_encode.c (encode_type): bit string is not a constructed type
+
+	* der_length.c (length_bit_string): calculate right length for
+	bitstrings
+
+2003-11-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* der_cmp.c (oid_cmp): compare the whole array, not just
+	length/sizeof(component)
+
+	* check-common.c: mmap the scratch areas, mprotect before and
+	after, align data to the edge of the mprotect()ed area to provoke
+	bugs
+
+	* Makefile.am: add DomainParameters, ValidationParms
+
+	* rfc2459.asn1: add DomainParameters, ValidationParms
+
+	* check-der.c: add free function
+
+	* check-common.h: add free function
+
+	* check-common.c: add free function
+
+	* check-gen.c: check KRB-ERROR
+
+	* asn1_print.c: check end of tag_names loop into APPL class tags
+
+2003-11-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* der_put.c (der_put_generalized_time): check size, not *size
+
+2003-11-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen_decode.c (decode_type/TBitString): skip over
+	skipped-bits-in-last-octet octet
+
+	* gen_glue.c (generate_units): generate units in reverse order to
+	keep unparse_units happy
+
+2003-11-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: generate all silly pkinit files
+
+	* pkinit.asn1: make it work again, add strange ms structures
+
+	* k5.asn1: PROV-SRV-LOCATION, PacketCable provisioning server
+	location, PKT-SP-SEC-I09-030728
+
+	* asn1-common.h: add bit string
+
+	* der_put.c: add bit string and utctime
+
+	* gen.c: add bit string and utctime
+
+	* gen_copy.c: add bit string and utctime
+
+	* der_copy.c: add bit string
+
+	* gen_decode.c: add utctime and bitstring
+
+	* gen_encode.c: add utctime and bitstring
+
+	* gen_free.c: add utctime and bitstring
+
+	* gen_glue.c: don't generate glue for member-less bit strings
+
+	* der_cmp.c: compare function for oids
+
+	* gen_length.c: add utc time, make bit string work for bits
+	strings w/o any members
+
+	* der_cmp.c: compare function for oids
+
+	* der.h: update boolean prototypes add utctime and bit_string
+
+	* der_free.c: add free_bit_string
+
+	* der_get.c: add bit string and utctime
+
+	* der_length.c: add bit string and utctime, fix memory leak in
+	length_generalized_time
+
+	* CMS.asn1: make EncryptedContentInfo.encryptedContent a OCTET
+	STRING to make the generator do the right thing with IMPLICIT
+	mumble OPTIONAL, make CertificateSet a heim_any_set
+
+	* extra.c, heim_asn1.h: add any_set, instead of just consuming one
+	der object, its consumes the rest of the data avaible
+
+	* extra.c, heim_asn1.h: extern implementation of ANY, decoder
+	needs to have hack removed when generator handles tagless optional
+	data
+
+	* pkinit.asn1: add KdcDHKeyInfo-Win2k
+
+2003-11-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* der_copy.c (copy_oid): copy all components
+
+	* parse.y: parse UTCTime, allow multiple IMPORT
+
+	* symbol.h: add TUTCTime
+
+	* rfc2459.asn1: update
+
+	* x509.asn1: update
+
+	* pkinit.asn1: update
+
+	* CMS.asn1: new file
+
+	* asn1_print.c: print some more lengths, check length before
+	steping out in the void, parse SET, only go down CONTEXT of type
+	CONS (not PRIM)
+
+2003-09-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen_encode.c (TChoice, TSequence): code element in reverse
+	order...
+
+2003-09-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen.c: store NULL's as int's for now
+
+	* parse.y: remove dup of type def of UsefulType
+
+2003-09-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen_decode.c (decode_type): if malloc failes, return ENOMEM
+
+2003-09-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* parse.y: kw_UTF8String is a token put tag around the OID
+
+	* asn1_print.c (UT_Integer): when the integer is larger then int
+	can handle, just print BIG INT and its size
+
+2003-09-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gen_decode.c (decode_type): TTag, try to generate prettier code
+	in the non optional case, also remember to update length
+
+2003-01-22  Johan Danielsson  <joda@pdc.kth.se>
+
+	* gen_decode.c: add flag to decode broken DCE BER encoding
+
+	* gen_locl.h: add flag to decode broken DCE BER encoding
+
+	* main.c: add flag to decode broken DCE BER encoding
+
diff --git a/crypto/heimdal/lib/asn1/Makefile.am b/crypto/heimdal/lib/asn1/Makefile.am
index f6ece75..af300f0 100644
--- a/crypto/heimdal/lib/asn1/Makefile.am
+++ b/crypto/heimdal/lib/asn1/Makefile.am
@@ -1,83 +1,463 @@
-# $Id: Makefile.am,v 1.69.2.3 2004/06/21 08:26:44 lha Exp $
+# $Id: Makefile.am 22445 2008-01-14 21:23:36Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-YFLAGS = -d
+YFLAGS = -d -t
 
 lib_LTLIBRARIES = libasn1.la
-libasn1_la_LDFLAGS = -version-info 6:2:0
+libasn1_la_LDFLAGS = -version-info 8:0:0
 
-libasn1_la_LIBADD = @LIB_com_err@
+libasn1_la_LIBADD = \
+	@LIB_com_err@ \
+	$(LIBADD_roken)
 
-BUILT_SOURCES =			\
-	$(gen_files:.x=.c)	\
-	asn1_err.h		\
+BUILT_SOURCES =				\
+	$(gen_files_rfc2459:.x=.c)	\
+	$(gen_files_cms:.x=.c)		\
+	$(gen_files_k5:.x=.c)		\
+	$(gen_files_pkinit:.x=.c)	\
+	$(gen_files_pkcs8:.x=.c)	\
+	$(gen_files_pkcs9:.x=.c)	\
+	$(gen_files_pkcs12:.x=.c)	\
+	$(gen_files_digest:.x=.c)	\
+	$(gen_files_kx509:.x=.c)	\
+	asn1_err.h			\
 	asn1_err.c
 
-gen_files =					\
-	asn1_APOptions.x			\
-	asn1_AP_REP.x				\
-	asn1_AP_REQ.x				\
-	asn1_AS_REP.x				\
-	asn1_AS_REQ.x				\
-	asn1_Authenticator.x			\
-	asn1_AuthorizationData.x		\
-	asn1_CKSUMTYPE.x			\
-	asn1_ChangePasswdDataMS.x		\
-	asn1_Checksum.x				\
-	asn1_ENCTYPE.x				\
-	asn1_ETYPE_INFO.x			\
-	asn1_ETYPE_INFO_ENTRY.x			\
-	asn1_EncAPRepPart.x			\
-	asn1_EncASRepPart.x			\
-	asn1_EncKDCRepPart.x			\
-	asn1_EncKrbCredPart.x			\
-	asn1_EncKrbPrivPart.x			\
-	asn1_EncTGSRepPart.x			\
-	asn1_EncTicketPart.x			\
-	asn1_EncryptedData.x			\
-	asn1_EncryptionKey.x			\
-	asn1_HostAddress.x			\
-	asn1_HostAddresses.x			\
-	asn1_KDCOptions.x			\
-	asn1_KDC_REP.x				\
-	asn1_KDC_REQ.x				\
-	asn1_KDC_REQ_BODY.x			\
-	asn1_KRB_CRED.x				\
-	asn1_KRB_ERROR.x			\
-	asn1_KRB_PRIV.x				\
-	asn1_KRB_SAFE.x				\
-	asn1_KRB_SAFE_BODY.x			\
-	asn1_KerberosTime.x			\
-	asn1_KrbCredInfo.x			\
-	asn1_LastReq.x				\
-	asn1_LR_TYPE.x				\
-	asn1_MESSAGE_TYPE.x			\
-	asn1_METHOD_DATA.x			\
-	asn1_NAME_TYPE.x			\
-	asn1_PADATA_TYPE.x			\
-	asn1_PA_DATA.x				\
-	asn1_PA_ENC_TS_ENC.x			\
-	asn1_Principal.x			\
-	asn1_PrincipalName.x			\
-	asn1_Realm.x				\
-	asn1_TGS_REP.x				\
-	asn1_TGS_REQ.x				\
-	asn1_Ticket.x				\
-	asn1_TicketFlags.x			\
-	asn1_TransitedEncoding.x		\
-	asn1_UNSIGNED.x
-
-
-noinst_PROGRAMS = asn1_compile asn1_print
-check_PROGRAMS = check-der check-gen
-TESTS = check-der check-gen
-
-check_der_SOURCES = check-der.c check-common.c
-check_gen_SOURCES = check-gen.c check-common.c
+gen_files_k5 =						\
+	asn1_AD_AND_OR.x				\
+	asn1_AD_IF_RELEVANT.x				\
+	asn1_AD_KDCIssued.x				\
+	asn1_AD_MANDATORY_FOR_KDC.x			\
+	asn1_AD_LoginAlias.x				\
+	asn1_APOptions.x				\
+	asn1_AP_REP.x					\
+	asn1_AP_REQ.x					\
+	asn1_AS_REP.x					\
+	asn1_AS_REQ.x					\
+	asn1_AUTHDATA_TYPE.x				\
+	asn1_Authenticator.x				\
+	asn1_AuthorizationData.x			\
+	asn1_AuthorizationDataElement.x			\
+	asn1_CKSUMTYPE.x				\
+	asn1_ChangePasswdDataMS.x			\
+	asn1_Checksum.x					\
+	asn1_ENCTYPE.x					\
+	asn1_ETYPE_INFO.x				\
+	asn1_ETYPE_INFO2.x				\
+	asn1_ETYPE_INFO2_ENTRY.x			\
+	asn1_ETYPE_INFO_ENTRY.x				\
+	asn1_EncAPRepPart.x				\
+	asn1_EncASRepPart.x				\
+	asn1_EncKDCRepPart.x				\
+	asn1_EncKrbCredPart.x				\
+	asn1_EncKrbPrivPart.x				\
+	asn1_EncTGSRepPart.x				\
+	asn1_EncTicketPart.x				\
+	asn1_EncryptedData.x				\
+	asn1_EncryptionKey.x				\
+	asn1_EtypeList.x				\
+	asn1_HostAddress.x				\
+	asn1_HostAddresses.x				\
+	asn1_KDCOptions.x				\
+	asn1_KDC_REP.x					\
+	asn1_KDC_REQ.x					\
+	asn1_KDC_REQ_BODY.x				\
+	asn1_KRB_CRED.x					\
+	asn1_KRB_ERROR.x				\
+	asn1_KRB_PRIV.x					\
+	asn1_KRB_SAFE.x					\
+	asn1_KRB_SAFE_BODY.x				\
+	asn1_KerberosString.x				\
+	asn1_KerberosTime.x				\
+	asn1_KrbCredInfo.x				\
+	asn1_LR_TYPE.x					\
+	asn1_LastReq.x					\
+	asn1_MESSAGE_TYPE.x				\
+	asn1_METHOD_DATA.x				\
+	asn1_NAME_TYPE.x				\
+	asn1_PADATA_TYPE.x				\
+	asn1_PA_DATA.x					\
+	asn1_PA_ENC_SAM_RESPONSE_ENC.x         		\
+	asn1_PA_ENC_TS_ENC.x				\
+	asn1_PA_PAC_REQUEST.x				\
+	asn1_PA_S4U2Self.x				\
+	asn1_PA_SAM_CHALLENGE_2.x               	\
+	asn1_PA_SAM_CHALLENGE_2_BODY.x 			\
+	asn1_PA_SAM_REDIRECT.x				\
+	asn1_PA_SAM_RESPONSE_2.x			\
+	asn1_PA_SAM_TYPE.x				\
+	asn1_PA_ClientCanonicalized.x			\
+	asn1_PA_ClientCanonicalizedNames.x		\
+	asn1_PA_SvrReferralData.x			\
+	asn1_PROV_SRV_LOCATION.x			\
+	asn1_Principal.x				\
+	asn1_PrincipalName.x				\
+	asn1_Realm.x					\
+	asn1_SAMFlags.x					\
+	asn1_TGS_REP.x					\
+	asn1_TGS_REQ.x					\
+	asn1_TYPED_DATA.x				\
+	asn1_Ticket.x					\
+	asn1_TicketFlags.x				\
+	asn1_TransitedEncoding.x			\
+	asn1_TypedData.x				\
+	asn1_krb5int32.x				\
+	asn1_krb5uint32.x				\
+	asn1_KRB5SignedPathData.x			\
+	asn1_KRB5SignedPathPrincipals.x			\
+	asn1_KRB5SignedPath.x
 
+gen_files_cms =						\
+	asn1_CMSAttributes.x				\
+	asn1_CMSCBCParameter.x				\
+	asn1_CMSEncryptedData.x				\
+	asn1_CMSIdentifier.x				\
+	asn1_CMSRC2CBCParameter.x			\
+	asn1_CMSVersion.x				\
+	asn1_CertificateList.x				\
+	asn1_CertificateRevocationLists.x		\
+	asn1_CertificateSet.x				\
+	asn1_ContentEncryptionAlgorithmIdentifier.x	\
+	asn1_ContentInfo.x				\
+	asn1_ContentType.x				\
+	asn1_DigestAlgorithmIdentifier.x		\
+	asn1_DigestAlgorithmIdentifiers.x		\
+	asn1_EncapsulatedContentInfo.x			\
+	asn1_EncryptedContent.x				\
+	asn1_EncryptedContentInfo.x			\
+	asn1_EncryptedKey.x				\
+	asn1_EnvelopedData.x				\
+	asn1_IssuerAndSerialNumber.x			\
+	asn1_KeyEncryptionAlgorithmIdentifier.x		\
+	asn1_KeyTransRecipientInfo.x			\
+	asn1_MessageDigest.x				\
+	asn1_OriginatorInfo.x				\
+	asn1_RecipientIdentifier.x			\
+	asn1_RecipientInfo.x				\
+	asn1_RecipientInfos.x				\
+	asn1_SignatureAlgorithmIdentifier.x		\
+	asn1_SignatureValue.x				\
+	asn1_SignedData.x				\
+	asn1_SignerIdentifier.x				\
+	asn1_SignerInfo.x				\
+	asn1_SignerInfos.x				\
+	asn1_id_pkcs7.x					\
+	asn1_id_pkcs7_data.x				\
+	asn1_id_pkcs7_digestedData.x			\
+	asn1_id_pkcs7_encryptedData.x			\
+	asn1_id_pkcs7_envelopedData.x			\
+	asn1_id_pkcs7_signedAndEnvelopedData.x		\
+	asn1_id_pkcs7_signedData.x			\
+	asn1_UnprotectedAttributes.x
+
+gen_files_rfc2459 =					\
+	asn1_Version.x					\
+	asn1_id_pkcs_1.x				\
+	asn1_id_pkcs1_rsaEncryption.x			\
+	asn1_id_pkcs1_md2WithRSAEncryption.x		\
+	asn1_id_pkcs1_md5WithRSAEncryption.x		\
+	asn1_id_pkcs1_sha1WithRSAEncryption.x		\
+	asn1_id_pkcs1_sha256WithRSAEncryption.x		\
+	asn1_id_pkcs1_sha384WithRSAEncryption.x		\
+	asn1_id_pkcs1_sha512WithRSAEncryption.x		\
+	asn1_id_heim_rsa_pkcs1_x509.x			\
+	asn1_id_pkcs_2.x				\
+	asn1_id_pkcs2_md2.x				\
+	asn1_id_pkcs2_md4.x				\
+	asn1_id_pkcs2_md5.x				\
+	asn1_id_rsa_digestAlgorithm.x			\
+	asn1_id_rsa_digest_md2.x			\
+	asn1_id_rsa_digest_md4.x			\
+	asn1_id_rsa_digest_md5.x			\
+	asn1_id_pkcs_3.x				\
+	asn1_id_pkcs3_rc2_cbc.x				\
+	asn1_id_pkcs3_rc4.x				\
+	asn1_id_pkcs3_des_ede3_cbc.x			\
+	asn1_id_rsadsi_encalg.x				\
+	asn1_id_rsadsi_rc2_cbc.x			\
+	asn1_id_rsadsi_des_ede3_cbc.x			\
+	asn1_id_secsig_sha_1.x				\
+	asn1_id_nistAlgorithm.x				\
+	asn1_id_nist_aes_algs.x				\
+	asn1_id_aes_128_cbc.x				\
+	asn1_id_aes_192_cbc.x				\
+	asn1_id_aes_256_cbc.x				\
+	asn1_id_nist_sha_algs.x				\
+	asn1_id_sha256.x				\
+	asn1_id_sha224.x				\
+	asn1_id_sha384.x				\
+	asn1_id_sha512.x				\
+	asn1_id_dhpublicnumber.x			\
+	asn1_id_x9_57.x					\
+	asn1_id_dsa.x					\
+	asn1_id_dsa_with_sha1.x				\
+	asn1_id_x520_at.x				\
+	asn1_id_at_commonName.x				\
+	asn1_id_at_surname.x				\
+	asn1_id_at_serialNumber.x			\
+	asn1_id_at_countryName.x			\
+	asn1_id_at_localityName.x			\
+	asn1_id_at_streetAddress.x			\
+	asn1_id_at_stateOrProvinceName.x		\
+	asn1_id_at_organizationName.x			\
+	asn1_id_at_organizationalUnitName.x		\
+	asn1_id_at_name.x				\
+	asn1_id_at_givenName.x				\
+	asn1_id_at_initials.x				\
+	asn1_id_at_generationQualifier.x		\
+	asn1_id_at_pseudonym.x				\
+	asn1_id_Userid.x				\
+	asn1_id_domainComponent.x			\
+	asn1_id_x509_ce.x				\
+	asn1_id_uspkicommon_card_id.x			\
+	asn1_id_uspkicommon_piv_interim.x		\
+	asn1_id_netscape.x				\
+	asn1_id_netscape_cert_comment.x			\
+	asn1_id_ms_cert_enroll_domaincontroller.x	\
+	asn1_id_ms_client_authentication.x		\
+	asn1_AlgorithmIdentifier.x			\
+	asn1_AttributeType.x				\
+	asn1_AttributeValue.x				\
+	asn1_TeletexStringx.x				\
+	asn1_DirectoryString.x				\
+	asn1_Attribute.x				\
+	asn1_AttributeTypeAndValue.x			\
+	asn1_AuthorityInfoAccessSyntax.x		\
+	asn1_AccessDescription.x			\
+	asn1_RelativeDistinguishedName.x		\
+	asn1_RDNSequence.x				\
+	asn1_Name.x					\
+	asn1_CertificateSerialNumber.x			\
+	asn1_Time.x					\
+	asn1_Validity.x					\
+	asn1_UniqueIdentifier.x				\
+	asn1_SubjectPublicKeyInfo.x			\
+	asn1_Extension.x				\
+	asn1_Extensions.x				\
+	asn1_TBSCertificate.x				\
+	asn1_Certificate.x				\
+	asn1_Certificates.x				\
+	asn1_ValidationParms.x				\
+	asn1_DomainParameters.x				\
+	asn1_DHPublicKey.x				\
+	asn1_OtherName.x				\
+	asn1_GeneralName.x				\
+	asn1_GeneralNames.x				\
+	asn1_id_x509_ce_keyUsage.x			\
+	asn1_KeyUsage.x					\
+	asn1_id_x509_ce_authorityKeyIdentifier.x	\
+	asn1_KeyIdentifier.x				\
+	asn1_AuthorityKeyIdentifier.x			\
+	asn1_id_x509_ce_subjectKeyIdentifier.x		\
+	asn1_SubjectKeyIdentifier.x			\
+	asn1_id_x509_ce_basicConstraints.x		\
+	asn1_BasicConstraints.x				\
+	asn1_id_x509_ce_nameConstraints.x		\
+	asn1_BaseDistance.x				\
+	asn1_GeneralSubtree.x				\
+	asn1_GeneralSubtrees.x				\
+	asn1_NameConstraints.x				\
+	asn1_id_x509_ce_privateKeyUsagePeriod.x		\
+	asn1_id_x509_ce_certificatePolicies.x		\
+	asn1_id_x509_ce_policyMappings.x		\
+	asn1_id_x509_ce_subjectAltName.x		\
+	asn1_id_x509_ce_issuerAltName.x			\
+	asn1_id_x509_ce_subjectDirectoryAttributes.x	\
+	asn1_id_x509_ce_policyConstraints.x		\
+	asn1_id_x509_ce_extKeyUsage.x			\
+	asn1_ExtKeyUsage.x				\
+	asn1_id_x509_ce_cRLDistributionPoints.x		\
+	asn1_id_x509_ce_deltaCRLIndicator.x		\
+	asn1_id_x509_ce_issuingDistributionPoint.x	\
+	asn1_id_x509_ce_holdInstructionCode.x		\
+	asn1_id_x509_ce_invalidityDate.x		\
+	asn1_id_x509_ce_certificateIssuer.x		\
+	asn1_id_x509_ce_inhibitAnyPolicy.x		\
+	asn1_DistributionPointReasonFlags.x		\
+	asn1_DistributionPointName.x			\
+	asn1_DistributionPoint.x			\
+	asn1_CRLDistributionPoints.x			\
+	asn1_DSASigValue.x				\
+	asn1_DSAPublicKey.x				\
+	asn1_DSAParams.x				\
+	asn1_RSAPublicKey.x				\
+	asn1_RSAPrivateKey.x				\
+	asn1_DigestInfo.x				\
+	asn1_TBSCRLCertList.x				\
+	asn1_CRLCertificateList.x			\
+	asn1_id_x509_ce_cRLNumber.x			\
+	asn1_id_x509_ce_freshestCRL.x			\
+	asn1_id_x509_ce_cRLReason.x			\
+	asn1_CRLReason.x				\
+	asn1_PKIXXmppAddr.x				\
+	asn1_id_pkix.x					\
+	asn1_id_pkix_on.x				\
+	asn1_id_pkix_on_dnsSRV.x			\
+	asn1_id_pkix_on_xmppAddr.x			\
+	asn1_id_pkix_kp.x				\
+	asn1_id_pkix_kp_serverAuth.x			\
+	asn1_id_pkix_kp_clientAuth.x			\
+	asn1_id_pkix_kp_emailProtection.x		\
+	asn1_id_pkix_kp_timeStamping.x			\
+	asn1_id_pkix_kp_OCSPSigning.x			\
+	asn1_id_pkix_pe.x				\
+	asn1_id_pkix_pe_authorityInfoAccess.x		\
+	asn1_id_pkix_pe_proxyCertInfo.x			\
+	asn1_id_pkix_ppl.x				\
+	asn1_id_pkix_ppl_anyLanguage.x			\
+	asn1_id_pkix_ppl_inheritAll.x			\
+	asn1_id_pkix_ppl_independent.x			\
+	asn1_ProxyPolicy.x				\
+	asn1_ProxyCertInfo.x 
+
+gen_files_pkinit =					\
+	asn1_id_pkinit.x				\
+	asn1_id_pkauthdata.x				\
+	asn1_id_pkdhkeydata.x				\
+	asn1_id_pkrkeydata.x				\
+	asn1_id_pkekuoid.x				\
+	asn1_id_pkkdcekuoid.x				\
+	asn1_id_pkinit_san.x				\
+	asn1_id_pkinit_ms_eku.x				\
+	asn1_id_pkinit_ms_san.x				\
+	asn1_MS_UPN_SAN.x				\
+	asn1_DHNonce.x					\
+	asn1_KDFAlgorithmId.x				\
+	asn1_TrustedCA.x				\
+	asn1_ExternalPrincipalIdentifier.x		\
+	asn1_ExternalPrincipalIdentifiers.x		\
+	asn1_PA_PK_AS_REQ.x				\
+	asn1_PKAuthenticator.x				\
+	asn1_AuthPack.x					\
+	asn1_TD_TRUSTED_CERTIFIERS.x			\
+	asn1_TD_INVALID_CERTIFICATES.x			\
+	asn1_KRB5PrincipalName.x			\
+	asn1_AD_INITIAL_VERIFIED_CAS.x			\
+	asn1_DHRepInfo.x				\
+	asn1_PA_PK_AS_REP.x				\
+	asn1_KDCDHKeyInfo.x				\
+	asn1_ReplyKeyPack.x				\
+	asn1_TD_DH_PARAMETERS.x				\
+	asn1_PKAuthenticator_Win2k.x			\
+	asn1_AuthPack_Win2k.x				\
+	asn1_TrustedCA_Win2k.x				\
+	asn1_PA_PK_AS_REQ_Win2k.x			\
+	asn1_PA_PK_AS_REP_Win2k.x			\
+	asn1_KDCDHKeyInfo_Win2k.x			\
+	asn1_ReplyKeyPack_Win2k.x			\
+	asn1_PkinitSuppPubInfo.x 
+
+gen_files_pkcs12 =					\
+	asn1_id_pkcs_12.x				\
+	asn1_id_pkcs_12PbeIds.x				\
+	asn1_id_pbeWithSHAAnd128BitRC4.x		\
+	asn1_id_pbeWithSHAAnd40BitRC4.x			\
+	asn1_id_pbeWithSHAAnd3_KeyTripleDES_CBC.x	\
+	asn1_id_pbeWithSHAAnd2_KeyTripleDES_CBC.x	\
+	asn1_id_pbeWithSHAAnd128BitRC2_CBC.x		\
+	asn1_id_pbewithSHAAnd40BitRC2_CBC.x		\
+	asn1_id_pkcs12_bagtypes.x			\
+	asn1_id_pkcs12_keyBag.x				\
+	asn1_id_pkcs12_pkcs8ShroudedKeyBag.x		\
+	asn1_id_pkcs12_certBag.x			\
+	asn1_id_pkcs12_crlBag.x				\
+	asn1_id_pkcs12_secretBag.x			\
+	asn1_id_pkcs12_safeContentsBag.x		\
+	asn1_PKCS12_MacData.x				\
+	asn1_PKCS12_PFX.x				\
+	asn1_PKCS12_AuthenticatedSafe.x			\
+	asn1_PKCS12_CertBag.x				\
+	asn1_PKCS12_Attribute.x				\
+	asn1_PKCS12_Attributes.x			\
+	asn1_PKCS12_SafeBag.x				\
+	asn1_PKCS12_SafeContents.x			\
+	asn1_PKCS12_OctetString.x			\
+	asn1_PKCS12_PBEParams.x
+
+gen_files_pkcs8 =					\
+	asn1_PKCS8PrivateKeyAlgorithmIdentifier.x	\
+	asn1_PKCS8PrivateKey.x				\
+	asn1_PKCS8PrivateKeyInfo.x			\
+	asn1_PKCS8Attributes.x				\
+	asn1_PKCS8EncryptedPrivateKeyInfo.x		\
+	asn1_PKCS8EncryptedData.x
+
+gen_files_pkcs9 =					\
+	asn1_id_pkcs_9.x				\
+	asn1_id_pkcs9_contentType.x			\
+	asn1_id_pkcs9_emailAddress.x			\
+	asn1_id_pkcs9_messageDigest.x			\
+	asn1_id_pkcs9_signingTime.x			\
+	asn1_id_pkcs9_countersignature.x		\
+	asn1_id_pkcs_9_at_friendlyName.x		\
+	asn1_id_pkcs_9_at_localKeyId.x			\
+	asn1_id_pkcs_9_at_certTypes.x			\
+	asn1_id_pkcs_9_at_certTypes_x509.x		\
+	asn1_PKCS9_BMPString.x				\
+	asn1_PKCS9_friendlyName.x
+
+gen_files_test =					\
+	asn1_TESTAlloc.x				\
+	asn1_TESTAllocInner.x				\
+	asn1_TESTCONTAINING.x				\
+	asn1_TESTCONTAININGENCODEDBY.x			\
+	asn1_TESTCONTAININGENCODEDBY2.x			\
+	asn1_TESTChoice1.x				\
+	asn1_TESTChoice2.x				\
+	asn1_TESTDer.x					\
+	asn1_TESTENCODEDBY.x				\
+	asn1_TESTImplicit.x				\
+	asn1_TESTImplicit2.x				\
+	asn1_TESTInteger.x				\
+	asn1_TESTInteger2.x				\
+	asn1_TESTInteger3.x				\
+	asn1_TESTLargeTag.x				\
+	asn1_TESTSeq.x					\
+	asn1_TESTUSERCONSTRAINED.x			\
+	asn1_TESTSeqOf.x				\
+	asn1_TESTOSSize1.x				\
+	asn1_TESTSeqSizeOf1.x				\
+	asn1_TESTSeqSizeOf2.x				\
+	asn1_TESTSeqSizeOf3.x				\
+	asn1_TESTSeqSizeOf4.x
+
+gen_files_digest =					\
+	asn1_DigestError.x				\
+	asn1_DigestInit.x				\
+	asn1_DigestInitReply.x				\
+	asn1_DigestREP.x				\
+	asn1_DigestREQ.x				\
+	asn1_DigestRepInner.x				\
+	asn1_DigestReqInner.x				\
+	asn1_DigestRequest.x				\
+	asn1_DigestResponse.x				\
+	asn1_DigestTypes.x				\
+	asn1_NTLMInit.x					\
+	asn1_NTLMInitReply.x				\
+	asn1_NTLMRequest.x				\
+	asn1_NTLMResponse.x
+
+gen_files_kx509 =					\
+	asn1_Kx509Response.x				\
+	asn1_Kx509Request.x
+
+noinst_PROGRAMS = asn1_compile asn1_print asn1_gen
+
+TESTS = check-der check-gen check-timegm
+check_PROGRAMS = $(TESTS)
+
+asn1_gen_SOURCES = asn1_gen.c
+asn1_print_SOURCES = asn1_print.c
+check_der_SOURCES = check-der.c check-common.c check-common.h
+
+dist_check_gen_SOURCES = check-gen.c check-common.c check-common.h
+nodist_check_gen_SOURCES = $(gen_files_test:.x=.c)
 
 asn1_compile_SOURCES = 				\
+	asn1-common.h				\
+	asn1_queue.h				\
+	der.h					\
 	gen.c					\
 	gen_copy.c				\
 	gen_decode.c				\
@@ -85,20 +465,34 @@ asn1_compile_SOURCES = 				\
 	gen_free.c				\
 	gen_glue.c				\
 	gen_length.c				\
+	gen_locl.h				\
+	gen_seq.c				\
 	hash.c					\
+	hash.h					\
 	lex.l					\
+	lex.h					\
 	main.c					\
 	parse.y					\
-	symbol.c
+	symbol.c				\
+	symbol.h
 
-libasn1_la_SOURCES =				\
+dist_libasn1_la_SOURCES =			\
+	der-protos.h 				\
+	der_locl.h 				\
+	der.c					\
+	der.h					\
 	der_get.c				\
 	der_put.c				\
 	der_free.c				\
 	der_length.c				\
 	der_copy.c				\
-	timegm.c				\
-	$(BUILT_SOURCES)
+	der_cmp.c				\
+	der_format.c				\
+	heim_asn1.h				\
+	extra.c					\
+	timegm.c
+
+nodist_libasn1_la_SOURCES = $(BUILT_SOURCES)
 
 asn1_compile_LDADD = \
 	$(LIB_roken) $(LEXLIB)
@@ -109,21 +503,108 @@ check_der_LDADD = \
 
 check_gen_LDADD = $(check_der_LDADD)
 asn1_print_LDADD = $(check_der_LDADD)
+asn1_gen_LDADD = $(check_der_LDADD)
+check_timegm_LDADD = $(check_der_LDADD)
 
-CLEANFILES = lex.c parse.c parse.h krb5_asn1.h $(BUILT_SOURCES) \
-	$(gen_files) asn1_files
+CLEANFILES = \
+	$(BUILT_SOURCES) \
+	$(gen_files_rfc2459) \
+	$(gen_files_cms) \
+	$(gen_files_k5) \
+	$(gen_files_pkinit) \
+	$(gen_files_pkcs8) \
+	$(gen_files_pkcs9) \
+	$(gen_files_pkcs12) \
+	$(gen_files_digest) \
+	$(gen_files_kx509) \
+	$(gen_files_test) $(nodist_check_gen_SOURCES) \
+	rfc2459_asn1_files rfc2459_asn1.h \
+	cms_asn1_files cms_asn1.h \
+	krb5_asn1_files krb5_asn1.h \
+	pkinit_asn1_files pkinit_asn1.h \
+	pkcs8_asn1_files pkcs8_asn1.h \
+	pkcs9_asn1_files pkcs9_asn1.h \
+	pkcs12_asn1_files pkcs12_asn1.h \
+	digest_asn1_files digest_asn1.h \
+	kx509_asn1_files kx509_asn1.h \
+	test_asn1_files test_asn1.h
 
-include_HEADERS = krb5_asn1.h asn1_err.h der.h
+dist_include_HEADERS = der.h heim_asn1.h der-protos.h
 
-$(asn1_compile_OBJECTS): parse.h parse.c
+nodist_include_HEADERS = asn1_err.h
+nodist_include_HEADERS += krb5_asn1.h
+nodist_include_HEADERS += pkinit_asn1.h
+nodist_include_HEADERS += cms_asn1.h
+nodist_include_HEADERS += rfc2459_asn1.h
+nodist_include_HEADERS += pkcs8_asn1.h
+nodist_include_HEADERS += pkcs9_asn1.h
+nodist_include_HEADERS += pkcs12_asn1.h
+nodist_include_HEADERS += digest_asn1.h
+nodist_include_HEADERS += kx509_asn1.h
 
-$(gen_files) krb5_asn1.h: asn1_files
+$(asn1_compile_OBJECTS): parse.h parse.c $(srcdir)/der-protos.h
+$(libasn1_la_OBJECTS): krb5_asn1.h asn1_err.h $(srcdir)/der-protos.h
+$(check_gen_OBJECTS): test_asn1.h
+$(asn1_print_OBJECTS): krb5_asn1.h
 
-asn1_files: asn1_compile$(EXEEXT) $(srcdir)/k5.asn1
-	./asn1_compile$(EXEEXT) $(srcdir)/k5.asn1 krb5_asn1
+parse.h: parse.c
 
-$(libasn1_la_OBJECTS): krb5_asn1.h asn1_err.h
+$(gen_files_k5) krb5_asn1.h: krb5_asn1_files
+$(gen_files_pkinit) pkinit_asn1.h: pkinit_asn1_files
+$(gen_files_pkcs8) pkcs8_asn1.h: pkcs8_asn1_files
+$(gen_files_pkcs9) pkcs9_asn1.h: pkcs9_asn1_files
+$(gen_files_pkcs12) pkcs12_asn1.h: pkcs12_asn1_files
+$(gen_files_digest) digest_asn1.h: digest_asn1_files
+$(gen_files_kx509) kx509_asn1.h: kx509_asn1_files
+$(gen_files_rfc2459) rfc2459_asn1.h: rfc2459_asn1_files
+$(gen_files_cms) cms_asn1.h: cms_asn1_files
+$(gen_files_test) test_asn1.h: test_asn1_files
 
-$(asn1_print_OBJECTS): krb5_asn1.h
+rfc2459_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/rfc2459.asn1
+	./asn1_compile$(EXEEXT) --preserve-binary=TBSCertificate --preserve-binary=TBSCRLCertList --preserve-binary=Name --sequence=GeneralNames --sequence=Extensions --sequence=CRLDistributionPoints $(srcdir)/rfc2459.asn1 rfc2459_asn1 || (rm -f rfc2459_asn1_files ; exit 1)
+
+cms_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/CMS.asn1
+	./asn1_compile$(EXEEXT) $(srcdir)/CMS.asn1 cms_asn1 || (rm -f cms_asn1_files ; exit 1)
+
+krb5_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/k5.asn1
+	./asn1_compile$(EXEEXT) --encode-rfc1510-bit-string --sequence=KRB5SignedPathPrincipals --sequence=AuthorizationData --sequence=METHOD-DATA --sequence=ETYPE-INFO --sequence=ETYPE-INFO2 $(srcdir)/k5.asn1 krb5_asn1 || (rm -f krb5_asn1_files ; exit 1)
+
+pkinit_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/pkinit.asn1
+	./asn1_compile$(EXEEXT) $(srcdir)/pkinit.asn1 pkinit_asn1 || (rm -f pkinit_asn1_files ; exit 1)
+
+pkcs8_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/pkcs8.asn1
+	./asn1_compile$(EXEEXT) $(srcdir)/pkcs8.asn1 pkcs8_asn1 || (rm -f pkcs8_asn1_files ; exit 1)
+
+pkcs9_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/pkcs9.asn1
+	./asn1_compile$(EXEEXT) $(srcdir)/pkcs9.asn1 pkcs9_asn1 || (rm -f pkcs9_asn1_files ; exit 1)
+
+pkcs12_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/pkcs12.asn1
+	./asn1_compile$(EXEEXT) $(srcdir)/pkcs12.asn1 pkcs12_asn1 || (rm -f pkcs12_asn1_files ; exit 1)
+
+digest_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/digest.asn1
+	./asn1_compile$(EXEEXT) $(srcdir)/digest.asn1 digest_asn1 || (rm -f digest_asn1_files ; exit 1)
+
+kx509_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/kx509.asn1
+	./asn1_compile$(EXEEXT) $(srcdir)/kx509.asn1 kx509_asn1 || (rm -f kx509_asn1_files ; exit 1)
+
+test_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/test.asn1
+	./asn1_compile$(EXEEXT) --sequence=TESTSeqOf $(srcdir)/test.asn1 test_asn1 || (rm -f test_asn1_files ; exit 1)
+
+EXTRA_DIST =		\
+	asn1_err.et	\
+	canthandle.asn1	\
+	CMS.asn1	\
+	digest.asn1	\
+	k5.asn1		\
+	kx509.asn1	\
+	test.asn1	\
+	setchgpw2.asn1	\
+	pkcs12.asn1	\
+	pkcs8.asn1	\
+	pkcs9.asn1	\
+	pkinit.asn1	\
+	rfc2459.asn1	\
+	test.gen
 
-EXTRA_DIST = asn1_err.et
+$(srcdir)/der-protos.h:
+	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -o der-protos.h $(dist_libasn1_la_SOURCES) || rm -f der-protos.h
diff --git a/crypto/heimdal/lib/asn1/Makefile.in b/crypto/heimdal/lib/asn1/Makefile.in
index 491040d..0a3783a 100644
--- a/crypto/heimdal/lib/asn1/Makefile.in
+++ b/crypto/heimdal/lib/asn1/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,25 +14,19 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.69.2.3 2004/06/21 08:26:44 lha Exp $
+# $Id: Makefile.am 22445 2008-01-14 21:23:36Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
 
 
-SOURCES = $(libasn1_la_SOURCES) $(asn1_compile_SOURCES) asn1_print.c $(check_der_SOURCES) $(check_gen_SOURCES)
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -44,25 +38,27 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
-DIST_COMMON = $(include_HEADERS) $(srcdir)/Makefile.am \
+DIST_COMMON = $(dist_include_HEADERS) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \
-	$(top_srcdir)/cf/Makefile.am.common lex.c parse.c parse.h
-noinst_PROGRAMS = asn1_compile$(EXEEXT) asn1_print$(EXEEXT)
-check_PROGRAMS = check-der$(EXEEXT) check-gen$(EXEEXT)
+	$(top_srcdir)/cf/Makefile.am.common ChangeLog lex.c parse.c \
+	parse.h
+noinst_PROGRAMS = asn1_compile$(EXEEXT) asn1_print$(EXEEXT) \
+	asn1_gen$(EXEEXT)
+TESTS = check-der$(EXEEXT) check-gen$(EXEEXT) check-timegm$(EXEEXT)
+check_PROGRAMS = $(am__EXEEXT_1)
 subdir = lib/asn1
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -75,6 +71,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -83,98 +80,325 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(includedir)"
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(includedir)" \
+	"$(DESTDIR)$(includedir)"
 libLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(lib_LTLIBRARIES)
-libasn1_la_DEPENDENCIES =
-am__objects_1 = asn1_APOptions.lo asn1_AP_REP.lo asn1_AP_REQ.lo \
-	asn1_AS_REP.lo asn1_AS_REQ.lo asn1_Authenticator.lo \
-	asn1_AuthorizationData.lo asn1_CKSUMTYPE.lo \
-	asn1_ChangePasswdDataMS.lo asn1_Checksum.lo asn1_ENCTYPE.lo \
-	asn1_ETYPE_INFO.lo asn1_ETYPE_INFO_ENTRY.lo \
+am__DEPENDENCIES_1 =
+libasn1_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
+dist_libasn1_la_OBJECTS = der.lo der_get.lo der_put.lo der_free.lo \
+	der_length.lo der_copy.lo der_cmp.lo der_format.lo extra.lo \
+	timegm.lo
+am__objects_1 = asn1_Version.lo asn1_id_pkcs_1.lo \
+	asn1_id_pkcs1_rsaEncryption.lo \
+	asn1_id_pkcs1_md2WithRSAEncryption.lo \
+	asn1_id_pkcs1_md5WithRSAEncryption.lo \
+	asn1_id_pkcs1_sha1WithRSAEncryption.lo \
+	asn1_id_pkcs1_sha256WithRSAEncryption.lo \
+	asn1_id_pkcs1_sha384WithRSAEncryption.lo \
+	asn1_id_pkcs1_sha512WithRSAEncryption.lo \
+	asn1_id_heim_rsa_pkcs1_x509.lo asn1_id_pkcs_2.lo \
+	asn1_id_pkcs2_md2.lo asn1_id_pkcs2_md4.lo asn1_id_pkcs2_md5.lo \
+	asn1_id_rsa_digestAlgorithm.lo asn1_id_rsa_digest_md2.lo \
+	asn1_id_rsa_digest_md4.lo asn1_id_rsa_digest_md5.lo \
+	asn1_id_pkcs_3.lo asn1_id_pkcs3_rc2_cbc.lo \
+	asn1_id_pkcs3_rc4.lo asn1_id_pkcs3_des_ede3_cbc.lo \
+	asn1_id_rsadsi_encalg.lo asn1_id_rsadsi_rc2_cbc.lo \
+	asn1_id_rsadsi_des_ede3_cbc.lo asn1_id_secsig_sha_1.lo \
+	asn1_id_nistAlgorithm.lo asn1_id_nist_aes_algs.lo \
+	asn1_id_aes_128_cbc.lo asn1_id_aes_192_cbc.lo \
+	asn1_id_aes_256_cbc.lo asn1_id_nist_sha_algs.lo \
+	asn1_id_sha256.lo asn1_id_sha224.lo asn1_id_sha384.lo \
+	asn1_id_sha512.lo asn1_id_dhpublicnumber.lo asn1_id_x9_57.lo \
+	asn1_id_dsa.lo asn1_id_dsa_with_sha1.lo asn1_id_x520_at.lo \
+	asn1_id_at_commonName.lo asn1_id_at_surname.lo \
+	asn1_id_at_serialNumber.lo asn1_id_at_countryName.lo \
+	asn1_id_at_localityName.lo asn1_id_at_streetAddress.lo \
+	asn1_id_at_stateOrProvinceName.lo \
+	asn1_id_at_organizationName.lo \
+	asn1_id_at_organizationalUnitName.lo asn1_id_at_name.lo \
+	asn1_id_at_givenName.lo asn1_id_at_initials.lo \
+	asn1_id_at_generationQualifier.lo asn1_id_at_pseudonym.lo \
+	asn1_id_Userid.lo asn1_id_domainComponent.lo \
+	asn1_id_x509_ce.lo asn1_id_uspkicommon_card_id.lo \
+	asn1_id_uspkicommon_piv_interim.lo asn1_id_netscape.lo \
+	asn1_id_netscape_cert_comment.lo \
+	asn1_id_ms_cert_enroll_domaincontroller.lo \
+	asn1_id_ms_client_authentication.lo \
+	asn1_AlgorithmIdentifier.lo asn1_AttributeType.lo \
+	asn1_AttributeValue.lo asn1_TeletexStringx.lo \
+	asn1_DirectoryString.lo asn1_Attribute.lo \
+	asn1_AttributeTypeAndValue.lo \
+	asn1_AuthorityInfoAccessSyntax.lo asn1_AccessDescription.lo \
+	asn1_RelativeDistinguishedName.lo asn1_RDNSequence.lo \
+	asn1_Name.lo asn1_CertificateSerialNumber.lo asn1_Time.lo \
+	asn1_Validity.lo asn1_UniqueIdentifier.lo \
+	asn1_SubjectPublicKeyInfo.lo asn1_Extension.lo \
+	asn1_Extensions.lo asn1_TBSCertificate.lo asn1_Certificate.lo \
+	asn1_Certificates.lo asn1_ValidationParms.lo \
+	asn1_DomainParameters.lo asn1_DHPublicKey.lo asn1_OtherName.lo \
+	asn1_GeneralName.lo asn1_GeneralNames.lo \
+	asn1_id_x509_ce_keyUsage.lo asn1_KeyUsage.lo \
+	asn1_id_x509_ce_authorityKeyIdentifier.lo \
+	asn1_KeyIdentifier.lo asn1_AuthorityKeyIdentifier.lo \
+	asn1_id_x509_ce_subjectKeyIdentifier.lo \
+	asn1_SubjectKeyIdentifier.lo \
+	asn1_id_x509_ce_basicConstraints.lo asn1_BasicConstraints.lo \
+	asn1_id_x509_ce_nameConstraints.lo asn1_BaseDistance.lo \
+	asn1_GeneralSubtree.lo asn1_GeneralSubtrees.lo \
+	asn1_NameConstraints.lo \
+	asn1_id_x509_ce_privateKeyUsagePeriod.lo \
+	asn1_id_x509_ce_certificatePolicies.lo \
+	asn1_id_x509_ce_policyMappings.lo \
+	asn1_id_x509_ce_subjectAltName.lo \
+	asn1_id_x509_ce_issuerAltName.lo \
+	asn1_id_x509_ce_subjectDirectoryAttributes.lo \
+	asn1_id_x509_ce_policyConstraints.lo \
+	asn1_id_x509_ce_extKeyUsage.lo asn1_ExtKeyUsage.lo \
+	asn1_id_x509_ce_cRLDistributionPoints.lo \
+	asn1_id_x509_ce_deltaCRLIndicator.lo \
+	asn1_id_x509_ce_issuingDistributionPoint.lo \
+	asn1_id_x509_ce_holdInstructionCode.lo \
+	asn1_id_x509_ce_invalidityDate.lo \
+	asn1_id_x509_ce_certificateIssuer.lo \
+	asn1_id_x509_ce_inhibitAnyPolicy.lo \
+	asn1_DistributionPointReasonFlags.lo \
+	asn1_DistributionPointName.lo asn1_DistributionPoint.lo \
+	asn1_CRLDistributionPoints.lo asn1_DSASigValue.lo \
+	asn1_DSAPublicKey.lo asn1_DSAParams.lo asn1_RSAPublicKey.lo \
+	asn1_RSAPrivateKey.lo asn1_DigestInfo.lo \
+	asn1_TBSCRLCertList.lo asn1_CRLCertificateList.lo \
+	asn1_id_x509_ce_cRLNumber.lo asn1_id_x509_ce_freshestCRL.lo \
+	asn1_id_x509_ce_cRLReason.lo asn1_CRLReason.lo \
+	asn1_PKIXXmppAddr.lo asn1_id_pkix.lo asn1_id_pkix_on.lo \
+	asn1_id_pkix_on_dnsSRV.lo asn1_id_pkix_on_xmppAddr.lo \
+	asn1_id_pkix_kp.lo asn1_id_pkix_kp_serverAuth.lo \
+	asn1_id_pkix_kp_clientAuth.lo \
+	asn1_id_pkix_kp_emailProtection.lo \
+	asn1_id_pkix_kp_timeStamping.lo asn1_id_pkix_kp_OCSPSigning.lo \
+	asn1_id_pkix_pe.lo asn1_id_pkix_pe_authorityInfoAccess.lo \
+	asn1_id_pkix_pe_proxyCertInfo.lo asn1_id_pkix_ppl.lo \
+	asn1_id_pkix_ppl_anyLanguage.lo asn1_id_pkix_ppl_inheritAll.lo \
+	asn1_id_pkix_ppl_independent.lo asn1_ProxyPolicy.lo \
+	asn1_ProxyCertInfo.lo
+am__objects_2 = asn1_CMSAttributes.lo asn1_CMSCBCParameter.lo \
+	asn1_CMSEncryptedData.lo asn1_CMSIdentifier.lo \
+	asn1_CMSRC2CBCParameter.lo asn1_CMSVersion.lo \
+	asn1_CertificateList.lo asn1_CertificateRevocationLists.lo \
+	asn1_CertificateSet.lo \
+	asn1_ContentEncryptionAlgorithmIdentifier.lo \
+	asn1_ContentInfo.lo asn1_ContentType.lo \
+	asn1_DigestAlgorithmIdentifier.lo \
+	asn1_DigestAlgorithmIdentifiers.lo \
+	asn1_EncapsulatedContentInfo.lo asn1_EncryptedContent.lo \
+	asn1_EncryptedContentInfo.lo asn1_EncryptedKey.lo \
+	asn1_EnvelopedData.lo asn1_IssuerAndSerialNumber.lo \
+	asn1_KeyEncryptionAlgorithmIdentifier.lo \
+	asn1_KeyTransRecipientInfo.lo asn1_MessageDigest.lo \
+	asn1_OriginatorInfo.lo asn1_RecipientIdentifier.lo \
+	asn1_RecipientInfo.lo asn1_RecipientInfos.lo \
+	asn1_SignatureAlgorithmIdentifier.lo asn1_SignatureValue.lo \
+	asn1_SignedData.lo asn1_SignerIdentifier.lo asn1_SignerInfo.lo \
+	asn1_SignerInfos.lo asn1_id_pkcs7.lo asn1_id_pkcs7_data.lo \
+	asn1_id_pkcs7_digestedData.lo asn1_id_pkcs7_encryptedData.lo \
+	asn1_id_pkcs7_envelopedData.lo \
+	asn1_id_pkcs7_signedAndEnvelopedData.lo \
+	asn1_id_pkcs7_signedData.lo asn1_UnprotectedAttributes.lo
+am__objects_3 = asn1_AD_AND_OR.lo asn1_AD_IF_RELEVANT.lo \
+	asn1_AD_KDCIssued.lo asn1_AD_MANDATORY_FOR_KDC.lo \
+	asn1_AD_LoginAlias.lo asn1_APOptions.lo asn1_AP_REP.lo \
+	asn1_AP_REQ.lo asn1_AS_REP.lo asn1_AS_REQ.lo \
+	asn1_AUTHDATA_TYPE.lo asn1_Authenticator.lo \
+	asn1_AuthorizationData.lo asn1_AuthorizationDataElement.lo \
+	asn1_CKSUMTYPE.lo asn1_ChangePasswdDataMS.lo asn1_Checksum.lo \
+	asn1_ENCTYPE.lo asn1_ETYPE_INFO.lo asn1_ETYPE_INFO2.lo \
+	asn1_ETYPE_INFO2_ENTRY.lo asn1_ETYPE_INFO_ENTRY.lo \
 	asn1_EncAPRepPart.lo asn1_EncASRepPart.lo \
 	asn1_EncKDCRepPart.lo asn1_EncKrbCredPart.lo \
 	asn1_EncKrbPrivPart.lo asn1_EncTGSRepPart.lo \
 	asn1_EncTicketPart.lo asn1_EncryptedData.lo \
-	asn1_EncryptionKey.lo asn1_HostAddress.lo \
+	asn1_EncryptionKey.lo asn1_EtypeList.lo asn1_HostAddress.lo \
 	asn1_HostAddresses.lo asn1_KDCOptions.lo asn1_KDC_REP.lo \
 	asn1_KDC_REQ.lo asn1_KDC_REQ_BODY.lo asn1_KRB_CRED.lo \
 	asn1_KRB_ERROR.lo asn1_KRB_PRIV.lo asn1_KRB_SAFE.lo \
-	asn1_KRB_SAFE_BODY.lo asn1_KerberosTime.lo asn1_KrbCredInfo.lo \
-	asn1_LastReq.lo asn1_LR_TYPE.lo asn1_MESSAGE_TYPE.lo \
-	asn1_METHOD_DATA.lo asn1_NAME_TYPE.lo asn1_PADATA_TYPE.lo \
-	asn1_PA_DATA.lo asn1_PA_ENC_TS_ENC.lo asn1_Principal.lo \
-	asn1_PrincipalName.lo asn1_Realm.lo asn1_TGS_REP.lo \
-	asn1_TGS_REQ.lo asn1_Ticket.lo asn1_TicketFlags.lo \
-	asn1_TransitedEncoding.lo asn1_UNSIGNED.lo
-am__objects_2 = $(am__objects_1) asn1_err.lo
-am_libasn1_la_OBJECTS = der_get.lo der_put.lo der_free.lo \
-	der_length.lo der_copy.lo timegm.lo $(am__objects_2)
-libasn1_la_OBJECTS = $(am_libasn1_la_OBJECTS)
+	asn1_KRB_SAFE_BODY.lo asn1_KerberosString.lo \
+	asn1_KerberosTime.lo asn1_KrbCredInfo.lo asn1_LR_TYPE.lo \
+	asn1_LastReq.lo asn1_MESSAGE_TYPE.lo asn1_METHOD_DATA.lo \
+	asn1_NAME_TYPE.lo asn1_PADATA_TYPE.lo asn1_PA_DATA.lo \
+	asn1_PA_ENC_SAM_RESPONSE_ENC.lo asn1_PA_ENC_TS_ENC.lo \
+	asn1_PA_PAC_REQUEST.lo asn1_PA_S4U2Self.lo \
+	asn1_PA_SAM_CHALLENGE_2.lo asn1_PA_SAM_CHALLENGE_2_BODY.lo \
+	asn1_PA_SAM_REDIRECT.lo asn1_PA_SAM_RESPONSE_2.lo \
+	asn1_PA_SAM_TYPE.lo asn1_PA_ClientCanonicalized.lo \
+	asn1_PA_ClientCanonicalizedNames.lo asn1_PA_SvrReferralData.lo \
+	asn1_PROV_SRV_LOCATION.lo asn1_Principal.lo \
+	asn1_PrincipalName.lo asn1_Realm.lo asn1_SAMFlags.lo \
+	asn1_TGS_REP.lo asn1_TGS_REQ.lo asn1_TYPED_DATA.lo \
+	asn1_Ticket.lo asn1_TicketFlags.lo asn1_TransitedEncoding.lo \
+	asn1_TypedData.lo asn1_krb5int32.lo asn1_krb5uint32.lo \
+	asn1_KRB5SignedPathData.lo asn1_KRB5SignedPathPrincipals.lo \
+	asn1_KRB5SignedPath.lo
+am__objects_4 = asn1_id_pkinit.lo asn1_id_pkauthdata.lo \
+	asn1_id_pkdhkeydata.lo asn1_id_pkrkeydata.lo \
+	asn1_id_pkekuoid.lo asn1_id_pkkdcekuoid.lo \
+	asn1_id_pkinit_san.lo asn1_id_pkinit_ms_eku.lo \
+	asn1_id_pkinit_ms_san.lo asn1_MS_UPN_SAN.lo asn1_DHNonce.lo \
+	asn1_KDFAlgorithmId.lo asn1_TrustedCA.lo \
+	asn1_ExternalPrincipalIdentifier.lo \
+	asn1_ExternalPrincipalIdentifiers.lo asn1_PA_PK_AS_REQ.lo \
+	asn1_PKAuthenticator.lo asn1_AuthPack.lo \
+	asn1_TD_TRUSTED_CERTIFIERS.lo asn1_TD_INVALID_CERTIFICATES.lo \
+	asn1_KRB5PrincipalName.lo asn1_AD_INITIAL_VERIFIED_CAS.lo \
+	asn1_DHRepInfo.lo asn1_PA_PK_AS_REP.lo asn1_KDCDHKeyInfo.lo \
+	asn1_ReplyKeyPack.lo asn1_TD_DH_PARAMETERS.lo \
+	asn1_PKAuthenticator_Win2k.lo asn1_AuthPack_Win2k.lo \
+	asn1_TrustedCA_Win2k.lo asn1_PA_PK_AS_REQ_Win2k.lo \
+	asn1_PA_PK_AS_REP_Win2k.lo asn1_KDCDHKeyInfo_Win2k.lo \
+	asn1_ReplyKeyPack_Win2k.lo asn1_PkinitSuppPubInfo.lo
+am__objects_5 = asn1_PKCS8PrivateKeyAlgorithmIdentifier.lo \
+	asn1_PKCS8PrivateKey.lo asn1_PKCS8PrivateKeyInfo.lo \
+	asn1_PKCS8Attributes.lo asn1_PKCS8EncryptedPrivateKeyInfo.lo \
+	asn1_PKCS8EncryptedData.lo
+am__objects_6 = asn1_id_pkcs_9.lo asn1_id_pkcs9_contentType.lo \
+	asn1_id_pkcs9_emailAddress.lo asn1_id_pkcs9_messageDigest.lo \
+	asn1_id_pkcs9_signingTime.lo asn1_id_pkcs9_countersignature.lo \
+	asn1_id_pkcs_9_at_friendlyName.lo \
+	asn1_id_pkcs_9_at_localKeyId.lo asn1_id_pkcs_9_at_certTypes.lo \
+	asn1_id_pkcs_9_at_certTypes_x509.lo asn1_PKCS9_BMPString.lo \
+	asn1_PKCS9_friendlyName.lo
+am__objects_7 = asn1_id_pkcs_12.lo asn1_id_pkcs_12PbeIds.lo \
+	asn1_id_pbeWithSHAAnd128BitRC4.lo \
+	asn1_id_pbeWithSHAAnd40BitRC4.lo \
+	asn1_id_pbeWithSHAAnd3_KeyTripleDES_CBC.lo \
+	asn1_id_pbeWithSHAAnd2_KeyTripleDES_CBC.lo \
+	asn1_id_pbeWithSHAAnd128BitRC2_CBC.lo \
+	asn1_id_pbewithSHAAnd40BitRC2_CBC.lo \
+	asn1_id_pkcs12_bagtypes.lo asn1_id_pkcs12_keyBag.lo \
+	asn1_id_pkcs12_pkcs8ShroudedKeyBag.lo \
+	asn1_id_pkcs12_certBag.lo asn1_id_pkcs12_crlBag.lo \
+	asn1_id_pkcs12_secretBag.lo asn1_id_pkcs12_safeContentsBag.lo \
+	asn1_PKCS12_MacData.lo asn1_PKCS12_PFX.lo \
+	asn1_PKCS12_AuthenticatedSafe.lo asn1_PKCS12_CertBag.lo \
+	asn1_PKCS12_Attribute.lo asn1_PKCS12_Attributes.lo \
+	asn1_PKCS12_SafeBag.lo asn1_PKCS12_SafeContents.lo \
+	asn1_PKCS12_OctetString.lo asn1_PKCS12_PBEParams.lo
+am__objects_8 = asn1_DigestError.lo asn1_DigestInit.lo \
+	asn1_DigestInitReply.lo asn1_DigestREP.lo asn1_DigestREQ.lo \
+	asn1_DigestRepInner.lo asn1_DigestReqInner.lo \
+	asn1_DigestRequest.lo asn1_DigestResponse.lo \
+	asn1_DigestTypes.lo asn1_NTLMInit.lo asn1_NTLMInitReply.lo \
+	asn1_NTLMRequest.lo asn1_NTLMResponse.lo
+am__objects_9 = asn1_Kx509Response.lo asn1_Kx509Request.lo
+am__objects_10 = $(am__objects_1) $(am__objects_2) $(am__objects_3) \
+	$(am__objects_4) $(am__objects_5) $(am__objects_6) \
+	$(am__objects_7) $(am__objects_8) $(am__objects_9) asn1_err.lo
+nodist_libasn1_la_OBJECTS = $(am__objects_10)
+libasn1_la_OBJECTS = $(dist_libasn1_la_OBJECTS) \
+	$(nodist_libasn1_la_OBJECTS)
+libasn1_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libasn1_la_LDFLAGS) $(LDFLAGS) -o $@
+am__EXEEXT_1 = check-der$(EXEEXT) check-gen$(EXEEXT) \
+	check-timegm$(EXEEXT)
 PROGRAMS = $(noinst_PROGRAMS)
 am_asn1_compile_OBJECTS = gen.$(OBJEXT) gen_copy.$(OBJEXT) \
 	gen_decode.$(OBJEXT) gen_encode.$(OBJEXT) gen_free.$(OBJEXT) \
-	gen_glue.$(OBJEXT) gen_length.$(OBJEXT) hash.$(OBJEXT) \
-	lex.$(OBJEXT) main.$(OBJEXT) parse.$(OBJEXT) symbol.$(OBJEXT)
+	gen_glue.$(OBJEXT) gen_length.$(OBJEXT) gen_seq.$(OBJEXT) \
+	hash.$(OBJEXT) lex.$(OBJEXT) main.$(OBJEXT) parse.$(OBJEXT) \
+	symbol.$(OBJEXT)
 asn1_compile_OBJECTS = $(am_asn1_compile_OBJECTS)
-am__DEPENDENCIES_1 =
 asn1_compile_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1)
-asn1_print_SOURCES = asn1_print.c
-asn1_print_OBJECTS = asn1_print.$(OBJEXT)
+am_asn1_gen_OBJECTS = asn1_gen.$(OBJEXT)
+asn1_gen_OBJECTS = $(am_asn1_gen_OBJECTS)
 am__DEPENDENCIES_2 = libasn1.la $(am__DEPENDENCIES_1)
+asn1_gen_DEPENDENCIES = $(am__DEPENDENCIES_2)
+am_asn1_print_OBJECTS = asn1_print.$(OBJEXT)
+asn1_print_OBJECTS = $(am_asn1_print_OBJECTS)
 asn1_print_DEPENDENCIES = $(am__DEPENDENCIES_2)
 am_check_der_OBJECTS = check-der.$(OBJEXT) check-common.$(OBJEXT)
 check_der_OBJECTS = $(am_check_der_OBJECTS)
 check_der_DEPENDENCIES = libasn1.la $(am__DEPENDENCIES_1)
-am_check_gen_OBJECTS = check-gen.$(OBJEXT) check-common.$(OBJEXT)
-check_gen_OBJECTS = $(am_check_gen_OBJECTS)
+dist_check_gen_OBJECTS = check-gen.$(OBJEXT) check-common.$(OBJEXT)
+am__objects_11 = asn1_TESTAlloc.$(OBJEXT) \
+	asn1_TESTAllocInner.$(OBJEXT) asn1_TESTCONTAINING.$(OBJEXT) \
+	asn1_TESTCONTAININGENCODEDBY.$(OBJEXT) \
+	asn1_TESTCONTAININGENCODEDBY2.$(OBJEXT) \
+	asn1_TESTChoice1.$(OBJEXT) asn1_TESTChoice2.$(OBJEXT) \
+	asn1_TESTDer.$(OBJEXT) asn1_TESTENCODEDBY.$(OBJEXT) \
+	asn1_TESTImplicit.$(OBJEXT) asn1_TESTImplicit2.$(OBJEXT) \
+	asn1_TESTInteger.$(OBJEXT) asn1_TESTInteger2.$(OBJEXT) \
+	asn1_TESTInteger3.$(OBJEXT) asn1_TESTLargeTag.$(OBJEXT) \
+	asn1_TESTSeq.$(OBJEXT) asn1_TESTUSERCONSTRAINED.$(OBJEXT) \
+	asn1_TESTSeqOf.$(OBJEXT) asn1_TESTOSSize1.$(OBJEXT) \
+	asn1_TESTSeqSizeOf1.$(OBJEXT) asn1_TESTSeqSizeOf2.$(OBJEXT) \
+	asn1_TESTSeqSizeOf3.$(OBJEXT) asn1_TESTSeqSizeOf4.$(OBJEXT)
+nodist_check_gen_OBJECTS = $(am__objects_11)
+check_gen_OBJECTS = $(dist_check_gen_OBJECTS) \
+	$(nodist_check_gen_OBJECTS)
 check_gen_DEPENDENCIES = $(am__DEPENDENCIES_2)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+check_timegm_SOURCES = check-timegm.c
+check_timegm_OBJECTS = check-timegm.$(OBJEXT)
+check_timegm_DEPENDENCIES = $(am__DEPENDENCIES_2)
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MAINTAINER_MODE_FALSE@am__skiplex = test -f $@ ||
 LEXCOMPILE = $(LEX) $(LFLAGS) $(AM_LFLAGS)
-LTLEXCOMPILE = $(LIBTOOL) --mode=compile $(LEX) $(LFLAGS) $(AM_LFLAGS)
+LTLEXCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(LEX) $(LFLAGS) $(AM_LFLAGS)
+YLWRAP = $(top_srcdir)/ylwrap
+@MAINTAINER_MODE_FALSE@am__skipyacc = test -f $@ ||
 YACCCOMPILE = $(YACC) $(YFLAGS) $(AM_YFLAGS)
-LTYACCCOMPILE = $(LIBTOOL) --mode=compile $(YACC) $(YFLAGS) \
-	$(AM_YFLAGS)
-SOURCES = $(libasn1_la_SOURCES) $(asn1_compile_SOURCES) asn1_print.c \
-	$(check_der_SOURCES) $(check_gen_SOURCES)
-DIST_SOURCES = $(libasn1_la_SOURCES) $(asn1_compile_SOURCES) \
-	asn1_print.c $(check_der_SOURCES) $(check_gen_SOURCES)
-includeHEADERS_INSTALL = $(INSTALL_HEADER)
-HEADERS = $(include_HEADERS)
+LTYACCCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(YACC) $(YFLAGS) $(AM_YFLAGS)
+SOURCES = $(dist_libasn1_la_SOURCES) $(nodist_libasn1_la_SOURCES) \
+	$(asn1_compile_SOURCES) $(asn1_gen_SOURCES) \
+	$(asn1_print_SOURCES) $(check_der_SOURCES) \
+	$(dist_check_gen_SOURCES) $(nodist_check_gen_SOURCES) \
+	check-timegm.c
+DIST_SOURCES = $(dist_libasn1_la_SOURCES) $(asn1_compile_SOURCES) \
+	$(asn1_gen_SOURCES) $(asn1_print_SOURCES) $(check_der_SOURCES) \
+	$(dist_check_gen_SOURCES) check-timegm.c
+dist_includeHEADERS_INSTALL = $(INSTALL_HEADER)
+nodist_includeHEADERS_INSTALL = $(INSTALL_HEADER)
+HEADERS = $(dist_include_HEADERS) $(nodist_include_HEADERS)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -184,8 +408,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -196,11 +418,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -208,42 +429,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -261,12 +467,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -276,15 +479,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -293,6 +495,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -304,15 +507,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -320,74 +518,79 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = -d -t
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -404,74 +607,454 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
-YFLAGS = -d
 lib_LTLIBRARIES = libasn1.la
-libasn1_la_LDFLAGS = -version-info 6:2:0
-libasn1_la_LIBADD = @LIB_com_err@
+libasn1_la_LDFLAGS = -version-info 8:0:0
+libasn1_la_LIBADD = \
+	@LIB_com_err@ \
+	$(LIBADD_roken)
+
 BUILT_SOURCES = \
-	$(gen_files:.x=.c)	\
-	asn1_err.h		\
+	$(gen_files_rfc2459:.x=.c)	\
+	$(gen_files_cms:.x=.c)		\
+	$(gen_files_k5:.x=.c)		\
+	$(gen_files_pkinit:.x=.c)	\
+	$(gen_files_pkcs8:.x=.c)	\
+	$(gen_files_pkcs9:.x=.c)	\
+	$(gen_files_pkcs12:.x=.c)	\
+	$(gen_files_digest:.x=.c)	\
+	$(gen_files_kx509:.x=.c)	\
+	asn1_err.h			\
 	asn1_err.c
 
-gen_files = \
-	asn1_APOptions.x			\
-	asn1_AP_REP.x				\
-	asn1_AP_REQ.x				\
-	asn1_AS_REP.x				\
-	asn1_AS_REQ.x				\
-	asn1_Authenticator.x			\
-	asn1_AuthorizationData.x		\
-	asn1_CKSUMTYPE.x			\
-	asn1_ChangePasswdDataMS.x		\
-	asn1_Checksum.x				\
-	asn1_ENCTYPE.x				\
-	asn1_ETYPE_INFO.x			\
-	asn1_ETYPE_INFO_ENTRY.x			\
-	asn1_EncAPRepPart.x			\
-	asn1_EncASRepPart.x			\
-	asn1_EncKDCRepPart.x			\
-	asn1_EncKrbCredPart.x			\
-	asn1_EncKrbPrivPart.x			\
-	asn1_EncTGSRepPart.x			\
-	asn1_EncTicketPart.x			\
-	asn1_EncryptedData.x			\
-	asn1_EncryptionKey.x			\
-	asn1_HostAddress.x			\
-	asn1_HostAddresses.x			\
-	asn1_KDCOptions.x			\
-	asn1_KDC_REP.x				\
-	asn1_KDC_REQ.x				\
-	asn1_KDC_REQ_BODY.x			\
-	asn1_KRB_CRED.x				\
-	asn1_KRB_ERROR.x			\
-	asn1_KRB_PRIV.x				\
-	asn1_KRB_SAFE.x				\
-	asn1_KRB_SAFE_BODY.x			\
-	asn1_KerberosTime.x			\
-	asn1_KrbCredInfo.x			\
-	asn1_LastReq.x				\
-	asn1_LR_TYPE.x				\
-	asn1_MESSAGE_TYPE.x			\
-	asn1_METHOD_DATA.x			\
-	asn1_NAME_TYPE.x			\
-	asn1_PADATA_TYPE.x			\
-	asn1_PA_DATA.x				\
-	asn1_PA_ENC_TS_ENC.x			\
-	asn1_Principal.x			\
-	asn1_PrincipalName.x			\
-	asn1_Realm.x				\
-	asn1_TGS_REP.x				\
-	asn1_TGS_REQ.x				\
-	asn1_Ticket.x				\
-	asn1_TicketFlags.x			\
-	asn1_TransitedEncoding.x		\
-	asn1_UNSIGNED.x
-
-TESTS = check-der check-gen
-check_der_SOURCES = check-der.c check-common.c
-check_gen_SOURCES = check-gen.c check-common.c
+gen_files_k5 = \
+	asn1_AD_AND_OR.x				\
+	asn1_AD_IF_RELEVANT.x				\
+	asn1_AD_KDCIssued.x				\
+	asn1_AD_MANDATORY_FOR_KDC.x			\
+	asn1_AD_LoginAlias.x				\
+	asn1_APOptions.x				\
+	asn1_AP_REP.x					\
+	asn1_AP_REQ.x					\
+	asn1_AS_REP.x					\
+	asn1_AS_REQ.x					\
+	asn1_AUTHDATA_TYPE.x				\
+	asn1_Authenticator.x				\
+	asn1_AuthorizationData.x			\
+	asn1_AuthorizationDataElement.x			\
+	asn1_CKSUMTYPE.x				\
+	asn1_ChangePasswdDataMS.x			\
+	asn1_Checksum.x					\
+	asn1_ENCTYPE.x					\
+	asn1_ETYPE_INFO.x				\
+	asn1_ETYPE_INFO2.x				\
+	asn1_ETYPE_INFO2_ENTRY.x			\
+	asn1_ETYPE_INFO_ENTRY.x				\
+	asn1_EncAPRepPart.x				\
+	asn1_EncASRepPart.x				\
+	asn1_EncKDCRepPart.x				\
+	asn1_EncKrbCredPart.x				\
+	asn1_EncKrbPrivPart.x				\
+	asn1_EncTGSRepPart.x				\
+	asn1_EncTicketPart.x				\
+	asn1_EncryptedData.x				\
+	asn1_EncryptionKey.x				\
+	asn1_EtypeList.x				\
+	asn1_HostAddress.x				\
+	asn1_HostAddresses.x				\
+	asn1_KDCOptions.x				\
+	asn1_KDC_REP.x					\
+	asn1_KDC_REQ.x					\
+	asn1_KDC_REQ_BODY.x				\
+	asn1_KRB_CRED.x					\
+	asn1_KRB_ERROR.x				\
+	asn1_KRB_PRIV.x					\
+	asn1_KRB_SAFE.x					\
+	asn1_KRB_SAFE_BODY.x				\
+	asn1_KerberosString.x				\
+	asn1_KerberosTime.x				\
+	asn1_KrbCredInfo.x				\
+	asn1_LR_TYPE.x					\
+	asn1_LastReq.x					\
+	asn1_MESSAGE_TYPE.x				\
+	asn1_METHOD_DATA.x				\
+	asn1_NAME_TYPE.x				\
+	asn1_PADATA_TYPE.x				\
+	asn1_PA_DATA.x					\
+	asn1_PA_ENC_SAM_RESPONSE_ENC.x         		\
+	asn1_PA_ENC_TS_ENC.x				\
+	asn1_PA_PAC_REQUEST.x				\
+	asn1_PA_S4U2Self.x				\
+	asn1_PA_SAM_CHALLENGE_2.x               	\
+	asn1_PA_SAM_CHALLENGE_2_BODY.x 			\
+	asn1_PA_SAM_REDIRECT.x				\
+	asn1_PA_SAM_RESPONSE_2.x			\
+	asn1_PA_SAM_TYPE.x				\
+	asn1_PA_ClientCanonicalized.x			\
+	asn1_PA_ClientCanonicalizedNames.x		\
+	asn1_PA_SvrReferralData.x			\
+	asn1_PROV_SRV_LOCATION.x			\
+	asn1_Principal.x				\
+	asn1_PrincipalName.x				\
+	asn1_Realm.x					\
+	asn1_SAMFlags.x					\
+	asn1_TGS_REP.x					\
+	asn1_TGS_REQ.x					\
+	asn1_TYPED_DATA.x				\
+	asn1_Ticket.x					\
+	asn1_TicketFlags.x				\
+	asn1_TransitedEncoding.x			\
+	asn1_TypedData.x				\
+	asn1_krb5int32.x				\
+	asn1_krb5uint32.x				\
+	asn1_KRB5SignedPathData.x			\
+	asn1_KRB5SignedPathPrincipals.x			\
+	asn1_KRB5SignedPath.x
+
+gen_files_cms = \
+	asn1_CMSAttributes.x				\
+	asn1_CMSCBCParameter.x				\
+	asn1_CMSEncryptedData.x				\
+	asn1_CMSIdentifier.x				\
+	asn1_CMSRC2CBCParameter.x			\
+	asn1_CMSVersion.x				\
+	asn1_CertificateList.x				\
+	asn1_CertificateRevocationLists.x		\
+	asn1_CertificateSet.x				\
+	asn1_ContentEncryptionAlgorithmIdentifier.x	\
+	asn1_ContentInfo.x				\
+	asn1_ContentType.x				\
+	asn1_DigestAlgorithmIdentifier.x		\
+	asn1_DigestAlgorithmIdentifiers.x		\
+	asn1_EncapsulatedContentInfo.x			\
+	asn1_EncryptedContent.x				\
+	asn1_EncryptedContentInfo.x			\
+	asn1_EncryptedKey.x				\
+	asn1_EnvelopedData.x				\
+	asn1_IssuerAndSerialNumber.x			\
+	asn1_KeyEncryptionAlgorithmIdentifier.x		\
+	asn1_KeyTransRecipientInfo.x			\
+	asn1_MessageDigest.x				\
+	asn1_OriginatorInfo.x				\
+	asn1_RecipientIdentifier.x			\
+	asn1_RecipientInfo.x				\
+	asn1_RecipientInfos.x				\
+	asn1_SignatureAlgorithmIdentifier.x		\
+	asn1_SignatureValue.x				\
+	asn1_SignedData.x				\
+	asn1_SignerIdentifier.x				\
+	asn1_SignerInfo.x				\
+	asn1_SignerInfos.x				\
+	asn1_id_pkcs7.x					\
+	asn1_id_pkcs7_data.x				\
+	asn1_id_pkcs7_digestedData.x			\
+	asn1_id_pkcs7_encryptedData.x			\
+	asn1_id_pkcs7_envelopedData.x			\
+	asn1_id_pkcs7_signedAndEnvelopedData.x		\
+	asn1_id_pkcs7_signedData.x			\
+	asn1_UnprotectedAttributes.x
+
+gen_files_rfc2459 = \
+	asn1_Version.x					\
+	asn1_id_pkcs_1.x				\
+	asn1_id_pkcs1_rsaEncryption.x			\
+	asn1_id_pkcs1_md2WithRSAEncryption.x		\
+	asn1_id_pkcs1_md5WithRSAEncryption.x		\
+	asn1_id_pkcs1_sha1WithRSAEncryption.x		\
+	asn1_id_pkcs1_sha256WithRSAEncryption.x		\
+	asn1_id_pkcs1_sha384WithRSAEncryption.x		\
+	asn1_id_pkcs1_sha512WithRSAEncryption.x		\
+	asn1_id_heim_rsa_pkcs1_x509.x			\
+	asn1_id_pkcs_2.x				\
+	asn1_id_pkcs2_md2.x				\
+	asn1_id_pkcs2_md4.x				\
+	asn1_id_pkcs2_md5.x				\
+	asn1_id_rsa_digestAlgorithm.x			\
+	asn1_id_rsa_digest_md2.x			\
+	asn1_id_rsa_digest_md4.x			\
+	asn1_id_rsa_digest_md5.x			\
+	asn1_id_pkcs_3.x				\
+	asn1_id_pkcs3_rc2_cbc.x				\
+	asn1_id_pkcs3_rc4.x				\
+	asn1_id_pkcs3_des_ede3_cbc.x			\
+	asn1_id_rsadsi_encalg.x				\
+	asn1_id_rsadsi_rc2_cbc.x			\
+	asn1_id_rsadsi_des_ede3_cbc.x			\
+	asn1_id_secsig_sha_1.x				\
+	asn1_id_nistAlgorithm.x				\
+	asn1_id_nist_aes_algs.x				\
+	asn1_id_aes_128_cbc.x				\
+	asn1_id_aes_192_cbc.x				\
+	asn1_id_aes_256_cbc.x				\
+	asn1_id_nist_sha_algs.x				\
+	asn1_id_sha256.x				\
+	asn1_id_sha224.x				\
+	asn1_id_sha384.x				\
+	asn1_id_sha512.x				\
+	asn1_id_dhpublicnumber.x			\
+	asn1_id_x9_57.x					\
+	asn1_id_dsa.x					\
+	asn1_id_dsa_with_sha1.x				\
+	asn1_id_x520_at.x				\
+	asn1_id_at_commonName.x				\
+	asn1_id_at_surname.x				\
+	asn1_id_at_serialNumber.x			\
+	asn1_id_at_countryName.x			\
+	asn1_id_at_localityName.x			\
+	asn1_id_at_streetAddress.x			\
+	asn1_id_at_stateOrProvinceName.x		\
+	asn1_id_at_organizationName.x			\
+	asn1_id_at_organizationalUnitName.x		\
+	asn1_id_at_name.x				\
+	asn1_id_at_givenName.x				\
+	asn1_id_at_initials.x				\
+	asn1_id_at_generationQualifier.x		\
+	asn1_id_at_pseudonym.x				\
+	asn1_id_Userid.x				\
+	asn1_id_domainComponent.x			\
+	asn1_id_x509_ce.x				\
+	asn1_id_uspkicommon_card_id.x			\
+	asn1_id_uspkicommon_piv_interim.x		\
+	asn1_id_netscape.x				\
+	asn1_id_netscape_cert_comment.x			\
+	asn1_id_ms_cert_enroll_domaincontroller.x	\
+	asn1_id_ms_client_authentication.x		\
+	asn1_AlgorithmIdentifier.x			\
+	asn1_AttributeType.x				\
+	asn1_AttributeValue.x				\
+	asn1_TeletexStringx.x				\
+	asn1_DirectoryString.x				\
+	asn1_Attribute.x				\
+	asn1_AttributeTypeAndValue.x			\
+	asn1_AuthorityInfoAccessSyntax.x		\
+	asn1_AccessDescription.x			\
+	asn1_RelativeDistinguishedName.x		\
+	asn1_RDNSequence.x				\
+	asn1_Name.x					\
+	asn1_CertificateSerialNumber.x			\
+	asn1_Time.x					\
+	asn1_Validity.x					\
+	asn1_UniqueIdentifier.x				\
+	asn1_SubjectPublicKeyInfo.x			\
+	asn1_Extension.x				\
+	asn1_Extensions.x				\
+	asn1_TBSCertificate.x				\
+	asn1_Certificate.x				\
+	asn1_Certificates.x				\
+	asn1_ValidationParms.x				\
+	asn1_DomainParameters.x				\
+	asn1_DHPublicKey.x				\
+	asn1_OtherName.x				\
+	asn1_GeneralName.x				\
+	asn1_GeneralNames.x				\
+	asn1_id_x509_ce_keyUsage.x			\
+	asn1_KeyUsage.x					\
+	asn1_id_x509_ce_authorityKeyIdentifier.x	\
+	asn1_KeyIdentifier.x				\
+	asn1_AuthorityKeyIdentifier.x			\
+	asn1_id_x509_ce_subjectKeyIdentifier.x		\
+	asn1_SubjectKeyIdentifier.x			\
+	asn1_id_x509_ce_basicConstraints.x		\
+	asn1_BasicConstraints.x				\
+	asn1_id_x509_ce_nameConstraints.x		\
+	asn1_BaseDistance.x				\
+	asn1_GeneralSubtree.x				\
+	asn1_GeneralSubtrees.x				\
+	asn1_NameConstraints.x				\
+	asn1_id_x509_ce_privateKeyUsagePeriod.x		\
+	asn1_id_x509_ce_certificatePolicies.x		\
+	asn1_id_x509_ce_policyMappings.x		\
+	asn1_id_x509_ce_subjectAltName.x		\
+	asn1_id_x509_ce_issuerAltName.x			\
+	asn1_id_x509_ce_subjectDirectoryAttributes.x	\
+	asn1_id_x509_ce_policyConstraints.x		\
+	asn1_id_x509_ce_extKeyUsage.x			\
+	asn1_ExtKeyUsage.x				\
+	asn1_id_x509_ce_cRLDistributionPoints.x		\
+	asn1_id_x509_ce_deltaCRLIndicator.x		\
+	asn1_id_x509_ce_issuingDistributionPoint.x	\
+	asn1_id_x509_ce_holdInstructionCode.x		\
+	asn1_id_x509_ce_invalidityDate.x		\
+	asn1_id_x509_ce_certificateIssuer.x		\
+	asn1_id_x509_ce_inhibitAnyPolicy.x		\
+	asn1_DistributionPointReasonFlags.x		\
+	asn1_DistributionPointName.x			\
+	asn1_DistributionPoint.x			\
+	asn1_CRLDistributionPoints.x			\
+	asn1_DSASigValue.x				\
+	asn1_DSAPublicKey.x				\
+	asn1_DSAParams.x				\
+	asn1_RSAPublicKey.x				\
+	asn1_RSAPrivateKey.x				\
+	asn1_DigestInfo.x				\
+	asn1_TBSCRLCertList.x				\
+	asn1_CRLCertificateList.x			\
+	asn1_id_x509_ce_cRLNumber.x			\
+	asn1_id_x509_ce_freshestCRL.x			\
+	asn1_id_x509_ce_cRLReason.x			\
+	asn1_CRLReason.x				\
+	asn1_PKIXXmppAddr.x				\
+	asn1_id_pkix.x					\
+	asn1_id_pkix_on.x				\
+	asn1_id_pkix_on_dnsSRV.x			\
+	asn1_id_pkix_on_xmppAddr.x			\
+	asn1_id_pkix_kp.x				\
+	asn1_id_pkix_kp_serverAuth.x			\
+	asn1_id_pkix_kp_clientAuth.x			\
+	asn1_id_pkix_kp_emailProtection.x		\
+	asn1_id_pkix_kp_timeStamping.x			\
+	asn1_id_pkix_kp_OCSPSigning.x			\
+	asn1_id_pkix_pe.x				\
+	asn1_id_pkix_pe_authorityInfoAccess.x		\
+	asn1_id_pkix_pe_proxyCertInfo.x			\
+	asn1_id_pkix_ppl.x				\
+	asn1_id_pkix_ppl_anyLanguage.x			\
+	asn1_id_pkix_ppl_inheritAll.x			\
+	asn1_id_pkix_ppl_independent.x			\
+	asn1_ProxyPolicy.x				\
+	asn1_ProxyCertInfo.x 
+
+gen_files_pkinit = \
+	asn1_id_pkinit.x				\
+	asn1_id_pkauthdata.x				\
+	asn1_id_pkdhkeydata.x				\
+	asn1_id_pkrkeydata.x				\
+	asn1_id_pkekuoid.x				\
+	asn1_id_pkkdcekuoid.x				\
+	asn1_id_pkinit_san.x				\
+	asn1_id_pkinit_ms_eku.x				\
+	asn1_id_pkinit_ms_san.x				\
+	asn1_MS_UPN_SAN.x				\
+	asn1_DHNonce.x					\
+	asn1_KDFAlgorithmId.x				\
+	asn1_TrustedCA.x				\
+	asn1_ExternalPrincipalIdentifier.x		\
+	asn1_ExternalPrincipalIdentifiers.x		\
+	asn1_PA_PK_AS_REQ.x				\
+	asn1_PKAuthenticator.x				\
+	asn1_AuthPack.x					\
+	asn1_TD_TRUSTED_CERTIFIERS.x			\
+	asn1_TD_INVALID_CERTIFICATES.x			\
+	asn1_KRB5PrincipalName.x			\
+	asn1_AD_INITIAL_VERIFIED_CAS.x			\
+	asn1_DHRepInfo.x				\
+	asn1_PA_PK_AS_REP.x				\
+	asn1_KDCDHKeyInfo.x				\
+	asn1_ReplyKeyPack.x				\
+	asn1_TD_DH_PARAMETERS.x				\
+	asn1_PKAuthenticator_Win2k.x			\
+	asn1_AuthPack_Win2k.x				\
+	asn1_TrustedCA_Win2k.x				\
+	asn1_PA_PK_AS_REQ_Win2k.x			\
+	asn1_PA_PK_AS_REP_Win2k.x			\
+	asn1_KDCDHKeyInfo_Win2k.x			\
+	asn1_ReplyKeyPack_Win2k.x			\
+	asn1_PkinitSuppPubInfo.x 
+
+gen_files_pkcs12 = \
+	asn1_id_pkcs_12.x				\
+	asn1_id_pkcs_12PbeIds.x				\
+	asn1_id_pbeWithSHAAnd128BitRC4.x		\
+	asn1_id_pbeWithSHAAnd40BitRC4.x			\
+	asn1_id_pbeWithSHAAnd3_KeyTripleDES_CBC.x	\
+	asn1_id_pbeWithSHAAnd2_KeyTripleDES_CBC.x	\
+	asn1_id_pbeWithSHAAnd128BitRC2_CBC.x		\
+	asn1_id_pbewithSHAAnd40BitRC2_CBC.x		\
+	asn1_id_pkcs12_bagtypes.x			\
+	asn1_id_pkcs12_keyBag.x				\
+	asn1_id_pkcs12_pkcs8ShroudedKeyBag.x		\
+	asn1_id_pkcs12_certBag.x			\
+	asn1_id_pkcs12_crlBag.x				\
+	asn1_id_pkcs12_secretBag.x			\
+	asn1_id_pkcs12_safeContentsBag.x		\
+	asn1_PKCS12_MacData.x				\
+	asn1_PKCS12_PFX.x				\
+	asn1_PKCS12_AuthenticatedSafe.x			\
+	asn1_PKCS12_CertBag.x				\
+	asn1_PKCS12_Attribute.x				\
+	asn1_PKCS12_Attributes.x			\
+	asn1_PKCS12_SafeBag.x				\
+	asn1_PKCS12_SafeContents.x			\
+	asn1_PKCS12_OctetString.x			\
+	asn1_PKCS12_PBEParams.x
+
+gen_files_pkcs8 = \
+	asn1_PKCS8PrivateKeyAlgorithmIdentifier.x	\
+	asn1_PKCS8PrivateKey.x				\
+	asn1_PKCS8PrivateKeyInfo.x			\
+	asn1_PKCS8Attributes.x				\
+	asn1_PKCS8EncryptedPrivateKeyInfo.x		\
+	asn1_PKCS8EncryptedData.x
+
+gen_files_pkcs9 = \
+	asn1_id_pkcs_9.x				\
+	asn1_id_pkcs9_contentType.x			\
+	asn1_id_pkcs9_emailAddress.x			\
+	asn1_id_pkcs9_messageDigest.x			\
+	asn1_id_pkcs9_signingTime.x			\
+	asn1_id_pkcs9_countersignature.x		\
+	asn1_id_pkcs_9_at_friendlyName.x		\
+	asn1_id_pkcs_9_at_localKeyId.x			\
+	asn1_id_pkcs_9_at_certTypes.x			\
+	asn1_id_pkcs_9_at_certTypes_x509.x		\
+	asn1_PKCS9_BMPString.x				\
+	asn1_PKCS9_friendlyName.x
+
+gen_files_test = \
+	asn1_TESTAlloc.x				\
+	asn1_TESTAllocInner.x				\
+	asn1_TESTCONTAINING.x				\
+	asn1_TESTCONTAININGENCODEDBY.x			\
+	asn1_TESTCONTAININGENCODEDBY2.x			\
+	asn1_TESTChoice1.x				\
+	asn1_TESTChoice2.x				\
+	asn1_TESTDer.x					\
+	asn1_TESTENCODEDBY.x				\
+	asn1_TESTImplicit.x				\
+	asn1_TESTImplicit2.x				\
+	asn1_TESTInteger.x				\
+	asn1_TESTInteger2.x				\
+	asn1_TESTInteger3.x				\
+	asn1_TESTLargeTag.x				\
+	asn1_TESTSeq.x					\
+	asn1_TESTUSERCONSTRAINED.x			\
+	asn1_TESTSeqOf.x				\
+	asn1_TESTOSSize1.x				\
+	asn1_TESTSeqSizeOf1.x				\
+	asn1_TESTSeqSizeOf2.x				\
+	asn1_TESTSeqSizeOf3.x				\
+	asn1_TESTSeqSizeOf4.x
+
+gen_files_digest = \
+	asn1_DigestError.x				\
+	asn1_DigestInit.x				\
+	asn1_DigestInitReply.x				\
+	asn1_DigestREP.x				\
+	asn1_DigestREQ.x				\
+	asn1_DigestRepInner.x				\
+	asn1_DigestReqInner.x				\
+	asn1_DigestRequest.x				\
+	asn1_DigestResponse.x				\
+	asn1_DigestTypes.x				\
+	asn1_NTLMInit.x					\
+	asn1_NTLMInitReply.x				\
+	asn1_NTLMRequest.x				\
+	asn1_NTLMResponse.x
+
+gen_files_kx509 = \
+	asn1_Kx509Response.x				\
+	asn1_Kx509Request.x
+
+asn1_gen_SOURCES = asn1_gen.c
+asn1_print_SOURCES = asn1_print.c
+check_der_SOURCES = check-der.c check-common.c check-common.h
+dist_check_gen_SOURCES = check-gen.c check-common.c check-common.h
+nodist_check_gen_SOURCES = $(gen_files_test:.x=.c)
 asn1_compile_SOURCES = \
+	asn1-common.h				\
+	asn1_queue.h				\
+	der.h					\
 	gen.c					\
 	gen_copy.c				\
 	gen_decode.c				\
@@ -479,21 +1062,34 @@ asn1_compile_SOURCES = \
 	gen_free.c				\
 	gen_glue.c				\
 	gen_length.c				\
+	gen_locl.h				\
+	gen_seq.c				\
 	hash.c					\
+	hash.h					\
 	lex.l					\
+	lex.h					\
 	main.c					\
 	parse.y					\
-	symbol.c
-
-libasn1_la_SOURCES = \
+	symbol.c				\
+	symbol.h
+
+dist_libasn1_la_SOURCES = \
+	der-protos.h 				\
+	der_locl.h 				\
+	der.c					\
+	der.h					\
 	der_get.c				\
 	der_put.c				\
 	der_free.c				\
 	der_length.c				\
 	der_copy.c				\
-	timegm.c				\
-	$(BUILT_SOURCES)
+	der_cmp.c				\
+	der_format.c				\
+	heim_asn1.h				\
+	extra.c					\
+	timegm.c
 
+nodist_libasn1_la_SOURCES = $(BUILT_SOURCES)
 asn1_compile_LDADD = \
 	$(LIB_roken) $(LEXLIB)
 
@@ -503,16 +1099,56 @@ check_der_LDADD = \
 
 check_gen_LDADD = $(check_der_LDADD)
 asn1_print_LDADD = $(check_der_LDADD)
-CLEANFILES = lex.c parse.c parse.h krb5_asn1.h $(BUILT_SOURCES) \
-	$(gen_files) asn1_files
+asn1_gen_LDADD = $(check_der_LDADD)
+check_timegm_LDADD = $(check_der_LDADD)
+CLEANFILES = \
+	$(BUILT_SOURCES) \
+	$(gen_files_rfc2459) \
+	$(gen_files_cms) \
+	$(gen_files_k5) \
+	$(gen_files_pkinit) \
+	$(gen_files_pkcs8) \
+	$(gen_files_pkcs9) \
+	$(gen_files_pkcs12) \
+	$(gen_files_digest) \
+	$(gen_files_kx509) \
+	$(gen_files_test) $(nodist_check_gen_SOURCES) \
+	rfc2459_asn1_files rfc2459_asn1.h \
+	cms_asn1_files cms_asn1.h \
+	krb5_asn1_files krb5_asn1.h \
+	pkinit_asn1_files pkinit_asn1.h \
+	pkcs8_asn1_files pkcs8_asn1.h \
+	pkcs9_asn1_files pkcs9_asn1.h \
+	pkcs12_asn1_files pkcs12_asn1.h \
+	digest_asn1_files digest_asn1.h \
+	kx509_asn1_files kx509_asn1.h \
+	test_asn1_files test_asn1.h
+
+dist_include_HEADERS = der.h heim_asn1.h der-protos.h
+nodist_include_HEADERS = asn1_err.h krb5_asn1.h pkinit_asn1.h \
+	cms_asn1.h rfc2459_asn1.h pkcs8_asn1.h pkcs9_asn1.h \
+	pkcs12_asn1.h digest_asn1.h kx509_asn1.h
+EXTRA_DIST = \
+	asn1_err.et	\
+	canthandle.asn1	\
+	CMS.asn1	\
+	digest.asn1	\
+	k5.asn1		\
+	kx509.asn1	\
+	test.asn1	\
+	setchgpw2.asn1	\
+	pkcs12.asn1	\
+	pkcs8.asn1	\
+	pkcs9.asn1	\
+	pkinit.asn1	\
+	rfc2459.asn1	\
+	test.gen
 
-include_HEADERS = krb5_asn1.h asn1_err.h der.h
-EXTRA_DIST = asn1_err.et
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .l .lo .o .obj .y
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .l .lo .o .obj .y
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -544,10 +1180,10 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)"
+	test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    f="`echo $$p | sed -e 's|^.*/||'`"; \
+	    f=$(am__strip_dir) \
 	    echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \
 	    $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \
 	  else :; fi; \
@@ -556,7 +1192,7 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 uninstall-libLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
-	    p="`echo $$p | sed -e 's|^.*/||'`"; \
+	  p=$(am__strip_dir) \
 	  echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \
 	  $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \
 	done
@@ -565,12 +1201,12 @@ clean-libLTLIBRARIES:
 	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" = "$$p" && dir=.; \
+	  test "$$dir" != "$$p" || dir=.; \
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
 libasn1.la: $(libasn1_la_OBJECTS) $(libasn1_la_DEPENDENCIES) 
-	$(LINK) -rpath $(libdir) $(libasn1_la_LDFLAGS) $(libasn1_la_OBJECTS) $(libasn1_la_LIBADD) $(LIBS)
+	$(libasn1_la_LINK) -rpath $(libdir) $(libasn1_la_OBJECTS) $(libasn1_la_LIBADD) $(LIBS)
 
 clean-checkPROGRAMS:
 	@list='$(check_PROGRAMS)'; for p in $$list; do \
@@ -585,23 +1221,24 @@ clean-noinstPROGRAMS:
 	  echo " rm -f $$p $$f"; \
 	  rm -f $$p $$f ; \
 	done
-parse.h: parse.c
-	@if test ! -f $@; then \
-	  rm -f parse.c; \
-	  $(MAKE) parse.c; \
-	else :; fi
 asn1_compile$(EXEEXT): $(asn1_compile_OBJECTS) $(asn1_compile_DEPENDENCIES) 
 	@rm -f asn1_compile$(EXEEXT)
-	$(LINK) $(asn1_compile_LDFLAGS) $(asn1_compile_OBJECTS) $(asn1_compile_LDADD) $(LIBS)
+	$(LINK) $(asn1_compile_OBJECTS) $(asn1_compile_LDADD) $(LIBS)
+asn1_gen$(EXEEXT): $(asn1_gen_OBJECTS) $(asn1_gen_DEPENDENCIES) 
+	@rm -f asn1_gen$(EXEEXT)
+	$(LINK) $(asn1_gen_OBJECTS) $(asn1_gen_LDADD) $(LIBS)
 asn1_print$(EXEEXT): $(asn1_print_OBJECTS) $(asn1_print_DEPENDENCIES) 
 	@rm -f asn1_print$(EXEEXT)
-	$(LINK) $(asn1_print_LDFLAGS) $(asn1_print_OBJECTS) $(asn1_print_LDADD) $(LIBS)
+	$(LINK) $(asn1_print_OBJECTS) $(asn1_print_LDADD) $(LIBS)
 check-der$(EXEEXT): $(check_der_OBJECTS) $(check_der_DEPENDENCIES) 
 	@rm -f check-der$(EXEEXT)
-	$(LINK) $(check_der_LDFLAGS) $(check_der_OBJECTS) $(check_der_LDADD) $(LIBS)
+	$(LINK) $(check_der_OBJECTS) $(check_der_LDADD) $(LIBS)
 check-gen$(EXEEXT): $(check_gen_OBJECTS) $(check_gen_DEPENDENCIES) 
 	@rm -f check-gen$(EXEEXT)
-	$(LINK) $(check_gen_LDFLAGS) $(check_gen_OBJECTS) $(check_gen_LDADD) $(LIBS)
+	$(LINK) $(check_gen_OBJECTS) $(check_gen_LDADD) $(LIBS)
+check-timegm$(EXEEXT): $(check_timegm_OBJECTS) $(check_timegm_DEPENDENCIES) 
+	@rm -f check-timegm$(EXEEXT)
+	$(LINK) $(check_timegm_OBJECTS) $(check_timegm_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -619,53 +1256,47 @@ distclean-compile:
 	$(LTCOMPILE) -c -o $@ $<
 
 .l.c:
-	$(LEXCOMPILE) $<
-	sed '/^#/ s|$(LEX_OUTPUT_ROOT)\.c|$@|' $(LEX_OUTPUT_ROOT).c >$@
-	rm -f $(LEX_OUTPUT_ROOT).c
+	$(am__skiplex) $(SHELL) $(YLWRAP) $< $(LEX_OUTPUT_ROOT).c $@ -- $(LEXCOMPILE)
 
 .y.c:
-	$(YACCCOMPILE) $<
-	if test -f y.tab.h; then \
-	  to=`echo "$*_H" | sed \
-                -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/' \
-                -e 's/[^ABCDEFGHIJKLMNOPQRSTUVWXYZ]/_/g'`; \
-	  sed "/^#/ s/Y_TAB_H/$$to/g" y.tab.h >$*.ht; \
-	  rm -f y.tab.h; \
-	  if cmp -s $*.ht $*.h; then \
-	    rm -f $*.ht ;\
-	  else \
-	    mv $*.ht $*.h; \
-	  fi; \
-	fi
-	if test -f y.output; then \
-	  mv y.output $*.output; \
-	fi
-	sed '/^#/ s|y\.tab\.c|$@|' y.tab.c >$@t && mv $@t $@
-	rm -f y.tab.c
+	$(am__skipyacc) $(SHELL) $(YLWRAP) $< y.tab.c $@ y.tab.h $*.h y.output $*.output -- $(YACCCOMPILE)
 
 mostlyclean-libtool:
 	-rm -f *.lo
 
 clean-libtool:
 	-rm -rf .libs _libs
+install-dist_includeHEADERS: $(dist_include_HEADERS)
+	@$(NORMAL_INSTALL)
+	test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
+	@list='$(dist_include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  f=$(am__strip_dir) \
+	  echo " $(dist_includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
+	  $(dist_includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
+	done
 
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
-install-includeHEADERS: $(include_HEADERS)
+uninstall-dist_includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(dist_include_HEADERS)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
+	  echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(includedir)/$$f"; \
+	done
+install-nodist_includeHEADERS: $(nodist_include_HEADERS)
 	@$(NORMAL_INSTALL)
-	test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)"
-	@list='$(include_HEADERS)'; for p in $$list; do \
+	test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
+	@list='$(nodist_include_HEADERS)'; for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
-	  echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
-	  $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
+	  f=$(am__strip_dir) \
+	  echo " $(nodist_includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
+	  $(nodist_includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
 	done
 
-uninstall-includeHEADERS:
+uninstall-nodist_includeHEADERS:
 	@$(NORMAL_UNINSTALL)
-	@list='$(include_HEADERS)'; for p in $$list; do \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	@list='$(nodist_include_HEADERS)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
 	  echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \
 	  rm -f "$(DESTDIR)$(includedir)/$$f"; \
 	done
@@ -690,9 +1321,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -717,9 +1350,9 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 check-TESTS: $(TESTS)
-	@failed=0; all=0; xfail=0; xpass=0; skip=0; \
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[	 ]'; \
 	srcdir=$(srcdir); export srcdir; \
-	list='$(TESTS)'; \
+	list=' $(TESTS) '; \
 	if test -n "$$list"; then \
 	  for tst in $$list; do \
 	    if test -f ./$$tst; then dir=./; \
@@ -728,7 +1361,7 @@ check-TESTS: $(TESTS)
 	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
 	      all=`expr $$all + 1`; \
 	      case " $(XFAIL_TESTS) " in \
-	      *" $$tst "*) \
+	      *$$ws$$tst$$ws*) \
 		xpass=`expr $$xpass + 1`; \
 		failed=`expr $$failed + 1`; \
 		echo "XPASS: $$tst"; \
@@ -740,7 +1373,7 @@ check-TESTS: $(TESTS)
 	    elif test $$? -ne 77; then \
 	      all=`expr $$all + 1`; \
 	      case " $(XFAIL_TESTS) " in \
-	      *" $$tst "*) \
+	      *$$ws$$tst$$ws*) \
 		xfail=`expr $$xfail + 1`; \
 		echo "XFAIL: $$tst"; \
 	      ;; \
@@ -771,42 +1404,40 @@ check-TESTS: $(TESTS)
 	  skipped=""; \
 	  if test "$$skip" -ne 0; then \
 	    skipped="($$skip tests were not run)"; \
-	    test `echo "$$skipped" | wc -c` -gt `echo "$$banner" | wc -c` && \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
 	      dashes="$$skipped"; \
 	  fi; \
 	  report=""; \
 	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
 	    report="Please report to $(PACKAGE_BUGREPORT)"; \
-	    test `echo "$$report" | wc -c` -gt `echo "$$banner" | wc -c` && \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
 	      dashes="$$report"; \
 	  fi; \
 	  dashes=`echo "$$dashes" | sed s/./=/g`; \
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
-	  test -n "$$skipped" && echo "$$skipped"; \
-	  test -n "$$report" && echo "$$report"; \
+	  test -z "$$skipped" || echo "$$skipped"; \
+	  test -z "$$report" || echo "$$report"; \
 	  echo "$$dashes"; \
 	  test "$$failed" -eq 0; \
 	else :; fi
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../.. $(distdir)/../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -827,8 +1458,8 @@ check: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) check-am
 all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local
 installdirs:
-	for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(includedir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) install-am
@@ -851,15 +1482,15 @@ clean-generic:
 	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
-	-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
-	-rm -f parse.h
 	-rm -f lex.c
 	-rm -f parse.c
+	-rm -f parse.h
+	-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
 clean: clean-am
 
 clean-am: clean-checkPROGRAMS clean-generic clean-libLTLIBRARIES \
@@ -868,7 +1499,7 @@ clean-am: clean-checkPROGRAMS clean-generic clean-libLTLIBRARIES \
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -880,18 +1511,27 @@ info: info-am
 
 info-am:
 
-install-data-am: install-includeHEADERS
+install-data-am: install-dist_includeHEADERS \
+	install-nodist_includeHEADERS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-libLTLIBRARIES
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man:
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -911,23 +1551,32 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-includeHEADERS uninstall-info-am \
-	uninstall-libLTLIBRARIES
+uninstall-am: uninstall-dist_includeHEADERS uninstall-libLTLIBRARIES \
+	uninstall-nodist_includeHEADERS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
 
 .PHONY: CTAGS GTAGS all all-am all-local check check-TESTS check-am \
 	check-local clean clean-checkPROGRAMS clean-generic \
 	clean-libLTLIBRARIES clean-libtool clean-noinstPROGRAMS ctags \
-	distclean distclean-compile distclean-generic \
+	dist-hook distclean distclean-compile distclean-generic \
 	distclean-libtool distclean-tags distdir dvi dvi-am html \
 	html-am info info-am install install-am install-data \
-	install-data-am install-exec install-exec-am \
-	install-includeHEADERS install-info install-info-am \
-	install-libLTLIBRARIES install-man install-strip installcheck \
+	install-data-am install-data-hook install-dist_includeHEADERS \
+	install-dvi install-dvi-am install-exec install-exec-am \
+	install-exec-hook install-html install-html-am install-info \
+	install-info-am install-libLTLIBRARIES install-man \
+	install-nodist_includeHEADERS install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
 	installcheck-am installdirs maintainer-clean \
 	maintainer-clean-generic mostlyclean mostlyclean-compile \
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-includeHEADERS \
-	uninstall-info-am uninstall-libLTLIBRARIES
+	tags uninstall uninstall-am uninstall-dist_includeHEADERS \
+	uninstall-hook uninstall-libLTLIBRARIES \
+	uninstall-nodist_includeHEADERS
 
 
 install-suid-programs:
@@ -942,8 +1591,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -953,19 +1602,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -981,7 +1642,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -1051,25 +1712,90 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
 
-$(asn1_compile_OBJECTS): parse.h parse.c
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
+$(asn1_compile_OBJECTS): parse.h parse.c $(srcdir)/der-protos.h
+$(libasn1_la_OBJECTS): krb5_asn1.h asn1_err.h $(srcdir)/der-protos.h
+$(check_gen_OBJECTS): test_asn1.h
+$(asn1_print_OBJECTS): krb5_asn1.h
+
+parse.h: parse.c
 
-$(gen_files) krb5_asn1.h: asn1_files
+$(gen_files_k5) krb5_asn1.h: krb5_asn1_files
+$(gen_files_pkinit) pkinit_asn1.h: pkinit_asn1_files
+$(gen_files_pkcs8) pkcs8_asn1.h: pkcs8_asn1_files
+$(gen_files_pkcs9) pkcs9_asn1.h: pkcs9_asn1_files
+$(gen_files_pkcs12) pkcs12_asn1.h: pkcs12_asn1_files
+$(gen_files_digest) digest_asn1.h: digest_asn1_files
+$(gen_files_kx509) kx509_asn1.h: kx509_asn1_files
+$(gen_files_rfc2459) rfc2459_asn1.h: rfc2459_asn1_files
+$(gen_files_cms) cms_asn1.h: cms_asn1_files
+$(gen_files_test) test_asn1.h: test_asn1_files
 
-asn1_files: asn1_compile$(EXEEXT) $(srcdir)/k5.asn1
-	./asn1_compile$(EXEEXT) $(srcdir)/k5.asn1 krb5_asn1
+rfc2459_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/rfc2459.asn1
+	./asn1_compile$(EXEEXT) --preserve-binary=TBSCertificate --preserve-binary=TBSCRLCertList --preserve-binary=Name --sequence=GeneralNames --sequence=Extensions --sequence=CRLDistributionPoints $(srcdir)/rfc2459.asn1 rfc2459_asn1 || (rm -f rfc2459_asn1_files ; exit 1)
 
-$(libasn1_la_OBJECTS): krb5_asn1.h asn1_err.h
+cms_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/CMS.asn1
+	./asn1_compile$(EXEEXT) $(srcdir)/CMS.asn1 cms_asn1 || (rm -f cms_asn1_files ; exit 1)
 
-$(asn1_print_OBJECTS): krb5_asn1.h
+krb5_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/k5.asn1
+	./asn1_compile$(EXEEXT) --encode-rfc1510-bit-string --sequence=KRB5SignedPathPrincipals --sequence=AuthorizationData --sequence=METHOD-DATA --sequence=ETYPE-INFO --sequence=ETYPE-INFO2 $(srcdir)/k5.asn1 krb5_asn1 || (rm -f krb5_asn1_files ; exit 1)
+
+pkinit_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/pkinit.asn1
+	./asn1_compile$(EXEEXT) $(srcdir)/pkinit.asn1 pkinit_asn1 || (rm -f pkinit_asn1_files ; exit 1)
+
+pkcs8_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/pkcs8.asn1
+	./asn1_compile$(EXEEXT) $(srcdir)/pkcs8.asn1 pkcs8_asn1 || (rm -f pkcs8_asn1_files ; exit 1)
+
+pkcs9_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/pkcs9.asn1
+	./asn1_compile$(EXEEXT) $(srcdir)/pkcs9.asn1 pkcs9_asn1 || (rm -f pkcs9_asn1_files ; exit 1)
+
+pkcs12_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/pkcs12.asn1
+	./asn1_compile$(EXEEXT) $(srcdir)/pkcs12.asn1 pkcs12_asn1 || (rm -f pkcs12_asn1_files ; exit 1)
+
+digest_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/digest.asn1
+	./asn1_compile$(EXEEXT) $(srcdir)/digest.asn1 digest_asn1 || (rm -f digest_asn1_files ; exit 1)
+
+kx509_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/kx509.asn1
+	./asn1_compile$(EXEEXT) $(srcdir)/kx509.asn1 kx509_asn1 || (rm -f kx509_asn1_files ; exit 1)
+
+test_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/test.asn1
+	./asn1_compile$(EXEEXT) --sequence=TESTSeqOf $(srcdir)/test.asn1 test_asn1 || (rm -f test_asn1_files ; exit 1)
+
+$(srcdir)/der-protos.h:
+	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -o der-protos.h $(dist_libasn1_la_SOURCES) || rm -f der-protos.h
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/lib/asn1/asn1-common.h b/crypto/heimdal/lib/asn1/asn1-common.h
index 251d401..5789e0f 100644
--- a/crypto/heimdal/lib/asn1/asn1-common.h
+++ b/crypto/heimdal/lib/asn1/asn1-common.h
@@ -1,4 +1,4 @@
-/* $Id: asn1-common.h,v 1.2 2001/09/25 13:39:25 assar Exp $ */
+/* $Id: asn1-common.h 22429 2008-01-13 10:25:50Z lha $ */
 
 #include <stddef.h>
 #include <time.h>
@@ -6,16 +6,61 @@
 #ifndef __asn1_common_definitions__
 #define __asn1_common_definitions__
 
-typedef struct octet_string {
+typedef struct heim_integer {
     size_t length;
     void *data;
-} octet_string;
+    int negative;
+} heim_integer;
 
-typedef char *general_string;
+typedef struct heim_octet_string {
+    size_t length;
+    void *data;
+} heim_octet_string;
 
-typedef struct oid {
+typedef char *heim_general_string;
+typedef char *heim_utf8_string;
+typedef char *heim_printable_string;
+typedef char *heim_ia5_string;
+
+typedef struct heim_bmp_string {
+    size_t length;
+    uint16_t *data;
+} heim_bmp_string;
+
+typedef struct heim_universal_string {
+    size_t length;
+    uint32_t *data;
+} heim_universal_string;
+
+typedef char *heim_visible_string;
+
+typedef struct heim_oid {
     size_t length;
     unsigned *components;
-} oid;
+} heim_oid;
+
+typedef struct heim_bit_string {
+    size_t length;
+    void *data;
+} heim_bit_string;
+
+typedef struct heim_octet_string heim_any;
+typedef struct heim_octet_string heim_any_set;
+
+#define ASN1_MALLOC_ENCODE(T, B, BL, S, L, R)                  \
+  do {                                                         \
+    (BL) = length_##T((S));                                    \
+    (B) = malloc((BL));                                        \
+    if((B) == NULL) {                                          \
+      (R) = ENOMEM;                                            \
+    } else {                                                   \
+      (R) = encode_##T(((unsigned char*)(B)) + (BL) - 1, (BL), \
+                       (S), (L));                              \
+      if((R) != 0) {                                           \
+        free((B));                                             \
+        (B) = NULL;                                            \
+      }                                                        \
+    }                                                          \
+  } while (0)
 
 #endif
diff --git a/crypto/heimdal/lib/asn1/asn1_err.et b/crypto/heimdal/lib/asn1/asn1_err.et
index 8f1f272..c624e21 100644
--- a/crypto/heimdal/lib/asn1/asn1_err.et
+++ b/crypto/heimdal/lib/asn1/asn1_err.et
@@ -3,7 +3,7 @@
 #
 # This might look like a com_err file, but is not
 #
-id "$Id: asn1_err.et,v 1.5 1998/02/16 16:17:17 joda Exp $"
+id "$Id: asn1_err.et 21394 2007-07-02 10:14:43Z lha $"
 
 error_table asn1
 prefix ASN1
@@ -17,4 +17,9 @@ error_code BAD_ID,		"ASN.1 identifier doesn't match expected value"
 error_code BAD_LENGTH,		"ASN.1 length doesn't match expected value"
 error_code BAD_FORMAT,		"ASN.1 badly-formatted encoding"
 error_code PARSE_ERROR,		"ASN.1 parse error"
+error_code EXTRA_DATA,		"ASN.1 extra data past end of end structure"
+error_code BAD_CHARACTER,	"ASN.1 invalid character in string"
+error_code MIN_CONSTRAINT,	"ASN.1 too few elements"
+error_code MAX_CONSTRAINT,	"ASN.1 too many elements"
+error_code EXACT_CONSTRAINT,	"ASN.1 wrong number of elements"
 end
diff --git a/crypto/heimdal/lib/asn1/asn1_gen.c b/crypto/heimdal/lib/asn1/asn1_gen.c
new file mode 100644
index 0000000..65b382e
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/asn1_gen.c
@@ -0,0 +1,187 @@
+/*
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "der_locl.h"
+#include <com_err.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <ctype.h>
+#include <getarg.h>
+#include <hex.h>
+#include <err.h>
+
+RCSID("$Id: asn1_gen.c 16666 2006-01-30 15:06:03Z lha $");
+
+static int
+doit(const char *fn)
+{
+    char buf[2048];
+    char *fnout;
+    const char *bname;
+    unsigned long line = 0;
+    FILE *f, *fout;
+    size_t offset = 0;
+
+    f = fopen(fn, "r");
+    if (f == NULL)
+	err(1, "fopen");
+
+    bname = strrchr(fn, '/');
+    if (bname)
+	bname++;
+    else
+	bname = fn;
+
+    asprintf(&fnout, "%s.out", bname);
+    if (fnout == NULL)
+	errx(1, "malloc");
+
+    fout = fopen(fnout, "w");
+    if (fout == NULL)
+	err(1, "fopen: output file");
+
+    while (fgets(buf, sizeof(buf), f) != NULL) {
+	char *ptr, *class, *type, *tag, *length, *data, *foo;
+	int ret, l, c, ty, ta;
+	unsigned char p[6], *pdata;
+	size_t sz;
+
+	line++;
+
+	buf[strcspn(buf, "\r\n")] = '\0';
+	if (buf[0] == '#' || buf[0] == '\0')
+	    continue;
+
+	ptr = buf;
+	while (isspace((unsigned char)*ptr))
+	       ptr++;
+
+	class = strtok_r(ptr, " \t\n", &foo);
+	if (class == NULL) errx(1, "class missing on line %lu", line);
+	type = strtok_r(NULL, " \t\n", &foo);
+	if (type == NULL) errx(1, "type missing on line %lu", line);
+	tag = strtok_r(NULL, " \t\n", &foo);
+	if (tag == NULL) errx(1, "tag missing on line %lu", line);
+	length = strtok_r(NULL, " \t\n", &foo);
+	if (length == NULL) errx(1, "length missing on line %lu", line);
+	data = strtok_r(NULL, " \t\n", &foo);
+
+	c = der_get_class_num(class);
+	if (c == -1) errx(1, "no valid class on line %lu", line);
+	ty = der_get_type_num(type);
+	if (ty == -1) errx(1, "no valid type on line %lu", line);
+	ta = der_get_tag_num(tag);
+	if (ta == -1)
+	    ta = atoi(tag);
+
+	l = atoi(length);
+
+	printf("line: %3lu offset: %3lu class: %d type: %d "
+	       "tag: %3d length: %3d %s\n", 
+	       line, (unsigned long)offset, c, ty, ta, l, 
+	       data ? "<have data>" : "<no data>");
+
+	ret = der_put_length_and_tag(p + sizeof(p) - 1, sizeof(p),
+				     l,
+				     c,
+				     ty,
+				     ta,
+				     &sz);
+	if (ret)
+	    errx(1, "der_put_length_and_tag: %d", ret);
+	
+	if (fwrite(p + sizeof(p) - sz , sz, 1, fout) != 1)
+	    err(1, "fwrite length/tag failed");
+	offset += sz;
+	
+	if (data) {
+	    size_t datalen;
+	    
+	    datalen = strlen(data) / 2;
+	    pdata = emalloc(sz);
+	    
+	    if (hex_decode(data, pdata, datalen) != datalen)
+		errx(1, "failed to decode data");
+	    
+	    if (fwrite(pdata, datalen, 1, fout) != 1)
+		err(1, "fwrite data failed");
+	    offset += datalen;
+	    
+	    free(pdata);
+	}
+    }
+    printf("line: eof offset: %lu\n", (unsigned long)offset);
+    
+    fclose(fout);
+    fclose(f);
+    return 0;
+}
+
+
+static int version_flag;
+static int help_flag;
+struct getargs args[] = {
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int code)
+{
+    arg_printusage(args, num_args, NULL, "parse-file");
+    exit(code);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optidx = 0;
+
+    setprogname (argv[0]);
+
+    if(getarg(args, num_args, argc, argv, &optidx))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    argv += optidx;
+    argc -= optidx;
+    if (argc != 1)
+	usage (1);
+
+    return doit (argv[0]);
+}
diff --git a/crypto/heimdal/lib/asn1/asn1_print.c b/crypto/heimdal/lib/asn1/asn1_print.c
index d3199e8..e00bf10 100644
--- a/crypto/heimdal/lib/asn1/asn1_print.c
+++ b/crypto/heimdal/lib/asn1/asn1_print.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -37,63 +37,30 @@
 #include <sys/stat.h>
 #include <getarg.h>
 #include <err.h>
+#include <der.h>
 
-RCSID("$Id: asn1_print.c,v 1.11 2002/08/29 20:45:35 assar Exp $");
+RCSID("$Id: asn1_print.c 19539 2006-12-28 17:15:05Z lha $");
 
-const char *class_names[] = {
-    "UNIV",			/* 0 */
-    "APPL",			/* 1 */
-    "CONTEXT",			/* 2 */
-    "PRIVATE"			/* 3 */
-};
-
-const char *type_names[] = {
-    "PRIM",			/* 0 */
-    "CONS"			/* 1 */
-};
+static int indent_flag = 1;
 
-const char *tag_names[] = {
-    NULL,			/* 0 */
-    NULL,			/* 1 */
-    "Integer",			/* 2 */
-    "BitString",		/* 3 */
-    "OctetString",		/* 4 */
-    "Null",			/* 5 */
-    "ObjectID",			/* 6 */
-    NULL,			/* 7 */
-    NULL,			/* 8 */
-    NULL,			/* 9 */
-    NULL,			/* 10 */
-    NULL,			/* 11 */
-    NULL,			/* 12 */
-    NULL,			/* 13 */
-    NULL,			/* 14 */
-    NULL,			/* 15 */
-    "Sequence",			/* 16 */
-    "Set",			/* 17 */
-    NULL,			/* 18 */
-    "PrintableString",		/* 19 */
-    NULL,			/* 20 */
-    NULL,			/* 21 */
-    "IA5String",		/* 22 */
-    "UTCTime",			/* 23 */
-    "GeneralizedTime",		/* 24 */
-    NULL,			/* 25 */
-    "VisibleString",		/* 26 */
-    "GeneralString"		/* 27 */
-};
+static unsigned long indefinite_form_loop;
+static unsigned long indefinite_form_loop_max = 10000;
 
-static int
+static size_t
 loop (unsigned char *buf, size_t len, int indent)
 {
+    unsigned char *start_buf = buf;
+
     while (len > 0) {
 	int ret;
 	Der_class class;
 	Der_type type;
-	int tag;
+	unsigned int tag;
 	size_t sz;
 	size_t length;
-	int i;
+	size_t loop_length = 0;
+	int end_tag = 0;
+	const char *tagname;
 
 	ret = der_get_tag (buf, len, &class, &type, &tag, &sz);
 	if (ret)
@@ -103,42 +70,101 @@ loop (unsigned char *buf, size_t len, int indent)
 		  (unsigned)sz, (unsigned)len);
 	buf += sz;
 	len -= sz;
-	for (i = 0; i < indent; ++i)
-	    printf (" ");
-	printf ("%s %s ", class_names[class], type_names[type]);
-	if (tag_names[tag])
-	    printf ("%s = ", tag_names[tag]);
+	if (indent_flag) {
+	    int i;
+	    for (i = 0; i < indent; ++i)
+		printf (" ");
+	}
+	printf ("%s %s ", der_get_class_name(class), der_get_type_name(type));
+	tagname = der_get_tag_name(tag);
+	if (class == ASN1_C_UNIV && tagname != NULL)
+	    printf ("%s = ", tagname);
 	else
 	    printf ("tag %d = ", tag);
 	ret = der_get_length (buf, len, &length, &sz);
 	if (ret)
 	    errx (1, "der_get_tag: %s", error_message (ret));
+	if (sz > len)
+	    errx (1, "unreasonable tag length (%u) > %u",
+		  (unsigned)sz, (unsigned)len);
 	buf += sz;
 	len -= sz;
-
-	if (class == CONTEXT) {
-	    printf ("[%d]\n", tag);
-	    loop (buf, length, indent);
-	} else if (class == UNIV) {
+	if (length == ASN1_INDEFINITE) {
+	    if ((class == ASN1_C_UNIV && type == PRIM && tag == UT_OctetString) ||
+		(class == ASN1_C_CONTEXT && type == CONS) ||
+		(class == ASN1_C_UNIV && type == CONS && tag == UT_Sequence) ||
+		(class == ASN1_C_UNIV && type == CONS && tag == UT_Set)) {
+		printf("*INDEFINITE FORM*");
+	    } else {
+		fflush(stdout);
+		errx(1, "indef form used on unsupported object");
+	    }
+	    end_tag = 1;
+	    if (indefinite_form_loop > indefinite_form_loop_max)
+		errx(1, "indefinite form used recursively more then %lu "
+		     "times, aborting", indefinite_form_loop_max);
+	    indefinite_form_loop++;
+	    length = len;
+	} else if (length > len) {
+	    printf("\n");
+	    fflush(stdout);
+	    errx (1, "unreasonable inner length (%u) > %u",
+		  (unsigned)length, (unsigned)len);
+	}
+	if (class == ASN1_C_CONTEXT || class == ASN1_C_APPL) {
+	    printf ("%lu bytes [%u]", (unsigned long)length, tag);
+	    if (type == CONS) {
+		printf("\n");
+		loop_length = loop (buf, length, indent + 2);
+	    } else {
+		printf(" IMPLICIT content\n");
+	    }
+	} else if (class == ASN1_C_UNIV) {
 	    switch (tag) {
+	    case UT_EndOfContent:
+		printf (" INDEFINITE length was %lu\n",
+			(unsigned long)(buf - start_buf));
+		break;
+	    case UT_Set :
 	    case UT_Sequence :
-		printf ("{\n");
-		loop (buf, length, indent + 2);
-		for (i = 0; i < indent; ++i)
-		    printf (" ");
-		printf ("}\n");
+		printf ("%lu bytes {\n", (unsigned long)length);
+		loop_length = loop (buf, length, indent + 2);
+		if (indent_flag) {
+		    int i;
+		    for (i = 0; i < indent; ++i)
+			printf (" ");
+		    printf ("}\n");
+		} else
+		    printf ("} indent = %d\n", indent / 2);
 		break;
 	    case UT_Integer : {
 		int val;
 
-		ret = der_get_int (buf, length, &val, NULL);
-		if (ret)
-		    errx (1, "der_get_int: %s", error_message (ret));
-		printf ("integer %d\n", val);
+		if (length <= sizeof(val)) {
+		    ret = der_get_integer (buf, length, &val, NULL);
+		    if (ret)
+			errx (1, "der_get_integer: %s", error_message (ret));
+		    printf ("integer %d\n", val);
+		} else {
+		    heim_integer vali;
+		    char *p;
+
+		    ret = der_get_heim_integer(buf, length, &vali, NULL);
+		    if (ret)
+			errx (1, "der_get_heim_integer: %s", 
+			      error_message (ret));
+		    ret = der_print_hex_heim_integer(&vali, &p);
+		    if (ret)
+			errx (1, "der_print_hex_heim_integer: %s", 
+			      error_message (ret));
+		    printf ("BIG NUM integer: length %lu %s\n", 
+			    (unsigned long)length, p);
+		    free(p);
+		}
 		break;
 	    }
 	    case UT_OctetString : {
-		octet_string str;
+		heim_octet_string str;
 		int i;
 		unsigned char *uc;
 
@@ -147,15 +173,17 @@ loop (unsigned char *buf, size_t len, int indent)
 		    errx (1, "der_get_octet_string: %s", error_message (ret));
 		printf ("(length %lu), ", (unsigned long)length);
 		uc = (unsigned char *)str.data;
-		for (i = 0; i < 16; ++i)
+		for (i = 0; i < min(16,length); ++i)
 		    printf ("%02x", uc[i]);
 		printf ("\n");
 		free (str.data);
 		break;
 	    }
 	    case UT_GeneralizedTime :
-	    case UT_GeneralString : {
-		general_string str;
+	    case UT_GeneralString :
+	    case UT_PrintableString :
+	    case UT_VisibleString : {
+		heim_general_string str;
 
 		ret = der_get_general_string (buf, length, &str, NULL);
 		if (ret)
@@ -166,18 +194,29 @@ loop (unsigned char *buf, size_t len, int indent)
 		break;
 	    }
 	    case UT_OID: {
-		oid o;
-		int i;
+		heim_oid o;
+		char *p;
 
 		ret = der_get_oid(buf, length, &o, NULL);
 		if (ret)
 		    errx (1, "der_get_oid: %s", error_message (ret));
+		ret = der_print_heim_oid(&o, '.', &p);
+		der_free_oid(&o);
+		if (ret)
+		    errx (1, "der_print_heim_oid: %s", error_message (ret));
+		printf("%s\n", p);
+		free(p);
+
+		break;
+	    }
+	    case UT_Enumerated: {
+		int num;
+
+		ret = der_get_integer (buf, length, &num, NULL);
+		if (ret)
+		    errx (1, "der_get_enum: %s", error_message (ret));
 		
-		for (i = 0; i < o.length ; i++)
-		    printf("%d%s", o.components[i],
-			   i < o.length - 1 ? "." : "");
-		printf("\n");
-		free_oid(&o);
+		printf("%u\n", num);
 		break;
 	    }
 	    default :
@@ -185,6 +224,17 @@ loop (unsigned char *buf, size_t len, int indent)
 		break;
 	    }
 	}
+	if (end_tag) {
+	    if (loop_length == 0)
+		errx(1, "zero length INDEFINITE data ? indent = %d\n", 
+		     indent / 2);
+	    if (loop_length < length)
+		length = loop_length;
+	    if (indefinite_form_loop == 0)
+		errx(1, "internal error in indefinite form loop detection");
+	    indefinite_form_loop--;
+	} else if (loop_length)
+	    errx(1, "internal error for INDEFINITE form");
 	buf += length;
 	len -= length;
     }
@@ -205,21 +255,20 @@ doit (const char *filename)
     if (fstat (fd, &sb) < 0)
 	err (1, "stat %s", filename);
     len = sb.st_size;
-    buf = malloc (len);
-    if (buf == NULL)
-	err (1, "malloc %u", (unsigned)len);
+    buf = emalloc (len);
     if (read (fd, buf, len) != len)
 	errx (1, "read failed");
     close (fd);
     ret = loop (buf, len, 0);
     free (buf);
-    return ret;
+    return 0;
 }
 
 
 static int version_flag;
 static int help_flag;
 struct getargs args[] = {
+    { "indent", 0, arg_negative_flag, &indent_flag },
     { "version", 0, arg_flag, &version_flag },
     { "help", 0, arg_flag, &help_flag }
 };
@@ -235,11 +284,11 @@ usage(int code)
 int
 main(int argc, char **argv)
 {
-    int optind = 0;
+    int optidx = 0;
 
     setprogname (argv[0]);
     initialize_asn1_error_table ();
-    if(getarg(args, num_args, argc, argv, &optind))
+    if(getarg(args, num_args, argc, argv, &optidx))
 	usage(1);
     if(help_flag)
 	usage(0);
@@ -247,8 +296,8 @@ main(int argc, char **argv)
 	print_version(NULL);
 	exit(0);
     }
-    argv += optind;
-    argc -= optind;
+    argv += optidx;
+    argc -= optidx;
     if (argc != 1)
 	usage (1);
     return doit (argv[0]);
diff --git a/crypto/heimdal/lib/asn1/asn1_queue.h b/crypto/heimdal/lib/asn1/asn1_queue.h
new file mode 100644
index 0000000..3659b38
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/asn1_queue.h
@@ -0,0 +1,167 @@
+/*	$NetBSD: queue.h,v 1.38 2004/04/18 14:12:05 lukem Exp $	*/
+/*	$Id: asn1_queue.h 15617 2005-07-12 06:27:42Z lha $ */
+
+/*
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)queue.h	8.5 (Berkeley) 8/20/94
+ */
+
+#ifndef	_ASN1_QUEUE_H_
+#define	_ASN1_QUEUE_H_
+
+/*
+ * Tail queue definitions.
+ */
+#define	ASN1_TAILQ_HEAD(name, type)					\
+struct name {								\
+	struct type *tqh_first;	/* first element */			\
+	struct type **tqh_last;	/* addr of last next element */		\
+}
+
+#define	ASN1_TAILQ_HEAD_INITIALIZER(head)				\
+	{ NULL, &(head).tqh_first }
+#define	ASN1_TAILQ_ENTRY(type)						\
+struct {								\
+	struct type *tqe_next;	/* next element */			\
+	struct type **tqe_prev;	/* address of previous next element */	\
+}
+
+/*
+ * Tail queue functions.
+ */
+#if defined(_KERNEL) && defined(QUEUEDEBUG)
+#define	QUEUEDEBUG_ASN1_TAILQ_INSERT_HEAD(head, elm, field)		\
+	if ((head)->tqh_first &&					\
+	    (head)->tqh_first->field.tqe_prev != &(head)->tqh_first)	\
+		panic("ASN1_TAILQ_INSERT_HEAD %p %s:%d", (head), __FILE__, __LINE__);
+#define	QUEUEDEBUG_ASN1_TAILQ_INSERT_TAIL(head, elm, field)		\
+	if (*(head)->tqh_last != NULL)					\
+		panic("ASN1_TAILQ_INSERT_TAIL %p %s:%d", (head), __FILE__, __LINE__);
+#define	QUEUEDEBUG_ASN1_TAILQ_OP(elm, field)				\
+	if ((elm)->field.tqe_next &&					\
+	    (elm)->field.tqe_next->field.tqe_prev !=			\
+	    &(elm)->field.tqe_next)					\
+		panic("ASN1_TAILQ_* forw %p %s:%d", (elm), __FILE__, __LINE__);\
+	if (*(elm)->field.tqe_prev != (elm))				\
+		panic("ASN1_TAILQ_* back %p %s:%d", (elm), __FILE__, __LINE__);
+#define	QUEUEDEBUG_ASN1_TAILQ_PREREMOVE(head, elm, field)		\
+	if ((elm)->field.tqe_next == NULL &&				\
+	    (head)->tqh_last != &(elm)->field.tqe_next)			\
+		panic("ASN1_TAILQ_PREREMOVE head %p elm %p %s:%d",	\
+		      (head), (elm), __FILE__, __LINE__);
+#define	QUEUEDEBUG_ASN1_TAILQ_POSTREMOVE(elm, field)			\
+	(elm)->field.tqe_next = (void *)1L;				\
+	(elm)->field.tqe_prev = (void *)1L;
+#else
+#define	QUEUEDEBUG_ASN1_TAILQ_INSERT_HEAD(head, elm, field)
+#define	QUEUEDEBUG_ASN1_TAILQ_INSERT_TAIL(head, elm, field)
+#define	QUEUEDEBUG_ASN1_TAILQ_OP(elm, field)
+#define	QUEUEDEBUG_ASN1_TAILQ_PREREMOVE(head, elm, field)
+#define	QUEUEDEBUG_ASN1_TAILQ_POSTREMOVE(elm, field)
+#endif
+
+#define	ASN1_TAILQ_INIT(head) do {					\
+	(head)->tqh_first = NULL;					\
+	(head)->tqh_last = &(head)->tqh_first;				\
+} while (/*CONSTCOND*/0)
+
+#define	ASN1_TAILQ_INSERT_HEAD(head, elm, field) do {			\
+	QUEUEDEBUG_ASN1_TAILQ_INSERT_HEAD((head), (elm), field)		\
+	if (((elm)->field.tqe_next = (head)->tqh_first) != NULL)	\
+		(head)->tqh_first->field.tqe_prev =			\
+		    &(elm)->field.tqe_next;				\
+	else								\
+		(head)->tqh_last = &(elm)->field.tqe_next;		\
+	(head)->tqh_first = (elm);					\
+	(elm)->field.tqe_prev = &(head)->tqh_first;			\
+} while (/*CONSTCOND*/0)
+
+#define	ASN1_TAILQ_INSERT_TAIL(head, elm, field) do {			\
+	QUEUEDEBUG_ASN1_TAILQ_INSERT_TAIL((head), (elm), field)		\
+	(elm)->field.tqe_next = NULL;					\
+	(elm)->field.tqe_prev = (head)->tqh_last;			\
+	*(head)->tqh_last = (elm);					\
+	(head)->tqh_last = &(elm)->field.tqe_next;			\
+} while (/*CONSTCOND*/0)
+
+#define	ASN1_TAILQ_INSERT_AFTER(head, listelm, elm, field) do {		\
+	QUEUEDEBUG_ASN1_TAILQ_OP((listelm), field)			\
+	if (((elm)->field.tqe_next = (listelm)->field.tqe_next) != NULL)\
+		(elm)->field.tqe_next->field.tqe_prev = 		\
+		    &(elm)->field.tqe_next;				\
+	else								\
+		(head)->tqh_last = &(elm)->field.tqe_next;		\
+	(listelm)->field.tqe_next = (elm);				\
+	(elm)->field.tqe_prev = &(listelm)->field.tqe_next;		\
+} while (/*CONSTCOND*/0)
+
+#define	ASN1_TAILQ_INSERT_BEFORE(listelm, elm, field) do {		\
+	QUEUEDEBUG_ASN1_TAILQ_OP((listelm), field)			\
+	(elm)->field.tqe_prev = (listelm)->field.tqe_prev;		\
+	(elm)->field.tqe_next = (listelm);				\
+	*(listelm)->field.tqe_prev = (elm);				\
+	(listelm)->field.tqe_prev = &(elm)->field.tqe_next;		\
+} while (/*CONSTCOND*/0)
+
+#define	ASN1_TAILQ_REMOVE(head, elm, field) do {			\
+	QUEUEDEBUG_ASN1_TAILQ_PREREMOVE((head), (elm), field)		\
+	QUEUEDEBUG_ASN1_TAILQ_OP((elm), field)				\
+	if (((elm)->field.tqe_next) != NULL)				\
+		(elm)->field.tqe_next->field.tqe_prev = 		\
+		    (elm)->field.tqe_prev;				\
+	else								\
+		(head)->tqh_last = (elm)->field.tqe_prev;		\
+	*(elm)->field.tqe_prev = (elm)->field.tqe_next;			\
+	QUEUEDEBUG_ASN1_TAILQ_POSTREMOVE((elm), field);			\
+} while (/*CONSTCOND*/0)
+
+#define	ASN1_TAILQ_FOREACH(var, head, field)				\
+	for ((var) = ((head)->tqh_first);				\
+		(var);							\
+		(var) = ((var)->field.tqe_next))
+
+#define	ASN1_TAILQ_FOREACH_REVERSE(var, head, headname, field)		\
+	for ((var) = (*(((struct headname *)((head)->tqh_last))->tqh_last)); \
+		(var);							\
+		(var) = (*(((struct headname *)((var)->field.tqe_prev))->tqh_last)))
+
+/*
+ * Tail queue access methods.
+ */
+#define	ASN1_TAILQ_EMPTY(head)		((head)->tqh_first == NULL)
+#define	ASN1_TAILQ_FIRST(head)		((head)->tqh_first)
+#define	ASN1_TAILQ_NEXT(elm, field)		((elm)->field.tqe_next)
+
+#define	ASN1_TAILQ_LAST(head, headname) \
+	(*(((struct headname *)((head)->tqh_last))->tqh_last))
+#define	ASN1_TAILQ_PREV(elm, headname, field) \
+	(*(((struct headname *)((elm)->field.tqe_prev))->tqh_last))
+
+
+#endif	/* !_ASN1_QUEUE_H_ */
diff --git a/crypto/heimdal/lib/asn1/canthandle.asn1 b/crypto/heimdal/lib/asn1/canthandle.asn1
new file mode 100644
index 0000000..5ba3e38
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/canthandle.asn1
@@ -0,0 +1,34 @@
+-- $Id: canthandle.asn1 22071 2007-11-14 20:04:50Z lha $ --
+
+CANTHANDLE DEFINITIONS ::= BEGIN
+
+-- Code the tag [1] but not the [ CONTEXT CONS UT_Sequence ] for Kaka2
+-- Workaround: use inline the structure directly
+-- Code the tag [2] but it should be primitive since KAKA3 is
+-- Workaround: use the INTEGER type directly
+
+Kaka2  ::= SEQUENCE { 
+        kaka2-1 [0] INTEGER
+}
+
+Kaka3  ::= INTEGER
+
+Foo ::= SEQUENCE {
+        kaka1 [0] IMPLICIT INTEGER OPTIONAL,
+        kaka2 [1] IMPLICIT Kaka2 OPTIONAL,
+        kaka3 [2] IMPLICIT Kaka3 OPTIONAL
+}
+
+-- Don't code kaka if it's 1
+-- Workaround is to use OPTIONAL and check for in the encoder stubs
+
+Bar ::= SEQUENCE {
+        kaka [0] INTEGER DEFAULT 1
+}
+
+--  Can't handle primitives in SET OF
+--  Workaround is to define a type that is only an integer and use that
+
+Baz ::= SET OF INTEGER
+
+END
diff --git a/crypto/heimdal/lib/asn1/check-common.c b/crypto/heimdal/lib/asn1/check-common.c
index 20a41ad..adf95f6 100644
--- a/crypto/heimdal/lib/asn1/check-common.c
+++ b/crypto/heimdal/lib/asn1/check-common.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999 - 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -34,6 +34,9 @@
 #ifdef HAVE_CONFIG_H
 #include <config.h>
 #endif
+#ifdef HAVE_SYS_MMAN_H
+#include <sys/mman.h>
+#endif
 #include <stdio.h>
 #include <string.h>
 #include <err.h>
@@ -41,7 +44,116 @@
 
 #include "check-common.h"
 
-RCSID("$Id: check-common.c,v 1.1 2003/01/23 10:21:36 lha Exp $");
+RCSID("$Id: check-common.c 18751 2006-10-21 14:49:13Z lha $");
+
+struct map_page {
+    void *start;
+    size_t size;
+    void *data_start;
+    size_t data_size;
+    enum map_type type;
+};
+
+/* #undef HAVE_MMAP */
+
+void *
+map_alloc(enum map_type type, const void *buf, 
+	  size_t size, struct map_page **map)
+{
+#ifndef HAVE_MMAP
+    unsigned char *p;
+    size_t len = size + sizeof(long) * 2;
+    int i;
+    
+    *map = ecalloc(1, sizeof(**map));
+
+    p = emalloc(len);
+    (*map)->type = type;
+    (*map)->start = p;
+    (*map)->size = len;
+    (*map)->data_start = p + sizeof(long);
+    for (i = sizeof(long); i > 0; i--)
+	p[sizeof(long) - i] = 0xff - i;
+    for (i = sizeof(long); i > 0; i--)
+	p[len - i] = 0xff - i;
+#else
+    unsigned char *p;
+    int flags, ret, fd;
+    size_t pagesize = getpagesize();
+
+    *map = ecalloc(1, sizeof(**map));
+
+    (*map)->type = type;
+
+#ifdef MAP_ANON
+    flags = MAP_ANON;
+    fd = -1;
+#else
+    flags = 0;
+    fd = open ("/dev/zero", O_RDONLY);
+    if(fd < 0)
+	err (1, "open /dev/zero");
+#endif
+    flags |= MAP_PRIVATE;
+
+    (*map)->size = size + pagesize - (size % pagesize) + pagesize * 2;
+
+    p = (unsigned char *)mmap(0, (*map)->size, PROT_READ | PROT_WRITE,
+			      flags, fd, 0);
+    if (p == (unsigned char *)MAP_FAILED)
+	err (1, "mmap");
+
+    (*map)->start = p;
+
+    ret = mprotect (p, pagesize, 0);
+    if (ret < 0)
+	err (1, "mprotect");
+
+    ret = mprotect (p + (*map)->size - pagesize, pagesize, 0);
+    if (ret < 0)
+	err (1, "mprotect");
+
+    switch (type) {
+    case OVERRUN:
+	(*map)->data_start = p + (*map)->size - pagesize - size;
+	break;
+    case UNDERRUN:
+	(*map)->data_start = p + pagesize;
+	break;
+   default:
+	abort();
+    }
+#endif
+    (*map)->data_size = size;
+    if (buf)
+	memcpy((*map)->data_start, buf, size);
+    return (*map)->data_start;
+}
+
+void
+map_free(struct map_page *map, const char *test_name, const char *map_name)
+{
+#ifndef HAVE_MMAP
+    unsigned char *p = map->start;
+    int i;
+    
+    for (i = sizeof(long); i > 0; i--)
+	if (p[sizeof(long) - i] != 0xff - i)
+	    errx(1, "%s: %s underrun %d\n", test_name, map_name, i);
+    for (i = sizeof(long); i > 0; i--)
+	if (p[map->size - i] != 0xff - i)
+	    errx(1, "%s: %s overrun %lu\n", test_name, map_name, 
+		 (unsigned long)map->size - i);
+    free(map->start);
+#else
+    int ret;
+    
+    ret = munmap (map->start, map->size);
+    if (ret < 0)
+	err (1, "munmap");
+#endif
+    free(map);
+}
 
 static void
 print_bytes (unsigned const char *buf, size_t len)
@@ -52,6 +164,31 @@ print_bytes (unsigned const char *buf, size_t len)
 	printf ("%02x ", buf[i]);
 }
 
+#ifndef MAP_FAILED
+#define MAP_FAILED (-1)
+#endif
+
+static char *current_test = "<uninit>";
+static char *current_state = "<uninit>";
+
+static RETSIGTYPE
+segv_handler(int sig)
+{
+    int fd;
+    char msg[] = "SIGSEGV i current test: ";
+    
+    fd = open("/dev/stdout", O_WRONLY, 0600);
+    if (fd >= 0) {
+	write(fd, msg, sizeof(msg));
+	write(fd, current_test, strlen(current_test));
+	write(fd, " ", 1);
+	write(fd, current_state, strlen(current_state));
+	write(fd, "\n", 1);
+	close(fd);
+    }
+    _exit(1);
+}
+
 int
 generic_test (const struct test_case *tests,
 	      unsigned ntests,
@@ -59,67 +196,181 @@ generic_test (const struct test_case *tests,
 	      int (*encode)(unsigned char *, size_t, void *, size_t *),
 	      int (*length)(void *),
 	      int (*decode)(unsigned char *, size_t, void *, size_t *),
+	      int (*free_data)(void *),
 	      int (*cmp)(void *a, void *b))
 {
-    unsigned char buf[4711];
+    unsigned char *buf, *buf2;
     int i;
     int failures = 0;
-    void *val = malloc (data_size);
+    void *data;
+    struct map_page *data_map, *buf_map, *buf2_map;
 
-    if (data_size != 0 && val == NULL)
-	err (1, "malloc");
+    struct sigaction sa, osa;
 
     for (i = 0; i < ntests; ++i) {
 	int ret;
-	size_t sz, consumed_sz, length_sz;
-	unsigned char *beg;
+	size_t sz, consumed_sz, length_sz, buf_sz;
+
+	current_test = tests[i].name;
 
-	ret = (*encode) (buf + sizeof(buf) - 1, sizeof(buf),
+	current_state = "init";
+
+	sigemptyset (&sa.sa_mask);
+	sa.sa_flags = 0;
+#ifdef SA_RESETHAND
+	sa.sa_flags |= SA_RESETHAND;
+#endif
+	sa.sa_handler = segv_handler;
+	sigaction (SIGSEGV, &sa, &osa);
+
+	data = map_alloc(OVERRUN, NULL, data_size, &data_map);
+
+	buf_sz = tests[i].byte_len;
+	buf = map_alloc(UNDERRUN, NULL, buf_sz, &buf_map);
+
+	current_state = "encode";
+	ret = (*encode) (buf + buf_sz - 1, buf_sz,
 			 tests[i].val, &sz);
-	beg = buf + sizeof(buf) - sz;
 	if (ret != 0) {
-	    printf ("encoding of %s failed\n", tests[i].name);
+	    printf ("encoding of %s failed %d\n", tests[i].name, ret);
 	    ++failures;
+	    continue;
 	}
 	if (sz != tests[i].byte_len) {
 	    printf ("encoding of %s has wrong len (%lu != %lu)\n",
 		    tests[i].name, 
 		    (unsigned long)sz, (unsigned long)tests[i].byte_len);
 	    ++failures;
+	    continue;
 	}
 
+	current_state = "length";
 	length_sz = (*length) (tests[i].val);
 	if (sz != length_sz) {
 	    printf ("length for %s is bad (%lu != %lu)\n",
 		    tests[i].name, (unsigned long)length_sz, (unsigned long)sz);
 	    ++failures;
+	    continue;
 	}
 
-	if (memcmp (beg, tests[i].bytes, tests[i].byte_len) != 0) {
+	current_state = "memcmp";
+	if (memcmp (buf, tests[i].bytes, tests[i].byte_len) != 0) {
 	    printf ("encoding of %s has bad bytes:\n"
 		    "correct: ", tests[i].name);
-	    print_bytes (tests[i].bytes, tests[i].byte_len);
+	    print_bytes ((unsigned char *)tests[i].bytes, tests[i].byte_len);
 	    printf ("\nactual:  ");
-	    print_bytes (beg, sz);
+	    print_bytes (buf, sz);
 	    printf ("\n");
 	    ++failures;
+	    continue;
 	}
-	ret = (*decode) (beg, sz, val, &consumed_sz);
+
+	buf2 = map_alloc(OVERRUN, buf, sz, &buf2_map);
+
+	current_state = "decode";
+	ret = (*decode) (buf2, sz, data, &consumed_sz);
 	if (ret != 0) {
-	    printf ("decoding of %s failed\n", tests[i].name);
+	    printf ("decoding of %s failed %d\n", tests[i].name, ret);
 	    ++failures;
+	    continue;
 	}
 	if (sz != consumed_sz) {
 	    printf ("different length decoding %s (%ld != %ld)\n",
 		    tests[i].name, 
 		    (unsigned long)sz, (unsigned long)consumed_sz);
 	    ++failures;
+	    continue;
 	}
-	if ((*cmp)(val, tests[i].val) != 0) {
+	current_state = "cmp";
+	if ((*cmp)(data, tests[i].val) != 0) {
 	    printf ("%s: comparison failed\n", tests[i].name);
 	    ++failures;
+	    continue;
+	}
+	current_state = "free";
+	if (free_data)
+	    (*free_data)(data);
+
+	current_state = "free";
+	map_free(buf_map, tests[i].name, "encode");
+	map_free(buf2_map, tests[i].name, "decode");
+	map_free(data_map, tests[i].name, "data");
+
+	sigaction (SIGSEGV, &osa, NULL);
+    }
+    current_state = "done";
+    return failures;
+}
+
+/*
+ * check for failures
+ * 
+ * a test size (byte_len) of -1 means that the test tries to trigger a
+ * integer overflow (and later a malloc of to little memory), just
+ * allocate some memory and hope that is enough for that test.
+ */
+
+int
+generic_decode_fail (const struct test_case *tests,
+		     unsigned ntests,
+		     size_t data_size,
+		     int (*decode)(unsigned char *, size_t, void *, size_t *))
+{
+    unsigned char *buf;
+    int i;
+    int failures = 0;
+    void *data;
+    struct map_page *data_map, *buf_map;
+
+    struct sigaction sa, osa;
+
+    for (i = 0; i < ntests; ++i) {
+	int ret;
+	size_t sz;
+	const void *bytes;
+	
+	current_test = tests[i].name;
+
+	current_state = "init";
+
+	sigemptyset (&sa.sa_mask);
+	sa.sa_flags = 0;
+#ifdef SA_RESETHAND
+	sa.sa_flags |= SA_RESETHAND;
+#endif
+	sa.sa_handler = segv_handler;
+	sigaction (SIGSEGV, &sa, &osa);
+
+	data = map_alloc(OVERRUN, NULL, data_size, &data_map);
+
+	if (tests[i].byte_len < 0xffffff && tests[i].byte_len >= 0) {
+	    sz = tests[i].byte_len;
+	    bytes = tests[i].bytes;
+	} else {
+	    sz = 4096;
+	    bytes = NULL;
+	}
+		
+	buf = map_alloc(OVERRUN, bytes, sz, &buf_map);
+
+	if (tests[i].byte_len == -1)
+	    memset(buf, 0, sz);
+
+	current_state = "decode";
+	ret = (*decode) (buf, tests[i].byte_len, data, &sz);
+	if (ret == 0) {
+	    printf ("sucessfully decoded %s\n", tests[i].name);
+	    ++failures;
+	    continue;
 	}
+
+	current_state = "free";
+	if (buf)
+	    map_free(buf_map, tests[i].name, "encode");
+	map_free(data_map, tests[i].name, "data");
+
+	sigaction (SIGSEGV, &osa, NULL);
     }
-    free (val);
+    current_state = "done";
     return failures;
 }
diff --git a/crypto/heimdal/lib/asn1/check-common.h b/crypto/heimdal/lib/asn1/check-common.h
index 52d59cb..b1cb647 100644
--- a/crypto/heimdal/lib/asn1/check-common.h
+++ b/crypto/heimdal/lib/asn1/check-common.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -34,13 +34,14 @@
 struct test_case {
     void *val;
     int byte_len;
-    const unsigned char *bytes;
+    const char *bytes;
     char *name;
 };
 
 typedef int (*generic_encode)(unsigned char *, size_t, void *, size_t *);
 typedef int (*generic_length)(void *);
 typedef int (*generic_decode)(unsigned char *, size_t, void *, size_t *);
+typedef int (*generic_free)(void *);
 
 int
 generic_test (const struct test_case *tests,
@@ -49,5 +50,21 @@ generic_test (const struct test_case *tests,
 	      int (*encode)(unsigned char *, size_t, void *, size_t *),
 	      int (*length)(void *),
 	      int (*decode)(unsigned char *, size_t, void *, size_t *),
+	      int (*free_data)(void *),
 	      int (*cmp)(void *a, void *b));
 
+int
+generic_decode_fail(const struct test_case *tests,
+		    unsigned ntests,
+		    size_t data_size,
+		    int (*decode)(unsigned char *, size_t, void *, size_t *));
+
+
+struct map_page;
+
+enum map_type { OVERRUN, UNDERRUN };
+
+struct map_page;
+
+void *	map_alloc(enum map_type, const void *, size_t, struct map_page **);
+void	map_free(struct map_page *, const char *, const char *);
diff --git a/crypto/heimdal/lib/asn1/check-der.c b/crypto/heimdal/lib/asn1/check-der.c
index 7cb0577..9ba2601 100644
--- a/crypto/heimdal/lib/asn1/check-der.c
+++ b/crypto/heimdal/lib/asn1/check-der.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999 - 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,11 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-#include <stdio.h>
-#include <string.h>
+#include "der_locl.h"
 #include <err.h>
 #include <roken.h>
 
@@ -45,7 +41,7 @@
 
 #include "check-common.h"
 
-RCSID("$Id: check-der.c,v 1.9 2003/01/23 10:19:49 lha Exp $");
+RCSID("$Id: check-der.c 21359 2007-06-27 08:15:41Z lha $");
 
 static int
 cmp_integer (void *a, void *b)
@@ -60,41 +56,168 @@ static int
 test_integer (void)
 {
     struct test_case tests[] = {
-	{NULL, 3, "\x02\x01\x00"},
-	{NULL, 3, "\x02\x01\x7f"},
-	{NULL, 4, "\x02\x02\x00\x80"},
-	{NULL, 4, "\x02\x02\x01\x00"},
-	{NULL, 3, "\x02\x01\x80"},
-	{NULL, 4, "\x02\x02\xff\x7f"},
-	{NULL, 3, "\x02\x01\xff"},
-	{NULL, 4, "\x02\x02\xff\x01"},
-	{NULL, 4, "\x02\x02\x00\xff"},
-	{NULL, 6, "\x02\x04\x80\x00\x00\x00"},
-	{NULL, 6, "\x02\x04\x7f\xff\xff\xff"}
+	{NULL, 1, "\x00"},
+	{NULL, 1, "\x7f"},
+	{NULL, 2, "\x00\x80"},
+	{NULL, 2, "\x01\x00"},
+	{NULL, 1, "\x80"},
+	{NULL, 2, "\xff\x7f"},
+	{NULL, 1, "\xff"},
+	{NULL, 2, "\xff\x01"},
+	{NULL, 2, "\x00\xff"},
+	{NULL, 4, "\x7f\xff\xff\xff"}
     };
 
     int values[] = {0, 127, 128, 256, -128, -129, -1, -255, 255,
-		    0x80000000, 0x7fffffff};
-    int i;
+		    0x7fffffff};
+    int i, ret;
     int ntests = sizeof(tests) / sizeof(*tests);
 
     for (i = 0; i < ntests; ++i) {
 	tests[i].val = &values[i];
 	asprintf (&tests[i].name, "integer %d", values[i]);
+	if (tests[i].name == NULL)
+	    errx(1, "malloc");
     }
 
-    return generic_test (tests, ntests, sizeof(int),
-			 (generic_encode)encode_integer,
-			 (generic_length) length_integer,
-			 (generic_decode)decode_integer,
+    ret = generic_test (tests, ntests, sizeof(int),
+			(generic_encode)der_put_integer,
+			 (generic_length) der_length_integer,
+			 (generic_decode)der_get_integer,
+			 (generic_free)NULL,
 			 cmp_integer);
+
+    for (i = 0; i < ntests; ++i)
+	free (tests[i].name);
+    return ret;
+}
+
+static int
+test_one_int(int val)
+{
+    int ret, dval;
+    unsigned char *buf;
+    size_t len_len, len;
+
+    len = _heim_len_int(val);
+
+    buf = emalloc(len + 2);
+
+    buf[0] = '\xff';
+    buf[len + 1] = '\xff';
+    memset(buf + 1, 0, len);
+
+    ret = der_put_integer(buf + 1 + len - 1, len, &val, &len_len);
+    if (ret) {
+	printf("integer %d encode failed %d\n", val, ret);
+	return 1;
+    }
+    if (len != len_len) {
+	printf("integer %d encode fail with %d len %lu, result len %lu\n",
+	       val, ret, (unsigned long)len, (unsigned long)len_len);
+	return 1;
+    }
+
+    ret = der_get_integer(buf + 1, len, &dval, &len_len);
+    if (ret) {
+	printf("integer %d decode failed %d\n", val, ret);
+	return 1;
+    }
+    if (len != len_len) {
+	printf("integer %d decoded diffrent len %lu != %lu",
+	       val, (unsigned long)len, (unsigned long)len_len);
+	return 1;
+    }
+    if (val != dval) {
+	printf("decode decoded to diffrent value %d != %d",
+	       val, dval);
+	return 1;
+    }
+
+    if (buf[0] != (unsigned char)'\xff') {
+	printf("precanary dead %d\n", val);
+	return 1;
+    }
+    if (buf[len + 1] != (unsigned char)'\xff') {
+	printf("postecanary dead %d\n", val);
+	return 1;
+    }
+    free(buf);
+    return 0;
+}
+
+static int
+test_integer_more (void)
+{
+    int i, n1, n2, n3, n4, n5, n6;
+
+    n2 = 0;
+    for (i = 0; i < (sizeof(int) * 8); i++) {
+	n1 = 0x01 << i;
+	n2 = n2 | n1;
+	n3 = ~n1;
+	n4 = ~n2;
+	n5 = (-1) & ~(0x3f << i);
+	n6 = (-1) & ~(0x7f << i);
+
+	test_one_int(n1);
+	test_one_int(n2);
+	test_one_int(n3);
+	test_one_int(n4);
+	test_one_int(n5);
+	test_one_int(n6);
+    }
+    return 0;
+}
+
+static int
+cmp_unsigned (void *a, void *b)
+{
+    return *(unsigned int*)b - *(unsigned int*)a;
+}
+
+static int
+test_unsigned (void)
+{
+    struct test_case tests[] = {
+	{NULL, 1, "\x00"},
+	{NULL, 1, "\x7f"},
+	{NULL, 2, "\x00\x80"},
+	{NULL, 2, "\x01\x00"},
+	{NULL, 2, "\x02\x00"},
+	{NULL, 3, "\x00\x80\x00"},
+	{NULL, 5, "\x00\x80\x00\x00\x00"},
+	{NULL, 4, "\x7f\xff\xff\xff"}
+    };
+
+    unsigned int values[] = {0, 127, 128, 256, 512, 32768, 
+			     0x80000000, 0x7fffffff};
+    int i, ret;
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    for (i = 0; i < ntests; ++i) {
+	tests[i].val = &values[i];
+	asprintf (&tests[i].name, "unsigned %u", values[i]);
+	if (tests[i].name == NULL)
+	    errx(1, "malloc");
+    }
+
+    ret = generic_test (tests, ntests, sizeof(int),
+			(generic_encode)der_put_unsigned,
+			(generic_length)der_length_unsigned,
+			(generic_decode)der_get_unsigned,
+			(generic_free)NULL,
+			cmp_unsigned);
+    for (i = 0; i < ntests; ++i) 
+	free (tests[i].name);
+    return ret;
 }
 
 static int
 cmp_octet_string (void *a, void *b)
 {
-    octet_string *oa = (octet_string *)a;
-    octet_string *ob = (octet_string *)b;
+    heim_octet_string *oa = (heim_octet_string *)a;
+    heim_octet_string *ob = (heim_octet_string *)b;
 
     if (oa->length != ob->length)
 	return ob->length - oa->length;
@@ -105,28 +228,124 @@ cmp_octet_string (void *a, void *b)
 static int
 test_octet_string (void)
 {
-    octet_string s1 = {8, "\x01\x23\x45\x67\x89\xab\xcd\xef"};
+    heim_octet_string s1 = {8, "\x01\x23\x45\x67\x89\xab\xcd\xef"};
 
     struct test_case tests[] = {
-	{NULL, 10, "\x04\x08\x01\x23\x45\x67\x89\xab\xcd\xef"}
+	{NULL, 8, "\x01\x23\x45\x67\x89\xab\xcd\xef"}
     };
     int ntests = sizeof(tests) / sizeof(*tests);
+    int ret;
 
     tests[0].val = &s1;
     asprintf (&tests[0].name, "a octet string");
+    if (tests[0].name == NULL)
+	errx(1, "malloc");
+
+    ret = generic_test (tests, ntests, sizeof(heim_octet_string),
+			(generic_encode)der_put_octet_string,
+			(generic_length)der_length_octet_string,
+			(generic_decode)der_get_octet_string,
+			(generic_free)der_free_octet_string,
+			cmp_octet_string);
+    free(tests[0].name);
+    return ret;
+}
+
+static int
+cmp_bmp_string (void *a, void *b)
+{
+    heim_bmp_string *oa = (heim_bmp_string *)a;
+    heim_bmp_string *ob = (heim_bmp_string *)b;
+
+    return der_heim_bmp_string_cmp(oa, ob);
+}
+
+static uint16_t bmp_d1[] = { 32 };
+static uint16_t bmp_d2[] = { 32, 32 };
+
+static int
+test_bmp_string (void)
+{
+    heim_bmp_string s1 = { 1, bmp_d1 };
+    heim_bmp_string s2 = { 2, bmp_d2 };
+
+    struct test_case tests[] = {
+	{NULL, 2, "\x00\x20"},
+	{NULL, 4, "\x00\x20\x00\x20"}
+    };
+    int ntests = sizeof(tests) / sizeof(*tests);
+    int ret;
+
+    tests[0].val = &s1;
+    asprintf (&tests[0].name, "a bmp string");
+    if (tests[0].name == NULL)
+	errx(1, "malloc");
+    tests[1].val = &s2;
+    asprintf (&tests[1].name, "second bmp string");
+    if (tests[1].name == NULL)
+	errx(1, "malloc");
+
+    ret = generic_test (tests, ntests, sizeof(heim_bmp_string),
+			(generic_encode)der_put_bmp_string,
+			(generic_length)der_length_bmp_string,
+			(generic_decode)der_get_bmp_string,
+			(generic_free)der_free_bmp_string,
+			cmp_bmp_string);
+    free(tests[0].name);
+    free(tests[1].name);
+    return ret;
+}
+
+static int
+cmp_universal_string (void *a, void *b)
+{
+    heim_universal_string *oa = (heim_universal_string *)a;
+    heim_universal_string *ob = (heim_universal_string *)b;
+
+    return der_heim_universal_string_cmp(oa, ob);
+}
+
+static uint32_t universal_d1[] = { 32 };
+static uint32_t universal_d2[] = { 32, 32 };
+
+static int
+test_universal_string (void)
+{
+    heim_universal_string s1 = { 1, universal_d1 };
+    heim_universal_string s2 = { 2, universal_d2 };
+
+    struct test_case tests[] = {
+	{NULL, 4, "\x00\x00\x00\x20"},
+	{NULL, 8, "\x00\x00\x00\x20\x00\x00\x00\x20"}
+    };
+    int ntests = sizeof(tests) / sizeof(*tests);
+    int ret;
+
+    tests[0].val = &s1;
+    asprintf (&tests[0].name, "a universal string");
+    if (tests[0].name == NULL)
+	errx(1, "malloc");
+    tests[1].val = &s2;
+    asprintf (&tests[1].name, "second universal string");
+    if (tests[1].name == NULL)
+	errx(1, "malloc");
 
-    return generic_test (tests, ntests, sizeof(octet_string),
-			 (generic_encode)encode_octet_string,
-			 (generic_length)length_octet_string,
-			 (generic_decode)decode_octet_string,
-			 cmp_octet_string);
+    ret = generic_test (tests, ntests, sizeof(heim_universal_string),
+			(generic_encode)der_put_universal_string,
+			(generic_length)der_length_universal_string,
+			(generic_decode)der_get_universal_string,
+			(generic_free)der_free_universal_string,
+			cmp_universal_string);
+    free(tests[0].name);
+    free(tests[1].name);
+    return ret;
 }
 
 static int
 cmp_general_string (void *a, void *b)
 {
-    unsigned char **sa = (unsigned char **)a;
-    unsigned char **sb = (unsigned char **)b;
+    char **sa = (char **)a;
+    char **sb = (char **)b;
 
     return strcmp (*sa, *sb);
 }
@@ -134,21 +353,26 @@ cmp_general_string (void *a, void *b)
 static int
 test_general_string (void)
 {
-    unsigned char *s1 = "Test User 1";
+    char *s1 = "Test User 1";
 
     struct test_case tests[] = {
-	{NULL, 13, "\x1b\x0b\x54\x65\x73\x74\x20\x55\x73\x65\x72\x20\x31"}
+	{NULL, 11, "\x54\x65\x73\x74\x20\x55\x73\x65\x72\x20\x31"}
     };
-    int ntests = sizeof(tests) / sizeof(*tests);
+    int ret, ntests = sizeof(tests) / sizeof(*tests);
 
     tests[0].val = &s1;
     asprintf (&tests[0].name, "the string \"%s\"", s1);
+    if (tests[0].name == NULL)
+	errx(1, "malloc");
 
-    return generic_test (tests, ntests, sizeof(unsigned char *),
-			 (generic_encode)encode_general_string,
-			 (generic_length)length_general_string,
-			 (generic_decode)decode_general_string,
-			 cmp_general_string);
+    ret = generic_test (tests, ntests, sizeof(unsigned char *),
+			(generic_encode)der_put_general_string,
+			(generic_length)der_length_general_string,
+			(generic_decode)der_get_general_string,
+			(generic_free)der_free_general_string,
+			cmp_general_string);
+    free(tests[0].name);
+    return ret;
 }
 
 static int
@@ -164,23 +388,665 @@ static int
 test_generalized_time (void)
 {
     struct test_case tests[] = {
-	{NULL, 17, "\x18\x0f""19700101000000Z"},
-	{NULL, 17, "\x18\x0f""19851106210627Z"}
+	{NULL, 15, "19700101000000Z"},
+	{NULL, 15, "19851106210627Z"}
     };
     time_t values[] = {0, 500159187};
-    int i;
+    int i, ret;
     int ntests = sizeof(tests) / sizeof(*tests);
 
     for (i = 0; i < ntests; ++i) {
 	tests[i].val = &values[i];
 	asprintf (&tests[i].name, "time %d", (int)values[i]);
+	if (tests[i].name == NULL)
+	    errx(1, "malloc");
+    }
+
+    ret = generic_test (tests, ntests, sizeof(time_t),
+			(generic_encode)der_put_generalized_time,
+			(generic_length)der_length_generalized_time,
+			(generic_decode)der_get_generalized_time,
+			(generic_free)NULL,
+			cmp_generalized_time);
+    for (i = 0; i < ntests; ++i)
+	free(tests[i].name);
+    return ret;
+}
+
+static int
+test_cmp_oid (void *a, void *b)
+{
+    return der_heim_oid_cmp((heim_oid *)a, (heim_oid *)b);
+}
+
+static unsigned oid_comp1[] = { 1, 1, 1 };
+static unsigned oid_comp2[] = { 1, 1 };
+static unsigned oid_comp3[] = { 6, 15, 1 };
+static unsigned oid_comp4[] = { 6, 15 };
+
+static int
+test_oid (void)
+{
+    struct test_case tests[] = {
+	{NULL, 2, "\x29\x01"},
+	{NULL, 1, "\x29"},
+	{NULL, 2, "\xff\x01"},
+	{NULL, 1, "\xff"}
+    };
+    heim_oid values[] = {
+	{ 3, oid_comp1 },
+	{ 2, oid_comp2 },
+	{ 3, oid_comp3 },
+	{ 2, oid_comp4 }
+    };
+    int i, ret;
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    for (i = 0; i < ntests; ++i) {
+	tests[i].val = &values[i];
+	asprintf (&tests[i].name, "oid %d", i);
+	if (tests[i].name == NULL)
+	    errx(1, "malloc");
+    }
+
+    ret = generic_test (tests, ntests, sizeof(heim_oid),
+			(generic_encode)der_put_oid,
+			(generic_length)der_length_oid,
+			(generic_decode)der_get_oid,
+			(generic_free)der_free_oid,
+			test_cmp_oid);
+    for (i = 0; i < ntests; ++i)
+	free(tests[i].name);
+    return ret;
+}
+
+static int
+test_cmp_bit_string (void *a, void *b)
+{
+    return der_heim_bit_string_cmp((heim_bit_string *)a, (heim_bit_string *)b);
+}
+
+static int
+test_bit_string (void)
+{
+    struct test_case tests[] = {
+	{NULL, 1, "\x00"}
+    };
+    heim_bit_string values[] = {
+	{ 0, "" }
+    };
+    int i, ret;
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    for (i = 0; i < ntests; ++i) {
+	tests[i].val = &values[i];
+	asprintf (&tests[i].name, "bit_string %d", i);
+	if (tests[i].name == NULL)
+	    errx(1, "malloc");
+    }
+
+    ret = generic_test (tests, ntests, sizeof(heim_bit_string),
+			(generic_encode)der_put_bit_string,
+			(generic_length)der_length_bit_string,
+			(generic_decode)der_get_bit_string,
+			(generic_free)der_free_bit_string,
+			test_cmp_bit_string);
+    for (i = 0; i < ntests; ++i)
+	free(tests[i].name);
+    return ret;
+}
+
+static int
+test_cmp_heim_integer (void *a, void *b)
+{
+    return der_heim_integer_cmp((heim_integer *)a, (heim_integer *)b);
+}
+
+static int
+test_heim_integer (void)
+{
+    struct test_case tests[] = {
+	{NULL, 2, "\xfe\x01"},
+	{NULL, 2, "\xef\x01"},
+	{NULL, 3, "\xff\x00\xff"},
+	{NULL, 3, "\xff\x01\x00"},
+	{NULL, 1, "\x00"},
+	{NULL, 1, "\x01"},
+	{NULL, 2, "\x00\x80"}
+    };
+
+    heim_integer values[] = {
+	{ 2, "\x01\xff", 1 },
+	{ 2, "\x10\xff", 1 },
+	{ 2, "\xff\x01", 1 },
+	{ 2, "\xff\x00", 1 },
+	{ 0, "", 0 },
+	{ 1, "\x01", 0 },
+	{ 1, "\x80", 0 }
+    };
+    int i, ret;
+    int ntests = sizeof(tests) / sizeof(tests[0]);
+    size_t size;
+    heim_integer i2;
+
+    for (i = 0; i < ntests; ++i) {
+	tests[i].val = &values[i];
+	asprintf (&tests[i].name, "heim_integer %d", i);
+	if (tests[i].name == NULL)
+	    errx(1, "malloc");
+    }
+
+    ret = generic_test (tests, ntests, sizeof(heim_integer),
+			(generic_encode)der_put_heim_integer,
+			(generic_length)der_length_heim_integer,
+			(generic_decode)der_get_heim_integer,
+			(generic_free)der_free_heim_integer,
+			test_cmp_heim_integer);
+    for (i = 0; i < ntests; ++i) 
+	free (tests[i].name);
+    if (ret)
+	return ret;
+
+    /* test zero length integer (BER format) */
+    ret = der_get_heim_integer(NULL, 0, &i2, &size);
+    if (ret)
+	errx(1, "der_get_heim_integer");
+    if (i2.length != 0)
+	errx(1, "der_get_heim_integer wrong length");
+    der_free_heim_integer(&i2);
+
+    return 0;
+}
+
+static int
+test_cmp_boolean (void *a, void *b)
+{
+    return !!*(int *)a != !!*(int *)b;
+}
+
+static int
+test_boolean (void)
+{
+    struct test_case tests[] = {
+	{NULL, 1, "\xff"},
+	{NULL, 1, "\x00"}
+    };
+
+    int values[] = { 1, 0 };
+    int i, ret;
+    int ntests = sizeof(tests) / sizeof(tests[0]);
+    size_t size;
+    heim_integer i2;
+
+    for (i = 0; i < ntests; ++i) {
+	tests[i].val = &values[i];
+	asprintf (&tests[i].name, "heim_boolean %d", i);
+	if (tests[i].name == NULL)
+	    errx(1, "malloc");
+    }
+
+    ret = generic_test (tests, ntests, sizeof(int),
+			(generic_encode)der_put_boolean,
+			(generic_length)der_length_boolean,
+			(generic_decode)der_get_boolean,
+			(generic_free)NULL,
+			test_cmp_boolean);
+    for (i = 0; i < ntests; ++i) 
+	free (tests[i].name);
+    if (ret)
+	return ret;
+
+    /* test zero length integer (BER format) */
+    ret = der_get_heim_integer(NULL, 0, &i2, &size);
+    if (ret)
+	errx(1, "der_get_heim_integer");
+    if (i2.length != 0)
+	errx(1, "der_get_heim_integer wrong length");
+    der_free_heim_integer(&i2);
+
+    return 0;
+}
+
+static int
+check_fail_unsigned(void)
+{
+    struct test_case tests[] = {
+	{NULL, sizeof(unsigned) + 1,
+	 "\x01\x01\x01\x01\x01\x01\x01\x01\x01", "data overrun" }
+    };
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    return generic_decode_fail(tests, ntests, sizeof(unsigned),
+			       (generic_decode)der_get_unsigned);
+}
+
+static int
+check_fail_integer(void)
+{
+    struct test_case tests[] = {
+	{NULL, sizeof(int) + 1,
+	 "\x01\x01\x01\x01\x01\x01\x01\x01\x01", "data overrun" }
+    };
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    return generic_decode_fail(tests, ntests, sizeof(int),
+			       (generic_decode)der_get_integer);
+}
+
+static int
+check_fail_length(void)
+{
+    struct test_case tests[] = {
+	{NULL, 0, "", "empty input data"},
+	{NULL, 1, "\x82", "internal length overrun" }
+    };
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    return generic_decode_fail(tests, ntests, sizeof(size_t),
+			       (generic_decode)der_get_length);
+}
+
+static int
+check_fail_boolean(void)
+{
+    struct test_case tests[] = {
+	{NULL, 0, "", "empty input data"}
+    };
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    return generic_decode_fail(tests, ntests, sizeof(int),
+			       (generic_decode)der_get_boolean);
+}
+
+static int
+check_fail_general_string(void)
+{
+    struct test_case tests[] = {
+	{ NULL, 3, "A\x00i", "NUL char in string"}
+    };
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    return generic_decode_fail(tests, ntests, sizeof(heim_general_string),
+			       (generic_decode)der_get_general_string);
+}
+
+static int
+check_fail_bmp_string(void)
+{
+    struct test_case tests[] = {
+	{NULL, 1, "\x00", "odd (1) length bmpstring"},
+	{NULL, 3, "\x00\x00\x00", "odd (3) length bmpstring"}
+    };
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    return generic_decode_fail(tests, ntests, sizeof(heim_bmp_string),
+			       (generic_decode)der_get_bmp_string);
+}
+
+static int
+check_fail_universal_string(void)
+{
+    struct test_case tests[] = {
+	{NULL, 1, "\x00", "x & 3 == 1 universal string"},
+	{NULL, 2, "\x00\x00", "x & 3 == 2 universal string"},
+	{NULL, 3, "\x00\x00\x00", "x & 3 == 3 universal string"},
+	{NULL, 5, "\x00\x00\x00\x00\x00", "x & 3 == 1 universal string"},
+	{NULL, 6, "\x00\x00\x00\x00\x00\x00", "x & 3 == 2 universal string"},
+	{NULL, 7, "\x00\x00\x00\x00\x00\x00\x00", "x & 3 == 3 universal string"}
+    };
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    return generic_decode_fail(tests, ntests, sizeof(heim_universal_string),
+			       (generic_decode)der_get_universal_string);
+}
+
+static int
+check_fail_heim_integer(void)
+{
+#if 0
+    struct test_case tests[] = {
+    };
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    return generic_decode_fail(tests, ntests, sizeof(heim_integer),
+			       (generic_decode)der_get_heim_integer);
+#else
+    return 0;
+#endif
+}
+
+static int
+check_fail_generalized_time(void)
+{
+    struct test_case tests[] = {
+	{NULL, 1, "\x00", "no time"}
+    };
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    return generic_decode_fail(tests, ntests, sizeof(time_t),
+			       (generic_decode)der_get_generalized_time);
+}
+
+static int
+check_fail_oid(void)
+{
+    struct test_case tests[] = {
+	{NULL, 0, "", "empty input data"},
+	{NULL, 2, "\x00\x80", "last byte continuation" },
+	{NULL, 11, "\x00\x81\x80\x80\x80\x80\x80\x80\x80\x80\x00", 
+	"oid element overflow" }
+    };
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    return generic_decode_fail(tests, ntests, sizeof(heim_oid),
+			       (generic_decode)der_get_oid);
+}
+
+static int
+check_fail_bitstring(void)
+{
+    struct test_case tests[] = {
+	{NULL, 0, "", "empty input data"},
+	{NULL, 1, "\x08", "larger then 8 bits trailer"},
+	{NULL, 1, "\x01", "to few bytes for bits"},
+	{NULL, -2, "\x00", "length overrun"},
+	{NULL, -1, "", "length to short"}
+    };
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    return generic_decode_fail(tests, ntests, sizeof(heim_bit_string),
+			       (generic_decode)der_get_bit_string);
+}
+
+static int
+check_heim_integer_same(const char *p, const char *norm_p, heim_integer *i)
+{
+    heim_integer i2;
+    char *str;
+    int ret;
+
+    ret = der_print_hex_heim_integer(i, &str);
+    if (ret)
+	errx(1, "der_print_hex_heim_integer: %d", ret);
+
+    if (strcmp(str, norm_p) != 0)
+	errx(1, "der_print_hex_heim_integer: %s != %s", str, p);
+
+    ret = der_parse_hex_heim_integer(str, &i2);
+    if (ret)
+	errx(1, "der_parse_hex_heim_integer: %d", ret);
+
+    if (der_heim_integer_cmp(i, &i2) != 0)
+	errx(1, "der_heim_integer_cmp: p %s", p);
+
+    der_free_heim_integer(&i2);
+    free(str);
+
+    ret = der_parse_hex_heim_integer(p, &i2);
+    if (ret)
+	errx(1, "der_parse_hex_heim_integer: %d", ret);
+
+    if (der_heim_integer_cmp(i, &i2) != 0)
+	errx(1, "der_heim_integer_cmp: norm");
+
+    der_free_heim_integer(&i2);
+
+    return 0;
+}
+
+static int
+test_heim_int_format(void)
+{
+    heim_integer i = { 1, "\x10", 0 };
+    heim_integer i2 = { 1, "\x10", 1 };
+    heim_integer i3 = { 1, "\01", 0 };
+    char *p =
+	"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
+	"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
+	"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
+	"E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
+	"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
+	"FFFFFFFF" "FFFFFFFF";
+    heim_integer bni = {
+	128, 
+	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xC9\x0F\xDA\xA2"
+	"\x21\x68\xC2\x34\xC4\xC6\x62\x8B\x80\xDC\x1C\xD1"
+	"\x29\x02\x4E\x08\x8A\x67\xCC\x74\x02\x0B\xBE\xA6"
+	"\x3B\x13\x9B\x22\x51\x4A\x08\x79\x8E\x34\x04\xDD"
+	"\xEF\x95\x19\xB3\xCD\x3A\x43\x1B\x30\x2B\x0A\x6D"
+	"\xF2\x5F\x14\x37\x4F\xE1\x35\x6D\x6D\x51\xC2\x45"
+	"\xE4\x85\xB5\x76\x62\x5E\x7E\xC6\xF4\x4C\x42\xE9"
+	"\xA6\x37\xED\x6B\x0B\xFF\x5C\xB6\xF4\x06\xB7\xED"
+	"\xEE\x38\x6B\xFB\x5A\x89\x9F\xA5\xAE\x9F\x24\x11"
+	"\x7C\x4B\x1F\xE6\x49\x28\x66\x51\xEC\xE6\x53\x81"
+	"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF",
+	0
+    };
+    heim_integer f;
+    int ret = 0;
+
+    ret += check_heim_integer_same(p, p, &bni);
+    ret += check_heim_integer_same("10", "10", &i);
+    ret += check_heim_integer_same("00000010", "10", &i);
+    ret += check_heim_integer_same("-10", "-10", &i2);
+    ret += check_heim_integer_same("-00000010", "-10", &i2);
+    ret += check_heim_integer_same("01", "01", &i3);
+    ret += check_heim_integer_same("1", "01", &i3);
+
+    {
+	int r;
+	r = der_parse_hex_heim_integer("-", &f);
+	if (r == 0) {
+	    der_free_heim_integer(&f);
+	    ret++;
+	}
+	/* used to cause UMR */
+	r = der_parse_hex_heim_integer("00", &f);
+	if (r == 0)
+	    der_free_heim_integer(&f);
+	else
+	    ret++;
+    }
+
+    return ret;
+}
+
+static int
+test_heim_oid_format_same(const char *str, const heim_oid *oid)
+{
+    int ret;
+    char *p;
+    heim_oid o2;
+
+    ret = der_print_heim_oid(oid, ' ', &p);
+    if (ret) {
+	printf("fail to print oid: %s\n", str);
+	return 1;
     }
+    ret = strcmp(p, str);
+    if (ret) {
+	printf("oid %s != formated oid %s\n", str, p);
+	free(p);
+	return ret;
+    }
+
+    ret = der_parse_heim_oid(p, " ", &o2);
+    if (ret) {
+	printf("failed to parse %s\n", p);
+	free(p);
+	return ret;
+    }
+    free(p);
+    ret = der_heim_oid_cmp(&o2, oid);
+    der_free_oid(&o2);
 
-    return generic_test (tests, ntests, sizeof(time_t),
-			 (generic_encode)encode_generalized_time,
-			 (generic_length)length_generalized_time,
-			 (generic_decode)decode_generalized_time,
-			 cmp_generalized_time);
+    return ret;
+}
+
+static unsigned sha1_oid_tree[] = { 1, 3, 14, 3, 2, 26 };
+
+static int
+test_heim_oid_format(void)
+{
+    heim_oid sha1 = { 6, sha1_oid_tree };
+    int ret = 0;
+
+    ret += test_heim_oid_format_same("1 3 14 3 2 26", &sha1);
+
+    return ret;
+}
+
+static int
+check_trailing_nul(void)
+{
+    int i, ret;
+    struct {
+	int fail;
+	const unsigned char *p;
+	size_t len;
+	const char *s;
+	size_t size;
+    } foo[] = {
+	{ 1, (const unsigned char *)"foo\x00o", 5, NULL, 0 },
+	{ 1, (const unsigned char *)"\x00o", 2, NULL, 0 },
+	{ 0, (const unsigned char *)"\x00\x00\x00\x00\x00", 5, "", 5 },
+	{ 0, (const unsigned char *)"\x00", 1, "", 1 },
+	{ 0, (const unsigned char *)"", 0, "", 0 },
+	{ 0, (const unsigned char *)"foo\x00\x00", 5, "foo", 5 },
+	{ 0, (const unsigned char *)"foo\0", 4, "foo", 4 },
+	{ 0, (const unsigned char *)"foo", 3, "foo", 3 }
+    };
+    
+    for (i = 0; i < sizeof(foo)/sizeof(foo[0]); i++) {
+	char *s;
+	size_t size;
+	ret = der_get_general_string(foo[i].p, foo[i].len, &s, &size);
+	if (foo[i].fail) {
+	    if (ret == 0)
+		errx(1, "check %d NULL didn't fail", i);
+	    continue;
+	}
+	if (ret)
+	    errx(1, "NULL check %d der_get_general_string failed", i);
+	if (foo[i].size != size)
+	    errx(1, "NUL check i = %d size failed", i);
+	if (strcmp(foo[i].s, s) != 0)
+	    errx(1, "NUL check i = %d content failed", i);
+	free(s);
+    }
+    return 0;
+}
+
+static int
+test_misc_cmp(void)
+{
+    int ret;
+
+    /* diffrent lengths are diffrent */
+    {
+	const heim_octet_string os1 = { 1, "a" } , os2 = { 0, NULL };
+	ret = der_heim_octet_string_cmp(&os1, &os2);
+	if (ret == 0)
+	    return 1;
+    }
+    /* diffrent data are diffrent */
+    {
+	const heim_octet_string os1 = { 1, "a" } , os2 = { 1, "b" };
+	ret = der_heim_octet_string_cmp(&os1, &os2);
+	if (ret == 0)
+	    return 1;
+    }
+    /* diffrent lengths are diffrent */
+    {
+	const heim_bit_string bs1 = { 8, "a" } , bs2 = { 7, "a" };
+	ret = der_heim_bit_string_cmp(&bs1, &bs2);
+	if (ret == 0)
+	    return 1;
+    }
+    /* diffrent data are diffrent */
+    {
+	const heim_bit_string bs1 = { 7, "\x0f" } , bs2 = { 7, "\x02" };
+	ret = der_heim_bit_string_cmp(&bs1, &bs2);
+	if (ret == 0)
+	    return 1;
+    }
+    /* diffrent lengths are diffrent */
+    {
+	uint16_t data = 1;
+	heim_bmp_string bs1 = { 1, NULL } , bs2 = { 0, NULL };
+	bs1.data = &data;
+	ret = der_heim_bmp_string_cmp(&bs1, &bs2);
+	if (ret == 0)
+	    return 1;
+    }
+    /* diffrent lengths are diffrent */
+    {
+	uint32_t data;
+	heim_universal_string us1 = { 1, NULL } , us2 = { 0, NULL };
+	us1.data = &data;
+	ret = der_heim_universal_string_cmp(&us1, &us2);
+	if (ret == 0)
+	    return 1;
+    }
+    /* same */
+    {
+	uint32_t data = (uint32_t)'a';
+	heim_universal_string us1 = { 1, NULL } , us2 = { 1, NULL };
+	us1.data = &data;
+	us2.data = &data;
+	ret = der_heim_universal_string_cmp(&us1, &us2);
+	if (ret != 0)
+	    return 1;
+    }
+
+    return 0;
+}
+
+static int
+corner_generalized_time(void)
+{
+    const char *str = "760520140000Z";
+    size_t size;
+    time_t t;
+    int ret;
+
+    ret = der_get_generalized_time((const unsigned char*)str, strlen(str),
+				   &t, &size);
+    if (ret)
+	return 1;
+    return 0;
+}
+
+static int
+corner_tag(void)
+{
+    struct {
+	int ok;
+	const char *ptr;
+	size_t len;
+    } tests[] = { 
+	{ 1, "\x00", 1 },
+	{ 0, "\xff", 1 },
+	{ 0, "\xff\xff\xff\xff\xff\xff\xff\xff", 8 }
+    };
+    int i, ret;
+    Der_class cl;
+    Der_type ty;
+    unsigned int tag;
+    size_t size;
+
+    for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) {
+	ret = der_get_tag((const unsigned char*)tests[i].ptr, 
+			  tests[i].len, &cl, &ty, &tag, &size);
+	if (ret) {
+	    if (tests[i].ok)
+		errx(1, "failed while shouldn't");
+	} else {
+	    if (!tests[i].ok)
+		errx(1, "passed while shouldn't");
+	}
+    }
+    return 0;
 }
 
 int
@@ -189,9 +1055,35 @@ main(int argc, char **argv)
     int ret = 0;
 
     ret += test_integer ();
+    ret += test_integer_more();
+    ret += test_unsigned ();
     ret += test_octet_string ();
+    ret += test_bmp_string ();
+    ret += test_universal_string ();
     ret += test_general_string ();
     ret += test_generalized_time ();
+    ret += test_oid ();
+    ret += test_bit_string();
+    ret += test_heim_integer();
+    ret += test_boolean();
+
+    ret += check_fail_unsigned();
+    ret += check_fail_integer();
+    ret += check_fail_length();
+    ret += check_fail_boolean();
+    ret += check_fail_general_string();
+    ret += check_fail_bmp_string();
+    ret += check_fail_universal_string();
+    ret += check_fail_heim_integer();
+    ret += check_fail_generalized_time();
+    ret += check_fail_oid();
+    ret += check_fail_bitstring();
+    ret += test_heim_int_format();
+    ret += test_heim_oid_format();
+    ret += check_trailing_nul();
+    ret += test_misc_cmp();
+    ret += corner_generalized_time();
+    ret += corner_tag();
 
     return ret;
 }
diff --git a/crypto/heimdal/lib/asn1/check-gen.c b/crypto/heimdal/lib/asn1/check-gen.c
index 0b0bec9..a18a21d 100644
--- a/crypto/heimdal/lib/asn1/check-gen.c
+++ b/crypto/heimdal/lib/asn1/check-gen.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -43,16 +43,26 @@
 #include <asn1_err.h>
 #include <der.h>
 #include <krb5_asn1.h>
+#include <heim_asn1.h>
+#include <rfc2459_asn1.h>
+#include <test_asn1.h>
 
 #include "check-common.h"
 
-RCSID("$Id: check-gen.c,v 1.2.2.1 2003/05/06 16:49:57 joda Exp $");
+RCSID("$Id: check-gen.c 21539 2007-07-14 16:12:04Z lha $");
 
-static char *lha_princ[] = { "lha" };
+static char *lha_principal[] = { "lha" };
 static char *lharoot_princ[] = { "lha", "root" };
 static char *datan_princ[] = { "host", "nutcracker.e.kth.se" };
+static char *nada_tgt_principal[] = { "krbtgt", "NADA.KTH.SE" };
 
 
+#define IF_OPT_COMPARE(ac,bc,e) \
+	if (((ac)->e == NULL && (bc)->e != NULL) || (((ac)->e != NULL && (bc)->e == NULL))) return 1; if ((ab)->e)
+#define COMPARE_OPT_STRING(ac,bc,e) \
+	do { if (strcmp(*(ac)->e, *(bc)->e) != 0) return 1; } while(0)
+#define COMPARE_OPT_OCTECT_STRING(ac,bc,e) \
+	do { if ((ac)->e->length != (bc)->e->length || memcmp((ac)->e->data, (bc)->e->data, (ac)->e->length) != 0) return 1; } while(0)
 #define COMPARE_STRING(ac,bc,e) \
 	do { if (strcmp((ac)->e, (bc)->e) != 0) return 1; } while(0)
 #define COMPARE_INTEGER(ac,bc,e) \
@@ -83,16 +93,16 @@ test_principal (void)
 
     struct test_case tests[] = {
 	{ NULL, 29, 
-	  (unsigned char*)"\x30\x1b\xa0\x10\x30\x0e\xa0\x03\x02\x01\x01\xa1\x07\x30\x05\x1b"
+	  "\x30\x1b\xa0\x10\x30\x0e\xa0\x03\x02\x01\x01\xa1\x07\x30\x05\x1b"
 	  "\x03\x6c\x68\x61\xa1\x07\x1b\x05\x53\x55\x2e\x53\x45"
 	},
 	{ NULL, 35,
-	  (unsigned char*)"\x30\x21\xa0\x16\x30\x14\xa0\x03\x02\x01\x01\xa1\x0d\x30\x0b\x1b"
+	  "\x30\x21\xa0\x16\x30\x14\xa0\x03\x02\x01\x01\xa1\x0d\x30\x0b\x1b"
 	  "\x03\x6c\x68\x61\x1b\x04\x72\x6f\x6f\x74\xa1\x07\x1b\x05\x53\x55"
 	  "\x2e\x53\x45"
 	},
 	{ NULL, 54, 
-	  (unsigned char*)"\x30\x34\xa0\x26\x30\x24\xa0\x03\x02\x01\x03\xa1\x1d\x30\x1b\x1b"
+	  "\x30\x34\xa0\x26\x30\x24\xa0\x03\x02\x01\x03\xa1\x1d\x30\x1b\x1b"
 	  "\x04\x68\x6f\x73\x74\x1b\x13\x6e\x75\x74\x63\x72\x61\x63\x6b\x65"
 	  "\x72\x2e\x65\x2e\x6b\x74\x68\x2e\x73\x65\xa1\x0a\x1b\x08\x45\x2e"
 	  "\x4b\x54\x48\x2e\x53\x45"
@@ -101,11 +111,11 @@ test_principal (void)
 
 
     Principal values[] = { 
-	{ { KRB5_NT_PRINCIPAL, { 1, lha_princ } },  "SU.SE" },
+	{ { KRB5_NT_PRINCIPAL, { 1, lha_principal } },  "SU.SE" },
 	{ { KRB5_NT_PRINCIPAL, { 2, lharoot_princ } },  "SU.SE" },
 	{ { KRB5_NT_SRV_HST, { 2, datan_princ } },  "E.KTH.SE" }
     };
-    int i;
+    int i, ret;
     int ntests = sizeof(tests) / sizeof(*tests);
 
     for (i = 0; i < ntests; ++i) {
@@ -113,11 +123,16 @@ test_principal (void)
 	asprintf (&tests[i].name, "Principal %d", i);
     }
 
-    return generic_test (tests, ntests, sizeof(Principal),
-			 (generic_encode)encode_Principal,
-			 (generic_length)length_Principal,
-			 (generic_decode)decode_Principal,
-			 cmp_principal);
+    ret = generic_test (tests, ntests, sizeof(Principal),
+			(generic_encode)encode_Principal,
+			(generic_length)length_Principal,
+			(generic_decode)decode_Principal,
+			(generic_free)free_Principal,
+			cmp_principal);
+    for (i = 0; i < ntests; ++i)
+	free (tests[i].name);
+
+    return ret;
 }
 
 static int
@@ -144,14 +159,14 @@ test_authenticator (void)
 {
     struct test_case tests[] = {
 	{ NULL, 63, 
-	  (unsigned char*)"\x62\x3d\x30\x3b\xa0\x03\x02\x01\x05\xa1\x0a\x1b\x08"
+	  "\x62\x3d\x30\x3b\xa0\x03\x02\x01\x05\xa1\x0a\x1b\x08"
 	  "\x45\x2e\x4b\x54\x48\x2e\x53\x45\xa2\x10\x30\x0e\xa0"
 	  "\x03\x02\x01\x01\xa1\x07\x30\x05\x1b\x03\x6c\x68\x61"
 	  "\xa4\x03\x02\x01\x0a\xa5\x11\x18\x0f\x31\x39\x37\x30"
 	  "\x30\x31\x30\x31\x30\x30\x30\x31\x33\x39\x5a"
 	},
 	{ NULL, 67, 
-	  (unsigned char*)"\x62\x41\x30\x3f\xa0\x03\x02\x01\x05\xa1\x07\x1b\x05"
+	  "\x62\x41\x30\x3f\xa0\x03\x02\x01\x05\xa1\x07\x1b\x05"
 	  "\x53\x55\x2e\x53\x45\xa2\x16\x30\x14\xa0\x03\x02\x01"
 	  "\x01\xa1\x0d\x30\x0b\x1b\x03\x6c\x68\x61\x1b\x04\x72"
 	  "\x6f\x6f\x74\xa4\x04\x02\x02\x01\x24\xa5\x11\x18\x0f"
@@ -161,12 +176,12 @@ test_authenticator (void)
     };
 
     Authenticator values[] = {
-	{ 5, "E.KTH.SE", { KRB5_NT_PRINCIPAL, { 1, lha_princ } },
+	{ 5, "E.KTH.SE", { KRB5_NT_PRINCIPAL, { 1, lha_principal } },
 	  NULL, 10, 99, NULL, NULL, NULL },
 	{ 5, "SU.SE", { KRB5_NT_PRINCIPAL, { 2, lharoot_princ } },
 	  NULL, 292, 999, NULL, NULL, NULL }
     };
-    int i;
+    int i, ret;
     int ntests = sizeof(tests) / sizeof(*tests);
 
     for (i = 0; i < ntests; ++i) {
@@ -174,13 +189,743 @@ test_authenticator (void)
 	asprintf (&tests[i].name, "Authenticator %d", i);
     }
 
-    return generic_test (tests, ntests, sizeof(Authenticator),
-			 (generic_encode)encode_Authenticator,
-			 (generic_length)length_Authenticator,
-			 (generic_decode)decode_Authenticator,
-			 cmp_authenticator);
+    ret = generic_test (tests, ntests, sizeof(Authenticator),
+			(generic_encode)encode_Authenticator,
+			(generic_length)length_Authenticator,
+			(generic_decode)decode_Authenticator,
+			(generic_free)free_Authenticator,
+			cmp_authenticator);
+    for (i = 0; i < ntests; ++i)
+	free(tests[i].name);
+
+    return ret;
+}
+
+static int
+cmp_KRB_ERROR (void *a, void *b)
+{
+    KRB_ERROR *aa = a;
+    KRB_ERROR *ab = b;
+    int i;
+
+    COMPARE_INTEGER(aa,ab,pvno);
+    COMPARE_INTEGER(aa,ab,msg_type);
+
+    IF_OPT_COMPARE(aa,ab,ctime) {
+	COMPARE_INTEGER(aa,ab,ctime);
+    }
+    IF_OPT_COMPARE(aa,ab,cusec) {
+	COMPARE_INTEGER(aa,ab,cusec);
+    }
+    COMPARE_INTEGER(aa,ab,stime);
+    COMPARE_INTEGER(aa,ab,susec);
+    COMPARE_INTEGER(aa,ab,error_code);
+
+    IF_OPT_COMPARE(aa,ab,crealm) {
+	COMPARE_OPT_STRING(aa,ab,crealm);
+    }
+#if 0
+    IF_OPT_COMPARE(aa,ab,cname) {
+	COMPARE_OPT_STRING(aa,ab,cname);
+    }
+#endif
+    COMPARE_STRING(aa,ab,realm);
+
+    COMPARE_INTEGER(aa,ab,sname.name_string.len);
+    for (i = 0; i < aa->sname.name_string.len; i++)
+	COMPARE_STRING(aa,ab,sname.name_string.val[i]);
+
+    IF_OPT_COMPARE(aa,ab,e_text) {
+	COMPARE_OPT_STRING(aa,ab,e_text);
+    }
+    IF_OPT_COMPARE(aa,ab,e_data) {
+	/* COMPARE_OPT_OCTECT_STRING(aa,ab,e_data); */
+    }
+
+    return 0;
+}
+
+static int
+test_krb_error (void)
+{
+    struct test_case tests[] = {
+	{ NULL, 127, 
+	  "\x7e\x7d\x30\x7b\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x1e\xa4\x11"
+	  "\x18\x0f\x32\x30\x30\x33\x31\x31\x32\x34\x30\x30\x31\x31\x31\x39"
+	  "\x5a\xa5\x05\x02\x03\x04\xed\xa5\xa6\x03\x02\x01\x1f\xa7\x0d\x1b"
+	  "\x0b\x4e\x41\x44\x41\x2e\x4b\x54\x48\x2e\x53\x45\xa8\x10\x30\x0e"
+	  "\xa0\x03\x02\x01\x01\xa1\x07\x30\x05\x1b\x03\x6c\x68\x61\xa9\x0d"
+	  "\x1b\x0b\x4e\x41\x44\x41\x2e\x4b\x54\x48\x2e\x53\x45\xaa\x20\x30"
+	  "\x1e\xa0\x03\x02\x01\x01\xa1\x17\x30\x15\x1b\x06\x6b\x72\x62\x74"
+	  "\x67\x74\x1b\x0b\x4e\x41\x44\x41\x2e\x4b\x54\x48\x2e\x53\x45",
+	  "KRB-ERROR Test 1"
+	}
+    };
+    int ntests = sizeof(tests) / sizeof(*tests);
+    KRB_ERROR e1;
+    PrincipalName lhaprincipalname = { 1, { 1, lha_principal } };
+    PrincipalName tgtprincipalname = { 1, { 2, nada_tgt_principal } };
+    char *realm = "NADA.KTH.SE";
+
+    e1.pvno = 5;
+    e1.msg_type = 30;
+    e1.ctime = NULL;
+    e1.cusec = NULL;
+    e1.stime = 1069632679;
+    e1.susec = 322981;
+    e1.error_code = 31;
+    e1.crealm = &realm;
+    e1.cname = &lhaprincipalname;
+    e1.realm = "NADA.KTH.SE";
+    e1.sname = tgtprincipalname;
+    e1.e_text = NULL;
+    e1.e_data = NULL;
+
+    tests[0].val = &e1;
+
+    return generic_test (tests, ntests, sizeof(KRB_ERROR),
+			 (generic_encode)encode_KRB_ERROR,
+			 (generic_length)length_KRB_ERROR,
+			 (generic_decode)decode_KRB_ERROR,
+			 (generic_free)free_KRB_ERROR,
+			 cmp_KRB_ERROR);
+}
+
+static int
+cmp_Name (void *a, void *b)
+{
+    Name *aa = a;
+    Name *ab = b;
+
+    COMPARE_INTEGER(aa,ab,element);
+
+    return 0;
+}
+
+static int
+test_Name (void)
+{
+    struct test_case tests[] = {
+	{ NULL, 35, 
+	  "\x30\x21\x31\x1f\x30\x0b\x06\x03\x55\x04\x03\x13\x04\x4c\x6f\x76"
+	  "\x65\x30\x10\x06\x03\x55\x04\x07\x13\x09\x53\x54\x4f\x43\x4b\x48"
+	  "\x4f\x4c\x4d",
+	  "Name CN=Love+L=STOCKHOLM"
+	},
+	{ NULL, 35, 
+	  "\x30\x21\x31\x1f\x30\x0b\x06\x03\x55\x04\x03\x13\x04\x4c\x6f\x76"
+	  "\x65\x30\x10\x06\x03\x55\x04\x07\x13\x09\x53\x54\x4f\x43\x4b\x48"
+	  "\x4f\x4c\x4d",
+	  "Name L=STOCKHOLM+CN=Love"
+	}
+    };
+
+    int ntests = sizeof(tests) / sizeof(*tests);
+    Name n1, n2;
+    RelativeDistinguishedName rdn1[1];
+    RelativeDistinguishedName rdn2[1];
+    AttributeTypeAndValue atv1[2];
+    AttributeTypeAndValue atv2[2];
+    unsigned cmp_CN[] = { 2, 5, 4, 3 };
+    unsigned cmp_L[] = { 2, 5, 4, 7 };
+
+    /* n1 */
+    n1.element = choice_Name_rdnSequence;
+    n1.u.rdnSequence.val = rdn1;
+    n1.u.rdnSequence.len = sizeof(rdn1)/sizeof(rdn1[0]);
+    rdn1[0].val = atv1;
+    rdn1[0].len = sizeof(atv1)/sizeof(atv1[0]);
+
+    atv1[0].type.length = sizeof(cmp_CN)/sizeof(cmp_CN[0]);
+    atv1[0].type.components = cmp_CN;
+    atv1[0].value.element = choice_DirectoryString_printableString;
+    atv1[0].value.u.printableString = "Love";
+
+    atv1[1].type.length = sizeof(cmp_L)/sizeof(cmp_L[0]);
+    atv1[1].type.components = cmp_L;
+    atv1[1].value.element = choice_DirectoryString_printableString;
+    atv1[1].value.u.printableString = "STOCKHOLM";
+
+    /* n2 */
+    n2.element = choice_Name_rdnSequence;
+    n2.u.rdnSequence.val = rdn2;
+    n2.u.rdnSequence.len = sizeof(rdn2)/sizeof(rdn2[0]);
+    rdn2[0].val = atv2;
+    rdn2[0].len = sizeof(atv2)/sizeof(atv2[0]);
+
+    atv2[0].type.length = sizeof(cmp_L)/sizeof(cmp_L[0]);
+    atv2[0].type.components = cmp_L;
+    atv2[0].value.element = choice_DirectoryString_printableString;
+    atv2[0].value.u.printableString = "STOCKHOLM";
+
+    atv2[1].type.length = sizeof(cmp_CN)/sizeof(cmp_CN[0]);
+    atv2[1].type.components = cmp_CN;
+    atv2[1].value.element = choice_DirectoryString_printableString;
+    atv2[1].value.u.printableString = "Love";
+
+    /* */
+    tests[0].val = &n1;
+    tests[1].val = &n2;
+
+    return generic_test (tests, ntests, sizeof(Name),
+			 (generic_encode)encode_Name,
+			 (generic_length)length_Name,
+			 (generic_decode)decode_Name,
+			 (generic_free)free_Name,
+			 cmp_Name);
+}
+
+static int
+cmp_KeyUsage (void *a, void *b)
+{
+    KeyUsage *aa = a;
+    KeyUsage *ab = b;
+
+    return KeyUsage2int(*aa) != KeyUsage2int(*ab);
+}
+
+static int
+test_bit_string (void)
+{
+    struct test_case tests[] = {
+	{ NULL, 4,
+	  "\x03\x02\x07\x80",
+	  "bitstring 1"
+	},
+	{ NULL, 4,
+	  "\x03\x02\x05\xa0",
+	  "bitstring 2"
+	},
+	{ NULL, 5,
+	  "\x03\x03\x07\x00\x80",
+	  "bitstring 3"
+	},
+	{ NULL, 3,
+	  "\x03\x01\x00",
+	  "bitstring 4"
+	}
+    };
+
+    int ntests = sizeof(tests) / sizeof(*tests);
+    KeyUsage ku1, ku2, ku3, ku4;
+
+    memset(&ku1, 0, sizeof(ku1));
+    ku1.digitalSignature = 1;
+    tests[0].val = &ku1;
+
+    memset(&ku2, 0, sizeof(ku2));
+    ku2.digitalSignature = 1;
+    ku2.keyEncipherment = 1;
+    tests[1].val = &ku2;
+
+    memset(&ku3, 0, sizeof(ku3));
+    ku3.decipherOnly = 1;
+    tests[2].val = &ku3;
+
+    memset(&ku4, 0, sizeof(ku4));
+    tests[3].val = &ku4;
+
+
+    return generic_test (tests, ntests, sizeof(KeyUsage),
+			 (generic_encode)encode_KeyUsage,
+			 (generic_length)length_KeyUsage,
+			 (generic_decode)decode_KeyUsage,
+			 (generic_free)free_KeyUsage,
+			 cmp_KeyUsage);
+}
+
+static int
+cmp_TESTLargeTag (void *a, void *b)
+{
+    TESTLargeTag *aa = a;
+    TESTLargeTag *ab = b;
+
+    COMPARE_INTEGER(aa,ab,foo);
+    return 0;
+}
+
+static int
+test_large_tag (void)
+{
+    struct test_case tests[] = {
+	{ NULL,  8,  "\x30\x06\xbf\x7f\x03\x02\x01\x01", "large tag 1" }
+    };
+
+    int ntests = sizeof(tests) / sizeof(*tests);
+    TESTLargeTag lt1;
+
+    memset(&lt1, 0, sizeof(lt1));
+    lt1.foo = 1;
+
+    tests[0].val = &lt1;
+
+    return generic_test (tests, ntests, sizeof(TESTLargeTag),
+			 (generic_encode)encode_TESTLargeTag,
+			 (generic_length)length_TESTLargeTag,
+			 (generic_decode)decode_TESTLargeTag,
+			 (generic_free)free_TESTLargeTag,
+			 cmp_TESTLargeTag);
+}
+
+struct test_data {
+    int ok;
+    size_t len;
+    size_t expected_len;
+    void *data;
+};
+
+static int
+check_tag_length(void)
+{
+    struct test_data td[] = {
+	{ 1, 3, 3, "\x02\x01\x00"},
+	{ 1, 3, 3, "\x02\x01\x7f"},
+	{ 1, 4, 4, "\x02\x02\x00\x80"},
+	{ 1, 4, 4, "\x02\x02\x01\x00"},
+	{ 1, 4, 4, "\x02\x02\x02\x00"},
+	{ 0, 3, 0, "\x02\x02\x00"},
+	{ 0, 3, 0, "\x02\x7f\x7f"},
+	{ 0, 4, 0, "\x02\x03\x00\x80"},
+	{ 0, 4, 0, "\x02\x7f\x01\x00"},
+	{ 0, 5, 0, "\x02\xff\x7f\x02\x00"}
+    };
+    size_t sz;
+    krb5uint32 values[] = {0, 127, 128, 256, 512,
+			 0, 127, 128, 256, 512 };
+    krb5uint32 u;
+    int i, ret, failed = 0;
+    void *buf;
+
+    for (i = 0; i < sizeof(td)/sizeof(td[0]); i++) {
+	struct map_page *page;
+
+	buf = map_alloc(OVERRUN, td[i].data, td[i].len, &page);
+
+	ret = decode_krb5uint32(buf, td[i].len, &u, &sz);
+	if (ret) {
+	    if (td[i].ok) {
+		printf("failed with tag len test %d\n", i);
+		failed = 1;
+	    }
+	} else {
+	    if (td[i].ok == 0) {
+		printf("failed with success for tag len test %d\n", i);
+		failed = 1;
+	    }
+	    if (td[i].expected_len != sz) {
+		printf("wrong expected size for tag test %d\n", i);
+		failed = 1;
+	    }
+	    if (values[i] != u) {
+		printf("wrong value for tag test %d\n", i);
+		failed = 1;
+	    }
+	}
+	map_free(page, "test", "decode");
+    }
+    return failed;
+}
+
+static int
+cmp_TESTChoice (void *a, void *b)
+{
+    return 0;
 }
 
+static int
+test_choice (void)
+{
+    struct test_case tests[] = {
+	{ NULL,  5,  "\xa1\x03\x02\x01\x01", "large choice 1" },
+	{ NULL,  5,  "\xa2\x03\x02\x01\x02", "large choice 2" }
+    };
+
+    int ret = 0, ntests = sizeof(tests) / sizeof(*tests);
+    TESTChoice1 c1;
+    TESTChoice1 c2_1;
+    TESTChoice2 c2_2;
+
+    memset(&c1, 0, sizeof(c1));
+    c1.element = choice_TESTChoice1_i1;
+    c1.u.i1 = 1;
+    tests[0].val = &c1;
+
+    memset(&c2_1, 0, sizeof(c2_1));
+    c2_1.element = choice_TESTChoice1_i2;
+    c2_1.u.i2 = 2;
+    tests[1].val = &c2_1;
+
+    ret += generic_test (tests, ntests, sizeof(TESTChoice1),
+			 (generic_encode)encode_TESTChoice1,
+			 (generic_length)length_TESTChoice1,
+			 (generic_decode)decode_TESTChoice1,
+			 (generic_free)free_TESTChoice1,
+			 cmp_TESTChoice);
+
+    memset(&c2_2, 0, sizeof(c2_2));
+    c2_2.element = choice_TESTChoice2_asn1_ellipsis;
+    c2_2.u.asn1_ellipsis.data = "\xa2\x03\x02\x01\x02";
+    c2_2.u.asn1_ellipsis.length = 5;
+    tests[1].val = &c2_2;
+
+    ret += generic_test (tests, ntests, sizeof(TESTChoice2),
+			 (generic_encode)encode_TESTChoice2,
+			 (generic_length)length_TESTChoice2,
+			 (generic_decode)decode_TESTChoice2,
+			 (generic_free)free_TESTChoice2,
+			 cmp_TESTChoice);
+
+    return ret;
+}
+
+static int
+cmp_TESTImplicit (void *a, void *b)
+{
+    TESTImplicit *aa = a;
+    TESTImplicit *ab = b;
+
+    COMPARE_INTEGER(aa,ab,ti1);
+    COMPARE_INTEGER(aa,ab,ti2.foo);
+    COMPARE_INTEGER(aa,ab,ti3);
+    return 0;
+}
+
+/*
+UNIV CONS Sequence 14
+  CONTEXT PRIM 0 1 00
+  CONTEXT CONS 1 6
+   CONTEXT CONS 127 3
+     UNIV PRIM Integer 1 02
+  CONTEXT PRIM 2 1 03
+*/
+
+static int
+test_implicit (void)
+{
+    struct test_case tests[] = {
+	{ NULL,  16,  
+	  "\x30\x0e\x80\x01\x00\xa1\x06\xbf"
+	  "\x7f\x03\x02\x01\x02\x82\x01\x03", 
+	  "implicit 1" }
+    };
+
+    int ret = 0, ntests = sizeof(tests) / sizeof(*tests);
+    TESTImplicit c0;
+
+    memset(&c0, 0, sizeof(c0));
+    c0.ti1 = 0;
+    c0.ti2.foo = 2;
+    c0.ti3 = 3;
+    tests[0].val = &c0;
+
+    ret += generic_test (tests, ntests, sizeof(TESTImplicit),
+			 (generic_encode)encode_TESTImplicit,
+			 (generic_length)length_TESTImplicit,
+			 (generic_decode)decode_TESTImplicit,
+			 (generic_free)free_TESTImplicit,
+			 cmp_TESTImplicit);
+
+#ifdef IMPLICIT_TAGGING_WORKS
+    ret += generic_test (tests, ntests, sizeof(TESTImplicit2),
+			 (generic_encode)encode_TESTImplicit2,
+			 (generic_length)length_TESTImplicit2,
+			 (generic_decode)decode_TESTImplicit2,
+			 (generic_free)free_TESTImplicit2,
+			 cmp_TESTImplicit);
+
+#endif /* IMPLICIT_TAGGING_WORKS */
+    return ret;
+}
+
+static int
+cmp_TESTAlloc (void *a, void *b)
+{
+    TESTAlloc *aa = a;
+    TESTAlloc *ab = b;
+
+    IF_OPT_COMPARE(aa,ab,tagless) {
+	COMPARE_INTEGER(aa,ab,tagless->ai);
+    }
+
+    COMPARE_INTEGER(aa,ab,three);
+
+    IF_OPT_COMPARE(aa,ab,tagless2) {
+	COMPARE_OPT_OCTECT_STRING(aa, ab, tagless2);
+    }
+
+    return 0;
+}
+
+/*
+UNIV CONS Sequence 12
+  UNIV CONS Sequence 5
+    CONTEXT CONS 0 3
+      UNIV PRIM Integer 1 01
+  CONTEXT CONS 1 3
+    UNIV PRIM Integer 1 03
+
+UNIV CONS Sequence 5
+  CONTEXT CONS 1 3
+    UNIV PRIM Integer 1 03
+
+UNIV CONS Sequence 8
+  CONTEXT CONS 1 3
+    UNIV PRIM Integer 1 04
+  UNIV PRIM Integer 1 05
+
+*/
+
+static int
+test_taglessalloc (void)
+{
+    struct test_case tests[] = {
+	{ NULL,  14,  
+	  "\x30\x0c\x30\x05\xa0\x03\x02\x01\x01\xa1\x03\x02\x01\x03", 
+	  "alloc 1" },
+	{ NULL,  7,  
+	  "\x30\x05\xa1\x03\x02\x01\x03", 
+	  "alloc 2" },
+	{ NULL,  10,  
+	  "\x30\x08\xa1\x03\x02\x01\x04\x02\x01\x05", 
+	  "alloc 3" }
+    };
+
+    int ret = 0, ntests = sizeof(tests) / sizeof(*tests);
+    TESTAlloc c1, c2, c3;
+    heim_any any3;
+
+    memset(&c1, 0, sizeof(c1));
+    c1.tagless = ecalloc(1, sizeof(*c1.tagless));
+    c1.tagless->ai = 1;
+    c1.three = 3;
+    tests[0].val = &c1;
+
+    memset(&c2, 0, sizeof(c2));
+    c2.tagless = NULL;
+    c2.three = 3;
+    tests[1].val = &c2;
+
+    memset(&c3, 0, sizeof(c3));
+    c3.tagless = NULL;
+    c3.three = 4;
+    c3.tagless2 = &any3;
+    any3.data = "\x02\x01\x05";
+    any3.length = 3;
+    tests[2].val = &c3;
+
+    ret += generic_test (tests, ntests, sizeof(TESTAlloc),
+			 (generic_encode)encode_TESTAlloc,
+			 (generic_length)length_TESTAlloc,
+			 (generic_decode)decode_TESTAlloc,
+			 (generic_free)free_TESTAlloc,
+			 cmp_TESTAlloc);
+
+    free(c1.tagless);
+
+    return ret;
+}
+
+
+static int
+check_fail_largetag(void)
+{
+    struct test_case tests[] = {
+	{NULL, 14, "\x30\x0c\xbf\x87\xff\xff\xff\xff\xff\x7f\x03\x02\x01\x01",
+	 "tag overflow"},
+	{NULL, 0, "", "empty buffer"},
+	{NULL, 7, "\x30\x05\xa1\x03\x02\x02\x01",
+	 "one too short" },
+	{NULL, 7, "\x30\x04\xa1\x03\x02\x02\x01"
+	 "two too short" },
+	{NULL, 7, "\x30\x03\xa1\x03\x02\x02\x01",
+	 "three too short" },
+	{NULL, 7, "\x30\x02\xa1\x03\x02\x02\x01",
+	 "four too short" },
+	{NULL, 7, "\x30\x01\xa1\x03\x02\x02\x01",
+	 "five too short" },
+	{NULL, 7, "\x30\x00\xa1\x03\x02\x02\x01",
+	 "six too short" },
+	{NULL, 7, "\x30\x05\xa1\x04\x02\x02\x01",
+	 "inner one too long" },
+	{NULL, 7, "\x30\x00\xa1\x02\x02\x02\x01",
+	 "inner one too short" },
+	{NULL, 8, "\x30\x05\xbf\x7f\x03\x02\x02\x01",
+	 "inner one too short"},
+	{NULL, 8, "\x30\x06\xbf\x64\x03\x02\x01\x01",
+	 "wrong tag"},
+	{NULL, 10, "\x30\x08\xbf\x9a\x9b\x38\x03\x02\x01\x01",
+	 "still wrong tag"}
+    };
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    return generic_decode_fail(tests, ntests, sizeof(TESTLargeTag),
+			       (generic_decode)decode_TESTLargeTag);
+}
+
+
+static int
+check_fail_sequence(void)
+{
+    struct test_case tests[] = {
+	{NULL, 0, "", "empty buffer"},
+	{NULL, 24, 
+	 "\x30\x16\xa0\x03\x02\x01\x01\xa1\x08\x30\x06\xbf\x7f\x03\x02\x01\x01"
+	 "\x02\x01\x01\xa2\x03\x02\x01\x01"
+	 "missing one byte from the end, internal length ok"},
+	{NULL, 25,
+	 "\x30\x18\xa0\x03\x02\x01\x01\xa1\x08\x30\x06\xbf\x7f\x03\x02\x01\x01"
+	 "\x02\x01\x01\xa2\x03\x02\x01\x01",
+	 "inner length one byte too long"},
+	{NULL, 24, 
+	 "\x30\x17\xa0\x03\x02\x01\x01\xa1\x08\x30\x06\xbf\x7f\x03\x02\x01"
+	 "\x01\x02\x01\x01\xa2\x03\x02\x01\x01",
+	 "correct buffer but missing one too short"}
+    };
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    return generic_decode_fail(tests, ntests, sizeof(TESTSeq),
+			       (generic_decode)decode_TESTSeq);
+}
+
+static int
+check_fail_choice(void)
+{
+    struct test_case tests[] = {
+	{NULL, 6,
+	 "\xa1\x02\x02\x01\x01",
+	 "one too short"},
+	{NULL, 6,
+	 "\xa1\x03\x02\x02\x01",
+	 "one too short inner"}
+    };
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    return generic_decode_fail(tests, ntests, sizeof(TESTChoice1),
+			       (generic_decode)decode_TESTChoice1);
+}
+
+static int
+check_seq(void)
+{
+    TESTSeqOf seq;
+    TESTInteger i;
+    int ret;
+
+    seq.val = NULL;
+    seq.len = 0;
+
+    ret = add_TESTSeqOf(&seq, &i);
+    if (ret) { printf("failed adding\n"); goto out; }
+    ret = add_TESTSeqOf(&seq, &i);
+    if (ret) { printf("failed adding\n"); goto out; }
+    ret = add_TESTSeqOf(&seq, &i);
+    if (ret) { printf("failed adding\n"); goto out; }
+    ret = add_TESTSeqOf(&seq, &i);
+    if (ret) { printf("failed adding\n"); goto out; }
+
+    ret = remove_TESTSeqOf(&seq, seq.len - 1);
+    if (ret) { printf("failed removing\n"); goto out; }
+    ret = remove_TESTSeqOf(&seq, 2);
+    if (ret) { printf("failed removing\n"); goto out; }
+    ret = remove_TESTSeqOf(&seq, 0);
+    if (ret) { printf("failed removing\n"); goto out; }
+    ret = remove_TESTSeqOf(&seq, 0);
+    if (ret) { printf("failed removing\n"); goto out; }
+    ret = remove_TESTSeqOf(&seq, 0);
+    if (ret == 0) {
+	printf("can remove from empty list");
+	return 1;
+    }
+
+    if (seq.len != 0) {
+	printf("seq not empty!");
+	return 1;
+    }
+    free_TESTSeqOf(&seq);
+    ret = 0;
+
+out:
+
+    return ret;
+}
+
+#define test_seq_of(type, ok, ptr)					\
+{									\
+    heim_octet_string os;						\
+    size_t size;							\
+    type decode;							\
+    ASN1_MALLOC_ENCODE(type, os.data, os.length, ptr, &size, ret);	\
+    if (ret)								\
+	return ret;							\
+    if (os.length != size)						\
+	abort();							\
+    ret = decode_##type(os.data, os.length, &decode, &size);		\
+    free(os.data);							\
+    if (ret) {								\
+	if (ok)								\
+	    return 1;							\
+    } else {								\
+	free_##type(&decode);						\
+	if (!ok)							\
+	    return 1;							\
+	if (size != 0)							\
+            return 1;							\
+    }									\
+    return 0;								\
+}
+
+static int
+check_seq_of_size(void)
+{
+    TESTInteger integers[4] = { 1, 2, 3, 4 };
+    int ret;
+
+    {
+	TESTSeqSizeOf1 ssof1f1 = { 1, integers };
+	TESTSeqSizeOf1 ssof1ok1 = { 2, integers };
+	TESTSeqSizeOf1 ssof1f2 = { 3, integers };
+
+	test_seq_of(TESTSeqSizeOf1, 0, &ssof1f1);
+	test_seq_of(TESTSeqSizeOf1, 1, &ssof1ok1);
+	test_seq_of(TESTSeqSizeOf1, 0, &ssof1f2);
+    }
+    {
+	TESTSeqSizeOf2 ssof2f1 = { 0, NULL };
+	TESTSeqSizeOf2 ssof2ok1 = { 1, integers };
+	TESTSeqSizeOf2 ssof2ok2 = { 2, integers };
+	TESTSeqSizeOf2 ssof2f2 = { 3, integers };
+	
+	test_seq_of(TESTSeqSizeOf2, 0, &ssof2f1);
+	test_seq_of(TESTSeqSizeOf2, 1, &ssof2ok1);
+	test_seq_of(TESTSeqSizeOf2, 1, &ssof2ok2);
+	test_seq_of(TESTSeqSizeOf2, 0, &ssof2f2);
+    }
+    {
+	TESTSeqSizeOf3 ssof3f1 = { 0, NULL };
+	TESTSeqSizeOf3 ssof3ok1 = { 1, integers };
+	TESTSeqSizeOf3 ssof3ok2 = { 2, integers };
+	
+	test_seq_of(TESTSeqSizeOf3, 0, &ssof3f1);
+	test_seq_of(TESTSeqSizeOf3, 1, &ssof3ok1);
+	test_seq_of(TESTSeqSizeOf3, 1, &ssof3ok2);
+    }
+    {
+	TESTSeqSizeOf4 ssof4ok1 = { 0, NULL };
+	TESTSeqSizeOf4 ssof4ok2 = { 1, integers };
+	TESTSeqSizeOf4 ssof4ok3 = { 2, integers };
+	TESTSeqSizeOf4 ssof4f1  = { 3, integers };
+	
+	test_seq_of(TESTSeqSizeOf4, 1, &ssof4ok1);
+	test_seq_of(TESTSeqSizeOf4, 1, &ssof4ok2); 
+	test_seq_of(TESTSeqSizeOf4, 1, &ssof4ok3);
+	test_seq_of(TESTSeqSizeOf4, 0, &ssof4f1);
+   }
+
+    return 0;
+}
+
+
+
 int
 main(int argc, char **argv)
 {
@@ -188,6 +933,23 @@ main(int argc, char **argv)
 
     ret += test_principal ();
     ret += test_authenticator();
+    ret += test_krb_error();
+    ret += test_Name();
+    ret += test_bit_string();
+
+    ret += check_tag_length();
+    ret += test_large_tag();
+    ret += test_choice();
+
+    ret += test_implicit();
+    ret += test_taglessalloc();
+
+    ret += check_fail_largetag();
+    ret += check_fail_sequence();
+    ret += check_fail_choice();
+
+    ret += check_seq();
+    ret += check_seq_of_size();
 
     return ret;
 }
diff --git a/crypto/heimdal/lib/asn1/check-timegm.c b/crypto/heimdal/lib/asn1/check-timegm.c
new file mode 100644
index 0000000..7d33455
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/check-timegm.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <der_locl.h>
+
+RCSID("$Id: check-timegm.c 18610 2006-10-19 16:33:24Z lha $");
+
+static int
+test_timegm(void)
+{
+    int ret = 0;
+    struct tm tm;
+    time_t t;
+
+    memset(&tm, 0, sizeof(tm));
+    tm.tm_year = 106;
+    tm.tm_mon = 9;
+    tm.tm_mday = 1;
+    tm.tm_hour = 10;
+    tm.tm_min = 3;
+
+    t = _der_timegm(&tm);
+    if (t != 1159696980)
+	ret += 1;
+
+    tm.tm_mday = 0;
+    t = _der_timegm(&tm);
+    if (t != -1)
+	ret += 1;
+
+    return ret;
+}
+
+int
+main(int argc, char **argv)
+{
+    int ret = 0;
+
+    ret += test_timegm();
+
+    return ret;
+}
diff --git a/crypto/heimdal/lib/asn1/der-protos.h b/crypto/heimdal/lib/asn1/der-protos.h
new file mode 100644
index 0000000..7bfe02e
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/der-protos.h
@@ -0,0 +1,567 @@
+/* This is a generated file */
+#ifndef __der_protos_h__
+#define __der_protos_h__
+
+#include <stdarg.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+int
+copy_heim_any (
+	const heim_any */*from*/,
+	heim_any */*to*/);
+
+int
+copy_heim_any_set (
+	const heim_any_set */*from*/,
+	heim_any_set */*to*/);
+
+int
+decode_heim_any (
+	const unsigned char */*p*/,
+	size_t /*len*/,
+	heim_any */*data*/,
+	size_t */*size*/);
+
+int
+decode_heim_any_set (
+	const unsigned char */*p*/,
+	size_t /*len*/,
+	heim_any_set */*data*/,
+	size_t */*size*/);
+
+int
+der_copy_bit_string (
+	const heim_bit_string */*from*/,
+	heim_bit_string */*to*/);
+
+int
+der_copy_bmp_string (
+	const heim_bmp_string */*from*/,
+	heim_bmp_string */*to*/);
+
+int
+der_copy_general_string (
+	const heim_general_string */*from*/,
+	heim_general_string */*to*/);
+
+int
+der_copy_heim_integer (
+	const heim_integer */*from*/,
+	heim_integer */*to*/);
+
+int
+der_copy_ia5_string (
+	const heim_printable_string */*from*/,
+	heim_printable_string */*to*/);
+
+int
+der_copy_octet_string (
+	const heim_octet_string */*from*/,
+	heim_octet_string */*to*/);
+
+int
+der_copy_oid (
+	const heim_oid */*from*/,
+	heim_oid */*to*/);
+
+int
+der_copy_printable_string (
+	const heim_printable_string */*from*/,
+	heim_printable_string */*to*/);
+
+int
+der_copy_universal_string (
+	const heim_universal_string */*from*/,
+	heim_universal_string */*to*/);
+
+int
+der_copy_utf8string (
+	const heim_utf8_string */*from*/,
+	heim_utf8_string */*to*/);
+
+int
+der_copy_visible_string (
+	const heim_visible_string */*from*/,
+	heim_visible_string */*to*/);
+
+void
+der_free_bit_string (heim_bit_string */*k*/);
+
+void
+der_free_bmp_string (heim_bmp_string */*k*/);
+
+void
+der_free_general_string (heim_general_string */*str*/);
+
+void
+der_free_heim_integer (heim_integer */*k*/);
+
+void
+der_free_ia5_string (heim_ia5_string */*str*/);
+
+void
+der_free_octet_string (heim_octet_string */*k*/);
+
+void
+der_free_oid (heim_oid */*k*/);
+
+void
+der_free_printable_string (heim_printable_string */*str*/);
+
+void
+der_free_universal_string (heim_universal_string */*k*/);
+
+void
+der_free_utf8string (heim_utf8_string */*str*/);
+
+void
+der_free_visible_string (heim_visible_string */*str*/);
+
+int
+der_get_bit_string (
+	const unsigned char */*p*/,
+	size_t /*len*/,
+	heim_bit_string */*data*/,
+	size_t */*size*/);
+
+int
+der_get_bmp_string (
+	const unsigned char */*p*/,
+	size_t /*len*/,
+	heim_bmp_string */*data*/,
+	size_t */*size*/);
+
+int
+der_get_boolean (
+	const unsigned char */*p*/,
+	size_t /*len*/,
+	int */*data*/,
+	size_t */*size*/);
+
+const char *
+der_get_class_name (unsigned /*num*/);
+
+int
+der_get_class_num (const char */*name*/);
+
+int
+der_get_general_string (
+	const unsigned char */*p*/,
+	size_t /*len*/,
+	heim_general_string */*str*/,
+	size_t */*size*/);
+
+int
+der_get_generalized_time (
+	const unsigned char */*p*/,
+	size_t /*len*/,
+	time_t */*data*/,
+	size_t */*size*/);
+
+int
+der_get_heim_integer (
+	const unsigned char */*p*/,
+	size_t /*len*/,
+	heim_integer */*data*/,
+	size_t */*size*/);
+
+int
+der_get_ia5_string (
+	const unsigned char */*p*/,
+	size_t /*len*/,
+	heim_ia5_string */*str*/,
+	size_t */*size*/);
+
+int
+der_get_integer (
+	const unsigned char */*p*/,
+	size_t /*len*/,
+	int */*ret*/,
+	size_t */*size*/);
+
+int
+der_get_length (
+	const unsigned char */*p*/,
+	size_t /*len*/,
+	size_t */*val*/,
+	size_t */*size*/);
+
+int
+der_get_octet_string (
+	const unsigned char */*p*/,
+	size_t /*len*/,
+	heim_octet_string */*data*/,
+	size_t */*size*/);
+
+int
+der_get_oid (
+	const unsigned char */*p*/,
+	size_t /*len*/,
+	heim_oid */*data*/,
+	size_t */*size*/);
+
+int
+der_get_printable_string (
+	const unsigned char */*p*/,
+	size_t /*len*/,
+	heim_printable_string */*str*/,
+	size_t */*size*/);
+
+int
+der_get_tag (
+	const unsigned char */*p*/,
+	size_t /*len*/,
+	Der_class */*class*/,
+	Der_type */*type*/,
+	unsigned int */*tag*/,
+	size_t */*size*/);
+
+const char *
+der_get_tag_name (unsigned /*num*/);
+
+int
+der_get_tag_num (const char */*name*/);
+
+const char *
+der_get_type_name (unsigned /*num*/);
+
+int
+der_get_type_num (const char */*name*/);
+
+int
+der_get_universal_string (
+	const unsigned char */*p*/,
+	size_t /*len*/,
+	heim_universal_string */*data*/,
+	size_t */*size*/);
+
+int
+der_get_unsigned (
+	const unsigned char */*p*/,
+	size_t /*len*/,
+	unsigned */*ret*/,
+	size_t */*size*/);
+
+int
+der_get_utctime (
+	const unsigned char */*p*/,
+	size_t /*len*/,
+	time_t */*data*/,
+	size_t */*size*/);
+
+int
+der_get_utf8string (
+	const unsigned char */*p*/,
+	size_t /*len*/,
+	heim_utf8_string */*str*/,
+	size_t */*size*/);
+
+int
+der_get_visible_string (
+	const unsigned char */*p*/,
+	size_t /*len*/,
+	heim_visible_string */*str*/,
+	size_t */*size*/);
+
+int
+der_heim_bit_string_cmp (
+	const heim_bit_string */*p*/,
+	const heim_bit_string */*q*/);
+
+int
+der_heim_bmp_string_cmp (
+	const heim_bmp_string */*p*/,
+	const heim_bmp_string */*q*/);
+
+int
+der_heim_integer_cmp (
+	const heim_integer */*p*/,
+	const heim_integer */*q*/);
+
+int
+der_heim_octet_string_cmp (
+	const heim_octet_string */*p*/,
+	const heim_octet_string */*q*/);
+
+int
+der_heim_oid_cmp (
+	const heim_oid */*p*/,
+	const heim_oid */*q*/);
+
+int
+der_heim_universal_string_cmp (
+	const heim_universal_string */*p*/,
+	const heim_universal_string */*q*/);
+
+size_t
+der_length_bit_string (const heim_bit_string */*k*/);
+
+size_t
+der_length_bmp_string (const heim_bmp_string */*data*/);
+
+size_t
+der_length_boolean (const int */*k*/);
+
+size_t
+der_length_enumerated (const unsigned */*data*/);
+
+size_t
+der_length_general_string (const heim_general_string */*data*/);
+
+size_t
+der_length_generalized_time (const time_t */*t*/);
+
+size_t
+der_length_heim_integer (const heim_integer */*k*/);
+
+size_t
+der_length_ia5_string (const heim_ia5_string */*data*/);
+
+size_t
+der_length_integer (const int */*data*/);
+
+size_t
+der_length_len (size_t /*len*/);
+
+size_t
+der_length_octet_string (const heim_octet_string */*k*/);
+
+size_t
+der_length_oid (const heim_oid */*k*/);
+
+size_t
+der_length_printable_string (const heim_printable_string */*data*/);
+
+size_t
+der_length_universal_string (const heim_universal_string */*data*/);
+
+size_t
+der_length_unsigned (const unsigned */*data*/);
+
+size_t
+der_length_utctime (const time_t */*t*/);
+
+size_t
+der_length_utf8string (const heim_utf8_string */*data*/);
+
+size_t
+der_length_visible_string (const heim_visible_string */*data*/);
+
+int
+der_match_tag (
+	const unsigned char */*p*/,
+	size_t /*len*/,
+	Der_class /*class*/,
+	Der_type /*type*/,
+	unsigned int /*tag*/,
+	size_t */*size*/);
+
+int
+der_match_tag_and_length (
+	const unsigned char */*p*/,
+	size_t /*len*/,
+	Der_class /*class*/,
+	Der_type /*type*/,
+	unsigned int /*tag*/,
+	size_t */*length_ret*/,
+	size_t */*size*/);
+
+int
+der_parse_heim_oid (
+	const char */*str*/,
+	const char */*sep*/,
+	heim_oid */*data*/);
+
+int
+der_parse_hex_heim_integer (
+	const char */*p*/,
+	heim_integer */*data*/);
+
+int
+der_print_heim_oid (
+	const heim_oid */*oid*/,
+	char /*delim*/,
+	char **/*str*/);
+
+int
+der_print_hex_heim_integer (
+	const heim_integer */*data*/,
+	char **/*p*/);
+
+int
+der_put_bit_string (
+	unsigned char */*p*/,
+	size_t /*len*/,
+	const heim_bit_string */*data*/,
+	size_t */*size*/);
+
+int
+der_put_bmp_string (
+	unsigned char */*p*/,
+	size_t /*len*/,
+	const heim_bmp_string */*data*/,
+	size_t */*size*/);
+
+int
+der_put_boolean (
+	unsigned char */*p*/,
+	size_t /*len*/,
+	const int */*data*/,
+	size_t */*size*/);
+
+int
+der_put_general_string (
+	unsigned char */*p*/,
+	size_t /*len*/,
+	const heim_general_string */*str*/,
+	size_t */*size*/);
+
+int
+der_put_generalized_time (
+	unsigned char */*p*/,
+	size_t /*len*/,
+	const time_t */*data*/,
+	size_t */*size*/);
+
+int
+der_put_heim_integer (
+	unsigned char */*p*/,
+	size_t /*len*/,
+	const heim_integer */*data*/,
+	size_t */*size*/);
+
+int
+der_put_ia5_string (
+	unsigned char */*p*/,
+	size_t /*len*/,
+	const heim_ia5_string */*str*/,
+	size_t */*size*/);
+
+int
+der_put_integer (
+	unsigned char */*p*/,
+	size_t /*len*/,
+	const int */*v*/,
+	size_t */*size*/);
+
+int
+der_put_length (
+	unsigned char */*p*/,
+	size_t /*len*/,
+	size_t /*val*/,
+	size_t */*size*/);
+
+int
+der_put_length_and_tag (
+	unsigned char */*p*/,
+	size_t /*len*/,
+	size_t /*len_val*/,
+	Der_class /*class*/,
+	Der_type /*type*/,
+	unsigned int /*tag*/,
+	size_t */*size*/);
+
+int
+der_put_octet_string (
+	unsigned char */*p*/,
+	size_t /*len*/,
+	const heim_octet_string */*data*/,
+	size_t */*size*/);
+
+int
+der_put_oid (
+	unsigned char */*p*/,
+	size_t /*len*/,
+	const heim_oid */*data*/,
+	size_t */*size*/);
+
+int
+der_put_printable_string (
+	unsigned char */*p*/,
+	size_t /*len*/,
+	const heim_printable_string */*str*/,
+	size_t */*size*/);
+
+int
+der_put_tag (
+	unsigned char */*p*/,
+	size_t /*len*/,
+	Der_class /*class*/,
+	Der_type /*type*/,
+	unsigned int /*tag*/,
+	size_t */*size*/);
+
+int
+der_put_universal_string (
+	unsigned char */*p*/,
+	size_t /*len*/,
+	const heim_universal_string */*data*/,
+	size_t */*size*/);
+
+int
+der_put_unsigned (
+	unsigned char */*p*/,
+	size_t /*len*/,
+	const unsigned */*v*/,
+	size_t */*size*/);
+
+int
+der_put_utctime (
+	unsigned char */*p*/,
+	size_t /*len*/,
+	const time_t */*data*/,
+	size_t */*size*/);
+
+int
+der_put_utf8string (
+	unsigned char */*p*/,
+	size_t /*len*/,
+	const heim_utf8_string */*str*/,
+	size_t */*size*/);
+
+int
+der_put_visible_string (
+	unsigned char */*p*/,
+	size_t /*len*/,
+	const heim_visible_string */*str*/,
+	size_t */*size*/);
+
+int
+encode_heim_any (
+	unsigned char */*p*/,
+	size_t /*len*/,
+	const heim_any */*data*/,
+	size_t */*size*/);
+
+int
+encode_heim_any_set (
+	unsigned char */*p*/,
+	size_t /*len*/,
+	const heim_any_set */*data*/,
+	size_t */*size*/);
+
+void
+free_heim_any (heim_any */*data*/);
+
+void
+free_heim_any_set (heim_any_set */*data*/);
+
+int
+heim_any_cmp (
+	const heim_any_set */*p*/,
+	const heim_any_set */*q*/);
+
+size_t
+length_heim_any (const heim_any */*data*/);
+
+size_t
+length_heim_any_set (const heim_any */*data*/);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __der_protos_h__ */
diff --git a/crypto/heimdal/lib/asn1/der.c b/crypto/heimdal/lib/asn1/der.c
new file mode 100644
index 0000000..120dc08
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/der.c
@@ -0,0 +1,142 @@
+/*
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "der_locl.h"
+#include <com_err.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <getarg.h>
+#include <err.h>
+
+RCSID("$Id: der.c 22429 2008-01-13 10:25:50Z lha $");
+
+
+static const char *class_names[] = {
+    "UNIV",			/* 0 */
+    "APPL",			/* 1 */
+    "CONTEXT",			/* 2 */
+    "PRIVATE"			/* 3 */
+};
+
+static const char *type_names[] = {
+    "PRIM",			/* 0 */
+    "CONS"			/* 1 */
+};
+
+static const char *tag_names[] = {
+    "EndOfContent",		/* 0 */
+    "Boolean",			/* 1 */
+    "Integer",			/* 2 */
+    "BitString",		/* 3 */
+    "OctetString",		/* 4 */
+    "Null",			/* 5 */
+    "ObjectID",			/* 6 */
+    NULL,			/* 7 */
+    NULL,			/* 8 */
+    NULL,			/* 9 */
+    "Enumerated",		/* 10 */
+    NULL,			/* 11 */
+    NULL,			/* 12 */
+    NULL,			/* 13 */
+    NULL,			/* 14 */
+    NULL,			/* 15 */
+    "Sequence",			/* 16 */
+    "Set",			/* 17 */
+    NULL,			/* 18 */
+    "PrintableString",		/* 19 */
+    NULL,			/* 20 */
+    NULL,			/* 21 */
+    "IA5String",		/* 22 */
+    "UTCTime",			/* 23 */
+    "GeneralizedTime",		/* 24 */
+    NULL,			/* 25 */
+    "VisibleString",		/* 26 */
+    "GeneralString",		/* 27 */
+    NULL,			/* 28 */
+    NULL,			/* 29 */
+    "BMPString"			/* 30 */
+};
+
+static int
+get_type(const char *name, const char *list[], unsigned len)
+{
+    unsigned i;
+    for (i = 0; i < len; i++)
+	if (list[i] && strcasecmp(list[i], name) == 0)
+	    return i;
+    return -1;
+}
+
+#define SIZEOF_ARRAY(a) (sizeof((a))/sizeof((a)[0]))
+
+const char *
+der_get_class_name(unsigned num)
+{
+    if (num >= SIZEOF_ARRAY(class_names))
+	return NULL;
+    return class_names[num];
+}
+
+int
+der_get_class_num(const char *name)
+{
+    return get_type(name, class_names, SIZEOF_ARRAY(class_names));
+}
+
+const char *
+der_get_type_name(unsigned num)
+{
+    if (num >= SIZEOF_ARRAY(type_names))
+	return NULL;
+    return type_names[num];
+}
+
+int
+der_get_type_num(const char *name)
+{
+    return get_type(name, type_names, SIZEOF_ARRAY(type_names));
+}
+
+const char *
+der_get_tag_name(unsigned num)
+{
+    if (num >= SIZEOF_ARRAY(tag_names))
+	return NULL;
+    return tag_names[num];
+}
+
+int
+der_get_tag_num(const char *name)
+{
+    return get_type(name, tag_names, SIZEOF_ARRAY(tag_names));
+}
diff --git a/crypto/heimdal/lib/asn1/der.h b/crypto/heimdal/lib/asn1/der.h
index 738c8d7..13e3932 100644
--- a/crypto/heimdal/lib/asn1/der.h
+++ b/crypto/heimdal/lib/asn1/der.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,122 +31,73 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: der.h,v 1.22 2001/09/27 16:20:35 assar Exp $ */
+/* $Id: der.h 18437 2006-10-14 05:16:08Z lha $ */
 
 #ifndef __DER_H__
 #define __DER_H__
 
-#include <time.h>
-
-typedef enum {UNIV = 0, APPL = 1, CONTEXT = 2 , PRIVATE = 3} Der_class;
+typedef enum {
+    ASN1_C_UNIV = 0,
+    ASN1_C_APPL = 1,
+    ASN1_C_CONTEXT = 2,
+    ASN1_C_PRIVATE = 3
+} Der_class;
 
 typedef enum {PRIM = 0, CONS = 1} Der_type;
 
+#define MAKE_TAG(CLASS, TYPE, TAG)  (((CLASS) << 6) | ((TYPE) << 5) | (TAG))
+
 /* Universal tags */
 
 enum {
-     UT_Boolean		= 1,
-     UT_Integer		= 2,
-     UT_BitString	= 3,
-     UT_OctetString	= 4,
-     UT_Null		= 5,
-     UT_OID		= 6,
-     UT_Enumerated	= 10,
-     UT_Sequence	= 16,
-     UT_Set		= 17,
-     UT_PrintableString	= 19,
-     UT_IA5String	= 22,
-     UT_UTCTime		= 23,
-     UT_GeneralizedTime	= 24,
-     UT_VisibleString	= 26,
-     UT_GeneralString	= 27
+    UT_EndOfContent	= 0,
+    UT_Boolean		= 1,
+    UT_Integer		= 2,	
+    UT_BitString	= 3,
+    UT_OctetString	= 4,
+    UT_Null		= 5,
+    UT_OID		= 6,
+    UT_Enumerated	= 10,
+    UT_UTF8String	= 12,
+    UT_Sequence		= 16,
+    UT_Set		= 17,
+    UT_PrintableString	= 19,
+    UT_IA5String	= 22,
+    UT_UTCTime		= 23,
+    UT_GeneralizedTime	= 24,
+    UT_UniversalString	= 25,
+    UT_VisibleString	= 26,
+    UT_GeneralString	= 27,
+    UT_BMPString	= 30,
+    /* unsupported types */
+    UT_ObjectDescriptor = 7,
+    UT_External		= 8,
+    UT_Real		= 9,
+    UT_EmbeddedPDV	= 11,
+    UT_RelativeOID	= 13,
+    UT_NumericString	= 18,
+    UT_TeletexString	= 20,
+    UT_VideotexString	= 21,
+    UT_GraphicString	= 25
 };
 
 #define ASN1_INDEFINITE 0xdce0deed
 
-#ifndef HAVE_TIMEGM
-time_t timegm (struct tm *);
-#endif
-
-int time2generalizedtime (time_t t, octet_string *s);
-
-int der_get_int (const unsigned char *p, size_t len, int *ret, size_t *size);
-int der_get_length (const unsigned char *p, size_t len,
-		    size_t *val, size_t *size);
-int der_get_general_string (const unsigned char *p, size_t len, 
-			    general_string *str, size_t *size);
-int der_get_octet_string (const unsigned char *p, size_t len, 
-			  octet_string *data, size_t *size);
-int der_get_oid (const unsigned char *p, size_t len,
-		 oid *data, size_t *size);
-int der_get_tag (const unsigned char *p, size_t len, 
-		 Der_class *class, Der_type *type,
-		 int *tag, size_t *size);
-
-int der_match_tag (const unsigned char *p, size_t len, 
-		   Der_class class, Der_type type,
-		   int tag, size_t *size);
-int der_match_tag_and_length (const unsigned char *p, size_t len,
-			      Der_class class, Der_type type, int tag,
-			      size_t *length_ret, size_t *size);
-
-int decode_integer (const unsigned char*, size_t, int*, size_t*);
-int decode_unsigned (const unsigned char*, size_t, unsigned*, size_t*);
-int decode_enumerated (const unsigned char*, size_t, unsigned*, size_t*);
-int decode_general_string (const unsigned char*, size_t,
-			   general_string*, size_t*);
-int decode_oid (const unsigned char *p, size_t len, 
-		oid *k, size_t *size);
-int decode_octet_string (const unsigned char*, size_t, octet_string*, size_t*);
-int decode_generalized_time (const unsigned char*, size_t, time_t*, size_t*);
-
-int der_put_int (unsigned char *p, size_t len, int val, size_t*);
-int der_put_length (unsigned char *p, size_t len, size_t val, size_t*);
-int der_put_general_string (unsigned char *p, size_t len,
-			    const general_string *str, size_t*);
-int der_put_octet_string (unsigned char *p, size_t len,
-			  const octet_string *data, size_t*);
-int der_put_oid (unsigned char *p, size_t len,
-		 const oid *data, size_t *size);
-int der_put_tag (unsigned char *p, size_t len, Der_class class, Der_type type,
-		 int tag, size_t*);
-int der_put_length_and_tag (unsigned char*, size_t, size_t, 
-			    Der_class, Der_type, int, size_t*);
-
-int encode_integer (unsigned char *p, size_t len,
-		    const int *data, size_t*);
-int encode_unsigned (unsigned char *p, size_t len,
-		     const unsigned *data, size_t*);
-int encode_enumerated (unsigned char *p, size_t len,
-		       const unsigned *data, size_t*);
-int encode_general_string (unsigned char *p, size_t len, 
-			   const general_string *data, size_t*);
-int encode_octet_string (unsigned char *p, size_t len,
-			 const octet_string *k, size_t*);
-int encode_oid (unsigned char *p, size_t len,
-		const oid *k, size_t*);
-int encode_generalized_time (unsigned char *p, size_t len,
-			     const time_t *t, size_t*);
-
-void free_integer (int *num);
-void free_general_string (general_string *str);
-void free_octet_string (octet_string *k);
-void free_oid (oid *k);
-void free_generalized_time (time_t *t);
+typedef struct heim_der_time_t {
+    time_t dt_sec;
+    unsigned long dt_nsec;
+} heim_der_time_t;
 
-size_t length_len (size_t len);
-size_t length_integer (const int *data);
-size_t length_unsigned (const unsigned *data);
-size_t length_enumerated (const unsigned *data);
-size_t length_general_string (const general_string *data);
-size_t length_octet_string (const octet_string *k);
-size_t length_oid (const oid *k);
-size_t length_generalized_time (const time_t *t);
+typedef struct heim_ber_time_t {
+    time_t bt_sec;
+    unsigned bt_nsec;
+    int bt_zone;
+} heim_ber_time_t;
 
-int copy_general_string (const general_string *from, general_string *to);
-int copy_octet_string (const octet_string *from, octet_string *to);
-int copy_oid (const oid *from, oid *to);
+#include <der-protos.h>
 
-int fix_dce(size_t reallen, size_t *len);
+int _heim_fix_dce(size_t reallen, size_t *len);
+int _heim_der_set_sort(const void *, const void *);
+int _heim_time2generalizedtime (time_t, heim_octet_string *, int);
 
 #endif /* __DER_H__ */
diff --git a/crypto/heimdal/lib/asn1/der_cmp.c b/crypto/heimdal/lib/asn1/der_cmp.c
new file mode 100644
index 0000000..f27f03c
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/der_cmp.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 2003-2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "der_locl.h"
+
+int
+der_heim_oid_cmp(const heim_oid *p, const heim_oid *q)
+{
+    if (p->length != q->length)
+	return p->length - q->length;
+    return memcmp(p->components, 
+		  q->components,
+		  p->length * sizeof(*p->components));
+}
+
+int
+der_heim_octet_string_cmp(const heim_octet_string *p, 
+			  const heim_octet_string *q)
+{
+    if (p->length != q->length)
+	return p->length - q->length;
+    return memcmp(p->data, q->data, p->length);
+}
+
+int
+der_heim_bit_string_cmp(const heim_bit_string *p,
+			const heim_bit_string *q)
+{
+    int i, r1, r2;
+    if (p->length != q->length)
+	return p->length - q->length;
+    i = memcmp(p->data, q->data, p->length / 8);
+    if (i)
+	return i;
+    if ((p->length % 8) == 0)
+	return 0;
+    i = (p->length / 8);
+    r1 = ((unsigned char *)p->data)[i];
+    r2 = ((unsigned char *)q->data)[i];
+    i = 8 - (p->length % 8);
+    r1 = r1 >> i;
+    r2 = r2 >> i;
+    return r1 - r2;
+}
+
+int
+der_heim_integer_cmp(const heim_integer *p,
+		     const heim_integer *q)
+{
+    if (p->negative != q->negative)
+	return q->negative - p->negative;
+    if (p->length != q->length)
+	return p->length - q->length;
+    return memcmp(p->data, q->data, p->length);
+}
+
+int
+der_heim_bmp_string_cmp(const heim_bmp_string *p, const heim_bmp_string *q)
+{
+    if (p->length != q->length)
+	return p->length - q->length;
+    return memcmp(p->data, q->data, q->length * sizeof(q->data[0]));
+}
+
+int
+der_heim_universal_string_cmp(const heim_universal_string *p, 
+			      const heim_universal_string *q)
+{
+    if (p->length != q->length)
+	return p->length - q->length;
+    return memcmp(p->data, q->data, q->length * sizeof(q->data[0]));
+}
diff --git a/crypto/heimdal/lib/asn1/der_copy.c b/crypto/heimdal/lib/asn1/der_copy.c
index eefc914..04c4531 100644
--- a/crypto/heimdal/lib/asn1/der_copy.c
+++ b/crypto/heimdal/lib/asn1/der_copy.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,10 +33,11 @@
 
 #include "der_locl.h"
 
-RCSID("$Id: der_copy.c,v 1.10 2003/04/17 07:13:08 lha Exp $");
+RCSID("$Id: der_copy.c 19539 2006-12-28 17:15:05Z lha $");
 
 int
-copy_general_string (const general_string *from, general_string *to)
+der_copy_general_string (const heim_general_string *from, 
+			 heim_general_string *to)
 {
     *to = strdup(*from);
     if(*to == NULL)
@@ -45,7 +46,57 @@ copy_general_string (const general_string *from, general_string *to)
 }
 
 int
-copy_octet_string (const octet_string *from, octet_string *to)
+der_copy_utf8string (const heim_utf8_string *from, heim_utf8_string *to)
+{
+    return der_copy_general_string(from, to);
+}
+
+int
+der_copy_printable_string (const heim_printable_string *from, 
+		       heim_printable_string *to)
+{
+    return der_copy_general_string(from, to);
+}
+
+int
+der_copy_ia5_string (const heim_printable_string *from, 
+		     heim_printable_string *to)
+{
+    return der_copy_general_string(from, to);
+}
+
+int
+der_copy_bmp_string (const heim_bmp_string *from, heim_bmp_string *to)
+{
+    to->length = from->length;
+    to->data   = malloc(to->length * sizeof(to->data[0]));
+    if(to->length != 0 && to->data == NULL)
+	return ENOMEM;
+    memcpy(to->data, from->data, to->length * sizeof(to->data[0]));
+    return 0;
+}
+
+int
+der_copy_universal_string (const heim_universal_string *from,
+			   heim_universal_string *to)
+{
+    to->length = from->length;
+    to->data   = malloc(to->length * sizeof(to->data[0]));
+    if(to->length != 0 && to->data == NULL)
+	return ENOMEM;
+    memcpy(to->data, from->data, to->length * sizeof(to->data[0]));
+    return 0;
+}
+
+int
+der_copy_visible_string (const heim_visible_string *from, 
+			 heim_visible_string *to)
+{
+    return der_copy_general_string(from, to);
+}
+
+int
+der_copy_octet_string (const heim_octet_string *from, heim_octet_string *to)
 {
     to->length = from->length;
     to->data   = malloc(to->length);
@@ -56,12 +107,39 @@ copy_octet_string (const octet_string *from, octet_string *to)
 }
 
 int
-copy_oid (const oid *from, oid *to)
+der_copy_heim_integer (const heim_integer *from, heim_integer *to)
+{
+    to->length = from->length;
+    to->data   = malloc(to->length);
+    if(to->length != 0 && to->data == NULL)
+	return ENOMEM;
+    memcpy(to->data, from->data, to->length);
+    to->negative = from->negative;
+    return 0;
+}
+
+int
+der_copy_oid (const heim_oid *from, heim_oid *to)
 {
     to->length     = from->length;
     to->components = malloc(to->length * sizeof(*to->components));
     if (to->length != 0 && to->components == NULL)
 	return ENOMEM;
-    memcpy(to->components, from->components, to->length);
+    memcpy(to->components, from->components,
+	   to->length * sizeof(*to->components));
+    return 0;
+}
+
+int
+der_copy_bit_string (const heim_bit_string *from, heim_bit_string *to)
+{
+    size_t len;
+
+    len = (from->length + 7) / 8;
+    to->length = from->length;
+    to->data   = malloc(len);
+    if(len != 0 && to->data == NULL)
+	return ENOMEM;
+    memcpy(to->data, from->data, len);
     return 0;
 }
diff --git a/crypto/heimdal/lib/asn1/der_format.c b/crypto/heimdal/lib/asn1/der_format.c
new file mode 100644
index 0000000..6908bdd
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/der_format.c
@@ -0,0 +1,170 @@
+/*
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "der_locl.h"
+#include <hex.h>
+
+RCSID("$Id: der_format.c 20861 2007-06-03 20:18:29Z lha $");
+
+int
+der_parse_hex_heim_integer (const char *p, heim_integer *data)
+{
+    ssize_t len;
+
+    data->length = 0;
+    data->negative = 0;
+    data->data = NULL;
+
+    if (*p == '-') {
+	p++;
+	data->negative = 1;
+    }
+
+    len = strlen(p);
+    if (len <= 0) {
+	data->data = NULL;
+	data->length = 0;
+	return EINVAL;
+    }
+    
+    data->length = (len / 2) + 1;
+    data->data = malloc(data->length);
+    if (data->data == NULL) {
+	data->length = 0;
+	return ENOMEM;
+    }
+
+    len = hex_decode(p, data->data, data->length);
+    if (len < 0) {
+	free(data->data);
+	data->data = NULL;
+	data->length = 0;
+	return EINVAL;
+    }
+
+    {
+	unsigned char *q = data->data;
+	while(len > 0 && *q == 0) {
+	    q++;
+	    len--;
+	}
+	data->length = len;
+	memmove(data->data, q, len);
+    }
+    return 0;
+}
+
+int
+der_print_hex_heim_integer (const heim_integer *data, char **p)
+{
+    ssize_t len;
+    char *q;
+
+    len = hex_encode(data->data, data->length, p);
+    if (len < 0)
+	return ENOMEM;
+
+    if (data->negative) {
+	len = asprintf(&q, "-%s", *p);
+	free(*p);
+	if (len < 0)
+	    return ENOMEM;
+	*p = q;
+    }
+    return 0;
+}
+
+int
+der_print_heim_oid (const heim_oid *oid, char delim, char **str)
+{
+    struct rk_strpool *p = NULL;
+    int i;
+
+    if (oid->length == 0)
+	return EINVAL;
+
+    for (i = 0; i < oid->length ; i++) {
+	p = rk_strpoolprintf(p, "%d", oid->components[i]);
+	if (p && i < oid->length - 1)
+	    p = rk_strpoolprintf(p, "%c", delim);
+	if (p == NULL) {
+	    *str = NULL;
+	    return ENOMEM;
+	}
+    }
+
+    *str = rk_strpoolcollect(p);
+    if (*str == NULL)
+	return ENOMEM;
+    return 0;
+}
+
+int
+der_parse_heim_oid (const char *str, const char *sep, heim_oid *data)
+{
+    char *s, *w, *brkt, *endptr;
+    unsigned int *c;
+    long l;
+
+    data->length = 0;
+    data->components = NULL;
+
+    if (sep == NULL)
+	sep = ".";
+
+    s = strdup(str);
+
+    for (w = strtok_r(s, sep, &brkt); 
+	 w != NULL; 
+	 w = strtok_r(NULL, sep, &brkt)) {
+
+	c = realloc(data->components,
+		    (data->length + 1) * sizeof(data->components[0]));
+	if (c == NULL) {
+	    der_free_oid(data);
+	    free(s);
+	    return ENOMEM;
+	}
+	data->components = c;
+
+	l = strtol(w, &endptr, 10);
+	if (*endptr != '\0' || l < 0 || l > INT_MAX) {
+	    der_free_oid(data);
+	    free(s);
+	    return EINVAL;
+	}
+	data->components[data->length++] = l;
+    }
+    free(s);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/asn1/der_free.c b/crypto/heimdal/lib/asn1/der_free.c
index 8cedeb7..851cb1d 100644
--- a/crypto/heimdal/lib/asn1/der_free.c
+++ b/crypto/heimdal/lib/asn1/der_free.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,25 +33,87 @@
 
 #include "der_locl.h"
 
-RCSID("$Id: der_free.c,v 1.8.6.1 2003/08/20 16:24:20 joda Exp $");
+RCSID("$Id: der_free.c 19539 2006-12-28 17:15:05Z lha $");
 
 void
-free_general_string (general_string *str)
+der_free_general_string (heim_general_string *str)
 {
     free(*str);
     *str = NULL;
 }
 
 void
-free_octet_string (octet_string *k)
+der_free_utf8string (heim_utf8_string *str)
+{
+    free(*str);
+    *str = NULL;
+}
+
+void
+der_free_printable_string (heim_printable_string *str)
+{
+    free(*str);
+    *str = NULL;
+}
+
+void
+der_free_ia5_string (heim_ia5_string *str)
+{
+    free(*str);
+    *str = NULL;
+}
+
+void
+der_free_bmp_string (heim_bmp_string *k)
+{
+    free(k->data);
+    k->data = NULL;
+    k->length = 0;
+}
+
+void
+der_free_universal_string (heim_universal_string *k)
 {
     free(k->data);
     k->data = NULL;
+    k->length = 0;
 }
 
 void
-free_oid (oid *k)
+der_free_visible_string (heim_visible_string *str)
+{
+    free(*str);
+    *str = NULL;
+}
+
+void
+der_free_octet_string (heim_octet_string *k)
+{
+    free(k->data);
+    k->data = NULL;
+    k->length = 0;
+}
+
+void
+der_free_heim_integer (heim_integer *k)
+{
+    free(k->data);
+    k->data = NULL;
+    k->length = 0;
+}
+
+void
+der_free_oid (heim_oid *k)
 {
     free(k->components);
     k->components = NULL;
+    k->length = 0;
+}
+
+void
+der_free_bit_string (heim_bit_string *k)
+{
+    free(k->data);
+    k->data = NULL;
+    k->length = 0;
 }
diff --git a/crypto/heimdal/lib/asn1/der_get.c b/crypto/heimdal/lib/asn1/der_get.c
index 429fd66..f232ce9 100644
--- a/crypto/heimdal/lib/asn1/der_get.c
+++ b/crypto/heimdal/lib/asn1/der_get.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "der_locl.h"
 
-RCSID("$Id: der_get.c,v 1.33 2002/09/03 16:21:49 nectar Exp $");
+RCSID("$Id: der_get.c 21369 2007-06-27 10:14:39Z lha $");
 
 #include <version.h>
 
@@ -45,13 +45,18 @@ RCSID("$Id: der_get.c,v 1.33 2002/09/03 16:21:49 nectar Exp $");
  * Either 0 or an error code is returned.
  */
 
-static int
+int
 der_get_unsigned (const unsigned char *p, size_t len,
 		  unsigned *ret, size_t *size)
 {
     unsigned val = 0;
     size_t oldlen = len;
 
+    if (len == sizeof(unsigned) + 1 && p[0] == 0)
+	;
+    else if (len > sizeof(unsigned))
+	return ASN1_OVERRUN;
+
     while (len--)
 	val = val * 256 + *p++;
     *ret = val;
@@ -60,12 +65,15 @@ der_get_unsigned (const unsigned char *p, size_t len,
 }
 
 int
-der_get_int (const unsigned char *p, size_t len,
-	     int *ret, size_t *size)
+der_get_integer (const unsigned char *p, size_t len,
+		 int *ret, size_t *size)
 {
     int val = 0;
     size_t oldlen = len;
 
+    if (len > sizeof(int))
+	return ASN1_OVERRUN;
+
     if (len > 0) {
 	val = (signed char)*p++;
 	while (--len)
@@ -111,11 +119,40 @@ der_get_length (const unsigned char *p, size_t len,
 }
 
 int
+der_get_boolean(const unsigned char *p, size_t len, int *data, size_t *size)
+{
+    if(len < 1)
+	return ASN1_OVERRUN;
+    if(*p != 0)
+	*data = 1;
+    else
+	*data = 0;
+    *size = 1;
+    return 0;
+}
+
+int
 der_get_general_string (const unsigned char *p, size_t len, 
-			general_string *str, size_t *size)
+			heim_general_string *str, size_t *size)
 {
+    const unsigned char *p1;
     char *s;
 
+    p1 = memchr(p, 0, len);
+    if (p1 != NULL) {
+	/* 
+	 * Allow trailing NULs. We allow this since MIT Kerberos sends
+	 * an strings in the NEED_PREAUTH case that includes a
+	 * trailing NUL.
+	 */
+	while (p1 - p < len && *p1 == '\0')
+	    p1++;
+       if (p1 - p != len)
+	    return ASN1_BAD_CHARACTER;
+    }
+    if (len > len + 1)
+	return ASN1_BAD_LENGTH;
+
     s = malloc (len + 1);
     if (s == NULL)
 	return ENOMEM;
@@ -127,8 +164,83 @@ der_get_general_string (const unsigned char *p, size_t len,
 }
 
 int
+der_get_utf8string (const unsigned char *p, size_t len, 
+		    heim_utf8_string *str, size_t *size)
+{
+    return der_get_general_string(p, len, str, size);
+}
+
+int
+der_get_printable_string (const unsigned char *p, size_t len, 
+			  heim_printable_string *str, size_t *size)
+{
+    return der_get_general_string(p, len, str, size);
+}
+
+int
+der_get_ia5_string (const unsigned char *p, size_t len, 
+		    heim_ia5_string *str, size_t *size)
+{
+    return der_get_general_string(p, len, str, size);
+}
+
+int
+der_get_bmp_string (const unsigned char *p, size_t len, 
+		    heim_bmp_string *data, size_t *size)
+{
+    size_t i;
+
+    if (len & 1)
+	return ASN1_BAD_FORMAT;
+    data->length = len / 2;
+    if (data->length > UINT_MAX/sizeof(data->data[0]))
+	return ERANGE;
+    data->data = malloc(data->length * sizeof(data->data[0]));
+    if (data->data == NULL && data->length != 0)
+	return ENOMEM;
+
+    for (i = 0; i < data->length; i++) {
+	data->data[i] = (p[0] << 8) | p[1];
+	p += 2;
+    }
+    if (size) *size = len;
+
+    return 0;
+}
+
+int
+der_get_universal_string (const unsigned char *p, size_t len, 
+			  heim_universal_string *data, size_t *size)
+{
+    size_t i;
+
+    if (len & 3)
+	return ASN1_BAD_FORMAT;
+    data->length = len / 4;
+    if (data->length > UINT_MAX/sizeof(data->data[0]))
+	return ERANGE;
+    data->data = malloc(data->length * sizeof(data->data[0]));
+    if (data->data == NULL && data->length != 0)
+	return ENOMEM;
+
+    for (i = 0; i < data->length; i++) {
+	data->data[i] = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
+	p += 4;
+    }
+    if (size) *size = len;
+    return 0;
+}
+
+int
+der_get_visible_string (const unsigned char *p, size_t len, 
+			heim_visible_string *str, size_t *size)
+{
+    return der_get_general_string(p, len, str, size);
+}
+
+int
 der_get_octet_string (const unsigned char *p, size_t len, 
-		      octet_string *data, size_t *size)
+		      heim_octet_string *data, size_t *size)
 {
     data->length = len;
     data->data = malloc(len);
@@ -140,33 +252,166 @@ der_get_octet_string (const unsigned char *p, size_t len,
 }
 
 int
+der_get_heim_integer (const unsigned char *p, size_t len, 
+		      heim_integer *data, size_t *size)
+{
+    data->length = 0;
+    data->negative = 0;
+    data->data = NULL;
+
+    if (len == 0) {
+	if (size)
+	    *size = 0;
+	return 0;
+    }
+    if (p[0] & 0x80) {
+	unsigned char *q;
+	int carry = 1;
+	data->negative = 1;
+
+	data->length = len;
+
+	if (p[0] == 0xff) {
+	    p++;
+	    data->length--;
+	}
+	data->data = malloc(data->length);
+	if (data->data == NULL) {
+	    data->length = 0;
+	    if (size)
+		*size = 0;
+	    return ENOMEM;
+	}
+	q = &((unsigned char*)data->data)[data->length - 1];
+	p += data->length - 1;
+	while (q >= (unsigned char*)data->data) {
+	    *q = *p ^ 0xff;
+	    if (carry)
+		carry = !++*q;
+	    p--;
+	    q--;
+	}
+    } else {
+	data->negative = 0;
+	data->length = len;
+
+	if (p[0] == 0) {
+	    p++;
+	    data->length--;
+	}
+	data->data = malloc(data->length);
+	if (data->data == NULL && data->length != 0) {
+	    data->length = 0;
+	    if (size)
+		*size = 0;
+	    return ENOMEM;
+	}
+	memcpy(data->data, p, data->length);
+    }
+    if (size)
+	*size = len;
+    return 0;
+}
+
+static int
+generalizedtime2time (const char *s, time_t *t)
+{
+    struct tm tm;
+
+    memset(&tm, 0, sizeof(tm));
+    if (sscanf (s, "%04d%02d%02d%02d%02d%02dZ",
+		&tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour,
+		&tm.tm_min, &tm.tm_sec) != 6) {
+	if (sscanf (s, "%02d%02d%02d%02d%02d%02dZ",
+		    &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour,
+		    &tm.tm_min, &tm.tm_sec) != 6)
+	    return ASN1_BAD_TIMEFORMAT;
+	if (tm.tm_year < 50)
+	    tm.tm_year += 2000;
+	else
+	    tm.tm_year += 1900;
+    }
+    tm.tm_year -= 1900;
+    tm.tm_mon -= 1;
+    *t = _der_timegm (&tm);
+    return 0;
+}
+
+static int
+der_get_time (const unsigned char *p, size_t len, 
+	      time_t *data, size_t *size)
+{
+    char *times;
+    int e;
+
+    if (len > len + 1 || len == 0)
+	return ASN1_BAD_LENGTH;
+
+    times = malloc(len + 1);
+    if (times == NULL)
+	return ENOMEM;
+    memcpy(times, p, len);
+    times[len] = '\0';
+    e = generalizedtime2time(times, data);
+    free (times);
+    if(size) *size = len;
+    return e;
+}
+
+int
+der_get_generalized_time (const unsigned char *p, size_t len, 
+			  time_t *data, size_t *size)
+{
+    return der_get_time(p, len, data, size);
+}
+
+int
+der_get_utctime (const unsigned char *p, size_t len, 
+			  time_t *data, size_t *size)
+{
+    return der_get_time(p, len, data, size);
+}
+
+int
 der_get_oid (const unsigned char *p, size_t len,
-	     oid *data, size_t *size)
+	     heim_oid *data, size_t *size)
 {
-    int n;
+    size_t n;
     size_t oldlen = len;
 
     if (len < 1)
 	return ASN1_OVERRUN;
 
-    data->components = malloc(len * sizeof(*data->components));
-    if (data->components == NULL && len != 0)
+    if (len > len + 1)
+	return ASN1_BAD_LENGTH;
+
+    if (len + 1 > UINT_MAX/sizeof(data->components[0]))
+	return ERANGE;
+
+    data->components = malloc((len + 1) * sizeof(data->components[0]));
+    if (data->components == NULL)
 	return ENOMEM;
     data->components[0] = (*p) / 40;
     data->components[1] = (*p) % 40;
     --len;
     ++p;
     for (n = 2; len > 0; ++n) {
-	unsigned u = 0;
-
+	unsigned u = 0, u1;
+	
 	do {
 	    --len;
-	    u = u * 128 + (*p++ % 128);
+	    u1 = u * 128 + (*p++ % 128);
+	    /* check that we don't overflow the element */
+	    if (u1 < u) {
+		der_free_oid(data);
+		return ASN1_OVERRUN;
+	    }
+	    u = u1;
 	} while (len > 0 && p[-1] & 0x80);
 	data->components[n] = u;
     }
-    if (p[-1] & 0x80) {
-	free_oid (data);
+    if (n > 2 && p[-1] & 0x80) {
+	der_free_oid (data);
 	return ASN1_OVERRUN;
     }
     data->length = n;
@@ -178,26 +423,44 @@ der_get_oid (const unsigned char *p, size_t len,
 int
 der_get_tag (const unsigned char *p, size_t len,
 	     Der_class *class, Der_type *type,
-	     int *tag, size_t *size)
+	     unsigned int *tag, size_t *size)
 {
+    size_t ret = 0;
     if (len < 1)
 	return ASN1_OVERRUN;
     *class = (Der_class)(((*p) >> 6) & 0x03);
     *type = (Der_type)(((*p) >> 5) & 0x01);
-    *tag = (*p) & 0x1F;
-    if(size) *size = 1;
+    *tag = (*p) & 0x1f;
+    p++; len--; ret++;
+    if(*tag == 0x1f) {
+	unsigned int continuation;
+	unsigned int tag1;
+	*tag = 0;
+	do {
+	    if(len < 1)
+		return ASN1_OVERRUN;
+	    continuation = *p & 128;
+	    tag1 = *tag * 128 + (*p % 128);
+	    /* check that we don't overflow the tag */
+	    if (tag1 < *tag)
+		return ASN1_OVERFLOW;
+	    *tag = tag1;
+	    p++; len--; ret++;
+	} while(continuation);
+    }
+    if(size) *size = ret;
     return 0;
 }
 
 int
 der_match_tag (const unsigned char *p, size_t len,
 	       Der_class class, Der_type type,
-	       int tag, size_t *size)
+	       unsigned int tag, size_t *size)
 {
     size_t l;
     Der_class thisclass;
     Der_type thistype;
-    int thistag;
+    unsigned int thistag;
     int e;
 
     e = der_get_tag (p, len, &thisclass, &thistype, &thistag, &l);
@@ -214,7 +477,7 @@ der_match_tag (const unsigned char *p, size_t len,
 
 int
 der_match_tag_and_length (const unsigned char *p, size_t len,
-			  Der_class class, Der_type type, int tag,
+			  Der_class class, Der_type type, unsigned int tag,
 			  size_t *length_ret, size_t *size)
 {
     size_t l, ret = 0;
@@ -234,250 +497,50 @@ der_match_tag_and_length (const unsigned char *p, size_t len,
     return 0;
 }
 
-int
-decode_integer (const unsigned char *p, size_t len,
-		int *num, size_t *size)
-{
-    size_t ret = 0;
-    size_t l, reallen;
-    int e;
-
-    e = der_match_tag (p, len, UNIV, PRIM, UT_Integer, &l);
-    if (e) return e;
-    p += l;
-    len -= l;
-    ret += l;
-    e = der_get_length (p, len, &reallen, &l);
-    if (e) return e;
-    p += l;
-    len -= l;
-    ret += l;
-    if (reallen > len)
-	return ASN1_OVERRUN;
-    e = der_get_int (p, reallen, num, &l);
-    if (e) return e;
-    p += l;
-    len -= l;
-    ret += l;
-    if(size) *size = ret;
-    return 0;
-}
-
-int
-decode_unsigned (const unsigned char *p, size_t len,
-		 unsigned *num, size_t *size)
-{
-    size_t ret = 0;
-    size_t l, reallen;
-    int e;
-
-    e = der_match_tag (p, len, UNIV, PRIM, UT_Integer, &l);
-    if (e) return e;
-    p += l;
-    len -= l;
-    ret += l;
-    e = der_get_length (p, len, &reallen, &l);
-    if (e) return e;
-    p += l;
-    len -= l;
-    ret += l;
-    if (reallen > len)
-	return ASN1_OVERRUN;
-    e = der_get_unsigned (p, reallen, num, &l);
-    if (e) return e;
-    p += l;
-    len -= l;
-    ret += l;
-    if(size) *size = ret;
-    return 0;
-}
-
-int
-decode_enumerated (const unsigned char *p, size_t len,
-		   unsigned *num, size_t *size)
-{
-    size_t ret = 0;
-    size_t l, reallen;
-    int e;
-
-    e = der_match_tag (p, len, UNIV, PRIM, UT_Enumerated, &l);
-    if (e) return e;
-    p += l;
-    len -= l;
-    ret += l;
-    e = der_get_length (p, len, &reallen, &l);
-    if (e) return e;
-    p += l;
-    len -= l;
-    ret += l;
-    e = der_get_int (p, reallen, num, &l);
-    if (e) return e;
-    p += l;
-    len -= l;
-    ret += l;
-    if(size) *size = ret;
-    return 0;
-}
-
-int
-decode_general_string (const unsigned char *p, size_t len, 
-		       general_string *str, size_t *size)
-{
-    size_t ret = 0;
-    size_t l;
-    int e;
-    size_t slen;
-
-    e = der_match_tag (p, len, UNIV, PRIM, UT_GeneralString, &l);
-    if (e) return e;
-    p += l;
-    len -= l;
-    ret += l;
-
-    e = der_get_length (p, len, &slen, &l);
-    if (e) return e;
-    p += l;
-    len -= l;
-    ret += l;
-    if (len < slen)
-	return ASN1_OVERRUN;
-
-    e = der_get_general_string (p, slen, str, &l);
-    if (e) return e;
-    p += l;
-    len -= l;
-    ret += l;
-    if(size) *size = ret;
-    return 0;
-}
+/* 
+ * Old versions of DCE was based on a very early beta of the MIT code,
+ * which used MAVROS for ASN.1 encoding. MAVROS had the interesting
+ * feature that it encoded data in the forward direction, which has
+ * it's problems, since you have no idea how long the data will be
+ * until after you're done. MAVROS solved this by reserving one byte
+ * for length, and later, if the actual length was longer, it reverted
+ * to indefinite, BER style, lengths. The version of MAVROS used by
+ * the DCE people could apparently generate correct X.509 DER encodings, and
+ * did this by making space for the length after encoding, but
+ * unfortunately this feature wasn't used with Kerberos. 
+ */
 
 int
-decode_octet_string (const unsigned char *p, size_t len, 
-		     octet_string *k, size_t *size)
+_heim_fix_dce(size_t reallen, size_t *len)
 {
-    size_t ret = 0;
-    size_t l;
-    int e;
-    size_t slen;
-
-    e = der_match_tag (p, len, UNIV, PRIM, UT_OctetString, &l);
-    if (e) return e;
-    p += l;
-    len -= l;
-    ret += l;
-
-    e = der_get_length (p, len, &slen, &l);
-    if (e) return e;
-    p += l;
-    len -= l;
-    ret += l;
-    if (len < slen)
-	return ASN1_OVERRUN;
-
-    e = der_get_octet_string (p, slen, k, &l);
-    if (e) return e;
-    p += l;
-    len -= l;
-    ret += l;
-    if(size) *size = ret;
+    if(reallen == ASN1_INDEFINITE)
+	return 1;
+    if(*len < reallen)
+	return -1;
+    *len = reallen;
     return 0;
 }
 
 int
-decode_oid (const unsigned char *p, size_t len, 
-	    oid *k, size_t *size)
+der_get_bit_string (const unsigned char *p, size_t len, 
+		    heim_bit_string *data, size_t *size)
 {
-    size_t ret = 0;
-    size_t l;
-    int e;
-    size_t slen;
-
-    e = der_match_tag (p, len, UNIV, PRIM, UT_OID, &l);
-    if (e) return e;
-    p += l;
-    len -= l;
-    ret += l;
-
-    e = der_get_length (p, len, &slen, &l);
-    if (e) return e;
-    p += l;
-    len -= l;
-    ret += l;
-    if (len < slen)
+    if (len < 1)
 	return ASN1_OVERRUN;
-
-    e = der_get_oid (p, slen, k, &l);
-    if (e) return e;
-    p += l;
-    len -= l;
-    ret += l;
-    if(size) *size = ret;
-    return 0;
-}
-
-static void
-generalizedtime2time (const char *s, time_t *t)
-{
-    struct tm tm;
-
-    memset(&tm, 0, sizeof(tm));
-    sscanf (s, "%04d%02d%02d%02d%02d%02dZ",
-	    &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour,
-	    &tm.tm_min, &tm.tm_sec);
-    tm.tm_year -= 1900;
-    tm.tm_mon -= 1;
-    *t = timegm (&tm);
-}
-
-int
-decode_generalized_time (const unsigned char *p, size_t len,
-			 time_t *t, size_t *size)
-{
-    octet_string k;
-    char *times;
-    size_t ret = 0;
-    size_t l;
-    int e;
-    size_t slen;
-
-    e = der_match_tag (p, len, UNIV, PRIM, UT_GeneralizedTime, &l);
-    if (e) return e;
-    p += l;
-    len -= l;
-    ret += l;
-
-    e = der_get_length (p, len, &slen, &l);
-    if (e) return e;
-    p += l;
-    len -= l;
-    ret += l;
-    if (len < slen)
+    if (p[0] > 7)
+	return ASN1_BAD_FORMAT;
+    if (len - 1 == 0 && p[0] != 0)
+	return ASN1_BAD_FORMAT;
+    /* check if any of the three upper bits are set
+     * any of them will cause a interger overrun */
+    if ((len - 1) >> (sizeof(len) * 8 - 3))
 	return ASN1_OVERRUN;
-    e = der_get_octet_string (p, slen, &k, &l);
-    if (e) return e;
-    p += l;
-    len -= l;
-    ret += l;
-    times = realloc(k.data, k.length + 1);
-    if (times == NULL){
-	free(k.data);
+    data->length = (len - 1) * 8;
+    data->data = malloc(len - 1);
+    if (data->data == NULL && (len - 1) != 0)
 	return ENOMEM;
-    }
-    times[k.length] = 0;
-    generalizedtime2time (times, t);
-    free (times);
-    if(size) *size = ret;
-    return 0;
-}
-
-
-int
-fix_dce(size_t reallen, size_t *len)
-{
-    if(reallen == ASN1_INDEFINITE)
-	return 1;
-    if(*len < reallen)
-	return -1;
-    *len = reallen;
+    memcpy (data->data, p + 1, len - 1);
+    data->length -= p[0];
+    if(size) *size = len;
     return 0;
 }
diff --git a/crypto/heimdal/lib/asn1/der_length.c b/crypto/heimdal/lib/asn1/der_length.c
index 913a1f8..a7f8f59 100644
--- a/crypto/heimdal/lib/asn1/der_length.c
+++ b/crypto/heimdal/lib/asn1/der_length.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,18 +33,24 @@
 
 #include "der_locl.h"
 
-RCSID("$Id: der_length.c,v 1.12.6.2 2004/02/12 18:45:51 joda Exp $");
+RCSID("$Id: der_length.c 19539 2006-12-28 17:15:05Z lha $");
 
 size_t
 _heim_len_unsigned (unsigned val)
 {
-  size_t ret = 0;
+    size_t ret = 0;
+    int last_val_gt_128;
+    
+    do {
+	++ret;
+	last_val_gt_128 = (val >= 128);
+	val /= 256;
+    } while (val);
 
-  do {
-    ++ret;
-    val /= 256;
-  } while (val);
-  return ret;
+    if(last_val_gt_128)
+	ret++;
+
+    return ret;
 }
 
 size_t
@@ -75,7 +81,7 @@ _heim_len_int (int val)
 }
 
 static size_t
-len_oid (const oid *oid)
+len_oid (const heim_oid *oid)
 {
     size_t ret = 1;
     int n;
@@ -83,79 +89,144 @@ len_oid (const oid *oid)
     for (n = 2; n < oid->length; ++n) {
 	unsigned u = oid->components[n];
 
-	++ret;
-	u /= 128;
-	while (u > 0) {
+	do {
 	    ++ret;
 	    u /= 128;
-	}
+	} while(u > 0);
     }
     return ret;
 }
 
 size_t
-length_len (size_t len)
+der_length_len (size_t len)
 {
     if (len < 128)
 	return 1;
-    else
-	return _heim_len_unsigned (len) + 1;
+    else {
+	int ret = 0;
+	do {
+	    ++ret;
+	    len /= 256;
+	} while (len);
+	return ret + 1;
+    }
 }
 
 size_t
-length_integer (const int *data)
+der_length_integer (const int *data)
 {
-    size_t len = _heim_len_int (*data);
+    return _heim_len_int (*data);
+}
 
-  return 1 + length_len(len) + len;
+size_t
+der_length_unsigned (const unsigned *data)
+{
+    return _heim_len_unsigned(*data);
 }
 
 size_t
-length_unsigned (const unsigned *data)
+der_length_enumerated (const unsigned *data)
 {
-  size_t len = _heim_len_unsigned (*data);
+  return _heim_len_int (*data);
+}
 
-  return 1 + length_len(len) + len;
+size_t
+der_length_general_string (const heim_general_string *data)
+{
+    return strlen(*data);
 }
 
 size_t
-length_enumerated (const unsigned *data)
+der_length_utf8string (const heim_utf8_string *data)
 {
-    size_t len = _heim_len_int (*data);
+    return strlen(*data);
+}
 
-  return 1 + length_len(len) + len;
+size_t
+der_length_printable_string (const heim_printable_string *data)
+{
+    return strlen(*data);
 }
 
 size_t
-length_general_string (const general_string *data)
+der_length_ia5_string (const heim_ia5_string *data)
 {
-  char *str = *data;
-  size_t len = strlen(str);
-  return 1 + length_len(len) + len;
+    return strlen(*data);
 }
 
 size_t
-length_octet_string (const octet_string *k)
+der_length_bmp_string (const heim_bmp_string *data)
 {
-  return 1 + length_len(k->length) + k->length;
+    return data->length * 2;
 }
 
 size_t
-length_oid (const oid *k)
+der_length_universal_string (const heim_universal_string *data)
 {
-  size_t len = len_oid (k);
+    return data->length * 4;
+}
 
-  return 1 + length_len(len) + len;
+size_t
+der_length_visible_string (const heim_visible_string *data)
+{
+    return strlen(*data);
 }
 
 size_t
-length_generalized_time (const time_t *t)
+der_length_octet_string (const heim_octet_string *k)
 {
-  octet_string k;
-  size_t ret;
+    return k->length;
+}
 
-  time2generalizedtime (*t, &k);
-  ret = 1 + length_len(k.length) + k.length;
-  free (k.data);
-  return ret;
+size_t
+der_length_heim_integer (const heim_integer *k)
+{
+    if (k->length == 0)
+	return 1;
+    if (k->negative)
+	return k->length + (((~(((unsigned char *)k->data)[0])) & 0x80) ? 0 : 1);
+    else
+	return k->length + ((((unsigned char *)k->data)[0] & 0x80) ? 1 : 0);
+}
+
+size_t
+der_length_oid (const heim_oid *k)
+{
+    return len_oid (k);
+}
+
+size_t
+der_length_generalized_time (const time_t *t)
+{
+    heim_octet_string k;
+    size_t ret;
+
+    _heim_time2generalizedtime (*t, &k, 1);
+    ret = k.length;
+    free(k.data);
+    return ret;
+}
+
+size_t
+der_length_utctime (const time_t *t)
+{
+    heim_octet_string k;
+    size_t ret;
+
+    _heim_time2generalizedtime (*t, &k, 0);
+    ret = k.length;
+    free(k.data);
+    return ret;
+}
+
+size_t
+der_length_boolean (const int *k)
+{
+    return 1;
+}
+
+size_t
+der_length_bit_string (const heim_bit_string *k)
+{
+    return (k->length + 7) / 8 + 1;
 }
diff --git a/crypto/heimdal/lib/asn1/der_locl.h b/crypto/heimdal/lib/asn1/der_locl.h
index 1d931d3..5b97557 100644
--- a/crypto/heimdal/lib/asn1/der_locl.h
+++ b/crypto/heimdal/lib/asn1/der_locl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2002, 2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: der_locl.h,v 1.4.6.1 2004/02/09 17:54:05 lha Exp $ */
+/* $Id: der_locl.h 18608 2006-10-19 16:24:02Z lha $ */
 
 #ifndef __DER_LOCL_H__
 #define __DER_LOCL_H__
@@ -53,6 +53,7 @@
 #include <asn1_err.h>
 #include <der.h>
 
+time_t _der_timegm (struct tm *);
 size_t _heim_len_unsigned (unsigned);
 size_t _heim_len_int (int);
 
diff --git a/crypto/heimdal/lib/asn1/der_put.c b/crypto/heimdal/lib/asn1/der_put.c
index 41733c5..1fdbfe1 100644
--- a/crypto/heimdal/lib/asn1/der_put.c
+++ b/crypto/heimdal/lib/asn1/der_put.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "der_locl.h"
 
-RCSID("$Id: der_put.c,v 1.28 2003/04/17 07:12:24 lha Exp $");
+RCSID("$Id: der_put.c 19539 2006-12-28 17:15:05Z lha $");
 
 /*
  * All encoding functions take a pointer `p' to first position in
@@ -43,10 +43,11 @@ RCSID("$Id: der_put.c,v 1.28 2003/04/17 07:12:24 lha Exp $");
  * The return value is 0 or an error.
  */
 
-static int
-der_put_unsigned (unsigned char *p, size_t len, unsigned val, size_t *size)
+int
+der_put_unsigned (unsigned char *p, size_t len, const unsigned *v, size_t *size)
 {
     unsigned char *base = p;
+    unsigned val = *v;
 
     if (val) {
 	while (len > 0 && val) {
@@ -57,6 +58,11 @@ der_put_unsigned (unsigned char *p, size_t len, unsigned val, size_t *size)
 	if (val != 0)
 	    return ASN1_OVERFLOW;
 	else {
+	    if(p[1] >= 128) {
+		if(len < 1)
+		    return ASN1_OVERFLOW;
+		*p-- = 0;
+	    }
 	    *size = base - p;
 	    return 0;
 	}
@@ -70,9 +76,10 @@ der_put_unsigned (unsigned char *p, size_t len, unsigned val, size_t *size)
 }
 
 int
-der_put_int (unsigned char *p, size_t len, int val, size_t *size)
+der_put_integer (unsigned char *p, size_t len, const int *v, size_t *size)
 {
     unsigned char *base = p;
+    int val = *v;
 
     if(val >= 0) {
 	do {
@@ -114,27 +121,44 @@ der_put_length (unsigned char *p, size_t len, size_t val, size_t *size)
 {
     if (len < 1)
 	return ASN1_OVERFLOW;
+
     if (val < 128) {
 	*p = val;
 	*size = 1;
-	return 0;
     } else {
-	size_t l;
-	int e;
+	size_t l = 0;
 
-	e = der_put_unsigned (p, len - 1, val, &l);
-	if (e)
-	    return e;
-	p -= l;
+	while(val > 0) {
+	    if(len < 2)
+		return ASN1_OVERFLOW;
+	    *p-- = val % 256;
+	    val /= 256;
+	    len--;
+	    l++;
+	}
 	*p = 0x80 | l;
-	*size = l + 1;
-	return 0;
+	if(size)
+	    *size = l + 1;
     }
+    return 0;
+}
+
+int
+der_put_boolean(unsigned char *p, size_t len, const int *data, size_t *size)
+{
+    if(len < 1)
+	return ASN1_OVERFLOW;
+    if(*data != 0)
+	*p = 0xff;
+    else
+	*p = 0;
+    *size = 1;
+    return 0;
 }
 
 int
 der_put_general_string (unsigned char *p, size_t len, 
-			const general_string *str, size_t *size)
+			const heim_general_string *str, size_t *size)
 {
     size_t slen = strlen(*str);
 
@@ -148,221 +172,254 @@ der_put_general_string (unsigned char *p, size_t len,
 }
 
 int
-der_put_octet_string (unsigned char *p, size_t len, 
-		      const octet_string *data, size_t *size)
+der_put_utf8string (unsigned char *p, size_t len, 
+		    const heim_utf8_string *str, size_t *size)
 {
-    if (len < data->length)
-	return ASN1_OVERFLOW;
-    p -= data->length;
-    len -= data->length;
-    memcpy (p+1, data->data, data->length);
-    *size = data->length;
-    return 0;
+    return der_put_general_string(p, len, str, size);
 }
 
 int
-der_put_oid (unsigned char *p, size_t len,
-	     const oid *data, size_t *size)
+der_put_printable_string (unsigned char *p, size_t len, 
+			  const heim_printable_string *str, size_t *size)
 {
-    unsigned char *base = p;
-    int n;
+    return der_put_general_string(p, len, str, size);
+}
 
-    for (n = data->length - 1; n >= 2; --n) {
-	unsigned u = data->components[n];
+int
+der_put_ia5_string (unsigned char *p, size_t len, 
+		    const heim_ia5_string *str, size_t *size)
+{
+    return der_put_general_string(p, len, str, size);
+}
 
-	if (len < 1)
-	    return ASN1_OVERFLOW;
-	*p-- = u % 128;
-	u /= 128;
-	--len;
-	while (u > 0) {
-	    if (len < 1)
-		return ASN1_OVERFLOW;
-	    *p-- = 128 + u % 128;
-	    u /= 128;
-	    --len;
-	}
-    }
-    if (len < 1)
+int
+der_put_bmp_string (unsigned char *p, size_t len, 
+		    const heim_bmp_string *data, size_t *size)
+{
+    size_t i;
+    if (len / 2 < data->length)
 	return ASN1_OVERFLOW;
-    *p-- = 40 * data->components[0] + data->components[1];
-    *size = base - p;
+    p -= data->length * 2;
+    len -= data->length * 2;
+    for (i = 0; i < data->length; i++) {
+	p[1] = (data->data[i] >> 8) & 0xff;
+	p[2] = data->data[i] & 0xff;
+	p += 2;
+    }
+    if (size) *size = data->length * 2;
     return 0;
 }
 
 int
-der_put_tag (unsigned char *p, size_t len, Der_class class, Der_type type,
-	     int tag, size_t *size)
+der_put_universal_string (unsigned char *p, size_t len, 
+			  const heim_universal_string *data, size_t *size)
 {
-    if (len < 1)
+    size_t i;
+    if (len / 4 < data->length)
 	return ASN1_OVERFLOW;
-    *p = (class << 6) | (type << 5) | tag; /* XXX */
-    *size = 1;
+    p -= data->length * 4;
+    len -= data->length * 4;
+    for (i = 0; i < data->length; i++) {
+	p[1] = (data->data[i] >> 24) & 0xff;
+	p[2] = (data->data[i] >> 16) & 0xff;
+	p[3] = (data->data[i] >> 8) & 0xff;
+	p[4] = data->data[i] & 0xff;
+	p += 4;
+    }
+    if (size) *size = data->length * 4;
     return 0;
 }
 
 int
-der_put_length_and_tag (unsigned char *p, size_t len, size_t len_val,
-			Der_class class, Der_type type, int tag, size_t *size)
+der_put_visible_string (unsigned char *p, size_t len, 
+			 const heim_visible_string *str, size_t *size)
 {
-    size_t ret = 0;
-    size_t l;
-    int e;
-
-    e = der_put_length (p, len, len_val, &l);
-    if(e)
-	return e;
-    p -= l;
-    len -= l;
-    ret += l;
-    e = der_put_tag (p, len, class, type, tag, &l);
-    if(e)
-	return e;
-    p -= l;
-    len -= l;
-    ret += l;
-    *size = ret;
-    return 0;
+    return der_put_general_string(p, len, str, size);
 }
 
 int
-encode_integer (unsigned char *p, size_t len, const int *data, size_t *size)
+der_put_octet_string (unsigned char *p, size_t len, 
+		      const heim_octet_string *data, size_t *size)
 {
-    int num = *data;
-    size_t ret = 0;
-    size_t l;
-    int e;
-    
-    e = der_put_int (p, len, num, &l);
-    if(e)
-	return e;
-    p -= l;
-    len -= l;
-    ret += l;
-    e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_Integer, &l);
-    if (e)
-	return e;
-    p -= l;
-    len -= l;
-    ret += l;
-    *size = ret;
+    if (len < data->length)
+	return ASN1_OVERFLOW;
+    p -= data->length;
+    len -= data->length;
+    memcpy (p+1, data->data, data->length);
+    *size = data->length;
     return 0;
 }
 
 int
-encode_unsigned (unsigned char *p, size_t len, const unsigned *data,
-		 size_t *size)
+der_put_heim_integer (unsigned char *p, size_t len, 
+		     const heim_integer *data, size_t *size)
 {
-    unsigned num = *data;
-    size_t ret = 0;
-    size_t l;
-    int e;
-    
-    e = der_put_unsigned (p, len, num, &l);
-    if(e)
-	return e;
-    p -= l;
-    len -= l;
-    ret += l;
-    e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_Integer, &l);
-    if (e)
-	return e;
-    p -= l;
-    len -= l;
-    ret += l;
-    *size = ret;
+    unsigned char *buf = data->data;
+    int hibitset = 0;
+
+    if (data->length == 0) {
+	if (len < 1)
+	    return ASN1_OVERFLOW;
+	*p-- = 0;
+	if (size)
+	    *size = 1;
+	return 0;
+    }
+    if (len < data->length)
+	return ASN1_OVERFLOW;
+
+    len -= data->length;
+
+    if (data->negative) {
+	int i, carry;
+	for (i = data->length - 1, carry = 1; i >= 0; i--) {
+	    *p = buf[i] ^ 0xff;
+	    if (carry)
+		carry = !++*p;
+	    p--;
+	}
+	if (p[1] < 128) {
+	    if (len < 1)
+		return ASN1_OVERFLOW;
+	    *p-- = 0xff;
+	    len--;
+	    hibitset = 1;
+	}
+    } else {
+	p -= data->length;
+	memcpy(p + 1, buf, data->length);
+
+	if (p[1] >= 128) {
+	    if (len < 1)
+		return ASN1_OVERFLOW;
+	    p[0] = 0;
+	    len--;
+	    hibitset = 1;
+	}
+    }
+    if (size)
+	*size = data->length + hibitset;
     return 0;
 }
 
 int
-encode_enumerated (unsigned char *p, size_t len, const unsigned *data,
-		   size_t *size)
+der_put_generalized_time (unsigned char *p, size_t len, 
+			  const time_t *data, size_t *size)
 {
-    unsigned num = *data;
-    size_t ret = 0;
+    heim_octet_string k;
     size_t l;
     int e;
-    
-    e = der_put_int (p, len, num, &l);
-    if(e)
-	return e;
-    p -= l;
-    len -= l;
-    ret += l;
-    e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_Enumerated, &l);
+
+    e = _heim_time2generalizedtime (*data, &k, 1);
     if (e)
 	return e;
-    p -= l;
-    len -= l;
-    ret += l;
-    *size = ret;
+    e = der_put_octet_string(p, len, &k, &l);
+    free(k.data);
+    if(e)
+	return e;
+    if(size)
+	*size = l;
     return 0;
 }
 
 int
-encode_general_string (unsigned char *p, size_t len, 
-		       const general_string *data, size_t *size)
+der_put_utctime (unsigned char *p, size_t len, 
+		 const time_t *data, size_t *size)
 {
-    size_t ret = 0;
+    heim_octet_string k;
     size_t l;
     int e;
 
-    e = der_put_general_string (p, len, data, &l);
+    e = _heim_time2generalizedtime (*data, &k, 0);
     if (e)
 	return e;
-    p -= l;
-    len -= l;
-    ret += l;
-    e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_GeneralString, &l);
-    if (e)
+    e = der_put_octet_string(p, len, &k, &l);
+    free(k.data);
+    if(e)
 	return e;
-    p -= l;
-    len -= l;
-    ret += l;
-    *size = ret;
+    if(size)
+	*size = l;
     return 0;
 }
 
 int
-encode_octet_string (unsigned char *p, size_t len, 
-		     const octet_string *k, size_t *size)
+der_put_oid (unsigned char *p, size_t len,
+	     const heim_oid *data, size_t *size)
 {
-    size_t ret = 0;
-    size_t l;
-    int e;
+    unsigned char *base = p;
+    int n;
 
-    e = der_put_octet_string (p, len, k, &l);
-    if (e)
-	return e;
-    p -= l;
-    len -= l;
-    ret += l;
-    e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_OctetString, &l);
-    if (e)
-	return e;
-    p -= l;
-    len -= l;
-    ret += l;
-    *size = ret;
+    for (n = data->length - 1; n >= 2; --n) {
+	unsigned u = data->components[n];
+
+	if (len < 1)
+	    return ASN1_OVERFLOW;
+	*p-- = u % 128;
+	u /= 128;
+	--len;
+	while (u > 0) {
+	    if (len < 1)
+		return ASN1_OVERFLOW;
+	    *p-- = 128 + u % 128;
+	    u /= 128;
+	    --len;
+	}
+    }
+    if (len < 1)
+	return ASN1_OVERFLOW;
+    *p-- = 40 * data->components[0] + data->components[1];
+    *size = base - p;
+    return 0;
+}
+
+int
+der_put_tag (unsigned char *p, size_t len, Der_class class, Der_type type,
+	     unsigned int tag, size_t *size)
+{
+    if (tag <= 30) {
+	if (len < 1)
+	    return ASN1_OVERFLOW;
+	*p = MAKE_TAG(class, type, tag);
+	*size = 1;
+    } else {
+	size_t ret = 0;
+	unsigned int continuation = 0;
+	
+	do {
+	    if (len < 1)
+		return ASN1_OVERFLOW;
+	    *p-- = tag % 128 | continuation;
+	    len--;
+	    ret++;
+	    tag /= 128;
+	    continuation = 0x80;
+	} while(tag > 0);
+	if (len < 1)
+	    return ASN1_OVERFLOW;
+	*p-- = MAKE_TAG(class, type, 0x1f);
+	ret++;
+	*size = ret;
+    }
     return 0;
 }
 
 int
-encode_oid(unsigned char *p, size_t len,
-	   const oid *k, size_t *size)
+der_put_length_and_tag (unsigned char *p, size_t len, size_t len_val,
+			Der_class class, Der_type type, 
+			unsigned int tag, size_t *size)
 {
     size_t ret = 0;
     size_t l;
     int e;
 
-    e = der_put_oid (p, len, k, &l);
-    if (e)
+    e = der_put_length (p, len, len_val, &l);
+    if(e)
 	return e;
     p -= l;
     len -= l;
     ret += l;
-    e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_OID, &l);
-    if (e)
+    e = der_put_tag (p, len, class, type, tag, &l);
+    if(e)
 	return e;
     p -= l;
     len -= l;
@@ -372,50 +429,55 @@ encode_oid(unsigned char *p, size_t len,
 }
 
 int
-time2generalizedtime (time_t t, octet_string *s)
+_heim_time2generalizedtime (time_t t, heim_octet_string *s, int gtimep)
 {
      struct tm *tm;
-     size_t len;
-
-     len = 15;
+     const size_t len = gtimep ? 15 : 13;
 
      s->data = malloc(len + 1);
      if (s->data == NULL)
 	 return ENOMEM;
      s->length = len;
      tm = gmtime (&t);
-     snprintf (s->data, len + 1, "%04d%02d%02d%02d%02d%02dZ", 
-	       tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday, 
-	       tm->tm_hour, tm->tm_min, tm->tm_sec);
+     if (gtimep)
+	 snprintf (s->data, len + 1, "%04d%02d%02d%02d%02d%02dZ", 
+		   tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday, 
+		   tm->tm_hour, tm->tm_min, tm->tm_sec);
+     else
+	 snprintf (s->data, len + 1, "%02d%02d%02d%02d%02d%02dZ", 
+		   tm->tm_year % 100, tm->tm_mon + 1, tm->tm_mday, 
+		   tm->tm_hour, tm->tm_min, tm->tm_sec);
+
      return 0;
 }
 
 int
-encode_generalized_time (unsigned char *p, size_t len,
-			 const time_t *t, size_t *size)
+der_put_bit_string (unsigned char *p, size_t len, 
+		    const heim_bit_string *data, size_t *size)
 {
-    size_t ret = 0;
-    size_t l;
-    octet_string k;
-    int e;
-
-    e = time2generalizedtime (*t, &k);
-    if (e)
-	return e;
-    e = der_put_octet_string (p, len, &k, &l);
-    free (k.data);
-    if (e)
-	return e;
-    p -= l;
-    len -= l;
-    ret += l;
-    e = der_put_length_and_tag (p, len, k.length, UNIV, PRIM, 
-				UT_GeneralizedTime, &l);
-    if (e)
-	return e;
-    p -= l;
-    len -= l;
-    ret += l;
-    *size = ret;
+    size_t data_size = (data->length + 7) / 8;
+    if (len < data_size + 1)
+	return ASN1_OVERFLOW;
+    p -= data_size + 1;
+    len -= data_size + 1;
+    memcpy (p+2, data->data, data_size);
+    if (data->length && (data->length % 8) != 0)
+	p[1] = 8 - (data->length % 8);
+    else
+	p[1] = 0;
+    *size = data_size + 1;
     return 0;
 }
+
+int 
+_heim_der_set_sort(const void *a1, const void *a2)
+{
+    const struct heim_octet_string *s1 = a1, *s2 = a2;
+    int ret;
+
+    ret = memcmp(s1->data, s2->data, 
+		 s1->length < s2->length ? s1->length : s2->length);
+    if(ret)
+	return ret;
+    return s1->length - s2->length;
+}
diff --git a/crypto/heimdal/lib/asn1/digest.asn1 b/crypto/heimdal/lib/asn1/digest.asn1
new file mode 100644
index 0000000..eafe48e
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/digest.asn1
@@ -0,0 +1,164 @@
+-- $Id: digest.asn1 22152 2007-12-04 19:59:18Z lha $
+
+DIGEST DEFINITIONS ::=
+BEGIN
+
+IMPORTS EncryptedData, Principal FROM krb5;
+
+DigestTypes ::= BIT STRING {
+	ntlm-v1(0),
+	ntlm-v1-session(1),
+	ntlm-v2(2),
+	digest-md5(3),
+	chap-md5(4),
+	ms-chap-v2(5)
+}
+
+DigestInit ::= SEQUENCE {
+    type		UTF8String, -- http, sasl, chap, cram-md5 --
+    channel		[0] SEQUENCE {
+    	cb-type		UTF8String,
+    	cb-binding	UTF8String
+    } OPTIONAL,
+    hostname		[1] UTF8String OPTIONAL -- for chap/cram-md5
+}
+
+DigestInitReply ::= SEQUENCE {
+    nonce		UTF8String,	-- service nonce/challange
+    opaque		UTF8String,	-- server state
+    identifier		[0] UTF8String OPTIONAL
+}
+
+
+DigestRequest ::= SEQUENCE  {
+    type		UTF8String, -- http, sasl-md5, chap, cram-md5 --
+    digest		UTF8String, -- http:md5/md5-sess sasl:clear/int/conf --
+    username		UTF8String, -- username user used
+    responseData	UTF8String, -- client response
+    authid		[0] UTF8String OPTIONAL,
+    authentication-user	[1] Principal OPTIONAL, -- principal to get key from
+    realm		[2] UTF8String OPTIONAL,
+    method		[3] UTF8String OPTIONAL,
+    uri			[4] UTF8String OPTIONAL,
+    serverNonce		UTF8String, -- same as "DigestInitReply.nonce"
+    clientNonce		[5] UTF8String OPTIONAL,
+    nonceCount		[6] UTF8String OPTIONAL,
+    qop			[7] UTF8String OPTIONAL,
+    identifier		[8] UTF8String OPTIONAL,
+    hostname		[9] UTF8String OPTIONAL,
+    opaque		UTF8String -- same as "DigestInitReply.opaque"
+}
+-- opaque = hex(cksum(type|serverNonce|identifier|hostname,digest-key))
+-- serverNonce = hex(time[4bytes]random[12bytes])(-cbType:cbBinding)
+
+
+DigestError ::= SEQUENCE {
+    reason		UTF8String,
+    code		INTEGER (-2147483648..2147483647)
+}
+
+DigestResponse ::= SEQUENCE  {
+    success		BOOLEAN,
+    rsp			[0] UTF8String OPTIONAL,
+    tickets		[1] SEQUENCE OF OCTET STRING OPTIONAL,
+    channel		[2] SEQUENCE {
+    	cb-type		UTF8String,
+    	cb-binding	UTF8String
+    } OPTIONAL,
+    session-key		[3] OCTET STRING OPTIONAL
+}
+
+NTLMInit ::= SEQUENCE {
+    flags		[0] INTEGER (0..4294967295),
+    hostname		[1] UTF8String OPTIONAL,
+    domain		[1] UTF8String OPTIONAL
+}
+
+NTLMInitReply ::= SEQUENCE {
+    flags		[0] INTEGER (0..4294967295),
+    opaque		[1] OCTET STRING,
+    targetname		[2] UTF8String,
+    challange		[3] OCTET STRING,
+    targetinfo		[4] OCTET STRING OPTIONAL
+}
+
+NTLMRequest ::= SEQUENCE {
+    flags		[0] INTEGER (0..4294967295),
+    opaque		[1] OCTET STRING,
+    username		[2] UTF8String,
+    targetname		[3] UTF8String,
+    targetinfo		[4] OCTET STRING OPTIONAL,
+    lm			[5] OCTET STRING,
+    ntlm		[6] OCTET STRING,
+    sessionkey		[7] OCTET STRING OPTIONAL
+}
+
+NTLMResponse ::= SEQUENCE {
+    success		[0] BOOLEAN,
+    flags		[1] INTEGER (0..4294967295),
+    sessionkey		[2] OCTET STRING OPTIONAL,
+    tickets		[3] SEQUENCE OF OCTET STRING OPTIONAL
+}
+
+DigestReqInner ::= CHOICE {
+    init		[0] DigestInit,
+    digestRequest	[1] DigestRequest,
+    ntlmInit		[2] NTLMInit,
+    ntlmRequest		[3] NTLMRequest,
+    supportedMechs	[4] NULL
+}
+
+DigestREQ ::= [APPLICATION 128] SEQUENCE {
+    apReq		[0] OCTET STRING,
+    innerReq		[1] EncryptedData
+}
+
+DigestRepInner ::= CHOICE {
+    error		[0] DigestError,
+    initReply		[1] DigestInitReply,
+    response		[2] DigestResponse,
+    ntlmInitReply	[3] NTLMInitReply,
+    ntlmResponse	[4] NTLMResponse,
+    supportedMechs	[5] DigestTypes,
+    ...
+}
+
+DigestREP ::= [APPLICATION 129] SEQUENCE {
+    apRep		[0] OCTET STRING,
+    innerRep		[1] EncryptedData
+}
+
+
+-- HTTP
+
+-- md5
+-- A1 = unq(username-value) ":" unq(realm-value) ":" passwd
+-- md5-sess
+-- A1 = HEX(H(unq(username-value) ":" unq(realm-value) ":" passwd ) ":" unq(nonce-value) ":" unq(cnonce-value))
+
+-- qop == auth
+-- A2 = Method ":" digest-uri-value
+-- qop == auth-int
+-- A2 = Method ":" digest-uri-value ":" H(entity-body) 
+
+-- request-digest  = HEX(KD(HEX(H(A1)),
+--    unq(nonce-value) ":" nc-value ":" unq(cnonce-value) ":" unq(qop-value) ":" HEX(H(A2))))
+-- no "qop"
+-- request-digest  = HEX(KD(HEX(H(A1)), unq(nonce-value) ":" HEX(H(A2))))
+
+
+-- SASL:
+-- SS = H( { unq(username-value), ":", unq(realm-value), ":", password } )
+-- A1 = { SS, ":", unq(nonce-value), ":", unq(cnonce-value) }
+-- A1 = { SS, ":", unq(nonce-value), ":", unq(cnonce-value), ":", unq(authzid-value) }
+
+-- A2 = "AUTHENTICATE:", ":", digest-uri-value
+-- qop == auth-int,auth-conf
+-- A2 = "AUTHENTICATE:", ":", digest-uri-value, ":00000000000000000000000000000000"
+
+-- response-value = HEX( KD ( HEX(H(A1)),
+--                 { unq(nonce-value), ":" nc-value, ":",
+--                   unq(cnonce-value), ":", qop-value, ":",
+--                   HEX(H(A2)) }))
+
+END
diff --git a/crypto/heimdal/lib/asn1/extra.c b/crypto/heimdal/lib/asn1/extra.c
new file mode 100644
index 0000000..e29a437
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/extra.c
@@ -0,0 +1,155 @@
+/*
+ * Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "der_locl.h"
+#include "heim_asn1.h"
+
+RCSID("$Id: extra.c 16672 2006-01-31 09:44:54Z lha $");
+
+int
+encode_heim_any(unsigned char *p, size_t len, 
+		const heim_any *data, size_t *size)
+{
+    if (data->length > len)
+	return ASN1_OVERFLOW;
+    p -= data->length;
+    len -= data->length;
+    memcpy (p+1, data->data, data->length);
+    *size = data->length;
+    return 0;
+}
+
+int
+decode_heim_any(const unsigned char *p, size_t len, 
+		heim_any *data, size_t *size)
+{
+    size_t len_len, length, l;
+    Der_class thisclass;
+    Der_type thistype;
+    unsigned int thistag;
+    int e;
+
+    memset(data, 0, sizeof(*data));
+
+    e = der_get_tag (p, len, &thisclass, &thistype, &thistag, &l);
+    if (e) return e;
+    if (l > len)
+	return ASN1_OVERFLOW;
+    e = der_get_length(p + l, len - l, &length, &len_len);
+    if (e) return e;
+    if (length + len_len + l > len)
+	return ASN1_OVERFLOW;
+
+    data->data = malloc(length + len_len + l);
+    if (data->data == NULL)
+	return ENOMEM;
+    data->length = length + len_len + l;
+    memcpy(data->data, p, length + len_len + l);
+
+    if (size)
+	*size = length + len_len + l;
+
+    return 0;
+}
+
+void
+free_heim_any(heim_any *data)
+{
+    free(data->data);
+    data->data = NULL;
+}
+
+size_t
+length_heim_any(const heim_any *data)
+{
+    return data->length;
+}
+
+int
+copy_heim_any(const heim_any *from, heim_any *to)
+{
+    to->data = malloc(from->length);
+    if (to->data == NULL && from->length != 0)
+	return ENOMEM;
+    memcpy(to->data, from->data, from->length);
+    to->length = from->length;
+    return 0;
+}
+
+int
+encode_heim_any_set(unsigned char *p, size_t len, 
+		    const heim_any_set *data, size_t *size)
+{
+    return encode_heim_any(p, len, data, size);
+}
+
+
+int
+decode_heim_any_set(const unsigned char *p, size_t len, 
+		heim_any_set *data, size_t *size)
+{
+    memset(data, 0, sizeof(*data));
+    data->data = malloc(len);
+    if (data->data == NULL && len != 0)
+	return ENOMEM;
+    data->length = len;
+    memcpy(data->data, p, len);
+    if (size) *size = len;
+    return 0;
+}
+
+void
+free_heim_any_set(heim_any_set *data)
+{
+    free_heim_any(data);
+}
+
+size_t
+length_heim_any_set(const heim_any *data)
+{
+    return length_heim_any(data);
+}
+
+int
+copy_heim_any_set(const heim_any_set *from, heim_any_set *to)
+{
+    return copy_heim_any(from, to);
+}
+
+int
+heim_any_cmp(const heim_any_set *p, const heim_any_set *q)
+{
+    if (p->length != q->length)
+	return p->length - q->length;
+    return memcmp(p->data, q->data, p->length);
+}
diff --git a/crypto/heimdal/lib/asn1/gen.c b/crypto/heimdal/lib/asn1/gen.c
index 8580360..499f8ea 100644
--- a/crypto/heimdal/lib/asn1/gen.c
+++ b/crypto/heimdal/lib/asn1/gen.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen.c,v 1.50 2003/04/17 07:09:18 lha Exp $");
+RCSID("$Id: gen.c 22429 2008-01-13 10:25:50Z lha $");
 
 FILE *headerfile, *codefile, *logfile;
 
@@ -41,7 +41,7 @@ FILE *headerfile, *codefile, *logfile;
 
 static const char *orig_filename;
 static char *header;
-static char *headerbase = STEM;
+static const char *headerbase = STEM;
 
 /*
  * list of all IMPORTs
@@ -62,10 +62,12 @@ add_import (const char *module)
     tmp->module = module;
     tmp->next   = imports;
     imports     = tmp;
+
+    fprintf (headerfile, "#include <%s_asn1.h>\n", module);
 }
 
 const char *
-filename (void)
+get_filename (void)
 {
     return orig_filename;
 }
@@ -73,10 +75,17 @@ filename (void)
 void
 init_generate (const char *filename, const char *base)
 {
+    char *fn;
+
     orig_filename = filename;
-    if(base)
-	asprintf(&headerbase, "%s", base);
+    if (base != NULL) {
+	headerbase = strdup(base);
+	if (headerbase == NULL)
+	    errx(1, "strdup");
+    }
     asprintf(&header, "%s.h", headerbase);
+    if (header == NULL)
+	errx(1, "malloc");
     headerfile = fopen (header, "w");
     if (headerfile == NULL)
 	err (1, "open %s", header);
@@ -90,25 +99,58 @@ init_generate (const char *filename, const char *base)
     fprintf (headerfile, 
 	     "#include <stddef.h>\n"
 	     "#include <time.h>\n\n");
-#ifndef HAVE_TIMEGM
-    fprintf (headerfile, "time_t timegm (struct tm*);\n\n");
-#endif
     fprintf (headerfile,
 	     "#ifndef __asn1_common_definitions__\n"
 	     "#define __asn1_common_definitions__\n\n");
     fprintf (headerfile,
-	     "typedef struct octet_string {\n"
+	     "typedef struct heim_integer {\n"
+	     "  size_t length;\n"
+	     "  void *data;\n"
+	     "  int negative;\n"
+	     "} heim_integer;\n\n");
+    fprintf (headerfile,
+	     "typedef struct heim_octet_string {\n"
 	     "  size_t length;\n"
 	     "  void *data;\n"
-	     "} octet_string;\n\n");
+	     "} heim_octet_string;\n\n");
+    fprintf (headerfile,
+	     "typedef char *heim_general_string;\n\n"
+	     );
     fprintf (headerfile,
-	     "typedef char *general_string;\n\n"
+	     "typedef char *heim_utf8_string;\n\n"
 	     );
     fprintf (headerfile,
-	     "typedef struct oid {\n"
+	     "typedef char *heim_printable_string;\n\n"
+	     );
+    fprintf (headerfile,
+	     "typedef char *heim_ia5_string;\n\n"
+	     );
+    fprintf (headerfile,
+	     "typedef struct heim_bmp_string {\n"
+	     "  size_t length;\n"
+	     "  uint16_t *data;\n"
+	     "} heim_bmp_string;\n\n");
+    fprintf (headerfile,
+	     "typedef struct heim_universal_string {\n"
+	     "  size_t length;\n"
+	     "  uint32_t *data;\n"
+	     "} heim_universal_string;\n\n");
+    fprintf (headerfile,
+	     "typedef char *heim_visible_string;\n\n"
+	     );
+    fprintf (headerfile,
+	     "typedef struct heim_oid {\n"
 	     "  size_t length;\n"
 	     "  unsigned *components;\n"
-	     "} oid;\n\n");
+	     "} heim_oid;\n\n");
+    fprintf (headerfile,
+	     "typedef struct heim_bit_string {\n"
+	     "  size_t length;\n"
+	     "  void *data;\n"
+	     "} heim_bit_string;\n\n");
+    fprintf (headerfile,
+	     "typedef struct heim_octet_string heim_any;\n"
+	     "typedef struct heim_octet_string heim_any_set;\n\n");
     fputs("#define ASN1_MALLOC_ENCODE(T, B, BL, S, L, R)                  \\\n"
 	  "  do {                                                         \\\n"
 	  "    (BL) = length_##T((S));                                    \\\n"
@@ -125,10 +167,14 @@ init_generate (const char *filename, const char *base)
 	  "    }                                                          \\\n"
 	  "  } while (0)\n\n",
 	  headerfile);
+    fprintf (headerfile, "struct units;\n\n");
     fprintf (headerfile, "#endif\n\n");
-    logfile = fopen(STEM "_files", "w");
+    asprintf(&fn, "%s_files", base);
+    if (fn == NULL)
+	errx(1, "malloc");
+    logfile = fopen(fn, "w");
     if (logfile == NULL)
-	err (1, "open " STEM "_files");
+	err (1, "open %s", fn);
 }
 
 void
@@ -142,10 +188,160 @@ close_generate (void)
 }
 
 void
+gen_assign_defval(const char *var, struct value *val)
+{
+    switch(val->type) {
+    case stringvalue:
+	fprintf(codefile, "if((%s = strdup(\"%s\")) == NULL)\nreturn ENOMEM;\n", var, val->u.stringvalue);
+	break;
+    case integervalue:
+	fprintf(codefile, "%s = %d;\n", var, val->u.integervalue);
+	break;
+    case booleanvalue:
+	if(val->u.booleanvalue)
+	    fprintf(codefile, "%s = TRUE;\n", var);
+	else
+	    fprintf(codefile, "%s = FALSE;\n", var);
+	break;
+    default:
+	abort();
+    }
+}
+
+void
+gen_compare_defval(const char *var, struct value *val)
+{
+    switch(val->type) {
+    case stringvalue:
+	fprintf(codefile, "if(strcmp(%s, \"%s\") != 0)\n", var, val->u.stringvalue);
+	break;
+    case integervalue:
+	fprintf(codefile, "if(%s != %d)\n", var, val->u.integervalue);
+	break;
+    case booleanvalue:
+	if(val->u.booleanvalue)
+	    fprintf(codefile, "if(!%s)\n", var);
+	else
+	    fprintf(codefile, "if(%s)\n", var);
+	break;
+    default:
+	abort();
+    }
+}
+
+static void
+generate_header_of_codefile(const char *name)
+{
+    char *filename;
+
+    if (codefile != NULL)
+	abort();
+
+    asprintf (&filename, "%s_%s.x", STEM, name);
+    if (filename == NULL)
+	errx(1, "malloc");
+    codefile = fopen (filename, "w");
+    if (codefile == NULL)
+	err (1, "fopen %s", filename);
+    fprintf(logfile, "%s ", filename);
+    free(filename);
+    fprintf (codefile, 
+	     "/* Generated from %s */\n"
+	     "/* Do not edit */\n\n"
+	     "#include <stdio.h>\n"
+	     "#include <stdlib.h>\n"
+	     "#include <time.h>\n"
+	     "#include <string.h>\n"
+	     "#include <errno.h>\n"
+	     "#include <limits.h>\n"
+	     "#include <krb5-types.h>\n",
+	     orig_filename);
+
+    fprintf (codefile,
+	     "#include <%s.h>\n",
+	     headerbase);
+    fprintf (codefile,
+	     "#include <asn1_err.h>\n"
+	     "#include <der.h>\n"
+	     "#include <parse_units.h>\n\n");
+
+}
+
+static void
+close_codefile(void)
+{
+    if (codefile == NULL)
+	abort();
+
+    fclose(codefile);
+    codefile = NULL;
+}
+
+
+void
 generate_constant (const Symbol *s)
 {
-  fprintf (headerfile, "enum { %s = %d };\n\n",
-	   s->gen_name, s->constant);
+    switch(s->value->type) {
+    case booleanvalue:
+	break;
+    case integervalue:
+	fprintf (headerfile, "enum { %s = %d };\n\n",
+		 s->gen_name, s->value->u.integervalue);
+	break;
+    case nullvalue:
+	break;
+    case stringvalue:
+	break;
+    case objectidentifiervalue: {
+	struct objid *o, **list;
+	int i, len;
+
+	generate_header_of_codefile(s->gen_name);
+
+	len = 0;
+	for (o = s->value->u.objectidentifiervalue; o != NULL; o = o->next)
+	    len++;
+	list = emalloc(sizeof(*list) * len);
+
+	i = 0;
+	for (o = s->value->u.objectidentifiervalue; o != NULL; o = o->next)
+	    list[i++] = o;
+
+	fprintf (headerfile, "/* OBJECT IDENTIFIER %s ::= { ", s->name);
+	for (i = len - 1 ; i >= 0; i--) {
+	    o = list[i];
+	    fprintf(headerfile, "%s(%d) ",
+		    o->label ? o->label : "label-less", o->value);
+	}
+
+	fprintf (headerfile, "} */\n");
+	fprintf (headerfile, "const heim_oid *oid_%s(void);\n\n",
+		 s->gen_name);
+
+	fprintf (codefile, "static unsigned oid_%s_variable_num[%d] =  {",
+		 s->gen_name, len);
+	for (i = len - 1 ; i >= 0; i--) {
+	    fprintf(codefile, "%d%s ", list[i]->value, i > 0 ? "," : "");
+	}
+	fprintf(codefile, "};\n");
+
+	fprintf (codefile, "static const heim_oid oid_%s_variable = "
+		 "{ %d, oid_%s_variable_num };\n\n", 
+		 s->gen_name, len, s->gen_name);
+
+	fprintf (codefile, "const heim_oid *oid_%s(void)\n"
+		 "{\n"
+		 "return &oid_%s_variable;\n"
+		 "}\n\n",
+		 s->gen_name, s->gen_name);
+
+	close_codefile();
+
+	break;
+    }
+    default:
+	abort();
+    }
 }
 
 static void
@@ -155,93 +351,108 @@ space(int level)
 	fprintf(headerfile, "  ");
 }
 
+static const char *
+last_member_p(struct member *m)
+{
+    struct member *n = ASN1_TAILQ_NEXT(m, members);
+    if (n == NULL)
+	return "";
+    if (n->ellipsis && ASN1_TAILQ_NEXT(n, members) == NULL)
+	return "";
+    return ",";
+}
+
+static struct member *
+have_ellipsis(Type *t)
+{
+    struct member *m;
+    ASN1_TAILQ_FOREACH(m, t->members, members) {
+	if (m->ellipsis)
+	    return m;
+    }
+    return NULL;
+}
+
 static void
 define_asn1 (int level, Type *t)
 {
     switch (t->type) {
     case TType:
-	space(level);
 	fprintf (headerfile, "%s", t->symbol->name);
 	break;
     case TInteger:
-	space(level);
-	fprintf (headerfile, "INTEGER");
+	if(t->members == NULL) {
+            fprintf (headerfile, "INTEGER");
+	    if (t->range)
+		fprintf (headerfile, " (%d..%d)",
+			 t->range->min, t->range->max);
+        } else {
+	    Member *m;
+            fprintf (headerfile, "INTEGER {\n");
+	    ASN1_TAILQ_FOREACH(m, t->members, members) {
+                space (level + 1);
+		fprintf(headerfile, "%s(%d)%s\n", m->gen_name, m->val, 
+			last_member_p(m));
+            }
+	    space(level);
+            fprintf (headerfile, "}");
+        }
 	break;
-    case TUInteger:
-	space(level);
-	fprintf (headerfile, "UNSIGNED INTEGER");
+    case TBoolean:
+	fprintf (headerfile, "BOOLEAN");
 	break;
     case TOctetString:
-	space(level);
 	fprintf (headerfile, "OCTET STRING");
 	break;
-    case TOID :
-	space(level);
-	fprintf(headerfile, "OBJECT IDENTIFIER");
-	break;
+    case TEnumerated :
     case TBitString: {
 	Member *m;
-	int tag = -1;
 
 	space(level);
-	fprintf (headerfile, "BIT STRING {\n");
-	for (m = t->members; m && m->val != tag; m = m->next) {
-	    if (tag == -1)
-		tag = m->val;
+	if(t->type == TBitString)
+	    fprintf (headerfile, "BIT STRING {\n");
+	else
+	    fprintf (headerfile, "ENUMERATED {\n");
+	ASN1_TAILQ_FOREACH(m, t->members, members) {
 	    space(level + 1);
 	    fprintf (headerfile, "%s(%d)%s\n", m->name, m->val, 
-		     m->next->val == tag?"":",");
-
-	}
-	space(level);
-	fprintf (headerfile, "}");
-	break;
-    }
-    case TEnumerated : {
-	Member *m;
-	int tag = -1;
-
-	space(level);
-	fprintf (headerfile, "ENUMERATED {\n");
-	for (m = t->members; m && m->val != tag; m = m->next) {
-	    if (tag == -1)
-		tag = m->val;
-	    space(level + 1);
-	    fprintf (headerfile, "%s(%d)%s\n", m->name, m->val, 
-		     m->next->val == tag?"":",");
-
+		     last_member_p(m));
 	}
 	space(level);
 	fprintf (headerfile, "}");
 	break;
     }
+    case TChoice:
+    case TSet:
     case TSequence: {
 	Member *m;
-	int tag;
 	int max_width = 0;
 
-	space(level);
-	fprintf (headerfile, "SEQUENCE {\n");
-	for (m = t->members, tag = -1; m && m->val != tag; m = m->next) {
-	    if (tag == -1)
-		tag = m->val;
-	    if(strlen(m->name) + (m->val > 9) > max_width)
-		max_width = strlen(m->name) + (m->val > 9);
+	if(t->type == TChoice)
+	    fprintf(headerfile, "CHOICE {\n");
+	else if(t->type == TSet)
+	    fprintf(headerfile, "SET {\n");
+	else
+	    fprintf(headerfile, "SEQUENCE {\n");
+	ASN1_TAILQ_FOREACH(m, t->members, members) {
+	    if(strlen(m->name) > max_width)
+		max_width = strlen(m->name);
 	}
-	max_width += 3 + 2;
+	max_width += 3;
 	if(max_width < 16) max_width = 16;
-	for (m = t->members, tag = -1 ; m && m->val != tag; m = m->next) {
-	    int width;
-	    if (tag == -1)
-		tag = m->val;
+	ASN1_TAILQ_FOREACH(m, t->members, members) {
+	    int width = max_width;
 	    space(level + 1);
-	    fprintf(headerfile, "%s[%d]", m->name, m->val);
-	    width = max_width - strlen(m->name) - 3 - (m->val > 9) - 2;
-	    fprintf(headerfile, "%*s", width, "");
-	    define_asn1(level + 1, m->type);
-	    if(m->optional)
-		fprintf(headerfile, " OPTIONAL");
-	    if(m->next->val != tag)
+	    if (m->ellipsis) {
+		fprintf (headerfile, "...");
+	    } else {
+		width -= fprintf(headerfile, "%s", m->name);
+		fprintf(headerfile, "%*s", width, "");
+		define_asn1(level + 1, m->type);
+		if(m->optional)
+		    fprintf(headerfile, " OPTIONAL");
+	    }
+	    if(last_member_p(m))
 		fprintf (headerfile, ",");
 	    fprintf (headerfile, "\n");
 	}
@@ -249,31 +460,74 @@ define_asn1 (int level, Type *t)
 	fprintf (headerfile, "}");
 	break;
     }
-    case TSequenceOf: {
-	space(level);
+    case TSequenceOf:
 	fprintf (headerfile, "SEQUENCE OF ");
 	define_asn1 (0, t->subtype);
 	break;
-    }
+    case TSetOf:
+	fprintf (headerfile, "SET OF ");
+	define_asn1 (0, t->subtype);
+	break;
     case TGeneralizedTime:
-	space(level);
 	fprintf (headerfile, "GeneralizedTime");
 	break;
     case TGeneralString:
-	space(level);
 	fprintf (headerfile, "GeneralString");
 	break;
-    case TApplication:
-	fprintf (headerfile, "[APPLICATION %d] ", t->application);
+    case TTag: {
+	const char *classnames[] = { "UNIVERSAL ", "APPLICATION ", 
+				     "" /* CONTEXT */, "PRIVATE " };
+	if(t->tag.tagclass != ASN1_C_UNIV)
+	    fprintf (headerfile, "[%s%d] ", 
+		     classnames[t->tag.tagclass],
+		     t->tag.tagvalue);
+	if(t->tag.tagenv == TE_IMPLICIT)
+	    fprintf (headerfile, "IMPLICIT ");
 	define_asn1 (level, t->subtype);
 	break;
+    }
+    case TUTCTime:
+	fprintf (headerfile, "UTCTime");
+	break;
+    case TUTF8String:
+	space(level);
+	fprintf (headerfile, "UTF8String");
+	break;
+    case TPrintableString:
+	space(level);
+	fprintf (headerfile, "PrintableString");
+	break;
+    case TIA5String:
+	space(level);
+	fprintf (headerfile, "IA5String");
+	break;
+    case TBMPString:
+	space(level);
+	fprintf (headerfile, "BMPString");
+	break;
+    case TUniversalString:
+	space(level);
+	fprintf (headerfile, "UniversalString");
+	break;
+    case TVisibleString:
+	space(level);
+	fprintf (headerfile, "VisibleString");
+	break;
+    case TOID :
+	space(level);
+	fprintf(headerfile, "OBJECT IDENTIFIER");
+	break;
+    case TNull:
+	space(level);
+	fprintf (headerfile, "NULL");
+	break;
     default:
 	abort ();
     }
 }
 
 static void
-define_type (int level, char *name, Type *t, int typedefp)
+define_type (int level, const char *name, Type *t, int typedefp, int preservep)
 {
     switch (t->type) {
     case TType:
@@ -282,104 +536,123 @@ define_type (int level, char *name, Type *t, int typedefp)
 	break;
     case TInteger:
 	space(level);
-        if(t->members == NULL) {
-            fprintf (headerfile, "int %s;\n", name);
-        } else {
+	if(t->members) {
             Member *m;
-            int tag = -1;
             fprintf (headerfile, "enum %s {\n", typedefp ? name : "");
-	    for (m = t->members; m && m->val != tag; m = m->next) {
-                if(tag == -1)
-                    tag = m->val;
+	    ASN1_TAILQ_FOREACH(m, t->members, members) {
                 space (level + 1);
                 fprintf(headerfile, "%s = %d%s\n", m->gen_name, m->val, 
-                        m->next->val == tag ? "" : ",");
+                        last_member_p(m));
             }
             fprintf (headerfile, "} %s;\n", name);
-        }
+	} else if (t->range == NULL) {
+	    fprintf (headerfile, "heim_integer %s;\n", name);
+	} else if (t->range->min == INT_MIN && t->range->max == INT_MAX) {
+	    fprintf (headerfile, "int %s;\n", name);
+	} else if (t->range->min == 0 && t->range->max == UINT_MAX) {
+	    fprintf (headerfile, "unsigned int %s;\n", name);
+	} else if (t->range->min == 0 && t->range->max == INT_MAX) {
+	    fprintf (headerfile, "unsigned int %s;\n", name);
+	} else
+	    errx(1, "%s: unsupported range %d -> %d", 
+		 name, t->range->min, t->range->max);
 	break;
-    case TUInteger:
+    case TBoolean:
 	space(level);
-	fprintf (headerfile, "unsigned int %s;\n", name);
+	fprintf (headerfile, "int %s;\n", name);
 	break;
     case TOctetString:
 	space(level);
-	fprintf (headerfile, "octet_string %s;\n", name);
-	break;
-    case TOID :
-	space(level);
-	fprintf (headerfile, "oid %s;\n", name);
+	fprintf (headerfile, "heim_octet_string %s;\n", name);
 	break;
     case TBitString: {
 	Member *m;
 	Type i;
-	int tag = -1;
+	struct range range = { 0, INT_MAX };
+
+	i.type = TInteger;
+	i.range = &range;
+	i.members = NULL;
+	i.constraint = NULL;
 
-	i.type = TUInteger;
 	space(level);
-	fprintf (headerfile, "struct %s {\n", typedefp ? name : "");
-	for (m = t->members; m && m->val != tag; m = m->next) {
-	    char *n;
-
-	    asprintf (&n, "%s:1", m->gen_name);
-	    define_type (level + 1, n, &i, FALSE);
-	    free (n);
-	    if (tag == -1)
-		tag = m->val;
+	if(ASN1_TAILQ_EMPTY(t->members)) 
+	    fprintf (headerfile, "heim_bit_string %s;\n", name);
+	else {
+	    fprintf (headerfile, "struct %s {\n", typedefp ? name : "");
+	    ASN1_TAILQ_FOREACH(m, t->members, members) {
+		char *n;
+		
+		asprintf (&n, "%s:1", m->gen_name);
+		if (n == NULL)
+		    errx(1, "malloc");
+		define_type (level + 1, n, &i, FALSE, FALSE);
+		free (n);
+	    }
+	    space(level);
+	    fprintf (headerfile, "} %s;\n\n", name);
 	}
-	space(level);
-	fprintf (headerfile, "} %s;\n\n", name);
 	break;
     }
     case TEnumerated: {
 	Member *m;
-	int tag = -1;
 
 	space(level);
 	fprintf (headerfile, "enum %s {\n", typedefp ? name : "");
-	for (m = t->members; m && m->val != tag; m = m->next) {
-	    if (tag == -1)
-		tag = m->val;
+	ASN1_TAILQ_FOREACH(m, t->members, members) {
 	    space(level + 1);
-	    fprintf (headerfile, "%s = %d%s\n", m->gen_name, m->val,
-                        m->next->val == tag ? "" : ",");
+	    if (m->ellipsis)
+		fprintf (headerfile, "/* ... */\n");
+	    else
+		fprintf (headerfile, "%s = %d%s\n", m->gen_name, m->val,
+			 last_member_p(m));
 	}
 	space(level);
 	fprintf (headerfile, "} %s;\n\n", name);
 	break;
     }
+    case TSet:
     case TSequence: {
 	Member *m;
-	int tag = -1;
 
 	space(level);
 	fprintf (headerfile, "struct %s {\n", typedefp ? name : "");
-	for (m = t->members; m && m->val != tag; m = m->next) {
-	    if (m->optional) {
+	if (t->type == TSequence && preservep) {
+	    space(level + 1);
+	    fprintf(headerfile, "heim_octet_string _save;\n");
+	}
+	ASN1_TAILQ_FOREACH(m, t->members, members) {
+	    if (m->ellipsis) {
+		;
+	    } else if (m->optional) {
 		char *n;
 
 		asprintf (&n, "*%s", m->gen_name);
-		define_type (level + 1, n, m->type, FALSE);
+		if (n == NULL)
+		    errx(1, "malloc");
+		define_type (level + 1, n, m->type, FALSE, FALSE);
 		free (n);
 	    } else
-		define_type (level + 1, m->gen_name, m->type, FALSE);
-	    if (tag == -1)
-		tag = m->val;
+		define_type (level + 1, m->gen_name, m->type, FALSE, FALSE);
 	}
 	space(level);
 	fprintf (headerfile, "} %s;\n", name);
 	break;
     }
+    case TSetOf:
     case TSequenceOf: {
 	Type i;
+	struct range range = { 0, INT_MAX };
 
-	i.type = TUInteger;
-	i.application = 0;
+	i.type = TInteger;
+	i.range = &range;
+	i.members = NULL;
+	i.constraint = NULL;
 
 	space(level);
 	fprintf (headerfile, "struct %s {\n", typedefp ? name : "");
-	define_type (level + 1, "len", &i, FALSE);
-	define_type (level + 1, "*val", t->subtype, FALSE);
+	define_type (level + 1, "len", &i, FALSE, FALSE);
+	define_type (level + 1, "*val", t->subtype, FALSE, FALSE);
 	space(level);
 	fprintf (headerfile, "} %s;\n", name);
 	break;
@@ -390,10 +663,99 @@ define_type (int level, char *name, Type *t, int typedefp)
 	break;
     case TGeneralString:
 	space(level);
-	fprintf (headerfile, "general_string %s;\n", name);
+	fprintf (headerfile, "heim_general_string %s;\n", name);
 	break;
-    case TApplication:
-	define_type (level, name, t->subtype, FALSE);
+    case TTag:
+	define_type (level, name, t->subtype, typedefp, preservep);
+	break;
+    case TChoice: {
+	int first = 1;
+	Member *m;
+
+	space(level);
+	fprintf (headerfile, "struct %s {\n", typedefp ? name : "");
+	if (preservep) {
+	    space(level + 1);
+	    fprintf(headerfile, "heim_octet_string _save;\n");
+	}
+	space(level + 1);
+	fprintf (headerfile, "enum {\n");
+	m = have_ellipsis(t);
+	if (m) {
+	    space(level + 2);
+	    fprintf (headerfile, "%s = 0,\n", m->label); 
+	    first = 0;
+	}
+	ASN1_TAILQ_FOREACH(m, t->members, members) {
+	    space(level + 2);
+	    if (m->ellipsis)
+		fprintf (headerfile, "/* ... */\n");
+	    else
+		fprintf (headerfile, "%s%s%s\n", m->label, 
+			 first ? " = 1" : "", 
+			 last_member_p(m));
+	    first = 0;
+	}
+	space(level + 1);
+	fprintf (headerfile, "} element;\n");
+	space(level + 1);
+	fprintf (headerfile, "union {\n");
+	ASN1_TAILQ_FOREACH(m, t->members, members) {
+	    if (m->ellipsis) {
+		space(level + 2);
+		fprintf(headerfile, "heim_octet_string asn1_ellipsis;\n");
+	    } else if (m->optional) {
+		char *n;
+
+		asprintf (&n, "*%s", m->gen_name);
+		if (n == NULL)
+		    errx(1, "malloc");
+		define_type (level + 2, n, m->type, FALSE, FALSE);
+		free (n);
+	    } else
+		define_type (level + 2, m->gen_name, m->type, FALSE, FALSE);
+	}
+	space(level + 1);
+	fprintf (headerfile, "} u;\n");
+	space(level);
+	fprintf (headerfile, "} %s;\n", name);
+	break;
+    }
+    case TUTCTime:
+	space(level);
+	fprintf (headerfile, "time_t %s;\n", name);
+	break;
+    case TUTF8String:
+	space(level);
+	fprintf (headerfile, "heim_utf8_string %s;\n", name);
+	break;
+    case TPrintableString:
+	space(level);
+	fprintf (headerfile, "heim_printable_string %s;\n", name);
+	break;
+    case TIA5String:
+	space(level);
+	fprintf (headerfile, "heim_ia5_string %s;\n", name);
+	break;
+    case TBMPString:
+	space(level);
+	fprintf (headerfile, "heim_bmp_string %s;\n", name);
+	break;
+    case TUniversalString:
+	space(level);
+	fprintf (headerfile, "heim_universal_string %s;\n", name);
+	break;
+    case TVisibleString:
+	space(level);
+	fprintf (headerfile, "heim_visible_string %s;\n", name);
+	break;
+    case TOID :
+	space(level);
+	fprintf (headerfile, "heim_oid %s;\n", name);
+	break;
+    case TNull:
+	space(level);
+	fprintf (headerfile, "int %s;\n", name);
 	break;
     default:
 	abort ();
@@ -403,13 +765,15 @@ define_type (int level, char *name, Type *t, int typedefp)
 static void
 generate_type_header (const Symbol *s)
 {
+    int preservep = preserve_type(s->name) ? TRUE : FALSE;
+
     fprintf (headerfile, "/*\n");
     fprintf (headerfile, "%s ::= ", s->name);
     define_asn1 (0, s->type);
     fprintf (headerfile, "\n*/\n\n");
 
     fprintf (headerfile, "typedef ");
-    define_type (0, s->gen_name, s->type, TRUE);
+    define_type (0, s->gen_name, s->type, TRUE, preservep);
 
     fprintf (headerfile, "\n");
 }
@@ -418,43 +782,16 @@ generate_type_header (const Symbol *s)
 void
 generate_type (const Symbol *s)
 {
-    struct import *i;
-    char *filename;
-
-    asprintf (&filename, "%s_%s.x", STEM, s->gen_name);
-    codefile = fopen (filename, "w");
-    if (codefile == NULL)
-	err (1, "fopen %s", filename);
-    fprintf(logfile, "%s ", filename);
-    free(filename);
-    fprintf (codefile, 
-	     "/* Generated from %s */\n"
-	     "/* Do not edit */\n\n"
-	     "#include <stdio.h>\n"
-	     "#include <stdlib.h>\n"
-	     "#include <time.h>\n"
-	     "#include <string.h>\n"
-	     "#include <errno.h>\n",
-	     orig_filename);
+    generate_header_of_codefile(s->gen_name);
 
-    for (i = imports; i != NULL; i = i->next)
-	fprintf (codefile,
-		 "#include <%s_asn1.h>\n",
-		 i->module);
-    fprintf (codefile,
-	     "#include <%s.h>\n",
-	     headerbase);
-    fprintf (codefile,
-	     "#include <asn1_err.h>\n"
-	     "#include <der.h>\n"
-	     "#include <parse_units.h>\n\n");
     generate_type_header (s);
     generate_type_encode (s);
     generate_type_decode (s);
     generate_type_free (s);
     generate_type_length (s);
     generate_type_copy (s);
-    generate_glue (s);
+    generate_type_seq (s);
+    generate_glue (s->type, s->gen_name);
     fprintf(headerfile, "\n\n");
-    fclose(codefile);
+    close_codefile();
 }
diff --git a/crypto/heimdal/lib/asn1/gen_copy.c b/crypto/heimdal/lib/asn1/gen_copy.c
index 20f0d5b..abf1185 100644
--- a/crypto/heimdal/lib/asn1/gen_copy.c
+++ b/crypto/heimdal/lib/asn1/gen_copy.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,119 +33,217 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen_copy.c,v 1.12 2001/09/25 13:39:26 assar Exp $");
+RCSID("$Id: gen_copy.c 19539 2006-12-28 17:15:05Z lha $");
+
+static int used_fail;
 
 static void
 copy_primitive (const char *typename, const char *from, const char *to)
 {
-    fprintf (codefile, "if(copy_%s(%s, %s)) return ENOMEM;\n", 
+    fprintf (codefile, "if(der_copy_%s(%s, %s)) goto fail;\n", 
 	     typename, from, to);
+    used_fail++;
 }
 
 static void
-copy_type (const char *from, const char *to, const Type *t)
+copy_type (const char *from, const char *to, const Type *t, int preserve)
 {
-  switch (t->type) {
-  case TType:
+    switch (t->type) {
+    case TType:
 #if 0
-      copy_type (from, to, t->symbol->type);
+	copy_type (from, to, t->symbol->type, preserve);
 #endif
-      fprintf (codefile, "if(copy_%s(%s, %s)) return ENOMEM;\n", 
-	       t->symbol->gen_name, from, to);
-      break;
-  case TInteger:
-  case TUInteger:
-  case TEnumerated :
-      fprintf(codefile, "*(%s) = *(%s);\n", to, from);
-      break;
-  case TOctetString:
-      copy_primitive ("octet_string", from, to);
-      break;
-  case TOID:
-      copy_primitive ("oid", from, to);
-      break;
-  case TBitString: {
-      fprintf(codefile, "*(%s) = *(%s);\n", to, from);
-      break;
-  }
-  case TSequence: {
-      Member *m;
-      int tag = -1;
-
-      if (t->members == NULL)
-	  break;
+	fprintf (codefile, "if(copy_%s(%s, %s)) goto fail;\n", 
+		 t->symbol->gen_name, from, to);
+	used_fail++;
+	break;
+    case TInteger:
+	if (t->range == NULL && t->members == NULL) {
+	    copy_primitive ("heim_integer", from, to);
+	    break;
+	}
+    case TBoolean:
+    case TEnumerated :
+	fprintf(codefile, "*(%s) = *(%s);\n", to, from);
+	break;
+    case TOctetString:
+	copy_primitive ("octet_string", from, to);
+	break;
+    case TBitString:
+	if (ASN1_TAILQ_EMPTY(t->members))
+	    copy_primitive ("bit_string", from, to);
+	else
+	    fprintf(codefile, "*(%s) = *(%s);\n", to, from);
+	break;
+    case TSet:
+    case TSequence:
+    case TChoice: {
+	Member *m, *have_ellipsis = NULL;
+
+	if(t->members == NULL)
+	    break;
       
-      for (m = t->members; m && tag != m->val; m = m->next) {
-	  char *f;
-	  char *t;
-
-	  asprintf (&f, "%s(%s)->%s",
-		    m->optional ? "" : "&", from, m->gen_name);
-	  asprintf (&t, "%s(%s)->%s",
-		    m->optional ? "" : "&", to, m->gen_name);
-	  if(m->optional){
-	      fprintf(codefile, "if(%s) {\n", f);
-	      fprintf(codefile, "%s = malloc(sizeof(*%s));\n", t, t);
-	      fprintf(codefile, "if(%s == NULL) return ENOMEM;\n", t);
-	  }
-	  copy_type (f, t, m->type);
-	  if(m->optional){
-	      fprintf(codefile, "}else\n");
-	      fprintf(codefile, "%s = NULL;\n", t);
-	  }
-	  if (tag == -1)
-	      tag = m->val;
-	  free (f);
-	  free (t);
-      }
-      break;
-  }
-  case TSequenceOf: {
-      char *f;
-      char *T;
-
-      fprintf (codefile, "if(((%s)->val = "
-	       "malloc((%s)->len * sizeof(*(%s)->val))) == NULL && (%s)->len != 0)\n", 
-	       to, from, to, from);
-      fprintf (codefile, "return ENOMEM;\n");
-      fprintf(codefile,
-	      "for((%s)->len = 0; (%s)->len < (%s)->len; (%s)->len++){\n",
-	      to, to, from, to);
-      asprintf(&f, "&(%s)->val[(%s)->len]", from, to);
-      asprintf(&T, "&(%s)->val[(%s)->len]", to, to);
-      copy_type(f, T, t->subtype);
-      fprintf(codefile, "}\n");
-      free(f);
-      free(T);
-      break;
-  }
-  case TGeneralizedTime:
-      fprintf(codefile, "*(%s) = *(%s);\n", to, from);
-      break;
-  case TGeneralString:
-      copy_primitive ("general_string", from, to);
-      break;
-  case TApplication:
-      copy_type (from, to, t->subtype);
-      break;
-  default :
-      abort ();
-  }
+	if ((t->type == TSequence || t->type == TChoice) && preserve) {
+	    fprintf(codefile,
+		    "{ int ret;\n"
+		    "ret = der_copy_octet_string(&(%s)->_save, &(%s)->_save);\n"
+		    "if (ret) goto fail;\n"
+		    "}\n",
+		    from, to);
+	    used_fail++;
+	}
+
+	if(t->type == TChoice) {
+	    fprintf(codefile, "(%s)->element = (%s)->element;\n", to, from);
+	    fprintf(codefile, "switch((%s)->element) {\n", from);
+	}
+
+	ASN1_TAILQ_FOREACH(m, t->members, members) {
+	    char *fs;
+	    char *ts;
+
+	    if (m->ellipsis) {
+		have_ellipsis = m;
+		continue;
+	    }
+
+	    if(t->type == TChoice)
+		fprintf(codefile, "case %s:\n", m->label);
+
+	    asprintf (&fs, "%s(%s)->%s%s",
+		      m->optional ? "" : "&", from, 
+		      t->type == TChoice ? "u." : "", m->gen_name);
+	    if (fs == NULL)
+		errx(1, "malloc");
+	    asprintf (&ts, "%s(%s)->%s%s",
+		      m->optional ? "" : "&", to, 
+		      t->type == TChoice ? "u." : "", m->gen_name);
+	    if (ts == NULL)
+		errx(1, "malloc");
+	    if(m->optional){
+		fprintf(codefile, "if(%s) {\n", fs);
+		fprintf(codefile, "%s = malloc(sizeof(*%s));\n", ts, ts);
+		fprintf(codefile, "if(%s == NULL) goto fail;\n", ts);
+		used_fail++;
+	    }
+	    copy_type (fs, ts, m->type, FALSE);
+	    if(m->optional){
+		fprintf(codefile, "}else\n");
+		fprintf(codefile, "%s = NULL;\n", ts);
+	    }
+	    free (fs);
+	    free (ts);
+	    if(t->type == TChoice)
+		fprintf(codefile, "break;\n");
+	}
+	if(t->type == TChoice) {
+	    if (have_ellipsis) {
+		fprintf(codefile, "case %s: {\n"
+			"int ret;\n"
+			"ret=der_copy_octet_string(&(%s)->u.%s, &(%s)->u.%s);\n"
+			"if (ret) goto fail;\n"
+			"break;\n"
+			"}\n",
+			have_ellipsis->label,
+			from, have_ellipsis->gen_name, 
+			to, have_ellipsis->gen_name);
+		used_fail++;
+	    }
+	    fprintf(codefile, "}\n");	
+	}
+	break;
+    }
+    case TSetOf:
+    case TSequenceOf: {
+	char *f;
+	char *T;
+
+	fprintf (codefile, "if(((%s)->val = "
+		 "malloc((%s)->len * sizeof(*(%s)->val))) == NULL && (%s)->len != 0)\n", 
+		 to, from, to, from);
+	fprintf (codefile, "goto fail;\n");
+	used_fail++;
+	fprintf(codefile,
+		"for((%s)->len = 0; (%s)->len < (%s)->len; (%s)->len++){\n",
+		to, to, from, to);
+	asprintf(&f, "&(%s)->val[(%s)->len]", from, to);
+	if (f == NULL)
+	    errx(1, "malloc");
+	asprintf(&T, "&(%s)->val[(%s)->len]", to, to);
+	if (T == NULL)
+	    errx(1, "malloc");
+	copy_type(f, T, t->subtype, FALSE);
+	fprintf(codefile, "}\n");
+	free(f);
+	free(T);
+	break;
+    }
+    case TGeneralizedTime:
+	fprintf(codefile, "*(%s) = *(%s);\n", to, from);
+	break;
+    case TGeneralString:
+	copy_primitive ("general_string", from, to);
+	break;
+    case TUTCTime:
+	fprintf(codefile, "*(%s) = *(%s);\n", to, from);
+	break;
+    case TUTF8String:
+	copy_primitive ("utf8string", from, to);
+	break;
+    case TPrintableString:
+	copy_primitive ("printable_string", from, to);
+	break;
+    case TIA5String:
+	copy_primitive ("ia5_string", from, to);
+	break;
+    case TBMPString:
+	copy_primitive ("bmp_string", from, to);
+	break;
+    case TUniversalString:
+	copy_primitive ("universal_string", from, to);
+	break;
+    case TVisibleString:
+	copy_primitive ("visible_string", from, to);
+	break;
+    case TTag:
+	copy_type (from, to, t->subtype, preserve);
+	break;
+    case TOID:
+	copy_primitive ("oid", from, to);
+	break;
+    case TNull:
+	break;
+    default :
+	abort ();
+    }
 }
 
 void
 generate_type_copy (const Symbol *s)
 {
+  int preserve = preserve_type(s->name) ? TRUE : FALSE;
+
+  used_fail = 0;
+
   fprintf (headerfile,
 	   "int    copy_%s  (const %s *, %s *);\n",
 	   s->gen_name, s->gen_name, s->gen_name);
 
   fprintf (codefile, "int\n"
 	   "copy_%s(const %s *from, %s *to)\n"
-	   "{\n",
+	   "{\n"
+	   "memset(to, 0, sizeof(*to));\n",
 	   s->gen_name, s->gen_name, s->gen_name);
+  copy_type ("from", "to", s->type, preserve);
+  fprintf (codefile, "return 0;\n");
+
+  if (used_fail)
+      fprintf (codefile, "fail:\n"
+	       "free_%s(to);\n"
+	       "return ENOMEM;\n",
+	       s->gen_name);
 
-  copy_type ("from", "to", s->type);
-  fprintf (codefile, "return 0;\n}\n\n");
+  fprintf(codefile,
+	  "}\n\n");
 }
 
diff --git a/crypto/heimdal/lib/asn1/gen_decode.c b/crypto/heimdal/lib/asn1/gen_decode.c
index 7237e4e..face9ba 100644
--- a/crypto/heimdal/lib/asn1/gen_decode.c
+++ b/crypto/heimdal/lib/asn1/gen_decode.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,363 +32,689 @@
  */
 
 #include "gen_locl.h"
+#include "lex.h"
 
-RCSID("$Id: gen_decode.c,v 1.18 2002/08/09 15:37:34 joda Exp $");
+RCSID("$Id: gen_decode.c 21503 2007-07-12 11:57:19Z lha $");
 
 static void
-decode_primitive (const char *typename, const char *name)
+decode_primitive (const char *typename, const char *name, const char *forwstr)
 {
+#if 0
     fprintf (codefile,
 	     "e = decode_%s(p, len, %s, &l);\n"
-	     "FORW;\n",
+	     "%s;\n",
+	     typename,
+	     name,
+	     forwstr);
+#else
+    fprintf (codefile,
+	     "e = der_get_%s(p, len, %s, &l);\n"
+	     "if(e) %s;\np += l; len -= l; ret += l;\n",
 	     typename,
-	     name);
+	     name,
+	     forwstr);
+#endif
+}
+
+static int
+is_primitive_type(int type)
+{
+    switch(type) {
+    case TInteger:
+    case TBoolean:
+    case TOctetString:
+    case TBitString:
+    case TEnumerated:
+    case TGeneralizedTime:
+    case TGeneralString:
+    case TOID:
+    case TUTCTime:
+    case TUTF8String:
+    case TPrintableString:
+    case TIA5String:
+    case TBMPString:
+    case TUniversalString:
+    case TVisibleString:
+    case TNull:
+	return 1;
+    default:
+	return 0;
+    }
 }
 
 static void
-decode_type (const char *name, const Type *t)
+find_tag (const Type *t,
+	  Der_class *cl, Der_type *ty, unsigned *tag)
 {
     switch (t->type) {
-    case TType:
-#if 0
-	decode_type (name, t->symbol->type);
-#endif
+    case TBitString:
+	*cl  = ASN1_C_UNIV;
+	*ty  = PRIM;
+	*tag = UT_BitString;
+	break;
+    case TBoolean:
+	*cl  = ASN1_C_UNIV;
+	*ty  = PRIM;
+	*tag = UT_Boolean;
+	break;
+    case TChoice: 
+	errx(1, "Cannot have recursive CHOICE");
+    case TEnumerated:
+	*cl  = ASN1_C_UNIV;
+	*ty  = PRIM;
+	*tag = UT_Enumerated;
+	break;
+    case TGeneralString: 
+	*cl  = ASN1_C_UNIV;
+	*ty  = PRIM;
+	*tag = UT_GeneralString;
+	break;
+    case TGeneralizedTime: 
+	*cl  = ASN1_C_UNIV;
+	*ty  = PRIM;
+	*tag = UT_GeneralizedTime;
+	break;
+    case TIA5String:
+	*cl  = ASN1_C_UNIV;
+	*ty  = PRIM;
+	*tag = UT_IA5String;
+	break;
+    case TInteger: 
+	*cl  = ASN1_C_UNIV;
+	*ty  = PRIM;
+	*tag = UT_Integer;
+	break;
+    case TNull:
+	*cl  = ASN1_C_UNIV;
+	*ty  = PRIM;
+	*tag = UT_Null;
+	break;
+    case TOID: 
+	*cl  = ASN1_C_UNIV;
+	*ty  = PRIM;
+	*tag = UT_OID;
+	break;
+    case TOctetString: 
+	*cl  = ASN1_C_UNIV;
+	*ty  = PRIM;
+	*tag = UT_OctetString;
+	break;
+    case TPrintableString:
+	*cl  = ASN1_C_UNIV;
+	*ty  = PRIM;
+	*tag = UT_PrintableString;
+	break;
+    case TSequence: 
+    case TSequenceOf:
+	*cl  = ASN1_C_UNIV;
+	*ty  = CONS;
+	*tag = UT_Sequence;
+	break;
+    case TSet: 
+    case TSetOf:
+	*cl  = ASN1_C_UNIV;
+	*ty  = CONS;
+	*tag = UT_Set;
+	break;
+    case TTag: 
+	*cl  = t->tag.tagclass;
+	*ty  = is_primitive_type(t->subtype->type) ? PRIM : CONS;
+	*tag = t->tag.tagvalue;
+	break;
+    case TType: 
+	if ((t->symbol->stype == Stype && t->symbol->type == NULL)
+	    || t->symbol->stype == SUndefined) {
+	    error_message("%s is imported or still undefined, "
+			  " can't generate tag checking data in CHOICE "
+			  "without this information",
+			  t->symbol->name);
+	    exit(1);
+	}
+	find_tag(t->symbol->type, cl, ty, tag);
+	return;
+    case TUTCTime: 
+	*cl  = ASN1_C_UNIV;
+	*ty  = PRIM;
+	*tag = UT_UTCTime;
+	break;
+    case TUTF8String:
+	*cl  = ASN1_C_UNIV;
+	*ty  = PRIM;
+	*tag = UT_UTF8String;
+	break;
+    case TBMPString:
+	*cl  = ASN1_C_UNIV;
+	*ty  = PRIM;
+	*tag = UT_BMPString;
+	break;
+    case TUniversalString:
+	*cl  = ASN1_C_UNIV;
+	*ty  = PRIM;
+	*tag = UT_UniversalString;
+	break;
+    case TVisibleString:
+	*cl  = ASN1_C_UNIV;
+	*ty  = PRIM;
+	*tag = UT_VisibleString;
+	break;
+    default:
+	abort();
+    }
+}
+
+static void
+range_check(const char *name,
+	    const char *length,
+	    const char *forwstr, 
+	    struct range *r)
+{
+    if (r->min == r->max + 2 || r->min < r->max)
 	fprintf (codefile,
-		 "e = decode_%s(p, len, %s, &l);\n"
-		 "FORW;\n",
+		 "if ((%s)->%s > %d) {\n"
+		 "e = ASN1_MAX_CONSTRAINT; %s;\n"
+		 "}\n",
+		 name, length, r->max, forwstr);
+    if (r->min - 1 == r->max || r->min < r->max)
+	fprintf (codefile,
+		 "if ((%s)->%s < %d) {\n"
+		 "e = ASN1_MIN_CONSTRAINT; %s;\n"
+		 "}\n",
+		 name, length, r->min, forwstr);
+    if (r->max == r->min)
+	fprintf (codefile,
+		 "if ((%s)->%s != %d) {\n"
+		 "e = ASN1_EXACT_CONSTRAINT; %s;\n"
+		 "}\n",
+		 name, length, r->min, forwstr);
+}
+
+static int
+decode_type (const char *name, const Type *t, int optional, 
+	     const char *forwstr, const char *tmpstr)
+{
+    switch (t->type) {
+    case TType: {
+	if (optional)
+	    fprintf(codefile, 
+		    "%s = calloc(1, sizeof(*%s));\n"
+		    "if (%s == NULL) %s;\n",
+		    name, name, name, forwstr);
+	fprintf (codefile,
+		 "e = decode_%s(p, len, %s, &l);\n",
 		 t->symbol->gen_name, name);
-	break;
-    case TInteger:
-	if(t->members == NULL)
-	    decode_primitive ("integer", name);
-	else {
-	    char *s;
-	    asprintf(&s, "(int*)%s", name);
-	    if(s == NULL)
-		errx (1, "out of memory");
-	    decode_primitive ("integer", s);
-	    free(s);
+	if (optional) {
+	    fprintf (codefile,
+		     "if(e) {\n"
+		     "free(%s);\n"
+		     "%s = NULL;\n"
+		     "} else {\n"
+		     "p += l; len -= l; ret += l;\n"
+		     "}\n",
+		     name, name);
+	} else {
+	    fprintf (codefile,
+		     "if(e) %s;\n",
+		     forwstr);
+	    fprintf (codefile,
+		     "p += l; len -= l; ret += l;\n");
 	}
 	break;
-    case TUInteger:
-	decode_primitive ("unsigned", name);
+    }
+    case TInteger:
+	if(t->members) {
+	    fprintf(codefile,
+		    "{\n"
+		    "int enumint;\n");
+	    decode_primitive ("integer", "&enumint", forwstr);
+	    fprintf(codefile,
+		    "*%s = enumint;\n"
+		    "}\n",
+		    name);
+	} else if (t->range == NULL) {
+	    decode_primitive ("heim_integer", name, forwstr);
+	} else if (t->range->min == INT_MIN && t->range->max == INT_MAX) {
+	    decode_primitive ("integer", name, forwstr);
+	} else if (t->range->min == 0 && t->range->max == UINT_MAX) {
+	    decode_primitive ("unsigned", name, forwstr);
+	} else if (t->range->min == 0 && t->range->max == INT_MAX) {
+	    decode_primitive ("unsigned", name, forwstr);
+	} else
+	    errx(1, "%s: unsupported range %d -> %d", 
+		 name, t->range->min, t->range->max);
 	break;
+    case TBoolean:
+      decode_primitive ("boolean", name, forwstr);
+      break;
     case TEnumerated:
-	decode_primitive ("enumerated", name);
+	decode_primitive ("enumerated", name, forwstr);
 	break;
     case TOctetString:
-	decode_primitive ("octet_string", name);
-	break;
-    case TOID :
-	decode_primitive ("oid", name);
+	decode_primitive ("octet_string", name, forwstr);
+	if (t->range)
+	    range_check(name, "length", forwstr, t->range);
 	break;
     case TBitString: {
 	Member *m;
-	int tag = -1;
-	int pos;
+	int pos = 0;
 
-	fprintf (codefile,
-		 "e = der_match_tag_and_length (p, len, UNIV, PRIM, UT_BitString,"
-		 "&reallen, &l);\n"
-		 "FORW;\n"
-		 "if(len < reallen)\n"
-		 "return ASN1_OVERRUN;\n"
-		 "p++;\n"
-		 "len--;\n"
-		 "reallen--;\n"
-		 "ret++;\n");
-	pos = 0;
-	for (m = t->members; m && tag != m->val; m = m->next) {
+	if (ASN1_TAILQ_EMPTY(t->members)) {
+	    decode_primitive ("bit_string", name, forwstr);
+	    break;
+	}
+	fprintf(codefile,
+		"if (len < 1) return ASN1_OVERRUN;\n"
+		"p++; len--; ret++;\n");
+	fprintf(codefile,
+		"do {\n"
+		"if (len < 1) break;\n");
+	ASN1_TAILQ_FOREACH(m, t->members, members) {
 	    while (m->val / 8 > pos / 8) {
 		fprintf (codefile,
-			 "p++; len--; reallen--; ret++;\n");
+			 "p++; len--; ret++;\n"
+			 "if (len < 1) break;\n");
 		pos += 8;
 	    }
 	    fprintf (codefile,
-		     "%s->%s = (*p >> %d) & 1;\n",
+		     "(%s)->%s = (*p >> %d) & 1;\n",
 		     name, m->gen_name, 7 - m->val % 8);
-	    if (tag == -1)
-		tag = m->val;
 	}
+	fprintf(codefile,
+		"} while(0);\n");
 	fprintf (codefile,
-		 "p += reallen; len -= reallen; ret += reallen;\n");
+		 "p += len; ret += len;\n");
 	break;
     }
     case TSequence: {
 	Member *m;
-	int tag = -1;
 
 	if (t->members == NULL)
 	    break;
 
-	fprintf (codefile,
-		 "e = der_match_tag_and_length (p, len, UNIV, CONS, UT_Sequence,"
-		 "&reallen, &l);\n"
-		 "FORW;\n"
-		 "{\n"
-		 "int dce_fix;\n"
-		 "if((dce_fix = fix_dce(reallen, &len)) < 0)\n"
-		 "return ASN1_BAD_FORMAT;\n");
+	ASN1_TAILQ_FOREACH(m, t->members, members) {
+	    char *s;
+
+	    if (m->ellipsis)
+		continue;
 
-	for (m = t->members; m && tag != m->val; m = m->next) {
+	    asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&",
+		      name, m->gen_name);
+	    if (s == NULL)
+		errx(1, "malloc");
+	    decode_type (s, m->type, m->optional, forwstr, m->gen_name);
+	    free (s);
+	}
+	
+	break;
+    }
+    case TSet: {
+	Member *m;
+	unsigned int memno;
+
+	if(t->members == NULL)
+	    break;
+
+	fprintf(codefile, "{\n");
+	fprintf(codefile, "unsigned int members = 0;\n");
+	fprintf(codefile, "while(len > 0) {\n");
+	fprintf(codefile, 
+		"Der_class class;\n"
+		"Der_type type;\n"
+		"int tag;\n"
+		"e = der_get_tag (p, len, &class, &type, &tag, NULL);\n"
+		"if(e) %s;\n", forwstr);
+	fprintf(codefile, "switch (MAKE_TAG(class, type, tag)) {\n");
+	memno = 0;
+	ASN1_TAILQ_FOREACH(m, t->members, members) {
 	    char *s;
 
+	    assert(m->type->type == TTag);
+
+	    fprintf(codefile, "case MAKE_TAG(%s, %s, %s):\n",
+		    classname(m->type->tag.tagclass),
+		    is_primitive_type(m->type->subtype->type) ? "PRIM" : "CONS",
+		    valuename(m->type->tag.tagclass, m->type->tag.tagvalue));
+
 	    asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&", name, m->gen_name);
-	    if (0 && m->type->type == TType){
-		if(m->optional)
-		    fprintf (codefile,
-			     "%s = malloc(sizeof(*%s));\n"
-			     "if(%s == NULL) return ENOMEM;\n", s, s, s);
-		fprintf (codefile, 
-			 "e = decode_seq_%s(p, len, %d, %d, %s, &l);\n",
-			 m->type->symbol->gen_name,
-			 m->val, 
-			 m->optional,
-			 s);
-		if(m->optional)
-		    fprintf (codefile, 
-			     "if (e == ASN1_MISSING_FIELD) {\n"
-			     "free(%s);\n"
-			     "%s = NULL;\n"
-			     "e = l = 0;\n"
-			     "}\n",
-			     s, s);
-	  
-		fprintf (codefile, "FORW;\n");
-	  
-	    }else{
-		fprintf (codefile, "{\n"
-			 "size_t newlen, oldlen;\n\n"
-			 "e = der_match_tag (p, len, CONTEXT, CONS, %d, &l);\n",
-			 m->val);
-		fprintf (codefile,
-			 "if (e)\n");
-		if(m->optional)
-		    /* XXX should look at e */
-		    fprintf (codefile,
-			     "%s = NULL;\n", s);
-		else
-		    fprintf (codefile,
-			     "return e;\n");
-		fprintf (codefile, 
-			 "else {\n");
-		fprintf (codefile,
-			 "p += l;\n"
-			 "len -= l;\n"
-			 "ret += l;\n"
-			 "e = der_get_length (p, len, &newlen, &l);\n"
-			 "FORW;\n"
-			 "{\n"
-	       
-			 "int dce_fix;\n"
-			 "oldlen = len;\n"
-			 "if((dce_fix = fix_dce(newlen, &len)) < 0)"
-			 "return ASN1_BAD_FORMAT;\n");
-		if (m->optional)
-		    fprintf (codefile,
-			     "%s = malloc(sizeof(*%s));\n"
-			     "if(%s == NULL) return ENOMEM;\n", s, s, s);
-		decode_type (s, m->type);
-		fprintf (codefile,
-			 "if(dce_fix){\n"
-			 "e = der_match_tag_and_length (p, len, "
-			 "(Der_class)0, (Der_type)0, 0, &reallen, &l);\n"
-			 "FORW;\n"
-			 "}else \n"
-			 "len = oldlen - newlen;\n"
-			 "}\n"
-			 "}\n");
-		fprintf (codefile,
-			 "}\n");
-	    }
-	    if (tag == -1)
-		tag = m->val;
+	    if (s == NULL)
+		errx(1, "malloc");
+	    if(m->optional)
+		fprintf(codefile, 
+			"%s = calloc(1, sizeof(*%s));\n"
+			"if (%s == NULL) { e = ENOMEM; %s; }\n",
+			s, s, s, forwstr);
+	    decode_type (s, m->type, 0, forwstr, m->gen_name);
 	    free (s);
+
+	    fprintf(codefile, "members |= (1 << %d);\n", memno);
+	    memno++;
+	    fprintf(codefile, "break;\n");
 	}
-	fprintf(codefile,
-		"if(dce_fix){\n"
-		"e = der_match_tag_and_length (p, len, "
-		"(Der_class)0, (Der_type)0, 0, &reallen, &l);\n"
-		"FORW;\n"
-		"}\n"
-		"}\n");
+	fprintf(codefile, 
+		"default:\n"
+		"return ASN1_MISPLACED_FIELD;\n"
+		"break;\n");
+	fprintf(codefile, "}\n");
+	fprintf(codefile, "}\n");
+	memno = 0;
+	ASN1_TAILQ_FOREACH(m, t->members, members) {
+	    char *s;
 
+	    asprintf (&s, "%s->%s", name, m->gen_name);
+	    if (s == NULL)
+		errx(1, "malloc");
+	    fprintf(codefile, "if((members & (1 << %d)) == 0)\n", memno);
+	    if(m->optional)
+		fprintf(codefile, "%s = NULL;\n", s);
+	    else if(m->defval)
+		gen_assign_defval(s, m->defval);
+	    else
+		fprintf(codefile, "return ASN1_MISSING_FIELD;\n");
+	    free(s);
+	    memno++;
+	}
+	fprintf(codefile, "}\n");
 	break;
     }
+    case TSetOf:
     case TSequenceOf: {
 	char *n;
-
-	fprintf (codefile,
-		 "e = der_match_tag_and_length (p, len, UNIV, CONS, UT_Sequence,"
-		 "&reallen, &l);\n"
-		 "FORW;\n"
-		 "if(len < reallen)\n"
-		 "return ASN1_OVERRUN;\n"
-		 "len = reallen;\n");
+	char *sname;
 
 	fprintf (codefile,
 		 "{\n"
-		 "size_t origlen = len;\n"
-		 "int oldret = ret;\n"
+		 "size_t %s_origlen = len;\n"
+		 "size_t %s_oldret = ret;\n"
+		 "size_t %s_olen = 0;\n"
+		 "void *%s_tmp;\n"
 		 "ret = 0;\n"
 		 "(%s)->len = 0;\n"
-		 "(%s)->val = NULL;\n"
-		 "while(ret < origlen) {\n"
-		 "(%s)->len++;\n"
-		 "(%s)->val = realloc((%s)->val, sizeof(*((%s)->val)) * (%s)->len);\n",
-		 name, name, name, name, name, name, name);
-	asprintf (&n, "&(%s)->val[(%s)->len-1]", name, name);
-	decode_type (n, t->subtype);
+		 "(%s)->val = NULL;\n",
+		 tmpstr,
+		 tmpstr,
+		 tmpstr,
+		 tmpstr,
+		 name,
+		 name);
+
+	fprintf (codefile,
+		 "while(ret < %s_origlen) {\n"
+		 "size_t %s_nlen = %s_olen + sizeof(*((%s)->val));\n"
+		 "if (%s_olen > %s_nlen) { e = ASN1_OVERFLOW; %s; }\n"
+		 "%s_olen = %s_nlen;\n"
+		 "%s_tmp = realloc((%s)->val, %s_olen);\n"
+		 "if (%s_tmp == NULL) { e = ENOMEM; %s; }\n"
+		 "(%s)->val = %s_tmp;\n",
+		 tmpstr,
+		 tmpstr, tmpstr, name,
+		 tmpstr, tmpstr, forwstr,
+		 tmpstr, tmpstr,
+		 tmpstr, name, tmpstr,
+		 tmpstr, forwstr, 
+		 name, tmpstr);
+
+	asprintf (&n, "&(%s)->val[(%s)->len]", name, name);
+	if (n == NULL)
+	    errx(1, "malloc");
+	asprintf (&sname, "%s_s_of", tmpstr);
+	if (sname == NULL)
+	    errx(1, "malloc");
+	decode_type (n, t->subtype, 0, forwstr, sname);
 	fprintf (codefile, 
-		 "len = origlen - ret;\n"
+		 "(%s)->len++;\n"
+		 "len = %s_origlen - ret;\n"
 		 "}\n"
-		 "ret += oldret;\n"
-		 "}\n");
+		 "ret += %s_oldret;\n"
+		 "}\n",
+		 name,
+		 tmpstr, tmpstr);
+	if (t->range)
+	    range_check(name, "len", forwstr, t->range);
 	free (n);
+	free (sname);
 	break;
     }
     case TGeneralizedTime:
-	decode_primitive ("generalized_time", name);
+	decode_primitive ("generalized_time", name, forwstr);
 	break;
     case TGeneralString:
-	decode_primitive ("general_string", name);
+	decode_primitive ("general_string", name, forwstr);
 	break;
-    case TApplication:
+    case TTag:{
+    	char *tname;
+
+	fprintf(codefile, 
+		"{\n"
+		"size_t %s_datalen, %s_oldlen;\n",
+		tmpstr, tmpstr);
+	if(dce_fix)
+	    fprintf(codefile, 
+		    "int dce_fix;\n");
+	fprintf(codefile, "e = der_match_tag_and_length(p, len, %s, %s, %s, "
+		"&%s_datalen, &l);\n",
+		classname(t->tag.tagclass),
+		is_primitive_type(t->subtype->type) ? "PRIM" : "CONS",
+		valuename(t->tag.tagclass, t->tag.tagvalue),
+		tmpstr);
+	if(optional) {
+	    fprintf(codefile, 
+		    "if(e) {\n"
+		    "%s = NULL;\n"
+		    "} else {\n"
+		     "%s = calloc(1, sizeof(*%s));\n"
+		     "if (%s == NULL) { e = ENOMEM; %s; }\n",
+		     name, name, name, name, forwstr);
+	} else {
+	    fprintf(codefile, "if(e) %s;\n", forwstr);
+	}
 	fprintf (codefile,
-		 "e = der_match_tag_and_length (p, len, APPL, CONS, %d, "
-		 "&reallen, &l);\n"
-		 "FORW;\n"
-		 "{\n"
-		 "int dce_fix;\n"
-		 "if((dce_fix = fix_dce(reallen, &len)) < 0)\n"
-		 "return ASN1_BAD_FORMAT;\n", 
-		 t->application);
-	decode_type (name, t->subtype);
-	fprintf(codefile,
-		"if(dce_fix){\n"
-		"e = der_match_tag_and_length (p, len, "
-		"(Der_class)0, (Der_type)0, 0, &reallen, &l);\n"
-		"FORW;\n"
-		"}\n"
+		 "p += l; len -= l; ret += l;\n"
+		 "%s_oldlen = len;\n",
+		 tmpstr);
+	if(dce_fix)
+	    fprintf (codefile,
+		     "if((dce_fix = _heim_fix_dce(%s_datalen, &len)) < 0)\n"
+		     "{ e = ASN1_BAD_FORMAT; %s; }\n",
+		     tmpstr, forwstr);
+	else
+	    fprintf(codefile, 
+		    "if (%s_datalen > len) { e = ASN1_OVERRUN; %s; }\n"
+		    "len = %s_datalen;\n", tmpstr, forwstr, tmpstr);
+	asprintf (&tname, "%s_Tag", tmpstr);
+	if (tname == NULL)
+	    errx(1, "malloc");
+	decode_type (name, t->subtype, 0, forwstr, tname);
+	if(dce_fix)
+	    fprintf(codefile,
+		    "if(dce_fix){\n"
+		    "e = der_match_tag_and_length (p, len, "
+		    "(Der_class)0,(Der_type)0, UT_EndOfContent, "
+		    "&%s_datalen, &l);\n"
+		    "if(e) %s;\np += l; len -= l; ret += l;\n"
+		    "} else \n", tmpstr, forwstr);
+	fprintf(codefile, 
+		"len = %s_oldlen - %s_datalen;\n",
+		tmpstr, tmpstr);
+	if(optional)
+	    fprintf(codefile, 
+		    "}\n");
+	fprintf(codefile, 
 		"}\n");
+	free(tname);
+	break;
+    }
+    case TChoice: {
+	Member *m, *have_ellipsis = NULL;
+	const char *els = "";
 
+	if (t->members == NULL)
+	    break;
+
+	ASN1_TAILQ_FOREACH(m, t->members, members) {
+	    const Type *tt = m->type;
+	    char *s;
+	    Der_class cl;
+	    Der_type  ty;
+	    unsigned  tag;
+	    
+	    if (m->ellipsis) {
+		have_ellipsis = m;
+		continue;
+	    }
+
+	    find_tag(tt, &cl, &ty, &tag);
+
+	    fprintf(codefile,
+		    "%sif (der_match_tag(p, len, %s, %s, %s, NULL) == 0) {\n",
+		    els,
+		    classname(cl),
+		    ty ? "CONS" : "PRIM",
+		    valuename(cl, tag));
+	    asprintf (&s, "%s(%s)->u.%s", m->optional ? "" : "&",
+		      name, m->gen_name);
+	    if (s == NULL)
+		errx(1, "malloc");
+	    decode_type (s, m->type, m->optional, forwstr, m->gen_name);
+	    fprintf(codefile,
+		    "(%s)->element = %s;\n",
+		    name, m->label);
+	    free(s);
+	    fprintf(codefile,
+		    "}\n");
+	    els = "else ";
+	}
+	if (have_ellipsis) {
+	    fprintf(codefile,
+		    "else {\n"
+		    "(%s)->u.%s.data = calloc(1, len);\n"
+		    "if ((%s)->u.%s.data == NULL) {\n"
+		    "e = ENOMEM; %s;\n"
+		    "}\n"
+		    "(%s)->u.%s.length = len;\n"
+		    "memcpy((%s)->u.%s.data, p, len);\n"
+		    "(%s)->element = %s;\n"
+		    "p += len;\n"
+		    "ret += len;\n"
+		    "len -= len;\n"
+		    "}\n",
+		    name, have_ellipsis->gen_name,
+		    name, have_ellipsis->gen_name,
+		    forwstr, 
+		    name, have_ellipsis->gen_name,
+		    name, have_ellipsis->gen_name,
+		    name, have_ellipsis->label);
+	} else {
+	    fprintf(codefile,
+		    "else {\n"
+		    "e = ASN1_PARSE_ERROR;\n"
+		    "%s;\n"
+		    "}\n",
+		    forwstr);
+	}
+	break;
+    }
+    case TUTCTime:
+	decode_primitive ("utctime", name, forwstr);
+	break;
+    case TUTF8String:
+	decode_primitive ("utf8string", name, forwstr);
+	break;
+    case TPrintableString:
+	decode_primitive ("printable_string", name, forwstr);
+	break;
+    case TIA5String:
+	decode_primitive ("ia5_string", name, forwstr);
+	break;
+    case TBMPString:
+	decode_primitive ("bmp_string", name, forwstr);
+	break;
+    case TUniversalString:
+	decode_primitive ("universal_string", name, forwstr);
+	break;
+    case TVisibleString:
+	decode_primitive ("visible_string", name, forwstr);
+	break;
+    case TNull:
+	fprintf (codefile, "/* NULL */\n");
+	break;
+    case TOID:
+	decode_primitive ("oid", name, forwstr);
 	break;
     default :
 	abort ();
     }
+    return 0;
 }
 
 void
 generate_type_decode (const Symbol *s)
 {
-  fprintf (headerfile,
-	   "int    "
-	   "decode_%s(const unsigned char *, size_t, %s *, size_t *);\n",
-	   s->gen_name, s->gen_name);
-
-  fprintf (codefile, "#define FORW "
-	   "if(e) goto fail; "
-	   "p += l; "
-	   "len -= l; "
-	   "ret += l\n\n");
-
-
-  fprintf (codefile, "int\n"
-	   "decode_%s(const unsigned char *p,"
-	   " size_t len, %s *data, size_t *size)\n"
-	   "{\n",
-	   s->gen_name, s->gen_name);
-
-  switch (s->type->type) {
-  case TInteger:
-  case TUInteger:
-  case TOctetString:
-  case TOID:
-  case TGeneralizedTime:
-  case TGeneralString:
-  case TBitString:
-  case TSequence:
-  case TSequenceOf:
-  case TApplication:
-  case TType:
-    fprintf (codefile,
-	     "size_t ret = 0, reallen;\n"
-	     "size_t l;\n"
-	     "int e;\n\n");
-    fprintf (codefile, "memset(data, 0, sizeof(*data));\n");
-    fprintf (codefile, "reallen = 0;\n"); /* hack to avoid `unused variable' */
-
-    decode_type ("data", s->type);
-    fprintf (codefile, 
-	     "if(size) *size = ret;\n"
-	     "return 0;\n");
-    fprintf (codefile,
-	     "fail:\n"
-	     "free_%s(data);\n"
-	     "return e;\n",
-	     s->gen_name);
-    break;
-  default:
-    abort ();
-  }
-  fprintf (codefile, "}\n\n");
-}
+    int preserve = preserve_type(s->name) ? TRUE : FALSE;
 
-void
-generate_seq_type_decode (const Symbol *s)
-{
     fprintf (headerfile,
-	     "int decode_seq_%s(const unsigned char *, size_t, int, int, "
-	     "%s *, size_t *);\n",
+	     "int    "
+	     "decode_%s(const unsigned char *, size_t, %s *, size_t *);\n",
 	     s->gen_name, s->gen_name);
 
     fprintf (codefile, "int\n"
-	     "decode_seq_%s(const unsigned char *p, size_t len, int tag, "
-	     "int optional, %s *data, size_t *size)\n"
+	     "decode_%s(const unsigned char *p,"
+	     " size_t len, %s *data, size_t *size)\n"
 	     "{\n",
 	     s->gen_name, s->gen_name);
 
-    fprintf (codefile,
-	     "size_t newlen, oldlen;\n"
-	     "size_t l, ret = 0;\n"
-	     "int e;\n"
-	     "int dce_fix;\n");
-    
-    fprintf (codefile,
-	     "e = der_match_tag(p, len, CONTEXT, CONS, tag, &l);\n"
-	     "if (e)\n"
-	     "return e;\n");
-    fprintf (codefile, 
-	     "p += l;\n"
-	     "len -= l;\n"
-	     "ret += l;\n"
-	     "e = der_get_length(p, len, &newlen, &l);\n"
-	     "if (e)\n"
-	     "return e;\n"
-	     "p += l;\n"
-	     "len -= l;\n"
-	     "ret += l;\n"
-	     "oldlen = len;\n"
-	     "if ((dce_fix = fix_dce(newlen, &len)) < 0)\n"
-	     "return ASN1_BAD_FORMAT;\n"
-	     "e = decode_%s(p, len, data, &l);\n"
-	     "if (e)\n"
-	     "return e;\n"
-	     "p += l;\n"
-	     "len -= l;\n"
-	     "ret += l;\n"
-	     "if (dce_fix) {\n"
-	     "size_t reallen;\n\n"
-	     "e = der_match_tag_and_length(p, len, "
-	     "(Der_class)0, (Der_type)0, 0, &reallen, &l);\n"
-	     "if (e)\n"
-	     "return e;\n"
-	     "ret += l;\n"
-	     "}\n",
-	     s->gen_name);
-    fprintf (codefile, 
-	     "if(size) *size = ret;\n"
-	     "return 0;\n");
+    switch (s->type->type) {
+    case TInteger:
+    case TBoolean:
+    case TOctetString:
+    case TOID:
+    case TGeneralizedTime:
+    case TGeneralString:
+    case TUTF8String:
+    case TPrintableString:
+    case TIA5String:
+    case TBMPString:
+    case TUniversalString:
+    case TVisibleString:
+    case TUTCTime:
+    case TNull:
+    case TEnumerated:
+    case TBitString:
+    case TSequence:
+    case TSequenceOf:
+    case TSet:
+    case TSetOf:
+    case TTag:
+    case TType:
+    case TChoice:
+	fprintf (codefile,
+		 "size_t ret = 0;\n"
+		 "size_t l;\n"
+		 "int e;\n");
+	if (preserve)
+	    fprintf (codefile, "const unsigned char *begin = p;\n");
+
+	fprintf (codefile, "\n");
+	fprintf (codefile, "memset(data, 0, sizeof(*data));\n"); /* hack to avoid `unused variable' */
 
+	decode_type ("data", s->type, 0, "goto fail", "Top");
+	if (preserve)
+	    fprintf (codefile,
+		     "data->_save.data = calloc(1, ret);\n"
+		     "if (data->_save.data == NULL) { \n"
+		     "e = ENOMEM; goto fail; \n"
+		     "}\n"
+		     "data->_save.length = ret;\n"
+		     "memcpy(data->_save.data, begin, ret);\n");
+	fprintf (codefile, 
+		 "if(size) *size = ret;\n"
+		 "return 0;\n");
+	fprintf (codefile,
+		 "fail:\n"
+		 "free_%s(data);\n"
+		 "return e;\n",
+		 s->gen_name);
+	break;
+    default:
+	abort ();
+    }
     fprintf (codefile, "}\n\n");
 }
diff --git a/crypto/heimdal/lib/asn1/gen_encode.c b/crypto/heimdal/lib/asn1/gen_encode.c
index ba50d5d..08f1a94 100644
--- a/crypto/heimdal/lib/asn1/gen_encode.c
+++ b/crypto/heimdal/lib/asn1/gen_encode.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,21 +33,82 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen_encode.c,v 1.12 2001/09/25 13:39:26 assar Exp $");
+RCSID("$Id: gen_encode.c 22429 2008-01-13 10:25:50Z lha $");
 
 static void
 encode_primitive (const char *typename, const char *name)
 {
     fprintf (codefile,
-	     "e = encode_%s(p, len, %s, &l);\n"
-	     "BACK;\n",
+	     "e = der_put_%s(p, len, %s, &l);\n"
+	     "if (e) return e;\np -= l; len -= l; ret += l;\n\n",
 	     typename,
 	     name);
 }
 
-static void
-encode_type (const char *name, const Type *t)
+const char *
+classname(Der_class class)
+{
+    const char *cn[] = { "ASN1_C_UNIV", "ASN1_C_APPL",
+			 "ASN1_C_CONTEXT", "ASN1_C_PRIV" };
+    if(class < ASN1_C_UNIV || class > ASN1_C_PRIVATE)
+	return "???";
+    return cn[class];
+}
+
+
+const char *
+valuename(Der_class class, int value)
+{
+    static char s[32];
+    struct { 
+	int value;
+	const char *s;
+    } *p, values[] = {
+#define X(Y) { Y, #Y }
+	X(UT_BMPString),
+	X(UT_BitString),
+	X(UT_Boolean),
+	X(UT_EmbeddedPDV),
+	X(UT_Enumerated),
+	X(UT_External),
+	X(UT_GeneralString),
+	X(UT_GeneralizedTime),
+	X(UT_GraphicString),
+	X(UT_IA5String),
+	X(UT_Integer),
+	X(UT_Null),
+	X(UT_NumericString),
+	X(UT_OID),
+	X(UT_ObjectDescriptor),
+	X(UT_OctetString),
+	X(UT_PrintableString),
+	X(UT_Real),
+	X(UT_RelativeOID),
+	X(UT_Sequence),
+	X(UT_Set),
+	X(UT_TeletexString),
+	X(UT_UTCTime),
+	X(UT_UTF8String),
+	X(UT_UniversalString),
+	X(UT_VideotexString),
+	X(UT_VisibleString),
+#undef X
+	{ -1, NULL }
+    };
+    if(class == ASN1_C_UNIV) {
+	for(p = values; p->value != -1; p++)
+	    if(p->value == value)
+		return p->s;
+    }
+    snprintf(s, sizeof(s), "%d", value);
+    return s;
+}
+
+static int
+encode_type (const char *name, const Type *t, const char *tmpstr)
 {
+    int constructed = 1;
+
     switch (t->type) {
     case TType:
 #if 0
@@ -55,45 +116,60 @@ encode_type (const char *name, const Type *t)
 #endif
 	fprintf (codefile,
 		 "e = encode_%s(p, len, %s, &l);\n"
-		 "BACK;\n",
+		 "if (e) return e;\np -= l; len -= l; ret += l;\n\n",
 		 t->symbol->gen_name, name);
 	break;
     case TInteger:
-	if(t->members == NULL)
+	if(t->members) {
+	    fprintf(codefile,
+		    "{\n"
+		    "int enumint = (int)*%s;\n",
+		    name);
+	    encode_primitive ("integer", "&enumint");
+	    fprintf(codefile, "}\n;");
+	} else if (t->range == NULL) {
+	    encode_primitive ("heim_integer", name);
+	} else if (t->range->min == INT_MIN && t->range->max == INT_MAX) {
 	    encode_primitive ("integer", name);
-	else {
-	    char *s;
-	    asprintf(&s, "(const int*)%s", name);
-	    if(s == NULL)
-		errx(1, "out of memory");
-	    encode_primitive ("integer", s);
-	    free(s);
-	}
+	} else if (t->range->min == 0 && t->range->max == UINT_MAX) {
+	    encode_primitive ("unsigned", name);
+	} else if (t->range->min == 0 && t->range->max == INT_MAX) {
+	    encode_primitive ("unsigned", name);
+	} else
+	    errx(1, "%s: unsupported range %d -> %d", 
+		 name, t->range->min, t->range->max);
+	constructed = 0;
 	break;
-    case TUInteger:
-	encode_primitive ("unsigned", name);
+    case TBoolean:
+	encode_primitive ("boolean", name);
+	constructed = 0;
 	break;
     case TOctetString:
 	encode_primitive ("octet_string", name);
-	break;
-    case TOID :
-	encode_primitive ("oid", name);
+	constructed = 0;
 	break;
     case TBitString: {
 	Member *m;
 	int pos;
-	int rest;
-	int tag = -1;
 
-	if (t->members == NULL)
+	if (ASN1_TAILQ_EMPTY(t->members)) {
+	    encode_primitive("bit_string", name);
+	    constructed = 0;
 	    break;
+	}
 
 	fprintf (codefile, "{\n"
 		 "unsigned char c = 0;\n");
+	if (!rfc1510_bitstring)
+	    fprintf (codefile,
+		     "int rest = 0;\n"
+		     "int bit_set = 0;\n");
+#if 0
 	pos = t->members->prev->val;
 	/* fix for buggy MIT (and OSF?) code */
 	if (pos > 31)
 	    abort ();
+#endif
 	/*
 	 * It seems that if we do not always set pos to 31 here, the MIT
 	 * code will do the wrong thing.
@@ -101,165 +177,381 @@ encode_type (const char *name, const Type *t)
 	 * I hate ASN.1 (and DER), but I hate it even more when everybody
 	 * has to screw it up differently.
 	 */
-	pos = 31;
-	rest = 7 - (pos % 8);
+	pos = ASN1_TAILQ_LAST(t->members, memhead)->val;
+	if (rfc1510_bitstring) {
+	    if (pos < 31)
+		pos = 31;
+	}
 
-	for (m = t->members->prev; m && tag != m->val; m = m->prev) {
+	ASN1_TAILQ_FOREACH_REVERSE(m, t->members, memhead, members) {
 	    while (m->val / 8 < pos / 8) {
+		if (!rfc1510_bitstring)
+		    fprintf (codefile,
+			     "if (c != 0 || bit_set) {\n");
+		fprintf (codefile,
+			 "if (len < 1) return ASN1_OVERFLOW;\n"
+			 "*p-- = c; len--; ret++;\n");
+		if (!rfc1510_bitstring)
+		    fprintf (codefile,
+			     "if (!bit_set) {\n"
+			     "rest = 0;\n"
+			     "while(c) { \n"
+			     "if (c & 1) break;\n"
+			     "c = c >> 1;\n"
+			     "rest++;\n"
+			     "}\n"
+			     "bit_set = 1;\n"
+			     "}\n"
+			     "}\n");
 		fprintf (codefile,
-			 "*p-- = c; len--; ret++;\n"
 			 "c = 0;\n");
 		pos -= 8;
 	    }
 	    fprintf (codefile,
-		     "if(%s->%s) c |= 1<<%d;\n", name, m->gen_name,
-		     7 - m->val % 8);
-
-	    if (tag == -1)
-		tag = m->val;
+		     "if((%s)->%s) {\n"
+		     "c |= 1<<%d;\n", 
+		     name, m->gen_name, 7 - m->val % 8);
+	    fprintf (codefile,
+		     "}\n");
 	}
 
+	if (!rfc1510_bitstring)
+	    fprintf (codefile,
+		     "if (c != 0 || bit_set) {\n");
+	fprintf (codefile, 
+		 "if (len < 1) return ASN1_OVERFLOW;\n"
+		 "*p-- = c; len--; ret++;\n");
+	if (!rfc1510_bitstring)
+	    fprintf (codefile,
+		     "if (!bit_set) {\n"
+		     "rest = 0;\n"
+		     "if(c) { \n"
+		     "while(c) { \n"
+		     "if (c & 1) break;\n"
+		     "c = c >> 1;\n"
+		     "rest++;\n"
+		     "}\n"
+		     "}\n"
+		     "}\n"
+		     "}\n");
+
 	fprintf (codefile, 
-		 "*p-- = c;\n"
-		 "*p-- = %d;\n"
-		 "len -= 2;\n"
-		 "ret += 2;\n"
-		 "}\n\n"
-		 "e = der_put_length_and_tag (p, len, ret, UNIV, PRIM,"
-		 "UT_BitString, &l);\n"
-		 "BACK;\n",
-		 rest);
+		 "if (len < 1) return ASN1_OVERFLOW;\n"
+		 "*p-- = %s;\n"
+		 "len -= 1;\n"
+		 "ret += 1;\n"
+		 "}\n\n",
+		 rfc1510_bitstring ? "0" : "rest");
+	constructed = 0;
 	break;
     }
     case TEnumerated : {
 	encode_primitive ("enumerated", name);
+	constructed = 0;
 	break;
     }
+
+    case TSet:
     case TSequence: {
 	Member *m;
-	int tag = -1;
 
 	if (t->members == NULL)
 	    break;
-
-	for (m = t->members->prev; m && tag != m->val; m = m->prev) {
+	
+	ASN1_TAILQ_FOREACH_REVERSE(m, t->members, memhead, members) {
 	    char *s;
 
+	    if (m->ellipsis)
+		continue;
+
 	    asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&", name, m->gen_name);
+	    if (s == NULL)
+		errx(1, "malloc");
+	    fprintf(codefile, "/* %s */\n", m->name);
 	    if (m->optional)
 		fprintf (codefile,
-			 "if(%s)\n",
+			 "if(%s) ",
 			 s);
-#if 1
-	    fprintf (codefile, "{\n"
-		     "int oldret = ret;\n"
-		     "ret = 0;\n");
-#endif
-	    encode_type (s, m->type);
-	    fprintf (codefile,
-		     "e = der_put_length_and_tag (p, len, ret, CONTEXT, CONS, "
-		     "%d, &l);\n"
-		     "BACK;\n",
-		     m->val);
-#if 1
-	    fprintf (codefile,
-		     "ret += oldret;\n"
-		     "}\n");
-#endif
-	    if (tag == -1)
-		tag = m->val;
+	    else if(m->defval)
+		gen_compare_defval(s + 1, m->defval);
+	    fprintf (codefile, "{\n");
+	    fprintf (codefile, "size_t %s_oldret = ret;\n", tmpstr);
+	    fprintf (codefile, "ret = 0;\n");
+	    encode_type (s, m->type, m->gen_name);
+	    fprintf (codefile, "ret += %s_oldret;\n", tmpstr);
+	    fprintf (codefile, "}\n");
 	    free (s);
 	}
+	break;
+    }
+    case TSetOf: {
+
+	fprintf(codefile,
+		"{\n"
+		"struct heim_octet_string *val;\n"
+		"size_t elen, totallen = 0;\n"
+		"int eret;\n");
+
+	fprintf(codefile,
+		"if ((%s)->len > UINT_MAX/sizeof(val[0]))\n"
+		"return ERANGE;\n",
+		name);
+
+	fprintf(codefile,
+		"val = malloc(sizeof(val[0]) * (%s)->len);\n"
+		"if (val == NULL && (%s)->len != 0) return ENOMEM;\n",
+		name, name);
+
+	fprintf(codefile,
+		"for(i = 0; i < (%s)->len; i++) {\n",
+		name);
+
+	fprintf(codefile,
+		"ASN1_MALLOC_ENCODE(%s, val[i].data, "
+		"val[i].length, &(%s)->val[i], &elen, eret);\n",
+		t->subtype->symbol->gen_name,
+		name);
+
+	fprintf(codefile,
+		"if(eret) {\n"
+		"i--;\n"
+		"while (i >= 0) {\n"
+		"free(val[i].data);\n"
+		"i--;\n"
+		"}\n"
+		"free(val);\n"
+		"return eret;\n"
+		"}\n"
+		"totallen += elen;\n"
+		"}\n");
+
+	fprintf(codefile,
+		"if (totallen > len) {\n"
+		"for (i = 0; i < (%s)->len; i++) {\n"
+		"free(val[i].data);\n"
+		"}\n"
+		"free(val);\n"
+		"return ASN1_OVERFLOW;\n"
+		"}\n",
+		name);
+
+	fprintf(codefile,
+		"qsort(val, (%s)->len, sizeof(val[0]), _heim_der_set_sort);\n",
+		name);
+
 	fprintf (codefile,
-		 "e = der_put_length_and_tag (p, len, ret, UNIV, CONS, UT_Sequence, &l);\n"
-		 "BACK;\n");
+		 "for(i = (%s)->len - 1; i >= 0; --i) {\n"
+		 "p -= val[i].length;\n"
+		 "ret += val[i].length;\n"
+		 "memcpy(p + 1, val[i].data, val[i].length);\n"
+		 "free(val[i].data);\n"
+		 "}\n"
+		 "free(val);\n"
+		 "}\n",
+		 name);
 	break;
     }
     case TSequenceOf: {
 	char *n;
+	char *sname;
 
 	fprintf (codefile,
 		 "for(i = (%s)->len - 1; i >= 0; --i) {\n"
-#if 1
-		 "int oldret = ret;\n"
+		 "size_t %s_for_oldret = ret;\n"
 		 "ret = 0;\n",
-#else
-		 ,
-#endif
-		 name);
+		 name, tmpstr);
 	asprintf (&n, "&(%s)->val[i]", name);
-	encode_type (n, t->subtype);
+	if (n == NULL)
+	    errx(1, "malloc");
+	asprintf (&sname, "%s_S_Of", tmpstr);
+	if (sname == NULL)
+	    errx(1, "malloc");
+	encode_type (n, t->subtype, sname);
 	fprintf (codefile,
-#if 1
-		 "ret += oldret;\n"
-#endif
-		 "}\n"
-		 "e = der_put_length_and_tag (p, len, ret, UNIV, CONS, UT_Sequence, &l);\n"
-		 "BACK;\n");
+		 "ret += %s_for_oldret;\n"
+		 "}\n",
+		 tmpstr);
 	free (n);
+	free (sname);
 	break;
     }
     case TGeneralizedTime:
 	encode_primitive ("generalized_time", name);
+	constructed = 0;
 	break;
     case TGeneralString:
 	encode_primitive ("general_string", name);
+	constructed = 0;
 	break;
-    case TApplication:
-	encode_type (name, t->subtype);
+    case TTag: {
+    	char *tname;
+	int c;
+	asprintf (&tname, "%s_tag", tmpstr);
+	if (tname == NULL)
+	    errx(1, "malloc");	
+	c = encode_type (name, t->subtype, tname);
 	fprintf (codefile,
-		 "e = der_put_length_and_tag (p, len, ret, APPL, CONS, %d, &l);\n"
-		 "BACK;\n",
-		 t->application);
+		 "e = der_put_length_and_tag (p, len, ret, %s, %s, %s, &l);\n"
+		 "if (e) return e;\np -= l; len -= l; ret += l;\n\n",
+		 classname(t->tag.tagclass),
+		 c ? "CONS" : "PRIM", 
+		 valuename(t->tag.tagclass, t->tag.tagvalue));
+	free (tname);
+	break;
+    }
+    case TChoice:{
+	Member *m, *have_ellipsis = NULL;
+	char *s;
+
+	if (t->members == NULL)
+	    break;
+
+	fprintf(codefile, "\n");
+
+	asprintf (&s, "(%s)", name);
+	if (s == NULL)
+	    errx(1, "malloc");
+	fprintf(codefile, "switch(%s->element) {\n", s);
+
+	ASN1_TAILQ_FOREACH_REVERSE(m, t->members, memhead, members) {
+	    char *s2;
+
+	    if (m->ellipsis) {
+		have_ellipsis = m;
+		continue;
+	    }
+
+	    fprintf (codefile, "case %s: {", m->label); 
+	    asprintf(&s2, "%s(%s)->u.%s", m->optional ? "" : "&", 
+		     s, m->gen_name);
+	    if (s2 == NULL)
+		errx(1, "malloc");
+	    if (m->optional)
+		fprintf (codefile, "if(%s) {\n", s2);
+	    fprintf (codefile, "size_t %s_oldret = ret;\n", tmpstr);
+	    fprintf (codefile, "ret = 0;\n");
+	    constructed = encode_type (s2, m->type, m->gen_name);
+	    fprintf (codefile, "ret += %s_oldret;\n", tmpstr);
+	    if(m->optional)
+		fprintf (codefile, "}\n");
+	    fprintf(codefile, "break;\n");
+	    fprintf(codefile, "}\n");
+	    free (s2);
+	}
+	free (s);
+	if (have_ellipsis) {
+	    fprintf(codefile,
+		    "case %s: {\n"
+		    "if (len < (%s)->u.%s.length)\n"
+		    "return ASN1_OVERFLOW;\n"
+		    "p -= (%s)->u.%s.length;\n"
+		    "ret += (%s)->u.%s.length;\n"
+		    "memcpy(p + 1, (%s)->u.%s.data, (%s)->u.%s.length);\n"
+		    "break;\n"
+		    "}\n",
+		    have_ellipsis->label,
+		    name, have_ellipsis->gen_name,
+		    name, have_ellipsis->gen_name,
+		    name, have_ellipsis->gen_name,
+		    name, have_ellipsis->gen_name,
+		    name, have_ellipsis->gen_name);
+	}
+	fprintf(codefile, "};\n");
+	break;
+    }
+    case TOID:
+	encode_primitive ("oid", name);
+	constructed = 0;
+	break;
+    case TUTCTime:
+	encode_primitive ("utctime", name);
+	constructed = 0;
+	break;
+    case TUTF8String:
+	encode_primitive ("utf8string", name);
+	constructed = 0;
+	break;
+    case TPrintableString:
+	encode_primitive ("printable_string", name);
+	constructed = 0;
+	break;
+    case TIA5String:
+	encode_primitive ("ia5_string", name);
+	constructed = 0;
+	break;
+    case TBMPString:
+	encode_primitive ("bmp_string", name);
+	constructed = 0;
+	break;
+    case TUniversalString:
+	encode_primitive ("universal_string", name);
+	constructed = 0;
+	break;
+    case TVisibleString:
+	encode_primitive ("visible_string", name);
+	constructed = 0;
+	break;
+    case TNull:
+	fprintf (codefile, "/* NULL */\n");
+	constructed = 0;
 	break;
     default:
 	abort ();
     }
+    return constructed;
 }
 
 void
 generate_type_encode (const Symbol *s)
 {
-  fprintf (headerfile,
-	   "int    "
-	   "encode_%s(unsigned char *, size_t, const %s *, size_t *);\n",
-	   s->gen_name, s->gen_name);
-
-  fprintf (codefile, "#define BACK if (e) return e; p -= l; len -= l; ret += l\n\n");
-
-
-  fprintf (codefile, "int\n"
-	   "encode_%s(unsigned char *p, size_t len,"
-	   " const %s *data, size_t *size)\n"
-	   "{\n",
-	   s->gen_name, s->gen_name);
-
-  switch (s->type->type) {
-  case TInteger:
-  case TUInteger:
-  case TOctetString:
-  case TGeneralizedTime:
-  case TGeneralString:
-  case TBitString:
-  case TEnumerated:
-  case TOID:
-  case TSequence:
-  case TSequenceOf:
-  case TApplication:
-  case TType:
-    fprintf (codefile,
-	     "size_t ret = 0;\n"
-	     "size_t l;\n"
-	     "int i, e;\n\n");
-    fprintf(codefile, "i = 0;\n"); /* hack to avoid `unused variable' */
+    fprintf (headerfile,
+	     "int    "
+	     "encode_%s(unsigned char *, size_t, const %s *, size_t *);\n",
+	     s->gen_name, s->gen_name);
+
+    fprintf (codefile, "int\n"
+	     "encode_%s(unsigned char *p, size_t len,"
+	     " const %s *data, size_t *size)\n"
+	     "{\n",
+	     s->gen_name, s->gen_name);
+
+    switch (s->type->type) {
+    case TInteger:
+    case TBoolean:
+    case TOctetString:
+    case TGeneralizedTime:
+    case TGeneralString:
+    case TUTCTime:
+    case TUTF8String:
+    case TPrintableString:
+    case TIA5String:
+    case TBMPString:
+    case TUniversalString:
+    case TVisibleString:
+    case TNull:
+    case TBitString:
+    case TEnumerated:
+    case TOID:
+    case TSequence:
+    case TSequenceOf:
+    case TSet:
+    case TSetOf:
+    case TTag:
+    case TType:
+    case TChoice:
+	fprintf (codefile,
+		 "size_t ret = 0;\n"
+		 "size_t l;\n"
+		 "int i, e;\n\n");
+	fprintf(codefile, "i = 0;\n"); /* hack to avoid `unused variable' */
     
-      encode_type("data", s->type);
-
-    fprintf (codefile, "*size = ret;\n"
-	     "return 0;\n");
-    break;
-  default:
-    abort ();
-  }
-  fprintf (codefile, "}\n\n");
+	encode_type("data", s->type, "Top");
+
+	fprintf (codefile, "*size = ret;\n"
+		 "return 0;\n");
+	break;
+    default:
+	abort ();
+    }
+    fprintf (codefile, "}\n\n");
 }
diff --git a/crypto/heimdal/lib/asn1/gen_free.c b/crypto/heimdal/lib/asn1/gen_free.c
index 9487c42..d667c5d 100644
--- a/crypto/heimdal/lib/asn1/gen_free.c
+++ b/crypto/heimdal/lib/asn1/gen_free.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,95 +33,152 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen_free.c,v 1.9.6.1 2003/08/20 16:25:01 joda Exp $");
+RCSID("$Id: gen_free.c 19539 2006-12-28 17:15:05Z lha $");
 
 static void
 free_primitive (const char *typename, const char *name)
 {
-    fprintf (codefile, "free_%s(%s);\n", typename, name);
+    fprintf (codefile, "der_free_%s(%s);\n", typename, name);
 }
 
 static void
-free_type (const char *name, const Type *t)
+free_type (const char *name, const Type *t, int preserve)
 {
-  switch (t->type) {
-  case TType:
+    switch (t->type) {
+    case TType:
 #if 0
-      free_type (name, t->symbol->type);
+	free_type (name, t->symbol->type, preserve);
 #endif
-      fprintf (codefile, "free_%s(%s);\n", t->symbol->gen_name, name);
-      break;
-  case TInteger:
-  case TUInteger:
-  case TEnumerated :
-      break;
-  case TOctetString:
-      free_primitive ("octet_string", name);
-      break;
-  case TOID :
-      free_primitive ("oid", name);
-      break;
-  case TBitString: {
-      break;
-  }
-  case TSequence: {
-      Member *m;
-      int tag = -1;
+	fprintf (codefile, "free_%s(%s);\n", t->symbol->gen_name, name);
+	break;
+    case TInteger:
+	if (t->range == NULL && t->members == NULL) {
+	    free_primitive ("heim_integer", name);
+	    break;
+	}
+    case TBoolean:
+    case TEnumerated :
+    case TNull:
+    case TGeneralizedTime:
+    case TUTCTime:
+	break;
+    case TBitString:
+	if (ASN1_TAILQ_EMPTY(t->members))
+	    free_primitive("bit_string", name);
+	break;
+    case TOctetString:
+	free_primitive ("octet_string", name);
+	break;
+    case TChoice:
+    case TSet:
+    case TSequence: {
+	Member *m, *have_ellipsis = NULL;
 
-      if (t->members == NULL)
-	  break;
+	if (t->members == NULL)
+	    break;
+
+	if ((t->type == TSequence || t->type == TChoice) && preserve)
+	    fprintf(codefile, "der_free_octet_string(&data->_save);\n");
+
+	if(t->type == TChoice)
+	    fprintf(codefile, "switch((%s)->element) {\n", name);
       
-      for (m = t->members; m && tag != m->val; m = m->next) {
-	  char *s;
+	ASN1_TAILQ_FOREACH(m, t->members, members) {
+	    char *s;
 
-	  asprintf (&s, "%s(%s)->%s",
-		    m->optional ? "" : "&", name, m->gen_name);
-	  if(m->optional)
-	      fprintf(codefile, "if(%s) {\n", s);
-	  free_type (s, m->type);
-	  if(m->optional)
-	      fprintf(codefile, 
-		      "free(%s);\n"
-		      "%s = NULL;\n"
-		      "}\n", s, s);
-	  if (tag == -1)
-	      tag = m->val;
-	  free (s);
-      }
-      break;
-  }
-  case TSequenceOf: {
-      char *n;
+	    if (m->ellipsis){
+		have_ellipsis = m;
+		continue;
+	    }
 
-      fprintf (codefile, "while((%s)->len){\n", name);
-      asprintf (&n, "&(%s)->val[(%s)->len-1]", name, name);
-      free_type(n, t->subtype);
-      fprintf(codefile, 
-	      "(%s)->len--;\n"
-	      "}\n",
-	      name);
-      fprintf(codefile,
-	      "free((%s)->val);\n"
-	      "(%s)->val = NULL;\n", name, name);
-      free(n);
-      break;
-  }
-  case TGeneralizedTime:
-      break;
-  case TGeneralString:
-      free_primitive ("general_string", name);
-      break;
-  case TApplication:
-      free_type (name, t->subtype);
-      break;
-  default :
-      abort ();
-  }
+	    if(t->type == TChoice)
+		fprintf(codefile, "case %s:\n", m->label);
+	    asprintf (&s, "%s(%s)->%s%s",
+		      m->optional ? "" : "&", name, 
+		      t->type == TChoice ? "u." : "", m->gen_name);
+	    if (s == NULL)
+		errx(1, "malloc");
+	    if(m->optional)
+		fprintf(codefile, "if(%s) {\n", s);
+	    free_type (s, m->type, FALSE);
+	    if(m->optional)
+		fprintf(codefile, 
+			"free(%s);\n"
+			"%s = NULL;\n"
+			"}\n",s, s);
+	    free (s);
+	    if(t->type == TChoice)
+		fprintf(codefile, "break;\n");
+	}
+	
+	if(t->type == TChoice) {
+	    if (have_ellipsis)
+		fprintf(codefile,
+			"case %s:\n"
+			"der_free_octet_string(&(%s)->u.%s);\n"
+			"break;",
+			have_ellipsis->label,
+			name, have_ellipsis->gen_name);
+	    fprintf(codefile, "}\n");
+	}
+	break;
+    }
+    case TSetOf:
+    case TSequenceOf: {
+	char *n;
+
+	fprintf (codefile, "while((%s)->len){\n", name);
+	asprintf (&n, "&(%s)->val[(%s)->len-1]", name, name);
+	if (n == NULL)
+	    errx(1, "malloc");
+	free_type(n, t->subtype, FALSE);
+	fprintf(codefile, 
+		"(%s)->len--;\n"
+		"}\n",
+		name);
+	fprintf(codefile,
+		"free((%s)->val);\n"
+		"(%s)->val = NULL;\n", name, name);
+	free(n);
+	break;
+    }
+    case TGeneralString:
+	free_primitive ("general_string", name);
+	break;
+    case TUTF8String:
+	free_primitive ("utf8string", name);
+	break;
+    case TPrintableString:
+	free_primitive ("printable_string", name);
+	break;
+    case TIA5String:
+	free_primitive ("ia5_string", name);
+	break;
+    case TBMPString:
+	free_primitive ("bmp_string", name);
+	break;
+    case TUniversalString:
+	free_primitive ("universal_string", name);
+	break;
+    case TVisibleString:
+	free_primitive ("visible_string", name);
+	break;
+    case TTag:
+	free_type (name, t->subtype, preserve);
+	break;
+    case TOID :
+	free_primitive ("oid", name);
+	break;
+    default :
+	abort ();
+    }
 }
 
 void
 generate_type_free (const Symbol *s)
 {
+  int preserve = preserve_type(s->name) ? TRUE : FALSE;
+
   fprintf (headerfile,
 	   "void   free_%s  (%s *);\n",
 	   s->gen_name, s->gen_name);
@@ -131,7 +188,7 @@ generate_type_free (const Symbol *s)
 	   "{\n",
 	   s->gen_name, s->gen_name);
 
-  free_type ("data", s->type);
+  free_type ("data", s->type, preserve);
   fprintf (codefile, "}\n\n");
 }
 
diff --git a/crypto/heimdal/lib/asn1/gen_glue.c b/crypto/heimdal/lib/asn1/gen_glue.c
index 2f6280a..8d8bd15 100644
--- a/crypto/heimdal/lib/asn1/gen_glue.c
+++ b/crypto/heimdal/lib/asn1/gen_glue.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997, 1999, 2000, 2003 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,59 +33,51 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen_glue.c,v 1.7 1999/12/02 17:05:02 joda Exp $");
+RCSID("$Id: gen_glue.c 15617 2005-07-12 06:27:42Z lha $");
 
 static void
-generate_2int (const Symbol *s)
+generate_2int (const Type *t, const char *gen_name)
 {
-    Type *t = s->type;
     Member *m;
-    int tag = -1;
 
     fprintf (headerfile,
 	     "unsigned %s2int(%s);\n",
-	     s->gen_name, s->gen_name);
+	     gen_name, gen_name);
 
     fprintf (codefile,
 	     "unsigned %s2int(%s f)\n"
 	     "{\n"
 	     "unsigned r = 0;\n",
-	     s->gen_name, s->gen_name);
+	     gen_name, gen_name);
 
-    for (m = t->members; m && m->val != tag; m = m->next) {
+    ASN1_TAILQ_FOREACH(m, t->members, members) {
 	fprintf (codefile, "if(f.%s) r |= (1U << %d);\n",
 		 m->gen_name, m->val);
-	
-	if (tag == -1)
-	    tag = m->val;
     }
     fprintf (codefile, "return r;\n"
 	     "}\n\n");
 }
 
 static void
-generate_int2 (const Symbol *s)
+generate_int2 (const Type *t, const char *gen_name)
 {
-    Type *t = s->type;
     Member *m;
-    int tag = -1;
 
     fprintf (headerfile,
 	     "%s int2%s(unsigned);\n",
-	     s->gen_name, s->gen_name);
+	     gen_name, gen_name);
 
     fprintf (codefile,
 	     "%s int2%s(unsigned n)\n"
 	     "{\n"
 	     "\t%s flags;\n\n",
-	     s->gen_name, s->gen_name, s->gen_name);
+	     gen_name, gen_name, gen_name);
 
-    for (m = t->members; m && m->val != tag; m = m->next) {
-	fprintf (codefile, "\tflags.%s = (n >> %d) & 1;\n",
-		 m->gen_name, m->val);
-	
-	if (tag == -1)
-	    tag = m->val;
+    if(t->members) {
+	ASN1_TAILQ_FOREACH(m, t->members, members) {
+	    fprintf (codefile, "\tflags.%s = (n >> %d) & 1;\n",
+		     m->gen_name, m->val);
+	}
     }
     fprintf (codefile, "\treturn flags;\n"
 	     "}\n\n");
@@ -96,42 +88,51 @@ generate_int2 (const Symbol *s)
  */
 
 static void
-generate_units (const Symbol *s)
+generate_units (const Type *t, const char *gen_name)
 {
-    Type *t = s->type;
     Member *m;
-    int tag = -1;
 
     fprintf (headerfile,
-	     "extern struct units %s_units[];",
-	     s->gen_name);
+	     "const struct units * asn1_%s_units(void);",
+	     gen_name);
 
     fprintf (codefile,
-	     "struct units %s_units[] = {\n",
-	     s->gen_name);
+	     "static struct units %s_units[] = {\n",
+	     gen_name);
 
-    if(t->members)
-	for (m = t->members->prev; m && m->val != tag; m = m->prev) {
+    if(t->members) {
+	ASN1_TAILQ_FOREACH_REVERSE(m, t->members, memhead, members) {
 	    fprintf (codefile,
 		     "\t{\"%s\",\t1U << %d},\n", m->gen_name, m->val);
-	    
-	    if (tag == -1)
-		tag = m->val;
 	}
+    }
 
     fprintf (codefile,
 	     "\t{NULL,\t0}\n"
 	     "};\n\n");
+
+    fprintf (codefile,
+	     "const struct units * asn1_%s_units(void){\n"
+	     "return %s_units;\n"
+	     "}\n\n",
+	     gen_name, gen_name);
+
+
 }
 
 void
-generate_glue (const Symbol *s)
+generate_glue (const Type *t, const char *gen_name)
 {
-    switch(s->type->type) {
+    switch(t->type) {
+    case TTag:
+	generate_glue(t->subtype, gen_name);
+	break;
     case TBitString :
-	generate_2int (s);
-	generate_int2 (s);
-	generate_units (s);
+	if (!ASN1_TAILQ_EMPTY(t->members)) {
+	    generate_2int (t, gen_name);
+	    generate_int2 (t, gen_name);
+	    generate_units (t, gen_name);
+	}
 	break;
     default :
 	break;
diff --git a/crypto/heimdal/lib/asn1/gen_length.c b/crypto/heimdal/lib/asn1/gen_length.c
index 6b60997..4cb5d45 100644
--- a/crypto/heimdal/lib/asn1/gen_length.c
+++ b/crypto/heimdal/lib/asn1/gen_length.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,18 +33,34 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen_length.c,v 1.11.6.1 2004/01/26 09:26:10 lha Exp $");
+RCSID("$Id: gen_length.c 21503 2007-07-12 11:57:19Z lha $");
 
 static void
 length_primitive (const char *typename,
 		  const char *name,
 		  const char *variable)
 {
-    fprintf (codefile, "%s += length_%s(%s);\n", variable, typename, name);
+    fprintf (codefile, "%s += der_length_%s(%s);\n", variable, typename, name);
 }
 
-static void
-length_type (const char *name, const Type *t, const char *variable)
+static size_t
+length_tag(unsigned int tag)
+{
+    size_t len = 0;
+    
+    if(tag <= 30)
+	return 1;
+    while(tag) {
+	tag /= 128;
+	len++;
+    }
+    return len + 1;
+}
+
+
+static int
+length_type (const char *name, const Type *t, 
+	     const char *variable, const char *tmpstr)
 {
     switch (t->type) {
     case TType:
@@ -55,19 +71,27 @@ length_type (const char *name, const Type *t, const char *variable)
 		 variable, t->symbol->gen_name, name);
 	break;
     case TInteger:
-        if(t->members == NULL)
-            length_primitive ("integer", name, variable);
-        else {
-            char *s;
-            asprintf(&s, "(const int*)%s", name);
-            if(s == NULL)
-		errx (1, "out of memory");
-            length_primitive ("integer", s, variable);
-            free(s);
-        }
-	break;
-    case TUInteger:
-	length_primitive ("unsigned", name, variable);
+	if(t->members) {
+	    fprintf(codefile,
+		    "{\n"
+		    "int enumint = *%s;\n", name);
+	    length_primitive ("integer", "&enumint", variable);
+	    fprintf(codefile, "}\n");
+	} else if (t->range == NULL) {
+	    length_primitive ("heim_integer", name, variable);
+	} else if (t->range->min == INT_MIN && t->range->max == INT_MAX) {
+	    length_primitive ("integer", name, variable);
+	} else if (t->range->min == 0 && t->range->max == UINT_MAX) {
+	    length_primitive ("unsigned", name, variable);
+	} else if (t->range->min == 0 && t->range->max == INT_MAX) {
+	    length_primitive ("unsigned", name, variable);
+	} else
+	    errx(1, "%s: unsupported range %d -> %d", 
+		 name, t->range->min, t->range->max);
+
+	break;
+    case TBoolean:
+	fprintf (codefile, "%s += 1;\n", variable);
 	break;
     case TEnumerated :
 	length_primitive ("enumerated", name, variable);
@@ -75,69 +99,118 @@ length_type (const char *name, const Type *t, const char *variable)
     case TOctetString:
 	length_primitive ("octet_string", name, variable);
 	break;
-    case TOID :
-	length_primitive ("oid", name, variable);
-	break;
     case TBitString: {
-	/*
-	 * XXX - Hope this is correct
-	 * look at TBitString case in `encode_type'
-	 */
-	fprintf (codefile, "%s += 7;\n", variable);
+	if (ASN1_TAILQ_EMPTY(t->members))
+	    length_primitive("bit_string", name, variable);
+	else {
+	    if (!rfc1510_bitstring) {
+		Member *m;
+		int pos = ASN1_TAILQ_LAST(t->members, memhead)->val;
+
+		fprintf(codefile,
+			"do {\n");
+		ASN1_TAILQ_FOREACH_REVERSE(m, t->members, memhead, members) {
+		    while (m->val / 8 < pos / 8) {
+			pos -= 8;
+		    }
+		    fprintf (codefile,
+			     "if((%s)->%s) { %s += %d; break; }\n",
+			     name, m->gen_name, variable, (pos + 8) / 8);
+		}
+		fprintf(codefile,
+			"} while(0);\n");
+		fprintf (codefile, "%s += 1;\n", variable);
+	    } else {
+		fprintf (codefile, "%s += 5;\n", variable);
+	    }
+	}
 	break;
     }
-    case TSequence: {
-	Member *m;
-	int tag = -1;
+    case TSet:
+    case TSequence:
+    case TChoice: {
+	Member *m, *have_ellipsis = NULL;
 
 	if (t->members == NULL)
 	    break;
       
-	for (m = t->members; m && tag != m->val; m = m->next) {
+	if(t->type == TChoice)
+	    fprintf (codefile, "switch((%s)->element) {\n", name);
+
+	ASN1_TAILQ_FOREACH(m, t->members, members) {
 	    char *s;
+	    
+	    if (m->ellipsis) {
+		have_ellipsis = m;
+		continue;
+	    }
+
+	    if(t->type == TChoice)
+		fprintf(codefile, "case %s:\n", m->label);
 
-	    asprintf (&s, "%s(%s)->%s",
-		      m->optional ? "" : "&", name, m->gen_name);
+	    asprintf (&s, "%s(%s)->%s%s",
+		      m->optional ? "" : "&", name, 
+		      t->type == TChoice ? "u." : "", m->gen_name);
+	    if (s == NULL)
+		errx(1, "malloc");
 	    if (m->optional)
 		fprintf (codefile, "if(%s)", s);
+	    else if(m->defval)
+		gen_compare_defval(s + 1, m->defval);
 	    fprintf (codefile, "{\n"
-		     "int oldret = %s;\n"
-		     "%s = 0;\n", variable, variable);
-	    length_type (s, m->type, "ret");
-	    fprintf (codefile, "%s += 1 + length_len(%s) + oldret;\n",
-		     variable, variable);
+		     "size_t %s_oldret = %s;\n"
+		     "%s = 0;\n", tmpstr, variable, variable);
+	    length_type (s, m->type, "ret", m->gen_name);
+	    fprintf (codefile, "ret += %s_oldret;\n", tmpstr);
 	    fprintf (codefile, "}\n");
-	    if (tag == -1)
-		tag = m->val;
 	    free (s);
+	    if(t->type == TChoice)
+		fprintf(codefile, "break;\n");
+	}
+	if(t->type == TChoice) {
+	    if (have_ellipsis)
+		fprintf(codefile,
+			"case %s:\n"
+			"ret += (%s)->u.%s.length;\n"
+			"break;\n",
+			have_ellipsis->label,
+			name,
+			have_ellipsis->gen_name);
+	    fprintf (codefile, "}\n"); /* switch */
 	}
-	fprintf (codefile,
-		 "%s += 1 + length_len(%s);\n", variable, variable);
 	break;
     }
+    case TSetOf:
     case TSequenceOf: {
 	char *n;
+	char *sname;
 
 	fprintf (codefile,
 		 "{\n"
-		 "int oldret = %s;\n"
+		 "int %s_oldret = %s;\n"
 		 "int i;\n"
 		 "%s = 0;\n",
-		 variable, variable);
+		 tmpstr, variable, variable);
 
 	fprintf (codefile, "for(i = (%s)->len - 1; i >= 0; --i){\n", name);
-	fprintf (codefile, "int oldret = %s;\n"
-		 "%s = 0;\n", variable, variable);
+	fprintf (codefile, "int %s_for_oldret = %s;\n"
+		 "%s = 0;\n", tmpstr, variable, variable);
 	asprintf (&n, "&(%s)->val[i]", name);
-	length_type(n, t->subtype, variable);
-	fprintf (codefile, "%s += oldret;\n",
-		 variable);
+	if (n == NULL)
+	    errx(1, "malloc");
+	asprintf (&sname, "%s_S_Of", tmpstr);
+	if (sname == NULL)
+	    errx(1, "malloc");
+	length_type(n, t->subtype, variable, sname);
+	fprintf (codefile, "%s += %s_for_oldret;\n",
+		 variable, tmpstr);
 	fprintf (codefile, "}\n");
 
 	fprintf (codefile,
-		 "%s += 1 + length_len(%s) + oldret;\n"
-		 "}\n", variable, variable);
+		 "%s += %s_oldret;\n"
+		 "}\n", variable, tmpstr);
 	free(n);
+	free(sname);
 	break;
     }
     case TGeneralizedTime:
@@ -146,30 +219,65 @@ length_type (const char *name, const Type *t, const char *variable)
     case TGeneralString:
 	length_primitive ("general_string", name, variable);
 	break;
-    case TApplication:
-	length_type (name, t->subtype, variable);
-	fprintf (codefile, "ret += 1 + length_len (ret);\n");
+    case TUTCTime:
+	length_primitive ("utctime", name, variable);
+	break;
+    case TUTF8String:
+	length_primitive ("utf8string", name, variable);
+	break;
+    case TPrintableString:
+	length_primitive ("printable_string", name, variable);
+	break;
+    case TIA5String:
+	length_primitive ("ia5_string", name, variable);
+	break;
+    case TBMPString:
+	length_primitive ("bmp_string", name, variable);
+	break;
+    case TUniversalString:
+	length_primitive ("universal_string", name, variable);
+	break;
+    case TVisibleString:
+	length_primitive ("visible_string", name, variable);
+	break;
+    case TNull:
+	fprintf (codefile, "/* NULL */\n");
+	break;
+    case TTag:{
+    	char *tname;
+	asprintf(&tname, "%s_tag", tmpstr);
+	if (tname == NULL)
+	    errx(1, "malloc");
+	length_type (name, t->subtype, variable, tname);
+	fprintf (codefile, "ret += %lu + der_length_len (ret);\n", 
+		 (unsigned long)length_tag(t->tag.tagvalue));
+	free(tname);
+	break;
+    }
+    case TOID:
+	length_primitive ("oid", name, variable);
 	break;
     default :
 	abort ();
     }
+    return 0;
 }
 
 void
 generate_type_length (const Symbol *s)
 {
-  fprintf (headerfile,
-	   "size_t length_%s(const %s *);\n",
-	   s->gen_name, s->gen_name);
-
-  fprintf (codefile,
-	   "size_t\n"
-	   "length_%s(const %s *data)\n"
-	   "{\n"
-	   "size_t ret = 0;\n",
-	   s->gen_name, s->gen_name);
-
-  length_type ("data", s->type, "ret");
-  fprintf (codefile, "return ret;\n}\n\n");
+    fprintf (headerfile,
+	     "size_t length_%s(const %s *);\n",
+	     s->gen_name, s->gen_name);
+    
+    fprintf (codefile,
+	     "size_t\n"
+	     "length_%s(const %s *data)\n"
+	     "{\n"
+	     "size_t ret = 0;\n",
+	     s->gen_name, s->gen_name);
+    
+    length_type ("data", s->type, "ret", "Top");
+    fprintf (codefile, "return ret;\n}\n\n");
 }
 
diff --git a/crypto/heimdal/lib/asn1/gen_locl.h b/crypto/heimdal/lib/asn1/gen_locl.h
index 212c321..8cd4dba 100644
--- a/crypto/heimdal/lib/asn1/gen_locl.h
+++ b/crypto/heimdal/lib/asn1/gen_locl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: gen_locl.h,v 1.9 2001/09/27 16:21:47 assar Exp $ */
+/* $Id: gen_locl.h 18008 2006-09-05 12:29:18Z lha $ */
 
 #ifndef __GEN_LOCL_H__
 #define __GEN_LOCL_H__
@@ -51,24 +51,39 @@
 #include <roken.h>
 #include "hash.h"
 #include "symbol.h"
+#include "asn1-common.h"
+#include "der.h"
 
 void generate_type (const Symbol *);
 void generate_constant (const Symbol *);
-void generate_type_encode (const Symbol *s);
-void generate_type_decode (const Symbol *s);
-void generate_seq_type_decode (const Symbol *s);
-void generate_type_free (const Symbol *s);
-void generate_type_length (const Symbol *s);
-void generate_type_copy (const Symbol *s);
-void generate_type_maybe (const Symbol *s);
-void generate_glue (const Symbol *s);
+void generate_type_encode (const Symbol *);
+void generate_type_decode (const Symbol *);
+void generate_type_free (const Symbol *);
+void generate_type_length (const Symbol *);
+void generate_type_copy (const Symbol *);
+void generate_type_seq (const Symbol *);
+void generate_glue (const Type *, const char*);
 
-void init_generate (const char *filename, const char *basename);
-const char *filename (void);
+const char *classname(Der_class);
+const char *valuename(Der_class, int);
+
+void gen_compare_defval(const char *, struct value *);
+void gen_assign_defval(const char *, struct value *);
+
+
+void init_generate (const char *, const char *);
+const char *get_filename (void);
 void close_generate(void);
-void add_import(const char *module);
+void add_import(const char *);
 int yyparse(void);
 
+int preserve_type(const char *);
+int seq_type(const char *);
+
 extern FILE *headerfile, *codefile, *logfile;
+extern int dce_fix;
+extern int rfc1510_bitstring;
+
+extern int error_flag;
 
 #endif /* __GEN_LOCL_H__ */
diff --git a/crypto/heimdal/lib/asn1/gen_seq.c b/crypto/heimdal/lib/asn1/gen_seq.c
new file mode 100644
index 0000000..5477675
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/gen_seq.c
@@ -0,0 +1,119 @@
+/*
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gen_locl.h"
+
+RCSID("$Id: gen_seq.c 20561 2007-04-24 16:14:30Z lha $");
+
+void
+generate_type_seq (const Symbol *s)
+{
+    char *subname;
+    Type *type;
+
+    if (!seq_type(s->name))
+	return;
+    type = s->type;
+    while(type->type == TTag)
+	type = type->subtype;
+
+    if (type->type != TSequenceOf) {
+	printf("%s not seq of %d\n", s->name, (int)type->type);
+	return;
+    }
+
+    /*
+     * Require the subtype to be a type so we can name it and use
+     * copy_/free_
+     */
+    
+    if (type->subtype->type != TType) {
+	fprintf(stderr, "%s subtype is not a type, can't generate "
+	       "sequence code for this case: %d\n",
+		s->name, (int)type->subtype->type);
+	exit(1);
+    }
+
+    subname = type->subtype->symbol->gen_name;
+
+    fprintf (headerfile,
+	     "int   add_%s  (%s *, const %s *);\n"
+	     "int   remove_%s  (%s *, unsigned int);\n",
+	     s->gen_name, s->gen_name, subname,
+	     s->gen_name, s->gen_name);
+
+    fprintf (codefile, "int\n"
+	     "add_%s(%s *data, const %s *element)\n"
+	     "{\n",
+	     s->gen_name, s->gen_name, subname);
+
+    fprintf (codefile, 
+	     "int ret;\n"
+	     "void *ptr;\n"
+	     "\n"
+	     "ptr = realloc(data->val, \n"
+	     "\t(data->len + 1) * sizeof(data->val[0]));\n"
+	     "if (ptr == NULL) return ENOMEM;\n"
+	     "data->val = ptr;\n\n"
+	     "ret = copy_%s(element, &data->val[data->len]);\n"
+	     "if (ret) return ret;\n"
+	     "data->len++;\n"
+	     "return 0;\n",
+	     subname);
+
+    fprintf (codefile, "}\n\n");
+    
+    fprintf (codefile, "int\n"
+	     "remove_%s(%s *data, unsigned int element)\n"
+	     "{\n",
+	     s->gen_name, s->gen_name);
+
+    fprintf (codefile, 
+	     "void *ptr;\n"
+	     "\n"
+	     "if (data->len == 0 || element >= data->len)\n"
+	     "\treturn ASN1_OVERRUN;\n"
+	     "free_%s(&data->val[element]);\n"
+	     "data->len--;\n"
+	     /* don't move if its the last element */
+	     "if (element < data->len)\n"
+	     "\tmemmove(&data->val[element], &data->val[element + 1], \n"
+	     "\t\tsizeof(data->val[0]) * data->len);\n"
+	     /* resize but don't care about failures since it doesn't matter */
+	     "ptr = realloc(data->val, data->len * sizeof(data->val[0]));\n"
+	     "if (ptr != NULL || data->len == 0) data->val = ptr;\n"
+	     "return 0;\n",
+	     subname);
+
+    fprintf (codefile, "}\n\n");
+}
diff --git a/crypto/heimdal/lib/asn1/hash.c b/crypto/heimdal/lib/asn1/hash.c
index a8d3eb3..eeb6b6d 100644
--- a/crypto/heimdal/lib/asn1/hash.c
+++ b/crypto/heimdal/lib/asn1/hash.c
@@ -37,7 +37,7 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: hash.c,v 1.8 1999/12/02 17:05:02 joda Exp $");
+RCSID("$Id: hash.c 17016 2006-04-07 22:16:00Z lha $");
 
 static Hashentry *_search(Hashtab * htab,	/* The hash table */
 			  void *ptr);	/* And key */
@@ -53,17 +53,16 @@ hashtabnew(int sz,
     assert(sz > 0);
 
     htab = (Hashtab *) malloc(sizeof(Hashtab) + (sz - 1) * sizeof(Hashentry *));
+    if (htab == NULL)
+	return NULL;
+
     for (i = 0; i < sz; ++i)
 	htab->tab[i] = NULL;
 
-    if (htab == NULL) {
-	return NULL;
-    } else {
-	htab->cmp = cmp;
-	htab->hash = hash;
-	htab->sz = sz;
-	return htab;
-    }
+    htab->cmp = cmp;
+    htab->hash = hash;
+    htab->sz = sz;
+    return htab;
 }
 
 /* Intern search function */
@@ -183,7 +182,7 @@ hashcaseadd(const char *s)
     assert(s);
 
     for (i = 0; *s; ++s)
-	i += toupper(*s);
+	i += toupper((unsigned char)*s);
     return i;
 }
 
diff --git a/crypto/heimdal/lib/asn1/hash.h b/crypto/heimdal/lib/asn1/hash.h
index b54e102..10d8ce9 100644
--- a/crypto/heimdal/lib/asn1/hash.h
+++ b/crypto/heimdal/lib/asn1/hash.h
@@ -35,7 +35,7 @@
  * hash.h. Header file for hash table functions
  */
 
-/* $Id: hash.h,v 1.3 1999/12/02 17:05:02 joda Exp $ */
+/* $Id: hash.h 7464 1999-12-02 17:05:13Z joda $ */
 
 struct hashentry {		/* Entry in bucket */
      struct hashentry **prev;
diff --git a/crypto/heimdal/lib/asn1/heim_asn1.h b/crypto/heimdal/lib/asn1/heim_asn1.h
new file mode 100644
index 0000000..afee6f4
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/heim_asn1.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2003-2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifndef __HEIM_ANY_H__
+#define __HEIM_ANY_H__ 1
+
+int	encode_heim_any(unsigned char *, size_t, const heim_any *, size_t *);
+int	decode_heim_any(const unsigned char *, size_t, heim_any *, size_t *);
+void	free_heim_any(heim_any *);
+size_t	length_heim_any(const heim_any *);
+int	copy_heim_any(const heim_any *, heim_any *);
+
+int	encode_heim_any_set(unsigned char *, size_t,
+			    const heim_any_set *, size_t *);
+int	decode_heim_any_set(const unsigned char *, size_t,
+			    heim_any_set *,size_t *);
+void	free_heim_any_set(heim_any_set *);
+size_t	length_heim_any_set(const heim_any_set *);
+int	copy_heim_any_set(const heim_any_set *, heim_any_set *);
+int	heim_any_cmp(const heim_any_set *, const heim_any_set *);
+
+#endif /* __HEIM_ANY_H__ */
diff --git a/crypto/heimdal/lib/asn1/k5.asn1 b/crypto/heimdal/lib/asn1/k5.asn1
index d9be266..18f1e15 100644
--- a/crypto/heimdal/lib/asn1/k5.asn1
+++ b/crypto/heimdal/lib/asn1/k5.asn1
@@ -1,4 +1,4 @@
--- $Id: k5.asn1,v 1.28.2.1 2004/06/21 08:25:45 lha Exp $
+-- $Id: k5.asn1 21965 2007-10-18 18:24:36Z lha $
 
 KERBEROS5 DEFINITIONS ::=
 BEGIN
@@ -10,7 +10,12 @@ NAME-TYPE ::= INTEGER {
 	KRB5_NT_SRV_HST(3),	-- Service with host name as instance
 	KRB5_NT_SRV_XHST(4),	-- Service with host as remaining components
 	KRB5_NT_UID(5),		-- Unique ID
-	KRB5_NT_X500_PRINCIPAL(6) -- PKINIT
+	KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
+	KRB5_NT_SMTP_NAME(7),	-- Name in form of SMTP email name
+	KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
+	KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
+	KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name
+	KRB5_NT_MS_PRINCIPAL_AND_ID(-129) -- NT style name and SID
 }
 
 -- message types
@@ -46,16 +51,50 @@ PADATA-TYPE ::= INTEGER {
 	KRB5-PADATA-ETYPE-INFO(11),
 	KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
 	KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
-	KRB5-PADATA-PK-AS-REQ(14), -- (PKINIT)
-	KRB5-PADATA-PK-AS-REP(15), -- (PKINIT)
-	KRB5-PADATA-PK-AS-SIGN(16), -- (PKINIT)
-	KRB5-PADATA-PK-KEY-REQ(17), -- (PKINIT)
-	KRB5-PADATA-PK-KEY-REP(18), -- (PKINIT)
+	KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
+	KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
+	KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number)
+	KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
+	KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
+	KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
 	KRB5-PADATA-ETYPE-INFO2(19),
 	KRB5-PADATA-USE-SPECIFIED-KVNO(20),
+	KRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
 	KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
 	KRB5-PADATA-GET-FROM-TYPED-DATA(22),
-	KRB5-PADATA-SAM-ETYPE-INFO(23)
+	KRB5-PADATA-SAM-ETYPE-INFO(23),
+	KRB5-PADATA-SERVER-REFERRAL(25),
+	KRB5-PADATA-TD-KRB-PRINCIPAL(102),	-- PrincipalName
+	KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
+	KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
+	KRB5-PADATA-TD-APP-DEFINED-ERROR(106),	-- application specific
+	KRB5-PADATA-TD-REQ-NONCE(107),		-- INTEGER
+	KRB5-PADATA-TD-REQ-SEQ(108),		-- INTEGER
+	KRB5-PADATA-PA-PAC-REQUEST(128),	-- jbrezak@exchange.microsoft.com
+	KRB5-PADATA-S4U2SELF(129),
+	KRB5-PADATA-PK-AS-09-BINDING(132),	-- client send this to 
+						-- tell KDC that is supports 
+						-- the asCheckSum in the
+						--  PK-AS-REP
+	KRB5-PADATA-CLIENT-CANONICALIZED(133)	-- 
+}
+
+AUTHDATA-TYPE ::= INTEGER {
+	KRB5-AUTHDATA-IF-RELEVANT(1),
+	KRB5-AUTHDATA-INTENDED-FOR_SERVER(2),
+	KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
+	KRB5-AUTHDATA-KDC-ISSUED(4),
+	KRB5-AUTHDATA-AND-OR(5),
+	KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
+	KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
+	KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
+	KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
+	KRB5-AUTHDATA-OSF-DCE(64),
+	KRB5-AUTHDATA-SESAME(65),
+	KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
+	KRB5-AUTHDATA-WIN2K-PAC(128),
+	KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
+	KRB5-AUTHDATA-SIGNTICKET(-17)
 }
 
 -- checksumtypes
@@ -71,10 +110,11 @@ CKSUMTYPE ::= INTEGER {
 	CKSUMTYPE_RSA_MD5(7),
 	CKSUMTYPE_RSA_MD5_DES(8),
 	CKSUMTYPE_RSA_MD5_DES3(9),
-	CKSUMTYPE_HMAC_SHA1_96_AES_128(10),
-	CKSUMTYPE_HMAC_SHA1_96_AES_256(11),
+	CKSUMTYPE_SHA1_OTHER(10),
 	CKSUMTYPE_HMAC_SHA1_DES3(12),
-	CKSUMTYPE_SHA1(1000),		-- correct value? 10 (9 also)
+	CKSUMTYPE_SHA1(14),
+	CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
+	CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
 	CKSUMTYPE_GSSAPI(0x8003),
 	CKSUMTYPE_HMAC_MD5(-138),	-- unofficial microsoft number
 	CKSUMTYPE_HMAC_MD5_ENC(-1138)	-- even more unofficial
@@ -97,16 +137,28 @@ ENCTYPE ::= INTEGER {
 	ETYPE_ARCFOUR_HMAC_MD5(23),
 	ETYPE_ARCFOUR_HMAC_MD5_56(24),
 	ETYPE_ENCTYPE_PK_CROSS(48),
+-- some "old" windows types
+	ETYPE_ARCFOUR_MD4(-128),
+	ETYPE_ARCFOUR_HMAC_OLD(-133),
+	ETYPE_ARCFOUR_HMAC_OLD_EXP(-135),
 -- these are for Heimdal internal use
 	ETYPE_DES_CBC_NONE(-0x1000),
 	ETYPE_DES3_CBC_NONE(-0x1001),
 	ETYPE_DES_CFB64_NONE(-0x1002),
-	ETYPE_DES_PCBC_NONE(-0x1003)
+	ETYPE_DES_PCBC_NONE(-0x1003),
+	ETYPE_DIGEST_MD5_NONE(-0x1004),		-- private use, lukeh@padl.com
+	ETYPE_CRAM_MD5_NONE(-0x1005)		-- private use, lukeh@padl.com
 }
 
+
+
+
 -- this is sugar to make something ASN1 does not have: unsigned
 
-UNSIGNED ::= INTEGER (0..4294967295)
+krb5uint32 ::= INTEGER (0..4294967295)
+krb5int32 ::= INTEGER (-2147483648..2147483647)
+
+KerberosString  ::= GeneralString
 
 Realm ::= GeneralString
 PrincipalName ::= SEQUENCE {
@@ -121,14 +173,14 @@ Principal ::= SEQUENCE {
 }
 
 HostAddress ::= SEQUENCE  {
-	addr-type[0]		INTEGER,
+	addr-type[0]		krb5int32,
 	address[1]		OCTET STRING
 }
 
 -- This is from RFC1510.
 --
 -- HostAddresses ::= SEQUENCE OF SEQUENCE {
--- 	addr-type[0]		INTEGER,
+-- 	addr-type[0]		krb5int32,
 --	address[1]		OCTET STRING
 -- }
 
@@ -138,11 +190,13 @@ HostAddresses ::= SEQUENCE OF HostAddress
 
 KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
 
-AuthorizationData ::= SEQUENCE OF SEQUENCE {
-	ad-type[0]		INTEGER,
+AuthorizationDataElement ::= SEQUENCE {
+	ad-type[0]		krb5int32,
 	ad-data[1]		OCTET STRING
 }
 
+AuthorizationData ::= SEQUENCE OF AuthorizationDataElement
+
 APOptions ::= BIT STRING {
 	reserved(0),
 	use-session-key(1),
@@ -182,6 +236,7 @@ KDCOptions ::= BIT STRING {
 	unused11(11),
 	request-anonymous(14),
 	canonicalize(15),
+	constrained-delegation(16), -- ms extension
 	disable-transited-check(26),
 	renewable-ok(27),
 	enc-tkt-in-skey(28),
@@ -208,23 +263,23 @@ LastReq ::= SEQUENCE OF SEQUENCE {
 
 EncryptedData ::= SEQUENCE {
 	etype[0] 		ENCTYPE, -- EncryptionType
-	kvno[1]			INTEGER OPTIONAL,
+	kvno[1]			krb5int32 OPTIONAL,
 	cipher[2]		OCTET STRING -- ciphertext
 }
 
 EncryptionKey ::= SEQUENCE {
-	keytype[0]		INTEGER,
+	keytype[0]		krb5int32,
 	keyvalue[1]		OCTET STRING
 }
 
 -- encoded Transited field
 TransitedEncoding ::= SEQUENCE {
-	tr-type[0]		INTEGER, -- must be registered
+	tr-type[0]		krb5int32, -- must be registered
 	contents[1]		OCTET STRING
 }
 
 Ticket ::= [APPLICATION 1] SEQUENCE {
-	tkt-vno[0]		INTEGER,
+	tkt-vno[0]		krb5int32,
 	realm[1]		Realm,
 	sname[2]		PrincipalName,
 	enc-part[3]		EncryptedData
@@ -250,16 +305,16 @@ Checksum ::= SEQUENCE {
 }
 
 Authenticator ::= [APPLICATION 2] SEQUENCE    {
-	authenticator-vno[0]	INTEGER,
+	authenticator-vno[0]	krb5int32,
 	crealm[1]		Realm,
 	cname[2]		PrincipalName,
 	cksum[3]		Checksum OPTIONAL,
-	cusec[4]		INTEGER,
+	cusec[4]		krb5int32,
 	ctime[5]		KerberosTime,
 	subkey[6]		EncryptionKey OPTIONAL,
-	seq-number[7]		UNSIGNED OPTIONAL,
+	seq-number[7]		krb5uint32 OPTIONAL,
 	authorization-data[8]	AuthorizationData OPTIONAL
-	}
+}
 
 PA-DATA ::= SEQUENCE {
 	-- might be encoded AP-REQ
@@ -270,13 +325,28 @@ PA-DATA ::= SEQUENCE {
 ETYPE-INFO-ENTRY ::= SEQUENCE {
 	etype[0]		ENCTYPE,
 	salt[1]			OCTET STRING OPTIONAL,
-	salttype[2]		INTEGER OPTIONAL
+	salttype[2]		krb5int32 OPTIONAL
 }
 
 ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
 
+ETYPE-INFO2-ENTRY ::= SEQUENCE {
+	etype[0]		ENCTYPE,
+	salt[1]			KerberosString OPTIONAL,
+	s2kparams[2]		OCTET STRING OPTIONAL
+}
+
+ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
+
 METHOD-DATA ::= SEQUENCE OF PA-DATA
 
+TypedData ::=   SEQUENCE {
+	data-type[0]		krb5int32,
+	data-value[1]		OCTET STRING OPTIONAL
+}
+
+TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
+
 KDC-REQ-BODY ::= SEQUENCE {
 	kdc-options[0]		KDCOptions,
 	cname[1]		PrincipalName OPTIONAL, -- Used only in AS-REQ
@@ -286,7 +356,7 @@ KDC-REQ-BODY ::= SEQUENCE {
 	from[4]			KerberosTime OPTIONAL,
 	till[5]			KerberosTime OPTIONAL,
 	rtime[6]		KerberosTime OPTIONAL,
-	nonce[7]		INTEGER,
+	nonce[7]		krb5int32,
 	etype[8]		SEQUENCE OF ENCTYPE, -- EncryptionType,
 					-- in preference order
 	addresses[9]		HostAddresses OPTIONAL,
@@ -296,7 +366,7 @@ KDC-REQ-BODY ::= SEQUENCE {
 }
 
 KDC-REQ ::= SEQUENCE {
-	pvno[1]			INTEGER,
+	pvno[1]			krb5int32,
 	msg-type[2]		MESSAGE-TYPE,
 	padata[3]		METHOD-DATA OPTIONAL,
 	req-body[4]		KDC-REQ-BODY
@@ -310,11 +380,20 @@ TGS-REQ ::= [APPLICATION 12] KDC-REQ
 
 PA-ENC-TS-ENC ::= SEQUENCE {
 	patimestamp[0]		KerberosTime, -- client's time
-	pausec[1]		INTEGER OPTIONAL
+	pausec[1]		krb5int32 OPTIONAL
 }
 
+-- draft-brezak-win2k-krb-authz-01
+PA-PAC-REQUEST ::= SEQUENCE {
+	include-pac[0]		BOOLEAN -- Indicates whether a PAC 
+					-- should be included or not
+}
+
+-- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
+PROV-SRV-LOCATION ::= GeneralString
+
 KDC-REP ::= SEQUENCE {
-	pvno[0]			INTEGER,
+	pvno[0]			krb5int32,
 	msg-type[1]		MESSAGE-TYPE,
 	padata[2]		METHOD-DATA OPTIONAL,
 	crealm[3]		Realm,
@@ -329,7 +408,7 @@ TGS-REP ::= [APPLICATION 13] KDC-REP
 EncKDCRepPart ::= SEQUENCE {
 	key[0]			EncryptionKey,
 	last-req[1]		LastReq,
-	nonce[2]		INTEGER,
+	nonce[2]		krb5int32,
 	key-expiration[3]	KerberosTime OPTIONAL,
 	flags[4]		TicketFlags,
 	authtime[5]		KerberosTime,
@@ -338,14 +417,15 @@ EncKDCRepPart ::= SEQUENCE {
 	renew-till[8]		KerberosTime OPTIONAL,
 	srealm[9]		Realm,
 	sname[10]		PrincipalName,
-	caddr[11]		HostAddresses OPTIONAL
+	caddr[11]		HostAddresses OPTIONAL,
+	encrypted-pa-data[12]	METHOD-DATA OPTIONAL
 }
 
 EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
 
 AP-REQ ::= [APPLICATION 14] SEQUENCE {
-	pvno[0]			INTEGER,
+	pvno[0]			krb5int32,
 	msg-type[1]		MESSAGE-TYPE,
 	ap-options[2]		APOptions,
 	ticket[3]		Ticket,
@@ -353,50 +433,50 @@ AP-REQ ::= [APPLICATION 14] SEQUENCE {
 }
 
 AP-REP ::= [APPLICATION 15] SEQUENCE {
-	pvno[0]			INTEGER,
+	pvno[0]			krb5int32,
 	msg-type[1]		MESSAGE-TYPE,
 	enc-part[2]		EncryptedData
 }
 
 EncAPRepPart ::= [APPLICATION 27]     SEQUENCE {
 	ctime[0]		KerberosTime,
-	cusec[1]		INTEGER,
+	cusec[1]		krb5int32,
 	subkey[2]		EncryptionKey OPTIONAL,
-	seq-number[3]		UNSIGNED OPTIONAL
+	seq-number[3]		krb5uint32 OPTIONAL
 }
 
 KRB-SAFE-BODY ::= SEQUENCE {
 	user-data[0]		OCTET STRING,
 	timestamp[1]		KerberosTime OPTIONAL,
-	usec[2]			INTEGER OPTIONAL,
-	seq-number[3]		UNSIGNED OPTIONAL,
+	usec[2]			krb5int32 OPTIONAL,
+	seq-number[3]		krb5uint32 OPTIONAL,
 	s-address[4]		HostAddress OPTIONAL,
 	r-address[5]		HostAddress OPTIONAL
 }
 
 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
-	pvno[0]			INTEGER,
+	pvno[0]			krb5int32,
 	msg-type[1]		MESSAGE-TYPE,
 	safe-body[2]		KRB-SAFE-BODY,
 	cksum[3]		Checksum
 }
 
 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
-	pvno[0]			INTEGER,
+	pvno[0]			krb5int32,
 	msg-type[1]		MESSAGE-TYPE,
 	enc-part[3]		EncryptedData
 }
 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
 	user-data[0]		OCTET STRING,
 	timestamp[1]		KerberosTime OPTIONAL,
-	usec[2]			INTEGER OPTIONAL,
-	seq-number[3]		UNSIGNED OPTIONAL,
+	usec[2]			krb5int32 OPTIONAL,
+	seq-number[3]		krb5uint32 OPTIONAL,
 	s-address[4]		HostAddress OPTIONAL, -- sender's addr
 	r-address[5]		HostAddress OPTIONAL  -- recip's addr
 }
 
 KRB-CRED ::= [APPLICATION 22]   SEQUENCE {
-	pvno[0]			INTEGER,
+	pvno[0]			krb5int32,
 	msg-type[1]		MESSAGE-TYPE, -- KRB_CRED
 	tickets[2]		SEQUENCE OF Ticket,
 	enc-part[3]		EncryptedData
@@ -418,21 +498,21 @@ KrbCredInfo ::= SEQUENCE {
 
 EncKrbCredPart ::= [APPLICATION 29]   SEQUENCE {
 	ticket-info[0]		SEQUENCE OF KrbCredInfo,
-	nonce[1]		INTEGER OPTIONAL,
+	nonce[1]		krb5int32 OPTIONAL,
 	timestamp[2]		KerberosTime OPTIONAL,
-	usec[3]			INTEGER OPTIONAL,
+	usec[3]			krb5int32 OPTIONAL,
 	s-address[4]		HostAddress OPTIONAL,
 	r-address[5]		HostAddress OPTIONAL
 }
 
 KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
-	pvno[0]			INTEGER,
+	pvno[0]			krb5int32,
 	msg-type[1]		MESSAGE-TYPE,
 	ctime[2]		KerberosTime OPTIONAL,
-	cusec[3]		INTEGER OPTIONAL,
+	cusec[3]		krb5int32 OPTIONAL,
 	stime[4]		KerberosTime,
-	susec[5]		INTEGER,
-	error-code[6]		INTEGER,
+	susec[5]		krb5int32,
+	error-code[6]		krb5int32,
 	crealm[7]		Realm OPTIONAL,
 	cname[8]		PrincipalName OPTIONAL,
 	realm[9]		Realm, -- Correct realm
@@ -447,11 +527,132 @@ ChangePasswdDataMS ::= SEQUENCE {
 	targrealm[2]		Realm OPTIONAL
 }
 
-pvno INTEGER ::= 5 -- current Kerberos protocol version number
+EtypeList ::= SEQUENCE OF krb5int32
+	-- the client's proposed enctype list in
+	-- decreasing preference order, favorite choice first
+
+krb5-pvno krb5int32 ::= 5 -- current Kerberos protocol version number
 
 -- transited encodings
 
-DOMAIN-X500-COMPRESS	INTEGER ::= 1
+DOMAIN-X500-COMPRESS	krb5int32 ::= 1
+
+-- authorization data primitives
+
+AD-IF-RELEVANT ::= AuthorizationData
+
+AD-KDCIssued ::= SEQUENCE {
+	ad-checksum[0]		Checksum,
+	i-realm[1]		Realm OPTIONAL,
+	i-sname[2]		PrincipalName OPTIONAL,
+	elements[3]		AuthorizationData
+}
+
+AD-AND-OR ::= SEQUENCE {
+	condition-count[0]	INTEGER,
+	elements[1]		AuthorizationData
+}
+
+AD-MANDATORY-FOR-KDC ::= AuthorizationData
+
+-- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2
+
+PA-SAM-TYPE ::= INTEGER {
+	PA_SAM_TYPE_ENIGMA(1),		-- Enigma Logic
+	PA_SAM_TYPE_DIGI_PATH(2),	-- Digital Pathways
+	PA_SAM_TYPE_SKEY_K0(3),		-- S/key where  KDC has key 0
+	PA_SAM_TYPE_SKEY(4),		-- Traditional S/Key
+	PA_SAM_TYPE_SECURID(5),		-- Security Dynamics
+	PA_SAM_TYPE_CRYPTOCARD(6)	-- CRYPTOCard
+}
+
+PA-SAM-REDIRECT ::= HostAddresses
+
+SAMFlags ::= BIT STRING {
+	use-sad-as-key(0),
+	send-encrypted-sad(1),
+	must-pk-encrypt-sad(2)
+}
+
+PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
+	sam-type[0]		krb5int32,
+	sam-flags[1]		SAMFlags,
+	sam-type-name[2]	GeneralString OPTIONAL,
+	sam-track-id[3]		GeneralString OPTIONAL,
+	sam-challenge-label[4]	GeneralString OPTIONAL,
+	sam-challenge[5]	GeneralString OPTIONAL,
+	sam-response-prompt[6]	GeneralString OPTIONAL,
+	sam-pk-for-sad[7]	EncryptionKey OPTIONAL,
+	sam-nonce[8]		krb5int32,
+	sam-etype[9]		krb5int32,
+	...
+}
+
+PA-SAM-CHALLENGE-2 ::= SEQUENCE {
+	sam-body[0]		PA-SAM-CHALLENGE-2-BODY,
+	sam-cksum[1]		SEQUENCE OF Checksum, -- (1..MAX)
+	...
+}
+
+PA-SAM-RESPONSE-2 ::= SEQUENCE {
+	sam-type[0]		krb5int32,
+	sam-flags[1]		SAMFlags,
+	sam-track-id[2]		GeneralString OPTIONAL,
+	sam-enc-nonce-or-sad[3]	EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
+	sam-nonce[4]		krb5int32,
+	...
+}
+
+PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
+	sam-nonce[0]		krb5int32,
+	sam-sad[1]		GeneralString OPTIONAL,
+	...
+}
+
+PA-S4U2Self ::= SEQUENCE {
+	name[0]		PrincipalName,
+        realm[1]	Realm,
+        cksum[2]	Checksum,
+        auth[3]		GeneralString
+}
+
+KRB5SignedPathPrincipals ::= SEQUENCE OF Principal
+
+-- never encoded on the wire, just used to checksum over
+KRB5SignedPathData ::= SEQUENCE {
+	encticket[0]	EncTicketPart,
+	delegated[1]	KRB5SignedPathPrincipals OPTIONAL
+}
+
+KRB5SignedPath ::= SEQUENCE {
+	-- DERcoded KRB5SignedPathData
+	-- krbtgt key (etype), KeyUsage = XXX 
+	etype[0]	ENCTYPE,
+	cksum[1]	Checksum,
+	-- srvs delegated though
+	delegated[2]	KRB5SignedPathPrincipals OPTIONAL
+}
+
+PA-ClientCanonicalizedNames ::= SEQUENCE{
+	requested-name [0] PrincipalName,
+	real-name      [1] PrincipalName
+}
+
+PA-ClientCanonicalized ::= SEQUENCE {
+	names          [0] PA-ClientCanonicalizedNames,
+	canon-checksum [1] Checksum
+}
+
+AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
+	login-alias  [0] PrincipalName,
+	checksum     [1] Checksum
+}
+
+-- old ms referral
+PA-SvrReferralData ::= SEQUENCE {
+	referred-name   [1] PrincipalName OPTIONAL,
+	referred-realm  [0] Realm
+}
 
 END
 
diff --git a/crypto/heimdal/lib/asn1/kx509.asn1 b/crypto/heimdal/lib/asn1/kx509.asn1
new file mode 100644
index 0000000..fc6a696
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/kx509.asn1
@@ -0,0 +1,20 @@
+-- $Id: kx509.asn1 19546 2006-12-28 21:05:23Z lha $
+
+KX509 DEFINITIONS ::=
+BEGIN
+
+Kx509Request ::= SEQUENCE {
+	authenticator OCTET STRING,
+	pk-hash OCTET STRING,
+	pk-key OCTET STRING
+}
+
+Kx509Response ::= SEQUENCE {
+	error-code[0]	INTEGER (-2147483648..2147483647)
+	      OPTIONAL -- DEFAULT 0 --,
+	hash[1]		OCTET STRING OPTIONAL,
+	certificate[2]	OCTET STRING OPTIONAL,
+	e-text[3]	VisibleString OPTIONAL
+}
+
+END
diff --git a/crypto/heimdal/lib/asn1/lex.c b/crypto/heimdal/lib/asn1/lex.c
new file mode 100644
index 0000000..812bce1
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/lex.c
@@ -0,0 +1,2693 @@
+
+#line 3 "lex.c"
+
+#define  YY_INT_ALIGNED short int
+
+/* A lexical scanner generated by flex */
+
+#define FLEX_SCANNER
+#define YY_FLEX_MAJOR_VERSION 2
+#define YY_FLEX_MINOR_VERSION 5
+#define YY_FLEX_SUBMINOR_VERSION 33
+#if YY_FLEX_SUBMINOR_VERSION > 0
+#define FLEX_BETA
+#endif
+
+/* First, we deal with  platform-specific or compiler-specific issues. */
+
+/* begin standard C headers. */
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <stdlib.h>
+
+/* end standard C headers. */
+
+/* flex integer type definitions */
+
+#ifndef FLEXINT_H
+#define FLEXINT_H
+
+/* C99 systems have <inttypes.h>. Non-C99 systems may or may not. */
+
+#if __STDC_VERSION__ >= 199901L
+
+/* C99 says to define __STDC_LIMIT_MACROS before including stdint.h,
+ * if you want the limit (max/min) macros for int types. 
+ */
+#ifndef __STDC_LIMIT_MACROS
+#define __STDC_LIMIT_MACROS 1
+#endif
+
+#include <inttypes.h>
+typedef int8_t flex_int8_t;
+typedef uint8_t flex_uint8_t;
+typedef int16_t flex_int16_t;
+typedef uint16_t flex_uint16_t;
+typedef int32_t flex_int32_t;
+typedef uint32_t flex_uint32_t;
+#else
+typedef signed char flex_int8_t;
+typedef short int flex_int16_t;
+typedef int flex_int32_t;
+typedef unsigned char flex_uint8_t; 
+typedef unsigned short int flex_uint16_t;
+typedef unsigned int flex_uint32_t;
+#endif /* ! C99 */
+
+/* Limits of integral types. */
+#ifndef INT8_MIN
+#define INT8_MIN               (-128)
+#endif
+#ifndef INT16_MIN
+#define INT16_MIN              (-32767-1)
+#endif
+#ifndef INT32_MIN
+#define INT32_MIN              (-2147483647-1)
+#endif
+#ifndef INT8_MAX
+#define INT8_MAX               (127)
+#endif
+#ifndef INT16_MAX
+#define INT16_MAX              (32767)
+#endif
+#ifndef INT32_MAX
+#define INT32_MAX              (2147483647)
+#endif
+#ifndef UINT8_MAX
+#define UINT8_MAX              (255U)
+#endif
+#ifndef UINT16_MAX
+#define UINT16_MAX             (65535U)
+#endif
+#ifndef UINT32_MAX
+#define UINT32_MAX             (4294967295U)
+#endif
+
+#endif /* ! FLEXINT_H */
+
+#ifdef __cplusplus
+
+/* The "const" storage-class-modifier is valid. */
+#define YY_USE_CONST
+
+#else	/* ! __cplusplus */
+
+#if __STDC__
+
+#define YY_USE_CONST
+
+#endif	/* __STDC__ */
+#endif	/* ! __cplusplus */
+
+#ifdef YY_USE_CONST
+#define yyconst const
+#else
+#define yyconst
+#endif
+
+/* Returned upon end-of-file. */
+#define YY_NULL 0
+
+/* Promotes a possibly negative, possibly signed char to an unsigned
+ * integer for use as an array index.  If the signed char is negative,
+ * we want to instead treat it as an 8-bit unsigned char, hence the
+ * double cast.
+ */
+#define YY_SC_TO_UI(c) ((unsigned int) (unsigned char) c)
+
+/* Enter a start condition.  This macro really ought to take a parameter,
+ * but we do it the disgusting crufty way forced on us by the ()-less
+ * definition of BEGIN.
+ */
+#define BEGIN (yy_start) = 1 + 2 *
+
+/* Translate the current start state into a value that can be later handed
+ * to BEGIN to return to the state.  The YYSTATE alias is for lex
+ * compatibility.
+ */
+#define YY_START (((yy_start) - 1) / 2)
+#define YYSTATE YY_START
+
+/* Action number for EOF rule of a given start state. */
+#define YY_STATE_EOF(state) (YY_END_OF_BUFFER + state + 1)
+
+/* Special action meaning "start processing a new file". */
+#define YY_NEW_FILE yyrestart(yyin  )
+
+#define YY_END_OF_BUFFER_CHAR 0
+
+/* Size of default input buffer. */
+#ifndef YY_BUF_SIZE
+#define YY_BUF_SIZE 16384
+#endif
+
+/* The state buf must be large enough to hold one state per character in the main buffer.
+ */
+#define YY_STATE_BUF_SIZE   ((YY_BUF_SIZE + 2) * sizeof(yy_state_type))
+
+#ifndef YY_TYPEDEF_YY_BUFFER_STATE
+#define YY_TYPEDEF_YY_BUFFER_STATE
+typedef struct yy_buffer_state *YY_BUFFER_STATE;
+#endif
+
+extern int yyleng;
+
+extern FILE *yyin, *yyout;
+
+#define EOB_ACT_CONTINUE_SCAN 0
+#define EOB_ACT_END_OF_FILE 1
+#define EOB_ACT_LAST_MATCH 2
+
+    #define YY_LESS_LINENO(n)
+    
+/* Return all but the first "n" matched characters back to the input stream. */
+#define yyless(n) \
+	do \
+		{ \
+		/* Undo effects of setting up yytext. */ \
+        int yyless_macro_arg = (n); \
+        YY_LESS_LINENO(yyless_macro_arg);\
+		*yy_cp = (yy_hold_char); \
+		YY_RESTORE_YY_MORE_OFFSET \
+		(yy_c_buf_p) = yy_cp = yy_bp + yyless_macro_arg - YY_MORE_ADJ; \
+		YY_DO_BEFORE_ACTION; /* set up yytext again */ \
+		} \
+	while ( 0 )
+
+#define unput(c) yyunput( c, (yytext_ptr)  )
+
+/* The following is because we cannot portably get our hands on size_t
+ * (without autoconf's help, which isn't available because we want
+ * flex-generated scanners to compile on their own).
+ */
+
+#ifndef YY_TYPEDEF_YY_SIZE_T
+#define YY_TYPEDEF_YY_SIZE_T
+typedef unsigned int yy_size_t;
+#endif
+
+#ifndef YY_STRUCT_YY_BUFFER_STATE
+#define YY_STRUCT_YY_BUFFER_STATE
+struct yy_buffer_state
+	{
+	FILE *yy_input_file;
+
+	char *yy_ch_buf;		/* input buffer */
+	char *yy_buf_pos;		/* current position in input buffer */
+
+	/* Size of input buffer in bytes, not including room for EOB
+	 * characters.
+	 */
+	yy_size_t yy_buf_size;
+
+	/* Number of characters read into yy_ch_buf, not including EOB
+	 * characters.
+	 */
+	int yy_n_chars;
+
+	/* Whether we "own" the buffer - i.e., we know we created it,
+	 * and can realloc() it to grow it, and should free() it to
+	 * delete it.
+	 */
+	int yy_is_our_buffer;
+
+	/* Whether this is an "interactive" input source; if so, and
+	 * if we're using stdio for input, then we want to use getc()
+	 * instead of fread(), to make sure we stop fetching input after
+	 * each newline.
+	 */
+	int yy_is_interactive;
+
+	/* Whether we're considered to be at the beginning of a line.
+	 * If so, '^' rules will be active on the next match, otherwise
+	 * not.
+	 */
+	int yy_at_bol;
+
+    int yy_bs_lineno; /**< The line count. */
+    int yy_bs_column; /**< The column count. */
+    
+	/* Whether to try to fill the input buffer when we reach the
+	 * end of it.
+	 */
+	int yy_fill_buffer;
+
+	int yy_buffer_status;
+
+#define YY_BUFFER_NEW 0
+#define YY_BUFFER_NORMAL 1
+	/* When an EOF's been seen but there's still some text to process
+	 * then we mark the buffer as YY_EOF_PENDING, to indicate that we
+	 * shouldn't try reading from the input source any more.  We might
+	 * still have a bunch of tokens to match, though, because of
+	 * possible backing-up.
+	 *
+	 * When we actually see the EOF, we change the status to "new"
+	 * (via yyrestart()), so that the user can continue scanning by
+	 * just pointing yyin at a new input file.
+	 */
+#define YY_BUFFER_EOF_PENDING 2
+
+	};
+#endif /* !YY_STRUCT_YY_BUFFER_STATE */
+
+/* Stack of input buffers. */
+static size_t yy_buffer_stack_top = 0; /**< index of top of stack. */
+static size_t yy_buffer_stack_max = 0; /**< capacity of stack. */
+static YY_BUFFER_STATE * yy_buffer_stack = 0; /**< Stack as an array. */
+
+/* We provide macros for accessing buffer states in case in the
+ * future we want to put the buffer states in a more general
+ * "scanner state".
+ *
+ * Returns the top of the stack, or NULL.
+ */
+#define YY_CURRENT_BUFFER ( (yy_buffer_stack) \
+                          ? (yy_buffer_stack)[(yy_buffer_stack_top)] \
+                          : NULL)
+
+/* Same as previous macro, but useful when we know that the buffer stack is not
+ * NULL or when we need an lvalue. For internal use only.
+ */
+#define YY_CURRENT_BUFFER_LVALUE (yy_buffer_stack)[(yy_buffer_stack_top)]
+
+/* yy_hold_char holds the character lost when yytext is formed. */
+static char yy_hold_char;
+static int yy_n_chars;		/* number of characters read into yy_ch_buf */
+int yyleng;
+
+/* Points to current character in buffer. */
+static char *yy_c_buf_p = (char *) 0;
+static int yy_init = 0;		/* whether we need to initialize */
+static int yy_start = 0;	/* start state number */
+
+/* Flag which is used to allow yywrap()'s to do buffer switches
+ * instead of setting up a fresh yyin.  A bit of a hack ...
+ */
+static int yy_did_buffer_switch_on_eof;
+
+void yyrestart (FILE *input_file  );
+void yy_switch_to_buffer (YY_BUFFER_STATE new_buffer  );
+YY_BUFFER_STATE yy_create_buffer (FILE *file,int size  );
+void yy_delete_buffer (YY_BUFFER_STATE b  );
+void yy_flush_buffer (YY_BUFFER_STATE b  );
+void yypush_buffer_state (YY_BUFFER_STATE new_buffer  );
+void yypop_buffer_state (void );
+
+static void yyensure_buffer_stack (void );
+static void yy_load_buffer_state (void );
+static void yy_init_buffer (YY_BUFFER_STATE b,FILE *file  );
+
+#define YY_FLUSH_BUFFER yy_flush_buffer(YY_CURRENT_BUFFER )
+
+YY_BUFFER_STATE yy_scan_buffer (char *base,yy_size_t size  );
+YY_BUFFER_STATE yy_scan_string (yyconst char *yy_str  );
+YY_BUFFER_STATE yy_scan_bytes (yyconst char *bytes,int len  );
+
+void *yyalloc (yy_size_t  );
+void *yyrealloc (void *,yy_size_t  );
+void yyfree (void *  );
+
+#define yy_new_buffer yy_create_buffer
+
+#define yy_set_interactive(is_interactive) \
+	{ \
+	if ( ! YY_CURRENT_BUFFER ){ \
+        yyensure_buffer_stack (); \
+		YY_CURRENT_BUFFER_LVALUE =    \
+            yy_create_buffer(yyin,YY_BUF_SIZE ); \
+	} \
+	YY_CURRENT_BUFFER_LVALUE->yy_is_interactive = is_interactive; \
+	}
+
+#define yy_set_bol(at_bol) \
+	{ \
+	if ( ! YY_CURRENT_BUFFER ){\
+        yyensure_buffer_stack (); \
+		YY_CURRENT_BUFFER_LVALUE =    \
+            yy_create_buffer(yyin,YY_BUF_SIZE ); \
+	} \
+	YY_CURRENT_BUFFER_LVALUE->yy_at_bol = at_bol; \
+	}
+
+#define YY_AT_BOL() (YY_CURRENT_BUFFER_LVALUE->yy_at_bol)
+
+/* Begin user sect3 */
+
+typedef unsigned char YY_CHAR;
+
+FILE *yyin = (FILE *) 0, *yyout = (FILE *) 0;
+
+typedef int yy_state_type;
+
+extern int yylineno;
+
+int yylineno = 1;
+
+extern char *yytext;
+#define yytext_ptr yytext
+
+static yy_state_type yy_get_previous_state (void );
+static yy_state_type yy_try_NUL_trans (yy_state_type current_state  );
+static int yy_get_next_buffer (void );
+static void yy_fatal_error (yyconst char msg[]  );
+
+/* Done after the current pattern has been matched and before the
+ * corresponding action - sets up yytext.
+ */
+#define YY_DO_BEFORE_ACTION \
+	(yytext_ptr) = yy_bp; \
+	yyleng = (size_t) (yy_cp - yy_bp); \
+	(yy_hold_char) = *yy_cp; \
+	*yy_cp = '\0'; \
+	(yy_c_buf_p) = yy_cp;
+
+#define YY_NUM_RULES 95
+#define YY_END_OF_BUFFER 96
+/* This struct is not used in this scanner,
+   but its presence is necessary. */
+struct yy_trans_info
+	{
+	flex_int32_t yy_verify;
+	flex_int32_t yy_nxt;
+	};
+static yyconst flex_int16_t yy_accept[568] =
+    {   0,
+        0,    0,   96,   94,   90,   91,   87,   81,   81,   94,
+       94,   88,   88,   94,   89,   89,   89,   89,   89,   89,
+       89,   89,   89,   89,   89,   89,   89,   89,   89,   89,
+       89,   89,   89,   82,   83,   85,   88,   88,   93,   86,
+        0,    0,   89,   89,   89,   89,   89,   89,   89,   89,
+       89,   10,   89,   89,   89,   89,   89,   89,   89,   89,
+       89,   89,   89,   89,   89,   89,   89,   89,   89,   89,
+       89,   89,   89,   89,   51,   89,   89,   89,   89,   89,
+       89,   89,   89,   89,   89,   89,   89,   89,   89,   89,
+       89,   89,   89,   89,   89,   89,   89,   92,   88,   84,
+
+       89,    3,   89,   89,   89,    7,   89,   89,   89,   89,
+       89,   89,   89,   89,   89,   89,   22,   89,   89,   89,
+       89,   89,   89,   89,   89,   89,   89,   89,   89,   89,
+       89,   89,   44,   45,   89,   89,   89,   89,   89,   89,
+       89,   55,   89,   89,   89,   89,   89,   89,   89,   63,
+       89,   89,   89,   89,   89,   89,   89,   89,   89,   89,
+       89,   89,   89,   89,   89,   89,   89,   89,   89,   89,
+       89,   89,   89,   89,   89,   89,   89,   89,   89,   89,
+       89,   89,   89,   89,   89,   89,   89,   89,   30,   89,
+       89,   89,   89,   89,   89,   89,   89,   89,   89,   89,
+
+       47,   89,   89,   89,   89,   89,   89,   89,   89,   89,
+       89,   60,   89,   89,   64,   89,   89,   89,   68,   69,
+       89,   89,   89,   89,   89,   89,   89,   89,   89,   89,
+       80,   89,   89,   89,   89,    6,   89,   89,   89,   89,
+       13,   89,   89,   89,   89,   89,   89,   89,   89,   89,
+       89,   89,   89,   89,   29,   89,   89,   89,   89,   89,
+       89,   89,   89,   89,   89,   89,   89,   89,   89,   50,
+       89,   89,   89,   89,   89,   89,   89,   89,   89,   89,
+       89,   89,   89,   89,   72,   89,   89,   89,   89,   89,
+       89,   89,    1,   89,   89,   89,   89,   89,   89,   12,
+
+       89,   89,   89,   89,   89,   89,   89,   89,   24,   89,
+       89,   89,   89,   89,   89,   89,   89,   89,   89,   89,
+       89,   89,   89,   89,   89,   89,   89,   49,   89,   89,
+       89,   89,   89,   89,   89,   89,   89,   65,   66,   89,
+       89,   89,   73,   89,   89,   89,   89,   89,   89,   89,
+       89,   89,   89,    9,   89,   89,   89,   89,   18,   89,
+       89,   21,   89,   89,   26,   89,   89,   89,   89,   89,
+       89,   89,   37,   38,   89,   89,   41,   89,   89,   89,
+       89,   89,   89,   54,   89,   57,   58,   89,   89,   89,
+       89,   89,   89,   89,   75,   89,   89,   89,   89,   89,
+
+       89,   89,   89,   89,   89,   89,   89,   89,   20,   89,
+       25,   89,   28,   89,   89,   89,   89,   89,   36,   39,
+       40,   89,   89,   89,   89,   52,   89,   89,   89,   89,
+       62,   89,   89,   89,   89,   89,   89,   89,   89,   89,
+       89,    5,    8,   11,   14,   89,   89,   89,   89,   89,
+       89,   89,   89,   34,   89,   89,   89,   89,   89,   89,
+       89,   89,   89,   67,   89,   89,   74,   89,   89,   89,
+       89,   89,   89,   15,   89,   17,   89,   23,   89,   89,
+       89,   89,   35,   89,   89,   89,   89,   89,   89,   89,
+       89,   89,   89,   76,   89,   89,   89,   89,    4,   16,
+
+       19,   89,   89,   89,   89,   89,   89,   89,   89,   89,
+       89,   89,   89,   89,   89,   89,   89,   89,   89,   89,
+       89,   89,   89,   42,   43,   89,   89,   89,   89,   89,
+       61,   89,   89,   89,   89,   89,   89,   27,   31,   89,
+       33,   89,   48,   89,   56,   89,   89,   71,   89,   89,
+       79,   89,   89,   46,   89,   89,   89,   89,   78,    2,
+       32,   89,   59,   70,   77,   53,    0
+    } ;
+
+static yyconst flex_int32_t yy_ec[256] =
+    {   0,
+        1,    1,    1,    1,    1,    1,    1,    1,    2,    3,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    2,    1,    4,    1,    1,    1,    1,    1,    5,
+        5,    6,    1,    5,    7,    8,    9,   10,   11,   12,
+       12,   13,   14,   15,   12,   16,   12,   17,    5,    1,
+       18,    1,    1,    1,   19,   20,   21,   22,   23,   24,
+       25,   26,   27,   28,   29,   30,   31,   32,   33,   34,
+       35,   36,   37,   38,   39,   40,   41,   42,   43,   44,
+       45,    1,   46,    1,   47,    1,   48,   49,   50,   51,
+
+       52,   53,   54,   55,   56,   57,   29,   58,   59,   60,
+       61,   62,   29,   63,   64,   65,   66,   67,   29,   68,
+       29,   69,    5,    5,    5,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1
+    } ;
+
+static yyconst flex_int32_t yy_meta[70] =
+    {   0,
+        1,    1,    1,    1,    1,    1,    2,    1,    1,    3,
+        3,    3,    3,    3,    3,    3,    1,    1,    3,    3,
+        3,    3,    3,    3,    2,    2,    2,    2,    2,    2,
+        2,    2,    2,    2,    2,    2,    2,    2,    2,    2,
+        2,    2,    2,    2,    1,    1,    2,    3,    3,    3,
+        3,    3,    3,    2,    2,    2,    2,    2,    2,    2,
+        2,    2,    2,    2,    2,    2,    2,    2,    2
+    } ;
+
+static yyconst flex_int16_t yy_base[570] =
+    {   0,
+        0,    0,  636,  637,  637,  637,  637,  637,   63,  627,
+      628,   70,   77,  616,   74,   72,   76,  609,   65,   81,
+       49,    0,   92,   91,   32,  101,   97,  608,  103,  113,
+       99,  574,  602,  637,  637,  637,  156,  163,  620,  637,
+        0,  609,    0,  589,  595,  590,  585,  597,  583,  586,
+      586,    0,  101,  599,  108,  593,  596,  122,  124,  585,
+      581,  553,  564,  597,  587,  575,  115,  575,  565,  574,
+      575,  545,  575,  564,    0,  563,  543,  561,  558,  558,
+      124,  540,  161,  119,  551,  558,  561,  581,  566,  551,
+      555,  530,  560,  160,  530,   91,  547,  637,    0,  637,
+
+      125,    0,  554,  550,  555,    0,  544,  550,  543,  551,
+      540,  542,  145,  166,  552,  541,    0,  542,  549,  156,
+      548,  533,  538,  516,  505,  529,  533,  157,  534,  525,
+      539,  546,    0,  521,  529,  506,  534,  533,  528,  502,
+      515,    0,  515,  514,  510,  489,  518,  528,  507,    0,
+      522,  517,  505,  505,  504,  517,  516,  486,  159,  499,
+      520,  468,  482,  477,  506,  499,  494,  502,  497,  495,
+      461,  502,  505,  502,  485,  488,  482,  500,  479,  485,
+      494,  493,  491,  479,  485,  475,  164,  487,    0,  446,
+      453,  442,  468,  478,  468,  464,  483,  170,  488,  463,
+
+        0,  436,  477,  459,  463,  445,  471,  486,  469,  472,
+      425,    0,  451,  465,    0,  455,  467,  420,    0,    0,
+      477,  418,  450,  442,  457,  423,  441,  425,  415,  426,
+        0,  436,  454,  451,  452,    0,  407,  450,  447,  444,
+        0,  434,  429,  437,  433,  435,  439,  437,  423,  420,
+      436,  418,  418,  422,    0,  405,  396,  388,  423,  180,
+      411,  426,  415,  423,  408,  429,  436,  386,  403,    0,
+      408,  374,  402,  410,  404,  397,  386,  406,  400,  406,
+      388,  366,  401,  375,    0,  403,  389,  365,  358,  359,
+      356,  362,    0,  398,  399,  379,  360,  383,  376,    0,
+
+      390,  393,  379,  372,  371,  385,  385,  387,    0,  378,
+      367,  376,  383,  343,  350,  343,  374,  370,  374,  358,
+      371,  372,  356,  368,  353,  362,  338,    0,  368,  364,
+      353,  352,  345,  359,  332,  340,  358,    0,    0,  322,
+      355,  308,    0,  338,  322,  310,  308,  319,  318,  331,
+      330,  340,  306,    0,  342,  332,  336,  335,    0,  334,
+      338,    0,  321,  320,    0,  337,  326,  151,  318,  294,
+      326,  314,    0,    0,  314,  327,    0,  328,  283,  315,
+      309,  315,  292,    0,  319,    0,    0,  284,  318,  317,
+      279,  315,  300,  317,    0,  279,  286,  265,  295,  324,
+
+      303,  308,  274,  291,  288,  293,  292,  290,    0,  299,
+        0,  294,    0,  255,  250,  253,  263,  293,    0,    0,
+        0,  277,  251,  289,  247,    0,  247,  283,  257,  261,
+        0,  253,  274,  240,  274,  243,  244,  264,  235,  262,
+      265,    0,    0,    0,  260,  273,  270,  262,  271,  262,
+      228,  238,  226,    0,  252,  260,  230,  258,  221,  233,
+      250,  244,  247,    0,  241,  215,    0,  223,  239,  210,
+      211,  230,  240,    0,  249,    0,  233,    0,  242,  212,
+      216,  210,    0,  232,  204,  231,  206,  198,  233,  194,
+      231,  230,  200,    0,  190,  191,  197,  220,    0,    0,
+
+        0,  213,  190,  211,  188,  215,  192,  218,  184,  187,
+      204,  178,  218,  215,  178,  174,  180,  175,  196,  190,
+      178,  175,  176,    0,    0,  191,  174,  165,  180,  166,
+        0,  194,  166,  163,  158,  163,  197,    0,    0,  156,
+        0,  171,    0,  148,    0,  152,  188,    0,  150,  155,
+        0,  166,  153,    0,  143,  148,  162,  143,    0,    0,
+        0,  101,    0,    0,    0,    0,  637,  223,   69
+    } ;
+
+static yyconst flex_int16_t yy_def[570] =
+    {   0,
+      567,    1,  567,  567,  567,  567,  567,  567,  567,  567,
+      567,  567,  567,  567,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  567,  567,  567,  567,  567,  567,  567,
+      569,  567,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  567,  569,  567,
+
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,  568,  568,  568,  568,
+      568,  568,  568,  568,  568,  568,    0,  567,  567
+    } ;
+
+static yyconst flex_int16_t yy_nxt[707] =
+    {   0,
+        4,    5,    6,    7,    8,    4,    9,   10,   11,   12,
+       13,   13,   13,   13,   13,   13,   14,    4,   15,   16,
+       17,   18,   19,   20,   21,   22,   23,   22,   22,   22,
+       24,   25,   26,   27,   22,   28,   29,   30,   31,   32,
+       33,   22,   22,   22,   34,   35,    4,   22,   22,   22,
+       22,   22,   22,   22,   22,   22,   22,   22,   22,   22,
+       22,   22,   22,   22,   22,   22,   22,   22,   22,   36,
+       71,   99,   37,   38,   38,   38,   38,   38,   38,   38,
+       38,   38,   38,   38,   38,   38,   38,   38,   38,   38,
+       38,   38,   38,   44,   48,   57,   58,   72,   49,   60,
+
+       62,   53,   50,   45,   51,   54,   59,   46,   55,   69,
+       64,   63,   47,   65,   52,   78,   61,   70,   79,  109,
+       73,   74,   66,   67,   75,   84,   80,   88,   68,   85,
+       93,   89,   81,  110,   76,  129,   94,   41,  112,  113,
+       86,  163,  116,  117,  119,   87,  144,  166,   90,   77,
+      145,  130,  131,  149,  164,   91,  150,  120,   95,   82,
+      118,  121,  167,  566,   92,   38,   38,   38,   38,   38,
+       38,   38,   38,   38,   38,   38,   38,   38,   38,  147,
+      160,  177,  178,  161,  179,  185,  194,  414,  186,  195,
+      148,  223,  180,  224,  264,  253,  565,  564,  225,  254,
+
+      318,  563,  319,  562,  561,  265,  415,  560,  559,  558,
+      557,  556,  555,  554,  553,  552,  551,  550,  549,  548,
+      547,  546,  545,   41,   43,   43,  544,  543,  542,  541,
+      540,  539,  538,  537,  536,  535,  534,  533,  532,  531,
+      530,  529,  528,  527,  526,  525,  524,  523,  522,  521,
+      520,  519,  518,  517,  516,  515,  514,  513,  512,  511,
+      510,  509,  508,  507,  506,  505,  504,  503,  502,  501,
+      500,  499,  498,  497,  496,  495,  494,  493,  492,  491,
+      490,  489,  488,  487,  486,  485,  484,  483,  482,  481,
+      480,  479,  478,  477,  476,  475,  474,  473,  472,  471,
+
+      470,  469,  468,  467,  466,  465,  464,  463,  462,  461,
+      460,  459,  458,  457,  456,  455,  454,  453,  452,  451,
+      450,  449,  448,  447,  446,  445,  444,  443,  442,  441,
+      440,  439,  438,  437,  436,  435,  434,  433,  432,  431,
+      430,  429,  428,  427,  426,  425,  424,  423,  422,  421,
+      420,  419,  418,  417,  416,  413,  412,  411,  410,  409,
+      408,  407,  406,  405,  404,  403,  402,  401,  400,  399,
+      398,  397,  396,  395,  394,  393,  392,  391,  390,  389,
+      388,  387,  386,  385,  384,  383,  382,  381,  380,  379,
+      378,  377,  376,  375,  374,  373,  372,  371,  370,  369,
+
+      368,  367,  366,  365,  364,  363,  362,  361,  360,  359,
+      358,  357,  356,  355,  354,  353,  352,  351,  350,  349,
+      348,  347,  346,  345,  344,  343,  342,  341,  340,  339,
+      338,  337,  336,  335,  334,  333,  332,  331,  330,  329,
+      328,  327,  326,  325,  324,  323,  322,  321,  320,  317,
+      316,  315,  314,  313,  312,  311,  310,  309,  308,  307,
+      306,  305,  304,  303,  302,  301,  300,  299,  298,  297,
+      296,  295,  294,  293,  292,  291,  290,  289,  288,  287,
+      286,  285,  284,  283,  282,  281,  280,  279,  278,  277,
+      276,  275,  274,  273,  272,  271,  270,  269,  268,  267,
+
+      266,  263,  262,  261,  260,  259,  258,  257,  256,  255,
+      252,  251,  250,  249,  248,  247,  246,  245,  244,  243,
+      242,  241,  240,  239,  238,  237,  236,  235,  234,  233,
+      232,  231,  230,  229,  228,  227,  226,  222,  221,  220,
+      219,  218,  217,  216,  215,  214,  213,  212,  211,  210,
+      209,  208,  207,  206,  205,  204,  203,  202,  201,  200,
+      199,  198,  197,  196,  193,  192,  191,  190,  189,  188,
+      187,  184,  183,  182,  181,  176,  175,  174,  173,  172,
+      171,  170,  169,  168,  165,  162,  159,  158,  157,  156,
+      155,  154,  153,  152,  151,  146,  143,  142,  141,  140,
+
+      139,  138,  137,  136,  135,  134,  133,  132,  128,  127,
+      126,  125,  124,  123,  122,  115,  114,  111,  108,  107,
+      106,  105,  104,  103,  102,  101,  100,   98,   97,   96,
+       83,   56,   42,   40,   39,  567,    3,  567,  567,  567,
+      567,  567,  567,  567,  567,  567,  567,  567,  567,  567,
+      567,  567,  567,  567,  567,  567,  567,  567,  567,  567,
+      567,  567,  567,  567,  567,  567,  567,  567,  567,  567,
+      567,  567,  567,  567,  567,  567,  567,  567,  567,  567,
+      567,  567,  567,  567,  567,  567,  567,  567,  567,  567,
+      567,  567,  567,  567,  567,  567,  567,  567,  567,  567,
+
+      567,  567,  567,  567,  567,  567
+    } ;
+
+static yyconst flex_int16_t yy_chk[707] =
+    {   0,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    9,
+       25,  569,    9,    9,    9,    9,    9,    9,    9,   12,
+       12,   12,   12,   12,   12,   12,   13,   13,   13,   13,
+       13,   13,   13,   15,   16,   19,   19,   25,   16,   20,
+
+       21,   17,   16,   15,   16,   17,   19,   15,   17,   24,
+       23,   21,   15,   23,   16,   27,   20,   24,   27,   53,
+       26,   26,   23,   23,   26,   29,   27,   30,   23,   29,
+       31,   30,   27,   53,   26,   67,   31,   12,   55,   55,
+       29,   96,   58,   58,   59,   29,   81,  101,   30,   26,
+       81,   67,   67,   84,   96,   30,   84,   59,   31,   27,
+       58,   59,  101,  562,   30,   37,   37,   37,   37,   37,
+       37,   37,   38,   38,   38,   38,   38,   38,   38,   83,
+       94,  113,  113,   94,  114,  120,  128,  368,  120,  128,
+       83,  159,  114,  159,  198,  187,  558,  557,  159,  187,
+
+      260,  556,  260,  555,  553,  198,  368,  552,  550,  549,
+      547,  546,  544,  542,  540,  537,  536,  535,  534,  533,
+      532,  530,  529,   37,  568,  568,  528,  527,  526,  523,
+      522,  521,  520,  519,  518,  517,  516,  515,  514,  513,
+      512,  511,  510,  509,  508,  507,  506,  505,  504,  503,
+      502,  498,  497,  496,  495,  493,  492,  491,  490,  489,
+      488,  487,  486,  485,  484,  482,  481,  480,  479,  477,
+      475,  473,  472,  471,  470,  469,  468,  466,  465,  463,
+      462,  461,  460,  459,  458,  457,  456,  455,  453,  452,
+      451,  450,  449,  448,  447,  446,  445,  441,  440,  439,
+
+      438,  437,  436,  435,  434,  433,  432,  430,  429,  428,
+      427,  425,  424,  423,  422,  418,  417,  416,  415,  414,
+      412,  410,  408,  407,  406,  405,  404,  403,  402,  401,
+      400,  399,  398,  397,  396,  394,  393,  392,  391,  390,
+      389,  388,  385,  383,  382,  381,  380,  379,  378,  376,
+      375,  372,  371,  370,  369,  367,  366,  364,  363,  361,
+      360,  358,  357,  356,  355,  353,  352,  351,  350,  349,
+      348,  347,  346,  345,  344,  342,  341,  340,  337,  336,
+      335,  334,  333,  332,  331,  330,  329,  327,  326,  325,
+      324,  323,  322,  321,  320,  319,  318,  317,  316,  315,
+
+      314,  313,  312,  311,  310,  308,  307,  306,  305,  304,
+      303,  302,  301,  299,  298,  297,  296,  295,  294,  292,
+      291,  290,  289,  288,  287,  286,  284,  283,  282,  281,
+      280,  279,  278,  277,  276,  275,  274,  273,  272,  271,
+      269,  268,  267,  266,  265,  264,  263,  262,  261,  259,
+      258,  257,  256,  254,  253,  252,  251,  250,  249,  248,
+      247,  246,  245,  244,  243,  242,  240,  239,  238,  237,
+      235,  234,  233,  232,  230,  229,  228,  227,  226,  225,
+      224,  223,  222,  221,  218,  217,  216,  214,  213,  211,
+      210,  209,  208,  207,  206,  205,  204,  203,  202,  200,
+
+      199,  197,  196,  195,  194,  193,  192,  191,  190,  188,
+      186,  185,  184,  183,  182,  181,  180,  179,  178,  177,
+      176,  175,  174,  173,  172,  171,  170,  169,  168,  167,
+      166,  165,  164,  163,  162,  161,  160,  158,  157,  156,
+      155,  154,  153,  152,  151,  149,  148,  147,  146,  145,
+      144,  143,  141,  140,  139,  138,  137,  136,  135,  134,
+      132,  131,  130,  129,  127,  126,  125,  124,  123,  122,
+      121,  119,  118,  116,  115,  112,  111,  110,  109,  108,
+      107,  105,  104,  103,   97,   95,   93,   92,   91,   90,
+       89,   88,   87,   86,   85,   82,   80,   79,   78,   77,
+
+       76,   74,   73,   72,   71,   70,   69,   68,   66,   65,
+       64,   63,   62,   61,   60,   57,   56,   54,   51,   50,
+       49,   48,   47,   46,   45,   44,   42,   39,   33,   32,
+       28,   18,   14,   11,   10,    3,  567,  567,  567,  567,
+      567,  567,  567,  567,  567,  567,  567,  567,  567,  567,
+      567,  567,  567,  567,  567,  567,  567,  567,  567,  567,
+      567,  567,  567,  567,  567,  567,  567,  567,  567,  567,
+      567,  567,  567,  567,  567,  567,  567,  567,  567,  567,
+      567,  567,  567,  567,  567,  567,  567,  567,  567,  567,
+      567,  567,  567,  567,  567,  567,  567,  567,  567,  567,
+
+      567,  567,  567,  567,  567,  567
+    } ;
+
+static yy_state_type yy_last_accepting_state;
+static char *yy_last_accepting_cpos;
+
+extern int yy_flex_debug;
+int yy_flex_debug = 0;
+
+/* The intent behind this definition is that it'll catch
+ * any uses of REJECT which flex missed.
+ */
+#define REJECT reject_used_but_not_detected
+#define yymore() yymore_used_but_not_detected
+#define YY_MORE_ADJ 0
+#define YY_RESTORE_YY_MORE_OFFSET
+char *yytext;
+#line 1 "lex.l"
+#line 2 "lex.l"
+/*
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: lex.l 18738 2006-10-21 11:57:22Z lha $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#undef ECHO
+#include "symbol.h"
+#include "parse.h"
+#include "lex.h"
+#include "gen_locl.h"
+
+static unsigned lineno = 1;
+
+#undef ECHO
+
+static void unterminated(const char *, unsigned);
+
+/* This is for broken old lexes (solaris 10 and hpux) */
+#line 855 "lex.c"
+
+#define INITIAL 0
+
+#ifndef YY_NO_UNISTD_H
+/* Special case for "unistd.h", since it is non-ANSI. We include it way
+ * down here because we want the user's section 1 to have been scanned first.
+ * The user has a chance to override it with an option.
+ */
+#include <unistd.h>
+#endif
+
+#ifndef YY_EXTRA_TYPE
+#define YY_EXTRA_TYPE void *
+#endif
+
+static int yy_init_globals (void );
+
+/* Macros after this point can all be overridden by user definitions in
+ * section 1.
+ */
+
+#ifndef YY_SKIP_YYWRAP
+#ifdef __cplusplus
+extern "C" int yywrap (void );
+#else
+extern int yywrap (void );
+#endif
+#endif
+
+    static void yyunput (int c,char *buf_ptr  );
+    
+#ifndef yytext_ptr
+static void yy_flex_strncpy (char *,yyconst char *,int );
+#endif
+
+#ifdef YY_NEED_STRLEN
+static int yy_flex_strlen (yyconst char * );
+#endif
+
+#ifndef YY_NO_INPUT
+
+#ifdef __cplusplus
+static int yyinput (void );
+#else
+static int input (void );
+#endif
+
+#endif
+
+/* Amount of stuff to slurp up with each read. */
+#ifndef YY_READ_BUF_SIZE
+#define YY_READ_BUF_SIZE 8192
+#endif
+
+/* Copy whatever the last rule matched to the standard output. */
+#ifndef ECHO
+/* This used to be an fputs(), but since the string might contain NUL's,
+ * we now use fwrite().
+ */
+#define ECHO (void) fwrite( yytext, yyleng, 1, yyout )
+#endif
+
+/* Gets input and stuffs it into "buf".  number of characters read, or YY_NULL,
+ * is returned in "result".
+ */
+#ifndef YY_INPUT
+#define YY_INPUT(buf,result,max_size) \
+	if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \
+		{ \
+		int c = '*'; \
+		size_t n; \
+		for ( n = 0; n < max_size && \
+			     (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
+			buf[n] = (char) c; \
+		if ( c == '\n' ) \
+			buf[n++] = (char) c; \
+		if ( c == EOF && ferror( yyin ) ) \
+			YY_FATAL_ERROR( "input in flex scanner failed" ); \
+		result = n; \
+		} \
+	else \
+		{ \
+		errno=0; \
+		while ( (result = fread(buf, 1, max_size, yyin))==0 && ferror(yyin)) \
+			{ \
+			if( errno != EINTR) \
+				{ \
+				YY_FATAL_ERROR( "input in flex scanner failed" ); \
+				break; \
+				} \
+			errno=0; \
+			clearerr(yyin); \
+			} \
+		}\
+\
+
+#endif
+
+/* No semi-colon after return; correct usage is to write "yyterminate();" -
+ * we don't want an extra ';' after the "return" because that will cause
+ * some compilers to complain about unreachable statements.
+ */
+#ifndef yyterminate
+#define yyterminate() return YY_NULL
+#endif
+
+/* Number of entries by which start-condition stack grows. */
+#ifndef YY_START_STACK_INCR
+#define YY_START_STACK_INCR 25
+#endif
+
+/* Report a fatal error. */
+#ifndef YY_FATAL_ERROR
+#define YY_FATAL_ERROR(msg) yy_fatal_error( msg )
+#endif
+
+/* end tables serialization structures and prototypes */
+
+/* Default declaration of generated scanner - a define so the user can
+ * easily add parameters.
+ */
+#ifndef YY_DECL
+#define YY_DECL_IS_OURS 1
+
+extern int yylex (void);
+
+#define YY_DECL int yylex (void)
+#endif /* !YY_DECL */
+
+/* Code executed at the beginning of each rule, after yytext and yyleng
+ * have been set up.
+ */
+#ifndef YY_USER_ACTION
+#define YY_USER_ACTION
+#endif
+
+/* Code executed at the end of each rule. */
+#ifndef YY_BREAK
+#define YY_BREAK break;
+#endif
+
+#define YY_RULE_SETUP \
+	YY_USER_ACTION
+
+/** The main scanner function which does all the work.
+ */
+YY_DECL
+{
+	register yy_state_type yy_current_state;
+	register char *yy_cp, *yy_bp;
+	register int yy_act;
+    
+#line 68 "lex.l"
+
+#line 1010 "lex.c"
+
+	if ( !(yy_init) )
+		{
+		(yy_init) = 1;
+
+#ifdef YY_USER_INIT
+		YY_USER_INIT;
+#endif
+
+		if ( ! (yy_start) )
+			(yy_start) = 1;	/* first start state */
+
+		if ( ! yyin )
+			yyin = stdin;
+
+		if ( ! yyout )
+			yyout = stdout;
+
+		if ( ! YY_CURRENT_BUFFER ) {
+			yyensure_buffer_stack ();
+			YY_CURRENT_BUFFER_LVALUE =
+				yy_create_buffer(yyin,YY_BUF_SIZE );
+		}
+
+		yy_load_buffer_state( );
+		}
+
+	while ( 1 )		/* loops until end-of-file is reached */
+		{
+		yy_cp = (yy_c_buf_p);
+
+		/* Support of yytext. */
+		*yy_cp = (yy_hold_char);
+
+		/* yy_bp points to the position in yy_ch_buf of the start of
+		 * the current run.
+		 */
+		yy_bp = yy_cp;
+
+		yy_current_state = (yy_start);
+yy_match:
+		do
+			{
+			register YY_CHAR yy_c = yy_ec[YY_SC_TO_UI(*yy_cp)];
+			if ( yy_accept[yy_current_state] )
+				{
+				(yy_last_accepting_state) = yy_current_state;
+				(yy_last_accepting_cpos) = yy_cp;
+				}
+			while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
+				{
+				yy_current_state = (int) yy_def[yy_current_state];
+				if ( yy_current_state >= 568 )
+					yy_c = yy_meta[(unsigned int) yy_c];
+				}
+			yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+			++yy_cp;
+			}
+		while ( yy_base[yy_current_state] != 637 );
+
+yy_find_action:
+		yy_act = yy_accept[yy_current_state];
+		if ( yy_act == 0 )
+			{ /* have to back up */
+			yy_cp = (yy_last_accepting_cpos);
+			yy_current_state = (yy_last_accepting_state);
+			yy_act = yy_accept[yy_current_state];
+			}
+
+		YY_DO_BEFORE_ACTION;
+
+do_action:	/* This label is used only to access EOF actions. */
+
+		switch ( yy_act )
+	{ /* beginning of action switch */
+			case 0: /* must back up */
+			/* undo the effects of YY_DO_BEFORE_ACTION */
+			*yy_cp = (yy_hold_char);
+			yy_cp = (yy_last_accepting_cpos);
+			yy_current_state = (yy_last_accepting_state);
+			goto yy_find_action;
+
+case 1:
+YY_RULE_SETUP
+#line 69 "lex.l"
+{ return kw_ABSENT; }
+	YY_BREAK
+case 2:
+YY_RULE_SETUP
+#line 70 "lex.l"
+{ return kw_ABSTRACT_SYNTAX; }
+	YY_BREAK
+case 3:
+YY_RULE_SETUP
+#line 71 "lex.l"
+{ return kw_ALL; }
+	YY_BREAK
+case 4:
+YY_RULE_SETUP
+#line 72 "lex.l"
+{ return kw_APPLICATION; }
+	YY_BREAK
+case 5:
+YY_RULE_SETUP
+#line 73 "lex.l"
+{ return kw_AUTOMATIC; }
+	YY_BREAK
+case 6:
+YY_RULE_SETUP
+#line 74 "lex.l"
+{ return kw_BEGIN; }
+	YY_BREAK
+case 7:
+YY_RULE_SETUP
+#line 75 "lex.l"
+{ return kw_BIT; }
+	YY_BREAK
+case 8:
+YY_RULE_SETUP
+#line 76 "lex.l"
+{ return kw_BMPString; }
+	YY_BREAK
+case 9:
+YY_RULE_SETUP
+#line 77 "lex.l"
+{ return kw_BOOLEAN; }
+	YY_BREAK
+case 10:
+YY_RULE_SETUP
+#line 78 "lex.l"
+{ return kw_BY; }
+	YY_BREAK
+case 11:
+YY_RULE_SETUP
+#line 79 "lex.l"
+{ return kw_CHARACTER; }
+	YY_BREAK
+case 12:
+YY_RULE_SETUP
+#line 80 "lex.l"
+{ return kw_CHOICE; }
+	YY_BREAK
+case 13:
+YY_RULE_SETUP
+#line 81 "lex.l"
+{ return kw_CLASS; }
+	YY_BREAK
+case 14:
+YY_RULE_SETUP
+#line 82 "lex.l"
+{ return kw_COMPONENT; }
+	YY_BREAK
+case 15:
+YY_RULE_SETUP
+#line 83 "lex.l"
+{ return kw_COMPONENTS; }
+	YY_BREAK
+case 16:
+YY_RULE_SETUP
+#line 84 "lex.l"
+{ return kw_CONSTRAINED; }
+	YY_BREAK
+case 17:
+YY_RULE_SETUP
+#line 85 "lex.l"
+{ return kw_CONTAINING; }
+	YY_BREAK
+case 18:
+YY_RULE_SETUP
+#line 86 "lex.l"
+{ return kw_DEFAULT; }
+	YY_BREAK
+case 19:
+YY_RULE_SETUP
+#line 87 "lex.l"
+{ return kw_DEFINITIONS; }
+	YY_BREAK
+case 20:
+YY_RULE_SETUP
+#line 88 "lex.l"
+{ return kw_EMBEDDED; }
+	YY_BREAK
+case 21:
+YY_RULE_SETUP
+#line 89 "lex.l"
+{ return kw_ENCODED; }
+	YY_BREAK
+case 22:
+YY_RULE_SETUP
+#line 90 "lex.l"
+{ return kw_END; }
+	YY_BREAK
+case 23:
+YY_RULE_SETUP
+#line 91 "lex.l"
+{ return kw_ENUMERATED; }
+	YY_BREAK
+case 24:
+YY_RULE_SETUP
+#line 92 "lex.l"
+{ return kw_EXCEPT; }
+	YY_BREAK
+case 25:
+YY_RULE_SETUP
+#line 93 "lex.l"
+{ return kw_EXPLICIT; }
+	YY_BREAK
+case 26:
+YY_RULE_SETUP
+#line 94 "lex.l"
+{ return kw_EXPORTS; }
+	YY_BREAK
+case 27:
+YY_RULE_SETUP
+#line 95 "lex.l"
+{ return kw_EXTENSIBILITY; }
+	YY_BREAK
+case 28:
+YY_RULE_SETUP
+#line 96 "lex.l"
+{ return kw_EXTERNAL; }
+	YY_BREAK
+case 29:
+YY_RULE_SETUP
+#line 97 "lex.l"
+{ return kw_FALSE; }
+	YY_BREAK
+case 30:
+YY_RULE_SETUP
+#line 98 "lex.l"
+{ return kw_FROM; }
+	YY_BREAK
+case 31:
+YY_RULE_SETUP
+#line 99 "lex.l"
+{ return kw_GeneralString; }
+	YY_BREAK
+case 32:
+YY_RULE_SETUP
+#line 100 "lex.l"
+{ return kw_GeneralizedTime; }
+	YY_BREAK
+case 33:
+YY_RULE_SETUP
+#line 101 "lex.l"
+{ return kw_GraphicString; }
+	YY_BREAK
+case 34:
+YY_RULE_SETUP
+#line 102 "lex.l"
+{ return kw_IA5String; }
+	YY_BREAK
+case 35:
+YY_RULE_SETUP
+#line 103 "lex.l"
+{ return kw_IDENTIFIER; }
+	YY_BREAK
+case 36:
+YY_RULE_SETUP
+#line 104 "lex.l"
+{ return kw_IMPLICIT; }
+	YY_BREAK
+case 37:
+YY_RULE_SETUP
+#line 105 "lex.l"
+{ return kw_IMPLIED; }
+	YY_BREAK
+case 38:
+YY_RULE_SETUP
+#line 106 "lex.l"
+{ return kw_IMPORTS; }
+	YY_BREAK
+case 39:
+YY_RULE_SETUP
+#line 107 "lex.l"
+{ return kw_INCLUDES; }
+	YY_BREAK
+case 40:
+YY_RULE_SETUP
+#line 108 "lex.l"
+{ return kw_INSTANCE; }
+	YY_BREAK
+case 41:
+YY_RULE_SETUP
+#line 109 "lex.l"
+{ return kw_INTEGER; }
+	YY_BREAK
+case 42:
+YY_RULE_SETUP
+#line 110 "lex.l"
+{ return kw_INTERSECTION; }
+	YY_BREAK
+case 43:
+YY_RULE_SETUP
+#line 111 "lex.l"
+{ return kw_ISO646String; }
+	YY_BREAK
+case 44:
+YY_RULE_SETUP
+#line 112 "lex.l"
+{ return kw_MAX; }
+	YY_BREAK
+case 45:
+YY_RULE_SETUP
+#line 113 "lex.l"
+{ return kw_MIN; }
+	YY_BREAK
+case 46:
+YY_RULE_SETUP
+#line 114 "lex.l"
+{ return kw_MINUS_INFINITY; }
+	YY_BREAK
+case 47:
+YY_RULE_SETUP
+#line 115 "lex.l"
+{ return kw_NULL; }
+	YY_BREAK
+case 48:
+YY_RULE_SETUP
+#line 116 "lex.l"
+{ return kw_NumericString; }
+	YY_BREAK
+case 49:
+YY_RULE_SETUP
+#line 117 "lex.l"
+{ return kw_OBJECT; }
+	YY_BREAK
+case 50:
+YY_RULE_SETUP
+#line 118 "lex.l"
+{ return kw_OCTET; }
+	YY_BREAK
+case 51:
+YY_RULE_SETUP
+#line 119 "lex.l"
+{ return kw_OF; }
+	YY_BREAK
+case 52:
+YY_RULE_SETUP
+#line 120 "lex.l"
+{ return kw_OPTIONAL; }
+	YY_BREAK
+case 53:
+YY_RULE_SETUP
+#line 121 "lex.l"
+{ return kw_ObjectDescriptor; }
+	YY_BREAK
+case 54:
+YY_RULE_SETUP
+#line 122 "lex.l"
+{ return kw_PATTERN; }
+	YY_BREAK
+case 55:
+YY_RULE_SETUP
+#line 123 "lex.l"
+{ return kw_PDV; }
+	YY_BREAK
+case 56:
+YY_RULE_SETUP
+#line 124 "lex.l"
+{ return kw_PLUS_INFINITY; }
+	YY_BREAK
+case 57:
+YY_RULE_SETUP
+#line 125 "lex.l"
+{ return kw_PRESENT; }
+	YY_BREAK
+case 58:
+YY_RULE_SETUP
+#line 126 "lex.l"
+{ return kw_PRIVATE; }
+	YY_BREAK
+case 59:
+YY_RULE_SETUP
+#line 127 "lex.l"
+{ return kw_PrintableString; }
+	YY_BREAK
+case 60:
+YY_RULE_SETUP
+#line 128 "lex.l"
+{ return kw_REAL; }
+	YY_BREAK
+case 61:
+YY_RULE_SETUP
+#line 129 "lex.l"
+{ return kw_RELATIVE_OID; }
+	YY_BREAK
+case 62:
+YY_RULE_SETUP
+#line 130 "lex.l"
+{ return kw_SEQUENCE; }
+	YY_BREAK
+case 63:
+YY_RULE_SETUP
+#line 131 "lex.l"
+{ return kw_SET; }
+	YY_BREAK
+case 64:
+YY_RULE_SETUP
+#line 132 "lex.l"
+{ return kw_SIZE; }
+	YY_BREAK
+case 65:
+YY_RULE_SETUP
+#line 133 "lex.l"
+{ return kw_STRING; }
+	YY_BREAK
+case 66:
+YY_RULE_SETUP
+#line 134 "lex.l"
+{ return kw_SYNTAX; }
+	YY_BREAK
+case 67:
+YY_RULE_SETUP
+#line 135 "lex.l"
+{ return kw_T61String; }
+	YY_BREAK
+case 68:
+YY_RULE_SETUP
+#line 136 "lex.l"
+{ return kw_TAGS; }
+	YY_BREAK
+case 69:
+YY_RULE_SETUP
+#line 137 "lex.l"
+{ return kw_TRUE; }
+	YY_BREAK
+case 70:
+YY_RULE_SETUP
+#line 138 "lex.l"
+{ return kw_TYPE_IDENTIFIER; }
+	YY_BREAK
+case 71:
+YY_RULE_SETUP
+#line 139 "lex.l"
+{ return kw_TeletexString; }
+	YY_BREAK
+case 72:
+YY_RULE_SETUP
+#line 140 "lex.l"
+{ return kw_UNION; }
+	YY_BREAK
+case 73:
+YY_RULE_SETUP
+#line 141 "lex.l"
+{ return kw_UNIQUE; }
+	YY_BREAK
+case 74:
+YY_RULE_SETUP
+#line 142 "lex.l"
+{ return kw_UNIVERSAL; }
+	YY_BREAK
+case 75:
+YY_RULE_SETUP
+#line 143 "lex.l"
+{ return kw_UTCTime; }
+	YY_BREAK
+case 76:
+YY_RULE_SETUP
+#line 144 "lex.l"
+{ return kw_UTF8String; }
+	YY_BREAK
+case 77:
+YY_RULE_SETUP
+#line 145 "lex.l"
+{ return kw_UniversalString; }
+	YY_BREAK
+case 78:
+YY_RULE_SETUP
+#line 146 "lex.l"
+{ return kw_VideotexString; }
+	YY_BREAK
+case 79:
+YY_RULE_SETUP
+#line 147 "lex.l"
+{ return kw_VisibleString; }
+	YY_BREAK
+case 80:
+YY_RULE_SETUP
+#line 148 "lex.l"
+{ return kw_WITH; }
+	YY_BREAK
+case 81:
+YY_RULE_SETUP
+#line 149 "lex.l"
+{ return *yytext; }
+	YY_BREAK
+case 82:
+YY_RULE_SETUP
+#line 150 "lex.l"
+{ return *yytext; }
+	YY_BREAK
+case 83:
+YY_RULE_SETUP
+#line 151 "lex.l"
+{ return *yytext; }
+	YY_BREAK
+case 84:
+YY_RULE_SETUP
+#line 152 "lex.l"
+{ return EEQUAL; }
+	YY_BREAK
+case 85:
+YY_RULE_SETUP
+#line 153 "lex.l"
+{ 
+			    int c, start_lineno = lineno;
+			    int f = 0;
+			    while((c = input()) != EOF) {
+				if(f && c == '-')
+				    break;
+				if(c == '-') {
+				    f = 1;
+				    continue;
+				}
+				if(c == '\n') {
+				    lineno++;
+				    break;
+				}
+				f = 0;
+			    }
+			    if(c == EOF)
+				unterminated("comment", start_lineno);
+			}
+	YY_BREAK
+case 86:
+YY_RULE_SETUP
+#line 172 "lex.l"
+{ 
+			    int c, start_lineno = lineno;
+			    int level = 1;
+			    int seen_star = 0;
+			    int seen_slash = 0;
+			    while((c = input()) != EOF) {
+				if(c == '/') {
+				    if(seen_star) {
+					if(--level == 0)
+					    break;
+					seen_star = 0;
+					continue;
+				    }
+				    seen_slash = 1;
+				    continue;
+				}
+				if(seen_star && c == '/') {
+				    if(--level == 0)
+					break;
+				    seen_star = 0;
+				    continue;
+				}
+				if(c == '*') {
+				    if(seen_slash) {
+					level++;
+					seen_star = seen_slash = 0;
+					continue;
+				    } 
+				    seen_star = 1;
+				    continue;
+				}
+				seen_star = seen_slash = 0;
+				if(c == '\n') {
+				    lineno++;
+				    continue;
+				}
+			    }
+			    if(c == EOF)
+				unterminated("comment", start_lineno);
+			}
+	YY_BREAK
+case 87:
+YY_RULE_SETUP
+#line 212 "lex.l"
+{ 
+			    int start_lineno = lineno;
+			    int c;
+			    char buf[1024];
+			    char *p = buf;
+			    int f = 0;
+			    int skip_ws = 0;
+			    
+			    while((c = input()) != EOF) {
+				if(isspace(c) && skip_ws) {
+				    if(c == '\n')
+					lineno++;
+				    continue;
+				}
+				skip_ws = 0;
+				
+				if(c == '"') {
+				    if(f) {
+					*p++ = '"';
+					f = 0;
+				    } else
+					f = 1;
+				    continue;
+				}
+				if(f == 1) {
+				    unput(c);
+				    break;
+				}
+				if(c == '\n') {
+				    lineno++;
+				    while(p > buf && isspace((unsigned char)p[-1]))
+					p--;
+				    skip_ws = 1;
+				    continue;
+				}
+				*p++ = c;
+			    }
+			    if(c == EOF)
+				unterminated("string", start_lineno);
+			    *p++ = '\0';
+			    fprintf(stderr, "string -- %s\n", buf);
+			    yylval.name = estrdup(buf);
+			    return STRING; 
+			}
+	YY_BREAK
+case 88:
+YY_RULE_SETUP
+#line 257 "lex.l"
+{ char *e, *y = yytext;
+			  yylval.constant = strtol((const char *)yytext,
+						   &e, 0);
+			  if(e == y) 
+			    error_message("malformed constant (%s)", yytext); 
+			  else
+			    return NUMBER;
+			}
+	YY_BREAK
+case 89:
+YY_RULE_SETUP
+#line 265 "lex.l"
+{
+			  yylval.name =  estrdup ((const char *)yytext);
+			  return IDENTIFIER;
+			}
+	YY_BREAK
+case 90:
+YY_RULE_SETUP
+#line 269 "lex.l"
+;
+	YY_BREAK
+case 91:
+/* rule 91 can match eol */
+YY_RULE_SETUP
+#line 270 "lex.l"
+{ ++lineno; }
+	YY_BREAK
+case 92:
+YY_RULE_SETUP
+#line 271 "lex.l"
+{ return ELLIPSIS; }
+	YY_BREAK
+case 93:
+YY_RULE_SETUP
+#line 272 "lex.l"
+{ return RANGE; }
+	YY_BREAK
+case 94:
+YY_RULE_SETUP
+#line 273 "lex.l"
+{ error_message("Ignoring char(%c)\n", *yytext); }
+	YY_BREAK
+case 95:
+YY_RULE_SETUP
+#line 274 "lex.l"
+ECHO;
+	YY_BREAK
+#line 1679 "lex.c"
+case YY_STATE_EOF(INITIAL):
+	yyterminate();
+
+	case YY_END_OF_BUFFER:
+		{
+		/* Amount of text matched not including the EOB char. */
+		int yy_amount_of_matched_text = (int) (yy_cp - (yytext_ptr)) - 1;
+
+		/* Undo the effects of YY_DO_BEFORE_ACTION. */
+		*yy_cp = (yy_hold_char);
+		YY_RESTORE_YY_MORE_OFFSET
+
+		if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_NEW )
+			{
+			/* We're scanning a new file or input source.  It's
+			 * possible that this happened because the user
+			 * just pointed yyin at a new source and called
+			 * yylex().  If so, then we have to assure
+			 * consistency between YY_CURRENT_BUFFER and our
+			 * globals.  Here is the right place to do so, because
+			 * this is the first action (other than possibly a
+			 * back-up) that will match for the new input source.
+			 */
+			(yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_n_chars;
+			YY_CURRENT_BUFFER_LVALUE->yy_input_file = yyin;
+			YY_CURRENT_BUFFER_LVALUE->yy_buffer_status = YY_BUFFER_NORMAL;
+			}
+
+		/* Note that here we test for yy_c_buf_p "<=" to the position
+		 * of the first EOB in the buffer, since yy_c_buf_p will
+		 * already have been incremented past the NUL character
+		 * (since all states make transitions on EOB to the
+		 * end-of-buffer state).  Contrast this with the test
+		 * in input().
+		 */
+		if ( (yy_c_buf_p) <= &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] )
+			{ /* This was really a NUL. */
+			yy_state_type yy_next_state;
+
+			(yy_c_buf_p) = (yytext_ptr) + yy_amount_of_matched_text;
+
+			yy_current_state = yy_get_previous_state(  );
+
+			/* Okay, we're now positioned to make the NUL
+			 * transition.  We couldn't have
+			 * yy_get_previous_state() go ahead and do it
+			 * for us because it doesn't know how to deal
+			 * with the possibility of jamming (and we don't
+			 * want to build jamming into it because then it
+			 * will run more slowly).
+			 */
+
+			yy_next_state = yy_try_NUL_trans( yy_current_state );
+
+			yy_bp = (yytext_ptr) + YY_MORE_ADJ;
+
+			if ( yy_next_state )
+				{
+				/* Consume the NUL. */
+				yy_cp = ++(yy_c_buf_p);
+				yy_current_state = yy_next_state;
+				goto yy_match;
+				}
+
+			else
+				{
+				yy_cp = (yy_c_buf_p);
+				goto yy_find_action;
+				}
+			}
+
+		else switch ( yy_get_next_buffer(  ) )
+			{
+			case EOB_ACT_END_OF_FILE:
+				{
+				(yy_did_buffer_switch_on_eof) = 0;
+
+				if ( yywrap( ) )
+					{
+					/* Note: because we've taken care in
+					 * yy_get_next_buffer() to have set up
+					 * yytext, we can now set up
+					 * yy_c_buf_p so that if some total
+					 * hoser (like flex itself) wants to
+					 * call the scanner after we return the
+					 * YY_NULL, it'll still work - another
+					 * YY_NULL will get returned.
+					 */
+					(yy_c_buf_p) = (yytext_ptr) + YY_MORE_ADJ;
+
+					yy_act = YY_STATE_EOF(YY_START);
+					goto do_action;
+					}
+
+				else
+					{
+					if ( ! (yy_did_buffer_switch_on_eof) )
+						YY_NEW_FILE;
+					}
+				break;
+				}
+
+			case EOB_ACT_CONTINUE_SCAN:
+				(yy_c_buf_p) =
+					(yytext_ptr) + yy_amount_of_matched_text;
+
+				yy_current_state = yy_get_previous_state(  );
+
+				yy_cp = (yy_c_buf_p);
+				yy_bp = (yytext_ptr) + YY_MORE_ADJ;
+				goto yy_match;
+
+			case EOB_ACT_LAST_MATCH:
+				(yy_c_buf_p) =
+				&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)];
+
+				yy_current_state = yy_get_previous_state(  );
+
+				yy_cp = (yy_c_buf_p);
+				yy_bp = (yytext_ptr) + YY_MORE_ADJ;
+				goto yy_find_action;
+			}
+		break;
+		}
+
+	default:
+		YY_FATAL_ERROR(
+			"fatal flex scanner internal error--no action found" );
+	} /* end of action switch */
+		} /* end of scanning one token */
+} /* end of yylex */
+
+/* yy_get_next_buffer - try to read in a new buffer
+ *
+ * Returns a code representing an action:
+ *	EOB_ACT_LAST_MATCH -
+ *	EOB_ACT_CONTINUE_SCAN - continue scanning from current position
+ *	EOB_ACT_END_OF_FILE - end of file
+ */
+static int yy_get_next_buffer (void)
+{
+    	register char *dest = YY_CURRENT_BUFFER_LVALUE->yy_ch_buf;
+	register char *source = (yytext_ptr);
+	register int number_to_move, i;
+	int ret_val;
+
+	if ( (yy_c_buf_p) > &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] )
+		YY_FATAL_ERROR(
+		"fatal flex scanner internal error--end of buffer missed" );
+
+	if ( YY_CURRENT_BUFFER_LVALUE->yy_fill_buffer == 0 )
+		{ /* Don't try to fill the buffer, so this is an EOF. */
+		if ( (yy_c_buf_p) - (yytext_ptr) - YY_MORE_ADJ == 1 )
+			{
+			/* We matched a single character, the EOB, so
+			 * treat this as a final EOF.
+			 */
+			return EOB_ACT_END_OF_FILE;
+			}
+
+		else
+			{
+			/* We matched some text prior to the EOB, first
+			 * process it.
+			 */
+			return EOB_ACT_LAST_MATCH;
+			}
+		}
+
+	/* Try to read more data. */
+
+	/* First move last chars to start of buffer. */
+	number_to_move = (int) ((yy_c_buf_p) - (yytext_ptr)) - 1;
+
+	for ( i = 0; i < number_to_move; ++i )
+		*(dest++) = *(source++);
+
+	if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
+		/* don't do the read, it's not guaranteed to return an EOF,
+		 * just force an EOF
+		 */
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars) = 0;
+
+	else
+		{
+			int num_to_read =
+			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
+
+		while ( num_to_read <= 0 )
+			{ /* Not enough room in the buffer - grow it. */
+
+			/* just a shorter name for the current buffer */
+			YY_BUFFER_STATE b = YY_CURRENT_BUFFER;
+
+			int yy_c_buf_p_offset =
+				(int) ((yy_c_buf_p) - b->yy_ch_buf);
+
+			if ( b->yy_is_our_buffer )
+				{
+				int new_size = b->yy_buf_size * 2;
+
+				if ( new_size <= 0 )
+					b->yy_buf_size += b->yy_buf_size / 8;
+				else
+					b->yy_buf_size *= 2;
+
+				b->yy_ch_buf = (char *)
+					/* Include room in for 2 EOB chars. */
+					yyrealloc((void *) b->yy_ch_buf,b->yy_buf_size + 2  );
+				}
+			else
+				/* Can't grow it, we don't own it. */
+				b->yy_ch_buf = 0;
+
+			if ( ! b->yy_ch_buf )
+				YY_FATAL_ERROR(
+				"fatal error - scanner input buffer overflow" );
+
+			(yy_c_buf_p) = &b->yy_ch_buf[yy_c_buf_p_offset];
+
+			num_to_read = YY_CURRENT_BUFFER_LVALUE->yy_buf_size -
+						number_to_move - 1;
+
+			}
+
+		if ( num_to_read > YY_READ_BUF_SIZE )
+			num_to_read = YY_READ_BUF_SIZE;
+
+		/* Read in more data. */
+		YY_INPUT( (&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]),
+			(yy_n_chars), num_to_read );
+
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
+		}
+
+	if ( (yy_n_chars) == 0 )
+		{
+		if ( number_to_move == YY_MORE_ADJ )
+			{
+			ret_val = EOB_ACT_END_OF_FILE;
+			yyrestart(yyin  );
+			}
+
+		else
+			{
+			ret_val = EOB_ACT_LAST_MATCH;
+			YY_CURRENT_BUFFER_LVALUE->yy_buffer_status =
+				YY_BUFFER_EOF_PENDING;
+			}
+		}
+
+	else
+		ret_val = EOB_ACT_CONTINUE_SCAN;
+
+	(yy_n_chars) += number_to_move;
+	YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] = YY_END_OF_BUFFER_CHAR;
+	YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] = YY_END_OF_BUFFER_CHAR;
+
+	(yytext_ptr) = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[0];
+
+	return ret_val;
+}
+
+/* yy_get_previous_state - get the state just before the EOB char was reached */
+
+    static yy_state_type yy_get_previous_state (void)
+{
+	register yy_state_type yy_current_state;
+	register char *yy_cp;
+    
+	yy_current_state = (yy_start);
+
+	for ( yy_cp = (yytext_ptr) + YY_MORE_ADJ; yy_cp < (yy_c_buf_p); ++yy_cp )
+		{
+		register YY_CHAR yy_c = (*yy_cp ? yy_ec[YY_SC_TO_UI(*yy_cp)] : 1);
+		if ( yy_accept[yy_current_state] )
+			{
+			(yy_last_accepting_state) = yy_current_state;
+			(yy_last_accepting_cpos) = yy_cp;
+			}
+		while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
+			{
+			yy_current_state = (int) yy_def[yy_current_state];
+			if ( yy_current_state >= 568 )
+				yy_c = yy_meta[(unsigned int) yy_c];
+			}
+		yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+		}
+
+	return yy_current_state;
+}
+
+/* yy_try_NUL_trans - try to make a transition on the NUL character
+ *
+ * synopsis
+ *	next_state = yy_try_NUL_trans( current_state );
+ */
+    static yy_state_type yy_try_NUL_trans  (yy_state_type yy_current_state )
+{
+	register int yy_is_jam;
+    	register char *yy_cp = (yy_c_buf_p);
+
+	register YY_CHAR yy_c = 1;
+	if ( yy_accept[yy_current_state] )
+		{
+		(yy_last_accepting_state) = yy_current_state;
+		(yy_last_accepting_cpos) = yy_cp;
+		}
+	while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
+		{
+		yy_current_state = (int) yy_def[yy_current_state];
+		if ( yy_current_state >= 568 )
+			yy_c = yy_meta[(unsigned int) yy_c];
+		}
+	yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+	yy_is_jam = (yy_current_state == 567);
+
+	return yy_is_jam ? 0 : yy_current_state;
+}
+
+    static void yyunput (int c, register char * yy_bp )
+{
+	register char *yy_cp;
+    
+    yy_cp = (yy_c_buf_p);
+
+	/* undo effects of setting up yytext */
+	*yy_cp = (yy_hold_char);
+
+	if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
+		{ /* need to shift things up to make room */
+		/* +2 for EOB chars. */
+		register int number_to_move = (yy_n_chars) + 2;
+		register char *dest = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[
+					YY_CURRENT_BUFFER_LVALUE->yy_buf_size + 2];
+		register char *source =
+				&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move];
+
+		while ( source > YY_CURRENT_BUFFER_LVALUE->yy_ch_buf )
+			*--dest = *--source;
+
+		yy_cp += (int) (dest - source);
+		yy_bp += (int) (dest - source);
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars =
+			(yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_buf_size;
+
+		if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
+			YY_FATAL_ERROR( "flex scanner push-back overflow" );
+		}
+
+	*--yy_cp = (char) c;
+
+	(yytext_ptr) = yy_bp;
+	(yy_hold_char) = *yy_cp;
+	(yy_c_buf_p) = yy_cp;
+}
+
+#ifndef YY_NO_INPUT
+#ifdef __cplusplus
+    static int yyinput (void)
+#else
+    static int input  (void)
+#endif
+
+{
+	int c;
+    
+	*(yy_c_buf_p) = (yy_hold_char);
+
+	if ( *(yy_c_buf_p) == YY_END_OF_BUFFER_CHAR )
+		{
+		/* yy_c_buf_p now points to the character we want to return.
+		 * If this occurs *before* the EOB characters, then it's a
+		 * valid NUL; if not, then we've hit the end of the buffer.
+		 */
+		if ( (yy_c_buf_p) < &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] )
+			/* This was really a NUL. */
+			*(yy_c_buf_p) = '\0';
+
+		else
+			{ /* need more input */
+			int offset = (yy_c_buf_p) - (yytext_ptr);
+			++(yy_c_buf_p);
+
+			switch ( yy_get_next_buffer(  ) )
+				{
+				case EOB_ACT_LAST_MATCH:
+					/* This happens because yy_g_n_b()
+					 * sees that we've accumulated a
+					 * token and flags that we need to
+					 * try matching the token before
+					 * proceeding.  But for input(),
+					 * there's no matching to consider.
+					 * So convert the EOB_ACT_LAST_MATCH
+					 * to EOB_ACT_END_OF_FILE.
+					 */
+
+					/* Reset buffer status. */
+					yyrestart(yyin );
+
+					/*FALLTHROUGH*/
+
+				case EOB_ACT_END_OF_FILE:
+					{
+					if ( yywrap( ) )
+						return 0;
+
+					if ( ! (yy_did_buffer_switch_on_eof) )
+						YY_NEW_FILE;
+#ifdef __cplusplus
+					return yyinput();
+#else
+					return input();
+#endif
+					}
+
+				case EOB_ACT_CONTINUE_SCAN:
+					(yy_c_buf_p) = (yytext_ptr) + offset;
+					break;
+				}
+			}
+		}
+
+	c = *(unsigned char *) (yy_c_buf_p);	/* cast for 8-bit char's */
+	*(yy_c_buf_p) = '\0';	/* preserve yytext */
+	(yy_hold_char) = *++(yy_c_buf_p);
+
+	return c;
+}
+#endif	/* ifndef YY_NO_INPUT */
+
+/** Immediately switch to a different input stream.
+ * @param input_file A readable stream.
+ * 
+ * @note This function does not reset the start condition to @c INITIAL .
+ */
+    void yyrestart  (FILE * input_file )
+{
+    
+	if ( ! YY_CURRENT_BUFFER ){
+        yyensure_buffer_stack ();
+		YY_CURRENT_BUFFER_LVALUE =
+            yy_create_buffer(yyin,YY_BUF_SIZE );
+	}
+
+	yy_init_buffer(YY_CURRENT_BUFFER,input_file );
+	yy_load_buffer_state( );
+}
+
+/** Switch to a different input buffer.
+ * @param new_buffer The new input buffer.
+ * 
+ */
+    void yy_switch_to_buffer  (YY_BUFFER_STATE  new_buffer )
+{
+    
+	/* TODO. We should be able to replace this entire function body
+	 * with
+	 *		yypop_buffer_state();
+	 *		yypush_buffer_state(new_buffer);
+     */
+	yyensure_buffer_stack ();
+	if ( YY_CURRENT_BUFFER == new_buffer )
+		return;
+
+	if ( YY_CURRENT_BUFFER )
+		{
+		/* Flush out information for old buffer. */
+		*(yy_c_buf_p) = (yy_hold_char);
+		YY_CURRENT_BUFFER_LVALUE->yy_buf_pos = (yy_c_buf_p);
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
+		}
+
+	YY_CURRENT_BUFFER_LVALUE = new_buffer;
+	yy_load_buffer_state( );
+
+	/* We don't actually know whether we did this switch during
+	 * EOF (yywrap()) processing, but the only time this flag
+	 * is looked at is after yywrap() is called, so it's safe
+	 * to go ahead and always set it.
+	 */
+	(yy_did_buffer_switch_on_eof) = 1;
+}
+
+static void yy_load_buffer_state  (void)
+{
+    	(yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_n_chars;
+	(yytext_ptr) = (yy_c_buf_p) = YY_CURRENT_BUFFER_LVALUE->yy_buf_pos;
+	yyin = YY_CURRENT_BUFFER_LVALUE->yy_input_file;
+	(yy_hold_char) = *(yy_c_buf_p);
+}
+
+/** Allocate and initialize an input buffer state.
+ * @param file A readable stream.
+ * @param size The character buffer size in bytes. When in doubt, use @c YY_BUF_SIZE.
+ * 
+ * @return the allocated buffer state.
+ */
+    YY_BUFFER_STATE yy_create_buffer  (FILE * file, int  size )
+{
+	YY_BUFFER_STATE b;
+    
+	b = (YY_BUFFER_STATE) yyalloc(sizeof( struct yy_buffer_state )  );
+	if ( ! b )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
+
+	b->yy_buf_size = size;
+
+	/* yy_ch_buf has to be 2 characters longer than the size given because
+	 * we need to put in 2 end-of-buffer characters.
+	 */
+	b->yy_ch_buf = (char *) yyalloc(b->yy_buf_size + 2  );
+	if ( ! b->yy_ch_buf )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
+
+	b->yy_is_our_buffer = 1;
+
+	yy_init_buffer(b,file );
+
+	return b;
+}
+
+/** Destroy the buffer.
+ * @param b a buffer created with yy_create_buffer()
+ * 
+ */
+    void yy_delete_buffer (YY_BUFFER_STATE  b )
+{
+    
+	if ( ! b )
+		return;
+
+	if ( b == YY_CURRENT_BUFFER ) /* Not sure if we should pop here. */
+		YY_CURRENT_BUFFER_LVALUE = (YY_BUFFER_STATE) 0;
+
+	if ( b->yy_is_our_buffer )
+		yyfree((void *) b->yy_ch_buf  );
+
+	yyfree((void *) b  );
+}
+
+#ifndef __cplusplus
+extern int isatty (int );
+#endif /* __cplusplus */
+    
+/* Initializes or reinitializes a buffer.
+ * This function is sometimes called more than once on the same buffer,
+ * such as during a yyrestart() or at EOF.
+ */
+    static void yy_init_buffer  (YY_BUFFER_STATE  b, FILE * file )
+
+{
+	int oerrno = errno;
+    
+	yy_flush_buffer(b );
+
+	b->yy_input_file = file;
+	b->yy_fill_buffer = 1;
+
+    /* If b is the current buffer, then yy_init_buffer was _probably_
+     * called from yyrestart() or through yy_get_next_buffer.
+     * In that case, we don't want to reset the lineno or column.
+     */
+    if (b != YY_CURRENT_BUFFER){
+        b->yy_bs_lineno = 1;
+        b->yy_bs_column = 0;
+    }
+
+        b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0;
+    
+	errno = oerrno;
+}
+
+/** Discard all buffered characters. On the next scan, YY_INPUT will be called.
+ * @param b the buffer state to be flushed, usually @c YY_CURRENT_BUFFER.
+ * 
+ */
+    void yy_flush_buffer (YY_BUFFER_STATE  b )
+{
+    	if ( ! b )
+		return;
+
+	b->yy_n_chars = 0;
+
+	/* We always need two end-of-buffer characters.  The first causes
+	 * a transition to the end-of-buffer state.  The second causes
+	 * a jam in that state.
+	 */
+	b->yy_ch_buf[0] = YY_END_OF_BUFFER_CHAR;
+	b->yy_ch_buf[1] = YY_END_OF_BUFFER_CHAR;
+
+	b->yy_buf_pos = &b->yy_ch_buf[0];
+
+	b->yy_at_bol = 1;
+	b->yy_buffer_status = YY_BUFFER_NEW;
+
+	if ( b == YY_CURRENT_BUFFER )
+		yy_load_buffer_state( );
+}
+
+/** Pushes the new state onto the stack. The new state becomes
+ *  the current state. This function will allocate the stack
+ *  if necessary.
+ *  @param new_buffer The new state.
+ *  
+ */
+void yypush_buffer_state (YY_BUFFER_STATE new_buffer )
+{
+    	if (new_buffer == NULL)
+		return;
+
+	yyensure_buffer_stack();
+
+	/* This block is copied from yy_switch_to_buffer. */
+	if ( YY_CURRENT_BUFFER )
+		{
+		/* Flush out information for old buffer. */
+		*(yy_c_buf_p) = (yy_hold_char);
+		YY_CURRENT_BUFFER_LVALUE->yy_buf_pos = (yy_c_buf_p);
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
+		}
+
+	/* Only push if top exists. Otherwise, replace top. */
+	if (YY_CURRENT_BUFFER)
+		(yy_buffer_stack_top)++;
+	YY_CURRENT_BUFFER_LVALUE = new_buffer;
+
+	/* copied from yy_switch_to_buffer. */
+	yy_load_buffer_state( );
+	(yy_did_buffer_switch_on_eof) = 1;
+}
+
+/** Removes and deletes the top of the stack, if present.
+ *  The next element becomes the new top.
+ *  
+ */
+void yypop_buffer_state (void)
+{
+    	if (!YY_CURRENT_BUFFER)
+		return;
+
+	yy_delete_buffer(YY_CURRENT_BUFFER );
+	YY_CURRENT_BUFFER_LVALUE = NULL;
+	if ((yy_buffer_stack_top) > 0)
+		--(yy_buffer_stack_top);
+
+	if (YY_CURRENT_BUFFER) {
+		yy_load_buffer_state( );
+		(yy_did_buffer_switch_on_eof) = 1;
+	}
+}
+
+/* Allocates the stack if it does not exist.
+ *  Guarantees space for at least one push.
+ */
+static void yyensure_buffer_stack (void)
+{
+	int num_to_alloc;
+    
+	if (!(yy_buffer_stack)) {
+
+		/* First allocation is just for 2 elements, since we don't know if this
+		 * scanner will even need a stack. We use 2 instead of 1 to avoid an
+		 * immediate realloc on the next call.
+         */
+		num_to_alloc = 1;
+		(yy_buffer_stack) = (struct yy_buffer_state**)yyalloc
+								(num_to_alloc * sizeof(struct yy_buffer_state*)
+								);
+		
+		memset((yy_buffer_stack), 0, num_to_alloc * sizeof(struct yy_buffer_state*));
+				
+		(yy_buffer_stack_max) = num_to_alloc;
+		(yy_buffer_stack_top) = 0;
+		return;
+	}
+
+	if ((yy_buffer_stack_top) >= ((yy_buffer_stack_max)) - 1){
+
+		/* Increase the buffer to prepare for a possible push. */
+		int grow_size = 8 /* arbitrary grow size */;
+
+		num_to_alloc = (yy_buffer_stack_max) + grow_size;
+		(yy_buffer_stack) = (struct yy_buffer_state**)yyrealloc
+								((yy_buffer_stack),
+								num_to_alloc * sizeof(struct yy_buffer_state*)
+								);
+
+		/* zero only the new slots.*/
+		memset((yy_buffer_stack) + (yy_buffer_stack_max), 0, grow_size * sizeof(struct yy_buffer_state*));
+		(yy_buffer_stack_max) = num_to_alloc;
+	}
+}
+
+/** Setup the input buffer state to scan directly from a user-specified character buffer.
+ * @param base the character buffer
+ * @param size the size in bytes of the character buffer
+ * 
+ * @return the newly allocated buffer state object. 
+ */
+YY_BUFFER_STATE yy_scan_buffer  (char * base, yy_size_t  size )
+{
+	YY_BUFFER_STATE b;
+    
+	if ( size < 2 ||
+	     base[size-2] != YY_END_OF_BUFFER_CHAR ||
+	     base[size-1] != YY_END_OF_BUFFER_CHAR )
+		/* They forgot to leave room for the EOB's. */
+		return 0;
+
+	b = (YY_BUFFER_STATE) yyalloc(sizeof( struct yy_buffer_state )  );
+	if ( ! b )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_scan_buffer()" );
+
+	b->yy_buf_size = size - 2;	/* "- 2" to take care of EOB's */
+	b->yy_buf_pos = b->yy_ch_buf = base;
+	b->yy_is_our_buffer = 0;
+	b->yy_input_file = 0;
+	b->yy_n_chars = b->yy_buf_size;
+	b->yy_is_interactive = 0;
+	b->yy_at_bol = 1;
+	b->yy_fill_buffer = 0;
+	b->yy_buffer_status = YY_BUFFER_NEW;
+
+	yy_switch_to_buffer(b  );
+
+	return b;
+}
+
+/** Setup the input buffer state to scan a string. The next call to yylex() will
+ * scan from a @e copy of @a str.
+ * @param str a NUL-terminated string to scan
+ * 
+ * @return the newly allocated buffer state object.
+ * @note If you want to scan bytes that may contain NUL values, then use
+ *       yy_scan_bytes() instead.
+ */
+YY_BUFFER_STATE yy_scan_string (yyconst char * yystr )
+{
+    
+	return yy_scan_bytes(yystr,strlen(yystr) );
+}
+
+/** Setup the input buffer state to scan the given bytes. The next call to yylex() will
+ * scan from a @e copy of @a bytes.
+ * @param bytes the byte buffer to scan
+ * @param len the number of bytes in the buffer pointed to by @a bytes.
+ * 
+ * @return the newly allocated buffer state object.
+ */
+YY_BUFFER_STATE yy_scan_bytes  (yyconst char * yybytes, int  _yybytes_len )
+{
+	YY_BUFFER_STATE b;
+	char *buf;
+	yy_size_t n;
+	int i;
+    
+	/* Get memory for full buffer, including space for trailing EOB's. */
+	n = _yybytes_len + 2;
+	buf = (char *) yyalloc(n  );
+	if ( ! buf )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_scan_bytes()" );
+
+	for ( i = 0; i < _yybytes_len; ++i )
+		buf[i] = yybytes[i];
+
+	buf[_yybytes_len] = buf[_yybytes_len+1] = YY_END_OF_BUFFER_CHAR;
+
+	b = yy_scan_buffer(buf,n );
+	if ( ! b )
+		YY_FATAL_ERROR( "bad buffer in yy_scan_bytes()" );
+
+	/* It's okay to grow etc. this buffer, and we should throw it
+	 * away when we're done.
+	 */
+	b->yy_is_our_buffer = 1;
+
+	return b;
+}
+
+#ifndef YY_EXIT_FAILURE
+#define YY_EXIT_FAILURE 2
+#endif
+
+static void yy_fatal_error (yyconst char* msg )
+{
+    	(void) fprintf( stderr, "%s\n", msg );
+	exit( YY_EXIT_FAILURE );
+}
+
+/* Redefine yyless() so it works in section 3 code. */
+
+#undef yyless
+#define yyless(n) \
+	do \
+		{ \
+		/* Undo effects of setting up yytext. */ \
+        int yyless_macro_arg = (n); \
+        YY_LESS_LINENO(yyless_macro_arg);\
+		yytext[yyleng] = (yy_hold_char); \
+		(yy_c_buf_p) = yytext + yyless_macro_arg; \
+		(yy_hold_char) = *(yy_c_buf_p); \
+		*(yy_c_buf_p) = '\0'; \
+		yyleng = yyless_macro_arg; \
+		} \
+	while ( 0 )
+
+/* Accessor  methods (get/set functions) to struct members. */
+
+/** Get the current line number.
+ * 
+ */
+int yyget_lineno  (void)
+{
+        
+    return yylineno;
+}
+
+/** Get the input stream.
+ * 
+ */
+FILE *yyget_in  (void)
+{
+        return yyin;
+}
+
+/** Get the output stream.
+ * 
+ */
+FILE *yyget_out  (void)
+{
+        return yyout;
+}
+
+/** Get the length of the current token.
+ * 
+ */
+int yyget_leng  (void)
+{
+        return yyleng;
+}
+
+/** Get the current token.
+ * 
+ */
+
+char *yyget_text  (void)
+{
+        return yytext;
+}
+
+/** Set the current line number.
+ * @param line_number
+ * 
+ */
+void yyset_lineno (int  line_number )
+{
+    
+    yylineno = line_number;
+}
+
+/** Set the input stream. This does not discard the current
+ * input buffer.
+ * @param in_str A readable stream.
+ * 
+ * @see yy_switch_to_buffer
+ */
+void yyset_in (FILE *  in_str )
+{
+        yyin = in_str ;
+}
+
+void yyset_out (FILE *  out_str )
+{
+        yyout = out_str ;
+}
+
+int yyget_debug  (void)
+{
+        return yy_flex_debug;
+}
+
+void yyset_debug (int  bdebug )
+{
+        yy_flex_debug = bdebug ;
+}
+
+static int yy_init_globals (void)
+{
+        /* Initialization is the same as for the non-reentrant scanner.
+     * This function is called from yylex_destroy(), so don't allocate here.
+     */
+
+    (yy_buffer_stack) = 0;
+    (yy_buffer_stack_top) = 0;
+    (yy_buffer_stack_max) = 0;
+    (yy_c_buf_p) = (char *) 0;
+    (yy_init) = 0;
+    (yy_start) = 0;
+
+/* Defined in main.c */
+#ifdef YY_STDINIT
+    yyin = stdin;
+    yyout = stdout;
+#else
+    yyin = (FILE *) 0;
+    yyout = (FILE *) 0;
+#endif
+
+    /* For future reference: Set errno on error, since we are called by
+     * yylex_init()
+     */
+    return 0;
+}
+
+/* yylex_destroy is for both reentrant and non-reentrant scanners. */
+int yylex_destroy  (void)
+{
+    
+    /* Pop the buffer stack, destroying each element. */
+	while(YY_CURRENT_BUFFER){
+		yy_delete_buffer(YY_CURRENT_BUFFER  );
+		YY_CURRENT_BUFFER_LVALUE = NULL;
+		yypop_buffer_state();
+	}
+
+	/* Destroy the stack itself. */
+	yyfree((yy_buffer_stack) );
+	(yy_buffer_stack) = NULL;
+
+    /* Reset the globals. This is important in a non-reentrant scanner so the next time
+     * yylex() is called, initialization will occur. */
+    yy_init_globals( );
+
+    return 0;
+}
+
+/*
+ * Internal utility routines.
+ */
+
+#ifndef yytext_ptr
+static void yy_flex_strncpy (char* s1, yyconst char * s2, int n )
+{
+	register int i;
+	for ( i = 0; i < n; ++i )
+		s1[i] = s2[i];
+}
+#endif
+
+#ifdef YY_NEED_STRLEN
+static int yy_flex_strlen (yyconst char * s )
+{
+	register int n;
+	for ( n = 0; s[n]; ++n )
+		;
+
+	return n;
+}
+#endif
+
+void *yyalloc (yy_size_t  size )
+{
+	return (void *) malloc( size );
+}
+
+void *yyrealloc  (void * ptr, yy_size_t  size )
+{
+	/* The cast to (char *) in the following accommodates both
+	 * implementations that use char* generic pointers, and those
+	 * that use void* generic pointers.  It works with the latter
+	 * because both ANSI C and C++ allow castless assignment from
+	 * any pointer type to void*, and deal with argument conversions
+	 * as though doing an assignment.
+	 */
+	return (void *) realloc( (char *) ptr, size );
+}
+
+void yyfree (void * ptr )
+{
+	free( (char *) ptr );	/* see yyrealloc() for (char *) cast */
+}
+
+#define YYTABLES_NAME "yytables"
+
+#line 274 "lex.l"
+
+
+
+#ifndef yywrap /* XXX */
+int
+yywrap () 
+{
+     return 1;
+}
+#endif
+
+void
+error_message (const char *format, ...)
+{
+    va_list args;
+
+    va_start (args, format);
+    fprintf (stderr, "%s:%d: ", get_filename(), lineno);
+    vfprintf (stderr, format, args);
+    va_end (args);
+    error_flag++;
+}
+
+static void
+unterminated(const char *type, unsigned start_lineno)
+{
+    error_message("unterminated %s, possibly started on line %d\n", type, start_lineno);
+}
+
diff --git a/crypto/heimdal/lib/asn1/lex.h b/crypto/heimdal/lib/asn1/lex.h
index 9f5cadf..7aececf 100644
--- a/crypto/heimdal/lib/asn1/lex.h
+++ b/crypto/heimdal/lib/asn1/lex.h
@@ -31,11 +31,12 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: lex.h,v 1.5 2000/07/01 20:21:34 assar Exp $ */
+/* $Id: lex.h 15617 2005-07-12 06:27:42Z lha $ */
 
 #include <roken.h>
 
 void error_message (const char *, ...)
 __attribute__ ((format (printf, 1, 2)));
+extern int error_flag;
 
 int yylex(void);
diff --git a/crypto/heimdal/lib/asn1/lex.l b/crypto/heimdal/lib/asn1/lex.l
index 3abc17e..ec74422 100644
--- a/crypto/heimdal/lib/asn1/lex.l
+++ b/crypto/heimdal/lib/asn1/lex.l
@@ -1,6 +1,6 @@
 %{
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,7 +32,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: lex.l,v 1.19 2001/09/25 23:28:03 assar Exp $ */
+/* $Id: lex.l 18738 2006-10-21 11:57:22Z lha $ */
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
@@ -52,53 +52,224 @@
 
 static unsigned lineno = 1;
 
-#define YY_NO_UNPUT
-
 #undef ECHO
 
+static void unterminated(const char *, unsigned);
+
 %}
 
+/* This is for broken old lexes (solaris 10 and hpux) */
+%e 2000
+%p 5000
+%a 5000
+%n 1000
+%o 10000
 
 %%
-INTEGER			{ return INTEGER; }
-IMPORTS			{ return IMPORTS; }
-FROM			{ return FROM; }
-SEQUENCE		{ return SEQUENCE; }
-OF			{ return OF; }
-OCTET			{ return OCTET; }
-STRING			{ return STRING; }
-GeneralizedTime		{ return GeneralizedTime; }
-GeneralString		{ return GeneralString; }
-BIT			{ return BIT; }
-APPLICATION		{ return APPLICATION; }
-OPTIONAL		{ return OPTIONAL; }
-BEGIN			{ return TBEGIN; }
-END			{ return END; }
-DEFINITIONS		{ return DEFINITIONS; }
-ENUMERATED		{ return ENUMERATED; }
-EXTERNAL		{ return EXTERNAL; }
-OBJECT			{ return OBJECT; }
-IDENTIFIER		{ return IDENTIFIER; }
-[,;{}()|]		{ return *yytext; }
+ABSENT			{ return kw_ABSENT; }
+ABSTRACT-SYNTAX		{ return kw_ABSTRACT_SYNTAX; }
+ALL			{ return kw_ALL; }
+APPLICATION		{ return kw_APPLICATION; }
+AUTOMATIC		{ return kw_AUTOMATIC; }
+BEGIN			{ return kw_BEGIN; }
+BIT			{ return kw_BIT; }
+BMPString		{ return kw_BMPString; }
+BOOLEAN			{ return kw_BOOLEAN; }
+BY			{ return kw_BY; }
+CHARACTER		{ return kw_CHARACTER; }
+CHOICE			{ return kw_CHOICE; }
+CLASS			{ return kw_CLASS; }
+COMPONENT		{ return kw_COMPONENT; }
+COMPONENTS		{ return kw_COMPONENTS; }
+CONSTRAINED		{ return kw_CONSTRAINED; }
+CONTAINING		{ return kw_CONTAINING; }
+DEFAULT			{ return kw_DEFAULT; }
+DEFINITIONS		{ return kw_DEFINITIONS; }
+EMBEDDED		{ return kw_EMBEDDED; }
+ENCODED			{ return kw_ENCODED; }
+END			{ return kw_END; }
+ENUMERATED		{ return kw_ENUMERATED; }
+EXCEPT			{ return kw_EXCEPT; }
+EXPLICIT		{ return kw_EXPLICIT; }
+EXPORTS			{ return kw_EXPORTS; }
+EXTENSIBILITY		{ return kw_EXTENSIBILITY; }
+EXTERNAL		{ return kw_EXTERNAL; }
+FALSE			{ return kw_FALSE; }
+FROM			{ return kw_FROM; }
+GeneralString		{ return kw_GeneralString; }
+GeneralizedTime		{ return kw_GeneralizedTime; }
+GraphicString		{ return kw_GraphicString; }
+IA5String		{ return kw_IA5String; }
+IDENTIFIER		{ return kw_IDENTIFIER; }
+IMPLICIT		{ return kw_IMPLICIT; }
+IMPLIED			{ return kw_IMPLIED; }
+IMPORTS			{ return kw_IMPORTS; }
+INCLUDES		{ return kw_INCLUDES; }
+INSTANCE		{ return kw_INSTANCE; }
+INTEGER			{ return kw_INTEGER; }
+INTERSECTION		{ return kw_INTERSECTION; }
+ISO646String		{ return kw_ISO646String; }
+MAX			{ return kw_MAX; }
+MIN			{ return kw_MIN; }
+MINUS-INFINITY		{ return kw_MINUS_INFINITY; }
+NULL			{ return kw_NULL; }
+NumericString		{ return kw_NumericString; }
+OBJECT			{ return kw_OBJECT; }
+OCTET			{ return kw_OCTET; }
+OF			{ return kw_OF; }
+OPTIONAL		{ return kw_OPTIONAL; }
+ObjectDescriptor	{ return kw_ObjectDescriptor; }
+PATTERN			{ return kw_PATTERN; }
+PDV			{ return kw_PDV; }
+PLUS-INFINITY		{ return kw_PLUS_INFINITY; }
+PRESENT			{ return kw_PRESENT; }
+PRIVATE			{ return kw_PRIVATE; }
+PrintableString		{ return kw_PrintableString; }
+REAL			{ return kw_REAL; }
+RELATIVE_OID		{ return kw_RELATIVE_OID; }
+SEQUENCE		{ return kw_SEQUENCE; }
+SET			{ return kw_SET; }
+SIZE			{ return kw_SIZE; }
+STRING			{ return kw_STRING; }
+SYNTAX			{ return kw_SYNTAX; }
+T61String		{ return kw_T61String; }
+TAGS			{ return kw_TAGS; }
+TRUE			{ return kw_TRUE; }
+TYPE-IDENTIFIER		{ return kw_TYPE_IDENTIFIER; }
+TeletexString		{ return kw_TeletexString; }
+UNION			{ return kw_UNION; }
+UNIQUE			{ return kw_UNIQUE; }
+UNIVERSAL		{ return kw_UNIVERSAL; }
+UTCTime			{ return kw_UTCTime; }
+UTF8String		{ return kw_UTF8String; }
+UniversalString		{ return kw_UniversalString; }
+VideotexString		{ return kw_VideotexString; }
+VisibleString		{ return kw_VisibleString; }
+WITH			{ return kw_WITH; }
+[-,;{}()|]		{ return *yytext; }
 "["			{ return *yytext; }
 "]"			{ return *yytext; }
 ::=			{ return EEQUAL; }
---[^\n]*\n		{ ++lineno; }
--?(0x)?[0-9]+		{ char *e, *y = yytext;
+--			{ 
+			    int c, start_lineno = lineno;
+			    int f = 0;
+			    while((c = input()) != EOF) {
+				if(f && c == '-')
+				    break;
+				if(c == '-') {
+				    f = 1;
+				    continue;
+				}
+				if(c == '\n') {
+				    lineno++;
+				    break;
+				}
+				f = 0;
+			    }
+			    if(c == EOF)
+				unterminated("comment", start_lineno);
+			}
+\/\*			{ 
+			    int c, start_lineno = lineno;
+			    int level = 1;
+			    int seen_star = 0;
+			    int seen_slash = 0;
+			    while((c = input()) != EOF) {
+				if(c == '/') {
+				    if(seen_star) {
+					if(--level == 0)
+					    break;
+					seen_star = 0;
+					continue;
+				    }
+				    seen_slash = 1;
+				    continue;
+				}
+				if(seen_star && c == '/') {
+				    if(--level == 0)
+					break;
+				    seen_star = 0;
+				    continue;
+				}
+				if(c == '*') {
+				    if(seen_slash) {
+					level++;
+					seen_star = seen_slash = 0;
+					continue;
+				    } 
+				    seen_star = 1;
+				    continue;
+				}
+				seen_star = seen_slash = 0;
+				if(c == '\n') {
+				    lineno++;
+				    continue;
+				}
+			    }
+			    if(c == EOF)
+				unterminated("comment", start_lineno);
+			}
+"\""			{ 
+			    int start_lineno = lineno;
+			    int c;
+			    char buf[1024];
+			    char *p = buf;
+			    int f = 0;
+			    int skip_ws = 0;
+			    
+			    while((c = input()) != EOF) {
+				if(isspace(c) && skip_ws) {
+				    if(c == '\n')
+					lineno++;
+				    continue;
+				}
+				skip_ws = 0;
+				
+				if(c == '"') {
+				    if(f) {
+					*p++ = '"';
+					f = 0;
+				    } else
+					f = 1;
+				    continue;
+				}
+				if(f == 1) {
+				    unput(c);
+				    break;
+				}
+				if(c == '\n') {
+				    lineno++;
+				    while(p > buf && isspace((unsigned char)p[-1]))
+					p--;
+				    skip_ws = 1;
+				    continue;
+				}
+				*p++ = c;
+			    }
+			    if(c == EOF)
+				unterminated("string", start_lineno);
+			    *p++ = '\0';
+			    fprintf(stderr, "string -- %s\n", buf);
+			    yylval.name = estrdup(buf);
+			    return STRING; 
+			}
+
+-?0x[0-9A-Fa-f]+|-?[0-9]+ { char *e, *y = yytext;
 			  yylval.constant = strtol((const char *)yytext,
 						   &e, 0);
 			  if(e == y) 
 			    error_message("malformed constant (%s)", yytext); 
 			  else
-			    return CONSTANT;
+			    return NUMBER;
 			}
 [A-Za-z][-A-Za-z0-9_]*	{
-			  yylval.name =  strdup ((const char *)yytext);
-			  return IDENT;
+			  yylval.name =  estrdup ((const char *)yytext);
+			  return IDENTIFIER;
 			}
 [ \t]			;
 \n			{ ++lineno; }
-\.\.			{ return DOTDOT; }
+\.\.\.			{ return ELLIPSIS; }
+\.\.			{ return RANGE; }
 .			{ error_message("Ignoring char(%c)\n", *yytext); }
 %%
 
@@ -113,10 +284,17 @@ yywrap ()
 void
 error_message (const char *format, ...)
 {
-     va_list args;
+    va_list args;
+
+    va_start (args, format);
+    fprintf (stderr, "%s:%d: ", get_filename(), lineno);
+    vfprintf (stderr, format, args);
+    va_end (args);
+    error_flag++;
+}
 
-     va_start (args, format);
-     fprintf (stderr, "%s:%d: ", filename(), lineno);
-     vfprintf (stderr, format, args);
-     va_end (args);
+static void
+unterminated(const char *type, unsigned start_lineno)
+{
+    error_message("unterminated %s, possibly started on line %d\n", type, start_lineno);
 }
diff --git a/crypto/heimdal/lib/asn1/main.c b/crypto/heimdal/lib/asn1/main.c
index 8b1b409..3b4a812 100644
--- a/crypto/heimdal/lib/asn1/main.c
+++ b/crypto/heimdal/lib/asn1/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,14 +33,44 @@
 
 #include "gen_locl.h"
 #include <getarg.h>
+#include "lex.h"
 
-RCSID("$Id: main.c,v 1.11 2001/02/20 01:44:52 assar Exp $");
+RCSID("$Id: main.c 20858 2007-06-03 18:56:41Z lha $");
 
 extern FILE *yyin;
 
+static getarg_strings preserve;
+static getarg_strings seq;
+
+int
+preserve_type(const char *p)
+{
+    int i;
+    for (i = 0; i < preserve.num_strings; i++)
+	if (strcmp(preserve.strings[i], p) == 0)
+	    return 1;
+    return 0;
+}
+
+int
+seq_type(const char *p)
+{
+    int i;
+    for (i = 0; i < seq.num_strings; i++)
+	if (strcmp(seq.strings[i], p) == 0)
+	    return 1;
+    return 0;
+}
+
+int dce_fix;
+int rfc1510_bitstring;
 int version_flag;
 int help_flag;
 struct getargs args[] = {
+    { "encode-rfc1510-bit-string", 0, arg_flag, &rfc1510_bitstring },
+    { "decode-dce-ber", 0, arg_flag, &dce_fix },
+    { "preserve-binary", 0, arg_strings, &preserve },
+    { "sequence", 0, arg_strings, &seq },
     { "version", 0, arg_flag, &version_flag },
     { "help", 0, arg_flag, &help_flag }
 };
@@ -53,16 +83,18 @@ usage(int code)
     exit(code);
 }
 
+int error_flag;
+
 int
 main(int argc, char **argv)
 {
     int ret;
-    char *file;
-    char *name = NULL;
-    int optind = 0;
+    const char *file;
+    const char *name = NULL;
+    int optidx = 0;
 
     setprogname(argv[0]);
-    if(getarg(args, num_args, argc, argv, &optind))
+    if(getarg(args, num_args, argc, argv, &optidx))
 	usage(1);
     if(help_flag)
 	usage(0);
@@ -70,21 +102,32 @@ main(int argc, char **argv)
 	print_version(NULL);
 	exit(0);
     }
-    if (argc == optind) {
+    if (argc == optidx) {
 	file = "stdin";
 	name = "stdin";
 	yyin = stdin;
     } else {
-	file = argv[optind];
+	file = argv[optidx];
 	yyin = fopen (file, "r");
 	if (yyin == NULL)
 	    err (1, "open %s", file);
-	name = argv[optind + 1];
+	if (argc == optidx + 1) {
+	    char *p;
+	    name = estrdup(file);
+	    p = strrchr(name, '.');
+	    if (p)
+		*p = '\0';
+	} else
+	    name = argv[optidx + 1];
     }
 
     init_generate (file, name);
     initsym ();
     ret = yyparse ();
+    if(ret != 0 || error_flag != 0)
+	exit(1);
     close_generate ();
-    return ret;
+    if (argc != optidx)
+	fclose(yyin);
+    return 0;
 }
diff --git a/crypto/heimdal/lib/asn1/parse.c b/crypto/heimdal/lib/asn1/parse.c
new file mode 100644
index 0000000..9800d54
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/parse.c
@@ -0,0 +1,2831 @@
+/* A Bison parser, made by GNU Bison 2.3.  */
+
+/* Skeleton implementation for Bison's Yacc-like parsers in C
+
+   Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
+   Free Software Foundation, Inc.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2, or (at your option)
+   any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin Street, Fifth Floor,
+   Boston, MA 02110-1301, USA.  */
+
+/* As a special exception, you may create a larger work that contains
+   part or all of the Bison parser skeleton and distribute that work
+   under terms of your choice, so long as that work isn't itself a
+   parser generator using the skeleton or a modified version thereof
+   as a parser skeleton.  Alternatively, if you modify or redistribute
+   the parser skeleton itself, you may (at your option) remove this
+   special exception, which will cause the skeleton and the resulting
+   Bison output files to be licensed under the GNU General Public
+   License without this special exception.
+
+   This special exception was added by the Free Software Foundation in
+   version 2.2 of Bison.  */
+
+/* C LALR(1) parser skeleton written by Richard Stallman, by
+   simplifying the original so-called "semantic" parser.  */
+
+/* All symbols defined below should begin with yy or YY, to avoid
+   infringing on user name space.  This should be done even for local
+   variables, as they might otherwise be expanded by user macros.
+   There are some unavoidable exceptions within include files to
+   define necessary library symbols; they are noted "INFRINGES ON
+   USER NAME SPACE" below.  */
+
+/* Identify Bison output.  */
+#define YYBISON 1
+
+/* Bison version.  */
+#define YYBISON_VERSION "2.3"
+
+/* Skeleton name.  */
+#define YYSKELETON_NAME "yacc.c"
+
+/* Pure parsers.  */
+#define YYPURE 0
+
+/* Using locations.  */
+#define YYLSP_NEEDED 0
+
+
+
+/* Tokens.  */
+#ifndef YYTOKENTYPE
+# define YYTOKENTYPE
+   /* Put the tokens into the symbol table, so that GDB and other debuggers
+      know about them.  */
+   enum yytokentype {
+     kw_ABSENT = 258,
+     kw_ABSTRACT_SYNTAX = 259,
+     kw_ALL = 260,
+     kw_APPLICATION = 261,
+     kw_AUTOMATIC = 262,
+     kw_BEGIN = 263,
+     kw_BIT = 264,
+     kw_BMPString = 265,
+     kw_BOOLEAN = 266,
+     kw_BY = 267,
+     kw_CHARACTER = 268,
+     kw_CHOICE = 269,
+     kw_CLASS = 270,
+     kw_COMPONENT = 271,
+     kw_COMPONENTS = 272,
+     kw_CONSTRAINED = 273,
+     kw_CONTAINING = 274,
+     kw_DEFAULT = 275,
+     kw_DEFINITIONS = 276,
+     kw_EMBEDDED = 277,
+     kw_ENCODED = 278,
+     kw_END = 279,
+     kw_ENUMERATED = 280,
+     kw_EXCEPT = 281,
+     kw_EXPLICIT = 282,
+     kw_EXPORTS = 283,
+     kw_EXTENSIBILITY = 284,
+     kw_EXTERNAL = 285,
+     kw_FALSE = 286,
+     kw_FROM = 287,
+     kw_GeneralString = 288,
+     kw_GeneralizedTime = 289,
+     kw_GraphicString = 290,
+     kw_IA5String = 291,
+     kw_IDENTIFIER = 292,
+     kw_IMPLICIT = 293,
+     kw_IMPLIED = 294,
+     kw_IMPORTS = 295,
+     kw_INCLUDES = 296,
+     kw_INSTANCE = 297,
+     kw_INTEGER = 298,
+     kw_INTERSECTION = 299,
+     kw_ISO646String = 300,
+     kw_MAX = 301,
+     kw_MIN = 302,
+     kw_MINUS_INFINITY = 303,
+     kw_NULL = 304,
+     kw_NumericString = 305,
+     kw_OBJECT = 306,
+     kw_OCTET = 307,
+     kw_OF = 308,
+     kw_OPTIONAL = 309,
+     kw_ObjectDescriptor = 310,
+     kw_PATTERN = 311,
+     kw_PDV = 312,
+     kw_PLUS_INFINITY = 313,
+     kw_PRESENT = 314,
+     kw_PRIVATE = 315,
+     kw_PrintableString = 316,
+     kw_REAL = 317,
+     kw_RELATIVE_OID = 318,
+     kw_SEQUENCE = 319,
+     kw_SET = 320,
+     kw_SIZE = 321,
+     kw_STRING = 322,
+     kw_SYNTAX = 323,
+     kw_T61String = 324,
+     kw_TAGS = 325,
+     kw_TRUE = 326,
+     kw_TYPE_IDENTIFIER = 327,
+     kw_TeletexString = 328,
+     kw_UNION = 329,
+     kw_UNIQUE = 330,
+     kw_UNIVERSAL = 331,
+     kw_UTCTime = 332,
+     kw_UTF8String = 333,
+     kw_UniversalString = 334,
+     kw_VideotexString = 335,
+     kw_VisibleString = 336,
+     kw_WITH = 337,
+     RANGE = 338,
+     EEQUAL = 339,
+     ELLIPSIS = 340,
+     IDENTIFIER = 341,
+     referencename = 342,
+     STRING = 343,
+     NUMBER = 344
+   };
+#endif
+/* Tokens.  */
+#define kw_ABSENT 258
+#define kw_ABSTRACT_SYNTAX 259
+#define kw_ALL 260
+#define kw_APPLICATION 261
+#define kw_AUTOMATIC 262
+#define kw_BEGIN 263
+#define kw_BIT 264
+#define kw_BMPString 265
+#define kw_BOOLEAN 266
+#define kw_BY 267
+#define kw_CHARACTER 268
+#define kw_CHOICE 269
+#define kw_CLASS 270
+#define kw_COMPONENT 271
+#define kw_COMPONENTS 272
+#define kw_CONSTRAINED 273
+#define kw_CONTAINING 274
+#define kw_DEFAULT 275
+#define kw_DEFINITIONS 276
+#define kw_EMBEDDED 277
+#define kw_ENCODED 278
+#define kw_END 279
+#define kw_ENUMERATED 280
+#define kw_EXCEPT 281
+#define kw_EXPLICIT 282
+#define kw_EXPORTS 283
+#define kw_EXTENSIBILITY 284
+#define kw_EXTERNAL 285
+#define kw_FALSE 286
+#define kw_FROM 287
+#define kw_GeneralString 288
+#define kw_GeneralizedTime 289
+#define kw_GraphicString 290
+#define kw_IA5String 291
+#define kw_IDENTIFIER 292
+#define kw_IMPLICIT 293
+#define kw_IMPLIED 294
+#define kw_IMPORTS 295
+#define kw_INCLUDES 296
+#define kw_INSTANCE 297
+#define kw_INTEGER 298
+#define kw_INTERSECTION 299
+#define kw_ISO646String 300
+#define kw_MAX 301
+#define kw_MIN 302
+#define kw_MINUS_INFINITY 303
+#define kw_NULL 304
+#define kw_NumericString 305
+#define kw_OBJECT 306
+#define kw_OCTET 307
+#define kw_OF 308
+#define kw_OPTIONAL 309
+#define kw_ObjectDescriptor 310
+#define kw_PATTERN 311
+#define kw_PDV 312
+#define kw_PLUS_INFINITY 313
+#define kw_PRESENT 314
+#define kw_PRIVATE 315
+#define kw_PrintableString 316
+#define kw_REAL 317
+#define kw_RELATIVE_OID 318
+#define kw_SEQUENCE 319
+#define kw_SET 320
+#define kw_SIZE 321
+#define kw_STRING 322
+#define kw_SYNTAX 323
+#define kw_T61String 324
+#define kw_TAGS 325
+#define kw_TRUE 326
+#define kw_TYPE_IDENTIFIER 327
+#define kw_TeletexString 328
+#define kw_UNION 329
+#define kw_UNIQUE 330
+#define kw_UNIVERSAL 331
+#define kw_UTCTime 332
+#define kw_UTF8String 333
+#define kw_UniversalString 334
+#define kw_VideotexString 335
+#define kw_VisibleString 336
+#define kw_WITH 337
+#define RANGE 338
+#define EEQUAL 339
+#define ELLIPSIS 340
+#define IDENTIFIER 341
+#define referencename 342
+#define STRING 343
+#define NUMBER 344
+
+
+
+
+/* Copy the first part of user declarations.  */
+#line 36 "parse.y"
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "symbol.h"
+#include "lex.h"
+#include "gen_locl.h"
+#include "der.h"
+
+RCSID("$Id: parse.y 21597 2007-07-16 18:48:58Z lha $");
+
+static Type *new_type (Typetype t);
+static struct constraint_spec *new_constraint_spec(enum ctype);
+static Type *new_tag(int tagclass, int tagvalue, int tagenv, Type *oldtype);
+void yyerror (const char *);
+static struct objid *new_objid(const char *label, int value);
+static void add_oid_to_tail(struct objid *, struct objid *);
+static void fix_labels(Symbol *s);
+
+struct string_list {
+    char *string;
+    struct string_list *next;
+};
+
+
+
+/* Enabling traces.  */
+#ifndef YYDEBUG
+# define YYDEBUG 1
+#endif
+
+/* Enabling verbose error messages.  */
+#ifdef YYERROR_VERBOSE
+# undef YYERROR_VERBOSE
+# define YYERROR_VERBOSE 1
+#else
+# define YYERROR_VERBOSE 0
+#endif
+
+/* Enabling the token table.  */
+#ifndef YYTOKEN_TABLE
+# define YYTOKEN_TABLE 0
+#endif
+
+#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
+typedef union YYSTYPE
+#line 65 "parse.y"
+{
+    int constant;
+    struct value *value;
+    struct range *range;
+    char *name;
+    Type *type;
+    Member *member;
+    struct objid *objid;
+    char *defval;
+    struct string_list *sl;
+    struct tagtype tag;
+    struct memhead *members;
+    struct constraint_spec *constraint_spec;
+}
+/* Line 193 of yacc.c.  */
+#line 318 "parse.c"
+	YYSTYPE;
+# define yystype YYSTYPE /* obsolescent; will be withdrawn */
+# define YYSTYPE_IS_DECLARED 1
+# define YYSTYPE_IS_TRIVIAL 1
+#endif
+
+
+
+/* Copy the second part of user declarations.  */
+
+
+/* Line 216 of yacc.c.  */
+#line 331 "parse.c"
+
+#ifdef short
+# undef short
+#endif
+
+#ifdef YYTYPE_UINT8
+typedef YYTYPE_UINT8 yytype_uint8;
+#else
+typedef unsigned char yytype_uint8;
+#endif
+
+#ifdef YYTYPE_INT8
+typedef YYTYPE_INT8 yytype_int8;
+#elif (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+typedef signed char yytype_int8;
+#else
+typedef short int yytype_int8;
+#endif
+
+#ifdef YYTYPE_UINT16
+typedef YYTYPE_UINT16 yytype_uint16;
+#else
+typedef unsigned short int yytype_uint16;
+#endif
+
+#ifdef YYTYPE_INT16
+typedef YYTYPE_INT16 yytype_int16;
+#else
+typedef short int yytype_int16;
+#endif
+
+#ifndef YYSIZE_T
+# ifdef __SIZE_TYPE__
+#  define YYSIZE_T __SIZE_TYPE__
+# elif defined size_t
+#  define YYSIZE_T size_t
+# elif ! defined YYSIZE_T && (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+#  include <stddef.h> /* INFRINGES ON USER NAME SPACE */
+#  define YYSIZE_T size_t
+# else
+#  define YYSIZE_T unsigned int
+# endif
+#endif
+
+#define YYSIZE_MAXIMUM ((YYSIZE_T) -1)
+
+#ifndef YY_
+# if defined YYENABLE_NLS && YYENABLE_NLS
+#  if ENABLE_NLS
+#   include <libintl.h> /* INFRINGES ON USER NAME SPACE */
+#   define YY_(msgid) dgettext ("bison-runtime", msgid)
+#  endif
+# endif
+# ifndef YY_
+#  define YY_(msgid) msgid
+# endif
+#endif
+
+/* Suppress unused-variable warnings by "using" E.  */
+#if ! defined lint || defined __GNUC__
+# define YYUSE(e) ((void) (e))
+#else
+# define YYUSE(e) /* empty */
+#endif
+
+/* Identity function, used to suppress warnings about constant conditions.  */
+#ifndef lint
+# define YYID(n) (n)
+#else
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static int
+YYID (int i)
+#else
+static int
+YYID (i)
+    int i;
+#endif
+{
+  return i;
+}
+#endif
+
+#if ! defined yyoverflow || YYERROR_VERBOSE
+
+/* The parser invokes alloca or malloc; define the necessary symbols.  */
+
+# ifdef YYSTACK_USE_ALLOCA
+#  if YYSTACK_USE_ALLOCA
+#   ifdef __GNUC__
+#    define YYSTACK_ALLOC __builtin_alloca
+#   elif defined __BUILTIN_VA_ARG_INCR
+#    include <alloca.h> /* INFRINGES ON USER NAME SPACE */
+#   elif defined _AIX
+#    define YYSTACK_ALLOC __alloca
+#   elif defined _MSC_VER
+#    include <malloc.h> /* INFRINGES ON USER NAME SPACE */
+#    define alloca _alloca
+#   else
+#    define YYSTACK_ALLOC alloca
+#    if ! defined _ALLOCA_H && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+#     include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
+#     ifndef _STDLIB_H
+#      define _STDLIB_H 1
+#     endif
+#    endif
+#   endif
+#  endif
+# endif
+
+# ifdef YYSTACK_ALLOC
+   /* Pacify GCC's `empty if-body' warning.  */
+#  define YYSTACK_FREE(Ptr) do { /* empty */; } while (YYID (0))
+#  ifndef YYSTACK_ALLOC_MAXIMUM
+    /* The OS might guarantee only one guard page at the bottom of the stack,
+       and a page size can be as small as 4096 bytes.  So we cannot safely
+       invoke alloca (N) if N exceeds 4096.  Use a slightly smaller number
+       to allow for a few compiler-allocated temporary stack slots.  */
+#   define YYSTACK_ALLOC_MAXIMUM 4032 /* reasonable circa 2006 */
+#  endif
+# else
+#  define YYSTACK_ALLOC YYMALLOC
+#  define YYSTACK_FREE YYFREE
+#  ifndef YYSTACK_ALLOC_MAXIMUM
+#   define YYSTACK_ALLOC_MAXIMUM YYSIZE_MAXIMUM
+#  endif
+#  if (defined __cplusplus && ! defined _STDLIB_H \
+       && ! ((defined YYMALLOC || defined malloc) \
+	     && (defined YYFREE || defined free)))
+#   include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
+#   ifndef _STDLIB_H
+#    define _STDLIB_H 1
+#   endif
+#  endif
+#  ifndef YYMALLOC
+#   define YYMALLOC malloc
+#   if ! defined malloc && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+void *malloc (YYSIZE_T); /* INFRINGES ON USER NAME SPACE */
+#   endif
+#  endif
+#  ifndef YYFREE
+#   define YYFREE free
+#   if ! defined free && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+void free (void *); /* INFRINGES ON USER NAME SPACE */
+#   endif
+#  endif
+# endif
+#endif /* ! defined yyoverflow || YYERROR_VERBOSE */
+
+
+#if (! defined yyoverflow \
+     && (! defined __cplusplus \
+	 || (defined YYSTYPE_IS_TRIVIAL && YYSTYPE_IS_TRIVIAL)))
+
+/* A type that is properly aligned for any stack member.  */
+union yyalloc
+{
+  yytype_int16 yyss;
+  YYSTYPE yyvs;
+  };
+
+/* The size of the maximum gap between one aligned stack and the next.  */
+# define YYSTACK_GAP_MAXIMUM (sizeof (union yyalloc) - 1)
+
+/* The size of an array large to enough to hold all stacks, each with
+   N elements.  */
+# define YYSTACK_BYTES(N) \
+     ((N) * (sizeof (yytype_int16) + sizeof (YYSTYPE)) \
+      + YYSTACK_GAP_MAXIMUM)
+
+/* Copy COUNT objects from FROM to TO.  The source and destination do
+   not overlap.  */
+# ifndef YYCOPY
+#  if defined __GNUC__ && 1 < __GNUC__
+#   define YYCOPY(To, From, Count) \
+      __builtin_memcpy (To, From, (Count) * sizeof (*(From)))
+#  else
+#   define YYCOPY(To, From, Count)		\
+      do					\
+	{					\
+	  YYSIZE_T yyi;				\
+	  for (yyi = 0; yyi < (Count); yyi++)	\
+	    (To)[yyi] = (From)[yyi];		\
+	}					\
+      while (YYID (0))
+#  endif
+# endif
+
+/* Relocate STACK from its old location to the new one.  The
+   local variables YYSIZE and YYSTACKSIZE give the old and new number of
+   elements in the stack, and YYPTR gives the new location of the
+   stack.  Advance YYPTR to a properly aligned location for the next
+   stack.  */
+# define YYSTACK_RELOCATE(Stack)					\
+    do									\
+      {									\
+	YYSIZE_T yynewbytes;						\
+	YYCOPY (&yyptr->Stack, Stack, yysize);				\
+	Stack = &yyptr->Stack;						\
+	yynewbytes = yystacksize * sizeof (*Stack) + YYSTACK_GAP_MAXIMUM; \
+	yyptr += yynewbytes / sizeof (*yyptr);				\
+      }									\
+    while (YYID (0))
+
+#endif
+
+/* YYFINAL -- State number of the termination state.  */
+#define YYFINAL  6
+/* YYLAST -- Last index in YYTABLE.  */
+#define YYLAST   195
+
+/* YYNTOKENS -- Number of terminals.  */
+#define YYNTOKENS  98
+/* YYNNTS -- Number of nonterminals.  */
+#define YYNNTS  68
+/* YYNRULES -- Number of rules.  */
+#define YYNRULES  136
+/* YYNRULES -- Number of states.  */
+#define YYNSTATES  214
+
+/* YYTRANSLATE(YYLEX) -- Bison symbol number corresponding to YYLEX.  */
+#define YYUNDEFTOK  2
+#define YYMAXUTOK   344
+
+#define YYTRANSLATE(YYX)						\
+  ((unsigned int) (YYX) <= YYMAXUTOK ? yytranslate[YYX] : YYUNDEFTOK)
+
+/* YYTRANSLATE[YYLEX] -- Bison symbol number corresponding to YYLEX.  */
+static const yytype_uint8 yytranslate[] =
+{
+       0,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+      92,    93,     2,     2,    91,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,    90,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,    96,     2,    97,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,    94,     2,    95,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     1,     2,     3,     4,
+       5,     6,     7,     8,     9,    10,    11,    12,    13,    14,
+      15,    16,    17,    18,    19,    20,    21,    22,    23,    24,
+      25,    26,    27,    28,    29,    30,    31,    32,    33,    34,
+      35,    36,    37,    38,    39,    40,    41,    42,    43,    44,
+      45,    46,    47,    48,    49,    50,    51,    52,    53,    54,
+      55,    56,    57,    58,    59,    60,    61,    62,    63,    64,
+      65,    66,    67,    68,    69,    70,    71,    72,    73,    74,
+      75,    76,    77,    78,    79,    80,    81,    82,    83,    84,
+      85,    86,    87,    88,    89
+};
+
+#if YYDEBUG
+/* YYPRHS[YYN] -- Index of the first RHS symbol of rule number YYN in
+   YYRHS.  */
+static const yytype_uint16 yyprhs[] =
+{
+       0,     0,     3,    13,    16,    19,    22,    23,    26,    27,
+      30,    31,    35,    36,    38,    39,    41,    44,    49,    51,
+      54,    56,    58,    62,    64,    68,    70,    72,    74,    76,
+      78,    80,    82,    84,    86,    88,    90,    92,    94,    96,
+      98,   100,   102,   104,   110,   116,   122,   126,   128,   131,
+     136,   138,   142,   146,   151,   156,   158,   161,   167,   170,
+     174,   176,   177,   180,   185,   189,   194,   199,   203,   207,
+     212,   214,   216,   218,   220,   222,   225,   229,   231,   233,
+     235,   238,   242,   248,   253,   257,   262,   263,   265,   267,
+     269,   270,   272,   274,   279,   281,   283,   285,   287,   289,
+     291,   293,   295,   297,   301,   305,   308,   310,   313,   317,
+     319,   323,   328,   330,   331,   335,   336,   339,   344,   346,
+     348,   350,   352,   354,   356,   358,   360,   362,   364,   366,
+     368,   370,   372,   374,   376,   378,   380
+};
+
+/* YYRHS -- A `-1'-separated list of the rules' RHS.  */
+static const yytype_int16 yyrhs[] =
+{
+      99,     0,    -1,    86,   151,    21,   100,   101,    84,     8,
+     102,    24,    -1,    27,    70,    -1,    38,    70,    -1,     7,
+      70,    -1,    -1,    29,    39,    -1,    -1,   103,   107,    -1,
+      -1,    40,   104,    90,    -1,    -1,   105,    -1,    -1,   106,
+      -1,   105,   106,    -1,   109,    32,    86,   151,    -1,   108,
+      -1,   108,   107,    -1,   110,    -1,   143,    -1,    86,    91,
+     109,    -1,    86,    -1,    86,    84,   111,    -1,   112,    -1,
+     130,    -1,   133,    -1,   120,    -1,   113,    -1,   144,    -1,
+     129,    -1,   118,    -1,   115,    -1,   123,    -1,   121,    -1,
+     122,    -1,   125,    -1,   126,    -1,   127,    -1,   128,    -1,
+     139,    -1,    11,    -1,    92,   155,    83,   155,    93,    -1,
+      92,   155,    83,    46,    93,    -1,    92,    47,    83,   155,
+      93,    -1,    92,   155,    93,    -1,    43,    -1,    43,   114,
+      -1,    43,    94,   116,    95,    -1,   117,    -1,   116,    91,
+     117,    -1,   116,    91,    85,    -1,    86,    92,   163,    93,
+      -1,    25,    94,   119,    95,    -1,   116,    -1,     9,    67,
+      -1,     9,    67,    94,   149,    95,    -1,    51,    37,    -1,
+      52,    67,   124,    -1,    49,    -1,    -1,    66,   114,    -1,
+      64,    94,   146,    95,    -1,    64,    94,    95,    -1,    64,
+     124,    53,   111,    -1,    65,    94,   146,    95,    -1,    65,
+      94,    95,    -1,    65,    53,   111,    -1,    14,    94,   146,
+      95,    -1,   131,    -1,   132,    -1,    86,    -1,    34,    -1,
+      77,    -1,   111,   134,    -1,    92,   135,    93,    -1,   136,
+      -1,   137,    -1,   138,    -1,    19,   111,    -1,    23,    12,
+     155,    -1,    19,   111,    23,    12,   155,    -1,    18,    12,
+      94,    95,    -1,   140,   142,   111,    -1,    96,   141,    89,
+      97,    -1,    -1,    76,    -1,     6,    -1,    60,    -1,    -1,
+      27,    -1,    38,    -1,    86,   111,    84,   155,    -1,   145,
+      -1,    33,    -1,    78,    -1,    61,    -1,    81,    -1,    36,
+      -1,    10,    -1,    79,    -1,   148,    -1,   146,    91,   148,
+      -1,   146,    91,    85,    -1,    86,   111,    -1,   147,    -1,
+     147,    54,    -1,   147,    20,   155,    -1,   150,    -1,   149,
+      91,   150,    -1,    86,    92,    89,    93,    -1,   152,    -1,
+      -1,    94,   153,    95,    -1,    -1,   154,   153,    -1,    86,
+      92,    89,    93,    -1,    86,    -1,    89,    -1,   156,    -1,
+     157,    -1,   161,    -1,   160,    -1,   162,    -1,   165,    -1,
+     164,    -1,   158,    -1,   159,    -1,    86,    -1,    88,    -1,
+      71,    -1,    31,    -1,   163,    -1,    89,    -1,    49,    -1,
+     152,    -1
+};
+
+/* YYRLINE[YYN] -- source line where rule number YYN was defined.  */
+static const yytype_uint16 yyrline[] =
+{
+       0,   233,   233,   240,   241,   243,   245,   248,   250,   253,
+     254,   257,   258,   261,   262,   265,   266,   269,   280,   281,
+     284,   285,   288,   294,   302,   312,   313,   314,   317,   318,
+     319,   320,   321,   322,   323,   324,   325,   326,   327,   328,
+     329,   330,   333,   340,   350,   358,   366,   377,   382,   388,
+     396,   402,   407,   411,   424,   432,   435,   442,   450,   456,
+     465,   473,   474,   479,   485,   493,   502,   508,   516,   524,
+     531,   532,   535,   546,   551,   558,   574,   580,   583,   584,
+     587,   593,   601,   611,   617,   630,   639,   642,   646,   650,
+     657,   660,   664,   671,   682,   685,   690,   695,   700,   705,
+     710,   715,   723,   729,   734,   745,   756,   762,   768,   776,
+     782,   789,   802,   803,   806,   813,   816,   827,   831,   842,
+     848,   849,   852,   853,   854,   855,   856,   859,   862,   865,
+     876,   884,   890,   898,   906,   909,   914
+};
+#endif
+
+#if YYDEBUG || YYERROR_VERBOSE || YYTOKEN_TABLE
+/* YYTNAME[SYMBOL-NUM] -- String name of the symbol SYMBOL-NUM.
+   First, the terminals, then, starting at YYNTOKENS, nonterminals.  */
+static const char *const yytname[] =
+{
+  "$end", "error", "$undefined", "kw_ABSENT", "kw_ABSTRACT_SYNTAX",
+  "kw_ALL", "kw_APPLICATION", "kw_AUTOMATIC", "kw_BEGIN", "kw_BIT",
+  "kw_BMPString", "kw_BOOLEAN", "kw_BY", "kw_CHARACTER", "kw_CHOICE",
+  "kw_CLASS", "kw_COMPONENT", "kw_COMPONENTS", "kw_CONSTRAINED",
+  "kw_CONTAINING", "kw_DEFAULT", "kw_DEFINITIONS", "kw_EMBEDDED",
+  "kw_ENCODED", "kw_END", "kw_ENUMERATED", "kw_EXCEPT", "kw_EXPLICIT",
+  "kw_EXPORTS", "kw_EXTENSIBILITY", "kw_EXTERNAL", "kw_FALSE", "kw_FROM",
+  "kw_GeneralString", "kw_GeneralizedTime", "kw_GraphicString",
+  "kw_IA5String", "kw_IDENTIFIER", "kw_IMPLICIT", "kw_IMPLIED",
+  "kw_IMPORTS", "kw_INCLUDES", "kw_INSTANCE", "kw_INTEGER",
+  "kw_INTERSECTION", "kw_ISO646String", "kw_MAX", "kw_MIN",
+  "kw_MINUS_INFINITY", "kw_NULL", "kw_NumericString", "kw_OBJECT",
+  "kw_OCTET", "kw_OF", "kw_OPTIONAL", "kw_ObjectDescriptor", "kw_PATTERN",
+  "kw_PDV", "kw_PLUS_INFINITY", "kw_PRESENT", "kw_PRIVATE",
+  "kw_PrintableString", "kw_REAL", "kw_RELATIVE_OID", "kw_SEQUENCE",
+  "kw_SET", "kw_SIZE", "kw_STRING", "kw_SYNTAX", "kw_T61String", "kw_TAGS",
+  "kw_TRUE", "kw_TYPE_IDENTIFIER", "kw_TeletexString", "kw_UNION",
+  "kw_UNIQUE", "kw_UNIVERSAL", "kw_UTCTime", "kw_UTF8String",
+  "kw_UniversalString", "kw_VideotexString", "kw_VisibleString", "kw_WITH",
+  "RANGE", "EEQUAL", "ELLIPSIS", "IDENTIFIER", "referencename", "STRING",
+  "NUMBER", "';'", "','", "'('", "')'", "'{'", "'}'", "'['", "']'",
+  "$accept", "ModuleDefinition", "TagDefault", "ExtensionDefault",
+  "ModuleBody", "Imports", "SymbolsImported", "SymbolsFromModuleList",
+  "SymbolsFromModule", "AssignmentList", "Assignment", "referencenames",
+  "TypeAssignment", "Type", "BuiltinType", "BooleanType", "range",
+  "IntegerType", "NamedNumberList", "NamedNumber", "EnumeratedType",
+  "Enumerations", "BitStringType", "ObjectIdentifierType",
+  "OctetStringType", "NullType", "size", "SequenceType", "SequenceOfType",
+  "SetType", "SetOfType", "ChoiceType", "ReferencedType", "DefinedType",
+  "UsefulType", "ConstrainedType", "Constraint", "ConstraintSpec",
+  "GeneralConstraint", "ContentsConstraint", "UserDefinedConstraint",
+  "TaggedType", "Tag", "Class", "tagenv", "ValueAssignment",
+  "CharacterStringType", "RestrictedCharactedStringType",
+  "ComponentTypeList", "NamedType", "ComponentType", "NamedBitList",
+  "NamedBit", "objid_opt", "objid", "objid_list", "objid_element", "Value",
+  "BuiltinValue", "ReferencedValue", "DefinedValue", "Valuereference",
+  "CharacterStringValue", "BooleanValue", "IntegerValue", "SignedNumber",
+  "NullValue", "ObjectIdentifierValue", 0
+};
+#endif
+
+# ifdef YYPRINT
+/* YYTOKNUM[YYLEX-NUM] -- Internal token number corresponding to
+   token YYLEX-NUM.  */
+static const yytype_uint16 yytoknum[] =
+{
+       0,   256,   257,   258,   259,   260,   261,   262,   263,   264,
+     265,   266,   267,   268,   269,   270,   271,   272,   273,   274,
+     275,   276,   277,   278,   279,   280,   281,   282,   283,   284,
+     285,   286,   287,   288,   289,   290,   291,   292,   293,   294,
+     295,   296,   297,   298,   299,   300,   301,   302,   303,   304,
+     305,   306,   307,   308,   309,   310,   311,   312,   313,   314,
+     315,   316,   317,   318,   319,   320,   321,   322,   323,   324,
+     325,   326,   327,   328,   329,   330,   331,   332,   333,   334,
+     335,   336,   337,   338,   339,   340,   341,   342,   343,   344,
+      59,    44,    40,    41,   123,   125,    91,    93
+};
+# endif
+
+/* YYR1[YYN] -- Symbol number of symbol that rule YYN derives.  */
+static const yytype_uint8 yyr1[] =
+{
+       0,    98,    99,   100,   100,   100,   100,   101,   101,   102,
+     102,   103,   103,   104,   104,   105,   105,   106,   107,   107,
+     108,   108,   109,   109,   110,   111,   111,   111,   112,   112,
+     112,   112,   112,   112,   112,   112,   112,   112,   112,   112,
+     112,   112,   113,   114,   114,   114,   114,   115,   115,   115,
+     116,   116,   116,   117,   118,   119,   120,   120,   121,   122,
+     123,   124,   124,   125,   125,   126,   127,   127,   128,   129,
+     130,   130,   131,   132,   132,   133,   134,   135,   136,   136,
+     137,   137,   137,   138,   139,   140,   141,   141,   141,   141,
+     142,   142,   142,   143,   144,   145,   145,   145,   145,   145,
+     145,   145,   146,   146,   146,   147,   148,   148,   148,   149,
+     149,   150,   151,   151,   152,   153,   153,   154,   154,   154,
+     155,   155,   156,   156,   156,   156,   156,   157,   158,   159,
+     160,   161,   161,   162,   163,   164,   165
+};
+
+/* YYR2[YYN] -- Number of symbols composing right hand side of rule YYN.  */
+static const yytype_uint8 yyr2[] =
+{
+       0,     2,     9,     2,     2,     2,     0,     2,     0,     2,
+       0,     3,     0,     1,     0,     1,     2,     4,     1,     2,
+       1,     1,     3,     1,     3,     1,     1,     1,     1,     1,
+       1,     1,     1,     1,     1,     1,     1,     1,     1,     1,
+       1,     1,     1,     5,     5,     5,     3,     1,     2,     4,
+       1,     3,     3,     4,     4,     1,     2,     5,     2,     3,
+       1,     0,     2,     4,     3,     4,     4,     3,     3,     4,
+       1,     1,     1,     1,     1,     2,     3,     1,     1,     1,
+       2,     3,     5,     4,     3,     4,     0,     1,     1,     1,
+       0,     1,     1,     4,     1,     1,     1,     1,     1,     1,
+       1,     1,     1,     3,     3,     2,     1,     2,     3,     1,
+       3,     4,     1,     0,     3,     0,     2,     4,     1,     1,
+       1,     1,     1,     1,     1,     1,     1,     1,     1,     1,
+       1,     1,     1,     1,     1,     1,     1
+};
+
+/* YYDEFACT[STATE-NAME] -- Default rule to reduce with in state
+   STATE-NUM when YYTABLE doesn't specify something else to do.  Zero
+   means the default is an error.  */
+static const yytype_uint8 yydefact[] =
+{
+       0,   113,     0,   115,     0,   112,     1,   118,   119,     0,
+     115,     6,     0,   114,   116,     0,     0,     0,     8,     0,
+       5,     3,     4,     0,     0,   117,     7,     0,    10,    14,
+       0,     0,    23,     0,    13,    15,     0,     2,     0,     9,
+      18,    20,    21,     0,    11,    16,     0,     0,   100,    42,
+       0,     0,    95,    73,    99,    47,    60,     0,     0,    97,
+      61,     0,    74,    96,   101,    98,     0,    72,    86,     0,
+      25,    29,    33,    32,    28,    35,    36,    34,    37,    38,
+      39,    40,    31,    26,    70,    71,    27,    41,    90,    30,
+      94,    19,    22,   113,    56,     0,     0,     0,     0,    48,
+      58,    61,     0,     0,     0,     0,     0,    24,    88,    89,
+      87,     0,     0,     0,    75,    91,    92,     0,    17,     0,
+       0,     0,   106,   102,     0,    55,    50,     0,   132,     0,
+     135,   131,   129,   130,   134,   136,     0,   120,   121,   127,
+     128,   123,   122,   124,   133,   126,   125,     0,    59,    62,
+      64,     0,     0,    68,    67,     0,     0,    93,     0,     0,
+       0,     0,    77,    78,    79,    84,     0,     0,   109,   105,
+       0,    69,     0,   107,     0,     0,    54,     0,     0,    46,
+      49,    63,    65,    66,    85,     0,    80,     0,    76,     0,
+       0,    57,   104,   103,   108,     0,    52,    51,     0,     0,
+       0,     0,     0,    81,     0,   110,    53,    45,    44,    43,
+      83,     0,   111,    82
+};
+
+/* YYDEFGOTO[NTERM-NUM].  */
+static const yytype_int16 yydefgoto[] =
+{
+      -1,     2,    18,    24,    30,    31,    33,    34,    35,    39,
+      40,    36,    41,    69,    70,    71,    99,    72,   125,   126,
+      73,   127,    74,    75,    76,    77,   104,    78,    79,    80,
+      81,    82,    83,    84,    85,    86,   114,   161,   162,   163,
+     164,    87,    88,   111,   117,    42,    89,    90,   121,   122,
+     123,   167,   168,     4,   135,     9,    10,   136,   137,   138,
+     139,   140,   141,   142,   143,   144,   145,   146
+};
+
+/* YYPACT[STATE-NUM] -- Index in YYTABLE of the portion describing
+   STATE-NUM.  */
+#define YYPACT_NINF -113
+static const yytype_int16 yypact[] =
+{
+     -74,   -67,    38,   -69,    23,  -113,  -113,   -44,  -113,   -41,
+     -69,     4,   -26,  -113,  -113,    -3,     1,    10,    52,   -10,
+    -113,  -113,  -113,    45,    13,  -113,  -113,    77,   -35,    15,
+      64,    19,    17,    20,    15,  -113,    85,  -113,    25,  -113,
+      19,  -113,  -113,    15,  -113,  -113,    27,    47,  -113,  -113,
+      26,    29,  -113,  -113,  -113,   -30,  -113,    89,    61,  -113,
+     -57,   -47,  -113,  -113,  -113,  -113,    82,  -113,    -4,   -68,
+    -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,
+    -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,   -17,  -113,
+    -113,  -113,  -113,   -67,    35,    33,    46,    51,    46,  -113,
+    -113,    69,    44,   -73,    88,    82,   -72,    56,  -113,  -113,
+    -113,    49,    93,     7,  -113,  -113,  -113,    82,  -113,    58,
+      82,   -76,   -13,  -113,    57,    59,  -113,    60,  -113,    68,
+    -113,  -113,  -113,  -113,  -113,  -113,   -75,  -113,  -113,  -113,
+    -113,  -113,  -113,  -113,  -113,  -113,  -113,   -63,  -113,  -113,
+    -113,   -62,    82,    56,  -113,   -46,    65,  -113,   141,    82,
+     142,    63,  -113,  -113,  -113,    56,    66,   -38,  -113,    56,
+     -16,  -113,    93,  -113,    76,    -7,  -113,    93,    81,  -113,
+    -113,  -113,    56,  -113,  -113,    72,   -19,    93,  -113,    83,
+      58,  -113,  -113,  -113,  -113,    78,  -113,  -113,    80,    84,
+      87,    62,   162,  -113,    90,  -113,  -113,  -113,  -113,  -113,
+    -113,    93,  -113,  -113
+};
+
+/* YYPGOTO[NTERM-NUM].  */
+static const yytype_int16 yypgoto[] =
+{
+    -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,   150,   136,
+    -113,   143,  -113,   -65,  -113,  -113,    86,  -113,    91,    16,
+    -113,  -113,  -113,  -113,  -113,  -113,    92,  -113,  -113,  -113,
+    -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,
+    -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,   -60,  -113,
+      22,  -113,    -5,    97,     2,   184,  -113,  -112,  -113,  -113,
+    -113,  -113,  -113,  -113,  -113,    21,  -113,  -113
+};
+
+/* YYTABLE[YYPACT[STATE-NUM]].  What to do in state STATE-NUM.  If
+   positive, shift that token.  If negative, reduce the rule which
+   number is the opposite.  If zero, do what YYDEFACT says.
+   If YYTABLE_NINF, syntax error.  */
+#define YYTABLE_NINF -13
+static const yytype_int16 yytable[] =
+{
+     157,   107,   108,     5,   202,    29,   105,   172,   178,   102,
+     115,    15,     1,   120,   120,   170,   112,     7,   179,   171,
+       8,   116,   150,   154,   113,   158,   159,     3,   175,   170,
+     160,    16,   180,   181,    47,    48,    49,   103,     6,    50,
+     153,   173,    17,   151,    11,   170,   155,   106,    12,   183,
+      51,   -12,   165,   190,    13,   169,   109,   191,    52,    53,
+     194,    54,    97,    19,    98,   198,   200,    20,    55,   192,
+     120,    21,   110,   113,    56,   203,    57,    58,   196,   124,
+      22,    23,   128,    25,    26,    28,    59,   182,    37,    60,
+      61,    47,    48,    49,   186,     5,    50,    27,   129,   213,
+     130,    32,    62,    63,    64,    38,    65,    51,    43,    66,
+      44,    67,   128,    93,    94,    52,    53,    46,    54,   120,
+      95,    68,   131,    96,   128,    55,   100,   199,   101,   119,
+     130,    56,   124,    57,    58,   102,    97,   132,   156,   133,
+     134,   152,   130,    59,   166,     3,    60,    61,   113,   174,
+     175,   177,   131,   185,   187,   176,   188,   210,   189,    62,
+      63,    64,   184,    65,   131,   134,   201,   132,    67,   133,
+     134,   206,   204,   207,   211,     3,    91,   208,    68,   132,
+     209,   133,   134,   212,    45,   205,    92,     3,   149,   147,
+     118,   197,   193,   148,    14,   195
+};
+
+static const yytype_uint8 yycheck[] =
+{
+     112,    66,     6,     1,    23,    40,    53,    20,    83,    66,
+      27,     7,    86,    86,    86,    91,    84,    86,    93,    95,
+      89,    38,    95,    95,    92,    18,    19,    94,    91,    91,
+      23,    27,    95,    95,     9,    10,    11,    94,     0,    14,
+     105,    54,    38,   103,    21,    91,   106,    94,    92,    95,
+      25,    86,   117,    91,    95,   120,    60,    95,    33,    34,
+     172,    36,    92,    89,    94,   177,   178,    70,    43,    85,
+      86,    70,    76,    92,    49,   187,    51,    52,    85,    86,
+      70,    29,    31,    93,    39,     8,    61,   152,    24,    64,
+      65,     9,    10,    11,   159,    93,    14,    84,    47,   211,
+      49,    86,    77,    78,    79,    86,    81,    25,    91,    84,
+      90,    86,    31,    86,    67,    33,    34,    32,    36,    86,
+      94,    96,    71,    94,    31,    43,    37,    46,    67,    94,
+      49,    49,    86,    51,    52,    66,    92,    86,    89,    88,
+      89,    53,    49,    61,    86,    94,    64,    65,    92,    92,
+      91,    83,    71,    12,    12,    95,    93,    95,    92,    77,
+      78,    79,    97,    81,    71,    89,    94,    86,    86,    88,
+      89,    93,    89,    93,    12,    94,    40,    93,    96,    86,
+      93,    88,    89,    93,    34,   190,    43,    94,   102,    98,
+      93,   175,   170,   101,    10,   174
+};
+
+/* YYSTOS[STATE-NUM] -- The (internal number of the) accessing
+   symbol of state STATE-NUM.  */
+static const yytype_uint8 yystos[] =
+{
+       0,    86,    99,    94,   151,   152,     0,    86,    89,   153,
+     154,    21,    92,    95,   153,     7,    27,    38,   100,    89,
+      70,    70,    70,    29,   101,    93,    39,    84,     8,    40,
+     102,   103,    86,   104,   105,   106,   109,    24,    86,   107,
+     108,   110,   143,    91,    90,   106,    32,     9,    10,    11,
+      14,    25,    33,    34,    36,    43,    49,    51,    52,    61,
+      64,    65,    77,    78,    79,    81,    84,    86,    96,   111,
+     112,   113,   115,   118,   120,   121,   122,   123,   125,   126,
+     127,   128,   129,   130,   131,   132,   133,   139,   140,   144,
+     145,   107,   109,    86,    67,    94,    94,    92,    94,   114,
+      37,    67,    66,    94,   124,    53,    94,   111,     6,    60,
+      76,   141,    84,    92,   134,    27,    38,   142,   151,    94,
+      86,   146,   147,   148,    86,   116,   117,   119,    31,    47,
+      49,    71,    86,    88,    89,   152,   155,   156,   157,   158,
+     159,   160,   161,   162,   163,   164,   165,   116,   124,   114,
+      95,   146,    53,   111,    95,   146,    89,   155,    18,    19,
+      23,   135,   136,   137,   138,   111,    86,   149,   150,   111,
+      91,    95,    20,    54,    92,    91,    95,    83,    83,    93,
+      95,    95,   111,    95,    97,    12,   111,    12,    93,    92,
+      91,    95,    85,   148,   155,   163,    85,   117,   155,    46,
+     155,    94,    23,   155,    89,   150,    93,    93,    93,    93,
+      95,    12,    93,   155
+};
+
+#define yyerrok		(yyerrstatus = 0)
+#define yyclearin	(yychar = YYEMPTY)
+#define YYEMPTY		(-2)
+#define YYEOF		0
+
+#define YYACCEPT	goto yyacceptlab
+#define YYABORT		goto yyabortlab
+#define YYERROR		goto yyerrorlab
+
+
+/* Like YYERROR except do call yyerror.  This remains here temporarily
+   to ease the transition to the new meaning of YYERROR, for GCC.
+   Once GCC version 2 has supplanted version 1, this can go.  */
+
+#define YYFAIL		goto yyerrlab
+
+#define YYRECOVERING()  (!!yyerrstatus)
+
+#define YYBACKUP(Token, Value)					\
+do								\
+  if (yychar == YYEMPTY && yylen == 1)				\
+    {								\
+      yychar = (Token);						\
+      yylval = (Value);						\
+      yytoken = YYTRANSLATE (yychar);				\
+      YYPOPSTACK (1);						\
+      goto yybackup;						\
+    }								\
+  else								\
+    {								\
+      yyerror (YY_("syntax error: cannot back up")); \
+      YYERROR;							\
+    }								\
+while (YYID (0))
+
+
+#define YYTERROR	1
+#define YYERRCODE	256
+
+
+/* YYLLOC_DEFAULT -- Set CURRENT to span from RHS[1] to RHS[N].
+   If N is 0, then set CURRENT to the empty location which ends
+   the previous symbol: RHS[0] (always defined).  */
+
+#define YYRHSLOC(Rhs, K) ((Rhs)[K])
+#ifndef YYLLOC_DEFAULT
+# define YYLLOC_DEFAULT(Current, Rhs, N)				\
+    do									\
+      if (YYID (N))                                                    \
+	{								\
+	  (Current).first_line   = YYRHSLOC (Rhs, 1).first_line;	\
+	  (Current).first_column = YYRHSLOC (Rhs, 1).first_column;	\
+	  (Current).last_line    = YYRHSLOC (Rhs, N).last_line;		\
+	  (Current).last_column  = YYRHSLOC (Rhs, N).last_column;	\
+	}								\
+      else								\
+	{								\
+	  (Current).first_line   = (Current).last_line   =		\
+	    YYRHSLOC (Rhs, 0).last_line;				\
+	  (Current).first_column = (Current).last_column =		\
+	    YYRHSLOC (Rhs, 0).last_column;				\
+	}								\
+    while (YYID (0))
+#endif
+
+
+/* YY_LOCATION_PRINT -- Print the location on the stream.
+   This macro was not mandated originally: define only if we know
+   we won't break user code: when these are the locations we know.  */
+
+#ifndef YY_LOCATION_PRINT
+# if defined YYLTYPE_IS_TRIVIAL && YYLTYPE_IS_TRIVIAL
+#  define YY_LOCATION_PRINT(File, Loc)			\
+     fprintf (File, "%d.%d-%d.%d",			\
+	      (Loc).first_line, (Loc).first_column,	\
+	      (Loc).last_line,  (Loc).last_column)
+# else
+#  define YY_LOCATION_PRINT(File, Loc) ((void) 0)
+# endif
+#endif
+
+
+/* YYLEX -- calling `yylex' with the right arguments.  */
+
+#ifdef YYLEX_PARAM
+# define YYLEX yylex (YYLEX_PARAM)
+#else
+# define YYLEX yylex ()
+#endif
+
+/* Enable debugging if requested.  */
+#if YYDEBUG
+
+# ifndef YYFPRINTF
+#  include <stdio.h> /* INFRINGES ON USER NAME SPACE */
+#  define YYFPRINTF fprintf
+# endif
+
+# define YYDPRINTF(Args)			\
+do {						\
+  if (yydebug)					\
+    YYFPRINTF Args;				\
+} while (YYID (0))
+
+# define YY_SYMBOL_PRINT(Title, Type, Value, Location)			  \
+do {									  \
+  if (yydebug)								  \
+    {									  \
+      YYFPRINTF (stderr, "%s ", Title);					  \
+      yy_symbol_print (stderr,						  \
+		  Type, Value); \
+      YYFPRINTF (stderr, "\n");						  \
+    }									  \
+} while (YYID (0))
+
+
+/*--------------------------------.
+| Print this symbol on YYOUTPUT.  |
+`--------------------------------*/
+
+/*ARGSUSED*/
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yy_symbol_value_print (FILE *yyoutput, int yytype, YYSTYPE const * const yyvaluep)
+#else
+static void
+yy_symbol_value_print (yyoutput, yytype, yyvaluep)
+    FILE *yyoutput;
+    int yytype;
+    YYSTYPE const * const yyvaluep;
+#endif
+{
+  if (!yyvaluep)
+    return;
+# ifdef YYPRINT
+  if (yytype < YYNTOKENS)
+    YYPRINT (yyoutput, yytoknum[yytype], *yyvaluep);
+# else
+  YYUSE (yyoutput);
+# endif
+  switch (yytype)
+    {
+      default:
+	break;
+    }
+}
+
+
+/*--------------------------------.
+| Print this symbol on YYOUTPUT.  |
+`--------------------------------*/
+
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yy_symbol_print (FILE *yyoutput, int yytype, YYSTYPE const * const yyvaluep)
+#else
+static void
+yy_symbol_print (yyoutput, yytype, yyvaluep)
+    FILE *yyoutput;
+    int yytype;
+    YYSTYPE const * const yyvaluep;
+#endif
+{
+  if (yytype < YYNTOKENS)
+    YYFPRINTF (yyoutput, "token %s (", yytname[yytype]);
+  else
+    YYFPRINTF (yyoutput, "nterm %s (", yytname[yytype]);
+
+  yy_symbol_value_print (yyoutput, yytype, yyvaluep);
+  YYFPRINTF (yyoutput, ")");
+}
+
+/*------------------------------------------------------------------.
+| yy_stack_print -- Print the state stack from its BOTTOM up to its |
+| TOP (included).                                                   |
+`------------------------------------------------------------------*/
+
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yy_stack_print (yytype_int16 *bottom, yytype_int16 *top)
+#else
+static void
+yy_stack_print (bottom, top)
+    yytype_int16 *bottom;
+    yytype_int16 *top;
+#endif
+{
+  YYFPRINTF (stderr, "Stack now");
+  for (; bottom <= top; ++bottom)
+    YYFPRINTF (stderr, " %d", *bottom);
+  YYFPRINTF (stderr, "\n");
+}
+
+# define YY_STACK_PRINT(Bottom, Top)				\
+do {								\
+  if (yydebug)							\
+    yy_stack_print ((Bottom), (Top));				\
+} while (YYID (0))
+
+
+/*------------------------------------------------.
+| Report that the YYRULE is going to be reduced.  |
+`------------------------------------------------*/
+
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yy_reduce_print (YYSTYPE *yyvsp, int yyrule)
+#else
+static void
+yy_reduce_print (yyvsp, yyrule)
+    YYSTYPE *yyvsp;
+    int yyrule;
+#endif
+{
+  int yynrhs = yyr2[yyrule];
+  int yyi;
+  unsigned long int yylno = yyrline[yyrule];
+  YYFPRINTF (stderr, "Reducing stack by rule %d (line %lu):\n",
+	     yyrule - 1, yylno);
+  /* The symbols being reduced.  */
+  for (yyi = 0; yyi < yynrhs; yyi++)
+    {
+      fprintf (stderr, "   $%d = ", yyi + 1);
+      yy_symbol_print (stderr, yyrhs[yyprhs[yyrule] + yyi],
+		       &(yyvsp[(yyi + 1) - (yynrhs)])
+		       		       );
+      fprintf (stderr, "\n");
+    }
+}
+
+# define YY_REDUCE_PRINT(Rule)		\
+do {					\
+  if (yydebug)				\
+    yy_reduce_print (yyvsp, Rule); \
+} while (YYID (0))
+
+/* Nonzero means print parse trace.  It is left uninitialized so that
+   multiple parsers can coexist.  */
+int yydebug;
+#else /* !YYDEBUG */
+# define YYDPRINTF(Args)
+# define YY_SYMBOL_PRINT(Title, Type, Value, Location)
+# define YY_STACK_PRINT(Bottom, Top)
+# define YY_REDUCE_PRINT(Rule)
+#endif /* !YYDEBUG */
+
+
+/* YYINITDEPTH -- initial size of the parser's stacks.  */
+#ifndef	YYINITDEPTH
+# define YYINITDEPTH 200
+#endif
+
+/* YYMAXDEPTH -- maximum size the stacks can grow to (effective only
+   if the built-in stack extension method is used).
+
+   Do not make this value too large; the results are undefined if
+   YYSTACK_ALLOC_MAXIMUM < YYSTACK_BYTES (YYMAXDEPTH)
+   evaluated with infinite-precision integer arithmetic.  */
+
+#ifndef YYMAXDEPTH
+# define YYMAXDEPTH 10000
+#endif
+
+
+
+#if YYERROR_VERBOSE
+
+# ifndef yystrlen
+#  if defined __GLIBC__ && defined _STRING_H
+#   define yystrlen strlen
+#  else
+/* Return the length of YYSTR.  */
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static YYSIZE_T
+yystrlen (const char *yystr)
+#else
+static YYSIZE_T
+yystrlen (yystr)
+    const char *yystr;
+#endif
+{
+  YYSIZE_T yylen;
+  for (yylen = 0; yystr[yylen]; yylen++)
+    continue;
+  return yylen;
+}
+#  endif
+# endif
+
+# ifndef yystpcpy
+#  if defined __GLIBC__ && defined _STRING_H && defined _GNU_SOURCE
+#   define yystpcpy stpcpy
+#  else
+/* Copy YYSRC to YYDEST, returning the address of the terminating '\0' in
+   YYDEST.  */
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static char *
+yystpcpy (char *yydest, const char *yysrc)
+#else
+static char *
+yystpcpy (yydest, yysrc)
+    char *yydest;
+    const char *yysrc;
+#endif
+{
+  char *yyd = yydest;
+  const char *yys = yysrc;
+
+  while ((*yyd++ = *yys++) != '\0')
+    continue;
+
+  return yyd - 1;
+}
+#  endif
+# endif
+
+# ifndef yytnamerr
+/* Copy to YYRES the contents of YYSTR after stripping away unnecessary
+   quotes and backslashes, so that it's suitable for yyerror.  The
+   heuristic is that double-quoting is unnecessary unless the string
+   contains an apostrophe, a comma, or backslash (other than
+   backslash-backslash).  YYSTR is taken from yytname.  If YYRES is
+   null, do not copy; instead, return the length of what the result
+   would have been.  */
+static YYSIZE_T
+yytnamerr (char *yyres, const char *yystr)
+{
+  if (*yystr == '"')
+    {
+      YYSIZE_T yyn = 0;
+      char const *yyp = yystr;
+
+      for (;;)
+	switch (*++yyp)
+	  {
+	  case '\'':
+	  case ',':
+	    goto do_not_strip_quotes;
+
+	  case '\\':
+	    if (*++yyp != '\\')
+	      goto do_not_strip_quotes;
+	    /* Fall through.  */
+	  default:
+	    if (yyres)
+	      yyres[yyn] = *yyp;
+	    yyn++;
+	    break;
+
+	  case '"':
+	    if (yyres)
+	      yyres[yyn] = '\0';
+	    return yyn;
+	  }
+    do_not_strip_quotes: ;
+    }
+
+  if (! yyres)
+    return yystrlen (yystr);
+
+  return yystpcpy (yyres, yystr) - yyres;
+}
+# endif
+
+/* Copy into YYRESULT an error message about the unexpected token
+   YYCHAR while in state YYSTATE.  Return the number of bytes copied,
+   including the terminating null byte.  If YYRESULT is null, do not
+   copy anything; just return the number of bytes that would be
+   copied.  As a special case, return 0 if an ordinary "syntax error"
+   message will do.  Return YYSIZE_MAXIMUM if overflow occurs during
+   size calculation.  */
+static YYSIZE_T
+yysyntax_error (char *yyresult, int yystate, int yychar)
+{
+  int yyn = yypact[yystate];
+
+  if (! (YYPACT_NINF < yyn && yyn <= YYLAST))
+    return 0;
+  else
+    {
+      int yytype = YYTRANSLATE (yychar);
+      YYSIZE_T yysize0 = yytnamerr (0, yytname[yytype]);
+      YYSIZE_T yysize = yysize0;
+      YYSIZE_T yysize1;
+      int yysize_overflow = 0;
+      enum { YYERROR_VERBOSE_ARGS_MAXIMUM = 5 };
+      char const *yyarg[YYERROR_VERBOSE_ARGS_MAXIMUM];
+      int yyx;
+
+# if 0
+      /* This is so xgettext sees the translatable formats that are
+	 constructed on the fly.  */
+      YY_("syntax error, unexpected %s");
+      YY_("syntax error, unexpected %s, expecting %s");
+      YY_("syntax error, unexpected %s, expecting %s or %s");
+      YY_("syntax error, unexpected %s, expecting %s or %s or %s");
+      YY_("syntax error, unexpected %s, expecting %s or %s or %s or %s");
+# endif
+      char *yyfmt;
+      char const *yyf;
+      static char const yyunexpected[] = "syntax error, unexpected %s";
+      static char const yyexpecting[] = ", expecting %s";
+      static char const yyor[] = " or %s";
+      char yyformat[sizeof yyunexpected
+		    + sizeof yyexpecting - 1
+		    + ((YYERROR_VERBOSE_ARGS_MAXIMUM - 2)
+		       * (sizeof yyor - 1))];
+      char const *yyprefix = yyexpecting;
+
+      /* Start YYX at -YYN if negative to avoid negative indexes in
+	 YYCHECK.  */
+      int yyxbegin = yyn < 0 ? -yyn : 0;
+
+      /* Stay within bounds of both yycheck and yytname.  */
+      int yychecklim = YYLAST - yyn + 1;
+      int yyxend = yychecklim < YYNTOKENS ? yychecklim : YYNTOKENS;
+      int yycount = 1;
+
+      yyarg[0] = yytname[yytype];
+      yyfmt = yystpcpy (yyformat, yyunexpected);
+
+      for (yyx = yyxbegin; yyx < yyxend; ++yyx)
+	if (yycheck[yyx + yyn] == yyx && yyx != YYTERROR)
+	  {
+	    if (yycount == YYERROR_VERBOSE_ARGS_MAXIMUM)
+	      {
+		yycount = 1;
+		yysize = yysize0;
+		yyformat[sizeof yyunexpected - 1] = '\0';
+		break;
+	      }
+	    yyarg[yycount++] = yytname[yyx];
+	    yysize1 = yysize + yytnamerr (0, yytname[yyx]);
+	    yysize_overflow |= (yysize1 < yysize);
+	    yysize = yysize1;
+	    yyfmt = yystpcpy (yyfmt, yyprefix);
+	    yyprefix = yyor;
+	  }
+
+      yyf = YY_(yyformat);
+      yysize1 = yysize + yystrlen (yyf);
+      yysize_overflow |= (yysize1 < yysize);
+      yysize = yysize1;
+
+      if (yysize_overflow)
+	return YYSIZE_MAXIMUM;
+
+      if (yyresult)
+	{
+	  /* Avoid sprintf, as that infringes on the user's name space.
+	     Don't have undefined behavior even if the translation
+	     produced a string with the wrong number of "%s"s.  */
+	  char *yyp = yyresult;
+	  int yyi = 0;
+	  while ((*yyp = *yyf) != '\0')
+	    {
+	      if (*yyp == '%' && yyf[1] == 's' && yyi < yycount)
+		{
+		  yyp += yytnamerr (yyp, yyarg[yyi++]);
+		  yyf += 2;
+		}
+	      else
+		{
+		  yyp++;
+		  yyf++;
+		}
+	    }
+	}
+      return yysize;
+    }
+}
+#endif /* YYERROR_VERBOSE */
+
+
+/*-----------------------------------------------.
+| Release the memory associated to this symbol.  |
+`-----------------------------------------------*/
+
+/*ARGSUSED*/
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yydestruct (const char *yymsg, int yytype, YYSTYPE *yyvaluep)
+#else
+static void
+yydestruct (yymsg, yytype, yyvaluep)
+    const char *yymsg;
+    int yytype;
+    YYSTYPE *yyvaluep;
+#endif
+{
+  YYUSE (yyvaluep);
+
+  if (!yymsg)
+    yymsg = "Deleting";
+  YY_SYMBOL_PRINT (yymsg, yytype, yyvaluep, yylocationp);
+
+  switch (yytype)
+    {
+
+      default:
+	break;
+    }
+}
+
+
+/* Prevent warnings from -Wmissing-prototypes.  */
+
+#ifdef YYPARSE_PARAM
+#if defined __STDC__ || defined __cplusplus
+int yyparse (void *YYPARSE_PARAM);
+#else
+int yyparse ();
+#endif
+#else /* ! YYPARSE_PARAM */
+#if defined __STDC__ || defined __cplusplus
+int yyparse (void);
+#else
+int yyparse ();
+#endif
+#endif /* ! YYPARSE_PARAM */
+
+
+
+/* The look-ahead symbol.  */
+int yychar;
+
+/* The semantic value of the look-ahead symbol.  */
+YYSTYPE yylval;
+
+/* Number of syntax errors so far.  */
+int yynerrs;
+
+
+
+/*----------.
+| yyparse.  |
+`----------*/
+
+#ifdef YYPARSE_PARAM
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+int
+yyparse (void *YYPARSE_PARAM)
+#else
+int
+yyparse (YYPARSE_PARAM)
+    void *YYPARSE_PARAM;
+#endif
+#else /* ! YYPARSE_PARAM */
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+int
+yyparse (void)
+#else
+int
+yyparse ()
+
+#endif
+#endif
+{
+  
+  int yystate;
+  int yyn;
+  int yyresult;
+  /* Number of tokens to shift before error messages enabled.  */
+  int yyerrstatus;
+  /* Look-ahead token as an internal (translated) token number.  */
+  int yytoken = 0;
+#if YYERROR_VERBOSE
+  /* Buffer for error messages, and its allocated size.  */
+  char yymsgbuf[128];
+  char *yymsg = yymsgbuf;
+  YYSIZE_T yymsg_alloc = sizeof yymsgbuf;
+#endif
+
+  /* Three stacks and their tools:
+     `yyss': related to states,
+     `yyvs': related to semantic values,
+     `yyls': related to locations.
+
+     Refer to the stacks thru separate pointers, to allow yyoverflow
+     to reallocate them elsewhere.  */
+
+  /* The state stack.  */
+  yytype_int16 yyssa[YYINITDEPTH];
+  yytype_int16 *yyss = yyssa;
+  yytype_int16 *yyssp;
+
+  /* The semantic value stack.  */
+  YYSTYPE yyvsa[YYINITDEPTH];
+  YYSTYPE *yyvs = yyvsa;
+  YYSTYPE *yyvsp;
+
+
+
+#define YYPOPSTACK(N)   (yyvsp -= (N), yyssp -= (N))
+
+  YYSIZE_T yystacksize = YYINITDEPTH;
+
+  /* The variables used to return semantic value and location from the
+     action routines.  */
+  YYSTYPE yyval;
+
+
+  /* The number of symbols on the RHS of the reduced rule.
+     Keep to zero when no symbol should be popped.  */
+  int yylen = 0;
+
+  YYDPRINTF ((stderr, "Starting parse\n"));
+
+  yystate = 0;
+  yyerrstatus = 0;
+  yynerrs = 0;
+  yychar = YYEMPTY;		/* Cause a token to be read.  */
+
+  /* Initialize stack pointers.
+     Waste one element of value and location stack
+     so that they stay on the same level as the state stack.
+     The wasted elements are never initialized.  */
+
+  yyssp = yyss;
+  yyvsp = yyvs;
+
+  goto yysetstate;
+
+/*------------------------------------------------------------.
+| yynewstate -- Push a new state, which is found in yystate.  |
+`------------------------------------------------------------*/
+ yynewstate:
+  /* In all cases, when you get here, the value and location stacks
+     have just been pushed.  So pushing a state here evens the stacks.  */
+  yyssp++;
+
+ yysetstate:
+  *yyssp = yystate;
+
+  if (yyss + yystacksize - 1 <= yyssp)
+    {
+      /* Get the current used size of the three stacks, in elements.  */
+      YYSIZE_T yysize = yyssp - yyss + 1;
+
+#ifdef yyoverflow
+      {
+	/* Give user a chance to reallocate the stack.  Use copies of
+	   these so that the &'s don't force the real ones into
+	   memory.  */
+	YYSTYPE *yyvs1 = yyvs;
+	yytype_int16 *yyss1 = yyss;
+
+
+	/* Each stack pointer address is followed by the size of the
+	   data in use in that stack, in bytes.  This used to be a
+	   conditional around just the two extra args, but that might
+	   be undefined if yyoverflow is a macro.  */
+	yyoverflow (YY_("memory exhausted"),
+		    &yyss1, yysize * sizeof (*yyssp),
+		    &yyvs1, yysize * sizeof (*yyvsp),
+
+		    &yystacksize);
+
+	yyss = yyss1;
+	yyvs = yyvs1;
+      }
+#else /* no yyoverflow */
+# ifndef YYSTACK_RELOCATE
+      goto yyexhaustedlab;
+# else
+      /* Extend the stack our own way.  */
+      if (YYMAXDEPTH <= yystacksize)
+	goto yyexhaustedlab;
+      yystacksize *= 2;
+      if (YYMAXDEPTH < yystacksize)
+	yystacksize = YYMAXDEPTH;
+
+      {
+	yytype_int16 *yyss1 = yyss;
+	union yyalloc *yyptr =
+	  (union yyalloc *) YYSTACK_ALLOC (YYSTACK_BYTES (yystacksize));
+	if (! yyptr)
+	  goto yyexhaustedlab;
+	YYSTACK_RELOCATE (yyss);
+	YYSTACK_RELOCATE (yyvs);
+
+#  undef YYSTACK_RELOCATE
+	if (yyss1 != yyssa)
+	  YYSTACK_FREE (yyss1);
+      }
+# endif
+#endif /* no yyoverflow */
+
+      yyssp = yyss + yysize - 1;
+      yyvsp = yyvs + yysize - 1;
+
+
+      YYDPRINTF ((stderr, "Stack size increased to %lu\n",
+		  (unsigned long int) yystacksize));
+
+      if (yyss + yystacksize - 1 <= yyssp)
+	YYABORT;
+    }
+
+  YYDPRINTF ((stderr, "Entering state %d\n", yystate));
+
+  goto yybackup;
+
+/*-----------.
+| yybackup.  |
+`-----------*/
+yybackup:
+
+  /* Do appropriate processing given the current state.  Read a
+     look-ahead token if we need one and don't already have one.  */
+
+  /* First try to decide what to do without reference to look-ahead token.  */
+  yyn = yypact[yystate];
+  if (yyn == YYPACT_NINF)
+    goto yydefault;
+
+  /* Not known => get a look-ahead token if don't already have one.  */
+
+  /* YYCHAR is either YYEMPTY or YYEOF or a valid look-ahead symbol.  */
+  if (yychar == YYEMPTY)
+    {
+      YYDPRINTF ((stderr, "Reading a token: "));
+      yychar = YYLEX;
+    }
+
+  if (yychar <= YYEOF)
+    {
+      yychar = yytoken = YYEOF;
+      YYDPRINTF ((stderr, "Now at end of input.\n"));
+    }
+  else
+    {
+      yytoken = YYTRANSLATE (yychar);
+      YY_SYMBOL_PRINT ("Next token is", yytoken, &yylval, &yylloc);
+    }
+
+  /* If the proper action on seeing token YYTOKEN is to reduce or to
+     detect an error, take that action.  */
+  yyn += yytoken;
+  if (yyn < 0 || YYLAST < yyn || yycheck[yyn] != yytoken)
+    goto yydefault;
+  yyn = yytable[yyn];
+  if (yyn <= 0)
+    {
+      if (yyn == 0 || yyn == YYTABLE_NINF)
+	goto yyerrlab;
+      yyn = -yyn;
+      goto yyreduce;
+    }
+
+  if (yyn == YYFINAL)
+    YYACCEPT;
+
+  /* Count tokens shifted since error; after three, turn off error
+     status.  */
+  if (yyerrstatus)
+    yyerrstatus--;
+
+  /* Shift the look-ahead token.  */
+  YY_SYMBOL_PRINT ("Shifting", yytoken, &yylval, &yylloc);
+
+  /* Discard the shifted token unless it is eof.  */
+  if (yychar != YYEOF)
+    yychar = YYEMPTY;
+
+  yystate = yyn;
+  *++yyvsp = yylval;
+
+  goto yynewstate;
+
+
+/*-----------------------------------------------------------.
+| yydefault -- do the default action for the current state.  |
+`-----------------------------------------------------------*/
+yydefault:
+  yyn = yydefact[yystate];
+  if (yyn == 0)
+    goto yyerrlab;
+  goto yyreduce;
+
+
+/*-----------------------------.
+| yyreduce -- Do a reduction.  |
+`-----------------------------*/
+yyreduce:
+  /* yyn is the number of a rule to reduce with.  */
+  yylen = yyr2[yyn];
+
+  /* If YYLEN is nonzero, implement the default value of the action:
+     `$$ = $1'.
+
+     Otherwise, the following line sets YYVAL to garbage.
+     This behavior is undocumented and Bison
+     users should not rely upon it.  Assigning to YYVAL
+     unconditionally makes the parser a bit smaller, and it avoids a
+     GCC warning that YYVAL may be used uninitialized.  */
+  yyval = yyvsp[1-yylen];
+
+
+  YY_REDUCE_PRINT (yyn);
+  switch (yyn)
+    {
+        case 2:
+#line 235 "parse.y"
+    {
+			checkundefined();
+		}
+    break;
+
+  case 4:
+#line 242 "parse.y"
+    { error_message("implicit tagging is not supported"); }
+    break;
+
+  case 5:
+#line 244 "parse.y"
+    { error_message("automatic tagging is not supported"); }
+    break;
+
+  case 7:
+#line 249 "parse.y"
+    { error_message("no extensibility options supported"); }
+    break;
+
+  case 17:
+#line 270 "parse.y"
+    { 
+		    struct string_list *sl;
+		    for(sl = (yyvsp[(1) - (4)].sl); sl != NULL; sl = sl->next) {
+			Symbol *s = addsym(sl->string);
+			s->stype = Stype;
+		    }
+		    add_import((yyvsp[(3) - (4)].name));
+		}
+    break;
+
+  case 22:
+#line 289 "parse.y"
+    {
+		    (yyval.sl) = emalloc(sizeof(*(yyval.sl)));
+		    (yyval.sl)->string = (yyvsp[(1) - (3)].name);
+		    (yyval.sl)->next = (yyvsp[(3) - (3)].sl);
+		}
+    break;
+
+  case 23:
+#line 295 "parse.y"
+    {
+		    (yyval.sl) = emalloc(sizeof(*(yyval.sl)));
+		    (yyval.sl)->string = (yyvsp[(1) - (1)].name);
+		    (yyval.sl)->next = NULL;
+		}
+    break;
+
+  case 24:
+#line 303 "parse.y"
+    {
+		    Symbol *s = addsym ((yyvsp[(1) - (3)].name));
+		    s->stype = Stype;
+		    s->type = (yyvsp[(3) - (3)].type);
+		    fix_labels(s);
+		    generate_type (s);
+		}
+    break;
+
+  case 42:
+#line 334 "parse.y"
+    {
+			(yyval.type) = new_tag(ASN1_C_UNIV, UT_Boolean, 
+				     TE_EXPLICIT, new_type(TBoolean));
+		}
+    break;
+
+  case 43:
+#line 341 "parse.y"
+    {
+		    if((yyvsp[(2) - (5)].value)->type != integervalue)
+			error_message("Non-integer used in first part of range");
+		    if((yyvsp[(2) - (5)].value)->type != integervalue)
+			error_message("Non-integer in second part of range");
+		    (yyval.range) = ecalloc(1, sizeof(*(yyval.range)));
+		    (yyval.range)->min = (yyvsp[(2) - (5)].value)->u.integervalue;
+		    (yyval.range)->max = (yyvsp[(4) - (5)].value)->u.integervalue;
+		}
+    break;
+
+  case 44:
+#line 351 "parse.y"
+    {		
+		    if((yyvsp[(2) - (5)].value)->type != integervalue)
+			error_message("Non-integer in first part of range");
+		    (yyval.range) = ecalloc(1, sizeof(*(yyval.range)));
+		    (yyval.range)->min = (yyvsp[(2) - (5)].value)->u.integervalue;
+		    (yyval.range)->max = (yyvsp[(2) - (5)].value)->u.integervalue - 1;
+		}
+    break;
+
+  case 45:
+#line 359 "parse.y"
+    {		
+		    if((yyvsp[(4) - (5)].value)->type != integervalue)
+			error_message("Non-integer in second part of range");
+		    (yyval.range) = ecalloc(1, sizeof(*(yyval.range)));
+		    (yyval.range)->min = (yyvsp[(4) - (5)].value)->u.integervalue + 2;
+		    (yyval.range)->max = (yyvsp[(4) - (5)].value)->u.integervalue;
+		}
+    break;
+
+  case 46:
+#line 367 "parse.y"
+    {
+		    if((yyvsp[(2) - (3)].value)->type != integervalue)
+			error_message("Non-integer used in limit");
+		    (yyval.range) = ecalloc(1, sizeof(*(yyval.range)));
+		    (yyval.range)->min = (yyvsp[(2) - (3)].value)->u.integervalue;
+		    (yyval.range)->max = (yyvsp[(2) - (3)].value)->u.integervalue;
+		}
+    break;
+
+  case 47:
+#line 378 "parse.y"
+    {
+			(yyval.type) = new_tag(ASN1_C_UNIV, UT_Integer, 
+				     TE_EXPLICIT, new_type(TInteger));
+		}
+    break;
+
+  case 48:
+#line 383 "parse.y"
+    {
+			(yyval.type) = new_type(TInteger);
+			(yyval.type)->range = (yyvsp[(2) - (2)].range);
+			(yyval.type) = new_tag(ASN1_C_UNIV, UT_Integer, TE_EXPLICIT, (yyval.type));
+		}
+    break;
+
+  case 49:
+#line 389 "parse.y"
+    {
+		  (yyval.type) = new_type(TInteger);
+		  (yyval.type)->members = (yyvsp[(3) - (4)].members);
+		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Integer, TE_EXPLICIT, (yyval.type));
+		}
+    break;
+
+  case 50:
+#line 397 "parse.y"
+    {
+			(yyval.members) = emalloc(sizeof(*(yyval.members)));
+			ASN1_TAILQ_INIT((yyval.members));
+			ASN1_TAILQ_INSERT_HEAD((yyval.members), (yyvsp[(1) - (1)].member), members);
+		}
+    break;
+
+  case 51:
+#line 403 "parse.y"
+    {
+			ASN1_TAILQ_INSERT_TAIL((yyvsp[(1) - (3)].members), (yyvsp[(3) - (3)].member), members);
+			(yyval.members) = (yyvsp[(1) - (3)].members);
+		}
+    break;
+
+  case 52:
+#line 408 "parse.y"
+    { (yyval.members) = (yyvsp[(1) - (3)].members); }
+    break;
+
+  case 53:
+#line 412 "parse.y"
+    {
+			(yyval.member) = emalloc(sizeof(*(yyval.member)));
+			(yyval.member)->name = (yyvsp[(1) - (4)].name);
+			(yyval.member)->gen_name = estrdup((yyvsp[(1) - (4)].name));
+			output_name ((yyval.member)->gen_name);
+			(yyval.member)->val = (yyvsp[(3) - (4)].constant);
+			(yyval.member)->optional = 0;
+			(yyval.member)->ellipsis = 0;
+			(yyval.member)->type = NULL;
+		}
+    break;
+
+  case 54:
+#line 425 "parse.y"
+    {
+		  (yyval.type) = new_type(TInteger);
+		  (yyval.type)->members = (yyvsp[(3) - (4)].members);
+		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Enumerated, TE_EXPLICIT, (yyval.type));
+		}
+    break;
+
+  case 56:
+#line 436 "parse.y"
+    {
+		  (yyval.type) = new_type(TBitString);
+		  (yyval.type)->members = emalloc(sizeof(*(yyval.type)->members));
+		  ASN1_TAILQ_INIT((yyval.type)->members);
+		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_BitString, TE_EXPLICIT, (yyval.type));
+		}
+    break;
+
+  case 57:
+#line 443 "parse.y"
+    {
+		  (yyval.type) = new_type(TBitString);
+		  (yyval.type)->members = (yyvsp[(4) - (5)].members);
+		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_BitString, TE_EXPLICIT, (yyval.type));
+		}
+    break;
+
+  case 58:
+#line 451 "parse.y"
+    {
+			(yyval.type) = new_tag(ASN1_C_UNIV, UT_OID, 
+				     TE_EXPLICIT, new_type(TOID));
+		}
+    break;
+
+  case 59:
+#line 457 "parse.y"
+    {
+		    Type *t = new_type(TOctetString);
+		    t->range = (yyvsp[(3) - (3)].range);
+		    (yyval.type) = new_tag(ASN1_C_UNIV, UT_OctetString, 
+				 TE_EXPLICIT, t);
+		}
+    break;
+
+  case 60:
+#line 466 "parse.y"
+    {
+			(yyval.type) = new_tag(ASN1_C_UNIV, UT_Null, 
+				     TE_EXPLICIT, new_type(TNull));
+		}
+    break;
+
+  case 61:
+#line 473 "parse.y"
+    { (yyval.range) = NULL; }
+    break;
+
+  case 62:
+#line 475 "parse.y"
+    { (yyval.range) = (yyvsp[(2) - (2)].range); }
+    break;
+
+  case 63:
+#line 480 "parse.y"
+    {
+		  (yyval.type) = new_type(TSequence);
+		  (yyval.type)->members = (yyvsp[(3) - (4)].members);
+		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, (yyval.type));
+		}
+    break;
+
+  case 64:
+#line 486 "parse.y"
+    {
+		  (yyval.type) = new_type(TSequence);
+		  (yyval.type)->members = NULL;
+		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, (yyval.type));
+		}
+    break;
+
+  case 65:
+#line 494 "parse.y"
+    {
+		  (yyval.type) = new_type(TSequenceOf);
+		  (yyval.type)->range = (yyvsp[(2) - (4)].range);
+		  (yyval.type)->subtype = (yyvsp[(4) - (4)].type);
+		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, (yyval.type));
+		}
+    break;
+
+  case 66:
+#line 503 "parse.y"
+    {
+		  (yyval.type) = new_type(TSet);
+		  (yyval.type)->members = (yyvsp[(3) - (4)].members);
+		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Set, TE_EXPLICIT, (yyval.type));
+		}
+    break;
+
+  case 67:
+#line 509 "parse.y"
+    {
+		  (yyval.type) = new_type(TSet);
+		  (yyval.type)->members = NULL;
+		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Set, TE_EXPLICIT, (yyval.type));
+		}
+    break;
+
+  case 68:
+#line 517 "parse.y"
+    {
+		  (yyval.type) = new_type(TSetOf);
+		  (yyval.type)->subtype = (yyvsp[(3) - (3)].type);
+		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Set, TE_EXPLICIT, (yyval.type));
+		}
+    break;
+
+  case 69:
+#line 525 "parse.y"
+    {
+		  (yyval.type) = new_type(TChoice);
+		  (yyval.type)->members = (yyvsp[(3) - (4)].members);
+		}
+    break;
+
+  case 72:
+#line 536 "parse.y"
+    {
+		  Symbol *s = addsym((yyvsp[(1) - (1)].name));
+		  (yyval.type) = new_type(TType);
+		  if(s->stype != Stype && s->stype != SUndefined)
+		    error_message ("%s is not a type\n", (yyvsp[(1) - (1)].name));
+		  else
+		    (yyval.type)->symbol = s;
+		}
+    break;
+
+  case 73:
+#line 547 "parse.y"
+    {
+			(yyval.type) = new_tag(ASN1_C_UNIV, UT_GeneralizedTime, 
+				     TE_EXPLICIT, new_type(TGeneralizedTime));
+		}
+    break;
+
+  case 74:
+#line 552 "parse.y"
+    {
+			(yyval.type) = new_tag(ASN1_C_UNIV, UT_UTCTime, 
+				     TE_EXPLICIT, new_type(TUTCTime));
+		}
+    break;
+
+  case 75:
+#line 559 "parse.y"
+    {
+		    /* if (Constraint.type == contentConstrant) {
+		       assert(Constraint.u.constraint.type == octetstring|bitstring-w/o-NamedBitList); // remember to check type reference too
+		       if (Constraint.u.constraint.type) {
+		         assert((Constraint.u.constraint.type.length % 8) == 0);
+		       }
+		      }
+		      if (Constraint.u.constraint.encoding) {
+		        type == der-oid|ber-oid
+		      }
+		    */
+		}
+    break;
+
+  case 76:
+#line 575 "parse.y"
+    {
+		    (yyval.constraint_spec) = (yyvsp[(2) - (3)].constraint_spec);
+		}
+    break;
+
+  case 80:
+#line 588 "parse.y"
+    {
+		    (yyval.constraint_spec) = new_constraint_spec(CT_CONTENTS);
+		    (yyval.constraint_spec)->u.content.type = (yyvsp[(2) - (2)].type);
+		    (yyval.constraint_spec)->u.content.encoding = NULL;
+		}
+    break;
+
+  case 81:
+#line 594 "parse.y"
+    {
+		    if ((yyvsp[(3) - (3)].value)->type != objectidentifiervalue)
+			error_message("Non-OID used in ENCODED BY constraint");
+		    (yyval.constraint_spec) = new_constraint_spec(CT_CONTENTS);
+		    (yyval.constraint_spec)->u.content.type = NULL;
+		    (yyval.constraint_spec)->u.content.encoding = (yyvsp[(3) - (3)].value);
+		}
+    break;
+
+  case 82:
+#line 602 "parse.y"
+    {
+		    if ((yyvsp[(5) - (5)].value)->type != objectidentifiervalue)
+			error_message("Non-OID used in ENCODED BY constraint");
+		    (yyval.constraint_spec) = new_constraint_spec(CT_CONTENTS);
+		    (yyval.constraint_spec)->u.content.type = (yyvsp[(2) - (5)].type);
+		    (yyval.constraint_spec)->u.content.encoding = (yyvsp[(5) - (5)].value);
+		}
+    break;
+
+  case 83:
+#line 612 "parse.y"
+    {
+		    (yyval.constraint_spec) = new_constraint_spec(CT_USER);
+		}
+    break;
+
+  case 84:
+#line 618 "parse.y"
+    {
+			(yyval.type) = new_type(TTag);
+			(yyval.type)->tag = (yyvsp[(1) - (3)].tag);
+			(yyval.type)->tag.tagenv = (yyvsp[(2) - (3)].constant);
+			if((yyvsp[(3) - (3)].type)->type == TTag && (yyvsp[(2) - (3)].constant) == TE_IMPLICIT) {
+				(yyval.type)->subtype = (yyvsp[(3) - (3)].type)->subtype;
+				free((yyvsp[(3) - (3)].type));
+			} else
+				(yyval.type)->subtype = (yyvsp[(3) - (3)].type);
+		}
+    break;
+
+  case 85:
+#line 631 "parse.y"
+    {
+			(yyval.tag).tagclass = (yyvsp[(2) - (4)].constant);
+			(yyval.tag).tagvalue = (yyvsp[(3) - (4)].constant);
+			(yyval.tag).tagenv = TE_EXPLICIT;
+		}
+    break;
+
+  case 86:
+#line 639 "parse.y"
+    {
+			(yyval.constant) = ASN1_C_CONTEXT;
+		}
+    break;
+
+  case 87:
+#line 643 "parse.y"
+    {
+			(yyval.constant) = ASN1_C_UNIV;
+		}
+    break;
+
+  case 88:
+#line 647 "parse.y"
+    {
+			(yyval.constant) = ASN1_C_APPL;
+		}
+    break;
+
+  case 89:
+#line 651 "parse.y"
+    {
+			(yyval.constant) = ASN1_C_PRIVATE;
+		}
+    break;
+
+  case 90:
+#line 657 "parse.y"
+    {
+			(yyval.constant) = TE_EXPLICIT;
+		}
+    break;
+
+  case 91:
+#line 661 "parse.y"
+    {
+			(yyval.constant) = TE_EXPLICIT;
+		}
+    break;
+
+  case 92:
+#line 665 "parse.y"
+    {
+			(yyval.constant) = TE_IMPLICIT;
+		}
+    break;
+
+  case 93:
+#line 672 "parse.y"
+    {
+			Symbol *s;
+			s = addsym ((yyvsp[(1) - (4)].name));
+
+			s->stype = SValue;
+			s->value = (yyvsp[(4) - (4)].value);
+			generate_constant (s);
+		}
+    break;
+
+  case 95:
+#line 686 "parse.y"
+    {
+			(yyval.type) = new_tag(ASN1_C_UNIV, UT_GeneralString, 
+				     TE_EXPLICIT, new_type(TGeneralString));
+		}
+    break;
+
+  case 96:
+#line 691 "parse.y"
+    {
+			(yyval.type) = new_tag(ASN1_C_UNIV, UT_UTF8String, 
+				     TE_EXPLICIT, new_type(TUTF8String));
+		}
+    break;
+
+  case 97:
+#line 696 "parse.y"
+    {
+			(yyval.type) = new_tag(ASN1_C_UNIV, UT_PrintableString, 
+				     TE_EXPLICIT, new_type(TPrintableString));
+		}
+    break;
+
+  case 98:
+#line 701 "parse.y"
+    {
+			(yyval.type) = new_tag(ASN1_C_UNIV, UT_VisibleString, 
+				     TE_EXPLICIT, new_type(TVisibleString));
+		}
+    break;
+
+  case 99:
+#line 706 "parse.y"
+    {
+			(yyval.type) = new_tag(ASN1_C_UNIV, UT_IA5String, 
+				     TE_EXPLICIT, new_type(TIA5String));
+		}
+    break;
+
+  case 100:
+#line 711 "parse.y"
+    {
+			(yyval.type) = new_tag(ASN1_C_UNIV, UT_BMPString, 
+				     TE_EXPLICIT, new_type(TBMPString));
+		}
+    break;
+
+  case 101:
+#line 716 "parse.y"
+    {
+			(yyval.type) = new_tag(ASN1_C_UNIV, UT_UniversalString, 
+				     TE_EXPLICIT, new_type(TUniversalString));
+		}
+    break;
+
+  case 102:
+#line 724 "parse.y"
+    {
+			(yyval.members) = emalloc(sizeof(*(yyval.members)));
+			ASN1_TAILQ_INIT((yyval.members));
+			ASN1_TAILQ_INSERT_HEAD((yyval.members), (yyvsp[(1) - (1)].member), members);
+		}
+    break;
+
+  case 103:
+#line 730 "parse.y"
+    {
+			ASN1_TAILQ_INSERT_TAIL((yyvsp[(1) - (3)].members), (yyvsp[(3) - (3)].member), members);
+			(yyval.members) = (yyvsp[(1) - (3)].members);
+		}
+    break;
+
+  case 104:
+#line 735 "parse.y"
+    {
+		        struct member *m = ecalloc(1, sizeof(*m));
+			m->name = estrdup("...");
+			m->gen_name = estrdup("asn1_ellipsis");
+			m->ellipsis = 1;
+			ASN1_TAILQ_INSERT_TAIL((yyvsp[(1) - (3)].members), m, members);
+			(yyval.members) = (yyvsp[(1) - (3)].members);
+		}
+    break;
+
+  case 105:
+#line 746 "parse.y"
+    {
+		  (yyval.member) = emalloc(sizeof(*(yyval.member)));
+		  (yyval.member)->name = (yyvsp[(1) - (2)].name);
+		  (yyval.member)->gen_name = estrdup((yyvsp[(1) - (2)].name));
+		  output_name ((yyval.member)->gen_name);
+		  (yyval.member)->type = (yyvsp[(2) - (2)].type);
+		  (yyval.member)->ellipsis = 0;
+		}
+    break;
+
+  case 106:
+#line 757 "parse.y"
+    {
+			(yyval.member) = (yyvsp[(1) - (1)].member);
+			(yyval.member)->optional = 0;
+			(yyval.member)->defval = NULL;
+		}
+    break;
+
+  case 107:
+#line 763 "parse.y"
+    {
+			(yyval.member) = (yyvsp[(1) - (2)].member);
+			(yyval.member)->optional = 1;
+			(yyval.member)->defval = NULL;
+		}
+    break;
+
+  case 108:
+#line 769 "parse.y"
+    {
+			(yyval.member) = (yyvsp[(1) - (3)].member);
+			(yyval.member)->optional = 0;
+			(yyval.member)->defval = (yyvsp[(3) - (3)].value);
+		}
+    break;
+
+  case 109:
+#line 777 "parse.y"
+    {
+			(yyval.members) = emalloc(sizeof(*(yyval.members)));
+			ASN1_TAILQ_INIT((yyval.members));
+			ASN1_TAILQ_INSERT_HEAD((yyval.members), (yyvsp[(1) - (1)].member), members);
+		}
+    break;
+
+  case 110:
+#line 783 "parse.y"
+    {
+			ASN1_TAILQ_INSERT_TAIL((yyvsp[(1) - (3)].members), (yyvsp[(3) - (3)].member), members);
+			(yyval.members) = (yyvsp[(1) - (3)].members);
+		}
+    break;
+
+  case 111:
+#line 790 "parse.y"
+    {
+		  (yyval.member) = emalloc(sizeof(*(yyval.member)));
+		  (yyval.member)->name = (yyvsp[(1) - (4)].name);
+		  (yyval.member)->gen_name = estrdup((yyvsp[(1) - (4)].name));
+		  output_name ((yyval.member)->gen_name);
+		  (yyval.member)->val = (yyvsp[(3) - (4)].constant);
+		  (yyval.member)->optional = 0;
+		  (yyval.member)->ellipsis = 0;
+		  (yyval.member)->type = NULL;
+		}
+    break;
+
+  case 113:
+#line 803 "parse.y"
+    { (yyval.objid) = NULL; }
+    break;
+
+  case 114:
+#line 807 "parse.y"
+    {
+			(yyval.objid) = (yyvsp[(2) - (3)].objid);
+		}
+    break;
+
+  case 115:
+#line 813 "parse.y"
+    {
+			(yyval.objid) = NULL;
+		}
+    break;
+
+  case 116:
+#line 817 "parse.y"
+    {
+		        if ((yyvsp[(2) - (2)].objid)) {
+				(yyval.objid) = (yyvsp[(2) - (2)].objid);
+				add_oid_to_tail((yyvsp[(2) - (2)].objid), (yyvsp[(1) - (2)].objid));
+			} else {
+				(yyval.objid) = (yyvsp[(1) - (2)].objid);
+			}
+		}
+    break;
+
+  case 117:
+#line 828 "parse.y"
+    {
+			(yyval.objid) = new_objid((yyvsp[(1) - (4)].name), (yyvsp[(3) - (4)].constant));
+		}
+    break;
+
+  case 118:
+#line 832 "parse.y"
+    {
+		    Symbol *s = addsym((yyvsp[(1) - (1)].name));
+		    if(s->stype != SValue ||
+		       s->value->type != objectidentifiervalue) {
+			error_message("%s is not an object identifier\n", 
+				      s->name);
+			exit(1);
+		    }
+		    (yyval.objid) = s->value->u.objectidentifiervalue;
+		}
+    break;
+
+  case 119:
+#line 843 "parse.y"
+    {
+		    (yyval.objid) = new_objid(NULL, (yyvsp[(1) - (1)].constant));
+		}
+    break;
+
+  case 129:
+#line 866 "parse.y"
+    {
+			Symbol *s = addsym((yyvsp[(1) - (1)].name));
+			if(s->stype != SValue)
+				error_message ("%s is not a value\n",
+						s->name);
+			else
+				(yyval.value) = s->value;
+		}
+    break;
+
+  case 130:
+#line 877 "parse.y"
+    {
+			(yyval.value) = emalloc(sizeof(*(yyval.value)));
+			(yyval.value)->type = stringvalue;
+			(yyval.value)->u.stringvalue = (yyvsp[(1) - (1)].name);
+		}
+    break;
+
+  case 131:
+#line 885 "parse.y"
+    {
+			(yyval.value) = emalloc(sizeof(*(yyval.value)));
+			(yyval.value)->type = booleanvalue;
+			(yyval.value)->u.booleanvalue = 0;
+		}
+    break;
+
+  case 132:
+#line 891 "parse.y"
+    {
+			(yyval.value) = emalloc(sizeof(*(yyval.value)));
+			(yyval.value)->type = booleanvalue;
+			(yyval.value)->u.booleanvalue = 0;
+		}
+    break;
+
+  case 133:
+#line 899 "parse.y"
+    {
+			(yyval.value) = emalloc(sizeof(*(yyval.value)));
+			(yyval.value)->type = integervalue;
+			(yyval.value)->u.integervalue = (yyvsp[(1) - (1)].constant);
+		}
+    break;
+
+  case 135:
+#line 910 "parse.y"
+    {
+		}
+    break;
+
+  case 136:
+#line 915 "parse.y"
+    {
+			(yyval.value) = emalloc(sizeof(*(yyval.value)));
+			(yyval.value)->type = objectidentifiervalue;
+			(yyval.value)->u.objectidentifiervalue = (yyvsp[(1) - (1)].objid);
+		}
+    break;
+
+
+/* Line 1267 of yacc.c.  */
+#line 2523 "parse.c"
+      default: break;
+    }
+  YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
+
+  YYPOPSTACK (yylen);
+  yylen = 0;
+  YY_STACK_PRINT (yyss, yyssp);
+
+  *++yyvsp = yyval;
+
+
+  /* Now `shift' the result of the reduction.  Determine what state
+     that goes to, based on the state we popped back to and the rule
+     number reduced by.  */
+
+  yyn = yyr1[yyn];
+
+  yystate = yypgoto[yyn - YYNTOKENS] + *yyssp;
+  if (0 <= yystate && yystate <= YYLAST && yycheck[yystate] == *yyssp)
+    yystate = yytable[yystate];
+  else
+    yystate = yydefgoto[yyn - YYNTOKENS];
+
+  goto yynewstate;
+
+
+/*------------------------------------.
+| yyerrlab -- here on detecting error |
+`------------------------------------*/
+yyerrlab:
+  /* If not already recovering from an error, report this error.  */
+  if (!yyerrstatus)
+    {
+      ++yynerrs;
+#if ! YYERROR_VERBOSE
+      yyerror (YY_("syntax error"));
+#else
+      {
+	YYSIZE_T yysize = yysyntax_error (0, yystate, yychar);
+	if (yymsg_alloc < yysize && yymsg_alloc < YYSTACK_ALLOC_MAXIMUM)
+	  {
+	    YYSIZE_T yyalloc = 2 * yysize;
+	    if (! (yysize <= yyalloc && yyalloc <= YYSTACK_ALLOC_MAXIMUM))
+	      yyalloc = YYSTACK_ALLOC_MAXIMUM;
+	    if (yymsg != yymsgbuf)
+	      YYSTACK_FREE (yymsg);
+	    yymsg = (char *) YYSTACK_ALLOC (yyalloc);
+	    if (yymsg)
+	      yymsg_alloc = yyalloc;
+	    else
+	      {
+		yymsg = yymsgbuf;
+		yymsg_alloc = sizeof yymsgbuf;
+	      }
+	  }
+
+	if (0 < yysize && yysize <= yymsg_alloc)
+	  {
+	    (void) yysyntax_error (yymsg, yystate, yychar);
+	    yyerror (yymsg);
+	  }
+	else
+	  {
+	    yyerror (YY_("syntax error"));
+	    if (yysize != 0)
+	      goto yyexhaustedlab;
+	  }
+      }
+#endif
+    }
+
+
+
+  if (yyerrstatus == 3)
+    {
+      /* If just tried and failed to reuse look-ahead token after an
+	 error, discard it.  */
+
+      if (yychar <= YYEOF)
+	{
+	  /* Return failure if at end of input.  */
+	  if (yychar == YYEOF)
+	    YYABORT;
+	}
+      else
+	{
+	  yydestruct ("Error: discarding",
+		      yytoken, &yylval);
+	  yychar = YYEMPTY;
+	}
+    }
+
+  /* Else will try to reuse look-ahead token after shifting the error
+     token.  */
+  goto yyerrlab1;
+
+
+/*---------------------------------------------------.
+| yyerrorlab -- error raised explicitly by YYERROR.  |
+`---------------------------------------------------*/
+yyerrorlab:
+
+  /* Pacify compilers like GCC when the user code never invokes
+     YYERROR and the label yyerrorlab therefore never appears in user
+     code.  */
+  if (/*CONSTCOND*/ 0)
+     goto yyerrorlab;
+
+  /* Do not reclaim the symbols of the rule which action triggered
+     this YYERROR.  */
+  YYPOPSTACK (yylen);
+  yylen = 0;
+  YY_STACK_PRINT (yyss, yyssp);
+  yystate = *yyssp;
+  goto yyerrlab1;
+
+
+/*-------------------------------------------------------------.
+| yyerrlab1 -- common code for both syntax error and YYERROR.  |
+`-------------------------------------------------------------*/
+yyerrlab1:
+  yyerrstatus = 3;	/* Each real token shifted decrements this.  */
+
+  for (;;)
+    {
+      yyn = yypact[yystate];
+      if (yyn != YYPACT_NINF)
+	{
+	  yyn += YYTERROR;
+	  if (0 <= yyn && yyn <= YYLAST && yycheck[yyn] == YYTERROR)
+	    {
+	      yyn = yytable[yyn];
+	      if (0 < yyn)
+		break;
+	    }
+	}
+
+      /* Pop the current state because it cannot handle the error token.  */
+      if (yyssp == yyss)
+	YYABORT;
+
+
+      yydestruct ("Error: popping",
+		  yystos[yystate], yyvsp);
+      YYPOPSTACK (1);
+      yystate = *yyssp;
+      YY_STACK_PRINT (yyss, yyssp);
+    }
+
+  if (yyn == YYFINAL)
+    YYACCEPT;
+
+  *++yyvsp = yylval;
+
+
+  /* Shift the error token.  */
+  YY_SYMBOL_PRINT ("Shifting", yystos[yyn], yyvsp, yylsp);
+
+  yystate = yyn;
+  goto yynewstate;
+
+
+/*-------------------------------------.
+| yyacceptlab -- YYACCEPT comes here.  |
+`-------------------------------------*/
+yyacceptlab:
+  yyresult = 0;
+  goto yyreturn;
+
+/*-----------------------------------.
+| yyabortlab -- YYABORT comes here.  |
+`-----------------------------------*/
+yyabortlab:
+  yyresult = 1;
+  goto yyreturn;
+
+#ifndef yyoverflow
+/*-------------------------------------------------.
+| yyexhaustedlab -- memory exhaustion comes here.  |
+`-------------------------------------------------*/
+yyexhaustedlab:
+  yyerror (YY_("memory exhausted"));
+  yyresult = 2;
+  /* Fall through.  */
+#endif
+
+yyreturn:
+  if (yychar != YYEOF && yychar != YYEMPTY)
+     yydestruct ("Cleanup: discarding lookahead",
+		 yytoken, &yylval);
+  /* Do not reclaim the symbols of the rule which action triggered
+     this YYABORT or YYACCEPT.  */
+  YYPOPSTACK (yylen);
+  YY_STACK_PRINT (yyss, yyssp);
+  while (yyssp != yyss)
+    {
+      yydestruct ("Cleanup: popping",
+		  yystos[*yyssp], yyvsp);
+      YYPOPSTACK (1);
+    }
+#ifndef yyoverflow
+  if (yyss != yyssa)
+    YYSTACK_FREE (yyss);
+#endif
+#if YYERROR_VERBOSE
+  if (yymsg != yymsgbuf)
+    YYSTACK_FREE (yymsg);
+#endif
+  /* Make sure YYID is used.  */
+  return YYID (yyresult);
+}
+
+
+#line 922 "parse.y"
+
+
+void
+yyerror (const char *s)
+{
+     error_message ("%s\n", s);
+}
+
+static Type *
+new_tag(int tagclass, int tagvalue, int tagenv, Type *oldtype)
+{
+    Type *t;
+    if(oldtype->type == TTag && oldtype->tag.tagenv == TE_IMPLICIT) {
+	t = oldtype;
+	oldtype = oldtype->subtype; /* XXX */
+    } else
+	t = new_type (TTag);
+    
+    t->tag.tagclass = tagclass;
+    t->tag.tagvalue = tagvalue;
+    t->tag.tagenv = tagenv;
+    t->subtype = oldtype;
+    return t;
+}
+
+static struct objid *
+new_objid(const char *label, int value)
+{
+    struct objid *s;
+    s = emalloc(sizeof(*s));
+    s->label = label;
+    s->value = value;
+    s->next = NULL;
+    return s;
+}
+
+static void
+add_oid_to_tail(struct objid *head, struct objid *tail)
+{
+    struct objid *o;
+    o = head;
+    while (o->next)
+	o = o->next;
+    o->next = tail;
+}
+
+static Type *
+new_type (Typetype tt)
+{
+    Type *t = ecalloc(1, sizeof(*t));
+    t->type = tt;
+    return t;
+}
+
+static struct constraint_spec *
+new_constraint_spec(enum ctype ct)
+{
+    struct constraint_spec *c = ecalloc(1, sizeof(*c));
+    c->ctype = ct;
+    return c;
+}
+
+static void fix_labels2(Type *t, const char *prefix);
+static void fix_labels1(struct memhead *members, const char *prefix)
+{
+    Member *m;
+
+    if(members == NULL)
+	return;
+    ASN1_TAILQ_FOREACH(m, members, members) {
+	asprintf(&m->label, "%s_%s", prefix, m->gen_name);
+	if (m->label == NULL)
+	    errx(1, "malloc");
+	if(m->type != NULL)
+	    fix_labels2(m->type, m->label);
+    }
+}
+
+static void fix_labels2(Type *t, const char *prefix)
+{
+    for(; t; t = t->subtype)
+	fix_labels1(t->members, prefix);
+}
+
+static void
+fix_labels(Symbol *s)
+{
+    char *p;
+    asprintf(&p, "choice_%s", s->gen_name);
+    if (p == NULL)
+	errx(1, "malloc");
+    fix_labels2(s->type, p);
+    free(p);
+}
+
diff --git a/crypto/heimdal/lib/asn1/parse.h b/crypto/heimdal/lib/asn1/parse.h
new file mode 100644
index 0000000..45b06c5
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/parse.h
@@ -0,0 +1,249 @@
+/* A Bison parser, made by GNU Bison 2.3.  */
+
+/* Skeleton interface for Bison's Yacc-like parsers in C
+
+   Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
+   Free Software Foundation, Inc.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2, or (at your option)
+   any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin Street, Fifth Floor,
+   Boston, MA 02110-1301, USA.  */
+
+/* As a special exception, you may create a larger work that contains
+   part or all of the Bison parser skeleton and distribute that work
+   under terms of your choice, so long as that work isn't itself a
+   parser generator using the skeleton or a modified version thereof
+   as a parser skeleton.  Alternatively, if you modify or redistribute
+   the parser skeleton itself, you may (at your option) remove this
+   special exception, which will cause the skeleton and the resulting
+   Bison output files to be licensed under the GNU General Public
+   License without this special exception.
+
+   This special exception was added by the Free Software Foundation in
+   version 2.2 of Bison.  */
+
+/* Tokens.  */
+#ifndef YYTOKENTYPE
+# define YYTOKENTYPE
+   /* Put the tokens into the symbol table, so that GDB and other debuggers
+      know about them.  */
+   enum yytokentype {
+     kw_ABSENT = 258,
+     kw_ABSTRACT_SYNTAX = 259,
+     kw_ALL = 260,
+     kw_APPLICATION = 261,
+     kw_AUTOMATIC = 262,
+     kw_BEGIN = 263,
+     kw_BIT = 264,
+     kw_BMPString = 265,
+     kw_BOOLEAN = 266,
+     kw_BY = 267,
+     kw_CHARACTER = 268,
+     kw_CHOICE = 269,
+     kw_CLASS = 270,
+     kw_COMPONENT = 271,
+     kw_COMPONENTS = 272,
+     kw_CONSTRAINED = 273,
+     kw_CONTAINING = 274,
+     kw_DEFAULT = 275,
+     kw_DEFINITIONS = 276,
+     kw_EMBEDDED = 277,
+     kw_ENCODED = 278,
+     kw_END = 279,
+     kw_ENUMERATED = 280,
+     kw_EXCEPT = 281,
+     kw_EXPLICIT = 282,
+     kw_EXPORTS = 283,
+     kw_EXTENSIBILITY = 284,
+     kw_EXTERNAL = 285,
+     kw_FALSE = 286,
+     kw_FROM = 287,
+     kw_GeneralString = 288,
+     kw_GeneralizedTime = 289,
+     kw_GraphicString = 290,
+     kw_IA5String = 291,
+     kw_IDENTIFIER = 292,
+     kw_IMPLICIT = 293,
+     kw_IMPLIED = 294,
+     kw_IMPORTS = 295,
+     kw_INCLUDES = 296,
+     kw_INSTANCE = 297,
+     kw_INTEGER = 298,
+     kw_INTERSECTION = 299,
+     kw_ISO646String = 300,
+     kw_MAX = 301,
+     kw_MIN = 302,
+     kw_MINUS_INFINITY = 303,
+     kw_NULL = 304,
+     kw_NumericString = 305,
+     kw_OBJECT = 306,
+     kw_OCTET = 307,
+     kw_OF = 308,
+     kw_OPTIONAL = 309,
+     kw_ObjectDescriptor = 310,
+     kw_PATTERN = 311,
+     kw_PDV = 312,
+     kw_PLUS_INFINITY = 313,
+     kw_PRESENT = 314,
+     kw_PRIVATE = 315,
+     kw_PrintableString = 316,
+     kw_REAL = 317,
+     kw_RELATIVE_OID = 318,
+     kw_SEQUENCE = 319,
+     kw_SET = 320,
+     kw_SIZE = 321,
+     kw_STRING = 322,
+     kw_SYNTAX = 323,
+     kw_T61String = 324,
+     kw_TAGS = 325,
+     kw_TRUE = 326,
+     kw_TYPE_IDENTIFIER = 327,
+     kw_TeletexString = 328,
+     kw_UNION = 329,
+     kw_UNIQUE = 330,
+     kw_UNIVERSAL = 331,
+     kw_UTCTime = 332,
+     kw_UTF8String = 333,
+     kw_UniversalString = 334,
+     kw_VideotexString = 335,
+     kw_VisibleString = 336,
+     kw_WITH = 337,
+     RANGE = 338,
+     EEQUAL = 339,
+     ELLIPSIS = 340,
+     IDENTIFIER = 341,
+     referencename = 342,
+     STRING = 343,
+     NUMBER = 344
+   };
+#endif
+/* Tokens.  */
+#define kw_ABSENT 258
+#define kw_ABSTRACT_SYNTAX 259
+#define kw_ALL 260
+#define kw_APPLICATION 261
+#define kw_AUTOMATIC 262
+#define kw_BEGIN 263
+#define kw_BIT 264
+#define kw_BMPString 265
+#define kw_BOOLEAN 266
+#define kw_BY 267
+#define kw_CHARACTER 268
+#define kw_CHOICE 269
+#define kw_CLASS 270
+#define kw_COMPONENT 271
+#define kw_COMPONENTS 272
+#define kw_CONSTRAINED 273
+#define kw_CONTAINING 274
+#define kw_DEFAULT 275
+#define kw_DEFINITIONS 276
+#define kw_EMBEDDED 277
+#define kw_ENCODED 278
+#define kw_END 279
+#define kw_ENUMERATED 280
+#define kw_EXCEPT 281
+#define kw_EXPLICIT 282
+#define kw_EXPORTS 283
+#define kw_EXTENSIBILITY 284
+#define kw_EXTERNAL 285
+#define kw_FALSE 286
+#define kw_FROM 287
+#define kw_GeneralString 288
+#define kw_GeneralizedTime 289
+#define kw_GraphicString 290
+#define kw_IA5String 291
+#define kw_IDENTIFIER 292
+#define kw_IMPLICIT 293
+#define kw_IMPLIED 294
+#define kw_IMPORTS 295
+#define kw_INCLUDES 296
+#define kw_INSTANCE 297
+#define kw_INTEGER 298
+#define kw_INTERSECTION 299
+#define kw_ISO646String 300
+#define kw_MAX 301
+#define kw_MIN 302
+#define kw_MINUS_INFINITY 303
+#define kw_NULL 304
+#define kw_NumericString 305
+#define kw_OBJECT 306
+#define kw_OCTET 307
+#define kw_OF 308
+#define kw_OPTIONAL 309
+#define kw_ObjectDescriptor 310
+#define kw_PATTERN 311
+#define kw_PDV 312
+#define kw_PLUS_INFINITY 313
+#define kw_PRESENT 314
+#define kw_PRIVATE 315
+#define kw_PrintableString 316
+#define kw_REAL 317
+#define kw_RELATIVE_OID 318
+#define kw_SEQUENCE 319
+#define kw_SET 320
+#define kw_SIZE 321
+#define kw_STRING 322
+#define kw_SYNTAX 323
+#define kw_T61String 324
+#define kw_TAGS 325
+#define kw_TRUE 326
+#define kw_TYPE_IDENTIFIER 327
+#define kw_TeletexString 328
+#define kw_UNION 329
+#define kw_UNIQUE 330
+#define kw_UNIVERSAL 331
+#define kw_UTCTime 332
+#define kw_UTF8String 333
+#define kw_UniversalString 334
+#define kw_VideotexString 335
+#define kw_VisibleString 336
+#define kw_WITH 337
+#define RANGE 338
+#define EEQUAL 339
+#define ELLIPSIS 340
+#define IDENTIFIER 341
+#define referencename 342
+#define STRING 343
+#define NUMBER 344
+
+
+
+
+#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
+typedef union YYSTYPE
+#line 65 "parse.y"
+{
+    int constant;
+    struct value *value;
+    struct range *range;
+    char *name;
+    Type *type;
+    Member *member;
+    struct objid *objid;
+    char *defval;
+    struct string_list *sl;
+    struct tagtype tag;
+    struct memhead *members;
+    struct constraint_spec *constraint_spec;
+}
+/* Line 1529 of yacc.c.  */
+#line 242 "parse.h"
+	YYSTYPE;
+# define yystype YYSTYPE /* obsolescent; will be withdrawn */
+# define YYSTYPE_IS_DECLARED 1
+# define YYSTYPE_IS_TRIVIAL 1
+#endif
+
+extern YYSTYPE yylval;
+
diff --git a/crypto/heimdal/lib/asn1/parse.y b/crypto/heimdal/lib/asn1/parse.y
index fc78086..772f2b1 100644
--- a/crypto/heimdal/lib/asn1/parse.y
+++ b/crypto/heimdal/lib/asn1/parse.y
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: parse.y,v 1.19 2001/09/27 16:21:47 assar Exp $ */
+/* $Id: parse.y 21597 2007-07-16 18:48:58Z lha $ */
 
 %{
 #ifdef HAVE_CONFIG_H
@@ -43,221 +43,973 @@
 #include "symbol.h"
 #include "lex.h"
 #include "gen_locl.h"
+#include "der.h"
 
-RCSID("$Id: parse.y,v 1.19 2001/09/27 16:21:47 assar Exp $");
+RCSID("$Id: parse.y 21597 2007-07-16 18:48:58Z lha $");
 
 static Type *new_type (Typetype t);
-void yyerror (char *);
+static struct constraint_spec *new_constraint_spec(enum ctype);
+static Type *new_tag(int tagclass, int tagvalue, int tagenv, Type *oldtype);
+void yyerror (const char *);
+static struct objid *new_objid(const char *label, int value);
+static void add_oid_to_tail(struct objid *, struct objid *);
+static void fix_labels(Symbol *s);
 
-static void append (Member *l, Member *r);
+struct string_list {
+    char *string;
+    struct string_list *next;
+};
 
 %}
 
 %union {
-  int constant;
-  char *name;
-  Type *type;
-  Member *member;
+    int constant;
+    struct value *value;
+    struct range *range;
+    char *name;
+    Type *type;
+    Member *member;
+    struct objid *objid;
+    char *defval;
+    struct string_list *sl;
+    struct tagtype tag;
+    struct memhead *members;
+    struct constraint_spec *constraint_spec;
 }
 
-%token INTEGER SEQUENCE OF OCTET STRING GeneralizedTime GeneralString
-%token BIT APPLICATION OPTIONAL EEQUAL TBEGIN END DEFINITIONS ENUMERATED
-%token EXTERNAL
-%token DOTDOT
-%token IMPORTS FROM
-%token OBJECT IDENTIFIER
-%token <name> IDENT 
-%token <constant> CONSTANT
+%token kw_ABSENT
+%token kw_ABSTRACT_SYNTAX
+%token kw_ALL
+%token kw_APPLICATION
+%token kw_AUTOMATIC
+%token kw_BEGIN
+%token kw_BIT
+%token kw_BMPString
+%token kw_BOOLEAN
+%token kw_BY
+%token kw_CHARACTER
+%token kw_CHOICE
+%token kw_CLASS
+%token kw_COMPONENT
+%token kw_COMPONENTS
+%token kw_CONSTRAINED
+%token kw_CONTAINING
+%token kw_DEFAULT
+%token kw_DEFINITIONS
+%token kw_EMBEDDED
+%token kw_ENCODED
+%token kw_END
+%token kw_ENUMERATED
+%token kw_EXCEPT
+%token kw_EXPLICIT
+%token kw_EXPORTS
+%token kw_EXTENSIBILITY
+%token kw_EXTERNAL
+%token kw_FALSE
+%token kw_FROM
+%token kw_GeneralString
+%token kw_GeneralizedTime
+%token kw_GraphicString
+%token kw_IA5String
+%token kw_IDENTIFIER
+%token kw_IMPLICIT
+%token kw_IMPLIED
+%token kw_IMPORTS
+%token kw_INCLUDES
+%token kw_INSTANCE
+%token kw_INTEGER
+%token kw_INTERSECTION
+%token kw_ISO646String
+%token kw_MAX
+%token kw_MIN
+%token kw_MINUS_INFINITY
+%token kw_NULL
+%token kw_NumericString
+%token kw_OBJECT
+%token kw_OCTET
+%token kw_OF
+%token kw_OPTIONAL
+%token kw_ObjectDescriptor
+%token kw_PATTERN
+%token kw_PDV
+%token kw_PLUS_INFINITY
+%token kw_PRESENT
+%token kw_PRIVATE
+%token kw_PrintableString
+%token kw_REAL
+%token kw_RELATIVE_OID
+%token kw_SEQUENCE
+%token kw_SET
+%token kw_SIZE
+%token kw_STRING
+%token kw_SYNTAX
+%token kw_T61String
+%token kw_TAGS
+%token kw_TRUE
+%token kw_TYPE_IDENTIFIER
+%token kw_TeletexString
+%token kw_UNION
+%token kw_UNIQUE
+%token kw_UNIVERSAL
+%token kw_UTCTime
+%token kw_UTF8String
+%token kw_UniversalString
+%token kw_VideotexString
+%token kw_VisibleString
+%token kw_WITH
 
-%type <constant> constant optional2
-%type <type> type
-%type <member> memberdecls memberdecl bitdecls bitdecl
+%token RANGE
+%token EEQUAL
+%token ELLIPSIS
 
-%start envelope
+%token <name> IDENTIFIER  referencename
+%token <name> STRING
+
+%token <constant> NUMBER
+%type <constant> SignedNumber
+%type <constant> Class tagenv
+
+%type <value> Value
+%type <value> BuiltinValue
+%type <value> IntegerValue
+%type <value> BooleanValue
+%type <value> ObjectIdentifierValue
+%type <value> CharacterStringValue
+%type <value> NullValue
+%type <value> DefinedValue
+%type <value> ReferencedValue
+%type <value> Valuereference
+
+%type <type> Type
+%type <type> BuiltinType
+%type <type> BitStringType
+%type <type> BooleanType
+%type <type> ChoiceType
+%type <type> ConstrainedType
+%type <type> EnumeratedType
+%type <type> IntegerType
+%type <type> NullType
+%type <type> OctetStringType
+%type <type> SequenceType
+%type <type> SequenceOfType
+%type <type> SetType
+%type <type> SetOfType
+%type <type> TaggedType
+%type <type> ReferencedType
+%type <type> DefinedType
+%type <type> UsefulType
+%type <type> ObjectIdentifierType
+%type <type> CharacterStringType
+%type <type> RestrictedCharactedStringType
+
+%type <tag> Tag
+
+%type <member> ComponentType
+%type <member> NamedBit
+%type <member> NamedNumber
+%type <member> NamedType
+%type <members> ComponentTypeList 
+%type <members> Enumerations
+%type <members> NamedBitList
+%type <members> NamedNumberList
+
+%type <objid> objid objid_list objid_element objid_opt
+%type <range> range size
+
+%type <sl> referencenames
+
+%type <constraint_spec> Constraint
+%type <constraint_spec> ConstraintSpec
+%type <constraint_spec> GeneralConstraint
+%type <constraint_spec> ContentsConstraint
+%type <constraint_spec> UserDefinedConstraint
+
+
+
+%start ModuleDefinition
 
 %%
 
-envelope	: IDENT DEFINITIONS EEQUAL TBEGIN specification END {}
+ModuleDefinition: IDENTIFIER objid_opt kw_DEFINITIONS TagDefault ExtensionDefault
+			EEQUAL kw_BEGIN ModuleBody kw_END
+		{
+			checkundefined();
+		}
 		;
 
-specification	:
-		| specification declaration
+TagDefault	: kw_EXPLICIT kw_TAGS
+		| kw_IMPLICIT kw_TAGS
+		      { error_message("implicit tagging is not supported"); }
+		| kw_AUTOMATIC kw_TAGS
+		      { error_message("automatic tagging is not supported"); }
+		| /* empty */
 		;
 
-declaration	: imports_decl
-		| type_decl
-		| constant_decl
+ExtensionDefault: kw_EXTENSIBILITY kw_IMPLIED
+		      { error_message("no extensibility options supported"); }
+		| /* empty */
 		;
 
-referencenames	: IDENT ',' referencenames
-		{
-			Symbol *s = addsym($1);
+ModuleBody	: /* Exports */ Imports AssignmentList
+		| /* empty */
+		;
+
+Imports		: kw_IMPORTS SymbolsImported ';'
+		| /* empty */
+		;
+
+SymbolsImported	: SymbolsFromModuleList
+		| /* empty */
+		;
+
+SymbolsFromModuleList: SymbolsFromModule
+		| SymbolsFromModuleList SymbolsFromModule
+		;
+
+SymbolsFromModule: referencenames kw_FROM IDENTIFIER objid_opt
+		{ 
+		    struct string_list *sl;
+		    for(sl = $1; sl != NULL; sl = sl->next) {
+			Symbol *s = addsym(sl->string);
 			s->stype = Stype;
+		    }
+		    add_import($3);
+		}
+		;
+
+AssignmentList	: Assignment
+		| Assignment AssignmentList
+		;
+
+Assignment	: TypeAssignment
+		| ValueAssignment
+		;
+
+referencenames	: IDENTIFIER ',' referencenames
+		{
+		    $$ = emalloc(sizeof(*$$));
+		    $$->string = $1;
+		    $$->next = $3;
 		}
-		| IDENT
+		| IDENTIFIER
 		{
-			Symbol *s = addsym($1);
-			s->stype = Stype;
+		    $$ = emalloc(sizeof(*$$));
+		    $$->string = $1;
+		    $$->next = NULL;
+		}
+		;
+
+TypeAssignment	: IDENTIFIER EEQUAL Type
+		{
+		    Symbol *s = addsym ($1);
+		    s->stype = Stype;
+		    s->type = $3;
+		    fix_labels(s);
+		    generate_type (s);
 		}
 		;
 
-imports_decl	: IMPORTS referencenames FROM IDENT ';'
-		{ add_import($4); }
+Type		: BuiltinType
+		| ReferencedType
+		| ConstrainedType
 		;
 
-type_decl	: IDENT EEQUAL type
+BuiltinType	: BitStringType
+		| BooleanType
+		| CharacterStringType
+		| ChoiceType
+		| EnumeratedType
+		| IntegerType
+		| NullType
+		| ObjectIdentifierType
+		| OctetStringType
+		| SequenceType
+		| SequenceOfType
+		| SetType
+		| SetOfType
+		| TaggedType
+		;
+
+BooleanType	: kw_BOOLEAN
 		{
-		  Symbol *s = addsym ($1);
-		  s->stype = Stype;
-		  s->type = $3;
-		  generate_type (s);
+			$$ = new_tag(ASN1_C_UNIV, UT_Boolean, 
+				     TE_EXPLICIT, new_type(TBoolean));
 		}
 		;
 
-constant_decl	: IDENT type EEQUAL constant
+range		: '(' Value RANGE Value ')'
 		{
-		  Symbol *s = addsym ($1);
-		  s->stype = SConstant;
-		  s->constant = $4;
-		  generate_constant (s);
+		    if($2->type != integervalue)
+			error_message("Non-integer used in first part of range");
+		    if($2->type != integervalue)
+			error_message("Non-integer in second part of range");
+		    $$ = ecalloc(1, sizeof(*$$));
+		    $$->min = $2->u.integervalue;
+		    $$->max = $4->u.integervalue;
+		}
+		| '(' Value RANGE kw_MAX ')'
+		{		
+		    if($2->type != integervalue)
+			error_message("Non-integer in first part of range");
+		    $$ = ecalloc(1, sizeof(*$$));
+		    $$->min = $2->u.integervalue;
+		    $$->max = $2->u.integervalue - 1;
+		}
+		| '(' kw_MIN RANGE Value ')'
+		{		
+		    if($4->type != integervalue)
+			error_message("Non-integer in second part of range");
+		    $$ = ecalloc(1, sizeof(*$$));
+		    $$->min = $4->u.integervalue + 2;
+		    $$->max = $4->u.integervalue;
+		}
+		| '(' Value ')'
+		{
+		    if($2->type != integervalue)
+			error_message("Non-integer used in limit");
+		    $$ = ecalloc(1, sizeof(*$$));
+		    $$->min = $2->u.integervalue;
+		    $$->max = $2->u.integervalue;
 		}
 		;
 
-type		: INTEGER     { $$ = new_type(TInteger); }
-		| INTEGER '(' constant DOTDOT constant ')' {
-		    if($3 != 0)
-			error_message("Only 0 supported as low range");
-		    if($5 != INT_MIN && $5 != UINT_MAX && $5 != INT_MAX)
-			error_message("Only %u supported as high range",
-				      UINT_MAX);
-		    $$ = new_type(TUInteger);
+
+IntegerType	: kw_INTEGER
+		{
+			$$ = new_tag(ASN1_C_UNIV, UT_Integer, 
+				     TE_EXPLICIT, new_type(TInteger));
 		}
-                | INTEGER '{' bitdecls '}'
-                {
+		| kw_INTEGER range
+		{
 			$$ = new_type(TInteger);
-			$$->members = $3;
-                }
-		| OBJECT IDENTIFIER { $$ = new_type(TOID); }
-		| ENUMERATED '{' bitdecls '}'
+			$$->range = $2;
+			$$ = new_tag(ASN1_C_UNIV, UT_Integer, TE_EXPLICIT, $$);
+		}
+		| kw_INTEGER '{' NamedNumberList '}'
 		{
-			$$ = new_type(TEnumerated);
-			$$->members = $3;
+		  $$ = new_type(TInteger);
+		  $$->members = $3;
+		  $$ = new_tag(ASN1_C_UNIV, UT_Integer, TE_EXPLICIT, $$);
 		}
-		| OCTET STRING { $$ = new_type(TOctetString); }
-		| GeneralString { $$ = new_type(TGeneralString); }
-		| GeneralizedTime { $$ = new_type(TGeneralizedTime); }
-		| SEQUENCE OF type
+		;
+
+NamedNumberList	: NamedNumber
 		{
-		  $$ = new_type(TSequenceOf);
-		  $$->subtype = $3;
+			$$ = emalloc(sizeof(*$$));
+			ASN1_TAILQ_INIT($$);
+			ASN1_TAILQ_INSERT_HEAD($$, $1, members);
 		}
-		| SEQUENCE '{' memberdecls '}'
+		| NamedNumberList ',' NamedNumber
 		{
-		  $$ = new_type(TSequence);
+			ASN1_TAILQ_INSERT_TAIL($1, $3, members);
+			$$ = $1;
+		}
+		| NamedNumberList ',' ELLIPSIS
+			{ $$ = $1; } /* XXX used for Enumerations */
+		;
+
+NamedNumber	: IDENTIFIER '(' SignedNumber ')'
+		{
+			$$ = emalloc(sizeof(*$$));
+			$$->name = $1;
+			$$->gen_name = estrdup($1);
+			output_name ($$->gen_name);
+			$$->val = $3;
+			$$->optional = 0;
+			$$->ellipsis = 0;
+			$$->type = NULL;
+		}
+		;
+
+EnumeratedType	: kw_ENUMERATED '{' Enumerations '}'
+		{
+		  $$ = new_type(TInteger);
 		  $$->members = $3;
+		  $$ = new_tag(ASN1_C_UNIV, UT_Enumerated, TE_EXPLICIT, $$);
+		}
+		;
+
+Enumerations	: NamedNumberList /* XXX */
+		;
+
+BitStringType	: kw_BIT kw_STRING
+		{
+		  $$ = new_type(TBitString);
+		  $$->members = emalloc(sizeof(*$$->members));
+		  ASN1_TAILQ_INIT($$->members);
+		  $$ = new_tag(ASN1_C_UNIV, UT_BitString, TE_EXPLICIT, $$);
 		}
-		| BIT STRING '{' bitdecls '}'
+		| kw_BIT kw_STRING '{' NamedBitList '}'
 		{
 		  $$ = new_type(TBitString);
 		  $$->members = $4;
+		  $$ = new_tag(ASN1_C_UNIV, UT_BitString, TE_EXPLICIT, $$);
+		}
+		;
+
+ObjectIdentifierType: kw_OBJECT kw_IDENTIFIER
+		{
+			$$ = new_tag(ASN1_C_UNIV, UT_OID, 
+				     TE_EXPLICIT, new_type(TOID));
+		}
+		;
+OctetStringType	: kw_OCTET kw_STRING size
+		{
+		    Type *t = new_type(TOctetString);
+		    t->range = $3;
+		    $$ = new_tag(ASN1_C_UNIV, UT_OctetString, 
+				 TE_EXPLICIT, t);
+		}
+		;
+
+NullType	: kw_NULL
+		{
+			$$ = new_tag(ASN1_C_UNIV, UT_Null, 
+				     TE_EXPLICIT, new_type(TNull));
 		}
-		| IDENT
+		;
+
+size		:
+		{ $$ = NULL; }
+		| kw_SIZE range
+		{ $$ = $2; }
+		;
+
+
+SequenceType	: kw_SEQUENCE '{' /* ComponentTypeLists */ ComponentTypeList '}'
+		{
+		  $$ = new_type(TSequence);
+		  $$->members = $3;
+		  $$ = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, $$);
+		}
+		| kw_SEQUENCE '{' '}'
+		{
+		  $$ = new_type(TSequence);
+		  $$->members = NULL;
+		  $$ = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, $$);
+		}
+		;
+
+SequenceOfType	: kw_SEQUENCE size kw_OF Type
+		{
+		  $$ = new_type(TSequenceOf);
+		  $$->range = $2;
+		  $$->subtype = $4;
+		  $$ = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, $$);
+		}
+		;
+
+SetType		: kw_SET '{' /* ComponentTypeLists */ ComponentTypeList '}'
+		{
+		  $$ = new_type(TSet);
+		  $$->members = $3;
+		  $$ = new_tag(ASN1_C_UNIV, UT_Set, TE_EXPLICIT, $$);
+		}
+		| kw_SET '{' '}'
+		{
+		  $$ = new_type(TSet);
+		  $$->members = NULL;
+		  $$ = new_tag(ASN1_C_UNIV, UT_Set, TE_EXPLICIT, $$);
+		}
+		;
+
+SetOfType	: kw_SET kw_OF Type
+		{
+		  $$ = new_type(TSetOf);
+		  $$->subtype = $3;
+		  $$ = new_tag(ASN1_C_UNIV, UT_Set, TE_EXPLICIT, $$);
+		}
+		;
+
+ChoiceType	: kw_CHOICE '{' /* AlternativeTypeLists */ ComponentTypeList '}'
+		{
+		  $$ = new_type(TChoice);
+		  $$->members = $3;
+		}
+		;
+
+ReferencedType	: DefinedType
+		| UsefulType
+		;
+
+DefinedType	: IDENTIFIER
 		{
 		  Symbol *s = addsym($1);
 		  $$ = new_type(TType);
-		  if(s->stype != Stype)
+		  if(s->stype != Stype && s->stype != SUndefined)
 		    error_message ("%s is not a type\n", $1);
 		  else
 		    $$->symbol = s;
 		}
-		| '[' APPLICATION constant ']' type
+		;
+
+UsefulType	: kw_GeneralizedTime
+		{
+			$$ = new_tag(ASN1_C_UNIV, UT_GeneralizedTime, 
+				     TE_EXPLICIT, new_type(TGeneralizedTime));
+		}
+		| kw_UTCTime
+		{
+			$$ = new_tag(ASN1_C_UNIV, UT_UTCTime, 
+				     TE_EXPLICIT, new_type(TUTCTime));
+		}
+		;
+
+ConstrainedType	: Type Constraint
+		{
+		    /* if (Constraint.type == contentConstrant) {
+		       assert(Constraint.u.constraint.type == octetstring|bitstring-w/o-NamedBitList); // remember to check type reference too
+		       if (Constraint.u.constraint.type) {
+		         assert((Constraint.u.constraint.type.length % 8) == 0);
+		       }
+		      }
+		      if (Constraint.u.constraint.encoding) {
+		        type == der-oid|ber-oid
+		      }
+		    */
+		}
+		;
+
+
+Constraint	: '(' ConstraintSpec ')'
+		{
+		    $$ = $2;
+		}
+		;
+
+ConstraintSpec	: GeneralConstraint
+		;
+
+GeneralConstraint: ContentsConstraint
+		| UserDefinedConstraint
+		;
+
+ContentsConstraint: kw_CONTAINING Type
+		{
+		    $$ = new_constraint_spec(CT_CONTENTS);
+		    $$->u.content.type = $2;
+		    $$->u.content.encoding = NULL;
+		}
+		| kw_ENCODED kw_BY Value
+		{
+		    if ($3->type != objectidentifiervalue)
+			error_message("Non-OID used in ENCODED BY constraint");
+		    $$ = new_constraint_spec(CT_CONTENTS);
+		    $$->u.content.type = NULL;
+		    $$->u.content.encoding = $3;
+		}
+		| kw_CONTAINING Type kw_ENCODED kw_BY Value
 		{
-		  $$ = new_type(TApplication);
-		  $$->subtype = $5;
-		  $$->application = $3;
+		    if ($5->type != objectidentifiervalue)
+			error_message("Non-OID used in ENCODED BY constraint");
+		    $$ = new_constraint_spec(CT_CONTENTS);
+		    $$->u.content.type = $2;
+		    $$->u.content.encoding = $5;
 		}
 		;
 
-memberdecls	: { $$ = NULL; }
-		| memberdecl	{ $$ = $1; }
-		| memberdecls ',' memberdecl { $$ = $1; append($$, $3); }
+UserDefinedConstraint: kw_CONSTRAINED kw_BY '{' '}'
+		{
+		    $$ = new_constraint_spec(CT_USER);
+		}
 		;
 
-memberdecl	: IDENT '[' constant ']' type optional2
+TaggedType	: Tag tagenv Type
 		{
-		  $$ = malloc(sizeof(*$$));
+			$$ = new_type(TTag);
+			$$->tag = $1;
+			$$->tag.tagenv = $2;
+			if($3->type == TTag && $2 == TE_IMPLICIT) {
+				$$->subtype = $3->subtype;
+				free($3);
+			} else
+				$$->subtype = $3;
+		}
+		;
+
+Tag		: '[' Class NUMBER ']'
+		{
+			$$.tagclass = $2;
+			$$.tagvalue = $3;
+			$$.tagenv = TE_EXPLICIT;
+		}
+		;
+
+Class		: /* */
+		{
+			$$ = ASN1_C_CONTEXT;
+		}
+		| kw_UNIVERSAL
+		{
+			$$ = ASN1_C_UNIV;
+		}
+		| kw_APPLICATION
+		{
+			$$ = ASN1_C_APPL;
+		}
+		| kw_PRIVATE
+		{
+			$$ = ASN1_C_PRIVATE;
+		}
+		;
+
+tagenv		: /* */
+		{
+			$$ = TE_EXPLICIT;
+		}
+		| kw_EXPLICIT
+		{
+			$$ = TE_EXPLICIT;
+		}
+		| kw_IMPLICIT
+		{
+			$$ = TE_IMPLICIT;
+		}
+		;
+
+
+ValueAssignment	: IDENTIFIER Type EEQUAL Value
+		{
+			Symbol *s;
+			s = addsym ($1);
+
+			s->stype = SValue;
+			s->value = $4;
+			generate_constant (s);
+		}
+		;
+
+CharacterStringType: RestrictedCharactedStringType
+		;
+
+RestrictedCharactedStringType: kw_GeneralString
+		{
+			$$ = new_tag(ASN1_C_UNIV, UT_GeneralString, 
+				     TE_EXPLICIT, new_type(TGeneralString));
+		}
+		| kw_UTF8String
+		{
+			$$ = new_tag(ASN1_C_UNIV, UT_UTF8String, 
+				     TE_EXPLICIT, new_type(TUTF8String));
+		}
+		| kw_PrintableString
+		{
+			$$ = new_tag(ASN1_C_UNIV, UT_PrintableString, 
+				     TE_EXPLICIT, new_type(TPrintableString));
+		}
+		| kw_VisibleString
+		{
+			$$ = new_tag(ASN1_C_UNIV, UT_VisibleString, 
+				     TE_EXPLICIT, new_type(TVisibleString));
+		}
+		| kw_IA5String
+		{
+			$$ = new_tag(ASN1_C_UNIV, UT_IA5String, 
+				     TE_EXPLICIT, new_type(TIA5String));
+		}
+		| kw_BMPString
+		{
+			$$ = new_tag(ASN1_C_UNIV, UT_BMPString, 
+				     TE_EXPLICIT, new_type(TBMPString));
+		}
+		| kw_UniversalString
+		{
+			$$ = new_tag(ASN1_C_UNIV, UT_UniversalString, 
+				     TE_EXPLICIT, new_type(TUniversalString));
+		}
+
+		;
+
+ComponentTypeList: ComponentType
+		{
+			$$ = emalloc(sizeof(*$$));
+			ASN1_TAILQ_INIT($$);
+			ASN1_TAILQ_INSERT_HEAD($$, $1, members);
+		}
+		| ComponentTypeList ',' ComponentType
+		{
+			ASN1_TAILQ_INSERT_TAIL($1, $3, members);
+			$$ = $1;
+		}
+		| ComponentTypeList ',' ELLIPSIS
+		{
+		        struct member *m = ecalloc(1, sizeof(*m));
+			m->name = estrdup("...");
+			m->gen_name = estrdup("asn1_ellipsis");
+			m->ellipsis = 1;
+			ASN1_TAILQ_INSERT_TAIL($1, m, members);
+			$$ = $1;
+		}
+		;
+
+NamedType	: IDENTIFIER Type
+		{
+		  $$ = emalloc(sizeof(*$$));
 		  $$->name = $1;
-		  $$->gen_name = strdup($1);
+		  $$->gen_name = estrdup($1);
 		  output_name ($$->gen_name);
-		  $$->val = $3;
-		  $$->optional = $6;
-		  $$->type = $5;
-		  $$->next = $$->prev = $$;
+		  $$->type = $2;
+		  $$->ellipsis = 0;
 		}
 		;
 
-optional2	: { $$ = 0; }
-		| OPTIONAL { $$ = 1; }
+ComponentType	: NamedType
+		{
+			$$ = $1;
+			$$->optional = 0;
+			$$->defval = NULL;
+		}
+		| NamedType kw_OPTIONAL
+		{
+			$$ = $1;
+			$$->optional = 1;
+			$$->defval = NULL;
+		}
+		| NamedType kw_DEFAULT Value
+		{
+			$$ = $1;
+			$$->optional = 0;
+			$$->defval = $3;
+		}
 		;
 
-bitdecls	: { $$ = NULL; }
-		| bitdecl { $$ = $1; }
-		| bitdecls ',' bitdecl { $$ = $1; append($$, $3); }
+NamedBitList	: NamedBit
+		{
+			$$ = emalloc(sizeof(*$$));
+			ASN1_TAILQ_INIT($$);
+			ASN1_TAILQ_INSERT_HEAD($$, $1, members);
+		}
+		| NamedBitList ',' NamedBit
+		{
+			ASN1_TAILQ_INSERT_TAIL($1, $3, members);
+			$$ = $1;
+		}
 		;
 
-bitdecl		: IDENT '(' constant ')'
+NamedBit	: IDENTIFIER '(' NUMBER ')'
 		{
-		  $$ = malloc(sizeof(*$$));
+		  $$ = emalloc(sizeof(*$$));
 		  $$->name = $1;
-		  $$->gen_name = strdup($1);
+		  $$->gen_name = estrdup($1);
 		  output_name ($$->gen_name);
 		  $$->val = $3;
 		  $$->optional = 0;
+		  $$->ellipsis = 0;
 		  $$->type = NULL;
-		  $$->prev = $$->next = $$;
 		}
 		;
 
-constant	: CONSTANT	{ $$ = $1; }
-		| IDENT	{
-				  Symbol *s = addsym($1);
-				  if(s->stype != SConstant)
-				    error_message ("%s is not a constant\n",
-						   s->name);
-				  else
-				    $$ = s->constant;
-				}
+objid_opt	: objid
+		| /* empty */ { $$ = NULL; }
 		;
+
+objid		: '{' objid_list '}'
+		{
+			$$ = $2;
+		}
+		;
+
+objid_list	:  /* empty */
+		{
+			$$ = NULL;
+		}
+		| objid_element objid_list
+		{
+		        if ($2) {
+				$$ = $2;
+				add_oid_to_tail($2, $1);
+			} else {
+				$$ = $1;
+			}
+		}
+		;
+
+objid_element	: IDENTIFIER '(' NUMBER ')'
+		{
+			$$ = new_objid($1, $3);
+		}
+		| IDENTIFIER
+		{
+		    Symbol *s = addsym($1);
+		    if(s->stype != SValue ||
+		       s->value->type != objectidentifiervalue) {
+			error_message("%s is not an object identifier\n", 
+				      s->name);
+			exit(1);
+		    }
+		    $$ = s->value->u.objectidentifiervalue;
+		}
+		| NUMBER
+		{
+		    $$ = new_objid(NULL, $1);
+		}
+		;
+
+Value		: BuiltinValue
+		| ReferencedValue
+		;
+
+BuiltinValue	: BooleanValue
+		| CharacterStringValue
+		| IntegerValue
+		| ObjectIdentifierValue
+		| NullValue
+		;
+
+ReferencedValue	: DefinedValue
+		;
+
+DefinedValue	: Valuereference
+		;
+
+Valuereference	: IDENTIFIER
+		{
+			Symbol *s = addsym($1);
+			if(s->stype != SValue)
+				error_message ("%s is not a value\n",
+						s->name);
+			else
+				$$ = s->value;
+		}
+		;
+
+CharacterStringValue: STRING
+		{
+			$$ = emalloc(sizeof(*$$));
+			$$->type = stringvalue;
+			$$->u.stringvalue = $1;
+		}
+		;
+
+BooleanValue	: kw_TRUE
+		{
+			$$ = emalloc(sizeof(*$$));
+			$$->type = booleanvalue;
+			$$->u.booleanvalue = 0;
+		}
+		| kw_FALSE
+		{
+			$$ = emalloc(sizeof(*$$));
+			$$->type = booleanvalue;
+			$$->u.booleanvalue = 0;
+		}
+		;
+
+IntegerValue	: SignedNumber
+		{
+			$$ = emalloc(sizeof(*$$));
+			$$->type = integervalue;
+			$$->u.integervalue = $1;
+		}
+		;
+
+SignedNumber	: NUMBER
+		;
+
+NullValue	: kw_NULL
+		{
+		}
+		;
+
+ObjectIdentifierValue: objid
+		{
+			$$ = emalloc(sizeof(*$$));
+			$$->type = objectidentifiervalue;
+			$$->u.objectidentifiervalue = $1;
+		}
+		;
+
 %%
 
 void
-yyerror (char *s)
+yyerror (const char *s)
 {
      error_message ("%s\n", s);
 }
 
 static Type *
+new_tag(int tagclass, int tagvalue, int tagenv, Type *oldtype)
+{
+    Type *t;
+    if(oldtype->type == TTag && oldtype->tag.tagenv == TE_IMPLICIT) {
+	t = oldtype;
+	oldtype = oldtype->subtype; /* XXX */
+    } else
+	t = new_type (TTag);
+    
+    t->tag.tagclass = tagclass;
+    t->tag.tagvalue = tagvalue;
+    t->tag.tagenv = tagenv;
+    t->subtype = oldtype;
+    return t;
+}
+
+static struct objid *
+new_objid(const char *label, int value)
+{
+    struct objid *s;
+    s = emalloc(sizeof(*s));
+    s->label = label;
+    s->value = value;
+    s->next = NULL;
+    return s;
+}
+
+static void
+add_oid_to_tail(struct objid *head, struct objid *tail)
+{
+    struct objid *o;
+    o = head;
+    while (o->next)
+	o = o->next;
+    o->next = tail;
+}
+
+static Type *
 new_type (Typetype tt)
 {
-  Type *t = malloc(sizeof(*t));
-  if (t == NULL) {
-      error_message ("out of memory in malloc(%lu)", 
-		     (unsigned long)sizeof(*t));
-      exit (1);
-  }
-  t->type = tt;
-  t->application = 0;
-  t->members = NULL;
-  t->subtype = NULL;
-  t->symbol  = NULL;
-  return t;
+    Type *t = ecalloc(1, sizeof(*t));
+    t->type = tt;
+    return t;
+}
+
+static struct constraint_spec *
+new_constraint_spec(enum ctype ct)
+{
+    struct constraint_spec *c = ecalloc(1, sizeof(*c));
+    c->ctype = ct;
+    return c;
+}
+
+static void fix_labels2(Type *t, const char *prefix);
+static void fix_labels1(struct memhead *members, const char *prefix)
+{
+    Member *m;
+
+    if(members == NULL)
+	return;
+    ASN1_TAILQ_FOREACH(m, members, members) {
+	asprintf(&m->label, "%s_%s", prefix, m->gen_name);
+	if (m->label == NULL)
+	    errx(1, "malloc");
+	if(m->type != NULL)
+	    fix_labels2(m->type, m->label);
+    }
+}
+
+static void fix_labels2(Type *t, const char *prefix)
+{
+    for(; t; t = t->subtype)
+	fix_labels1(t->members, prefix);
 }
 
 static void
-append (Member *l, Member *r)
+fix_labels(Symbol *s)
 {
-  l->prev->next = r;
-  r->prev = l->prev;
-  l->prev = r;
-  r->next = l;
+    char *p;
+    asprintf(&p, "choice_%s", s->gen_name);
+    if (p == NULL)
+	errx(1, "malloc");
+    fix_labels2(s->type, p);
+    free(p);
 }
diff --git a/crypto/heimdal/lib/asn1/pkcs12.asn1 b/crypto/heimdal/lib/asn1/pkcs12.asn1
new file mode 100644
index 0000000..37fe03e
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/pkcs12.asn1
@@ -0,0 +1,81 @@
+-- $Id: pkcs12.asn1 15715 2005-07-23 11:08:47Z lha $ --
+
+PKCS12 DEFINITIONS ::=
+
+BEGIN
+
+IMPORTS ContentInfo FROM cms
+	DigestInfo FROM rfc2459
+	heim_any, heim_any_set FROM heim;
+
+-- The PFX PDU
+
+id-pkcs-12 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
+	rsadsi(113549) pkcs(1) pkcs-12(12) }
+
+id-pkcs-12PbeIds                   OBJECT IDENTIFIER ::= { id-pkcs-12 1}
+id-pbeWithSHAAnd128BitRC4          OBJECT IDENTIFIER ::= { id-pkcs-12PbeIds 1}
+id-pbeWithSHAAnd40BitRC4           OBJECT IDENTIFIER ::= { id-pkcs-12PbeIds 2}
+id-pbeWithSHAAnd3-KeyTripleDES-CBC OBJECT IDENTIFIER ::= { id-pkcs-12PbeIds 3}
+id-pbeWithSHAAnd2-KeyTripleDES-CBC OBJECT IDENTIFIER ::= { id-pkcs-12PbeIds 4}
+id-pbeWithSHAAnd128BitRC2-CBC      OBJECT IDENTIFIER ::= { id-pkcs-12PbeIds 5}
+id-pbewithSHAAnd40BitRC2-CBC       OBJECT IDENTIFIER ::= { id-pkcs-12PbeIds 6}
+
+id-pkcs12-bagtypes		OBJECT IDENTIFIER ::= { id-pkcs-12 10 1}
+
+id-pkcs12-keyBag		OBJECT IDENTIFIER ::= { id-pkcs12-bagtypes 1 }
+id-pkcs12-pkcs8ShroudedKeyBag	OBJECT IDENTIFIER ::= { id-pkcs12-bagtypes 2 }
+id-pkcs12-certBag		OBJECT IDENTIFIER ::= { id-pkcs12-bagtypes 3 }
+id-pkcs12-crlBag		OBJECT IDENTIFIER ::= { id-pkcs12-bagtypes 4 }
+id-pkcs12-secretBag		OBJECT IDENTIFIER ::= { id-pkcs12-bagtypes 5 }
+id-pkcs12-safeContentsBag	OBJECT IDENTIFIER ::= { id-pkcs12-bagtypes 6 }
+
+
+PKCS12-MacData ::= SEQUENCE {
+    	mac 		DigestInfo,
+	macSalt	        OCTET STRING,
+	iterations	INTEGER OPTIONAL
+}
+
+PKCS12-PFX ::= SEQUENCE {
+    	version		INTEGER,
+    	authSafe	ContentInfo,
+    	macData    	PKCS12-MacData OPTIONAL
+}
+
+PKCS12-AuthenticatedSafe ::= SEQUENCE OF ContentInfo
+	-- Data if unencrypted
+	-- EncryptedData if password-encrypted
+	-- EnvelopedData if public key-encrypted
+
+PKCS12-Attribute ::= SEQUENCE {
+	attrId	   	OBJECT IDENTIFIER,
+	attrValues 	-- SET OF -- heim_any_set 
+}
+
+PKCS12-Attributes ::= SET OF PKCS12-Attribute
+
+PKCS12-SafeBag ::= SEQUENCE {
+  	bagId	      	OBJECT IDENTIFIER,
+  	bagValue      	[0] heim_any,
+  	bagAttributes 	PKCS12-Attributes OPTIONAL
+}
+
+PKCS12-SafeContents ::= SEQUENCE OF PKCS12-SafeBag
+
+PKCS12-CertBag ::= SEQUENCE {
+	certType	OBJECT IDENTIFIER,
+  	certValue      	[0] heim_any
+}
+
+PKCS12-PBEParams ::= SEQUENCE {
+	salt		OCTET STRING,
+	iterations	INTEGER (0..4294967295) OPTIONAL
+}
+
+PKCS12-OctetString ::= OCTET STRING
+
+-- KeyBag ::= PrivateKeyInfo
+-- PKCS8ShroudedKeyBag ::= EncryptedPrivateKeyInfo
+
+END
diff --git a/crypto/heimdal/lib/asn1/pkcs8.asn1 b/crypto/heimdal/lib/asn1/pkcs8.asn1
new file mode 100644
index 0000000..911e727
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/pkcs8.asn1
@@ -0,0 +1,30 @@
+-- $Id: pkcs8.asn1 16060 2005-09-13 19:41:29Z lha $ --
+
+PKCS8 DEFINITIONS ::=
+
+BEGIN
+
+IMPORTS	Attribute, AlgorithmIdentifier FROM rfc2459
+	heim_any, heim_any_set FROM heim;
+
+PKCS8PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
+
+PKCS8PrivateKey ::= OCTET STRING
+
+PKCS8Attributes ::= SET OF Attribute
+
+PKCS8PrivateKeyInfo ::= SEQUENCE {
+  version INTEGER,
+  privateKeyAlgorithm PKCS8PrivateKeyAlgorithmIdentifier,
+  privateKey PKCS8PrivateKey,
+  attributes [0] IMPLICIT SET OF Attribute OPTIONAL
+}
+
+PKCS8EncryptedData ::= OCTET STRING
+
+PKCS8EncryptedPrivateKeyInfo ::= SEQUENCE {
+    encryptionAlgorithm AlgorithmIdentifier,
+    encryptedData PKCS8EncryptedData 
+}
+
+END
diff --git a/crypto/heimdal/lib/asn1/pkcs9.asn1 b/crypto/heimdal/lib/asn1/pkcs9.asn1
new file mode 100644
index 0000000..d985e91
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/pkcs9.asn1
@@ -0,0 +1,28 @@
+-- $Id: pkcs9.asn1 17202 2006-04-24 08:59:10Z lha $ --
+
+PKCS9 DEFINITIONS ::=
+
+BEGIN
+
+-- The PFX PDU
+
+id-pkcs-9 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
+	rsadsi(113549) pkcs(1) pkcs-9(9) }
+
+id-pkcs9-emailAddress		OBJECT IDENTIFIER ::= {id-pkcs-9 1 }
+id-pkcs9-contentType		OBJECT IDENTIFIER ::= {id-pkcs-9 3 }
+id-pkcs9-messageDigest		OBJECT IDENTIFIER ::= {id-pkcs-9 4 }
+id-pkcs9-signingTime		OBJECT IDENTIFIER ::= {id-pkcs-9 5 }
+id-pkcs9-countersignature	OBJECT IDENTIFIER ::= {id-pkcs-9 6 }
+
+id-pkcs-9-at-friendlyName	OBJECT IDENTIFIER ::= {id-pkcs-9 20}
+id-pkcs-9-at-localKeyId		OBJECT IDENTIFIER ::= {id-pkcs-9 21}
+id-pkcs-9-at-certTypes		OBJECT IDENTIFIER ::= {id-pkcs-9 22}
+id-pkcs-9-at-certTypes-x509	OBJECT IDENTIFIER ::= {id-pkcs-9-at-certTypes 1}
+
+PKCS9-BMPString ::= BMPString
+
+PKCS9-friendlyName ::= SET OF PKCS9-BMPString
+
+END
+
diff --git a/crypto/heimdal/lib/asn1/pkinit.asn1 b/crypto/heimdal/lib/asn1/pkinit.asn1
index 92c5de7..989b265 100644
--- a/crypto/heimdal/lib/asn1/pkinit.asn1
+++ b/crypto/heimdal/lib/asn1/pkinit.asn1
@@ -1,189 +1,182 @@
+-- $Id$ --
+
 PKINIT DEFINITIONS ::= BEGIN
 
-IMPORTS  EncryptionKey, PrincipalName, Realm, KerberosTime, TypedData 
-	FROM krb5;
-IMPORTS SignedData, EnvelopedData FROM CMS;
-IMPORTS CertificateSerialNumber, AttributeTypeAndValue, Name FROM X509;
+IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, Checksum, Ticket FROM krb5
+	IssuerAndSerialNumber, ContentInfo FROM cms
+	SubjectPublicKeyInfo, AlgorithmIdentifier FROM rfc2459
+	heim_any FROM heim;
 
+id-pkinit OBJECT IDENTIFIER ::=
+  { iso (1) org (3) dod (6) internet (1) security (5)
+    kerberosv5 (2) pkinit (3) }
 
--- 3.1
+id-pkauthdata  OBJECT IDENTIFIER  ::= { id-pkinit 1 }
+id-pkdhkeydata OBJECT IDENTIFIER  ::= { id-pkinit 2 }
+id-pkrkeydata  OBJECT IDENTIFIER  ::= { id-pkinit 3 }
+id-pkekuoid    OBJECT IDENTIFIER  ::= { id-pkinit 4 }
+id-pkkdcekuoid OBJECT IDENTIFIER  ::= { id-pkinit 5 }
 
-CertPrincipalName ::= SEQUENCE {
-	name-type[0]		INTEGER,
-	name-string[1]		SEQUENCE OF UTF8String
-}
+id-pkinit-san	OBJECT IDENTIFIER ::=
+  { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
+    x509-sanan(2) }
 
+id-pkinit-ms-eku OBJECT IDENTIFIER ::=
+  { iso(1) org(3) dod(6) internet(1) private(4) 
+    enterprise(1) microsoft(311) 20 2 2 }
 
--- 3.2.2
+id-pkinit-ms-san OBJECT IDENTIFIER ::=
+  { iso(1) org(3) dod(6) internet(1) private(4) 
+    enterprise(1) microsoft(311) 20 2 3 }
 
+MS-UPN-SAN ::= UTF8String
 
-TrustedCertifiers ::= SEQUENCE OF PrincipalName
-				-- X.500 name encoded as a principal name
-				-- see Section 3.1
-CertificateIndex  ::= INTEGER
-				-- 0 = 1st certificate,
-				--     (in order of encoding)
-				-- 1 = 2nd certificate, etc
+pa-pk-as-req INTEGER ::=                  16
+pa-pk-as-rep INTEGER ::=                  17
 
-PA-PK-AS-REP ::= CHOICE {
-				-- PA TYPE 15
-	dhSignedData[0]		SignedData,
-				-- Defined in CMS and used only with
-				-- Diffie-Hellman key exchange (if the
-				-- client public value was present in the
-				-- request).
-				-- This choice MUST be supported
-				-- by compliant implementations.
-	encKeyPack[1]		EnvelopedData
-				-- Defined in CMS
-				-- The temporary key is encrypted
-				-- using the client public key
-				-- key
-				-- SignedReplyKeyPack, encrypted
-				-- with the temporary key, is also
-				-- included.
-}
-
-
-
-KdcDHKeyInfo ::= SEQUENCE {
-				-- used only when utilizing Diffie-Hellman
-	nonce[0]		INTEGER,
-				-- binds responce to the request
-	subjectPublicKey[2]	BIT STRING
-				-- Equals public exponent (g^a mod p)
-				-- INTEGER encoded as payload of
-				-- BIT STRING
+td-trusted-certifiers INTEGER ::=        104
+td-invalid-certificates INTEGER ::=      105
+td-dh-parameters INTEGER ::=             109
+
+DHNonce ::= OCTET STRING
+
+KDFAlgorithmId ::= SEQUENCE {
+       kdf-id            [0] OBJECT IDENTIFIER,
+       ...
 }
 
-ReplyKeyPack ::= SEQUENCE {
-				-- not used for Diffie-Hellman
-	replyKey[0]		EncryptionKey,
-				-- used to encrypt main reply
-				-- ENCTYPE is at least as strong as
-				-- ENCTYPE of session key
-	nonce[1]		INTEGER
-				-- binds response to the request
-				-- must be same as the nonce
-				-- passed in the PKAuthenticator
-}
-
--- subjectAltName EXTENSION ::= {
--- 	SYNTAX GeneralNames
--- 	IDENTIFIED BY id-ce-subjectAltName
--- }
-
-OtherName ::= SEQUENCE {
-	type-id			OBJECT IDENTIFIER,
-	value[0]		OCTET STRING
---	value[0] EXPLICIT ANY DEFINED BY type-id
-}
-
-GeneralName ::= CHOICE {
-	otherName       [0] OtherName,
+TrustedCA ::= SEQUENCE {
+	caName                  [0] IMPLICIT OCTET STRING,
+	certificateSerialNumber [1] INTEGER OPTIONAL,
+	subjectKeyIdentifier    [2] OCTET STRING OPTIONAL,
 	...
 }
 
-GeneralNames ::= SEQUENCE -- SIZE(1..MAX)
-	OF GeneralName
+ExternalPrincipalIdentifier ::= SEQUENCE {
+	subjectName		[0] IMPLICIT OCTET STRING OPTIONAL,
+	issuerAndSerialNumber	[1] IMPLICIT OCTET STRING OPTIONAL,
+	subjectKeyIdentifier	[2] IMPLICIT OCTET STRING OPTIONAL,
+	...
+}
 
-KerberosName ::= SEQUENCE {
-	realm[0]		Realm,
-				-- as defined in RFC 1510
-	principalName[1]	CertPrincipalName
-				-- defined above
+ExternalPrincipalIdentifiers ::= SEQUENCE OF ExternalPrincipalIdentifier
+
+PA-PK-AS-REQ ::= SEQUENCE {
+        signedAuthPack          [0] IMPLICIT OCTET STRING,
+        trustedCertifiers       [1] ExternalPrincipalIdentifiers OPTIONAL,
+	kdcPkId                 [2] IMPLICIT OCTET STRING OPTIONAL,
+	...
 }
 
+PKAuthenticator ::= SEQUENCE {
+	cusec                   [0] INTEGER -- (0..999999) --,
+	ctime                   [1] KerberosTime,
+	nonce                   [2] INTEGER (0..4294967295),
+	paChecksum              [3] OCTET STRING OPTIONAL,
+	...
+}
 
--- krb5 OBJECT IDENTIFIER ::= {
--- 	iso (1) org (3) dod (6) internet (1) security (5) kerberosv5 (2)
--- }
+AuthPack ::= SEQUENCE {
+	pkAuthenticator         [0] PKAuthenticator,
+	clientPublicValue       [1] SubjectPublicKeyInfo OPTIONAL,
+	supportedCMSTypes       [2] SEQUENCE OF AlgorithmIdentifier OPTIONAL,
+	clientDHNonce           [3] DHNonce OPTIONAL,
+	...,
+	supportedKDFs		[4] SEQUENCE OF KDFAlgorithmId OPTIONAL,
+	...
+}
 
--- krb5PrincipalName OBJECT IDENTIFIER ::= { krb5 2 }
+TD-TRUSTED-CERTIFIERS ::= ExternalPrincipalIdentifiers
+TD-INVALID-CERTIFICATES ::= ExternalPrincipalIdentifiers
 
--- 3.2.1
+KRB5PrincipalName ::= SEQUENCE {
+	realm                   [0] Realm,
+	principalName           [1] PrincipalName
+}
 
+AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF ExternalPrincipalIdentifier
 
-IssuerAndSerialNumber ::= SEQUENCE {
-	issuer			Name,
-	serialNumber		CertificateSerialNumber
+DHRepInfo ::= SEQUENCE {
+	dhSignedData            [0] IMPLICIT OCTET STRING,
+	serverDHNonce           [1] DHNonce OPTIONAL,
+	...,
+	kdf			[2] KDFAlgorithmId OPTIONAL,
+	...
 }
 
-TrustedCas ::= CHOICE {
-	principalName[0]	KerberosName,
-				-- as defined below
-	caName[1]		Name,
-				-- fully qualified X.500 name
-				-- as defined by X.509
-	issuerAndSerial[2]	IssuerAndSerialNumber
-				-- Since a CA may have a number of
-				-- certificates, only one of which
-				-- a client trusts
+PA-PK-AS-REP ::= CHOICE {
+	dhInfo                  [0] DHRepInfo,
+	encKeyPack              [1] IMPLICIT OCTET STRING,
+	...
 }
 
-PA-PK-AS-REQ ::= SEQUENCE {
-	-- PA TYPE 14
-	signedAuthPack[0]	SignedData,
-				-- defined in CMS [11]
-				-- AuthPack (below) defines the data
-				-- that is signed
-	trustedCertifiers[1]	SEQUENCE OF TrustedCas OPTIONAL,
-				-- CAs that the client trusts
-	kdcCert[2]		IssuerAndSerialNumber OPTIONAL,
-				-- as defined in CMS [11]
-				-- specifies a particular KDC
-				-- certificate if the client
-				-- already has it;
-	encryptionCert[3]	IssuerAndSerialNumber OPTIONAL
-				-- For example, this may be the
-				-- client's Diffie-Hellman
-				-- certificate, or it may be the
-				-- client's RSA encryption
-				-- certificate.
+KDCDHKeyInfo ::= SEQUENCE {
+	subjectPublicKey        [0] BIT STRING,
+	nonce                   [1] INTEGER (0..4294967295),
+	dhKeyExpiration         [2] KerberosTime OPTIONAL,
+	...
 }
 
-PKAuthenticator ::= SEQUENCE {
-	kdcName[0]		PrincipalName,
-	kdcRealm[1]		Realm,
-	cusec[2]		INTEGER,
-				-- for replay prevention as in RFC1510
-	ctime[3]		KerberosTime,
-				-- for replay prevention as in RFC1510
-	nonce[4]		INTEGER
+ReplyKeyPack ::= SEQUENCE {
+	replyKey                [0] EncryptionKey,
+	asChecksum		[1] Checksum,
+	...
 }
 
--- This is the real definition of AlgorithmIdentifier
--- AlgorithmIdentifier ::= SEQUENCE {
--- 	algorithm		ALGORITHM.&id,
---	parameters		ALGORITHM.&Type
--- }   -- as specified by the X.509 recommendation[10]
+TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier
+
 
--- But we'll use this one instead:
+-- Windows compat glue --
 
-AlgorithmIdentifier ::= SEQUENCE {
-	algorithm		OBJECT IDENTIFIER,
-	parameters		CHOICE {
-					a INTEGER
-				}
+PKAuthenticator-Win2k ::= SEQUENCE {
+	kdcName			[0] PrincipalName,
+	kdcRealm		[1] Realm,
+	cusec			[2] INTEGER (0..4294967295),
+	ctime			[3] KerberosTime,
+	nonce                   [4] INTEGER (-2147483648..2147483647)
 }
 
+AuthPack-Win2k ::= SEQUENCE {
+	pkAuthenticator         [0] PKAuthenticator-Win2k,
+	clientPublicValue       [1] SubjectPublicKeyInfo OPTIONAL
+}
 
 
-SubjectPublicKeyInfo ::= SEQUENCE {
-	algorithm		AlgorithmIdentifier,
-				-- dhKeyAgreement
-	subjectPublicKey	BIT STRING
-				-- for DH, equals
-				-- public exponent (INTEGER encoded
-				-- as payload of BIT STRING)
-} -- as specified by the X.509 recommendation[10]
+TrustedCA-Win2k ::= CHOICE {
+	caName                  [1] heim_any,
+	issuerAndSerial         [2] IssuerAndSerialNumber
+}
 
-AuthPack ::= SEQUENCE {
-	pkAuthenticator[0]	PKAuthenticator,
-	clientPublicValue[1]	SubjectPublicKeyInfo OPTIONAL
-				-- if client is using Diffie-Hellman
-				-- (ephemeral-ephemeral only)
+PA-PK-AS-REQ-Win2k ::= SEQUENCE { 
+	signed-auth-pack	[0] IMPLICIT OCTET STRING, 
+	trusted-certifiers	[2] SEQUENCE OF TrustedCA-Win2k OPTIONAL, 
+	kdc-cert		[3] IMPLICIT OCTET STRING OPTIONAL, 
+	encryption-cert		[4] IMPLICIT OCTET STRING OPTIONAL
 }
 
+PA-PK-AS-REP-Win2k ::= CHOICE {
+	dhSignedData		[0] IMPLICIT OCTET STRING, 
+	encKeyPack		[1] IMPLICIT OCTET STRING
+}
+
+
+KDCDHKeyInfo-Win2k ::= SEQUENCE {
+	nonce			[0] INTEGER (-2147483648..2147483647),
+	subjectPublicKey	[2] BIT STRING
+}
+
+ReplyKeyPack-Win2k ::= SEQUENCE {
+        replyKey                [0] EncryptionKey,
+        nonce                   [1] INTEGER (-2147483648..2147483647),
+	...
+}
+
+PkinitSuppPubInfo ::= SEQUENCE {
+       enctype           [0] INTEGER (-2147483648..2147483647),
+       as-REQ            [1] OCTET STRING,
+       pk-as-rep         [2] OCTET STRING,
+       ticket            [3] Ticket,
+       ...
+}
 
 END
diff --git a/crypto/heimdal/lib/asn1/rfc2459.asn1 b/crypto/heimdal/lib/asn1/rfc2459.asn1
index c9adec6..8e24f07 100644
--- a/crypto/heimdal/lib/asn1/rfc2459.asn1
+++ b/crypto/heimdal/lib/asn1/rfc2459.asn1
@@ -1,21 +1,506 @@
+-- $Id$ --
+-- Definitions from rfc2459/rfc3280
+
 RFC2459 DEFINITIONS ::= BEGIN
 
-AttributeType ::= OBJECT-IDENTIFIER
+IMPORTS heim_any FROM heim;
+
+Version ::=  INTEGER {
+	rfc3280_version_1(0), 
+	rfc3280_version_2(1),
+	rfc3280_version_3(2)
+}
+
+id-pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
+	rsadsi(113549) pkcs(1) 1 }
+id-pkcs1-rsaEncryption OBJECT IDENTIFIER ::=		{ id-pkcs-1 1 }
+id-pkcs1-md2WithRSAEncryption OBJECT IDENTIFIER ::=	{ id-pkcs-1 2 }
+id-pkcs1-md5WithRSAEncryption OBJECT IDENTIFIER ::=	{ id-pkcs-1 4 }
+id-pkcs1-sha1WithRSAEncryption OBJECT IDENTIFIER ::=	{ id-pkcs-1 5 }
+id-pkcs1-sha256WithRSAEncryption OBJECT IDENTIFIER ::=	{ id-pkcs-1 11 }
+id-pkcs1-sha384WithRSAEncryption OBJECT IDENTIFIER ::=	{ id-pkcs-1 12 }
+id-pkcs1-sha512WithRSAEncryption OBJECT IDENTIFIER ::=	{ id-pkcs-1 13 }
+
+id-heim-rsa-pkcs1-x509 OBJECT IDENTIFIER ::= { 1  2 752 43 16 1 }
+
+id-pkcs-2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
+	rsadsi(113549) pkcs(1) 2 }
+id-pkcs2-md2 OBJECT IDENTIFIER ::=		{ id-pkcs-2 2 }
+id-pkcs2-md4 OBJECT IDENTIFIER ::=		{ id-pkcs-2 4 }
+id-pkcs2-md5 OBJECT IDENTIFIER ::=		{ id-pkcs-2 5 }
+
+id-rsa-digestAlgorithm OBJECT IDENTIFIER ::= 
+{ iso(1) member-body(2) us(840) rsadsi(113549) 2 }
+
+id-rsa-digest-md2 OBJECT IDENTIFIER ::= { id-rsa-digestAlgorithm 2 }
+id-rsa-digest-md4 OBJECT IDENTIFIER ::= { id-rsa-digestAlgorithm 4 }
+id-rsa-digest-md5 OBJECT IDENTIFIER ::= { id-rsa-digestAlgorithm 5 }
+
+id-pkcs-3 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
+	rsadsi(113549) pkcs(1) 3 }
+
+id-pkcs3-rc2-cbc OBJECT IDENTIFIER ::=		{ id-pkcs-3 2 }
+id-pkcs3-rc4     OBJECT IDENTIFIER ::=		{ id-pkcs-3 4 }
+id-pkcs3-des-ede3-cbc OBJECT IDENTIFIER ::=	{ id-pkcs-3 7 }
+
+id-rsadsi-encalg OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
+	rsadsi(113549) 3 }
+
+id-rsadsi-rc2-cbc OBJECT IDENTIFIER ::=		{ id-rsadsi-encalg 2 }
+id-rsadsi-des-ede3-cbc OBJECT IDENTIFIER ::=	{ id-rsadsi-encalg 7 }
+
+id-secsig-sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
+	oiw(14) secsig(3) algorithm(2) 26 }
+
+id-nistAlgorithm OBJECT IDENTIFIER ::= {
+   joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) 4 }
+   
+id-nist-aes-algs OBJECT IDENTIFIER ::= { id-nistAlgorithm 1 }
+
+id-aes-128-cbc OBJECT IDENTIFIER ::=		{ id-nist-aes-algs 2 }
+id-aes-192-cbc OBJECT IDENTIFIER ::=		{ id-nist-aes-algs 22 }
+id-aes-256-cbc OBJECT IDENTIFIER ::=		{ id-nist-aes-algs 42 }
+
+id-nist-sha-algs OBJECT IDENTIFIER ::=		{ id-nistAlgorithm 2 }
+
+id-sha256 OBJECT IDENTIFIER ::=			{ id-nist-sha-algs 1 }
+id-sha224 OBJECT IDENTIFIER ::=			{ id-nist-sha-algs 4 }
+id-sha384 OBJECT IDENTIFIER ::=			{ id-nist-sha-algs 2 }
+id-sha512 OBJECT IDENTIFIER ::=			{ id-nist-sha-algs 3 }
+
+id-dhpublicnumber OBJECT IDENTIFIER ::= {
+        iso(1) member-body(2) us(840) ansi-x942(10046)
+        number-type(2) 1 }
 
-AttributeValue ::= OCTET STRING --ANY DEFINED BY AttributeType
+id-x9-57 OBJECT IDENTIFIER ::= {
+        iso(1) member-body(2) us(840) ansi-x942(10046)
+	4 }
+
+id-dsa OBJECT IDENTIFIER ::=		{ id-x9-57 1 }
+id-dsa-with-sha1 OBJECT IDENTIFIER ::=		{ id-x9-57 3 }
+
+-- x.520 names types
+
+id-x520-at 	OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 }
+
+id-at-commonName		OBJECT IDENTIFIER ::= { id-x520-at 3 }
+id-at-surname			OBJECT IDENTIFIER ::= { id-x520-at 4 }
+id-at-serialNumber		OBJECT IDENTIFIER ::= { id-x520-at 5 }
+id-at-countryName		OBJECT IDENTIFIER ::= { id-x520-at 6 }
+id-at-localityName		OBJECT IDENTIFIER ::= { id-x520-at 7 }
+id-at-stateOrProvinceName	OBJECT IDENTIFIER ::= { id-x520-at 8 }
+id-at-streetAddress		OBJECT IDENTIFIER ::= { id-x520-at 9 }
+id-at-organizationName		OBJECT IDENTIFIER ::= { id-x520-at 10 }
+id-at-organizationalUnitName	OBJECT IDENTIFIER ::= { id-x520-at 11 }
+id-at-name			OBJECT IDENTIFIER ::= { id-x520-at 41 }
+id-at-givenName			OBJECT IDENTIFIER ::= { id-x520-at 42 }
+id-at-initials			OBJECT IDENTIFIER ::= { id-x520-at 43 }
+id-at-generationQualifier	OBJECT IDENTIFIER ::= { id-x520-at 44 }
+id-at-pseudonym			OBJECT IDENTIFIER ::= { id-x520-at 65 }
+-- RFC 2247
+id-Userid		      	OBJECT IDENTIFIER ::=
+                          { 0 9 2342 19200300 100 1 1 }
+id-domainComponent      	OBJECT IDENTIFIER ::=
+                          { 0 9 2342 19200300 100 1 25 }
+
+
+-- rfc3280
+
+id-x509-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29}
+
+AlgorithmIdentifier ::= SEQUENCE {
+	algorithm	OBJECT IDENTIFIER,
+	parameters	heim_any OPTIONAL
+}
+
+AttributeType ::=   OBJECT IDENTIFIER
+
+AttributeValue ::=   heim_any
+
+TeletexStringx ::= [UNIVERSAL 20] IMPLICIT OCTET STRING
+
+DirectoryString ::= CHOICE {
+	ia5String	IA5String,
+	teletexString	TeletexStringx,
+	printableString	PrintableString,
+	universalString UniversalString,
+	utf8String	UTF8String,
+	bmpString	BMPString
+}
+
+Attribute ::= SEQUENCE {
+        type    AttributeType,
+        value   SET OF -- AttributeValue -- heim_any
+}
 
 AttributeTypeAndValue ::= SEQUENCE {
-	type AttributeType,
-	value AttributeValue
+        type    AttributeType,
+        value   DirectoryString
 }
 
-RelativeDistinguishedName ::= --SET
-SEQUENCE OF AttributeTypeAndValue
+RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
 
 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
 
-Name ::= CHOICE { -- RFC2459
-	x RDNSequence
+Name ::= CHOICE {
+	rdnSequence  RDNSequence
+}
+
+CertificateSerialNumber ::= INTEGER
+
+Time ::= CHOICE {
+     utcTime        UTCTime,
+     generalTime    GeneralizedTime
+}
+
+Validity ::= SEQUENCE {
+     notBefore      Time,
+     notAfter       Time
+}
+
+UniqueIdentifier  ::=  BIT STRING
+
+SubjectPublicKeyInfo  ::=  SEQUENCE  {
+     algorithm            AlgorithmIdentifier,
+     subjectPublicKey     BIT STRING
+}
+
+Extension  ::=  SEQUENCE  {
+     extnID      OBJECT IDENTIFIER,
+     critical    BOOLEAN OPTIONAL, -- DEFAULT FALSE XXX
+     extnValue   OCTET STRING
+}
+
+Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
+
+TBSCertificate  ::=  SEQUENCE  {
+     version         [0]  Version OPTIONAL, -- EXPLICIT nnn DEFAULT 1,
+     serialNumber         CertificateSerialNumber,
+     signature            AlgorithmIdentifier,
+     issuer               Name,
+     validity             Validity,
+     subject              Name,
+     subjectPublicKeyInfo SubjectPublicKeyInfo,
+     issuerUniqueID  [1]  IMPLICIT BIT STRING -- UniqueIdentifier -- OPTIONAL,
+                          -- If present, version shall be v2 or v3
+     subjectUniqueID [2]  IMPLICIT BIT STRING -- UniqueIdentifier -- OPTIONAL,
+                          -- If present, version shall be v2 or v3
+     extensions      [3]  EXPLICIT Extensions OPTIONAL
+                          -- If present, version shall be v3
+}
+
+Certificate  ::=  SEQUENCE  {
+     tbsCertificate       TBSCertificate,
+     signatureAlgorithm   AlgorithmIdentifier,
+     signatureValue       BIT STRING
+}
+
+Certificates ::= SEQUENCE OF Certificate
+
+ValidationParms ::= SEQUENCE {
+	seed		BIT STRING,
+	pgenCounter	INTEGER
+}
+
+DomainParameters ::= SEQUENCE {
+	p		INTEGER, -- odd prime, p=jq +1
+	g		INTEGER, -- generator, g
+	q		INTEGER, -- factor of p-1
+	j		INTEGER OPTIONAL, -- subgroup factor
+	validationParms	ValidationParms OPTIONAL -- ValidationParms
+}
+
+DHPublicKey ::= INTEGER
+
+OtherName ::= SEQUENCE {
+	type-id    OBJECT IDENTIFIER,
+	value      [0] EXPLICIT heim_any
+}
+
+GeneralName ::= CHOICE {
+	otherName			[0]     IMPLICIT -- OtherName -- SEQUENCE {
+		type-id    OBJECT IDENTIFIER,
+		value      [0] EXPLICIT heim_any
+	},
+	rfc822Name			[1]     IMPLICIT IA5String,
+	dNSName				[2]     IMPLICIT IA5String,
+--	x400Address			[3]     IMPLICIT ORAddress,--
+	directoryName			[4]     IMPLICIT -- Name -- CHOICE {
+		rdnSequence  RDNSequence
+	},
+--	ediPartyName			[5]     IMPLICIT EDIPartyName, --
+	uniformResourceIdentifier	[6]     IMPLICIT IA5String,
+	iPAddress			[7]     IMPLICIT OCTET STRING,
+	registeredID			[8]     IMPLICIT OBJECT IDENTIFIER
+}
+
+GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+
+id-x509-ce-keyUsage OBJECT IDENTIFIER ::=  { id-x509-ce 15 }
+
+KeyUsage ::= BIT STRING {
+	digitalSignature	(0),
+	nonRepudiation		(1),
+	keyEncipherment		(2),
+	dataEncipherment	(3),
+	keyAgreement		(4),
+	keyCertSign		(5),
+	cRLSign			(6),
+	encipherOnly		(7),
+	decipherOnly		(8)
+}
+
+id-x509-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  { id-x509-ce 35 }
+
+KeyIdentifier ::= OCTET STRING
+
+AuthorityKeyIdentifier ::= SEQUENCE {
+	keyIdentifier             [0] IMPLICIT OCTET STRING OPTIONAL,
+	authorityCertIssuer       [1] IMPLICIT -- GeneralName -- 
+		SEQUENCE -- SIZE (1..MAX) -- OF GeneralName OPTIONAL, 
+	authorityCertSerialNumber [2] IMPLICIT INTEGER OPTIONAL
+}
+
+id-x509-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-x509-ce 14 }
+
+SubjectKeyIdentifier ::= KeyIdentifier
+
+id-x509-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-x509-ce 19 }
+
+BasicConstraints ::= SEQUENCE {
+	cA                      BOOLEAN OPTIONAL -- DEFAULT FALSE --,
+	pathLenConstraint	INTEGER (0..4294967295) OPTIONAL 
 }
 
-END
\ No newline at end of file
+id-x509-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-x509-ce 30 }
+
+BaseDistance ::= INTEGER -- (0..MAX) --
+
+GeneralSubtree ::= SEQUENCE {
+	base			GeneralName,
+	minimum		[0]	IMPLICIT -- BaseDistance -- INTEGER OPTIONAL -- DEFAULT 0 --,
+	maximum		[1]	IMPLICIT -- BaseDistance -- INTEGER OPTIONAL
+}
+
+GeneralSubtrees ::= SEQUENCE -- SIZE (1..MAX) -- OF GeneralSubtree
+
+NameConstraints ::= SEQUENCE {
+	permittedSubtrees       [0]     IMPLICIT -- GeneralSubtrees -- SEQUENCE OF GeneralSubtree OPTIONAL,
+	excludedSubtrees        [1]     IMPLICIT -- GeneralSubtrees -- SEQUENCE OF GeneralSubtree OPTIONAL
+}
+
+id-x509-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::=  { id-x509-ce 16 }
+id-x509-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-x509-ce 32 }
+id-x509-ce-policyMappings OBJECT IDENTIFIER ::=  { id-x509-ce 33 }
+id-x509-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-x509-ce 17 }
+id-x509-ce-issuerAltName OBJECT IDENTIFIER ::=  { id-x509-ce 18 }
+id-x509-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::=  { id-x509-ce 9 }
+id-x509-ce-policyConstraints OBJECT IDENTIFIER ::=  { id-x509-ce 36 }
+
+id-x509-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-x509-ce 37}
+
+ExtKeyUsage ::= SEQUENCE OF OBJECT IDENTIFIER
+
+id-x509-ce-cRLDistributionPoints OBJECT IDENTIFIER ::=  { id-x509-ce 31 }
+id-x509-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-x509-ce 27 }
+id-x509-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-x509-ce 28 }
+id-x509-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-x509-ce 23 }
+id-x509-ce-invalidityDate OBJECT IDENTIFIER ::= { id-x509-ce 24 }
+id-x509-ce-certificateIssuer   OBJECT IDENTIFIER ::= { id-x509-ce 29 }
+id-x509-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::=  { id-x509-ce 54 }
+
+DistributionPointReasonFlags ::= BIT STRING {
+	unused                  (0),
+	keyCompromise           (1),
+	cACompromise            (2),
+	affiliationChanged      (3),
+	superseded              (4),
+	cessationOfOperation    (5),
+	certificateHold         (6),
+	privilegeWithdrawn      (7),
+	aACompromise            (8)
+}
+
+DistributionPointName ::= CHOICE {
+	fullName                [0]     IMPLICIT -- GeneralNames --  SEQUENCE SIZE (1..MAX) OF GeneralName,
+	nameRelativeToCRLIssuer [1]     RelativeDistinguishedName
+}
+
+DistributionPoint ::= SEQUENCE {
+	distributionPoint       [0]     IMPLICIT heim_any -- DistributionPointName -- OPTIONAL,
+	reasons                 [1]     IMPLICIT heim_any -- DistributionPointReasonFlags -- OPTIONAL,
+	cRLIssuer               [2]     IMPLICIT heim_any -- GeneralNames -- OPTIONAL
+}
+
+CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+
+
+-- rfc3279
+
+DSASigValue  ::=  SEQUENCE {
+	r	INTEGER,
+	s	INTEGER
+}
+
+DSAPublicKey ::= INTEGER
+
+DSAParams  ::=  SEQUENCE {
+	p	INTEGER,
+	q	INTEGER,
+	g	INTEGER
+}
+
+-- really pkcs1
+
+RSAPublicKey ::= SEQUENCE {
+	modulus INTEGER, -- n
+	publicExponent INTEGER -- e
+}
+
+RSAPrivateKey ::= SEQUENCE {
+	version INTEGER (0..4294967295),
+	modulus INTEGER, -- n
+	publicExponent INTEGER, -- e
+	privateExponent INTEGER, -- d
+	prime1 INTEGER, -- p
+	prime2 INTEGER, -- q
+	exponent1 INTEGER, -- d mod (p-1)
+	exponent2 INTEGER, -- d mod (q-1)
+	coefficient INTEGER -- (inverse of q) mod p
+}
+
+DigestInfo ::= SEQUENCE {
+	digestAlgorithm AlgorithmIdentifier,
+	digest OCTET STRING
+}
+
+-- some ms ext
+
+-- szOID_ENROLL_CERTTYPE_EXTENSION "1.3.6.1.4.1.311.20.2" is Encoded as a
+
+-- UNICODESTRING (0x1E tag)
+
+-- szOID_CERTIFICATE_TEMPLATE "1.3.6.1.4.1.311.21.7" is Encoded as:
+
+-- TemplateVersion ::= INTEGER (0..4294967295) 
+
+-- CertificateTemplate ::= SEQUENCE {
+--	templateID OBJECT IDENTIFIER,
+--	templateMajorVersion TemplateVersion,
+--	templateMinorVersion TemplateVersion OPTIONAL
+-- }
+
+
+--
+-- CRL
+-- 
+
+TBSCRLCertList ::=  SEQUENCE  {
+	version			Version OPTIONAL, -- if present, MUST be v2
+	signature		AlgorithmIdentifier,
+	issuer			Name,
+	thisUpdate		Time,
+	nextUpdate		Time OPTIONAL,
+	revokedCertificates     SEQUENCE OF SEQUENCE  {
+		userCertificate         CertificateSerialNumber,
+		revocationDate          Time,
+		crlEntryExtensions      Extensions OPTIONAL
+						-- if present, MUST be v2
+	} OPTIONAL,
+	crlExtensions		[0] EXPLICIT Extensions OPTIONAL
+						-- if present, MUST be v2
+}
+
+
+CRLCertificateList ::=  SEQUENCE  {
+	tbsCertList          TBSCRLCertList,
+	signatureAlgorithm   AlgorithmIdentifier,
+	signatureValue       BIT STRING
+}
+
+id-x509-ce-cRLNumber OBJECT IDENTIFIER ::= { id-x509-ce 20 }
+id-x509-ce-freshestCRL OBJECT IDENTIFIER ::=  { id-x509-ce 46 }
+id-x509-ce-cRLReason OBJECT IDENTIFIER ::= { id-x509-ce 21 }
+
+CRLReason ::= ENUMERATED {
+	unspecified             (0),
+	keyCompromise           (1),
+	cACompromise            (2),
+	affiliationChanged      (3),
+	superseded              (4),
+	cessationOfOperation    (5),
+	certificateHold         (6),
+	removeFromCRL           (8),
+	privilegeWithdrawn      (9),
+	aACompromise           (10)
+}
+
+PKIXXmppAddr ::= UTF8String
+
+id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
+            dod(6) internet(1) security(5) mechanisms(5) pkix(7) }
+
+id-pkix-on OBJECT IDENTIFIER ::= { id-pkix 8 }
+id-pkix-on-xmppAddr OBJECT IDENTIFIER ::= { id-pkix-on 5 }
+id-pkix-on-dnsSRV OBJECT IDENTIFIER ::= { id-pkix-on 7 }
+
+id-pkix-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
+id-pkix-kp-serverAuth OBJECT IDENTIFIER ::= { id-pkix-kp 1 }
+id-pkix-kp-clientAuth OBJECT IDENTIFIER ::= { id-pkix-kp 2 }
+id-pkix-kp-emailProtection OBJECT IDENTIFIER ::= { id-pkix-kp 4 }
+id-pkix-kp-timeStamping OBJECT IDENTIFIER ::= { id-pkix-kp 8 }
+id-pkix-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-pkix-kp 9 }
+
+id-pkix-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
+
+id-pkix-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pkix-pe 1 }
+
+AccessDescription  ::=  SEQUENCE {
+	accessMethod          OBJECT IDENTIFIER,
+	accessLocation        GeneralName
+}
+
+AuthorityInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF AccessDescription
+
+-- RFC 3820 Proxy Certificate Profile
+
+id-pkix-pe-proxyCertInfo OBJECT IDENTIFIER ::= { id-pkix-pe 14 }
+
+id-pkix-ppl  OBJECT IDENTIFIER ::= { id-pkix 21 }
+
+id-pkix-ppl-anyLanguage     OBJECT IDENTIFIER ::= { id-pkix-ppl 0 }
+id-pkix-ppl-inheritAll      OBJECT IDENTIFIER ::= { id-pkix-ppl 1 }
+id-pkix-ppl-independent     OBJECT IDENTIFIER ::= { id-pkix-ppl 2 }
+
+ProxyPolicy ::= SEQUENCE {
+	policyLanguage		OBJECT IDENTIFIER,
+	policy			OCTET STRING OPTIONAL
+}
+
+ProxyCertInfo ::= SEQUENCE {
+	pCPathLenConstraint	INTEGER (0..4294967295) OPTIONAL, -- really MAX
+	proxyPolicy		ProxyPolicy
+}
+
+--- U.S. Federal PKI Common Policy Framework
+-- Card Authentication key
+id-uspkicommon-card-id OBJECT IDENTIFIER ::= { 2 16 840 1 101 3 6 6 }
+id-uspkicommon-piv-interim OBJECT IDENTIFIER ::= { 2 16 840 1 101 3 6 9 1 }
+
+--- Netscape extentions
+
+id-netscape OBJECT IDENTIFIER ::= 
+    { joint-iso-itu-t(2) country(16) us(840) organization(1) netscape(113730) }
+id-netscape-cert-comment OBJECT IDENTIFIER ::= { id-netscape 1 13 }
+
+--- MS extentions
+
+id-ms-cert-enroll-domaincontroller OBJECT IDENTIFIER ::= 
+    { 1 3 6 1 4 1 311 20 2 }
+
+id-ms-client-authentication OBJECT IDENTIFIER ::= 
+ { 1 3 6 1 5 5 7 3 2 }
+
+-- DER:1e:20:00:44:00:6f:00:6d:00:61:00:69:00:6e:00:43:00:6f:00:6e:00:74:00:72:00:6f:00:6c:00:6c:00:65:00:72
+
+END
diff --git a/crypto/heimdal/lib/asn1/setchgpw2.asn1 b/crypto/heimdal/lib/asn1/setchgpw2.asn1
new file mode 100644
index 0000000..7db3854
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/setchgpw2.asn1
@@ -0,0 +1,193 @@
+-- $Id: setchgpw2.asn1 18010 2006-09-05 12:31:59Z lha $
+
+SETCHGPW2 DEFINITIONS ::=
+BEGIN
+
+IMPORTS PrincipalName, Realm, ENCTYPE FROM krb5;
+
+ProtocolErrorCode ::= ENUMERATED {
+	generic-error(0),
+	unsupported-major-version(1),
+	unsupported-minor-version(2),
+	unsupported-operation(3),
+	authorization-failed(4),
+	initial-ticket-required(5),
+	target-principal-unknown(6),
+	...
+}
+
+Key	::= SEQUENCE {
+	enc-type[0]	INTEGER,
+	key[1]		OCTET STRING,
+	...
+}
+
+Language-Tag	::= UTF8String    -- Constrained by RFC3066
+
+LangTaggedText	::= SEQUENCE {
+	language[0]	Language-Tag OPTIONAL,
+	text[1]		UTF8String,
+	...
+}
+
+-- NULL Op
+
+Req-null ::= NULL
+Rep-null ::= NULL
+Err-null ::= NULL
+
+-- Change password
+Req-change-pw ::= SEQUENCE {
+	old-pw[0]	UTF8String,
+	new-pw[1]	UTF8String OPTIONAL,
+	etypes[2]	SEQUENCE OF ENCTYPE OPTIONAL,
+	...
+}
+
+Rep-change-pw ::= SEQUENCE {
+	info-text[0]	UTF8String OPTIONAL,
+	new-pw[1]	UTF8String OPTIONAL,
+	etypes[2]	SEQUENCE OF ENCTYPE OPTIONAL
+}
+
+Err-change-pw ::= SEQUENCE {
+	help-text[0]		UTF8String OPTIONAL,
+	code[1]			ENUMERATED {
+		generic(0),
+		wont-generate-new-pw(1),
+		old-pw-incorrect(2),
+		new-pw-rejected-geneneric(3),
+		pw-change-too-short(4),
+		...
+	},
+	suggested-new-pw[2]	UTF8String OPTIONAL,
+	...
+}
+
+-- Change/Set keys
+Req-set-keys ::= SEQUENCE {
+	etypes[0]	SEQUENCE OF ENCTYPE,
+	entropy[1]	OCTET STRING,
+	...
+}
+
+Rep-set-keys ::= SEQUENCE {
+	info-text[0]		UTF8String OPTIONAL,
+	kvno[1]			INTEGER,
+	keys[2]			SEQUENCE OF Key,
+	aliases[3]	SEQUENCE OF SEQUENCE {
+		name[0] PrincipalName,
+		realm[1] Realm OPTIONAL,
+		...
+	},
+	...
+}
+
+Err-set-keys ::= SEQUENCE {
+	help-text[0]		UTF8String OPTIONAL,
+	enctypes[1]		SEQUENCE OF ENCTYPE OPTIONAL,
+	code[1]		ENUMERATED {
+		etype-no-support(0),
+		...
+	},
+	...
+}
+
+-- Get password policy
+Req-get-pw-policy ::= NULL
+
+Rep-get-pw-policy ::= SEQUENCE {
+	help-text[0]		UTF8String OPTIONAL,
+	policy-name[1]		UTF8String OPTIONAL,
+	description[2]		UTF8String OPTIONAL,
+	...
+}
+
+Err-get-pw-policy ::= NULL
+
+-- Get principal aliases
+Req-get-princ-aliases ::= NULL
+
+Rep-get-princ-aliases ::= SEQUENCE {
+	help-text[0]		UTF8String OPTIONAL,
+	aliases[1]	SEQUENCE OF SEQUENCE {
+		name[0]		PrincipalName,
+		realm[1]	Realm OPTIONAL,
+		...
+	} OPTIONAL,
+	...
+}
+
+Err-get-princ-aliases ::= NULL
+
+-- Get list of encryption types supported by KDC for new types
+Req-get-supported-etypes ::= NULL
+
+Rep-get-supported-etypes ::= SEQUENCE OF ENCTYPE
+
+Err-get-supported-etypes ::= NULL
+
+-- Choice switch
+
+Op-req ::= CHOICE {
+	null[0]			Req-null,
+	change-pw[1]		Req-change-pw,
+	set-keys[2]		Req-set-keys,
+	get-pw-policy[3]	Req-get-pw-policy,
+	get-princ-aliases[4]	Req-get-princ-aliases,
+	get-supported-etypes[5]	Req-get-supported-etypes,
+	...
+}
+ 
+Op-rep ::= CHOICE {
+	null[0]			Rep-null,
+	change-pw[1]		Rep-change-pw,
+	set-keys[2]		Rep-set-keys,
+	get-pw-policy[3]	Rep-get-pw-policy,
+	get-princ-aliases[4]	Rep-get-princ-aliases,
+	get-supported-etypes[5]	Rep-get-supported-etypes,
+	...
+}
+
+Op-error ::= CHOICE {
+	null[0]			Err-null,
+	change-pw[1]		Err-change-pw,
+	set-keys[2]		Err-set-keys,
+	get-pw-policy[3]	Err-get-pw-policy,
+	get-princ-aliases[4]	Err-get-princ-aliases,
+	get-supported-etypes[5]	Err-get-supported-etypes,
+	...
+}
+
+
+Request ::= [ APPLICATION 0 ] SEQUENCE {
+	pvno-major[0]	INTEGER DEFAULT 2,
+	pvno-minor[1]	INTEGER DEFAULT 0,
+	languages[2]	SEQUENCE OF Language-Tag OPTIONAL,
+	targ-name[3]	PrincipalName OPTIONAL,
+	targ-realm[4]	Realm OPTIONAL,
+	operation[5]	Op-Req,
+	...
+}
+
+Response ::= [ APPLICATION 1 ] SEQUENCE {
+	pvno-major[0]	INTEGER DEFAULT 2,
+	pvno-minor[1]	INTEGER DEFAULT 0,
+	language[2]	Language-Tag DEFAULT "i-default",
+	result[3]	Op-rep OPTIONAL,
+	...
+}
+
+Error-Response ::= [ APPLICATION 2 ] SEQUENCE {
+	pvno-major[0]	INTEGER DEFAULT 2,
+	pvno-minor[1]	INTEGER DEFAULT 0,
+	language[2]	Language-Tag DEFAULT "i-default",
+	error-code[3]	ProtocolErrorCode,
+	help-text[4]	UTF8String OPTIONAL,
+	op-error[5]	Op-error OP-ERROR,
+	...
+}
+
+END
+
+-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' setchgpw2.asn1
diff --git a/crypto/heimdal/lib/asn1/symbol.c b/crypto/heimdal/lib/asn1/symbol.c
index 5f69c10..9407915 100644
--- a/crypto/heimdal/lib/asn1/symbol.c
+++ b/crypto/heimdal/lib/asn1/symbol.c
@@ -1,90 +1,110 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
 #include "gen_locl.h"
+#include "lex.h"
 
-RCSID("$Id: symbol.c,v 1.9 2001/09/25 13:39:27 assar Exp $");
+RCSID("$Id: symbol.c 15617 2005-07-12 06:27:42Z lha $");
 
 static Hashtab *htab;
 
 static int
-cmp (void *a, void *b)
+cmp(void *a, void *b)
 {
-  Symbol *s1 = (Symbol *)a;
-  Symbol *s2 = (Symbol *)b;
+    Symbol *s1 = (Symbol *) a;
+    Symbol *s2 = (Symbol *) b;
 
-  return strcmp (s1->name, s2->name);
+    return strcmp(s1->name, s2->name);
 }
 
 static unsigned
-hash (void *a)
+hash(void *a)
 {
-  Symbol *s = (Symbol *)a;
+    Symbol *s = (Symbol *) a;
 
-  return hashjpw (s->name);
+    return hashjpw(s->name);
 }
 
 void
-initsym (void)
+initsym(void)
 {
-  htab = hashtabnew (101, cmp, hash);
+    htab = hashtabnew(101, cmp, hash);
 }
 
 
 void
-output_name (char *s)
+output_name(char *s)
 {
-  char *p;
+    char *p;
 
-  for (p = s; *p; ++p)
-    if (*p == '-')
-      *p = '_';
+    for (p = s; *p; ++p)
+	if (*p == '-')
+	    *p = '_';
 }
 
-Symbol*
-addsym (char *name)
+Symbol *
+addsym(char *name)
 {
-  Symbol key, *s;
+    Symbol key, *s;
 
-  key.name = name;
-  s = (Symbol *)hashtabsearch (htab, (void *)&key);
-  if (s == NULL) {
-    s = (Symbol *)malloc (sizeof (*s));
-    s->name = name;
-    s->gen_name = strdup(name);
-    output_name (s->gen_name);
-    s->stype = SUndefined;
-    hashtabadd (htab, s);
-  }
-  return s;
+    key.name = name;
+    s = (Symbol *) hashtabsearch(htab, (void *) &key);
+    if (s == NULL) {
+	s = (Symbol *) emalloc(sizeof(*s));
+	s->name = name;
+	s->gen_name = estrdup(name);
+	output_name(s->gen_name);
+	s->stype = SUndefined;
+	hashtabadd(htab, s);
+    }
+    return s;
+}
+
+static int
+checkfunc(void *ptr, void *arg)
+{
+    Symbol *s = ptr;
+    if (s->stype == SUndefined) {
+	error_message("%s is still undefined\n", s->name);
+	*(int *) arg = 1;
+    }
+    return 0;
+}
+
+int
+checkundefined(void)
+{
+    int f = 0;
+    hashtabforeach(htab, checkfunc, &f);
+    return f;
 }
diff --git a/crypto/heimdal/lib/asn1/symbol.h b/crypto/heimdal/lib/asn1/symbol.h
index 1bd9cd8..d07caf5 100644
--- a/crypto/heimdal/lib/asn1/symbol.h
+++ b/crypto/heimdal/lib/asn1/symbol.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,48 +31,125 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: symbol.h,v 1.6 2001/09/25 13:39:27 assar Exp $ */
+/* $Id: symbol.h 19539 2006-12-28 17:15:05Z lha $ */
 
 #ifndef _SYMBOL_H
 #define _SYMBOL_H
 
-enum typetype { TInteger, TOctetString, TBitString, TSequence, TSequenceOf,
-		TGeneralizedTime, TGeneralString, TApplication, TType, 
-		TUInteger, TEnumerated, TOID };
+#include "asn1_queue.h"
+
+enum typetype { 
+    TBitString,
+    TBoolean,
+    TChoice, 
+    TEnumerated,
+    TGeneralString, 
+    TGeneralizedTime, 
+    TIA5String,
+    TInteger, 
+    TNull,
+    TOID, 
+    TOctetString, 
+    TPrintableString,
+    TSequence, 
+    TSequenceOf,
+    TSet, 
+    TSetOf,
+    TTag, 
+    TType, 
+    TUTCTime, 
+    TUTF8String,
+    TBMPString,
+    TUniversalString,
+    TVisibleString
+};
 
 typedef enum typetype Typetype;
 
 struct type;
 
+struct value {
+    enum { booleanvalue, 
+	   nullvalue, 
+	   integervalue, 
+	   stringvalue, 
+	   objectidentifiervalue
+    } type;
+    union {
+	int booleanvalue;
+	int integervalue;
+	char *stringvalue;
+	struct objid *objectidentifiervalue;
+    } u;
+};
+
 struct member {
-  char *name;
-  char *gen_name;
-  int val;
-  int optional;
-  struct type *type;
-  struct member *next, *prev;
+    char *name;
+    char *gen_name;
+    char *label;
+    int val;
+    int optional;
+    int ellipsis;
+    struct type *type;
+    ASN1_TAILQ_ENTRY(member) members;
+    struct value *defval;
 };
 
 typedef struct member Member;
 
+ASN1_TAILQ_HEAD(memhead, member);
+
 struct symbol;
 
+struct tagtype {
+    int tagclass;
+    int tagvalue;
+    enum { TE_IMPLICIT, TE_EXPLICIT } tagenv;
+};
+
+struct range {
+    int min;
+    int max;
+};
+
+enum ctype { CT_CONTENTS, CT_USER } ;
+
+struct constraint_spec;
+
 struct type {
-  Typetype type;
-  int application;
-  Member *members;
-  struct type *subtype;
-  struct symbol *symbol;
+    Typetype type;
+    struct memhead *members;
+    struct symbol *symbol;
+    struct type *subtype;
+    struct tagtype tag;
+    struct range *range;
+    struct constraint_spec *constraint;
 };
 
 typedef struct type Type;
 
+struct constraint_spec {
+    enum ctype ctype;
+    union {
+	struct {
+	    Type *type;
+	    struct value *encoding;
+	} content;
+    } u;
+};
+
+struct objid {
+    const char *label;
+    int value;
+    struct objid *next;
+};
+
 struct symbol {
-  char *name;
-  char *gen_name;
-  enum { SUndefined, SConstant, Stype } stype;
-  int constant;
-  Type *type;
+    char *name;
+    char *gen_name;
+    enum { SUndefined, SValue, Stype } stype;
+    struct value *value;
+    Type *type;
 };
 
 typedef struct symbol Symbol;
@@ -80,4 +157,5 @@ typedef struct symbol Symbol;
 void initsym (void);
 Symbol *addsym (char *);
 void output_name (char *);
+int checkundefined(void);
 #endif
diff --git a/crypto/heimdal/lib/asn1/test.asn1 b/crypto/heimdal/lib/asn1/test.asn1
new file mode 100644
index 0000000..b2f58a2
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/test.asn1
@@ -0,0 +1,95 @@
+-- $Id: test.asn1 21455 2007-07-10 12:51:19Z lha $ --
+
+TEST DEFINITIONS ::=
+
+BEGIN
+
+IMPORTS heim_any FROM heim;
+
+TESTLargeTag ::= SEQUENCE {
+	foo[127] INTEGER (-2147483648..2147483647)
+}
+
+TESTSeq ::= SEQUENCE {
+	tag0[0] INTEGER (-2147483648..2147483647),
+	tag1[1] TESTLargeTag,
+	tagless INTEGER (-2147483648..2147483647),
+	tag3[2] INTEGER (-2147483648..2147483647)
+}
+
+TESTChoice1 ::= CHOICE {
+	i1[1]	INTEGER (-2147483648..2147483647),
+	i2[2]	INTEGER (-2147483648..2147483647),
+	...	
+}
+
+TESTChoice2 ::= CHOICE {
+	i1[1]	INTEGER (-2147483648..2147483647),
+	...	
+}
+
+TESTInteger ::= INTEGER (-2147483648..2147483647)
+
+TESTInteger2 ::= [4] IMPLICIT TESTInteger
+TESTInteger3 ::= [5] IMPLICIT TESTInteger2
+
+TESTImplicit ::= SEQUENCE {
+	ti1[0] IMPLICIT INTEGER (-2147483648..2147483647),
+	ti2[1] IMPLICIT SEQUENCE { 
+		foo[127] INTEGER (-2147483648..2147483647)
+	},
+	ti3[2] IMPLICIT [5] IMPLICIT [4] IMPLICIT INTEGER (-2147483648..2147483647)
+}
+
+TESTImplicit2 ::= SEQUENCE {
+	ti1[0] IMPLICIT TESTInteger,
+	ti2[1] IMPLICIT TESTLargeTag,
+	ti3[2] IMPLICIT TESTInteger3
+}
+
+TESTAllocInner ::= SEQUENCE {
+	ai[0] TESTInteger
+}
+
+TESTAlloc ::= SEQUENCE {
+	  tagless TESTAllocInner OPTIONAL,
+	  three [1] INTEGER (-2147483648..2147483647),
+	  tagless2 heim_any OPTIONAL
+}
+
+
+TESTCONTAINING ::= OCTET STRING ( CONTAINING INTEGER )
+TESTENCODEDBY ::= OCTET STRING ( ENCODED BY 
+  { joint-iso-itu-t(2) asn(1) ber-derived(2) distinguished-encoding(1) }
+)
+
+TESTDer OBJECT IDENTIFIER ::= { 
+	joint-iso-itu-t(2) asn(1) ber-derived(2) distinguished-encoding(1)
+}
+
+TESTCONTAININGENCODEDBY ::= OCTET STRING ( CONTAINING INTEGER ENCODED BY 
+  { joint-iso-itu-t(2) asn(1) ber-derived(2) distinguished-encoding(1) }
+)
+
+TESTCONTAININGENCODEDBY2 ::= OCTET STRING ( 
+	CONTAINING INTEGER ENCODED BY TESTDer
+)
+
+
+TESTValue1 INTEGER ::= 1
+
+TESTUSERCONSTRAINED ::= OCTET STRING (CONSTRAINED BY { -- meh -- })
+-- TESTUSERCONSTRAINED2 ::= OCTET STRING (CONSTRAINED BY { TESTInteger })
+-- TESTUSERCONSTRAINED3 ::= OCTET STRING (CONSTRAINED BY { INTEGER })
+-- TESTUSERCONSTRAINED4 ::= OCTET STRING (CONSTRAINED BY { INTEGER : 1 })
+
+TESTSeqOf ::= SEQUENCE OF TESTInteger
+
+TESTSeqSizeOf1 ::= SEQUENCE SIZE (2) OF TESTInteger
+TESTSeqSizeOf2 ::= SEQUENCE SIZE (1..2) OF TESTInteger
+TESTSeqSizeOf3 ::= SEQUENCE SIZE (1..MAX) OF TESTInteger
+TESTSeqSizeOf4 ::= SEQUENCE SIZE (MIN..2) OF TESTInteger
+
+TESTOSSize1 ::= OCTET STRING SIZE (1..2)
+
+END
diff --git a/crypto/heimdal/lib/asn1/test.gen b/crypto/heimdal/lib/asn1/test.gen
new file mode 100644
index 0000000..d0fc7d9
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/test.gen
@@ -0,0 +1,14 @@
+# $Id: test.gen 15617 2005-07-12 06:27:42Z lha $
+# Sample for TESTSeq in test.asn1
+#
+
+UNIV CONS Sequence 23
+  CONTEXT CONS 0 3
+    UNIV PRIM Integer 1 01
+   CONTEXT CONS 1 8
+     UNIV CONS Sequence 6
+       CONTEXT CONS 127 3
+         UNIV PRIM Integer 1 01
+   UNIV PRIM Integer 1 01
+   CONTEXT CONS 2 3
+     UNIV PRIM Integer 1 01
diff --git a/crypto/heimdal/lib/asn1/timegm.c b/crypto/heimdal/lib/asn1/timegm.c
index bdc997f..33b9684 100644
--- a/crypto/heimdal/lib/asn1/timegm.c
+++ b/crypto/heimdal/lib/asn1/timegm.c
@@ -33,9 +33,7 @@
 
 #include "der_locl.h"
 
-RCSID("$Id: timegm.c,v 1.7 1999/12/02 17:05:02 joda Exp $");
-
-#ifndef HAVE_TIMEGM
+RCSID("$Id: timegm.c 21366 2007-06-27 10:06:22Z lha $");
 
 static int
 is_leap(unsigned y)
@@ -44,8 +42,14 @@ is_leap(unsigned y)
     return (y % 4) == 0 && ((y % 100) != 0 || (y % 400) == 0);
 }
 
+/* 
+ * This is a simplifed version of timegm(3) that doesn't accept out of
+ * bound values that timegm(3) normally accepts but those are not
+ * valid in asn1 encodings.
+ */
+
 time_t
-timegm (struct tm *tm)
+_der_timegm (struct tm *tm)
 {
   static const unsigned ndays[2][12] ={
     {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31},
@@ -53,6 +57,19 @@ timegm (struct tm *tm)
   time_t res = 0;
   unsigned i;
 
+  if (tm->tm_year < 0) 
+      return -1;
+  if (tm->tm_mon < 0 || tm->tm_mon > 11) 
+      return -1;
+  if (tm->tm_mday < 1 || tm->tm_mday > ndays[is_leap(tm->tm_year)][tm->tm_mon])
+      return -1;
+  if (tm->tm_hour < 0 || tm->tm_hour > 23) 
+      return -1;
+  if (tm->tm_min < 0 || tm->tm_min > 59) 
+      return -1;
+  if (tm->tm_sec < 0 || tm->tm_sec > 59) 
+      return -1;
+
   for (i = 70; i < tm->tm_year; ++i)
     res += is_leap(i) ? 366 : 365;
 
@@ -67,5 +84,3 @@ timegm (struct tm *tm)
   res += tm->tm_sec;
   return res;
 }
-
-#endif /* HAVE_TIMEGM */
diff --git a/crypto/heimdal/lib/auth/ChangeLog b/crypto/heimdal/lib/auth/ChangeLog
index c85ad35..1ef62c0 100644
--- a/crypto/heimdal/lib/auth/ChangeLog
+++ b/crypto/heimdal/lib/auth/ChangeLog
@@ -1,14 +1,52 @@
+2007-12-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* sia/Makefile.am: One EXTRA_DIST is enought, from dave love.
+
+	* pam/Makefile.am: Add SRCS to EXTRA_DIST
+
+	* afskauthlib/Makefile.am: SRCS
+
+2006-10-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* pam/Makefile.am: use libtool to build binaries
+	
+2005-05-02  Dave Love  <fx@gnu.org>
+	
+	* afskauthlib/Makefile.am (afskauthlib.so): Use libtool.
+	(.c.o): Use CC (like SIA module), not COMPILE.
+
+2005-04-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* sia/sia.c: fix getpw*_r calls, they return 0 even when the entry
+	isn't found and instead make it with setting return pointer to
+	NULL.  From Luke Mewburn <lukem@NetBSD.org>
+
 2004-09-08  Johan Danielsson  <joda@pdc.kth.se>
 
-	* afskauthlib/verify.c: pull up 1.27->1.28: use
-	krb5_appdefault_boolean instead of krb5_config_get_bool
+	* afskauthlib/verify.c: use krb5_appdefault_boolean instead of
+	krb5_config_get_bool
+
+2003-09-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* sia/sia.c: Add support for AFS when using Kerberos 5, From:
+	Sergio.Gelato@astro.su.se
+	
+2003-07-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* pam/Makefile.am: XXX inline COMPILE since automake wont add it
+	
+	* afskauthlib/verify.c (verify_krb5): use krb5_cc_clear_mcred
+	
+2003-05-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* sia/Makefile.am: inline COMPILE since (modern) automake doesn't
+	add it by itself for some reason
 
-2003-05-08  Love Hörnquist Åstrand <lha@it.su.se>
+2003-04-30  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* sia/Makefile.am: 1.15->1.16: inline COMPILE since (modern)
-	automake doesn't add it by itself for some reason
+	* afskauthlib/Makefile.am: always includes kafs now that its built
 	
-2003-03-27  Love Hörnquist Åstrand <lha@it.su.se>
+2003-03-27  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* sia/Makefile.am: libkafs is always built now, lets include it
 	
diff --git a/crypto/heimdal/lib/auth/Makefile.am b/crypto/heimdal/lib/auth/Makefile.am
index 0310dc3..c62903c 100644
--- a/crypto/heimdal/lib/auth/Makefile.am
+++ b/crypto/heimdal/lib/auth/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.2 1999/03/21 17:11:08 joda Exp $
+# $Id: Makefile.am 5683 1999-03-21 17:11:08Z joda $
 
 include $(top_srcdir)/Makefile.am.common
 
diff --git a/crypto/heimdal/lib/auth/Makefile.in b/crypto/heimdal/lib/auth/Makefile.in
index 0eafe82..d7200ce 100644
--- a/crypto/heimdal/lib/auth/Makefile.in
+++ b/crypto/heimdal/lib/auth/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,20 +14,16 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.2 1999/03/21 17:11:08 joda Exp $
+# $Id: Makefile.am 5683 1999-03-21 17:11:08Z joda $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -39,6 +35,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -46,16 +43,14 @@ DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 subdir = lib/auth
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -68,6 +63,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -76,16 +72,20 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
 depcomp =
@@ -94,21 +94,18 @@ SOURCES =
 DIST_SOURCES =
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	html-recursive info-recursive install-data-recursive \
-	install-exec-recursive install-info-recursive \
-	install-recursive installcheck-recursive installdirs-recursive \
-	pdf-recursive ps-recursive uninstall-info-recursive \
-	uninstall-recursive
+	install-dvi-recursive install-exec-recursive \
+	install-html-recursive install-info-recursive \
+	install-pdf-recursive install-ps-recursive install-recursive \
+	installcheck-recursive installdirs-recursive pdf-recursive \
+	ps-recursive uninstall-recursive
+RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
+  distclean-recursive maintainer-clean-recursive
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -118,8 +115,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -130,11 +125,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -142,42 +136,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -195,12 +174,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -210,15 +186,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -227,6 +202,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -238,15 +214,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -254,74 +225,79 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -338,13 +314,14 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 SUBDIRS = @LIB_AUTH_SUBDIRS@
 DIST_SUBDIRS = afskauthlib pam sia
 all: all-recursive
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -381,10 +358,6 @@ mostlyclean-libtool:
 clean-libtool:
 	-rm -rf .libs _libs
 
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
-
 # This directory's subdirectories are mostly independent; you can cd
 # into them and run `make' without going through this Makefile.
 # To change the values of `make' variables: instead of editing Makefiles,
@@ -392,7 +365,13 @@ uninstall-info-am:
 #     (which will cause the Makefiles to be regenerated when you run `make');
 # (2) otherwise, pass the desired values on the `make' command line.
 $(RECURSIVE_TARGETS):
-	@set fnord $$MAKEFLAGS; amf=$$2; \
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
 	dot_seen=no; \
 	target=`echo $@ | sed s/-recursive//`; \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
@@ -404,15 +383,20 @@ $(RECURSIVE_TARGETS):
 	    local_target="$$target"; \
 	  fi; \
 	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
-	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	  || eval $$failcom; \
 	done; \
 	if test "$$dot_seen" = "no"; then \
 	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
 	fi; test -z "$$fail"
 
-mostlyclean-recursive clean-recursive distclean-recursive \
-maintainer-clean-recursive:
-	@set fnord $$MAKEFLAGS; amf=$$2; \
+$(RECURSIVE_CLEAN_TARGETS):
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
 	dot_seen=no; \
 	case "$@" in \
 	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
@@ -433,7 +417,7 @@ maintainer-clean-recursive:
 	    local_target="$$target"; \
 	  fi; \
 	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
-	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	  || eval $$failcom; \
 	done && test -z "$$fail"
 tags-recursive:
 	list='$(SUBDIRS)'; for subdir in $$list; do \
@@ -458,14 +442,16 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
 	tags=; \
 	here=`pwd`; \
-	if (etags --etags-include --version) >/dev/null 2>&1; then \
+	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
 	  include_option=--etags-include; \
+	  empty_fix=.; \
 	else \
 	  include_option=--include; \
+	  empty_fix=; \
 	fi; \
 	list='$(SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
-	    test -f $$subdir/TAGS && \
+	    test ! -f $$subdir/TAGS || \
 	      tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \
 	  fi; \
 	done; \
@@ -475,9 +461,11 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS: ctags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -502,23 +490,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../.. $(distdir)/../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -532,12 +518,16 @@ distdir: $(DISTFILES)
 	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
 	    test -d "$(distdir)/$$subdir" \
-	    || mkdir "$(distdir)/$$subdir" \
+	    || $(MKDIR_P) "$(distdir)/$$subdir" \
 	    || exit 1; \
+	    distdir=`$(am__cd) $(distdir) && pwd`; \
+	    top_distdir=`$(am__cd) $(top_distdir) && pwd`; \
 	    (cd $$subdir && \
 	      $(MAKE) $(AM_MAKEFLAGS) \
-	        top_distdir="../$(top_distdir)" \
-	        distdir="../$(distdir)/$$subdir" \
+	        top_distdir="$$top_distdir" \
+	        distdir="$$distdir/$$subdir" \
+		am__remove_distdir=: \
+		am__skip_length_check=: \
 	        distdir) \
 	      || exit 1; \
 	  fi; \
@@ -570,7 +560,7 @@ mostlyclean-generic:
 clean-generic:
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -581,8 +571,7 @@ clean-am: clean-generic clean-libtool mostlyclean-am
 
 distclean: distclean-recursive
 	-rm -f Makefile
-distclean-am: clean-am distclean-generic distclean-libtool \
-	distclean-tags
+distclean-am: clean-am distclean-generic distclean-tags
 
 dvi: dvi-recursive
 
@@ -598,14 +587,22 @@ install-data-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-recursive
+
 install-exec-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-recursive
+
 install-info: install-info-recursive
 
 install-man:
 
+install-pdf: install-pdf-recursive
+
+install-ps: install-ps-recursive
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-recursive
@@ -624,22 +621,27 @@ ps: ps-recursive
 
 ps-am:
 
-uninstall-am: uninstall-info-am
-
-uninstall-info: uninstall-info-recursive
-
-.PHONY: $(RECURSIVE_TARGETS) CTAGS GTAGS all all-am all-local check \
-	check-am check-local clean clean-generic clean-libtool \
-	clean-recursive ctags ctags-recursive distclean \
-	distclean-generic distclean-libtool distclean-recursive \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-exec \
-	install-exec-am install-info install-info-am install-man \
-	install-strip installcheck installcheck-am installdirs \
-	installdirs-am maintainer-clean maintainer-clean-generic \
-	maintainer-clean-recursive mostlyclean mostlyclean-generic \
-	mostlyclean-libtool mostlyclean-recursive pdf pdf-am ps ps-am \
-	tags tags-recursive uninstall uninstall-am uninstall-info-am
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \
+	install-data-am install-exec-am install-strip uninstall-am
+
+.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
+	all all-am all-local check check-am check-local clean \
+	clean-generic clean-libtool ctags ctags-recursive dist-hook \
+	distclean distclean-generic distclean-libtool distclean-tags \
+	distdir dvi dvi-am html html-am info info-am install \
+	install-am install-data install-data-am install-data-hook \
+	install-dvi install-dvi-am install-exec install-exec-am \
+	install-exec-hook install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs installdirs-am maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \
+	uninstall uninstall-am uninstall-hook
 
 
 install-suid-programs:
@@ -654,8 +656,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -665,19 +667,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -693,7 +707,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -763,14 +777,39 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/lib/auth/afskauthlib/Makefile.am b/crypto/heimdal/lib/auth/afskauthlib/Makefile.am
index 8d9faae..1eec4f5 100644
--- a/crypto/heimdal/lib/auth/afskauthlib/Makefile.am
+++ b/crypto/heimdal/lib/auth/afskauthlib/Makefile.am
@@ -1,8 +1,8 @@
-# $Id: Makefile.am,v 1.6 2001/07/15 04:21:07 assar Exp $
+# $Id: Makefile.am 22298 2007-12-14 06:38:06Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += $(INCLUDE_krb4)
+AM_CPPFLAGS += $(INCLUDE_krb4)
 
 DEFS = @DEFS@
 
@@ -17,14 +17,14 @@ OBJS = verify.o
 CLEANFILES = $(foo_DATA) $(OBJS) so_locations
 
 afskauthlib.so: $(OBJS)
-	$(LINK) -shared $(OBJS) $(L)
+	$(LIBTOOL) --mode=link $(CC) -shared -o $@ $(OBJS) $(L) $(LDFLAGS)
 
 .c.o:
-	$(COMPILE) -c $<
+	$(CC) $(DEFS) $(DEFAULT_AM_CPPFLAGS) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) \
+	-c `test -f '$<' || echo '$(srcdir)/'`$<
 
-if KRB4
 KAFS = $(top_builddir)/lib/kafs/libkafs.la
-endif
 
 if KRB5
 L = \
@@ -32,7 +32,7 @@ L = \
 	$(top_builddir)/lib/krb5/libkrb5.la	\
 	$(top_builddir)/lib/asn1/libasn1.la	\
 	$(LIB_krb4)				\
-	$(LIB_des)				\
+	$(LIB_hcrypto)				\
 	$(top_builddir)/lib/roken/libroken.la	\
 	-lc
 
@@ -41,9 +41,11 @@ else
 L = \
 	$(KAFS)	\
 	$(LIB_krb4)				\
-	$(LIB_des)				\
+	$(LIB_hcrypto)				\
 	$(top_builddir)/lib/roken/libroken.la	\
 	-lc
 endif
 
 $(OBJS): $(top_builddir)/include/config.h
+
+EXTRA_DIST = $(SRCS)
diff --git a/crypto/heimdal/lib/auth/afskauthlib/Makefile.in b/crypto/heimdal/lib/auth/afskauthlib/Makefile.in
index ef36bf5..89c966a 100644
--- a/crypto/heimdal/lib/auth/afskauthlib/Makefile.in
+++ b/crypto/heimdal/lib/auth/afskauthlib/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,21 +14,17 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.6 2001/07/15 04:21:07 assar Exp $
+# $Id: Makefile.am 22298 2007-12-14 06:38:06Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -40,6 +36,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -47,16 +44,14 @@ DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 subdir = lib/auth/afskauthlib
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -69,6 +64,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -77,34 +73,38 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
 depcomp =
 am__depfiles_maybe =
 SOURCES =
 DIST_SOURCES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
 am__installdirs = "$(DESTDIR)$(foodir)"
 fooDATA_INSTALL = $(INSTALL_DATA)
 DATA = $(foo_DATA)
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -114,8 +114,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -126,11 +124,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -138,42 +135,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -191,12 +173,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -206,15 +185,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -223,6 +201,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -234,15 +213,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -250,74 +224,80 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .o
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .o
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	$(INCLUDE_krb4)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -334,17 +314,18 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 foodir = $(libdir)
 foo_DATA = afskauthlib.so
 SRCS = verify.c
 OBJS = verify.o
 CLEANFILES = $(foo_DATA) $(OBJS) so_locations
-@KRB4_TRUE@KAFS = $(top_builddir)/lib/kafs/libkafs.la
+KAFS = $(top_builddir)/lib/kafs/libkafs.la
 @KRB5_FALSE@L = \
 @KRB5_FALSE@	$(KAFS)	\
 @KRB5_FALSE@	$(LIB_krb4)				\
-@KRB5_FALSE@	$(LIB_des)				\
+@KRB5_FALSE@	$(LIB_hcrypto)				\
 @KRB5_FALSE@	$(top_builddir)/lib/roken/libroken.la	\
 @KRB5_FALSE@	-lc
 
@@ -353,14 +334,15 @@ CLEANFILES = $(foo_DATA) $(OBJS) so_locations
 @KRB5_TRUE@	$(top_builddir)/lib/krb5/libkrb5.la	\
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la	\
 @KRB5_TRUE@	$(LIB_krb4)				\
-@KRB5_TRUE@	$(LIB_des)				\
+@KRB5_TRUE@	$(LIB_hcrypto)				\
 @KRB5_TRUE@	$(top_builddir)/lib/roken/libroken.la	\
 @KRB5_TRUE@	-lc
 
+EXTRA_DIST = $(SRCS)
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .o
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .o
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -396,16 +378,12 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 install-fooDATA: $(foo_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(foodir)" || $(mkdir_p) "$(DESTDIR)$(foodir)"
+	test -z "$(foodir)" || $(MKDIR_P) "$(DESTDIR)$(foodir)"
 	@list='$(foo_DATA)'; for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  f=$(am__strip_dir) \
 	  echo " $(fooDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(foodir)/$$f'"; \
 	  $(fooDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(foodir)/$$f"; \
 	done
@@ -413,7 +391,7 @@ install-fooDATA: $(foo_DATA)
 uninstall-fooDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(foo_DATA)'; for p in $$list; do \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  f=$(am__strip_dir) \
 	  echo " rm -f '$(DESTDIR)$(foodir)/$$f'"; \
 	  rm -f "$(DESTDIR)$(foodir)/$$f"; \
 	done
@@ -425,23 +403,21 @@ CTAGS:
 
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../../.. $(distdir)/../../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -461,7 +437,7 @@ check: check-am
 all-am: Makefile $(DATA) all-local
 installdirs:
 	for dir in "$(DESTDIR)$(foodir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -483,7 +459,7 @@ clean-generic:
 	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -494,7 +470,7 @@ clean-am: clean-generic clean-libtool mostlyclean-am
 
 distclean: distclean-am
 	-rm -f Makefile
-distclean-am: clean-am distclean-generic distclean-libtool
+distclean-am: clean-am distclean-generic
 
 dvi: dvi-am
 
@@ -510,14 +486,22 @@ install-data-am: install-fooDATA
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man:
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -536,18 +520,26 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-fooDATA uninstall-info-am
+uninstall-am: uninstall-fooDATA
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
 
 .PHONY: all all-am all-local check check-am check-local clean \
-	clean-generic clean-libtool distclean distclean-generic \
-	distclean-libtool distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-exec \
-	install-exec-am install-fooDATA install-info install-info-am \
-	install-man install-strip installcheck installcheck-am \
+	clean-generic clean-libtool dist-hook distclean \
+	distclean-generic distclean-libtool distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-fooDATA \
+	install-html install-html-am install-info install-info-am \
+	install-man install-pdf install-pdf-am install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
 	installdirs maintainer-clean maintainer-clean-generic \
 	mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
 	ps ps-am uninstall uninstall-am uninstall-fooDATA \
-	uninstall-info-am
+	uninstall-hook
 
 
 install-suid-programs:
@@ -562,8 +554,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -573,19 +565,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -601,7 +605,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -671,20 +675,47 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
 
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
 afskauthlib.so: $(OBJS)
-	$(LINK) -shared $(OBJS) $(L)
+	$(LIBTOOL) --mode=link $(CC) -shared -o $@ $(OBJS) $(L) $(LDFLAGS)
 
 .c.o:
-	$(COMPILE) -c $<
+	$(CC) $(DEFS) $(DEFAULT_AM_CPPFLAGS) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) \
+	-c `test -f '$<' || echo '$(srcdir)/'`$<
 
 $(OBJS): $(top_builddir)/include/config.h
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/crypto/heimdal/lib/auth/afskauthlib/verify.c b/crypto/heimdal/lib/auth/afskauthlib/verify.c
index 3f24298..ff0141b 100644
--- a/crypto/heimdal/lib/auth/afskauthlib/verify.c
+++ b/crypto/heimdal/lib/auth/afskauthlib/verify.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995-2000, 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995-2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: verify.c,v 1.25.12.1 2004/09/08 09:14:26 joda Exp $");
+RCSID("$Id: verify.c 14203 2004-09-08 09:02:59Z joda $");
 #endif
 #include <unistd.h>
 #include <sys/types.h>
@@ -175,6 +175,8 @@ verify_krb5(struct passwd *pwd,
 	    CREDENTIALS c;
 	    krb5_creds mcred, cred;
 
+	    krb5_cc_clear_mcred(&mcred);
+
 	    krb5_make_principal(context, &mcred.server, realm,
 				"krbtgt",
 				realm,
@@ -189,14 +191,14 @@ verify_krb5(struct passwd *pwd,
 		    tf_setup(&c, c.pname, c.pinst); 
 		}
 		memset(&c, 0, sizeof(c));
-		krb5_free_creds_contents(context, &cred);
+		krb5_free_cred_contents(context, &cred);
 	    } else
 		syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_retrieve_cred: %s", 
 		       krb5_get_err_text(context, ret));
 	    
 	    krb5_free_principal(context, mcred.server);
 	}
-	free(realm);
+	free (realm);
 	if (!pag_set && k_hasafs()) {
 	    k_setpag();
 	    pag_set = 1;
diff --git a/crypto/heimdal/lib/auth/pam/Makefile.am b/crypto/heimdal/lib/auth/pam/Makefile.am
index 963d2ce..c4d0eb5 100644
--- a/crypto/heimdal/lib/auth/pam/Makefile.am
+++ b/crypto/heimdal/lib/auth/pam/Makefile.am
@@ -1,8 +1,8 @@
-# $Id: Makefile.am,v 1.4 2002/05/19 18:43:44 joda Exp $
+# $Id: Makefile.am 22299 2007-12-14 06:39:19Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += $(INCLUDE_krb4)
+AM_CPPFLAGS += $(INCLUDE_krb4)
 
 WFLAGS += $(WFLAGS_NOIMPLICITINT)
 
@@ -19,14 +19,14 @@ KAFS_S=$(top_builddir)/lib/kafs/.libs/libkafs.so
 L = \
 	$(KAFS)						\
 	$(top_builddir)/lib/krb/.libs/libkrb.a		\
-	$(LIB_des_a)		\
+	$(LIB_hcrypto_a)		\
 	$(top_builddir)/lib/roken/.libs/libroken.a	\
 	-lc
 
 L_shared = \
 	$(KAFS_S)					\
 	$(top_builddir)/lib/krb/.libs/libkrb.so		\
-	$(LIB_des_so)		\
+	$(LIB_hcrypto_so)		\
 	$(top_builddir)/lib/roken/.libs/libroken.so	\
 	$(LIB_getpwnam_r)				\
 	-lc
@@ -35,22 +35,21 @@ MOD = pam_krb4.so
 
 endif
 
-EXTRA_DIST = pam.conf.add
-
 foodir = $(libdir)
 foo_DATA = $(MOD)
 
 LDFLAGS = @LDFLAGS@
 
+SRCS = pam.c
 OBJS = pam.o
 
 pam_krb4.so: $(OBJS)
 	@if test -f $(top_builddir)/lib/krb/.libs/libkrb.a; then \
-		echo "$(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L)"; \
-		$(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L); \
+		echo "$(LIBTOOL) --mode=link --tag=CC $(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L)"; \
+		$(LIBTOOL) --mode=link --tag=CC $(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L); \
 	elif test -f $(top_builddir)/lib/krb/.libs/libkrb.so; then \
-		echo "$(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared)"; \
-		$(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared); \
+		echo "$(LIBTOOL) --mode=link --tag=CC $(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared)"; \
+		$(LIBTOOL) --mode=link --tag=CC $(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared); \
 	else \
 		echo "missing libraries"; exit 1; \
 	fi
@@ -59,5 +58,12 @@ CLEANFILES = $(MOD) $(OBJS)
 
 SUFFIXES += .c .o
 
+# XXX inline COMPILE since automake wont add it
+
 .c.o:
-	$(COMPILE) -c $<
+	$(LIBTOOL) --mode=compile --tag=CC $(CC) \
+	$(DEFS) $(DEFAULT_AM_CPPFLAGS) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) \
+	-c `test -f '$<' || echo '$(srcdir)/'`$<
+
+EXTRA_DIST = pam.conf.add $(SRCS)
diff --git a/crypto/heimdal/lib/auth/pam/Makefile.in b/crypto/heimdal/lib/auth/pam/Makefile.in
index 349c18c..0f9e084 100644
--- a/crypto/heimdal/lib/auth/pam/Makefile.in
+++ b/crypto/heimdal/lib/auth/pam/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,21 +14,17 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.4 2002/05/19 18:43:44 joda Exp $
+# $Id: Makefile.am 22299 2007-12-14 06:39:19Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -40,6 +36,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -47,16 +44,14 @@ DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 subdir = lib/auth/pam
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -69,6 +64,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -77,34 +73,38 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
 depcomp =
 am__depfiles_maybe =
 SOURCES =
 DIST_SOURCES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
 am__installdirs = "$(DESTDIR)$(foodir)"
 fooDATA_INSTALL = $(INSTALL_DATA)
 DATA = $(foo_DATA)
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -114,8 +114,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -126,11 +124,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -138,42 +135,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -191,12 +173,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -206,15 +185,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -223,6 +201,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -234,15 +213,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -250,74 +224,80 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@ $(WFLAGS_NOIMPLICITINT)
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .o
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .o
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	$(INCLUDE_krb4)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -334,34 +314,36 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 @KRB4_TRUE@KAFS = $(top_builddir)/lib/kafs/.libs/libkafs.a
 @KRB4_TRUE@KAFS_S = $(top_builddir)/lib/kafs/.libs/libkafs.so
 @KRB4_TRUE@L = \
 @KRB4_TRUE@	$(KAFS)						\
 @KRB4_TRUE@	$(top_builddir)/lib/krb/.libs/libkrb.a		\
-@KRB4_TRUE@	$(LIB_des_a)		\
+@KRB4_TRUE@	$(LIB_hcrypto_a)		\
 @KRB4_TRUE@	$(top_builddir)/lib/roken/.libs/libroken.a	\
 @KRB4_TRUE@	-lc
 
 @KRB4_TRUE@L_shared = \
 @KRB4_TRUE@	$(KAFS_S)					\
 @KRB4_TRUE@	$(top_builddir)/lib/krb/.libs/libkrb.so		\
-@KRB4_TRUE@	$(LIB_des_so)		\
+@KRB4_TRUE@	$(LIB_hcrypto_so)		\
 @KRB4_TRUE@	$(top_builddir)/lib/roken/.libs/libroken.so	\
 @KRB4_TRUE@	$(LIB_getpwnam_r)				\
 @KRB4_TRUE@	-lc
 
 @KRB4_TRUE@MOD = pam_krb4.so
-EXTRA_DIST = pam.conf.add
 foodir = $(libdir)
 foo_DATA = $(MOD)
+SRCS = pam.c
 OBJS = pam.o
 CLEANFILES = $(MOD) $(OBJS)
+EXTRA_DIST = pam.conf.add $(SRCS)
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .o
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .o
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -397,16 +379,12 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 install-fooDATA: $(foo_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(foodir)" || $(mkdir_p) "$(DESTDIR)$(foodir)"
+	test -z "$(foodir)" || $(MKDIR_P) "$(DESTDIR)$(foodir)"
 	@list='$(foo_DATA)'; for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  f=$(am__strip_dir) \
 	  echo " $(fooDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(foodir)/$$f'"; \
 	  $(fooDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(foodir)/$$f"; \
 	done
@@ -414,7 +392,7 @@ install-fooDATA: $(foo_DATA)
 uninstall-fooDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(foo_DATA)'; for p in $$list; do \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  f=$(am__strip_dir) \
 	  echo " rm -f '$(DESTDIR)$(foodir)/$$f'"; \
 	  rm -f "$(DESTDIR)$(foodir)/$$f"; \
 	done
@@ -426,23 +404,21 @@ CTAGS:
 
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../../.. $(distdir)/../../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -462,7 +438,7 @@ check: check-am
 all-am: Makefile $(DATA) all-local
 installdirs:
 	for dir in "$(DESTDIR)$(foodir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -484,7 +460,7 @@ clean-generic:
 	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -495,7 +471,7 @@ clean-am: clean-generic clean-libtool mostlyclean-am
 
 distclean: distclean-am
 	-rm -f Makefile
-distclean-am: clean-am distclean-generic distclean-libtool
+distclean-am: clean-am distclean-generic
 
 dvi: dvi-am
 
@@ -511,14 +487,22 @@ install-data-am: install-fooDATA
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man:
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -537,18 +521,26 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-fooDATA uninstall-info-am
+uninstall-am: uninstall-fooDATA
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
 
 .PHONY: all all-am all-local check check-am check-local clean \
-	clean-generic clean-libtool distclean distclean-generic \
-	distclean-libtool distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-exec \
-	install-exec-am install-fooDATA install-info install-info-am \
-	install-man install-strip installcheck installcheck-am \
+	clean-generic clean-libtool dist-hook distclean \
+	distclean-generic distclean-libtool distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-fooDATA \
+	install-html install-html-am install-info install-info-am \
+	install-man install-pdf install-pdf-am install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
 	installdirs maintainer-clean maintainer-clean-generic \
 	mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
 	ps ps-am uninstall uninstall-am uninstall-fooDATA \
-	uninstall-info-am
+	uninstall-hook
 
 
 install-suid-programs:
@@ -563,8 +555,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -574,19 +566,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -602,7 +606,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -672,28 +676,58 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
 
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
 pam_krb4.so: $(OBJS)
 	@if test -f $(top_builddir)/lib/krb/.libs/libkrb.a; then \
-		echo "$(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L)"; \
-		$(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L); \
+		echo "$(LIBTOOL) --mode=link --tag=CC $(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L)"; \
+		$(LIBTOOL) --mode=link --tag=CC $(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L); \
 	elif test -f $(top_builddir)/lib/krb/.libs/libkrb.so; then \
-		echo "$(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared)"; \
-		$(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared); \
+		echo "$(LIBTOOL) --mode=link --tag=CC $(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared)"; \
+		$(LIBTOOL) --mode=link --tag=CC $(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared); \
 	else \
 		echo "missing libraries"; exit 1; \
 	fi
 
+# XXX inline COMPILE since automake wont add it
+
 .c.o:
-	$(COMPILE) -c $<
+	$(LIBTOOL) --mode=compile --tag=CC $(CC) \
+	$(DEFS) $(DEFAULT_AM_CPPFLAGS) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) \
+	-c `test -f '$<' || echo '$(srcdir)/'`$<
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/lib/auth/pam/pam.c b/crypto/heimdal/lib/auth/pam/pam.c
index 68446c3..ed5071b 100644
--- a/crypto/heimdal/lib/auth/pam/pam.c
+++ b/crypto/heimdal/lib/auth/pam/pam.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include<config.h>
-RCSID("$Id: pam.c,v 1.28 2002/09/09 15:57:24 joda Exp $");
+RCSID("$Id: pam.c 11417 2002-09-09 15:57:24Z joda $");
 #endif
 
 #include <stdio.h>
diff --git a/crypto/heimdal/lib/auth/sia/Makefile.am b/crypto/heimdal/lib/auth/sia/Makefile.am
index 30bf011..7b6aedd 100644
--- a/crypto/heimdal/lib/auth/sia/Makefile.am
+++ b/crypto/heimdal/lib/auth/sia/Makefile.am
@@ -1,8 +1,8 @@
-# $Id: Makefile.am,v 1.15.2.1 2003/05/08 10:31:48 lha Exp $
+# $Id: Makefile.am 22304 2007-12-14 12:18:18Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += $(INCLUDE_krb4)
+AM_CPPFLAGS += $(INCLUDE_krb4)
 
 WFLAGS += $(WFLAGS_NOIMPLICITINT)
 
@@ -21,7 +21,7 @@ L = \
 	$(top_builddir)/lib/krb5/.libs/libkrb5.a	\
 	$(top_builddir)/lib/asn1/.libs/libasn1.a	\
 	$(LIB_krb4)					\
-	$(LIB_des_a)					\
+	$(LIB_hcrypto_a)					\
 	$(LIB_com_err_a)				\
 	$(top_builddir)/lib/roken/.libs/libroken.a	\
 	$(LIB_getpwnam_r)				\
@@ -32,7 +32,7 @@ L_shared = \
 	$(top_builddir)/lib/krb5/.libs/libkrb5.so	\
 	$(top_builddir)/lib/asn1/.libs/libasn1.so	\
 	$(LIB_krb4)					\
-	$(LIB_des_so)					\
+	$(LIB_hcrypto_so)					\
 	$(LIB_com_err_so)				\
 	$(top_builddir)/lib/roken/.libs/libroken.so	\
 	$(LIB_getpwnam_r)				\
@@ -46,7 +46,7 @@ L = \
 	$(KAFS)						\
 	$(top_builddir)/lib/kadm/.libs/libkadm.a	\
 	$(top_builddir)/lib/krb/.libs/libkrb.a		\
-	$(LIB_des_a)		\
+	$(LIB_hcrypto_a)		\
 	$(top_builddir)/lib/com_err/.libs/libcom_err.a	\
 	$(top_builddir)/lib/roken/.libs/libroken.a	\
 	$(LIB_getpwnam_r)				\
@@ -56,7 +56,7 @@ L_shared = \
 	$(KAFS_S)					\
 	$(top_builddir)/lib/kadm/.libs/libkadm.so	\
 	$(top_builddir)/lib/krb/.libs/libkrb.so		\
-	$(LIB_des_so)		\
+	$(LIB_hcrypto_so)		\
 	$(top_builddir)/lib/com_err/.libs/libcom_err.so	\
 	$(top_builddir)/lib/roken/.libs/libroken.so	\
 	$(LIB_getpwnam_r)				\
@@ -66,14 +66,12 @@ MOD = libsia_krb4.so
 
 endif
 
-EXTRA_DIST = sia.c krb4_matrix.conf krb4+c2_matrix.conf \
-	krb5_matrix.conf krb5+c2_matrix.conf security.patch
-
 foodir = $(libdir)
 foo_DATA = $(MOD)
 
 LDFLAGS = @LDFLAGS@ -rpath $(libdir) -Wl,-hidden -Wl,-exported_symbol -Wl,siad_\* 
 
+SRCS = sia.c posix_getpw.c sia_locl.h
 OBJS = sia.o posix_getpw.o
 
 libsia_krb5.so: $(OBJS)
@@ -107,6 +105,12 @@ SUFFIXES += .c .o
 # XXX inline COMPILE since automake wont add it
 
 .c.o:
-	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CC) $(DEFS) $(DEFAULT_AM_CPPFLAGS) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) \
 	-c `test -f '$<' || echo '$(srcdir)/'`$<
+
+EXTRA_DIST = sia.c sia_locl.h posix_getpw.c \
+	krb4_matrix.conf krb4+c2_matrix.conf \
+	krb5_matrix.conf krb5+c2_matrix.conf \
+	security.patch \
+	make-rpath $(SRCS)
diff --git a/crypto/heimdal/lib/auth/sia/Makefile.in b/crypto/heimdal/lib/auth/sia/Makefile.in
index b6dd8f8..88f6257 100644
--- a/crypto/heimdal/lib/auth/sia/Makefile.in
+++ b/crypto/heimdal/lib/auth/sia/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,21 +14,17 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.15.2.1 2003/05/08 10:31:48 lha Exp $
+# $Id: Makefile.am 22304 2007-12-14 12:18:18Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -40,6 +36,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -47,16 +44,14 @@ DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 subdir = lib/auth/sia
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -69,6 +64,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -77,34 +73,38 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
 depcomp =
 am__depfiles_maybe =
 SOURCES =
 DIST_SOURCES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
 am__installdirs = "$(DESTDIR)$(foodir)"
 fooDATA_INSTALL = $(INSTALL_DATA)
 DATA = $(foo_DATA)
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -114,8 +114,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -126,11 +124,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -138,42 +135,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@ -rpath $(libdir) -Wl,-hidden -Wl,-exported_symbol -Wl,siad_\* 
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -191,12 +173,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -206,15 +185,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -223,6 +201,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -234,15 +213,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -250,74 +224,80 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@ $(WFLAGS_NOIMPLICITINT)
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .o
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .o
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	$(INCLUDE_krb4)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -334,6 +314,7 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 KAFS = $(top_builddir)/lib/kafs/.libs/libkafs.a
 KAFS_S = $(top_builddir)/lib/kafs/.libs/libkafs.so
@@ -341,7 +322,7 @@ KAFS_S = $(top_builddir)/lib/kafs/.libs/libkafs.so
 @KRB5_FALSE@	$(KAFS)						\
 @KRB5_FALSE@	$(top_builddir)/lib/kadm/.libs/libkadm.a	\
 @KRB5_FALSE@	$(top_builddir)/lib/krb/.libs/libkrb.a		\
-@KRB5_FALSE@	$(LIB_des_a)		\
+@KRB5_FALSE@	$(LIB_hcrypto_a)		\
 @KRB5_FALSE@	$(top_builddir)/lib/com_err/.libs/libcom_err.a	\
 @KRB5_FALSE@	$(top_builddir)/lib/roken/.libs/libroken.a	\
 @KRB5_FALSE@	$(LIB_getpwnam_r)				\
@@ -352,7 +333,7 @@ KAFS_S = $(top_builddir)/lib/kafs/.libs/libkafs.so
 @KRB5_TRUE@	$(top_builddir)/lib/krb5/.libs/libkrb5.a	\
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/.libs/libasn1.a	\
 @KRB5_TRUE@	$(LIB_krb4)					\
-@KRB5_TRUE@	$(LIB_des_a)					\
+@KRB5_TRUE@	$(LIB_hcrypto_a)					\
 @KRB5_TRUE@	$(LIB_com_err_a)				\
 @KRB5_TRUE@	$(top_builddir)/lib/roken/.libs/libroken.a	\
 @KRB5_TRUE@	$(LIB_getpwnam_r)				\
@@ -362,7 +343,7 @@ KAFS_S = $(top_builddir)/lib/kafs/.libs/libkafs.so
 @KRB5_FALSE@	$(KAFS_S)					\
 @KRB5_FALSE@	$(top_builddir)/lib/kadm/.libs/libkadm.so	\
 @KRB5_FALSE@	$(top_builddir)/lib/krb/.libs/libkrb.so		\
-@KRB5_FALSE@	$(LIB_des_so)		\
+@KRB5_FALSE@	$(LIB_hcrypto_so)		\
 @KRB5_FALSE@	$(top_builddir)/lib/com_err/.libs/libcom_err.so	\
 @KRB5_FALSE@	$(top_builddir)/lib/roken/.libs/libroken.so	\
 @KRB5_FALSE@	$(LIB_getpwnam_r)				\
@@ -373,7 +354,7 @@ KAFS_S = $(top_builddir)/lib/kafs/.libs/libkafs.so
 @KRB5_TRUE@	$(top_builddir)/lib/krb5/.libs/libkrb5.so	\
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/.libs/libasn1.so	\
 @KRB5_TRUE@	$(LIB_krb4)					\
-@KRB5_TRUE@	$(LIB_des_so)					\
+@KRB5_TRUE@	$(LIB_hcrypto_so)					\
 @KRB5_TRUE@	$(LIB_com_err_so)				\
 @KRB5_TRUE@	$(top_builddir)/lib/roken/.libs/libroken.so	\
 @KRB5_TRUE@	$(LIB_getpwnam_r)				\
@@ -381,17 +362,21 @@ KAFS_S = $(top_builddir)/lib/kafs/.libs/libkafs.so
 
 @KRB5_FALSE@MOD = libsia_krb4.so
 @KRB5_TRUE@MOD = libsia_krb5.so
-EXTRA_DIST = sia.c krb4_matrix.conf krb4+c2_matrix.conf \
-	krb5_matrix.conf krb5+c2_matrix.conf security.patch
-
 foodir = $(libdir)
 foo_DATA = $(MOD)
+SRCS = sia.c posix_getpw.c sia_locl.h
 OBJS = sia.o posix_getpw.o
 CLEANFILES = $(MOD) $(OBJS) so_locations
+EXTRA_DIST = sia.c sia_locl.h posix_getpw.c \
+	krb4_matrix.conf krb4+c2_matrix.conf \
+	krb5_matrix.conf krb5+c2_matrix.conf \
+	security.patch \
+	make-rpath $(SRCS)
+
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .o
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .o
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -427,16 +412,12 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 install-fooDATA: $(foo_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(foodir)" || $(mkdir_p) "$(DESTDIR)$(foodir)"
+	test -z "$(foodir)" || $(MKDIR_P) "$(DESTDIR)$(foodir)"
 	@list='$(foo_DATA)'; for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  f=$(am__strip_dir) \
 	  echo " $(fooDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(foodir)/$$f'"; \
 	  $(fooDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(foodir)/$$f"; \
 	done
@@ -444,7 +425,7 @@ install-fooDATA: $(foo_DATA)
 uninstall-fooDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(foo_DATA)'; for p in $$list; do \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  f=$(am__strip_dir) \
 	  echo " rm -f '$(DESTDIR)$(foodir)/$$f'"; \
 	  rm -f "$(DESTDIR)$(foodir)/$$f"; \
 	done
@@ -456,23 +437,21 @@ CTAGS:
 
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../../.. $(distdir)/../../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -492,7 +471,7 @@ check: check-am
 all-am: Makefile $(DATA) all-local
 installdirs:
 	for dir in "$(DESTDIR)$(foodir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -514,7 +493,7 @@ clean-generic:
 	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -525,7 +504,7 @@ clean-am: clean-generic clean-libtool mostlyclean-am
 
 distclean: distclean-am
 	-rm -f Makefile
-distclean-am: clean-am distclean-generic distclean-libtool
+distclean-am: clean-am distclean-generic
 
 dvi: dvi-am
 
@@ -541,14 +520,22 @@ install-data-am: install-fooDATA
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man:
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -567,18 +554,26 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-fooDATA uninstall-info-am
+uninstall-am: uninstall-fooDATA
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
 
 .PHONY: all all-am all-local check check-am check-local clean \
-	clean-generic clean-libtool distclean distclean-generic \
-	distclean-libtool distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-exec \
-	install-exec-am install-fooDATA install-info install-info-am \
-	install-man install-strip installcheck installcheck-am \
+	clean-generic clean-libtool dist-hook distclean \
+	distclean-generic distclean-libtool distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-fooDATA \
+	install-html install-html-am install-info install-info-am \
+	install-man install-pdf install-pdf-am install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
 	installdirs maintainer-clean maintainer-clean-generic \
 	mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
 	ps ps-am uninstall uninstall-am uninstall-fooDATA \
-	uninstall-info-am
+	uninstall-hook
 
 
 install-suid-programs:
@@ -593,8 +588,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -604,19 +599,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -632,7 +639,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -702,15 +709,40 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
 
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
 libsia_krb5.so: $(OBJS)
 	@if test -f $(top_builddir)/lib/krb5/.libs/libkrb5.a; then \
 		echo "$(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L)`"; \
@@ -738,7 +770,7 @@ libsia_krb4.so: $(OBJS)
 # XXX inline COMPILE since automake wont add it
 
 .c.o:
-	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CC) $(DEFS) $(DEFAULT_AM_CPPFLAGS) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) \
 	-c `test -f '$<' || echo '$(srcdir)/'`$<
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/crypto/heimdal/lib/auth/sia/krb4+c2_matrix.conf b/crypto/heimdal/lib/auth/sia/krb4+c2_matrix.conf
index 4b90e02..47b5cd4 100644
--- a/crypto/heimdal/lib/auth/sia/krb4+c2_matrix.conf
+++ b/crypto/heimdal/lib/auth/sia/krb4+c2_matrix.conf
@@ -29,7 +29,7 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 # SUCH DAMAGE. 
 
-# $Id: krb4+c2_matrix.conf,v 1.4 1999/12/02 16:58:37 joda Exp $
+# $Id: krb4+c2_matrix.conf 7463 1999-12-02 16:58:55Z joda $
 
 # sia matrix configuration file (Kerberos 4 + C2)
 
diff --git a/crypto/heimdal/lib/auth/sia/krb4_matrix.conf b/crypto/heimdal/lib/auth/sia/krb4_matrix.conf
index 4f55a81..17d6d13 100644
--- a/crypto/heimdal/lib/auth/sia/krb4_matrix.conf
+++ b/crypto/heimdal/lib/auth/sia/krb4_matrix.conf
@@ -29,7 +29,7 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 # SUCH DAMAGE. 
 
-# $Id: krb4_matrix.conf,v 1.6 1999/12/02 16:58:37 joda Exp $
+# $Id: krb4_matrix.conf 7463 1999-12-02 16:58:55Z joda $
 
 # sia matrix configuration file (Kerberos 4 + BSD)
 
diff --git a/crypto/heimdal/lib/auth/sia/krb5+c2_matrix.conf b/crypto/heimdal/lib/auth/sia/krb5+c2_matrix.conf
index c2952e2..ada8ba5 100644
--- a/crypto/heimdal/lib/auth/sia/krb5+c2_matrix.conf
+++ b/crypto/heimdal/lib/auth/sia/krb5+c2_matrix.conf
@@ -1,4 +1,4 @@
-# $Id: krb5+c2_matrix.conf,v 1.2 1998/11/26 20:58:18 assar Exp $
+# $Id: krb5+c2_matrix.conf 5254 1998-11-26 20:58:18Z assar $
 
 # sia matrix configuration file (Kerberos 5 + C2)
 
diff --git a/crypto/heimdal/lib/auth/sia/krb5_matrix.conf b/crypto/heimdal/lib/auth/sia/krb5_matrix.conf
index e880472..ab07956 100644
--- a/crypto/heimdal/lib/auth/sia/krb5_matrix.conf
+++ b/crypto/heimdal/lib/auth/sia/krb5_matrix.conf
@@ -1,4 +1,4 @@
-# $Id: krb5_matrix.conf,v 1.2 2001/08/28 08:49:20 joda Exp $
+# $Id: krb5_matrix.conf 10576 2001-08-28 08:49:20Z joda $
 
 # sia matrix configuration file (Kerberos 5 + BSD)
 
diff --git a/crypto/heimdal/lib/auth/sia/make-rpath b/crypto/heimdal/lib/auth/sia/make-rpath
index 2223aa0..4aa297e 100755
--- a/crypto/heimdal/lib/auth/sia/make-rpath
+++ b/crypto/heimdal/lib/auth/sia/make-rpath
@@ -1,5 +1,5 @@
 #!/bin/sh
-# $Id: make-rpath,v 1.1 2001/07/17 15:15:31 assar Exp $
+# $Id: make-rpath 10345 2001-07-17 15:15:31Z assar $
 rlist=
 rest=
 while test $# -gt 0; do
diff --git a/crypto/heimdal/lib/auth/sia/posix_getpw.c b/crypto/heimdal/lib/auth/sia/posix_getpw.c
index c5961dc..65d7a2e 100644
--- a/crypto/heimdal/lib/auth/sia/posix_getpw.c
+++ b/crypto/heimdal/lib/auth/sia/posix_getpw.c
@@ -32,7 +32,7 @@
 
 #include "sia_locl.h"
 
-RCSID("$Id: posix_getpw.c,v 1.1 1999/03/21 17:07:02 joda Exp $");
+RCSID("$Id: posix_getpw.c 5680 1999-03-21 17:07:02Z joda $");
 
 #ifndef POSIX_GETPWNAM_R
 /* 
diff --git a/crypto/heimdal/lib/auth/sia/sia.c b/crypto/heimdal/lib/auth/sia/sia.c
index d2de063..640b868 100644
--- a/crypto/heimdal/lib/auth/sia/sia.c
+++ b/crypto/heimdal/lib/auth/sia/sia.c
@@ -33,7 +33,7 @@
 
 #include "sia_locl.h"
 
-RCSID("$Id: sia.c,v 1.36 2001/09/13 01:19:14 assar Exp $");
+RCSID("$Id: sia.c 14838 2005-04-19 04:41:07Z lha $");
 
 int 
 siad_init(void)
@@ -125,7 +125,7 @@ doauth(SIAENTITY *entity, int pkgind, char *name)
     int secure;
 #endif
 	
-    if(getpwnam_r(name, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0){
+    if(getpwnam_r(name, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0 || pwd == NULL){
 	SIA_DEBUG(("DEBUG", "failed to getpwnam(%s)", name));
 	return SIADFAIL;
     }
@@ -162,7 +162,7 @@ doauth(SIAENTITY *entity, int pkgind, char *name)
 #else
 	ouid = getuid();
 #endif
-	if(getpwuid_r(ouid, &fpw, fpwbuf, sizeof(fpwbuf), &fpwd) != 0){
+	if(getpwuid_r(ouid, &fpw, fpwbuf, sizeof(fpwbuf), &fpwd) != 0 || fpwd == NULL){
 	    SIA_DEBUG(("DEBUG", "failed to getpwuid(%u)", ouid));
 	    return SIADFAIL;
 	}
@@ -328,7 +328,19 @@ siad_ses_launch(sia_collect_func_t *collect,
 #endif
 	putenv(env);
     }
-#ifdef KRB4
+#ifdef SIA_KRB5
+    if (k_hasafs()) {
+	char cell[64];
+	krb5_ccache ccache;
+	if(krb5_cc_resolve(s->context, s->ticket, &ccache) == 0) {
+	    k_setpag();
+	    if(k_afs_cell_of_file(entity->pwd->pw_dir, cell, sizeof(cell)) == 0)
+		krb5_afslog(s->context, ccache, cell, 0);
+	    krb5_afslog_home(s->context, ccache, 0, 0, entity->pwd->pw_dir);
+	}
+    }
+#endif
+#ifdef SIA_KRB4
     if (k_hasafs()) {
 	char cell[64];
 	k_setpag();
@@ -390,7 +402,20 @@ siad_ses_reauthent (sia_collect_func_t *collect,
            duplicate some code here... */
 	struct state *s = (struct state*)entity->mech[pkgind];
 	chown(s->ticket, entity->pwd->pw_uid, entity->pwd->pw_gid);
-#ifdef KRB4
+#ifdef SIA_KRB5
+	if (k_hasafs()) {
+	    char cell[64];
+	    krb5_ccache ccache;
+	    if(krb5_cc_resolve(s->context, s->ticket, &ccache) == 0) {
+		k_setpag();
+		if(k_afs_cell_of_file(entity->pwd->pw_dir, 
+				      cell, sizeof(cell)) == 0)
+		    krb5_afslog(s->context, ccache, cell, 0);
+		krb5_afslog_home(s->context, ccache, 0, 0, entity->pwd->pw_dir);
+	    }
+	}
+#endif
+#ifdef SIA_KRB4
 	if(k_hasafs()) {
 	    char cell[64];
 	    if(k_afs_cell_of_file(entity->pwd->pw_dir, 
diff --git a/crypto/heimdal/lib/auth/sia/sia_locl.h b/crypto/heimdal/lib/auth/sia/sia_locl.h
index 7b41159..81e8439 100644
--- a/crypto/heimdal/lib/auth/sia/sia_locl.h
+++ b/crypto/heimdal/lib/auth/sia/sia_locl.h
@@ -30,7 +30,7 @@
  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
 
-/* $Id: sia_locl.h,v 1.3 2001/09/13 01:15:34 assar Exp $ */
+/* $Id: sia_locl.h 10688 2001-09-13 01:15:34Z assar $ */
 
 #ifndef __sia_locl_h__
 #define __sia_locl_h__
diff --git a/crypto/heimdal/lib/com_err/ChangeLog b/crypto/heimdal/lib/com_err/ChangeLog
index 23d5403..dbeb8fb 100644
--- a/crypto/heimdal/lib/com_err/ChangeLog
+++ b/crypto/heimdal/lib/com_err/ChangeLog
@@ -1,3 +1,72 @@
+2007-07-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: split source files in dist and nodist.
+
+2007-07-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Only do roken rename for the library.
+
+2007-07-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: use version script.
+	
+	* version-script.map: use version script.
+
+2007-07-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: New library version.
+	
+2006-10-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am (compile_et_SOURCES): add lex.h
+	
+2005-12-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* com_err.3: Document the _r functions.
+	
+2005-07-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* com_err.h: Include <stdarg.h> for va_list to help AIX 5.2.
+	
+2005-06-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* parse.y: rename base to base_id since flex defines a function
+	with the argument base
+
+	* compile_et.h: rename base to base_id since flex defines a
+	function with the argument base
+
+	* compile_et.c: rename base to base_id since flex defines a
+	function with the argument base
+
+	* parse.y (name2number): rename base to num to avoid shadowing
+	
+	* compile_et.c: rename optind to optidx
+	
+2005-05-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* parse.y: check allocation errors
+
+	* lex.l: check allocation errors correctly
+	
+	* compile_et.h: include <err.h>
+	
+	* (main): compile_et.c: use strlcpy
+	
+2005-04-29  Dave Love  <fx@gnu.org>
+
+	* Makefile.am (LDADD): Add libcom_err.la
+
+2005-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* include strlcpy and *printf and use them
+
+2005-02-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* com_right.h: de-__P
+
+	* com_err.h: de-__P
+
 2002-08-20  Johan Danielsson  <joda@pdc.kth.se>
 
 	* compile_et.c: don't add comma after last enum member
diff --git a/crypto/heimdal/lib/com_err/Makefile.am b/crypto/heimdal/lib/com_err/Makefile.am
index ae48cb5..64d4976 100644
--- a/crypto/heimdal/lib/com_err/Makefile.am
+++ b/crypto/heimdal/lib/com_err/Makefile.am
@@ -1,24 +1,39 @@
-# $Id: Makefile.am,v 1.27 2002/03/10 23:52:41 assar Exp $
+# $Id: Makefile.am 21619 2007-07-17 07:34:00Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
 YFLAGS = -d
 
 lib_LTLIBRARIES = libcom_err.la
-libcom_err_la_LDFLAGS = -version-info 2:1:1
+libcom_err_la_LDFLAGS = -version-info 2:3:1
+
+if versionscript
+libcom_err_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
+endif
 
 bin_PROGRAMS = compile_et
 
 include_HEADERS = com_err.h com_right.h
 
-compile_et_SOURCES = compile_et.c compile_et.h parse.y lex.l
+compile_et_SOURCES = compile_et.c compile_et.h parse.y lex.l lex.h
 
-libcom_err_la_SOURCES = error.c com_err.c roken_rename.h
+libcom_err_la_CPPFLAGS = $(ROKEN_RENAME)
+dist_libcom_err_la_SOURCES = error.c com_err.c roken_rename.h
 
-CLEANFILES = lex.c parse.c parse.h
+if do_roken_rename
+nodist_libcom_err_la_SOURCES = snprintf.c strlcpy.c
+endif
 
 $(compile_et_OBJECTS): parse.h parse.c ## XXX broken automake 1.4s
 
 compile_et_LDADD = \
+	libcom_err.la \
 	$(LIB_roken) \
 	$(LEXLIB)
+
+snprintf.c:
+	$(LN_S) $(srcdir)/../roken/snprintf.c .
+strlcpy.c:
+	$(LN_S) $(srcdir)/../roken/strlcpy.c .
+
+EXTRA_DIST = version-script.map
diff --git a/crypto/heimdal/lib/com_err/Makefile.in b/crypto/heimdal/lib/com_err/Makefile.in
index 579f9c1..2581001 100644
--- a/crypto/heimdal/lib/com_err/Makefile.in
+++ b/crypto/heimdal/lib/com_err/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,25 +14,19 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.27 2002/03/10 23:52:41 assar Exp $
+# $Id: Makefile.am 21619 2007-07-17 07:34:00Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
 
 
-SOURCES = $(libcom_err_la_SOURCES) $(compile_et_SOURCES)
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -44,25 +38,25 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(include_HEADERS) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \
 	$(top_srcdir)/cf/Makefile.am.common ChangeLog lex.c parse.c \
 	parse.h
+@versionscript_TRUE@am__append_1 = $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
 bin_PROGRAMS = compile_et$(EXEEXT)
 subdir = lib/com_err
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -75,6 +69,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -83,62 +78,82 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(includedir)"
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" \
+	"$(DESTDIR)$(includedir)"
 libLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(lib_LTLIBRARIES)
 libcom_err_la_LIBADD =
-am_libcom_err_la_OBJECTS = error.lo com_err.lo
-libcom_err_la_OBJECTS = $(am_libcom_err_la_OBJECTS)
+dist_libcom_err_la_OBJECTS = libcom_err_la-error.lo \
+	libcom_err_la-com_err.lo
+@do_roken_rename_TRUE@nodist_libcom_err_la_OBJECTS =  \
+@do_roken_rename_TRUE@	libcom_err_la-snprintf.lo \
+@do_roken_rename_TRUE@	libcom_err_la-strlcpy.lo
+libcom_err_la_OBJECTS = $(dist_libcom_err_la_OBJECTS) \
+	$(nodist_libcom_err_la_OBJECTS)
+libcom_err_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libcom_err_la_LDFLAGS) $(LDFLAGS) -o $@
 binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(bin_PROGRAMS)
 am_compile_et_OBJECTS = compile_et.$(OBJEXT) parse.$(OBJEXT) \
 	lex.$(OBJEXT)
 compile_et_OBJECTS = $(am_compile_et_OBJECTS)
 am__DEPENDENCIES_1 =
-compile_et_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+compile_et_DEPENDENCIES = libcom_err.la $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1)
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MAINTAINER_MODE_FALSE@am__skiplex = test -f $@ ||
 LEXCOMPILE = $(LEX) $(LFLAGS) $(AM_LFLAGS)
-LTLEXCOMPILE = $(LIBTOOL) --mode=compile $(LEX) $(LFLAGS) $(AM_LFLAGS)
+LTLEXCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(LEX) $(LFLAGS) $(AM_LFLAGS)
+YLWRAP = $(top_srcdir)/ylwrap
+@MAINTAINER_MODE_FALSE@am__skipyacc = test -f $@ ||
 YACCCOMPILE = $(YACC) $(YFLAGS) $(AM_YFLAGS)
-LTYACCCOMPILE = $(LIBTOOL) --mode=compile $(YACC) $(YFLAGS) \
-	$(AM_YFLAGS)
-SOURCES = $(libcom_err_la_SOURCES) $(compile_et_SOURCES)
-DIST_SOURCES = $(libcom_err_la_SOURCES) $(compile_et_SOURCES)
+LTYACCCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(YACC) $(YFLAGS) $(AM_YFLAGS)
+SOURCES = $(dist_libcom_err_la_SOURCES) \
+	$(nodist_libcom_err_la_SOURCES) $(compile_et_SOURCES)
+DIST_SOURCES = $(dist_libcom_err_la_SOURCES) $(compile_et_SOURCES)
 includeHEADERS_INSTALL = $(INSTALL_HEADER)
 HEADERS = $(include_HEADERS)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -148,8 +163,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -160,11 +173,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -172,42 +184,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -225,12 +222,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -240,15 +234,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -257,6 +250,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -268,15 +262,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -284,74 +273,79 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = -d
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -368,22 +362,25 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
-YFLAGS = -d
 lib_LTLIBRARIES = libcom_err.la
-libcom_err_la_LDFLAGS = -version-info 2:1:1
+libcom_err_la_LDFLAGS = -version-info 2:3:1 $(am__append_1)
 include_HEADERS = com_err.h com_right.h
-compile_et_SOURCES = compile_et.c compile_et.h parse.y lex.l
-libcom_err_la_SOURCES = error.c com_err.c roken_rename.h
-CLEANFILES = lex.c parse.c parse.h
+compile_et_SOURCES = compile_et.c compile_et.h parse.y lex.l lex.h
+libcom_err_la_CPPFLAGS = $(ROKEN_RENAME)
+dist_libcom_err_la_SOURCES = error.c com_err.c roken_rename.h
+@do_roken_rename_TRUE@nodist_libcom_err_la_SOURCES = snprintf.c strlcpy.c
 compile_et_LDADD = \
+	libcom_err.la \
 	$(LIB_roken) \
 	$(LEXLIB)
 
+EXTRA_DIST = version-script.map
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .l .lo .o .obj .y
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .l .lo .o .obj .y
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -415,10 +412,10 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)"
+	test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    f="`echo $$p | sed -e 's|^.*/||'`"; \
+	    f=$(am__strip_dir) \
 	    echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \
 	    $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \
 	  else :; fi; \
@@ -427,7 +424,7 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 uninstall-libLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
-	    p="`echo $$p | sed -e 's|^.*/||'`"; \
+	  p=$(am__strip_dir) \
 	  echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \
 	  $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \
 	done
@@ -436,15 +433,15 @@ clean-libLTLIBRARIES:
 	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" = "$$p" && dir=.; \
+	  test "$$dir" != "$$p" || dir=.; \
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
 libcom_err.la: $(libcom_err_la_OBJECTS) $(libcom_err_la_DEPENDENCIES) 
-	$(LINK) -rpath $(libdir) $(libcom_err_la_LDFLAGS) $(libcom_err_la_OBJECTS) $(libcom_err_la_LIBADD) $(LIBS)
+	$(libcom_err_la_LINK) -rpath $(libdir) $(libcom_err_la_OBJECTS) $(libcom_err_la_LIBADD) $(LIBS)
 install-binPROGRAMS: $(bin_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)"
+	test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
 	@list='$(bin_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -473,11 +470,11 @@ clean-binPROGRAMS:
 parse.h: parse.c
 	@if test ! -f $@; then \
 	  rm -f parse.c; \
-	  $(MAKE) parse.c; \
+	  $(MAKE) $(AM_MAKEFLAGS) parse.c; \
 	else :; fi
 compile_et$(EXEEXT): $(compile_et_OBJECTS) $(compile_et_DEPENDENCIES) 
 	@rm -f compile_et$(EXEEXT)
-	$(LINK) $(compile_et_LDFLAGS) $(compile_et_OBJECTS) $(compile_et_LDADD) $(LIBS)
+	$(LINK) $(compile_et_OBJECTS) $(compile_et_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -494,46 +491,35 @@ distclean-compile:
 .c.lo:
 	$(LTCOMPILE) -c -o $@ $<
 
+libcom_err_la-error.lo: error.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcom_err_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libcom_err_la-error.lo `test -f 'error.c' || echo '$(srcdir)/'`error.c
+
+libcom_err_la-com_err.lo: com_err.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcom_err_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libcom_err_la-com_err.lo `test -f 'com_err.c' || echo '$(srcdir)/'`com_err.c
+
+libcom_err_la-snprintf.lo: snprintf.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcom_err_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libcom_err_la-snprintf.lo `test -f 'snprintf.c' || echo '$(srcdir)/'`snprintf.c
+
+libcom_err_la-strlcpy.lo: strlcpy.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcom_err_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libcom_err_la-strlcpy.lo `test -f 'strlcpy.c' || echo '$(srcdir)/'`strlcpy.c
+
 .l.c:
-	$(LEXCOMPILE) $<
-	sed '/^#/ s|$(LEX_OUTPUT_ROOT)\.c|$@|' $(LEX_OUTPUT_ROOT).c >$@
-	rm -f $(LEX_OUTPUT_ROOT).c
+	$(am__skiplex) $(SHELL) $(YLWRAP) $< $(LEX_OUTPUT_ROOT).c $@ -- $(LEXCOMPILE)
 
 .y.c:
-	$(YACCCOMPILE) $<
-	if test -f y.tab.h; then \
-	  to=`echo "$*_H" | sed \
-                -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/' \
-                -e 's/[^ABCDEFGHIJKLMNOPQRSTUVWXYZ]/_/g'`; \
-	  sed "/^#/ s/Y_TAB_H/$$to/g" y.tab.h >$*.ht; \
-	  rm -f y.tab.h; \
-	  if cmp -s $*.ht $*.h; then \
-	    rm -f $*.ht ;\
-	  else \
-	    mv $*.ht $*.h; \
-	  fi; \
-	fi
-	if test -f y.output; then \
-	  mv y.output $*.output; \
-	fi
-	sed '/^#/ s|y\.tab\.c|$@|' y.tab.c >$@t && mv $@t $@
-	rm -f y.tab.c
+	$(am__skipyacc) $(SHELL) $(YLWRAP) $< y.tab.c $@ y.tab.h $*.h y.output $*.output -- $(YACCCOMPILE)
 
 mostlyclean-libtool:
 	-rm -f *.lo
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 install-includeHEADERS: $(include_HEADERS)
 	@$(NORMAL_INSTALL)
-	test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)"
+	test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
 	@list='$(include_HEADERS)'; for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  f=$(am__strip_dir) \
 	  echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
 	  $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
 	done
@@ -541,7 +527,7 @@ install-includeHEADERS: $(include_HEADERS)
 uninstall-includeHEADERS:
 	@$(NORMAL_UNINSTALL)
 	@list='$(include_HEADERS)'; for p in $$list; do \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  f=$(am__strip_dir) \
 	  echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \
 	  rm -f "$(DESTDIR)$(includedir)/$$f"; \
 	done
@@ -566,9 +552,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -593,23 +581,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../.. $(distdir)/../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -631,7 +617,7 @@ install-binPROGRAMS: install-libLTLIBRARIES
 
 installdirs:
 	for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(includedir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -650,17 +636,16 @@ install-strip:
 mostlyclean-generic:
 
 clean-generic:
-	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
-	-rm -f parse.h
 	-rm -f lex.c
 	-rm -f parse.c
+	-rm -f parse.h
 clean: clean-am
 
 clean-am: clean-binPROGRAMS clean-generic clean-libLTLIBRARIES \
@@ -669,7 +654,7 @@ clean-am: clean-binPROGRAMS clean-generic clean-libLTLIBRARIES \
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -685,14 +670,22 @@ install-data-am: install-includeHEADERS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-binPROGRAMS install-libLTLIBRARIES
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man:
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -713,22 +706,30 @@ ps: ps-am
 ps-am:
 
 uninstall-am: uninstall-binPROGRAMS uninstall-includeHEADERS \
-	uninstall-info-am uninstall-libLTLIBRARIES
+	uninstall-libLTLIBRARIES
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
 
 .PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
 	clean clean-binPROGRAMS clean-generic clean-libLTLIBRARIES \
-	clean-libtool ctags distclean distclean-compile \
+	clean-libtool ctags dist-hook distclean distclean-compile \
 	distclean-generic distclean-libtool distclean-tags distdir dvi \
 	dvi-am html html-am info info-am install install-am \
-	install-binPROGRAMS install-data install-data-am install-exec \
-	install-exec-am install-includeHEADERS install-info \
-	install-info-am install-libLTLIBRARIES install-man \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
-	uninstall-binPROGRAMS uninstall-includeHEADERS \
-	uninstall-info-am uninstall-libLTLIBRARIES
+	install-binPROGRAMS install-data install-data-am \
+	install-data-hook install-dvi install-dvi-am install-exec \
+	install-exec-am install-exec-hook install-html install-html-am \
+	install-includeHEADERS install-info install-info-am \
+	install-libLTLIBRARIES install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-binPROGRAMS \
+	uninstall-hook uninstall-includeHEADERS \
+	uninstall-libLTLIBRARIES
 
 
 install-suid-programs:
@@ -743,8 +744,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -754,19 +755,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -782,7 +795,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -852,16 +865,46 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
 
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
 $(compile_et_OBJECTS): parse.h parse.c ## XXX broken automake 1.4s
+
+snprintf.c:
+	$(LN_S) $(srcdir)/../roken/snprintf.c .
+strlcpy.c:
+	$(LN_S) $(srcdir)/../roken/strlcpy.c .
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/lib/com_err/com_err.c b/crypto/heimdal/lib/com_err/com_err.c
index ea0ac7c..faf4294 100644
--- a/crypto/heimdal/lib/com_err/com_err.c
+++ b/crypto/heimdal/lib/com_err/com_err.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: com_err.c,v 1.18 2002/03/10 23:07:01 assar Exp $");
+RCSID("$Id: com_err.c 14930 2005-04-24 19:43:06Z lha $");
 #endif
 #include <stdio.h>
 #include <stdlib.h>
@@ -51,15 +51,14 @@ error_message (long code)
     const char *p = com_right(_et_list, code);
     if (p == NULL) {
 	if (code < 0)
-	    sprintf(msg, "Unknown error %ld", code);
+	    snprintf(msg, sizeof(msg), "Unknown error %ld", code);
 	else
 	    p = strerror(code);
     }
     if (p != NULL && *p != '\0') {
-	strncpy(msg, p, sizeof(msg) - 1);
-	msg[sizeof(msg) - 1] = 0;
+	strlcpy(msg, p, sizeof(msg));
     } else 
-	sprintf(msg, "Unknown error %ld", code);
+	snprintf(msg, sizeof(msg), "Unknown error %ld", code);
     return msg;
 }
 
diff --git a/crypto/heimdal/lib/com_err/com_err.h b/crypto/heimdal/lib/com_err/com_err.h
index a76214b..bdd764f 100644
--- a/crypto/heimdal/lib/com_err/com_err.h
+++ b/crypto/heimdal/lib/com_err/com_err.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: com_err.h,v 1.9 2001/05/11 20:03:36 assar Exp $ */
+/* $Id: com_err.h 15566 2005-07-07 14:58:07Z lha $ */
 
 /* MIT compatible com_err library */
 
@@ -39,27 +39,28 @@
 #define __COM_ERR_H__
 
 #include <com_right.h>
+#include <stdarg.h>
 
 #if !defined(__GNUC__) && !defined(__attribute__)
 #define __attribute__(X)
 #endif
 
-typedef void (*errf) __P((const char *, long, const char *, va_list));
+typedef void (*errf) (const char *, long, const char *, va_list);
 
-const char * error_message __P((long));
-int init_error_table __P((const char**, long, int));
+const char * error_message (long);
+int init_error_table (const char**, long, int);
 
-void com_err_va __P((const char *, long, const char *, va_list))
+void com_err_va (const char *, long, const char *, va_list)
     __attribute__((format(printf, 3, 0)));
 
-void com_err __P((const char *, long, const char *, ...))
+void com_err (const char *, long, const char *, ...)
     __attribute__((format(printf, 3, 4)));
 
-errf set_com_err_hook __P((errf));
-errf reset_com_err_hook __P((void));
+errf set_com_err_hook (errf);
+errf reset_com_err_hook (void);
 
-const char *error_table_name  __P((int num));
+const char *error_table_name  (int num);
 
-void add_to_error_table __P((struct et_list *new_table));
+void add_to_error_table (struct et_list *new_table);
 
 #endif /* __COM_ERR_H__ */
diff --git a/crypto/heimdal/lib/com_err/com_right.h b/crypto/heimdal/lib/com_err/com_right.h
index c87bb0d..4d929da 100644
--- a/crypto/heimdal/lib/com_err/com_right.h
+++ b/crypto/heimdal/lib/com_err/com_right.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: com_right.h,v 1.11 2000/07/31 01:11:08 assar Exp $ */
+/* $Id: com_right.h 14551 2005-02-03 08:45:13Z lha $ */
 
 #ifndef __COM_RIGHT_H__
 #define __COM_RIGHT_H__
@@ -40,14 +40,6 @@
 #include <stdarg.h>
 #endif
 
-#ifndef __P
-#ifdef __STDC__
-#define __P(X) X
-#else
-#define __P(X) ()
-#endif
-#endif
-
 struct error_table {
     char const * const * msgs;
     long base;
@@ -59,8 +51,8 @@ struct et_list {
 };
 extern struct et_list *_et_list;
 
-const char *com_right __P((struct et_list *list, long code));
-void initialize_error_table_r __P((struct et_list **, const char **, int, long));
-void free_error_table __P((struct et_list *));
+const char *com_right (struct et_list *list, long code);
+void initialize_error_table_r (struct et_list **, const char **, int, long);
+void free_error_table (struct et_list *);
 
 #endif /* __COM_RIGHT_H__ */
diff --git a/crypto/heimdal/lib/com_err/compile_et.c b/crypto/heimdal/lib/com_err/compile_et.c
index b19b218..1057654 100644
--- a/crypto/heimdal/lib/com_err/compile_et.c
+++ b/crypto/heimdal/lib/com_err/compile_et.c
@@ -35,7 +35,7 @@
 #include "compile_et.h"
 #include <getarg.h>
 
-RCSID("$Id: compile_et.c,v 1.16 2002/08/20 12:44:51 joda Exp $");
+RCSID("$Id: compile_et.c 15426 2005-06-16 19:21:42Z lha $");
 
 #include <roken.h>
 #include <err.h>
@@ -46,7 +46,7 @@ extern FILE *yyin;
 
 extern void yyparse(void);
 
-long base;
+long base_id;
 int number;
 char *prefix;
 char *id_str;
@@ -156,13 +156,13 @@ generate_h(void)
     fprintf(h_file, "typedef enum %s_error_number{\n", name);
 
     for(ec = codes; ec; ec = ec->next) {
-	fprintf(h_file, "\t%s = %ld%s\n", ec->name, base + ec->number, 
+	fprintf(h_file, "\t%s = %ld%s\n", ec->name, base_id + ec->number, 
 		(ec->next != NULL) ? "," : "");
     }
 
     fprintf(h_file, "} %s_error_number;\n", name);
     fprintf(h_file, "\n");
-    fprintf(h_file, "#define ERROR_TABLE_BASE_%s %ld\n", name, base);
+    fprintf(h_file, "#define ERROR_TABLE_BASE_%s %ld\n", name, base_id);
     fprintf(h_file, "\n");
     fprintf(h_file, "#endif /* %s */\n", fn);
 
@@ -196,10 +196,10 @@ int
 main(int argc, char **argv)
 {
     char *p;
-    int optind = 0;
+    int optidx = 0;
 
     setprogname(argv[0]);
-    if(getarg(args, num_args, argc, argv, &optind))
+    if(getarg(args, num_args, argc, argv, &optidx))
 	usage(1);
     if(help_flag)
 	usage(0);
@@ -208,9 +208,9 @@ main(int argc, char **argv)
 	exit(0);
     }
 
-    if(optind == argc) 
+    if(optidx == argc) 
 	usage(1);
-    filename = argv[optind];
+    filename = argv[optidx];
     yyin = fopen(filename, "r");
     if(yyin == NULL)
 	err(1, "%s", filename);
@@ -221,8 +221,7 @@ main(int argc, char **argv)
 	p++;
     else
 	p = filename;
-    strncpy(Basename, p, sizeof(Basename));
-    Basename[sizeof(Basename) - 1] = '\0';
+    strlcpy(Basename, p, sizeof(Basename));
     
     Basename[strcspn(Basename, ".")] = '\0';
     
diff --git a/crypto/heimdal/lib/com_err/compile_et.h b/crypto/heimdal/lib/com_err/compile_et.h
index 86dd113..1c7de5a 100644
--- a/crypto/heimdal/lib/com_err/compile_et.h
+++ b/crypto/heimdal/lib/com_err/compile_et.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: compile_et.h,v 1.6 2000/07/01 20:21:48 assar Exp $ */
+/* $Id: compile_et.h 15426 2005-06-16 19:21:42Z lha $ */
 
 #ifndef __COMPILE_ET_H__
 #define __COMPILE_ET_H__
@@ -40,6 +40,7 @@
 #include <config.h>
 #endif
 
+#include <err.h>
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
@@ -47,7 +48,7 @@
 #include <ctype.h>
 #include <roken.h>
 
-extern long base;
+extern long base_id;
 extern int number;
 extern char *prefix;
 extern char name[128];
diff --git a/crypto/heimdal/lib/com_err/error.c b/crypto/heimdal/lib/com_err/error.c
index b22f25b..0510780 100644
--- a/crypto/heimdal/lib/com_err/error.c
+++ b/crypto/heimdal/lib/com_err/error.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: error.c,v 1.15 2001/02/28 20:00:13 joda Exp $");
+RCSID("$Id: error.c 9724 2001-02-28 20:00:13Z joda $");
 #endif
 #include <stdio.h>
 #include <stdlib.h>
diff --git a/crypto/heimdal/lib/com_err/lex.c b/crypto/heimdal/lib/com_err/lex.c
new file mode 100644
index 0000000..8f756d3
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/lex.c
@@ -0,0 +1,1896 @@
+
+#line 3 "lex.c"
+
+#define  YY_INT_ALIGNED short int
+
+/* A lexical scanner generated by flex */
+
+#define FLEX_SCANNER
+#define YY_FLEX_MAJOR_VERSION 2
+#define YY_FLEX_MINOR_VERSION 5
+#define YY_FLEX_SUBMINOR_VERSION 33
+#if YY_FLEX_SUBMINOR_VERSION > 0
+#define FLEX_BETA
+#endif
+
+/* First, we deal with  platform-specific or compiler-specific issues. */
+
+/* begin standard C headers. */
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <stdlib.h>
+
+/* end standard C headers. */
+
+/* flex integer type definitions */
+
+#ifndef FLEXINT_H
+#define FLEXINT_H
+
+/* C99 systems have <inttypes.h>. Non-C99 systems may or may not. */
+
+#if __STDC_VERSION__ >= 199901L
+
+/* C99 says to define __STDC_LIMIT_MACROS before including stdint.h,
+ * if you want the limit (max/min) macros for int types. 
+ */
+#ifndef __STDC_LIMIT_MACROS
+#define __STDC_LIMIT_MACROS 1
+#endif
+
+#include <inttypes.h>
+typedef int8_t flex_int8_t;
+typedef uint8_t flex_uint8_t;
+typedef int16_t flex_int16_t;
+typedef uint16_t flex_uint16_t;
+typedef int32_t flex_int32_t;
+typedef uint32_t flex_uint32_t;
+#else
+typedef signed char flex_int8_t;
+typedef short int flex_int16_t;
+typedef int flex_int32_t;
+typedef unsigned char flex_uint8_t; 
+typedef unsigned short int flex_uint16_t;
+typedef unsigned int flex_uint32_t;
+#endif /* ! C99 */
+
+/* Limits of integral types. */
+#ifndef INT8_MIN
+#define INT8_MIN               (-128)
+#endif
+#ifndef INT16_MIN
+#define INT16_MIN              (-32767-1)
+#endif
+#ifndef INT32_MIN
+#define INT32_MIN              (-2147483647-1)
+#endif
+#ifndef INT8_MAX
+#define INT8_MAX               (127)
+#endif
+#ifndef INT16_MAX
+#define INT16_MAX              (32767)
+#endif
+#ifndef INT32_MAX
+#define INT32_MAX              (2147483647)
+#endif
+#ifndef UINT8_MAX
+#define UINT8_MAX              (255U)
+#endif
+#ifndef UINT16_MAX
+#define UINT16_MAX             (65535U)
+#endif
+#ifndef UINT32_MAX
+#define UINT32_MAX             (4294967295U)
+#endif
+
+#endif /* ! FLEXINT_H */
+
+#ifdef __cplusplus
+
+/* The "const" storage-class-modifier is valid. */
+#define YY_USE_CONST
+
+#else	/* ! __cplusplus */
+
+#if __STDC__
+
+#define YY_USE_CONST
+
+#endif	/* __STDC__ */
+#endif	/* ! __cplusplus */
+
+#ifdef YY_USE_CONST
+#define yyconst const
+#else
+#define yyconst
+#endif
+
+/* Returned upon end-of-file. */
+#define YY_NULL 0
+
+/* Promotes a possibly negative, possibly signed char to an unsigned
+ * integer for use as an array index.  If the signed char is negative,
+ * we want to instead treat it as an 8-bit unsigned char, hence the
+ * double cast.
+ */
+#define YY_SC_TO_UI(c) ((unsigned int) (unsigned char) c)
+
+/* Enter a start condition.  This macro really ought to take a parameter,
+ * but we do it the disgusting crufty way forced on us by the ()-less
+ * definition of BEGIN.
+ */
+#define BEGIN (yy_start) = 1 + 2 *
+
+/* Translate the current start state into a value that can be later handed
+ * to BEGIN to return to the state.  The YYSTATE alias is for lex
+ * compatibility.
+ */
+#define YY_START (((yy_start) - 1) / 2)
+#define YYSTATE YY_START
+
+/* Action number for EOF rule of a given start state. */
+#define YY_STATE_EOF(state) (YY_END_OF_BUFFER + state + 1)
+
+/* Special action meaning "start processing a new file". */
+#define YY_NEW_FILE yyrestart(yyin  )
+
+#define YY_END_OF_BUFFER_CHAR 0
+
+/* Size of default input buffer. */
+#ifndef YY_BUF_SIZE
+#define YY_BUF_SIZE 16384
+#endif
+
+/* The state buf must be large enough to hold one state per character in the main buffer.
+ */
+#define YY_STATE_BUF_SIZE   ((YY_BUF_SIZE + 2) * sizeof(yy_state_type))
+
+#ifndef YY_TYPEDEF_YY_BUFFER_STATE
+#define YY_TYPEDEF_YY_BUFFER_STATE
+typedef struct yy_buffer_state *YY_BUFFER_STATE;
+#endif
+
+extern int yyleng;
+
+extern FILE *yyin, *yyout;
+
+#define EOB_ACT_CONTINUE_SCAN 0
+#define EOB_ACT_END_OF_FILE 1
+#define EOB_ACT_LAST_MATCH 2
+
+    #define YY_LESS_LINENO(n)
+    
+/* Return all but the first "n" matched characters back to the input stream. */
+#define yyless(n) \
+	do \
+		{ \
+		/* Undo effects of setting up yytext. */ \
+        int yyless_macro_arg = (n); \
+        YY_LESS_LINENO(yyless_macro_arg);\
+		*yy_cp = (yy_hold_char); \
+		YY_RESTORE_YY_MORE_OFFSET \
+		(yy_c_buf_p) = yy_cp = yy_bp + yyless_macro_arg - YY_MORE_ADJ; \
+		YY_DO_BEFORE_ACTION; /* set up yytext again */ \
+		} \
+	while ( 0 )
+
+#define unput(c) yyunput( c, (yytext_ptr)  )
+
+/* The following is because we cannot portably get our hands on size_t
+ * (without autoconf's help, which isn't available because we want
+ * flex-generated scanners to compile on their own).
+ */
+
+#ifndef YY_TYPEDEF_YY_SIZE_T
+#define YY_TYPEDEF_YY_SIZE_T
+typedef unsigned int yy_size_t;
+#endif
+
+#ifndef YY_STRUCT_YY_BUFFER_STATE
+#define YY_STRUCT_YY_BUFFER_STATE
+struct yy_buffer_state
+	{
+	FILE *yy_input_file;
+
+	char *yy_ch_buf;		/* input buffer */
+	char *yy_buf_pos;		/* current position in input buffer */
+
+	/* Size of input buffer in bytes, not including room for EOB
+	 * characters.
+	 */
+	yy_size_t yy_buf_size;
+
+	/* Number of characters read into yy_ch_buf, not including EOB
+	 * characters.
+	 */
+	int yy_n_chars;
+
+	/* Whether we "own" the buffer - i.e., we know we created it,
+	 * and can realloc() it to grow it, and should free() it to
+	 * delete it.
+	 */
+	int yy_is_our_buffer;
+
+	/* Whether this is an "interactive" input source; if so, and
+	 * if we're using stdio for input, then we want to use getc()
+	 * instead of fread(), to make sure we stop fetching input after
+	 * each newline.
+	 */
+	int yy_is_interactive;
+
+	/* Whether we're considered to be at the beginning of a line.
+	 * If so, '^' rules will be active on the next match, otherwise
+	 * not.
+	 */
+	int yy_at_bol;
+
+    int yy_bs_lineno; /**< The line count. */
+    int yy_bs_column; /**< The column count. */
+    
+	/* Whether to try to fill the input buffer when we reach the
+	 * end of it.
+	 */
+	int yy_fill_buffer;
+
+	int yy_buffer_status;
+
+#define YY_BUFFER_NEW 0
+#define YY_BUFFER_NORMAL 1
+	/* When an EOF's been seen but there's still some text to process
+	 * then we mark the buffer as YY_EOF_PENDING, to indicate that we
+	 * shouldn't try reading from the input source any more.  We might
+	 * still have a bunch of tokens to match, though, because of
+	 * possible backing-up.
+	 *
+	 * When we actually see the EOF, we change the status to "new"
+	 * (via yyrestart()), so that the user can continue scanning by
+	 * just pointing yyin at a new input file.
+	 */
+#define YY_BUFFER_EOF_PENDING 2
+
+	};
+#endif /* !YY_STRUCT_YY_BUFFER_STATE */
+
+/* Stack of input buffers. */
+static size_t yy_buffer_stack_top = 0; /**< index of top of stack. */
+static size_t yy_buffer_stack_max = 0; /**< capacity of stack. */
+static YY_BUFFER_STATE * yy_buffer_stack = 0; /**< Stack as an array. */
+
+/* We provide macros for accessing buffer states in case in the
+ * future we want to put the buffer states in a more general
+ * "scanner state".
+ *
+ * Returns the top of the stack, or NULL.
+ */
+#define YY_CURRENT_BUFFER ( (yy_buffer_stack) \
+                          ? (yy_buffer_stack)[(yy_buffer_stack_top)] \
+                          : NULL)
+
+/* Same as previous macro, but useful when we know that the buffer stack is not
+ * NULL or when we need an lvalue. For internal use only.
+ */
+#define YY_CURRENT_BUFFER_LVALUE (yy_buffer_stack)[(yy_buffer_stack_top)]
+
+/* yy_hold_char holds the character lost when yytext is formed. */
+static char yy_hold_char;
+static int yy_n_chars;		/* number of characters read into yy_ch_buf */
+int yyleng;
+
+/* Points to current character in buffer. */
+static char *yy_c_buf_p = (char *) 0;
+static int yy_init = 0;		/* whether we need to initialize */
+static int yy_start = 0;	/* start state number */
+
+/* Flag which is used to allow yywrap()'s to do buffer switches
+ * instead of setting up a fresh yyin.  A bit of a hack ...
+ */
+static int yy_did_buffer_switch_on_eof;
+
+void yyrestart (FILE *input_file  );
+void yy_switch_to_buffer (YY_BUFFER_STATE new_buffer  );
+YY_BUFFER_STATE yy_create_buffer (FILE *file,int size  );
+void yy_delete_buffer (YY_BUFFER_STATE b  );
+void yy_flush_buffer (YY_BUFFER_STATE b  );
+void yypush_buffer_state (YY_BUFFER_STATE new_buffer  );
+void yypop_buffer_state (void );
+
+static void yyensure_buffer_stack (void );
+static void yy_load_buffer_state (void );
+static void yy_init_buffer (YY_BUFFER_STATE b,FILE *file  );
+
+#define YY_FLUSH_BUFFER yy_flush_buffer(YY_CURRENT_BUFFER )
+
+YY_BUFFER_STATE yy_scan_buffer (char *base,yy_size_t size  );
+YY_BUFFER_STATE yy_scan_string (yyconst char *yy_str  );
+YY_BUFFER_STATE yy_scan_bytes (yyconst char *bytes,int len  );
+
+void *yyalloc (yy_size_t  );
+void *yyrealloc (void *,yy_size_t  );
+void yyfree (void *  );
+
+#define yy_new_buffer yy_create_buffer
+
+#define yy_set_interactive(is_interactive) \
+	{ \
+	if ( ! YY_CURRENT_BUFFER ){ \
+        yyensure_buffer_stack (); \
+		YY_CURRENT_BUFFER_LVALUE =    \
+            yy_create_buffer(yyin,YY_BUF_SIZE ); \
+	} \
+	YY_CURRENT_BUFFER_LVALUE->yy_is_interactive = is_interactive; \
+	}
+
+#define yy_set_bol(at_bol) \
+	{ \
+	if ( ! YY_CURRENT_BUFFER ){\
+        yyensure_buffer_stack (); \
+		YY_CURRENT_BUFFER_LVALUE =    \
+            yy_create_buffer(yyin,YY_BUF_SIZE ); \
+	} \
+	YY_CURRENT_BUFFER_LVALUE->yy_at_bol = at_bol; \
+	}
+
+#define YY_AT_BOL() (YY_CURRENT_BUFFER_LVALUE->yy_at_bol)
+
+/* Begin user sect3 */
+
+typedef unsigned char YY_CHAR;
+
+FILE *yyin = (FILE *) 0, *yyout = (FILE *) 0;
+
+typedef int yy_state_type;
+
+extern int yylineno;
+
+int yylineno = 1;
+
+extern char *yytext;
+#define yytext_ptr yytext
+
+static yy_state_type yy_get_previous_state (void );
+static yy_state_type yy_try_NUL_trans (yy_state_type current_state  );
+static int yy_get_next_buffer (void );
+static void yy_fatal_error (yyconst char msg[]  );
+
+/* Done after the current pattern has been matched and before the
+ * corresponding action - sets up yytext.
+ */
+#define YY_DO_BEFORE_ACTION \
+	(yytext_ptr) = yy_bp; \
+	yyleng = (size_t) (yy_cp - yy_bp); \
+	(yy_hold_char) = *yy_cp; \
+	*yy_cp = '\0'; \
+	(yy_c_buf_p) = yy_cp;
+
+#define YY_NUM_RULES 16
+#define YY_END_OF_BUFFER 17
+/* This struct is not used in this scanner,
+   but its presence is necessary. */
+struct yy_trans_info
+	{
+	flex_int32_t yy_verify;
+	flex_int32_t yy_nxt;
+	};
+static yyconst flex_int16_t yy_accept[46] =
+    {   0,
+        0,    0,   17,   15,   11,   12,   13,   10,    9,   14,
+       14,   14,   14,   10,    9,   14,    3,   14,   14,    1,
+        7,   14,   14,    8,   14,   14,   14,   14,   14,   14,
+       14,    6,   14,   14,    5,   14,   14,   14,   14,   14,
+       14,    4,   14,    2,    0
+    } ;
+
+static yyconst flex_int32_t yy_ec[256] =
+    {   0,
+        1,    1,    1,    1,    1,    1,    1,    1,    2,    3,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    2,    1,    4,    5,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    6,    6,    6,
+        6,    6,    6,    6,    6,    6,    6,    1,    1,    1,
+        1,    1,    1,    1,    7,    7,    7,    7,    7,    7,
+        7,    7,    7,    7,    7,    7,    7,    7,    7,    7,
+        7,    7,    7,    7,    7,    7,    7,    7,    7,    7,
+        1,    1,    1,    1,    8,    1,    9,   10,   11,   12,
+
+       13,   14,    7,    7,   15,    7,    7,   16,    7,   17,
+       18,   19,    7,   20,    7,   21,    7,    7,    7,   22,
+        7,    7,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1
+    } ;
+
+static yyconst flex_int32_t yy_meta[23] =
+    {   0,
+        1,    1,    2,    1,    1,    3,    3,    3,    3,    3,
+        3,    3,    3,    3,    3,    3,    3,    3,    3,    3,
+        3,    3
+    } ;
+
+static yyconst flex_int16_t yy_base[48] =
+    {   0,
+        0,    0,   56,   57,   57,   57,   57,    0,   49,    0,
+       12,   13,   34,    0,   47,    0,    0,   40,   31,    0,
+        0,   38,   36,    0,   30,   34,   32,   25,   22,   28,
+       34,    0,   19,   13,    0,   22,   30,   26,   26,   18,
+       12,    0,   14,    0,   57,   34,   23
+    } ;
+
+static yyconst flex_int16_t yy_def[48] =
+    {   0,
+       45,    1,   45,   45,   45,   45,   45,   46,   47,   47,
+       47,   47,   47,   46,   47,   47,   47,   47,   47,   47,
+       47,   47,   47,   47,   47,   47,   47,   47,   47,   47,
+       47,   47,   47,   47,   47,   47,   47,   47,   47,   47,
+       47,   47,   47,   47,    0,   45,   45
+    } ;
+
+static yyconst flex_int16_t yy_nxt[80] =
+    {   0,
+        4,    5,    6,    7,    8,    9,   10,   10,   10,   10,
+       10,   10,   11,   10,   12,   10,   10,   10,   13,   10,
+       10,   10,   17,   36,   21,   16,   44,   43,   18,   22,
+       42,   19,   20,   37,   14,   41,   14,   40,   39,   38,
+       35,   34,   33,   32,   31,   30,   29,   28,   27,   26,
+       25,   24,   15,   23,   15,   45,    3,   45,   45,   45,
+       45,   45,   45,   45,   45,   45,   45,   45,   45,   45,
+       45,   45,   45,   45,   45,   45,   45,   45,   45
+    } ;
+
+static yyconst flex_int16_t yy_chk[80] =
+    {   0,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,   11,   34,   12,   47,   43,   41,   11,   12,
+       40,   11,   11,   34,   46,   39,   46,   38,   37,   36,
+       33,   31,   30,   29,   28,   27,   26,   25,   23,   22,
+       19,   18,   15,   13,    9,    3,   45,   45,   45,   45,
+       45,   45,   45,   45,   45,   45,   45,   45,   45,   45,
+       45,   45,   45,   45,   45,   45,   45,   45,   45
+    } ;
+
+static yy_state_type yy_last_accepting_state;
+static char *yy_last_accepting_cpos;
+
+extern int yy_flex_debug;
+int yy_flex_debug = 0;
+
+/* The intent behind this definition is that it'll catch
+ * any uses of REJECT which flex missed.
+ */
+#define REJECT reject_used_but_not_detected
+#define yymore() yymore_used_but_not_detected
+#define YY_MORE_ADJ 0
+#define YY_RESTORE_YY_MORE_OFFSET
+char *yytext;
+#line 1 "lex.l"
+#line 2 "lex.l"
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/*
+ * This is to handle the definition of this symbol in some AIX
+ * headers, which will conflict with the definition that lex will
+ * generate for it.  It's only a problem for AIX lex.
+ */
+
+#undef ECHO
+
+#include "compile_et.h"
+#include "parse.h"
+#include "lex.h"
+
+RCSID("$Id: lex.l 15143 2005-05-16 08:52:54Z lha $");
+
+static unsigned lineno = 1;
+static int getstring(void);
+
+#define YY_NO_UNPUT
+
+#undef ECHO
+
+#line 536 "lex.c"
+
+#define INITIAL 0
+
+#ifndef YY_NO_UNISTD_H
+/* Special case for "unistd.h", since it is non-ANSI. We include it way
+ * down here because we want the user's section 1 to have been scanned first.
+ * The user has a chance to override it with an option.
+ */
+#include <unistd.h>
+#endif
+
+#ifndef YY_EXTRA_TYPE
+#define YY_EXTRA_TYPE void *
+#endif
+
+static int yy_init_globals (void );
+
+/* Macros after this point can all be overridden by user definitions in
+ * section 1.
+ */
+
+#ifndef YY_SKIP_YYWRAP
+#ifdef __cplusplus
+extern "C" int yywrap (void );
+#else
+extern int yywrap (void );
+#endif
+#endif
+
+    static void yyunput (int c,char *buf_ptr  );
+    
+#ifndef yytext_ptr
+static void yy_flex_strncpy (char *,yyconst char *,int );
+#endif
+
+#ifdef YY_NEED_STRLEN
+static int yy_flex_strlen (yyconst char * );
+#endif
+
+#ifndef YY_NO_INPUT
+
+#ifdef __cplusplus
+static int yyinput (void );
+#else
+static int input (void );
+#endif
+
+#endif
+
+/* Amount of stuff to slurp up with each read. */
+#ifndef YY_READ_BUF_SIZE
+#define YY_READ_BUF_SIZE 8192
+#endif
+
+/* Copy whatever the last rule matched to the standard output. */
+#ifndef ECHO
+/* This used to be an fputs(), but since the string might contain NUL's,
+ * we now use fwrite().
+ */
+#define ECHO (void) fwrite( yytext, yyleng, 1, yyout )
+#endif
+
+/* Gets input and stuffs it into "buf".  number of characters read, or YY_NULL,
+ * is returned in "result".
+ */
+#ifndef YY_INPUT
+#define YY_INPUT(buf,result,max_size) \
+	if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \
+		{ \
+		int c = '*'; \
+		size_t n; \
+		for ( n = 0; n < max_size && \
+			     (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
+			buf[n] = (char) c; \
+		if ( c == '\n' ) \
+			buf[n++] = (char) c; \
+		if ( c == EOF && ferror( yyin ) ) \
+			YY_FATAL_ERROR( "input in flex scanner failed" ); \
+		result = n; \
+		} \
+	else \
+		{ \
+		errno=0; \
+		while ( (result = fread(buf, 1, max_size, yyin))==0 && ferror(yyin)) \
+			{ \
+			if( errno != EINTR) \
+				{ \
+				YY_FATAL_ERROR( "input in flex scanner failed" ); \
+				break; \
+				} \
+			errno=0; \
+			clearerr(yyin); \
+			} \
+		}\
+\
+
+#endif
+
+/* No semi-colon after return; correct usage is to write "yyterminate();" -
+ * we don't want an extra ';' after the "return" because that will cause
+ * some compilers to complain about unreachable statements.
+ */
+#ifndef yyterminate
+#define yyterminate() return YY_NULL
+#endif
+
+/* Number of entries by which start-condition stack grows. */
+#ifndef YY_START_STACK_INCR
+#define YY_START_STACK_INCR 25
+#endif
+
+/* Report a fatal error. */
+#ifndef YY_FATAL_ERROR
+#define YY_FATAL_ERROR(msg) yy_fatal_error( msg )
+#endif
+
+/* end tables serialization structures and prototypes */
+
+/* Default declaration of generated scanner - a define so the user can
+ * easily add parameters.
+ */
+#ifndef YY_DECL
+#define YY_DECL_IS_OURS 1
+
+extern int yylex (void);
+
+#define YY_DECL int yylex (void)
+#endif /* !YY_DECL */
+
+/* Code executed at the beginning of each rule, after yytext and yyleng
+ * have been set up.
+ */
+#ifndef YY_USER_ACTION
+#define YY_USER_ACTION
+#endif
+
+/* Code executed at the end of each rule. */
+#ifndef YY_BREAK
+#define YY_BREAK break;
+#endif
+
+#define YY_RULE_SETUP \
+	YY_USER_ACTION
+
+/** The main scanner function which does all the work.
+ */
+YY_DECL
+{
+	register yy_state_type yy_current_state;
+	register char *yy_cp, *yy_bp;
+	register int yy_act;
+    
+#line 59 "lex.l"
+
+#line 691 "lex.c"
+
+	if ( !(yy_init) )
+		{
+		(yy_init) = 1;
+
+#ifdef YY_USER_INIT
+		YY_USER_INIT;
+#endif
+
+		if ( ! (yy_start) )
+			(yy_start) = 1;	/* first start state */
+
+		if ( ! yyin )
+			yyin = stdin;
+
+		if ( ! yyout )
+			yyout = stdout;
+
+		if ( ! YY_CURRENT_BUFFER ) {
+			yyensure_buffer_stack ();
+			YY_CURRENT_BUFFER_LVALUE =
+				yy_create_buffer(yyin,YY_BUF_SIZE );
+		}
+
+		yy_load_buffer_state( );
+		}
+
+	while ( 1 )		/* loops until end-of-file is reached */
+		{
+		yy_cp = (yy_c_buf_p);
+
+		/* Support of yytext. */
+		*yy_cp = (yy_hold_char);
+
+		/* yy_bp points to the position in yy_ch_buf of the start of
+		 * the current run.
+		 */
+		yy_bp = yy_cp;
+
+		yy_current_state = (yy_start);
+yy_match:
+		do
+			{
+			register YY_CHAR yy_c = yy_ec[YY_SC_TO_UI(*yy_cp)];
+			if ( yy_accept[yy_current_state] )
+				{
+				(yy_last_accepting_state) = yy_current_state;
+				(yy_last_accepting_cpos) = yy_cp;
+				}
+			while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
+				{
+				yy_current_state = (int) yy_def[yy_current_state];
+				if ( yy_current_state >= 46 )
+					yy_c = yy_meta[(unsigned int) yy_c];
+				}
+			yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+			++yy_cp;
+			}
+		while ( yy_base[yy_current_state] != 57 );
+
+yy_find_action:
+		yy_act = yy_accept[yy_current_state];
+		if ( yy_act == 0 )
+			{ /* have to back up */
+			yy_cp = (yy_last_accepting_cpos);
+			yy_current_state = (yy_last_accepting_state);
+			yy_act = yy_accept[yy_current_state];
+			}
+
+		YY_DO_BEFORE_ACTION;
+
+do_action:	/* This label is used only to access EOF actions. */
+
+		switch ( yy_act )
+	{ /* beginning of action switch */
+			case 0: /* must back up */
+			/* undo the effects of YY_DO_BEFORE_ACTION */
+			*yy_cp = (yy_hold_char);
+			yy_cp = (yy_last_accepting_cpos);
+			yy_current_state = (yy_last_accepting_state);
+			goto yy_find_action;
+
+case 1:
+YY_RULE_SETUP
+#line 60 "lex.l"
+{ return ET; }
+	YY_BREAK
+case 2:
+YY_RULE_SETUP
+#line 61 "lex.l"
+{ return ET; }
+	YY_BREAK
+case 3:
+YY_RULE_SETUP
+#line 62 "lex.l"
+{ return EC; }
+	YY_BREAK
+case 4:
+YY_RULE_SETUP
+#line 63 "lex.l"
+{ return EC; }
+	YY_BREAK
+case 5:
+YY_RULE_SETUP
+#line 64 "lex.l"
+{ return PREFIX; }
+	YY_BREAK
+case 6:
+YY_RULE_SETUP
+#line 65 "lex.l"
+{ return INDEX; }
+	YY_BREAK
+case 7:
+YY_RULE_SETUP
+#line 66 "lex.l"
+{ return ID; }
+	YY_BREAK
+case 8:
+YY_RULE_SETUP
+#line 67 "lex.l"
+{ return END; }
+	YY_BREAK
+case 9:
+YY_RULE_SETUP
+#line 68 "lex.l"
+{ yylval.number = atoi(yytext); return NUMBER; }
+	YY_BREAK
+case 10:
+YY_RULE_SETUP
+#line 69 "lex.l"
+;
+	YY_BREAK
+case 11:
+YY_RULE_SETUP
+#line 70 "lex.l"
+;
+	YY_BREAK
+case 12:
+/* rule 12 can match eol */
+YY_RULE_SETUP
+#line 71 "lex.l"
+{ lineno++; }
+	YY_BREAK
+case 13:
+YY_RULE_SETUP
+#line 72 "lex.l"
+{ return getstring(); }
+	YY_BREAK
+case 14:
+YY_RULE_SETUP
+#line 73 "lex.l"
+{ yylval.string = strdup(yytext); return STRING; }
+	YY_BREAK
+case 15:
+YY_RULE_SETUP
+#line 74 "lex.l"
+{ return *yytext; }
+	YY_BREAK
+case 16:
+YY_RULE_SETUP
+#line 75 "lex.l"
+ECHO;
+	YY_BREAK
+#line 855 "lex.c"
+case YY_STATE_EOF(INITIAL):
+	yyterminate();
+
+	case YY_END_OF_BUFFER:
+		{
+		/* Amount of text matched not including the EOB char. */
+		int yy_amount_of_matched_text = (int) (yy_cp - (yytext_ptr)) - 1;
+
+		/* Undo the effects of YY_DO_BEFORE_ACTION. */
+		*yy_cp = (yy_hold_char);
+		YY_RESTORE_YY_MORE_OFFSET
+
+		if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_NEW )
+			{
+			/* We're scanning a new file or input source.  It's
+			 * possible that this happened because the user
+			 * just pointed yyin at a new source and called
+			 * yylex().  If so, then we have to assure
+			 * consistency between YY_CURRENT_BUFFER and our
+			 * globals.  Here is the right place to do so, because
+			 * this is the first action (other than possibly a
+			 * back-up) that will match for the new input source.
+			 */
+			(yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_n_chars;
+			YY_CURRENT_BUFFER_LVALUE->yy_input_file = yyin;
+			YY_CURRENT_BUFFER_LVALUE->yy_buffer_status = YY_BUFFER_NORMAL;
+			}
+
+		/* Note that here we test for yy_c_buf_p "<=" to the position
+		 * of the first EOB in the buffer, since yy_c_buf_p will
+		 * already have been incremented past the NUL character
+		 * (since all states make transitions on EOB to the
+		 * end-of-buffer state).  Contrast this with the test
+		 * in input().
+		 */
+		if ( (yy_c_buf_p) <= &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] )
+			{ /* This was really a NUL. */
+			yy_state_type yy_next_state;
+
+			(yy_c_buf_p) = (yytext_ptr) + yy_amount_of_matched_text;
+
+			yy_current_state = yy_get_previous_state(  );
+
+			/* Okay, we're now positioned to make the NUL
+			 * transition.  We couldn't have
+			 * yy_get_previous_state() go ahead and do it
+			 * for us because it doesn't know how to deal
+			 * with the possibility of jamming (and we don't
+			 * want to build jamming into it because then it
+			 * will run more slowly).
+			 */
+
+			yy_next_state = yy_try_NUL_trans( yy_current_state );
+
+			yy_bp = (yytext_ptr) + YY_MORE_ADJ;
+
+			if ( yy_next_state )
+				{
+				/* Consume the NUL. */
+				yy_cp = ++(yy_c_buf_p);
+				yy_current_state = yy_next_state;
+				goto yy_match;
+				}
+
+			else
+				{
+				yy_cp = (yy_c_buf_p);
+				goto yy_find_action;
+				}
+			}
+
+		else switch ( yy_get_next_buffer(  ) )
+			{
+			case EOB_ACT_END_OF_FILE:
+				{
+				(yy_did_buffer_switch_on_eof) = 0;
+
+				if ( yywrap( ) )
+					{
+					/* Note: because we've taken care in
+					 * yy_get_next_buffer() to have set up
+					 * yytext, we can now set up
+					 * yy_c_buf_p so that if some total
+					 * hoser (like flex itself) wants to
+					 * call the scanner after we return the
+					 * YY_NULL, it'll still work - another
+					 * YY_NULL will get returned.
+					 */
+					(yy_c_buf_p) = (yytext_ptr) + YY_MORE_ADJ;
+
+					yy_act = YY_STATE_EOF(YY_START);
+					goto do_action;
+					}
+
+				else
+					{
+					if ( ! (yy_did_buffer_switch_on_eof) )
+						YY_NEW_FILE;
+					}
+				break;
+				}
+
+			case EOB_ACT_CONTINUE_SCAN:
+				(yy_c_buf_p) =
+					(yytext_ptr) + yy_amount_of_matched_text;
+
+				yy_current_state = yy_get_previous_state(  );
+
+				yy_cp = (yy_c_buf_p);
+				yy_bp = (yytext_ptr) + YY_MORE_ADJ;
+				goto yy_match;
+
+			case EOB_ACT_LAST_MATCH:
+				(yy_c_buf_p) =
+				&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)];
+
+				yy_current_state = yy_get_previous_state(  );
+
+				yy_cp = (yy_c_buf_p);
+				yy_bp = (yytext_ptr) + YY_MORE_ADJ;
+				goto yy_find_action;
+			}
+		break;
+		}
+
+	default:
+		YY_FATAL_ERROR(
+			"fatal flex scanner internal error--no action found" );
+	} /* end of action switch */
+		} /* end of scanning one token */
+} /* end of yylex */
+
+/* yy_get_next_buffer - try to read in a new buffer
+ *
+ * Returns a code representing an action:
+ *	EOB_ACT_LAST_MATCH -
+ *	EOB_ACT_CONTINUE_SCAN - continue scanning from current position
+ *	EOB_ACT_END_OF_FILE - end of file
+ */
+static int yy_get_next_buffer (void)
+{
+    	register char *dest = YY_CURRENT_BUFFER_LVALUE->yy_ch_buf;
+	register char *source = (yytext_ptr);
+	register int number_to_move, i;
+	int ret_val;
+
+	if ( (yy_c_buf_p) > &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] )
+		YY_FATAL_ERROR(
+		"fatal flex scanner internal error--end of buffer missed" );
+
+	if ( YY_CURRENT_BUFFER_LVALUE->yy_fill_buffer == 0 )
+		{ /* Don't try to fill the buffer, so this is an EOF. */
+		if ( (yy_c_buf_p) - (yytext_ptr) - YY_MORE_ADJ == 1 )
+			{
+			/* We matched a single character, the EOB, so
+			 * treat this as a final EOF.
+			 */
+			return EOB_ACT_END_OF_FILE;
+			}
+
+		else
+			{
+			/* We matched some text prior to the EOB, first
+			 * process it.
+			 */
+			return EOB_ACT_LAST_MATCH;
+			}
+		}
+
+	/* Try to read more data. */
+
+	/* First move last chars to start of buffer. */
+	number_to_move = (int) ((yy_c_buf_p) - (yytext_ptr)) - 1;
+
+	for ( i = 0; i < number_to_move; ++i )
+		*(dest++) = *(source++);
+
+	if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
+		/* don't do the read, it's not guaranteed to return an EOF,
+		 * just force an EOF
+		 */
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars) = 0;
+
+	else
+		{
+			int num_to_read =
+			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
+
+		while ( num_to_read <= 0 )
+			{ /* Not enough room in the buffer - grow it. */
+
+			/* just a shorter name for the current buffer */
+			YY_BUFFER_STATE b = YY_CURRENT_BUFFER;
+
+			int yy_c_buf_p_offset =
+				(int) ((yy_c_buf_p) - b->yy_ch_buf);
+
+			if ( b->yy_is_our_buffer )
+				{
+				int new_size = b->yy_buf_size * 2;
+
+				if ( new_size <= 0 )
+					b->yy_buf_size += b->yy_buf_size / 8;
+				else
+					b->yy_buf_size *= 2;
+
+				b->yy_ch_buf = (char *)
+					/* Include room in for 2 EOB chars. */
+					yyrealloc((void *) b->yy_ch_buf,b->yy_buf_size + 2  );
+				}
+			else
+				/* Can't grow it, we don't own it. */
+				b->yy_ch_buf = 0;
+
+			if ( ! b->yy_ch_buf )
+				YY_FATAL_ERROR(
+				"fatal error - scanner input buffer overflow" );
+
+			(yy_c_buf_p) = &b->yy_ch_buf[yy_c_buf_p_offset];
+
+			num_to_read = YY_CURRENT_BUFFER_LVALUE->yy_buf_size -
+						number_to_move - 1;
+
+			}
+
+		if ( num_to_read > YY_READ_BUF_SIZE )
+			num_to_read = YY_READ_BUF_SIZE;
+
+		/* Read in more data. */
+		YY_INPUT( (&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]),
+			(yy_n_chars), num_to_read );
+
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
+		}
+
+	if ( (yy_n_chars) == 0 )
+		{
+		if ( number_to_move == YY_MORE_ADJ )
+			{
+			ret_val = EOB_ACT_END_OF_FILE;
+			yyrestart(yyin  );
+			}
+
+		else
+			{
+			ret_val = EOB_ACT_LAST_MATCH;
+			YY_CURRENT_BUFFER_LVALUE->yy_buffer_status =
+				YY_BUFFER_EOF_PENDING;
+			}
+		}
+
+	else
+		ret_val = EOB_ACT_CONTINUE_SCAN;
+
+	(yy_n_chars) += number_to_move;
+	YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] = YY_END_OF_BUFFER_CHAR;
+	YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] = YY_END_OF_BUFFER_CHAR;
+
+	(yytext_ptr) = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[0];
+
+	return ret_val;
+}
+
+/* yy_get_previous_state - get the state just before the EOB char was reached */
+
+    static yy_state_type yy_get_previous_state (void)
+{
+	register yy_state_type yy_current_state;
+	register char *yy_cp;
+    
+	yy_current_state = (yy_start);
+
+	for ( yy_cp = (yytext_ptr) + YY_MORE_ADJ; yy_cp < (yy_c_buf_p); ++yy_cp )
+		{
+		register YY_CHAR yy_c = (*yy_cp ? yy_ec[YY_SC_TO_UI(*yy_cp)] : 1);
+		if ( yy_accept[yy_current_state] )
+			{
+			(yy_last_accepting_state) = yy_current_state;
+			(yy_last_accepting_cpos) = yy_cp;
+			}
+		while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
+			{
+			yy_current_state = (int) yy_def[yy_current_state];
+			if ( yy_current_state >= 46 )
+				yy_c = yy_meta[(unsigned int) yy_c];
+			}
+		yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+		}
+
+	return yy_current_state;
+}
+
+/* yy_try_NUL_trans - try to make a transition on the NUL character
+ *
+ * synopsis
+ *	next_state = yy_try_NUL_trans( current_state );
+ */
+    static yy_state_type yy_try_NUL_trans  (yy_state_type yy_current_state )
+{
+	register int yy_is_jam;
+    	register char *yy_cp = (yy_c_buf_p);
+
+	register YY_CHAR yy_c = 1;
+	if ( yy_accept[yy_current_state] )
+		{
+		(yy_last_accepting_state) = yy_current_state;
+		(yy_last_accepting_cpos) = yy_cp;
+		}
+	while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
+		{
+		yy_current_state = (int) yy_def[yy_current_state];
+		if ( yy_current_state >= 46 )
+			yy_c = yy_meta[(unsigned int) yy_c];
+		}
+	yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+	yy_is_jam = (yy_current_state == 45);
+
+	return yy_is_jam ? 0 : yy_current_state;
+}
+
+    static void yyunput (int c, register char * yy_bp )
+{
+	register char *yy_cp;
+    
+    yy_cp = (yy_c_buf_p);
+
+	/* undo effects of setting up yytext */
+	*yy_cp = (yy_hold_char);
+
+	if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
+		{ /* need to shift things up to make room */
+		/* +2 for EOB chars. */
+		register int number_to_move = (yy_n_chars) + 2;
+		register char *dest = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[
+					YY_CURRENT_BUFFER_LVALUE->yy_buf_size + 2];
+		register char *source =
+				&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move];
+
+		while ( source > YY_CURRENT_BUFFER_LVALUE->yy_ch_buf )
+			*--dest = *--source;
+
+		yy_cp += (int) (dest - source);
+		yy_bp += (int) (dest - source);
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars =
+			(yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_buf_size;
+
+		if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
+			YY_FATAL_ERROR( "flex scanner push-back overflow" );
+		}
+
+	*--yy_cp = (char) c;
+
+	(yytext_ptr) = yy_bp;
+	(yy_hold_char) = *yy_cp;
+	(yy_c_buf_p) = yy_cp;
+}
+
+#ifndef YY_NO_INPUT
+#ifdef __cplusplus
+    static int yyinput (void)
+#else
+    static int input  (void)
+#endif
+
+{
+	int c;
+    
+	*(yy_c_buf_p) = (yy_hold_char);
+
+	if ( *(yy_c_buf_p) == YY_END_OF_BUFFER_CHAR )
+		{
+		/* yy_c_buf_p now points to the character we want to return.
+		 * If this occurs *before* the EOB characters, then it's a
+		 * valid NUL; if not, then we've hit the end of the buffer.
+		 */
+		if ( (yy_c_buf_p) < &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] )
+			/* This was really a NUL. */
+			*(yy_c_buf_p) = '\0';
+
+		else
+			{ /* need more input */
+			int offset = (yy_c_buf_p) - (yytext_ptr);
+			++(yy_c_buf_p);
+
+			switch ( yy_get_next_buffer(  ) )
+				{
+				case EOB_ACT_LAST_MATCH:
+					/* This happens because yy_g_n_b()
+					 * sees that we've accumulated a
+					 * token and flags that we need to
+					 * try matching the token before
+					 * proceeding.  But for input(),
+					 * there's no matching to consider.
+					 * So convert the EOB_ACT_LAST_MATCH
+					 * to EOB_ACT_END_OF_FILE.
+					 */
+
+					/* Reset buffer status. */
+					yyrestart(yyin );
+
+					/*FALLTHROUGH*/
+
+				case EOB_ACT_END_OF_FILE:
+					{
+					if ( yywrap( ) )
+						return 0;
+
+					if ( ! (yy_did_buffer_switch_on_eof) )
+						YY_NEW_FILE;
+#ifdef __cplusplus
+					return yyinput();
+#else
+					return input();
+#endif
+					}
+
+				case EOB_ACT_CONTINUE_SCAN:
+					(yy_c_buf_p) = (yytext_ptr) + offset;
+					break;
+				}
+			}
+		}
+
+	c = *(unsigned char *) (yy_c_buf_p);	/* cast for 8-bit char's */
+	*(yy_c_buf_p) = '\0';	/* preserve yytext */
+	(yy_hold_char) = *++(yy_c_buf_p);
+
+	return c;
+}
+#endif	/* ifndef YY_NO_INPUT */
+
+/** Immediately switch to a different input stream.
+ * @param input_file A readable stream.
+ * 
+ * @note This function does not reset the start condition to @c INITIAL .
+ */
+    void yyrestart  (FILE * input_file )
+{
+    
+	if ( ! YY_CURRENT_BUFFER ){
+        yyensure_buffer_stack ();
+		YY_CURRENT_BUFFER_LVALUE =
+            yy_create_buffer(yyin,YY_BUF_SIZE );
+	}
+
+	yy_init_buffer(YY_CURRENT_BUFFER,input_file );
+	yy_load_buffer_state( );
+}
+
+/** Switch to a different input buffer.
+ * @param new_buffer The new input buffer.
+ * 
+ */
+    void yy_switch_to_buffer  (YY_BUFFER_STATE  new_buffer )
+{
+    
+	/* TODO. We should be able to replace this entire function body
+	 * with
+	 *		yypop_buffer_state();
+	 *		yypush_buffer_state(new_buffer);
+     */
+	yyensure_buffer_stack ();
+	if ( YY_CURRENT_BUFFER == new_buffer )
+		return;
+
+	if ( YY_CURRENT_BUFFER )
+		{
+		/* Flush out information for old buffer. */
+		*(yy_c_buf_p) = (yy_hold_char);
+		YY_CURRENT_BUFFER_LVALUE->yy_buf_pos = (yy_c_buf_p);
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
+		}
+
+	YY_CURRENT_BUFFER_LVALUE = new_buffer;
+	yy_load_buffer_state( );
+
+	/* We don't actually know whether we did this switch during
+	 * EOF (yywrap()) processing, but the only time this flag
+	 * is looked at is after yywrap() is called, so it's safe
+	 * to go ahead and always set it.
+	 */
+	(yy_did_buffer_switch_on_eof) = 1;
+}
+
+static void yy_load_buffer_state  (void)
+{
+    	(yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_n_chars;
+	(yytext_ptr) = (yy_c_buf_p) = YY_CURRENT_BUFFER_LVALUE->yy_buf_pos;
+	yyin = YY_CURRENT_BUFFER_LVALUE->yy_input_file;
+	(yy_hold_char) = *(yy_c_buf_p);
+}
+
+/** Allocate and initialize an input buffer state.
+ * @param file A readable stream.
+ * @param size The character buffer size in bytes. When in doubt, use @c YY_BUF_SIZE.
+ * 
+ * @return the allocated buffer state.
+ */
+    YY_BUFFER_STATE yy_create_buffer  (FILE * file, int  size )
+{
+	YY_BUFFER_STATE b;
+    
+	b = (YY_BUFFER_STATE) yyalloc(sizeof( struct yy_buffer_state )  );
+	if ( ! b )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
+
+	b->yy_buf_size = size;
+
+	/* yy_ch_buf has to be 2 characters longer than the size given because
+	 * we need to put in 2 end-of-buffer characters.
+	 */
+	b->yy_ch_buf = (char *) yyalloc(b->yy_buf_size + 2  );
+	if ( ! b->yy_ch_buf )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
+
+	b->yy_is_our_buffer = 1;
+
+	yy_init_buffer(b,file );
+
+	return b;
+}
+
+/** Destroy the buffer.
+ * @param b a buffer created with yy_create_buffer()
+ * 
+ */
+    void yy_delete_buffer (YY_BUFFER_STATE  b )
+{
+    
+	if ( ! b )
+		return;
+
+	if ( b == YY_CURRENT_BUFFER ) /* Not sure if we should pop here. */
+		YY_CURRENT_BUFFER_LVALUE = (YY_BUFFER_STATE) 0;
+
+	if ( b->yy_is_our_buffer )
+		yyfree((void *) b->yy_ch_buf  );
+
+	yyfree((void *) b  );
+}
+
+#ifndef __cplusplus
+extern int isatty (int );
+#endif /* __cplusplus */
+    
+/* Initializes or reinitializes a buffer.
+ * This function is sometimes called more than once on the same buffer,
+ * such as during a yyrestart() or at EOF.
+ */
+    static void yy_init_buffer  (YY_BUFFER_STATE  b, FILE * file )
+
+{
+	int oerrno = errno;
+    
+	yy_flush_buffer(b );
+
+	b->yy_input_file = file;
+	b->yy_fill_buffer = 1;
+
+    /* If b is the current buffer, then yy_init_buffer was _probably_
+     * called from yyrestart() or through yy_get_next_buffer.
+     * In that case, we don't want to reset the lineno or column.
+     */
+    if (b != YY_CURRENT_BUFFER){
+        b->yy_bs_lineno = 1;
+        b->yy_bs_column = 0;
+    }
+
+        b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0;
+    
+	errno = oerrno;
+}
+
+/** Discard all buffered characters. On the next scan, YY_INPUT will be called.
+ * @param b the buffer state to be flushed, usually @c YY_CURRENT_BUFFER.
+ * 
+ */
+    void yy_flush_buffer (YY_BUFFER_STATE  b )
+{
+    	if ( ! b )
+		return;
+
+	b->yy_n_chars = 0;
+
+	/* We always need two end-of-buffer characters.  The first causes
+	 * a transition to the end-of-buffer state.  The second causes
+	 * a jam in that state.
+	 */
+	b->yy_ch_buf[0] = YY_END_OF_BUFFER_CHAR;
+	b->yy_ch_buf[1] = YY_END_OF_BUFFER_CHAR;
+
+	b->yy_buf_pos = &b->yy_ch_buf[0];
+
+	b->yy_at_bol = 1;
+	b->yy_buffer_status = YY_BUFFER_NEW;
+
+	if ( b == YY_CURRENT_BUFFER )
+		yy_load_buffer_state( );
+}
+
+/** Pushes the new state onto the stack. The new state becomes
+ *  the current state. This function will allocate the stack
+ *  if necessary.
+ *  @param new_buffer The new state.
+ *  
+ */
+void yypush_buffer_state (YY_BUFFER_STATE new_buffer )
+{
+    	if (new_buffer == NULL)
+		return;
+
+	yyensure_buffer_stack();
+
+	/* This block is copied from yy_switch_to_buffer. */
+	if ( YY_CURRENT_BUFFER )
+		{
+		/* Flush out information for old buffer. */
+		*(yy_c_buf_p) = (yy_hold_char);
+		YY_CURRENT_BUFFER_LVALUE->yy_buf_pos = (yy_c_buf_p);
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
+		}
+
+	/* Only push if top exists. Otherwise, replace top. */
+	if (YY_CURRENT_BUFFER)
+		(yy_buffer_stack_top)++;
+	YY_CURRENT_BUFFER_LVALUE = new_buffer;
+
+	/* copied from yy_switch_to_buffer. */
+	yy_load_buffer_state( );
+	(yy_did_buffer_switch_on_eof) = 1;
+}
+
+/** Removes and deletes the top of the stack, if present.
+ *  The next element becomes the new top.
+ *  
+ */
+void yypop_buffer_state (void)
+{
+    	if (!YY_CURRENT_BUFFER)
+		return;
+
+	yy_delete_buffer(YY_CURRENT_BUFFER );
+	YY_CURRENT_BUFFER_LVALUE = NULL;
+	if ((yy_buffer_stack_top) > 0)
+		--(yy_buffer_stack_top);
+
+	if (YY_CURRENT_BUFFER) {
+		yy_load_buffer_state( );
+		(yy_did_buffer_switch_on_eof) = 1;
+	}
+}
+
+/* Allocates the stack if it does not exist.
+ *  Guarantees space for at least one push.
+ */
+static void yyensure_buffer_stack (void)
+{
+	int num_to_alloc;
+    
+	if (!(yy_buffer_stack)) {
+
+		/* First allocation is just for 2 elements, since we don't know if this
+		 * scanner will even need a stack. We use 2 instead of 1 to avoid an
+		 * immediate realloc on the next call.
+         */
+		num_to_alloc = 1;
+		(yy_buffer_stack) = (struct yy_buffer_state**)yyalloc
+								(num_to_alloc * sizeof(struct yy_buffer_state*)
+								);
+		
+		memset((yy_buffer_stack), 0, num_to_alloc * sizeof(struct yy_buffer_state*));
+				
+		(yy_buffer_stack_max) = num_to_alloc;
+		(yy_buffer_stack_top) = 0;
+		return;
+	}
+
+	if ((yy_buffer_stack_top) >= ((yy_buffer_stack_max)) - 1){
+
+		/* Increase the buffer to prepare for a possible push. */
+		int grow_size = 8 /* arbitrary grow size */;
+
+		num_to_alloc = (yy_buffer_stack_max) + grow_size;
+		(yy_buffer_stack) = (struct yy_buffer_state**)yyrealloc
+								((yy_buffer_stack),
+								num_to_alloc * sizeof(struct yy_buffer_state*)
+								);
+
+		/* zero only the new slots.*/
+		memset((yy_buffer_stack) + (yy_buffer_stack_max), 0, grow_size * sizeof(struct yy_buffer_state*));
+		(yy_buffer_stack_max) = num_to_alloc;
+	}
+}
+
+/** Setup the input buffer state to scan directly from a user-specified character buffer.
+ * @param base the character buffer
+ * @param size the size in bytes of the character buffer
+ * 
+ * @return the newly allocated buffer state object. 
+ */
+YY_BUFFER_STATE yy_scan_buffer  (char * base, yy_size_t  size )
+{
+	YY_BUFFER_STATE b;
+    
+	if ( size < 2 ||
+	     base[size-2] != YY_END_OF_BUFFER_CHAR ||
+	     base[size-1] != YY_END_OF_BUFFER_CHAR )
+		/* They forgot to leave room for the EOB's. */
+		return 0;
+
+	b = (YY_BUFFER_STATE) yyalloc(sizeof( struct yy_buffer_state )  );
+	if ( ! b )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_scan_buffer()" );
+
+	b->yy_buf_size = size - 2;	/* "- 2" to take care of EOB's */
+	b->yy_buf_pos = b->yy_ch_buf = base;
+	b->yy_is_our_buffer = 0;
+	b->yy_input_file = 0;
+	b->yy_n_chars = b->yy_buf_size;
+	b->yy_is_interactive = 0;
+	b->yy_at_bol = 1;
+	b->yy_fill_buffer = 0;
+	b->yy_buffer_status = YY_BUFFER_NEW;
+
+	yy_switch_to_buffer(b  );
+
+	return b;
+}
+
+/** Setup the input buffer state to scan a string. The next call to yylex() will
+ * scan from a @e copy of @a str.
+ * @param str a NUL-terminated string to scan
+ * 
+ * @return the newly allocated buffer state object.
+ * @note If you want to scan bytes that may contain NUL values, then use
+ *       yy_scan_bytes() instead.
+ */
+YY_BUFFER_STATE yy_scan_string (yyconst char * yystr )
+{
+    
+	return yy_scan_bytes(yystr,strlen(yystr) );
+}
+
+/** Setup the input buffer state to scan the given bytes. The next call to yylex() will
+ * scan from a @e copy of @a bytes.
+ * @param bytes the byte buffer to scan
+ * @param len the number of bytes in the buffer pointed to by @a bytes.
+ * 
+ * @return the newly allocated buffer state object.
+ */
+YY_BUFFER_STATE yy_scan_bytes  (yyconst char * yybytes, int  _yybytes_len )
+{
+	YY_BUFFER_STATE b;
+	char *buf;
+	yy_size_t n;
+	int i;
+    
+	/* Get memory for full buffer, including space for trailing EOB's. */
+	n = _yybytes_len + 2;
+	buf = (char *) yyalloc(n  );
+	if ( ! buf )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_scan_bytes()" );
+
+	for ( i = 0; i < _yybytes_len; ++i )
+		buf[i] = yybytes[i];
+
+	buf[_yybytes_len] = buf[_yybytes_len+1] = YY_END_OF_BUFFER_CHAR;
+
+	b = yy_scan_buffer(buf,n );
+	if ( ! b )
+		YY_FATAL_ERROR( "bad buffer in yy_scan_bytes()" );
+
+	/* It's okay to grow etc. this buffer, and we should throw it
+	 * away when we're done.
+	 */
+	b->yy_is_our_buffer = 1;
+
+	return b;
+}
+
+#ifndef YY_EXIT_FAILURE
+#define YY_EXIT_FAILURE 2
+#endif
+
+static void yy_fatal_error (yyconst char* msg )
+{
+    	(void) fprintf( stderr, "%s\n", msg );
+	exit( YY_EXIT_FAILURE );
+}
+
+/* Redefine yyless() so it works in section 3 code. */
+
+#undef yyless
+#define yyless(n) \
+	do \
+		{ \
+		/* Undo effects of setting up yytext. */ \
+        int yyless_macro_arg = (n); \
+        YY_LESS_LINENO(yyless_macro_arg);\
+		yytext[yyleng] = (yy_hold_char); \
+		(yy_c_buf_p) = yytext + yyless_macro_arg; \
+		(yy_hold_char) = *(yy_c_buf_p); \
+		*(yy_c_buf_p) = '\0'; \
+		yyleng = yyless_macro_arg; \
+		} \
+	while ( 0 )
+
+/* Accessor  methods (get/set functions) to struct members. */
+
+/** Get the current line number.
+ * 
+ */
+int yyget_lineno  (void)
+{
+        
+    return yylineno;
+}
+
+/** Get the input stream.
+ * 
+ */
+FILE *yyget_in  (void)
+{
+        return yyin;
+}
+
+/** Get the output stream.
+ * 
+ */
+FILE *yyget_out  (void)
+{
+        return yyout;
+}
+
+/** Get the length of the current token.
+ * 
+ */
+int yyget_leng  (void)
+{
+        return yyleng;
+}
+
+/** Get the current token.
+ * 
+ */
+
+char *yyget_text  (void)
+{
+        return yytext;
+}
+
+/** Set the current line number.
+ * @param line_number
+ * 
+ */
+void yyset_lineno (int  line_number )
+{
+    
+    yylineno = line_number;
+}
+
+/** Set the input stream. This does not discard the current
+ * input buffer.
+ * @param in_str A readable stream.
+ * 
+ * @see yy_switch_to_buffer
+ */
+void yyset_in (FILE *  in_str )
+{
+        yyin = in_str ;
+}
+
+void yyset_out (FILE *  out_str )
+{
+        yyout = out_str ;
+}
+
+int yyget_debug  (void)
+{
+        return yy_flex_debug;
+}
+
+void yyset_debug (int  bdebug )
+{
+        yy_flex_debug = bdebug ;
+}
+
+static int yy_init_globals (void)
+{
+        /* Initialization is the same as for the non-reentrant scanner.
+     * This function is called from yylex_destroy(), so don't allocate here.
+     */
+
+    (yy_buffer_stack) = 0;
+    (yy_buffer_stack_top) = 0;
+    (yy_buffer_stack_max) = 0;
+    (yy_c_buf_p) = (char *) 0;
+    (yy_init) = 0;
+    (yy_start) = 0;
+
+/* Defined in main.c */
+#ifdef YY_STDINIT
+    yyin = stdin;
+    yyout = stdout;
+#else
+    yyin = (FILE *) 0;
+    yyout = (FILE *) 0;
+#endif
+
+    /* For future reference: Set errno on error, since we are called by
+     * yylex_init()
+     */
+    return 0;
+}
+
+/* yylex_destroy is for both reentrant and non-reentrant scanners. */
+int yylex_destroy  (void)
+{
+    
+    /* Pop the buffer stack, destroying each element. */
+	while(YY_CURRENT_BUFFER){
+		yy_delete_buffer(YY_CURRENT_BUFFER  );
+		YY_CURRENT_BUFFER_LVALUE = NULL;
+		yypop_buffer_state();
+	}
+
+	/* Destroy the stack itself. */
+	yyfree((yy_buffer_stack) );
+	(yy_buffer_stack) = NULL;
+
+    /* Reset the globals. This is important in a non-reentrant scanner so the next time
+     * yylex() is called, initialization will occur. */
+    yy_init_globals( );
+
+    return 0;
+}
+
+/*
+ * Internal utility routines.
+ */
+
+#ifndef yytext_ptr
+static void yy_flex_strncpy (char* s1, yyconst char * s2, int n )
+{
+	register int i;
+	for ( i = 0; i < n; ++i )
+		s1[i] = s2[i];
+}
+#endif
+
+#ifdef YY_NEED_STRLEN
+static int yy_flex_strlen (yyconst char * s )
+{
+	register int n;
+	for ( n = 0; s[n]; ++n )
+		;
+
+	return n;
+}
+#endif
+
+void *yyalloc (yy_size_t  size )
+{
+	return (void *) malloc( size );
+}
+
+void *yyrealloc  (void * ptr, yy_size_t  size )
+{
+	/* The cast to (char *) in the following accommodates both
+	 * implementations that use char* generic pointers, and those
+	 * that use void* generic pointers.  It works with the latter
+	 * because both ANSI C and C++ allow castless assignment from
+	 * any pointer type to void*, and deal with argument conversions
+	 * as though doing an assignment.
+	 */
+	return (void *) realloc( (char *) ptr, size );
+}
+
+void yyfree (void * ptr )
+{
+	free( (char *) ptr );	/* see yyrealloc() for (char *) cast */
+}
+
+#define YYTABLES_NAME "yytables"
+
+#line 75 "lex.l"
+
+
+
+#ifndef yywrap /* XXX */
+int
+yywrap () 
+{
+     return 1;
+}
+#endif
+
+static int
+getstring(void)
+{
+    char x[128];
+    int i = 0;
+    int c;
+    int quote = 0;
+    while(i < sizeof(x) - 1 && (c = input()) != EOF){
+	if(quote) {
+	    x[i++] = c;
+	    quote = 0;
+	    continue;
+	}
+	if(c == '\n'){
+	    error_message("unterminated string");
+	    lineno++;
+	    break;
+	}
+	if(c == '\\'){
+	    quote++;
+	    continue;
+	}
+	if(c == '\"')
+	    break;
+	x[i++] = c;
+    }
+    x[i] = '\0';
+    yylval.string = strdup(x);
+    if (yylval.string == NULL)
+        err(1, "malloc");
+    return STRING;
+}
+
+void
+error_message (const char *format, ...)
+{
+     va_list args;
+
+     va_start (args, format);
+     fprintf (stderr, "%s:%d:", filename, lineno);
+     vfprintf (stderr, format, args);
+     va_end (args);
+     numerror++;
+}
+
diff --git a/crypto/heimdal/lib/com_err/lex.h b/crypto/heimdal/lib/com_err/lex.h
index 9912bf4..89f0387 100644
--- a/crypto/heimdal/lib/com_err/lex.h
+++ b/crypto/heimdal/lib/com_err/lex.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: lex.h,v 1.1 2000/06/22 00:42:52 assar Exp $ */
+/* $Id: lex.h 8451 2000-06-22 00:42:52Z assar $ */
 
 void error_message (const char *, ...)
 __attribute__ ((format (printf, 1, 2)));
diff --git a/crypto/heimdal/lib/com_err/lex.l b/crypto/heimdal/lib/com_err/lex.l
index e98db6f..08aef51 100644
--- a/crypto/heimdal/lib/com_err/lex.l
+++ b/crypto/heimdal/lib/com_err/lex.l
@@ -44,7 +44,7 @@
 #include "parse.h"
 #include "lex.h"
 
-RCSID("$Id: lex.l,v 1.6 2000/06/22 00:42:52 assar Exp $");
+RCSID("$Id: lex.l 15143 2005-05-16 08:52:54Z lha $");
 
 static unsigned lineno = 1;
 static int getstring(void);
@@ -89,7 +89,7 @@ getstring(void)
     int i = 0;
     int c;
     int quote = 0;
-    while((c = input()) != EOF){
+    while(i < sizeof(x) - 1 && (c = input()) != EOF){
 	if(quote) {
 	    x[i++] = c;
 	    quote = 0;
@@ -110,6 +110,8 @@ getstring(void)
     }
     x[i] = '\0';
     yylval.string = strdup(x);
+    if (yylval.string == NULL)
+        err(1, "malloc");
     return STRING;
 }
 
diff --git a/crypto/heimdal/lib/com_err/parse.c b/crypto/heimdal/lib/com_err/parse.c
new file mode 100644
index 0000000..32cff63
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/parse.c
@@ -0,0 +1,1716 @@
+/* A Bison parser, made by GNU Bison 2.3.  */
+
+/* Skeleton implementation for Bison's Yacc-like parsers in C
+
+   Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
+   Free Software Foundation, Inc.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2, or (at your option)
+   any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin Street, Fifth Floor,
+   Boston, MA 02110-1301, USA.  */
+
+/* As a special exception, you may create a larger work that contains
+   part or all of the Bison parser skeleton and distribute that work
+   under terms of your choice, so long as that work isn't itself a
+   parser generator using the skeleton or a modified version thereof
+   as a parser skeleton.  Alternatively, if you modify or redistribute
+   the parser skeleton itself, you may (at your option) remove this
+   special exception, which will cause the skeleton and the resulting
+   Bison output files to be licensed under the GNU General Public
+   License without this special exception.
+
+   This special exception was added by the Free Software Foundation in
+   version 2.2 of Bison.  */
+
+/* C LALR(1) parser skeleton written by Richard Stallman, by
+   simplifying the original so-called "semantic" parser.  */
+
+/* All symbols defined below should begin with yy or YY, to avoid
+   infringing on user name space.  This should be done even for local
+   variables, as they might otherwise be expanded by user macros.
+   There are some unavoidable exceptions within include files to
+   define necessary library symbols; they are noted "INFRINGES ON
+   USER NAME SPACE" below.  */
+
+/* Identify Bison output.  */
+#define YYBISON 1
+
+/* Bison version.  */
+#define YYBISON_VERSION "2.3"
+
+/* Skeleton name.  */
+#define YYSKELETON_NAME "yacc.c"
+
+/* Pure parsers.  */
+#define YYPURE 0
+
+/* Using locations.  */
+#define YYLSP_NEEDED 0
+
+
+
+/* Tokens.  */
+#ifndef YYTOKENTYPE
+# define YYTOKENTYPE
+   /* Put the tokens into the symbol table, so that GDB and other debuggers
+      know about them.  */
+   enum yytokentype {
+     ET = 258,
+     INDEX = 259,
+     PREFIX = 260,
+     EC = 261,
+     ID = 262,
+     END = 263,
+     STRING = 264,
+     NUMBER = 265
+   };
+#endif
+/* Tokens.  */
+#define ET 258
+#define INDEX 259
+#define PREFIX 260
+#define EC 261
+#define ID 262
+#define END 263
+#define STRING 264
+#define NUMBER 265
+
+
+
+
+/* Copy the first part of user declarations.  */
+#line 1 "parse.y"
+
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "compile_et.h"
+#include "lex.h"
+
+RCSID("$Id: parse.y 15426 2005-06-16 19:21:42Z lha $");
+
+void yyerror (char *s);
+static long name2number(const char *str);
+
+extern char *yytext;
+
+/* This is for bison */
+
+#if !defined(alloca) && !defined(HAVE_ALLOCA)
+#define alloca(x) malloc(x)
+#endif
+
+
+
+/* Enabling traces.  */
+#ifndef YYDEBUG
+# define YYDEBUG 0
+#endif
+
+/* Enabling verbose error messages.  */
+#ifdef YYERROR_VERBOSE
+# undef YYERROR_VERBOSE
+# define YYERROR_VERBOSE 1
+#else
+# define YYERROR_VERBOSE 0
+#endif
+
+/* Enabling the token table.  */
+#ifndef YYTOKEN_TABLE
+# define YYTOKEN_TABLE 0
+#endif
+
+#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
+typedef union YYSTYPE
+#line 53 "parse.y"
+{
+  char *string;
+  int number;
+}
+/* Line 193 of yacc.c.  */
+#line 173 "parse.c"
+	YYSTYPE;
+# define yystype YYSTYPE /* obsolescent; will be withdrawn */
+# define YYSTYPE_IS_DECLARED 1
+# define YYSTYPE_IS_TRIVIAL 1
+#endif
+
+
+
+/* Copy the second part of user declarations.  */
+
+
+/* Line 216 of yacc.c.  */
+#line 186 "parse.c"
+
+#ifdef short
+# undef short
+#endif
+
+#ifdef YYTYPE_UINT8
+typedef YYTYPE_UINT8 yytype_uint8;
+#else
+typedef unsigned char yytype_uint8;
+#endif
+
+#ifdef YYTYPE_INT8
+typedef YYTYPE_INT8 yytype_int8;
+#elif (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+typedef signed char yytype_int8;
+#else
+typedef short int yytype_int8;
+#endif
+
+#ifdef YYTYPE_UINT16
+typedef YYTYPE_UINT16 yytype_uint16;
+#else
+typedef unsigned short int yytype_uint16;
+#endif
+
+#ifdef YYTYPE_INT16
+typedef YYTYPE_INT16 yytype_int16;
+#else
+typedef short int yytype_int16;
+#endif
+
+#ifndef YYSIZE_T
+# ifdef __SIZE_TYPE__
+#  define YYSIZE_T __SIZE_TYPE__
+# elif defined size_t
+#  define YYSIZE_T size_t
+# elif ! defined YYSIZE_T && (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+#  include <stddef.h> /* INFRINGES ON USER NAME SPACE */
+#  define YYSIZE_T size_t
+# else
+#  define YYSIZE_T unsigned int
+# endif
+#endif
+
+#define YYSIZE_MAXIMUM ((YYSIZE_T) -1)
+
+#ifndef YY_
+# if defined YYENABLE_NLS && YYENABLE_NLS
+#  if ENABLE_NLS
+#   include <libintl.h> /* INFRINGES ON USER NAME SPACE */
+#   define YY_(msgid) dgettext ("bison-runtime", msgid)
+#  endif
+# endif
+# ifndef YY_
+#  define YY_(msgid) msgid
+# endif
+#endif
+
+/* Suppress unused-variable warnings by "using" E.  */
+#if ! defined lint || defined __GNUC__
+# define YYUSE(e) ((void) (e))
+#else
+# define YYUSE(e) /* empty */
+#endif
+
+/* Identity function, used to suppress warnings about constant conditions.  */
+#ifndef lint
+# define YYID(n) (n)
+#else
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static int
+YYID (int i)
+#else
+static int
+YYID (i)
+    int i;
+#endif
+{
+  return i;
+}
+#endif
+
+#if ! defined yyoverflow || YYERROR_VERBOSE
+
+/* The parser invokes alloca or malloc; define the necessary symbols.  */
+
+# ifdef YYSTACK_USE_ALLOCA
+#  if YYSTACK_USE_ALLOCA
+#   ifdef __GNUC__
+#    define YYSTACK_ALLOC __builtin_alloca
+#   elif defined __BUILTIN_VA_ARG_INCR
+#    include <alloca.h> /* INFRINGES ON USER NAME SPACE */
+#   elif defined _AIX
+#    define YYSTACK_ALLOC __alloca
+#   elif defined _MSC_VER
+#    include <malloc.h> /* INFRINGES ON USER NAME SPACE */
+#    define alloca _alloca
+#   else
+#    define YYSTACK_ALLOC alloca
+#    if ! defined _ALLOCA_H && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+#     include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
+#     ifndef _STDLIB_H
+#      define _STDLIB_H 1
+#     endif
+#    endif
+#   endif
+#  endif
+# endif
+
+# ifdef YYSTACK_ALLOC
+   /* Pacify GCC's `empty if-body' warning.  */
+#  define YYSTACK_FREE(Ptr) do { /* empty */; } while (YYID (0))
+#  ifndef YYSTACK_ALLOC_MAXIMUM
+    /* The OS might guarantee only one guard page at the bottom of the stack,
+       and a page size can be as small as 4096 bytes.  So we cannot safely
+       invoke alloca (N) if N exceeds 4096.  Use a slightly smaller number
+       to allow for a few compiler-allocated temporary stack slots.  */
+#   define YYSTACK_ALLOC_MAXIMUM 4032 /* reasonable circa 2006 */
+#  endif
+# else
+#  define YYSTACK_ALLOC YYMALLOC
+#  define YYSTACK_FREE YYFREE
+#  ifndef YYSTACK_ALLOC_MAXIMUM
+#   define YYSTACK_ALLOC_MAXIMUM YYSIZE_MAXIMUM
+#  endif
+#  if (defined __cplusplus && ! defined _STDLIB_H \
+       && ! ((defined YYMALLOC || defined malloc) \
+	     && (defined YYFREE || defined free)))
+#   include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
+#   ifndef _STDLIB_H
+#    define _STDLIB_H 1
+#   endif
+#  endif
+#  ifndef YYMALLOC
+#   define YYMALLOC malloc
+#   if ! defined malloc && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+void *malloc (YYSIZE_T); /* INFRINGES ON USER NAME SPACE */
+#   endif
+#  endif
+#  ifndef YYFREE
+#   define YYFREE free
+#   if ! defined free && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+void free (void *); /* INFRINGES ON USER NAME SPACE */
+#   endif
+#  endif
+# endif
+#endif /* ! defined yyoverflow || YYERROR_VERBOSE */
+
+
+#if (! defined yyoverflow \
+     && (! defined __cplusplus \
+	 || (defined YYSTYPE_IS_TRIVIAL && YYSTYPE_IS_TRIVIAL)))
+
+/* A type that is properly aligned for any stack member.  */
+union yyalloc
+{
+  yytype_int16 yyss;
+  YYSTYPE yyvs;
+  };
+
+/* The size of the maximum gap between one aligned stack and the next.  */
+# define YYSTACK_GAP_MAXIMUM (sizeof (union yyalloc) - 1)
+
+/* The size of an array large to enough to hold all stacks, each with
+   N elements.  */
+# define YYSTACK_BYTES(N) \
+     ((N) * (sizeof (yytype_int16) + sizeof (YYSTYPE)) \
+      + YYSTACK_GAP_MAXIMUM)
+
+/* Copy COUNT objects from FROM to TO.  The source and destination do
+   not overlap.  */
+# ifndef YYCOPY
+#  if defined __GNUC__ && 1 < __GNUC__
+#   define YYCOPY(To, From, Count) \
+      __builtin_memcpy (To, From, (Count) * sizeof (*(From)))
+#  else
+#   define YYCOPY(To, From, Count)		\
+      do					\
+	{					\
+	  YYSIZE_T yyi;				\
+	  for (yyi = 0; yyi < (Count); yyi++)	\
+	    (To)[yyi] = (From)[yyi];		\
+	}					\
+      while (YYID (0))
+#  endif
+# endif
+
+/* Relocate STACK from its old location to the new one.  The
+   local variables YYSIZE and YYSTACKSIZE give the old and new number of
+   elements in the stack, and YYPTR gives the new location of the
+   stack.  Advance YYPTR to a properly aligned location for the next
+   stack.  */
+# define YYSTACK_RELOCATE(Stack)					\
+    do									\
+      {									\
+	YYSIZE_T yynewbytes;						\
+	YYCOPY (&yyptr->Stack, Stack, yysize);				\
+	Stack = &yyptr->Stack;						\
+	yynewbytes = yystacksize * sizeof (*Stack) + YYSTACK_GAP_MAXIMUM; \
+	yyptr += yynewbytes / sizeof (*yyptr);				\
+      }									\
+    while (YYID (0))
+
+#endif
+
+/* YYFINAL -- State number of the termination state.  */
+#define YYFINAL  9
+/* YYLAST -- Last index in YYTABLE.  */
+#define YYLAST   23
+
+/* YYNTOKENS -- Number of terminals.  */
+#define YYNTOKENS  12
+/* YYNNTS -- Number of nonterminals.  */
+#define YYNNTS  7
+/* YYNRULES -- Number of rules.  */
+#define YYNRULES  15
+/* YYNRULES -- Number of states.  */
+#define YYNSTATES  24
+
+/* YYTRANSLATE(YYLEX) -- Bison symbol number corresponding to YYLEX.  */
+#define YYUNDEFTOK  2
+#define YYMAXUTOK   265
+
+#define YYTRANSLATE(YYX)						\
+  ((unsigned int) (YYX) <= YYMAXUTOK ? yytranslate[YYX] : YYUNDEFTOK)
+
+/* YYTRANSLATE[YYLEX] -- Bison symbol number corresponding to YYLEX.  */
+static const yytype_uint8 yytranslate[] =
+{
+       0,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,    11,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     1,     2,     3,     4,
+       5,     6,     7,     8,     9,    10
+};
+
+#if YYDEBUG
+/* YYPRHS[YYN] -- Index of the first RHS symbol of rule number YYN in
+   YYRHS.  */
+static const yytype_uint8 yyprhs[] =
+{
+       0,     0,     3,     4,     7,    10,    12,    15,    18,    22,
+      24,    27,    30,    33,    35,    40
+};
+
+/* YYRHS -- A `-1'-separated list of the rules' RHS.  */
+static const yytype_int8 yyrhs[] =
+{
+      13,     0,    -1,    -1,    14,    17,    -1,    15,    16,    -1,
+      16,    -1,     7,     9,    -1,     3,     9,    -1,     3,     9,
+       9,    -1,    18,    -1,    17,    18,    -1,     4,    10,    -1,
+       5,     9,    -1,     5,    -1,     6,     9,    11,     9,    -1,
+       8,    -1
+};
+
+/* YYRLINE[YYN] -- source line where rule number YYN was defined.  */
+static const yytype_uint8 yyrline[] =
+{
+       0,    64,    64,    65,    68,    69,    72,    78,    84,    93,
+      94,    97,   101,   109,   116,   136
+};
+#endif
+
+#if YYDEBUG || YYERROR_VERBOSE || YYTOKEN_TABLE
+/* YYTNAME[SYMBOL-NUM] -- String name of the symbol SYMBOL-NUM.
+   First, the terminals, then, starting at YYNTOKENS, nonterminals.  */
+static const char *const yytname[] =
+{
+  "$end", "error", "$undefined", "ET", "INDEX", "PREFIX", "EC", "ID",
+  "END", "STRING", "NUMBER", "','", "$accept", "file", "header", "id",
+  "et", "statements", "statement", 0
+};
+#endif
+
+# ifdef YYPRINT
+/* YYTOKNUM[YYLEX-NUM] -- Internal token number corresponding to
+   token YYLEX-NUM.  */
+static const yytype_uint16 yytoknum[] =
+{
+       0,   256,   257,   258,   259,   260,   261,   262,   263,   264,
+     265,    44
+};
+# endif
+
+/* YYR1[YYN] -- Symbol number of symbol that rule YYN derives.  */
+static const yytype_uint8 yyr1[] =
+{
+       0,    12,    13,    13,    14,    14,    15,    16,    16,    17,
+      17,    18,    18,    18,    18,    18
+};
+
+/* YYR2[YYN] -- Number of symbols composing right hand side of rule YYN.  */
+static const yytype_uint8 yyr2[] =
+{
+       0,     2,     0,     2,     2,     1,     2,     2,     3,     1,
+       2,     2,     2,     1,     4,     1
+};
+
+/* YYDEFACT[STATE-NAME] -- Default rule to reduce with in state
+   STATE-NUM when YYTABLE doesn't specify something else to do.  Zero
+   means the default is an error.  */
+static const yytype_uint8 yydefact[] =
+{
+       2,     0,     0,     0,     0,     0,     5,     7,     6,     1,
+       0,    13,     0,    15,     3,     9,     4,     8,    11,    12,
+       0,    10,     0,    14
+};
+
+/* YYDEFGOTO[NTERM-NUM].  */
+static const yytype_int8 yydefgoto[] =
+{
+      -1,     3,     4,     5,     6,    14,    15
+};
+
+/* YYPACT[STATE-NUM] -- Index in YYTABLE of the portion describing
+   STATE-NUM.  */
+#define YYPACT_NINF -5
+static const yytype_int8 yypact[] =
+{
+       0,    -3,    -1,     5,    -4,     6,    -5,     1,    -5,    -5,
+       2,     4,     7,    -5,    -4,    -5,    -5,    -5,    -5,    -5,
+       3,    -5,     8,    -5
+};
+
+/* YYPGOTO[NTERM-NUM].  */
+static const yytype_int8 yypgoto[] =
+{
+      -5,    -5,    -5,    -5,    10,    -5,     9
+};
+
+/* YYTABLE[YYPACT[STATE-NUM]].  What to do in state STATE-NUM.  If
+   positive, shift that token.  If negative, reduce the rule which
+   number is the opposite.  If zero, do what YYDEFACT says.
+   If YYTABLE_NINF, syntax error.  */
+#define YYTABLE_NINF -1
+static const yytype_uint8 yytable[] =
+{
+      10,    11,    12,     1,    13,     9,     7,     2,     8,     1,
+      17,     0,    18,    19,    22,    16,    20,    23,     0,     0,
+       0,     0,     0,    21
+};
+
+static const yytype_int8 yycheck[] =
+{
+       4,     5,     6,     3,     8,     0,     9,     7,     9,     3,
+       9,    -1,    10,     9,    11,     5,     9,     9,    -1,    -1,
+      -1,    -1,    -1,    14
+};
+
+/* YYSTOS[STATE-NUM] -- The (internal number of the) accessing
+   symbol of state STATE-NUM.  */
+static const yytype_uint8 yystos[] =
+{
+       0,     3,     7,    13,    14,    15,    16,     9,     9,     0,
+       4,     5,     6,     8,    17,    18,    16,     9,    10,     9,
+       9,    18,    11,     9
+};
+
+#define yyerrok		(yyerrstatus = 0)
+#define yyclearin	(yychar = YYEMPTY)
+#define YYEMPTY		(-2)
+#define YYEOF		0
+
+#define YYACCEPT	goto yyacceptlab
+#define YYABORT		goto yyabortlab
+#define YYERROR		goto yyerrorlab
+
+
+/* Like YYERROR except do call yyerror.  This remains here temporarily
+   to ease the transition to the new meaning of YYERROR, for GCC.
+   Once GCC version 2 has supplanted version 1, this can go.  */
+
+#define YYFAIL		goto yyerrlab
+
+#define YYRECOVERING()  (!!yyerrstatus)
+
+#define YYBACKUP(Token, Value)					\
+do								\
+  if (yychar == YYEMPTY && yylen == 1)				\
+    {								\
+      yychar = (Token);						\
+      yylval = (Value);						\
+      yytoken = YYTRANSLATE (yychar);				\
+      YYPOPSTACK (1);						\
+      goto yybackup;						\
+    }								\
+  else								\
+    {								\
+      yyerror (YY_("syntax error: cannot back up")); \
+      YYERROR;							\
+    }								\
+while (YYID (0))
+
+
+#define YYTERROR	1
+#define YYERRCODE	256
+
+
+/* YYLLOC_DEFAULT -- Set CURRENT to span from RHS[1] to RHS[N].
+   If N is 0, then set CURRENT to the empty location which ends
+   the previous symbol: RHS[0] (always defined).  */
+
+#define YYRHSLOC(Rhs, K) ((Rhs)[K])
+#ifndef YYLLOC_DEFAULT
+# define YYLLOC_DEFAULT(Current, Rhs, N)				\
+    do									\
+      if (YYID (N))                                                    \
+	{								\
+	  (Current).first_line   = YYRHSLOC (Rhs, 1).first_line;	\
+	  (Current).first_column = YYRHSLOC (Rhs, 1).first_column;	\
+	  (Current).last_line    = YYRHSLOC (Rhs, N).last_line;		\
+	  (Current).last_column  = YYRHSLOC (Rhs, N).last_column;	\
+	}								\
+      else								\
+	{								\
+	  (Current).first_line   = (Current).last_line   =		\
+	    YYRHSLOC (Rhs, 0).last_line;				\
+	  (Current).first_column = (Current).last_column =		\
+	    YYRHSLOC (Rhs, 0).last_column;				\
+	}								\
+    while (YYID (0))
+#endif
+
+
+/* YY_LOCATION_PRINT -- Print the location on the stream.
+   This macro was not mandated originally: define only if we know
+   we won't break user code: when these are the locations we know.  */
+
+#ifndef YY_LOCATION_PRINT
+# if defined YYLTYPE_IS_TRIVIAL && YYLTYPE_IS_TRIVIAL
+#  define YY_LOCATION_PRINT(File, Loc)			\
+     fprintf (File, "%d.%d-%d.%d",			\
+	      (Loc).first_line, (Loc).first_column,	\
+	      (Loc).last_line,  (Loc).last_column)
+# else
+#  define YY_LOCATION_PRINT(File, Loc) ((void) 0)
+# endif
+#endif
+
+
+/* YYLEX -- calling `yylex' with the right arguments.  */
+
+#ifdef YYLEX_PARAM
+# define YYLEX yylex (YYLEX_PARAM)
+#else
+# define YYLEX yylex ()
+#endif
+
+/* Enable debugging if requested.  */
+#if YYDEBUG
+
+# ifndef YYFPRINTF
+#  include <stdio.h> /* INFRINGES ON USER NAME SPACE */
+#  define YYFPRINTF fprintf
+# endif
+
+# define YYDPRINTF(Args)			\
+do {						\
+  if (yydebug)					\
+    YYFPRINTF Args;				\
+} while (YYID (0))
+
+# define YY_SYMBOL_PRINT(Title, Type, Value, Location)			  \
+do {									  \
+  if (yydebug)								  \
+    {									  \
+      YYFPRINTF (stderr, "%s ", Title);					  \
+      yy_symbol_print (stderr,						  \
+		  Type, Value); \
+      YYFPRINTF (stderr, "\n");						  \
+    }									  \
+} while (YYID (0))
+
+
+/*--------------------------------.
+| Print this symbol on YYOUTPUT.  |
+`--------------------------------*/
+
+/*ARGSUSED*/
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yy_symbol_value_print (FILE *yyoutput, int yytype, YYSTYPE const * const yyvaluep)
+#else
+static void
+yy_symbol_value_print (yyoutput, yytype, yyvaluep)
+    FILE *yyoutput;
+    int yytype;
+    YYSTYPE const * const yyvaluep;
+#endif
+{
+  if (!yyvaluep)
+    return;
+# ifdef YYPRINT
+  if (yytype < YYNTOKENS)
+    YYPRINT (yyoutput, yytoknum[yytype], *yyvaluep);
+# else
+  YYUSE (yyoutput);
+# endif
+  switch (yytype)
+    {
+      default:
+	break;
+    }
+}
+
+
+/*--------------------------------.
+| Print this symbol on YYOUTPUT.  |
+`--------------------------------*/
+
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yy_symbol_print (FILE *yyoutput, int yytype, YYSTYPE const * const yyvaluep)
+#else
+static void
+yy_symbol_print (yyoutput, yytype, yyvaluep)
+    FILE *yyoutput;
+    int yytype;
+    YYSTYPE const * const yyvaluep;
+#endif
+{
+  if (yytype < YYNTOKENS)
+    YYFPRINTF (yyoutput, "token %s (", yytname[yytype]);
+  else
+    YYFPRINTF (yyoutput, "nterm %s (", yytname[yytype]);
+
+  yy_symbol_value_print (yyoutput, yytype, yyvaluep);
+  YYFPRINTF (yyoutput, ")");
+}
+
+/*------------------------------------------------------------------.
+| yy_stack_print -- Print the state stack from its BOTTOM up to its |
+| TOP (included).                                                   |
+`------------------------------------------------------------------*/
+
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yy_stack_print (yytype_int16 *bottom, yytype_int16 *top)
+#else
+static void
+yy_stack_print (bottom, top)
+    yytype_int16 *bottom;
+    yytype_int16 *top;
+#endif
+{
+  YYFPRINTF (stderr, "Stack now");
+  for (; bottom <= top; ++bottom)
+    YYFPRINTF (stderr, " %d", *bottom);
+  YYFPRINTF (stderr, "\n");
+}
+
+# define YY_STACK_PRINT(Bottom, Top)				\
+do {								\
+  if (yydebug)							\
+    yy_stack_print ((Bottom), (Top));				\
+} while (YYID (0))
+
+
+/*------------------------------------------------.
+| Report that the YYRULE is going to be reduced.  |
+`------------------------------------------------*/
+
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yy_reduce_print (YYSTYPE *yyvsp, int yyrule)
+#else
+static void
+yy_reduce_print (yyvsp, yyrule)
+    YYSTYPE *yyvsp;
+    int yyrule;
+#endif
+{
+  int yynrhs = yyr2[yyrule];
+  int yyi;
+  unsigned long int yylno = yyrline[yyrule];
+  YYFPRINTF (stderr, "Reducing stack by rule %d (line %lu):\n",
+	     yyrule - 1, yylno);
+  /* The symbols being reduced.  */
+  for (yyi = 0; yyi < yynrhs; yyi++)
+    {
+      fprintf (stderr, "   $%d = ", yyi + 1);
+      yy_symbol_print (stderr, yyrhs[yyprhs[yyrule] + yyi],
+		       &(yyvsp[(yyi + 1) - (yynrhs)])
+		       		       );
+      fprintf (stderr, "\n");
+    }
+}
+
+# define YY_REDUCE_PRINT(Rule)		\
+do {					\
+  if (yydebug)				\
+    yy_reduce_print (yyvsp, Rule); \
+} while (YYID (0))
+
+/* Nonzero means print parse trace.  It is left uninitialized so that
+   multiple parsers can coexist.  */
+int yydebug;
+#else /* !YYDEBUG */
+# define YYDPRINTF(Args)
+# define YY_SYMBOL_PRINT(Title, Type, Value, Location)
+# define YY_STACK_PRINT(Bottom, Top)
+# define YY_REDUCE_PRINT(Rule)
+#endif /* !YYDEBUG */
+
+
+/* YYINITDEPTH -- initial size of the parser's stacks.  */
+#ifndef	YYINITDEPTH
+# define YYINITDEPTH 200
+#endif
+
+/* YYMAXDEPTH -- maximum size the stacks can grow to (effective only
+   if the built-in stack extension method is used).
+
+   Do not make this value too large; the results are undefined if
+   YYSTACK_ALLOC_MAXIMUM < YYSTACK_BYTES (YYMAXDEPTH)
+   evaluated with infinite-precision integer arithmetic.  */
+
+#ifndef YYMAXDEPTH
+# define YYMAXDEPTH 10000
+#endif
+
+
+
+#if YYERROR_VERBOSE
+
+# ifndef yystrlen
+#  if defined __GLIBC__ && defined _STRING_H
+#   define yystrlen strlen
+#  else
+/* Return the length of YYSTR.  */
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static YYSIZE_T
+yystrlen (const char *yystr)
+#else
+static YYSIZE_T
+yystrlen (yystr)
+    const char *yystr;
+#endif
+{
+  YYSIZE_T yylen;
+  for (yylen = 0; yystr[yylen]; yylen++)
+    continue;
+  return yylen;
+}
+#  endif
+# endif
+
+# ifndef yystpcpy
+#  if defined __GLIBC__ && defined _STRING_H && defined _GNU_SOURCE
+#   define yystpcpy stpcpy
+#  else
+/* Copy YYSRC to YYDEST, returning the address of the terminating '\0' in
+   YYDEST.  */
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static char *
+yystpcpy (char *yydest, const char *yysrc)
+#else
+static char *
+yystpcpy (yydest, yysrc)
+    char *yydest;
+    const char *yysrc;
+#endif
+{
+  char *yyd = yydest;
+  const char *yys = yysrc;
+
+  while ((*yyd++ = *yys++) != '\0')
+    continue;
+
+  return yyd - 1;
+}
+#  endif
+# endif
+
+# ifndef yytnamerr
+/* Copy to YYRES the contents of YYSTR after stripping away unnecessary
+   quotes and backslashes, so that it's suitable for yyerror.  The
+   heuristic is that double-quoting is unnecessary unless the string
+   contains an apostrophe, a comma, or backslash (other than
+   backslash-backslash).  YYSTR is taken from yytname.  If YYRES is
+   null, do not copy; instead, return the length of what the result
+   would have been.  */
+static YYSIZE_T
+yytnamerr (char *yyres, const char *yystr)
+{
+  if (*yystr == '"')
+    {
+      YYSIZE_T yyn = 0;
+      char const *yyp = yystr;
+
+      for (;;)
+	switch (*++yyp)
+	  {
+	  case '\'':
+	  case ',':
+	    goto do_not_strip_quotes;
+
+	  case '\\':
+	    if (*++yyp != '\\')
+	      goto do_not_strip_quotes;
+	    /* Fall through.  */
+	  default:
+	    if (yyres)
+	      yyres[yyn] = *yyp;
+	    yyn++;
+	    break;
+
+	  case '"':
+	    if (yyres)
+	      yyres[yyn] = '\0';
+	    return yyn;
+	  }
+    do_not_strip_quotes: ;
+    }
+
+  if (! yyres)
+    return yystrlen (yystr);
+
+  return yystpcpy (yyres, yystr) - yyres;
+}
+# endif
+
+/* Copy into YYRESULT an error message about the unexpected token
+   YYCHAR while in state YYSTATE.  Return the number of bytes copied,
+   including the terminating null byte.  If YYRESULT is null, do not
+   copy anything; just return the number of bytes that would be
+   copied.  As a special case, return 0 if an ordinary "syntax error"
+   message will do.  Return YYSIZE_MAXIMUM if overflow occurs during
+   size calculation.  */
+static YYSIZE_T
+yysyntax_error (char *yyresult, int yystate, int yychar)
+{
+  int yyn = yypact[yystate];
+
+  if (! (YYPACT_NINF < yyn && yyn <= YYLAST))
+    return 0;
+  else
+    {
+      int yytype = YYTRANSLATE (yychar);
+      YYSIZE_T yysize0 = yytnamerr (0, yytname[yytype]);
+      YYSIZE_T yysize = yysize0;
+      YYSIZE_T yysize1;
+      int yysize_overflow = 0;
+      enum { YYERROR_VERBOSE_ARGS_MAXIMUM = 5 };
+      char const *yyarg[YYERROR_VERBOSE_ARGS_MAXIMUM];
+      int yyx;
+
+# if 0
+      /* This is so xgettext sees the translatable formats that are
+	 constructed on the fly.  */
+      YY_("syntax error, unexpected %s");
+      YY_("syntax error, unexpected %s, expecting %s");
+      YY_("syntax error, unexpected %s, expecting %s or %s");
+      YY_("syntax error, unexpected %s, expecting %s or %s or %s");
+      YY_("syntax error, unexpected %s, expecting %s or %s or %s or %s");
+# endif
+      char *yyfmt;
+      char const *yyf;
+      static char const yyunexpected[] = "syntax error, unexpected %s";
+      static char const yyexpecting[] = ", expecting %s";
+      static char const yyor[] = " or %s";
+      char yyformat[sizeof yyunexpected
+		    + sizeof yyexpecting - 1
+		    + ((YYERROR_VERBOSE_ARGS_MAXIMUM - 2)
+		       * (sizeof yyor - 1))];
+      char const *yyprefix = yyexpecting;
+
+      /* Start YYX at -YYN if negative to avoid negative indexes in
+	 YYCHECK.  */
+      int yyxbegin = yyn < 0 ? -yyn : 0;
+
+      /* Stay within bounds of both yycheck and yytname.  */
+      int yychecklim = YYLAST - yyn + 1;
+      int yyxend = yychecklim < YYNTOKENS ? yychecklim : YYNTOKENS;
+      int yycount = 1;
+
+      yyarg[0] = yytname[yytype];
+      yyfmt = yystpcpy (yyformat, yyunexpected);
+
+      for (yyx = yyxbegin; yyx < yyxend; ++yyx)
+	if (yycheck[yyx + yyn] == yyx && yyx != YYTERROR)
+	  {
+	    if (yycount == YYERROR_VERBOSE_ARGS_MAXIMUM)
+	      {
+		yycount = 1;
+		yysize = yysize0;
+		yyformat[sizeof yyunexpected - 1] = '\0';
+		break;
+	      }
+	    yyarg[yycount++] = yytname[yyx];
+	    yysize1 = yysize + yytnamerr (0, yytname[yyx]);
+	    yysize_overflow |= (yysize1 < yysize);
+	    yysize = yysize1;
+	    yyfmt = yystpcpy (yyfmt, yyprefix);
+	    yyprefix = yyor;
+	  }
+
+      yyf = YY_(yyformat);
+      yysize1 = yysize + yystrlen (yyf);
+      yysize_overflow |= (yysize1 < yysize);
+      yysize = yysize1;
+
+      if (yysize_overflow)
+	return YYSIZE_MAXIMUM;
+
+      if (yyresult)
+	{
+	  /* Avoid sprintf, as that infringes on the user's name space.
+	     Don't have undefined behavior even if the translation
+	     produced a string with the wrong number of "%s"s.  */
+	  char *yyp = yyresult;
+	  int yyi = 0;
+	  while ((*yyp = *yyf) != '\0')
+	    {
+	      if (*yyp == '%' && yyf[1] == 's' && yyi < yycount)
+		{
+		  yyp += yytnamerr (yyp, yyarg[yyi++]);
+		  yyf += 2;
+		}
+	      else
+		{
+		  yyp++;
+		  yyf++;
+		}
+	    }
+	}
+      return yysize;
+    }
+}
+#endif /* YYERROR_VERBOSE */
+
+
+/*-----------------------------------------------.
+| Release the memory associated to this symbol.  |
+`-----------------------------------------------*/
+
+/*ARGSUSED*/
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yydestruct (const char *yymsg, int yytype, YYSTYPE *yyvaluep)
+#else
+static void
+yydestruct (yymsg, yytype, yyvaluep)
+    const char *yymsg;
+    int yytype;
+    YYSTYPE *yyvaluep;
+#endif
+{
+  YYUSE (yyvaluep);
+
+  if (!yymsg)
+    yymsg = "Deleting";
+  YY_SYMBOL_PRINT (yymsg, yytype, yyvaluep, yylocationp);
+
+  switch (yytype)
+    {
+
+      default:
+	break;
+    }
+}
+
+
+/* Prevent warnings from -Wmissing-prototypes.  */
+
+#ifdef YYPARSE_PARAM
+#if defined __STDC__ || defined __cplusplus
+int yyparse (void *YYPARSE_PARAM);
+#else
+int yyparse ();
+#endif
+#else /* ! YYPARSE_PARAM */
+#if defined __STDC__ || defined __cplusplus
+int yyparse (void);
+#else
+int yyparse ();
+#endif
+#endif /* ! YYPARSE_PARAM */
+
+
+
+/* The look-ahead symbol.  */
+int yychar;
+
+/* The semantic value of the look-ahead symbol.  */
+YYSTYPE yylval;
+
+/* Number of syntax errors so far.  */
+int yynerrs;
+
+
+
+/*----------.
+| yyparse.  |
+`----------*/
+
+#ifdef YYPARSE_PARAM
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+int
+yyparse (void *YYPARSE_PARAM)
+#else
+int
+yyparse (YYPARSE_PARAM)
+    void *YYPARSE_PARAM;
+#endif
+#else /* ! YYPARSE_PARAM */
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+int
+yyparse (void)
+#else
+int
+yyparse ()
+
+#endif
+#endif
+{
+  
+  int yystate;
+  int yyn;
+  int yyresult;
+  /* Number of tokens to shift before error messages enabled.  */
+  int yyerrstatus;
+  /* Look-ahead token as an internal (translated) token number.  */
+  int yytoken = 0;
+#if YYERROR_VERBOSE
+  /* Buffer for error messages, and its allocated size.  */
+  char yymsgbuf[128];
+  char *yymsg = yymsgbuf;
+  YYSIZE_T yymsg_alloc = sizeof yymsgbuf;
+#endif
+
+  /* Three stacks and their tools:
+     `yyss': related to states,
+     `yyvs': related to semantic values,
+     `yyls': related to locations.
+
+     Refer to the stacks thru separate pointers, to allow yyoverflow
+     to reallocate them elsewhere.  */
+
+  /* The state stack.  */
+  yytype_int16 yyssa[YYINITDEPTH];
+  yytype_int16 *yyss = yyssa;
+  yytype_int16 *yyssp;
+
+  /* The semantic value stack.  */
+  YYSTYPE yyvsa[YYINITDEPTH];
+  YYSTYPE *yyvs = yyvsa;
+  YYSTYPE *yyvsp;
+
+
+
+#define YYPOPSTACK(N)   (yyvsp -= (N), yyssp -= (N))
+
+  YYSIZE_T yystacksize = YYINITDEPTH;
+
+  /* The variables used to return semantic value and location from the
+     action routines.  */
+  YYSTYPE yyval;
+
+
+  /* The number of symbols on the RHS of the reduced rule.
+     Keep to zero when no symbol should be popped.  */
+  int yylen = 0;
+
+  YYDPRINTF ((stderr, "Starting parse\n"));
+
+  yystate = 0;
+  yyerrstatus = 0;
+  yynerrs = 0;
+  yychar = YYEMPTY;		/* Cause a token to be read.  */
+
+  /* Initialize stack pointers.
+     Waste one element of value and location stack
+     so that they stay on the same level as the state stack.
+     The wasted elements are never initialized.  */
+
+  yyssp = yyss;
+  yyvsp = yyvs;
+
+  goto yysetstate;
+
+/*------------------------------------------------------------.
+| yynewstate -- Push a new state, which is found in yystate.  |
+`------------------------------------------------------------*/
+ yynewstate:
+  /* In all cases, when you get here, the value and location stacks
+     have just been pushed.  So pushing a state here evens the stacks.  */
+  yyssp++;
+
+ yysetstate:
+  *yyssp = yystate;
+
+  if (yyss + yystacksize - 1 <= yyssp)
+    {
+      /* Get the current used size of the three stacks, in elements.  */
+      YYSIZE_T yysize = yyssp - yyss + 1;
+
+#ifdef yyoverflow
+      {
+	/* Give user a chance to reallocate the stack.  Use copies of
+	   these so that the &'s don't force the real ones into
+	   memory.  */
+	YYSTYPE *yyvs1 = yyvs;
+	yytype_int16 *yyss1 = yyss;
+
+
+	/* Each stack pointer address is followed by the size of the
+	   data in use in that stack, in bytes.  This used to be a
+	   conditional around just the two extra args, but that might
+	   be undefined if yyoverflow is a macro.  */
+	yyoverflow (YY_("memory exhausted"),
+		    &yyss1, yysize * sizeof (*yyssp),
+		    &yyvs1, yysize * sizeof (*yyvsp),
+
+		    &yystacksize);
+
+	yyss = yyss1;
+	yyvs = yyvs1;
+      }
+#else /* no yyoverflow */
+# ifndef YYSTACK_RELOCATE
+      goto yyexhaustedlab;
+# else
+      /* Extend the stack our own way.  */
+      if (YYMAXDEPTH <= yystacksize)
+	goto yyexhaustedlab;
+      yystacksize *= 2;
+      if (YYMAXDEPTH < yystacksize)
+	yystacksize = YYMAXDEPTH;
+
+      {
+	yytype_int16 *yyss1 = yyss;
+	union yyalloc *yyptr =
+	  (union yyalloc *) YYSTACK_ALLOC (YYSTACK_BYTES (yystacksize));
+	if (! yyptr)
+	  goto yyexhaustedlab;
+	YYSTACK_RELOCATE (yyss);
+	YYSTACK_RELOCATE (yyvs);
+
+#  undef YYSTACK_RELOCATE
+	if (yyss1 != yyssa)
+	  YYSTACK_FREE (yyss1);
+      }
+# endif
+#endif /* no yyoverflow */
+
+      yyssp = yyss + yysize - 1;
+      yyvsp = yyvs + yysize - 1;
+
+
+      YYDPRINTF ((stderr, "Stack size increased to %lu\n",
+		  (unsigned long int) yystacksize));
+
+      if (yyss + yystacksize - 1 <= yyssp)
+	YYABORT;
+    }
+
+  YYDPRINTF ((stderr, "Entering state %d\n", yystate));
+
+  goto yybackup;
+
+/*-----------.
+| yybackup.  |
+`-----------*/
+yybackup:
+
+  /* Do appropriate processing given the current state.  Read a
+     look-ahead token if we need one and don't already have one.  */
+
+  /* First try to decide what to do without reference to look-ahead token.  */
+  yyn = yypact[yystate];
+  if (yyn == YYPACT_NINF)
+    goto yydefault;
+
+  /* Not known => get a look-ahead token if don't already have one.  */
+
+  /* YYCHAR is either YYEMPTY or YYEOF or a valid look-ahead symbol.  */
+  if (yychar == YYEMPTY)
+    {
+      YYDPRINTF ((stderr, "Reading a token: "));
+      yychar = YYLEX;
+    }
+
+  if (yychar <= YYEOF)
+    {
+      yychar = yytoken = YYEOF;
+      YYDPRINTF ((stderr, "Now at end of input.\n"));
+    }
+  else
+    {
+      yytoken = YYTRANSLATE (yychar);
+      YY_SYMBOL_PRINT ("Next token is", yytoken, &yylval, &yylloc);
+    }
+
+  /* If the proper action on seeing token YYTOKEN is to reduce or to
+     detect an error, take that action.  */
+  yyn += yytoken;
+  if (yyn < 0 || YYLAST < yyn || yycheck[yyn] != yytoken)
+    goto yydefault;
+  yyn = yytable[yyn];
+  if (yyn <= 0)
+    {
+      if (yyn == 0 || yyn == YYTABLE_NINF)
+	goto yyerrlab;
+      yyn = -yyn;
+      goto yyreduce;
+    }
+
+  if (yyn == YYFINAL)
+    YYACCEPT;
+
+  /* Count tokens shifted since error; after three, turn off error
+     status.  */
+  if (yyerrstatus)
+    yyerrstatus--;
+
+  /* Shift the look-ahead token.  */
+  YY_SYMBOL_PRINT ("Shifting", yytoken, &yylval, &yylloc);
+
+  /* Discard the shifted token unless it is eof.  */
+  if (yychar != YYEOF)
+    yychar = YYEMPTY;
+
+  yystate = yyn;
+  *++yyvsp = yylval;
+
+  goto yynewstate;
+
+
+/*-----------------------------------------------------------.
+| yydefault -- do the default action for the current state.  |
+`-----------------------------------------------------------*/
+yydefault:
+  yyn = yydefact[yystate];
+  if (yyn == 0)
+    goto yyerrlab;
+  goto yyreduce;
+
+
+/*-----------------------------.
+| yyreduce -- Do a reduction.  |
+`-----------------------------*/
+yyreduce:
+  /* yyn is the number of a rule to reduce with.  */
+  yylen = yyr2[yyn];
+
+  /* If YYLEN is nonzero, implement the default value of the action:
+     `$$ = $1'.
+
+     Otherwise, the following line sets YYVAL to garbage.
+     This behavior is undocumented and Bison
+     users should not rely upon it.  Assigning to YYVAL
+     unconditionally makes the parser a bit smaller, and it avoids a
+     GCC warning that YYVAL may be used uninitialized.  */
+  yyval = yyvsp[1-yylen];
+
+
+  YY_REDUCE_PRINT (yyn);
+  switch (yyn)
+    {
+        case 6:
+#line 73 "parse.y"
+    {
+		    id_str = (yyvsp[(2) - (2)].string);
+		}
+    break;
+
+  case 7:
+#line 79 "parse.y"
+    {
+		    base_id = name2number((yyvsp[(2) - (2)].string));
+		    strlcpy(name, (yyvsp[(2) - (2)].string), sizeof(name));
+		    free((yyvsp[(2) - (2)].string));
+		}
+    break;
+
+  case 8:
+#line 85 "parse.y"
+    {
+		    base_id = name2number((yyvsp[(2) - (3)].string));
+		    strlcpy(name, (yyvsp[(3) - (3)].string), sizeof(name));
+		    free((yyvsp[(2) - (3)].string));
+		    free((yyvsp[(3) - (3)].string));
+		}
+    break;
+
+  case 11:
+#line 98 "parse.y"
+    {
+			number = (yyvsp[(2) - (2)].number);
+		}
+    break;
+
+  case 12:
+#line 102 "parse.y"
+    {
+		    free(prefix);
+		    asprintf (&prefix, "%s_", (yyvsp[(2) - (2)].string));
+		    if (prefix == NULL)
+			errx(1, "malloc");
+		    free((yyvsp[(2) - (2)].string));
+		}
+    break;
+
+  case 13:
+#line 110 "parse.y"
+    {
+		    prefix = realloc(prefix, 1);
+		    if (prefix == NULL)
+			errx(1, "malloc");
+		    *prefix = '\0';
+		}
+    break;
+
+  case 14:
+#line 117 "parse.y"
+    {
+		    struct error_code *ec = malloc(sizeof(*ec));
+		    
+		    if (ec == NULL)
+			errx(1, "malloc");
+
+		    ec->next = NULL;
+		    ec->number = number;
+		    if(prefix && *prefix != '\0') {
+			asprintf (&ec->name, "%s%s", prefix, (yyvsp[(2) - (4)].string));
+			if (ec->name == NULL)
+			    errx(1, "malloc");
+			free((yyvsp[(2) - (4)].string));
+		    } else
+			ec->name = (yyvsp[(2) - (4)].string);
+		    ec->string = (yyvsp[(4) - (4)].string);
+		    APPEND(codes, ec);
+		    number++;
+		}
+    break;
+
+  case 15:
+#line 137 "parse.y"
+    {
+			YYACCEPT;
+		}
+    break;
+
+
+/* Line 1267 of yacc.c.  */
+#line 1470 "parse.c"
+      default: break;
+    }
+  YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
+
+  YYPOPSTACK (yylen);
+  yylen = 0;
+  YY_STACK_PRINT (yyss, yyssp);
+
+  *++yyvsp = yyval;
+
+
+  /* Now `shift' the result of the reduction.  Determine what state
+     that goes to, based on the state we popped back to and the rule
+     number reduced by.  */
+
+  yyn = yyr1[yyn];
+
+  yystate = yypgoto[yyn - YYNTOKENS] + *yyssp;
+  if (0 <= yystate && yystate <= YYLAST && yycheck[yystate] == *yyssp)
+    yystate = yytable[yystate];
+  else
+    yystate = yydefgoto[yyn - YYNTOKENS];
+
+  goto yynewstate;
+
+
+/*------------------------------------.
+| yyerrlab -- here on detecting error |
+`------------------------------------*/
+yyerrlab:
+  /* If not already recovering from an error, report this error.  */
+  if (!yyerrstatus)
+    {
+      ++yynerrs;
+#if ! YYERROR_VERBOSE
+      yyerror (YY_("syntax error"));
+#else
+      {
+	YYSIZE_T yysize = yysyntax_error (0, yystate, yychar);
+	if (yymsg_alloc < yysize && yymsg_alloc < YYSTACK_ALLOC_MAXIMUM)
+	  {
+	    YYSIZE_T yyalloc = 2 * yysize;
+	    if (! (yysize <= yyalloc && yyalloc <= YYSTACK_ALLOC_MAXIMUM))
+	      yyalloc = YYSTACK_ALLOC_MAXIMUM;
+	    if (yymsg != yymsgbuf)
+	      YYSTACK_FREE (yymsg);
+	    yymsg = (char *) YYSTACK_ALLOC (yyalloc);
+	    if (yymsg)
+	      yymsg_alloc = yyalloc;
+	    else
+	      {
+		yymsg = yymsgbuf;
+		yymsg_alloc = sizeof yymsgbuf;
+	      }
+	  }
+
+	if (0 < yysize && yysize <= yymsg_alloc)
+	  {
+	    (void) yysyntax_error (yymsg, yystate, yychar);
+	    yyerror (yymsg);
+	  }
+	else
+	  {
+	    yyerror (YY_("syntax error"));
+	    if (yysize != 0)
+	      goto yyexhaustedlab;
+	  }
+      }
+#endif
+    }
+
+
+
+  if (yyerrstatus == 3)
+    {
+      /* If just tried and failed to reuse look-ahead token after an
+	 error, discard it.  */
+
+      if (yychar <= YYEOF)
+	{
+	  /* Return failure if at end of input.  */
+	  if (yychar == YYEOF)
+	    YYABORT;
+	}
+      else
+	{
+	  yydestruct ("Error: discarding",
+		      yytoken, &yylval);
+	  yychar = YYEMPTY;
+	}
+    }
+
+  /* Else will try to reuse look-ahead token after shifting the error
+     token.  */
+  goto yyerrlab1;
+
+
+/*---------------------------------------------------.
+| yyerrorlab -- error raised explicitly by YYERROR.  |
+`---------------------------------------------------*/
+yyerrorlab:
+
+  /* Pacify compilers like GCC when the user code never invokes
+     YYERROR and the label yyerrorlab therefore never appears in user
+     code.  */
+  if (/*CONSTCOND*/ 0)
+     goto yyerrorlab;
+
+  /* Do not reclaim the symbols of the rule which action triggered
+     this YYERROR.  */
+  YYPOPSTACK (yylen);
+  yylen = 0;
+  YY_STACK_PRINT (yyss, yyssp);
+  yystate = *yyssp;
+  goto yyerrlab1;
+
+
+/*-------------------------------------------------------------.
+| yyerrlab1 -- common code for both syntax error and YYERROR.  |
+`-------------------------------------------------------------*/
+yyerrlab1:
+  yyerrstatus = 3;	/* Each real token shifted decrements this.  */
+
+  for (;;)
+    {
+      yyn = yypact[yystate];
+      if (yyn != YYPACT_NINF)
+	{
+	  yyn += YYTERROR;
+	  if (0 <= yyn && yyn <= YYLAST && yycheck[yyn] == YYTERROR)
+	    {
+	      yyn = yytable[yyn];
+	      if (0 < yyn)
+		break;
+	    }
+	}
+
+      /* Pop the current state because it cannot handle the error token.  */
+      if (yyssp == yyss)
+	YYABORT;
+
+
+      yydestruct ("Error: popping",
+		  yystos[yystate], yyvsp);
+      YYPOPSTACK (1);
+      yystate = *yyssp;
+      YY_STACK_PRINT (yyss, yyssp);
+    }
+
+  if (yyn == YYFINAL)
+    YYACCEPT;
+
+  *++yyvsp = yylval;
+
+
+  /* Shift the error token.  */
+  YY_SYMBOL_PRINT ("Shifting", yystos[yyn], yyvsp, yylsp);
+
+  yystate = yyn;
+  goto yynewstate;
+
+
+/*-------------------------------------.
+| yyacceptlab -- YYACCEPT comes here.  |
+`-------------------------------------*/
+yyacceptlab:
+  yyresult = 0;
+  goto yyreturn;
+
+/*-----------------------------------.
+| yyabortlab -- YYABORT comes here.  |
+`-----------------------------------*/
+yyabortlab:
+  yyresult = 1;
+  goto yyreturn;
+
+#ifndef yyoverflow
+/*-------------------------------------------------.
+| yyexhaustedlab -- memory exhaustion comes here.  |
+`-------------------------------------------------*/
+yyexhaustedlab:
+  yyerror (YY_("memory exhausted"));
+  yyresult = 2;
+  /* Fall through.  */
+#endif
+
+yyreturn:
+  if (yychar != YYEOF && yychar != YYEMPTY)
+     yydestruct ("Cleanup: discarding lookahead",
+		 yytoken, &yylval);
+  /* Do not reclaim the symbols of the rule which action triggered
+     this YYABORT or YYACCEPT.  */
+  YYPOPSTACK (yylen);
+  YY_STACK_PRINT (yyss, yyssp);
+  while (yyssp != yyss)
+    {
+      yydestruct ("Cleanup: popping",
+		  yystos[*yyssp], yyvsp);
+      YYPOPSTACK (1);
+    }
+#ifndef yyoverflow
+  if (yyss != yyssa)
+    YYSTACK_FREE (yyss);
+#endif
+#if YYERROR_VERBOSE
+  if (yymsg != yymsgbuf)
+    YYSTACK_FREE (yymsg);
+#endif
+  /* Make sure YYID is used.  */
+  return YYID (yyresult);
+}
+
+
+#line 142 "parse.y"
+
+
+static long
+name2number(const char *str)
+{
+    const char *p;
+    long num = 0;
+    const char *x = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+	"abcdefghijklmnopqrstuvwxyz0123456789_";
+    if(strlen(str) > 4) {
+	yyerror("table name too long");
+	return 0;
+    }
+    for(p = str; *p; p++){
+	char *q = strchr(x, *p);
+	if(q == NULL) {
+	    yyerror("invalid character in table name");
+	    return 0;
+	}
+	num = (num << 6) + (q - x) + 1;
+    }
+    num <<= 8;
+    if(num > 0x7fffffff)
+	num = -(0xffffffff - num + 1);
+    return num;
+}
+
+void
+yyerror (char *s)
+{
+     error_message ("%s\n", s);
+}
+
diff --git a/crypto/heimdal/lib/com_err/parse.h b/crypto/heimdal/lib/com_err/parse.h
new file mode 100644
index 0000000..23d7e0c
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/parse.h
@@ -0,0 +1,81 @@
+/* A Bison parser, made by GNU Bison 2.3.  */
+
+/* Skeleton interface for Bison's Yacc-like parsers in C
+
+   Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
+   Free Software Foundation, Inc.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2, or (at your option)
+   any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin Street, Fifth Floor,
+   Boston, MA 02110-1301, USA.  */
+
+/* As a special exception, you may create a larger work that contains
+   part or all of the Bison parser skeleton and distribute that work
+   under terms of your choice, so long as that work isn't itself a
+   parser generator using the skeleton or a modified version thereof
+   as a parser skeleton.  Alternatively, if you modify or redistribute
+   the parser skeleton itself, you may (at your option) remove this
+   special exception, which will cause the skeleton and the resulting
+   Bison output files to be licensed under the GNU General Public
+   License without this special exception.
+
+   This special exception was added by the Free Software Foundation in
+   version 2.2 of Bison.  */
+
+/* Tokens.  */
+#ifndef YYTOKENTYPE
+# define YYTOKENTYPE
+   /* Put the tokens into the symbol table, so that GDB and other debuggers
+      know about them.  */
+   enum yytokentype {
+     ET = 258,
+     INDEX = 259,
+     PREFIX = 260,
+     EC = 261,
+     ID = 262,
+     END = 263,
+     STRING = 264,
+     NUMBER = 265
+   };
+#endif
+/* Tokens.  */
+#define ET 258
+#define INDEX 259
+#define PREFIX 260
+#define EC 261
+#define ID 262
+#define END 263
+#define STRING 264
+#define NUMBER 265
+
+
+
+
+#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
+typedef union YYSTYPE
+#line 53 "parse.y"
+{
+  char *string;
+  int number;
+}
+/* Line 1529 of yacc.c.  */
+#line 74 "parse.h"
+	YYSTYPE;
+# define yystype YYSTYPE /* obsolescent; will be withdrawn */
+# define YYSTYPE_IS_DECLARED 1
+# define YYSTYPE_IS_TRIVIAL 1
+#endif
+
+extern YYSTYPE yylval;
+
diff --git a/crypto/heimdal/lib/com_err/parse.y b/crypto/heimdal/lib/com_err/parse.y
index 82e99ff..3159313 100644
--- a/crypto/heimdal/lib/com_err/parse.y
+++ b/crypto/heimdal/lib/com_err/parse.y
@@ -35,7 +35,7 @@
 #include "compile_et.h"
 #include "lex.h"
 
-RCSID("$Id: parse.y,v 1.11 2000/06/22 00:42:52 assar Exp $");
+RCSID("$Id: parse.y 15426 2005-06-16 19:21:42Z lha $");
 
 void yyerror (char *s);
 static long name2number(const char *str);
@@ -77,16 +77,14 @@ id		: ID STRING
 
 et		: ET STRING
 		{
-		    base = name2number($2);
-		    strncpy(name, $2, sizeof(name));
-		    name[sizeof(name) - 1] = '\0';
+		    base_id = name2number($2);
+		    strlcpy(name, $2, sizeof(name));
 		    free($2);
 		}
 		| ET STRING STRING
 		{
-		    base = name2number($2);
-		    strncpy(name, $3, sizeof(name));
-		    name[sizeof(name) - 1] = '\0';
+		    base_id = name2number($2);
+		    strlcpy(name, $3, sizeof(name));
 		    free($2);
 		    free($3);
 		}
@@ -102,24 +100,32 @@ statement	: INDEX NUMBER
 		}
 		| PREFIX STRING
 		{
-		    prefix = realloc(prefix, strlen($2) + 2);
-		    strcpy(prefix, $2);
-		    strcat(prefix, "_");
+		    free(prefix);
+		    asprintf (&prefix, "%s_", $2);
+		    if (prefix == NULL)
+			errx(1, "malloc");
 		    free($2);
 		}
 		| PREFIX
 		{
 		    prefix = realloc(prefix, 1);
+		    if (prefix == NULL)
+			errx(1, "malloc");
 		    *prefix = '\0';
 		}
 		| EC STRING ',' STRING
 		{
 		    struct error_code *ec = malloc(sizeof(*ec));
+		    
+		    if (ec == NULL)
+			errx(1, "malloc");
 
 		    ec->next = NULL;
 		    ec->number = number;
 		    if(prefix && *prefix != '\0') {
 			asprintf (&ec->name, "%s%s", prefix, $2);
+			if (ec->name == NULL)
+			    errx(1, "malloc");
 			free($2);
 		    } else
 			ec->name = $2;
@@ -139,7 +145,7 @@ static long
 name2number(const char *str)
 {
     const char *p;
-    long base = 0;
+    long num = 0;
     const char *x = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
 	"abcdefghijklmnopqrstuvwxyz0123456789_";
     if(strlen(str) > 4) {
@@ -152,12 +158,12 @@ name2number(const char *str)
 	    yyerror("invalid character in table name");
 	    return 0;
 	}
-	base = (base << 6) + (q - x) + 1;
+	num = (num << 6) + (q - x) + 1;
     }
-    base <<= 8;
-    if(base > 0x7fffffff)
-	base = -(0xffffffff - base + 1);
-    return base;
+    num <<= 8;
+    if(num > 0x7fffffff)
+	num = -(0xffffffff - num + 1);
+    return num;
 }
 
 void
diff --git a/crypto/heimdal/lib/com_err/roken_rename.h b/crypto/heimdal/lib/com_err/roken_rename.h
index 173c9a7..7c9b0ee 100644
--- a/crypto/heimdal/lib/com_err/roken_rename.h
+++ b/crypto/heimdal/lib/com_err/roken_rename.h
@@ -31,9 +31,32 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: roken_rename.h,v 1.3 1999/12/02 16:58:38 joda Exp $ */
+/* $Id: roken_rename.h 14930 2005-04-24 19:43:06Z lha $ */
 
 #ifndef __roken_rename_h__
 #define __roken_rename_h__
 
+#ifndef HAVE_SNPRINTF
+#define snprintf _com_err_snprintf
+#endif
+#ifndef HAVE_VSNPRINTF
+#define vsnprintf _com_err_vsnprintf
+#endif
+#ifndef HAVE_ASPRINTF
+#define asprintf _com_err_asprintf
+#endif
+#ifndef HAVE_ASNPRINTF
+#define asnprintf _com_err_asnprintf
+#endif
+#ifndef HAVE_VASPRINTF
+#define vasprintf _com_err_vasprintf
+#endif
+#ifndef HAVE_VASNPRINTF
+#define vasnprintf _com_err_vasnprintf
+#endif
+#ifndef HAVE_STRLCPY
+#define strlcpy _com_err_strlcpy
+#endif
+
+
 #endif /* __roken_rename_h__ */
diff --git a/crypto/heimdal/lib/com_err/version-script.map b/crypto/heimdal/lib/com_err/version-script.map
new file mode 100644
index 0000000..43e2e02
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/version-script.map
@@ -0,0 +1,18 @@
+# $Id$
+
+HEIMDAL_COM_ERR_1.0 {
+	global:
+		com_right;
+		free_error_table;
+		initialize_error_table_r;
+		add_to_error_table;
+		com_err;
+		com_err_va;
+		error_message;
+		error_table_name;
+		init_error_table;
+		reset_com_err_hook;
+		set_com_err_hook;
+	local:
+		*;
+};
diff --git a/crypto/heimdal/lib/gssapi/ChangeLog b/crypto/heimdal/lib/gssapi/ChangeLog
index b18bde6..3a0c39f 100644
--- a/crypto/heimdal/lib/gssapi/ChangeLog
+++ b/crypto/heimdal/lib/gssapi/ChangeLog
@@ -1,113 +1,2288 @@
-2003-12-19  Love Hörnquist Åstrand  <lha@it.su.se>
+2008-01-13  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* accept_sec_context.c: 1.40->1.41: Don't require timestamp to be
-	set on delegated token, its already protected by the outer token
-	(and windows doesn't alway send it) Pointed out by Zi-Bin Yang
+	* test_ntlm.c: Test source name (and make the acceptor in ntlm gss
+	mech useful).
+
+2007-12-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ntlm/init_sec_context.c: Don't confuse target name and source
+	name, make regressiont tests pass again.
+	
+2007-12-29  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* ntlm: clean up name handling
+
+2007-12-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ntlm/init_sec_context.c: Use credential if it was passed in.
+
+	* ntlm/acquire_cred.c: Check if there is initial creds with
+	_gss_ntlm_get_user_cred().
+
+	* ntlm/init_sec_context.c: Add _gss_ntlm_get_user_info() that
+	return the user info so it can be used by external modules.
+
+	* ntlm/inquire_cred.c: use the right error code.
+
+	* ntlm/inquire_cred.c: Return GSS_C_NO_CREDENTIAL if there is no
+	credential, ntlm have (not yet) a default credential.
+	
+	* mech/gss_release_oid_set.c: Avoid trying to deref NULL, from
+	Phil Fisher.
+
+2007-12-03  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* test_acquire_cred.c: Always try to fetch cred (even with
+	GSS_C_NO_NAME).
+
+2007-08-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* mech/gss_krb5.c: Readd gss_krb5_get_tkt_flags.
+
+2007-08-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* spnego/compat.c (_gss_spnego_internal_delete_sec_context):
+	release ctx->target_name too From Rafal Malinowski.
+
+2007-07-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* mech/gss_mech_switch.c: Don't try to do dlopen if system doesn't
+	have dlopen. From Rune of Chalmers.
+
+2007-07-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* mech/gss_duplicate_name.c: New signature of _gss_find_mn.
+
+	* mech/gss_init_sec_context.c: New signature of _gss_find_mn.
+
+	* mech/gss_acquire_cred.c: New signature of _gss_find_mn.
+
+	* mech/name.h: New signature of _gss_find_mn.
+
+	* mech/gss_canonicalize_name.c: New signature of _gss_find_mn.
+
+	* mech/gss_compare_name.c: New signature of _gss_find_mn.
+
+	* mech/gss_add_cred.c: New signature of _gss_find_mn.
+
+	* mech/gss_names.c (_gss_find_mn): Return an error code for
+	caller.
+
+	* spnego/accept_sec_context.c: remove checks that are done by the
+	previous function.
+
+	* Makefile.am: New library version.
+
+2007-07-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* mech/gss_oid_to_str.c: Refuse to print GSS_C_NULL_OID, from
+	Rafal Malinowski.
+
+	* spnego/spnego.asn1: Indent and make NegTokenInit and
+	NegTokenResp extendable.
+
+2007-06-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ntlm/inquire_cred.c: Implement _gss_ntlm_inquire_cred.
+
+	* mech/gss_display_status.c: Provide message for GSS_S_COMPLETE.
+	
+	* mech/context.c: If the canned string is "", its no use to the
+	user, make it fall back to the default error string.
+	
+2007-06-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* mech/gss_display_name.c (gss_display_name): no name ->
+	fail. From Rafal Malinswski.
+
+	* spnego/accept_sec_context.c: Wrap name in a spnego_name instead
+	of just a copy of the underlaying object. From Rafal Malinswski.
+
+	* spnego/accept_sec_context.c: Handle underlaying mech not
+	returning mn.
+
+	* mech/gss_accept_sec_context.c: Handle underlaying mech not
+	returning mn.
+
+	* spnego/accept_sec_context.c: Make sure src_name is always set to
+	GSS_C_NO_NAME when returning.
+
+	* krb5/acquire_cred.c (acquire_acceptor_cred): don't claim
+	everything is well on failure.  From Phil Fisher.
+
+	* mech/gss_duplicate_name.c: catch error (and ignore it)
+
+	* ntlm/init_sec_context.c: Use heim_ntlm_calculate_ntlm2_sess.
+
+	* mech/gss_accept_sec_context.c: Only wrap the delegated cred if
+	we got a delegated mech cred.  From Rafal Malinowski.
+
+	* spnego/accept_sec_context.c: Only wrap the delegated cred if we
+	are going to return it to the consumer.  From Rafal Malinowski.
+
+	* spnego/accept_sec_context.c: Fixed memory leak pointed out by
+	Rafal Malinowski, also while here moved to use NegotiationToken
+	for decoding.
+
+2007-06-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* krb5/prf.c (_gsskrb5_pseudo_random): add missing break.
+
+	* krb5/release_name.c: Set *minor_status unconditionallty, its
+	done later anyway.
+
+	* spnego/accept_sec_context.c: Init get_mic to 0.
+
+	* mech/gss_set_cred_option.c: Free memory in failure case, found
+	by beam.
+
+	* mech/gss_inquire_context.c: Handle mech_type being NULL.
+
+	* mech/gss_inquire_cred_by_mech.c: Handle cred_name being NULL.
+
+	* mech/gss_krb5.c: Free memory in error case, found by beam.
+
+2007-06-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ntlm/inquire_context.c: Use ctx->gssflags for flags.
+
+	* krb5/display_name.c: Use KRB5_PRINCIPAL_UNPARSE_DISPLAY, this is
+	not ment for machine consumption.
+
+2007-06-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ntlm/digest.c (kdc_alloc): free memory on failure, pointed out
+	by Rafal Malinowski.
+	
+	* ntlm/digest.c (kdc_destroy): free context when done, pointed out
+	by Rafal Malinowski.
+
+	* spnego/context_stubs.c (_gss_spnego_display_name): if input_name
+	is null, fail.  From Rafal Malinowski.
+	
+2007-06-04  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* ntlm/digest.c: Free memory when done.
+	
+2007-06-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_ntlm.c: Test both with and without keyex.
+
+	* ntlm/digest.c: If we didn't set session key, don't expect one
+	back.
+
+	* test_ntlm.c: Set keyex flag and calculate session key.
+	
+2007-05-31  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* spnego/accept_sec_context.c: Use the return value before is
+	overwritten by later calls.  From Rafal Malinowski
+
+	* krb5/release_cred.c: Give an minor_status argument to
+	gss_release_oid_set.  From Rafal Malinowski
+	
+2007-05-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ntlm/accept_sec_context.c: Catch errors and return the up the
+	stack.
+
+	* test_kcred.c: more testing of lifetimes
+	
+2007-05-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Drop the gss oid_set function for the krb5 mech,
+	use the mech glue versions instead. Pointed out by Rafal
+	Malinowski.
+
+	* krb5: Use gss oid_set functions from mechglue
+
+2007-05-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ntlm/accept_sec_context.c: Set session key only if we are
+	returned a session key. Found by David Love.
+	
+2007-05-13  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* krb5/prf.c: switched MIN to min to make compile on solaris,
+	pointed out by David Love.
+	
+2007-05-09 Love Hörnquist Åstrand <lha@it.su.se>
+
+	* krb5/inquire_cred_by_mech.c: Fill in all of the variables if
+	they are passed in. Pointed out by Phil Fisher.
+	
+2007-05-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* krb5/inquire_cred.c: Fix copy and paste error, bug spotted by
+	from Phil Fisher.
+
+	* mech: dont keep track of gc_usage, just figure it out at
+	gss_inquire_cred() time
+
+	* mech/gss_mech_switch.c (add_builtin): ok for
+	__gss_mech_initialize() to return NULL
+
+	* test_kcred.c: more correct tests
+
+	* spnego/cred_stubs.c (gss_inquire_cred*): wrap the name with a
+	spnego_name.
+
+	* ntlm/inquire_cred.c: make ntlm gss_inquire_cred fail for now,
+	need to find default cred and friends.
+
+	* krb5/inquire_cred_by_mech.c: reimplement
+	
+2007-05-07  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* ntlm/acquire_cred.c: drop unused variable.
+
+	* ntlm/acquire_cred.c: Reimplement.
+
+	* Makefile.am: add ntlm/digest.c
+
+	* ntlm: split out backend ntlm server processing
+
+2007-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ntlm/delete_sec_context.c (_gss_ntlm_delete_sec_context): free
+	credcache when done
+	
+2007-04-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ntlm/init_sec_context.c: ntlm-key credential entry is prefix with @
+	
+	* ntlm/init_sec_context.c (get_user_ccache): pick up the ntlm
+	creds from the krb5 credential cache.
+	
+2007-04-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ntlm/delete_sec_context.c: free the key stored in the context
+
+	* ntlm/ntlm.h: switch password for a key
+
+	* test_oid.c: Switch oid to one that is exported.
+	
+2007-04-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ntlm/init_sec_context.c: move where hash is calculated to make
+	it easier to add ccache support.
+
+	* Makefile.am: Add version-script.map to EXTRA_DIST.
+	
+2007-04-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Unconfuse newer versions of automake that doesn't
+	know the diffrence between depenences and setting variables. foo:
+	vs foo=.
+
+	* test_ntlm.c: delete sec context when done.
+
+	* version-script.map: export more symbols.
+	
+	* Makefile.am: add version script if ld supports it
+	
+	* version-script.map: add version script if ld supports it
+	
+2007-04-18  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: test_acquire_cred need test_common.[ch]
+
+	* test_acquire_cred.c: add more test options.
+
+	* krb5/external.c: add GSS_KRB5_CCACHE_NAME_X
+
+	* gssapi/gssapi_krb5.h: add GSS_KRB5_CCACHE_NAME_X
+
+	* krb5/set_sec_context_option.c: refactor code, implement
+	GSS_KRB5_CCACHE_NAME_X
+
+	* mech/gss_krb5.c: reimplement gss_krb5_ccache_name
+	
+2007-04-17  Love Hörnquist Åstrand <lha@it.su.se>
+	
+	* spnego/cred_stubs.c: Need to import spnego name before we can
+	use it as a gss_name_t.
+
+	* test_acquire_cred.c: use this test as part of the regression
+	suite.
+
+	* mech/gss_acquire_cred.c (gss_acquire_cred): dont init
+	cred->gc_mc every time in the loop.
+	
+2007-04-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: add test_common.h
+	
+2007-02-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gss_acquire_cred.3: Add link for
+	gsskrb5_register_acceptor_identity.
+
+2007-02-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* krb5/copy_ccache.c: Try to leak less memory in the failure case.
+	
+2007-01-31  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* mech/gss_display_status.c: Use right printf formater.
+
+	* test_*.[ch]: split out the error printing function and try to
+	return better errors
+
+2007-01-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* krb5/init_sec_context.c: revert 1.75: (init_auth): only turn on
+	GSS_C_CONF_FLAG and GSS_C_INT_FLAG if the caller requseted it.
+	
+	This is because Kerberos always support INT|CONF, matches behavior
+	with MS and MIT. The creates problems for the GSS-SPNEGO mech.
+	
+2007-01-24  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* krb5/prf.c: constrain desired_output_len
+
+	* krb5/external.c (krb5_mech): add _gsskrb5_pseudo_random
+
+	* mech/gss_pseudo_random.c: Catch error from underlaying mech on
+	failure.
+
+	* Makefile.am: Add krb5/prf.c
+
+	* krb5/prf.c: gss_pseudo_random for krb5
+
+	* test_context.c: Checks for gss_pseudo_random.
+
+	* krb5/gkrb5_err.et: add KG_INPUT_TOO_LONG
+
+	* Makefile.am: Add mech/gss_pseudo_random.c
+
+	* gssapi/gssapi.h: try to load pseudo_random
+
+	* mech/gss_mech_switch.c: try to load pseudo_random
+
+	* mech/gss_pseudo_random.c: Add gss_pseudo_random.
+
+	* gssapi_mech.h: Add hook for gm_pseudo_random.
+	
+2007-01-17  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* test_context.c: Don't assume bufer from gss_display_status is
+	ok.
+
+	* mech/gss_wrap_size_limit.c: Reset out variables.
+
+	* mech/gss_wrap.c: Reset out variables.
+
+	* mech/gss_verify_mic.c: Reset out variables.
+
+	* mech/gss_utils.c: Reset out variables.
+
+	* mech/gss_release_oid_set.c: Reset out variables.
+
+	* mech/gss_release_cred.c: Reset out variables.
+
+	* mech/gss_release_buffer.c: Reset variables.
+
+	* mech/gss_oid_to_str.c: Reset out variables.
+
+	* mech/gss_inquire_sec_context_by_oid.c: Fix reset out variables.
+
+	* mech/gss_mech_switch.c: Reset out variables.
+
+	* mech/gss_inquire_sec_context_by_oid.c: Reset out variables.
+
+	* mech/gss_inquire_names_for_mech.c: Reset out variables.
+
+	* mech/gss_inquire_cred_by_oid.c: Reset out variables.
+
+	* mech/gss_inquire_cred_by_oid.c: Reset out variables.
+
+	* mech/gss_inquire_cred_by_mech.c: Reset out variables.
+
+	* mech/gss_inquire_cred.c: Reset out variables, fix memory leak.
+
+	* mech/gss_inquire_context.c: Reset out variables.
+
+	* mech/gss_init_sec_context.c: Zero out outbuffer on failure.
+
+	* mech/gss_import_name.c: Reset out variables.
+
+	* mech/gss_import_name.c: Reset out variables.
+
+	* mech/gss_get_mic.c: Reset out variables.
+
+	* mech/gss_export_name.c: Reset out variables.
+
+	* mech/gss_encapsulate_token.c: Reset out variables.
+
+	* mech/gss_duplicate_oid.c: Reset out variables.
+
+	* mech/gss_duplicate_oid.c: Reset out variables.
+
+	* mech/gss_duplicate_name.c: Reset out variables.
+
+	* mech/gss_display_status.c: Reset out variables.
+
+	* mech/gss_display_name.c: Reset out variables.
+
+	* mech/gss_delete_sec_context.c: Reset out variables using propper
+	macros.
+
+	* mech/gss_decapsulate_token.c: Reset out variables using propper
+	macros.
+
+	* mech/gss_add_cred.c: Reset out variables.
+
+	* mech/gss_acquire_cred.c: Reset out variables.
+
+	* mech/gss_accept_sec_context.c: Reset out variables using propper
+	macros.
+
+	* mech/gss_init_sec_context.c: Reset out variables.
+
+	* mech/mech_locl.h (_mg_buffer_zero): new macro that zaps a
+	gss_buffer_t
+
+2007-01-16  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* mech: sprinkel _gss_mg_error
+
+	* mech/gss_display_status.c (gss_display_status): use
+	_gss_mg_get_error to fetch the error from underlaying mech, if it
+	failes, let do the regular dance for GSS-CODE version and a
+	generic print-the-error code for MECH-CODE.
+
+	* mech/gss_oid_to_str.c: Don't include the NUL in the length of
+	the string.
+
+	* mech/context.h: Protoypes for _gss_mg_.
+
+	* mech/context.c: Glue to catch the error from the lower gss-api
+	layer and save that for later so gss_display_status() can show the
+	error.
+
+	* gss.c: Detect NTLM.
+	
+2007-01-11  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* mech/gss_accept_sec_context.c: spelling
+	
+2007-01-04  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: Include build (private) prototypes header files.
+
+	* Makefile.am (ntlmsrc): add ntlm/ntlm-private.h
+	
+2006-12-28  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* ntlm/accept_sec_context.c: Pass signseal argument to
+	_gss_ntlm_set_key.
+
+	* ntlm/init_sec_context.c: Pass signseal argument to
+	_gss_ntlm_set_key.
+
+	* ntlm/crypto.c (_gss_ntlm_set_key): add signseal argument
+
+	* test_ntlm.c: add ntlmv2 test
+
+	* ntlm/ntlm.h: break out struct ntlmv2_key;
+
+	* ntlm/crypto.c (_gss_ntlm_set_key): set ntlm v2 keys.
+
+	* ntlm/accept_sec_context.c: Set dummy ntlmv2 keys and Check TI.
+
+	* ntlm/ntlm.h: NTLMv2 keys.
+
+	* ntlm/crypto.c: NTLMv2 sign and verify.
+	
+2006-12-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ntlm/accept_sec_context.c: Don't send targetinfo now.
+	
+	* ntlm/init_sec_context.c: Build ntlmv2 answer buffer.
+
+	* ntlm/init_sec_context.c: Leak less memory.
+
+	* ntlm/init_sec_context.c: Announce that we support key exchange.
+
+	* ntlm/init_sec_context.c: Add NTLM_NEG_NTLM2_SESSION, NTLMv2
+	session security (disable because missing sign and seal).
+	
+2006-12-19  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* ntlm/accept_sec_context.c: split RC4 send and recv keystreams
+
+	* ntlm/init_sec_context.c: split RC4 send and recv keystreams
+
+	* ntlm/ntlm.h: split RC4 send and recv keystreams
+
+	* ntlm/crypto.c: Implement SEAL.
+
+	* ntlm/crypto.c: move gss_wrap/gss_unwrap here
+
+	* test_context.c: request INT and CONF from the gss layer, test
+	get and verify MIC.
+
+	* ntlm/ntlm.h: add crypto bits.
+
+	* ntlm/accept_sec_context.c: Save session master key.
+
+	* Makefile.am: Move get and verify mic to the same file (crypto.c)
+	since they share code.
+
+	* ntlm/crypto.c: Move get and verify mic to the same file since
+	they share code, implement NTLM v1 and dummy signatures.
+
+	* ntlm/init_sec_context.c: pass on GSS_C_CONF_FLAG and
+	GSS_C_INTEG_FLAG, save the session master key
+	
+	* spnego/accept_sec_context.c: try using gss_accept_sec_context()
+	on the opportunistic token instead of guessing the acceptor name
+	and do gss_acquire_cred, this make SPNEGO work like before.
+	
+2006-12-18  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* ntlm/init_sec_context.c: Calculate the NTLM version 1 "master"
+	key.
+
+	* spnego/accept_sec_context.c: Resurect negHints for the acceptor
+	sends first packet.
+	
+	* Makefile.am: Add "windows" versions of the NegTokenInitWin and
+	friends.
+
+	* test_context.c: add --wrapunwrap flag
+
+	* spnego/compat.c: move _gss_spnego_indicate_mechtypelist() to
+	compat.c, use the sequence types of MechTypeList, make
+	add_mech_type() static.
+
+	* spnego/accept_sec_context.c: move
+	_gss_spnego_indicate_mechtypelist() to compat.c
+
+	* Makefile.am: Generate sequence code for MechTypeList
+
+	* spnego: check that the generated acceptor mechlist is acceptable too
+
+	* spnego/init_sec_context.c: Abstract out the initiator filter
+	function, it will be needed for the acceptor too.
+
+	* spnego/accept_sec_context.c: Abstract out the initiator filter
+	function, it will be needed for the acceptor too. Remove negHints.
+
+	* test_context.c: allow asserting return mech
+
+	* ntlm/accept_sec_context.c: add _gss_ntlm_allocate_ctx
+
+	* ntlm/acquire_cred.c: Check that the KDC seem to there and
+	answering us, we can't do better then that wen checking if we will
+	accept the credential.
+
+	* ntlm/get_mic.c: return GSS_S_UNAVAILABLE
+
+	* mech/utils.h: add _gss_free_oid, reverse of _gss_copy_oid
+
+	* mech/gss_utils.c: add _gss_free_oid, reverse of _gss_copy_oid
+
+	* spnego/spnego.asn1: Its very sad, but NegHints its are not part
+	of the NegTokenInit, this makes SPNEGO acceptor life a lot harder.
+	
+	* spnego: try harder to handle names better. handle missing
+	acceptor and initator creds better (ie dont propose/accept mech
+	that there are no credentials for) split NegTokenInit and
+	NegTokenResp in acceptor
+
+2006-12-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ntlm/import_name.c: Allocate the buffer from the right length.
+	
+2006-12-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ntlm/init_sec_context.c (init_sec_context): Tell the other side
+	what domain we think we are talking to.
+
+	* ntlm/delete_sec_context.c: free username and password
+
+	* ntlm/release_name.c (_gss_ntlm_release_name): free name.
+
+	* ntlm/import_name.c (_gss_ntlm_import_name): add support for
+	GSS_C_NT_HOSTBASED_SERVICE names
+
+	* ntlm/ntlm.h: Add ntlm_name.
+
+	* test_context.c: allow testing of ntlm.
+
+	* gssapi_mech.h: add __gss_ntlm_initialize
+
+	* ntlm/accept_sec_context.c (handle_type3): verify that the kdc
+	approved of the ntlm exchange too
+
+	* mech/gss_mech_switch.c: Add the builtin ntlm mech
+
+	* test_ntlm.c: NTLM test app.
+
+	* mech/gss_accept_sec_context.c: Add detection of NTLMSSP.
+
+	* gssapi/gssapi.h: add ntlm mech oid
+
+	* ntlm/external.c: Switch OID to the ms ntlmssp oid
+
+	* Makefile.am: Add ntlm gss-api module.
+
+	* ntlm/accept_sec_context.c: Catch more error errors.
+
+	* ntlm/accept_sec_context.c: Check after a credential to use.
+	
+2006-12-14  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* krb5/set_sec_context_option.c (GSS_KRB5_SET_DEFAULT_REALM_X):
+	don't fail on success.  Bug report from Stefan Metzmacher.
+	
+2006-12-13  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* krb5/init_sec_context.c (init_auth): only turn on
+	GSS_C_CONF_FLAG and GSS_C_INT_FLAG if the caller requseted it.
+	From Stefan Metzmacher.
+	
+2006-12-11  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am (libgssapi_la_OBJECTS): depends on gssapi_asn1.h
+	spnego_asn1.h.
+
+2006-11-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* krb5/acquire_cred.c: Make krb5_get_init_creds_opt_free take a
+	context argument.
+	
+2006-11-16  Love Hörnquist Åstrand <lha@it.su.se>
+	
+	* test_context.c: Test that token keys are the same, return
+	actual_mech.
+	
+2006-11-15  Love Hörnquist Åstrand <lha@it.su.se>
+
+	* spnego/spnego_locl.h: Make bitfields unsigned, add maybe_open.
+
+	* spnego/accept_sec_context.c: Use ASN.1 encoder functions to
+	encode CHOICE structure now that we can handle it.
+
+	* spnego/init_sec_context.c: Use ASN.1 encoder functions to encode
+	CHOICE structure now that we can handle it.
+
+	* spnego/accept_sec_context.c (_gss_spnego_accept_sec_context):
+	send back ad accept_completed when the security context is ->open,
+	w/o this the client doesn't know that the server have completed
+	the transaction.
+
+	* test_context.c: Add delegate flag and check that the delegated
+	cred works.
+
+	* spnego/init_sec_context.c: Keep track of the opportunistic token
+	in the inital message, it might be a complete gss-api context, in
+	that case we'll get back accept_completed without any token. With
+	this change, krb5 w/o mutual authentication works.
+
+	* spnego/accept_sec_context.c: Use ASN.1 encoder functions to
+	encode CHOICE structure now that we can handle it.
+
+	* spnego/accept_sec_context.c: Filter out SPNEGO from the out
+	supported mechs list and make sure we don't select that for the
+	preferred mechamism.
+	
+2006-11-14  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* mech/gss_init_sec_context.c (_gss_mech_cred_find): break out the
+	cred finding to its own function
+
+	* krb5/wrap.c: Better error strings, from Andrew Bartlet.
+	
+2006-11-13  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* test_context.c: Create our own krb5_context.
+
+	* krb5: Switch from using a specific error message context in the
+	TLS to have a whole krb5_context in TLS. This have some
+	interestion side-effekts for the configruration setting options
+	since they operate on per-thread basis now.
+
+	* mech/gss_set_cred_option.c: When calling ->gm_set_cred_option
+	and checking for success, use GSS_S_COMPLETE. From Andrew Bartlet.
+	
+2006-11-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Help solaris make even more.
+
+	* Makefile.am: Help solaris make.
+	
+2006-11-09  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: remove include $(srcdir)/Makefile-digest.am for now
+
+	* mech/gss_accept_sec_context.c: Try better guessing what is mech
+	we are going to select by looking harder at the input_token, idea
+	from Luke Howard's mechglue branch.
+
+	* Makefile.am: libgssapi_la_OBJECTS: add depency on gkrb5_err.h
+
+	* gssapi/gssapi_krb5.h: add GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X
+
+	* mech/gss_krb5.c: implement gss_krb5_set_allowable_enctypes
+
+	* gssapi/gssapi.h: GSS_KRB5_S_
+
+	* krb5/gsskrb5_locl.h: Include <gkrb5_err.h>.
+
+	* gssapi/gssapi_krb5.h: Add gss_krb5_set_allowable_enctypes.
+
+	* Makefile.am: Build and install gkrb5_err.h
+
+	* krb5/gkrb5_err.et: Move the GSS_KRB5_S error here.
+	
+2006-11-08  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* mech/gss_krb5.c: Add gsskrb5_set_default_realm.
+
+	* krb5/set_sec_context_option.c: Support
+	GSS_KRB5_SET_DEFAULT_REALM_X.
+
+	* gssapi/gssapi_krb5.h: add GSS_KRB5_SET_DEFAULT_REALM_X
+
+	* krb5/external.c: add GSS_KRB5_SET_DEFAULT_REALM_X
+	
+2006-11-07  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* test_context.c: rename krb5_[gs]et_time_wrap to
+	krb5_[gs]et_max_time_skew
+
+	* krb5/copy_ccache.c: _gsskrb5_extract_authz_data_from_sec_context
+	no longer used, bye bye
+
+	* mech/gss_krb5.c: No depenency of the krb5 gssapi mech.
+
+	* mech/gss_krb5.c (gsskrb5_extract_authtime_from_sec_context): use
+	_gsskrb5_decode_om_uint32. From Andrew Bartlet.
+
+	* mech/gss_krb5.c: Add dummy gss_krb5_set_allowable_enctypes for
+	now.
+
+	* spnego/spnego_locl.h: Include <roken.h> for compatiblity.
+
+	* krb5/arcfour.c: Use IS_DCE_STYLE flag. There is no padding in
+	DCE-STYLE, don't try to use to.  From Andrew Bartlett.
+
+	* test_context.c: test wrap/unwrap, add flag for dce-style and
+	mutual auth, also support multi-roundtrip sessions
+
+	* krb5/gsskrb5_locl.h: Add IS_DCE_STYLE macro.
+
+	* krb5/accept_sec_context.c (gsskrb5_acceptor_start): use
+	krb5_rd_req_ctx
+
+	* mech/gss_krb5.c (gsskrb5_get_subkey): return the per message
+	token subkey
+
+	* krb5/inquire_sec_context_by_oid.c: check if there is any key at
+	all
+	
+2006-11-06  Love Hörnquist Åstrand <lha@it.su.se>
+	
+	* krb5/inquire_sec_context_by_oid.c: Set more error strings, use
+	right enum for acceptor subkey.  From Andrew Bartlett.
+	
+2006-11-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_context.c: Test gsskrb5_extract_service_keyblock, needed in
+	PAC valication.  From Andrew Bartlett
+
+	* mech/gss_krb5.c: Add gsskrb5_extract_authz_data_from_sec_context
+	and keyblock extraction functions.
+
+	* gssapi/gssapi_krb5.h: Add extraction of keyblock function, from
+	Andrew Bartlett.
+
+	* krb5/external.c: Add GSS_KRB5_GET_SERVICE_KEYBLOCK_X
+	
+2006-11-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_context.c: Rename various routines and constants from
+	canonize to canonicalize.  From Andrew Bartlett
+
+	* mech/gss_krb5.c: Rename various routines and constants from
+	canonize to canonicalize.  From Andrew Bartlett
+
+	* krb5/set_sec_context_option.c: Rename various routines and
+	constants from canonize to canonicalize.  From Andrew Bartlett
+
+	* krb5/external.c: Rename various routines and constants from
+	canonize to canonicalize.  From Andrew Bartlett
+	
+	* gssapi/gssapi_krb5.h: Rename various routines and constants from
+	canonize to canonicalize.  From Andrew Bartlett
+	
+2006-10-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* krb5/accept_sec_context.c (gsskrb5_accept_delegated_token): need
+	to free ccache
+	
+2006-10-24  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* test_context.c (loop): free target_name
+
+	* mech/gss_accept_sec_context.c: SLIST_INIT the ->gc_mc'
+	
+	* mech/gss_acquire_cred.c : SLIST_INIT the ->gc_mc' 
+
+	* krb5/init_sec_context.c: Avoid leaking memory.
+
+	* mech/gss_buffer_set.c (gss_release_buffer_set): don't leak the
+	->elements memory.
+
+	* test_context.c: make compile
+
+	* krb5/cfx.c (_gssapi_verify_mic_cfx): always free crypto context.
+
+	* krb5/set_cred_option.c (import_cred): free sp
+	
+2006-10-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* mech/gss_add_oid_set_member.c: Use old implementation of
+	gss_add_oid_set_member, it leaks less memory.
+
+	* krb5/test_cfx.c: free krb5_crypto.
+
+	* krb5/test_cfx.c: free krb5_context
+
+	* mech/gss_release_name.c (gss_release_name): free input_name
+	it-self.
+	
+2006-10-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_context.c: Call setprogname.
+
+	* mech/gss_krb5.c: Add gsskrb5_extract_authtime_from_sec_context.
+
+	* gssapi/gssapi_krb5.h: add
+	gsskrb5_extract_authtime_from_sec_context
+	
+2006-10-20  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* krb5/inquire_sec_context_by_oid.c: Add get_authtime.
+
+	* krb5/external.c: add GSS_KRB5_GET_AUTHTIME_X
+
+	* gssapi/gssapi_krb5.h: add GSS_KRB5_GET_AUTHTIME_X
+
+	* krb5/set_sec_context_option.c: Implement GSS_KRB5_SEND_TO_KDC_X.
+
+	* mech/gss_krb5.c: Add gsskrb5_set_send_to_kdc
+
+	* gssapi/gssapi_krb5.h: Add GSS_KRB5_SEND_TO_KDC_X and
+	gsskrb5_set_send_to_kdc
+
+	* krb5/external.c: add GSS_KRB5_SEND_TO_KDC_X
+
+	* Makefile.am: more files
+	
+2006-10-19  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: remove spnego/gssapi_spnego.h, its now in gssapi/
+
+	* test_context.c: Allow specifing mech.
+
+	* krb5/external.c: add GSS_SASL_DIGEST_MD5_MECHANISM (for now)
+
+	* gssapi/gssapi.h: Rename GSS_DIGEST_MECHANISM to
+	GSS_SASL_DIGEST_MD5_MECHANISM
+	
+2006-10-18  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* mech/gssapi.asn1: Make it into a heim_any_set, its doesn't
+	except a tag.
+
+	* mech/gssapi.asn1: GSSAPIContextToken is IMPLICIT SEQUENCE
+
+	* gssapi/gssapi_krb5.h: add GSS_KRB5_GET_ACCEPTOR_SUBKEY_X
+
+	* krb5/external.c: Add GSS_KRB5_GET_ACCEPTOR_SUBKEY_X.
+
+	* gssapi/gssapi_krb5.h: add GSS_KRB5_GET_INITIATOR_SUBKEY_X and
+	GSS_KRB5_GET_SUBKEY_X
+
+	* krb5/external.c: add GSS_KRB5_GET_INITIATOR_SUBKEY_X,
+	GSS_KRB5_GET_SUBKEY_X
+	
+2006-10-17  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* test_context.c: Support switching on name type oid's
+
+	* test_context.c: add test for dns canon flag
+
+	* mech/gss_krb5.c: Add gsskrb5_set_dns_canonlize.
+
+	* gssapi/gssapi_krb5.h: remove gss_krb5_compat_des3_mic
+
+	* gssapi/gssapi_krb5.h: Add gsskrb5_set_dns_canonlize.
+
+	* krb5/set_sec_context_option.c: implement
+	GSS_KRB5_SET_DNS_CANONIZE_X
+
+	* gssapi/gssapi_krb5.h: add GSS_KRB5_SET_DNS_CANONIZE_X
+
+	* krb5/external.c: add GSS_KRB5_SET_DNS_CANONIZE_X
+
+	* mech/gss_krb5.c: add bits to make lucid context work
+	
+2006-10-14  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* mech/gss_oid_to_str.c: Prefix der primitives with der_.
+
+	* krb5/inquire_sec_context_by_oid.c: Prefix der primitives with
+	der_.
+
+	* krb5/encapsulate.c: Prefix der primitives with der_.
+
+	* mech/gss_oid_to_str.c: New der_print_heim_oid signature.
+	
+2006-10-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: add test_context
+
+	* krb5/inquire_sec_context_by_oid.c: Make it work.
+
+	* test_oid.c: Test lucid oid.
+
+	* gssapi/gssapi.h: Add OM_uint64_t.
+
+	* krb5/inquire_sec_context_by_oid.c: Add lucid interface.
+
+	* krb5/external.c: Add lucid interface, renumber oids to my
+	delegated space.
+
+	* mech/gss_krb5.c: Add lucid interface.
+
+	* gssapi/gssapi_krb5.h: Add lucid interface.
+
+	* spnego/spnego_locl.h: Maybe include <netdb.h>.
+	
+2006-10-09  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* mech/gss_mech_switch.c: define RTLD_LOCAL to 0 if not defined.
+	
+2006-10-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: install gssapi_krb5.H and gssapi_spnego.h
+
+	* gssapi/gssapi_krb5.h: Move krb5 stuff to <gssapi/gssapi_krb5.h>.
+
+	* gssapi/gssapi.h: Move krb5 stuff to <gssapi/gssapi_krb5.h>.
+
+	* Makefile.am: Drop some -I no longer needed.
+
+	* gssapi/gssapi_spnego.h: Move gssapi_spengo.h over here.
+
+	* krb5: reference all include files using 'krb5/'
+
+2006-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gssapi.h: Add file inclusion protection.
+
+	* gssapi/gssapi.h: Correct header file inclusion protection.
+
+	* gssapi/gssapi.h: Move the gssapi.h from lib/gssapi/ to
+	lib/gssapi/gssapi/ to please automake.
+	
+	* spnego/spnego_locl.h: Maybe include <sys/types.h>.
+
+	* mech/mech_locl.h: Include <roken.h>.
+
+	* Makefile.am: split build files into dist_ and noinst_ SOURCES
+	
+2006-10-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gss.c: #if 0 out unused code.
+
+	* mech/gss_mech_switch.c: Cast argument to ctype(3) functions
+	to (unsigned char).
+	
+2006-10-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* mech/name.h: remove <sys/queue.h>
+
+	* mech/mech_switch.h: remove <sys/queue.h>
+	
+	* mech/cred.h: remove <sys/queue.h>
+
+2006-10-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* krb5/arcfour.c: Thinker more with header lengths.
+
+	* krb5/arcfour.c: Improve the calcucation of header
+	lengths. DCE-STYLE data is also padded so remove if (1 || ...)
+	code.
+
+	* krb5/wrap.c (_gsskrb5_wrap_size_limit): use
+	_gssapi_wrap_size_arcfour for arcfour
+
+	* krb5/arcfour.c: Move _gssapi_wrap_size_arcfour here.
+
+	* Makefile.am: Split all mech to diffrent mechsrc variables.
+
+	* spnego/context_stubs.c: Make internal function static (and
+	rename).
+	
+2006-10-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* krb5/inquire_cred.c: Fix "if (x) lock(y)" bug. From Harald
+	Barth.
+
+	* spnego/spnego_locl.h: Include <sys/param.h> for MAXHOSTNAMELEN.
+	
+2006-09-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* krb5/arcfour.c: Add wrap support, interrop with itself but not
+	w2k3s-sp1
+
+	* krb5/gsskrb5_locl.h: move the arcfour specific stuff to the
+	arcfour header.
+
+	* krb5/arcfour.c: Support DCE-style unwrap, tested with
+	w2k3server-sp1.
+
+	* mech/gss_accept_sec_context.c (gss_accept_sec_context): if the
+	token doesn't start with [APPLICATION 0] SEQUENCE, lets assume its
+	a DCE-style kerberos 5 connection. XXX this needs to be made
+	better in cause we get another GSS-API protocol violating
+	protocol. It should be possible to detach the Kerberos DCE-style
+	since it starts with a AP-REQ PDU, but that have to wait for now.
+	
+2006-09-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gssapi.h: Add GSS_C flags from
+	draft-brezak-win2k-krb-rc4-hmac-04.txt.
+
+	* krb5/delete_sec_context.c: Free service_keyblock and fwd_data,
+	indent.
+
+	* krb5/accept_sec_context.c: Merge of the acceptor part from the
+	samba patch by Stefan Metzmacher and Andrew Bartlet.
+
+	* krb5/init_sec_context.c: Add GSS_C_DCE_STYLE.
+
+	* krb5/{init_sec_context.c,gsskrb5_locl.h}: merge most of the
+	initiator part from the samba patch by Stefan Metzmacher and
+	Andrew Bartlet (still missing DCE/RPC support)
+
+2006-08-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gss.c (help): use sl_slc_help().
+	
+2006-07-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gss-commands.in: rename command to supported-mechanisms
+
+	* Makefile.am: Make gss objects depend on the slc built
+	gss-commands.h
+	
+2006-07-20  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* gss-commands.in: add slc commands for gss
+
+	* krb5/gsskrb5_locl.h: Remove dup prototype of _gsskrb5_init()
+
+	* Makefile.am: Add test_cfx
+
+	* krb5/external.c: add GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X
+
+	* krb5/set_sec_context_option.c: catch
+	GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X
+
+	* krb5/accept_sec_context.c: reimplement
+	gsskrb5_register_acceptor_identity
+
+	* mech/gss_krb5.c: implement gsskrb5_register_acceptor_identity
+
+	* mech/gss_inquire_mechs_for_name.c: call _gss_load_mech
+
+	* mech/gss_inquire_cred.c (gss_inquire_cred): call _gss_load_mech
+
+	* mech/gss_mech_switch.c: Make _gss_load_mech() atomic and run
+	only once, this have the side effect that _gss_mechs and
+	_gss_mech_oids is only initialized once, so if just the users of
+	these two global variables calls _gss_load_mech() first, it will
+	act as a barrier and make sure the variables are never changed and
+	we don't need to lock them.
+
+	* mech/utils.h: no need to mark functions extern.
+
+	* mech/name.h: no need to mark _gss_find_mn extern.
+	
+2006-07-19  Love Hörnquist Åstrand <lha@it.su.se>
+	
+	* krb5/cfx.c: Redo the wrap length calculations.
+
+	* krb5/test_cfx.c: test max_wrap_size in cfx.c
+
+	* mech/gss_display_status.c: Handle more error codes.
+	
+2006-07-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* mech/mech_locl.h: Include <krb5-types.h> and "mechqueue.h"
+
+	* mech/mechqueue.h: Add SLIST macros.
+
+	* krb5/inquire_context.c: Don't free return values on success.
+
+	* krb5/inquire_cred.c (_gsskrb5_inquire_cred): When cred provided
+	is the default cred, acquire the acceptor cred and initator cred
+	in two diffrent steps and then query them for the information,
+	this way, the code wont fail if there are no keytab, but there is
+	a credential cache.
+
+	* mech/gss_inquire_cred.c: move the check if we found any cred
+	where it matter for both cases
+	(default cred and provided cred)
+
+	* mech/gss_init_sec_context.c: If the desired mechanism can't
+	convert the name to a MN, fail with GSS_S_BAD_NAME rather then a
+	NULL de-reference.
+	
+2006-07-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* spnego/external.c: readd gss_spnego_inquire_names_for_mech
+
+	* spnego/spnego_locl.h: reimplement
+	gss_spnego_inquire_names_for_mech add support function
+	_gss_spnego_supported_mechs
+
+	* spnego/context_stubs.h: reimplement
+	gss_spnego_inquire_names_for_mech add support function
+	_gss_spnego_supported_mechs
+
+	* spnego/context_stubs.c: drop gss_spnego_indicate_mechs
+	
+	* mech/gss_indicate_mechs.c: if the underlaying mech doesn't
+	support gss_indicate_mechs, use the oid in the mechswitch
+	structure
+
+	* spnego/external.c: let the mech glue layer implement
+	gss_indicate_mechs
+
+	* spnego/cred_stubs.c (gss_spnego_acquire_cred): don't care about
+	desired_mechs, get our own list with indicate_mechs and remove
+	ourself.
+	
+2006-07-05 Love Hörnquist Åstrand <lha@it.su.se>
+
+	* spnego/external.c: remove gss_spnego_inquire_names_for_mech, let
+	the mechglue layer implement it
+	
+	* spnego/context_stubs.c: remove gss_spnego_inquire_names_for_mech, let
+	the mechglue layer implement it
+
+	* spnego/spnego_locl.c: remove gss_spnego_inquire_names_for_mech, let
+	the mechglue layer implement it
+
+2006-07-01  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* mech/gss_set_cred_option.c: fix argument to gss_release_cred
+	
+2006-06-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* krb5/init_sec_context.c: Make work on compilers that are
+	somewhat more picky then gcc4 (like gcc2.95)
+
+	* krb5/init_sec_context.c (do_delegation): use KDCOptions2int to
+	convert fwd_flags to an integer, since otherwise int2KDCOptions in
+	krb5_get_forwarded_creds wont do the right thing.
+
+	* mech/gss_set_cred_option.c (gss_set_cred_option): free memory on
+	failure
+
+	* krb5/set_sec_context_option.c (_gsskrb5_set_sec_context_option):
+	init global kerberos context
+
+	* krb5/set_cred_option.c (_gsskrb5_set_cred_option): init global
+	kerberos context
+
+	* mech/gss_accept_sec_context.c: Insert the delegated sub cred on
+	the delegated cred handle, not cred handle
+
+	* mech/gss_accept_sec_context.c (gss_accept_sec_context): handle
+	the case where ret_flags == NULL
+
+	* mech/gss_mech_switch.c (add_builtin): set
+	_gss_mech_switch->gm_mech_oid
+
+	* mech/gss_set_cred_option.c (gss_set_cred_option): laod mechs
+
+	* test_cred.c (gss_print_errors): don't try to print error when
+	gss_display_status failed
+
+	* Makefile.am: Add mech/gss_release_oid.c
+	
+	* mech/gss_release_oid.c: Add gss_release_oid, reverse of
+	gss_duplicate_oid
+
+	* spnego/compat.c: preferred_mech_type was allocated with
+	gss_duplicate_oid in one place and assigned static varianbles a
+	the second place. change that static assignement to
+	gss_duplicate_oid and bring back gss_release_oid.
+
+	* spnego/compat.c (_gss_spnego_delete_sec_context): don't release
+	preferred_mech_type and negotiated_mech_type, they where never
+	allocated from the begining.
+	
+2006-06-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* mech/gss_import_name.c (gss_import_name): avoid
+	type-punned/strict aliasing rules
+
+	* mech/gss_add_cred.c: avoid type-punned/strict aliasing rules
+
+	* gssapi.h: Make gss_name_t an opaque type.
+	
+	* krb5: make gss_name_t an opaque type
+
+	* krb5/set_cred_option.c: Add
+
+	* mech/gss_set_cred_option.c (gss_set_cred_option): support the
+	case where *cred_handle == NULL
+
+	* mech/gss_krb5.c (gss_krb5_import_cred): make sure cred is
+	GSS_C_NO_CREDENTIAL on failure.
+
+	* mech/gss_acquire_cred.c (gss_acquire_cred): if desired_mechs is
+	NO_OID_SET, there is a need to load the mechs, so always do that.
+	
+2006-06-28  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* krb5/inquire_cred_by_oid.c: Reimplement GSS_KRB5_COPY_CCACHE_X
+	to instead pass a fullname to the credential, then resolve and
+	copy out the content, and then close the cred.
+
+	* mech/gss_krb5.c: Reimplement GSS_KRB5_COPY_CCACHE_X to instead
+	pass a fullname to the credential, then resolve and copy out the
+	content, and then close the cred.
+	
+	* krb5/inquire_cred_by_oid.c: make "work", GSS_KRB5_COPY_CCACHE_X
+	interface needs to be re-done, currently its utterly broken.
+
+	* mech/gss_set_cred_option.c: Make work.
+
+	* krb5/external.c: Add _gsskrb5_set_{sec_context,cred}_option
+
+	* mech/gss_krb5.c (gss_krb5_import_cred): implement
+
+	* Makefile.am: Add gss_set_{sec_context,cred}_option and sort
+	
+	* mech/gss_set_{sec_context,cred}_option.c: add
+
+	* gssapi.h: Add GSS_KRB5_IMPORT_CRED_X
+
+	* test_*.c: make compile again
+
+	* Makefile.am: Add lib dependencies and test programs
+
+	* spnego: remove dependency on libkrb5
+
+	* mech: Bug fixes, cleanup, compiler warnings, restructure code.
+
+	* spnego: Rename gss_context_id_t and gss_cred_id_t to local names
+
+	* krb5: repro copy the krb5 files here
+
+	* mech: import Doug Rabson mechglue from freebsd
+	
+	* spnego: Import Luke Howard's SPNEGO from the mechglue branch
+
+2006-06-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gssapi.h: Add oid_to_str.
+
+	* Makefile.am: add oid_to_str and test_oid
+	
+	* oid_to_str.c: Add gss_oid_to_str
+
+	* test_oid.c: Add test for gss_oid_to_str()
+	
+2006-05-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* verify_mic.c: Less pointer signedness warnings.
+
+	* unwrap.c: Less pointer signedness warnings.
+
+	* arcfour.c: Less pointer signedness warnings.
+
+	* gssapi_locl.h: Use const void * to instead of unsigned char * to
+	avoid pointer signedness warnings.
+
+	* encapsulate.c: Use const void * to instead of unsigned char * to
+	avoid pointer signedness warnings.
+
+	* decapsulate.c: Use const void * to instead of unsigned char * to
+	avoid pointer signedness warnings.
+
+	* decapsulate.c: Less pointer signedness warnings.
+
+	* cfx.c: Less pointer signedness warnings.
+
+	* init_sec_context.c: Less pointer signedness warnings (partly by
+	using the new asn.1 CHOICE decoder)
+
+	* import_sec_context.c: Less pointer signedness warnings.
+
+2006-05-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* accept_sec_context.c (gsskrb5_is_cfx): always set is_cfx. From
+	Andrew Abartlet.
+	
+2006-05-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* get_mic.c (mic_des3): make sure message_buffer doesn't point to
+	free()ed memory on failure. Pointed out by IBM checker.
+	
+2006-05-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Rename u_intXX_t to uintXX_t
+	
+2006-05-04 Love Hörnquist Åstrand <lha@it.su.se>
+
+	* cfx.c: Less pointer signedness warnings.
+
+	* arcfour.c: Avoid pointer signedness warnings.
+
+	* gssapi_locl.h (gssapi_decode_*): make data argument const void *
+	
+	* 8003.c (gssapi_decode_*): make data argument const void *
+	
+2006-04-12  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* export_sec_context.c: Export sequence order element. From Wynn
+	Wilkes <wynn.wilkes@quest.com>.
+
+	* import_sec_context.c: Import sequence order element. From Wynn
+	Wilkes <wynn.wilkes@quest.com>.
+
+	* sequence.c (_gssapi_msg_order_import,_gssapi_msg_order_export):
+	New functions, used by {import,export}_sec_context.  From Wynn
+	Wilkes <wynn.wilkes@quest.com>.
+
+	* test_sequence.c: Add test for import/export sequence.
+	
+2006-04-09  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* add_cred.c: Check that cred != GSS_C_NO_CREDENTIAL, this is a
+	standard conformance failure, but much better then a crash.
+	
+2006-04-02  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* get_mic.c (get_mic*)_: make sure message_token is cleaned on
+	error, found by IBM checker.
+
+	* wrap.c (wrap*): Reset output_buffer on error, found by IBM
+	checker.
+	
+2006-02-15  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* import_name.c: Accept both GSS_C_NT_HOSTBASED_SERVICE and
+	GSS_C_NT_HOSTBASED_SERVICE_X as nametype for hostbased names.
+	
+2006-01-16  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* delete_sec_context.c (gss_delete_sec_context): if the context
+	handle is GSS_C_NO_CONTEXT, don't fall over.
+
+2005-12-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gss_acquire_cred.3: Replace gss_krb5_import_ccache with
+	gss_krb5_import_cred and add more references
+	
+2005-12-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gssapi.h: Change gss_krb5_import_ccache to gss_krb5_import_cred,
+	it can handle keytabs too.
+
+	* add_cred.c (gss_add_cred): avoid deadlock
+
+	* context_time.c (gssapi_lifetime_left): define the 0 lifetime as
+	GSS_C_INDEFINITE.
+	
+2005-12-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* acquire_cred.c (acquire_acceptor_cred): only check if principal
+	exists if we got called with principal as an argument.
+
+	* acquire_cred.c (acquire_acceptor_cred): check that the acceptor
+	exists in the keytab before returning ok.
+	
+2005-11-29  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* copy_ccache.c (gss_krb5_import_cred): fix buglet, from Andrew
+	Bartlett.
+	
+2005-11-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_kcred.c: Rename gss_krb5_import_ccache to
+	gss_krb5_import_cred.
+	
+	* copy_ccache.c: Rename gss_krb5_import_ccache to
+	gss_krb5_import_cred and let it grow code to handle keytabs too.
+	
+2005-11-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* init_sec_context.c: Change sematics of ok-as-delegate to match
+	windows if
+	[gssapi]realm/ok-as-delegate=true is set, otherwise keep old
+	sematics.
+	
+	* release_cred.c (gss_release_cred): use
+	GSS_CF_DESTROY_CRED_ON_RELEASE to decide if the cache should be
+	krb5_cc_destroy-ed
+	
+	* acquire_cred.c (acquire_initiator_cred):
+	GSS_CF_DESTROY_CRED_ON_RELEASE on created credentials.
+
+	* accept_sec_context.c (gsskrb5_accept_delegated_token): rewrite
+	to use gss_krb5_import_ccache
+	
+2005-11-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* arcfour.c: Remove signedness warnings.
+	
+2005-10-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gss_acquire_cred.3: Document that gss_krb5_import_ccache is copy
+	by reference.
+
+	* copy_ccache.c (gss_krb5_import_ccache): Instead of making a copy
+	of the ccache, make a reference by getting the name and resolving
+	the name. This way the cache is shared, this flipp side is of
+	course that if someone calls krb5_cc_destroy the cache is lost for
+	everyone.
+	
+	* test_kcred.c: Remove memory leaks.
+	
+2005-10-26  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: build test_kcred
+	
+	* gss_acquire_cred.3: Document gss_krb5_import_ccache
+
+	* gssapi.3: Sort and add gss_krb5_import_ccache.
+	
+	* acquire_cred.c (_gssapi_krb5_ccache_lifetime): break out code
+	used to extract lifetime from a credential cache
+
+	* gssapi_locl.h: Add _gssapi_krb5_ccache_lifetime, used to extract
+	lifetime from a credential cache.
+
+	* gssapi.h: add gss_krb5_import_ccache, reverse of
+	gss_krb5_copy_ccache
+
+	* copy_ccache.c: add gss_krb5_import_ccache, reverse of
+	gss_krb5_copy_ccache
+
+	* test_kcred.c: test gss_krb5_import_ccache
+	
+2005-10-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* acquire_cred.c (acquire_initiator_cred): use krb5_cc_cache_match
+	to find a matching creditial cache, if that failes, fallback to
+	the default cache.
+	
+2005-10-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gssapi_locl.h: Add gssapi_krb5_set_status and
+	gssapi_krb5_clear_status
+	
+	* init_sec_context.c (spnego_reply): Don't pass back raw Kerberos
+	errors, use GSS-API errors instead. From Michael B Allen.
+
+	* display_status.c: Add gssapi_krb5_clear_status,
+	gssapi_krb5_set_status for handling error messages.
+	
+2005-08-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* external.c: Use rk_UNCONST to avoid const warning.
+	
+	* display_status.c: Constify strings to avoid warnings.
+	
+2005-08-11 Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* init_sec_context.c: avoid warnings, update (c)
+
+2005-07-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* init_sec_context.c (spnego_initial): use NegotiationToken
+	encoder now that we have one with the new asn1. compiler.
+	
+	* Makefile.am: the new asn.1 compiler includes the modules name in
+	the depend file
+
+2005-06-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* decapsulate.c: use rk_UNCONST
+
+	* ccache_name.c: rename to avoid shadowing
+
+	* gssapi_locl.h: give kret in GSSAPI_KRB5_INIT a more unique name
+	
+	* process_context_token.c: use rk_UNCONST to unconstify
+	
+	* test_cred.c: rename optind to optidx
+
+2005-05-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* init_sec_context.c (init_auth): honor ok-as-delegate if local
+	configuration approves
+
+	* gssapi_locl.h: prototype for _gss_check_compat
+
+	* compat.c: export check_compat as _gss_check_compat
+
+2005-05-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* init_sec_context.c: Prefix Der_class with ASN1_C_ to avoid
+	problems with system headerfiles that pollute the name space.
+
+	* accept_sec_context.c: Prefix Der_class with ASN1_C_ to avoid
+	problems with system headerfiles that pollute the name space.
+
+2005-05-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* init_sec_context.c (init_auth): set
+	KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED (for java compatibility),
+	also while here, use krb5_auth_con_addflags
+
+2005-05-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* arcfour.c (_gssapi_wrap_arcfour): fix calculating the encap
+	length. From: Tom Maher <tmaher@eecs.berkeley.edu>
+
+2005-05-02  Dave Love  <fx@gnu.org>
+
+	* test_cred.c (main): Call setprogname.
+
+2005-04-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* prefix all sequence symbols with _, they are not part of the
+	GSS-API api. By comment from Wynn Wilkes <wynnw@vintela.com>
+
+2005-04-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* accept_sec_context.c: break out the processing of the delegated
+	credential to a separate function to make error handling easier,
+	move the credential handling to after other setup is done
+	
+	* test_sequence.c: make less verbose in case of success
+
+	* Makefile.am: add test_sequence to TESTS
+
+2005-04-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* 8003.c (gssapi_krb5_verify_8003_checksum): check that cksum
+	isn't NULL From: Nicolas Pouvesle <npouvesle@tenablesecurity.com>
+
+2005-03-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: use $(LIB_roken)
+
+2005-03-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* display_status.c (gssapi_krb5_set_error_string): pass in the
+	krb5_context to krb5_free_error_string
+	
+2005-03-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* display_status.c (gssapi_krb5_set_error_string): don't misuse
+	the krb5_get_error_string api
+
+2005-03-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* compat.c (_gss_DES3_get_mic_compat): don't unlock mutex
+	here. Bug reported by Stefan Metzmacher <metze@samba.org>
+
+2005-02-21  Luke Howard  <lukeh@padl.com>
+
+	* init_sec_context.c: don't call krb5_get_credentials() with
+	  KRB5_TC_MATCH_KEYTYPE, it can lead to the credentials cache
+	  growing indefinitely as no key is found with KEYTYPE_NULL
+
+	* compat.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG, it is
+	  no longer used (however the mechListMIC behaviour is broken,
+	  rfc2478bis support requires the code in the mechglue branch)
+
+	* init_sec_context.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG
+
+	* gssapi.h: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG
+
+2005-01-05  Luke Howard  <lukeh@padl.com>
+
+	* 8003.c: use symbolic name for checksum type
+
+	* accept_sec_context.c: allow client to indicate
+	  that subkey should be used
+
+	* acquire_cred.c: plug leak
+
+	* get_mic.c: use gss_krb5_get_subkey() instead
+	  of gss_krb5_get_{local,remote}key(), support
+	  KEYTYPE_ARCFOUR_56
+
+	* gssapi_local.c: use gss_krb5_get_subkey(),
+	  support KEYTYPE_ARCFOUR_56
+
+	* import_sec_context.c: plug leak
+
+	* unwrap.c: use gss_krb5_get_subkey(),
+	  support KEYTYPE_ARCFOUR_56
+
+	* verify_mic.c: use gss_krb5_get_subkey(),
+	  support KEYTYPE_ARCFOUR_56
+
+	* wrap.c: use gss_krb5_get_subkey(),
+	  support KEYTYPE_ARCFOUR_56
+
+2004-11-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* inquire_cred.c: Reverse order of HEIMDAL_MUTEX_unlock and
+	gss_release_cred to avoid deadlock, from Luke Howard
+	<lukeh@padl.com>.
+
+2004-09-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gss_acquire_cred.3: gss_krb5_extract_authz_data_from_sec_context
+	was renamed to gsskrb5_extract_authz_data_from_sec_context
+	
+2004-08-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* unwrap.c: mutex buglet, From: Luke Howard <lukeh@PADL.COM>
+	
+	* arcfour.c: mutex buglet, From: Luke Howard <lukeh@PADL.COM>
+	
+2004-05-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gssapi.3: spelling from Josef El-Rayes <josef@FreeBSD.org> while
+	here, write some text about the SPNEGO situation
+	
+2004-04-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cfx.c: s/CTXAcceptorSubkey/CFXAcceptorSubkey/
+	
+2004-04-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gssapi.h: add GSS_C_EXPECTING_MECH_LIST_MIC_FLAG From: Luke
+	Howard <lukeh@padl.com>
+	
+	* init_sec_context.c (spnego_reply): use
+	_gss_spnego_require_mechlist_mic to figure out if we need to check
+	MechListMIC; From: Luke Howard <lukeh@padl.com>
+
+	* accept_sec_context.c (send_accept): use
+	_gss_spnego_require_mechlist_mic to figure out if we need to send
+	MechListMIC; From: Luke Howard <lukeh@padl.com>
+
+	* gssapi_locl.h: add _gss_spnego_require_mechlist_mic
+	From: Luke Howard <lukeh@padl.com>
+
+	* compat.c: add _gss_spnego_require_mechlist_mic for compatibility
+	with MS SPNEGO, From: Luke Howard <lukeh@padl.com>
+	
+2004-04-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* accept_sec_context.c (gsskrb5_is_cfx): krb5_keyblock->keytype is
+	an enctype, not keytype
+
+	* accept_sec_context.c: use ASN1_MALLOC_ENCODE
+	
+	* init_sec_context.c: avoid the malloc loop and just allocate the
+	propper amount of data
+
+	* init_sec_context.c (spnego_initial): handle mech_token better
+	
+2004-03-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gssapi.h: add gss_krb5_get_tkt_flags
+	
+	* Makefile.am: add ticket_flags.c
+	
+	* ticket_flags.c: Get ticket-flags from acceptor ticket From: Luke
+	Howard <lukeh@PADL.COM>
+	
+	* gss_acquire_cred.3: document gss_krb5_get_tkt_flags
+	
+2004-03-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* acquire_cred.c (gss_acquire_cred): check usage before even
+	bothering to process it, add both keytab and initial tgt if
+	requested
+
+	* wrap.c: support cfx, try to handle acceptor asserted subkey
+	
+	* unwrap.c: support cfx, try to handle acceptor asserted subkey
+	
+	* verify_mic.c: support cfx
+	
+	* get_mic.c: support cfx
+	
+	* test_sequence.c: handle changed signature of
+	gssapi_msg_order_create
+
+	* import_sec_context.c: handle acceptor asserted subkey
+	
+	* init_sec_context.c: handle acceptor asserted subkey
+	
+	* accept_sec_context.c: handle acceptor asserted subkey
+	
+	* sequence.c: add dummy use_64 argument to gssapi_msg_order_create
+	
+	* gssapi_locl.h: add partial support for CFX
+	
+	* Makefile.am (noinst_PROGRAMS) += test_cred
+	
+	* test_cred.c: gssapi credential testing
+
+	* test_acquire_cred.c: fix comment
+	
+2004-03-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* arcfour.h: drop structures for message formats, no longer used
+	
+	* arcfour.c: comment describing message formats
+
+	* accept_sec_context.c (spnego_accept_sec_context): make sure the
+	length of the choice element doesn't overrun us
+	
+	* init_sec_context.c (spnego_reply): make sure the length of the
+	choice element doesn't overrun us
+	
+	* spnego.asn1: move NegotiationToken to avoid warning
+	
+	* spnego.asn1: uncomment NegotiationToken
+	
+	* Makefile.am: spnego_files += asn1_NegotiationToken.x
+	
+2004-01-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gssapi.h: add gss_krb5_ccache_name
+	
+	* Makefile.am (libgssapi_la_SOURCES): += ccache_name.c
+	
+	* ccache_name.c (gss_krb5_ccache_name): help function enable to
+	set krb5 name, using out_name argument makes function no longer
+	thread-safe
+
+	* gssapi.3: add missing gss_krb5_ references
+	
+	* gss_acquire_cred.3: document gss_krb5_ccache_name
+	
+2003-12-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cfx.c: make rrc a modulus operation if its longer then the
+	length of the message, noticed by Sam Hartman
+
+2003-12-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* accept_sec_context.c: use krb5_auth_con_addflags
+	
+2003-12-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cfx.c: Wrap token id was in wrong order, found by Sam Hartman
+	
+2003-12-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cfx.c: add AcceptorSubkey (but no code understand it yet) ignore
+	unknown token flags
+	
+2003-11-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* accept_sec_context.c: Don't require timestamp to be set on
+	delegated token, its already protected by the outer token (and
+	windows doesn't alway send it) Pointed out by Zi-Bin Yang
 	<zbyang@decru.com> on heimdal-discuss
 
-2003-10-21  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-11-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cfx.c: fix {} error, pointed out by Liqiang Zhu
+	
+2003-11-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cfx.c: Sequence number should be stored in bigendian order From:
+	Luke Howard <lukeh@padl.com>
+	
+2003-11-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* delete_sec_context.c (gss_delete_sec_context): don't free
+	ticket, krb5_free_ticket does that now
+
+2003-11-06  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* add_cred.c: 1.3->1.4: If its a MEMORY cc, make a copy. We need
-	to do this since now gss_release_cred will destroy the cred. This
-	should be really be solved a better way.
+	* cfx.c: checksum the header last in MIC token, update to -03
+	From: Luke Howard <lukeh@padl.com>
 	
 2003-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* release_cred.c: 1.9->1.10:
-	(gss_release_cred): if its a mcc, destroy it rather the just release it
-	Found by: "Zi-Bin Yang" <zbyang@decru.com>
+	* add_cred.c: If its a MEMORY cc, make a copy. We need to do this
+	since now gss_release_cred will destroy the cred. This should be
+	really be solved a better way.
+
+	* acquire_cred.c (gss_release_cred): if its a mcc, destroy it
+	rather the just release it Found by: "Zi-Bin Yang"
+	<zbyang@decru.com>
+
+	* acquire_cred.c (acquire_initiator_cred): use kret instead of ret
+	where appropriate
+
+2003-09-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gss_acquire_cred.3: spelling
+	From: jmc <jmc@prioris.mini.pw.edu.pl>
+	
+2003-09-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cfx.c: - EC and RRC are big-endian, not little-endian - The
+	default is now to rotate regardless of GSS_C_DCE_STYLE. There are
+	no longer any references to GSS_C_DCE_STYLE.  - rrc_rotate()
+	avoids allocating memory on the heap if rrc <= 256
+	From: Luke Howard <lukeh@padl.com>
+	
+2003-09-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cfx.[ch]: rrc_rotate() was untested and broken, fix it.
+	Set and verify wrap Token->Filler.
+	Correct token ID for wrap tokens, 
+	were accidentally swapped with delete tokens.
+	From: Luke Howard <lukeh@PADL.COM>
+
+2003-09-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cfx.[ch]: no ASN.1-ish header on per-message tokens
+	From: Luke Howard <lukeh@PADL.COM>
 	
 2003-09-19  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* arcfour.c: 1.13->1.14: remove depenency on gss_arcfour_mic_token
-	and gss_arcfour_warp_token
+	* arcfour.h: remove depenency on gss_arcfour_mic_token and
+	gss_arcfour_warp_token
+
+	* arcfour.c: remove depenency on gss_arcfour_mic_token and
+	gss_arcfour_warp_token
+
+2003-09-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* 8003.c: remove #if 0'ed code
 	
-	* arcfour.h: 1.3->1.4: remove depenency on gss_arcfour_mic_token
-	and gss_arcfour_warp_token
+2003-09-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* accept_sec_context.c (gsskrb5_accept_sec_context): set sequence
+	number when not requesting mutual auth From: Luke Howard
+	<lukeh@PADL.COM>
 
-	* arcfour.c: make build
+	* init_sec_context.c (init_auth): set sequence number when not
+	requesting mutual auth From: Luke Howard <lukeh@PADL.COM>
 	
-	* get_mic.c, verify_mic.c, unwrap.c, wrap.c:
-	glue in arcfour support
+2003-09-16  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* gssapi_locl.h: 1.32->1.33: add _gssapi_verify_pad
+	* arcfour.c (*): set minor_status
+	(gss_wrap): set conf_state to conf_req_flags on success
+	From: Luke Howard <lukeh@PADL.COM>
 	
-2003-09-18  Love Hörnquist Åstrand  <lha@it.su.se>
+	* wrap.c (gss_wrap_size_limit): use existing function From: Luke
+	Howard <lukeh@PADL.COM>
+	
+2003-09-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* indicate_mechs.c (gss_indicate_mechs): in case of error, free
+	mech_set
 
-	* encapsulate.c: add _gssapi_make_mech_header
+	* indicate_mechs.c (gss_indicate_mechs): add SPNEGO
+
+2003-09-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* init_sec_context.c (spnego_initial): catch errors and return
+	them
+
+	* init_sec_context.c (spnego_initial): add #if 0 out version of
+	the CHOICE branch encoding, also where here, free no longer used
+	memory
+
+2003-09-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gss_acquire_cred.3: support GSS_SPNEGO_MECHANISM
+	
+	* accept_sec_context.c: SPNEGO doesn't include gss wrapping on
+	SubsequentContextToken like the Kerberos 5 mech does.
+	
+	* init_sec_context.c (spnego_reply): SPNEGO doesn't include gss
+	wrapping on SubsequentContextToken like the Kerberos 5 mech
+	does. Lets check for it anyway.
+	
+	* accept_sec_context.c: Add support for SPNEGO on the initator
+	side.  Implementation initially from Assar Westerlund, passes
+	though quite a lot of hands before I commited it.
+	
+	* init_sec_context.c: Add support for SPNEGO on the initator side.
+	Tested with ldap server on a Windows 2000 DC. Implementation
+	initially from Assar Westerlund, passes though quite a lot of
+	hands before I commited it.
+	
+	* gssapi.h: export GSS_SPNEGO_MECHANISM
+	
+	* gssapi_locl.h: include spnego_as.h add prototype for
+	gssapi_krb5_get_mech
+	
+	* decapsulate.c (gssapi_krb5_get_mech): make non static
+	
+	* Makefile.am: build SPNEGO file
 	
-	* gssapi_locl.h: add "arcfour.h" and prototype for
-	_gssapi_make_mech_header
+2003-09-08  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* gssapi_locl.h: add gssapi_{en,de}code_{be_,}om_uint32
+	* external.c: SPENGO and IAKERB oids
 	
-	* 8003.c: 1.12->1.13: export and rename
-	encode_om_uint32/decode_om_uint32 and start to use them
+	* spnego.asn1: SPENGO ASN1
 	
-2003-08-16  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-09-05  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* verify_mic.c: 1.21->1.22: make sure minor_status is always set,
-	pointed out by Luke Howard <lukeh@PADL.COM>
+	* cfx.c: RRC also need to be zero before wraping them
+	From: Luke Howard <lukeh@PADL.COM>
 	
-2003-08-15  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-09-04  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* context_time.c: 1.7->1.10: return time in seconds from now
+	* encapsulate.c (gssapi_krb5_encap_length): don't return void
 	
-	* gssapi_locl.h: add gssapi_lifetime_left
+2003-09-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* verify_mic.c: switch from the des_ to the DES_ api
+	
+	* get_mic.c: switch from the des_ to the DES_ api
+	
+	* unwrap.c: switch from the des_ to the DES_ api
+	
+	* wrap.c: switch from the des_ to the DES_ api
+	
+	* cfx.c: EC is not included in the checksum since the length might
+	change depending on the data.  From: Luke Howard <lukeh@PADL.COM>
+	
+	* acquire_cred.c: use
+	krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free
+
+2003-09-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* copy_ccache.c: rename
+	gss_krb5_extract_authz_data_from_sec_context to
+	gsskrb5_extract_authz_data_from_sec_context
+
+	* gssapi.h: rename gss_krb5_extract_authz_data_from_sec_context to
+	gsskrb5_extract_authz_data_from_sec_context
+	
+2003-08-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* copy_ccache.c (gss_krb5_extract_authz_data_from_sec_context):
+	check that we have a ticket before we start to use it
+	
+	* gss_acquire_cred.3: document
+	gss_krb5_extract_authz_data_from_sec_context
+	
+	* gssapi.h (gss_krb5_extract_authz_data_from_sec_context):
+	return the kerberos authorizationdata, from idea of Luke Howard
+
+	* copy_ccache.c (gss_krb5_extract_authz_data_from_sec_context):
+	return the kerberos authorizationdata, from idea of Luke Howard
+	
+	* verify_mic.c (gss_verify_mic_internal): switch type and key
+	argument
+
+2003-08-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cfx.[ch]: draft-ietf-krb-wg-gssapi-cfx-01.txt implemetation
+	From: Luke Howard <lukeh@PADL.COM>
+	
+2003-08-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* arcfour.c (arcfour_mic_cksum): use free_Checksum to free the
+	checksum
+
+	* arcfour.h: swap two last arguments to verify_mic for consistency
+	with des3
+
+	* wrap.c,unwrap.c,get_mic.c,verify_mic.c,cfx.c,cfx.h:
+	prefix cfx symbols with _gssapi_
+
+	* arcfour.c: release the right buffer
+	
+	* arcfour.c: rename token structure in consistency with rest of
+	GSS-API From: Luke Howard <lukeh@PADL.COM>
+	
+	* unwrap.c (unwrap_des3): use _gssapi_verify_pad
+	(unwrap_des): use _gssapi_verify_pad
+
+	* arcfour.c (_gssapi_wrap_arcfour): set the correct padding
+	(_gssapi_unwrap_arcfour): verify and strip padding
+
+	* gssapi_locl.h: added _gssapi_verify_pad
+	
+	* decapsulate.c (_gssapi_verify_pad): verify padding of a gss
+	wrapped message and return its length
+	
+	* arcfour.c: support KEYTYPE_ARCFOUR_56 keys, from Luke Howard
+	<lukeh@PADL.COM>
+	
+	* arcfour.c: use right seal alg, inherit keytype from parent key
+	
+	* arcfour.c: include the confounder in the checksum use the right
+	key usage number for warped/unwraped tokens
+	
+	* gssapi.h: add gss_krb5_nt_general_name as an mit compat glue
+	(same as GSS_KRB5_NT_PRINCIPAL_NAME)
+
+	* unwrap.c: hook in arcfour unwrap
+	
+	* wrap.c: hook in arcfour wrap
+	
+	* verify_mic.c: hook in arcfour verify_mic
+	
+	* get_mic.c: hook in arcfour get_mic
+	
+	* arcfour.c: implement wrap/unwarp
+	
+	* gssapi_locl.h: add gssapi_{en,de}code_be_om_uint32
+	
+	* 8003.c: add gssapi_{en,de}code_be_om_uint32
+	
+2003-08-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* arcfour.c (_gssapi_verify_mic_arcfour): Do the checksum on right
+	area. Swap filler check, it was reversed.
+	
+	* Makefile.am (libgssapi_la_SOURCES): += arcfour.c
+	
+	* gssapi_locl.h: include "arcfour.h"
+	
+	* arcfour.c: arcfour gss-api mech, get_mic/verify_mic working
+
+	* arcfour.h: arcfour gss-api mech, get_mic/verify_mic working
+	
+2003-08-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gssapi_locl.h: always include cfx.h add prototype for
+	_gssapi_decapsulate
+
+	* cfx.[ch]: Implementation of draft-ietf-krb-wg-gssapi-cfx-00.txt
+	from Luke Howard <lukeh@PADL.COM>
+
+	* decapsulate.c: add _gssapi_decapsulate, from Luke Howard
+	<lukeh@PADL.COM>
+	
+2003-08-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* unwrap.c: encap/decap now takes a oid if the enctype/keytype is
+	arcfour, return error add hook for cfx
+	
+	* verify_mic.c: encap/decap now takes a oid if the enctype/keytype
+	is arcfour, return error add hook for cfx
+	
+	* get_mic.c: encap/decap now takes a oid if the enctype/keytype is
+	arcfour, return error add hook for cfx
+	
+	* accept_sec_context.c: encap/decap now takes a oid
+	
+	* init_sec_context.c: encap/decap now takes a oid
+	
+	* gssapi_locl.h: include cfx.h if we need it lifetime is a
+	OM_uint32, depend on gssapi interface add all new encap/decap
+	functions
 	
-	* init_sec_context.c: part of 1.37->1.38: (init_auth): if the cred
-	is expired before we tries to create a token, fail so the peer
-	doesn't need reject us
-	(*): make sure time is returned in seconds from now, not in
-	kerberos time
+	* decapsulate.c: add decap functions that doesn't take the token
+	type also make all decap function take the oid mech that they
+	should use
 
-	* acquire_cred.c: 1.14->1.15: (gss_aquire_cred): make sure time is
+	* encapsulate.c: add encap functions that doesn't take the token
+	type also make all encap function take the oid mech that they
+	should use
+
+	* sequence.c (elem_insert): fix a off by one index counter
+	
+	* inquire_cred.c (gss_inquire_cred): handle cred_handle being
+	GSS_C_NO_CREDENTIAL and use the default cred then.
+	
+2003-08-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gss_acquire_cred.3: break out extensions and document
+	gsskrb5_register_acceptor_identity
+
+2003-08-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_acquire_cred.c (print_time): time is returned in seconds
+	from now, not unix time
+
+2003-08-17  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* compat.c (check_compat): avoid leaking principal when finding a
+	match
+
+	* address_to_krb5addr.c: sa_size argument to krb5_addr2sockaddr is
+	a krb5_socklen_t
+
+	* acquire_cred.c (gss_acquire_cred): 4th argument to
+	gss_test_oid_set_member is a int
+
+2003-07-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* init_sec_context.c (repl_mutual): don't set kerberos error where
+	there was no kerberos error
+
+	* gssapi_locl.h: Add destruction/creation prototypes and structure
+	for the thread specific storage.
+
+	* display_status.c: use thread specific storage to set/get the
+	kerberos error message
+
+	* init.c: Provide locking around the creation of the global
+	krb5_context. Add destruction/creation functions for the thread
+	specific storage that the error string handling is using.
+	
+2003-07-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gss_acquire_cred.3: add missing prototype and missing .Ft
+	arguments
+
+2003-06-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* verify_mic.c: reorder code so sequence numbers can can be used
+	
+	* unwrap.c: reorder code so sequence numbers can can be used
+	
+	* sequence.c: remove unused function, indent, add
+	gssapi_msg_order_f that filter gss flags to gss_msg_order flags
+	
+	* gssapi_locl.h: prototypes for
+	gssapi_{encode_om_uint32,decode_om_uint32} add sequence number
+	verifier prototypes
+
+	* delete_sec_context.c: destroy sequence number verifier
+	
+	* init_sec_context.c: remember to free data use sequence number
+	verifier
+	
+	* accept_sec_context.c: don't clear output_token twice remember to
+	free data use sequence number verifier
+	
+	* 8003.c: export and rename encode_om_uint32/decode_om_uint32 and
+	start to use them
+
+2003-06-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: can't have sequence.c in two different places
+
+2003-06-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_sequence.c: check rollover, print summery
+	
+	* wrap.c (sub_wrap_size): gss_wrap_size_limit() has
+	req_output_size and max_input_size around the wrong way -- it
+	returns the output token size for a given input size, rather than
+	the maximum input size for a given output token size.
+	
+	From: Luke Howard <lukeh@PADL.COM>
+	
+2003-06-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gssapi_locl.h: add prototypes for sequence.c
+	
+	* Makefile.am (libgssapi_la_SOURCES): add sequence.c
+	(test_sequence): build
+
+	* sequence.c: sequence number checks, order and replay
+	* test_sequence.c: sequence number checks, order and replay
+
+2003-06-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* accept_sec_context.c (gss_accept_sec_context): make sure time is
 	returned in seconds from now, not in kerberos time
 	
-	* accept_sec_context.c: 1.34->1.35: (gss_accept_sec_context): make
-	sure time is returned in seconds from now, not in kerberos time
+	* acquire_cred.c (gss_aquire_cred): make sure time is returned in
+	seconds from now, not in kerberos time
 	
-2003-05-07  Love Hörnquist Åstrand  <lha@it.su.se>
+	* init_sec_context.c (init_auth): if the cred is expired before we
+	tries to create a token, fail so the peer doesn't need reject us
+	(*): make sure time is returned in seconds from now, 
+	not in kerberos time
+	(repl_mutual): remember to unlock the context mutex
+
+	* context_time.c (gss_context_time): remove unused variable
+	
+	* verify_mic.c: make sure minor_status is always set, pointed out
+	by Luke Howard <lukeh@PADL.COM>
+
+2003-05-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* *.[ch]: do some basic locking (no reference counting so contexts 
+	  can be removed while still used)
+	- don't export gss_ctx_id_t_desc_struct and gss_cred_id_t_desc_struct
+	- make sure all lifetime are returned in seconds left until expired,
+	  not in unix epoch
 
-	* gssapi.h: 1.27->1.28:
-	if __cplusplus, wrap the extern variable (just to be safe) and
-	functions in extern "C" { }
+	* gss_acquire_cred.3: document argument lifetime_rec to function
+	gss_inquire_context
 
+2003-05-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_acquire_cred.c: test gss_add_cred more then once
+	
+2003-05-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gssapi.h: if __cplusplus, wrap the extern variable (just to be
+	safe) and functions in extern "C" { }
+	
 2003-04-30  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gssapi.3: more about the des3 mic mess
 	
-	* verify_mic.c 1.19->1.20 : (verify_mic_des3): always check if the
-	mic is the correct mic or the mic that old heimdal would have
-	generated
+	* verify_mic.c (verify_mic_des3): always check if the mic is the
+	correct mic or the mic that old heimdal would have generated
 	
-2003-04-29  Jacques Vidrine  <nectar@kth.se>
+2003-04-28  Jacques Vidrine  <nectar@kth.se>
+
+	* verify_mic.c (verify_mic_des3): If MIC verification fails,
+	retry using the `old' MIC computation (with zero IV).
+
+2003-04-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gss_acquire_cred.3: more about difference between comparing IN
+	and MN
 
-	* verify_mic.c: 1.18->1.19: verify_mic_des3: If MIC verification
-	fails, retry using the `old' MIC computation (with zero IV).
+	* gss_acquire_cred.3: more about name type and access control
 	
-2003-04-28  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-04-25  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* compat.c (_gss_DES3_get_mic_compat): default to use compat
+	* gss_acquire_cred.3: document gss_context_time
 	
-	* gssapi.3: 1.5->1.6: document [gssapi]correct_des3_mic and
+	* context_time.c: if lifetime of context have expired, set
+	time_rec to 0 and return GSS_S_CONTEXT_EXPIRED
+	
+	* gssapi.3: document [gssapi]correct_des3_mic
 	[gssapi]broken_des3_mic
 
-	* compat.c: 1.2->1.4:
-	(gss_krb5_compat_des3_mci): return a value
-	(gss_krb5_compat_des3_mic): enable turning on/off des3 mic compat
+	* gss_acquire_cred.3: document gss_krb5_compat_des3_mic
+	
+	* compat.c (gss_krb5_compat_des3_mic): enable turning on/off des3
+	mic compat
 	(_gss_DES3_get_mic_compat): handle [gssapi]correct_des3_mic too
 
-	* gssapi.h: 1.26->1.27:
-	(gss_krb5_compat_des3_mic): new function, turn on/off des3 mic compat
+	* gssapi.h (gss_krb5_compat_des3_mic): new function, turn on/off
+	des3 mic compat
 	(GSS_C_KRB5_COMPAT_DES3_MIC): cpp symbol that exists if
 	gss_krb5_compat_des3_mic exists
 	
-2003-04-23  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* Makefile.am: 1.44->1.45: test_acquire_cred_LDADD: use
-	libgssapi.la not ./libgssapi.la (makes make -jN work)
+	* Makefile.am:  (libgssapi_la_LDFLAGS): update major
+	version of gssapi for incompatiblity in 3des getmic support
 	
+2003-04-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: test_acquire_cred_LDADD: use libgssapi.la not
+	./libgssapi.la (make make -jN work)
+
 2003-04-16  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gssapi.3: spelling
diff --git a/crypto/heimdal/lib/gssapi/Makefile.am b/crypto/heimdal/lib/gssapi/Makefile.am
index 2988d6a..2326482 100644
--- a/crypto/heimdal/lib/gssapi/Makefile.am
+++ b/crypto/heimdal/lib/gssapi/Makefile.am
@@ -1,66 +1,313 @@
-# $Id: Makefile.am,v 1.44.2.7 2003/10/14 16:13:13 joda Exp $
+# $Id: Makefile.am 22399 2008-01-11 14:25:47Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += -I$(srcdir)/../krb5 $(INCLUDE_des) $(INCLUDE_krb4)
+AUTOMAKE_OPTIONS = subdir-objects
+
+AM_CPPFLAGS += -I$(srcdir)/../krb5 \
+	-I$(srcdir) \
+	-I$(srcdir)/mech \
+	$(INCLUDE_hcrypto) \
+	$(INCLUDE_krb4)
 
 lib_LTLIBRARIES = libgssapi.la
-libgssapi_la_LDFLAGS = -version-info 5:0:4
-libgssapi_la_LIBADD  = ../krb5/libkrb5.la $(LIB_des) ../asn1/libasn1.la ../roken/libroken.la
 
-man_MANS = gssapi.3 gss_acquire_cred.3
+krb5src = \
+	krb5/8003.c \
+	krb5/accept_sec_context.c \
+	krb5/acquire_cred.c \
+	krb5/add_cred.c \
+	krb5/address_to_krb5addr.c \
+	krb5/arcfour.c \
+	krb5/canonicalize_name.c \
+	krb5/ccache_name.c \
+	krb5/cfx.c \
+	krb5/cfx.h \
+	krb5/compare_name.c \
+	krb5/compat.c \
+	krb5/context_time.c \
+	krb5/copy_ccache.c \
+	krb5/decapsulate.c \
+	krb5/delete_sec_context.c \
+	krb5/display_name.c \
+	krb5/display_status.c \
+	krb5/duplicate_name.c \
+	krb5/encapsulate.c \
+	krb5/export_name.c \
+	krb5/export_sec_context.c \
+	krb5/external.c \
+	krb5/get_mic.c \
+	krb5/gsskrb5_locl.h \
+	krb5/gsskrb5-private.h \
+	krb5/import_name.c \
+	krb5/import_sec_context.c \
+	krb5/indicate_mechs.c \
+	krb5/init.c \
+	krb5/init_sec_context.c \
+	krb5/inquire_context.c \
+	krb5/inquire_cred.c \
+	krb5/inquire_cred_by_mech.c \
+	krb5/inquire_cred_by_oid.c \
+	krb5/inquire_mechs_for_name.c \
+	krb5/inquire_names_for_mech.c \
+	krb5/inquire_sec_context_by_oid.c \
+	krb5/process_context_token.c \
+	krb5/prf.c \
+	krb5/release_buffer.c \
+	krb5/release_cred.c \
+	krb5/release_name.c \
+	krb5/sequence.c \
+	krb5/set_cred_option.c \
+	krb5/set_sec_context_option.c \
+	krb5/ticket_flags.c \
+	krb5/unwrap.c \
+	krb5/v1.c \
+	krb5/verify_mic.c \
+	krb5/wrap.c
+
+mechsrc = \
+	mech/context.h \
+	mech/context.c \
+	mech/cred.h \
+	mech/gss_accept_sec_context.c \
+	mech/gss_acquire_cred.c \
+	mech/gss_add_cred.c \
+	mech/gss_add_oid_set_member.c \
+	mech/gss_buffer_set.c \
+	mech/gss_canonicalize_name.c \
+	mech/gss_compare_name.c \
+	mech/gss_context_time.c \
+	mech/gss_create_empty_oid_set.c \
+	mech/gss_decapsulate_token.c \
+	mech/gss_delete_sec_context.c \
+	mech/gss_display_name.c \
+	mech/gss_display_status.c \
+	mech/gss_duplicate_name.c \
+	mech/gss_duplicate_oid.c \
+	mech/gss_encapsulate_token.c \
+	mech/gss_export_name.c \
+	mech/gss_export_sec_context.c \
+	mech/gss_get_mic.c \
+	mech/gss_import_name.c \
+	mech/gss_import_sec_context.c \
+	mech/gss_indicate_mechs.c \
+	mech/gss_init_sec_context.c \
+	mech/gss_inquire_context.c \
+	mech/gss_inquire_cred.c \
+	mech/gss_inquire_cred_by_mech.c \
+	mech/gss_inquire_cred_by_oid.c \
+	mech/gss_inquire_mechs_for_name.c \
+	mech/gss_inquire_names_for_mech.c \
+	mech/gss_krb5.c \
+	mech/gss_mech_switch.c \
+	mech/gss_names.c \
+	mech/gss_oid_equal.c \
+	mech/gss_oid_to_str.c \
+	mech/gss_process_context_token.c \
+	mech/gss_pseudo_random.c \
+	mech/gss_release_buffer.c \
+	mech/gss_release_cred.c \
+	mech/gss_release_name.c \
+	mech/gss_release_oid.c \
+	mech/gss_release_oid_set.c \
+	mech/gss_seal.c \
+	mech/gss_set_cred_option.c \
+	mech/gss_set_sec_context_option.c \
+	mech/gss_sign.c \
+	mech/gss_test_oid_set_member.c \
+	mech/gss_unseal.c \
+	mech/gss_unwrap.c \
+	mech/gss_utils.c \
+	mech/gss_verify.c \
+	mech/gss_verify_mic.c \
+	mech/gss_wrap.c \
+	mech/gss_wrap_size_limit.c \
+	mech/gss_inquire_sec_context_by_oid.c \
+	mech/mech_switch.h \
+	mech/mechqueue.h \
+	mech/mech_locl.h \
+	mech/name.h \
+	mech/utils.h
+
+spnegosrc = \
+	spnego/accept_sec_context.c \
+	spnego/compat.c \
+	spnego/context_stubs.c \
+	spnego/cred_stubs.c \
+	spnego/external.c \
+	spnego/init_sec_context.c \
+	spnego/spnego_locl.h \
+	spnego/spnego-private.h
+
+ntlmsrc = \
+	ntlm/accept_sec_context.c \
+	ntlm/acquire_cred.c \
+	ntlm/add_cred.c \
+	ntlm/canonicalize_name.c \
+	ntlm/compare_name.c \
+	ntlm/context_time.c \
+	ntlm/crypto.c \
+	ntlm/delete_sec_context.c \
+	ntlm/display_name.c \
+	ntlm/display_status.c \
+	ntlm/duplicate_name.c \
+	ntlm/export_name.c \
+	ntlm/export_sec_context.c \
+	ntlm/external.c \
+	ntlm/ntlm.h \
+	ntlm/ntlm-private.h \
+	ntlm/import_name.c \
+	ntlm/import_sec_context.c \
+	ntlm/indicate_mechs.c \
+	ntlm/init_sec_context.c \
+	ntlm/inquire_context.c \
+	ntlm/inquire_cred.c \
+	ntlm/inquire_cred_by_mech.c \
+	ntlm/inquire_mechs_for_name.c \
+	ntlm/inquire_names_for_mech.c \
+	ntlm/process_context_token.c \
+	ntlm/release_cred.c \
+	ntlm/release_name.c \
+	ntlm/digest.c
+
+$(srcdir)/ntlm/ntlm-private.h:
+	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p ntlm/ntlm-private.h $(ntlmsrc) || rm -f ntlm/ntlm-private.h
+
+dist_libgssapi_la_SOURCES  = \
+	$(krb5src) \
+	$(mechsrc) \
+	$(ntlmsrc) \
+	$(spnegosrc)
+
+nodist_libgssapi_la_SOURCES  = \
+	gkrb5_err.c \
+	gkrb5_err.h \
+	$(BUILT_SOURCES)
+
+libgssapi_la_LDFLAGS = -version-info 2:0:0
+
+if versionscript
+libgssapi_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
+endif
+
+libgssapi_la_LIBADD = \
+	$(top_builddir)/lib/ntlm/libheimntlm.la \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_com_err) \
+	$(LIB_hcrypto) \
+	$(LIBADD_roken)
+
+man_MANS = gssapi.3 gss_acquire_cred.3 mech/mech.5
 
 include_HEADERS = gssapi.h
+noinst_HEADERS = \
+	gssapi_mech.h \
+	ntlm/ntlm-private.h \
+	spnego/spnego-private.h \
+	krb5/gsskrb5-private.h
+nobase_include_HEADERS = \
+	gssapi/gssapi.h \
+	gssapi/gssapi_krb5.h \
+	gssapi/gssapi_spnego.h
+
+gssapidir = $(includedir)/gssapi
+nodist_gssapi_HEADERS = gkrb5_err.h
+
+gssapi_files = asn1_GSSAPIContextToken.x
+
+spnego_files =					\
+	asn1_ContextFlags.x			\
+	asn1_MechType.x				\
+	asn1_MechTypeList.x			\
+	asn1_NegotiationToken.x			\
+	asn1_NegotiationTokenWin.x		\
+	asn1_NegHints.x				\
+	asn1_NegTokenInit.x			\
+	asn1_NegTokenInitWin.x			\
+	asn1_NegTokenResp.x
+
+$(libgssapi_la_OBJECTS): $(srcdir)/krb5/gsskrb5-private.h
+$(libgssapi_la_OBJECTS): $(srcdir)/spnego/spnego-private.h
+$(libgssapi_la_OBJECTS): $(srcdir)/ntlm/ntlm-private.h
+
+$(libgssapi_la_OBJECTS): $(srcdir)/version-script.map
+
+BUILT_SOURCES = $(spnego_files:.x=.c) $(gssapi_files:.x=.c)
+
+CLEANFILES = $(BUILT_SOURCES) \
+	gkrb5_err.h gkrb5_err.c \
+	$(spnego_files) spnego_asn1.h spnego_asn1_files \
+	$(gssapi_files) gssapi_asn1.h gssapi_asn1_files \
+	gss-commands.h gss-commands.c
+
+$(spnego_files) spnego_asn1.h: spnego_asn1_files
+$(gssapi_files) gssapi_asn1.h: gssapi_asn1_files
+
+spnego_asn1_files: ../asn1/asn1_compile$(EXEEXT) $(srcdir)/spnego/spnego.asn1
+	../asn1/asn1_compile$(EXEEXT) --sequence=MechTypeList $(srcdir)/spnego/spnego.asn1 spnego_asn1
+
+gssapi_asn1_files: ../asn1/asn1_compile$(EXEEXT) $(srcdir)/mech/gssapi.asn1
+	../asn1/asn1_compile$(EXEEXT) $(srcdir)/mech/gssapi.asn1 gssapi_asn1
+
+$(srcdir)/krb5/gsskrb5-private.h:
+	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p krb5/gsskrb5-private.h $(krb5src) || rm -f krb5/gsskrb5-private.h
+
+$(srcdir)/spnego/spnego-private.h:
+	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p spnego/spnego-private.h $(spnegosrc) || rm -f spnego/spnego-private.h
+
+
+TESTS = test_oid test_names test_cfx
+# test_sequence 
+
+test_cfx_SOURCES = krb5/test_cfx.c
+
+check_PROGRAMS = test_acquire_cred $(TESTS)
+
+bin_PROGRAMS = gss
+noinst_PROGRAMS = test_cred test_kcred test_context test_ntlm
+
+test_context_SOURCES = test_context.c test_common.c test_common.h
+test_ntlm_SOURCES = test_ntlm.c test_common.c test_common.h
+test_acquire_cred_SOURCES = test_acquire_cred.c test_common.c test_common.h
+
+test_ntlm_LDADD = \
+	$(top_builddir)/lib/ntlm/libheimntlm.la \
+	$(LDADD)
+
+LDADD = libgssapi.la \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_roken)
+
+# gss
+
+dist_gss_SOURCES = gss.c
+nodist_gss_SOURCES = gss-commands.c gss-commands.h
+
+gss_LDADD = libgssapi.la \
+	$(top_builddir)/lib/sl/libsl.la \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_readline) \
+	$(LIB_roken)
+
+SLC = $(top_builddir)/lib/sl/slc
+
+gss-commands.c gss-commands.h: gss-commands.in
+	$(SLC) $(srcdir)/gss-commands.in
+
+$(gss_OBJECTS): gss-commands.h
+
+EXTRA_DIST = \
+	$(man_MANS) \
+	krb5/gkrb5_err.et \
+	mech/gssapi.asn1 \
+	spnego/spnego.asn1 \
+	version-script.map \
+	gss-commands.in
+
+# to help stupid solaris make
+
+$(libgssapi_la_OBJECTS): gkrb5_err.h gssapi_asn1.h spnego_asn1.h
 
-libgssapi_la_SOURCES =		\
-	8003.c			\
-	arcfour.c		\
-	accept_sec_context.c	\
-	acquire_cred.c		\
-	add_cred.c		\
-	add_oid_set_member.c	\
-	canonicalize_name.c	\
-	compare_name.c		\
-	compat.c		\
-	context_time.c		\
-	copy_ccache.c		\
-	create_emtpy_oid_set.c	\
-	decapsulate.c		\
-	delete_sec_context.c	\
-	display_name.c		\
-	display_status.c	\
-	duplicate_name.c	\
-	encapsulate.c		\
-	export_sec_context.c	\
-	export_name.c		\
-	external.c		\
-	get_mic.c		\
-	gssapi.h		\
-	gssapi_locl.h		\
-	import_name.c		\
-	import_sec_context.c	\
-	indicate_mechs.c	\
-	init.c			\
-	init_sec_context.c	\
-	inquire_context.c	\
-	inquire_cred.c		\
-	inquire_cred_by_mech.c	\
-	inquire_mechs_for_name.c \
-	inquire_names_for_mech.c \
-	release_buffer.c	\
-	release_cred.c		\
-	release_name.c		\
-	release_oid_set.c	\
-	process_context_token.c \
-	test_oid_set_member.c	\
-	unwrap.c		\
-	v1.c			\
-	verify_mic.c		\
-        wrap.c                  \
-        address_to_krb5addr.c
-
-#noinst_PROGRAMS = test_acquire_cred
-
-#test_acquire_cred_SOURCES = test_acquire_cred.c
-
-#test_acquire_cred_LDADD = libgssapi.la
+gkrb5_err.h gkrb5_err.c: $(srcdir)/krb5/gkrb5_err.et
+	$(COMPILE_ET) $(srcdir)/krb5/gkrb5_err.et
diff --git a/crypto/heimdal/lib/gssapi/Makefile.in b/crypto/heimdal/lib/gssapi/Makefile.in
index 6dee239..9886d49 100644
--- a/crypto/heimdal/lib/gssapi/Makefile.in
+++ b/crypto/heimdal/lib/gssapi/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,24 +14,19 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.44.2.7 2003/10/14 16:13:13 joda Exp $
+# $Id: Makefile.am 22399 2008-01-11 14:25:47Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
 
-SOURCES = $(libgssapi_la_SOURCES)
 
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -43,23 +38,29 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
-DIST_COMMON = $(include_HEADERS) $(srcdir)/Makefile.am \
-	$(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \
+DIST_COMMON = $(include_HEADERS) $(nobase_include_HEADERS) \
+	$(noinst_HEADERS) $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
+	$(top_srcdir)/Makefile.am.common \
 	$(top_srcdir)/cf/Makefile.am.common ChangeLog
+@versionscript_TRUE@am__append_1 = $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
+TESTS = test_oid$(EXEEXT) test_names$(EXEEXT) test_cfx$(EXEEXT)
+check_PROGRAMS = test_acquire_cred$(EXEEXT) $(am__EXEEXT_1)
+bin_PROGRAMS = gss$(EXEEXT)
+noinst_PROGRAMS = test_cred$(EXEEXT) test_kcred$(EXEEXT) \
+	test_context$(EXEEXT) test_ntlm$(EXEEXT)
 subdir = lib/gssapi
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -72,6 +73,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -80,67 +82,206 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(includedir)"
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" \
+	"$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" \
+	"$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)" \
+	"$(DESTDIR)$(gssapidir)"
 libLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(lib_LTLIBRARIES)
 am__DEPENDENCIES_1 =
-libgssapi_la_DEPENDENCIES = ../krb5/libkrb5.la $(am__DEPENDENCIES_1) \
-	../asn1/libasn1.la ../roken/libroken.la
-am_libgssapi_la_OBJECTS = 8003.lo arcfour.lo accept_sec_context.lo \
-	acquire_cred.lo add_cred.lo add_oid_set_member.lo \
-	canonicalize_name.lo compare_name.lo compat.lo context_time.lo \
-	copy_ccache.lo create_emtpy_oid_set.lo decapsulate.lo \
-	delete_sec_context.lo display_name.lo display_status.lo \
-	duplicate_name.lo encapsulate.lo export_sec_context.lo \
-	export_name.lo external.lo get_mic.lo import_name.lo \
-	import_sec_context.lo indicate_mechs.lo init.lo \
-	init_sec_context.lo inquire_context.lo inquire_cred.lo \
-	inquire_cred_by_mech.lo inquire_mechs_for_name.lo \
-	inquire_names_for_mech.lo release_buffer.lo release_cred.lo \
-	release_name.lo release_oid_set.lo process_context_token.lo \
-	test_oid_set_member.lo unwrap.lo v1.lo verify_mic.lo wrap.lo \
-	address_to_krb5addr.lo
-libgssapi_la_OBJECTS = $(am_libgssapi_la_OBJECTS)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+libgssapi_la_DEPENDENCIES = $(top_builddir)/lib/ntlm/libheimntlm.la \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+am__dirstamp = $(am__leading_dot)dirstamp
+am__objects_1 = krb5/8003.lo krb5/accept_sec_context.lo \
+	krb5/acquire_cred.lo krb5/add_cred.lo \
+	krb5/address_to_krb5addr.lo krb5/arcfour.lo \
+	krb5/canonicalize_name.lo krb5/ccache_name.lo krb5/cfx.lo \
+	krb5/compare_name.lo krb5/compat.lo krb5/context_time.lo \
+	krb5/copy_ccache.lo krb5/decapsulate.lo \
+	krb5/delete_sec_context.lo krb5/display_name.lo \
+	krb5/display_status.lo krb5/duplicate_name.lo \
+	krb5/encapsulate.lo krb5/export_name.lo \
+	krb5/export_sec_context.lo krb5/external.lo krb5/get_mic.lo \
+	krb5/import_name.lo krb5/import_sec_context.lo \
+	krb5/indicate_mechs.lo krb5/init.lo krb5/init_sec_context.lo \
+	krb5/inquire_context.lo krb5/inquire_cred.lo \
+	krb5/inquire_cred_by_mech.lo krb5/inquire_cred_by_oid.lo \
+	krb5/inquire_mechs_for_name.lo krb5/inquire_names_for_mech.lo \
+	krb5/inquire_sec_context_by_oid.lo \
+	krb5/process_context_token.lo krb5/prf.lo \
+	krb5/release_buffer.lo krb5/release_cred.lo \
+	krb5/release_name.lo krb5/sequence.lo krb5/set_cred_option.lo \
+	krb5/set_sec_context_option.lo krb5/ticket_flags.lo \
+	krb5/unwrap.lo krb5/v1.lo krb5/verify_mic.lo krb5/wrap.lo
+am__objects_2 = mech/context.lo mech/gss_accept_sec_context.lo \
+	mech/gss_acquire_cred.lo mech/gss_add_cred.lo \
+	mech/gss_add_oid_set_member.lo mech/gss_buffer_set.lo \
+	mech/gss_canonicalize_name.lo mech/gss_compare_name.lo \
+	mech/gss_context_time.lo mech/gss_create_empty_oid_set.lo \
+	mech/gss_decapsulate_token.lo mech/gss_delete_sec_context.lo \
+	mech/gss_display_name.lo mech/gss_display_status.lo \
+	mech/gss_duplicate_name.lo mech/gss_duplicate_oid.lo \
+	mech/gss_encapsulate_token.lo mech/gss_export_name.lo \
+	mech/gss_export_sec_context.lo mech/gss_get_mic.lo \
+	mech/gss_import_name.lo mech/gss_import_sec_context.lo \
+	mech/gss_indicate_mechs.lo mech/gss_init_sec_context.lo \
+	mech/gss_inquire_context.lo mech/gss_inquire_cred.lo \
+	mech/gss_inquire_cred_by_mech.lo \
+	mech/gss_inquire_cred_by_oid.lo \
+	mech/gss_inquire_mechs_for_name.lo \
+	mech/gss_inquire_names_for_mech.lo mech/gss_krb5.lo \
+	mech/gss_mech_switch.lo mech/gss_names.lo \
+	mech/gss_oid_equal.lo mech/gss_oid_to_str.lo \
+	mech/gss_process_context_token.lo mech/gss_pseudo_random.lo \
+	mech/gss_release_buffer.lo mech/gss_release_cred.lo \
+	mech/gss_release_name.lo mech/gss_release_oid.lo \
+	mech/gss_release_oid_set.lo mech/gss_seal.lo \
+	mech/gss_set_cred_option.lo mech/gss_set_sec_context_option.lo \
+	mech/gss_sign.lo mech/gss_test_oid_set_member.lo \
+	mech/gss_unseal.lo mech/gss_unwrap.lo mech/gss_utils.lo \
+	mech/gss_verify.lo mech/gss_verify_mic.lo mech/gss_wrap.lo \
+	mech/gss_wrap_size_limit.lo \
+	mech/gss_inquire_sec_context_by_oid.lo
+am__objects_3 = ntlm/accept_sec_context.lo ntlm/acquire_cred.lo \
+	ntlm/add_cred.lo ntlm/canonicalize_name.lo \
+	ntlm/compare_name.lo ntlm/context_time.lo ntlm/crypto.lo \
+	ntlm/delete_sec_context.lo ntlm/display_name.lo \
+	ntlm/display_status.lo ntlm/duplicate_name.lo \
+	ntlm/export_name.lo ntlm/export_sec_context.lo \
+	ntlm/external.lo ntlm/import_name.lo \
+	ntlm/import_sec_context.lo ntlm/indicate_mechs.lo \
+	ntlm/init_sec_context.lo ntlm/inquire_context.lo \
+	ntlm/inquire_cred.lo ntlm/inquire_cred_by_mech.lo \
+	ntlm/inquire_mechs_for_name.lo ntlm/inquire_names_for_mech.lo \
+	ntlm/process_context_token.lo ntlm/release_cred.lo \
+	ntlm/release_name.lo ntlm/digest.lo
+am__objects_4 = spnego/accept_sec_context.lo spnego/compat.lo \
+	spnego/context_stubs.lo spnego/cred_stubs.lo \
+	spnego/external.lo spnego/init_sec_context.lo
+dist_libgssapi_la_OBJECTS = $(am__objects_1) $(am__objects_2) \
+	$(am__objects_3) $(am__objects_4)
+am__objects_5 = asn1_ContextFlags.lo asn1_MechType.lo \
+	asn1_MechTypeList.lo asn1_NegotiationToken.lo \
+	asn1_NegotiationTokenWin.lo asn1_NegHints.lo \
+	asn1_NegTokenInit.lo asn1_NegTokenInitWin.lo \
+	asn1_NegTokenResp.lo
+am__objects_6 = asn1_GSSAPIContextToken.lo
+am__objects_7 = $(am__objects_5) $(am__objects_6)
+nodist_libgssapi_la_OBJECTS = gkrb5_err.lo $(am__objects_7)
+libgssapi_la_OBJECTS = $(dist_libgssapi_la_OBJECTS) \
+	$(nodist_libgssapi_la_OBJECTS)
+libgssapi_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libgssapi_la_LDFLAGS) $(LDFLAGS) -o $@
+binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
+am__EXEEXT_1 = test_oid$(EXEEXT) test_names$(EXEEXT) test_cfx$(EXEEXT)
+PROGRAMS = $(bin_PROGRAMS) $(noinst_PROGRAMS)
+dist_gss_OBJECTS = gss.$(OBJEXT)
+nodist_gss_OBJECTS = gss-commands.$(OBJEXT)
+gss_OBJECTS = $(dist_gss_OBJECTS) $(nodist_gss_OBJECTS)
+gss_DEPENDENCIES = libgssapi.la $(top_builddir)/lib/sl/libsl.la \
+	$(top_builddir)/lib/krb5/libkrb5.la $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1)
+am_test_acquire_cred_OBJECTS = test_acquire_cred.$(OBJEXT) \
+	test_common.$(OBJEXT)
+test_acquire_cred_OBJECTS = $(am_test_acquire_cred_OBJECTS)
+test_acquire_cred_LDADD = $(LDADD)
+test_acquire_cred_DEPENDENCIES = libgssapi.la \
+	$(top_builddir)/lib/krb5/libkrb5.la $(am__DEPENDENCIES_1)
+am_test_cfx_OBJECTS = krb5/test_cfx.$(OBJEXT)
+test_cfx_OBJECTS = $(am_test_cfx_OBJECTS)
+test_cfx_LDADD = $(LDADD)
+test_cfx_DEPENDENCIES = libgssapi.la \
+	$(top_builddir)/lib/krb5/libkrb5.la $(am__DEPENDENCIES_1)
+am_test_context_OBJECTS = test_context.$(OBJEXT) test_common.$(OBJEXT)
+test_context_OBJECTS = $(am_test_context_OBJECTS)
+test_context_LDADD = $(LDADD)
+test_context_DEPENDENCIES = libgssapi.la \
+	$(top_builddir)/lib/krb5/libkrb5.la $(am__DEPENDENCIES_1)
+test_cred_SOURCES = test_cred.c
+test_cred_OBJECTS = test_cred.$(OBJEXT)
+test_cred_LDADD = $(LDADD)
+test_cred_DEPENDENCIES = libgssapi.la \
+	$(top_builddir)/lib/krb5/libkrb5.la $(am__DEPENDENCIES_1)
+test_kcred_SOURCES = test_kcred.c
+test_kcred_OBJECTS = test_kcred.$(OBJEXT)
+test_kcred_LDADD = $(LDADD)
+test_kcred_DEPENDENCIES = libgssapi.la \
+	$(top_builddir)/lib/krb5/libkrb5.la $(am__DEPENDENCIES_1)
+test_names_SOURCES = test_names.c
+test_names_OBJECTS = test_names.$(OBJEXT)
+test_names_LDADD = $(LDADD)
+test_names_DEPENDENCIES = libgssapi.la \
+	$(top_builddir)/lib/krb5/libkrb5.la $(am__DEPENDENCIES_1)
+am_test_ntlm_OBJECTS = test_ntlm.$(OBJEXT) test_common.$(OBJEXT)
+test_ntlm_OBJECTS = $(am_test_ntlm_OBJECTS)
+am__DEPENDENCIES_2 = libgssapi.la $(top_builddir)/lib/krb5/libkrb5.la \
+	$(am__DEPENDENCIES_1)
+test_ntlm_DEPENDENCIES = $(top_builddir)/lib/ntlm/libheimntlm.la \
+	$(am__DEPENDENCIES_2)
+test_oid_SOURCES = test_oid.c
+test_oid_OBJECTS = test_oid.$(OBJEXT)
+test_oid_LDADD = $(LDADD)
+test_oid_DEPENDENCIES = libgssapi.la \
+	$(top_builddir)/lib/krb5/libkrb5.la $(am__DEPENDENCIES_1)
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
-SOURCES = $(libgssapi_la_SOURCES)
-DIST_SOURCES = $(libgssapi_la_SOURCES)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(dist_libgssapi_la_SOURCES) $(nodist_libgssapi_la_SOURCES) \
+	$(dist_gss_SOURCES) $(nodist_gss_SOURCES) \
+	$(test_acquire_cred_SOURCES) $(test_cfx_SOURCES) \
+	$(test_context_SOURCES) test_cred.c test_kcred.c test_names.c \
+	$(test_ntlm_SOURCES) test_oid.c
+DIST_SOURCES = $(dist_libgssapi_la_SOURCES) $(dist_gss_SOURCES) \
+	$(test_acquire_cred_SOURCES) $(test_cfx_SOURCES) \
+	$(test_context_SOURCES) test_cred.c test_kcred.c test_names.c \
+	$(test_ntlm_SOURCES) test_oid.c
 man3dir = $(mandir)/man3
+man5dir = $(mandir)/man5
 MANS = $(man_MANS)
 includeHEADERS_INSTALL = $(INSTALL_HEADER)
-HEADERS = $(include_HEADERS)
+nobase_includeHEADERS_INSTALL = $(install_sh_DATA)
+nodist_gssapiHEADERS_INSTALL = $(INSTALL_HEADER)
+HEADERS = $(include_HEADERS) $(nobase_include_HEADERS) \
+	$(nodist_gssapi_HEADERS) $(noinst_HEADERS)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -150,8 +291,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -162,11 +301,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -174,42 +312,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -227,12 +350,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -242,15 +362,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -259,6 +378,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -270,15 +390,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -286,74 +401,81 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/../krb5 $(INCLUDE_des) $(INCLUDE_krb4)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	-I$(srcdir)/../krb5 -I$(srcdir) -I$(srcdir)/mech \
+	$(INCLUDE_hcrypto) $(INCLUDE_krb4)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -370,63 +492,259 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+AUTOMAKE_OPTIONS = subdir-objects
 lib_LTLIBRARIES = libgssapi.la
-libgssapi_la_LDFLAGS = -version-info 5:0:4
-libgssapi_la_LIBADD = ../krb5/libkrb5.la $(LIB_des) ../asn1/libasn1.la ../roken/libroken.la
-man_MANS = gssapi.3 gss_acquire_cred.3
+krb5src = \
+	krb5/8003.c \
+	krb5/accept_sec_context.c \
+	krb5/acquire_cred.c \
+	krb5/add_cred.c \
+	krb5/address_to_krb5addr.c \
+	krb5/arcfour.c \
+	krb5/canonicalize_name.c \
+	krb5/ccache_name.c \
+	krb5/cfx.c \
+	krb5/cfx.h \
+	krb5/compare_name.c \
+	krb5/compat.c \
+	krb5/context_time.c \
+	krb5/copy_ccache.c \
+	krb5/decapsulate.c \
+	krb5/delete_sec_context.c \
+	krb5/display_name.c \
+	krb5/display_status.c \
+	krb5/duplicate_name.c \
+	krb5/encapsulate.c \
+	krb5/export_name.c \
+	krb5/export_sec_context.c \
+	krb5/external.c \
+	krb5/get_mic.c \
+	krb5/gsskrb5_locl.h \
+	krb5/gsskrb5-private.h \
+	krb5/import_name.c \
+	krb5/import_sec_context.c \
+	krb5/indicate_mechs.c \
+	krb5/init.c \
+	krb5/init_sec_context.c \
+	krb5/inquire_context.c \
+	krb5/inquire_cred.c \
+	krb5/inquire_cred_by_mech.c \
+	krb5/inquire_cred_by_oid.c \
+	krb5/inquire_mechs_for_name.c \
+	krb5/inquire_names_for_mech.c \
+	krb5/inquire_sec_context_by_oid.c \
+	krb5/process_context_token.c \
+	krb5/prf.c \
+	krb5/release_buffer.c \
+	krb5/release_cred.c \
+	krb5/release_name.c \
+	krb5/sequence.c \
+	krb5/set_cred_option.c \
+	krb5/set_sec_context_option.c \
+	krb5/ticket_flags.c \
+	krb5/unwrap.c \
+	krb5/v1.c \
+	krb5/verify_mic.c \
+	krb5/wrap.c
+
+mechsrc = \
+	mech/context.h \
+	mech/context.c \
+	mech/cred.h \
+	mech/gss_accept_sec_context.c \
+	mech/gss_acquire_cred.c \
+	mech/gss_add_cred.c \
+	mech/gss_add_oid_set_member.c \
+	mech/gss_buffer_set.c \
+	mech/gss_canonicalize_name.c \
+	mech/gss_compare_name.c \
+	mech/gss_context_time.c \
+	mech/gss_create_empty_oid_set.c \
+	mech/gss_decapsulate_token.c \
+	mech/gss_delete_sec_context.c \
+	mech/gss_display_name.c \
+	mech/gss_display_status.c \
+	mech/gss_duplicate_name.c \
+	mech/gss_duplicate_oid.c \
+	mech/gss_encapsulate_token.c \
+	mech/gss_export_name.c \
+	mech/gss_export_sec_context.c \
+	mech/gss_get_mic.c \
+	mech/gss_import_name.c \
+	mech/gss_import_sec_context.c \
+	mech/gss_indicate_mechs.c \
+	mech/gss_init_sec_context.c \
+	mech/gss_inquire_context.c \
+	mech/gss_inquire_cred.c \
+	mech/gss_inquire_cred_by_mech.c \
+	mech/gss_inquire_cred_by_oid.c \
+	mech/gss_inquire_mechs_for_name.c \
+	mech/gss_inquire_names_for_mech.c \
+	mech/gss_krb5.c \
+	mech/gss_mech_switch.c \
+	mech/gss_names.c \
+	mech/gss_oid_equal.c \
+	mech/gss_oid_to_str.c \
+	mech/gss_process_context_token.c \
+	mech/gss_pseudo_random.c \
+	mech/gss_release_buffer.c \
+	mech/gss_release_cred.c \
+	mech/gss_release_name.c \
+	mech/gss_release_oid.c \
+	mech/gss_release_oid_set.c \
+	mech/gss_seal.c \
+	mech/gss_set_cred_option.c \
+	mech/gss_set_sec_context_option.c \
+	mech/gss_sign.c \
+	mech/gss_test_oid_set_member.c \
+	mech/gss_unseal.c \
+	mech/gss_unwrap.c \
+	mech/gss_utils.c \
+	mech/gss_verify.c \
+	mech/gss_verify_mic.c \
+	mech/gss_wrap.c \
+	mech/gss_wrap_size_limit.c \
+	mech/gss_inquire_sec_context_by_oid.c \
+	mech/mech_switch.h \
+	mech/mechqueue.h \
+	mech/mech_locl.h \
+	mech/name.h \
+	mech/utils.h
+
+spnegosrc = \
+	spnego/accept_sec_context.c \
+	spnego/compat.c \
+	spnego/context_stubs.c \
+	spnego/cred_stubs.c \
+	spnego/external.c \
+	spnego/init_sec_context.c \
+	spnego/spnego_locl.h \
+	spnego/spnego-private.h
+
+ntlmsrc = \
+	ntlm/accept_sec_context.c \
+	ntlm/acquire_cred.c \
+	ntlm/add_cred.c \
+	ntlm/canonicalize_name.c \
+	ntlm/compare_name.c \
+	ntlm/context_time.c \
+	ntlm/crypto.c \
+	ntlm/delete_sec_context.c \
+	ntlm/display_name.c \
+	ntlm/display_status.c \
+	ntlm/duplicate_name.c \
+	ntlm/export_name.c \
+	ntlm/export_sec_context.c \
+	ntlm/external.c \
+	ntlm/ntlm.h \
+	ntlm/ntlm-private.h \
+	ntlm/import_name.c \
+	ntlm/import_sec_context.c \
+	ntlm/indicate_mechs.c \
+	ntlm/init_sec_context.c \
+	ntlm/inquire_context.c \
+	ntlm/inquire_cred.c \
+	ntlm/inquire_cred_by_mech.c \
+	ntlm/inquire_mechs_for_name.c \
+	ntlm/inquire_names_for_mech.c \
+	ntlm/process_context_token.c \
+	ntlm/release_cred.c \
+	ntlm/release_name.c \
+	ntlm/digest.c
+
+dist_libgssapi_la_SOURCES = \
+	$(krb5src) \
+	$(mechsrc) \
+	$(ntlmsrc) \
+	$(spnegosrc)
+
+nodist_libgssapi_la_SOURCES = \
+	gkrb5_err.c \
+	gkrb5_err.h \
+	$(BUILT_SOURCES)
+
+libgssapi_la_LDFLAGS = -version-info 2:0:0 $(am__append_1)
+libgssapi_la_LIBADD = \
+	$(top_builddir)/lib/ntlm/libheimntlm.la \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_com_err) \
+	$(LIB_hcrypto) \
+	$(LIBADD_roken)
+
+man_MANS = gssapi.3 gss_acquire_cred.3 mech/mech.5
 include_HEADERS = gssapi.h
-libgssapi_la_SOURCES = \
-	8003.c			\
-	arcfour.c		\
-	accept_sec_context.c	\
-	acquire_cred.c		\
-	add_cred.c		\
-	add_oid_set_member.c	\
-	canonicalize_name.c	\
-	compare_name.c		\
-	compat.c		\
-	context_time.c		\
-	copy_ccache.c		\
-	create_emtpy_oid_set.c	\
-	decapsulate.c		\
-	delete_sec_context.c	\
-	display_name.c		\
-	display_status.c	\
-	duplicate_name.c	\
-	encapsulate.c		\
-	export_sec_context.c	\
-	export_name.c		\
-	external.c		\
-	get_mic.c		\
-	gssapi.h		\
-	gssapi_locl.h		\
-	import_name.c		\
-	import_sec_context.c	\
-	indicate_mechs.c	\
-	init.c			\
-	init_sec_context.c	\
-	inquire_context.c	\
-	inquire_cred.c		\
-	inquire_cred_by_mech.c	\
-	inquire_mechs_for_name.c \
-	inquire_names_for_mech.c \
-	release_buffer.c	\
-	release_cred.c		\
-	release_name.c		\
-	release_oid_set.c	\
-	process_context_token.c \
-	test_oid_set_member.c	\
-	unwrap.c		\
-	v1.c			\
-	verify_mic.c		\
-        wrap.c                  \
-        address_to_krb5addr.c
-
-all: all-am
+noinst_HEADERS = \
+	gssapi_mech.h \
+	ntlm/ntlm-private.h \
+	spnego/spnego-private.h \
+	krb5/gsskrb5-private.h
+
+nobase_include_HEADERS = \
+	gssapi/gssapi.h \
+	gssapi/gssapi_krb5.h \
+	gssapi/gssapi_spnego.h
+
+gssapidir = $(includedir)/gssapi
+nodist_gssapi_HEADERS = gkrb5_err.h
+gssapi_files = asn1_GSSAPIContextToken.x
+spnego_files = \
+	asn1_ContextFlags.x			\
+	asn1_MechType.x				\
+	asn1_MechTypeList.x			\
+	asn1_NegotiationToken.x			\
+	asn1_NegotiationTokenWin.x		\
+	asn1_NegHints.x				\
+	asn1_NegTokenInit.x			\
+	asn1_NegTokenInitWin.x			\
+	asn1_NegTokenResp.x
+
+BUILT_SOURCES = $(spnego_files:.x=.c) $(gssapi_files:.x=.c)
+CLEANFILES = $(BUILT_SOURCES) \
+	gkrb5_err.h gkrb5_err.c \
+	$(spnego_files) spnego_asn1.h spnego_asn1_files \
+	$(gssapi_files) gssapi_asn1.h gssapi_asn1_files \
+	gss-commands.h gss-commands.c
+
+# test_sequence 
+test_cfx_SOURCES = krb5/test_cfx.c
+test_context_SOURCES = test_context.c test_common.c test_common.h
+test_ntlm_SOURCES = test_ntlm.c test_common.c test_common.h
+test_acquire_cred_SOURCES = test_acquire_cred.c test_common.c test_common.h
+test_ntlm_LDADD = \
+	$(top_builddir)/lib/ntlm/libheimntlm.la \
+	$(LDADD)
+
+LDADD = libgssapi.la \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_roken)
+
+
+# gss
+dist_gss_SOURCES = gss.c
+nodist_gss_SOURCES = gss-commands.c gss-commands.h
+gss_LDADD = libgssapi.la \
+	$(top_builddir)/lib/sl/libsl.la \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_readline) \
+	$(LIB_roken)
+
+SLC = $(top_builddir)/lib/sl/slc
+EXTRA_DIST = \
+	$(man_MANS) \
+	krb5/gkrb5_err.et \
+	mech/gssapi.asn1 \
+	spnego/spnego.asn1 \
+	version-script.map \
+	gss-commands.in
+
+all: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -458,10 +776,10 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)"
+	test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    f="`echo $$p | sed -e 's|^.*/||'`"; \
+	    f=$(am__strip_dir) \
 	    echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \
 	    $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \
 	  else :; fi; \
@@ -470,7 +788,7 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 uninstall-libLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
-	    p="`echo $$p | sed -e 's|^.*/||'`"; \
+	  p=$(am__strip_dir) \
 	  echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \
 	  $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \
 	done
@@ -479,24 +797,515 @@ clean-libLTLIBRARIES:
 	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" = "$$p" && dir=.; \
+	  test "$$dir" != "$$p" || dir=.; \
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
+krb5/$(am__dirstamp):
+	@$(MKDIR_P) krb5
+	@: > krb5/$(am__dirstamp)
+krb5/8003.lo: krb5/$(am__dirstamp)
+krb5/accept_sec_context.lo: krb5/$(am__dirstamp)
+krb5/acquire_cred.lo: krb5/$(am__dirstamp)
+krb5/add_cred.lo: krb5/$(am__dirstamp)
+krb5/address_to_krb5addr.lo: krb5/$(am__dirstamp)
+krb5/arcfour.lo: krb5/$(am__dirstamp)
+krb5/canonicalize_name.lo: krb5/$(am__dirstamp)
+krb5/ccache_name.lo: krb5/$(am__dirstamp)
+krb5/cfx.lo: krb5/$(am__dirstamp)
+krb5/compare_name.lo: krb5/$(am__dirstamp)
+krb5/compat.lo: krb5/$(am__dirstamp)
+krb5/context_time.lo: krb5/$(am__dirstamp)
+krb5/copy_ccache.lo: krb5/$(am__dirstamp)
+krb5/decapsulate.lo: krb5/$(am__dirstamp)
+krb5/delete_sec_context.lo: krb5/$(am__dirstamp)
+krb5/display_name.lo: krb5/$(am__dirstamp)
+krb5/display_status.lo: krb5/$(am__dirstamp)
+krb5/duplicate_name.lo: krb5/$(am__dirstamp)
+krb5/encapsulate.lo: krb5/$(am__dirstamp)
+krb5/export_name.lo: krb5/$(am__dirstamp)
+krb5/export_sec_context.lo: krb5/$(am__dirstamp)
+krb5/external.lo: krb5/$(am__dirstamp)
+krb5/get_mic.lo: krb5/$(am__dirstamp)
+krb5/import_name.lo: krb5/$(am__dirstamp)
+krb5/import_sec_context.lo: krb5/$(am__dirstamp)
+krb5/indicate_mechs.lo: krb5/$(am__dirstamp)
+krb5/init.lo: krb5/$(am__dirstamp)
+krb5/init_sec_context.lo: krb5/$(am__dirstamp)
+krb5/inquire_context.lo: krb5/$(am__dirstamp)
+krb5/inquire_cred.lo: krb5/$(am__dirstamp)
+krb5/inquire_cred_by_mech.lo: krb5/$(am__dirstamp)
+krb5/inquire_cred_by_oid.lo: krb5/$(am__dirstamp)
+krb5/inquire_mechs_for_name.lo: krb5/$(am__dirstamp)
+krb5/inquire_names_for_mech.lo: krb5/$(am__dirstamp)
+krb5/inquire_sec_context_by_oid.lo: krb5/$(am__dirstamp)
+krb5/process_context_token.lo: krb5/$(am__dirstamp)
+krb5/prf.lo: krb5/$(am__dirstamp)
+krb5/release_buffer.lo: krb5/$(am__dirstamp)
+krb5/release_cred.lo: krb5/$(am__dirstamp)
+krb5/release_name.lo: krb5/$(am__dirstamp)
+krb5/sequence.lo: krb5/$(am__dirstamp)
+krb5/set_cred_option.lo: krb5/$(am__dirstamp)
+krb5/set_sec_context_option.lo: krb5/$(am__dirstamp)
+krb5/ticket_flags.lo: krb5/$(am__dirstamp)
+krb5/unwrap.lo: krb5/$(am__dirstamp)
+krb5/v1.lo: krb5/$(am__dirstamp)
+krb5/verify_mic.lo: krb5/$(am__dirstamp)
+krb5/wrap.lo: krb5/$(am__dirstamp)
+mech/$(am__dirstamp):
+	@$(MKDIR_P) mech
+	@: > mech/$(am__dirstamp)
+mech/context.lo: mech/$(am__dirstamp)
+mech/gss_accept_sec_context.lo: mech/$(am__dirstamp)
+mech/gss_acquire_cred.lo: mech/$(am__dirstamp)
+mech/gss_add_cred.lo: mech/$(am__dirstamp)
+mech/gss_add_oid_set_member.lo: mech/$(am__dirstamp)
+mech/gss_buffer_set.lo: mech/$(am__dirstamp)
+mech/gss_canonicalize_name.lo: mech/$(am__dirstamp)
+mech/gss_compare_name.lo: mech/$(am__dirstamp)
+mech/gss_context_time.lo: mech/$(am__dirstamp)
+mech/gss_create_empty_oid_set.lo: mech/$(am__dirstamp)
+mech/gss_decapsulate_token.lo: mech/$(am__dirstamp)
+mech/gss_delete_sec_context.lo: mech/$(am__dirstamp)
+mech/gss_display_name.lo: mech/$(am__dirstamp)
+mech/gss_display_status.lo: mech/$(am__dirstamp)
+mech/gss_duplicate_name.lo: mech/$(am__dirstamp)
+mech/gss_duplicate_oid.lo: mech/$(am__dirstamp)
+mech/gss_encapsulate_token.lo: mech/$(am__dirstamp)
+mech/gss_export_name.lo: mech/$(am__dirstamp)
+mech/gss_export_sec_context.lo: mech/$(am__dirstamp)
+mech/gss_get_mic.lo: mech/$(am__dirstamp)
+mech/gss_import_name.lo: mech/$(am__dirstamp)
+mech/gss_import_sec_context.lo: mech/$(am__dirstamp)
+mech/gss_indicate_mechs.lo: mech/$(am__dirstamp)
+mech/gss_init_sec_context.lo: mech/$(am__dirstamp)
+mech/gss_inquire_context.lo: mech/$(am__dirstamp)
+mech/gss_inquire_cred.lo: mech/$(am__dirstamp)
+mech/gss_inquire_cred_by_mech.lo: mech/$(am__dirstamp)
+mech/gss_inquire_cred_by_oid.lo: mech/$(am__dirstamp)
+mech/gss_inquire_mechs_for_name.lo: mech/$(am__dirstamp)
+mech/gss_inquire_names_for_mech.lo: mech/$(am__dirstamp)
+mech/gss_krb5.lo: mech/$(am__dirstamp)
+mech/gss_mech_switch.lo: mech/$(am__dirstamp)
+mech/gss_names.lo: mech/$(am__dirstamp)
+mech/gss_oid_equal.lo: mech/$(am__dirstamp)
+mech/gss_oid_to_str.lo: mech/$(am__dirstamp)
+mech/gss_process_context_token.lo: mech/$(am__dirstamp)
+mech/gss_pseudo_random.lo: mech/$(am__dirstamp)
+mech/gss_release_buffer.lo: mech/$(am__dirstamp)
+mech/gss_release_cred.lo: mech/$(am__dirstamp)
+mech/gss_release_name.lo: mech/$(am__dirstamp)
+mech/gss_release_oid.lo: mech/$(am__dirstamp)
+mech/gss_release_oid_set.lo: mech/$(am__dirstamp)
+mech/gss_seal.lo: mech/$(am__dirstamp)
+mech/gss_set_cred_option.lo: mech/$(am__dirstamp)
+mech/gss_set_sec_context_option.lo: mech/$(am__dirstamp)
+mech/gss_sign.lo: mech/$(am__dirstamp)
+mech/gss_test_oid_set_member.lo: mech/$(am__dirstamp)
+mech/gss_unseal.lo: mech/$(am__dirstamp)
+mech/gss_unwrap.lo: mech/$(am__dirstamp)
+mech/gss_utils.lo: mech/$(am__dirstamp)
+mech/gss_verify.lo: mech/$(am__dirstamp)
+mech/gss_verify_mic.lo: mech/$(am__dirstamp)
+mech/gss_wrap.lo: mech/$(am__dirstamp)
+mech/gss_wrap_size_limit.lo: mech/$(am__dirstamp)
+mech/gss_inquire_sec_context_by_oid.lo: mech/$(am__dirstamp)
+ntlm/$(am__dirstamp):
+	@$(MKDIR_P) ntlm
+	@: > ntlm/$(am__dirstamp)
+ntlm/accept_sec_context.lo: ntlm/$(am__dirstamp)
+ntlm/acquire_cred.lo: ntlm/$(am__dirstamp)
+ntlm/add_cred.lo: ntlm/$(am__dirstamp)
+ntlm/canonicalize_name.lo: ntlm/$(am__dirstamp)
+ntlm/compare_name.lo: ntlm/$(am__dirstamp)
+ntlm/context_time.lo: ntlm/$(am__dirstamp)
+ntlm/crypto.lo: ntlm/$(am__dirstamp)
+ntlm/delete_sec_context.lo: ntlm/$(am__dirstamp)
+ntlm/display_name.lo: ntlm/$(am__dirstamp)
+ntlm/display_status.lo: ntlm/$(am__dirstamp)
+ntlm/duplicate_name.lo: ntlm/$(am__dirstamp)
+ntlm/export_name.lo: ntlm/$(am__dirstamp)
+ntlm/export_sec_context.lo: ntlm/$(am__dirstamp)
+ntlm/external.lo: ntlm/$(am__dirstamp)
+ntlm/import_name.lo: ntlm/$(am__dirstamp)
+ntlm/import_sec_context.lo: ntlm/$(am__dirstamp)
+ntlm/indicate_mechs.lo: ntlm/$(am__dirstamp)
+ntlm/init_sec_context.lo: ntlm/$(am__dirstamp)
+ntlm/inquire_context.lo: ntlm/$(am__dirstamp)
+ntlm/inquire_cred.lo: ntlm/$(am__dirstamp)
+ntlm/inquire_cred_by_mech.lo: ntlm/$(am__dirstamp)
+ntlm/inquire_mechs_for_name.lo: ntlm/$(am__dirstamp)
+ntlm/inquire_names_for_mech.lo: ntlm/$(am__dirstamp)
+ntlm/process_context_token.lo: ntlm/$(am__dirstamp)
+ntlm/release_cred.lo: ntlm/$(am__dirstamp)
+ntlm/release_name.lo: ntlm/$(am__dirstamp)
+ntlm/digest.lo: ntlm/$(am__dirstamp)
+spnego/$(am__dirstamp):
+	@$(MKDIR_P) spnego
+	@: > spnego/$(am__dirstamp)
+spnego/accept_sec_context.lo: spnego/$(am__dirstamp)
+spnego/compat.lo: spnego/$(am__dirstamp)
+spnego/context_stubs.lo: spnego/$(am__dirstamp)
+spnego/cred_stubs.lo: spnego/$(am__dirstamp)
+spnego/external.lo: spnego/$(am__dirstamp)
+spnego/init_sec_context.lo: spnego/$(am__dirstamp)
 libgssapi.la: $(libgssapi_la_OBJECTS) $(libgssapi_la_DEPENDENCIES) 
-	$(LINK) -rpath $(libdir) $(libgssapi_la_LDFLAGS) $(libgssapi_la_OBJECTS) $(libgssapi_la_LIBADD) $(LIBS)
+	$(libgssapi_la_LINK) -rpath $(libdir) $(libgssapi_la_OBJECTS) $(libgssapi_la_LIBADD) $(LIBS)
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  if test -f $$p \
+	     || test -f $$p1 \
+	  ; then \
+	    f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
+	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \
+	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
+	  echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(bindir)/$$f"; \
+	done
+
+clean-binPROGRAMS:
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  echo " rm -f $$p $$f"; \
+	  rm -f $$p $$f ; \
+	done
+
+clean-checkPROGRAMS:
+	@list='$(check_PROGRAMS)'; for p in $$list; do \
+	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  echo " rm -f $$p $$f"; \
+	  rm -f $$p $$f ; \
+	done
+
+clean-noinstPROGRAMS:
+	@list='$(noinst_PROGRAMS)'; for p in $$list; do \
+	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  echo " rm -f $$p $$f"; \
+	  rm -f $$p $$f ; \
+	done
+gss$(EXEEXT): $(gss_OBJECTS) $(gss_DEPENDENCIES) 
+	@rm -f gss$(EXEEXT)
+	$(LINK) $(gss_OBJECTS) $(gss_LDADD) $(LIBS)
+test_acquire_cred$(EXEEXT): $(test_acquire_cred_OBJECTS) $(test_acquire_cred_DEPENDENCIES) 
+	@rm -f test_acquire_cred$(EXEEXT)
+	$(LINK) $(test_acquire_cred_OBJECTS) $(test_acquire_cred_LDADD) $(LIBS)
+krb5/test_cfx.$(OBJEXT): krb5/$(am__dirstamp)
+test_cfx$(EXEEXT): $(test_cfx_OBJECTS) $(test_cfx_DEPENDENCIES) 
+	@rm -f test_cfx$(EXEEXT)
+	$(LINK) $(test_cfx_OBJECTS) $(test_cfx_LDADD) $(LIBS)
+test_context$(EXEEXT): $(test_context_OBJECTS) $(test_context_DEPENDENCIES) 
+	@rm -f test_context$(EXEEXT)
+	$(LINK) $(test_context_OBJECTS) $(test_context_LDADD) $(LIBS)
+test_cred$(EXEEXT): $(test_cred_OBJECTS) $(test_cred_DEPENDENCIES) 
+	@rm -f test_cred$(EXEEXT)
+	$(LINK) $(test_cred_OBJECTS) $(test_cred_LDADD) $(LIBS)
+test_kcred$(EXEEXT): $(test_kcred_OBJECTS) $(test_kcred_DEPENDENCIES) 
+	@rm -f test_kcred$(EXEEXT)
+	$(LINK) $(test_kcred_OBJECTS) $(test_kcred_LDADD) $(LIBS)
+test_names$(EXEEXT): $(test_names_OBJECTS) $(test_names_DEPENDENCIES) 
+	@rm -f test_names$(EXEEXT)
+	$(LINK) $(test_names_OBJECTS) $(test_names_LDADD) $(LIBS)
+test_ntlm$(EXEEXT): $(test_ntlm_OBJECTS) $(test_ntlm_DEPENDENCIES) 
+	@rm -f test_ntlm$(EXEEXT)
+	$(LINK) $(test_ntlm_OBJECTS) $(test_ntlm_LDADD) $(LIBS)
+test_oid$(EXEEXT): $(test_oid_OBJECTS) $(test_oid_DEPENDENCIES) 
+	@rm -f test_oid$(EXEEXT)
+	$(LINK) $(test_oid_OBJECTS) $(test_oid_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
+	-rm -f krb5/8003.$(OBJEXT)
+	-rm -f krb5/8003.lo
+	-rm -f krb5/accept_sec_context.$(OBJEXT)
+	-rm -f krb5/accept_sec_context.lo
+	-rm -f krb5/acquire_cred.$(OBJEXT)
+	-rm -f krb5/acquire_cred.lo
+	-rm -f krb5/add_cred.$(OBJEXT)
+	-rm -f krb5/add_cred.lo
+	-rm -f krb5/address_to_krb5addr.$(OBJEXT)
+	-rm -f krb5/address_to_krb5addr.lo
+	-rm -f krb5/arcfour.$(OBJEXT)
+	-rm -f krb5/arcfour.lo
+	-rm -f krb5/canonicalize_name.$(OBJEXT)
+	-rm -f krb5/canonicalize_name.lo
+	-rm -f krb5/ccache_name.$(OBJEXT)
+	-rm -f krb5/ccache_name.lo
+	-rm -f krb5/cfx.$(OBJEXT)
+	-rm -f krb5/cfx.lo
+	-rm -f krb5/compare_name.$(OBJEXT)
+	-rm -f krb5/compare_name.lo
+	-rm -f krb5/compat.$(OBJEXT)
+	-rm -f krb5/compat.lo
+	-rm -f krb5/context_time.$(OBJEXT)
+	-rm -f krb5/context_time.lo
+	-rm -f krb5/copy_ccache.$(OBJEXT)
+	-rm -f krb5/copy_ccache.lo
+	-rm -f krb5/decapsulate.$(OBJEXT)
+	-rm -f krb5/decapsulate.lo
+	-rm -f krb5/delete_sec_context.$(OBJEXT)
+	-rm -f krb5/delete_sec_context.lo
+	-rm -f krb5/display_name.$(OBJEXT)
+	-rm -f krb5/display_name.lo
+	-rm -f krb5/display_status.$(OBJEXT)
+	-rm -f krb5/display_status.lo
+	-rm -f krb5/duplicate_name.$(OBJEXT)
+	-rm -f krb5/duplicate_name.lo
+	-rm -f krb5/encapsulate.$(OBJEXT)
+	-rm -f krb5/encapsulate.lo
+	-rm -f krb5/export_name.$(OBJEXT)
+	-rm -f krb5/export_name.lo
+	-rm -f krb5/export_sec_context.$(OBJEXT)
+	-rm -f krb5/export_sec_context.lo
+	-rm -f krb5/external.$(OBJEXT)
+	-rm -f krb5/external.lo
+	-rm -f krb5/get_mic.$(OBJEXT)
+	-rm -f krb5/get_mic.lo
+	-rm -f krb5/import_name.$(OBJEXT)
+	-rm -f krb5/import_name.lo
+	-rm -f krb5/import_sec_context.$(OBJEXT)
+	-rm -f krb5/import_sec_context.lo
+	-rm -f krb5/indicate_mechs.$(OBJEXT)
+	-rm -f krb5/indicate_mechs.lo
+	-rm -f krb5/init.$(OBJEXT)
+	-rm -f krb5/init.lo
+	-rm -f krb5/init_sec_context.$(OBJEXT)
+	-rm -f krb5/init_sec_context.lo
+	-rm -f krb5/inquire_context.$(OBJEXT)
+	-rm -f krb5/inquire_context.lo
+	-rm -f krb5/inquire_cred.$(OBJEXT)
+	-rm -f krb5/inquire_cred.lo
+	-rm -f krb5/inquire_cred_by_mech.$(OBJEXT)
+	-rm -f krb5/inquire_cred_by_mech.lo
+	-rm -f krb5/inquire_cred_by_oid.$(OBJEXT)
+	-rm -f krb5/inquire_cred_by_oid.lo
+	-rm -f krb5/inquire_mechs_for_name.$(OBJEXT)
+	-rm -f krb5/inquire_mechs_for_name.lo
+	-rm -f krb5/inquire_names_for_mech.$(OBJEXT)
+	-rm -f krb5/inquire_names_for_mech.lo
+	-rm -f krb5/inquire_sec_context_by_oid.$(OBJEXT)
+	-rm -f krb5/inquire_sec_context_by_oid.lo
+	-rm -f krb5/prf.$(OBJEXT)
+	-rm -f krb5/prf.lo
+	-rm -f krb5/process_context_token.$(OBJEXT)
+	-rm -f krb5/process_context_token.lo
+	-rm -f krb5/release_buffer.$(OBJEXT)
+	-rm -f krb5/release_buffer.lo
+	-rm -f krb5/release_cred.$(OBJEXT)
+	-rm -f krb5/release_cred.lo
+	-rm -f krb5/release_name.$(OBJEXT)
+	-rm -f krb5/release_name.lo
+	-rm -f krb5/sequence.$(OBJEXT)
+	-rm -f krb5/sequence.lo
+	-rm -f krb5/set_cred_option.$(OBJEXT)
+	-rm -f krb5/set_cred_option.lo
+	-rm -f krb5/set_sec_context_option.$(OBJEXT)
+	-rm -f krb5/set_sec_context_option.lo
+	-rm -f krb5/test_cfx.$(OBJEXT)
+	-rm -f krb5/ticket_flags.$(OBJEXT)
+	-rm -f krb5/ticket_flags.lo
+	-rm -f krb5/unwrap.$(OBJEXT)
+	-rm -f krb5/unwrap.lo
+	-rm -f krb5/v1.$(OBJEXT)
+	-rm -f krb5/v1.lo
+	-rm -f krb5/verify_mic.$(OBJEXT)
+	-rm -f krb5/verify_mic.lo
+	-rm -f krb5/wrap.$(OBJEXT)
+	-rm -f krb5/wrap.lo
+	-rm -f mech/context.$(OBJEXT)
+	-rm -f mech/context.lo
+	-rm -f mech/gss_accept_sec_context.$(OBJEXT)
+	-rm -f mech/gss_accept_sec_context.lo
+	-rm -f mech/gss_acquire_cred.$(OBJEXT)
+	-rm -f mech/gss_acquire_cred.lo
+	-rm -f mech/gss_add_cred.$(OBJEXT)
+	-rm -f mech/gss_add_cred.lo
+	-rm -f mech/gss_add_oid_set_member.$(OBJEXT)
+	-rm -f mech/gss_add_oid_set_member.lo
+	-rm -f mech/gss_buffer_set.$(OBJEXT)
+	-rm -f mech/gss_buffer_set.lo
+	-rm -f mech/gss_canonicalize_name.$(OBJEXT)
+	-rm -f mech/gss_canonicalize_name.lo
+	-rm -f mech/gss_compare_name.$(OBJEXT)
+	-rm -f mech/gss_compare_name.lo
+	-rm -f mech/gss_context_time.$(OBJEXT)
+	-rm -f mech/gss_context_time.lo
+	-rm -f mech/gss_create_empty_oid_set.$(OBJEXT)
+	-rm -f mech/gss_create_empty_oid_set.lo
+	-rm -f mech/gss_decapsulate_token.$(OBJEXT)
+	-rm -f mech/gss_decapsulate_token.lo
+	-rm -f mech/gss_delete_sec_context.$(OBJEXT)
+	-rm -f mech/gss_delete_sec_context.lo
+	-rm -f mech/gss_display_name.$(OBJEXT)
+	-rm -f mech/gss_display_name.lo
+	-rm -f mech/gss_display_status.$(OBJEXT)
+	-rm -f mech/gss_display_status.lo
+	-rm -f mech/gss_duplicate_name.$(OBJEXT)
+	-rm -f mech/gss_duplicate_name.lo
+	-rm -f mech/gss_duplicate_oid.$(OBJEXT)
+	-rm -f mech/gss_duplicate_oid.lo
+	-rm -f mech/gss_encapsulate_token.$(OBJEXT)
+	-rm -f mech/gss_encapsulate_token.lo
+	-rm -f mech/gss_export_name.$(OBJEXT)
+	-rm -f mech/gss_export_name.lo
+	-rm -f mech/gss_export_sec_context.$(OBJEXT)
+	-rm -f mech/gss_export_sec_context.lo
+	-rm -f mech/gss_get_mic.$(OBJEXT)
+	-rm -f mech/gss_get_mic.lo
+	-rm -f mech/gss_import_name.$(OBJEXT)
+	-rm -f mech/gss_import_name.lo
+	-rm -f mech/gss_import_sec_context.$(OBJEXT)
+	-rm -f mech/gss_import_sec_context.lo
+	-rm -f mech/gss_indicate_mechs.$(OBJEXT)
+	-rm -f mech/gss_indicate_mechs.lo
+	-rm -f mech/gss_init_sec_context.$(OBJEXT)
+	-rm -f mech/gss_init_sec_context.lo
+	-rm -f mech/gss_inquire_context.$(OBJEXT)
+	-rm -f mech/gss_inquire_context.lo
+	-rm -f mech/gss_inquire_cred.$(OBJEXT)
+	-rm -f mech/gss_inquire_cred.lo
+	-rm -f mech/gss_inquire_cred_by_mech.$(OBJEXT)
+	-rm -f mech/gss_inquire_cred_by_mech.lo
+	-rm -f mech/gss_inquire_cred_by_oid.$(OBJEXT)
+	-rm -f mech/gss_inquire_cred_by_oid.lo
+	-rm -f mech/gss_inquire_mechs_for_name.$(OBJEXT)
+	-rm -f mech/gss_inquire_mechs_for_name.lo
+	-rm -f mech/gss_inquire_names_for_mech.$(OBJEXT)
+	-rm -f mech/gss_inquire_names_for_mech.lo
+	-rm -f mech/gss_inquire_sec_context_by_oid.$(OBJEXT)
+	-rm -f mech/gss_inquire_sec_context_by_oid.lo
+	-rm -f mech/gss_krb5.$(OBJEXT)
+	-rm -f mech/gss_krb5.lo
+	-rm -f mech/gss_mech_switch.$(OBJEXT)
+	-rm -f mech/gss_mech_switch.lo
+	-rm -f mech/gss_names.$(OBJEXT)
+	-rm -f mech/gss_names.lo
+	-rm -f mech/gss_oid_equal.$(OBJEXT)
+	-rm -f mech/gss_oid_equal.lo
+	-rm -f mech/gss_oid_to_str.$(OBJEXT)
+	-rm -f mech/gss_oid_to_str.lo
+	-rm -f mech/gss_process_context_token.$(OBJEXT)
+	-rm -f mech/gss_process_context_token.lo
+	-rm -f mech/gss_pseudo_random.$(OBJEXT)
+	-rm -f mech/gss_pseudo_random.lo
+	-rm -f mech/gss_release_buffer.$(OBJEXT)
+	-rm -f mech/gss_release_buffer.lo
+	-rm -f mech/gss_release_cred.$(OBJEXT)
+	-rm -f mech/gss_release_cred.lo
+	-rm -f mech/gss_release_name.$(OBJEXT)
+	-rm -f mech/gss_release_name.lo
+	-rm -f mech/gss_release_oid.$(OBJEXT)
+	-rm -f mech/gss_release_oid.lo
+	-rm -f mech/gss_release_oid_set.$(OBJEXT)
+	-rm -f mech/gss_release_oid_set.lo
+	-rm -f mech/gss_seal.$(OBJEXT)
+	-rm -f mech/gss_seal.lo
+	-rm -f mech/gss_set_cred_option.$(OBJEXT)
+	-rm -f mech/gss_set_cred_option.lo
+	-rm -f mech/gss_set_sec_context_option.$(OBJEXT)
+	-rm -f mech/gss_set_sec_context_option.lo
+	-rm -f mech/gss_sign.$(OBJEXT)
+	-rm -f mech/gss_sign.lo
+	-rm -f mech/gss_test_oid_set_member.$(OBJEXT)
+	-rm -f mech/gss_test_oid_set_member.lo
+	-rm -f mech/gss_unseal.$(OBJEXT)
+	-rm -f mech/gss_unseal.lo
+	-rm -f mech/gss_unwrap.$(OBJEXT)
+	-rm -f mech/gss_unwrap.lo
+	-rm -f mech/gss_utils.$(OBJEXT)
+	-rm -f mech/gss_utils.lo
+	-rm -f mech/gss_verify.$(OBJEXT)
+	-rm -f mech/gss_verify.lo
+	-rm -f mech/gss_verify_mic.$(OBJEXT)
+	-rm -f mech/gss_verify_mic.lo
+	-rm -f mech/gss_wrap.$(OBJEXT)
+	-rm -f mech/gss_wrap.lo
+	-rm -f mech/gss_wrap_size_limit.$(OBJEXT)
+	-rm -f mech/gss_wrap_size_limit.lo
+	-rm -f ntlm/accept_sec_context.$(OBJEXT)
+	-rm -f ntlm/accept_sec_context.lo
+	-rm -f ntlm/acquire_cred.$(OBJEXT)
+	-rm -f ntlm/acquire_cred.lo
+	-rm -f ntlm/add_cred.$(OBJEXT)
+	-rm -f ntlm/add_cred.lo
+	-rm -f ntlm/canonicalize_name.$(OBJEXT)
+	-rm -f ntlm/canonicalize_name.lo
+	-rm -f ntlm/compare_name.$(OBJEXT)
+	-rm -f ntlm/compare_name.lo
+	-rm -f ntlm/context_time.$(OBJEXT)
+	-rm -f ntlm/context_time.lo
+	-rm -f ntlm/crypto.$(OBJEXT)
+	-rm -f ntlm/crypto.lo
+	-rm -f ntlm/delete_sec_context.$(OBJEXT)
+	-rm -f ntlm/delete_sec_context.lo
+	-rm -f ntlm/digest.$(OBJEXT)
+	-rm -f ntlm/digest.lo
+	-rm -f ntlm/display_name.$(OBJEXT)
+	-rm -f ntlm/display_name.lo
+	-rm -f ntlm/display_status.$(OBJEXT)
+	-rm -f ntlm/display_status.lo
+	-rm -f ntlm/duplicate_name.$(OBJEXT)
+	-rm -f ntlm/duplicate_name.lo
+	-rm -f ntlm/export_name.$(OBJEXT)
+	-rm -f ntlm/export_name.lo
+	-rm -f ntlm/export_sec_context.$(OBJEXT)
+	-rm -f ntlm/export_sec_context.lo
+	-rm -f ntlm/external.$(OBJEXT)
+	-rm -f ntlm/external.lo
+	-rm -f ntlm/import_name.$(OBJEXT)
+	-rm -f ntlm/import_name.lo
+	-rm -f ntlm/import_sec_context.$(OBJEXT)
+	-rm -f ntlm/import_sec_context.lo
+	-rm -f ntlm/indicate_mechs.$(OBJEXT)
+	-rm -f ntlm/indicate_mechs.lo
+	-rm -f ntlm/init_sec_context.$(OBJEXT)
+	-rm -f ntlm/init_sec_context.lo
+	-rm -f ntlm/inquire_context.$(OBJEXT)
+	-rm -f ntlm/inquire_context.lo
+	-rm -f ntlm/inquire_cred.$(OBJEXT)
+	-rm -f ntlm/inquire_cred.lo
+	-rm -f ntlm/inquire_cred_by_mech.$(OBJEXT)
+	-rm -f ntlm/inquire_cred_by_mech.lo
+	-rm -f ntlm/inquire_mechs_for_name.$(OBJEXT)
+	-rm -f ntlm/inquire_mechs_for_name.lo
+	-rm -f ntlm/inquire_names_for_mech.$(OBJEXT)
+	-rm -f ntlm/inquire_names_for_mech.lo
+	-rm -f ntlm/process_context_token.$(OBJEXT)
+	-rm -f ntlm/process_context_token.lo
+	-rm -f ntlm/release_cred.$(OBJEXT)
+	-rm -f ntlm/release_cred.lo
+	-rm -f ntlm/release_name.$(OBJEXT)
+	-rm -f ntlm/release_name.lo
+	-rm -f spnego/accept_sec_context.$(OBJEXT)
+	-rm -f spnego/accept_sec_context.lo
+	-rm -f spnego/compat.$(OBJEXT)
+	-rm -f spnego/compat.lo
+	-rm -f spnego/context_stubs.$(OBJEXT)
+	-rm -f spnego/context_stubs.lo
+	-rm -f spnego/cred_stubs.$(OBJEXT)
+	-rm -f spnego/cred_stubs.lo
+	-rm -f spnego/external.$(OBJEXT)
+	-rm -f spnego/external.lo
+	-rm -f spnego/init_sec_context.$(OBJEXT)
+	-rm -f spnego/init_sec_context.lo
 
 distclean-compile:
 	-rm -f *.tab.c
 
 .c.o:
-	$(COMPILE) -c $<
+	$(COMPILE) -c -o $@ $<
 
 .c.obj:
-	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+	$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
 
 .c.lo:
 	$(LTCOMPILE) -c -o $@ $<
@@ -506,13 +1315,13 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
+	-rm -rf krb5/.libs krb5/_libs
+	-rm -rf mech/.libs mech/_libs
+	-rm -rf ntlm/.libs ntlm/_libs
+	-rm -rf spnego/.libs spnego/_libs
 install-man3: $(man3_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man3dir)" || $(mkdir_p) "$(DESTDIR)$(man3dir)"
+	test -z "$(man3dir)" || $(MKDIR_P) "$(DESTDIR)$(man3dir)"
 	@list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -555,12 +1364,57 @@ uninstall-man3:
 	  echo " rm -f '$(DESTDIR)$(man3dir)/$$inst'"; \
 	  rm -f "$(DESTDIR)$(man3dir)/$$inst"; \
 	done
+install-man5: $(man5_MANS) $(man_MANS)
+	@$(NORMAL_INSTALL)
+	test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)"
+	@list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
+	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+	for i in $$l2; do \
+	  case "$$i" in \
+	    *.5*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  case "$$ext" in \
+	    5*) ;; \
+	    *) ext='5' ;; \
+	  esac; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
+	  $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \
+	done
+uninstall-man5:
+	@$(NORMAL_UNINSTALL)
+	@list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
+	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+	for i in $$l2; do \
+	  case "$$i" in \
+	    *.5*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  case "$$ext" in \
+	    5*) ;; \
+	    *) ext='5' ;; \
+	  esac; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \
+	  rm -f "$(DESTDIR)$(man5dir)/$$inst"; \
+	done
 install-includeHEADERS: $(include_HEADERS)
 	@$(NORMAL_INSTALL)
-	test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)"
+	test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
 	@list='$(include_HEADERS)'; for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  f=$(am__strip_dir) \
 	  echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
 	  $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
 	done
@@ -568,10 +1422,46 @@ install-includeHEADERS: $(include_HEADERS)
 uninstall-includeHEADERS:
 	@$(NORMAL_UNINSTALL)
 	@list='$(include_HEADERS)'; for p in $$list; do \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  f=$(am__strip_dir) \
 	  echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \
 	  rm -f "$(DESTDIR)$(includedir)/$$f"; \
 	done
+install-nobase_includeHEADERS: $(nobase_include_HEADERS)
+	@$(NORMAL_INSTALL)
+	test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
+	@$(am__vpath_adj_setup) \
+	list='$(nobase_include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  $(am__vpath_adj) \
+	  echo " $(nobase_includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
+	  $(nobase_includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
+	done
+
+uninstall-nobase_includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@$(am__vpath_adj_setup) \
+	list='$(nobase_include_HEADERS)'; for p in $$list; do \
+	  $(am__vpath_adj) \
+	  echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(includedir)/$$f"; \
+	done
+install-nodist_gssapiHEADERS: $(nodist_gssapi_HEADERS)
+	@$(NORMAL_INSTALL)
+	test -z "$(gssapidir)" || $(MKDIR_P) "$(DESTDIR)$(gssapidir)"
+	@list='$(nodist_gssapi_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  f=$(am__strip_dir) \
+	  echo " $(nodist_gssapiHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(gssapidir)/$$f'"; \
+	  $(nodist_gssapiHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(gssapidir)/$$f"; \
+	done
+
+uninstall-nodist_gssapiHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(nodist_gssapi_HEADERS)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
+	  echo " rm -f '$(DESTDIR)$(gssapidir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(gssapidir)/$$f"; \
+	done
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -593,9 +1483,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -619,24 +1511,95 @@ GTAGS:
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
-distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../.. $(distdir)/../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[	 ]'; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *$$ws$$tst$$ws*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		echo "XPASS: $$tst"; \
+	      ;; \
+	      *) \
+		echo "PASS: $$tst"; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *$$ws$$tst$$ws*) \
+		xfail=`expr $$xfail + 1`; \
+		echo "XFAIL: $$tst"; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		echo "FAIL: $$tst"; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      echo "SKIP: $$tst"; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="All $$all tests passed"; \
+	    else \
+	      banner="All $$all tests behaved as expected ($$xfail expected failures)"; \
+	    fi; \
 	  else \
-	    dir=''; \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all tests failed"; \
+	    else \
+	      banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    skipped="($$skip tests were not run)"; \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
 	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
+	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  test -z "$$skipped" || echo "$$skipped"; \
+	  test -z "$$report" || echo "$$report"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -651,14 +1614,20 @@ distdir: $(DISTFILES)
 	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
 	  dist-hook
 check-am: all-am
-	$(MAKE) $(AM_MAKEFLAGS) check-local
-check: check-am
-all-am: Makefile $(LTLIBRARIES) $(MANS) $(HEADERS) all-local
+	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
+check: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) check-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(HEADERS) \
+		all-local
+install-binPROGRAMS: install-libLTLIBRARIES
+
 installdirs:
-	for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(includedir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(gssapidir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
-install: install-am
+install: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) install-am
 install-exec: install-exec-am
 install-data: install-data-am
 uninstall: uninstall-am
@@ -675,22 +1644,29 @@ install-strip:
 mostlyclean-generic:
 
 clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-rm -f krb5/$(am__dirstamp)
+	-rm -f mech/$(am__dirstamp)
+	-rm -f ntlm/$(am__dirstamp)
+	-rm -f spnego/$(am__dirstamp)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
+	-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
 clean: clean-am
 
-clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \
+clean-am: clean-binPROGRAMS clean-checkPROGRAMS clean-generic \
+	clean-libLTLIBRARIES clean-libtool clean-noinstPROGRAMS \
 	mostlyclean-am
 
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -702,17 +1678,26 @@ info: info-am
 
 info-am:
 
-install-data-am: install-includeHEADERS install-man
+install-data-am: install-includeHEADERS install-man \
+	install-nobase_includeHEADERS install-nodist_gssapiHEADERS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
-install-exec-am: install-libLTLIBRARIES
+install-dvi: install-dvi-am
+
+install-exec-am: install-binPROGRAMS install-libLTLIBRARIES
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
-install-man: install-man3
+install-man: install-man3 install-man5
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
 
 installcheck-am:
 
@@ -733,25 +1718,39 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-includeHEADERS uninstall-info-am \
-	uninstall-libLTLIBRARIES uninstall-man
-
-uninstall-man: uninstall-man3
-
-.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
-	clean clean-generic clean-libLTLIBRARIES clean-libtool ctags \
-	distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-exec install-exec-am \
-	install-includeHEADERS install-info install-info-am \
-	install-libLTLIBRARIES install-man install-man3 install-strip \
-	installcheck installcheck-am installdirs maintainer-clean \
+uninstall-am: uninstall-binPROGRAMS uninstall-includeHEADERS \
+	uninstall-libLTLIBRARIES uninstall-man \
+	uninstall-nobase_includeHEADERS uninstall-nodist_gssapiHEADERS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+uninstall-man: uninstall-man3 uninstall-man5
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
+.PHONY: CTAGS GTAGS all all-am all-local check check-TESTS check-am \
+	check-local clean clean-binPROGRAMS clean-checkPROGRAMS \
+	clean-generic clean-libLTLIBRARIES clean-libtool \
+	clean-noinstPROGRAMS ctags dist-hook distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-binPROGRAMS install-data \
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-includeHEADERS install-info \
+	install-info-am install-libLTLIBRARIES install-man \
+	install-man3 install-man5 install-nobase_includeHEADERS \
+	install-nodist_gssapiHEADERS install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
 	maintainer-clean-generic mostlyclean mostlyclean-compile \
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-includeHEADERS \
-	uninstall-info-am uninstall-libLTLIBRARIES uninstall-man \
-	uninstall-man3
+	tags uninstall uninstall-am uninstall-binPROGRAMS \
+	uninstall-hook uninstall-includeHEADERS \
+	uninstall-libLTLIBRARIES uninstall-man uninstall-man3 \
+	uninstall-man5 uninstall-nobase_includeHEADERS \
+	uninstall-nodist_gssapiHEADERS
 
 
 install-suid-programs:
@@ -766,8 +1765,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -777,19 +1776,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -805,7 +1816,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -875,20 +1886,75 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
 
-#noinst_PROGRAMS = test_acquire_cred
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
+$(srcdir)/ntlm/ntlm-private.h:
+	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p ntlm/ntlm-private.h $(ntlmsrc) || rm -f ntlm/ntlm-private.h
+
+$(libgssapi_la_OBJECTS): $(srcdir)/krb5/gsskrb5-private.h
+$(libgssapi_la_OBJECTS): $(srcdir)/spnego/spnego-private.h
+$(libgssapi_la_OBJECTS): $(srcdir)/ntlm/ntlm-private.h
+
+$(libgssapi_la_OBJECTS): $(srcdir)/version-script.map
+
+$(spnego_files) spnego_asn1.h: spnego_asn1_files
+$(gssapi_files) gssapi_asn1.h: gssapi_asn1_files
+
+spnego_asn1_files: ../asn1/asn1_compile$(EXEEXT) $(srcdir)/spnego/spnego.asn1
+	../asn1/asn1_compile$(EXEEXT) --sequence=MechTypeList $(srcdir)/spnego/spnego.asn1 spnego_asn1
+
+gssapi_asn1_files: ../asn1/asn1_compile$(EXEEXT) $(srcdir)/mech/gssapi.asn1
+	../asn1/asn1_compile$(EXEEXT) $(srcdir)/mech/gssapi.asn1 gssapi_asn1
+
+$(srcdir)/krb5/gsskrb5-private.h:
+	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p krb5/gsskrb5-private.h $(krb5src) || rm -f krb5/gsskrb5-private.h
+
+$(srcdir)/spnego/spnego-private.h:
+	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p spnego/spnego-private.h $(spnegosrc) || rm -f spnego/spnego-private.h
+
+gss-commands.c gss-commands.h: gss-commands.in
+	$(SLC) $(srcdir)/gss-commands.in
+
+$(gss_OBJECTS): gss-commands.h
+
+# to help stupid solaris make
 
-#test_acquire_cred_SOURCES = test_acquire_cred.c
+$(libgssapi_la_OBJECTS): gkrb5_err.h gssapi_asn1.h spnego_asn1.h
 
-#test_acquire_cred_LDADD = libgssapi.la
+gkrb5_err.h gkrb5_err.c: $(srcdir)/krb5/gkrb5_err.et
+	$(COMPILE_ET) $(srcdir)/krb5/gkrb5_err.et
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/lib/gssapi/gss-commands.in b/crypto/heimdal/lib/gssapi/gss-commands.in
new file mode 100644
index 0000000..2204f2a
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/gss-commands.in
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+/* $Id: gss-commands.in 17870 2006-07-22 14:48:58Z lha $ */
+
+command = {
+	name = "supported-mechanisms"
+	help = "Print the supported mechanisms"
+}
+command = {
+	name = "help"
+	name = "?"
+	argument = "[command]"
+	min_args = "0"
+	max_args = "1"
+	help = "Help! I need somebody."
+}
diff --git a/crypto/heimdal/lib/gssapi/gss.c b/crypto/heimdal/lib/gssapi/gss.c
new file mode 100644
index 0000000..739e830
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/gss.c
@@ -0,0 +1,205 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <gssapi.h>
+#include <err.h>
+#include <roken.h>
+#include <getarg.h>
+#include <rtbl.h>
+#include <gss-commands.h>
+#include <krb5.h>
+
+RCSID("$Id: gss.c 19922 2007-01-16 09:32:03Z lha $");
+
+static int version_flag = 0;
+static int help_flag	= 0;
+
+static struct getargs args[] = {
+    {"version",	0,	arg_flag,	&version_flag, "print version", NULL },
+    {"help",	0,	arg_flag,	&help_flag,  NULL, NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args, sizeof(args)/sizeof(*args),
+		    NULL, "service@host");
+    exit (ret);
+}
+
+#define COL_OID		"OID"
+#define COL_NAME	"Name"
+
+int
+supported_mechanisms(void *argptr, int argc, char **argv)
+{
+    OM_uint32 maj_stat, min_stat;
+    gss_OID_set mechs;
+    rtbl_t ct;
+    size_t i;
+
+    maj_stat = gss_indicate_mechs(&min_stat, &mechs);
+    if (maj_stat != GSS_S_COMPLETE)
+	errx(1, "gss_indicate_mechs failed");
+
+    printf("Supported mechanisms:\n");
+
+    ct = rtbl_create();
+    if (ct == NULL)
+	errx(1, "rtbl_create");
+
+    rtbl_set_separator(ct, "  ");
+    rtbl_add_column(ct, COL_OID, 0);
+    rtbl_add_column(ct, COL_NAME, 0);
+
+    for (i = 0; i < mechs->count; i++) {
+	gss_buffer_desc name;
+
+	maj_stat = gss_oid_to_str(&min_stat, &mechs->elements[i], &name);
+	if (maj_stat != GSS_S_COMPLETE)
+	    errx(1, "gss_oid_to_str failed");
+
+	rtbl_add_column_entryv(ct, COL_OID, "%.*s",
+			       (int)name.length, (char *)name.value);
+	gss_release_buffer(&min_stat, &name);
+
+	if (gss_oid_equal(&mechs->elements[i], GSS_KRB5_MECHANISM))
+	    rtbl_add_column_entry(ct, COL_NAME, "Kerberos 5");
+	else if (gss_oid_equal(&mechs->elements[i], GSS_SPNEGO_MECHANISM))
+	    rtbl_add_column_entry(ct, COL_NAME, "SPNEGO");
+	else if (gss_oid_equal(&mechs->elements[i], GSS_NTLM_MECHANISM))
+	    rtbl_add_column_entry(ct, COL_NAME, "NTLM");
+    }
+    gss_release_oid_set(&min_stat, &mechs);
+
+    rtbl_format(ct, stdout);
+    rtbl_destroy(ct);
+
+    return 0;
+}
+
+#if 0
+/*
+ *
+ */
+
+#define DOVEDOT_MAJOR_VERSION 1
+#define DOVEDOT_MINOR_VERSION 0
+
+/*
+	S: MECH mech mech-parameters
+	S: MECH mech mech-parameters
+	S: VERSION major minor
+	S: CPID pid
+	S: CUID pid
+	S: ...
+	S: DONE
+	C: VERSION major minor
+	C: CPID pid
+
+	C: AUTH id method service= resp=
+	C: CONT id message
+
+	S: OK id user=
+	S: FAIL id reason=
+	S: CONTINUE id message
+*/
+
+int
+dovecot_server(void *argptr, int argc, char **argv)
+{
+    krb5_storage *sp;
+    int fd = 0;
+
+    sp = krb5_storage_from_fd(fd);
+    if (sp == NULL)
+	errx(1, "krb5_storage_from_fd");
+
+    krb5_store_stringnl(sp, "MECH\tGSSAPI");
+    krb5_store_stringnl(sp, "VERSION\t1\t0");
+    krb5_store_stringnl(sp, "DONE");
+
+    while (1) {
+	char *cmd;
+	if (krb5_ret_stringnl(sp, &cmd) != 0)
+	    break;
+	printf("cmd: %s\n", cmd);
+	free(cmd);
+    }
+    return 0;
+}
+#endif
+
+/*
+ *
+ */
+
+int
+help(void *opt, int argc, char **argv)
+{
+    sl_slc_help(commands, argc, argv);
+    return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+    int optidx = 0;
+
+    setprogname(argv[0]);
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optidx;
+    argv += optidx;
+
+    if (argc == 0) {
+	help(NULL, argc, argv);
+	return 1;
+    }
+
+    return sl_command (commands, argc, argv);
+}
diff --git a/crypto/heimdal/lib/gssapi/gss_acquire_cred.3 b/crypto/heimdal/lib/gssapi/gss_acquire_cred.3
index 1d8c0a0..d2a04d9 100644
--- a/crypto/heimdal/lib/gssapi/gss_acquire_cred.3
+++ b/crypto/heimdal/lib/gssapi/gss_acquire_cred.3
@@ -1,37 +1,37 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
-.\" 
-.\" $Id: gss_acquire_cred.3,v 1.8.2.1 2003/04/28 13:41:42 lha Exp $
-.\" 
-.Dd April  2, 2003
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: gss_acquire_cred.3 20235 2007-02-16 11:19:03Z lha $
+.\"
+.Dd October 26, 2005
 .Dt GSS_ACQUIRE_CRED 3
 .Os HEIMDAL
 .Sh NAME
@@ -59,8 +59,14 @@
 .Nm gss_inquire_cred_by_mech ,
 .Nm gss_inquire_mechs_for_name ,
 .Nm gss_inquire_names_for_mech ,
-.Nm gss_krb5_copy_ccache ,
+.Nm gss_krb5_ccache_name ,
 .Nm gss_krb5_compat_des3_mic ,
+.Nm gss_krb5_copy_ccache ,
+.Nm gss_krb5_import_cred
+.Nm gsskrb5_extract_authz_data_from_sec_context ,
+.Nm gsskrb5_register_acceptor_identity ,
+.Nm gss_krb5_import_ccache ,
+.Nm gss_krb5_get_tkt_flags ,
 .Nm gss_process_context_token ,
 .Nm gss_release_buffer ,
 .Nm gss_release_cred ,
@@ -107,7 +113,20 @@ GSS-API library (libgssapi, -lgssapi)
 .Fa "gss_OID_set * actual_mechs"
 .Fa "OM_uint32 * time_rec"
 .Fc
-.\" .Fn gss_add_cred
+.Ft OM_uint32
+.Fo gss_add_cred
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_cred_id_t input_cred_handle"
+.Fa "const gss_name_t desired_name"
+.Fa "const gss_OID desired_mech"
+.Fa "gss_cred_usage_t cred_usage"
+.Fa "OM_uint32 initiator_time_req"
+.Fa "OM_uint32 acceptor_time_req"
+.Fa "gss_cred_id_t *output_cred_handle"
+.Fa "gss_OID_set *actual_mechs"
+.Fa "OM_uint32 *initiator_time_rec"
+.Fa "OM_uint32 *acceptor_time_rec"
+.Fc
 .Ft OM_uint32
 .Fo gss_add_oid_set_member
 .Fa "OM_uint32 * minor_status"
@@ -169,7 +188,7 @@ GSS-API library (libgssapi, -lgssapi)
 .Fc
 .Ft OM_uint32
 .Fo gss_export_name
-.Fa "OM_uint32  * minor_status"
+.Fa "OM_uint32 * minor_status"
 .Fa "const gss_name_t input_name"
 .Fa "gss_buffer_t exported_name"
 .Fc
@@ -189,7 +208,7 @@ GSS-API library (libgssapi, -lgssapi)
 .Fc
 .Ft OM_uint32
 .Fo gss_import_name
-.Fa "OM_uint32 * minor_status,
+.Fa "OM_uint32 * minor_status"
 .Fa "const gss_buffer_t input_name_buffer"
 .Fa "const gss_OID input_name_type"
 .Fa "gss_name_t * output_name"
@@ -244,12 +263,31 @@ GSS-API library (libgssapi, -lgssapi)
 .Fc
 .Ft OM_uint32
 .Fo gss_inquire_cred_by_mech
+.Fa "OM_uint32 * minor_status"
+.Fa "const gss_cred_id_t cred_handle"
+.Fa "const gss_OID mech_type"
+.Fa "gss_name_t * name"
+.Fa "OM_uint32 * initiator_lifetime"
+.Fa "OM_uint32 * acceptor_lifetime"
+.Fa "gss_cred_usage_t * cred_usage"
 .Fc
 .Ft OM_uint32
 .Fo gss_inquire_mechs_for_name
+.Fa "OM_uint32 * minor_status"
+.Fa "const gss_name_t input_name"
+.Fa "gss_OID_set * mech_types"
 .Fc
 .Ft OM_uint32
 .Fo gss_inquire_names_for_mech
+.Fa "OM_uint32 * minor_status"
+.Fa "const gss_OID mechanism"
+.Fa "gss_OID_set * name_types"
+.Fc
+.Ft OM_uint32
+.Fo gss_krb5_ccache_name
+.Fa "OM_uint32 *minor"
+.Fa "const char *name"
+.Fa "const char **old_name"
 .Fc
 .Ft OM_uint32
 .Fo gss_krb5_copy_ccache
@@ -258,13 +296,48 @@ GSS-API library (libgssapi, -lgssapi)
 .Fa "krb5_ccache out"
 .Fc
 .Ft OM_uint32
+.Fo gss_krb5_import_cred
+.Fa "OM_uint32 *minor_status"
+.Fa "krb5_ccache id"
+.Fa "krb5_principal keytab_principal"
+.Fa "krb5_keytab keytab"
+.Fa "gss_cred_id_t *cred"
+.Fc
+.Ft OM_uint32
 .Fo gss_krb5_compat_des3_mic
 .Fa "OM_uint32 * minor_status"
 .Fa "gss_ctx_id_t context_handle"
 .Fa "int onoff"
-.Fc 
+.Fc
+.Ft OM_uint32
+.Fo gsskrb5_extract_authz_data_from_sec_context
+.Fa "OM_uint32 *minor_status"
+.Fa "gss_ctx_id_t context_handle"
+.Fa "int ad_type"
+.Fa "gss_buffer_t ad_data"
+.Fc
+.Ft OM_uint32
+.Fo gsskrb5_register_acceptor_identity
+.Fa "const char *identity"
+.Fc
+.Ft OM_uint32
+.Fo gss_krb5_import_cache
+.Fa "OM_uint32 *minor"
+.Fa "krb5_ccache id"
+.Fa "krb5_keytab keytab"
+.Fa "gss_cred_id_t *cred"
+.Fc
+.Ft OM_uint32
+.Fo gss_krb5_get_tkt_flags
+.Fa "OM_uint32 *minor_status"
+.Fa "gss_ctx_id_t context_handle"
+.Fa "OM_uint32 *tkt_flags"
+.Fc
 .Ft OM_uint32
 .Fo gss_process_context_token
+.Fa "OM_uint32 * minor_status"
+.Fa "const gss_ctx_id_t context_handle"
+.Fa "const gss_buffer_t token_buffer"
 .Fc
 .Ft OM_uint32
 .Fo gss_release_buffer
@@ -281,7 +354,7 @@ GSS-API library (libgssapi, -lgssapi)
 .Fa "OM_uint32 * minor_status"
 .Fa "gss_name_t * input_name"
 .Fc
-.Ft
+.Ft OM_uint32
 .Fo gss_release_oid_set
 .Fa "OM_uint32 * minor_status"
 .Fa "gss_OID_set * set"
@@ -345,7 +418,7 @@ GSS-API library (libgssapi, -lgssapi)
 .Fa "const gss_buffer_t token_buffer"
 .Fa "gss_qop_t * qop_state"
 .Fc
-.Ft
+.Ft OM_uint32
 .Fo gss_wrap
 .Fa "OM_uint32 * minor_status"
 .Fa "const gss_ctx_id_t context_handle"
@@ -377,10 +450,12 @@ Heimdals GSS-API implementation supports the following mechanisms
 .Bl -bullet
 .It
 .Li GSS_KRB5_MECHANISM
+.It
+.Li GSS_SPNEGO_MECHANISM
 .El
 .Pp
 GSS-API have generic name types that all mechanism are supposed to
-implement (if possible)
+implement (if possible):
 .Bl -bullet
 .It
 .Li GSS_C_NT_USER_NAME
@@ -397,7 +472,7 @@ implement (if possible)
 .El
 .Pp
 GSS-API implementations that supports Kerberos 5 have some additional
-name types
+name types:
 .Bl -bullet
 .It
 .Li GSS_KRB5_NT_PRINCIPAL_NAME
@@ -409,10 +484,86 @@ name types
 .Li GSS_KRB5_NT_STRING_UID_NAME
 .El
 .Pp
+In GSS-API, names have two forms, internal names and contiguous string
+names.
+.Bl -bullet
+.It
+.Li Internal name and mechanism name
+.Pp
+Internal names are implementation specific representation of
+a GSS-API name.
+.Li Mechanism names
+special form of internal names corresponds to one and only one mechanism.
+.Pp
+In GSS-API an internal name is stored in a
+.Dv gss_name_t .
+.It
+.Li Contiguous string name and exported name
+.Pp
+Contiguous string names are gssapi names stored in a
+.Dv OCTET STRING
+that together with a name type identifier (OID) uniquely specifies a
+gss-name.
+A special form of the contiguous string name is the exported name that
+have a OID embedded in the string to make it unique.
+Exported name have the nametype
+.Dv GSS_C_NT_EXPORT_NAME .
+.Pp
+In GSS-API an contiguous string name is stored in a
+.Dv gss_buffer_t .
+.Pp
+Exported names also have the property that they are specified by the
+mechanism itself and compatible between diffrent GSS-API
+implementations.
+.El
+.Sh ACCESS CONTROL
+There are two ways of comparing GSS-API names, either comparing two
+internal names with each other or two contiguous string names with
+either other.
+.Pp
+To compare two internal names with each other, import (if needed) the
+names with
+.Fn gss_import_name
+into the GSS-API implementation and the compare the imported name with
+.Fn gss_compare_name .
+.Pp
+Importing names can be slow, so when its possible to store exported
+names in the access control list, comparing contiguous string name
+might be better.
+.Pp
+when comparing contiguous string name, first export them into a
+.Dv GSS_C_NT_EXPORT_NAME
+name with
+.Fn gss_export_name
+and then compare with
+.Xr memcmp 3 .
+.Pp
+Note that there are might be a difference between the two methods of
+comparing names.
+The first (using
+.Fn gss_compare_name )
+will compare to (unauthenticated) names are the same.
+The second will compare if a mechanism will authenticate them as the
+same principal.
+.Pp
+For example, if
+.Fn gss_import_name
+name was used with
+.Dv GSS_C_NO_OID
+the default syntax is used for all mechanism the GSS-API
+implementation supports.
+When compare the imported name of
+.Dv GSS_C_NO_OID
+it may match serveral mechanism names (MN).
+.Pp
+The resulting name from
+.Fn gss_display_name
+must not be used for acccess control.
+.Sh FUNCTIONS
 .Fn gss_display_name
 takes the gss name in
 .Fa input_name
-and put a printable form in
+and puts a printable form in
 .Fa output_name_buffer .
 .Fa output_name_buffer
 should be freed when done using
@@ -422,31 +573,103 @@ can either be
 .Dv NULL
 or a pointer to a
 .Li gss_OID
-and will in the later case contain the OID type of the name.
-The name should only be used for printing.
-Access control should be done with the result of
-.Fn gss_export_name .
+and will in the latter case contain the OID type of the name.
+The name must only be used for printing.
+If access control is needed, see section
+.Sx ACCESS CONTROL .
+.Pp
+.Fn gss_inquire_context
+returns information about the context.
+Information is available even after the context have expired.
+.Fa lifetime_rec
+argument is set to
+.Dv GSS_C_INDEFINITE
+(dont expire) or the number of seconds that the context is still valid.
+A value of 0 means that the context is expired.
+.Fa mech_type
+argument should be considered readonly and must not be released.
+.Fa src_name
+and
+.Fn dest_name
+are both mechanims names and must be released with
+.Fn gss_release_name
+when no longer used.
+.Pp
+.Nm gss_context_time
+will return the amount of time (in seconds) of the context is still
+valid.
+If its expired
+.Fa time_rec
+will be set to 0 and
+.Dv GSS_S_CONTEXT_EXPIRED
+returned.
 .Pp
 .Fn gss_sign ,
 .Fn gss_verify ,
 .Fn gss_seal ,
 and
 .Fn gss_unseal
-are part of the GSS-API V1 interface and are obsolete. The functions
-should not be used for new applications.
+are part of the GSS-API V1 interface and are obsolete.
+The functions should not be used for new applications.
 They are provided so that version 1 applications can link against the
 library.
+.Sh EXTENSIONS
+.Fn gss_krb5_ccache_name
+sets the internal kerberos 5 credential cache name to
+.Fa name .
+The old name is returned in
+.Fa old_name ,
+and must not be freed.
+The data allocated for
+.Fa old_name
+is free upon next call to
+.Fn gss_krb5_ccache_name .
+This function is not threadsafe if
+.Fa old_name
+argument is used.
 .Pp
 .Fn gss_krb5_copy_ccache
-is an extension to the GSS-API API.
-The function will extract the krb5 credential that are transfered from
-the initiator to the acceptor when using token delegation in the
-Kerberos mechanism.
+will extract the krb5 credentials that are transferred from the
+initiator to the acceptor when using token delegation in the Kerberos
+mechanism.
 The acceptor receives the delegated token in the last argument to
 .Fn gss_accept_sec_context .
 .Pp
-.Nm gss_krb5_compat_des3_mic
-turns on or off the compatibly with older version of Heimdal using
+.Fn gss_krb5_import_cred
+will import the krb5 credentials (both keytab and/or credential cache)
+into gss credential so it can be used withing GSS-API.
+The
+.Fa ccache
+is copied by reference and thus shared, so if the credential is destroyed
+with
+.Fa krb5_cc_destroy ,
+all users of thep
+.Fa gss_cred_id_t
+returned by
+.Fn gss_krb5_import_ccache
+will fail.
+.Pp
+.Fn gsskrb5_register_acceptor_identity
+sets the Kerberos 5 filebased keytab that the acceptor will use.  The
+.Fa identifier
+is the file name.
+.Pp
+.Fn gsskrb5_extract_authz_data_from_sec_context
+extracts the Kerberos authorizationdata that may be stored within the
+context.
+Tha caller must free the returned buffer
+.Fa ad_data
+with
+.Fn gss_release_buffer
+upon success.
+.Pp
+.Fn gss_krb5_get_tkt_flags
+return the ticket flags for the kerberos ticket receive when
+authenticating the initiator.
+Only valid on the acceptor context.
+.Pp
+.Fn gss_krb5_compat_des3_mic
+turns on or off the compatibility with older version of Heimdal using
 des3 get and verify mic, this is way to programmatically set the
 [gssapi]broken_des3_mic and [gssapi]correct_des3_mic flags (see
 COMPATIBILITY section in
@@ -454,12 +677,12 @@ COMPATIBILITY section in
 If the CPP symbol
 .Dv GSS_C_KRB5_COMPAT_DES3_MIC
 is present,
-.Nm gss_krb5_compat_des3_mic
+.Fn gss_krb5_compat_des3_mic
 exists.
-.Nm gss_krb5_compat_des3_mic
+.Fn gss_krb5_compat_des3_mic
 will be removed in a later version of the GSS-API library.
 .Sh SEE ALSO
+.Xr gssapi 3 ,
 .Xr krb5 3 ,
 .Xr krb5_ccache 3 ,
-.Xr gssapi 3 ,
 .Xr kerberos 8
diff --git a/crypto/heimdal/lib/gssapi/gssapi.3 b/crypto/heimdal/lib/gssapi/gssapi.3
index ff30042..0241ee7 100644
--- a/crypto/heimdal/lib/gssapi/gssapi.3
+++ b/crypto/heimdal/lib/gssapi/gssapi.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan
 .\" (Royal Institute of Technology, Stockholm, Sweden). 
 .\" All rights reserved. 
 .\"
@@ -29,9 +29,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 .\" SUCH DAMAGE. 
 .\" 
-.\" $Id: gssapi.3,v 1.5.2.2 2003/04/30 09:56:26 lha Exp $
+.\" $Id: gssapi.3 22071 2007-11-14 20:04:50Z lha $
 .\"
-.Dd January 23, 2003
+.Dd April 20, 2005
 .Dt GSSAPI 3
 .Os
 .Sh NAME
@@ -45,6 +45,9 @@ provides security services to callers in a generic fashion,
 supportable with a range of underlying mechanisms and technologies and
 hence allowing source-level portability of applications to different
 environments.
+.Pp
+The GSS-API implementation in Heimdal implements the Kerberos 5 and
+the SPNEGO GSS-API security mechanisms.
 .Sh LIST OF FUNCTIONS
 These functions constitute the gssapi library,
 .Em libgssapi .
@@ -80,7 +83,11 @@ gss_inquire_cred.3
 gss_inquire_cred_by_mech.3
 gss_inquire_mechs_for_name.3
 gss_inquire_names_for_mech.3
+gss_krb5_ccache_name.3
+gss_krb5_compat_des3_mic.3
 gss_krb5_copy_ccache.3
+gss_krb5_extract_authz_data_from_sec_context.3
+gss_krb5_import_ccache.3
 gss_process_context_token.3
 gss_release_buffer.3
 gss_release_cred.3
@@ -106,15 +113,15 @@ implementations when using
 .Fn gss_get_mic
 /
 .Fn gss_verify_mic .
-Its possible to modify the behavior of the generator of the MIC with
+It is possible to modify the behavior of the generator of the MIC with
 the
 .Pa krb5.conf
 configuration file so that old clients/servers will still
 work.
 .Pp
 New clients/servers will try both the old and new MIC in Heimdal 0.6.
-In 0.7 it will check only if configured and the compatibility code
-will be removed in 0.8.
+In 0.7 it will check only if configured - the compatibility code will
+be removed in 0.8.
 .Pp
 Heimdal 0.6 still generates by default the broken GSS-API DES3 mic,
 this will change in 0.7 to generate correct des3 mic.
@@ -135,17 +142,29 @@ If a match for a entry is in both
 .Ar correct_des3_mic
 and
 .Nm [gssapi]
-.Ar correct_des3_mic ,
+.Ar broken_des3_mic ,
 the later will override.
 .Pp
 This config option modifies behaviour for both clients and servers.
 .Pp
-Example:
+Microsoft implemented SPNEGO to Windows2000, however, they manage to
+get it wrong, their implementation didn't fill in the MechListMIC in
+the reply token with the right content.
+There is a work around for this problem, but not all implementation
+support it.
+.Pp
+Heimdal defaults to correct SPNEGO when the the kerberos
+implementation uses CFX, or when it is configured by the user.
+To turn on compatibility with peers, use option
+.Nm [gssapi]
+.Ar require_mechlist_mic .
+.Sh EXAMPLES
 .Bd -literal -offset indent
 [gssapi]
 	broken_des3_mic = cvs/*@SU.SE
 	broken_des3_mic = host/*@E.KTH.SE
 	correct_des3_mic = host/*@SU.SE
+	require_mechlist_mic = host/*@SU.SE
 .Ed
 .Sh BUGS
 All of 0.5.x versions of
diff --git a/crypto/heimdal/lib/gssapi/gssapi.h b/crypto/heimdal/lib/gssapi/gssapi.h
index 12ac426..ae0274f 100644
--- a/crypto/heimdal/lib/gssapi/gssapi.h
+++ b/crypto/heimdal/lib/gssapi/gssapi.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,758 +31,11 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: gssapi.h,v 1.26.2.2 2003/05/07 11:12:21 lha Exp $ */
+/* $Id: gssapi.h 18332 2006-10-07 20:57:15Z lha $ */
 
 #ifndef GSSAPI_H_
 #define GSSAPI_H_
 
-/*
- * First, include stddef.h to get size_t defined.
- */
-#include <stddef.h>
-
-#include <krb5-types.h>
-
-/*
- * Now define the three implementation-dependent types.
- */
-
-typedef u_int32_t OM_uint32;
-
-typedef u_int32_t gss_uint32;
-
-/*
- * This is to avoid having to include <krb5.h>
- */
-
-struct krb5_auth_context_data;
-
-struct Principal;
-
-/* typedef void *gss_name_t; */
-
-typedef struct Principal *gss_name_t;
-
-typedef struct gss_ctx_id_t_desc_struct {
-  struct krb5_auth_context_data *auth_context;
-  gss_name_t source, target;
-  OM_uint32 flags;
-  enum { LOCAL = 1, OPEN = 2, 
-	 COMPAT_OLD_DES3 = 4, COMPAT_OLD_DES3_SELECTED = 8 } more_flags;
-  struct krb5_ticket *ticket;
-  time_t lifetime;
-} gss_ctx_id_t_desc;
-
-typedef gss_ctx_id_t_desc *gss_ctx_id_t;
-
-typedef struct gss_OID_desc_struct {
-      OM_uint32 length;
-      void      *elements;
-} gss_OID_desc, *gss_OID;
-
-typedef struct gss_OID_set_desc_struct  {
-      size_t     count;
-      gss_OID    elements;
-} gss_OID_set_desc, *gss_OID_set;
-
-struct krb5_keytab_data;
-
-struct krb5_ccache_data;
-
-typedef int gss_cred_usage_t;
-
-typedef struct gss_cred_id_t_desc_struct {
-  gss_name_t principal;
-  struct krb5_keytab_data *keytab;
-  OM_uint32 lifetime;
-  gss_cred_usage_t usage;
-  gss_OID_set mechanisms;
-  struct krb5_ccache_data *ccache;
-} gss_cred_id_t_desc;
-
-typedef gss_cred_id_t_desc *gss_cred_id_t;
-
-typedef struct gss_buffer_desc_struct {
-      size_t length;
-      void *value;
-} gss_buffer_desc, *gss_buffer_t;
-
-typedef struct gss_channel_bindings_struct {
-      OM_uint32 initiator_addrtype;
-      gss_buffer_desc initiator_address;
-      OM_uint32 acceptor_addrtype;
-      gss_buffer_desc acceptor_address;
-      gss_buffer_desc application_data;
-} *gss_channel_bindings_t;
-
-/*
- * For now, define a QOP-type as an OM_uint32
- */
-typedef OM_uint32 gss_qop_t;
-
-/*
- * Flag bits for context-level services.
- */
-#define GSS_C_DELEG_FLAG 1
-#define GSS_C_MUTUAL_FLAG 2
-#define GSS_C_REPLAY_FLAG 4
-#define GSS_C_SEQUENCE_FLAG 8
-#define GSS_C_CONF_FLAG 16
-#define GSS_C_INTEG_FLAG 32
-#define GSS_C_ANON_FLAG 64
-#define GSS_C_PROT_READY_FLAG 128
-#define GSS_C_TRANS_FLAG 256
-
-/*
- * Credential usage options
- */
-#define GSS_C_BOTH 0
-#define GSS_C_INITIATE 1
-#define GSS_C_ACCEPT 2
-
-/*
- * Status code types for gss_display_status
- */
-#define GSS_C_GSS_CODE 1
-#define GSS_C_MECH_CODE 2
-
-/*
- * The constant definitions for channel-bindings address families
- */
-#define GSS_C_AF_UNSPEC     0
-#define GSS_C_AF_LOCAL      1
-#define GSS_C_AF_INET       2
-#define GSS_C_AF_IMPLINK    3
-#define GSS_C_AF_PUP        4
-#define GSS_C_AF_CHAOS      5
-#define GSS_C_AF_NS         6
-#define GSS_C_AF_NBS        7
-#define GSS_C_AF_ECMA       8
-#define GSS_C_AF_DATAKIT    9
-#define GSS_C_AF_CCITT      10
-#define GSS_C_AF_SNA        11
-#define GSS_C_AF_DECnet     12
-#define GSS_C_AF_DLI        13
-#define GSS_C_AF_LAT        14
-#define GSS_C_AF_HYLINK     15
-#define GSS_C_AF_APPLETALK  16
-#define GSS_C_AF_BSC        17
-#define GSS_C_AF_DSS        18
-#define GSS_C_AF_OSI        19
-#define GSS_C_AF_X25        21
-#define GSS_C_AF_INET6	    24
-
-#define GSS_C_AF_NULLADDR   255
+#include <gssapi/gssapi.h>
 
-/*
- * Various Null values
- */
-#define GSS_C_NO_NAME ((gss_name_t) 0)
-#define GSS_C_NO_BUFFER ((gss_buffer_t) 0)
-#define GSS_C_NO_OID ((gss_OID) 0)
-#define GSS_C_NO_OID_SET ((gss_OID_set) 0)
-#define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0)
-#define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0)
-#define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0)
-#define GSS_C_EMPTY_BUFFER {0, NULL}
-
-/*
- * Some alternate names for a couple of the above
- * values.  These are defined for V1 compatibility.
- */
-#define GSS_C_NULL_OID GSS_C_NO_OID
-#define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET
-
-/*
- * Define the default Quality of Protection for per-message
- * services.  Note that an implementation that offers multiple
- * levels of QOP may define GSS_C_QOP_DEFAULT to be either zero
- * (as done here) to mean "default protection", or to a specific
- * explicit QOP value.  However, a value of 0 should always be
- * interpreted by a GSSAPI implementation as a request for the
- * default protection level.
- */
-#define GSS_C_QOP_DEFAULT 0
-
-#define GSS_KRB5_CONF_C_QOP_DES		0x0100
-#define GSS_KRB5_CONF_C_QOP_DES3_KD	0x0200
-
-/*
- * Expiration time of 2^32-1 seconds means infinite lifetime for a
- * credential or security context
- */
-#define GSS_C_INDEFINITE 0xfffffffful
-
-#ifdef __cplusplus
-extern "C" {
 #endif
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- *              "\x01\x02\x01\x01"},
- * corresponding to an object-identifier value of
- * {iso(1) member-body(2) United States(840) mit(113554)
- *  infosys(1) gssapi(2) generic(1) user_name(1)}.  The constant
- * GSS_C_NT_USER_NAME should be initialized to point
- * to that gss_OID_desc.
- */
-extern gss_OID GSS_C_NT_USER_NAME;
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- *              "\x01\x02\x01\x02"},
- * corresponding to an object-identifier value of
- * {iso(1) member-body(2) United States(840) mit(113554)
- *  infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
- * The constant GSS_C_NT_MACHINE_UID_NAME should be
- * initialized to point to that gss_OID_desc.
- */
-extern gss_OID GSS_C_NT_MACHINE_UID_NAME;
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- *              "\x01\x02\x01\x03"},
- * corresponding to an object-identifier value of
- * {iso(1) member-body(2) United States(840) mit(113554)
- *  infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
- * The constant GSS_C_NT_STRING_UID_NAME should be
- * initialized to point to that gss_OID_desc.
- */
-extern gss_OID GSS_C_NT_STRING_UID_NAME;
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
- * corresponding to an object-identifier value of
- * {iso(1) org(3) dod(6) internet(1) security(5)
- * nametypes(6) gss-host-based-services(2)).  The constant
- * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point
- * to that gss_OID_desc.  This is a deprecated OID value, and
- * implementations wishing to support hostbased-service names
- * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID,
- * defined below, to identify such names;
- * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym
- * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input
- * parameter, but should not be emitted by GSS-API
- * implementations
- */
-extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X;
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
- *              "\x01\x02\x01\x04"}, corresponding to an
- * object-identifier value of {iso(1) member-body(2)
- * Unites States(840) mit(113554) infosys(1) gssapi(2)
- * generic(1) service_name(4)}.  The constant
- * GSS_C_NT_HOSTBASED_SERVICE should be initialized
- * to point to that gss_OID_desc.
- */
-extern gss_OID GSS_C_NT_HOSTBASED_SERVICE;
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {6, (void *)"\x2b\x06\01\x05\x06\x03"},
- * corresponding to an object identifier value of
- * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
- * 6(nametypes), 3(gss-anonymous-name)}.  The constant
- * and GSS_C_NT_ANONYMOUS should be initialized to point
- * to that gss_OID_desc.
- */
-extern gss_OID GSS_C_NT_ANONYMOUS;
-
-/*
- * The implementation must reserve static storage for a
- * gss_OID_desc object containing the value
- * {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
- * corresponding to an object-identifier value of
- * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
- * 6(nametypes), 4(gss-api-exported-name)}.  The constant
- * GSS_C_NT_EXPORT_NAME should be initialized to point
- * to that gss_OID_desc.
- */
-extern gss_OID GSS_C_NT_EXPORT_NAME;
-
-/*
- * This if for kerberos5 names.
- */
-
-extern gss_OID GSS_KRB5_NT_PRINCIPAL_NAME;
-extern gss_OID GSS_KRB5_NT_USER_NAME;
-extern gss_OID GSS_KRB5_NT_MACHINE_UID_NAME;
-extern gss_OID GSS_KRB5_NT_STRING_UID_NAME;
-
-extern gss_OID GSS_KRB5_MECHANISM;
-
-/* for compatibility with MIT api */
-
-#define gss_mech_krb5 GSS_KRB5_MECHANISM
-
-/* Major status codes */
-
-#define GSS_S_COMPLETE 0
-
-/*
- * Some "helper" definitions to make the status code macros obvious.
- */
-#define GSS_C_CALLING_ERROR_OFFSET 24
-#define GSS_C_ROUTINE_ERROR_OFFSET 16
-#define GSS_C_SUPPLEMENTARY_OFFSET 0
-#define GSS_C_CALLING_ERROR_MASK 0377ul
-#define GSS_C_ROUTINE_ERROR_MASK 0377ul
-#define GSS_C_SUPPLEMENTARY_MASK 0177777ul
-
-/*
- * The macros that test status codes for error conditions.
- * Note that the GSS_ERROR() macro has changed slightly from
- * the V1 GSSAPI so that it now evaluates its argument
- * only once.
- */
-#define GSS_CALLING_ERROR(x) \
-  (x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
-#define GSS_ROUTINE_ERROR(x) \
-  (x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))
-#define GSS_SUPPLEMENTARY_INFO(x) \
-  (x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET))
-#define GSS_ERROR(x) \
-  (x & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \
-        (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)))
-
-/*
- * Now the actual status code definitions
- */
-
-/*
- * Calling errors:
- */
-#define GSS_S_CALL_INACCESSIBLE_READ \
-                             (1ul << GSS_C_CALLING_ERROR_OFFSET)
-#define GSS_S_CALL_INACCESSIBLE_WRITE \
-                             (2ul << GSS_C_CALLING_ERROR_OFFSET)
-#define GSS_S_CALL_BAD_STRUCTURE \
-                             (3ul << GSS_C_CALLING_ERROR_OFFSET)
-
-/*
- * Routine errors:
- */
-#define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET)
-
-#define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_BAD_MIC GSS_S_BAD_SIG
-#define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_CONTEXT_EXPIRED (12ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_BAD_QOP (14ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_UNAUTHORIZED (15ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_UNAVAILABLE (16ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_DUPLICATE_ELEMENT (17ul << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_NAME_NOT_MN (18ul << GSS_C_ROUTINE_ERROR_OFFSET)
-
-/*
- * Supplementary info bits:
- */
-#define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0))
-#define GSS_S_DUPLICATE_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1))
-#define GSS_S_OLD_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2))
-#define GSS_S_UNSEQ_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3))
-#define GSS_S_GAP_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 4))
-
-/*
- * From RFC1964:
- *
- * 4.1.1. Non-Kerberos-specific codes
- */
-
-#define GSS_KRB5_S_G_BAD_SERVICE_NAME 1
-           /* "No @ in SERVICE-NAME name string" */
-#define GSS_KRB5_S_G_BAD_STRING_UID 2
-           /* "STRING-UID-NAME contains nondigits" */
-#define GSS_KRB5_S_G_NOUSER 3
-           /* "UID does not resolve to username" */
-#define GSS_KRB5_S_G_VALIDATE_FAILED 4
-           /* "Validation error" */
-#define GSS_KRB5_S_G_BUFFER_ALLOC 5
-           /* "Couldn't allocate gss_buffer_t data" */
-#define GSS_KRB5_S_G_BAD_MSG_CTX 6
-           /* "Message context invalid" */
-#define GSS_KRB5_S_G_WRONG_SIZE 7
-           /* "Buffer is the wrong size" */
-#define GSS_KRB5_S_G_BAD_USAGE 8
-           /* "Credential usage type is unknown" */
-#define GSS_KRB5_S_G_UNKNOWN_QOP 9
-           /* "Unknown quality of protection specified" */
-
-  /*
-   * 4.1.2. Kerberos-specific-codes
-   */
-
-#define GSS_KRB5_S_KG_CCACHE_NOMATCH 10
-           /* "Principal in credential cache does not match desired name" */
-#define GSS_KRB5_S_KG_KEYTAB_NOMATCH 11
-           /* "No principal in keytab matches desired name" */
-#define GSS_KRB5_S_KG_TGT_MISSING 12
-           /* "Credential cache has no TGT" */
-#define GSS_KRB5_S_KG_NO_SUBKEY 13
-           /* "Authenticator has no subkey" */
-#define GSS_KRB5_S_KG_CONTEXT_ESTABLISHED 14
-           /* "Context is already fully established" */
-#define GSS_KRB5_S_KG_BAD_SIGN_TYPE 15
-           /* "Unknown signature type in token" */
-#define GSS_KRB5_S_KG_BAD_LENGTH 16
-           /* "Invalid field length in token" */
-#define GSS_KRB5_S_KG_CTX_INCOMPLETE 17
-           /* "Attempt to use incomplete security context" */
-
-/*
- * Finally, function prototypes for the GSS-API routines.
- */
-
-OM_uint32 gss_acquire_cred
-           (OM_uint32 * /*minor_status*/,
-            const gss_name_t /*desired_name*/,
-            OM_uint32 /*time_req*/,
-            const gss_OID_set /*desired_mechs*/,
-            gss_cred_usage_t /*cred_usage*/,
-            gss_cred_id_t * /*output_cred_handle*/,
-            gss_OID_set * /*actual_mechs*/,
-            OM_uint32 * /*time_rec*/
-           );
-
-OM_uint32 gss_release_cred
-           (OM_uint32 * /*minor_status*/,
-            gss_cred_id_t * /*cred_handle*/
-           );
-
-OM_uint32 gss_init_sec_context
-           (OM_uint32 * /*minor_status*/,
-            const gss_cred_id_t /*initiator_cred_handle*/,
-            gss_ctx_id_t * /*context_handle*/,
-            const gss_name_t /*target_name*/,
-            const gss_OID /*mech_type*/,
-            OM_uint32 /*req_flags*/,
-            OM_uint32 /*time_req*/,
-            const gss_channel_bindings_t /*input_chan_bindings*/,
-            const gss_buffer_t /*input_token*/,
-            gss_OID * /*actual_mech_type*/,
-            gss_buffer_t /*output_token*/,
-            OM_uint32 * /*ret_flags*/,
-            OM_uint32 * /*time_rec*/
-           );
-
-OM_uint32 gss_accept_sec_context
-           (OM_uint32 * /*minor_status*/,
-            gss_ctx_id_t * /*context_handle*/,
-            const gss_cred_id_t /*acceptor_cred_handle*/,
-            const gss_buffer_t /*input_token_buffer*/,
-            const gss_channel_bindings_t /*input_chan_bindings*/,
-            gss_name_t * /*src_name*/,
-            gss_OID * /*mech_type*/,
-            gss_buffer_t /*output_token*/,
-            OM_uint32 * /*ret_flags*/,
-            OM_uint32 * /*time_rec*/,
-            gss_cred_id_t * /*delegated_cred_handle*/
-           );
-
-OM_uint32 gss_process_context_token
-           (OM_uint32 * /*minor_status*/,
-            const gss_ctx_id_t /*context_handle*/,
-            const gss_buffer_t /*token_buffer*/
-           );
-
-OM_uint32 gss_delete_sec_context
-           (OM_uint32 * /*minor_status*/,
-            gss_ctx_id_t * /*context_handle*/,
-            gss_buffer_t /*output_token*/
-           );
-
-OM_uint32 gss_context_time
-           (OM_uint32 * /*minor_status*/,
-            const gss_ctx_id_t /*context_handle*/,
-            OM_uint32 * /*time_rec*/
-           );
-
-OM_uint32 gss_get_mic
-           (OM_uint32 * /*minor_status*/,
-            const gss_ctx_id_t /*context_handle*/,
-            gss_qop_t /*qop_req*/,
-            const gss_buffer_t /*message_buffer*/,
-            gss_buffer_t /*message_token*/
-           );
-
-OM_uint32 gss_verify_mic
-           (OM_uint32 * /*minor_status*/,
-            const gss_ctx_id_t /*context_handle*/,
-            const gss_buffer_t /*message_buffer*/,
-            const gss_buffer_t /*token_buffer*/,
-            gss_qop_t * /*qop_state*/
-           );
-
-OM_uint32 gss_wrap
-           (OM_uint32 * /*minor_status*/,
-            const gss_ctx_id_t /*context_handle*/,
-            int /*conf_req_flag*/,
-            gss_qop_t /*qop_req*/,
-            const gss_buffer_t /*input_message_buffer*/,
-            int * /*conf_state*/,
-            gss_buffer_t /*output_message_buffer*/
-           );
-
-OM_uint32 gss_unwrap
-           (OM_uint32 * /*minor_status*/,
-            const gss_ctx_id_t /*context_handle*/,
-            const gss_buffer_t /*input_message_buffer*/,
-            gss_buffer_t /*output_message_buffer*/,
-            int * /*conf_state*/,
-            gss_qop_t * /*qop_state*/
-           );
-
-OM_uint32 gss_display_status
-           (OM_uint32 * /*minor_status*/,
-            OM_uint32 /*status_value*/,
-            int /*status_type*/,
-            const gss_OID /*mech_type*/,
-            OM_uint32 * /*message_context*/,
-            gss_buffer_t /*status_string*/
-           );
-
-OM_uint32 gss_indicate_mechs
-           (OM_uint32 * /*minor_status*/,
-            gss_OID_set * /*mech_set*/
-           );
-
-OM_uint32 gss_compare_name
-           (OM_uint32 * /*minor_status*/,
-            const gss_name_t /*name1*/,
-            const gss_name_t /*name2*/,
-            int * /*name_equal*/
-           );
-
-OM_uint32 gss_display_name
-           (OM_uint32 * /*minor_status*/,
-            const gss_name_t /*input_name*/,
-            gss_buffer_t /*output_name_buffer*/,
-            gss_OID * /*output_name_type*/
-           );
-
-OM_uint32 gss_import_name
-           (OM_uint32 * /*minor_status*/,
-            const gss_buffer_t /*input_name_buffer*/,
-            const gss_OID /*input_name_type*/,
-            gss_name_t * /*output_name*/
-           );
-
-OM_uint32 gss_export_name
-           (OM_uint32  * /*minor_status*/,
-            const gss_name_t /*input_name*/,
-            gss_buffer_t /*exported_name*/
-           );
-
-OM_uint32 gss_release_name
-           (OM_uint32 * /*minor_status*/,
-            gss_name_t * /*input_name*/
-           );
-
-OM_uint32 gss_release_buffer
-           (OM_uint32 * /*minor_status*/,
-            gss_buffer_t /*buffer*/
-           );
-
-OM_uint32 gss_release_oid_set
-           (OM_uint32 * /*minor_status*/,
-            gss_OID_set * /*set*/
-           );
-
-OM_uint32 gss_inquire_cred
-           (OM_uint32 * /*minor_status*/,
-            const gss_cred_id_t /*cred_handle*/,
-            gss_name_t * /*name*/,
-            OM_uint32 * /*lifetime*/,
-            gss_cred_usage_t * /*cred_usage*/,
-            gss_OID_set * /*mechanisms*/
-           );
-
-OM_uint32 gss_inquire_context (
-            OM_uint32 * /*minor_status*/,
-            const gss_ctx_id_t /*context_handle*/,
-            gss_name_t * /*src_name*/,
-            gss_name_t * /*targ_name*/,
-            OM_uint32 * /*lifetime_rec*/,
-            gss_OID * /*mech_type*/,
-            OM_uint32 * /*ctx_flags*/,
-            int * /*locally_initiated*/,
-            int * /*open_context*/
-           );
-
-OM_uint32 gss_wrap_size_limit (
-            OM_uint32 * /*minor_status*/,
-            const gss_ctx_id_t /*context_handle*/,
-            int /*conf_req_flag*/,
-            gss_qop_t /*qop_req*/,
-            OM_uint32 /*req_output_size*/,
-            OM_uint32 * /*max_input_size*/
-           );
-
-OM_uint32 gss_add_cred (
-            OM_uint32 * /*minor_status*/,
-            const gss_cred_id_t /*input_cred_handle*/,
-            const gss_name_t /*desired_name*/,
-            const gss_OID /*desired_mech*/,
-            gss_cred_usage_t /*cred_usage*/,
-            OM_uint32 /*initiator_time_req*/,
-            OM_uint32 /*acceptor_time_req*/,
-            gss_cred_id_t * /*output_cred_handle*/,
-            gss_OID_set * /*actual_mechs*/,
-            OM_uint32 * /*initiator_time_rec*/,
-            OM_uint32 * /*acceptor_time_rec*/
-           );
-
-OM_uint32 gss_inquire_cred_by_mech (
-            OM_uint32 * /*minor_status*/,
-            const gss_cred_id_t /*cred_handle*/,
-            const gss_OID /*mech_type*/,
-            gss_name_t * /*name*/,
-            OM_uint32 * /*initiator_lifetime*/,
-            OM_uint32 * /*acceptor_lifetime*/,
-            gss_cred_usage_t * /*cred_usage*/
-           );
-
-OM_uint32 gss_export_sec_context (
-            OM_uint32 * /*minor_status*/,
-            gss_ctx_id_t * /*context_handle*/,
-            gss_buffer_t /*interprocess_token*/
-           );
-
-OM_uint32 gss_import_sec_context (
-            OM_uint32 * /*minor_status*/,
-            const gss_buffer_t /*interprocess_token*/,
-            gss_ctx_id_t * /*context_handle*/
-           );
-
-OM_uint32 gss_create_empty_oid_set (
-            OM_uint32 * /*minor_status*/,
-            gss_OID_set * /*oid_set*/
-           );
-
-OM_uint32 gss_add_oid_set_member (
-            OM_uint32 * /*minor_status*/,
-            const gss_OID /*member_oid*/,
-            gss_OID_set * /*oid_set*/
-           );
-
-OM_uint32 gss_test_oid_set_member (
-            OM_uint32 * /*minor_status*/,
-            const gss_OID /*member*/,
-            const gss_OID_set /*set*/,
-            int * /*present*/
-           );
-
-OM_uint32 gss_inquire_names_for_mech (
-            OM_uint32 * /*minor_status*/,
-            const gss_OID /*mechanism*/,
-            gss_OID_set * /*name_types*/
-           );
-
-OM_uint32 gss_inquire_mechs_for_name (
-            OM_uint32 * /*minor_status*/,
-            const gss_name_t /*input_name*/,
-            gss_OID_set * /*mech_types*/
-           );
-
-OM_uint32 gss_canonicalize_name (
-            OM_uint32 * /*minor_status*/,
-            const gss_name_t /*input_name*/,
-            const gss_OID /*mech_type*/,
-            gss_name_t * /*output_name*/
-           );
-
-OM_uint32 gss_duplicate_name (
-            OM_uint32 * /*minor_status*/,
-            const gss_name_t /*src_name*/,
-            gss_name_t * /*dest_name*/
-           );
-
-/*
- * The following routines are obsolete variants of gss_get_mic,
- * gss_verify_mic, gss_wrap and gss_unwrap.  They should be
- * provided by GSSAPI V2 implementations for backwards
- * compatibility with V1 applications.  Distinct entrypoints
- * (as opposed to #defines) should be provided, both to allow
- * GSSAPI V1 applications to link against GSSAPI V2 implementations,
- * and to retain the slight parameter type differences between the
- * obsolete versions of these routines and their current forms.
- */
-
-OM_uint32 gss_sign
-           (OM_uint32 * /*minor_status*/,
-            gss_ctx_id_t /*context_handle*/,
-            int /*qop_req*/,
-            gss_buffer_t /*message_buffer*/,
-            gss_buffer_t /*message_token*/
-           );
-
-OM_uint32 gss_verify
-           (OM_uint32 * /*minor_status*/,
-            gss_ctx_id_t /*context_handle*/,
-            gss_buffer_t /*message_buffer*/,
-            gss_buffer_t /*token_buffer*/,
-            int * /*qop_state*/
-           );
-
-OM_uint32 gss_seal
-           (OM_uint32 * /*minor_status*/,
-            gss_ctx_id_t /*context_handle*/,
-            int /*conf_req_flag*/,
-            int /*qop_req*/,
-            gss_buffer_t /*input_message_buffer*/,
-            int * /*conf_state*/,
-            gss_buffer_t /*output_message_buffer*/
-           );
-
-OM_uint32 gss_unseal
-           (OM_uint32 * /*minor_status*/,
-            gss_ctx_id_t /*context_handle*/,
-            gss_buffer_t /*input_message_buffer*/,
-            gss_buffer_t /*output_message_buffer*/,
-            int * /*conf_state*/,
-            int * /*qop_state*/
-           );
-
-/*
- * kerberos mechanism specific functions
- */
-
-OM_uint32 gsskrb5_register_acceptor_identity
-        (const char */*identity*/);
-
-OM_uint32 gss_krb5_copy_ccache
-	(OM_uint32 */*minor*/,
-	 gss_cred_id_t /*cred*/,
-	 struct krb5_ccache_data */*out*/);
-
-#define GSS_C_KRB5_COMPAT_DES3_MIC 1
-
-OM_uint32
-gss_krb5_compat_des3_mic(OM_uint32 *, gss_ctx_id_t, int);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* GSSAPI_H_ */
diff --git a/crypto/heimdal/lib/gssapi/gssapi/gssapi.h b/crypto/heimdal/lib/gssapi/gssapi/gssapi.h
new file mode 100644
index 0000000..fbc638c
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/gssapi/gssapi.h
@@ -0,0 +1,809 @@
+/*
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: gssapi.h 21004 2007-06-08 01:53:10Z lha $ */
+
+#ifndef GSSAPI_GSSAPI_H_
+#define GSSAPI_GSSAPI_H_
+
+/*
+ * First, include stddef.h to get size_t defined.
+ */
+#include <stddef.h>
+
+#include <krb5-types.h>
+
+/*
+ * Now define the three implementation-dependent types.
+ */
+
+typedef uint32_t OM_uint32;
+typedef uint64_t OM_uint64;
+
+typedef uint32_t gss_uint32;
+
+struct gss_name_t_desc_struct;
+typedef struct gss_name_t_desc_struct *gss_name_t;
+
+struct gss_ctx_id_t_desc_struct;
+typedef struct gss_ctx_id_t_desc_struct *gss_ctx_id_t;
+
+typedef struct gss_OID_desc_struct {
+      OM_uint32 length;
+      void      *elements;
+} gss_OID_desc, *gss_OID;
+
+typedef struct gss_OID_set_desc_struct  {
+      size_t     count;
+      gss_OID    elements;
+} gss_OID_set_desc, *gss_OID_set;
+
+typedef int gss_cred_usage_t;
+
+struct gss_cred_id_t_desc_struct;
+typedef struct gss_cred_id_t_desc_struct *gss_cred_id_t;
+
+typedef struct gss_buffer_desc_struct {
+      size_t length;
+      void *value;
+} gss_buffer_desc, *gss_buffer_t;
+
+typedef struct gss_channel_bindings_struct {
+      OM_uint32 initiator_addrtype;
+      gss_buffer_desc initiator_address;
+      OM_uint32 acceptor_addrtype;
+      gss_buffer_desc acceptor_address;
+      gss_buffer_desc application_data;
+} *gss_channel_bindings_t;
+
+/* GGF extension data types */
+typedef struct gss_buffer_set_desc_struct {
+      size_t count;
+      gss_buffer_desc *elements;
+} gss_buffer_set_desc, *gss_buffer_set_t;
+
+/*
+ * For now, define a QOP-type as an OM_uint32
+ */
+typedef OM_uint32 gss_qop_t;
+
+/*
+ * Flag bits for context-level services.
+ */
+#define GSS_C_DELEG_FLAG 1
+#define GSS_C_MUTUAL_FLAG 2
+#define GSS_C_REPLAY_FLAG 4
+#define GSS_C_SEQUENCE_FLAG 8
+#define GSS_C_CONF_FLAG 16
+#define GSS_C_INTEG_FLAG 32
+#define GSS_C_ANON_FLAG 64
+#define GSS_C_PROT_READY_FLAG 128
+#define GSS_C_TRANS_FLAG 256
+
+#define GSS_C_DCE_STYLE 4096
+#define GSS_C_IDENTIFY_FLAG 8192
+#define GSS_C_EXTENDED_ERROR_FLAG 16384
+
+/*
+ * Credential usage options
+ */
+#define GSS_C_BOTH 0
+#define GSS_C_INITIATE 1
+#define GSS_C_ACCEPT 2
+
+/*
+ * Status code types for gss_display_status
+ */
+#define GSS_C_GSS_CODE 1
+#define GSS_C_MECH_CODE 2
+
+/*
+ * The constant definitions for channel-bindings address families
+ */
+#define GSS_C_AF_UNSPEC     0
+#define GSS_C_AF_LOCAL      1
+#define GSS_C_AF_INET       2
+#define GSS_C_AF_IMPLINK    3
+#define GSS_C_AF_PUP        4
+#define GSS_C_AF_CHAOS      5
+#define GSS_C_AF_NS         6
+#define GSS_C_AF_NBS        7
+#define GSS_C_AF_ECMA       8
+#define GSS_C_AF_DATAKIT    9
+#define GSS_C_AF_CCITT      10
+#define GSS_C_AF_SNA        11
+#define GSS_C_AF_DECnet     12
+#define GSS_C_AF_DLI        13
+#define GSS_C_AF_LAT        14
+#define GSS_C_AF_HYLINK     15
+#define GSS_C_AF_APPLETALK  16
+#define GSS_C_AF_BSC        17
+#define GSS_C_AF_DSS        18
+#define GSS_C_AF_OSI        19
+#define GSS_C_AF_X25        21
+#define GSS_C_AF_INET6	    24
+
+#define GSS_C_AF_NULLADDR   255
+
+/*
+ * Various Null values
+ */
+#define GSS_C_NO_NAME ((gss_name_t) 0)
+#define GSS_C_NO_BUFFER ((gss_buffer_t) 0)
+#define GSS_C_NO_BUFFER_SET ((gss_buffer_set_t) 0)
+#define GSS_C_NO_OID ((gss_OID) 0)
+#define GSS_C_NO_OID_SET ((gss_OID_set) 0)
+#define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0)
+#define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0)
+#define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0)
+#define GSS_C_EMPTY_BUFFER {0, NULL}
+
+/*
+ * Some alternate names for a couple of the above
+ * values.  These are defined for V1 compatibility.
+ */
+#define GSS_C_NULL_OID GSS_C_NO_OID
+#define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET
+
+/*
+ * Define the default Quality of Protection for per-message
+ * services.  Note that an implementation that offers multiple
+ * levels of QOP may define GSS_C_QOP_DEFAULT to be either zero
+ * (as done here) to mean "default protection", or to a specific
+ * explicit QOP value.  However, a value of 0 should always be
+ * interpreted by a GSSAPI implementation as a request for the
+ * default protection level.
+ */
+#define GSS_C_QOP_DEFAULT 0
+
+#define GSS_KRB5_CONF_C_QOP_DES		0x0100
+#define GSS_KRB5_CONF_C_QOP_DES3_KD	0x0200
+
+/*
+ * Expiration time of 2^32-1 seconds means infinite lifetime for a
+ * credential or security context
+ */
+#define GSS_C_INDEFINITE 0xfffffffful
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x01"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ *  infosys(1) gssapi(2) generic(1) user_name(1)}.  The constant
+ * GSS_C_NT_USER_NAME should be initialized to point
+ * to that gss_OID_desc.
+ */
+extern gss_OID GSS_C_NT_USER_NAME;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x02"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ *  infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
+ * The constant GSS_C_NT_MACHINE_UID_NAME should be
+ * initialized to point to that gss_OID_desc.
+ */
+extern gss_OID GSS_C_NT_MACHINE_UID_NAME;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x03"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ *  infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
+ * The constant GSS_C_NT_STRING_UID_NAME should be
+ * initialized to point to that gss_OID_desc.
+ */
+extern gss_OID GSS_C_NT_STRING_UID_NAME;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
+ * corresponding to an object-identifier value of
+ * {iso(1) org(3) dod(6) internet(1) security(5)
+ * nametypes(6) gss-host-based-services(2)).  The constant
+ * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point
+ * to that gss_OID_desc.  This is a deprecated OID value, and
+ * implementations wishing to support hostbased-service names
+ * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID,
+ * defined below, to identify such names;
+ * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym
+ * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input
+ * parameter, but should not be emitted by GSS-API
+ * implementations
+ */
+extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x04"}, corresponding to an
+ * object-identifier value of {iso(1) member-body(2)
+ * Unites States(840) mit(113554) infosys(1) gssapi(2)
+ * generic(1) service_name(4)}.  The constant
+ * GSS_C_NT_HOSTBASED_SERVICE should be initialized
+ * to point to that gss_OID_desc.
+ */
+extern gss_OID GSS_C_NT_HOSTBASED_SERVICE;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\01\x05\x06\x03"},
+ * corresponding to an object identifier value of
+ * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 3(gss-anonymous-name)}.  The constant
+ * and GSS_C_NT_ANONYMOUS should be initialized to point
+ * to that gss_OID_desc.
+ */
+extern gss_OID GSS_C_NT_ANONYMOUS;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
+ * corresponding to an object-identifier value of
+ * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 4(gss-api-exported-name)}.  The constant
+ * GSS_C_NT_EXPORT_NAME should be initialized to point
+ * to that gss_OID_desc.
+ */
+extern gss_OID GSS_C_NT_EXPORT_NAME;
+
+/*
+ * Digest mechanism
+ */
+
+extern gss_OID GSS_SASL_DIGEST_MD5_MECHANISM;
+
+/*
+ * NTLM mechanism
+ */
+
+extern gss_OID GSS_NTLM_MECHANISM;
+
+/* Major status codes */
+
+#define GSS_S_COMPLETE 0
+
+/*
+ * Some "helper" definitions to make the status code macros obvious.
+ */
+#define GSS_C_CALLING_ERROR_OFFSET 24
+#define GSS_C_ROUTINE_ERROR_OFFSET 16
+#define GSS_C_SUPPLEMENTARY_OFFSET 0
+#define GSS_C_CALLING_ERROR_MASK 0377ul
+#define GSS_C_ROUTINE_ERROR_MASK 0377ul
+#define GSS_C_SUPPLEMENTARY_MASK 0177777ul
+
+/*
+ * The macros that test status codes for error conditions.
+ * Note that the GSS_ERROR() macro has changed slightly from
+ * the V1 GSSAPI so that it now evaluates its argument
+ * only once.
+ */
+#define GSS_CALLING_ERROR(x) \
+  (x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
+#define GSS_ROUTINE_ERROR(x) \
+  (x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))
+#define GSS_SUPPLEMENTARY_INFO(x) \
+  (x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET))
+#define GSS_ERROR(x) \
+  (x & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \
+        (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)))
+
+/*
+ * Now the actual status code definitions
+ */
+
+/*
+ * Calling errors:
+ */
+#define GSS_S_CALL_INACCESSIBLE_READ \
+                             (1ul << GSS_C_CALLING_ERROR_OFFSET)
+#define GSS_S_CALL_INACCESSIBLE_WRITE \
+                             (2ul << GSS_C_CALLING_ERROR_OFFSET)
+#define GSS_S_CALL_BAD_STRUCTURE \
+                             (3ul << GSS_C_CALLING_ERROR_OFFSET)
+
+/*
+ * Routine errors:
+ */
+#define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET)
+
+#define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_MIC GSS_S_BAD_SIG
+#define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_CONTEXT_EXPIRED (12ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_QOP (14ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_UNAUTHORIZED (15ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_UNAVAILABLE (16ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_DUPLICATE_ELEMENT (17ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_NAME_NOT_MN (18ul << GSS_C_ROUTINE_ERROR_OFFSET)
+
+/*
+ * Supplementary info bits:
+ */
+#define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0))
+#define GSS_S_DUPLICATE_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1))
+#define GSS_S_OLD_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2))
+#define GSS_S_UNSEQ_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3))
+#define GSS_S_GAP_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 4))
+
+/*
+ * Finally, function prototypes for the GSS-API routines.
+ */
+
+OM_uint32 gss_acquire_cred
+           (OM_uint32 * /*minor_status*/,
+            const gss_name_t /*desired_name*/,
+            OM_uint32 /*time_req*/,
+            const gss_OID_set /*desired_mechs*/,
+            gss_cred_usage_t /*cred_usage*/,
+            gss_cred_id_t * /*output_cred_handle*/,
+            gss_OID_set * /*actual_mechs*/,
+            OM_uint32 * /*time_rec*/
+           );
+
+OM_uint32 gss_release_cred
+           (OM_uint32 * /*minor_status*/,
+            gss_cred_id_t * /*cred_handle*/
+           );
+
+OM_uint32 gss_init_sec_context
+           (OM_uint32 * /*minor_status*/,
+            const gss_cred_id_t /*initiator_cred_handle*/,
+            gss_ctx_id_t * /*context_handle*/,
+            const gss_name_t /*target_name*/,
+            const gss_OID /*mech_type*/,
+            OM_uint32 /*req_flags*/,
+            OM_uint32 /*time_req*/,
+            const gss_channel_bindings_t /*input_chan_bindings*/,
+            const gss_buffer_t /*input_token*/,
+            gss_OID * /*actual_mech_type*/,
+            gss_buffer_t /*output_token*/,
+            OM_uint32 * /*ret_flags*/,
+            OM_uint32 * /*time_rec*/
+           );
+
+OM_uint32 gss_accept_sec_context
+           (OM_uint32 * /*minor_status*/,
+            gss_ctx_id_t * /*context_handle*/,
+            const gss_cred_id_t /*acceptor_cred_handle*/,
+            const gss_buffer_t /*input_token_buffer*/,
+            const gss_channel_bindings_t /*input_chan_bindings*/,
+            gss_name_t * /*src_name*/,
+            gss_OID * /*mech_type*/,
+            gss_buffer_t /*output_token*/,
+            OM_uint32 * /*ret_flags*/,
+            OM_uint32 * /*time_rec*/,
+            gss_cred_id_t * /*delegated_cred_handle*/
+           );
+
+OM_uint32 gss_process_context_token
+           (OM_uint32 * /*minor_status*/,
+            const gss_ctx_id_t /*context_handle*/,
+            const gss_buffer_t /*token_buffer*/
+           );
+
+OM_uint32 gss_delete_sec_context
+           (OM_uint32 * /*minor_status*/,
+            gss_ctx_id_t * /*context_handle*/,
+            gss_buffer_t /*output_token*/
+           );
+
+OM_uint32 gss_context_time
+           (OM_uint32 * /*minor_status*/,
+            const gss_ctx_id_t /*context_handle*/,
+            OM_uint32 * /*time_rec*/
+           );
+
+OM_uint32 gss_get_mic
+           (OM_uint32 * /*minor_status*/,
+            const gss_ctx_id_t /*context_handle*/,
+            gss_qop_t /*qop_req*/,
+            const gss_buffer_t /*message_buffer*/,
+            gss_buffer_t /*message_token*/
+           );
+
+OM_uint32 gss_verify_mic
+           (OM_uint32 * /*minor_status*/,
+            const gss_ctx_id_t /*context_handle*/,
+            const gss_buffer_t /*message_buffer*/,
+            const gss_buffer_t /*token_buffer*/,
+            gss_qop_t * /*qop_state*/
+           );
+
+OM_uint32 gss_wrap
+           (OM_uint32 * /*minor_status*/,
+            const gss_ctx_id_t /*context_handle*/,
+            int /*conf_req_flag*/,
+            gss_qop_t /*qop_req*/,
+            const gss_buffer_t /*input_message_buffer*/,
+            int * /*conf_state*/,
+            gss_buffer_t /*output_message_buffer*/
+           );
+
+OM_uint32 gss_unwrap
+           (OM_uint32 * /*minor_status*/,
+            const gss_ctx_id_t /*context_handle*/,
+            const gss_buffer_t /*input_message_buffer*/,
+            gss_buffer_t /*output_message_buffer*/,
+            int * /*conf_state*/,
+            gss_qop_t * /*qop_state*/
+           );
+
+OM_uint32 gss_display_status
+           (OM_uint32 * /*minor_status*/,
+            OM_uint32 /*status_value*/,
+            int /*status_type*/,
+            const gss_OID /*mech_type*/,
+            OM_uint32 * /*message_context*/,
+            gss_buffer_t /*status_string*/
+           );
+
+OM_uint32 gss_indicate_mechs
+           (OM_uint32 * /*minor_status*/,
+            gss_OID_set * /*mech_set*/
+           );
+
+OM_uint32 gss_compare_name
+           (OM_uint32 * /*minor_status*/,
+            const gss_name_t /*name1*/,
+            const gss_name_t /*name2*/,
+            int * /*name_equal*/
+           );
+
+OM_uint32 gss_display_name
+           (OM_uint32 * /*minor_status*/,
+            const gss_name_t /*input_name*/,
+            gss_buffer_t /*output_name_buffer*/,
+            gss_OID * /*output_name_type*/
+           );
+
+OM_uint32 gss_import_name
+           (OM_uint32 * /*minor_status*/,
+            const gss_buffer_t /*input_name_buffer*/,
+            const gss_OID /*input_name_type*/,
+            gss_name_t * /*output_name*/
+           );
+
+OM_uint32 gss_export_name
+           (OM_uint32  * /*minor_status*/,
+            const gss_name_t /*input_name*/,
+            gss_buffer_t /*exported_name*/
+           );
+
+OM_uint32 gss_release_name
+           (OM_uint32 * /*minor_status*/,
+            gss_name_t * /*input_name*/
+           );
+
+OM_uint32 gss_release_buffer
+           (OM_uint32 * /*minor_status*/,
+            gss_buffer_t /*buffer*/
+           );
+
+OM_uint32 gss_release_oid_set
+           (OM_uint32 * /*minor_status*/,
+            gss_OID_set * /*set*/
+           );
+
+OM_uint32 gss_inquire_cred
+           (OM_uint32 * /*minor_status*/,
+            const gss_cred_id_t /*cred_handle*/,
+            gss_name_t * /*name*/,
+            OM_uint32 * /*lifetime*/,
+            gss_cred_usage_t * /*cred_usage*/,
+            gss_OID_set * /*mechanisms*/
+           );
+
+OM_uint32 gss_inquire_context (
+            OM_uint32 * /*minor_status*/,
+            const gss_ctx_id_t /*context_handle*/,
+            gss_name_t * /*src_name*/,
+            gss_name_t * /*targ_name*/,
+            OM_uint32 * /*lifetime_rec*/,
+            gss_OID * /*mech_type*/,
+            OM_uint32 * /*ctx_flags*/,
+            int * /*locally_initiated*/,
+            int * /*open_context*/
+           );
+
+OM_uint32 gss_wrap_size_limit (
+            OM_uint32 * /*minor_status*/,
+            const gss_ctx_id_t /*context_handle*/,
+            int /*conf_req_flag*/,
+            gss_qop_t /*qop_req*/,
+            OM_uint32 /*req_output_size*/,
+            OM_uint32 * /*max_input_size*/
+           );
+
+OM_uint32 gss_add_cred (
+            OM_uint32 * /*minor_status*/,
+            const gss_cred_id_t /*input_cred_handle*/,
+            const gss_name_t /*desired_name*/,
+            const gss_OID /*desired_mech*/,
+            gss_cred_usage_t /*cred_usage*/,
+            OM_uint32 /*initiator_time_req*/,
+            OM_uint32 /*acceptor_time_req*/,
+            gss_cred_id_t * /*output_cred_handle*/,
+            gss_OID_set * /*actual_mechs*/,
+            OM_uint32 * /*initiator_time_rec*/,
+            OM_uint32 * /*acceptor_time_rec*/
+           );
+
+OM_uint32 gss_inquire_cred_by_mech (
+            OM_uint32 * /*minor_status*/,
+            const gss_cred_id_t /*cred_handle*/,
+            const gss_OID /*mech_type*/,
+            gss_name_t * /*name*/,
+            OM_uint32 * /*initiator_lifetime*/,
+            OM_uint32 * /*acceptor_lifetime*/,
+            gss_cred_usage_t * /*cred_usage*/
+           );
+
+OM_uint32 gss_export_sec_context (
+            OM_uint32 * /*minor_status*/,
+            gss_ctx_id_t * /*context_handle*/,
+            gss_buffer_t /*interprocess_token*/
+           );
+
+OM_uint32 gss_import_sec_context (
+            OM_uint32 * /*minor_status*/,
+            const gss_buffer_t /*interprocess_token*/,
+            gss_ctx_id_t * /*context_handle*/
+           );
+
+OM_uint32 gss_create_empty_oid_set (
+            OM_uint32 * /*minor_status*/,
+            gss_OID_set * /*oid_set*/
+           );
+
+OM_uint32 gss_add_oid_set_member (
+            OM_uint32 * /*minor_status*/,
+            const gss_OID /*member_oid*/,
+            gss_OID_set * /*oid_set*/
+           );
+
+OM_uint32 gss_test_oid_set_member (
+            OM_uint32 * /*minor_status*/,
+            const gss_OID /*member*/,
+            const gss_OID_set /*set*/,
+            int * /*present*/
+           );
+
+OM_uint32 gss_inquire_names_for_mech (
+            OM_uint32 * /*minor_status*/,
+            const gss_OID /*mechanism*/,
+            gss_OID_set * /*name_types*/
+           );
+
+OM_uint32 gss_inquire_mechs_for_name (
+            OM_uint32 * /*minor_status*/,
+            const gss_name_t /*input_name*/,
+            gss_OID_set * /*mech_types*/
+           );
+
+OM_uint32 gss_canonicalize_name (
+            OM_uint32 * /*minor_status*/,
+            const gss_name_t /*input_name*/,
+            const gss_OID /*mech_type*/,
+            gss_name_t * /*output_name*/
+           );
+
+OM_uint32 gss_duplicate_name (
+            OM_uint32 * /*minor_status*/,
+            const gss_name_t /*src_name*/,
+            gss_name_t * /*dest_name*/
+           );
+
+OM_uint32 gss_duplicate_oid (
+	    OM_uint32 * /* minor_status */,
+	    gss_OID /* src_oid */,
+	    gss_OID * /* dest_oid */
+           );
+OM_uint32
+gss_release_oid
+	(OM_uint32 * /*minor_status*/,
+	 gss_OID * /* oid */
+	);
+
+OM_uint32
+gss_oid_to_str(
+	    OM_uint32 * /*minor_status*/,
+	    gss_OID /* oid */,
+	    gss_buffer_t /* str */
+           );
+
+OM_uint32
+gss_inquire_sec_context_by_oid(
+	    OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_OID desired_object,
+            gss_buffer_set_t *data_set
+           );
+
+OM_uint32
+gss_set_sec_context_option (OM_uint32 *minor_status,
+			    gss_ctx_id_t *context_handle,
+			    const gss_OID desired_object,
+			    const gss_buffer_t value);
+
+OM_uint32
+gss_set_cred_option (OM_uint32 *minor_status,
+		     gss_cred_id_t *cred_handle,
+		     const gss_OID object,
+		     const gss_buffer_t value);
+
+int
+gss_oid_equal(const gss_OID a, const gss_OID b);
+
+OM_uint32 
+gss_create_empty_buffer_set
+	   (OM_uint32 * minor_status,
+	    gss_buffer_set_t *buffer_set);
+
+OM_uint32
+gss_add_buffer_set_member
+	   (OM_uint32 * minor_status,
+	    const gss_buffer_t member_buffer,
+	    gss_buffer_set_t *buffer_set);
+
+OM_uint32
+gss_release_buffer_set
+	   (OM_uint32 * minor_status,
+	    gss_buffer_set_t *buffer_set);
+
+OM_uint32
+gss_inquire_cred_by_oid(OM_uint32 *minor_status,
+	                const gss_cred_id_t cred_handle,
+	                const gss_OID desired_object,
+	                gss_buffer_set_t *data_set);
+
+/*
+ * RFC 4401
+ */
+
+#define GSS_C_PRF_KEY_FULL 0
+#define GSS_C_PRF_KEY_PARTIAL 1
+
+OM_uint32
+gss_pseudo_random
+	(OM_uint32 *minor_status,
+	 gss_ctx_id_t context,
+	 int prf_key,
+	 const gss_buffer_t prf_in,
+	 ssize_t desired_output_len,
+	 gss_buffer_t prf_out
+	);
+
+/*
+ * The following routines are obsolete variants of gss_get_mic,
+ * gss_verify_mic, gss_wrap and gss_unwrap.  They should be
+ * provided by GSSAPI V2 implementations for backwards
+ * compatibility with V1 applications.  Distinct entrypoints
+ * (as opposed to #defines) should be provided, both to allow
+ * GSSAPI V1 applications to link against GSSAPI V2 implementations,
+ * and to retain the slight parameter type differences between the
+ * obsolete versions of these routines and their current forms.
+ */
+
+OM_uint32 gss_sign
+           (OM_uint32 * /*minor_status*/,
+            gss_ctx_id_t /*context_handle*/,
+            int /*qop_req*/,
+            gss_buffer_t /*message_buffer*/,
+            gss_buffer_t /*message_token*/
+           );
+
+OM_uint32 gss_verify
+           (OM_uint32 * /*minor_status*/,
+            gss_ctx_id_t /*context_handle*/,
+            gss_buffer_t /*message_buffer*/,
+            gss_buffer_t /*token_buffer*/,
+            int * /*qop_state*/
+           );
+
+OM_uint32 gss_seal
+           (OM_uint32 * /*minor_status*/,
+            gss_ctx_id_t /*context_handle*/,
+            int /*conf_req_flag*/,
+            int /*qop_req*/,
+            gss_buffer_t /*input_message_buffer*/,
+            int * /*conf_state*/,
+            gss_buffer_t /*output_message_buffer*/
+           );
+
+OM_uint32 gss_unseal
+           (OM_uint32 * /*minor_status*/,
+            gss_ctx_id_t /*context_handle*/,
+            gss_buffer_t /*input_message_buffer*/,
+            gss_buffer_t /*output_message_buffer*/,
+            int * /*conf_state*/,
+            int * /*qop_state*/
+           );
+
+/*
+ *
+ */
+
+OM_uint32
+gss_inquire_sec_context_by_oid (OM_uint32 *minor_status,
+	                        const gss_ctx_id_t context_handle,
+	                        const gss_OID desired_object,
+	                        gss_buffer_set_t *data_set);
+
+OM_uint32
+gss_encapsulate_token(gss_buffer_t /* input_token */,
+		      gss_OID /* oid */,
+		      gss_buffer_t /* output_token */);
+
+OM_uint32
+gss_decapsulate_token(gss_buffer_t /* input_token */,
+		      gss_OID /* oid */,
+		      gss_buffer_t /* output_token */);
+
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#include <gssapi/gssapi_krb5.h>
+#include <gssapi/gssapi_spnego.h>
+
+#endif /* GSSAPI_GSSAPI_H_ */
diff --git a/crypto/heimdal/lib/gssapi/gssapi/gssapi_krb5.h b/crypto/heimdal/lib/gssapi/gssapi/gssapi_krb5.h
new file mode 100644
index 0000000..cca529f
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/gssapi/gssapi_krb5.h
@@ -0,0 +1,220 @@
+/*
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: gssapi_krb5.h 20385 2007-04-18 08:51:32Z lha $ */
+
+#ifndef GSSAPI_KRB5_H_
+#define GSSAPI_KRB5_H_
+
+#include <gssapi/gssapi.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * This is for kerberos5 names.
+ */
+
+extern gss_OID GSS_KRB5_NT_PRINCIPAL_NAME;
+extern gss_OID GSS_KRB5_NT_USER_NAME;
+extern gss_OID GSS_KRB5_NT_MACHINE_UID_NAME;
+extern gss_OID GSS_KRB5_NT_STRING_UID_NAME;
+
+extern gss_OID GSS_KRB5_MECHANISM;
+
+/* for compatibility with MIT api */
+
+#define gss_mech_krb5 GSS_KRB5_MECHANISM
+#define gss_krb5_nt_general_name GSS_KRB5_NT_PRINCIPAL_NAME
+
+/* Extensions set contexts options */
+extern gss_OID GSS_KRB5_COPY_CCACHE_X;
+extern gss_OID GSS_KRB5_COMPAT_DES3_MIC_X;
+extern gss_OID GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X;
+extern gss_OID GSS_KRB5_SET_DNS_CANONICALIZE_X;
+extern gss_OID GSS_KRB5_SEND_TO_KDC_X;
+extern gss_OID GSS_KRB5_SET_DEFAULT_REALM_X;
+extern gss_OID GSS_KRB5_CCACHE_NAME_X;
+/* Extensions inquire context */
+extern gss_OID GSS_KRB5_GET_TKT_FLAGS_X;
+extern gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X;
+extern gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO;
+extern gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_X;
+extern gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X;
+extern gss_OID GSS_KRB5_GET_SUBKEY_X;
+extern gss_OID GSS_KRB5_GET_INITIATOR_SUBKEY_X;
+extern gss_OID GSS_KRB5_GET_ACCEPTOR_SUBKEY_X;
+extern gss_OID GSS_KRB5_GET_AUTHTIME_X;
+extern gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X;
+/* Extensions creds */
+extern gss_OID GSS_KRB5_IMPORT_CRED_X;
+extern gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X;
+
+/*
+ * kerberos mechanism specific functions
+ */
+
+struct krb5_keytab_data;
+struct krb5_ccache_data;
+struct Principal;
+
+OM_uint32
+gss_krb5_ccache_name(OM_uint32 * /*minor_status*/, 
+		     const char * /*name */,
+		     const char ** /*out_name */);
+
+OM_uint32 gsskrb5_register_acceptor_identity
+        (const char */*identity*/);
+
+OM_uint32 gss_krb5_copy_ccache
+	(OM_uint32 */*minor*/,
+	 gss_cred_id_t /*cred*/,
+	 struct krb5_ccache_data */*out*/);
+
+OM_uint32
+gss_krb5_import_cred(OM_uint32 */*minor*/,
+		     struct krb5_ccache_data * /*in*/,
+		     struct Principal * /*keytab_principal*/,
+		     struct krb5_keytab_data * /*keytab*/,
+		     gss_cred_id_t */*out*/);
+
+OM_uint32 gss_krb5_get_tkt_flags
+	(OM_uint32 */*minor*/,
+	 gss_ctx_id_t /*context_handle*/,
+	 OM_uint32 */*tkt_flags*/);
+
+OM_uint32
+gsskrb5_extract_authz_data_from_sec_context
+	(OM_uint32 * /*minor_status*/,
+	 gss_ctx_id_t /*context_handle*/,
+	 int /*ad_type*/,
+	 gss_buffer_t /*ad_data*/);
+
+OM_uint32
+gsskrb5_set_dns_canonicalize(int);
+
+struct gsskrb5_send_to_kdc {
+    void *func;
+    void *ptr;
+};
+
+OM_uint32
+gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *);
+
+OM_uint32
+gsskrb5_set_default_realm(const char *);
+
+OM_uint32
+gsskrb5_extract_authtime_from_sec_context(OM_uint32 *, gss_ctx_id_t, time_t *);
+
+struct EncryptionKey;
+
+OM_uint32 
+gsskrb5_extract_service_keyblock(OM_uint32 *minor_status,
+				 gss_ctx_id_t context_handle,
+				 struct EncryptionKey **out);
+OM_uint32 
+gsskrb5_get_initiator_subkey(OM_uint32 *minor_status,
+				 gss_ctx_id_t context_handle,
+				 struct EncryptionKey **out);
+OM_uint32 
+gsskrb5_get_subkey(OM_uint32 *minor_status,
+		   gss_ctx_id_t context_handle,
+		   struct EncryptionKey **out);
+
+/*
+ * Lucid - NFSv4 interface to GSS-API KRB5 to expose key material to
+ * do GSS content token handling in-kernel.
+ */
+
+typedef struct gss_krb5_lucid_key {
+	OM_uint32	type;
+	OM_uint32	length;
+	void *		data;
+} gss_krb5_lucid_key_t;
+
+typedef struct gss_krb5_rfc1964_keydata {
+	OM_uint32		sign_alg;
+	OM_uint32		seal_alg;
+	gss_krb5_lucid_key_t	ctx_key;
+} gss_krb5_rfc1964_keydata_t;
+
+typedef struct gss_krb5_cfx_keydata {
+	OM_uint32		have_acceptor_subkey;
+	gss_krb5_lucid_key_t	ctx_key;
+	gss_krb5_lucid_key_t	acceptor_subkey;
+} gss_krb5_cfx_keydata_t;
+
+typedef struct gss_krb5_lucid_context_v1 {
+	OM_uint32	version;
+	OM_uint32	initiate;
+	OM_uint32	endtime;
+	OM_uint64	send_seq;
+	OM_uint64	recv_seq;
+	OM_uint32	protocol;
+	gss_krb5_rfc1964_keydata_t rfc1964_kd;
+	gss_krb5_cfx_keydata_t	   cfx_kd;
+} gss_krb5_lucid_context_v1_t;
+
+typedef struct gss_krb5_lucid_context_version {
+	OM_uint32	version;	/* Structure version number */
+} gss_krb5_lucid_context_version_t;
+
+/*
+ * Function declarations
+ */
+
+OM_uint32
+gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
+				  gss_ctx_id_t *context_handle,
+				  OM_uint32 version,
+				  void **kctx);
+
+
+OM_uint32
+gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status,
+				void *kctx);
+
+
+OM_uint32
+gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status, 
+				gss_cred_id_t cred,
+				OM_uint32 num_enctypes,
+				int32_t *enctypes);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* GSSAPI_SPNEGO_H_ */
diff --git a/crypto/heimdal/lib/gssapi/gssapi/gssapi_spnego.h b/crypto/heimdal/lib/gssapi/gssapi/gssapi_spnego.h
new file mode 100644
index 0000000..fbb7906
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/gssapi/gssapi_spnego.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: gssapi_spnego.h 18335 2006-10-07 22:26:21Z lha $ */
+
+#ifndef GSSAPI_SPNEGO_H_
+#define GSSAPI_SPNEGO_H_
+
+#include <gssapi.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * RFC2478, SPNEGO:
+ *  The security mechanism of the initial
+ *  negotiation token is identified by the Object Identifier
+ *  iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2).
+ */
+extern gss_OID GSS_SPNEGO_MECHANISM;
+#define gss_mech_spnego GSS_SPNEGO_MECHANISM
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* GSSAPI_SPNEGO_H_ */
diff --git a/crypto/heimdal/lib/gssapi/gssapi_mech.h b/crypto/heimdal/lib/gssapi/gssapi_mech.h
new file mode 100644
index 0000000..3704099
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/gssapi_mech.h
@@ -0,0 +1,359 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD$
+ */
+
+#ifndef GSSAPI_MECH_H
+#define GSSAPI_MECH_H 1
+
+#include <gssapi.h>
+
+typedef OM_uint32 _gss_acquire_cred_t
+	      (OM_uint32 *,            /* minor_status */
+	       const gss_name_t,       /* desired_name */
+	       OM_uint32,              /* time_req */
+	       const gss_OID_set,      /* desired_mechs */
+	       gss_cred_usage_t,       /* cred_usage */
+	       gss_cred_id_t *,        /* output_cred_handle */
+	       gss_OID_set *,          /* actual_mechs */
+	       OM_uint32 *             /* time_rec */
+	      );
+
+typedef OM_uint32 _gss_release_cred_t
+	      (OM_uint32 *,            /* minor_status */
+	       gss_cred_id_t *         /* cred_handle */
+	      );
+
+typedef OM_uint32 _gss_init_sec_context_t
+	      (OM_uint32 *,            /* minor_status */
+	       const gss_cred_id_t,    /* initiator_cred_handle */
+	       gss_ctx_id_t *,         /* context_handle */
+	       const gss_name_t,       /* target_name */
+	       const gss_OID,          /* mech_type */
+	       OM_uint32,              /* req_flags */
+	       OM_uint32,              /* time_req */
+	       const gss_channel_bindings_t,
+				       /* input_chan_bindings */
+	       const gss_buffer_t,     /* input_token */
+	       gss_OID *,              /* actual_mech_type */
+	       gss_buffer_t,           /* output_token */
+	       OM_uint32 *,            /* ret_flags */
+	       OM_uint32 *             /* time_rec */
+	      );
+
+typedef OM_uint32 _gss_accept_sec_context_t
+	      (OM_uint32 *,            /* minor_status */
+	       gss_ctx_id_t *,         /* context_handle */
+	       const gss_cred_id_t,    /* acceptor_cred_handle */
+	       const gss_buffer_t,     /* input_token_buffer */
+	       const gss_channel_bindings_t,
+				       /* input_chan_bindings */
+	       gss_name_t *,           /* src_name */
+	       gss_OID *,              /* mech_type */
+	       gss_buffer_t,           /* output_token */
+	       OM_uint32 *,            /* ret_flags */
+	       OM_uint32 *,            /* time_rec */
+	       gss_cred_id_t *         /* delegated_cred_handle */
+	      );
+
+typedef OM_uint32 _gss_process_context_token_t
+	      (OM_uint32 *,            /* minor_status */
+	       const gss_ctx_id_t,     /* context_handle */
+	       const gss_buffer_t      /* token_buffer */
+	      );
+
+typedef OM_uint32 _gss_delete_sec_context_t
+	      (OM_uint32 *,            /* minor_status */
+	       gss_ctx_id_t *,         /* context_handle */
+	       gss_buffer_t            /* output_token */
+	      );
+
+typedef OM_uint32 _gss_context_time_t
+	      (OM_uint32 *,            /* minor_status */
+	       const gss_ctx_id_t,     /* context_handle */
+	       OM_uint32 *             /* time_rec */
+	      );
+
+typedef OM_uint32 _gss_get_mic_t
+	      (OM_uint32 *,            /* minor_status */
+	       const gss_ctx_id_t,     /* context_handle */
+	       gss_qop_t,              /* qop_req */
+	       const gss_buffer_t,     /* message_buffer */
+	       gss_buffer_t            /* message_token */
+	      );
+
+typedef OM_uint32 _gss_verify_mic_t
+	      (OM_uint32 *,            /* minor_status */
+	       const gss_ctx_id_t,     /* context_handle */
+	       const gss_buffer_t,     /* message_buffer */
+	       const gss_buffer_t,     /* token_buffer */
+	       gss_qop_t *             /* qop_state */
+	      );
+
+typedef OM_uint32 _gss_wrap_t
+	      (OM_uint32 *,            /* minor_status */
+	       const gss_ctx_id_t,     /* context_handle */
+	       int,                    /* conf_req_flag */
+	       gss_qop_t,              /* qop_req */
+	       const gss_buffer_t,     /* input_message_buffer */
+	       int *,                  /* conf_state */
+	       gss_buffer_t            /* output_message_buffer */
+	      );
+
+typedef OM_uint32 _gss_unwrap_t
+	      (OM_uint32 *,            /* minor_status */
+	       const gss_ctx_id_t,     /* context_handle */
+	       const gss_buffer_t,     /* input_message_buffer */
+	       gss_buffer_t,           /* output_message_buffer */
+	       int *,                  /* conf_state */
+	       gss_qop_t *             /* qop_state */
+	      );
+
+typedef OM_uint32 _gss_display_status_t
+	      (OM_uint32 *,            /* minor_status */
+	       OM_uint32,              /* status_value */
+	       int,                    /* status_type */
+	       const gss_OID,          /* mech_type */
+	       OM_uint32 *,            /* message_context */
+	       gss_buffer_t            /* status_string */
+	      );
+
+typedef OM_uint32 _gss_indicate_mechs_t
+	      (OM_uint32 *,            /* minor_status */
+	       gss_OID_set *           /* mech_set */
+	      );
+
+typedef OM_uint32 _gss_compare_name_t
+	      (OM_uint32 *,            /* minor_status */
+	       const gss_name_t,       /* name1 */
+	       const gss_name_t,       /* name2 */
+	       int *                   /* name_equal */
+	      );
+
+typedef OM_uint32 _gss_display_name_t
+	      (OM_uint32 *,            /* minor_status */
+	       const gss_name_t,       /* input_name */
+	       gss_buffer_t,           /* output_name_buffer */
+	       gss_OID *               /* output_name_type */
+	      );
+
+typedef OM_uint32 _gss_import_name_t
+	      (OM_uint32 *,            /* minor_status */
+	       const gss_buffer_t,     /* input_name_buffer */
+	       const gss_OID,          /* input_name_type */
+	       gss_name_t *            /* output_name */
+	      );
+
+typedef OM_uint32 _gss_export_name_t
+	      (OM_uint32 *,            /* minor_status */
+	       const gss_name_t,       /* input_name */
+	       gss_buffer_t            /* exported_name */
+	      );
+
+typedef OM_uint32 _gss_release_name_t
+	      (OM_uint32 *,            /* minor_status */
+	       gss_name_t *            /* input_name */
+	      );
+
+typedef OM_uint32 _gss_inquire_cred_t
+	      (OM_uint32 *,            /* minor_status */
+	       const gss_cred_id_t,    /* cred_handle */
+	       gss_name_t *,           /* name */
+	       OM_uint32 *,            /* lifetime */
+	       gss_cred_usage_t *,     /* cred_usage */
+	       gss_OID_set *           /* mechanisms */
+	      );
+
+typedef OM_uint32 _gss_inquire_context_t
+	      (OM_uint32 *,            /* minor_status */
+	       const gss_ctx_id_t,     /* context_handle */
+	       gss_name_t *,           /* src_name */
+	       gss_name_t *,           /* targ_name */
+	       OM_uint32 *,            /* lifetime_rec */
+	       gss_OID *,              /* mech_type */
+	       OM_uint32 *,            /* ctx_flags */
+	       int *,                  /* locally_initiated */
+	       int *                   /* open */
+	      );
+
+typedef OM_uint32 _gss_wrap_size_limit_t
+	      (OM_uint32 *,            /* minor_status */
+	       const gss_ctx_id_t,     /* context_handle */
+	       int,                    /* conf_req_flag */
+	       gss_qop_t,              /* qop_req */
+	       OM_uint32,              /* req_output_size */
+	       OM_uint32 *             /* max_input_size */
+	      );
+
+typedef OM_uint32 _gss_add_cred_t (
+	       OM_uint32 *,            /* minor_status */
+	       const gss_cred_id_t,    /* input_cred_handle */
+	       const gss_name_t,       /* desired_name */
+	       const gss_OID,          /* desired_mech */
+	       gss_cred_usage_t,       /* cred_usage */
+	       OM_uint32,              /* initiator_time_req */
+	       OM_uint32,              /* acceptor_time_req */
+	       gss_cred_id_t *,        /* output_cred_handle */
+	       gss_OID_set *,          /* actual_mechs */
+	       OM_uint32 *,            /* initiator_time_rec */
+	       OM_uint32 *             /* acceptor_time_rec */
+	      );
+
+typedef OM_uint32 _gss_inquire_cred_by_mech_t (
+	       OM_uint32 *,            /* minor_status */
+	       const gss_cred_id_t,    /* cred_handle */
+	       const gss_OID,          /* mech_type */
+	       gss_name_t *,           /* name */
+	       OM_uint32 *,            /* initiator_lifetime */
+	       OM_uint32 *,            /* acceptor_lifetime */
+	       gss_cred_usage_t *      /* cred_usage */
+	      );
+
+typedef OM_uint32 _gss_export_sec_context_t (
+	       OM_uint32 *,            /* minor_status */
+	       gss_ctx_id_t *,         /* context_handle */
+	       gss_buffer_t            /* interprocess_token */
+	      );
+
+typedef OM_uint32 _gss_import_sec_context_t (
+	       OM_uint32 *,            /* minor_status */
+	       const gss_buffer_t,     /* interprocess_token */
+	       gss_ctx_id_t *          /* context_handle */
+	      );
+
+typedef OM_uint32 _gss_inquire_names_for_mech_t (
+	       OM_uint32 *,            /* minor_status */
+	       const gss_OID,          /* mechanism */
+	       gss_OID_set *           /* name_types */
+	      );
+
+typedef OM_uint32 _gss_inquire_mechs_for_name_t (
+	       OM_uint32 *,            /* minor_status */
+	       const gss_name_t,       /* input_name */
+	       gss_OID_set *           /* mech_types */
+	      );
+
+typedef OM_uint32 _gss_canonicalize_name_t (
+	       OM_uint32 *,            /* minor_status */
+	       const gss_name_t,       /* input_name */
+	       const gss_OID,          /* mech_type */
+	       gss_name_t *            /* output_name */
+	      );
+
+typedef OM_uint32 _gss_duplicate_name_t (
+	       OM_uint32 *,            /* minor_status */
+	       const gss_name_t,       /* src_name */
+	       gss_name_t *            /* dest_name */
+	      );
+
+typedef OM_uint32 _gss_inquire_sec_context_by_oid (
+	       OM_uint32 *minor_status,
+	       const gss_ctx_id_t context_handle,
+	       const gss_OID desired_object,
+	       gss_buffer_set_t *data_set
+	      );
+
+typedef OM_uint32 _gss_inquire_cred_by_oid (
+	       OM_uint32 *minor_status,
+	       const gss_cred_id_t cred,
+	       const gss_OID desired_object,
+	       gss_buffer_set_t *data_set
+	      );
+
+typedef OM_uint32 _gss_set_sec_context_option (
+	       OM_uint32 *minor_status,
+	       gss_ctx_id_t *cred_handle,
+	       const gss_OID desired_object,
+	       const gss_buffer_t value
+ 	      );
+
+typedef OM_uint32 _gss_set_cred_option (
+	       OM_uint32 *minor_status,
+	       gss_cred_id_t *cred_handle,
+	       const gss_OID desired_object,
+	       const gss_buffer_t value
+ 	      );
+
+
+typedef OM_uint32 _gss_pseudo_random(
+    	       OM_uint32 *minor_status,
+	       gss_ctx_id_t context,
+	       int prf_key,
+	       const gss_buffer_t prf_in,
+	       ssize_t desired_output_len,
+	       gss_buffer_t prf_out
+              );
+
+#define GMI_VERSION 1
+
+typedef struct gssapi_mech_interface_desc {
+	unsigned			gm_version;
+	const char			*gm_name;
+	gss_OID_desc			gm_mech_oid;
+	_gss_acquire_cred_t		*gm_acquire_cred;
+	_gss_release_cred_t		*gm_release_cred;
+	_gss_init_sec_context_t		*gm_init_sec_context;
+	_gss_accept_sec_context_t	*gm_accept_sec_context;
+	_gss_process_context_token_t	*gm_process_context_token;
+	_gss_delete_sec_context_t	*gm_delete_sec_context;
+	_gss_context_time_t		*gm_context_time;
+	_gss_get_mic_t			*gm_get_mic;
+	_gss_verify_mic_t		*gm_verify_mic;
+	_gss_wrap_t			*gm_wrap;
+	_gss_unwrap_t			*gm_unwrap;
+	_gss_display_status_t		*gm_display_status;
+	_gss_indicate_mechs_t		*gm_indicate_mechs;
+	_gss_compare_name_t		*gm_compare_name;
+	_gss_display_name_t		*gm_display_name;
+	_gss_import_name_t		*gm_import_name;
+	_gss_export_name_t		*gm_export_name;
+	_gss_release_name_t		*gm_release_name;
+	_gss_inquire_cred_t		*gm_inquire_cred;
+	_gss_inquire_context_t		*gm_inquire_context;
+	_gss_wrap_size_limit_t		*gm_wrap_size_limit;
+	_gss_add_cred_t			*gm_add_cred;
+	_gss_inquire_cred_by_mech_t	*gm_inquire_cred_by_mech;
+	_gss_export_sec_context_t	*gm_export_sec_context;
+	_gss_import_sec_context_t	*gm_import_sec_context;
+	_gss_inquire_names_for_mech_t	*gm_inquire_names_for_mech;
+	_gss_inquire_mechs_for_name_t	*gm_inquire_mechs_for_name;
+	_gss_canonicalize_name_t	*gm_canonicalize_name;
+	_gss_duplicate_name_t		*gm_duplicate_name;
+	_gss_inquire_sec_context_by_oid	*gm_inquire_sec_context_by_oid;
+	_gss_inquire_cred_by_oid	*gm_inquire_cred_by_oid;
+	_gss_set_sec_context_option	*gm_set_sec_context_option;
+	_gss_set_cred_option		*gm_set_cred_option;
+	_gss_pseudo_random		*gm_pseudo_random;
+} gssapi_mech_interface_desc, *gssapi_mech_interface;
+
+gssapi_mech_interface
+__gss_get_mechanism(gss_OID /* oid */);
+
+gssapi_mech_interface __gss_spnego_initialize(void);
+gssapi_mech_interface __gss_krb5_initialize(void);
+gssapi_mech_interface __gss_ntlm_initialize(void);
+
+#endif /* GSSAPI_MECH_H */
diff --git a/crypto/heimdal/lib/gssapi/krb5/8003.c b/crypto/heimdal/lib/gssapi/krb5/8003.c
new file mode 100644
index 0000000..619cbf9
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/8003.c
@@ -0,0 +1,248 @@
+/*
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: 8003.c 18334 2006-10-07 22:16:04Z lha $");
+
+krb5_error_code
+_gsskrb5_encode_om_uint32(OM_uint32 n, u_char *p)
+{
+  p[0] = (n >> 0)  & 0xFF;
+  p[1] = (n >> 8)  & 0xFF;
+  p[2] = (n >> 16) & 0xFF;
+  p[3] = (n >> 24) & 0xFF;
+  return 0;
+}
+
+krb5_error_code
+_gsskrb5_encode_be_om_uint32(OM_uint32 n, u_char *p)
+{
+  p[0] = (n >> 24) & 0xFF;
+  p[1] = (n >> 16) & 0xFF;
+  p[2] = (n >> 8)  & 0xFF;
+  p[3] = (n >> 0)  & 0xFF;
+  return 0;
+}
+
+krb5_error_code
+_gsskrb5_decode_om_uint32(const void *ptr, OM_uint32 *n)
+{
+    const u_char *p = ptr;
+    *n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
+    return 0;
+}
+
+krb5_error_code
+_gsskrb5_decode_be_om_uint32(const void *ptr, OM_uint32 *n)
+{
+    const u_char *p = ptr;
+    *n = (p[0] <<24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0);
+    return 0;
+}
+
+static krb5_error_code
+hash_input_chan_bindings (const gss_channel_bindings_t b,
+			  u_char *p)
+{
+  u_char num[4];
+  MD5_CTX md5;
+
+  MD5_Init(&md5);
+  _gsskrb5_encode_om_uint32 (b->initiator_addrtype, num);
+  MD5_Update (&md5, num, sizeof(num));
+  _gsskrb5_encode_om_uint32 (b->initiator_address.length, num);
+  MD5_Update (&md5, num, sizeof(num));
+  if (b->initiator_address.length)
+    MD5_Update (&md5,
+		b->initiator_address.value,
+		b->initiator_address.length);
+  _gsskrb5_encode_om_uint32 (b->acceptor_addrtype, num);
+  MD5_Update (&md5, num, sizeof(num));
+  _gsskrb5_encode_om_uint32 (b->acceptor_address.length, num);
+  MD5_Update (&md5, num, sizeof(num));
+  if (b->acceptor_address.length)
+    MD5_Update (&md5,
+		b->acceptor_address.value,
+		b->acceptor_address.length);
+  _gsskrb5_encode_om_uint32 (b->application_data.length, num);
+  MD5_Update (&md5, num, sizeof(num));
+  if (b->application_data.length)
+    MD5_Update (&md5,
+		b->application_data.value,
+		b->application_data.length);
+  MD5_Final (p, &md5);
+  return 0;
+}
+
+/*
+ * create a checksum over the chanel bindings in
+ * `input_chan_bindings', `flags' and `fwd_data' and return it in
+ * `result'
+ */
+
+OM_uint32
+_gsskrb5_create_8003_checksum (
+		      OM_uint32 *minor_status,    
+		      const gss_channel_bindings_t input_chan_bindings,
+		      OM_uint32 flags,
+		      const krb5_data *fwd_data,
+		      Checksum *result)
+{
+    u_char *p;
+
+    /* 
+     * see rfc1964 (section 1.1.1 (Initial Token), and the checksum value 
+     * field's format) */
+    result->cksumtype = CKSUMTYPE_GSSAPI;
+    if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG))
+	result->checksum.length = 24 + 4 + fwd_data->length;
+    else 
+	result->checksum.length = 24;
+    result->checksum.data   = malloc (result->checksum.length);
+    if (result->checksum.data == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+  
+    p = result->checksum.data;
+    _gsskrb5_encode_om_uint32 (16, p);
+    p += 4;
+    if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS) {
+	memset (p, 0, 16);
+    } else {
+	hash_input_chan_bindings (input_chan_bindings, p);
+    }
+    p += 16;
+    _gsskrb5_encode_om_uint32 (flags, p);
+    p += 4;
+
+    if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG)) {
+
+	*p++ = (1 >> 0) & 0xFF;                   /* DlgOpt */ /* == 1 */
+	*p++ = (1 >> 8) & 0xFF;                   /* DlgOpt */ /* == 0 */
+	*p++ = (fwd_data->length >> 0) & 0xFF;    /* Dlgth  */
+	*p++ = (fwd_data->length >> 8) & 0xFF;    /* Dlgth  */
+	memcpy(p, (unsigned char *) fwd_data->data, fwd_data->length);
+
+	p += fwd_data->length;
+    }
+     
+    return GSS_S_COMPLETE;
+}
+
+/*
+ * verify the checksum in `cksum' over `input_chan_bindings'
+ * returning  `flags' and `fwd_data'
+ */
+
+OM_uint32
+_gsskrb5_verify_8003_checksum(
+		      OM_uint32 *minor_status,    
+		      const gss_channel_bindings_t input_chan_bindings,
+		      const Checksum *cksum,
+		      OM_uint32 *flags,
+		      krb5_data *fwd_data)
+{
+    unsigned char hash[16];
+    unsigned char *p;
+    OM_uint32 length;
+    int DlgOpt;
+    static unsigned char zeros[16];
+
+    if (cksum == NULL) {
+	*minor_status = 0;
+	return GSS_S_BAD_BINDINGS;
+    }
+
+    /* XXX should handle checksums > 24 bytes */
+    if(cksum->cksumtype != CKSUMTYPE_GSSAPI || cksum->checksum.length < 24) {
+	*minor_status = 0;
+	return GSS_S_BAD_BINDINGS;
+    }
+    
+    p = cksum->checksum.data;
+    _gsskrb5_decode_om_uint32(p, &length);
+    if(length != sizeof(hash)) {
+	*minor_status = 0;
+	return GSS_S_BAD_BINDINGS;
+    }
+    
+    p += 4;
+    
+    if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS
+	&& memcmp(p, zeros, sizeof(zeros)) != 0) {
+	if(hash_input_chan_bindings(input_chan_bindings, hash) != 0) {
+	    *minor_status = 0;
+	    return GSS_S_BAD_BINDINGS;
+	}
+	if(memcmp(hash, p, sizeof(hash)) != 0) {
+	    *minor_status = 0;
+	    return GSS_S_BAD_BINDINGS;
+	}
+    }
+    
+    p += sizeof(hash);
+    
+    _gsskrb5_decode_om_uint32(p, flags);
+    p += 4;
+
+    if (cksum->checksum.length > 24 && (*flags & GSS_C_DELEG_FLAG)) {
+	if(cksum->checksum.length < 28) {
+	    *minor_status = 0;
+	    return GSS_S_BAD_BINDINGS;
+	}
+    
+	DlgOpt = (p[0] << 0) | (p[1] << 8);
+	p += 2;
+	if (DlgOpt != 1) {
+	    *minor_status = 0;
+	    return GSS_S_BAD_BINDINGS;
+	}
+
+	fwd_data->length = (p[0] << 0) | (p[1] << 8);
+	p += 2;
+	if(cksum->checksum.length < 28 + fwd_data->length) {
+	    *minor_status = 0;
+	    return GSS_S_BAD_BINDINGS;
+	}
+	fwd_data->data = malloc(fwd_data->length);
+	if (fwd_data->data == NULL) {
+	    *minor_status = ENOMEM;
+	    return GSS_S_FAILURE;
+	}
+	memcpy(fwd_data->data, p, fwd_data->length);
+    }
+    
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/accept_sec_context.c b/crypto/heimdal/lib/gssapi/krb5/accept_sec_context.c
new file mode 100644
index 0000000..73b93ce
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/accept_sec_context.c
@@ -0,0 +1,801 @@
+/*
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: accept_sec_context.c 20199 2007-02-07 22:36:39Z lha $");
+
+HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER;
+krb5_keytab _gsskrb5_keytab;
+
+OM_uint32
+_gsskrb5_register_acceptor_identity (const char *identity)
+{
+    krb5_context context;
+    krb5_error_code ret;
+
+    ret = _gsskrb5_init(&context);
+    if(ret)
+	return GSS_S_FAILURE;
+    
+    HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex);
+
+    if(_gsskrb5_keytab != NULL) {
+	krb5_kt_close(context, _gsskrb5_keytab);
+	_gsskrb5_keytab = NULL;
+    }
+    if (identity == NULL) {
+	ret = krb5_kt_default(context, &_gsskrb5_keytab);
+    } else {
+	char *p;
+
+	asprintf(&p, "FILE:%s", identity);
+	if(p == NULL) {
+	    HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
+	    return GSS_S_FAILURE;
+	}
+	ret = krb5_kt_resolve(context, p, &_gsskrb5_keytab);
+	free(p);
+    }
+    HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
+    if(ret)
+	return GSS_S_FAILURE;
+    return GSS_S_COMPLETE;
+}
+
+void
+_gsskrb5i_is_cfx(gsskrb5_ctx ctx, int *is_cfx)
+{
+    krb5_keyblock *key;
+    int acceptor = (ctx->more_flags & LOCAL) == 0;
+
+    *is_cfx = 0;
+
+    if (acceptor) {
+	if (ctx->auth_context->local_subkey)
+	    key = ctx->auth_context->local_subkey;
+	else
+	    key = ctx->auth_context->remote_subkey;
+    } else {
+	if (ctx->auth_context->remote_subkey)
+	    key = ctx->auth_context->remote_subkey;
+	else
+	    key = ctx->auth_context->local_subkey;
+    }
+    if (key == NULL)
+	key = ctx->auth_context->keyblock;
+
+    if (key == NULL)
+	return;
+	    
+    switch (key->keytype) {
+    case ETYPE_DES_CBC_CRC:
+    case ETYPE_DES_CBC_MD4:
+    case ETYPE_DES_CBC_MD5:
+    case ETYPE_DES3_CBC_MD5:
+    case ETYPE_DES3_CBC_SHA1:
+    case ETYPE_ARCFOUR_HMAC_MD5:
+    case ETYPE_ARCFOUR_HMAC_MD5_56:
+	break;
+    default :
+	*is_cfx = 1;
+	if ((acceptor && ctx->auth_context->local_subkey) ||
+	    (!acceptor && ctx->auth_context->remote_subkey))
+	    ctx->more_flags |= ACCEPTOR_SUBKEY;
+	break;
+    }
+}
+
+
+static OM_uint32
+gsskrb5_accept_delegated_token
+(OM_uint32 * minor_status,
+ gsskrb5_ctx ctx,
+ krb5_context context,
+ gss_cred_id_t * delegated_cred_handle
+    )
+{
+    krb5_ccache ccache = NULL;
+    krb5_error_code kret;
+    int32_t ac_flags, ret = GSS_S_COMPLETE;
+      
+    *minor_status = 0;
+
+    /* XXX Create a new delegated_cred_handle? */
+    if (delegated_cred_handle == NULL) {
+	kret = krb5_cc_default (context, &ccache);
+    } else {
+	*delegated_cred_handle = NULL;
+	kret = krb5_cc_gen_new (context, &krb5_mcc_ops, &ccache);
+    }
+    if (kret) {
+	ctx->flags &= ~GSS_C_DELEG_FLAG;
+	goto out;
+    }
+
+    kret = krb5_cc_initialize(context, ccache, ctx->source);
+    if (kret) {
+	ctx->flags &= ~GSS_C_DELEG_FLAG;
+	goto out;
+    }
+      
+    krb5_auth_con_removeflags(context,
+			      ctx->auth_context,
+			      KRB5_AUTH_CONTEXT_DO_TIME,
+			      &ac_flags);
+    kret = krb5_rd_cred2(context,
+			 ctx->auth_context,
+			 ccache,
+			 &ctx->fwd_data);
+    krb5_auth_con_setflags(context,
+			   ctx->auth_context,
+			   ac_flags);
+    if (kret) {
+	ctx->flags &= ~GSS_C_DELEG_FLAG;
+	ret = GSS_S_FAILURE;
+	*minor_status = kret;
+	goto out;
+    }
+
+    if (delegated_cred_handle) {
+	gsskrb5_cred handle;
+
+	ret = _gsskrb5_import_cred(minor_status,
+				   ccache,
+				   NULL,
+				   NULL,
+				   delegated_cred_handle);
+	if (ret != GSS_S_COMPLETE)
+	    goto out;
+
+	handle = (gsskrb5_cred) *delegated_cred_handle;
+    
+	handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
+	krb5_cc_close(context, ccache);
+	ccache = NULL;
+    }
+
+out:
+    if (ccache) {
+	/* Don't destroy the default cred cache */
+	if (delegated_cred_handle == NULL)
+	    krb5_cc_close(context, ccache);
+	else
+	    krb5_cc_destroy(context, ccache);
+    }
+    return ret;
+}
+
+static OM_uint32
+gsskrb5_acceptor_ready(OM_uint32 * minor_status,
+		       gsskrb5_ctx ctx,
+		       krb5_context context,
+		       gss_cred_id_t *delegated_cred_handle)
+{
+    OM_uint32 ret;
+    int32_t seq_number;
+    int is_cfx = 0;
+
+    krb5_auth_getremoteseqnumber (context,
+				  ctx->auth_context,
+				  &seq_number);
+
+    _gsskrb5i_is_cfx(ctx, &is_cfx);
+
+    ret = _gssapi_msg_order_create(minor_status,
+				   &ctx->order,
+				   _gssapi_msg_order_f(ctx->flags),
+				   seq_number, 0, is_cfx);
+    if (ret)
+	return ret;
+
+    /* 
+     * If requested, set local sequence num to remote sequence if this
+     * isn't a mutual authentication context
+     */
+    if (!(ctx->flags & GSS_C_MUTUAL_FLAG) && _gssapi_msg_order_f(ctx->flags)) {
+	krb5_auth_con_setlocalseqnumber(context,
+					ctx->auth_context,
+					seq_number);
+    }
+
+    /*
+     * We should handle the delegation ticket, in case it's there
+     */
+    if (ctx->fwd_data.length > 0 && (ctx->flags & GSS_C_DELEG_FLAG)) {
+	ret = gsskrb5_accept_delegated_token(minor_status,
+					     ctx,
+					     context,
+					     delegated_cred_handle);
+	if (ret)
+	    return ret;
+    } else {
+	/* Well, looks like it wasn't there after all */
+	ctx->flags &= ~GSS_C_DELEG_FLAG;
+    }
+
+    ctx->state = ACCEPTOR_READY;
+    ctx->more_flags |= OPEN;
+
+    return GSS_S_COMPLETE;
+}
+
+static OM_uint32
+gsskrb5_acceptor_start(OM_uint32 * minor_status,
+		       gsskrb5_ctx ctx,
+		       krb5_context context,
+		       const gss_cred_id_t acceptor_cred_handle,
+		       const gss_buffer_t input_token_buffer,
+		       const gss_channel_bindings_t input_chan_bindings,
+		       gss_name_t * src_name,
+		       gss_OID * mech_type,
+		       gss_buffer_t output_token,
+		       OM_uint32 * ret_flags,
+		       OM_uint32 * time_rec,
+		       gss_cred_id_t * delegated_cred_handle)
+{
+    krb5_error_code kret;
+    OM_uint32 ret = GSS_S_COMPLETE;
+    krb5_data indata;
+    krb5_flags ap_options;
+    krb5_keytab keytab = NULL;
+    int is_cfx = 0;
+    const gsskrb5_cred acceptor_cred = (gsskrb5_cred)acceptor_cred_handle;
+
+    /*
+     * We may, or may not, have an escapsulation.
+     */
+    ret = _gsskrb5_decapsulate (minor_status,
+				input_token_buffer,
+				&indata,
+				"\x01\x00",
+				GSS_KRB5_MECHANISM);
+
+    if (ret) {
+	/* Assume that there is no OID wrapping. */
+	indata.length	= input_token_buffer->length;
+	indata.data	= input_token_buffer->value;
+    }
+
+    /*
+     * We need to get our keytab
+     */
+    if (acceptor_cred == NULL) {
+	if (_gsskrb5_keytab != NULL)
+	    keytab = _gsskrb5_keytab;
+    } else if (acceptor_cred->keytab != NULL) {
+	keytab = acceptor_cred->keytab;
+    }
+    
+    /*
+     * We need to check the ticket and create the AP-REP packet
+     */
+
+    {
+	krb5_rd_req_in_ctx in = NULL;
+	krb5_rd_req_out_ctx out = NULL;
+
+	kret = krb5_rd_req_in_ctx_alloc(context, &in);
+	if (kret == 0)
+	    kret = krb5_rd_req_in_set_keytab(context, in, keytab);
+	if (kret) {
+	    if (in)
+		krb5_rd_req_in_ctx_free(context, in);
+	    ret = GSS_S_FAILURE;
+	    *minor_status = kret;
+	    return ret;
+	}
+
+	kret = krb5_rd_req_ctx(context,
+			       &ctx->auth_context,
+			       &indata,
+			       (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL : acceptor_cred->principal,
+			       in, &out);
+	krb5_rd_req_in_ctx_free(context, in);
+	if (kret) {
+	    ret = GSS_S_FAILURE;
+	    *minor_status = kret;
+	    return ret;
+	}
+
+	/*
+	 * We need to remember some data on the context_handle.
+	 */
+	kret = krb5_rd_req_out_get_ap_req_options(context, out,
+						  &ap_options);
+	if (kret == 0)
+	    kret = krb5_rd_req_out_get_ticket(context, out, 
+					      &ctx->ticket);
+	if (kret == 0)
+	    kret = krb5_rd_req_out_get_keyblock(context, out,
+						&ctx->service_keyblock);
+	ctx->lifetime = ctx->ticket->ticket.endtime;
+
+	krb5_rd_req_out_ctx_free(context, out);
+	if (kret) {
+	    ret = GSS_S_FAILURE;
+	    *minor_status = kret;
+	    return ret;
+	}
+    }
+    
+    
+    /*
+     * We need to copy the principal names to the context and the
+     * calling layer.
+     */
+    kret = krb5_copy_principal(context,
+			       ctx->ticket->client,
+			       &ctx->source);
+    if (kret) {
+	ret = GSS_S_FAILURE;
+	*minor_status = kret;
+    }
+
+    kret = krb5_copy_principal(context, 
+			       ctx->ticket->server,
+			       &ctx->target);
+    if (kret) {
+	ret = GSS_S_FAILURE;
+	*minor_status = kret;
+	return ret;
+    }
+    
+    /*
+     * We need to setup some compat stuff, this assumes that
+     * context_handle->target is already set.
+     */
+    ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
+    if (ret)
+	return ret;
+
+    if (src_name != NULL) {
+	kret = krb5_copy_principal (context,
+				    ctx->ticket->client,
+				    (gsskrb5_name*)src_name);
+	if (kret) {
+	    ret = GSS_S_FAILURE;
+	    *minor_status = kret;
+	    return ret;
+	}
+    }
+
+    /*
+     * We need to get the flags out of the 8003 checksum.
+     */
+    {
+	krb5_authenticator authenticator;
+      
+	kret = krb5_auth_con_getauthenticator(context,
+					      ctx->auth_context,
+					      &authenticator);
+	if(kret) {
+	    ret = GSS_S_FAILURE;
+	    *minor_status = kret;
+	    return ret;
+	}
+
+        if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
+            ret = _gsskrb5_verify_8003_checksum(minor_status,
+						input_chan_bindings,
+						authenticator->cksum,
+						&ctx->flags,
+						&ctx->fwd_data);
+
+	    krb5_free_authenticator(context, &authenticator);
+	    if (ret) {
+		return ret;
+	    }
+        } else {
+	    krb5_crypto crypto;
+
+	    kret = krb5_crypto_init(context, 
+				    ctx->auth_context->keyblock, 
+				    0, &crypto);
+	    if(kret) {
+		krb5_free_authenticator(context, &authenticator);
+
+		ret = GSS_S_FAILURE;
+		*minor_status = kret;
+		return ret;
+	    }
+
+	    /* 
+	     * Windows accepts Samba3's use of a kerberos, rather than
+	     * GSSAPI checksum here 
+	     */
+
+	    kret = krb5_verify_checksum(context,
+					crypto, KRB5_KU_AP_REQ_AUTH_CKSUM, NULL, 0,
+					authenticator->cksum);
+	    krb5_free_authenticator(context, &authenticator);
+	    krb5_crypto_destroy(context, crypto);
+
+	    if(kret) {
+		ret = GSS_S_BAD_SIG;
+		*minor_status = kret;
+		return ret;
+	    }
+
+	    /* 
+	     * Samba style get some flags (but not DCE-STYLE)
+	     */
+	    ctx->flags = 
+		GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+        }
+    }
+    
+    if(ctx->flags & GSS_C_MUTUAL_FLAG) {
+	krb5_data outbuf;
+	    
+	_gsskrb5i_is_cfx(ctx, &is_cfx);
+	    
+	if (is_cfx != 0 
+	    || (ap_options & AP_OPTS_USE_SUBKEY)) {
+	    kret = krb5_auth_con_addflags(context,
+					  ctx->auth_context,
+					  KRB5_AUTH_CONTEXT_USE_SUBKEY,
+					  NULL);
+	    ctx->more_flags |= ACCEPTOR_SUBKEY;
+	}
+	    
+	kret = krb5_mk_rep(context,
+			   ctx->auth_context,
+			   &outbuf);
+	if (kret) {
+	    *minor_status = kret;
+	    return GSS_S_FAILURE;
+	}
+	    
+	if (IS_DCE_STYLE(ctx)) {
+	    output_token->length = outbuf.length;
+	    output_token->value = outbuf.data;
+	} else {
+	    ret = _gsskrb5_encapsulate(minor_status,
+				       &outbuf,
+				       output_token,
+				       "\x02\x00",
+				       GSS_KRB5_MECHANISM);
+	    krb5_data_free (&outbuf);
+	    if (ret)
+		return ret;
+	}
+    }
+    
+    ctx->flags |= GSS_C_TRANS_FLAG;
+
+    /* Remember the flags */
+    
+    ctx->lifetime = ctx->ticket->ticket.endtime;
+    ctx->more_flags |= OPEN;
+    
+    if (mech_type)
+	*mech_type = GSS_KRB5_MECHANISM;
+    
+    if (time_rec) {
+	ret = _gsskrb5_lifetime_left(minor_status,
+				     context,
+				     ctx->lifetime,
+				     time_rec);
+	if (ret) {
+	    return ret;
+	}
+    }
+
+    /*
+     * When GSS_C_DCE_STYLE is in use, we need ask for a AP-REP from
+     * the client.
+     */
+    if (IS_DCE_STYLE(ctx)) {
+	/*
+	 * Return flags to caller, but we haven't processed
+	 * delgations yet
+	 */
+	if (ret_flags)
+	    *ret_flags = (ctx->flags & ~GSS_C_DELEG_FLAG);
+
+	ctx->state = ACCEPTOR_WAIT_FOR_DCESTYLE;
+	return GSS_S_CONTINUE_NEEDED;
+    }
+
+    ret = gsskrb5_acceptor_ready(minor_status, ctx, context, 
+				 delegated_cred_handle);
+
+    if (ret_flags)
+	*ret_flags = ctx->flags;
+
+    return ret;
+}
+
+static OM_uint32
+acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
+			   gsskrb5_ctx ctx,
+			   krb5_context context,
+			   const gss_cred_id_t acceptor_cred_handle,
+			   const gss_buffer_t input_token_buffer,
+			   const gss_channel_bindings_t input_chan_bindings,
+			   gss_name_t * src_name,
+			   gss_OID * mech_type,
+			   gss_buffer_t output_token,
+			   OM_uint32 * ret_flags,
+			   OM_uint32 * time_rec,
+			   gss_cred_id_t * delegated_cred_handle)
+{
+    OM_uint32 ret;
+    krb5_error_code kret;
+    krb5_data inbuf;
+    int32_t r_seq_number, l_seq_number;
+	
+    /* 
+     * We know it's GSS_C_DCE_STYLE so we don't need to decapsulate the AP_REP
+     */
+
+    inbuf.length = input_token_buffer->length;
+    inbuf.data = input_token_buffer->value;
+
+    /* 
+     * We need to remeber the old remote seq_number, then check if the
+     * client has replied with our local seq_number, and then reset
+     * the remote seq_number to the old value
+     */
+    {
+	kret = krb5_auth_con_getlocalseqnumber(context,
+					       ctx->auth_context,
+					       &l_seq_number);
+	if (kret) {
+	    *minor_status = kret;
+	    return GSS_S_FAILURE;
+	}
+
+	kret = krb5_auth_getremoteseqnumber(context,
+					    ctx->auth_context,
+					    &r_seq_number);
+	if (kret) {
+	    *minor_status = kret;
+	    return GSS_S_FAILURE;
+	}
+
+	kret = krb5_auth_con_setremoteseqnumber(context,
+						ctx->auth_context,
+						l_seq_number);
+	if (kret) {
+	    *minor_status = kret;
+	    return GSS_S_FAILURE;
+	}
+    }
+
+    /* 
+     * We need to verify the AP_REP, but we need to flag that this is
+     * DCE_STYLE, so don't check the timestamps this time, but put the
+     * flag DO_TIME back afterward.
+    */ 
+    {
+	krb5_ap_rep_enc_part *repl;
+	int32_t auth_flags;
+		
+	krb5_auth_con_removeflags(context,
+				  ctx->auth_context,
+				  KRB5_AUTH_CONTEXT_DO_TIME,
+				  &auth_flags);
+
+	kret = krb5_rd_rep(context, ctx->auth_context, &inbuf, &repl);
+	if (kret) {
+	    *minor_status = kret;
+	    return GSS_S_FAILURE;
+	}
+	krb5_free_ap_rep_enc_part(context, repl);
+	krb5_auth_con_setflags(context, ctx->auth_context, auth_flags);
+    }
+
+    /* We need to check the liftime */
+    {
+	OM_uint32 lifetime_rec;
+
+	ret = _gsskrb5_lifetime_left(minor_status,
+				     context,
+				     ctx->lifetime,
+				     &lifetime_rec);
+	if (ret) {
+	    return ret;
+	}
+	if (lifetime_rec == 0) {
+	    return GSS_S_CONTEXT_EXPIRED;
+	}
+	
+	if (time_rec) *time_rec = lifetime_rec;
+    }
+
+    /* We need to give the caller the flags which are in use */
+    if (ret_flags) *ret_flags = ctx->flags;
+
+    if (src_name) {
+	kret = krb5_copy_principal(context,
+				   ctx->source,
+				   (gsskrb5_name*)src_name);
+	if (kret) {
+	    *minor_status = kret;
+	    return GSS_S_FAILURE;
+	}
+    }
+
+    /*
+     * After the krb5_rd_rep() the remote and local seq_number should
+     * be the same, because the client just replies the seq_number
+     * from our AP-REP in its AP-REP, but then the client uses the
+     * seq_number from its AP-REQ for GSS_wrap()
+     */
+    {
+	int32_t tmp_r_seq_number, tmp_l_seq_number;
+
+	kret = krb5_auth_getremoteseqnumber(context,
+					    ctx->auth_context,
+					    &tmp_r_seq_number);
+	if (kret) {
+	    *minor_status = kret;
+	    return GSS_S_FAILURE;
+	}
+
+	kret = krb5_auth_con_getlocalseqnumber(context,
+					       ctx->auth_context,
+					       &tmp_l_seq_number);
+	if (kret) {
+
+	    *minor_status = kret;
+	    return GSS_S_FAILURE;
+	}
+
+	/*
+	 * Here we check if the client has responsed with our local seq_number,
+	 */
+	if (tmp_r_seq_number != tmp_l_seq_number) {
+	    return GSS_S_UNSEQ_TOKEN;
+	}
+    }
+
+    /*
+     * We need to reset the remote seq_number, because the client will use,
+     * the old one for the GSS_wrap() calls
+     */
+    {
+	kret = krb5_auth_con_setremoteseqnumber(context,
+						ctx->auth_context,
+						r_seq_number);	
+	if (kret) {
+	    *minor_status = kret;
+	    return GSS_S_FAILURE;
+	}
+    }
+
+    return gsskrb5_acceptor_ready(minor_status, ctx, context, 
+				  delegated_cred_handle);
+}
+
+
+OM_uint32
+_gsskrb5_accept_sec_context(OM_uint32 * minor_status,
+			    gss_ctx_id_t * context_handle,
+			    const gss_cred_id_t acceptor_cred_handle,
+			    const gss_buffer_t input_token_buffer,
+			    const gss_channel_bindings_t input_chan_bindings,
+			    gss_name_t * src_name,
+			    gss_OID * mech_type,
+			    gss_buffer_t output_token,
+			    OM_uint32 * ret_flags,
+			    OM_uint32 * time_rec,
+			    gss_cred_id_t * delegated_cred_handle)
+{
+    krb5_context context;
+    OM_uint32 ret;
+    gsskrb5_ctx ctx;
+
+    GSSAPI_KRB5_INIT(&context);
+
+    output_token->length = 0;
+    output_token->value = NULL;
+
+    if (src_name != NULL)
+	*src_name = NULL;
+    if (mech_type)
+	*mech_type = GSS_KRB5_MECHANISM;
+
+    if (*context_handle == GSS_C_NO_CONTEXT) {
+	ret = _gsskrb5_create_ctx(minor_status,
+				  context_handle,
+				  context,
+				  input_chan_bindings,
+				  ACCEPTOR_START);
+	if (ret)
+	    return ret;
+    }
+    
+    ctx = (gsskrb5_ctx)*context_handle;
+
+    
+    /*
+     * TODO: check the channel_bindings 
+     * (above just sets them to krb5 layer)
+     */
+
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+    
+    switch (ctx->state) {
+    case ACCEPTOR_START:
+	ret = gsskrb5_acceptor_start(minor_status,
+				     ctx,
+				     context,
+				     acceptor_cred_handle,
+				     input_token_buffer,
+				     input_chan_bindings,
+				     src_name,
+				     mech_type,
+				     output_token,
+				     ret_flags,
+				     time_rec,
+				     delegated_cred_handle);
+	break;
+    case ACCEPTOR_WAIT_FOR_DCESTYLE:
+	ret = acceptor_wait_for_dcestyle(minor_status,
+					 ctx,
+					 context,
+					 acceptor_cred_handle,
+					 input_token_buffer,
+					 input_chan_bindings,
+					 src_name,
+					 mech_type,
+					 output_token,
+					 ret_flags,
+					 time_rec,
+					 delegated_cred_handle);
+	break;
+    case ACCEPTOR_READY:
+	/* 
+	 * If we get there, the caller have called
+	 * gss_accept_sec_context() one time too many.
+	 */
+	ret =  GSS_S_BAD_STATUS;
+	break;
+    default:
+	/* TODO: is this correct here? --metze */
+	ret =  GSS_S_BAD_STATUS;
+	break;
+    }
+    
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+    
+    if (GSS_ERROR(ret)) {
+	OM_uint32 min2;
+	_gsskrb5_delete_sec_context(&min2, context_handle, GSS_C_NO_BUFFER);
+    }
+
+    return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/acquire_cred.c b/crypto/heimdal/lib/gssapi/krb5/acquire_cred.c
new file mode 100644
index 0000000..6e13a42
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/acquire_cred.c
@@ -0,0 +1,398 @@
+/*
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: acquire_cred.c 22124 2007-12-04 00:03:52Z lha $");
+
+OM_uint32
+__gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
+			  krb5_context context,
+			  krb5_ccache id,
+			  krb5_principal principal,
+			  OM_uint32 *lifetime)
+{
+    krb5_creds in_cred, *out_cred;
+    krb5_const_realm realm;
+    krb5_error_code kret;
+
+    memset(&in_cred, 0, sizeof(in_cred));
+    in_cred.client = principal;
+	
+    realm = krb5_principal_get_realm(context,  principal);
+    if (realm == NULL) {
+	_gsskrb5_clear_status ();
+	*minor_status = KRB5_PRINC_NOMATCH; /* XXX */
+	return GSS_S_FAILURE;
+    }
+
+    kret = krb5_make_principal(context, &in_cred.server, 
+			       realm, KRB5_TGS_NAME, realm, NULL);
+    if (kret) {
+	*minor_status = kret;
+	return GSS_S_FAILURE;
+    }
+
+    kret = krb5_get_credentials(context, 0, 
+				id, &in_cred, &out_cred);
+    krb5_free_principal(context, in_cred.server);
+    if (kret) {
+	*minor_status = kret;
+	return GSS_S_FAILURE;
+    }
+
+    *lifetime = out_cred->times.endtime;
+    krb5_free_creds(context, out_cred);
+
+    return GSS_S_COMPLETE;
+}
+
+
+
+
+static krb5_error_code
+get_keytab(krb5_context context, krb5_keytab *keytab)
+{
+    char kt_name[256];
+    krb5_error_code kret;
+
+    HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex);
+
+    if (_gsskrb5_keytab != NULL) {
+	kret = krb5_kt_get_name(context,
+				_gsskrb5_keytab,
+				kt_name, sizeof(kt_name));
+	if (kret == 0)
+	    kret = krb5_kt_resolve(context, kt_name, keytab);
+    } else
+	kret = krb5_kt_default(context, keytab);
+
+    HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
+
+    return (kret);
+}
+
+static OM_uint32 acquire_initiator_cred
+		  (OM_uint32 * minor_status,
+		   krb5_context context,
+		   const gss_name_t desired_name,
+		   OM_uint32 time_req,
+		   const gss_OID_set desired_mechs,
+		   gss_cred_usage_t cred_usage,
+		   gsskrb5_cred handle,
+		   gss_OID_set * actual_mechs,
+		   OM_uint32 * time_rec
+		  )
+{
+    OM_uint32 ret;
+    krb5_creds cred;
+    krb5_principal def_princ;
+    krb5_get_init_creds_opt *opt;
+    krb5_ccache ccache;
+    krb5_keytab keytab;
+    krb5_error_code kret;
+
+    keytab = NULL;
+    ccache = NULL;
+    def_princ = NULL;
+    ret = GSS_S_FAILURE;
+    memset(&cred, 0, sizeof(cred));
+
+    /* If we have a preferred principal, lets try to find it in all
+     * caches, otherwise, fall back to default cache.  Ignore
+     * errors. */
+    if (handle->principal)
+	kret = krb5_cc_cache_match (context,
+				    handle->principal,
+				    NULL,
+				    &ccache);
+    
+    if (ccache == NULL) {
+	kret = krb5_cc_default(context, &ccache);
+	if (kret)
+	    goto end;
+    }
+    kret = krb5_cc_get_principal(context, ccache,
+	&def_princ);
+    if (kret != 0) {
+	/* we'll try to use a keytab below */
+	krb5_cc_destroy(context, ccache);
+	ccache = NULL;
+	kret = 0;
+    } else if (handle->principal == NULL)  {
+	kret = krb5_copy_principal(context, def_princ,
+	    &handle->principal);
+	if (kret)
+	    goto end;
+    } else if (handle->principal != NULL &&
+	krb5_principal_compare(context, handle->principal,
+	def_princ) == FALSE) {
+	/* Before failing, lets check the keytab */
+	krb5_free_principal(context, def_princ);
+	def_princ = NULL;
+    }
+    if (def_princ == NULL) {
+	/* We have no existing credentials cache,
+	 * so attempt to get a TGT using a keytab.
+	 */
+	if (handle->principal == NULL) {
+	    kret = krb5_get_default_principal(context,
+		&handle->principal);
+	    if (kret)
+		goto end;
+	}
+	kret = get_keytab(context, &keytab);
+	if (kret)
+	    goto end;
+	kret = krb5_get_init_creds_opt_alloc(context, &opt);
+	if (kret)
+	    goto end;
+	kret = krb5_get_init_creds_keytab(context, &cred,
+	    handle->principal, keytab, 0, NULL, opt);
+	krb5_get_init_creds_opt_free(context, opt);
+	if (kret)
+	    goto end;
+	kret = krb5_cc_gen_new(context, &krb5_mcc_ops,
+		&ccache);
+	if (kret)
+	    goto end;
+	kret = krb5_cc_initialize(context, ccache, cred.client);
+	if (kret)
+	    goto end;
+	kret = krb5_cc_store_cred(context, ccache, &cred);
+	if (kret)
+	    goto end;
+	handle->lifetime = cred.times.endtime;
+	handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
+    } else {
+
+	ret = __gsskrb5_ccache_lifetime(minor_status,
+					context,
+					ccache,
+					handle->principal,
+					&handle->lifetime);
+	if (ret != GSS_S_COMPLETE)
+	    goto end;
+	kret = 0;
+    }
+
+    handle->ccache = ccache;
+    ret = GSS_S_COMPLETE;
+
+end:
+    if (cred.client != NULL)
+	krb5_free_cred_contents(context, &cred);
+    if (def_princ != NULL)
+	krb5_free_principal(context, def_princ);
+    if (keytab != NULL)
+	krb5_kt_close(context, keytab);
+    if (ret != GSS_S_COMPLETE) {
+	if (ccache != NULL)
+	    krb5_cc_close(context, ccache);
+	if (kret != 0) {
+	    *minor_status = kret;
+	}
+    }
+    return (ret);
+}
+
+static OM_uint32 acquire_acceptor_cred
+		  (OM_uint32 * minor_status,
+		   krb5_context context,
+		   const gss_name_t desired_name,
+		   OM_uint32 time_req,
+		   const gss_OID_set desired_mechs,
+		   gss_cred_usage_t cred_usage,
+		   gsskrb5_cred handle,
+		   gss_OID_set * actual_mechs,
+		   OM_uint32 * time_rec
+		  )
+{
+    OM_uint32 ret;
+    krb5_error_code kret;
+
+    kret = 0;
+    ret = GSS_S_FAILURE;
+    kret = get_keytab(context, &handle->keytab);
+    if (kret)
+	goto end;
+    
+    /* check that the requested principal exists in the keytab */
+    if (handle->principal) {
+	krb5_keytab_entry entry;
+
+	kret = krb5_kt_get_entry(context, handle->keytab, 
+				 handle->principal, 0, 0, &entry);
+	if (kret)
+	    goto end;
+	krb5_kt_free_entry(context, &entry);
+	ret = GSS_S_COMPLETE;
+    } else {
+	/* 
+	 * Check if there is at least one entry in the keytab before
+	 * declaring it as an useful keytab.
+	 */
+	krb5_keytab_entry tmp;
+	krb5_kt_cursor c;
+
+	kret = krb5_kt_start_seq_get (context, handle->keytab, &c);
+	if (kret)
+	    goto end;
+	if (krb5_kt_next_entry(context, handle->keytab, &tmp, &c) == 0) {
+	    krb5_kt_free_entry(context, &tmp);
+	    ret = GSS_S_COMPLETE; /* ok found one entry */
+	}
+	krb5_kt_end_seq_get (context, handle->keytab, &c);
+    } 
+end:
+    if (ret != GSS_S_COMPLETE) {
+	if (handle->keytab != NULL)
+	    krb5_kt_close(context, handle->keytab);
+	if (kret != 0) {
+	    *minor_status = kret;
+	}
+    }
+    return (ret);
+}
+
+OM_uint32 _gsskrb5_acquire_cred
+(OM_uint32 * minor_status,
+ const gss_name_t desired_name,
+ OM_uint32 time_req,
+ const gss_OID_set desired_mechs,
+ gss_cred_usage_t cred_usage,
+ gss_cred_id_t * output_cred_handle,
+ gss_OID_set * actual_mechs,
+ OM_uint32 * time_rec
+    )
+{
+    krb5_context context;
+    gsskrb5_cred handle;
+    OM_uint32 ret;
+
+    if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) {
+	*minor_status = GSS_KRB5_S_G_BAD_USAGE;
+	return GSS_S_FAILURE;
+    }
+
+    GSSAPI_KRB5_INIT(&context);
+
+    *output_cred_handle = NULL;
+    if (time_rec)
+	*time_rec = 0;
+    if (actual_mechs)
+	*actual_mechs = GSS_C_NO_OID_SET;
+
+    if (desired_mechs) {
+	int present = 0;
+
+	ret = gss_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
+				      desired_mechs, &present); 
+	if (ret)
+	    return ret;
+	if (!present) {
+	    *minor_status = 0;
+	    return GSS_S_BAD_MECH;
+	}
+    }
+
+    handle = calloc(1, sizeof(*handle));
+    if (handle == NULL) {
+	*minor_status = ENOMEM;
+        return (GSS_S_FAILURE);
+    }
+
+    HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
+
+    if (desired_name != GSS_C_NO_NAME) {
+	krb5_principal name = (krb5_principal)desired_name;
+	ret = krb5_copy_principal(context, name, &handle->principal);
+	if (ret) {
+	    HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
+	    *minor_status = ret;
+	    free(handle);
+	    return GSS_S_FAILURE;
+	}
+    }
+    if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
+	ret = acquire_initiator_cred(minor_status, context,
+				     desired_name, time_req,
+				     desired_mechs, cred_usage, handle,
+				     actual_mechs, time_rec);
+    	if (ret != GSS_S_COMPLETE) {
+	    HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
+	    krb5_free_principal(context, handle->principal);
+	    free(handle);
+	    return (ret);
+	}
+    }
+    if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
+	ret = acquire_acceptor_cred(minor_status, context,
+				    desired_name, time_req,
+				    desired_mechs, cred_usage, handle, actual_mechs, time_rec);
+	if (ret != GSS_S_COMPLETE) {
+	    HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
+	    krb5_free_principal(context, handle->principal);
+	    free(handle);
+	    return (ret);
+	}
+    }
+    ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
+    if (ret == GSS_S_COMPLETE)
+    	ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
+				     &handle->mechanisms);
+    if (ret == GSS_S_COMPLETE)
+    	ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)handle, 
+				    NULL, time_rec, NULL, actual_mechs);
+    if (ret != GSS_S_COMPLETE) {
+	if (handle->mechanisms != NULL)
+	    gss_release_oid_set(NULL, &handle->mechanisms);
+	HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
+	krb5_free_principal(context, handle->principal);
+	free(handle);
+	return (ret);
+    } 
+    *minor_status = 0;
+    if (time_rec) {
+	ret = _gsskrb5_lifetime_left(minor_status,
+				     context,
+				     handle->lifetime,
+				     time_rec);
+
+	if (ret)
+	    return ret;
+    }
+    handle->usage = cred_usage;
+    *output_cred_handle = (gss_cred_id_t)handle;
+    return (GSS_S_COMPLETE);
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/add_cred.c b/crypto/heimdal/lib/gssapi/krb5/add_cred.c
new file mode 100644
index 0000000..9a1045a
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/add_cred.c
@@ -0,0 +1,252 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: add_cred.c 20688 2007-05-17 18:44:31Z lha $");
+
+OM_uint32 _gsskrb5_add_cred (
+     OM_uint32           *minor_status,
+     const gss_cred_id_t input_cred_handle,
+     const gss_name_t    desired_name,
+     const gss_OID       desired_mech,
+     gss_cred_usage_t    cred_usage,
+     OM_uint32           initiator_time_req,
+     OM_uint32           acceptor_time_req,
+     gss_cred_id_t       *output_cred_handle,
+     gss_OID_set         *actual_mechs,
+     OM_uint32           *initiator_time_rec,
+     OM_uint32           *acceptor_time_rec)
+{
+    krb5_context context;
+    OM_uint32 ret, lifetime;
+    gsskrb5_cred cred, handle;
+    krb5_const_principal dname;
+
+    handle = NULL;
+    cred = (gsskrb5_cred)input_cred_handle;
+    dname = (krb5_const_principal)desired_name;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    if (gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0) {
+	*minor_status = 0;
+	return GSS_S_BAD_MECH;
+    }
+
+    if (cred == NULL && output_cred_handle == NULL) {
+	*minor_status = 0;
+	return GSS_S_NO_CRED;
+    }
+
+    if (cred == NULL) { /* XXX standard conformance failure */
+	*minor_status = 0;
+	return GSS_S_NO_CRED;
+    }
+
+    /* check if requested output usage is compatible with output usage */ 
+    if (output_cred_handle != NULL) {
+	HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
+	if (cred->usage != cred_usage && cred->usage != GSS_C_BOTH) {
+	    HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
+	    *minor_status = GSS_KRB5_S_G_BAD_USAGE;
+	    return(GSS_S_FAILURE);
+	}
+    }
+	
+    /* check that we have the same name */
+    if (dname != NULL &&
+	krb5_principal_compare(context, dname, 
+			       cred->principal) != FALSE) {
+	if (output_cred_handle)
+	    HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
+	*minor_status = 0;
+	return GSS_S_BAD_NAME;
+    }
+
+    /* make a copy */
+    if (output_cred_handle) {
+	krb5_error_code kret;
+
+	handle = calloc(1, sizeof(*handle));
+	if (handle == NULL) {
+	    HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
+	    *minor_status = ENOMEM;
+	    return (GSS_S_FAILURE);
+	}
+
+	handle->usage = cred_usage;
+	handle->lifetime = cred->lifetime;
+	handle->principal = NULL;
+	handle->keytab = NULL;
+	handle->ccache = NULL;
+	handle->mechanisms = NULL;
+	HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
+	
+	ret = GSS_S_FAILURE;
+
+	kret = krb5_copy_principal(context, cred->principal,
+				  &handle->principal);
+	if (kret) {
+	    HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
+	    free(handle);
+	    *minor_status = kret;
+	    return GSS_S_FAILURE;
+	}
+
+	if (cred->keytab) {
+	    char name[KRB5_KT_PREFIX_MAX_LEN + MAXPATHLEN];
+	    int len;
+	    
+	    ret = GSS_S_FAILURE;
+
+	    kret = krb5_kt_get_type(context, cred->keytab,
+				    name, KRB5_KT_PREFIX_MAX_LEN);
+	    if (kret) {
+		*minor_status = kret;
+		goto failure;
+	    }
+	    len = strlen(name);
+	    name[len++] = ':';
+
+	    kret = krb5_kt_get_name(context, cred->keytab,
+				    name + len, 
+				    sizeof(name) - len);
+	    if (kret) {
+		*minor_status = kret;
+		goto failure;
+	    }
+
+	    kret = krb5_kt_resolve(context, name,
+				   &handle->keytab);
+	    if (kret){
+		*minor_status = kret;
+		goto failure;
+	    }
+	}
+
+	if (cred->ccache) {
+	    const char *type, *name;
+	    char *type_name;
+
+	    ret = GSS_S_FAILURE;
+
+	    type = krb5_cc_get_type(context, cred->ccache);
+	    if (type == NULL){
+		*minor_status = ENOMEM;
+		goto failure;
+	    }
+
+	    if (strcmp(type, "MEMORY") == 0) {
+		ret = krb5_cc_gen_new(context, &krb5_mcc_ops,
+				      &handle->ccache);
+		if (ret) {
+		    *minor_status = ret;
+		    goto failure;
+		}
+
+		ret = krb5_cc_copy_cache(context, cred->ccache,
+					 handle->ccache);
+		if (ret) {
+		    *minor_status = ret;
+		    goto failure;
+		}
+
+	    } else {
+		name = krb5_cc_get_name(context, cred->ccache);
+		if (name == NULL) {
+		    *minor_status = ENOMEM;
+		    goto failure;
+		}
+		
+		asprintf(&type_name, "%s:%s", type, name);
+		if (type_name == NULL) {
+		    *minor_status = ENOMEM;
+		    goto failure;
+		}
+		
+		kret = krb5_cc_resolve(context, type_name,
+				       &handle->ccache);
+		free(type_name);
+		if (kret) {
+		    *minor_status = kret;
+		    goto failure;
+		}	    
+	    }
+	}
+	ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
+	if (ret)
+	    goto failure;
+
+	ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
+				     &handle->mechanisms);
+	if (ret)
+	    goto failure;
+    }
+
+    HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
+
+    ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)cred, 
+				NULL, &lifetime, NULL, actual_mechs);
+    if (ret)
+	goto failure;
+
+    if (initiator_time_rec)
+	*initiator_time_rec = lifetime;
+    if (acceptor_time_rec)
+	*acceptor_time_rec = lifetime;
+
+    if (output_cred_handle) {
+	*output_cred_handle = (gss_cred_id_t)handle;
+    }
+
+    *minor_status = 0;
+    return ret;
+
+ failure:
+
+    if (handle) {
+	if (handle->principal)
+	    krb5_free_principal(context, handle->principal);
+	if (handle->keytab)
+	    krb5_kt_close(context, handle->keytab);
+	if (handle->ccache)
+	    krb5_cc_destroy(context, handle->ccache);
+	if (handle->mechanisms)
+	    gss_release_oid_set(NULL, &handle->mechanisms);
+	free(handle);
+    }
+    if (output_cred_handle)
+	HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/address_to_krb5addr.c b/crypto/heimdal/lib/gssapi/krb5/address_to_krb5addr.c
new file mode 100644
index 0000000..18a90fe
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/address_to_krb5addr.c
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+#include <roken.h>
+
+krb5_error_code
+_gsskrb5i_address_to_krb5addr(krb5_context context,
+			      OM_uint32 gss_addr_type,
+			      gss_buffer_desc *gss_addr,
+			      int16_t port,
+			      krb5_address *address)
+{
+   int addr_type;
+   struct sockaddr sa;
+   krb5_socklen_t sa_size = sizeof(sa);
+   krb5_error_code problem;
+   
+   if (gss_addr == NULL)
+      return GSS_S_FAILURE; 
+   
+   switch (gss_addr_type) {
+#ifdef HAVE_IPV6
+      case GSS_C_AF_INET6: addr_type = AF_INET6;
+                           break;
+#endif /* HAVE_IPV6 */
+                           
+      case GSS_C_AF_INET:  addr_type = AF_INET;
+                           break;
+      default:
+                           return GSS_S_FAILURE;
+   }
+                      
+   problem = krb5_h_addr2sockaddr (context,
+				   addr_type,
+                                   gss_addr->value, 
+                                   &sa, 
+                                   &sa_size, 
+                                   port);
+   if (problem)
+      return GSS_S_FAILURE;
+
+   problem = krb5_sockaddr2address (context, &sa, address);
+
+   return problem;  
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/arcfour.c b/crypto/heimdal/lib/gssapi/krb5/arcfour.c
new file mode 100644
index 0000000..032da36
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/arcfour.c
@@ -0,0 +1,760 @@
+/*
+ * Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: arcfour.c 19031 2006-11-13 18:02:57Z lha $");
+
+/*
+ * Implements draft-brezak-win2k-krb-rc4-hmac-04.txt
+ *
+ * The arcfour message have the following formats:
+ *
+ * MIC token
+ * 	TOK_ID[2] = 01 01
+ *	SGN_ALG[2] = 11 00
+ *	Filler[4]
+ *	SND_SEQ[8]
+ *	SGN_CKSUM[8]
+ *
+ * WRAP token
+ *	TOK_ID[2] = 02 01
+ *	SGN_ALG[2];
+ *	SEAL_ALG[2]
+ *	Filler[2]
+ *	SND_SEQ[2]
+ *	SGN_CKSUM[8]
+ *	Confounder[8]
+ */
+
+/*
+ * WRAP in DCE-style have a fixed size header, the oid and length over
+ * the WRAP header is a total of
+ * GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE +
+ * GSS_ARCFOUR_WRAP_TOKEN_SIZE byte (ie total of 45 bytes overhead,
+ * remember the 2 bytes from APPL [0] SEQ).
+ */
+
+#define GSS_ARCFOUR_WRAP_TOKEN_SIZE 32
+#define GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE 13
+
+
+static krb5_error_code
+arcfour_mic_key(krb5_context context, krb5_keyblock *key,
+		void *cksum_data, size_t cksum_size,
+		void *key6_data, size_t key6_size)
+{
+    krb5_error_code ret;
+    
+    Checksum cksum_k5;
+    krb5_keyblock key5;
+    char k5_data[16];
+    
+    Checksum cksum_k6;
+    
+    char T[4];
+
+    memset(T, 0, 4);
+    cksum_k5.checksum.data = k5_data;
+    cksum_k5.checksum.length = sizeof(k5_data);
+
+    if (key->keytype == KEYTYPE_ARCFOUR_56) {
+	char L40[14] = "fortybits";
+
+	memcpy(L40 + 10, T, sizeof(T));
+	ret = krb5_hmac(context, CKSUMTYPE_RSA_MD5,
+			L40, 14, 0, key, &cksum_k5);
+	memset(&k5_data[7], 0xAB, 9);
+    } else {
+	ret = krb5_hmac(context, CKSUMTYPE_RSA_MD5,
+			T, 4, 0, key, &cksum_k5);
+    }
+    if (ret)
+	return ret;
+
+    key5.keytype = KEYTYPE_ARCFOUR;
+    key5.keyvalue = cksum_k5.checksum;
+
+    cksum_k6.checksum.data = key6_data;
+    cksum_k6.checksum.length = key6_size;
+
+    return krb5_hmac(context, CKSUMTYPE_RSA_MD5,
+		     cksum_data, cksum_size, 0, &key5, &cksum_k6);
+}
+
+
+static krb5_error_code
+arcfour_mic_cksum(krb5_context context,
+		  krb5_keyblock *key, unsigned usage,
+		  u_char *sgn_cksum, size_t sgn_cksum_sz,
+		  const u_char *v1, size_t l1,
+		  const void *v2, size_t l2,
+		  const void *v3, size_t l3)
+{
+    Checksum CKSUM;
+    u_char *ptr;
+    size_t len;
+    krb5_crypto crypto;
+    krb5_error_code ret;
+    
+    assert(sgn_cksum_sz == 8);
+
+    len = l1 + l2 + l3;
+
+    ptr = malloc(len);
+    if (ptr == NULL)
+	return ENOMEM;
+
+    memcpy(ptr, v1, l1);
+    memcpy(ptr + l1, v2, l2);
+    memcpy(ptr + l1 + l2, v3, l3);
+    
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret) {
+	free(ptr);
+	return ret;
+    }
+    
+    ret = krb5_create_checksum(context,
+			       crypto,
+			       usage,
+			       0,
+			       ptr, len,
+			       &CKSUM);
+    free(ptr);
+    if (ret == 0) {
+	memcpy(sgn_cksum, CKSUM.checksum.data, sgn_cksum_sz);
+	free_Checksum(&CKSUM);
+    }
+    krb5_crypto_destroy(context, crypto);
+
+    return ret;
+}
+
+
+OM_uint32
+_gssapi_get_mic_arcfour(OM_uint32 * minor_status,
+			const gsskrb5_ctx context_handle,
+			krb5_context context,
+			gss_qop_t qop_req,
+			const gss_buffer_t message_buffer,
+			gss_buffer_t message_token,
+			krb5_keyblock *key)
+{
+    krb5_error_code ret;
+    int32_t seq_number;
+    size_t len, total_len;
+    u_char k6_data[16], *p0, *p;
+    RC4_KEY rc4_key;
+    
+    _gsskrb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM);
+    
+    message_token->length = total_len;
+    message_token->value  = malloc (total_len);
+    if (message_token->value == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+    
+    p0 = _gssapi_make_mech_header(message_token->value,
+				  len,
+				  GSS_KRB5_MECHANISM);
+    p = p0;
+    
+    *p++ = 0x01; /* TOK_ID */
+    *p++ = 0x01;
+    *p++ = 0x11; /* SGN_ALG */
+    *p++ = 0x00;
+    *p++ = 0xff; /* Filler */
+    *p++ = 0xff;
+    *p++ = 0xff;
+    *p++ = 0xff;
+
+    p = NULL;
+
+    ret = arcfour_mic_cksum(context,
+			    key, KRB5_KU_USAGE_SIGN,
+			    p0 + 16, 8,  /* SGN_CKSUM */
+			    p0, 8, /* TOK_ID, SGN_ALG, Filer */
+			    message_buffer->value, message_buffer->length,
+			    NULL, 0);
+    if (ret) {
+	_gsskrb5_release_buffer(minor_status, message_token);
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    ret = arcfour_mic_key(context, key,
+			  p0 + 16, 8, /* SGN_CKSUM */
+			  k6_data, sizeof(k6_data));
+    if (ret) {
+	_gsskrb5_release_buffer(minor_status, message_token);
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+    krb5_auth_con_getlocalseqnumber (context,
+				     context_handle->auth_context,
+				     &seq_number);
+    p = p0 + 8; /* SND_SEQ */
+    _gsskrb5_encode_be_om_uint32(seq_number, p);
+    
+    krb5_auth_con_setlocalseqnumber (context,
+				     context_handle->auth_context,
+				     ++seq_number);
+    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+    
+    memset (p + 4, (context_handle->more_flags & LOCAL) ? 0 : 0xff, 4);
+
+    RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
+    RC4 (&rc4_key, 8, p, p);
+	
+    memset(&rc4_key, 0, sizeof(rc4_key));
+    memset(k6_data, 0, sizeof(k6_data));
+    
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
+
+
+OM_uint32
+_gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+			   const gsskrb5_ctx context_handle,
+			   krb5_context context,
+			   const gss_buffer_t message_buffer,
+			   const gss_buffer_t token_buffer,
+			   gss_qop_t * qop_state,
+			   krb5_keyblock *key,
+			   char *type)
+{
+    krb5_error_code ret;
+    uint32_t seq_number;
+    OM_uint32 omret;
+    u_char SND_SEQ[8], cksum_data[8], *p;
+    char k6_data[16];
+    int cmp;
+    
+    if (qop_state)
+	*qop_state = 0;
+
+    p = token_buffer->value;
+    omret = _gsskrb5_verify_header (&p,
+				       token_buffer->length,
+				       (u_char *)type,
+				       GSS_KRB5_MECHANISM);
+    if (omret)
+	return omret;
+    
+    if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */
+	return GSS_S_BAD_SIG;
+    p += 2;
+    if (memcmp (p, "\xff\xff\xff\xff", 4) != 0)
+	return GSS_S_BAD_MIC;
+    p += 4;
+
+    ret = arcfour_mic_cksum(context,
+			    key, KRB5_KU_USAGE_SIGN,
+			    cksum_data, sizeof(cksum_data),
+			    p - 8, 8,
+			    message_buffer->value, message_buffer->length,
+			    NULL, 0);
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    ret = arcfour_mic_key(context, key,
+			  cksum_data, sizeof(cksum_data),
+			  k6_data, sizeof(k6_data));
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    cmp = memcmp(cksum_data, p + 8, 8);
+    if (cmp) {
+	*minor_status = 0;
+	return GSS_S_BAD_MIC;
+    }
+
+    {
+	RC4_KEY rc4_key;
+	
+	RC4_set_key (&rc4_key, sizeof(k6_data), (void*)k6_data);
+	RC4 (&rc4_key, 8, p, SND_SEQ);
+	
+	memset(&rc4_key, 0, sizeof(rc4_key));
+	memset(k6_data, 0, sizeof(k6_data));
+    }
+
+    _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
+
+    if (context_handle->more_flags & LOCAL)
+	cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
+    else
+	cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
+
+    memset(SND_SEQ, 0, sizeof(SND_SEQ));
+    if (cmp != 0) {
+	*minor_status = 0;
+	return GSS_S_BAD_MIC;
+    }
+    
+    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+    omret = _gssapi_msg_order_check(context_handle->order, seq_number);
+    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+    if (omret)
+	return omret;
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32
+_gssapi_wrap_arcfour(OM_uint32 * minor_status,
+		     const gsskrb5_ctx context_handle,
+		     krb5_context context,
+		     int conf_req_flag,
+		     gss_qop_t qop_req,
+		     const gss_buffer_t input_message_buffer,
+		     int * conf_state,
+		     gss_buffer_t output_message_buffer,
+		     krb5_keyblock *key)
+{
+    u_char Klocaldata[16], k6_data[16], *p, *p0;
+    size_t len, total_len, datalen;
+    krb5_keyblock Klocal;
+    krb5_error_code ret;
+    int32_t seq_number;
+
+    if (conf_state)
+	*conf_state = 0;
+
+    datalen = input_message_buffer->length;
+
+    if (IS_DCE_STYLE(context_handle)) {
+	len = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
+	_gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
+	total_len += datalen;
+    } else {
+	datalen += 1; /* padding */
+	len = datalen + GSS_ARCFOUR_WRAP_TOKEN_SIZE;
+	_gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
+    }
+
+    output_message_buffer->length = total_len;
+    output_message_buffer->value  = malloc (total_len);
+    if (output_message_buffer->value == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+    
+    p0 = _gssapi_make_mech_header(output_message_buffer->value,
+				  len,
+				  GSS_KRB5_MECHANISM);
+    p = p0;
+
+    *p++ = 0x02; /* TOK_ID */
+    *p++ = 0x01;
+    *p++ = 0x11; /* SGN_ALG */
+    *p++ = 0x00;
+    if (conf_req_flag) {
+	*p++ = 0x10; /* SEAL_ALG */
+	*p++ = 0x00;
+    } else {
+	*p++ = 0xff; /* SEAL_ALG */
+	*p++ = 0xff;
+    }
+    *p++ = 0xff; /* Filler */
+    *p++ = 0xff;
+
+    p = NULL;
+
+    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+    krb5_auth_con_getlocalseqnumber (context,
+				     context_handle->auth_context,
+				     &seq_number);
+
+    _gsskrb5_encode_be_om_uint32(seq_number, p0 + 8);
+
+    krb5_auth_con_setlocalseqnumber (context,
+				     context_handle->auth_context,
+				     ++seq_number);
+    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+
+    memset (p0 + 8 + 4,
+	    (context_handle->more_flags & LOCAL) ? 0 : 0xff,
+	    4);
+
+    krb5_generate_random_block(p0 + 24, 8); /* fill in Confounder */
+    
+    /* p points to data */
+    p = p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE;
+    memcpy(p, input_message_buffer->value, input_message_buffer->length);
+
+    if (!IS_DCE_STYLE(context_handle))
+	p[input_message_buffer->length] = 1; /* padding */
+
+    ret = arcfour_mic_cksum(context,
+			    key, KRB5_KU_USAGE_SEAL,
+			    p0 + 16, 8, /* SGN_CKSUM */ 
+			    p0, 8, /* TOK_ID, SGN_ALG, SEAL_ALG, Filler */
+			    p0 + 24, 8, /* Confounder */
+			    p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, 
+			    datalen);
+    if (ret) {
+	*minor_status = ret;
+	_gsskrb5_release_buffer(minor_status, output_message_buffer);
+	return GSS_S_FAILURE;
+    }
+
+    {
+	int i;
+
+	Klocal.keytype = key->keytype;
+	Klocal.keyvalue.data = Klocaldata;
+	Klocal.keyvalue.length = sizeof(Klocaldata);
+
+	for (i = 0; i < 16; i++)
+	    Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0;
+    }
+    ret = arcfour_mic_key(context, &Klocal,
+			  p0 + 8, 4, /* SND_SEQ */
+			  k6_data, sizeof(k6_data));
+    memset(Klocaldata, 0, sizeof(Klocaldata));
+    if (ret) {
+	_gsskrb5_release_buffer(minor_status, output_message_buffer);
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+
+    if(conf_req_flag) {
+	RC4_KEY rc4_key;
+
+	RC4_set_key (&rc4_key, sizeof(k6_data), (void *)k6_data);
+	/* XXX ? */
+	RC4 (&rc4_key, 8 + datalen, p0 + 24, p0 + 24); /* Confounder + data */
+	memset(&rc4_key, 0, sizeof(rc4_key));
+    }
+    memset(k6_data, 0, sizeof(k6_data));
+
+    ret = arcfour_mic_key(context, key,
+			  p0 + 16, 8, /* SGN_CKSUM */
+			  k6_data, sizeof(k6_data));
+    if (ret) {
+	_gsskrb5_release_buffer(minor_status, output_message_buffer);
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    {
+	RC4_KEY rc4_key;
+	
+	RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
+	RC4 (&rc4_key, 8, p0 + 8, p0 + 8); /* SND_SEQ */
+	memset(&rc4_key, 0, sizeof(rc4_key));
+	memset(k6_data, 0, sizeof(k6_data));
+    }
+
+    if (conf_state)
+	*conf_state = conf_req_flag;
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+				 const gsskrb5_ctx context_handle,
+				 krb5_context context,
+				 const gss_buffer_t input_message_buffer,
+				 gss_buffer_t output_message_buffer,
+				 int *conf_state,
+				 gss_qop_t *qop_state,
+				 krb5_keyblock *key)
+{
+    u_char Klocaldata[16];
+    krb5_keyblock Klocal;
+    krb5_error_code ret;
+    uint32_t seq_number;
+    size_t datalen;
+    OM_uint32 omret;
+    u_char k6_data[16], SND_SEQ[8], Confounder[8];
+    u_char cksum_data[8];
+    u_char *p, *p0;
+    int cmp;
+    int conf_flag;
+    size_t padlen = 0, len;
+    
+    if (conf_state)
+	*conf_state = 0;
+    if (qop_state)
+	*qop_state = 0;
+
+    p0 = input_message_buffer->value;
+
+    if (IS_DCE_STYLE(context_handle)) {
+	len = GSS_ARCFOUR_WRAP_TOKEN_SIZE + 
+	    GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE;
+	if (input_message_buffer->length < len)
+	    return GSS_S_BAD_MECH;
+    } else {
+	len = input_message_buffer->length;
+    }
+
+    omret = _gssapi_verify_mech_header(&p0,
+				       len,
+				       GSS_KRB5_MECHANISM);
+    if (omret)
+	return omret;
+
+    /* length of mech header */
+    len = (p0 - (u_char *)input_message_buffer->value) + 
+	GSS_ARCFOUR_WRAP_TOKEN_SIZE;
+
+    if (len > input_message_buffer->length)
+	return GSS_S_BAD_MECH;
+
+    /* length of data */
+    datalen = input_message_buffer->length - len;
+
+    p = p0;
+
+    if (memcmp(p, "\x02\x01", 2) != 0)
+	return GSS_S_BAD_SIG;
+    p += 2;
+    if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */
+	return GSS_S_BAD_SIG;
+    p += 2;
+
+    if (memcmp (p, "\x10\x00", 2) == 0)
+	conf_flag = 1;
+    else if (memcmp (p, "\xff\xff", 2) == 0)
+	conf_flag = 0;
+    else
+	return GSS_S_BAD_SIG;
+
+    p += 2;
+    if (memcmp (p, "\xff\xff", 2) != 0)
+	return GSS_S_BAD_MIC;
+    p = NULL;
+
+    ret = arcfour_mic_key(context, key,
+			  p0 + 16, 8, /* SGN_CKSUM */
+			  k6_data, sizeof(k6_data));
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    {
+	RC4_KEY rc4_key;
+	
+	RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
+	RC4 (&rc4_key, 8, p0 + 8, SND_SEQ); /* SND_SEQ */
+	memset(&rc4_key, 0, sizeof(rc4_key));
+	memset(k6_data, 0, sizeof(k6_data));
+    }
+
+    _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
+
+    if (context_handle->more_flags & LOCAL)
+	cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
+    else
+	cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
+
+    if (cmp != 0) {
+	*minor_status = 0;
+	return GSS_S_BAD_MIC;
+    }
+
+    {
+	int i;
+
+	Klocal.keytype = key->keytype;
+	Klocal.keyvalue.data = Klocaldata;
+	Klocal.keyvalue.length = sizeof(Klocaldata);
+
+	for (i = 0; i < 16; i++)
+	    Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0;
+    }
+    ret = arcfour_mic_key(context, &Klocal,
+			  SND_SEQ, 4,
+			  k6_data, sizeof(k6_data));
+    memset(Klocaldata, 0, sizeof(Klocaldata));
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    output_message_buffer->value = malloc(datalen);
+    if (output_message_buffer->value == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+    output_message_buffer->length = datalen;
+
+    if(conf_flag) {
+	RC4_KEY rc4_key;
+
+	RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
+	RC4 (&rc4_key, 8, p0 + 24, Confounder); /* Confounder */
+	RC4 (&rc4_key, datalen, p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE,
+	     output_message_buffer->value);
+	memset(&rc4_key, 0, sizeof(rc4_key));
+    } else {
+	memcpy(Confounder, p0 + 24, 8); /* Confounder */
+	memcpy(output_message_buffer->value, 
+	       p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE,
+	       datalen);
+    }
+    memset(k6_data, 0, sizeof(k6_data));
+
+    if (!IS_DCE_STYLE(context_handle)) {
+	ret = _gssapi_verify_pad(output_message_buffer, datalen, &padlen);
+	if (ret) {
+	    _gsskrb5_release_buffer(minor_status, output_message_buffer);
+	    *minor_status = 0;
+	    return ret;
+	}
+	output_message_buffer->length -= padlen;
+    }
+
+    ret = arcfour_mic_cksum(context,
+			    key, KRB5_KU_USAGE_SEAL,
+			    cksum_data, sizeof(cksum_data),
+			    p0, 8, 
+			    Confounder, sizeof(Confounder),
+			    output_message_buffer->value, 
+			    output_message_buffer->length + padlen);
+    if (ret) {
+	_gsskrb5_release_buffer(minor_status, output_message_buffer);
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    cmp = memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */
+    if (cmp) {
+	_gsskrb5_release_buffer(minor_status, output_message_buffer);
+	*minor_status = 0;
+	return GSS_S_BAD_MIC;
+    }
+
+    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+    omret = _gssapi_msg_order_check(context_handle->order, seq_number);
+    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+    if (omret)
+	return omret;
+
+    if (conf_state)
+	*conf_state = conf_flag;
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
+
+static OM_uint32
+max_wrap_length_arcfour(const gsskrb5_ctx ctx,
+			krb5_crypto crypto,
+			size_t input_length,
+			OM_uint32 *max_input_size)
+{
+    /* 
+     * if GSS_C_DCE_STYLE is in use:
+     *  - we only need to encapsulate the WRAP token
+     * However, since this is a fixed since, we just 
+     */
+    if (IS_DCE_STYLE(ctx)) {
+	size_t len, total_len;
+
+	len = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
+	_gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
+
+	if (input_length < len)
+	    *max_input_size = 0;
+	else
+	    *max_input_size = input_length - len;
+
+    } else {
+	size_t extrasize = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
+	size_t blocksize = 8;
+	size_t len, total_len;
+
+	len = 8 + input_length + blocksize + extrasize;
+
+	_gsskrb5_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
+
+	total_len -= input_length; /* token length */
+	if (total_len < input_length) {
+	    *max_input_size = (input_length - total_len);
+	    (*max_input_size) &= (~(OM_uint32)(blocksize - 1));
+	} else {
+	    *max_input_size = 0;
+	}
+    }
+
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32
+_gssapi_wrap_size_arcfour(OM_uint32 *minor_status,
+			  const gsskrb5_ctx ctx,
+			  krb5_context context,
+			  int conf_req_flag,
+			  gss_qop_t qop_req,
+			  OM_uint32 req_output_size,
+			  OM_uint32 *max_input_size,
+			  krb5_keyblock *key)
+{
+    krb5_error_code ret;
+    krb5_crypto crypto;
+
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret != 0) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    ret = max_wrap_length_arcfour(ctx, crypto,
+				  req_output_size, max_input_size);
+    if (ret != 0) {
+	*minor_status = ret;
+	krb5_crypto_destroy(context, crypto);
+	return GSS_S_FAILURE;
+    }
+
+    krb5_crypto_destroy(context, crypto);
+
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/canonicalize_name.c b/crypto/heimdal/lib/gssapi/krb5/canonicalize_name.c
new file mode 100644
index 0000000..c1744ab
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/canonicalize_name.c
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: canonicalize_name.c 18334 2006-10-07 22:16:04Z lha $");
+
+OM_uint32 _gsskrb5_canonicalize_name (
+            OM_uint32 * minor_status,
+            const gss_name_t input_name,
+            const gss_OID mech_type,
+            gss_name_t * output_name
+           )
+{
+    return _gsskrb5_duplicate_name (minor_status, input_name, output_name);
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/ccache_name.c b/crypto/heimdal/lib/gssapi/krb5/ccache_name.c
new file mode 100644
index 0000000..6f33246
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/ccache_name.c
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: ccache_name.c 19031 2006-11-13 18:02:57Z lha $");
+
+char *last_out_name;
+
+OM_uint32
+_gsskrb5_krb5_ccache_name(OM_uint32 *minor_status, 
+			  const char *name,
+			  const char **out_name)
+{
+    krb5_context context;
+    krb5_error_code kret;
+
+    *minor_status = 0;
+
+    GSSAPI_KRB5_INIT(&context);
+
+    if (out_name) {
+	const char *n;
+
+	if (last_out_name) {
+	    free(last_out_name);
+	    last_out_name = NULL;
+	}
+
+	n = krb5_cc_default_name(context);
+	if (n == NULL) {
+	    *minor_status = ENOMEM;
+	    return GSS_S_FAILURE;
+	}
+	last_out_name = strdup(n);
+	if (last_out_name == NULL) {
+	    *minor_status = ENOMEM;
+	    return GSS_S_FAILURE;
+	}
+	*out_name = last_out_name;
+    }
+
+    kret = krb5_cc_set_default_name(context, name);
+    if (kret) {
+	*minor_status = kret;
+	return GSS_S_FAILURE;
+    }
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/cfx.c b/crypto/heimdal/lib/gssapi/krb5/cfx.c
new file mode 100644
index 0000000..6452f80
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/cfx.c
@@ -0,0 +1,878 @@
+/*
+ * Copyright (c) 2003, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: cfx.c 19031 2006-11-13 18:02:57Z lha $");
+
+/*
+ * Implementation of draft-ietf-krb-wg-gssapi-cfx-06.txt
+ */
+
+#define CFXSentByAcceptor	(1 << 0)
+#define CFXSealed		(1 << 1)
+#define CFXAcceptorSubkey	(1 << 2)
+
+krb5_error_code
+_gsskrb5cfx_wrap_length_cfx(krb5_context context,
+			    krb5_crypto crypto,
+			    int conf_req_flag,
+			    size_t input_length,
+			    size_t *output_length,
+			    size_t *cksumsize,
+			    uint16_t *padlength)
+{
+    krb5_error_code ret;
+    krb5_cksumtype type;
+
+    /* 16-byte header is always first */
+    *output_length = sizeof(gss_cfx_wrap_token_desc);
+    *padlength = 0;
+
+    ret = krb5_crypto_get_checksum_type(context, crypto, &type);
+    if (ret)
+	return ret;
+
+    ret = krb5_checksumsize(context, type, cksumsize);
+    if (ret)
+	return ret;
+
+    if (conf_req_flag) {
+	size_t padsize;
+
+	/* Header is concatenated with data before encryption */
+	input_length += sizeof(gss_cfx_wrap_token_desc);
+
+	ret = krb5_crypto_getpadsize(context, crypto, &padsize);
+	if (ret) {
+	    return ret;
+	}
+	if (padsize > 1) {
+	    /* XXX check this */
+	    *padlength = padsize - (input_length % padsize);
+
+	    /* We add the pad ourselves (noted here for completeness only) */
+	    input_length += *padlength;
+	}
+
+	*output_length += krb5_get_wrapped_length(context,
+						  crypto, input_length);
+    } else {
+	/* Checksum is concatenated with data */
+	*output_length += input_length + *cksumsize;
+    }
+
+    assert(*output_length > input_length);
+
+    return 0;
+}
+
+krb5_error_code
+_gsskrb5cfx_max_wrap_length_cfx(krb5_context context,
+				krb5_crypto crypto,
+				int conf_req_flag,
+				size_t input_length,
+				OM_uint32 *output_length)
+{
+    krb5_error_code ret;
+
+    *output_length = 0;
+
+    /* 16-byte header is always first */
+    if (input_length < 16)
+	return 0;
+    input_length -= 16;
+
+    if (conf_req_flag) {
+	size_t wrapped_size, sz;
+
+	wrapped_size = input_length + 1;
+	do {
+	    wrapped_size--;
+	    sz = krb5_get_wrapped_length(context, 
+					 crypto, wrapped_size);
+	} while (wrapped_size && sz > input_length);
+	if (wrapped_size == 0) {
+	    *output_length = 0;
+	    return 0;
+	}
+
+	/* inner header */
+	if (wrapped_size < 16) {
+	    *output_length = 0;
+	    return 0;
+	}
+	wrapped_size -= 16;
+
+	*output_length = wrapped_size;
+    } else {
+	krb5_cksumtype type;
+	size_t cksumsize;
+
+	ret = krb5_crypto_get_checksum_type(context, crypto, &type);
+	if (ret)
+	    return ret;
+
+	ret = krb5_checksumsize(context, type, &cksumsize);
+	if (ret)
+	    return ret;
+
+	if (input_length < cksumsize)
+	    return 0;
+
+	/* Checksum is concatenated with data */
+	*output_length = input_length - cksumsize;
+    }
+
+    return 0;
+}
+
+
+OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
+				const gsskrb5_ctx context_handle,
+				krb5_context context,
+				int conf_req_flag,
+				gss_qop_t qop_req,
+				OM_uint32 req_output_size,
+				OM_uint32 *max_input_size,
+				krb5_keyblock *key)
+{
+    krb5_error_code ret;
+    krb5_crypto crypto;
+
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret != 0) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    ret = _gsskrb5cfx_max_wrap_length_cfx(context, crypto, conf_req_flag, 
+					  req_output_size, max_input_size);
+    if (ret != 0) {
+	*minor_status = ret;
+	krb5_crypto_destroy(context, crypto);
+	return GSS_S_FAILURE;
+    }
+
+    krb5_crypto_destroy(context, crypto);
+
+    return GSS_S_COMPLETE;
+}
+
+/*
+ * Rotate "rrc" bytes to the front or back
+ */
+
+static krb5_error_code
+rrc_rotate(void *data, size_t len, uint16_t rrc, krb5_boolean unrotate)
+{
+    u_char *tmp, buf[256];
+    size_t left;
+
+    if (len == 0)
+	return 0;
+
+    rrc %= len;
+
+    if (rrc == 0)
+	return 0;
+
+    left = len - rrc;
+
+    if (rrc <= sizeof(buf)) {
+	tmp = buf;
+    } else {
+	tmp = malloc(rrc);
+	if (tmp == NULL) 
+	    return ENOMEM;
+    }
+ 
+    if (unrotate) {
+	memcpy(tmp, data, rrc);
+	memmove(data, (u_char *)data + rrc, left);
+	memcpy((u_char *)data + left, tmp, rrc);
+    } else {
+	memcpy(tmp, (u_char *)data + left, rrc);
+	memmove((u_char *)data + rrc, data, left);
+	memcpy(data, tmp, rrc);
+    }
+
+    if (rrc > sizeof(buf)) 
+	free(tmp);
+
+    return 0;
+}
+
+OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
+			   const gsskrb5_ctx context_handle,
+			   krb5_context context,
+			   int conf_req_flag,
+			   gss_qop_t qop_req,
+			   const gss_buffer_t input_message_buffer,
+			   int *conf_state,
+			   gss_buffer_t output_message_buffer,
+			   krb5_keyblock *key)
+{
+    krb5_crypto crypto;
+    gss_cfx_wrap_token token;
+    krb5_error_code ret;
+    unsigned usage;
+    krb5_data cipher;
+    size_t wrapped_len, cksumsize;
+    uint16_t padlength, rrc = 0;
+    int32_t seq_number;
+    u_char *p;
+
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret != 0) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    ret = _gsskrb5cfx_wrap_length_cfx(context,
+				      crypto, conf_req_flag, 
+				      input_message_buffer->length,
+				      &wrapped_len, &cksumsize, &padlength);
+    if (ret != 0) {
+	*minor_status = ret;
+	krb5_crypto_destroy(context, crypto);
+	return GSS_S_FAILURE;
+    }
+
+    /* Always rotate encrypted token (if any) and checksum to header */
+    rrc = (conf_req_flag ? sizeof(*token) : 0) + (uint16_t)cksumsize;
+
+    output_message_buffer->length = wrapped_len;
+    output_message_buffer->value = malloc(output_message_buffer->length);
+    if (output_message_buffer->value == NULL) {
+	*minor_status = ENOMEM;
+	krb5_crypto_destroy(context, crypto);
+	return GSS_S_FAILURE;
+    }
+
+    p = output_message_buffer->value;
+    token = (gss_cfx_wrap_token)p;
+    token->TOK_ID[0] = 0x05;
+    token->TOK_ID[1] = 0x04;
+    token->Flags     = 0;
+    token->Filler    = 0xFF;
+    if ((context_handle->more_flags & LOCAL) == 0)
+	token->Flags |= CFXSentByAcceptor;
+    if (context_handle->more_flags & ACCEPTOR_SUBKEY)
+	token->Flags |= CFXAcceptorSubkey;
+    if (conf_req_flag) {
+	/*
+	 * In Wrap tokens with confidentiality, the EC field is
+	 * used to encode the size (in bytes) of the random filler.
+	 */
+	token->Flags |= CFXSealed;
+	token->EC[0] = (padlength >> 8) & 0xFF;
+	token->EC[1] = (padlength >> 0) & 0xFF;
+    } else {
+	/*
+	 * In Wrap tokens without confidentiality, the EC field is
+	 * used to encode the size (in bytes) of the trailing
+	 * checksum.
+	 *
+	 * This is not used in the checksum calcuation itself,
+	 * because the checksum length could potentially vary
+	 * depending on the data length.
+	 */
+	token->EC[0] = 0;
+	token->EC[1] = 0;
+    }
+
+    /*
+     * In Wrap tokens that provide for confidentiality, the RRC
+     * field in the header contains the hex value 00 00 before
+     * encryption.
+     *
+     * In Wrap tokens that do not provide for confidentiality,
+     * both the EC and RRC fields in the appended checksum
+     * contain the hex value 00 00 for the purpose of calculating
+     * the checksum.
+     */
+    token->RRC[0] = 0;
+    token->RRC[1] = 0;
+
+    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+    krb5_auth_con_getlocalseqnumber(context,
+				    context_handle->auth_context,
+				    &seq_number);
+    _gsskrb5_encode_be_om_uint32(0,          &token->SND_SEQ[0]);
+    _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
+    krb5_auth_con_setlocalseqnumber(context,
+				    context_handle->auth_context,
+				    ++seq_number);
+    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+
+    /*
+     * If confidentiality is requested, the token header is
+     * appended to the plaintext before encryption; the resulting
+     * token is {"header" | encrypt(plaintext | pad | "header")}.
+     *
+     * If no confidentiality is requested, the checksum is
+     * calculated over the plaintext concatenated with the
+     * token header.
+     */
+    if (context_handle->more_flags & LOCAL) {
+	usage = KRB5_KU_USAGE_INITIATOR_SEAL;
+    } else {
+	usage = KRB5_KU_USAGE_ACCEPTOR_SEAL;
+    }
+
+    if (conf_req_flag) {
+	/*
+	 * Any necessary padding is added here to ensure that the
+	 * encrypted token header is always at the end of the
+	 * ciphertext.
+	 *
+	 * The specification does not require that the padding
+	 * bytes are initialized.
+	 */
+	p += sizeof(*token);
+	memcpy(p, input_message_buffer->value, input_message_buffer->length);
+	memset(p + input_message_buffer->length, 0xFF, padlength);
+	memcpy(p + input_message_buffer->length + padlength,
+	       token, sizeof(*token));
+
+	ret = krb5_encrypt(context, crypto,
+			   usage, p,
+			   input_message_buffer->length + padlength +
+				sizeof(*token),
+			   &cipher);
+	if (ret != 0) {
+	    *minor_status = ret;
+	    krb5_crypto_destroy(context, crypto);
+	    _gsskrb5_release_buffer(minor_status, output_message_buffer);
+	    return GSS_S_FAILURE;
+	}
+	assert(sizeof(*token) + cipher.length == wrapped_len);
+	token->RRC[0] = (rrc >> 8) & 0xFF;  
+	token->RRC[1] = (rrc >> 0) & 0xFF;
+
+	ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE);
+	if (ret != 0) {
+	    *minor_status = ret;
+	    krb5_crypto_destroy(context, crypto);
+	    _gsskrb5_release_buffer(minor_status, output_message_buffer);
+	    return GSS_S_FAILURE;
+	}
+	memcpy(p, cipher.data, cipher.length);
+	krb5_data_free(&cipher);
+    } else {
+	char *buf;
+	Checksum cksum;
+
+	buf = malloc(input_message_buffer->length + sizeof(*token));
+	if (buf == NULL) {
+	    *minor_status = ENOMEM;
+	    krb5_crypto_destroy(context, crypto);
+	    _gsskrb5_release_buffer(minor_status, output_message_buffer);
+	    return GSS_S_FAILURE;
+	}
+	memcpy(buf, input_message_buffer->value, input_message_buffer->length);
+	memcpy(buf + input_message_buffer->length, token, sizeof(*token));
+
+	ret = krb5_create_checksum(context, crypto,
+				   usage, 0, buf, 
+				   input_message_buffer->length +
+					sizeof(*token), 
+				   &cksum);
+	if (ret != 0) {
+	    *minor_status = ret;
+	    krb5_crypto_destroy(context, crypto);
+	    _gsskrb5_release_buffer(minor_status, output_message_buffer);
+	    free(buf);
+	    return GSS_S_FAILURE;
+	}
+
+	free(buf);
+
+	assert(cksum.checksum.length == cksumsize);
+	token->EC[0] =  (cksum.checksum.length >> 8) & 0xFF;
+	token->EC[1] =  (cksum.checksum.length >> 0) & 0xFF;
+	token->RRC[0] = (rrc >> 8) & 0xFF;  
+	token->RRC[1] = (rrc >> 0) & 0xFF;
+
+	p += sizeof(*token);
+	memcpy(p, input_message_buffer->value, input_message_buffer->length);
+	memcpy(p + input_message_buffer->length,
+	       cksum.checksum.data, cksum.checksum.length);
+
+	ret = rrc_rotate(p,
+	    input_message_buffer->length + cksum.checksum.length, rrc, FALSE);
+	if (ret != 0) {
+	    *minor_status = ret;
+	    krb5_crypto_destroy(context, crypto);
+	    _gsskrb5_release_buffer(minor_status, output_message_buffer);
+	    free_Checksum(&cksum);
+	    return GSS_S_FAILURE;
+	}
+	free_Checksum(&cksum);
+    }
+
+    krb5_crypto_destroy(context, crypto);
+
+    if (conf_state != NULL) {
+	*conf_state = conf_req_flag;
+    }
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
+			     const gsskrb5_ctx context_handle,
+			     krb5_context context,
+			     const gss_buffer_t input_message_buffer,
+			     gss_buffer_t output_message_buffer,
+			     int *conf_state,
+			     gss_qop_t *qop_state,
+			     krb5_keyblock *key)
+{
+    krb5_crypto crypto;
+    gss_cfx_wrap_token token;
+    u_char token_flags;
+    krb5_error_code ret;
+    unsigned usage;
+    krb5_data data;
+    uint16_t ec, rrc;
+    OM_uint32 seq_number_lo, seq_number_hi;
+    size_t len;
+    u_char *p;
+
+    *minor_status = 0;
+
+    if (input_message_buffer->length < sizeof(*token)) {
+	return GSS_S_DEFECTIVE_TOKEN;
+    }
+
+    p = input_message_buffer->value;
+
+    token = (gss_cfx_wrap_token)p;
+
+    if (token->TOK_ID[0] != 0x05 || token->TOK_ID[1] != 0x04) {
+	return GSS_S_DEFECTIVE_TOKEN;
+    }
+
+    /* Ignore unknown flags */
+    token_flags = token->Flags &
+	(CFXSentByAcceptor | CFXSealed | CFXAcceptorSubkey);
+
+    if (token_flags & CFXSentByAcceptor) {
+	if ((context_handle->more_flags & LOCAL) == 0)
+	    return GSS_S_DEFECTIVE_TOKEN;
+    }
+
+    if (context_handle->more_flags & ACCEPTOR_SUBKEY) {
+	if ((token_flags & CFXAcceptorSubkey) == 0)
+	    return GSS_S_DEFECTIVE_TOKEN;
+    } else {
+	if (token_flags & CFXAcceptorSubkey)
+	    return GSS_S_DEFECTIVE_TOKEN;
+    }
+
+    if (token->Filler != 0xFF) {
+	return GSS_S_DEFECTIVE_TOKEN;
+    }
+
+    if (conf_state != NULL) {
+	*conf_state = (token_flags & CFXSealed) ? 1 : 0;
+    }
+
+    ec  = (token->EC[0]  << 8) | token->EC[1];
+    rrc = (token->RRC[0] << 8) | token->RRC[1];
+
+    /*
+     * Check sequence number
+     */
+    _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi);
+    _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo);
+    if (seq_number_hi) {
+	/* no support for 64-bit sequence numbers */
+	*minor_status = ERANGE;
+	return GSS_S_UNSEQ_TOKEN;
+    }
+
+    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+    ret = _gssapi_msg_order_check(context_handle->order, seq_number_lo);
+    if (ret != 0) {
+	*minor_status = 0;
+	HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+	_gsskrb5_release_buffer(minor_status, output_message_buffer);
+	return ret;
+    }
+    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+
+    /*
+     * Decrypt and/or verify checksum
+     */
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret != 0) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    if (context_handle->more_flags & LOCAL) {
+	usage = KRB5_KU_USAGE_ACCEPTOR_SEAL;
+    } else {
+	usage = KRB5_KU_USAGE_INITIATOR_SEAL;
+    }
+
+    p += sizeof(*token);
+    len = input_message_buffer->length;
+    len -= (p - (u_char *)input_message_buffer->value);
+
+    /* Rotate by RRC; bogus to do this in-place XXX */
+    *minor_status = rrc_rotate(p, len, rrc, TRUE);
+    if (*minor_status != 0) {
+	krb5_crypto_destroy(context, crypto);
+	return GSS_S_FAILURE;
+    }
+
+    if (token_flags & CFXSealed) {
+	ret = krb5_decrypt(context, crypto, usage,
+	    p, len, &data);
+	if (ret != 0) {
+	    *minor_status = ret;
+	    krb5_crypto_destroy(context, crypto);
+	    return GSS_S_BAD_MIC;
+	}
+
+	/* Check that there is room for the pad and token header */
+	if (data.length < ec + sizeof(*token)) {
+	    krb5_crypto_destroy(context, crypto);
+	    krb5_data_free(&data);
+	    return GSS_S_DEFECTIVE_TOKEN;
+	}
+	p = data.data;
+	p += data.length - sizeof(*token);
+
+	/* RRC is unprotected; don't modify input buffer */
+	((gss_cfx_wrap_token)p)->RRC[0] = token->RRC[0];
+	((gss_cfx_wrap_token)p)->RRC[1] = token->RRC[1];
+
+	/* Check the integrity of the header */
+	if (memcmp(p, token, sizeof(*token)) != 0) {
+	    krb5_crypto_destroy(context, crypto);
+	    krb5_data_free(&data);
+	    return GSS_S_BAD_MIC;
+	}
+
+	output_message_buffer->value = data.data;
+	output_message_buffer->length = data.length - ec - sizeof(*token);
+    } else {
+	Checksum cksum;
+
+	/* Determine checksum type */
+	ret = krb5_crypto_get_checksum_type(context,
+					    crypto, &cksum.cksumtype);
+	if (ret != 0) {
+	    *minor_status = ret;
+	    krb5_crypto_destroy(context, crypto);
+	    return GSS_S_FAILURE;
+	}
+
+	cksum.checksum.length = ec;
+
+	/* Check we have at least as much data as the checksum */
+	if (len < cksum.checksum.length) {
+	    *minor_status = ERANGE;
+	    krb5_crypto_destroy(context, crypto);
+	    return GSS_S_BAD_MIC;
+	}
+
+	/* Length now is of the plaintext only, no checksum */
+	len -= cksum.checksum.length;
+	cksum.checksum.data = p + len;
+
+	output_message_buffer->length = len; /* for later */
+	output_message_buffer->value = malloc(len + sizeof(*token));
+	if (output_message_buffer->value == NULL) {
+	    *minor_status = ENOMEM;
+	    krb5_crypto_destroy(context, crypto);
+	    return GSS_S_FAILURE;
+	}
+
+	/* Checksum is over (plaintext-data | "header") */
+	memcpy(output_message_buffer->value, p, len);
+	memcpy((u_char *)output_message_buffer->value + len, 
+	       token, sizeof(*token));
+
+	/* EC is not included in checksum calculation */
+	token = (gss_cfx_wrap_token)((u_char *)output_message_buffer->value +
+				     len);
+	token->EC[0]  = 0;
+	token->EC[1]  = 0;
+	token->RRC[0] = 0;
+	token->RRC[1] = 0;
+
+	ret = krb5_verify_checksum(context, crypto,
+				   usage,
+				   output_message_buffer->value,
+				   len + sizeof(*token),
+				   &cksum);
+	if (ret != 0) {
+	    *minor_status = ret;
+	    krb5_crypto_destroy(context, crypto);
+	    _gsskrb5_release_buffer(minor_status, output_message_buffer);
+	    return GSS_S_BAD_MIC;
+	}
+    }
+
+    krb5_crypto_destroy(context, crypto);
+
+    if (qop_state != NULL) {
+	*qop_state = GSS_C_QOP_DEFAULT;
+    }
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
+			  const gsskrb5_ctx context_handle,
+			  krb5_context context,
+			  gss_qop_t qop_req,
+			  const gss_buffer_t message_buffer,
+			  gss_buffer_t message_token,
+			  krb5_keyblock *key)
+{
+    krb5_crypto crypto;
+    gss_cfx_mic_token token;
+    krb5_error_code ret;
+    unsigned usage;
+    Checksum cksum;
+    u_char *buf;
+    size_t len;
+    int32_t seq_number;
+
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret != 0) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    len = message_buffer->length + sizeof(*token);
+    buf = malloc(len);
+    if (buf == NULL) {
+	*minor_status = ENOMEM;
+	krb5_crypto_destroy(context, crypto);
+	return GSS_S_FAILURE;
+    }
+
+    memcpy(buf, message_buffer->value, message_buffer->length);
+
+    token = (gss_cfx_mic_token)(buf + message_buffer->length);
+    token->TOK_ID[0] = 0x04;
+    token->TOK_ID[1] = 0x04;
+    token->Flags = 0;
+    if ((context_handle->more_flags & LOCAL) == 0)
+	token->Flags |= CFXSentByAcceptor;
+    if (context_handle->more_flags & ACCEPTOR_SUBKEY)
+	token->Flags |= CFXAcceptorSubkey;
+    memset(token->Filler, 0xFF, 5);
+
+    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+    krb5_auth_con_getlocalseqnumber(context,
+				    context_handle->auth_context,
+				    &seq_number);
+    _gsskrb5_encode_be_om_uint32(0,          &token->SND_SEQ[0]);
+    _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
+    krb5_auth_con_setlocalseqnumber(context,
+				    context_handle->auth_context,
+				    ++seq_number);
+    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+
+    if (context_handle->more_flags & LOCAL) {
+	usage = KRB5_KU_USAGE_INITIATOR_SIGN;
+    } else {
+	usage = KRB5_KU_USAGE_ACCEPTOR_SIGN;
+    }
+
+    ret = krb5_create_checksum(context, crypto,
+	usage, 0, buf, len, &cksum);
+    if (ret != 0) {
+	*minor_status = ret;
+	krb5_crypto_destroy(context, crypto);
+	free(buf);
+	return GSS_S_FAILURE;
+    }
+    krb5_crypto_destroy(context, crypto);
+
+    /* Determine MIC length */
+    message_token->length = sizeof(*token) + cksum.checksum.length;
+    message_token->value = malloc(message_token->length);
+    if (message_token->value == NULL) {
+	*minor_status = ENOMEM;
+	free_Checksum(&cksum);
+	free(buf);
+	return GSS_S_FAILURE;
+    }
+
+    /* Token is { "header" | get_mic("header" | plaintext-data) } */
+    memcpy(message_token->value, token, sizeof(*token));
+    memcpy((u_char *)message_token->value + sizeof(*token),
+	   cksum.checksum.data, cksum.checksum.length);
+
+    free_Checksum(&cksum);
+    free(buf);
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
+				 const gsskrb5_ctx context_handle,
+				 krb5_context context,
+				 const gss_buffer_t message_buffer,
+				 const gss_buffer_t token_buffer,
+				 gss_qop_t *qop_state,
+				 krb5_keyblock *key)
+{
+    krb5_crypto crypto;
+    gss_cfx_mic_token token;
+    u_char token_flags;
+    krb5_error_code ret;
+    unsigned usage;
+    OM_uint32 seq_number_lo, seq_number_hi;
+    u_char *buf, *p;
+    Checksum cksum;
+
+    *minor_status = 0;
+
+    if (token_buffer->length < sizeof(*token)) {
+	return GSS_S_DEFECTIVE_TOKEN;
+    }
+
+    p = token_buffer->value;
+
+    token = (gss_cfx_mic_token)p;
+
+    if (token->TOK_ID[0] != 0x04 || token->TOK_ID[1] != 0x04) {
+	return GSS_S_DEFECTIVE_TOKEN;
+    }
+
+    /* Ignore unknown flags */
+    token_flags = token->Flags & (CFXSentByAcceptor | CFXAcceptorSubkey);
+
+    if (token_flags & CFXSentByAcceptor) {
+	if ((context_handle->more_flags & LOCAL) == 0)
+	    return GSS_S_DEFECTIVE_TOKEN;
+    }
+    if (context_handle->more_flags & ACCEPTOR_SUBKEY) {
+	if ((token_flags & CFXAcceptorSubkey) == 0)
+	    return GSS_S_DEFECTIVE_TOKEN;
+    } else {
+	if (token_flags & CFXAcceptorSubkey)
+	    return GSS_S_DEFECTIVE_TOKEN;
+    }
+
+    if (memcmp(token->Filler, "\xff\xff\xff\xff\xff", 5) != 0) {
+	return GSS_S_DEFECTIVE_TOKEN;
+    }
+
+    /*
+     * Check sequence number
+     */
+    _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi);
+    _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo);
+    if (seq_number_hi) {
+	*minor_status = ERANGE;
+	return GSS_S_UNSEQ_TOKEN;
+    }
+
+    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+    ret = _gssapi_msg_order_check(context_handle->order, seq_number_lo);
+    if (ret != 0) {
+	*minor_status = 0;
+	HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+	return ret;
+    }
+    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+
+    /*
+     * Verify checksum
+     */
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret != 0) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    ret = krb5_crypto_get_checksum_type(context, crypto,
+					&cksum.cksumtype);
+    if (ret != 0) {
+	*minor_status = ret;
+	krb5_crypto_destroy(context, crypto);
+	return GSS_S_FAILURE;
+    }
+
+    cksum.checksum.data = p + sizeof(*token);
+    cksum.checksum.length = token_buffer->length - sizeof(*token);
+
+    if (context_handle->more_flags & LOCAL) {
+	usage = KRB5_KU_USAGE_ACCEPTOR_SIGN;
+    } else {
+	usage = KRB5_KU_USAGE_INITIATOR_SIGN;
+    }
+
+    buf = malloc(message_buffer->length + sizeof(*token));
+    if (buf == NULL) {
+	*minor_status = ENOMEM;
+	krb5_crypto_destroy(context, crypto);
+	return GSS_S_FAILURE;
+    }
+    memcpy(buf, message_buffer->value, message_buffer->length);
+    memcpy(buf + message_buffer->length, token, sizeof(*token));
+
+    ret = krb5_verify_checksum(context, crypto,
+			       usage,
+			       buf,
+			       sizeof(*token) + message_buffer->length,
+			       &cksum);
+    krb5_crypto_destroy(context, crypto);
+    if (ret != 0) {
+	*minor_status = ret;
+	free(buf);
+	return GSS_S_BAD_MIC;
+    }
+
+    free(buf);
+
+    if (qop_state != NULL) {
+	*qop_state = GSS_C_QOP_DEFAULT;
+    }
+
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/cfx.h b/crypto/heimdal/lib/gssapi/krb5/cfx.h
new file mode 100644
index 0000000..672704a
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/cfx.h
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2003, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: cfx.h 19031 2006-11-13 18:02:57Z lha $ */
+
+#ifndef GSSAPI_CFX_H_
+#define GSSAPI_CFX_H_ 1
+
+/*
+ * Implementation of draft-ietf-krb-wg-gssapi-cfx-01.txt
+ */
+
+typedef struct gss_cfx_mic_token_desc_struct {
+	u_char TOK_ID[2]; /* 04 04 */
+	u_char Flags;
+	u_char Filler[5];
+	u_char SND_SEQ[8];
+} gss_cfx_mic_token_desc, *gss_cfx_mic_token;
+
+typedef struct gss_cfx_wrap_token_desc_struct {
+	u_char TOK_ID[2]; /* 04 05 */
+	u_char Flags;
+	u_char Filler;
+	u_char EC[2];
+	u_char RRC[2];
+	u_char SND_SEQ[8];
+} gss_cfx_wrap_token_desc, *gss_cfx_wrap_token;
+
+typedef struct gss_cfx_delete_token_desc_struct {
+	u_char TOK_ID[2]; /* 05 04 */
+	u_char Flags;
+	u_char Filler[5];
+	u_char SND_SEQ[8];
+} gss_cfx_delete_token_desc, *gss_cfx_delete_token;
+
+#endif /* GSSAPI_CFX_H_ */
diff --git a/crypto/heimdal/lib/gssapi/krb5/compare_name.c b/crypto/heimdal/lib/gssapi/krb5/compare_name.c
new file mode 100644
index 0000000..3f3b59d
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/compare_name.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: compare_name.c 19031 2006-11-13 18:02:57Z lha $");
+
+OM_uint32 _gsskrb5_compare_name
+           (OM_uint32 * minor_status,
+            const gss_name_t name1,
+            const gss_name_t name2,
+            int * name_equal
+           )
+{
+    krb5_const_principal princ1 = (krb5_const_principal)name1;
+    krb5_const_principal princ2 = (krb5_const_principal)name2;
+    krb5_context context;
+
+    GSSAPI_KRB5_INIT(&context);
+
+    *name_equal = krb5_principal_compare (context,
+					  princ1, princ2);
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/compat.c b/crypto/heimdal/lib/gssapi/krb5/compat.c
new file mode 100644
index 0000000..a0f0756
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/compat.c
@@ -0,0 +1,128 @@
+/*
+ * Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: compat.c 19031 2006-11-13 18:02:57Z lha $");
+
+
+static krb5_error_code
+check_compat(OM_uint32 *minor_status, 
+	     krb5_context context, krb5_const_principal name, 
+	     const char *option, krb5_boolean *compat, 
+	     krb5_boolean match_val)
+{
+    krb5_error_code ret = 0;
+    char **p, **q;
+    krb5_principal match;
+
+
+    p = krb5_config_get_strings(context, NULL, "gssapi",
+				option, NULL);
+    if(p == NULL)
+	return 0;
+
+    match = NULL;
+    for(q = p; *q; q++) {
+	ret = krb5_parse_name(context, *q, &match);
+	if (ret)
+	    break;
+
+	if (krb5_principal_match(context, name, match)) {
+	    *compat = match_val;
+	    break;
+	}
+	
+	krb5_free_principal(context, match);
+	match = NULL;
+    }
+    if (match)
+	krb5_free_principal(context, match);
+    krb5_config_free_strings(p);
+
+    if (ret) {
+	if (minor_status)
+	    *minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    return 0;
+}
+
+/*
+ * ctx->ctx_id_mutex is assumed to be locked
+ */
+
+OM_uint32
+_gss_DES3_get_mic_compat(OM_uint32 *minor_status,
+			 gsskrb5_ctx ctx,
+			 krb5_context context)
+{
+    krb5_boolean use_compat = FALSE;
+    OM_uint32 ret;
+
+    if ((ctx->more_flags & COMPAT_OLD_DES3_SELECTED) == 0) {
+	ret = check_compat(minor_status, context, ctx->target, 
+			   "broken_des3_mic", &use_compat, TRUE);
+	if (ret)
+	    return ret;
+	ret = check_compat(minor_status, context, ctx->target, 
+			   "correct_des3_mic", &use_compat, FALSE);
+	if (ret)
+	    return ret;
+
+	if (use_compat)
+	    ctx->more_flags |= COMPAT_OLD_DES3;
+	ctx->more_flags |= COMPAT_OLD_DES3_SELECTED;
+    }
+    return 0;
+}
+
+#if 0
+OM_uint32
+gss_krb5_compat_des3_mic(OM_uint32 *minor_status, gss_ctx_id_t ctx, int on)
+{
+    *minor_status = 0;
+
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+    if (on) {
+	ctx->more_flags |= COMPAT_OLD_DES3;
+    } else {
+	ctx->more_flags &= ~COMPAT_OLD_DES3;
+    }
+    ctx->more_flags |= COMPAT_OLD_DES3_SELECTED;
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+
+    return 0;
+}
+#endif
diff --git a/crypto/heimdal/lib/gssapi/krb5/context_time.c b/crypto/heimdal/lib/gssapi/krb5/context_time.c
new file mode 100644
index 0000000..b57ac78
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/context_time.c
@@ -0,0 +1,95 @@
+/*
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: context_time.c 19031 2006-11-13 18:02:57Z lha $");
+
+OM_uint32
+_gsskrb5_lifetime_left(OM_uint32 *minor_status, 
+		       krb5_context context,
+		       OM_uint32 lifetime,
+		       OM_uint32 *lifetime_rec)
+{
+    krb5_timestamp timeret;
+    krb5_error_code kret;
+
+    if (lifetime == 0) {
+	*lifetime_rec = GSS_C_INDEFINITE;
+	return GSS_S_COMPLETE;
+    }
+
+    kret = krb5_timeofday(context, &timeret);
+    if (kret) {
+	*minor_status = kret;
+	return GSS_S_FAILURE;
+    }
+
+    if (lifetime < timeret) 
+	*lifetime_rec = 0;
+    else
+	*lifetime_rec = lifetime - timeret;
+
+    return GSS_S_COMPLETE;
+}
+
+
+OM_uint32 _gsskrb5_context_time
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            OM_uint32 * time_rec
+           )
+{
+    krb5_context context;
+    OM_uint32 lifetime;
+    OM_uint32 major_status;
+    const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+    lifetime = ctx->lifetime;
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+
+    major_status = _gsskrb5_lifetime_left(minor_status, context,
+					  lifetime, time_rec);
+    if (major_status != GSS_S_COMPLETE)
+	return major_status;
+
+    *minor_status = 0;
+
+    if (*time_rec == 0)
+	return GSS_S_CONTEXT_EXPIRED;
+	
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/copy_ccache.c b/crypto/heimdal/lib/gssapi/krb5/copy_ccache.c
new file mode 100644
index 0000000..66d797c
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/copy_ccache.c
@@ -0,0 +1,195 @@
+/*
+ * Copyright (c) 2000 - 2001, 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: copy_ccache.c 20688 2007-05-17 18:44:31Z lha $");
+
+#if 0
+OM_uint32
+gss_krb5_copy_ccache(OM_uint32 *minor_status,
+		     krb5_context context,
+		     gss_cred_id_t cred,
+		     krb5_ccache out)
+{
+    krb5_error_code kret;
+
+    HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
+
+    if (cred->ccache == NULL) {
+	HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    kret = krb5_cc_copy_cache(context, cred->ccache, out);
+    HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
+    if (kret) {
+	*minor_status = kret;
+	return GSS_S_FAILURE;
+    }
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
+#endif
+
+
+OM_uint32
+_gsskrb5_import_cred(OM_uint32 *minor_status,
+		     krb5_ccache id,
+		     krb5_principal keytab_principal,
+		     krb5_keytab keytab,
+		     gss_cred_id_t *cred)
+{
+    krb5_context context;
+    krb5_error_code kret;
+    gsskrb5_cred handle;
+    OM_uint32 ret;
+
+    *cred = NULL;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    handle = calloc(1, sizeof(*handle));
+    if (handle == NULL) {
+	_gsskrb5_clear_status ();
+	*minor_status = ENOMEM;
+        return (GSS_S_FAILURE);
+    }
+    HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
+
+    handle->usage = 0;
+
+    if (id) {
+	char *str;
+
+	handle->usage |= GSS_C_INITIATE;
+
+	kret = krb5_cc_get_principal(context, id,
+				     &handle->principal);
+	if (kret) {
+	    free(handle);
+	    *minor_status = kret;
+	    return GSS_S_FAILURE;
+	}
+	
+	if (keytab_principal) {
+	    krb5_boolean match;
+
+	    match = krb5_principal_compare(context,
+					   handle->principal,
+					   keytab_principal);
+	    if (match == FALSE) {
+		krb5_free_principal(context, handle->principal);
+		free(handle);
+		_gsskrb5_clear_status ();
+		*minor_status = EINVAL;
+		return GSS_S_FAILURE;
+	    }
+	}
+
+	ret = __gsskrb5_ccache_lifetime(minor_status,
+					context,
+					id,
+					handle->principal,
+					&handle->lifetime);
+	if (ret != GSS_S_COMPLETE) {
+	    krb5_free_principal(context, handle->principal);
+	    free(handle);
+	    return ret;
+	}
+
+
+	kret = krb5_cc_get_full_name(context, id, &str);
+	if (kret)
+	    goto out;
+
+	kret = krb5_cc_resolve(context, str, &handle->ccache);
+	free(str);
+	if (kret)
+	    goto out;
+    }
+
+
+    if (keytab) {
+	char *str;
+
+	handle->usage |= GSS_C_ACCEPT;
+
+	if (keytab_principal && handle->principal == NULL) {
+	    kret = krb5_copy_principal(context, 
+				       keytab_principal, 
+				       &handle->principal);
+	    if (kret)
+		goto out;
+	}
+
+	kret = krb5_kt_get_full_name(context, keytab, &str);
+	if (kret)
+	    goto out;
+
+	kret = krb5_kt_resolve(context, str, &handle->keytab);
+	free(str);
+	if (kret)
+	    goto out;
+    }
+
+
+    if (id || keytab) {
+	ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
+	if (ret == GSS_S_COMPLETE)
+	    ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
+					 &handle->mechanisms);
+	if (ret != GSS_S_COMPLETE) {
+	    kret = *minor_status;
+	    goto out;
+	}
+    }
+
+    *minor_status = 0;
+    *cred = (gss_cred_id_t)handle;
+    return GSS_S_COMPLETE;
+
+out:
+    gss_release_oid_set(minor_status, &handle->mechanisms);
+    if (handle->ccache)
+	krb5_cc_close(context, handle->ccache);
+    if (handle->keytab)
+	krb5_kt_close(context, handle->keytab);
+    if (handle->principal)
+	krb5_free_principal(context, handle->principal);
+    HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
+    free(handle);
+    *minor_status = kret;
+    return GSS_S_FAILURE;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/decapsulate.c b/crypto/heimdal/lib/gssapi/krb5/decapsulate.c
new file mode 100644
index 0000000..39176fa
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/decapsulate.c
@@ -0,0 +1,209 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: decapsulate.c 18334 2006-10-07 22:16:04Z lha $");
+
+/*
+ * return the length of the mechanism in token or -1
+ * (which implies that the token was bad - GSS_S_DEFECTIVE_TOKEN
+ */
+
+ssize_t
+_gsskrb5_get_mech (const u_char *ptr,
+		      size_t total_len,
+		      const u_char **mech_ret)
+{
+    size_t len, len_len, mech_len, foo;
+    const u_char *p = ptr;
+    int e;
+
+    if (total_len < 1)
+	return -1;
+    if (*p++ != 0x60)
+	return -1;
+    e = der_get_length (p, total_len - 1, &len, &len_len);
+    if (e || 1 + len_len + len != total_len)
+	return -1;
+    p += len_len;
+    if (*p++ != 0x06)
+	return -1;
+    e = der_get_length (p, total_len - 1 - len_len - 1,
+			&mech_len, &foo);
+    if (e)
+	return -1;
+    p += foo;
+    *mech_ret = p;
+    return mech_len;
+}
+
+OM_uint32
+_gssapi_verify_mech_header(u_char **str,
+			   size_t total_len,
+			   gss_OID mech)
+{
+    const u_char *p;
+    ssize_t mech_len;
+
+    mech_len = _gsskrb5_get_mech (*str, total_len, &p);
+    if (mech_len < 0)
+	return GSS_S_DEFECTIVE_TOKEN;
+
+    if (mech_len != mech->length)
+	return GSS_S_BAD_MECH;
+    if (memcmp(p,
+	       mech->elements,
+	       mech->length) != 0)
+	return GSS_S_BAD_MECH;
+    p += mech_len;
+    *str = rk_UNCONST(p);
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32
+_gsskrb5_verify_header(u_char **str,
+			  size_t total_len,
+			  const void *type,
+			  gss_OID oid)
+{
+    OM_uint32 ret;
+    size_t len;
+    u_char *p = *str;
+
+    ret = _gssapi_verify_mech_header(str, total_len, oid);
+    if (ret)
+	return ret;
+
+    len = total_len - (*str - p);
+
+    if (len < 2)
+	return GSS_S_DEFECTIVE_TOKEN;
+
+    if (memcmp (*str, type, 2) != 0)
+	return GSS_S_DEFECTIVE_TOKEN;
+    *str += 2;
+
+    return 0;
+}
+
+/*
+ * Remove the GSS-API wrapping from `in_token' giving `out_data.
+ * Does not copy data, so just free `in_token'.
+ */
+
+OM_uint32
+_gssapi_decapsulate(
+    OM_uint32 *minor_status,
+    gss_buffer_t input_token_buffer,
+    krb5_data *out_data,
+    const gss_OID mech
+)
+{
+    u_char *p;
+    OM_uint32 ret;
+
+    p = input_token_buffer->value;
+    ret = _gssapi_verify_mech_header(&p,
+				    input_token_buffer->length,
+				    mech);
+    if (ret) {
+	*minor_status = 0;
+	return ret;
+    }
+
+    out_data->length = input_token_buffer->length -
+	(p - (u_char *)input_token_buffer->value);
+    out_data->data   = p;
+    return GSS_S_COMPLETE;
+}
+
+/*
+ * Remove the GSS-API wrapping from `in_token' giving `out_data.
+ * Does not copy data, so just free `in_token'.
+ */
+
+OM_uint32
+_gsskrb5_decapsulate(OM_uint32 *minor_status,    
+			gss_buffer_t input_token_buffer,
+			krb5_data *out_data,
+			const void *type,
+			gss_OID oid)
+{
+    u_char *p;
+    OM_uint32 ret;
+
+    p = input_token_buffer->value;
+    ret = _gsskrb5_verify_header(&p,
+				    input_token_buffer->length,
+				    type,
+				    oid);
+    if (ret) {
+	*minor_status = 0;
+	return ret;
+    }
+
+    out_data->length = input_token_buffer->length -
+	(p - (u_char *)input_token_buffer->value);
+    out_data->data   = p;
+    return GSS_S_COMPLETE;
+}
+
+/*
+ * Verify padding of a gss wrapped message and return its length.
+ */
+
+OM_uint32
+_gssapi_verify_pad(gss_buffer_t wrapped_token, 
+		   size_t datalen,
+		   size_t *padlen)
+{
+    u_char *pad;
+    size_t padlength;
+    int i;
+
+    pad = (u_char *)wrapped_token->value + wrapped_token->length - 1;
+    padlength = *pad;
+
+    if (padlength > datalen)
+	return GSS_S_BAD_MECH;
+
+    for (i = padlength; i > 0 && *pad == padlength; i--, pad--)
+	;
+    if (i != 0)
+	return GSS_S_BAD_MIC;
+
+    *padlen = padlength;
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/delete_sec_context.c b/crypto/heimdal/lib/gssapi/krb5/delete_sec_context.c
new file mode 100644
index 0000000..abad986
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/delete_sec_context.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: delete_sec_context.c 19031 2006-11-13 18:02:57Z lha $");
+
+OM_uint32
+_gsskrb5_delete_sec_context(OM_uint32 * minor_status,
+			    gss_ctx_id_t * context_handle,
+			    gss_buffer_t output_token)
+{
+    krb5_context context;
+    gsskrb5_ctx ctx;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    *minor_status = 0;
+
+    if (output_token) {
+	output_token->length = 0;
+	output_token->value  = NULL;
+    }
+
+    if (*context_handle == GSS_C_NO_CONTEXT)
+	return GSS_S_COMPLETE;
+
+    ctx = (gsskrb5_ctx) *context_handle;
+    *context_handle = GSS_C_NO_CONTEXT;
+
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+
+    krb5_auth_con_free (context, ctx->auth_context);
+    if(ctx->source)
+	krb5_free_principal (context, ctx->source);
+    if(ctx->target)
+	krb5_free_principal (context, ctx->target);
+    if (ctx->ticket)
+	krb5_free_ticket (context, ctx->ticket);
+    if(ctx->order)
+	_gssapi_msg_order_destroy(&ctx->order);
+    if (ctx->service_keyblock)
+	krb5_free_keyblock (context, ctx->service_keyblock);
+    krb5_data_free(&ctx->fwd_data);
+
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+    HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
+    memset(ctx, 0, sizeof(*ctx));
+    free (ctx);
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/display_name.c b/crypto/heimdal/lib/gssapi/krb5/display_name.c
new file mode 100644
index 0000000..727c447
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/display_name.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: display_name.c 21077 2007-06-12 22:42:56Z lha $");
+
+OM_uint32 _gsskrb5_display_name
+           (OM_uint32 * minor_status,
+            const gss_name_t input_name,
+            gss_buffer_t output_name_buffer,
+            gss_OID * output_name_type
+           )
+{
+    krb5_context context;
+    krb5_const_principal name = (krb5_const_principal)input_name;
+    krb5_error_code kret;
+    char *buf;
+    size_t len;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    kret = krb5_unparse_name_flags (context, name,
+				    KRB5_PRINCIPAL_UNPARSE_DISPLAY, &buf);
+    if (kret) {
+	*minor_status = kret;
+	return GSS_S_FAILURE;
+    }
+    len = strlen (buf);
+    output_name_buffer->length = len;
+    output_name_buffer->value  = malloc(len + 1);
+    if (output_name_buffer->value == NULL) {
+	free (buf);
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+    memcpy (output_name_buffer->value, buf, len);
+    ((char *)output_name_buffer->value)[len] = '\0';
+    free (buf);
+    if (output_name_type)
+	*output_name_type = GSS_KRB5_NT_PRINCIPAL_NAME;
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/display_status.c b/crypto/heimdal/lib/gssapi/krb5/display_status.c
new file mode 100644
index 0000000..c019252
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/display_status.c
@@ -0,0 +1,200 @@
+/*
+ * Copyright (c) 1998 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: display_status.c 19031 2006-11-13 18:02:57Z lha $");
+
+static const char *
+calling_error(OM_uint32 v)
+{
+    static const char *msgs[] = {
+	NULL,			/* 0 */
+	"A required input parameter could not be read.", /*  */
+	"A required output parameter could not be written.", /*  */
+	"A parameter was malformed"
+    };
+
+    v >>= GSS_C_CALLING_ERROR_OFFSET;
+
+    if (v == 0)
+	return "";
+    else if (v >= sizeof(msgs)/sizeof(*msgs))
+	return "unknown calling error";
+    else
+	return msgs[v];
+}
+
+static const char *
+routine_error(OM_uint32 v)
+{
+    static const char *msgs[] = {
+	NULL,			/* 0 */
+	"An unsupported mechanism was requested",
+	"An invalid name was supplied",
+	"A supplied name was of an unsupported type",
+	"Incorrect channel bindings were supplied",
+	"An invalid status code was supplied",
+	"A token had an invalid MIC",
+	"No credentials were supplied, "
+	"or the credentials were unavailable or inaccessible.",
+	"No context has been established",
+	"A token was invalid",
+	"A credential was invalid",
+	"The referenced credentials have expired",
+	"The context has expired",
+	"Miscellaneous failure (see text)",
+	"The quality-of-protection requested could not be provide",
+	"The operation is forbidden by local security policy",
+	"The operation or option is not available",
+	"The requested credential element already exists",
+	"The provided name was not a mechanism name.",
+    };
+
+    v >>= GSS_C_ROUTINE_ERROR_OFFSET;
+
+    if (v == 0)
+	return "";
+    else if (v >= sizeof(msgs)/sizeof(*msgs))
+	return "unknown routine error";
+    else
+	return msgs[v];
+}
+
+static const char *
+supplementary_error(OM_uint32 v)
+{
+    static const char *msgs[] = {
+	"normal completion",
+	"continuation call to routine required",
+	"duplicate per-message token detected",
+	"timed-out per-message token detected",
+	"reordered (early) per-message token detected",
+	"skipped predecessor token(s) detected"
+    };
+
+    v >>= GSS_C_SUPPLEMENTARY_OFFSET;
+
+    if (v >= sizeof(msgs)/sizeof(*msgs))
+	return "unknown routine error";
+    else
+	return msgs[v];
+}
+
+void
+_gsskrb5_clear_status (void)
+{
+    krb5_context context;
+
+    if (_gsskrb5_init (&context) != 0)
+	return;
+    krb5_clear_error_string(context);
+}
+
+void
+_gsskrb5_set_status (const char *fmt, ...)
+{
+    krb5_context context;
+    va_list args;
+    char *str;
+
+    if (_gsskrb5_init (&context) != 0)
+	return;
+
+    va_start(args, fmt);
+    vasprintf(&str, fmt, args);
+    va_end(args);
+    if (str) {
+	krb5_set_error_string(context, str);
+	free(str);
+    }
+}
+
+OM_uint32 _gsskrb5_display_status
+(OM_uint32		*minor_status,
+ OM_uint32		 status_value,
+ int			 status_type,
+ const gss_OID	 mech_type,
+ OM_uint32		*message_context,
+ gss_buffer_t	 status_string)
+{
+    krb5_context context;
+    char *buf;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    status_string->length = 0;
+    status_string->value = NULL;
+
+    if (gss_oid_equal(mech_type, GSS_C_NO_OID) == 0 &&
+	gss_oid_equal(mech_type, GSS_KRB5_MECHANISM) == 0) {
+	*minor_status = 0;
+	return GSS_C_GSS_CODE;
+    }
+
+    if (status_type == GSS_C_GSS_CODE) {
+	if (GSS_SUPPLEMENTARY_INFO(status_value))
+	    asprintf(&buf, "%s", 
+		     supplementary_error(GSS_SUPPLEMENTARY_INFO(status_value)));
+	else
+	    asprintf (&buf, "%s %s",
+		      calling_error(GSS_CALLING_ERROR(status_value)),
+		      routine_error(GSS_ROUTINE_ERROR(status_value)));
+    } else if (status_type == GSS_C_MECH_CODE) {
+	buf = krb5_get_error_string(context);
+	if (buf == NULL) {
+	    const char *tmp = krb5_get_err_text (context, status_value);
+	    if (tmp == NULL)
+		asprintf(&buf, "unknown mech error-code %u",
+			 (unsigned)status_value);
+	    else
+		buf = strdup(tmp);
+	}
+    } else {
+	*minor_status = EINVAL;
+	return GSS_S_BAD_STATUS;
+    }
+
+    if (buf == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    *message_context = 0;
+    *minor_status = 0;
+
+    status_string->length = strlen(buf);
+    status_string->value  = buf;
+  
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/duplicate_name.c b/crypto/heimdal/lib/gssapi/krb5/duplicate_name.c
new file mode 100644
index 0000000..7337f1a
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/duplicate_name.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: duplicate_name.c 19031 2006-11-13 18:02:57Z lha $");
+
+OM_uint32 _gsskrb5_duplicate_name (
+            OM_uint32 * minor_status,
+            const gss_name_t src_name,
+            gss_name_t * dest_name
+           )
+{
+    krb5_context context;
+    krb5_const_principal src = (krb5_const_principal)src_name;
+    krb5_principal *dest = (krb5_principal *)dest_name;
+    krb5_error_code kret;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    kret = krb5_copy_principal (context, src, dest);
+    if (kret) {
+	*minor_status = kret;
+	return GSS_S_FAILURE;
+    } else {
+	*minor_status = 0;
+	return GSS_S_COMPLETE;
+    }
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/encapsulate.c b/crypto/heimdal/lib/gssapi/krb5/encapsulate.c
new file mode 100644
index 0000000..58dcb5c
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/encapsulate.c
@@ -0,0 +1,155 @@
+/*
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: encapsulate.c 18459 2006-10-14 10:12:16Z lha $");
+
+void
+_gssapi_encap_length (size_t data_len,
+		      size_t *len,
+		      size_t *total_len,
+		      const gss_OID mech)
+{
+    size_t len_len;
+
+    *len = 1 + 1 + mech->length + data_len;
+
+    len_len = der_length_len(*len);
+
+    *total_len = 1 + len_len + *len;
+}
+
+void
+_gsskrb5_encap_length (size_t data_len,
+			  size_t *len,
+			  size_t *total_len,
+			  const gss_OID mech)
+{
+    _gssapi_encap_length(data_len + 2, len, total_len, mech);
+}
+
+void *
+_gsskrb5_make_header (void *ptr,
+			 size_t len,
+			 const void *type,
+			 const gss_OID mech)
+{
+    u_char *p = ptr;
+    p = _gssapi_make_mech_header(p, len, mech);
+    memcpy (p, type, 2);
+    p += 2;
+    return p;
+}
+
+void *
+_gssapi_make_mech_header(void *ptr,
+			 size_t len,
+			 const gss_OID mech)
+{
+    u_char *p = ptr;
+    int e;
+    size_t len_len, foo;
+
+    *p++ = 0x60;
+    len_len = der_length_len(len);
+    e = der_put_length (p + len_len - 1, len_len, len, &foo);
+    if(e || foo != len_len)
+	abort ();
+    p += len_len;
+    *p++ = 0x06;
+    *p++ = mech->length;
+    memcpy (p, mech->elements, mech->length);
+    p += mech->length;
+    return p;
+}
+
+/*
+ * Give it a krb5_data and it will encapsulate with extra GSS-API wrappings.
+ */
+
+OM_uint32
+_gssapi_encapsulate(
+    OM_uint32 *minor_status,
+    const krb5_data *in_data,
+    gss_buffer_t output_token,
+    const gss_OID mech
+)
+{
+    size_t len, outer_len;
+    void *p;
+
+    _gssapi_encap_length (in_data->length, &len, &outer_len, mech);
+    
+    output_token->length = outer_len;
+    output_token->value  = malloc (outer_len);
+    if (output_token->value == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }	
+
+    p = _gssapi_make_mech_header (output_token->value, len, mech);
+    memcpy (p, in_data->data, in_data->length);
+    return GSS_S_COMPLETE;
+}
+
+/*
+ * Give it a krb5_data and it will encapsulate with extra GSS-API krb5
+ * wrappings.
+ */
+
+OM_uint32
+_gsskrb5_encapsulate(
+			OM_uint32 *minor_status,    
+			const krb5_data *in_data,
+			gss_buffer_t output_token,
+			const void *type,
+			const gss_OID mech
+)
+{
+    size_t len, outer_len;
+    u_char *p;
+
+    _gsskrb5_encap_length (in_data->length, &len, &outer_len, mech);
+    
+    output_token->length = outer_len;
+    output_token->value  = malloc (outer_len);
+    if (output_token->value == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }	
+
+    p = _gsskrb5_make_header (output_token->value, len, type, mech);
+    memcpy (p, in_data->data, in_data->length);
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/export_name.c b/crypto/heimdal/lib/gssapi/krb5/export_name.c
new file mode 100644
index 0000000..efa45a2
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/export_name.c
@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 1997, 1999, 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: export_name.c 19031 2006-11-13 18:02:57Z lha $");
+
+OM_uint32 _gsskrb5_export_name
+           (OM_uint32  * minor_status,
+            const gss_name_t input_name,
+            gss_buffer_t exported_name
+           )
+{
+    krb5_context context;
+    krb5_const_principal princ = (krb5_const_principal)input_name;
+    krb5_error_code kret;
+    char *buf, *name;
+    size_t len;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    kret = krb5_unparse_name (context, princ, &name);
+    if (kret) {
+	*minor_status = kret;
+	return GSS_S_FAILURE;
+    }
+    len = strlen (name);
+
+    exported_name->length = 10 + len + GSS_KRB5_MECHANISM->length;
+    exported_name->value  = malloc(exported_name->length);
+    if (exported_name->value == NULL) {
+	free (name);
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    /* TOK, MECH_OID_LEN, DER(MECH_OID), NAME_LEN, NAME */
+
+    buf = exported_name->value;
+    memcpy(buf, "\x04\x01", 2);
+    buf += 2;
+    buf[0] = ((GSS_KRB5_MECHANISM->length + 2) >> 8) & 0xff;
+    buf[1] = (GSS_KRB5_MECHANISM->length + 2) & 0xff;
+    buf+= 2;
+    buf[0] = 0x06;
+    buf[1] = (GSS_KRB5_MECHANISM->length) & 0xFF;
+    buf+= 2;
+
+    memcpy(buf, GSS_KRB5_MECHANISM->elements, GSS_KRB5_MECHANISM->length);
+    buf += GSS_KRB5_MECHANISM->length;
+
+    buf[0] = (len >> 24) & 0xff;
+    buf[1] = (len >> 16) & 0xff;
+    buf[2] = (len >> 8) & 0xff;
+    buf[3] = (len) & 0xff;
+    buf += 4;
+
+    memcpy (buf, name, len);
+
+    free (name);
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/export_sec_context.c b/crypto/heimdal/lib/gssapi/krb5/export_sec_context.c
new file mode 100644
index 0000000..0021861
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/export_sec_context.c
@@ -0,0 +1,240 @@
+/*
+ * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: export_sec_context.c 19031 2006-11-13 18:02:57Z lha $");
+
+OM_uint32
+_gsskrb5_export_sec_context (
+    OM_uint32 * minor_status,
+    gss_ctx_id_t * context_handle,
+    gss_buffer_t interprocess_token
+    )
+{
+    krb5_context context;
+    const gsskrb5_ctx ctx = (const gsskrb5_ctx) *context_handle;
+    krb5_storage *sp;
+    krb5_auth_context ac;
+    OM_uint32 ret = GSS_S_COMPLETE;
+    krb5_data data;
+    gss_buffer_desc buffer;
+    int flags;
+    OM_uint32 minor;
+    krb5_error_code kret;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+
+    if (!(ctx->flags & GSS_C_TRANS_FLAG)) {
+	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+	*minor_status = 0;
+	return GSS_S_UNAVAILABLE;
+    }
+
+    sp = krb5_storage_emem ();
+    if (sp == NULL) {
+	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+    ac = ctx->auth_context;
+
+    /* flagging included fields */
+
+    flags = 0;
+    if (ac->local_address)
+	flags |= SC_LOCAL_ADDRESS;
+    if (ac->remote_address)
+	flags |= SC_REMOTE_ADDRESS;
+    if (ac->keyblock)
+	flags |= SC_KEYBLOCK;
+    if (ac->local_subkey)
+	flags |= SC_LOCAL_SUBKEY;
+    if (ac->remote_subkey)
+	flags |= SC_REMOTE_SUBKEY;
+
+    kret = krb5_store_int32 (sp, flags);
+    if (kret) {
+	*minor_status = kret;
+	goto failure;
+    }
+
+    /* marshall auth context */
+
+    kret = krb5_store_int32 (sp, ac->flags);
+    if (kret) {
+	*minor_status = kret;
+	goto failure;
+    }
+    if (ac->local_address) {
+	kret = krb5_store_address (sp, *ac->local_address);
+	if (kret) {
+	    *minor_status = kret;
+	    goto failure;
+	}
+    }
+    if (ac->remote_address) {
+	kret = krb5_store_address (sp, *ac->remote_address);
+	if (kret) {
+	    *minor_status = kret;
+	    goto failure;
+	}
+    }
+    kret = krb5_store_int16 (sp, ac->local_port);
+    if (kret) {
+	*minor_status = kret;
+	goto failure;
+    }
+    kret = krb5_store_int16 (sp, ac->remote_port);
+    if (kret) {
+	*minor_status = kret;
+	goto failure;
+    }
+    if (ac->keyblock) {
+	kret = krb5_store_keyblock (sp, *ac->keyblock);
+	if (kret) {
+	    *minor_status = kret;
+	    goto failure;
+	}
+    }
+    if (ac->local_subkey) {
+	kret = krb5_store_keyblock (sp, *ac->local_subkey);
+	if (kret) {
+	    *minor_status = kret;
+	    goto failure;
+	}
+    }
+    if (ac->remote_subkey) {
+	kret = krb5_store_keyblock (sp, *ac->remote_subkey);
+	if (kret) {
+	    *minor_status = kret;
+	    goto failure;
+	}
+    }
+    kret = krb5_store_int32 (sp, ac->local_seqnumber);
+	if (kret) {
+	    *minor_status = kret;
+	    goto failure;
+	}
+    kret = krb5_store_int32 (sp, ac->remote_seqnumber);
+	if (kret) {
+	    *minor_status = kret;
+	    goto failure;
+	}
+
+    kret = krb5_store_int32 (sp, ac->keytype);
+    if (kret) {
+	*minor_status = kret;
+	goto failure;
+    }
+    kret = krb5_store_int32 (sp, ac->cksumtype);
+    if (kret) {
+	*minor_status = kret;
+	goto failure;
+    }
+
+    /* names */
+
+    ret = _gsskrb5_export_name (minor_status,
+				(gss_name_t)ctx->source, &buffer);
+    if (ret)
+	goto failure;
+    data.data   = buffer.value;
+    data.length = buffer.length;
+    kret = krb5_store_data (sp, data);
+    _gsskrb5_release_buffer (&minor, &buffer);
+    if (kret) {
+	*minor_status = kret;
+	goto failure;
+    }
+
+    ret = _gsskrb5_export_name (minor_status,
+				(gss_name_t)ctx->target, &buffer);
+    if (ret)
+	goto failure;
+    data.data   = buffer.value;
+    data.length = buffer.length;
+
+    ret = GSS_S_FAILURE;
+
+    kret = krb5_store_data (sp, data);
+    _gsskrb5_release_buffer (&minor, &buffer);
+    if (kret) {
+	*minor_status = kret;
+	goto failure;
+    }
+
+    kret = krb5_store_int32 (sp, ctx->flags);
+    if (kret) {
+	*minor_status = kret;
+	goto failure;
+    }
+    kret = krb5_store_int32 (sp, ctx->more_flags);
+    if (kret) {
+	*minor_status = kret;
+	goto failure;
+    }
+    kret = krb5_store_int32 (sp, ctx->lifetime);
+    if (kret) {
+	*minor_status = kret;
+	goto failure;
+    }
+    kret = _gssapi_msg_order_export(sp, ctx->order);
+    if (kret ) {
+        *minor_status = kret;
+        goto failure;
+    }
+
+    kret = krb5_storage_to_data (sp, &data);
+    krb5_storage_free (sp);
+    if (kret) {
+	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+	*minor_status = kret;
+	return GSS_S_FAILURE;
+    }
+    interprocess_token->length = data.length;
+    interprocess_token->value  = data.data;
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+    ret = _gsskrb5_delete_sec_context (minor_status, context_handle,
+				       GSS_C_NO_BUFFER);
+    if (ret != GSS_S_COMPLETE)
+	_gsskrb5_release_buffer (NULL, interprocess_token);
+    *minor_status = 0;
+    return ret;
+ failure:
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+    krb5_storage_free (sp);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/external.c b/crypto/heimdal/lib/gssapi/krb5/external.c
new file mode 100644
index 0000000..03fe61d
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/external.c
@@ -0,0 +1,425 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+#include <gssapi_mech.h>
+
+RCSID("$Id: external.c 22128 2007-12-04 00:56:55Z lha $");
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x01"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ *  infosys(1) gssapi(2) generic(1) user_name(1)}.  The constant
+ * GSS_C_NT_USER_NAME should be initialized to point
+ * to that gss_OID_desc.
+ */
+
+static gss_OID_desc gss_c_nt_user_name_oid_desc =
+{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x01")};
+
+gss_OID GSS_C_NT_USER_NAME = &gss_c_nt_user_name_oid_desc;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x02"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ *  infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
+ * The constant GSS_C_NT_MACHINE_UID_NAME should be
+ * initialized to point to that gss_OID_desc.
+ */
+
+static gss_OID_desc gss_c_nt_machine_uid_name_oid_desc =
+{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x02")};
+
+gss_OID GSS_C_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x03"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ *  infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
+ * The constant GSS_C_NT_STRING_UID_NAME should be
+ * initialized to point to that gss_OID_desc.
+ */
+
+static gss_OID_desc gss_c_nt_string_uid_name_oid_desc =
+{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x03")};
+
+gss_OID GSS_C_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
+ * corresponding to an object-identifier value of
+ * {iso(1) org(3) dod(6) internet(1) security(5)
+ * nametypes(6) gss-host-based-services(2)).  The constant
+ * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point
+ * to that gss_OID_desc.  This is a deprecated OID value, and
+ * implementations wishing to support hostbased-service names
+ * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID,
+ * defined below, to identify such names;
+ * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym
+ * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input
+ * parameter, but should not be emitted by GSS-API
+ * implementations
+ */
+
+static gss_OID_desc gss_c_nt_hostbased_service_x_oid_desc =
+{6, rk_UNCONST("\x2b\x06\x01\x05\x06\x02")};
+
+gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &gss_c_nt_hostbased_service_x_oid_desc;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x04"}, corresponding to an
+ * object-identifier value of {iso(1) member-body(2)
+ * Unites States(840) mit(113554) infosys(1) gssapi(2)
+ * generic(1) service_name(4)}.  The constant
+ * GSS_C_NT_HOSTBASED_SERVICE should be initialized
+ * to point to that gss_OID_desc.
+ */
+static gss_OID_desc gss_c_nt_hostbased_service_oid_desc =
+{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x04")};
+
+gss_OID GSS_C_NT_HOSTBASED_SERVICE = &gss_c_nt_hostbased_service_oid_desc;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\01\x05\x06\x03"},
+ * corresponding to an object identifier value of
+ * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 3(gss-anonymous-name)}.  The constant
+ * and GSS_C_NT_ANONYMOUS should be initialized to point
+ * to that gss_OID_desc.
+ */
+
+static gss_OID_desc gss_c_nt_anonymous_oid_desc =
+{6, rk_UNCONST("\x2b\x06\01\x05\x06\x03")};
+
+gss_OID GSS_C_NT_ANONYMOUS = &gss_c_nt_anonymous_oid_desc;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
+ * corresponding to an object-identifier value of
+ * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 4(gss-api-exported-name)}.  The constant
+ * GSS_C_NT_EXPORT_NAME should be initialized to point
+ * to that gss_OID_desc.
+ */
+
+static gss_OID_desc gss_c_nt_export_name_oid_desc =
+{6, rk_UNCONST("\x2b\x06\x01\x05\x06\x04") };
+
+gss_OID GSS_C_NT_EXPORT_NAME = &gss_c_nt_export_name_oid_desc;
+
+/*
+ *   This name form shall be represented by the Object Identifier {iso(1)
+ *   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ *   krb5(2) krb5_name(1)}.  The recommended symbolic name for this type
+ *   is "GSS_KRB5_NT_PRINCIPAL_NAME".
+ */
+
+static gss_OID_desc gss_krb5_nt_principal_name_oid_desc =
+{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01") };
+
+gss_OID GSS_KRB5_NT_PRINCIPAL_NAME = &gss_krb5_nt_principal_name_oid_desc;
+
+/*
+ *   This name form shall be represented by the Object Identifier {iso(1)
+ *   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ *   generic(1) user_name(1)}.  The recommended symbolic name for this
+ *   type is "GSS_KRB5_NT_USER_NAME".
+ */
+
+gss_OID GSS_KRB5_NT_USER_NAME = &gss_c_nt_user_name_oid_desc;
+
+/*
+ *   This name form shall be represented by the Object Identifier {iso(1)
+ *   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ *   generic(1) machine_uid_name(2)}.  The recommended symbolic name for
+ *   this type is "GSS_KRB5_NT_MACHINE_UID_NAME".
+ */
+
+gss_OID GSS_KRB5_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc;
+
+/*
+ *   This name form shall be represented by the Object Identifier {iso(1)
+ *   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ *   generic(1) string_uid_name(3)}.  The recommended symbolic name for
+ *   this type is "GSS_KRB5_NT_STRING_UID_NAME".
+ */
+
+gss_OID GSS_KRB5_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc;
+
+/*
+ *   To support ongoing experimentation, testing, and evolution of the
+ *   specification, the Kerberos V5 GSS-API mechanism as defined in this
+ *   and any successor memos will be identified with the following Object
+ *   Identifier, as defined in RFC-1510, until the specification is
+ *   advanced to the level of Proposed Standard RFC:
+ *
+ *   {iso(1), org(3), dod(5), internet(1), security(5), kerberosv5(2)}
+ *
+ *   Upon advancement to the level of Proposed Standard RFC, the Kerberos
+ *   V5 GSS-API mechanism will be identified by an Object Identifier
+ *   having the value:
+ *
+ *   {iso(1) member-body(2) United States(840) mit(113554) infosys(1)
+ *   gssapi(2) krb5(2)}
+ */
+
+#if 0 /* This is the old OID */
+
+static gss_OID_desc gss_krb5_mechanism_oid_desc =
+{5, rk_UNCONST("\x2b\x05\x01\x05\x02")};
+
+#endif
+
+static gss_OID_desc gss_krb5_mechanism_oid_desc =
+{9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") };
+
+gss_OID GSS_KRB5_MECHANISM = &gss_krb5_mechanism_oid_desc;
+
+/*
+ * draft-ietf-cat-iakerb-09, IAKERB:
+ *   The mechanism ID for IAKERB proxy GSS-API Kerberos, in accordance
+ *   with the mechanism proposed by SPNEGO [7] for negotiating protocol
+ *   variations, is:  {iso(1) org(3) dod(6) internet(1) security(5)
+ *   mechanisms(5) iakerb(10) iakerbProxyProtocol(1)}.  The proposed
+ *   mechanism ID for IAKERB minimum messages GSS-API Kerberos, in
+ *   accordance with the mechanism proposed by SPNEGO for negotiating
+ *   protocol variations, is: {iso(1) org(3) dod(6) internet(1)
+ *   security(5) mechanisms(5) iakerb(10)
+ *   iakerbMinimumMessagesProtocol(2)}.
+ */
+
+static gss_OID_desc gss_iakerb_proxy_mechanism_oid_desc =
+{7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x01")};
+
+gss_OID GSS_IAKERB_PROXY_MECHANISM = &gss_iakerb_proxy_mechanism_oid_desc;
+
+static gss_OID_desc gss_iakerb_min_msg_mechanism_oid_desc =
+{7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x02") };
+
+gss_OID GSS_IAKERB_MIN_MSG_MECHANISM = &gss_iakerb_min_msg_mechanism_oid_desc;
+
+/*
+ *
+ */
+
+static gss_OID_desc gss_c_peer_has_updated_spnego_oid_desc =
+{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x05"};
+
+gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO = &gss_c_peer_has_updated_spnego_oid_desc;
+
+/*
+ * 1.2.752.43.13 Heimdal GSS-API Extentions
+ */
+
+/* 1.2.752.43.13.1 */
+static gss_OID_desc gss_krb5_copy_ccache_x_oid_desc =
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x01")};
+
+gss_OID GSS_KRB5_COPY_CCACHE_X = &gss_krb5_copy_ccache_x_oid_desc;
+
+/* 1.2.752.43.13.2 */
+static gss_OID_desc gss_krb5_get_tkt_flags_x_oid_desc =
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x02")};
+
+gss_OID GSS_KRB5_GET_TKT_FLAGS_X = &gss_krb5_get_tkt_flags_x_oid_desc;
+
+/* 1.2.752.43.13.3 */
+static gss_OID_desc gss_krb5_extract_authz_data_from_sec_context_x_oid_desc =
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03")};
+
+gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X = &gss_krb5_extract_authz_data_from_sec_context_x_oid_desc;
+
+/* 1.2.752.43.13.4 */
+static gss_OID_desc gss_krb5_compat_des3_mic_x_oid_desc =
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x04")};
+
+gss_OID GSS_KRB5_COMPAT_DES3_MIC_X = &gss_krb5_compat_des3_mic_x_oid_desc;
+
+/* 1.2.752.43.13.5 */
+static gss_OID_desc gss_krb5_register_acceptor_identity_x_desc =
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05")};
+
+gss_OID GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X = &gss_krb5_register_acceptor_identity_x_desc;
+
+/* 1.2.752.43.13.6 */
+static gss_OID_desc gss_krb5_export_lucid_context_x_desc =
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06")};
+
+gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_X = &gss_krb5_export_lucid_context_x_desc;
+
+/* 1.2.752.43.13.6.1 */
+static gss_OID_desc gss_krb5_export_lucid_context_v1_x_desc =
+{7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06\x01")};
+
+gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X = &gss_krb5_export_lucid_context_v1_x_desc;
+
+/* 1.2.752.43.13.7 */
+static gss_OID_desc gss_krb5_set_dns_canonicalize_x_desc =
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x07")};
+
+gss_OID GSS_KRB5_SET_DNS_CANONICALIZE_X = &gss_krb5_set_dns_canonicalize_x_desc;
+
+/* 1.2.752.43.13.8 */
+static gss_OID_desc gss_krb5_get_subkey_x_desc =
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x08")};
+
+gss_OID GSS_KRB5_GET_SUBKEY_X = &gss_krb5_get_subkey_x_desc;
+
+/* 1.2.752.43.13.9 */
+static gss_OID_desc gss_krb5_get_initiator_subkey_x_desc =
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x09")};
+
+gss_OID GSS_KRB5_GET_INITIATOR_SUBKEY_X = &gss_krb5_get_initiator_subkey_x_desc;
+
+/* 1.2.752.43.13.10 */
+static gss_OID_desc gss_krb5_get_acceptor_subkey_x_desc =
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0a")};
+
+gss_OID GSS_KRB5_GET_ACCEPTOR_SUBKEY_X = &gss_krb5_get_acceptor_subkey_x_desc;
+
+/* 1.2.752.43.13.11 */
+static gss_OID_desc gss_krb5_send_to_kdc_x_desc =
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0b")};
+
+gss_OID GSS_KRB5_SEND_TO_KDC_X = &gss_krb5_send_to_kdc_x_desc;
+
+/* 1.2.752.43.13.12 */
+static gss_OID_desc gss_krb5_get_authtime_x_desc =
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0c")};
+
+gss_OID GSS_KRB5_GET_AUTHTIME_X = &gss_krb5_get_authtime_x_desc;
+
+/* 1.2.752.43.13.13 */
+static gss_OID_desc gss_krb5_get_service_keyblock_x_desc =
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d")};
+
+gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X = &gss_krb5_get_service_keyblock_x_desc;
+
+/* 1.2.752.43.13.14 */
+static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc =
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0e")};
+
+gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X = &gss_krb5_set_allowable_enctypes_x_desc;
+
+/* 1.2.752.43.13.15 */
+static gss_OID_desc gss_krb5_set_default_realm_x_desc =
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0f")};
+
+gss_OID GSS_KRB5_SET_DEFAULT_REALM_X = &gss_krb5_set_default_realm_x_desc;
+
+/* 1.2.752.43.13.16 */
+static gss_OID_desc gss_krb5_ccache_name_x_desc =
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x10")};
+
+gss_OID GSS_KRB5_CCACHE_NAME_X = &gss_krb5_ccache_name_x_desc;
+
+/* 1.2.752.43.14.1 */
+static gss_OID_desc gss_sasl_digest_md5_mechanism_desc =
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") };
+
+gss_OID GSS_SASL_DIGEST_MD5_MECHANISM = &gss_sasl_digest_md5_mechanism_desc;
+
+/*
+ * Context for krb5 calls.
+ */
+
+/*
+ *
+ */
+
+static gssapi_mech_interface_desc krb5_mech = {
+    GMI_VERSION,
+    "kerberos 5",
+    {9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" },
+    _gsskrb5_acquire_cred,
+    _gsskrb5_release_cred,
+    _gsskrb5_init_sec_context,
+    _gsskrb5_accept_sec_context,
+    _gsskrb5_process_context_token,
+    _gsskrb5_delete_sec_context,
+    _gsskrb5_context_time,
+    _gsskrb5_get_mic,
+    _gsskrb5_verify_mic,
+    _gsskrb5_wrap,
+    _gsskrb5_unwrap,
+    _gsskrb5_display_status,
+    _gsskrb5_indicate_mechs,
+    _gsskrb5_compare_name,
+    _gsskrb5_display_name,
+    _gsskrb5_import_name,
+    _gsskrb5_export_name,
+    _gsskrb5_release_name,
+    _gsskrb5_inquire_cred,
+    _gsskrb5_inquire_context,
+    _gsskrb5_wrap_size_limit,
+    _gsskrb5_add_cred,
+    _gsskrb5_inquire_cred_by_mech,
+    _gsskrb5_export_sec_context,
+    _gsskrb5_import_sec_context,
+    _gsskrb5_inquire_names_for_mech,
+    _gsskrb5_inquire_mechs_for_name,
+    _gsskrb5_canonicalize_name,
+    _gsskrb5_duplicate_name,
+    _gsskrb5_inquire_sec_context_by_oid,
+    _gsskrb5_inquire_cred_by_oid,
+    _gsskrb5_set_sec_context_option,
+    _gsskrb5_set_cred_option,
+    _gsskrb5_pseudo_random
+};
+
+gssapi_mech_interface
+__gss_krb5_initialize(void)
+{
+    return &krb5_mech;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/get_mic.c b/crypto/heimdal/lib/gssapi/krb5/get_mic.c
new file mode 100644
index 0000000..133481f
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/get_mic.c
@@ -0,0 +1,317 @@
+/*
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: get_mic.c 19031 2006-11-13 18:02:57Z lha $");
+
+static OM_uint32
+mic_des
+           (OM_uint32 * minor_status,
+            const gsskrb5_ctx ctx,
+	    krb5_context context,
+            gss_qop_t qop_req,
+            const gss_buffer_t message_buffer,
+            gss_buffer_t message_token,
+	    krb5_keyblock *key
+           )
+{
+  u_char *p;
+  MD5_CTX md5;
+  u_char hash[16];
+  DES_key_schedule schedule;
+  DES_cblock deskey;
+  DES_cblock zero;
+  int32_t seq_number;
+  size_t len, total_len;
+
+  _gsskrb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM);
+
+  message_token->length = total_len;
+  message_token->value  = malloc (total_len);
+  if (message_token->value == NULL) {
+    message_token->length = 0;
+    *minor_status = ENOMEM;
+    return GSS_S_FAILURE;
+  }
+
+  p = _gsskrb5_make_header(message_token->value,
+			      len,
+			      "\x01\x01", /* TOK_ID */
+			      GSS_KRB5_MECHANISM); 
+
+  memcpy (p, "\x00\x00", 2);	/* SGN_ALG = DES MAC MD5 */
+  p += 2;
+
+  memcpy (p, "\xff\xff\xff\xff", 4); /* Filler */
+  p += 4;
+
+  /* Fill in later (SND-SEQ) */
+  memset (p, 0, 16);
+  p += 16;
+
+  /* checksum */
+  MD5_Init (&md5);
+  MD5_Update (&md5, p - 24, 8);
+  MD5_Update (&md5, message_buffer->value, message_buffer->length);
+  MD5_Final (hash, &md5);
+
+  memset (&zero, 0, sizeof(zero));
+  memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
+  DES_set_key (&deskey, &schedule);
+  DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
+		 &schedule, &zero);
+  memcpy (p - 8, hash, 8);	/* SGN_CKSUM */
+
+  HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+  /* sequence number */
+  krb5_auth_con_getlocalseqnumber (context,
+				   ctx->auth_context,
+				   &seq_number);
+
+  p -= 16;			/* SND_SEQ */
+  p[0] = (seq_number >> 0)  & 0xFF;
+  p[1] = (seq_number >> 8)  & 0xFF;
+  p[2] = (seq_number >> 16) & 0xFF;
+  p[3] = (seq_number >> 24) & 0xFF;
+  memset (p + 4,
+	  (ctx->more_flags & LOCAL) ? 0 : 0xFF,
+	  4);
+
+  DES_set_key (&deskey, &schedule);
+  DES_cbc_encrypt ((void *)p, (void *)p, 8,
+		   &schedule, (DES_cblock *)(p + 8), DES_ENCRYPT);
+
+  krb5_auth_con_setlocalseqnumber (context,
+			       ctx->auth_context,
+			       ++seq_number);
+  HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+  
+  memset (deskey, 0, sizeof(deskey));
+  memset (&schedule, 0, sizeof(schedule));
+  
+  *minor_status = 0;
+  return GSS_S_COMPLETE;
+}
+
+static OM_uint32
+mic_des3
+           (OM_uint32 * minor_status,
+            const gsskrb5_ctx ctx,
+	    krb5_context context,
+            gss_qop_t qop_req,
+            const gss_buffer_t message_buffer,
+            gss_buffer_t message_token,
+	    krb5_keyblock *key
+           )
+{
+  u_char *p;
+  Checksum cksum;
+  u_char seq[8];
+
+  int32_t seq_number;
+  size_t len, total_len;
+
+  krb5_crypto crypto;
+  krb5_error_code kret;
+  krb5_data encdata;
+  char *tmp;
+  char ivec[8];
+
+  _gsskrb5_encap_length (36, &len, &total_len, GSS_KRB5_MECHANISM);
+
+  message_token->length = total_len;
+  message_token->value  = malloc (total_len);
+  if (message_token->value == NULL) {
+      message_token->length = 0;
+      *minor_status = ENOMEM;
+      return GSS_S_FAILURE;
+  }
+
+  p = _gsskrb5_make_header(message_token->value,
+			      len,
+			      "\x01\x01", /* TOK-ID */
+			      GSS_KRB5_MECHANISM);
+
+  memcpy (p, "\x04\x00", 2);	/* SGN_ALG = HMAC SHA1 DES3-KD */
+  p += 2;
+
+  memcpy (p, "\xff\xff\xff\xff", 4); /* filler */
+  p += 4;
+
+  /* this should be done in parts */
+
+  tmp = malloc (message_buffer->length + 8);
+  if (tmp == NULL) {
+      free (message_token->value);
+      message_token->value = NULL;
+      message_token->length = 0;
+      *minor_status = ENOMEM;
+      return GSS_S_FAILURE;
+  }
+  memcpy (tmp, p - 8, 8);
+  memcpy (tmp + 8, message_buffer->value, message_buffer->length);
+
+  kret = krb5_crypto_init(context, key, 0, &crypto);
+  if (kret) {
+      free (message_token->value);
+      message_token->value = NULL;
+      message_token->length = 0;
+      free (tmp);
+      *minor_status = kret;
+      return GSS_S_FAILURE;
+  }
+
+  kret = krb5_create_checksum (context,
+			       crypto,
+			       KRB5_KU_USAGE_SIGN,
+			       0,
+			       tmp,
+			       message_buffer->length + 8,
+			       &cksum);
+  free (tmp);
+  krb5_crypto_destroy (context, crypto);
+  if (kret) {
+      free (message_token->value);
+      message_token->value = NULL;
+      message_token->length = 0;
+      *minor_status = kret;
+      return GSS_S_FAILURE;
+  }
+
+  memcpy (p + 8, cksum.checksum.data, cksum.checksum.length);
+
+  HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+  /* sequence number */
+  krb5_auth_con_getlocalseqnumber (context,
+			       ctx->auth_context,
+			       &seq_number);
+
+  seq[0] = (seq_number >> 0)  & 0xFF;
+  seq[1] = (seq_number >> 8)  & 0xFF;
+  seq[2] = (seq_number >> 16) & 0xFF;
+  seq[3] = (seq_number >> 24) & 0xFF;
+  memset (seq + 4,
+	  (ctx->more_flags & LOCAL) ? 0 : 0xFF,
+	  4);
+
+  kret = krb5_crypto_init(context, key,
+			  ETYPE_DES3_CBC_NONE, &crypto);
+  if (kret) {
+      free (message_token->value);
+      message_token->value = NULL;
+      message_token->length = 0;
+      *minor_status = kret;
+      return GSS_S_FAILURE;
+  }
+
+  if (ctx->more_flags & COMPAT_OLD_DES3)
+      memset(ivec, 0, 8);
+  else
+      memcpy(ivec, p + 8, 8);
+
+  kret = krb5_encrypt_ivec (context,
+			    crypto,
+			    KRB5_KU_USAGE_SEQ,
+			    seq, 8, &encdata, ivec);
+  krb5_crypto_destroy (context, crypto);
+  if (kret) {
+      free (message_token->value);
+      message_token->value = NULL;
+      message_token->length = 0;
+      *minor_status = kret;
+      return GSS_S_FAILURE;
+  }
+  
+  assert (encdata.length == 8);
+
+  memcpy (p, encdata.data, encdata.length);
+  krb5_data_free (&encdata);
+
+  krb5_auth_con_setlocalseqnumber (context,
+			       ctx->auth_context,
+			       ++seq_number);
+  HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+  
+  free_Checksum (&cksum);
+  *minor_status = 0;
+  return GSS_S_COMPLETE;
+}
+
+OM_uint32 _gsskrb5_get_mic
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            gss_qop_t qop_req,
+            const gss_buffer_t message_buffer,
+            gss_buffer_t message_token
+           )
+{
+  krb5_context context;
+  const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
+  krb5_keyblock *key;
+  OM_uint32 ret;
+  krb5_keytype keytype;
+
+  GSSAPI_KRB5_INIT (&context);
+
+  HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+  ret = _gsskrb5i_get_token_key(ctx, context, &key);
+  HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+  if (ret) {
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+  krb5_enctype_to_keytype (context, key->keytype, &keytype);
+
+  switch (keytype) {
+  case KEYTYPE_DES :
+      ret = mic_des (minor_status, ctx, context, qop_req,
+		     message_buffer, message_token, key);
+      break;
+  case KEYTYPE_DES3 :
+      ret = mic_des3 (minor_status, ctx, context, qop_req,
+		      message_buffer, message_token, key);
+      break;
+  case KEYTYPE_ARCFOUR:
+  case KEYTYPE_ARCFOUR_56:
+      ret = _gssapi_get_mic_arcfour (minor_status, ctx, context, qop_req,
+				     message_buffer, message_token, key);
+      break;
+  default :
+      ret = _gssapi_mic_cfx (minor_status, ctx, context, qop_req,
+			     message_buffer, message_token, key);
+      break;
+  }
+  krb5_free_keyblock (context, key);
+  return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/gkrb5_err.et b/crypto/heimdal/lib/gssapi/krb5/gkrb5_err.et
new file mode 100644
index 0000000..dbfdbdf
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/gkrb5_err.et
@@ -0,0 +1,31 @@
+#
+# extended gss krb5 error messages
+#
+
+id "$Id: gkrb5_err.et 20049 2007-01-24 00:14:24Z lha $"
+
+error_table gk5
+
+prefix GSS_KRB5_S
+
+error_code G_BAD_SERVICE_NAME, "No @ in SERVICE-NAME name string"
+error_code G_BAD_STRING_UID, "STRING-UID-NAME contains nondigits"
+error_code G_NOUSER, "UID does not resolve to username"
+error_code G_VALIDATE_FAILED, "Validation error"
+error_code G_BUFFER_ALLOC, "Couldn't allocate gss_buffer_t data"
+error_code G_BAD_MSG_CTX, "Message context invalid"
+error_code G_WRONG_SIZE, "Buffer is the wrong size"
+error_code G_BAD_USAGE, "Credential usage type is unknown"
+error_code G_UNKNOWN_QOP, "Unknown quality of protection specified"
+
+index 128
+
+error_code KG_CCACHE_NOMATCH, "Principal in credential cache does not match desired name"
+error_code KG_KEYTAB_NOMATCH, "No principal in keytab matches desired name"
+error_code KG_TGT_MISSING, "Credential cache has no TGT"
+error_code KG_NO_SUBKEY, "Authenticator has no subkey"
+error_code KG_CONTEXT_ESTABLISHED, "Context is already fully established"
+error_code KG_BAD_SIGN_TYPE, "Unknown signature type in token"
+error_code KG_BAD_LENGTH, "Invalid field length in token"
+error_code KG_CTX_INCOMPLETE, "Attempt to use incomplete security context"
+error_code KG_INPUT_TOO_LONG, "Input too long"
diff --git a/crypto/heimdal/lib/gssapi/krb5/gsskrb5-private.h b/crypto/heimdal/lib/gssapi/krb5/gsskrb5-private.h
new file mode 100644
index 0000000..c2239f1
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/gsskrb5-private.h
@@ -0,0 +1,703 @@
+/* This is a generated file */
+#ifndef __gsskrb5_private_h__
+#define __gsskrb5_private_h__
+
+#include <stdarg.h>
+
+gssapi_mech_interface
+__gss_krb5_initialize (void);
+
+OM_uint32
+__gsskrb5_ccache_lifetime (
+	OM_uint32 */*minor_status*/,
+	krb5_context /*context*/,
+	krb5_ccache /*id*/,
+	krb5_principal /*principal*/,
+	OM_uint32 */*lifetime*/);
+
+OM_uint32
+_gss_DES3_get_mic_compat (
+	OM_uint32 */*minor_status*/,
+	gsskrb5_ctx /*ctx*/,
+	krb5_context /*context*/);
+
+OM_uint32
+_gssapi_decapsulate (
+	 OM_uint32 */*minor_status*/,
+	gss_buffer_t /*input_token_buffer*/,
+	krb5_data */*out_data*/,
+	const gss_OID mech );
+
+void
+_gssapi_encap_length (
+	size_t /*data_len*/,
+	size_t */*len*/,
+	size_t */*total_len*/,
+	const gss_OID /*mech*/);
+
+OM_uint32
+_gssapi_encapsulate (
+	 OM_uint32 */*minor_status*/,
+	const krb5_data */*in_data*/,
+	gss_buffer_t /*output_token*/,
+	const gss_OID mech );
+
+OM_uint32
+_gssapi_get_mic_arcfour (
+	OM_uint32 * /*minor_status*/,
+	const gsskrb5_ctx /*context_handle*/,
+	krb5_context /*context*/,
+	gss_qop_t /*qop_req*/,
+	const gss_buffer_t /*message_buffer*/,
+	gss_buffer_t /*message_token*/,
+	krb5_keyblock */*key*/);
+
+void *
+_gssapi_make_mech_header (
+	void */*ptr*/,
+	size_t /*len*/,
+	const gss_OID /*mech*/);
+
+OM_uint32
+_gssapi_mic_cfx (
+	OM_uint32 */*minor_status*/,
+	const gsskrb5_ctx /*context_handle*/,
+	krb5_context /*context*/,
+	gss_qop_t /*qop_req*/,
+	const gss_buffer_t /*message_buffer*/,
+	gss_buffer_t /*message_token*/,
+	krb5_keyblock */*key*/);
+
+OM_uint32
+_gssapi_msg_order_check (
+	struct gss_msg_order */*o*/,
+	OM_uint32 /*seq_num*/);
+
+OM_uint32
+_gssapi_msg_order_create (
+	OM_uint32 */*minor_status*/,
+	struct gss_msg_order **/*o*/,
+	OM_uint32 /*flags*/,
+	OM_uint32 /*seq_num*/,
+	OM_uint32 /*jitter_window*/,
+	int /*use_64*/);
+
+OM_uint32
+_gssapi_msg_order_destroy (struct gss_msg_order **/*m*/);
+
+krb5_error_code
+_gssapi_msg_order_export (
+	krb5_storage */*sp*/,
+	struct gss_msg_order */*o*/);
+
+OM_uint32
+_gssapi_msg_order_f (OM_uint32 /*flags*/);
+
+OM_uint32
+_gssapi_msg_order_import (
+	OM_uint32 */*minor_status*/,
+	krb5_storage */*sp*/,
+	struct gss_msg_order **/*o*/);
+
+OM_uint32
+_gssapi_unwrap_arcfour (
+	OM_uint32 */*minor_status*/,
+	const gsskrb5_ctx /*context_handle*/,
+	krb5_context /*context*/,
+	const gss_buffer_t /*input_message_buffer*/,
+	gss_buffer_t /*output_message_buffer*/,
+	int */*conf_state*/,
+	gss_qop_t */*qop_state*/,
+	krb5_keyblock */*key*/);
+
+OM_uint32
+_gssapi_unwrap_cfx (
+	OM_uint32 */*minor_status*/,
+	const gsskrb5_ctx /*context_handle*/,
+	krb5_context /*context*/,
+	const gss_buffer_t /*input_message_buffer*/,
+	gss_buffer_t /*output_message_buffer*/,
+	int */*conf_state*/,
+	gss_qop_t */*qop_state*/,
+	krb5_keyblock */*key*/);
+
+OM_uint32
+_gssapi_verify_mech_header (
+	u_char **/*str*/,
+	size_t /*total_len*/,
+	gss_OID /*mech*/);
+
+OM_uint32
+_gssapi_verify_mic_arcfour (
+	OM_uint32 * /*minor_status*/,
+	const gsskrb5_ctx /*context_handle*/,
+	krb5_context /*context*/,
+	const gss_buffer_t /*message_buffer*/,
+	const gss_buffer_t /*token_buffer*/,
+	gss_qop_t * /*qop_state*/,
+	krb5_keyblock */*key*/,
+	char */*type*/);
+
+OM_uint32
+_gssapi_verify_mic_cfx (
+	OM_uint32 */*minor_status*/,
+	const gsskrb5_ctx /*context_handle*/,
+	krb5_context /*context*/,
+	const gss_buffer_t /*message_buffer*/,
+	const gss_buffer_t /*token_buffer*/,
+	gss_qop_t */*qop_state*/,
+	krb5_keyblock */*key*/);
+
+OM_uint32
+_gssapi_verify_pad (
+	gss_buffer_t /*wrapped_token*/,
+	size_t /*datalen*/,
+	size_t */*padlen*/);
+
+OM_uint32
+_gssapi_wrap_arcfour (
+	OM_uint32 * /*minor_status*/,
+	const gsskrb5_ctx /*context_handle*/,
+	krb5_context /*context*/,
+	int /*conf_req_flag*/,
+	gss_qop_t /*qop_req*/,
+	const gss_buffer_t /*input_message_buffer*/,
+	int * /*conf_state*/,
+	gss_buffer_t /*output_message_buffer*/,
+	krb5_keyblock */*key*/);
+
+OM_uint32
+_gssapi_wrap_cfx (
+	OM_uint32 */*minor_status*/,
+	const gsskrb5_ctx /*context_handle*/,
+	krb5_context /*context*/,
+	int /*conf_req_flag*/,
+	gss_qop_t /*qop_req*/,
+	const gss_buffer_t /*input_message_buffer*/,
+	int */*conf_state*/,
+	gss_buffer_t /*output_message_buffer*/,
+	krb5_keyblock */*key*/);
+
+OM_uint32
+_gssapi_wrap_size_arcfour (
+	OM_uint32 */*minor_status*/,
+	const gsskrb5_ctx /*ctx*/,
+	krb5_context /*context*/,
+	int /*conf_req_flag*/,
+	gss_qop_t /*qop_req*/,
+	OM_uint32 /*req_output_size*/,
+	OM_uint32 */*max_input_size*/,
+	krb5_keyblock */*key*/);
+
+OM_uint32
+_gssapi_wrap_size_cfx (
+	OM_uint32 */*minor_status*/,
+	const gsskrb5_ctx /*context_handle*/,
+	krb5_context /*context*/,
+	int /*conf_req_flag*/,
+	gss_qop_t /*qop_req*/,
+	OM_uint32 /*req_output_size*/,
+	OM_uint32 */*max_input_size*/,
+	krb5_keyblock */*key*/);
+
+OM_uint32
+_gsskrb5_accept_sec_context (
+	OM_uint32 * /*minor_status*/,
+	gss_ctx_id_t * /*context_handle*/,
+	const gss_cred_id_t /*acceptor_cred_handle*/,
+	const gss_buffer_t /*input_token_buffer*/,
+	const gss_channel_bindings_t /*input_chan_bindings*/,
+	gss_name_t * /*src_name*/,
+	gss_OID * /*mech_type*/,
+	gss_buffer_t /*output_token*/,
+	OM_uint32 * /*ret_flags*/,
+	OM_uint32 * /*time_rec*/,
+	gss_cred_id_t * /*delegated_cred_handle*/);
+
+OM_uint32
+_gsskrb5_acquire_cred (
+	OM_uint32 * /*minor_status*/,
+	const gss_name_t /*desired_name*/,
+	OM_uint32 /*time_req*/,
+	const gss_OID_set /*desired_mechs*/,
+	gss_cred_usage_t /*cred_usage*/,
+	gss_cred_id_t * /*output_cred_handle*/,
+	gss_OID_set * /*actual_mechs*/,
+	OM_uint32 * time_rec );
+
+OM_uint32
+_gsskrb5_add_cred (
+	 OM_uint32 */*minor_status*/,
+	const gss_cred_id_t /*input_cred_handle*/,
+	const gss_name_t /*desired_name*/,
+	const gss_OID /*desired_mech*/,
+	gss_cred_usage_t /*cred_usage*/,
+	OM_uint32 /*initiator_time_req*/,
+	OM_uint32 /*acceptor_time_req*/,
+	gss_cred_id_t */*output_cred_handle*/,
+	gss_OID_set */*actual_mechs*/,
+	OM_uint32 */*initiator_time_rec*/,
+	OM_uint32 */*acceptor_time_rec*/);
+
+OM_uint32
+_gsskrb5_canonicalize_name (
+	 OM_uint32 * /*minor_status*/,
+	const gss_name_t /*input_name*/,
+	const gss_OID /*mech_type*/,
+	gss_name_t * output_name );
+
+void
+_gsskrb5_clear_status (void);
+
+OM_uint32
+_gsskrb5_compare_name (
+	OM_uint32 * /*minor_status*/,
+	const gss_name_t /*name1*/,
+	const gss_name_t /*name2*/,
+	int * name_equal );
+
+OM_uint32
+_gsskrb5_context_time (
+	OM_uint32 * /*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	OM_uint32 * time_rec );
+
+OM_uint32
+_gsskrb5_create_8003_checksum (
+	 OM_uint32 */*minor_status*/,
+	const gss_channel_bindings_t /*input_chan_bindings*/,
+	OM_uint32 /*flags*/,
+	const krb5_data */*fwd_data*/,
+	Checksum */*result*/);
+
+OM_uint32
+_gsskrb5_create_ctx (
+	 OM_uint32 * /*minor_status*/,
+	gss_ctx_id_t * /*context_handle*/,
+	krb5_context /*context*/,
+	const gss_channel_bindings_t /*input_chan_bindings*/,
+	enum gss_ctx_id_t_state /*state*/);
+
+OM_uint32
+_gsskrb5_decapsulate (
+	OM_uint32 */*minor_status*/,
+	gss_buffer_t /*input_token_buffer*/,
+	krb5_data */*out_data*/,
+	const void */*type*/,
+	gss_OID /*oid*/);
+
+krb5_error_code
+_gsskrb5_decode_be_om_uint32 (
+	const void */*ptr*/,
+	OM_uint32 */*n*/);
+
+krb5_error_code
+_gsskrb5_decode_om_uint32 (
+	const void */*ptr*/,
+	OM_uint32 */*n*/);
+
+OM_uint32
+_gsskrb5_delete_sec_context (
+	OM_uint32 * /*minor_status*/,
+	gss_ctx_id_t * /*context_handle*/,
+	gss_buffer_t /*output_token*/);
+
+OM_uint32
+_gsskrb5_display_name (
+	OM_uint32 * /*minor_status*/,
+	const gss_name_t /*input_name*/,
+	gss_buffer_t /*output_name_buffer*/,
+	gss_OID * output_name_type );
+
+OM_uint32
+_gsskrb5_display_status (
+	OM_uint32 */*minor_status*/,
+	OM_uint32 /*status_value*/,
+	int /*status_type*/,
+	const gss_OID /*mech_type*/,
+	OM_uint32 */*message_context*/,
+	gss_buffer_t /*status_string*/);
+
+OM_uint32
+_gsskrb5_duplicate_name (
+	 OM_uint32 * /*minor_status*/,
+	const gss_name_t /*src_name*/,
+	gss_name_t * dest_name );
+
+void
+_gsskrb5_encap_length (
+	size_t /*data_len*/,
+	size_t */*len*/,
+	size_t */*total_len*/,
+	const gss_OID /*mech*/);
+
+OM_uint32
+_gsskrb5_encapsulate (
+	 OM_uint32 */*minor_status*/,
+	const krb5_data */*in_data*/,
+	gss_buffer_t /*output_token*/,
+	const void */*type*/,
+	const gss_OID mech );
+
+krb5_error_code
+_gsskrb5_encode_be_om_uint32 (
+	OM_uint32 /*n*/,
+	u_char */*p*/);
+
+krb5_error_code
+_gsskrb5_encode_om_uint32 (
+	OM_uint32 /*n*/,
+	u_char */*p*/);
+
+OM_uint32
+_gsskrb5_export_name (
+	OM_uint32 * /*minor_status*/,
+	const gss_name_t /*input_name*/,
+	gss_buffer_t exported_name );
+
+OM_uint32
+_gsskrb5_export_sec_context (
+	 OM_uint32 * /*minor_status*/,
+	gss_ctx_id_t * /*context_handle*/,
+	gss_buffer_t interprocess_token );
+
+ssize_t
+_gsskrb5_get_mech (
+	const u_char */*ptr*/,
+	size_t /*total_len*/,
+	const u_char **/*mech_ret*/);
+
+OM_uint32
+_gsskrb5_get_mic (
+	OM_uint32 * /*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	gss_qop_t /*qop_req*/,
+	const gss_buffer_t /*message_buffer*/,
+	gss_buffer_t message_token );
+
+OM_uint32
+_gsskrb5_get_tkt_flags (
+	OM_uint32 */*minor_status*/,
+	gsskrb5_ctx /*ctx*/,
+	OM_uint32 */*tkt_flags*/);
+
+OM_uint32
+_gsskrb5_import_cred (
+	OM_uint32 */*minor_status*/,
+	krb5_ccache /*id*/,
+	krb5_principal /*keytab_principal*/,
+	krb5_keytab /*keytab*/,
+	gss_cred_id_t */*cred*/);
+
+OM_uint32
+_gsskrb5_import_name (
+	OM_uint32 * /*minor_status*/,
+	const gss_buffer_t /*input_name_buffer*/,
+	const gss_OID /*input_name_type*/,
+	gss_name_t * output_name );
+
+OM_uint32
+_gsskrb5_import_sec_context (
+	 OM_uint32 * /*minor_status*/,
+	const gss_buffer_t /*interprocess_token*/,
+	gss_ctx_id_t * context_handle );
+
+OM_uint32
+_gsskrb5_indicate_mechs (
+	OM_uint32 * /*minor_status*/,
+	gss_OID_set * mech_set );
+
+krb5_error_code
+_gsskrb5_init (krb5_context */*context*/);
+
+OM_uint32
+_gsskrb5_init_sec_context (
+	OM_uint32 * /*minor_status*/,
+	const gss_cred_id_t /*initiator_cred_handle*/,
+	gss_ctx_id_t * /*context_handle*/,
+	const gss_name_t /*target_name*/,
+	const gss_OID /*mech_type*/,
+	OM_uint32 /*req_flags*/,
+	OM_uint32 /*time_req*/,
+	const gss_channel_bindings_t /*input_chan_bindings*/,
+	const gss_buffer_t /*input_token*/,
+	gss_OID * /*actual_mech_type*/,
+	gss_buffer_t /*output_token*/,
+	OM_uint32 * /*ret_flags*/,
+	OM_uint32 * time_rec );
+
+OM_uint32
+_gsskrb5_inquire_context (
+	 OM_uint32 * /*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	gss_name_t * /*src_name*/,
+	gss_name_t * /*targ_name*/,
+	OM_uint32 * /*lifetime_rec*/,
+	gss_OID * /*mech_type*/,
+	OM_uint32 * /*ctx_flags*/,
+	int * /*locally_initiated*/,
+	int * open_context );
+
+OM_uint32
+_gsskrb5_inquire_cred (
+	OM_uint32 * /*minor_status*/,
+	const gss_cred_id_t /*cred_handle*/,
+	gss_name_t * /*output_name*/,
+	OM_uint32 * /*lifetime*/,
+	gss_cred_usage_t * /*cred_usage*/,
+	gss_OID_set * mechanisms );
+
+OM_uint32
+_gsskrb5_inquire_cred_by_mech (
+	 OM_uint32 * /*minor_status*/,
+	const gss_cred_id_t /*cred_handle*/,
+	const gss_OID /*mech_type*/,
+	gss_name_t * /*name*/,
+	OM_uint32 * /*initiator_lifetime*/,
+	OM_uint32 * /*acceptor_lifetime*/,
+	gss_cred_usage_t * cred_usage );
+
+OM_uint32
+_gsskrb5_inquire_cred_by_oid (
+	OM_uint32 * /*minor_status*/,
+	const gss_cred_id_t /*cred_handle*/,
+	const gss_OID /*desired_object*/,
+	gss_buffer_set_t */*data_set*/);
+
+OM_uint32
+_gsskrb5_inquire_mechs_for_name (
+	 OM_uint32 * /*minor_status*/,
+	const gss_name_t /*input_name*/,
+	gss_OID_set * mech_types );
+
+OM_uint32
+_gsskrb5_inquire_names_for_mech (
+	 OM_uint32 * /*minor_status*/,
+	const gss_OID /*mechanism*/,
+	gss_OID_set * name_types );
+
+OM_uint32
+_gsskrb5_inquire_sec_context_by_oid (
+	OM_uint32 */*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	const gss_OID /*desired_object*/,
+	gss_buffer_set_t */*data_set*/);
+
+OM_uint32
+_gsskrb5_krb5_ccache_name (
+	OM_uint32 */*minor_status*/,
+	const char */*name*/,
+	const char **/*out_name*/);
+
+OM_uint32
+_gsskrb5_lifetime_left (
+	OM_uint32 */*minor_status*/,
+	krb5_context /*context*/,
+	OM_uint32 /*lifetime*/,
+	OM_uint32 */*lifetime_rec*/);
+
+void *
+_gsskrb5_make_header (
+	void */*ptr*/,
+	size_t /*len*/,
+	const void */*type*/,
+	const gss_OID /*mech*/);
+
+OM_uint32
+_gsskrb5_process_context_token (
+	 OM_uint32 */*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	const gss_buffer_t token_buffer );
+
+OM_uint32
+_gsskrb5_pseudo_random (
+	OM_uint32 */*minor_status*/,
+	gss_ctx_id_t /*context_handle*/,
+	int /*prf_key*/,
+	const gss_buffer_t /*prf_in*/,
+	ssize_t /*desired_output_len*/,
+	gss_buffer_t /*prf_out*/);
+
+OM_uint32
+_gsskrb5_register_acceptor_identity (const char */*identity*/);
+
+OM_uint32
+_gsskrb5_release_buffer (
+	OM_uint32 * /*minor_status*/,
+	gss_buffer_t buffer );
+
+OM_uint32
+_gsskrb5_release_cred (
+	OM_uint32 * /*minor_status*/,
+	gss_cred_id_t * cred_handle );
+
+OM_uint32
+_gsskrb5_release_name (
+	OM_uint32 * /*minor_status*/,
+	gss_name_t * input_name );
+
+OM_uint32
+_gsskrb5_seal (
+	OM_uint32 * /*minor_status*/,
+	gss_ctx_id_t /*context_handle*/,
+	int /*conf_req_flag*/,
+	int /*qop_req*/,
+	gss_buffer_t /*input_message_buffer*/,
+	int * /*conf_state*/,
+	gss_buffer_t output_message_buffer );
+
+OM_uint32
+_gsskrb5_set_cred_option (
+	OM_uint32 */*minor_status*/,
+	gss_cred_id_t */*cred_handle*/,
+	const gss_OID /*desired_object*/,
+	const gss_buffer_t /*value*/);
+
+OM_uint32
+_gsskrb5_set_sec_context_option (
+	OM_uint32 */*minor_status*/,
+	gss_ctx_id_t */*context_handle*/,
+	const gss_OID /*desired_object*/,
+	const gss_buffer_t /*value*/);
+
+void
+_gsskrb5_set_status (
+	const char */*fmt*/,
+	...);
+
+OM_uint32
+_gsskrb5_sign (
+	OM_uint32 * /*minor_status*/,
+	gss_ctx_id_t /*context_handle*/,
+	int /*qop_req*/,
+	gss_buffer_t /*message_buffer*/,
+	gss_buffer_t message_token );
+
+OM_uint32
+_gsskrb5_unseal (
+	OM_uint32 * /*minor_status*/,
+	gss_ctx_id_t /*context_handle*/,
+	gss_buffer_t /*input_message_buffer*/,
+	gss_buffer_t /*output_message_buffer*/,
+	int * /*conf_state*/,
+	int * qop_state );
+
+OM_uint32
+_gsskrb5_unwrap (
+	OM_uint32 * /*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	const gss_buffer_t /*input_message_buffer*/,
+	gss_buffer_t /*output_message_buffer*/,
+	int * /*conf_state*/,
+	gss_qop_t * qop_state );
+
+OM_uint32
+_gsskrb5_verify (
+	OM_uint32 * /*minor_status*/,
+	gss_ctx_id_t /*context_handle*/,
+	gss_buffer_t /*message_buffer*/,
+	gss_buffer_t /*token_buffer*/,
+	int * qop_state );
+
+OM_uint32
+_gsskrb5_verify_8003_checksum (
+	 OM_uint32 */*minor_status*/,
+	const gss_channel_bindings_t /*input_chan_bindings*/,
+	const Checksum */*cksum*/,
+	OM_uint32 */*flags*/,
+	krb5_data */*fwd_data*/);
+
+OM_uint32
+_gsskrb5_verify_header (
+	u_char **/*str*/,
+	size_t /*total_len*/,
+	const void */*type*/,
+	gss_OID /*oid*/);
+
+OM_uint32
+_gsskrb5_verify_mic (
+	OM_uint32 * /*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	const gss_buffer_t /*message_buffer*/,
+	const gss_buffer_t /*token_buffer*/,
+	gss_qop_t * qop_state );
+
+OM_uint32
+_gsskrb5_verify_mic_internal (
+	OM_uint32 * /*minor_status*/,
+	const gsskrb5_ctx /*context_handle*/,
+	krb5_context /*context*/,
+	const gss_buffer_t /*message_buffer*/,
+	const gss_buffer_t /*token_buffer*/,
+	gss_qop_t * /*qop_state*/,
+	char * type );
+
+OM_uint32
+_gsskrb5_wrap (
+	OM_uint32 * /*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	int /*conf_req_flag*/,
+	gss_qop_t /*qop_req*/,
+	const gss_buffer_t /*input_message_buffer*/,
+	int * /*conf_state*/,
+	gss_buffer_t output_message_buffer );
+
+OM_uint32
+_gsskrb5_wrap_size_limit (
+	 OM_uint32 * /*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	int /*conf_req_flag*/,
+	gss_qop_t /*qop_req*/,
+	OM_uint32 /*req_output_size*/,
+	OM_uint32 * max_input_size );
+
+krb5_error_code
+_gsskrb5cfx_max_wrap_length_cfx (
+	krb5_context /*context*/,
+	krb5_crypto /*crypto*/,
+	int /*conf_req_flag*/,
+	size_t /*input_length*/,
+	OM_uint32 */*output_length*/);
+
+krb5_error_code
+_gsskrb5cfx_wrap_length_cfx (
+	krb5_context /*context*/,
+	krb5_crypto /*crypto*/,
+	int /*conf_req_flag*/,
+	size_t /*input_length*/,
+	size_t */*output_length*/,
+	size_t */*cksumsize*/,
+	uint16_t */*padlength*/);
+
+krb5_error_code
+_gsskrb5i_address_to_krb5addr (
+	krb5_context /*context*/,
+	OM_uint32 /*gss_addr_type*/,
+	gss_buffer_desc */*gss_addr*/,
+	int16_t /*port*/,
+	krb5_address */*address*/);
+
+krb5_error_code
+_gsskrb5i_get_acceptor_subkey (
+	const gsskrb5_ctx /*ctx*/,
+	krb5_context /*context*/,
+	krb5_keyblock **/*key*/);
+
+krb5_error_code
+_gsskrb5i_get_initiator_subkey (
+	const gsskrb5_ctx /*ctx*/,
+	krb5_context /*context*/,
+	krb5_keyblock **/*key*/);
+
+OM_uint32
+_gsskrb5i_get_token_key (
+	const gsskrb5_ctx /*ctx*/,
+	krb5_context /*context*/,
+	krb5_keyblock **/*key*/);
+
+void
+_gsskrb5i_is_cfx (
+	gsskrb5_ctx /*ctx*/,
+	int */*is_cfx*/);
+
+#endif /* __gsskrb5_private_h__ */
diff --git a/crypto/heimdal/lib/gssapi/krb5/gsskrb5_locl.h b/crypto/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
new file mode 100644
index 0000000..6ffb607
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
@@ -0,0 +1,134 @@
+/*
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: gsskrb5_locl.h 20324 2007-04-12 16:46:01Z lha $ */
+
+#ifndef GSSKRB5_LOCL_H
+#define GSSKRB5_LOCL_H
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <krb5_locl.h>
+#include <gkrb5_err.h>
+#include <gssapi.h>
+#include <gssapi_mech.h>
+#include <assert.h>
+
+#include "cfx.h"
+
+/*
+ *
+ */
+
+struct gss_msg_order;
+
+typedef struct {
+  struct krb5_auth_context_data *auth_context;
+  krb5_principal source, target;
+#define IS_DCE_STYLE(ctx) (((ctx)->flags & GSS_C_DCE_STYLE) != 0)
+  OM_uint32 flags;
+  enum { LOCAL = 1, OPEN = 2, 
+	 COMPAT_OLD_DES3 = 4,
+         COMPAT_OLD_DES3_SELECTED = 8,
+	 ACCEPTOR_SUBKEY = 16
+  } more_flags;
+  enum gss_ctx_id_t_state {
+      /* initiator states */
+      INITIATOR_START,
+      INITIATOR_WAIT_FOR_MUTAL,
+      INITIATOR_READY,
+      /* acceptor states */
+      ACCEPTOR_START,
+      ACCEPTOR_WAIT_FOR_DCESTYLE,
+      ACCEPTOR_READY
+  } state;
+  struct krb5_ticket *ticket;
+  OM_uint32 lifetime;
+  HEIMDAL_MUTEX ctx_id_mutex;
+  struct gss_msg_order *order;
+  krb5_keyblock *service_keyblock;
+  krb5_data fwd_data;
+} *gsskrb5_ctx;
+
+typedef struct {
+  krb5_principal principal;
+  int cred_flags;
+#define GSS_CF_DESTROY_CRED_ON_RELEASE	1
+  struct krb5_keytab_data *keytab;
+  OM_uint32 lifetime;
+  gss_cred_usage_t usage;
+  gss_OID_set mechanisms;
+  struct krb5_ccache_data *ccache;
+  HEIMDAL_MUTEX cred_id_mutex;
+  krb5_enctype *enctypes;
+} *gsskrb5_cred;
+
+typedef struct Principal *gsskrb5_name;
+
+/*
+ *
+ */
+
+extern krb5_keytab _gsskrb5_keytab;
+extern HEIMDAL_MUTEX gssapi_keytab_mutex;
+
+struct gssapi_thr_context {
+    HEIMDAL_MUTEX mutex;
+    char *error_string;
+};
+
+/*
+ * Prototypes
+ */
+
+#include <krb5/gsskrb5-private.h>
+
+#define GSSAPI_KRB5_INIT(ctx) do {				\
+    krb5_error_code kret_gss_init;				\
+    if((kret_gss_init = _gsskrb5_init (ctx)) != 0) {		\
+	*minor_status = kret_gss_init;				\
+	return GSS_S_FAILURE;					\
+    }								\
+} while (0)
+
+/* sec_context flags */
+
+#define SC_LOCAL_ADDRESS  0x01
+#define SC_REMOTE_ADDRESS 0x02
+#define SC_KEYBLOCK	  0x04
+#define SC_LOCAL_SUBKEY	  0x08
+#define SC_REMOTE_SUBKEY  0x10
+
+#endif
diff --git a/crypto/heimdal/lib/gssapi/krb5/import_name.c b/crypto/heimdal/lib/gssapi/krb5/import_name.c
new file mode 100644
index 0000000..bf31db9
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/import_name.c
@@ -0,0 +1,225 @@
+/*
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: import_name.c 19031 2006-11-13 18:02:57Z lha $");
+
+static OM_uint32
+parse_krb5_name (OM_uint32 *minor_status,
+		 krb5_context context,
+		 const char *name,
+		 gss_name_t *output_name)
+{
+    krb5_principal princ;
+    krb5_error_code kerr;
+
+    kerr = krb5_parse_name (context, name, &princ);
+
+    if (kerr == 0) {
+	*output_name = (gss_name_t)princ;
+	return GSS_S_COMPLETE;
+    }
+    *minor_status = kerr;
+
+    if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED)
+	return GSS_S_BAD_NAME;
+
+    return GSS_S_FAILURE;
+}
+
+static OM_uint32
+import_krb5_name (OM_uint32 *minor_status,
+		  krb5_context context,
+		  const gss_buffer_t input_name_buffer,
+		  gss_name_t *output_name)
+{
+    OM_uint32 ret;
+    char *tmp;
+
+    tmp = malloc (input_name_buffer->length + 1);
+    if (tmp == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+    memcpy (tmp,
+	    input_name_buffer->value,
+	    input_name_buffer->length);
+    tmp[input_name_buffer->length] = '\0';
+
+    ret = parse_krb5_name(minor_status, context, tmp, output_name);
+    free(tmp);
+
+    return ret;
+}
+
+static OM_uint32
+import_hostbased_name (OM_uint32 *minor_status,
+		       krb5_context context,
+		       const gss_buffer_t input_name_buffer,
+		       gss_name_t *output_name)
+{
+    krb5_error_code kerr;
+    char *tmp;
+    char *p;
+    char *host;
+    char local_hostname[MAXHOSTNAMELEN];
+    krb5_principal princ = NULL;
+
+    tmp = malloc (input_name_buffer->length + 1);
+    if (tmp == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+    memcpy (tmp,
+	    input_name_buffer->value,
+	    input_name_buffer->length);
+    tmp[input_name_buffer->length] = '\0';
+
+    p = strchr (tmp, '@');
+    if (p != NULL) {
+	*p = '\0';
+	host = p + 1;
+    } else {
+	if (gethostname(local_hostname, sizeof(local_hostname)) < 0) {
+	    *minor_status = errno;
+	    free (tmp);
+	    return GSS_S_FAILURE;
+	}
+	host = local_hostname;
+    }
+
+    kerr = krb5_sname_to_principal (context,
+				    host,
+				    tmp,
+				    KRB5_NT_SRV_HST,
+				    &princ);
+    free (tmp);
+    *minor_status = kerr;
+    if (kerr == 0) {
+	*output_name = (gss_name_t)princ;
+	return GSS_S_COMPLETE;
+    }
+
+    if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED)
+	return GSS_S_BAD_NAME;
+
+    return GSS_S_FAILURE;
+}
+
+static OM_uint32
+import_export_name (OM_uint32 *minor_status,
+		    krb5_context context,
+		    const gss_buffer_t input_name_buffer,
+		    gss_name_t *output_name)
+{
+    unsigned char *p;
+    uint32_t length;
+    OM_uint32 ret;
+    char *name;
+
+    if (input_name_buffer->length < 10 + GSS_KRB5_MECHANISM->length)
+	return GSS_S_BAD_NAME;
+
+    /* TOK, MECH_OID_LEN, DER(MECH_OID), NAME_LEN, NAME */
+
+    p = input_name_buffer->value;
+
+    if (memcmp(&p[0], "\x04\x01\x00", 3) != 0 ||
+	p[3] != GSS_KRB5_MECHANISM->length + 2 ||
+	p[4] != 0x06 ||
+	p[5] != GSS_KRB5_MECHANISM->length ||
+	memcmp(&p[6], GSS_KRB5_MECHANISM->elements, 
+	       GSS_KRB5_MECHANISM->length) != 0)
+	return GSS_S_BAD_NAME;
+
+    p += 6 + GSS_KRB5_MECHANISM->length;
+
+    length = p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3];
+    p += 4;
+
+    if (length > input_name_buffer->length - 10 - GSS_KRB5_MECHANISM->length)
+	return GSS_S_BAD_NAME;
+
+    name = malloc(length + 1);
+    if (name == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+    memcpy(name, p, length);
+    name[length] = '\0';
+
+    ret = parse_krb5_name(minor_status, context, name, output_name);
+    free(name);
+
+    return ret;
+}
+
+OM_uint32 _gsskrb5_import_name
+           (OM_uint32 * minor_status,
+            const gss_buffer_t input_name_buffer,
+            const gss_OID input_name_type,
+            gss_name_t * output_name
+           )
+{
+    krb5_context context;
+
+    *minor_status = 0;
+    *output_name = GSS_C_NO_NAME;
+    
+    GSSAPI_KRB5_INIT (&context);
+
+    if (gss_oid_equal(input_name_type, GSS_C_NT_HOSTBASED_SERVICE) ||
+	gss_oid_equal(input_name_type, GSS_C_NT_HOSTBASED_SERVICE_X))
+	return import_hostbased_name (minor_status,
+				      context,
+				      input_name_buffer,
+				      output_name);
+    else if (gss_oid_equal(input_name_type, GSS_C_NO_OID)
+	     || gss_oid_equal(input_name_type, GSS_C_NT_USER_NAME)
+	     || gss_oid_equal(input_name_type, GSS_KRB5_NT_PRINCIPAL_NAME))
+ 	/* default printable syntax */
+	return import_krb5_name (minor_status,
+				 context,
+				 input_name_buffer,
+				 output_name);
+    else if (gss_oid_equal(input_name_type, GSS_C_NT_EXPORT_NAME)) {
+	return import_export_name(minor_status,
+				  context,
+				  input_name_buffer, 
+				  output_name);
+    } else {
+	*minor_status = 0;
+	return GSS_S_BAD_NAMETYPE;
+    }
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/import_sec_context.c b/crypto/heimdal/lib/gssapi/krb5/import_sec_context.c
new file mode 100644
index 0000000..3300036
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/import_sec_context.c
@@ -0,0 +1,229 @@
+/*
+ * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: import_sec_context.c 19031 2006-11-13 18:02:57Z lha $");
+
+OM_uint32
+_gsskrb5_import_sec_context (
+    OM_uint32 * minor_status,
+    const gss_buffer_t interprocess_token,
+    gss_ctx_id_t * context_handle
+    )
+{
+    OM_uint32 ret = GSS_S_FAILURE;
+    krb5_context context;
+    krb5_error_code kret;
+    krb5_storage *sp;
+    krb5_auth_context ac;
+    krb5_address local, remote;
+    krb5_address *localp, *remotep;
+    krb5_data data;
+    gss_buffer_desc buffer;
+    krb5_keyblock keyblock;
+    int32_t tmp;
+    int32_t flags;
+    gsskrb5_ctx ctx;
+    gss_name_t name;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    *context_handle = GSS_C_NO_CONTEXT;
+
+    localp = remotep = NULL;
+
+    sp = krb5_storage_from_mem (interprocess_token->value,
+				interprocess_token->length);
+    if (sp == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    ctx = calloc(1, sizeof(*ctx));
+    if (ctx == NULL) {
+	*minor_status = ENOMEM;
+	krb5_storage_free (sp);
+	return GSS_S_FAILURE;
+    }
+    HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex);
+
+    kret = krb5_auth_con_init (context,
+			       &ctx->auth_context);
+    if (kret) {
+	*minor_status = kret;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+
+    /* flags */
+
+    *minor_status = 0;
+
+    if (krb5_ret_int32 (sp, &flags) != 0)
+	goto failure;
+
+    /* retrieve the auth context */
+
+    ac = ctx->auth_context;
+    if (krb5_ret_uint32 (sp, &ac->flags) != 0)
+	goto failure;
+    if (flags & SC_LOCAL_ADDRESS) {
+	if (krb5_ret_address (sp, localp = &local) != 0)
+	    goto failure;
+    }
+
+    if (flags & SC_REMOTE_ADDRESS) {
+	if (krb5_ret_address (sp, remotep = &remote) != 0)
+	    goto failure;
+    }
+
+    krb5_auth_con_setaddrs (context, ac, localp, remotep);
+    if (localp)
+	krb5_free_address (context, localp);
+    if (remotep)
+	krb5_free_address (context, remotep);
+    localp = remotep = NULL;
+
+    if (krb5_ret_int16 (sp, &ac->local_port) != 0)
+	goto failure;
+
+    if (krb5_ret_int16 (sp, &ac->remote_port) != 0)
+	goto failure;
+    if (flags & SC_KEYBLOCK) {
+	if (krb5_ret_keyblock (sp, &keyblock) != 0)
+	    goto failure;
+	krb5_auth_con_setkey (context, ac, &keyblock);
+	krb5_free_keyblock_contents (context, &keyblock);
+    }
+    if (flags & SC_LOCAL_SUBKEY) {
+	if (krb5_ret_keyblock (sp, &keyblock) != 0)
+	    goto failure;
+	krb5_auth_con_setlocalsubkey (context, ac, &keyblock);
+	krb5_free_keyblock_contents (context, &keyblock);
+    }
+    if (flags & SC_REMOTE_SUBKEY) {
+	if (krb5_ret_keyblock (sp, &keyblock) != 0)
+	    goto failure;
+	krb5_auth_con_setremotesubkey (context, ac, &keyblock);
+	krb5_free_keyblock_contents (context, &keyblock);
+    }
+    if (krb5_ret_uint32 (sp, &ac->local_seqnumber))
+	goto failure;
+    if (krb5_ret_uint32 (sp, &ac->remote_seqnumber))
+	goto failure;
+
+    if (krb5_ret_int32 (sp, &tmp) != 0)
+	goto failure;
+    ac->keytype = tmp;
+    if (krb5_ret_int32 (sp, &tmp) != 0)
+	goto failure;
+    ac->cksumtype = tmp;
+
+    /* names */
+
+    if (krb5_ret_data (sp, &data))
+	goto failure;
+    buffer.value  = data.data;
+    buffer.length = data.length;
+
+    ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
+				&name);
+    if (ret) {
+	ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NO_OID,
+				    &name);
+	if (ret) {
+	    krb5_data_free (&data);
+	    goto failure;
+	}
+    }
+    ctx->source = (krb5_principal)name;
+    krb5_data_free (&data);
+
+    if (krb5_ret_data (sp, &data) != 0)
+	goto failure;
+    buffer.value  = data.data;
+    buffer.length = data.length;
+
+    ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
+				&name);
+    if (ret) {
+	ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NO_OID,
+				    &name);
+	if (ret) {
+	    krb5_data_free (&data);
+	    goto failure;
+	}
+    }    
+    ctx->target = (krb5_principal)name;
+    krb5_data_free (&data);
+
+    if (krb5_ret_int32 (sp, &tmp))
+	goto failure;
+    ctx->flags = tmp;
+    if (krb5_ret_int32 (sp, &tmp))
+	goto failure;
+    ctx->more_flags = tmp;
+    if (krb5_ret_int32 (sp, &tmp))
+	goto failure;
+    ctx->lifetime = tmp;
+
+    ret = _gssapi_msg_order_import(minor_status, sp, &ctx->order);
+    if (ret)
+        goto failure;    
+    
+    krb5_storage_free (sp);
+
+    *context_handle = (gss_ctx_id_t)ctx;
+
+    return GSS_S_COMPLETE;
+
+failure:
+    krb5_auth_con_free (context,
+			ctx->auth_context);
+    if (ctx->source != NULL)
+	krb5_free_principal(context, ctx->source);
+    if (ctx->target != NULL)
+	krb5_free_principal(context, ctx->target);
+    if (localp)
+	krb5_free_address (context, localp);
+    if (remotep)
+	krb5_free_address (context, remotep);
+    if(ctx->order)
+	_gssapi_msg_order_destroy(&ctx->order);
+    HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
+    krb5_storage_free (sp);
+    free (ctx);
+    *context_handle = GSS_C_NO_CONTEXT;
+    return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/indicate_mechs.c b/crypto/heimdal/lib/gssapi/krb5/indicate_mechs.c
new file mode 100644
index 0000000..eb886c2
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/indicate_mechs.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: indicate_mechs.c 20688 2007-05-17 18:44:31Z lha $");
+
+OM_uint32 _gsskrb5_indicate_mechs
+           (OM_uint32 * minor_status,
+            gss_OID_set * mech_set
+           )
+{
+  OM_uint32 ret, junk;
+
+  ret = gss_create_empty_oid_set(minor_status, mech_set);
+  if (ret)
+      return ret;
+
+  ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, mech_set);
+  if (ret) {
+      gss_release_oid_set(&junk, mech_set);
+      return ret;
+  }
+
+  *minor_status = 0;
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/init.c b/crypto/heimdal/lib/gssapi/krb5/init.c
new file mode 100644
index 0000000..3bbdcc8
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/init.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (c) 1997 - 2001, 2003, 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: init.c 19031 2006-11-13 18:02:57Z lha $");
+
+static HEIMDAL_MUTEX context_mutex = HEIMDAL_MUTEX_INITIALIZER;
+static int created_key;
+static HEIMDAL_thread_key context_key;
+
+static void
+destroy_context(void *ptr)
+{
+    krb5_context context = ptr;
+
+    if (context == NULL)
+	return;
+    krb5_free_context(context);
+}
+
+krb5_error_code
+_gsskrb5_init (krb5_context *context)
+{
+    krb5_error_code ret = 0;
+
+    HEIMDAL_MUTEX_lock(&context_mutex);
+
+    if (!created_key) {
+	HEIMDAL_key_create(&context_key, destroy_context, ret);
+	if (ret) {
+	    HEIMDAL_MUTEX_unlock(&context_mutex);
+	    return ret;
+	}
+	created_key = 1;
+    }
+    HEIMDAL_MUTEX_unlock(&context_mutex);
+
+    *context = HEIMDAL_getspecific(context_key);
+    if (*context == NULL) {
+
+	ret = krb5_init_context(context);
+	if (ret == 0) {
+	    HEIMDAL_setspecific(context_key, *context, ret);
+	    if (ret) {
+		krb5_free_context(*context);
+		*context = NULL;
+	    }
+	}
+    }
+
+    return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/init_sec_context.c b/crypto/heimdal/lib/gssapi/krb5/init_sec_context.c
new file mode 100644
index 0000000..05f7978
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/init_sec_context.c
@@ -0,0 +1,811 @@
+/*
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: init_sec_context.c 22071 2007-11-14 20:04:50Z lha $");
+
+/*
+ * copy the addresses from `input_chan_bindings' (if any) to
+ * the auth context `ac'
+ */
+
+static OM_uint32
+set_addresses (krb5_context context,
+	       krb5_auth_context ac,
+	       const gss_channel_bindings_t input_chan_bindings)	       
+{
+    /* Port numbers are expected to be in application_data.value, 
+     * initator's port first */ 
+
+    krb5_address initiator_addr, acceptor_addr;
+    krb5_error_code kret;
+       
+    if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS
+	|| input_chan_bindings->application_data.length !=
+	2 * sizeof(ac->local_port))
+	return 0;
+
+    memset(&initiator_addr, 0, sizeof(initiator_addr));
+    memset(&acceptor_addr, 0, sizeof(acceptor_addr));
+       
+    ac->local_port =
+	*(int16_t *) input_chan_bindings->application_data.value;
+       
+    ac->remote_port =
+	*((int16_t *) input_chan_bindings->application_data.value + 1);
+       
+    kret = _gsskrb5i_address_to_krb5addr(context,
+					 input_chan_bindings->acceptor_addrtype,
+					 &input_chan_bindings->acceptor_address,
+					 ac->remote_port,
+					 &acceptor_addr);
+    if (kret)
+	return kret;
+           
+    kret = _gsskrb5i_address_to_krb5addr(context,
+					 input_chan_bindings->initiator_addrtype,
+					 &input_chan_bindings->initiator_address,
+					 ac->local_port,
+					 &initiator_addr);
+    if (kret) {
+	krb5_free_address (context, &acceptor_addr);
+	return kret;
+    }
+       
+    kret = krb5_auth_con_setaddrs(context,
+				  ac,
+				  &initiator_addr,  /* local address */
+				  &acceptor_addr);  /* remote address */
+       
+    krb5_free_address (context, &initiator_addr);
+    krb5_free_address (context, &acceptor_addr);
+       
+#if 0
+    free(input_chan_bindings->application_data.value);
+    input_chan_bindings->application_data.value = NULL;
+    input_chan_bindings->application_data.length = 0;
+#endif
+
+    return kret;
+}
+
+OM_uint32
+_gsskrb5_create_ctx(
+        OM_uint32 * minor_status,
+	gss_ctx_id_t * context_handle,
+	krb5_context context,
+ 	const gss_channel_bindings_t input_chan_bindings,
+ 	enum gss_ctx_id_t_state state)
+{
+    krb5_error_code kret;
+    gsskrb5_ctx ctx;
+
+    *context_handle = NULL;
+
+    ctx = malloc(sizeof(*ctx));
+    if (ctx == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+    ctx->auth_context		= NULL;
+    ctx->source			= NULL;
+    ctx->target			= NULL;
+    ctx->state			= state;
+    ctx->flags			= 0;
+    ctx->more_flags		= 0;
+    ctx->service_keyblock	= NULL;
+    ctx->ticket			= NULL;
+    krb5_data_zero(&ctx->fwd_data);
+    ctx->lifetime		= GSS_C_INDEFINITE;
+    ctx->order			= NULL;
+    HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex);
+
+    kret = krb5_auth_con_init (context, &ctx->auth_context);
+    if (kret) {
+	*minor_status = kret;
+
+	HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
+		
+	return GSS_S_FAILURE;
+    }
+
+    kret = set_addresses(context, ctx->auth_context, input_chan_bindings);
+    if (kret) {
+	*minor_status = kret;
+
+	HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
+
+	krb5_auth_con_free(context, ctx->auth_context);
+
+	return GSS_S_BAD_BINDINGS;
+    }
+
+    /*
+     * We need a sequence number
+     */
+
+    krb5_auth_con_addflags(context,
+			   ctx->auth_context,
+			   KRB5_AUTH_CONTEXT_DO_SEQUENCE |
+			   KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED,
+			   NULL);
+
+    *context_handle = (gss_ctx_id_t)ctx;
+
+    return GSS_S_COMPLETE;
+}
+
+
+static OM_uint32
+gsskrb5_get_creds(
+        OM_uint32 * minor_status,
+	krb5_context context,
+	krb5_ccache ccache,
+	gsskrb5_ctx ctx,
+	krb5_const_principal target_name,
+	OM_uint32 time_req,
+	OM_uint32 * time_rec,
+	krb5_creds ** cred)
+{
+    OM_uint32 ret;
+    krb5_error_code kret;
+    krb5_creds this_cred;
+    OM_uint32 lifetime_rec;
+
+    *cred = NULL;
+
+    memset(&this_cred, 0, sizeof(this_cred));
+    this_cred.client = ctx->source;
+    this_cred.server = ctx->target;
+
+    if (time_req && time_req != GSS_C_INDEFINITE) {
+	krb5_timestamp ts;
+
+	krb5_timeofday (context, &ts);
+	this_cred.times.endtime = ts + time_req;
+    } else {
+	this_cred.times.endtime   = 0;
+    }
+
+    this_cred.session.keytype = KEYTYPE_NULL;
+
+    kret = krb5_get_credentials(context,
+				0,
+				ccache,
+				&this_cred,
+				cred);
+    if (kret) {
+	*minor_status = kret;
+	return GSS_S_FAILURE;
+    }
+
+    ctx->lifetime = (*cred)->times.endtime;
+
+    ret = _gsskrb5_lifetime_left(minor_status, context,
+				 ctx->lifetime, &lifetime_rec);
+    if (ret) return ret;
+
+    if (lifetime_rec == 0) {
+	*minor_status = 0;
+	return GSS_S_CONTEXT_EXPIRED;
+    }
+
+    if (time_rec) *time_rec = lifetime_rec;
+
+    return GSS_S_COMPLETE;
+}
+
+static OM_uint32
+gsskrb5_initiator_ready(
+	OM_uint32 * minor_status,
+	gsskrb5_ctx ctx,
+	krb5_context context)
+{
+	OM_uint32 ret;
+	int32_t seq_number;
+	int is_cfx = 0;
+	OM_uint32 flags = ctx->flags;
+
+	krb5_auth_getremoteseqnumber (context,
+				      ctx->auth_context,
+				      &seq_number);
+
+	_gsskrb5i_is_cfx(ctx, &is_cfx);
+
+	ret = _gssapi_msg_order_create(minor_status,
+				       &ctx->order,
+				       _gssapi_msg_order_f(flags),
+				       seq_number, 0, is_cfx);
+	if (ret) return ret;
+
+	ctx->state	= INITIATOR_READY;
+	ctx->more_flags	|= OPEN;
+
+	return GSS_S_COMPLETE;
+}
+
+/*
+ * handle delegated creds in init-sec-context
+ */
+
+static void
+do_delegation (krb5_context context,
+	       krb5_auth_context ac,
+	       krb5_ccache ccache,
+	       krb5_creds *cred,
+	       krb5_const_principal name,
+	       krb5_data *fwd_data,
+	       uint32_t *flags)
+{
+    krb5_creds creds;
+    KDCOptions fwd_flags;
+    krb5_error_code kret;
+       
+    memset (&creds, 0, sizeof(creds));
+    krb5_data_zero (fwd_data);
+       
+    kret = krb5_cc_get_principal(context, ccache, &creds.client);
+    if (kret) 
+	goto out;
+       
+    kret = krb5_build_principal(context,
+				&creds.server,
+				strlen(creds.client->realm),
+				creds.client->realm,
+				KRB5_TGS_NAME,
+				creds.client->realm,
+				NULL);
+    if (kret)
+	goto out; 
+       
+    creds.times.endtime = 0;
+       
+    memset(&fwd_flags, 0, sizeof(fwd_flags));
+    fwd_flags.forwarded = 1;
+    fwd_flags.forwardable = 1;
+       
+    if ( /*target_name->name.name_type != KRB5_NT_SRV_HST ||*/
+	name->name.name_string.len < 2) 
+	goto out;
+       
+    kret = krb5_get_forwarded_creds(context,
+				    ac,
+				    ccache,
+				    KDCOptions2int(fwd_flags),
+				    name->name.name_string.val[1],
+				    &creds,
+				    fwd_data);
+       
+ out:
+    if (kret)
+	*flags &= ~GSS_C_DELEG_FLAG;
+    else
+	*flags |= GSS_C_DELEG_FLAG;
+       
+    if (creds.client)
+	krb5_free_principal(context, creds.client);
+    if (creds.server)
+	krb5_free_principal(context, creds.server);
+}
+
+/*
+ * first stage of init-sec-context
+ */
+
+static OM_uint32
+init_auth
+(OM_uint32 * minor_status,
+ gsskrb5_cred initiator_cred_handle,
+ gsskrb5_ctx ctx,
+ krb5_context context,
+ krb5_const_principal name,
+ const gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ const gss_channel_bindings_t input_chan_bindings,
+ const gss_buffer_t input_token,
+ gss_OID * actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 * ret_flags,
+ OM_uint32 * time_rec
+    )
+{
+    OM_uint32 ret = GSS_S_FAILURE;
+    krb5_error_code kret;
+    krb5_flags ap_options;
+    krb5_creds *cred = NULL;
+    krb5_data outbuf;
+    krb5_ccache ccache = NULL;
+    uint32_t flags;
+    krb5_data authenticator;
+    Checksum cksum;
+    krb5_enctype enctype;
+    krb5_data fwd_data;
+    OM_uint32 lifetime_rec;
+
+    krb5_data_zero(&outbuf);
+    krb5_data_zero(&fwd_data);
+
+    *minor_status = 0;
+
+    if (actual_mech_type)
+	*actual_mech_type = GSS_KRB5_MECHANISM;
+
+    if (initiator_cred_handle == NULL) {
+	kret = krb5_cc_default (context, &ccache);
+	if (kret) {
+	    *minor_status = kret;
+	    ret = GSS_S_FAILURE;
+	    goto failure;
+	}
+    } else
+	ccache = initiator_cred_handle->ccache;
+
+    kret = krb5_cc_get_principal (context, ccache, &ctx->source);
+    if (kret) {
+	*minor_status = kret;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+
+    kret = krb5_copy_principal (context, name, &ctx->target);
+    if (kret) {
+	*minor_status = kret;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+
+    ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
+    if (ret)
+	goto failure;
+
+
+    /*
+     * This is hideous glue for (NFS) clients that wants to limit the
+     * available enctypes to what it can support (encryption in
+     * kernel). If there is no enctypes selected for this credential,
+     * reset it to the default set of enctypes.
+     */
+    {
+	krb5_enctype *enctypes = NULL;
+
+	if (initiator_cred_handle && initiator_cred_handle->enctypes)
+	    enctypes = initiator_cred_handle->enctypes;
+	krb5_set_default_in_tkt_etypes(context, enctypes);
+    }
+
+    ret = gsskrb5_get_creds(minor_status,
+			    context,
+			    ccache,
+			    ctx,
+			    ctx->target,
+			    time_req,
+			    time_rec,
+			    &cred);
+    if (ret)
+	goto failure;
+
+    ctx->lifetime = cred->times.endtime;
+
+    ret = _gsskrb5_lifetime_left(minor_status,
+				 context,
+				 ctx->lifetime,
+				 &lifetime_rec);
+    if (ret) {
+	goto failure;
+    }
+
+    if (lifetime_rec == 0) {
+	*minor_status = 0;
+	ret = GSS_S_CONTEXT_EXPIRED;
+	goto failure;
+    }
+
+    krb5_auth_con_setkey(context, 
+			 ctx->auth_context, 
+			 &cred->session);
+
+    kret = krb5_auth_con_generatelocalsubkey(context, 
+					     ctx->auth_context,
+					     &cred->session);
+    if(kret) {
+	*minor_status = kret;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+    
+    /* 
+     * If the credential doesn't have ok-as-delegate, check what local
+     * policy say about ok-as-delegate, default is FALSE that makes
+     * code ignore the KDC setting and follow what the application
+     * requested. If it is TRUE, strip of the GSS_C_DELEG_FLAG if the
+     * KDC doesn't set ok-as-delegate.
+     */
+    if (!cred->flags.b.ok_as_delegate) {
+	krb5_boolean delegate;
+    
+	krb5_appdefault_boolean(context,
+				"gssapi", name->realm,
+				"ok-as-delegate", FALSE, &delegate);
+	if (delegate)
+	    req_flags &= ~GSS_C_DELEG_FLAG;
+    }
+
+    flags = 0;
+    ap_options = 0;
+    if (req_flags & GSS_C_DELEG_FLAG)
+	do_delegation (context,
+		       ctx->auth_context,
+		       ccache, cred, name, &fwd_data, &flags);
+    
+    if (req_flags & GSS_C_MUTUAL_FLAG) {
+	flags |= GSS_C_MUTUAL_FLAG;
+	ap_options |= AP_OPTS_MUTUAL_REQUIRED;
+    }
+    
+    if (req_flags & GSS_C_REPLAY_FLAG)
+	flags |= GSS_C_REPLAY_FLAG;
+    if (req_flags & GSS_C_SEQUENCE_FLAG)
+	flags |= GSS_C_SEQUENCE_FLAG;
+    if (req_flags & GSS_C_ANON_FLAG)
+	;                               /* XXX */
+    if (req_flags & GSS_C_DCE_STYLE) {
+	/* GSS_C_DCE_STYLE implies GSS_C_MUTUAL_FLAG */
+	flags |= GSS_C_DCE_STYLE | GSS_C_MUTUAL_FLAG;
+	ap_options |= AP_OPTS_MUTUAL_REQUIRED;
+    }
+    if (req_flags & GSS_C_IDENTIFY_FLAG)
+	flags |= GSS_C_IDENTIFY_FLAG;
+    if (req_flags & GSS_C_EXTENDED_ERROR_FLAG)
+	flags |= GSS_C_EXTENDED_ERROR_FLAG;
+
+    flags |= GSS_C_CONF_FLAG;
+    flags |= GSS_C_INTEG_FLAG;
+    flags |= GSS_C_TRANS_FLAG;
+    
+    if (ret_flags)
+	*ret_flags = flags;
+    ctx->flags = flags;
+    ctx->more_flags |= LOCAL;
+    
+    ret = _gsskrb5_create_8003_checksum (minor_status,
+					 input_chan_bindings,
+					 flags,
+					 &fwd_data,
+					 &cksum);
+    krb5_data_free (&fwd_data);
+    if (ret)
+	goto failure;
+
+    enctype = ctx->auth_context->keyblock->keytype;
+
+    kret = krb5_build_authenticator (context,
+				     ctx->auth_context,
+				     enctype,
+				     cred,
+				     &cksum,
+				     NULL,
+				     &authenticator,
+				     KRB5_KU_AP_REQ_AUTH);
+
+    if (kret) {
+	*minor_status = kret;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+
+    kret = krb5_build_ap_req (context,
+			      enctype,
+			      cred,
+			      ap_options,
+			      authenticator,
+			      &outbuf);
+
+    if (kret) {
+	*minor_status = kret;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+
+    ret = _gsskrb5_encapsulate (minor_status, &outbuf, output_token,
+				   (u_char *)"\x01\x00", GSS_KRB5_MECHANISM);
+    if (ret)
+	goto failure;
+
+    krb5_data_free (&outbuf);
+    krb5_free_creds(context, cred);
+    free_Checksum(&cksum);
+    if (initiator_cred_handle == NULL)
+	krb5_cc_close(context, ccache);
+
+    if (flags & GSS_C_MUTUAL_FLAG) {
+	ctx->state = INITIATOR_WAIT_FOR_MUTAL;
+	return GSS_S_CONTINUE_NEEDED;
+    }
+
+    return gsskrb5_initiator_ready(minor_status, ctx, context);
+failure:
+    if(cred)
+	krb5_free_creds(context, cred);
+    if (ccache && initiator_cred_handle == NULL)
+	krb5_cc_close(context, ccache);
+
+    return ret;
+
+}
+
+static OM_uint32
+repl_mutual
+(OM_uint32 * minor_status,
+ gsskrb5_ctx ctx,
+ krb5_context context,
+ const gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ const gss_channel_bindings_t input_chan_bindings,
+ const gss_buffer_t input_token,
+ gss_OID * actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 * ret_flags,
+ OM_uint32 * time_rec
+    )
+{
+    OM_uint32 ret;
+    krb5_error_code kret;
+    krb5_data indata;
+    krb5_ap_rep_enc_part *repl;
+    int is_cfx = 0;
+
+    output_token->length = 0;
+    output_token->value = NULL;
+
+    if (actual_mech_type)
+	*actual_mech_type = GSS_KRB5_MECHANISM;
+
+    if (ctx->flags & GSS_C_DCE_STYLE) {
+	/* There is no OID wrapping. */
+	indata.length	= input_token->length;
+	indata.data	= input_token->value;
+    } else {
+	ret = _gsskrb5_decapsulate (minor_status,
+				    input_token,
+				    &indata,
+				    "\x02\x00",
+				    GSS_KRB5_MECHANISM);
+	if (ret) {
+	    /* XXX - Handle AP_ERROR */
+	    return ret;
+	}
+    }
+
+    kret = krb5_rd_rep (context,
+			ctx->auth_context,
+			&indata,
+			&repl);
+    if (kret) {
+	*minor_status = kret;
+	return GSS_S_FAILURE;
+    }
+    krb5_free_ap_rep_enc_part (context,
+			       repl);
+    
+    _gsskrb5i_is_cfx(ctx, &is_cfx);
+    if (is_cfx) {
+	krb5_keyblock *key = NULL;
+
+	kret = krb5_auth_con_getremotesubkey(context,
+					     ctx->auth_context, 
+					     &key);
+	if (kret == 0 && key != NULL) {
+    	    ctx->more_flags |= ACCEPTOR_SUBKEY;
+	    krb5_free_keyblock (context, key);
+	}
+    }
+
+
+    *minor_status = 0;
+    if (time_rec) {
+	ret = _gsskrb5_lifetime_left(minor_status,
+				     context,
+				     ctx->lifetime,
+				     time_rec);
+    } else {
+	ret = GSS_S_COMPLETE;
+    }
+    if (ret_flags)
+	*ret_flags = ctx->flags;
+
+    if (req_flags & GSS_C_DCE_STYLE) {
+	int32_t con_flags;
+	krb5_data outbuf;
+
+	/* Do don't do sequence number for the mk-rep */
+	krb5_auth_con_removeflags(context,
+				  ctx->auth_context,
+				  KRB5_AUTH_CONTEXT_DO_SEQUENCE,
+				  &con_flags);
+
+	kret = krb5_mk_rep(context,
+			   ctx->auth_context,
+			   &outbuf);
+	if (kret) {
+	    *minor_status = kret;
+	    return GSS_S_FAILURE;
+	}
+	
+	output_token->length = outbuf.length;
+	output_token->value  = outbuf.data;
+
+	krb5_auth_con_removeflags(context,
+				  ctx->auth_context,
+				  KRB5_AUTH_CONTEXT_DO_SEQUENCE,
+				  NULL);
+    }
+
+    return gsskrb5_initiator_ready(minor_status, ctx, context);
+}
+
+/*
+ * gss_init_sec_context
+ */
+
+OM_uint32 _gsskrb5_init_sec_context
+(OM_uint32 * minor_status,
+ const gss_cred_id_t initiator_cred_handle,
+ gss_ctx_id_t * context_handle,
+ const gss_name_t target_name,
+ const gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ const gss_channel_bindings_t input_chan_bindings,
+ const gss_buffer_t input_token,
+ gss_OID * actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 * ret_flags,
+ OM_uint32 * time_rec
+    )
+{
+    krb5_context context;
+    gsskrb5_cred cred = (gsskrb5_cred)initiator_cred_handle;
+    krb5_const_principal name = (krb5_const_principal)target_name;
+    gsskrb5_ctx ctx;
+    OM_uint32 ret;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    output_token->length = 0;
+    output_token->value  = NULL;
+
+    if (context_handle == NULL) {
+	*minor_status = 0;
+	return GSS_S_FAILURE | GSS_S_CALL_BAD_STRUCTURE;
+    }
+
+    if (ret_flags)
+	*ret_flags = 0;
+    if (time_rec)
+	*time_rec = 0;
+
+    if (target_name == GSS_C_NO_NAME) {
+	if (actual_mech_type)
+	    *actual_mech_type = GSS_C_NO_OID;
+	*minor_status = 0;
+	return GSS_S_BAD_NAME;
+    }
+
+    if (mech_type != GSS_C_NO_OID && 
+	!gss_oid_equal(mech_type, GSS_KRB5_MECHANISM))
+	return GSS_S_BAD_MECH;
+
+    if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) {
+	OM_uint32 ret;
+
+	if (*context_handle != GSS_C_NO_CONTEXT) {
+	    *minor_status = 0;
+	    return GSS_S_FAILURE | GSS_S_CALL_BAD_STRUCTURE;
+	}
+    
+	ret = _gsskrb5_create_ctx(minor_status,
+				  context_handle,
+				  context,
+				  input_chan_bindings,
+				  INITIATOR_START);
+	if (ret)
+	    return ret;
+    }
+
+    if (*context_handle == GSS_C_NO_CONTEXT) {
+	*minor_status = 0;
+	return GSS_S_FAILURE | GSS_S_CALL_BAD_STRUCTURE;
+    }
+
+    ctx = (gsskrb5_ctx) *context_handle;
+
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+
+    switch (ctx->state) {
+    case INITIATOR_START:
+	ret = init_auth(minor_status,
+			cred,
+			ctx,
+			context,
+			name,
+			mech_type,
+			req_flags,
+			time_req,
+			input_chan_bindings,
+			input_token,
+			actual_mech_type,
+			output_token,
+			ret_flags,
+			time_rec);
+	break;
+    case INITIATOR_WAIT_FOR_MUTAL:
+	ret = repl_mutual(minor_status,
+			  ctx,
+			  context,
+			  mech_type,
+			  req_flags,
+			  time_req,
+			  input_chan_bindings,
+			  input_token,
+			  actual_mech_type,
+			  output_token,
+			  ret_flags,
+			  time_rec);
+	break;
+    case INITIATOR_READY:
+	/* 
+	 * If we get there, the caller have called
+	 * gss_init_sec_context() one time too many.
+	 */
+	*minor_status = 0;
+	ret = GSS_S_BAD_STATUS;
+	break;
+    default:
+	*minor_status = 0;
+	ret = GSS_S_BAD_STATUS;
+	break;
+    }
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+
+    /* destroy context in case of error */
+    if (GSS_ERROR(ret)) {
+	OM_uint32 min2;
+	_gsskrb5_delete_sec_context(&min2, context_handle, GSS_C_NO_BUFFER);
+    }
+
+    return ret;
+
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/inquire_context.c b/crypto/heimdal/lib/gssapi/krb5/inquire_context.c
new file mode 100644
index 0000000..4143056
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/inquire_context.c
@@ -0,0 +1,112 @@
+/*
+ * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: inquire_context.c 19031 2006-11-13 18:02:57Z lha $");
+
+OM_uint32 _gsskrb5_inquire_context (
+    OM_uint32 * minor_status,
+	const gss_ctx_id_t context_handle,
+	gss_name_t * src_name,
+	gss_name_t * targ_name,
+	OM_uint32 * lifetime_rec,
+	gss_OID * mech_type,
+	OM_uint32 * ctx_flags,
+	int * locally_initiated,
+	int * open_context
+    )
+{
+    krb5_context context;
+    OM_uint32 ret;
+    gsskrb5_ctx ctx = (gsskrb5_ctx)context_handle;
+    gss_name_t name;
+
+    if (src_name)
+	*src_name = GSS_C_NO_NAME;
+    if (targ_name)
+	*targ_name = GSS_C_NO_NAME;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+
+    if (src_name) {
+	name = (gss_name_t)ctx->source;
+	ret = _gsskrb5_duplicate_name (minor_status, name, src_name);
+	if (ret)
+	    goto failed;
+    }
+
+    if (targ_name) {
+	name = (gss_name_t)ctx->target;
+	ret = _gsskrb5_duplicate_name (minor_status, name, targ_name);
+	if (ret)
+	    goto failed;
+    }
+
+    if (lifetime_rec) {
+	ret = _gsskrb5_lifetime_left(minor_status, 
+				     context,
+				     ctx->lifetime,
+				     lifetime_rec);
+	if (ret)
+	    goto failed;
+    }
+
+    if (mech_type)
+	*mech_type = GSS_KRB5_MECHANISM;
+
+    if (ctx_flags)
+	*ctx_flags = ctx->flags;
+
+    if (locally_initiated)
+	*locally_initiated = ctx->more_flags & LOCAL;
+
+    if (open_context)
+	*open_context = ctx->more_flags & OPEN;
+
+    *minor_status = 0;
+
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+    return GSS_S_COMPLETE;
+
+failed:
+    if (src_name)
+	_gsskrb5_release_name(NULL, src_name);
+    if (targ_name)
+	_gsskrb5_release_name(NULL, targ_name);
+
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/inquire_cred.c b/crypto/heimdal/lib/gssapi/krb5/inquire_cred.c
new file mode 100644
index 0000000..47bf71e
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/inquire_cred.c
@@ -0,0 +1,182 @@
+/*
+ * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: inquire_cred.c 20688 2007-05-17 18:44:31Z lha $");
+
+OM_uint32 _gsskrb5_inquire_cred
+(OM_uint32 * minor_status,
+ const gss_cred_id_t cred_handle,
+ gss_name_t * output_name,
+ OM_uint32 * lifetime,
+ gss_cred_usage_t * cred_usage,
+ gss_OID_set * mechanisms
+    )
+{
+    krb5_context context;
+    gss_cred_id_t aqcred_init = GSS_C_NO_CREDENTIAL;
+    gss_cred_id_t aqcred_accept = GSS_C_NO_CREDENTIAL;
+    gsskrb5_cred acred = NULL, icred = NULL;
+    OM_uint32 ret;
+
+    *minor_status = 0;
+
+    if (output_name)
+	*output_name = NULL;
+    if (mechanisms)
+	*mechanisms = GSS_C_NO_OID_SET;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    if (cred_handle == GSS_C_NO_CREDENTIAL) {
+	ret = _gsskrb5_acquire_cred(minor_status, 
+				    GSS_C_NO_NAME,
+				    GSS_C_INDEFINITE,
+				    GSS_C_NO_OID_SET,
+				    GSS_C_ACCEPT,
+				    &aqcred_accept,
+				    NULL,
+				    NULL);
+	if (ret == GSS_S_COMPLETE)
+	    acred = (gsskrb5_cred)aqcred_accept;
+
+	ret = _gsskrb5_acquire_cred(minor_status, 
+				    GSS_C_NO_NAME,
+				    GSS_C_INDEFINITE,
+				    GSS_C_NO_OID_SET,
+				    GSS_C_INITIATE,
+				    &aqcred_init,
+				    NULL,
+				    NULL);
+	if (ret == GSS_S_COMPLETE)
+	    icred = (gsskrb5_cred)aqcred_init;
+
+	if (icred == NULL && acred == NULL) {
+	    *minor_status = 0;
+	    return GSS_S_NO_CRED;
+	}
+    } else
+	acred = (gsskrb5_cred)cred_handle;
+
+    if (acred)
+	HEIMDAL_MUTEX_lock(&acred->cred_id_mutex);
+    if (icred)
+	HEIMDAL_MUTEX_lock(&icred->cred_id_mutex);
+
+    if (output_name != NULL) {
+	if (icred && icred->principal != NULL) {
+	    gss_name_t name;
+	    
+	    if (acred && acred->principal)
+		name = (gss_name_t)acred->principal;
+	    else
+		name = (gss_name_t)icred->principal;
+		
+            ret = _gsskrb5_duplicate_name(minor_status, name, output_name);
+            if (ret)
+		goto out;
+	} else if (acred && acred->usage == GSS_C_ACCEPT) {
+	    krb5_principal princ;
+	    *minor_status = krb5_sname_to_principal(context, NULL,
+						    NULL, KRB5_NT_SRV_HST, 
+						    &princ);
+	    if (*minor_status) {
+		ret = GSS_S_FAILURE;
+		goto out;
+	    }
+	    *output_name = (gss_name_t)princ;
+	} else {
+	    krb5_principal princ;
+	    *minor_status = krb5_get_default_principal(context,
+						       &princ);
+	    if (*minor_status) {
+		ret = GSS_S_FAILURE;
+		goto out;
+	    }
+	    *output_name = (gss_name_t)princ;
+	}
+    }
+    if (lifetime != NULL) {
+	OM_uint32 alife = GSS_C_INDEFINITE, ilife = GSS_C_INDEFINITE;
+
+	if (acred) alife = acred->lifetime;
+	if (icred) ilife = icred->lifetime;
+
+	ret = _gsskrb5_lifetime_left(minor_status, 
+				     context,
+				     min(alife,ilife),
+				     lifetime);
+	if (ret)
+	    goto out;
+    }
+    if (cred_usage != NULL) {
+	if (acred && icred)
+	    *cred_usage = GSS_C_BOTH;
+	else if (acred)
+	    *cred_usage = GSS_C_ACCEPT;
+	else if (icred)
+	    *cred_usage = GSS_C_INITIATE;
+	else
+	    abort();
+    }
+
+    if (mechanisms != NULL) {
+        ret = gss_create_empty_oid_set(minor_status, mechanisms);
+        if (ret)
+	    goto out;
+	if (acred)
+	    ret = gss_add_oid_set_member(minor_status,
+					 &acred->mechanisms->elements[0],
+					 mechanisms);
+	if (ret == GSS_S_COMPLETE && icred)
+	    ret = gss_add_oid_set_member(minor_status,
+					 &icred->mechanisms->elements[0],
+					 mechanisms);
+        if (ret)
+	    goto out;
+    }
+    ret = GSS_S_COMPLETE;
+out:
+    if (acred)
+	HEIMDAL_MUTEX_unlock(&acred->cred_id_mutex);
+    if (icred)
+	HEIMDAL_MUTEX_unlock(&icred->cred_id_mutex);
+
+    if (aqcred_init != GSS_C_NO_CREDENTIAL)
+	ret = _gsskrb5_release_cred(minor_status, &aqcred_init);
+    if (aqcred_accept != GSS_C_NO_CREDENTIAL)
+	ret = _gsskrb5_release_cred(minor_status, &aqcred_accept);
+
+    return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c b/crypto/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c
new file mode 100644
index 0000000..a8af214
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 2003, 2006, 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: inquire_cred_by_mech.c 20634 2007-05-09 15:33:01Z lha $");
+
+OM_uint32 _gsskrb5_inquire_cred_by_mech (
+    OM_uint32 * minor_status,
+	const gss_cred_id_t cred_handle,
+	const gss_OID mech_type,
+	gss_name_t * name,
+	OM_uint32 * initiator_lifetime,
+	OM_uint32 * acceptor_lifetime,
+	gss_cred_usage_t * cred_usage
+    )
+{
+    gss_cred_usage_t usage;
+    OM_uint32 maj_stat;
+    OM_uint32 lifetime;
+
+    maj_stat = 
+	_gsskrb5_inquire_cred (minor_status, cred_handle,
+			       name, &lifetime, &usage, NULL);
+    if (maj_stat)
+	return maj_stat;
+
+    if (initiator_lifetime) {
+	if (usage == GSS_C_INITIATE || usage == GSS_C_BOTH)
+	    *initiator_lifetime = lifetime;
+	else
+	    *initiator_lifetime = 0;
+    }
+   
+    if (acceptor_lifetime) {
+	if (usage == GSS_C_ACCEPT || usage == GSS_C_BOTH)
+	    *acceptor_lifetime = lifetime;
+	else
+	    *acceptor_lifetime = 0;
+    }
+
+    if (cred_usage)
+	*cred_usage = usage;
+
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c b/crypto/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c
new file mode 100644
index 0000000..da50b11
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (c) 2004, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: inquire_cred_by_oid.c 19031 2006-11-13 18:02:57Z lha $");
+
+OM_uint32 _gsskrb5_inquire_cred_by_oid
+	   (OM_uint32 * minor_status,
+	    const gss_cred_id_t cred_handle,
+	    const gss_OID desired_object,
+	    gss_buffer_set_t *data_set)
+{
+    krb5_context context;
+    gsskrb5_cred cred = (gsskrb5_cred)cred_handle;
+    krb5_error_code ret;
+    gss_buffer_desc buffer;
+    char *str;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    if (gss_oid_equal(desired_object, GSS_KRB5_COPY_CCACHE_X) == 0) {
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
+
+    if (cred->ccache == NULL) {
+	HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    ret = krb5_cc_get_full_name(context, cred->ccache, &str);
+    HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    buffer.value = str;
+    buffer.length = strlen(str);
+
+    ret = gss_add_buffer_set_member(minor_status, &buffer, data_set);
+    if (ret != GSS_S_COMPLETE)
+	_gsskrb5_clear_status ();
+
+    free(str);
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
+
diff --git a/crypto/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c b/crypto/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c
new file mode 100644
index 0000000..0ce051f
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: inquire_mechs_for_name.c 20688 2007-05-17 18:44:31Z lha $");
+
+OM_uint32 _gsskrb5_inquire_mechs_for_name (
+            OM_uint32 * minor_status,
+            const gss_name_t input_name,
+            gss_OID_set * mech_types
+           )
+{
+    OM_uint32 ret;
+
+    ret = gss_create_empty_oid_set(minor_status, mech_types);
+    if (ret)
+	return ret;
+
+    ret = gss_add_oid_set_member(minor_status,
+				 GSS_KRB5_MECHANISM,
+				 mech_types);
+    if (ret)
+	gss_release_oid_set(NULL, mech_types);
+
+    return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c b/crypto/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c
new file mode 100644
index 0000000..64abd3c
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: inquire_names_for_mech.c 20688 2007-05-17 18:44:31Z lha $");
+
+
+static gss_OID *name_list[] = {
+    &GSS_C_NT_HOSTBASED_SERVICE,
+    &GSS_C_NT_USER_NAME,
+    &GSS_KRB5_NT_PRINCIPAL_NAME,
+    &GSS_C_NT_EXPORT_NAME,
+    NULL
+};
+
+OM_uint32 _gsskrb5_inquire_names_for_mech (
+            OM_uint32 * minor_status,
+            const gss_OID mechanism,
+            gss_OID_set * name_types
+           )
+{
+    OM_uint32 ret;
+    int i;
+
+    *minor_status = 0;
+
+    if (gss_oid_equal(mechanism, GSS_KRB5_MECHANISM) == 0 &&
+	gss_oid_equal(mechanism, GSS_C_NULL_OID) == 0) {
+	*name_types = GSS_C_NO_OID_SET;
+	return GSS_S_BAD_MECH;
+    }
+
+    ret = gss_create_empty_oid_set(minor_status, name_types);
+    if (ret != GSS_S_COMPLETE)
+	return ret;
+    
+    for (i = 0; name_list[i] != NULL; i++) {
+	ret = gss_add_oid_set_member(minor_status, 
+				     *(name_list[i]),
+				     name_types);
+	if (ret != GSS_S_COMPLETE)
+	    break;
+    }
+
+    if (ret != GSS_S_COMPLETE)
+	gss_release_oid_set(NULL, name_types);
+	
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c b/crypto/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
new file mode 100644
index 0000000..5ca7536
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
@@ -0,0 +1,557 @@
+/*
+ * Copyright (c) 2004, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: inquire_sec_context_by_oid.c 19031 2006-11-13 18:02:57Z lha $");
+
+static int
+oid_prefix_equal(gss_OID oid_enc, gss_OID prefix_enc, unsigned *suffix)
+{
+    int ret;
+    heim_oid oid;
+    heim_oid prefix;
+ 
+    *suffix = 0;
+
+    ret = der_get_oid(oid_enc->elements, oid_enc->length,
+		      &oid, NULL);
+    if (ret) {
+	return 0;
+    }
+
+    ret = der_get_oid(prefix_enc->elements, prefix_enc->length,
+		      &prefix, NULL);
+    if (ret) {
+	der_free_oid(&oid);
+	return 0;
+    }
+
+    ret = 0;
+
+    if (oid.length - 1 == prefix.length) {
+	*suffix = oid.components[oid.length - 1];
+	oid.length--;
+	ret = (der_heim_oid_cmp(&oid, &prefix) == 0);
+	oid.length++;
+    }
+
+    der_free_oid(&oid);
+    der_free_oid(&prefix);
+
+    return ret;
+}
+
+static OM_uint32 inquire_sec_context_tkt_flags
+           (OM_uint32 *minor_status,
+            const gsskrb5_ctx context_handle,
+            gss_buffer_set_t *data_set)
+{
+    OM_uint32 tkt_flags;
+    unsigned char buf[4];
+    gss_buffer_desc value;
+
+    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+
+    if (context_handle->ticket == NULL) {
+	HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+	_gsskrb5_set_status("No ticket from which to obtain flags");
+	*minor_status = EINVAL;
+	return GSS_S_BAD_MECH;
+    }
+
+    tkt_flags = TicketFlags2int(context_handle->ticket->ticket.flags);
+    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+
+    _gsskrb5_encode_om_uint32(tkt_flags, buf);
+    value.length = sizeof(buf);
+    value.value = buf;
+
+    return gss_add_buffer_set_member(minor_status,
+				     &value,
+				     data_set);
+}
+
+enum keytype { ACCEPTOR_KEY, INITIATOR_KEY, TOKEN_KEY };
+
+static OM_uint32 inquire_sec_context_get_subkey
+           (OM_uint32 *minor_status,
+            const gsskrb5_ctx context_handle,
+	    krb5_context context,
+	    enum keytype keytype,
+            gss_buffer_set_t *data_set)
+{
+    krb5_keyblock *key = NULL;
+    krb5_storage *sp = NULL;
+    krb5_data data;
+    OM_uint32 maj_stat = GSS_S_COMPLETE;
+    krb5_error_code ret;
+
+    krb5_data_zero(&data);
+
+    sp = krb5_storage_emem();
+    if (sp == NULL) {
+	_gsskrb5_clear_status();
+	ret = ENOMEM;
+	goto out;
+    }
+
+    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+    switch(keytype) {
+    case ACCEPTOR_KEY:
+	ret = _gsskrb5i_get_acceptor_subkey(context_handle, context, &key);
+	break;
+    case INITIATOR_KEY:
+	ret = _gsskrb5i_get_initiator_subkey(context_handle, context, &key);
+	break;
+    case TOKEN_KEY:
+	ret = _gsskrb5i_get_token_key(context_handle, context, &key);
+	break;
+    default:
+	_gsskrb5_set_status("%d is not a valid subkey type", keytype);
+	ret = EINVAL;
+	break;
+   }
+    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+    if (ret) 
+	goto out;
+    if (key == NULL) {
+	_gsskrb5_set_status("have no subkey of type %d", keytype);
+	ret = EINVAL;
+	goto out;
+    }
+
+    ret = krb5_store_keyblock(sp, *key);
+    krb5_free_keyblock (context, key);
+    if (ret)
+	goto out;
+
+    ret = krb5_storage_to_data(sp, &data);
+    if (ret)
+	goto out;
+
+    {
+	gss_buffer_desc value;
+	
+	value.length = data.length;
+	value.value = data.data;
+	
+	maj_stat = gss_add_buffer_set_member(minor_status,
+					     &value,
+					     data_set);
+    }
+
+out:
+    krb5_data_free(&data);
+    if (sp)
+	krb5_storage_free(sp);
+    if (ret) {
+	*minor_status = ret;
+	maj_stat = GSS_S_FAILURE;
+    }
+    return maj_stat;
+}
+
+static OM_uint32 inquire_sec_context_authz_data
+           (OM_uint32 *minor_status,
+            const gsskrb5_ctx context_handle,
+	    krb5_context context,
+            unsigned ad_type,
+            gss_buffer_set_t *data_set)
+{
+    krb5_data data;
+    gss_buffer_desc ad_data;
+    OM_uint32 ret;
+
+    *minor_status = 0;
+    *data_set = GSS_C_NO_BUFFER_SET;
+
+    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+    if (context_handle->ticket == NULL) {
+	HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+	*minor_status = EINVAL;
+	_gsskrb5_set_status("No ticket to obtain authz data from");
+	return GSS_S_NO_CONTEXT;
+    }
+
+    ret = krb5_ticket_get_authorization_data_type(context,
+						  context_handle->ticket,
+						  ad_type,
+						  &data);
+    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    ad_data.value = data.data;
+    ad_data.length = data.length;
+
+    ret = gss_add_buffer_set_member(minor_status,
+				    &ad_data,
+				    data_set);
+
+    krb5_data_free(&data);
+
+    return ret;
+}
+
+static OM_uint32 inquire_sec_context_has_updated_spnego
+           (OM_uint32 *minor_status,
+            const gsskrb5_ctx context_handle,
+            gss_buffer_set_t *data_set)
+{
+    int is_updated = 0;
+
+    *minor_status = 0;
+    *data_set = GSS_C_NO_BUFFER_SET;
+
+    /*
+     * For Windows SPNEGO implementations, both the initiator and the
+     * acceptor are assumed to have been updated if a "newer" [CLAR] or
+     * different enctype is negotiated for use by the Kerberos GSS-API
+     * mechanism.
+     */
+    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+    _gsskrb5i_is_cfx(context_handle, &is_updated);
+    if (is_updated == 0) {
+	krb5_keyblock *acceptor_subkey;
+
+	if (context_handle->more_flags & LOCAL)
+	    acceptor_subkey = context_handle->auth_context->remote_subkey;
+	else
+	    acceptor_subkey = context_handle->auth_context->local_subkey;
+
+	if (acceptor_subkey != NULL)
+	    is_updated = (acceptor_subkey->keytype !=
+			  context_handle->auth_context->keyblock->keytype);
+    }
+    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+
+    return is_updated ? GSS_S_COMPLETE : GSS_S_FAILURE;
+}
+
+/*
+ *
+ */
+
+static OM_uint32
+export_lucid_sec_context_v1(OM_uint32 *minor_status,
+			    gsskrb5_ctx context_handle,
+			    krb5_context context,
+			    gss_buffer_set_t *data_set)
+{
+    krb5_storage *sp = NULL;
+    OM_uint32 major_status = GSS_S_COMPLETE;
+    krb5_error_code ret;
+    krb5_keyblock *key = NULL;
+    int32_t number;
+    int is_cfx;
+    krb5_data data;
+    
+    *minor_status = 0;
+
+    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+
+    _gsskrb5i_is_cfx(context_handle, &is_cfx);
+
+    sp = krb5_storage_emem();
+    if (sp == NULL) {
+	_gsskrb5_clear_status();
+	ret = ENOMEM;
+	goto out;
+    }
+
+    ret = krb5_store_int32(sp, 1);
+    if (ret) goto out;
+    ret = krb5_store_int32(sp, (context_handle->more_flags & LOCAL) ? 1 : 0);
+    if (ret) goto out;
+    ret = krb5_store_int32(sp, context_handle->lifetime);
+    if (ret) goto out;
+    krb5_auth_con_getlocalseqnumber (context,
+				     context_handle->auth_context,
+				     &number);
+    ret = krb5_store_uint32(sp, (uint32_t)0); /* store top half as zero */
+    ret = krb5_store_uint32(sp, (uint32_t)number);
+    krb5_auth_getremoteseqnumber (context,
+				  context_handle->auth_context,
+				  &number);
+    ret = krb5_store_uint32(sp, (uint32_t)0); /* store top half as zero */
+    ret = krb5_store_uint32(sp, (uint32_t)number);
+    ret = krb5_store_int32(sp, (is_cfx) ? 1 : 0);
+    if (ret) goto out;
+
+    ret = _gsskrb5i_get_token_key(context_handle, context, &key);
+    if (ret) goto out;
+
+    if (is_cfx == 0) {
+	int sign_alg, seal_alg;
+
+	switch (key->keytype) {
+	case ETYPE_DES_CBC_CRC:
+	case ETYPE_DES_CBC_MD4:
+	case ETYPE_DES_CBC_MD5:
+	    sign_alg = 0;
+	    seal_alg = 0;
+	    break;
+	case ETYPE_DES3_CBC_MD5:
+	case ETYPE_DES3_CBC_SHA1:
+	    sign_alg = 4;
+	    seal_alg = 2;
+	    break;
+	case ETYPE_ARCFOUR_HMAC_MD5:
+	case ETYPE_ARCFOUR_HMAC_MD5_56:
+	    sign_alg = 17;
+	    seal_alg = 16;
+	    break;
+	default:
+	    sign_alg = -1;
+	    seal_alg = -1;
+	    break;
+	}
+	ret = krb5_store_int32(sp, sign_alg);
+	if (ret) goto out;
+	ret = krb5_store_int32(sp, seal_alg);
+	if (ret) goto out;
+	/* ctx_key */
+	ret = krb5_store_keyblock(sp, *key);
+	if (ret) goto out;
+    } else {
+	int subkey_p = (context_handle->more_flags & ACCEPTOR_SUBKEY) ? 1 : 0;
+
+	/* have_acceptor_subkey */
+	ret = krb5_store_int32(sp, subkey_p);
+	if (ret) goto out;
+	/* ctx_key */
+	ret = krb5_store_keyblock(sp, *key);
+	if (ret) goto out;
+	/* acceptor_subkey */
+	if (subkey_p) {
+	    ret = krb5_store_keyblock(sp, *key);
+	    if (ret) goto out;
+	}
+    }
+    ret = krb5_storage_to_data(sp, &data);
+    if (ret) goto out;
+
+    {
+	gss_buffer_desc ad_data;
+
+	ad_data.value = data.data;
+	ad_data.length = data.length;
+
+	ret = gss_add_buffer_set_member(minor_status, &ad_data, data_set);
+	krb5_data_free(&data);
+	if (ret)
+	    goto out;
+    }
+
+out:
+    if (key)
+	krb5_free_keyblock (context, key);
+    if (sp)
+	krb5_storage_free(sp);
+    if (ret) {
+	*minor_status = ret;
+	major_status = GSS_S_FAILURE;
+    }
+    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+    return major_status;
+}
+
+static OM_uint32
+get_authtime(OM_uint32 *minor_status,
+	     gsskrb5_ctx ctx, 
+	     gss_buffer_set_t *data_set)
+
+{
+    gss_buffer_desc value;
+    unsigned char buf[4];
+    OM_uint32 authtime;
+
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+    if (ctx->ticket == NULL) {
+	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+	_gsskrb5_set_status("No ticket to obtain auth time from");
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+    
+    authtime = ctx->ticket->ticket.authtime;
+    
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+
+    _gsskrb5_encode_om_uint32(authtime, buf);
+    value.length = sizeof(buf);
+    value.value = buf;
+
+    return gss_add_buffer_set_member(minor_status,
+				     &value,
+				     data_set);
+}
+
+
+static OM_uint32 
+get_service_keyblock
+        (OM_uint32 *minor_status,
+	 gsskrb5_ctx ctx, 
+	 gss_buffer_set_t *data_set)
+{
+    krb5_storage *sp = NULL;
+    krb5_data data;
+    OM_uint32 maj_stat = GSS_S_COMPLETE;
+    krb5_error_code ret = EINVAL;
+    
+    sp = krb5_storage_emem();
+    if (sp == NULL) {
+	_gsskrb5_clear_status();
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+    if (ctx->service_keyblock == NULL) {
+	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+	_gsskrb5_set_status("No service keyblock on gssapi context");
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE; 
+    }
+
+    krb5_data_zero(&data);
+
+    ret = krb5_store_keyblock(sp, *ctx->service_keyblock);
+
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+
+    if (ret)
+	goto out;
+
+    ret = krb5_storage_to_data(sp, &data);
+    if (ret)
+	goto out;
+
+    {
+	gss_buffer_desc value;
+	
+	value.length = data.length;
+	value.value = data.data;
+	
+	maj_stat = gss_add_buffer_set_member(minor_status,
+					     &value,
+					     data_set);
+    }
+
+out:
+    krb5_data_free(&data);
+    if (sp)
+	krb5_storage_free(sp);
+    if (ret) {
+	*minor_status = ret;
+	maj_stat = GSS_S_FAILURE;
+    }
+    return maj_stat;
+}
+/*
+ *
+ */
+
+OM_uint32 _gsskrb5_inquire_sec_context_by_oid
+           (OM_uint32 *minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_OID desired_object,
+            gss_buffer_set_t *data_set)
+{
+    krb5_context context;
+    const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
+    unsigned suffix;
+
+    if (ctx == NULL) {
+	*minor_status = EINVAL;
+	return GSS_S_NO_CONTEXT;
+    }
+
+    GSSAPI_KRB5_INIT (&context);
+
+    if (gss_oid_equal(desired_object, GSS_KRB5_GET_TKT_FLAGS_X)) {
+	return inquire_sec_context_tkt_flags(minor_status,
+					     ctx,
+					     data_set);
+    } else if (gss_oid_equal(desired_object, GSS_C_PEER_HAS_UPDATED_SPNEGO)) {
+	return inquire_sec_context_has_updated_spnego(minor_status,
+						      ctx,
+						      data_set);
+    } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_SUBKEY_X)) {
+	return inquire_sec_context_get_subkey(minor_status,
+					      ctx,
+					      context,
+					      TOKEN_KEY,
+					      data_set);
+    } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_INITIATOR_SUBKEY_X)) {
+	return inquire_sec_context_get_subkey(minor_status,
+					      ctx,
+					      context,
+					      INITIATOR_KEY,
+					      data_set);
+    } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_ACCEPTOR_SUBKEY_X)) {
+	return inquire_sec_context_get_subkey(minor_status,
+					      ctx,
+					      context,
+					      ACCEPTOR_KEY,
+					      data_set);
+    } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_AUTHTIME_X)) {
+	return get_authtime(minor_status, ctx, data_set);
+    } else if (oid_prefix_equal(desired_object,
+				GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X,
+				&suffix)) {
+	return inquire_sec_context_authz_data(minor_status,
+					      ctx,
+					      context,
+					      suffix,
+					      data_set);
+    } else if (oid_prefix_equal(desired_object,
+				GSS_KRB5_EXPORT_LUCID_CONTEXT_X,
+				&suffix)) {
+	if (suffix == 1)
+	    return export_lucid_sec_context_v1(minor_status,
+					       ctx,
+					       context,
+					       data_set);
+	*minor_status = 0;
+	return GSS_S_FAILURE;
+    } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_SERVICE_KEYBLOCK_X)) {
+	return get_service_keyblock(minor_status, ctx, data_set);
+    } else {
+	*minor_status = 0;
+	return GSS_S_FAILURE;
+    }
+}
+
diff --git a/crypto/heimdal/lib/gssapi/krb5/prf.c b/crypto/heimdal/lib/gssapi/krb5/prf.c
new file mode 100644
index 0000000..f79c937
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/prf.c
@@ -0,0 +1,143 @@
+/*
+ * Copyright (c) 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: prf.c 21129 2007-06-18 20:28:44Z lha $");
+
+OM_uint32
+_gsskrb5_pseudo_random(OM_uint32 *minor_status,
+		       gss_ctx_id_t context_handle,
+		       int prf_key,
+		       const gss_buffer_t prf_in,
+		       ssize_t desired_output_len,
+		       gss_buffer_t prf_out)
+{
+    gsskrb5_ctx ctx = (gsskrb5_ctx)context_handle;
+    krb5_context context;
+    krb5_error_code ret;
+    krb5_crypto crypto;
+    krb5_data input, output;
+    uint32_t num;
+    unsigned char *p;
+    krb5_keyblock *key = NULL;
+
+    if (ctx == NULL) {
+	*minor_status = 0;
+	return GSS_S_NO_CONTEXT;
+    }
+
+    if (desired_output_len <= 0) {
+	*minor_status = 0;
+	return GSS_S_FAILURE;
+    }
+
+    GSSAPI_KRB5_INIT (&context);
+
+    switch(prf_key) {
+    case GSS_C_PRF_KEY_FULL:
+	_gsskrb5i_get_acceptor_subkey(ctx, context, &key);
+	break;
+    case GSS_C_PRF_KEY_PARTIAL:
+	_gsskrb5i_get_initiator_subkey(ctx, context, &key);
+	break;
+    default:
+	_gsskrb5_set_status("unknown kerberos prf_key");
+	*minor_status = 0;
+	return GSS_S_FAILURE;
+    }
+
+    if (key == NULL) {
+	_gsskrb5_set_status("no prf_key found");
+	*minor_status = 0;
+	return GSS_S_FAILURE;
+    }
+
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    krb5_free_keyblock (context, key);
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    prf_out->value = malloc(desired_output_len);
+    if (prf_out->value == NULL) {
+	_gsskrb5_set_status("Out of memory");
+	*minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG;
+	krb5_crypto_destroy(context, crypto);
+	return GSS_S_FAILURE;
+    }
+    prf_out->length = desired_output_len;
+
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+
+    input.length = prf_in->length + 4;
+    input.data = malloc(prf_in->length + 4);
+    if (input.data == NULL) {
+	OM_uint32 junk;
+	_gsskrb5_set_status("Out of memory");
+	*minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG;
+	gss_release_buffer(&junk, prf_out);
+	krb5_crypto_destroy(context, crypto);
+	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+	return GSS_S_FAILURE;
+    }
+    memcpy(((unsigned char *)input.data) + 4, prf_in->value, prf_in->length);
+
+    num = 0;
+    p = prf_out->value;
+    while(desired_output_len > 0) {
+	_gsskrb5_encode_om_uint32(num, input.data);
+	ret = krb5_crypto_prf(context, crypto, &input, &output);
+	if (ret) {
+	    OM_uint32 junk;
+	    *minor_status = ret;
+	    free(input.data);
+	    gss_release_buffer(&junk, prf_out);
+	    krb5_crypto_destroy(context, crypto);
+	    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+	    return GSS_S_FAILURE;
+	}
+	memcpy(p, output.data, min(desired_output_len, output.length));
+	p += output.length;
+	desired_output_len -= output.length;
+	krb5_data_free(&output);
+	num++;
+    }
+
+    krb5_crypto_destroy(context, crypto);
+
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/process_context_token.c b/crypto/heimdal/lib/gssapi/krb5/process_context_token.c
new file mode 100644
index 0000000..15638f5
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/process_context_token.c
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: process_context_token.c 19031 2006-11-13 18:02:57Z lha $");
+
+OM_uint32 _gsskrb5_process_context_token (
+	OM_uint32          *minor_status,
+	const gss_ctx_id_t context_handle,
+	const gss_buffer_t token_buffer
+    )
+{
+    krb5_context context;
+    OM_uint32 ret = GSS_S_FAILURE;
+    gss_buffer_desc empty_buffer;
+    gss_qop_t qop_state;
+
+    empty_buffer.length = 0;
+    empty_buffer.value = NULL;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    qop_state = GSS_C_QOP_DEFAULT;
+
+    ret = _gsskrb5_verify_mic_internal(minor_status, 
+				       (gsskrb5_ctx)context_handle,
+				       context,
+				       token_buffer, &empty_buffer,
+				       GSS_C_QOP_DEFAULT, "\x01\x02");
+
+    if (ret == GSS_S_COMPLETE)
+	ret = _gsskrb5_delete_sec_context(minor_status,
+					  rk_UNCONST(&context_handle),
+					  GSS_C_NO_BUFFER);
+    if (ret == GSS_S_COMPLETE)
+	*minor_status = 0;
+
+    return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/release_buffer.c b/crypto/heimdal/lib/gssapi/krb5/release_buffer.c
new file mode 100644
index 0000000..5dff626
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/release_buffer.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1997 - 2000, 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: release_buffer.c 18334 2006-10-07 22:16:04Z lha $");
+
+OM_uint32 _gsskrb5_release_buffer
+           (OM_uint32 * minor_status,
+            gss_buffer_t buffer
+           )
+{
+  *minor_status = 0;
+  free (buffer->value);
+  buffer->value  = NULL;
+  buffer->length = 0;
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/release_cred.c b/crypto/heimdal/lib/gssapi/krb5/release_cred.c
new file mode 100644
index 0000000..ab5695b
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/release_cred.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: release_cred.c 20753 2007-05-31 22:50:06Z lha $");
+
+OM_uint32 _gsskrb5_release_cred
+           (OM_uint32 * minor_status,
+            gss_cred_id_t * cred_handle
+           )
+{
+    krb5_context context;
+    gsskrb5_cred cred;
+    OM_uint32 junk;
+
+    *minor_status = 0;
+
+    if (*cred_handle == NULL) 
+        return GSS_S_COMPLETE;
+
+    cred = (gsskrb5_cred)*cred_handle;
+    *cred_handle = GSS_C_NO_CREDENTIAL;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
+
+    if (cred->principal != NULL)
+        krb5_free_principal(context, cred->principal);
+    if (cred->keytab != NULL)
+	krb5_kt_close(context, cred->keytab);
+    if (cred->ccache != NULL) {
+	const krb5_cc_ops *ops;
+	ops = krb5_cc_get_ops(context, cred->ccache);
+	if (cred->cred_flags & GSS_CF_DESTROY_CRED_ON_RELEASE)
+	    krb5_cc_destroy(context, cred->ccache);
+	else 
+	    krb5_cc_close(context, cred->ccache);
+    }
+    gss_release_oid_set(&junk, &cred->mechanisms);
+    if (cred->enctypes)
+	free(cred->enctypes);
+    HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
+    HEIMDAL_MUTEX_destroy(&cred->cred_id_mutex);
+    memset(cred, 0, sizeof(*cred));
+    free(cred);
+    return GSS_S_COMPLETE;
+}
+
diff --git a/crypto/heimdal/lib/gssapi/krb5/release_name.c b/crypto/heimdal/lib/gssapi/krb5/release_name.c
new file mode 100644
index 0000000..80b9193
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/release_name.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: release_name.c 21128 2007-06-18 20:26:50Z lha $");
+
+OM_uint32 _gsskrb5_release_name
+           (OM_uint32 * minor_status,
+            gss_name_t * input_name
+           )
+{
+    krb5_context context;
+    krb5_principal name = (krb5_principal)*input_name;
+
+    *minor_status = 0;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    *input_name = GSS_C_NO_NAME;
+
+    krb5_free_principal(context, name);
+
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/sequence.c b/crypto/heimdal/lib/gssapi/krb5/sequence.c
new file mode 100644
index 0000000..677a3c8
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/sequence.c
@@ -0,0 +1,294 @@
+/*
+ * Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: sequence.c 18334 2006-10-07 22:16:04Z lha $");
+
+#define DEFAULT_JITTER_WINDOW 20
+
+struct gss_msg_order {
+    OM_uint32 flags;
+    OM_uint32 start;
+    OM_uint32 length;
+    OM_uint32 jitter_window;
+    OM_uint32 first_seq;
+    OM_uint32 elem[1];
+};
+
+
+/*
+ *
+ */
+
+static OM_uint32
+msg_order_alloc(OM_uint32 *minor_status,
+		struct gss_msg_order **o,
+		OM_uint32 jitter_window)
+{
+    size_t len;
+    
+    len = jitter_window * sizeof((*o)->elem[0]);
+    len += sizeof(**o);
+    len -= sizeof((*o)->elem[0]);
+    
+    *o = calloc(1, len);
+    if (*o == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }	
+    
+    *minor_status = 0;
+    return GSS_S_COMPLETE;    
+}
+
+/*
+ *
+ */
+
+OM_uint32
+_gssapi_msg_order_create(OM_uint32 *minor_status,
+			 struct gss_msg_order **o, 
+			 OM_uint32 flags, 
+			 OM_uint32 seq_num, 
+			 OM_uint32 jitter_window,
+			 int use_64)
+{
+    OM_uint32 ret;
+
+    if (jitter_window == 0)
+	jitter_window = DEFAULT_JITTER_WINDOW;
+
+    ret = msg_order_alloc(minor_status, o, jitter_window);
+    if(ret != GSS_S_COMPLETE)
+        return ret;
+
+    (*o)->flags = flags;
+    (*o)->length = 0;
+    (*o)->first_seq = seq_num;
+    (*o)->jitter_window = jitter_window;
+    (*o)->elem[0] = seq_num - 1;
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32
+_gssapi_msg_order_destroy(struct gss_msg_order **m)
+{
+    free(*m);
+    *m = NULL;
+    return GSS_S_COMPLETE;
+}
+
+static void
+elem_set(struct gss_msg_order *o, unsigned int slot, OM_uint32 val)
+{
+    o->elem[slot % o->jitter_window] = val;
+}
+
+static void
+elem_insert(struct gss_msg_order *o, 
+	    unsigned int after_slot,
+	    OM_uint32 seq_num)
+{
+    assert(o->jitter_window > after_slot);
+
+    if (o->length > after_slot)
+	memmove(&o->elem[after_slot + 1], &o->elem[after_slot],
+		(o->length - after_slot - 1) * sizeof(o->elem[0]));
+
+    elem_set(o, after_slot, seq_num);
+
+    if (o->length < o->jitter_window)
+	o->length++;
+}
+
+/* rule 1: expected sequence number */
+/* rule 2: > expected sequence number */
+/* rule 3: seqnum < seqnum(first) */
+/* rule 4+5: seqnum in [seqnum(first),seqnum(last)]  */
+
+OM_uint32
+_gssapi_msg_order_check(struct gss_msg_order *o, OM_uint32 seq_num)
+{
+    OM_uint32 r;
+    int i;
+
+    if (o == NULL)
+	return GSS_S_COMPLETE;
+
+    if ((o->flags & (GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG)) == 0)
+	return GSS_S_COMPLETE;
+
+    /* check if the packet is the next in order */
+    if (o->elem[0] == seq_num - 1) {
+	elem_insert(o, 0, seq_num);
+	return GSS_S_COMPLETE;
+    }
+
+    r = (o->flags & (GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG))==GSS_C_REPLAY_FLAG;
+
+    /* sequence number larger then largest sequence number 
+     * or smaller then the first sequence number */
+    if (seq_num > o->elem[0]
+	|| seq_num < o->first_seq
+	|| o->length == 0) 
+    {
+	elem_insert(o, 0, seq_num);
+	if (r) {
+	    return GSS_S_COMPLETE;
+	} else {
+	    return GSS_S_GAP_TOKEN;
+	}
+    }
+
+    assert(o->length > 0);
+
+    /* sequence number smaller the first sequence number */
+    if (seq_num < o->elem[o->length - 1]) {
+	if (r)
+	    return(GSS_S_OLD_TOKEN);
+	else
+	    return(GSS_S_UNSEQ_TOKEN);
+    }
+
+    if (seq_num == o->elem[o->length - 1]) {
+	return GSS_S_DUPLICATE_TOKEN;
+    }
+
+    for (i = 0; i < o->length - 1; i++) {
+	if (o->elem[i] == seq_num)
+	    return GSS_S_DUPLICATE_TOKEN;
+	if (o->elem[i + 1] < seq_num && o->elem[i] < seq_num) {
+	    elem_insert(o, i, seq_num);
+	    if (r)
+		return GSS_S_COMPLETE;
+	    else
+		return GSS_S_UNSEQ_TOKEN;
+	}
+    }
+
+    return GSS_S_FAILURE;
+}
+
+OM_uint32
+_gssapi_msg_order_f(OM_uint32 flags)
+{
+    return flags & (GSS_C_SEQUENCE_FLAG|GSS_C_REPLAY_FLAG);
+}
+
+/*
+ * Translate `o` into inter-process format and export in to `sp'.
+ */
+
+krb5_error_code
+_gssapi_msg_order_export(krb5_storage *sp, struct gss_msg_order *o)
+{
+    krb5_error_code kret;
+    OM_uint32 i;
+    
+    kret = krb5_store_int32(sp, o->flags);
+    if (kret)
+        return kret;
+    kret = krb5_store_int32(sp, o->start);
+    if (kret)
+        return kret;
+    kret = krb5_store_int32(sp, o->length);
+    if (kret)
+        return kret;
+    kret = krb5_store_int32(sp, o->jitter_window);
+    if (kret)
+        return kret;
+    kret = krb5_store_int32(sp, o->first_seq);
+    if (kret)
+        return kret;
+    
+    for (i = 0; i < o->jitter_window; i++) {
+        kret = krb5_store_int32(sp, o->elem[i]);
+	if (kret)
+	    return kret;
+    }
+    
+    return 0;
+}
+
+OM_uint32
+_gssapi_msg_order_import(OM_uint32 *minor_status,
+			 krb5_storage *sp, 
+			 struct gss_msg_order **o)
+{
+    OM_uint32 ret;
+    krb5_error_code kret;
+    int32_t i, flags, start, length, jitter_window, first_seq;
+    
+    kret = krb5_ret_int32(sp, &flags);
+    if (kret)
+	goto failed;
+    ret = krb5_ret_int32(sp, &start);
+    if (kret)
+	goto failed;
+    ret = krb5_ret_int32(sp, &length);
+    if (kret)
+	goto failed;
+    ret = krb5_ret_int32(sp, &jitter_window);
+    if (kret)
+	goto failed;
+    ret = krb5_ret_int32(sp, &first_seq);
+    if (kret)
+	goto failed;
+    
+    ret = msg_order_alloc(minor_status, o, jitter_window);
+    if (ret != GSS_S_COMPLETE)
+        return ret;
+    
+    (*o)->flags = flags;
+    (*o)->start = start;
+    (*o)->length = length;
+    (*o)->jitter_window = jitter_window;
+    (*o)->first_seq = first_seq;
+    
+    for( i = 0; i < jitter_window; i++ ) {
+        kret = krb5_ret_int32(sp, (int32_t*)&((*o)->elem[i]));
+	if (kret)
+	    goto failed;
+    }
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+
+failed:
+    _gssapi_msg_order_destroy(o);
+    *minor_status = kret;
+    return GSS_S_FAILURE;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/set_cred_option.c b/crypto/heimdal/lib/gssapi/krb5/set_cred_option.c
new file mode 100644
index 0000000..d0ca1c4
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/set_cred_option.c
@@ -0,0 +1,229 @@
+/*
+ * Copyright (c) 2004, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: set_cred_option.c 20325 2007-04-12 16:49:17Z lha $");
+
+static gss_OID_desc gss_krb5_import_cred_x_oid_desc =
+{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x04"}; /* XXX */
+
+gss_OID GSS_KRB5_IMPORT_CRED_X = &gss_krb5_import_cred_x_oid_desc;
+
+static OM_uint32
+import_cred(OM_uint32 *minor_status,
+	    krb5_context context,
+            gss_cred_id_t *cred_handle,
+            const gss_buffer_t value)
+{
+    OM_uint32 major_stat;
+    krb5_error_code ret;
+    krb5_principal keytab_principal = NULL;
+    krb5_keytab keytab = NULL;
+    krb5_storage *sp = NULL;
+    krb5_ccache id = NULL;
+    char *str;
+
+    if (cred_handle == NULL || *cred_handle != GSS_C_NO_CREDENTIAL) {
+	*minor_status = 0;
+	return GSS_S_FAILURE;
+    }
+
+    sp = krb5_storage_from_mem(value->value, value->length);
+    if (sp == NULL) {
+	*minor_status = 0;
+	return GSS_S_FAILURE;
+    }
+
+    /* credential cache name */
+    ret = krb5_ret_string(sp, &str);
+    if (ret) {
+	*minor_status = ret;
+	major_stat =  GSS_S_FAILURE;
+	goto out;
+    }
+    if (str[0]) {
+	ret = krb5_cc_resolve(context, str, &id);
+	if (ret) {
+	    *minor_status = ret;
+	    major_stat =  GSS_S_FAILURE;
+	    goto out;
+	}
+    }
+    free(str);
+    str = NULL;
+
+    /* keytab principal name */
+    ret = krb5_ret_string(sp, &str);
+    if (ret == 0 && str[0])
+	ret = krb5_parse_name(context, str, &keytab_principal);
+    if (ret) {
+	*minor_status = ret;
+	major_stat = GSS_S_FAILURE;
+	goto out;
+    }
+    free(str);
+    str = NULL;
+
+    /* keytab principal */
+    ret = krb5_ret_string(sp, &str);
+    if (ret) {
+	*minor_status = ret;
+	major_stat =  GSS_S_FAILURE;
+	goto out;
+    }
+    if (str[0]) {
+	ret = krb5_kt_resolve(context, str, &keytab);
+	if (ret) {
+	    *minor_status = ret;
+	    major_stat =  GSS_S_FAILURE;
+	    goto out;
+	}
+    }
+    free(str);
+    str = NULL;
+
+    major_stat = _gsskrb5_import_cred(minor_status, id, keytab_principal,
+				      keytab, cred_handle);
+out:
+    if (id)
+	krb5_cc_close(context, id);
+    if (keytab_principal)
+	krb5_free_principal(context, keytab_principal);
+    if (keytab)
+	krb5_kt_close(context, keytab);
+    if (str)
+	free(str);
+    if (sp)
+	krb5_storage_free(sp);
+
+    return major_stat;
+}
+
+
+static OM_uint32
+allowed_enctypes(OM_uint32 *minor_status,
+		 krb5_context context,
+		 gss_cred_id_t *cred_handle,
+		 const gss_buffer_t value)
+{
+    OM_uint32 major_stat;
+    krb5_error_code ret;
+    size_t len, i;
+    krb5_enctype *enctypes = NULL;
+    krb5_storage *sp = NULL;
+    gsskrb5_cred cred;
+
+    if (cred_handle == NULL || *cred_handle == GSS_C_NO_CREDENTIAL) {
+	*minor_status = 0;
+	return GSS_S_FAILURE;
+    }
+
+    cred = (gsskrb5_cred)*cred_handle;
+
+    if ((value->length % 4) != 0) {
+	*minor_status = 0;
+	major_stat = GSS_S_FAILURE;
+	goto out;
+    }
+
+    len = value->length / 4;
+    enctypes = malloc((len + 1) * 4);
+    if (enctypes == NULL) {
+	*minor_status = ENOMEM;
+	major_stat = GSS_S_FAILURE;
+	goto out;
+    }
+
+    sp = krb5_storage_from_mem(value->value, value->length);
+    if (sp == NULL) {
+	*minor_status = ENOMEM;
+	major_stat = GSS_S_FAILURE;
+	goto out;
+    }
+
+    for (i = 0; i < len; i++) {
+	uint32_t e;
+
+	ret = krb5_ret_uint32(sp, &e);
+	if (ret) {
+	    *minor_status = ret;
+	    major_stat =  GSS_S_FAILURE;
+	    goto out;
+	}
+	enctypes[i] = e;
+    }
+    enctypes[i] = 0;
+
+    if (cred->enctypes)
+	free(cred->enctypes);
+    cred->enctypes = enctypes;
+
+    krb5_storage_free(sp);
+
+    return GSS_S_COMPLETE;
+
+out:
+    if (sp)
+	krb5_storage_free(sp);
+    if (enctypes)
+	free(enctypes);
+
+    return major_stat;
+}
+
+
+OM_uint32
+_gsskrb5_set_cred_option
+           (OM_uint32 *minor_status,
+            gss_cred_id_t *cred_handle,
+            const gss_OID desired_object,
+            const gss_buffer_t value)
+{
+    krb5_context context;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    if (value == GSS_C_NO_BUFFER) {
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    if (gss_oid_equal(desired_object, GSS_KRB5_IMPORT_CRED_X))
+	return import_cred(minor_status, context, cred_handle, value);
+
+    if (gss_oid_equal(desired_object, GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X))
+	return allowed_enctypes(minor_status, context, cred_handle, value);
+
+    *minor_status = EINVAL;
+    return GSS_S_FAILURE;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/set_sec_context_option.c b/crypto/heimdal/lib/gssapi/krb5/set_sec_context_option.c
new file mode 100644
index 0000000..50441a1
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/set_sec_context_option.c
@@ -0,0 +1,192 @@
+/*
+ * Copyright (c) 2004, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ *  glue routine for _gsskrb5_inquire_sec_context_by_oid
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: set_sec_context_option.c 20384 2007-04-18 08:51:06Z lha $");
+
+static OM_uint32
+get_bool(OM_uint32 *minor_status,
+	 const gss_buffer_t value,
+	 int *flag)
+{
+    if (value->value == NULL || value->length != 1) {
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+    *flag = *((const char *)value->value) != 0;
+    return GSS_S_COMPLETE;
+}
+
+static OM_uint32
+get_string(OM_uint32 *minor_status,
+	   const gss_buffer_t value,
+	   char **str)
+{
+    if (value == NULL || value->length == 0) {
+	*str = NULL;
+    } else {
+	*str = malloc(value->length + 1);
+	if (*str == NULL) {
+	    *minor_status = 0;
+	    return GSS_S_UNAVAILABLE;
+	}
+	memcpy(*str, value->value, value->length);
+	(*str)[value->length] = '\0';
+    }
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32
+_gsskrb5_set_sec_context_option
+           (OM_uint32 *minor_status,
+            gss_ctx_id_t *context_handle,
+            const gss_OID desired_object,
+            const gss_buffer_t value)
+{
+    krb5_context context;
+    OM_uint32 maj_stat;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    if (value == GSS_C_NO_BUFFER) {
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    if (gss_oid_equal(desired_object, GSS_KRB5_COMPAT_DES3_MIC_X)) {
+	gsskrb5_ctx ctx;
+	int flag;
+
+	if (*context_handle == GSS_C_NO_CONTEXT) {
+	    *minor_status = EINVAL;
+	    return GSS_S_NO_CONTEXT;
+	}
+
+	maj_stat = get_bool(minor_status, value, &flag);
+	if (maj_stat != GSS_S_COMPLETE)
+	    return maj_stat;
+
+	ctx = (gsskrb5_ctx)*context_handle;
+	HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+	if (flag)
+	    ctx->more_flags |= COMPAT_OLD_DES3;
+	else
+	    ctx->more_flags &= ~COMPAT_OLD_DES3;
+	ctx->more_flags |= COMPAT_OLD_DES3_SELECTED;
+	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+	return GSS_S_COMPLETE;
+    } else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DNS_CANONICALIZE_X)) {
+	int flag;
+
+	maj_stat = get_bool(minor_status, value, &flag);
+	if (maj_stat != GSS_S_COMPLETE)
+	    return maj_stat;
+
+	krb5_set_dns_canonicalize_hostname(context, flag);
+	return GSS_S_COMPLETE;
+
+    } else if (gss_oid_equal(desired_object, GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X)) {
+	char *str;
+
+	maj_stat = get_string(minor_status, value, &str);
+	if (maj_stat != GSS_S_COMPLETE)
+	    return maj_stat;
+
+	_gsskrb5_register_acceptor_identity(str);
+	free(str);
+
+	*minor_status = 0;
+	return GSS_S_COMPLETE;
+
+    } else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DEFAULT_REALM_X)) {
+	char *str;
+
+	maj_stat = get_string(minor_status, value, &str);
+	if (maj_stat != GSS_S_COMPLETE)
+	    return maj_stat;
+	if (str == NULL) {
+	    *minor_status = 0;
+	    return GSS_S_CALL_INACCESSIBLE_READ;
+	}
+
+	krb5_set_default_realm(context, str);
+	free(str);
+
+	*minor_status = 0;
+	return GSS_S_COMPLETE;
+
+    } else if (gss_oid_equal(desired_object, GSS_KRB5_SEND_TO_KDC_X)) {
+
+	if (value == NULL || value->length == 0) {
+	    krb5_set_send_to_kdc_func(context, NULL, NULL);
+	} else {
+	    struct gsskrb5_send_to_kdc c;
+
+	    if (value->length != sizeof(c)) {
+		*minor_status = EINVAL;
+		return GSS_S_FAILURE;
+	    }
+	    memcpy(&c, value->value, sizeof(c));
+	    krb5_set_send_to_kdc_func(context,
+				      (krb5_send_to_kdc_func)c.func, 
+				      c.ptr);
+	}
+
+	*minor_status = 0;
+	return GSS_S_COMPLETE;
+    } else if (gss_oid_equal(desired_object, GSS_KRB5_CCACHE_NAME_X)) {
+	char *str;
+
+	maj_stat = get_string(minor_status, value, &str);
+	if (maj_stat != GSS_S_COMPLETE)
+	    return maj_stat;
+	if (str == NULL) {
+	    *minor_status = 0;
+	    return GSS_S_CALL_INACCESSIBLE_READ;
+	}
+
+	*minor_status = krb5_cc_set_default_name(context, str);
+	free(str);
+	if (*minor_status)
+	    return GSS_S_FAILURE;
+
+	return GSS_S_COMPLETE;
+    }
+
+    *minor_status = EINVAL;
+    return GSS_S_FAILURE;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/test_cfx.c b/crypto/heimdal/lib/gssapi/krb5/test_cfx.c
new file mode 100644
index 0000000..b453622
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/test_cfx.c
@@ -0,0 +1,159 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: test_cfx.c 19031 2006-11-13 18:02:57Z lha $");
+
+struct range {
+    size_t lower;
+    size_t upper;
+};
+
+struct range tests[] = {
+    { 0, 1040 },
+    { 2040, 2080 },
+    { 4080, 5000 },
+    { 8180, 8292 },
+    { 9980, 10010 }
+};
+
+static void
+test_range(const struct range *r, int integ, 
+	   krb5_context context, krb5_crypto crypto)
+{
+    krb5_error_code ret;
+    size_t size, rsize;
+
+    for (size = r->lower; size < r->upper; size++) {
+	OM_uint32 max_wrap_size;
+	size_t cksumsize;
+	uint16_t padsize;
+
+	ret = _gsskrb5cfx_max_wrap_length_cfx(context,
+					      crypto,
+					      integ,
+					      size,
+					      &max_wrap_size);
+	if (ret)
+	    krb5_errx(context, 1, "_gsskrb5cfx_max_wrap_length_cfx: %d", ret);
+	if (max_wrap_size == 0)
+	    continue;
+
+	ret = _gsskrb5cfx_wrap_length_cfx(context,
+					  crypto,
+					  integ,
+					  max_wrap_size,
+					  &rsize, &cksumsize, &padsize);
+	if (ret)
+	    krb5_errx(context, 1, "_gsskrb5cfx_wrap_length_cfx: %d", ret);
+
+	if (size < rsize)
+	    krb5_errx(context, 1, 
+		      "size (%d) < rsize (%d) for max_wrap_size %d",
+		      (int)size, (int)rsize, (int)max_wrap_size);
+    }
+}
+
+static void
+test_special(krb5_context context, krb5_crypto crypto,
+	     int integ, size_t testsize)
+{
+    krb5_error_code ret;
+    size_t rsize;
+    OM_uint32 max_wrap_size;
+    size_t cksumsize;
+    uint16_t padsize;
+
+    ret = _gsskrb5cfx_max_wrap_length_cfx(context,
+					  crypto,
+					  integ,
+					  testsize,
+					  &max_wrap_size);
+    if (ret)
+	krb5_errx(context, 1, "_gsskrb5cfx_max_wrap_length_cfx: %d", ret);
+    
+    ret = _gsskrb5cfx_wrap_length_cfx(context,
+				      crypto,
+				      integ,
+				      max_wrap_size,
+				      &rsize, &cksumsize, &padsize);
+    if (ret)
+	krb5_errx(context, 1, "_gsskrb5cfx_wrap_length_cfx: %d", ret);
+    
+    if (testsize < rsize)
+	krb5_errx(context, 1, 
+		  "testsize (%d) < rsize (%d) for max_wrap_size %d",
+		  (int)testsize, (int)rsize, (int)max_wrap_size);
+}
+
+
+
+
+int
+main(int argc, char **argv)
+{
+    krb5_keyblock keyblock;
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_crypto crypto;
+    int i;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx(1, "krb5_context_init: %d", ret);
+    
+    ret = krb5_generate_random_keyblock(context, 
+					ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+					&keyblock);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
+
+    ret = krb5_crypto_init(context, &keyblock, 0, &crypto);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_crypto_init");
+
+    test_special(context, crypto, 1, 60);
+    test_special(context, crypto, 0, 60);
+
+    for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) {
+	test_range(&tests[i], 1, context, crypto);
+	test_range(&tests[i], 0, context, crypto);
+    }
+
+    krb5_free_keyblock_contents(context, &keyblock);
+    krb5_crypto_destroy(context, crypto);
+    krb5_free_context(context);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/ticket_flags.c b/crypto/heimdal/lib/gssapi/krb5/ticket_flags.c
new file mode 100644
index 0000000..51d8159
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/ticket_flags.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: ticket_flags.c 18334 2006-10-07 22:16:04Z lha $");
+
+OM_uint32
+_gsskrb5_get_tkt_flags(OM_uint32 *minor_status,
+		       gsskrb5_ctx ctx,
+		       OM_uint32 *tkt_flags)
+{
+    if (ctx == NULL) {
+	*minor_status = EINVAL;
+	return GSS_S_NO_CONTEXT;
+    }
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+
+    if (ctx->ticket == NULL) {
+	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+	*minor_status = EINVAL;
+	return GSS_S_BAD_MECH;
+    }
+
+    *tkt_flags = TicketFlags2int(ctx->ticket->ticket.flags);
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/unwrap.c b/crypto/heimdal/lib/gssapi/krb5/unwrap.c
new file mode 100644
index 0000000..d0a33d8
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/unwrap.c
@@ -0,0 +1,413 @@
+/*
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: unwrap.c 19031 2006-11-13 18:02:57Z lha $");
+
+static OM_uint32
+unwrap_des
+           (OM_uint32 * minor_status,
+            const gsskrb5_ctx context_handle,
+            const gss_buffer_t input_message_buffer,
+            gss_buffer_t output_message_buffer,
+            int * conf_state,
+            gss_qop_t * qop_state,
+	    krb5_keyblock *key
+           )
+{
+  u_char *p, *seq;
+  size_t len;
+  MD5_CTX md5;
+  u_char hash[16];
+  DES_key_schedule schedule;
+  DES_cblock deskey;
+  DES_cblock zero;
+  int i;
+  uint32_t seq_number;
+  size_t padlength;
+  OM_uint32 ret;
+  int cstate;
+  int cmp;
+
+  p = input_message_buffer->value;
+  ret = _gsskrb5_verify_header (&p,
+				   input_message_buffer->length,
+				   "\x02\x01",
+				   GSS_KRB5_MECHANISM);
+  if (ret)
+      return ret;
+
+  if (memcmp (p, "\x00\x00", 2) != 0)
+    return GSS_S_BAD_SIG;
+  p += 2;
+  if (memcmp (p, "\x00\x00", 2) == 0) {
+      cstate = 1;
+  } else if (memcmp (p, "\xFF\xFF", 2) == 0) {
+      cstate = 0;
+  } else
+      return GSS_S_BAD_MIC;
+  p += 2;
+  if(conf_state != NULL)
+      *conf_state = cstate;
+  if (memcmp (p, "\xff\xff", 2) != 0)
+    return GSS_S_DEFECTIVE_TOKEN;
+  p += 2;
+  p += 16;
+
+  len = p - (u_char *)input_message_buffer->value;
+
+  if(cstate) {
+      /* decrypt data */
+      memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
+
+      for (i = 0; i < sizeof(deskey); ++i)
+	  deskey[i] ^= 0xf0;
+      DES_set_key (&deskey, &schedule);
+      memset (&zero, 0, sizeof(zero));
+      DES_cbc_encrypt ((void *)p,
+		       (void *)p,
+		       input_message_buffer->length - len,
+		       &schedule,
+		       &zero,
+		       DES_DECRYPT);
+      
+      memset (deskey, 0, sizeof(deskey));
+      memset (&schedule, 0, sizeof(schedule));
+  }
+  /* check pad */
+  ret = _gssapi_verify_pad(input_message_buffer, 
+			   input_message_buffer->length - len,
+			   &padlength);
+  if (ret)
+      return ret;
+
+  MD5_Init (&md5);
+  MD5_Update (&md5, p - 24, 8);
+  MD5_Update (&md5, p, input_message_buffer->length - len);
+  MD5_Final (hash, &md5);
+
+  memset (&zero, 0, sizeof(zero));
+  memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
+  DES_set_key (&deskey, &schedule);
+  DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
+		 &schedule, &zero);
+  if (memcmp (p - 8, hash, 8) != 0)
+    return GSS_S_BAD_MIC;
+
+  /* verify sequence number */
+  
+  HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+
+  p -= 16;
+  DES_set_key (&deskey, &schedule);
+  DES_cbc_encrypt ((void *)p, (void *)p, 8,
+		   &schedule, (DES_cblock *)hash, DES_DECRYPT);
+
+  memset (deskey, 0, sizeof(deskey));
+  memset (&schedule, 0, sizeof(schedule));
+
+  seq = p;
+  _gsskrb5_decode_om_uint32(seq, &seq_number);
+
+  if (context_handle->more_flags & LOCAL)
+      cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4);
+  else
+      cmp = memcmp(&seq[4], "\x00\x00\x00\x00", 4);
+
+  if (cmp != 0) {
+    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+    return GSS_S_BAD_MIC;
+  }
+
+  ret = _gssapi_msg_order_check(context_handle->order, seq_number);
+  if (ret) {
+    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+    return ret;
+  }
+
+  HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+
+  /* copy out data */
+
+  output_message_buffer->length = input_message_buffer->length
+    - len - padlength - 8;
+  output_message_buffer->value  = malloc(output_message_buffer->length);
+  if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
+      return GSS_S_FAILURE;
+  memcpy (output_message_buffer->value,
+	  p + 24,
+	  output_message_buffer->length);
+  return GSS_S_COMPLETE;
+}
+
+static OM_uint32
+unwrap_des3
+           (OM_uint32 * minor_status,
+            const gsskrb5_ctx context_handle,
+	    krb5_context context,
+            const gss_buffer_t input_message_buffer,
+            gss_buffer_t output_message_buffer,
+            int * conf_state,
+            gss_qop_t * qop_state,
+	    krb5_keyblock *key
+           )
+{
+  u_char *p;
+  size_t len;
+  u_char *seq;
+  krb5_data seq_data;
+  u_char cksum[20];
+  uint32_t seq_number;
+  size_t padlength;
+  OM_uint32 ret;
+  int cstate;
+  krb5_crypto crypto;
+  Checksum csum;
+  int cmp;
+
+  p = input_message_buffer->value;
+  ret = _gsskrb5_verify_header (&p,
+				   input_message_buffer->length,
+				   "\x02\x01",
+				   GSS_KRB5_MECHANISM);
+  if (ret)
+      return ret;
+
+  if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
+    return GSS_S_BAD_SIG;
+  p += 2;
+  if (memcmp (p, "\x02\x00", 2) == 0) {
+    cstate = 1;
+  } else if (memcmp (p, "\xff\xff", 2) == 0) {
+    cstate = 0;
+  } else
+    return GSS_S_BAD_MIC;
+  p += 2;
+  if(conf_state != NULL)
+    *conf_state = cstate;
+  if (memcmp (p, "\xff\xff", 2) != 0)
+    return GSS_S_DEFECTIVE_TOKEN;
+  p += 2;
+  p += 28;
+
+  len = p - (u_char *)input_message_buffer->value;
+
+  if(cstate) {
+      /* decrypt data */
+      krb5_data tmp;
+
+      ret = krb5_crypto_init(context, key,
+			     ETYPE_DES3_CBC_NONE, &crypto);
+      if (ret) {
+	  *minor_status = ret;
+	  return GSS_S_FAILURE;
+      }
+      ret = krb5_decrypt(context, crypto, KRB5_KU_USAGE_SEAL,
+			 p, input_message_buffer->length - len, &tmp);
+      krb5_crypto_destroy(context, crypto);
+      if (ret) {
+	  *minor_status = ret;
+	  return GSS_S_FAILURE;
+      }
+      assert (tmp.length == input_message_buffer->length - len);
+
+      memcpy (p, tmp.data, tmp.length);
+      krb5_data_free(&tmp);
+  }
+  /* check pad */
+  ret = _gssapi_verify_pad(input_message_buffer, 
+			   input_message_buffer->length - len,
+			   &padlength);
+  if (ret)
+      return ret;
+
+  /* verify sequence number */
+  
+  HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+
+  p -= 28;
+
+  ret = krb5_crypto_init(context, key,
+			 ETYPE_DES3_CBC_NONE, &crypto);
+  if (ret) {
+      *minor_status = ret;
+      HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+      return GSS_S_FAILURE;
+  }
+  {
+      DES_cblock ivec;
+
+      memcpy(&ivec, p + 8, 8);
+      ret = krb5_decrypt_ivec (context,
+			       crypto,
+			       KRB5_KU_USAGE_SEQ,
+			       p, 8, &seq_data,
+			       &ivec);
+  }
+  krb5_crypto_destroy (context, crypto);
+  if (ret) {
+      *minor_status = ret;
+      HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+      return GSS_S_FAILURE;
+  }
+  if (seq_data.length != 8) {
+      krb5_data_free (&seq_data);
+      *minor_status = 0;
+      HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+      return GSS_S_BAD_MIC;
+  }
+
+  seq = seq_data.data;
+  _gsskrb5_decode_om_uint32(seq, &seq_number);
+
+  if (context_handle->more_flags & LOCAL)
+      cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4);
+  else
+      cmp = memcmp(&seq[4], "\x00\x00\x00\x00", 4);
+  
+  krb5_data_free (&seq_data);
+  if (cmp != 0) {
+      *minor_status = 0;
+      HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+      return GSS_S_BAD_MIC;
+  }
+
+  ret = _gssapi_msg_order_check(context_handle->order, seq_number);
+  if (ret) {
+      *minor_status = 0;
+      HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+      return ret;
+  }
+
+  HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+
+  /* verify checksum */
+
+  memcpy (cksum, p + 8, 20);
+
+  memcpy (p + 20, p - 8, 8);
+
+  csum.cksumtype = CKSUMTYPE_HMAC_SHA1_DES3;
+  csum.checksum.length = 20;
+  csum.checksum.data   = cksum;
+
+  ret = krb5_crypto_init(context, key, 0, &crypto);
+  if (ret) {
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+
+  ret = krb5_verify_checksum (context, crypto,
+			      KRB5_KU_USAGE_SIGN,
+			      p + 20,
+			      input_message_buffer->length - len + 8,
+			      &csum);
+  krb5_crypto_destroy (context, crypto);
+  if (ret) {
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+
+  /* copy out data */
+
+  output_message_buffer->length = input_message_buffer->length
+    - len - padlength - 8;
+  output_message_buffer->value  = malloc(output_message_buffer->length);
+  if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
+      return GSS_S_FAILURE;
+  memcpy (output_message_buffer->value,
+	  p + 36,
+	  output_message_buffer->length);
+  return GSS_S_COMPLETE;
+}
+
+OM_uint32 _gsskrb5_unwrap
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t input_message_buffer,
+            gss_buffer_t output_message_buffer,
+            int * conf_state,
+            gss_qop_t * qop_state
+           )
+{
+  krb5_keyblock *key;
+  krb5_context context;
+  OM_uint32 ret;
+  krb5_keytype keytype;
+  gsskrb5_ctx ctx = (gsskrb5_ctx) context_handle;
+
+  output_message_buffer->value = NULL;
+  output_message_buffer->length = 0;
+
+  GSSAPI_KRB5_INIT (&context);
+
+  if (qop_state != NULL)
+      *qop_state = GSS_C_QOP_DEFAULT;
+  HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+  ret = _gsskrb5i_get_token_key(ctx, context, &key);
+  HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+  if (ret) {
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+  krb5_enctype_to_keytype (context, key->keytype, &keytype);
+
+  *minor_status = 0;
+
+  switch (keytype) {
+  case KEYTYPE_DES :
+      ret = unwrap_des (minor_status, ctx,
+			input_message_buffer, output_message_buffer,
+			conf_state, qop_state, key);
+      break;
+  case KEYTYPE_DES3 :
+      ret = unwrap_des3 (minor_status, ctx, context,
+			 input_message_buffer, output_message_buffer,
+			 conf_state, qop_state, key);
+      break;
+  case KEYTYPE_ARCFOUR:
+  case KEYTYPE_ARCFOUR_56:
+      ret = _gssapi_unwrap_arcfour (minor_status, ctx, context,
+				    input_message_buffer, output_message_buffer,
+				    conf_state, qop_state, key);
+      break;
+  default :
+      ret = _gssapi_unwrap_cfx (minor_status, ctx, context,
+				input_message_buffer, output_message_buffer,
+				conf_state, qop_state, key);
+      break;
+  }
+  krb5_free_keyblock (context, key);
+  return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/v1.c b/crypto/heimdal/lib/gssapi/krb5/v1.c
new file mode 100644
index 0000000..c5ebeb9
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/v1.c
@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: v1.c 18334 2006-10-07 22:16:04Z lha $");
+
+/* These functions are for V1 compatibility */
+
+OM_uint32 _gsskrb5_sign
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t context_handle,
+            int qop_req,
+            gss_buffer_t message_buffer,
+            gss_buffer_t message_token
+           )
+{
+  return _gsskrb5_get_mic(minor_status,
+	context_handle,
+	(gss_qop_t)qop_req,
+	message_buffer,
+	message_token);
+}
+
+OM_uint32 _gsskrb5_verify
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t context_handle,
+            gss_buffer_t message_buffer,
+            gss_buffer_t token_buffer,
+            int * qop_state
+           )
+{
+  return _gsskrb5_verify_mic(minor_status,
+	context_handle,
+	message_buffer,
+	token_buffer,
+	(gss_qop_t *)qop_state);
+}
+
+OM_uint32 _gsskrb5_seal
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t context_handle,
+            int conf_req_flag,
+            int qop_req,
+            gss_buffer_t input_message_buffer,
+            int * conf_state,
+            gss_buffer_t output_message_buffer
+           )
+{
+  return _gsskrb5_wrap(minor_status,
+	context_handle,
+	conf_req_flag,
+	(gss_qop_t)qop_req,
+	input_message_buffer,
+	conf_state,
+	output_message_buffer);
+}
+
+OM_uint32 _gsskrb5_unseal
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t context_handle,
+            gss_buffer_t input_message_buffer,
+            gss_buffer_t output_message_buffer,
+            int * conf_state,
+            int * qop_state
+           )
+{
+  return _gsskrb5_unwrap(minor_status,
+	context_handle,
+	input_message_buffer,
+	output_message_buffer,
+	conf_state,
+	(gss_qop_t *)qop_state);
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/verify_mic.c b/crypto/heimdal/lib/gssapi/krb5/verify_mic.c
new file mode 100644
index 0000000..52381af
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/verify_mic.c
@@ -0,0 +1,344 @@
+/*
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: verify_mic.c 19031 2006-11-13 18:02:57Z lha $");
+
+static OM_uint32
+verify_mic_des
+           (OM_uint32 * minor_status,
+            const gsskrb5_ctx context_handle,
+	    krb5_context context,
+            const gss_buffer_t message_buffer,
+            const gss_buffer_t token_buffer,
+            gss_qop_t * qop_state,
+	    krb5_keyblock *key,
+	    char *type
+	    )
+{
+  u_char *p;
+  MD5_CTX md5;
+  u_char hash[16], *seq;
+  DES_key_schedule schedule;
+  DES_cblock zero;
+  DES_cblock deskey;
+  uint32_t seq_number;
+  OM_uint32 ret;
+  int cmp;
+
+  p = token_buffer->value;
+  ret = _gsskrb5_verify_header (&p,
+				   token_buffer->length,
+				   type,
+				   GSS_KRB5_MECHANISM);
+  if (ret)
+      return ret;
+
+  if (memcmp(p, "\x00\x00", 2) != 0)
+      return GSS_S_BAD_SIG;
+  p += 2;
+  if (memcmp (p, "\xff\xff\xff\xff", 4) != 0)
+    return GSS_S_BAD_MIC;
+  p += 4;
+  p += 16;
+
+  /* verify checksum */
+  MD5_Init (&md5);
+  MD5_Update (&md5, p - 24, 8);
+  MD5_Update (&md5, message_buffer->value,
+	     message_buffer->length);
+  MD5_Final (hash, &md5);
+
+  memset (&zero, 0, sizeof(zero));
+  memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
+
+  DES_set_key (&deskey, &schedule);
+  DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
+		 &schedule, &zero);
+  if (memcmp (p - 8, hash, 8) != 0) {
+    memset (deskey, 0, sizeof(deskey));
+    memset (&schedule, 0, sizeof(schedule));
+    return GSS_S_BAD_MIC;
+  }
+
+  /* verify sequence number */
+  
+  HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+
+  p -= 16;
+  DES_set_key (&deskey, &schedule);
+  DES_cbc_encrypt ((void *)p, (void *)p, 8,
+		   &schedule, (DES_cblock *)hash, DES_DECRYPT);
+
+  memset (deskey, 0, sizeof(deskey));
+  memset (&schedule, 0, sizeof(schedule));
+
+  seq = p;
+  _gsskrb5_decode_om_uint32(seq, &seq_number);
+
+  if (context_handle->more_flags & LOCAL)
+      cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4);
+  else
+      cmp = memcmp(&seq[4], "\x00\x00\x00\x00", 4);
+
+  if (cmp != 0) {
+    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+    return GSS_S_BAD_MIC;
+  }
+
+  ret = _gssapi_msg_order_check(context_handle->order, seq_number);
+  if (ret) {
+      HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+      return ret;
+  }
+
+  HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+
+  return GSS_S_COMPLETE;
+}
+
+static OM_uint32
+verify_mic_des3
+           (OM_uint32 * minor_status,
+            const gsskrb5_ctx context_handle,
+	    krb5_context context,
+            const gss_buffer_t message_buffer,
+            const gss_buffer_t token_buffer,
+            gss_qop_t * qop_state,
+	    krb5_keyblock *key,
+	    char *type
+	    )
+{
+  u_char *p;
+  u_char *seq;
+  uint32_t seq_number;
+  OM_uint32 ret;
+  krb5_crypto crypto;
+  krb5_data seq_data;
+  int cmp, docompat;
+  Checksum csum;
+  char *tmp;
+  char ivec[8];
+  
+  p = token_buffer->value;
+  ret = _gsskrb5_verify_header (&p,
+				   token_buffer->length,
+				   type,
+				   GSS_KRB5_MECHANISM);
+  if (ret)
+      return ret;
+
+  if (memcmp(p, "\x04\x00", 2) != 0) /* SGN_ALG = HMAC SHA1 DES3-KD */
+      return GSS_S_BAD_SIG;
+  p += 2;
+  if (memcmp (p, "\xff\xff\xff\xff", 4) != 0)
+    return GSS_S_BAD_MIC;
+  p += 4;
+
+  ret = krb5_crypto_init(context, key,
+			 ETYPE_DES3_CBC_NONE, &crypto);
+  if (ret){
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+
+  /* verify sequence number */
+  docompat = 0;
+retry:
+  if (docompat)
+      memset(ivec, 0, 8);
+  else
+      memcpy(ivec, p + 8, 8);
+
+  ret = krb5_decrypt_ivec (context,
+			   crypto,
+			   KRB5_KU_USAGE_SEQ,
+			   p, 8, &seq_data, ivec);
+  if (ret) {
+      if (docompat++) {
+	  krb5_crypto_destroy (context, crypto);
+	  *minor_status = ret;
+	  return GSS_S_FAILURE;
+      } else
+	  goto retry;
+  }
+
+  if (seq_data.length != 8) {
+      krb5_data_free (&seq_data);
+      if (docompat++) {
+	  krb5_crypto_destroy (context, crypto);
+	  return GSS_S_BAD_MIC;
+      } else
+	  goto retry;
+  }
+
+  HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+
+  seq = seq_data.data;
+  _gsskrb5_decode_om_uint32(seq, &seq_number);
+
+  if (context_handle->more_flags & LOCAL)
+      cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4);
+  else
+      cmp = memcmp(&seq[4], "\x00\x00\x00\x00", 4);
+
+  krb5_data_free (&seq_data);
+  if (cmp != 0) {
+      krb5_crypto_destroy (context, crypto);
+      *minor_status = 0;
+      HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+      return GSS_S_BAD_MIC;
+  }
+
+  ret = _gssapi_msg_order_check(context_handle->order, seq_number);
+  if (ret) {
+      krb5_crypto_destroy (context, crypto);
+      *minor_status = 0;
+      HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+      return ret;
+  }
+
+  /* verify checksum */
+
+  tmp = malloc (message_buffer->length + 8);
+  if (tmp == NULL) {
+      krb5_crypto_destroy (context, crypto);
+      HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+      *minor_status = ENOMEM;
+      return GSS_S_FAILURE;
+  }
+
+  memcpy (tmp, p - 8, 8);
+  memcpy (tmp + 8, message_buffer->value, message_buffer->length);
+
+  csum.cksumtype = CKSUMTYPE_HMAC_SHA1_DES3;
+  csum.checksum.length = 20;
+  csum.checksum.data   = p + 8;
+
+  ret = krb5_verify_checksum (context, crypto,
+			      KRB5_KU_USAGE_SIGN,
+			      tmp, message_buffer->length + 8,
+			      &csum);
+  free (tmp);
+  if (ret) {
+      krb5_crypto_destroy (context, crypto);
+      *minor_status = ret;
+      HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+      return GSS_S_BAD_MIC;
+  }
+  HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+
+  krb5_crypto_destroy (context, crypto);
+  return GSS_S_COMPLETE;
+}
+
+OM_uint32
+_gsskrb5_verify_mic_internal
+           (OM_uint32 * minor_status,
+            const gsskrb5_ctx context_handle,
+	    krb5_context context,
+            const gss_buffer_t message_buffer,
+            const gss_buffer_t token_buffer,
+            gss_qop_t * qop_state,
+	    char * type
+	    )
+{
+    krb5_keyblock *key;
+    OM_uint32 ret;
+    krb5_keytype keytype;
+
+    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+    ret = _gsskrb5i_get_token_key(context_handle, context, &key);
+    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+    *minor_status = 0;
+    krb5_enctype_to_keytype (context, key->keytype, &keytype);
+    switch (keytype) {
+    case KEYTYPE_DES :
+	ret = verify_mic_des (minor_status, context_handle, context,
+			      message_buffer, token_buffer, qop_state, key,
+			      type);
+	break;
+    case KEYTYPE_DES3 :
+	ret = verify_mic_des3 (minor_status, context_handle, context,
+			       message_buffer, token_buffer, qop_state, key,
+			       type);
+	break;
+    case KEYTYPE_ARCFOUR :
+    case KEYTYPE_ARCFOUR_56 :
+	ret = _gssapi_verify_mic_arcfour (minor_status, context_handle,
+					  context,
+					  message_buffer, token_buffer,
+					  qop_state, key, type);
+	break;
+    default :
+	ret = _gssapi_verify_mic_cfx (minor_status, context_handle,
+				      context,
+				      message_buffer, token_buffer, qop_state,
+				      key);
+	break;
+    }
+    krb5_free_keyblock (context, key);
+    
+    return ret;
+}
+
+OM_uint32
+_gsskrb5_verify_mic
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t message_buffer,
+            const gss_buffer_t token_buffer,
+            gss_qop_t * qop_state
+	    )
+{
+    krb5_context context;
+    OM_uint32 ret;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    if (qop_state != NULL)
+	*qop_state = GSS_C_QOP_DEFAULT;
+
+    ret = _gsskrb5_verify_mic_internal(minor_status, 
+				       (gsskrb5_ctx)context_handle,
+				       context,
+				       message_buffer, token_buffer,
+				       qop_state, "\x01\x01");
+
+    return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/krb5/wrap.c b/crypto/heimdal/lib/gssapi/krb5/wrap.c
new file mode 100644
index 0000000..d413798
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/krb5/wrap.c
@@ -0,0 +1,551 @@
+/*
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5/gsskrb5_locl.h"
+
+RCSID("$Id: wrap.c 19035 2006-11-14 09:49:56Z lha $");
+
+/*
+ * Return initiator subkey, or if that doesn't exists, the subkey.
+ */
+
+krb5_error_code
+_gsskrb5i_get_initiator_subkey(const gsskrb5_ctx ctx,
+			       krb5_context context,
+			       krb5_keyblock **key)
+{
+    krb5_error_code ret;
+    *key = NULL;
+
+    if (ctx->more_flags & LOCAL) {
+	ret = krb5_auth_con_getlocalsubkey(context,
+				     ctx->auth_context, 
+				     key);
+    } else {
+	ret = krb5_auth_con_getremotesubkey(context,
+				      ctx->auth_context, 
+				      key);
+    }
+    if (ret == 0 && *key == NULL)
+	ret = krb5_auth_con_getkey(context,
+				   ctx->auth_context, 
+				   key);
+    if (ret == 0 && *key == NULL) {
+	krb5_set_error_string(context, "No initiator subkey available");
+	return GSS_KRB5_S_KG_NO_SUBKEY;
+    }
+    return ret;
+}
+
+krb5_error_code
+_gsskrb5i_get_acceptor_subkey(const gsskrb5_ctx ctx,
+			      krb5_context context,
+			      krb5_keyblock **key)
+{
+    krb5_error_code ret;
+    *key = NULL;
+
+    if (ctx->more_flags & LOCAL) {
+	ret = krb5_auth_con_getremotesubkey(context,
+				      ctx->auth_context, 
+				      key);
+    } else {
+	ret = krb5_auth_con_getlocalsubkey(context,
+				     ctx->auth_context, 
+				     key);
+    }
+    if (ret == 0 && *key == NULL) {
+	krb5_set_error_string(context, "No acceptor subkey available");
+	return GSS_KRB5_S_KG_NO_SUBKEY;
+    }
+    return ret;
+}
+
+OM_uint32
+_gsskrb5i_get_token_key(const gsskrb5_ctx ctx,
+			krb5_context context,
+			krb5_keyblock **key)
+{
+    _gsskrb5i_get_acceptor_subkey(ctx, context, key);
+    if(*key == NULL) {
+	/*
+	 * Only use the initiator subkey or ticket session key if an
+	 * acceptor subkey was not required.
+	 */
+	if ((ctx->more_flags & ACCEPTOR_SUBKEY) == 0)
+	    _gsskrb5i_get_initiator_subkey(ctx, context, key);
+    }
+    if (*key == NULL) {
+	krb5_set_error_string(context, "No token key available");
+	return GSS_KRB5_S_KG_NO_SUBKEY;
+    }
+    return 0;
+}
+
+static OM_uint32
+sub_wrap_size (
+            OM_uint32 req_output_size,
+            OM_uint32 * max_input_size,
+	    int blocksize,
+	    int extrasize
+           )
+{
+    size_t len, total_len; 
+
+    len = 8 + req_output_size + blocksize + extrasize;
+
+    _gsskrb5_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
+
+    total_len -= req_output_size; /* token length */
+    if (total_len < req_output_size) {
+        *max_input_size = (req_output_size - total_len);
+        (*max_input_size) &= (~(OM_uint32)(blocksize - 1));
+    } else {
+        *max_input_size = 0;
+    }
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32
+_gsskrb5_wrap_size_limit (
+            OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            int conf_req_flag,
+            gss_qop_t qop_req,
+            OM_uint32 req_output_size,
+            OM_uint32 * max_input_size
+           )
+{
+  krb5_context context;
+  krb5_keyblock *key;
+  OM_uint32 ret;
+  krb5_keytype keytype;
+  const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
+
+  GSSAPI_KRB5_INIT (&context);
+
+  HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+  ret = _gsskrb5i_get_token_key(ctx, context, &key);
+  HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+  if (ret) {
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+  krb5_enctype_to_keytype (context, key->keytype, &keytype);
+
+  switch (keytype) {
+  case KEYTYPE_DES :
+      ret = sub_wrap_size(req_output_size, max_input_size, 8, 22);
+      break;
+  case KEYTYPE_ARCFOUR:
+  case KEYTYPE_ARCFOUR_56:
+      ret = _gssapi_wrap_size_arcfour(minor_status, ctx, context,
+				      conf_req_flag, qop_req, 
+				      req_output_size, max_input_size, key);
+      break;
+  case KEYTYPE_DES3 :
+      ret = sub_wrap_size(req_output_size, max_input_size, 8, 34);
+      break;
+  default :
+      ret = _gssapi_wrap_size_cfx(minor_status, ctx, context,
+				  conf_req_flag, qop_req, 
+				  req_output_size, max_input_size, key);
+      break;
+  }
+  krb5_free_keyblock (context, key);
+  *minor_status = 0;
+  return ret;
+}
+
+static OM_uint32
+wrap_des
+           (OM_uint32 * minor_status,
+            const gsskrb5_ctx ctx,
+	    krb5_context context,
+            int conf_req_flag,
+            gss_qop_t qop_req,
+            const gss_buffer_t input_message_buffer,
+            int * conf_state,
+            gss_buffer_t output_message_buffer,
+	    krb5_keyblock *key
+           )
+{
+  u_char *p;
+  MD5_CTX md5;
+  u_char hash[16];
+  DES_key_schedule schedule;
+  DES_cblock deskey;
+  DES_cblock zero;
+  int i;
+  int32_t seq_number;
+  size_t len, total_len, padlength, datalen;
+
+  padlength = 8 - (input_message_buffer->length % 8);
+  datalen = input_message_buffer->length + padlength + 8;
+  len = datalen + 22;
+  _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
+
+  output_message_buffer->length = total_len;
+  output_message_buffer->value  = malloc (total_len);
+  if (output_message_buffer->value == NULL) {
+    output_message_buffer->length = 0;
+    *minor_status = ENOMEM;
+    return GSS_S_FAILURE;
+  }
+
+  p = _gsskrb5_make_header(output_message_buffer->value,
+			      len,
+			      "\x02\x01", /* TOK_ID */
+			      GSS_KRB5_MECHANISM);
+
+  /* SGN_ALG */
+  memcpy (p, "\x00\x00", 2);
+  p += 2;
+  /* SEAL_ALG */
+  if(conf_req_flag)
+      memcpy (p, "\x00\x00", 2);
+  else
+      memcpy (p, "\xff\xff", 2);
+  p += 2;
+  /* Filler */
+  memcpy (p, "\xff\xff", 2);
+  p += 2;
+
+  /* fill in later */
+  memset (p, 0, 16);
+  p += 16;
+
+  /* confounder + data + pad */
+  krb5_generate_random_block(p, 8);
+  memcpy (p + 8, input_message_buffer->value,
+	  input_message_buffer->length);
+  memset (p + 8 + input_message_buffer->length, padlength, padlength);
+
+  /* checksum */
+  MD5_Init (&md5);
+  MD5_Update (&md5, p - 24, 8);
+  MD5_Update (&md5, p, datalen);
+  MD5_Final (hash, &md5);
+
+  memset (&zero, 0, sizeof(zero));
+  memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
+  DES_set_key (&deskey, &schedule);
+  DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
+		 &schedule, &zero);
+  memcpy (p - 8, hash, 8);
+
+  /* sequence number */
+  HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+  krb5_auth_con_getlocalseqnumber (context,
+				   ctx->auth_context,
+				   &seq_number);
+
+  p -= 16;
+  p[0] = (seq_number >> 0)  & 0xFF;
+  p[1] = (seq_number >> 8)  & 0xFF;
+  p[2] = (seq_number >> 16) & 0xFF;
+  p[3] = (seq_number >> 24) & 0xFF;
+  memset (p + 4,
+	  (ctx->more_flags & LOCAL) ? 0 : 0xFF,
+	  4);
+
+  DES_set_key (&deskey, &schedule);
+  DES_cbc_encrypt ((void *)p, (void *)p, 8,
+		   &schedule, (DES_cblock *)(p + 8), DES_ENCRYPT);
+
+  krb5_auth_con_setlocalseqnumber (context,
+			       ctx->auth_context,
+			       ++seq_number);
+  HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+
+  /* encrypt the data */
+  p += 16;
+
+  if(conf_req_flag) {
+      memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
+
+      for (i = 0; i < sizeof(deskey); ++i)
+	  deskey[i] ^= 0xf0;
+      DES_set_key (&deskey, &schedule);
+      memset (&zero, 0, sizeof(zero));
+      DES_cbc_encrypt ((void *)p,
+		       (void *)p,
+		       datalen,
+		       &schedule,
+		       &zero,
+		       DES_ENCRYPT);
+  }
+  memset (deskey, 0, sizeof(deskey));
+  memset (&schedule, 0, sizeof(schedule));
+
+  if(conf_state != NULL)
+      *conf_state = conf_req_flag;
+  *minor_status = 0;
+  return GSS_S_COMPLETE;
+}
+
+static OM_uint32
+wrap_des3
+           (OM_uint32 * minor_status,
+            const gsskrb5_ctx ctx,
+	    krb5_context context,
+            int conf_req_flag,
+            gss_qop_t qop_req,
+            const gss_buffer_t input_message_buffer,
+            int * conf_state,
+            gss_buffer_t output_message_buffer,
+	    krb5_keyblock *key
+           )
+{
+  u_char *p;
+  u_char seq[8];
+  int32_t seq_number;
+  size_t len, total_len, padlength, datalen;
+  uint32_t ret;
+  krb5_crypto crypto;
+  Checksum cksum;
+  krb5_data encdata;
+
+  padlength = 8 - (input_message_buffer->length % 8);
+  datalen = input_message_buffer->length + padlength + 8;
+  len = datalen + 34;
+  _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
+
+  output_message_buffer->length = total_len;
+  output_message_buffer->value  = malloc (total_len);
+  if (output_message_buffer->value == NULL) {
+    output_message_buffer->length = 0;
+    *minor_status = ENOMEM;
+    return GSS_S_FAILURE;
+  }
+
+  p = _gsskrb5_make_header(output_message_buffer->value,
+			      len,
+			      "\x02\x01", /* TOK_ID */
+			      GSS_KRB5_MECHANISM); 
+
+  /* SGN_ALG */
+  memcpy (p, "\x04\x00", 2);	/* HMAC SHA1 DES3-KD */
+  p += 2;
+  /* SEAL_ALG */
+  if(conf_req_flag)
+      memcpy (p, "\x02\x00", 2); /* DES3-KD */
+  else
+      memcpy (p, "\xff\xff", 2);
+  p += 2;
+  /* Filler */
+  memcpy (p, "\xff\xff", 2);
+  p += 2;
+
+  /* calculate checksum (the above + confounder + data + pad) */
+
+  memcpy (p + 20, p - 8, 8);
+  krb5_generate_random_block(p + 28, 8);
+  memcpy (p + 28 + 8, input_message_buffer->value,
+	  input_message_buffer->length);
+  memset (p + 28 + 8 + input_message_buffer->length, padlength, padlength);
+
+  ret = krb5_crypto_init(context, key, 0, &crypto);
+  if (ret) {
+      free (output_message_buffer->value);
+      output_message_buffer->length = 0;
+      output_message_buffer->value = NULL;
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+
+  ret = krb5_create_checksum (context,
+			      crypto,
+			      KRB5_KU_USAGE_SIGN,
+			      0,
+			      p + 20,
+			      datalen + 8,
+			      &cksum);
+  krb5_crypto_destroy (context, crypto);
+  if (ret) {
+      free (output_message_buffer->value);
+      output_message_buffer->length = 0;
+      output_message_buffer->value = NULL;
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+
+  /* zero out SND_SEQ + SGN_CKSUM in case */
+  memset (p, 0, 28);
+
+  memcpy (p + 8, cksum.checksum.data, cksum.checksum.length);
+  free_Checksum (&cksum);
+
+  HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+  /* sequence number */
+  krb5_auth_con_getlocalseqnumber (context,
+			       ctx->auth_context,
+			       &seq_number);
+
+  seq[0] = (seq_number >> 0)  & 0xFF;
+  seq[1] = (seq_number >> 8)  & 0xFF;
+  seq[2] = (seq_number >> 16) & 0xFF;
+  seq[3] = (seq_number >> 24) & 0xFF;
+  memset (seq + 4,
+	  (ctx->more_flags & LOCAL) ? 0 : 0xFF,
+	  4);
+
+
+  ret = krb5_crypto_init(context, key, ETYPE_DES3_CBC_NONE,
+			 &crypto);
+  if (ret) {
+      free (output_message_buffer->value);
+      output_message_buffer->length = 0;
+      output_message_buffer->value = NULL;
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+
+  {
+      DES_cblock ivec;
+
+      memcpy (&ivec, p + 8, 8);
+      ret = krb5_encrypt_ivec (context,
+			       crypto,
+			       KRB5_KU_USAGE_SEQ,
+			       seq, 8, &encdata,
+			       &ivec);
+  }
+  krb5_crypto_destroy (context, crypto);
+  if (ret) {
+      free (output_message_buffer->value);
+      output_message_buffer->length = 0;
+      output_message_buffer->value = NULL;
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+  
+  assert (encdata.length == 8);
+
+  memcpy (p, encdata.data, encdata.length);
+  krb5_data_free (&encdata);
+
+  krb5_auth_con_setlocalseqnumber (context,
+			       ctx->auth_context,
+			       ++seq_number);
+  HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+
+  /* encrypt the data */
+  p += 28;
+
+  if(conf_req_flag) {
+      krb5_data tmp;
+
+      ret = krb5_crypto_init(context, key,
+			     ETYPE_DES3_CBC_NONE, &crypto);
+      if (ret) {
+	  free (output_message_buffer->value);
+	  output_message_buffer->length = 0;
+	  output_message_buffer->value = NULL;
+	  *minor_status = ret;
+	  return GSS_S_FAILURE;
+      }
+      ret = krb5_encrypt(context, crypto, KRB5_KU_USAGE_SEAL,
+			 p, datalen, &tmp);
+      krb5_crypto_destroy(context, crypto);
+      if (ret) {
+	  free (output_message_buffer->value);
+	  output_message_buffer->length = 0;
+	  output_message_buffer->value = NULL;
+	  *minor_status = ret;
+	  return GSS_S_FAILURE;
+      }
+      assert (tmp.length == datalen);
+
+      memcpy (p, tmp.data, datalen);
+      krb5_data_free(&tmp);
+  }
+  if(conf_state != NULL)
+      *conf_state = conf_req_flag;
+  *minor_status = 0;
+  return GSS_S_COMPLETE;
+}
+
+OM_uint32 _gsskrb5_wrap
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            int conf_req_flag,
+            gss_qop_t qop_req,
+            const gss_buffer_t input_message_buffer,
+            int * conf_state,
+            gss_buffer_t output_message_buffer
+           )
+{
+  krb5_context context;
+  krb5_keyblock *key;
+  OM_uint32 ret;
+  krb5_keytype keytype;
+  const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
+
+  GSSAPI_KRB5_INIT (&context);
+
+  HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+  ret = _gsskrb5i_get_token_key(ctx, context, &key);
+  HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+  if (ret) {
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+  krb5_enctype_to_keytype (context, key->keytype, &keytype);
+
+  switch (keytype) {
+  case KEYTYPE_DES :
+      ret = wrap_des (minor_status, ctx, context, conf_req_flag,
+		      qop_req, input_message_buffer, conf_state,
+		      output_message_buffer, key);
+      break;
+  case KEYTYPE_DES3 :
+      ret = wrap_des3 (minor_status, ctx, context, conf_req_flag,
+		       qop_req, input_message_buffer, conf_state,
+		       output_message_buffer, key);
+      break;
+  case KEYTYPE_ARCFOUR:
+  case KEYTYPE_ARCFOUR_56:
+      ret = _gssapi_wrap_arcfour (minor_status, ctx, context, conf_req_flag,
+				  qop_req, input_message_buffer, conf_state,
+				  output_message_buffer, key);
+      break;
+  default :
+      ret = _gssapi_wrap_cfx (minor_status, ctx, context, conf_req_flag,
+			      qop_req, input_message_buffer, conf_state,
+			      output_message_buffer, key);
+      break;
+  }
+  krb5_free_keyblock (context, key);
+  return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/ntlm/accept_sec_context.c b/crypto/heimdal/lib/gssapi/ntlm/accept_sec_context.c
new file mode 100644
index 0000000..79fc538
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/accept_sec_context.c
@@ -0,0 +1,257 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: accept_sec_context.c 22521 2008-01-24 11:53:18Z lha $");
+
+/*
+ *
+ */
+
+OM_uint32
+_gss_ntlm_allocate_ctx(OM_uint32 *minor_status, ntlm_ctx *ctx)
+{
+    OM_uint32 maj_stat;
+
+    *ctx = calloc(1, sizeof(**ctx));
+
+    (*ctx)->server = &ntlmsspi_kdc_digest;
+
+    maj_stat = (*(*ctx)->server->nsi_init)(minor_status, &(*ctx)->ictx);
+    if (maj_stat != GSS_S_COMPLETE)
+	return maj_stat;
+
+    return GSS_S_COMPLETE;
+}
+
+/*
+ *
+ */
+
+OM_uint32
+_gss_ntlm_accept_sec_context
+(OM_uint32 * minor_status,
+ gss_ctx_id_t * context_handle,
+ const gss_cred_id_t acceptor_cred_handle,
+ const gss_buffer_t input_token_buffer,
+ const gss_channel_bindings_t input_chan_bindings,
+ gss_name_t * src_name,
+ gss_OID * mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 * ret_flags,
+ OM_uint32 * time_rec,
+ gss_cred_id_t * delegated_cred_handle
+    )
+{
+    krb5_error_code ret;
+    struct ntlm_buf data;
+    ntlm_ctx ctx;
+
+    output_token->value = NULL;
+    output_token->length = 0;
+
+    *minor_status = 0;
+
+    if (context_handle == NULL)
+	return GSS_S_FAILURE;
+	
+    if (input_token_buffer == GSS_C_NO_BUFFER)
+	return GSS_S_FAILURE;
+
+    if (src_name)
+	*src_name = GSS_C_NO_NAME;
+    if (mech_type)
+	*mech_type = GSS_C_NO_OID;
+    if (ret_flags)
+	*ret_flags = 0;
+    if (time_rec)
+	*time_rec = 0;
+    if (delegated_cred_handle)
+	*delegated_cred_handle = GSS_C_NO_CREDENTIAL;
+
+    if (*context_handle == GSS_C_NO_CONTEXT) {
+	struct ntlm_type1 type1;
+	OM_uint32 major_status;
+	OM_uint32 retflags;
+	struct ntlm_buf out;
+
+	major_status = _gss_ntlm_allocate_ctx(minor_status, &ctx);
+	if (major_status)
+	    return major_status;
+	*context_handle = (gss_ctx_id_t)ctx;
+	
+	/* check if the mechs is allowed by remote service */
+	major_status = (*ctx->server->nsi_probe)(minor_status, ctx->ictx, NULL);
+	if (major_status) {
+	    _gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
+	    return major_status;
+	}
+
+	data.data = input_token_buffer->value;
+	data.length = input_token_buffer->length;
+	
+	ret = heim_ntlm_decode_type1(&data, &type1);
+	if (ret) {
+	    _gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+
+	if ((type1.flags & NTLM_NEG_UNICODE) == 0) {
+	    heim_ntlm_free_type1(&type1);
+	    _gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
+	    *minor_status = EINVAL;
+	    return GSS_S_FAILURE;
+	}
+
+	if (type1.flags & NTLM_NEG_SIGN)
+	    ctx->gssflags |= GSS_C_CONF_FLAG;
+	if (type1.flags & NTLM_NEG_SIGN)
+	    ctx->gssflags |= GSS_C_INTEG_FLAG;
+
+	major_status = (*ctx->server->nsi_type2)(minor_status,
+						 ctx->ictx,
+						 type1.flags,
+						 type1.hostname,
+						 type1.domain,
+						 &retflags,
+						 &out);
+	heim_ntlm_free_type1(&type1);
+	if (major_status != GSS_S_COMPLETE) {
+	    OM_uint32 junk;
+	    _gss_ntlm_delete_sec_context(&junk, context_handle, NULL);
+	    return major_status;
+	}
+
+	output_token->value = malloc(out.length);
+	if (output_token->value == NULL) {
+	    OM_uint32 junk;
+	    _gss_ntlm_delete_sec_context(&junk, context_handle, NULL);
+	    *minor_status = ENOMEM;
+	    return GSS_S_FAILURE;
+	}
+	memcpy(output_token->value, out.data, out.length);
+	output_token->length = out.length;
+
+	ctx->flags = retflags;
+
+	return GSS_S_CONTINUE_NEEDED;
+    } else {
+	OM_uint32 maj_stat;
+	struct ntlm_type3 type3;
+	struct ntlm_buf session;
+
+	ctx = (ntlm_ctx)*context_handle;
+
+	data.data = input_token_buffer->value;
+	data.length = input_token_buffer->length;
+
+	ret = heim_ntlm_decode_type3(&data, 1, &type3);
+	if (ret) {
+	    _gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+
+	maj_stat = (*ctx->server->nsi_type3)(minor_status,
+					     ctx->ictx,
+					     &type3,
+					     &session);
+	if (maj_stat) {
+	    heim_ntlm_free_type3(&type3);
+	    _gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
+	    return maj_stat;
+	}
+
+	if (src_name) {
+	    ntlm_name n = calloc(1, sizeof(*n));
+	    if (n) {
+		n->user = strdup(type3.username);
+		n->domain = strdup(type3.targetname);
+	    }
+	    if (n == NULL || n->user == NULL || n->domain == NULL) {
+		heim_ntlm_free_type3(&type3);
+		_gss_ntlm_delete_sec_context(minor_status, 
+					     context_handle, NULL);
+		return maj_stat;
+	    }
+	    *src_name = (gss_name_t)n;
+	}	    
+
+	heim_ntlm_free_type3(&type3);
+
+	ret = krb5_data_copy(&ctx->sessionkey, 
+			     session.data, session.length);
+	if (ret) {	
+	    _gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+	
+	if (session.length != 0) {
+
+	    ctx->status |= STATUS_SESSIONKEY; 
+
+	    if (ctx->flags & NTLM_NEG_NTLM2_SESSION) {
+		_gss_ntlm_set_key(&ctx->u.v2.send, 1,
+				  (ctx->flags & NTLM_NEG_KEYEX),
+				  ctx->sessionkey.data,
+				  ctx->sessionkey.length);
+		_gss_ntlm_set_key(&ctx->u.v2.recv, 0,
+				  (ctx->flags & NTLM_NEG_KEYEX),
+				  ctx->sessionkey.data,
+				  ctx->sessionkey.length);
+	    } else {
+		RC4_set_key(&ctx->u.v1.crypto_send.key, 
+			    ctx->sessionkey.length,
+			    ctx->sessionkey.data);
+		RC4_set_key(&ctx->u.v1.crypto_recv.key, 
+			    ctx->sessionkey.length,
+			    ctx->sessionkey.data);
+	    }
+	}
+
+	if (mech_type)
+	    *mech_type = GSS_NTLM_MECHANISM;
+	if (time_rec)
+	    *time_rec = GSS_C_INDEFINITE;
+
+	ctx->status |= STATUS_OPEN;
+
+	if (ret_flags)
+	    *ret_flags = ctx->gssflags;
+
+	return GSS_S_COMPLETE;
+    }
+}
diff --git a/crypto/heimdal/lib/gssapi/ntlm/acquire_cred.c b/crypto/heimdal/lib/gssapi/ntlm/acquire_cred.c
new file mode 100644
index 0000000..8e17d4f
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/acquire_cred.c
@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: acquire_cred.c 22380 2007-12-29 18:42:56Z lha $");
+
+OM_uint32 _gss_ntlm_acquire_cred
+           (OM_uint32 * min_stat,
+            const gss_name_t desired_name,
+            OM_uint32 time_req,
+            const gss_OID_set desired_mechs,
+            gss_cred_usage_t cred_usage,
+            gss_cred_id_t * output_cred_handle,
+            gss_OID_set * actual_mechs,
+            OM_uint32 * time_rec
+           )
+{
+    ntlm_name name = (ntlm_name) desired_name;
+    OM_uint32 maj_stat;
+    ntlm_ctx ctx;
+
+    *min_stat = 0;
+    if (output_cred_handle)
+	*output_cred_handle = GSS_C_NO_CREDENTIAL;
+    if (actual_mechs)
+	*actual_mechs = GSS_C_NO_OID_SET;
+    if (time_rec)
+	*time_rec = GSS_C_INDEFINITE;
+
+    if (desired_name == NULL)
+	return GSS_S_NO_CRED;
+
+    if (cred_usage == GSS_C_BOTH || cred_usage == GSS_C_ACCEPT) {
+
+	maj_stat = _gss_ntlm_allocate_ctx(min_stat, &ctx);
+	if (maj_stat != GSS_S_COMPLETE)
+	    return maj_stat;
+	
+	maj_stat = (*ctx->server->nsi_probe)(min_stat, ctx->ictx, 
+					     name->domain);
+
+	if (maj_stat)
+	    return maj_stat;
+
+	{
+	    gss_ctx_id_t context = (gss_ctx_id_t)ctx;
+	    _gss_ntlm_delete_sec_context(min_stat, &context, NULL);
+	    *min_stat = 0;
+	}
+    }	
+    if (cred_usage == GSS_C_BOTH || cred_usage == GSS_C_INITIATE) {
+	ntlm_cred cred;
+
+	*min_stat = _gss_ntlm_get_user_cred(name, &cred);
+	if (*min_stat)
+	    return GSS_S_FAILURE;
+	cred->usage = cred_usage;
+
+	*output_cred_handle = (gss_cred_id_t)cred;
+    }
+
+    return (GSS_S_COMPLETE);
+}
diff --git a/crypto/heimdal/lib/gssapi/ntlm/add_cred.c b/crypto/heimdal/lib/gssapi/ntlm/add_cred.c
new file mode 100644
index 0000000..11a2581
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/add_cred.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: add_cred.c 19334 2006-12-14 12:17:34Z lha $");
+
+OM_uint32 _gss_ntlm_add_cred (
+     OM_uint32           *minor_status,
+     const gss_cred_id_t input_cred_handle,
+     const gss_name_t    desired_name,
+     const gss_OID       desired_mech,
+     gss_cred_usage_t    cred_usage,
+     OM_uint32           initiator_time_req,
+     OM_uint32           acceptor_time_req,
+     gss_cred_id_t       *output_cred_handle,
+     gss_OID_set         *actual_mechs,
+     OM_uint32           *initiator_time_rec,
+     OM_uint32           *acceptor_time_rec)
+{
+    if (minor_status)
+	*minor_status = 0;
+    if (output_cred_handle)
+	*output_cred_handle = GSS_C_NO_CREDENTIAL;
+    if (actual_mechs)
+	*actual_mechs = GSS_C_NO_OID_SET;
+    if (initiator_time_rec)
+	*initiator_time_rec = 0;
+    if (acceptor_time_rec)
+	*acceptor_time_rec = 0;
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/ntlm/canonicalize_name.c b/crypto/heimdal/lib/gssapi/ntlm/canonicalize_name.c
new file mode 100644
index 0000000..8eaa870
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/canonicalize_name.c
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: canonicalize_name.c 19334 2006-12-14 12:17:34Z lha $");
+
+OM_uint32 _gss_ntlm_canonicalize_name (
+            OM_uint32 * minor_status,
+            const gss_name_t input_name,
+            const gss_OID mech_type,
+            gss_name_t * output_name
+           )
+{
+    return gss_duplicate_name (minor_status, input_name, output_name);
+}
diff --git a/crypto/heimdal/lib/gssapi/ntlm/compare_name.c b/crypto/heimdal/lib/gssapi/ntlm/compare_name.c
new file mode 100644
index 0000000..d2c2d8b
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/compare_name.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: compare_name.c 19334 2006-12-14 12:17:34Z lha $");
+
+OM_uint32 _gss_ntlm_compare_name
+           (OM_uint32 * minor_status,
+            const gss_name_t name1,
+            const gss_name_t name2,
+            int * name_equal
+           )
+{
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/ntlm/context_time.c b/crypto/heimdal/lib/gssapi/ntlm/context_time.c
new file mode 100644
index 0000000..a6895cb
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/context_time.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: context_time.c 19334 2006-12-14 12:17:34Z lha $");
+
+OM_uint32 _gss_ntlm_context_time
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            OM_uint32 * time_rec
+           )
+{
+    if (time_rec)
+	*time_rec = GSS_C_INDEFINITE;
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/ntlm/crypto.c b/crypto/heimdal/lib/gssapi/ntlm/crypto.c
new file mode 100644
index 0000000..b05246c
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/crypto.c
@@ -0,0 +1,595 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: crypto.c 19535 2006-12-28 14:49:01Z lha $");
+
+uint32_t
+_krb5_crc_update (const char *p, size_t len, uint32_t res);
+void
+_krb5_crc_init_table(void);
+
+/*
+ *
+ */
+
+static void
+encode_le_uint32(uint32_t n, unsigned char *p)
+{
+  p[0] = (n >> 0)  & 0xFF;
+  p[1] = (n >> 8)  & 0xFF;
+  p[2] = (n >> 16) & 0xFF;
+  p[3] = (n >> 24) & 0xFF;
+}
+
+
+static void
+decode_le_uint32(const void *ptr, uint32_t *n)
+{
+    const unsigned char *p = ptr;
+    *n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
+}
+
+/*
+ *
+ */
+
+const char a2i_signmagic[] =
+    "session key to server-to-client signing key magic constant";
+const char a2i_sealmagic[] =
+    "session key to server-to-client sealing key magic constant";
+const char i2a_signmagic[] =
+    "session key to client-to-server signing key magic constant";
+const char i2a_sealmagic[] =
+    "session key to client-to-server sealing key magic constant";
+
+
+void
+_gss_ntlm_set_key(struct ntlmv2_key *key, int acceptor, int sealsign,
+		  unsigned char *data, size_t len)
+{
+    unsigned char out[16];
+    MD5_CTX ctx;
+    const char *signmagic;
+    const char *sealmagic;
+
+    if (acceptor) {
+	signmagic = a2i_signmagic;
+	sealmagic = a2i_sealmagic;
+    } else {
+	signmagic = i2a_signmagic;
+	sealmagic = i2a_sealmagic;
+    }
+
+    key->seq = 0;
+
+    MD5_Init(&ctx);
+    MD5_Update(&ctx, data, len);
+    MD5_Update(&ctx, signmagic, strlen(signmagic) + 1);
+    MD5_Final(key->signkey, &ctx);
+
+    MD5_Init(&ctx);
+    MD5_Update(&ctx, data, len);
+    MD5_Update(&ctx, sealmagic, strlen(sealmagic) + 1);
+    MD5_Final(out, &ctx);
+
+    RC4_set_key(&key->sealkey, 16, out);
+    if (sealsign)
+	key->signsealkey = &key->sealkey;
+}
+
+/*
+ *
+ */
+
+static OM_uint32
+v1_sign_message(gss_buffer_t in,
+		RC4_KEY *signkey,
+		uint32_t seq,
+		unsigned char out[16])
+{
+    unsigned char sigature[12];
+    uint32_t crc;
+    
+    _krb5_crc_init_table();
+    crc = _krb5_crc_update(in->value, in->length, 0);
+    
+    encode_le_uint32(0, &sigature[0]);
+    encode_le_uint32(crc, &sigature[4]);
+    encode_le_uint32(seq, &sigature[8]);
+    
+    encode_le_uint32(1, out); /* version */
+    RC4(signkey, sizeof(sigature), sigature, out + 4);
+    
+    if (RAND_bytes(out + 4, 4) != 1)
+	return GSS_S_UNAVAILABLE;
+    
+    return 0;
+}
+
+
+static OM_uint32
+v2_sign_message(gss_buffer_t in,
+		unsigned char signkey[16],
+		RC4_KEY *sealkey,
+		uint32_t seq,
+		unsigned char out[16])
+{
+    unsigned char hmac[16];
+    unsigned int hmaclen;
+    HMAC_CTX c;
+
+    HMAC_CTX_init(&c);
+    HMAC_Init_ex(&c, signkey, 16, EVP_md5(), NULL);
+    
+    encode_le_uint32(seq, hmac);
+    HMAC_Update(&c, hmac, 4);
+    HMAC_Update(&c, in->value, in->length);
+    HMAC_Final(&c, hmac, &hmaclen);
+    HMAC_CTX_cleanup(&c);
+
+    encode_le_uint32(1, &out[0]);
+    if (sealkey)
+	RC4(sealkey, 8, hmac, &out[4]);
+    else
+	memcpy(&out[4], hmac, 8);
+
+    memset(&out[12], 0, 4);
+
+    return GSS_S_COMPLETE;
+}
+
+static OM_uint32
+v2_verify_message(gss_buffer_t in,
+		  unsigned char signkey[16],
+		  RC4_KEY *sealkey,
+		  uint32_t seq,
+		  const unsigned char checksum[16])
+{
+    OM_uint32 ret;
+    unsigned char out[16];
+
+    ret = v2_sign_message(in, signkey, sealkey, seq, out);
+    if (ret)
+	return ret;
+
+    if (memcmp(checksum, out, 16) != 0)
+	return GSS_S_BAD_MIC;
+
+    return GSS_S_COMPLETE;
+}    
+
+static OM_uint32
+v2_seal_message(const gss_buffer_t in,
+		unsigned char signkey[16],
+		uint32_t seq,
+		RC4_KEY *sealkey,
+		gss_buffer_t out)
+{
+    unsigned char *p;
+    OM_uint32 ret;
+
+    if (in->length + 16 < in->length)
+	return EINVAL;
+
+    p = malloc(in->length + 16);
+    if (p == NULL)
+	return ENOMEM;
+
+    RC4(sealkey, in->length, in->value, p);
+
+    ret = v2_sign_message(in, signkey, sealkey, seq, &p[in->length]);
+    if (ret) {
+	free(p);
+	return ret;
+    }
+
+    out->value = p;
+    out->length = in->length + 16;
+
+    return 0;
+}
+
+static OM_uint32
+v2_unseal_message(gss_buffer_t in,
+		  unsigned char signkey[16],
+		  uint32_t seq,
+		  RC4_KEY *sealkey,
+		  gss_buffer_t out)
+{
+    OM_uint32 ret;
+
+    if (in->length < 16)
+	return GSS_S_BAD_MIC;
+
+    out->length = in->length - 16;
+    out->value = malloc(out->length);
+    if (out->value == NULL)
+	return GSS_S_BAD_MIC;
+
+    RC4(sealkey, out->length, in->value, out->value);
+
+    ret = v2_verify_message(out, signkey, sealkey, seq,
+			    ((const unsigned char *)in->value) + out->length);
+    if (ret) {
+	OM_uint32 junk;
+	gss_release_buffer(&junk, out);
+    }
+    return ret;
+}
+
+/*
+ *
+ */
+
+#define CTX_FLAGS_ISSET(_ctx,_flags) \
+    (((_ctx)->flags & (_flags)) == (_flags))
+
+/*
+ *
+ */
+ 
+OM_uint32 _gss_ntlm_get_mic
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            gss_qop_t qop_req,
+            const gss_buffer_t message_buffer,
+            gss_buffer_t message_token
+           )
+{
+    ntlm_ctx ctx = (ntlm_ctx)context_handle;
+    OM_uint32 junk;
+
+    if (minor_status)
+	*minor_status = 0;
+    if (message_token) {
+	message_token->length = 0;
+	message_token->value = NULL;
+    }
+
+    message_token->value = malloc(16);
+    message_token->length = 16;
+    if (message_token->value == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SIGN|NTLM_NEG_NTLM2_SESSION)) {
+	OM_uint32 ret;
+
+	if ((ctx->status & STATUS_SESSIONKEY) == 0) {
+	    gss_release_buffer(&junk, message_token);
+	    return GSS_S_UNAVAILABLE;
+	}
+
+	ret = v2_sign_message(message_buffer,
+			      ctx->u.v2.send.signkey,
+			      ctx->u.v2.send.signsealkey,
+			      ctx->u.v2.send.seq++,
+			      message_token->value);
+	if (ret)
+	    gss_release_buffer(&junk, message_token);
+        return ret;
+
+    } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SIGN)) {
+	OM_uint32 ret;
+
+	if ((ctx->status & STATUS_SESSIONKEY) == 0) {
+	    gss_release_buffer(&junk, message_token);
+	    return GSS_S_UNAVAILABLE;
+	}
+
+	ret = v1_sign_message(message_buffer,
+			      &ctx->u.v1.crypto_send.key,
+			      ctx->u.v1.crypto_send.seq++,
+			      message_token->value);
+	if (ret)
+	    gss_release_buffer(&junk, message_token);
+        return ret;
+
+    } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_ALWAYS_SIGN)) {
+	unsigned char *sigature;
+
+	sigature = message_token->value;
+
+	encode_le_uint32(1, &sigature[0]); /* version */
+	encode_le_uint32(0, &sigature[4]);
+	encode_le_uint32(0, &sigature[8]);
+	encode_le_uint32(0, &sigature[12]);
+
+        return GSS_S_COMPLETE;
+    }
+    gss_release_buffer(&junk, message_token);
+
+    return GSS_S_UNAVAILABLE;
+}
+
+/*
+ *
+ */
+
+OM_uint32
+_gss_ntlm_verify_mic
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t message_buffer,
+            const gss_buffer_t token_buffer,
+            gss_qop_t * qop_state
+	    )
+{
+    ntlm_ctx ctx = (ntlm_ctx)context_handle;
+
+    if (qop_state != NULL)
+	*qop_state = GSS_C_QOP_DEFAULT;
+    *minor_status = 0;
+
+    if (token_buffer->length != 16)
+	return GSS_S_BAD_MIC;
+
+    if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SIGN|NTLM_NEG_NTLM2_SESSION)) {
+	OM_uint32 ret;
+
+	if ((ctx->status & STATUS_SESSIONKEY) == 0)
+	    return GSS_S_UNAVAILABLE;
+
+	ret = v2_verify_message(message_buffer,
+				ctx->u.v2.recv.signkey,
+				ctx->u.v2.recv.signsealkey,
+				ctx->u.v2.recv.seq++,
+				token_buffer->value);
+	if (ret)
+	    return ret;
+
+	return GSS_S_COMPLETE;
+    } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SIGN)) {
+
+	unsigned char sigature[12];
+	uint32_t crc, num;
+
+	if ((ctx->status & STATUS_SESSIONKEY) == 0)
+	    return GSS_S_UNAVAILABLE;
+
+	decode_le_uint32(token_buffer->value, &num);
+	if (num != 1)
+	    return GSS_S_BAD_MIC;
+
+	RC4(&ctx->u.v1.crypto_recv.key, sizeof(sigature),
+	    ((unsigned char *)token_buffer->value) + 4, sigature);
+
+	_krb5_crc_init_table();
+	crc = _krb5_crc_update(message_buffer->value, 
+			       message_buffer->length, 0);
+	/* skip first 4 bytes in the encrypted checksum */
+	decode_le_uint32(&sigature[4], &num);
+	if (num != crc)
+	    return GSS_S_BAD_MIC;
+	decode_le_uint32(&sigature[8], &num);
+	if (ctx->u.v1.crypto_recv.seq != num)
+	    return GSS_S_BAD_MIC;
+	ctx->u.v1.crypto_recv.seq++;
+
+        return GSS_S_COMPLETE;
+    } else if (ctx->flags & NTLM_NEG_ALWAYS_SIGN) {
+	uint32_t num;
+	unsigned char *p;
+
+	p = (unsigned char*)(token_buffer->value);
+
+	decode_le_uint32(&p[0], &num); /* version */
+	if (num != 1) return GSS_S_BAD_MIC;
+	decode_le_uint32(&p[4], &num);
+	if (num != 0) return GSS_S_BAD_MIC;
+	decode_le_uint32(&p[8], &num);
+	if (num != 0) return GSS_S_BAD_MIC;
+	decode_le_uint32(&p[12], &num);
+	if (num != 0) return GSS_S_BAD_MIC;
+
+        return GSS_S_COMPLETE;
+    }
+
+    return GSS_S_UNAVAILABLE;
+}
+
+/*
+ *
+ */
+
+OM_uint32
+_gss_ntlm_wrap_size_limit (
+            OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            int conf_req_flag,
+            gss_qop_t qop_req,
+            OM_uint32 req_output_size,
+            OM_uint32 * max_input_size
+           )
+{
+    ntlm_ctx ctx = (ntlm_ctx)context_handle;
+
+    *minor_status = 0;
+
+    if(ctx->flags & NTLM_NEG_SEAL) {
+
+	if (req_output_size < 16)
+	    *max_input_size = 0;
+	else
+	    *max_input_size = req_output_size - 16;
+
+	return GSS_S_COMPLETE;
+    }
+
+    return GSS_S_UNAVAILABLE;
+}
+
+/*
+ *
+ */
+
+OM_uint32 _gss_ntlm_wrap
+(OM_uint32 * minor_status,
+ const gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ const gss_buffer_t input_message_buffer,
+ int * conf_state,
+ gss_buffer_t output_message_buffer
+    )
+{
+    ntlm_ctx ctx = (ntlm_ctx)context_handle;
+    OM_uint32 ret;
+
+    if (minor_status)
+	*minor_status = 0;
+    if (conf_state)
+	*conf_state = 0;
+    if (output_message_buffer == GSS_C_NO_BUFFER)
+	return GSS_S_FAILURE;
+
+    
+    if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL|NTLM_NEG_NTLM2_SESSION)) {
+
+	return v2_seal_message(input_message_buffer,
+			       ctx->u.v2.send.signkey,
+			       ctx->u.v2.send.seq++,
+			       &ctx->u.v2.send.sealkey,
+			       output_message_buffer);
+
+    } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL)) {
+	gss_buffer_desc trailer;
+	OM_uint32 junk;
+
+	output_message_buffer->length = input_message_buffer->length + 16;
+	output_message_buffer->value = malloc(output_message_buffer->length);
+	if (output_message_buffer->value == NULL) {
+	    output_message_buffer->length = 0;
+	    return GSS_S_FAILURE;
+	}
+
+
+	RC4(&ctx->u.v1.crypto_send.key, input_message_buffer->length,
+	    input_message_buffer->value, output_message_buffer->value);
+	
+	ret = _gss_ntlm_get_mic(minor_status, context_handle,
+				0, input_message_buffer,
+				&trailer);
+	if (ret) {
+	    gss_release_buffer(&junk, output_message_buffer);
+	    return ret;
+	}
+	if (trailer.length != 16) {
+	    gss_release_buffer(&junk, output_message_buffer);
+	    gss_release_buffer(&junk, &trailer);
+	    return GSS_S_FAILURE;
+	}
+	memcpy(((unsigned char *)output_message_buffer->value) + 
+	       input_message_buffer->length,
+	       trailer.value, trailer.length);
+	gss_release_buffer(&junk, &trailer);
+
+	return GSS_S_COMPLETE;
+    }
+
+    return GSS_S_UNAVAILABLE;
+}
+
+/*
+ *
+ */
+
+OM_uint32 _gss_ntlm_unwrap
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t input_message_buffer,
+            gss_buffer_t output_message_buffer,
+            int * conf_state,
+            gss_qop_t * qop_state
+           )
+{
+    ntlm_ctx ctx = (ntlm_ctx)context_handle;
+    OM_uint32 ret;
+
+    if (minor_status)
+	*minor_status = 0;
+    if (output_message_buffer) {
+	output_message_buffer->value = NULL;
+	output_message_buffer->length = 0;
+    }
+    if (conf_state)
+	*conf_state = 0;
+    if (qop_state)
+	*qop_state = 0;
+
+    if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL|NTLM_NEG_NTLM2_SESSION)) {
+
+	return v2_unseal_message(input_message_buffer,
+				 ctx->u.v2.recv.signkey,
+				 ctx->u.v2.recv.seq++,
+				 &ctx->u.v2.recv.sealkey,
+				 output_message_buffer);
+
+    } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL)) {
+
+	gss_buffer_desc trailer;
+	OM_uint32 junk;
+
+	if (input_message_buffer->length < 16)
+	    return GSS_S_BAD_MIC;
+
+	output_message_buffer->length = input_message_buffer->length - 16;
+	output_message_buffer->value = malloc(output_message_buffer->length);
+	if (output_message_buffer->value == NULL) {
+	    output_message_buffer->length = 0;
+	    return GSS_S_FAILURE;
+	}
+	
+	RC4(&ctx->u.v1.crypto_recv.key, output_message_buffer->length,
+	    input_message_buffer->value, output_message_buffer->value);
+	
+	trailer.value = ((unsigned char *)input_message_buffer->value) +
+	    output_message_buffer->length;
+	trailer.length = 16;
+
+	ret = _gss_ntlm_verify_mic(minor_status, context_handle,
+				   output_message_buffer,
+				   &trailer, NULL);
+	if (ret) {
+	    gss_release_buffer(&junk, output_message_buffer);
+	    return ret;
+	}
+
+	return GSS_S_COMPLETE;
+    }
+
+    return GSS_S_UNAVAILABLE;
+}
diff --git a/crypto/heimdal/lib/gssapi/ntlm/delete_sec_context.c b/crypto/heimdal/lib/gssapi/ntlm/delete_sec_context.c
new file mode 100644
index 0000000..c51f227
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/delete_sec_context.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: delete_sec_context.c 22163 2007-12-04 21:25:06Z lha $");
+
+OM_uint32 _gss_ntlm_delete_sec_context
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t * context_handle,
+            gss_buffer_t output_token
+           )
+{
+    if (context_handle) {
+	ntlm_ctx ctx = (ntlm_ctx)*context_handle;
+	gss_cred_id_t cred = (gss_cred_id_t)ctx->client;
+
+	*context_handle = GSS_C_NO_CONTEXT;
+
+	if (ctx->server)
+	    (*ctx->server->nsi_destroy)(minor_status, ctx->ictx);
+
+	_gss_ntlm_release_cred(NULL, &cred);
+
+	memset(ctx, 0, sizeof(*ctx));
+	free(ctx);
+    }
+    if (output_token) {
+	output_token->length = 0;
+	output_token->value  = NULL;
+    }
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/ntlm/digest.c b/crypto/heimdal/lib/gssapi/ntlm/digest.c
new file mode 100644
index 0000000..fecf4a5
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/digest.c
@@ -0,0 +1,435 @@
+/*
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: digest.c 22169 2007-12-04 22:19:16Z lha $");
+
+/*
+ *
+ */
+
+struct ntlmkrb5 {
+    krb5_context context;
+    krb5_ntlm ntlm;
+    krb5_realm kerberos_realm;
+    krb5_ccache id;
+    krb5_data opaque;
+    int destroy;
+    OM_uint32 flags;
+    struct ntlm_buf key;
+    krb5_data sessionkey;
+};
+
+static OM_uint32 kdc_destroy(OM_uint32 *, void *);
+
+/*
+ * Get credential cache that the ntlm code can use to talk to the KDC
+ * using the digest API.
+ */
+
+static krb5_error_code
+get_ccache(krb5_context context, int *destroy, krb5_ccache *id)
+{
+    krb5_principal principal = NULL;
+    krb5_error_code ret;
+    krb5_keytab kt = NULL;
+
+    *id = NULL;
+    
+    if (!issuid()) {
+	const char *cache;
+
+	cache = getenv("NTLM_ACCEPTOR_CCACHE");
+	if (cache) {
+	    ret = krb5_cc_resolve(context, cache, id);
+	    if (ret)
+		goto out;
+	    return 0;
+	}
+    }
+
+    ret = krb5_sname_to_principal(context, NULL, "host", 
+				  KRB5_NT_SRV_HST, &principal);
+    if (ret)
+	goto out;
+    
+    ret = krb5_cc_cache_match(context, principal, NULL, id);
+    if (ret == 0)
+	return 0;
+    
+    /* did not find in default credcache, lets try default keytab */
+    ret = krb5_kt_default(context, &kt);
+    if (ret)
+	goto out;
+
+    /* XXX check in keytab */
+    {
+	krb5_get_init_creds_opt *opt;
+	krb5_creds cred;
+
+	memset(&cred, 0, sizeof(cred));
+
+	ret = krb5_cc_new_unique(context, "MEMORY", NULL, id);
+	if (ret)
+	    goto out;
+	*destroy = 1;
+	ret = krb5_get_init_creds_opt_alloc(context, &opt);
+	if (ret)
+	    goto out;
+	ret = krb5_get_init_creds_keytab (context,
+					  &cred,
+					  principal,
+					  kt,
+					  0,
+					  NULL,
+					  opt);
+	krb5_get_init_creds_opt_free(context, opt);
+	if (ret)
+	    goto out;
+	ret = krb5_cc_initialize (context, *id, cred.client);
+	if (ret) {
+	    krb5_free_cred_contents (context, &cred);
+	    goto out;
+	}
+	ret = krb5_cc_store_cred (context, *id, &cred);
+	krb5_free_cred_contents (context, &cred);
+	if (ret)
+	    goto out;
+    }
+
+    krb5_kt_close(context, kt);
+    
+    return 0;
+
+out:
+    if (*destroy)
+	krb5_cc_destroy(context, *id);
+    else
+	krb5_cc_close(context, *id);
+
+    *id = NULL;
+
+    if (kt)
+	krb5_kt_close(context, kt);
+
+    if (principal)
+	krb5_free_principal(context, principal);
+    return ret;
+}
+
+/*
+ *
+ */
+
+static OM_uint32
+kdc_alloc(OM_uint32 *minor, void **ctx)
+{
+    krb5_error_code ret;
+    struct ntlmkrb5 *c;
+    OM_uint32 junk;
+
+    c = calloc(1, sizeof(*c));
+    if (c == NULL) {
+	*minor = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    ret = krb5_init_context(&c->context);
+    if (ret) {
+	kdc_destroy(&junk, c);
+	*minor = ret;
+	return GSS_S_FAILURE;
+    }
+
+    ret = get_ccache(c->context, &c->destroy, &c->id);
+    if (ret) {
+	kdc_destroy(&junk, c);
+	*minor = ret;
+	return GSS_S_FAILURE;
+    }
+
+    ret = krb5_ntlm_alloc(c->context, &c->ntlm);
+    if (ret) {
+	kdc_destroy(&junk, c);
+	*minor = ret;
+	return GSS_S_FAILURE;
+    }
+
+    *ctx = c;
+
+    return GSS_S_COMPLETE;
+}
+
+static int
+kdc_probe(OM_uint32 *minor, void *ctx, const char *realm)
+{
+    struct ntlmkrb5 *c = ctx;
+    krb5_error_code ret;
+    unsigned flags;
+
+    ret = krb5_digest_probe(c->context, rk_UNCONST(realm), c->id, &flags);
+    if (ret)
+	return ret;
+    
+    if ((flags & (1|2|4)) == 0)
+	return EINVAL;
+
+    return 0;
+}
+
+/*
+ *
+ */
+
+static OM_uint32
+kdc_destroy(OM_uint32 *minor, void *ctx)
+{
+    struct ntlmkrb5 *c = ctx;
+    krb5_data_free(&c->opaque);
+    krb5_data_free(&c->sessionkey);
+    if (c->ntlm)
+	krb5_ntlm_free(c->context, c->ntlm);
+    if (c->id) {
+	if (c->destroy)
+	    krb5_cc_destroy(c->context, c->id);
+	else
+	    krb5_cc_close(c->context, c->id);
+    }
+    if (c->context)
+	krb5_free_context(c->context);
+    memset(c, 0, sizeof(*c));
+    free(c);
+
+    return GSS_S_COMPLETE;
+}
+
+/*
+ *
+ */
+
+static OM_uint32
+kdc_type2(OM_uint32 *minor_status,
+	  void *ctx,
+	  uint32_t flags,
+	  const char *hostname,
+	  const char *domain,
+	  uint32_t *ret_flags,
+	  struct ntlm_buf *out)
+{
+    struct ntlmkrb5 *c = ctx;
+    krb5_error_code ret;
+    struct ntlm_type2 type2;
+    krb5_data challange;
+    struct ntlm_buf data;
+    krb5_data ti;
+    
+    memset(&type2, 0, sizeof(type2));
+    
+    /*
+     * Request data for type 2 packet from the KDC.
+     */
+    ret = krb5_ntlm_init_request(c->context, 
+				 c->ntlm,
+				 NULL,
+				 c->id,
+				 flags,
+				 hostname,
+				 domain);
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    /*
+     *
+     */
+
+    ret = krb5_ntlm_init_get_opaque(c->context, c->ntlm, &c->opaque);
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    /*
+     *
+     */
+
+    ret = krb5_ntlm_init_get_flags(c->context, c->ntlm, &type2.flags);
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+    *ret_flags = type2.flags;
+
+    ret = krb5_ntlm_init_get_challange(c->context, c->ntlm, &challange);
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    if (challange.length != sizeof(type2.challange)) {
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+    memcpy(type2.challange, challange.data, sizeof(type2.challange));
+    krb5_data_free(&challange);
+
+    ret = krb5_ntlm_init_get_targetname(c->context, c->ntlm,
+					&type2.targetname);
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    ret = krb5_ntlm_init_get_targetinfo(c->context, c->ntlm, &ti);
+    if (ret) {
+	free(type2.targetname);
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    type2.targetinfo.data = ti.data;
+    type2.targetinfo.length = ti.length;
+	
+    ret = heim_ntlm_encode_type2(&type2, &data);
+    free(type2.targetname);
+    krb5_data_free(&ti);
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+	
+    out->data = data.data;
+    out->length = data.length;
+
+    return GSS_S_COMPLETE;
+}
+
+/*
+ *
+ */
+
+static OM_uint32
+kdc_type3(OM_uint32 *minor_status,
+	  void *ctx,
+	  const struct ntlm_type3 *type3,
+	  struct ntlm_buf *sessionkey)
+{
+    struct ntlmkrb5 *c = ctx;
+    krb5_error_code ret;
+
+    sessionkey->data = NULL;
+    sessionkey->length = 0;
+
+    ret = krb5_ntlm_req_set_flags(c->context, c->ntlm, type3->flags);
+    if (ret) goto out;
+    ret = krb5_ntlm_req_set_username(c->context, c->ntlm, type3->username);
+    if (ret) goto out;
+    ret = krb5_ntlm_req_set_targetname(c->context, c->ntlm, 
+				       type3->targetname);
+    if (ret) goto out;
+    ret = krb5_ntlm_req_set_lm(c->context, c->ntlm, 
+			       type3->lm.data, type3->lm.length);
+    if (ret) goto out;
+    ret = krb5_ntlm_req_set_ntlm(c->context, c->ntlm, 
+				 type3->ntlm.data, type3->ntlm.length);
+    if (ret) goto out;
+    ret = krb5_ntlm_req_set_opaque(c->context, c->ntlm, &c->opaque);
+    if (ret) goto out;
+
+    if (type3->sessionkey.length) {
+	ret = krb5_ntlm_req_set_session(c->context, c->ntlm,
+					type3->sessionkey.data,
+					type3->sessionkey.length);
+	if (ret) goto out;
+    }
+
+    /*
+     * Verify with the KDC the type3 packet is ok
+     */
+    ret = krb5_ntlm_request(c->context, 
+			    c->ntlm,
+			    NULL,
+			    c->id);
+    if (ret)
+	goto out;
+
+    if (krb5_ntlm_rep_get_status(c->context, c->ntlm) != TRUE) {
+	ret = EINVAL;
+	goto out;
+    }
+
+    if (type3->sessionkey.length) {
+	ret = krb5_ntlm_rep_get_sessionkey(c->context, 
+					   c->ntlm,
+					   &c->sessionkey);
+	if (ret)
+	    goto out;
+
+	sessionkey->data = c->sessionkey.data;
+	sessionkey->length = c->sessionkey.length;
+    }
+
+    return 0;
+
+ out:
+    *minor_status = ret;
+    return GSS_S_FAILURE;
+}
+
+/*
+ *
+ */
+
+static void
+kdc_free_buffer(struct ntlm_buf *sessionkey)
+{
+    if (sessionkey->data)
+	free(sessionkey->data);
+    sessionkey->data = NULL;
+    sessionkey->length = 0;
+}
+
+/*
+ *
+ */
+
+struct ntlm_server_interface ntlmsspi_kdc_digest = {
+    kdc_alloc,
+    kdc_destroy,
+    kdc_probe,
+    kdc_type2,
+    kdc_type3,
+    kdc_free_buffer
+};
diff --git a/crypto/heimdal/lib/gssapi/ntlm/display_name.c b/crypto/heimdal/lib/gssapi/ntlm/display_name.c
new file mode 100644
index 0000000..a04d96c
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/display_name.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: display_name.c 22373 2007-12-28 18:36:06Z lha $");
+
+OM_uint32 _gss_ntlm_display_name
+           (OM_uint32 * minor_status,
+            const gss_name_t input_name,
+            gss_buffer_t output_name_buffer,
+            gss_OID * output_name_type
+           )
+{
+    *minor_status = 0;
+
+    if (output_name_type)
+	*output_name_type = GSS_NTLM_MECHANISM;
+
+    if (output_name_buffer) {
+	ntlm_name n = (ntlm_name)input_name;
+	char *str;
+	int len;
+	
+	output_name_buffer->length = 0;
+	output_name_buffer->value = NULL;
+
+	if (n == NULL) {
+	    *minor_status = 0;
+	    return GSS_S_BAD_NAME;
+	}
+
+	len = asprintf(&str, "%s@%s", n->user, n->domain);
+	if (str == NULL) {
+	    *minor_status = ENOMEM;
+	    return GSS_S_FAILURE;
+	}
+	output_name_buffer->length = len;
+	output_name_buffer->value = str;
+    }
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/ntlm/display_status.c b/crypto/heimdal/lib/gssapi/ntlm/display_status.c
new file mode 100644
index 0000000..70be5eb
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/display_status.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 1998 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: display_status.c 19334 2006-12-14 12:17:34Z lha $");
+
+OM_uint32 _gss_ntlm_display_status
+           (OM_uint32		*minor_status,
+	    OM_uint32		 status_value,
+	    int			 status_type,
+	    const gss_OID	 mech_type,
+	    OM_uint32		*message_context,
+	    gss_buffer_t	 status_string)
+{
+    if (minor_status)
+	*minor_status = 0;
+    if (status_string) {
+	status_string->length = 0;
+	status_string->value = NULL;
+    }
+    if (message_context)
+	*message_context = 0;
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/ntlm/duplicate_name.c b/crypto/heimdal/lib/gssapi/ntlm/duplicate_name.c
new file mode 100644
index 0000000..2b2f7dd
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/duplicate_name.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: duplicate_name.c 19334 2006-12-14 12:17:34Z lha $");
+
+OM_uint32 _gss_ntlm_duplicate_name (
+            OM_uint32 * minor_status,
+            const gss_name_t src_name,
+            gss_name_t * dest_name
+           )
+{
+    if (minor_status)
+	*minor_status = 0;
+    if (dest_name)
+	*dest_name = NULL;
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/ntlm/export_name.c b/crypto/heimdal/lib/gssapi/ntlm/export_name.c
new file mode 100644
index 0000000..f0941b1
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/export_name.c
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 1997, 1999, 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: export_name.c 19334 2006-12-14 12:17:34Z lha $");
+
+OM_uint32 _gss_ntlm_export_name
+           (OM_uint32  * minor_status,
+            const gss_name_t input_name,
+            gss_buffer_t exported_name
+           )
+{
+    if (minor_status)
+	*minor_status = 0;
+    if (exported_name) {
+	exported_name->length = 0;
+	exported_name->value = NULL;
+    }
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/ntlm/export_sec_context.c b/crypto/heimdal/lib/gssapi/ntlm/export_sec_context.c
new file mode 100644
index 0000000..99a7be1
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/export_sec_context.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: export_sec_context.c 19334 2006-12-14 12:17:34Z lha $");
+
+OM_uint32
+_gss_ntlm_export_sec_context (
+    OM_uint32 * minor_status,
+    gss_ctx_id_t * context_handle,
+    gss_buffer_t interprocess_token
+    )
+{
+    if (minor_status)
+	*minor_status = 0;
+    if (interprocess_token) {
+	interprocess_token->length = 0;
+	interprocess_token->value = NULL;
+    }
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/ntlm/external.c b/crypto/heimdal/lib/gssapi/ntlm/external.c
new file mode 100644
index 0000000..8f86032
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/external.c
@@ -0,0 +1,82 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: external.c 19359 2006-12-15 20:01:48Z lha $");
+
+static gssapi_mech_interface_desc ntlm_mech = {
+    GMI_VERSION,
+    "ntlm",
+    {10, rk_UNCONST("\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a") },
+    _gss_ntlm_acquire_cred,
+    _gss_ntlm_release_cred,
+    _gss_ntlm_init_sec_context,
+    _gss_ntlm_accept_sec_context,
+    _gss_ntlm_process_context_token,
+    _gss_ntlm_delete_sec_context,
+    _gss_ntlm_context_time,
+    _gss_ntlm_get_mic,
+    _gss_ntlm_verify_mic,
+    _gss_ntlm_wrap,
+    _gss_ntlm_unwrap,
+    _gss_ntlm_display_status,
+    NULL,
+    _gss_ntlm_compare_name,
+    _gss_ntlm_display_name,
+    _gss_ntlm_import_name,
+    _gss_ntlm_export_name,
+    _gss_ntlm_release_name,
+    _gss_ntlm_inquire_cred,
+    _gss_ntlm_inquire_context,
+    _gss_ntlm_wrap_size_limit,
+    _gss_ntlm_add_cred,
+    _gss_ntlm_inquire_cred_by_mech,
+    _gss_ntlm_export_sec_context,
+    _gss_ntlm_import_sec_context,
+    _gss_ntlm_inquire_names_for_mech,
+    _gss_ntlm_inquire_mechs_for_name,
+    _gss_ntlm_canonicalize_name,
+    _gss_ntlm_duplicate_name
+};
+
+gssapi_mech_interface
+__gss_ntlm_initialize(void)
+{
+	return &ntlm_mech;
+}
+
+static gss_OID_desc _gss_ntlm_mechanism_desc = 
+{10, rk_UNCONST("\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a") };
+
+gss_OID GSS_NTLM_MECHANISM = &_gss_ntlm_mechanism_desc;
diff --git a/crypto/heimdal/lib/gssapi/ntlm/import_name.c b/crypto/heimdal/lib/gssapi/ntlm/import_name.c
new file mode 100644
index 0000000..91cba08
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/import_name.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: import_name.c 22373 2007-12-28 18:36:06Z lha $");
+
+OM_uint32 _gss_ntlm_import_name
+           (OM_uint32 * minor_status,
+            const gss_buffer_t input_name_buffer,
+            const gss_OID input_name_type,
+            gss_name_t * output_name
+           )
+{
+    char *name, *p, *p2;
+    ntlm_name n;
+
+    *minor_status = 0;
+
+    if (output_name)
+	*output_name = GSS_C_NO_NAME;
+
+    if (!gss_oid_equal(input_name_type, GSS_C_NT_HOSTBASED_SERVICE))
+	return GSS_S_BAD_NAMETYPE;
+
+    name = malloc(input_name_buffer->length + 1);
+    if (name == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+    memcpy(name, input_name_buffer->value, input_name_buffer->length);
+    name[input_name_buffer->length] = '\0';
+
+    /* find "domain" part of the name and uppercase it */
+    p = strchr(name, '@');
+    if (p == NULL)
+	return GSS_S_BAD_NAME;
+    p[0] = '\0';
+    p++;
+    p2 = strchr(p, '.');
+    if (p2 && p2[1] != '\0') {
+	p = p2 + 1;
+	p2 = strchr(p, '.');
+	if (p2)
+	    *p2 = '\0';
+    }
+    strupr(p);
+    
+    n = calloc(1, sizeof(*n));
+    if (name == NULL) {
+	free(name);
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    n->user = strdup(name);
+    n->domain = strdup(p);
+
+    free(name);
+
+    if (n->user == NULL || n->domain == NULL) {
+	free(n->user);
+	free(n->domain);
+	free(n);
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    *output_name = (gss_name_t)n;
+
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/ntlm/import_sec_context.c b/crypto/heimdal/lib/gssapi/ntlm/import_sec_context.c
new file mode 100644
index 0000000..cde0a01
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/import_sec_context.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: import_sec_context.c 19334 2006-12-14 12:17:34Z lha $");
+
+OM_uint32
+_gss_ntlm_import_sec_context (
+    OM_uint32 * minor_status,
+    const gss_buffer_t interprocess_token,
+    gss_ctx_id_t * context_handle
+    )
+{
+    if (minor_status)
+	*minor_status = 0;
+    if (context_handle)
+	*context_handle = GSS_C_NO_CONTEXT;
+    return GSS_S_FAILURE;
+}
diff --git a/crypto/heimdal/lib/gssapi/ntlm/indicate_mechs.c b/crypto/heimdal/lib/gssapi/ntlm/indicate_mechs.c
new file mode 100644
index 0000000..6417163
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/indicate_mechs.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: indicate_mechs.c 19334 2006-12-14 12:17:34Z lha $");
+
+OM_uint32 _gss_ntlm_indicate_mechs
+(OM_uint32 * minor_status,
+ gss_OID_set * mech_set
+    )
+{
+    if (minor_status)
+	*minor_status = 0;
+    if (mech_set)
+	*mech_set = GSS_C_NO_OID_SET;
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/ntlm/init_sec_context.c b/crypto/heimdal/lib/gssapi/ntlm/init_sec_context.c
new file mode 100644
index 0000000..140dbec
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/init_sec_context.c
@@ -0,0 +1,508 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: init_sec_context.c 22382 2007-12-30 12:13:17Z lha $");
+
+static int
+from_file(const char *fn, const char *target_domain, 
+	  char **username, struct ntlm_buf *key)
+{	  
+    char *str, buf[1024];
+    FILE *f;
+
+    f = fopen(fn, "r");
+    if (f == NULL)
+	return ENOENT;
+
+    while (fgets(buf, sizeof(buf), f) != NULL) {
+	char *d, *u, *p;
+	buf[strcspn(buf, "\r\n")] = '\0';
+	if (buf[0] == '#')
+	    continue;
+	str = NULL;
+	d = strtok_r(buf, ":", &str);
+	if (d && strcasecmp(target_domain, d) != 0)
+	    continue;
+	u = strtok_r(NULL, ":", &str);
+	p = strtok_r(NULL, ":", &str);
+	if (u == NULL || p == NULL)
+	    continue;
+
+	*username = strdup(u);
+
+	heim_ntlm_nt_key(p, key);
+
+	memset(buf, 0, sizeof(buf));
+	fclose(f);
+	return 0;
+    }
+    memset(buf, 0, sizeof(buf));
+    fclose(f);
+    return ENOENT;
+}
+
+static int
+get_user_file(const ntlm_name target_name, 
+	      char **username, struct ntlm_buf *key)
+{
+    const char *fn;
+
+    if (issuid())
+	return ENOENT;
+
+    fn = getenv("NTLM_USER_FILE");
+    if (fn == NULL)
+	return ENOENT;
+    if (from_file(fn, target_name->domain, username, key) == 0)
+	return 0;
+
+    return ENOENT;
+}
+
+/*
+ * Pick up the ntlm cred from the default krb5 credential cache.
+ */
+
+static int
+get_user_ccache(const ntlm_name name, char **username, struct ntlm_buf *key)
+{
+    krb5_principal client;
+    krb5_context context = NULL;
+    krb5_error_code ret;
+    krb5_ccache id = NULL;
+    krb5_creds mcreds, creds;
+
+    *username = NULL;
+    key->length = 0;
+    key->data = NULL;
+
+    memset(&creds, 0, sizeof(creds));
+    memset(&mcreds, 0, sizeof(mcreds));
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	return ret;
+
+    ret = krb5_cc_default(context, &id);
+    if (ret)
+	goto out;
+
+    ret = krb5_cc_get_principal(context, id, &client);
+    if (ret)
+	goto out;
+
+    ret = krb5_unparse_name_flags(context, client,
+				  KRB5_PRINCIPAL_UNPARSE_NO_REALM,
+				  username);
+    if (ret)
+	goto out;
+
+    ret = krb5_make_principal(context, &mcreds.server,
+			      krb5_principal_get_realm(context, client),
+			      "@ntlm-key", name->domain, NULL);
+    krb5_free_principal(context, client);
+    if (ret)
+	goto out;
+
+    mcreds.session.keytype = ENCTYPE_ARCFOUR_HMAC_MD5;
+    ret = krb5_cc_retrieve_cred(context, id, KRB5_TC_MATCH_KEYTYPE, 
+				&mcreds, &creds);
+    if (ret) {
+	char *s = krb5_get_error_message(context, ret);
+	krb5_free_error_string(context, s);
+	goto out;
+    }
+
+    key->data = malloc(creds.session.keyvalue.length);
+    if (key->data == NULL)
+	goto out;
+    key->length = creds.session.keyvalue.length;
+    memcpy(key->data, creds.session.keyvalue.data, key->length);
+
+    krb5_free_cred_contents(context, &creds);
+
+    return 0;
+
+out:
+    if (*username) {
+	free(*username);
+	*username = NULL;
+    }
+    krb5_free_cred_contents(context, &creds);
+    if (mcreds.server)
+	krb5_free_principal(context, mcreds.server);
+    if (id)
+	krb5_cc_close(context, id);
+    if (context)
+	krb5_free_context(context);
+
+    return ret;
+}
+
+int
+_gss_ntlm_get_user_cred(const ntlm_name target_name,
+			ntlm_cred *rcred)
+{
+    ntlm_cred cred;
+    int ret;
+ 
+    cred = calloc(1, sizeof(*cred));
+    if (cred == NULL)
+	return ENOMEM;
+    
+    ret = get_user_file(target_name, &cred->username, &cred->key);
+    if (ret)
+	ret = get_user_ccache(target_name, &cred->username, &cred->key);
+    if (ret) {
+	free(cred);
+	return ret;
+    }
+    
+    cred->domain = strdup(target_name->domain);
+    *rcred = cred;
+
+    return ret;
+}
+
+static int
+_gss_copy_cred(ntlm_cred from, ntlm_cred *to)
+{
+    *to = calloc(1, sizeof(*to));
+    if (*to == NULL)
+	return ENOMEM;
+    (*to)->username = strdup(from->username);
+    if ((*to)->username == NULL) {
+	free(*to);
+	return ENOMEM;
+    }
+    (*to)->domain = strdup(from->domain);
+    if ((*to)->domain == NULL) {
+	free((*to)->username);
+	free(*to);
+	return ENOMEM;
+    }
+    (*to)->key.data = malloc(from->key.length);
+    if ((*to)->key.data == NULL) {
+	free((*to)->domain);
+	free((*to)->username);
+	free(*to);
+	return ENOMEM;
+    }
+    memcpy((*to)->key.data, from->key.data, from->key.length);
+    (*to)->key.length = from->key.length;
+
+    return 0;
+}
+
+OM_uint32
+_gss_ntlm_init_sec_context
+           (OM_uint32 * minor_status,
+            const gss_cred_id_t initiator_cred_handle,
+            gss_ctx_id_t * context_handle,
+            const gss_name_t target_name,
+            const gss_OID mech_type,
+            OM_uint32 req_flags,
+            OM_uint32 time_req,
+            const gss_channel_bindings_t input_chan_bindings,
+            const gss_buffer_t input_token,
+            gss_OID * actual_mech_type,
+            gss_buffer_t output_token,
+            OM_uint32 * ret_flags,
+            OM_uint32 * time_rec
+	   )
+{
+    ntlm_ctx ctx;
+    ntlm_name name = (ntlm_name)target_name;
+
+    *minor_status = 0;
+
+    if (ret_flags)
+	*ret_flags = 0;
+    if (time_rec)
+	*time_rec = 0;
+    if (actual_mech_type)
+	*actual_mech_type = GSS_C_NO_OID;
+
+    if (*context_handle == GSS_C_NO_CONTEXT) {
+	struct ntlm_type1 type1;
+	struct ntlm_buf data;
+	uint32_t flags = 0;
+	int ret;
+	
+	ctx = calloc(1, sizeof(*ctx));
+	if (ctx == NULL) {
+	    *minor_status = EINVAL;
+	    return GSS_S_FAILURE;
+	}
+	*context_handle = (gss_ctx_id_t)ctx;
+
+	if (initiator_cred_handle != GSS_C_NO_CREDENTIAL) {
+	    ntlm_cred cred = (ntlm_cred)initiator_cred_handle;
+	    ret = _gss_copy_cred(cred, &ctx->client);
+	} else
+	    ret = _gss_ntlm_get_user_cred(name, &ctx->client);
+
+	if (ret) {
+	    _gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+
+	if (req_flags & GSS_C_CONF_FLAG)
+	    flags |= NTLM_NEG_SEAL;
+	if (req_flags & GSS_C_INTEG_FLAG)
+	    flags |= NTLM_NEG_SIGN;
+	else
+	    flags |= NTLM_NEG_ALWAYS_SIGN;
+
+	flags |= NTLM_NEG_UNICODE;
+	flags |= NTLM_NEG_NTLM;
+	flags |= NTLM_NEG_NTLM2_SESSION;
+	flags |= NTLM_NEG_KEYEX;
+
+	memset(&type1, 0, sizeof(type1));
+	
+	type1.flags = flags;
+	type1.domain = name->domain;
+	type1.hostname = NULL;
+	type1.os[0] = 0;
+	type1.os[1] = 0;
+	
+	ret = heim_ntlm_encode_type1(&type1, &data);
+	if (ret) {
+	    _gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+	
+	output_token->value = data.data;
+	output_token->length = data.length;
+	
+	return GSS_S_CONTINUE_NEEDED;
+    } else {
+	krb5_error_code ret;
+	struct ntlm_type2 type2;
+	struct ntlm_type3 type3;
+	struct ntlm_buf data;
+
+	ctx = (ntlm_ctx)*context_handle;
+
+	data.data = input_token->value;
+	data.length = input_token->length;
+
+	ret = heim_ntlm_decode_type2(&data, &type2);
+	if (ret) {
+	    _gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+
+	ctx->flags = type2.flags;
+
+	/* XXX check that type2.targetinfo matches `target_name´ */
+	/* XXX check verify targetinfo buffer */
+
+	memset(&type3, 0, sizeof(type3));
+
+	type3.username = ctx->client->username;
+	type3.flags = type2.flags;
+	type3.targetname = type2.targetname;
+	type3.ws = rk_UNCONST("workstation");
+
+	/*
+	 * NTLM Version 1 if no targetinfo buffer.
+	 */
+
+	if (1 || type2.targetinfo.length == 0) {
+	    struct ntlm_buf sessionkey;
+
+	    if (type2.flags & NTLM_NEG_NTLM2_SESSION) {
+		unsigned char nonce[8];
+
+		if (RAND_bytes(nonce, sizeof(nonce)) != 1) {
+		    _gss_ntlm_delete_sec_context(minor_status, 
+						 context_handle, NULL);
+		    *minor_status = EINVAL;
+		    return GSS_S_FAILURE;
+		}
+
+		ret = heim_ntlm_calculate_ntlm2_sess(nonce,
+						     type2.challange,
+						     ctx->client->key.data,
+						     &type3.lm,
+						     &type3.ntlm);
+	    } else {
+		ret = heim_ntlm_calculate_ntlm1(ctx->client->key.data, 
+						ctx->client->key.length,
+						type2.challange,
+						&type3.ntlm);
+
+	    }
+	    if (ret) {
+		_gss_ntlm_delete_sec_context(minor_status,context_handle,NULL);
+		*minor_status = ret;
+		return GSS_S_FAILURE;
+	    }
+
+	    ret = heim_ntlm_build_ntlm1_master(ctx->client->key.data, 
+					       ctx->client->key.length,
+					       &sessionkey,
+					       &type3.sessionkey);
+	    if (ret) {
+		if (type3.lm.data)
+		    free(type3.lm.data);
+		if (type3.ntlm.data)
+		    free(type3.ntlm.data);
+		_gss_ntlm_delete_sec_context(minor_status,context_handle,NULL);
+		*minor_status = ret;
+		return GSS_S_FAILURE;
+	    }
+
+	    ret = krb5_data_copy(&ctx->sessionkey, 
+				 sessionkey.data, sessionkey.length);
+	    free(sessionkey.data);
+	    if (ret) {
+		if (type3.lm.data)
+		    free(type3.lm.data);
+		if (type3.ntlm.data)
+		    free(type3.ntlm.data);
+		_gss_ntlm_delete_sec_context(minor_status,context_handle,NULL);
+		*minor_status = ret;
+		return GSS_S_FAILURE;
+	    }
+	    ctx->status |= STATUS_SESSIONKEY; 
+
+	} else {
+	    struct ntlm_buf sessionkey;
+	    unsigned char ntlmv2[16];
+	    struct ntlm_targetinfo ti;
+
+	    /* verify infotarget */
+	    
+	    ret = heim_ntlm_decode_targetinfo(&type2.targetinfo, 1, &ti);
+	    if(ret) {
+		_gss_ntlm_delete_sec_context(minor_status, 
+					     context_handle, NULL);
+		*minor_status = ret;
+		return GSS_S_FAILURE;
+	    }
+
+	    if (ti.domainname && strcmp(ti.domainname, name->domain) != 0) {
+		_gss_ntlm_delete_sec_context(minor_status, 
+					     context_handle, NULL);
+		*minor_status = EINVAL;
+		return GSS_S_FAILURE;
+	    }
+
+	    ret = heim_ntlm_calculate_ntlm2(ctx->client->key.data,
+					    ctx->client->key.length,
+					    ctx->client->username,
+					    name->domain,
+					    type2.challange,
+					    &type2.targetinfo,
+					    ntlmv2,
+					    &type3.ntlm);
+	    if (ret) {
+		_gss_ntlm_delete_sec_context(minor_status, 
+					     context_handle, NULL);
+		*minor_status = ret;
+		return GSS_S_FAILURE;
+	    }
+
+	    ret = heim_ntlm_build_ntlm1_master(ntlmv2, sizeof(ntlmv2),
+					       &sessionkey,
+					       &type3.sessionkey);
+	    memset(ntlmv2, 0, sizeof(ntlmv2));
+	    if (ret) {
+		_gss_ntlm_delete_sec_context(minor_status, 
+					     context_handle, NULL);
+		*minor_status = ret;
+		return GSS_S_FAILURE;
+	    }
+	    
+	    ctx->flags |= NTLM_NEG_NTLM2_SESSION;
+
+	    ret = krb5_data_copy(&ctx->sessionkey, 
+				 sessionkey.data, sessionkey.length);
+	    free(sessionkey.data);
+	}
+
+	if (ctx->flags & NTLM_NEG_NTLM2_SESSION) {
+	    ctx->status |= STATUS_SESSIONKEY; 
+	    _gss_ntlm_set_key(&ctx->u.v2.send, 0, (ctx->flags & NTLM_NEG_KEYEX),
+			      ctx->sessionkey.data,
+			      ctx->sessionkey.length);
+	    _gss_ntlm_set_key(&ctx->u.v2.recv, 1, (ctx->flags & NTLM_NEG_KEYEX),
+			      ctx->sessionkey.data,
+			      ctx->sessionkey.length);
+	} else {
+	    ctx->status |= STATUS_SESSIONKEY; 
+	    RC4_set_key(&ctx->u.v1.crypto_recv.key, 
+			ctx->sessionkey.length,
+			ctx->sessionkey.data);
+	    RC4_set_key(&ctx->u.v1.crypto_send.key, 
+			ctx->sessionkey.length,
+			ctx->sessionkey.data);
+	}
+	
+
+
+	ret = heim_ntlm_encode_type3(&type3, &data);
+	free(type3.sessionkey.data);
+	if (type3.lm.data)
+	    free(type3.lm.data);
+	if (type3.ntlm.data)
+	    free(type3.ntlm.data);
+	if (ret) {
+	    _gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+
+	output_token->length = data.length;
+	output_token->value = data.data;
+
+	if (actual_mech_type)
+	    *actual_mech_type = GSS_NTLM_MECHANISM;
+	if (ret_flags)
+	    *ret_flags = 0;
+	if (time_rec)
+	    *time_rec = GSS_C_INDEFINITE;
+
+	ctx->status |= STATUS_OPEN;
+
+	return GSS_S_COMPLETE;
+    }
+}
diff --git a/crypto/heimdal/lib/gssapi/ntlm/inquire_context.c b/crypto/heimdal/lib/gssapi/ntlm/inquire_context.c
new file mode 100644
index 0000000..fe6b322
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/inquire_context.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: inquire_context.c 21079 2007-06-13 00:25:25Z lha $");
+
+OM_uint32 _gss_ntlm_inquire_context (
+            OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            gss_name_t * src_name,
+            gss_name_t * targ_name,
+            OM_uint32 * lifetime_rec,
+            gss_OID * mech_type,
+            OM_uint32 * ctx_flags,
+            int * locally_initiated,
+            int * open_context
+           )
+{
+    ntlm_ctx ctx = (ntlm_ctx)context_handle;
+
+    *minor_status = 0;
+    if (src_name)
+	*src_name = GSS_C_NO_NAME;
+    if (targ_name)
+	*targ_name = GSS_C_NO_NAME;
+    if (lifetime_rec)
+	*lifetime_rec = GSS_C_INDEFINITE;
+    if (mech_type)
+	*mech_type = GSS_NTLM_MECHANISM;
+    if (ctx_flags)
+	*ctx_flags = ctx->gssflags;
+    if (locally_initiated)
+	*locally_initiated = (ctx->status & STATUS_CLIENT) ? 1 : 0;
+    if (open_context)
+	*open_context = (ctx->status & STATUS_OPEN) ? 1 : 0;
+
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/ntlm/inquire_cred.c b/crypto/heimdal/lib/gssapi/ntlm/inquire_cred.c
new file mode 100644
index 0000000..1d49b50
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/inquire_cred.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: inquire_cred.c 22148 2007-12-04 17:59:29Z lha $");
+
+OM_uint32 _gss_ntlm_inquire_cred
+           (OM_uint32 * minor_status,
+            const gss_cred_id_t cred_handle,
+            gss_name_t * name,
+            OM_uint32 * lifetime,
+            gss_cred_usage_t * cred_usage,
+            gss_OID_set * mechanisms
+           )
+{
+    OM_uint32 ret, junk;
+
+    if (minor_status)
+	*minor_status = 0;
+    if (name)
+	*name = GSS_C_NO_NAME;
+    if (lifetime)
+	*lifetime = GSS_C_INDEFINITE;
+    if (cred_usage)
+	*cred_usage = 0;
+    if (mechanisms)
+	*mechanisms = GSS_C_NO_OID_SET;
+
+    if (cred_handle == GSS_C_NO_CREDENTIAL)
+	return GSS_S_NO_CRED;
+
+    if (mechanisms) {
+        ret = gss_create_empty_oid_set(minor_status, mechanisms);
+        if (ret)
+	    goto out;
+	ret = gss_add_oid_set_member(minor_status,
+				     GSS_NTLM_MECHANISM,
+				     mechanisms);
+        if (ret)
+	    goto out;
+    }
+
+    return GSS_S_COMPLETE;
+out:
+    gss_release_oid_set(&junk, mechanisms);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/ntlm/inquire_cred_by_mech.c b/crypto/heimdal/lib/gssapi/ntlm/inquire_cred_by_mech.c
new file mode 100644
index 0000000..572c6fe
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/inquire_cred_by_mech.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: inquire_cred_by_mech.c 19334 2006-12-14 12:17:34Z lha $");
+
+OM_uint32 _gss_ntlm_inquire_cred_by_mech (
+            OM_uint32 * minor_status,
+            const gss_cred_id_t cred_handle,
+            const gss_OID mech_type,
+            gss_name_t * name,
+            OM_uint32 * initiator_lifetime,
+            OM_uint32 * acceptor_lifetime,
+            gss_cred_usage_t * cred_usage
+    )
+{
+    if (minor_status)
+	*minor_status = 0;
+    if (name)
+	*name = GSS_C_NO_NAME;
+    if (initiator_lifetime)
+	*initiator_lifetime = 0;
+    if (acceptor_lifetime)
+	*acceptor_lifetime = 0;
+    if (cred_usage)
+	*cred_usage = 0;
+    return GSS_S_UNAVAILABLE;
+}
diff --git a/crypto/heimdal/lib/gssapi/ntlm/inquire_mechs_for_name.c b/crypto/heimdal/lib/gssapi/ntlm/inquire_mechs_for_name.c
new file mode 100644
index 0000000..8bee483
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/inquire_mechs_for_name.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: inquire_mechs_for_name.c 19334 2006-12-14 12:17:34Z lha $");
+
+OM_uint32 _gss_ntlm_inquire_mechs_for_name (
+            OM_uint32 * minor_status,
+            const gss_name_t input_name,
+            gss_OID_set * mech_types
+           )
+{
+    if (minor_status)
+	*minor_status = 0;
+    if (mech_types)
+	*mech_types = GSS_C_NO_OID_SET;
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/ntlm/inquire_names_for_mech.c b/crypto/heimdal/lib/gssapi/ntlm/inquire_names_for_mech.c
new file mode 100644
index 0000000..ebf624d
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/inquire_names_for_mech.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: inquire_names_for_mech.c 19334 2006-12-14 12:17:34Z lha $");
+
+
+OM_uint32 _gss_ntlm_inquire_names_for_mech (
+            OM_uint32 * minor_status,
+            const gss_OID mechanism,
+            gss_OID_set * name_types
+           )
+{
+    OM_uint32 ret;
+
+    ret = gss_create_empty_oid_set(minor_status, name_types);
+    if (ret != GSS_S_COMPLETE)
+	return ret;
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/ntlm/ntlm-private.h b/crypto/heimdal/lib/gssapi/ntlm/ntlm-private.h
new file mode 100644
index 0000000..cc6c400
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/ntlm-private.h
@@ -0,0 +1,264 @@
+/* This is a generated file */
+#ifndef __ntlm_private_h__
+#define __ntlm_private_h__
+
+#include <stdarg.h>
+
+gssapi_mech_interface
+__gss_ntlm_initialize (void);
+
+OM_uint32
+_gss_ntlm_accept_sec_context (
+	OM_uint32 * /*minor_status*/,
+	gss_ctx_id_t * /*context_handle*/,
+	const gss_cred_id_t /*acceptor_cred_handle*/,
+	const gss_buffer_t /*input_token_buffer*/,
+	const gss_channel_bindings_t /*input_chan_bindings*/,
+	gss_name_t * /*src_name*/,
+	gss_OID * /*mech_type*/,
+	gss_buffer_t /*output_token*/,
+	OM_uint32 * /*ret_flags*/,
+	OM_uint32 * /*time_rec*/,
+	gss_cred_id_t * delegated_cred_handle );
+
+OM_uint32
+_gss_ntlm_acquire_cred (
+	OM_uint32 * /*min_stat*/,
+	const gss_name_t /*desired_name*/,
+	OM_uint32 /*time_req*/,
+	const gss_OID_set /*desired_mechs*/,
+	gss_cred_usage_t /*cred_usage*/,
+	gss_cred_id_t * /*output_cred_handle*/,
+	gss_OID_set * /*actual_mechs*/,
+	OM_uint32 * time_rec );
+
+OM_uint32
+_gss_ntlm_add_cred (
+	 OM_uint32 */*minor_status*/,
+	const gss_cred_id_t /*input_cred_handle*/,
+	const gss_name_t /*desired_name*/,
+	const gss_OID /*desired_mech*/,
+	gss_cred_usage_t /*cred_usage*/,
+	OM_uint32 /*initiator_time_req*/,
+	OM_uint32 /*acceptor_time_req*/,
+	gss_cred_id_t */*output_cred_handle*/,
+	gss_OID_set */*actual_mechs*/,
+	OM_uint32 */*initiator_time_rec*/,
+	OM_uint32 */*acceptor_time_rec*/);
+
+OM_uint32
+_gss_ntlm_allocate_ctx (
+	OM_uint32 */*minor_status*/,
+	ntlm_ctx */*ctx*/);
+
+OM_uint32
+_gss_ntlm_canonicalize_name (
+	 OM_uint32 * /*minor_status*/,
+	const gss_name_t /*input_name*/,
+	const gss_OID /*mech_type*/,
+	gss_name_t * output_name );
+
+OM_uint32
+_gss_ntlm_compare_name (
+	OM_uint32 * /*minor_status*/,
+	const gss_name_t /*name1*/,
+	const gss_name_t /*name2*/,
+	int * name_equal );
+
+OM_uint32
+_gss_ntlm_context_time (
+	OM_uint32 * /*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	OM_uint32 * time_rec );
+
+OM_uint32
+_gss_ntlm_delete_sec_context (
+	OM_uint32 * /*minor_status*/,
+	gss_ctx_id_t * /*context_handle*/,
+	gss_buffer_t output_token );
+
+OM_uint32
+_gss_ntlm_display_name (
+	OM_uint32 * /*minor_status*/,
+	const gss_name_t /*input_name*/,
+	gss_buffer_t /*output_name_buffer*/,
+	gss_OID * output_name_type );
+
+OM_uint32
+_gss_ntlm_display_status (
+	OM_uint32 */*minor_status*/,
+	OM_uint32 /*status_value*/,
+	int /*status_type*/,
+	const gss_OID /*mech_type*/,
+	OM_uint32 */*message_context*/,
+	gss_buffer_t /*status_string*/);
+
+OM_uint32
+_gss_ntlm_duplicate_name (
+	 OM_uint32 * /*minor_status*/,
+	const gss_name_t /*src_name*/,
+	gss_name_t * dest_name );
+
+OM_uint32
+_gss_ntlm_export_name (
+	OM_uint32 * /*minor_status*/,
+	const gss_name_t /*input_name*/,
+	gss_buffer_t exported_name );
+
+OM_uint32
+_gss_ntlm_export_sec_context (
+	 OM_uint32 * /*minor_status*/,
+	gss_ctx_id_t * /*context_handle*/,
+	gss_buffer_t interprocess_token );
+
+OM_uint32
+_gss_ntlm_get_mic (
+	OM_uint32 * /*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	gss_qop_t /*qop_req*/,
+	const gss_buffer_t /*message_buffer*/,
+	gss_buffer_t message_token );
+
+int
+_gss_ntlm_get_user_cred (
+	const ntlm_name /*target_name*/,
+	ntlm_cred */*rcred*/);
+
+OM_uint32
+_gss_ntlm_import_name (
+	OM_uint32 * /*minor_status*/,
+	const gss_buffer_t /*input_name_buffer*/,
+	const gss_OID /*input_name_type*/,
+	gss_name_t * output_name );
+
+OM_uint32
+_gss_ntlm_import_sec_context (
+	 OM_uint32 * /*minor_status*/,
+	const gss_buffer_t /*interprocess_token*/,
+	gss_ctx_id_t * context_handle );
+
+OM_uint32
+_gss_ntlm_indicate_mechs (
+	OM_uint32 * /*minor_status*/,
+	gss_OID_set * mech_set );
+
+OM_uint32
+_gss_ntlm_init_sec_context (
+	OM_uint32 * /*minor_status*/,
+	const gss_cred_id_t /*initiator_cred_handle*/,
+	gss_ctx_id_t * /*context_handle*/,
+	const gss_name_t /*target_name*/,
+	const gss_OID /*mech_type*/,
+	OM_uint32 /*req_flags*/,
+	OM_uint32 /*time_req*/,
+	const gss_channel_bindings_t /*input_chan_bindings*/,
+	const gss_buffer_t /*input_token*/,
+	gss_OID * /*actual_mech_type*/,
+	gss_buffer_t /*output_token*/,
+	OM_uint32 * /*ret_flags*/,
+	OM_uint32 * time_rec );
+
+OM_uint32
+_gss_ntlm_inquire_context (
+	 OM_uint32 * /*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	gss_name_t * /*src_name*/,
+	gss_name_t * /*targ_name*/,
+	OM_uint32 * /*lifetime_rec*/,
+	gss_OID * /*mech_type*/,
+	OM_uint32 * /*ctx_flags*/,
+	int * /*locally_initiated*/,
+	int * open_context );
+
+OM_uint32
+_gss_ntlm_inquire_cred (
+	OM_uint32 * /*minor_status*/,
+	const gss_cred_id_t /*cred_handle*/,
+	gss_name_t * /*name*/,
+	OM_uint32 * /*lifetime*/,
+	gss_cred_usage_t * /*cred_usage*/,
+	gss_OID_set * mechanisms );
+
+OM_uint32
+_gss_ntlm_inquire_cred_by_mech (
+	 OM_uint32 * /*minor_status*/,
+	const gss_cred_id_t /*cred_handle*/,
+	const gss_OID /*mech_type*/,
+	gss_name_t * /*name*/,
+	OM_uint32 * /*initiator_lifetime*/,
+	OM_uint32 * /*acceptor_lifetime*/,
+	gss_cred_usage_t * cred_usage );
+
+OM_uint32
+_gss_ntlm_inquire_mechs_for_name (
+	 OM_uint32 * /*minor_status*/,
+	const gss_name_t /*input_name*/,
+	gss_OID_set * mech_types );
+
+OM_uint32
+_gss_ntlm_inquire_names_for_mech (
+	 OM_uint32 * /*minor_status*/,
+	const gss_OID /*mechanism*/,
+	gss_OID_set * name_types );
+
+OM_uint32
+_gss_ntlm_process_context_token (
+	 OM_uint32 */*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	const gss_buffer_t token_buffer );
+
+OM_uint32
+_gss_ntlm_release_cred (
+	OM_uint32 * /*minor_status*/,
+	gss_cred_id_t * cred_handle );
+
+OM_uint32
+_gss_ntlm_release_name (
+	OM_uint32 * /*minor_status*/,
+	gss_name_t * input_name );
+
+void
+_gss_ntlm_set_key (
+	struct ntlmv2_key */*key*/,
+	int /*acceptor*/,
+	int /*sealsign*/,
+	unsigned char */*data*/,
+	size_t /*len*/);
+
+OM_uint32
+_gss_ntlm_unwrap (
+	OM_uint32 * /*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	const gss_buffer_t /*input_message_buffer*/,
+	gss_buffer_t /*output_message_buffer*/,
+	int * /*conf_state*/,
+	gss_qop_t * qop_state );
+
+OM_uint32
+_gss_ntlm_verify_mic (
+	OM_uint32 * /*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	const gss_buffer_t /*message_buffer*/,
+	const gss_buffer_t /*token_buffer*/,
+	gss_qop_t * qop_state );
+
+OM_uint32
+_gss_ntlm_wrap (
+	OM_uint32 * /*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	int /*conf_req_flag*/,
+	gss_qop_t /*qop_req*/,
+	const gss_buffer_t /*input_message_buffer*/,
+	int * /*conf_state*/,
+	gss_buffer_t output_message_buffer );
+
+OM_uint32
+_gss_ntlm_wrap_size_limit (
+	 OM_uint32 * /*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	int /*conf_req_flag*/,
+	gss_qop_t /*qop_req*/,
+	OM_uint32 /*req_output_size*/,
+	OM_uint32 * max_input_size );
+
+#endif /* __ntlm_private_h__ */
diff --git a/crypto/heimdal/lib/gssapi/ntlm/ntlm.h b/crypto/heimdal/lib/gssapi/ntlm/ntlm.h
new file mode 100644
index 0000000..5713b72
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/ntlm.h
@@ -0,0 +1,139 @@
+/*
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: ntlm.h 22373 2007-12-28 18:36:06Z lha $ */
+
+#ifndef NTLM_NTLM_H
+#define NTLM_NTLM_H
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+#include <string.h>
+#include <errno.h>
+
+#include <gssapi.h>
+#include <gssapi_mech.h>
+
+#include <krb5.h>
+#include <roken.h>
+#include <heim_threads.h>
+
+#include <heimntlm.h>
+
+#include "crypto-headers.h"
+
+typedef OM_uint32
+(*ntlm_interface_init)(OM_uint32 *, void **);
+
+typedef OM_uint32
+(*ntlm_interface_destroy)(OM_uint32 *, void *);
+
+typedef int
+(*ntlm_interface_probe)(OM_uint32 *, void *, const char *);
+
+typedef OM_uint32
+(*ntlm_interface_type2)(OM_uint32 *, void *, uint32_t, const char *,
+			const char *, uint32_t *, struct ntlm_buf *);
+
+typedef OM_uint32
+(*ntlm_interface_type3)(OM_uint32 *, void *, const struct ntlm_type3 *,
+			struct ntlm_buf *);
+
+typedef void
+(*ntlm_interface_free_buffer)(struct ntlm_buf *);
+
+struct ntlm_server_interface {
+    ntlm_interface_init nsi_init;
+    ntlm_interface_destroy nsi_destroy;
+    ntlm_interface_probe nsi_probe;
+    ntlm_interface_type2 nsi_type2;
+    ntlm_interface_type3 nsi_type3;
+    ntlm_interface_free_buffer nsi_free_buffer;
+};
+
+
+struct ntlmv2_key {
+    uint32_t seq;
+    RC4_KEY sealkey;
+    RC4_KEY *signsealkey;
+    unsigned char signkey[16];
+};
+
+extern struct ntlm_server_interface ntlmsspi_kdc_digest;
+
+typedef struct ntlm_cred {
+    gss_cred_usage_t usage;
+    char *username;
+    char *domain;
+    struct ntlm_buf key;
+} *ntlm_cred;
+
+typedef struct {
+    struct ntlm_server_interface *server;
+    void *ictx;
+    ntlm_cred client;
+    OM_uint32 gssflags;
+    uint32_t flags;
+    uint32_t status;
+#define STATUS_OPEN 1
+#define STATUS_CLIENT 2
+#define STATUS_SESSIONKEY 4
+    krb5_data sessionkey;
+
+    union {
+	struct {
+	    struct {
+		uint32_t seq;
+		RC4_KEY key;
+	    } crypto_send, crypto_recv;
+	} v1;
+	struct {
+	    struct ntlmv2_key send, recv;
+	} v2;
+    } u;
+} *ntlm_ctx;
+
+typedef struct {
+    char *user;
+    char *domain;
+} *ntlm_name;
+
+#include <ntlm/ntlm-private.h>
+
+
+#endif /* NTLM_NTLM_H */
diff --git a/crypto/heimdal/lib/gssapi/ntlm/process_context_token.c b/crypto/heimdal/lib/gssapi/ntlm/process_context_token.c
new file mode 100644
index 0000000..33c1072
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/process_context_token.c
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: process_context_token.c 19334 2006-12-14 12:17:34Z lha $");
+
+OM_uint32 _gss_ntlm_process_context_token (
+	OM_uint32          *minor_status,
+	const gss_ctx_id_t context_handle,
+	const gss_buffer_t token_buffer
+    )
+{
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/ntlm/release_cred.c b/crypto/heimdal/lib/gssapi/ntlm/release_cred.c
new file mode 100644
index 0000000..a63e568
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/release_cred.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: release_cred.c 22163 2007-12-04 21:25:06Z lha $");
+
+OM_uint32 _gss_ntlm_release_cred
+           (OM_uint32 * minor_status,
+            gss_cred_id_t * cred_handle
+           )
+{
+    ntlm_cred cred;
+
+    if (minor_status)
+	*minor_status = 0;
+
+    if (cred_handle == NULL || *cred_handle == GSS_C_NO_CREDENTIAL)
+	return GSS_S_COMPLETE;
+
+    cred = (ntlm_cred)*cred_handle;
+    *cred_handle = GSS_C_NO_CREDENTIAL;
+
+    if (cred->username)
+	free(cred->username);
+    if (cred->domain)
+	free(cred->domain);
+    if (cred->key.data) {
+	memset(cred->key.data, 0, cred->key.length);
+	free(cred->key.data);
+    }
+
+    return GSS_S_COMPLETE;
+}
+
diff --git a/crypto/heimdal/lib/gssapi/ntlm/release_name.c b/crypto/heimdal/lib/gssapi/ntlm/release_name.c
new file mode 100644
index 0000000..687d9fd
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ntlm/release_name.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ntlm/ntlm.h"
+
+RCSID("$Id: release_name.c 22373 2007-12-28 18:36:06Z lha $");
+
+OM_uint32 _gss_ntlm_release_name
+           (OM_uint32 * minor_status,
+            gss_name_t * input_name
+           )
+{
+    if (minor_status)
+	*minor_status = 0;
+    if (input_name) {
+	ntlm_name n = (ntlm_name)*input_name;
+	*input_name = GSS_C_NO_NAME;
+	free(n->user);
+	free(n->domain);
+	free(n);
+    }
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c b/crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c
new file mode 100644
index 0000000..1afe26f
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c
@@ -0,0 +1,1024 @@
+/*
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * Portions Copyright (c) 2004 PADL Software Pty Ltd.
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "spnego/spnego_locl.h"
+
+RCSID("$Id: accept_sec_context.c 21461 2007-07-10 14:01:13Z lha $");
+
+static OM_uint32
+send_reject (OM_uint32 *minor_status,
+	     gss_buffer_t output_token)
+{
+    NegotiationToken nt;
+    size_t size;
+
+    nt.element = choice_NegotiationToken_negTokenResp;
+
+    ALLOC(nt.u.negTokenResp.negResult, 1);
+    if (nt.u.negTokenResp.negResult == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+    *(nt.u.negTokenResp.negResult)  = reject;
+    nt.u.negTokenResp.supportedMech = NULL;
+    nt.u.negTokenResp.responseToken = NULL;
+    nt.u.negTokenResp.mechListMIC   = NULL;
+    
+    ASN1_MALLOC_ENCODE(NegotiationToken,
+		       output_token->value, output_token->length, &nt,
+		       &size, *minor_status);
+    free_NegotiationToken(&nt);
+    if (*minor_status != 0)
+	return GSS_S_FAILURE;
+
+    return GSS_S_BAD_MECH;
+}
+
+static OM_uint32
+acceptor_approved(gss_name_t target_name, gss_OID mech)
+{
+    gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
+    gss_OID_set oidset;
+    OM_uint32 junk, ret;
+
+    if (target_name == GSS_C_NO_NAME)
+	return GSS_S_COMPLETE;
+
+    gss_create_empty_oid_set(&junk, &oidset);
+    gss_add_oid_set_member(&junk, mech, &oidset);
+    
+    ret = gss_acquire_cred(&junk, target_name, GSS_C_INDEFINITE, oidset,
+			   GSS_C_ACCEPT, &cred, NULL, NULL);
+    gss_release_oid_set(&junk, &oidset);
+    if (ret != GSS_S_COMPLETE)
+	return ret;
+    gss_release_cred(&junk, &cred);
+    
+    return GSS_S_COMPLETE;
+}
+
+static OM_uint32
+send_supported_mechs (OM_uint32 *minor_status,
+		      gss_buffer_t output_token)
+{
+    NegotiationTokenWin nt;
+    char hostname[MAXHOSTNAMELEN + 1], *p;
+    gss_buffer_desc name_buf;
+    gss_OID name_type;
+    gss_name_t target_princ;
+    gss_name_t canon_princ;
+    OM_uint32 minor;
+    size_t buf_len;
+    gss_buffer_desc data;
+    OM_uint32 ret;
+
+    memset(&nt, 0, sizeof(nt));
+
+    nt.element = choice_NegotiationTokenWin_negTokenInit;
+    nt.u.negTokenInit.reqFlags = NULL;
+    nt.u.negTokenInit.mechToken = NULL;
+    nt.u.negTokenInit.negHints = NULL;
+
+    ret = _gss_spnego_indicate_mechtypelist(minor_status, GSS_C_NO_NAME,
+					    acceptor_approved, 1, NULL,
+					    &nt.u.negTokenInit.mechTypes, NULL);
+    if (ret != GSS_S_COMPLETE) {
+	return ret;
+    }
+
+    memset(&target_princ, 0, sizeof(target_princ));
+    if (gethostname(hostname, sizeof(hostname) - 2) != 0) {
+	*minor_status = errno;
+	free_NegotiationTokenWin(&nt);
+	return GSS_S_FAILURE;
+    }
+    hostname[sizeof(hostname) - 1] = '\0';
+
+    /* Send the constructed SAM name for this host */
+    for (p = hostname; *p != '\0' && *p != '.'; p++) {
+	*p = toupper((unsigned char)*p);
+    }
+    *p++ = '$';
+    *p = '\0';
+
+    name_buf.length = strlen(hostname);
+    name_buf.value = hostname;
+
+    ret = gss_import_name(minor_status, &name_buf,
+			  GSS_C_NO_OID,
+			  &target_princ);
+    if (ret != GSS_S_COMPLETE) {
+	free_NegotiationTokenWin(&nt);
+	return ret;
+    }
+
+    name_buf.length = 0;
+    name_buf.value = NULL;
+
+    /* Canonicalize the name using the preferred mechanism */
+    ret = gss_canonicalize_name(minor_status,
+				target_princ,
+				GSS_C_NO_OID,
+				&canon_princ);
+    if (ret != GSS_S_COMPLETE) {
+	free_NegotiationTokenWin(&nt);
+	gss_release_name(&minor, &target_princ);
+	return ret;
+    }
+
+    ret = gss_display_name(minor_status, canon_princ,
+			   &name_buf, &name_type);
+    if (ret != GSS_S_COMPLETE) {
+	free_NegotiationTokenWin(&nt);
+	gss_release_name(&minor, &canon_princ);
+	gss_release_name(&minor, &target_princ);
+	return ret;
+    }
+
+    gss_release_name(&minor, &canon_princ);
+    gss_release_name(&minor, &target_princ);
+
+    ALLOC(nt.u.negTokenInit.negHints, 1);
+    if (nt.u.negTokenInit.negHints == NULL) {
+	*minor_status = ENOMEM;
+	gss_release_buffer(&minor, &name_buf);
+	free_NegotiationTokenWin(&nt);
+	return GSS_S_FAILURE;
+    }
+
+    ALLOC(nt.u.negTokenInit.negHints->hintName, 1);
+    if (nt.u.negTokenInit.negHints->hintName == NULL) {
+	*minor_status = ENOMEM;
+	gss_release_buffer(&minor, &name_buf);
+	free_NegotiationTokenWin(&nt);
+	return GSS_S_FAILURE;
+    }
+
+    *(nt.u.negTokenInit.negHints->hintName) = name_buf.value;
+    name_buf.value = NULL;
+    nt.u.negTokenInit.negHints->hintAddress = NULL;
+
+    ASN1_MALLOC_ENCODE(NegotiationTokenWin, 
+		       data.value, data.length, &nt, &buf_len, ret);
+    free_NegotiationTokenWin(&nt);
+    if (ret) {
+	return ret;
+    }
+    if (data.length != buf_len)
+	abort();
+
+    ret = gss_encapsulate_token(&data, GSS_SPNEGO_MECHANISM, output_token);
+
+    free (data.value);
+
+    if (ret != GSS_S_COMPLETE)
+	return ret;
+
+    *minor_status = 0;
+
+    return GSS_S_CONTINUE_NEEDED;
+}
+
+static OM_uint32
+send_accept (OM_uint32 *minor_status,
+	     gssspnego_ctx context_handle,
+	     gss_buffer_t mech_token,
+	     int initial_response,
+	     gss_buffer_t mech_buf,
+	     gss_buffer_t output_token)
+{
+    NegotiationToken nt;
+    OM_uint32 ret;
+    gss_buffer_desc mech_mic_buf;
+    size_t size;
+
+    memset(&nt, 0, sizeof(nt));
+
+    nt.element = choice_NegotiationToken_negTokenResp;
+
+    ALLOC(nt.u.negTokenResp.negResult, 1);
+    if (nt.u.negTokenResp.negResult == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    if (context_handle->open) {
+	if (mech_token != GSS_C_NO_BUFFER
+	    && mech_token->length != 0
+	    && mech_buf != GSS_C_NO_BUFFER)
+	    *(nt.u.negTokenResp.negResult)  = accept_incomplete;
+	else
+	    *(nt.u.negTokenResp.negResult)  = accept_completed;
+    } else {
+	if (initial_response && context_handle->require_mic)
+	    *(nt.u.negTokenResp.negResult)  = request_mic;
+	else
+	    *(nt.u.negTokenResp.negResult)  = accept_incomplete;
+    }
+
+    if (initial_response) {
+	ALLOC(nt.u.negTokenResp.supportedMech, 1);
+	if (nt.u.negTokenResp.supportedMech == NULL) {
+	    free_NegotiationToken(&nt);
+	    *minor_status = ENOMEM;
+	    return GSS_S_FAILURE;
+	}
+
+	ret = der_get_oid(context_handle->preferred_mech_type->elements,
+			  context_handle->preferred_mech_type->length,
+			  nt.u.negTokenResp.supportedMech,
+			  NULL);
+	if (ret) {
+	    free_NegotiationToken(&nt);
+	    *minor_status = ENOMEM;
+	    return GSS_S_FAILURE;
+	}
+    } else {
+	nt.u.negTokenResp.supportedMech = NULL;
+    }
+
+    if (mech_token != GSS_C_NO_BUFFER && mech_token->length != 0) {
+	ALLOC(nt.u.negTokenResp.responseToken, 1);
+	if (nt.u.negTokenResp.responseToken == NULL) {
+	    free_NegotiationToken(&nt);
+	    *minor_status = ENOMEM;
+	    return GSS_S_FAILURE;
+	}
+	nt.u.negTokenResp.responseToken->length = mech_token->length;
+	nt.u.negTokenResp.responseToken->data   = mech_token->value;
+	mech_token->length = 0;
+	mech_token->value  = NULL;
+    } else {
+	nt.u.negTokenResp.responseToken = NULL;
+    }
+
+    if (mech_buf != GSS_C_NO_BUFFER) {
+	ret = gss_get_mic(minor_status,
+			  context_handle->negotiated_ctx_id,
+			  0,
+			  mech_buf,
+			  &mech_mic_buf);
+	if (ret == GSS_S_COMPLETE) {
+	    ALLOC(nt.u.negTokenResp.mechListMIC, 1);
+	    if (nt.u.negTokenResp.mechListMIC == NULL) {
+		gss_release_buffer(minor_status, &mech_mic_buf);
+		free_NegotiationToken(&nt);
+		*minor_status = ENOMEM;
+		return GSS_S_FAILURE;
+	    }
+	    nt.u.negTokenResp.mechListMIC->length = mech_mic_buf.length;
+	    nt.u.negTokenResp.mechListMIC->data   = mech_mic_buf.value;
+	} else if (ret == GSS_S_UNAVAILABLE) {
+	    nt.u.negTokenResp.mechListMIC = NULL;
+	} else {
+	    free_NegotiationToken(&nt);
+	    return ret;
+	}
+
+    } else
+	nt.u.negTokenResp.mechListMIC = NULL;
+ 
+    ASN1_MALLOC_ENCODE(NegotiationToken,
+		       output_token->value, output_token->length,
+		       &nt, &size, ret);
+    if (ret) {
+	free_NegotiationToken(&nt);
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    /*
+     * The response should not be encapsulated, because
+     * it is a SubsequentContextToken (note though RFC 1964
+     * specifies encapsulation for all _Kerberos_ tokens).
+     */
+
+    if (*(nt.u.negTokenResp.negResult) == accept_completed)
+	ret = GSS_S_COMPLETE;
+    else
+	ret = GSS_S_CONTINUE_NEEDED;
+    free_NegotiationToken(&nt);
+    return ret;
+}
+
+
+static OM_uint32
+verify_mechlist_mic
+	   (OM_uint32 *minor_status,
+	    gssspnego_ctx context_handle,
+	    gss_buffer_t mech_buf,
+	    heim_octet_string *mechListMIC
+	   )
+{
+    OM_uint32 ret;
+    gss_buffer_desc mic_buf;
+
+    if (context_handle->verified_mic) {
+	/* This doesn't make sense, we've already verified it? */
+	*minor_status = 0;
+	return GSS_S_DUPLICATE_TOKEN;
+    }
+
+    if (mechListMIC == NULL) {
+	*minor_status = 0;
+	return GSS_S_DEFECTIVE_TOKEN;
+    }
+
+    mic_buf.length = mechListMIC->length;
+    mic_buf.value  = mechListMIC->data;
+
+    ret = gss_verify_mic(minor_status,
+			 context_handle->negotiated_ctx_id,
+			 mech_buf,
+			 &mic_buf,
+			 NULL);
+
+    if (ret != GSS_S_COMPLETE)
+	ret = GSS_S_DEFECTIVE_TOKEN;
+
+    return ret;
+}
+
+static OM_uint32
+select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p,
+	    gss_OID *mech_p)
+{
+    char mechbuf[64];
+    size_t mech_len;
+    gss_OID_desc oid;
+    OM_uint32 ret, junk;
+
+    ret = der_put_oid ((unsigned char *)mechbuf + sizeof(mechbuf) - 1,
+		       sizeof(mechbuf),
+		       mechType,
+		       &mech_len);
+    if (ret) {
+	return GSS_S_DEFECTIVE_TOKEN;
+    }
+
+    oid.length   = mech_len;
+    oid.elements = mechbuf + sizeof(mechbuf) - mech_len;
+
+    if (gss_oid_equal(&oid, GSS_SPNEGO_MECHANISM)) {
+	return GSS_S_BAD_MECH;
+    }
+
+    *minor_status = 0;
+
+    /* Translate broken MS Kebreros OID */
+    if (gss_oid_equal(&oid, &_gss_spnego_mskrb_mechanism_oid_desc)) {
+	gssapi_mech_interface mech;
+
+	mech = __gss_get_mechanism(&_gss_spnego_krb5_mechanism_oid_desc);
+	if (mech == NULL)
+	    return GSS_S_BAD_MECH;
+
+	ret = gss_duplicate_oid(minor_status,
+				&_gss_spnego_mskrb_mechanism_oid_desc,
+				mech_p);
+    } else {
+	gssapi_mech_interface mech;
+
+	mech = __gss_get_mechanism(&oid);
+	if (mech == NULL)
+	    return GSS_S_BAD_MECH;
+
+	ret = gss_duplicate_oid(minor_status,
+				&mech->gm_mech_oid,
+				mech_p);
+    }
+
+    if (verify_p) {
+	gss_name_t name = GSS_C_NO_NAME;
+	gss_buffer_desc namebuf;
+	char *str = NULL, *host, hostname[MAXHOSTNAMELEN];
+
+	host = getenv("GSSAPI_SPNEGO_NAME");
+	if (host == NULL || issuid()) {
+	    if (gethostname(hostname, sizeof(hostname)) != 0) {
+		*minor_status = errno;
+		return GSS_S_FAILURE;
+	    }
+	    asprintf(&str, "host@%s", hostname);
+	    host = str;
+	}
+
+	namebuf.length = strlen(host);
+	namebuf.value = host;
+
+	ret = gss_import_name(minor_status, &namebuf,
+			      GSS_C_NT_HOSTBASED_SERVICE, &name);
+	if (str)
+	    free(str);
+	if (ret != GSS_S_COMPLETE)
+	    return ret;
+
+	ret = acceptor_approved(name, *mech_p);
+	gss_release_name(&junk, &name);
+    }
+
+    return ret;
+}
+
+
+static OM_uint32
+acceptor_complete(OM_uint32 * minor_status,
+		  gssspnego_ctx ctx,
+		  int *get_mic,
+		  gss_buffer_t mech_buf,
+		  gss_buffer_t mech_input_token,
+		  gss_buffer_t mech_output_token,
+		  heim_octet_string *mic,
+		  gss_buffer_t output_token)
+{
+    OM_uint32 ret;
+    int require_mic, verify_mic;
+    gss_buffer_desc buf;
+
+    buf.length = 0;
+    buf.value = NULL;
+
+    ret = _gss_spnego_require_mechlist_mic(minor_status, ctx, &require_mic);
+    if (ret)
+	return ret;
+    
+    ctx->require_mic = require_mic;
+
+    if (mic != NULL)
+	require_mic = 1;
+    
+    if (ctx->open && require_mic) {
+	if (mech_input_token == GSS_C_NO_BUFFER) { /* Even/One */
+	    verify_mic = 1;
+	    *get_mic = 0;
+	} else if (mech_output_token != GSS_C_NO_BUFFER &&
+		   mech_output_token->length == 0) { /* Odd */
+	    *get_mic = verify_mic = 1;
+	} else { /* Even/One */
+	    verify_mic = 0;
+	    *get_mic = 1;
+	}
+	
+	if (verify_mic || get_mic) {
+	    int eret;
+	    size_t buf_len;
+	    
+	    ASN1_MALLOC_ENCODE(MechTypeList, 
+			       mech_buf->value, mech_buf->length,
+			       &ctx->initiator_mech_types, &buf_len, eret);
+	    if (eret) {
+		*minor_status = eret;
+		return GSS_S_FAILURE;
+	    }
+	    if (buf.length != buf_len)
+		abort();
+	}
+	
+	if (verify_mic) {
+	    ret = verify_mechlist_mic(minor_status, ctx, mech_buf, mic);
+	    if (ret) {
+		if (get_mic)
+		    send_reject (minor_status, output_token);
+		if (buf.value)
+		    free(buf.value);
+		return ret;
+	    }
+	    ctx->verified_mic = 1;
+	}
+	if (buf.value)
+	    free(buf.value);
+
+    } else
+	*get_mic = verify_mic = 0;
+    
+    return GSS_S_COMPLETE;
+}
+
+
+static OM_uint32
+acceptor_start
+	   (OM_uint32 * minor_status,
+	    gss_ctx_id_t * context_handle,
+	    const gss_cred_id_t acceptor_cred_handle,
+	    const gss_buffer_t input_token_buffer,
+	    const gss_channel_bindings_t input_chan_bindings,
+	    gss_name_t * src_name,
+	    gss_OID * mech_type,
+	    gss_buffer_t output_token,
+	    OM_uint32 * ret_flags,
+	    OM_uint32 * time_rec,
+	    gss_cred_id_t *delegated_cred_handle
+	   )
+{
+    OM_uint32 ret, junk, minor;
+    NegotiationToken nt;
+    size_t nt_len;
+    NegTokenInit *ni;
+    int i;
+    gss_buffer_desc data;
+    gss_buffer_t mech_input_token = GSS_C_NO_BUFFER;
+    gss_buffer_desc mech_output_token;
+    gss_buffer_desc mech_buf;
+    gss_OID preferred_mech_type = GSS_C_NO_OID;
+    gssspnego_ctx ctx;
+    gssspnego_cred acceptor_cred = (gssspnego_cred)acceptor_cred_handle;
+    int get_mic = 0;
+    int first_ok = 0;
+
+    mech_output_token.value = NULL;
+    mech_output_token.length = 0;
+    mech_buf.value = NULL;
+
+    if (input_token_buffer->length == 0)
+	return send_supported_mechs (minor_status, output_token);
+	
+    ret = _gss_spnego_alloc_sec_context(minor_status, context_handle);
+    if (ret != GSS_S_COMPLETE)
+	return ret;
+
+    ctx = (gssspnego_ctx)*context_handle;
+
+    /*
+     * The GSS-API encapsulation is only present on the initial
+     * context token (negTokenInit).
+     */
+    ret = gss_decapsulate_token (input_token_buffer,
+				 GSS_SPNEGO_MECHANISM,
+				 &data);
+    if (ret)
+	return ret;
+
+    ret = decode_NegotiationToken(data.value, data.length, &nt, &nt_len);
+    gss_release_buffer(minor_status, &data);
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_DEFECTIVE_TOKEN;
+    }
+    if (nt.element != choice_NegotiationToken_negTokenInit) {
+	*minor_status = 0;
+	return GSS_S_DEFECTIVE_TOKEN;
+    }
+    ni = &nt.u.negTokenInit;
+
+    if (ni->mechTypes.len < 1) {
+	free_NegotiationToken(&nt);
+	*minor_status = 0;
+	return GSS_S_DEFECTIVE_TOKEN;
+    }
+
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+
+    ret = copy_MechTypeList(&ni->mechTypes, &ctx->initiator_mech_types);
+    if (ret) {
+	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+	free_NegotiationToken(&nt);
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    /*
+     * First we try the opportunistic token if we have support for it,
+     * don't try to verify we have credential for the token,
+     * gss_accept_sec_context will (hopefully) tell us that.
+     * If that failes, 
+     */
+
+    ret = select_mech(minor_status,
+		      &ni->mechTypes.val[0], 
+		      0,
+		      &preferred_mech_type);
+
+    if (ret == 0 && ni->mechToken != NULL) {
+	gss_cred_id_t mech_delegated_cred = GSS_C_NO_CREDENTIAL;
+	gss_cred_id_t mech_cred;
+	gss_buffer_desc ibuf;
+
+	ibuf.length = ni->mechToken->length;
+	ibuf.value = ni->mechToken->data;
+	mech_input_token = &ibuf;
+
+	if (acceptor_cred != NULL)
+	    mech_cred = acceptor_cred->negotiated_cred_id;
+	else
+	    mech_cred = GSS_C_NO_CREDENTIAL;
+	
+	if (ctx->mech_src_name != GSS_C_NO_NAME)
+	    gss_release_name(&minor, &ctx->mech_src_name);
+	
+	if (ctx->delegated_cred_id != GSS_C_NO_CREDENTIAL)
+	    _gss_spnego_release_cred(&minor, &ctx->delegated_cred_id);
+	
+	ret = gss_accept_sec_context(&minor,
+				     &ctx->negotiated_ctx_id,
+				     mech_cred,
+				     mech_input_token,
+				     input_chan_bindings,
+				     &ctx->mech_src_name,
+				     &ctx->negotiated_mech_type,
+				     &mech_output_token,
+				     &ctx->mech_flags,
+				     &ctx->mech_time_rec,
+				     &mech_delegated_cred);
+	if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) {
+	    ctx->preferred_mech_type = preferred_mech_type;
+	    ctx->negotiated_mech_type = preferred_mech_type;
+	    if (ret == GSS_S_COMPLETE)
+		ctx->open = 1;
+
+	    if (mech_delegated_cred && delegated_cred_handle)
+		ret = _gss_spnego_alloc_cred(minor_status,
+					     mech_delegated_cred,
+					     delegated_cred_handle);
+	    else
+		gss_release_cred(&junk, &mech_delegated_cred);
+
+	    ret = acceptor_complete(minor_status,
+				    ctx,
+				    &get_mic,
+				    &mech_buf,
+				    mech_input_token,
+				    &mech_output_token,
+				    ni->mechListMIC,
+				    output_token);
+	    if (ret != GSS_S_COMPLETE)
+		goto out;
+
+	    first_ok = 1;
+	}
+    }
+
+    /*
+     * If opportunistic token failed, lets try the other mechs.
+     */
+
+    if (!first_ok) {
+
+	/* Call glue layer to find first mech we support */
+	for (i = 1; i < ni->mechTypes.len; ++i) {
+	    ret = select_mech(minor_status,
+			      &ni->mechTypes.val[i],
+			      1,
+			      &preferred_mech_type);
+	    if (ret == 0)
+		break;
+	}
+	if (preferred_mech_type == GSS_C_NO_OID) {
+	    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+	    free_NegotiationToken(&nt);
+	    return GSS_S_BAD_MECH;
+	}
+
+	ctx->preferred_mech_type = preferred_mech_type;
+	ctx->negotiated_mech_type = preferred_mech_type;
+    }
+
+    /*
+     * The initial token always have a response
+     */
+
+    ret = send_accept (minor_status,
+		       ctx,
+		       &mech_output_token,
+		       1,
+		       get_mic ? &mech_buf : NULL,
+		       output_token);
+    if (ret)
+	goto out;
+    
+out:
+    if (mech_output_token.value != NULL)
+	gss_release_buffer(&minor, &mech_output_token);
+    if (mech_buf.value != NULL) {
+	free(mech_buf.value);
+	mech_buf.value = NULL;
+    }
+    free_NegotiationToken(&nt);
+
+
+    if (ret == GSS_S_COMPLETE) {
+	if (src_name != NULL && ctx->mech_src_name != NULL) {
+	    spnego_name name;
+
+	    name = calloc(1, sizeof(*name));
+	    if (name) {
+		name->mech = ctx->mech_src_name;
+		ctx->mech_src_name = NULL;
+		*src_name = (gss_name_t)name;
+	    }
+	}
+        if (delegated_cred_handle != NULL) {
+	    *delegated_cred_handle = ctx->delegated_cred_id;
+	    ctx->delegated_cred_id = GSS_C_NO_CREDENTIAL;
+	}
+    }
+    
+    if (mech_type != NULL)
+	*mech_type = ctx->negotiated_mech_type;
+    if (ret_flags != NULL)
+	*ret_flags = ctx->mech_flags;
+    if (time_rec != NULL)
+	*time_rec = ctx->mech_time_rec;
+
+    if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) {
+	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+ 	return ret;
+    }
+
+    _gss_spnego_internal_delete_sec_context(&minor, context_handle,
+					    GSS_C_NO_BUFFER);
+    
+    return ret;
+}
+
+
+static OM_uint32
+acceptor_continue
+	   (OM_uint32 * minor_status,
+	    gss_ctx_id_t * context_handle,
+	    const gss_cred_id_t acceptor_cred_handle,
+	    const gss_buffer_t input_token_buffer,
+	    const gss_channel_bindings_t input_chan_bindings,
+	    gss_name_t * src_name,
+	    gss_OID * mech_type,
+	    gss_buffer_t output_token,
+	    OM_uint32 * ret_flags,
+	    OM_uint32 * time_rec,
+	    gss_cred_id_t *delegated_cred_handle
+	   )
+{
+    OM_uint32 ret, ret2, minor;
+    NegotiationToken nt;
+    size_t nt_len;
+    NegTokenResp *na;
+    unsigned int negResult = accept_incomplete;
+    gss_buffer_t mech_input_token = GSS_C_NO_BUFFER;
+    gss_buffer_t mech_output_token = GSS_C_NO_BUFFER;
+    gss_buffer_desc mech_buf;
+    gssspnego_ctx ctx;
+    gssspnego_cred acceptor_cred = (gssspnego_cred)acceptor_cred_handle;
+
+    mech_buf.value = NULL;
+
+    ctx = (gssspnego_ctx)*context_handle;
+
+    /*
+     * The GSS-API encapsulation is only present on the initial
+     * context token (negTokenInit).
+     */
+
+    ret = decode_NegotiationToken(input_token_buffer->value, 
+				  input_token_buffer->length,
+				  &nt, &nt_len);
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_DEFECTIVE_TOKEN;
+    }
+    if (nt.element != choice_NegotiationToken_negTokenResp) {
+	*minor_status = 0;
+	return GSS_S_DEFECTIVE_TOKEN;
+    }
+    na = &nt.u.negTokenResp;
+
+    if (na->negResult != NULL) {
+	negResult = *(na->negResult);
+    }
+
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+
+    {
+	gss_buffer_desc ibuf, obuf;
+	int require_mic, get_mic = 0;
+	int require_response;
+	heim_octet_string *mic;
+
+	if (na->responseToken != NULL) {
+	    ibuf.length = na->responseToken->length;
+	    ibuf.value = na->responseToken->data;
+	    mech_input_token = &ibuf;
+	} else {
+	    ibuf.value = NULL;
+	    ibuf.length = 0;
+	}
+
+	if (mech_input_token != GSS_C_NO_BUFFER) {
+	    gss_cred_id_t mech_cred;
+	    gss_cred_id_t mech_delegated_cred;
+	    gss_cred_id_t *mech_delegated_cred_p;
+
+	    if (acceptor_cred != NULL)
+		mech_cred = acceptor_cred->negotiated_cred_id;
+	    else
+		mech_cred = GSS_C_NO_CREDENTIAL;
+
+	    if (delegated_cred_handle != NULL) {
+		mech_delegated_cred = GSS_C_NO_CREDENTIAL;
+		mech_delegated_cred_p = &mech_delegated_cred;
+	    } else {
+		mech_delegated_cred_p = NULL;
+	    }
+
+	    if (ctx->mech_src_name != GSS_C_NO_NAME)
+		gss_release_name(&minor, &ctx->mech_src_name);
+
+	    if (ctx->delegated_cred_id != GSS_C_NO_CREDENTIAL)
+		_gss_spnego_release_cred(&minor, &ctx->delegated_cred_id);
+
+	    ret = gss_accept_sec_context(&minor,
+					 &ctx->negotiated_ctx_id,
+					 mech_cred,
+					 mech_input_token,
+					 input_chan_bindings,
+					 &ctx->mech_src_name,
+					 &ctx->negotiated_mech_type,
+					 &obuf,
+					 &ctx->mech_flags,
+					 &ctx->mech_time_rec,
+					 mech_delegated_cred_p);
+	    if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) {
+		if (mech_delegated_cred_p != NULL &&
+		    mech_delegated_cred != GSS_C_NO_CREDENTIAL) {
+		    ret2 = _gss_spnego_alloc_cred(minor_status,
+						  mech_delegated_cred,
+						  &ctx->delegated_cred_id);
+		    if (ret2 != GSS_S_COMPLETE)
+			ret = ret2;
+		}
+		mech_output_token = &obuf;
+	    }
+	    if (ret != GSS_S_COMPLETE && ret != GSS_S_CONTINUE_NEEDED) {
+		free_NegotiationToken(&nt);
+		send_reject (minor_status, output_token);
+		HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+		return ret;
+	    }
+	    if (ret == GSS_S_COMPLETE)
+		ctx->open = 1;
+	} else
+	    ret = GSS_S_COMPLETE;
+
+	ret2 = _gss_spnego_require_mechlist_mic(minor_status, 
+						ctx,
+						&require_mic);
+	if (ret2)
+	    goto out;
+
+	ctx->require_mic = require_mic;
+
+	mic = na->mechListMIC;
+	if (mic != NULL)
+	    require_mic = 1;
+
+	if (ret == GSS_S_COMPLETE)
+	    ret = acceptor_complete(minor_status,
+				    ctx,
+				    &get_mic,
+				    &mech_buf,
+				    mech_input_token,
+				    mech_output_token,
+				    na->mechListMIC,
+				    output_token);
+
+	if (ctx->mech_flags & GSS_C_DCE_STYLE)
+	    require_response = (negResult != accept_completed);
+	else
+	    require_response = 0;
+
+	/*
+	 * Check whether we need to send a result: there should be only
+	 * one accept_completed response sent in the entire negotiation
+	 */
+	if ((mech_output_token != GSS_C_NO_BUFFER &&
+	     mech_output_token->length != 0)
+	    || (ctx->open && negResult == accept_incomplete)
+	    || require_response
+	    || get_mic) {
+	    ret2 = send_accept (minor_status,
+				ctx,
+				mech_output_token,
+				0,
+				get_mic ? &mech_buf : NULL,
+				output_token);
+	    if (ret2)
+		goto out;
+	}
+
+     out:
+	if (ret2 != GSS_S_COMPLETE)
+	    ret = ret2;
+	if (mech_output_token != NULL)
+	    gss_release_buffer(&minor, mech_output_token);
+	if (mech_buf.value != NULL)
+	    free(mech_buf.value);
+	free_NegotiationToken(&nt);
+    }
+
+    if (ret == GSS_S_COMPLETE) {
+	if (src_name != NULL && ctx->mech_src_name != NULL) {
+	    spnego_name name;
+
+	    name = calloc(1, sizeof(*name));
+	    if (name) {
+		name->mech = ctx->mech_src_name;
+		ctx->mech_src_name = NULL;
+		*src_name = (gss_name_t)name;
+	    }
+	}
+        if (delegated_cred_handle != NULL) {
+	    *delegated_cred_handle = ctx->delegated_cred_id;
+	    ctx->delegated_cred_id = GSS_C_NO_CREDENTIAL;
+	}
+    }
+
+    if (mech_type != NULL)
+	*mech_type = ctx->negotiated_mech_type;
+    if (ret_flags != NULL)
+	*ret_flags = ctx->mech_flags;
+    if (time_rec != NULL)
+	*time_rec = ctx->mech_time_rec;
+
+    if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) {
+	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+ 	return ret;
+    }
+
+    _gss_spnego_internal_delete_sec_context(&minor, context_handle,
+				   GSS_C_NO_BUFFER);
+
+    return ret;
+}
+
+OM_uint32
+_gss_spnego_accept_sec_context
+	   (OM_uint32 * minor_status,
+	    gss_ctx_id_t * context_handle,
+	    const gss_cred_id_t acceptor_cred_handle,
+	    const gss_buffer_t input_token_buffer,
+	    const gss_channel_bindings_t input_chan_bindings,
+	    gss_name_t * src_name,
+	    gss_OID * mech_type,
+	    gss_buffer_t output_token,
+	    OM_uint32 * ret_flags,
+	    OM_uint32 * time_rec,
+	    gss_cred_id_t *delegated_cred_handle
+	   )
+{
+    _gss_accept_sec_context_t *func;
+
+    *minor_status = 0;
+
+    output_token->length = 0;
+    output_token->value  = NULL;
+
+    if (src_name != NULL)
+	*src_name = GSS_C_NO_NAME;
+    if (mech_type != NULL)
+	*mech_type = GSS_C_NO_OID;
+    if (ret_flags != NULL)
+	*ret_flags = 0;
+    if (time_rec != NULL)
+	*time_rec = 0;
+    if (delegated_cred_handle != NULL)
+	*delegated_cred_handle = GSS_C_NO_CREDENTIAL;
+
+
+    if (*context_handle == GSS_C_NO_CONTEXT) 
+	func = acceptor_start;
+    else
+	func = acceptor_continue;
+    
+
+    return (*func)(minor_status, context_handle, acceptor_cred_handle,
+		   input_token_buffer, input_chan_bindings,
+		   src_name, mech_type, output_token, ret_flags,
+		   time_rec, delegated_cred_handle);
+}
diff --git a/crypto/heimdal/lib/gssapi/spnego/compat.c b/crypto/heimdal/lib/gssapi/spnego/compat.c
new file mode 100644
index 0000000..287f4f7
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/spnego/compat.c
@@ -0,0 +1,322 @@
+/*
+ * Copyright (c) 2004, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "spnego/spnego_locl.h"
+
+RCSID("$Id: compat.c 21866 2007-08-08 11:31:29Z lha $");
+
+/*
+ * Apparently Microsoft got the OID wrong, and used
+ * 1.2.840.48018.1.2.2 instead. We need both this and
+ * the correct Kerberos OID here in order to deal with
+ * this. Because this is manifest in SPNEGO only I'd
+ * prefer to deal with this here rather than inside the
+ * Kerberos mechanism.
+ */
+gss_OID_desc _gss_spnego_mskrb_mechanism_oid_desc =
+	{9, (void *)"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"};
+
+gss_OID_desc _gss_spnego_krb5_mechanism_oid_desc =
+	{9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"};
+
+/*
+ * Allocate a SPNEGO context handle
+ */
+OM_uint32 _gss_spnego_alloc_sec_context (OM_uint32 * minor_status,
+					 gss_ctx_id_t *context_handle)
+{
+    gssspnego_ctx ctx;
+
+    ctx = calloc(1, sizeof(*ctx));
+    if (ctx == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    ctx->initiator_mech_types.len = 0;
+    ctx->initiator_mech_types.val = NULL;
+    ctx->preferred_mech_type = GSS_C_NO_OID;
+    ctx->negotiated_mech_type = GSS_C_NO_OID;
+    ctx->negotiated_ctx_id = GSS_C_NO_CONTEXT;
+
+    /*
+     * Cache these so we can return them before returning
+     * GSS_S_COMPLETE, even if the mechanism has itself
+     * completed earlier
+     */
+    ctx->mech_flags = 0;
+    ctx->mech_time_rec = 0;
+    ctx->mech_src_name = GSS_C_NO_NAME;
+    ctx->delegated_cred_id = GSS_C_NO_CREDENTIAL;
+
+    ctx->open = 0;
+    ctx->local = 0;
+    ctx->require_mic = 0;
+    ctx->verified_mic = 0;
+
+    HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex);
+
+    *context_handle = (gss_ctx_id_t)ctx;
+
+    return GSS_S_COMPLETE;
+}
+
+/*
+ * Free a SPNEGO context handle. The caller must have acquired
+ * the lock before this is called.
+ */
+OM_uint32 _gss_spnego_internal_delete_sec_context
+           (OM_uint32 *minor_status,
+            gss_ctx_id_t *context_handle,
+            gss_buffer_t output_token
+           )
+{
+    gssspnego_ctx ctx;
+    OM_uint32 ret, minor;
+
+    *minor_status = 0;
+
+    if (context_handle == NULL) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    if (output_token != GSS_C_NO_BUFFER) {
+	output_token->length = 0;
+	output_token->value = NULL;
+    }
+
+    ctx = (gssspnego_ctx)*context_handle;
+    *context_handle = GSS_C_NO_CONTEXT;
+
+    if (ctx == NULL) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    if (ctx->initiator_mech_types.val != NULL)
+	free_MechTypeList(&ctx->initiator_mech_types);
+
+    _gss_spnego_release_cred(&minor, &ctx->delegated_cred_id);
+
+    gss_release_oid(&minor, &ctx->preferred_mech_type);
+    ctx->negotiated_mech_type = GSS_C_NO_OID;
+
+    gss_release_name(&minor, &ctx->target_name);
+    gss_release_name(&minor, &ctx->mech_src_name);
+
+    if (ctx->negotiated_ctx_id != GSS_C_NO_CONTEXT) {
+	ret = gss_delete_sec_context(minor_status,
+				     &ctx->negotiated_ctx_id,
+				     output_token);
+	ctx->negotiated_ctx_id = GSS_C_NO_CONTEXT;
+    } else {
+	ret = GSS_S_COMPLETE;
+    }
+
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+    HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
+
+    free(ctx);
+    *context_handle = NULL;
+
+    return ret;
+}
+
+/*
+ * For compatability with the Windows SPNEGO implementation, the
+ * default is to ignore the mechListMIC unless CFX is used and
+ * a non-preferred mechanism was negotiated
+ */
+
+OM_uint32
+_gss_spnego_require_mechlist_mic(OM_uint32 *minor_status,
+				 gssspnego_ctx ctx,
+				 int *require_mic)
+{
+    gss_buffer_set_t buffer_set = GSS_C_NO_BUFFER_SET;
+    OM_uint32 minor;
+
+    *minor_status = 0;
+    *require_mic = 0;
+
+    if (ctx == NULL) {
+	return GSS_S_COMPLETE;
+    }
+
+    if (ctx->require_mic) {
+	/* Acceptor requested it: mandatory to honour */
+	*require_mic = 1;
+	return GSS_S_COMPLETE;
+    }
+
+    /*
+     * Check whether peer indicated implicit support for updated SPNEGO
+     * (eg. in the Kerberos case by using CFX)
+     */
+    if (gss_inquire_sec_context_by_oid(&minor, ctx->negotiated_ctx_id,
+				       GSS_C_PEER_HAS_UPDATED_SPNEGO,
+				       &buffer_set) == GSS_S_COMPLETE) {
+	*require_mic = 1;
+	gss_release_buffer_set(&minor, &buffer_set);
+    }
+
+    /* Safe-to-omit MIC rules follow */
+    if (*require_mic) {
+	if (gss_oid_equal(ctx->negotiated_mech_type, ctx->preferred_mech_type)) {
+	    *require_mic = 0;
+	} else if (gss_oid_equal(ctx->negotiated_mech_type, &_gss_spnego_krb5_mechanism_oid_desc) &&
+		   gss_oid_equal(ctx->preferred_mech_type, &_gss_spnego_mskrb_mechanism_oid_desc)) {
+	    *require_mic = 0;
+	}
+    }
+
+    return GSS_S_COMPLETE;
+}
+
+static int
+add_mech_type(gss_OID mech_type,
+	      int includeMSCompatOID,
+	      MechTypeList *mechtypelist)
+{
+    MechType mech;
+    int ret;
+
+    if (gss_oid_equal(mech_type, GSS_SPNEGO_MECHANISM))
+	return 0;
+
+    if (includeMSCompatOID &&
+	gss_oid_equal(mech_type, &_gss_spnego_krb5_mechanism_oid_desc)) {
+	ret = der_get_oid(_gss_spnego_mskrb_mechanism_oid_desc.elements,
+			  _gss_spnego_mskrb_mechanism_oid_desc.length,
+			  &mech,
+			  NULL);
+	if (ret)
+	    return ret;
+	ret = add_MechTypeList(mechtypelist, &mech);
+	free_MechType(&mech);
+	if (ret)
+	    return ret;
+    }
+    ret = der_get_oid(mech_type->elements, mech_type->length, &mech, NULL);
+    if (ret)
+	return ret;
+    ret = add_MechTypeList(mechtypelist, &mech);
+    free_MechType(&mech);
+    return ret;
+}
+
+
+OM_uint32
+_gss_spnego_indicate_mechtypelist (OM_uint32 *minor_status,
+				   gss_name_t target_name,
+				   OM_uint32 (*func)(gss_name_t, gss_OID),
+				   int includeMSCompatOID,
+				   const gssspnego_cred cred_handle,
+				   MechTypeList *mechtypelist,
+				   gss_OID *preferred_mech)
+{
+    gss_OID_set supported_mechs = GSS_C_NO_OID_SET;
+    gss_OID first_mech = GSS_C_NO_OID;
+    OM_uint32 ret;
+    int i;
+
+    mechtypelist->len = 0;
+    mechtypelist->val = NULL;
+
+    if (cred_handle != NULL) {
+	ret = gss_inquire_cred(minor_status,
+			       cred_handle->negotiated_cred_id,
+			       NULL,
+			       NULL,
+			       NULL,
+			       &supported_mechs);
+    } else {
+	ret = gss_indicate_mechs(minor_status, &supported_mechs);
+    }
+
+    if (ret != GSS_S_COMPLETE) {
+	return ret;
+    }
+
+    if (supported_mechs->count == 0) {
+	*minor_status = ENOENT;
+	gss_release_oid_set(minor_status, &supported_mechs);
+	return GSS_S_FAILURE;
+    }
+
+    ret = (*func)(target_name, GSS_KRB5_MECHANISM);
+    if (ret == GSS_S_COMPLETE) {
+	ret = add_mech_type(GSS_KRB5_MECHANISM,
+			    includeMSCompatOID,
+			    mechtypelist);
+	if (!GSS_ERROR(ret))
+	    first_mech = GSS_KRB5_MECHANISM;
+    }
+    ret = GSS_S_COMPLETE;
+
+    for (i = 0; i < supported_mechs->count; i++) {
+	OM_uint32 subret;
+	if (gss_oid_equal(&supported_mechs->elements[i], GSS_SPNEGO_MECHANISM))
+	    continue;
+	if (gss_oid_equal(&supported_mechs->elements[i], GSS_KRB5_MECHANISM))
+	    continue;
+
+	subret = (*func)(target_name, &supported_mechs->elements[i]);
+	if (subret != GSS_S_COMPLETE)
+	    continue;
+
+	ret = add_mech_type(&supported_mechs->elements[i],
+			    includeMSCompatOID,
+			    mechtypelist);
+	if (ret != 0) {
+	    *minor_status = ret;
+	    ret = GSS_S_FAILURE;
+	    break;
+	}
+	if (first_mech == GSS_C_NO_OID)
+	    first_mech = &supported_mechs->elements[i];
+    }
+
+    if (mechtypelist->len == 0) {
+	gss_release_oid_set(minor_status, &supported_mechs);
+	*minor_status = 0;
+	return GSS_S_BAD_MECH;
+    }
+
+    if (preferred_mech != NULL) {
+	ret = gss_duplicate_oid(minor_status, first_mech, preferred_mech);
+	if (ret != GSS_S_COMPLETE)
+	    free_MechTypeList(mechtypelist);
+    }
+    gss_release_oid_set(minor_status, &supported_mechs);
+
+    return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/spnego/context_stubs.c b/crypto/heimdal/lib/gssapi/spnego/context_stubs.c
new file mode 100644
index 0000000..3535c7b
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/spnego/context_stubs.c
@@ -0,0 +1,903 @@
+/*
+ * Copyright (c) 2004, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "spnego/spnego_locl.h"
+
+RCSID("$Id: context_stubs.c 21035 2007-06-09 15:32:47Z lha $");
+
+static OM_uint32
+spnego_supported_mechs(OM_uint32 *minor_status, gss_OID_set *mechs)
+{
+    OM_uint32 ret, junk;
+    gss_OID_set m;
+    int i;
+
+    ret = gss_indicate_mechs(minor_status, &m);
+    if (ret != GSS_S_COMPLETE)
+	return ret;
+
+    ret = gss_create_empty_oid_set(minor_status, mechs);
+    if (ret != GSS_S_COMPLETE) {
+	gss_release_oid_set(&junk, &m);
+	return ret;
+    }
+
+    for (i = 0; i < m->count; i++) {
+	if (gss_oid_equal(&m->elements[i], GSS_SPNEGO_MECHANISM))
+	    continue;
+
+	ret = gss_add_oid_set_member(minor_status, &m->elements[i], mechs);
+	if (ret) {
+	    gss_release_oid_set(&junk, &m);
+	    gss_release_oid_set(&junk, mechs);
+	    return ret;
+	}
+    }
+    return ret;
+}
+
+
+
+OM_uint32 _gss_spnego_process_context_token
+           (OM_uint32 *minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t token_buffer
+           )
+{
+    gss_ctx_id_t context ;
+    gssspnego_ctx ctx;
+    OM_uint32 ret;
+
+    if (context_handle == GSS_C_NO_CONTEXT)
+	return GSS_S_NO_CONTEXT;
+
+    context = context_handle;
+    ctx = (gssspnego_ctx)context_handle;
+
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+
+    ret = gss_process_context_token(minor_status,
+				    ctx->negotiated_ctx_id,
+				    token_buffer);
+    if (ret != GSS_S_COMPLETE) {
+	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+	return ret;
+    }
+
+    ctx->negotiated_ctx_id = GSS_C_NO_CONTEXT;
+
+    return _gss_spnego_internal_delete_sec_context(minor_status,
+					   &context,
+					   GSS_C_NO_BUFFER);
+}
+
+OM_uint32 _gss_spnego_delete_sec_context
+           (OM_uint32 *minor_status,
+            gss_ctx_id_t *context_handle,
+            gss_buffer_t output_token
+           )
+{
+    gssspnego_ctx ctx;
+
+    if (context_handle == NULL || *context_handle == GSS_C_NO_CONTEXT)
+	return GSS_S_NO_CONTEXT;
+
+    ctx = (gssspnego_ctx)*context_handle;
+
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+
+    return _gss_spnego_internal_delete_sec_context(minor_status,
+						   context_handle,
+						   output_token);
+}
+
+OM_uint32 _gss_spnego_context_time
+           (OM_uint32 *minor_status,
+            const gss_ctx_id_t context_handle,
+            OM_uint32 *time_rec
+           )
+{
+    gssspnego_ctx ctx;
+    *minor_status = 0;
+
+    if (context_handle == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    ctx = (gssspnego_ctx)context_handle;
+
+    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    return gss_context_time(minor_status,
+			    ctx->negotiated_ctx_id,
+			    time_rec);
+}
+
+OM_uint32 _gss_spnego_get_mic
+           (OM_uint32 *minor_status,
+            const gss_ctx_id_t context_handle,
+            gss_qop_t qop_req,
+            const gss_buffer_t message_buffer,
+            gss_buffer_t message_token
+           )
+{
+    gssspnego_ctx ctx;
+
+    *minor_status = 0;
+
+    if (context_handle == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    ctx = (gssspnego_ctx)context_handle;
+
+    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    return gss_get_mic(minor_status, ctx->negotiated_ctx_id,
+		       qop_req, message_buffer, message_token);
+}
+
+OM_uint32 _gss_spnego_verify_mic
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t message_buffer,
+            const gss_buffer_t token_buffer,
+            gss_qop_t * qop_state
+           )
+{
+    gssspnego_ctx ctx;
+
+    *minor_status = 0;
+
+    if (context_handle == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    ctx = (gssspnego_ctx)context_handle;
+
+    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    return gss_verify_mic(minor_status,
+			  ctx->negotiated_ctx_id,
+			  message_buffer,
+			  token_buffer,
+			  qop_state);
+}
+
+OM_uint32 _gss_spnego_wrap
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            int conf_req_flag,
+            gss_qop_t qop_req,
+            const gss_buffer_t input_message_buffer,
+            int * conf_state,
+            gss_buffer_t output_message_buffer
+           )
+{
+    gssspnego_ctx ctx;
+
+    *minor_status = 0;
+
+    if (context_handle == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    ctx = (gssspnego_ctx)context_handle;
+
+    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    return gss_wrap(minor_status,
+		    ctx->negotiated_ctx_id,
+		    conf_req_flag,
+		    qop_req,
+		    input_message_buffer,
+		    conf_state,
+		    output_message_buffer);
+}
+
+OM_uint32 _gss_spnego_unwrap
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t input_message_buffer,
+            gss_buffer_t output_message_buffer,
+            int * conf_state,
+            gss_qop_t * qop_state
+           )
+{
+    gssspnego_ctx ctx;
+
+    *minor_status = 0;
+
+    if (context_handle == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    ctx = (gssspnego_ctx)context_handle;
+
+    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    return gss_unwrap(minor_status,
+		      ctx->negotiated_ctx_id,
+		      input_message_buffer,
+		      output_message_buffer,
+		      conf_state,
+		      qop_state);
+}
+
+OM_uint32 _gss_spnego_display_status
+           (OM_uint32 * minor_status,
+            OM_uint32 status_value,
+            int status_type,
+            const gss_OID mech_type,
+            OM_uint32 * message_context,
+            gss_buffer_t status_string
+           )
+{
+    return GSS_S_FAILURE;
+}
+
+OM_uint32 _gss_spnego_compare_name
+           (OM_uint32 *minor_status,
+            const gss_name_t name1,
+            const gss_name_t name2,
+            int * name_equal
+           )
+{
+    spnego_name n1 = (spnego_name)name1;
+    spnego_name n2 = (spnego_name)name2;
+
+    *name_equal = 0;
+
+    if (!gss_oid_equal(&n1->type, &n2->type))
+	return GSS_S_COMPLETE;
+    if (n1->value.length != n2->value.length)
+	return GSS_S_COMPLETE;
+    if (memcmp(n1->value.value, n2->value.value, n2->value.length) != 0)
+	return GSS_S_COMPLETE;
+
+    *name_equal = 1;
+
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32 _gss_spnego_display_name
+           (OM_uint32 * minor_status,
+            const gss_name_t input_name,
+            gss_buffer_t output_name_buffer,
+            gss_OID * output_name_type
+           )
+{
+    spnego_name name = (spnego_name)input_name;
+
+    *minor_status = 0;
+
+    if (name == NULL || name->mech == GSS_C_NO_NAME)
+	return GSS_S_FAILURE;
+
+    return gss_display_name(minor_status, name->mech,
+			    output_name_buffer, output_name_type);
+}
+
+OM_uint32 _gss_spnego_import_name
+           (OM_uint32 * minor_status,
+            const gss_buffer_t name_buffer,
+            const gss_OID name_type,
+            gss_name_t * output_name
+           )
+{
+    spnego_name name;
+    OM_uint32 maj_stat;
+
+    *minor_status = 0;
+
+    name = calloc(1, sizeof(*name));
+    if (name == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+    
+    maj_stat = _gss_copy_oid(minor_status, name_type, &name->type);
+    if (maj_stat) {
+	free(name);
+	return GSS_S_FAILURE;
+    }
+    
+    maj_stat = _gss_copy_buffer(minor_status, name_buffer, &name->value);
+    if (maj_stat) {
+	gss_name_t rname = (gss_name_t)name;
+	_gss_spnego_release_name(minor_status, &rname);
+	return GSS_S_FAILURE;
+    }
+    name->mech = GSS_C_NO_NAME;
+    *output_name = (gss_name_t)name;
+
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32 _gss_spnego_export_name
+           (OM_uint32  * minor_status,
+            const gss_name_t input_name,
+            gss_buffer_t exported_name
+           )
+{
+    spnego_name name;
+    *minor_status = 0;
+
+    if (input_name == GSS_C_NO_NAME)
+	return GSS_S_BAD_NAME;
+
+    name = (spnego_name)input_name;
+    if (name->mech == GSS_C_NO_NAME)
+	return GSS_S_BAD_NAME;
+
+    return gss_export_name(minor_status, name->mech, exported_name);
+}
+
+OM_uint32 _gss_spnego_release_name
+           (OM_uint32 * minor_status,
+            gss_name_t * input_name
+           )
+{
+    *minor_status = 0;
+
+    if (*input_name != GSS_C_NO_NAME) {
+	OM_uint32 junk;
+	spnego_name name = (spnego_name)*input_name;
+	_gss_free_oid(&junk, &name->type);
+	gss_release_buffer(&junk, &name->value);
+	if (name->mech != GSS_C_NO_NAME)
+	    gss_release_name(&junk, &name->mech);
+	free(name);
+
+	*input_name = GSS_C_NO_NAME;
+    }
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32 _gss_spnego_inquire_context (
+            OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            gss_name_t * src_name,
+            gss_name_t * targ_name,
+            OM_uint32 * lifetime_rec,
+            gss_OID * mech_type,
+            OM_uint32 * ctx_flags,
+            int * locally_initiated,
+            int * open_context
+           )
+{
+    gssspnego_ctx ctx;
+
+    *minor_status = 0;
+
+    if (context_handle == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    ctx = (gssspnego_ctx)context_handle;
+
+    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    return gss_inquire_context(minor_status,
+			       ctx->negotiated_ctx_id,
+			       src_name,
+			       targ_name,
+			       lifetime_rec,
+			       mech_type,
+			       ctx_flags,
+			       locally_initiated,
+			       open_context);
+}
+
+OM_uint32 _gss_spnego_wrap_size_limit (
+            OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            int conf_req_flag,
+            gss_qop_t qop_req,
+            OM_uint32 req_output_size,
+            OM_uint32 * max_input_size
+           )
+{
+    gssspnego_ctx ctx;
+
+    *minor_status = 0;
+
+    if (context_handle == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    ctx = (gssspnego_ctx)context_handle;
+
+    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    return gss_wrap_size_limit(minor_status,
+			       ctx->negotiated_ctx_id,
+			       conf_req_flag,
+			       qop_req,
+			       req_output_size,
+			       max_input_size);
+}
+
+OM_uint32 _gss_spnego_export_sec_context (
+            OM_uint32 * minor_status,
+            gss_ctx_id_t * context_handle,
+            gss_buffer_t interprocess_token
+           )
+{
+    gssspnego_ctx ctx;
+    OM_uint32 ret;
+
+    *minor_status = 0;
+
+    if (context_handle == NULL) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    ctx = (gssspnego_ctx)*context_handle;
+
+    if (ctx == NULL)
+	return GSS_S_NO_CONTEXT;
+
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+
+    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+	return GSS_S_NO_CONTEXT;
+    }
+
+    ret = gss_export_sec_context(minor_status,
+				 &ctx->negotiated_ctx_id,
+				 interprocess_token);
+    if (ret == GSS_S_COMPLETE) {
+	ret = _gss_spnego_internal_delete_sec_context(minor_status,
+					     context_handle,
+					     GSS_C_NO_BUFFER);
+	if (ret == GSS_S_COMPLETE)
+	    return GSS_S_COMPLETE;
+    }
+
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+
+    return ret;
+}
+
+OM_uint32 _gss_spnego_import_sec_context (
+            OM_uint32 * minor_status,
+            const gss_buffer_t interprocess_token,
+            gss_ctx_id_t *context_handle
+           )
+{
+    OM_uint32 ret, minor;
+    gss_ctx_id_t context;
+    gssspnego_ctx ctx;
+
+    ret = _gss_spnego_alloc_sec_context(minor_status, &context);
+    if (ret != GSS_S_COMPLETE) {
+	return ret;
+    }
+    ctx = (gssspnego_ctx)context;
+
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+
+    ret = gss_import_sec_context(minor_status,
+				 interprocess_token,
+				 &ctx->negotiated_ctx_id);
+    if (ret != GSS_S_COMPLETE) {
+	_gss_spnego_internal_delete_sec_context(&minor, context_handle, GSS_C_NO_BUFFER);
+	return ret;
+    }
+
+    ctx->open = 1;
+    /* don't bother filling in the rest of the fields */
+
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+
+    *context_handle = (gss_ctx_id_t)ctx;
+
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32 _gss_spnego_inquire_names_for_mech (
+            OM_uint32 * minor_status,
+            const gss_OID mechanism,
+            gss_OID_set * name_types
+           )
+{
+    gss_OID_set mechs, names, n;
+    OM_uint32 ret, junk;
+    int i, j;
+
+    *name_types = NULL;
+
+    ret = spnego_supported_mechs(minor_status, &mechs);
+    if (ret != GSS_S_COMPLETE)
+	return ret;
+
+    ret = gss_create_empty_oid_set(minor_status, &names);
+    if (ret != GSS_S_COMPLETE)
+	goto out;
+
+    for (i = 0; i < mechs->count; i++) {
+	ret = gss_inquire_names_for_mech(minor_status,
+					 &mechs->elements[i],
+					 &n);
+	if (ret)
+	    continue;
+
+	for (j = 0; j < n->count; j++)
+	    gss_add_oid_set_member(minor_status,
+				   &n->elements[j],
+				   &names);
+	gss_release_oid_set(&junk, &n);
+    }
+
+    ret = GSS_S_COMPLETE;
+    *name_types = names;
+out:
+
+    gss_release_oid_set(&junk, &mechs);
+
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32 _gss_spnego_inquire_mechs_for_name (
+            OM_uint32 * minor_status,
+            const gss_name_t input_name,
+            gss_OID_set * mech_types
+           )
+{
+    OM_uint32 ret, junk;
+
+    ret = gss_create_empty_oid_set(minor_status, mech_types);
+    if (ret)
+	return ret;
+
+    ret = gss_add_oid_set_member(minor_status,
+				 GSS_SPNEGO_MECHANISM,
+				 mech_types);
+    if (ret)
+	gss_release_oid_set(&junk, mech_types);
+
+    return ret;
+}
+
+OM_uint32 _gss_spnego_canonicalize_name (
+            OM_uint32 * minor_status,
+            const gss_name_t input_name,
+            const gss_OID mech_type,
+            gss_name_t * output_name
+           )
+{
+    /* XXX */
+    return gss_duplicate_name(minor_status, input_name, output_name);
+}
+
+OM_uint32 _gss_spnego_duplicate_name (
+            OM_uint32 * minor_status,
+            const gss_name_t src_name,
+            gss_name_t * dest_name
+           )
+{
+    return gss_duplicate_name(minor_status, src_name, dest_name);
+}
+
+OM_uint32 _gss_spnego_sign
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t context_handle,
+            int qop_req,
+            gss_buffer_t message_buffer,
+            gss_buffer_t message_token
+           )
+{
+    gssspnego_ctx ctx;
+
+    *minor_status = 0;
+
+    if (context_handle == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    ctx = (gssspnego_ctx)context_handle;
+
+    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    return gss_sign(minor_status,
+		    ctx->negotiated_ctx_id,
+		    qop_req,
+		    message_buffer,
+		    message_token);
+}
+
+OM_uint32 _gss_spnego_verify
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t context_handle,
+            gss_buffer_t message_buffer,
+            gss_buffer_t token_buffer,
+            int * qop_state
+           )
+{
+    gssspnego_ctx ctx;
+
+    *minor_status = 0;
+
+    if (context_handle == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    ctx = (gssspnego_ctx)context_handle;
+
+    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    return gss_verify(minor_status,
+		      ctx->negotiated_ctx_id,
+		      message_buffer,
+		      token_buffer,
+		      qop_state);
+}
+
+OM_uint32 _gss_spnego_seal
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t context_handle,
+            int conf_req_flag,
+            int qop_req,
+            gss_buffer_t input_message_buffer,
+            int * conf_state,
+            gss_buffer_t output_message_buffer
+           )
+{
+    gssspnego_ctx ctx;
+
+    *minor_status = 0;
+
+    if (context_handle == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    ctx = (gssspnego_ctx)context_handle;
+
+    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    return gss_seal(minor_status,
+		    ctx->negotiated_ctx_id,
+		    conf_req_flag,
+		    qop_req,
+		    input_message_buffer,
+		    conf_state,
+		    output_message_buffer);
+}
+
+OM_uint32 _gss_spnego_unseal
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t context_handle,
+            gss_buffer_t input_message_buffer,
+            gss_buffer_t output_message_buffer,
+            int * conf_state,
+            int * qop_state
+           )
+{
+    gssspnego_ctx ctx;
+
+    *minor_status = 0;
+
+    if (context_handle == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    ctx = (gssspnego_ctx)context_handle;
+
+    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    return gss_unseal(minor_status,
+		      ctx->negotiated_ctx_id,
+		      input_message_buffer,
+		      output_message_buffer,
+		      conf_state,
+		      qop_state);
+}
+
+#if 0
+OM_uint32 _gss_spnego_unwrap_ex
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+	    const gss_buffer_t token_header_buffer,
+	    const gss_buffer_t associated_data_buffer,
+	    const gss_buffer_t input_message_buffer,
+	    gss_buffer_t output_message_buffer,
+	    int * conf_state,
+	    gss_qop_t * qop_state)
+{
+    gssspnego_ctx ctx;
+
+    *minor_status = 0;
+
+    if (context_handle == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    ctx = (gssspnego_ctx)context_handle;
+
+    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    return gss_unwrap_ex(minor_status,
+			 ctx->negotiated_ctx_id,
+			 token_header_buffer,
+			 associated_data_buffer,
+			 input_message_buffer,
+			 output_message_buffer,
+			 conf_state,
+			 qop_state);
+}
+
+OM_uint32 _gss_spnego_wrap_ex
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            int conf_req_flag,
+            gss_qop_t qop_req,
+            const gss_buffer_t associated_data_buffer,
+            const gss_buffer_t input_message_buffer,
+            int * conf_state,
+            gss_buffer_t output_token_buffer,
+            gss_buffer_t output_message_buffer
+	   )
+{
+    gssspnego_ctx ctx;
+
+    *minor_status = 0;
+
+    if (context_handle == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    ctx = (gssspnego_ctx)context_handle;
+
+    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    if ((ctx->mech_flags & GSS_C_DCE_STYLE) == 0 &&
+	associated_data_buffer->length != input_message_buffer->length) {
+	*minor_status = EINVAL;
+	return GSS_S_BAD_QOP;
+    }
+
+    return gss_wrap_ex(minor_status,
+		       ctx->negotiated_ctx_id,
+		       conf_req_flag,
+		       qop_req,
+		       associated_data_buffer,
+		       input_message_buffer,
+		       conf_state,
+		       output_token_buffer,
+		       output_message_buffer);
+}
+
+OM_uint32 _gss_spnego_complete_auth_token
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+	    gss_buffer_t input_message_buffer)
+{
+    gssspnego_ctx ctx;
+
+    *minor_status = 0;
+
+    if (context_handle == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    ctx = (gssspnego_ctx)context_handle;
+
+    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    return gss_complete_auth_token(minor_status,
+				   ctx->negotiated_ctx_id,
+				   input_message_buffer);
+}
+#endif
+
+OM_uint32 _gss_spnego_inquire_sec_context_by_oid
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_OID desired_object,
+            gss_buffer_set_t *data_set)
+{
+    gssspnego_ctx ctx;
+
+    *minor_status = 0;
+
+    if (context_handle == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    ctx = (gssspnego_ctx)context_handle;
+
+    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    return gss_inquire_sec_context_by_oid(minor_status,
+					  ctx->negotiated_ctx_id,
+					  desired_object,
+					  data_set);
+}
+
+OM_uint32 _gss_spnego_set_sec_context_option
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t * context_handle,
+            const gss_OID desired_object,
+            const gss_buffer_t value)
+{
+    gssspnego_ctx ctx;
+
+    *minor_status = 0;
+
+    if (context_handle == NULL || *context_handle == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    ctx = (gssspnego_ctx)context_handle;
+
+    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+	return GSS_S_NO_CONTEXT;
+    }
+
+    return gss_set_sec_context_option(minor_status,
+				      &ctx->negotiated_ctx_id,
+				      desired_object,
+				      value);
+}
+
diff --git a/crypto/heimdal/lib/gssapi/spnego/cred_stubs.c b/crypto/heimdal/lib/gssapi/spnego/cred_stubs.c
new file mode 100644
index 0000000..2362e99
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/spnego/cred_stubs.c
@@ -0,0 +1,336 @@
+/*
+ * Copyright (c) 2004, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "spnego/spnego_locl.h"
+
+RCSID("$Id: cred_stubs.c 20619 2007-05-08 13:43:45Z lha $");
+
+OM_uint32
+_gss_spnego_release_cred(OM_uint32 *minor_status, gss_cred_id_t *cred_handle)
+{
+    gssspnego_cred cred;
+    OM_uint32 ret;
+    
+    *minor_status = 0;
+
+    if (*cred_handle == GSS_C_NO_CREDENTIAL) {
+	return GSS_S_COMPLETE;
+    }
+    cred = (gssspnego_cred)*cred_handle;
+
+    ret = gss_release_cred(minor_status, &cred->negotiated_cred_id);
+
+    free(cred);
+    *cred_handle = GSS_C_NO_CREDENTIAL;
+
+    return ret;
+}
+
+OM_uint32
+_gss_spnego_alloc_cred(OM_uint32 *minor_status,
+		       gss_cred_id_t mech_cred_handle,
+		       gss_cred_id_t *cred_handle)
+{
+    gssspnego_cred cred;
+
+    if (*cred_handle != GSS_C_NO_CREDENTIAL) {
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    cred = calloc(1, sizeof(*cred));
+    if (cred == NULL) {
+	*cred_handle = GSS_C_NO_CREDENTIAL;
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    cred->negotiated_cred_id = mech_cred_handle;
+
+    *cred_handle = (gss_cred_id_t)cred;
+
+    return GSS_S_COMPLETE; 
+}
+
+/*
+ * For now, just a simple wrapper that avoids recursion. When
+ * we support gss_{get,set}_neg_mechs() we will need to expose
+ * more functionality.
+ */
+OM_uint32 _gss_spnego_acquire_cred
+(OM_uint32 *minor_status,
+ const gss_name_t desired_name,
+ OM_uint32 time_req,
+ const gss_OID_set desired_mechs,
+ gss_cred_usage_t cred_usage,
+ gss_cred_id_t * output_cred_handle,
+ gss_OID_set * actual_mechs,
+ OM_uint32 * time_rec
+    )
+{
+    const spnego_name dname = (const spnego_name)desired_name;
+    gss_name_t name = GSS_C_NO_NAME;
+    OM_uint32 ret, tmp;
+    gss_OID_set_desc actual_desired_mechs;
+    gss_OID_set mechs;
+    int i, j;
+    gss_cred_id_t cred_handle = GSS_C_NO_CREDENTIAL;
+    gssspnego_cred cred;
+
+    *output_cred_handle = GSS_C_NO_CREDENTIAL;
+
+    if (dname) {
+	ret = gss_import_name(minor_status, &dname->value, &dname->type, &name);
+	if (ret) {
+	    return ret;
+	}
+    }
+    
+    ret = gss_indicate_mechs(minor_status, &mechs);
+    if (ret != GSS_S_COMPLETE) {
+	gss_release_name(minor_status, &name);
+	return ret;
+    }
+
+    /* Remove ourselves from this list */
+    actual_desired_mechs.count = mechs->count;
+    actual_desired_mechs.elements = malloc(actual_desired_mechs.count *
+					   sizeof(gss_OID_desc));
+    if (actual_desired_mechs.elements == NULL) {
+	*minor_status = ENOMEM;
+	ret = GSS_S_FAILURE;
+	goto out;
+    }
+
+    for (i = 0, j = 0; i < mechs->count; i++) {
+	if (gss_oid_equal(&mechs->elements[i], GSS_SPNEGO_MECHANISM))
+	    continue;
+
+	actual_desired_mechs.elements[j] = mechs->elements[i];
+	j++;
+    }
+    actual_desired_mechs.count = j;
+
+    ret = _gss_spnego_alloc_cred(minor_status, GSS_C_NO_CREDENTIAL,
+				 &cred_handle);
+    if (ret != GSS_S_COMPLETE)
+	goto out;
+
+    cred = (gssspnego_cred)cred_handle;
+    ret = gss_acquire_cred(minor_status, name,
+			   time_req, &actual_desired_mechs,
+			   cred_usage,
+			   &cred->negotiated_cred_id,
+			   actual_mechs, time_rec);
+    if (ret != GSS_S_COMPLETE)
+	goto out;
+
+    *output_cred_handle = cred_handle;
+
+out:
+    gss_release_name(minor_status, &name);
+    gss_release_oid_set(&tmp, &mechs);
+    if (actual_desired_mechs.elements != NULL) {
+	free(actual_desired_mechs.elements);
+    }
+    if (ret != GSS_S_COMPLETE) {
+	_gss_spnego_release_cred(&tmp, &cred_handle);
+    }
+
+    return ret;
+}
+
+OM_uint32 _gss_spnego_inquire_cred
+           (OM_uint32 * minor_status,
+            const gss_cred_id_t cred_handle,
+            gss_name_t * name,
+            OM_uint32 * lifetime,
+            gss_cred_usage_t * cred_usage,
+            gss_OID_set * mechanisms
+           )
+{
+    gssspnego_cred cred;
+    spnego_name sname = NULL;
+    OM_uint32 ret;
+
+    if (cred_handle == GSS_C_NO_CREDENTIAL) {
+	*minor_status = 0;
+	return GSS_S_NO_CRED;
+    }
+
+    if (name) {
+	sname = calloc(1, sizeof(*sname));
+	if (sname == NULL) {
+	    *minor_status = ENOMEM;
+	    return GSS_S_FAILURE;
+	}
+    }
+
+    cred = (gssspnego_cred)cred_handle;
+
+    ret = gss_inquire_cred(minor_status,
+			   cred->negotiated_cred_id,
+			   sname ? &sname->mech : NULL,
+			   lifetime,
+			   cred_usage,
+			   mechanisms);
+    if (ret) {
+	if (sname)
+	    free(sname);
+	return ret;
+    }
+    if (name)
+	*name = (gss_name_t)sname;
+
+    return ret;
+}
+
+OM_uint32 _gss_spnego_add_cred (
+            OM_uint32 * minor_status,
+            const gss_cred_id_t input_cred_handle,
+            const gss_name_t desired_name,
+            const gss_OID desired_mech,
+            gss_cred_usage_t cred_usage,
+            OM_uint32 initiator_time_req,
+            OM_uint32 acceptor_time_req,
+            gss_cred_id_t * output_cred_handle,
+            gss_OID_set * actual_mechs,
+            OM_uint32 * initiator_time_rec,
+            OM_uint32 * acceptor_time_rec
+           )
+{
+    gss_cred_id_t spnego_output_cred_handle = GSS_C_NO_CREDENTIAL;
+    OM_uint32 ret, tmp;
+    gssspnego_cred input_cred, output_cred;
+
+    *output_cred_handle = GSS_C_NO_CREDENTIAL;
+
+    ret = _gss_spnego_alloc_cred(minor_status, GSS_C_NO_CREDENTIAL,
+				 &spnego_output_cred_handle);
+    if (ret)
+	return ret;
+
+    input_cred = (gssspnego_cred)input_cred_handle;
+    output_cred = (gssspnego_cred)spnego_output_cred_handle;
+
+    ret = gss_add_cred(minor_status,
+		       input_cred->negotiated_cred_id,
+		       desired_name,
+		       desired_mech,
+		       cred_usage,
+		       initiator_time_req,
+		       acceptor_time_req,
+		       &output_cred->negotiated_cred_id,
+		       actual_mechs,
+		       initiator_time_rec,
+		       acceptor_time_rec);
+    if (ret) {
+	_gss_spnego_release_cred(&tmp, &spnego_output_cred_handle);
+	return ret;
+    }
+
+    *output_cred_handle = spnego_output_cred_handle;
+
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32 _gss_spnego_inquire_cred_by_mech (
+            OM_uint32 * minor_status,
+            const gss_cred_id_t cred_handle,
+            const gss_OID mech_type,
+            gss_name_t * name,
+            OM_uint32 * initiator_lifetime,
+            OM_uint32 * acceptor_lifetime,
+            gss_cred_usage_t * cred_usage
+           )
+{
+    gssspnego_cred cred;
+    spnego_name sname = NULL;
+    OM_uint32 ret;
+
+    if (cred_handle == GSS_C_NO_CREDENTIAL) {
+	*minor_status = 0;
+	return GSS_S_NO_CRED;
+    }
+
+    if (name) {
+	sname = calloc(1, sizeof(*sname));
+	if (sname == NULL) {
+	    *minor_status = ENOMEM;
+	    return GSS_S_FAILURE;
+	}
+    }
+
+    cred = (gssspnego_cred)cred_handle;
+
+    ret = gss_inquire_cred_by_mech(minor_status,
+				   cred->negotiated_cred_id,
+				   mech_type,
+				   sname ? &sname->mech : NULL,
+				   initiator_lifetime,
+				   acceptor_lifetime,
+				   cred_usage);
+
+    if (ret) {
+	if (sname)
+	    free(sname);
+	return ret;
+    }
+    if (name)
+	*name = (gss_name_t)sname;
+
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32 _gss_spnego_inquire_cred_by_oid
+           (OM_uint32 * minor_status,
+            const gss_cred_id_t cred_handle,
+            const gss_OID desired_object,
+            gss_buffer_set_t *data_set)
+{
+    gssspnego_cred cred;
+    OM_uint32 ret;
+
+    if (cred_handle == GSS_C_NO_CREDENTIAL) {
+	*minor_status = 0;
+	return GSS_S_NO_CRED;
+    }
+    cred = (gssspnego_cred)cred_handle;
+
+    ret = gss_inquire_cred_by_oid(minor_status,
+				  cred->negotiated_cred_id,
+				  desired_object,
+				  data_set);
+
+    return ret;
+}
+
diff --git a/crypto/heimdal/lib/gssapi/spnego/external.c b/crypto/heimdal/lib/gssapi/spnego/external.c
new file mode 100644
index 0000000..fbc231f
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/spnego/external.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 2004, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "spnego/spnego_locl.h"
+#include <gssapi_mech.h>
+
+RCSID("$Id: external.c 18336 2006-10-07 22:27:13Z lha $");
+
+/*
+ * RFC2478, SPNEGO:
+ *  The security mechanism of the initial
+ *  negotiation token is identified by the Object Identifier
+ *  iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2).
+ */
+
+static gssapi_mech_interface_desc spnego_mech = {
+    GMI_VERSION,
+    "spnego",
+    {6, (void *)"\x2b\x06\x01\x05\x05\x02"},
+    _gss_spnego_acquire_cred,
+    _gss_spnego_release_cred,
+    _gss_spnego_init_sec_context,
+    _gss_spnego_accept_sec_context,
+    _gss_spnego_process_context_token,
+    _gss_spnego_internal_delete_sec_context,
+    _gss_spnego_context_time,
+    _gss_spnego_get_mic,
+    _gss_spnego_verify_mic,
+    _gss_spnego_wrap,
+    _gss_spnego_unwrap,
+    _gss_spnego_display_status,
+    NULL,
+    _gss_spnego_compare_name,
+    _gss_spnego_display_name,
+    _gss_spnego_import_name,
+    _gss_spnego_export_name,
+    _gss_spnego_release_name,
+    _gss_spnego_inquire_cred,
+    _gss_spnego_inquire_context,
+    _gss_spnego_wrap_size_limit,
+    _gss_spnego_add_cred,
+    _gss_spnego_inquire_cred_by_mech,
+    _gss_spnego_export_sec_context,
+    _gss_spnego_import_sec_context,
+    _gss_spnego_inquire_names_for_mech,
+    _gss_spnego_inquire_mechs_for_name,
+    _gss_spnego_canonicalize_name,
+    _gss_spnego_duplicate_name
+};
+
+gssapi_mech_interface
+__gss_spnego_initialize(void)
+{
+	return &spnego_mech;
+}
+
+static gss_OID_desc _gss_spnego_mechanism_desc = 
+    {6, (void *)"\x2b\x06\x01\x05\x05\x02"};
+
+gss_OID GSS_SPNEGO_MECHANISM = &_gss_spnego_mechanism_desc;
diff --git a/crypto/heimdal/lib/gssapi/spnego/init_sec_context.c b/crypto/heimdal/lib/gssapi/spnego/init_sec_context.c
new file mode 100644
index 0000000..7c74981
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/spnego/init_sec_context.c
@@ -0,0 +1,663 @@
+/*
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * Portions Copyright (c) 2004 PADL Software Pty Ltd.
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "spnego/spnego_locl.h"
+
+RCSID("$Id: init_sec_context.c 19411 2006-12-18 15:42:03Z lha $");
+
+/*
+ * Is target_name an sane target for `mech´.
+ */
+
+static OM_uint32
+initiator_approved(gss_name_t target_name, gss_OID mech)
+{
+    OM_uint32 min_stat, maj_stat;
+    gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
+    gss_buffer_desc out;
+    
+    maj_stat = gss_init_sec_context(&min_stat,
+				    GSS_C_NO_CREDENTIAL,
+				    &ctx,
+				    target_name,
+				    mech,
+				    0,
+				    GSS_C_INDEFINITE,
+				    GSS_C_NO_CHANNEL_BINDINGS,
+				    GSS_C_NO_BUFFER,
+				    NULL,
+				    &out,
+				    NULL,
+				    NULL);
+    if (GSS_ERROR(maj_stat))
+	return GSS_S_BAD_MECH;
+    gss_release_buffer(&min_stat, &out);
+    gss_delete_sec_context(&min_stat, &ctx, NULL);
+
+    return GSS_S_COMPLETE;
+}
+
+/*
+ * Send a reply. Note that we only need to send a reply if we
+ * need to send a MIC or a mechanism token. Otherwise, we can
+ * return an empty buffer.
+ *
+ * The return value of this will be returned to the API, so it
+ * must return GSS_S_CONTINUE_NEEDED if a token was generated.
+ */
+static OM_uint32
+spnego_reply_internal(OM_uint32 *minor_status,
+		      gssspnego_ctx context_handle,
+		      const gss_buffer_t mech_buf,
+		      gss_buffer_t mech_token,
+		      gss_buffer_t output_token)
+{
+    NegotiationToken nt;
+    gss_buffer_desc mic_buf;
+    OM_uint32 ret;
+    size_t size;
+
+    if (mech_buf == GSS_C_NO_BUFFER && mech_token->length == 0) {
+	output_token->length = 0;
+	output_token->value = NULL;
+
+	return context_handle->open ? GSS_S_COMPLETE : GSS_S_FAILURE;
+    }
+
+    memset(&nt, 0, sizeof(nt));
+
+    nt.element = choice_NegotiationToken_negTokenResp;
+
+    ALLOC(nt.u.negTokenResp.negResult, 1);
+    if (nt.u.negTokenResp.negResult == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    nt.u.negTokenResp.supportedMech = NULL;
+
+    output_token->length = 0;
+    output_token->value = NULL;
+
+    if (mech_token->length == 0) {
+	nt.u.negTokenResp.responseToken = NULL;
+	*(nt.u.negTokenResp.negResult)  = accept_completed;
+    } else {
+	ALLOC(nt.u.negTokenResp.responseToken, 1);
+	if (nt.u.negTokenResp.responseToken == NULL) {
+	    free_NegotiationToken(&nt);
+	    *minor_status = ENOMEM;
+	    return GSS_S_FAILURE;
+	}
+	nt.u.negTokenResp.responseToken->length = mech_token->length;
+	nt.u.negTokenResp.responseToken->data   = mech_token->value;
+	mech_token->length = 0;
+	mech_token->value  = NULL;
+
+	*(nt.u.negTokenResp.negResult)  = accept_incomplete;
+    }
+
+    if (mech_buf != GSS_C_NO_BUFFER) {
+
+	ret = gss_get_mic(minor_status,
+			  context_handle->negotiated_ctx_id,
+			  0,
+			  mech_buf,
+			  &mic_buf);
+	if (ret == GSS_S_COMPLETE) {
+	    ALLOC(nt.u.negTokenResp.mechListMIC, 1);
+	    if (nt.u.negTokenResp.mechListMIC == NULL) {
+		gss_release_buffer(minor_status, &mic_buf);
+		free_NegotiationToken(&nt);
+		*minor_status = ENOMEM;
+		return GSS_S_FAILURE;
+	    }
+
+	    nt.u.negTokenResp.mechListMIC->length = mic_buf.length;
+	    nt.u.negTokenResp.mechListMIC->data   = mic_buf.value;
+	} else if (ret == GSS_S_UNAVAILABLE) {
+	    nt.u.negTokenResp.mechListMIC = NULL;
+	} if (ret) {
+	    free_NegotiationToken(&nt);
+	    *minor_status = ENOMEM;
+	    return GSS_S_FAILURE;
+	}
+    } else {
+	nt.u.negTokenResp.mechListMIC = NULL;
+    }
+
+    ASN1_MALLOC_ENCODE(NegotiationToken,
+		       output_token->value, output_token->length,
+		       &nt, &size, ret);
+    if (ret) {
+	free_NegotiationToken(&nt);
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    if (*(nt.u.negTokenResp.negResult) == accept_completed)
+	ret = GSS_S_COMPLETE;
+    else
+	ret = GSS_S_CONTINUE_NEEDED;
+
+    free_NegotiationToken(&nt);
+    return ret;
+}
+
+static OM_uint32
+spnego_initial
+           (OM_uint32 * minor_status,
+	    gssspnego_cred cred,
+            gss_ctx_id_t * context_handle,
+            const gss_name_t target_name,
+            const gss_OID mech_type,
+            OM_uint32 req_flags,
+            OM_uint32 time_req,
+            const gss_channel_bindings_t input_chan_bindings,
+            const gss_buffer_t input_token,
+            gss_OID * actual_mech_type,
+            gss_buffer_t output_token,
+            OM_uint32 * ret_flags,
+            OM_uint32 * time_rec
+    )
+{
+    NegTokenInit ni;
+    int ret;
+    OM_uint32 sub, minor;
+    gss_buffer_desc mech_token;
+    u_char *buf;
+    size_t buf_size, buf_len;
+    gss_buffer_desc data;
+    size_t ni_len;
+    gss_ctx_id_t context;
+    gssspnego_ctx ctx;
+    spnego_name name = (spnego_name)target_name;
+
+    *minor_status = 0;
+
+    memset (&ni, 0, sizeof(ni));
+
+    *context_handle = GSS_C_NO_CONTEXT;
+
+    if (target_name == GSS_C_NO_NAME)
+	return GSS_S_BAD_NAME;
+
+    sub = _gss_spnego_alloc_sec_context(&minor, &context);
+    if (GSS_ERROR(sub)) {
+	*minor_status = minor;
+	return sub;
+    }
+    ctx = (gssspnego_ctx)context;
+
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+
+    ctx->local = 1;
+
+    sub = gss_import_name(&minor, &name->value, &name->type, &ctx->target_name);
+    if (GSS_ERROR(sub)) {
+	*minor_status = minor;
+	_gss_spnego_internal_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER);
+	return sub;
+    }
+
+    sub = _gss_spnego_indicate_mechtypelist(&minor, 
+					    ctx->target_name,
+					    initiator_approved,
+					    0,
+					    cred,
+					    &ni.mechTypes,
+					    &ctx->preferred_mech_type);
+    if (GSS_ERROR(sub)) {
+	*minor_status = minor;
+	_gss_spnego_internal_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER);
+	return sub;
+    }
+
+    ni.reqFlags = NULL;
+
+    /*
+     * If we have a credential handle, use it to select the mechanism
+     * that we will use
+     */
+
+    /* generate optimistic token */
+    sub = gss_init_sec_context(&minor,
+			       (cred != NULL) ? cred->negotiated_cred_id :
+			          GSS_C_NO_CREDENTIAL,
+			       &ctx->negotiated_ctx_id,
+			       ctx->target_name,
+			       ctx->preferred_mech_type,
+			       req_flags,
+			       time_req,
+			       input_chan_bindings,
+			       input_token,
+			       &ctx->negotiated_mech_type,
+			       &mech_token,
+			       &ctx->mech_flags,
+			       &ctx->mech_time_rec);
+    if (GSS_ERROR(sub)) {
+	free_NegTokenInit(&ni);
+	*minor_status = minor;
+	_gss_spnego_internal_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER);
+	return sub;
+    }
+    if (sub == GSS_S_COMPLETE)
+	ctx->maybe_open = 1;
+
+    if (mech_token.length != 0) {
+	ALLOC(ni.mechToken, 1);
+	if (ni.mechToken == NULL) {
+	    free_NegTokenInit(&ni);
+	    gss_release_buffer(&minor, &mech_token);
+	    _gss_spnego_internal_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER);
+	    *minor_status = ENOMEM;
+	    return GSS_S_FAILURE;
+	}
+	ni.mechToken->length = mech_token.length;
+	ni.mechToken->data = malloc(mech_token.length);
+	if (ni.mechToken->data == NULL && mech_token.length != 0) {
+	    free_NegTokenInit(&ni);
+	    gss_release_buffer(&minor, &mech_token);
+	    *minor_status = ENOMEM;
+	    _gss_spnego_internal_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER);
+	    return GSS_S_FAILURE;
+	}
+	memcpy(ni.mechToken->data, mech_token.value, mech_token.length);
+	gss_release_buffer(&minor, &mech_token);
+    } else
+	ni.mechToken = NULL;
+
+    ni.mechListMIC = NULL;
+
+    ni_len = length_NegTokenInit(&ni);
+    buf_size = 1 + der_length_len(ni_len) + ni_len;
+
+    buf = malloc(buf_size);
+    if (buf == NULL) {
+	free_NegTokenInit(&ni);
+	*minor_status = ENOMEM;
+	_gss_spnego_internal_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER);
+	return GSS_S_FAILURE;
+    }
+
+    ret = encode_NegTokenInit(buf + buf_size - 1,
+			      ni_len,
+			      &ni, &buf_len);
+    if (ret == 0 && ni_len != buf_len)
+	abort();
+
+    if (ret == 0) {
+	size_t tmp;
+
+	ret = der_put_length_and_tag(buf + buf_size - buf_len - 1,
+				     buf_size - buf_len,
+				     buf_len,
+				     ASN1_C_CONTEXT,
+				     CONS,
+				     0,
+				     &tmp);
+	if (ret == 0 && tmp + buf_len != buf_size)
+	    abort();
+    }
+    if (ret) {
+	*minor_status = ret;
+	free(buf);
+	free_NegTokenInit(&ni);
+	_gss_spnego_internal_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER);
+	return GSS_S_FAILURE;
+    }
+
+    data.value  = buf;
+    data.length = buf_size;
+
+    ctx->initiator_mech_types.len = ni.mechTypes.len;
+    ctx->initiator_mech_types.val = ni.mechTypes.val;
+    ni.mechTypes.len = 0;
+    ni.mechTypes.val = NULL;
+ 
+    free_NegTokenInit(&ni);
+
+    sub = gss_encapsulate_token(&data,
+				GSS_SPNEGO_MECHANISM,
+				output_token);
+    free (buf);
+
+    if (sub) {
+	_gss_spnego_internal_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER);
+	return sub;
+    }
+
+    if (actual_mech_type)
+	*actual_mech_type = ctx->negotiated_mech_type;
+    if (ret_flags)
+	*ret_flags = ctx->mech_flags;
+    if (time_rec)
+	*time_rec = ctx->mech_time_rec;
+
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+
+    *context_handle = context;
+
+    return GSS_S_CONTINUE_NEEDED;
+}
+
+static OM_uint32
+spnego_reply
+           (OM_uint32 * minor_status,
+	    const gssspnego_cred cred,
+            gss_ctx_id_t * context_handle,
+            const gss_name_t target_name,
+            const gss_OID mech_type,
+            OM_uint32 req_flags,
+            OM_uint32 time_req,
+            const gss_channel_bindings_t input_chan_bindings,
+            const gss_buffer_t input_token,
+            gss_OID * actual_mech_type,
+            gss_buffer_t output_token,
+            OM_uint32 * ret_flags,
+            OM_uint32 * time_rec
+    )
+{
+    OM_uint32 ret, minor;
+    NegTokenResp resp;
+    size_t len, taglen;
+    gss_OID_desc mech;
+    int require_mic;
+    size_t buf_len;
+    gss_buffer_desc mic_buf, mech_buf;
+    gss_buffer_desc mech_output_token;
+    gssspnego_ctx ctx;
+
+    *minor_status = 0;
+
+    ctx = (gssspnego_ctx)*context_handle;
+
+    output_token->length = 0;
+    output_token->value  = NULL;
+
+    mech_output_token.length = 0;
+    mech_output_token.value = NULL;
+
+    mech_buf.value = NULL;
+    mech_buf.length = 0;
+
+    ret = der_match_tag_and_length(input_token->value, input_token->length,
+				   ASN1_C_CONTEXT, CONS, 1, &len, &taglen);
+    if (ret)
+	return ret;
+
+    if (len > input_token->length - taglen)
+	return ASN1_OVERRUN;
+
+    ret = decode_NegTokenResp((const unsigned char *)input_token->value+taglen,
+			      len, &resp, NULL);
+    if (ret) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    if (resp.negResult == NULL
+	|| *(resp.negResult) == reject
+	/* || resp.supportedMech == NULL */
+	)
+    {
+	free_NegTokenResp(&resp);
+	return GSS_S_BAD_MECH;
+    }
+
+    /*
+     * Pick up the mechanism that the acceptor selected, only allow it
+     * to be sent in packet.
+     */
+
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+
+    if (resp.supportedMech) {
+
+	if (ctx->oidlen) {
+	    free_NegTokenResp(&resp);
+	    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+	    return GSS_S_BAD_MECH;
+	}
+	ret = der_put_oid(ctx->oidbuf + sizeof(ctx->oidbuf) - 1,
+			  sizeof(ctx->oidbuf),
+			  resp.supportedMech,
+			  &ctx->oidlen);
+	/* Avoid recursively embedded SPNEGO */
+	if (ret || (ctx->oidlen == GSS_SPNEGO_MECHANISM->length &&
+		    memcmp(ctx->oidbuf + sizeof(ctx->oidbuf) - ctx->oidlen,
+			   GSS_SPNEGO_MECHANISM->elements,
+			   ctx->oidlen) == 0))
+	{
+	    free_NegTokenResp(&resp);
+	    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+	    return GSS_S_BAD_MECH;
+	}
+
+	/* check if the acceptor took our optimistic token */
+	if (ctx->oidlen != ctx->preferred_mech_type->length ||
+	    memcmp(ctx->oidbuf + sizeof(ctx->oidbuf) - ctx->oidlen,
+		   ctx->preferred_mech_type->elements,
+		   ctx->oidlen) != 0)
+	{
+	    gss_delete_sec_context(&minor, &ctx->negotiated_ctx_id, 
+				   GSS_C_NO_BUFFER);
+	    ctx->negotiated_ctx_id = GSS_C_NO_CONTEXT;
+	}
+    } else if (ctx->oidlen == 0) {
+	free_NegTokenResp(&resp);
+	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+	return GSS_S_BAD_MECH;
+    }
+
+    if (resp.responseToken != NULL || 
+	ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+	gss_buffer_desc mech_input_token;
+
+	if (resp.responseToken) {
+	    mech_input_token.length = resp.responseToken->length;
+	    mech_input_token.value  = resp.responseToken->data;
+	} else {
+	    mech_input_token.length = 0;
+	    mech_input_token.value = NULL;
+	}
+
+
+	mech.length = ctx->oidlen;
+	mech.elements = ctx->oidbuf + sizeof(ctx->oidbuf) - ctx->oidlen;
+
+	/* Fall through as if the negotiated mechanism
+	   was requested explicitly */
+	ret = gss_init_sec_context(&minor,
+				   (cred != NULL) ? cred->negotiated_cred_id :
+				       GSS_C_NO_CREDENTIAL,
+				   &ctx->negotiated_ctx_id,
+				   ctx->target_name,
+				   &mech,
+				   req_flags,
+				   time_req,
+				   input_chan_bindings,
+				   &mech_input_token,
+				   &ctx->negotiated_mech_type,
+				   &mech_output_token,
+				   &ctx->mech_flags,
+				   &ctx->mech_time_rec);
+	if (GSS_ERROR(ret)) {
+	    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+	    free_NegTokenResp(&resp);
+	    *minor_status = minor;
+	    return ret;
+	}
+	if (ret == GSS_S_COMPLETE) {
+	    ctx->open = 1;
+	}
+    } else if (*(resp.negResult) == accept_completed) {
+	if (ctx->maybe_open)
+	    ctx->open = 1;
+    }
+
+    if (*(resp.negResult) == request_mic) {
+	ctx->require_mic = 1;
+    }
+
+    if (ctx->open) {
+	/*
+	 * Verify the mechListMIC if one was provided or CFX was
+	 * used and a non-preferred mechanism was selected
+	 */
+	if (resp.mechListMIC != NULL) {
+	    require_mic = 1;
+	} else {
+	    ret = _gss_spnego_require_mechlist_mic(minor_status, ctx,
+						   &require_mic);
+	    if (ret) {
+		HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+		free_NegTokenResp(&resp);
+		gss_release_buffer(&minor, &mech_output_token);
+		return ret;
+	    }
+	}
+    } else {
+	require_mic = 0;
+    }
+
+    if (require_mic) {
+	ASN1_MALLOC_ENCODE(MechTypeList, mech_buf.value, mech_buf.length,
+			   &ctx->initiator_mech_types, &buf_len, ret);
+	if (ret) {
+	    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+	    free_NegTokenResp(&resp);
+	    gss_release_buffer(&minor, &mech_output_token);
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+	if (mech_buf.length != buf_len)
+	    abort();
+
+	if (resp.mechListMIC == NULL) {
+	    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+	    free(mech_buf.value);
+	    free_NegTokenResp(&resp);
+	    *minor_status = 0;
+	    return GSS_S_DEFECTIVE_TOKEN;
+	}
+	mic_buf.length = resp.mechListMIC->length;
+	mic_buf.value  = resp.mechListMIC->data;
+
+	if (mech_output_token.length == 0) {
+	    ret = gss_verify_mic(minor_status,
+				 ctx->negotiated_ctx_id,
+				 &mech_buf,
+				 &mic_buf,
+				 NULL);
+	   if (ret) {
+		HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+		free(mech_buf.value);
+		gss_release_buffer(&minor, &mech_output_token);
+		free_NegTokenResp(&resp);
+		return GSS_S_DEFECTIVE_TOKEN;
+	    }
+	    ctx->verified_mic = 1;
+	}
+    }
+
+    ret = spnego_reply_internal(minor_status, ctx,
+				require_mic ? &mech_buf : NULL,
+				&mech_output_token,
+				output_token);
+
+    if (mech_buf.value != NULL)
+	free(mech_buf.value);
+
+    free_NegTokenResp(&resp);
+    gss_release_buffer(&minor, &mech_output_token);
+
+    if (actual_mech_type)
+	*actual_mech_type = ctx->negotiated_mech_type;
+    if (ret_flags)
+	*ret_flags = ctx->mech_flags;
+    if (time_rec)
+	*time_rec = ctx->mech_time_rec;
+
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+    return ret;
+}
+
+OM_uint32 _gss_spnego_init_sec_context
+           (OM_uint32 * minor_status,
+            const gss_cred_id_t initiator_cred_handle,
+            gss_ctx_id_t * context_handle,
+            const gss_name_t target_name,
+            const gss_OID mech_type,
+            OM_uint32 req_flags,
+            OM_uint32 time_req,
+            const gss_channel_bindings_t input_chan_bindings,
+            const gss_buffer_t input_token,
+            gss_OID * actual_mech_type,
+            gss_buffer_t output_token,
+            OM_uint32 * ret_flags,
+            OM_uint32 * time_rec
+           )
+{
+    gssspnego_cred cred = (gssspnego_cred)initiator_cred_handle;
+
+    if (*context_handle == GSS_C_NO_CONTEXT)
+	return spnego_initial (minor_status,
+			       cred,
+			       context_handle,
+			       target_name,
+			       mech_type,
+			       req_flags,
+			       time_req,
+			       input_chan_bindings,
+			       input_token,
+			       actual_mech_type,
+			       output_token,
+			       ret_flags,
+			       time_rec);
+    else
+	return spnego_reply (minor_status,
+			     cred,
+			     context_handle,
+			     target_name,
+			     mech_type,
+			     req_flags,
+			     time_req,
+			     input_chan_bindings,
+			     input_token,
+			     actual_mech_type,
+			     output_token,
+			     ret_flags,
+			     time_rec);
+}
+
diff --git a/crypto/heimdal/lib/gssapi/spnego/spnego-private.h b/crypto/heimdal/lib/gssapi/spnego/spnego-private.h
new file mode 100644
index 0000000..d80db00
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/spnego/spnego-private.h
@@ -0,0 +1,330 @@
+/* This is a generated file */
+#ifndef __spnego_private_h__
+#define __spnego_private_h__
+
+#include <stdarg.h>
+
+gssapi_mech_interface
+__gss_spnego_initialize (void);
+
+OM_uint32
+_gss_spnego_accept_sec_context (
+	OM_uint32 * /*minor_status*/,
+	gss_ctx_id_t * /*context_handle*/,
+	const gss_cred_id_t /*acceptor_cred_handle*/,
+	const gss_buffer_t /*input_token_buffer*/,
+	const gss_channel_bindings_t /*input_chan_bindings*/,
+	gss_name_t * /*src_name*/,
+	gss_OID * /*mech_type*/,
+	gss_buffer_t /*output_token*/,
+	OM_uint32 * /*ret_flags*/,
+	OM_uint32 * /*time_rec*/,
+	gss_cred_id_t *delegated_cred_handle );
+
+OM_uint32
+_gss_spnego_acquire_cred (
+	OM_uint32 */*minor_status*/,
+	const gss_name_t /*desired_name*/,
+	OM_uint32 /*time_req*/,
+	const gss_OID_set /*desired_mechs*/,
+	gss_cred_usage_t /*cred_usage*/,
+	gss_cred_id_t * /*output_cred_handle*/,
+	gss_OID_set * /*actual_mechs*/,
+	OM_uint32 * time_rec );
+
+OM_uint32
+_gss_spnego_add_cred (
+	 OM_uint32 * /*minor_status*/,
+	const gss_cred_id_t /*input_cred_handle*/,
+	const gss_name_t /*desired_name*/,
+	const gss_OID /*desired_mech*/,
+	gss_cred_usage_t /*cred_usage*/,
+	OM_uint32 /*initiator_time_req*/,
+	OM_uint32 /*acceptor_time_req*/,
+	gss_cred_id_t * /*output_cred_handle*/,
+	gss_OID_set * /*actual_mechs*/,
+	OM_uint32 * /*initiator_time_rec*/,
+	OM_uint32 * acceptor_time_rec );
+
+OM_uint32
+_gss_spnego_alloc_cred (
+	OM_uint32 */*minor_status*/,
+	gss_cred_id_t /*mech_cred_handle*/,
+	gss_cred_id_t */*cred_handle*/);
+
+OM_uint32
+_gss_spnego_alloc_sec_context (
+	OM_uint32 * /*minor_status*/,
+	gss_ctx_id_t */*context_handle*/);
+
+OM_uint32
+_gss_spnego_canonicalize_name (
+	 OM_uint32 * /*minor_status*/,
+	const gss_name_t /*input_name*/,
+	const gss_OID /*mech_type*/,
+	gss_name_t * output_name );
+
+OM_uint32
+_gss_spnego_compare_name (
+	OM_uint32 */*minor_status*/,
+	const gss_name_t /*name1*/,
+	const gss_name_t /*name2*/,
+	int * name_equal );
+
+OM_uint32
+_gss_spnego_context_time (
+	OM_uint32 */*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	OM_uint32 *time_rec );
+
+OM_uint32
+_gss_spnego_delete_sec_context (
+	OM_uint32 */*minor_status*/,
+	gss_ctx_id_t */*context_handle*/,
+	gss_buffer_t output_token );
+
+OM_uint32
+_gss_spnego_display_name (
+	OM_uint32 * /*minor_status*/,
+	const gss_name_t /*input_name*/,
+	gss_buffer_t /*output_name_buffer*/,
+	gss_OID * output_name_type );
+
+OM_uint32
+_gss_spnego_display_status (
+	OM_uint32 * /*minor_status*/,
+	OM_uint32 /*status_value*/,
+	int /*status_type*/,
+	const gss_OID /*mech_type*/,
+	OM_uint32 * /*message_context*/,
+	gss_buffer_t status_string );
+
+OM_uint32
+_gss_spnego_duplicate_name (
+	 OM_uint32 * /*minor_status*/,
+	const gss_name_t /*src_name*/,
+	gss_name_t * dest_name );
+
+OM_uint32
+_gss_spnego_export_name (
+	OM_uint32 * /*minor_status*/,
+	const gss_name_t /*input_name*/,
+	gss_buffer_t exported_name );
+
+OM_uint32
+_gss_spnego_export_sec_context (
+	 OM_uint32 * /*minor_status*/,
+	gss_ctx_id_t * /*context_handle*/,
+	gss_buffer_t interprocess_token );
+
+OM_uint32
+_gss_spnego_get_mic (
+	OM_uint32 */*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	gss_qop_t /*qop_req*/,
+	const gss_buffer_t /*message_buffer*/,
+	gss_buffer_t message_token );
+
+OM_uint32
+_gss_spnego_import_name (
+	OM_uint32 * /*minor_status*/,
+	const gss_buffer_t /*name_buffer*/,
+	const gss_OID /*name_type*/,
+	gss_name_t * output_name );
+
+OM_uint32
+_gss_spnego_import_sec_context (
+	 OM_uint32 * /*minor_status*/,
+	const gss_buffer_t /*interprocess_token*/,
+	gss_ctx_id_t *context_handle );
+
+OM_uint32
+_gss_spnego_indicate_mechtypelist (
+	OM_uint32 */*minor_status*/,
+	gss_name_t /*target_name*/,
+	OM_uint32 (*/*func*/)(gss_name_t, gss_OID),
+	int /*includeMSCompatOID*/,
+	const gssspnego_cred /*cred_handle*/,
+	MechTypeList */*mechtypelist*/,
+	gss_OID */*preferred_mech*/);
+
+OM_uint32
+_gss_spnego_init_sec_context (
+	OM_uint32 * /*minor_status*/,
+	const gss_cred_id_t /*initiator_cred_handle*/,
+	gss_ctx_id_t * /*context_handle*/,
+	const gss_name_t /*target_name*/,
+	const gss_OID /*mech_type*/,
+	OM_uint32 /*req_flags*/,
+	OM_uint32 /*time_req*/,
+	const gss_channel_bindings_t /*input_chan_bindings*/,
+	const gss_buffer_t /*input_token*/,
+	gss_OID * /*actual_mech_type*/,
+	gss_buffer_t /*output_token*/,
+	OM_uint32 * /*ret_flags*/,
+	OM_uint32 * time_rec );
+
+OM_uint32
+_gss_spnego_inquire_context (
+	 OM_uint32 * /*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	gss_name_t * /*src_name*/,
+	gss_name_t * /*targ_name*/,
+	OM_uint32 * /*lifetime_rec*/,
+	gss_OID * /*mech_type*/,
+	OM_uint32 * /*ctx_flags*/,
+	int * /*locally_initiated*/,
+	int * open_context );
+
+OM_uint32
+_gss_spnego_inquire_cred (
+	OM_uint32 * /*minor_status*/,
+	const gss_cred_id_t /*cred_handle*/,
+	gss_name_t * /*name*/,
+	OM_uint32 * /*lifetime*/,
+	gss_cred_usage_t * /*cred_usage*/,
+	gss_OID_set * mechanisms );
+
+OM_uint32
+_gss_spnego_inquire_cred_by_mech (
+	 OM_uint32 * /*minor_status*/,
+	const gss_cred_id_t /*cred_handle*/,
+	const gss_OID /*mech_type*/,
+	gss_name_t * /*name*/,
+	OM_uint32 * /*initiator_lifetime*/,
+	OM_uint32 * /*acceptor_lifetime*/,
+	gss_cred_usage_t * cred_usage );
+
+OM_uint32
+_gss_spnego_inquire_cred_by_oid (
+	OM_uint32 * /*minor_status*/,
+	const gss_cred_id_t /*cred_handle*/,
+	const gss_OID /*desired_object*/,
+	gss_buffer_set_t */*data_set*/);
+
+OM_uint32
+_gss_spnego_inquire_mechs_for_name (
+	 OM_uint32 * /*minor_status*/,
+	const gss_name_t /*input_name*/,
+	gss_OID_set * mech_types );
+
+OM_uint32
+_gss_spnego_inquire_names_for_mech (
+	 OM_uint32 * /*minor_status*/,
+	const gss_OID /*mechanism*/,
+	gss_OID_set * name_types );
+
+OM_uint32
+_gss_spnego_inquire_sec_context_by_oid (
+	OM_uint32 * /*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	const gss_OID /*desired_object*/,
+	gss_buffer_set_t */*data_set*/);
+
+OM_uint32
+_gss_spnego_internal_delete_sec_context (
+	OM_uint32 */*minor_status*/,
+	gss_ctx_id_t */*context_handle*/,
+	gss_buffer_t output_token );
+
+OM_uint32
+_gss_spnego_process_context_token (
+	OM_uint32 */*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	const gss_buffer_t token_buffer );
+
+OM_uint32
+_gss_spnego_release_cred (
+	OM_uint32 */*minor_status*/,
+	gss_cred_id_t */*cred_handle*/);
+
+OM_uint32
+_gss_spnego_release_name (
+	OM_uint32 * /*minor_status*/,
+	gss_name_t * input_name );
+
+OM_uint32
+_gss_spnego_require_mechlist_mic (
+	OM_uint32 */*minor_status*/,
+	gssspnego_ctx /*ctx*/,
+	int */*require_mic*/);
+
+OM_uint32
+_gss_spnego_seal (
+	OM_uint32 * /*minor_status*/,
+	gss_ctx_id_t /*context_handle*/,
+	int /*conf_req_flag*/,
+	int /*qop_req*/,
+	gss_buffer_t /*input_message_buffer*/,
+	int * /*conf_state*/,
+	gss_buffer_t output_message_buffer );
+
+OM_uint32
+_gss_spnego_set_sec_context_option (
+	OM_uint32 * /*minor_status*/,
+	gss_ctx_id_t * /*context_handle*/,
+	const gss_OID /*desired_object*/,
+	const gss_buffer_t /*value*/);
+
+OM_uint32
+_gss_spnego_sign (
+	OM_uint32 * /*minor_status*/,
+	gss_ctx_id_t /*context_handle*/,
+	int /*qop_req*/,
+	gss_buffer_t /*message_buffer*/,
+	gss_buffer_t message_token );
+
+OM_uint32
+_gss_spnego_unseal (
+	OM_uint32 * /*minor_status*/,
+	gss_ctx_id_t /*context_handle*/,
+	gss_buffer_t /*input_message_buffer*/,
+	gss_buffer_t /*output_message_buffer*/,
+	int * /*conf_state*/,
+	int * qop_state );
+
+OM_uint32
+_gss_spnego_unwrap (
+	OM_uint32 * /*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	const gss_buffer_t /*input_message_buffer*/,
+	gss_buffer_t /*output_message_buffer*/,
+	int * /*conf_state*/,
+	gss_qop_t * qop_state );
+
+OM_uint32
+_gss_spnego_verify (
+	OM_uint32 * /*minor_status*/,
+	gss_ctx_id_t /*context_handle*/,
+	gss_buffer_t /*message_buffer*/,
+	gss_buffer_t /*token_buffer*/,
+	int * qop_state );
+
+OM_uint32
+_gss_spnego_verify_mic (
+	OM_uint32 * /*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	const gss_buffer_t /*message_buffer*/,
+	const gss_buffer_t /*token_buffer*/,
+	gss_qop_t * qop_state );
+
+OM_uint32
+_gss_spnego_wrap (
+	OM_uint32 * /*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	int /*conf_req_flag*/,
+	gss_qop_t /*qop_req*/,
+	const gss_buffer_t /*input_message_buffer*/,
+	int * /*conf_state*/,
+	gss_buffer_t output_message_buffer );
+
+OM_uint32
+_gss_spnego_wrap_size_limit (
+	 OM_uint32 * /*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	int /*conf_req_flag*/,
+	gss_qop_t /*qop_req*/,
+	OM_uint32 /*req_output_size*/,
+	OM_uint32 * max_input_size );
+
+#endif /* __spnego_private_h__ */
diff --git a/crypto/heimdal/lib/gssapi/spnego/spnego.asn1 b/crypto/heimdal/lib/gssapi/spnego/spnego.asn1
new file mode 100644
index 0000000..058f10b
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/spnego/spnego.asn1
@@ -0,0 +1,63 @@
+-- $Id: spnego.asn1 21403 2007-07-04 08:13:12Z lha $
+
+SPNEGO DEFINITIONS ::=
+BEGIN
+
+MechType::= OBJECT IDENTIFIER
+
+MechTypeList ::= SEQUENCE OF MechType
+
+ContextFlags ::= BIT STRING {
+    delegFlag       (0),
+    mutualFlag      (1),
+    replayFlag      (2),
+    sequenceFlag    (3),
+    anonFlag        (4),
+    confFlag        (5),
+    integFlag       (6)
+}
+
+NegHints ::= SEQUENCE {
+    hintName       [0]  GeneralString	OPTIONAL,
+    hintAddress    [1]  OCTET STRING	OPTIONAL
+} 
+
+NegTokenInitWin ::= SEQUENCE {
+    mechTypes       [0] MechTypeList,
+    reqFlags        [1] ContextFlags   OPTIONAL,
+    mechToken       [2] OCTET STRING   OPTIONAL,
+    negHints        [3] NegHints       OPTIONAL
+}
+
+NegTokenInit ::= SEQUENCE {
+    mechTypes       [0] MechTypeList,
+    reqFlags        [1] ContextFlags   OPTIONAL,
+    mechToken       [2] OCTET STRING   OPTIONAL,
+    mechListMIC	    [3] OCTET STRING   OPTIONAL,
+    ...
+}
+
+-- NB: negResult is not OPTIONAL in the new SPNEGO spec but
+-- Windows clients do not always send it
+NegTokenResp ::= SEQUENCE {
+    negResult      [0] ENUMERATED {
+                            accept_completed    (0),
+                            accept_incomplete   (1),
+                            reject              (2),
+                            request-mic         (3) }          OPTIONAL,
+    supportedMech  [1] MechType                                OPTIONAL,
+    responseToken  [2] OCTET STRING                            OPTIONAL,
+    mechListMIC    [3] OCTET STRING                            OPTIONAL,
+    ...
+}
+
+NegotiationToken ::= CHOICE {
+	negTokenInit[0]		NegTokenInit,
+	negTokenResp[1]		NegTokenResp
+}
+
+NegotiationTokenWin ::= CHOICE {
+	negTokenInit[0]		NegTokenInitWin
+}
+
+END
diff --git a/crypto/heimdal/lib/gssapi/spnego/spnego_locl.h b/crypto/heimdal/lib/gssapi/spnego/spnego_locl.h
new file mode 100644
index 0000000..44b2468
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/spnego/spnego_locl.h
@@ -0,0 +1,115 @@
+/*
+ * Copyright (c) 2004, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: spnego_locl.h 19411 2006-12-18 15:42:03Z lha $ */
+
+#ifndef SPNEGO_LOCL_H
+#define SPNEGO_LOCL_H
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+
+#ifdef HAVE_PTHREAD_H
+#include <pthread.h>
+#endif
+
+#include <gssapi/gssapi_spnego.h>
+#include <gssapi.h>
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <ctype.h>
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+#include <heim_threads.h>
+#include <asn1_err.h>
+
+#include <gssapi_mech.h>
+
+#include "spnego_asn1.h"
+#include "mech/utils.h"
+#include <der.h>
+
+#include <roken.h>
+
+#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
+
+typedef struct {
+	gss_cred_id_t		negotiated_cred_id;
+} *gssspnego_cred;
+
+typedef struct {
+	MechTypeList		initiator_mech_types;
+	gss_OID			preferred_mech_type;
+	gss_OID			negotiated_mech_type;
+	gss_ctx_id_t		negotiated_ctx_id;
+	OM_uint32		mech_flags;
+	OM_uint32		mech_time_rec;
+	gss_name_t		mech_src_name;
+	gss_cred_id_t		delegated_cred_id;
+	unsigned int		open : 1;
+	unsigned int		local : 1;
+	unsigned int		require_mic : 1;
+	unsigned int		verified_mic : 1;
+	unsigned int		maybe_open : 1;
+	HEIMDAL_MUTEX		ctx_id_mutex;
+
+	gss_name_t		target_name;
+
+	u_char			oidbuf[17];
+ 	size_t			oidlen;
+
+} *gssspnego_ctx;
+
+typedef struct {
+	gss_OID_desc		type;
+	gss_buffer_desc		value;
+	gss_name_t		mech;
+} *spnego_name;
+
+extern gss_OID_desc _gss_spnego_mskrb_mechanism_oid_desc;
+extern gss_OID_desc _gss_spnego_krb5_mechanism_oid_desc;
+
+#include <spnego/spnego-private.h>
+
+#endif /* SPNEGO_LOCL_H */
diff --git a/crypto/heimdal/lib/gssapi/test_acquire_cred.c b/crypto/heimdal/lib/gssapi/test_acquire_cred.c
index 29ed830..fd2bc32 100644
--- a/crypto/heimdal/lib/gssapi/test_acquire_cred.c
+++ b/crypto/heimdal/lib/gssapi/test_acquire_cred.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 2003-2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -28,12 +28,25 @@
  * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
  * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
 
-#include "gssapi_locl.h"
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+#include <gssapi.h>
 #include <err.h>
+#include <roken.h>
+#include <getarg.h>
+
+#include "test_common.h"
 
-RCSID("$Id: test_acquire_cred.c,v 1.2 2003/04/06 00:20:37 lha Exp $");
+RCSID("$Id: test_acquire_cred.c 22129 2007-12-04 01:13:13Z lha $");
 
 static void
 print_time(OM_uint32 time_rec)
@@ -41,32 +54,20 @@ print_time(OM_uint32 time_rec)
     if (time_rec == GSS_C_INDEFINITE) {
 	printf("cred never expire\n");
     } else {
-	time_t t = time_rec;
+	time_t t = time_rec + time(NULL);
 	printf("expiration time: %s", ctime(&t));
     }
 }
 
-int
-main(int argc, char **argv)
+#if 0
+
+static void
+test_add(gss_cred_id_t cred_handle)
 {
     OM_uint32 major_status, minor_status;
-    gss_cred_id_t cred_handle, copy_cred;
+    gss_cred_id_t copy_cred;
     OM_uint32 time_rec;
 
-    major_status = gss_acquire_cred(&minor_status, 
-				    GSS_C_NO_NAME,
-				    0,
-				    NULL,
-				    GSS_C_INITIATE,
-				    &cred_handle,
-				    NULL,
-				    &time_rec);
-    if (GSS_ERROR(major_status))
-	errx(1, "acquire_cred failed");
-	
-
-    print_time(time_rec);
-
     major_status = gss_add_cred (&minor_status,
 				 cred_handle,
 				 GSS_C_NO_NAME,
@@ -85,14 +86,168 @@ main(int argc, char **argv)
     print_time(time_rec);
 
     major_status = gss_release_cred(&minor_status,
-				    &cred_handle);
+				    &copy_cred);
     if (GSS_ERROR(major_status))
 	errx(1, "release_cred failed");
+}
+
+static void
+copy_cred(void)
+{
+    OM_uint32 major_status, minor_status;
+    gss_cred_id_t cred_handle;
+    OM_uint32 time_rec;
+
+    major_status = gss_acquire_cred(&minor_status, 
+				    GSS_C_NO_NAME,
+				    0,
+				    NULL,
+				    GSS_C_INITIATE,
+				    &cred_handle,
+				    NULL,
+				    &time_rec);
+    if (GSS_ERROR(major_status))
+	errx(1, "acquire_cred failed");
+	
+    print_time(time_rec);
+
+    test_add(cred_handle);
+    test_add(cred_handle);
+    test_add(cred_handle);
 
     major_status = gss_release_cred(&minor_status,
-				    &copy_cred);
+				    &cred_handle);
     if (GSS_ERROR(major_status))
 	errx(1, "release_cred failed");
+}
+#endif
+
+static void
+acquire_cred_service(const char *service,
+		     gss_OID nametype,
+		     int flags)
+{
+    OM_uint32 major_status, minor_status;
+    gss_cred_id_t cred_handle;
+    OM_uint32 time_rec;
+    gss_buffer_desc name_buffer;
+    gss_name_t name = GSS_C_NO_NAME;
+
+    if (service) {
+	name_buffer.value = rk_UNCONST(service);
+	name_buffer.length = strlen(service);
+	
+	major_status = gss_import_name(&minor_status,
+				       &name_buffer,
+				       nametype,
+				       &name);
+	if (GSS_ERROR(major_status))
+	    errx(1, "import_name failed");
+    }
+
+    major_status = gss_acquire_cred(&minor_status, 
+				    name,
+				    0,
+				    NULL,
+				    flags,
+				    &cred_handle,
+				    NULL,
+				    &time_rec);
+    if (GSS_ERROR(major_status)) {
+	warnx("acquire_cred failed: %s", 
+	     gssapi_err(major_status, minor_status, GSS_C_NO_OID));
+    } else {    
+	print_time(time_rec);
+	gss_release_cred(&minor_status, &cred_handle);
+    }
+
+    if (name != GSS_C_NO_NAME)
+	gss_release_name(&minor_status, &name);
+
+    if (GSS_ERROR(major_status))
+	exit(1);
+}
+
+static int version_flag = 0;
+static int help_flag	= 0;
+static char *acquire_name;
+static char *acquire_type;
+static char *name_type;
+static char *ccache;
+
+static struct getargs args[] = {
+    {"acquire-name", 0,	arg_string,	&acquire_name, "name", NULL },
+    {"acquire-type", 0,	arg_string,	&acquire_type, "type", NULL },
+    {"ccache", 0,	arg_string,	&ccache, "name", NULL },
+    {"name-type", 0,	arg_string,	&name_type, "type", NULL },
+    {"version",	0,	arg_flag,	&version_flag, "print version", NULL },
+    {"help",	0,	arg_flag,	&help_flag,  NULL, NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args, sizeof(args)/sizeof(*args), NULL, "");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optidx = 0;
+    OM_uint32 flag;
+    gss_OID type;
+
+    setprogname(argv[0]);
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optidx;
+    argv += optidx;
+
+    if (argc != 0)
+	usage(1);
+
+    if (acquire_type) {
+	if (strcasecmp(acquire_type, "both") == 0)
+	    flag = GSS_C_BOTH;
+	else if (strcasecmp(acquire_type, "accept") == 0)
+	    flag = GSS_C_ACCEPT;
+	else if (strcasecmp(acquire_type, "initiate") == 0)
+	    flag = GSS_C_INITIATE;
+	else
+	    errx(1, "unknown type %s", acquire_type);
+    } else
+	flag = GSS_C_ACCEPT;
+	
+    if (name_type) {
+	if (strcasecmp("hostbased-service", name_type) == 0)
+	    type = GSS_C_NT_HOSTBASED_SERVICE;
+	else if (strcasecmp("user-name", name_type) == 0)
+	    type = GSS_C_NT_USER_NAME;
+	else
+	    errx(1, "unknown name type %s", name_type);
+    } else
+	type = GSS_C_NT_HOSTBASED_SERVICE;
+
+    if (ccache) {
+	OM_uint32 major_status, minor_status;
+	major_status = gss_krb5_ccache_name(&minor_status,
+					    ccache, NULL);
+	if (GSS_ERROR(major_status))
+	    errx(1, "gss_krb5_ccache_name %s", 
+		 gssapi_err(major_status, minor_status, GSS_C_NO_OID));
+    }
+
+    acquire_cred_service(acquire_name, type, flag);
 
     return 0;
 }
diff --git a/crypto/heimdal/lib/gssapi/test_common.c b/crypto/heimdal/lib/gssapi/test_common.c
new file mode 100644
index 0000000..329180f
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/test_common.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "krb5/gsskrb5_locl.h"
+#include <err.h>
+#include "test_common.h"
+
+RCSID("$Id: test_common.c 20075 2007-01-31 06:05:19Z lha $");
+
+char *
+gssapi_err(OM_uint32 maj_stat, OM_uint32 min_stat, gss_OID mech)
+{
+	OM_uint32 disp_min_stat, disp_maj_stat;
+	gss_buffer_desc maj_error_message;
+	gss_buffer_desc min_error_message;
+	OM_uint32 msg_ctx = 0;
+
+	char *ret = NULL;
+
+	maj_error_message.length = 0;
+	maj_error_message.value = NULL;
+	min_error_message.length = 0;
+	min_error_message.value = NULL;
+	
+	disp_maj_stat = gss_display_status(&disp_min_stat, maj_stat, 
+					   GSS_C_GSS_CODE,
+					   mech, &msg_ctx, &maj_error_message);
+	disp_maj_stat = gss_display_status(&disp_min_stat, min_stat,
+					   GSS_C_MECH_CODE,
+					   mech, &msg_ctx, &min_error_message);
+	asprintf(&ret, "gss-code: %lu %.*s\nmech-code: %lu %.*s", 
+		 (unsigned long)maj_stat,
+		 (int)maj_error_message.length, 
+		 (char *)maj_error_message.value, 
+		 (unsigned long)min_stat,
+		 (int)min_error_message.length, 
+		 (char *)min_error_message.value);
+
+	gss_release_buffer(&disp_min_stat, &maj_error_message);
+	gss_release_buffer(&disp_min_stat, &min_error_message);
+
+	return ret;
+}
+
diff --git a/crypto/heimdal/lib/gssapi/test_common.h b/crypto/heimdal/lib/gssapi/test_common.h
new file mode 100644
index 0000000..8e78a5d
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/test_common.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id: test_common.h 20075 2007-01-31 06:05:19Z lha $ */
+
+char * gssapi_err(OM_uint32, OM_uint32, gss_OID);
diff --git a/crypto/heimdal/lib/gssapi/test_context.c b/crypto/heimdal/lib/gssapi/test_context.c
new file mode 100644
index 0000000..e02535a
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/test_context.c
@@ -0,0 +1,542 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "krb5/gsskrb5_locl.h"
+#include <err.h>
+#include <getarg.h>
+#include "test_common.h"
+
+RCSID("$Id: test_context.c 20075 2007-01-31 06:05:19Z lha $");
+
+static char *type_string;
+static char *mech_string;
+static char *ret_mech_string;
+static int dns_canon_flag = -1;
+static int mutual_auth_flag = 0;
+static int dce_style_flag = 0;
+static int wrapunwrap_flag = 0;
+static int getverifymic_flag = 0;
+static int deleg_flag = 0;
+static int version_flag = 0;
+static int verbose_flag = 0;
+static int help_flag	= 0;
+
+static struct {
+    const char *name;
+    gss_OID *oid;
+} o2n[] = {
+    { "krb5", &GSS_KRB5_MECHANISM },
+    { "spnego", &GSS_SPNEGO_MECHANISM },
+    { "ntlm", &GSS_NTLM_MECHANISM },
+    { "sasl-digest-md5", &GSS_SASL_DIGEST_MD5_MECHANISM }
+};
+
+static gss_OID
+string_to_oid(const char *name)
+{
+    int i;
+    for (i = 0; i < sizeof(o2n)/sizeof(o2n[0]); i++)
+	if (strcasecmp(name, o2n[i].name) == 0)
+	    return *o2n[i].oid;
+    errx(1, "name %s not unknown", name);
+}
+
+static const char *
+oid_to_string(const gss_OID oid)
+{
+    int i;
+    for (i = 0; i < sizeof(o2n)/sizeof(o2n[0]); i++)
+	if (gss_oid_equal(oid, *o2n[i].oid))
+	    return o2n[i].name;
+    return "unknown oid";
+}
+
+static void
+loop(gss_OID mechoid,
+     gss_OID nameoid, const char *target,
+     gss_cred_id_t init_cred,
+     gss_ctx_id_t *sctx, gss_ctx_id_t *cctx,
+     gss_OID *actual_mech, 
+     gss_cred_id_t *deleg_cred)
+{
+    int server_done = 0, client_done = 0;
+    OM_uint32 maj_stat, min_stat;
+    gss_name_t gss_target_name;
+    gss_buffer_desc input_token, output_token;
+    OM_uint32 flags = 0, ret_cflags, ret_sflags;
+    gss_OID actual_mech_client; 
+    gss_OID actual_mech_server; 
+
+    *actual_mech = GSS_C_NO_OID;
+
+    flags |= GSS_C_INTEG_FLAG;
+    flags |= GSS_C_CONF_FLAG;
+
+    if (mutual_auth_flag)
+	flags |= GSS_C_MUTUAL_FLAG;
+    if (dce_style_flag)
+	flags |= GSS_C_DCE_STYLE;
+    if (deleg_flag)
+	flags |= GSS_C_DELEG_FLAG;
+
+    input_token.value = rk_UNCONST(target);
+    input_token.length = strlen(target);
+
+    maj_stat = gss_import_name(&min_stat,
+			       &input_token,
+			       nameoid,
+			       &gss_target_name);
+    if (GSS_ERROR(maj_stat))
+	err(1, "import name creds failed with: %d", maj_stat);
+
+    input_token.length = 0;
+    input_token.value = NULL;
+
+    while (!server_done || !client_done) {
+
+	maj_stat = gss_init_sec_context(&min_stat,
+					init_cred,
+					cctx,
+					gss_target_name,
+					mechoid, 
+					flags,
+					0, 
+					NULL,
+					&input_token,
+					&actual_mech_client,
+					&output_token,
+					&ret_cflags,
+					NULL);
+	if (GSS_ERROR(maj_stat))
+	    errx(1, "init_sec_context: %s",
+		 gssapi_err(maj_stat, min_stat, mechoid));
+	if (maj_stat & GSS_S_CONTINUE_NEEDED)
+	    ;
+	else
+	    client_done = 1;
+
+	if (client_done && server_done)
+	    break;
+
+	if (input_token.length != 0)
+	    gss_release_buffer(&min_stat, &input_token);
+
+	maj_stat = gss_accept_sec_context(&min_stat,
+					  sctx,
+					  GSS_C_NO_CREDENTIAL,
+					  &output_token,
+					  GSS_C_NO_CHANNEL_BINDINGS,
+					  NULL,
+					  &actual_mech_server,
+					  &input_token,
+					  &ret_sflags,
+					  NULL,
+					  deleg_cred);
+	if (GSS_ERROR(maj_stat))
+		errx(1, "accept_sec_context: %s",
+		     gssapi_err(maj_stat, min_stat, actual_mech_server));
+
+	if (verbose_flag)
+	    printf("%.*s", (int)input_token.length, (char *)input_token.value);
+
+	if (output_token.length != 0)
+	    gss_release_buffer(&min_stat, &output_token);
+
+	if (maj_stat & GSS_S_CONTINUE_NEEDED)
+	    ;
+	else
+	    server_done = 1;
+    }	
+    if (output_token.length != 0)
+	gss_release_buffer(&min_stat, &output_token);
+    if (input_token.length != 0)
+	gss_release_buffer(&min_stat, &input_token);
+    gss_release_name(&min_stat, &gss_target_name);
+
+    if (gss_oid_equal(actual_mech_server, actual_mech_client) == 0)
+	errx(1, "mech mismatch");
+    *actual_mech = actual_mech_server;
+}
+
+static void
+wrapunwrap(gss_ctx_id_t cctx, gss_ctx_id_t sctx, gss_OID mechoid)
+{
+    gss_buffer_desc input_token, output_token, output_token2;
+    OM_uint32 min_stat, maj_stat;
+    int32_t flags = 0;
+    gss_qop_t qop_state;
+    int conf_state;
+
+    input_token.value = "foo";
+    input_token.length = 3;
+
+    maj_stat = gss_wrap(&min_stat, cctx, flags, 0, &input_token,
+			&conf_state, &output_token);
+    if (maj_stat != GSS_S_COMPLETE)
+	errx(1, "gss_wrap failed: %s",
+	     gssapi_err(maj_stat, min_stat, mechoid));
+
+    maj_stat = gss_unwrap(&min_stat, sctx, &output_token,
+			  &output_token2, &conf_state, &qop_state);
+    if (maj_stat != GSS_S_COMPLETE)
+	errx(1, "gss_unwrap failed: %s",
+	     gssapi_err(maj_stat, min_stat, mechoid));
+}
+
+static void
+getverifymic(gss_ctx_id_t cctx, gss_ctx_id_t sctx, gss_OID mechoid)
+{
+    gss_buffer_desc input_token, output_token;
+    OM_uint32 min_stat, maj_stat;
+    gss_qop_t qop_state;
+
+    input_token.value = "bar";
+    input_token.length = 3;
+
+    maj_stat = gss_get_mic(&min_stat, cctx, 0, &input_token,
+			   &output_token);
+    if (maj_stat != GSS_S_COMPLETE)
+	errx(1, "gss_get_mic failed: %s",
+	     gssapi_err(maj_stat, min_stat, mechoid));
+
+    maj_stat = gss_verify_mic(&min_stat, sctx, &input_token,
+			      &output_token, &qop_state);
+    if (maj_stat != GSS_S_COMPLETE)
+	errx(1, "gss_verify_mic failed: %s",
+	     gssapi_err(maj_stat, min_stat, mechoid));
+}
+
+
+/*
+ *
+ */
+
+static struct getargs args[] = {
+    {"name-type",0,	arg_string, &type_string,  "type of name", NULL },
+    {"mech-type",0,	arg_string, &mech_string,  "type of mech", NULL },
+    {"ret-mech-type",0,	arg_string, &ret_mech_string,
+     "type of return mech", NULL },
+    {"dns-canonicalize",0,arg_negative_flag, &dns_canon_flag, 
+     "use dns to canonicalize", NULL },
+    {"mutual-auth",0,	arg_flag,	&mutual_auth_flag,"mutual auth", NULL },
+    {"dce-style",0,	arg_flag,	&dce_style_flag, "dce-style", NULL },
+    {"wrapunwrap",0,	arg_flag,	&wrapunwrap_flag, "wrap/unwrap", NULL },
+    {"getverifymic",0,	arg_flag,	&getverifymic_flag, 
+     "get and verify mic", NULL },
+    {"delegate",0,	arg_flag,	&deleg_flag, "delegate credential", NULL },
+    {"version",	0,	arg_flag,	&version_flag, "print version", NULL },
+    {"verbose",	'v',	arg_flag,	&verbose_flag, "verbose", NULL },
+    {"help",	0,	arg_flag,	&help_flag,  NULL, NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args, sizeof(args)/sizeof(*args),
+		    NULL, "service@host");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optind = 0;
+    OM_uint32 min_stat, maj_stat;
+    gss_ctx_id_t cctx, sctx;
+    void *ctx;
+    gss_OID nameoid, mechoid, actual_mech;
+    gss_cred_id_t deleg_cred = GSS_C_NO_CREDENTIAL;
+
+    setprogname(argv[0]);
+
+    cctx = sctx = GSS_C_NO_CONTEXT;
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 1)
+	usage(1);
+
+    if (dns_canon_flag != -1)
+	gsskrb5_set_dns_canonicalize(dns_canon_flag);
+
+    if (type_string == NULL)
+	nameoid = GSS_C_NT_HOSTBASED_SERVICE;
+    else if (strcmp(type_string, "hostbased-service") == 0)
+	nameoid = GSS_C_NT_HOSTBASED_SERVICE;
+    else if (strcmp(type_string, "krb5-principal-name") == 0)
+	nameoid = GSS_KRB5_NT_PRINCIPAL_NAME;
+    else
+	errx(1, "%s not suppported", type_string);
+
+    if (mech_string == NULL)
+	mechoid = GSS_KRB5_MECHANISM;
+    else 
+	mechoid = string_to_oid(mech_string);
+
+    loop(mechoid, nameoid, argv[0], GSS_C_NO_CREDENTIAL,
+	 &sctx, &cctx, &actual_mech, &deleg_cred);
+    
+    if (verbose_flag)
+	printf("resulting mech: %s\n", oid_to_string(actual_mech));
+
+    if (ret_mech_string) {
+	gss_OID retoid;
+
+	retoid = string_to_oid(ret_mech_string);
+
+	if (gss_oid_equal(retoid, actual_mech) == 0)
+	    errx(1, "actual_mech mech is not the expected type %s", 
+		 ret_mech_string);
+    }
+
+    /* XXX should be actual_mech */
+    if (gss_oid_equal(mechoid, GSS_KRB5_MECHANISM)) { 
+	krb5_context context;
+	time_t time, skew;
+	gss_buffer_desc authz_data;
+	gss_buffer_desc in, out1, out2;
+	krb5_keyblock *keyblock, *keyblock2;
+	krb5_timestamp now;
+	krb5_error_code ret;
+
+	ret = krb5_init_context(&context);
+	if (ret)
+	    errx(1, "krb5_init_context");
+
+	ret = krb5_timeofday(context, &now);
+	if (ret) 
+		errx(1, "krb5_timeofday failed");
+	
+	/* client */
+	maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
+						     &cctx,
+						     1, /* version */
+						     &ctx);
+	if (maj_stat != GSS_S_COMPLETE)
+		errx(1, "gss_krb5_export_lucid_sec_context failed: %s",
+		     gssapi_err(maj_stat, min_stat, actual_mech));
+	
+	
+	maj_stat = gss_krb5_free_lucid_sec_context(&maj_stat, ctx);
+	if (maj_stat != GSS_S_COMPLETE)
+	    errx(1, "gss_krb5_free_lucid_sec_context failed: %s",
+		     gssapi_err(maj_stat, min_stat, actual_mech));
+	
+	/* server */
+	maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
+						     &sctx,
+						     1, /* version */
+						     &ctx);
+	if (maj_stat != GSS_S_COMPLETE)
+	    errx(1, "gss_krb5_export_lucid_sec_context failed: %s",
+		     gssapi_err(maj_stat, min_stat, actual_mech));
+	maj_stat = gss_krb5_free_lucid_sec_context(&min_stat, ctx);
+	if (maj_stat != GSS_S_COMPLETE)
+	    errx(1, "gss_krb5_free_lucid_sec_context failed: %s",
+		     gssapi_err(maj_stat, min_stat, actual_mech));
+
+ 	maj_stat = gsskrb5_extract_authtime_from_sec_context(&min_stat,
+							     sctx,
+							     &time);
+	if (maj_stat != GSS_S_COMPLETE)
+	    errx(1, "gsskrb5_extract_authtime_from_sec_context failed: %s",
+		     gssapi_err(maj_stat, min_stat, actual_mech));
+
+	skew = abs(time - now);
+	if (skew > krb5_get_max_time_skew(context)) {
+	    errx(1, "gsskrb5_extract_authtime_from_sec_context failed: "
+		 "time skew too great %llu > %llu", 
+		 (unsigned long long)skew, 
+		 (unsigned long long)krb5_get_max_time_skew(context));
+	}
+
+ 	maj_stat = gsskrb5_extract_service_keyblock(&min_stat,
+						    sctx,
+						    &keyblock);
+	if (maj_stat != GSS_S_COMPLETE)
+	    errx(1, "gsskrb5_export_service_keyblock failed: %s",
+		     gssapi_err(maj_stat, min_stat, actual_mech));
+
+	krb5_free_keyblock(context, keyblock);
+
+ 	maj_stat = gsskrb5_get_subkey(&min_stat,
+				      sctx,
+				      &keyblock);
+	if (maj_stat != GSS_S_COMPLETE 
+	    && (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY)))
+	    errx(1, "gsskrb5_get_subkey server failed: %s",
+		     gssapi_err(maj_stat, min_stat, actual_mech));
+
+	if (maj_stat != GSS_S_COMPLETE)
+	    keyblock = NULL;
+	
+ 	maj_stat = gsskrb5_get_subkey(&min_stat,
+				      cctx,
+				      &keyblock2);
+	if (maj_stat != GSS_S_COMPLETE 
+	    && (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY)))
+	    errx(1, "gsskrb5_get_subkey client failed: %s",
+		     gssapi_err(maj_stat, min_stat, actual_mech));
+
+	if (maj_stat != GSS_S_COMPLETE)
+	    keyblock2 = NULL;
+
+	if (keyblock || keyblock2) {
+	    if (keyblock == NULL)
+		errx(1, "server missing token keyblock");
+	    if (keyblock2 == NULL)
+		errx(1, "client missing token keyblock");
+
+	    if (keyblock->keytype != keyblock2->keytype)
+		errx(1, "enctype mismatch");
+	    if (keyblock->keyvalue.length != keyblock2->keyvalue.length)
+		errx(1, "key length mismatch");
+	    if (memcmp(keyblock->keyvalue.data, keyblock2->keyvalue.data, 
+		       keyblock2->keyvalue.length) != 0)
+		errx(1, "key data mismatch");
+	}
+
+	if (keyblock)
+	    krb5_free_keyblock(context, keyblock);
+	if (keyblock2)
+	    krb5_free_keyblock(context, keyblock2);
+
+ 	maj_stat = gsskrb5_get_initiator_subkey(&min_stat,
+						sctx,
+						&keyblock);
+	if (maj_stat != GSS_S_COMPLETE 
+	    && (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY)))
+	    errx(1, "gsskrb5_get_initiator_subkey failed: %s",
+		     gssapi_err(maj_stat, min_stat, actual_mech));
+
+	if (maj_stat == GSS_S_COMPLETE)
+	    krb5_free_keyblock(context, keyblock);
+
+ 	maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat,
+							       sctx,
+							       128,
+							       &authz_data);
+	if (maj_stat == GSS_S_COMPLETE)
+	    gss_release_buffer(&min_stat, &authz_data);
+
+	krb5_free_context(context);
+
+
+	memset(&out1, 0, sizeof(out1));
+	memset(&out2, 0, sizeof(out2));
+
+	in.value = "foo";
+	in.length = 3;
+
+	gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_FULL, &in, 
+			  100, &out1);
+	gss_pseudo_random(&min_stat, cctx, GSS_C_PRF_KEY_FULL, &in, 
+			  100, &out2);
+
+	if (out1.length != out2.length)
+	    errx(1, "prf len mismatch");
+	if (memcmp(out1.value, out2.value, out1.length) != 0)
+	    errx(1, "prf data mismatch");
+	
+	gss_release_buffer(&min_stat, &out1);
+
+	gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_FULL, &in, 
+			  100, &out1);
+
+	if (out1.length != out2.length)
+	    errx(1, "prf len mismatch");
+	if (memcmp(out1.value, out2.value, out1.length) != 0)
+	    errx(1, "prf data mismatch");
+
+	gss_release_buffer(&min_stat, &out1);
+	gss_release_buffer(&min_stat, &out2);
+
+	in.value = "bar";
+	in.length = 3;
+
+	gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_PARTIAL, &in, 
+			  100, &out1);
+	gss_pseudo_random(&min_stat, cctx, GSS_C_PRF_KEY_PARTIAL, &in, 
+			  100, &out2);
+
+	if (out1.length != out2.length)
+	    errx(1, "prf len mismatch");
+	if (memcmp(out1.value, out2.value, out1.length) != 0)
+	    errx(1, "prf data mismatch");
+
+	gss_release_buffer(&min_stat, &out1);
+	gss_release_buffer(&min_stat, &out2);
+
+	wrapunwrap_flag = 1;
+	getverifymic_flag = 1;
+    }
+
+    if (wrapunwrap_flag) {
+	wrapunwrap(cctx, sctx, actual_mech);
+	wrapunwrap(cctx, sctx, actual_mech);
+	wrapunwrap(sctx, cctx, actual_mech);
+	wrapunwrap(sctx, cctx, actual_mech);
+    }
+    if (getverifymic_flag) {
+	getverifymic(cctx, sctx, actual_mech);
+	getverifymic(cctx, sctx, actual_mech);
+	getverifymic(sctx, cctx, actual_mech);
+	getverifymic(sctx, cctx, actual_mech);
+    }
+
+    gss_delete_sec_context(&min_stat, &cctx, NULL);
+    gss_delete_sec_context(&min_stat, &sctx, NULL);
+
+    if (deleg_cred != GSS_C_NO_CREDENTIAL) {
+
+	loop(mechoid, nameoid, argv[0], deleg_cred, &cctx, &sctx, &actual_mech, NULL);
+
+	gss_delete_sec_context(&min_stat, &cctx, NULL);
+	gss_delete_sec_context(&min_stat, &sctx, NULL);
+
+    }
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/gssapi/test_cred.c b/crypto/heimdal/lib/gssapi/test_cred.c
new file mode 100644
index 0000000..5ecc89f
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/test_cred.c
@@ -0,0 +1,229 @@
+/*
+ * Copyright (c) 2003-2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+#include <gssapi.h>
+#include <err.h>
+#include <roken.h>
+#include <getarg.h>
+
+RCSID("$Id: test_cred.c 17750 2006-06-30 11:55:28Z lha $");
+
+static void
+gss_print_errors (int min_stat)
+{
+    OM_uint32 new_stat;
+    OM_uint32 msg_ctx = 0;
+    gss_buffer_desc status_string;
+    OM_uint32 ret;
+
+    do {
+	ret = gss_display_status (&new_stat,
+				  min_stat,
+				  GSS_C_MECH_CODE,
+				  GSS_C_NO_OID,
+				  &msg_ctx,
+				  &status_string);
+	if (!GSS_ERROR(ret)) {
+	    fprintf (stderr, "%s\n", (char *)status_string.value);
+	    gss_release_buffer (&new_stat, &status_string);
+	}
+    } while (!GSS_ERROR(ret) && msg_ctx != 0);
+}
+
+static void
+gss_err(int exitval, int status, const char *fmt, ...)
+{
+    va_list args;
+
+    va_start(args, fmt);
+    vwarnx (fmt, args);
+    gss_print_errors (status);
+    va_end(args);
+    exit (exitval);
+}
+
+static void
+acquire_release_loop(gss_name_t name, int counter, gss_cred_usage_t usage)
+{
+    OM_uint32 maj_stat, min_stat;
+    gss_cred_id_t cred;
+    int i;
+
+    for (i = 0; i < counter; i++) {
+	maj_stat = gss_acquire_cred(&min_stat, name,
+				    GSS_C_INDEFINITE,
+				    GSS_C_NO_OID_SET,
+				    usage,
+				    &cred,
+				    NULL,
+				    NULL);
+	if (maj_stat != GSS_S_COMPLETE)
+	    gss_err(1, min_stat, "aquire %d %d != GSS_S_COMPLETE", 
+		    i, (int)maj_stat);
+				    
+	maj_stat = gss_release_cred(&min_stat, &cred);
+	if (maj_stat != GSS_S_COMPLETE)
+	    gss_err(1, min_stat, "release %d %d != GSS_S_COMPLETE", 
+		    i, (int)maj_stat);
+    }
+}
+
+
+static void
+acquire_add_release_add(gss_name_t name, gss_cred_usage_t usage)
+{
+    OM_uint32 maj_stat, min_stat;
+    gss_cred_id_t cred, cred2, cred3;
+
+    maj_stat = gss_acquire_cred(&min_stat, name,
+				GSS_C_INDEFINITE,
+				GSS_C_NO_OID_SET,
+				usage,
+				&cred,
+				NULL,
+				NULL);
+    if (maj_stat != GSS_S_COMPLETE)
+	gss_err(1, min_stat, "aquire %d != GSS_S_COMPLETE", (int)maj_stat);
+    
+    maj_stat = gss_add_cred(&min_stat,
+			    cred,
+			    GSS_C_NO_NAME,
+			    GSS_KRB5_MECHANISM,
+			    usage,
+			    GSS_C_INDEFINITE,
+			    GSS_C_INDEFINITE,
+			    &cred2,
+			    NULL,
+			    NULL,
+			    NULL);
+			    
+    if (maj_stat != GSS_S_COMPLETE)
+	gss_err(1, min_stat, "add_cred %d != GSS_S_COMPLETE", (int)maj_stat);
+
+    maj_stat = gss_release_cred(&min_stat, &cred);
+    if (maj_stat != GSS_S_COMPLETE)
+	gss_err(1, min_stat, "release %d != GSS_S_COMPLETE", (int)maj_stat);
+
+    maj_stat = gss_add_cred(&min_stat,
+			    cred2,
+			    GSS_C_NO_NAME,
+			    GSS_KRB5_MECHANISM,
+			    GSS_C_BOTH,
+			    GSS_C_INDEFINITE,
+			    GSS_C_INDEFINITE,
+			    &cred3,
+			    NULL,
+			    NULL,
+			    NULL);
+
+    maj_stat = gss_release_cred(&min_stat, &cred2);
+    if (maj_stat != GSS_S_COMPLETE)
+	gss_err(1, min_stat, "release 2 %d != GSS_S_COMPLETE", (int)maj_stat);
+
+    maj_stat = gss_release_cred(&min_stat, &cred3);
+    if (maj_stat != GSS_S_COMPLETE)
+	gss_err(1, min_stat, "release 2 %d != GSS_S_COMPLETE", (int)maj_stat);
+}
+
+static int version_flag = 0;
+static int help_flag	= 0;
+
+static struct getargs args[] = {
+    {"version",	0,	arg_flag,	&version_flag, "print version", NULL },
+    {"help",	0,	arg_flag,	&help_flag,  NULL, NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args, sizeof(args)/sizeof(*args),
+		    NULL, "service@host");
+    exit (ret);
+}
+
+
+int
+main(int argc, char **argv)
+{
+    struct gss_buffer_desc_struct name_buffer;
+    OM_uint32 maj_stat, min_stat;
+    gss_name_t name;
+    int optidx = 0;
+
+    setprogname(argv[0]);
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optidx;
+    argv += optidx;
+
+    if (argc < 1)
+	errx(1, "argc < 1");
+
+    name_buffer.value = argv[0];
+    name_buffer.length = strlen(argv[0]);
+
+    maj_stat = gss_import_name(&min_stat, &name_buffer,
+			       GSS_C_NT_HOSTBASED_SERVICE,
+			       &name);
+    if (maj_stat != GSS_S_COMPLETE)
+	errx(1, "import name error");
+
+    acquire_release_loop(name, 100, GSS_C_ACCEPT);
+    acquire_release_loop(name, 100, GSS_C_INITIATE);
+    acquire_release_loop(name, 100, GSS_C_BOTH);
+
+    acquire_add_release_add(name, GSS_C_ACCEPT);
+    acquire_add_release_add(name, GSS_C_INITIATE);
+    acquire_add_release_add(name, GSS_C_BOTH);
+
+    gss_release_name(&min_stat, &name);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/gssapi/test_kcred.c b/crypto/heimdal/lib/gssapi/test_kcred.c
new file mode 100644
index 0000000..b774b04
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/test_kcred.c
@@ -0,0 +1,186 @@
+/*
+ * Copyright (c) 2003-2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+#include <gssapi.h>
+#include <krb5.h>
+#include <err.h>
+#include <roken.h>
+#include <getarg.h>
+
+RCSID("$Id: test_kcred.c 20694 2007-05-30 13:58:46Z lha $");
+
+static int version_flag = 0;
+static int help_flag	= 0;
+
+static void
+copy_import(void)
+{
+    gss_cred_id_t cred1, cred2;
+    OM_uint32 maj_stat, min_stat;
+    gss_name_t name1, name2;
+    OM_uint32 lifetime1, lifetime2;
+    gss_cred_usage_t usage1, usage2;
+    gss_OID_set mechs1, mechs2;
+    krb5_ccache id;
+    krb5_error_code ret;
+    krb5_context context;
+    int equal;
+
+    maj_stat = gss_acquire_cred(&min_stat, GSS_C_NO_NAME, GSS_C_INDEFINITE,
+				GSS_C_NO_OID_SET, GSS_C_INITIATE,
+				&cred1, NULL, NULL);
+    if (maj_stat != GSS_S_COMPLETE)
+	errx(1, "gss_acquire_cred");
+
+    maj_stat = gss_inquire_cred(&min_stat, cred1, &name1, &lifetime1,
+				&usage1, &mechs1);
+    if (maj_stat != GSS_S_COMPLETE)
+	errx(1, "gss_inquire_cred");
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx(1, "krb5_init_context");
+
+    ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &id);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_gen_new");
+
+    maj_stat = gss_krb5_copy_ccache(&min_stat, cred1, id);
+    if (maj_stat != GSS_S_COMPLETE)
+	errx(1, "gss_krb5_copy_ccache");
+
+    maj_stat = gss_krb5_import_cred(&min_stat, id, NULL, NULL, &cred2);
+    if (maj_stat != GSS_S_COMPLETE)
+	errx(1, "gss_krb5_import_cred");
+
+    maj_stat = gss_inquire_cred(&min_stat, cred2, &name2, &lifetime2,
+				&usage2, &mechs2);
+    if (maj_stat != GSS_S_COMPLETE)
+	errx(1, "gss_inquire_cred 2");
+
+    maj_stat = gss_compare_name(&min_stat, name1, name2, &equal);
+    if (maj_stat != GSS_S_COMPLETE)
+	errx(1, "gss_compare_name");
+    if (!equal)
+	errx(1, "names not equal");
+	
+    if (lifetime1 != lifetime2)
+	errx(1, "lifetime not equal %lu != %lu",
+	     (unsigned long)lifetime1, (unsigned long)lifetime2);
+
+    if (usage1 != usage2) {
+	/* as long any of them is both are everything it ok */
+	if (usage1 != GSS_C_BOTH && usage2 != GSS_C_BOTH)
+	    errx(1, "usages disjoined");
+    }
+
+    gss_release_name(&min_stat, &name2);
+    gss_release_oid_set(&min_stat, &mechs2);
+
+    maj_stat = gss_inquire_cred(&min_stat, cred2, &name2, &lifetime2,
+				&usage2, &mechs2);
+    if (maj_stat != GSS_S_COMPLETE)
+	errx(1, "gss_inquire_cred");
+
+    maj_stat = gss_compare_name(&min_stat, name1, name2, &equal);
+    if (maj_stat != GSS_S_COMPLETE)
+	errx(1, "gss_compare_name");
+    if (!equal)
+	errx(1, "names not equal");
+	
+    if (lifetime1 != lifetime2)
+	errx(1, "lifetime not equal %lu != %lu",
+	     (unsigned long)lifetime1, (unsigned long)lifetime2);
+
+    gss_release_cred(&min_stat, &cred1);
+    gss_release_cred(&min_stat, &cred2);
+
+    gss_release_name(&min_stat, &name1);
+    gss_release_name(&min_stat, &name2);
+
+#if 0
+    compare(mechs1, mechs2);
+#endif
+
+    gss_release_oid_set(&min_stat, &mechs1);
+    gss_release_oid_set(&min_stat, &mechs2);
+
+    krb5_cc_destroy(context, id);
+    krb5_free_context(context);
+}
+
+static struct getargs args[] = {
+    {"version",	0,	arg_flag,	&version_flag, "print version", NULL },
+    {"help",	0,	arg_flag,	&help_flag,  NULL, NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args, sizeof(args)/sizeof(*args),
+		    NULL, "");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optidx = 0;
+
+    setprogname(argv[0]);
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optidx;
+    argv += optidx;
+
+    copy_import();
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/gssapi/test_names.c b/crypto/heimdal/lib/gssapi/test_names.c
new file mode 100644
index 0000000..abc4769
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/test_names.c
@@ -0,0 +1,233 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+#include <gssapi.h>
+#include <err.h>
+#include <roken.h>
+#include <getarg.h>
+
+RCSID("$Id: test_names.c 17856 2006-07-20 05:13:25Z lha $");
+
+static void
+gss_print_errors (int min_stat)
+{
+    OM_uint32 new_stat;
+    OM_uint32 msg_ctx = 0;
+    gss_buffer_desc status_string;
+    OM_uint32 ret;
+
+    do {
+	ret = gss_display_status (&new_stat,
+				  min_stat,
+				  GSS_C_MECH_CODE,
+				  GSS_C_NO_OID,
+				  &msg_ctx,
+				  &status_string);
+	if (!GSS_ERROR(ret)) {
+	    fprintf (stderr, "%s\n", (char *)status_string.value);
+	    gss_release_buffer (&new_stat, &status_string);
+	}
+    } while (!GSS_ERROR(ret) && msg_ctx != 0);
+}
+
+static void
+gss_err(int exitval, int status, const char *fmt, ...)
+{
+    va_list args;
+
+    va_start(args, fmt);
+    vwarnx (fmt, args);
+    gss_print_errors (status);
+    va_end(args);
+    exit (exitval);
+}
+
+static int version_flag = 0;
+static int help_flag	= 0;
+
+static struct getargs args[] = {
+    {"version",	0,	arg_flag,	&version_flag, "print version", NULL },
+    {"help",	0,	arg_flag,	&help_flag,  NULL, NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args, sizeof(args)/sizeof(*args),
+		    NULL, "service@host");
+    exit (ret);
+}
+
+
+int
+main(int argc, char **argv)
+{
+    gss_buffer_desc name_buffer;
+    OM_uint32 maj_stat, min_stat;
+    gss_name_t name, MNname, MNname2;
+    int optidx = 0;
+    char *str;
+    int len, equal;
+
+    setprogname(argv[0]);
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optidx;
+    argv += optidx;
+
+    /*
+     * test import/export
+     */
+
+    len = asprintf(&str, "ftp@freeze-arrow.mit.edu");
+    if (len == -1)
+	errx(1, "asprintf");
+
+    name_buffer.value = str;
+    name_buffer.length = len;
+
+    maj_stat = gss_import_name(&min_stat, &name_buffer,
+			       GSS_C_NT_HOSTBASED_SERVICE,
+			       &name);
+    if (maj_stat != GSS_S_COMPLETE)
+	gss_err(1, min_stat, "import name error");
+    free(str);
+
+    maj_stat = gss_canonicalize_name (&min_stat,
+				      name,
+				      GSS_KRB5_MECHANISM,
+				      &MNname);
+    if (maj_stat != GSS_S_COMPLETE)
+	gss_err(1, min_stat, "canonicalize name error");
+
+    maj_stat = gss_export_name(&min_stat,
+			       MNname,
+			       &name_buffer);
+    if (maj_stat != GSS_S_COMPLETE)
+	gss_err(1, min_stat, "export name error (KRB5)");
+
+    /*
+     * Import the exported name and compare
+     */
+
+    maj_stat = gss_import_name(&min_stat, &name_buffer,
+			       GSS_C_NT_EXPORT_NAME,
+			       &MNname2);
+    if (maj_stat != GSS_S_COMPLETE)
+	gss_err(1, min_stat, "import name error (exported KRB5 name)");
+
+
+    maj_stat = gss_compare_name(&min_stat, MNname, MNname2, &equal);
+    if (maj_stat != GSS_S_COMPLETE)
+	errx(1, "gss_compare_name");
+    if (!equal)
+	errx(1, "names not equal");
+
+    gss_release_name(&min_stat, &MNname2);
+    gss_release_buffer(&min_stat, &name_buffer);
+    gss_release_name(&min_stat, &MNname);
+    gss_release_name(&min_stat, &name);
+
+    /*
+     * Import oid less name and compare to mech name.
+     * Dovecot SASL lib does this.
+     */
+
+    len = asprintf(&str, "lha");
+    if (len == -1)
+	errx(1, "asprintf");
+
+    name_buffer.value = str;
+    name_buffer.length = len;
+
+    maj_stat = gss_import_name(&min_stat, &name_buffer,
+			       GSS_C_NO_OID,
+			       &name);
+    if (maj_stat != GSS_S_COMPLETE)
+	gss_err(1, min_stat, "import (no oid) name error");
+
+    maj_stat = gss_import_name(&min_stat, &name_buffer,
+			       GSS_KRB5_NT_USER_NAME,
+			       &MNname);
+    if (maj_stat != GSS_S_COMPLETE)
+	gss_err(1, min_stat, "import (krb5 mn) name error");
+
+    free(str);
+
+    maj_stat = gss_compare_name(&min_stat, name, MNname, &equal);
+    if (maj_stat != GSS_S_COMPLETE)
+	errx(1, "gss_compare_name");
+    if (!equal)
+	errx(1, "names not equal");
+
+    gss_release_name(&min_stat, &MNname);
+    gss_release_name(&min_stat, &name);
+
+#if 0
+    maj_stat = gss_canonicalize_name (&min_stat,
+				      name,
+				      GSS_SPNEGO_MECHANISM,
+				      &MNname);
+    if (maj_stat != GSS_S_COMPLETE)
+	gss_err(1, min_stat, "canonicalize name error");
+
+
+    maj_stat = gss_export_name(&maj_stat,
+			       MNname,
+			       &name_buffer);
+    if (maj_stat != GSS_S_COMPLETE)
+	gss_err(1, min_stat, "export name error (SPNEGO)");
+
+    gss_release_name(&min_stat, &MNname);
+    gss_release_buffer(&min_stat, &name_buffer);
+#endif
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/gssapi/test_ntlm.c b/crypto/heimdal/lib/gssapi/test_ntlm.c
new file mode 100644
index 0000000..9bd0d1e
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/test_ntlm.c
@@ -0,0 +1,339 @@
+/*
+ * Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <gssapi.h>
+#include <err.h>
+#include <roken.h>
+#include <getarg.h>
+#include "test_common.h"
+
+RCSID("$Id: test_ntlm.c 22423 2008-01-13 09:45:03Z lha $");
+
+#include <krb5.h>
+#include <heimntlm.h>
+
+static int
+test_libntlm_v1(int flags)
+{
+    const char *user = "foo", 
+	*domain = "mydomain",
+	*password = "digestpassword";
+    OM_uint32 maj_stat, min_stat;
+    gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
+    gss_buffer_desc input, output;
+    struct ntlm_type1 type1;
+    struct ntlm_type2 type2;
+    struct ntlm_type3 type3;
+    struct ntlm_buf data;
+    krb5_error_code ret;
+    gss_name_t src_name = GSS_C_NO_NAME;
+    
+    memset(&type1, 0, sizeof(type1));
+    memset(&type2, 0, sizeof(type2));
+    memset(&type3, 0, sizeof(type3));
+
+    type1.flags = NTLM_NEG_UNICODE|NTLM_NEG_TARGET|NTLM_NEG_NTLM|flags;
+    type1.domain = strdup(domain);
+    type1.hostname = NULL;
+    type1.os[0] = 0;
+    type1.os[1] = 0;
+
+    ret = heim_ntlm_encode_type1(&type1, &data);
+    if (ret)
+	errx(1, "heim_ntlm_encode_type1");
+
+    input.value = data.data;
+    input.length = data.length;
+
+    output.length = 0;
+    output.value = NULL;
+
+    maj_stat = gss_accept_sec_context(&min_stat,
+				      &ctx,
+				      GSS_C_NO_CREDENTIAL,
+				      &input,
+				      GSS_C_NO_CHANNEL_BINDINGS,
+				      NULL,
+				      NULL,
+				      &output,
+				      NULL,
+				      NULL,
+				      NULL);
+    free(data.data);
+    if (GSS_ERROR(maj_stat))
+	errx(1, "accept_sec_context v1: %s",
+	     gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
+
+    if (output.length == 0)
+	errx(1, "output.length == 0");
+
+    data.data = output.value;
+    data.length = output.length;
+
+    ret = heim_ntlm_decode_type2(&data, &type2);
+    if (ret)
+	errx(1, "heim_ntlm_decode_type2");
+
+    gss_release_buffer(&min_stat, &output);
+
+    type3.flags = type2.flags;
+    type3.username = rk_UNCONST(user);
+    type3.targetname = type2.targetname;
+    type3.ws = rk_UNCONST("workstation");
+
+    {
+	struct ntlm_buf key;
+
+	heim_ntlm_nt_key(password, &key);
+
+	heim_ntlm_calculate_ntlm1(key.data, key.length,
+				  type2.challange,
+				  &type3.ntlm);
+
+	if (flags & NTLM_NEG_KEYEX) {
+	    struct ntlm_buf sessionkey;
+	    heim_ntlm_build_ntlm1_master(key.data, key.length,
+					 &sessionkey,
+				     &type3.sessionkey);
+	    free(sessionkey.data);
+	}
+	free(key.data);
+    }
+
+    ret = heim_ntlm_encode_type3(&type3, &data);
+    if (ret)
+	errx(1, "heim_ntlm_encode_type3");
+
+    input.length = data.length;
+    input.value = data.data;
+
+    maj_stat = gss_accept_sec_context(&min_stat,
+				      &ctx,
+				      GSS_C_NO_CREDENTIAL,
+				      &input,
+				      GSS_C_NO_CHANNEL_BINDINGS,
+				      &src_name,
+				      NULL,
+				      &output,
+				      NULL,
+				      NULL,
+				      NULL);
+    free(input.value);
+    if (maj_stat != GSS_S_COMPLETE)
+	errx(1, "accept_sec_context v1 2 %s",
+	     gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
+
+    gss_release_buffer(&min_stat, &output);
+    gss_delete_sec_context(&min_stat, &ctx, NULL);
+
+    if (src_name == GSS_C_NO_NAME)
+	errx(1, "no source name!");
+
+    gss_display_name(&min_stat, src_name, &output, NULL);
+
+    printf("src_name: %.*s\n", (int)output.length, (char*)output.value);
+
+    gss_release_name(&min_stat, &src_name);
+    gss_release_buffer(&min_stat, &output);
+
+    return 0;
+}
+
+static int
+test_libntlm_v2(int flags)
+{
+    const char *user = "foo", 
+	*domain = "mydomain",
+	*password = "digestpassword";
+    OM_uint32 maj_stat, min_stat;
+    gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
+    gss_buffer_desc input, output;
+    struct ntlm_type1 type1;
+    struct ntlm_type2 type2;
+    struct ntlm_type3 type3;
+    struct ntlm_buf data;
+    krb5_error_code ret;
+    
+    memset(&type1, 0, sizeof(type1));
+    memset(&type2, 0, sizeof(type2));
+    memset(&type3, 0, sizeof(type3));
+
+    type1.flags = NTLM_NEG_UNICODE|NTLM_NEG_NTLM|flags;
+    type1.domain = strdup(domain);
+    type1.hostname = NULL;
+    type1.os[0] = 0;
+    type1.os[1] = 0;
+
+    ret = heim_ntlm_encode_type1(&type1, &data);
+    if (ret)
+	errx(1, "heim_ntlm_encode_type1");
+
+    input.value = data.data;
+    input.length = data.length;
+
+    output.length = 0;
+    output.value = NULL;
+
+    maj_stat = gss_accept_sec_context(&min_stat,
+				      &ctx,
+				      GSS_C_NO_CREDENTIAL,
+				      &input,
+				      GSS_C_NO_CHANNEL_BINDINGS,
+				      NULL,
+				      NULL,
+				      &output,
+				      NULL,
+				      NULL,
+				      NULL);
+    free(data.data);
+    if (GSS_ERROR(maj_stat))
+	errx(1, "accept_sec_context v2 %s",
+	     gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
+
+    if (output.length == 0)
+	errx(1, "output.length == 0");
+
+    data.data = output.value;
+    data.length = output.length;
+
+    ret = heim_ntlm_decode_type2(&data, &type2);
+    if (ret)
+	errx(1, "heim_ntlm_decode_type2");
+
+    type3.flags = type2.flags;
+    type3.username = rk_UNCONST(user);
+    type3.targetname = type2.targetname;
+    type3.ws = rk_UNCONST("workstation");
+
+    {
+	struct ntlm_buf key;
+	unsigned char ntlmv2[16];
+
+	heim_ntlm_nt_key(password, &key);
+
+	heim_ntlm_calculate_ntlm2(key.data, key.length,
+				  user,
+				  type2.targetname,
+				  type2.challange,
+				  &type2.targetinfo,
+				  ntlmv2,
+				  &type3.ntlm);
+	free(key.data);
+
+	if (flags & NTLM_NEG_KEYEX) {
+	    struct ntlm_buf sessionkey;
+	    heim_ntlm_build_ntlm1_master(ntlmv2, sizeof(ntlmv2),
+					 &sessionkey,
+					 &type3.sessionkey);
+	    free(sessionkey.data);
+	}
+    }
+
+    ret = heim_ntlm_encode_type3(&type3, &data);
+    if (ret)
+	errx(1, "heim_ntlm_encode_type3");
+
+    input.length = data.length;
+    input.value = data.data;
+
+    maj_stat = gss_accept_sec_context(&min_stat,
+				      &ctx,
+				      GSS_C_NO_CREDENTIAL,
+				      &input,
+				      GSS_C_NO_CHANNEL_BINDINGS,
+				      NULL,
+				      NULL,
+				      &output,
+				      NULL,
+				      NULL,
+				      NULL);
+    free(input.value);
+    if (maj_stat != GSS_S_COMPLETE)
+	errx(1, "accept_sec_context v2 2 %s",
+	     gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
+
+    gss_delete_sec_context(&min_stat, &ctx, NULL);
+
+    return 0;
+}
+
+
+
+static int version_flag = 0;
+static int help_flag	= 0;
+
+static struct getargs args[] = {
+    {"version",	0,	arg_flag,	&version_flag, "print version", NULL },
+    {"help",	0,	arg_flag,	&help_flag,  NULL, NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args, sizeof(args)/sizeof(*args),
+		    NULL, "");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    int ret = 0, optind = 0;
+
+    setprogname(argv[0]);
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    ret += test_libntlm_v1(0);
+    ret += test_libntlm_v1(NTLM_NEG_KEYEX);
+
+    ret += test_libntlm_v2(0);
+    ret += test_libntlm_v2(NTLM_NEG_KEYEX);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/gssapi/test_oid.c b/crypto/heimdal/lib/gssapi/test_oid.c
new file mode 100644
index 0000000..3beb30c
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/test_oid.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <gssapi.h>
+#include <err.h>
+#include <roken.h>
+
+RCSID("$Id: test_oid.c 20488 2007-04-21 06:29:11Z lha $");
+
+int
+main(int argc, char **argv)
+{
+    OM_uint32 minor_status, maj_stat;
+    gss_buffer_desc data;
+    int ret;
+
+    maj_stat = gss_oid_to_str(&minor_status, GSS_KRB5_MECHANISM, &data);
+    if (GSS_ERROR(maj_stat))
+	errx(1, "gss_oid_to_str failed");
+
+    ret = strcmp(data.value, "1 2 840 113554 1 2 2");
+    gss_release_buffer(&maj_stat, &data);
+    if (ret)
+	return 1;
+
+    maj_stat = gss_oid_to_str(&minor_status, GSS_C_NT_EXPORT_NAME, &data);
+    if (GSS_ERROR(maj_stat))
+	errx(1, "gss_oid_to_str failed");
+
+    ret = strcmp(data.value, "1 3 6 1 5 6 4");
+    gss_release_buffer(&maj_stat, &data);
+    if (ret)
+	return 1;
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/gssapi/version-script.map b/crypto/heimdal/lib/gssapi/version-script.map
new file mode 100644
index 0000000..43ea73f
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/version-script.map
@@ -0,0 +1,97 @@
+# $Id: version-script.map 20493 2007-04-21 07:56:20Z lha $
+
+HEIMDAL_GSS_1.0 {
+	global:
+		GSS_KRB5_MECHANISM;
+		GSS_NTLM_MECHANISM;
+		GSS_SPNEGO_MECHANISM;
+		GSS_SASL_DIGEST_MD5_MECHANISM;
+		GSS_C_NT_ANONYMOUS;
+		GSS_C_NT_EXPORT_NAME;
+		GSS_C_NT_HOSTBASED_SERVICE;
+		GSS_C_NT_HOSTBASED_SERVICE_X;
+		GSS_C_NT_MACHINE_UID_NAME;
+		GSS_C_NT_STRING_UID_NAME;
+		GSS_C_NT_USER_NAME;
+		GSS_KRB5_NT_PRINCIPAL_NAME;
+		GSS_KRB5_NT_USER_NAME;
+		GSS_KRB5_NT_MACHINE_UID_NAME;
+		GSS_KRB5_NT_STRING_UID_NAME;
+		gss_acquire_cred;
+		gss_release_cred;
+		gss_init_sec_context;
+		gss_accept_sec_context;
+		gss_process_context_token;
+		gss_delete_sec_context;
+		gss_context_time;
+		gss_get_mic;
+		gss_verify_mic;
+		gss_wrap;
+		gss_unwrap;
+		gss_display_status;
+		gss_indicate_mechs;
+		gss_compare_name;
+		gss_display_name;
+		gss_import_name;
+		gss_export_name;
+		gss_release_name;
+		gss_release_buffer;
+		gss_release_oid_set;
+		gss_inquire_cred;
+		gss_inquire_context;
+		gss_wrap_size_limit;
+		gss_add_cred;
+		gss_inquire_cred_by_mech;
+		gss_export_sec_context;
+		gss_import_sec_context;
+		gss_create_empty_oid_set;
+		gss_add_oid_set_member;
+		gss_test_oid_set_member;
+		gss_inquire_names_for_mech;
+		gss_inquire_mechs_for_name;
+		gss_canonicalize_name;
+		gss_duplicate_name;
+		gss_duplicate_oid;
+		gss_release_oid;
+		gss_oid_to_str;
+		gss_inquire_sec_context_by_oid;
+		gss_set_sec_context_option;
+		gss_set_cred_option;
+		gss_oid_equal;
+		gss_create_empty_buffer_set;
+		gss_add_buffer_set_member;
+		gss_release_buffer_set;
+		gss_inquire_cred_by_oid;
+		gss_pseudo_random;
+		gss_sign;
+		gss_verify;
+		gss_seal;
+		gss_unseal;
+		gss_inquire_sec_context_by_oid;
+		gss_encapsulate_token;
+		gss_decapsulate_token;
+		gss_krb5_ccache_name;
+		gsskrb5_register_acceptor_identity;
+		gss_krb5_copy_ccache;
+		gss_krb5_import_cred;
+		gss_krb5_get_tkt_flags;
+		gsskrb5_extract_authz_data_from_sec_context;
+		gsskrb5_set_dns_canonicalize;
+		gsskrb5_set_send_to_kdc;
+		gsskrb5_set_default_realm;
+		gsskrb5_extract_authtime_from_sec_context;
+		gsskrb5_extract_service_keyblock;
+		gsskrb5_get_initiator_subkey;
+		gsskrb5_get_subkey;
+		gss_krb5_export_lucid_sec_context;
+		gss_krb5_free_lucid_sec_context;
+		gss_krb5_set_allowable_enctypes;
+
+		# _gsskrb5cfx_ are really internal symbols, but export
+		# then now to make testing easier.
+		_gsskrb5cfx_max_wrap_length_cfx;
+		_gsskrb5cfx_wrap_length_cfx;
+
+	local:
+		*;
+};
diff --git a/crypto/heimdal/lib/hdb/Makefile.am b/crypto/heimdal/lib/hdb/Makefile.am
index 952944b..f66cd06 100644
--- a/crypto/heimdal/lib/hdb/Makefile.am
+++ b/crypto/heimdal/lib/hdb/Makefile.am
@@ -1,62 +1,115 @@
-# $Id: Makefile.am,v 1.53.4.2 2003/10/14 16:13:14 joda Exp $
+# $Id: Makefile.am 22490 2008-01-21 11:49:33Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += -I../asn1 -I$(srcdir)/../asn1 $(INCLUDE_des)
+AM_CPPFLAGS += -I../asn1 -I$(srcdir)/../asn1 $(INCLUDE_hcrypto)
+
+BUILT_SOURCES = \
+	$(gen_files_hdb:.x=.c)	\
+	hdb_err.c \
+	hdb_err.h
+
+gen_files_hdb = \
+	asn1_Salt.x \
+	asn1_Key.x \
+	asn1_Event.x \
+	asn1_HDBFlags.x \
+	asn1_GENERATION.x \
+	asn1_HDB_Ext_PKINIT_acl.x \
+	asn1_HDB_Ext_PKINIT_hash.x \
+	asn1_HDB_Ext_Constrained_delegation_acl.x \
+	asn1_HDB_Ext_Lan_Manager_OWF.x \
+	asn1_HDB_Ext_Password.x \
+	asn1_HDB_Ext_Aliases.x \
+	asn1_HDB_extension.x \
+	asn1_HDB_extensions.x \
+	asn1_hdb_entry.x \
+	asn1_hdb_entry_alias.x
+
+CLEANFILES = $(BUILT_SOURCES) $(gen_files_hdb) hdb_asn1.h hdb_asn1_files
 
-BUILT_SOURCES = asn1_Key.c asn1_Event.c asn1_HDBFlags.c asn1_hdb_entry.c \
-	asn1_Salt.c hdb_err.c hdb_err.h asn1_GENERATION.c
-
-foo = asn1_Key.x asn1_GENERATION.x asn1_Event.x asn1_HDBFlags.x asn1_hdb_entry.x asn1_Salt.x
-
-CLEANFILES = $(BUILT_SOURCES) $(foo) hdb_asn1.h asn1_files
-
-noinst_PROGRAMS = convert_db
 LDADD = libhdb.la \
 	$(LIB_openldap) \
 	../krb5/libkrb5.la \
 	../asn1/libasn1.la \
-	$(LIB_des) \
-	$(LIB_roken)
+	$(LIB_hcrypto) \
+	$(LIB_roken) \
+	$(LIB_ldopen)
+
+if OPENLDAP_MODULE
+
+ldap_so = hdb_ldap.la
+hdb_ldap_la_SOURCES = hdb-ldap.c
+hdb_ldap_la_LDFLAGS = -module
+
+else
+
+ldap = hdb-ldap.c
+
+endif
+
 
-lib_LTLIBRARIES = libhdb.la
-libhdb_la_LDFLAGS = -version-info 7:7:0
+lib_LTLIBRARIES = libhdb.la $(ldap_so)
+libhdb_la_LDFLAGS = -version-info 11:0:2
 
-libhdb_la_SOURCES =				\
+noinst_PROGRAMS = test_dbinfo
+
+dist_libhdb_la_SOURCES =			\
 	common.c				\
 	db.c					\
 	db3.c					\
-	hdb-ldap.c				\
+	ext.c					\
+	$(ldap)					\
 	hdb.c					\
+	hdb_locl.h				\
+	hdb-private.h				\
+	keys.c					\
 	keytab.c				\
+	dbinfo.c				\
 	mkey.c					\
 	ndbm.c					\
-	print.c					\
-	$(BUILT_SOURCES)
+	print.c
+
+nodist_libhdb_la_SOURCES = $(BUILT_SOURCES)
 
-INCLUDES += $(INCLUDE_openldap)
+AM_CPPFLAGS += $(INCLUDE_openldap)
 
-include_HEADERS = hdb.h hdb_err.h hdb_asn1.h hdb-protos.h hdb-private.h
+include_HEADERS = hdb.h hdb-protos.h
+nodist_include_HEADERS =  hdb_err.h hdb_asn1.h
 
-libhdb_la_LIBADD = ../krb5/libkrb5.la ../asn1/libasn1.la ../roken/libroken.la $(LIB_openldap) $(DBLIB) $(LIB_NDBM)
+libhdb_la_CPPFLAGS = -DHDB_DB_DIR=\"$(DIR_hdbdir)\"
+
+libhdb_la_LIBADD = \
+	$(LIB_com_err) \
+	../krb5/libkrb5.la \
+	../asn1/libasn1.la \
+	$(LIBADD_roken) \
+	$(LIB_openldap) \
+	$(LIB_dlopen) \
+	$(DBLIB) \
+	$(LIB_NDBM)
 
 $(libhdb_la_OBJECTS): $(srcdir)/hdb-protos.h $(srcdir)/hdb-private.h
 
 $(srcdir)/hdb-protos.h:
-	cd $(srcdir); perl ../../cf/make-proto.pl -q -P comment -o hdb-protos.h $(libhdb_la_SOURCES) || rm -f hdb-protos.h
+	cd $(srcdir); perl ../../cf/make-proto.pl -q -P comment -o hdb-protos.h $(dist_libhdb_la_SOURCES) || rm -f hdb-protos.h
 
 $(srcdir)/hdb-private.h:
-	cd $(srcdir); perl ../../cf/make-proto.pl -q -P comment -p hdb-private.h $(libhdb_la_SOURCES) || rm -f hdb-private.h
+	cd $(srcdir); perl ../../cf/make-proto.pl -q -P comment -p hdb-private.h $(dist_libhdb_la_SOURCES) || rm -f hdb-private.h
 
-$(foo) hdb_asn1.h: asn1_files
+$(gen_files_hdb) hdb_asn1.h: hdb_asn1_files
 
-asn1_files: ../asn1/asn1_compile$(EXEEXT) $(srcdir)/hdb.asn1
+hdb_asn1_files: ../asn1/asn1_compile$(EXEEXT) $(srcdir)/hdb.asn1
 	../asn1/asn1_compile$(EXEEXT) $(srcdir)/hdb.asn1 hdb_asn1
 
 $(libhdb_la_OBJECTS): hdb_asn1.h hdb_err.h
 
-$(convert_db_OBJECTS): hdb_asn1.h hdb_err.h
+test_dbinfo_SOURCES = test_dbinfo.c
+
+test_dbinfo_LIBS = libhdb.la
 
 # to help stupid solaris make
 
 hdb_err.h: hdb_err.et
+
+EXTRA_DIST = hdb.asn1 hdb_err.et hdb.schema
diff --git a/crypto/heimdal/lib/hdb/Makefile.in b/crypto/heimdal/lib/hdb/Makefile.in
index 28ca7d5..cb0f916 100644
--- a/crypto/heimdal/lib/hdb/Makefile.in
+++ b/crypto/heimdal/lib/hdb/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,25 +14,19 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.53.4.2 2003/10/14 16:13:14 joda Exp $
+# $Id: Makefile.am 22490 2008-01-21 11:49:33Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
 
 
-SOURCES = $(libhdb_la_SOURCES) convert_db.c
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -44,24 +38,23 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(include_HEADERS) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \
 	$(top_srcdir)/cf/Makefile.am.common
-noinst_PROGRAMS = convert_db$(EXEEXT)
+noinst_PROGRAMS = test_dbinfo$(EXEEXT)
 subdir = lib/hdb
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -74,6 +67,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -82,63 +76,104 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(includedir)"
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(includedir)" \
+	"$(DESTDIR)$(includedir)"
 libLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(lib_LTLIBRARIES)
+hdb_ldap_la_LIBADD =
+am__hdb_ldap_la_SOURCES_DIST = hdb-ldap.c
+@OPENLDAP_MODULE_TRUE@am_hdb_ldap_la_OBJECTS = hdb-ldap.lo
+hdb_ldap_la_OBJECTS = $(am_hdb_ldap_la_OBJECTS)
+hdb_ldap_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(hdb_ldap_la_LDFLAGS) $(LDFLAGS) -o $@
+@OPENLDAP_MODULE_TRUE@am_hdb_ldap_la_rpath = -rpath $(libdir)
 am__DEPENDENCIES_1 =
-libhdb_la_DEPENDENCIES = ../krb5/libkrb5.la ../asn1/libasn1.la \
-	../roken/libroken.la $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
-am__objects_1 = asn1_Key.lo asn1_Event.lo asn1_HDBFlags.lo \
-	asn1_hdb_entry.lo asn1_Salt.lo hdb_err.lo asn1_GENERATION.lo
-am_libhdb_la_OBJECTS = common.lo db.lo db3.lo hdb-ldap.lo hdb.lo \
-	keytab.lo mkey.lo ndbm.lo print.lo $(am__objects_1)
-libhdb_la_OBJECTS = $(am_libhdb_la_OBJECTS)
+libhdb_la_DEPENDENCIES = $(am__DEPENDENCIES_1) ../krb5/libkrb5.la \
+	../asn1/libasn1.la $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1)
+am__dist_libhdb_la_SOURCES_DIST = common.c db.c db3.c ext.c hdb-ldap.c \
+	hdb.c hdb_locl.h hdb-private.h keys.c keytab.c dbinfo.c mkey.c \
+	ndbm.c print.c
+@OPENLDAP_MODULE_FALSE@am__objects_1 = libhdb_la-hdb-ldap.lo
+dist_libhdb_la_OBJECTS = libhdb_la-common.lo libhdb_la-db.lo \
+	libhdb_la-db3.lo libhdb_la-ext.lo $(am__objects_1) \
+	libhdb_la-hdb.lo libhdb_la-keys.lo libhdb_la-keytab.lo \
+	libhdb_la-dbinfo.lo libhdb_la-mkey.lo libhdb_la-ndbm.lo \
+	libhdb_la-print.lo
+am__objects_2 = libhdb_la-asn1_Salt.lo libhdb_la-asn1_Key.lo \
+	libhdb_la-asn1_Event.lo libhdb_la-asn1_HDBFlags.lo \
+	libhdb_la-asn1_GENERATION.lo \
+	libhdb_la-asn1_HDB_Ext_PKINIT_acl.lo \
+	libhdb_la-asn1_HDB_Ext_PKINIT_hash.lo \
+	libhdb_la-asn1_HDB_Ext_Constrained_delegation_acl.lo \
+	libhdb_la-asn1_HDB_Ext_Lan_Manager_OWF.lo \
+	libhdb_la-asn1_HDB_Ext_Password.lo \
+	libhdb_la-asn1_HDB_Ext_Aliases.lo \
+	libhdb_la-asn1_HDB_extension.lo \
+	libhdb_la-asn1_HDB_extensions.lo libhdb_la-asn1_hdb_entry.lo \
+	libhdb_la-asn1_hdb_entry_alias.lo
+am__objects_3 = $(am__objects_2) libhdb_la-hdb_err.lo
+nodist_libhdb_la_OBJECTS = $(am__objects_3)
+libhdb_la_OBJECTS = $(dist_libhdb_la_OBJECTS) \
+	$(nodist_libhdb_la_OBJECTS)
+libhdb_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libhdb_la_LDFLAGS) $(LDFLAGS) -o $@
 PROGRAMS = $(noinst_PROGRAMS)
-convert_db_SOURCES = convert_db.c
-convert_db_OBJECTS = convert_db.$(OBJEXT)
-convert_db_LDADD = $(LDADD)
-convert_db_DEPENDENCIES = libhdb.la $(am__DEPENDENCIES_1) \
+am_test_dbinfo_OBJECTS = test_dbinfo.$(OBJEXT)
+test_dbinfo_OBJECTS = $(am_test_dbinfo_OBJECTS)
+test_dbinfo_LDADD = $(LDADD)
+test_dbinfo_DEPENDENCIES = libhdb.la $(am__DEPENDENCIES_1) \
 	../krb5/libkrb5.la ../asn1/libasn1.la $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
-SOURCES = $(libhdb_la_SOURCES) convert_db.c
-DIST_SOURCES = $(libhdb_la_SOURCES) convert_db.c
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(hdb_ldap_la_SOURCES) $(dist_libhdb_la_SOURCES) \
+	$(nodist_libhdb_la_SOURCES) $(test_dbinfo_SOURCES)
+DIST_SOURCES = $(am__hdb_ldap_la_SOURCES_DIST) \
+	$(am__dist_libhdb_la_SOURCES_DIST) $(test_dbinfo_SOURCES)
 includeHEADERS_INSTALL = $(INSTALL_HEADER)
-HEADERS = $(include_HEADERS)
+nodist_includeHEADERS_INSTALL = $(INSTALL_HEADER)
+HEADERS = $(include_HEADERS) $(nodist_include_HEADERS)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -148,8 +183,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -160,11 +193,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -172,42 +204,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -225,12 +242,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -240,15 +254,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -257,6 +270,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -268,15 +282,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -284,74 +293,80 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I../asn1 -I$(srcdir)/../asn1 $(INCLUDE_des) $(INCLUDE_openldap)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) -I../asn1 \
+	-I$(srcdir)/../asn1 $(INCLUDE_hcrypto) $(INCLUDE_openldap)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -368,40 +383,83 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
-BUILT_SOURCES = asn1_Key.c asn1_Event.c asn1_HDBFlags.c asn1_hdb_entry.c \
-	asn1_Salt.c hdb_err.c hdb_err.h asn1_GENERATION.c
-
-foo = asn1_Key.x asn1_GENERATION.x asn1_Event.x asn1_HDBFlags.x asn1_hdb_entry.x asn1_Salt.x
-CLEANFILES = $(BUILT_SOURCES) $(foo) hdb_asn1.h asn1_files
+BUILT_SOURCES = \
+	$(gen_files_hdb:.x=.c)	\
+	hdb_err.c \
+	hdb_err.h
+
+gen_files_hdb = \
+	asn1_Salt.x \
+	asn1_Key.x \
+	asn1_Event.x \
+	asn1_HDBFlags.x \
+	asn1_GENERATION.x \
+	asn1_HDB_Ext_PKINIT_acl.x \
+	asn1_HDB_Ext_PKINIT_hash.x \
+	asn1_HDB_Ext_Constrained_delegation_acl.x \
+	asn1_HDB_Ext_Lan_Manager_OWF.x \
+	asn1_HDB_Ext_Password.x \
+	asn1_HDB_Ext_Aliases.x \
+	asn1_HDB_extension.x \
+	asn1_HDB_extensions.x \
+	asn1_hdb_entry.x \
+	asn1_hdb_entry_alias.x
+
+CLEANFILES = $(BUILT_SOURCES) $(gen_files_hdb) hdb_asn1.h hdb_asn1_files
 LDADD = libhdb.la \
 	$(LIB_openldap) \
 	../krb5/libkrb5.la \
 	../asn1/libasn1.la \
-	$(LIB_des) \
-	$(LIB_roken)
-
-lib_LTLIBRARIES = libhdb.la
-libhdb_la_LDFLAGS = -version-info 7:7:0
-libhdb_la_SOURCES = \
+	$(LIB_hcrypto) \
+	$(LIB_roken) \
+	$(LIB_ldopen)
+
+@OPENLDAP_MODULE_TRUE@ldap_so = hdb_ldap.la
+@OPENLDAP_MODULE_TRUE@hdb_ldap_la_SOURCES = hdb-ldap.c
+@OPENLDAP_MODULE_TRUE@hdb_ldap_la_LDFLAGS = -module
+@OPENLDAP_MODULE_FALSE@ldap = hdb-ldap.c
+lib_LTLIBRARIES = libhdb.la $(ldap_so)
+libhdb_la_LDFLAGS = -version-info 11:0:2
+dist_libhdb_la_SOURCES = \
 	common.c				\
 	db.c					\
 	db3.c					\
-	hdb-ldap.c				\
+	ext.c					\
+	$(ldap)					\
 	hdb.c					\
+	hdb_locl.h				\
+	hdb-private.h				\
+	keys.c					\
 	keytab.c				\
+	dbinfo.c				\
 	mkey.c					\
 	ndbm.c					\
-	print.c					\
-	$(BUILT_SOURCES)
+	print.c
+
+nodist_libhdb_la_SOURCES = $(BUILT_SOURCES)
+include_HEADERS = hdb.h hdb-protos.h
+nodist_include_HEADERS = hdb_err.h hdb_asn1.h
+libhdb_la_CPPFLAGS = -DHDB_DB_DIR=\"$(DIR_hdbdir)\"
+libhdb_la_LIBADD = \
+	$(LIB_com_err) \
+	../krb5/libkrb5.la \
+	../asn1/libasn1.la \
+	$(LIBADD_roken) \
+	$(LIB_openldap) \
+	$(LIB_dlopen) \
+	$(DBLIB) \
+	$(LIB_NDBM)
 
-include_HEADERS = hdb.h hdb_err.h hdb_asn1.h hdb-protos.h hdb-private.h
-libhdb_la_LIBADD = ../krb5/libkrb5.la ../asn1/libasn1.la ../roken/libroken.la $(LIB_openldap) $(DBLIB) $(LIB_NDBM)
+test_dbinfo_SOURCES = test_dbinfo.c
+test_dbinfo_LIBS = libhdb.la
+EXTRA_DIST = hdb.asn1 hdb_err.et hdb.schema
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -433,10 +491,10 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)"
+	test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    f="`echo $$p | sed -e 's|^.*/||'`"; \
+	    f=$(am__strip_dir) \
 	    echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \
 	    $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \
 	  else :; fi; \
@@ -445,7 +503,7 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 uninstall-libLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
-	    p="`echo $$p | sed -e 's|^.*/||'`"; \
+	  p=$(am__strip_dir) \
 	  echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \
 	  $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \
 	done
@@ -454,12 +512,14 @@ clean-libLTLIBRARIES:
 	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" = "$$p" && dir=.; \
+	  test "$$dir" != "$$p" || dir=.; \
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
+hdb_ldap.la: $(hdb_ldap_la_OBJECTS) $(hdb_ldap_la_DEPENDENCIES) 
+	$(hdb_ldap_la_LINK) $(am_hdb_ldap_la_rpath) $(hdb_ldap_la_OBJECTS) $(hdb_ldap_la_LIBADD) $(LIBS)
 libhdb.la: $(libhdb_la_OBJECTS) $(libhdb_la_DEPENDENCIES) 
-	$(LINK) -rpath $(libdir) $(libhdb_la_LDFLAGS) $(libhdb_la_OBJECTS) $(libhdb_la_LIBADD) $(LIBS)
+	$(libhdb_la_LINK) -rpath $(libdir) $(libhdb_la_OBJECTS) $(libhdb_la_LIBADD) $(LIBS)
 
 clean-noinstPROGRAMS:
 	@list='$(noinst_PROGRAMS)'; for p in $$list; do \
@@ -467,9 +527,9 @@ clean-noinstPROGRAMS:
 	  echo " rm -f $$p $$f"; \
 	  rm -f $$p $$f ; \
 	done
-convert_db$(EXEEXT): $(convert_db_OBJECTS) $(convert_db_DEPENDENCIES) 
-	@rm -f convert_db$(EXEEXT)
-	$(LINK) $(convert_db_LDFLAGS) $(convert_db_OBJECTS) $(convert_db_LDADD) $(LIBS)
+test_dbinfo$(EXEEXT): $(test_dbinfo_OBJECTS) $(test_dbinfo_DEPENDENCIES) 
+	@rm -f test_dbinfo$(EXEEXT)
+	$(LINK) $(test_dbinfo_OBJECTS) $(test_dbinfo_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -486,21 +546,101 @@ distclean-compile:
 .c.lo:
 	$(LTCOMPILE) -c -o $@ $<
 
+libhdb_la-common.lo: common.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-common.lo `test -f 'common.c' || echo '$(srcdir)/'`common.c
+
+libhdb_la-db.lo: db.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-db.lo `test -f 'db.c' || echo '$(srcdir)/'`db.c
+
+libhdb_la-db3.lo: db3.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-db3.lo `test -f 'db3.c' || echo '$(srcdir)/'`db3.c
+
+libhdb_la-ext.lo: ext.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-ext.lo `test -f 'ext.c' || echo '$(srcdir)/'`ext.c
+
+libhdb_la-hdb-ldap.lo: hdb-ldap.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-hdb-ldap.lo `test -f 'hdb-ldap.c' || echo '$(srcdir)/'`hdb-ldap.c
+
+libhdb_la-hdb.lo: hdb.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-hdb.lo `test -f 'hdb.c' || echo '$(srcdir)/'`hdb.c
+
+libhdb_la-keys.lo: keys.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-keys.lo `test -f 'keys.c' || echo '$(srcdir)/'`keys.c
+
+libhdb_la-keytab.lo: keytab.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-keytab.lo `test -f 'keytab.c' || echo '$(srcdir)/'`keytab.c
+
+libhdb_la-dbinfo.lo: dbinfo.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-dbinfo.lo `test -f 'dbinfo.c' || echo '$(srcdir)/'`dbinfo.c
+
+libhdb_la-mkey.lo: mkey.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-mkey.lo `test -f 'mkey.c' || echo '$(srcdir)/'`mkey.c
+
+libhdb_la-ndbm.lo: ndbm.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-ndbm.lo `test -f 'ndbm.c' || echo '$(srcdir)/'`ndbm.c
+
+libhdb_la-print.lo: print.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-print.lo `test -f 'print.c' || echo '$(srcdir)/'`print.c
+
+libhdb_la-asn1_Salt.lo: asn1_Salt.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-asn1_Salt.lo `test -f 'asn1_Salt.c' || echo '$(srcdir)/'`asn1_Salt.c
+
+libhdb_la-asn1_Key.lo: asn1_Key.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-asn1_Key.lo `test -f 'asn1_Key.c' || echo '$(srcdir)/'`asn1_Key.c
+
+libhdb_la-asn1_Event.lo: asn1_Event.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-asn1_Event.lo `test -f 'asn1_Event.c' || echo '$(srcdir)/'`asn1_Event.c
+
+libhdb_la-asn1_HDBFlags.lo: asn1_HDBFlags.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-asn1_HDBFlags.lo `test -f 'asn1_HDBFlags.c' || echo '$(srcdir)/'`asn1_HDBFlags.c
+
+libhdb_la-asn1_GENERATION.lo: asn1_GENERATION.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-asn1_GENERATION.lo `test -f 'asn1_GENERATION.c' || echo '$(srcdir)/'`asn1_GENERATION.c
+
+libhdb_la-asn1_HDB_Ext_PKINIT_acl.lo: asn1_HDB_Ext_PKINIT_acl.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-asn1_HDB_Ext_PKINIT_acl.lo `test -f 'asn1_HDB_Ext_PKINIT_acl.c' || echo '$(srcdir)/'`asn1_HDB_Ext_PKINIT_acl.c
+
+libhdb_la-asn1_HDB_Ext_PKINIT_hash.lo: asn1_HDB_Ext_PKINIT_hash.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-asn1_HDB_Ext_PKINIT_hash.lo `test -f 'asn1_HDB_Ext_PKINIT_hash.c' || echo '$(srcdir)/'`asn1_HDB_Ext_PKINIT_hash.c
+
+libhdb_la-asn1_HDB_Ext_Constrained_delegation_acl.lo: asn1_HDB_Ext_Constrained_delegation_acl.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-asn1_HDB_Ext_Constrained_delegation_acl.lo `test -f 'asn1_HDB_Ext_Constrained_delegation_acl.c' || echo '$(srcdir)/'`asn1_HDB_Ext_Constrained_delegation_acl.c
+
+libhdb_la-asn1_HDB_Ext_Lan_Manager_OWF.lo: asn1_HDB_Ext_Lan_Manager_OWF.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-asn1_HDB_Ext_Lan_Manager_OWF.lo `test -f 'asn1_HDB_Ext_Lan_Manager_OWF.c' || echo '$(srcdir)/'`asn1_HDB_Ext_Lan_Manager_OWF.c
+
+libhdb_la-asn1_HDB_Ext_Password.lo: asn1_HDB_Ext_Password.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-asn1_HDB_Ext_Password.lo `test -f 'asn1_HDB_Ext_Password.c' || echo '$(srcdir)/'`asn1_HDB_Ext_Password.c
+
+libhdb_la-asn1_HDB_Ext_Aliases.lo: asn1_HDB_Ext_Aliases.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-asn1_HDB_Ext_Aliases.lo `test -f 'asn1_HDB_Ext_Aliases.c' || echo '$(srcdir)/'`asn1_HDB_Ext_Aliases.c
+
+libhdb_la-asn1_HDB_extension.lo: asn1_HDB_extension.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-asn1_HDB_extension.lo `test -f 'asn1_HDB_extension.c' || echo '$(srcdir)/'`asn1_HDB_extension.c
+
+libhdb_la-asn1_HDB_extensions.lo: asn1_HDB_extensions.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-asn1_HDB_extensions.lo `test -f 'asn1_HDB_extensions.c' || echo '$(srcdir)/'`asn1_HDB_extensions.c
+
+libhdb_la-asn1_hdb_entry.lo: asn1_hdb_entry.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-asn1_hdb_entry.lo `test -f 'asn1_hdb_entry.c' || echo '$(srcdir)/'`asn1_hdb_entry.c
+
+libhdb_la-asn1_hdb_entry_alias.lo: asn1_hdb_entry_alias.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-asn1_hdb_entry_alias.lo `test -f 'asn1_hdb_entry_alias.c' || echo '$(srcdir)/'`asn1_hdb_entry_alias.c
+
+libhdb_la-hdb_err.lo: hdb_err.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhdb_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhdb_la-hdb_err.lo `test -f 'hdb_err.c' || echo '$(srcdir)/'`hdb_err.c
+
 mostlyclean-libtool:
 	-rm -f *.lo
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 install-includeHEADERS: $(include_HEADERS)
 	@$(NORMAL_INSTALL)
-	test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)"
+	test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
 	@list='$(include_HEADERS)'; for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  f=$(am__strip_dir) \
 	  echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
 	  $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
 	done
@@ -508,7 +648,24 @@ install-includeHEADERS: $(include_HEADERS)
 uninstall-includeHEADERS:
 	@$(NORMAL_UNINSTALL)
 	@list='$(include_HEADERS)'; for p in $$list; do \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  f=$(am__strip_dir) \
+	  echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(includedir)/$$f"; \
+	done
+install-nodist_includeHEADERS: $(nodist_include_HEADERS)
+	@$(NORMAL_INSTALL)
+	test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
+	@list='$(nodist_include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  f=$(am__strip_dir) \
+	  echo " $(nodist_includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
+	  $(nodist_includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
+	done
+
+uninstall-nodist_includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(nodist_include_HEADERS)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
 	  echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \
 	  rm -f "$(DESTDIR)$(includedir)/$$f"; \
 	done
@@ -533,9 +690,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -560,23 +719,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../.. $(distdir)/../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -596,8 +753,8 @@ check: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) check-am
 all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local
 installdirs:
-	for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(includedir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) install-am
@@ -620,7 +777,7 @@ clean-generic:
 	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -634,7 +791,7 @@ clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -646,18 +803,26 @@ info: info-am
 
 info-am:
 
-install-data-am: install-includeHEADERS
+install-data-am: install-includeHEADERS install-nodist_includeHEADERS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-libLTLIBRARIES
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man:
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -677,22 +842,32 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-includeHEADERS uninstall-info-am \
-	uninstall-libLTLIBRARIES
+uninstall-am: uninstall-includeHEADERS uninstall-libLTLIBRARIES \
+	uninstall-nodist_includeHEADERS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
 
 .PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
 	clean clean-generic clean-libLTLIBRARIES clean-libtool \
-	clean-noinstPROGRAMS ctags distclean distclean-compile \
-	distclean-generic distclean-libtool distclean-tags distdir dvi \
-	dvi-am html html-am info info-am install install-am \
-	install-data install-data-am install-exec install-exec-am \
+	clean-noinstPROGRAMS ctags dist-hook distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am \
+	install-data-hook install-dvi install-dvi-am install-exec \
+	install-exec-am install-exec-hook install-html install-html-am \
 	install-includeHEADERS install-info install-info-am \
-	install-libLTLIBRARIES install-man install-strip installcheck \
+	install-libLTLIBRARIES install-man \
+	install-nodist_includeHEADERS install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
 	installcheck-am installdirs maintainer-clean \
 	maintainer-clean-generic mostlyclean mostlyclean-compile \
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-includeHEADERS \
-	uninstall-info-am uninstall-libLTLIBRARIES
+	tags uninstall uninstall-am uninstall-hook \
+	uninstall-includeHEADERS uninstall-libLTLIBRARIES \
+	uninstall-nodist_includeHEADERS
 
 
 install-suid-programs:
@@ -707,8 +882,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -718,19 +893,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -746,7 +933,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -816,32 +1003,55 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
 
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
 $(libhdb_la_OBJECTS): $(srcdir)/hdb-protos.h $(srcdir)/hdb-private.h
 
 $(srcdir)/hdb-protos.h:
-	cd $(srcdir); perl ../../cf/make-proto.pl -q -P comment -o hdb-protos.h $(libhdb_la_SOURCES) || rm -f hdb-protos.h
+	cd $(srcdir); perl ../../cf/make-proto.pl -q -P comment -o hdb-protos.h $(dist_libhdb_la_SOURCES) || rm -f hdb-protos.h
 
 $(srcdir)/hdb-private.h:
-	cd $(srcdir); perl ../../cf/make-proto.pl -q -P comment -p hdb-private.h $(libhdb_la_SOURCES) || rm -f hdb-private.h
+	cd $(srcdir); perl ../../cf/make-proto.pl -q -P comment -p hdb-private.h $(dist_libhdb_la_SOURCES) || rm -f hdb-private.h
 
-$(foo) hdb_asn1.h: asn1_files
+$(gen_files_hdb) hdb_asn1.h: hdb_asn1_files
 
-asn1_files: ../asn1/asn1_compile$(EXEEXT) $(srcdir)/hdb.asn1
+hdb_asn1_files: ../asn1/asn1_compile$(EXEEXT) $(srcdir)/hdb.asn1
 	../asn1/asn1_compile$(EXEEXT) $(srcdir)/hdb.asn1 hdb_asn1
 
 $(libhdb_la_OBJECTS): hdb_asn1.h hdb_err.h
 
-$(convert_db_OBJECTS): hdb_asn1.h hdb_err.h
-
 # to help stupid solaris make
 
 hdb_err.h: hdb_err.et
diff --git a/crypto/heimdal/lib/hdb/common.c b/crypto/heimdal/lib/hdb/common.c
index 6f0e730..680b666 100644
--- a/crypto/heimdal/lib/hdb/common.c
+++ b/crypto/heimdal/lib/hdb/common.c
@@ -33,10 +33,10 @@
 
 #include "hdb_locl.h"
 
-RCSID("$Id: common.c,v 1.12 2003/01/14 06:54:32 lha Exp $");
+RCSID("$Id: common.c 20236 2007-02-16 23:52:29Z lha $");
 
 int
-hdb_principal2key(krb5_context context, krb5_principal p, krb5_data *key)
+hdb_principal2key(krb5_context context, krb5_const_principal p, krb5_data *key)
 {
     Principal new;
     size_t len;
@@ -48,6 +48,8 @@ hdb_principal2key(krb5_context context, krb5_principal p, krb5_data *key)
     new.name.name_type = 0;
 
     ASN1_MALLOC_ENCODE(Principal, key->data, key->length, &new, &len, ret);
+    if (ret == 0 && key->length != len)
+	krb5_abortx(context, "internal asn.1 encoder error");
     free_Principal(&new);
     return ret;
 }
@@ -59,12 +61,14 @@ hdb_key2principal(krb5_context context, krb5_data *key, krb5_principal p)
 }
 
 int
-hdb_entry2value(krb5_context context, hdb_entry *ent, krb5_data *value)
+hdb_entry2value(krb5_context context, const hdb_entry *ent, krb5_data *value)
 {
     size_t len;
     int ret;
     
     ASN1_MALLOC_ENCODE(hdb_entry, value->data, value->length, ent, &len, ret);
+    if (ret == 0 && value->length != len)
+	krb5_abortx(context, "internal asn.1 encoder error");
     return ret;
 }
 
@@ -74,69 +78,205 @@ hdb_value2entry(krb5_context context, krb5_data *value, hdb_entry *ent)
     return decode_hdb_entry(value->data, value->length, ent, NULL);
 }
 
+int
+hdb_entry_alias2value(krb5_context context, 
+		      const hdb_entry_alias *alias,
+		      krb5_data *value)
+{
+    size_t len;
+    int ret;
+    
+    ASN1_MALLOC_ENCODE(hdb_entry_alias, value->data, value->length, 
+		       alias, &len, ret);
+    if (ret == 0 && value->length != len)
+	krb5_abortx(context, "internal asn.1 encoder error");
+    return ret;
+}
+
+int
+hdb_value2entry_alias(krb5_context context, krb5_data *value, 
+		      hdb_entry_alias *ent)
+{
+    return decode_hdb_entry_alias(value->data, value->length, ent, NULL);
+}
+
 krb5_error_code
-_hdb_fetch(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
+_hdb_fetch(krb5_context context, HDB *db, krb5_const_principal principal,
+	   unsigned flags, hdb_entry_ex *entry)
 {
     krb5_data key, value;
     int code;
 
-    hdb_principal2key(context, entry->principal, &key);
-    code = db->_get(context, db, key, &value);
+    hdb_principal2key(context, principal, &key);
+    code = db->hdb__get(context, db, key, &value);
     krb5_data_free(&key);
     if(code)
 	return code;
-    code = hdb_value2entry(context, &value, entry);
+    code = hdb_value2entry(context, &value, &entry->entry);
+    if (code == ASN1_BAD_ID && (flags & HDB_F_CANON) == 0) {
+	krb5_data_free(&value);
+	return HDB_ERR_NOENTRY;
+    } else if (code == ASN1_BAD_ID) {
+	hdb_entry_alias alias;
+
+	code = hdb_value2entry_alias(context, &value, &alias);
+	if (code) {
+	    krb5_data_free(&value);
+	    return code;
+	}
+	hdb_principal2key(context, alias.principal, &key);
+	krb5_data_free(&value);
+	free_hdb_entry_alias(&alias);
+
+	code = db->hdb__get(context, db, key, &value);
+	krb5_data_free(&key);
+	if (code)
+	    return code;
+	code = hdb_value2entry(context, &value, &entry->entry);
+	if (code) {
+	    krb5_data_free(&value);
+	    return code;
+	}
+    }
     krb5_data_free(&value);
-    if (code)
-	return code;
-    if (db->master_key_set && (flags & HDB_F_DECRYPT)) {
-	code = hdb_unseal_keys (context, db, entry);
+    if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
+	code = hdb_unseal_keys (context, db, &entry->entry);
 	if (code)
 	    hdb_free_entry(context, entry);
     }
     return code;
 }
 
+static krb5_error_code
+hdb_remove_aliases(krb5_context context, HDB *db, krb5_data *key)
+{
+    const HDB_Ext_Aliases *aliases;
+    krb5_error_code code;
+    hdb_entry oldentry;
+    krb5_data value;
+    int i;
+
+    code = db->hdb__get(context, db, *key, &value);
+    if (code == HDB_ERR_NOENTRY)
+	return 0;
+    else if (code)
+	return code;
+	    
+    code = hdb_value2entry(context, &value, &oldentry);
+    krb5_data_free(&value);
+    if (code)
+	return code;
+
+    code = hdb_entry_get_aliases(&oldentry, &aliases);
+    if (code || aliases == NULL) {
+	free_hdb_entry(&oldentry);
+	return code;
+    }
+    for (i = 0; i < aliases->aliases.len; i++) {
+	krb5_data akey;
+
+	hdb_principal2key(context, &aliases->aliases.val[i], &akey);
+	code = db->hdb__del(context, db, akey);
+	krb5_data_free(&akey);
+	if (code) {
+	    free_hdb_entry(&oldentry);
+	    return code;
+	}
+    }
+    free_hdb_entry(&oldentry);
+    return 0;
+}
+
+static krb5_error_code
+hdb_add_aliases(krb5_context context, HDB *db, 
+		unsigned flags, hdb_entry_ex *entry)
+{
+    const HDB_Ext_Aliases *aliases;
+    krb5_error_code code;
+    krb5_data key, value;
+    int i;
+    
+    code = hdb_entry_get_aliases(&entry->entry, &aliases);
+    if (code || aliases == NULL)
+	return code;
+    
+    for (i = 0; i < aliases->aliases.len; i++) {
+	hdb_entry_alias entryalias;
+	entryalias.principal = entry->entry.principal;
+	
+	hdb_principal2key(context, &aliases->aliases.val[i], &key);
+	code = hdb_entry_alias2value(context, &entryalias, &value);
+	if (code) {
+	    krb5_data_free(&key);
+	    return code;
+	}
+	code = db->hdb__put(context, db, flags, key, value);
+	krb5_data_free(&key);
+	krb5_data_free(&value);
+	if (code)
+	    return code;
+    }
+    return 0;
+}
+
 krb5_error_code
-_hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
+_hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
 {
     krb5_data key, value;
     int code;
 
-    if(entry->generation == NULL) {
+    if(entry->entry.generation == NULL) {
 	struct timeval t;
-	entry->generation = malloc(sizeof(*entry->generation));
-	if(entry->generation == NULL) {
+	entry->entry.generation = malloc(sizeof(*entry->entry.generation));
+	if(entry->entry.generation == NULL) {
 	    krb5_set_error_string(context, "malloc: out of memory");
 	    return ENOMEM;
 	}
 	gettimeofday(&t, NULL);
-	entry->generation->time = t.tv_sec;
-	entry->generation->usec = t.tv_usec;
-	entry->generation->gen = 0;
+	entry->entry.generation->time = t.tv_sec;
+	entry->entry.generation->usec = t.tv_usec;
+	entry->entry.generation->gen = 0;
     } else
-	entry->generation->gen++;
-    hdb_principal2key(context, entry->principal, &key);
-    code = hdb_seal_keys(context, db, entry);
+	entry->entry.generation->gen++;
+    hdb_principal2key(context, entry->entry.principal, &key);
+    code = hdb_seal_keys(context, db, &entry->entry);
+    if (code) {
+	krb5_data_free(&key);
+	return code;
+    }
+
+    /* remove aliases */
+    code = hdb_remove_aliases(context, db, &key);
     if (code) {
 	krb5_data_free(&key);
 	return code;
     }
-    hdb_entry2value(context, entry, &value);
-    code = db->_put(context, db, flags & HDB_F_REPLACE, key, value);
+    hdb_entry2value(context, &entry->entry, &value);
+    code = db->hdb__put(context, db, flags & HDB_F_REPLACE, key, value);
     krb5_data_free(&value);
     krb5_data_free(&key);
+    if (code)
+	return code;
+
+    code = hdb_add_aliases(context, db, flags, entry);
+
     return code;
 }
 
 krb5_error_code
-_hdb_remove(krb5_context context, HDB *db, hdb_entry *entry)
+_hdb_remove(krb5_context context, HDB *db, krb5_const_principal principal)
 {
     krb5_data key;
     int code;
 
-    hdb_principal2key(context, entry->principal, &key);
-    code = db->_del(context, db, key);
+    hdb_principal2key(context, principal, &key);
+
+    code = hdb_remove_aliases(context, db, &key);
+    if (code) {
+	krb5_data_free(&key);
+	return code;
+    }
+    code = db->hdb__del(context, db, key);
     krb5_data_free(&key);
     return code;
 }
diff --git a/crypto/heimdal/lib/hdb/db.c b/crypto/heimdal/lib/hdb/db.c
index 4dfbc66..870f043 100644
--- a/crypto/heimdal/lib/hdb/db.c
+++ b/crypto/heimdal/lib/hdb/db.c
@@ -33,7 +33,7 @@
 
 #include "hdb_locl.h"
 
-RCSID("$Id: db.c,v 1.30 2001/08/09 08:41:48 assar Exp $");
+RCSID("$Id: db.c 20215 2007-02-09 21:59:53Z lha $");
 
 #if HAVE_DB1
 
@@ -46,8 +46,8 @@ RCSID("$Id: db.c,v 1.30 2001/08/09 08:41:48 assar Exp $");
 static krb5_error_code
 DB_close(krb5_context context, HDB *db)
 {
-    DB *d = (DB*)db->db;
-    d->close(d);
+    DB *d = (DB*)db->hdb_db;
+    (*d->close)(d);
     return 0;
 }
 
@@ -57,7 +57,7 @@ DB_destroy(krb5_context context, HDB *db)
     krb5_error_code ret;
 
     ret = hdb_clear_master_key (context, db);
-    free(db->name);
+    free(db->hdb_name);
     free(db);
     return ret;
 }
@@ -65,62 +65,77 @@ DB_destroy(krb5_context context, HDB *db)
 static krb5_error_code
 DB_lock(krb5_context context, HDB *db, int operation)
 {
-    DB *d = (DB*)db->db;
+    DB *d = (DB*)db->hdb_db;
     int fd = (*d->fd)(d);
-    if(fd < 0)
+    if(fd < 0) {
+	krb5_set_error_string(context,
+			      "Can't lock database: %s", db->hdb_name);
 	return HDB_ERR_CANT_LOCK_DB;
+    }
     return hdb_lock(fd, operation);
 }
 
 static krb5_error_code
 DB_unlock(krb5_context context, HDB *db)
 {
-    DB *d = (DB*)db->db;
+    DB *d = (DB*)db->hdb_db;
     int fd = (*d->fd)(d);
-    if(fd < 0)
+    if(fd < 0) {
+	krb5_set_error_string(context, 
+			      "Can't unlock database: %s", db->hdb_name);
 	return HDB_ERR_CANT_LOCK_DB;
+    }
     return hdb_unlock(fd);
 }
 
 
 static krb5_error_code
 DB_seq(krb5_context context, HDB *db,
-       unsigned flags, hdb_entry *entry, int flag)
+       unsigned flags, hdb_entry_ex *entry, int flag)
 {
-    DB *d = (DB*)db->db;
+    DB *d = (DB*)db->hdb_db;
     DBT key, value;
     krb5_data key_data, data;
     int code;
 
-    code = db->lock(context, db, HDB_RLOCK);
-    if(code == -1)
+    code = db->hdb_lock(context, db, HDB_RLOCK);
+    if(code == -1) {
+	krb5_set_error_string(context, "Database %s in use", db->hdb_name);
 	return HDB_ERR_DB_INUSE;
-    code = d->seq(d, &key, &value, flag);
-    db->unlock(context, db); /* XXX check value */
-    if(code == -1)
-	return errno;
-    if(code == 1)
+    }
+    code = (*d->seq)(d, &key, &value, flag);
+    db->hdb_unlock(context, db); /* XXX check value */
+    if(code == -1) {
+	code = errno;
+	krb5_set_error_string(context, "Database %s seq error: %s", 
+			      db->hdb_name, strerror(code));
+	return code;
+    }
+    if(code == 1) {
+	krb5_clear_error_string(context);
 	return HDB_ERR_NOENTRY;
+    }
 
     key_data.data = key.data;
     key_data.length = key.size;
     data.data = value.data;
     data.length = value.size;
-    if (hdb_value2entry(context, &data, entry))
+    memset(entry, 0, sizeof(*entry));
+    if (hdb_value2entry(context, &data, &entry->entry))
 	return DB_seq(context, db, flags, entry, R_NEXT);
-    if (db->master_key_set && (flags & HDB_F_DECRYPT)) {
-	code = hdb_unseal_keys (context, db, entry);
+    if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
+	code = hdb_unseal_keys (context, db, &entry->entry);
 	if (code)
 	    hdb_free_entry (context, entry);
     }
-    if (code == 0 && entry->principal == NULL) {
-	entry->principal = malloc(sizeof(*entry->principal));
-	if (entry->principal == NULL) {
+    if (code == 0 && entry->entry.principal == NULL) {
+	entry->entry.principal = malloc(sizeof(*entry->entry.principal));
+	if (entry->entry.principal == NULL) {
 	    krb5_set_error_string(context, "malloc: out of memory");
 	    code = ENOMEM;
 	    hdb_free_entry (context, entry);
 	} else {
-	    hdb_key2principal(context, &key_data, entry->principal);
+	    hdb_key2principal(context, &key_data, entry->entry.principal);
 	}
     }
     return code;
@@ -128,14 +143,14 @@ DB_seq(krb5_context context, HDB *db,
 
 
 static krb5_error_code
-DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
+DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
 {
     return DB_seq(context, db, flags, entry, R_FIRST);
 }
 
 
 static krb5_error_code
-DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
+DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
 {
     return DB_seq(context, db, flags, entry, R_NEXT);
 }
@@ -146,7 +161,7 @@ DB_rename(krb5_context context, HDB *db, const char *new_name)
     int ret;
     char *old, *new;
 
-    asprintf(&old, "%s.db", db->name);
+    asprintf(&old, "%s.db", db->hdb_name);
     asprintf(&new, "%s.db", new_name);
     ret = rename(old, new);
     free(old);
@@ -154,29 +169,35 @@ DB_rename(krb5_context context, HDB *db, const char *new_name)
     if(ret)
 	return errno;
     
-    free(db->name);
-    db->name = strdup(new_name);
+    free(db->hdb_name);
+    db->hdb_name = strdup(new_name);
     return 0;
 }
 
 static krb5_error_code
 DB__get(krb5_context context, HDB *db, krb5_data key, krb5_data *reply)
 {
-    DB *d = (DB*)db->db;
+    DB *d = (DB*)db->hdb_db;
     DBT k, v;
     int code;
 
     k.data = key.data;
     k.size = key.length;
-    code = db->lock(context, db, HDB_RLOCK);
+    code = db->hdb_lock(context, db, HDB_RLOCK);
     if(code)
 	return code;
-    code = d->get(d, &k, &v, 0);
-    db->unlock(context, db);
-    if(code < 0)
-	return errno;
-    if(code == 1)
+    code = (*d->get)(d, &k, &v, 0);
+    db->hdb_unlock(context, db);
+    if(code < 0) {
+	code = errno;
+	krb5_set_error_string(context, "Database %s get error: %s", 
+			      db->hdb_name, strerror(code));
+	return code;
+    }
+    if(code == 1) {
+	krb5_clear_error_string(context);
 	return HDB_ERR_NOENTRY;
+    }
     
     krb5_data_copy(reply, v.data, v.size);
     return 0;
@@ -186,7 +207,7 @@ static krb5_error_code
 DB__put(krb5_context context, HDB *db, int replace, 
 	krb5_data key, krb5_data value)
 {
-    DB *d = (DB*)db->db;
+    DB *d = (DB*)db->hdb_db;
     DBT k, v;
     int code;
 
@@ -194,33 +215,43 @@ DB__put(krb5_context context, HDB *db, int replace,
     k.size = key.length;
     v.data = value.data;
     v.size = value.length;
-    code = db->lock(context, db, HDB_WLOCK);
+    code = db->hdb_lock(context, db, HDB_WLOCK);
     if(code)
 	return code;
-    code = d->put(d, &k, &v, replace ? 0 : R_NOOVERWRITE);
-    db->unlock(context, db);
-    if(code < 0)
-	return errno;
-    if(code == 1)
+    code = (*d->put)(d, &k, &v, replace ? 0 : R_NOOVERWRITE);
+    db->hdb_unlock(context, db);
+    if(code < 0) {
+	code = errno;
+	krb5_set_error_string(context, "Database %s put error: %s", 
+			      db->hdb_name, strerror(code));
+	return code;
+    }
+    if(code == 1) {
+	krb5_clear_error_string(context);
 	return HDB_ERR_EXISTS;
+    }
     return 0;
 }
 
 static krb5_error_code
 DB__del(krb5_context context, HDB *db, krb5_data key)
 {
-    DB *d = (DB*)db->db;
+    DB *d = (DB*)db->hdb_db;
     DBT k;
     krb5_error_code code;
     k.data = key.data;
     k.size = key.length;
-    code = db->lock(context, db, HDB_WLOCK);
+    code = db->hdb_lock(context, db, HDB_WLOCK);
     if(code)
 	return code;
-    code = d->del(d, &k, 0);
-    db->unlock(context, db);
-    if(code == 1)
-	return HDB_ERR_NOENTRY;
+    code = (*d->del)(d, &k, 0);
+    db->hdb_unlock(context, db);
+    if(code == 1) {
+	code = errno;
+	krb5_set_error_string(context, "Database %s put error: %s", 
+			      db->hdb_name, strerror(code));
+	return code;
+    }
     if(code < 0)
 	return errno;
     return 0;
@@ -232,20 +263,20 @@ DB_open(krb5_context context, HDB *db, int flags, mode_t mode)
     char *fn;
     krb5_error_code ret;
 
-    asprintf(&fn, "%s.db", db->name);
+    asprintf(&fn, "%s.db", db->hdb_name);
     if (fn == NULL) {
 	krb5_set_error_string(context, "malloc: out of memory");
 	return ENOMEM;
     }
-    db->db = dbopen(fn, flags, mode, DB_BTREE, NULL);
+    db->hdb_db = dbopen(fn, flags, mode, DB_BTREE, NULL);
     free(fn);
     /* try to open without .db extension */
-    if(db->db == NULL && errno == ENOENT)
-	db->db = dbopen(db->name, flags, mode, DB_BTREE, NULL);
-    if(db->db == NULL) {
+    if(db->hdb_db == NULL && errno == ENOENT)
+	db->hdb_db = dbopen(db->hdb_name, flags, mode, DB_BTREE, NULL);
+    if(db->hdb_db == NULL) {
 	ret = errno;
 	krb5_set_error_string(context, "dbopen (%s): %s",
-			      db->name, strerror(ret));
+			      db->hdb_name, strerror(ret));
 	return ret;
     }
     if((flags & O_ACCMODE) == O_RDONLY)
@@ -256,6 +287,13 @@ DB_open(krb5_context context, HDB *db, int flags, mode_t mode)
 	krb5_clear_error_string(context);
 	return 0;
     }
+    if (ret) {
+	DB_close(context, db);
+	krb5_set_error_string(context, "hdb_open: failed %s database %s",
+			      (flags & O_ACCMODE) == O_RDONLY ? 
+			      "checking format of" : "initialize", 
+			      db->hdb_name);
+    }
     return ret;
 }
 
@@ -263,36 +301,36 @@ krb5_error_code
 hdb_db_create(krb5_context context, HDB **db, 
 	      const char *filename)
 {
-    *db = malloc(sizeof(**db));
+    *db = calloc(1, sizeof(**db));
     if (*db == NULL) {
 	krb5_set_error_string(context, "malloc: out of memory");
 	return ENOMEM;
     }
 
-    (*db)->db = NULL;
-    (*db)->name = strdup(filename);
-    if ((*db)->name == NULL) {
+    (*db)->hdb_db = NULL;
+    (*db)->hdb_name = strdup(filename);
+    if ((*db)->hdb_name == NULL) {
 	krb5_set_error_string(context, "malloc: out of memory");
 	free(*db);
 	*db = NULL;
 	return ENOMEM;
     }
-    (*db)->master_key_set = 0;
-    (*db)->openp = 0;
-    (*db)->open  = DB_open;
-    (*db)->close = DB_close;
-    (*db)->fetch = _hdb_fetch;
-    (*db)->store = _hdb_store;
-    (*db)->remove = _hdb_remove;
-    (*db)->firstkey = DB_firstkey;
-    (*db)->nextkey= DB_nextkey;
-    (*db)->lock = DB_lock;
-    (*db)->unlock = DB_unlock;
-    (*db)->rename = DB_rename;
-    (*db)->_get = DB__get;
-    (*db)->_put = DB__put;
-    (*db)->_del = DB__del;
-    (*db)->destroy = DB_destroy;
+    (*db)->hdb_master_key_set = 0;
+    (*db)->hdb_openp = 0;
+    (*db)->hdb_open = DB_open;
+    (*db)->hdb_close = DB_close;
+    (*db)->hdb_fetch = _hdb_fetch;
+    (*db)->hdb_store = _hdb_store;
+    (*db)->hdb_remove = _hdb_remove;
+    (*db)->hdb_firstkey = DB_firstkey;
+    (*db)->hdb_nextkey= DB_nextkey;
+    (*db)->hdb_lock = DB_lock;
+    (*db)->hdb_unlock = DB_unlock;
+    (*db)->hdb_rename = DB_rename;
+    (*db)->hdb__get = DB__get;
+    (*db)->hdb__put = DB__put;
+    (*db)->hdb__del = DB__del;
+    (*db)->hdb_destroy = DB_destroy;
     return 0;
 }
 
diff --git a/crypto/heimdal/lib/hdb/db3.c b/crypto/heimdal/lib/hdb/db3.c
index 8ae3535..45ccbef 100644
--- a/crypto/heimdal/lib/hdb/db3.c
+++ b/crypto/heimdal/lib/hdb/db3.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "hdb_locl.h"
 
-RCSID("$Id: db3.c,v 1.8.6.1 2003/08/29 16:59:39 lha Exp $");
+RCSID("$Id: db3.c 21610 2007-07-17 07:10:45Z lha $");
 
 #if HAVE_DB3
 
@@ -48,12 +48,12 @@ RCSID("$Id: db3.c,v 1.8.6.1 2003/08/29 16:59:39 lha Exp $");
 static krb5_error_code
 DB_close(krb5_context context, HDB *db)
 {
-    DB *d = (DB*)db->db;
-    DBC *dbcp = (DBC*)db->dbc;
+    DB *d = (DB*)db->hdb_db;
+    DBC *dbcp = (DBC*)db->hdb_dbc;
 
-    dbcp->c_close(dbcp);
-    db->dbc = 0;
-    d->close(d, 0);
+    (*dbcp->c_close)(dbcp);
+    db->hdb_dbc = 0;
+    (*d->close)(d, 0);
     return 0;
 }
 
@@ -63,7 +63,7 @@ DB_destroy(krb5_context context, HDB *db)
     krb5_error_code ret;
 
     ret = hdb_clear_master_key (context, db);
-    free(db->name);
+    free(db->hdb_name);
     free(db);
     return ret;
 }
@@ -71,7 +71,7 @@ DB_destroy(krb5_context context, HDB *db)
 static krb5_error_code
 DB_lock(krb5_context context, HDB *db, int operation)
 {
-    DB *d = (DB*)db->db;
+    DB *d = (DB*)db->hdb_db;
     int fd;
     if ((*d->fd)(d, &fd))
 	return HDB_ERR_CANT_LOCK_DB;
@@ -81,7 +81,7 @@ DB_lock(krb5_context context, HDB *db, int operation)
 static krb5_error_code
 DB_unlock(krb5_context context, HDB *db)
 {
-    DB *d = (DB*)db->db;
+    DB *d = (DB*)db->hdb_db;
     int fd;
     if ((*d->fd)(d, &fd))
 	return HDB_ERR_CANT_LOCK_DB;
@@ -91,19 +91,19 @@ DB_unlock(krb5_context context, HDB *db)
 
 static krb5_error_code
 DB_seq(krb5_context context, HDB *db,
-       unsigned flags, hdb_entry *entry, int flag)
+       unsigned flags, hdb_entry_ex *entry, int flag)
 {
     DBT key, value;
-    DBC *dbcp = db->dbc;
+    DBC *dbcp = db->hdb_dbc;
     krb5_data key_data, data;
     int code;
 
     memset(&key, 0, sizeof(DBT));
     memset(&value, 0, sizeof(DBT));
-    if (db->lock(context, db, HDB_RLOCK))
+    if ((*db->hdb_lock)(context, db, HDB_RLOCK))
 	return HDB_ERR_DB_INUSE;
-    code = dbcp->c_get(dbcp, &key, &value, flag);
-    db->unlock(context, db); /* XXX check value */
+    code = (*dbcp->c_get)(dbcp, &key, &value, flag);
+    (*db->hdb_unlock)(context, db); /* XXX check value */
     if (code == DB_NOTFOUND)
 	return HDB_ERR_NOENTRY;
     if (code)
@@ -113,21 +113,22 @@ DB_seq(krb5_context context, HDB *db,
     key_data.length = key.size;
     data.data = value.data;
     data.length = value.size;
-    if (hdb_value2entry(context, &data, entry))
+    memset(entry, 0, sizeof(*entry));
+    if (hdb_value2entry(context, &data, &entry->entry))
 	return DB_seq(context, db, flags, entry, DB_NEXT);
-    if (db->master_key_set && (flags & HDB_F_DECRYPT)) {
-	code = hdb_unseal_keys (context, db, entry);
+    if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
+	code = hdb_unseal_keys (context, db, &entry->entry);
 	if (code)
 	    hdb_free_entry (context, entry);
     }
-    if (entry->principal == NULL) {
-	entry->principal = malloc(sizeof(*entry->principal));
-	if (entry->principal == NULL) {
+    if (entry->entry.principal == NULL) {
+	entry->entry.principal = malloc(sizeof(*entry->entry.principal));
+	if (entry->entry.principal == NULL) {
 	    hdb_free_entry (context, entry);
 	    krb5_set_error_string(context, "malloc: out of memory");
 	    return ENOMEM;
 	} else {
-	    hdb_key2principal(context, &key_data, entry->principal);
+	    hdb_key2principal(context, &key_data, entry->entry.principal);
 	}
     }
     return 0;
@@ -135,14 +136,14 @@ DB_seq(krb5_context context, HDB *db,
 
 
 static krb5_error_code
-DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
+DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
 {
     return DB_seq(context, db, flags, entry, DB_FIRST);
 }
 
 
 static krb5_error_code
-DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
+DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
 {
     return DB_seq(context, db, flags, entry, DB_NEXT);
 }
@@ -153,7 +154,7 @@ DB_rename(krb5_context context, HDB *db, const char *new_name)
     int ret;
     char *old, *new;
 
-    asprintf(&old, "%s.db", db->name);
+    asprintf(&old, "%s.db", db->hdb_name);
     asprintf(&new, "%s.db", new_name);
     ret = rename(old, new);
     free(old);
@@ -161,15 +162,15 @@ DB_rename(krb5_context context, HDB *db, const char *new_name)
     if(ret)
 	return errno;
     
-    free(db->name);
-    db->name = strdup(new_name);
+    free(db->hdb_name);
+    db->hdb_name = strdup(new_name);
     return 0;
 }
 
 static krb5_error_code
 DB__get(krb5_context context, HDB *db, krb5_data key, krb5_data *reply)
 {
-    DB *d = (DB*)db->db;
+    DB *d = (DB*)db->hdb_db;
     DBT k, v;
     int code;
 
@@ -178,10 +179,10 @@ DB__get(krb5_context context, HDB *db, krb5_data key, krb5_data *reply)
     k.data = key.data;
     k.size = key.length;
     k.flags = 0;
-    if ((code = db->lock(context, db, HDB_RLOCK)))
+    if ((code = (*db->hdb_lock)(context, db, HDB_RLOCK)))
 	return code;
-    code = d->get(d, NULL, &k, &v, 0);
-    db->unlock(context, db);
+    code = (*d->get)(d, NULL, &k, &v, 0);
+    (*db->hdb_unlock)(context, db);
     if(code == DB_NOTFOUND)
 	return HDB_ERR_NOENTRY;
     if(code)
@@ -195,7 +196,7 @@ static krb5_error_code
 DB__put(krb5_context context, HDB *db, int replace, 
 	krb5_data key, krb5_data value)
 {
-    DB *d = (DB*)db->db;
+    DB *d = (DB*)db->hdb_db;
     DBT k, v;
     int code;
 
@@ -207,10 +208,10 @@ DB__put(krb5_context context, HDB *db, int replace,
     v.data = value.data;
     v.size = value.length;
     v.flags = 0;
-    if ((code = db->lock(context, db, HDB_WLOCK)))
+    if ((code = (*db->hdb_lock)(context, db, HDB_WLOCK)))
 	return code;
-    code = d->put(d, NULL, &k, &v, replace ? 0 : DB_NOOVERWRITE);
-    db->unlock(context, db);
+    code = (*d->put)(d, NULL, &k, &v, replace ? 0 : DB_NOOVERWRITE);
+    (*db->hdb_unlock)(context, db);
     if(code == DB_KEYEXIST)
 	return HDB_ERR_EXISTS;
     if(code)
@@ -221,18 +222,18 @@ DB__put(krb5_context context, HDB *db, int replace,
 static krb5_error_code
 DB__del(krb5_context context, HDB *db, krb5_data key)
 {
-    DB *d = (DB*)db->db;
+    DB *d = (DB*)db->hdb_db;
     DBT k;
     krb5_error_code code;
     memset(&k, 0, sizeof(DBT));
     k.data = key.data;
     k.size = key.length;
     k.flags = 0;
-    code = db->lock(context, db, HDB_WLOCK);
+    code = (*db->hdb_lock)(context, db, HDB_WLOCK);
     if(code)
 	return code;
-    code = d->del(d, NULL, &k, 0);
-    db->unlock(context, db);
+    code = (*d->del)(d, NULL, &k, 0);
+    (*db->hdb_unlock)(context, db);
     if(code == DB_NOTFOUND)
 	return HDB_ERR_NOENTRY;
     if(code)
@@ -243,6 +244,7 @@ DB__del(krb5_context context, HDB *db, krb5_data key)
 static krb5_error_code
 DB_open(krb5_context context, HDB *db, int flags, mode_t mode)
 {
+    DBC *dbc = NULL;
     char *fn;
     krb5_error_code ret;
     DB *d;
@@ -254,44 +256,51 @@ DB_open(krb5_context context, HDB *db, int flags, mode_t mode)
     if (flags & O_EXCL)
       myflags |= DB_EXCL;
 
-    if (flags & O_RDONLY)
+    if((flags & O_ACCMODE) == O_RDONLY)
       myflags |= DB_RDONLY;
 
     if (flags & O_TRUNC)
       myflags |= DB_TRUNCATE;
 
-    asprintf(&fn, "%s.db", db->name);
+    asprintf(&fn, "%s.db", db->hdb_name);
     if (fn == NULL) {
 	krb5_set_error_string(context, "malloc: out of memory");
 	return ENOMEM;
     }
     db_create(&d, NULL, 0);
-    db->db = d;
-#if (DB_VERSION_MAJOR > 3) && (DB_VERSION_MINOR > 0)
-    if ((ret = d->open(db->db, NULL, fn, NULL, DB_BTREE, myflags, mode))) {
+    db->hdb_db = d;
+
+#if (DB_VERSION_MAJOR >= 4) && (DB_VERSION_MINOR >= 1)
+    ret = (*d->open)(db->hdb_db, NULL, fn, NULL, DB_BTREE, myflags, mode);
 #else
-    if ((ret = d->open(db->db, fn, NULL, DB_BTREE, myflags, mode))) {
+    ret = (*d->open)(db->hdb_db, fn, NULL, DB_BTREE, myflags, mode);
 #endif
-      if(ret == ENOENT)
+
+    if (ret == ENOENT) {
 	/* try to open without .db extension */
-#if (DB_VERSION_MAJOR > 3) && (DB_VERSION_MINOR > 0)
-	if (d->open(db->db, NULL, db->name, NULL, DB_BTREE, myflags, mode)) {
+#if (DB_VERSION_MAJOR >= 4) && (DB_VERSION_MINOR >= 1)
+	ret = (*d->open)(db->hdb_db, NULL, db->hdb_name, NULL, DB_BTREE,
+			 myflags, mode);
 #else
-	if (d->open(db->db, db->name, NULL, DB_BTREE, myflags, mode)) {
+	ret = (*d->open)(db->hdb_db, db->hdb_name, NULL, DB_BTREE, 
+			 myflags, mode);
 #endif
-	  free(fn);
-	  krb5_set_error_string(context, "opening %s: %s",
-				db->name, strerror(ret));
-	  return ret;
-	}
+    }
+
+    if (ret) {
+	free(fn);
+	krb5_set_error_string(context, "opening %s: %s",
+			      db->hdb_name, strerror(ret));
+	return ret;
     }
     free(fn);
 
-    ret = d->cursor(d, NULL, (DBC **)&db->dbc, 0);
+    ret = (*d->cursor)(d, NULL, &dbc, 0);
     if (ret) {
 	krb5_set_error_string(context, "d->cursor: %s", strerror(ret));
         return ret;
     }
+    db->hdb_dbc = dbc;
 
     if((flags & O_ACCMODE) == O_RDONLY)
 	ret = hdb_check_db_format(context, db);
@@ -299,6 +308,14 @@ DB_open(krb5_context context, HDB *db, int flags, mode_t mode)
 	ret = hdb_init_db(context, db);
     if(ret == HDB_ERR_NOENTRY)
 	return 0;
+    if (ret) {
+	DB_close(context, db);
+	krb5_set_error_string(context, "hdb_open: failed %s database %s",
+			      (flags & O_ACCMODE) == O_RDONLY ? 
+			      "checking format of" : "initialize", 
+			      db->hdb_name);
+    }
+
     return ret;
 }
 
@@ -306,36 +323,36 @@ krb5_error_code
 hdb_db_create(krb5_context context, HDB **db, 
 	      const char *filename)
 {
-    *db = malloc(sizeof(**db));
+    *db = calloc(1, sizeof(**db));
     if (*db == NULL) {
 	krb5_set_error_string(context, "malloc: out of memory");
 	return ENOMEM;
     }
 
-    (*db)->db = NULL;
-    (*db)->name = strdup(filename);
-    if ((*db)->name == NULL) {
+    (*db)->hdb_db = NULL;
+    (*db)->hdb_name = strdup(filename);
+    if ((*db)->hdb_name == NULL) {
 	krb5_set_error_string(context, "malloc: out of memory");
 	free(*db);
 	*db = NULL;
 	return ENOMEM;
     }
-    (*db)->master_key_set = 0;
-    (*db)->openp = 0;
-    (*db)->open  = DB_open;
-    (*db)->close = DB_close;
-    (*db)->fetch = _hdb_fetch;
-    (*db)->store = _hdb_store;
-    (*db)->remove = _hdb_remove;
-    (*db)->firstkey = DB_firstkey;
-    (*db)->nextkey= DB_nextkey;
-    (*db)->lock = DB_lock;
-    (*db)->unlock = DB_unlock;
-    (*db)->rename = DB_rename;
-    (*db)->_get = DB__get;
-    (*db)->_put = DB__put;
-    (*db)->_del = DB__del;
-    (*db)->destroy = DB_destroy;
+    (*db)->hdb_master_key_set = 0;
+    (*db)->hdb_openp = 0;
+    (*db)->hdb_open  = DB_open;
+    (*db)->hdb_close = DB_close;
+    (*db)->hdb_fetch = _hdb_fetch;
+    (*db)->hdb_store = _hdb_store;
+    (*db)->hdb_remove = _hdb_remove;
+    (*db)->hdb_firstkey = DB_firstkey;
+    (*db)->hdb_nextkey= DB_nextkey;
+    (*db)->hdb_lock = DB_lock;
+    (*db)->hdb_unlock = DB_unlock;
+    (*db)->hdb_rename = DB_rename;
+    (*db)->hdb__get = DB__get;
+    (*db)->hdb__put = DB__put;
+    (*db)->hdb__del = DB__del;
+    (*db)->hdb_destroy = DB_destroy;
     return 0;
 }
 #endif /* HAVE_DB3 */
diff --git a/crypto/heimdal/lib/hdb/dbinfo.c b/crypto/heimdal/lib/hdb/dbinfo.c
new file mode 100644
index 0000000..d43e31b
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/dbinfo.c
@@ -0,0 +1,266 @@
+/*
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hdb_locl.h"
+
+RCSID("$Id: dbinfo.c 22306 2007-12-14 12:22:38Z lha $");
+
+struct hdb_dbinfo {
+    char *label;
+    char *realm;
+    char *dbname;
+    char *mkey_file;
+    char *acl_file;
+    char *log_file;
+    const krb5_config_binding *binding;
+    struct hdb_dbinfo *next;
+};
+
+static int
+get_dbinfo(krb5_context context,
+	   const krb5_config_binding *db_binding,
+	   const char *label,
+	   struct hdb_dbinfo **db)
+{
+    struct hdb_dbinfo *di;
+    const char *p;
+
+    *db = NULL;
+
+    p = krb5_config_get_string(context, db_binding, "dbname", NULL);
+    if(p == NULL)
+	return 0;
+
+    di = calloc(1, sizeof(*di));
+    if (di == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    di->label = strdup(label);
+    di->dbname = strdup(p);
+
+    p = krb5_config_get_string(context, db_binding, "realm", NULL);
+    if(p)
+	di->realm = strdup(p);
+    p = krb5_config_get_string(context, db_binding, "mkey_file", NULL);
+    if(p)
+	di->mkey_file = strdup(p);
+    p = krb5_config_get_string(context, db_binding, "acl_file", NULL);
+    if(p)
+	di->acl_file = strdup(p);
+    p = krb5_config_get_string(context, db_binding, "log_file", NULL);
+    if(p)
+	di->log_file = strdup(p);
+
+    di->binding = db_binding;
+
+    *db = di;
+    return 0;
+}
+
+
+int
+hdb_get_dbinfo(krb5_context context, struct hdb_dbinfo **dbp)
+{
+    const krb5_config_binding *db_binding;
+    struct hdb_dbinfo *di, **dt, *databases;
+    const char *default_dbname = HDB_DEFAULT_DB;
+    const char *default_mkey = HDB_DB_DIR "/m-key";
+    const char *default_acl = HDB_DB_DIR "/kadmind.acl";
+    const char *p;
+    int ret;
+
+    *dbp = NULL;
+    dt = NULL;
+    databases = NULL;
+
+    db_binding = krb5_config_get(context, NULL, krb5_config_list,
+				 "kdc", 
+				 "database",
+				 NULL);
+    if (db_binding) {
+
+	ret = get_dbinfo(context, db_binding, "default", &di);
+	if (ret == 0 && di) {
+	    databases = di;
+	    dt = &di->next;
+	}		
+
+	for ( ; db_binding != NULL; db_binding = db_binding->next) {
+
+	    if (db_binding->type != krb5_config_list)
+		continue;
+
+	    ret = get_dbinfo(context, db_binding->u.list, 
+			     db_binding->name, &di);
+	    if (ret)
+		krb5_err(context, 1, ret, "failed getting realm");
+
+	    if (di == NULL)
+		continue;
+
+	    if (dt)
+		*dt = di;
+	    else
+		databases = di;
+	    dt = &di->next;
+
+	}
+    }
+
+    if(databases == NULL) {
+	/* if there are none specified, create one and use defaults */
+	di = calloc(1, sizeof(*di));
+	databases = di;
+	di->label = strdup("default");
+    }
+
+    for(di = databases; di; di = di->next) {
+	if(di->dbname == NULL) {
+	    di->dbname = strdup(default_dbname);
+	    if (di->mkey_file == NULL)
+		di->mkey_file = strdup(default_mkey);
+	}
+	if(di->mkey_file == NULL) {
+	    p = strrchr(di->dbname, '.');
+	    if(p == NULL || strchr(p, '/') != NULL)
+		/* final pathname component does not contain a . */
+		asprintf(&di->mkey_file, "%s.mkey", di->dbname);
+	    else
+		/* the filename is something.else, replace .else with
+                   .mkey */
+		asprintf(&di->mkey_file, "%.*s.mkey", 
+			 (int)(p - di->dbname), di->dbname);
+	}
+	if(di->acl_file == NULL)
+	    di->acl_file = strdup(default_acl);
+    }
+    *dbp = databases;
+    return 0;
+}
+
+
+struct hdb_dbinfo *
+hdb_dbinfo_get_next(struct hdb_dbinfo *dbp, struct hdb_dbinfo *dbprevp)
+{
+    if (dbprevp == NULL)
+	return dbp;
+    else
+	return dbprevp->next;
+}
+
+const char *
+hdb_dbinfo_get_label(krb5_context context, struct hdb_dbinfo *dbp)
+{
+    return dbp->label;
+}
+
+const char *
+hdb_dbinfo_get_realm(krb5_context context, struct hdb_dbinfo *dbp)
+{
+    return dbp->realm;
+}
+
+const char *
+hdb_dbinfo_get_dbname(krb5_context context, struct hdb_dbinfo *dbp)
+{
+    return dbp->dbname;
+}
+
+const char *
+hdb_dbinfo_get_mkey_file(krb5_context context, struct hdb_dbinfo *dbp)
+{
+    return dbp->mkey_file;
+}
+
+const char *
+hdb_dbinfo_get_acl_file(krb5_context context, struct hdb_dbinfo *dbp)
+{
+    return dbp->acl_file;
+}
+
+const char *
+hdb_dbinfo_get_log_file(krb5_context context, struct hdb_dbinfo *dbp)
+{
+    return dbp->log_file;
+}
+
+const krb5_config_binding *
+hdb_dbinfo_get_binding(krb5_context context, struct hdb_dbinfo *dbp)
+{
+    return dbp->binding;
+}
+
+void
+hdb_free_dbinfo(krb5_context context, struct hdb_dbinfo **dbp)
+{
+    struct hdb_dbinfo *di, *ndi;
+
+    for(di = *dbp; di != NULL; di = ndi) {
+	ndi = di->next;
+	free (di->realm);
+	free (di->dbname);
+	if (di->mkey_file)
+	    free (di->mkey_file);
+	free(di);
+    }
+    *dbp = NULL;
+}
+
+/**
+ * Return the directory where the hdb database resides.
+ *
+ * @param context Kerberos 5 context.
+ *
+ * @return string pointing to directory.
+ */
+
+const char *
+hdb_db_dir(krb5_context context)
+{
+    return HDB_DB_DIR;
+}
+
+/**
+ * Return the default hdb database resides.
+ *
+ * @param context Kerberos 5 context.
+ *
+ * @return string pointing to directory.
+ */
+
+const char *
+hdb_default_db(krb5_context context)
+{
+    return HDB_DEFAULT_DB;
+}
diff --git a/crypto/heimdal/lib/hdb/ext.c b/crypto/heimdal/lib/hdb/ext.c
new file mode 100644
index 0000000..5f60999
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/ext.c
@@ -0,0 +1,418 @@
+/*
+ * Copyright (c) 2004 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hdb_locl.h"
+#include <der.h>
+
+RCSID("$Id: ext.c 21113 2007-06-18 12:59:32Z lha $");
+
+krb5_error_code
+hdb_entry_check_mandatory(krb5_context context, const hdb_entry *ent)
+{
+    int i;
+
+    if (ent->extensions == NULL)
+	return 0;
+
+    /* 
+     * check for unknown extensions and if they where tagged mandatory
+     */
+
+    for (i = 0; i < ent->extensions->len; i++) {
+	if (ent->extensions->val[i].data.element != 
+	    choice_HDB_extension_data_asn1_ellipsis)
+	    continue;
+	if (ent->extensions->val[i].mandatory) {
+	    krb5_set_error_string(context,  "Principal have unknown "
+				  "mandatory extension");
+	    return HDB_ERR_MANDATORY_OPTION;
+	}
+    }
+    return 0;
+}
+
+HDB_extension *
+hdb_find_extension(const hdb_entry *entry, int type)
+{
+    int i;
+
+    if (entry->extensions == NULL)
+	return NULL;
+
+    for (i = 0; i < entry->extensions->len; i++)
+	if (entry->extensions->val[i].data.element == type)
+	    return &entry->extensions->val[i];
+    return NULL;
+}
+
+/*
+ * Replace the extension `ext' in `entry'. Make a copy of the
+ * extension, so the caller must still free `ext' on both success and
+ * failure. Returns 0 or error code.
+ */
+
+krb5_error_code
+hdb_replace_extension(krb5_context context, 
+		      hdb_entry *entry, 
+		      const HDB_extension *ext)
+{
+    HDB_extension *ext2;
+    HDB_extension *es;
+    int ret;
+
+    ext2 = NULL;
+
+    if (entry->extensions == NULL) {
+	entry->extensions = calloc(1, sizeof(*entry->extensions));
+	if (entry->extensions == NULL) {
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    return ENOMEM;
+	}
+    } else if (ext->data.element != choice_HDB_extension_data_asn1_ellipsis) {
+	ext2 = hdb_find_extension(entry, ext->data.element);
+    } else {
+	/* 
+	 * This is an unknown extention, and we are asked to replace a
+	 * possible entry in `entry' that is of the same type. This
+	 * might seem impossible, but ASN.1 CHOICE comes to our
+	 * rescue. The first tag in each branch in the CHOICE is
+	 * unique, so just find the element in the list that have the
+	 * same tag was we are putting into the list.
+	 */
+	Der_class replace_class, list_class;
+	Der_type replace_type, list_type;
+	unsigned int replace_tag, list_tag;
+	size_t size;
+	int i;
+
+	ret = der_get_tag(ext->data.u.asn1_ellipsis.data,
+			  ext->data.u.asn1_ellipsis.length,
+			  &replace_class, &replace_type, &replace_tag,
+			  &size);
+	if (ret) {
+	    krb5_set_error_string(context, "hdb: failed to decode "
+				  "replacement hdb extention");
+	    return ret;
+	}
+
+	for (i = 0; i < entry->extensions->len; i++) {
+	    HDB_extension *ext3 = &entry->extensions->val[i];
+
+	    if (ext3->data.element != choice_HDB_extension_data_asn1_ellipsis)
+		continue;
+
+	    ret = der_get_tag(ext3->data.u.asn1_ellipsis.data,
+			      ext3->data.u.asn1_ellipsis.length,
+			      &list_class, &list_type, &list_tag,
+			      &size);
+	    if (ret) {
+		krb5_set_error_string(context, "hdb: failed to decode "
+				      "present hdb extention");
+		return ret;
+	    }
+
+	    if (MAKE_TAG(replace_class,replace_type,replace_type) ==
+		MAKE_TAG(list_class,list_type,list_type)) {
+		ext2 = ext3;
+		break;
+	    }
+	}
+    }
+
+    if (ext2) {
+	free_HDB_extension(ext2);
+	ret = copy_HDB_extension(ext, ext2);
+	if (ret)
+	    krb5_set_error_string(context, "hdb: failed to copy replacement "
+				  "hdb extention");
+	return ret;
+    }
+
+    es = realloc(entry->extensions->val, 
+		 (entry->extensions->len+1)*sizeof(entry->extensions->val[0]));
+    if (es == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    entry->extensions->val = es;
+
+    ret = copy_HDB_extension(ext,
+			     &entry->extensions->val[entry->extensions->len]);
+    if (ret == 0)
+	entry->extensions->len++;
+    else
+	krb5_set_error_string(context, "hdb: failed to copy new extension");
+
+    return ret;
+}
+
+krb5_error_code
+hdb_clear_extension(krb5_context context, 
+		    hdb_entry *entry, 
+		    int type)
+{
+    int i;
+
+    if (entry->extensions == NULL)
+	return 0;
+
+    for (i = 0; i < entry->extensions->len; i++) {
+	if (entry->extensions->val[i].data.element == type) {
+	    free_HDB_extension(&entry->extensions->val[i]);
+	    memmove(&entry->extensions->val[i],
+		    &entry->extensions->val[i + 1],
+		    sizeof(entry->extensions->val[i]) * (entry->extensions->len - i - 1));
+	    entry->extensions->len--;
+	}
+    }
+    if (entry->extensions->len == 0) {
+	free(entry->extensions->val);
+	free(entry->extensions);
+	entry->extensions = NULL;
+    }
+
+    return 0;
+}
+
+
+krb5_error_code
+hdb_entry_get_pkinit_acl(const hdb_entry *entry, const HDB_Ext_PKINIT_acl **a)
+{
+    const HDB_extension *ext;
+
+    ext = hdb_find_extension(entry, choice_HDB_extension_data_pkinit_acl);
+    if (ext)
+	*a = &ext->data.u.pkinit_acl;
+    else
+	*a = NULL;
+
+    return 0;
+}
+
+krb5_error_code
+hdb_entry_get_pkinit_hash(const hdb_entry *entry, const HDB_Ext_PKINIT_hash **a)
+{
+    const HDB_extension *ext;
+
+    ext = hdb_find_extension(entry, choice_HDB_extension_data_pkinit_cert_hash);
+    if (ext)
+	*a = &ext->data.u.pkinit_cert_hash;
+    else
+	*a = NULL;
+
+    return 0;
+}
+
+krb5_error_code
+hdb_entry_get_pw_change_time(const hdb_entry *entry, time_t *t)
+{
+    const HDB_extension *ext;
+
+    ext = hdb_find_extension(entry, choice_HDB_extension_data_last_pw_change);
+    if (ext)
+	*t = ext->data.u.last_pw_change;
+    else
+	*t = 0;
+
+    return 0;
+}
+
+krb5_error_code
+hdb_entry_set_pw_change_time(krb5_context context, 
+			     hdb_entry *entry,
+			     time_t t)
+{
+    HDB_extension ext;
+
+    ext.mandatory = FALSE;
+    ext.data.element = choice_HDB_extension_data_last_pw_change;
+    if (t == 0)
+	t = time(NULL);
+    ext.data.u.last_pw_change = t;
+
+    return hdb_replace_extension(context, entry, &ext);
+}
+
+int
+hdb_entry_get_password(krb5_context context, HDB *db, 
+		       const hdb_entry *entry, char **p)
+{
+    HDB_extension *ext;
+    char *str;
+    int ret;
+
+    ext = hdb_find_extension(entry, choice_HDB_extension_data_password);
+    if (ext) {
+	heim_utf8_string str;
+	heim_octet_string pw;
+
+	if (db->hdb_master_key_set && ext->data.u.password.mkvno) {
+	    hdb_master_key key;
+
+	    key = _hdb_find_master_key(ext->data.u.password.mkvno, 
+				       db->hdb_master_key);
+
+	    if (key == NULL) {
+		krb5_set_error_string(context, "master key %d missing",
+				      *ext->data.u.password.mkvno);
+		return HDB_ERR_NO_MKEY;
+	    }
+
+	    ret = _hdb_mkey_decrypt(context, key, HDB_KU_MKEY,
+				    ext->data.u.password.password.data,
+				    ext->data.u.password.password.length,
+				    &pw);
+	} else {
+	    ret = der_copy_octet_string(&ext->data.u.password.password, &pw);
+	}
+	if (ret) {
+	    krb5_clear_error_string(context);
+	    return ret;
+	}
+
+	str = pw.data;
+	if (str[pw.length - 1] != '\0') {
+	    krb5_set_error_string(context, "password malformated");
+	    return EINVAL;
+	}
+
+	*p = strdup(str);
+
+	der_free_octet_string(&pw);
+	if (*p == NULL) {
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    return ENOMEM;
+	}
+	return 0;
+    }
+
+    ret = krb5_unparse_name(context, entry->principal, &str);
+    if (ret == 0) {
+	krb5_set_error_string(context, "no password attributefor %s", str);
+	free(str);
+    } else 
+	krb5_clear_error_string(context);
+
+    return ENOENT;
+}
+
+int
+hdb_entry_set_password(krb5_context context, HDB *db, 
+		       hdb_entry *entry, const char *p)
+{
+    HDB_extension ext;
+    hdb_master_key key;
+    int ret;
+
+    ext.mandatory = FALSE;
+    ext.data.element = choice_HDB_extension_data_password;
+
+    if (db->hdb_master_key_set) {
+
+	key = _hdb_find_master_key(NULL, db->hdb_master_key);
+	if (key == NULL) {
+	    krb5_set_error_string(context, "hdb_entry_set_password: "
+				  "failed to find masterkey");
+	    return HDB_ERR_NO_MKEY;
+	}
+
+	ret = _hdb_mkey_encrypt(context, key, HDB_KU_MKEY,
+				p, strlen(p) + 1, 
+				&ext.data.u.password.password);
+	if (ret)
+	    return ret;
+
+	ext.data.u.password.mkvno = 
+	    malloc(sizeof(*ext.data.u.password.mkvno));
+	if (ext.data.u.password.mkvno == NULL) {
+	    free_HDB_extension(&ext);
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    return ENOMEM;
+	}
+	*ext.data.u.password.mkvno = _hdb_mkey_version(key);
+
+    } else {
+	ext.data.u.password.mkvno = NULL;
+
+	ret = krb5_data_copy(&ext.data.u.password.password, 
+			     p, strlen(p) + 1);
+	if (ret) {
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    free_HDB_extension(&ext);
+	    return ret;
+	}
+    }
+
+    ret = hdb_replace_extension(context, entry, &ext);
+
+    free_HDB_extension(&ext);
+
+    return ret;
+}
+
+int
+hdb_entry_clear_password(krb5_context context, hdb_entry *entry)
+{
+    return hdb_clear_extension(context, entry, 
+			       choice_HDB_extension_data_password);
+}
+
+krb5_error_code
+hdb_entry_get_ConstrainedDelegACL(const hdb_entry *entry, 
+				  const HDB_Ext_Constrained_delegation_acl **a)
+{
+    const HDB_extension *ext;
+
+    ext = hdb_find_extension(entry, 
+			     choice_HDB_extension_data_allowed_to_delegate_to);
+    if (ext)
+	*a = &ext->data.u.allowed_to_delegate_to;
+    else
+	*a = NULL;
+
+    return 0;
+}
+
+krb5_error_code
+hdb_entry_get_aliases(const hdb_entry *entry, const HDB_Ext_Aliases **a)
+{
+    const HDB_extension *ext;
+
+    ext = hdb_find_extension(entry, choice_HDB_extension_data_aliases);
+    if (ext)
+	*a = &ext->data.u.aliases;
+    else
+	*a = NULL;
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/hdb/hdb-ldap.c b/crypto/heimdal/lib/hdb/hdb-ldap.c
index aed29b3..c9f3d37 100644
--- a/crypto/heimdal/lib/hdb/hdb-ldap.c
+++ b/crypto/heimdal/lib/hdb/hdb-ldap.c
@@ -1,5 +1,7 @@
 /*
- * Copyright (c) 1999-2001, PADL Software Pty Ltd.
+ * Copyright (c) 1999-2001, 2003, PADL Software Pty Ltd.
+ * Copyright (c) 2004, Andrew Bartlett.
+ * Copyright (c) 2003 - 2007, Kungliga Tekniska Högskolan.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -32,47 +34,124 @@
 
 #include "hdb_locl.h"
 
-RCSID("$Id: hdb-ldap.c,v 1.10.4.1 2003/09/18 20:49:09 lha Exp $");
+RCSID("$Id: hdb-ldap.c 22071 2007-11-14 20:04:50Z lha $");
 
 #ifdef OPENLDAP
 
 #include <lber.h>
 #include <ldap.h>
-#include <ctype.h>
 #include <sys/un.h>
+#include <hex.h>
 
-static krb5_error_code LDAP__connect(krb5_context context, HDB * db);
+static krb5_error_code LDAP__connect(krb5_context context, HDB *);
+static krb5_error_code LDAP_close(krb5_context context, HDB *);
 
 static krb5_error_code
 LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
-		   hdb_entry * ent);
-
-static char *krb5kdcentry_attrs[] =
-    { "krb5PrincipalName", "cn", "krb5PrincipalRealm",
-    "krb5KeyVersionNumber", "krb5Key",
-    "krb5ValidStart", "krb5ValidEnd", "krb5PasswordEnd",
-    "krb5MaxLife", "krb5MaxRenew", "krb5KDCFlags", "krb5EncryptionType",
-    "modifiersName", "modifyTimestamp", "creatorsName", "createTimestamp",
+		   hdb_entry_ex * ent);
+
+static const char *default_structural_object = "account";
+static char *structural_object;
+static krb5_boolean samba_forwardable;
+
+struct hdbldapdb {
+    LDAP *h_lp;
+    int   h_msgid;
+    char *h_base;
+    char *h_url;
+    char *h_createbase;
+};
+
+#define HDB2LDAP(db) (((struct hdbldapdb *)(db)->hdb_db)->h_lp)
+#define HDB2MSGID(db) (((struct hdbldapdb *)(db)->hdb_db)->h_msgid)
+#define HDBSETMSGID(db,msgid) \
+	do { ((struct hdbldapdb *)(db)->hdb_db)->h_msgid = msgid; } while(0)
+#define HDB2BASE(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_base)
+#define HDB2URL(dn) (((struct hdbldapdb *)(db)->hdb_db)->h_url)
+#define HDB2CREATE(db) (((struct hdbldapdb *)(db)->hdb_db)->h_createbase)
+
+/*
+ *
+ */
+
+static char * krb5kdcentry_attrs[] = { 
+    "cn",
+    "createTimestamp",
+    "creatorsName",
+    "krb5EncryptionType",
+    "krb5KDCFlags",
+    "krb5Key",
+    "krb5KeyVersionNumber",
+    "krb5MaxLife",
+    "krb5MaxRenew",
+    "krb5PasswordEnd",
+    "krb5PrincipalName",
+    "krb5PrincipalRealm",
+    "krb5ValidEnd",
+    "krb5ValidStart",
+    "modifiersName",
+    "modifyTimestamp",
+    "objectClass",
+    "sambaAcctFlags",
+    "sambaKickoffTime",
+    "sambaNTPassword",
+    "sambaPwdLastSet",
+    "sambaPwdMustChange",
+    "uid",
     NULL
 };
 
-static char *krb5principal_attrs[] =
-    { "krb5PrincipalName", "cn", "krb5PrincipalRealm",
-    "modifiersName", "modifyTimestamp", "creatorsName", "createTimestamp",
+static char *krb5principal_attrs[] = {
+    "cn",
+    "createTimestamp",
+    "creatorsName",
+    "krb5PrincipalName",
+    "krb5PrincipalRealm",
+    "modifiersName",
+    "modifyTimestamp",
+    "objectClass",
+    "uid",
     NULL
 };
 
+static int
+LDAP_no_size_limit(krb5_context context, LDAP *lp)
+{
+    int ret, limit = LDAP_NO_LIMIT;
+
+    ret = ldap_set_option(lp, LDAP_OPT_SIZELIMIT, (const void *)&limit);
+    if (ret != LDAP_SUCCESS) {
+	krb5_set_error_string(context, "ldap_set_option: %s",
+			      ldap_err2string(ret));
+	return HDB_ERR_BADVERSION;
+    }
+    return 0;
+}
+
+static int
+check_ldap(krb5_context context, HDB *db, int ret)
+{
+    switch (ret) {
+    case LDAP_SUCCESS:
+	return 0;
+    case LDAP_SERVER_DOWN:
+	LDAP_close(context, db);
+	return 1;
+    default:
+	return 1;
+    }
+}
+
 static krb5_error_code
 LDAP__setmod(LDAPMod *** modlist, int modop, const char *attribute,
-	int *pIndex)
+	     int *pIndex)
 {
     int cMods;
 
     if (*modlist == NULL) {
 	*modlist = (LDAPMod **)ber_memcalloc(1, sizeof(LDAPMod *));
-	if (*modlist == NULL) {
+	if (*modlist == NULL)
 	    return ENOMEM;
-	}
     }
 
     for (cMods = 0; (*modlist)[cMods] != NULL; cMods++) {
@@ -89,13 +168,12 @@ LDAP__setmod(LDAPMod *** modlist, int modop, const char *attribute,
 
 	*modlist = (LDAPMod **)ber_memrealloc(*modlist,
 					      (cMods + 2) * sizeof(LDAPMod *));
-	if (*modlist == NULL) {
+	if (*modlist == NULL)
 	    return ENOMEM;
-	}
+
 	(*modlist)[cMods] = (LDAPMod *)ber_memalloc(sizeof(LDAPMod));
-	if ((*modlist)[cMods] == NULL) {
+	if ((*modlist)[cMods] == NULL)
 	    return ENOMEM;
-	}
 
 	mod = (*modlist)[cMods];
 	mod->mod_op = modop;
@@ -122,39 +200,36 @@ static krb5_error_code
 LDAP_addmod_len(LDAPMod *** modlist, int modop, const char *attribute,
 		unsigned char *value, size_t len)
 {
-    int cMods, cValues = 0;
     krb5_error_code ret;
+    int cMods, i = 0;
 
     ret = LDAP__setmod(modlist, modop | LDAP_MOD_BVALUES, attribute, &cMods);
-    if (ret != 0) {
+    if (ret)
 	return ret;
-    }
 
     if (value != NULL) {
-	struct berval *bValue;
-	struct berval ***pbValues = &((*modlist)[cMods]->mod_bvalues);
+	struct berval **bv;
 
-	if (*pbValues != NULL) {
-	    for (cValues = 0; (*pbValues)[cValues] != NULL; cValues++)
+	bv = (*modlist)[cMods]->mod_bvalues;
+	if (bv != NULL) {
+	    for (i = 0; bv[i] != NULL; i++)
 		;
-	    *pbValues = (struct berval **)ber_memrealloc(*pbValues, (cValues + 2)
-							 * sizeof(struct berval *));
-	} else {
-	    *pbValues = (struct berval **)ber_memalloc(2 * sizeof(struct berval *));
-	}
-	if (*pbValues == NULL) {
+	    bv = ber_memrealloc(bv, (i + 2) * sizeof(*bv));
+	} else
+	    bv = ber_memalloc(2 * sizeof(*bv));
+	if (bv == NULL)
 	    return ENOMEM;
-	}
-	(*pbValues)[cValues] = (struct berval *)ber_memalloc(sizeof(struct berval));;
-	if ((*pbValues)[cValues] == NULL) {
+
+	(*modlist)[cMods]->mod_bvalues = bv;
+
+	bv[i] = ber_memalloc(sizeof(*bv));;
+	if (bv[i] == NULL)
 	    return ENOMEM;
-	}
 
-	bValue = (*pbValues)[cValues];
-	bValue->bv_val = value;
-	bValue->bv_len = len;
+	bv[i]->bv_val = (void *)value;
+	bv[i]->bv_len = len;
 
-	(*pbValues)[cValues + 1] = NULL;
+	bv[i + 1] = NULL;
     }
 
     return 0;
@@ -164,32 +239,33 @@ static krb5_error_code
 LDAP_addmod(LDAPMod *** modlist, int modop, const char *attribute,
 	    const char *value)
 {
-    int cMods, cValues = 0;
+    int cMods, i = 0;
     krb5_error_code ret;
 
     ret = LDAP__setmod(modlist, modop, attribute, &cMods);
-    if (ret != 0) {
+    if (ret)
 	return ret;
-    }
 
     if (value != NULL) {
-	char ***pValues = &((*modlist)[cMods]->mod_values);
+	char **bv;
 
-	if (*pValues != NULL) {
-	    for (cValues = 0; (*pValues)[cValues] != NULL; cValues++)
+	bv = (*modlist)[cMods]->mod_values;
+	if (bv != NULL) {
+	    for (i = 0; bv[i] != NULL; i++)
 		;
-	    *pValues = (char **)ber_memrealloc(*pValues, (cValues + 2) * sizeof(char *));
-	} else {
-	    *pValues = (char **)ber_memalloc(2 * sizeof(char *));
-	}
-	if (*pValues == NULL) {
+	    bv = ber_memrealloc(bv, (i + 2) * sizeof(*bv));
+	} else
+	    bv = ber_memalloc(2 * sizeof(*bv));
+	if (bv == NULL)
 	    return ENOMEM;
-	}
-	(*pValues)[cValues] = ber_strdup(value);
-	if ((*pValues)[cValues] == NULL) {
+
+	(*modlist)[cMods]->mod_values = bv;
+
+	bv[i] = ber_strdup(value);
+	if (bv[i] == NULL)
 	    return ENOMEM;
-	}
-	(*pValues)[cValues + 1] = NULL;
+
+	bv[i + 1] = NULL;
     }
 
     return 0;
@@ -210,22 +286,41 @@ LDAP_addmod_generalized_time(LDAPMod *** mods, int modop,
 }
 
 static krb5_error_code
+LDAP_addmod_integer(krb5_context context,
+		    LDAPMod *** mods, int modop,
+		    const char *attribute, unsigned long l)
+{
+    krb5_error_code ret;
+    char *buf;
+
+    ret = asprintf(&buf, "%ld", l);
+    if (ret < 0) {
+	krb5_set_error_string(context, "asprintf: out of memory:");
+	return ret;
+    }
+    ret = LDAP_addmod(mods, modop, attribute, buf);
+    free (buf);
+    return ret;
+}
+
+static krb5_error_code
 LDAP_get_string_value(HDB * db, LDAPMessage * entry,
 		      const char *attribute, char **ptr)
 {
     char **vals;
     int ret;
 
-    vals = ldap_get_values((LDAP *) db->db, entry, (char *) attribute);
+    vals = ldap_get_values(HDB2LDAP(db), entry, (char *) attribute);
     if (vals == NULL) {
+	*ptr = NULL;
 	return HDB_ERR_NOENTRY;
     }
+
     *ptr = strdup(vals[0]);
-    if (*ptr == NULL) {
+    if (*ptr == NULL)
 	ret = ENOMEM;
-    } else {
+    else
 	ret = 0;
-    }
 
     ldap_value_free(vals);
 
@@ -238,10 +333,10 @@ LDAP_get_integer_value(HDB * db, LDAPMessage * entry,
 {
     char **vals;
 
-    vals = ldap_get_values((LDAP *) db->db, entry, (char *) attribute);
-    if (vals == NULL) {
+    vals = ldap_get_values(HDB2LDAP(db), entry, (char *) attribute);
+    if (vals == NULL)
 	return HDB_ERR_NOENTRY;
-    }
+
     *ptr = atoi(vals[0]);
     ldap_value_free(vals);
     return 0;
@@ -258,9 +353,8 @@ LDAP_get_generalized_time_value(HDB * db, LDAPMessage * entry,
     *kt = 0;
 
     ret = LDAP_get_string_value(db, entry, attribute, &gentime);
-    if (ret != 0) {
+    if (ret)
 	return ret;
-    }
 
     tmp = strptime(gentime, "%Y%m%d%H%M%SZ", &tm);
     if (tmp == NULL) {
@@ -276,218 +370,337 @@ LDAP_get_generalized_time_value(HDB * db, LDAPMessage * entry,
 }
 
 static krb5_error_code
-LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry * ent,
+LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
 		LDAPMessage * msg, LDAPMod *** pmods)
 {
     krb5_error_code ret;
     krb5_boolean is_new_entry;
-    int rc, i;
     char *tmp = NULL;
     LDAPMod **mods = NULL;
-    hdb_entry orig;
+    hdb_entry_ex orig;
     unsigned long oflags, nflags;
+    int i;
+
+    krb5_boolean is_samba_account = FALSE;
+    krb5_boolean is_account = FALSE;
+    krb5_boolean is_heimdal_entry = FALSE;
+    krb5_boolean is_heimdal_principal = FALSE;
+
+    char **values;
+
+    *pmods = NULL;
 
     if (msg != NULL) {
+
 	ret = LDAP_message2entry(context, db, msg, &orig);
-	if (ret != 0) {
+	if (ret)
 	    goto out;
-	}
+
 	is_new_entry = FALSE;
-    } else {
+	    
+	values = ldap_get_values(HDB2LDAP(db), msg, "objectClass");
+	if (values) {
+	    int num_objectclasses = ldap_count_values(values);
+	    for (i=0; i < num_objectclasses; i++) {
+		if (strcasecmp(values[i], "sambaSamAccount") == 0) {
+		    is_samba_account = TRUE;
+		} else if (strcasecmp(values[i], structural_object) == 0) {
+		    is_account = TRUE;
+		} else if (strcasecmp(values[i], "krb5Principal") == 0) {
+		    is_heimdal_principal = TRUE;
+		} else if (strcasecmp(values[i], "krb5KDCEntry") == 0) {
+		    is_heimdal_entry = TRUE;
+		}
+	    }
+	    ldap_value_free(values);
+	}
+
+	/*
+	 * If this is just a "account" entry and no other objectclass
+	 * is hanging on this entry, it's really a new entry.
+	 */
+	if (is_samba_account == FALSE && is_heimdal_principal == FALSE && 
+	    is_heimdal_entry == FALSE) {
+	    if (is_account == TRUE) {
+		is_new_entry = TRUE;
+	    } else {
+		ret = HDB_ERR_NOENTRY;
+		goto out;
+	    }
+	}
+    } else
+	is_new_entry = TRUE;
+
+    if (is_new_entry) {
+
 	/* to make it perfectly obvious we're depending on
 	 * orig being intiialized to zero */
 	memset(&orig, 0, sizeof(orig));
-	is_new_entry = TRUE;
-    }
 
-    if (is_new_entry) {
 	ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "top");
-	if (ret != 0) {
-	    goto out;
-	}
-	/* person is the structural object class */
-	ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "person");
-	if (ret != 0) {
+	if (ret)
 	    goto out;
+	
+	/* account is the structural object class */
+	if (is_account == FALSE) {
+	    ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", 
+			      structural_object);
+	    is_account = TRUE;
+	    if (ret)
+		goto out;
 	}
-	ret =
-	    LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass",
-			"krb5Principal");
-	if (ret != 0) {
+
+	ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "krb5Principal");
+	is_heimdal_principal = TRUE;
+	if (ret)
 	    goto out;
-	}
-	ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass",
-			  "krb5KDCEntry");
-	if (ret != 0) {
+
+	ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "krb5KDCEntry");
+	is_heimdal_entry = TRUE;
+	if (ret)
 	    goto out;
-	}
     }
 
-    if (is_new_entry ||
-	krb5_principal_compare(context, ent->principal, orig.principal) ==
-	FALSE) {
-	ret = krb5_unparse_name(context, ent->principal, &tmp);
-	if (ret != 0) {
-	    goto out;
+    if (is_new_entry || 
+	krb5_principal_compare(context, ent->entry.principal, orig.entry.principal)
+	== FALSE)
+    {
+	if (is_heimdal_principal || is_heimdal_entry) {
+
+	    ret = krb5_unparse_name(context, ent->entry.principal, &tmp);
+	    if (ret)
+		goto out;
+
+	    ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE,
+			      "krb5PrincipalName", tmp);
+	    if (ret) {
+		free(tmp);
+		goto out;
+	    }
+	    free(tmp);
 	}
-	ret =
-	    LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5PrincipalName", tmp);
-	if (ret != 0) {
+
+	if (is_account || is_samba_account) {
+	    ret = krb5_unparse_name_short(context, ent->entry.principal, &tmp);
+	    if (ret)
+		goto out;
+	    ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "uid", tmp);
+	    if (ret) {
+		free(tmp);
+		goto out;
+	    }
 	    free(tmp);
-	    goto out;
 	}
-	free(tmp);
     }
 
-    if (ent->kvno != orig.kvno) {
-	rc = asprintf(&tmp, "%d", ent->kvno);
-	if (rc < 0) {
-	    krb5_set_error_string(context, "asprintf: out of memory");
-	    ret = ENOMEM;
-	    goto out;
-	}
-	ret =
-	    LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5KeyVersionNumber",
-			tmp);
-	free(tmp);
-	if (ret != 0) {
+    if (is_heimdal_entry && (ent->entry.kvno != orig.entry.kvno || is_new_entry)) {
+	ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
+			    "krb5KeyVersionNumber", 
+			    ent->entry.kvno);
+	if (ret)
 	    goto out;
-	}
     }
 
-    if (ent->valid_start) {
-	if (orig.valid_end == NULL
-	    || (*(ent->valid_start) != *(orig.valid_start))) {
-	    ret =
-		LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
-					     "krb5ValidStart",
-					     ent->valid_start);
-	    if (ret != 0) {
+    if (is_heimdal_entry && ent->entry.valid_start) {
+	if (orig.entry.valid_end == NULL
+	    || (*(ent->entry.valid_start) != *(orig.entry.valid_start))) {
+	    ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
+					       "krb5ValidStart",
+					       ent->entry.valid_start);
+	    if (ret)
 		goto out;
-	    }
 	}
     }
 
-    if (ent->valid_end) {
-	if (orig.valid_end == NULL
-	    || (*(ent->valid_end) != *(orig.valid_end))) {
-	    ret =
-		LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
-					     "krb5ValidEnd",
-					     ent->valid_end);
-	    if (ret != 0) {
-		goto out;
+    if (ent->entry.valid_end) {
+ 	if (orig.entry.valid_end == NULL || (*(ent->entry.valid_end) != *(orig.entry.valid_end))) {
+	    if (is_heimdal_entry) { 
+		ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
+						   "krb5ValidEnd",
+						   ent->entry.valid_end);
+		if (ret)
+		    goto out;
+            }
+	    if (is_samba_account) {
+		ret = LDAP_addmod_integer(context, &mods,  LDAP_MOD_REPLACE,
+					  "sambaKickoffTime", 
+					  *(ent->entry.valid_end));
+		if (ret)
+		    goto out;
 	    }
-	}
+   	}
     }
 
-    if (ent->pw_end) {
-	if (orig.pw_end == NULL || (*(ent->pw_end) != *(orig.pw_end))) {
-	    ret =
-		LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
-					     "krb5PasswordEnd",
-					     ent->pw_end);
-	    if (ret != 0) {
-		goto out;
+    if (ent->entry.pw_end) {
+	if (orig.entry.pw_end == NULL || (*(ent->entry.pw_end) != *(orig.entry.pw_end))) {
+	    if (is_heimdal_entry) {
+		ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
+						   "krb5PasswordEnd",
+						   ent->entry.pw_end);
+		if (ret)
+		    goto out;
 	    }
-	}
-    }
 
-    if (ent->max_life) {
-	if (orig.max_life == NULL
-	    || (*(ent->max_life) != *(orig.max_life))) {
-	    rc = asprintf(&tmp, "%d", *(ent->max_life));
-	    if (rc < 0) {
-		krb5_set_error_string(context, "asprintf: out of memory");
-		ret = ENOMEM;
-		goto out;
-	    }
-	    ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5MaxLife", tmp);
-	    free(tmp);
-	    if (ret != 0) {
-		goto out;
+	    if (is_samba_account) {
+		ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
+					  "sambaPwdMustChange", 
+					  *(ent->entry.pw_end));
+		if (ret)
+		    goto out;
 	    }
 	}
     }
 
-    if (ent->max_renew) {
-	if (orig.max_renew == NULL
-	    || (*(ent->max_renew) != *(orig.max_renew))) {
-	    rc = asprintf(&tmp, "%d", *(ent->max_renew));
-	    if (rc < 0) {
-		krb5_set_error_string(context, "asprintf: out of memory");
-		ret = ENOMEM;
-		goto out;
-	    }
-	    ret =
-		LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5MaxRenew", tmp);
-	    free(tmp);
-	    if (ret != 0) {
+
+#if 0 /* we we have last_pw_change */
+    if (is_samba_account && ent->entry.last_pw_change) {
+	if (orig.entry.last_pw_change == NULL || (*(ent->entry.last_pw_change) != *(orig.entry.last_pw_change))) {
+	    ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
+				      "sambaPwdLastSet", 
+				      *(ent->entry.last_pw_change));
+	    if (ret)
 		goto out;
-	    }
 	}
     }
+#endif
 
-    oflags = HDBFlags2int(orig.flags);
-    nflags = HDBFlags2int(ent->flags);
+    if (is_heimdal_entry && ent->entry.max_life) {
+	if (orig.entry.max_life == NULL
+	    || (*(ent->entry.max_life) != *(orig.entry.max_life))) {
 
-    if (oflags != nflags) {
-	rc = asprintf(&tmp, "%lu", nflags);
-	if (rc < 0) {
-	    krb5_set_error_string(context, "asprintf: out of memory");
-	    ret = ENOMEM;
-	    goto out;
-	}
-	ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5KDCFlags", tmp);
-	free(tmp);
-	if (ret != 0) {
-	    goto out;
+	    ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
+				      "krb5MaxLife", 
+				      *(ent->entry.max_life));
+	    if (ret)
+		goto out;
 	}
     }
 
-    if (is_new_entry == FALSE && orig.keys.len > 0) {
-	/* for the moment, clobber and replace keys. */
-	ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5Key", NULL);
-	if (ret != 0) {
-	    goto out;
+    if (is_heimdal_entry && ent->entry.max_renew) {
+	if (orig.entry.max_renew == NULL
+	    || (*(ent->entry.max_renew) != *(orig.entry.max_renew))) {
+
+	    ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
+				      "krb5MaxRenew",
+				      *(ent->entry.max_renew));
+	    if (ret)
+		goto out;
 	}
     }
 
-    for (i = 0; i < ent->keys.len; i++) {
-	unsigned char *buf;
-	size_t len;
+    oflags = HDBFlags2int(orig.entry.flags);
+    nflags = HDBFlags2int(ent->entry.flags);
 
-	ASN1_MALLOC_ENCODE(Key, buf, len, &ent->keys.val[i], &len, ret);
-	if (ret != 0)
-	    goto out;
+    if (is_heimdal_entry && oflags != nflags) {
 
-	/* addmod_len _owns_ the key, doesn't need to copy it */
-	ret = LDAP_addmod_len(&mods, LDAP_MOD_ADD, "krb5Key", buf, len);
-	if (ret != 0) {
+	ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
+				  "krb5KDCFlags",
+				  nflags);
+	if (ret)
 	    goto out;
-	}
     }
 
-    if (ent->etypes) {
-	/* clobber and replace encryption types. */
-	if (is_new_entry == FALSE) {
-	    ret =
-		LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5EncryptionType",
-			    NULL);
+    /* Remove keys if they exists, and then replace keys. */
+    if (!is_new_entry && orig.entry.keys.len > 0) {
+	values = ldap_get_values(HDB2LDAP(db), msg, "krb5Key");
+	if (values) {
+	    ldap_value_free(values);
+
+	    ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5Key", NULL);
+	    if (ret)
+		goto out;
 	}
-	for (i = 0; i < ent->etypes->len; i++) {
-	    rc = asprintf(&tmp, "%d", ent->etypes->val[i]);
-	    if (rc < 0) {
-		krb5_set_error_string(context, "asprintf: out of memory");
+    }
+
+    for (i = 0; i < ent->entry.keys.len; i++) {
+
+	if (is_samba_account
+	    && ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
+	    char *ntHexPassword;
+	    char *nt;
+		    
+	    /* the key might have been 'sealed', but samba passwords
+	       are clear in the directory */
+	    ret = hdb_unseal_key(context, db, &ent->entry.keys.val[i]);
+	    if (ret)
+		goto out;
+		    
+	    nt = ent->entry.keys.val[i].key.keyvalue.data;
+	    /* store in ntPassword, not krb5key */
+	    ret = hex_encode(nt, 16, &ntHexPassword);
+	    if (ret < 0) {
+		krb5_set_error_string(context, "hdb-ldap: failed to "
+				      "hex encode key");
 		ret = ENOMEM;
 		goto out;
 	    }
-	    free(tmp);
-	    ret =
-		LDAP_addmod(&mods, LDAP_MOD_ADD, "krb5EncryptionType",
-			    tmp);
-	    if (ret != 0) {
+	    ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "sambaNTPassword", 
+			      ntHexPassword);
+	    free(ntHexPassword);
+	    if (ret)
 		goto out;
+		    
+	    /* have to kill the LM passwod if it exists */
+	    values = ldap_get_values(HDB2LDAP(db), msg, "sambaLMPassword");
+	    if (values) {
+		ldap_value_free(values);
+		ret = LDAP_addmod(&mods, LDAP_MOD_DELETE,
+				  "sambaLMPassword", NULL);
+		if (ret)
+		    goto out;
+	    }
+		    
+	} else if (is_heimdal_entry) {
+	    unsigned char *buf;
+	    size_t len, buf_size;
+
+	    ASN1_MALLOC_ENCODE(Key, buf, buf_size, &ent->entry.keys.val[i], &len, ret);
+	    if (ret)
+		goto out;
+	    if(buf_size != len)
+		krb5_abortx(context, "internal error in ASN.1 encoder");
+
+	    /* addmod_len _owns_ the key, doesn't need to copy it */
+	    ret = LDAP_addmod_len(&mods, LDAP_MOD_ADD, "krb5Key", buf, len);
+	    if (ret)
+		goto out;
+	}
+    }
+
+    if (ent->entry.etypes) {
+	int add_krb5EncryptionType = 0;
+
+	/* 
+	 * Only add/modify krb5EncryptionType if it's a new heimdal
+	 * entry or krb5EncryptionType already exists on the entry.
+	 */
+
+	if (!is_new_entry) {
+	    values = ldap_get_values(HDB2LDAP(db), msg, "krb5EncryptionType");
+	    if (values) {
+		ldap_value_free(values);
+		ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5EncryptionType",
+				  NULL);
+		if (ret)
+		    goto out;
+		add_krb5EncryptionType = 1;
+	    }
+	} else if (is_heimdal_entry)
+	    add_krb5EncryptionType = 1;
+
+	if (add_krb5EncryptionType) {
+	    for (i = 0; i < ent->entry.etypes->len; i++) {
+		if (is_samba_account && 
+		    ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5)
+		{
+		    ;
+		} else if (is_heimdal_entry) {
+		    ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_ADD,
+					      "krb5EncryptionType",
+					      ent->entry.etypes->val[i]);
+		    if (ret)
+			goto out;
+		}
 	    }
 	}
     }
@@ -495,18 +708,17 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry * ent,
     /* for clarity */
     ret = 0;
 
-  out:
+ out:
 
-    if (ret == 0) {
+    if (ret == 0)
 	*pmods = mods;
-    } else if (mods != NULL) {
+    else if (mods != NULL) {
 	ldap_mods_free(mods, 1);
 	*pmods = NULL;
     }
 
-    if (msg != NULL) {
+    if (msg)
 	hdb_free_entry(context, &orig);
-    }
 
     return ret;
 }
@@ -516,33 +728,32 @@ LDAP_dn2principal(krb5_context context, HDB * db, const char *dn,
 		  krb5_principal * principal)
 {
     krb5_error_code ret;
-    int rc, limit = 1;
+    int rc;
+    const char *filter = "(objectClass=krb5Principal)";
     char **values;
     LDAPMessage *res = NULL, *e;
 
-    rc = ldap_set_option((LDAP *) db->db, LDAP_OPT_SIZELIMIT, (const void *)&limit);
-    if (rc != LDAP_SUCCESS) {
-	krb5_set_error_string(context, "ldap_set_option: %s", ldap_err2string(rc));
-	ret = HDB_ERR_BADVERSION;
+    ret = LDAP_no_size_limit(context, HDB2LDAP(db));
+    if (ret)
 	goto out;
-     }
 
-    rc = ldap_search_s((LDAP *) db->db, dn, LDAP_SCOPE_BASE,
-		       "(objectclass=krb5Principal)", krb5principal_attrs,
+    rc = ldap_search_s(HDB2LDAP(db), dn, LDAP_SCOPE_SUBTREE,
+		       filter, krb5principal_attrs,
 		       0, &res);
-    if (rc != LDAP_SUCCESS) {
-	krb5_set_error_string(context, "ldap_search_s: %s", ldap_err2string(rc));
+    if (check_ldap(context, db, rc)) {
+	krb5_set_error_string(context, "ldap_search_s: filter: %s error: %s",
+			      filter, ldap_err2string(rc));
 	ret = HDB_ERR_NOENTRY;
 	goto out;
     }
 
-    e = ldap_first_entry((LDAP *) db->db, res);
+    e = ldap_first_entry(HDB2LDAP(db), res);
     if (e == NULL) {
 	ret = HDB_ERR_NOENTRY;
 	goto out;
     }
 
-    values = ldap_get_values((LDAP *) db->db, e, "krb5PrincipalName");
+    values = ldap_get_values(HDB2LDAP(db), e, "krb5PrincipalName");
     if (values == NULL) {
 	ret = HDB_ERR_NOENTRY;
 	goto out;
@@ -552,70 +763,123 @@ LDAP_dn2principal(krb5_context context, HDB * db, const char *dn,
     ldap_value_free(values);
 
   out:
-    if (res != NULL) {
+    if (res)
 	ldap_msgfree(res);
-    }
+
     return ret;
 }
 
 static krb5_error_code
-LDAP__lookup_princ(krb5_context context, HDB * db, const char *princname,
-		   LDAPMessage ** msg)
+LDAP__lookup_princ(krb5_context context,
+		   HDB *db,
+		   const char *princname,
+		   const char *userid,
+		   LDAPMessage **msg)
 {
     krb5_error_code ret;
-    int rc, limit = 1;
+    int rc;
     char *filter = NULL;
 
-    (void) LDAP__connect(context, db);
+    ret = LDAP__connect(context, db);
+    if (ret)
+	return ret;
 
-    rc =
-	asprintf(&filter,
-		 "(&(objectclass=krb5KDCEntry)(krb5PrincipalName=%s))",
-		 princname);
+    rc = asprintf(&filter,
+		  "(&(objectClass=krb5Principal)(krb5PrincipalName=%s))",
+		  princname);
     if (rc < 0) {
 	krb5_set_error_string(context, "asprintf: out of memory");
 	ret = ENOMEM;
 	goto out;
     }
 
-    rc = ldap_set_option((LDAP *) db->db, LDAP_OPT_SIZELIMIT, (const void *)&limit);
-    if (rc != LDAP_SUCCESS) {
-	krb5_set_error_string(context, "ldap_set_option: %s", ldap_err2string(rc));
-	ret = HDB_ERR_BADVERSION;
+    ret = LDAP_no_size_limit(context, HDB2LDAP(db));
+    if (ret)
 	goto out;
-    }
 
-    rc = ldap_search_s((LDAP *) db->db, db->name, LDAP_SCOPE_ONELEVEL, filter, 
+    rc = ldap_search_s(HDB2LDAP(db), HDB2BASE(db), LDAP_SCOPE_SUBTREE, filter, 
 		       krb5kdcentry_attrs, 0, msg);
-    if (rc != LDAP_SUCCESS) {
-	krb5_set_error_string(context, "ldap_search_s: %s", ldap_err2string(rc));
+    if (check_ldap(context, db, rc)) {
+	krb5_set_error_string(context, "ldap_search_s: filter: %s - error: %s",
+			      filter, ldap_err2string(rc));
 	ret = HDB_ERR_NOENTRY;
 	goto out;
     }
 
+    if (userid && ldap_count_entries(HDB2LDAP(db), *msg) == 0) {
+	free(filter);
+	filter = NULL;
+	ldap_msgfree(*msg);
+	*msg = NULL;
+	
+	rc = asprintf(&filter,
+	    "(&(|(objectClass=sambaSamAccount)(objectClass=%s))(uid=%s))",
+		      structural_object, userid);
+	if (rc < 0) {
+	    krb5_set_error_string(context, "asprintf: out of memory");
+	    ret = ENOMEM;
+	    goto out;
+	}
+	    
+	ret = LDAP_no_size_limit(context, HDB2LDAP(db));
+	if (ret)
+	    goto out;
+
+	rc = ldap_search_s(HDB2LDAP(db), HDB2BASE(db), LDAP_SCOPE_SUBTREE, 
+			   filter, krb5kdcentry_attrs, 0, msg);
+	if (check_ldap(context, db, rc)) {
+	    krb5_set_error_string(context, 
+				  "ldap_search_s: filter: %s error: %s",
+				  filter, ldap_err2string(rc));
+	    ret = HDB_ERR_NOENTRY;
+	    goto out;
+	}
+    }
+
     ret = 0;
 
   out:
-    if (filter != NULL) {
+    if (filter)
 	free(filter);
-    }
+
     return ret;
 }
 
 static krb5_error_code
 LDAP_principal2message(krb5_context context, HDB * db,
-		       krb5_principal princ, LDAPMessage ** msg)
+		       krb5_const_principal princ, LDAPMessage ** msg)
 {
-    char *princname = NULL;
+    char *name, *name_short = NULL;
     krb5_error_code ret;
+    krb5_realm *r, *r0;
 
-    ret = krb5_unparse_name(context, princ, &princname);
-    if (ret != 0) {
+    *msg = NULL;
+
+    ret = krb5_unparse_name(context, princ, &name);
+    if (ret)
+	return ret;
+
+    ret = krb5_get_default_realms(context, &r0);
+    if(ret) {
+	free(name);
 	return ret;
     }
+    for (r = r0; *r != NULL; r++) {
+	if(strcmp(krb5_principal_get_realm(context, princ), *r) == 0) {
+	    ret = krb5_unparse_name_short(context, princ, &name_short);
+	    if (ret) {
+		krb5_free_host_realm(context, r0);
+		free(name);
+		return ret;
+	    }
+	    break;
+	}
+    }
+    krb5_free_host_realm(context, r0);
 
-    ret = LDAP__lookup_princ(context, db, princname, msg);
-    free(princname);
+    ret = LDAP__lookup_princ(context, db, name, name_short, msg);
+    free(name);
+    free(name_short);
 
     return ret;
 }
@@ -625,51 +889,62 @@ LDAP_principal2message(krb5_context context, HDB * db,
  */
 static krb5_error_code
 LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
-		   hdb_entry * ent)
+		   hdb_entry_ex * ent)
 {
-    char *unparsed_name = NULL, *dn = NULL;
-    int ret;
+    char *unparsed_name = NULL, *dn = NULL, *ntPasswordIN = NULL;
+    char *samba_acct_flags = NULL;
     unsigned long tmp;
     struct berval **keys;
     char **values;
+    int tmp_time, i, ret, have_arcfour = 0;
 
     memset(ent, 0, sizeof(*ent));
-    ent->flags = int2HDBFlags(0);
+    ent->entry.flags = int2HDBFlags(0);
 
-    ret =
-	LDAP_get_string_value(db, msg, "krb5PrincipalName",
-			      &unparsed_name);
-    if (ret != 0) {
-	return ret;
-    }
-
-    ret = krb5_parse_name(context, unparsed_name, &ent->principal);
-    if (ret != 0) {
-	goto out;
+    ret = LDAP_get_string_value(db, msg, "krb5PrincipalName", &unparsed_name);
+    if (ret == 0) {
+	ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal);
+	if (ret)
+	    goto out;
+    } else {
+	ret = LDAP_get_string_value(db, msg, "uid",
+				    &unparsed_name);
+	if (ret == 0) {
+	    ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal);
+	    if (ret)
+		goto out;
+	} else {
+	    krb5_set_error_string(context, "hdb-ldap: ldap entry missing"
+				  "principal name");
+	    return HDB_ERR_NOENTRY;
+	}
     }
 
-    ret =
-	LDAP_get_integer_value(db, msg, "krb5KeyVersionNumber",
-			       &ent->kvno);
-    if (ret != 0) {
-	ent->kvno = 0;
+    {
+	int integer;
+	ret = LDAP_get_integer_value(db, msg, "krb5KeyVersionNumber",
+				     &integer);
+	if (ret)
+	    ent->entry.kvno = 0;
+	else
+	    ent->entry.kvno = integer;
     }
 
-    keys = ldap_get_values_len((LDAP *) db->db, msg, "krb5Key");
+    keys = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key");
     if (keys != NULL) {
 	int i;
 	size_t l;
 
-	ent->keys.len = ldap_count_values_len(keys);
-	ent->keys.val = (Key *) calloc(ent->keys.len, sizeof(Key));
-	if (ent->keys.val == NULL) {
+	ent->entry.keys.len = ldap_count_values_len(keys);
+	ent->entry.keys.val = (Key *) calloc(ent->entry.keys.len, sizeof(Key));
+	if (ent->entry.keys.val == NULL) {
 	    krb5_set_error_string(context, "calloc: out of memory");
 	    ret = ENOMEM;
 	    goto out;
 	}
-	for (i = 0; i < ent->keys.len; i++) {
+	for (i = 0; i < ent->entry.keys.len; i++) {
 	    decode_Key((unsigned char *) keys[i]->bv_val,
-		       (size_t) keys[i]->bv_len, &ent->keys.val[i], &l);
+		       (size_t) keys[i]->bv_len, &ent->entry.keys.val[i], &l);
 	}
 	ber_bvecfree(keys);
     } else {
@@ -679,124 +954,248 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
 	 * be related to a general directory entry without creating
 	 * the keys. Hopefully it's OK.
 	 */
-	ent->keys.len = 0;
-	ent->keys.val = NULL;
+	ent->entry.keys.len = 0;
+	ent->entry.keys.val = NULL;
 #else
 	ret = HDB_ERR_NOENTRY;
 	goto out;
 #endif
     }
 
-    ret =
-	LDAP_get_generalized_time_value(db, msg, "createTimestamp",
-					&ent->created_by.time);
-    if (ret != 0) {
-	ent->created_by.time = time(NULL);
+    values = ldap_get_values(HDB2LDAP(db), msg, "krb5EncryptionType");
+    if (values != NULL) {
+	int i;
+
+	ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes)));
+	if (ent->entry.etypes == NULL) {
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    ret = ENOMEM;
+	    goto out;
+	}
+	ent->entry.etypes->len = ldap_count_values(values);
+	ent->entry.etypes->val = calloc(ent->entry.etypes->len, sizeof(int));
+	if (ent->entry.etypes->val == NULL) {
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    ret = ENOMEM;
+	    goto out;
+	}
+	for (i = 0; i < ent->entry.etypes->len; i++) {
+	    ent->entry.etypes->val[i] = atoi(values[i]);
+	}
+	ldap_value_free(values);
     }
 
-    ent->created_by.principal = NULL;
+    for (i = 0; i < ent->entry.keys.len; i++) {
+	if (ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
+	    have_arcfour = 1;
+	    break;
+	}
+    }
+
+    /* manually construct the NT (type 23) key */
+    ret = LDAP_get_string_value(db, msg, "sambaNTPassword", &ntPasswordIN);
+    if (ret == 0 && have_arcfour == 0) {
+	unsigned *etypes;
+	Key *keys;
+	int i;
+
+	keys = realloc(ent->entry.keys.val,
+		       (ent->entry.keys.len + 1) * sizeof(ent->entry.keys.val[0]));
+	if (keys == NULL) {
+	    free(ntPasswordIN);
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    ret = ENOMEM;
+	    goto out;
+	}
+	ent->entry.keys.val = keys;
+	memset(&ent->entry.keys.val[ent->entry.keys.len], 0, sizeof(Key));
+	ent->entry.keys.val[ent->entry.keys.len].key.keytype = ETYPE_ARCFOUR_HMAC_MD5;
+	ret = krb5_data_alloc (&ent->entry.keys.val[ent->entry.keys.len].key.keyvalue, 16);
+	if (ret) {
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    free(ntPasswordIN);
+	    ret = ENOMEM;
+	    goto out;
+	}
+	ret = hex_decode(ntPasswordIN,
+			 ent->entry.keys.val[ent->entry.keys.len].key.keyvalue.data, 16);
+	ent->entry.keys.len++;
+
+	if (ent->entry.etypes == NULL) {
+	    ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes)));
+	    if (ent->entry.etypes == NULL) {
+		krb5_set_error_string(context, "malloc: out of memory");
+		ret = ENOMEM;
+		goto out;
+	    }
+	    ent->entry.etypes->val = NULL;
+	    ent->entry.etypes->len = 0;
+	}
+
+	for (i = 0; i < ent->entry.etypes->len; i++)
+	    if (ent->entry.etypes->val[i] == ETYPE_ARCFOUR_HMAC_MD5)
+		break;
+	/* If there is no ARCFOUR enctype, add one */
+	if (i == ent->entry.etypes->len) {
+	    etypes = realloc(ent->entry.etypes->val, 
+			     (ent->entry.etypes->len + 1) * 
+			     sizeof(ent->entry.etypes->val[0]));
+	    if (etypes == NULL) {
+		krb5_set_error_string(context, "malloc: out of memory");
+		ret = ENOMEM;
+		goto out;			    
+	    }
+	    ent->entry.etypes->val = etypes;
+	    ent->entry.etypes->val[ent->entry.etypes->len] = 
+		ETYPE_ARCFOUR_HMAC_MD5;
+	    ent->entry.etypes->len++;
+	}
+    }
+
+    ret = LDAP_get_generalized_time_value(db, msg, "createTimestamp",
+					  &ent->entry.created_by.time);
+    if (ret)
+	ent->entry.created_by.time = time(NULL);
+
+    ent->entry.created_by.principal = NULL;
 
     ret = LDAP_get_string_value(db, msg, "creatorsName", &dn);
     if (ret == 0) {
-	if (LDAP_dn2principal(context, db, dn, &ent->created_by.principal)
+	if (LDAP_dn2principal(context, db, dn, &ent->entry.created_by.principal)
 	    != 0) {
-	    ent->created_by.principal = NULL;
+	    ent->entry.created_by.principal = NULL;
 	}
 	free(dn);
     }
 
-    ent->modified_by = (Event *) malloc(sizeof(Event));
-    if (ent->modified_by == NULL) {
+    ent->entry.modified_by = (Event *) malloc(sizeof(Event));
+    if (ent->entry.modified_by == NULL) {
 	krb5_set_error_string(context, "malloc: out of memory");
 	ret = ENOMEM;
 	goto out;
     }
-    ret =
-	LDAP_get_generalized_time_value(db, msg, "modifyTimestamp",
-					&ent->modified_by->time);
+    ret = LDAP_get_generalized_time_value(db, msg, "modifyTimestamp",
+					  &ent->entry.modified_by->time);
     if (ret == 0) {
 	ret = LDAP_get_string_value(db, msg, "modifiersName", &dn);
-	if (LDAP_dn2principal
-	    (context, db, dn, &ent->modified_by->principal) != 0) {
-	    ent->modified_by->principal = NULL;
-	}
+	if (LDAP_dn2principal(context, db, dn, &ent->entry.modified_by->principal))
+	    ent->entry.modified_by->principal = NULL;
 	free(dn);
     } else {
-	free(ent->modified_by);
-	ent->modified_by = NULL;
+	free(ent->entry.modified_by);
+	ent->entry.modified_by = NULL;
     }
 
-    if ((ent->valid_start = (KerberosTime *) malloc(sizeof(KerberosTime)))
-	== NULL) {
+    ent->entry.valid_start = malloc(sizeof(*ent->entry.valid_start));
+    if (ent->entry.valid_start == NULL) {
 	krb5_set_error_string(context, "malloc: out of memory");
 	ret = ENOMEM;
 	goto out;
     }
-    ret =
-	LDAP_get_generalized_time_value(db, msg, "krb5ValidStart",
-					ent->valid_start);
-    if (ret != 0) {
+    ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidStart",
+					  ent->entry.valid_start);
+    if (ret) {
 	/* OPTIONAL */
-	free(ent->valid_start);
-	ent->valid_start = NULL;
+	free(ent->entry.valid_start);
+	ent->entry.valid_start = NULL;
     }
-
-    if ((ent->valid_end = (KerberosTime *) malloc(sizeof(KerberosTime))) ==
-	NULL) {
+    
+    ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end));
+    if (ent->entry.valid_end == NULL) {
 	krb5_set_error_string(context, "malloc: out of memory");
 	ret = ENOMEM;
 	goto out;
     }
-    ret =
-	LDAP_get_generalized_time_value(db, msg, "krb5ValidEnd",
-					ent->valid_end);
-    if (ret != 0) {
+    ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidEnd",
+					  ent->entry.valid_end);
+    if (ret) {
 	/* OPTIONAL */
-	free(ent->valid_end);
-	ent->valid_end = NULL;
+	free(ent->entry.valid_end);
+	ent->entry.valid_end = NULL;
     }
 
-    if ((ent->pw_end = (KerberosTime *) malloc(sizeof(KerberosTime))) ==
-	NULL) {
+    ret = LDAP_get_integer_value(db, msg, "sambaKickoffTime", &tmp_time);
+    if (ret == 0) {
+ 	if (ent->entry.valid_end == NULL) {
+ 	    ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end));
+ 	    if (ent->entry.valid_end == NULL) {
+ 		krb5_set_error_string(context, "malloc: out of memory");
+ 		ret = ENOMEM;
+ 		goto out;
+ 	    }
+ 	}
+ 	*ent->entry.valid_end = tmp_time;
+    }
+
+    ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
+    if (ent->entry.pw_end == NULL) {
 	krb5_set_error_string(context, "malloc: out of memory");
 	ret = ENOMEM;
 	goto out;
     }
-    ret =
-	LDAP_get_generalized_time_value(db, msg, "krb5PasswordEnd",
-					ent->pw_end);
-    if (ret != 0) {
+    ret = LDAP_get_generalized_time_value(db, msg, "krb5PasswordEnd",
+					  ent->entry.pw_end);
+    if (ret) {
 	/* OPTIONAL */
-	free(ent->pw_end);
-	ent->pw_end = NULL;
+	free(ent->entry.pw_end);
+	ent->entry.pw_end = NULL;
     }
 
-    ent->max_life = (int *) malloc(sizeof(int));
-    if (ent->max_life == NULL) {
-	krb5_set_error_string(context, "malloc: out of memory");
-	ret = ENOMEM;
-	goto out;
-    }
-    ret = LDAP_get_integer_value(db, msg, "krb5MaxLife", ent->max_life);
-    if (ret != 0) {
-	free(ent->max_life);
-	ent->max_life = NULL;
+    ret = LDAP_get_integer_value(db, msg, "sambaPwdMustChange", &tmp_time);
+    if (ret == 0) {
+	if (ent->entry.pw_end == NULL) {
+	    ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
+	    if (ent->entry.pw_end == NULL) {
+		krb5_set_error_string(context, "malloc: out of memory");
+		ret = ENOMEM;
+		goto out;
+	    }
+	}
+	*ent->entry.pw_end = tmp_time;
     }
 
-    ent->max_renew = (int *) malloc(sizeof(int));
-    if (ent->max_renew == NULL) {
-	krb5_set_error_string(context, "malloc: out of memory");
-	ret = ENOMEM;
-	goto out;
+    /* OPTIONAL */
+    ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time);
+    if (ret == 0)
+	hdb_entry_set_pw_change_time(context, &ent->entry, tmp_time);
+
+    {
+	int max_life;
+
+	ent->entry.max_life = malloc(sizeof(*ent->entry.max_life));
+	if (ent->entry.max_life == NULL) {
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    ret = ENOMEM;
+	    goto out;
+	}
+	ret = LDAP_get_integer_value(db, msg, "krb5MaxLife", &max_life);
+	if (ret) {
+	    free(ent->entry.max_life);
+	    ent->entry.max_life = NULL;
+	} else
+	    *ent->entry.max_life = max_life;
     }
-    ret = LDAP_get_integer_value(db, msg, "krb5MaxRenew", ent->max_renew);
-    if (ret != 0) {
-	free(ent->max_renew);
-	ent->max_renew = NULL;
+
+    {
+	int max_renew;
+
+	ent->entry.max_renew = malloc(sizeof(*ent->entry.max_renew));
+	if (ent->entry.max_renew == NULL) {
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    ret = ENOMEM;
+	    goto out;
+	}
+	ret = LDAP_get_integer_value(db, msg, "krb5MaxRenew", &max_renew);
+	if (ret) {
+	    free(ent->entry.max_renew);
+	    ent->entry.max_renew = NULL;
+	} else
+	    *ent->entry.max_renew = max_renew;
     }
 
-    values = ldap_get_values((LDAP *) db->db, msg, "krb5KDCFlags");
+    values = ldap_get_values(HDB2LDAP(db), msg, "krb5KDCFlags");
     if (values != NULL) {
+	errno = 0;
 	tmp = strtoul(values[0], (char **) NULL, 10);
 	if (tmp == ULONG_MAX && errno == ERANGE) {
 	    krb5_set_error_string(context, "strtoul: could not convert flag");
@@ -806,46 +1205,109 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
     } else {
 	tmp = 0;
     }
-    ent->flags = int2HDBFlags(tmp);
 
-    values = ldap_get_values((LDAP *) db->db, msg, "krb5EncryptionType");
-    if (values != NULL) {
-	int i;
+    ent->entry.flags = int2HDBFlags(tmp);
 
-	ent->etypes = malloc(sizeof(*(ent->etypes)));
-	if (ent->etypes == NULL) {
-	    krb5_set_error_string(context, "malloc: out of memory");
-	    ret = ENOMEM;
-	    goto out;
-	}
-	ent->etypes->len = ldap_count_values(values);
-	ent->etypes->val = calloc(ent->etypes->len, sizeof(int));
-	for (i = 0; i < ent->etypes->len; i++) {
-	    ent->etypes->val[i] = atoi(values[i]);
+    /* Try and find Samba flags to put into the mix */
+    ret = LDAP_get_string_value(db, msg, "sambaAcctFlags", &samba_acct_flags);
+    if (ret == 0) {
+	/* parse the [UXW...] string:
+	       
+	   'N'    No password	 
+	   'D'    Disabled	 
+	   'H'    Homedir required	 
+	   'T'    Temp account.	 
+	   'U'    User account (normal) 	 
+	   'M'    MNS logon user account - what is this ? 	 
+	   'W'    Workstation account	 
+	   'S'    Server account 	 
+	   'L'    Locked account	 
+	   'X'    No Xpiry on password 	 
+	   'I'    Interdomain trust account	 
+	    
+	*/	 
+	    
+	int i;
+	int flags_len = strlen(samba_acct_flags);
+
+	if (flags_len < 2)
+	    goto out2;
+
+	if (samba_acct_flags[0] != '[' 
+	    || samba_acct_flags[flags_len - 1] != ']') 
+	    goto out2;
+
+	/* Allow forwarding */
+	if (samba_forwardable)
+	    ent->entry.flags.forwardable = TRUE;
+
+	for (i=0; i < flags_len; i++) {
+	    switch (samba_acct_flags[i]) {
+	    case ' ':
+	    case '[':
+	    case ']':
+		break;
+	    case 'N':
+		/* how to handle no password in kerberos? */
+		break;
+	    case 'D':
+		ent->entry.flags.invalid = TRUE;
+		break;
+	    case 'H':
+		break;
+	    case 'T':
+		/* temp duplicate */
+		ent->entry.flags.invalid = TRUE;
+		break;
+	    case 'U':
+		ent->entry.flags.client = TRUE;
+		break;
+	    case 'M':
+		break;
+	    case 'W':
+	    case 'S':
+		ent->entry.flags.server = TRUE;
+		ent->entry.flags.client = TRUE;
+		break;
+	    case 'L':
+		ent->entry.flags.invalid = TRUE;
+		break;
+	    case 'X':
+		if (ent->entry.pw_end) {
+		    free(ent->entry.pw_end);
+		    ent->entry.pw_end = NULL;
+		}
+		break;
+	    case 'I':
+		ent->entry.flags.server = TRUE;
+		ent->entry.flags.client = TRUE;
+		break;
+	    }
 	}
-	ldap_value_free(values);
+    out2:
+	free(samba_acct_flags);
     }
 
     ret = 0;
 
-  out:
-    if (unparsed_name != NULL) {
+out:
+    if (unparsed_name)
 	free(unparsed_name);
-    }
 
-    if (ret != 0) {
-	/* I don't think this frees ent itself. */
+    if (ret)
 	hdb_free_entry(context, ent);
-    }
 
     return ret;
 }
 
-static krb5_error_code LDAP_close(krb5_context context, HDB * db)
+static krb5_error_code
+LDAP_close(krb5_context context, HDB * db)
 {
-    ldap_unbind_ext((LDAP *) db->db, NULL, NULL);
-    db->db = NULL;
-
+    if (HDB2LDAP(db)) {
+	ldap_unbind_ext(HDB2LDAP(db), NULL, NULL);
+	((struct hdbldapdb *)db->hdb_db)->h_lp = NULL;
+    }
+    
     return 0;
 }
 
@@ -855,26 +1317,30 @@ LDAP_lock(krb5_context context, HDB * db, int operation)
     return 0;
 }
 
-static krb5_error_code LDAP_unlock(krb5_context context, HDB * db)
+static krb5_error_code
+LDAP_unlock(krb5_context context, HDB * db)
 {
     return 0;
 }
 
 static krb5_error_code
-LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry * entry)
+LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry_ex * entry)
 {
     int msgid, rc, parserc;
     krb5_error_code ret;
     LDAPMessage *e;
 
-    msgid = db->openp;		/* BOGUS OVERLOADING */
-    if (msgid < 0) {
+    msgid = HDB2MSGID(db);
+    if (msgid < 0)
 	return HDB_ERR_NOENTRY;
-    }
 
     do {
-	rc = ldap_result((LDAP *) db->db, msgid, LDAP_MSG_ONE, NULL, &e);
+	rc = ldap_result(HDB2LDAP(db), msgid, LDAP_MSG_ONE, NULL, &e);
 	switch (rc) {
+	case LDAP_RES_SEARCH_REFERENCE:
+	    ldap_msgfree(e);
+	    ret = 0;
+	    break;
 	case LDAP_RES_SEARCH_ENTRY:
 	    /* We have an entry. Parse it. */
 	    ret = LDAP_message2entry(context, db, e, entry);
@@ -883,33 +1349,38 @@ LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry * entry)
 	case LDAP_RES_SEARCH_RESULT:
 	    /* We're probably at the end of the results. If not, abandon. */
 	    parserc =
-		ldap_parse_result((LDAP *) db->db, e, NULL, NULL, NULL,
+		ldap_parse_result(HDB2LDAP(db), e, NULL, NULL, NULL,
 				  NULL, NULL, 1);
 	    if (parserc != LDAP_SUCCESS
 		&& parserc != LDAP_MORE_RESULTS_TO_RETURN) {
-	        krb5_set_error_string(context, "ldap_parse_result: %s", ldap_err2string(parserc));
-		ldap_abandon((LDAP *) db->db, msgid);
+	        krb5_set_error_string(context, "ldap_parse_result: %s",
+				      ldap_err2string(parserc));
+		ldap_abandon(HDB2LDAP(db), msgid);
 	    }
 	    ret = HDB_ERR_NOENTRY;
-	    db->openp = -1;
+	    HDBSETMSGID(db, -1);
+	    break;
+	case LDAP_SERVER_DOWN:
+	    ldap_msgfree(e);
+	    LDAP_close(context, db);
+	    HDBSETMSGID(db, -1);
+	    ret = ENETDOWN;
 	    break;
-	case 0:
-	case -1:
 	default:
 	    /* Some unspecified error (timeout?). Abandon. */
 	    ldap_msgfree(e);
-	    ldap_abandon((LDAP *) db->db, msgid);
+	    ldap_abandon(HDB2LDAP(db), msgid);
 	    ret = HDB_ERR_NOENTRY;
-	    db->openp = -1;
+	    HDBSETMSGID(db, -1);
 	    break;
 	}
     } while (rc == LDAP_RES_SEARCH_REFERENCE);
 
     if (ret == 0) {
-	if (db->master_key_set && (flags & HDB_F_DECRYPT)) {
-	    ret = hdb_unseal_keys(context, db, entry);
+	if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
+	    ret = hdb_unseal_keys(context, db, &entry->entry);
 	    if (ret)
-		hdb_free_entry(context,entry);
+		hdb_free_entry(context, entry);
 	}
     }
 
@@ -917,45 +1388,41 @@ LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry * entry)
 }
 
 static krb5_error_code
-LDAP_firstkey(krb5_context context, HDB * db, unsigned flags,
-	      hdb_entry * entry)
+LDAP_firstkey(krb5_context context, HDB *db, unsigned flags,
+	      hdb_entry_ex *entry)
 {
-    int msgid, limit = LDAP_NO_LIMIT, rc;
+    krb5_error_code ret;
+    int msgid;
 
-    (void) LDAP__connect(context, db);
+    ret = LDAP__connect(context, db);
+    if (ret)
+	return ret;
 
-    rc = ldap_set_option((LDAP *) db->db, LDAP_OPT_SIZELIMIT, (const void *)&limit);
-    if (rc != LDAP_SUCCESS) {
-	krb5_set_error_string(context, "ldap_set_option: %s", ldap_err2string(rc));
-	return HDB_ERR_BADVERSION;
-    }
+    ret = LDAP_no_size_limit(context, HDB2LDAP(db));
+    if (ret)
+	return ret;
 
-    msgid = ldap_search((LDAP *) db->db, db->name,
-			LDAP_SCOPE_ONELEVEL, "(objectclass=krb5KDCEntry)",
+    msgid = ldap_search(HDB2LDAP(db), HDB2BASE(db),
+			LDAP_SCOPE_SUBTREE,
+			"(|(objectClass=krb5Principal)(objectClass=sambaSamAccount))",
 			krb5kdcentry_attrs, 0);
-    if (msgid < 0) {
+    if (msgid < 0)
 	return HDB_ERR_NOENTRY;
-    }
 
-    db->openp = msgid;
+    HDBSETMSGID(db, msgid);
 
     return LDAP_seq(context, db, flags, entry);
 }
 
 static krb5_error_code
 LDAP_nextkey(krb5_context context, HDB * db, unsigned flags,
-	     hdb_entry * entry)
+	     hdb_entry_ex * entry)
 {
     return LDAP_seq(context, db, flags, entry);
 }
 
 static krb5_error_code
-LDAP_rename(krb5_context context, HDB * db, const char *new_name)
-{
-    return HDB_ERR_DB_INUSE;
-}
-
-static krb5_error_code LDAP__connect(krb5_context context, HDB * db)
+LDAP__connect(krb5_context context, HDB * db)
 {
     int rc, version = LDAP_VERSION3;
     /*
@@ -966,43 +1433,44 @@ static krb5_error_code LDAP__connect(krb5_context context, HDB * db)
      */
     struct berval bv = { 0, "" };
 
-    if (db->db != NULL) {
+    if (HDB2LDAP(db)) {
 	/* connection has been opened. ping server. */
 	struct sockaddr_un addr;
-	socklen_t len;
+	socklen_t len = sizeof(addr);
 	int sd;
 
-	if (ldap_get_option((LDAP *) db->db, LDAP_OPT_DESC, &sd) == 0 &&
+	if (ldap_get_option(HDB2LDAP(db), LDAP_OPT_DESC, &sd) == 0 &&
 	    getpeername(sd, (struct sockaddr *) &addr, &len) < 0) {
 	    /* the other end has died. reopen. */
 	    LDAP_close(context, db);
 	}
     }
 
-    if (db->db != NULL) {
-	/* server is UP */
+    if (HDB2LDAP(db) != NULL) /* server is UP */
 	return 0;
-    }
 
-    rc = ldap_initialize((LDAP **) & db->db, "ldapi:///");
+    rc = ldap_initialize(&((struct hdbldapdb *)db->hdb_db)->h_lp, HDB2URL(db));
     if (rc != LDAP_SUCCESS) {
-	krb5_set_error_string(context, "ldap_initialize: %s", ldap_err2string(rc));
+	krb5_set_error_string(context, "ldap_initialize: %s", 
+			      ldap_err2string(rc));
 	return HDB_ERR_NOENTRY;
     }
 
-    rc = ldap_set_option((LDAP *) db->db, LDAP_OPT_PROTOCOL_VERSION, (const void *)&version);
+    rc = ldap_set_option(HDB2LDAP(db), LDAP_OPT_PROTOCOL_VERSION,
+			 (const void *)&version);
     if (rc != LDAP_SUCCESS) {
-	krb5_set_error_string(context, "ldap_set_option: %s", ldap_err2string(rc));
-	ldap_unbind_ext((LDAP *) db->db, NULL, NULL);
-	db->db = NULL;
+	krb5_set_error_string(context, "ldap_set_option: %s",
+			      ldap_err2string(rc));
+	LDAP_close(context, db);
 	return HDB_ERR_BADVERSION;
     }
 
-    rc = ldap_sasl_bind_s((LDAP *) db->db, NULL, "EXTERNAL", &bv, NULL, NULL, NULL);
+    rc = ldap_sasl_bind_s(HDB2LDAP(db), NULL, "EXTERNAL", &bv,
+			  NULL, NULL, NULL);
     if (rc != LDAP_SUCCESS) {
-	krb5_set_error_string(context, "ldap_sasl_bind_s: %s", ldap_err2string(rc));
-	ldap_unbind_ext((LDAP *) db->db, NULL, NULL);
-	db->db = NULL;
+	krb5_set_error_string(context, "ldap_sasl_bind_s: %s",
+			      ldap_err2string(rc));
+	LDAP_close(context, db);
 	return HDB_ERR_BADVERSION;
     }
 
@@ -1029,18 +1497,17 @@ LDAP_open(krb5_context context, HDB * db, int flags, mode_t mode)
 }
 
 static krb5_error_code
-LDAP_fetch(krb5_context context, HDB * db, unsigned flags,
-	   hdb_entry * entry)
+LDAP_fetch(krb5_context context, HDB * db, krb5_const_principal principal,
+	   unsigned flags, hdb_entry_ex * entry)
 {
     LDAPMessage *msg, *e;
     krb5_error_code ret;
 
-    ret = LDAP_principal2message(context, db, entry->principal, &msg);
-    if (ret != 0) {
+    ret = LDAP_principal2message(context, db, principal, &msg);
+    if (ret)
 	return ret;
-    }
 
-    e = ldap_first_entry((LDAP *) db->db, msg);
+    e = ldap_first_entry(HDB2LDAP(db), msg);
     if (e == NULL) {
 	ret = HDB_ERR_NOENTRY;
 	goto out;
@@ -1048,10 +1515,10 @@ LDAP_fetch(krb5_context context, HDB * db, unsigned flags,
 
     ret = LDAP_message2entry(context, db, e, entry);
     if (ret == 0) {
-	if (db->master_key_set && (flags & HDB_F_DECRYPT)) {
-	    ret = hdb_unseal_keys(context, db, entry);
+	if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
+	    ret = hdb_unseal_keys(context, db, &entry->entry);
 	    if (ret)
-		hdb_free_entry(context,entry);
+		hdb_free_entry(context, entry);
 	}
     }
 
@@ -1063,7 +1530,7 @@ LDAP_fetch(krb5_context context, HDB * db, unsigned flags,
 
 static krb5_error_code
 LDAP_store(krb5_context context, HDB * db, unsigned flags,
-	   hdb_entry * entry)
+	   hdb_entry_ex * entry)
 {
     LDAPMod **mods = NULL;
     krb5_error_code ret;
@@ -1072,60 +1539,27 @@ LDAP_store(krb5_context context, HDB * db, unsigned flags,
     LDAPMessage *msg = NULL, *e = NULL;
     char *dn = NULL, *name = NULL;
 
-    ret = krb5_unparse_name(context, entry->principal, &name);
-    if (ret != 0) {
-	goto out;
-    }
+    ret = LDAP_principal2message(context, db, entry->entry.principal, &msg);
+    if (ret == 0)
+	e = ldap_first_entry(HDB2LDAP(db), msg);
 
-    ret = LDAP__lookup_princ(context, db, name, &msg);
-    if (ret == 0) {
-	e = ldap_first_entry((LDAP *) db->db, msg);
+    ret = krb5_unparse_name(context, entry->entry.principal, &name);
+    if (ret) {
+	free(name);
+	return ret;
     }
 
-    ret = hdb_seal_keys(context, db, entry);
-    if (ret != 0) {
+    ret = hdb_seal_keys(context, db, &entry->entry);
+    if (ret)
 	goto out;
-    }
 
     /* turn new entry into LDAPMod array */
     ret = LDAP_entry2mods(context, db, entry, e, &mods);
-    if (ret != 0) {
+    if (ret)
 	goto out;
-    }
 
     if (e == NULL) {
-	/* Doesn't exist yet. */
-	char *p;
-
-	e = NULL;
-
-	/* normalize the naming attribute */
-	for (p = name; *p != '\0'; p++) {
-	    *p = (char) tolower((int) *p);
-	}
-
-	/*
-	 * We could do getpwnam() on the local component of
-	 * the principal to find cn/sn but that's probably
-	 * bad thing to do from inside a KDC. Better leave
-	 * it to management tools.
-	 */
-	ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "cn", name);
-	if (ret < 0) {
-	    goto out;
-	}
-
-	ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "sn", name);
-	if (ret < 0) {
-	    goto out;
-	}
-
-	if (db->name != NULL) {
-	    ret = asprintf(&dn, "cn=%s,%s", name, db->name);
-	} else {
-	    /* A bit bogus, but we don't have a search base */
-	    ret = asprintf(&dn, "cn=%s", name);
-	}
+	ret = asprintf(&dn, "krb5PrincipalName=%s,%s", name, HDB2CREATE(db));
 	if (ret < 0) {
 	    krb5_set_error_string(context, "asprintf: out of memory");
 	    ret = ENOMEM;
@@ -1133,7 +1567,7 @@ LDAP_store(krb5_context context, HDB * db, unsigned flags,
 	}
     } else if (flags & HDB_F_REPLACE) {
 	/* Entry exists, and we're allowed to replace it. */
-	dn = ldap_get_dn((LDAP *) db->db, e);
+	dn = ldap_get_dn(HDB2LDAP(db), e);
     } else {
 	/* Entry exists, but we're not allowed to replace it. Bail. */
 	ret = HDB_ERR_EXISTS;
@@ -1143,182 +1577,253 @@ LDAP_store(krb5_context context, HDB * db, unsigned flags,
     /* write entry into directory */
     if (e == NULL) {
 	/* didn't exist before */
-	rc = ldap_add_s((LDAP *) db->db, dn, mods);
+	rc = ldap_add_s(HDB2LDAP(db), dn, mods);
 	errfn = "ldap_add_s";
     } else {
 	/* already existed, send deltas only */
-	rc = ldap_modify_s((LDAP *) db->db, dn, mods);
+	rc = ldap_modify_s(HDB2LDAP(db), dn, mods);
 	errfn = "ldap_modify_s";
     }
 
-    if (rc == LDAP_SUCCESS) {
-	ret = 0;
-    } else {
-	krb5_set_error_string(context, "%s: %s (dn=%s) %s", 
-			      errfn, name, dn, ldap_err2string(rc));
+    if (check_ldap(context, db, rc)) {
+	char *ld_error = NULL;
+	ldap_get_option(HDB2LDAP(db), LDAP_OPT_ERROR_STRING,
+			&ld_error);
+	krb5_set_error_string(context, "%s: %s (DN=%s) %s: %s", 
+			      errfn, name, dn, ldap_err2string(rc), ld_error);
 	ret = HDB_ERR_CANT_LOCK_DB;
-    }
+    } else
+	ret = 0;
 
   out:
     /* free stuff */
-    if (dn != NULL) {
+    if (dn)
 	free(dn);
-    }
-
-    if (msg != NULL) {
+    if (msg)
 	ldap_msgfree(msg);
-    }
-
-    if (mods != NULL) {
+    if (mods)
 	ldap_mods_free(mods, 1);
-    }
-
-    if (name != NULL) {
+    if (name)
 	free(name);
-    }
 
     return ret;
 }
 
 static krb5_error_code
-LDAP_remove(krb5_context context, HDB * db, hdb_entry * entry)
+LDAP_remove(krb5_context context, HDB *db, krb5_const_principal principal)
 {
     krb5_error_code ret;
     LDAPMessage *msg, *e;
     char *dn = NULL;
     int rc, limit = LDAP_NO_LIMIT;
 
-    ret = LDAP_principal2message(context, db, entry->principal, &msg);
-    if (ret != 0) {
+    ret = LDAP_principal2message(context, db, principal, &msg);
+    if (ret)
 	goto out;
-    }
 
-    e = ldap_first_entry((LDAP *) db->db, msg);
+    e = ldap_first_entry(HDB2LDAP(db), msg);
     if (e == NULL) {
 	ret = HDB_ERR_NOENTRY;
 	goto out;
     }
 
-    dn = ldap_get_dn((LDAP *) db->db, e);
+    dn = ldap_get_dn(HDB2LDAP(db), e);
     if (dn == NULL) {
 	ret = HDB_ERR_NOENTRY;
 	goto out;
     }
 
-    rc = ldap_set_option((LDAP *) db->db, LDAP_OPT_SIZELIMIT, (const void *)&limit);
+    rc = ldap_set_option(HDB2LDAP(db), LDAP_OPT_SIZELIMIT, (const void *)&limit);
     if (rc != LDAP_SUCCESS) {
-	krb5_set_error_string(context, "ldap_set_option: %s", ldap_err2string(rc));
+	krb5_set_error_string(context, "ldap_set_option: %s",
+			      ldap_err2string(rc));
 	ret = HDB_ERR_BADVERSION;
 	goto out;
     }
 
-    rc = ldap_delete_s((LDAP *) db->db, dn);
-    if (rc == LDAP_SUCCESS) {
-	ret = 0;
-    } else {
-	krb5_set_error_string(context, "ldap_delete_s: %s", ldap_err2string(rc));
+    rc = ldap_delete_s(HDB2LDAP(db), dn);
+    if (check_ldap(context, db, rc)) {
+	krb5_set_error_string(context, "ldap_delete_s: %s", 
+			      ldap_err2string(rc));
 	ret = HDB_ERR_CANT_LOCK_DB;
-    }
+    } else
+	ret = 0;
 
   out:
-    if (dn != NULL) {
+    if (dn != NULL)
 	free(dn);
-    }
-
-    if (msg != NULL) {
+    if (msg != NULL)
 	ldap_msgfree(msg);
-    }
 
     return ret;
 }
 
 static krb5_error_code
-LDAP__get(krb5_context context, HDB * db, krb5_data key, krb5_data * reply)
-{
-    fprintf(stderr, "LDAP__get not implemented\n");
-    abort();
-    return 0;
-}
-
-static krb5_error_code
-LDAP__put(krb5_context context, HDB * db, int replace,
-	  krb5_data key, krb5_data value)
-{
-    fprintf(stderr, "LDAP__put not implemented\n");
-    abort();
-    return 0;
-}
-
-static krb5_error_code
-LDAP__del(krb5_context context, HDB * db, krb5_data key)
-{
-    fprintf(stderr, "LDAP__del not implemented\n");
-    abort();
-    return 0;
-}
-
-static krb5_error_code LDAP_destroy(krb5_context context, HDB * db)
+LDAP_destroy(krb5_context context, HDB * db)
 {
     krb5_error_code ret;
 
+    LDAP_close(context, db);
+
     ret = hdb_clear_master_key(context, db);
-    if (db->name != NULL) {
-	free(db->name);
-    }
+    if (HDB2BASE(db))
+	free(HDB2BASE(db));
+    if (HDB2CREATE(db))
+	free(HDB2CREATE(db));
+    if (HDB2URL(db))
+	free(HDB2URL(db));
+    if (db->hdb_name)
+	free(db->hdb_name);
+    free(db->hdb_db);
     free(db);
 
     return ret;
 }
 
 krb5_error_code
-hdb_ldap_create(krb5_context context, HDB ** db, const char *arg)
+hdb_ldap_common(krb5_context context,
+		HDB ** db,
+		const char *search_base,
+		const char *url)
 {
-    *db = malloc(sizeof(**db));
+    struct hdbldapdb *h;
+    const char *create_base = NULL;
+
+    if (search_base == NULL && search_base[0] == '\0') {
+	krb5_set_error_string(context, "ldap search base not configured");
+	return ENOMEM; /* XXX */
+    }
+
+    if (structural_object == NULL) {
+	const char *p;
+
+	p = krb5_config_get_string(context, NULL, "kdc", 
+				   "hdb-ldap-structural-object", NULL);
+	if (p == NULL)
+	    p = default_structural_object;
+	structural_object = strdup(p);
+	if (structural_object == NULL) {
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    return ENOMEM;
+	}
+    }
+
+    samba_forwardable = 
+	krb5_config_get_bool_default(context, NULL, TRUE,
+				     "kdc", "hdb-samba-forwardable", NULL);
+
+    *db = calloc(1, sizeof(**db));
     if (*db == NULL) {
 	krb5_set_error_string(context, "malloc: out of memory");
 	return ENOMEM;
     }
+    memset(*db, 0, sizeof(**db));
 
-    (*db)->db = NULL;
+    h = calloc(1, sizeof(*h));
+    if (h == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	free(*db);
+	*db = NULL;
+	return ENOMEM;
+    }
+    (*db)->hdb_db = h;
 
-    if (arg == NULL || arg[0] == '\0') {
-	/*
-	 * if no argument specified in the configuration file
-	 * then use NULL, which tells OpenLDAP to look in
-	 * the ldap.conf file. This doesn't work for
-	 * writing entries because we don't know where to
-	 * put new principals.
-	 */
-	(*db)->name = NULL;
-    } else {
-	(*db)->name = strdup(arg); 
-	if ((*db)->name == NULL) {
-	    krb5_set_error_string(context, "strdup: out of memory");
-	    free(*db);
-	    *db = NULL;
-	    return ENOMEM;
-	}
+    /* XXX */
+    if (asprintf(&(*db)->hdb_name, "ldap:%s", search_base) == -1) {
+	LDAP_destroy(context, *db);
+	krb5_set_error_string(context, "strdup: out of memory");
+	*db = NULL;
+	return ENOMEM;
+    }
+
+    h->h_url = strdup(url);
+    h->h_base = strdup(search_base);
+    if (h->h_url == NULL || h->h_base == NULL) {
+	LDAP_destroy(context, *db);
+	krb5_set_error_string(context, "strdup: out of memory");
+	*db = NULL;
+	return ENOMEM;
     }
 
-    (*db)->master_key_set = 0;
-    (*db)->openp = 0;
-    (*db)->open = LDAP_open;
-    (*db)->close = LDAP_close;
-    (*db)->fetch = LDAP_fetch;
-    (*db)->store = LDAP_store;
-    (*db)->remove = LDAP_remove;
-    (*db)->firstkey = LDAP_firstkey;
-    (*db)->nextkey = LDAP_nextkey;
-    (*db)->lock = LDAP_lock;
-    (*db)->unlock = LDAP_unlock;
-    (*db)->rename = LDAP_rename;
-    /* can we ditch these? */
-    (*db)->_get = LDAP__get;
-    (*db)->_put = LDAP__put;
-    (*db)->_del = LDAP__del;
-    (*db)->destroy = LDAP_destroy;
+    create_base = krb5_config_get_string(context, NULL, "kdc", 
+					 "hdb-ldap-create-base", NULL);
+    if (create_base == NULL)
+	create_base = h->h_base;
+
+    h->h_createbase = strdup(create_base);
+    if (h->h_createbase == NULL) {
+	LDAP_destroy(context, *db);
+	krb5_set_error_string(context, "strdup: out of memory");
+	*db = NULL;
+	return ENOMEM;
+    }
+
+    (*db)->hdb_master_key_set = 0;
+    (*db)->hdb_openp = 0;
+    (*db)->hdb_open = LDAP_open;
+    (*db)->hdb_close = LDAP_close;
+    (*db)->hdb_fetch = LDAP_fetch;
+    (*db)->hdb_store = LDAP_store;
+    (*db)->hdb_remove = LDAP_remove;
+    (*db)->hdb_firstkey = LDAP_firstkey;
+    (*db)->hdb_nextkey = LDAP_nextkey;
+    (*db)->hdb_lock = LDAP_lock;
+    (*db)->hdb_unlock = LDAP_unlock;
+    (*db)->hdb_rename = NULL;
+    (*db)->hdb__get = NULL;
+    (*db)->hdb__put = NULL;
+    (*db)->hdb__del = NULL;
+    (*db)->hdb_destroy = LDAP_destroy;
 
     return 0;
 }
 
+krb5_error_code
+hdb_ldap_create(krb5_context context, HDB ** db, const char *arg)
+{
+    return hdb_ldap_common(context, db, arg, "ldapi:///");
+}
+
+krb5_error_code
+hdb_ldapi_create(krb5_context context, HDB ** db, const char *arg)
+{
+    krb5_error_code ret;
+    char *search_base, *p;
+
+    asprintf(&p, "ldapi:%s", arg);
+    if (p == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	*db = NULL;
+	return ENOMEM;
+    }
+    search_base = strchr(p + strlen("ldapi://"), ':');
+    if (search_base == NULL) {
+	krb5_set_error_string(context, "search base missing");
+	*db = NULL;
+	return HDB_ERR_BADVERSION;
+    }
+    *search_base = '\0';
+    search_base++;
+
+    ret = hdb_ldap_common(context, db, search_base, p);
+    free(p);
+    return ret;
+}
+
+#ifdef OPENLDAP_MODULE
+
+struct hdb_so_method hdb_ldap_interface = {
+    HDB_INTERFACE_VERSION,
+    "ldap",
+    hdb_ldap_create
+};
+
+struct hdb_so_method hdb_ldapi_interface = {
+    HDB_INTERFACE_VERSION,
+    "ldapi",
+    hdb_ldapi_create
+};
+
+#endif
+
 #endif				/* OPENLDAP */
diff --git a/crypto/heimdal/lib/hdb/hdb-private.h b/crypto/heimdal/lib/hdb/hdb-private.h
index a47de70..5147d8b 100644
--- a/crypto/heimdal/lib/hdb/hdb-private.h
+++ b/crypto/heimdal/lib/hdb/hdb-private.h
@@ -8,20 +8,47 @@ krb5_error_code
 _hdb_fetch (
 	krb5_context /*context*/,
 	HDB */*db*/,
+	krb5_const_principal /*principal*/,
 	unsigned /*flags*/,
-	hdb_entry */*entry*/);
+	hdb_entry_ex */*entry*/);
+
+hdb_master_key
+_hdb_find_master_key (
+	uint32_t */*mkvno*/,
+	hdb_master_key /*mkey*/);
+
+int
+_hdb_mkey_decrypt (
+	krb5_context /*context*/,
+	hdb_master_key /*key*/,
+	krb5_key_usage /*usage*/,
+	void */*ptr*/,
+	size_t /*size*/,
+	krb5_data */*res*/);
+
+int
+_hdb_mkey_encrypt (
+	krb5_context /*context*/,
+	hdb_master_key /*key*/,
+	krb5_key_usage /*usage*/,
+	const void */*ptr*/,
+	size_t /*size*/,
+	krb5_data */*res*/);
+
+int
+_hdb_mkey_version (hdb_master_key /*mkey*/);
 
 krb5_error_code
 _hdb_remove (
 	krb5_context /*context*/,
 	HDB */*db*/,
-	hdb_entry */*entry*/);
+	krb5_const_principal /*principal*/);
 
 krb5_error_code
 _hdb_store (
 	krb5_context /*context*/,
 	HDB */*db*/,
 	unsigned /*flags*/,
-	hdb_entry */*entry*/);
+	hdb_entry_ex */*entry*/);
 
 #endif /* __hdb_private_h__ */
diff --git a/crypto/heimdal/lib/hdb/hdb-protos.h b/crypto/heimdal/lib/hdb/hdb-protos.h
index ce85fcb..4c3d3eb 100644
--- a/crypto/heimdal/lib/hdb/hdb-protos.h
+++ b/crypto/heimdal/lib/hdb/hdb-protos.h
@@ -4,6 +4,10 @@
 
 #include <stdarg.h>
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 krb5_error_code
 hdb_add_master_key (
 	krb5_context /*context*/,
@@ -16,6 +20,12 @@ hdb_check_db_format (
 	HDB */*db*/);
 
 krb5_error_code
+hdb_clear_extension (
+	krb5_context /*context*/,
+	hdb_entry */*entry*/,
+	int /*type*/);
+
+krb5_error_code
 hdb_clear_master_key (
 	krb5_context /*context*/,
 	HDB */*db*/);
@@ -32,6 +42,52 @@ hdb_db_create (
 	HDB **/*db*/,
 	const char */*filename*/);
 
+const char *
+hdb_db_dir (krb5_context /*context*/);
+
+const char *
+hdb_dbinfo_get_acl_file (
+	krb5_context /*context*/,
+	struct hdb_dbinfo */*dbp*/);
+
+const krb5_config_binding *
+hdb_dbinfo_get_binding (
+	krb5_context /*context*/,
+	struct hdb_dbinfo */*dbp*/);
+
+const char *
+hdb_dbinfo_get_dbname (
+	krb5_context /*context*/,
+	struct hdb_dbinfo */*dbp*/);
+
+const char *
+hdb_dbinfo_get_label (
+	krb5_context /*context*/,
+	struct hdb_dbinfo */*dbp*/);
+
+const char *
+hdb_dbinfo_get_log_file (
+	krb5_context /*context*/,
+	struct hdb_dbinfo */*dbp*/);
+
+const char *
+hdb_dbinfo_get_mkey_file (
+	krb5_context /*context*/,
+	struct hdb_dbinfo */*dbp*/);
+
+struct hdb_dbinfo *
+hdb_dbinfo_get_next (
+	struct hdb_dbinfo */*dbp*/,
+	struct hdb_dbinfo */*dbprevp*/);
+
+const char *
+hdb_dbinfo_get_realm (
+	krb5_context /*context*/,
+	struct hdb_dbinfo */*dbp*/);
+
+const char *
+hdb_default_db (krb5_context /*context*/);
+
 krb5_error_code
 hdb_enctype2key (
 	krb5_context /*context*/,
@@ -48,9 +104,75 @@ hdb_entry2string (
 int
 hdb_entry2value (
 	krb5_context /*context*/,
-	hdb_entry */*ent*/,
+	const hdb_entry */*ent*/,
 	krb5_data */*value*/);
 
+int
+hdb_entry_alias2value (
+	krb5_context /*context*/,
+	const hdb_entry_alias */*alias*/,
+	krb5_data */*value*/);
+
+krb5_error_code
+hdb_entry_check_mandatory (
+	krb5_context /*context*/,
+	const hdb_entry */*ent*/);
+
+int
+hdb_entry_clear_password (
+	krb5_context /*context*/,
+	hdb_entry */*entry*/);
+
+krb5_error_code
+hdb_entry_get_ConstrainedDelegACL (
+	const hdb_entry */*entry*/,
+	const HDB_Ext_Constrained_delegation_acl **/*a*/);
+
+krb5_error_code
+hdb_entry_get_aliases (
+	const hdb_entry */*entry*/,
+	const HDB_Ext_Aliases **/*a*/);
+
+int
+hdb_entry_get_password (
+	krb5_context /*context*/,
+	HDB */*db*/,
+	const hdb_entry */*entry*/,
+	char **/*p*/);
+
+krb5_error_code
+hdb_entry_get_pkinit_acl (
+	const hdb_entry */*entry*/,
+	const HDB_Ext_PKINIT_acl **/*a*/);
+
+krb5_error_code
+hdb_entry_get_pkinit_hash (
+	const hdb_entry */*entry*/,
+	const HDB_Ext_PKINIT_hash **/*a*/);
+
+krb5_error_code
+hdb_entry_get_pw_change_time (
+	const hdb_entry */*entry*/,
+	time_t */*t*/);
+
+int
+hdb_entry_set_password (
+	krb5_context /*context*/,
+	HDB */*db*/,
+	hdb_entry */*entry*/,
+	const char */*p*/);
+
+krb5_error_code
+hdb_entry_set_pw_change_time (
+	krb5_context /*context*/,
+	hdb_entry */*entry*/,
+	time_t /*t*/);
+
+HDB_extension *
+hdb_find_extension (
+	const hdb_entry */*entry*/,
+	int /*type*/);
+
 krb5_error_code
 hdb_foreach (
 	krb5_context /*context*/,
@@ -60,19 +182,51 @@ hdb_foreach (
 	void */*data*/);
 
 void
+hdb_free_dbinfo (
+	krb5_context /*context*/,
+	struct hdb_dbinfo **/*dbp*/);
+
+void
 hdb_free_entry (
 	krb5_context /*context*/,
-	hdb_entry */*ent*/);
+	hdb_entry_ex */*ent*/);
 
 void
 hdb_free_key (Key */*key*/);
 
 void
+hdb_free_keys (
+	krb5_context /*context*/,
+	int /*len*/,
+	Key */*keys*/);
+
+void
 hdb_free_master_key (
 	krb5_context /*context*/,
 	hdb_master_key /*mkey*/);
 
 krb5_error_code
+hdb_generate_key_set (
+	krb5_context /*context*/,
+	krb5_principal /*principal*/,
+	Key **/*ret_key_set*/,
+	size_t */*nkeyset*/,
+	int /*no_salt*/);
+
+krb5_error_code
+hdb_generate_key_set_password (
+	krb5_context /*context*/,
+	krb5_principal /*principal*/,
+	const char */*password*/,
+	Key **/*keys*/,
+	size_t */*num_keys*/);
+
+int
+hdb_get_dbinfo (
+	krb5_context /*context*/,
+	struct hdb_dbinfo **/*dbp*/);
+
+krb5_error_code
 hdb_init_db (
 	krb5_context /*context*/,
 	HDB */*db*/);
@@ -84,12 +238,30 @@ hdb_key2principal (
 	krb5_principal /*p*/);
 
 krb5_error_code
+hdb_ldap_common (
+	krb5_context /*context*/,
+	HDB ** /*db*/,
+	const char */*search_base*/,
+	const char */*url*/);
+
+krb5_error_code
 hdb_ldap_create (
 	krb5_context /*context*/,
 	HDB ** /*db*/,
 	const char */*arg*/);
 
 krb5_error_code
+hdb_ldapi_create (
+	krb5_context /*context*/,
+	HDB ** /*db*/,
+	const char */*arg*/);
+
+krb5_error_code
+hdb_list_builtin (
+	krb5_context /*context*/,
+	char **/*list*/);
+
+krb5_error_code
 hdb_lock (
 	int /*fd*/,
 	int /*operation*/);
@@ -110,14 +282,14 @@ hdb_next_enctype2key (
 int
 hdb_principal2key (
 	krb5_context /*context*/,
-	krb5_principal /*p*/,
+	krb5_const_principal /*p*/,
 	krb5_data */*key*/);
 
 krb5_error_code
 hdb_print_entry (
 	krb5_context /*context*/,
 	HDB */*db*/,
-	hdb_entry */*entry*/,
+	hdb_entry_ex */*entry*/,
 	void */*data*/);
 
 krb5_error_code
@@ -135,6 +307,24 @@ hdb_read_master_key (
 	hdb_master_key */*mkey*/);
 
 krb5_error_code
+hdb_replace_extension (
+	krb5_context /*context*/,
+	hdb_entry */*entry*/,
+	const HDB_extension */*ext*/);
+
+krb5_error_code
+hdb_seal_key (
+	krb5_context /*context*/,
+	HDB */*db*/,
+	Key */*k*/);
+
+krb5_error_code
+hdb_seal_key_mkey (
+	krb5_context /*context*/,
+	Key */*k*/,
+	hdb_master_key /*mkey*/);
+
+krb5_error_code
 hdb_seal_keys (
 	krb5_context /*context*/,
 	HDB */*db*/,
@@ -162,6 +352,18 @@ krb5_error_code
 hdb_unlock (int /*fd*/);
 
 krb5_error_code
+hdb_unseal_key (
+	krb5_context /*context*/,
+	HDB */*db*/,
+	Key */*k*/);
+
+krb5_error_code
+hdb_unseal_key_mkey (
+	krb5_context /*context*/,
+	Key */*k*/,
+	hdb_master_key /*mkey*/);
+
+krb5_error_code
 hdb_unseal_keys (
 	krb5_context /*context*/,
 	HDB */*db*/,
@@ -179,10 +381,20 @@ hdb_value2entry (
 	krb5_data */*value*/,
 	hdb_entry */*ent*/);
 
+int
+hdb_value2entry_alias (
+	krb5_context /*context*/,
+	krb5_data */*value*/,
+	hdb_entry_alias */*ent*/);
+
 krb5_error_code
 hdb_write_master_key (
 	krb5_context /*context*/,
 	const char */*filename*/,
 	hdb_master_key /*mkey*/);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* __hdb_protos_h__ */
diff --git a/crypto/heimdal/lib/hdb/hdb.asn1 b/crypto/heimdal/lib/hdb/hdb.asn1
index 084d5a1..acd8f61 100644
--- a/crypto/heimdal/lib/hdb/hdb.asn1
+++ b/crypto/heimdal/lib/hdb/hdb.asn1
@@ -1,4 +1,4 @@
--- $Id: hdb.asn1,v 1.9 2001/06/21 14:54:53 joda Exp $
+-- $Id: hdb.asn1 20236 2007-02-16 23:52:29Z lha $
 HDB DEFINITIONS ::=
 BEGIN
 
@@ -12,12 +12,12 @@ hdb-pw-salt	INTEGER	::= 3
 hdb-afs3-salt	INTEGER	::= 10
 
 Salt ::= SEQUENCE {
-	type[0]		INTEGER,
+	type[0]		INTEGER (0..4294967295),
 	salt[1]		OCTET STRING
 }
 
 Key ::= SEQUENCE {
-	mkvno[0]	INTEGER OPTIONAL,	-- master key version number
+	mkvno[0]	INTEGER (0..4294967295) OPTIONAL, -- master key version number
 	key[1]		EncryptionKey,
 	salt[2]		Salt OPTIONAL
 }
@@ -28,43 +28,100 @@ Event ::= SEQUENCE {
 }
 
 HDBFlags ::= BIT STRING {
-	initial(0),		-- require as-req
-	forwardable(1),		-- may issue forwardable
-	proxiable(2),		-- may issue proxiable
-	renewable(3),		-- may issue renewable
-	postdate(4),		-- may issue postdatable
-	server(5),		-- may be server
-	client(6),		-- may be client
-	invalid(7),		-- entry is invalid
-	require-preauth(8),	-- must use preauth
-	change-pw(9),		-- change password service
-	require-hwauth(10),	-- must use hwauth
-	ok-as-delegate(11),	-- as in TicketFlags
-	user-to-user(12),	-- may use user-to-user auth
-	immutable(13)		-- may not be deleted
+	initial(0),			-- require as-req
+	forwardable(1),			-- may issue forwardable
+	proxiable(2),			-- may issue proxiable
+	renewable(3),			-- may issue renewable
+	postdate(4),			-- may issue postdatable
+	server(5),			-- may be server
+	client(6),			-- may be client
+	invalid(7),			-- entry is invalid
+	require-preauth(8),		-- must use preauth
+	change-pw(9),			-- change password service
+	require-hwauth(10),		-- must use hwauth
+	ok-as-delegate(11),		-- as in TicketFlags
+	user-to-user(12),		-- may use user-to-user auth
+	immutable(13),			-- may not be deleted
+	trusted-for-delegation(14),	-- Trusted to print forwardabled tickets
+	allow-kerberos4(15),		-- Allow Kerberos 4 requests
+	allow-digest(16)		-- Allow digest requests
 }
 
 GENERATION ::= SEQUENCE {
-	time[0]		KerberosTime,	-- timestamp
-	usec[1]		INTEGER,	-- microseconds
-	gen[2]		INTEGER		-- generation number
+	time[0]		KerberosTime,			-- timestamp
+	usec[1]		INTEGER (0..4294967295),	-- microseconds
+	gen[2]		INTEGER (0..4294967295)		-- generation number
 }
 
+HDB-Ext-PKINIT-acl ::= SEQUENCE OF SEQUENCE {
+	subject[0]	UTF8String,
+	issuer[1]	UTF8String OPTIONAL,
+	anchor[2]	UTF8String OPTIONAL
+}
+
+HDB-Ext-PKINIT-hash ::= SEQUENCE OF SEQUENCE {
+	digest-type[0] OBJECT IDENTIFIER,
+	digest[1] OCTET STRING
+}
+
+HDB-Ext-Constrained-delegation-acl ::= SEQUENCE OF Principal
+
+-- hdb-ext-referrals ::= PA-SERVER-REFERRAL-DATA
+
+HDB-Ext-Lan-Manager-OWF ::= OCTET STRING
+
+HDB-Ext-Password ::= SEQUENCE {
+	mkvno[0]	INTEGER (0..4294967295) OPTIONAL, -- master key version number
+	password	OCTET STRING
+}
+
+HDB-Ext-Aliases ::= SEQUENCE {
+	case-insensitive[0]	BOOLEAN, -- case insensitive name allowed
+	aliases[1]		SEQUENCE OF Principal -- all names, inc primary
+}
+
+
+HDB-extension ::= SEQUENCE {
+        mandatory[0]    BOOLEAN,        -- kdc MUST understand this extension,
+                                        --   if not the whole entry must
+                                        --   be rejected
+        data[1]          CHOICE {
+	        pkinit-acl[0]			HDB-Ext-PKINIT-acl,
+	        pkinit-cert-hash[1]  		HDB-Ext-PKINIT-hash,
+		allowed-to-delegate-to[2]   HDB-Ext-Constrained-delegation-acl,
+--		referral-info[3]		HDB-Ext-Referrals,
+		lm-owf[4]			HDB-Ext-Lan-Manager-OWF,
+		password[5]			HDB-Ext-Password,
+		aliases[6]			HDB-Ext-Aliases,
+		last-pw-change[7]		KerberosTime,
+		...
+	},
+	...
+}
+
+HDB-extensions ::= SEQUENCE OF HDB-extension
+
+
 hdb_entry ::= SEQUENCE {
 	principal[0]	Principal  OPTIONAL, -- this is optional only 
 					     -- for compatibility with libkrb5
-	kvno[1]		INTEGER,
+	kvno[1]		INTEGER (0..4294967295),
 	keys[2]		SEQUENCE OF Key,
 	created-by[3]	Event,
 	modified-by[4]	Event OPTIONAL,
 	valid-start[5]	KerberosTime OPTIONAL,
 	valid-end[6]	KerberosTime OPTIONAL,
 	pw-end[7]	KerberosTime OPTIONAL,
-	max-life[8]	INTEGER OPTIONAL,
-	max-renew[9]	INTEGER OPTIONAL,
+	max-life[8]	INTEGER (0..4294967295) OPTIONAL,
+	max-renew[9]	INTEGER (0..4294967295) OPTIONAL,
 	flags[10]	HDBFlags,
-	etypes[11]	SEQUENCE OF INTEGER OPTIONAL,
-	generation[12]	GENERATION OPTIONAL
+	etypes[11]	SEQUENCE OF INTEGER (0..4294967295) OPTIONAL,
+	generation[12]	GENERATION OPTIONAL,
+        extensions[13]  HDB-extensions OPTIONAL
+}
+
+hdb_entry_alias ::= [APPLICATION 0] SEQUENCE {
+	principal[0]	Principal  OPTIONAL
 }
 
 END
diff --git a/crypto/heimdal/lib/hdb/hdb.c b/crypto/heimdal/lib/hdb/hdb.c
index 95fde19..a515709 100644
--- a/crypto/heimdal/lib/hdb/hdb.c
+++ b/crypto/heimdal/lib/hdb/hdb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,11 @@
 
 #include "hdb_locl.h"
 
-RCSID("$Id: hdb.c,v 1.44 2001/08/09 08:41:48 assar Exp $");
+RCSID("$Id: hdb.c 20214 2007-02-09 21:51:10Z lha $");
+
+#ifdef HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
 
 struct hdb_method {
     const char *prefix;
@@ -47,19 +51,23 @@ static struct hdb_method methods[] = {
 #if HAVE_NDBM
     {"ndbm:",	hdb_ndbm_create},
 #endif
-#ifdef OPENLDAP
+#if defined(OPENLDAP) && !defined(OPENLDAP_MODULE)
     {"ldap:",	hdb_ldap_create},
+    {"ldapi:",	hdb_ldapi_create},
 #endif
-#if HAVE_DB1 || HAVE_DB3
-    {"",	hdb_db_create},
-#elif defined(HAVE_NDBM)
-    {"",	hdb_ndbm_create},
-#elif defined(OPENLDAP)
-    {"",	hdb_ldap_create},
+#ifdef HAVE_LDB /* Used for integrated samba build */
+    {"ldb:",	hdb_ldb_create},
 #endif
     {NULL,	NULL}
 };
 
+#if HAVE_DB1 || HAVE_DB3
+static struct hdb_method dbmetod = {"",	hdb_db_create };
+#elif defined(HAVE_NDBM)
+static struct hdb_method dbmetod = {"",	hdb_ndbm_create };
+#endif
+
+
 krb5_error_code
 hdb_next_enctype2key(krb5_context context,
 		     const hdb_entry *e,
@@ -70,11 +78,15 @@ hdb_next_enctype2key(krb5_context context,
     
     for (k = *key ? (*key) + 1 : e->keys.val;
 	 k < e->keys.val + e->keys.len; 
-	 k++)
+	 k++) 
+    {
 	if(k->key.keytype == enctype){
 	    *key = k;
 	    return 0;
 	}
+    }
+    krb5_set_error_string(context, "No next enctype %d for hdb-entry", 
+			  (int)enctype);
     return KRB5_PROG_ETYPE_NOSUPP; /* XXX */
 }
 
@@ -128,16 +140,19 @@ hdb_unlock(int fd)
 }
 
 void
-hdb_free_entry(krb5_context context, hdb_entry *ent)
+hdb_free_entry(krb5_context context, hdb_entry_ex *ent)
 {
     int i;
 
-    for(i = 0; i < ent->keys.len; ++i) {
-	Key *k = &ent->keys.val[i];
+    if (ent->free_entry)
+	(*ent->free_entry)(context, ent);
+
+    for(i = 0; i < ent->entry.keys.len; ++i) {
+	Key *k = &ent->entry.keys.val[i];
 
 	memset (k->key.keyvalue.data, 0, k->key.keyvalue.length);
     }
-    free_hdb_entry(ent);
+    free_hdb_entry(&ent->entry);
 }
 
 krb5_error_code
@@ -148,13 +163,15 @@ hdb_foreach(krb5_context context,
 	    void *data)
 {
     krb5_error_code ret;
-    hdb_entry entry;
-    ret = db->firstkey(context, db, flags, &entry);
+    hdb_entry_ex entry;
+    ret = db->hdb_firstkey(context, db, flags, &entry);
+    if (ret == 0)
+	krb5_clear_error_string(context);
     while(ret == 0){
 	ret = (*func)(context, db, &entry, data);
 	hdb_free_entry(context, &entry);
 	if(ret == 0)
-	    ret = db->nextkey(context, db, flags, &entry);
+	    ret = db->hdb_nextkey(context, db, flags, &entry);
     }
     if(ret == HDB_ERR_NOENTRY)
 	ret = 0;
@@ -166,15 +183,22 @@ hdb_check_db_format(krb5_context context, HDB *db)
 {
     krb5_data tag;
     krb5_data version;
-    krb5_error_code ret;
+    krb5_error_code ret, ret2;
     unsigned ver;
     int foo;
 
+    ret = db->hdb_lock(context, db, HDB_RLOCK);
+    if (ret)
+	return ret;
+
     tag.data = HDB_DB_FORMAT_ENTRY;
     tag.length = strlen(tag.data);
-    ret = (*db->_get)(context, db, tag, &version);
+    ret = (*db->hdb__get)(context, db, tag, &version);
+    ret2 = db->hdb_unlock(context, db);
     if(ret)
 	return ret;
+    if (ret2)
+	return ret2;
     foo = sscanf(version.data, "%u", &ver);
     krb5_data_free (&version);
     if (foo != 1)
@@ -187,7 +211,7 @@ hdb_check_db_format(krb5_context context, HDB *db)
 krb5_error_code
 hdb_init_db(krb5_context context, HDB *db)
 {
-    krb5_error_code ret;
+    krb5_error_code ret, ret2;
     krb5_data tag;
     krb5_data version;
     char ver[32];
@@ -196,15 +220,118 @@ hdb_init_db(krb5_context context, HDB *db)
     if(ret != HDB_ERR_NOENTRY)
 	return ret;
     
+    ret = db->hdb_lock(context, db, HDB_WLOCK);
+    if (ret)
+	return ret;
+
     tag.data = HDB_DB_FORMAT_ENTRY;
     tag.length = strlen(tag.data);
     snprintf(ver, sizeof(ver), "%u", HDB_DB_FORMAT);
     version.data = ver;
     version.length = strlen(version.data) + 1; /* zero terminated */
-    ret = (*db->_put)(context, db, 0, tag, version);
-    return ret;
+    ret = (*db->hdb__put)(context, db, 0, tag, version);
+    ret2 = db->hdb_unlock(context, db);
+    if (ret) {
+	if (ret2)
+	    krb5_clear_error_string(context);
+	return ret;
+    }
+    return ret2;
 }
 
+#ifdef HAVE_DLOPEN
+
+ /*
+ * Load a dynamic backend from /usr/heimdal/lib/hdb_NAME.so,
+ * looking for the hdb_NAME_create symbol.
+ */
+
+static const struct hdb_method *
+find_dynamic_method (krb5_context context,
+		     const char *filename, 
+		     const char **rest)
+{
+    static struct hdb_method method;
+    struct hdb_so_method *mso;
+    char *prefix, *path, *symbol;
+    const char *p;
+    void *dl;
+    size_t len;
+    
+    p = strchr(filename, ':');
+
+    /* if no prefix, don't know what module to load, just ignore it */
+    if (p == NULL)
+	return NULL;
+
+    len = p - filename;
+    *rest = filename + len + 1;
+    
+    prefix = strndup(filename, len);
+    if (prefix == NULL)
+	krb5_errx(context, 1, "out of memory");
+    
+    if (asprintf(&path, LIBDIR "/hdb_%s.so", prefix) == -1)
+	krb5_errx(context, 1, "out of memory");
+
+#ifndef RTLD_NOW
+#define RTLD_NOW 0
+#endif
+#ifndef RTLD_GLOBAL
+#define RTLD_GLOBAL 0
+#endif
+
+    dl = dlopen(path, RTLD_NOW | RTLD_GLOBAL);
+    if (dl == NULL) {
+	krb5_warnx(context, "error trying to load dynamic module %s: %s\n",
+		   path, dlerror());
+	free(prefix);
+	free(path);
+	return NULL;
+    }
+    
+    if (asprintf(&symbol, "hdb_%s_interface", prefix) == -1)
+	krb5_errx(context, 1, "out of memory");
+	
+    mso = dlsym(dl, symbol);
+    if (mso == NULL) {
+	krb5_warnx(context, "error finding symbol %s in %s: %s\n", 
+		   symbol, path, dlerror());
+	dlclose(dl);
+	free(symbol);
+	free(prefix);
+	free(path);
+	return NULL;
+    }
+    free(path);
+    free(symbol);
+
+    if (mso->version != HDB_INTERFACE_VERSION) {
+	krb5_warnx(context, 
+		   "error wrong version in shared module %s "
+		   "version: %d should have been %d\n", 
+		   prefix, mso->version, HDB_INTERFACE_VERSION);
+	dlclose(dl);
+	free(prefix);
+	return NULL;
+    }
+
+    if (mso->create == NULL) {
+	krb5_errx(context, 1,
+		  "no entry point function in shared mod %s ",
+		   prefix);
+	dlclose(dl);
+	free(prefix);
+	return NULL;
+    }
+
+    method.create = mso->create;
+    method.prefix = prefix;
+
+    return &method;
+}
+#endif /* HAVE_DLOPEN */
+
 /*
  * find the relevant method for `filename', returning a pointer to the
  * rest in `rest'.
@@ -216,15 +343,56 @@ find_method (const char *filename, const char **rest)
 {
     const struct hdb_method *h;
 
-    for (h = methods; h->prefix != NULL; ++h)
+    for (h = methods; h->prefix != NULL; ++h) {
 	if (strncmp (filename, h->prefix, strlen(h->prefix)) == 0) {
 	    *rest = filename + strlen(h->prefix);
 	    return h;
 	}
+    }
+#if defined(HAVE_DB1) || defined(HAVE_DB3) || defined(HAVE_NDBM)
+    if (strncmp(filename, "/", 1) == 0
+	|| strncmp(filename, "./", 2) == 0
+	|| strncmp(filename, "../", 3) == 0)
+    {
+	*rest = filename;
+	return &dbmetod;
+    }
+#endif
+
     return NULL;
 }
 
 krb5_error_code
+hdb_list_builtin(krb5_context context, char **list)
+{
+    const struct hdb_method *h;
+    size_t len = 0;
+    char *buf = NULL;
+
+    for (h = methods; h->prefix != NULL; ++h) {
+	if (h->prefix[0] == '\0')
+	    continue;
+	len += strlen(h->prefix) + 2;
+    }
+
+    len += 1;
+    buf = malloc(len);
+    if (buf == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    buf[0] = '\0';
+
+    for (h = methods; h->prefix != NULL; ++h) {
+	if (h != methods)
+	    strlcat(buf, ", ", len);
+	strlcat(buf, h->prefix, len);
+    }
+    *list = buf;
+    return 0;
+}
+
+krb5_error_code
 hdb_create(krb5_context context, HDB **db, const char *filename)
 {
     const struct hdb_method *h;
@@ -234,7 +402,11 @@ hdb_create(krb5_context context, HDB **db, const char *filename)
 	filename = HDB_DEFAULT_DB;
     krb5_add_et_list(context, initialize_hdb_error_table_r);
     h = find_method (filename, &residual);
+#ifdef HAVE_DLOPEN
+    if (h == NULL)
+	h = find_dynamic_method (context, filename, &residual);
+#endif
     if (h == NULL)
-	krb5_errx(context, 1, "No database support! (hdb_create)");
+	krb5_errx(context, 1, "No database support for %s", filename);
     return (*h->create)(context, db, residual);
 }
diff --git a/crypto/heimdal/lib/hdb/hdb.h b/crypto/heimdal/lib/hdb/hdb.h
index 21d739b..742b924 100644
--- a/crypto/heimdal/lib/hdb/hdb.h
+++ b/crypto/heimdal/lib/hdb/hdb.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,59 +31,112 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: hdb.h,v 1.31 2000/07/08 16:03:37 joda Exp $ */
+/* $Id: hdb.h 22198 2007-12-07 13:09:25Z lha $ */
 
 #ifndef __HDB_H__
 #define __HDB_H__
 
 #include <hdb_err.h>
 
+#include <heim_asn1.h>
 #include <hdb_asn1.h>
 
+struct hdb_dbinfo;
+
 enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 
 /* flags for various functions */
-#define HDB_F_DECRYPT	1 /* decrypt keys */
-#define HDB_F_REPLACE	2 /* replace entry */
+#define HDB_F_DECRYPT		1	/* decrypt keys */
+#define HDB_F_REPLACE		2	/* replace entry */
+#define HDB_F_GET_CLIENT	4	/* fetch client */
+#define HDB_F_GET_SERVER	8	/* fetch server */
+#define HDB_F_GET_KRBTGT	16	/* fetch krbtgt */
+#define HDB_F_GET_ANY		28	/* fetch any of client,server,krbtgt */
+#define HDB_F_CANON		32	/* want canonicalition */
 
 /* key usage for master key */
 #define HDB_KU_MKEY	0x484442
 
 typedef struct hdb_master_key_data *hdb_master_key;
 
+typedef struct hdb_entry_ex {
+    void *ctx;
+    hdb_entry entry;
+    void (*free_entry)(krb5_context, struct hdb_entry_ex *);
+} hdb_entry_ex;
+
+
 typedef struct HDB{
-    void *db;
-    void *dbc;
-    char *name;
-    int master_key_set;
-    hdb_master_key master_key;
-    int openp;
-
-    krb5_error_code (*open)(krb5_context, struct HDB*, int, mode_t);
-    krb5_error_code (*close)(krb5_context, struct HDB*);
-    krb5_error_code (*fetch)(krb5_context, struct HDB*, unsigned, hdb_entry*);
-    krb5_error_code (*store)(krb5_context, struct HDB*, unsigned, hdb_entry*);
-    krb5_error_code (*remove)(krb5_context, struct HDB*, hdb_entry*);
-    krb5_error_code (*firstkey)(krb5_context, struct HDB*, 
-				unsigned, hdb_entry*);
-    krb5_error_code (*nextkey)(krb5_context, struct HDB*, 
-			       unsigned, hdb_entry*);
-    krb5_error_code (*lock)(krb5_context, struct HDB*, int operation);
-    krb5_error_code (*unlock)(krb5_context, struct HDB*);
-    krb5_error_code (*rename)(krb5_context, struct HDB*, const char*);
-    krb5_error_code (*_get)(krb5_context, struct HDB*, krb5_data, krb5_data*);
-    krb5_error_code (*_put)(krb5_context, struct HDB*, int, 
-			    krb5_data, krb5_data);
-    krb5_error_code (*_del)(krb5_context, struct HDB*, krb5_data);
-    krb5_error_code (*destroy)(krb5_context, struct HDB*);
+    void *hdb_db;
+    void *hdb_dbc;
+    char *hdb_name;
+    int hdb_master_key_set;
+    hdb_master_key hdb_master_key;
+    int hdb_openp;
+
+    krb5_error_code (*hdb_open)(krb5_context,
+				struct HDB*,
+				int,
+				mode_t);
+    krb5_error_code (*hdb_close)(krb5_context, 
+				 struct HDB*);
+    void	    (*hdb_free)(krb5_context,
+				struct HDB*,
+				hdb_entry_ex*);
+    krb5_error_code (*hdb_fetch)(krb5_context,
+				 struct HDB*,
+				 krb5_const_principal,
+				 unsigned,
+				 hdb_entry_ex*);
+    krb5_error_code (*hdb_store)(krb5_context,
+				 struct HDB*,
+				 unsigned,
+				 hdb_entry_ex*);
+    krb5_error_code (*hdb_remove)(krb5_context,
+				  struct HDB*,
+				  krb5_const_principal);
+    krb5_error_code (*hdb_firstkey)(krb5_context,
+				    struct HDB*,
+				    unsigned,
+				    hdb_entry_ex*);
+    krb5_error_code (*hdb_nextkey)(krb5_context,
+				   struct HDB*,
+				   unsigned,
+				   hdb_entry_ex*);
+    krb5_error_code (*hdb_lock)(krb5_context,
+				struct HDB*,
+				int operation);
+    krb5_error_code (*hdb_unlock)(krb5_context,
+				  struct HDB*);
+    krb5_error_code (*hdb_rename)(krb5_context,
+				  struct HDB*,
+				  const char*);
+    krb5_error_code (*hdb__get)(krb5_context,
+				struct HDB*,
+				krb5_data,
+				krb5_data*);
+    krb5_error_code (*hdb__put)(krb5_context,
+				struct HDB*,
+				int, 
+				krb5_data,
+				krb5_data);
+    krb5_error_code (*hdb__del)(krb5_context, 
+				struct HDB*,
+				krb5_data);
+    krb5_error_code (*hdb_destroy)(krb5_context,
+				   struct HDB*);
 }HDB;
 
-#define HDB_DB_DIR "/var/heimdal"
-#define HDB_DEFAULT_DB HDB_DB_DIR "/heimdal"
-#define HDB_DB_FORMAT_ENTRY "hdb/db-format"
+#define HDB_INTERFACE_VERSION	4
+
+struct hdb_so_method {
+    int version;
+    const char *prefix;
+    krb5_error_code (*create)(krb5_context, HDB **, const char *filename);
+};
 
 typedef krb5_error_code (*hdb_foreach_func_t)(krb5_context, HDB*,
-					      hdb_entry*, void*);
+					      hdb_entry_ex*, void*);
 extern krb5_kt_ops hdb_kt_ops;
 
 #include <hdb-protos.h>
diff --git a/crypto/heimdal/lib/hdb/hdb.schema b/crypto/heimdal/lib/hdb/hdb.schema
new file mode 100644
index 0000000..6e5c0f7
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/hdb.schema
@@ -0,0 +1,139 @@
+# Definitions for a Kerberos V KDC schema
+#
+# $Id: hdb.schema 14958 2005-04-25 17:33:40Z lha $
+#
+# This version is compatible with OpenLDAP 1.8
+#
+# OID Base is iso(1) org(3) dod(6) internet(1) private(4) enterprise(1) padl(5322) kdcSchema(10)
+#
+# Syntaxes are under 1.3.6.1.4.1.5322.10.0
+# Attributes types are under 1.3.6.1.4.1.5322.10.1
+# Object classes are under 1.3.6.1.4.1.5322.10.2
+
+# Syntax definitions
+
+#krb5KDCFlagsSyntax SYNTAX ::= {
+#   WITH SYNTAX            INTEGER
+#--        initial(0),             -- require as-req
+#--        forwardable(1),         -- may issue forwardable
+#--        proxiable(2),           -- may issue proxiable
+#--        renewable(3),           -- may issue renewable
+#--        postdate(4),            -- may issue postdatable
+#--        server(5),              -- may be server
+#--        client(6),              -- may be client
+#--        invalid(7),             -- entry is invalid
+#--        require-preauth(8),     -- must use preauth
+#--        change-pw(9),           -- change password service
+#--        require-hwauth(10),     -- must use hwauth
+#--        ok-as-delegate(11),     -- as in TicketFlags
+#--        user-to-user(12),       -- may use user-to-user auth
+#--        immutable(13)           -- may not be deleted         
+#   ID                     { 1.3.6.1.4.1.5322.10.0.1 }
+#}
+
+#krb5PrincipalNameSyntax SYNTAX ::= {
+#   WITH SYNTAX            OCTET STRING
+#-- String representations of distinguished names as per RFC1510
+#   ID                     { 1.3.6.1.4.1.5322.10.0.2 }
+#}
+
+# Attribute type definitions
+ 
+attributetype ( 1.3.6.1.4.1.5322.10.1.1
+	NAME 'krb5PrincipalName'
+	DESC 'The unparsed Kerberos principal name'
+	EQUALITY caseExactIA5Match
+	SINGLE-VALUE
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.5322.10.1.2
+	NAME 'krb5KeyVersionNumber'
+	EQUALITY integerMatch
+	SINGLE-VALUE
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+attributetype ( 1.3.6.1.4.1.5322.10.1.3
+	NAME 'krb5MaxLife'
+	EQUALITY integerMatch
+	SINGLE-VALUE
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+attributetype ( 1.3.6.1.4.1.5322.10.1.4
+	NAME 'krb5MaxRenew'
+	EQUALITY integerMatch
+	SINGLE-VALUE
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+attributetype ( 1.3.6.1.4.1.5322.10.1.5
+	NAME 'krb5KDCFlags'
+	EQUALITY integerMatch
+	SINGLE-VALUE
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+attributetype ( 1.3.6.1.4.1.5322.10.1.6
+	NAME 'krb5EncryptionType'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+attributetype ( 1.3.6.1.4.1.5322.10.1.7
+	NAME 'krb5ValidStart'
+	EQUALITY generalizedTimeMatch
+	ORDERING generalizedTimeOrderingMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+	SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.5322.10.1.8
+	NAME 'krb5ValidEnd'
+	EQUALITY generalizedTimeMatch
+	ORDERING generalizedTimeOrderingMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+	SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.5322.10.1.9
+	NAME 'krb5PasswordEnd'
+	EQUALITY generalizedTimeMatch
+	ORDERING generalizedTimeOrderingMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+	SINGLE-VALUE )
+
+# this is temporary; keys will eventually
+# be child entries or compound attributes.
+attributetype ( 1.3.6.1.4.1.5322.10.1.10
+	NAME 'krb5Key'
+	DESC 'Encoded ASN1 Key as an octet string'
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )
+
+attributetype ( 1.3.6.1.4.1.5322.10.1.11
+	NAME 'krb5PrincipalRealm'
+	DESC 'Distinguished name of krb5Realm entry'
+	SUP distinguishedName )
+
+attributetype ( 1.3.6.1.4.1.5322.10.1.12
+	NAME 'krb5RealmName'
+	EQUALITY octetStringMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
+
+# Object class definitions
+
+objectclass ( 1.3.6.1.4.1.5322.10.2.1
+	NAME 'krb5Principal'
+	SUP top
+	AUXILIARY
+	MUST ( krb5PrincipalName )
+	MAY ( cn $ krb5PrincipalRealm ) )
+
+objectclass ( 1.3.6.1.4.1.5322.10.2.2
+	NAME 'krb5KDCEntry'
+	SUP krb5Principal
+	AUXILIARY
+	MUST ( krb5KeyVersionNumber )
+	MAY ( krb5ValidStart $ krb5ValidEnd $ krb5PasswordEnd $
+              krb5MaxLife $ krb5MaxRenew $ krb5KDCFlags $
+              krb5EncryptionType $ krb5Key ) )
+
+objectclass ( 1.3.6.1.4.1.5322.10.2.3
+	NAME 'krb5Realm'
+	SUP top
+	AUXILIARY
+	MUST ( krb5RealmName ) )
+
diff --git a/crypto/heimdal/lib/hdb/hdb_err.et b/crypto/heimdal/lib/hdb/hdb_err.et
index 9929a56..5c5b80b 100644
--- a/crypto/heimdal/lib/hdb/hdb_err.et
+++ b/crypto/heimdal/lib/hdb/hdb_err.et
@@ -3,7 +3,7 @@
 #
 # This might look like a com_err file, but is not
 #
-id "$Id: hdb_err.et,v 1.5 2001/01/28 23:05:52 assar Exp $"
+id "$Id: hdb_err.et 15878 2005-08-11 13:17:22Z lha $"
 
 error_table hdb
 
@@ -23,5 +23,6 @@ error_code CANT_LOCK_DB,	"Insufficient access to lock database"
 error_code EXISTS,		"Entry already exists in database"
 error_code BADVERSION,		"Wrong database version"
 error_code NO_MKEY,		"No correct master key"
+error_code MANDATORY_OPTION,	"Entry contains unknown mandatory extension"
 
 end
diff --git a/crypto/heimdal/lib/hdb/keys.c b/crypto/heimdal/lib/hdb/keys.c
new file mode 100644
index 0000000..60a5867
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/keys.c
@@ -0,0 +1,398 @@
+/*
+ * Copyright (c) 1997 - 2001, 2003 - 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hdb_locl.h"
+
+RCSID("$Id: keys.c 22071 2007-11-14 20:04:50Z lha $");
+
+/*
+ * free all the memory used by (len, keys)
+ */
+
+void
+hdb_free_keys (krb5_context context, int len, Key *keys)
+{
+    int i;
+
+    for (i = 0; i < len; i++) {
+	free(keys[i].mkvno);
+	keys[i].mkvno = NULL;
+	if (keys[i].salt != NULL) {
+	    free_Salt(keys[i].salt);
+	    free(keys[i].salt);
+	    keys[i].salt = NULL;
+	}
+	krb5_free_keyblock_contents(context, &keys[i].key);
+    }
+    free (keys);
+}
+
+/* 
+ * for each entry in `default_keys' try to parse it as a sequence
+ * of etype:salttype:salt, syntax of this if something like:
+ * [(des|des3|etype):](pw-salt|afs3)[:string], if etype is omitted it
+ *      means all etypes, and if string is omitted is means the default
+ * string (for that principal). Additional special values:
+ *	v5 == pw-salt, and
+ *	v4 == des:pw-salt:
+ *	afs or afs3 == des:afs3-salt
+ */
+
+/* the 3 DES types must be first */
+static const krb5_enctype all_etypes[] = { 
+    ETYPE_DES_CBC_MD5,
+    ETYPE_DES_CBC_MD4,
+    ETYPE_DES_CBC_CRC,
+    ETYPE_AES256_CTS_HMAC_SHA1_96,
+    ETYPE_ARCFOUR_HMAC_MD5,
+    ETYPE_DES3_CBC_SHA1
+};
+
+static krb5_error_code
+parse_key_set(krb5_context context, const char *key, 
+	      krb5_enctype **ret_enctypes, size_t *ret_num_enctypes, 
+	      krb5_salt *salt, krb5_principal principal)
+{
+    const char *p;
+    char buf[3][256];
+    int num_buf = 0;
+    int i, num_enctypes = 0;
+    krb5_enctype e;
+    const krb5_enctype *enctypes = NULL;
+    krb5_error_code ret;
+    
+    p = key;
+
+    *ret_enctypes = NULL;
+    *ret_num_enctypes = 0;
+
+    /* split p in a list of :-separated strings */
+    for(num_buf = 0; num_buf < 3; num_buf++)
+	if(strsep_copy(&p, ":", buf[num_buf], sizeof(buf[num_buf])) == -1)
+	    break;
+
+    salt->saltvalue.data = NULL;
+    salt->saltvalue.length = 0;
+
+    for(i = 0; i < num_buf; i++) {
+	if(enctypes == NULL && num_buf > 1) {
+	    /* this might be a etype specifier */
+	    /* XXX there should be a string_to_etypes handling
+	       special cases like `des' and `all' */
+	    if(strcmp(buf[i], "des") == 0) {
+		enctypes = all_etypes;
+		num_enctypes = 3;
+	    } else if(strcmp(buf[i], "des3") == 0) {
+		e = ETYPE_DES3_CBC_SHA1;
+		enctypes = &e;
+		num_enctypes = 1;
+	    } else {
+		ret = krb5_string_to_enctype(context, buf[i], &e);
+		if (ret == 0) {
+		    enctypes = &e;
+		    num_enctypes = 1;
+		} else
+		    return ret;
+	    }
+	    continue;
+	}
+	if(salt->salttype == 0) {
+	    /* interpret string as a salt specifier, if no etype
+	       is set, this sets default values */
+	    /* XXX should perhaps use string_to_salttype, but that
+	       interface sucks */
+	    if(strcmp(buf[i], "pw-salt") == 0) {
+		if(enctypes == NULL) {
+		    enctypes = all_etypes;
+		    num_enctypes = sizeof(all_etypes)/sizeof(all_etypes[0]);
+		}
+		salt->salttype = KRB5_PW_SALT;
+	    } else if(strcmp(buf[i], "afs3-salt") == 0) {
+		if(enctypes == NULL) {
+		    enctypes = all_etypes;
+		    num_enctypes = 3;
+		}
+		salt->salttype = KRB5_AFS3_SALT;
+	    }
+	    continue;
+	}
+
+	{
+	    /* if there is a final string, use it as the string to
+	       salt with, this is mostly useful with null salt for
+	       v4 compat, and a cell name for afs compat */
+	    salt->saltvalue.data = strdup(buf[i]);
+	    if (salt->saltvalue.data == NULL) {
+		krb5_set_error_string(context, "out of memory");
+		return ENOMEM;
+	    }
+	    salt->saltvalue.length = strlen(buf[i]);
+	}
+    }
+    
+    if(enctypes == NULL || salt->salttype == 0) {
+	krb5_set_error_string(context, "bad value for default_keys `%s'", key);
+	return EINVAL;
+    }
+    
+    /* if no salt was specified make up default salt */
+    if(salt->saltvalue.data == NULL) {
+	if(salt->salttype == KRB5_PW_SALT)
+	    ret = krb5_get_pw_salt(context, principal, salt);
+	else if(salt->salttype == KRB5_AFS3_SALT) {
+	    krb5_realm *realm = krb5_princ_realm(context, principal);
+	    salt->saltvalue.data = strdup(*realm);
+	    if(salt->saltvalue.data == NULL) {
+		krb5_set_error_string(context, "out of memory while "
+				      "parsing salt specifiers");
+		return ENOMEM;
+	    }
+	    strlwr(salt->saltvalue.data);
+	    salt->saltvalue.length = strlen(*realm);
+	}
+    }
+
+    *ret_enctypes = malloc(sizeof(enctypes[0]) * num_enctypes);
+    if (*ret_enctypes == NULL) {
+	krb5_free_salt(context, *salt);
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    memcpy(*ret_enctypes, enctypes, sizeof(enctypes[0]) * num_enctypes);
+    *ret_num_enctypes = num_enctypes;
+
+    return 0;
+}
+
+static krb5_error_code
+add_enctype_to_key_set(Key **key_set, size_t *nkeyset, 
+		       krb5_enctype enctype, krb5_salt *salt)
+{
+    krb5_error_code ret;
+    Key key, *tmp;
+
+    memset(&key, 0, sizeof(key));
+
+    tmp = realloc(*key_set, (*nkeyset + 1) * sizeof((*key_set)[0]));
+    if (tmp == NULL)
+	return ENOMEM;
+    
+    *key_set = tmp;
+
+    key.key.keytype = enctype;
+    key.key.keyvalue.length = 0;
+    key.key.keyvalue.data = NULL;
+    
+    if (salt) {
+	key.salt = malloc(sizeof(*key.salt));
+	if (key.salt == NULL) {
+	    free_Key(&key);
+	    return ENOMEM;
+	}
+	
+	key.salt->type = salt->salttype;
+	krb5_data_zero (&key.salt->salt);
+	
+	ret = krb5_data_copy(&key.salt->salt, 
+			     salt->saltvalue.data, 
+			     salt->saltvalue.length);
+	if (ret) {
+	    free_Key(&key);
+	    return ret;
+	}
+    } else
+	key.salt = NULL;
+    
+    (*key_set)[*nkeyset] = key;
+    
+    *nkeyset += 1;
+
+    return 0;
+}
+
+
+/*
+ * Generate the `key_set' from the [kadmin]default_keys statement. If
+ * `no_salt' is set, salt is not important (and will not be set) since
+ * it's random keys that is going to be created.
+ */
+
+krb5_error_code
+hdb_generate_key_set(krb5_context context, krb5_principal principal,
+		     Key **ret_key_set, size_t *nkeyset, int no_salt)
+{
+    char **ktypes, **kp;
+    krb5_error_code ret;
+    Key *k, *key_set;
+    int i, j;
+    char *default_keytypes[] = {
+	"des:pw-salt",
+	"aes256-cts-hmac-sha1-96:pw-salt",
+	"des3-cbc-sha1:pw-salt",
+	"arcfour-hmac-md5:pw-salt",
+	NULL
+    };
+    
+    ktypes = krb5_config_get_strings(context, NULL, "kadmin",
+				     "default_keys", NULL);
+    if (ktypes == NULL)
+	ktypes = default_keytypes;
+
+    if (ktypes == NULL)
+	abort();
+
+    *ret_key_set = key_set = NULL;
+    *nkeyset = 0;
+
+    ret = 0;
+ 
+    for(kp = ktypes; kp && *kp; kp++) {
+	const char *p;
+	krb5_salt salt;
+	krb5_enctype *enctypes;
+	size_t num_enctypes;
+
+	p = *kp;
+	/* check alias */
+	if(strcmp(p, "v5") == 0)
+	    p = "pw-salt";
+	else if(strcmp(p, "v4") == 0)
+	    p = "des:pw-salt:";
+	else if(strcmp(p, "afs") == 0 || strcmp(p, "afs3") == 0)
+	    p = "des:afs3-salt";
+	else if (strcmp(p, "arcfour-hmac-md5") == 0)
+	    p = "arcfour-hmac-md5:pw-salt";
+	    
+	memset(&salt, 0, sizeof(salt));
+
+	ret = parse_key_set(context, p,
+			    &enctypes, &num_enctypes, &salt, principal);
+	if (ret) {
+	    krb5_warn(context, ret, "bad value for default_keys `%s'", *kp);
+	    ret = 0;
+	    continue;
+	}
+
+	for (i = 0; i < num_enctypes; i++) {
+	    /* find duplicates */
+	    for (j = 0; j < *nkeyset; j++) {
+
+		k = &key_set[j];
+
+		if (k->key.keytype == enctypes[i]) {
+		    if (no_salt)
+			break;
+		    if (k->salt == NULL && salt.salttype == KRB5_PW_SALT)
+			break;
+		    if (k->salt->type == salt.salttype &&
+			k->salt->salt.length == salt.saltvalue.length &&
+			memcmp(k->salt->salt.data, salt.saltvalue.data, 
+			       salt.saltvalue.length) == 0)
+			break;
+		}
+	    }
+	    /* not a duplicate, lets add it */
+	    if (j == *nkeyset) {
+		ret = add_enctype_to_key_set(&key_set, nkeyset, enctypes[i], 
+					     no_salt ? NULL : &salt);
+		if (ret) {
+		    free(enctypes);
+		    krb5_free_salt(context, salt);
+		    goto out;
+		}
+	    }
+	}
+	free(enctypes);
+	krb5_free_salt(context, salt);
+    }
+    
+    *ret_key_set = key_set;
+
+ out:
+    if (ktypes != default_keytypes)
+	krb5_config_free_strings(ktypes);
+
+    if (ret) {
+	krb5_warn(context, ret, 
+		  "failed to parse the [kadmin]default_keys values");
+
+	for (i = 0; i < *nkeyset; i++)
+	    free_Key(&key_set[i]);
+	free(key_set);
+    } else if (*nkeyset == 0) {
+	krb5_warnx(context, 
+		   "failed to parse any of the [kadmin]default_keys values");
+	ret = EINVAL; /* XXX */
+    }
+
+    return ret;
+}
+
+
+krb5_error_code
+hdb_generate_key_set_password(krb5_context context, 
+			      krb5_principal principal, 
+			      const char *password, 
+			      Key **keys, size_t *num_keys) 
+{
+    krb5_error_code ret;
+    int i;
+
+    ret = hdb_generate_key_set(context, principal,
+				keys, num_keys, 0);
+    if (ret)
+	return ret;
+
+    for (i = 0; i < (*num_keys); i++) {
+	krb5_salt salt;
+
+	salt.salttype = (*keys)[i].salt->type;
+	salt.saltvalue.length = (*keys)[i].salt->salt.length;
+	salt.saltvalue.data = (*keys)[i].salt->salt.data;
+
+	ret = krb5_string_to_key_salt (context,
+				       (*keys)[i].key.keytype,
+				       password,
+				       salt,
+				       &(*keys)[i].key);
+
+	if(ret)
+	    break;
+    }
+
+    if(ret) {
+	hdb_free_keys (context, *num_keys, *keys);
+	return ret;
+    }
+    return ret;
+}
diff --git a/crypto/heimdal/lib/hdb/keytab.c b/crypto/heimdal/lib/hdb/keytab.c
index 6ede2b9..e319bb5 100644
--- a/crypto/heimdal/lib/hdb/keytab.c
+++ b/crypto/heimdal/lib/hdb/keytab.c
@@ -35,7 +35,7 @@
 
 /* keytab backend for HDB databases */
 
-RCSID("$Id: keytab.c,v 1.5 2002/08/26 13:28:11 assar Exp $");
+RCSID("$Id: keytab.c 18380 2006-10-09 12:36:40Z lha $");
 
 struct hdb_data {
     char *dbname;
@@ -44,7 +44,7 @@ struct hdb_data {
 
 /*
  * the format for HDB keytabs is:
- * HDB:[database:mkey]
+ * HDB:[database:file:mkey]
  */
 
 static krb5_error_code
@@ -76,7 +76,7 @@ hdb_resolve(krb5_context context, const char *name, krb5_keytab id)
 	if((mkey - db) == 0) {
 	    d->dbname = NULL;
 	} else {
-	    d->dbname = malloc(mkey - db);
+	    d->dbname = malloc(mkey - db + 1);
 	    if(d->dbname == NULL) {
 		free(d);
 		krb5_set_error_string(context, "malloc: out of memory");
@@ -125,7 +125,7 @@ hdb_get_name(krb5_context context,
 
 static void
 set_config (krb5_context context,
-	    krb5_config_binding *binding,
+	    const krb5_config_binding *binding,
 	    const char **dbname,
 	    const char **mkey)
 {
@@ -145,13 +145,13 @@ find_db (krb5_context context,
 	 krb5_const_principal principal)
 {
     const krb5_config_binding *top_bind = NULL;
-    krb5_config_binding *default_binding = NULL;
-    krb5_config_binding *db;
-    krb5_realm *prealm = krb5_princ_realm(context, (krb5_principal)principal);
+    const krb5_config_binding *default_binding = NULL;
+    const krb5_config_binding *db;
+    krb5_realm *prealm = krb5_princ_realm(context, rk_UNCONST(principal));
 
     *dbname = *mkey = NULL;
 
-    while ((db = (krb5_config_binding *)
+    while ((db =
 	    krb5_config_get_next(context,
 				 NULL,
 				 &top_bind,
@@ -193,7 +193,7 @@ hdb_get_entry(krb5_context context,
 	      krb5_enctype enctype,
 	      krb5_keytab_entry *entry)
 {
-    hdb_entry ent;
+    hdb_entry_ex ent;
     krb5_error_code ret;
     struct hdb_data *d = id->data;
     int i;
@@ -201,6 +201,8 @@ hdb_get_entry(krb5_context context,
     const char *dbname = d->dbname;
     const char *mkey   = d->mkey;
 
+    memset(&ent, 0, sizeof(ent));
+
     if (dbname == NULL)
 	find_db (context, &dbname, &mkey, principal);
 
@@ -209,44 +211,50 @@ hdb_get_entry(krb5_context context,
 	return ret;
     ret = hdb_set_master_keyfile (context, db, mkey);
     if (ret) {
-	(*db->destroy)(context, db);
+	(*db->hdb_destroy)(context, db);
 	return ret;
     }
 	
-    ret = (*db->open)(context, db, O_RDONLY, 0);
+    ret = (*db->hdb_open)(context, db, O_RDONLY, 0);
     if (ret) {
-	(*db->destroy)(context, db);
+	(*db->hdb_destroy)(context, db);
 	return ret;
     }
-    ent.principal = (krb5_principal)principal;
-    ret = (*db->fetch)(context, db, HDB_F_DECRYPT, &ent);
-    (*db->close)(context, db);
-    (*db->destroy)(context, db);
+    ret = (*db->hdb_fetch)(context, db, principal, 
+			   HDB_F_DECRYPT|
+			   HDB_F_GET_CLIENT|HDB_F_GET_SERVER|HDB_F_GET_KRBTGT,
+			   &ent);
 
-    if(ret == HDB_ERR_NOENTRY)
-	return KRB5_KT_NOTFOUND;
-    else if(ret)
-	return ret;
-    if(kvno && ent.kvno != kvno) {
+    if(ret == HDB_ERR_NOENTRY) {
+	ret = KRB5_KT_NOTFOUND;
+	goto out;
+    }else if(ret)
+	goto out;
+
+    if(kvno && ent.entry.kvno != kvno) {
 	hdb_free_entry(context, &ent);
- 	return KRB5_KT_NOTFOUND;
+ 	ret = KRB5_KT_NOTFOUND;
+	goto out;
     }
     if(enctype == 0)
-	if(ent.keys.len > 0)
-	    enctype = ent.keys.val[0].key.keytype;
+	if(ent.entry.keys.len > 0)
+	    enctype = ent.entry.keys.val[0].key.keytype;
     ret = KRB5_KT_NOTFOUND;
-    for(i = 0; i < ent.keys.len; i++) {
-	if(ent.keys.val[i].key.keytype == enctype) {
+    for(i = 0; i < ent.entry.keys.len; i++) {
+	if(ent.entry.keys.val[i].key.keytype == enctype) {
 	    krb5_copy_principal(context, principal, &entry->principal);
-	    entry->vno = ent.kvno;
+	    entry->vno = ent.entry.kvno;
 	    krb5_copy_keyblock_contents(context, 
-					&ent.keys.val[i].key, 
+					&ent.entry.keys.val[i].key, 
 					&entry->keyblock);
 	    ret = 0;
 	    break;
 	}
     }
     hdb_free_entry(context, &ent);
+out:
+    (*db->hdb_close)(context, db);
+    (*db->hdb_destroy)(context, db);
     return ret;
 }
 
diff --git a/crypto/heimdal/lib/hdb/mkey.c b/crypto/heimdal/lib/hdb/mkey.c
index 92bcd86..05cf71c 100644
--- a/crypto/heimdal/lib/hdb/mkey.c
+++ b/crypto/heimdal/lib/hdb/mkey.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 2000 - 2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -36,7 +36,7 @@
 #define O_BINARY 0
 #endif
 
-RCSID("$Id: mkey.c,v 1.15 2003/03/28 02:01:33 lha Exp $");
+RCSID("$Id: mkey.c 21745 2007-07-31 16:11:25Z lha $");
 
 struct hdb_master_key_data {
     krb5_keytab_entry keytab;
@@ -129,6 +129,11 @@ read_master_keytab(krb5_context context, const char *filename,
     *mkey = NULL;
     while(krb5_kt_next_entry(context, id, &entry, &cursor) == 0) {
 	p = calloc(1, sizeof(*p));
+	if(p == NULL) {
+	    krb5_kt_end_seq_get(context, id, &cursor);
+	    ret = ENOMEM;
+	    goto out;
+	}
 	p->keytab = entry;
 	ret = krb5_crypto_init(context, &p->keytab.keyblock, 0, &p->crypto);
 	p->next = *mkey;
@@ -148,7 +153,7 @@ read_master_mit(krb5_context context, const char *filename,
     int fd;
     krb5_error_code ret;
     krb5_storage *sp;
-    u_int16_t enctype;
+    int16_t enctype;
     krb5_keyblock key;
 	       
     fd = open(filename, O_RDONLY | O_BINARY);
@@ -354,68 +359,111 @@ hdb_write_master_key(krb5_context context, const char *filename,
     return ret;
 }
 
-static hdb_master_key
-find_master_key(Key *key, hdb_master_key mkey)
+hdb_master_key
+_hdb_find_master_key(uint32_t *mkvno, hdb_master_key mkey)
 {
     hdb_master_key ret = NULL;
     while(mkey) {
 	if(ret == NULL && mkey->keytab.vno == 0)
 	    ret = mkey;
-	if(key->mkvno == NULL) {
+	if(mkvno == NULL) {
 	    if(ret == NULL || mkey->keytab.vno > ret->keytab.vno)
 		ret = mkey;
-	} else if(mkey->keytab.vno == *key->mkvno)
+	} else if(mkey->keytab.vno == *mkvno)
 	    return mkey;
 	mkey = mkey->next;
     }
     return ret;
 }
 
+int
+_hdb_mkey_version(hdb_master_key mkey)
+{
+    return mkey->keytab.vno;
+}
+
+int
+_hdb_mkey_decrypt(krb5_context context, hdb_master_key key,
+		  krb5_key_usage usage,
+		  void *ptr, size_t size, krb5_data *res)
+{
+    return krb5_decrypt(context, key->crypto, usage,
+			ptr, size, res);
+}
+
+int
+_hdb_mkey_encrypt(krb5_context context, hdb_master_key key,
+		  krb5_key_usage usage,
+		  const void *ptr, size_t size, krb5_data *res)
+{
+    return krb5_encrypt(context, key->crypto, usage,
+			ptr, size, res);
+}
+
 krb5_error_code
-hdb_unseal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey)
+hdb_unseal_key_mkey(krb5_context context, Key *k, hdb_master_key mkey) 
 {
-    int i;
+	
     krb5_error_code ret;
     krb5_data res;
     size_t keysize;
-    Key *k;
 
-    for(i = 0; i < ent->keys.len; i++){
-	hdb_master_key key;
+    hdb_master_key key;
+
+    if(k->mkvno == NULL)
+	return 0;
+	
+    key = _hdb_find_master_key(k->mkvno, mkey);
+
+    if (key == NULL)
+	return HDB_ERR_NO_MKEY;
+
+    ret = _hdb_mkey_decrypt(context, key, HDB_KU_MKEY,
+			    k->key.keyvalue.data,
+			    k->key.keyvalue.length,
+			    &res);
+    if(ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
+	/* try to decrypt with MIT key usage */
+	ret = _hdb_mkey_decrypt(context, key, 0,
+				k->key.keyvalue.data,
+				k->key.keyvalue.length,
+				&res);
+    }    
+    if (ret)
+	return ret;
 
-	k = &ent->keys.val[i];
-	if(k->mkvno == NULL)
-	    continue;
+    /* fixup keylength if the key got padded when encrypting it */
+    ret = krb5_enctype_keysize(context, k->key.keytype, &keysize);
+    if (ret) {
+	krb5_data_free(&res);
+	return ret;
+    }
+    if (keysize > res.length) {
+	krb5_data_free(&res);
+	return KRB5_BAD_KEYSIZE;
+    }
 
-	key = find_master_key(&ent->keys.val[i], mkey);
+    memset(k->key.keyvalue.data, 0, k->key.keyvalue.length);
+    free(k->key.keyvalue.data);
+    k->key.keyvalue = res;
+    k->key.keyvalue.length = keysize;
+    free(k->mkvno);
+    k->mkvno = NULL;
 
-	if (key == NULL)
-	    return HDB_ERR_NO_MKEY;
+    return 0;
+}
 
-	ret = krb5_decrypt(context, key->crypto, HDB_KU_MKEY,
-			   k->key.keyvalue.data,
-			   k->key.keyvalue.length,
-			   &res);
-	if (ret)
-	    return ret;
+krb5_error_code
+hdb_unseal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey)
+{
+    int i;
 
-	/* fixup keylength if the key got padded when encrypting it */
-	ret = krb5_enctype_keysize(context, k->key.keytype, &keysize);
-	if (ret) {
-	    krb5_data_free(&res);
-	    return ret;
-	}
-	if (keysize > res.length) {
-	    krb5_data_free(&res);
-	    return KRB5_BAD_KEYSIZE;
-	}
+    for(i = 0; i < ent->keys.len; i++){
+	krb5_error_code ret;
 
-	memset(k->key.keyvalue.data, 0, k->key.keyvalue.length);
-	free(k->key.keyvalue.data);
-	k->key.keyvalue = res;
-	k->key.keyvalue.length = keysize;
-	free(k->mkvno);
-	k->mkvno = NULL;
+	ret = hdb_unseal_key_mkey(context, &ent->keys.val[i], mkey);
+	if (ret) 
+	    return ret;
     }
     return 0;
 }
@@ -423,44 +471,65 @@ hdb_unseal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey)
 krb5_error_code
 hdb_unseal_keys(krb5_context context, HDB *db, hdb_entry *ent)
 {
-    if (db->master_key_set == 0)
+    if (db->hdb_master_key_set == 0)
 	return 0;
-    return hdb_unseal_keys_mkey(context, ent, db->master_key);
+    return hdb_unseal_keys_mkey(context, ent, db->hdb_master_key);
 }
 
 krb5_error_code
-hdb_seal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey)
+hdb_unseal_key(krb5_context context, HDB *db, Key *k)
+{
+    if (db->hdb_master_key_set == 0)
+	return 0;
+    return hdb_unseal_key_mkey(context, k, db->hdb_master_key);
+}
+
+krb5_error_code
+hdb_seal_key_mkey(krb5_context context, Key *k, hdb_master_key mkey)
 {
-    int i;
     krb5_error_code ret;
     krb5_data res;
-    for(i = 0; i < ent->keys.len; i++){
-	Key *k = &ent->keys.val[i];
-	hdb_master_key key;
+    hdb_master_key key;
 
-	if(k->mkvno != NULL)
-	    continue;
+    if(k->mkvno != NULL)
+	return 0;
 
-	key = find_master_key(k, mkey);
+    key = _hdb_find_master_key(k->mkvno, mkey);
 
-	if (key == NULL)
-	    return HDB_ERR_NO_MKEY;
+    if (key == NULL)
+	return HDB_ERR_NO_MKEY;
 
-	ret = krb5_encrypt(context, key->crypto, HDB_KU_MKEY,
-			   k->key.keyvalue.data,
-			   k->key.keyvalue.length,
-			   &res);
-	if (ret)
-	    return ret;
+    ret = _hdb_mkey_encrypt(context, key, HDB_KU_MKEY,
+			    k->key.keyvalue.data,
+			    k->key.keyvalue.length,
+			    &res);
+    if (ret)
+	return ret;
 
-	memset(k->key.keyvalue.data, 0, k->key.keyvalue.length);
-	free(k->key.keyvalue.data);
-	k->key.keyvalue = res;
+    memset(k->key.keyvalue.data, 0, k->key.keyvalue.length);
+    free(k->key.keyvalue.data);
+    k->key.keyvalue = res;
 
+    if (k->mkvno == NULL) {
 	k->mkvno = malloc(sizeof(*k->mkvno));
 	if (k->mkvno == NULL)
 	    return ENOMEM;
-	*k->mkvno = key->keytab.vno;
+    }
+    *k->mkvno = key->keytab.vno;
+	
+    return 0;
+}
+
+krb5_error_code
+hdb_seal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey)
+{
+    int i;
+    for(i = 0; i < ent->keys.len; i++){
+	krb5_error_code ret;
+
+	ret = hdb_seal_key_mkey(context, &ent->keys.val[i], mkey);
+	if (ret)
+	    return ret;
     }
     return 0;
 }
@@ -468,10 +537,19 @@ hdb_seal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey)
 krb5_error_code
 hdb_seal_keys(krb5_context context, HDB *db, hdb_entry *ent)
 {
-    if (db->master_key_set == 0)
+    if (db->hdb_master_key_set == 0)
+	return 0;
+    
+    return hdb_seal_keys_mkey(context, ent, db->hdb_master_key);
+}
+
+krb5_error_code
+hdb_seal_key(krb5_context context, HDB *db, Key *k)
+{
+    if (db->hdb_master_key_set == 0)
 	return 0;
     
-    return hdb_seal_keys_mkey(context, ent, db->master_key);
+    return hdb_seal_key_mkey(context, k, db->hdb_master_key);
 }
 
 krb5_error_code
@@ -485,11 +563,11 @@ hdb_set_master_key (krb5_context context,
     ret = hdb_process_master_key(context, 0, key, 0, &mkey);
     if (ret)
 	return ret;
-    db->master_key = mkey;
+    db->hdb_master_key = mkey;
 #if 0 /* XXX - why? */
     des_set_random_generator_seed(key.keyvalue.data);
 #endif
-    db->master_key_set = 1;
+    db->hdb_master_key_set = 1;
     return 0;
 }
 
@@ -508,8 +586,8 @@ hdb_set_master_keyfile (krb5_context context,
 	krb5_clear_error_string(context);
 	return 0;
     }
-    db->master_key = key;
-    db->master_key_set = 1;
+    db->hdb_master_key = key;
+    db->hdb_master_key_set = 1;
     return ret;
 }
 
@@ -517,9 +595,9 @@ krb5_error_code
 hdb_clear_master_key (krb5_context context,
 		      HDB *db)
 {
-    if (db->master_key_set) {
-	hdb_free_master_key(context, db->master_key);
-	db->master_key_set = 0;
+    if (db->hdb_master_key_set) {
+	hdb_free_master_key(context, db->hdb_master_key);
+	db->hdb_master_key_set = 0;
     }
     return 0;
 }
diff --git a/crypto/heimdal/lib/hdb/ndbm.c b/crypto/heimdal/lib/hdb/ndbm.c
index c162145..6575b8a 100644
--- a/crypto/heimdal/lib/hdb/ndbm.c
+++ b/crypto/heimdal/lib/hdb/ndbm.c
@@ -33,7 +33,7 @@
 
 #include "hdb_locl.h"
 
-RCSID("$Id: ndbm.c,v 1.33 2001/09/03 05:03:01 assar Exp $");
+RCSID("$Id: ndbm.c 16395 2005-12-13 11:54:10Z lha $");
 
 #if HAVE_NDBM
 
@@ -56,7 +56,7 @@ NDBM_destroy(krb5_context context, HDB *db)
     krb5_error_code ret;
 
     ret = hdb_clear_master_key (context, db);
-    free(db->name);
+    free(db->hdb_name);
     free(db);
     return 0;
 }
@@ -64,23 +64,23 @@ NDBM_destroy(krb5_context context, HDB *db)
 static krb5_error_code
 NDBM_lock(krb5_context context, HDB *db, int operation)
 {
-    struct ndbm_db *d = db->db;
+    struct ndbm_db *d = db->hdb_db;
     return hdb_lock(d->lock_fd, operation);
 }
 
 static krb5_error_code
 NDBM_unlock(krb5_context context, HDB *db)
 {
-    struct ndbm_db *d = db->db;
+    struct ndbm_db *d = db->hdb_db;
     return hdb_unlock(d->lock_fd);
 }
 
 static krb5_error_code
 NDBM_seq(krb5_context context, HDB *db, 
-	 unsigned flags, hdb_entry *entry, int first)
+	 unsigned flags, hdb_entry_ex *entry, int first)
 
 {
-    struct ndbm_db *d = (struct ndbm_db *)db->db;
+    struct ndbm_db *d = (struct ndbm_db *)db->hdb_db;
     datum key, value;
     krb5_data key_data, data;
     krb5_error_code ret = 0;
@@ -93,27 +93,28 @@ NDBM_seq(krb5_context context, HDB *db,
 	return HDB_ERR_NOENTRY;
     key_data.data = key.dptr;
     key_data.length = key.dsize;
-    ret = db->lock(context, db, HDB_RLOCK);
+    ret = db->hdb_lock(context, db, HDB_RLOCK);
     if(ret) return ret;
     value = dbm_fetch(d->db, key);
-    db->unlock(context, db);
+    db->hdb_unlock(context, db);
     data.data = value.dptr;
     data.length = value.dsize;
-    if(hdb_value2entry(context, &data, entry))
+    memset(entry, 0, sizeof(*entry));
+    if(hdb_value2entry(context, &data, &entry->entry))
 	return NDBM_seq(context, db, flags, entry, 0);
-    if (db->master_key_set && (flags & HDB_F_DECRYPT)) {
-	ret = hdb_unseal_keys (context, db, entry);
+    if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
+	ret = hdb_unseal_keys (context, db, &entry->entry);
 	if (ret)
 	    hdb_free_entry (context, entry);
     }
-    if (entry->principal == NULL) {
-	entry->principal = malloc (sizeof(*entry->principal));
-	if (entry->principal == NULL) {
+    if (ret == 0 && entry->entry.principal == NULL) {
+	entry->entry.principal = malloc (sizeof(*entry->entry.principal));
+	if (entry->entry.principal == NULL) {
 	    ret = ENOMEM;
 	    hdb_free_entry (context, entry);
 	    krb5_set_error_string(context, "malloc: out of memory");
 	} else {
-	    hdb_key2principal (context, &key_data, entry->principal);
+	    hdb_key2principal (context, &key_data, entry->entry.principal);
 	}
     }
     return ret;
@@ -121,14 +122,14 @@ NDBM_seq(krb5_context context, HDB *db,
 
 
 static krb5_error_code
-NDBM_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
+NDBM_firstkey(krb5_context context, HDB *db,unsigned flags,hdb_entry_ex *entry)
 {
     return NDBM_seq(context, db, flags, entry, 1);
 }
 
 
 static krb5_error_code
-NDBM_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
+NDBM_nextkey(krb5_context context, HDB *db, unsigned flags,hdb_entry_ex *entry)
 {
     return NDBM_seq(context, db, flags, entry, 0);
 }
@@ -137,7 +138,7 @@ static krb5_error_code
 NDBM_rename(krb5_context context, HDB *db, const char *new_name)
 {
     /* XXX this function will break */
-    struct ndbm_db *d = db->db;
+    struct ndbm_db *d = db->hdb_db;
 
     int ret;
     char *old_dir, *old_pag, *new_dir, *new_pag;
@@ -145,19 +146,19 @@ NDBM_rename(krb5_context context, HDB *db, const char *new_name)
     int lock_fd;
 
     /* lock old and new databases */
-    ret = db->lock(context, db, HDB_WLOCK);
+    ret = db->hdb_lock(context, db, HDB_WLOCK);
     if(ret)
 	return ret;
     asprintf(&new_lock, "%s.lock", new_name);
     if(new_lock == NULL) {
-	db->unlock(context, db);
+	db->hdb_unlock(context, db);
 	krb5_set_error_string(context, "malloc: out of memory");
 	return ENOMEM;
     }
     lock_fd = open(new_lock, O_RDWR | O_CREAT, 0600);
     if(lock_fd < 0) {
 	ret = errno;
-	db->unlock(context, db);
+	db->hdb_unlock(context, db);
 	krb5_set_error_string(context, "open(%s): %s", new_lock,
 			      strerror(ret));
 	free(new_lock);
@@ -166,13 +167,13 @@ NDBM_rename(krb5_context context, HDB *db, const char *new_name)
     free(new_lock);
     ret = hdb_lock(lock_fd, HDB_WLOCK);
     if(ret) {
-	db->unlock(context, db);
+	db->hdb_unlock(context, db);
 	close(lock_fd);
 	return ret;
     }
 
-    asprintf(&old_dir, "%s.dir", db->name);
-    asprintf(&old_pag, "%s.pag", db->name);
+    asprintf(&old_dir, "%s.dir", db->hdb_name);
+    asprintf(&old_pag, "%s.pag", db->hdb_name);
     asprintf(&new_dir, "%s.dir", new_name);
     asprintf(&new_pag, "%s.pag", new_name);
 
@@ -182,7 +183,7 @@ NDBM_rename(krb5_context context, HDB *db, const char *new_name)
     free(new_dir);
     free(new_pag);
     hdb_unlock(lock_fd);
-    db->unlock(context, db);
+    db->hdb_unlock(context, db);
 
     if(ret) {
 	ret = errno;
@@ -194,25 +195,25 @@ NDBM_rename(krb5_context context, HDB *db, const char *new_name)
     close(d->lock_fd);
     d->lock_fd = lock_fd;
     
-    free(db->name);
-    db->name = strdup(new_name);
+    free(db->hdb_name);
+    db->hdb_name = strdup(new_name);
     return 0;
 }
 
 static krb5_error_code
 NDBM__get(krb5_context context, HDB *db, krb5_data key, krb5_data *reply)
 {
-    struct ndbm_db *d = (struct ndbm_db *)db->db;
+    struct ndbm_db *d = (struct ndbm_db *)db->hdb_db;
     datum k, v;
     int code;
 
     k.dptr  = key.data;
     k.dsize = key.length;
-    code = db->lock(context, db, HDB_RLOCK);
+    code = db->hdb_lock(context, db, HDB_RLOCK);
     if(code)
 	return code;
     v = dbm_fetch(d->db, k);
-    db->unlock(context, db);
+    db->hdb_unlock(context, db);
     if(v.dptr == NULL)
 	return HDB_ERR_NOENTRY;
 
@@ -224,7 +225,7 @@ static krb5_error_code
 NDBM__put(krb5_context context, HDB *db, int replace, 
 	krb5_data key, krb5_data value)
 {
-    struct ndbm_db *d = (struct ndbm_db *)db->db;
+    struct ndbm_db *d = (struct ndbm_db *)db->hdb_db;
     datum k, v;
     int code;
 
@@ -233,11 +234,11 @@ NDBM__put(krb5_context context, HDB *db, int replace,
     v.dptr  = value.data;
     v.dsize = value.length;
 
-    code = db->lock(context, db, HDB_WLOCK);
+    code = db->hdb_lock(context, db, HDB_WLOCK);
     if(code)
 	return code;
     code = dbm_store(d->db, k, v, replace ? DBM_REPLACE : DBM_INSERT);
-    db->unlock(context, db);
+    db->hdb_unlock(context, db);
     if(code == 1)
 	return HDB_ERR_EXISTS;
     if (code < 0)
@@ -248,22 +249,33 @@ NDBM__put(krb5_context context, HDB *db, int replace,
 static krb5_error_code
 NDBM__del(krb5_context context, HDB *db, krb5_data key)
 {
-    struct ndbm_db *d = (struct ndbm_db *)db->db;
+    struct ndbm_db *d = (struct ndbm_db *)db->hdb_db;
     datum k;
     int code;
     krb5_error_code ret;
 
     k.dptr = key.data;
     k.dsize = key.length;
-    ret = db->lock(context, db, HDB_WLOCK);
+    ret = db->hdb_lock(context, db, HDB_WLOCK);
     if(ret) return ret;
     code = dbm_delete(d->db, k);
-    db->unlock(context, db);
+    db->hdb_unlock(context, db);
     if(code < 0)
 	return errno;
     return 0;
 }
 
+
+static krb5_error_code
+NDBM_close(krb5_context context, HDB *db)
+{
+    struct ndbm_db *d = db->hdb_db;
+    dbm_close(d->db);
+    close(d->lock_fd);
+    free(d);
+    return 0;
+}
+
 static krb5_error_code
 NDBM_open(krb5_context context, HDB *db, int flags, mode_t mode)
 {
@@ -275,18 +287,18 @@ NDBM_open(krb5_context context, HDB *db, int flags, mode_t mode)
 	krb5_set_error_string(context, "malloc: out of memory");
 	return ENOMEM;
     }
-    asprintf(&lock_file, "%s.lock", (char*)db->name);
+    asprintf(&lock_file, "%s.lock", (char*)db->hdb_name);
     if(lock_file == NULL) {
 	free(d);
 	krb5_set_error_string(context, "malloc: out of memory");
 	return ENOMEM;
     }
-    d->db = dbm_open((char*)db->name, flags, mode);
+    d->db = dbm_open((char*)db->hdb_name, flags, mode);
     if(d->db == NULL){
 	ret = errno;
 	free(d);
 	free(lock_file);
-	krb5_set_error_string(context, "dbm_open(%s): %s", db->name,
+	krb5_set_error_string(context, "dbm_open(%s): %s", db->hdb_name,
 			      strerror(ret));
 	return ret;
     }
@@ -301,60 +313,57 @@ NDBM_open(krb5_context context, HDB *db, int flags, mode_t mode)
 	return ret;
     }
     free(lock_file);
-    db->db = d;
+    db->hdb_db = d;
     if((flags & O_ACCMODE) == O_RDONLY)
 	ret = hdb_check_db_format(context, db);
     else
 	ret = hdb_init_db(context, db);
     if(ret == HDB_ERR_NOENTRY)
 	return 0;
+    if (ret) {
+	NDBM_close(context, db);
+	krb5_set_error_string(context, "hdb_open: failed %s database %s",
+			      (flags & O_ACCMODE) == O_RDONLY ? 
+			      "checking format of" : "initialize", 
+			      db->hdb_name);
+    }
     return ret;
 }
 
-static krb5_error_code
-NDBM_close(krb5_context context, HDB *db)
-{
-    struct ndbm_db *d = db->db;
-    dbm_close(d->db);
-    close(d->lock_fd);
-    free(d);
-    return 0;
-}
-
 krb5_error_code
 hdb_ndbm_create(krb5_context context, HDB **db, 
 		const char *filename)
 {
-    *db = malloc(sizeof(**db));
+    *db = calloc(1, sizeof(**db));
     if (*db == NULL) {
 	krb5_set_error_string(context, "malloc: out of memory");
 	return ENOMEM;
     }
 
-    (*db)->db = NULL;
-    (*db)->name = strdup(filename);
-    if ((*db)->name == NULL) {
+    (*db)->hdb_db = NULL;
+    (*db)->hdb_name = strdup(filename);
+    if ((*db)->hdb_name == NULL) {
 	krb5_set_error_string(context, "malloc: out of memory");
 	free(*db);
 	*db = NULL;
 	return ENOMEM;
     }
-    (*db)->master_key_set = 0;
-    (*db)->openp = 0;
-    (*db)->open = NDBM_open;
-    (*db)->close = NDBM_close;
-    (*db)->fetch = _hdb_fetch;
-    (*db)->store = _hdb_store;
-    (*db)->remove = _hdb_remove;
-    (*db)->firstkey = NDBM_firstkey;
-    (*db)->nextkey= NDBM_nextkey;
-    (*db)->lock = NDBM_lock;
-    (*db)->unlock = NDBM_unlock;
-    (*db)->rename = NDBM_rename;
-    (*db)->_get = NDBM__get;
-    (*db)->_put = NDBM__put;
-    (*db)->_del = NDBM__del;
-    (*db)->destroy = NDBM_destroy;
+    (*db)->hdb_master_key_set = 0;
+    (*db)->hdb_openp = 0;
+    (*db)->hdb_open = NDBM_open;
+    (*db)->hdb_close = NDBM_close;
+    (*db)->hdb_fetch = _hdb_fetch;
+    (*db)->hdb_store = _hdb_store;
+    (*db)->hdb_remove = _hdb_remove;
+    (*db)->hdb_firstkey = NDBM_firstkey;
+    (*db)->hdb_nextkey= NDBM_nextkey;
+    (*db)->hdb_lock = NDBM_lock;
+    (*db)->hdb_unlock = NDBM_unlock;
+    (*db)->hdb_rename = NDBM_rename;
+    (*db)->hdb__get = NDBM__get;
+    (*db)->hdb__put = NDBM__put;
+    (*db)->hdb__del = NDBM__del;
+    (*db)->hdb_destroy = NDBM_destroy;
     return 0;
 }
 
diff --git a/crypto/heimdal/lib/hdb/print.c b/crypto/heimdal/lib/hdb/print.c
index 5ad172f..60b7e8d 100644
--- a/crypto/heimdal/lib/hdb/print.c
+++ b/crypto/heimdal/lib/hdb/print.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999-2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,9 +31,10 @@
  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
 
 #include "hdb_locl.h"
+#include <hex.h>
 #include <ctype.h>
 
-RCSID("$Id: print.c,v 1.8 2002/05/24 15:18:02 joda Exp $");
+RCSID("$Id: print.c 16378 2005-12-12 12:40:12Z lha $");
 
 /* 
    This is the present contents of a dump line. This might change at
@@ -91,8 +92,9 @@ append_hex(krb5_context context, krb5_storage *sp, krb5_data *data)
     if(printable)
 	return append_string(context, sp, "\"%.*s\"",
 			     data->length, data->data);
-    for(i = 0; i < data->length; i++) 
-	append_string(context, sp, "%02x", ((unsigned char*)data->data)[i]);
+    hex_encode(data->data, data->length, &p);
+    append_string(context, sp, "%s", p);
+    free(p);
     return 0;
 }
 
@@ -198,11 +200,41 @@ entry2string_int (krb5_context context, krb5_storage *sp, hdb_entry *ent)
 
     /* --- generation number */
     if(ent->generation) {
-	append_string(context, sp, "%s:%d:%d", time2str(ent->generation->time),
+	append_string(context, sp, "%s:%d:%d ", time2str(ent->generation->time),
 		      ent->generation->usec,
 		      ent->generation->gen);
     } else
+	append_string(context, sp, "- ");
+
+    /* --- extensions */
+    if(ent->extensions && ent->extensions->len > 0) {
+	for(i = 0; i < ent->extensions->len; i++) {
+	    void *d;
+	    size_t size, sz;
+
+	    ASN1_MALLOC_ENCODE(HDB_extension, d, size,
+			       &ent->extensions->val[i], &sz, ret);
+	    if (ret) {
+		krb5_clear_error_string(context);
+		return ret;
+	    }
+	    if(size != sz)
+		krb5_abortx(context, "internal asn.1 encoder error");
+
+	    if (hex_encode(d, size, &p) < 0) {
+		free(d);
+		krb5_set_error_string(context, "malloc: out of memory");
+		return ENOMEM;
+	    }
+
+	    free(d);
+	    append_string(context, sp, "%s%s", p, 
+			  ent->extensions->len - 1 != i ? ":" : "");
+	    free(p);
+	}
+    } else
 	append_string(context, sp, "-");
+
     
     return 0;
 }
@@ -236,7 +268,7 @@ hdb_entry2string (krb5_context context, hdb_entry *ent, char **str)
 /* print a hdb_entry to (FILE*)data; suitable for hdb_foreach */
 
 krb5_error_code
-hdb_print_entry(krb5_context context, HDB *db, hdb_entry *entry, void *data)
+hdb_print_entry(krb5_context context, HDB *db, hdb_entry_ex *entry, void *data)
 {
     krb5_error_code ret;
     krb5_storage *sp;
@@ -250,7 +282,7 @@ hdb_print_entry(krb5_context context, HDB *db, hdb_entry *entry, void *data)
 	return ENOMEM;
     }
     
-    ret = entry2string_int(context, sp, entry);
+    ret = entry2string_int(context, sp, &entry->entry);
     if(ret) {
 	krb5_storage_free(sp);
 	return ret;
diff --git a/crypto/heimdal/lib/hdb/test_dbinfo.c b/crypto/heimdal/lib/hdb/test_dbinfo.c
new file mode 100644
index 0000000..d92a538
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/test_dbinfo.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hdb_locl.h"
+#include <getarg.h>
+
+RCSID("$Id: test_dbinfo.c 20575 2007-04-27 20:20:32Z lha $");
+
+static int help_flag;
+static int version_flag;
+
+struct getargs args[] = {
+    { "help",		'h',	arg_flag,   &help_flag },
+    { "version",	0,	arg_flag,   &version_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+int
+main(int argc, char **argv)
+{
+    struct hdb_dbinfo *info, *d;
+    krb5_context context;
+    int ret, o = 0;
+
+    setprogname(argv[0]);
+
+    if(getarg(args, num_args, argc, argv, &o))
+	krb5_std_usage(1, args, num_args);
+
+    if(help_flag)
+	krb5_std_usage(0, args, num_args);
+    
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    ret = hdb_get_dbinfo(context, &info);
+    if (ret)
+	krb5_err(context, 1, ret, "hdb_get_dbinfo");
+
+    d = NULL;
+    while ((d = hdb_dbinfo_get_next(info, d)) != NULL) {
+	printf("label: %s\n", hdb_dbinfo_get_label(context, d));
+	printf("\trealm: %s\n", hdb_dbinfo_get_realm(context, d));
+	printf("\tdbname: %s\n", hdb_dbinfo_get_dbname(context, d));
+	printf("\tmkey_file: %s\n", hdb_dbinfo_get_mkey_file(context, d));
+	printf("\tacl_file: %s\n", hdb_dbinfo_get_acl_file(context, d));
+    }
+
+    hdb_free_dbinfo(context, &info);
+
+    krb5_free_context(context);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/hx509/ChangeLog b/crypto/heimdal/lib/hx509/ChangeLog
new file mode 100644
index 0000000..cb29cee
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/ChangeLog
@@ -0,0 +1,2641 @@
+2008-01-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_soft_pkcs11.c: use func for more C_ functions.
+	
+2008-01-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* version-script.map: Export hx509_free_error_string().
+
+2008-01-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* version-script.map: only export C_GetFunctionList
+
+	* test_soft_pkcs11.c: use C_GetFunctionList
+
+	* softp11.c: fix comment, remove label.
+
+	* softp11.c: Add option app-fatal to control if softtoken should
+	abort() on erroneous input from applications.
+
+2008-01-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_pkcs11.in: Test password less certificates too
+
+	* keyset.c: document HX509_CERTS_UNPROTECT_ALL
+
+	* ks_file.c: Support HX509_CERTS_UNPROTECT_ALL.
+
+	* hx509.h: Add HX509_CERTS_UNPROTECT_ALL.
+
+	* test_soft_pkcs11.c: Only log in if needed.
+
+2008-01-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* softp11.c: Support PINs to login to the store.
+
+	* Makefile.am: add java pkcs11 test
+
+	* test_java_pkcs11.in: first version of disable java test
+
+	* softp11.c: Drop unused stuff.
+
+	* cert.c: Spelling, Add hx509_cert_get_SPKI_AlgorithmIdentifier,
+	remove unused stuff, add hx509_context to some functions.
+	
+	* softp11.c: Add more glue to figure out what keytype this
+	certificate is using.
+
+2008-01-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_pkcs11.in: test debug
+
+	* Add a PKCS11 provider supporting signing and verifing sigatures.
+
+2008-01-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* version-script.map: Replace hx509_name_to_der_name with
+	hx509_name_binary.
+
+	* print.c: make print_func static
+
+2007-12-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* print.c: doxygen
+
+	* env.c: doxygen
+
+	* doxygen.c: add more groups
+
+	* ca.c: doxygen.
+
+2007-12-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ca.c: doxygen
+
+2007-12-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* error.c: doxygen
+	
+2007-12-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* More documentation
+	
+	* lock.c: Add page referance
+
+	* keyset.c: some more documentation.
+
+	* cms.c: Doxygen documentation.
+
+2007-12-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* *.[ch]: More documentation
+
+2007-12-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* handle refcount on NULL.
+
+	* test_nist_pkcs12.in: drop echo -n, doesn't work with posix sh
+
+2007-12-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_nist2.in: Print that this is version 2 of the tests
+
+	* test_nist.in: Drop printing of $id.
+
+	* hx509.h: Add HX509_VHN_F_ALLOW_NO_MATCH.
+
+	* name.c: spelling.
+
+	* cert.c: make work the doxygen.
+
+	* name.c: fix doxygen compiling.
+
+	* Makefile.am: add doxygen.c
+
+	* doxygen.c: Add doxygen main page.
+
+	* cert.c: Add doxygen.
+
+	* revoke.c (_hx509_revoke_ref): new function.
+
+2007-11-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ks_keychain.c: Check if SecKeyGetCSPHandle needs prototype.
+
+2007-08-16  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* data/nist-data: Make work on case senstive filesystems too.
+	
+2007-08-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cert.c: match rfc822 contrains better, provide better error
+	strings.
+
+2007-08-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cert.c: "self-signed doesn't count" doesn't apply to trust
+	anchor certificate.  make trust anchor check consistant.
+
+	* revoke.c: make compile.
+
+	* revoke.c (verify_crl): set error strings.
+	
+	* revoke.c (verify_crl): handle with the signer is the
+	CRLsigner (shortcut).
+
+	* cert.c: Fix NC, comment on how to use _hx509_check_key_usage.
+
+2007-08-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_nist2.in, Makefile, test/nist*: Add nist pkits tests. 
+
+	* revoke.c: Update to use CERT_REVOKED error, shortcut out of OCSP
+	checking when OCSP reply is a revocation reply.
+
+	* hx509_err.et: Make CERT_REVOKED error OCSP/CRL agnostic.
+
+	* name.c (_hx509_Name_to_string): make printableString handle
+	space (0x20) diffrences as required by rfc3280.
+
+	* revoke.c: Search for the right issuer when looking for the
+	issuer of the CRL signer.
+
+2007-08-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* revoke.c: Handle CRL signing certificate better, try to not
+	revalidate invalid CRLs over and over.
+
+2007-08-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cms.c: remove stale comment.
+
+	* test_nist.in: Unpack PKITS_data.zip and run tests.
+	
+	* test_nist_cert.in: Adapt to new nist pkits framework.
+
+	* test_nist_pkcs12.in: Adapt to new nist pkits framework.
+
+	* Makefile.am: clean PKITS_data
+
+2007-07-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Add version-script.map to EXTRA_DIST
+
+2007-07-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Add depenency on asn1_compile for asn1 built files.
+	
+2007-07-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* peer.c: update (c), indent.
+
+	* Makefile.am: New library version.
+
+2007-06-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ks_p11.c: Add sha2 types.
+
+	* ref/pkcs11.h: Sync with scute.
+
+	* ref/pkcs11.h: Add sha2 CKM's.
+
+	* print.c: Print authorityInfoAccess.
+
+	* cert.c: Rename proxyCertInfo oid.
+
+	* ca.c: Rename proxyCertInfo oid.
+
+	* print.c: Rename proxyCertInfo oid.
+	
+2007-06-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_ca.in: Adapt to new request handling.
+
+	* req.c: Allow export some of the request parameters.
+
+	* hxtool-commands.in: Adapt to new request handling.
+
+	* hxtool.c: Adapt to new request handling.
+
+	* test_req.in: Adapt to new request handling.
+
+	* version-script.map: Add initialize_hx_error_table_r.
+
+	* req.c: Move _hx509_request_print here.
+
+	* hxtool.c: use _hx509_request_print
+
+	* version-script.map: Export more crap^W semiprivate functions.
+
+	* hxtool.c: don't _hx509_abort
+
+	* version-script.map: add missing ;
+
+2007-06-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cms.c: Use hx509_crypto_random_iv.
+
+	* crypto.c: Split out the iv creation from hx509_crypto_encrypt
+	since _hx509_pbe_encrypt needs to use the iv from the s2k
+	function.
+
+	* test_cert.in: Test PEM and DER FILE writing functionallity.
+
+	* ks_file.c: Add writing DER certificates.
+
+	* hxtool.c: Update to new hx509_pem_write().
+
+	* test_cms.in: test creation of PEM signeddata.
+
+	* hx509.h: PEM struct/function declarations.
+
+	* ks_file.c: Use PEM encoding/decoding functions.
+
+	* file.c: PEM encode/decoding functions.
+
+	* ks_file.c: Use hx509_pem_write.
+
+	* version-script.map: Export some semi-private functions.
+
+	* hxtool.c: Enable writing out signed data as a pem attachment.
+
+	* hxtool-commands.in (cms-create-signed): add --pem
+
+	* file.c (hx509_pem_write): Add.
+
+	* test_ca.in: Issue and test null subject cert.
+
+	* cert.c: Match is first component is in a CN=.
+
+	* test_ca.in: Test hostname if first CN.
+
+	* Makefile.am: Add version script.
+
+	* version-script.map: Limited exported symbols.
+
+	* test_ca.in: test --hostname.
+
+	* test_chain.in: test max-depth
+
+	* hx509.h: fixate HX509_HN_HOSTNAME at 0.
+
+	* hxtool-commands.in: add --hostname add --max-depth
+
+	* cert.c: Verify hostname and max-depth.
+
+	* hxtool.c: Verify hostname and test max-depth.
+
+2007-06-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_cms.in: Test --id-by-name.
+
+	* hxtool-commands.in: add cms-create-sd --id-by-name
+
+	* hxtool.c: Use HX509_CMS_SIGATURE_ID_NAME.
+
+	* cms.c: Implement and use HX509_CMS_SIGATURE_ID_NAME.
+
+	* hx509.h: Add HX509_CMS_SIGATURE_ID_NAME, use subject name for
+	CMS.Identifier.  hx509_hostname_type: add hostname type for
+	matching.
+
+	* cert.c (match_general_name): more strict rfc822Name matching.
+	(hx509_verify_hostname): add hostname type for matching.
+
+2007-06-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* hxtool.c: Make compile again.
+
+	* hxtool.c: Added peap-server for to make windows peap clients
+	happy.
+
+	* hxtool.c: Unify parse_oid code.
+
+	* hxtool.c: Implement --content-type.
+
+	* hxtool-commands.in: Add content-type.
+
+	* test_cert.in: more cert and keyset tests.
+
+2007-06-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* revoke.c: Avoid stomping on NULL.
+
+	* revoke.c: Avoid reusing i.
+
+	* cert.c: Provide __attribute__ for _hx509_abort.
+
+	* ks_file.c: Fail if not finding iv.
+
+	* keyset.c: Avoid useing freed memory.
+
+	* crypto.c: Free memory in failure case.
+
+	* crypto.c: Free memory in failure case.
+
+2007-06-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* *.c: Add hx509_cert_init_data and use everywhere
+
+	* hx_locl.h: Now that KEYCHAIN:system-anchors is fast again, use
+	that.
+
+	* ks_keychain.c: Implement trust anchor support with
+	SecTrustCopyAnchorCertificates.
+
+	* keyset.c: Set ref to 1 for the new object.
+
+	* cert.c: Fix logic for allow_default_trust_anchors
+
+	* keyset.c: Add refcounting to keystores.
+
+	* cert.c: Change logic for default trust anchors, make it be
+	either default trust anchor, the user supplied, or non at all.
+
+2007-06-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Add data/j.pem.
+
+	* Makefile.am: Add test_windows.in.
+	
+2007-06-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ks_keychain.c: rename functions, leaks less memory and more
+	paranoia.
+
+	* test_cms.in: Test cms peer-alg.
+
+	* crypto.c (rsa_create_signature): make oid_id_pkcs1_rsaEncryption
+	mean rsa-with-sha1 but oid oid_id_pkcs1_rsaEncryption in algorithm
+	field.  XXX should probably use another algorithmIdentifier for
+	this.
+
+	* peer.c: Make free function return void.
+
+	* cms.c (hx509_cms_create_signed_1): Use hx509_peer_info to select
+	the signature algorithm too.
+
+	* hxtool-commands.in: Add cms-create-sd --peer-alg.
+
+	* req.c: Use _hx509_crypto_default_sig_alg.
+
+	* test_windows.in: Create crl, because everyone needs one.
+
+	* Makefile.am: add wcrl.crl
+	
+2007-06-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* hx_locl.h: Disable KEYCHAIN for now, its slow.
+
+	* cms.c: When we are not using pkcs7-data, avoid seing
+	signedAttributes since some clients get upset by that (pkcs7 based
+	or just plain broken).
+
+	* ks_keychain.c: Provide rsa signatures.
+
+	* ks_keychain.c: Limit the searches to the selected keychain.
+
+	* ks_keychain.c: include -framework Security specific header files
+	after #ifdef
+
+	* ks_keychain.c: Find and attach private key (does not provide
+	operations yet though).
+
+	* ks_p11.c: Prefix rsa method with p11_
+
+	* ks_keychain.c: Allow opening a specific chain, making "system"
+	special and be the system X509Anchors file. By not specifing any
+	keychain ("KEYCHAIN:"), all keychains are probed.
+	
+2007-06-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* hxtool.c (verify): Friendlier error message.
+
+	* cert.c: Read in and use default trust anchors if they exists.
+
+	* hx_locl.h: Add concept of default_trust_anchors.
+
+	* ks_keychain.c: Remove err(), remove extra empty comment, fix
+	_iter function.
+
+	* error.c (hx509_get_error_string): if the error code is not the
+	one we expect, punt and use the default com_err/strerror string
+	instead.
+
+	* keyset.c (hx509_certs_merge): its ok to merge in the NULL set of
+	certs.
+
+	* test_windows.in: Fix status string.
+
+	* ks_p12.c (store_func): free whole CertBag, not just the data
+	part.
+	
+	* print.c: Check that the self-signed cert is really self-signed.
+
+	* print.c: Use selfsigned for CRL DP whine, tell if its a
+	self-signed.
+
+	* print.c: Whine if its a non CA/proxy and doesn't have CRL DP.
+
+	* ca.c: Add cRLSign to CA certs.
+
+	* cert.c: Register NULL and KEYCHAIN.
+
+	* ks_null.c: register the NULL keystore.
+
+	* Makefile.am: Add ks_keychain.c and related libs.
+
+	* test_crypto.in: Print certificate with utf8.
+
+	* print.c: Leak less memory.
+
+	* hxtool.c: Leak less memory.
+
+	* print.c: Leak less memory, use functions that does same but
+	more.
+
+	* name.c (quote_string): don't sign extend the (signed) char to
+	avoid printing too much, add an assert to check that we didn't
+	overrun the buffer.
+
+	* name.c: Use right element out of the CHOICE for printableString
+	and utf8String
+
+	* ks_keychain.c: Certificate only KeyChain backend.
+
+	* name.c: Reset name before parsing it.
+	
+2007-06-03  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* revoke.c (hx509_crl_*): fix sizeof() mistakes to fix memory
+	corruption.
+
+	* hxtool.c: Add lifetime to crls.
+
+	* hxtool-commands.in: Add lifetime to crls.
+
+	* revoke.c: Add lifetime to crls.
+
+	* test_ca.in: More crl checks.
+
+	* revoke.c: Add revoking certs.
+
+	* hxtool-commands.in: argument is certificates.. for crl-sign
+
+	* hxtool.c (certificate_copy): free lock
+
+	* revoke.c: Fix hx509_set_error_string calls, add
+	hx509_crl_add_revoked_certs(), implement hx509_crl_{alloc,free}.
+
+	* hxtool.c (crl_sign): free lock
+
+	* cert.c (hx509_context_free): free querystat
+	
+2007-06-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_chain.in: test ocsp-verify
+	
+	* revoke.c (hx509_ocsp_verify): explain what its useful for and
+	provide sane error message.
+
+	* hx509_err.et: New error code, CERT_NOT_IN_OCSP
+
+	* hxtool.c: New command ocsp-verify, check if ocsp contains all
+	certs and are valid (exist and non expired).
+
+	* hxtool-commands.in: New command ocsp-verify.
+	
+2007-06-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_ca.in: Create crl and verify that is works.
+
+	* hxtool.c: Sign CRL command.
+
+	* hx509.h: Add hx509_crl.
+
+	* hxtool-commands.in: Add crl-sign commands.
+
+	* revoke.c: Support to generate an empty CRL.
+
+	* tst-crypto-select2: Switched default types.
+
+	* tst-crypto-select1: Switched default types.
+
+	* ca.c: Use default AlgorithmIdentifier.
+
+	* cms.c: Use default AlgorithmIdentifier.
+
+	* crypto.c: Provide default AlgorithmIdentifier and use them.
+
+	* hx_locl.h: Provide default AlgorithmIdentifier.
+
+	* keyset.c (hx509_certs_find): collects stats for queries.
+
+	* cert.c: Sort and print more info.
+
+	* hx_locl.h: Add querystat to hx509_context.
+
+	* test_*.in: sprinle stat saveing
+
+	* Makefile.am: Add stat and objdir.
+
+	* collector.c (_hx509_collector_alloc): return error code instead
+	of pointer.
+
+	* hxtool.c: Add statistic hook.
+
+	* ks_file.c: Update _hx509_collector_alloc prototype.
+
+	* ks_p12.c: Update _hx509_collector_alloc prototype.
+
+	* ks_p11.c: Update _hx509_collector_alloc prototype.
+
+	* hxtool-commands.in: Add statistics hook.
+
+	* cert.c: Statistics printing.
+
+	* ks_p12.c: plug memory leak
+
+	* ca.c (hx509_ca_tbs_add_crl_dp_uri): plug memory leak
+	
+2007-05-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* print.c: print utf8 type SAN's
+
+	* Makefile.am: Fix windows client cert name.
+
+	* test_windows.in: Add crl-uri for the ee certs.
+
+	* print.c: Printf formating.
+
+	* ca.c: Add glue for adding CRL dps.
+
+	* test_ca.in: Readd the crl adding code, it works (somewhat) now.
+
+	* print.c: Fix printing of CRL DPnames (I hate IMPLICIT encoded
+	structures).
+
+	* hxtool-commands.in: make ca and alias of certificate-sign
+	
+2007-05-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* crypto.c (hx509_crypto_select): copy AI to the right place.
+
+	* hxtool-commands.in: Add ca --ms-upn.
+
+	* hxtool.c: add --ms-upn and add more EKU's for pk-init client.
+
+	* ca.c: Add hx509_ca_tbs_add_san_ms_upn and refactor code.
+
+	* test_crypto.in: Resurect killed e.
+
+	* test_crypto.in: check for aes256-cbc
+
+	* tst-crypto-select7: check for aes256-cbc
+
+	* test_windows.in: test windows stuff
+
+	* hxtool.c: add ca --domain-controller option, add secret key
+	option to avaible.
+
+	* ca.c: Add hx509_ca_tbs_set_domaincontroller.
+
+	* hxtool-commands.in: add ca --domain-controller
+
+	* hxtool.c: hook for testing secrety key algs
+
+	* crypto.c: Add selection code for secret key crypto.
+
+	* hx509.h: Add HX509_SELECT_SECRET_ENC.
+	
+2007-05-13  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* ks_p11.c: add more mechtypes
+	
+2007-05-10  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* print.c: Indent.
+
+	* hxtool-commands.in: add test-crypto command
+
+	* hxtool.c: test crypto command
+
+	* cms.c (hx509_cms_create_signed_1): if no eContentType is given,
+	use pkcs7-data.
+
+	* print.c: add Netscape cert comment
+
+	* crypto.c: Try both the empty password and the NULL
+	password (nothing vs the octet string \x00\x00).
+
+	* print.c: Add some US Fed PKI oids.
+
+	* ks_p11.c: Add some more hashes.
+	
+2007-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* hxtool.c (crypto_select): stop memory leak
+	
+2007-04-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* peer.c (hx509_peer_info_free): free memory used too
+
+	* hxtool.c (crypto_select): only free peer if it was used.
+	
+2007-04-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* hxtool.c: free template
+
+	* ks_mem.c (mem_free): free key array too
+
+	* hxtool.c: free private key and tbs
+
+	* hxtool.c (hxtool_ca): free signer
+
+	* hxtool.c (crypto_available): free peer too.
+
+	* ca.c (get_AuthorityKeyIdentifier): leak less memory
+
+	* hxtool.c (hxtool_ca): free SPKI
+
+	* hxtool.c (hxtool_ca): free cert
+
+	* ks_mem.c (mem_getkeys): allocate one more the we have elements
+	so its possible to store the NULL pointer at the end.
+	
+2007-04-16  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: CLEANFILES += cert-null.pem cert-sub-ca2.pem
+	
+2007-02-05  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* ca.c: Disable CRLDistributionPoints for now, its IMPLICIT code
+	in the asn1 parser.
+
+	* print.c: Add some more \n's.
+	
+2007-02-03  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* file.c: Allow mapping using heim_octet_string.
+
+	* hxtool.c: Add options to generate detached signatures.
+
+	* cms.c: Add flags to generate detached signatures.
+
+	* hx509.h: Flag to generate detached signatures.
+
+	* test_cms.in: Support detached sigatures.
+
+	* name.c (hx509_general_name_unparse): unparse the other
+	GeneralName nametypes.
+
+	* print.c: Use less printf. Use hx509_general_name_unparse.
+
+	* cert.c: Fix printing and plug leak-on-error.
+	
+2007-01-31  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* test_ca.in: Add test for ca --crl-uri.
+
+	* hxtool.c: Add ca --crl-uri.
+
+	* hxtool-commands.in: add ca --crl-uri
+
+	* ca.c: Code to set CRLDistributionPoints in certificates.
+
+	* print.c: Check CRLDistributionPointNames.
+
+	* name.c (hx509_general_name_unparse): function for unparsing
+	GeneralName, only supports GeneralName.URI
+
+	* cert.c (is_proxy_cert): free info if we wont return it.
+	
+2007-01-30  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* hxtool.c: Try to help how to use this command.
+	
+2007-01-21  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* switch to sha256 as default digest for signing
+
+2007-01-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_ca.in: Really test sub-ca code, add basic constraints tests
+	
+2007-01-17  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: Fix makefile problem.
+	
+2007-01-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* hxtool.c: Set num of bits before we generate the key.
+	
+2007-01-15  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* cms.c (hx509_cms_create_signed_1): use hx509_cert_binary
+
+	* ks_p12.c (store_func): use hx509_cert_binary
+
+	* ks_file.c (store_func): use hx509_cert_binary
+
+	* cert.c (hx509_cert_binary): return binary encoded
+	certificate (DER format)
+	
+2007-01-14  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* ca.c (hx509_ca_tbs_subject_expand): new function.
+
+	* name.c (hx509_name_expand): if env is NULL, return directly
+
+	* test_ca.in: test template handling
+
+	* hx509.h: Add template flags.
+
+	* Makefile.am: clean out new files
+
+	* hxtool.c: Add certificate template processing, fix hx509_err
+	usage.
+
+	* hxtool-commands.in: Add certificate template processing.
+
+	* ca.c: Add certificate template processing. Fix return messages
+	from hx509_ca_tbs_add_eku.
+
+	* cert.c: Export more stuff from certificate.
+	
+2007-01-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ca.c: update (c)
+
+	* ca.c: (hx509_ca_tbs_add_eku): filter out dups.
+	
+	* hxtool.c: Add type email and add email eku when using option
+	--email.
+
+	* Makefile.am: add env.c
+
+	* name.c: Remove abort, add error handling.
+
+	* test_name.c: test name expansion
+
+	* name.c: add hx509_name_expand
+
+	* env.c: key-value pair help functions
+	
+2007-01-12  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* ca.c: Don't issue certs with subject DN that is NULL and have no
+	SANs
+
+	* print.c: Fix previous test.
+
+	* print.c: Check there is a SAN if subject DN is NULL.
+
+	* test_ca.in: test email, null subject dn
+
+	* hxtool.c: Allow setting parameters to private key generation.
+
+	* hx_locl.h: Allow setting parameters to private key generation.
+
+	* crypto.c: Allow setting parameters to private key generation.
+
+	* hxtool.c (eval_types): add jid if user gave one
+
+	* hxtool-commands.in (certificate-sign): add --jid
+
+	* ca.c (hx509_ca_tbs_add_san_jid): Allow adding
+	id-pkix-on-xmppAddr OtherName.
+
+	* print.c: Print id-pkix-on-xmppAddr OtherName.
+	
+2007-01-11  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* no random, no RSA/DH tests
+
+	* hxtool.c (info): print status of random generator
+
+	* Makefile.am: remove files created by tests
+
+	* error.c: constify
+
+	* name.c: constify
+
+	* revoke.c: constify
+
+	* hx_locl.h: constify
+
+	* keyset.c: constify
+
+	* ks_p11.c: constify
+
+	* hx_locl.h: make printinfo char * argument const.
+
+	* cms.c: move _hx509_set_digest_alg from cms.c to crypto.c since
+	its only used there.
+
+	* crypto.c: remove no longer used stuff, move set_digest_alg here
+	from cms.c since its only used here.
+
+	* Makefile.am: add data/test-nopw.p12 to EXTRA_DIST
+	
+2007-01-10  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* print.c: BasicConstraints vs criticality bit is complicated and
+	not really possible to evaluate on its own, silly RFC3280.
+
+	* ca.c: Make basicConstraints critical if this is a CA.
+
+	* print.c: fix the version vs extension test
+
+	* print.c: More validation checks.
+
+	* name.c (hx509_name_cmp): add
+	
+2007-01-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ks_p11.c (collect_private_key): Missing CKA_MODULUS is ok
+	too (XXX why should these be fetched given they are not used).
+
+	* test_ca.in: rename all files to PEM files, since that is what
+	they are.
+
+	* hxtool.c: copy out the key with the self signed CA cert
+
+	* Factor out private key operation out of the signing, operations,
+	support import, export, and generation of private keys. Add
+	support for writing PEM and PKCS12 files with private keys in them.
+ 
+	* data/gen-req.sh: Generate a no password pkcs12 file.
+	
+2007-01-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cms.c: Check for internal ASN1 encoder error.
+	
+2007-01-05  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: Drop most of the pkcs11 files.
+
+	* test_ca.in: test reissueing ca certificate (xxx time
+	validAfter).
+
+	* hxtool.c: Allow setting serialNumber (needed for reissuing
+	certificates) Change --key argument to --out-key.
+
+	* hxtool-commands.in (issue-certificate): Allow setting
+	serialNumber (needed for reissuing certificates), Change --key
+	argument to --out-key.
+
+	* ref: Replace with Marcus Brinkmann of g10 Code GmbH pkcs11
+	headerfile that is compatible with GPL (file taken from scute)
+
+2007-01-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_ca.in: Test to generate key and use them.
+
+	* hxtool.c: handle other keys the pkcs10 requested keys
+
+	* hxtool-commands.in: add generate key commands
+
+	* req.c (_hx509_request_to_pkcs10): PKCS10 needs to have a subject
+
+	* hxtool-commands.in: Spelling.
+
+	* ca.c (hx509_ca_tbs_set_proxy): allow negative pathLenConstraint
+	to signal no limit
+
+	* ks_file.c: Try all formats on the binary file before giving up,
+	this way we can handle binary rsa keys too.
+
+	* data/key2.der: new test key
+
+2007-01-04  David Love  <fx@gnu.org>
+
+	* Makefile.am (hxtool_LDADD): Add libasn1.la
+
+	* hxtool.c (pcert_verify): Fix format string.
+
+2006-12-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* hxtool.c: Allow setting path length
+
+	* cert.c: Fix test for proxy certs chain length, it was too
+	restrictive.
+	
+	* data: regen
+	
+	* data/openssl.cnf: (proxy_cert) make length 0
+
+	* test_ca.in: Issue a long living cert.
+
+	* hxtool.c: add --lifetime to ca command.
+
+	* hxtool-commands.in: add --lifetime to ca command.
+
+	* ca.c: allow setting notBefore and notAfter.
+
+	* test_ca.in: Test generation of proxy certificates.
+
+	* ca.c: Allow generation of proxy certificates, always include
+	BasicConstraints, fix error codes.
+
+	* hxtool.c: Allow generation of proxy certificates.
+
+	* test_name.c: make hx509_parse_name take a hx509_context.
+
+	* name.c: Split building RDN to a separate function.
+	
+2006-12-30  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: clean test_ca files.
+
+	* test_ca.in: test issuing self-signed and CA certificates.
+
+	* hxtool.c: Add bits to allow issuing self-signed and CA
+	certificates.
+
+	* hxtool-commands.in: Add bits to allow issuing self-signed and CA
+	certificates.
+
+	* ca.c: Add bits to allow issuing CA certificates.
+
+	* revoke.c: use new OCSPSigning.
+
+	* ca.c: Add Subject Key Identifier.
+
+	* ca.c: Add Authority Key Identifier.
+	
+	* cert.c: Locally export _hx509_find_extension_subject_key_id.
+	Handle AuthorityKeyIdentifier where only authorityCertSerialNumber
+	and authorityCertSerialNumber is set.
+
+	* hxtool-commands.in: Add dnsname and rfc822 SANs.
+
+	* test_ca.in: Test dnsname and rfc822 SANs.
+
+	* ca.c: Add dnsname and rfc822 SANs.
+
+	* hxtool.c: Add dnsname and rfc822 SANs.
+
+	* test_ca.in: test adding eku, ku and san to the
+	certificate (https and pk-init)
+
+	* hxtool.c: Add eku, ku and san to the certificate.
+
+	* ca.c: Add eku, ku and san to the certificate.
+
+	* hxtool-commands.in: Add --type and --pk-init-principal
+
+	* ocsp.asn1: remove id-kp-OCSPSigning, its in rfc2459.asn1 now
+	
+2006-12-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ca.c: Add KeyUsage extension.
+
+	* Makefile.am: add ca.c, add sign-certificate tests.
+
+	* crypto.c: Add _hx509_create_signature_bitstring.
+
+	* hxtool-commands.in: Add the sign-certificate tool.
+
+	* hxtool.c: Add the sign-certificate tool.
+
+	* cert.c: Add HX509_QUERY_OPTION_KU_KEYCERTSIGN.
+
+	* hx509.h: Add hx509_ca_tbs and HX509_QUERY_OPTION_KU_KEYCERTSIGN.
+
+	* test_ca.in: Basic test of generating a pkcs10 request, signing
+	it and verifying the chain.
+
+	* ca.c: Naive certificate signer.
+	
+2006-12-28  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* hxtool.c: add hxtool_hex
+	
+2006-12-22  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: use top_builddir for libasn1.la
+	
+2006-12-11  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* hxtool.c (print_certificate): print serial number.
+
+	* name.c (no): add S=stateOrProvinceName
+	
+2006-12-09  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* crypto.c (_hx509_private_key_assign_rsa): set a default sig alg
+
+	* ks_file.c (try_decrypt): pass down AlgorithmIdentifier that key
+	uses to do sigatures so there is no need to hardcode RSA into this
+	function.
+	
+2006-12-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ks_file.c: Pass filename to the parse functions and use it in
+	the error messages
+
+	* test_chain.in: test proxy cert (third level)
+	
+	* hx509_err.et: fix errorstring for PROXY_CERT_NAME_WRONG
+
+	* data: regen
+
+	* Makefile.am: EXTRA_DIST: add
+	data/proxy10-child-child-test.{key,crt}
+
+	* data/gen-req.sh: Fix names and restrictions on the proxy
+	certificates
+
+	* cert.c: Clairfy and make proxy cert handling work for multiple
+	levels, before it was too restrictive. More helpful error message.
+	
+2006-12-07  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* cert.c (check_key_usage): tell what keyusages are missing
+
+	* print.c: Split OtherName printing code to a oid lookup and print
+	function.
+
+	* print.c (Time2string): print hour as hour not min
+
+	* Makefile.am: CLEANFILES += test
+	
+2006-12-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am (EXTRA_DIST): add data/pkinit-proxy* files
+
+	* Makefile.am (EXTRA_DIST): add tst-crypto* files
+
+	* cert.c (hx509_query_match_issuer_serial): make a copy of the
+	data
+
+	* cert.c (hx509_query_match_issuer_serial): allow matching on
+	issuer and serial num
+
+	* cert.c (_hx509_calculate_path): add flag to allow leaving out
+	trust anchor
+
+	* cms.c (hx509_cms_create_signed_1): when building the path, omit
+	the trust anchors.
+
+	* crypto.c (rsa_create_signature): Abort when signature is longer,
+	not shorter.
+
+	* cms.c: Provide time to _hx509_calculate_path so we don't send no
+	longer valid certs to our peer.
+
+	* cert.c (find_parent): when checking for certs and its not a
+	trust anchor, require time be in range.
+	(_hx509_query_match_cert): Add time validity-testing to query mask
+
+	* hx_locl.h: add time validity-testing to query mask
+
+	* test_cms.in: Tests for CMS SignedData with incomplete chain from
+	the signer.
+	
+2006-11-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cms.c (hx509_cms_verify_signed): specify what signature we
+	failed to verify
+	
+	* Makefile.am: Depend on LIB_com_err for AIX.
+
+	* keyset.c: Remove anther strndup that causes AIX to fall over.
+
+	* cert.c: Don't check the trust anchors expiration time since they
+	are transported out of band, from RFC3820.
+
+	* cms.c: sprinkle more error strings
+
+	* crypto.c: sprinkle more error strings
+
+	* hxtool.c: use unsigned int as counter to fit better with the
+	asn1 compiler
+
+	* crypto.c: use unsigned int as counter to fit better with the
+	asn1 compiler
+	
+2006-11-27  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* cms.c: Remove trailing white space.
+
+	* crypto.c: rewrite comment to make more sense
+
+	* crypto.c (hx509_crypto_select): check sig_algs[j]->key_oid
+
+	* hxtool-commands.in (crypto-available): add --type
+
+	* crypto.c (hx509_crypto_available): let alg pass if its keyless
+
+	* hxtool-commands.in: Expand crypto-select
+
+	* cms.c: Rename hx509_select to hx509_crypto_select.
+
+	* hxtool-commands.in: Add crypto-select and crypto-available.
+
+	* hxtool.c: Add crypto-select and crypto-available.
+
+	* crypto.c (hx509_crypto_available): use right index.
+	(hx509_crypto_free_algs): new function
+
+	* crypto.c (hx509_crypto_select): improve
+	(hx509_crypto_available): new function
+	
+2006-11-26  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* cert.c: Sprinkle more error string and hx509_contexts.
+
+	* cms.c: Sprinkle more error strings.
+
+	* crypto.c: Sprinkle error string and hx509_contexts.
+
+	* crypto.c: Add some more comments about how this works.
+
+	* crypto.c (hx509_select): new function.
+	
+	* Makefile.am: add peer.c
+
+	* hxtool.c: Update hx509_cms_create_signed_1.
+
+	* hx_locl.h: add struct hx509_peer_info
+
+	* peer.c: Allow selection of digest/sig-alg
+
+	* cms.c: Allow selection of a better digest using hx509_peer_info.
+
+	* revoke.c: Handle that _hx509_verify_signature takes a context.
+	
+	* cert.c: Handle that _hx509_verify_signature takes a context.
+	
+2006-11-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cms.c: Sprinkle error strings.
+
+	* crypto.c: Sprinkle context and error strings.
+	
+2006-11-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* name.c: Handle printing and parsing raw oids in name.
+
+2006-11-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cert.c (_hx509_calculate_path): allow to calculate optimistic
+	path when we don't know the trust anchors, just follow the chain
+	upward until we no longer find a parent or we hit the max limit.
+
+	* cms.c (hx509_cms_create_signed_1): provide a best effort path to
+	the trust anchors to be stored in the SignedData packet, if find
+	parents until trust anchor or max length.
+
+	* data: regen
+
+	* data/gen-req.sh: Build pk-init proxy cert.
+	
+2006-11-16  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* error.c (hx509_get_error_string): Put ", " between strings in
+	error message.
+	
+2006-11-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* data/openssl.cnf: Change realm to TEST.H5L.SE
+	
+2006-11-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* revoke.c: Sprinkle error strings.
+	
+2006-11-04  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* hx_locl.h: add context variable to cmp function.
+
+	* cert.c (hx509_query_match_cmp_func): allow setting the match
+	function.
+	
+2006-10-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ks_p11.c: Return less EINVAL.
+
+	* hx509_err.et: add more pkcs11 errors
+
+	* hx509_err.et: more error-codes
+
+	* revoke.c: Return less EINVAL.
+
+	* ks_dir.c: sprinkel more hx509_set_error_string
+
+	* ks_file.c: Return less EINVAL.
+
+	* hxtool.c: Pass in context to _hx509_parse_private_key.
+
+	* ks_file.c: Sprinkle more hx509_context so we can return propper
+	errors.
+
+	* hx509_err.et: add HX509_PARSING_KEY_FAILED
+
+	* crypto.c: Sprinkle more hx509_context so we can return propper
+	errors.
+
+	* collector.c: No more EINVAL.
+
+	* hx509_err.et: add HX509_LOCAL_ATTRIBUTE_MISSING
+
+	* cert.c (hx509_cert_get_base_subject): one less EINVAL
+	(_hx509_cert_private_decrypt): one less EINVAL
+	
+2006-10-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* collector.c: indent
+
+	* hxtool.c: Try to not leak memory.
+
+	* req.c: clean memory before free
+
+	* crypto.c (_hx509_private_key2SPKI): indent
+
+	* req.c: Try to not leak memory.
+	
+2006-10-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_crypto.in: Read 50 kilobyte random data
+	
+	* revoke.c: Try to not leak memory.
+
+	* hxtool.c: Try to not leak memory.
+
+	* crypto.c (hx509_crypto_destroy): free oid.
+
+	* error.c: Clean error string on failure just to make sure.
+
+	* cms.c: Try to not leak memory (again).
+
+	* hxtool.c: use a sensable content type
+
+	* cms.c: Try harder to free certificate.
+	
+2006-10-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Add make check data.
+	
+2006-10-19  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* ks_p11.c (p11_list_keys): make element of search_data[0]
+	constants and set them later
+
+	* Makefile.am: Add more files.
+	
+2006-10-17  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* ks_file.c: set ret, remember to free ivdata
+	
+2006-10-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* hx_locl.h: Include <parse_bytes.h>.
+
+	* test_crypto.in: Test random-data.
+
+	* hxtool.c: RAND_bytes() return 1 for cryptographic strong data,
+	check for that.
+
+	* Makefile.am: clean random-data
+
+	* hxtool.c: Add random-data command, use sl_slc_help.
+
+	* hxtool-commands.in: Add random-data.
+
+	* ks_p12.c: Remember to release certs.
+
+	* ks_p11.c: Remember to release certs.
+	
+2006-10-14  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* prefix der primitives with der_
+
+	* lock.c: Match the prompt type PROMPT exact.
+
+	* hx_locl.h: Drop heim_any.h
+	
+2006-10-11  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* ks_p11.c (p11_release_module): j needs to be used as inter loop
+	index. From Douglas Engert.
+
+	* ks_file.c (parse_rsa_private_key): try all passwords and
+	prompter.
+	
+2006-10-10  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* test_*.in: Parameterise the invocation of hxtool, so we can make
+	it run under TESTS_ENVIRONMENT. From Andrew Bartlett
+
+2006-10-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_crypto.in: Put all test stuck at 2006-09-25 since all their
+	chains where valied then.
+
+	* hxtool.c: Implement --time= option.
+
+	* hxtool-commands.in: Add option time.
+
+	* Makefile.am: test_name is a PROGRAM_TESTS
+
+	* ks_p11.c: Return HX509_PKCS11_NO_SLOT when there are no slots
+	and HX509_PKCS11_NO_TOKEN when there are no token. For use in PAM
+	modules that want to detect when to use smartcard login and when
+	not to. Patched based on code from Douglas Engert.
+
+	* hx509_err.et: Add new pkcs11 related errors in a new section:
+	keystore related error.  Patched based on code from Douglas
+	Engert.
+	
+2006-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Make depenency for slc built files just like
+	everywhere else.
+
+	* cert.c: Add all openssl algs and init asn1 et
+	
+2006-10-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ks_file.c (parse_rsa_private_key): free type earlier.
+
+	* ks_file.c (parse_rsa_private_key): free type after use
+
+	* name.c (_hx509_Name_to_string): remove dup const
+	
+2006-10-02  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: Add more libs to libhx509
+	
+2006-10-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ks_p11.c: Fix double free's, NULL ptr de-reference, and conform
+	better to pkcs11.  From Douglas Engert.
+
+	* ref: remove ^M, it breaks solaris 10s cc. From Harald Barth
+
+2006-09-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_crypto.in: Bleichenbacher bad cert from Ralf-Philipp
+	Weinmann and Andrew Pyshkin, pad right.
+
+	* data: starfield test root cert and Ralf-Philipp and Andreis
+	correctly padded bad cert
+
+2006-09-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_crypto.in: Add test for yutaka certs.
+
+	* cert.c: Add a strict rfc3280 verification flag. rfc3280 requires
+	certificates to have KeyUsage.keyCertSign if they are to be used
+	for signing of certificates, but the step in the verifiation is
+	optional.
+
+	* hxtool.c: Improve printing and error reporting.
+	
+2006-09-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_crypto.in,Makefile.am,data/bleichenbacher-{bad,good}.pem:
+	test bleichenbacher from eay
+
+2006-09-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* hxtool.c: Make common function for all getarg_strings and
+	hx509_certs_append commonly used.
+
+	* cms.c: HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT is a negative
+	flag, treat it was such.
+	
+2006-09-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* req.c: Use the new add_GeneralNames function.
+
+	* hx509.h: Add HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT.
+
+	* ks_p12.c: Adapt to new signature of hx509_cms_unenvelope.
+
+	* hxtool.c: Adapt to new signature of hx509_cms_unenvelope.
+
+	* cms.c: Allow passing in encryptedContent and flag.  Add new flag
+	HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT.
+	
+2006-09-08  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* ks_p11.c: cast void * to char * when using it for %s formating
+	in printf.
+
+	* name.c: New function _hx509_Name_to_string.
+	
+2006-09-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ks_file.c: Sprinkle error messages.
+
+	* cms.c: Sprinkle even more error messages.
+	
+	* cms.c: Sprinkle some error messages.
+
+	* cms.c (find_CMSIdentifier): only free string when we allocated
+	one.
+
+	* ks_p11.c: Don't build most of the pkcs11 module if there are no
+	dlopen().
+	
+2006-09-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cms.c (hx509_cms_unenvelope): try to save the error string from
+	find_CMSIdentifier so we have one more bit of information what
+	went wrong.
+
+	* hxtool.c: More pretty printing, make verify_signed return the
+	error string from the library.
+
+	* cms.c: Try returning what certificates failed to parse or be
+	found.
+
+	* ks_p11.c (p11_list_keys): fetch CKA_LABEL and use it to set the
+	friendlyname for the certificate.
+	
+2006-09-05  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* crypto.c: check that there are no extra bytes in the checksum
+	and that the parameters are NULL or the NULL-type. All to avoid
+	having excess data that can be used to fake the signature.
+
+	* hxtool.c: print keyusage
+
+	* print.c: add hx509_cert_keyusage_print, simplify oid printing
+
+	* cert.c: add _hx509_cert_get_keyusage
+
+	* ks_p11.c: keep one session around for the whole life of the keyset
+
+	* test_query.in: tests more selection
+
+	* hxtool.c: improve pretty printing in print and query
+
+	* hxtool{.c,-commands.in}: add selection on KU and printing to query
+
+	* test_cms.in: Add cms test for digitalSignature and
+	keyEncipherment certs.
+
+	* name.c (no): Add serialNumber
+
+	* ks_p11.c (p11_get_session): return better error messages
+	
+2006-09-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ref: update to pkcs11 reference files 2.20
+
+	* ks_p11.c: add more mechflags
+
+	* name.c (no): add OU and sort
+
+	* revoke.c: pass context to _hx509_create_signature
+
+	* ks_p11.c (p11_printinfo): print proper plural s
+
+	* ks_p11.c: save the mechs supported when initing the token, print
+	them in printinfo.
+
+	* hx_locl.h: Include <parse_units.h>.
+
+	* cms.c: pass context to _hx509_create_signature
+
+	* req.c: pass context to _hx509_create_signature
+
+	* keyset.c (hx509_certs_info): print information about the keyset.
+
+	* hxtool.c (pcert_print) print keystore info when --info flag is
+	given.
+
+	* hxtool-commands.in: Add hxtool print --info.
+
+	* test_query.in: Test hxtool print --info.
+
+	* hx_locl.h (hx509_keyset_ops): add printinfo
+
+	* crypto.c: Start to hang the private key operations of the
+	private key, pass hx509_context to create_checksum.
+	
+2006-05-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ks_p11.c: Iterate over all slots, not just the first/selected
+	one.
+	
+2006-05-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cert.c: Add release function for certifiates so backend knowns
+	when its no longer used.
+
+	* ks_p11.c: Add reference counting on certifiates, push out
+	CK_SESSION_HANDLE from slot.
+
+	* cms.c: sprinkle more hx509_clear_error_string
+
+2006-05-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ks_p11.c: Sprinkle some hx509_set_error_strings
+	
+2006-05-13  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* hxtool.c: Avoid shadowing.
+
+	* revoke.c: Avoid shadowing.
+
+	* ks_file.c: Avoid shadowing.
+
+	* cert.c: Avoid shadowing.
+	
+2006-05-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lock.c (hx509_prompt_hidden): reshuffle to avoid gcc warning
+	
+	* hx509.h: Reshuffle the prompter types, remove the hidden field.
+
+	* lock.c (hx509_prompt_hidden): return if the prompt should be
+	hidden or not
+
+	* revoke.c (hx509_revoke_free): allow free of NULL.
+	
+2006-05-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ks_file.c (file_init): Avoid shadowing ret (and thus avoiding
+	crashing).
+
+	* ks_dir.c: Implement DIR: caches useing FILE: caches.
+
+	* ks_p11.c: Catch more errors.
+	
+2006-05-08  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* crypto.c (hx509_crypto_encrypt): free correctly in error
+	path. From Andrew Bartlett.
+
+	* crypto.c: If RAND_bytes fails, then we will attempt to
+	double-free crypt->key.data.  From Andrew Bartlett.
+	
+2006-05-05  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* name.c: Rename u_intXX_t to uintXX_t
+	
+2006-05-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* TODO: More to do about the about the PKCS11 code.
+
+	* ks_p11.c: Use the prompter from the lock function.
+
+	* lock.c: Deal with that hx509_prompt.reply is no longer a
+	pointer.
+
+	* hx509.h: Make hx509_prompt.reply not a pointer.
+	
+2006-05-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* keyset.c: Sprinkle setting error strings.
+
+	* crypto.c: Sprinkle setting error strings.
+
+	* collector.c: Sprinkle setting error strings.
+
+	* cms.c: Sprinkle setting error strings.
+	
+2006-05-01  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* test_name.c: renamed one error code
+
+	* name.c: renamed one error code
+
+	* ks_p11.c: _hx509_set_cert_attribute changed signature
+
+	* hxtool.c (pcert_print): use hx509_err so I can test it
+
+	* error.c (hx509_set_error_stringv): clear errors on malloc
+	failure
+
+	* hx509_err.et: Add some more errors
+
+	* cert.c: Sprinkle setting error strings.
+
+	* cms.c: _hx509_path_append changed signature.
+
+	* revoke.c: changed signature of _hx509_check_key_usage
+
+	* keyset.c: changed signature of _hx509_query_match_cert
+
+	* hx509.h: Add support for error strings.
+
+	* cms.c: changed signature of _hx509_check_key_usage
+
+	* Makefile.am: ibhx509_la_files += error.c
+
+	* ks_file.c: Sprinkel setting error strings.
+
+	* cert.c: Sprinkel setting error strings.
+
+	* hx_locl.h: Add support for error strings.
+
+	* error.c: Add string error handling functions.
+
+	* keyset.c (hx509_certs_init): pass the right error code back
+	
+2006-04-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* revoke.c: Revert previous patch.
+	(hx509_ocsp_verify): new function that returns the expiration of
+	certificate in ocsp data-blob
+
+	* cert.c: Reverse previous patch, lets do it another way.
+
+	* cert.c (hx509_revoke_verify): update usage
+
+	* revoke.c: Make compile.
+
+	* revoke.c: Add the expiration time the crl/ocsp info expire
+
+	* name.c: Add hx509_name_is_null_p
+
+	* cert.c: remove _hx509_cert_private_sigature
+	
+2006-04-29  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* name.c: Expose more of Name.
+
+	* hxtool.c (main): add missing argument to printf
+
+	* data/openssl.cnf: Add EKU for the KDC certificate
+
+	* cert.c (hx509_cert_get_base_subject): reject un-canon proxy
+	certs, not the reverse
+	(add_to_list): constify and fix argument order to
+	copy_octet_string
+	(hx509_cert_find_subjectAltName_otherName): make work
+	
+2006-04-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* data/{pkinit,kdc}.{crt,key}: pkinit certificates
+
+	* data/gen-req.sh: Generate pkinit certificates.
+
+	* data/openssl.cnf: Add pkinit glue.
+
+	* cert.c (hx509_verify_hostname): implement stub function
+	
+2006-04-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* TODO: CRL delta support
+
+2006-04-26 Love Hörnquist Åstrand <lha@it.su.se>
+	
+	* data/.cvsignore: ignore leftover from OpenSSL cert generation
+
+	* hx509_err.et: Add name malformated error
+
+	* name.c (hx509_parse_name): don't abort on error, rather return
+	error
+
+	* test_name.c: Test failure parsing name.
+
+	* cert.c: When verifying certificates, store subject basename for
+	later consumption.
+
+	* test_name.c: test to parse and print name and check that they
+	are the same.
+
+	* name.c (hx509_parse_name): fix length argument to printf string
+
+	* name.c (hx509_parse_name): fix length argument to stringtooid, 1
+	too short.
+
+	* cert.c: remove debug printf's
+
+	* name.c (hx509_parse_name): make compile pre c99
+
+	* data/gen-req.sh: OpenSSL have a serious issue of user confusion
+	-subj in -ca takes the arguments in LDAP order. -subj for x509
+	takes it in x509 order.
+
+	* cert.c (hx509_verify_path): handle the case where the where two
+	proxy certs in a chain.
+
+	* test_chain.in: enable two proxy certificates in a chain test
+
+	* test_chain.in: tests proxy certificates
+
+	* data: re-gen
+
+	* data/gen-req.sh: build proxy certificates
+	
+	* data/openssl.cnf: add def for proxy10_cert
+
+	* hx509_err.et: Add another proxy certificate error.
+
+	* cert.c (hx509_verify_path): Need to mangle name to remove the CN
+	of the subject, copying issuer only works for one level but is
+	better then doing no checking at all.
+
+	* hxtool.c: Add verify --allow-proxy-certificate.
+
+	* hxtool-commands.in: add verify --allow-proxy-certificate
+
+	* hx509_err.et: Add proxy certificate errors.
+
+	* cert.c: Fix comment about subject name of proxy certificate.
+
+	* test_chain.in: tests for proxy certs
+
+	* data/gen-req.sh: gen proxy and non-proxy tests certificates
+
+	* data/openssl.cnf: Add definition for proxy certs
+
+	* data/*proxy-test.*: Add proxy certificates
+
+	* cert.c (hx509_verify_path): verify proxy certificate have no san
+	or ian
+
+	* cert.c (hx509_verify_set_proxy_certificate): Add
+	(*): rename policy cert to proxy cert
+
+	* cert.c: Initial support for proxy certificates.
+	
+2006-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* hxtool.c: some error checking
+
+	* name.c: Switch over to asn1 generaed oids.
+
+	* TODO: merge with old todo file
+	
+2006-04-23 Love Hörnquist Åstrand <lha@it.su.se>
+
+	* test_query.in: make quiet
+
+	* test_req.in: SKIP test if there is no RSA support.
+
+	* hxtool.c: print dh method too
+
+	* test_chain.in: SKIP test if there is no RSA support.
+	
+	* test_cms.in: SKIP test if there is no RSA support.
+
+	* test_nist.in: SKIP test if there is no RSA support.
+	
+2006-04-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* hxtool-commands.in: Allow passing in pool and anchor to
+	signedData
+
+	* hxtool.c: Allow passing in pool and anchor to signedData
+
+	* test_cms.in: Test that certs in signed data is picked up.
+
+	* hx_locl.h: Expose the path building function to internal
+	functions.
+
+	* cert.c: Expose the path building function to internal functions.
+
+	* hxtool-commands.in: cms-envelope: Add support for choosing the
+	encryption type
+
+	* hxtool.c (cms_create_enveloped): Add support for choosing the
+	encryption type
+
+	* test_cms.in: Test generating des-ede3 aes-128 aes-256 enveloped
+	data
+
+	* crypto.c: Add names to cipher types.
+
+	* cert.c (hx509_query_match_friendly_name): fix return value
+
+	* data/gen-req.sh: generate tests for enveloped data using
+	des-ede3 and aes256
+
+	* test_cms.in: add tests for enveloped data using des-ede3 and
+	aes256
+
+	* cert.c (hx509_query_match_friendly_name): New function.
+	
+2006-04-21  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* ks_p11.c: Add support for parsing slot-number.
+
+	* crypto.c (oid_private_rc2_40): simply
+
+	* crypto.c: Use oids from asn1 generator.
+
+	* ks_file.c (file_init): reset length when done with a part
+
+	* test_cms.in: check with test.combined.crt.
+
+	* data/gen-req.sh: Create test.combined.crt.
+
+	* test_cms.in: Test signed data using keyfile that is encrypted.
+
+	* ks_file.c: Remove (commented out) debug printf
+
+	* ks_file.c (parse_rsa_private_key): use EVP_get_cipherbyname
+
+	* ks_file.c (parse_rsa_private_key): make working for one
+	password.
+
+	* ks_file.c (parse_rsa_private_key): Implement enought for
+	testing.
+
+	* hx_locl.h: Add <ctype.h>
+
+	* ks_file.c: Add glue code for PEM encrypted password files.
+
+	* test_cms.in: Add commeted out password protected PEM file,
+	remove password for those tests that doesn't need it.
+
+	* test_cms.in: adapt test now that we can use any certificate and
+	trust anchor
+
+	* collector.c: handle PEM RSA PRIVATE KEY files
+
+	* cert.c: Remove unused function.
+
+	* ks_dir.c: move code here from ks_file.c now that its no longer
+	used.
+
+	* ks_file.c: Add support for parsing unencrypted RSA PRIVATE KEY
+
+	* crypto.c: Handle rsa private keys better.
+	
+2006-04-20  Love Hörnquist Åstrand <lha@it.su.se>
+
+	* hxtool.c: Use hx509_cms_{,un}wrap_ContentInfo
+
+	* cms.c: Make hx509_cms_{,un}wrap_ContentInfo usable in asn1
+	un-aware code.
+
+	* cert.c (hx509_verify_path): if trust anchor is not self signed,
+	don't check sig From Douglas Engert.
+
+	* test_chain.in: test "sub-cert -> sub-ca"
+	
+	* crypto.c: Use the right length for the sha256 checksums.
+	
+2006-04-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* crypto.c: Fix breakage from sha256 code.
+
+	* crypto.c: Add SHA256 support, and symbols for the other new
+	SHA-2 types.
+	
+2006-04-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_cms.in: test rc2-40 rc2-64 rc2-128 enveloped data
+	
+	* data/test-enveloped-rc2-{40,64,128}: add tests cases for rc2
+
+	* cms.c: Update prototypes changes for hx509_crypto_[gs]et_params.
+
+	* crypto.c: Break out the parameter handling code for encrypting
+	data to handle RC2.  Needed for Windows 2k pk-init support.
+	
+2006-04-04  Love Hörnquist Åstrand <lha@it.su.se>
+
+	* Makefile.am: Split libhx509_la_SOURCES into build file and
+	distributed files so we can avoid building prototypes for
+	build-files.
+	
+2006-04-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* TODO: split certificate request into pkcs10 and CRMF
+
+	* hxtool-commands.in: Add nonce flag to ocsp-fetch
+
+	* hxtool.c: control sending nonce
+
+	* hxtool.c (request_create): store the request in a file, no in
+	bitbucket.
+
+	* cert.c: expose print_cert_subject internally
+
+	* hxtool.c: Add ocsp_print.
+
+	* hxtool-commands.in: New command "ocsp-print".
+
+	* hx_locl.h: Include <hex.h>.
+
+	* revoke.c (verify_ocsp): require issuer to match too.
+	(free_ocsp): new function
+	(hx509_revoke_ocsp_print): new function, print ocsp reply
+
+	* Makefile.am: build CRMF files
+
+	* data/key.der: needed for cert request test
+
+	* test_req.in: adapt to rename of pkcs10-create to request-create
+
+	* hxtool.c: adapt to rename of pkcs10-create to request-create
+
+	* hxtool-commands.in: Rename pkcs10-create to request-create
+
+	* crypto.c: (_hx509_parse_private_key): Avoid crashing on bad input.
+
+	* hxtool.c (pkcs10_create): use opt->subject_string
+
+	* hxtool-commands.in: Add pkcs10-create --subject
+
+	* Makefile.am: Add test_req to tests.
+	
+	* test_req.in: Test for pkcs10 commands.
+
+	* name.c (hx509_parse_name): new function.
+
+	* hxtool.c (pkcs10_create): implement
+
+	* hxtool-commands.in (pkcs10-create): Add arguments
+
+	* crypto.c: Add _hx509_private_key2SPKI and support
+	functions (only support RSA for now).
+	
+2006-04-02  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* hxtool-commands.in: Add pkcs10-create command.
+
+	* hx509.h: Add hx509_request.
+
+	* TODO: more stuff
+
+	* Makefile.am: Add req.c
+
+	* req.c: Create certificate requests, prototype converts the
+	request in a pkcs10 packet.
+
+	* hxtool.c: Add pkcs10_create
+
+	* name.c (hx509_name_copy): new function.
+	
+2006-04-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* TODO: fill out what do
+
+	* hxtool-commands.in: add pkcs10-print
+
+	* hx_locl.h: Include <pkcs10_asn1.h>.
+
+	* pkcs10.asn1: PKCS#10
+
+	* hxtool.c (pkcs10_print): new function.
+
+	* test_chain.in: test ocsp keyhash
+
+	* data: generate ocsp keyhash version too
+
+	* revoke.c (load_ocsp): test that we got back a BasicReponse
+
+	* ocsp.asn1: Add asn1_id_pkix_ocsp*.
+
+	* Makefile.am: Add asn1_id_pkix_ocsp*.
+
+	* cert.c: Add HX509_QUERY_MATCH_KEY_HASH_SHA1
+
+	* hx_locl.h: Add HX509_QUERY_MATCH_KEY_HASH_SHA1
+
+	* revoke.c: Support OCSPResponderID.byKey, indent.
+
+	* revoke.c (hx509_ocsp_request): Add nonce to ocsp request.
+
+	* hxtool.c: Add nonce to ocsp request.
+
+	* test_chain.in: Added crl tests
+	
+	* data/nist-data: rename missing-crl to missing-revoke
+
+	* data: make ca use openssl ca command so we can add ocsp tests,
+	and regen certs
+
+	* test_chain.in: Add revoked ocsp cert test
+
+	* cert.c: rename missing-crl to missing-revoke
+
+	* revoke.c: refactor code, fix a un-init-ed variable
+	
+	* test_chain.in: rename missing-crl to missing-revoke add ocsp
+	tests
+
+	* test_cms.in: rename missing-crl to missing-revoke
+
+	* hxtool.c: rename missing-crl to missing-revoke
+
+	* hxtool-commands.in: rename missing-crl to missing-revoke
+	
+	* revoke.c: Plug one memory leak.
+
+	* revoke.c: Renamed generic CRL related errors.
+	
+	* hx509_err.et: Comments and renamed generic CRL related errors
+	
+	* revoke.c: Add ocsp checker.
+
+	* ocsp.asn1: Add id-kp-OCSPSigning
+
+	* hxtool-commands.in: add url-path argument to ocsp-fetch
+
+	* hxtool.c: implement ocsp-fetch
+
+	* cert.c: Use HX509_DEFAULT_OCSP_TIME_DIFF.
+	
+	* hx_locl.h: Add ocsp_time_diff to hx509_context
+
+	* crypto.c (_hx509_verify_signature_bitstring): new function,
+	commonly use when checking certificates
+
+	* cms.c (hx509_cms_envelope_1): check for internal ASN.1 encoder
+	error
+
+	* cert.c: Add ocsp glue, use new
+	_hx509_verify_signature_bitstring, add eku checking function.
+	
+2006-03-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: add id_kp_OCSPSigning.x
+
+	* revoke.c: Pick out certs in ocsp response
+
+	* TODO: list of stuff to verify
+
+	* revoke.c: Add code to load OCSPBasicOCSPResponse files, reload
+	crl when its changed on disk.
+
+	* cert.c: Update for ocsp merge. handle building path w/o
+	subject (using subject key id)
+
+	* ks_p12.c: _hx509_map_file changed prototype.
+
+	* file.c: _hx509_map_file changed prototype, returns struct stat
+	if requested.
+
+	* ks_file.c: _hx509_map_file changed prototype.
+
+	* hxtool.c: Add stub for ocsp-fetch, _hx509_map_file changed
+	prototype, add ocsp parsing to verify command.
+
+	* hx_locl.h: rename HX509_CTX_CRL_MISSING_OK to
+	HX509_CTX_VERIFY_MISSING_OK now that we have OCSP glue
+	
+2006-03-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* hx_locl.h: Add <krb5-types.h> to make it compile on Solaris,
+	from Alex V. Labuta.
+	
+2006-03-28  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* crypto.c (_hx509_pbe_decrypt): try all passwords, not just the
+	first one.
+	
+2006-03-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* print.c (check_altName): Print the othername oid.
+
+	* crypto.c: Manual page claims RSA_public_decrypt will return -1
+	on error, lets check for that
+	
+	* crypto.c (_hx509_pbe_decrypt): also try the empty password
+
+	* collector.c (match_localkeyid): no need to add back the cert to
+	the cert pool, its already there.
+
+	* crypto.c: Add REQUIRE_SIGNER
+
+	* cert.c (hx509_cert_free): ok to free NULL
+
+	* hx509_err.et: Add new error code SIGNATURE_WITHOUT_SIGNER.
+
+	* name.c (_hx509_name_ds_cmp): make DirectoryString case
+	insenstive
+	(hx509_name_to_string): less spacing
+
+	* cms.c: Check for signature error, check consitency of error
+	
+2006-03-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* collector.c (_hx509_collector_alloc): handle errors
+
+	* cert.c (hx509_query_alloc): allocate slight more more then a
+	sizeof(pointer)
+
+	* crypto.c (_hx509_private_key_assign_key_file): ask for password
+	if nothing matches.
+
+	* cert.c: Expose more of the hx509_query interface.
+
+	* collector.c: hx509_certs_find is now exposed.
+
+	* cms.c: hx509_certs_find is now exposed.
+
+	* revoke.c: hx509_certs_find is now exposed.
+
+	* keyset.c (hx509_certs_free): allow free-ing NULL
+	(hx509_certs_find): expose
+	(hx509_get_one_cert): new function
+
+	* hxtool.c: hx509_certs_find is now exposed.
+
+	* hx_locl.h: Remove hx509_query, its exposed now.
+
+	* hx509.h: Add hx509_query.
+	
+2006-02-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cert.c: Add exceptions for null (empty) subjectNames
+
+	* data/nist-data: Add some more name constraints tests.
+
+	* data/nist-data: Add some of the test from 4.13 Name Constraints.
+
+	* cert.c: Name constraits needs to be evaluated in block as they
+	appear in the certificates, they can not be joined to one
+	list. One example of this is:
+	
+	- cert is cn=foo,dc=bar,dc=baz
+	- subca is dc=foo,dc=baz with name restriction dc=kaka,dc=baz
+	- ca is dc=baz with name restriction dc=baz
+	
+	If the name restrictions are merged to a list, the certificate
+	will pass this test.
+
+2006-02-14 Love Hörnquist Åstrand <lha@it.su.se>
+
+	* cert.c: Handle more name constraints cases.
+
+	* crypto.c (dsa_verify_signature): if test if malloc failed
+
+2006-01-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cms.c: Drop partial pkcs12 string2key implementation.
+	
+2006-01-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* data/nist-data: Add commited out DSA tests (they fail).
+
+	* data/nist-data: Add 4.2 Validity Periods.
+
+	* test_nist.in: Make less verbose to use.
+
+	* Makefile.am: Add test_nist_cert.
+
+	* data/nist-data: Add some more CRL-tests.
+
+	* test_nist.in: Print $id instead of . when running the tests.
+
+	* test_nist.in: Drop verifying certifiates, its done in another
+	test now.
+
+	* data/nist-data: fixup kill-rectangle leftovers
+
+	* data/nist-data: Drop verifying certifiates, its done in another
+	test now.  Add more crl tests. comment out all unused tests.
+
+	* test_nist_cert.in: test parse all nist certs
+	
+2006-01-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* hx509_err.et: Add HX509_CRL_UNKNOWN_EXTENSION.
+
+	* revoke.c: Check for unknown extentions in CRLs and CRLEntries.
+
+	* test_nist.in: Parse new format to handle CRL info.
+
+	* test_chain.in: Add --missing-crl.
+
+	* name.c (hx509_unparse_der_name): Rename from hx509_parse_name.
+	(_hx509_unparse_Name): Add.
+
+	* hxtool-commands.in: Add --missing-crl to verify commands.
+
+	* hx509_err.et: Add CRL errors.
+
+	* cert.c (hx509_context_set_missing_crl): new function Add CRL
+	handling.
+
+	* hx_locl.h: Add HX509_CTX_CRL_MISSING_OK.
+
+	* revoke.c: Parse and verify CRLs (simplistic).
+
+	* hxtool.c: Parse CRL info.
+
+	* data/nist-data: Change format so we can deal with CRLs, also
+	note the test-id from PKITS.
+
+	* data: regenerate test
+	
+	* data/gen-req.sh: use static-file to generate tests
+	
+	* data/static-file: new file to use for commited tests
+
+	* test_cms.in: Use static file, add --missing-crl.
+	
+2006-01-18  Love Hörnquist Åstrand <lha@it.su.se>
+
+	* print.c: Its cRLReason, not cRLReasons.
+
+	* hxtool.c: Attach revoke context to verify context.
+
+	* data/nist-data: change syntax to make match better with crl
+	checks
+
+	* cert.c: Verify no certificates has been revoked with the new
+	revoke interface.
+
+	* Makefile.am: libhx509_la_SOURCES += revoke.c
+
+	* revoke.c: Add framework for handling CRLs.
+
+	* hx509.h: Add hx509_revoke_ctx.
+	
+2006-01-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* delete crypto_headers.h, use global file instead.
+
+	* crypto.c (PBE_string2key): libdes now supports PKCS12_key_gen
+	
+2006-01-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* crypto_headers.h: Need BN_is_negative too.
+	
+2006-01-11  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* ks_p11.c (p11_rsa_public_decrypt): since is wrong, don't provide
+	it. PKCS11 can't do public_decrypt, it support verify though. All
+	this doesn't matter, since the code never go though this path.
+
+	* crypto_headers.h: Provide glue to compile with less warnings
+	with OpenSSL
+	
+2006-01-08  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: Depend on LIB_des
+
+	* lock.c: Use "crypto_headers.h".
+
+	* crypto_headers.h: Include the two diffrent implementation of
+	crypto headers.
+
+	* cert.c: Use "crypto-headers.h". Load ENGINE configuration.
+
+	* crypto.c: Make compile with both OpenSSL and heimdal libdes.
+
+	* ks_p11.c: Add code for public key decryption (not supported yet)
+	and use "crypto-headers.h".
+	
+
+2006-01-04 Love Hörnquist Åstrand <lha@it.su.se>
+	
+	* add a hx509_context where we can store configuration
+
+	* p11.c,Makefile.am: pkcs11 is now supported by library, remove
+	old files.
+
+	* ks_p11.c: more paranoid on refcount, set refcounter ealier,
+	reset pointers after free
+
+	* collector.c (struct private_key): remove temporary key data
+	storage, convert directly to a key
+	(match_localkeyid): match certificate and key using localkeyid
+	(match_keys): match certificate and key using _hx509_match_keys
+	(_hx509_collector_collect): rewrite to use match_keys and
+	match_localkeyid
+
+	* crypto.c (_hx509_match_keys): function that determins if a
+	private key matches a certificate, used when there is no
+	localkeyid.
+	(*) reset free pointer
+
+	* ks_file.c: Rewrite to use collector and mapping support
+	function.
+
+	* ks_p11.c (rsa_pkcs1_method): constify
+
+	* ks_p11.c: drop extra wrapping of p11_init
+
+	* crypto.c (_hx509_private_key_assign_key_file): use function to
+	extact rsa key
+
+	* cert.c: Revert previous, refcounter is unsigned, so it can never
+	be negative.
+
+	* cert.c (hx509_cert_ref): more refcount paranoia
+
+	* ks_p11.c: Implement rsa_private_decrypt and add stubs for public
+	ditto.
+
+	* ks_p11.c: Less printf, less memory leaks.
+
+	* ks_p11.c: Implement signing using pkcs11.
+	
+	* ks_p11.c: Partly assign private key, enough to complete
+	collection, but not any crypto functionallity.
+
+	* collector.c: Use hx509_private_key to assign private keys.
+
+	* crypto.c: Remove most of the EVP_PKEY code, and use RSA
+	directly, this temporary removes DSA support.
+
+	* hxtool.c (print_f): print if there is a friendly name and if
+	there is a private key
+	
+2006-01-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* name.c: Avoid warning from missing __attribute__((noreturn))
+
+	* lock.c (_hx509_lock_unlock_certs): return unlock certificates
+
+	* crypto.c (_hx509_private_key_assign_ptr): new function, exposes
+	EVP_PKEY
+	(_hx509_private_key_assign_key_file): remember to free private key
+	if there is one.
+
+	* cert.c (_hx509_abort): add newline to output and flush stdout
+
+	* Makefile.am: libhx509_la_SOURCES += collector.c
+
+	* hx_locl.h: forward type declaration of struct hx509_collector.
+
+	* collector.c: Support functions to collect certificates and
+	private keys and then match them.
+
+	* ks_p12.c: Use the new hx509_collector support functions.
+
+	* ks_p11.c: Add enough glue to support certificate iteration.
+
+	* test_nist_pkcs12.in: Less verbose.
+
+	* cert.c (hx509_cert_free): if there is a private key assosited
+	with this cert, free it
+
+	* print.c: Use _hx509_abort.
+
+	* ks_p12.c: Use _hx509_abort.
+
+	* hxtool.c: Use _hx509_abort.
+
+	* crypto.c: Use _hx509_abort.
+
+	* cms.c: Use _hx509_abort.
+
+	* cert.c: Use _hx509_abort.
+
+	* name.c: use _hx509_abort
+	
+2006-01-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* name.c (hx509_name_to_string): don't cut bmpString in half.
+
+	* name.c (hx509_name_to_string): don't overwrite with 1 byte with
+	bmpString.
+
+	* ks_file.c (parse_certificate): avoid stomping before array
+
+	* name.c (oidtostring): avoid leaking memory
+
+	* keyset.c: Add _hx509_ks_dir_register.
+
+	* Makefile.am (libhx509_la_SOURCES): += ks_dir.c
+
+	* hxtool-commands.in: Remove pkcs11.
+
+	* hxtool.c: Remove pcert_pkcs11.
+
+	* ks_file.c: Factor out certificate parsing code.
+
+	* ks_dir.c: Add new keystore that treats all files in a directory
+	a keystore, useful for regression tests.
+	
+2005-12-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_nist_pkcs12.in: Test parse PKCS12 files from NIST.
+
+	* data/nist-data: Can handle DSA certificate.
+	
+	* hxtool.c: Print error code on failure.
+	
+2005-10-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* crypto.c: Support DSA signature operations.
+	
+2005-10-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* print.c: Validate that issuerAltName and subjectAltName isn't
+	empty.
+	
+2005-09-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* p11.c: Cast to unsigned char to avoid warning.
+
+	* keyset.c: Register pkcs11 module.
+
+	* Makefile.am: Add ks_p11.c, install hxtool.
+	
+	* ks_p11.c: Starting point of a pkcs11 module.
+	
+2005-09-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* lock.c: Implement prompter.
+
+	* hxtool-commands.in: add --content to print
+
+	* hxtool.c: Split verify and print.
+
+	* cms.c: _hx509_pbe_decrypt now takes a hx509_lock.
+
+	* crypto.c: Make _hx509_pbe_decrypt take a hx509_lock, workaround
+	for empty password.
+
+	* name.c: Add DC, handle all Directory strings, fix signless
+	problems.
+	
+2005-09-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_query.in: Pass in --pass to all commands.
+
+	* hxtool.c: Use option --pass.
+
+	* hxtool-commands.in: Add --pass to all commands.
+
+	* hx509_err.et: add UNKNOWN_LOCK_COMMAND and CRYPTO_NO_PROMPTER
+
+	* test_cms.in: pass in password to cms-create-sd
+
+	* crypto.c: Abstract out PBE_string2key so I can add PBE2 s2k
+	later.  Avoid signess warnings with OpenSSL.
+
+	* cms.c: Use void * instead of char * for to avoid signedness
+	issues
+
+	* cert.c (hx509_cert_get_attribute): remove const, its not
+
+	* ks_p12.c: Cast size_t to unsigned long when print.
+
+	* name.c: Fix signedness warning.
+
+	* test_query.in: Use echo, the function check isn't defined here.
+	
+2005-08-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* hxtool-commands.in: Add more options that was missing.
+
+2005-07-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_cms.in: Use --certificate= for enveloped/unenvelope.
+
+	* hxtool.c: Use --certificate= for enveloped/unenvelope.  Clean
+	up.
+
+	* test_cms.in: add EnvelopeData tests
+	
+	* hxtool.c: use id-envelopedData for ContentInfo
+	
+	* hxtool-commands.in: add contentinfo wrapping for create/unwrap
+	enveloped data
+
+	* hxtool.c: add contentinfo wrapping for create/unwrap enveloped
+	data
+
+	* data/gen-req.sh: add enveloped data (aes128)
+	
+	* crypto.c: add "new" RC2 oid
+	
+2005-07-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* hx_locl.h, cert.c: Add HX509_QUERY_MATCH_FUNCTION that allows
+	caller to match by function, note that this doesn't not work
+	directly for backends that implements ->query, they must do their
+	own processing. (I'm running out of flags, only 12 left now)
+
+	* test_cms.in: verify ContentInfo wrapping code in hxtool
+	
+	* hxtool-commands.in (cms_create_sd): support wrapping in content
+	info spelling
+
+	* hxtool.c (cms_create_sd): support wrapping in content info
+
+	* test_cms.in: test more cms signeddata messages
+	
+	* data/gen-req.sh: generate SignedData
+	
+	* hxtool.c (cms_create_sd): support certificate store, add support
+	to unwrap a ContentInfo the SignedData inside.
+
+	* crypto.c: sprinkel rk_UNCONST
+
+	* crypto.c: add DER NULL to the digest oid's
+
+	* hxtool-commands.in: add --content-info to cms-verify-sd
+
+	* cms.c (hx509_cms_create_signed_1): pass in a full
+	AlgorithmIdentifier instead of heim_oid for digest_alg
+
+	* crypto.c: make digest_alg a digest_oid, it's not needed right
+	now
+
+	* hx509_err.et: add CERT_NOT_FOUND
+	
+	* keyset.c (_hx509_certs_find): add error code for cert not
+	found
+
+	* cms.c (hx509_cms_verify_signed): add external store of
+	certificates, use the right digest algorithm identifier.
+
+	* cert.c: fix const warning
+
+	* ks_p12.c: slightly less verbose
+	
+	* cert.c: add hx509_cert_find_subjectAltName_otherName, add
+	HX509_QUERY_MATCH_FRIENDLY_NAME
+	
+	* hx509.h: add hx509_octet_string_list, remove bad comment
+	
+	* hx_locl.h: add HX509_QUERY_MATCH_FRIENDLY_NAME
+
+	* keyset.c (hx509_certs_append): needs a hx509_lock, add one
+
+	* Makefile.am: add test cases tempfiles to CLEANFILES
+	
+	* Makefile.am: add test_query to TESTS, fix dependency on hxtool
+	sources on hxtool-commands.h
+
+	* hxtool-commands.in: explain what signer is for create-sd
+
+	* hxtool.c: add query, add more options to verify-sd and create-sd
+
+	* test_cms.in: add more cms tests
+	
+	* hxtool-commands.in: add query, add more options to verify-sd
+
+	* test_query.in: test query interface
+	
+	* data: fix filenames for ds/ke files, add pkcs12 files, regen
+	
+	* hxtool.c,Makefile.am,hxtool-commands.in: switch to slc
+
+2005-07-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cert.c (hx509_verify_destroy_ctx): add
+	
+	* hxtool.c: free hx509_verify_ctx
+	
+	* name.c (_hx509_name_ds_cmp): make sure all strings are not equal
+
+2005-07-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* hxtool.c: return error
+	
+	* keyset.c: return errors from iterations
+	
+	* test_chain.in: clean up checks
+	
+	* ks_file.c (parse_certificate): return errno's not 1 in case of
+	error
+	
+	* ks_file.c (file_iter): make sure endpointer is NULL
+
+	* ks_mem.c (mem_iter): follow conversion and return NULL when we
+	get to the end, not ENOENT.
+	
+	* Makefile.am: test_chain depends on hxtool
+	
+	* data: test certs that lasts 10 years
+	
+	* data/gen-req.sh: script to generate test certs
+	
+	* Makefile.am: Add regression tests.
+
+	* data: test certificate and keys
+
+	* test_chain.in: test chain
+
+	* hxtool.c (cms_create_sd): add KU digitalSigature as a
+	requirement to the query
+
+	* hx_locl.h: add KeyUsage query bits
+
+	* hx509_err.et: add KeyUsage error
+
+	* cms.c: add checks for KeyUsage
+
+	* cert.c: more checks on KeyUsage, allow to query on them too
+
+2005-07-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* cms.c: Add missing break.
+	
+	* hx_locl.h,cms.c,cert.c: allow matching on SubjectKeyId
+
+	* hxtool.c: Use _hx509_map_file, _hx509_unmap_file and
+	_hx509_write_file.
+
+	* file.c (_hx509_write_file): in case of write error, return errno
+
+	* file.c (_hx509_write_file): add a function that write a data
+	blob to disk too
+
+	* Fix id-tags
+
+	* Import mostly complete X.509 and CMS library. Handles, PEM, DER,
+	PKCS12 encoded certicates.  Verificate RSA chains and handled
+	CMS's SignedData, and EnvelopedData.
+
+
diff --git a/crypto/heimdal/lib/hx509/Makefile.am b/crypto/heimdal/lib/hx509/Makefile.am
new file mode 100644
index 0000000..3144a71
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/Makefile.am
@@ -0,0 +1,388 @@
+# $Id: Makefile.am 22459 2008-01-15 21:46:20Z lha $
+
+include $(top_srcdir)/Makefile.am.common
+
+lib_LTLIBRARIES = libhx509.la
+libhx509_la_LDFLAGS = -version-info 3:0:0
+
+BUILT_SOURCES =				\
+	$(gen_files_ocsp:.x=.c)		\
+	$(gen_files_pkcs10:.x=.c)	\
+	hx509_err.c			\
+	hx509_err.h
+
+gen_files_ocsp = 			\
+	asn1_OCSPBasicOCSPResponse.x	\
+	asn1_OCSPCertID.x		\
+	asn1_OCSPCertStatus.x		\
+	asn1_OCSPInnerRequest.x		\
+	asn1_OCSPKeyHash.x		\
+	asn1_OCSPRequest.x		\
+	asn1_OCSPResponderID.x		\
+	asn1_OCSPResponse.x		\
+	asn1_OCSPResponseBytes.x	\
+	asn1_OCSPResponseData.x		\
+	asn1_OCSPResponseStatus.x	\
+	asn1_OCSPSignature.x		\
+	asn1_OCSPSingleResponse.x	\
+	asn1_OCSPTBSRequest.x		\
+	asn1_OCSPVersion.x		\
+	asn1_id_pkix_ocsp.x		\
+	asn1_id_pkix_ocsp_basic.x	\
+	asn1_id_pkix_ocsp_nonce.x
+
+gen_files_pkcs10 = 			\
+	asn1_CertificationRequestInfo.x	\
+	asn1_CertificationRequest.x
+
+gen_files_crmf = 			\
+	asn1_CRMFRDNSequence.x		\
+	asn1_CertReqMessages.x		\
+	asn1_CertReqMsg.x		\
+	asn1_CertRequest.x		\
+	asn1_CertTemplate.x		\
+	asn1_Controls.x			\
+	asn1_PBMParameter.x		\
+	asn1_PKMACValue.x		\
+	asn1_POPOPrivKey.x		\
+	asn1_POPOSigningKey.x		\
+	asn1_POPOSigningKeyInput.x	\
+	asn1_ProofOfPossession.x	\
+	asn1_SubsequentMessage.x	
+
+dist_libhx509_la_SOURCES = \
+	ca.c \
+	cert.c \
+	cms.c \
+	collector.c \
+	crypto.c \
+	doxygen.c \
+	error.c \
+	env.c \
+	file.c \
+	hx509-private.h \
+	hx509-protos.h \
+	hx509.h \
+	hx_locl.h \
+	keyset.c \
+	ks_dir.c \
+	ks_file.c \
+	ks_mem.c \
+	ks_null.c \
+	ks_p11.c \
+	ks_p12.c \
+	ks_keychain.c \
+	lock.c \
+	name.c \
+	peer.c \
+	print.c \
+	softp11.c \
+	ref/pkcs11.h \
+	req.c \
+	revoke.c
+
+libhx509_la_LIBADD = \
+	$(LIB_com_err) \
+	$(LIB_hcrypto) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIBADD_roken) \
+	$(LIB_dlopen)
+
+if FRAMEWORK_SECURITY
+libhx509_la_LDFLAGS += -framework Security -framework CoreFoundation
+endif
+
+if versionscript
+libhx509_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
+endif
+$(libhx509_la_OBJECTS): $(srcdir)/version-script.map
+
+libhx509_la_CPPFLAGS = -I$(srcdir)/ref $(INCLUDE_hcrypto)
+nodist_libhx509_la_SOURCES = $(BUILT_SOURCES)
+
+$(gen_files_ocsp) ocsp_asn1.h: ocsp_asn1_files
+$(gen_files_pkcs10) pkcs10_asn1.h: pkcs10_asn1_files
+$(gen_files_crmf) crmf_asn1.h: crmf_asn1_files
+
+asn1_compile = ../asn1/asn1_compile$(EXEEXT)
+
+ocsp_asn1_files: $(asn1_compile) $(srcdir)/ocsp.asn1
+	$(asn1_compile) --preserve-binary=OCSPTBSRequest --preserve-binary=OCSPResponseData $(srcdir)/ocsp.asn1 ocsp_asn1 || (rm -f ocsp_asn1_files ; exit 1)
+
+pkcs10_asn1_files: $(asn1_compile) $(srcdir)/pkcs10.asn1
+	$(asn1_compile) --preserve-binary=CertificationRequestInfo $(srcdir)/pkcs10.asn1 pkcs10_asn1 || (rm -f pkcs10_asn1_files ; exit 1)
+
+crmf_asn1_files: $(asn1_compile) $(srcdir)/crmf.asn1
+	$(asn1_compile) $(srcdir)/crmf.asn1 crmf_asn1 || (rm -f crmf_asn1_files ; exit 1)
+
+$(libhx509_la_OBJECTS): $(srcdir)/hx509-protos.h $(srcdir)/hx509-private.h
+
+$(srcdir)/hx509-protos.h:
+	cd $(srcdir) && perl ../../cf/make-proto.pl -R '^(_|^C)' -E HX509_LIB_FUNCTION -q -P comment -o hx509-protos.h $(dist_libhx509_la_SOURCES) || rm -f hx509-protos.h
+
+$(srcdir)/hx509-private.h:
+	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p hx509-private.h $(dist_libhx509_la_SOURCES) || rm -f hx509-private.h
+
+dist_include_HEADERS = hx509.h hx509-protos.h
+nodist_include_HEADERS = hx509_err.h
+
+SLC = $(top_builddir)/lib/sl/slc
+
+bin_PROGRAMS = hxtool
+
+hxtool-commands.c hxtool-commands.h: hxtool-commands.in $(SLC)
+	$(SLC) $(srcdir)/hxtool-commands.in
+
+dist_hxtool_SOURCES = hxtool.c
+nodist_hxtool_SOURCES = hxtool-commands.c hxtool-commands.h
+
+$(hxtool_OBJECTS): hxtool-commands.h
+
+hxtool_CPPFLAGS = $(INCLUDE_hcrypto)
+hxtool_LDADD = \
+	libhx509.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_hcrypto) \
+	$(LIB_roken) \
+	$(top_builddir)/lib/sl/libsl.la
+
+CLEANFILES = $(BUILT_SOURCES) \
+	$(gen_files_ocsp) ocsp_asn1_files ocsp_asn1.h \
+	$(gen_files_pkcs10) pkcs10_asn1_files pkcs10_asn1.h \
+	$(gen_files_crmf) crmf_asn1_files crmf_asn1.h \
+	$(TESTS) \
+	hxtool-commands.c hxtool-commands.h *.tmp \
+	request.out \
+	out.pem out2.pem \
+	sd.data sd.data.out \
+	ev.data ev.data.out \
+	cert-null.pem cert-sub-ca2.pem \
+	cert-ee.pem cert-ca.pem \
+	cert-sub-ee.pem cert-sub-ca.pem \
+	cert-proxy.der cert-ca.der cert-ee.der pkcs10-request.der \
+	wca.pem wuser.pem wdc.pem wcrl.crl \
+	random-data statfile crl.crl \
+	test p11dbg.log pkcs11.cfg \
+	test-rc-file.rc
+
+clean-local:
+	@echo "cleaning PKITS" ; rm -rf PKITS_data
+
+#
+# regression tests
+#
+
+check_SCRIPTS = $(SCRIPT_TESTS)
+check_PROGRAMS = $(PROGRAM_TESTS) test_soft_pkcs11
+
+LDADD = libhx509.la
+
+test_soft_pkcs11_LDADD = libhx509.la
+test_soft_pkcs11_CPPFLAGS = -I$(srcdir)/ref
+
+TESTS = $(SCRIPT_TESTS) $(PROGRAM_TESTS)
+
+PROGRAM_TESTS = 		\
+	test_name
+
+SCRIPT_TESTS = 			\
+	test_ca			\
+	test_cert		\
+	test_chain		\
+	test_cms		\
+	test_crypto		\
+	test_nist		\
+	test_nist2		\
+	test_pkcs11		\
+	test_java_pkcs11	\
+	test_nist_cert		\
+	test_nist_pkcs12	\
+	test_req		\
+	test_windows		\
+	test_query
+
+do_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
+	-e 's,[@]objdir[@],$(top_builddir)/lib/hx509,g'
+
+test_ca: test_ca.in Makefile
+	$(do_subst) < $(srcdir)/test_ca.in > test_ca.tmp
+	chmod +x test_ca.tmp
+	mv test_ca.tmp test_ca
+
+test_cert: test_cert.in Makefile
+	$(do_subst) < $(srcdir)/test_cert.in > test_cert.tmp
+	chmod +x test_cert.tmp
+	mv test_cert.tmp test_cert
+
+test_chain: test_chain.in Makefile
+	$(do_subst) < $(srcdir)/test_chain.in > test_chain.tmp
+	chmod +x test_chain.tmp
+	mv test_chain.tmp test_chain
+
+test_cms: test_cms.in Makefile
+	$(do_subst) < $(srcdir)/test_cms.in > test_cms.tmp
+	chmod +x test_cms.tmp
+	mv test_cms.tmp test_cms
+
+test_crypto: test_crypto.in Makefile
+	$(do_subst) < $(srcdir)/test_crypto.in > test_crypto.tmp
+	chmod +x test_crypto.tmp
+	mv test_crypto.tmp test_crypto
+
+test_nist: test_nist.in Makefile
+	$(do_subst) < $(srcdir)/test_nist.in > test_nist.tmp
+	chmod +x test_nist.tmp
+	mv test_nist.tmp test_nist
+
+test_nist2: test_nist2.in Makefile
+	$(do_subst) < $(srcdir)/test_nist2.in > test_nist2.tmp
+	chmod +x test_nist2.tmp
+	mv test_nist2.tmp test_nist2
+
+test_pkcs11: test_pkcs11.in Makefile
+	$(do_subst) < $(srcdir)/test_pkcs11.in > test_pkcs11.tmp
+	chmod +x test_pkcs11.tmp
+	mv test_pkcs11.tmp test_pkcs11
+
+test_java_pkcs11: test_java_pkcs11.in Makefile
+	$(do_subst) < $(srcdir)/test_java_pkcs11.in > test_java_pkcs11.tmp
+	chmod +x test_java_pkcs11.tmp
+	mv test_java_pkcs11.tmp test_java_pkcs11
+
+test_nist_cert: test_nist_cert.in Makefile
+	$(do_subst) < $(srcdir)/test_nist_cert.in > test_nist_cert.tmp
+	chmod +x test_nist_cert.tmp
+	mv test_nist_cert.tmp test_nist_cert
+
+test_nist_pkcs12: test_nist_pkcs12.in Makefile
+	$(do_subst) < $(srcdir)/test_nist_pkcs12.in > test_nist_pkcs12.tmp
+	chmod +x test_nist_pkcs12.tmp
+	mv test_nist_pkcs12.tmp test_nist_pkcs12
+
+test_req: test_req.in Makefile
+	$(do_subst) < $(srcdir)/test_req.in > test_req.tmp
+	chmod +x test_req.tmp
+	mv test_req.tmp test_req
+
+test_windows: test_windows.in Makefile
+	$(do_subst) < $(srcdir)/test_windows.in > test_windows.tmp
+	chmod +x test_windows.tmp
+	mv test_windows.tmp test_windows
+
+test_query: test_query.in Makefile
+	$(do_subst) < $(srcdir)/test_query.in > test_query.tmp
+	chmod +x test_query.tmp
+	mv test_query.tmp test_query
+
+EXTRA_DIST = \
+	version-script.map \
+	crmf.asn1 \
+	data/bleichenbacher-bad.pem \
+	hx509_err.et \
+	hxtool-commands.in \
+	ocsp.asn1 \
+	pkcs10.asn1 \
+	test_ca.in \
+	test_chain.in \
+	test_cert.in \
+	test_cms.in \
+	test_crypto.in \
+	test_nist.in \
+	test_nist2.in \
+	test_nist_cert.in \
+	test_nist_pkcs12.in \
+	test_pkcs11.in \
+	test_java_pkcs11.in \
+	test_query.in \
+	test_req.in \
+	test_windows.in \
+	tst-crypto-available1 \
+	tst-crypto-available2 \
+	tst-crypto-available3 \
+	tst-crypto-select \
+	tst-crypto-select1 \
+	tst-crypto-select2 \
+	tst-crypto-select3 \
+	tst-crypto-select4 \
+	tst-crypto-select5 \
+	tst-crypto-select6 \
+	tst-crypto-select7 \
+	data/bleichenbacher-good.pem \
+	data/bleichenbacher-sf-pad-correct.pem \
+	data/ca.crt \
+	data/ca.key \
+	data/crl1.crl \
+	data/crl1.der \
+	data/gen-req.sh \
+	data/j.pem \
+	data/kdc.crt \
+	data/kdc.key \
+	data/key.der \
+	data/key2.der \
+	data/nist-data \
+	data/nist-data2 \
+	data/no-proxy-test.crt \
+	data/no-proxy-test.key \
+	data/ocsp-req1.der \
+	data/ocsp-req2.der \
+	data/ocsp-resp1-2.der \
+	data/ocsp-resp1-3.der \
+	data/ocsp-resp1-ca.der \
+	data/ocsp-resp1-keyhash.der \
+	data/ocsp-resp1-ocsp-no-cert.der \
+	data/ocsp-resp1-ocsp.der \
+	data/ocsp-resp1.der \
+	data/ocsp-resp2.der \
+	data/ocsp-responder.crt \
+	data/ocsp-responder.key \
+	data/openssl.cnf \
+	data/pkinit-proxy-chain.crt \
+	data/pkinit-proxy.crt \
+	data/pkinit-proxy.key \
+	data/pkinit-pw.key \
+	data/pkinit.crt \
+	data/pkinit.key \
+	data/proxy-level-test.crt \
+	data/proxy-level-test.key \
+	data/proxy-test.crt \
+	data/proxy-test.key \
+	data/proxy10-child-test.crt \
+	data/proxy10-child-test.key \
+	data/proxy10-child-child-test.crt \
+	data/proxy10-child-child-test.key \
+	data/proxy10-test.crt \
+	data/proxy10-test.key \
+	data/revoke.crt \
+	data/revoke.key \
+	data/sf-class2-root.pem \
+	data/static-file \
+	data/sub-ca.crt \
+	data/sub-ca.key \
+	data/sub-cert.crt \
+	data/sub-cert.key \
+	data/sub-cert.p12 \
+	data/test-ds-only.crt \
+	data/test-ds-only.key \
+	data/test-enveloped-aes-128 \
+	data/test-enveloped-aes-256 \
+	data/test-enveloped-des \
+	data/test-enveloped-des-ede3 \
+	data/test-enveloped-rc2-128 \
+	data/test-enveloped-rc2-40 \
+	data/test-enveloped-rc2-64 \
+	data/test-ke-only.crt \
+	data/test-ke-only.key \
+	data/test-nopw.p12 \
+	data/test-pw.key \
+	data/test-signed-data \
+	data/test-signed-data-noattr \
+	data/test-signed-data-noattr-nocerts \
+	data/test.combined.crt \
+	data/test.crt \
+	data/test.key \
+	data/test.p12 \
+	data/yutaka-pad-broken-ca.pem \
+	data/yutaka-pad-broken-cert.pem \
+	data/yutaka-pad-ok-ca.pem \
+	data/yutaka-pad-ok-cert.pem \
+	data/yutaka-pad.key
diff --git a/crypto/heimdal/lib/hx509/Makefile.in b/crypto/heimdal/lib/hx509/Makefile.in
new file mode 100644
index 0000000..b564a49
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/Makefile.in
@@ -0,0 +1,1530 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# $Id: Makefile.am 22459 2008-01-15 21:46:20Z lha $
+
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
+
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
+
+
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+DIST_COMMON = $(dist_include_HEADERS) $(srcdir)/Makefile.am \
+	$(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \
+	$(top_srcdir)/cf/Makefile.am.common ChangeLog TODO
+@FRAMEWORK_SECURITY_TRUE@am__append_1 = -framework Security -framework CoreFoundation
+@versionscript_TRUE@am__append_2 = $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
+bin_PROGRAMS = hxtool$(EXEEXT)
+check_PROGRAMS = $(am__EXEEXT_1) test_soft_pkcs11$(EXEEXT)
+TESTS = $(SCRIPT_TESTS) $(am__EXEEXT_1)
+subdir = lib/hx509
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
+	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
+	$(top_srcdir)/cf/broken-glob.m4 \
+	$(top_srcdir)/cf/broken-realloc.m4 \
+	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
+	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
+	$(top_srcdir)/cf/capabilities.m4 \
+	$(top_srcdir)/cf/check-compile-et.m4 \
+	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
+	$(top_srcdir)/cf/check-man.m4 \
+	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
+	$(top_srcdir)/cf/check-type-extra.m4 \
+	$(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \
+	$(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \
+	$(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
+	$(top_srcdir)/cf/dlopen.m4 \
+	$(top_srcdir)/cf/find-func-no-libs.m4 \
+	$(top_srcdir)/cf/find-func-no-libs2.m4 \
+	$(top_srcdir)/cf/find-func.m4 \
+	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
+	$(top_srcdir)/cf/have-struct-field.m4 \
+	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
+	$(top_srcdir)/cf/krb-bigendian.m4 \
+	$(top_srcdir)/cf/krb-func-getlogin.m4 \
+	$(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
+	$(top_srcdir)/cf/krb-readline.m4 \
+	$(top_srcdir)/cf/krb-struct-spwd.m4 \
+	$(top_srcdir)/cf/krb-struct-winsize.m4 \
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/include/config.h
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" \
+	"$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)"
+libLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(lib_LTLIBRARIES)
+am__DEPENDENCIES_1 =
+libhx509_la_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1)
+dist_libhx509_la_OBJECTS = libhx509_la-ca.lo libhx509_la-cert.lo \
+	libhx509_la-cms.lo libhx509_la-collector.lo \
+	libhx509_la-crypto.lo libhx509_la-doxygen.lo \
+	libhx509_la-error.lo libhx509_la-env.lo libhx509_la-file.lo \
+	libhx509_la-keyset.lo libhx509_la-ks_dir.lo \
+	libhx509_la-ks_file.lo libhx509_la-ks_mem.lo \
+	libhx509_la-ks_null.lo libhx509_la-ks_p11.lo \
+	libhx509_la-ks_p12.lo libhx509_la-ks_keychain.lo \
+	libhx509_la-lock.lo libhx509_la-name.lo libhx509_la-peer.lo \
+	libhx509_la-print.lo libhx509_la-softp11.lo libhx509_la-req.lo \
+	libhx509_la-revoke.lo
+am__objects_1 = libhx509_la-asn1_OCSPBasicOCSPResponse.lo \
+	libhx509_la-asn1_OCSPCertID.lo \
+	libhx509_la-asn1_OCSPCertStatus.lo \
+	libhx509_la-asn1_OCSPInnerRequest.lo \
+	libhx509_la-asn1_OCSPKeyHash.lo \
+	libhx509_la-asn1_OCSPRequest.lo \
+	libhx509_la-asn1_OCSPResponderID.lo \
+	libhx509_la-asn1_OCSPResponse.lo \
+	libhx509_la-asn1_OCSPResponseBytes.lo \
+	libhx509_la-asn1_OCSPResponseData.lo \
+	libhx509_la-asn1_OCSPResponseStatus.lo \
+	libhx509_la-asn1_OCSPSignature.lo \
+	libhx509_la-asn1_OCSPSingleResponse.lo \
+	libhx509_la-asn1_OCSPTBSRequest.lo \
+	libhx509_la-asn1_OCSPVersion.lo \
+	libhx509_la-asn1_id_pkix_ocsp.lo \
+	libhx509_la-asn1_id_pkix_ocsp_basic.lo \
+	libhx509_la-asn1_id_pkix_ocsp_nonce.lo
+am__objects_2 = libhx509_la-asn1_CertificationRequestInfo.lo \
+	libhx509_la-asn1_CertificationRequest.lo
+am__objects_3 = $(am__objects_1) $(am__objects_2) \
+	libhx509_la-hx509_err.lo
+nodist_libhx509_la_OBJECTS = $(am__objects_3)
+libhx509_la_OBJECTS = $(dist_libhx509_la_OBJECTS) \
+	$(nodist_libhx509_la_OBJECTS)
+libhx509_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libhx509_la_LDFLAGS) $(LDFLAGS) -o $@
+binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
+am__EXEEXT_1 = test_name$(EXEEXT)
+PROGRAMS = $(bin_PROGRAMS)
+dist_hxtool_OBJECTS = hxtool-hxtool.$(OBJEXT)
+nodist_hxtool_OBJECTS = hxtool-hxtool-commands.$(OBJEXT)
+hxtool_OBJECTS = $(dist_hxtool_OBJECTS) $(nodist_hxtool_OBJECTS)
+hxtool_DEPENDENCIES = libhx509.la $(top_builddir)/lib/asn1/libasn1.la \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/sl/libsl.la
+test_name_SOURCES = test_name.c
+test_name_OBJECTS = test_name.$(OBJEXT)
+test_name_LDADD = $(LDADD)
+test_name_DEPENDENCIES = libhx509.la
+test_soft_pkcs11_SOURCES = test_soft_pkcs11.c
+test_soft_pkcs11_OBJECTS =  \
+	test_soft_pkcs11-test_soft_pkcs11.$(OBJEXT)
+test_soft_pkcs11_DEPENDENCIES = libhx509.la
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
+depcomp =
+am__depfiles_maybe =
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(dist_libhx509_la_SOURCES) $(nodist_libhx509_la_SOURCES) \
+	$(dist_hxtool_SOURCES) $(nodist_hxtool_SOURCES) test_name.c \
+	test_soft_pkcs11.c
+DIST_SOURCES = $(dist_libhx509_la_SOURCES) $(dist_hxtool_SOURCES) \
+	test_name.c test_soft_pkcs11.c
+dist_includeHEADERS_INSTALL = $(INSTALL_HEADER)
+nodist_includeHEADERS_INSTALL = $(INSTALL_HEADER)
+HEADERS = $(dist_include_HEADERS) $(nodist_include_HEADERS)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CFLAGS = @CFLAGS@
+COMPILE_ET = @COMPILE_ET@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DBLIB = @DBLIB@
+DEFS = @DEFS@
+DIR_com_err = @DIR_com_err@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
+DIR_roken = @DIR_roken@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GREP = @GREP@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+INCLUDE_krb4 = @INCLUDE_krb4@
+INCLUDE_openldap = @INCLUDE_openldap@
+INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_NDBM = @LIB_NDBM@
+LIB_XauFileName = @LIB_XauFileName@
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_XauWriteAuth = @LIB_XauWriteAuth@
+LIB_bswap16 = @LIB_bswap16@
+LIB_bswap32 = @LIB_bswap32@
+LIB_com_err = @LIB_com_err@
+LIB_com_err_a = @LIB_com_err_a@
+LIB_com_err_so = @LIB_com_err_so@
+LIB_crypt = @LIB_crypt@
+LIB_db_create = @LIB_db_create@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
+LIB_el_init = @LIB_el_init@
+LIB_freeaddrinfo = @LIB_freeaddrinfo@
+LIB_gai_strerror = @LIB_gai_strerror@
+LIB_getaddrinfo = @LIB_getaddrinfo@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_gethostbyname2 = @LIB_gethostbyname2@
+LIB_getnameinfo = @LIB_getnameinfo@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
+LIB_hesiod = @LIB_hesiod@
+LIB_hstrerror = @LIB_hstrerror@
+LIB_kdb = @LIB_kdb@
+LIB_krb4 = @LIB_krb4@
+LIB_loadquery = @LIB_loadquery@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_openldap = @LIB_openldap@
+LIB_openpty = @LIB_openpty@
+LIB_otp = @LIB_otp@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
+LIB_res_nsearch = @LIB_res_nsearch@
+LIB_res_search = @LIB_res_search@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VERSIONING = @VERSIONING@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
+X_CFLAGS = @X_CFLAGS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_LIBS = @X_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dpagaix_cflags = @dpagaix_cflags@
+dpagaix_ldadd = @dpagaix_ldadd@
+dpagaix_ldflags = @dpagaix_ldflags@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
+@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
+AM_CFLAGS = $(WFLAGS)
+CP = cp
+buildinclude = $(top_builddir)/include
+LIB_getattr = @LIB_getattr@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_setpcred = @LIB_setpcred@
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+NROFF_MAN = groff -mandoc -Tascii
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
+@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+lib_LTLIBRARIES = libhx509.la
+libhx509_la_LDFLAGS = -version-info 3:0:0 $(am__append_1) \
+	$(am__append_2)
+BUILT_SOURCES = \
+	$(gen_files_ocsp:.x=.c)		\
+	$(gen_files_pkcs10:.x=.c)	\
+	hx509_err.c			\
+	hx509_err.h
+
+gen_files_ocsp = \
+	asn1_OCSPBasicOCSPResponse.x	\
+	asn1_OCSPCertID.x		\
+	asn1_OCSPCertStatus.x		\
+	asn1_OCSPInnerRequest.x		\
+	asn1_OCSPKeyHash.x		\
+	asn1_OCSPRequest.x		\
+	asn1_OCSPResponderID.x		\
+	asn1_OCSPResponse.x		\
+	asn1_OCSPResponseBytes.x	\
+	asn1_OCSPResponseData.x		\
+	asn1_OCSPResponseStatus.x	\
+	asn1_OCSPSignature.x		\
+	asn1_OCSPSingleResponse.x	\
+	asn1_OCSPTBSRequest.x		\
+	asn1_OCSPVersion.x		\
+	asn1_id_pkix_ocsp.x		\
+	asn1_id_pkix_ocsp_basic.x	\
+	asn1_id_pkix_ocsp_nonce.x
+
+gen_files_pkcs10 = \
+	asn1_CertificationRequestInfo.x	\
+	asn1_CertificationRequest.x
+
+gen_files_crmf = \
+	asn1_CRMFRDNSequence.x		\
+	asn1_CertReqMessages.x		\
+	asn1_CertReqMsg.x		\
+	asn1_CertRequest.x		\
+	asn1_CertTemplate.x		\
+	asn1_Controls.x			\
+	asn1_PBMParameter.x		\
+	asn1_PKMACValue.x		\
+	asn1_POPOPrivKey.x		\
+	asn1_POPOSigningKey.x		\
+	asn1_POPOSigningKeyInput.x	\
+	asn1_ProofOfPossession.x	\
+	asn1_SubsequentMessage.x	
+
+dist_libhx509_la_SOURCES = \
+	ca.c \
+	cert.c \
+	cms.c \
+	collector.c \
+	crypto.c \
+	doxygen.c \
+	error.c \
+	env.c \
+	file.c \
+	hx509-private.h \
+	hx509-protos.h \
+	hx509.h \
+	hx_locl.h \
+	keyset.c \
+	ks_dir.c \
+	ks_file.c \
+	ks_mem.c \
+	ks_null.c \
+	ks_p11.c \
+	ks_p12.c \
+	ks_keychain.c \
+	lock.c \
+	name.c \
+	peer.c \
+	print.c \
+	softp11.c \
+	ref/pkcs11.h \
+	req.c \
+	revoke.c
+
+libhx509_la_LIBADD = \
+	$(LIB_com_err) \
+	$(LIB_hcrypto) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIBADD_roken) \
+	$(LIB_dlopen)
+
+libhx509_la_CPPFLAGS = -I$(srcdir)/ref $(INCLUDE_hcrypto)
+nodist_libhx509_la_SOURCES = $(BUILT_SOURCES)
+asn1_compile = ../asn1/asn1_compile$(EXEEXT)
+dist_include_HEADERS = hx509.h hx509-protos.h
+nodist_include_HEADERS = hx509_err.h
+SLC = $(top_builddir)/lib/sl/slc
+dist_hxtool_SOURCES = hxtool.c
+nodist_hxtool_SOURCES = hxtool-commands.c hxtool-commands.h
+hxtool_CPPFLAGS = $(INCLUDE_hcrypto)
+hxtool_LDADD = \
+	libhx509.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_hcrypto) \
+	$(LIB_roken) \
+	$(top_builddir)/lib/sl/libsl.la
+
+CLEANFILES = $(BUILT_SOURCES) \
+	$(gen_files_ocsp) ocsp_asn1_files ocsp_asn1.h \
+	$(gen_files_pkcs10) pkcs10_asn1_files pkcs10_asn1.h \
+	$(gen_files_crmf) crmf_asn1_files crmf_asn1.h \
+	$(TESTS) \
+	hxtool-commands.c hxtool-commands.h *.tmp \
+	request.out \
+	out.pem out2.pem \
+	sd.data sd.data.out \
+	ev.data ev.data.out \
+	cert-null.pem cert-sub-ca2.pem \
+	cert-ee.pem cert-ca.pem \
+	cert-sub-ee.pem cert-sub-ca.pem \
+	cert-proxy.der cert-ca.der cert-ee.der pkcs10-request.der \
+	wca.pem wuser.pem wdc.pem wcrl.crl \
+	random-data statfile crl.crl \
+	test p11dbg.log pkcs11.cfg \
+	test-rc-file.rc
+
+
+#
+# regression tests
+#
+check_SCRIPTS = $(SCRIPT_TESTS)
+LDADD = libhx509.la
+test_soft_pkcs11_LDADD = libhx509.la
+test_soft_pkcs11_CPPFLAGS = -I$(srcdir)/ref
+PROGRAM_TESTS = \
+	test_name
+
+SCRIPT_TESTS = \
+	test_ca			\
+	test_cert		\
+	test_chain		\
+	test_cms		\
+	test_crypto		\
+	test_nist		\
+	test_nist2		\
+	test_pkcs11		\
+	test_java_pkcs11	\
+	test_nist_cert		\
+	test_nist_pkcs12	\
+	test_req		\
+	test_windows		\
+	test_query
+
+do_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
+	-e 's,[@]objdir[@],$(top_builddir)/lib/hx509,g'
+
+EXTRA_DIST = \
+	version-script.map \
+	crmf.asn1 \
+	data/bleichenbacher-bad.pem \
+	hx509_err.et \
+	hxtool-commands.in \
+	ocsp.asn1 \
+	pkcs10.asn1 \
+	test_ca.in \
+	test_chain.in \
+	test_cert.in \
+	test_cms.in \
+	test_crypto.in \
+	test_nist.in \
+	test_nist2.in \
+	test_nist_cert.in \
+	test_nist_pkcs12.in \
+	test_pkcs11.in \
+	test_java_pkcs11.in \
+	test_query.in \
+	test_req.in \
+	test_windows.in \
+	tst-crypto-available1 \
+	tst-crypto-available2 \
+	tst-crypto-available3 \
+	tst-crypto-select \
+	tst-crypto-select1 \
+	tst-crypto-select2 \
+	tst-crypto-select3 \
+	tst-crypto-select4 \
+	tst-crypto-select5 \
+	tst-crypto-select6 \
+	tst-crypto-select7 \
+	data/bleichenbacher-good.pem \
+	data/bleichenbacher-sf-pad-correct.pem \
+	data/ca.crt \
+	data/ca.key \
+	data/crl1.crl \
+	data/crl1.der \
+	data/gen-req.sh \
+	data/j.pem \
+	data/kdc.crt \
+	data/kdc.key \
+	data/key.der \
+	data/key2.der \
+	data/nist-data \
+	data/nist-data2 \
+	data/no-proxy-test.crt \
+	data/no-proxy-test.key \
+	data/ocsp-req1.der \
+	data/ocsp-req2.der \
+	data/ocsp-resp1-2.der \
+	data/ocsp-resp1-3.der \
+	data/ocsp-resp1-ca.der \
+	data/ocsp-resp1-keyhash.der \
+	data/ocsp-resp1-ocsp-no-cert.der \
+	data/ocsp-resp1-ocsp.der \
+	data/ocsp-resp1.der \
+	data/ocsp-resp2.der \
+	data/ocsp-responder.crt \
+	data/ocsp-responder.key \
+	data/openssl.cnf \
+	data/pkinit-proxy-chain.crt \
+	data/pkinit-proxy.crt \
+	data/pkinit-proxy.key \
+	data/pkinit-pw.key \
+	data/pkinit.crt \
+	data/pkinit.key \
+	data/proxy-level-test.crt \
+	data/proxy-level-test.key \
+	data/proxy-test.crt \
+	data/proxy-test.key \
+	data/proxy10-child-test.crt \
+	data/proxy10-child-test.key \
+	data/proxy10-child-child-test.crt \
+	data/proxy10-child-child-test.key \
+	data/proxy10-test.crt \
+	data/proxy10-test.key \
+	data/revoke.crt \
+	data/revoke.key \
+	data/sf-class2-root.pem \
+	data/static-file \
+	data/sub-ca.crt \
+	data/sub-ca.key \
+	data/sub-cert.crt \
+	data/sub-cert.key \
+	data/sub-cert.p12 \
+	data/test-ds-only.crt \
+	data/test-ds-only.key \
+	data/test-enveloped-aes-128 \
+	data/test-enveloped-aes-256 \
+	data/test-enveloped-des \
+	data/test-enveloped-des-ede3 \
+	data/test-enveloped-rc2-128 \
+	data/test-enveloped-rc2-40 \
+	data/test-enveloped-rc2-64 \
+	data/test-ke-only.crt \
+	data/test-ke-only.key \
+	data/test-nopw.p12 \
+	data/test-pw.key \
+	data/test-signed-data \
+	data/test-signed-data-noattr \
+	data/test-signed-data-noattr-nocerts \
+	data/test.combined.crt \
+	data/test.crt \
+	data/test.key \
+	data/test.p12 \
+	data/yutaka-pad-broken-ca.pem \
+	data/yutaka-pad-broken-cert.pem \
+	data/yutaka-pad-ok-ca.pem \
+	data/yutaka-pad-ok-cert.pem \
+	data/yutaka-pad.key
+
+all: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) all-am
+
+.SUFFIXES:
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign  --ignore-deps lib/hx509/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign  --ignore-deps lib/hx509/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \
+	    $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \
+	  $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \
+	done
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libhx509.la: $(libhx509_la_OBJECTS) $(libhx509_la_DEPENDENCIES) 
+	$(libhx509_la_LINK) -rpath $(libdir) $(libhx509_la_OBJECTS) $(libhx509_la_LIBADD) $(LIBS)
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  if test -f $$p \
+	     || test -f $$p1 \
+	  ; then \
+	    f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
+	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \
+	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
+	  echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(bindir)/$$f"; \
+	done
+
+clean-binPROGRAMS:
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  echo " rm -f $$p $$f"; \
+	  rm -f $$p $$f ; \
+	done
+
+clean-checkPROGRAMS:
+	@list='$(check_PROGRAMS)'; for p in $$list; do \
+	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  echo " rm -f $$p $$f"; \
+	  rm -f $$p $$f ; \
+	done
+hxtool$(EXEEXT): $(hxtool_OBJECTS) $(hxtool_DEPENDENCIES) 
+	@rm -f hxtool$(EXEEXT)
+	$(LINK) $(hxtool_OBJECTS) $(hxtool_LDADD) $(LIBS)
+test_name$(EXEEXT): $(test_name_OBJECTS) $(test_name_DEPENDENCIES) 
+	@rm -f test_name$(EXEEXT)
+	$(LINK) $(test_name_OBJECTS) $(test_name_LDADD) $(LIBS)
+test_soft_pkcs11$(EXEEXT): $(test_soft_pkcs11_OBJECTS) $(test_soft_pkcs11_DEPENDENCIES) 
+	@rm -f test_soft_pkcs11$(EXEEXT)
+	$(LINK) $(test_soft_pkcs11_OBJECTS) $(test_soft_pkcs11_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+.c.o:
+	$(COMPILE) -c $<
+
+.c.obj:
+	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+libhx509_la-ca.lo: ca.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-ca.lo `test -f 'ca.c' || echo '$(srcdir)/'`ca.c
+
+libhx509_la-cert.lo: cert.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-cert.lo `test -f 'cert.c' || echo '$(srcdir)/'`cert.c
+
+libhx509_la-cms.lo: cms.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-cms.lo `test -f 'cms.c' || echo '$(srcdir)/'`cms.c
+
+libhx509_la-collector.lo: collector.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-collector.lo `test -f 'collector.c' || echo '$(srcdir)/'`collector.c
+
+libhx509_la-crypto.lo: crypto.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-crypto.lo `test -f 'crypto.c' || echo '$(srcdir)/'`crypto.c
+
+libhx509_la-doxygen.lo: doxygen.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-doxygen.lo `test -f 'doxygen.c' || echo '$(srcdir)/'`doxygen.c
+
+libhx509_la-error.lo: error.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-error.lo `test -f 'error.c' || echo '$(srcdir)/'`error.c
+
+libhx509_la-env.lo: env.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-env.lo `test -f 'env.c' || echo '$(srcdir)/'`env.c
+
+libhx509_la-file.lo: file.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-file.lo `test -f 'file.c' || echo '$(srcdir)/'`file.c
+
+libhx509_la-keyset.lo: keyset.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-keyset.lo `test -f 'keyset.c' || echo '$(srcdir)/'`keyset.c
+
+libhx509_la-ks_dir.lo: ks_dir.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-ks_dir.lo `test -f 'ks_dir.c' || echo '$(srcdir)/'`ks_dir.c
+
+libhx509_la-ks_file.lo: ks_file.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-ks_file.lo `test -f 'ks_file.c' || echo '$(srcdir)/'`ks_file.c
+
+libhx509_la-ks_mem.lo: ks_mem.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-ks_mem.lo `test -f 'ks_mem.c' || echo '$(srcdir)/'`ks_mem.c
+
+libhx509_la-ks_null.lo: ks_null.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-ks_null.lo `test -f 'ks_null.c' || echo '$(srcdir)/'`ks_null.c
+
+libhx509_la-ks_p11.lo: ks_p11.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-ks_p11.lo `test -f 'ks_p11.c' || echo '$(srcdir)/'`ks_p11.c
+
+libhx509_la-ks_p12.lo: ks_p12.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-ks_p12.lo `test -f 'ks_p12.c' || echo '$(srcdir)/'`ks_p12.c
+
+libhx509_la-ks_keychain.lo: ks_keychain.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-ks_keychain.lo `test -f 'ks_keychain.c' || echo '$(srcdir)/'`ks_keychain.c
+
+libhx509_la-lock.lo: lock.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-lock.lo `test -f 'lock.c' || echo '$(srcdir)/'`lock.c
+
+libhx509_la-name.lo: name.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-name.lo `test -f 'name.c' || echo '$(srcdir)/'`name.c
+
+libhx509_la-peer.lo: peer.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-peer.lo `test -f 'peer.c' || echo '$(srcdir)/'`peer.c
+
+libhx509_la-print.lo: print.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-print.lo `test -f 'print.c' || echo '$(srcdir)/'`print.c
+
+libhx509_la-softp11.lo: softp11.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-softp11.lo `test -f 'softp11.c' || echo '$(srcdir)/'`softp11.c
+
+libhx509_la-req.lo: req.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-req.lo `test -f 'req.c' || echo '$(srcdir)/'`req.c
+
+libhx509_la-revoke.lo: revoke.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-revoke.lo `test -f 'revoke.c' || echo '$(srcdir)/'`revoke.c
+
+libhx509_la-asn1_OCSPBasicOCSPResponse.lo: asn1_OCSPBasicOCSPResponse.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPBasicOCSPResponse.lo `test -f 'asn1_OCSPBasicOCSPResponse.c' || echo '$(srcdir)/'`asn1_OCSPBasicOCSPResponse.c
+
+libhx509_la-asn1_OCSPCertID.lo: asn1_OCSPCertID.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPCertID.lo `test -f 'asn1_OCSPCertID.c' || echo '$(srcdir)/'`asn1_OCSPCertID.c
+
+libhx509_la-asn1_OCSPCertStatus.lo: asn1_OCSPCertStatus.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPCertStatus.lo `test -f 'asn1_OCSPCertStatus.c' || echo '$(srcdir)/'`asn1_OCSPCertStatus.c
+
+libhx509_la-asn1_OCSPInnerRequest.lo: asn1_OCSPInnerRequest.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPInnerRequest.lo `test -f 'asn1_OCSPInnerRequest.c' || echo '$(srcdir)/'`asn1_OCSPInnerRequest.c
+
+libhx509_la-asn1_OCSPKeyHash.lo: asn1_OCSPKeyHash.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPKeyHash.lo `test -f 'asn1_OCSPKeyHash.c' || echo '$(srcdir)/'`asn1_OCSPKeyHash.c
+
+libhx509_la-asn1_OCSPRequest.lo: asn1_OCSPRequest.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPRequest.lo `test -f 'asn1_OCSPRequest.c' || echo '$(srcdir)/'`asn1_OCSPRequest.c
+
+libhx509_la-asn1_OCSPResponderID.lo: asn1_OCSPResponderID.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPResponderID.lo `test -f 'asn1_OCSPResponderID.c' || echo '$(srcdir)/'`asn1_OCSPResponderID.c
+
+libhx509_la-asn1_OCSPResponse.lo: asn1_OCSPResponse.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPResponse.lo `test -f 'asn1_OCSPResponse.c' || echo '$(srcdir)/'`asn1_OCSPResponse.c
+
+libhx509_la-asn1_OCSPResponseBytes.lo: asn1_OCSPResponseBytes.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPResponseBytes.lo `test -f 'asn1_OCSPResponseBytes.c' || echo '$(srcdir)/'`asn1_OCSPResponseBytes.c
+
+libhx509_la-asn1_OCSPResponseData.lo: asn1_OCSPResponseData.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPResponseData.lo `test -f 'asn1_OCSPResponseData.c' || echo '$(srcdir)/'`asn1_OCSPResponseData.c
+
+libhx509_la-asn1_OCSPResponseStatus.lo: asn1_OCSPResponseStatus.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPResponseStatus.lo `test -f 'asn1_OCSPResponseStatus.c' || echo '$(srcdir)/'`asn1_OCSPResponseStatus.c
+
+libhx509_la-asn1_OCSPSignature.lo: asn1_OCSPSignature.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPSignature.lo `test -f 'asn1_OCSPSignature.c' || echo '$(srcdir)/'`asn1_OCSPSignature.c
+
+libhx509_la-asn1_OCSPSingleResponse.lo: asn1_OCSPSingleResponse.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPSingleResponse.lo `test -f 'asn1_OCSPSingleResponse.c' || echo '$(srcdir)/'`asn1_OCSPSingleResponse.c
+
+libhx509_la-asn1_OCSPTBSRequest.lo: asn1_OCSPTBSRequest.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPTBSRequest.lo `test -f 'asn1_OCSPTBSRequest.c' || echo '$(srcdir)/'`asn1_OCSPTBSRequest.c
+
+libhx509_la-asn1_OCSPVersion.lo: asn1_OCSPVersion.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPVersion.lo `test -f 'asn1_OCSPVersion.c' || echo '$(srcdir)/'`asn1_OCSPVersion.c
+
+libhx509_la-asn1_id_pkix_ocsp.lo: asn1_id_pkix_ocsp.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_id_pkix_ocsp.lo `test -f 'asn1_id_pkix_ocsp.c' || echo '$(srcdir)/'`asn1_id_pkix_ocsp.c
+
+libhx509_la-asn1_id_pkix_ocsp_basic.lo: asn1_id_pkix_ocsp_basic.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_id_pkix_ocsp_basic.lo `test -f 'asn1_id_pkix_ocsp_basic.c' || echo '$(srcdir)/'`asn1_id_pkix_ocsp_basic.c
+
+libhx509_la-asn1_id_pkix_ocsp_nonce.lo: asn1_id_pkix_ocsp_nonce.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_id_pkix_ocsp_nonce.lo `test -f 'asn1_id_pkix_ocsp_nonce.c' || echo '$(srcdir)/'`asn1_id_pkix_ocsp_nonce.c
+
+libhx509_la-asn1_CertificationRequestInfo.lo: asn1_CertificationRequestInfo.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_CertificationRequestInfo.lo `test -f 'asn1_CertificationRequestInfo.c' || echo '$(srcdir)/'`asn1_CertificationRequestInfo.c
+
+libhx509_la-asn1_CertificationRequest.lo: asn1_CertificationRequest.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_CertificationRequest.lo `test -f 'asn1_CertificationRequest.c' || echo '$(srcdir)/'`asn1_CertificationRequest.c
+
+libhx509_la-hx509_err.lo: hx509_err.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-hx509_err.lo `test -f 'hx509_err.c' || echo '$(srcdir)/'`hx509_err.c
+
+hxtool-hxtool.o: hxtool.c
+	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(hxtool_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hxtool-hxtool.o `test -f 'hxtool.c' || echo '$(srcdir)/'`hxtool.c
+
+hxtool-hxtool.obj: hxtool.c
+	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(hxtool_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hxtool-hxtool.obj `if test -f 'hxtool.c'; then $(CYGPATH_W) 'hxtool.c'; else $(CYGPATH_W) '$(srcdir)/hxtool.c'; fi`
+
+hxtool-hxtool-commands.o: hxtool-commands.c
+	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(hxtool_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hxtool-hxtool-commands.o `test -f 'hxtool-commands.c' || echo '$(srcdir)/'`hxtool-commands.c
+
+hxtool-hxtool-commands.obj: hxtool-commands.c
+	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(hxtool_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hxtool-hxtool-commands.obj `if test -f 'hxtool-commands.c'; then $(CYGPATH_W) 'hxtool-commands.c'; else $(CYGPATH_W) '$(srcdir)/hxtool-commands.c'; fi`
+
+test_soft_pkcs11-test_soft_pkcs11.o: test_soft_pkcs11.c
+	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(test_soft_pkcs11_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_soft_pkcs11-test_soft_pkcs11.o `test -f 'test_soft_pkcs11.c' || echo '$(srcdir)/'`test_soft_pkcs11.c
+
+test_soft_pkcs11-test_soft_pkcs11.obj: test_soft_pkcs11.c
+	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(test_soft_pkcs11_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_soft_pkcs11-test_soft_pkcs11.obj `if test -f 'test_soft_pkcs11.c'; then $(CYGPATH_W) 'test_soft_pkcs11.c'; else $(CYGPATH_W) '$(srcdir)/test_soft_pkcs11.c'; fi`
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+install-dist_includeHEADERS: $(dist_include_HEADERS)
+	@$(NORMAL_INSTALL)
+	test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
+	@list='$(dist_include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  f=$(am__strip_dir) \
+	  echo " $(dist_includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
+	  $(dist_includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
+	done
+
+uninstall-dist_includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(dist_include_HEADERS)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
+	  echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(includedir)/$$f"; \
+	done
+install-nodist_includeHEADERS: $(nodist_include_HEADERS)
+	@$(NORMAL_INSTALL)
+	test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
+	@list='$(nodist_include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  f=$(am__strip_dir) \
+	  echo " $(nodist_includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
+	  $(nodist_includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
+	done
+
+uninstall-nodist_includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(nodist_include_HEADERS)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
+	  echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(includedir)/$$f"; \
+	done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[	 ]'; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *$$ws$$tst$$ws*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		echo "XPASS: $$tst"; \
+	      ;; \
+	      *) \
+		echo "PASS: $$tst"; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *$$ws$$tst$$ws*) \
+		xfail=`expr $$xfail + 1`; \
+		echo "XFAIL: $$tst"; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		echo "FAIL: $$tst"; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      echo "SKIP: $$tst"; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="All $$all tests passed"; \
+	    else \
+	      banner="All $$all tests behaved as expected ($$xfail expected failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all tests failed"; \
+	    else \
+	      banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    skipped="($$skip tests were not run)"; \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
+	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
+	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  test -z "$$skipped" || echo "$$skipped"; \
+	  test -z "$$report" || echo "$$report"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) \
+	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
+	  dist-hook
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) $(check_SCRIPTS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
+check: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) check-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local
+install-binPROGRAMS: install-libLTLIBRARIES
+
+installdirs:
+	for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+	-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
+clean: clean-am
+
+clean-am: clean-binPROGRAMS clean-checkPROGRAMS clean-generic \
+	clean-libLTLIBRARIES clean-libtool clean-local mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-dist_includeHEADERS \
+	install-nodist_includeHEADERS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
+
+install-dvi: install-dvi-am
+
+install-exec-am: install-binPROGRAMS install-libLTLIBRARIES
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-binPROGRAMS uninstall-dist_includeHEADERS \
+	uninstall-libLTLIBRARIES uninstall-nodist_includeHEADERS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
+.PHONY: CTAGS GTAGS all all-am all-local check check-TESTS check-am \
+	check-local clean clean-binPROGRAMS clean-checkPROGRAMS \
+	clean-generic clean-libLTLIBRARIES clean-libtool clean-local \
+	ctags dist-hook distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-binPROGRAMS \
+	install-data install-data-am install-data-hook \
+	install-dist_includeHEADERS install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am \
+	install-libLTLIBRARIES install-man \
+	install-nodist_includeHEADERS install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-binPROGRAMS \
+	uninstall-dist_includeHEADERS uninstall-hook \
+	uninstall-libLTLIBRARIES uninstall-nodist_includeHEADERS
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+
+check-local::
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
+	  foo='$(CHECK_LOCAL)'; else \
+	  foo='$(PROGRAMS)'; fi; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0 || exit 1; \
+	fi
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+$(libhx509_la_OBJECTS): $(srcdir)/version-script.map
+
+$(gen_files_ocsp) ocsp_asn1.h: ocsp_asn1_files
+$(gen_files_pkcs10) pkcs10_asn1.h: pkcs10_asn1_files
+$(gen_files_crmf) crmf_asn1.h: crmf_asn1_files
+
+ocsp_asn1_files: $(asn1_compile) $(srcdir)/ocsp.asn1
+	$(asn1_compile) --preserve-binary=OCSPTBSRequest --preserve-binary=OCSPResponseData $(srcdir)/ocsp.asn1 ocsp_asn1 || (rm -f ocsp_asn1_files ; exit 1)
+
+pkcs10_asn1_files: $(asn1_compile) $(srcdir)/pkcs10.asn1
+	$(asn1_compile) --preserve-binary=CertificationRequestInfo $(srcdir)/pkcs10.asn1 pkcs10_asn1 || (rm -f pkcs10_asn1_files ; exit 1)
+
+crmf_asn1_files: $(asn1_compile) $(srcdir)/crmf.asn1
+	$(asn1_compile) $(srcdir)/crmf.asn1 crmf_asn1 || (rm -f crmf_asn1_files ; exit 1)
+
+$(libhx509_la_OBJECTS): $(srcdir)/hx509-protos.h $(srcdir)/hx509-private.h
+
+$(srcdir)/hx509-protos.h:
+	cd $(srcdir) && perl ../../cf/make-proto.pl -R '^(_|^C)' -E HX509_LIB_FUNCTION -q -P comment -o hx509-protos.h $(dist_libhx509_la_SOURCES) || rm -f hx509-protos.h
+
+$(srcdir)/hx509-private.h:
+	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p hx509-private.h $(dist_libhx509_la_SOURCES) || rm -f hx509-private.h
+
+hxtool-commands.c hxtool-commands.h: hxtool-commands.in $(SLC)
+	$(SLC) $(srcdir)/hxtool-commands.in
+
+$(hxtool_OBJECTS): hxtool-commands.h
+
+clean-local:
+	@echo "cleaning PKITS" ; rm -rf PKITS_data
+
+test_ca: test_ca.in Makefile
+	$(do_subst) < $(srcdir)/test_ca.in > test_ca.tmp
+	chmod +x test_ca.tmp
+	mv test_ca.tmp test_ca
+
+test_cert: test_cert.in Makefile
+	$(do_subst) < $(srcdir)/test_cert.in > test_cert.tmp
+	chmod +x test_cert.tmp
+	mv test_cert.tmp test_cert
+
+test_chain: test_chain.in Makefile
+	$(do_subst) < $(srcdir)/test_chain.in > test_chain.tmp
+	chmod +x test_chain.tmp
+	mv test_chain.tmp test_chain
+
+test_cms: test_cms.in Makefile
+	$(do_subst) < $(srcdir)/test_cms.in > test_cms.tmp
+	chmod +x test_cms.tmp
+	mv test_cms.tmp test_cms
+
+test_crypto: test_crypto.in Makefile
+	$(do_subst) < $(srcdir)/test_crypto.in > test_crypto.tmp
+	chmod +x test_crypto.tmp
+	mv test_crypto.tmp test_crypto
+
+test_nist: test_nist.in Makefile
+	$(do_subst) < $(srcdir)/test_nist.in > test_nist.tmp
+	chmod +x test_nist.tmp
+	mv test_nist.tmp test_nist
+
+test_nist2: test_nist2.in Makefile
+	$(do_subst) < $(srcdir)/test_nist2.in > test_nist2.tmp
+	chmod +x test_nist2.tmp
+	mv test_nist2.tmp test_nist2
+
+test_pkcs11: test_pkcs11.in Makefile
+	$(do_subst) < $(srcdir)/test_pkcs11.in > test_pkcs11.tmp
+	chmod +x test_pkcs11.tmp
+	mv test_pkcs11.tmp test_pkcs11
+
+test_java_pkcs11: test_java_pkcs11.in Makefile
+	$(do_subst) < $(srcdir)/test_java_pkcs11.in > test_java_pkcs11.tmp
+	chmod +x test_java_pkcs11.tmp
+	mv test_java_pkcs11.tmp test_java_pkcs11
+
+test_nist_cert: test_nist_cert.in Makefile
+	$(do_subst) < $(srcdir)/test_nist_cert.in > test_nist_cert.tmp
+	chmod +x test_nist_cert.tmp
+	mv test_nist_cert.tmp test_nist_cert
+
+test_nist_pkcs12: test_nist_pkcs12.in Makefile
+	$(do_subst) < $(srcdir)/test_nist_pkcs12.in > test_nist_pkcs12.tmp
+	chmod +x test_nist_pkcs12.tmp
+	mv test_nist_pkcs12.tmp test_nist_pkcs12
+
+test_req: test_req.in Makefile
+	$(do_subst) < $(srcdir)/test_req.in > test_req.tmp
+	chmod +x test_req.tmp
+	mv test_req.tmp test_req
+
+test_windows: test_windows.in Makefile
+	$(do_subst) < $(srcdir)/test_windows.in > test_windows.tmp
+	chmod +x test_windows.tmp
+	mv test_windows.tmp test_windows
+
+test_query: test_query.in Makefile
+	$(do_subst) < $(srcdir)/test_query.in > test_query.tmp
+	chmod +x test_query.tmp
+	mv test_query.tmp test_query
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/hx509/ca.c b/crypto/heimdal/lib/hx509/ca.c
new file mode 100644
index 0000000..4026070
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/ca.c
@@ -0,0 +1,1518 @@
+/*
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hx_locl.h"
+#include <pkinit_asn1.h>
+RCSID("$Id: ca.c 22456 2008-01-15 20:22:53Z lha $");
+
+/**
+ * @page page_ca Hx509 CA functions
+ *
+ * See the library functions here: @ref hx509_ca
+ */
+
+struct hx509_ca_tbs {
+    hx509_name subject;
+    SubjectPublicKeyInfo spki;
+    ExtKeyUsage eku;
+    GeneralNames san;
+    unsigned key_usage;
+    heim_integer serial;
+    struct {
+	unsigned int proxy:1;
+	unsigned int ca:1;
+	unsigned int key:1;
+	unsigned int serial:1;
+	unsigned int domaincontroller:1;
+    } flags;
+    time_t notBefore;
+    time_t notAfter;
+    int pathLenConstraint; /* both for CA and Proxy */
+    CRLDistributionPoints crldp;
+};
+
+/**
+ * Allocate an to-be-signed certificate object that will be converted
+ * into an certificate.
+ *
+ * @param context A hx509 context.
+ * @param tbs returned to-be-signed certicate object, free with
+ * hx509_ca_tbs_free().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_init(hx509_context context, hx509_ca_tbs *tbs)
+{
+    *tbs = calloc(1, sizeof(**tbs));
+    if (*tbs == NULL)
+	return ENOMEM;
+
+    (*tbs)->subject = NULL;
+    (*tbs)->san.len = 0;
+    (*tbs)->san.val = NULL;
+    (*tbs)->eku.len = 0;
+    (*tbs)->eku.val = NULL;
+    (*tbs)->pathLenConstraint = 0;
+    (*tbs)->crldp.len = 0;
+    (*tbs)->crldp.val = NULL;
+
+    return 0;
+}
+
+/**
+ * Free an To Be Signed object.
+ *
+ * @param tbs object to free.
+ *
+ * @ingroup hx509_ca
+ */
+
+void
+hx509_ca_tbs_free(hx509_ca_tbs *tbs)
+{
+    if (tbs == NULL || *tbs == NULL)
+	return;
+
+    free_SubjectPublicKeyInfo(&(*tbs)->spki);
+    free_GeneralNames(&(*tbs)->san);
+    free_ExtKeyUsage(&(*tbs)->eku);
+    der_free_heim_integer(&(*tbs)->serial);
+    free_CRLDistributionPoints(&(*tbs)->crldp);
+
+    hx509_name_free(&(*tbs)->subject);
+
+    memset(*tbs, 0, sizeof(**tbs));
+    free(*tbs);
+    *tbs = NULL;
+}
+
+/**
+ * Set the absolute time when the certificate is valid from. If not
+ * set the current time will be used.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param t time the certificated will start to be valid
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_set_notBefore(hx509_context context,
+			   hx509_ca_tbs tbs,
+			   time_t t)
+{
+    tbs->notBefore = t;
+    return 0;
+}
+
+/**
+ * Set the absolute time when the certificate is valid to.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param t time when the certificate will expire
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_set_notAfter(hx509_context context,
+			   hx509_ca_tbs tbs,
+			   time_t t)
+{
+    tbs->notAfter = t;
+    return 0;
+}
+
+/**
+ * Set the relative time when the certificiate is going to expire.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param delta seconds to the certificate is going to expire.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_set_notAfter_lifetime(hx509_context context,
+				   hx509_ca_tbs tbs,
+				   time_t delta)
+{
+    return hx509_ca_tbs_set_notAfter(context, tbs, time(NULL) + delta);
+}
+
+static const struct units templatebits[] = {
+    { "ExtendedKeyUsage", HX509_CA_TEMPLATE_EKU },
+    { "KeyUsage", HX509_CA_TEMPLATE_KU },
+    { "SPKI", HX509_CA_TEMPLATE_SPKI },
+    { "notAfter", HX509_CA_TEMPLATE_NOTAFTER },
+    { "notBefore", HX509_CA_TEMPLATE_NOTBEFORE },
+    { "serial", HX509_CA_TEMPLATE_SERIAL },
+    { "subject", HX509_CA_TEMPLATE_SUBJECT },
+    { NULL, 0 }
+};
+
+/**
+ * Make of template units, use to build flags argument to
+ * hx509_ca_tbs_set_template() with parse_units().
+ *
+ * @return an units structure.
+ *
+ * @ingroup hx509_ca
+ */
+
+const struct units *
+hx509_ca_tbs_template_units(void)
+{
+    return templatebits;
+}
+
+/**
+ * Initialize the to-be-signed certificate object from a template certifiate.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param flags bit field selecting what to copy from the template
+ * certifiate.
+ * @param cert template certificate.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_set_template(hx509_context context,
+			  hx509_ca_tbs tbs,
+			  int flags,
+			  hx509_cert cert)
+{
+    int ret;
+
+    if (flags & HX509_CA_TEMPLATE_SUBJECT) {
+	if (tbs->subject)
+	    hx509_name_free(&tbs->subject);
+	ret = hx509_cert_get_subject(cert, &tbs->subject);
+	if (ret) {
+	    hx509_set_error_string(context, 0, ret, 
+				   "Failed to get subject from template");
+	    return ret;
+	}
+    }
+    if (flags & HX509_CA_TEMPLATE_SERIAL) {
+	der_free_heim_integer(&tbs->serial);
+	ret = hx509_cert_get_serialnumber(cert, &tbs->serial);
+	tbs->flags.serial = !ret;
+	if (ret) {
+	    hx509_set_error_string(context, 0, ret, 
+				   "Failed to copy serial number");
+	    return ret;
+	}
+    }
+    if (flags & HX509_CA_TEMPLATE_NOTBEFORE)
+	tbs->notBefore = hx509_cert_get_notBefore(cert);
+    if (flags & HX509_CA_TEMPLATE_NOTAFTER)
+	tbs->notAfter = hx509_cert_get_notAfter(cert);
+    if (flags & HX509_CA_TEMPLATE_SPKI) {
+	free_SubjectPublicKeyInfo(&tbs->spki);
+	ret = hx509_cert_get_SPKI(context, cert, &tbs->spki);
+	tbs->flags.key = !ret;
+	if (ret)
+	    return ret;
+    }
+    if (flags & HX509_CA_TEMPLATE_KU) {
+	KeyUsage ku;
+	ret = _hx509_cert_get_keyusage(context, cert, &ku);
+	if (ret)
+	    return ret;
+	tbs->key_usage = KeyUsage2int(ku);
+    }
+    if (flags & HX509_CA_TEMPLATE_EKU) {
+	ExtKeyUsage eku;
+	int i;
+	ret = _hx509_cert_get_eku(context, cert, &eku);
+	if (ret)
+	    return ret;
+	for (i = 0; i < eku.len; i++) {
+	    ret = hx509_ca_tbs_add_eku(context, tbs, &eku.val[i]);
+	    if (ret) {
+		free_ExtKeyUsage(&eku);
+		return ret;
+	    }
+	}
+	free_ExtKeyUsage(&eku);
+    }
+    return 0;
+}
+
+/**
+ * Make the to-be-signed certificate object a CA certificate. If the
+ * pathLenConstraint is negative path length constraint is used.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param pathLenConstraint path length constraint, negative, no
+ * constraint.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_set_ca(hx509_context context,
+		    hx509_ca_tbs tbs,
+		    int pathLenConstraint)
+{
+    tbs->flags.ca = 1;
+    tbs->pathLenConstraint = pathLenConstraint;
+    return 0;
+}
+
+/**
+ * Make the to-be-signed certificate object a proxy certificate. If the
+ * pathLenConstraint is negative path length constraint is used.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param pathLenConstraint path length constraint, negative, no
+ * constraint.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_set_proxy(hx509_context context,
+		       hx509_ca_tbs tbs,
+		       int pathLenConstraint)
+{
+    tbs->flags.proxy = 1;
+    tbs->pathLenConstraint = pathLenConstraint;
+    return 0;
+}
+
+
+/**
+ * Make the to-be-signed certificate object a windows domain controller certificate.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_set_domaincontroller(hx509_context context,
+				  hx509_ca_tbs tbs)
+{
+    tbs->flags.domaincontroller = 1;
+    return 0;
+}
+
+/**
+ * Set the subject public key info (SPKI) in the to-be-signed certificate
+ * object. SPKI is the public key and key related parameters in the
+ * certificate.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param spki subject public key info to use for the to-be-signed certificate object.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_set_spki(hx509_context context,
+		      hx509_ca_tbs tbs,
+		      const SubjectPublicKeyInfo *spki)
+{
+    int ret;
+    free_SubjectPublicKeyInfo(&tbs->spki);
+    ret = copy_SubjectPublicKeyInfo(spki, &tbs->spki);
+    tbs->flags.key = !ret;
+    return ret;
+}
+
+/**
+ * Set the serial number to use for to-be-signed certificate object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param serialNumber serial number to use for the to-be-signed
+ * certificate object.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_set_serialnumber(hx509_context context,
+			      hx509_ca_tbs tbs,
+			      const heim_integer *serialNumber)
+{
+    int ret;
+    der_free_heim_integer(&tbs->serial);
+    ret = der_copy_heim_integer(serialNumber, &tbs->serial);
+    tbs->flags.serial = !ret;
+    return ret;
+}
+
+/**
+ * An an extended key usage to the to-be-signed certificate object.
+ * Duplicates will detected and not added.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param oid extended key usage to add.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_add_eku(hx509_context context,
+		     hx509_ca_tbs tbs,
+		     const heim_oid *oid)
+{
+    void *ptr;
+    int ret;
+    unsigned i;
+
+    /* search for duplicates */
+    for (i = 0; i < tbs->eku.len; i++) {
+	if (der_heim_oid_cmp(oid, &tbs->eku.val[i]) == 0)
+	    return 0;
+    }
+
+    ptr = realloc(tbs->eku.val, sizeof(tbs->eku.val[0]) * (tbs->eku.len + 1));
+    if (ptr == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+    tbs->eku.val = ptr;
+    ret = der_copy_oid(oid, &tbs->eku.val[tbs->eku.len]);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret, "out of memory");
+	return ret;
+    }
+    tbs->eku.len += 1;
+    return 0;
+}
+
+/**
+ * Add CRL distribution point URI to the to-be-signed certificate
+ * object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param uri uri to the CRL.
+ * @param issuername name of the issuer.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_add_crl_dp_uri(hx509_context context,
+			    hx509_ca_tbs tbs,
+			    const char *uri,
+			    hx509_name issuername)
+{
+    DistributionPoint dp;
+    int ret;
+
+    memset(&dp, 0, sizeof(dp));
+    
+    dp.distributionPoint = ecalloc(1, sizeof(*dp.distributionPoint));
+
+    {
+	DistributionPointName name;
+	GeneralName gn;
+	size_t size;
+
+	name.element = choice_DistributionPointName_fullName;
+	name.u.fullName.len = 1;
+	name.u.fullName.val = &gn;
+
+	gn.element = choice_GeneralName_uniformResourceIdentifier;
+	gn.u.uniformResourceIdentifier = rk_UNCONST(uri);
+
+	ASN1_MALLOC_ENCODE(DistributionPointName, 
+			   dp.distributionPoint->data, 
+			   dp.distributionPoint->length,
+			   &name, &size, ret);
+	if (ret) {
+	    hx509_set_error_string(context, 0, ret,
+				   "Failed to encoded DistributionPointName");
+	    goto out;
+	}
+	if (dp.distributionPoint->length != size)
+	    _hx509_abort("internal ASN.1 encoder error");
+    }
+
+    if (issuername) {
+#if 1
+	/**
+	 * issuername not supported
+	 */
+	hx509_set_error_string(context, 0, EINVAL,
+			       "CRLDistributionPoints.name.issuername not yet supported");
+	return EINVAL;
+#else 
+	GeneralNames *crlissuer;
+	GeneralName gn;
+	Name n;
+
+	crlissuer = calloc(1, sizeof(*crlissuer));
+	if (crlissuer == NULL) {
+	    return ENOMEM;
+	}
+	memset(&gn, 0, sizeof(gn));
+
+	gn.element = choice_GeneralName_directoryName;
+	ret = hx509_name_to_Name(issuername, &n);
+	if (ret) {
+	    hx509_set_error_string(context, 0, ret, "out of memory");
+	    goto out;
+	}
+
+	gn.u.directoryName.element = n.element;
+	gn.u.directoryName.u.rdnSequence = n.u.rdnSequence;
+
+	ret = add_GeneralNames(&crlissuer, &gn);
+	free_Name(&n);
+	if (ret) {
+	    hx509_set_error_string(context, 0, ret, "out of memory");
+	    goto out;
+	}
+
+	dp.cRLIssuer = &crlissuer;
+#endif
+    }
+
+    ret = add_CRLDistributionPoints(&tbs->crldp, &dp);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret, "out of memory");
+	goto out;
+    }
+
+out:
+    free_DistributionPoint(&dp);
+
+    return ret;
+}
+
+/**
+ * Add Subject Alternative Name otherName to the to-be-signed
+ * certificate object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param oid the oid of the OtherName.
+ * @param os data in the other name.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_add_san_otherName(hx509_context context,
+			       hx509_ca_tbs tbs,
+			       const heim_oid *oid,
+			       const heim_octet_string *os)
+{
+    GeneralName gn;
+
+    memset(&gn, 0, sizeof(gn));
+    gn.element = choice_GeneralName_otherName;
+    gn.u.otherName.type_id = *oid;
+    gn.u.otherName.value = *os;
+    
+    return add_GeneralNames(&tbs->san, &gn);
+}
+
+/**
+ * Add Kerberos Subject Alternative Name to the to-be-signed
+ * certificate object. The principal string is a UTF8 string.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param principal Kerberos principal to add to the certificate.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_add_san_pkinit(hx509_context context,
+			    hx509_ca_tbs tbs,
+			    const char *principal)
+{
+    heim_octet_string os;
+    KRB5PrincipalName p;
+    size_t size;
+    int ret;
+    char *s = NULL;
+
+    memset(&p, 0, sizeof(p));
+
+    /* parse principal */
+    {
+	const char *str;
+	char *q;
+	int n;
+	
+	/* count number of component */
+	n = 1;
+	for(str = principal; *str != '\0' && *str != '@'; str++){
+	    if(*str=='\\'){
+		if(str[1] == '\0' || str[1] == '@') {
+		    ret = HX509_PARSING_NAME_FAILED;
+		    hx509_set_error_string(context, 0, ret, 
+					   "trailing \\ in principal name");
+		    goto out;
+		}
+		str++;
+	    } else if(*str == '/')
+		n++;
+	}
+	p.principalName.name_string.val = 
+	    calloc(n, sizeof(*p.principalName.name_string.val));
+	if (p.principalName.name_string.val == NULL) {
+	    ret = ENOMEM;
+	    hx509_set_error_string(context, 0, ret, "malloc: out of memory");
+	    goto out;
+	}
+	p.principalName.name_string.len = n;
+	
+	p.principalName.name_type = KRB5_NT_PRINCIPAL;
+	q = s = strdup(principal);
+	if (q == NULL) {
+	    ret = ENOMEM;
+	    hx509_set_error_string(context, 0, ret, "malloc: out of memory");
+	    goto out;
+	}
+	p.realm = strrchr(q, '@');
+	if (p.realm == NULL) {
+	    ret = HX509_PARSING_NAME_FAILED;
+	    hx509_set_error_string(context, 0, ret, "Missing @ in principal");
+	    goto out;
+	};
+	*p.realm++ = '\0';
+
+	n = 0;
+	while (q) {
+	    p.principalName.name_string.val[n++] = q;
+	    q = strchr(q, '/');
+	    if (q)
+		*q++ = '\0';
+	}
+    }
+    
+    ASN1_MALLOC_ENCODE(KRB5PrincipalName, os.data, os.length, &p, &size, ret);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret, "Out of memory");
+	goto out;
+    }
+    if (size != os.length)
+	_hx509_abort("internal ASN.1 encoder error");
+    
+    ret = hx509_ca_tbs_add_san_otherName(context,
+					 tbs,
+					 oid_id_pkinit_san(),
+					 &os);
+    free(os.data);
+out:
+    if (p.principalName.name_string.val)
+	free (p.principalName.name_string.val);
+    if (s)
+	free(s);
+    return ret;
+}
+    
+/*
+ *
+ */
+
+static int
+add_utf8_san(hx509_context context,
+	     hx509_ca_tbs tbs,
+	     const heim_oid *oid,
+	     const char *string)
+{
+    const PKIXXmppAddr ustring = (const PKIXXmppAddr)string;
+    heim_octet_string os;
+    size_t size;
+    int ret;
+
+    os.length = 0;
+    os.data = NULL;
+
+    ASN1_MALLOC_ENCODE(PKIXXmppAddr, os.data, os.length, &ustring, &size, ret);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret, "Out of memory");
+	goto out;
+    }
+    if (size != os.length)
+	_hx509_abort("internal ASN.1 encoder error");
+    
+    ret = hx509_ca_tbs_add_san_otherName(context,
+					 tbs,
+					 oid,
+					 &os);
+    free(os.data);
+out:
+    return ret;
+}
+
+/**
+ * Add Microsoft UPN Subject Alternative Name to the to-be-signed
+ * certificate object. The principal string is a UTF8 string.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param principal Microsoft UPN string.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_add_san_ms_upn(hx509_context context,
+			    hx509_ca_tbs tbs,
+			    const char *principal)
+{
+    return add_utf8_san(context, tbs, oid_id_pkinit_ms_san(), principal);
+}
+
+/**
+ * Add a Jabber/XMPP jid Subject Alternative Name to the to-be-signed
+ * certificate object. The jid is an UTF8 string.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param jid string of an a jabber id in UTF8.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_add_san_jid(hx509_context context,
+			 hx509_ca_tbs tbs,
+			 const char *jid)
+{
+    return add_utf8_san(context, tbs, oid_id_pkix_on_xmppAddr(), jid);
+}
+
+
+/**
+ * Add a Subject Alternative Name hostname to to-be-signed certificate
+ * object. A domain match starts with ., an exact match does not.
+ *
+ * Example of a an domain match: .domain.se matches the hostname
+ * host.domain.se.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param dnsname a hostame.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_add_san_hostname(hx509_context context,
+			      hx509_ca_tbs tbs,
+			      const char *dnsname)
+{
+    GeneralName gn;
+
+    memset(&gn, 0, sizeof(gn));
+    gn.element = choice_GeneralName_dNSName;
+    gn.u.dNSName = rk_UNCONST(dnsname);
+    
+    return add_GeneralNames(&tbs->san, &gn);
+}
+
+/**
+ * Add a Subject Alternative Name rfc822 (email address) to
+ * to-be-signed certificate object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param rfc822Name a string to a email address.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_add_san_rfc822name(hx509_context context,
+				hx509_ca_tbs tbs,
+				const char *rfc822Name)
+{
+    GeneralName gn;
+
+    memset(&gn, 0, sizeof(gn));
+    gn.element = choice_GeneralName_rfc822Name;
+    gn.u.rfc822Name = rk_UNCONST(rfc822Name);
+    
+    return add_GeneralNames(&tbs->san, &gn);
+}
+
+/**
+ * Set the subject name of a to-be-signed certificate object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param subject the name to set a subject.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_set_subject(hx509_context context,
+			 hx509_ca_tbs tbs,
+			 hx509_name subject)
+{
+    if (tbs->subject)
+	hx509_name_free(&tbs->subject);
+    return hx509_name_copy(context, subject, &tbs->subject);
+}
+
+/**
+ * Expand the the subject name in the to-be-signed certificate object
+ * using hx509_name_expand().
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param env enviroment variable to expand variables in the subject
+ * name, see hx509_env_init().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_subject_expand(hx509_context context,
+			    hx509_ca_tbs tbs,
+			    hx509_env env)
+{
+    return hx509_name_expand(context, tbs->subject, env);
+}
+
+static int
+add_extension(hx509_context context,
+	      TBSCertificate *tbsc,
+	      int critical_flag,
+	      const heim_oid *oid,
+	      const heim_octet_string *data)
+{
+    Extension ext;
+    int ret;
+
+    memset(&ext, 0, sizeof(ext));
+
+    if (critical_flag) {
+	ext.critical = malloc(sizeof(*ext.critical));
+	if (ext.critical == NULL) {
+	    ret = ENOMEM;
+	    hx509_set_error_string(context, 0, ret, "Out of memory");
+	    goto out;
+	}
+	*ext.critical = TRUE;
+    }
+
+    ret = der_copy_oid(oid, &ext.extnID);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret, "Out of memory");
+	goto out;
+    }
+    ret = der_copy_octet_string(data, &ext.extnValue);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret, "Out of memory");
+	goto out;
+    }
+    ret = add_Extensions(tbsc->extensions, &ext);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret, "Out of memory");
+	goto out;
+    }
+out:
+    free_Extension(&ext);
+    return ret;
+}
+
+static int
+build_proxy_prefix(hx509_context context, const Name *issuer, Name *subject)
+{
+    char *tstr;
+    time_t t;
+    int ret;
+
+    ret = copy_Name(issuer, subject);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret,
+			       "Failed to copy subject name");
+	return ret;
+    }
+
+    t = time(NULL);
+    asprintf(&tstr, "ts-%lu", (unsigned long)t);
+    if (tstr == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM,
+			       "Failed to copy subject name");
+	return ENOMEM;
+    }
+    /* prefix with CN=<ts>,...*/
+    ret = _hx509_name_modify(context, subject, 1, oid_id_at_commonName(), tstr);
+    free(tstr);
+    if (ret)
+	free_Name(subject);
+    return ret;
+}
+
+static int
+ca_sign(hx509_context context,
+	hx509_ca_tbs tbs,
+	hx509_private_key signer,
+	const AuthorityKeyIdentifier *ai,
+	const Name *issuername,
+	hx509_cert *certificate)
+{
+    heim_octet_string data;
+    Certificate c;
+    TBSCertificate *tbsc;
+    size_t size;
+    int ret;
+    const AlgorithmIdentifier *sigalg;
+    time_t notBefore;
+    time_t notAfter;
+    unsigned key_usage;
+
+    sigalg = _hx509_crypto_default_sig_alg;
+
+    memset(&c, 0, sizeof(c));
+
+    /*
+     * Default values are: Valid since 24h ago, valid one year into
+     * the future, KeyUsage digitalSignature and keyEncipherment set,
+     * and keyCertSign for CA certificates.
+     */
+    notBefore = tbs->notBefore;
+    if (notBefore == 0)
+	notBefore = time(NULL) - 3600 * 24;
+    notAfter = tbs->notAfter;
+    if (notAfter == 0)
+	notAfter = time(NULL) + 3600 * 24 * 365;
+
+    key_usage = tbs->key_usage;
+    if (key_usage == 0) {
+	KeyUsage ku;
+	memset(&ku, 0, sizeof(ku));
+	ku.digitalSignature = 1;
+	ku.keyEncipherment = 1;
+	key_usage = KeyUsage2int(ku);
+    }
+
+    if (tbs->flags.ca) {
+	KeyUsage ku;
+	memset(&ku, 0, sizeof(ku));
+	ku.keyCertSign = 1;
+	ku.cRLSign = 1;
+	key_usage |= KeyUsage2int(ku);
+    }
+
+    /*
+     *
+     */
+
+    tbsc = &c.tbsCertificate;
+
+    if (tbs->flags.key == 0) {
+	ret = EINVAL;
+	hx509_set_error_string(context, 0, ret, "No public key set");
+	return ret;
+    }
+    /*
+     * Don't put restrictions on proxy certificate's subject name, it
+     * will be generated below.
+     */
+    if (!tbs->flags.proxy) {
+	if (tbs->subject == NULL) {
+	    hx509_set_error_string(context, 0, EINVAL, "No subject name set");
+	    return EINVAL;
+	}
+	if (hx509_name_is_null_p(tbs->subject) && tbs->san.len == 0) {
+	    hx509_set_error_string(context, 0, EINVAL, 
+				   "NULL subject and no SubjectAltNames");
+	    return EINVAL;
+	}
+    }
+    if (tbs->flags.ca && tbs->flags.proxy) {
+	hx509_set_error_string(context, 0, EINVAL, "Can't be proxy and CA "
+			       "at the same time");
+	return EINVAL;
+    }
+    if (tbs->flags.proxy) {
+	if (tbs->san.len > 0) {
+	    hx509_set_error_string(context, 0, EINVAL, 
+				   "Proxy certificate is not allowed "
+				   "to have SubjectAltNames");
+	    return EINVAL;
+	}
+    }
+
+    /* version         [0]  Version OPTIONAL, -- EXPLICIT nnn DEFAULT 1, */
+    tbsc->version = calloc(1, sizeof(*tbsc->version));
+    if (tbsc->version == NULL) {
+	ret = ENOMEM;
+	hx509_set_error_string(context, 0, ret, "Out of memory");
+	goto out;
+    }
+    *tbsc->version = rfc3280_version_3;
+    /* serialNumber         CertificateSerialNumber, */
+    if (tbs->flags.serial) {
+	ret = der_copy_heim_integer(&tbs->serial, &tbsc->serialNumber);
+	if (ret) {
+	    hx509_set_error_string(context, 0, ret, "Out of memory");
+	    goto out;
+	}
+    } else {
+	tbsc->serialNumber.length = 20;
+	tbsc->serialNumber.data = malloc(tbsc->serialNumber.length);
+	if (tbsc->serialNumber.data == NULL){
+	    ret = ENOMEM;
+	    hx509_set_error_string(context, 0, ret, "Out of memory");
+	    goto out;
+	}
+	/* XXX diffrent */
+	RAND_bytes(tbsc->serialNumber.data, tbsc->serialNumber.length);
+	((unsigned char *)tbsc->serialNumber.data)[0] &= 0x7f;
+    }
+    /* signature            AlgorithmIdentifier, */
+    ret = copy_AlgorithmIdentifier(sigalg, &tbsc->signature);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret, "Failed to copy sigature alg");
+	goto out;
+    }
+    /* issuer               Name, */
+    if (issuername)
+	ret = copy_Name(issuername, &tbsc->issuer);
+    else
+	ret = hx509_name_to_Name(tbs->subject, &tbsc->issuer);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret, "Failed to copy issuer name");
+	goto out;
+    }
+    /* validity             Validity, */
+    tbsc->validity.notBefore.element = choice_Time_generalTime;
+    tbsc->validity.notBefore.u.generalTime = notBefore;
+    tbsc->validity.notAfter.element = choice_Time_generalTime;
+    tbsc->validity.notAfter.u.generalTime = notAfter;
+    /* subject              Name, */
+    if (tbs->flags.proxy) {
+	ret = build_proxy_prefix(context, &tbsc->issuer, &tbsc->subject);
+	if (ret)
+	    goto out;
+    } else {
+	ret = hx509_name_to_Name(tbs->subject, &tbsc->subject);
+	if (ret) {
+	    hx509_set_error_string(context, 0, ret,
+				   "Failed to copy subject name");
+	    goto out;
+	}
+    }
+    /* subjectPublicKeyInfo SubjectPublicKeyInfo, */
+    ret = copy_SubjectPublicKeyInfo(&tbs->spki, &tbsc->subjectPublicKeyInfo);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret, "Failed to copy spki");
+	goto out;
+    }
+    /* issuerUniqueID  [1]  IMPLICIT BIT STRING OPTIONAL */
+    /* subjectUniqueID [2]  IMPLICIT BIT STRING OPTIONAL */
+    /* extensions      [3]  EXPLICIT Extensions OPTIONAL */
+    tbsc->extensions = calloc(1, sizeof(*tbsc->extensions));
+    if (tbsc->extensions == NULL) {
+	ret = ENOMEM;
+	hx509_set_error_string(context, 0, ret, "Out of memory");
+	goto out;
+    }
+    
+    /* Add the text BMP string Domaincontroller to the cert */
+    if (tbs->flags.domaincontroller) {
+	data.data = rk_UNCONST("\x1e\x20\x00\x44\x00\x6f\x00\x6d"
+			       "\x00\x61\x00\x69\x00\x6e\x00\x43"
+			       "\x00\x6f\x00\x6e\x00\x74\x00\x72"
+			       "\x00\x6f\x00\x6c\x00\x6c\x00\x65"
+			       "\x00\x72");
+	data.length = 34;
+
+	ret = add_extension(context, tbsc, 0,
+			    oid_id_ms_cert_enroll_domaincontroller(),
+			    &data);
+	if (ret)
+	    goto out;
+    }
+
+    /* add KeyUsage */
+    {
+	KeyUsage ku;
+
+	ku = int2KeyUsage(key_usage);
+	ASN1_MALLOC_ENCODE(KeyUsage, data.data, data.length, &ku, &size, ret);
+	if (ret) {
+	    hx509_set_error_string(context, 0, ret, "Out of memory");
+	    goto out;
+	}
+	if (size != data.length)
+	    _hx509_abort("internal ASN.1 encoder error");
+	ret = add_extension(context, tbsc, 1,
+			    oid_id_x509_ce_keyUsage(), &data);
+	free(data.data);
+	if (ret)
+	    goto out;
+    }
+
+    /* add ExtendedKeyUsage */
+    if (tbs->eku.len > 0) {
+	ASN1_MALLOC_ENCODE(ExtKeyUsage, data.data, data.length, 
+			   &tbs->eku, &size, ret);
+	if (ret) {
+	    hx509_set_error_string(context, 0, ret, "Out of memory");
+	    goto out;
+	}
+	if (size != data.length)
+	    _hx509_abort("internal ASN.1 encoder error");
+	ret = add_extension(context, tbsc, 0,
+			    oid_id_x509_ce_extKeyUsage(), &data);
+	free(data.data);
+	if (ret)
+	    goto out;
+    }
+
+    /* add Subject Alternative Name */
+    if (tbs->san.len > 0) {
+	ASN1_MALLOC_ENCODE(GeneralNames, data.data, data.length, 
+			   &tbs->san, &size, ret);
+	if (ret) {
+	    hx509_set_error_string(context, 0, ret, "Out of memory");
+	    goto out;
+	}
+	if (size != data.length)
+	    _hx509_abort("internal ASN.1 encoder error");
+	ret = add_extension(context, tbsc, 0,
+			    oid_id_x509_ce_subjectAltName(),
+			    &data);
+	free(data.data);
+	if (ret)
+	    goto out;
+    }
+
+    /* Add Authority Key Identifier */
+    if (ai) {
+	ASN1_MALLOC_ENCODE(AuthorityKeyIdentifier, data.data, data.length, 
+			   ai, &size, ret);
+	if (ret) {
+	    hx509_set_error_string(context, 0, ret, "Out of memory");
+	    goto out;
+	}
+	if (size != data.length)
+	    _hx509_abort("internal ASN.1 encoder error");
+	ret = add_extension(context, tbsc, 0,
+			    oid_id_x509_ce_authorityKeyIdentifier(),
+			    &data);
+	free(data.data);
+	if (ret)
+	    goto out;
+    }
+
+    /* Add Subject Key Identifier */
+    {
+	SubjectKeyIdentifier si;
+	unsigned char hash[SHA_DIGEST_LENGTH];
+
+	{
+	    SHA_CTX m;
+	    
+	    SHA1_Init(&m);
+	    SHA1_Update(&m, tbs->spki.subjectPublicKey.data,
+			tbs->spki.subjectPublicKey.length / 8);
+	    SHA1_Final (hash, &m);
+	}
+
+	si.data = hash;
+	si.length = sizeof(hash);
+
+	ASN1_MALLOC_ENCODE(SubjectKeyIdentifier, data.data, data.length, 
+			   &si, &size, ret);
+	if (ret) {
+	    hx509_set_error_string(context, 0, ret, "Out of memory");
+	    goto out;
+	}
+	if (size != data.length)
+	    _hx509_abort("internal ASN.1 encoder error");
+	ret = add_extension(context, tbsc, 0,
+			    oid_id_x509_ce_subjectKeyIdentifier(),
+			    &data);
+	free(data.data);
+	if (ret)
+	    goto out;
+    }
+
+    /* Add BasicConstraints */ 
+    {
+	BasicConstraints bc;
+	int aCA = 1;
+	uint32_t path;
+
+	memset(&bc, 0, sizeof(bc));
+
+	if (tbs->flags.ca) {
+	    bc.cA = &aCA;
+	    if (tbs->pathLenConstraint >= 0) {
+		path = tbs->pathLenConstraint;
+		bc.pathLenConstraint = &path;
+	    }
+	}
+
+	ASN1_MALLOC_ENCODE(BasicConstraints, data.data, data.length, 
+			   &bc, &size, ret);
+	if (ret) {
+	    hx509_set_error_string(context, 0, ret, "Out of memory");
+	    goto out;
+	}
+	if (size != data.length)
+	    _hx509_abort("internal ASN.1 encoder error");
+	/* Critical if this is a CA */
+	ret = add_extension(context, tbsc, tbs->flags.ca,
+			    oid_id_x509_ce_basicConstraints(),
+			    &data);
+	free(data.data);
+	if (ret)
+	    goto out;
+    }
+
+    /* add Proxy */
+    if (tbs->flags.proxy) {
+	ProxyCertInfo info;
+
+	memset(&info, 0, sizeof(info));
+
+	if (tbs->pathLenConstraint >= 0) {
+	    info.pCPathLenConstraint = 
+		malloc(sizeof(*info.pCPathLenConstraint));
+	    if (info.pCPathLenConstraint == NULL) {
+		ret = ENOMEM;
+		hx509_set_error_string(context, 0, ret, "Out of memory");
+		goto out;
+	    }
+	    *info.pCPathLenConstraint = tbs->pathLenConstraint;
+	}
+
+	ret = der_copy_oid(oid_id_pkix_ppl_inheritAll(),
+			   &info.proxyPolicy.policyLanguage);
+	if (ret) {
+	    free_ProxyCertInfo(&info);
+	    hx509_set_error_string(context, 0, ret, "Out of memory");
+	    goto out;
+	}
+
+	ASN1_MALLOC_ENCODE(ProxyCertInfo, data.data, data.length, 
+			   &info, &size, ret);
+	free_ProxyCertInfo(&info);
+	if (ret) {
+	    hx509_set_error_string(context, 0, ret, "Out of memory");
+	    goto out;
+	}
+	if (size != data.length)
+	    _hx509_abort("internal ASN.1 encoder error");
+	ret = add_extension(context, tbsc, 0,
+			    oid_id_pkix_pe_proxyCertInfo(),
+			    &data);
+	free(data.data);
+	if (ret)
+	    goto out;
+    }
+
+    if (tbs->crldp.len) {
+
+	ASN1_MALLOC_ENCODE(CRLDistributionPoints, data.data, data.length,
+			   &tbs->crldp, &size, ret);
+	if (ret) {
+	    hx509_set_error_string(context, 0, ret, "Out of memory");
+	    goto out;
+	}
+	if (size != data.length)
+	    _hx509_abort("internal ASN.1 encoder error");
+	ret = add_extension(context, tbsc, FALSE,
+			    oid_id_x509_ce_cRLDistributionPoints(),
+			    &data);
+	free(data.data);
+	if (ret)
+	    goto out;
+    }
+
+    ASN1_MALLOC_ENCODE(TBSCertificate, data.data, data.length,tbsc, &size, ret);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret, "malloc out of memory");
+	goto out;
+    }
+    if (data.length != size)
+	_hx509_abort("internal ASN.1 encoder error");
+
+    ret = _hx509_create_signature_bitstring(context,
+					    signer,
+					    sigalg,
+					    &data,
+					    &c.signatureAlgorithm,
+					    &c.signatureValue);
+    free(data.data);
+    if (ret)
+	goto out;
+
+    ret = hx509_cert_init(context, &c, certificate);
+    if (ret)
+	goto out;
+
+    free_Certificate(&c);
+
+    return 0;
+
+out:
+    free_Certificate(&c);
+    return ret;
+}
+
+static int
+get_AuthorityKeyIdentifier(hx509_context context,
+			   const Certificate *certificate,
+			   AuthorityKeyIdentifier *ai)
+{
+    SubjectKeyIdentifier si;
+    int ret;
+
+    ret = _hx509_find_extension_subject_key_id(certificate, &si);
+    if (ret == 0) {
+	ai->keyIdentifier = calloc(1, sizeof(*ai->keyIdentifier));
+	if (ai->keyIdentifier == NULL) {
+	    free_SubjectKeyIdentifier(&si);
+	    ret = ENOMEM;
+	    hx509_set_error_string(context, 0, ret, "Out of memory");
+	    goto out;
+	}
+	ret = der_copy_octet_string(&si, ai->keyIdentifier);
+	free_SubjectKeyIdentifier(&si);
+	if (ret) {
+	    hx509_set_error_string(context, 0, ret, "Out of memory");
+	    goto out;
+	}
+    } else {
+	GeneralNames gns;
+	GeneralName gn;
+	Name name;
+
+	memset(&gn, 0, sizeof(gn));
+	memset(&gns, 0, sizeof(gns));
+	memset(&name, 0, sizeof(name));
+
+	ai->authorityCertIssuer = 
+	    calloc(1, sizeof(*ai->authorityCertIssuer));
+	if (ai->authorityCertIssuer == NULL) {
+	    ret = ENOMEM;
+	    hx509_set_error_string(context, 0, ret, "Out of memory");
+	    goto out;
+	}
+	ai->authorityCertSerialNumber = 
+	    calloc(1, sizeof(*ai->authorityCertSerialNumber));
+	if (ai->authorityCertSerialNumber == NULL) {
+	    ret = ENOMEM;
+	    hx509_set_error_string(context, 0, ret, "Out of memory");
+	    goto out;
+	}
+
+	/* 
+	 * XXX unbreak when asn1 compiler handle IMPLICIT
+	 *
+	 * This is so horrible.
+	 */
+
+	ret = copy_Name(&certificate->tbsCertificate.subject, &name);
+	if (ai->authorityCertSerialNumber == NULL) {
+	    ret = ENOMEM;
+	    hx509_set_error_string(context, 0, ret, "Out of memory");
+	    goto out;
+	}
+
+	memset(&gn, 0, sizeof(gn));
+	gn.element = choice_GeneralName_directoryName;
+	gn.u.directoryName.element = 
+	    choice_GeneralName_directoryName_rdnSequence;
+	gn.u.directoryName.u.rdnSequence = name.u.rdnSequence;
+
+	ret = add_GeneralNames(&gns, &gn);
+	if (ret) {
+	    hx509_set_error_string(context, 0, ret, "Out of memory");
+	    goto out;
+	}
+
+	ai->authorityCertIssuer->val = gns.val;
+	ai->authorityCertIssuer->len = gns.len;
+
+	ret = der_copy_heim_integer(&certificate->tbsCertificate.serialNumber,
+				    ai->authorityCertSerialNumber);
+	if (ai->authorityCertSerialNumber == NULL) {
+	    ret = ENOMEM;
+	    hx509_set_error_string(context, 0, ret, "Out of memory");
+	    goto out;
+	}
+    }
+out:
+    if (ret)
+	free_AuthorityKeyIdentifier(ai);
+    return ret;
+}
+
+
+/**
+ * Sign a to-be-signed certificate object with a issuer certificate. 
+ *
+ * The caller needs to at least have called the following functions on the
+ * to-be-signed certificate object:
+ * - hx509_ca_tbs_init()
+ * - hx509_ca_tbs_set_subject()
+ * - hx509_ca_tbs_set_spki()
+ *
+ * When done the to-be-signed certificate object should be freed with
+ * hx509_ca_tbs_free().
+ *
+ * When creating self-signed certificate use hx509_ca_sign_self() instead.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param signer the CA certificate object to sign with (need private key).
+ * @param certificate return cerificate, free with hx509_cert_free().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_sign(hx509_context context,
+	      hx509_ca_tbs tbs,
+	      hx509_cert signer,
+	      hx509_cert *certificate)
+{
+    const Certificate *signer_cert;
+    AuthorityKeyIdentifier ai;
+    int ret;
+
+    memset(&ai, 0, sizeof(ai));
+
+    signer_cert = _hx509_get_cert(signer);
+
+    ret = get_AuthorityKeyIdentifier(context, signer_cert, &ai);
+    if (ret)
+	goto out;
+
+    ret = ca_sign(context,
+		  tbs, 
+		  _hx509_cert_private_key(signer),
+		  &ai,
+		  &signer_cert->tbsCertificate.subject,
+		  certificate);
+
+out:
+    free_AuthorityKeyIdentifier(&ai);
+
+    return ret;
+}
+
+/**
+ * Work just like hx509_ca_sign() but signs it-self.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param signer private key to sign with.
+ * @param certificate return cerificate, free with hx509_cert_free().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_sign_self(hx509_context context,
+		   hx509_ca_tbs tbs,
+		   hx509_private_key signer,
+		   hx509_cert *certificate)
+{
+    return ca_sign(context,
+		   tbs, 
+		   signer,
+		   NULL,
+		   NULL,
+		   certificate);
+}
diff --git a/crypto/heimdal/lib/hx509/cert.c b/crypto/heimdal/lib/hx509/cert.c
new file mode 100644
index 0000000..1520e23
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/cert.c
@@ -0,0 +1,3108 @@
+/*
+ * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hx_locl.h"
+RCSID("$Id: cert.c 22450 2008-01-15 19:39:14Z lha $");
+#include "crypto-headers.h"
+#include <rtbl.h>
+
+/**
+ * @page page_cert The basic certificate
+ *
+ * The basic hx509 cerificate object in hx509 is hx509_cert. The
+ * hx509_cert object is representing one X509/PKIX certificate and
+ * associated attributes; like private key, friendly name, etc.
+ *
+ * A hx509_cert object is usully found via the keyset interfaces (@ref
+ * page_keyset), but its also possible to create a certificate
+ * directly from a parsed object with hx509_cert_init() and
+ * hx509_cert_init_data().
+ *
+ * See the library functions here: @ref hx509_cert
+ */
+
+struct hx509_verify_ctx_data {
+    hx509_certs trust_anchors;
+    int flags;
+#define HX509_VERIFY_CTX_F_TIME_SET			1
+#define HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE	2
+#define HX509_VERIFY_CTX_F_REQUIRE_RFC3280		4
+#define HX509_VERIFY_CTX_F_CHECK_TRUST_ANCHORS		8
+#define HX509_VERIFY_CTX_F_NO_DEFAULT_ANCHORS		16
+    time_t time_now;
+    unsigned int max_depth;
+#define HX509_VERIFY_MAX_DEPTH 30
+    hx509_revoke_ctx revoke_ctx;
+};
+
+#define REQUIRE_RFC3280(ctx) ((ctx)->flags & HX509_VERIFY_CTX_F_REQUIRE_RFC3280)
+#define CHECK_TA(ctx) ((ctx)->flags & HX509_VERIFY_CTX_F_CHECK_TRUST_ANCHORS)
+#define ALLOW_DEF_TA(ctx) (((ctx)->flags & HX509_VERIFY_CTX_F_NO_DEFAULT_ANCHORS) == 0)
+
+struct _hx509_cert_attrs {
+    size_t len;
+    hx509_cert_attribute *val;
+};
+
+struct hx509_cert_data {
+    unsigned int ref;
+    char *friendlyname;
+    Certificate *data;
+    hx509_private_key private_key;
+    struct _hx509_cert_attrs attrs;
+    hx509_name basename;
+    _hx509_cert_release_func release;
+    void *ctx;
+};
+
+typedef struct hx509_name_constraints {
+    NameConstraints *val;
+    size_t len;
+} hx509_name_constraints;
+
+#define GeneralSubtrees_SET(g,var) \
+	(g)->len = (var)->len, (g)->val = (var)->val;
+
+/**
+ * Creates a hx509 context that most functions in the library
+ * uses. The context is only allowed to be used by one thread at each
+ * moment. Free the context with hx509_context_free().
+ *
+ * @param context Returns a pointer to new hx509 context.
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509
+ */
+
+int
+hx509_context_init(hx509_context *context)
+{
+    *context = calloc(1, sizeof(**context));
+    if (*context == NULL)
+	return ENOMEM;
+
+    _hx509_ks_null_register(*context);
+    _hx509_ks_mem_register(*context);
+    _hx509_ks_file_register(*context);
+    _hx509_ks_pkcs12_register(*context);
+    _hx509_ks_pkcs11_register(*context);
+    _hx509_ks_dir_register(*context);
+    _hx509_ks_keychain_register(*context);
+
+    ENGINE_add_conf_module();
+    OpenSSL_add_all_algorithms();
+
+    (*context)->ocsp_time_diff = HX509_DEFAULT_OCSP_TIME_DIFF;
+
+    initialize_hx_error_table_r(&(*context)->et_list);
+    initialize_asn1_error_table_r(&(*context)->et_list);
+
+#ifdef HX509_DEFAULT_ANCHORS
+    (void)hx509_certs_init(*context, HX509_DEFAULT_ANCHORS, 0,
+			   NULL, &(*context)->default_trust_anchors);
+#endif
+
+    return 0;
+}
+
+/**
+ * Selects if the hx509_revoke_verify() function is going to require
+ * the existans of a revokation method (OSCP, CRL) or not. Note that
+ * hx509_verify_path(), hx509_cms_verify_signed(), and other function
+ * call hx509_revoke_verify().
+ * 
+ * @param context hx509 context to change the flag for.
+ * @param flag zero, revokation method required, non zero missing
+ * revokation method ok
+ *
+ * @ingroup hx509_verify
+ */
+
+void
+hx509_context_set_missing_revoke(hx509_context context, int flag)
+{
+    if (flag)
+	context->flags |= HX509_CTX_VERIFY_MISSING_OK;
+    else
+	context->flags &= ~HX509_CTX_VERIFY_MISSING_OK;
+}
+
+/**
+ * Free the context allocated by hx509_context_init().
+ * 
+ * @param context context to be freed.
+ *
+ * @ingroup hx509
+ */
+
+void
+hx509_context_free(hx509_context *context)
+{
+    hx509_clear_error_string(*context);
+    if ((*context)->ks_ops) {
+	free((*context)->ks_ops);
+	(*context)->ks_ops = NULL;
+    }
+    (*context)->ks_num_ops = 0;
+    free_error_table ((*context)->et_list);
+    if ((*context)->querystat)
+	free((*context)->querystat);
+    memset(*context, 0, sizeof(**context));
+    free(*context);
+    *context = NULL;
+}
+
+/*
+ *
+ */
+
+Certificate *
+_hx509_get_cert(hx509_cert cert)
+{
+    return cert->data;
+}
+
+/*
+ *
+ */
+
+int
+_hx509_cert_get_version(const Certificate *t)
+{
+    return t->tbsCertificate.version ? *t->tbsCertificate.version + 1 : 1;
+}
+
+/**
+ * Allocate and init an hx509 certificate object from the decoded
+ * certificate `c´.
+ *
+ * @param context A hx509 context.
+ * @param c
+ * @param cert
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_cert
+ */
+
+int
+hx509_cert_init(hx509_context context, const Certificate *c, hx509_cert *cert)
+{
+    int ret;
+
+    *cert = malloc(sizeof(**cert));
+    if (*cert == NULL)
+	return ENOMEM;
+    (*cert)->ref = 1;
+    (*cert)->friendlyname = NULL;
+    (*cert)->attrs.len = 0;
+    (*cert)->attrs.val = NULL;
+    (*cert)->private_key = NULL;
+    (*cert)->basename = NULL;
+    (*cert)->release = NULL;
+    (*cert)->ctx = NULL;
+
+    (*cert)->data = calloc(1, sizeof(*(*cert)->data));
+    if ((*cert)->data == NULL) {
+	free(*cert);
+	return ENOMEM;
+    }
+    ret = copy_Certificate(c, (*cert)->data);
+    if (ret) {
+	free((*cert)->data);
+	free(*cert);
+	*cert = NULL;
+    }
+    return ret;
+}
+
+/**
+ * Just like hx509_cert_init(), but instead of a decode certificate
+ * takes an pointer and length to a memory region that contains a
+ * DER/BER encoded certificate.
+ *
+ * If the memory region doesn't contain just the certificate and
+ * nothing more the function will fail with
+ * HX509_EXTRA_DATA_AFTER_STRUCTURE.
+ *
+ * @param context A hx509 context.
+ * @param ptr pointer to memory region containing encoded certificate.
+ * @param len length of memory region.
+ * @param cert a return pointer to a hx509 certificate object, will
+ * contain NULL on error.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
+int
+hx509_cert_init_data(hx509_context context, 
+		     const void *ptr,
+		     size_t len,
+		     hx509_cert *cert)
+{
+    Certificate t;
+    size_t size;
+    int ret;
+
+    ret = decode_Certificate(ptr, len, &t, &size);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret, "Failed to decode certificate");
+	return ret;
+    }
+    if (size != len) {
+	hx509_set_error_string(context, 0, HX509_EXTRA_DATA_AFTER_STRUCTURE,
+			       "Extra data after certificate");
+	return HX509_EXTRA_DATA_AFTER_STRUCTURE;
+    }
+
+    ret = hx509_cert_init(context, &t, cert);
+    free_Certificate(&t);
+    return ret;
+}
+
+void
+_hx509_cert_set_release(hx509_cert cert, 
+			_hx509_cert_release_func release,
+			void *ctx)
+{
+    cert->release = release;
+    cert->ctx = ctx;
+}
+
+
+/* Doesn't make a copy of `private_key'. */
+
+int
+_hx509_cert_assign_key(hx509_cert cert, hx509_private_key private_key)
+{
+    if (cert->private_key)
+	_hx509_private_key_free(&cert->private_key);
+    cert->private_key = _hx509_private_key_ref(private_key);
+    return 0;
+}
+
+/**
+ * Free reference to the hx509 certificate object, if the refcounter
+ * reaches 0, the object if freed. Its allowed to pass in NULL.
+ *
+ * @param cert the cert to free.
+ *
+ * @ingroup hx509_cert
+ */
+
+void
+hx509_cert_free(hx509_cert cert)
+{
+    int i;
+
+    if (cert == NULL)
+	return;
+
+    if (cert->ref <= 0)
+	_hx509_abort("cert refcount <= 0 on free");
+    if (--cert->ref > 0)
+	return;
+
+    if (cert->release)
+	(cert->release)(cert, cert->ctx);
+
+    if (cert->private_key)
+	_hx509_private_key_free(&cert->private_key);
+
+    free_Certificate(cert->data);
+    free(cert->data);
+
+    for (i = 0; i < cert->attrs.len; i++) {
+	der_free_octet_string(&cert->attrs.val[i]->data);
+	der_free_oid(&cert->attrs.val[i]->oid);
+	free(cert->attrs.val[i]);
+    }
+    free(cert->attrs.val);
+    free(cert->friendlyname);
+    if (cert->basename)
+	hx509_name_free(&cert->basename);
+    memset(cert, 0, sizeof(cert));
+    free(cert);
+}
+
+/**
+ * Add a reference to a hx509 certificate object.
+ *
+ * @param cert a pointer to an hx509 certificate object.
+ *
+ * @return the same object as is passed in.
+ *
+ * @ingroup hx509_cert
+ */
+
+hx509_cert
+hx509_cert_ref(hx509_cert cert)
+{
+    if (cert == NULL)
+	return NULL;
+    if (cert->ref <= 0)
+	_hx509_abort("cert refcount <= 0");
+    cert->ref++;
+    if (cert->ref == 0)
+	_hx509_abort("cert refcount == 0");
+    return cert;
+}
+
+/**
+ * Allocate an verification context that is used fo control the
+ * verification process. 
+ *
+ * @param context A hx509 context.
+ * @param ctx returns a pointer to a hx509_verify_ctx object.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_verify
+ */
+
+int
+hx509_verify_init_ctx(hx509_context context, hx509_verify_ctx *ctx)
+{
+    hx509_verify_ctx c;
+
+    c = calloc(1, sizeof(*c));
+    if (c == NULL)
+	return ENOMEM;
+
+    c->max_depth = HX509_VERIFY_MAX_DEPTH;
+
+    *ctx = c;
+    
+    return 0;
+}
+
+/**
+ * Free an hx509 verification context.
+ *
+ * @param ctx the context to be freed.
+ *
+ * @ingroup hx509_verify
+ */
+
+void
+hx509_verify_destroy_ctx(hx509_verify_ctx ctx)
+{
+    if (ctx) {
+	hx509_certs_free(&ctx->trust_anchors);
+	hx509_revoke_free(&ctx->revoke_ctx);
+	memset(ctx, 0, sizeof(*ctx));
+    }
+    free(ctx);
+}
+
+/**
+ * Set the trust anchors in the verification context, makes an
+ * reference to the keyset, so the consumer can free the keyset
+ * independent of the destruction of the verification context (ctx).
+ *
+ * @param ctx a verification context
+ * @param set a keyset containing the trust anchors.
+ *
+ * @ingroup hx509_verify
+ */
+
+void
+hx509_verify_attach_anchors(hx509_verify_ctx ctx, hx509_certs set)
+{
+    ctx->trust_anchors = _hx509_certs_ref(set);
+}
+
+/**
+ * Attach an revocation context to the verfication context, , makes an
+ * reference to the revoke context, so the consumer can free the
+ * revoke context independent of the destruction of the verification
+ * context. If there is no revoke context, the verification process is
+ * NOT going to check any verification status.
+ *
+ * @param ctx a verification context.
+ * @param revoke_ctx a revoke context.
+ *
+ * @ingroup hx509_verify
+ */
+
+void
+hx509_verify_attach_revoke(hx509_verify_ctx ctx, hx509_revoke_ctx revoke_ctx)
+{
+    if (ctx->revoke_ctx)
+	hx509_revoke_free(&ctx->revoke_ctx);
+    ctx->revoke_ctx = _hx509_revoke_ref(revoke_ctx);
+}
+
+/**
+ * Set the clock time the the verification process is going to
+ * use. Used to check certificate in the past and future time. If not
+ * set the current time will be used.
+ *
+ * @param ctx a verification context.
+ * @param t the time the verifiation is using.
+ *
+ *
+ * @ingroup hx509_verify
+ */
+
+void
+hx509_verify_set_time(hx509_verify_ctx ctx, time_t t)
+{
+    ctx->flags |= HX509_VERIFY_CTX_F_TIME_SET;
+    ctx->time_now = t;
+}
+
+/**
+ * Set the maximum depth of the certificate chain that the path
+ * builder is going to try.
+ *
+ * @param ctx a verification context
+ * @param max_depth maxium depth of the certificate chain, include
+ * trust anchor.
+ *
+ * @ingroup hx509_verify
+ */
+
+void
+hx509_verify_set_max_depth(hx509_verify_ctx ctx, unsigned int max_depth)
+{
+    ctx->max_depth = max_depth;
+}
+
+/**
+ * Allow or deny the use of proxy certificates
+ *
+ * @param ctx a verification context
+ * @param boolean if non zero, allow proxy certificates.
+ *
+ * @ingroup hx509_verify
+ */
+
+void
+hx509_verify_set_proxy_certificate(hx509_verify_ctx ctx, int boolean)
+{
+    if (boolean)
+	ctx->flags |= HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE;
+    else
+	ctx->flags &= ~HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE;
+}
+
+/**
+ * Select strict RFC3280 verification of certificiates. This means
+ * checking key usage on CA certificates, this will make version 1
+ * certificiates unuseable.
+ *
+ * @param ctx a verification context
+ * @param boolean if non zero, use strict verification.
+ *
+ * @ingroup hx509_verify
+ */
+
+void
+hx509_verify_set_strict_rfc3280_verification(hx509_verify_ctx ctx, int boolean)
+{
+    if (boolean)
+	ctx->flags |= HX509_VERIFY_CTX_F_REQUIRE_RFC3280;
+    else
+	ctx->flags &= ~HX509_VERIFY_CTX_F_REQUIRE_RFC3280;
+}
+
+/**
+ * Allow using the operating system builtin trust anchors if no other
+ * trust anchors are configured.
+ *
+ * @param ctx a verification context
+ * @param boolean if non zero, useing the operating systems builtin
+ * trust anchors.
+ *
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
+void
+hx509_verify_ctx_f_allow_default_trustanchors(hx509_verify_ctx ctx, int boolean)
+{
+    if (boolean)
+	ctx->flags &= ~HX509_VERIFY_CTX_F_NO_DEFAULT_ANCHORS;
+    else
+	ctx->flags |= HX509_VERIFY_CTX_F_NO_DEFAULT_ANCHORS;
+}
+
+static const Extension *
+find_extension(const Certificate *cert, const heim_oid *oid, int *idx)
+{
+    const TBSCertificate *c = &cert->tbsCertificate;
+
+    if (c->version == NULL || *c->version < 2 || c->extensions == NULL)
+	return NULL;
+    
+    for (;*idx < c->extensions->len; (*idx)++) {
+	if (der_heim_oid_cmp(&c->extensions->val[*idx].extnID, oid) == 0)
+	    return &c->extensions->val[(*idx)++];
+    }
+    return NULL;
+}
+
+static int
+find_extension_auth_key_id(const Certificate *subject, 
+			   AuthorityKeyIdentifier *ai)
+{
+    const Extension *e;
+    size_t size;
+    int i = 0;
+
+    memset(ai, 0, sizeof(*ai));
+
+    e = find_extension(subject, oid_id_x509_ce_authorityKeyIdentifier(), &i);
+    if (e == NULL)
+	return HX509_EXTENSION_NOT_FOUND;
+    
+    return decode_AuthorityKeyIdentifier(e->extnValue.data, 
+					 e->extnValue.length, 
+					 ai, &size);
+}
+
+int
+_hx509_find_extension_subject_key_id(const Certificate *issuer,
+				     SubjectKeyIdentifier *si)
+{
+    const Extension *e;
+    size_t size;
+    int i = 0;
+
+    memset(si, 0, sizeof(*si));
+
+    e = find_extension(issuer, oid_id_x509_ce_subjectKeyIdentifier(), &i);
+    if (e == NULL)
+	return HX509_EXTENSION_NOT_FOUND;
+    
+    return decode_SubjectKeyIdentifier(e->extnValue.data, 
+				       e->extnValue.length,
+				       si, &size);
+}
+
+static int
+find_extension_name_constraints(const Certificate *subject, 
+				NameConstraints *nc)
+{
+    const Extension *e;
+    size_t size;
+    int i = 0;
+
+    memset(nc, 0, sizeof(*nc));
+
+    e = find_extension(subject, oid_id_x509_ce_nameConstraints(), &i);
+    if (e == NULL)
+	return HX509_EXTENSION_NOT_FOUND;
+    
+    return decode_NameConstraints(e->extnValue.data, 
+				  e->extnValue.length, 
+				  nc, &size);
+}
+
+static int
+find_extension_subject_alt_name(const Certificate *cert, int *i,
+				GeneralNames *sa)
+{
+    const Extension *e;
+    size_t size;
+
+    memset(sa, 0, sizeof(*sa));
+
+    e = find_extension(cert, oid_id_x509_ce_subjectAltName(), i);
+    if (e == NULL)
+	return HX509_EXTENSION_NOT_FOUND;
+    
+    return decode_GeneralNames(e->extnValue.data, 
+			       e->extnValue.length,
+			       sa, &size);
+}
+
+static int
+find_extension_eku(const Certificate *cert, ExtKeyUsage *eku)
+{
+    const Extension *e;
+    size_t size;
+    int i = 0;
+
+    memset(eku, 0, sizeof(*eku));
+
+    e = find_extension(cert, oid_id_x509_ce_extKeyUsage(), &i);
+    if (e == NULL)
+	return HX509_EXTENSION_NOT_FOUND;
+    
+    return decode_ExtKeyUsage(e->extnValue.data, 
+			      e->extnValue.length,
+			      eku, &size);
+}
+
+static int
+add_to_list(hx509_octet_string_list *list, const heim_octet_string *entry)
+{
+    void *p;
+    int ret;
+
+    p = realloc(list->val, (list->len + 1) * sizeof(list->val[0]));
+    if (p == NULL)
+	return ENOMEM;
+    list->val = p;
+    ret = der_copy_octet_string(entry, &list->val[list->len]);
+    if (ret)
+	return ret;
+    list->len++;
+    return 0;
+}
+
+/**
+ * Free a list of octet strings returned by another hx509 library
+ * function.
+ *
+ * @param list list to be freed.
+ *
+ * @ingroup hx509_misc
+ */
+
+void
+hx509_free_octet_string_list(hx509_octet_string_list *list)
+{
+    int i;
+    for (i = 0; i < list->len; i++)
+	der_free_octet_string(&list->val[i]);
+    free(list->val);
+    list->val = NULL;
+    list->len = 0;
+}
+
+/**
+ * Return a list of subjectAltNames specified by oid in the
+ * certificate. On error the 
+ *
+ * The returned list of octet string should be freed with
+ * hx509_free_octet_string_list().
+ *
+ * @param context A hx509 context.
+ * @param cert a hx509 certificate object.
+ * @param oid an oid to for SubjectAltName.
+ * @param list list of matching SubjectAltName.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
+int
+hx509_cert_find_subjectAltName_otherName(hx509_context context,
+					 hx509_cert cert,
+					 const heim_oid *oid,
+					 hx509_octet_string_list *list)
+{
+    GeneralNames sa;
+    int ret, i, j;
+
+    list->val = NULL;
+    list->len = 0;
+
+    i = 0;
+    while (1) {
+	ret = find_extension_subject_alt_name(_hx509_get_cert(cert), &i, &sa);
+	i++;
+	if (ret == HX509_EXTENSION_NOT_FOUND) {
+	    ret = 0;
+	    break;
+	} else if (ret != 0) {
+	    hx509_set_error_string(context, 0, ret, "Error searching for SAN");
+	    hx509_free_octet_string_list(list);
+	    return ret;
+	}
+
+	for (j = 0; j < sa.len; j++) {
+	    if (sa.val[j].element == choice_GeneralName_otherName &&
+		der_heim_oid_cmp(&sa.val[j].u.otherName.type_id, oid) == 0) 
+	    {
+		ret = add_to_list(list, &sa.val[j].u.otherName.value);
+		if (ret) {
+		    hx509_set_error_string(context, 0, ret, 
+					   "Error adding an exra SAN to "
+					   "return list");
+		    hx509_free_octet_string_list(list);
+		    free_GeneralNames(&sa);
+		    return ret;
+		}
+	    }
+	}
+	free_GeneralNames(&sa);
+    }
+    return 0;
+}
+
+
+static int
+check_key_usage(hx509_context context, const Certificate *cert, 
+		unsigned flags, int req_present)
+{
+    const Extension *e;
+    KeyUsage ku;
+    size_t size;
+    int ret, i = 0;
+    unsigned ku_flags;
+
+    if (_hx509_cert_get_version(cert) < 3)
+	return 0;
+
+    e = find_extension(cert, oid_id_x509_ce_keyUsage(), &i);
+    if (e == NULL) {
+	if (req_present) {
+	    hx509_set_error_string(context, 0, HX509_KU_CERT_MISSING,
+				   "Required extension key "
+				   "usage missing from certifiate");
+	    return HX509_KU_CERT_MISSING;
+	}
+	return 0;
+    }
+    
+    ret = decode_KeyUsage(e->extnValue.data, e->extnValue.length, &ku, &size);
+    if (ret)
+	return ret;
+    ku_flags = KeyUsage2int(ku);
+    if ((ku_flags & flags) != flags) {
+	unsigned missing = (~ku_flags) & flags;
+	char buf[256], *name;
+
+	unparse_flags(missing, asn1_KeyUsage_units(), buf, sizeof(buf));
+	_hx509_unparse_Name(&cert->tbsCertificate.subject, &name);
+	hx509_set_error_string(context, 0, HX509_KU_CERT_MISSING,
+			       "Key usage %s required but missing "
+			       "from certifiate %s", buf, name);
+	free(name);
+	return HX509_KU_CERT_MISSING;
+    }
+    return 0;
+}
+
+/*
+ * Return 0 on matching key usage 'flags' for 'cert', otherwise return
+ * an error code. If 'req_present' the existance is required of the
+ * KeyUsage extension.
+ */
+
+int
+_hx509_check_key_usage(hx509_context context, hx509_cert cert, 
+		       unsigned flags, int req_present)
+{
+    return check_key_usage(context, _hx509_get_cert(cert), flags, req_present);
+}
+
+enum certtype { PROXY_CERT, EE_CERT, CA_CERT };
+
+static int
+check_basic_constraints(hx509_context context, const Certificate *cert, 
+			enum certtype type, int depth)
+{
+    BasicConstraints bc;
+    const Extension *e;
+    size_t size;
+    int ret, i = 0;
+
+    if (_hx509_cert_get_version(cert) < 3)
+	return 0;
+
+    e = find_extension(cert, oid_id_x509_ce_basicConstraints(), &i);
+    if (e == NULL) {
+	switch(type) {
+	case PROXY_CERT:
+	case EE_CERT:
+	    return 0;
+	case CA_CERT: {
+	    char *name;
+	    ret = _hx509_unparse_Name(&cert->tbsCertificate.subject, &name);
+	    assert(ret == 0);
+	    hx509_set_error_string(context, 0, HX509_EXTENSION_NOT_FOUND,
+				   "basicConstraints missing from "
+				   "CA certifiacte %s", name);
+	    free(name);
+	    return HX509_EXTENSION_NOT_FOUND;
+	}
+	}
+    }
+    
+    ret = decode_BasicConstraints(e->extnValue.data, 
+				  e->extnValue.length, &bc,
+				  &size);
+    if (ret)
+	return ret;
+    switch(type) {
+    case PROXY_CERT:
+	if (bc.cA != NULL && *bc.cA)
+	    ret = HX509_PARENT_IS_CA;
+	break;
+    case EE_CERT:
+	ret = 0;
+	break;
+    case CA_CERT:
+	if (bc.cA == NULL || !*bc.cA)
+	    ret = HX509_PARENT_NOT_CA;
+	else if (bc.pathLenConstraint)
+	    if (depth - 1 > *bc.pathLenConstraint)
+		ret = HX509_CA_PATH_TOO_DEEP;
+	break;
+    }
+    free_BasicConstraints(&bc);
+    return ret;
+}
+
+int
+_hx509_cert_is_parent_cmp(const Certificate *subject,
+			  const Certificate *issuer,
+			  int allow_self_signed)
+{
+    int diff;
+    AuthorityKeyIdentifier ai;
+    SubjectKeyIdentifier si;
+    int ret_ai, ret_si;
+
+    diff = _hx509_name_cmp(&issuer->tbsCertificate.subject, 
+			   &subject->tbsCertificate.issuer);
+    if (diff)
+	return diff;
+    
+    memset(&ai, 0, sizeof(ai));
+    memset(&si, 0, sizeof(si));
+
+    /*
+     * Try to find AuthorityKeyIdentifier, if it's not present in the
+     * subject certificate nor the parent.
+     */
+
+    ret_ai = find_extension_auth_key_id(subject, &ai);
+    if (ret_ai && ret_ai != HX509_EXTENSION_NOT_FOUND)
+	return 1;
+    ret_si = _hx509_find_extension_subject_key_id(issuer, &si);
+    if (ret_si && ret_si != HX509_EXTENSION_NOT_FOUND)
+	return -1;
+
+    if (ret_si && ret_ai)
+	goto out;
+    if (ret_ai)
+	goto out;
+    if (ret_si) {
+	if (allow_self_signed) {
+	    diff = 0;
+	    goto out;
+	} else if (ai.keyIdentifier) {
+	    diff = -1;
+	    goto out;
+	}
+    }
+    
+    if (ai.keyIdentifier == NULL) {
+	Name name;
+
+	if (ai.authorityCertIssuer == NULL)
+	    return -1;
+	if (ai.authorityCertSerialNumber == NULL)
+	    return -1;
+
+	diff = der_heim_integer_cmp(ai.authorityCertSerialNumber, 
+				    &issuer->tbsCertificate.serialNumber);
+	if (diff)
+	    return diff;
+	if (ai.authorityCertIssuer->len != 1)
+	    return -1;
+	if (ai.authorityCertIssuer->val[0].element != choice_GeneralName_directoryName)
+	    return -1;
+	
+	name.element = 
+	    ai.authorityCertIssuer->val[0].u.directoryName.element;
+	name.u.rdnSequence = 
+	    ai.authorityCertIssuer->val[0].u.directoryName.u.rdnSequence;
+
+	diff = _hx509_name_cmp(&issuer->tbsCertificate.subject, 
+			       &name);
+	if (diff)
+	    return diff;
+	diff = 0;
+    } else
+	diff = der_heim_octet_string_cmp(ai.keyIdentifier, &si);
+    if (diff)
+	goto out;
+
+ out:
+    free_AuthorityKeyIdentifier(&ai);
+    free_SubjectKeyIdentifier(&si);
+    return diff;
+}
+
+static int
+certificate_is_anchor(hx509_context context,
+		      hx509_certs trust_anchors,
+		      const hx509_cert cert)
+{
+    hx509_query q;
+    hx509_cert c;
+    int ret;
+
+    if (trust_anchors == NULL)
+	return 0;
+
+    _hx509_query_clear(&q);
+
+    q.match = HX509_QUERY_MATCH_CERTIFICATE;
+    q.certificate = _hx509_get_cert(cert);
+
+    ret = hx509_certs_find(context, trust_anchors, &q, &c);
+    if (ret == 0)
+	hx509_cert_free(c);
+    return ret == 0;
+}
+
+static int
+certificate_is_self_signed(const Certificate *cert)
+{
+    return _hx509_name_cmp(&cert->tbsCertificate.subject, 
+			   &cert->tbsCertificate.issuer) == 0;
+}
+
+/*
+ * The subjectName is "null" when it's empty set of relative DBs.
+ */
+
+static int
+subject_null_p(const Certificate *c)
+{
+    return c->tbsCertificate.subject.u.rdnSequence.len == 0;
+}
+
+
+static int
+find_parent(hx509_context context,
+	    time_t time_now,
+	    hx509_certs trust_anchors,
+	    hx509_path *path,
+	    hx509_certs pool, 
+	    hx509_cert current,
+	    hx509_cert *parent)
+{
+    AuthorityKeyIdentifier ai;
+    hx509_query q;
+    int ret;
+
+    *parent = NULL;
+    memset(&ai, 0, sizeof(ai));
+    
+    _hx509_query_clear(&q);
+
+    if (!subject_null_p(current->data)) {
+	q.match |= HX509_QUERY_FIND_ISSUER_CERT;
+	q.subject = _hx509_get_cert(current);
+    } else {
+	ret = find_extension_auth_key_id(current->data, &ai);
+	if (ret) {
+	    hx509_set_error_string(context, 0, HX509_CERTIFICATE_MALFORMED,
+				   "Subjectless certificate missing AuthKeyID");
+	    return HX509_CERTIFICATE_MALFORMED;
+	}
+
+	if (ai.keyIdentifier == NULL) {
+	    free_AuthorityKeyIdentifier(&ai);
+	    hx509_set_error_string(context, 0, HX509_CERTIFICATE_MALFORMED,
+				   "Subjectless certificate missing keyIdentifier "
+				   "inside AuthKeyID");
+	    return HX509_CERTIFICATE_MALFORMED;
+	}
+
+	q.subject_id = ai.keyIdentifier;
+	q.match = HX509_QUERY_MATCH_SUBJECT_KEY_ID;
+    }
+
+    q.path = path;
+    q.match |= HX509_QUERY_NO_MATCH_PATH;
+
+    if (pool) {
+	q.timenow = time_now;
+	q.match |= HX509_QUERY_MATCH_TIME;
+
+	ret = hx509_certs_find(context, pool, &q, parent);
+	if (ret == 0) {
+	    free_AuthorityKeyIdentifier(&ai);
+	    return 0;
+	}
+	q.match &= ~HX509_QUERY_MATCH_TIME;
+    }
+
+    if (trust_anchors) {
+	ret = hx509_certs_find(context, trust_anchors, &q, parent);
+	if (ret == 0) {
+	    free_AuthorityKeyIdentifier(&ai);
+	    return ret;
+	}
+    }
+    free_AuthorityKeyIdentifier(&ai);
+
+    {
+	hx509_name name;
+	char *str;
+
+	ret = hx509_cert_get_subject(current, &name);
+	if (ret) {
+	    hx509_clear_error_string(context);
+	    return HX509_ISSUER_NOT_FOUND;
+	}
+	ret = hx509_name_to_string(name, &str);
+	hx509_name_free(&name);
+	if (ret) {
+	    hx509_clear_error_string(context);
+	    return HX509_ISSUER_NOT_FOUND;
+	}
+	
+	hx509_set_error_string(context, 0, HX509_ISSUER_NOT_FOUND,
+			       "Failed to find issuer for "
+			       "certificate with subject: '%s'", str);
+	free(str);
+    }
+    return HX509_ISSUER_NOT_FOUND;
+}
+
+/*
+ *
+ */
+
+static int
+is_proxy_cert(hx509_context context, 
+	      const Certificate *cert, 
+	      ProxyCertInfo *rinfo)
+{
+    ProxyCertInfo info;
+    const Extension *e;
+    size_t size;
+    int ret, i = 0;
+
+    if (rinfo)
+	memset(rinfo, 0, sizeof(*rinfo));
+
+    e = find_extension(cert, oid_id_pkix_pe_proxyCertInfo(), &i);
+    if (e == NULL) {
+	hx509_clear_error_string(context);
+	return HX509_EXTENSION_NOT_FOUND;
+    }
+
+    ret = decode_ProxyCertInfo(e->extnValue.data, 
+			       e->extnValue.length, 
+			       &info,
+			       &size);
+    if (ret) {
+	hx509_clear_error_string(context);
+	return ret;
+    }
+    if (size != e->extnValue.length) {
+	free_ProxyCertInfo(&info);
+	hx509_clear_error_string(context);
+	return HX509_EXTRA_DATA_AFTER_STRUCTURE; 
+    }
+    if (rinfo == NULL)
+	free_ProxyCertInfo(&info);
+    else
+	*rinfo = info;
+
+    return 0;
+}
+
+/*
+ * Path operations are like MEMORY based keyset, but with exposed
+ * internal so we can do easy searches.
+ */
+
+int
+_hx509_path_append(hx509_context context, hx509_path *path, hx509_cert cert)
+{
+    hx509_cert *val;
+    val = realloc(path->val, (path->len + 1) * sizeof(path->val[0]));
+    if (val == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+
+    path->val = val;
+    path->val[path->len] = hx509_cert_ref(cert);
+    path->len++;
+
+    return 0;
+}
+
+void
+_hx509_path_free(hx509_path *path)
+{
+    unsigned i;
+    
+    for (i = 0; i < path->len; i++)
+	hx509_cert_free(path->val[i]);
+    free(path->val);
+    path->val = NULL;
+    path->len = 0;
+}
+
+/*
+ * Find path by looking up issuer for the top certificate and continue
+ * until an anchor certificate is found or max limit is found. A
+ * certificate never included twice in the path.
+ *
+ * If the trust anchors are not given, calculate optimistic path, just
+ * follow the chain upward until we no longer find a parent or we hit
+ * the max path limit. In this case, a failure will always be returned
+ * depending on what error condition is hit first.
+ *
+ * The path includes a path from the top certificate to the anchor
+ * certificate.
+ *
+ * The caller needs to free `path´ both on successful built path and
+ * failure.
+ */
+
+int
+_hx509_calculate_path(hx509_context context,
+		      int flags,
+		      time_t time_now,
+		      hx509_certs anchors,
+		      unsigned int max_depth,
+		      hx509_cert cert,
+		      hx509_certs pool,
+		      hx509_path *path)
+{
+    hx509_cert parent, current;
+    int ret;
+
+    if (max_depth == 0)
+	max_depth = HX509_VERIFY_MAX_DEPTH;
+
+    ret = _hx509_path_append(context, path, cert);
+    if (ret)
+	return ret;
+
+    current = hx509_cert_ref(cert);
+
+    while (!certificate_is_anchor(context, anchors, current)) {
+
+	ret = find_parent(context, time_now, anchors, path, 
+			  pool, current, &parent);
+	hx509_cert_free(current);
+	if (ret)
+	    return ret;
+
+	ret = _hx509_path_append(context, path, parent);
+	if (ret)
+	    return ret;
+	current = parent;
+
+	if (path->len > max_depth) {
+	    hx509_cert_free(current);
+	    hx509_set_error_string(context, 0, HX509_PATH_TOO_LONG,
+				   "Path too long while bulding "
+				   "certificate chain");
+	    return HX509_PATH_TOO_LONG;
+	}
+    }
+
+    if ((flags & HX509_CALCULATE_PATH_NO_ANCHOR) && 
+	path->len > 0 && 
+	certificate_is_anchor(context, anchors, path->val[path->len - 1]))
+    {
+	hx509_cert_free(path->val[path->len - 1]);
+	path->len--;
+    }
+
+    hx509_cert_free(current);
+    return 0;
+}
+
+int
+_hx509_AlgorithmIdentifier_cmp(const AlgorithmIdentifier *p,
+			       const AlgorithmIdentifier *q)
+{
+    int diff;
+    diff = der_heim_oid_cmp(&p->algorithm, &q->algorithm);
+    if (diff)
+	return diff;
+    if (p->parameters) {
+	if (q->parameters)
+	    return heim_any_cmp(p->parameters,
+				q->parameters);
+	else
+	    return 1;
+    } else {
+	if (q->parameters)
+	    return -1;
+	else
+	    return 0;
+    }
+}
+
+int
+_hx509_Certificate_cmp(const Certificate *p, const Certificate *q)
+{
+    int diff;
+    diff = der_heim_bit_string_cmp(&p->signatureValue, &q->signatureValue);
+    if (diff)
+	return diff;
+    diff = _hx509_AlgorithmIdentifier_cmp(&p->signatureAlgorithm, 
+					  &q->signatureAlgorithm);
+    if (diff)
+	return diff;
+    diff = der_heim_octet_string_cmp(&p->tbsCertificate._save,
+				     &q->tbsCertificate._save);
+    return diff;
+}
+
+/**
+ * Compare to hx509 certificate object, useful for sorting.
+ *
+ * @param p a hx509 certificate object.
+ * @param q a hx509 certificate object.
+ *
+ * @return 0 the objects are the same, returns > 0 is p is "larger"
+ * then q, < 0 if p is "smaller" then q.
+ *
+ * @ingroup hx509_cert
+ */
+
+int
+hx509_cert_cmp(hx509_cert p, hx509_cert q)
+{
+    return _hx509_Certificate_cmp(p->data, q->data);
+}
+
+/**
+ * Return the name of the issuer of the hx509 certificate.
+ *
+ * @param p a hx509 certificate object.
+ * @param name a pointer to a hx509 name, should be freed by
+ * hx509_name_free().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
+int
+hx509_cert_get_issuer(hx509_cert p, hx509_name *name)
+{
+    return _hx509_name_from_Name(&p->data->tbsCertificate.issuer, name);
+}
+
+/**
+ * Return the name of the subject of the hx509 certificate.
+ *
+ * @param p a hx509 certificate object.
+ * @param name a pointer to a hx509 name, should be freed by
+ * hx509_name_free(). See also hx509_cert_get_base_subject().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
+int
+hx509_cert_get_subject(hx509_cert p, hx509_name *name)
+{
+    return _hx509_name_from_Name(&p->data->tbsCertificate.subject, name);
+}
+
+/**
+ * Return the name of the base subject of the hx509 certificate. If
+ * the certiicate is a verified proxy certificate, the this function
+ * return the base certificate (root of the proxy chain). If the proxy
+ * certificate is not verified with the base certificate
+ * HX509_PROXY_CERTIFICATE_NOT_CANONICALIZED is returned.
+ *
+ * @param context a hx509 context.
+ * @param c a hx509 certificate object.
+ * @param name a pointer to a hx509 name, should be freed by
+ * hx509_name_free(). See also hx509_cert_get_subject().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
+int
+hx509_cert_get_base_subject(hx509_context context, hx509_cert c,
+			    hx509_name *name)
+{
+    if (c->basename)
+	return hx509_name_copy(context, c->basename, name);
+    if (is_proxy_cert(context, c->data, NULL) == 0) {
+	int ret = HX509_PROXY_CERTIFICATE_NOT_CANONICALIZED;
+	hx509_set_error_string(context, 0, ret,
+			       "Proxy certificate have not been "
+			       "canonicalize yet, no base name");
+	return ret;
+    }
+    return _hx509_name_from_Name(&c->data->tbsCertificate.subject, name);
+}
+
+/**
+ * Get serial number of the certificate.
+ *
+ * @param p a hx509 certificate object.
+ * @param i serial number, should be freed ith der_free_heim_integer().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
+int
+hx509_cert_get_serialnumber(hx509_cert p, heim_integer *i)
+{
+    return der_copy_heim_integer(&p->data->tbsCertificate.serialNumber, i);
+}
+
+/**
+ * Get notBefore time of the certificate.
+ *
+ * @param p a hx509 certificate object.
+ *
+ * @return return not before time
+ *
+ * @ingroup hx509_cert
+ */
+
+time_t
+hx509_cert_get_notBefore(hx509_cert p)
+{
+    return _hx509_Time2time_t(&p->data->tbsCertificate.validity.notBefore);
+}
+
+/**
+ * Get notAfter time of the certificate.
+ *
+ * @param p a hx509 certificate object.
+ *
+ * @return return not after time.
+ *
+ * @ingroup hx509_cert
+ */
+
+time_t
+hx509_cert_get_notAfter(hx509_cert p)
+{
+    return _hx509_Time2time_t(&p->data->tbsCertificate.validity.notAfter);
+}
+
+/**
+ * Get the SubjectPublicKeyInfo structure from the hx509 certificate.
+ *
+ * @param context a hx509 context.
+ * @param p a hx509 certificate object.
+ * @param spki SubjectPublicKeyInfo, should be freed with
+ * free_SubjectPublicKeyInfo().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
+int
+hx509_cert_get_SPKI(hx509_context context, hx509_cert p, SubjectPublicKeyInfo *spki)
+{
+    int ret;
+
+    ret = copy_SubjectPublicKeyInfo(&p->data->tbsCertificate.subjectPublicKeyInfo, spki);
+    if (ret)
+	hx509_set_error_string(context, 0, ret, "Failed to copy SPKI");
+    return ret;
+}
+
+/**
+ * Get the AlgorithmIdentifier from the hx509 certificate.
+ *
+ * @param context a hx509 context.
+ * @param p a hx509 certificate object.
+ * @param alg AlgorithmIdentifier, should be freed with
+ * free_AlgorithmIdentifier().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
+int
+hx509_cert_get_SPKI_AlgorithmIdentifier(hx509_context context,
+					hx509_cert p, 
+					AlgorithmIdentifier *alg)
+{
+    int ret;
+
+    ret = copy_AlgorithmIdentifier(&p->data->tbsCertificate.subjectPublicKeyInfo.algorithm, alg);
+    if (ret)
+	hx509_set_error_string(context, 0, ret,
+			       "Failed to copy SPKI AlgorithmIdentifier");
+    return ret;
+}
+
+
+hx509_private_key
+_hx509_cert_private_key(hx509_cert p)
+{
+    return p->private_key;
+}
+
+int
+hx509_cert_have_private_key(hx509_cert p)
+{
+    return p->private_key ? 1 : 0;
+}
+
+
+int
+_hx509_cert_private_key_exportable(hx509_cert p)
+{
+    if (p->private_key == NULL)
+	return 0;
+    return _hx509_private_key_exportable(p->private_key);
+}
+
+int
+_hx509_cert_private_decrypt(hx509_context context,
+			    const heim_octet_string *ciphertext,
+			    const heim_oid *encryption_oid,
+			    hx509_cert p,
+			    heim_octet_string *cleartext)
+{
+    cleartext->data = NULL;
+    cleartext->length = 0;
+
+    if (p->private_key == NULL) {
+	hx509_set_error_string(context, 0, HX509_PRIVATE_KEY_MISSING,
+			       "Private key missing");
+	return HX509_PRIVATE_KEY_MISSING;
+    }
+
+    return _hx509_private_key_private_decrypt(context,
+					      ciphertext,
+					      encryption_oid,
+					      p->private_key, 
+					      cleartext);
+}
+
+int
+_hx509_cert_public_encrypt(hx509_context context,
+			   const heim_octet_string *cleartext,
+			   const hx509_cert p,
+			   heim_oid *encryption_oid,
+			   heim_octet_string *ciphertext)
+{
+    return _hx509_public_encrypt(context,
+				 cleartext, p->data,
+				 encryption_oid, ciphertext);
+}
+
+/*
+ *
+ */
+
+time_t
+_hx509_Time2time_t(const Time *t)
+{
+    switch(t->element) {
+    case choice_Time_utcTime:
+	return t->u.utcTime;
+    case choice_Time_generalTime:
+	return t->u.generalTime;
+    }
+    return 0;
+}
+
+/*
+ *
+ */
+
+static int
+init_name_constraints(hx509_name_constraints *nc)
+{
+    memset(nc, 0, sizeof(*nc));
+    return 0;
+}
+
+static int
+add_name_constraints(hx509_context context, const Certificate *c, int not_ca,
+		     hx509_name_constraints *nc)
+{
+    NameConstraints tnc;
+    int ret;
+
+    ret = find_extension_name_constraints(c, &tnc);
+    if (ret == HX509_EXTENSION_NOT_FOUND)
+	return 0;
+    else if (ret) {
+	hx509_set_error_string(context, 0, ret, "Failed getting NameConstraints");
+	return ret;
+    } else if (not_ca) {
+	ret = HX509_VERIFY_CONSTRAINTS;
+	hx509_set_error_string(context, 0, ret, "Not a CA and "
+			       "have NameConstraints");
+    } else {
+	NameConstraints *val;
+	val = realloc(nc->val, sizeof(nc->val[0]) * (nc->len + 1));
+	if (val == NULL) {
+	    hx509_clear_error_string(context);
+	    ret = ENOMEM;
+	    goto out;
+	}
+	nc->val = val;
+	ret = copy_NameConstraints(&tnc, &nc->val[nc->len]);
+	if (ret) {
+	    hx509_clear_error_string(context);
+	    goto out;
+	}
+	nc->len += 1;
+    }
+out:
+    free_NameConstraints(&tnc);
+    return ret;
+}
+
+static int
+match_RDN(const RelativeDistinguishedName *c,
+	  const RelativeDistinguishedName *n)
+{
+    int i;
+
+    if (c->len != n->len)
+	return HX509_NAME_CONSTRAINT_ERROR;
+    
+    for (i = 0; i < n->len; i++) {
+	if (der_heim_oid_cmp(&c->val[i].type, &n->val[i].type) != 0)
+	    return HX509_NAME_CONSTRAINT_ERROR;
+	if (_hx509_name_ds_cmp(&c->val[i].value, &n->val[i].value) != 0)
+	    return HX509_NAME_CONSTRAINT_ERROR;
+    }
+    return 0;
+}
+
+static int
+match_X501Name(const Name *c, const Name *n)
+{
+    int i, ret;
+
+    if (c->element != choice_Name_rdnSequence
+	|| n->element != choice_Name_rdnSequence)
+	return 0;
+    if (c->u.rdnSequence.len > n->u.rdnSequence.len)
+	return HX509_NAME_CONSTRAINT_ERROR;
+    for (i = 0; i < c->u.rdnSequence.len; i++) {
+	ret = match_RDN(&c->u.rdnSequence.val[i], &n->u.rdnSequence.val[i]);
+	if (ret)
+	    return ret;
+    }
+    return 0;
+} 
+
+
+static int
+match_general_name(const GeneralName *c, const GeneralName *n, int *match)
+{
+    /* 
+     * Name constraints only apply to the same name type, see RFC3280,
+     * 4.2.1.11.
+     */
+    assert(c->element == n->element);
+
+    switch(c->element) {
+    case choice_GeneralName_otherName:
+	if (der_heim_oid_cmp(&c->u.otherName.type_id,
+			 &n->u.otherName.type_id) != 0)
+	    return HX509_NAME_CONSTRAINT_ERROR;
+	if (heim_any_cmp(&c->u.otherName.value,
+			 &n->u.otherName.value) != 0)
+	    return HX509_NAME_CONSTRAINT_ERROR;
+	*match = 1;
+	return 0;
+    case choice_GeneralName_rfc822Name: {
+	const char *s;
+	size_t len1, len2;
+	s = strchr(c->u.rfc822Name, '@');
+	if (s) {
+	    if (strcasecmp(c->u.rfc822Name, n->u.rfc822Name) != 0)
+		return HX509_NAME_CONSTRAINT_ERROR;
+	} else {
+	    s = strchr(n->u.rfc822Name, '@');
+	    if (s == NULL)
+		return HX509_NAME_CONSTRAINT_ERROR;
+	    len1 = strlen(c->u.rfc822Name);
+	    len2 = strlen(s + 1);
+	    if (len1 > len2)
+		return HX509_NAME_CONSTRAINT_ERROR;
+	    if (strcasecmp(s + 1 + len2 - len1, c->u.rfc822Name) != 0)
+		return HX509_NAME_CONSTRAINT_ERROR;
+	    if (len1 < len2 && s[len2 - len1 + 1] != '.')
+		return HX509_NAME_CONSTRAINT_ERROR;
+	}
+	*match = 1;
+	return 0;
+    }
+    case choice_GeneralName_dNSName: {
+	size_t lenc, lenn;
+
+	lenc = strlen(c->u.dNSName);
+	lenn = strlen(n->u.dNSName);
+	if (lenc > lenn)
+	    return HX509_NAME_CONSTRAINT_ERROR;
+	if (strcasecmp(&n->u.dNSName[lenn - lenc], c->u.dNSName) != 0)
+	    return HX509_NAME_CONSTRAINT_ERROR;
+	if (lenc != lenn && n->u.dNSName[lenn - lenc - 1] != '.')
+	    return HX509_NAME_CONSTRAINT_ERROR;
+	*match = 1;
+	return 0;
+    }
+    case choice_GeneralName_directoryName: {
+	Name c_name, n_name;
+	int ret;
+
+	c_name._save.data = NULL;
+	c_name._save.length = 0;
+	c_name.element = c->u.directoryName.element;
+	c_name.u.rdnSequence = c->u.directoryName.u.rdnSequence;
+
+	n_name._save.data = NULL;
+	n_name._save.length = 0;
+	n_name.element = n->u.directoryName.element;
+	n_name.u.rdnSequence = n->u.directoryName.u.rdnSequence;
+
+	ret = match_X501Name(&c_name, &n_name);
+	if (ret == 0)
+	    *match = 1;
+	return ret;
+    }
+    case choice_GeneralName_uniformResourceIdentifier:
+    case choice_GeneralName_iPAddress:
+    case choice_GeneralName_registeredID:
+    default:
+	return HX509_NAME_CONSTRAINT_ERROR;
+    }
+}
+
+static int
+match_alt_name(const GeneralName *n, const Certificate *c, 
+	       int *same, int *match)
+{
+    GeneralNames sa;
+    int ret, i, j;
+
+    i = 0;
+    do {
+	ret = find_extension_subject_alt_name(c, &i, &sa);
+	if (ret == HX509_EXTENSION_NOT_FOUND) {
+	    ret = 0;
+	    break;
+	} else if (ret != 0)
+	    break;
+
+	for (j = 0; j < sa.len; j++) {
+	    if (n->element == sa.val[j].element) {
+		*same = 1;
+		ret = match_general_name(n, &sa.val[j], match);
+	    }
+	}
+	free_GeneralNames(&sa);
+    } while (1);
+    return ret;
+}
+
+
+static int
+match_tree(const GeneralSubtrees *t, const Certificate *c, int *match)
+{
+    int name, alt_name, same;
+    unsigned int i;
+    int ret = 0;
+
+    name = alt_name = same = *match = 0;
+    for (i = 0; i < t->len; i++) {
+	if (t->val[i].minimum && t->val[i].maximum)
+	    return HX509_RANGE;
+
+	/*
+	 * If the constraint apply to directoryNames, test is with
+	 * subjectName of the certificate if the certificate have a
+	 * non-null (empty) subjectName.
+	 */
+
+	if (t->val[i].base.element == choice_GeneralName_directoryName
+	    && !subject_null_p(c))
+	{
+	    GeneralName certname;
+	    
+	    memset(&certname, 0, sizeof(certname));
+	    certname.element = choice_GeneralName_directoryName;
+	    certname.u.directoryName.element = 
+		c->tbsCertificate.subject.element;
+	    certname.u.directoryName.u.rdnSequence = 
+		c->tbsCertificate.subject.u.rdnSequence;
+    
+	    ret = match_general_name(&t->val[i].base, &certname, &name);
+	}
+
+	/* Handle subjectAltNames, this is icky since they
+	 * restrictions only apply if the subjectAltName is of the
+	 * same type. So if there have been a match of type, require
+	 * altname to be set.
+	 */
+	ret = match_alt_name(&t->val[i].base, c, &same, &alt_name);
+    }
+    if (name && (!same || alt_name))
+	*match = 1;
+    return ret;
+}
+
+static int
+check_name_constraints(hx509_context context, 
+		       const hx509_name_constraints *nc,
+		       const Certificate *c)
+{
+    int match, ret;
+    int i;
+
+    for (i = 0 ; i < nc->len; i++) {
+	GeneralSubtrees gs;
+
+	if (nc->val[i].permittedSubtrees) {
+	    GeneralSubtrees_SET(&gs, nc->val[i].permittedSubtrees);
+	    ret = match_tree(&gs, c, &match);
+	    if (ret) {
+		hx509_clear_error_string(context);
+		return ret;
+	    }
+	    /* allow null subjectNames, they wont matches anything */
+	    if (match == 0 && !subject_null_p(c)) {
+		hx509_set_error_string(context, 0, HX509_VERIFY_CONSTRAINTS,
+				       "Error verify constraints, "
+				       "certificate didn't match any "
+				       "permitted subtree");
+		return HX509_VERIFY_CONSTRAINTS;
+	    }
+	}
+	if (nc->val[i].excludedSubtrees) {
+	    GeneralSubtrees_SET(&gs, nc->val[i].excludedSubtrees);
+	    ret = match_tree(&gs, c, &match);
+	    if (ret) {
+		hx509_clear_error_string(context);
+		return ret;
+	    }
+	    if (match) {
+		hx509_set_error_string(context, 0, HX509_VERIFY_CONSTRAINTS,
+				       "Error verify constraints, "
+				       "certificate included in excluded "
+				       "subtree");
+		return HX509_VERIFY_CONSTRAINTS;
+	    }
+	}
+    }
+    return 0;
+}
+
+static void
+free_name_constraints(hx509_name_constraints *nc)
+{
+    int i;
+
+    for (i = 0 ; i < nc->len; i++)
+	free_NameConstraints(&nc->val[i]);
+    free(nc->val);
+}
+
+/**
+ * Build and verify the path for the certificate to the trust anchor
+ * specified in the verify context. The path is constructed from the
+ * certificate, the pool and the trust anchors.
+ *
+ * @param context A hx509 context.
+ * @param ctx A hx509 verification context.
+ * @param cert the certificate to build the path from.
+ * @param pool A keyset of certificates to build the chain from.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_verify
+ */
+
+int
+hx509_verify_path(hx509_context context,
+		  hx509_verify_ctx ctx,
+		  hx509_cert cert,
+		  hx509_certs pool)
+{
+    hx509_name_constraints nc;
+    hx509_path path;
+#if 0
+    const AlgorithmIdentifier *alg_id;
+#endif
+    int ret, i, proxy_cert_depth, selfsigned_depth;
+    enum certtype type;
+    Name proxy_issuer;
+    hx509_certs anchors = NULL;
+
+    memset(&proxy_issuer, 0, sizeof(proxy_issuer));
+
+    ret = init_name_constraints(&nc);
+    if (ret)	
+	return ret;
+
+    path.val = NULL;
+    path.len = 0;
+
+    if ((ctx->flags & HX509_VERIFY_CTX_F_TIME_SET) == 0)
+	ctx->time_now = time(NULL);
+
+    /*
+     *
+     */
+    if (ctx->trust_anchors)
+	anchors = _hx509_certs_ref(ctx->trust_anchors);
+    else if (context->default_trust_anchors && ALLOW_DEF_TA(ctx))
+	anchors = _hx509_certs_ref(context->default_trust_anchors);
+    else {
+	ret = hx509_certs_init(context, "MEMORY:no-TA", 0, NULL, &anchors);
+	if (ret)
+	    goto out;
+    }
+
+    /*
+     * Calculate the path from the certificate user presented to the
+     * to an anchor.
+     */
+    ret = _hx509_calculate_path(context, 0, ctx->time_now,
+				anchors, ctx->max_depth,
+				cert, pool, &path);
+    if (ret)
+	goto out;
+
+#if 0
+    alg_id = path.val[path->len - 1]->data->tbsCertificate.signature;
+#endif
+
+    /*
+     * Check CA and proxy certificate chain from the top of the
+     * certificate chain. Also check certificate is valid with respect
+     * to the current time.
+     *
+     */
+
+    proxy_cert_depth = 0;
+    selfsigned_depth = 0;
+
+    if (ctx->flags & HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE)
+	type = PROXY_CERT;
+    else
+	type = EE_CERT;
+
+    for (i = 0; i < path.len; i++) {
+	Certificate *c;
+	time_t t;
+
+	c = _hx509_get_cert(path.val[i]);
+	
+	/*
+	 * Lets do some basic check on issuer like
+	 * keyUsage.keyCertSign and basicConstraints.cA bit depending
+	 * on what type of certificate this is.
+	 */
+
+	switch (type) {
+	case CA_CERT:
+	    /* XXX make constants for keyusage */
+	    ret = check_key_usage(context, c, 1 << 5,
+				  REQUIRE_RFC3280(ctx) ? TRUE : FALSE);
+	    if (ret) {
+		hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
+				       "Key usage missing from CA certificate");
+		goto out;
+	    }
+
+	    if (i + 1 != path.len && certificate_is_self_signed(c)) 
+		selfsigned_depth++;
+
+	    break;
+	case PROXY_CERT: {
+	    ProxyCertInfo info;	    
+
+	    if (is_proxy_cert(context, c, &info) == 0) {
+		int j;
+
+		if (info.pCPathLenConstraint != NULL &&
+		    *info.pCPathLenConstraint < i)
+		{
+		    free_ProxyCertInfo(&info);
+		    ret = HX509_PATH_TOO_LONG;
+		    hx509_set_error_string(context, 0, ret,
+					   "Proxy certificate chain "
+					   "longer then allowed");
+		    goto out;
+		}
+		/* XXX MUST check info.proxyPolicy */
+		free_ProxyCertInfo(&info);
+		
+		j = 0;
+		if (find_extension(c, oid_id_x509_ce_subjectAltName(), &j)) {
+		    ret = HX509_PROXY_CERT_INVALID;
+		    hx509_set_error_string(context, 0, ret, 
+					   "Proxy certificate have explicity "
+					   "forbidden subjectAltName");
+		    goto out;
+		}
+
+		j = 0;
+		if (find_extension(c, oid_id_x509_ce_issuerAltName(), &j)) {
+		    ret = HX509_PROXY_CERT_INVALID;
+		    hx509_set_error_string(context, 0, ret, 
+					   "Proxy certificate have explicity "
+					   "forbidden issuerAltName");
+		    goto out;
+		}
+			
+		/* 
+		 * The subject name of the proxy certificate should be
+		 * CN=XXX,<proxy issuer>, prune of CN and check if its
+		 * the same over the whole chain of proxy certs and
+		 * then check with the EE cert when we get to it.
+		 */
+
+		if (proxy_cert_depth) {
+		    ret = _hx509_name_cmp(&proxy_issuer, &c->tbsCertificate.subject);
+		    if (ret) {
+			ret = HX509_PROXY_CERT_NAME_WRONG;
+			hx509_set_error_string(context, 0, ret,
+					       "Base proxy name not right");
+			goto out;
+		    }
+		}
+
+		free_Name(&proxy_issuer);
+
+		ret = copy_Name(&c->tbsCertificate.subject, &proxy_issuer);
+		if (ret) {
+		    hx509_clear_error_string(context);
+		    goto out;
+		}
+
+		j = proxy_issuer.u.rdnSequence.len;
+		if (proxy_issuer.u.rdnSequence.len < 2 
+		    || proxy_issuer.u.rdnSequence.val[j - 1].len > 1
+		    || der_heim_oid_cmp(&proxy_issuer.u.rdnSequence.val[j - 1].val[0].type,
+					oid_id_at_commonName()))
+		{
+		    ret = HX509_PROXY_CERT_NAME_WRONG;
+		    hx509_set_error_string(context, 0, ret,
+					   "Proxy name too short or "
+					   "does not have Common name "
+					   "at the top");
+		    goto out;
+		}
+
+		free_RelativeDistinguishedName(&proxy_issuer.u.rdnSequence.val[j - 1]);
+		proxy_issuer.u.rdnSequence.len -= 1;
+
+		ret = _hx509_name_cmp(&proxy_issuer, &c->tbsCertificate.issuer);
+		if (ret != 0) {
+		    ret = HX509_PROXY_CERT_NAME_WRONG;
+		    hx509_set_error_string(context, 0, ret,
+					   "Proxy issuer name not as expected");
+		    goto out;
+		}
+
+		break;
+	    } else {
+		/* 
+		 * Now we are done with the proxy certificates, this
+		 * cert was an EE cert and we we will fall though to
+		 * EE checking below.
+		 */
+		type = EE_CERT;
+		/* FALLTHOUGH */
+	    }
+	}
+	case EE_CERT:
+	    /*
+	     * If there where any proxy certificates in the chain
+	     * (proxy_cert_depth > 0), check that the proxy issuer
+	     * matched proxy certificates "base" subject.
+	     */
+	    if (proxy_cert_depth) {
+
+		ret = _hx509_name_cmp(&proxy_issuer,
+				      &c->tbsCertificate.subject);
+		if (ret) {
+		    ret = HX509_PROXY_CERT_NAME_WRONG;
+		    hx509_clear_error_string(context);
+		    goto out;
+		}
+		if (cert->basename)
+		    hx509_name_free(&cert->basename);
+		
+		ret = _hx509_name_from_Name(&proxy_issuer, &cert->basename);
+		if (ret) {
+		    hx509_clear_error_string(context);
+		    goto out;
+		}
+	    }
+
+	    break;
+	}
+
+	ret = check_basic_constraints(context, c, type, 
+				      i - proxy_cert_depth - selfsigned_depth);
+	if (ret)
+	    goto out;
+	    
+	/*
+	 * Don't check the trust anchors expiration time since they
+	 * are transported out of band, from RFC3820.
+	 */
+	if (i + 1 != path.len || CHECK_TA(ctx)) {
+
+	    t = _hx509_Time2time_t(&c->tbsCertificate.validity.notBefore);
+	    if (t > ctx->time_now) {
+		ret = HX509_CERT_USED_BEFORE_TIME;
+		hx509_clear_error_string(context);
+		goto out;
+	    }
+	    t = _hx509_Time2time_t(&c->tbsCertificate.validity.notAfter);
+	    if (t < ctx->time_now) {
+		ret = HX509_CERT_USED_AFTER_TIME;
+		hx509_clear_error_string(context);
+		goto out;
+	    }
+	}
+
+	if (type == EE_CERT)
+	    type = CA_CERT;
+	else if (type == PROXY_CERT)
+	    proxy_cert_depth++;
+    }
+
+    /*
+     * Verify constraints, do this backward so path constraints are
+     * checked in the right order.
+     */
+
+    for (ret = 0, i = path.len - 1; i >= 0; i--) {
+	Certificate *c;
+
+	c = _hx509_get_cert(path.val[i]);
+
+	/* verify name constraints, not for selfsigned and anchor */
+	if (!certificate_is_self_signed(c) || i + 1 != path.len) {
+	    ret = check_name_constraints(context, &nc, c);
+	    if (ret) {
+		goto out;
+	    }
+	}
+	ret = add_name_constraints(context, c, i == 0, &nc);
+	if (ret)
+	    goto out;
+
+	/* XXX verify all other silly constraints */
+
+    }
+
+    /*
+     * Verify that no certificates has been revoked.
+     */
+
+    if (ctx->revoke_ctx) {
+	hx509_certs certs;
+
+	ret = hx509_certs_init(context, "MEMORY:revoke-certs", 0,
+			       NULL, &certs);
+	if (ret)
+	    goto out;
+
+	for (i = 0; i < path.len; i++) {
+	    ret = hx509_certs_add(context, certs, path.val[i]);
+	    if (ret) {
+		hx509_certs_free(&certs);
+		goto out;
+	    }
+	}
+	ret = hx509_certs_merge(context, certs, pool);
+	if (ret) {
+	    hx509_certs_free(&certs);
+	    goto out;
+	}
+
+	for (i = 0; i < path.len - 1; i++) {
+	    int parent = (i < path.len - 1) ? i + 1 : i;
+
+	    ret = hx509_revoke_verify(context,
+				      ctx->revoke_ctx, 
+				      certs,
+				      ctx->time_now,
+				      path.val[i],
+				      path.val[parent]);
+	    if (ret) {
+		hx509_certs_free(&certs);
+		goto out;
+	    }
+	}
+	hx509_certs_free(&certs);
+    }
+
+    /*
+     * Verify signatures, do this backward so public key working
+     * parameter is passed up from the anchor up though the chain.
+     */
+
+    for (i = path.len - 1; i >= 0; i--) {
+	Certificate *signer, *c;
+
+	c = _hx509_get_cert(path.val[i]);
+
+	/* is last in chain (trust anchor) */
+	if (i + 1 == path.len) {
+	    signer = path.val[i]->data;
+
+	    /* if trust anchor is not self signed, don't check sig */
+	    if (!certificate_is_self_signed(signer))
+		continue;
+	} else {
+	    /* take next certificate in chain */
+	    signer = path.val[i + 1]->data;
+	}
+
+	/* verify signatureValue */
+	ret = _hx509_verify_signature_bitstring(context,
+						signer,
+						&c->signatureAlgorithm,
+						&c->tbsCertificate._save,
+						&c->signatureValue);
+	if (ret) {
+	    hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
+				   "Failed to verify signature of certificate");
+	    goto out;
+	}
+    }
+
+out:
+    hx509_certs_free(&anchors);
+    free_Name(&proxy_issuer);
+    free_name_constraints(&nc);
+    _hx509_path_free(&path);
+
+    return ret;
+}
+
+/**
+ * Verify a signature made using the private key of an certificate.
+ *
+ * @param context A hx509 context.
+ * @param signer the certificate that made the signature.
+ * @param alg algorthm that was used to sign the data.
+ * @param data the data that was signed.
+ * @param sig the sigature to verify.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_crypto
+ */
+
+int
+hx509_verify_signature(hx509_context context,
+		       const hx509_cert signer,
+		       const AlgorithmIdentifier *alg,
+		       const heim_octet_string *data,
+		       const heim_octet_string *sig)
+{
+    return _hx509_verify_signature(context, signer->data, alg, data, sig);
+}
+
+
+/**
+ * Verify that the certificate is allowed to be used for the hostname
+ * and address.
+ *
+ * @param context A hx509 context.
+ * @param cert the certificate to match with
+ * @param flags Flags to modify the behavior:
+ * - HX509_VHN_F_ALLOW_NO_MATCH no match is ok
+ * @param type type of hostname:
+ * - HX509_HN_HOSTNAME for plain hostname.
+ * - HX509_HN_DNSSRV for DNS SRV names.
+ * @param hostname the hostname to check
+ * @param sa address of the host
+ * @param sa_size length of address
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
+int
+hx509_verify_hostname(hx509_context context,
+		      const hx509_cert cert,
+		      int flags,
+		      hx509_hostname_type type,
+		      const char *hostname,
+		      const struct sockaddr *sa,
+		      /* XXX krb5_socklen_t */ int sa_size) 
+{
+    GeneralNames san;
+    int ret, i, j;
+
+    if (sa && sa_size <= 0)
+	return EINVAL;
+
+    memset(&san, 0, sizeof(san));
+
+    i = 0;
+    do {
+	ret = find_extension_subject_alt_name(cert->data, &i, &san);
+	if (ret == HX509_EXTENSION_NOT_FOUND) {
+	    ret = 0;
+	    break;
+	} else if (ret != 0)
+	    break;
+
+	for (j = 0; j < san.len; j++) {
+	    switch (san.val[j].element) {
+	    case choice_GeneralName_dNSName:
+		if (strcasecmp(san.val[j].u.dNSName, hostname) == 0) {
+		    free_GeneralNames(&san);
+		    return 0;
+		}
+		break;
+	    default:
+		break;
+	    }
+	}
+	free_GeneralNames(&san);
+    } while (1);
+
+    {
+	Name *name = &cert->data->tbsCertificate.subject;
+
+	/* match if first component is a CN= */
+	if (name->u.rdnSequence.len > 0
+	    && name->u.rdnSequence.val[0].len == 1
+	    && der_heim_oid_cmp(&name->u.rdnSequence.val[0].val[0].type,
+				oid_id_at_commonName()) == 0)
+	{
+	    DirectoryString *ds = &name->u.rdnSequence.val[0].val[0].value;
+
+	    switch (ds->element) {
+	    case choice_DirectoryString_printableString:
+		if (strcasecmp(ds->u.printableString, hostname) == 0)
+		    return 0;
+		break;
+	    case choice_DirectoryString_ia5String:
+		if (strcasecmp(ds->u.ia5String, hostname) == 0)
+		    return 0;
+		break;
+	    case choice_DirectoryString_utf8String:
+		if (strcasecmp(ds->u.utf8String, hostname) == 0)
+		    return 0;
+	    default:
+		break;
+	    }
+	}
+    }
+
+    if ((flags & HX509_VHN_F_ALLOW_NO_MATCH) == 0)
+	ret = HX509_NAME_CONSTRAINT_ERROR;
+
+    return ret;
+}
+
+int
+_hx509_set_cert_attribute(hx509_context context,
+			  hx509_cert cert, 
+			  const heim_oid *oid, 
+			  const heim_octet_string *attr)
+{
+    hx509_cert_attribute a;
+    void *d;
+
+    if (hx509_cert_get_attribute(cert, oid) != NULL)
+	return 0;
+
+    d = realloc(cert->attrs.val, 
+		sizeof(cert->attrs.val[0]) * (cert->attrs.len + 1));
+    if (d == NULL) {
+	hx509_clear_error_string(context);
+	return ENOMEM;
+    }
+    cert->attrs.val = d;
+
+    a = malloc(sizeof(*a));
+    if (a == NULL)
+	return ENOMEM;
+
+    der_copy_octet_string(attr, &a->data);
+    der_copy_oid(oid, &a->oid);
+    
+    cert->attrs.val[cert->attrs.len] = a;
+    cert->attrs.len++;
+
+    return 0;
+}
+
+/**
+ * Get an external attribute for the certificate, examples are
+ * friendly name and id.
+ *
+ * @param cert hx509 certificate object to search
+ * @param oid an oid to search for.
+ *
+ * @return an hx509_cert_attribute, only valid as long as the
+ * certificate is referenced.
+ *
+ * @ingroup hx509_cert
+ */
+
+hx509_cert_attribute
+hx509_cert_get_attribute(hx509_cert cert, const heim_oid *oid)
+{
+    int i;
+    for (i = 0; i < cert->attrs.len; i++)
+	if (der_heim_oid_cmp(oid, &cert->attrs.val[i]->oid) == 0)
+	    return cert->attrs.val[i];
+    return NULL;
+}
+
+/**
+ * Set the friendly name on the certificate.
+ *
+ * @param cert The certificate to set the friendly name on
+ * @param name Friendly name.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
+int
+hx509_cert_set_friendly_name(hx509_cert cert, const char *name)
+{
+    if (cert->friendlyname)
+	free(cert->friendlyname);
+    cert->friendlyname = strdup(name);
+    if (cert->friendlyname == NULL)
+	return ENOMEM;
+    return 0;
+}
+
+/**
+ * Get friendly name of the certificate.
+ *
+ * @param cert cert to get the friendly name from.
+ *
+ * @return an friendly name or NULL if there is. The friendly name is
+ * only valid as long as the certificate is referenced.
+ *
+ * @ingroup hx509_cert
+ */
+
+const char *
+hx509_cert_get_friendly_name(hx509_cert cert)
+{
+    hx509_cert_attribute a;
+    PKCS9_friendlyName n;
+    size_t sz;
+    int ret, i;
+
+    if (cert->friendlyname)
+	return cert->friendlyname;
+
+    a = hx509_cert_get_attribute(cert, oid_id_pkcs_9_at_friendlyName());
+    if (a == NULL) {
+	/* XXX use subject name ? */
+	return NULL; 
+    }
+
+    ret = decode_PKCS9_friendlyName(a->data.data, a->data.length, &n, &sz);
+    if (ret)
+	return NULL;
+	
+    if (n.len != 1) {
+	free_PKCS9_friendlyName(&n);
+	return NULL;
+    }
+    
+    cert->friendlyname = malloc(n.val[0].length + 1);
+    if (cert->friendlyname == NULL) {
+	free_PKCS9_friendlyName(&n);
+	return NULL;
+    }
+    
+    for (i = 0; i < n.val[0].length; i++) {
+	if (n.val[0].data[i] <= 0xff)
+	    cert->friendlyname[i] = n.val[0].data[i] & 0xff;
+	else
+	    cert->friendlyname[i] = 'X';
+    }
+    cert->friendlyname[i] = '\0';
+    free_PKCS9_friendlyName(&n);
+
+    return cert->friendlyname;
+}
+
+void
+_hx509_query_clear(hx509_query *q)
+{
+    memset(q, 0, sizeof(*q));
+}
+
+/**
+ * Allocate an query controller. Free using hx509_query_free().
+ *
+ * @param context A hx509 context.
+ * @param q return pointer to a hx509_query.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
+int
+hx509_query_alloc(hx509_context context, hx509_query **q)
+{
+    *q = calloc(1, sizeof(**q));
+    if (*q == NULL)
+	return ENOMEM;
+    return 0;
+}
+
+/**
+ * Set match options for the hx509 query controller.
+ *
+ * @param q query controller.
+ * @param option options to control the query controller.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
+void
+hx509_query_match_option(hx509_query *q, hx509_query_option option)
+{
+    switch(option) {
+    case HX509_QUERY_OPTION_PRIVATE_KEY:
+	q->match |= HX509_QUERY_PRIVATE_KEY;
+	break;
+    case HX509_QUERY_OPTION_KU_ENCIPHERMENT:
+	q->match |= HX509_QUERY_KU_ENCIPHERMENT;
+	break;
+    case HX509_QUERY_OPTION_KU_DIGITALSIGNATURE:
+	q->match |= HX509_QUERY_KU_DIGITALSIGNATURE;
+	break;
+    case HX509_QUERY_OPTION_KU_KEYCERTSIGN:
+	q->match |= HX509_QUERY_KU_KEYCERTSIGN;
+	break;
+    case HX509_QUERY_OPTION_END:
+    default:
+	break;
+    }
+}
+
+/**
+ * Set the issuer and serial number of match in the query
+ * controller. The function make copies of the isser and serial number.
+ *
+ * @param q a hx509 query controller
+ * @param issuer issuer to search for
+ * @param serialNumber the serialNumber of the issuer.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
+int
+hx509_query_match_issuer_serial(hx509_query *q,
+				const Name *issuer, 
+				const heim_integer *serialNumber)
+{
+    int ret;
+    if (q->serial) {
+	der_free_heim_integer(q->serial);
+	free(q->serial);
+    }
+    q->serial = malloc(sizeof(*q->serial));
+    if (q->serial == NULL)
+	return ENOMEM;
+    ret = der_copy_heim_integer(serialNumber, q->serial);
+    if (ret) {
+	free(q->serial);
+	q->serial = NULL;
+	return ret;
+    }
+    if (q->issuer_name) {
+	free_Name(q->issuer_name);
+	free(q->issuer_name);
+    }
+    q->issuer_name = malloc(sizeof(*q->issuer_name));
+    if (q->issuer_name == NULL)
+	return ENOMEM;
+    ret = copy_Name(issuer, q->issuer_name);
+    if (ret) {
+	free(q->issuer_name);
+	q->issuer_name = NULL;
+	return ret;
+    }
+    q->match |= HX509_QUERY_MATCH_SERIALNUMBER|HX509_QUERY_MATCH_ISSUER_NAME;
+    return 0;
+}
+
+/**
+ * Set the query controller to match on a friendly name
+ *
+ * @param q a hx509 query controller.
+ * @param name a friendly name to match on
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
+int
+hx509_query_match_friendly_name(hx509_query *q, const char *name)
+{
+    if (q->friendlyname)
+	free(q->friendlyname);
+    q->friendlyname = strdup(name);
+    if (q->friendlyname == NULL)
+	return ENOMEM;
+    q->match |= HX509_QUERY_MATCH_FRIENDLY_NAME;
+    return 0;
+}
+
+/**
+ * Set the query controller to match using a specific match function.
+ *
+ * @param q a hx509 query controller.
+ * @param func function to use for matching, if the argument is NULL,
+ * the match function is removed.
+ * @param ctx context passed to the function.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
+int
+hx509_query_match_cmp_func(hx509_query *q,
+			   int (*func)(void *, hx509_cert),
+			   void *ctx)
+{
+    if (func)
+	q->match |= HX509_QUERY_MATCH_FUNCTION;
+    else
+	q->match &= ~HX509_QUERY_MATCH_FUNCTION;
+    q->cmp_func = func;
+    q->cmp_func_ctx = ctx;
+    return 0;
+}
+
+/**
+ * Free the query controller.
+ *
+ * @param context A hx509 context.
+ * @param q a pointer to the query controller.
+ *
+ * @ingroup hx509_cert
+ */
+
+void
+hx509_query_free(hx509_context context, hx509_query *q)
+{
+    if (q->serial) {
+	der_free_heim_integer(q->serial);
+	free(q->serial);
+	q->serial = NULL;
+    }
+    if (q->issuer_name) {
+	free_Name(q->issuer_name);
+	free(q->issuer_name);
+	q->issuer_name = NULL;
+    }
+    if (q) {
+	free(q->friendlyname);
+	memset(q, 0, sizeof(*q));
+    }
+    free(q);
+}
+
+int
+_hx509_query_match_cert(hx509_context context, const hx509_query *q, hx509_cert cert)
+{
+    Certificate *c = _hx509_get_cert(cert);
+
+    _hx509_query_statistic(context, 1, q);
+
+    if ((q->match & HX509_QUERY_FIND_ISSUER_CERT) &&
+	_hx509_cert_is_parent_cmp(q->subject, c, 0) != 0)
+	return 0;
+
+    if ((q->match & HX509_QUERY_MATCH_CERTIFICATE) &&
+	_hx509_Certificate_cmp(q->certificate, c) != 0)
+	return 0;
+
+    if ((q->match & HX509_QUERY_MATCH_SERIALNUMBER)
+	&& der_heim_integer_cmp(&c->tbsCertificate.serialNumber, q->serial) != 0)
+	return 0;
+
+    if ((q->match & HX509_QUERY_MATCH_ISSUER_NAME)
+	&& _hx509_name_cmp(&c->tbsCertificate.issuer, q->issuer_name) != 0)
+	return 0;
+
+    if ((q->match & HX509_QUERY_MATCH_SUBJECT_NAME)
+	&& _hx509_name_cmp(&c->tbsCertificate.subject, q->subject_name) != 0)
+	return 0;
+
+    if (q->match & HX509_QUERY_MATCH_SUBJECT_KEY_ID) {
+	SubjectKeyIdentifier si;
+	int ret;
+
+	ret = _hx509_find_extension_subject_key_id(c, &si);
+	if (ret == 0) {
+	    if (der_heim_octet_string_cmp(&si, q->subject_id) != 0)
+		ret = 1;
+	    free_SubjectKeyIdentifier(&si);
+	}
+	if (ret)
+	    return 0;
+    }
+    if ((q->match & HX509_QUERY_MATCH_ISSUER_ID))
+	return 0;
+    if ((q->match & HX509_QUERY_PRIVATE_KEY) && 
+	_hx509_cert_private_key(cert) == NULL)
+	return 0;
+
+    {
+	unsigned ku = 0;
+	if (q->match & HX509_QUERY_KU_DIGITALSIGNATURE)
+	    ku |= (1 << 0);
+	if (q->match & HX509_QUERY_KU_NONREPUDIATION)
+	    ku |= (1 << 1);
+	if (q->match & HX509_QUERY_KU_ENCIPHERMENT)
+	    ku |= (1 << 2);
+	if (q->match & HX509_QUERY_KU_DATAENCIPHERMENT)
+	    ku |= (1 << 3);
+	if (q->match & HX509_QUERY_KU_KEYAGREEMENT)
+	    ku |= (1 << 4);
+	if (q->match & HX509_QUERY_KU_KEYCERTSIGN)
+	    ku |= (1 << 5);
+	if (q->match & HX509_QUERY_KU_CRLSIGN)
+	    ku |= (1 << 6);
+	if (ku && check_key_usage(context, c, ku, TRUE))
+	    return 0;
+    }
+    if ((q->match & HX509_QUERY_ANCHOR))
+	return 0;
+
+    if (q->match & HX509_QUERY_MATCH_LOCAL_KEY_ID) {
+	hx509_cert_attribute a;
+
+	a = hx509_cert_get_attribute(cert, oid_id_pkcs_9_at_localKeyId());
+	if (a == NULL)
+	    return 0;
+	if (der_heim_octet_string_cmp(&a->data, q->local_key_id) != 0)
+	    return 0;
+    }
+
+    if (q->match & HX509_QUERY_NO_MATCH_PATH) {
+	size_t i;
+
+	for (i = 0; i < q->path->len; i++)
+	    if (hx509_cert_cmp(q->path->val[i], cert) == 0)
+		return 0;
+    }
+    if (q->match & HX509_QUERY_MATCH_FRIENDLY_NAME) {
+	const char *name = hx509_cert_get_friendly_name(cert);
+	if (name == NULL)
+	    return 0;
+	if (strcasecmp(q->friendlyname, name) != 0)
+	    return 0;
+    }
+    if (q->match & HX509_QUERY_MATCH_FUNCTION) {
+	int ret = (*q->cmp_func)(q->cmp_func_ctx, cert);
+	if (ret != 0)
+	    return 0;
+    }
+
+    if (q->match & HX509_QUERY_MATCH_KEY_HASH_SHA1) {
+	heim_octet_string os;
+	int ret;
+
+	os.data = c->tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data;
+	os.length = 
+	    c->tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.length / 8;
+
+	ret = _hx509_verify_signature(context,
+				      NULL,
+				      hx509_signature_sha1(),
+				      &os,
+				      q->keyhash_sha1);
+	if (ret != 0)
+	    return 0;
+    }
+
+    if (q->match & HX509_QUERY_MATCH_TIME) {
+	time_t t;
+	t = _hx509_Time2time_t(&c->tbsCertificate.validity.notBefore);
+	if (t > q->timenow)
+	    return 0;
+	t = _hx509_Time2time_t(&c->tbsCertificate.validity.notAfter);
+	if (t < q->timenow)
+	    return 0;
+    }
+
+    if (q->match & ~HX509_QUERY_MASK)
+	return 0;
+
+    return 1;
+}
+
+/**
+ * Set a statistic file for the query statistics.
+ *
+ * @param context A hx509 context.
+ * @param fn statistics file name
+ *
+ * @ingroup hx509_cert
+ */
+
+void
+hx509_query_statistic_file(hx509_context context, const char *fn)
+{
+    if (context->querystat)
+	free(context->querystat);
+    context->querystat = strdup(fn);
+}
+
+void
+_hx509_query_statistic(hx509_context context, int type, const hx509_query *q)
+{
+    FILE *f;
+    if (context->querystat == NULL)
+	return;
+    f = fopen(context->querystat, "a");
+    if (f == NULL)
+	return;
+    fprintf(f, "%d %d\n", type, q->match);
+    fclose(f);
+}
+
+static const char *statname[] = {
+    "find issuer cert",
+    "match serialnumber",
+    "match issuer name",
+    "match subject name",
+    "match subject key id",
+    "match issuer id",
+    "private key",
+    "ku encipherment",
+    "ku digitalsignature",
+    "ku keycertsign",
+    "ku crlsign",
+    "ku nonrepudiation",
+    "ku keyagreement",
+    "ku dataencipherment",
+    "anchor",
+    "match certificate",
+    "match local key id",
+    "no match path",
+    "match friendly name",
+    "match function",
+    "match key hash sha1",
+    "match time"
+};
+
+struct stat_el {
+    unsigned long stats;
+    unsigned int index;
+};
+
+
+static int
+stat_sort(const void *a, const void *b)
+{
+    const struct stat_el *ae = a;
+    const struct stat_el *be = b;
+    return be->stats - ae->stats;
+}
+
+/**
+ * Unparse the statistics file and print the result on a FILE descriptor.
+ *
+ * @param context A hx509 context.
+ * @param printtype tyep to print
+ * @param out the FILE to write the data on.
+ *
+ * @ingroup hx509_cert
+ */
+
+void
+hx509_query_unparse_stats(hx509_context context, int printtype, FILE *out)
+{
+    rtbl_t t;
+    FILE *f;
+    int type, mask, i, num;
+    unsigned long multiqueries = 0, totalqueries = 0;
+    struct stat_el stats[32];
+
+    if (context->querystat == NULL)
+	return;
+    f = fopen(context->querystat, "r");
+    if (f == NULL) {
+	fprintf(out, "No statistic file %s: %s.\n", 
+		context->querystat, strerror(errno));
+	return;
+    }
+    
+    for (i = 0; i < sizeof(stats)/sizeof(stats[0]); i++) {
+	stats[i].index = i;
+	stats[i].stats = 0;
+    }
+
+    while (fscanf(f, "%d %d\n", &type, &mask) == 2) {
+	if (type != printtype)
+	    continue;
+	num = i = 0;
+	while (mask && i < sizeof(stats)/sizeof(stats[0])) {
+	    if (mask & 1) {
+		stats[i].stats++;
+		num++;
+	    }
+	    mask = mask >>1 ;
+	    i++;
+	}
+	if (num > 1)
+	    multiqueries++;
+	totalqueries++;
+    }
+    fclose(f);
+
+    qsort(stats, sizeof(stats)/sizeof(stats[0]), sizeof(stats[0]), stat_sort);
+
+    t = rtbl_create();
+    if (t == NULL)
+	errx(1, "out of memory");
+
+    rtbl_set_separator (t, "  ");
+    
+    rtbl_add_column_by_id (t, 0, "Name", 0);
+    rtbl_add_column_by_id (t, 1, "Counter", 0);
+
+
+    for (i = 0; i < sizeof(stats)/sizeof(stats[0]); i++) {
+	char str[10];
+
+	if (stats[i].index < sizeof(statname)/sizeof(statname[0])) 
+	    rtbl_add_column_entry_by_id (t, 0, statname[stats[i].index]);
+	else {
+	    snprintf(str, sizeof(str), "%d", stats[i].index);
+	    rtbl_add_column_entry_by_id (t, 0, str);
+	}
+	snprintf(str, sizeof(str), "%lu", stats[i].stats);
+	rtbl_add_column_entry_by_id (t, 1, str);
+    }
+
+    rtbl_format(t, out);
+    rtbl_destroy(t);
+
+    fprintf(out, "\nQueries: multi %lu total %lu\n", 
+	    multiqueries, totalqueries);
+}
+
+/**
+ * Check the extended key usage on the hx509 certificate.
+ *
+ * @param context A hx509 context.
+ * @param cert A hx509 context.
+ * @param eku the EKU to check for
+ * @param allow_any_eku if the any EKU is set, allow that to be a
+ * substitute.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
+int
+hx509_cert_check_eku(hx509_context context, hx509_cert cert,
+		     const heim_oid *eku, int allow_any_eku)
+{
+    ExtKeyUsage e;
+    int ret, i;
+
+    ret = find_extension_eku(_hx509_get_cert(cert), &e);
+    if (ret) {
+	hx509_clear_error_string(context);
+	return ret;
+    }
+
+    for (i = 0; i < e.len; i++) {
+	if (der_heim_oid_cmp(eku, &e.val[i]) == 0) {
+	    free_ExtKeyUsage(&e);
+	    return 0;
+	}
+	if (allow_any_eku) {
+#if 0
+	    if (der_heim_oid_cmp(id_any_eku, &e.val[i]) == 0) {
+		free_ExtKeyUsage(&e);
+		return 0;
+	    }
+#endif
+	}
+    }
+    free_ExtKeyUsage(&e);
+    hx509_clear_error_string(context);
+    return HX509_CERTIFICATE_MISSING_EKU;
+}
+
+int
+_hx509_cert_get_keyusage(hx509_context context,
+			 hx509_cert c,
+			 KeyUsage *ku)
+{
+    Certificate *cert;
+    const Extension *e;
+    size_t size;
+    int ret, i = 0;
+
+    memset(ku, 0, sizeof(*ku));
+
+    cert = _hx509_get_cert(c);
+
+    if (_hx509_cert_get_version(cert) < 3)
+	return 0;
+
+    e = find_extension(cert, oid_id_x509_ce_keyUsage(), &i);
+    if (e == NULL)
+	return HX509_KU_CERT_MISSING;
+    
+    ret = decode_KeyUsage(e->extnValue.data, e->extnValue.length, ku, &size);
+    if (ret)
+	return ret;
+    return 0;
+}
+
+int
+_hx509_cert_get_eku(hx509_context context,
+		    hx509_cert cert,
+		    ExtKeyUsage *e)
+{
+    int ret;
+
+    memset(e, 0, sizeof(*e));
+
+    ret = find_extension_eku(_hx509_get_cert(cert), e);
+    if (ret && ret != HX509_EXTENSION_NOT_FOUND) {
+	hx509_clear_error_string(context);
+	return ret;
+    }
+    return 0;
+}
+
+/**
+ * Encodes the hx509 certificate as a DER encode binary.
+ *
+ * @param context A hx509 context.
+ * @param c the certificate to encode.
+ * @param os the encode certificate, set to NULL, 0 on case of
+ * error. Free the returned structure with hx509_xfree().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
+int
+hx509_cert_binary(hx509_context context, hx509_cert c, heim_octet_string *os)
+{
+    size_t size;
+    int ret;
+
+    os->data = NULL;
+    os->length = 0;
+
+    ASN1_MALLOC_ENCODE(Certificate, os->data, os->length, 
+		       _hx509_get_cert(c), &size, ret);
+    if (ret) {
+	os->data = NULL;
+	os->length = 0;
+	return ret;
+    }
+    if (os->length != size)
+	_hx509_abort("internal ASN.1 encoder error");
+
+    return ret;
+}
+
+/*
+ * Last to avoid lost __attribute__s due to #undef.
+ */
+
+#undef __attribute__
+#define __attribute__(X)
+
+void
+_hx509_abort(const char *fmt, ...)
+     __attribute__ ((noreturn, format (printf, 1, 2)))
+{
+    va_list ap;
+    va_start(ap, fmt);
+    vprintf(fmt, ap);
+    va_end(ap);
+    printf("\n");
+    fflush(stdout);
+    abort();
+}
+
+/**
+ * Free a data element allocated in the library.
+ *
+ * @param ptr data to be freed.
+ *
+ * @ingroup hx509_misc
+ */
+
+void
+hx509_xfree(void *ptr)
+{
+    free(ptr);
+}
diff --git a/crypto/heimdal/lib/hx509/cms.c b/crypto/heimdal/lib/hx509/cms.c
new file mode 100644
index 0000000..80bcaac
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/cms.c
@@ -0,0 +1,1426 @@
+/*
+ * Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "hx_locl.h"
+RCSID("$Id: cms.c 22327 2007-12-15 04:49:37Z lha $");
+
+/**
+ * @page page_cms CMS/PKCS7 message functions.
+ *
+ * CMS is defined in RFC 3369 and is an continuation of the RSA Labs
+ * standard PKCS7. The basic messages in CMS is 
+ *
+ * - SignedData
+ *   Data signed with private key (RSA, DSA, ECDSA) or secret
+ *   (symmetric) key
+ * - EnvelopedData
+ *   Data encrypted with private key (RSA)
+ * - EncryptedData
+ *   Data encrypted with secret (symmetric) key.
+ * - ContentInfo
+ *   Wrapper structure including type and data.
+ *
+ *
+ * See the library functions here: @ref hx509_cms
+ */
+
+#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
+#define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0)
+
+/**
+ * Wrap data and oid in a ContentInfo and encode it.
+ *
+ * @param oid type of the content.
+ * @param buf data to be wrapped. If a NULL pointer is passed in, the
+ * optional content field in the ContentInfo is not going be filled
+ * in.
+ * @param res the encoded buffer, the result should be freed with
+ * der_free_octet_string().
+ *
+ * @return Returns an hx509 error code.
+ * 
+ * @ingroup hx509_cms
+ */
+
+int
+hx509_cms_wrap_ContentInfo(const heim_oid *oid,
+			   const heim_octet_string *buf,
+			   heim_octet_string *res)
+{
+    ContentInfo ci;
+    size_t size;
+    int ret;
+
+    memset(res, 0, sizeof(*res));
+    memset(&ci, 0, sizeof(ci));
+
+    ret = der_copy_oid(oid, &ci.contentType);
+    if (ret)
+	return ret;
+    if (buf) {
+	ALLOC(ci.content, 1);
+	if (ci.content == NULL) {
+	    free_ContentInfo(&ci);
+	    return ENOMEM;
+	}
+	ci.content->data = malloc(buf->length);
+	if (ci.content->data == NULL) {
+	    free_ContentInfo(&ci);
+	    return ENOMEM;
+	}
+	memcpy(ci.content->data, buf->data, buf->length);
+	ci.content->length = buf->length;
+    }
+
+    ASN1_MALLOC_ENCODE(ContentInfo, res->data, res->length, &ci, &size, ret);
+    free_ContentInfo(&ci);
+    if (ret)
+	return ret;
+    if (res->length != size)
+	_hx509_abort("internal ASN.1 encoder error");
+
+    return 0;
+}
+
+/**
+ * Decode an ContentInfo and unwrap data and oid it.
+ *
+ * @param in the encoded buffer.
+ * @param oid type of the content.
+ * @param out data to be wrapped.
+ * @param have_data since the data is optional, this flags show dthe
+ * diffrence between no data and the zero length data.
+ *
+ * @return Returns an hx509 error code.
+ * 
+ * @ingroup hx509_cms
+ */
+
+int
+hx509_cms_unwrap_ContentInfo(const heim_octet_string *in,
+			     heim_oid *oid,
+			     heim_octet_string *out,
+			     int *have_data)
+{
+    ContentInfo ci;
+    size_t size;
+    int ret;
+
+    memset(oid, 0, sizeof(*oid));
+    memset(out, 0, sizeof(*out));
+
+    ret = decode_ContentInfo(in->data, in->length, &ci, &size);
+    if (ret)
+	return ret;
+
+    ret = der_copy_oid(&ci.contentType, oid);
+    if (ret) {
+	free_ContentInfo(&ci);
+	return ret;
+    }
+    if (ci.content) {
+	ret = der_copy_octet_string(ci.content, out);
+	if (ret) {
+	    der_free_oid(oid);
+	    free_ContentInfo(&ci);
+	    return ret;
+	}
+    } else
+	memset(out, 0, sizeof(*out));
+
+    if (have_data)
+	*have_data = (ci.content != NULL) ? 1 : 0;
+
+    free_ContentInfo(&ci);
+
+    return 0;
+}
+
+#define CMS_ID_SKI	0
+#define CMS_ID_NAME	1
+
+static int
+fill_CMSIdentifier(const hx509_cert cert,
+		   int type,
+		   CMSIdentifier *id)
+{
+    int ret;
+
+    switch (type) {
+    case CMS_ID_SKI:
+	id->element = choice_CMSIdentifier_subjectKeyIdentifier;
+	ret = _hx509_find_extension_subject_key_id(_hx509_get_cert(cert),
+						   &id->u.subjectKeyIdentifier);
+	if (ret == 0)
+	    break;
+	/* FALL THOUGH */
+    case CMS_ID_NAME: {
+	hx509_name name;
+
+	id->element = choice_CMSIdentifier_issuerAndSerialNumber;
+	ret = hx509_cert_get_issuer(cert, &name);
+	if (ret)
+	    return ret;
+	ret = hx509_name_to_Name(name, &id->u.issuerAndSerialNumber.issuer);
+	hx509_name_free(&name);
+	if (ret)
+	    return ret;
+
+	ret = hx509_cert_get_serialnumber(cert, &id->u.issuerAndSerialNumber.serialNumber);
+	break;
+    }
+    default:
+	_hx509_abort("CMS fill identifier with unknown type");
+    }
+    return ret;
+}
+
+static int
+unparse_CMSIdentifier(hx509_context context,
+		      CMSIdentifier *id,
+		      char **str)
+{
+    int ret;
+
+    *str = NULL;
+    switch (id->element) {
+    case choice_CMSIdentifier_issuerAndSerialNumber: {
+	IssuerAndSerialNumber *iasn;
+	char *serial, *name;
+
+	iasn = &id->u.issuerAndSerialNumber;
+
+	ret = _hx509_Name_to_string(&iasn->issuer, &name);
+	if(ret)
+	    return ret;
+	ret = der_print_hex_heim_integer(&iasn->serialNumber, &serial);
+	if (ret) {
+	    free(name);
+	    return ret;
+	}
+	asprintf(str, "certificate issued by %s with serial number %s",
+		 name, serial);
+	free(name);
+	free(serial);
+	break;
+    }
+    case choice_CMSIdentifier_subjectKeyIdentifier: {
+	KeyIdentifier *ki  = &id->u.subjectKeyIdentifier;
+	char *keyid;
+	ssize_t len;
+
+	len = hex_encode(ki->data, ki->length, &keyid);
+	if (len < 0)
+	    return ENOMEM;
+
+	asprintf(str, "certificate with id %s", keyid);
+	free(keyid);
+	break;
+    }
+    default:
+	asprintf(str, "certificate have unknown CMSidentifier type");
+	break;
+    }
+    if (*str == NULL)
+	return ENOMEM;
+    return 0;
+}
+
+static int
+find_CMSIdentifier(hx509_context context,
+		   CMSIdentifier *client,
+		   hx509_certs certs,
+		   hx509_cert *signer_cert,
+		   int match)
+{
+    hx509_query q;
+    hx509_cert cert;
+    Certificate c;
+    int ret;
+
+    memset(&c, 0, sizeof(c));
+    _hx509_query_clear(&q);
+
+    *signer_cert = NULL;
+
+    switch (client->element) {
+    case choice_CMSIdentifier_issuerAndSerialNumber:
+	q.serial = &client->u.issuerAndSerialNumber.serialNumber;
+	q.issuer_name = &client->u.issuerAndSerialNumber.issuer;
+	q.match = HX509_QUERY_MATCH_SERIALNUMBER|HX509_QUERY_MATCH_ISSUER_NAME;
+	break;
+    case choice_CMSIdentifier_subjectKeyIdentifier:
+	q.subject_id = &client->u.subjectKeyIdentifier;
+	q.match = HX509_QUERY_MATCH_SUBJECT_KEY_ID;
+	break;
+    default:
+	hx509_set_error_string(context, 0, HX509_CMS_NO_RECIPIENT_CERTIFICATE,
+			       "unknown CMS identifier element");
+	return HX509_CMS_NO_RECIPIENT_CERTIFICATE;
+    }
+
+    q.match |= match;
+
+    q.match |= HX509_QUERY_MATCH_TIME;
+    q.timenow = time(NULL);
+
+    ret = hx509_certs_find(context, certs, &q, &cert);
+    if (ret == HX509_CERT_NOT_FOUND) {
+	char *str;
+
+	ret = unparse_CMSIdentifier(context, client, &str);
+	if (ret == 0) {
+	    hx509_set_error_string(context, 0,
+				   HX509_CMS_NO_RECIPIENT_CERTIFICATE,
+				   "Failed to find %s", str);
+	} else
+	    hx509_clear_error_string(context);
+	return HX509_CMS_NO_RECIPIENT_CERTIFICATE;
+    } else if (ret) {
+	hx509_set_error_string(context, HX509_ERROR_APPEND,
+			       HX509_CMS_NO_RECIPIENT_CERTIFICATE,
+			       "Failed to find CMS id in cert store");
+	return HX509_CMS_NO_RECIPIENT_CERTIFICATE;
+    }
+
+    *signer_cert = cert;
+
+    return 0;
+}
+
+/**
+ * Decode and unencrypt EnvelopedData.
+ *
+ * Extract data and parameteres from from the EnvelopedData. Also
+ * supports using detached EnvelopedData.
+ *
+ * @param context A hx509 context.
+ * @param certs Certificate that can decrypt the EnvelopedData
+ * encryption key.
+ * @param flags HX509_CMS_UE flags to control the behavior.
+ * @param data pointer the structure the contains the DER/BER encoded
+ * EnvelopedData stucture.
+ * @param length length of the data that data point to.
+ * @param encryptedContent in case of detached signature, this
+ * contains the actual encrypted data, othersize its should be NULL.
+ * @param contentType output type oid, should be freed with der_free_oid().
+ * @param content the data, free with der_free_octet_string().
+ *
+ * @ingroup hx509_cms
+ */
+
+int
+hx509_cms_unenvelope(hx509_context context,
+		     hx509_certs certs,
+		     int flags,
+		     const void *data,
+		     size_t length,
+		     const heim_octet_string *encryptedContent,
+		     heim_oid *contentType,
+		     heim_octet_string *content)
+{
+    heim_octet_string key;
+    EnvelopedData ed;
+    hx509_cert cert;
+    AlgorithmIdentifier *ai;
+    const heim_octet_string *enccontent;
+    heim_octet_string *params, params_data;
+    heim_octet_string ivec;
+    size_t size;
+    int ret, i, matched = 0, findflags = 0;
+
+
+    memset(&key, 0, sizeof(key));
+    memset(&ed, 0, sizeof(ed));
+    memset(&ivec, 0, sizeof(ivec));
+    memset(content, 0, sizeof(*content));
+    memset(contentType, 0, sizeof(*contentType));
+
+    if ((flags & HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT) == 0)
+	findflags |= HX509_QUERY_KU_ENCIPHERMENT;
+
+    ret = decode_EnvelopedData(data, length, &ed, &size);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret,
+			       "Failed to decode EnvelopedData");
+	return ret;
+    }
+
+    if (ed.recipientInfos.len == 0) {
+	ret = HX509_CMS_NO_RECIPIENT_CERTIFICATE;
+	hx509_set_error_string(context, 0, ret,
+			       "No recipient info in enveloped data");
+	goto out;
+    }
+
+    enccontent = ed.encryptedContentInfo.encryptedContent;
+    if (enccontent == NULL) {
+	if (encryptedContent == NULL) {
+	    ret = HX509_CMS_NO_DATA_AVAILABLE;
+	    hx509_set_error_string(context, 0, ret,
+				   "Content missing from encrypted data");
+	    goto out;
+	}
+	enccontent = encryptedContent;
+    } else if (encryptedContent != NULL) {
+	ret = HX509_CMS_NO_DATA_AVAILABLE;
+	hx509_set_error_string(context, 0, ret,
+			       "Both internal and external encrypted data");
+	goto out;
+    }
+
+    cert = NULL;
+    for (i = 0; i < ed.recipientInfos.len; i++) {
+	KeyTransRecipientInfo *ri;
+	char *str;
+	int ret2;
+
+	ri = &ed.recipientInfos.val[i];
+
+	ret = find_CMSIdentifier(context, &ri->rid, certs, &cert,
+				 HX509_QUERY_PRIVATE_KEY|findflags);
+	if (ret)
+	    continue;
+
+	matched = 1; /* found a matching certificate, let decrypt */
+
+	ret = _hx509_cert_private_decrypt(context,
+					  &ri->encryptedKey,
+					  &ri->keyEncryptionAlgorithm.algorithm,
+					  cert, &key);
+
+	hx509_cert_free(cert);
+	if (ret == 0)
+	    break; /* succuessfully decrypted cert */
+	cert = NULL;
+	ret2 = unparse_CMSIdentifier(context, &ri->rid, &str);
+	if (ret2 == 0) {
+	    hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
+				   "Failed to decrypt with %s", str);
+	    free(str);
+	}
+    }
+
+    if (!matched) {
+	ret = HX509_CMS_NO_RECIPIENT_CERTIFICATE;
+	hx509_set_error_string(context, 0, ret,
+			       "No private key matched any certificate");
+	goto out;
+    }
+
+    if (cert == NULL) {
+	ret = HX509_CMS_NO_RECIPIENT_CERTIFICATE;
+	hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
+			       "No private key decrypted the transfer key");
+	goto out;
+    }
+
+    ret = der_copy_oid(&ed.encryptedContentInfo.contentType, contentType);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret,
+			       "Failed to copy EnvelopedData content oid");
+	goto out;
+    }
+
+    ai = &ed.encryptedContentInfo.contentEncryptionAlgorithm;
+    if (ai->parameters) {
+	params_data.data = ai->parameters->data;
+	params_data.length = ai->parameters->length;
+	params = &params_data;
+    } else
+	params = NULL;
+
+    {
+	hx509_crypto crypto;
+
+	ret = hx509_crypto_init(context, NULL, &ai->algorithm, &crypto);
+	if (ret)
+	    goto out;
+	
+	if (params) {
+	    ret = hx509_crypto_set_params(context, crypto, params, &ivec);
+	    if (ret) {
+		hx509_crypto_destroy(crypto);
+		goto out;
+	    }
+	}
+
+	ret = hx509_crypto_set_key_data(crypto, key.data, key.length);
+	if (ret) {
+	    hx509_crypto_destroy(crypto);
+	    hx509_set_error_string(context, 0, ret,
+				   "Failed to set key for decryption "
+				   "of EnvelopedData");
+	    goto out;
+	}
+	
+	ret = hx509_crypto_decrypt(crypto,
+				   enccontent->data,
+				   enccontent->length,
+				   ivec.length ? &ivec : NULL,
+				   content);
+	hx509_crypto_destroy(crypto);
+	if (ret) {
+	    hx509_set_error_string(context, 0, ret,
+				   "Failed to decrypt EnvelopedData");
+	    goto out;
+	}
+    }
+
+out:
+
+    free_EnvelopedData(&ed);
+    der_free_octet_string(&key);
+    if (ivec.length)
+	der_free_octet_string(&ivec);
+    if (ret) {
+	der_free_oid(contentType);
+	der_free_octet_string(content);
+    }
+
+    return ret;
+}
+
+/**
+ * Encrypt end encode EnvelopedData.
+ *
+ * Encrypt and encode EnvelopedData. The data is encrypted with a
+ * random key and the the random key is encrypted with the
+ * certificates private key. This limits what private key type can be
+ * used to RSA.
+ *
+ * @param context A hx509 context.
+ * @param flags flags to control the behavior, no flags today
+ * @param cert Certificate to encrypt the EnvelopedData encryption key
+ * with.
+ * @param data pointer the data to encrypt.
+ * @param length length of the data that data point to.
+ * @param encryption_type Encryption cipher to use for the bulk data,
+ * use NULL to get default.
+ * @param contentType type of the data that is encrypted
+ * @param content the output of the function,
+ * free with der_free_octet_string().
+ *
+ * @ingroup hx509_cms
+ */
+
+int
+hx509_cms_envelope_1(hx509_context context,
+		     int flags,
+		     hx509_cert cert,
+		     const void *data,
+		     size_t length,
+		     const heim_oid *encryption_type,
+		     const heim_oid *contentType,
+		     heim_octet_string *content)
+{
+    KeyTransRecipientInfo *ri;
+    heim_octet_string ivec;
+    heim_octet_string key;
+    hx509_crypto crypto = NULL;
+    EnvelopedData ed;
+    size_t size;
+    int ret;
+
+    memset(&ivec, 0, sizeof(ivec));
+    memset(&key, 0, sizeof(key));
+    memset(&ed, 0, sizeof(ed));
+    memset(content, 0, sizeof(*content));
+
+    if (encryption_type == NULL)
+	encryption_type = oid_id_aes_256_cbc();
+
+    ret = _hx509_check_key_usage(context, cert, 1 << 2, TRUE);
+    if (ret)
+	goto out;
+
+    ret = hx509_crypto_init(context, NULL, encryption_type, &crypto);
+    if (ret)
+	goto out;
+
+    ret = hx509_crypto_set_random_key(crypto, &key);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret,
+			       "Create random key for EnvelopedData content");
+	goto out;
+    }
+
+    ret = hx509_crypto_random_iv(crypto, &ivec);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret,
+			       "Failed to create a random iv");
+	goto out;
+    }
+
+    ret = hx509_crypto_encrypt(crypto,
+			       data,
+			       length,
+			       &ivec,
+			       &ed.encryptedContentInfo.encryptedContent);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret,
+			       "Failed to encrypt EnvelopedData content");
+	goto out;
+    }
+
+    {
+	AlgorithmIdentifier *enc_alg;
+	enc_alg = &ed.encryptedContentInfo.contentEncryptionAlgorithm;
+	ret = der_copy_oid(encryption_type, &enc_alg->algorithm);
+	if (ret) {
+	    hx509_set_error_string(context, 0, ret,
+				   "Failed to set crypto oid "
+				   "for EnvelopedData");
+	    goto out;
+	}	
+	ALLOC(enc_alg->parameters, 1);
+	if (enc_alg->parameters == NULL) {
+	    ret = ENOMEM;
+	    hx509_set_error_string(context, 0, ret,
+				   "Failed to allocate crypto paramaters "
+				   "for EnvelopedData");
+	    goto out;
+	}
+
+	ret = hx509_crypto_get_params(context,
+				      crypto,
+				      &ivec,
+				      enc_alg->parameters);
+	if (ret) {
+	    goto out;
+	}
+    }
+
+    ALLOC_SEQ(&ed.recipientInfos, 1);
+    if (ed.recipientInfos.val == NULL) {
+	ret = ENOMEM;
+	hx509_set_error_string(context, 0, ret,
+			       "Failed to allocate recipients info "
+			       "for EnvelopedData");
+	goto out;
+    }
+
+    ri = &ed.recipientInfos.val[0];
+
+    ri->version = 0;
+    ret = fill_CMSIdentifier(cert, CMS_ID_SKI, &ri->rid);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret,
+			       "Failed to set CMS identifier info "
+			       "for EnvelopedData");
+	goto out;
+    }
+
+    ret = _hx509_cert_public_encrypt(context,
+				     &key, cert,
+				     &ri->keyEncryptionAlgorithm.algorithm,
+				     &ri->encryptedKey);
+    if (ret) {
+	hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
+			       "Failed to encrypt transport key for "
+			       "EnvelopedData");
+	goto out;
+    }
+
+    /*
+     *
+     */
+
+    ed.version = 0;
+    ed.originatorInfo = NULL;
+
+    ret = der_copy_oid(contentType, &ed.encryptedContentInfo.contentType);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret,
+			       "Failed to copy content oid for "
+			       "EnvelopedData");
+	goto out;
+    }
+
+    ed.unprotectedAttrs = NULL;
+
+    ASN1_MALLOC_ENCODE(EnvelopedData, content->data, content->length,
+		       &ed, &size, ret);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret,
+			       "Failed to encode EnvelopedData");
+	goto out;
+    }
+    if (size != content->length)
+	_hx509_abort("internal ASN.1 encoder error");
+
+out:
+    if (crypto)
+	hx509_crypto_destroy(crypto);
+    if (ret)
+	der_free_octet_string(content);
+    der_free_octet_string(&key);
+    der_free_octet_string(&ivec);
+    free_EnvelopedData(&ed);
+
+    return ret;
+}
+
+static int
+any_to_certs(hx509_context context, const SignedData *sd, hx509_certs certs)
+{
+    int ret, i;
+
+    if (sd->certificates == NULL)
+	return 0;
+
+    for (i = 0; i < sd->certificates->len; i++) {
+	hx509_cert c;
+
+	ret = hx509_cert_init_data(context, 
+				   sd->certificates->val[i].data, 
+				   sd->certificates->val[i].length,
+				   &c);
+	if (ret)
+	    return ret;
+	ret = hx509_certs_add(context, certs, c);
+	hx509_cert_free(c);
+	if (ret)
+	    return ret;
+    }
+
+    return 0;
+}
+
+static const Attribute *
+find_attribute(const CMSAttributes *attr, const heim_oid *oid)
+{
+    int i;
+    for (i = 0; i < attr->len; i++)
+	if (der_heim_oid_cmp(&attr->val[i].type, oid) == 0)
+	    return &attr->val[i];
+    return NULL;
+}
+
+/**
+ * Decode SignedData and verify that the signature is correct.
+ *
+ * @param context A hx509 context.
+ * @param ctx a hx509 version context
+ * @param data
+ * @param length length of the data that data point to.
+ * @param signedContent
+ * @param pool certificate pool to build certificates paths.
+ * @param contentType free with der_free_oid()
+ * @param content the output of the function, free with
+ * der_free_octet_string().
+ * @param signer_certs list of the cerficates used to sign this
+ * request, free with hx509_certs_free().
+ *
+ * @ingroup hx509_cms
+ */
+
+int
+hx509_cms_verify_signed(hx509_context context,
+			hx509_verify_ctx ctx,
+			const void *data,
+			size_t length,
+			const heim_octet_string *signedContent,
+			hx509_certs pool,
+			heim_oid *contentType,
+			heim_octet_string *content,
+			hx509_certs *signer_certs)
+{
+    SignerInfo *signer_info;
+    hx509_cert cert = NULL;
+    hx509_certs certs = NULL;
+    SignedData sd;
+    size_t size;
+    int ret, i, found_valid_sig;
+
+    *signer_certs = NULL;
+    content->data = NULL;
+    content->length = 0;
+    contentType->length = 0;
+    contentType->components = NULL;
+
+    memset(&sd, 0, sizeof(sd));
+
+    ret = decode_SignedData(data, length, &sd, &size);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret,
+			       "Failed to decode SignedData");
+	goto out;
+    }
+
+    if (sd.encapContentInfo.eContent == NULL && signedContent == NULL) {
+	ret = HX509_CMS_NO_DATA_AVAILABLE;
+	hx509_set_error_string(context, 0, ret,
+			       "No content data in SignedData");
+	goto out;
+    }
+    if (sd.encapContentInfo.eContent && signedContent) {
+	ret = HX509_CMS_NO_DATA_AVAILABLE;
+	hx509_set_error_string(context, 0, ret,
+			       "Both external and internal SignedData");
+	goto out;
+    }
+    if (sd.encapContentInfo.eContent)
+	signedContent = sd.encapContentInfo.eContent;
+
+    ret = hx509_certs_init(context, "MEMORY:cms-cert-buffer",
+			   0, NULL, &certs);
+    if (ret)
+	goto out;
+
+    ret = hx509_certs_init(context, "MEMORY:cms-signer-certs",
+			   0, NULL, signer_certs);
+    if (ret)
+	goto out;
+
+    /* XXX Check CMS version */
+
+    ret = any_to_certs(context, &sd, certs);
+    if (ret)
+	goto out;
+
+    if (pool) {
+	ret = hx509_certs_merge(context, certs, pool);
+	if (ret)
+	    goto out;
+    }
+
+    for (found_valid_sig = 0, i = 0; i < sd.signerInfos.len; i++) {
+	heim_octet_string *signed_data;
+	const heim_oid *match_oid;
+	heim_oid decode_oid;
+
+	signer_info = &sd.signerInfos.val[i];
+	match_oid = NULL;
+
+	if (signer_info->signature.length == 0) {
+	    ret = HX509_CMS_MISSING_SIGNER_DATA;
+	    hx509_set_error_string(context, 0, ret,
+				   "SignerInfo %d in SignedData "
+				   "missing sigature", i);
+	    continue;
+	}
+
+	ret = find_CMSIdentifier(context, &signer_info->sid, certs, &cert,
+				 HX509_QUERY_KU_DIGITALSIGNATURE);
+	if (ret)
+	    continue;
+
+	if (signer_info->signedAttrs) {
+	    const Attribute *attr;
+	
+	    CMSAttributes sa;
+	    heim_octet_string os;
+
+	    sa.val = signer_info->signedAttrs->val;
+	    sa.len = signer_info->signedAttrs->len;
+
+	    /* verify that sigature exists */
+	    attr = find_attribute(&sa, oid_id_pkcs9_messageDigest());
+	    if (attr == NULL) {
+		ret = HX509_CRYPTO_SIGNATURE_MISSING;
+		hx509_set_error_string(context, 0, ret,
+				       "SignerInfo have signed attributes "
+				       "but messageDigest (signature) "
+				       "is missing");
+		goto next_sigature;
+	    }
+	    if (attr->value.len != 1) {
+		ret = HX509_CRYPTO_SIGNATURE_MISSING;
+		hx509_set_error_string(context, 0, ret,
+				       "SignerInfo have more then one "
+				       "messageDigest (signature)");
+		goto next_sigature;
+	    }
+	
+	    ret = decode_MessageDigest(attr->value.val[0].data,
+				       attr->value.val[0].length,
+				       &os,
+				       &size);
+	    if (ret) {
+		hx509_set_error_string(context, 0, ret,
+				       "Failed to decode "
+				       "messageDigest (signature)");
+		goto next_sigature;
+	    }
+
+	    ret = _hx509_verify_signature(context,
+					  NULL,
+					  &signer_info->digestAlgorithm,
+					  signedContent,
+					  &os);
+	    der_free_octet_string(&os);
+	    if (ret) {
+		hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
+				       "Failed to verify messageDigest");
+		goto next_sigature;
+	    }
+
+	    /*
+	     * Fetch content oid inside signedAttrs or set it to
+	     * id-pkcs7-data.
+	     */
+	    attr = find_attribute(&sa, oid_id_pkcs9_contentType());
+	    if (attr == NULL) {
+		match_oid = oid_id_pkcs7_data();
+	    } else {
+		if (attr->value.len != 1) {
+		    ret = HX509_CMS_DATA_OID_MISMATCH;
+		    hx509_set_error_string(context, 0, ret,
+					   "More then one oid in signedAttrs");
+		    goto next_sigature;
+
+		}
+		ret = decode_ContentType(attr->value.val[0].data,
+					 attr->value.val[0].length,
+					 &decode_oid,
+					 &size);
+		if (ret) {
+		    hx509_set_error_string(context, 0, ret,
+					   "Failed to decode "
+					   "oid in signedAttrs");
+		    goto next_sigature;
+		}
+		match_oid = &decode_oid;
+	    }
+
+	    ALLOC(signed_data, 1);
+	    if (signed_data == NULL) {
+		if (match_oid == &decode_oid)
+		    der_free_oid(&decode_oid);
+		ret = ENOMEM;
+		hx509_clear_error_string(context);
+		goto next_sigature;
+	    }
+	
+	    ASN1_MALLOC_ENCODE(CMSAttributes,
+			       signed_data->data,
+			       signed_data->length,
+			       &sa,
+			       &size, ret);
+	    if (ret) {
+		if (match_oid == &decode_oid)
+		    der_free_oid(&decode_oid);
+		free(signed_data);
+		hx509_clear_error_string(context);
+		goto next_sigature;
+	    }
+	    if (size != signed_data->length)
+		_hx509_abort("internal ASN.1 encoder error");
+
+	} else {
+	    signed_data = rk_UNCONST(signedContent);
+	    match_oid = oid_id_pkcs7_data();
+	}
+
+	if (der_heim_oid_cmp(match_oid, &sd.encapContentInfo.eContentType)) {
+	    ret = HX509_CMS_DATA_OID_MISMATCH;
+	    hx509_set_error_string(context, 0, ret,
+				   "Oid in message mismatch from the expected");
+	}
+	if (match_oid == &decode_oid)
+	    der_free_oid(&decode_oid);
+
+	if (ret == 0) {
+	    ret = hx509_verify_signature(context,
+					 cert,
+					 &signer_info->signatureAlgorithm,
+					 signed_data,
+					 &signer_info->signature);
+	    if (ret)
+		hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
+				       "Failed to verify sigature in "
+				       "CMS SignedData");
+	}
+	if (signed_data != signedContent) {
+	    der_free_octet_string(signed_data);
+	    free(signed_data);
+	}
+	if (ret)
+	    goto next_sigature;
+
+	ret = hx509_verify_path(context, ctx, cert, certs);
+	if (ret)
+	    goto next_sigature;
+
+	ret = hx509_certs_add(context, *signer_certs, cert);
+	if (ret)
+	    goto next_sigature;
+
+	found_valid_sig++;
+
+    next_sigature:
+	if (cert)
+	    hx509_cert_free(cert);
+	cert = NULL;
+    }
+    if (found_valid_sig == 0) {
+	if (ret == 0) {
+	    ret = HX509_CMS_SIGNER_NOT_FOUND;
+	    hx509_set_error_string(context, 0, ret,
+				   "No signers where found");
+	}
+	goto out;
+    }
+
+    ret = der_copy_oid(&sd.encapContentInfo.eContentType, contentType);
+    if (ret) {
+	hx509_clear_error_string(context);
+	goto out;
+    }
+
+    content->data = malloc(signedContent->length);
+    if (content->data == NULL) {
+	hx509_clear_error_string(context);
+	ret = ENOMEM;
+	goto out;
+    }
+    content->length = signedContent->length;
+    memcpy(content->data, signedContent->data, content->length);
+
+out:
+    free_SignedData(&sd);
+    if (certs)
+	hx509_certs_free(&certs);
+    if (ret) {
+	if (*signer_certs)
+	    hx509_certs_free(signer_certs);
+	der_free_oid(contentType);
+	der_free_octet_string(content);
+    }
+
+    return ret;
+}
+
+static int
+add_one_attribute(Attribute **attr,
+		  unsigned int *len,
+		  const heim_oid *oid,
+		  heim_octet_string *data)
+{
+    void *d;
+    int ret;
+
+    d = realloc(*attr, sizeof((*attr)[0]) * (*len + 1));
+    if (d == NULL)
+	return ENOMEM;
+    (*attr) = d;
+
+    ret = der_copy_oid(oid, &(*attr)[*len].type);
+    if (ret)
+	return ret;
+
+    ALLOC_SEQ(&(*attr)[*len].value, 1);
+    if ((*attr)[*len].value.val == NULL) {
+	der_free_oid(&(*attr)[*len].type);
+	return ENOMEM;
+    }
+
+    (*attr)[*len].value.val[0].data = data->data;
+    (*attr)[*len].value.val[0].length = data->length;
+
+    *len += 1;
+
+    return 0;
+}
+	
+/**
+ * Decode SignedData and verify that the signature is correct.
+ *
+ * @param context A hx509 context.
+ * @param flags
+ * @param eContentType the type of the data.
+ * @param data data to sign
+ * @param length length of the data that data point to.
+ * @param digest_alg digest algorithm to use, use NULL to get the
+ * default or the peer determined algorithm.
+ * @param cert certificate to use for sign the data.
+ * @param peer info about the peer the message to send the message to,
+ * like what digest algorithm to use.
+ * @param anchors trust anchors that the client will use, used to
+ * polulate the certificates included in the message
+ * @param pool certificates to use in try to build the path to the
+ * trust anchors.
+ * @param signed_data the output of the function, free with
+ * der_free_octet_string().
+ *
+ * @ingroup hx509_cms
+ */
+
+int
+hx509_cms_create_signed_1(hx509_context context,
+			  int flags,
+			  const heim_oid *eContentType,
+			  const void *data, size_t length,
+			  const AlgorithmIdentifier *digest_alg,
+			  hx509_cert cert,
+			  hx509_peer_info peer,
+			  hx509_certs anchors,
+			  hx509_certs pool,
+			  heim_octet_string *signed_data)
+{
+    AlgorithmIdentifier digest;
+    hx509_name name;
+    SignerInfo *signer_info;
+    heim_octet_string buf, content, sigdata = { 0, NULL };
+    SignedData sd;
+    int ret;
+    size_t size;
+    hx509_path path;
+    int cmsidflag = CMS_ID_SKI;
+
+    memset(&sd, 0, sizeof(sd));
+    memset(&name, 0, sizeof(name));
+    memset(&path, 0, sizeof(path));
+    memset(&digest, 0, sizeof(digest));
+
+    content.data = rk_UNCONST(data);
+    content.length = length;
+
+    if (flags & HX509_CMS_SIGATURE_ID_NAME)
+	cmsidflag = CMS_ID_NAME;
+
+    if (_hx509_cert_private_key(cert) == NULL) {
+	hx509_set_error_string(context, 0, HX509_PRIVATE_KEY_MISSING,
+			       "Private key missing for signing");
+	return HX509_PRIVATE_KEY_MISSING;
+    }
+
+    if (digest_alg == NULL) {
+	ret = hx509_crypto_select(context, HX509_SELECT_DIGEST,
+				  _hx509_cert_private_key(cert), peer, &digest);
+    } else {
+	ret = copy_AlgorithmIdentifier(digest_alg, &digest);
+	if (ret)
+	    hx509_clear_error_string(context);
+    }
+    if (ret)
+	goto out;
+
+    sd.version = CMSVersion_v3;
+
+    if (eContentType == NULL)
+	eContentType = oid_id_pkcs7_data();
+
+    der_copy_oid(eContentType, &sd.encapContentInfo.eContentType);
+
+    /* */
+    if ((flags & HX509_CMS_SIGATURE_DETACHED) == 0) {
+	ALLOC(sd.encapContentInfo.eContent, 1);
+	if (sd.encapContentInfo.eContent == NULL) {
+	    hx509_clear_error_string(context);
+	    ret = ENOMEM;
+	    goto out;
+	}
+	
+	sd.encapContentInfo.eContent->data = malloc(length);
+	if (sd.encapContentInfo.eContent->data == NULL) {
+	    hx509_clear_error_string(context);
+	    ret = ENOMEM;
+	    goto out;
+	}
+	memcpy(sd.encapContentInfo.eContent->data, data, length);
+	sd.encapContentInfo.eContent->length = length;
+    }
+
+    ALLOC_SEQ(&sd.signerInfos, 1);
+    if (sd.signerInfos.val == NULL) {
+	hx509_clear_error_string(context);
+	ret = ENOMEM;
+	goto out;
+    }
+
+    signer_info = &sd.signerInfos.val[0];
+
+    signer_info->version = 1;
+
+    ret = fill_CMSIdentifier(cert, cmsidflag, &signer_info->sid);
+    if (ret) {
+	hx509_clear_error_string(context);
+	goto out;
+    }			
+
+    signer_info->signedAttrs = NULL;
+    signer_info->unsignedAttrs = NULL;
+
+
+    ret = copy_AlgorithmIdentifier(&digest, &signer_info->digestAlgorithm);
+    if (ret) {
+	hx509_clear_error_string(context);
+	goto out;
+    }
+
+    /*
+     * If it isn't pkcs7-data send signedAttributes
+     */
+
+    if (der_heim_oid_cmp(eContentType, oid_id_pkcs7_data()) != 0) {
+	CMSAttributes sa;	
+	heim_octet_string sig;
+
+	ALLOC(signer_info->signedAttrs, 1);
+	if (signer_info->signedAttrs == NULL) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+
+	ret = _hx509_create_signature(context,
+				      NULL,
+				      &digest,
+				      &content,
+				      NULL,
+				      &sig);
+	if (ret)
+	    goto out;
+
+	ASN1_MALLOC_ENCODE(MessageDigest,
+			   buf.data,
+			   buf.length,
+			   &sig,
+			   &size,
+			   ret);
+	der_free_octet_string(&sig);
+	if (ret) {
+	    hx509_clear_error_string(context);
+	    goto out;
+	}
+	if (size != buf.length)
+	    _hx509_abort("internal ASN.1 encoder error");
+
+	ret = add_one_attribute(&signer_info->signedAttrs->val,
+				&signer_info->signedAttrs->len,
+				oid_id_pkcs9_messageDigest(),
+				&buf);
+	if (ret) {
+	    hx509_clear_error_string(context);
+	    goto out;
+	}
+
+
+	ASN1_MALLOC_ENCODE(ContentType,
+			   buf.data,
+			   buf.length,
+			   eContentType,
+			   &size,
+			   ret);
+	if (ret)
+	    goto out;
+	if (size != buf.length)
+	    _hx509_abort("internal ASN.1 encoder error");
+
+	ret = add_one_attribute(&signer_info->signedAttrs->val,
+				&signer_info->signedAttrs->len,
+				oid_id_pkcs9_contentType(),
+				&buf);
+	if (ret) {
+	    hx509_clear_error_string(context);
+	    goto out;
+	}
+
+	sa.val = signer_info->signedAttrs->val;
+	sa.len = signer_info->signedAttrs->len;
+	
+	ASN1_MALLOC_ENCODE(CMSAttributes,
+			   sigdata.data,
+			   sigdata.length,
+			   &sa,
+			   &size,
+			   ret);
+	if (ret) {
+	    hx509_clear_error_string(context);
+	    goto out;
+	}
+	if (size != sigdata.length)
+	    _hx509_abort("internal ASN.1 encoder error");
+    } else {
+	sigdata.data = content.data;
+	sigdata.length = content.length;
+    }
+
+
+    {
+	AlgorithmIdentifier sigalg;
+
+	ret = hx509_crypto_select(context, HX509_SELECT_PUBLIC_SIG,
+				  _hx509_cert_private_key(cert), peer,
+				  &sigalg);
+	if (ret)
+	    goto out;
+
+	ret = _hx509_create_signature(context,
+				      _hx509_cert_private_key(cert),
+				      &sigalg,
+				      &sigdata,
+				      &signer_info->signatureAlgorithm,
+				      &signer_info->signature);
+	free_AlgorithmIdentifier(&sigalg);
+	if (ret)
+	    goto out;
+    }
+
+    ALLOC_SEQ(&sd.digestAlgorithms, 1);
+    if (sd.digestAlgorithms.val == NULL) {
+	ret = ENOMEM;
+	hx509_clear_error_string(context);
+	goto out;
+    }
+
+    ret = copy_AlgorithmIdentifier(&digest, &sd.digestAlgorithms.val[0]);
+    if (ret) {
+	hx509_clear_error_string(context);
+	goto out;
+    }
+
+    /*
+     * Provide best effort path
+     */
+    if (pool) {
+	_hx509_calculate_path(context,
+			      HX509_CALCULATE_PATH_NO_ANCHOR,			      
+			      time(NULL),
+			      anchors,
+			      0,
+			      cert,
+			      pool,
+			      &path);
+    } else
+	_hx509_path_append(context, &path, cert);
+
+
+    if (path.len) {
+	int i;
+
+	ALLOC(sd.certificates, 1);
+	if (sd.certificates == NULL) {
+	    hx509_clear_error_string(context);
+	    ret = ENOMEM;
+	    goto out;
+	}
+	ALLOC_SEQ(sd.certificates, path.len);
+	if (sd.certificates->val == NULL) {
+	    hx509_clear_error_string(context);
+	    ret = ENOMEM;
+	    goto out;
+	}
+
+	for (i = 0; i < path.len; i++) {
+	    ret = hx509_cert_binary(context, path.val[i],
+				    &sd.certificates->val[i]);
+	    if (ret) {
+		hx509_clear_error_string(context);
+		goto out;
+	    }
+	}
+    }
+
+    ASN1_MALLOC_ENCODE(SignedData,
+		       signed_data->data, signed_data->length,
+		       &sd, &size, ret);
+    if (ret) {
+	hx509_clear_error_string(context);
+	goto out;
+    }
+    if (signed_data->length != size)
+	_hx509_abort("internal ASN.1 encoder error");
+
+out:
+    if (sigdata.data != content.data)
+	der_free_octet_string(&sigdata);
+    free_AlgorithmIdentifier(&digest);
+    _hx509_path_free(&path);
+    free_SignedData(&sd);
+
+    return ret;
+}
+
+int
+hx509_cms_decrypt_encrypted(hx509_context context,
+			    hx509_lock lock,
+			    const void *data,
+			    size_t length,
+			    heim_oid *contentType,
+			    heim_octet_string *content)
+{
+    heim_octet_string cont;
+    CMSEncryptedData ed;
+    AlgorithmIdentifier *ai;
+    int ret;
+
+    memset(content, 0, sizeof(*content));
+    memset(&cont, 0, sizeof(cont));
+
+    ret = decode_CMSEncryptedData(data, length, &ed, NULL);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret,
+			       "Failed to decode CMSEncryptedData");
+	return ret;
+    }
+
+    if (ed.encryptedContentInfo.encryptedContent == NULL) {
+	ret = HX509_CMS_NO_DATA_AVAILABLE;
+	hx509_set_error_string(context, 0, ret,
+			       "No content in EncryptedData");
+	goto out;
+    }
+
+    ret = der_copy_oid(&ed.encryptedContentInfo.contentType, contentType);
+    if (ret) {
+	hx509_clear_error_string(context);
+	goto out;
+    }
+
+    ai = &ed.encryptedContentInfo.contentEncryptionAlgorithm;
+    if (ai->parameters == NULL) {
+	ret = HX509_ALG_NOT_SUPP;
+	hx509_clear_error_string(context);
+	goto out;
+    }
+
+    ret = _hx509_pbe_decrypt(context,
+			     lock,
+			     ai,
+			     ed.encryptedContentInfo.encryptedContent,
+			     &cont);
+    if (ret)
+	goto out;
+
+    *content = cont;
+
+out:
+    if (ret) {
+	if (cont.data)
+	    free(cont.data);
+    }
+    free_CMSEncryptedData(&ed);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/hx509/collector.c b/crypto/heimdal/lib/hx509/collector.c
new file mode 100644
index 0000000..8b6ffcb
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/collector.c
@@ -0,0 +1,329 @@
+/*
+ * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hx_locl.h"
+RCSID("$Id: collector.c 20778 2007-06-01 22:04:13Z lha $");
+
+struct private_key {
+    AlgorithmIdentifier alg;
+    hx509_private_key private_key;
+    heim_octet_string localKeyId;
+};
+
+struct hx509_collector {
+    hx509_lock lock;
+    hx509_certs unenvelop_certs;
+    hx509_certs certs;
+    struct {
+	struct private_key **data;
+	size_t len;
+    } val;
+};
+
+
+int
+_hx509_collector_alloc(hx509_context context, hx509_lock lock, struct hx509_collector **collector)
+{
+    struct hx509_collector *c;
+    int ret;
+
+    *collector = NULL;
+
+    c = calloc(1, sizeof(*c));
+    if (c == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+    c->lock = lock;
+
+    ret = hx509_certs_init(context, "MEMORY:collector-unenvelop-cert",
+			   0,NULL, &c->unenvelop_certs);
+    if (ret) {
+	free(c);
+	return ret;
+    }
+    c->val.data = NULL;
+    c->val.len = 0;
+    ret = hx509_certs_init(context, "MEMORY:collector-tmp-store",
+			   0, NULL, &c->certs);
+    if (ret) {
+	hx509_certs_free(&c->unenvelop_certs);
+	free(c);
+	return ret;
+    }
+
+    *collector = c;
+    return 0;
+}
+
+hx509_lock
+_hx509_collector_get_lock(struct hx509_collector *c)
+{
+    return c->lock;
+}
+
+
+int
+_hx509_collector_certs_add(hx509_context context,
+			   struct hx509_collector *c,
+			   hx509_cert cert)
+{
+    return hx509_certs_add(context, c->certs, cert);
+}
+
+static void
+free_private_key(struct private_key *key)
+{
+    free_AlgorithmIdentifier(&key->alg);
+    if (key->private_key)
+	_hx509_private_key_free(&key->private_key);
+    der_free_octet_string(&key->localKeyId);
+    free(key);
+}
+
+int
+_hx509_collector_private_key_add(hx509_context context,
+				 struct hx509_collector *c, 
+				 const AlgorithmIdentifier *alg,
+				 hx509_private_key private_key,
+				 const heim_octet_string *key_data,
+				 const heim_octet_string *localKeyId)
+{
+    struct private_key *key;
+    void *d;
+    int ret;
+
+    key = calloc(1, sizeof(*key));
+    if (key == NULL)
+	return ENOMEM;
+
+    d = realloc(c->val.data, (c->val.len + 1) * sizeof(c->val.data[0]));
+    if (d == NULL) {
+	free(key);
+	hx509_set_error_string(context, 0, ENOMEM, "Out of memory");
+	return ENOMEM;
+    }
+    c->val.data = d;
+	
+    ret = copy_AlgorithmIdentifier(alg, &key->alg);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret, "Failed to copy "
+			       "AlgorithmIdentifier");
+	goto out;
+    }
+    if (private_key) {
+	key->private_key = private_key;
+    } else {
+	ret = _hx509_parse_private_key(context, &alg->algorithm,
+				       key_data->data, key_data->length,
+				       &key->private_key);
+	if (ret)
+	    goto out;
+    }
+    if (localKeyId) {
+	ret = der_copy_octet_string(localKeyId, &key->localKeyId);
+	if (ret) {
+	    hx509_set_error_string(context, 0, ret, 
+				   "Failed to copy localKeyId");
+	    goto out;
+	}
+    } else
+	memset(&key->localKeyId, 0, sizeof(key->localKeyId));
+
+    c->val.data[c->val.len] = key;
+    c->val.len++;
+
+out:
+    if (ret)
+	free_private_key(key);
+
+    return ret;
+}
+
+static int
+match_localkeyid(hx509_context context,
+		 struct private_key *value,
+		 hx509_certs certs)
+{
+    hx509_cert cert;
+    hx509_query q;
+    int ret;
+
+    if (value->localKeyId.length == 0) {
+	hx509_set_error_string(context, 0, HX509_LOCAL_ATTRIBUTE_MISSING,
+			       "No local key attribute on private key");
+	return HX509_LOCAL_ATTRIBUTE_MISSING;
+    }
+
+    _hx509_query_clear(&q);
+    q.match |= HX509_QUERY_MATCH_LOCAL_KEY_ID;
+    
+    q.local_key_id = &value->localKeyId;
+    
+    ret = hx509_certs_find(context, certs, &q, &cert);
+    if (ret == 0) {
+	
+	if (value->private_key)
+	    _hx509_cert_assign_key(cert, value->private_key);
+	hx509_cert_free(cert);
+    }
+    return ret;
+}
+
+static int
+match_keys(hx509_context context, struct private_key *value, hx509_certs certs)
+{
+    hx509_cursor cursor;
+    hx509_cert c;
+    int ret, found = HX509_CERT_NOT_FOUND;
+
+    if (value->private_key == NULL) {
+	hx509_set_error_string(context, 0, HX509_PRIVATE_KEY_MISSING, 
+			       "No private key to compare with");
+	return HX509_PRIVATE_KEY_MISSING;
+    }
+
+    ret = hx509_certs_start_seq(context, certs, &cursor);
+    if (ret)
+	return ret;
+
+    c = NULL;
+    while (1) {
+	ret = hx509_certs_next_cert(context, certs, cursor, &c);
+	if (ret)
+	    break;
+	if (c == NULL)
+	    break;
+	if (_hx509_cert_private_key(c)) {
+	    hx509_cert_free(c);
+	    continue;
+	}
+
+	ret = _hx509_match_keys(c, value->private_key);
+	if (ret) {
+	    _hx509_cert_assign_key(c, value->private_key);
+	    hx509_cert_free(c);
+	    found = 0;
+	    break;
+	}
+	hx509_cert_free(c);
+    }
+
+    hx509_certs_end_seq(context, certs, cursor);
+
+    if (found)
+	hx509_clear_error_string(context);
+
+    return found;
+}
+
+int
+_hx509_collector_collect_certs(hx509_context context, 
+			       struct hx509_collector *c,
+			       hx509_certs *ret_certs)
+{
+    hx509_certs certs;
+    int ret, i;
+
+    *ret_certs = NULL;
+
+    ret = hx509_certs_init(context, "MEMORY:collector-store", 0, NULL, &certs);
+    if (ret)
+	return ret;
+
+    ret = hx509_certs_merge(context, certs, c->certs);
+    if (ret) {
+	hx509_certs_free(&certs);
+	return ret;
+    }
+
+    for (i = 0; i < c->val.len; i++) {
+	ret = match_localkeyid(context, c->val.data[i], certs);
+	if (ret == 0)
+	    continue;
+	ret = match_keys(context, c->val.data[i], certs);
+	if (ret == 0)
+	    continue;
+    }
+
+    *ret_certs = certs;
+
+    return 0;
+}
+
+int
+_hx509_collector_collect_private_keys(hx509_context context, 
+				      struct hx509_collector *c,
+				      hx509_private_key **keys)
+{
+    int i, nkeys;
+
+    *keys = NULL;
+
+    for (i = 0, nkeys = 0; i < c->val.len; i++)
+	if (c->val.data[i]->private_key)
+	    nkeys++;
+
+    *keys = calloc(nkeys + 1, sizeof(**keys));
+    if (*keys == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "malloc - out of memory");
+	return ENOMEM;
+    }
+
+    for (i = 0, nkeys = 0; i < c->val.len; i++) {
+ 	if (c->val.data[i]->private_key) {
+	    (*keys)[nkeys++] = c->val.data[i]->private_key;
+	    c->val.data[i]->private_key = NULL;
+	}
+    }
+    (*keys)[nkeys++] = NULL;
+
+    return 0;
+}
+
+
+void
+_hx509_collector_free(struct hx509_collector *c)
+{
+    int i;
+
+    if (c->unenvelop_certs)
+	hx509_certs_free(&c->unenvelop_certs);
+    if (c->certs)
+	hx509_certs_free(&c->certs);
+    for (i = 0; i < c->val.len; i++)
+	free_private_key(c->val.data[i]);
+    if (c->val.data)
+	free(c->val.data);
+    free(c);
+}
diff --git a/crypto/heimdal/lib/hx509/crmf.asn1 b/crypto/heimdal/lib/hx509/crmf.asn1
new file mode 100644
index 0000000..97ade26
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/crmf.asn1
@@ -0,0 +1,113 @@
+-- $Id: crmf.asn1 17102 2006-04-18 13:05:21Z lha $
+PKCS10 DEFINITIONS ::=
+
+BEGIN
+
+IMPORTS
+	Time,
+	GeneralName,
+	SubjectPublicKeyInfo,
+	RelativeDistinguishedName,
+	AttributeTypeAndValue,
+	Extension,
+	AlgorithmIdentifier
+	FROM rfc2459
+	heim_any
+	FROM heim;
+
+CRMFRDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+
+Controls  ::= SEQUENCE -- SIZE(1..MAX) -- OF AttributeTypeAndValue
+
+-- XXX IMPLICIT brokenness
+POPOSigningKey ::= SEQUENCE {
+	poposkInput           [0] IMPLICIT POPOSigningKeyInput OPTIONAL,
+	algorithmIdentifier   AlgorithmIdentifier,
+	signature             BIT STRING }
+
+PKMACValue ::= SEQUENCE {
+	algId  AlgorithmIdentifier,
+	value  BIT STRING
+}
+
+-- XXX IMPLICIT brokenness
+POPOSigningKeyInput ::= SEQUENCE {
+	authInfo            CHOICE {
+		sender              [0] IMPLICIT GeneralName,
+		publicKeyMAC        PKMACValue
+	},
+	publicKey           SubjectPublicKeyInfo
+}  -- from CertTemplate
+
+
+PBMParameter ::= SEQUENCE {
+   salt                OCTET STRING,
+   owf                 AlgorithmIdentifier,
+   iterationCount      INTEGER,
+   mac                 AlgorithmIdentifier
+}
+
+SubsequentMessage ::= INTEGER {
+	encrCert (0),
+	challengeResp (1)
+}
+
+-- XXX IMPLICIT brokenness
+POPOPrivKey ::= CHOICE {
+	thisMessage       [0] BIT STRING,         -- Deprecated
+	subsequentMessage [1] IMPLICIT SubsequentMessage,
+	dhMAC             [2] BIT STRING,         -- Deprecated
+	agreeMAC          [3] IMPLICIT PKMACValue,
+	encryptedKey      [4] heim_any
+}
+
+-- XXX IMPLICIT brokenness
+ProofOfPossession ::= CHOICE {
+	raVerified        [0] NULL,
+	signature         [1] POPOSigningKey,
+	keyEncipherment   [2] POPOPrivKey,
+	keyAgreement      [3] POPOPrivKey
+}
+
+CertTemplate ::= SEQUENCE {
+	version      [0] INTEGER OPTIONAL,
+	serialNumber [1] INTEGER OPTIONAL,
+	signingAlg   [2] SEQUENCE {
+		algorithm	OBJECT IDENTIFIER,
+		parameters	heim_any OPTIONAL
+	} -- AlgorithmIdentifier --   OPTIONAL,
+	issuer       [3] IMPLICIT CHOICE {
+		rdnSequence  CRMFRDNSequence
+	} -- Name --  OPTIONAL,
+	validity     [4] SEQUENCE {
+		notBefore  [0] Time OPTIONAL,
+		notAfter   [1] Time OPTIONAL
+	} -- OptionalValidity -- OPTIONAL,
+	subject      [5] IMPLICIT CHOICE {
+		rdnSequence  CRMFRDNSequence
+	} -- Name -- OPTIONAL,
+	publicKey    [6] IMPLICIT SEQUENCE  {
+		algorithm            AlgorithmIdentifier,
+		subjectPublicKey     BIT STRING OPTIONAL
+	} -- SubjectPublicKeyInfo -- OPTIONAL,
+	issuerUID    [7] IMPLICIT BIT STRING OPTIONAL,
+	subjectUID   [8] IMPLICIT BIT STRING OPTIONAL,
+	extensions   [9] IMPLICIT SEQUENCE OF Extension OPTIONAL
+}
+
+CertRequest ::= SEQUENCE {
+	certReqId	INTEGER,
+	certTemplate	CertTemplate,
+	controls	Controls OPTIONAL
+}
+
+CertReqMsg ::= SEQUENCE {
+	certReq		CertRequest,
+	popo		ProofOfPossession  OPTIONAL,
+	regInfo		SEQUENCE OF AttributeTypeAndValue OPTIONAL }
+
+CertReqMessages ::= SEQUENCE OF CertReqMsg
+
+
+END
+
diff --git a/crypto/heimdal/lib/hx509/crypto.c b/crypto/heimdal/lib/hx509/crypto.c
new file mode 100644
index 0000000..e0f00ad
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/crypto.c
@@ -0,0 +1,2706 @@
+/*
+ * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hx_locl.h"
+RCSID("$Id: crypto.c 22435 2008-01-14 20:53:56Z lha $");
+
+struct hx509_crypto;
+
+struct signature_alg;
+
+enum crypto_op_type {
+    COT_SIGN
+};
+
+struct hx509_generate_private_context {
+    const heim_oid *key_oid;
+    int isCA;
+    unsigned long num_bits;
+};
+
+struct hx509_private_key_ops {
+    const char *pemtype;
+    const heim_oid *(*key_oid)(void);
+    int (*get_spki)(hx509_context,
+		    const hx509_private_key,
+		    SubjectPublicKeyInfo *);
+    int (*export)(hx509_context context,
+		  const hx509_private_key,
+		  heim_octet_string *);
+    int (*import)(hx509_context,
+		  const void *data,
+		  size_t len,
+		  hx509_private_key private_key);
+    int (*generate_private_key)(hx509_context,
+				struct hx509_generate_private_context *,
+				hx509_private_key);
+    BIGNUM *(*get_internal)(hx509_context, hx509_private_key, const char *);
+    int (*handle_alg)(const hx509_private_key,
+		      const AlgorithmIdentifier *,
+		      enum crypto_op_type);
+    int (*sign)(hx509_context context,
+		const hx509_private_key,
+		const AlgorithmIdentifier *,
+		const heim_octet_string *,
+		AlgorithmIdentifier *,
+		heim_octet_string *);
+#if 0
+    const AlgorithmIdentifier *(*preferred_sig_alg)
+	(const hx509_private_key,
+	 const hx509_peer_info);
+    int (*unwrap)(hx509_context context,
+		  const hx509_private_key,
+		  const AlgorithmIdentifier *,
+		  const heim_octet_string *,
+		  heim_octet_string *);
+#endif
+};
+
+struct hx509_private_key {
+    unsigned int ref;
+    const struct signature_alg *md;
+    const heim_oid *signature_alg;
+    union {
+	RSA *rsa;
+	void *keydata;
+    } private_key;
+    /* new crypto layer */
+    hx509_private_key_ops *ops;
+};
+
+/*
+ *
+ */
+
+struct signature_alg {
+    const char *name;
+    const heim_oid *(*sig_oid)(void);
+    const AlgorithmIdentifier *(*sig_alg)(void);
+    const heim_oid *(*key_oid)(void);
+    const heim_oid *(*digest_oid)(void);
+    int flags;
+#define PROVIDE_CONF 1
+#define REQUIRE_SIGNER 2
+
+#define SIG_DIGEST	0x100
+#define SIG_PUBLIC_SIG	0x200
+#define SIG_SECRET	0x400
+
+#define RA_RSA_USES_DIGEST_INFO 0x1000000
+
+
+    int (*verify_signature)(hx509_context context,
+			    const struct signature_alg *,
+			    const Certificate *,
+			    const AlgorithmIdentifier *,
+			    const heim_octet_string *,
+			    const heim_octet_string *);
+    int (*create_signature)(hx509_context,
+			    const struct signature_alg *,
+			    const hx509_private_key,
+			    const AlgorithmIdentifier *,
+			    const heim_octet_string *,
+			    AlgorithmIdentifier *,
+			    heim_octet_string *);
+};
+
+/*
+ *
+ */
+
+static BIGNUM *
+heim_int2BN(const heim_integer *i)
+{
+    BIGNUM *bn;
+
+    bn = BN_bin2bn(i->data, i->length, NULL);
+    BN_set_negative(bn, i->negative);
+    return bn;
+}
+
+/*
+ *
+ */
+
+static int
+set_digest_alg(DigestAlgorithmIdentifier *id,
+	       const heim_oid *oid,
+	       const void *param, size_t length)
+{
+    int ret;
+    if (param) {
+	id->parameters = malloc(sizeof(*id->parameters));
+	if (id->parameters == NULL)
+	    return ENOMEM;
+	id->parameters->data = malloc(length);
+	if (id->parameters->data == NULL) {
+	    free(id->parameters);
+	    id->parameters = NULL;
+	    return ENOMEM;
+	}
+	memcpy(id->parameters->data, param, length);
+	id->parameters->length = length;
+    } else
+	id->parameters = NULL;
+    ret = der_copy_oid(oid, &id->algorithm);
+    if (ret) {
+	if (id->parameters) {
+	    free(id->parameters->data);
+	    free(id->parameters);
+	    id->parameters = NULL;
+	}
+	return ret;
+    }
+    return 0;
+}
+
+/*
+ *
+ */
+
+static int
+rsa_verify_signature(hx509_context context,
+		     const struct signature_alg *sig_alg,
+		     const Certificate *signer,
+		     const AlgorithmIdentifier *alg,
+		     const heim_octet_string *data,
+		     const heim_octet_string *sig)
+{
+    const SubjectPublicKeyInfo *spi;
+    DigestInfo di;
+    unsigned char *to;
+    int tosize, retsize;
+    int ret;
+    RSA *rsa;
+    RSAPublicKey pk;
+    size_t size;
+
+    memset(&di, 0, sizeof(di));
+
+    spi = &signer->tbsCertificate.subjectPublicKeyInfo;
+
+    rsa = RSA_new();
+    if (rsa == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+    ret = decode_RSAPublicKey(spi->subjectPublicKey.data,
+			      spi->subjectPublicKey.length / 8,
+			      &pk, &size);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret, "Failed to decode RSAPublicKey");
+	goto out;
+    }
+
+    rsa->n = heim_int2BN(&pk.modulus);
+    rsa->e = heim_int2BN(&pk.publicExponent);
+
+    free_RSAPublicKey(&pk);
+
+    if (rsa->n == NULL || rsa->e == NULL) {
+	ret = ENOMEM;
+	hx509_set_error_string(context, 0, ret, "out of memory");
+	goto out;
+    }
+
+    tosize = RSA_size(rsa);
+    to = malloc(tosize);
+    if (to == NULL) {
+	ret = ENOMEM;
+	hx509_set_error_string(context, 0, ret, "out of memory");
+	goto out;
+    }
+
+    retsize = RSA_public_decrypt(sig->length, (unsigned char *)sig->data, 
+				 to, rsa, RSA_PKCS1_PADDING);
+    if (retsize <= 0) {
+	ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
+	hx509_set_error_string(context, 0, ret, 
+			       "RSA public decrypt failed: %d", retsize);
+	free(to);
+	goto out;
+    }
+    if (retsize > tosize)
+	_hx509_abort("internal rsa decryption failure: ret > tosize");
+
+    if (sig_alg->flags & RA_RSA_USES_DIGEST_INFO) {
+
+	ret = decode_DigestInfo(to, retsize, &di, &size);
+	free(to);
+	if (ret) {
+	    goto out;
+	}
+	
+	/* Check for extra data inside the sigature */
+	if (size != retsize) {
+	    ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
+	    hx509_set_error_string(context, 0, ret, "size from decryption mismatch");
+	    goto out;
+	}
+	
+	if (sig_alg->digest_oid &&
+	    der_heim_oid_cmp(&di.digestAlgorithm.algorithm, 
+			     (*sig_alg->digest_oid)()) != 0) 
+	{
+	    ret = HX509_CRYPTO_OID_MISMATCH;
+	    hx509_set_error_string(context, 0, ret, "object identifier in RSA sig mismatch");
+	    goto out;
+	}
+	
+	/* verify that the parameters are NULL or the NULL-type */
+	if (di.digestAlgorithm.parameters != NULL &&
+	    (di.digestAlgorithm.parameters->length != 2 ||
+	     memcmp(di.digestAlgorithm.parameters->data, "\x05\x00", 2) != 0))
+	{
+	    ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
+	    hx509_set_error_string(context, 0, ret, "Extra parameters inside RSA signature");
+	    goto out;
+	}
+
+	ret = _hx509_verify_signature(context,
+				      NULL,
+				      &di.digestAlgorithm,
+				      data,
+				      &di.digest);
+    } else {
+	if (retsize != data->length ||
+	    memcmp(to, data->data, retsize) != 0)
+	{
+	    ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
+	    hx509_set_error_string(context, 0, ret, "RSA Signature incorrect");
+	    goto out;
+	}
+	free(to);
+    }
+
+ out:
+    free_DigestInfo(&di);
+    RSA_free(rsa);
+    return ret;
+}
+
+static int
+rsa_create_signature(hx509_context context,
+		     const struct signature_alg *sig_alg,
+		     const hx509_private_key signer,
+		     const AlgorithmIdentifier *alg,
+		     const heim_octet_string *data,
+		     AlgorithmIdentifier *signatureAlgorithm,
+		     heim_octet_string *sig)
+{
+    const AlgorithmIdentifier *digest_alg;
+    heim_octet_string indata;
+    const heim_oid *sig_oid;
+    size_t size;
+    int ret;
+    
+    if (alg)
+	sig_oid = &alg->algorithm;
+    else
+	sig_oid = signer->signature_alg;
+
+    if (der_heim_oid_cmp(sig_oid, oid_id_pkcs1_sha256WithRSAEncryption()) == 0) {
+	digest_alg = hx509_signature_sha256();
+    } else if (der_heim_oid_cmp(sig_oid, oid_id_pkcs1_sha1WithRSAEncryption()) == 0) {
+	digest_alg = hx509_signature_sha1();
+    } else if (der_heim_oid_cmp(sig_oid, oid_id_pkcs1_md5WithRSAEncryption()) == 0) {
+	digest_alg = hx509_signature_md5();
+    } else if (der_heim_oid_cmp(sig_oid, oid_id_pkcs1_md5WithRSAEncryption()) == 0) {
+	digest_alg = hx509_signature_md5();
+    } else if (der_heim_oid_cmp(sig_oid, oid_id_dsa_with_sha1()) == 0) {
+	digest_alg = hx509_signature_sha1();
+    } else if (der_heim_oid_cmp(sig_oid, oid_id_pkcs1_rsaEncryption()) == 0) {
+	digest_alg = hx509_signature_sha1();
+    } else if (der_heim_oid_cmp(sig_oid, oid_id_heim_rsa_pkcs1_x509()) == 0) {
+	digest_alg = NULL;
+    } else
+	return HX509_ALG_NOT_SUPP;
+
+    if (signatureAlgorithm) {
+	ret = set_digest_alg(signatureAlgorithm, sig_oid, "\x05\x00", 2);
+	if (ret) {
+	    hx509_clear_error_string(context);
+	    return ret;
+	}
+    }
+
+    if (digest_alg) {
+	DigestInfo di;
+	memset(&di, 0, sizeof(di));
+
+	ret = _hx509_create_signature(context,
+				      NULL,
+				      digest_alg,
+				      data,
+				      &di.digestAlgorithm,
+				      &di.digest);
+	if (ret)
+	    return ret;
+	ASN1_MALLOC_ENCODE(DigestInfo,
+			   indata.data,
+			   indata.length,
+			   &di,
+			   &size,
+			   ret);
+	free_DigestInfo(&di);
+	if (ret) {
+	    hx509_set_error_string(context, 0, ret, "out of memory");
+	    return ret;
+	}
+	if (indata.length != size)
+	    _hx509_abort("internal ASN.1 encoder error");
+    } else {
+	indata = *data;
+    }
+
+    sig->length = RSA_size(signer->private_key.rsa);
+    sig->data = malloc(sig->length);
+    if (sig->data == NULL) {
+	der_free_octet_string(&indata);
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+
+    ret = RSA_private_encrypt(indata.length, indata.data, 
+			      sig->data, 
+			      signer->private_key.rsa,
+			      RSA_PKCS1_PADDING);
+    if (indata.data != data->data)
+	der_free_octet_string(&indata);
+    if (ret <= 0) {
+	ret = HX509_CMS_FAILED_CREATE_SIGATURE;
+	hx509_set_error_string(context, 0, ret,
+			       "RSA private decrypt failed: %d", ret);
+	return ret;
+    }
+    if (ret > sig->length)
+	_hx509_abort("RSA signature prelen longer the output len");
+
+    sig->length = ret;
+    
+    return 0;
+}
+
+static int
+rsa_private_key_import(hx509_context context,
+		       const void *data,
+		       size_t len,
+		       hx509_private_key private_key)
+{
+    const unsigned char *p = data;
+
+    private_key->private_key.rsa = 
+	d2i_RSAPrivateKey(NULL, &p, len);
+    if (private_key->private_key.rsa == NULL) {
+	hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
+			       "Failed to parse RSA key");
+	return HX509_PARSING_KEY_FAILED;
+    }
+    private_key->signature_alg = oid_id_pkcs1_sha1WithRSAEncryption();
+
+    return 0;
+}
+
+static int
+rsa_private_key2SPKI(hx509_context context,
+		     hx509_private_key private_key,
+		     SubjectPublicKeyInfo *spki)
+{
+    int len, ret;
+
+    memset(spki, 0, sizeof(*spki));
+
+    len = i2d_RSAPublicKey(private_key->private_key.rsa, NULL);
+
+    spki->subjectPublicKey.data = malloc(len);
+    if (spki->subjectPublicKey.data == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "malloc - out of memory");
+	return ENOMEM;
+    }
+    spki->subjectPublicKey.length = len * 8;
+
+    ret = set_digest_alg(&spki->algorithm,oid_id_pkcs1_rsaEncryption(), 
+			 "\x05\x00", 2);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret, "malloc - out of memory");
+	free(spki->subjectPublicKey.data);
+	spki->subjectPublicKey.data = NULL;
+	spki->subjectPublicKey.length = 0;
+	return ret;
+    }
+
+    {
+	unsigned char *pp = spki->subjectPublicKey.data;
+	i2d_RSAPublicKey(private_key->private_key.rsa, &pp);
+    }
+
+    return 0;
+}
+
+static int
+rsa_generate_private_key(hx509_context context, 
+			 struct hx509_generate_private_context *ctx,
+			 hx509_private_key private_key)
+{
+    BIGNUM *e;
+    int ret;
+    unsigned long bits;
+
+    static const int default_rsa_e = 65537;
+    static const int default_rsa_bits = 1024;
+
+    private_key->private_key.rsa = RSA_new();
+    if (private_key->private_key.rsa == NULL) {
+	hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
+			       "Failed to generate RSA key");
+	return HX509_PARSING_KEY_FAILED;
+    }
+    
+    e = BN_new();
+    BN_set_word(e, default_rsa_e);
+
+    bits = default_rsa_bits;
+
+    if (ctx->num_bits)
+	bits = ctx->num_bits;
+    else if (ctx->isCA)
+	bits *= 2;
+
+    ret = RSA_generate_key_ex(private_key->private_key.rsa, bits, e, NULL);
+    BN_free(e);
+    if (ret != 1) {
+	hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
+			       "Failed to generate RSA key");
+	return HX509_PARSING_KEY_FAILED;
+    }
+    private_key->signature_alg = oid_id_pkcs1_sha1WithRSAEncryption();
+
+    return 0;
+}
+
+static int 
+rsa_private_key_export(hx509_context context,
+		       const hx509_private_key key,
+		       heim_octet_string *data)
+{
+    int ret;
+
+    data->data = NULL;
+    data->length = 0;
+
+    ret = i2d_RSAPrivateKey(key->private_key.rsa, NULL);
+    if (ret <= 0) {
+	ret = EINVAL;
+	hx509_set_error_string(context, 0, ret,
+			       "Private key is not exportable");
+	return ret;
+    }
+
+    data->data = malloc(ret);
+    if (data->data == NULL) {
+	ret = ENOMEM;
+	hx509_set_error_string(context, 0, ret, "malloc out of memory");
+	return ret;
+    }
+    data->length = ret;
+    
+    {
+	unsigned char *p = data->data;
+	i2d_RSAPrivateKey(key->private_key.rsa, &p);
+    }
+
+    return 0;
+}
+
+static BIGNUM *
+rsa_get_internal(hx509_context context, hx509_private_key key, const char *type)
+{
+    if (strcasecmp(type, "rsa-modulus") == 0) {
+	return BN_dup(key->private_key.rsa->n);
+    } else if (strcasecmp(type, "rsa-exponent") == 0) {
+	return BN_dup(key->private_key.rsa->e);
+    } else
+	return NULL;
+}
+
+
+
+static hx509_private_key_ops rsa_private_key_ops = {
+    "RSA PRIVATE KEY",
+    oid_id_pkcs1_rsaEncryption,
+    rsa_private_key2SPKI,
+    rsa_private_key_export,
+    rsa_private_key_import,
+    rsa_generate_private_key,
+    rsa_get_internal
+};
+
+
+/*
+ *
+ */
+
+static int
+dsa_verify_signature(hx509_context context,
+		     const struct signature_alg *sig_alg,
+		     const Certificate *signer,
+		     const AlgorithmIdentifier *alg,
+		     const heim_octet_string *data,
+		     const heim_octet_string *sig)
+{
+    const SubjectPublicKeyInfo *spi;
+    DSAPublicKey pk;
+    DSAParams param;
+    size_t size;
+    DSA *dsa;
+    int ret;
+
+    spi = &signer->tbsCertificate.subjectPublicKeyInfo;
+
+    dsa = DSA_new();
+    if (dsa == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+
+    ret = decode_DSAPublicKey(spi->subjectPublicKey.data,
+			      spi->subjectPublicKey.length / 8,
+			      &pk, &size);
+    if (ret)
+	goto out;
+
+    dsa->pub_key = heim_int2BN(&pk);
+
+    free_DSAPublicKey(&pk);
+
+    if (dsa->pub_key == NULL) {
+	ret = ENOMEM;
+	hx509_set_error_string(context, 0, ret, "out of memory");
+	goto out;
+    }
+
+    if (spi->algorithm.parameters == NULL) {
+	ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
+	hx509_set_error_string(context, 0, ret, "DSA parameters missing");
+	goto out;
+    }
+
+    ret = decode_DSAParams(spi->algorithm.parameters->data,
+			   spi->algorithm.parameters->length,
+			   &param,
+			   &size);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret, "DSA parameters failed to decode");
+	goto out;
+    }
+
+    dsa->p = heim_int2BN(&param.p);
+    dsa->q = heim_int2BN(&param.q);
+    dsa->g = heim_int2BN(&param.g);
+
+    free_DSAParams(&param);
+
+    if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) {
+	ret = ENOMEM;
+	hx509_set_error_string(context, 0, ret, "out of memory");
+	goto out;
+    }
+
+    ret = DSA_verify(-1, data->data, data->length,
+		     (unsigned char*)sig->data, sig->length,
+		     dsa);
+    if (ret == 1)
+	ret = 0;
+    else if (ret == 0 || ret == -1) {
+	ret = HX509_CRYPTO_BAD_SIGNATURE;
+	hx509_set_error_string(context, 0, ret, "BAD DSA sigature");
+    } else {
+	ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
+	hx509_set_error_string(context, 0, ret, "Invalid format of DSA sigature");
+    }
+
+ out:
+    DSA_free(dsa);
+
+    return ret;
+}
+
+#if 0
+static int
+dsa_parse_private_key(hx509_context context,
+		      const void *data,
+		      size_t len,
+		      hx509_private_key private_key)
+{
+    const unsigned char *p = data;
+
+    private_key->private_key.dsa = 
+	d2i_DSAPrivateKey(NULL, &p, len);
+    if (private_key->private_key.dsa == NULL)
+	return EINVAL;
+    private_key->signature_alg = oid_id_dsa_with_sha1();
+
+    return 0;
+/* else */
+    hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
+			   "No support to parse DSA keys");
+    return HX509_PARSING_KEY_FAILED;
+}
+#endif
+
+
+static int
+sha1_verify_signature(hx509_context context,
+		      const struct signature_alg *sig_alg,
+		      const Certificate *signer,
+		      const AlgorithmIdentifier *alg,
+		      const heim_octet_string *data,
+		      const heim_octet_string *sig)
+{
+    unsigned char digest[SHA_DIGEST_LENGTH];
+    SHA_CTX m;
+    
+    if (sig->length != SHA_DIGEST_LENGTH) {
+	hx509_set_error_string(context, 0, HX509_CRYPTO_SIG_INVALID_FORMAT,
+			       "SHA1 sigature have wrong length");
+	return HX509_CRYPTO_SIG_INVALID_FORMAT;
+    }
+
+    SHA1_Init(&m);
+    SHA1_Update(&m, data->data, data->length);
+    SHA1_Final (digest, &m);
+	
+    if (memcmp(digest, sig->data, SHA_DIGEST_LENGTH) != 0) {
+	hx509_set_error_string(context, 0, HX509_CRYPTO_BAD_SIGNATURE,
+			       "Bad SHA1 sigature");
+	return HX509_CRYPTO_BAD_SIGNATURE;
+    }
+
+    return 0;
+}
+
+static int
+sha256_create_signature(hx509_context context,
+			const struct signature_alg *sig_alg,
+			const hx509_private_key signer,
+			const AlgorithmIdentifier *alg,
+			const heim_octet_string *data,
+			AlgorithmIdentifier *signatureAlgorithm,
+			heim_octet_string *sig)
+{
+    SHA256_CTX m;
+    
+    memset(sig, 0, sizeof(*sig));
+
+    if (signatureAlgorithm) {
+	int ret;
+	ret = set_digest_alg(signatureAlgorithm, (*sig_alg->sig_oid)(),
+			     "\x05\x00", 2);
+	if (ret)
+	    return ret;
+    }
+	    
+
+    sig->data = malloc(SHA256_DIGEST_LENGTH);
+    if (sig->data == NULL) {
+	sig->length = 0;
+	return ENOMEM;
+    }
+    sig->length = SHA256_DIGEST_LENGTH;
+
+    SHA256_Init(&m);
+    SHA256_Update(&m, data->data, data->length);
+    SHA256_Final (sig->data, &m);
+
+    return 0;
+}
+
+static int
+sha256_verify_signature(hx509_context context,
+			const struct signature_alg *sig_alg,
+			const Certificate *signer,
+			const AlgorithmIdentifier *alg,
+			const heim_octet_string *data,
+			const heim_octet_string *sig)
+{
+    unsigned char digest[SHA256_DIGEST_LENGTH];
+    SHA256_CTX m;
+    
+    if (sig->length != SHA256_DIGEST_LENGTH) {
+	hx509_set_error_string(context, 0, HX509_CRYPTO_SIG_INVALID_FORMAT,
+			       "SHA256 sigature have wrong length");
+	return HX509_CRYPTO_SIG_INVALID_FORMAT;
+    }
+
+    SHA256_Init(&m);
+    SHA256_Update(&m, data->data, data->length);
+    SHA256_Final (digest, &m);
+	
+    if (memcmp(digest, sig->data, SHA256_DIGEST_LENGTH) != 0) {
+	hx509_set_error_string(context, 0, HX509_CRYPTO_BAD_SIGNATURE,
+			       "Bad SHA256 sigature");
+	return HX509_CRYPTO_BAD_SIGNATURE;
+    }
+
+    return 0;
+}
+
+static int
+sha1_create_signature(hx509_context context,
+		      const struct signature_alg *sig_alg,
+		      const hx509_private_key signer,
+		      const AlgorithmIdentifier *alg,
+		      const heim_octet_string *data,
+		      AlgorithmIdentifier *signatureAlgorithm,
+		      heim_octet_string *sig)
+{
+    SHA_CTX m;
+    
+    memset(sig, 0, sizeof(*sig));
+
+    if (signatureAlgorithm) {
+	int ret;
+	ret = set_digest_alg(signatureAlgorithm, (*sig_alg->sig_oid)(), 
+			     "\x05\x00", 2);
+	if (ret)
+	    return ret;
+    }
+	    
+
+    sig->data = malloc(SHA_DIGEST_LENGTH);
+    if (sig->data == NULL) {
+	sig->length = 0;
+	return ENOMEM;
+    }
+    sig->length = SHA_DIGEST_LENGTH;
+
+    SHA1_Init(&m);
+    SHA1_Update(&m, data->data, data->length);
+    SHA1_Final (sig->data, &m);
+
+    return 0;
+}
+
+static int
+md5_verify_signature(hx509_context context,
+		     const struct signature_alg *sig_alg,
+		     const Certificate *signer,
+		     const AlgorithmIdentifier *alg,
+		     const heim_octet_string *data,
+		     const heim_octet_string *sig)
+{
+    unsigned char digest[MD5_DIGEST_LENGTH];
+    MD5_CTX m;
+    
+    if (sig->length != MD5_DIGEST_LENGTH) {
+	hx509_set_error_string(context, 0, HX509_CRYPTO_SIG_INVALID_FORMAT,
+			       "MD5 sigature have wrong length");
+	return HX509_CRYPTO_SIG_INVALID_FORMAT;
+    }
+
+    MD5_Init(&m);
+    MD5_Update(&m, data->data, data->length);
+    MD5_Final (digest, &m);
+	
+    if (memcmp(digest, sig->data, MD5_DIGEST_LENGTH) != 0) {
+	hx509_set_error_string(context, 0, HX509_CRYPTO_BAD_SIGNATURE,
+			       "Bad MD5 sigature");
+	return HX509_CRYPTO_BAD_SIGNATURE;
+    }
+
+    return 0;
+}
+
+static int
+md2_verify_signature(hx509_context context,
+		     const struct signature_alg *sig_alg,
+		     const Certificate *signer,
+		     const AlgorithmIdentifier *alg,
+		     const heim_octet_string *data,
+		     const heim_octet_string *sig)
+{
+    unsigned char digest[MD2_DIGEST_LENGTH];
+    MD2_CTX m;
+    
+    if (sig->length != MD2_DIGEST_LENGTH) {
+	hx509_set_error_string(context, 0, HX509_CRYPTO_SIG_INVALID_FORMAT,
+			       "MD2 sigature have wrong length");
+	return HX509_CRYPTO_SIG_INVALID_FORMAT;
+    }
+
+    MD2_Init(&m);
+    MD2_Update(&m, data->data, data->length);
+    MD2_Final (digest, &m);
+	
+    if (memcmp(digest, sig->data, MD2_DIGEST_LENGTH) != 0) {
+	hx509_set_error_string(context, 0, HX509_CRYPTO_BAD_SIGNATURE,
+			       "Bad MD2 sigature");
+	return HX509_CRYPTO_BAD_SIGNATURE;
+    }
+
+    return 0;
+}
+
+static const struct signature_alg heim_rsa_pkcs1_x509 = {
+    "rsa-pkcs1-x509",
+    oid_id_heim_rsa_pkcs1_x509,
+    hx509_signature_rsa_pkcs1_x509,
+    oid_id_pkcs1_rsaEncryption,
+    NULL,
+    PROVIDE_CONF|REQUIRE_SIGNER|SIG_PUBLIC_SIG,
+    rsa_verify_signature,
+    rsa_create_signature
+};
+
+static const struct signature_alg pkcs1_rsa_sha1_alg = {
+    "rsa",
+    oid_id_pkcs1_rsaEncryption,
+    hx509_signature_rsa_with_sha1,
+    oid_id_pkcs1_rsaEncryption,
+    NULL,
+    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
+    rsa_verify_signature,
+    rsa_create_signature
+};
+
+static const struct signature_alg rsa_with_sha256_alg = {
+    "rsa-with-sha256",
+    oid_id_pkcs1_sha256WithRSAEncryption,
+    hx509_signature_rsa_with_sha256,
+    oid_id_pkcs1_rsaEncryption,
+    oid_id_sha256,
+    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
+    rsa_verify_signature,
+    rsa_create_signature
+};
+
+static const struct signature_alg rsa_with_sha1_alg = {
+    "rsa-with-sha1",
+    oid_id_pkcs1_sha1WithRSAEncryption,
+    hx509_signature_rsa_with_sha1,
+    oid_id_pkcs1_rsaEncryption,
+    oid_id_secsig_sha_1,
+    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
+    rsa_verify_signature,
+    rsa_create_signature
+};
+
+static const struct signature_alg rsa_with_md5_alg = {
+    "rsa-with-md5",
+    oid_id_pkcs1_md5WithRSAEncryption,
+    hx509_signature_rsa_with_md5,
+    oid_id_pkcs1_rsaEncryption,
+    oid_id_rsa_digest_md5,
+    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
+    rsa_verify_signature,
+    rsa_create_signature
+};
+
+static const struct signature_alg rsa_with_md2_alg = {
+    "rsa-with-md2",
+    oid_id_pkcs1_md2WithRSAEncryption,
+    hx509_signature_rsa_with_md2,
+    oid_id_pkcs1_rsaEncryption,
+    oid_id_rsa_digest_md2,
+    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
+    rsa_verify_signature,
+    rsa_create_signature
+};
+
+static const struct signature_alg dsa_sha1_alg = {
+    "dsa-with-sha1",
+    oid_id_dsa_with_sha1,
+    NULL,
+    oid_id_dsa, 
+    oid_id_secsig_sha_1,
+    PROVIDE_CONF|REQUIRE_SIGNER|SIG_PUBLIC_SIG,
+    dsa_verify_signature,
+    /* create_signature */ NULL,
+};
+
+static const struct signature_alg sha256_alg = {
+    "sha-256",
+    oid_id_sha256,
+    hx509_signature_sha256,
+    NULL,
+    NULL,
+    SIG_DIGEST,
+    sha256_verify_signature,
+    sha256_create_signature
+};
+
+static const struct signature_alg sha1_alg = {
+    "sha1",
+    oid_id_secsig_sha_1,
+    hx509_signature_sha1,
+    NULL,
+    NULL,
+    SIG_DIGEST,
+    sha1_verify_signature,
+    sha1_create_signature
+};
+
+static const struct signature_alg md5_alg = {
+    "rsa-md5",
+    oid_id_rsa_digest_md5,
+    hx509_signature_md5,
+    NULL,
+    NULL,
+    SIG_DIGEST,
+    md5_verify_signature
+};
+
+static const struct signature_alg md2_alg = {
+    "rsa-md2",
+    oid_id_rsa_digest_md2,
+    hx509_signature_md2,
+    NULL,
+    NULL,
+    SIG_DIGEST,
+    md2_verify_signature
+};
+
+/* 
+ * Order matter in this structure, "best" first for each "key
+ * compatible" type (type is RSA, DSA, none, etc)
+ */
+
+static const struct signature_alg *sig_algs[] = {
+    &rsa_with_sha256_alg,
+    &rsa_with_sha1_alg,
+    &pkcs1_rsa_sha1_alg,
+    &rsa_with_md5_alg,
+    &rsa_with_md2_alg,
+    &heim_rsa_pkcs1_x509,
+    &dsa_sha1_alg,
+    &sha256_alg,
+    &sha1_alg,
+    &md5_alg,
+    &md2_alg,
+    NULL
+};
+
+static const struct signature_alg *
+find_sig_alg(const heim_oid *oid)
+{
+    int i;
+    for (i = 0; sig_algs[i]; i++)
+	if (der_heim_oid_cmp((*sig_algs[i]->sig_oid)(), oid) == 0)
+	    return sig_algs[i];
+    return NULL;
+}
+
+/*
+ *
+ */
+
+static struct hx509_private_key_ops *private_algs[] = {
+    &rsa_private_key_ops,
+    NULL
+};
+
+static hx509_private_key_ops *
+find_private_alg(const heim_oid *oid)
+{
+    int i;
+    for (i = 0; private_algs[i]; i++) {
+	if (private_algs[i]->key_oid == NULL)
+	    continue;
+	if (der_heim_oid_cmp((*private_algs[i]->key_oid)(), oid) == 0)
+	    return private_algs[i];
+    }
+    return NULL;
+}
+
+
+int
+_hx509_verify_signature(hx509_context context,
+			const Certificate *signer,
+			const AlgorithmIdentifier *alg,
+			const heim_octet_string *data,
+			const heim_octet_string *sig)
+{
+    const struct signature_alg *md;
+
+    md = find_sig_alg(&alg->algorithm);
+    if (md == NULL) {
+	hx509_clear_error_string(context);
+	return HX509_SIG_ALG_NO_SUPPORTED;
+    }
+    if (signer && (md->flags & PROVIDE_CONF) == 0) {
+	hx509_clear_error_string(context);
+	return HX509_CRYPTO_SIG_NO_CONF;
+    }
+    if (signer == NULL && (md->flags & REQUIRE_SIGNER)) {
+	    hx509_clear_error_string(context);
+	return HX509_CRYPTO_SIGNATURE_WITHOUT_SIGNER;
+    }
+    if (md->key_oid && signer) {
+	const SubjectPublicKeyInfo *spi;
+	spi = &signer->tbsCertificate.subjectPublicKeyInfo;
+
+	if (der_heim_oid_cmp(&spi->algorithm.algorithm, (*md->key_oid)()) != 0) {
+	    hx509_clear_error_string(context);
+	    return HX509_SIG_ALG_DONT_MATCH_KEY_ALG;
+	}
+    }
+    return (*md->verify_signature)(context, md, signer, alg, data, sig);
+}
+
+int
+_hx509_verify_signature_bitstring(hx509_context context,
+				  const Certificate *signer,
+				  const AlgorithmIdentifier *alg,
+				  const heim_octet_string *data,
+				  const heim_bit_string *sig)
+{
+    heim_octet_string os;
+
+    if (sig->length & 7) {
+	hx509_set_error_string(context, 0, HX509_CRYPTO_SIG_INVALID_FORMAT,
+			       "signature not multiple of 8 bits");
+	return HX509_CRYPTO_SIG_INVALID_FORMAT;
+    }
+
+    os.data = sig->data;
+    os.length = sig->length / 8;
+    
+    return _hx509_verify_signature(context, signer, alg, data, &os);
+}
+
+int
+_hx509_create_signature(hx509_context context,
+			const hx509_private_key signer,
+			const AlgorithmIdentifier *alg,
+			const heim_octet_string *data,
+			AlgorithmIdentifier *signatureAlgorithm,
+			heim_octet_string *sig)
+{
+    const struct signature_alg *md;
+
+    if (signer && signer->ops && signer->ops->handle_alg &&
+	(*signer->ops->handle_alg)(signer, alg, COT_SIGN))
+    {
+	return (*signer->ops->sign)(context, signer, alg, data, 
+				    signatureAlgorithm, sig);
+    }
+
+    md = find_sig_alg(&alg->algorithm);
+    if (md == NULL) {
+	hx509_set_error_string(context, 0, HX509_SIG_ALG_NO_SUPPORTED,
+	    "algorithm no supported");
+	return HX509_SIG_ALG_NO_SUPPORTED;
+    }
+
+    if (signer && (md->flags & PROVIDE_CONF) == 0) {
+	hx509_set_error_string(context, 0, HX509_SIG_ALG_NO_SUPPORTED,
+	    "algorithm provides no conf");
+	return HX509_CRYPTO_SIG_NO_CONF;
+    }
+
+    return (*md->create_signature)(context, md, signer, alg, data, 
+				   signatureAlgorithm, sig);
+}
+
+int
+_hx509_create_signature_bitstring(hx509_context context,
+				  const hx509_private_key signer,
+				  const AlgorithmIdentifier *alg,
+				  const heim_octet_string *data,
+				  AlgorithmIdentifier *signatureAlgorithm,
+				  heim_bit_string *sig)
+{
+    heim_octet_string os;
+    int ret;
+
+    ret = _hx509_create_signature(context, signer, alg,
+				  data, signatureAlgorithm, &os);
+    if (ret)
+	return ret;
+    sig->data = os.data;
+    sig->length = os.length * 8;
+    return 0;
+}
+
+int
+_hx509_public_encrypt(hx509_context context,
+		      const heim_octet_string *cleartext,
+		      const Certificate *cert,
+		      heim_oid *encryption_oid,
+		      heim_octet_string *ciphertext)
+{
+    const SubjectPublicKeyInfo *spi;
+    unsigned char *to;
+    int tosize;
+    int ret;
+    RSA *rsa;
+    RSAPublicKey pk;
+    size_t size;
+
+    ciphertext->data = NULL;
+    ciphertext->length = 0;
+
+    spi = &cert->tbsCertificate.subjectPublicKeyInfo;
+
+    rsa = RSA_new();
+    if (rsa == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+
+    ret = decode_RSAPublicKey(spi->subjectPublicKey.data,
+			      spi->subjectPublicKey.length / 8,
+			      &pk, &size);
+    if (ret) {
+	RSA_free(rsa);
+	hx509_set_error_string(context, 0, ret, "RSAPublicKey decode failure");
+	return ret;
+    }
+    rsa->n = heim_int2BN(&pk.modulus);
+    rsa->e = heim_int2BN(&pk.publicExponent);
+
+    free_RSAPublicKey(&pk);
+
+    if (rsa->n == NULL || rsa->e == NULL) {
+	RSA_free(rsa);
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+
+    tosize = RSA_size(rsa);
+    to = malloc(tosize);
+    if (to == NULL) {
+	RSA_free(rsa);
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+
+    ret = RSA_public_encrypt(cleartext->length, 
+			     (unsigned char *)cleartext->data, 
+			     to, rsa, RSA_PKCS1_PADDING);
+    RSA_free(rsa);
+    if (ret <= 0) {
+	free(to);
+	hx509_set_error_string(context, 0, HX509_CRYPTO_RSA_PUBLIC_ENCRYPT,
+			       "RSA public encrypt failed with %d", ret);
+	return HX509_CRYPTO_RSA_PUBLIC_ENCRYPT;
+    }
+    if (ret > tosize)
+	_hx509_abort("internal rsa decryption failure: ret > tosize");
+
+    ciphertext->length = ret;
+    ciphertext->data = to;
+
+    ret = der_copy_oid(oid_id_pkcs1_rsaEncryption(), encryption_oid);
+    if (ret) {
+	der_free_octet_string(ciphertext);
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+
+    return 0;
+}
+
+int
+_hx509_private_key_private_decrypt(hx509_context context,
+				   const heim_octet_string *ciphertext,
+				   const heim_oid *encryption_oid,
+				   hx509_private_key p,
+				   heim_octet_string *cleartext)
+{
+    int ret;
+
+    cleartext->data = NULL;
+    cleartext->length = 0;
+
+    if (p->private_key.rsa == NULL) {
+	hx509_set_error_string(context, 0, HX509_PRIVATE_KEY_MISSING,
+			       "Private RSA key missing");
+	return HX509_PRIVATE_KEY_MISSING;
+    }
+
+    cleartext->length = RSA_size(p->private_key.rsa);
+    cleartext->data = malloc(cleartext->length);
+    if (cleartext->data == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+    ret = RSA_private_decrypt(ciphertext->length, ciphertext->data,
+			      cleartext->data,
+			      p->private_key.rsa,
+			      RSA_PKCS1_PADDING);
+    if (ret <= 0) {
+	der_free_octet_string(cleartext);
+	hx509_set_error_string(context, 0, HX509_CRYPTO_RSA_PRIVATE_DECRYPT,
+			       "Failed to decrypt using private key: %d", ret);
+	return HX509_CRYPTO_RSA_PRIVATE_DECRYPT;
+    }
+    if (cleartext->length < ret)
+	_hx509_abort("internal rsa decryption failure: ret > tosize");
+
+    cleartext->length = ret;
+
+    return 0;
+}
+
+
+int
+_hx509_parse_private_key(hx509_context context,
+			 const heim_oid *key_oid,
+			 const void *data,
+			 size_t len,
+			 hx509_private_key *private_key)
+{
+    struct hx509_private_key_ops *ops;
+    int ret;
+
+    *private_key = NULL;
+
+    ops = find_private_alg(key_oid);
+    if (ops == NULL) {
+	hx509_clear_error_string(context);
+	return HX509_SIG_ALG_NO_SUPPORTED;
+    }
+
+    ret = _hx509_private_key_init(private_key, ops, NULL);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret, "out of memory");
+	return ret;
+    }
+
+    ret = (*ops->import)(context, data, len, *private_key);
+    if (ret)
+	_hx509_private_key_free(private_key);
+
+    return ret;
+}
+
+/*
+ *
+ */
+
+int
+_hx509_private_key2SPKI(hx509_context context,
+			hx509_private_key private_key,
+			SubjectPublicKeyInfo *spki)
+{
+    const struct hx509_private_key_ops *ops = private_key->ops;
+    if (ops == NULL || ops->get_spki == NULL) {
+	hx509_set_error_string(context, 0, HX509_UNIMPLEMENTED_OPERATION,
+			       "Private key have no key2SPKI function");
+	return HX509_UNIMPLEMENTED_OPERATION;
+    }
+    return (*ops->get_spki)(context, private_key, spki);
+}
+
+int
+_hx509_generate_private_key_init(hx509_context context,
+				 const heim_oid *oid,
+				 struct hx509_generate_private_context **ctx)
+{
+    *ctx = NULL;
+
+    if (der_heim_oid_cmp(oid, oid_id_pkcs1_rsaEncryption()) != 0) {
+	hx509_set_error_string(context, 0, EINVAL, 
+			       "private key not an RSA key");
+	return EINVAL;
+    }
+
+    *ctx = calloc(1, sizeof(**ctx));
+    if (*ctx == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+    (*ctx)->key_oid = oid;
+
+    return 0;
+}
+
+int
+_hx509_generate_private_key_is_ca(hx509_context context,
+				  struct hx509_generate_private_context *ctx)
+{
+    ctx->isCA = 1;
+    return 0;
+}
+
+int
+_hx509_generate_private_key_bits(hx509_context context,
+				 struct hx509_generate_private_context *ctx,
+				 unsigned long bits)
+{
+    ctx->num_bits = bits;
+    return 0;
+}
+
+
+void
+_hx509_generate_private_key_free(struct hx509_generate_private_context **ctx)
+{
+    free(*ctx);
+    *ctx = NULL;
+}
+
+int
+_hx509_generate_private_key(hx509_context context,
+			    struct hx509_generate_private_context *ctx,
+			    hx509_private_key *private_key)
+{
+    struct hx509_private_key_ops *ops;
+    int ret;
+
+    *private_key = NULL;
+
+    ops = find_private_alg(ctx->key_oid);
+    if (ops == NULL) {
+	hx509_clear_error_string(context);
+	return HX509_SIG_ALG_NO_SUPPORTED;
+    }
+
+    ret = _hx509_private_key_init(private_key, ops, NULL);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret, "out of memory");
+	return ret;
+    }
+
+    ret = (*ops->generate_private_key)(context, ctx, *private_key);
+    if (ret)
+	_hx509_private_key_free(private_key);
+
+    return ret;
+}
+
+
+/*
+ *
+ */
+
+static const heim_octet_string null_entry_oid = { 2, rk_UNCONST("\x05\x00") };
+
+static const unsigned sha512_oid_tree[] = { 2, 16, 840, 1, 101, 3, 4, 2, 3 };
+const AlgorithmIdentifier _hx509_signature_sha512_data = { 
+    { 9, rk_UNCONST(sha512_oid_tree) }, rk_UNCONST(&null_entry_oid)
+};
+
+static const unsigned sha384_oid_tree[] = { 2, 16, 840, 1, 101, 3, 4, 2, 2 };
+const AlgorithmIdentifier _hx509_signature_sha384_data = { 
+    { 9, rk_UNCONST(sha384_oid_tree) }, rk_UNCONST(&null_entry_oid)
+};
+
+static const unsigned sha256_oid_tree[] = { 2, 16, 840, 1, 101, 3, 4, 2, 1 };
+const AlgorithmIdentifier _hx509_signature_sha256_data = { 
+    { 9, rk_UNCONST(sha256_oid_tree) }, rk_UNCONST(&null_entry_oid)
+};
+
+static const unsigned sha1_oid_tree[] = { 1, 3, 14, 3, 2, 26 };
+const AlgorithmIdentifier _hx509_signature_sha1_data = { 
+    { 6, rk_UNCONST(sha1_oid_tree) }, rk_UNCONST(&null_entry_oid)
+};
+
+static const unsigned md5_oid_tree[] = { 1, 2, 840, 113549, 2, 5 };
+const AlgorithmIdentifier _hx509_signature_md5_data = { 
+    { 6, rk_UNCONST(md5_oid_tree) }, rk_UNCONST(&null_entry_oid)
+};
+
+static const unsigned md2_oid_tree[] = { 1, 2, 840, 113549, 2, 2 };
+const AlgorithmIdentifier _hx509_signature_md2_data = { 
+    { 6, rk_UNCONST(md2_oid_tree) }, rk_UNCONST(&null_entry_oid)
+};
+
+static const unsigned rsa_with_sha512_oid[] ={ 1, 2, 840, 113549, 1, 1, 13 };
+const AlgorithmIdentifier _hx509_signature_rsa_with_sha512_data = { 
+    { 7, rk_UNCONST(rsa_with_sha512_oid) }, NULL
+};
+
+static const unsigned rsa_with_sha384_oid[] ={ 1, 2, 840, 113549, 1, 1, 12 };
+const AlgorithmIdentifier _hx509_signature_rsa_with_sha384_data = { 
+    { 7, rk_UNCONST(rsa_with_sha384_oid) }, NULL
+};
+
+static const unsigned rsa_with_sha256_oid[] ={ 1, 2, 840, 113549, 1, 1, 11 };
+const AlgorithmIdentifier _hx509_signature_rsa_with_sha256_data = { 
+    { 7, rk_UNCONST(rsa_with_sha256_oid) }, NULL
+};
+
+static const unsigned rsa_with_sha1_oid[] ={ 1, 2, 840, 113549, 1, 1, 5 };
+const AlgorithmIdentifier _hx509_signature_rsa_with_sha1_data = { 
+    { 7, rk_UNCONST(rsa_with_sha1_oid) }, NULL
+};
+
+static const unsigned rsa_with_md5_oid[] ={ 1, 2, 840, 113549, 1, 1, 4 };
+const AlgorithmIdentifier _hx509_signature_rsa_with_md5_data = { 
+    { 7, rk_UNCONST(rsa_with_md5_oid) }, NULL
+};
+
+static const unsigned rsa_with_md2_oid[] ={ 1, 2, 840, 113549, 1, 1, 2 };
+const AlgorithmIdentifier _hx509_signature_rsa_with_md2_data = { 
+    { 7, rk_UNCONST(rsa_with_md2_oid) }, NULL
+};
+
+static const unsigned rsa_oid[] ={ 1, 2, 840, 113549, 1, 1, 1 };
+const AlgorithmIdentifier _hx509_signature_rsa_data = { 
+    { 7, rk_UNCONST(rsa_oid) }, NULL
+};
+
+static const unsigned rsa_pkcs1_x509_oid[] ={ 1, 2, 752, 43, 16, 1 };
+const AlgorithmIdentifier _hx509_signature_rsa_pkcs1_x509_data = { 
+    { 6, rk_UNCONST(rsa_pkcs1_x509_oid) }, NULL
+};
+
+static const unsigned des_rsdi_ede3_cbc_oid[] ={ 1, 2, 840, 113549, 3, 7 };
+const AlgorithmIdentifier _hx509_des_rsdi_ede3_cbc_oid = {
+    { 6, rk_UNCONST(des_rsdi_ede3_cbc_oid) }, NULL
+};
+
+static const unsigned aes128_cbc_oid[] ={ 2, 16, 840, 1, 101, 3, 4, 1, 2 };
+const AlgorithmIdentifier _hx509_crypto_aes128_cbc_data = {
+    { 9, rk_UNCONST(aes128_cbc_oid) }, NULL
+};
+
+static const unsigned aes256_cbc_oid[] ={ 2, 16, 840, 1, 101, 3, 4, 1, 42 };
+const AlgorithmIdentifier _hx509_crypto_aes256_cbc_data = {
+    { 9, rk_UNCONST(aes256_cbc_oid) }, NULL
+};
+
+const AlgorithmIdentifier *
+hx509_signature_sha512(void)
+{ return &_hx509_signature_sha512_data; }
+
+const AlgorithmIdentifier *
+hx509_signature_sha384(void)
+{ return &_hx509_signature_sha384_data; }
+
+const AlgorithmIdentifier *
+hx509_signature_sha256(void)
+{ return &_hx509_signature_sha256_data; }
+
+const AlgorithmIdentifier *
+hx509_signature_sha1(void)
+{ return &_hx509_signature_sha1_data; }
+
+const AlgorithmIdentifier *
+hx509_signature_md5(void)
+{ return &_hx509_signature_md5_data; }
+
+const AlgorithmIdentifier *
+hx509_signature_md2(void)
+{ return &_hx509_signature_md2_data; }
+
+const AlgorithmIdentifier *
+hx509_signature_rsa_with_sha512(void)
+{ return &_hx509_signature_rsa_with_sha512_data; }
+
+const AlgorithmIdentifier *
+hx509_signature_rsa_with_sha384(void)
+{ return &_hx509_signature_rsa_with_sha384_data; }
+
+const AlgorithmIdentifier *
+hx509_signature_rsa_with_sha256(void)
+{ return &_hx509_signature_rsa_with_sha256_data; }
+
+const AlgorithmIdentifier *
+hx509_signature_rsa_with_sha1(void)
+{ return &_hx509_signature_rsa_with_sha1_data; }
+
+const AlgorithmIdentifier *
+hx509_signature_rsa_with_md5(void)
+{ return &_hx509_signature_rsa_with_md5_data; }
+
+const AlgorithmIdentifier *
+hx509_signature_rsa_with_md2(void)
+{ return &_hx509_signature_rsa_with_md2_data; }
+
+const AlgorithmIdentifier *
+hx509_signature_rsa(void)
+{ return &_hx509_signature_rsa_data; }
+
+const AlgorithmIdentifier *
+hx509_signature_rsa_pkcs1_x509(void)
+{ return &_hx509_signature_rsa_pkcs1_x509_data; }
+
+const AlgorithmIdentifier *
+hx509_crypto_des_rsdi_ede3_cbc(void)
+{ return &_hx509_des_rsdi_ede3_cbc_oid; }
+
+const AlgorithmIdentifier *
+hx509_crypto_aes128_cbc(void)
+{ return &_hx509_crypto_aes128_cbc_data; }
+
+const AlgorithmIdentifier *
+hx509_crypto_aes256_cbc(void)
+{ return &_hx509_crypto_aes256_cbc_data; }
+
+/*
+ *
+ */
+
+const AlgorithmIdentifier * _hx509_crypto_default_sig_alg = 
+    &_hx509_signature_rsa_with_sha1_data;
+const AlgorithmIdentifier * _hx509_crypto_default_digest_alg = 
+    &_hx509_signature_sha1_data;
+const AlgorithmIdentifier * _hx509_crypto_default_secret_alg = 
+    &_hx509_crypto_aes128_cbc_data;
+
+/*
+ *
+ */
+
+int
+_hx509_private_key_init(hx509_private_key *key,
+			hx509_private_key_ops *ops,
+			void *keydata)
+{
+    *key = calloc(1, sizeof(**key));
+    if (*key == NULL)
+	return ENOMEM;
+    (*key)->ref = 1;
+    (*key)->ops = ops;
+    (*key)->private_key.keydata = keydata;
+    return 0;
+}
+
+hx509_private_key
+_hx509_private_key_ref(hx509_private_key key)
+{
+    if (key->ref <= 0)
+	_hx509_abort("refcount <= 0");
+    key->ref++;
+    if (key->ref == 0)
+	_hx509_abort("refcount == 0");
+    return key;
+}
+
+const char *
+_hx509_private_pem_name(hx509_private_key key)
+{
+    return key->ops->pemtype;
+}
+
+int
+_hx509_private_key_free(hx509_private_key *key)
+{
+    if (key == NULL || *key == NULL)
+	return 0;
+
+    if ((*key)->ref <= 0)
+	_hx509_abort("refcount <= 0");
+    if (--(*key)->ref > 0)
+	return 0;
+
+    if ((*key)->private_key.rsa)
+	RSA_free((*key)->private_key.rsa);
+    (*key)->private_key.rsa = NULL;
+    free(*key);
+    *key = NULL;
+    return 0;
+}
+
+void
+_hx509_private_key_assign_rsa(hx509_private_key key, void *ptr)
+{
+    if (key->private_key.rsa)
+	RSA_free(key->private_key.rsa);
+    key->private_key.rsa = ptr;
+    key->signature_alg = oid_id_pkcs1_sha1WithRSAEncryption();
+    key->md = &pkcs1_rsa_sha1_alg;
+}
+
+int 
+_hx509_private_key_oid(hx509_context context,
+		       const hx509_private_key key,
+		       heim_oid *data)
+{
+    int ret;
+    ret = der_copy_oid((*key->ops->key_oid)(), data);
+    if (ret)
+	hx509_set_error_string(context, 0, ret, "malloc out of memory");
+    return ret;
+}
+
+int
+_hx509_private_key_exportable(hx509_private_key key)
+{
+    if (key->ops->export == NULL)
+	return 0;
+    return 1;
+}
+
+BIGNUM *
+_hx509_private_key_get_internal(hx509_context context,
+				hx509_private_key key, 
+				const char *type)
+{
+    if (key->ops->get_internal == NULL)
+	return NULL;
+    return (*key->ops->get_internal)(context, key, type);
+}
+
+int 
+_hx509_private_key_export(hx509_context context,
+			  const hx509_private_key key,
+			  heim_octet_string *data)
+{
+    if (key->ops->export == NULL) {
+	hx509_clear_error_string(context);
+	return HX509_UNIMPLEMENTED_OPERATION;
+    }
+    return (*key->ops->export)(context, key, data);
+}
+
+/*
+ *
+ */
+
+struct hx509cipher {
+    const char *name;
+    const heim_oid *(*oid_func)(void);
+    const AlgorithmIdentifier *(*ai_func)(void);
+    const EVP_CIPHER *(*evp_func)(void);
+    int (*get_params)(hx509_context, const hx509_crypto,
+		      const heim_octet_string *, heim_octet_string *);
+    int (*set_params)(hx509_context, const heim_octet_string *, 
+		      hx509_crypto, heim_octet_string *);
+};
+
+struct hx509_crypto_data {
+    char *name;
+    const struct hx509cipher *cipher;
+    const EVP_CIPHER *c;
+    heim_octet_string key;
+    heim_oid oid;
+    void *param;
+};
+
+/*
+ *
+ */
+
+static const heim_oid *
+oid_private_rc2_40(void)
+{
+    static unsigned oid_data[] = { 127, 1 };
+    static const heim_oid oid = { 2, oid_data };
+
+    return &oid;
+}
+
+
+/*
+ *
+ */
+
+static int
+CMSCBCParam_get(hx509_context context, const hx509_crypto crypto,
+		 const heim_octet_string *ivec, heim_octet_string *param)
+{
+    size_t size;
+    int ret;
+
+    assert(crypto->param == NULL);
+    if (ivec == NULL)
+	return 0;
+
+    ASN1_MALLOC_ENCODE(CMSCBCParameter, param->data, param->length,
+		       ivec, &size, ret);
+    if (ret == 0 && size != param->length)
+	_hx509_abort("Internal asn1 encoder failure");
+    if (ret)
+	hx509_clear_error_string(context);
+    return ret;
+}
+
+static int
+CMSCBCParam_set(hx509_context context, const heim_octet_string *param,
+		hx509_crypto crypto, heim_octet_string *ivec)
+{
+    int ret;
+    if (ivec == NULL)
+	return 0;
+
+    ret = decode_CMSCBCParameter(param->data, param->length, ivec, NULL);
+    if (ret)
+	hx509_clear_error_string(context);
+
+    return ret;
+}
+
+struct _RC2_params {
+    int maximum_effective_key;
+};
+
+static int
+CMSRC2CBCParam_get(hx509_context context, const hx509_crypto crypto,
+		   const heim_octet_string *ivec, heim_octet_string *param)
+{
+    CMSRC2CBCParameter rc2params;
+    const struct _RC2_params *p = crypto->param;
+    int maximum_effective_key = 128;
+    size_t size;
+    int ret;
+
+    memset(&rc2params, 0, sizeof(rc2params));
+
+    if (p)
+	maximum_effective_key = p->maximum_effective_key;
+
+    switch(maximum_effective_key) {
+    case 40:
+	rc2params.rc2ParameterVersion = 160;
+	break;
+    case 64:
+	rc2params.rc2ParameterVersion = 120;
+	break;
+    case 128:
+	rc2params.rc2ParameterVersion = 58;
+	break;
+    }
+    rc2params.iv = *ivec;
+
+    ASN1_MALLOC_ENCODE(CMSRC2CBCParameter, param->data, param->length,
+		       &rc2params, &size, ret);
+    if (ret == 0 && size != param->length)
+	_hx509_abort("Internal asn1 encoder failure");
+
+    return ret;
+}
+
+static int
+CMSRC2CBCParam_set(hx509_context context, const heim_octet_string *param,
+		   hx509_crypto crypto, heim_octet_string *ivec)
+{
+    CMSRC2CBCParameter rc2param;
+    struct _RC2_params *p;
+    size_t size;
+    int ret;
+
+    ret = decode_CMSRC2CBCParameter(param->data, param->length,
+				    &rc2param, &size);
+    if (ret) {
+	hx509_clear_error_string(context);
+	return ret;
+    }
+
+    p = calloc(1, sizeof(*p));
+    if (p == NULL) {
+	free_CMSRC2CBCParameter(&rc2param);
+	hx509_clear_error_string(context);
+	return ENOMEM;
+    }
+    switch(rc2param.rc2ParameterVersion) {
+    case 160:
+	crypto->c = EVP_rc2_40_cbc();
+	p->maximum_effective_key = 40;
+	break;
+    case 120:
+	crypto->c = EVP_rc2_64_cbc();
+	p->maximum_effective_key = 64;
+	break;
+    case 58:
+	crypto->c = EVP_rc2_cbc();
+	p->maximum_effective_key = 128;
+	break;
+    default:
+	free(p);
+	free_CMSRC2CBCParameter(&rc2param);
+	return HX509_CRYPTO_SIG_INVALID_FORMAT;
+    }
+    if (ivec)
+	ret = der_copy_octet_string(&rc2param.iv, ivec);
+    free_CMSRC2CBCParameter(&rc2param);
+    if (ret) {
+	free(p);
+	hx509_clear_error_string(context);
+    } else
+	crypto->param = p;
+
+    return ret;
+}
+
+/*
+ *
+ */
+
+static const struct hx509cipher ciphers[] = {
+    {
+	"rc2-cbc",
+	oid_id_pkcs3_rc2_cbc,
+	NULL,
+	EVP_rc2_cbc,
+	CMSRC2CBCParam_get,
+	CMSRC2CBCParam_set
+    },
+    {
+	"rc2-cbc",
+	oid_id_rsadsi_rc2_cbc,
+	NULL,
+	EVP_rc2_cbc,
+	CMSRC2CBCParam_get,
+	CMSRC2CBCParam_set
+    },
+    {
+	"rc2-40-cbc",
+	oid_private_rc2_40,
+	NULL,
+	EVP_rc2_40_cbc,
+	CMSRC2CBCParam_get,
+	CMSRC2CBCParam_set
+    },
+    {
+	"des-ede3-cbc",
+	oid_id_pkcs3_des_ede3_cbc,
+	NULL,
+	EVP_des_ede3_cbc,
+	CMSCBCParam_get,
+	CMSCBCParam_set
+    },
+    {
+	"des-ede3-cbc",
+	oid_id_rsadsi_des_ede3_cbc,
+	hx509_crypto_des_rsdi_ede3_cbc,
+	EVP_des_ede3_cbc,
+	CMSCBCParam_get,
+	CMSCBCParam_set
+    },
+    {
+	"aes-128-cbc",
+	oid_id_aes_128_cbc,
+	hx509_crypto_aes128_cbc,
+	EVP_aes_128_cbc,
+	CMSCBCParam_get,
+	CMSCBCParam_set
+    },
+    {
+	"aes-192-cbc",
+	oid_id_aes_192_cbc,
+	NULL,
+	EVP_aes_192_cbc,
+	CMSCBCParam_get,
+	CMSCBCParam_set
+    },
+    {
+	"aes-256-cbc",
+	oid_id_aes_256_cbc,
+	hx509_crypto_aes256_cbc,
+	EVP_aes_256_cbc,
+	CMSCBCParam_get,
+	CMSCBCParam_set
+    }
+};
+
+static const struct hx509cipher *
+find_cipher_by_oid(const heim_oid *oid)
+{
+    int i;
+
+    for (i = 0; i < sizeof(ciphers)/sizeof(ciphers[0]); i++)
+	if (der_heim_oid_cmp(oid, (*ciphers[i].oid_func)()) == 0)
+	    return &ciphers[i];
+
+    return NULL;
+}
+
+static const struct hx509cipher *
+find_cipher_by_name(const char *name)
+{
+    int i;
+
+    for (i = 0; i < sizeof(ciphers)/sizeof(ciphers[0]); i++)
+	if (strcasecmp(name, ciphers[i].name) == 0)
+	    return &ciphers[i];
+
+    return NULL;
+}
+
+
+const heim_oid *
+hx509_crypto_enctype_by_name(const char *name)
+{
+    const struct hx509cipher *cipher;
+
+    cipher = find_cipher_by_name(name);
+    if (cipher == NULL)
+	return NULL;
+    return (*cipher->oid_func)();
+}
+
+int
+hx509_crypto_init(hx509_context context,
+		  const char *provider,
+		  const heim_oid *enctype,
+		  hx509_crypto *crypto)
+{
+    const struct hx509cipher *cipher;
+
+    *crypto = NULL;
+
+    cipher = find_cipher_by_oid(enctype);
+    if (cipher == NULL) {
+	hx509_set_error_string(context, 0, HX509_ALG_NOT_SUPP,
+			       "Algorithm not supported");
+	return HX509_ALG_NOT_SUPP;
+    }
+
+    *crypto = calloc(1, sizeof(**crypto));
+    if (*crypto == NULL) {
+	hx509_clear_error_string(context);
+	return ENOMEM;
+    }
+
+    (*crypto)->cipher = cipher;
+    (*crypto)->c = (*cipher->evp_func)();
+
+    if (der_copy_oid(enctype, &(*crypto)->oid)) {
+	hx509_crypto_destroy(*crypto);
+	*crypto = NULL;
+	hx509_clear_error_string(context);
+	return ENOMEM;
+    }
+
+    return 0;
+}
+
+const char *
+hx509_crypto_provider(hx509_crypto crypto)
+{
+    return "unknown";
+}
+
+void
+hx509_crypto_destroy(hx509_crypto crypto)
+{
+    if (crypto->name)
+	free(crypto->name);
+    if (crypto->key.data)
+	free(crypto->key.data);
+    if (crypto->param)
+	free(crypto->param);
+    der_free_oid(&crypto->oid);
+    memset(crypto, 0, sizeof(*crypto));
+    free(crypto);
+}
+
+int
+hx509_crypto_set_key_name(hx509_crypto crypto, const char *name)
+{
+    return 0;
+}
+
+int
+hx509_crypto_set_key_data(hx509_crypto crypto, const void *data, size_t length)
+{
+    if (EVP_CIPHER_key_length(crypto->c) > length)
+	return HX509_CRYPTO_INTERNAL_ERROR;
+
+    if (crypto->key.data) {
+	free(crypto->key.data);
+	crypto->key.data = NULL;
+	crypto->key.length = 0;
+    }
+    crypto->key.data = malloc(length);
+    if (crypto->key.data == NULL)
+	return ENOMEM;
+    memcpy(crypto->key.data, data, length);
+    crypto->key.length = length;
+
+    return 0;
+}
+
+int
+hx509_crypto_set_random_key(hx509_crypto crypto, heim_octet_string *key)
+{
+    if (crypto->key.data) {
+	free(crypto->key.data);
+	crypto->key.length = 0;
+    }
+
+    crypto->key.length = EVP_CIPHER_key_length(crypto->c);
+    crypto->key.data = malloc(crypto->key.length);
+    if (crypto->key.data == NULL) {
+	crypto->key.length = 0;
+	return ENOMEM;
+    }
+    if (RAND_bytes(crypto->key.data, crypto->key.length) <= 0) {
+	free(crypto->key.data);
+	crypto->key.data = NULL;
+	crypto->key.length = 0;
+	return HX509_CRYPTO_INTERNAL_ERROR;
+    }
+    if (key)
+	return der_copy_octet_string(&crypto->key, key);
+    else
+	return 0;
+}
+
+int
+hx509_crypto_set_params(hx509_context context,
+			hx509_crypto crypto, 
+			const heim_octet_string *param,
+			heim_octet_string *ivec)
+{
+    return (*crypto->cipher->set_params)(context, param, crypto, ivec);
+}
+
+int
+hx509_crypto_get_params(hx509_context context,
+			hx509_crypto crypto, 
+			const heim_octet_string *ivec,
+			heim_octet_string *param)
+{
+    return (*crypto->cipher->get_params)(context, crypto, ivec, param);
+}
+
+int
+hx509_crypto_random_iv(hx509_crypto crypto, heim_octet_string *ivec)
+{
+    ivec->length = EVP_CIPHER_iv_length(crypto->c);
+    ivec->data = malloc(ivec->length);
+    if (ivec->data == NULL) {
+	ivec->length = 0;
+	return ENOMEM;
+    }
+
+    if (RAND_bytes(ivec->data, ivec->length) <= 0) {
+	free(ivec->data);
+	ivec->data = NULL;
+	ivec->length = 0;
+	return HX509_CRYPTO_INTERNAL_ERROR;
+    }
+    return 0;
+}
+
+int
+hx509_crypto_encrypt(hx509_crypto crypto,
+		     const void *data,
+		     const size_t length,
+		     const heim_octet_string *ivec,
+		     heim_octet_string **ciphertext)
+{
+    EVP_CIPHER_CTX evp;
+    size_t padsize;
+    int ret;
+
+    *ciphertext = NULL;
+
+    assert(EVP_CIPHER_iv_length(crypto->c) == ivec->length);
+
+    EVP_CIPHER_CTX_init(&evp);
+
+    ret = EVP_CipherInit_ex(&evp, crypto->c, NULL,
+			    crypto->key.data, ivec->data, 1);
+    if (ret != 1) {
+	EVP_CIPHER_CTX_cleanup(&evp);
+	ret = HX509_CRYPTO_INTERNAL_ERROR;
+	goto out;
+    }
+
+    *ciphertext = calloc(1, sizeof(**ciphertext));
+    if (*ciphertext == NULL) {
+	ret = ENOMEM;
+	goto out;
+    }
+    
+    if (EVP_CIPHER_block_size(crypto->c) == 1) {
+	padsize = 0;
+    } else {
+	int bsize = EVP_CIPHER_block_size(crypto->c);
+	padsize = bsize - (length % bsize);
+    }
+    (*ciphertext)->length = length + padsize;
+    (*ciphertext)->data = malloc(length + padsize);
+    if ((*ciphertext)->data == NULL) {
+	ret = ENOMEM;
+	goto out;
+    }
+	
+    memcpy((*ciphertext)->data, data, length);
+    if (padsize) {
+	int i;
+	unsigned char *p = (*ciphertext)->data;
+	p += length;
+	for (i = 0; i < padsize; i++)
+	    *p++ = padsize;
+    }
+
+    ret = EVP_Cipher(&evp, (*ciphertext)->data,
+		     (*ciphertext)->data,
+		     length + padsize);
+    if (ret != 1) {
+	ret = HX509_CRYPTO_INTERNAL_ERROR;
+	goto out;
+    }
+    ret = 0;
+
+ out:
+    if (ret) {
+	if (*ciphertext) {
+	    if ((*ciphertext)->data) {
+		free((*ciphertext)->data);
+	    }
+	    free(*ciphertext);
+	    *ciphertext = NULL;
+	}
+    }
+    EVP_CIPHER_CTX_cleanup(&evp);
+
+    return ret;
+}
+
+int
+hx509_crypto_decrypt(hx509_crypto crypto,
+		     const void *data,
+		     const size_t length,
+		     heim_octet_string *ivec,
+		     heim_octet_string *clear)
+{
+    EVP_CIPHER_CTX evp;
+    void *idata = NULL;
+    int ret;
+
+    clear->data = NULL;
+    clear->length = 0;
+
+    if (ivec && EVP_CIPHER_iv_length(crypto->c) < ivec->length)
+	return HX509_CRYPTO_INTERNAL_ERROR;
+
+    if (crypto->key.data == NULL)
+	return HX509_CRYPTO_INTERNAL_ERROR;
+
+    if (ivec)
+	idata = ivec->data;
+
+    EVP_CIPHER_CTX_init(&evp);
+
+    ret = EVP_CipherInit_ex(&evp, crypto->c, NULL,
+			    crypto->key.data, idata, 0);
+    if (ret != 1) {
+	EVP_CIPHER_CTX_cleanup(&evp);
+	return HX509_CRYPTO_INTERNAL_ERROR;
+    }
+
+    clear->length = length;
+    clear->data = malloc(length);
+    if (clear->data == NULL) {
+	EVP_CIPHER_CTX_cleanup(&evp);
+	clear->length = 0;
+	return ENOMEM;
+    }
+
+    if (EVP_Cipher(&evp, clear->data, data, length) != 1) {
+	return HX509_CRYPTO_INTERNAL_ERROR;
+    }
+    EVP_CIPHER_CTX_cleanup(&evp);
+
+    if (EVP_CIPHER_block_size(crypto->c) > 1) {
+	int padsize;
+	unsigned char *p; 
+	int j, bsize = EVP_CIPHER_block_size(crypto->c);
+
+	if (clear->length < bsize) {
+	    ret = HX509_CMS_PADDING_ERROR;
+	    goto out;
+	}
+
+	p = clear->data;
+	p += clear->length - 1;
+	padsize = *p;
+	if (padsize > bsize) {
+	    ret = HX509_CMS_PADDING_ERROR;
+	    goto out;
+	}
+	clear->length -= padsize;
+	for (j = 0; j < padsize; j++) {
+	    if (*p-- != padsize) {
+		ret = HX509_CMS_PADDING_ERROR;
+		goto out;
+	    }
+	}
+    }
+
+    return 0;
+
+ out:
+    if (clear->data)
+	free(clear->data);
+    clear->data = NULL;
+    clear->length = 0;
+    return ret;
+}
+
+typedef int (*PBE_string2key_func)(hx509_context,
+				   const char *,
+				   const heim_octet_string *,
+				   hx509_crypto *, heim_octet_string *, 
+				   heim_octet_string *,
+				   const heim_oid *, const EVP_MD *);
+
+static int
+PBE_string2key(hx509_context context,
+	       const char *password,
+	       const heim_octet_string *parameters,
+	       hx509_crypto *crypto, 
+	       heim_octet_string *key, heim_octet_string *iv,
+	       const heim_oid *enc_oid,
+	       const EVP_MD *md)
+{
+    PKCS12_PBEParams p12params;
+    int passwordlen;
+    hx509_crypto c;
+    int iter, saltlen, ret;
+    unsigned char *salt;
+
+    passwordlen = password ? strlen(password) : 0;
+
+    if (parameters == NULL)
+ 	return HX509_ALG_NOT_SUPP;
+
+    ret = decode_PKCS12_PBEParams(parameters->data,
+				  parameters->length,
+				  &p12params, NULL);
+    if (ret)
+	goto out;
+
+    if (p12params.iterations)
+	iter = *p12params.iterations;
+    else
+	iter = 1;
+    salt = p12params.salt.data;
+    saltlen = p12params.salt.length;
+
+    if (!PKCS12_key_gen (password, passwordlen, salt, saltlen, 
+			 PKCS12_KEY_ID, iter, key->length, key->data, md)) {
+	ret = HX509_CRYPTO_INTERNAL_ERROR;
+	goto out;
+    }
+    
+    if (!PKCS12_key_gen (password, passwordlen, salt, saltlen, 
+			 PKCS12_IV_ID, iter, iv->length, iv->data, md)) {
+	ret = HX509_CRYPTO_INTERNAL_ERROR;
+	goto out;
+    }
+
+    ret = hx509_crypto_init(context, NULL, enc_oid, &c);
+    if (ret)
+	goto out;
+
+    ret = hx509_crypto_set_key_data(c, key->data, key->length);
+    if (ret) {
+	hx509_crypto_destroy(c);
+	goto out;
+    }
+
+    *crypto = c;
+out:
+    free_PKCS12_PBEParams(&p12params);
+    return ret;
+}
+
+static const heim_oid *
+find_string2key(const heim_oid *oid, 
+		const EVP_CIPHER **c, 
+		const EVP_MD **md,
+		PBE_string2key_func *s2k)
+{
+    if (der_heim_oid_cmp(oid, oid_id_pbewithSHAAnd40BitRC2_CBC()) == 0) {
+	*c = EVP_rc2_40_cbc();
+	*md = EVP_sha1();
+	*s2k = PBE_string2key;
+	return oid_private_rc2_40();
+    } else if (der_heim_oid_cmp(oid, oid_id_pbeWithSHAAnd128BitRC2_CBC()) == 0) {
+	*c = EVP_rc2_cbc();
+	*md = EVP_sha1();
+	*s2k = PBE_string2key;
+	return oid_id_pkcs3_rc2_cbc();
+#if 0
+    } else if (der_heim_oid_cmp(oid, oid_id_pbeWithSHAAnd40BitRC4()) == 0) {
+	*c = EVP_rc4_40();
+	*md = EVP_sha1();
+	*s2k = PBE_string2key;
+	return NULL;
+    } else if (der_heim_oid_cmp(oid, oid_id_pbeWithSHAAnd128BitRC4()) == 0) {
+	*c = EVP_rc4();
+	*md = EVP_sha1();
+	*s2k = PBE_string2key;
+	return oid_id_pkcs3_rc4();
+#endif
+    } else if (der_heim_oid_cmp(oid, oid_id_pbeWithSHAAnd3_KeyTripleDES_CBC()) == 0) {
+	*c = EVP_des_ede3_cbc();
+	*md = EVP_sha1();
+	*s2k = PBE_string2key;
+	return oid_id_pkcs3_des_ede3_cbc();
+    }
+
+    return NULL;
+}
+
+/*
+ *
+ */
+
+int
+_hx509_pbe_encrypt(hx509_context context,
+		   hx509_lock lock,
+		   const AlgorithmIdentifier *ai,
+		   const heim_octet_string *content,
+		   heim_octet_string *econtent)
+{
+    hx509_clear_error_string(context);
+    return EINVAL;
+}
+
+/*
+ *
+ */
+
+int
+_hx509_pbe_decrypt(hx509_context context,
+		   hx509_lock lock,
+		   const AlgorithmIdentifier *ai,
+		   const heim_octet_string *econtent,
+		   heim_octet_string *content)
+{
+    const struct _hx509_password *pw;
+    heim_octet_string key, iv;
+    const heim_oid *enc_oid;
+    const EVP_CIPHER *c;
+    const EVP_MD *md;
+    PBE_string2key_func s2k;
+    int i, ret = 0;
+
+    memset(&key, 0, sizeof(key));
+    memset(&iv, 0, sizeof(iv));
+
+    memset(content, 0, sizeof(*content));
+
+    enc_oid = find_string2key(&ai->algorithm, &c, &md, &s2k);
+    if (enc_oid == NULL) {
+	hx509_set_error_string(context, 0, HX509_ALG_NOT_SUPP,
+			       "String to key algorithm not supported");
+	ret = HX509_ALG_NOT_SUPP;
+	goto out;
+    }
+
+    key.length = EVP_CIPHER_key_length(c);
+    key.data = malloc(key.length);
+    if (key.data == NULL) {
+	ret = ENOMEM;
+	hx509_clear_error_string(context);
+	goto out;
+    }
+
+    iv.length = EVP_CIPHER_iv_length(c);
+    iv.data = malloc(iv.length);
+    if (iv.data == NULL) {
+	ret = ENOMEM;
+	hx509_clear_error_string(context);
+	goto out;
+    }
+
+    pw = _hx509_lock_get_passwords(lock);
+
+    ret = HX509_CRYPTO_INTERNAL_ERROR;
+    for (i = 0; i < pw->len + 1; i++) {
+	hx509_crypto crypto;
+	const char *password;
+
+	if (i < pw->len)
+	    password = pw->val[i];
+	else if (i < pw->len + 1)
+	    password = "";
+	else
+	    password = NULL;
+
+	ret = (*s2k)(context, password, ai->parameters, &crypto, 
+		     &key, &iv, enc_oid, md);
+	if (ret)
+	    goto out;
+
+	ret = hx509_crypto_decrypt(crypto,
+				   econtent->data,
+				   econtent->length,
+				   &iv,
+				   content);
+	hx509_crypto_destroy(crypto);
+	if (ret == 0)
+	    goto out;
+				   
+    }
+out:
+    if (key.data)
+	der_free_octet_string(&key);
+    if (iv.data)
+	der_free_octet_string(&iv);
+    return ret;
+}
+
+/*
+ *
+ */
+
+
+int
+_hx509_match_keys(hx509_cert c, hx509_private_key private_key)
+{
+    const Certificate *cert;
+    const SubjectPublicKeyInfo *spi;
+    RSAPublicKey pk;
+    RSA *rsa;
+    size_t size;
+    int ret;
+
+    if (private_key->private_key.rsa == NULL)
+	return 0;
+
+    rsa = private_key->private_key.rsa;
+    if (rsa->d == NULL || rsa->p == NULL || rsa->q == NULL)
+	return 0;
+
+    cert = _hx509_get_cert(c);
+    spi = &cert->tbsCertificate.subjectPublicKeyInfo;
+
+    rsa = RSA_new();
+    if (rsa == NULL)
+	return 0;
+
+    ret = decode_RSAPublicKey(spi->subjectPublicKey.data,
+			      spi->subjectPublicKey.length / 8,
+			      &pk, &size);
+    if (ret) {
+	RSA_free(rsa);
+	return 0;
+    }
+    rsa->n = heim_int2BN(&pk.modulus);
+    rsa->e = heim_int2BN(&pk.publicExponent);
+
+    free_RSAPublicKey(&pk);
+
+    rsa->d = BN_dup(private_key->private_key.rsa->d);
+    rsa->p = BN_dup(private_key->private_key.rsa->p);
+    rsa->q = BN_dup(private_key->private_key.rsa->q);
+    rsa->dmp1 = BN_dup(private_key->private_key.rsa->dmp1);
+    rsa->dmq1 = BN_dup(private_key->private_key.rsa->dmq1);
+    rsa->iqmp = BN_dup(private_key->private_key.rsa->iqmp);
+
+    if (rsa->n == NULL || rsa->e == NULL || 
+	rsa->d == NULL || rsa->p == NULL|| rsa->q == NULL ||
+	rsa->dmp1 == NULL || rsa->dmq1 == NULL) {
+	RSA_free(rsa);
+	return 0;
+    }
+
+    ret = RSA_check_key(rsa);
+    RSA_free(rsa);
+
+    return ret == 1;
+}
+
+static const heim_oid *
+find_keytype(const hx509_private_key key)
+{
+    const struct signature_alg *md;
+
+    if (key == NULL)
+	return NULL;
+
+    md = find_sig_alg(key->signature_alg);
+    if (md == NULL)
+	return NULL;
+    return (*md->key_oid)();
+}
+
+
+int
+hx509_crypto_select(const hx509_context context,
+		    int type,
+		    const hx509_private_key source,
+		    hx509_peer_info peer,
+		    AlgorithmIdentifier *selected)
+{
+    const AlgorithmIdentifier *def;
+    size_t i, j;
+    int ret, bits;
+
+    memset(selected, 0, sizeof(*selected));
+
+    if (type == HX509_SELECT_DIGEST) {
+	bits = SIG_DIGEST;
+	def = _hx509_crypto_default_digest_alg;
+    } else if (type == HX509_SELECT_PUBLIC_SIG) {
+	bits = SIG_PUBLIC_SIG;
+	/* XXX depend on `source´ and `peer´ */
+	def = _hx509_crypto_default_sig_alg;
+    } else if (type == HX509_SELECT_SECRET_ENC) {
+	bits = SIG_SECRET;
+	def = _hx509_crypto_default_secret_alg;
+    } else {
+	hx509_set_error_string(context, 0, EINVAL, 
+			       "Unknown type %d of selection", type);
+	return EINVAL;
+    }
+
+    if (peer) {
+	const heim_oid *keytype = NULL;
+
+	keytype = find_keytype(source);
+
+	for (i = 0; i < peer->len; i++) {
+	    for (j = 0; sig_algs[j]; j++) {
+		if ((sig_algs[j]->flags & bits) != bits)
+		    continue;
+		if (der_heim_oid_cmp((*sig_algs[j]->sig_oid)(), 
+				     &peer->val[i].algorithm) != 0)
+		    continue;
+		if (keytype && sig_algs[j]->key_oid && 
+		    der_heim_oid_cmp(keytype, (*sig_algs[j]->key_oid)()))
+		    continue;
+
+		/* found one, use that */
+		ret = copy_AlgorithmIdentifier(&peer->val[i], selected);
+		if (ret)
+		    hx509_clear_error_string(context);
+		return ret;
+	    }
+	    if (bits & SIG_SECRET) {
+		const struct hx509cipher *cipher;
+
+		cipher = find_cipher_by_oid(&peer->val[i].algorithm);
+		if (cipher == NULL)
+		    continue;
+		if (cipher->ai_func == NULL)
+		    continue;
+		ret = copy_AlgorithmIdentifier(cipher->ai_func(), selected);
+		if (ret)
+		    hx509_clear_error_string(context);
+		return ret;
+	    }
+	}
+    }
+
+    /* use default */
+    ret = copy_AlgorithmIdentifier(def, selected);
+    if (ret)
+	hx509_clear_error_string(context);
+    return ret;
+}
+
+int
+hx509_crypto_available(hx509_context context,
+		       int type,
+		       hx509_cert source,
+		       AlgorithmIdentifier **val,
+		       unsigned int *plen)
+{
+    const heim_oid *keytype = NULL;
+    unsigned int len, i;
+    void *ptr;
+    int bits, ret;
+
+    *val = NULL;
+
+    if (type == HX509_SELECT_ALL) {
+	bits = SIG_DIGEST | SIG_PUBLIC_SIG | SIG_SECRET;
+    } else if (type == HX509_SELECT_DIGEST) {
+	bits = SIG_DIGEST;
+    } else if (type == HX509_SELECT_PUBLIC_SIG) {
+	bits = SIG_PUBLIC_SIG;
+    } else {
+	hx509_set_error_string(context, 0, EINVAL, 
+			       "Unknown type %d of available", type);
+	return EINVAL;
+    }
+
+    if (source)
+	keytype = find_keytype(_hx509_cert_private_key(source));
+
+    len = 0;
+    for (i = 0; sig_algs[i]; i++) {
+	if ((sig_algs[i]->flags & bits) == 0)
+	    continue;
+	if (sig_algs[i]->sig_alg == NULL)
+	    continue;
+	if (keytype && sig_algs[i]->key_oid && 
+	    der_heim_oid_cmp((*sig_algs[i]->key_oid)(), keytype))
+	    continue;
+
+	/* found one, add that to the list */
+	ptr = realloc(*val, sizeof(**val) * (len + 1));
+	if (ptr == NULL)
+	    goto out;
+	*val = ptr;
+
+	ret = copy_AlgorithmIdentifier((*sig_algs[i]->sig_alg)(), &(*val)[len]);
+	if (ret)
+	    goto out;
+	len++;
+    }
+
+    /* Add AES */
+    if (bits & SIG_SECRET) {
+
+	for (i = 0; i < sizeof(ciphers)/sizeof(ciphers[0]); i++) {
+	
+	    if (ciphers[i].ai_func == NULL)
+		continue;
+
+	    ptr = realloc(*val, sizeof(**val) * (len + 1));
+	    if (ptr == NULL)
+		goto out;
+	    *val = ptr;
+	    
+	    ret = copy_AlgorithmIdentifier((ciphers[i].ai_func)(), &(*val)[len]);
+	    if (ret)
+		goto out;
+	    len++;
+	}
+    }
+
+    *plen = len;
+    return 0;
+
+out:
+    for (i = 0; i < len; i++)
+	free_AlgorithmIdentifier(&(*val)[i]);
+    free(*val);
+    *val = NULL;
+    hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+    return ENOMEM;
+}
+
+void
+hx509_crypto_free_algs(AlgorithmIdentifier *val,
+		       unsigned int len)
+{
+    unsigned int i;
+    for (i = 0; i < len; i++)
+	free_AlgorithmIdentifier(&val[i]);
+    free(val);
+}    
diff --git a/crypto/heimdal/lib/hx509/data/bleichenbacher-bad.pem b/crypto/heimdal/lib/hx509/data/bleichenbacher-bad.pem
new file mode 100644
index 0000000..2c71932
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/bleichenbacher-bad.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBsDCCAVoCAQYwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCQVUxEzARBgNV
+BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMSMwIQYD
+VQQDExpTZXJ2ZXIgdGVzdCBjZXJ0ICg1MTIgYml0KTAeFw0wNjA5MTEyMzU4NTVa
+Fw0wNjEwMTEyMzU4NTVaMGMxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNs
+YW5kMRowGAYDVQQKExFDcnlwdFNvZnQgUHR5IEx0ZDEjMCEGA1UEAxMaU2VydmVy
+IHRlc3QgY2VydCAoNTEyIGJpdCkwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PD
+hCeV/xIxUg8V70YRxK2A5jZbD92A12GN4PxyRQk0/lVmRUNMaJdq/qigpd9feP/u
+12S4PwTLb/8q/v657QIDAQABMA0GCSqGSIb3DQEBBQUAA0EAbynCRIlUQgaqyNgU
+DF6P14yRKUtX8akOP2TwStaSiVf/akYqfLFm3UGka5XbPj4rifrZ0/sOoZEEBvHQ
+e20sRA==
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/bleichenbacher-good.pem b/crypto/heimdal/lib/hx509/data/bleichenbacher-good.pem
new file mode 100644
index 0000000..409147bd
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/bleichenbacher-good.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBsDCCAVoCAQYwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCQVUxEzARBgNV
+BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMSMwIQYD
+VQQDExpTZXJ2ZXIgdGVzdCBjZXJ0ICg1MTIgYml0KTAeFw0wNjA5MTEyMzU5MDJa
+Fw0wNjEwMTEyMzU5MDJaMGMxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNs
+YW5kMRowGAYDVQQKExFDcnlwdFNvZnQgUHR5IEx0ZDEjMCEGA1UEAxMaU2VydmVy
+IHRlc3QgY2VydCAoNTEyIGJpdCkwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PD
+hCeV/xIxUg8V70YRxK2A5jZbD92A12GN4PxyRQk0/lVmRUNMaJdq/qigpd9feP/u
+12S4PwTLb/8q/v657QIDAQABMA0GCSqGSIb3DQEBBQUAA0EAc+fnj0rB2CYautG2
+4itiMOU4SN6JFTFDCTU/Gb5aR/Fiu7HJkuE5yGEnTdnwcId/T9sTW251yzCc1e2z
+rHX/kw==
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/bleichenbacher-sf-pad-correct.pem b/crypto/heimdal/lib/hx509/data/bleichenbacher-sf-pad-correct.pem
new file mode 100644
index 0000000..3e73f5d
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/bleichenbacher-sf-pad-correct.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICgzCCAWugAwIBAgIBFzANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzEl
+MCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMp
+U3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDYw
+ODE5MTY1MTMwWhcNMDYxMDE4MTY1MTMwWjARMQ8wDQYDVQQDEwZIYWNrZXIwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKSu6ChWttBsOpaBrYf4PzyCGNe6DuE7
+rmq4CMskdz8uiAJ3wVd8jGsjdeY4YzoXSVp+9mEF6XqNgyDf8Ub3kNgPYxvJ28lg
+QVpd5RdGWXHo14LWBTD1mtFkCiAhVlATsVNI/tjv2tv7Jp8EsylbDHe7hslA0rns
+Rr2cS9bvpM03AgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEF
+BQADggEBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADLL/Up63HkFWD15INcW
+Xd1nZGI+gO/whm58ICyJ1Js7ON6N4NyBTwe8513CvdOlOdG/Ctmy2gxEE47HhEed
+ST8AUooI0ey599t84P20gGRuOYIjr7c=
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/ca.crt b/crypto/heimdal/lib/hx509/data/ca.crt
new file mode 100644
index 0000000..76fa2c4
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/ca.crt
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICbDCCAdWgAwIBAgIJALeUXoWyGYBYMA0GCSqGSIb3DQEBBQUAMCoxGzAZBgNV
+BAMMEmh4NTA5IFRlc3QgUm9vdCBDQTELMAkGA1UEBhMCU0UwHhcNMDcxMTE1MDY1
+ODU2WhcNMTcxMTEyMDY1ODU2WjAqMRswGQYDVQQDDBJoeDUwOSBUZXN0IFJvb3Qg
+Q0ExCzAJBgNVBAYTAlNFMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHcvJb
+yJXPhM9HHq1hU6d2Cu1fW9o1CvObirn1SNZg+pTnQgO9Lv4VjQQfltNK0aovyLJa
+UdbAbsRCfH+79YY2tU76x8aXpUri0DfUv5PGscIZzW7WULaaXxBgHo1owzmhc1Qj
+F9JDEurJXGFEZaDsPcEwY40RjrKDL8SXzEoEwwIDAQABo4GZMIGWMB0GA1UdDgQW
+BBSM5w21xd5phXUsCKHeUxUwnKHoADBaBgNVHSMEUzBRgBSM5w21xd5phXUsCKHe
+UxUwnKHoAKEupCwwKjEbMBkGA1UEAwwSaHg1MDkgVGVzdCBSb290IENBMQswCQYD
+VQQGEwJTRYIJALeUXoWyGYBYMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgHmMA0G
+CSqGSIb3DQEBBQUAA4GBAIBa6mq1aytlbhixD6q4PROg7P1OGX6nr5CkC96CC+Xp
+5UTLZEVIddkrBswNAAS0p5eEorO8xD9eT5ztZ0oYITymsO1sEIfDLks+LhdBoyF7
+TX24INRwjlqsC8UlbRFoClxIMNhrMwcC3oZ4oLddV2OmA0IOG6yHXvEOQq0sTotr
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/ca.key b/crypto/heimdal/lib/hx509/data/ca.key
new file mode 100644
index 0000000..924c52d
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/ca.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDHcvJbyJXPhM9HHq1hU6d2Cu1fW9o1CvObirn1SNZg+pTnQgO9
+Lv4VjQQfltNK0aovyLJaUdbAbsRCfH+79YY2tU76x8aXpUri0DfUv5PGscIZzW7W
+ULaaXxBgHo1owzmhc1QjF9JDEurJXGFEZaDsPcEwY40RjrKDL8SXzEoEwwIDAQAB
+AoGAcRFgBdpr224eF+JzRganm8rMENBAnutreRUnIL+/ENFd0tBg0EIwtsTvvnzB
+odvEkDxFp+BXT1Y8Grj7rPGeuKq7537J43Go02fSC7z4i3HDhSmv1SXE59hiES4F
+ktyR2D7N+A/RPCckS4JM/zG4ZkucqKg/NnVpbdTpl0P2oSkCQQDoDkPde5vfWeXG
+wmAgm5HPbyEmDBXQMlYDgNd448TmObRpjr0dyyr5zDgFJkOpOmv6WUMUxGILam3k
+hCDqQqHPAkEA3AdgsMafqkR+OJmZT/gIDYb+mU8DFH6+WcUPxk+qbAa8JWg4VD30
+tpOKwZu4an1kExHnsVTqKOoW1cYmtYDuzQJAJ+78gsrYwhDoV9HvVO0wpG/NVozR
+3CgtYSD085rOsYfQojGsHcputNoN8eTp09934Xcm8hXxgWFpU9/hAi9BRQJACKG1
+dlnka56SQRAthoiZcEZqeIM0ALrUJttnOgVoDyLYgLMs+okPr5XsLJo6StsucN0T
+9M36/a3pRWunmxk6xQJBAOaD3sdIMLtGpFFOIQgkNUD9rOqXpi87h3ecmJCuG82w
+B6kRNvpZz33U2FowFQtGBdvUBsbzlRzYDMrWniC6YKc=
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/heimdal/lib/hx509/data/crl1.crl b/crypto/heimdal/lib/hx509/data/crl1.crl
new file mode 100644
index 0000000..14aecf4
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/crl1.crl
@@ -0,0 +1,8 @@
+-----BEGIN X509 CRL-----
+MIIBBDBvMA0GCSqGSIb3DQEBBQUAMCoxGzAZBgNVBAMMEmh4NTA5IFRlc3QgUm9v
+dCBDQTELMAkGA1UEBhMCU0UXDTA3MTExNTA2NTkwMFoXDTE3MDkyMzA2NTkwMFow
+FDASAgEDFw0wNzExMTUwNjU5MDBaMA0GCSqGSIb3DQEBBQUAA4GBAGYUroSt3oVI
+0mjphSYqtpzDavF6xVM7bQrQEW+ZhzG7VynJdJaPgaJRaEHj9CNlJT1GF5WOY180
+wWuZEqXUV144snZ7YkSdsNOQRSmnHp8Fl6Sjdya3G55FoJHmhZ2JvscyZpb/Vh8N
+NoMICB27iYqCzVlK9NkT5neCmomv/mDn
+-----END X509 CRL-----
diff --git a/crypto/heimdal/lib/hx509/data/crl1.der b/crypto/heimdal/lib/hx509/data/crl1.der
new file mode 100644
index 0000000..6d29196
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/crl1.der
diff --git a/crypto/heimdal/lib/hx509/data/gen-req.sh b/crypto/heimdal/lib/hx509/data/gen-req.sh
new file mode 100644
index 0000000..4926399
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/gen-req.sh
@@ -0,0 +1,316 @@
+#!/bin/sh
+# $Id: gen-req.sh 21786 2007-08-01 19:37:45Z lha $
+#
+# This script need openssl 0.9.8a or newer, so it can parse the
+# otherName section for pkinit certificates.
+#
+
+openssl=$HOME/src/openssl/openssl-0.9.8e/apps/openssl
+
+gen_cert()
+{
+	${openssl} req \
+		-new \
+		-subj "$1" \
+		-config openssl.cnf \
+		-newkey rsa:1024 \
+		-sha1 \
+		-nodes \
+		-keyout out.key \
+		-out cert.req > /dev/null 2>/dev/null
+
+        if [ "$3" = "ca" ] ; then
+	    ${openssl} x509 \
+		-req \
+		-days 3650 \
+		-in cert.req \
+		-extfile openssl.cnf \
+		-extensions $4 \
+                -signkey out.key \
+		-out cert.crt
+
+		ln -s ca.crt `${openssl} x509 -hash -noout -in cert.crt`.0
+
+		name=$3
+
+        elif [ "$3" = "proxy" ] ; then
+
+	    ${openssl} x509 \
+		-req \
+		-in cert.req \
+		-days 3650 \
+		-out cert.crt \
+		-CA $2.crt \
+		-CAkey $2.key \
+		-CAcreateserial \
+		-extfile openssl.cnf \
+		-extensions $4
+
+		name=$5
+	else
+
+	    ${openssl} ca \
+		-name $4 \
+		-days 3650 \
+		-cert $2.crt \
+		-keyfile $2.key \
+		-in cert.req \
+		-out cert.crt \
+		-outdir . \
+		-batch \
+		-config openssl.cnf 
+
+		name=$3
+	fi
+
+	mv cert.crt $name.crt
+	mv out.key $name.key
+}
+
+echo "01" > serial
+> index.txt
+rm -f *.0
+
+gen_cert "/CN=hx509 Test Root CA/C=SE" "root" "ca" "v3_ca"
+gen_cert "/CN=OCSP responder/C=SE" "ca" "ocsp-responder" "ocsp"
+gen_cert "/CN=Test cert/C=SE" "ca" "test" "usr"
+gen_cert "/CN=Revoke cert/C=SE" "ca" "revoke" "usr"
+gen_cert "/CN=Test cert KeyEncipherment/C=SE" "ca" "test-ke-only" "usr_ke"
+gen_cert "/CN=Test cert DigitalSignature/C=SE" "ca" "test-ds-only" "usr_ds"
+gen_cert "/CN=pkinit/C=SE" "ca" "pkinit" "pkinit_client"
+gen_cert "/C=SE/CN=pkinit/CN=pkinit-proxy" "pkinit" "proxy" "proxy_cert" pkinit-proxy
+gen_cert "/CN=kdc/C=SE" "ca" "kdc" "pkinit_kdc"
+gen_cert "/CN=www.test.h5l.se/C=SE" "ca" "https" "https"
+gen_cert "/CN=Sub CA/C=SE" "ca" "sub-ca" "subca"
+gen_cert "/CN=Test sub cert/C=SE" "sub-ca" "sub-cert" "usr"
+gen_cert "/C=SE/CN=Test cert/CN=proxy" "test" "proxy" "proxy_cert" proxy-test
+gen_cert "/C=SE/CN=Test cert/CN=proxy/CN=child" "proxy-test" "proxy" "proxy_cert" proxy-level-test
+gen_cert "/C=SE/CN=Test cert/CN=no-proxy" "test" "proxy" "usr_cert" no-proxy-test
+gen_cert "/C=SE/CN=Test cert/CN=proxy10" "test" "proxy" "proxy10_cert" proxy10-test
+gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child" "proxy10-test" "proxy" "proxy10_cert" proxy10-child-test
+gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child/CN=child" "proxy10-child-test" "proxy" "proxy10_cert" proxy10-child-child-test
+
+
+# combine
+cat sub-ca.crt ca.crt > sub-ca-combined.crt
+cat test.crt test.key > test.combined.crt
+cat pkinit-proxy.crt pkinit.crt > pkinit-proxy-chain.crt
+
+# password protected key
+${openssl} rsa -in test.key -aes256 -passout pass:foobar -out test-pw.key
+${openssl} rsa -in pkinit.key -aes256 -passout pass:foo -out pkinit-pw.key
+
+
+${openssl} ca \
+    -name usr \
+    -cert ca.crt \
+    -keyfile ca.key \
+    -revoke revoke.crt \
+    -config openssl.cnf 
+
+${openssl} pkcs12 \
+    -export \
+    -in test.crt \
+    -inkey test.key \
+    -passout pass:foobar \
+    -out test.p12 \
+    -name "friendlyname-test" \
+    -certfile ca.crt \
+    -caname ca
+
+${openssl} pkcs12 \
+    -export \
+    -in sub-cert.crt \
+    -inkey sub-cert.key \
+    -passout pass:foobar \
+    -out sub-cert.p12 \
+    -name "friendlyname-sub-cert" \
+    -certfile sub-ca-combined.crt \
+    -caname sub-ca \
+    -caname ca
+
+${openssl} pkcs12 \
+    -keypbe NONE \
+    -certpbe NONE \
+    -export \
+    -in test.crt \
+    -inkey test.key \
+    -passout pass:foobar \
+    -out test-nopw.p12 \
+    -name "friendlyname-cert" \
+    -certfile ca.crt \
+    -caname ca
+
+${openssl} smime \
+    -sign \
+    -nodetach \
+    -binary \
+    -in static-file \
+    -signer test.crt \
+    -inkey test.key \
+    -outform DER \
+    -out test-signed-data
+
+${openssl} smime \
+    -sign \
+    -nodetach \
+    -binary \
+    -in static-file \
+    -signer test.crt \
+    -inkey test.key \
+    -noattr \
+    -outform DER \
+    -out test-signed-data-noattr
+
+${openssl} smime \
+    -sign \
+    -nodetach \
+    -binary \
+    -in static-file \
+    -signer test.crt \
+    -inkey test.key \
+    -noattr \
+    -nocerts \
+    -outform DER \
+    -out test-signed-data-noattr-nocerts
+
+${openssl} smime \
+    -encrypt \
+    -nodetach \
+    -binary \
+    -in static-file \
+    -outform DER \
+    -out test-enveloped-rc2-40 \
+    -rc2-40 \
+    test.crt
+
+${openssl} smime \
+    -encrypt \
+    -nodetach \
+    -binary \
+    -in static-file \
+    -outform DER \
+    -out test-enveloped-rc2-64 \
+    -rc2-64 \
+    test.crt
+
+${openssl} smime \
+    -encrypt \
+    -nodetach \
+    -binary \
+    -in static-file \
+    -outform DER \
+    -out test-enveloped-rc2-128 \
+    -rc2-128 \
+    test.crt
+
+${openssl} smime \
+    -encrypt \
+    -nodetach \
+    -binary \
+    -in static-file \
+    -outform DER \
+    -out test-enveloped-des \
+    -des \
+    test.crt
+
+${openssl} smime \
+    -encrypt \
+    -nodetach \
+    -binary \
+    -in static-file \
+    -outform DER \
+    -out test-enveloped-des-ede3 \
+    -des3 \
+    test.crt
+
+${openssl} smime \
+    -encrypt \
+    -nodetach \
+    -binary \
+    -in static-file \
+    -outform DER \
+    -out test-enveloped-aes-128 \
+    -aes128 \
+    test.crt
+
+${openssl} smime \
+    -encrypt \
+    -nodetach \
+    -binary \
+    -in static-file \
+    -outform DER \
+    -out test-enveloped-aes-256 \
+    -aes256 \
+    test.crt
+
+echo ocsp requests
+
+${openssl} ocsp \
+    -issuer ca.crt \
+    -cert test.crt \
+    -reqout ocsp-req1.der
+
+${openssl} ocsp \
+    -index index.txt \
+    -rsigner ocsp-responder.crt \
+    -rkey ocsp-responder.key \
+    -CA ca.crt \
+    -reqin ocsp-req1.der \
+    -noverify \
+    -respout ocsp-resp1-ocsp.der
+
+${openssl} ocsp \
+    -index index.txt \
+    -rsigner ca.crt \
+    -rkey ca.key \
+    -CA ca.crt \
+    -reqin ocsp-req1.der \
+    -noverify \
+    -respout ocsp-resp1-ca.der
+
+${openssl} ocsp \
+    -index index.txt \
+    -rsigner ocsp-responder.crt \
+    -rkey ocsp-responder.key \
+    -CA ca.crt \
+    -resp_no_certs \
+    -reqin ocsp-req1.der \
+    -noverify \
+    -respout ocsp-resp1-ocsp-no-cert.der
+
+${openssl} ocsp \
+    -index index.txt \
+    -rsigner ocsp-responder.crt \
+    -rkey ocsp-responder.key \
+    -CA ca.crt \
+    -reqin ocsp-req1.der \
+    -resp_key_id \
+    -noverify \
+    -respout ocsp-resp1-keyhash.der
+
+${openssl} ocsp \
+    -issuer ca.crt \
+    -cert revoke.crt \
+    -reqout ocsp-req2.der
+
+${openssl} ocsp \
+    -index index.txt \
+    -rsigner ocsp-responder.crt \
+    -rkey ocsp-responder.key \
+    -CA ca.crt \
+    -reqin ocsp-req2.der \
+    -noverify \
+    -respout ocsp-resp2.der
+
+${openssl} ca \
+    -gencrl \
+    -name usr \
+    -crldays 3600 \
+    -keyfile ca.key \
+    -cert ca.crt \
+    -crl_reason superseded \
+    -out crl1.crl \
+    -config openssl.cnf 
+
+${openssl} crl -in crl1.crl -outform der -out crl1.der
diff --git a/crypto/heimdal/lib/hx509/data/j.pem b/crypto/heimdal/lib/hx509/data/j.pem
new file mode 100644
index 0000000..45ae8e8
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/j.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEajCCA1KgAwIBAgIBATANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJKUDEN
+MAsGA1UECgwESlBLSTEpMCcGA1UECwwgUHJlZmVjdHVyYWwgQXNzb2NpYXRpb24g
+Rm9yIEpQS0kxETAPBgNVBAsMCEJyaWRnZUNBMB4XDTAzMTIyNzA1MDgxNVoXDTEz
+MTIyNjE0NTk1OVowWjELMAkGA1UEBhMCSlAxDTALBgNVBAoMBEpQS0kxKTAnBgNV
+BAsMIFByZWZlY3R1cmFsIEFzc29jaWF0aW9uIEZvciBKUEtJMREwDwYDVQQLDAhC
+cmlkZ2VDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANTnUmg7K3m8
+52vd77kwkq156euwoWm5no8E8kmaTSc7x2RABPpqNTlMKdZ6ttsyYrqREeDkcvPL
+yF7yf/I8+innasNtsytcTAy8xY8Avsbd4JkCGW9dyPjk9pzzc3yLQ64Rx2fujRn2
+agcEVdPCr/XpJygX8FD5bbhkZ0CVoiASBmlHOcC3YpFlfbT1QcpOSOb7o+VdKVEi
+MMfbBuU2IlYIaSr/R1nO7RPNtkqkFWJ1/nKjKHyzZje7j70qSxb+BTGcNgTHa1YA
+UrogKB+UpBftmb4ds+XlkEJ1dvwokiSbCDaWFKD+YD4B2s0bvjCbw8xuZFYGhNyR
+/2D5XfN1s2MCAwEAAaOCATkwggE1MA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
+BTADAQH/MG0GA1UdHwRmMGQwYqBgoF6kXDBaMQswCQYDVQQGEwJKUDENMAsGA1UE
+CgwESlBLSTEpMCcGA1UECwwgUHJlZmVjdHVyYWwgQXNzb2NpYXRpb24gRm9yIEpQ
+S0kxETAPBgNVBAsMCEJyaWRnZUNBMIGDBgNVHREEfDB6pHgwdjELMAkGA1UEBhMC
+SlAxJzAlBgNVBAoMHuWFrOeahOWAi+S6uuiqjeiovOOCteODvOODk+OCuTEeMBwG
+A1UECwwV6YO96YGT5bqc55yM5Y2U6K2w5LyaMR4wHAYDVQQLDBXjg5bjg6rjg4Pj
+grjoqo3oqLzlsYAwHQYDVR0OBBYEFNQXMiCqQNkR2OaZmQgLtf8mR8p8MA0GCSqG
+SIb3DQEBBQUAA4IBAQATjJo4reTNPC5CsvAKu1RYT8PyXFVYHbKsEpGt4GR8pDCg
+HEGAiAhHSNrGh9CagZMXADvlG0gmMOnXowriQQixrtpkmx0TB8tNAlZptZWkZC+R
+8TnjOkHrk2nFAEC3ezbdK0R7MR4tJLDQCnhEWbg50rf0wZ/aF8uAaVeEtHXa6W0M
+Xq3dSe0XAcrLbX4zZHQTaWvdpLAIjl6DZ3SCieRMyoWUL+LXaLFdTP5WBCd+No58
+IounD9X4xxze2aeRVaiV/WnQ0OSPNS7n7YXy6xQdnaOU4KRW/Lne1EDf5IfWC/ih
+bVAmhZMbcrkWWcsR6aCPG+2mV3zTD6AUzuKPal8Y
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/kdc.crt b/crypto/heimdal/lib/hx509/data/kdc.crt
new file mode 100644
index 0000000..7dc3835
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/kdc.crt
@@ -0,0 +1,59 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 7 (0x7)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: CN=hx509 Test Root CA, C=SE
+        Validity
+            Not Before: Nov 15 06:58:58 2007 GMT
+            Not After : Nov 12 06:58:58 2017 GMT
+        Subject: C=SE, CN=kdc
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:bb:fa:14:24:35:9f:cb:82:91:20:b9:44:ec:4d:
+                    f8:e4:1b:68:3f:6a:4d:d1:56:3e:28:25:6e:ab:aa:
+                    8b:6b:9c:59:ce:67:cc:27:61:4f:ff:18:a5:56:81:
+                    a1:94:c4:33:f9:20:54:e5:1f:5a:47:43:ee:8f:52:
+                    8a:9f:97:6b:73:92:a3:e1:fd:9e:0b:04:36:2b:b2:
+                    72:bd:80:ff:ae:5a:e1:9b:bb:d8:77:c8:fe:f8:3b:
+                    3f:b9:51:56:6e:97:c2:2a:76:ea:56:d8:46:67:45:
+                    33:6f:b1:74:cf:2b:dd:11:32:1f:d7:a9:e9:2a:e2:
+                    0f:a8:dd:b1:94:85:87:dd:b5
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                pkkdcekuoid
+            X509v3 Subject Key Identifier: 
+                51:75:26:1A:E0:16:0F:69:A8:B4:98:80:EB:C8:49:A6:D0:C6:24:C1
+            X509v3 Subject Alternative Name: 
+                othername:<unsupported>
+    Signature Algorithm: sha1WithRSAEncryption
+        7a:f7:7c:cf:2d:87:aa:93:49:b1:05:2a:ea:ee:75:97:22:02:
+        5a:a1:2c:e3:e1:9d:be:48:0c:75:26:e0:84:f0:2a:90:5a:15:
+        dd:7c:58:65:ab:79:05:85:40:54:35:e1:57:58:96:aa:32:68:
+        f2:bd:cc:b5:9a:1c:f5:d7:49:01:44:ce:fc:22:55:3c:86:d6:
+        c2:ed:46:e6:dc:a7:c5:48:3f:ac:0c:10:ba:b9:e2:e8:78:37:
+        79:f7:d5:da:c0:8e:74:09:64:ff:bb:36:24:d4:c7:4d:c3:93:
+        c2:d7:3a:32:97:b9:e1:79:ea:82:3a:42:69:ec:e4:ec:48:d5:
+        3f:90
+-----BEGIN CERTIFICATE-----
+MIICVDCCAb2gAwIBAgIBBzANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
+OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTA3MTExNTA2NTg1OFoXDTE3
+MTExMjA2NTg1OFowGzELMAkGA1UEBhMCU0UxDDAKBgNVBAMMA2tkYzCBnzANBgkq
+hkiG9w0BAQEFAAOBjQAwgYkCgYEAu/oUJDWfy4KRILlE7E345BtoP2pN0VY+KCVu
+q6qLa5xZzmfMJ2FP/xilVoGhlMQz+SBU5R9aR0Puj1KKn5drc5Kj4f2eCwQ2K7Jy
+vYD/rlrhm7vYd8j++Ds/uVFWbpfCKnbqVthGZ0Uzb7F0zyvdETIf16npKuIPqN2x
+lIWH3bUCAwEAAaOBmDCBlTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DASBgNVHSUE
+CzAJBgcrBgEFAgMFMB0GA1UdDgQWBBRRdSYa4BYPaai0mIDryEmm0MYkwTBIBgNV
+HREEQTA/oD0GBisGAQUCAqAzMDGgDRsLVEVTVC5INUwuU0WhIDAeoAMCAQGhFzAV
+GwZrcmJ0Z3QbC1RFU1QuSDVMLlNFMA0GCSqGSIb3DQEBBQUAA4GBAHr3fM8th6qT
+SbEFKurudZciAlqhLOPhnb5IDHUm4ITwKpBaFd18WGWreQWFQFQ14VdYlqoyaPK9
+zLWaHPXXSQFEzvwiVTyG1sLtRubcp8VIP6wMELq54uh4N3n31drAjnQJZP+7NiTU
+x03Dk8LXOjKXueF56oI6Qmns5OxI1T+Q
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/kdc.key b/crypto/heimdal/lib/hx509/data/kdc.key
new file mode 100644
index 0000000..01fca65
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/kdc.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQC7+hQkNZ/LgpEguUTsTfjkG2g/ak3RVj4oJW6rqotrnFnOZ8wn
+YU//GKVWgaGUxDP5IFTlH1pHQ+6PUoqfl2tzkqPh/Z4LBDYrsnK9gP+uWuGbu9h3
+yP74Oz+5UVZul8IqdupW2EZnRTNvsXTPK90RMh/Xqekq4g+o3bGUhYfdtQIDAQAB
+AoGBAJXwJO65A0v+SqqyfSKME1JH9kBXF9k5lHzLVtqBP5JHdW7pZnOm8HtG+mLl
+JbCXS+mUe4MDHiyoJ/qUWVRxIFgBBEQpaYxdyW8d+SpCnR53hBa3t0yxr3yZ0XCc
+u4lkKaCCQM5aPZqlbEkyR0Hm+lXPKbW+Sgm18fm2zPJ/2EXhAkEA8RO+dydMR7LV
+8PdOvMkENwwnkUQTI3YjoRy0yV9UV+x3JDdBufOOjObrXIg/jDkg3PyOE5JBo/EZ
+u1OyFFbyPQJBAMec4B3+ZyOPeH1OodSWfL/0AFCSZyOs1UgEC7vorMJ8i0eHDIsT
+Uie1xNlrfrjnXTvMG7woFZOvNXBJkxCXKNkCQQCyMX/lnxyZGq1csdB3ZrZA4jEV
+BRaIbbikTA2tk1NKsjTWhimFA2xo5f8upF8kjM2nyt5RxRfT0FDO0Gye8C2ZAkBq
+CJYwuJwXErZBcgya/dmEqduk8TAijkO5fpSxG7bxlPDzbPSnx/qjJ3ZKvERTemtX
+QWQWPgDAM5kibaLWdEV5AkAJn7iP495Cbac0y3zihgK/M70M9y1WB0TbumpTVpg2
+taw3NwTjQlGnFj64dJIj+hgCOGYJ7H1Gt7JOi10NRtbd
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/heimdal/lib/hx509/data/key.der b/crypto/heimdal/lib/hx509/data/key.der
new file mode 100644
index 0000000..e7c665e
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/key.der
diff --git a/crypto/heimdal/lib/hx509/data/key2.der b/crypto/heimdal/lib/hx509/data/key2.der
new file mode 100644
index 0000000..fe3f413
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/key2.der
diff --git a/crypto/heimdal/lib/hx509/data/nist-data b/crypto/heimdal/lib/hx509/data/nist-data
new file mode 100644
index 0000000..80333bb
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/nist-data
@@ -0,0 +1,91 @@
+# $Id: nist-data 21917 2007-08-16 13:54:25Z lha $
+# id verify cert hxtool-verify-arguments...
+# p(ass) f(ail)
+# Those id's that end with i are invariants of the orignal test
+#
+# 4.1 Signature Verification
+#
+4.1.1   p ValidCertificatePathTest1EE.crt GoodCACert.crt GoodCACRL.crl
+4.1.2   f InvalidCASignatureTest2EE.crt BadSignedCACert.crt BadSignedCACRL.crl
+4.1.3   f InvalidEESignatureTest3EE.crt GoodCACert.crt GoodCACRL.crl
+#4.1.4	p ValidDSASignaturesTest4EE.crt DSACACert.crt DSACACRL.crl
+#4.1.5	p ValidDSAParameterInheritanceTest5EE.crl DSAParametersInheritedCACert.crt DSAParametersInheritedCACRL.crl DSACACert.crt DSACACRL.crl
+#4.1.6	f InvalidDSASignaturesTest6EE.crt DSACACert.crt DSACACRL.crl
+#
+# 4.2 Validity Periods
+#
+4.2.1   f InvalidCAnotBeforeDateTest1EE.crt BadnotBeforeDateCACert.crt BadnotBeforeDateCACRL.crl
+4.2.2   f InvalidEEnotBeforeDateTest2EE.crt GoodCACert.crt GoodCACRL.crl
+4.2.3   p Validpre2000UTCnotBeforeDateTest3EE.crt GoodCACert.crt GoodCACRL.crl
+4.2.4   p ValidGeneralizedTimenotBeforeDateTest4EE.crt GoodCACert.crt GoodCACRL.crl
+4.2.5   f InvalidCAnotAfterDateTest5EE.crt BadnotAfterDateCACert.crt BadnotAfterDateCACRL.crl
+4.2.6   f InvalidEEnotAfterDateTest6EE.crt GoodCACert.crt GoodCACRL.crl
+4.2.7   f Invalidpre2000UTCEEnotAfterDateTest7EE.crt GoodCACert.crt GoodCACRL.crl
+#4.2.8   p ValidGeneralizedTimenotAfterDateTest8EE.crt GoodCACert.crt GoodCACRL.crl
+#
+# 4.4 CRtests
+#
+4.4.1   f InvalidMissingCRLTest1EE.crt NoCRLCACert.crt
+4.4.1i  p InvalidMissingCRLTest1EE.crt --missing-revoke NoCRLCACert.crt
+4.4.2   f InvalidRevokedEETest3EE.crt GoodCACert.crt InvalidRevokedCATest2EE.crt GoodCACRL.crl RevokedsubCACRL.crl
+4.4.2i  p InvalidRevokedEETest3EE.crt --missing-revoke GoodCACert.crt InvalidRevokedCATest2EE.crt
+4.4.3   f InvalidRevokedEETest3EE.crt GoodCACert.crt GoodCACRL.crl
+4.4.3i  p InvalidRevokedEETest3EE.crt --missing-revoke GoodCACert.crt
+4.4.4   f InvalidBadCRLSignatureTest4EE.crt BadCRLSignatureCACert.crt BadCRLSignatureCACRL.crl
+4.4.4i  p InvalidBadCRLSignatureTest4EE.crt --missing-revoke BadCRLSignatureCACert.crt
+4.4.5   f InvalidBadCRLIssuerNameTest5EE.crt BadCRLIssuerNameCACert.crt BadCRLIssuerNameCACRL.crl
+4.4.5i  p InvalidBadCRLIssuerNameTest5EE.crt --missing-revoke BadCRLIssuerNameCACert.crt
+4.4.6   f InvalidWrongCRLTest6EE.crt WrongCRLCACert.crt WrongCRLCACRL.crl
+4.4.7   p ValidTwoCRLsTest7EE.crt TwoCRLsCACert.crt TwoCRLsCAGoodCRL.crl TwoCRLsCABadCRL.crl
+4.4.8   f InvalidUnknownCRLEntryExtensionTest8EE.crt UnknownCRLEntryExtensionCACert.crt UnknownCRLEntryExtensionCACRL.crl
+4.4.9   f InvalidUnknownCRLExtensionTest9EE.crt UnknownCRLExtensionCACert.crt UnknownCRLExtensionCACRL.crl
+4.4.10  f InvalidUnknownCRLExtensionTest10EE.crt UnknownCRLExtensionCACert.crt UnknownCRLExtensionCACRL.crl
+4.4.11  f InvalidOldCRLnextUpdateTest11EE.crt OldCRLnextUpdateCACert.crt OldCRLnextUpdateCACRL.crl 
+4.4.12  f Invalidpre2000CRLnextUpdateTest12EE.crt pre2000CRLnextUpdateCACert.crt pre2000CRLnextUpdateCACRL.crl
+#4.4.13-xxx s ValidGeneralizedTimeCRLnextUpdateTest13EE.crt GeneralizedTimeCRLnextUpdateCACert.crt GeneralizedTimeCRLnextUpdateCACRL.crl
+4.4.14  p ValidNegativeSerialNumberTest14EE.crt NegativeSerialNumberCACert.crt NegativeSerialNumberCACRL.crl
+4.4.15  f InvalidNegativeSerialNumberTest15EE.crt NegativeSerialNumberCACert.crt NegativeSerialNumberCACRL.crl
+4.4.16  p ValidLongSerialNumberTest16EE.crt LongSerialNumberCACert.crt LongSerialNumberCACRL.crl
+4.4.17  p ValidLongSerialNumberTest17EE.crt LongSerialNumberCACert.crt LongSerialNumberCACRL.crl
+4.4.18  f InvalidLongSerialNumberTest18EE.crt LongSerialNumberCACert.crt LongSerialNumberCACRL.crl
+#
+#
+# 4.8 Ceificate Policies
+incomplete4.8.2 p AllCertificatesNoPoliciesTest2EE.crt NoPoliciesCACert.crt NoPoliciesCACRL.crl
+incomplete4.8.10 p AllCertificatesSamePoliciesTest10EE.crt PoliciesP12CACert.crt PoliciesP12CACRL.crl
+incomplete4.8.13 p AllCertificatesSamePoliciesTest13EE.crt PoliciesP123CACert.crt PoliciesP123CACRL.crl
+incomplete4.8.11 p AllCertificatesanyPolicyTest11EE.crt anyPolicyCACert.crt anyPolicyCACRL.crl
+unknown p AnyPolicyTest14EE.crt anyPolicyCACert.crt anyPolicyCACRL.crl
+unknown f BadSignedCACert.crt
+unknown f BadnotAfterDateCACert.crt
+unknown f BadnotBeforeDateCACert.crt
+#
+# 4.13 Name Constraints
+#
+4.13.1   p ValidDNnameConstraintsTest1EE.crt nameConstraintsDN1CACert.crt nameConstraintsDN1CACRL.crl
+4.13.2   f InvalidDNnameConstraintsTest2EE.crt nameConstraintsDN1CACert.crt nameConstraintsDN1CACRL.crl
+4.13.3   f InvalidDNnameConstraintsTest3EE.crt nameConstraintsDN1CACert.crt nameConstraintsDN1CACRL.crl
+4.13.4   p ValidDNnameConstraintsTest4EE.crt nameConstraintsDN1CACert.crt nameConstraintsDN1CACRL.crl
+4.13.5   p ValidDNnameConstraintsTest5EE.crt nameConstraintsDN2CACert.crt nameConstraintsDN2CACRL.crl
+4.13.6   p ValidDNnameConstraintsTest6EE.crt nameConstraintsDN3CACert.crt nameConstraintsDN3CACRL.crl
+4.13.7   f InvalidDNnameConstraintsTest7EE.crt nameConstraintsDN3CACert.crt nameConstraintsDN3CACRL.crl
+4.13.8   f InvalidDNnameConstraintsTest8EE.crt nameConstraintsDN4CACert.crt nameConstraintsDN4CACRL.crl
+4.13.9   f InvalidDNnameConstraintsTest9EE.crt nameConstraintsDN4CACert.crt nameConstraintsDN4CACRL.crl
+4.13.10   f InvalidDNnameConstraintsTest10EE.crt nameConstraintsDN5CACert.crt nameConstraintsDN5CACRL.crl
+4.13.11   p ValidDNnameConstraintsTest11EE.crt nameConstraintsDN5CACert.crt nameConstraintsDN5CACRL.crl
+4.13.12   f InvalidDNnameConstraintsTest12EE.crt nameConstraintsDN1subCA1Cert.crt nameConstraintsDN1subCA1CRL.crl nameConstraintsDN1CACert.crt nameConstraintsDN1CACRL.crl
+4.13.13   f InvalidDNnameConstraintsTest13EE.crt nameConstraintsDN1subCA1Cert.crt nameConstraintsDN1subCA1CRL.crl nameConstraintsDN1CACert.crt nameConstraintsDN1CACRL.crl
+4.13.14   p ValidDNnameConstraintsTest14EE.crt nameConstraintsDN1subCA2Cert.crt nameConstraintsDN1subCA2CRL.crl nameConstraintsDN1CACert.crt nameConstraintsDN1CACRL.crl
+4.13.15   f InvalidDNnameConstraintsTest15EE.crt nameConstraintsDN3subCA1Cert.crt nameConstraintsDN3subCA1CRL.crl nameConstraintsDN3CACert.crt nameConstraintsDN3CACRL.crl
+4.13.16   f InvalidDNnameConstraintsTest16EE.crt nameConstraintsDN3subCA1Cert.crt nameConstraintsDN3subCA1CRL.crl nameConstraintsDN3CACert.crt nameConstraintsDN3CACRL.crl
+4.13.17   f InvalidDNnameConstraintsTest17EE.crt nameConstraintsDN3subCA2Cert.crt nameConstraintsDN3subCA2CRL.crl nameConstraintsDN3CACert.crt nameConstraintsDN3CACRL.crl
+4.13.18   p ValidDNnameConstraintsTest18EE.crt nameConstraintsDN3subCA2Cert.crt nameConstraintsDN3subCA2CRL.crl nameConstraintsDN3CACert.crt nameConstraintsDN3CACRL.crl
+#
+# no crl for self issued cert
+#
+#4.13.19   p ValidDNnameConstraintsTest19EE.crt nameConstraintsDN1SelfIssuedCACert.crt nameConstraintsDN1CACert.crt nameConstraintsDN1CACRL.crl
+# ??
+4.13.20   f InvalidDNnameConstraintsTest20EE.crt nameConstraintsDN1CACert.crt nameConstraintsDN1CACRL.crl
+#4.13.21   p ValidRFC822nameConstraintsTest21EE.crt nameConstraintsRFC822CA1Cert.crt nameConstraintsRFC822CA1CRL.crl
+#page 74
+end
diff --git a/crypto/heimdal/lib/hx509/data/nist-data2 b/crypto/heimdal/lib/hx509/data/nist-data2
new file mode 100644
index 0000000..491beac
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/nist-data2
@@ -0,0 +1,291 @@
+# 4.1.1 Valid Signatures Test1 - Validate Successfully
+0 ValidCertificatePathTest1EE.crt
+# 4.1.2 Invalid CA Signature Test2 - Reject - Invalid signature on intermediate certificate
+1 InvalidCASignatureTest2EE.crt
+# 4.1.3 Invalid EE Signature Test3 - Reject - Invalid signature on end entity certificate
+1 InvalidEESignatureTest3EE.crt
+# 4.1.4 Valid DSA Signatures Test4 - Reject - Application can not process DSA signatures
+1 ValidDSASignaturesTest4EE.crt
+# 4.2.1 Invalid CA notBefore Date Test1 - Reject - notBefore date in intermediate certificate is after the current date
+1 InvalidCAnotBeforeDateTest1EE.crt
+# 4.2.2 Invalid EE notBefore Date Test2 - Reject - notBefore date in end entity certificate is after the current date
+1 InvalidEEnotBeforeDateTest2EE.crt
+# 4.2.3 Valid pre2000 UTC notBefore Date Test3 - Validate Successfully
+0 Validpre2000UTCnotBeforeDateTest3EE.crt
+# 4.2.4 Valid GeneralizedTime notBefore Date Test4 - Validate Successfully
+0 ValidGeneralizedTimenotBeforeDateTest4EE.crt
+# 4.2.5 Invalid CA notAfter Date Test5 - Reject - notAfter date in intermediate certificate is before the current date
+1 InvalidCAnotAfterDateTest5EE.crt
+# 4.2.6 Invalid EE notAfter Date Test6 - Reject - notAfter date in end entity certificate is before the current date
+1 InvalidEEnotAfterDateTest6EE.crt
+# 4.2.7 Invalid pre2000 UTC EE notAfter Date Test7 - Reject - notAfter date in end entity certificate is before the current date
+1 Invalidpre2000UTCEEnotAfterDateTest7EE.crt
+# 4.2.8 Valid GeneralizedTime notAfter Date Test8 - Validate Successfully
+0 ValidGeneralizedTimenotAfterDateTest8EE.crt
+# 4.3.1 Invalid Name Chaining EE Test1 - Reject - names do not chain
+1 InvalidNameChainingTest1EE.crt
+# 4.3.2 Invalid Name Chaining Order Test2 - Reject - names do not chain
+1 InvalidNameChainingOrderTest2EE.crt
+# 4.3.3 Valid Name Chaining Whitespace Test3 - Validate Successfully
+0 ValidNameChainingWhitespaceTest3EE.crt
+# 4.3.4 Valid Name Chaining Whitespace Test4 - Validate Successfully
+0 ValidNameChainingWhitespaceTest4EE.crt
+# 4.3.5 Valid Name Chaining Capitalization Test5 - Validate Successfully
+0 ValidNameChainingCapitalizationTest5EE.crt
+# 4.3.6 Valid Name Chaining UIDs Test6 - Validate Successfully
+0 ValidNameUIDsTest6EE.crt
+# 4.3.9 Valid UTF8String Encoded Names Test9 - Validate Successfully
+0 ValidUTF8StringEncodedNamesTest9EE.crt
+# 4.4.1 Missing CRL Test1 - Reject or Warn - status of end entity certificate can not be determined
+3 InvalidMissingCRLTest1EE.crt
+# 4.4.2 Invalid Revoked CA Test2 - Reject - an intermediate certificate has been revoked.
+2 InvalidRevokedCATest2EE.crt
+# 4.4.3 Invalid Revoked EE Test3 - Reject - the end entity certificate has been revoked
+2 InvalidRevokedEETest3EE.crt
+# 4.4.4. Invalid Bad CRL Signature Test4 - Reject or Warn - status of end entity certificate can not be determined
+3 InvalidBadCRLSignatureTest4EE.crt
+# 4.4.5 Invalid Bad CRL Issuer Name Test5 - Reject or Warn - status of end entity certificate can not be determined
+3 InvalidBadCRLIssuerNameTest5EE.crt
+# 4.4.6 Invalid Wrong CRL Test6 - Reject or Warn - status of end entity certificate can not be determined
+3 InvalidWrongCRLTest6EE.crt
+# 4.4.7 Valid Two CRLs Test7 - Validate Successfully
+0 ValidTwoCRLsTest7EE.crt
+# 4.4.8 Invalid Unknown CRL Entry Extension Test8 - Reject - the end entity certificate has been revoked
+2 InvalidUnknownCRLEntryExtensionTest8EE.crt
+# 4.4.9 Invalid Unknown CRL Extension Test9 - Reject - the end entity certificate has been revoked
+2 InvalidUnknownCRLExtensionTest9EE.crt
+# 4.4.10 Invalid Unknown CRL Extension Test10 - Reject or Warn - status of end entity certificate can not be determined
+3 InvalidUnknownCRLExtensionTest10EE.crt
+# 4.4.11 Invalid Old CRL nextUpdate Test11 - Reject or Warn - status of end entity certificate can not be determined
+3 InvalidOldCRLnextUpdateTest11EE.crt
+# 4.4.12 Invalid pre2000 CRL nextUpdate Tesst12 - Reject or Warn - status of end entity certificate can not be determined
+3 Invalidpre2000CRLnextUpdateTest12EE.crt
+# 4.4.13 Valid GeneralizedTime CRL nextUpdate Test13 - Validate Successfully
+0 ValidGeneralizedTimeCRLnextUpdateTest13EE.crt
+# 4.4.14 Valid Negative Serial Number Test14 - Validate Successfully
+0 ValidNegativeSerialNumberTest14EE.crt
+# 4.4.15 Invalid Negative Serial Number Test15 - Reject - the end entity certificate has been revoked
+2 InvalidNegativeSerialNumberTest15EE.crt
+# 4.4.16 Valid Long Serial Number Test16 - Validate Successfully
+0 ValidLongSerialNumberTest16EE.crt
+# 4.4.17 Valid Long Serial Number Test17 - Validate Successfully
+0 ValidLongSerialNumberTest17EE.crt
+# 4.4.18 Invalid Long Serial Number Test18 - Reject - the end entity certificate has been revoked
+2 InvalidLongSerialNumberTest18EE.crt
+# 4.4.19 Valid Separate Certificate and CRL Keys Test19 - Validate Successfully
+0 ValidSeparateCertificateandCRLKeysTest19EE.crt
+# 4.4.20 Invalid Separate Certificate and CRL Keys Test20 - Reject - the end entity certificate has been revoked
+2 InvalidSeparateCertificateandCRLKeysTest20EE.crt
+# 4.4.21 Invalid Separate Certificate and CRL Keys Test21 - Reject or Warn - status of end entity certificate can not be determined
+3 InvalidSeparateCertificateandCRLKeysTest21EE.crt
+# 4.5.1 Valid Basic Self-Issued Old With New Test1 - Validate Successfully
+0 ValidBasicSelfIssuedOldWithNewTest1EE.crt
+# 4.5.2 Invalid Basic Self-Issued Old With New Test2 - Reject - the end entity certificate has been revoked
+2 InvalidBasicSelfIssuedOldWithNewTest2EE.crt
+# 4.5.3 Valid Basic Self-Issued New With Old Test3 - Validate Successfully
+0 ValidBasicSelfIssuedNewWithOldTest3EE.crt
+# 4.5.4 Valid Basic Self-Issued New With Old Test4 - Validate Successfully
+0 ValidBasicSelfIssuedNewWithOldTest4EE.crt
+# 4.5.5 Invalid Basic Self-Issued New With Old Test5 - Reject - the end entity certificate has been revoked
+2 InvalidBasicSelfIssuedNewWithOldTest5EE.crt
+# 4.5.6 Valid Basic Self-Issued CRL Signing Key Test6 - Validate Successfully
+0 ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt
+# 4.5.7 Invalid Basic Self-Issued CRL Signing Key Test7 - Reject - the end entity certificate has been revoked
+2 InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt
+# 4.5.8 Invalid Basic Self-Issued CRL Signing Key Test8 - Reject - invalid certification path
+1 InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt
+# 4.6.1 Invalid Missing basicConstraints Test1 - Reject - invalid certification path
+1 InvalidMissingbasicConstraintsTest1EE.crt
+# 4.6.2 Invalid cA False Test2 - Reject - invalid certification path
+1 InvalidcAFalseTest2EE.crt
+# 4.6.3 Invalid cA False Test3 - Reject - invalid certification path
+1 InvalidcAFalseTest3EE.crt
+# 4.6.4 Valid basicConstraints Not Critical Test4 - Validate Successfully
+0 ValidbasicConstraintsNotCriticalTest4EE.crt
+# 4.6.5 Invalid pathLenConstraint Test5 - Reject - invalid certification path
+1 InvalidpathLenConstraintTest5EE.crt
+# 4.6.6 Invalid pathLenConstraint Test6 - Reject - invalid certification path
+1 InvalidpathLenConstraintTest6EE.crt
+# 4.6.7 Valid pathLenConstraint Test7 - Validate Successfully
+0 ValidpathLenConstraintTest7EE.crt
+# 4.6.8 Valid pathLenConstraint Test8 - Validate Successfully
+0 ValidpathLenConstraintTest8EE.crt
+# 4.6.9 Invalid pathLenConstraint Test9 - Reject - invalid certification path
+1 InvalidpathLenConstraintTest9EE.crt
+# 4.6.10 Invalid pathLenConstraint Test10 - Reject - invalid certification path
+1 InvalidpathLenConstraintTest10EE.crt
+# 4.6.11 Invalid pathLenConstraint Test11 - Reject - invalid certification path
+1 InvalidpathLenConstraintTest11EE.crt
+# 4.6.12 Invalid pathLenConstraint Test12 - Reject - invalid certification path
+1 InvalidpathLenConstraintTest12EE.crt
+# 4.6.13 Valid pathLenConstraint Test13 - Validate Successfully
+0 ValidpathLenConstraintTest13EE.crt
+# 4.6.14 Valid pathLenConstraint Test14 - Validate Successfully
+0 ValidpathLenConstraintTest14EE.crt
+# 4.6.15 Valid Self-Issued pathLenConstraint Test15 - Validate Successfully
+0 ValidSelfIssuedpathLenConstraintTest15EE.crt
+# 4.6.16 Invalid Self-Issued pathLenConstraint Test16 - Reject - invalid certification path
+1 InvalidSelfIssuedpathLenConstraintTest16EE.crt
+# 4.6.17 Valid Self-Issued pathLenConstraint Test17 - Validate Successfully
+0 ValidSelfIssuedpathLenConstraintTest17EE.crt
+# 4.7.1 Invalid keyUsage Critical keyCertSign False Test1 - Reject - invalid certification path
+1 InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt
+# 4.7.2 Invalid keyUsage Not Critical keyCertSign False Test2 - Reject - invalid certification path
+1 InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt
+# 4.7.3 Valid keyUsage Not Critical Test3 - Validate Successfully
+0 ValidkeyUsageNotCriticalTest3EE.crt
+# 4.7.4 Invalid keyUsage Critical cRLSign False Test4 - Reject - invalid certification path
+1 InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt
+# 4.7.5 Invalid keyUsage Not Critical cRLSign False Test5 - Reject - invalid certification path
+1 InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt
+0 UserNoticeQualifierTest19EE.crt
+# 4.10.1 Valid Policy Mapping Test1, subtest 1 - Reject - unrecognized critical extension [Test using the default settings (i.e., <i>initial-policy-set</i> = <i>any-policy</i>)
+1 InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt
+# 4.11.2 Valid inhibitPolicyMapping Test2 - Reject - unrecognized critical extension
+1 ValidinhibitPolicyMappingTest2EE.crt
+# 4.12.2 Valid inhibitAnyPolicy Test2 - Reject - unrecognized critical extension
+1 ValidinhibitAnyPolicyTest2EE.crt
+# 4.13.1 Valid DN nameConstraints Test1 - Validate Successfully
+0 ValidDNnameConstraintsTest1EE.crt
+# 4.13.2 Invalid DN nameConstraints Test2 - Reject - name constraints violation
+1 InvalidDNnameConstraintsTest2EE.crt
+# 4.13.3 Invalid DN nameConstraints Test3 - Reject - name constraints violation
+1 InvalidDNnameConstraintsTest3EE.crt
+# 4.13.4 Valid DN nameConstraints Test4 - Validate Successfully
+0 ValidDNnameConstraintsTest4EE.crt
+# 4.13.5 Valid DN nameConstraints Test5 - Validate Successfully
+0 ValidDNnameConstraintsTest5EE.crt
+# 4.13.6 Valid DN nameConstraints Test6 - Validate Successfully
+0 ValidDNnameConstraintsTest6EE.crt
+# 4.13.7 Invalid DN nameConstraints Test7 - Reject - name constraints violation
+1 InvalidDNnameConstraintsTest7EE.crt
+# 4.13.8 Invalid DN nameConstraints Test8 - Reject - name constraints violation
+1 InvalidDNnameConstraintsTest8EE.crt
+# 4.13.9 Invalid DN nameConstraints Test9 - Reject - name constraints violation
+1 InvalidDNnameConstraintsTest9EE.crt
+# 4.13.10 Invalid DN nameConstraints Test10 - Reject - name constraints violation
+1 InvalidDNnameConstraintsTest10EE.crt
+# 4.13.11 Valid DN nameConstraints Test11 - Validate Successfully
+0 ValidDNnameConstraintsTest11EE.crt
+# 4.13.12 Invalid DN nameConstraints Test12 - Reject - name constraints violation
+1 InvalidDNnameConstraintsTest12EE.crt
+# 4.13.13 Invalid DN nameConstraints Test13 - Reject - name constraints violation
+1 InvalidDNnameConstraintsTest13EE.crt
+# 4.13.14 Valid DN nameConstraints Test14 - Validate Successfully
+0 ValidDNnameConstraintsTest14EE.crt
+# 4.13.15 Invalid DN nameConstraints Test15 - Reject - name constraints violation
+1 InvalidDNnameConstraintsTest15EE.crt
+# 4.13.16 Invalid DN nameConstraints Test16 - Reject - name constraints violation
+1 InvalidDNnameConstraintsTest16EE.crt
+# 4.13.17 Invalid DN nameConstraints Test17 - Reject - name constraints violation
+1 InvalidDNnameConstraintsTest17EE.crt
+# 4.13.18 Valid DN nameConstraints Test18 - Validate Successfully
+0 ValidDNnameConstraintsTest18EE.crt
+# 4.13.19 Valid Self-Issued DN nameConstraints Test19 - Validate Successfully
+0 ValidDNnameConstraintsTest19EE.crt
+# 4.13.20 Invalid Self-Issued DN nameConstraints Test20 - Reject - name constraints violation
+1 InvalidDNnameConstraintsTest20EE.crt
+# 4.13.21 Valid RFC822 nameConstraints Test21 - Validate Successfully
+0 ValidRFC822nameConstraintsTest21EE.crt
+# 4.13.22 Invalid RFC822 nameConstraints Test22 - Reject - name constraints violation
+1 InvalidRFC822nameConstraintsTest22EE.crt
+# 4.13.23 Valid RFC822 nameConstraints Test23 - Validate Successfully
+0 ValidRFC822nameConstraintsTest23EE.crt
+# 4.13.24 Invalid RFC822 nameConstraints Test24 - Reject - name constraints violation
+1 InvalidRFC822nameConstraintsTest24EE.crt
+# 4.13.25 Valid RFC822 nameConstraints Test25 - Validate Successfully
+0 ValidRFC822nameConstraintsTest25EE.crt
+# 4.13.26 Invalid RFC822 nameConstraints Test26 - Reject - name constraints violation
+1 InvalidRFC822nameConstraintsTest26EE.crt
+# 4.13.27 Valid DN and  RFC822 nameConstraints Test27 - Validate Successfully
+0 ValidDNandRFC822nameConstraintsTest27EE.crt
+# 4.13.28 Invalid DN and  RFC822 nameConstraints Test28 - Reject - name constraints violation
+1 InvalidDNandRFC822nameConstraintsTest28EE.crt
+# 4.13.29 Invalid DN and  RFC822 nameConstraints Test29 - Reject - name constraints violation
+1 InvalidDNandRFC822nameConstraintsTest29EE.crt
+# 4.13.30 Valid DNS nameConstraints Test30 - Validate Successfully
+0 ValidDNSnameConstraintsTest30EE.crt
+# 4.13.31 Invalid DNS nameConstraints Test31 - Reject - name constraints violation
+1 InvalidDNSnameConstraintsTest31EE.crt
+# 4.13.32 Valid DNS nameConstraints Test32 - Validate Successfully
+0 ValidDNSnameConstraintsTest32EE.crt
+# 4.13.33 Invalid DNS nameConstraints Test33 - Reject - name constraints violation
+1 InvalidDNSnameConstraintsTest33EE.crt
+# 4.13.34 Valid URI nameConstraints Test34 - Validate Successfully
+0 ValidURInameConstraintsTest34EE.crt
+# 4.13.35 Invalid URI nameConstraints Test35 - Reject - name constraints violation
+1 InvalidURInameConstraintsTest35EE.crt
+# 4.13.36 Valid URI nameConstraints Test36 - Validate Successfully
+0 ValidURInameConstraintsTest36EE.crt
+# 4.13.37 Invalid URI nameConstraints Test37 - Reject - name constraints violation
+1 InvalidURInameConstraintsTest37EE.crt
+# 4.13.38 Invalid DNS nameConstraints Test38 - Reject - name constraints violation
+1 InvalidDNSnameConstraintsTest38EE.crt
+# 4.14.1 Valid distributionPoint Test1 - Validate Successfully
+0 ValiddistributionPointTest1EE.crt
+# 4.14.2 Invalid distributionPoint Test2 - Reject - end entity certificate has been revoked
+2 InvaliddistributionPointTest2EE.crt
+# 4.14.3 Invalid distributionPoint Test3 - Reject or Warn - status of end entity certificate can not be determined
+3 InvaliddistributionPointTest3EE.crt
+# 4.14.4 Valid distributionPoint Test4 - Validate Successfully
+0 ValiddistributionPointTest4EE.crt
+# 4.14.5 Valid distributionPoint Test5 - Validate Successfully
+0 ValiddistributionPointTest5EE.crt
+# 4.14.6 Invalid distributionPoint Test6 - Reject - end entity certificate has been revoked
+2 InvaliddistributionPointTest6EE.crt
+# 4.14.7 Valid distributionPoint Test7 - Validate Successfully
+0 ValiddistributionPointTest7EE.crt
+# 4.14.8 Invalid distributionPoint Test8 - Reject or Warn - status of end entity certificate can not be determined
+3 InvaliddistributionPointTest8EE.crt
+# 4.14.9 Invalid distributionPoint Test9 - Reject or Warn - status of end entity certificate can not be determined
+3 InvaliddistributionPointTest9EE.crt
+# 4.14.10 Valid No issuingDistributionPoint Test10 - Validate Successfully
+0 ValidNoissuingDistributionPointTest10EE.crt
+# 4.14.11 Invalid onlyContainsUserCerts CRL Test11 - Reject or Warn - status of end entity certificate can not be determined
+3 InvalidonlyContainsUserCertsTest11EE.crt
+# 4.14.12 Invalid onlyContainsCACerts CRL Test12 - Reject or Warn - status of end entity certificate can not be determined
+3 InvalidonlyContainsCACertsTest12EE.crt
+# 4.14.13 Valid onlyContainsCACerts CRL Test13 - Validate Successfully
+0 ValidonlyContainsCACertsTest13EE.crt
+# 4.14.14 Invalid onlyContainsAttributeCerts Test14 - Reject or Warn - status of end entity certificate can not be determined
+3 InvalidonlyContainsAttributeCertsTest14EE.crt
+# 4.14.15 Invalid onlySomeReasons Test15 - Reject - end entity certificate has been revoked
+2 InvalidonlySomeReasonsTest15EE.crt
+# 4.14.16 Invalid onlySomeReasons Test16 - Reject - end entity certificate is on hold
+2 InvalidonlySomeReasonsTest16EE.crt
+# 4.14.17 Invalid onlySomeReasons Test17 - Reject or Warn - status of end entity certificate can not be determined
+3 InvalidonlySomeReasonsTest17EE.crt
+# 4.14.18 Valid onlySomeReasons Test18 - Validate Successfully
+0 ValidonlySomeReasonsTest18EE.crt
+# 4.14.19 Valid onlySomeReasons Test19 - Validate Successfully
+0 ValidonlySomeReasonsTest19EE.crt
+# 4.14.20 Invalid onlySomeReasons Test20 - Reject - end entity certificate has been revoked
+2 InvalidonlySomeReasonsTest20EE.crt
+# 4.14.21 Invalid onlySomeReasons Test21 - Reject - end entity certificate has been revoked
+2 InvalidonlySomeReasonsTest21EE.crt
+# 4.14.24 Valid IDP with indirectCRL Test24 - Reject or Warn - status of end entity certificate can not be determined
+3 ValidIDPwithindirectCRLTest24EE.crt
+# 4.15.1 Invalid deltaCRLIndicator No Base Test1 - Reject or Warn - status of end entity certificate can not be determined
+3 InvaliddeltaCRLIndicatorNoBaseTest1EE.crt
+# 4.15.2 Valid delta-CRL Test2 - Validate Successfully
+0 ValiddeltaCRLTest2EE.crt
+# 4.15.3 Invalid delta-CRL Test3 - Reject - end entity certificate has been revoked
+2 InvaliddeltaCRLTest3EE.crt
+# 4.15.4 Invalid delta-CRL Test4 - Reject - end entity certificate has been revoked
+2 InvaliddeltaCRLTest4EE.crt
+# 4.15.5 Valid delta-CRL Test5 - Validate Successfully
+0 ValiddeltaCRLTest5EE.crt
+# 4.15.6 Invalid delta-CRL Test6 - Reject - end entity certificate has been revoked
+2 InvaliddeltaCRLTest6EE.crt
+# 4.15.7 Valid delta-CRL Test7 - Validate Successfully
+0 ValiddeltaCRLTest7EE.crt
+# 4.15.8 Valid delta-CRL Test8 - Validate Successfully
+0 ValiddeltaCRLTest8EE.crt
+# 4.15.9 Invalid delta-CRL Test9 - Reject - end entity certificate has been revoked
+2 InvaliddeltaCRLTest9EE.crt
+# 4.15.10 Invalid delta-CRL Test10 - Reject or Warn - status of end entity certificate can not be determined
+3 InvaliddeltaCRLTest10EE.crt
+# 4.16.1 Valid Unknown Not Critical Certificate Extension Test1 - Validate Successfully
+0 ValidUnknownNotCriticalCertificateExtensionTest1EE.crt
+# 4.16.2 Invalid Unknown Critical Certificate Extension Test2 - Reject - unrecognized critical extension
+1 InvalidUnknownCriticalCertificateExtensionTest2EE.crt
diff --git a/crypto/heimdal/lib/hx509/data/no-proxy-test.crt b/crypto/heimdal/lib/hx509/data/no-proxy-test.crt
new file mode 100644
index 0000000..d57802e
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/no-proxy-test.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIICDDCCAXWgAwIBAgIJAI8UaHGQmUvOMA0GCSqGSIb3DQEBBQUAMCExCzAJBgNV
+BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQwHhcNMDcxMTE1MDY1ODU5WhcNMTcx
+MTEyMDY1ODU5WjA0MQswCQYDVQQGEwJTRTESMBAGA1UEAwwJVGVzdCBjZXJ0MREw
+DwYDVQQDDAhuby1wcm94eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvF58
+Sgq1QTZwsXyFvMTo2Iit/NLZupuIlJgctZJ51EOaFBmTfqt/PgxQKmgqQhgFW+HT
+8WPdvvfUxjwe4BiIORYoCX8pl/wGFCa70zUC7/5IoMmhb9XBrecOxswRNK8EvGhF
+67z2uDUS4LASuy7ng8HSuAM0PCHYnGmqeYrR6jUCAwEAAaM5MDcwCQYDVR0TBAIw
+ADALBgNVHQ8EBAMCBeAwHQYDVR0OBBYEFJ+WD/mqMrbcBts4x0tXv0CflIcZMA0G
+CSqGSIb3DQEBBQUAA4GBAEAODiL2ZL2ZhkklFbHXSg/ZEkUs1Oewpg+bDO6xjute
+hnarKTrWFWiSgQ9yhZMa8klaNCdHjDo0Q5borQeVzp027cemLdnLyxusSuIJRqy+
+mZtNl7533q+oKWydZtvNmXRlGi5HmJV5JAjEXbadqUnlRJ/CdN1WvdwLWfvbW5DL
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/no-proxy-test.key b/crypto/heimdal/lib/hx509/data/no-proxy-test.key
new file mode 100644
index 0000000..1c47937
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/no-proxy-test.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQC8XnxKCrVBNnCxfIW8xOjYiK380tm6m4iUmBy1knnUQ5oUGZN+
+q38+DFAqaCpCGAVb4dPxY92+99TGPB7gGIg5FigJfymX/AYUJrvTNQLv/kigyaFv
+1cGt5w7GzBE0rwS8aEXrvPa4NRLgsBK7LueDwdK4AzQ8Idicaap5itHqNQIDAQAB
+AoGBAJt0CnR8U8tGp0gCMMhxZIvWeGfOhnr3AodG5WJ/SGWBiLWPyeZel7rYJIxq
+vH0hH8MNIoDy3rxMAN+8G+rqs/elE8zeYv8FCP4jahz+HPKeJIjFm1MBOHZQspq7
+Y4OfoBH+EgqJjBRxuBIeCUqVhyluSsYHQFihurp3a76dHvxBAkEA7c4KjJ6mka9C
+9X+Tp2EKW+h8npEEXbLIvHet9p0pzD5PhE2aVvSEAXEqxdbuFAb4LVApUdd4Quec
+PXa0EOF7UQJBAMrIIV317rGPlmEXqt681KkHo30C2e6SpM6by42r+csTs+6KDZdf
+uDWZKb4o9bLTj+A0LC73ySESv4PlGC+8v6UCQEIRnJy091JCfzf12fAG5fni/byQ
+TcY6hcrW9V4vDA3SwgTgCqFeDc7Ywil1LXAi/5CXVOOIGcF818u7zwthmgECQCm+
+Rvgjr05IA6nbCGavsotVMjeCxcAR2fFaKu3wEAzY8npRWvjlUHNgIzKtFd8JJB4A
+P3Qvt+yiAmCxYWg6T60CQHvGW0M/usmQXEGWMx+KCkm71UKcKCxDEKzZ8mI3jQ3H
+b6Whs1NdsQJwIEXHB2Sb2GmTIlFjXczw7fp/ub3Dx84=
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/heimdal/lib/hx509/data/ocsp-req1.der b/crypto/heimdal/lib/hx509/data/ocsp-req1.der
new file mode 100644
index 0000000..869a7dc
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/ocsp-req1.der
diff --git a/crypto/heimdal/lib/hx509/data/ocsp-req2.der b/crypto/heimdal/lib/hx509/data/ocsp-req2.der
new file mode 100644
index 0000000..c1481e1
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/ocsp-req2.der
diff --git a/crypto/heimdal/lib/hx509/data/ocsp-resp1-2.der b/crypto/heimdal/lib/hx509/data/ocsp-resp1-2.der
new file mode 100644
index 0000000..98d88e4
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/ocsp-resp1-2.der
diff --git a/crypto/heimdal/lib/hx509/data/ocsp-resp1-3.der b/crypto/heimdal/lib/hx509/data/ocsp-resp1-3.der
new file mode 100644
index 0000000..4c65016
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/ocsp-resp1-3.der
diff --git a/crypto/heimdal/lib/hx509/data/ocsp-resp1-ca.der b/crypto/heimdal/lib/hx509/data/ocsp-resp1-ca.der
new file mode 100644
index 0000000..2450168
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/ocsp-resp1-ca.der
diff --git a/crypto/heimdal/lib/hx509/data/ocsp-resp1-keyhash.der b/crypto/heimdal/lib/hx509/data/ocsp-resp1-keyhash.der
new file mode 100644
index 0000000..19cf6c8
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/ocsp-resp1-keyhash.der
diff --git a/crypto/heimdal/lib/hx509/data/ocsp-resp1-ocsp-no-cert.der b/crypto/heimdal/lib/hx509/data/ocsp-resp1-ocsp-no-cert.der
new file mode 100644
index 0000000..460b5f7
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/ocsp-resp1-ocsp-no-cert.der
diff --git a/crypto/heimdal/lib/hx509/data/ocsp-resp1-ocsp.der b/crypto/heimdal/lib/hx509/data/ocsp-resp1-ocsp.der
new file mode 100644
index 0000000..87173ff
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/ocsp-resp1-ocsp.der
diff --git a/crypto/heimdal/lib/hx509/data/ocsp-resp1.der b/crypto/heimdal/lib/hx509/data/ocsp-resp1.der
new file mode 100644
index 0000000..8546eba
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/ocsp-resp1.der
diff --git a/crypto/heimdal/lib/hx509/data/ocsp-resp2.der b/crypto/heimdal/lib/hx509/data/ocsp-resp2.der
new file mode 100644
index 0000000..0ba588a
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/ocsp-resp2.der
diff --git a/crypto/heimdal/lib/hx509/data/ocsp-responder.crt b/crypto/heimdal/lib/hx509/data/ocsp-responder.crt
new file mode 100644
index 0000000..fb55a8a
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/ocsp-responder.crt
@@ -0,0 +1,56 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: CN=hx509 Test Root CA, C=SE
+        Validity
+            Not Before: Nov 15 06:58:56 2007 GMT
+            Not After : Nov 12 06:58:56 2017 GMT
+        Subject: C=SE, CN=OCSP responder
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:d9:10:2f:04:de:99:10:61:02:ff:4e:b5:54:6f:
+                    98:80:70:fb:a1:e0:97:ee:a9:0f:74:47:a9:8c:a5:
+                    86:ff:b8:ea:80:d9:ae:45:07:bd:33:93:e2:f4:f1:
+                    dd:dc:86:6e:9a:6c:b7:67:11:50:ad:9c:b0:0f:68:
+                    5d:4d:74:2a:24:4e:5e:c6:c0:9e:6a:a2:ed:80:31:
+                    d9:ac:79:c7:09:07:1f:9c:c3:12:33:88:72:9d:99:
+                    c5:f4:fd:c6:a1:9f:09:04:e0:7d:b0:ed:1f:91:4c:
+                    8e:de:9b:6d:7d:cb:2e:83:32:0e:32:57:f1:16:07:
+                    ed:69:fc:0e:a8:2a:ad:82:9d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                OCSP No Check, OCSP Signing
+            X509v3 Subject Key Identifier: 
+                9C:BE:33:AF:C2:52:C6:F2:46:5F:A8:67:71:02:F1:70:4B:A7:B7:14
+    Signature Algorithm: sha1WithRSAEncryption
+        8b:c5:8e:d6:dc:ba:e3:77:da:66:2b:be:c4:a6:4c:b0:30:6d:
+        fd:26:3d:8d:1d:ad:c5:8c:88:61:86:0a:da:48:e8:39:cf:c5:
+        83:98:e7:f9:ff:92:a7:ba:fe:b4:b4:6c:bb:84:17:fd:e3:71:
+        9e:a7:39:af:d3:08:0b:1f:05:29:cf:ef:e4:3c:82:7e:ee:aa:
+        4a:19:3b:17:e6:e9:2d:b4:f7:4f:e2:f3:6b:04:20:58:42:fa:
+        e2:b6:d4:80:c4:db:22:32:ce:cb:59:23:8b:df:ba:87:bb:bf:
+        4e:ea:b0:1e:7a:73:b4:c9:06:aa:f1:59:cf:d3:28:db:d2:6c:
+        a0:dd
+-----BEGIN CERTIFICATE-----
+MIICHzCCAYigAwIBAgIBATANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
+OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTA3MTExNTA2NTg1NloXDTE3
+MTExMjA2NTg1NlowJjELMAkGA1UEBhMCU0UxFzAVBgNVBAMMDk9DU1AgcmVzcG9u
+ZGVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZEC8E3pkQYQL/TrVUb5iA
+cPuh4JfuqQ90R6mMpYb/uOqA2a5FB70zk+L08d3chm6abLdnEVCtnLAPaF1NdCok
+Tl7GwJ5qou2AMdmseccJBx+cwxIziHKdmcX0/cahnwkE4H2w7R+RTI7em219yy6D
+Mg4yV/EWB+1p/A6oKq2CnQIDAQABo1kwVzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF
+4DAeBgNVHSUEFzAVBgkrBgEFBQcwAQUGCCsGAQUFBwMJMB0GA1UdDgQWBBScvjOv
+wlLG8kZfqGdxAvFwS6e3FDANBgkqhkiG9w0BAQUFAAOBgQCLxY7W3Lrjd9pmK77E
+pkywMG39Jj2NHa3FjIhhhgraSOg5z8WDmOf5/5Knuv60tGy7hBf943Gepzmv0wgL
+HwUpz+/kPIJ+7qpKGTsX5ukttPdP4vNrBCBYQvrittSAxNsiMs7LWSOL37qHu79O
+6rAeenO0yQaq8VnP0yjb0myg3Q==
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/ocsp-responder.key b/crypto/heimdal/lib/hx509/data/ocsp-responder.key
new file mode 100644
index 0000000..24369bc
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/ocsp-responder.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDZEC8E3pkQYQL/TrVUb5iAcPuh4JfuqQ90R6mMpYb/uOqA2a5F
+B70zk+L08d3chm6abLdnEVCtnLAPaF1NdCokTl7GwJ5qou2AMdmseccJBx+cwxIz
+iHKdmcX0/cahnwkE4H2w7R+RTI7em219yy6DMg4yV/EWB+1p/A6oKq2CnQIDAQAB
+AoGBALXDXowmVmgnxFnEMAWvmTVc5unL5437VayaYbkb1ysGTqBtKAg4DdBF81QH
+wS/sBmwbw4x0LGnk/m04iIDWWH4ZTH0HHthLxTiIrGHenS01V4Ucq1EjhYNJW/bk
+8FGf91UDknZrEnvPFQxvdSLHVSB+WHgqkX8WXPc7MwoJ7HblAkEA9pmjB8TXxeky
+B8+0G65u3QDWMzmfw12oHgKHnHxKyL/gamHERNPJ0NsFE4BtsSF1LJQYCw189s8m
+GDpa0uW0iwJBAOFWUiJSYYVTSdcmfjI99XUCo9rXEkaJXY0etjK5q+rK21mrkWNQ
+M7fWVZDbQZfbTP1LiUak+qjz64J9/iOogncCQEXUT6Qdi3RRiodHu5qzFFWkrQMo
+aCMsXDTTRo97arnaC7RUJv3OczGfM5rIHUexT7rl3MEUerRxCDqIG7voq+0CQQDE
+806sgvaLsoVqkFFilnbwg5M1lh96GVv0GTDEWzZg7FcWI/faJuJdPu/gwVKuaNX8
+2cWtQkt32mIw1vCGuCT3AkAfubHAXeiBHHE95jLtQ98s4KzOaZtFnQfn14c8nGS0
+2qUv1RHYZEVHYnsOZs3pLyOdxrZOlOSE6gKHCGVHoUKJ
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/heimdal/lib/hx509/data/openssl.cnf b/crypto/heimdal/lib/hx509/data/openssl.cnf
new file mode 100644
index 0000000..7fe3b64
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/openssl.cnf
@@ -0,0 +1,182 @@
+oid_section             = new_oids
+
+[ new_oids ]
+pkkdcekuoid = 1.3.6.1.5.2.3.5
+
+[ca]
+
+default_ca = user
+
+[usr]
+database	= index.txt
+serial		= serial
+x509_extensions = usr_cert
+default_md=sha1
+policy		= policy_match
+certs		= .
+
+[ocsp]
+database	= index.txt
+serial		= serial
+x509_extensions = ocsp_cert
+default_md=sha1
+policy		= policy_match
+certs		= .
+
+[usr_ke]
+database	= index.txt
+serial		= serial
+x509_extensions = usr_cert_ke
+default_md=sha1
+policy		= policy_match
+certs		= .
+
+[usr_ds]
+database	= index.txt
+serial		= serial
+x509_extensions = usr_cert_ds
+default_md=sha1
+policy		= policy_match
+certs		= .
+
+[pkinit_client]
+database	= index.txt
+serial		= serial
+x509_extensions = pkinit_client_cert
+default_md=sha1
+policy		= policy_match
+certs		= .
+
+[pkinit_kdc]
+database	= index.txt
+serial		= serial
+x509_extensions = pkinit_kdc_cert
+default_md=sha1
+policy		= policy_match
+certs		= .
+
+[https]
+database	= index.txt
+serial		= serial
+x509_extensions = https_cert
+default_md=sha1
+policy		= policy_match
+certs		= .
+
+[subca]
+database	= index.txt
+serial		= serial
+x509_extensions = v3_ca
+default_md=sha1
+policy		= policy_match
+certs		= .
+
+
+[ req ]
+distinguished_name	= req_distinguished_name
+x509_extensions		= v3_ca	# The extentions to add to the self signed cert
+
+string_mask = utf8only
+
+[ v3_ca ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:true
+keyUsage = cRLSign, keyCertSign, keyEncipherment, nonRepudiation, digitalSignature
+
+[ usr_cert ]
+basicConstraints=CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectKeyIdentifier	= hash
+
+[ usr_cert_ke ]
+basicConstraints=CA:FALSE
+keyUsage = nonRepudiation, keyEncipherment
+subjectKeyIdentifier	= hash
+
+[ proxy_cert ]
+basicConstraints=CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectKeyIdentifier	= hash
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:0,policy:text:foo
+
+[pkinitc_princ_name] 
+realm = EXP:0, GeneralString:TEST.H5L.SE
+principal_name = EXP:1, SEQUENCE:pkinitc_principal_seq
+
+[ pkinit_client_cert ]
+basicConstraints=CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectKeyIdentifier	= hash
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitc_princ_name
+
+[pkinitc_principal_seq] 
+name_type = EXP:0, INTEGER:1 
+name_string = EXP:1, SEQUENCE:pkinitc_principals
+
+[pkinitc_principals] 
+princ1 = GeneralString:bar
+
+[ https_cert ]
+basicConstraints=CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+#extendedKeyUsage = https-server XXX
+subjectKeyIdentifier	= hash
+
+[ pkinit_kdc_cert ]
+basicConstraints=CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = pkkdcekuoid
+subjectKeyIdentifier	= hash
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitkdc_princ_name 
+
+[pkinitkdc_princ_name] 
+realm = EXP:0, GeneralString:TEST.H5L.SE
+principal_name = EXP:1, SEQUENCE:pkinitkdc_principal_seq
+
+[pkinitkdc_principal_seq] 
+name_type = EXP:0, INTEGER:1 
+name_string = EXP:1, SEQUENCE:pkinitkdc_principals
+
+[pkinitkdc_principals] 
+princ1 = GeneralString:krbtgt
+princ2 = GeneralString:TEST.H5L.SE
+
+[ proxy10_cert ]
+basicConstraints=CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectKeyIdentifier	= hash
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:10,policy:text:foo
+
+[ usr_cert_ds ]
+basicConstraints=CA:FALSE
+keyUsage = nonRepudiation, digitalSignature
+subjectKeyIdentifier	= hash
+
+[ ocsp_cert ]
+basicConstraints=CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+# ocsp-nocheck and kp-OCSPSigning
+extendedKeyUsage	= 1.3.6.1.5.5.7.48.1.5, 1.3.6.1.5.5.7.3.9
+subjectKeyIdentifier	= hash
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= SE
+countryName_min			= 2
+countryName_max			= 2
+
+organizationalName		= Organizational Unit Name (eg, section)
+
+commonName			= Common Name (eg, YOUR name)
+commonName_max			= 64
+
+#[ req_attributes ]
+#challengePassword              = A challenge password
+#challengePassword_min          = 4
+#challengePassword_max          = 20
+
+[ policy_match ]
+countryName		= match
+commonName		= supplied
diff --git a/crypto/heimdal/lib/hx509/data/pkinit-proxy-chain.crt b/crypto/heimdal/lib/hx509/data/pkinit-proxy-chain.crt
new file mode 100644
index 0000000..7349a62
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/pkinit-proxy-chain.crt
@@ -0,0 +1,70 @@
+-----BEGIN CERTIFICATE-----
+MIICMTCCAZqgAwIBAgIJAJWfAgX+rDGvMA0GCSqGSIb3DQEBBQUAMB4xCzAJBgNV
+BAYTAlNFMQ8wDQYDVQQDDAZwa2luaXQwHhcNMDcxMTE1MDY1ODU3WhcNMTcxMTEy
+MDY1ODU3WjA1MQswCQYDVQQGEwJTRTEPMA0GA1UEAwwGcGtpbml0MRUwEwYDVQQD
+DAxwa2luaXQtcHJveHkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJk+5riF
+ML9djk75CGm9WUN37N+EKXZvLS1/jLsQbxOWPnfZ/bHPpnI2I4EEavSQUgrlbpLf
+5IZsxlAFtokSROpef1MQ3oyJFom8c1Ut37zEJL13m4pjUZjr8Ky+OUsWNVieRIXU
+eHw2+Ny8a5y3XOygCJWDzaCTcm+nvfTmVsr9AgMBAAGjYDBeMAkGA1UdEwQCMAAw
+CwYDVR0PBAQDAgXgMB0GA1UdDgQWBBQRgztmDHmF1DecOPint9iafFNckDAlBggr
+BgEFBQcBDgEB/wQWMBQCAQAwDwYIKwYBBQUHFQAEA2ZvbzANBgkqhkiG9w0BAQUF
+AAOBgQCYm9bHTRfvEpjnKXQz9t8Uh9L+prU2+BMDClnDHsBE/Pb1vH40rOIT2sV8
+KQnjo+TVlvHXDxUy/HMY5O/5umLbzP4xr6mWwP5B2K5y566WHThz2ltcRgcmbRrn
+eOzN87+Gt1XqrTIlFftvxGX9U0PxyxFTASAOiv0hFvZN5GxYzQ==
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 6 (0x6)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: CN=hx509 Test Root CA, C=SE
+        Validity
+            Not Before: Nov 15 06:58:57 2007 GMT
+            Not After : Nov 12 06:58:57 2017 GMT
+        Subject: C=SE, CN=pkinit
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:a3:44:b1:8a:42:9d:d0:3f:30:de:e8:66:42:c1:
+                    f1:c9:98:8f:d2:bd:eb:59:67:3d:5e:0e:35:ca:3b:
+                    b8:91:b0:fc:e5:22:3a:2d:62:81:56:bb:51:77:60:
+                    ac:83:43:75:87:ce:f1:f6:bd:ab:f2:07:c5:8d:d5:
+                    b8:56:9e:8e:45:93:bd:c6:ac:5d:20:3e:cb:14:e8:
+                    10:07:b9:5e:07:ac:56:13:48:1b:84:c7:30:62:f4:
+                    e4:19:67:b5:1b:3a:ac:af:0b:92:e2:00:90:2f:81:
+                    75:b6:63:3f:43:a5:e9:76:ee:33:75:74:b2:76:5d:
+                    a5:76:f2:f9:30:68:ec:e8:47
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Subject Key Identifier: 
+                66:BB:EC:4F:F0:52:7E:D1:F4:F4:F9:CD:E9:B6:C7:C4:FC:2A:2F:4F
+            X509v3 Subject Alternative Name: 
+                othername:<unsupported>
+    Signature Algorithm: sha1WithRSAEncryption
+        1f:bd:87:72:d7:85:93:f9:96:97:6f:25:2f:89:1f:09:64:ff:
+        da:44:92:d0:59:6e:4f:cf:29:d7:5a:78:64:40:1c:3d:a5:80:
+        e9:b9:92:85:44:2e:25:ab:5c:8d:35:4b:5b:47:c6:79:61:cf:
+        b9:75:55:0b:20:6a:ad:ec:f5:0f:47:1e:e7:72:b0:b6:61:0f:
+        d6:84:e3:e4:29:05:4d:d1:7c:7b:a6:7b:6f:b2:af:9a:6b:dd:
+        81:ae:5d:c1:7b:74:11:86:18:2e:38:eb:ed:33:03:f6:05:4b:
+        ec:d7:7d:53:6c:71:01:86:fb:fb:63:dd:5b:cb:10:85:96:f2:
+        43:43
+-----BEGIN CERTIFICATE-----
+MIICMTCCAZqgAwIBAgIBBjANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
+OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTA3MTExNTA2NTg1N1oXDTE3
+MTExMjA2NTg1N1owHjELMAkGA1UEBhMCU0UxDzANBgNVBAMMBnBraW5pdDCBnzAN
+BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo0SxikKd0D8w3uhmQsHxyZiP0r3rWWc9
+Xg41yju4kbD85SI6LWKBVrtRd2Csg0N1h87x9r2r8gfFjdW4Vp6ORZO9xqxdID7L
+FOgQB7leB6xWE0gbhMcwYvTkGWe1GzqsrwuS4gCQL4F1tmM/Q6Xpdu4zdXSydl2l
+dvL5MGjs6EcCAwEAAaNzMHEwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYDVR0O
+BBYEFGa77E/wUn7R9PT5zem2x8T8Ki9PMDgGA1UdEQQxMC+gLQYGKwYBBQICoCMw
+IaANGwtURVNULkg1TC5TRaEQMA6gAwIBAaEHMAUbA2JhcjANBgkqhkiG9w0BAQUF
+AAOBgQAfvYdy14WT+ZaXbyUviR8JZP/aRJLQWW5PzynXWnhkQBw9pYDpuZKFRC4l
+q1yNNUtbR8Z5Yc+5dVULIGqt7PUPRx7ncrC2YQ/WhOPkKQVN0Xx7pntvsq+aa92B
+rl3Be3QRhhguOOvtMwP2BUvs131TbHEBhvv7Y91byxCFlvJDQw==
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/pkinit-proxy.crt b/crypto/heimdal/lib/hx509/data/pkinit-proxy.crt
new file mode 100644
index 0000000..3867a89
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/pkinit-proxy.crt
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICMTCCAZqgAwIBAgIJAJWfAgX+rDGvMA0GCSqGSIb3DQEBBQUAMB4xCzAJBgNV
+BAYTAlNFMQ8wDQYDVQQDDAZwa2luaXQwHhcNMDcxMTE1MDY1ODU3WhcNMTcxMTEy
+MDY1ODU3WjA1MQswCQYDVQQGEwJTRTEPMA0GA1UEAwwGcGtpbml0MRUwEwYDVQQD
+DAxwa2luaXQtcHJveHkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJk+5riF
+ML9djk75CGm9WUN37N+EKXZvLS1/jLsQbxOWPnfZ/bHPpnI2I4EEavSQUgrlbpLf
+5IZsxlAFtokSROpef1MQ3oyJFom8c1Ut37zEJL13m4pjUZjr8Ky+OUsWNVieRIXU
+eHw2+Ny8a5y3XOygCJWDzaCTcm+nvfTmVsr9AgMBAAGjYDBeMAkGA1UdEwQCMAAw
+CwYDVR0PBAQDAgXgMB0GA1UdDgQWBBQRgztmDHmF1DecOPint9iafFNckDAlBggr
+BgEFBQcBDgEB/wQWMBQCAQAwDwYIKwYBBQUHFQAEA2ZvbzANBgkqhkiG9w0BAQUF
+AAOBgQCYm9bHTRfvEpjnKXQz9t8Uh9L+prU2+BMDClnDHsBE/Pb1vH40rOIT2sV8
+KQnjo+TVlvHXDxUy/HMY5O/5umLbzP4xr6mWwP5B2K5y566WHThz2ltcRgcmbRrn
+eOzN87+Gt1XqrTIlFftvxGX9U0PxyxFTASAOiv0hFvZN5GxYzQ==
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/pkinit-proxy.key b/crypto/heimdal/lib/hx509/data/pkinit-proxy.key
new file mode 100644
index 0000000..d04b009
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/pkinit-proxy.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQCZPua4hTC/XY5O+QhpvVlDd+zfhCl2by0tf4y7EG8Tlj532f2x
+z6ZyNiOBBGr0kFIK5W6S3+SGbMZQBbaJEkTqXn9TEN6MiRaJvHNVLd+8xCS9d5uK
+Y1GY6/CsvjlLFjVYnkSF1Hh8NvjcvGuct1zsoAiVg82gk3Jvp7305lbK/QIDAQAB
+AoGAKH4TbuxariYlZT6ud2o9/PLiV0lPv2ivEleiswcrooxPo1GplGNfAszFYuDs
+9gRweUqYhhy9ALwbRqfLzLpUFQUBzQ1cZlO23m48GsCPL4XJxlzE9+w/wLWWaqsK
+syFax5T//iokYVa07AvFZxWpEUixewirJrhNyUafdKk8W8ECQQDKpH/pvljO6e9J
+jC65aTYPzMXAUp54DMWu1+FXUyELxGp+GjAwwhESpSLEaAnZH97H6ZtTiJku3Z0n
+pMsrH7WtAkEAwZi2sV8I/MjFPpti/zf6OHEJo89/SgTYIHmL6pE3tuNWhw/9Dorc
+N45cMGAiGep2HQdfZFGD0OekzLGeGBj0kQJAPFdNi5HVqg945IKsqyNMKNpGDGXN
+sFvFRbIc9L7ZOULMny43KV2wbcfkmW2NeS0HTqoeSXqEerMdB+AHa5jupQJADALP
+gt2kjxpdsm6ti6wLaCkLMhCTkyINzqX72ke8LyqXmbWSO669zuyUJ6QvOXBkd5SX
+hH/SL8nPXau/ZTtXIQJBAICcJBlgxhrUn5C12wwuQw/BZi6qK9KdVcWTapnhE7eQ
+Z6k/Pbi53/aI2g1EXq7G3RrQvAhV43AW5foJWqijDdA=
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/heimdal/lib/hx509/data/pkinit-pw.key b/crypto/heimdal/lib/hx509/data/pkinit-pw.key
new file mode 100644
index 0000000..563ccf1
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/pkinit-pw.key
@@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,1698161265C4033B32CEB819B5D78953
+
+vQnkfeICkS2/gIEv1zrJ+WaUOeRvKfUUFM6uH4/xm5Abp4DqGlkCvwb4u9dZuRUj
+arlvgRc0e0CoBuQ/3gmBDlmQp+4ByiypERku8MAxsUV6LEmv2f1YfhecQSntDoJH
+fNOXna8caCy4W1xhmsYgWYSVS98QkNXdLjBjLJ4/MrwzdR2SMqAzyg6eNwhWAMe1
+aUh/M9JYB04sfRUtqD67oeyBfHVhDd9kByXuRYWyNE0SW5wlmVehhnEb/YHREKHr
+yOa3eRGtA4MHi7NXww4NBzOG10N9Ajq55ouMKnejFroCpevC332ijBzjTI+fo4SX
+hegNDXzAIqRueGZlmBzHjkTzA8tEPM1dsbviJ5BYO3iZgWE8J1rIBx51HOZmlREC
+3EWflJPhd666BnBepODMBXldkmfcfxhZxuoOrrXer+NZCsXE0z0DOLsNARR/7JvW
+Ie81eQijvkur1QJO63SwT0kNm5IMJZr2Ul0QLysvjY2G/nV0bzHb8KsWqNoUPNvJ
+lBUGQ2yvpeVRNR9CMm39U/CcnkLOl+z2oLUC86TdodaY6FEBmIBaakZ1rHkANWK4
+HMcN0FgdGbcRLg5PHji84g4tT+SOZa1hWEC4PC7lmRxAZP+o8Pe0tpiJzIbLPTRb
+3rvnEEG3IawMIGcoUGcgIUPvHH93EMpDrflVYdXmvapzST3U8xBDzpkXZRof7APG
+qAFsEB4psQEDG6KmOJ245aVWN0SBjHTLlIhUTx+m7OYl34MDoyv6Yk12i9PpKQN5
+W++QayfkJzQpV4EsR08UO615+XYCzMhCU3eozH+P39RF58rYnMLv9owjx1wL0z5R
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/heimdal/lib/hx509/data/pkinit.crt b/crypto/heimdal/lib/hx509/data/pkinit.crt
new file mode 100644
index 0000000..e8d485e
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/pkinit.crt
@@ -0,0 +1,56 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 6 (0x6)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: CN=hx509 Test Root CA, C=SE
+        Validity
+            Not Before: Nov 15 06:58:57 2007 GMT
+            Not After : Nov 12 06:58:57 2017 GMT
+        Subject: C=SE, CN=pkinit
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:a3:44:b1:8a:42:9d:d0:3f:30:de:e8:66:42:c1:
+                    f1:c9:98:8f:d2:bd:eb:59:67:3d:5e:0e:35:ca:3b:
+                    b8:91:b0:fc:e5:22:3a:2d:62:81:56:bb:51:77:60:
+                    ac:83:43:75:87:ce:f1:f6:bd:ab:f2:07:c5:8d:d5:
+                    b8:56:9e:8e:45:93:bd:c6:ac:5d:20:3e:cb:14:e8:
+                    10:07:b9:5e:07:ac:56:13:48:1b:84:c7:30:62:f4:
+                    e4:19:67:b5:1b:3a:ac:af:0b:92:e2:00:90:2f:81:
+                    75:b6:63:3f:43:a5:e9:76:ee:33:75:74:b2:76:5d:
+                    a5:76:f2:f9:30:68:ec:e8:47
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Subject Key Identifier: 
+                66:BB:EC:4F:F0:52:7E:D1:F4:F4:F9:CD:E9:B6:C7:C4:FC:2A:2F:4F
+            X509v3 Subject Alternative Name: 
+                othername:<unsupported>
+    Signature Algorithm: sha1WithRSAEncryption
+        1f:bd:87:72:d7:85:93:f9:96:97:6f:25:2f:89:1f:09:64:ff:
+        da:44:92:d0:59:6e:4f:cf:29:d7:5a:78:64:40:1c:3d:a5:80:
+        e9:b9:92:85:44:2e:25:ab:5c:8d:35:4b:5b:47:c6:79:61:cf:
+        b9:75:55:0b:20:6a:ad:ec:f5:0f:47:1e:e7:72:b0:b6:61:0f:
+        d6:84:e3:e4:29:05:4d:d1:7c:7b:a6:7b:6f:b2:af:9a:6b:dd:
+        81:ae:5d:c1:7b:74:11:86:18:2e:38:eb:ed:33:03:f6:05:4b:
+        ec:d7:7d:53:6c:71:01:86:fb:fb:63:dd:5b:cb:10:85:96:f2:
+        43:43
+-----BEGIN CERTIFICATE-----
+MIICMTCCAZqgAwIBAgIBBjANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
+OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTA3MTExNTA2NTg1N1oXDTE3
+MTExMjA2NTg1N1owHjELMAkGA1UEBhMCU0UxDzANBgNVBAMMBnBraW5pdDCBnzAN
+BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo0SxikKd0D8w3uhmQsHxyZiP0r3rWWc9
+Xg41yju4kbD85SI6LWKBVrtRd2Csg0N1h87x9r2r8gfFjdW4Vp6ORZO9xqxdID7L
+FOgQB7leB6xWE0gbhMcwYvTkGWe1GzqsrwuS4gCQL4F1tmM/Q6Xpdu4zdXSydl2l
+dvL5MGjs6EcCAwEAAaNzMHEwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYDVR0O
+BBYEFGa77E/wUn7R9PT5zem2x8T8Ki9PMDgGA1UdEQQxMC+gLQYGKwYBBQICoCMw
+IaANGwtURVNULkg1TC5TRaEQMA6gAwIBAaEHMAUbA2JhcjANBgkqhkiG9w0BAQUF
+AAOBgQAfvYdy14WT+ZaXbyUviR8JZP/aRJLQWW5PzynXWnhkQBw9pYDpuZKFRC4l
+q1yNNUtbR8Z5Yc+5dVULIGqt7PUPRx7ncrC2YQ/WhOPkKQVN0Xx7pntvsq+aa92B
+rl3Be3QRhhguOOvtMwP2BUvs131TbHEBhvv7Y91byxCFlvJDQw==
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/pkinit.key b/crypto/heimdal/lib/hx509/data/pkinit.key
new file mode 100644
index 0000000..12b4168
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/pkinit.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQCjRLGKQp3QPzDe6GZCwfHJmI/SvetZZz1eDjXKO7iRsPzlIjot
+YoFWu1F3YKyDQ3WHzvH2vavyB8WN1bhWno5Fk73GrF0gPssU6BAHuV4HrFYTSBuE
+xzBi9OQZZ7UbOqyvC5LiAJAvgXW2Yz9Dpel27jN1dLJ2XaV28vkwaOzoRwIDAQAB
+AoGAQTAxTwnwJvDEG4xhIDB90MdITZWk/YpaF07HLVsRA6LOJtK2td5J1A5wpaCE
+4NgzeikntSPgHn/54fq+Yl9mYEAM1Uv6SimudiKe3Qk0M+bS4m/SMMlmV0eFjEh6
+ZG4NNRZmmzoaQbUiVa27fZ6362xtFGbGXJ8BjxOoTeaRn6kCQQDUwJafoKPN2dsq
+ewSCjGQhVGezw12ho2eaxj7VyNWU7V4LW2LdLClbXovSnpQ7bgHEopx1e97G2du7
+1ak3BxejAkEAxHUCpbFSbBBoIdnt+VGS/8hCWl8/6YniOFOk9Qp22moaNVVZYyTT
+Xpu45FeDKfm/xDwvPP9If0PDoM38tBvHDQJBAMTcmAOI/0lhRv1d62RpR9XXZkXe
+huskap+6xTXIqmkt4xGbNDX3wST8rWDsv7jmJ9itpxzGy/Mwb7S1FekHNQUCQDDw
+jTZFlCjDdY1pQrUnMx1w/8aPj9ZXuPkbLS616qHCaMD8gAYIuHcLB+YqPsyIINN7
+wrDJT4AUm3lFlzwu50kCQELkMFUM6rb9q/cOUQxsf023nPbObm3xJ0X4FtVhXuGi
+oUAOklX1xDLSqvWySOrTXfvfF4c3qCw9DAoDtKpbCgk=
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/heimdal/lib/hx509/data/proxy-level-test.crt b/crypto/heimdal/lib/hx509/data/proxy-level-test.crt
new file mode 100644
index 0000000..0cab380
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/proxy-level-test.crt
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICUDCCAbmgAwIBAgIJAKfbLM8p28MgMA0GCSqGSIb3DQEBBQUAMDExCzAJBgNV
+BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQxDjAMBgNVBAMMBXByb3h5MB4XDTA3
+MTExNTA2NTg1OVoXDTE3MTExMjA2NTg1OVowQTELMAkGA1UEBhMCU0UxEjAQBgNV
+BAMMCVRlc3QgY2VydDEOMAwGA1UEAwwFcHJveHkxDjAMBgNVBAMMBWNoaWxkMIGf
+MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0hrvRoael03J8Y5gvtDMq0ZGm5ZZM
+OGOhTtMnNlCpA/OKEpwMPIxiWr625wFwD7YUupvUZ7qLodf5yTN1wkbpVD2NbAUa
+klBRKHZm+UCJ8L6X4MgahNy+Y1uj6m14a50B9GtCi+RspP7p9pNKx9hnA8+dRs6Q
+9oZgim2zMwvVBQIDAQABo2AwXjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAdBgNV
+HQ4EFgQUQGqZ5v4NSB5Iwo17DynPRufgbF0wJQYIKwYBBQUHAQ4BAf8EFjAUAgEA
+MA8GCCsGAQUFBxUABANmb28wDQYJKoZIhvcNAQEFBQADgYEAxQjN9RrCdZHhGAyS
+y3/1EAyWIvmz8wKW0q4kSfNV7DAcUCKmQQ45oCEVnyTEbP8ltdIaHyIK1ujxKQC1
+QLDzjHkBBQGBrCH+gyIdpT9OZu2gT8f2j4u01YwbjLTcU2yEXVkkH18SZiawq2DF
+ETkEd/u6TKzhpwFPuZPKUeFexPA=
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/proxy-level-test.key b/crypto/heimdal/lib/hx509/data/proxy-level-test.key
new file mode 100644
index 0000000..c697b1b
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/proxy-level-test.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQC0hrvRoael03J8Y5gvtDMq0ZGm5ZZMOGOhTtMnNlCpA/OKEpwM
+PIxiWr625wFwD7YUupvUZ7qLodf5yTN1wkbpVD2NbAUaklBRKHZm+UCJ8L6X4Mga
+hNy+Y1uj6m14a50B9GtCi+RspP7p9pNKx9hnA8+dRs6Q9oZgim2zMwvVBQIDAQAB
+AoGBAI7cPM/1ZK1W+rezPSErMn7FH8V61Ij26ukhbvoOAqDuLpFqjrEkTVgcReaK
+QtoCpO4ciur5N2f+qOLUNXQQTXpMN+nRxkKxLMhG99Hej+vmzPjMdimEtTJiRfKF
+KU4rKUOCPdmu9fMe/kniOKbDmq1FFP+SqCU4hRiZZv0GMdDhAkEA8I6Du8UvTZ8I
+04o05s/BlMiErASTZgq27UM6rWl2FNy5Av2suayBW7xJczdGEtbT982KwQmk0Mg9
+Hj5pWi5MDQJBAMAdorBVTMD4iFvfRhN6aSD3PzG/fsEexRuxvx2iBrrMZQ+6mS26
+8myNHPMASAiwt5H2T7Y/dNMB64iod5gFVtkCQDMJ+ddQKg4tDQFdFIZYVDlOJiAd
+RGzlHxTOK9f5RU19219QFWK7wCKHm4nvk1WR8R1lpef5NNf7dERDd7Tjl80CQAx6
+oFO15rtuKWVWVnXzcJq8lLVFjBU9S25mGFTzbl554mKoK0UGLLMSY3wBW6x81h+8
+ESd0bcE7EbKZxtLwHdkCQQDYB5HxhlPZdquY+yg7vqxUF9Lf6+smlVv3PjfhXztg
+2aV717UGinyqZgcn2J+ADWocRI3JnOhU0lswsGc+oVXp
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/heimdal/lib/hx509/data/proxy-test.crt b/crypto/heimdal/lib/hx509/data/proxy-test.crt
new file mode 100644
index 0000000..d0d3135
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/proxy-test.crt
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICMDCCAZmgAwIBAgIJAI8UaHGQmUvNMA0GCSqGSIb3DQEBBQUAMCExCzAJBgNV
+BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQwHhcNMDcxMTE1MDY1ODU5WhcNMTcx
+MTEyMDY1ODU5WjAxMQswCQYDVQQGEwJTRTESMBAGA1UEAwwJVGVzdCBjZXJ0MQ4w
+DAYDVQQDDAVwcm94eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzeKelgMO
+dEHFmfEANkv6k+HkOduzT2It++ma7Kg+6+eOWpBqWcY3AOEbSE2UJM6H+StDhNNS
+cldPd3LoZayywckvgD3/NZjB9drsxF9GGClHew+fKjiekjNR3aUuAjysJYfr9AYd
+E6AFft2qKphuPKlEjPDeOZ4RpjvQOgFRB28CAwEAAaNgMF4wCQYDVR0TBAIwADAL
+BgNVHQ8EBAMCBeAwHQYDVR0OBBYEFOGuL3xdInqdArsxly/BbLmYbzDTMCUGCCsG
+AQUFBwEOAQH/BBYwFAIBADAPBggrBgEFBQcVAAQDZm9vMA0GCSqGSIb3DQEBBQUA
+A4GBADOZurVQ/lXeLADFOZbTmbRt0Nv3aPHniG1yovlSDEuNjMczeRMMIsef+jpJ
+4Z0rt65i3qpX3uXZdCgGtIbusIlM7fBLCRI5vJ27jqs2PnCvodWO05e/aL3XxRwr
+42wDWTioZuGm8Sz4hpHv74Fz/7PgvZPMFSo15ujdOTWMXj08
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/proxy-test.key b/crypto/heimdal/lib/hx509/data/proxy-test.key
new file mode 100644
index 0000000..93b609b
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/proxy-test.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDN4p6WAw50QcWZ8QA2S/qT4eQ527NPYi376ZrsqD7r545akGpZ
+xjcA4RtITZQkzof5K0OE01JyV093cuhlrLLByS+APf81mMH12uzEX0YYKUd7D58q
+OJ6SM1HdpS4CPKwlh+v0Bh0ToAV+3aoqmG48qUSM8N45nhGmO9A6AVEHbwIDAQAB
+AoGAaAv+2RDyXQ5gLkv9L3N2TwX5sMO2+odDdeu4v6DHK7D54ArbtELXyTn577BF
+DdTSIroahSXGpMI7BsKrb7a3Hw+lnbEsag0a71yMM+E/zN9e0BgZwb7ZpeezVG2O
+kaXCuVPQlmDys8UH001FWP/XxqhLfCjy25ynaXi990k0AwECQQDwI64IquGE0OCO
+bI15Z+qLM5aRQgkNPokU7bZ1oSp9Ctx0pI9IzN6DcXe1QcXBDUJrZ0medNmNjqkG
+KPkiAieDAkEA23vDr6+iiSTOIUAGj+NDY9ydk48j8oWYUeQPL8Y7hJrckJrqqfNL
+MGZUKnF/RFPRbfS543xiqlXs4j3C61cwpQJAS9DH+l6Q8tDLhMvK4sCnMSmpaNTz
+bKYIu33NdFfcxTuvnHfz8OUVf2RMigJo/+lCxgwHFysHIIUg4hv/g/gwJwJBAIfx
+UHMwxetL8KCHl4jnqoXfz3nl3s4IESAnsYBVt+eaQ6MNUOuS1a9UsizXv4wCnmUM
+f1Z3ZGU8c0xuFJzPlEECQAs9UM+v0WxhUY8iVltgaLxGP282Mg+p+pIoqXbn8Mt7
+gOomlisP+s0Hh+c+YFPIAaAeH6j7n4AxydI0Z9fKIZA=
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/heimdal/lib/hx509/data/proxy10-child-child-test.crt b/crypto/heimdal/lib/hx509/data/proxy10-child-child-test.crt
new file mode 100644
index 0000000..95abe01
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/proxy10-child-child-test.crt
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICdDCCAd2gAwIBAgIJAN27BSQHOOO6MA0GCSqGSIb3DQEBBQUAMEMxCzAJBgNV
+BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQxEDAOBgNVBAMMB3Byb3h5MTAxDjAM
+BgNVBAMMBWNoaWxkMB4XDTA3MTExNTA2NTkwMFoXDTE3MTExMjA2NTkwMFowUzEL
+MAkGA1UEBhMCU0UxEjAQBgNVBAMMCVRlc3QgY2VydDEQMA4GA1UEAwwHcHJveHkx
+MDEOMAwGA1UEAwwFY2hpbGQxDjAMBgNVBAMMBWNoaWxkMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQCw3LymYPXq7FKF1yumUvZTEbyMNszUYmoaMXgfnOgu8TWR
+Dwek7ome68yHYYkc4fj1jG2ugdQ+/LgpJ10c+lHa1MeE7QHbJu6tNhRcCgxnAtlV
+JljkmB24Ne/UjQwVVT73rUrvaigby8Ai0ujDtPJDqfUQvh8lwEFFWuafq9Ms1wID
+AQABo2AwXjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAdBgNVHQ4EFgQUNBaggvaD
+C/Amnb2M8g60WKxwGn0wJQYIKwYBBQUHAQ4BAf8EFjAUAgEKMA8GCCsGAQUFBxUA
+BANmb28wDQYJKoZIhvcNAQEFBQADgYEAmT5WYZ6FM6ceyyxTKiusYLDPJ04D7dVk
+VVMnu1q9dATMje/RKrncT0+KNEMdLWLpZgeHj4E2bi1507l3/zOUwOPpdI9MrvpY
+Or6ssQ3sZAZI60ruZ91ml6cYt+rbE1F2J+y1CM0rW/wnAIT1v2vP2Wd7PrEm8RsM
+QGbyuzcrAL4=
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/proxy10-child-child-test.key b/crypto/heimdal/lib/hx509/data/proxy10-child-child-test.key
new file mode 100644
index 0000000..247f616
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/proxy10-child-child-test.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQCw3LymYPXq7FKF1yumUvZTEbyMNszUYmoaMXgfnOgu8TWRDwek
+7ome68yHYYkc4fj1jG2ugdQ+/LgpJ10c+lHa1MeE7QHbJu6tNhRcCgxnAtlVJljk
+mB24Ne/UjQwVVT73rUrvaigby8Ai0ujDtPJDqfUQvh8lwEFFWuafq9Ms1wIDAQAB
+AoGAHRo1cKtDzARXD+74H8ZHAiRJAkmCKvCGxQie25TWH+NRDS2L9HfL7XqfjSdf
+iIEmlkElSzHR2wt6wkrX54zJKxMNayc88UfInQ03a4XwFzAksTf05zpdGPbkKohi
+eeQcf3Raq+Swe4pTEwyEU8mDidM/rKJst+zMiE4UMeVGTQECQQDZPFrVTyJwGBcS
+sxJly0zXmZ8tvvsxIuplwAvbfCWbhEEgeO3LAKjcpb5HVOLfTe8+2ZO00ALidVCH
+N6/ae+iLAkEA0GwPxjlbKnL1VcpKdsegntACxlHD0TonvIEINKv9PiKzHIhQo8xJ
+Rt/2aBRAOJn+zB3FJxfQ+o6vEUwvBfEKZQJBANHMLTlG9M5nJZlkogb3YZ3y+j0W
+7cdVniRoZcsySau4/aDbyWO9nleCJpMDUxwwSzdasAD2x2JnxD7itA4AjuMCQQCP
+a+0m8M0lVtowYPYA6rpCzs05/4YKckRp2Tj2Vev8WBB87+jd7nP2S6PaVyUiTgYi
+G9JRZnguEwWxl4U8R3RpAkA5QpGHFhXNI2xA0ZKYH1tgmYfLBAAiVrIDKJddtOf/
+rKceL88RXsjnA6PTN9AdpnJ4sTToR3HDeEwAQrNHMC2M
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/heimdal/lib/hx509/data/proxy10-child-test.crt b/crypto/heimdal/lib/hx509/data/proxy10-child-test.crt
new file mode 100644
index 0000000..c450741
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/proxy10-child-test.crt
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICVDCCAb2gAwIBAgIJAITDCg/e+gWyMA0GCSqGSIb3DQEBBQUAMDMxCzAJBgNV
+BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQxEDAOBgNVBAMMB3Byb3h5MTAwHhcN
+MDcxMTE1MDY1OTAwWhcNMTcxMTEyMDY1OTAwWjBDMQswCQYDVQQGEwJTRTESMBAG
+A1UEAwwJVGVzdCBjZXJ0MRAwDgYDVQQDDAdwcm94eTEwMQ4wDAYDVQQDDAVjaGls
+ZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAroEn/MX0t84+NLivDSbN0y5r
+ZRxaiTDYkmvbdvJuBryCCLkzUT+/eh3pEK52BODXZWD4oiEMJLubH/pz+/6eAb4T
+ReAWft/wMFaOSZ37a7iLWr8vFaRfBjQREpEm0rCp7dPvWYrraRIIjMRJzAUwygXN
+KSS4f5VZkMwNfT9wwE8CAwEAAaNgMF4wCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAw
+HQYDVR0OBBYEFJrcQRDczQ1P+84ND71GVT99a/2mMCUGCCsGAQUFBwEOAQH/BBYw
+FAIBCjAPBggrBgEFBQcVAAQDZm9vMA0GCSqGSIb3DQEBBQUAA4GBALIbzPSyUE5Q
+4TWAUfATVsADj131V1Xe+HHgwXebWbnNCJIe3OyWoFqK3X5ATKzi6MzHzA+UngFK
+KGl8m8Ogx9dYQKzP2LIw0GuvpMyc3azb/cvbWv3vmM55UEdBlqxSTFynqLdpJqtn
+9dXq2wCNdUtbGEOpaRVOiZ0wjvpTB4wA
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/proxy10-child-test.key b/crypto/heimdal/lib/hx509/data/proxy10-child-test.key
new file mode 100644
index 0000000..70cea5d
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/proxy10-child-test.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQCugSf8xfS3zj40uK8NJs3TLmtlHFqJMNiSa9t28m4GvIIIuTNR
+P796HekQrnYE4NdlYPiiIQwku5sf+nP7/p4BvhNF4BZ+3/AwVo5JnftruItavy8V
+pF8GNBESkSbSsKnt0+9ZiutpEgiMxEnMBTDKBc0pJLh/lVmQzA19P3DATwIDAQAB
+AoGAaYkc+Odzd9IYluP2ojqMkiJpuu2p53yODgeC4+38EsDg14vB+GpYT+9U68zG
+/W5JdjtuQwc/g9ueFnnuuUEkpyMIKDdAl00ZJQU5Vvz+ooZdxp/iYm3axkV2Gc2l
+mbulzUxgpomflDd/B3RXO1jY4ZttpVHTNUvjm7DtypiqsAkCQQDgIIRBtSipM3F6
+GYKgnmsjK+19YxUdMbHS6fyfg0TDIrSrBi5EqyjgA4MzxfzimvfKCiV6SSqFnU3G
+MIWDLh2dAkEAx1IaAAi+DmED08rarKRU2Ma7KRQWlxjXTp6c9OrbzuCJrqZgscxJ
+vBjmHzbXCKumRZwqWgzM5mRxPVX6npyn2wJBALrWQIqqI3hRuzJnG78b8QJD91nE
+hHBu4eeKSZ8MBgGJ6AR+RYnXCV8dbn11eifJufECXlW/sqPqC1DBWDuP8P0CQFxg
+utglNSCo6gMw0ySMjR5jDL8/JjElPDSd4pTIfNNm0aj2R35f9hSNXao92m+UTl2Y
+wTA3Gof1KV6KCLuWU10CQCeGYU3SFAy5QLVqR0B0u19wWyS8ZMl06DjOslmu7Zp+
+x1GxxFu1MNFvcKwmFeeYcNU1t9X0tC7EhUIaLQk2kqM=
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/heimdal/lib/hx509/data/proxy10-test.crt b/crypto/heimdal/lib/hx509/data/proxy10-test.crt
new file mode 100644
index 0000000..331c3ea
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/proxy10-test.crt
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICMjCCAZugAwIBAgIJAI8UaHGQmUvPMA0GCSqGSIb3DQEBBQUAMCExCzAJBgNV
+BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQwHhcNMDcxMTE1MDY1OTAwWhcNMTcx
+MTEyMDY1OTAwWjAzMQswCQYDVQQGEwJTRTESMBAGA1UEAwwJVGVzdCBjZXJ0MRAw
+DgYDVQQDDAdwcm94eTEwMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTeTGh
+PIY39c75rcek77oZeDKnvO9zmsU2nlPnKpNsQ/QYEa610EeaRhB36lLhIS3aEtoG
+LKgHeDF+jxasog3GNWZ7/EF5x5VwIbXo659ZbDwnT8c8ZJADEe1kfMuFgKd49l4y
+PNCqN4LX2DdAh2HIb7x1iw7Fnu7s0Xnipgq0twIDAQABo2AwXjAJBgNVHRMEAjAA
+MAsGA1UdDwQEAwIF4DAdBgNVHQ4EFgQUe24gc/gLyB6DW4gELVL3axuZTbkwJQYI
+KwYBBQUHAQ4BAf8EFjAUAgEKMA8GCCsGAQUFBxUABANmb28wDQYJKoZIhvcNAQEF
+BQADgYEABlvvmLwl6ZjaLdTGmxDD2eHN4/IbjYj1Vta2zQOKKA/W4qrkhmSNpy0x
++v9tqf2fumNSpspqF+g814pXbqSMuObHEE1IeUmiGwVPC7AMWVXd2skMdkjEqhLM
+8qvDrPt+c5rGnnqM9AqrT/xDgXm7XnPLSFcrX/q8xVKVztskgEU=
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/proxy10-test.key b/crypto/heimdal/lib/hx509/data/proxy10-test.key
new file mode 100644
index 0000000..3bc0b45
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/proxy10-test.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXwIBAAKBgQDTeTGhPIY39c75rcek77oZeDKnvO9zmsU2nlPnKpNsQ/QYEa61
+0EeaRhB36lLhIS3aEtoGLKgHeDF+jxasog3GNWZ7/EF5x5VwIbXo659ZbDwnT8c8
+ZJADEe1kfMuFgKd49l4yPNCqN4LX2DdAh2HIb7x1iw7Fnu7s0Xnipgq0twIDAQAB
+AoGBANDEIiSklXQFLFD8J81CBBxEtu007cbYkbx7zSS2uVb2NrDUM/+1IBrC9FsN
+bshlctiIJ8hUqYTGOUZRh/bg/GpVOgTRAgaMBEBOYXra7r7TVcUUxpC8CzX9hevl
+H42T6Ez6+Ednfg0RX6rZTiFeCNV3ADkguO07mlgSppiQJmlxAkEA/ICw/Ar/GtJH
+/EK8jrbxzakNzFxtHUtVNwSALsiWZUfJWJgf7jDsl0XB8w/HhVDrdwfc+Aiexxc9
+SPJKKqdpswJBANZnBfxEucE1SWu9elvPNWIMYBXinfMvfnkSt81KH3AfObiUj93d
+LCii1sF/x2aDeKJseFiUycy9xQXhQMF5vu0CQQCPECs24tQfUj1PBFDpW2YtbDdR
+Lpz0GBa0EWy/FQ+BWucNt0OAJWAnZXK6UJpvQqXmzyG3tsqfat9iUUUMXcZZAkEA
+vc+PePrPCMHIMl4ZCVa0iA00s6tg8n7FlSKBHnnUw0qhq0u64kyAX6lqPvyE57jU
+/9bP5Hw0+9G1r7LvxVmnMQJBAMdphUdEYRlIZ0GTnIETDzjm3lge06cXzLvXFIps
+nCANLV4OXJZVaTUrnDINLJVHu5d+Mx1pTw6GOF+v0+LjbF4=
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/heimdal/lib/hx509/data/revoke.crt b/crypto/heimdal/lib/hx509/data/revoke.crt
new file mode 100644
index 0000000..0adcc2d
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/revoke.crt
@@ -0,0 +1,53 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: CN=hx509 Test Root CA, C=SE
+        Validity
+            Not Before: Nov 15 06:58:56 2007 GMT
+            Not After : Nov 12 06:58:56 2017 GMT
+        Subject: C=SE, CN=Revoke cert
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:b3:24:de:14:fc:b6:80:e2:34:59:81:1f:ec:cb:
+                    00:21:75:e5:34:88:09:5e:5e:8e:f8:91:6b:ab:09:
+                    34:f8:6c:69:14:00:c5:47:f2:d7:de:a0:32:00:02:
+                    63:79:3c:14:1a:a9:4d:d1:1d:c0:fc:a7:50:72:26:
+                    96:53:d1:9f:a9:5f:f4:82:4d:4b:17:3b:fe:14:60:
+                    42:94:22:93:3e:c5:14:97:c8:a3:6a:8e:bd:90:03:
+                    22:12:9e:41:ca:a5:de:4f:57:f4:bf:f1:9e:f8:63:
+                    4f:c0:9e:c8:3c:e1:8b:89:60:3a:2b:5c:a7:b7:6e:
+                    a0:48:34:49:58:61:a0:34:6d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Subject Key Identifier: 
+                F3:E2:96:20:28:53:21:92:67:A8:5C:B5:2C:7E:87:CF:7A:07:3D:84
+    Signature Algorithm: sha1WithRSAEncryption
+        90:39:f3:a6:fe:92:b9:92:4c:75:58:b2:51:36:11:07:f5:a2:
+        71:dc:90:d7:2b:b5:bc:37:c8:30:4f:a4:6b:41:11:63:3e:53:
+        42:ae:6f:59:7d:f8:b0:59:01:2f:50:4f:2d:21:7e:6a:58:bd:
+        74:f1:69:c5:62:3d:8f:fa:1a:c8:7e:a4:30:dc:01:8b:c9:f8:
+        77:44:5c:d3:a4:ab:9a:50:cc:45:d0:65:00:5c:fe:d3:b5:a3:
+        7a:f1:b1:5c:25:0f:06:16:5f:cf:e2:5d:0b:87:c0:fe:14:b8:
+        0a:10:17:55:34:15:4d:44:6b:60:80:6e:af:7b:81:30:47:5c:
+        f3:fe
+-----BEGIN CERTIFICATE-----
+MIIB/DCCAWWgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
+OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTA3MTExNTA2NTg1NloXDTE3
+MTExMjA2NTg1NlowIzELMAkGA1UEBhMCU0UxFDASBgNVBAMMC1Jldm9rZSBjZXJ0
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzJN4U/LaA4jRZgR/sywAhdeU0
+iAleXo74kWurCTT4bGkUAMVH8tfeoDIAAmN5PBQaqU3RHcD8p1ByJpZT0Z+pX/SC
+TUsXO/4UYEKUIpM+xRSXyKNqjr2QAyISnkHKpd5PV/S/8Z74Y0/Ansg84YuJYDor
+XKe3bqBINElYYaA0bQIDAQABozkwNzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAd
+BgNVHQ4EFgQU8+KWIChTIZJnqFy1LH6Hz3oHPYQwDQYJKoZIhvcNAQEFBQADgYEA
+kDnzpv6SuZJMdViyUTYRB/WicdyQ1yu1vDfIME+ka0ERYz5TQq5vWX34sFkBL1BP
+LSF+ali9dPFpxWI9j/oayH6kMNwBi8n4d0Rc06SrmlDMRdBlAFz+07WjevGxXCUP
+BhZfz+JdC4fA/hS4ChAXVTQVTURrYIBur3uBMEdc8/4=
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/revoke.key b/crypto/heimdal/lib/hx509/data/revoke.key
new file mode 100644
index 0000000..a4c68ae
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/revoke.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQCzJN4U/LaA4jRZgR/sywAhdeU0iAleXo74kWurCTT4bGkUAMVH
+8tfeoDIAAmN5PBQaqU3RHcD8p1ByJpZT0Z+pX/SCTUsXO/4UYEKUIpM+xRSXyKNq
+jr2QAyISnkHKpd5PV/S/8Z74Y0/Ansg84YuJYDorXKe3bqBINElYYaA0bQIDAQAB
+AoGAIDHl/5uTKQJ+Kf+8vw+UjG7lrFUuadlQlHd+BBT5ghPppoCk89M+3HGpyrqj
+KeyUKF5477YLMtzW5kztA09PBBJvMjSm92dI2uCYfipkIWZZUlq64AStI15pgeVd
+cH61hxOUCm47tqhtkaO11DnKkoJBXaAVIe2ySG2sIZQH+gECQQDjhMdCWkaO+HUe
+utqKJCq6pUkwSelgLEINDVoRVgJ+qUHb0nN06DmPfcfxwqfgP/vS6baKkGIBCiZJ
+n9Kfd23BAkEAyZHXY5iGSq9qc2ern0CcyitNozvtm6eEZYVvJxVMsVBQRo23EmGF
+68SJlHjpY+nHyPWEkbG99R/CMdr3FV9JrQJBAOG/hoKk1mvXxUYXeu4kkq0dgXBD
+diex4lvXCq423ETXJny55UtzfGGPGUwdq7rLYc/VjAUS29tSOclFppQJyUECQQDA
+J7P5UhHTaN5GHfJR4rqVUCq3Dg45cLyaO1X3ICr4bePZHogDkcylMbsmOw3jHZ5D
+SSqT6al44Em0VVVunmQRAkBUAQzHGGJnMKI9ZSdD3J6scWCVIjHVgaehYe9a8DlK
+DeZ4KYGG0+1aUdkqeYE8c6Qqp+pdjPmRMdooww6y+Xk1
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/heimdal/lib/hx509/data/sf-class2-root.pem b/crypto/heimdal/lib/hx509/data/sf-class2-root.pem
new file mode 100644
index 0000000..d552e65
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/sf-class2-root.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzEl
+MCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMp
+U3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQw
+NjI5MTczOTE2WhcNMzQwNjI5MTczOTE2WjBoMQswCQYDVQQGEwJVUzElMCMGA1UE
+ChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZp
+ZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3
+DQEBAQUAA4IBDQAwggEIAoIBAQC3Msj+6XGmBIWtDBFk385N78gDGIc/oav7PKaf
+8MOh2tTYbitTkPskpD6E8J7oX+zlJ0T1KKY/e97gKvDIr1MvnsoFAZMej2YcOadN
++lq2cwQlZut3f+dZxkqZJRRU6ybH838Z1TBwj6+wRir/resp7defqgSHo9T5iaU0
+X9tDkYI22WY8sbi5gv2cOj4QyDvvBmVmepsZGD3/cVE8MC5fvj13c7JdBmzDI1aa
+K4UmkhynArPkPw2vCHmCuDY96pzTNbO8acr1zJ3o/WSNF4Azbl5KXZnJHoe0nRrA
+1W4TNSNe35tfPe/W93bC6j67eA0cQmdrBNj41tpvi/JEoAGrAgEDo4HFMIHCMB0G
+A1UdDgQWBBS/X7fRzt0fhvRbVazc1xDCDqmI5zCBkgYDVR0jBIGKMIGHgBS/X7fR
+zt0fhvRbVazc1xDCDqmI56FspGowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0
+YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBD
+bGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8w
+DQYJKoZIhvcNAQEFBQADggEBAAWdP4id0ckaVaGsafPzWdqbAYcaT1epoXkJKtv3
+L7IezMdeatiDh6GX70k1PncGQVhiv45YuApnP+yz3SFmH8lU+nLMPUxA2IGvd56D
+eruix/U0F47ZEUD0/CwqTRV/p2JdLiXTAAsgGh1o+Re49L2L7ShZ3U0WixeDyLJl
+xy16paq8U4Zt3VekyvggQQto8PT7dL5WXXp59fkdheMtlb71cZBDzI0fmgAKhynp
+VSJYACPq4xJDKVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNziPTnNvT51cKEY
+WQPJIrSPnNVeKtelttQKbfi3QBFGmh95DmK/D5fs4C8fF5Q=
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/static-file b/crypto/heimdal/lib/hx509/data/static-file
new file mode 100644
index 0000000..2216857
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/static-file
@@ -0,0 +1,84 @@
+This is a static file don't change the content, it is used in the test
+
+#!/bin/sh
+#
+# Copyright (c) 2005 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+#
+
+srcdir="@srcdir@"
+
+echo "try printing"
+./hxtool print \
+	--pass=PASS:foobar \
+	PKCS12:$srcdir/data/test.p12 || exit 1
+
+echo "make sure entry is found (friendlyname)"
+./hxtool query \
+	--pass=PASS:foobar \
+	--friendlyname=friendlyname-test  \
+	PKCS12:$srcdir/data/test.p12 || exit 1
+
+echo "make sure entry is not found  (friendlyname)"
+./hxtool query \
+	--pass=PASS:foobar \
+	--friendlyname=friendlyname-test-not  \
+	PKCS12:$srcdir/data/test.p12 && exit 1
+
+echo "check for ca cert (friendlyname)"
+./hxtool query \
+	--pass=PASS:foobar \
+	--friendlyname=ca  \
+	PKCS12:$srcdir/data/test.p12 || exit 1
+
+echo "make sure entry is not found (friendlyname)"
+./hxtool query \
+	--pass=PASS:foobar \
+	--friendlyname=friendlyname-test \
+	PKCS12:$srcdir/data/sub-cert.p12 && exit 1
+
+echo "make sure entry is found (friendlyname|private key)"
+./hxtool query \
+	--pass=PASS:foobar \
+	--friendlyname=friendlyname-test  \
+	--private-key \
+	PKCS12:$srcdir/data/test.p12 || exit 1
+
+echo "make sure entry is not found (friendlyname|private key)"
+./hxtool query \
+	--pass=PASS:foobar \
+	--friendlyname=ca  \
+	--private-key \
+	PKCS12:$srcdir/data/test.p12 && exit 1
+
+exit 0
+
diff --git a/crypto/heimdal/lib/hx509/data/sub-ca.crt b/crypto/heimdal/lib/hx509/data/sub-ca.crt
new file mode 100644
index 0000000..6cb485a
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/sub-ca.crt
@@ -0,0 +1,60 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 9 (0x9)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: CN=hx509 Test Root CA, C=SE
+        Validity
+            Not Before: Nov 15 06:58:59 2007 GMT
+            Not After : Nov 12 06:58:59 2017 GMT
+        Subject: C=SE, CN=Sub CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:f3:ab:db:06:fa:f9:a1:84:35:a6:fb:a4:a9:39:
+                    5f:54:10:a2:a4:3f:1a:ae:2c:7e:bd:dd:aa:63:4a:
+                    7a:62:99:07:25:af:eb:62:b4:20:93:67:46:59:b4:
+                    30:85:81:24:41:9d:49:97:fb:a3:ce:74:61:f7:ff:
+                    d5:9e:b1:9b:d3:5a:8b:59:51:76:99:69:2a:73:02:
+                    e9:2d:39:3f:21:b8:2f:f1:af:91:1f:f1:c3:e3:4d:
+                    c0:e4:87:95:df:e7:d2:e7:27:a6:cd:c4:cf:97:e6:
+                    b8:24:31:d1:66:d3:af:f8:06:8b:9c:81:bf:66:54:
+                    53:08:0a:ee:15:71:b2:a5:a5
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                36:04:CF:AD:8B:30:E2:5D:C0:43:8C:09:0B:4D:50:7B:1F:39:41:17
+            X509v3 Authority Key Identifier: 
+                keyid:8C:E7:0D:B5:C5:DE:69:85:75:2C:08:A1:DE:53:15:30:9C:A1:E8:00
+                DirName:/CN=hx509 Test Root CA/C=SE
+                serial:B7:94:5E:85:B2:19:80:58
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment, Certificate Sign, CRL Sign
+    Signature Algorithm: sha1WithRSAEncryption
+        5b:f9:bb:2c:d2:d6:4d:bb:20:b1:05:fc:67:45:de:9c:5e:83:
+        35:24:9a:f6:33:bc:3d:ca:27:dc:be:3c:cb:c6:d7:c5:b4:d3:
+        9e:c4:c2:60:4d:dc:21:2c:f4:88:ec:dd:41:37:58:63:45:d6:
+        9b:32:7d:f8:e0:d1:41:0f:f3:30:20:7d:15:af:49:15:2b:cb:
+        db:fe:90:6e:db:84:fa:92:a3:ac:83:25:5a:ab:49:7a:1e:2b:
+        dc:c9:74:7b:9f:2b:62:a9:6f:ef:b9:89:72:4b:ea:02:5a:27:
+        93:b7:9d:fd:e2:a3:73:04:52:d0:98:5a:a3:23:f5:02:56:b6:
+        c6:8f
+-----BEGIN CERTIFICATE-----
+MIICWDCCAcGgAwIBAgIBCTANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
+OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTA3MTExNTA2NTg1OVoXDTE3
+MTExMjA2NTg1OVowHjELMAkGA1UEBhMCU0UxDzANBgNVBAMMBlN1YiBDQTCBnzAN
+BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA86vbBvr5oYQ1pvukqTlfVBCipD8arix+
+vd2qY0p6YpkHJa/rYrQgk2dGWbQwhYEkQZ1Jl/ujznRh9//VnrGb01qLWVF2mWkq
+cwLpLTk/Ibgv8a+RH/HD403A5IeV3+fS5yemzcTPl+a4JDHRZtOv+AaLnIG/ZlRT
+CAruFXGypaUCAwEAAaOBmTCBljAdBgNVHQ4EFgQUNgTPrYsw4l3AQ4wJC01Qex85
+QRcwWgYDVR0jBFMwUYAUjOcNtcXeaYV1LAih3lMVMJyh6AChLqQsMCoxGzAZBgNV
+BAMMEmh4NTA5IFRlc3QgUm9vdCBDQTELMAkGA1UEBhMCU0WCCQC3lF6FshmAWDAM
+BgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB5jANBgkqhkiG9w0BAQUFAAOBgQBb+bss
+0tZNuyCxBfxnRd6cXoM1JJr2M7w9yifcvjzLxtfFtNOexMJgTdwhLPSI7N1BN1hj
+RdabMn344NFBD/MwIH0Vr0kVK8vb/pBu24T6kqOsgyVaq0l6HivcyXR7nytiqW/v
+uYlyS+oCWieTt5394qNzBFLQmFqjI/UCVrbGjw==
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/sub-ca.key b/crypto/heimdal/lib/hx509/data/sub-ca.key
new file mode 100644
index 0000000..070d21d
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/sub-ca.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDzq9sG+vmhhDWm+6SpOV9UEKKkPxquLH693apjSnpimQclr+ti
+tCCTZ0ZZtDCFgSRBnUmX+6POdGH3/9WesZvTWotZUXaZaSpzAuktOT8huC/xr5Ef
+8cPjTcDkh5Xf59LnJ6bNxM+X5rgkMdFm06/4Boucgb9mVFMICu4VcbKlpQIDAQAB
+AoGBAIoiQmgSnrERYdjnjtDf1Uqyo4C4xUc3siGwJ4diET8TwRl8QNQTiOQHB7qS
+i28jZopLwAyIerPvBhqwzUjJJqvu1z+5/MjwBJ/aonmJjJ9e3nqk/KE658xGg5E8
+V64DYRif0YboZEYJo5yzU9UEdEPI4zTyhFlR21TmOZkidnwBAkEA/IIRCcGs/FNR
+q9tEW8ARK1DEeerXhoV9Xye9xYb5UNyH4f6J31NdkvYOMA4F0+0lKecaKmPtKsu7
+gQrFZYwt/QJBAPcKgUVOJox/s/o1PXRGjifl1haehcawWNLtN/UnFZcUKslyMkxh
+qyCJJ0SuX7quQqy+++hFj/DwNdECaFRd0skCQBocdRiWL4Y0M3jbBrmaJexdwMN+
+tmTRvwItAOHBMFzdQSvsf2NZoo6E5Tiw6odcuYAYxsrlZGwNf0k7zOfQVB0CQQDy
+GWdqZhY9JoFYuYhKRULXMtTGQgBUIUpLG5L1O6Ja9rafyLwmQqkUL5U+J61FI7XP
+2TLCBDn2I1J6TGO2GmSRAkAIFsFpkrq4q+lbJ3Vr3UpfhRJsTVOD5SgZx1umn63l
+jEz5/r4HCg/Q0/yiPiYaTHutfnsChg3/AfbmWcA6j4NU
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/heimdal/lib/hx509/data/sub-cert.crt b/crypto/heimdal/lib/hx509/data/sub-cert.crt
new file mode 100644
index 0000000..fe23a37
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/sub-cert.crt
@@ -0,0 +1,53 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 10 (0xa)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=SE, CN=Sub CA
+        Validity
+            Not Before: Nov 15 06:58:59 2007 GMT
+            Not After : Nov 12 06:58:59 2017 GMT
+        Subject: C=SE, CN=Test sub cert
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:da:41:57:e1:62:23:1b:bf:ac:1c:a9:06:c8:98:
+                    77:38:dc:33:a3:03:c0:02:6d:d8:6d:68:95:b1:ea:
+                    60:c0:c2:96:23:34:91:fb:32:44:44:cd:72:40:5b:
+                    a3:cf:57:94:3c:8d:a9:30:11:73:61:15:17:10:a6:
+                    17:7d:9d:27:f0:58:23:ee:a4:83:3c:b1:0f:20:0c:
+                    a4:3d:01:ef:de:93:cb:b5:02:c1:1e:b4:54:35:6a:
+                    8f:55:7b:5d:76:0a:f9:6d:b1:31:25:4c:fb:e2:d6:
+                    6e:94:e9:8a:c4:cc:4e:28:6b:bd:4c:80:85:2c:87:
+                    eb:31:88:6d:27:2a:d3:df:1f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Subject Key Identifier: 
+                D3:5F:89:9B:31:E6:2A:E0:C6:64:27:9F:A4:E5:42:8C:70:99:96:25
+    Signature Algorithm: sha1WithRSAEncryption
+        34:f9:9f:c5:6f:44:55:6a:15:8f:51:ab:c1:44:18:0e:eb:9a:
+        d0:c4:64:ce:ab:24:2b:77:82:f3:88:e3:9e:1f:9c:8d:28:a6:
+        be:3d:d5:3e:5e:95:01:c8:b9:d4:e2:b5:17:06:1d:10:0b:a5:
+        64:29:d9:45:b0:fd:16:ec:5d:3c:3f:58:55:25:90:d0:e4:4f:
+        3f:9f:9c:5f:d5:1e:0c:73:a5:1a:7c:71:10:b5:a3:d5:fb:0f:
+        d3:de:fc:9a:06:bc:0b:8c:72:eb:bc:fc:d1:47:87:68:44:25:
+        25:ab:51:e9:af:d8:9e:1b:04:f2:1c:4f:4c:27:a0:87:11:4a:
+        69:67
+-----BEGIN CERTIFICATE-----
+MIIB8jCCAVugAwIBAgIBCjANBgkqhkiG9w0BAQUFADAeMQswCQYDVQQGEwJTRTEP
+MA0GA1UEAwwGU3ViIENBMB4XDTA3MTExNTA2NTg1OVoXDTE3MTExMjA2NTg1OVow
+JTELMAkGA1UEBhMCU0UxFjAUBgNVBAMMDVRlc3Qgc3ViIGNlcnQwgZ8wDQYJKoZI
+hvcNAQEBBQADgY0AMIGJAoGBANpBV+FiIxu/rBypBsiYdzjcM6MDwAJt2G1olbHq
+YMDCliM0kfsyRETNckBbo89XlDyNqTARc2EVFxCmF32dJ/BYI+6kgzyxDyAMpD0B
+796Ty7UCwR60VDVqj1V7XXYK+W2xMSVM++LWbpTpisTMTihrvUyAhSyH6zGIbScq
+098fAgMBAAGjOTA3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBTT
+X4mbMeYq4MZkJ5+k5UKMcJmWJTANBgkqhkiG9w0BAQUFAAOBgQA0+Z/Fb0RVahWP
+UavBRBgO65rQxGTOqyQrd4LziOOeH5yNKKa+PdU+XpUByLnU4rUXBh0QC6VkKdlF
+sP0W7F08P1hVJZDQ5E8/n5xf1R4Mc6UafHEQtaPV+w/T3vyaBrwLjHLrvPzRR4do
+RCUlq1Hpr9ieGwTyHE9MJ6CHEUppZw==
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/sub-cert.key b/crypto/heimdal/lib/hx509/data/sub-cert.key
new file mode 100644
index 0000000..b9faa56
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/sub-cert.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDaQVfhYiMbv6wcqQbImHc43DOjA8ACbdhtaJWx6mDAwpYjNJH7
+MkREzXJAW6PPV5Q8jakwEXNhFRcQphd9nSfwWCPupIM8sQ8gDKQ9Ae/ek8u1AsEe
+tFQ1ao9Ve112CvltsTElTPvi1m6U6YrEzE4oa71MgIUsh+sxiG0nKtPfHwIDAQAB
+AoGBAMPvk4h4BNK9gTL9n2RoU+fM7+Jx1GeZ24llMbZWlmOWjRiv8joTx2wJEH+s
+hWP32NF/z5qin/VQ7LL6mO4hLx8RbPysfZH2PGwGLBsL6yFKrpVLEb6Gze7bfaNC
+Zxqz2zBaUup5IN5IoQbYmhYgo7h+uca2FKZMtWZlvxsNb22hAkEA/QCwdBhlf7w9
+BUWezxxm5o/laKhvP7RYem43eJNKj1tenB1MnbjM6R3Ckp0ykbKQIEL3mjTEUR+/
+31yfSjKRrwJBANzXRXmowoaKFrjkRFjfKrSk6cIa5/32U4Shy3/1LRoHv1qcsyEv
+0Acn5aE8vdiYK4J/OqiS87KFYH6WISCEFZECQQDg4xH1wBHIfvwGiaHmGyrkWpfi
+dYWdrKLRANNR3Cr0TpVEU07dC30o4YkoZY6jr4MpCh2o9qpiKcSVuHDmtRiFAkBE
+AsvznqRhuK8su6fM0tWdElinHZAqpyyrYQSB4KjGJnKo3i9QXiArw/60/DbfOGXV
+54bSGYeRh//inCuRjvvxAkBv9rarlopkpj29aAM4e4gs5W4ssl0uOjnSBiSH+Zn/
+j/oYrQgvpITFLCdF48D44GWtupw5zCLiJAREySaNma4Z
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/heimdal/lib/hx509/data/sub-cert.p12 b/crypto/heimdal/lib/hx509/data/sub-cert.p12
new file mode 100644
index 0000000..90def93
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/sub-cert.p12
diff --git a/crypto/heimdal/lib/hx509/data/test-ds-only.crt b/crypto/heimdal/lib/hx509/data/test-ds-only.crt
new file mode 100644
index 0000000..78559c6
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/test-ds-only.crt
@@ -0,0 +1,53 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 5 (0x5)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: CN=hx509 Test Root CA, C=SE
+        Validity
+            Not Before: Nov 15 06:58:57 2007 GMT
+            Not After : Nov 12 06:58:57 2017 GMT
+        Subject: C=SE, CN=Test cert DigitalSignature
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:c7:40:d0:87:47:81:b2:4e:4b:36:7c:c9:8d:9d:
+                    eb:dc:65:13:20:dc:72:0f:bf:5e:44:36:aa:18:fc:
+                    09:54:8c:1a:4e:15:5a:c5:c3:0c:95:f7:55:1c:b0:
+                    93:d2:80:92:eb:7e:67:b4:2e:9c:0c:fd:65:6a:9c:
+                    d6:35:d2:c2:62:3f:a2:6c:90:9e:a6:5a:59:33:e1:
+                    3a:13:9a:9d:9a:7e:2b:a2:44:96:41:87:b3:e2:b8:
+                    62:1b:88:46:08:39:c5:7a:90:83:42:22:c9:73:9f:
+                    41:51:1d:40:34:0f:94:0e:2a:ee:27:76:6d:6d:44:
+                    d2:e7:90:ad:9c:da:f8:7f:87
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation
+            X509v3 Subject Key Identifier: 
+                B9:41:3E:C9:AB:F2:37:75:F1:F8:C7:86:BB:54:78:76:15:16:D9:BB
+    Signature Algorithm: sha1WithRSAEncryption
+        72:fc:ea:ad:ec:08:be:45:34:5e:d0:1b:d0:0d:fc:2f:70:89:
+        8e:58:fb:15:ce:7b:78:8f:db:e9:97:cc:89:10:e6:10:f5:22:
+        f9:e9:c6:0d:4e:f9:35:c6:e2:5f:ab:28:47:e3:d6:94:d0:80:
+        db:44:4a:a9:8b:86:8b:c6:09:7b:d5:eb:07:ef:92:5a:ac:9a:
+        a7:04:c5:e2:c5:3f:01:d0:c1:92:c1:14:90:50:bd:0f:38:09:
+        0e:c5:9f:96:bd:42:8b:87:ac:b1:62:ca:bc:79:1d:fc:23:06:
+        55:b3:55:f2:b8:49:67:8e:d7:63:1f:52:aa:b9:19:e0:1f:18:
+        11:ac
+-----BEGIN CERTIFICATE-----
+MIICCzCCAXSgAwIBAgIBBTANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
+OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTA3MTExNTA2NTg1N1oXDTE3
+MTExMjA2NTg1N1owMjELMAkGA1UEBhMCU0UxIzAhBgNVBAMMGlRlc3QgY2VydCBE
+aWdpdGFsU2lnbmF0dXJlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHQNCH
+R4GyTks2fMmNnevcZRMg3HIPv15ENqoY/AlUjBpOFVrFwwyV91UcsJPSgJLrfme0
+LpwM/WVqnNY10sJiP6JskJ6mWlkz4ToTmp2afiuiRJZBh7PiuGIbiEYIOcV6kINC
+Islzn0FRHUA0D5QOKu4ndm1tRNLnkK2c2vh/hwIDAQABozkwNzAJBgNVHRMEAjAA
+MAsGA1UdDwQEAwIGwDAdBgNVHQ4EFgQUuUE+yavyN3Xx+MeGu1R4dhUW2bswDQYJ
+KoZIhvcNAQEFBQADgYEAcvzqrewIvkU0XtAb0A38L3CJjlj7Fc57eI/b6ZfMiRDm
+EPUi+enGDU75NcbiX6soR+PWlNCA20RKqYuGi8YJe9XrB++SWqyapwTF4sU/AdDB
+ksEUkFC9DzgJDsWflr1Ci4essWLKvHkd/CMGVbNV8rhJZ47XYx9SqrkZ4B8YEaw=
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/test-ds-only.key b/crypto/heimdal/lib/hx509/data/test-ds-only.key
new file mode 100644
index 0000000..1233c34
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/test-ds-only.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDHQNCHR4GyTks2fMmNnevcZRMg3HIPv15ENqoY/AlUjBpOFVrF
+wwyV91UcsJPSgJLrfme0LpwM/WVqnNY10sJiP6JskJ6mWlkz4ToTmp2afiuiRJZB
+h7PiuGIbiEYIOcV6kINCIslzn0FRHUA0D5QOKu4ndm1tRNLnkK2c2vh/hwIDAQAB
+AoGAPa3Ln0S8WjSwRaKlRahP/b5wCGkVCdjkVltRlkBWpwxjjC5CFhvFxpp0h1gF
+ulDAqhNMCNOwzLiX70Ozb5/ZOcK6eIYolFDf8ldc5fSJMTIZF2V6CzICNNKFGWpI
+z5QFhfQDqru6ZaWtPuK4sJIcmBx1nMTu4z9rNjvnGqJV/ckCQQDm8HfOI6f5Dlgg
+QI9My7uDshfF2j6lo8wX32Vsgfb2PO+a6BGCCQhSjlKSZoiOH+KNz1/fp0/sbeGY
+ZbdJSMg9AkEA3OAZrLlgKId6Gs5EjDfvq2njJf4dAOk5aH8HB1u18VuRvdkWxEwo
+A7zrFZz+l1U52OMNKazPuPLju7foen9fEwJAR1URfG/RC4HdwKCQYsUvN1+ELk3a
+OemdOeZ7+ocuVCLAU9XIyqSlmHJzmNro5RV+MhVS5M9WRY4vN5Z7hbxgdQJBAJG3
+NrkAwzN5zVCJ7Cclb/SCMt0JvFCxjLInu5dbJblJU+kPozl1lKCCrgTgQgXMsBEq
+GbD41UGK3DsnpTPLfAkCQQCeZlgPiddfNhyg3SQOgj1M/3NBEfJFnX3FqlF32Pvz
+0U29o0iMSP4q2j+cyUxAmlp9I7clhq7bBRTfCHKIHETg
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/heimdal/lib/hx509/data/test-enveloped-aes-128 b/crypto/heimdal/lib/hx509/data/test-enveloped-aes-128
new file mode 100644
index 0000000..c706839
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/test-enveloped-aes-128
diff --git a/crypto/heimdal/lib/hx509/data/test-enveloped-aes-256 b/crypto/heimdal/lib/hx509/data/test-enveloped-aes-256
new file mode 100644
index 0000000..1d5ef41
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/test-enveloped-aes-256
diff --git a/crypto/heimdal/lib/hx509/data/test-enveloped-des b/crypto/heimdal/lib/hx509/data/test-enveloped-des
new file mode 100644
index 0000000..85a08d9
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/test-enveloped-des
diff --git a/crypto/heimdal/lib/hx509/data/test-enveloped-des-ede3 b/crypto/heimdal/lib/hx509/data/test-enveloped-des-ede3
new file mode 100644
index 0000000..deb5fe1
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/test-enveloped-des-ede3
diff --git a/crypto/heimdal/lib/hx509/data/test-enveloped-rc2-128 b/crypto/heimdal/lib/hx509/data/test-enveloped-rc2-128
new file mode 100644
index 0000000..ebe0b5f
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/test-enveloped-rc2-128
diff --git a/crypto/heimdal/lib/hx509/data/test-enveloped-rc2-40 b/crypto/heimdal/lib/hx509/data/test-enveloped-rc2-40
new file mode 100644
index 0000000..c664b81
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/test-enveloped-rc2-40
diff --git a/crypto/heimdal/lib/hx509/data/test-enveloped-rc2-64 b/crypto/heimdal/lib/hx509/data/test-enveloped-rc2-64
new file mode 100644
index 0000000..24bd368
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/test-enveloped-rc2-64
diff --git a/crypto/heimdal/lib/hx509/data/test-ke-only.crt b/crypto/heimdal/lib/hx509/data/test-ke-only.crt
new file mode 100644
index 0000000..9239de4
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/test-ke-only.crt
@@ -0,0 +1,53 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4 (0x4)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: CN=hx509 Test Root CA, C=SE
+        Validity
+            Not Before: Nov 15 06:58:57 2007 GMT
+            Not After : Nov 12 06:58:57 2017 GMT
+        Subject: C=SE, CN=Test cert KeyEncipherment
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:bd:6a:09:6d:65:fd:2f:a6:02:74:48:59:5a:d6:
+                    b1:cf:d2:30:60:21:92:bf:ed:94:d1:df:e9:de:b7:
+                    c2:c5:5d:c8:7b:a7:f2:b3:e0:1b:78:ba:a8:ba:4b:
+                    ee:95:5c:06:77:10:39:be:e5:4c:4a:f0:1e:96:a0:
+                    df:77:7a:7a:06:ce:95:b0:d9:fd:ac:4b:85:45:b1:
+                    7c:a5:51:af:b8:c3:82:6f:21:09:37:03:b0:61:e0:
+                    04:46:a8:71:56:a6:36:67:79:42:e1:ef:bf:28:1d:
+                    a0:ef:02:6e:26:60:e1:fe:05:95:72:87:b9:c1:08:
+                    8e:ed:dc:fd:71:06:15:80:79
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Non Repudiation, Key Encipherment
+            X509v3 Subject Key Identifier: 
+                17:F3:F4:8B:D1:CD:D4:A3:D9:9D:A0:0E:6E:52:EE:11:03:85:32:6F
+    Signature Algorithm: sha1WithRSAEncryption
+        5f:1d:86:c2:bd:eb:c7:75:ad:b6:ec:c8:10:96:4f:8b:b2:36:
+        b4:7b:ba:c4:b5:6c:1c:2e:80:eb:d0:97:5f:71:48:8a:79:f7:
+        05:ee:2b:96:ef:b9:68:0d:fa:86:73:c7:30:3f:22:81:ea:cf:
+        46:3a:4b:4d:31:39:29:5d:1a:b8:44:ae:12:f1:18:ea:de:55:
+        47:f4:1c:77:07:34:41:cf:1c:f1:1c:f8:0d:63:c1:e8:b4:98:
+        e7:cb:c1:2d:96:b3:5a:21:6e:fa:e7:e1:15:87:84:c9:71:31:
+        5f:6f:93:98:7f:ca:00:d3:8d:96:bb:b5:03:af:c0:4d:4e:a2:
+        a5:97
+-----BEGIN CERTIFICATE-----
+MIICCjCCAXOgAwIBAgIBBDANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
+OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTA3MTExNTA2NTg1N1oXDTE3
+MTExMjA2NTg1N1owMTELMAkGA1UEBhMCU0UxIjAgBgNVBAMMGVRlc3QgY2VydCBL
+ZXlFbmNpcGhlcm1lbnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL1qCW1l
+/S+mAnRIWVrWsc/SMGAhkr/tlNHf6d63wsVdyHun8rPgG3i6qLpL7pVcBncQOb7l
+TErwHpag33d6egbOlbDZ/axLhUWxfKVRr7jDgm8hCTcDsGHgBEaocVamNmd5QuHv
+vygdoO8CbiZg4f4FlXKHucEIju3c/XEGFYB5AgMBAAGjOTA3MAkGA1UdEwQCMAAw
+CwYDVR0PBAQDAgVgMB0GA1UdDgQWBBQX8/SL0c3Uo9mdoA5uUu4RA4UybzANBgkq
+hkiG9w0BAQUFAAOBgQBfHYbCvevHda227MgQlk+Lsja0e7rEtWwcLoDr0JdfcUiK
+efcF7iuW77loDfqGc8cwPyKB6s9GOktNMTkpXRq4RK4S8Rjq3lVH9Bx3BzRBzxzx
+HPgNY8HotJjny8EtlrNaIW765+EVh4TJcTFfb5OYf8oA042Wu7UDr8BNTqKllw==
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/test-ke-only.key b/crypto/heimdal/lib/hx509/data/test-ke-only.key
new file mode 100644
index 0000000..878267e
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/test-ke-only.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQC9agltZf0vpgJ0SFla1rHP0jBgIZK/7ZTR3+net8LFXch7p/Kz
+4Bt4uqi6S+6VXAZ3EDm+5UxK8B6WoN93enoGzpWw2f2sS4VFsXylUa+4w4JvIQk3
+A7Bh4ARGqHFWpjZneULh778oHaDvAm4mYOH+BZVyh7nBCI7t3P1xBhWAeQIDAQAB
+AoGASR2vee1OqJ/6foyXAXuys7g9OD59eVzqf4Fhs7lXk/w5sZIJG+o8cIQNMayx
+8jHNxRQcVlYI9zxtclOzL1m11FPRgP6oVicPdIbKf/9JQhjlq/RgX/N66iBSPOW3
+80RtZ0G9pI+9RQN3sG1t39sXyMZJz5ApkcrsIfkX7Ej8tAkCQQD1mqP32MjUIpDc
+x15ybBXib7E/27f/aM04Zg4D1WLkYANmUKFLiNeKKEIy+R6iQ9bqcWdh/u2Pu08e
+I9eusolbAkEAxW6GQOihK5hsmKY7QdrORP6I6g8nqu/esiN1/LMtIVZdHtuaLxea
+3XUIewnK1h5d2eKXyWjMgT8o5y/XtT5xuwJAVW7mbJeHPGuNso7TZr/8WNj7cjgu
+5/R/toehhmnazZAsfpG7mbfPKirY5DxOEKnCf6jVCnyQDHhejCBxrT5DkwJBALrW
+MW7Tt1JOWNbM2V8k9fcM+fymgt+dSJ5EOK//0EGwPUeqgmr2Z7QTwQbO6YlgC2ja
+qtILvxzA7LB78iKvCWkCQQCOPkDbIzy5JM8AZtUFYb7PqJBb5fHDg3wiKWXiTh8+
+eaBxDdbBxCsamPLwfP2cguCvVv9yz3ODA9Aopny9iAv3
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/heimdal/lib/hx509/data/test-nopw.p12 b/crypto/heimdal/lib/hx509/data/test-nopw.p12
new file mode 100644
index 0000000..49db084
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/test-nopw.p12
diff --git a/crypto/heimdal/lib/hx509/data/test-pw.key b/crypto/heimdal/lib/hx509/data/test-pw.key
new file mode 100644
index 0000000..e844a98
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/test-pw.key
@@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,B9B1B14B38E4ED57E3F9D8DFA7FEB086
+
+mgUkuZfb6TTZ+69kLKbHpwfSYmY1tRMeIuuqcY6qdNpF70kiZ6BylMYzGG29OZJQ
+ttiYmYz1zFYVhWrnpGnK7Raa7CHaohlcPfiUBD2lRzNmj6xYAJdooiR9kWNnZZe5
+JTOpLuokpSWSqgS58AB1BLkK67JGTEhF3iDwPff/oVBjW5X/VMRd62RfDk32MJmd
+nd+xNdBeKk7nXwMITZyv3n5KayVohNSpFblIAwl/k8BDLavIKboZtJDqw9LyRpWC
+KLtToAWTO7pvZcOoK9yIhM5TtbZkp7pQrebGjoYkvdF84i4oVS85q8swwsw7BFq5
+s8AVbdC0kcj5tfSaJYxFonyj5BHiEc1k1CLkcn0Aff1DhW/vR93W28UgQBT11Lxf
+bvHxCSIGp6TKut7Jr1FGs6tzU5eTI2AlWeWJBoANDD2HaKnouRQfDEf8pHP9Odxg
+nOQ4HinpwpylimqisYqHbeocO5izz1xioze82SxYQTUGj+gCViSBIBesVaZ31DGm
+3ECN94ItCm9z6zAeMNtUdLkTY6rPeetwrXXcrWddD7p5c1HdWEEQHU1HilunQc6N
+I39udeWfW0HlINxKu7IgOepNipdw9EFUPtY1LGP+2Xa3ezi8saXPbsq0i/0looWf
+dhjvWke/uwi16zwDKL25pNSmSAKyhD+P46f5pcf1yk1MbMkFbfTrHzcxOIN1Fd5m
+rFVJTUnVonQinb8cEyqgg/2ufvOe6AnaIqjsKdFUQthYrCg6Voupis+SXRbIefhr
+diiBsOoIu8O38I9R6KmSs+CYTBeChWmt1sAJudRIgZ3v5vTm734qwlxijL4sSkYQ
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/heimdal/lib/hx509/data/test-signed-data b/crypto/heimdal/lib/hx509/data/test-signed-data
new file mode 100644
index 0000000..ae27556
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/test-signed-data
diff --git a/crypto/heimdal/lib/hx509/data/test-signed-data-noattr b/crypto/heimdal/lib/hx509/data/test-signed-data-noattr
new file mode 100644
index 0000000..11b008e
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/test-signed-data-noattr
diff --git a/crypto/heimdal/lib/hx509/data/test-signed-data-noattr-nocerts b/crypto/heimdal/lib/hx509/data/test-signed-data-noattr-nocerts
new file mode 100644
index 0000000..0c94ab9
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/test-signed-data-noattr-nocerts
diff --git a/crypto/heimdal/lib/hx509/data/test.combined.crt b/crypto/heimdal/lib/hx509/data/test.combined.crt
new file mode 100644
index 0000000..05c1e74
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/test.combined.crt
@@ -0,0 +1,68 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: CN=hx509 Test Root CA, C=SE
+        Validity
+            Not Before: Nov 15 06:58:56 2007 GMT
+            Not After : Nov 12 06:58:56 2017 GMT
+        Subject: C=SE, CN=Test cert
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:e8:bd:c6:8e:de:37:d8:f3:43:23:c3:27:b6:49:
+                    65:33:a8:b2:a9:f0:16:0d:90:49:47:7b:90:98:e4:
+                    ae:de:dd:64:b6:3b:48:b7:2e:0b:02:18:1f:85:f3:
+                    48:af:78:4b:54:34:63:62:06:30:f0:b5:a2:e9:db:
+                    35:6c:c7:55:f5:30:27:a0:66:54:a5:e8:52:27:52:
+                    43:4e:90:04:11:6a:e8:2b:52:e4:8d:fe:fd:c4:aa:
+                    b0:4e:63:c6:aa:2d:0a:4e:1d:ae:1c:0d:c8:12:10:
+                    93:af:5c:e5:31:30:df:2c:0d:d7:c4:9e:d1:fd:37:
+                    3a:45:71:fa:62:af:90:5e:c3
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Subject Key Identifier: 
+                D0:9B:77:9A:88:C7:AD:71:07:17:56:E1:0C:4D:B2:23:85:81:D1:EB
+    Signature Algorithm: sha1WithRSAEncryption
+        88:f8:ee:7d:35:36:1c:a9:71:e4:c5:64:b9:c9:c2:2d:9d:d5:
+        79:67:25:12:d7:96:28:4c:dd:92:6a:19:6b:ce:bc:fa:78:bd:
+        f3:d2:c4:5c:a9:d9:4a:b7:ef:40:8f:c8:e2:1a:67:90:58:a4:
+        71:76:87:c2:66:9e:69:57:37:c9:15:b8:c7:d9:fa:3f:32:be:
+        14:5e:7b:41:5c:7f:c2:54:1b:f1:1b:15:20:8c:0a:62:7c:71:
+        07:ff:7d:df:71:75:0c:4b:7d:b8:a1:59:e1:5a:4e:b7:c1:df:
+        98:3b:cf:c9:de:e3:73:6f:fa:2d:fa:39:c5:59:92:08:c4:6b:
+        43:7a
+-----BEGIN CERTIFICATE-----
+MIIB+jCCAWOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
+OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTA3MTExNTA2NTg1NloXDTE3
+MTExMjA2NTg1NlowITELMAkGA1UEBhMCU0UxEjAQBgNVBAMMCVRlc3QgY2VydDCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA6L3Gjt432PNDI8MntkllM6iyqfAW
+DZBJR3uQmOSu3t1ktjtIty4LAhgfhfNIr3hLVDRjYgYw8LWi6ds1bMdV9TAnoGZU
+pehSJ1JDTpAEEWroK1Lkjf79xKqwTmPGqi0KTh2uHA3IEhCTr1zlMTDfLA3XxJ7R
+/Tc6RXH6Yq+QXsMCAwEAAaM5MDcwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYD
+VR0OBBYEFNCbd5qIx61xBxdW4QxNsiOFgdHrMA0GCSqGSIb3DQEBBQUAA4GBAIj4
+7n01NhypceTFZLnJwi2d1XlnJRLXlihM3ZJqGWvOvPp4vfPSxFyp2Uq370CPyOIa
+Z5BYpHF2h8JmnmlXN8kVuMfZ+j8yvhRee0Fcf8JUG/EbFSCMCmJ8cQf/fd9xdQxL
+fbihWeFaTrfB35g7z8ne43Nv+i36OcVZkgjEa0N6
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDovcaO3jfY80Mjwye2SWUzqLKp8BYNkElHe5CY5K7e3WS2O0i3
+LgsCGB+F80iveEtUNGNiBjDwtaLp2zVsx1X1MCegZlSl6FInUkNOkAQRaugrUuSN
+/v3EqrBOY8aqLQpOHa4cDcgSEJOvXOUxMN8sDdfEntH9NzpFcfpir5BewwIDAQAB
+AoGBAKS3WsVWBBRo5cVzorFh9FvBMuEOZ60lxpbunoF2p0RXT6WhA2+RCH1s8TJt
+4a0956IqiYOgehaBllEHsSHRWcUZ0P96qhZbVn1fWem0/U1VGb6d9WFftqPCOgYI
+0joyDn+mmS1nhILexQARULyM67JyhX1xVbgFQUeTtr2WGIdBAkEA9hQURHdgxsu+
+iqe+93I1mA0LccKI3Mmb9jM0DBW1+NeGw17xE39u2DTLsFTIXkcpGzbaJYPaaOhU
+pcpLX7haMQJBAPIgCT9cwEhX/MQq4eViCXd7blg4FxlDJDrD8sC8E0xss2N9Kpk4
+aJBtd4leOlzDwCanlWHrMCKo/NuE2b58FzMCQQDLTMtxxS6vDqTc6LlctX6RoDVU
+RuPLhMTVInhdg5JTg7xSrJ1+/kkVVojxpRnkyeWsFiUj2UsYYNmOHxMmgagBAkEA
+1to8uoAolEmXn89Zsv3C3salzRzAyob84DS+9e4uxdNzf+Yy5dHbX8Xzm+8EpQqD
+OQnekgxsI2WHM5h4zAI7ZwJAefxLT1ljFxZmp1612/jqDaeNmmUHIN2aMpDinIle
+r2S7S+UC+m573YcLZoYy9QAcTjnvgs/99zXjewfIQSQOmw==
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/heimdal/lib/hx509/data/test.crt b/crypto/heimdal/lib/hx509/data/test.crt
new file mode 100644
index 0000000..607605b
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/test.crt
@@ -0,0 +1,53 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: CN=hx509 Test Root CA, C=SE
+        Validity
+            Not Before: Nov 15 06:58:56 2007 GMT
+            Not After : Nov 12 06:58:56 2017 GMT
+        Subject: C=SE, CN=Test cert
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:e8:bd:c6:8e:de:37:d8:f3:43:23:c3:27:b6:49:
+                    65:33:a8:b2:a9:f0:16:0d:90:49:47:7b:90:98:e4:
+                    ae:de:dd:64:b6:3b:48:b7:2e:0b:02:18:1f:85:f3:
+                    48:af:78:4b:54:34:63:62:06:30:f0:b5:a2:e9:db:
+                    35:6c:c7:55:f5:30:27:a0:66:54:a5:e8:52:27:52:
+                    43:4e:90:04:11:6a:e8:2b:52:e4:8d:fe:fd:c4:aa:
+                    b0:4e:63:c6:aa:2d:0a:4e:1d:ae:1c:0d:c8:12:10:
+                    93:af:5c:e5:31:30:df:2c:0d:d7:c4:9e:d1:fd:37:
+                    3a:45:71:fa:62:af:90:5e:c3
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Subject Key Identifier: 
+                D0:9B:77:9A:88:C7:AD:71:07:17:56:E1:0C:4D:B2:23:85:81:D1:EB
+    Signature Algorithm: sha1WithRSAEncryption
+        88:f8:ee:7d:35:36:1c:a9:71:e4:c5:64:b9:c9:c2:2d:9d:d5:
+        79:67:25:12:d7:96:28:4c:dd:92:6a:19:6b:ce:bc:fa:78:bd:
+        f3:d2:c4:5c:a9:d9:4a:b7:ef:40:8f:c8:e2:1a:67:90:58:a4:
+        71:76:87:c2:66:9e:69:57:37:c9:15:b8:c7:d9:fa:3f:32:be:
+        14:5e:7b:41:5c:7f:c2:54:1b:f1:1b:15:20:8c:0a:62:7c:71:
+        07:ff:7d:df:71:75:0c:4b:7d:b8:a1:59:e1:5a:4e:b7:c1:df:
+        98:3b:cf:c9:de:e3:73:6f:fa:2d:fa:39:c5:59:92:08:c4:6b:
+        43:7a
+-----BEGIN CERTIFICATE-----
+MIIB+jCCAWOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
+OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTA3MTExNTA2NTg1NloXDTE3
+MTExMjA2NTg1NlowITELMAkGA1UEBhMCU0UxEjAQBgNVBAMMCVRlc3QgY2VydDCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA6L3Gjt432PNDI8MntkllM6iyqfAW
+DZBJR3uQmOSu3t1ktjtIty4LAhgfhfNIr3hLVDRjYgYw8LWi6ds1bMdV9TAnoGZU
+pehSJ1JDTpAEEWroK1Lkjf79xKqwTmPGqi0KTh2uHA3IEhCTr1zlMTDfLA3XxJ7R
+/Tc6RXH6Yq+QXsMCAwEAAaM5MDcwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYD
+VR0OBBYEFNCbd5qIx61xBxdW4QxNsiOFgdHrMA0GCSqGSIb3DQEBBQUAA4GBAIj4
+7n01NhypceTFZLnJwi2d1XlnJRLXlihM3ZJqGWvOvPp4vfPSxFyp2Uq370CPyOIa
+Z5BYpHF2h8JmnmlXN8kVuMfZ+j8yvhRee0Fcf8JUG/EbFSCMCmJ8cQf/fd9xdQxL
+fbihWeFaTrfB35g7z8ne43Nv+i36OcVZkgjEa0N6
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/test.key b/crypto/heimdal/lib/hx509/data/test.key
new file mode 100644
index 0000000..5251ceb
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/test.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDovcaO3jfY80Mjwye2SWUzqLKp8BYNkElHe5CY5K7e3WS2O0i3
+LgsCGB+F80iveEtUNGNiBjDwtaLp2zVsx1X1MCegZlSl6FInUkNOkAQRaugrUuSN
+/v3EqrBOY8aqLQpOHa4cDcgSEJOvXOUxMN8sDdfEntH9NzpFcfpir5BewwIDAQAB
+AoGBAKS3WsVWBBRo5cVzorFh9FvBMuEOZ60lxpbunoF2p0RXT6WhA2+RCH1s8TJt
+4a0956IqiYOgehaBllEHsSHRWcUZ0P96qhZbVn1fWem0/U1VGb6d9WFftqPCOgYI
+0joyDn+mmS1nhILexQARULyM67JyhX1xVbgFQUeTtr2WGIdBAkEA9hQURHdgxsu+
+iqe+93I1mA0LccKI3Mmb9jM0DBW1+NeGw17xE39u2DTLsFTIXkcpGzbaJYPaaOhU
+pcpLX7haMQJBAPIgCT9cwEhX/MQq4eViCXd7blg4FxlDJDrD8sC8E0xss2N9Kpk4
+aJBtd4leOlzDwCanlWHrMCKo/NuE2b58FzMCQQDLTMtxxS6vDqTc6LlctX6RoDVU
+RuPLhMTVInhdg5JTg7xSrJ1+/kkVVojxpRnkyeWsFiUj2UsYYNmOHxMmgagBAkEA
+1to8uoAolEmXn89Zsv3C3salzRzAyob84DS+9e4uxdNzf+Yy5dHbX8Xzm+8EpQqD
+OQnekgxsI2WHM5h4zAI7ZwJAefxLT1ljFxZmp1612/jqDaeNmmUHIN2aMpDinIle
+r2S7S+UC+m573YcLZoYy9QAcTjnvgs/99zXjewfIQSQOmw==
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/heimdal/lib/hx509/data/test.p12 b/crypto/heimdal/lib/hx509/data/test.p12
new file mode 100644
index 0000000..ad3e90a
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/test.p12
diff --git a/crypto/heimdal/lib/hx509/data/yutaka-pad-broken-ca.pem b/crypto/heimdal/lib/hx509/data/yutaka-pad-broken-ca.pem
new file mode 100644
index 0000000..32685d1
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/yutaka-pad-broken-ca.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICijCCAfOgAwIBAgIJAOSnzE4Qx2H+MA0GCSqGSIb3DQEBBQUAMDkxCzAJBgNV
+BAYTAkpQMRQwEgYDVQQKEwtDQSBURVNUIDEtNDEUMBIGA1UEAxMLQ0EgVEVTVCAx
+LTQwHhcNMDYwOTA3MTYzMzE4WhcNMDYxMDA3MTYzMzE4WjA5MQswCQYDVQQGEwJK
+UDEUMBIGA1UEChMLQ0EgVEVTVCAxLTQxFDASBgNVBAMTC0NBIFRFU1QgMS00MIGd
+MA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDZfFjkPDZeorxWqk7/DKM2d/9Nao28
+dM6T5sb5L41hD5C1kXV6MJev5ALASSxtI6OVOmZO4gfubnsvcj0NTZO4SeF1yL1r
+VDPdx7juQI1cbDiG/EwIMW29UIdj9h052JTmEbpT0RuP/4JWmAWrdO5UE40xua7S
+z2/6+DB2ZklFoQIBA6OBmzCBmDAdBgNVHQ4EFgQU340JbeYcg6V9zi8aozy48aIh
+tfgwaQYDVR0jBGIwYIAU340JbeYcg6V9zi8aozy48aIhtfihPaQ7MDkxCzAJBgNV
+BAYTAkpQMRQwEgYDVQQKEwtDQSBURVNUIDEtNDEUMBIGA1UEAxMLQ0EgVEVTVCAx
+LTSCCQDkp8xOEMdh/jAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBABsH
+aJ/c/3cGHssi8IvVRci/aavqj607y7l22nKDtG1p4KAjnfNhBMOhRhFv00nJnokK
+y0uc4DIegAW1bxQjqcMNNEmGbzAeixH/cRCot8C1LobEQmxNWCY2DJLWoI3wwqr8
+uUSnI1CDZ5402etkCiNXsDy/eYDrF+2KonkIWRrr
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/yutaka-pad-broken-cert.pem b/crypto/heimdal/lib/hx509/data/yutaka-pad-broken-cert.pem
new file mode 100644
index 0000000..b0726ea
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/yutaka-pad-broken-cert.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzTCCAjagAwIBAgIJAOSnzE4Qx2H/MA0GCSqGSIb3DQEBBQUAMDkxCzAJBgNV
+BAYTAkpQMRQwEgYDVQQKEwtDQSBURVNUIDEtNDEUMBIGA1UEAxMLQ0EgVEVTVCAx
+LTQwHhcNMDYwOTA3MTY0MDM3WhcNMDcwOTA3MTY0MDM3WjBPMQswCQYDVQQGEwJK
+UDEOMAwGA1UECBMFVG9reW8xFjAUBgNVBAoTDVRFU1QgMiBDTElFTlQxGDAWBgNV
+BAMTD3d3dzIuZXhhbXBsZS5qcDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+vSpZ6ig9DpeKB60h7ii1RitNuvkn4INOfEXjCjPSFwmIbGJqnyWvKTiMKzguEYkG
+6CZAbsx44t3kvsVDeUd5WZBRgMoeQd1tNJBU4BXxOA8bVzdwstzaPeeufQtZDvKf
+M4ej+fo/j9lYH9udCug1huaNybcCtijzGonkddX4JEUCAwEAAaOBxjCBwzAJBgNV
+HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp
+Y2F0ZTAdBgNVHQ4EFgQUK0DZtd8K1P2ij9gVKUNcHlx7uCIwaQYDVR0jBGIwYIAU
+340JbeYcg6V9zi8aozy48aIhtfihPaQ7MDkxCzAJBgNVBAYTAkpQMRQwEgYDVQQK
+EwtDQSBURVNUIDEtNDEUMBIGA1UEAxMLQ0EgVEVTVCAxLTSCCQDkp8xOEMdh/jAN
+BgkqhkiG9w0BAQUFAAOBgQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAUKJ+eFJYSvXwGF2wxzDXj+x5YCItrHFmrEy4AXXAW+H0NgJVNvqRY/O
+Kw==
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/yutaka-pad-ok-ca.pem b/crypto/heimdal/lib/hx509/data/yutaka-pad-ok-ca.pem
new file mode 100644
index 0000000..32685d1
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/yutaka-pad-ok-ca.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICijCCAfOgAwIBAgIJAOSnzE4Qx2H+MA0GCSqGSIb3DQEBBQUAMDkxCzAJBgNV
+BAYTAkpQMRQwEgYDVQQKEwtDQSBURVNUIDEtNDEUMBIGA1UEAxMLQ0EgVEVTVCAx
+LTQwHhcNMDYwOTA3MTYzMzE4WhcNMDYxMDA3MTYzMzE4WjA5MQswCQYDVQQGEwJK
+UDEUMBIGA1UEChMLQ0EgVEVTVCAxLTQxFDASBgNVBAMTC0NBIFRFU1QgMS00MIGd
+MA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDZfFjkPDZeorxWqk7/DKM2d/9Nao28
+dM6T5sb5L41hD5C1kXV6MJev5ALASSxtI6OVOmZO4gfubnsvcj0NTZO4SeF1yL1r
+VDPdx7juQI1cbDiG/EwIMW29UIdj9h052JTmEbpT0RuP/4JWmAWrdO5UE40xua7S
+z2/6+DB2ZklFoQIBA6OBmzCBmDAdBgNVHQ4EFgQU340JbeYcg6V9zi8aozy48aIh
+tfgwaQYDVR0jBGIwYIAU340JbeYcg6V9zi8aozy48aIhtfihPaQ7MDkxCzAJBgNV
+BAYTAkpQMRQwEgYDVQQKEwtDQSBURVNUIDEtNDEUMBIGA1UEAxMLQ0EgVEVTVCAx
+LTSCCQDkp8xOEMdh/jAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBABsH
+aJ/c/3cGHssi8IvVRci/aavqj607y7l22nKDtG1p4KAjnfNhBMOhRhFv00nJnokK
+y0uc4DIegAW1bxQjqcMNNEmGbzAeixH/cRCot8C1LobEQmxNWCY2DJLWoI3wwqr8
+uUSnI1CDZ5402etkCiNXsDy/eYDrF+2KonkIWRrr
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/yutaka-pad-ok-cert.pem b/crypto/heimdal/lib/hx509/data/yutaka-pad-ok-cert.pem
new file mode 100644
index 0000000..9a89e59
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/yutaka-pad-ok-cert.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzTCCAjagAwIBAgIJAOSnzE4Qx2H/MA0GCSqGSIb3DQEBBQUAMDkxCzAJBgNV
+BAYTAkpQMRQwEgYDVQQKEwtDQSBURVNUIDEtNDEUMBIGA1UEAxMLQ0EgVEVTVCAx
+LTQwHhcNMDYwOTA3MTY0MDM3WhcNMDcwOTA3MTY0MDM3WjBPMQswCQYDVQQGEwJK
+UDEOMAwGA1UECBMFVG9reW8xFjAUBgNVBAoTDVRFU1QgMiBDTElFTlQxGDAWBgNV
+BAMTD3d3dzIuZXhhbXBsZS5qcDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+vSpZ6ig9DpeKB60h7ii1RitNuvkn4INOfEXjCjPSFwmIbGJqnyWvKTiMKzguEYkG
+6CZAbsx44t3kvsVDeUd5WZBRgMoeQd1tNJBU4BXxOA8bVzdwstzaPeeufQtZDvKf
+M4ej+fo/j9lYH9udCug1huaNybcCtijzGonkddX4JEUCAwEAAaOBxjCBwzAJBgNV
+HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp
+Y2F0ZTAdBgNVHQ4EFgQUK0DZtd8K1P2ij9gVKUNcHlx7uCIwaQYDVR0jBGIwYIAU
+340JbeYcg6V9zi8aozy48aIhtfihPaQ7MDkxCzAJBgNVBAYTAkpQMRQwEgYDVQQK
+EwtDQSBURVNUIDEtNDEUMBIGA1UEAxMLQ0EgVEVTVCAxLTSCCQDkp8xOEMdh/jAN
+BgkqhkiG9w0BAQUFAAOBgQCkGhwCDLRwWbDnDFReXkIZ1/9OhfiR8yL1idP9iYVU
+cSoWxSHPBWkv6LORFS03APcXCSzDPJ9pxTjFjGGFSI91fNrzkKdHU/+0WCF2uTh7
+Dz2blqtcmnJqMSn1xHxxfM/9e6M3XwFUMf7SGiKRAbDfsauPafEPTn83vSeKj1lg
+Dw==
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/lib/hx509/data/yutaka-pad.key b/crypto/heimdal/lib/hx509/data/yutaka-pad.key
new file mode 100644
index 0000000..1763623
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/data/yutaka-pad.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQC9KlnqKD0Ol4oHrSHuKLVGK026+Sfgg058ReMKM9IXCYhsYmqf
+Ja8pOIwrOC4RiQboJkBuzHji3eS+xUN5R3lZkFGAyh5B3W00kFTgFfE4DxtXN3Cy
+3No95659C1kO8p8zh6P5+j+P2Vgf250K6DWG5o3JtwK2KPMaieR11fgkRQIDAQAB
+AoGBAJCYvwJun713uNsFTNpv46EvmMtDiWfk9ymnglVaJ03Uy6ON11Kvy6UGxJ6E
+4zIkPFNYaghH5GAGncP1pg4exHKRGJTNcQbMf9iOsCTOuvKSWbBZpnJcFllKyESK
+PTt72D6x/cuzDXVTeWvQMoOILa09szW7aqFNIdxae4Vq7a4BAkEA6MoehuRtZ4N9
+Jtc9cIpSKOOatZ1UajWEFV2yVHaDED2kkWxKjppPzRn06LzX8LWm1RT0qe3Zyasi
+iXCXlno/+QJBANAGvY+k/+OvzWnv1yTKO8OmrMqkSzh3KAhFbiVWdQaqMSCWtKYk
+GoOKnq0PB73ExhdbTFmxC4KBPHTC2guOca0CQCD78pNebnoKUYNdYCFAGCAfD97H
+6hwadRqp6gi5uhxk/5pzY6UNDF2dXexURayfsIHktD4Xq5I9o2kiAPibXdECQQDC
+KihwlL9K02JVSMl0y1XxDfclxSd4cq9o2PUv4HymVeA43LGMiRI+SPpF6Ut+ctW6
+IzsmVDu7+chl6yD9vFyZAkA3Auv9UxKL3kPtvu5G/lrCVmwzVfAzuwtnmSfp1+M5
+yTYBz+VFSsYrdlDZ3jdLnFzVOMiIm9pZca/L93QjmXJ+
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/heimdal/lib/hx509/doxygen.c b/crypto/heimdal/lib/hx509/doxygen.c
new file mode 100644
index 0000000..488ae4b
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/doxygen.c
@@ -0,0 +1,85 @@
+/*
+ * Copyright (c) 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/** @mainpage Heimdal PKIX/X.509 library
+ *
+ * @section intro Introduction
+ *
+ * Heimdal libhx509 library is a implementation of the PKIX/X.509 and
+ * related protocols.
+ * 
+ * PKIX/X.509 is ...
+ *
+ *
+ * Sections in this manual are:
+ * - @ref page_name
+ * - @ref page_cert
+ * - @ref page_keyset
+ * - @ref page_error
+ * - @ref page_lock
+ * - @ref page_cms
+ * - @ref page_ca
+ * - @ref page_revoke
+ * - @ref page_print
+ * - @ref page_env
+ *
+ * The project web page:
+ * http://www.h5l.org/
+ *
+ */
+
+/** @defgroup hx509 hx509 library */
+
+/** @defgroup hx509_error hx509 error functions
+ * See the @ref page_error for description and examples. */
+/** @defgroup hx509_cert hx509 certificate functions
+ * See the @ref page_cert for description and examples. */
+/** @defgroup hx509_keyset hx509 certificate store functions
+ * See the @ref page_keyset for description and examples. */
+/** @defgroup hx509_cms hx509 CMS/pkcs7 functions
+ * See the @ref page_cms for description and examples. */
+/** @defgroup hx509_crypto hx509 crypto functions */
+/** @defgroup hx509_misc hx509 misc functions */
+/** @defgroup hx509_name hx509 name functions 
+ * See the @ref page_name for description and examples. */
+/** @defgroup hx509_revoke hx509 revokation checking functions
+ * See the @ref page_revoke for description and examples. */
+/** @defgroup hx509_verify hx509 verification functions */
+/** @defgroup hx509_lock hx509 lock functions
+ * See the @ref page_lock for description and examples. */
+/** @defgroup hx509_query hx509 query functions */
+/** @defgroup hx509_ca hx509 CA functions
+ * See the @ref page_ca for description and examples. */
+/** @defgroup hx509_peer hx509 certificate selecting functions */
+/** @defgroup hx509_print hx509 printing functions */
+/** @defgroup hx509_env hx509 enviroment functions */
diff --git a/crypto/heimdal/lib/hx509/env.c b/crypto/heimdal/lib/hx509/env.c
new file mode 100644
index 0000000..f868c22
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/env.c
@@ -0,0 +1,161 @@
+/*
+ * Copyright (c) 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hx_locl.h"
+RCSID("$Id: env.c 22349 2007-12-26 19:32:49Z lha $");
+
+/**
+ * @page page_env Hx509 enviroment functions
+ *
+ * See the library functions here: @ref hx509_env
+ */
+
+struct hx509_env {
+    struct {
+	char *key;
+	char *value;
+    } *val;
+    size_t len;
+};
+
+/**
+ * Allocate a new hx509_env container object.
+ *
+ * @param context A hx509 context.
+ * @param env return a hx509_env structure, free with hx509_env_free().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_env
+ */
+
+int
+hx509_env_init(hx509_context context, hx509_env *env)
+{
+    *env = calloc(1, sizeof(**env));
+    if (*env == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+    return 0;
+}
+
+/**
+ * Add a new key/value pair to the hx509_env.
+ *
+ * @param context A hx509 context.
+ * @param env enviroment to add the enviroment variable too.
+ * @param key key to add
+ * @param value value to add
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_env
+ */
+
+int
+hx509_env_add(hx509_context context, hx509_env env, 
+	      const char *key, const char *value)
+{
+    void *ptr;
+
+    ptr = realloc(env->val, sizeof(env->val[0]) * (env->len + 1));
+    if (ptr == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+    env->val = ptr;
+    env->val[env->len].key = strdup(key);
+    if (env->val[env->len].key == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+    env->val[env->len].value = strdup(value);
+    if (env->val[env->len].value == NULL) {
+	free(env->val[env->len].key);
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+    env->len++;
+    return 0;
+}
+
+/**
+ * Search the hx509_env for a key.
+ *
+ * @param context A hx509 context.
+ * @param env enviroment to add the enviroment variable too.
+ * @param key key to search for.
+ * @param len length of key.
+ *
+ * @return the value if the key is found, NULL otherwise.
+ *
+ * @ingroup hx509_env
+ */
+
+const char *
+hx509_env_lfind(hx509_context context, hx509_env env,
+		const char *key, size_t len)
+{
+    size_t i;
+
+    for (i = 0; i < env->len; i++) {
+	char *s = env->val[i].key;
+	if (strncmp(key, s, len) == 0 && s[len] == '\0')
+	    return env->val[i].value;
+    }
+    return NULL;
+}
+
+/**
+ * Free an hx509_env enviroment context.
+ *
+ * @param env the enviroment to free.
+ *
+ * @ingroup hx509_env
+ */
+
+void
+hx509_env_free(hx509_env *env)
+{
+    size_t i;
+
+    for (i = 0; i < (*env)->len; i++) {
+	free((*env)->val[i].key);
+	free((*env)->val[i].value);
+    }
+    free((*env)->val);
+    free(*env);
+    *env = NULL;
+}
+
diff --git a/crypto/heimdal/lib/hx509/error.c b/crypto/heimdal/lib/hx509/error.c
new file mode 100644
index 0000000..25119ed
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/error.c
@@ -0,0 +1,223 @@
+/*
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hx_locl.h"
+RCSID("$Id: error.c 22332 2007-12-17 01:03:22Z lha $");
+
+/**
+ * @page page_error Hx509 error reporting functions
+ *
+ * See the library functions here: @ref hx509_error
+ */
+
+struct hx509_error_data {
+    hx509_error next;
+    int code;
+    char *msg;
+};
+
+static void
+free_error_string(hx509_error msg)
+{
+    while(msg) {
+	hx509_error m2 = msg->next;
+	free(msg->msg);
+	free(msg);
+	msg = m2;
+    }
+}
+
+/**
+ * Resets the error strings the hx509 context.
+ *
+ * @param context A hx509 context.
+ *
+ * @ingroup hx509_error
+ */
+
+void
+hx509_clear_error_string(hx509_context context)
+{
+    free_error_string(context->error);
+    context->error = NULL;
+}
+
+/**
+ * Add an error message to the hx509 context.
+ *
+ * @param context A hx509 context.
+ * @param flags
+ * - HX509_ERROR_APPEND appends the error string to the old messages
+     (code is updated).
+ * @param code error code related to error message
+ * @param fmt error message format
+ * @param ap arguments to error message format
+ *
+ * @ingroup hx509_error
+ */
+
+void
+hx509_set_error_stringv(hx509_context context, int flags, int code, 
+			const char *fmt, va_list ap)
+{
+    hx509_error msg;
+
+    msg = calloc(1, sizeof(*msg));
+    if (msg == NULL) {
+	hx509_clear_error_string(context);
+	return;
+    }
+
+    if (vasprintf(&msg->msg, fmt, ap) == -1) {
+	hx509_clear_error_string(context);
+	free(msg);
+	return;
+    }
+    msg->code = code;
+
+    if (flags & HX509_ERROR_APPEND) {
+	msg->next = context->error;
+	context->error = msg;
+    } else  {
+	free_error_string(context->error);
+	context->error = msg;
+    }
+}
+
+/**
+ * See hx509_set_error_stringv(). 
+ *
+ * @param context A hx509 context.
+ * @param flags
+ * - HX509_ERROR_APPEND appends the error string to the old messages
+     (code is updated).
+ * @param code error code related to error message
+ * @param fmt error message format
+ * @param ... arguments to error message format
+ *
+ * @ingroup hx509_error
+ */
+
+void
+hx509_set_error_string(hx509_context context, int flags, int code,
+		       const char *fmt, ...)
+{
+    va_list ap;
+
+    va_start(ap, fmt);
+    hx509_set_error_stringv(context, flags, code, fmt, ap);
+    va_end(ap);
+}
+
+/**
+ * Get an error string from context associated with error_code.
+ *
+ * @param context A hx509 context.
+ * @param error_code Get error message for this error code.
+ *
+ * @return error string, free with hx509_free_error_string().
+ *
+ * @ingroup hx509_error
+ */
+
+char *
+hx509_get_error_string(hx509_context context, int error_code)
+{
+    struct rk_strpool *p = NULL;
+    hx509_error msg = context->error;
+
+    if (msg == NULL || msg->code != error_code) {
+	const char *cstr;
+	char *str;
+
+	cstr = com_right(context->et_list, error_code);
+	if (cstr)
+	    return strdup(cstr);
+	cstr = strerror(error_code);
+	if (cstr)
+	    return strdup(cstr);
+	if (asprintf(&str, "<unknown error: %d>", error_code) == -1)
+	    return NULL;
+	return str;
+    }
+
+    for (msg = context->error; msg; msg = msg->next)
+	p = rk_strpoolprintf(p, "%s%s", msg->msg, 
+			     msg->next != NULL ? "; " : "");
+
+    return rk_strpoolcollect(p);
+}
+
+/**
+ * Free error string returned by hx509_get_error_string().
+ *
+ * @param str error string to free.
+ *
+ * @ingroup hx509_error
+ */
+
+void
+hx509_free_error_string(char *str)
+{
+    free(str);
+}
+
+/**
+ * Print error message and fatally exit from error code
+ *
+ * @param context A hx509 context.
+ * @param exit_code exit() code from process.
+ * @param error_code Error code for the reason to exit.
+ * @param fmt format string with the exit message.
+ * @param ... argument to format string.
+ *
+ * @ingroup hx509_error
+ */
+
+void
+hx509_err(hx509_context context, int exit_code, 
+	  int error_code, const char *fmt, ...)
+{
+    va_list ap;
+    const char *msg;
+    char *str;
+
+    va_start(ap, fmt);
+    vasprintf(&str, fmt, ap);
+    va_end(ap);
+    msg = hx509_get_error_string(context, error_code);
+    if (msg == NULL)
+	msg = "no error";
+
+    errx(exit_code, "%s: %s", str, msg);
+}
diff --git a/crypto/heimdal/lib/hx509/file.c b/crypto/heimdal/lib/hx509/file.c
new file mode 100644
index 0000000..b076b74
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/file.c
@@ -0,0 +1,376 @@
+/*
+ * Copyright (c) 2005 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hx_locl.h"
+RCSID("$ID$");
+
+int
+_hx509_map_file_os(const char *fn, heim_octet_string *os, struct stat *rsb)
+{
+    size_t length;
+    void *data;
+    int ret;
+
+    ret = _hx509_map_file(fn, &data, &length, rsb);
+
+    os->data = data;
+    os->length = length;
+
+    return ret;
+}
+
+void
+_hx509_unmap_file_os(heim_octet_string *os)
+{
+    _hx509_unmap_file(os->data, os->length);
+}
+
+int
+_hx509_map_file(const char *fn, void **data, size_t *length, struct stat *rsb)
+{
+    struct stat sb;
+    size_t len;
+    ssize_t l;
+    int ret;
+    void *d;
+    int fd;
+
+    *data = NULL;
+    *length = 0;
+
+    fd = open(fn, O_RDONLY);
+    if (fd < 0)
+	return errno;
+    
+    if (fstat(fd, &sb) < 0) {
+	ret = errno;
+	close(fd);
+	return ret;
+    }
+
+    len = sb.st_size;
+
+    d = malloc(len);
+    if (d == NULL) {
+	close(fd);
+	return ENOMEM;
+    }
+    
+    l = read(fd, d, len);
+    close(fd);
+    if (l < 0 || l != len) {
+	free(d);
+	return EINVAL;
+    }
+
+    if (rsb)
+	*rsb = sb;
+    *data = d;
+    *length = len;
+    return 0;
+}
+
+void
+_hx509_unmap_file(void *data, size_t len)
+{
+    free(data);
+}
+
+int
+_hx509_write_file(const char *fn, const void *data, size_t length)
+{
+    ssize_t sz;
+    const unsigned char *p = data;
+    int fd;
+
+    fd = open(fn, O_WRONLY|O_TRUNC|O_CREAT, 0644);
+    if (fd < 0)
+	return errno;
+
+    do {
+	sz = write(fd, p, length);
+	if (sz < 0) {
+	    int saved_errno = errno;
+	    close(fd);
+	    return saved_errno;
+	}
+	if (sz == 0)
+	    break;
+	length -= sz;
+    } while (length > 0);
+		
+    if (close(fd) == -1)
+	return errno;
+
+    return 0;
+}
+
+/*
+ *
+ */
+
+static void
+header(FILE *f, const char *type, const char *str)
+{
+    fprintf(f, "-----%s %s-----\n", type, str);
+}
+
+int
+hx509_pem_write(hx509_context context, const char *type, 
+		hx509_pem_header *headers, FILE *f,
+		const void *data, size_t size)
+{
+    const char *p = data;
+    size_t length;
+    char *line;
+
+#define ENCODE_LINE_LENGTH	54
+    
+    header(f, "BEGIN", type);
+
+    while (headers) {
+	fprintf(f, "%s: %s\n%s", 
+		headers->header, headers->value,
+		headers->next ? "" : "\n");
+	headers = headers->next;
+    }
+
+    while (size > 0) {
+	ssize_t l;
+	
+	length = size;
+	if (length > ENCODE_LINE_LENGTH)
+	    length = ENCODE_LINE_LENGTH;
+	
+	l = base64_encode(p, length, &line);
+	if (l < 0) {
+	    hx509_set_error_string(context, 0, ENOMEM,
+				   "malloc - out of memory");
+	    return ENOMEM;
+	}
+	size -= length;
+	fprintf(f, "%s\n", line);
+	p += length;
+	free(line);
+    }
+
+    header(f, "END", type);
+
+    return 0;
+}
+
+/*
+ *
+ */
+
+int
+hx509_pem_add_header(hx509_pem_header **headers, 
+		     const char *header, const char *value)
+{
+    hx509_pem_header *h;
+
+    h = calloc(1, sizeof(*h));
+    if (h == NULL)
+	return ENOMEM;
+    h->header = strdup(header);
+    if (h->header == NULL) {
+	free(h);
+	return ENOMEM;
+    }
+    h->value = strdup(value);
+    if (h->value == NULL) {
+	free(h->header);
+	free(h);
+	return ENOMEM;
+    }
+
+    h->next = *headers;
+    *headers = h;
+
+    return 0;
+}
+
+void
+hx509_pem_free_header(hx509_pem_header *headers)
+{
+    hx509_pem_header *h;
+    while (headers) {
+	h = headers;
+	headers = headers->next;
+	free(h->header);
+	free(h->value);
+	free(h);
+    }
+}
+
+/*
+ *
+ */
+
+const char *
+hx509_pem_find_header(const hx509_pem_header *h, const char *header)
+{
+    while(h) {
+	if (strcmp(header, h->header) == 0)
+	    return h->value;
+	h = h->next;
+    }
+    return NULL;
+}
+
+
+/*
+ *
+ */
+
+int
+hx509_pem_read(hx509_context context,
+	       FILE *f, 
+	       hx509_pem_read_func func,
+	       void *ctx)
+{
+    hx509_pem_header *headers = NULL;
+    char *type = NULL;
+    void *data = NULL;
+    size_t len = 0;
+    char buf[1024];
+    int ret = HX509_PARSING_KEY_FAILED;
+
+    enum { BEFORE, SEARCHHEADER, INHEADER, INDATA, DONE } where;
+
+    where = BEFORE;
+
+    while (fgets(buf, sizeof(buf), f) != NULL) {
+	char *p;
+	int i;
+
+	i = strcspn(buf, "\n");
+	if (buf[i] == '\n') {
+	    buf[i] = '\0';
+	    if (i > 0)
+		i--;
+	}
+	if (buf[i] == '\r') {
+	    buf[i] = '\0';
+	    if (i > 0)
+		i--;
+	}
+	    
+	switch (where) {
+	case BEFORE:
+	    if (strncmp("-----BEGIN ", buf, 11) == 0) {
+		type = strdup(buf + 11);
+		if (type == NULL)
+		    break;
+		p = strchr(type, '-');
+		if (p)
+		    *p = '\0';
+		where = SEARCHHEADER;
+	    }
+	    break;
+	case SEARCHHEADER:
+	    p = strchr(buf, ':');
+	    if (p == NULL) {
+		where = INDATA;
+		goto indata;
+	    }
+	    /* FALLTHOUGH */
+	case INHEADER:
+	    if (buf[0] == '\0') {
+		where = INDATA;
+		break;
+	    }
+	    p = strchr(buf, ':');
+	    if (p) {
+		*p++ = '\0';
+		while (isspace((int)*p))
+		    p++;
+		ret = hx509_pem_add_header(&headers, buf, p);
+		if (ret)
+		    abort();
+	    }
+	    break;
+	case INDATA:
+	indata:
+
+	    if (strncmp("-----END ", buf, 9) == 0) {
+		where = DONE;
+		break;
+	    }
+
+	    p = emalloc(i);
+	    i = base64_decode(buf, p);
+	    if (i < 0) {
+		free(p);
+		goto out;
+	    }
+	    
+	    data = erealloc(data, len + i);
+	    memcpy(((char *)data) + len, p, i);
+	    free(p);
+	    len += i;
+	    break;
+	case DONE:
+	    abort();
+	}
+
+	if (where == DONE) {
+	    ret = (*func)(context, type, headers, data, len, ctx);
+	out:
+	    free(data);
+	    data = NULL;
+	    len = 0;
+	    free(type);
+	    type = NULL;
+	    where = BEFORE;
+	    hx509_pem_free_header(headers);
+	    headers = NULL;
+	    if (ret)
+		break;
+	}
+    }
+
+    if (where != BEFORE) {
+	hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
+			       "File ends before end of PEM end tag");
+	ret = HX509_PARSING_KEY_FAILED;
+    }
+    if (data)
+	free(data);
+    if (type)
+	free(type);
+    if (headers)
+	hx509_pem_free_header(headers);
+
+    return ret;
+}
diff --git a/crypto/heimdal/lib/hx509/hx509-private.h b/crypto/heimdal/lib/hx509/hx509-private.h
new file mode 100644
index 0000000..67bb843
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/hx509-private.h
@@ -0,0 +1,529 @@
+/* This is a generated file */
+#ifndef __hx509_private_h__
+#define __hx509_private_h__
+
+#include <stdarg.h>
+
+#if !defined(__GNUC__) && !defined(__attribute__)
+#define __attribute__(x)
+#endif
+
+int
+_hx509_AlgorithmIdentifier_cmp (
+	const AlgorithmIdentifier */*p*/,
+	const AlgorithmIdentifier */*q*/);
+
+int
+_hx509_Certificate_cmp (
+	const Certificate */*p*/,
+	const Certificate */*q*/);
+
+int
+_hx509_Name_to_string (
+	const Name */*n*/,
+	char **/*str*/);
+
+time_t
+_hx509_Time2time_t (const Time */*t*/);
+
+void
+_hx509_abort (
+	const char */*fmt*/,
+	...)
+    __attribute__ ((noreturn, format (printf, 1, 2)));
+
+int
+_hx509_calculate_path (
+	hx509_context /*context*/,
+	int /*flags*/,
+	time_t /*time_now*/,
+	hx509_certs /*anchors*/,
+	unsigned int /*max_depth*/,
+	hx509_cert /*cert*/,
+	hx509_certs /*pool*/,
+	hx509_path */*path*/);
+
+int
+_hx509_cert_assign_key (
+	hx509_cert /*cert*/,
+	hx509_private_key /*private_key*/);
+
+int
+_hx509_cert_get_eku (
+	hx509_context /*context*/,
+	hx509_cert /*cert*/,
+	ExtKeyUsage */*e*/);
+
+int
+_hx509_cert_get_keyusage (
+	hx509_context /*context*/,
+	hx509_cert /*c*/,
+	KeyUsage */*ku*/);
+
+int
+_hx509_cert_get_version (const Certificate */*t*/);
+
+int
+_hx509_cert_is_parent_cmp (
+	const Certificate */*subject*/,
+	const Certificate */*issuer*/,
+	int /*allow_self_signed*/);
+
+int
+_hx509_cert_private_decrypt (
+	hx509_context /*context*/,
+	const heim_octet_string */*ciphertext*/,
+	const heim_oid */*encryption_oid*/,
+	hx509_cert /*p*/,
+	heim_octet_string */*cleartext*/);
+
+hx509_private_key
+_hx509_cert_private_key (hx509_cert /*p*/);
+
+int
+_hx509_cert_private_key_exportable (hx509_cert /*p*/);
+
+int
+_hx509_cert_public_encrypt (
+	hx509_context /*context*/,
+	const heim_octet_string */*cleartext*/,
+	const hx509_cert /*p*/,
+	heim_oid */*encryption_oid*/,
+	heim_octet_string */*ciphertext*/);
+
+void
+_hx509_cert_set_release (
+	hx509_cert /*cert*/,
+	_hx509_cert_release_func /*release*/,
+	void */*ctx*/);
+
+int
+_hx509_certs_keys_add (
+	hx509_context /*context*/,
+	hx509_certs /*certs*/,
+	hx509_private_key /*key*/);
+
+void
+_hx509_certs_keys_free (
+	hx509_context /*context*/,
+	hx509_private_key */*keys*/);
+
+int
+_hx509_certs_keys_get (
+	hx509_context /*context*/,
+	hx509_certs /*certs*/,
+	hx509_private_key **/*keys*/);
+
+hx509_certs
+_hx509_certs_ref (hx509_certs /*certs*/);
+
+int
+_hx509_check_key_usage (
+	hx509_context /*context*/,
+	hx509_cert /*cert*/,
+	unsigned /*flags*/,
+	int /*req_present*/);
+
+int
+_hx509_collector_alloc (
+	hx509_context /*context*/,
+	hx509_lock /*lock*/,
+	struct hx509_collector **/*collector*/);
+
+int
+_hx509_collector_certs_add (
+	hx509_context /*context*/,
+	struct hx509_collector */*c*/,
+	hx509_cert /*cert*/);
+
+int
+_hx509_collector_collect_certs (
+	hx509_context /*context*/,
+	struct hx509_collector */*c*/,
+	hx509_certs */*ret_certs*/);
+
+int
+_hx509_collector_collect_private_keys (
+	hx509_context /*context*/,
+	struct hx509_collector */*c*/,
+	hx509_private_key **/*keys*/);
+
+void
+_hx509_collector_free (struct hx509_collector */*c*/);
+
+hx509_lock
+_hx509_collector_get_lock (struct hx509_collector */*c*/);
+
+int
+_hx509_collector_private_key_add (
+	hx509_context /*context*/,
+	struct hx509_collector */*c*/,
+	const AlgorithmIdentifier */*alg*/,
+	hx509_private_key /*private_key*/,
+	const heim_octet_string */*key_data*/,
+	const heim_octet_string */*localKeyId*/);
+
+int
+_hx509_create_signature (
+	hx509_context /*context*/,
+	const hx509_private_key /*signer*/,
+	const AlgorithmIdentifier */*alg*/,
+	const heim_octet_string */*data*/,
+	AlgorithmIdentifier */*signatureAlgorithm*/,
+	heim_octet_string */*sig*/);
+
+int
+_hx509_create_signature_bitstring (
+	hx509_context /*context*/,
+	const hx509_private_key /*signer*/,
+	const AlgorithmIdentifier */*alg*/,
+	const heim_octet_string */*data*/,
+	AlgorithmIdentifier */*signatureAlgorithm*/,
+	heim_bit_string */*sig*/);
+
+int
+_hx509_find_extension_subject_key_id (
+	const Certificate */*issuer*/,
+	SubjectKeyIdentifier */*si*/);
+
+int
+_hx509_generate_private_key (
+	hx509_context /*context*/,
+	struct hx509_generate_private_context */*ctx*/,
+	hx509_private_key */*private_key*/);
+
+int
+_hx509_generate_private_key_bits (
+	hx509_context /*context*/,
+	struct hx509_generate_private_context */*ctx*/,
+	unsigned long /*bits*/);
+
+void
+_hx509_generate_private_key_free (struct hx509_generate_private_context **/*ctx*/);
+
+int
+_hx509_generate_private_key_init (
+	hx509_context /*context*/,
+	const heim_oid */*oid*/,
+	struct hx509_generate_private_context **/*ctx*/);
+
+int
+_hx509_generate_private_key_is_ca (
+	hx509_context /*context*/,
+	struct hx509_generate_private_context */*ctx*/);
+
+Certificate *
+_hx509_get_cert (hx509_cert /*cert*/);
+
+void
+_hx509_ks_dir_register (hx509_context /*context*/);
+
+void
+_hx509_ks_file_register (hx509_context /*context*/);
+
+void
+_hx509_ks_keychain_register (hx509_context /*context*/);
+
+void
+_hx509_ks_mem_register (hx509_context /*context*/);
+
+void
+_hx509_ks_null_register (hx509_context /*context*/);
+
+void
+_hx509_ks_pkcs11_register (hx509_context /*context*/);
+
+void
+_hx509_ks_pkcs12_register (hx509_context /*context*/);
+
+void
+_hx509_ks_register (
+	hx509_context /*context*/,
+	struct hx509_keyset_ops */*ops*/);
+
+int
+_hx509_lock_find_cert (
+	hx509_lock /*lock*/,
+	const hx509_query */*q*/,
+	hx509_cert */*c*/);
+
+const struct _hx509_password *
+_hx509_lock_get_passwords (hx509_lock /*lock*/);
+
+hx509_certs
+_hx509_lock_unlock_certs (hx509_lock /*lock*/);
+
+int
+_hx509_map_file (
+	const char */*fn*/,
+	void **/*data*/,
+	size_t */*length*/,
+	struct stat */*rsb*/);
+
+int
+_hx509_map_file_os (
+	const char */*fn*/,
+	heim_octet_string */*os*/,
+	struct stat */*rsb*/);
+
+int
+_hx509_match_keys (
+	hx509_cert /*c*/,
+	hx509_private_key /*private_key*/);
+
+int
+_hx509_name_cmp (
+	const Name */*n1*/,
+	const Name */*n2*/);
+
+int
+_hx509_name_ds_cmp (
+	const DirectoryString */*ds1*/,
+	const DirectoryString */*ds2*/);
+
+int
+_hx509_name_from_Name (
+	const Name */*n*/,
+	hx509_name */*name*/);
+
+int
+_hx509_name_modify (
+	hx509_context /*context*/,
+	Name */*name*/,
+	int /*append*/,
+	const heim_oid */*oid*/,
+	const char */*str*/);
+
+int
+_hx509_parse_private_key (
+	hx509_context /*context*/,
+	const heim_oid */*key_oid*/,
+	const void */*data*/,
+	size_t /*len*/,
+	hx509_private_key */*private_key*/);
+
+int
+_hx509_path_append (
+	hx509_context /*context*/,
+	hx509_path */*path*/,
+	hx509_cert /*cert*/);
+
+void
+_hx509_path_free (hx509_path */*path*/);
+
+int
+_hx509_pbe_decrypt (
+	hx509_context /*context*/,
+	hx509_lock /*lock*/,
+	const AlgorithmIdentifier */*ai*/,
+	const heim_octet_string */*econtent*/,
+	heim_octet_string */*content*/);
+
+int
+_hx509_pbe_encrypt (
+	hx509_context /*context*/,
+	hx509_lock /*lock*/,
+	const AlgorithmIdentifier */*ai*/,
+	const heim_octet_string */*content*/,
+	heim_octet_string */*econtent*/);
+
+void
+_hx509_pi_printf (
+	int (*/*func*/)(void *, const char *),
+	void */*ctx*/,
+	const char */*fmt*/,
+	...);
+
+int
+_hx509_private_key2SPKI (
+	hx509_context /*context*/,
+	hx509_private_key /*private_key*/,
+	SubjectPublicKeyInfo */*spki*/);
+
+void
+_hx509_private_key_assign_rsa (
+	hx509_private_key /*key*/,
+	void */*ptr*/);
+
+int
+_hx509_private_key_export (
+	hx509_context /*context*/,
+	const hx509_private_key /*key*/,
+	heim_octet_string */*data*/);
+
+int
+_hx509_private_key_exportable (hx509_private_key /*key*/);
+
+int
+_hx509_private_key_free (hx509_private_key */*key*/);
+
+BIGNUM *
+_hx509_private_key_get_internal (
+	hx509_context /*context*/,
+	hx509_private_key /*key*/,
+	const char */*type*/);
+
+int
+_hx509_private_key_init (
+	hx509_private_key */*key*/,
+	hx509_private_key_ops */*ops*/,
+	void */*keydata*/);
+
+int
+_hx509_private_key_oid (
+	hx509_context /*context*/,
+	const hx509_private_key /*key*/,
+	heim_oid */*data*/);
+
+int
+_hx509_private_key_private_decrypt (
+	hx509_context /*context*/,
+	const heim_octet_string */*ciphertext*/,
+	const heim_oid */*encryption_oid*/,
+	hx509_private_key /*p*/,
+	heim_octet_string */*cleartext*/);
+
+hx509_private_key
+_hx509_private_key_ref (hx509_private_key /*key*/);
+
+const char *
+_hx509_private_pem_name (hx509_private_key /*key*/);
+
+int
+_hx509_public_encrypt (
+	hx509_context /*context*/,
+	const heim_octet_string */*cleartext*/,
+	const Certificate */*cert*/,
+	heim_oid */*encryption_oid*/,
+	heim_octet_string */*ciphertext*/);
+
+void
+_hx509_query_clear (hx509_query */*q*/);
+
+int
+_hx509_query_match_cert (
+	hx509_context /*context*/,
+	const hx509_query */*q*/,
+	hx509_cert /*cert*/);
+
+void
+_hx509_query_statistic (
+	hx509_context /*context*/,
+	int /*type*/,
+	const hx509_query */*q*/);
+
+int
+_hx509_request_add_dns_name (
+	hx509_context /*context*/,
+	hx509_request /*req*/,
+	const char */*hostname*/);
+
+int
+_hx509_request_add_eku (
+	hx509_context /*context*/,
+	hx509_request /*req*/,
+	const heim_oid */*oid*/);
+
+int
+_hx509_request_add_email (
+	hx509_context /*context*/,
+	hx509_request /*req*/,
+	const char */*email*/);
+
+void
+_hx509_request_free (hx509_request */*req*/);
+
+int
+_hx509_request_get_SubjectPublicKeyInfo (
+	hx509_context /*context*/,
+	hx509_request /*req*/,
+	SubjectPublicKeyInfo */*key*/);
+
+int
+_hx509_request_get_name (
+	hx509_context /*context*/,
+	hx509_request /*req*/,
+	hx509_name */*name*/);
+
+int
+_hx509_request_init (
+	hx509_context /*context*/,
+	hx509_request */*req*/);
+
+int
+_hx509_request_parse (
+	hx509_context /*context*/,
+	const char */*path*/,
+	hx509_request */*req*/);
+
+int
+_hx509_request_print (
+	hx509_context /*context*/,
+	hx509_request /*req*/,
+	FILE */*f*/);
+
+int
+_hx509_request_set_SubjectPublicKeyInfo (
+	hx509_context /*context*/,
+	hx509_request /*req*/,
+	const SubjectPublicKeyInfo */*key*/);
+
+int
+_hx509_request_set_name (
+	hx509_context /*context*/,
+	hx509_request /*req*/,
+	hx509_name /*name*/);
+
+int
+_hx509_request_to_pkcs10 (
+	hx509_context /*context*/,
+	const hx509_request /*req*/,
+	const hx509_private_key /*signer*/,
+	heim_octet_string */*request*/);
+
+hx509_revoke_ctx
+_hx509_revoke_ref (hx509_revoke_ctx /*ctx*/);
+
+int
+_hx509_set_cert_attribute (
+	hx509_context /*context*/,
+	hx509_cert /*cert*/,
+	const heim_oid */*oid*/,
+	const heim_octet_string */*attr*/);
+
+void
+_hx509_unmap_file (
+	void */*data*/,
+	size_t /*len*/);
+
+void
+_hx509_unmap_file_os (heim_octet_string */*os*/);
+
+int
+_hx509_unparse_Name (
+	const Name */*aname*/,
+	char **/*str*/);
+
+int
+_hx509_verify_signature (
+	hx509_context /*context*/,
+	const Certificate */*signer*/,
+	const AlgorithmIdentifier */*alg*/,
+	const heim_octet_string */*data*/,
+	const heim_octet_string */*sig*/);
+
+int
+_hx509_verify_signature_bitstring (
+	hx509_context /*context*/,
+	const Certificate */*signer*/,
+	const AlgorithmIdentifier */*alg*/,
+	const heim_octet_string */*data*/,
+	const heim_bit_string */*sig*/);
+
+int
+_hx509_write_file (
+	const char */*fn*/,
+	const void */*data*/,
+	size_t /*length*/);
+
+#endif /* __hx509_private_h__ */
diff --git a/crypto/heimdal/lib/hx509/hx509-protos.h b/crypto/heimdal/lib/hx509/hx509-protos.h
new file mode 100644
index 0000000..50ce1b3
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/hx509-protos.h
@@ -0,0 +1,1049 @@
+/* This is a generated file */
+#ifndef __hx509_protos_h__
+#define __hx509_protos_h__
+
+#include <stdarg.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifndef HX509_LIB_FUNCTION
+#if defined(_WIN32)
+#define HX509_LIB_FUNCTION _stdcall
+#else
+#define HX509_LIB_FUNCTION
+#endif
+#endif
+
+void
+hx509_bitstring_print (
+	const heim_bit_string */*b*/,
+	hx509_vprint_func /*func*/,
+	void */*ctx*/);
+
+int
+hx509_ca_sign (
+	hx509_context /*context*/,
+	hx509_ca_tbs /*tbs*/,
+	hx509_cert /*signer*/,
+	hx509_cert */*certificate*/);
+
+int
+hx509_ca_sign_self (
+	hx509_context /*context*/,
+	hx509_ca_tbs /*tbs*/,
+	hx509_private_key /*signer*/,
+	hx509_cert */*certificate*/);
+
+int
+hx509_ca_tbs_add_crl_dp_uri (
+	hx509_context /*context*/,
+	hx509_ca_tbs /*tbs*/,
+	const char */*uri*/,
+	hx509_name /*issuername*/);
+
+int
+hx509_ca_tbs_add_eku (
+	hx509_context /*context*/,
+	hx509_ca_tbs /*tbs*/,
+	const heim_oid */*oid*/);
+
+int
+hx509_ca_tbs_add_san_hostname (
+	hx509_context /*context*/,
+	hx509_ca_tbs /*tbs*/,
+	const char */*dnsname*/);
+
+int
+hx509_ca_tbs_add_san_jid (
+	hx509_context /*context*/,
+	hx509_ca_tbs /*tbs*/,
+	const char */*jid*/);
+
+int
+hx509_ca_tbs_add_san_ms_upn (
+	hx509_context /*context*/,
+	hx509_ca_tbs /*tbs*/,
+	const char */*principal*/);
+
+int
+hx509_ca_tbs_add_san_otherName (
+	hx509_context /*context*/,
+	hx509_ca_tbs /*tbs*/,
+	const heim_oid */*oid*/,
+	const heim_octet_string */*os*/);
+
+int
+hx509_ca_tbs_add_san_pkinit (
+	hx509_context /*context*/,
+	hx509_ca_tbs /*tbs*/,
+	const char */*principal*/);
+
+int
+hx509_ca_tbs_add_san_rfc822name (
+	hx509_context /*context*/,
+	hx509_ca_tbs /*tbs*/,
+	const char */*rfc822Name*/);
+
+void
+hx509_ca_tbs_free (hx509_ca_tbs */*tbs*/);
+
+int
+hx509_ca_tbs_init (
+	hx509_context /*context*/,
+	hx509_ca_tbs */*tbs*/);
+
+int
+hx509_ca_tbs_set_ca (
+	hx509_context /*context*/,
+	hx509_ca_tbs /*tbs*/,
+	int /*pathLenConstraint*/);
+
+int
+hx509_ca_tbs_set_domaincontroller (
+	hx509_context /*context*/,
+	hx509_ca_tbs /*tbs*/);
+
+int
+hx509_ca_tbs_set_notAfter (
+	hx509_context /*context*/,
+	hx509_ca_tbs /*tbs*/,
+	time_t /*t*/);
+
+int
+hx509_ca_tbs_set_notAfter_lifetime (
+	hx509_context /*context*/,
+	hx509_ca_tbs /*tbs*/,
+	time_t /*delta*/);
+
+int
+hx509_ca_tbs_set_notBefore (
+	hx509_context /*context*/,
+	hx509_ca_tbs /*tbs*/,
+	time_t /*t*/);
+
+int
+hx509_ca_tbs_set_proxy (
+	hx509_context /*context*/,
+	hx509_ca_tbs /*tbs*/,
+	int /*pathLenConstraint*/);
+
+int
+hx509_ca_tbs_set_serialnumber (
+	hx509_context /*context*/,
+	hx509_ca_tbs /*tbs*/,
+	const heim_integer */*serialNumber*/);
+
+int
+hx509_ca_tbs_set_spki (
+	hx509_context /*context*/,
+	hx509_ca_tbs /*tbs*/,
+	const SubjectPublicKeyInfo */*spki*/);
+
+int
+hx509_ca_tbs_set_subject (
+	hx509_context /*context*/,
+	hx509_ca_tbs /*tbs*/,
+	hx509_name /*subject*/);
+
+int
+hx509_ca_tbs_set_template (
+	hx509_context /*context*/,
+	hx509_ca_tbs /*tbs*/,
+	int /*flags*/,
+	hx509_cert /*cert*/);
+
+int
+hx509_ca_tbs_subject_expand (
+	hx509_context /*context*/,
+	hx509_ca_tbs /*tbs*/,
+	hx509_env /*env*/);
+
+const struct units *
+hx509_ca_tbs_template_units (void);
+
+int
+hx509_cert_binary (
+	hx509_context /*context*/,
+	hx509_cert /*c*/,
+	heim_octet_string */*os*/);
+
+int
+hx509_cert_check_eku (
+	hx509_context /*context*/,
+	hx509_cert /*cert*/,
+	const heim_oid */*eku*/,
+	int /*allow_any_eku*/);
+
+int
+hx509_cert_cmp (
+	hx509_cert /*p*/,
+	hx509_cert /*q*/);
+
+int
+hx509_cert_find_subjectAltName_otherName (
+	hx509_context /*context*/,
+	hx509_cert /*cert*/,
+	const heim_oid */*oid*/,
+	hx509_octet_string_list */*list*/);
+
+void
+hx509_cert_free (hx509_cert /*cert*/);
+
+int
+hx509_cert_get_SPKI (
+	hx509_context /*context*/,
+	hx509_cert /*p*/,
+	SubjectPublicKeyInfo */*spki*/);
+
+int
+hx509_cert_get_SPKI_AlgorithmIdentifier (
+	hx509_context /*context*/,
+	hx509_cert /*p*/,
+	AlgorithmIdentifier */*alg*/);
+
+hx509_cert_attribute
+hx509_cert_get_attribute (
+	hx509_cert /*cert*/,
+	const heim_oid */*oid*/);
+
+int
+hx509_cert_get_base_subject (
+	hx509_context /*context*/,
+	hx509_cert /*c*/,
+	hx509_name */*name*/);
+
+const char *
+hx509_cert_get_friendly_name (hx509_cert /*cert*/);
+
+int
+hx509_cert_get_issuer (
+	hx509_cert /*p*/,
+	hx509_name */*name*/);
+
+time_t
+hx509_cert_get_notAfter (hx509_cert /*p*/);
+
+time_t
+hx509_cert_get_notBefore (hx509_cert /*p*/);
+
+int
+hx509_cert_get_serialnumber (
+	hx509_cert /*p*/,
+	heim_integer */*i*/);
+
+int
+hx509_cert_get_subject (
+	hx509_cert /*p*/,
+	hx509_name */*name*/);
+
+int
+hx509_cert_have_private_key (hx509_cert /*p*/);
+
+int
+hx509_cert_init (
+	hx509_context /*context*/,
+	const Certificate */*c*/,
+	hx509_cert */*cert*/);
+
+int
+hx509_cert_init_data (
+	hx509_context /*context*/,
+	const void */*ptr*/,
+	size_t /*len*/,
+	hx509_cert */*cert*/);
+
+int
+hx509_cert_keyusage_print (
+	hx509_context /*context*/,
+	hx509_cert /*c*/,
+	char **/*s*/);
+
+hx509_cert
+hx509_cert_ref (hx509_cert /*cert*/);
+
+int
+hx509_cert_set_friendly_name (
+	hx509_cert /*cert*/,
+	const char */*name*/);
+
+int
+hx509_certs_add (
+	hx509_context /*context*/,
+	hx509_certs /*certs*/,
+	hx509_cert /*cert*/);
+
+int
+hx509_certs_append (
+	hx509_context /*context*/,
+	hx509_certs /*to*/,
+	hx509_lock /*lock*/,
+	const char */*name*/);
+
+int
+hx509_certs_end_seq (
+	hx509_context /*context*/,
+	hx509_certs /*certs*/,
+	hx509_cursor /*cursor*/);
+
+int
+hx509_certs_find (
+	hx509_context /*context*/,
+	hx509_certs /*certs*/,
+	const hx509_query */*q*/,
+	hx509_cert */*r*/);
+
+void
+hx509_certs_free (hx509_certs */*certs*/);
+
+int
+hx509_certs_info (
+	hx509_context /*context*/,
+	hx509_certs /*certs*/,
+	int (*/*func*/)(void *, const char *),
+	void */*ctx*/);
+
+int
+hx509_certs_init (
+	hx509_context /*context*/,
+	const char */*name*/,
+	int /*flags*/,
+	hx509_lock /*lock*/,
+	hx509_certs */*certs*/);
+
+int
+hx509_certs_iter (
+	hx509_context /*context*/,
+	hx509_certs /*certs*/,
+	int (*/*func*/)(hx509_context, void *, hx509_cert),
+	void */*ctx*/);
+
+int
+hx509_certs_merge (
+	hx509_context /*context*/,
+	hx509_certs /*to*/,
+	hx509_certs /*from*/);
+
+int
+hx509_certs_next_cert (
+	hx509_context /*context*/,
+	hx509_certs /*certs*/,
+	hx509_cursor /*cursor*/,
+	hx509_cert */*cert*/);
+
+int
+hx509_certs_start_seq (
+	hx509_context /*context*/,
+	hx509_certs /*certs*/,
+	hx509_cursor */*cursor*/);
+
+int
+hx509_certs_store (
+	hx509_context /*context*/,
+	hx509_certs /*certs*/,
+	int /*flags*/,
+	hx509_lock /*lock*/);
+
+int
+hx509_ci_print_names (
+	hx509_context /*context*/,
+	void */*ctx*/,
+	hx509_cert /*c*/);
+
+void
+hx509_clear_error_string (hx509_context /*context*/);
+
+int
+hx509_cms_create_signed_1 (
+	hx509_context /*context*/,
+	int /*flags*/,
+	const heim_oid */*eContentType*/,
+	const void */*data*/,
+	size_t /*length*/,
+	const AlgorithmIdentifier */*digest_alg*/,
+	hx509_cert /*cert*/,
+	hx509_peer_info /*peer*/,
+	hx509_certs /*anchors*/,
+	hx509_certs /*pool*/,
+	heim_octet_string */*signed_data*/);
+
+int
+hx509_cms_decrypt_encrypted (
+	hx509_context /*context*/,
+	hx509_lock /*lock*/,
+	const void */*data*/,
+	size_t /*length*/,
+	heim_oid */*contentType*/,
+	heim_octet_string */*content*/);
+
+int
+hx509_cms_envelope_1 (
+	hx509_context /*context*/,
+	int /*flags*/,
+	hx509_cert /*cert*/,
+	const void */*data*/,
+	size_t /*length*/,
+	const heim_oid */*encryption_type*/,
+	const heim_oid */*contentType*/,
+	heim_octet_string */*content*/);
+
+int
+hx509_cms_unenvelope (
+	hx509_context /*context*/,
+	hx509_certs /*certs*/,
+	int /*flags*/,
+	const void */*data*/,
+	size_t /*length*/,
+	const heim_octet_string */*encryptedContent*/,
+	heim_oid */*contentType*/,
+	heim_octet_string */*content*/);
+
+int
+hx509_cms_unwrap_ContentInfo (
+	const heim_octet_string */*in*/,
+	heim_oid */*oid*/,
+	heim_octet_string */*out*/,
+	int */*have_data*/);
+
+int
+hx509_cms_verify_signed (
+	hx509_context /*context*/,
+	hx509_verify_ctx /*ctx*/,
+	const void */*data*/,
+	size_t /*length*/,
+	const heim_octet_string */*signedContent*/,
+	hx509_certs /*pool*/,
+	heim_oid */*contentType*/,
+	heim_octet_string */*content*/,
+	hx509_certs */*signer_certs*/);
+
+int
+hx509_cms_wrap_ContentInfo (
+	const heim_oid */*oid*/,
+	const heim_octet_string */*buf*/,
+	heim_octet_string */*res*/);
+
+void
+hx509_context_free (hx509_context */*context*/);
+
+int
+hx509_context_init (hx509_context */*context*/);
+
+void
+hx509_context_set_missing_revoke (
+	hx509_context /*context*/,
+	int /*flag*/);
+
+int
+hx509_crl_add_revoked_certs (
+	hx509_context /*context*/,
+	hx509_crl /*crl*/,
+	hx509_certs /*certs*/);
+
+int
+hx509_crl_alloc (
+	hx509_context /*context*/,
+	hx509_crl */*crl*/);
+
+void
+hx509_crl_free (
+	hx509_context /*context*/,
+	hx509_crl */*crl*/);
+
+int
+hx509_crl_lifetime (
+	hx509_context /*context*/,
+	hx509_crl /*crl*/,
+	int /*delta*/);
+
+int
+hx509_crl_sign (
+	hx509_context /*context*/,
+	hx509_cert /*signer*/,
+	hx509_crl /*crl*/,
+	heim_octet_string */*os*/);
+
+const AlgorithmIdentifier *
+hx509_crypto_aes128_cbc (void);
+
+const AlgorithmIdentifier *
+hx509_crypto_aes256_cbc (void);
+
+int
+hx509_crypto_available (
+	hx509_context /*context*/,
+	int /*type*/,
+	hx509_cert /*source*/,
+	AlgorithmIdentifier **/*val*/,
+	unsigned int */*plen*/);
+
+int
+hx509_crypto_decrypt (
+	hx509_crypto /*crypto*/,
+	const void */*data*/,
+	const size_t /*length*/,
+	heim_octet_string */*ivec*/,
+	heim_octet_string */*clear*/);
+
+const AlgorithmIdentifier *
+hx509_crypto_des_rsdi_ede3_cbc (void);
+
+void
+hx509_crypto_destroy (hx509_crypto /*crypto*/);
+
+int
+hx509_crypto_encrypt (
+	hx509_crypto /*crypto*/,
+	const void */*data*/,
+	const size_t /*length*/,
+	const heim_octet_string */*ivec*/,
+	heim_octet_string **/*ciphertext*/);
+
+const heim_oid *
+hx509_crypto_enctype_by_name (const char */*name*/);
+
+void
+hx509_crypto_free_algs (
+	AlgorithmIdentifier */*val*/,
+	unsigned int /*len*/);
+
+int
+hx509_crypto_get_params (
+	hx509_context /*context*/,
+	hx509_crypto /*crypto*/,
+	const heim_octet_string */*ivec*/,
+	heim_octet_string */*param*/);
+
+int
+hx509_crypto_init (
+	hx509_context /*context*/,
+	const char */*provider*/,
+	const heim_oid */*enctype*/,
+	hx509_crypto */*crypto*/);
+
+const char *
+hx509_crypto_provider (hx509_crypto /*crypto*/);
+
+int
+hx509_crypto_random_iv (
+	hx509_crypto /*crypto*/,
+	heim_octet_string */*ivec*/);
+
+int
+hx509_crypto_select (
+	const hx509_context /*context*/,
+	int /*type*/,
+	const hx509_private_key /*source*/,
+	hx509_peer_info /*peer*/,
+	AlgorithmIdentifier */*selected*/);
+
+int
+hx509_crypto_set_key_data (
+	hx509_crypto /*crypto*/,
+	const void */*data*/,
+	size_t /*length*/);
+
+int
+hx509_crypto_set_key_name (
+	hx509_crypto /*crypto*/,
+	const char */*name*/);
+
+int
+hx509_crypto_set_params (
+	hx509_context /*context*/,
+	hx509_crypto /*crypto*/,
+	const heim_octet_string */*param*/,
+	heim_octet_string */*ivec*/);
+
+int
+hx509_crypto_set_random_key (
+	hx509_crypto /*crypto*/,
+	heim_octet_string */*key*/);
+
+int
+hx509_env_add (
+	hx509_context /*context*/,
+	hx509_env /*env*/,
+	const char */*key*/,
+	const char */*value*/);
+
+void
+hx509_env_free (hx509_env */*env*/);
+
+int
+hx509_env_init (
+	hx509_context /*context*/,
+	hx509_env */*env*/);
+
+const char *
+hx509_env_lfind (
+	hx509_context /*context*/,
+	hx509_env /*env*/,
+	const char */*key*/,
+	size_t /*len*/);
+
+void
+hx509_err (
+	hx509_context /*context*/,
+	int /*exit_code*/,
+	int /*error_code*/,
+	const char */*fmt*/,
+	...);
+
+void
+hx509_free_error_string (char */*str*/);
+
+void
+hx509_free_octet_string_list (hx509_octet_string_list */*list*/);
+
+int
+hx509_general_name_unparse (
+	GeneralName */*name*/,
+	char **/*str*/);
+
+char *
+hx509_get_error_string (
+	hx509_context /*context*/,
+	int /*error_code*/);
+
+int
+hx509_get_one_cert (
+	hx509_context /*context*/,
+	hx509_certs /*certs*/,
+	hx509_cert */*c*/);
+
+int
+hx509_lock_add_cert (
+	hx509_context /*context*/,
+	hx509_lock /*lock*/,
+	hx509_cert /*cert*/);
+
+int
+hx509_lock_add_certs (
+	hx509_context /*context*/,
+	hx509_lock /*lock*/,
+	hx509_certs /*certs*/);
+
+int
+hx509_lock_add_password (
+	hx509_lock /*lock*/,
+	const char */*password*/);
+
+int
+hx509_lock_command_string (
+	hx509_lock /*lock*/,
+	const char */*string*/);
+
+void
+hx509_lock_free (hx509_lock /*lock*/);
+
+int
+hx509_lock_init (
+	hx509_context /*context*/,
+	hx509_lock */*lock*/);
+
+int
+hx509_lock_prompt (
+	hx509_lock /*lock*/,
+	hx509_prompt */*prompt*/);
+
+void
+hx509_lock_reset_certs (
+	hx509_context /*context*/,
+	hx509_lock /*lock*/);
+
+void
+hx509_lock_reset_passwords (hx509_lock /*lock*/);
+
+void
+hx509_lock_reset_promper (hx509_lock /*lock*/);
+
+int
+hx509_lock_set_prompter (
+	hx509_lock /*lock*/,
+	hx509_prompter_fct /*prompt*/,
+	void */*data*/);
+
+int
+hx509_name_binary (
+	const hx509_name /*name*/,
+	heim_octet_string */*os*/);
+
+int
+hx509_name_cmp (
+	hx509_name /*n1*/,
+	hx509_name /*n2*/);
+
+int
+hx509_name_copy (
+	hx509_context /*context*/,
+	const hx509_name /*from*/,
+	hx509_name */*to*/);
+
+int
+hx509_name_expand (
+	hx509_context /*context*/,
+	hx509_name /*name*/,
+	hx509_env /*env*/);
+
+void
+hx509_name_free (hx509_name */*name*/);
+
+int
+hx509_name_is_null_p (const hx509_name /*name*/);
+
+int
+hx509_name_normalize (
+	hx509_context /*context*/,
+	hx509_name /*name*/);
+
+int
+hx509_name_to_Name (
+	const hx509_name /*from*/,
+	Name */*to*/);
+
+int
+hx509_name_to_string (
+	const hx509_name /*name*/,
+	char **/*str*/);
+
+int
+hx509_ocsp_request (
+	hx509_context /*context*/,
+	hx509_certs /*reqcerts*/,
+	hx509_certs /*pool*/,
+	hx509_cert /*signer*/,
+	const AlgorithmIdentifier */*digest*/,
+	heim_octet_string */*request*/,
+	heim_octet_string */*nonce*/);
+
+int
+hx509_ocsp_verify (
+	hx509_context /*context*/,
+	time_t /*now*/,
+	hx509_cert /*cert*/,
+	int /*flags*/,
+	const void */*data*/,
+	size_t /*length*/,
+	time_t */*expiration*/);
+
+void
+hx509_oid_print (
+	const heim_oid */*oid*/,
+	hx509_vprint_func /*func*/,
+	void */*ctx*/);
+
+int
+hx509_oid_sprint (
+	const heim_oid */*oid*/,
+	char **/*str*/);
+
+int
+hx509_parse_name (
+	hx509_context /*context*/,
+	const char */*str*/,
+	hx509_name */*name*/);
+
+int
+hx509_peer_info_alloc (
+	hx509_context /*context*/,
+	hx509_peer_info */*peer*/);
+
+void
+hx509_peer_info_free (hx509_peer_info /*peer*/);
+
+int
+hx509_peer_info_set_cert (
+	hx509_peer_info /*peer*/,
+	hx509_cert /*cert*/);
+
+int
+hx509_peer_info_set_cms_algs (
+	hx509_context /*context*/,
+	hx509_peer_info /*peer*/,
+	const AlgorithmIdentifier */*val*/,
+	size_t /*len*/);
+
+int
+hx509_pem_add_header (
+	hx509_pem_header **/*headers*/,
+	const char */*header*/,
+	const char */*value*/);
+
+const char *
+hx509_pem_find_header (
+	const hx509_pem_header */*h*/,
+	const char */*header*/);
+
+void
+hx509_pem_free_header (hx509_pem_header */*headers*/);
+
+int
+hx509_pem_read (
+	hx509_context /*context*/,
+	FILE */*f*/,
+	hx509_pem_read_func /*func*/,
+	void */*ctx*/);
+
+int
+hx509_pem_write (
+	hx509_context /*context*/,
+	const char */*type*/,
+	hx509_pem_header */*headers*/,
+	FILE */*f*/,
+	const void */*data*/,
+	size_t /*size*/);
+
+void
+hx509_print_stdout (
+	void */*ctx*/,
+	const char */*fmt*/,
+	va_list /*va*/);
+
+int
+hx509_prompt_hidden (hx509_prompt_type /*type*/);
+
+int
+hx509_query_alloc (
+	hx509_context /*context*/,
+	hx509_query **/*q*/);
+
+void
+hx509_query_free (
+	hx509_context /*context*/,
+	hx509_query */*q*/);
+
+int
+hx509_query_match_cmp_func (
+	hx509_query */*q*/,
+	int (*/*func*/)(void *, hx509_cert),
+	void */*ctx*/);
+
+int
+hx509_query_match_friendly_name (
+	hx509_query */*q*/,
+	const char */*name*/);
+
+int
+hx509_query_match_issuer_serial (
+	hx509_query */*q*/,
+	const Name */*issuer*/,
+	const heim_integer */*serialNumber*/);
+
+void
+hx509_query_match_option (
+	hx509_query */*q*/,
+	hx509_query_option /*option*/);
+
+void
+hx509_query_statistic_file (
+	hx509_context /*context*/,
+	const char */*fn*/);
+
+void
+hx509_query_unparse_stats (
+	hx509_context /*context*/,
+	int /*printtype*/,
+	FILE */*out*/);
+
+int
+hx509_revoke_add_crl (
+	hx509_context /*context*/,
+	hx509_revoke_ctx /*ctx*/,
+	const char */*path*/);
+
+int
+hx509_revoke_add_ocsp (
+	hx509_context /*context*/,
+	hx509_revoke_ctx /*ctx*/,
+	const char */*path*/);
+
+void
+hx509_revoke_free (hx509_revoke_ctx */*ctx*/);
+
+int
+hx509_revoke_init (
+	hx509_context /*context*/,
+	hx509_revoke_ctx */*ctx*/);
+
+int
+hx509_revoke_ocsp_print (
+	hx509_context /*context*/,
+	const char */*path*/,
+	FILE */*out*/);
+
+int
+hx509_revoke_verify (
+	hx509_context /*context*/,
+	hx509_revoke_ctx /*ctx*/,
+	hx509_certs /*certs*/,
+	time_t /*now*/,
+	hx509_cert /*cert*/,
+	hx509_cert /*parent_cert*/);
+
+void
+hx509_set_error_string (
+	hx509_context /*context*/,
+	int /*flags*/,
+	int /*code*/,
+	const char */*fmt*/,
+	...);
+
+void
+hx509_set_error_stringv (
+	hx509_context /*context*/,
+	int /*flags*/,
+	int /*code*/,
+	const char */*fmt*/,
+	va_list /*ap*/);
+
+const AlgorithmIdentifier *
+hx509_signature_md2 (void);
+
+const AlgorithmIdentifier *
+hx509_signature_md5 (void);
+
+const AlgorithmIdentifier *
+hx509_signature_rsa (void);
+
+const AlgorithmIdentifier *
+hx509_signature_rsa_pkcs1_x509 (void);
+
+const AlgorithmIdentifier *
+hx509_signature_rsa_with_md2 (void);
+
+const AlgorithmIdentifier *
+hx509_signature_rsa_with_md5 (void);
+
+const AlgorithmIdentifier *
+hx509_signature_rsa_with_sha1 (void);
+
+const AlgorithmIdentifier *
+hx509_signature_rsa_with_sha256 (void);
+
+const AlgorithmIdentifier *
+hx509_signature_rsa_with_sha384 (void);
+
+const AlgorithmIdentifier *
+hx509_signature_rsa_with_sha512 (void);
+
+const AlgorithmIdentifier *
+hx509_signature_sha1 (void);
+
+const AlgorithmIdentifier *
+hx509_signature_sha256 (void);
+
+const AlgorithmIdentifier *
+hx509_signature_sha384 (void);
+
+const AlgorithmIdentifier *
+hx509_signature_sha512 (void);
+
+int
+hx509_unparse_der_name (
+	const void */*data*/,
+	size_t /*length*/,
+	char **/*str*/);
+
+int
+hx509_validate_cert (
+	hx509_context /*context*/,
+	hx509_validate_ctx /*ctx*/,
+	hx509_cert /*cert*/);
+
+void
+hx509_validate_ctx_add_flags (
+	hx509_validate_ctx /*ctx*/,
+	int /*flags*/);
+
+void
+hx509_validate_ctx_free (hx509_validate_ctx /*ctx*/);
+
+int
+hx509_validate_ctx_init (
+	hx509_context /*context*/,
+	hx509_validate_ctx */*ctx*/);
+
+void
+hx509_validate_ctx_set_print (
+	hx509_validate_ctx /*ctx*/,
+	hx509_vprint_func /*func*/,
+	void */*c*/);
+
+void
+hx509_verify_attach_anchors (
+	hx509_verify_ctx /*ctx*/,
+	hx509_certs /*set*/);
+
+void
+hx509_verify_attach_revoke (
+	hx509_verify_ctx /*ctx*/,
+	hx509_revoke_ctx /*revoke_ctx*/);
+
+void
+hx509_verify_ctx_f_allow_default_trustanchors (
+	hx509_verify_ctx /*ctx*/,
+	int /*boolean*/);
+
+void
+hx509_verify_destroy_ctx (hx509_verify_ctx /*ctx*/);
+
+int
+hx509_verify_hostname (
+	hx509_context /*context*/,
+	const hx509_cert /*cert*/,
+	int /*flags*/,
+	hx509_hostname_type /*type*/,
+	const char */*hostname*/,
+	const struct sockaddr */*sa*/,
+	int /*sa_size*/);
+
+int
+hx509_verify_init_ctx (
+	hx509_context /*context*/,
+	hx509_verify_ctx */*ctx*/);
+
+int
+hx509_verify_path (
+	hx509_context /*context*/,
+	hx509_verify_ctx /*ctx*/,
+	hx509_cert /*cert*/,
+	hx509_certs /*pool*/);
+
+void
+hx509_verify_set_max_depth (
+	hx509_verify_ctx /*ctx*/,
+	unsigned int /*max_depth*/);
+
+void
+hx509_verify_set_proxy_certificate (
+	hx509_verify_ctx /*ctx*/,
+	int /*boolean*/);
+
+void
+hx509_verify_set_strict_rfc3280_verification (
+	hx509_verify_ctx /*ctx*/,
+	int /*boolean*/);
+
+void
+hx509_verify_set_time (
+	hx509_verify_ctx /*ctx*/,
+	time_t /*t*/);
+
+int
+hx509_verify_signature (
+	hx509_context /*context*/,
+	const hx509_cert /*signer*/,
+	const AlgorithmIdentifier */*alg*/,
+	const heim_octet_string */*data*/,
+	const heim_octet_string */*sig*/);
+
+void
+hx509_xfree (void */*ptr*/);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __hx509_protos_h__ */
diff --git a/crypto/heimdal/lib/hx509/hx509.h b/crypto/heimdal/lib/hx509/hx509.h
new file mode 100644
index 0000000..be02f63
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/hx509.h
@@ -0,0 +1,148 @@
+/*
+ * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: hx509.h 22464 2008-01-16 14:24:50Z lha $ */
+
+typedef struct hx509_cert_attribute_data *hx509_cert_attribute;
+typedef struct hx509_cert_data *hx509_cert;
+typedef struct hx509_certs_data *hx509_certs;
+typedef struct hx509_context_data *hx509_context;
+typedef struct hx509_crypto_data *hx509_crypto;
+typedef struct hx509_lock_data *hx509_lock;
+typedef struct hx509_name_data *hx509_name;
+typedef struct hx509_private_key *hx509_private_key;
+typedef struct hx509_validate_ctx_data *hx509_validate_ctx;
+typedef struct hx509_verify_ctx_data *hx509_verify_ctx;
+typedef struct hx509_revoke_ctx_data *hx509_revoke_ctx;
+typedef struct hx509_query_data hx509_query;
+typedef void * hx509_cursor;
+typedef struct hx509_request_data *hx509_request;
+typedef struct hx509_error_data *hx509_error;
+typedef struct hx509_peer_info *hx509_peer_info;
+typedef struct hx509_ca_tbs *hx509_ca_tbs;
+typedef struct hx509_env *hx509_env;
+typedef struct hx509_crl *hx509_crl;
+
+typedef void (*hx509_vprint_func)(void *, const char *, va_list);
+
+enum {
+    HX509_VHN_F_ALLOW_NO_MATCH = 1
+};
+
+enum {
+    HX509_VALIDATE_F_VALIDATE = 1,
+    HX509_VALIDATE_F_VERBOSE = 2
+};
+
+struct hx509_cert_attribute_data {
+    heim_oid oid;
+    heim_octet_string data;
+};
+
+typedef enum {
+    HX509_PROMPT_TYPE_PASSWORD		= 0x1,	/* password, hidden */
+    HX509_PROMPT_TYPE_QUESTION		= 0x2,	/* question, not hidden */
+    HX509_PROMPT_TYPE_INFO		= 0x4	/* infomation, reply doesn't matter */
+} hx509_prompt_type;
+
+typedef struct hx509_prompt {
+    const char *prompt;
+    hx509_prompt_type type;
+    heim_octet_string reply;
+} hx509_prompt;
+
+typedef int (*hx509_prompter_fct)(void *, const hx509_prompt *);
+
+typedef struct hx509_octet_string_list {
+    size_t len;
+    heim_octet_string *val;
+} hx509_octet_string_list;
+
+typedef struct hx509_pem_header {
+    struct hx509_pem_header *next;
+    char *header;
+    char *value;
+} hx509_pem_header;
+
+typedef int
+(*hx509_pem_read_func)(hx509_context, const char *, const hx509_pem_header *,
+		       const void *, size_t, void *ctx);
+
+/*
+ * Options passed to hx509_query_match_option.
+ */
+typedef enum {
+    HX509_QUERY_OPTION_PRIVATE_KEY = 1,
+    HX509_QUERY_OPTION_KU_ENCIPHERMENT = 2,
+    HX509_QUERY_OPTION_KU_DIGITALSIGNATURE = 3,
+    HX509_QUERY_OPTION_KU_KEYCERTSIGN = 4,
+    HX509_QUERY_OPTION_END = 0xffff
+} hx509_query_option;
+
+/* flags to hx509_certs_init */
+#define HX509_CERTS_CREATE				0x01
+#define HX509_CERTS_UNPROTECT_ALL			0x02
+
+/* flags to hx509_set_error_string */
+#define HX509_ERROR_APPEND				0x01
+
+/* flags to hx509_cms_unenvelope */
+#define HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT	0x01
+
+/* selectors passed to hx509_crypto_select and hx509_crypto_available */
+#define HX509_SELECT_ALL 0
+#define HX509_SELECT_DIGEST 1
+#define HX509_SELECT_PUBLIC_SIG 2
+#define HX509_SELECT_PUBLIC_ENC 3
+#define HX509_SELECT_SECRET_ENC 4
+
+/* flags to hx509_ca_tbs_set_template */
+#define HX509_CA_TEMPLATE_SUBJECT 1
+#define HX509_CA_TEMPLATE_SERIAL 2
+#define HX509_CA_TEMPLATE_NOTBEFORE 4
+#define HX509_CA_TEMPLATE_NOTAFTER 8
+#define HX509_CA_TEMPLATE_SPKI 16
+#define HX509_CA_TEMPLATE_KU 32
+#define HX509_CA_TEMPLATE_EKU 64
+
+/* flags hx509_cms_create_signed* */
+#define HX509_CMS_SIGATURE_DETACHED 1
+#define HX509_CMS_SIGATURE_ID_NAME 2
+
+/* hx509_verify_hostname nametype */
+typedef enum  {
+    HX509_HN_HOSTNAME = 0,
+    HX509_HN_DNSSRV
+} hx509_hostname_type;
+
+#include <hx509-protos.h>
diff --git a/crypto/heimdal/lib/hx509/hx509_err.et b/crypto/heimdal/lib/hx509/hx509_err.et
new file mode 100644
index 0000000..8fc5cb8
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/hx509_err.et
@@ -0,0 +1,101 @@
+#
+# Error messages for the hx509 library
+#
+# This might look like a com_err file, but is not
+#
+id "$Id: hx509_err.et 22329 2007-12-15 05:13:14Z lha $"
+
+error_table hx
+prefix HX509
+
+# path validateion and construction related errors
+error_code BAD_TIMEFORMAT,	"ASN.1 failed call to system time library"
+error_code EXTENSION_NOT_FOUND,	"Extension not found"
+error_code NO_PATH,		"Certification path not found"
+error_code PARENT_NOT_CA,	"Parent certificate is not a CA"
+error_code CA_PATH_TOO_DEEP,	"CA path too deep"
+error_code SIG_ALG_NO_SUPPORTED, "Signature algorithm not supported"
+error_code SIG_ALG_DONT_MATCH_KEY_ALG, "Signature algorithm doesn't match certificate key"
+error_code CERT_USED_BEFORE_TIME, "Certificate used before it became valid"
+error_code CERT_USED_AFTER_TIME, "Certificate used after it became invalid"
+error_code PRIVATE_KEY_MISSING,	"Private key required for the operation is missing"
+error_code ALG_NOT_SUPP, 	"Algorithm not supported"
+error_code ISSUER_NOT_FOUND, 	"Issuer couldn't be found"
+error_code VERIFY_CONSTRAINTS,	"Error verifing constraints"
+error_code RANGE,		"Number too large"
+error_code NAME_CONSTRAINT_ERROR, "Error while verifing name constraints"
+error_code PATH_TOO_LONG, "Path is too long, failed to find valid anchor"
+error_code KU_CERT_MISSING, "Required keyusage for this certificate is missing"
+error_code CERT_NOT_FOUND, "Certificate not found"
+error_code UNKNOWN_LOCK_COMMAND, "Unknown lock command"
+error_code PARENT_IS_CA, "Parent certificate is a CA"
+error_code EXTRA_DATA_AFTER_STRUCTURE, "Extra data was found after the structure"
+error_code PROXY_CERT_INVALID, "Proxy certificate is invalid"
+error_code PROXY_CERT_NAME_WRONG, "Proxy certificate name is wrong"
+error_code NAME_MALFORMED, "Name is malformated"
+error_code CERTIFICATE_MALFORMED, "Certificate is malformated"
+error_code CERTIFICATE_MISSING_EKU, "Certificate is missing a required EKU"
+error_code PROXY_CERTIFICATE_NOT_CANONICALIZED, "Proxy certificate not canonicalize" 
+
+# cms related errors
+index 32
+prefix HX509_CMS
+error_code FAILED_CREATE_SIGATURE, "Failed to create signature"
+error_code MISSING_SIGNER_DATA, "Missing signer data"
+error_code SIGNER_NOT_FOUND, "Couldn't find signers certificate"
+error_code NO_DATA_AVAILABLE, "No data to perform the operation on"
+error_code INVALID_DATA, "Data in the message is invalid"
+error_code PADDING_ERROR, "Padding in the message invalid"
+error_code NO_RECIPIENT_CERTIFICATE, "Couldn't find recipient certificate"
+error_code DATA_OID_MISMATCH, "Mismatch bewteen signed type and unsigned type"
+
+# crypto related errors
+index 64
+prefix HX509_CRYPTO
+error_code INTERNAL_ERROR, "Internal error in the crypto engine"
+error_code EXTERNAL_ERROR, "External error in the crypto engine"
+error_code SIGNATURE_MISSING, "Signature missing for data"
+error_code BAD_SIGNATURE, "Signature is not valid"
+error_code SIG_NO_CONF, "Sigature doesn't provide confidentiality"
+error_code SIG_INVALID_FORMAT, "Invalid format on signature"
+error_code OID_MISMATCH, "Mismatch bewteen oids"
+error_code NO_PROMPTER, "No prompter function defined"
+error_code SIGNATURE_WITHOUT_SIGNER, "Signature require signer, but non available"
+error_code RSA_PUBLIC_ENCRYPT, "RSA public encyption failed"
+error_code RSA_PRIVATE_ENCRYPT, "RSA public encyption failed"
+error_code RSA_PUBLIC_DECRYPT, "RSA private decryption failed"
+error_code RSA_PRIVATE_DECRYPT, "RSA private decryption failed"
+
+# revoke related errors
+index 96
+prefix HX509
+error_code CRL_USED_BEFORE_TIME, "CRL used before it became valid"
+error_code CRL_USED_AFTER_TIME, "CRL used after it became invalid"
+error_code CRL_INVALID_FORMAT, "CRL have invalid format"
+error_code CERT_REVOKED, "Certificate is revoked"
+error_code REVOKE_STATUS_MISSING, "No revoke status found for certificates"
+error_code CRL_UNKNOWN_EXTENSION, "Unknown extension"
+error_code REVOKE_WRONG_DATA, "Got wrong CRL/OCSP data from server"
+error_code REVOKE_NOT_SAME_PARENT, "Doesn't have same parent as other certificates"
+error_code CERT_NOT_IN_OCSP, "Certificates not in OCSP reply"
+
+# misc error
+index 108
+error_code LOCAL_ATTRIBUTE_MISSING, "No local key attribute"
+error_code PARSING_KEY_FAILED, "Failed to parse key"
+error_code UNSUPPORTED_OPERATION, "Unsupported operation"
+error_code UNIMPLEMENTED_OPERATION, "Unimplemented operation"
+error_code PARSING_NAME_FAILED, "Failed to parse name"
+
+# keystore related error
+index 128
+prefix HX509_PKCS11
+error_code NO_SLOT,  "No smartcard reader/device found"
+error_code NO_TOKEN,  "No smartcard in reader"
+error_code NO_MECH,  "No supported mech(s)"
+error_code TOKEN_CONFUSED,  "Token or slot failed in inconsistent way"
+error_code OPEN_SESSION,  "Failed to open session to slot"
+error_code LOGIN,  "Failed to login to slot"
+error_code LOAD,  "Failed to load PKCS module"
+
+end
diff --git a/crypto/heimdal/lib/hx509/hx_locl.h b/crypto/heimdal/lib/hx509/hx_locl.h
new file mode 100644
index 0000000..145bfcc
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/hx_locl.h
@@ -0,0 +1,199 @@
+/*
+ * Copyright (c) 2004 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: hx_locl.h 21083 2007-06-13 02:11:19Z lha $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <errno.h>
+#include <strings.h>
+#include <assert.h>
+#include <stdarg.h>
+#include <err.h>
+#include <getarg.h>
+#include <base64.h>
+#include <hex.h>
+#include <roken.h>
+#include <com_err.h>
+#include <parse_units.h>
+#include <parse_bytes.h>
+
+#include <krb5-types.h>
+
+#include <rfc2459_asn1.h>
+#include <cms_asn1.h>
+#include <pkcs8_asn1.h>
+#include <pkcs9_asn1.h>
+#include <pkcs12_asn1.h>
+#include <ocsp_asn1.h>
+#include <pkcs10_asn1.h>
+#include <asn1_err.h>
+#include <pkinit_asn1.h>
+
+#include <der.h>
+
+#include "crypto-headers.h"
+
+struct hx509_keyset_ops;
+struct hx509_collector;
+struct hx509_generate_private_context;
+typedef struct hx509_path hx509_path;
+
+#include <hx509.h>
+
+typedef void (*_hx509_cert_release_func)(struct hx509_cert_data *, void *);
+
+typedef struct hx509_private_key_ops hx509_private_key_ops;
+
+#include <hx509-private.h>
+#include <hx509_err.h>
+
+struct hx509_peer_info {
+    hx509_cert cert;
+    AlgorithmIdentifier *val;
+    size_t len;
+};
+
+#define HX509_CERTS_FIND_SERIALNUMBER		1
+#define HX509_CERTS_FIND_ISSUER			2
+#define HX509_CERTS_FIND_SUBJECT		4
+#define HX509_CERTS_FIND_ISSUER_KEY_ID		8
+#define HX509_CERTS_FIND_SUBJECT_KEY_ID		16
+
+struct hx509_name_data {
+    Name der_name;
+};
+
+struct hx509_path {
+    size_t len;
+    hx509_cert *val;
+};
+
+struct hx509_query_data {
+    int match;
+#define HX509_QUERY_FIND_ISSUER_CERT		0x000001
+#define HX509_QUERY_MATCH_SERIALNUMBER		0x000002
+#define HX509_QUERY_MATCH_ISSUER_NAME		0x000004
+#define HX509_QUERY_MATCH_SUBJECT_NAME		0x000008
+#define HX509_QUERY_MATCH_SUBJECT_KEY_ID	0x000010
+#define HX509_QUERY_MATCH_ISSUER_ID		0x000020
+#define HX509_QUERY_PRIVATE_KEY			0x000040
+#define HX509_QUERY_KU_ENCIPHERMENT		0x000080
+#define HX509_QUERY_KU_DIGITALSIGNATURE		0x000100
+#define HX509_QUERY_KU_KEYCERTSIGN		0x000200
+#define HX509_QUERY_KU_CRLSIGN			0x000400
+#define HX509_QUERY_KU_NONREPUDIATION		0x000800
+#define HX509_QUERY_KU_KEYAGREEMENT		0x001000
+#define HX509_QUERY_KU_DATAENCIPHERMENT		0x002000
+#define HX509_QUERY_ANCHOR			0x004000
+#define HX509_QUERY_MATCH_CERTIFICATE		0x008000
+#define HX509_QUERY_MATCH_LOCAL_KEY_ID		0x010000
+#define HX509_QUERY_NO_MATCH_PATH		0x020000
+#define HX509_QUERY_MATCH_FRIENDLY_NAME		0x040000
+#define HX509_QUERY_MATCH_FUNCTION		0x080000
+#define HX509_QUERY_MATCH_KEY_HASH_SHA1		0x100000
+#define HX509_QUERY_MATCH_TIME			0x200000
+#define HX509_QUERY_MASK			0x3fffff
+    Certificate *subject;
+    Certificate *certificate;
+    heim_integer *serial;
+    heim_octet_string *subject_id;
+    heim_octet_string *local_key_id;
+    Name *issuer_name;
+    Name *subject_name;
+    hx509_path *path;
+    char *friendlyname;
+    int (*cmp_func)(void *, hx509_cert);
+    void *cmp_func_ctx;
+    heim_octet_string *keyhash_sha1;
+    time_t timenow;
+};
+
+struct hx509_keyset_ops {
+    const char *name;
+    int flags;
+    int (*init)(hx509_context, hx509_certs, void **, 
+		int, const char *, hx509_lock);
+    int (*store)(hx509_context, hx509_certs, void *, int, hx509_lock);
+    int (*free)(hx509_certs, void *);
+    int (*add)(hx509_context, hx509_certs, void *, hx509_cert);
+    int (*query)(hx509_context, hx509_certs, void *, 
+		 const hx509_query *, hx509_cert *);
+    int (*iter_start)(hx509_context, hx509_certs, void *, void **);
+    int (*iter)(hx509_context, hx509_certs, void *, void *, hx509_cert *);
+    int (*iter_end)(hx509_context, hx509_certs, void *, void *);
+    int (*printinfo)(hx509_context, hx509_certs, 
+		     void *, int (*)(void *, const char *), void *);
+    int (*getkeys)(hx509_context, hx509_certs, void *, hx509_private_key **);
+    int (*addkey)(hx509_context, hx509_certs, void *, hx509_private_key);
+};
+
+struct _hx509_password {
+    size_t len;
+    char **val;
+};
+
+extern hx509_lock _hx509_empty_lock;
+
+struct hx509_context_data {
+    struct hx509_keyset_ops **ks_ops;
+    int ks_num_ops;
+    int flags;
+#define HX509_CTX_VERIFY_MISSING_OK	1
+    int ocsp_time_diff;
+#define HX509_DEFAULT_OCSP_TIME_DIFF	(5*60)
+    hx509_error error;
+    struct et_list *et_list;
+    char *querystat;
+    hx509_certs default_trust_anchors;
+};
+
+/* _hx509_calculate_path flag field */
+#define HX509_CALCULATE_PATH_NO_ANCHOR 1
+
+extern const AlgorithmIdentifier * _hx509_crypto_default_sig_alg;
+extern const AlgorithmIdentifier * _hx509_crypto_default_digest_alg;
+extern const AlgorithmIdentifier * _hx509_crypto_default_secret_alg;
+
+/*
+ * Configurable options
+ */
+
+#ifdef __APPLE__
+#define HX509_DEFAULT_ANCHORS "KEYCHAIN:system-anchors"
+#endif
diff --git a/crypto/heimdal/lib/hx509/hxtool-commands.in b/crypto/heimdal/lib/hx509/hxtool-commands.in
new file mode 100644
index 0000000..b648ecf
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/hxtool-commands.in
@@ -0,0 +1,707 @@
+/*
+ * Copyright (c) 2005 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+/* $Id: hxtool-commands.in 21343 2007-06-26 14:21:55Z lha $ */
+
+command = {
+	name = "cms-create-sd"
+	option = {
+		long = "certificate"
+		short = "c"
+		type = "strings"
+		argument = "certificate-store"
+		help = "certificate stores to pull certificates from"
+	}
+	option = {
+		long = "signer"
+		short = "s"
+		type = "string"
+		argument = "signer-friendly-name"
+		help = "certificate to sign with"
+	}
+	option = {
+		long = "anchors"
+		type = "strings"
+		argument = "certificate-store"
+		help = "trust anchors"
+	}
+	option = {
+		long = "pool"
+		type = "strings"
+		argument = "certificate-pool"
+		help = "certificate store to pull certificates from"
+	}
+	option = {
+		long = "pass"
+		type = "strings"
+		argument = "password"
+		help = "password, prompter, or environment"
+	}
+	option = {
+		long = "peer-alg"
+		type = "strings"
+		argument = "oid"
+		help = "oid that the peer support"
+	}
+	option = {
+		long = "content-type"
+		type = "string"
+		argument = "oid"
+		help = "content type oid"
+	}
+	option = {
+		long = "content-info"
+		type = "flag"
+		help = "wrapped out-data in a ContentInfo"
+	}
+	option = {
+		long = "pem"
+		type = "flag"
+		help = "wrap out-data in PEM armor"
+	}
+	option = {
+		long = "detached-signature"
+		type = "flag"
+		help = "create a detached signature"
+	}
+	option = {
+		long = "id-by-name"
+		type = "flag"
+		help = "use subject name for CMS Identifier"
+	}
+	min_args="2"
+	max_args="2"
+	argument="in-file out-file"
+	help = "Wrap a file within a SignedData object"
+}
+command = {
+	name = "cms-verify-sd"
+	option = {
+		long = "anchors"
+		type = "strings"
+		argument = "certificate-store"
+		help = "trust anchors"
+	}
+	option = {
+		long = "certificate"
+		short = "c"
+		type = "strings"
+		argument = "certificate-store"
+		help = "certificate store to pull certificates from"
+	}
+	option = {
+		long = "pass"
+		type = "strings"
+		argument = "password"
+		help = "password, prompter, or environment"
+	}
+	option = {
+		long = "missing-revoke"
+		type = "flag"
+		help = "missing CRL/OCSP is ok"
+	}
+	option = {
+		long = "content-info"
+		type = "flag"
+		help = "unwrap in-data that's in a ContentInfo"
+	}
+	option = {
+		long = "signed-content"
+		type = "string"
+		help = "file containing content"
+	}
+	min_args="2"
+	max_args="2"
+	argument="in-file out-file"
+	help = "Verify a file within a SignedData object"
+}
+command = {
+	name = "cms-unenvelope"
+	option = {
+		long = "certificate"
+		short = "c"
+		type = "strings"
+		argument = "certificate-store"
+		help = "certificate used to decrypt the data"
+	}
+	option = {
+		long = "pass"
+		type = "strings"
+		argument = "password"
+		help = "password, prompter, or environment"
+	}
+	option = {
+		long = "content-info"
+		type = "flag"
+		help = "wrapped out-data in a ContentInfo"
+	}
+	min_args="2"
+	argument="in-file out-file"
+	help = "Unenvelope a file containing a EnvelopedData object"
+}
+command = {
+	name = "cms-envelope"
+	function = "cms_create_enveloped"
+	option = {
+		long = "certificate"
+		short = "c"
+		type = "strings"
+		argument = "certificate-store"
+		help = "certificates used to receive the data"
+	}
+	option = {
+		long = "pass"
+		type = "strings"
+		argument = "password"
+		help = "password, prompter, or environment"
+	}
+	option = {
+		long = "encryption-type"
+		type = "string"
+		argument = "enctype"
+		help = "enctype"
+	}
+	option = {
+		long = "content-type"
+		type = "string"
+		argument = "oid"
+		help = "content type oid"
+	}
+	option = {
+		long = "content-info"
+		type = "flag"
+		help = "wrapped out-data in a ContentInfo"
+	}
+	min_args="2"
+	argument="in-file out-file"
+	help = "Envelope a file containing a EnvelopedData object"
+}
+command = {
+	name = "verify"
+	function = "pcert_verify"
+	option = {
+		long = "pass"
+		type = "strings"
+		argument = "password"
+		help = "password, prompter, or environment"
+	}
+	option = {
+		long = "allow-proxy-certificate"
+		type = "flag"
+		help = "allow proxy certificates"
+	}
+	option = {
+		long = "missing-revoke"
+		type = "flag"
+		help = "missing CRL/OCSP is ok"
+	}
+	option = {
+		long = "time"
+		type = "string"
+		help = "time when to validate the chain"
+	}
+	option = {
+		long = "verbose"
+		short = "v"
+		type = "flag"
+		help = "verbose logging"
+	}
+	option = {
+		long = "max-depth"
+		type = "integer"
+		help = "maximum search length of certificate trust anchor"
+	}
+	option = {
+		long = "hostname"
+		type = "string"
+		help = "match hostname to certificate"
+	}
+	argument = "cert:foo chain:cert1 chain:cert2 anchor:anchor1 anchor:anchor2"
+	help = "Verify certificate chain"
+}
+command = {
+	name = "print"
+	function = "pcert_print"
+	option = {
+		long = "pass"
+		type = "strings"
+		argument = "password"
+		help = "password, prompter, or environment"
+	}
+	option = {
+		long = "content"
+		type = "flag"
+		help = "print the content of the certificates"
+	}
+	option = {
+		long = "info"
+		type = "flag"
+		help = "print the information about the certificate store"
+	}
+	min_args="1"
+	argument="certificate ..."
+	help = "Print certificates"
+}
+command = {
+	name = "validate"
+	function = "pcert_validate"
+	option = {
+		long = "pass"
+		type = "strings"
+		argument = "password"
+		help = "password, prompter, or environment"
+	}
+	min_args="1"
+	argument="certificate ..."
+	help = "Validate content of certificates"
+}
+command = {
+	name = "certificate-copy"
+	name = "cc"
+	option = {
+		long = "in-pass"
+		type = "strings"
+		argument = "password"
+		help = "password, prompter, or environment"
+	}
+	option = {
+		long = "out-pass"
+		type = "string"
+		argument = "password"
+		help = "password, prompter, or environment"
+	}
+	min_args="2"
+	argument="in-certificates-1 ... out-certificate"
+	help = "Copy in certificates stores into out certificate store"
+}
+command = {
+	name = "ocsp-fetch"
+	option = {
+		long = "pass"
+		type = "strings"
+		argument = "password"
+		help = "password, prompter, or environment"
+	}
+	option = {
+		long = "sign"
+		type = "string"
+		argument = "certificate"
+		help = "certificate use to sign the request"
+	}
+	option = {
+		long = "url-path"
+		type = "string"
+		argument = "url"
+		help = "part after host in url to put in the request"
+	}
+	option = {
+		long = "nonce"
+		type = "-flag"
+		default = "1"
+		help = "don't include nonce in request"
+	}
+	option = {
+		long = "pool"
+		type = "strings"
+		argument = "certificate-store"
+		help = "pool to find parent certificate in"
+	}
+	min_args="2"
+	argument="outfile certs ..."
+	help = "Fetch OCSP responses for the following certs"
+}
+command = {
+	option = {
+		long = "ocsp-file"
+		type = "string"
+		help = "OCSP file"
+	}
+	name = "ocsp-verify"
+	min_args="1"
+	argument="certificates ..."
+	help = "Check that certificates are in OCSP file and valid"
+}
+command = {
+	name = "ocsp-print"
+	option = {
+		long = "verbose"
+		type = "flag"
+		help = "verbose"
+	}
+	min_args="1"
+	argument="ocsp-response-file ..."
+	help = "Print the OCSP responses"
+}
+command = {
+	name = "request-create"
+	option = {
+		long = "subject"
+		type = "string"
+		help = "Subject DN"
+	}
+	option = {
+		long = "email"
+		type = "strings"
+		help = "Email address in SubjectAltName"
+	}
+	option = {
+		long = "dnsname"
+		type = "strings"
+		help = "Hostname or domainname in SubjectAltName"
+	}
+	option = {
+		long = "type"
+		type = "string"
+		help = "Type of request CRMF or PKCS10, defaults to PKCS10"
+	}
+	option = {
+		long = "key"
+		type = "string"
+		help = "Key-pair"
+	}
+	option = {
+		long = "generate-key"
+		type = "string"
+		help = "keytype"
+	}
+	option = {
+	        long = "key-bits"
+		type = "integer"
+		help = "number of bits in the generated key";
+	}
+	option = {
+		long = "verbose"
+		type = "flag"
+		help = "verbose status"
+	}
+	min_args="1"
+	max_args="1"
+	argument="output-file"
+	help = "Create a CRMF or PKCS10 request"
+}
+command = {
+	name = "request-print"
+	option = {
+		long = "verbose"
+		type = "flag"
+		help = "verbose printing"
+	}
+	min_args="1"
+	argument="requests ..."
+	help = "Print requests"
+}
+command = {
+	name = "query"
+	option = {
+		long = "exact"
+		type = "flag"
+		help = "exact match"
+	}
+	option = {
+		long = "private-key"
+		type = "flag"
+		help = "search for private key"
+	}
+	option = {
+		long = "friendlyname"
+		type = "string"
+		argument = "name"
+		help = "match on friendly name"
+	}
+	option = {
+		long = "keyEncipherment"
+		type = "flag"
+		help = "match keyEncipherment certificates"
+	}
+	option = {
+		long = "digitalSignature"
+		type = "flag"
+		help = "match digitalSignature certificates"
+	}
+	option = {
+		long = "print"
+		type = "flag"
+		help = "print matches"
+	}
+	option = {
+		long = "pass"
+		type = "strings"
+		argument = "password"
+		help = "password, prompter, or environment"
+	}
+	min_args="1"
+	argument="certificates ..."
+	help = "Query the certificates for a match"
+}
+command = {
+	name = "info"
+}
+command = {
+	name = "random-data"
+	min_args="1"
+	argument="bytes"
+	help = "Generates random bytes and prints them to standard output"
+}
+command = {
+	option = {
+		long = "type"
+		type = "string"
+		help = "type of CMS algorithm"
+	}
+	name = "crypto-available"
+	min_args="0"
+	help = "Print available CMS crypto types"
+}
+command = {
+	option = {
+		long = "type"
+		type = "string"
+		help = "type of CMS algorithm"
+	}
+	option = {
+		long = "certificate"
+		type = "string"
+		help = "source certificate limiting the choices"
+	}
+	option = {
+		long = "peer-cmstype"
+		type = "strings"
+		help = "peer limiting cmstypes"
+	}
+	name = "crypto-select"
+	min_args="0"
+	help = "Print selected CMS type"
+}
+command = {
+	option = {
+		long = "decode"
+		short = "d"
+		type = "flag"
+		help = "decode instead of encode"
+	}
+	name = "hex"
+	function = "hxtool_hex"
+	min_args="0"
+	help = "Encode input to hex"
+}
+command = {
+	option = {
+		long = "issue-ca"
+		type = "flag"
+		help = "Issue a CA certificate"
+	}
+	option = {
+		long = "issue-proxy"
+		type = "flag"
+		help = "Issue a proxy certificate"
+	}
+	option = {
+		long = "domain-controller"
+		type = "flag"
+		help = "Issue a MS domaincontroller certificate"
+	}
+	option = {
+		long = "subject"
+		type = "string"
+		help = "Subject of issued certificate"
+	}
+	option = {
+		long = "ca-certificate"
+		type = "string"
+		help = "Issuing CA certificate"
+	}
+	option = {
+		long = "self-signed"
+		type = "flag"
+		help = "Issuing a self-signed certificate"
+	}
+	option = {
+		long = "ca-private-key"
+		type = "string"
+		help = "Private key for self-signed certificate"
+	}
+	option = {
+		long = "certificate"
+		type = "string"
+		help = "Issued certificate"
+	}
+	option = {
+		long = "type"
+		type = "strings"
+		help = "Type of certificate to issue"
+	}
+	option = {
+		long = "lifetime"
+		type = "string"
+		help = "Lifetime of certificate"
+	}
+	option = {
+		long = "serial-number"
+		type = "string"
+		help = "serial-number of certificate"
+	}
+	option = {
+		long = "path-length"
+		default = "-1"
+		type = "integer"
+		help = "Maximum path length (CA and proxy certificates), -1 no limit"
+	}
+	option = {
+		long = "hostname"
+		type = "strings"
+		help = "DNS names this certificate is allowed to serve"
+	}
+	option = {
+		long = "email"
+		type = "strings"
+		help = "email addresses assigned to this certificate"
+	}
+	option = {
+		long = "pk-init-principal"
+		type = "string"
+		help = "PK-INIT principal (for SAN)"
+	}
+	option = {
+		long = "ms-upn"
+		type = "string"
+		help = "Microsoft UPN (for SAN)"
+	}
+	option = {
+		long = "jid"
+		type = "string"
+		help = "XMPP jabber id (for SAN)"
+	}
+	option = {
+		long = "req"
+		type = "string"
+		help = "certificate request"
+	}
+	option = {
+		long = "certificate-private-key"
+		type = "string"
+		help = "private-key"
+	}
+	option = {
+		long = "generate-key"
+		type = "string"
+		help = "keytype"
+	}
+	option = {
+	        long = "key-bits"
+		type = "integer"
+		help = "number of bits in the generated key"
+	}
+	option = {
+	        long = "crl-uri"
+		type = "string"
+		help = "URI to CRL"
+	}
+	option = {
+		long = "template-certificate"
+		type = "string"
+		help = "certificate"
+	}
+	option = {
+		long = "template-fields"
+		type = "string"
+		help = "flag"
+	}
+	name = "certificate-sign"
+	name = "cert-sign"
+	name = "issue-certificate"
+	name = "ca"
+	function = "hxtool_ca"
+	min_args="0"
+	help = "Issue a certificate"
+}
+command = {
+	name = "test-crypto"
+	option = {
+		long = "pass"
+		type = "strings"
+		argument = "password"
+		help = "password, prompter, or environment"
+	}
+	option = {
+		long = "verbose"
+		type = "flag"
+		help = "verbose printing"
+	}
+	min_args="1"
+	argument="certificates..."
+	help = "Test crypto system related to the certificates"
+}
+command = {
+	option = {
+		long = "type"
+		type = "integer"
+		help = "type of statistics"
+	}
+	name = "statistic-print"
+	min_args="0"
+	help = "Print statistics"
+}
+command = {
+	option = {
+		long = "signer"
+		type = "string"
+		help = "signer certificate"
+	}
+	option = {
+		long = "pass"
+		type = "strings"
+		argument = "password"
+		help = "password, prompter, or environment"
+	}
+	option = {
+		long = "crl-file"
+		type = "string"
+		help = "CRL output file"
+	}
+	option = {
+		long = "lifetime"
+		type = "string"
+		help = "time the crl will be valid"
+	}
+	name = "crl-sign"
+	min_args="0"
+	argument="certificates..."
+	help = "Create a CRL"
+}
+command = {
+	name = "help"
+	name = "?"
+	argument = "[command]"
+	min_args = "0"
+	max_args = "1"
+	help = "Help! I need somebody"
+}
diff --git a/crypto/heimdal/lib/hx509/hxtool.c b/crypto/heimdal/lib/hx509/hxtool.c
new file mode 100644
index 0000000..55410b1
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/hxtool.c
@@ -0,0 +1,1986 @@
+/*
+ * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hx_locl.h"
+RCSID("$Id: hxtool.c 22333 2007-12-17 01:03:43Z lha $");
+
+#include <hxtool-commands.h>
+#include <sl.h>
+#include <parse_time.h>
+
+static hx509_context context;
+
+static char *stat_file_string;
+static int version_flag;
+static int help_flag;
+
+struct getargs args[] = {
+    { "statistic-file", 0, arg_string, &stat_file_string },
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int code)
+{
+    arg_printusage(args, num_args, NULL, "command");
+    printf("Use \"%s help\" to get more help\n", getprogname());
+    exit(code);
+}
+
+/*
+ *
+ */
+
+static void
+lock_strings(hx509_lock lock, getarg_strings *pass)
+{
+    int i;
+    for (i = 0; i < pass->num_strings; i++) {
+	int ret = hx509_lock_command_string(lock, pass->strings[i]);
+	if (ret)
+	    errx(1, "hx509_lock_command_string: %s: %d", 
+		 pass->strings[i], ret);
+    }
+}
+
+/*
+ *
+ */
+
+static void
+certs_strings(hx509_context context, const char *type, hx509_certs certs,
+	      hx509_lock lock, const getarg_strings *s)
+{
+    int i, ret;
+
+    for (i = 0; i < s->num_strings; i++) {
+	ret = hx509_certs_append(context, certs, lock, s->strings[i]);
+	if (ret)
+	    hx509_err(context, 1, ret,
+		      "hx509_certs_append: %s %s", type, s->strings[i]);
+    }
+}
+
+/*
+ *
+ */
+
+static void
+parse_oid(const char *str, const heim_oid *def, heim_oid *oid)
+{
+    int ret;
+    if (str)
+	ret = der_parse_heim_oid (str, " .", oid);
+    else
+	ret = der_copy_oid(def, oid);
+    if  (ret)
+	errx(1, "parse_oid failed for: %s", str ? str : "default oid");
+}
+
+/*
+ *
+ */
+
+static void
+peer_strings(hx509_context context,
+	     hx509_peer_info *peer, 
+	     const getarg_strings *s)
+{
+    AlgorithmIdentifier *val;
+    int ret, i;
+    
+    ret = hx509_peer_info_alloc(context, peer);
+    if (ret)
+	hx509_err(context, 1, ret, "hx509_peer_info_alloc");
+    
+    val = calloc(s->num_strings, sizeof(*val));
+    if (val == NULL)
+	err(1, "malloc");
+
+    for (i = 0; i < s->num_strings; i++)
+	parse_oid(s->strings[i], NULL, &val[i].algorithm);
+	    
+    ret = hx509_peer_info_set_cms_algs(context, *peer, val, s->num_strings);
+    if (ret)
+	hx509_err(context, 1, ret, "hx509_peer_info_set_cms_algs");
+
+    for (i = 0; i < s->num_strings; i++)
+	free_AlgorithmIdentifier(&val[i]);
+    free(val);
+}
+
+/*
+ *
+ */
+
+int
+cms_verify_sd(struct cms_verify_sd_options *opt, int argc, char **argv)
+{
+    hx509_verify_ctx ctx = NULL;
+    heim_oid type;
+    heim_octet_string c, co, signeddata, *sd = NULL;
+    hx509_certs store = NULL;
+    hx509_certs signers = NULL;
+    hx509_certs anchors = NULL;
+    hx509_lock lock;
+    int ret;
+
+    size_t sz;
+    void *p;
+
+    if (opt->missing_revoke_flag)
+	hx509_context_set_missing_revoke(context, 1);
+
+    hx509_lock_init(context, &lock);
+    lock_strings(lock, &opt->pass_strings);
+
+    ret = _hx509_map_file(argv[0], &p, &sz, NULL);
+    if (ret)
+	err(1, "map_file: %s: %d", argv[0], ret);
+
+    if (opt->signed_content_string) {
+	ret = _hx509_map_file_os(opt->signed_content_string, &signeddata, NULL);
+	if (ret)
+	    err(1, "map_file: %s: %d", opt->signed_content_string, ret);
+	sd = &signeddata;
+    }
+
+    ret = hx509_verify_init_ctx(context, &ctx);
+
+    ret = hx509_certs_init(context, "MEMORY:cms-anchors", 0, NULL, &anchors);
+    ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &store);
+
+    certs_strings(context, "anchors", anchors, lock, &opt->anchors_strings);
+    certs_strings(context, "store", store, lock, &opt->certificate_strings);
+
+    co.data = p;
+    co.length = sz;
+
+    if (opt->content_info_flag) {
+	heim_octet_string uwco;
+	heim_oid oid;
+
+	ret = hx509_cms_unwrap_ContentInfo(&co, &oid, &uwco, NULL);
+	if (ret)
+	    errx(1, "hx509_cms_unwrap_ContentInfo: %d", ret);
+
+	if (der_heim_oid_cmp(&oid, oid_id_pkcs7_signedData()) != 0)
+	    errx(1, "Content is not SignedData");
+	der_free_oid(&oid);
+
+	co = uwco;
+    }
+
+    hx509_verify_attach_anchors(ctx, anchors);
+
+    ret = hx509_cms_verify_signed(context, ctx, co.data, co.length, sd,
+				  store, &type, &c, &signers);
+    if (co.data != p)
+	der_free_octet_string(&co);
+    if (ret)
+	hx509_err(context, 1, ret, "hx509_cms_verify_signed");
+
+    {
+	char *str;
+	der_print_heim_oid(&type, '.', &str);
+	printf("type: %s\n", str);
+	free(str);
+	der_free_oid(&type);
+    }
+    printf("signers:\n");
+    hx509_certs_iter(context, signers, hx509_ci_print_names, stdout);
+
+    hx509_verify_destroy_ctx(ctx);
+
+    hx509_certs_free(&store);
+    hx509_certs_free(&signers);
+    hx509_certs_free(&anchors);
+
+    hx509_lock_free(lock);
+
+    ret = _hx509_write_file(argv[1], c.data, c.length);
+    if (ret)
+	errx(1, "hx509_write_file: %d", ret);
+
+    der_free_octet_string(&c);
+    _hx509_unmap_file(p, sz);
+    if (sd)
+	_hx509_unmap_file_os(sd);
+
+    return 0;
+}
+
+int
+cms_create_sd(struct cms_create_sd_options *opt, int argc, char **argv)
+{
+    heim_oid contentType;
+    hx509_peer_info peer = NULL;
+    heim_octet_string o;
+    hx509_query *q;
+    hx509_lock lock;
+    hx509_certs store, pool, anchors;
+    hx509_cert cert;
+    size_t sz;
+    void *p;
+    int ret, flags = 0;
+    char *signer_name = NULL;
+
+    memset(&contentType, 0, sizeof(contentType));
+
+    if (argc < 2)
+	errx(1, "argc < 2");
+
+    hx509_lock_init(context, &lock);
+    lock_strings(lock, &opt->pass_strings);
+
+    ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &store);
+    ret = hx509_certs_init(context, "MEMORY:cert-pool", 0, NULL, &pool);
+
+    certs_strings(context, "store", store, lock, &opt->certificate_strings);
+    certs_strings(context, "pool", pool, lock, &opt->pool_strings);
+
+    if (opt->anchors_strings.num_strings) {
+	ret = hx509_certs_init(context, "MEMORY:cert-anchors", 
+			       0, NULL, &anchors);
+	certs_strings(context, "anchors", anchors, lock, &opt->anchors_strings);
+    } else
+	anchors = NULL;
+
+    if (opt->detached_signature_flag)
+	flags |= HX509_CMS_SIGATURE_DETACHED;
+    if (opt->id_by_name_flag)
+	flags |= HX509_CMS_SIGATURE_ID_NAME;
+
+    ret = hx509_query_alloc(context, &q);
+    if (ret)
+	errx(1, "hx509_query_alloc: %d", ret);
+
+    hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
+    hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+			     
+    if (opt->signer_string)
+	hx509_query_match_friendly_name(q, opt->signer_string);
+
+    ret = hx509_certs_find(context, store, q, &cert);
+    hx509_query_free(context, q);
+    if (ret)
+	hx509_err(context, 1, ret, "hx509_certs_find");
+
+    ret = _hx509_map_file(argv[0], &p, &sz, NULL);
+    if (ret)
+	err(1, "map_file: %s: %d", argv[0], ret);
+
+    if (opt->peer_alg_strings.num_strings)
+	peer_strings(context, &peer, &opt->peer_alg_strings);
+
+    parse_oid(opt->content_type_string, oid_id_pkcs7_data(), &contentType);
+
+    ret = hx509_cms_create_signed_1(context,
+				    flags,
+				    &contentType,
+				    p,
+				    sz, 
+				    NULL,
+				    cert,
+				    peer,
+				    anchors,
+				    pool,
+				    &o);
+    if (ret)
+	errx(1, "hx509_cms_create_signed: %d", ret);
+
+    {
+	hx509_name name;
+	
+	ret = hx509_cert_get_subject(cert, &name);
+	if (ret)
+	    errx(1, "hx509_cert_get_subject");
+	
+	ret = hx509_name_to_string(name, &signer_name);
+	hx509_name_free(&name);
+	if (ret)
+	    errx(1, "hx509_name_to_string");
+    }
+
+
+    hx509_certs_free(&anchors);
+    hx509_certs_free(&pool);
+    hx509_cert_free(cert);
+    hx509_certs_free(&store);
+    _hx509_unmap_file(p, sz);
+    hx509_lock_free(lock);
+    hx509_peer_info_free(peer);
+    der_free_oid(&contentType);
+
+    if (opt->content_info_flag) {
+	heim_octet_string wo;
+
+	ret = hx509_cms_wrap_ContentInfo(oid_id_pkcs7_signedData(), &o, &wo);
+	if (ret)
+	    errx(1, "hx509_cms_wrap_ContentInfo: %d", ret);
+
+	der_free_octet_string(&o);
+	o = wo;
+    }
+
+    if (opt->pem_flag) {
+	hx509_pem_header *header = NULL;
+	FILE *f;
+
+	hx509_pem_add_header(&header, "Content-disposition", 
+			     opt->detached_signature_flag ? "detached" : "inline");
+	hx509_pem_add_header(&header, "Signer", signer_name);
+
+	f = fopen(argv[1], "w");
+	if (f == NULL)
+	    err(1, "open %s", argv[1]);
+	
+	ret = hx509_pem_write(context, "CMS SIGNEDDATA", header, f, 
+			      o.data, o.length);
+	fclose(f);
+	hx509_pem_free_header(header);
+	if (ret)
+	    errx(1, "hx509_pem_write: %d", ret);
+
+    } else {
+	ret = _hx509_write_file(argv[1], o.data, o.length);
+	if (ret)
+	    errx(1, "hx509_write_file: %d", ret);
+    }
+
+    free(signer_name);
+    free(o.data);
+
+    return 0;
+}
+
+int
+cms_unenvelope(struct cms_unenvelope_options *opt, int argc, char **argv)
+{
+    heim_oid contentType = { 0, NULL };
+    heim_octet_string o, co;
+    hx509_certs certs;
+    size_t sz;
+    void *p;
+    int ret;
+    hx509_lock lock;
+
+    hx509_lock_init(context, &lock);
+    lock_strings(lock, &opt->pass_strings);
+
+    ret = _hx509_map_file(argv[0], &p, &sz, NULL);
+    if (ret)
+	err(1, "map_file: %s: %d", argv[0], ret);
+
+    co.data = p;
+    co.length = sz;
+
+    if (opt->content_info_flag) {
+	heim_octet_string uwco;
+	heim_oid oid;
+
+	ret = hx509_cms_unwrap_ContentInfo(&co, &oid, &uwco, NULL);
+	if (ret)
+	    errx(1, "hx509_cms_unwrap_ContentInfo: %d", ret);
+
+	if (der_heim_oid_cmp(&oid, oid_id_pkcs7_envelopedData()) != 0)
+	    errx(1, "Content is not SignedData");
+	der_free_oid(&oid);
+
+	co = uwco;
+    }
+
+    ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &certs);
+    if (ret)
+	errx(1, "hx509_certs_init: MEMORY: %d", ret);
+
+    certs_strings(context, "store", certs, lock, &opt->certificate_strings);
+
+    ret = hx509_cms_unenvelope(context, certs, 0, co.data, co.length,
+			       NULL, &contentType, &o);
+    if (co.data != p)
+	der_free_octet_string(&co);
+    if (ret)
+	hx509_err(context, 1, ret, "hx509_cms_unenvelope");
+
+    _hx509_unmap_file(p, sz);
+    hx509_lock_free(lock);
+    hx509_certs_free(&certs);
+    der_free_oid(&contentType);
+
+    ret = _hx509_write_file(argv[1], o.data, o.length);
+    if (ret)
+	errx(1, "hx509_write_file: %d", ret);
+
+    der_free_octet_string(&o);
+
+    return 0;
+}
+
+int
+cms_create_enveloped(struct cms_envelope_options *opt, int argc, char **argv)
+{
+    heim_oid contentType;
+    heim_octet_string o;
+    const heim_oid *enctype = NULL;
+    hx509_query *q;
+    hx509_certs certs;
+    hx509_cert cert;
+    int ret;
+    size_t sz;
+    void *p;
+    hx509_lock lock;
+
+    memset(&contentType, 0, sizeof(contentType));
+
+    hx509_lock_init(context, &lock);
+    lock_strings(lock, &opt->pass_strings);
+
+    ret = _hx509_map_file(argv[0], &p, &sz, NULL);
+    if (ret)
+	err(1, "map_file: %s: %d", argv[0], ret);
+
+    ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &certs);
+
+    certs_strings(context, "store", certs, lock, &opt->certificate_strings);
+
+    if (opt->encryption_type_string) {
+	enctype = hx509_crypto_enctype_by_name(opt->encryption_type_string);
+	if (enctype == NULL)
+	    errx(1, "encryption type: %s no found", 
+		 opt->encryption_type_string);
+    }
+
+    ret = hx509_query_alloc(context, &q);
+    if (ret)
+	errx(1, "hx509_query_alloc: %d", ret);
+
+    hx509_query_match_option(q, HX509_QUERY_OPTION_KU_ENCIPHERMENT);
+
+    ret = hx509_certs_find(context, certs, q, &cert);
+    hx509_query_free(context, q);
+    if (ret)
+	errx(1, "hx509_certs_find: %d", ret);
+
+    parse_oid(opt->content_type_string, oid_id_pkcs7_data(), &contentType);
+
+    ret = hx509_cms_envelope_1(context, 0, cert, p, sz, enctype, 
+			       &contentType, &o);
+    if (ret)
+	errx(1, "hx509_cms_envelope_1: %d", ret);
+
+    hx509_cert_free(cert);
+    hx509_certs_free(&certs);
+    _hx509_unmap_file(p, sz);
+    der_free_oid(&contentType);
+
+    if (opt->content_info_flag) {
+	heim_octet_string wo;
+
+	ret = hx509_cms_wrap_ContentInfo(oid_id_pkcs7_envelopedData(), &o, &wo);
+	if (ret)
+	    errx(1, "hx509_cms_wrap_ContentInfo: %d", ret);
+
+	der_free_octet_string(&o);
+	o = wo;
+    }
+
+    hx509_lock_free(lock);
+
+    ret = _hx509_write_file(argv[1], o.data, o.length);
+    if (ret)
+	errx(1, "hx509_write_file: %d", ret);
+
+    der_free_octet_string(&o);
+
+    return 0;
+}
+
+static void
+print_certificate(hx509_context hxcontext, hx509_cert cert, int verbose)
+{
+    hx509_name name;
+    const char *fn;
+    char *str;
+    int ret;
+    
+    fn = hx509_cert_get_friendly_name(cert);
+    if (fn)
+	printf("    friendly name: %s\n", fn);
+    printf("    private key: %s\n", 
+	   _hx509_cert_private_key(cert) ? "yes" : "no");
+
+    ret = hx509_cert_get_issuer(cert, &name);
+    hx509_name_to_string(name, &str);
+    hx509_name_free(&name);
+    printf("    issuer:  \"%s\"\n", str);
+    free(str);
+
+    ret = hx509_cert_get_subject(cert, &name);
+    hx509_name_to_string(name, &str);
+    hx509_name_free(&name);
+    printf("    subject: \"%s\"\n", str);
+    free(str);
+
+    {
+	heim_integer serialNumber;
+
+	hx509_cert_get_serialnumber(cert, &serialNumber);
+	der_print_hex_heim_integer(&serialNumber, &str);
+	der_free_heim_integer(&serialNumber);
+	printf("    serial: %s\n", str);
+	free(str);
+    }
+
+    printf("    keyusage: ");
+    ret = hx509_cert_keyusage_print(hxcontext, cert, &str);
+    if (ret == 0) {
+	printf("%s\n", str);
+	free(str);
+    } else
+	printf("no");
+
+    if (verbose) {
+	hx509_validate_ctx vctx;
+
+	hx509_validate_ctx_init(hxcontext, &vctx);
+	hx509_validate_ctx_set_print(vctx, hx509_print_stdout, stdout);
+	hx509_validate_ctx_add_flags(vctx, HX509_VALIDATE_F_VALIDATE);
+	hx509_validate_ctx_add_flags(vctx, HX509_VALIDATE_F_VERBOSE);
+	
+	hx509_validate_cert(hxcontext, vctx, cert);
+
+	hx509_validate_ctx_free(vctx);
+    }
+}
+
+
+struct print_s {
+    int counter;
+    int verbose;
+};
+
+static int
+print_f(hx509_context hxcontext, void *ctx, hx509_cert cert)
+{
+    struct print_s *s = ctx;
+    
+    printf("cert: %d\n", s->counter++);
+    print_certificate(context, cert, s->verbose);
+
+    return 0;
+}
+
+int
+pcert_print(struct print_options *opt, int argc, char **argv)
+{
+    hx509_certs certs;
+    hx509_lock lock;
+    struct print_s s;
+
+    s.counter = 0;
+    s.verbose = opt->content_flag;
+
+    hx509_lock_init(context, &lock);
+    lock_strings(lock, &opt->pass_strings);
+
+    while(argc--) {
+	int ret;
+	ret = hx509_certs_init(context, argv[0], 0, lock, &certs);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_certs_init");
+	if (opt->info_flag)
+	    hx509_certs_info(context, certs, NULL, NULL);
+	hx509_certs_iter(context, certs, print_f, &s);
+	hx509_certs_free(&certs);
+	argv++;
+    }
+
+    hx509_lock_free(lock);
+
+    return 0;
+}
+
+
+static int
+validate_f(hx509_context hxcontext, void *ctx, hx509_cert c)
+{
+    hx509_validate_cert(hxcontext, ctx, c);
+    return 0;
+}
+
+int
+pcert_validate(struct validate_options *opt, int argc, char **argv)
+{
+    hx509_validate_ctx ctx;
+    hx509_certs certs;
+    hx509_lock lock;
+
+    hx509_lock_init(context, &lock);
+    lock_strings(lock, &opt->pass_strings);
+
+    hx509_validate_ctx_init(context, &ctx);
+    hx509_validate_ctx_set_print(ctx, hx509_print_stdout, stdout);
+    hx509_validate_ctx_add_flags(ctx, HX509_VALIDATE_F_VALIDATE);
+
+    while(argc--) {
+	int ret;
+	ret = hx509_certs_init(context, argv[0], 0, lock, &certs);
+	if (ret)
+	    errx(1, "hx509_certs_init: %d", ret);
+	hx509_certs_iter(context, certs, validate_f, ctx);
+	hx509_certs_free(&certs);
+	argv++;
+    }
+    hx509_validate_ctx_free(ctx);
+
+    hx509_lock_free(lock);
+
+    return 0;
+}
+
+int
+certificate_copy(struct certificate_copy_options *opt, int argc, char **argv)
+{
+    hx509_certs certs;
+    hx509_lock lock;
+    int ret;
+
+    hx509_lock_init(context, &lock);
+    lock_strings(lock, &opt->in_pass_strings);
+
+    ret = hx509_certs_init(context, argv[argc - 1], 
+			   HX509_CERTS_CREATE, lock, &certs);
+    if (ret)
+	hx509_err(context, 1, ret, "hx509_certs_init");
+
+    while(argc-- > 1) {
+	int ret;
+	ret = hx509_certs_append(context, certs, lock, argv[0]);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_certs_append");
+	argv++;
+    }
+
+    ret = hx509_certs_store(context, certs, 0, NULL);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_certs_store");
+
+    hx509_certs_free(&certs);
+    hx509_lock_free(lock);
+
+    return 0;
+}
+
+struct verify {
+    hx509_verify_ctx ctx;
+    hx509_certs chain;
+    const char *hostname;
+    int errors;
+};
+
+static int
+verify_f(hx509_context hxcontext, void *ctx, hx509_cert c)
+{
+    struct verify *v = ctx;
+    int ret;
+
+    ret = hx509_verify_path(hxcontext, v->ctx, c, v->chain);
+    if (ret) {
+	char *s = hx509_get_error_string(hxcontext, ret);
+	printf("verify_path: %s: %d\n", s, ret);
+	hx509_free_error_string(s);
+	v->errors++;
+    } else
+	printf("path ok\n");
+
+    if (v->hostname) {
+	ret = hx509_verify_hostname(hxcontext, c, 0, HX509_HN_HOSTNAME,
+				    v->hostname, NULL, 0);
+	if (ret) {
+	    printf("verify_hostname: %d\n", ret);
+	    v->errors++;
+	}
+    }
+
+    return 0;
+}
+
+int
+pcert_verify(struct verify_options *opt, int argc, char **argv)
+{
+    hx509_certs anchors, chain, certs;
+    hx509_revoke_ctx revoke_ctx;
+    hx509_verify_ctx ctx;
+    struct verify v;
+    int ret;
+
+    memset(&v, 0, sizeof(v));
+
+    if (opt->missing_revoke_flag)
+	hx509_context_set_missing_revoke(context, 1);
+
+    ret = hx509_verify_init_ctx(context, &ctx);
+    ret = hx509_certs_init(context, "MEMORY:anchors", 0, NULL, &anchors);
+    ret = hx509_certs_init(context, "MEMORY:chain", 0, NULL, &chain);
+    ret = hx509_certs_init(context, "MEMORY:certs", 0, NULL, &certs);
+
+    if (opt->allow_proxy_certificate_flag)
+	hx509_verify_set_proxy_certificate(ctx, 1);
+
+    if (opt->time_string) {
+	const char *p;
+	struct tm tm;
+	time_t t;
+
+	memset(&tm, 0, sizeof(tm));
+
+	p = strptime (opt->time_string, "%Y-%m-%d", &tm);
+	if (p == NULL)
+	    errx(1, "Failed to parse time %s, need to be on format %%Y-%%m-%%d",
+		 opt->time_string);
+	
+	t = tm2time (tm, 0);
+
+	hx509_verify_set_time(ctx, t);
+    }
+
+    if (opt->hostname_string)
+	v.hostname = opt->hostname_string;
+    if (opt->max_depth_integer)
+	hx509_verify_set_max_depth(ctx, opt->max_depth_integer);
+
+    ret = hx509_revoke_init(context, &revoke_ctx);
+    if (ret)
+	errx(1, "hx509_revoke_init: %d", ret);
+
+    while(argc--) {
+	char *s = *argv++;
+
+	if (strncmp(s, "chain:", 6) == 0) {
+	    s += 6;
+
+	    ret = hx509_certs_append(context, chain, NULL, s);
+	    if (ret)
+		hx509_err(context, 1, ret, "hx509_certs_append: chain: %s: %d", s, ret);
+
+	} else if (strncmp(s, "anchor:", 7) == 0) {
+	    s += 7;
+
+	    ret = hx509_certs_append(context, anchors, NULL, s);
+	    if (ret)
+		hx509_err(context, 1, ret, "hx509_certs_append: anchor: %s: %d", s, ret);
+
+	} else if (strncmp(s, "cert:", 5) == 0) {
+	    s += 5;
+
+	    ret = hx509_certs_append(context, certs, NULL, s);
+	    if (ret)
+		hx509_err(context, 1, ret, "hx509_certs_append: certs: %s: %d", 
+			  s, ret);
+
+	} else if (strncmp(s, "crl:", 4) == 0) {
+	    s += 4;
+
+	    ret = hx509_revoke_add_crl(context, revoke_ctx, s);
+	    if (ret)
+		errx(1, "hx509_revoke_add_crl: %s: %d", s, ret);
+
+	} else if (strncmp(s, "ocsp:", 4) == 0) {
+	    s += 5;
+
+	    ret = hx509_revoke_add_ocsp(context, revoke_ctx, s);
+	    if (ret)
+		errx(1, "hx509_revoke_add_ocsp: %s: %d", s, ret);
+
+	} else {
+	    errx(1, "unknown option to verify: `%s'\n", s);
+	}
+    }
+
+    hx509_verify_attach_anchors(ctx, anchors);
+    hx509_verify_attach_revoke(ctx, revoke_ctx);
+
+    v.ctx = ctx;
+    v.chain = chain;
+
+    hx509_certs_iter(context, certs, verify_f, &v);
+
+    hx509_verify_destroy_ctx(ctx);
+
+    hx509_certs_free(&certs);
+    hx509_certs_free(&chain);
+    hx509_certs_free(&anchors);
+
+    hx509_revoke_free(&revoke_ctx);
+
+    if (v.errors) {
+	printf("failed verifing %d checks\n", v.errors);
+	return 1;
+    }
+
+    return 0;
+}
+
+int
+query(struct query_options *opt, int argc, char **argv)
+{
+    hx509_lock lock;
+    hx509_query *q;
+    hx509_certs certs;
+    hx509_cert c;
+    int ret;
+
+    ret = hx509_query_alloc(context, &q);
+    if (ret)
+	errx(1, "hx509_query_alloc: %d", ret);
+
+    hx509_lock_init(context, &lock);
+    lock_strings(lock, &opt->pass_strings);
+
+    ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &certs);
+
+    while (argc > 0) {
+
+	ret = hx509_certs_append(context, certs, lock, argv[0]);
+	if (ret)
+	    errx(1, "hx509_certs_append: %s: %d", argv[0], ret);
+
+	argc--;
+	argv++;
+    }
+
+    if (opt->friendlyname_string)
+	hx509_query_match_friendly_name(q, opt->friendlyname_string);
+
+    if (opt->private_key_flag)
+	hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
+
+    if (opt->keyEncipherment_flag)
+	hx509_query_match_option(q, HX509_QUERY_OPTION_KU_ENCIPHERMENT);
+
+    if (opt->digitalSignature_flag)
+	hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+
+    ret = hx509_certs_find(context, certs, q, &c);
+    hx509_query_free(context, q);
+    if (ret)
+	printf("no match found (%d)\n", ret);
+    else {
+	printf("match found\n");
+	if (opt->print_flag)
+	    print_certificate(context, c, 0);
+    }
+
+    hx509_cert_free(c);
+    hx509_certs_free(&certs);
+
+    hx509_lock_free(lock);
+
+    return ret;
+}
+
+int
+ocsp_fetch(struct ocsp_fetch_options *opt, int argc, char **argv)
+{
+    hx509_certs reqcerts, pool;
+    heim_octet_string req, nonce_data, *nonce = &nonce_data;
+    hx509_lock lock;
+    int i, ret;
+    char *file;
+    const char *url = "/";
+
+    memset(&nonce, 0, sizeof(nonce));
+
+    hx509_lock_init(context, &lock);
+    lock_strings(lock, &opt->pass_strings);
+
+    /* no nonce */
+    if (!opt->nonce_flag)
+	nonce = NULL;
+
+    if (opt->url_path_string)
+	url = opt->url_path_string;
+
+    ret = hx509_certs_init(context, "MEMORY:ocsp-pool", 0, NULL, &pool);
+
+    certs_strings(context, "ocsp-pool", pool, lock, &opt->pool_strings);
+
+    file = argv[0];
+
+    ret = hx509_certs_init(context, "MEMORY:ocsp-req", 0, NULL, &reqcerts);
+
+    for (i = 1; i < argc; i++) {
+	ret = hx509_certs_append(context, reqcerts, lock, argv[i]);
+	if (ret)
+	    errx(1, "hx509_certs_append: req: %s: %d", argv[i], ret);
+    }
+
+    ret = hx509_ocsp_request(context, reqcerts, pool, NULL, NULL, &req, nonce);
+    if (ret)
+	errx(1, "hx509_ocsp_request: req: %d", ret);
+	
+    {
+	FILE *f;
+
+	f = fopen(file, "w");
+	if (f == NULL)
+	    abort();
+
+	fprintf(f, 
+		"POST %s HTTP/1.0\r\n"
+		"Content-Type: application/ocsp-request\r\n"
+		"Content-Length: %ld\r\n"
+		"\r\n",
+		url,
+		(unsigned long)req.length);
+	fwrite(req.data, req.length, 1, f);
+	fclose(f);
+    }
+
+    if (nonce)
+	der_free_octet_string(nonce);
+
+    hx509_certs_free(&reqcerts);
+    hx509_certs_free(&pool);
+
+    return 0;
+}
+
+int
+ocsp_print(struct ocsp_print_options *opt, int argc, char **argv)
+{
+    hx509_revoke_ocsp_print(context, argv[0], stdout);
+    return 0;
+}
+
+/*
+ *
+ */
+
+static int
+verify_o(hx509_context hxcontext, void *ctx, hx509_cert c)
+{
+    heim_octet_string *os = ctx;
+    time_t expiration;
+    int ret;
+
+    ret = hx509_ocsp_verify(context, 0, c, 0, 
+			    os->data, os->length, &expiration);
+    if (ret) {
+	char *s = hx509_get_error_string(hxcontext, ret);
+	printf("ocsp_verify: %s: %d\n", s, ret);
+	hx509_free_error_string(s);
+    } else
+	printf("expire: %d\n", (int)expiration);
+
+    return ret;
+}
+
+
+int
+ocsp_verify(struct ocsp_verify_options *opt, int argc, char **argv)
+{
+    hx509_lock lock;
+    hx509_certs certs;
+    int ret, i;
+    heim_octet_string os;
+    
+    hx509_lock_init(context, &lock);
+
+    if (opt->ocsp_file_string == NULL)
+	errx(1, "no ocsp file given");
+
+    ret = _hx509_map_file(opt->ocsp_file_string, &os.data, &os.length, NULL);
+    if (ret)
+	err(1, "map_file: %s: %d", argv[0], ret);
+    
+    ret = hx509_certs_init(context, "MEMORY:test-certs", 0, NULL, &certs);
+
+    for (i = 0; i < argc; i++) {
+	ret = hx509_certs_append(context, certs, lock, argv[i]);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_certs_append: %s", argv[i]);
+    }
+
+    ret = hx509_certs_iter(context, certs, verify_o, &os);
+
+    hx509_certs_free(&certs);
+    _hx509_unmap_file(os.data, os.length);
+    hx509_lock_free(lock);
+
+    return ret;
+}
+
+static int
+read_private_key(const char *fn, hx509_private_key *key)
+{
+    hx509_private_key *keys;
+    hx509_certs certs;
+    int ret;
+    
+    *key = NULL;
+
+    ret = hx509_certs_init(context, fn, 0, NULL, &certs);
+    if (ret)
+	hx509_err(context, 1, ret, "hx509_certs_init: %s", fn);
+
+    ret = _hx509_certs_keys_get(context, certs, &keys);
+    hx509_certs_free(&certs);
+    if (ret)
+	hx509_err(context, 1, ret, "hx509_certs_keys_get");
+    if (keys[0] == NULL)
+	errx(1, "no keys in key store: %s", fn);
+
+    *key = _hx509_private_key_ref(keys[0]);
+    _hx509_certs_keys_free(context, keys);
+
+    return 0;
+}
+
+static void
+get_key(const char *fn, const char *type, int optbits,
+	hx509_private_key *signer)
+{
+    int ret;
+
+    if (type) {
+	BIGNUM *e;
+	RSA *rsa;
+	unsigned char *p0, *p;
+	size_t len;
+	int bits = 1024;
+
+	if (fn == NULL)
+	    errx(1, "no key argument, don't know here to store key");
+	
+	if (strcasecmp(type, "rsa") != 0)
+	    errx(1, "can only handle rsa keys for now");
+	    
+	e = BN_new();
+	BN_set_word(e, 0x10001);
+
+	if (optbits)
+	    bits = optbits;
+
+	rsa = RSA_new();
+	if(rsa == NULL)
+	    errx(1, "RSA_new failed");
+
+	ret = RSA_generate_key_ex(rsa, bits, e, NULL);
+	if(ret != 1)
+	    errx(1, "RSA_new failed");
+
+	BN_free(e);
+
+	len = i2d_RSAPrivateKey(rsa, NULL);
+
+	p0 = p = malloc(len);
+	if (p == NULL)
+	    errx(1, "out of memory");
+	
+	i2d_RSAPrivateKey(rsa, &p);
+
+	rk_dumpdata(fn, p0, len);
+	memset(p0, 0, len);
+	free(p0);
+	
+	RSA_free(rsa);
+
+    } else if (fn == NULL)
+	err(1, "no private key");
+
+    ret = read_private_key(fn, signer);
+    if (ret)
+	err(1, "read_private_key");
+}
+
+int
+request_create(struct request_create_options *opt, int argc, char **argv)
+{
+    heim_octet_string request;
+    hx509_request req;
+    int ret, i;
+    hx509_private_key signer;
+    SubjectPublicKeyInfo key;
+    const char *outfile = argv[0];
+
+    memset(&key, 0, sizeof(key));
+
+    get_key(opt->key_string, 
+	    opt->generate_key_string,
+	    opt->key_bits_integer,
+	    &signer);
+    
+    _hx509_request_init(context, &req);
+
+    if (opt->subject_string) {
+	hx509_name name = NULL;
+
+	ret = hx509_parse_name(context, opt->subject_string, &name);
+	if (ret)
+	    errx(1, "hx509_parse_name: %d\n", ret);
+	_hx509_request_set_name(context, req, name);
+
+	if (opt->verbose_flag) {
+	    char *s;
+	    hx509_name_to_string(name, &s);
+	    printf("%s\n", s);
+	}
+	hx509_name_free(&name);
+    }
+
+    for (i = 0; i < opt->email_strings.num_strings; i++) {
+	ret = _hx509_request_add_email(context, req, 
+				       opt->email_strings.strings[i]);
+    }
+
+    for (i = 0; i < opt->dnsname_strings.num_strings; i++) {
+	ret = _hx509_request_add_dns_name(context, req, 
+					  opt->dnsname_strings.strings[i]);
+    }
+
+
+    ret = _hx509_private_key2SPKI(context, signer, &key);
+    if (ret)
+	errx(1, "_hx509_private_key2SPKI: %d\n", ret);
+
+    ret = _hx509_request_set_SubjectPublicKeyInfo(context,
+						  req,
+						  &key);
+    free_SubjectPublicKeyInfo(&key);
+    if (ret)
+	hx509_err(context, 1, ret, "_hx509_request_set_SubjectPublicKeyInfo");
+
+    ret = _hx509_request_to_pkcs10(context,
+				   req,
+				   signer,
+				   &request);
+    if (ret)
+	hx509_err(context, 1, ret, "_hx509_request_to_pkcs10");
+
+    _hx509_private_key_free(&signer);
+    _hx509_request_free(&req);
+
+    if (ret == 0)
+	rk_dumpdata(outfile, request.data, request.length);
+    der_free_octet_string(&request);
+
+    return 0;
+}
+
+int
+request_print(struct request_print_options *opt, int argc, char **argv)
+{
+    int ret, i;
+
+    printf("request print\n");
+
+    for (i = 0; i < argc; i++) {
+	hx509_request req;
+
+	ret = _hx509_request_parse(context, argv[i], &req);
+	if (ret)
+	    hx509_err(context, 1, ret, "parse_request: %s", argv[i]);
+
+	ret = _hx509_request_print(context, req, stdout);
+	_hx509_request_free(&req);
+	if (ret)
+	    hx509_err(context, 1, ret, "Failed to print file %s", argv[i]);
+    }
+
+    return 0;
+}
+
+int
+info(void *opt, int argc, char **argv)
+{
+
+    ENGINE_add_conf_module();
+
+    {
+	const RSA_METHOD *m = RSA_get_default_method();
+	if (m != NULL)
+	    printf("rsa: %s\n", m->name);
+    }
+    {
+	const DH_METHOD *m = DH_get_default_method();
+	if (m != NULL)
+	    printf("dh: %s\n", m->name);
+    }
+    {
+	int ret = RAND_status();
+	printf("rand: %s\n", ret == 1 ? "ok" : "not available");
+    }
+
+    return 0;
+}
+
+int
+random_data(void *opt, int argc, char **argv)
+{
+    void *ptr;
+    int len, ret;
+
+    len = parse_bytes(argv[0], "byte");
+    if (len <= 0) {
+	fprintf(stderr, "bad argument to random-data\n");
+	return 1;
+    }
+
+    ptr = malloc(len);
+    if (ptr == NULL) {
+	fprintf(stderr, "out of memory\n");
+	return 1;
+    }
+
+    ret = RAND_bytes(ptr, len);
+    if (ret != 1) {
+	free(ptr);
+	fprintf(stderr, "did not get cryptographic strong random\n");
+	return 1;
+    }
+
+    fwrite(ptr, len, 1, stdout);
+    fflush(stdout);
+
+    free(ptr);
+
+    return 0;
+}
+
+int
+crypto_available(struct crypto_available_options *opt, int argc, char **argv)
+{
+    AlgorithmIdentifier *val;
+    unsigned int len, i;
+    int ret, type;
+
+    if (opt->type_string) {
+	if (strcmp(opt->type_string, "all") == 0)
+	    type = HX509_SELECT_ALL;
+	else if (strcmp(opt->type_string, "digest") == 0)
+	    type = HX509_SELECT_DIGEST;
+	else if (strcmp(opt->type_string, "public-sig") == 0)
+	    type = HX509_SELECT_PUBLIC_SIG;
+	else if (strcmp(opt->type_string, "secret") == 0)
+	    type = HX509_SELECT_SECRET_ENC;
+	else
+	    errx(1, "unknown type: %s", opt->type_string);
+    } else
+	type = HX509_SELECT_ALL;
+
+    ret = hx509_crypto_available(context, type, NULL, &val, &len);
+    if (ret)
+	errx(1, "hx509_crypto_available");
+
+    for (i = 0; i < len; i++) {
+	char *s;
+	der_print_heim_oid (&val[i].algorithm, '.', &s);
+	printf("%s\n", s);
+	free(s);
+    }
+
+    hx509_crypto_free_algs(val, len);
+
+    return 0;
+}
+
+int
+crypto_select(struct crypto_select_options *opt, int argc, char **argv)
+{
+    hx509_peer_info peer = NULL;
+    AlgorithmIdentifier selected;
+    int ret, type;
+    char *s;
+
+    if (opt->type_string) {
+	if (strcmp(opt->type_string, "digest") == 0)
+	    type = HX509_SELECT_DIGEST;
+	else if (strcmp(opt->type_string, "public-sig") == 0)
+	    type = HX509_SELECT_PUBLIC_SIG;
+	else if (strcmp(opt->type_string, "secret") == 0)
+	    type = HX509_SELECT_SECRET_ENC;
+	else
+	    errx(1, "unknown type: %s", opt->type_string);
+    } else
+	type = HX509_SELECT_DIGEST;
+
+    if (opt->peer_cmstype_strings.num_strings)
+	peer_strings(context, &peer, &opt->peer_cmstype_strings);
+
+    ret = hx509_crypto_select(context, type, NULL, peer, &selected);
+    if (ret)
+	errx(1, "hx509_crypto_available");
+
+    der_print_heim_oid (&selected.algorithm, '.', &s);
+    printf("%s\n", s);
+    free(s);
+    free_AlgorithmIdentifier(&selected);
+
+    hx509_peer_info_free(peer);
+
+    return 0;
+}
+
+int
+hxtool_hex(struct hex_options *opt, int argc, char **argv)
+{
+
+    if (opt->decode_flag) {
+	char buf[1024], buf2[1024], *p;
+	ssize_t len;
+
+	while(fgets(buf, sizeof(buf), stdin) != NULL) {
+	    buf[strcspn(buf, "\r\n")] = '\0';
+	    p = buf;
+	    while(isspace(*(unsigned char *)p))
+		p++;
+	    len = hex_decode(p, buf2, strlen(p));
+	    if (len < 0)
+		errx(1, "hex_decode failed");
+	    if (fwrite(buf2, 1, len, stdout) != len)
+		errx(1, "fwrite failed");
+	}
+    } else {
+	char buf[28], *p;
+	size_t len;
+
+	while((len = fread(buf, 1, sizeof(buf), stdin)) != 0) {
+	    len = hex_encode(buf, len, &p);
+	    fprintf(stdout, "%s\n", p);
+	    free(p);
+	}
+    }
+    return 0;
+}
+
+static int
+eval_types(hx509_context context, 
+	   hx509_ca_tbs tbs,
+	   const struct certificate_sign_options *opt)
+{
+    int pkinit = 0;
+    int i, ret;
+
+    for (i = 0; i < opt->type_strings.num_strings; i++) {
+	const char *type = opt->type_strings.strings[i];
+	
+	if (strcmp(type, "https-server") == 0) {
+	    ret = hx509_ca_tbs_add_eku(context, tbs, 
+				       oid_id_pkix_kp_serverAuth());
+	    if (ret)
+		hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku");
+	} else if (strcmp(type, "https-client") == 0) {
+	    ret = hx509_ca_tbs_add_eku(context, tbs, 
+				       oid_id_pkix_kp_clientAuth());
+	    if (ret)
+		hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku");
+	} else if (strcmp(type, "peap-server") == 0) {
+	    ret = hx509_ca_tbs_add_eku(context, tbs, 
+				       oid_id_pkix_kp_serverAuth());
+	    if (ret)
+		hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku");
+	} else if (strcmp(type, "pkinit-kdc") == 0) {
+	    pkinit++;
+	    ret = hx509_ca_tbs_add_eku(context, tbs, 
+				       oid_id_pkkdcekuoid());
+	    if (ret)
+		hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku");
+	} else if (strcmp(type, "pkinit-client") == 0) {
+	    pkinit++;
+	    ret = hx509_ca_tbs_add_eku(context, tbs, 
+				       oid_id_pkekuoid());
+	    if (ret)
+		hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku");
+
+	    ret = hx509_ca_tbs_add_eku(context, tbs, 
+				       oid_id_ms_client_authentication());
+	    if (ret)
+		hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku");
+
+	    ret = hx509_ca_tbs_add_eku(context, tbs, 
+				       oid_id_pkinit_ms_eku());
+	    if (ret)
+		hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku");
+
+	} else if (strcmp(type, "email") == 0) {
+	    ret = hx509_ca_tbs_add_eku(context, tbs, 
+				       oid_id_pkix_kp_emailProtection());
+	    if (ret)
+		hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku");
+	} else
+	    errx(1, "unknown type %s", type);
+    }
+
+    if (pkinit > 1)
+	errx(1, "More the one PK-INIT type given");
+
+    if (opt->pk_init_principal_string) {
+	if (!pkinit)
+	    errx(1, "pk-init principal given but no pk-init oid");
+
+	ret = hx509_ca_tbs_add_san_pkinit(context, tbs,
+					  opt->pk_init_principal_string);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_pkinit");
+    }
+
+    if (opt->ms_upn_string) {
+	if (!pkinit)
+	    errx(1, "MS up given but no pk-init oid");
+
+	ret = hx509_ca_tbs_add_san_ms_upn(context, tbs, opt->ms_upn_string);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_ms_upn");
+    }
+
+    
+    for (i = 0; i < opt->hostname_strings.num_strings; i++) {
+	const char *hostname = opt->hostname_strings.strings[i];
+
+	ret = hx509_ca_tbs_add_san_hostname(context, tbs, hostname);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_hostname");
+    }
+
+    for (i = 0; i < opt->email_strings.num_strings; i++) {
+	const char *email = opt->email_strings.strings[i];
+
+	ret = hx509_ca_tbs_add_san_rfc822name(context, tbs, email);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_hostname");
+	
+	ret = hx509_ca_tbs_add_eku(context, tbs, 
+				   oid_id_pkix_kp_emailProtection());
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku");
+    }
+
+    if (opt->jid_string) {
+	ret = hx509_ca_tbs_add_san_jid(context, tbs, opt->jid_string);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_jid");
+    }
+
+    return 0;
+}
+
+int
+hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
+{
+    int ret;
+    hx509_ca_tbs tbs;
+    hx509_cert signer = NULL, cert = NULL;
+    hx509_private_key private_key = NULL;
+    hx509_private_key cert_key = NULL;
+    hx509_name subject = NULL;
+    SubjectPublicKeyInfo spki;
+    int delta = 0;
+
+    memset(&spki, 0, sizeof(spki));
+
+    if (opt->ca_certificate_string == NULL && !opt->self_signed_flag)
+	errx(1, "--ca-certificate argument missing (not using --self-signed)");
+    if (opt->ca_private_key_string == NULL && opt->generate_key_string == NULL && opt->self_signed_flag)
+	errx(1, "--ca-private-key argument missing (using --self-signed)");
+    if (opt->certificate_string == NULL)
+	errx(1, "--certificate argument missing");
+
+    if (opt->template_certificate_string) {
+	if (opt->template_fields_string == NULL)
+	    errx(1, "--template-certificate not no --template-fields");
+    }
+
+    if (opt->lifetime_string) {
+	delta = parse_time(opt->lifetime_string, "day");
+	if (delta < 0)
+	    errx(1, "Invalid lifetime: %s", opt->lifetime_string);
+    }
+
+    if (opt->ca_certificate_string) {
+	hx509_certs cacerts = NULL;
+	hx509_query *q;
+
+	ret = hx509_certs_init(context, opt->ca_certificate_string, 0,
+			       NULL, &cacerts);
+	if (ret)
+	    hx509_err(context, 1, ret,
+		      "hx509_certs_init: %s", opt->ca_certificate_string);
+
+	ret = hx509_query_alloc(context, &q);
+	if (ret)
+	    errx(1, "hx509_query_alloc: %d", ret);
+
+	hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
+	if (!opt->issue_proxy_flag)
+	    hx509_query_match_option(q, HX509_QUERY_OPTION_KU_KEYCERTSIGN);
+
+	ret = hx509_certs_find(context, cacerts, q, &signer);
+	hx509_query_free(context, q);
+	hx509_certs_free(&cacerts);
+	if (ret)
+	    hx509_err(context, 1, ret, "no CA certificate found");
+    } else if (opt->self_signed_flag) {
+	if (opt->generate_key_string == NULL
+	    && opt->ca_private_key_string == NULL)
+	    errx(1, "no signing private key");
+    } else
+	errx(1, "missing ca key");
+
+    if (opt->ca_private_key_string) {
+
+	ret = read_private_key(opt->ca_private_key_string, &private_key);
+	if (ret)
+	    err(1, "read_private_key");
+
+	ret = _hx509_private_key2SPKI(context, private_key, &spki);
+	if (ret)
+	    errx(1, "_hx509_private_key2SPKI: %d\n", ret);
+
+	if (opt->self_signed_flag)
+	    cert_key = private_key;
+    }
+
+    if (opt->req_string) {
+	hx509_request req;
+
+	ret = _hx509_request_parse(context, opt->req_string, &req);
+	if (ret)
+	    hx509_err(context, 1, ret, "parse_request: %s", opt->req_string);
+	ret = _hx509_request_get_name(context, req, &subject);
+	if (ret)
+	    hx509_err(context, 1, ret, "get name");
+	ret = _hx509_request_get_SubjectPublicKeyInfo(context, req, &spki);
+	if (ret)
+	    hx509_err(context, 1, ret, "get spki");
+	_hx509_request_free(&req);
+    }
+
+    if (opt->generate_key_string) {
+	struct hx509_generate_private_context *keyctx;
+
+	ret = _hx509_generate_private_key_init(context, 
+					       oid_id_pkcs1_rsaEncryption(),
+					       &keyctx);
+
+	if (opt->issue_ca_flag)
+	    _hx509_generate_private_key_is_ca(context, keyctx);
+
+	if (opt->key_bits_integer)
+	    _hx509_generate_private_key_bits(context, keyctx,
+					     opt->key_bits_integer);
+
+	ret = _hx509_generate_private_key(context, keyctx,
+					  &cert_key);
+	_hx509_generate_private_key_free(&keyctx);
+	if (ret)
+	    hx509_err(context, 1, ret, "generate private key");
+	
+	ret = _hx509_private_key2SPKI(context, cert_key, &spki);
+	if (ret)
+	    errx(1, "_hx509_private_key2SPKI: %d\n", ret);
+
+	if (opt->self_signed_flag)
+	    private_key = cert_key;
+    }
+
+    if (opt->certificate_private_key_string) {
+	ret = read_private_key(opt->certificate_private_key_string, &cert_key);
+	if (ret)
+	    err(1, "read_private_key for certificate");
+    }
+
+    if (opt->subject_string) {
+	if (subject)
+	    hx509_name_free(&subject);
+	ret = hx509_parse_name(context, opt->subject_string, &subject);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_parse_name");
+    }
+
+    /*
+     *
+     */
+
+    ret = hx509_ca_tbs_init(context, &tbs);
+    if (ret)
+	hx509_err(context, 1, ret, "hx509_ca_tbs_init");
+	
+    if (opt->template_certificate_string) {
+	hx509_cert template;
+	hx509_certs tcerts;
+	int flags;
+
+	ret = hx509_certs_init(context, opt->template_certificate_string, 0,
+			       NULL, &tcerts);
+	if (ret)
+	    hx509_err(context, 1, ret,
+		      "hx509_certs_init: %s", opt->template_certificate_string);
+
+	ret = hx509_get_one_cert(context, tcerts, &template);
+
+	hx509_certs_free(&tcerts);
+	if (ret)
+	    hx509_err(context, 1, ret, "no template certificate found");
+
+	flags = parse_units(opt->template_fields_string, 
+			    hx509_ca_tbs_template_units(), "");
+
+	ret = hx509_ca_tbs_set_template(context, tbs, flags, template);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_ca_tbs_set_template");
+
+	hx509_cert_free(template);
+    }
+
+    if (opt->serial_number_string) {
+	heim_integer serialNumber;
+
+	ret = der_parse_hex_heim_integer(opt->serial_number_string,
+					 &serialNumber);
+	if (ret)
+	    err(1, "der_parse_hex_heim_integer");
+	ret = hx509_ca_tbs_set_serialnumber(context, tbs, &serialNumber);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_ca_tbs_init");
+	der_free_heim_integer(&serialNumber);
+    }
+
+    if (spki.subjectPublicKey.length) {
+	ret = hx509_ca_tbs_set_spki(context, tbs, &spki);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_ca_tbs_set_spki");
+    }
+
+    if (subject) {
+	ret = hx509_ca_tbs_set_subject(context, tbs, subject);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_ca_tbs_set_subject");
+    }
+
+    if (opt->crl_uri_string) {
+	ret = hx509_ca_tbs_add_crl_dp_uri(context, tbs, 
+					  opt->crl_uri_string, NULL);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_ca_tbs_add_crl_dp_uri");
+    }
+
+    eval_types(context, tbs, opt);
+
+    if (opt->issue_ca_flag) {
+	ret = hx509_ca_tbs_set_ca(context, tbs, opt->path_length_integer);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_ca_tbs_set_ca");
+    }
+    if (opt->issue_proxy_flag) {
+	ret = hx509_ca_tbs_set_proxy(context, tbs, opt->path_length_integer);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_ca_tbs_set_proxy");
+    }
+    if (opt->domain_controller_flag) {
+	hx509_ca_tbs_set_domaincontroller(context, tbs);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_ca_tbs_set_domaincontroller");
+    }
+
+    if (delta) {
+	ret = hx509_ca_tbs_set_notAfter_lifetime(context, tbs, delta);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_ca_tbs_set_notAfter_lifetime");
+    }	
+
+    if (opt->self_signed_flag) {
+	ret = hx509_ca_sign_self(context, tbs, private_key, &cert);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_ca_sign_self");
+    } else {
+	ret = hx509_ca_sign(context, tbs, signer, &cert);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_ca_sign");
+    }
+
+    if (cert_key) {
+	ret = _hx509_cert_assign_key(cert, cert_key);
+	if (ret)
+	    hx509_err(context, 1, ret, "_hx509_cert_assign_key");
+    }	    
+
+    {
+	hx509_certs certs;
+
+	ret = hx509_certs_init(context, opt->certificate_string, 
+			       HX509_CERTS_CREATE, NULL, &certs);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_certs_init");
+
+	ret = hx509_certs_add(context, certs, cert);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_certs_add");
+
+	ret = hx509_certs_store(context, certs, 0, NULL);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_certs_store");
+
+	hx509_certs_free(&certs);
+    }
+
+    if (subject)
+	hx509_name_free(&subject);
+    if (signer)
+	hx509_cert_free(signer);
+    hx509_cert_free(cert);
+    free_SubjectPublicKeyInfo(&spki);
+
+    if (private_key != cert_key)
+	_hx509_private_key_free(&private_key);
+    _hx509_private_key_free(&cert_key);
+
+    hx509_ca_tbs_free(&tbs);
+
+    return 0;
+}
+
+static int
+test_one_cert(hx509_context hxcontext, void *ctx, hx509_cert cert)
+{
+    heim_octet_string sd, c;
+    hx509_verify_ctx vctx = ctx;
+    hx509_certs signer = NULL;
+    heim_oid type;
+    int ret;
+
+    if (_hx509_cert_private_key(cert) == NULL)
+	return 0;
+
+    ret = hx509_cms_create_signed_1(context, 0, NULL, NULL, 0,
+				    NULL, cert, NULL, NULL, NULL, &sd);
+    if (ret)
+	errx(1, "hx509_cms_create_signed_1");
+
+    ret = hx509_cms_verify_signed(context, vctx, sd.data, sd.length,
+				  NULL, NULL, &type, &c, &signer);
+    free(sd.data);
+    if (ret)
+	hx509_err(context, 1, ret, "hx509_cms_verify_signed");
+
+    printf("create-signature verify-sigature done\n");
+
+    free(c.data);
+
+    return 0;
+}
+
+int
+test_crypto(struct test_crypto_options *opt, int argc, char ** argv)
+{
+    hx509_verify_ctx vctx;
+    hx509_certs certs;
+    hx509_lock lock;
+    int i, ret;
+
+    hx509_lock_init(context, &lock);
+    lock_strings(lock, &opt->pass_strings);
+
+    ret = hx509_certs_init(context, "MEMORY:test-crypto", 0, NULL, &certs);
+
+    for (i = 0; i < argc; i++) {
+	ret = hx509_certs_append(context, certs, lock, argv[i]);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_certs_append");
+    }
+
+    ret = hx509_verify_init_ctx(context, &vctx);
+    if (ret)
+	hx509_err(context, 1, ret, "hx509_verify_init_ctx");
+
+    hx509_verify_attach_anchors(vctx, certs);
+
+    ret = hx509_certs_iter(context, certs, test_one_cert, vctx);
+
+    hx509_certs_free(&certs);
+
+    return 0;
+}
+
+int
+statistic_print(struct statistic_print_options*opt, int argc, char **argv)
+{
+    int type = 0;
+
+    if (stat_file_string == NULL)
+	errx(1, "no stat file");
+
+    if (opt->type_integer)
+	type = opt->type_integer;
+
+    hx509_query_unparse_stats(context, type, stdout);
+    return 0;
+}
+
+/*
+ *
+ */
+
+int
+crl_sign(struct crl_sign_options *opt, int argc, char **argv)
+{
+    hx509_crl crl;
+    heim_octet_string os;
+    hx509_cert signer = NULL;
+    hx509_lock lock;
+    int ret;
+
+    hx509_lock_init(context, &lock);
+    lock_strings(lock, &opt->pass_strings);
+
+    ret = hx509_crl_alloc(context, &crl);
+    if (ret)
+	errx(1, "crl alloc");
+
+    if (opt->signer_string == NULL)
+	errx(1, "signer missing");
+
+    {
+	hx509_certs certs = NULL;
+	hx509_query *q;
+
+	ret = hx509_certs_init(context, opt->signer_string, 0,
+			       NULL, &certs);
+	if (ret)
+	    hx509_err(context, 1, ret, 
+		      "hx509_certs_init: %s", opt->signer_string);
+
+	ret = hx509_query_alloc(context, &q);
+	if (ret)
+	    hx509_err(context, 1, ret, "hx509_query_alloc: %d", ret);
+
+	hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
+
+	ret = hx509_certs_find(context, certs, q, &signer);
+	hx509_query_free(context, q);
+	hx509_certs_free(&certs);
+	if (ret)
+	    hx509_err(context, 1, ret, "no signer certificate found");
+    }
+
+    if (opt->lifetime_string) {
+	int delta;
+
+	delta = parse_time(opt->lifetime_string, "day");
+	if (delta < 0)
+	    errx(1, "Invalid lifetime: %s", opt->lifetime_string);
+
+	hx509_crl_lifetime(context, crl, delta);
+    }
+
+    {
+	hx509_certs revoked = NULL;
+	int i;
+
+	ret = hx509_certs_init(context, "MEMORY:revoked-certs", 0,
+			       NULL, &revoked);
+
+	for (i = 0; i < argc; i++) {
+	    ret = hx509_certs_append(context, revoked, lock, argv[i]);
+	    if (ret)
+		hx509_err(context, 1, ret, "hx509_certs_append: %s", argv[i]);
+	}
+
+	hx509_crl_add_revoked_certs(context, crl, revoked);
+	hx509_certs_free(&revoked);
+    }
+
+    hx509_crl_sign(context, signer, crl, &os);
+
+    if (opt->crl_file_string)
+	rk_dumpdata(opt->crl_file_string, os.data, os.length);
+
+    free(os.data);
+
+    hx509_crl_free(context, &crl);
+    hx509_cert_free(signer);
+    hx509_lock_free(lock);
+
+    return 0;
+}
+
+/*
+ *
+ */
+
+int
+help(void *opt, int argc, char **argv)
+{
+    sl_slc_help(commands, argc, argv);
+    return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+    int ret, optidx = 0;
+
+    setprogname (argv[0]);
+
+    if(getarg(args, num_args, argc, argv, &optidx))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    argv += optidx;
+    argc -= optidx;
+
+    if (argc == 0)
+	usage(1);
+
+    ret = hx509_context_init(&context);
+    if (ret)
+	errx(1, "hx509_context_init failed with %d", ret);
+
+    if (stat_file_string)
+	hx509_query_statistic_file(context, stat_file_string);
+
+    ret = sl_command(commands, argc, argv);
+    if(ret == -1)
+	warnx ("unrecognized command: %s", argv[0]);
+
+    hx509_context_free(&context);
+
+    return ret;
+}
diff --git a/crypto/heimdal/lib/hx509/keyset.c b/crypto/heimdal/lib/hx509/keyset.c
new file mode 100644
index 0000000..2fcff7b
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/keyset.c
@@ -0,0 +1,677 @@
+/*
+ * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hx_locl.h"
+RCSID("$Id: keyset.c 22466 2008-01-16 14:26:35Z lha $");
+
+/**
+ * @page page_keyset Certificate store operations
+ *
+ * Type of certificates store:
+ * - MEMORY
+ *   In memory based format. Doesnt support storing.
+ * - FILE 
+ *   FILE supports raw DER certicates and PEM certicates. When PEM is
+ *   used the file can contain may certificates and match private
+ *   keys. Support storing the certificates. DER format only supports
+ *   on certificate and no private key.
+ * - PEM-FILE
+ *   Same as FILE, defaulting to PEM encoded certificates.
+ * - PEM-FILE
+ *   Same as FILE, defaulting to DER encoded certificates.
+ * - PKCS11
+ * - PKCS12
+ * - DIR
+ * - KEYCHAIN
+ *   Apple Mac OS X KeyChain backed keychain object.
+ *
+ * See the library functions here: @ref hx509_keyset
+ */
+
+struct hx509_certs_data {
+    int ref;
+    struct hx509_keyset_ops *ops;
+    void *ops_data;
+};
+
+static struct hx509_keyset_ops *
+_hx509_ks_type(hx509_context context, const char *type)
+{
+    int i;
+
+    for (i = 0; i < context->ks_num_ops; i++)
+	if (strcasecmp(type, context->ks_ops[i]->name) == 0)
+	    return context->ks_ops[i];
+
+    return NULL;
+}
+
+void
+_hx509_ks_register(hx509_context context, struct hx509_keyset_ops *ops)
+{
+    struct hx509_keyset_ops **val;
+
+    if (_hx509_ks_type(context, ops->name))
+	return;
+
+    val = realloc(context->ks_ops, 
+		  (context->ks_num_ops + 1) * sizeof(context->ks_ops[0]));
+    if (val == NULL)
+	return;
+    val[context->ks_num_ops] = ops;
+    context->ks_ops = val;
+    context->ks_num_ops++;
+}
+
+/**
+ * Open or creates a new hx509 certificate store.
+ *
+ * @param context A hx509 context
+ * @param name name of the store, format is TYPE:type-specific-string,
+ * if NULL is used the MEMORY store is used.
+ * @param flags list of flags:
+ * - HX509_CERTS_CREATE create a new keystore of the specific TYPE.
+ * - HX509_CERTS_UNPROTECT_ALL fails if any private key failed to be extracted.
+ * @param lock a lock that unlocks the certificates store, use NULL to
+ * select no password/certifictes/prompt lock (see @ref page_lock).
+ * @param certs return pointer, free with hx509_certs_free().
+ *
+ * @ingroup hx509_keyset
+ */
+
+int
+hx509_certs_init(hx509_context context,
+		 const char *name, int flags,
+		 hx509_lock lock, hx509_certs *certs)
+{
+    struct hx509_keyset_ops *ops;
+    const char *residue;
+    hx509_certs c;
+    char *type;
+    int ret;
+
+    *certs = NULL;
+
+    residue = strchr(name, ':');
+    if (residue) {
+	type = malloc(residue - name + 1);
+	if (type)
+	    strlcpy(type, name, residue - name + 1);
+	residue++;
+	if (residue[0] == '\0')
+	    residue = NULL;
+    } else {
+	type = strdup("MEMORY");
+	residue = name;
+    }
+    if (type == NULL) {
+	hx509_clear_error_string(context);
+	return ENOMEM;
+    }
+    
+    ops = _hx509_ks_type(context, type);
+    if (ops == NULL) {
+	hx509_set_error_string(context, 0, ENOENT, 
+			       "Keyset type %s is not supported", type);
+	free(type);
+	return ENOENT;
+    }
+    free(type);
+    c = calloc(1, sizeof(*c));
+    if (c == NULL) {
+	hx509_clear_error_string(context);
+	return ENOMEM;
+    }
+    c->ops = ops;
+    c->ref = 1;
+
+    ret = (*ops->init)(context, c, &c->ops_data, flags, residue, lock);
+    if (ret) {
+	free(c);
+	return ret;
+    }
+
+    *certs = c;
+    return 0;
+}
+
+/**
+ * Write the certificate store to stable storage.
+ *
+ * @param context A hx509 context.
+ * @param certs a certificate store to store.
+ * @param flags currently unused, use 0.
+ * @param lock a lock that unlocks the certificates store, use NULL to
+ * select no password/certifictes/prompt lock (see @ref page_lock).
+ *
+ * @return Returns an hx509 error code. HX509_UNSUPPORTED_OPERATION if
+ * the certificate store doesn't support the store operation.
+ *
+ * @ingroup hx509_keyset
+ */
+
+int
+hx509_certs_store(hx509_context context,
+		  hx509_certs certs,
+		  int flags,
+		  hx509_lock lock)
+{
+    if (certs->ops->store == NULL) {
+	hx509_set_error_string(context, 0, HX509_UNSUPPORTED_OPERATION,
+			       "keystore if type %s doesn't support "
+			       "store operation",
+			       certs->ops->name);
+	return HX509_UNSUPPORTED_OPERATION;
+    }
+
+    return (*certs->ops->store)(context, certs, certs->ops_data, flags, lock);
+}
+
+
+hx509_certs
+_hx509_certs_ref(hx509_certs certs)
+{
+    if (certs == NULL)
+	return NULL;
+    if (certs->ref <= 0)
+	_hx509_abort("certs refcount <= 0");
+    certs->ref++;
+    if (certs->ref == 0)
+	_hx509_abort("certs refcount == 0");
+    return certs;
+}
+
+/**
+ * Free a certificate store.
+ *
+ * @param certs certificate store to free.
+ *
+ * @ingroup hx509_keyset
+ */
+
+void
+hx509_certs_free(hx509_certs *certs)
+{
+    if (*certs) {
+	if ((*certs)->ref <= 0)
+	    _hx509_abort("refcount <= 0");
+	if (--(*certs)->ref > 0)
+	    return;
+
+	(*(*certs)->ops->free)(*certs, (*certs)->ops_data);
+	free(*certs);
+	*certs = NULL;
+    }
+}
+
+/**
+ * Start the integration
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to iterate over
+ * @param cursor cursor that will keep track of progress, free with
+ * hx509_certs_end_seq().
+ *
+ * @return Returns an hx509 error code. HX509_UNSUPPORTED_OPERATION is
+ * returned if the certificate store doesn't support the iteration
+ * operation.
+ *
+ * @ingroup hx509_keyset
+ */
+
+int
+hx509_certs_start_seq(hx509_context context,
+		      hx509_certs certs,
+		      hx509_cursor *cursor)
+{
+    int ret;
+
+    if (certs->ops->iter_start == NULL) {
+	hx509_set_error_string(context, 0, HX509_UNSUPPORTED_OPERATION, 
+			       "Keyset type %s doesn't support iteration", 
+			       certs->ops->name);
+	return HX509_UNSUPPORTED_OPERATION;
+    }
+
+    ret = (*certs->ops->iter_start)(context, certs, certs->ops_data, cursor);
+    if (ret)
+	return ret;
+
+    return 0;
+}
+
+/**
+ * Get next ceritificate from the certificate keystore pointed out by
+ * cursor.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to iterate over.
+ * @param cursor cursor that keeps track of progress.
+ * @param cert return certificate next in store, NULL if the store
+ * contains no more certificates. Free with hx509_cert_free().
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
+int
+hx509_certs_next_cert(hx509_context context,
+		      hx509_certs certs,
+		      hx509_cursor cursor,
+		      hx509_cert *cert)
+{
+    *cert = NULL;
+    return (*certs->ops->iter)(context, certs, certs->ops_data, cursor, cert);
+}
+
+/**
+ * End the iteration over certificates.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to iterate over.
+ * @param cursor cursor that will keep track of progress, freed.
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
+int
+hx509_certs_end_seq(hx509_context context,
+		    hx509_certs certs,
+		    hx509_cursor cursor)
+{
+    (*certs->ops->iter_end)(context, certs, certs->ops_data, cursor);
+    return 0;
+}
+
+/**
+ * Iterate over all certificates in a keystore and call an function
+ * for each fo them.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to iterate over.
+ * @param func function to call for each certificate. The function
+ * should return non-zero to abort the iteration, that value is passed
+ * back to te caller of hx509_certs_iter().
+ * @param ctx context variable that will passed to the function.
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
+int
+hx509_certs_iter(hx509_context context, 
+		 hx509_certs certs, 
+		 int (*func)(hx509_context, void *, hx509_cert),
+		 void *ctx)
+{
+    hx509_cursor cursor;
+    hx509_cert c;
+    int ret;
+
+    ret = hx509_certs_start_seq(context, certs, &cursor);
+    if (ret)
+	return ret;
+    
+    while (1) {
+	ret = hx509_certs_next_cert(context, certs, cursor, &c);
+	if (ret)
+	    break;
+	if (c == NULL) {
+	    ret = 0;
+	    break;
+	}
+	ret = (*func)(context, ctx, c);
+	hx509_cert_free(c);
+	if (ret)
+	    break;
+    }
+
+    hx509_certs_end_seq(context, certs, cursor);
+
+    return ret;
+}
+
+
+/**
+ * Function to use to hx509_certs_iter() as a function argument, the
+ * ctx variable to hx509_certs_iter() should be a FILE file descriptor.
+ *
+ * @param context a hx509 context.
+ * @param ctx used by hx509_certs_iter().
+ * @param c a certificate
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
+int
+hx509_ci_print_names(hx509_context context, void *ctx, hx509_cert c)
+{
+    Certificate *cert;
+    hx509_name n;
+    char *s, *i;
+
+    cert = _hx509_get_cert(c);
+
+    _hx509_name_from_Name(&cert->tbsCertificate.subject, &n);
+    hx509_name_to_string(n, &s);
+    hx509_name_free(&n);
+    _hx509_name_from_Name(&cert->tbsCertificate.issuer, &n);
+    hx509_name_to_string(n, &i);
+    hx509_name_free(&n);
+    fprintf(ctx, "subject: %s\nissuer: %s\n", s, i);
+    free(s);
+    free(i);
+    return 0;
+}
+
+/**
+ * Add a certificate to the certificiate store.
+ *
+ * The receiving keyset certs will either increase reference counter
+ * of the cert or make a deep copy, either way, the caller needs to
+ * free the cert itself.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to add the certificate to.
+ * @param cert certificate to add.
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
+int
+hx509_certs_add(hx509_context context, hx509_certs certs, hx509_cert cert)
+{
+    if (certs->ops->add == NULL) {
+	hx509_set_error_string(context, 0, ENOENT, 
+			       "Keyset type %s doesn't support add operation", 
+			       certs->ops->name);
+	return ENOENT;
+    }
+
+    return (*certs->ops->add)(context, certs, certs->ops_data, cert);
+}
+
+/**
+ * Find a certificate matching the query.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to search.
+ * @param q query allocated with @ref hx509_query functions.
+ * @param r return certificate (or NULL on error), should be freed
+ * with hx509_cert_free().
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
+int
+hx509_certs_find(hx509_context context,
+		 hx509_certs certs, 
+		 const hx509_query *q,
+		 hx509_cert *r)
+{
+    hx509_cursor cursor;
+    hx509_cert c;
+    int ret;
+
+    *r = NULL;
+
+    _hx509_query_statistic(context, 0, q);
+
+    if (certs->ops->query)
+	return (*certs->ops->query)(context, certs, certs->ops_data, q, r);
+
+    ret = hx509_certs_start_seq(context, certs, &cursor);
+    if (ret)
+	return ret;
+
+    c = NULL;
+    while (1) {
+	ret = hx509_certs_next_cert(context, certs, cursor, &c);
+	if (ret)
+	    break;
+	if (c == NULL)
+	    break;
+	if (_hx509_query_match_cert(context, q, c)) {
+	    *r = c;
+	    break;
+	}
+	hx509_cert_free(c);
+    }
+
+    hx509_certs_end_seq(context, certs, cursor);
+    if (ret)
+	return ret;
+    if (c == NULL) {
+	hx509_clear_error_string(context);
+	return HX509_CERT_NOT_FOUND;
+    }
+
+    return 0;
+}
+
+static int
+certs_merge_func(hx509_context context, void *ctx, hx509_cert c)
+{
+    return hx509_certs_add(context, (hx509_certs)ctx, c);
+}
+
+/**
+ * Merge a certificate store into another. The from store is keep
+ * intact.
+ *
+ * @param context a hx509 context.
+ * @param to the store to merge into.
+ * @param from the store to copy the object from.
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
+int
+hx509_certs_merge(hx509_context context, hx509_certs to, hx509_certs from)
+{
+    if (from == NULL)
+	return 0;
+    return hx509_certs_iter(context, from, certs_merge_func, to);
+}
+
+/**
+ * Same a hx509_certs_merge() but use a lock and name to describe the
+ * from source.
+ *
+ * @param context a hx509 context.
+ * @param to the store to merge into.
+ * @param lock a lock that unlocks the certificates store, use NULL to
+ * select no password/certifictes/prompt lock (see @ref page_lock).
+ * @param name name of the source store
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
+int
+hx509_certs_append(hx509_context context,
+		   hx509_certs to,
+		   hx509_lock lock,
+		   const char *name)
+{
+    hx509_certs s;
+    int ret;
+
+    ret = hx509_certs_init(context, name, 0, lock, &s);
+    if (ret)
+	return ret;
+    ret = hx509_certs_merge(context, to, s);
+    hx509_certs_free(&s);
+    return ret;
+}
+
+/**
+ * Get one random certificate from the certificate store.
+ *
+ * @param context a hx509 context.
+ * @param certs a certificate store to get the certificate from.
+ * @param c return certificate, should be freed with hx509_cert_free().
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
+int
+hx509_get_one_cert(hx509_context context, hx509_certs certs, hx509_cert *c)
+{
+    hx509_cursor cursor;
+    int ret;
+
+    *c = NULL;
+
+    ret = hx509_certs_start_seq(context, certs, &cursor);
+    if (ret)
+	return ret;
+
+    ret = hx509_certs_next_cert(context, certs, cursor, c);
+    if (ret)
+	return ret;
+
+    hx509_certs_end_seq(context, certs, cursor);
+    return 0;
+}
+
+static int
+certs_info_stdio(void *ctx, const char *str)
+{
+    FILE *f = ctx;
+    fprintf(f, "%s\n", str);
+    return 0;
+}
+
+/**
+ * Print some info about the certificate store.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to print information about.
+ * @param func function that will get each line of the information, if
+ * NULL is used the data is printed on a FILE descriptor that should
+ * be passed in ctx, if ctx also is NULL, stdout is used.
+ * @param ctx parameter to func.
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
+int
+hx509_certs_info(hx509_context context, 
+		 hx509_certs certs,
+		 int (*func)(void *, const char *),
+		 void *ctx)
+{
+    if (func == NULL) {
+	func = certs_info_stdio;
+	if (ctx == NULL)
+	    ctx = stdout;
+    }
+    if (certs->ops->printinfo == NULL) {
+	(*func)(ctx, "No info function for certs");
+	return 0;
+    }
+    return (*certs->ops->printinfo)(context, certs, certs->ops_data,
+				    func, ctx);
+}
+
+void
+_hx509_pi_printf(int (*func)(void *, const char *), void *ctx,
+		 const char *fmt, ...)
+{
+    va_list ap;
+    char *str;
+
+    va_start(ap, fmt);
+    vasprintf(&str, fmt, ap);
+    va_end(ap);
+    if (str == NULL)
+	return;
+    (*func)(ctx, str);
+    free(str);
+}
+
+int
+_hx509_certs_keys_get(hx509_context context, 
+		      hx509_certs certs, 
+		      hx509_private_key **keys)
+{
+    if (certs->ops->getkeys == NULL) {
+	*keys = NULL;
+	return 0;
+    }
+    return (*certs->ops->getkeys)(context, certs, certs->ops_data, keys);
+}
+
+int
+_hx509_certs_keys_add(hx509_context context, 
+		      hx509_certs certs, 
+		      hx509_private_key key)
+{
+    if (certs->ops->addkey == NULL) {
+	hx509_set_error_string(context, 0, EINVAL,
+			       "keystore if type %s doesn't support "
+			       "key add operation",
+			       certs->ops->name);
+	return EINVAL;
+    }
+    return (*certs->ops->addkey)(context, certs, certs->ops_data, key);
+}
+
+
+void
+_hx509_certs_keys_free(hx509_context context,
+		       hx509_private_key *keys)
+{
+    int i;
+    for (i = 0; keys[i]; i++)
+	_hx509_private_key_free(&keys[i]);
+    free(keys);
+}
diff --git a/crypto/heimdal/lib/hx509/ks_dir.c b/crypto/heimdal/lib/hx509/ks_dir.c
new file mode 100644
index 0000000..a0bc875
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/ks_dir.c
@@ -0,0 +1,223 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hx_locl.h"
+RCSID("$Id: ks_dir.c 19778 2007-01-09 10:52:13Z lha $");
+#include <dirent.h>
+
+/*
+ * The DIR keyset module is strange compared to the other modules
+ * since it does lazy evaluation and really doesn't keep any local
+ * state except for the directory iteration and cert iteration of
+ * files. DIR ignores most errors so that the consumer doesn't get
+ * failes for stray files in directories.
+ */
+
+struct dircursor {
+    DIR *dir;
+    hx509_certs certs;
+    void *iter;
+};
+
+/*
+ *
+ */
+
+static int
+dir_init(hx509_context context,
+	 hx509_certs certs, void **data, int flags, 
+	 const char *residue, hx509_lock lock)
+{
+    *data = NULL;
+
+    {
+	struct stat sb;
+	int ret;
+
+	ret = stat(residue, &sb);
+	if (ret == -1) {
+	    hx509_set_error_string(context, 0, ENOENT,
+				   "No such file %s", residue);
+	    return ENOENT;
+	}
+
+	if ((sb.st_mode & S_IFDIR) == 0) {
+	    hx509_set_error_string(context, 0, ENOTDIR,
+				   "%s is not a directory", residue);
+	    return ENOTDIR;
+	}
+    }
+
+    *data = strdup(residue);
+    if (*data == NULL) {
+	hx509_clear_error_string(context);
+	return ENOMEM;
+    }
+
+    return 0;
+}
+
+static int
+dir_free(hx509_certs certs, void *data)
+{
+    free(data);
+    return 0;
+}
+
+
+
+static int 
+dir_iter_start(hx509_context context,
+	       hx509_certs certs, void *data, void **cursor)
+{
+    struct dircursor *d;
+
+    *cursor = NULL;
+
+    d = calloc(1, sizeof(*d));
+    if (d == NULL) {
+	hx509_clear_error_string(context);
+	return ENOMEM;
+    }
+
+    d->dir = opendir(data);
+    if (d->dir == NULL) {
+	hx509_clear_error_string(context);
+	free(d);
+	return errno;
+    }
+    d->certs = NULL;
+    d->iter = NULL;
+
+    *cursor = d;
+    return 0;
+}
+
+static int
+dir_iter(hx509_context context,
+	 hx509_certs certs, void *data, void *iter, hx509_cert *cert)
+{
+    struct dircursor *d = iter;
+    int ret = 0;
+    
+    *cert = NULL;
+
+    do {
+	struct dirent *dir;
+	char *fn;
+
+	if (d->certs) {
+	    ret = hx509_certs_next_cert(context, d->certs, d->iter, cert);
+	    if (ret) {
+		hx509_certs_end_seq(context, d->certs, d->iter);
+		d->iter = NULL;
+		hx509_certs_free(&d->certs);
+		return ret;
+	    }
+	    if (*cert) {
+		ret = 0;
+		break;
+	    }
+	    hx509_certs_end_seq(context, d->certs, d->iter);
+	    d->iter = NULL;
+	    hx509_certs_free(&d->certs);
+	}
+
+	dir = readdir(d->dir);
+	if (dir == NULL) {
+	    ret = 0;
+	    break;
+	}
+	if (strcmp(dir->d_name, ".") == 0 || strcmp(dir->d_name, "..") == 0)
+	    continue;
+	
+	if (asprintf(&fn, "FILE:%s/%s", (char *)data, dir->d_name) == -1)
+	    return ENOMEM;
+	
+	ret = hx509_certs_init(context, fn, 0, NULL, &d->certs);
+	if (ret == 0) {
+
+	    ret = hx509_certs_start_seq(context, d->certs, &d->iter);
+	    if (ret)
+	    hx509_certs_free(&d->certs);
+	}
+	/* ignore errors */
+	if (ret) {
+	    d->certs = NULL;
+	    ret = 0;
+	}
+
+	free(fn);
+    } while(ret == 0);
+
+    return ret;
+}
+
+
+static int
+dir_iter_end(hx509_context context,
+	     hx509_certs certs,
+	     void *data,
+	     void *cursor)
+{
+    struct dircursor *d = cursor;
+
+    if (d->certs) {
+	hx509_certs_end_seq(context, d->certs, d->iter);
+	d->iter = NULL;
+	hx509_certs_free(&d->certs);
+    }
+    closedir(d->dir);
+    free(d);
+    return 0;
+}
+
+
+static struct hx509_keyset_ops keyset_dir = {
+    "DIR",
+    0,
+    dir_init,
+    NULL,
+    dir_free,
+    NULL,
+    NULL,
+    dir_iter_start,
+    dir_iter,
+    dir_iter_end
+};
+
+void
+_hx509_ks_dir_register(hx509_context context)
+{
+    _hx509_ks_register(context, &keyset_dir);
+}
diff --git a/crypto/heimdal/lib/hx509/ks_file.c b/crypto/heimdal/lib/hx509/ks_file.c
new file mode 100644
index 0000000..87b97af
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/ks_file.c
@@ -0,0 +1,643 @@
+/*
+ * Copyright (c) 2005 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hx_locl.h"
+RCSID("$Id: ks_file.c 22465 2008-01-16 14:25:24Z lha $");
+
+typedef enum { USE_PEM, USE_DER } outformat;
+
+struct ks_file {
+    hx509_certs certs;
+    char *fn;
+    outformat format;
+};
+
+/*
+ *
+ */
+
+static int
+parse_certificate(hx509_context context, const char *fn, 
+		  struct hx509_collector *c, 
+		  const hx509_pem_header *headers,
+		  const void *data, size_t len)
+{
+    hx509_cert cert;
+    int ret;
+
+    ret = hx509_cert_init_data(context, data, len, &cert);
+    if (ret)
+	return ret;
+
+    ret = _hx509_collector_certs_add(context, c, cert);
+    hx509_cert_free(cert);
+    return ret;
+}
+
+static int
+try_decrypt(hx509_context context,
+	    struct hx509_collector *collector,
+	    const AlgorithmIdentifier *alg,
+	    const EVP_CIPHER *c,
+	    const void *ivdata,
+	    const void *password,
+	    size_t passwordlen,
+	    const void *cipher,
+	    size_t len)
+{
+    heim_octet_string clear;
+    size_t keylen;
+    void *key;
+    int ret;
+
+    keylen = EVP_CIPHER_key_length(c);
+
+    key = malloc(keylen);
+    if (key == NULL) {
+	hx509_clear_error_string(context);
+	return ENOMEM;
+    }
+
+    ret = EVP_BytesToKey(c, EVP_md5(), ivdata,
+			 password, passwordlen,
+			 1, key, NULL);
+    if (ret <= 0) {
+	hx509_set_error_string(context, 0, HX509_CRYPTO_INTERNAL_ERROR,
+			       "Failed to do string2key for private key");
+	return HX509_CRYPTO_INTERNAL_ERROR;
+    }
+
+    clear.data = malloc(len);
+    if (clear.data == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM,
+			       "Out of memory to decrypt for private key");
+	ret = ENOMEM;
+	goto out;
+    }
+    clear.length = len;
+
+    {
+	EVP_CIPHER_CTX ctx;
+	EVP_CIPHER_CTX_init(&ctx);
+	EVP_CipherInit_ex(&ctx, c, NULL, key, ivdata, 0);
+	EVP_Cipher(&ctx, clear.data, cipher, len);
+	EVP_CIPHER_CTX_cleanup(&ctx);
+    }	
+
+    ret = _hx509_collector_private_key_add(context,
+					   collector,
+					   alg,
+					   NULL,
+					   &clear,
+					   NULL);
+
+    memset(clear.data, 0, clear.length);
+    free(clear.data);
+out:
+    memset(key, 0, keylen);
+    free(key);
+    return ret;
+}
+
+static int
+parse_rsa_private_key(hx509_context context, const char *fn,
+		      struct hx509_collector *c, 
+		      const hx509_pem_header *headers,
+		      const void *data, size_t len)
+{
+    int ret = 0;
+    const char *enc;
+
+    enc = hx509_pem_find_header(headers, "Proc-Type");
+    if (enc) {
+	const char *dek;
+	char *type, *iv;
+	ssize_t ssize, size;
+	void *ivdata;
+	const EVP_CIPHER *cipher;
+	const struct _hx509_password *pw;
+	hx509_lock lock;
+	int i, decrypted = 0;
+
+	lock = _hx509_collector_get_lock(c);
+	if (lock == NULL) {
+	    hx509_set_error_string(context, 0, HX509_ALG_NOT_SUPP,
+				   "Failed to get password for "
+				   "password protected file %s", fn);
+	    return HX509_ALG_NOT_SUPP;
+	}
+
+	if (strcmp(enc, "4,ENCRYPTED") != 0) {
+	    hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
+				   "RSA key encrypted in unknown method %s "
+				   "in file",
+				   enc, fn);
+	    hx509_clear_error_string(context);
+	    return HX509_PARSING_KEY_FAILED;
+	}
+
+	dek = hx509_pem_find_header(headers, "DEK-Info");
+	if (dek == NULL) {
+	    hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
+				   "Encrypted RSA missing DEK-Info");
+	    return HX509_PARSING_KEY_FAILED;
+	}
+
+	type = strdup(dek);
+	if (type == NULL) {
+	    hx509_clear_error_string(context);
+	    return ENOMEM;
+	}
+
+	iv = strchr(type, ',');
+	if (iv == NULL) {
+	    free(type);
+	    hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
+				   "IV missing");
+	    return HX509_PARSING_KEY_FAILED;
+	}
+
+	*iv++ = '\0';
+
+	size = strlen(iv);
+	ivdata = malloc(size);
+	if (ivdata == NULL) {
+	    hx509_clear_error_string(context);
+	    free(type);
+	    return ENOMEM;
+	}
+
+	cipher = EVP_get_cipherbyname(type);
+	if (cipher == NULL) {
+	    free(ivdata);
+	    hx509_set_error_string(context, 0, HX509_ALG_NOT_SUPP,
+				   "RSA key encrypted with "
+				   "unsupported cipher: %s",
+				   type);
+	    free(type);
+	    return HX509_ALG_NOT_SUPP;
+	}
+
+#define PKCS5_SALT_LEN 8
+
+	ssize = hex_decode(iv, ivdata, size);
+	free(type);
+	type = NULL;
+	iv = NULL;
+
+	if (ssize < 0 || ssize < PKCS5_SALT_LEN || ssize < EVP_CIPHER_iv_length(cipher)) {
+	    free(ivdata);
+	    hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
+				   "Salt have wrong length in RSA key file");
+	    return HX509_PARSING_KEY_FAILED;
+	}
+	
+	pw = _hx509_lock_get_passwords(lock);
+	if (pw != NULL) {
+	    const void *password;
+	    size_t passwordlen;
+
+	    for (i = 0; i < pw->len; i++) {
+		password = pw->val[i];
+		passwordlen = strlen(password);
+		
+		ret = try_decrypt(context, c, hx509_signature_rsa(),
+				  cipher, ivdata, password, passwordlen,
+				  data, len);
+		if (ret == 0) {
+		    decrypted = 1;
+		    break;
+		}
+	    }
+	}
+	if (!decrypted) {
+	    hx509_prompt prompt;
+	    char password[128];
+
+	    memset(&prompt, 0, sizeof(prompt));
+
+	    prompt.prompt = "Password for keyfile: ";
+	    prompt.type = HX509_PROMPT_TYPE_PASSWORD;
+	    prompt.reply.data = password;
+	    prompt.reply.length = sizeof(password);
+
+	    ret = hx509_lock_prompt(lock, &prompt);
+	    if (ret == 0)
+		ret = try_decrypt(context, c, hx509_signature_rsa(),
+				  cipher, ivdata, password, strlen(password),
+				  data, len);
+	    /* XXX add password to lock password collection ? */
+	    memset(password, 0, sizeof(password));
+	}
+	free(ivdata);
+
+    } else {
+	heim_octet_string keydata;
+
+	keydata.data = rk_UNCONST(data);
+	keydata.length = len;
+
+	ret = _hx509_collector_private_key_add(context,
+					       c,
+					       hx509_signature_rsa(),
+					       NULL,
+					       &keydata,
+					       NULL);
+    }
+
+    return ret;
+}
+
+
+struct pem_formats {
+    const char *name;
+    int (*func)(hx509_context, const char *, struct hx509_collector *, 
+		const hx509_pem_header *, const void *, size_t);
+} formats[] = {
+    { "CERTIFICATE", parse_certificate },
+    { "RSA PRIVATE KEY", parse_rsa_private_key }
+};
+
+
+struct pem_ctx {
+    int flags;
+    struct hx509_collector *c;
+};
+
+static int
+pem_func(hx509_context context, const char *type,
+	 const hx509_pem_header *header,
+	 const void *data, size_t len, void *ctx)
+{
+    struct pem_ctx *pem_ctx = (struct pem_ctx*)ctx;
+    int ret = 0, j;
+
+    for (j = 0; j < sizeof(formats)/sizeof(formats[0]); j++) {
+	const char *q = formats[j].name;
+	if (strcasecmp(type, q) == 0) {
+	    ret = (*formats[j].func)(context, NULL, pem_ctx->c,  header, data, len);
+	    if (ret == 0)
+		break;
+	}
+    }
+    if (j == sizeof(formats)/sizeof(formats[0])) {
+	ret = HX509_UNSUPPORTED_OPERATION;
+	hx509_set_error_string(context, 0, ret,
+			       "Found no matching PEM format for %s", type);
+	return ret;
+    }
+    if (ret && (pem_ctx->flags & HX509_CERTS_UNPROTECT_ALL))
+	return ret;
+    return 0;
+}
+
+/*
+ *
+ */
+
+static int
+file_init_common(hx509_context context,
+		 hx509_certs certs, void **data, int flags, 
+		 const char *residue, hx509_lock lock, outformat format)
+{
+    char *p, *pnext;
+    struct ks_file *f = NULL;
+    hx509_private_key *keys = NULL;
+    int ret;
+    struct pem_ctx pem_ctx;
+
+    pem_ctx.flags = flags;
+    pem_ctx.c = NULL;
+
+    *data = NULL;
+
+    if (lock == NULL)
+	lock = _hx509_empty_lock;
+
+    f = calloc(1, sizeof(*f));
+    if (f == NULL) {
+	hx509_clear_error_string(context);
+	return ENOMEM;
+    }
+    f->format = format;
+
+    f->fn = strdup(residue);
+    if (f->fn == NULL) {
+	hx509_clear_error_string(context);
+	ret = ENOMEM;
+	goto out;
+    }
+
+    /* 
+     * XXX this is broken, the function should parse the file before
+     * overwriting it
+     */
+
+    if (flags & HX509_CERTS_CREATE) {
+	ret = hx509_certs_init(context, "MEMORY:ks-file-create", 
+			       0, lock, &f->certs);
+	if (ret)
+	    goto out;
+	*data = f;
+	return 0;
+    }
+
+    ret = _hx509_collector_alloc(context, lock, &pem_ctx.c);
+    if (ret)
+	goto out;
+
+    for (p = f->fn; p != NULL; p = pnext) {
+	FILE *f;
+
+	pnext = strchr(p, ',');
+	if (pnext)
+	    *pnext++ = '\0';
+	
+
+	if ((f = fopen(p, "r")) == NULL) {
+	    ret = ENOENT;
+	    hx509_set_error_string(context, 0, ret, 
+				   "Failed to open PEM file \"%s\": %s", 
+				   p, strerror(errno));
+	    goto out;
+	}
+
+	ret = hx509_pem_read(context, f, pem_func, &pem_ctx);
+	fclose(f);		     
+	if (ret != 0 && ret != HX509_PARSING_KEY_FAILED)
+	    goto out;
+	else if (ret == HX509_PARSING_KEY_FAILED) {
+	    size_t length;
+	    void *ptr;
+	    int i;
+
+	    ret = _hx509_map_file(p, &ptr, &length, NULL);
+	    if (ret) {
+		hx509_clear_error_string(context);
+		goto out;
+	    }
+
+	    for (i = 0; i < sizeof(formats)/sizeof(formats[0]); i++) {
+		ret = (*formats[i].func)(context, p, pem_ctx.c, NULL, ptr, length);
+		if (ret == 0)
+		    break;
+	    }
+	    _hx509_unmap_file(ptr, length);
+	    if (ret)
+		goto out;
+	}
+    }
+
+    ret = _hx509_collector_collect_certs(context, pem_ctx.c, &f->certs);
+    if (ret)
+	goto out;
+
+    ret = _hx509_collector_collect_private_keys(context, pem_ctx.c, &keys);
+    if (ret == 0) {
+	int i;
+
+	for (i = 0; keys[i]; i++)
+	    _hx509_certs_keys_add(context, f->certs, keys[i]);
+	_hx509_certs_keys_free(context, keys);
+    }
+
+out:
+    if (ret == 0)
+	*data = f;
+    else {
+	if (f->fn)
+	    free(f->fn);
+	free(f);
+    }
+    if (pem_ctx.c)
+	_hx509_collector_free(pem_ctx.c);
+
+    return ret;
+}
+
+static int
+file_init_pem(hx509_context context,
+	      hx509_certs certs, void **data, int flags, 
+	      const char *residue, hx509_lock lock)
+{
+    return file_init_common(context, certs, data, flags, residue, lock, USE_PEM);
+}
+
+static int
+file_init_der(hx509_context context,
+	      hx509_certs certs, void **data, int flags, 
+	      const char *residue, hx509_lock lock)
+{
+    return file_init_common(context, certs, data, flags, residue, lock, USE_DER);
+}
+
+static int
+file_free(hx509_certs certs, void *data)
+{
+    struct ks_file *f = data;
+    hx509_certs_free(&f->certs);
+    free(f->fn);
+    free(f);
+    return 0;
+}
+
+struct store_ctx {
+    FILE *f;
+    outformat format;
+};
+
+static int
+store_func(hx509_context context, void *ctx, hx509_cert c)
+{
+    struct store_ctx *sc = ctx;
+    heim_octet_string data;
+    int ret;
+
+    ret = hx509_cert_binary(context, c, &data);
+    if (ret)
+	return ret;
+    
+    switch (sc->format) {
+    case USE_DER:
+	fwrite(data.data, data.length, 1, sc->f);
+	free(data.data);
+	break;
+    case USE_PEM:
+	hx509_pem_write(context, "CERTIFICATE", NULL, sc->f, 
+			data.data, data.length);
+	free(data.data);
+	if (_hx509_cert_private_key_exportable(c)) {
+	    hx509_private_key key = _hx509_cert_private_key(c);
+	    ret = _hx509_private_key_export(context, key, &data);
+	    if (ret)
+		break;
+	    hx509_pem_write(context, _hx509_private_pem_name(key), NULL, sc->f,
+			    data.data, data.length);
+	    free(data.data);
+	}
+	break;
+    }
+
+    return 0;
+}
+
+static int
+file_store(hx509_context context, 
+	   hx509_certs certs, void *data, int flags, hx509_lock lock)
+{
+    struct ks_file *f = data;
+    struct store_ctx sc;
+    int ret;
+
+    sc.f = fopen(f->fn, "w");
+    if (sc.f == NULL) {
+	hx509_set_error_string(context, 0, ENOENT,
+			       "Failed to open file %s for writing");
+	return ENOENT;
+    }
+    sc.format = f->format;
+
+    ret = hx509_certs_iter(context, f->certs, store_func, &sc);
+    fclose(sc.f);
+    return ret;
+}
+
+static int 
+file_add(hx509_context context, hx509_certs certs, void *data, hx509_cert c)
+{
+    struct ks_file *f = data;
+    return hx509_certs_add(context, f->certs, c);
+}
+
+static int 
+file_iter_start(hx509_context context,
+		hx509_certs certs, void *data, void **cursor)
+{
+    struct ks_file *f = data;
+    return hx509_certs_start_seq(context, f->certs, cursor);
+}
+
+static int
+file_iter(hx509_context context,
+	  hx509_certs certs, void *data, void *iter, hx509_cert *cert)
+{
+    struct ks_file *f = data;
+    return hx509_certs_next_cert(context, f->certs, iter, cert);
+}
+
+static int
+file_iter_end(hx509_context context,
+	      hx509_certs certs,
+	      void *data,
+	      void *cursor)
+{
+    struct ks_file *f = data;
+    return hx509_certs_end_seq(context, f->certs, cursor);
+}
+
+static int
+file_getkeys(hx509_context context,
+	     hx509_certs certs,
+	     void *data,
+	     hx509_private_key **keys)
+{
+    struct ks_file *f = data;
+    return _hx509_certs_keys_get(context, f->certs, keys);
+}
+
+static int
+file_addkey(hx509_context context,
+	     hx509_certs certs,
+	     void *data,
+	     hx509_private_key key)
+{
+    struct ks_file *f = data;
+    return _hx509_certs_keys_add(context, f->certs, key);
+}
+
+static struct hx509_keyset_ops keyset_file = {
+    "FILE",
+    0,
+    file_init_pem,
+    file_store,
+    file_free,
+    file_add,
+    NULL,
+    file_iter_start,
+    file_iter,
+    file_iter_end,
+    NULL,
+    file_getkeys,
+    file_addkey
+};
+
+static struct hx509_keyset_ops keyset_pemfile = {
+    "PEM-FILE",
+    0,
+    file_init_pem,
+    file_store,
+    file_free,
+    file_add,
+    NULL,
+    file_iter_start,
+    file_iter,
+    file_iter_end,
+    NULL,
+    file_getkeys,
+    file_addkey
+};
+
+static struct hx509_keyset_ops keyset_derfile = {
+    "DER-FILE",
+    0,
+    file_init_der,
+    file_store,
+    file_free,
+    file_add,
+    NULL,
+    file_iter_start,
+    file_iter,
+    file_iter_end,
+    NULL,
+    file_getkeys,
+    file_addkey
+};
+
+
+void
+_hx509_ks_file_register(hx509_context context)
+{
+    _hx509_ks_register(context, &keyset_file);
+    _hx509_ks_register(context, &keyset_pemfile);
+    _hx509_ks_register(context, &keyset_derfile);
+}
diff --git a/crypto/heimdal/lib/hx509/ks_keychain.c b/crypto/heimdal/lib/hx509/ks_keychain.c
new file mode 100644
index 0000000..f818197
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/ks_keychain.c
@@ -0,0 +1,548 @@
+/*
+ * Copyright (c) 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hx_locl.h"
+RCSID("$Id: ks_keychain.c 22084 2007-11-16 20:12:30Z lha $");
+
+#ifdef HAVE_FRAMEWORK_SECURITY
+
+#include <Security/Security.h>
+
+/* Missing function decls in pre Leopard */
+#ifdef NEED_SECKEYGETCSPHANDLE_PROTO
+OSStatus SecKeyGetCSPHandle(SecKeyRef, CSSM_CSP_HANDLE *);
+OSStatus SecKeyGetCredentials(SecKeyRef, CSSM_ACL_AUTHORIZATION_TAG,
+			      int, const CSSM_ACCESS_CREDENTIALS **);
+#define kSecCredentialTypeDefault 0
+#endif
+
+
+static int
+getAttribute(SecKeychainItemRef itemRef, SecItemAttr item,
+	     SecKeychainAttributeList **attrs)
+{	     
+    SecKeychainAttributeInfo attrInfo;
+    UInt32 attrFormat = 0;
+    OSStatus ret;
+
+    *attrs = NULL;
+
+    attrInfo.count = 1;
+    attrInfo.tag = &item;
+    attrInfo.format = &attrFormat;
+  
+    ret = SecKeychainItemCopyAttributesAndData(itemRef, &attrInfo, NULL,
+					       attrs, NULL, NULL);
+    if (ret)
+	return EINVAL;
+    return 0;
+}
+
+
+/*
+ *
+ */
+
+struct kc_rsa {
+    SecKeychainItemRef item;
+    size_t keysize;
+};
+
+
+static int
+kc_rsa_public_encrypt(int flen,
+		      const unsigned char *from,
+		      unsigned char *to,
+		      RSA *rsa,
+		      int padding)
+{
+    return -1;
+}
+
+static int
+kc_rsa_public_decrypt(int flen,
+		      const unsigned char *from,
+		      unsigned char *to,
+		      RSA *rsa,
+		      int padding)
+{
+    return -1;
+}
+
+
+static int
+kc_rsa_private_encrypt(int flen, 
+		       const unsigned char *from,
+		       unsigned char *to,
+		       RSA *rsa,
+		       int padding)
+{
+    struct kc_rsa *kc = RSA_get_app_data(rsa);
+
+    CSSM_RETURN cret;
+    OSStatus ret;
+    const CSSM_ACCESS_CREDENTIALS *creds;
+    SecKeyRef privKeyRef = (SecKeyRef)kc->item;
+    CSSM_CSP_HANDLE cspHandle;
+    const CSSM_KEY *cssmKey;
+    CSSM_CC_HANDLE sigHandle = 0;
+    CSSM_DATA sig, in;
+    int fret = 0;
+
+
+    cret = SecKeyGetCSSMKey(privKeyRef, &cssmKey);
+    if(cret) abort();
+
+    cret = SecKeyGetCSPHandle(privKeyRef, &cspHandle);
+    if(cret) abort();
+
+    ret = SecKeyGetCredentials(privKeyRef, CSSM_ACL_AUTHORIZATION_SIGN,
+			       kSecCredentialTypeDefault, &creds);
+    if(ret) abort();
+
+    ret = CSSM_CSP_CreateSignatureContext(cspHandle, CSSM_ALGID_RSA,
+					  creds, cssmKey, &sigHandle);
+    if(ret) abort();
+
+    in.Data = (uint8 *)from;
+    in.Length = flen;
+	
+    sig.Data = (uint8 *)to;
+    sig.Length = kc->keysize;
+	
+    cret = CSSM_SignData(sigHandle, &in, 1, CSSM_ALGID_NONE, &sig);
+    if(cret) {
+	/* cssmErrorString(cret); */
+	fret = -1;
+    } else
+	fret = sig.Length;
+
+    if(sigHandle)
+	CSSM_DeleteContext(sigHandle);
+
+    return fret;
+}
+
+static int
+kc_rsa_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
+		       RSA * rsa, int padding)
+{
+    return -1;
+}
+
+static int 
+kc_rsa_init(RSA *rsa)
+{
+    return 1;
+}
+
+static int
+kc_rsa_finish(RSA *rsa)
+{
+    struct kc_rsa *kc_rsa = RSA_get_app_data(rsa);
+    CFRelease(kc_rsa->item);
+    memset(kc_rsa, 0, sizeof(*kc_rsa));
+    free(kc_rsa);
+    return 1;
+}
+
+static const RSA_METHOD kc_rsa_pkcs1_method = {
+    "hx509 Keychain PKCS#1 RSA",
+    kc_rsa_public_encrypt,
+    kc_rsa_public_decrypt,
+    kc_rsa_private_encrypt,
+    kc_rsa_private_decrypt,
+    NULL,
+    NULL,
+    kc_rsa_init,
+    kc_rsa_finish,
+    0,
+    NULL,
+    NULL,
+    NULL
+};
+
+static int
+set_private_key(hx509_context context,
+		SecKeychainItemRef itemRef,
+		hx509_cert cert)
+{
+    struct kc_rsa *kc;
+    hx509_private_key key;
+    RSA *rsa;
+    int ret;
+
+    ret = _hx509_private_key_init(&key, NULL, NULL);
+    if (ret)
+	return ret;
+
+    kc = calloc(1, sizeof(*kc));
+    if (kc == NULL)
+	_hx509_abort("out of memory");
+
+    kc->item = itemRef;
+
+    rsa = RSA_new();
+    if (rsa == NULL)
+	_hx509_abort("out of memory");
+
+    /* Argh, fake modulus since OpenSSL API is on crack */
+    {
+	SecKeychainAttributeList *attrs = NULL;
+	uint32_t size;
+	void *data;
+
+	rsa->n = BN_new();
+	if (rsa->n == NULL) abort();
+
+	ret = getAttribute(itemRef, kSecKeyKeySizeInBits, &attrs);
+	if (ret) abort();
+
+	size = *(uint32_t *)attrs->attr[0].data;
+	SecKeychainItemFreeAttributesAndData(attrs, NULL);
+
+	kc->keysize = (size + 7) / 8;
+
+	data = malloc(kc->keysize);
+	memset(data, 0xe0, kc->keysize);
+	BN_bin2bn(data, kc->keysize, rsa->n);
+	free(data);
+    }
+    rsa->e = NULL;
+
+    RSA_set_method(rsa, &kc_rsa_pkcs1_method);
+    ret = RSA_set_app_data(rsa, kc);
+    if (ret != 1)
+	_hx509_abort("RSA_set_app_data");
+
+    _hx509_private_key_assign_rsa(key, rsa);
+    _hx509_cert_assign_key(cert, key);
+
+    return 0;
+}
+
+/*
+ *
+ */
+
+struct ks_keychain {
+    int anchors;
+    SecKeychainRef keychain;
+};
+
+static int
+keychain_init(hx509_context context,
+	      hx509_certs certs, void **data, int flags,
+	      const char *residue, hx509_lock lock)
+{
+    struct ks_keychain *ctx;
+
+    ctx = calloc(1, sizeof(*ctx));
+    if (ctx == NULL) {
+	hx509_clear_error_string(context);
+	return ENOMEM;
+    }
+
+    if (residue) {
+	if (strcasecmp(residue, "system-anchors") == 0) {
+	    ctx->anchors = 1;
+	} else if (strncasecmp(residue, "FILE:", 5) == 0) {
+	    OSStatus ret;
+
+	    ret = SecKeychainOpen(residue + 5, &ctx->keychain);
+	    if (ret != noErr) {
+		hx509_set_error_string(context, 0, ENOENT, 
+				       "Failed to open %s", residue);
+		return ENOENT;
+	    }
+	} else {
+	    hx509_set_error_string(context, 0, ENOENT, 
+				   "Unknown subtype %s", residue);
+	    return ENOENT;
+	}
+    }
+
+    *data = ctx;
+    return 0;
+}
+
+/*
+ *
+ */
+
+static int
+keychain_free(hx509_certs certs, void *data)
+{
+    struct ks_keychain *ctx = data;
+    if (ctx->keychain)
+	CFRelease(ctx->keychain);
+    memset(ctx, 0, sizeof(*ctx));
+    free(ctx);
+    return 0;
+}
+
+/*
+ *
+ */
+
+struct iter {
+    hx509_certs certs;
+    void *cursor;
+    SecKeychainSearchRef searchRef;
+};
+
+static int 
+keychain_iter_start(hx509_context context,
+		    hx509_certs certs, void *data, void **cursor)
+{
+    struct ks_keychain *ctx = data;
+    struct iter *iter;
+
+    iter = calloc(1, sizeof(*iter));
+    if (iter == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+
+    if (ctx->anchors) {
+        CFArrayRef anchors;
+	int ret;
+	int i;
+
+	ret = hx509_certs_init(context, "MEMORY:ks-file-create", 
+			       0, NULL, &iter->certs);
+	if (ret) {
+	    free(iter);
+	    return ret;
+	}
+
+	ret = SecTrustCopyAnchorCertificates(&anchors);
+	if (ret != 0) {
+	    hx509_certs_free(&iter->certs);
+	    free(iter);
+	    hx509_set_error_string(context, 0, ENOMEM, 
+				   "Can't get trust anchors from Keychain");
+	    return ENOMEM;
+	}
+	for (i = 0; i < CFArrayGetCount(anchors); i++) {
+	    SecCertificateRef cr; 
+	    hx509_cert cert;
+	    CSSM_DATA cssm;
+
+	    cr = (SecCertificateRef)CFArrayGetValueAtIndex(anchors, i);
+
+	    SecCertificateGetData(cr, &cssm);
+
+	    ret = hx509_cert_init_data(context, cssm.Data, cssm.Length, &cert);
+	    if (ret)
+		continue;
+
+	    ret = hx509_certs_add(context, iter->certs, cert);
+	    hx509_cert_free(cert);
+	}
+	CFRelease(anchors);
+    }
+
+    if (iter->certs) {
+	int ret;
+	ret = hx509_certs_start_seq(context, iter->certs, &iter->cursor);
+	if (ret) {
+	    hx509_certs_free(&iter->certs);
+	    free(iter);
+	    return ret;
+	}
+    } else {
+	OSStatus ret;
+
+	ret = SecKeychainSearchCreateFromAttributes(ctx->keychain,
+						    kSecCertificateItemClass,
+						    NULL,
+						    &iter->searchRef);
+	if (ret) {
+	    free(iter);
+	    hx509_set_error_string(context, 0, ret, 
+				   "Failed to start search for attributes");
+	    return ENOMEM;
+	}
+    }
+
+    *cursor = iter;
+    return 0;
+}
+
+/*
+ *
+ */
+
+static int
+keychain_iter(hx509_context context,
+	      hx509_certs certs, void *data, void *cursor, hx509_cert *cert)
+{
+    SecKeychainAttributeList *attrs = NULL;
+    SecKeychainAttributeInfo attrInfo;
+    UInt32 attrFormat[1] = { 0 };
+    SecKeychainItemRef itemRef;
+    SecItemAttr item[1];
+    struct iter *iter = cursor;
+    OSStatus ret;
+    UInt32 len;
+    void *ptr = NULL;
+
+    if (iter->certs)
+	return hx509_certs_next_cert(context, iter->certs, iter->cursor, cert);
+
+    *cert = NULL;
+
+    ret = SecKeychainSearchCopyNext(iter->searchRef, &itemRef);
+    if (ret == errSecItemNotFound)
+	return 0;
+    else if (ret != 0)
+	return EINVAL;
+	
+    /*
+     * Pick out certificate and matching "keyid"
+     */
+
+    item[0] = kSecPublicKeyHashItemAttr;
+
+    attrInfo.count = 1;
+    attrInfo.tag = item;
+    attrInfo.format = attrFormat;
+  
+    ret = SecKeychainItemCopyAttributesAndData(itemRef, &attrInfo, NULL,
+					       &attrs, &len, &ptr);
+    if (ret)
+	return EINVAL;
+
+    ret = hx509_cert_init_data(context, ptr, len, cert);
+    if (ret)
+	goto out;
+
+    /* 
+     * Find related private key if there is one by looking at
+     * kSecPublicKeyHashItemAttr == kSecKeyLabel
+     */
+    {
+	SecKeychainSearchRef search;
+	SecKeychainAttribute attrKeyid;
+	SecKeychainAttributeList attrList;
+
+	attrKeyid.tag = kSecKeyLabel;
+	attrKeyid.length = attrs->attr[0].length;
+	attrKeyid.data = attrs->attr[0].data;
+	
+	attrList.count = 1;
+	attrList.attr = &attrKeyid;
+
+	ret = SecKeychainSearchCreateFromAttributes(NULL,
+						    CSSM_DL_DB_RECORD_PRIVATE_KEY,
+						    &attrList,
+						    &search);
+	if (ret) {
+	    ret = 0;
+	    goto out;
+	}
+
+	ret = SecKeychainSearchCopyNext(search, &itemRef);
+	CFRelease(search);
+	if (ret == errSecItemNotFound) {
+	    ret = 0;
+	    goto out;
+	} else if (ret) {
+	    ret = EINVAL;
+	    goto out;
+	}
+	set_private_key(context, itemRef, *cert);
+    }
+
+out:
+    SecKeychainItemFreeAttributesAndData(attrs, ptr);
+
+    return ret;
+}
+
+/*
+ *
+ */
+
+static int
+keychain_iter_end(hx509_context context,
+		  hx509_certs certs,
+		  void *data,
+		  void *cursor)
+{
+    struct iter *iter = cursor;
+
+    if (iter->certs) {
+	int ret;
+	ret = hx509_certs_end_seq(context, iter->certs, iter->cursor);
+	hx509_certs_free(&iter->certs);
+    } else {
+	CFRelease(iter->searchRef);
+    }
+
+    memset(iter, 0, sizeof(*iter));
+    free(iter);
+    return 0;
+}
+
+/*
+ *
+ */
+
+struct hx509_keyset_ops keyset_keychain = {
+    "KEYCHAIN",
+    0,
+    keychain_init,
+    NULL,
+    keychain_free,
+    NULL,
+    NULL,
+    keychain_iter_start,
+    keychain_iter,
+    keychain_iter_end
+};
+
+#endif /* HAVE_FRAMEWORK_SECURITY */
+
+/*
+ *
+ */
+
+void
+_hx509_ks_keychain_register(hx509_context context)
+{
+#ifdef HAVE_FRAMEWORK_SECURITY
+    _hx509_ks_register(context, &keyset_keychain);
+#endif
+}
diff --git a/crypto/heimdal/lib/hx509/ks_mem.c b/crypto/heimdal/lib/hx509/ks_mem.c
new file mode 100644
index 0000000..efa19eb
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/ks_mem.c
@@ -0,0 +1,224 @@
+/*
+ * Copyright (c) 2005 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hx_locl.h"
+RCSID("Id$");
+
+/*
+ * Should use two hash/tree certificates intead of a array.  Criteria
+ * should be subject and subjectKeyIdentifier since those two are
+ * commonly seached on in CMS and path building.
+ */
+
+struct mem_data {
+    char *name;
+    struct {
+	unsigned long len;
+	hx509_cert *val;
+    } certs;
+    hx509_private_key *keys;
+};
+
+static int
+mem_init(hx509_context context,
+	 hx509_certs certs, void **data, int flags,
+	 const char *residue, hx509_lock lock)
+{
+    struct mem_data *mem;
+    mem = calloc(1, sizeof(*mem));
+    if (mem == NULL)
+	return ENOMEM;
+    if (residue == NULL || residue[0] == '\0')
+	residue = "anonymous";
+    mem->name = strdup(residue);
+    if (mem->name == NULL) {
+	free(mem);
+	return ENOMEM;
+    }
+    *data = mem;
+    return 0;
+}
+
+static int
+mem_free(hx509_certs certs, void *data)
+{
+    struct mem_data *mem = data;
+    unsigned long i;
+    
+    for (i = 0; i < mem->certs.len; i++)
+	hx509_cert_free(mem->certs.val[i]);
+    free(mem->certs.val);
+    for (i = 0; mem->keys && mem->keys[i]; i++)
+	_hx509_private_key_free(&mem->keys[i]);
+    free(mem->keys);
+    free(mem->name);
+    free(mem);
+
+    return 0;
+}
+
+static int 
+mem_add(hx509_context context, hx509_certs certs, void *data, hx509_cert c)
+{
+    struct mem_data *mem = data;
+    hx509_cert *val;
+
+    val = realloc(mem->certs.val, 
+		  (mem->certs.len + 1) * sizeof(mem->certs.val[0]));
+    if (val == NULL)
+	return ENOMEM;
+
+    mem->certs.val = val;
+    mem->certs.val[mem->certs.len] = hx509_cert_ref(c);
+    mem->certs.len++;
+
+    return 0;
+}
+
+static int 
+mem_iter_start(hx509_context context,
+	       hx509_certs certs,
+	       void *data,
+	       void **cursor)
+{
+    unsigned long *iter = malloc(sizeof(*iter));
+
+    if (iter == NULL)
+	return ENOMEM;
+
+    *iter = 0;
+    *cursor = iter;
+
+    return 0;
+}
+
+static int
+mem_iter(hx509_context contexst,
+	 hx509_certs certs,
+	 void *data, 
+	 void *cursor,
+	 hx509_cert *cert)
+{
+    unsigned long *iter = cursor;
+    struct mem_data *mem = data;
+
+    if (*iter >= mem->certs.len) {
+	*cert = NULL;
+	return 0;
+    }
+
+    *cert = hx509_cert_ref(mem->certs.val[*iter]);
+    (*iter)++;
+    return 0;
+}
+
+static int
+mem_iter_end(hx509_context context,
+	     hx509_certs certs,
+	     void *data,
+	     void *cursor)
+{
+    free(cursor);
+    return 0;
+}
+
+static int
+mem_getkeys(hx509_context context,
+	     hx509_certs certs,
+	     void *data,
+	     hx509_private_key **keys)
+{
+    struct mem_data *mem = data;
+    int i;
+
+    for (i = 0; mem->keys && mem->keys[i]; i++)
+	;
+    *keys = calloc(i + 1, sizeof(**keys));
+    for (i = 0; mem->keys && mem->keys[i]; i++) {
+	(*keys)[i] = _hx509_private_key_ref(mem->keys[i]);
+	if ((*keys)[i] == NULL) {
+	    while (--i >= 0)
+		_hx509_private_key_free(&(*keys)[i]);
+	    hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	    return ENOMEM;
+	}
+    }	    
+    (*keys)[i] = NULL;
+    return 0;
+}
+
+static int
+mem_addkey(hx509_context context,
+	   hx509_certs certs,
+	   void *data,
+	   hx509_private_key key)
+{
+    struct mem_data *mem = data;
+    void *ptr;
+    int i;
+
+    for (i = 0; mem->keys && mem->keys[i]; i++)
+	;
+    ptr = realloc(mem->keys, (i + 2) * sizeof(*mem->keys));
+    if (ptr == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+    mem->keys = ptr;
+    mem->keys[i++] = _hx509_private_key_ref(key);
+    mem->keys[i++] = NULL;
+    return 0;
+}
+
+
+static struct hx509_keyset_ops keyset_mem = {
+    "MEMORY",
+    0,
+    mem_init,
+    NULL,
+    mem_free,
+    mem_add,
+    NULL,
+    mem_iter_start,
+    mem_iter,
+    mem_iter_end,
+    NULL,
+    mem_getkeys,
+    mem_addkey
+};
+
+void
+_hx509_ks_mem_register(hx509_context context)
+{
+    _hx509_ks_register(context, &keyset_mem);
+}
diff --git a/crypto/heimdal/lib/hx509/ks_null.c b/crypto/heimdal/lib/hx509/ks_null.c
new file mode 100644
index 0000000..3be259f
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/ks_null.c
@@ -0,0 +1,98 @@
+/*
+ * Copyright (c) 2005 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hx_locl.h"
+RCSID("$Id: ks_null.c 20901 2007-06-04 23:14:08Z lha $");
+
+
+static int
+null_init(hx509_context context,
+	  hx509_certs certs, void **data, int flags,
+	  const char *residue, hx509_lock lock)
+{
+    *data = NULL;
+    return 0;
+}
+
+static int
+null_free(hx509_certs certs, void *data)
+{
+    assert(data == NULL);
+    return 0;
+}
+
+static int 
+null_iter_start(hx509_context context,
+		hx509_certs certs, void *data, void **cursor)
+{
+    *cursor = NULL;
+    return 0;
+}
+
+static int
+null_iter(hx509_context context,
+	  hx509_certs certs, void *data, void *iter, hx509_cert *cert)
+{
+    *cert = NULL;
+    return ENOENT;
+}
+
+static int
+null_iter_end(hx509_context context,
+	      hx509_certs certs,
+	      void *data,
+	      void *cursor)
+{
+    assert(cursor == NULL);
+    return 0;
+}
+
+
+struct hx509_keyset_ops keyset_null = {
+    "NULL",
+    0,
+    null_init,
+    NULL,
+    null_free,
+    NULL,
+    NULL,
+    null_iter_start,
+    null_iter,
+    null_iter_end
+};
+
+void
+_hx509_ks_null_register(hx509_context context)
+{
+    _hx509_ks_register(context, &keyset_null);
+}
diff --git a/crypto/heimdal/lib/hx509/ks_p11.c b/crypto/heimdal/lib/hx509/ks_p11.c
new file mode 100644
index 0000000..0d7c312
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/ks_p11.c
@@ -0,0 +1,1192 @@
+/*
+ * Copyright (c) 2004 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hx_locl.h"
+RCSID("$Id: ks_p11.c 22071 2007-11-14 20:04:50Z lha $");
+#ifdef HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#ifdef HAVE_DLOPEN
+
+#include "pkcs11.h"
+
+struct p11_slot {
+    int flags;
+#define P11_SESSION		1
+#define P11_SESSION_IN_USE	2
+#define P11_LOGIN_REQ		4
+#define P11_LOGIN_DONE		8
+#define P11_TOKEN_PRESENT	16
+    CK_SESSION_HANDLE session;
+    CK_SLOT_ID id;
+    CK_BBOOL token;
+    char *name;
+    hx509_certs certs;
+    char *pin;
+    struct {
+	CK_MECHANISM_TYPE_PTR list;
+	CK_ULONG num;
+	CK_MECHANISM_INFO_PTR *infos;
+    } mechs;
+};
+
+struct p11_module {
+    void *dl_handle;
+    CK_FUNCTION_LIST_PTR funcs;
+    CK_ULONG num_slots;
+    unsigned int refcount;
+    struct p11_slot *slot;
+};
+
+#define P11FUNC(module,f,args) (*(module)->funcs->C_##f)args
+
+static int p11_get_session(hx509_context,
+			   struct p11_module *,
+			   struct p11_slot *,
+			   hx509_lock,
+			   CK_SESSION_HANDLE *);
+static int p11_put_session(struct p11_module *,
+			   struct p11_slot *,
+			   CK_SESSION_HANDLE);
+static void p11_release_module(struct p11_module *);
+
+static int p11_list_keys(hx509_context,
+			 struct p11_module *,
+			 struct p11_slot *, 
+			 CK_SESSION_HANDLE,
+			 hx509_lock,
+			 hx509_certs *);
+
+/*
+ *
+ */
+
+struct p11_rsa {
+    struct p11_module *p;
+    struct p11_slot *slot;
+    CK_OBJECT_HANDLE private_key;
+    CK_OBJECT_HANDLE public_key;
+};
+
+static int
+p11_rsa_public_encrypt(int flen,
+		       const unsigned char *from,
+		       unsigned char *to,
+		       RSA *rsa,
+		       int padding)
+{
+    return -1;
+}
+
+static int
+p11_rsa_public_decrypt(int flen,
+		       const unsigned char *from,
+		       unsigned char *to,
+		       RSA *rsa,
+		       int padding)
+{
+    return -1;
+}
+
+
+static int
+p11_rsa_private_encrypt(int flen, 
+			const unsigned char *from,
+			unsigned char *to,
+			RSA *rsa,
+			int padding)
+{
+    struct p11_rsa *p11rsa = RSA_get_app_data(rsa);
+    CK_OBJECT_HANDLE key = p11rsa->private_key;
+    CK_SESSION_HANDLE session;
+    CK_MECHANISM mechanism;
+    CK_ULONG ck_sigsize;
+    int ret;
+
+    if (padding != RSA_PKCS1_PADDING)
+	return -1;
+
+    memset(&mechanism, 0, sizeof(mechanism));
+    mechanism.mechanism = CKM_RSA_PKCS;
+
+    ck_sigsize = RSA_size(rsa);
+
+    ret = p11_get_session(NULL, p11rsa->p, p11rsa->slot, NULL, &session);
+    if (ret)
+	return -1;
+
+    ret = P11FUNC(p11rsa->p, SignInit, (session, &mechanism, key));
+    if (ret != CKR_OK) {
+	p11_put_session(p11rsa->p, p11rsa->slot, session);
+	return -1;
+    }
+
+    ret = P11FUNC(p11rsa->p, Sign, 
+		  (session, (CK_BYTE *)from, flen, to, &ck_sigsize));
+    p11_put_session(p11rsa->p, p11rsa->slot, session);
+    if (ret != CKR_OK)
+	return -1;
+
+    return ck_sigsize;
+}
+
+static int
+p11_rsa_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
+			RSA * rsa, int padding)
+{
+    struct p11_rsa *p11rsa = RSA_get_app_data(rsa);
+    CK_OBJECT_HANDLE key = p11rsa->private_key;
+    CK_SESSION_HANDLE session;
+    CK_MECHANISM mechanism;
+    CK_ULONG ck_sigsize;
+    int ret;
+
+    if (padding != RSA_PKCS1_PADDING)
+	return -1;
+
+    memset(&mechanism, 0, sizeof(mechanism));
+    mechanism.mechanism = CKM_RSA_PKCS;
+
+    ck_sigsize = RSA_size(rsa);
+
+    ret = p11_get_session(NULL, p11rsa->p, p11rsa->slot, NULL, &session);
+    if (ret)
+	return -1;
+
+    ret = P11FUNC(p11rsa->p, DecryptInit, (session, &mechanism, key));
+    if (ret != CKR_OK) {
+	p11_put_session(p11rsa->p, p11rsa->slot, session);
+	return -1;
+    }
+
+    ret = P11FUNC(p11rsa->p, Decrypt, 
+		  (session, (CK_BYTE *)from, flen, to, &ck_sigsize));
+    p11_put_session(p11rsa->p, p11rsa->slot, session);
+    if (ret != CKR_OK)
+	return -1;
+
+    return ck_sigsize;
+}
+
+static int 
+p11_rsa_init(RSA *rsa)
+{
+    return 1;
+}
+
+static int
+p11_rsa_finish(RSA *rsa)
+{
+    struct p11_rsa *p11rsa = RSA_get_app_data(rsa);
+    p11_release_module(p11rsa->p);
+    free(p11rsa);
+    return 1;
+}
+
+static const RSA_METHOD p11_rsa_pkcs1_method = {
+    "hx509 PKCS11 PKCS#1 RSA",
+    p11_rsa_public_encrypt,
+    p11_rsa_public_decrypt,
+    p11_rsa_private_encrypt,
+    p11_rsa_private_decrypt,
+    NULL,
+    NULL,
+    p11_rsa_init,
+    p11_rsa_finish,
+    0,
+    NULL,
+    NULL,
+    NULL
+};
+
+/*
+ *
+ */
+
+static int
+p11_mech_info(hx509_context context,
+	      struct p11_module *p,
+	      struct p11_slot *slot,
+	      int num)
+{
+    CK_ULONG i;
+    int ret;
+
+    ret = P11FUNC(p, GetMechanismList, (slot->id, NULL_PTR, &i));
+    if (ret) {
+	hx509_set_error_string(context, 0, HX509_PKCS11_NO_MECH,
+			       "Failed to get mech list count for slot %d",
+			       num);
+	return HX509_PKCS11_NO_MECH;
+    }
+    if (i == 0) {
+	hx509_set_error_string(context, 0, HX509_PKCS11_NO_MECH,
+			       "no mech supported for slot %d", num);
+	return HX509_PKCS11_NO_MECH;
+    }
+    slot->mechs.list = calloc(i, sizeof(slot->mechs.list[0]));
+    if (slot->mechs.list == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM,
+			       "out of memory");
+	return ENOMEM;
+    }
+    slot->mechs.num = i;
+    ret = P11FUNC(p, GetMechanismList, (slot->id, slot->mechs.list, &i));
+    if (ret) {
+	hx509_set_error_string(context, 0, HX509_PKCS11_NO_MECH,
+			       "Failed to get mech list for slot %d",
+			       num);
+	return HX509_PKCS11_NO_MECH;
+    }
+    assert(i == slot->mechs.num);
+
+    slot->mechs.infos = calloc(i, sizeof(*slot->mechs.infos));
+    if (slot->mechs.list == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM,
+			       "out of memory");
+	return ENOMEM;
+    }
+
+    for (i = 0; i < slot->mechs.num; i++) {
+	slot->mechs.infos[i] = calloc(1, sizeof(*(slot->mechs.infos[0])));
+	if (slot->mechs.infos[i] == NULL) {
+	    hx509_set_error_string(context, 0, ENOMEM,
+				   "out of memory");
+	    return ENOMEM;
+	}
+	ret = P11FUNC(p, GetMechanismInfo, (slot->id, slot->mechs.list[i],
+					    slot->mechs.infos[i]));
+	if (ret) {
+	    hx509_set_error_string(context, 0, HX509_PKCS11_NO_MECH,
+				   "Failed to get mech info for slot %d",
+				   num);
+	    return HX509_PKCS11_NO_MECH;
+	}
+    }
+
+    return 0;
+}
+
+static int
+p11_init_slot(hx509_context context, 
+	      struct p11_module *p,
+	      hx509_lock lock,
+	      CK_SLOT_ID id,
+	      int num,
+	      struct p11_slot *slot)
+{
+    CK_SESSION_HANDLE session;
+    CK_SLOT_INFO slot_info;
+    CK_TOKEN_INFO token_info;
+    int ret, i;
+
+    slot->certs = NULL;
+    slot->id = id;
+
+    ret = P11FUNC(p, GetSlotInfo, (slot->id, &slot_info));
+    if (ret) {
+	hx509_set_error_string(context, 0, HX509_PKCS11_TOKEN_CONFUSED,
+			       "Failed to init PKCS11 slot %d",
+			       num);
+	return HX509_PKCS11_TOKEN_CONFUSED;
+    }
+
+    for (i = sizeof(slot_info.slotDescription) - 1; i > 0; i--) {
+	char c = slot_info.slotDescription[i];
+	if (c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == '\0')
+	    continue;
+	i++;
+	break;
+    }
+
+    asprintf(&slot->name, "%.*s",
+	     i, slot_info.slotDescription);
+
+    if ((slot_info.flags & CKF_TOKEN_PRESENT) == 0)
+	return 0;
+
+    ret = P11FUNC(p, GetTokenInfo, (slot->id, &token_info));
+    if (ret) {
+	hx509_set_error_string(context, 0, HX509_PKCS11_NO_TOKEN,
+			       "Failed to init PKCS11 slot %d "
+			       "with error 0x08x",
+			       num, ret);
+	return HX509_PKCS11_NO_TOKEN;
+    }
+    slot->flags |= P11_TOKEN_PRESENT;
+
+    if (token_info.flags & CKF_LOGIN_REQUIRED)
+	slot->flags |= P11_LOGIN_REQ;
+
+    ret = p11_get_session(context, p, slot, lock, &session);
+    if (ret)
+	return ret;
+
+    ret = p11_mech_info(context, p, slot, num);
+    if (ret)
+	goto out;
+
+    ret = p11_list_keys(context, p, slot, session, lock, &slot->certs);
+ out:
+    p11_put_session(p, slot, session);
+
+    return ret;
+}
+
+static int
+p11_get_session(hx509_context context,
+		struct p11_module *p,
+		struct p11_slot *slot,
+		hx509_lock lock,
+		CK_SESSION_HANDLE *psession)
+{
+    CK_RV ret;
+
+    if (slot->flags & P11_SESSION_IN_USE)
+	_hx509_abort("slot already in session");
+    
+    if (slot->flags & P11_SESSION) {
+	slot->flags |= P11_SESSION_IN_USE;
+	*psession = slot->session;
+	return 0;
+    }
+
+    ret = P11FUNC(p, OpenSession, (slot->id, 
+				   CKF_SERIAL_SESSION,
+				   NULL,
+				   NULL,
+				   &slot->session));
+    if (ret != CKR_OK) {
+	if (context)
+	    hx509_set_error_string(context, 0, HX509_PKCS11_OPEN_SESSION,
+				   "Failed to OpenSession for slot id %d "
+				   "with error: 0x%08x",
+				   (int)slot->id, ret);
+	return HX509_PKCS11_OPEN_SESSION;
+    }
+    
+    slot->flags |= P11_SESSION;
+    
+    /* 
+     * If we have have to login, and haven't tried before and have a
+     * prompter or known to work pin code.
+     *
+     * This code is very conversative and only uses the prompter in
+     * the hx509_lock, the reason is that it's bad to try many
+     * passwords on a pkcs11 token, it might lock up and have to be
+     * unlocked by a administrator.
+     *
+     * XXX try harder to not use pin several times on the same card.
+     */
+
+    if (   (slot->flags & P11_LOGIN_REQ)
+	&& (slot->flags & P11_LOGIN_DONE) == 0
+	&& (lock || slot->pin))
+    {
+	hx509_prompt prompt;
+	char pin[20];
+	char *str;
+
+	slot->flags |= P11_LOGIN_DONE;
+
+	if (slot->pin == NULL) {
+
+	    memset(&prompt, 0, sizeof(prompt));
+
+	    asprintf(&str, "PIN code for %s: ", slot->name);
+	    prompt.prompt = str;
+	    prompt.type = HX509_PROMPT_TYPE_PASSWORD;
+	    prompt.reply.data = pin;
+	    prompt.reply.length = sizeof(pin);
+	    
+	    ret = hx509_lock_prompt(lock, &prompt);
+	    if (ret) {
+		free(str);
+		if (context)
+		    hx509_set_error_string(context, 0, ret,
+					   "Failed to get pin code for slot "
+					   "id %d with error: %d",
+					   (int)slot->id, ret);
+		return ret;
+	    }
+	    free(str);
+	} else {
+	    strlcpy(pin, slot->pin, sizeof(pin));
+	}
+
+	ret = P11FUNC(p, Login, (slot->session, CKU_USER,
+				 (unsigned char*)pin, strlen(pin)));
+	if (ret != CKR_OK) {
+	    if (context)
+		hx509_set_error_string(context, 0, HX509_PKCS11_LOGIN,
+				       "Failed to login on slot id %d "
+				       "with error: 0x%08x",
+				       (int)slot->id, ret);
+	    p11_put_session(p, slot, slot->session);
+	    return HX509_PKCS11_LOGIN;
+	}
+	if (slot->pin == NULL) {
+	    slot->pin = strdup(pin);
+	    if (slot->pin == NULL) {
+		if (context)
+		    hx509_set_error_string(context, 0, ENOMEM,
+					   "out of memory");
+		p11_put_session(p, slot, slot->session);
+		return ENOMEM;
+	    }
+	}
+    } else
+	slot->flags |= P11_LOGIN_DONE;
+
+    slot->flags |= P11_SESSION_IN_USE;
+
+    *psession = slot->session;
+
+    return 0;
+}
+
+static int
+p11_put_session(struct p11_module *p,
+		struct p11_slot *slot, 
+		CK_SESSION_HANDLE session)
+{
+    if ((slot->flags & P11_SESSION_IN_USE) == 0)
+	_hx509_abort("slot not in session");
+    slot->flags &= ~P11_SESSION_IN_USE;
+
+    return 0;
+}
+
+static int
+iterate_entries(hx509_context context,
+		struct p11_module *p, struct p11_slot *slot,
+		CK_SESSION_HANDLE session,
+		CK_ATTRIBUTE *search_data, int num_search_data,
+		CK_ATTRIBUTE *query, int num_query,
+		int (*func)(hx509_context,
+			    struct p11_module *, struct p11_slot *,
+			    CK_SESSION_HANDLE session,
+			    CK_OBJECT_HANDLE object,
+			    void *, CK_ATTRIBUTE *, int), void *ptr)
+{
+    CK_OBJECT_HANDLE object;
+    CK_ULONG object_count;
+    int ret, i;
+
+    ret = P11FUNC(p, FindObjectsInit, (session, search_data, num_search_data));
+    if (ret != CKR_OK) {
+	return -1;
+    }
+    while (1) {
+	ret = P11FUNC(p, FindObjects, (session, &object, 1, &object_count));
+	if (ret != CKR_OK) {
+	    return -1;
+	}
+	if (object_count == 0)
+	    break;
+	
+	for (i = 0; i < num_query; i++)
+	    query[i].pValue = NULL;
+
+	ret = P11FUNC(p, GetAttributeValue, 
+		      (session, object, query, num_query));
+	if (ret != CKR_OK) {
+	    return -1;
+	}
+	for (i = 0; i < num_query; i++) {
+	    query[i].pValue = malloc(query[i].ulValueLen);
+	    if (query[i].pValue == NULL) {
+		ret = ENOMEM;
+		goto out;
+	    }
+	}
+	ret = P11FUNC(p, GetAttributeValue,
+		      (session, object, query, num_query));
+	if (ret != CKR_OK) {
+	    ret = -1;
+	    goto out;
+	}
+	
+	ret = (*func)(context, p, slot, session, object, ptr, query, num_query);
+	if (ret)
+	    goto out;
+
+	for (i = 0; i < num_query; i++) {
+	    if (query[i].pValue)
+		free(query[i].pValue);
+	    query[i].pValue = NULL;
+	}
+    }
+ out:
+
+    for (i = 0; i < num_query; i++) {
+	if (query[i].pValue)
+	    free(query[i].pValue);
+	query[i].pValue = NULL;
+    }
+
+    ret = P11FUNC(p, FindObjectsFinal, (session));
+    if (ret != CKR_OK) {
+	return -2;
+    }
+
+
+    return 0;
+}
+		
+static BIGNUM *
+getattr_bn(struct p11_module *p,
+	   struct p11_slot *slot,
+	   CK_SESSION_HANDLE session,
+	   CK_OBJECT_HANDLE object, 
+	   unsigned int type)
+{
+    CK_ATTRIBUTE query;
+    BIGNUM *bn;
+    int ret;
+
+    query.type = type;
+    query.pValue = NULL;
+    query.ulValueLen = 0;
+
+    ret = P11FUNC(p, GetAttributeValue, 
+		  (session, object, &query, 1));
+    if (ret != CKR_OK)
+	return NULL;
+
+    query.pValue = malloc(query.ulValueLen);
+
+    ret = P11FUNC(p, GetAttributeValue, 
+		  (session, object, &query, 1));
+    if (ret != CKR_OK) {
+	free(query.pValue);
+	return NULL;
+    }
+    bn = BN_bin2bn(query.pValue, query.ulValueLen, NULL);
+    free(query.pValue);
+
+    return bn;
+}
+
+static int
+collect_private_key(hx509_context context,
+		    struct p11_module *p, struct p11_slot *slot,
+		    CK_SESSION_HANDLE session,
+		    CK_OBJECT_HANDLE object,
+		    void *ptr, CK_ATTRIBUTE *query, int num_query)
+{
+    struct hx509_collector *collector = ptr;
+    hx509_private_key key;
+    heim_octet_string localKeyId;
+    int ret;
+    RSA *rsa;
+    struct p11_rsa *p11rsa;
+
+    localKeyId.data = query[0].pValue;
+    localKeyId.length = query[0].ulValueLen;
+
+    ret = _hx509_private_key_init(&key, NULL, NULL);
+    if (ret)
+	return ret;
+
+    rsa = RSA_new();
+    if (rsa == NULL)
+	_hx509_abort("out of memory");
+
+    /* 
+     * The exponent and modulus should always be present according to
+     * the pkcs11 specification, but some smartcards leaves it out,
+     * let ignore any failure to fetch it.
+     */
+    rsa->n = getattr_bn(p, slot, session, object, CKA_MODULUS);
+    rsa->e = getattr_bn(p, slot, session, object, CKA_PUBLIC_EXPONENT);
+
+    p11rsa = calloc(1, sizeof(*p11rsa));
+    if (p11rsa == NULL)
+	_hx509_abort("out of memory");
+
+    p11rsa->p = p;
+    p11rsa->slot = slot;
+    p11rsa->private_key = object;
+    
+    p->refcount++;
+    if (p->refcount == 0)
+	_hx509_abort("pkcs11 refcount to high");
+
+    RSA_set_method(rsa, &p11_rsa_pkcs1_method);
+    ret = RSA_set_app_data(rsa, p11rsa);
+    if (ret != 1)
+	_hx509_abort("RSA_set_app_data");
+
+    _hx509_private_key_assign_rsa(key, rsa);
+
+    ret = _hx509_collector_private_key_add(context,
+					   collector,
+					   hx509_signature_rsa(),
+					   key,
+					   NULL,
+					   &localKeyId);
+
+    if (ret) {
+	_hx509_private_key_free(&key);
+	return ret;
+    }
+    return 0;
+}
+
+static void
+p11_cert_release(hx509_cert cert, void *ctx)
+{
+    struct p11_module *p = ctx;
+    p11_release_module(p);
+}
+
+
+static int
+collect_cert(hx509_context context, 
+	     struct p11_module *p, struct p11_slot *slot,
+	     CK_SESSION_HANDLE session,
+	     CK_OBJECT_HANDLE object,
+	     void *ptr, CK_ATTRIBUTE *query, int num_query)
+{
+    struct hx509_collector *collector = ptr;
+    hx509_cert cert;
+    int ret;
+
+    if ((CK_LONG)query[0].ulValueLen == -1 ||
+	(CK_LONG)query[1].ulValueLen == -1) 
+    {
+	return 0;
+    }
+
+    ret = hx509_cert_init_data(context, query[1].pValue, 
+			       query[1].ulValueLen, &cert);
+    if (ret)
+	return ret;
+
+    p->refcount++;
+    if (p->refcount == 0)
+	_hx509_abort("pkcs11 refcount to high");
+
+    _hx509_cert_set_release(cert, p11_cert_release, p);
+
+    {
+	heim_octet_string data;
+	
+	data.data = query[0].pValue;
+	data.length = query[0].ulValueLen;
+	
+	_hx509_set_cert_attribute(context,
+				  cert,
+				  oid_id_pkcs_9_at_localKeyId(),
+				  &data);
+    }
+
+    if ((CK_LONG)query[2].ulValueLen != -1) {
+	char *str;
+
+	asprintf(&str, "%.*s",
+		 (int)query[2].ulValueLen, (char *)query[2].pValue);
+	if (str) {
+	    hx509_cert_set_friendly_name(cert, str);
+	    free(str);
+	}
+    }
+
+    ret = _hx509_collector_certs_add(context, collector, cert);
+    hx509_cert_free(cert);
+
+    return ret;
+}
+
+
+static int
+p11_list_keys(hx509_context context,
+	      struct p11_module *p,
+	      struct p11_slot *slot, 
+	      CK_SESSION_HANDLE session,
+	      hx509_lock lock,
+	      hx509_certs *certs)
+{
+    struct hx509_collector *collector;
+    CK_OBJECT_CLASS key_class;
+    CK_ATTRIBUTE search_data[] = {
+	{CKA_CLASS, NULL, 0},
+    };
+    CK_ATTRIBUTE query_data[3] = {
+	{CKA_ID, NULL, 0},
+	{CKA_VALUE, NULL, 0},
+	{CKA_LABEL, NULL, 0}
+    };
+    int ret;
+
+    search_data[0].pValue = &key_class;
+    search_data[0].ulValueLen = sizeof(key_class);
+
+    if (lock == NULL)
+	lock = _hx509_empty_lock;
+
+    ret = _hx509_collector_alloc(context, lock, &collector);
+    if (ret)
+	return ret;
+
+    key_class = CKO_PRIVATE_KEY;
+    ret = iterate_entries(context, p, slot, session,
+			  search_data, 1,
+			  query_data, 1,
+			  collect_private_key, collector);
+    if (ret)
+	goto out;
+
+    key_class = CKO_CERTIFICATE;
+    ret = iterate_entries(context, p, slot, session,
+			  search_data, 1,
+			  query_data, 3,
+			  collect_cert, collector);
+    if (ret)
+	goto out;
+
+    ret = _hx509_collector_collect_certs(context, collector, &slot->certs);
+
+out:
+    _hx509_collector_free(collector);
+
+    return ret;
+}
+
+
+static int
+p11_init(hx509_context context,
+	 hx509_certs certs, void **data, int flags, 
+	 const char *residue, hx509_lock lock)
+{
+    CK_C_GetFunctionList getFuncs;
+    struct p11_module *p;
+    char *list, *str;
+    int ret;
+
+    *data = NULL;
+
+    list = strdup(residue);
+    if (list == NULL)
+	return ENOMEM;
+
+    p = calloc(1, sizeof(*p));
+    if (p == NULL) {
+	free(list);
+	return ENOMEM;
+    }
+
+    p->refcount = 1;
+
+    str = strchr(list, ',');
+    if (str)
+	*str++ = '\0';
+    while (str) {
+	char *strnext;
+	strnext = strchr(str, ',');
+	if (strnext)
+	    *strnext++ = '\0';
+#if 0
+	if (strncasecmp(str, "slot=", 5) == 0)
+	    p->selected_slot = atoi(str + 5);
+#endif
+	str = strnext;
+    }
+
+    p->dl_handle = dlopen(list, RTLD_NOW);
+    free(list);
+    if (p->dl_handle == NULL) {
+	ret = HX509_PKCS11_LOAD;
+	hx509_set_error_string(context, 0, ret,
+			       "Failed to open %s: %s", list, dlerror());
+	goto out;
+    }
+
+    getFuncs = dlsym(p->dl_handle, "C_GetFunctionList");
+    if (getFuncs == NULL) {
+	ret = HX509_PKCS11_LOAD;
+	hx509_set_error_string(context, 0, ret,
+			       "C_GetFunctionList missing in %s: %s", 
+			       list, dlerror());
+	goto out;
+    }
+
+    ret = (*getFuncs)(&p->funcs);
+    if (ret) {
+	ret = HX509_PKCS11_LOAD;
+	hx509_set_error_string(context, 0, ret,
+			       "C_GetFunctionList failed in %s", list);
+	goto out;
+    }
+
+    ret = P11FUNC(p, Initialize, (NULL_PTR));
+    if (ret != CKR_OK) {
+	ret = HX509_PKCS11_TOKEN_CONFUSED;
+	hx509_set_error_string(context, 0, ret,
+			       "Failed initialize the PKCS11 module");
+	goto out;
+    }
+
+    ret = P11FUNC(p, GetSlotList, (FALSE, NULL, &p->num_slots));
+    if (ret) {
+	ret = HX509_PKCS11_TOKEN_CONFUSED;
+	hx509_set_error_string(context, 0, ret,
+			       "Failed to get number of PKCS11 slots");
+	goto out;
+    }
+
+   if (p->num_slots == 0) {
+	ret = HX509_PKCS11_NO_SLOT;
+	hx509_set_error_string(context, 0, ret,
+			       "Selected PKCS11 module have no slots");
+	goto out;
+   }
+
+
+    {
+	CK_SLOT_ID_PTR slot_ids;
+	int i, num_tokens = 0;
+
+	slot_ids = malloc(p->num_slots * sizeof(*slot_ids));
+	if (slot_ids == NULL) {
+	    hx509_clear_error_string(context);
+	    ret = ENOMEM;
+	    goto out;
+	}
+
+	ret = P11FUNC(p, GetSlotList, (FALSE, slot_ids, &p->num_slots));
+	if (ret) {
+	    free(slot_ids);
+	    hx509_set_error_string(context, 0, HX509_PKCS11_TOKEN_CONFUSED,
+				   "Failed getting slot-list from "
+				   "PKCS11 module");
+	    ret = HX509_PKCS11_TOKEN_CONFUSED;
+	    goto out;
+	}
+
+	p->slot = calloc(p->num_slots, sizeof(p->slot[0]));
+	if (p->slot == NULL) {
+	    free(slot_ids);
+	    hx509_set_error_string(context, 0, ENOMEM,
+				   "Failed to get memory for slot-list");
+	    ret = ENOMEM;
+	    goto out;
+	}
+			 
+	for (i = 0; i < p->num_slots; i++) {
+	    ret = p11_init_slot(context, p, lock, slot_ids[i], i, &p->slot[i]);
+	    if (ret)
+		break;
+	    if (p->slot[i].flags & P11_TOKEN_PRESENT)
+		num_tokens++;
+	}
+	free(slot_ids);
+	if (ret)
+	    goto out;
+	if (num_tokens == 0) {
+	    ret = HX509_PKCS11_NO_TOKEN;
+	    goto out;
+	}
+    }
+
+    *data = p;
+
+    return 0;
+ out:    
+    p11_release_module(p);
+    return ret;
+}
+
+static void
+p11_release_module(struct p11_module *p)
+{
+    int i;
+
+    if (p->refcount == 0)
+	_hx509_abort("pkcs11 refcount to low");
+    if (--p->refcount > 0)
+	return;
+
+    for (i = 0; i < p->num_slots; i++) {
+	if (p->slot[i].flags & P11_SESSION_IN_USE)
+	    _hx509_abort("pkcs11 module release while session in use");
+	if (p->slot[i].flags & P11_SESSION) {
+	    int ret;
+
+	    ret = P11FUNC(p, CloseSession, (p->slot[i].session));
+	    if (ret != CKR_OK)
+		;
+	}
+
+	if (p->slot[i].name)
+	    free(p->slot[i].name);
+	if (p->slot[i].pin) {
+	    memset(p->slot[i].pin, 0, strlen(p->slot[i].pin));
+	    free(p->slot[i].pin);
+	}
+	if (p->slot[i].mechs.num) {
+	    free(p->slot[i].mechs.list);
+
+	    if (p->slot[i].mechs.infos) {
+		int j;
+
+		for (j = 0 ; j < p->slot[i].mechs.num ; j++)
+		    free(p->slot[i].mechs.infos[j]);
+		free(p->slot[i].mechs.infos);
+	    }
+	}
+    }
+    free(p->slot);
+
+    if (p->funcs)
+	P11FUNC(p, Finalize, (NULL));
+
+    if (p->dl_handle)
+	dlclose(p->dl_handle);
+
+    memset(p, 0, sizeof(*p));
+    free(p);
+}
+
+static int
+p11_free(hx509_certs certs, void *data)
+{
+    struct p11_module *p = data;
+    int i;
+
+    for (i = 0; i < p->num_slots; i++) {
+	if (p->slot[i].certs)
+	    hx509_certs_free(&p->slot[i].certs);
+    }
+    p11_release_module(p);
+    return 0;
+}
+
+struct p11_cursor {
+    hx509_certs certs;
+    void *cursor;
+};
+
+static int 
+p11_iter_start(hx509_context context,
+	       hx509_certs certs, void *data, void **cursor)
+{
+    struct p11_module *p = data;
+    struct p11_cursor *c;
+    int ret, i;
+
+    c = malloc(sizeof(*c));
+    if (c == NULL) {
+	hx509_clear_error_string(context);
+	return ENOMEM;
+    }
+    ret = hx509_certs_init(context, "MEMORY:pkcs11-iter", 0, NULL, &c->certs);
+    if (ret) {
+	free(c);
+	return ret;
+    }
+
+    for (i = 0 ; i < p->num_slots; i++) {
+	if (p->slot[i].certs == NULL)
+	    continue;
+	ret = hx509_certs_merge(context, c->certs, p->slot[i].certs);
+	if (ret) {
+	    hx509_certs_free(&c->certs);
+	    free(c);
+	    return ret;
+	}
+    }
+
+    ret = hx509_certs_start_seq(context, c->certs, &c->cursor);
+    if (ret) {
+	hx509_certs_free(&c->certs);
+	free(c);
+	return 0;
+    }
+    *cursor = c;
+
+    return 0;
+}
+
+static int
+p11_iter(hx509_context context,
+	 hx509_certs certs, void *data, void *cursor, hx509_cert *cert)
+{
+    struct p11_cursor *c = cursor;
+    return hx509_certs_next_cert(context, c->certs, c->cursor, cert);
+}
+
+static int
+p11_iter_end(hx509_context context,
+	     hx509_certs certs, void *data, void *cursor)
+{
+    struct p11_cursor *c = cursor;
+    int ret;
+    ret = hx509_certs_end_seq(context, c->certs, c->cursor);
+    hx509_certs_free(&c->certs);
+    free(c);
+    return ret;
+}
+
+#define MECHFLAG(x) { "unknown-flag-" #x, x }
+static struct units mechflags[] = {
+	MECHFLAG(0x80000000),
+	MECHFLAG(0x40000000),
+	MECHFLAG(0x20000000),
+	MECHFLAG(0x10000000),
+	MECHFLAG(0x08000000),
+	MECHFLAG(0x04000000),
+	{"ec-compress",		0x2000000 },
+	{"ec-uncompress",	0x1000000 },
+	{"ec-namedcurve",	0x0800000 },
+	{"ec-ecparameters",	0x0400000 },
+	{"ec-f-2m",		0x0200000 },
+	{"ec-f-p",		0x0100000 },
+	{"derive",		0x0080000 },
+	{"unwrap",		0x0040000 },
+	{"wrap",		0x0020000 },
+	{"genereate-key-pair",	0x0010000 },
+	{"generate",		0x0008000 },
+	{"verify-recover",	0x0004000 },
+	{"verify",		0x0002000 },
+	{"sign-recover",	0x0001000 },
+	{"sign",		0x0000800 },
+	{"digest",		0x0000400 },
+	{"decrypt",		0x0000200 },
+	{"encrypt",		0x0000100 },
+	MECHFLAG(0x00080),
+	MECHFLAG(0x00040),
+	MECHFLAG(0x00020),
+	MECHFLAG(0x00010),
+	MECHFLAG(0x00008),
+	MECHFLAG(0x00004),
+	MECHFLAG(0x00002),
+	{"hw",			0x0000001 },
+	{ NULL,			0x0000000 }
+};
+#undef MECHFLAG
+
+static int
+p11_printinfo(hx509_context context, 
+	      hx509_certs certs, 
+	      void *data,
+	      int (*func)(void *, const char *),
+	      void *ctx)
+{
+    struct p11_module *p = data;
+    int i, j;
+        
+    _hx509_pi_printf(func, ctx, "pkcs11 driver with %d slot%s", 
+		     p->num_slots, p->num_slots > 1 ? "s" : "");
+
+    for (i = 0; i < p->num_slots; i++) {
+	struct p11_slot *s = &p->slot[i];
+
+	_hx509_pi_printf(func, ctx, "slot %d: id: %d name: %s flags: %08x",
+			 i, (int)s->id, s->name, s->flags);
+
+	_hx509_pi_printf(func, ctx, "number of supported mechanisms: %lu", 
+			 (unsigned long)s->mechs.num);
+	for (j = 0; j < s->mechs.num; j++) {
+	    const char *mechname = "unknown";
+	    char flags[256], unknownname[40];
+#define MECHNAME(s,n) case s: mechname = n; break
+	    switch(s->mechs.list[j]) {
+		MECHNAME(CKM_RSA_PKCS_KEY_PAIR_GEN, "rsa-pkcs-key-pair-gen");
+		MECHNAME(CKM_RSA_PKCS, "rsa-pkcs");
+		MECHNAME(CKM_RSA_X_509, "rsa-x-509");
+		MECHNAME(CKM_MD5_RSA_PKCS, "md5-rsa-pkcs");
+		MECHNAME(CKM_SHA1_RSA_PKCS, "sha1-rsa-pkcs");
+		MECHNAME(CKM_SHA256_RSA_PKCS, "sha256-rsa-pkcs");
+		MECHNAME(CKM_SHA384_RSA_PKCS, "sha384-rsa-pkcs");
+		MECHNAME(CKM_SHA512_RSA_PKCS, "sha512-rsa-pkcs");
+		MECHNAME(CKM_RIPEMD160_RSA_PKCS, "ripemd160-rsa-pkcs");
+		MECHNAME(CKM_RSA_PKCS_OAEP, "rsa-pkcs-oaep");
+		MECHNAME(CKM_SHA512_HMAC, "sha512-hmac");
+		MECHNAME(CKM_SHA512, "sha512");
+		MECHNAME(CKM_SHA384_HMAC, "sha384-hmac");
+		MECHNAME(CKM_SHA384, "sha384");
+		MECHNAME(CKM_SHA256_HMAC, "sha256-hmac");
+		MECHNAME(CKM_SHA256, "sha256");
+		MECHNAME(CKM_SHA_1, "sha1");
+		MECHNAME(CKM_MD5, "md5");
+		MECHNAME(CKM_MD2, "md2");
+		MECHNAME(CKM_RIPEMD160, "ripemd-160");
+		MECHNAME(CKM_DES_ECB, "des-ecb");
+		MECHNAME(CKM_DES_CBC, "des-cbc");
+		MECHNAME(CKM_AES_ECB, "aes-ecb");
+		MECHNAME(CKM_AES_CBC, "aes-cbc");
+		MECHNAME(CKM_DH_PKCS_PARAMETER_GEN, "dh-pkcs-parameter-gen");
+	    default:
+		snprintf(unknownname, sizeof(unknownname),
+			 "unknown-mech-%lu", 
+			 (unsigned long)s->mechs.list[j]);
+		mechname = unknownname;
+		break;
+	    }
+#undef MECHNAME
+	    unparse_flags(s->mechs.infos[j]->flags, mechflags, 
+			  flags, sizeof(flags));
+
+	    _hx509_pi_printf(func, ctx, "  %s: %s", mechname, flags);
+	}
+    }
+
+    return 0;
+}
+
+static struct hx509_keyset_ops keyset_pkcs11 = {
+    "PKCS11",
+    0,
+    p11_init,
+    NULL,
+    p11_free,
+    NULL,
+    NULL,
+    p11_iter_start,
+    p11_iter,
+    p11_iter_end,
+    p11_printinfo
+};
+
+#endif /* HAVE_DLOPEN */
+
+void
+_hx509_ks_pkcs11_register(hx509_context context)
+{
+#ifdef HAVE_DLOPEN
+    _hx509_ks_register(context, &keyset_pkcs11);
+#endif
+}
diff --git a/crypto/heimdal/lib/hx509/ks_p12.c b/crypto/heimdal/lib/hx509/ks_p12.c
new file mode 100644
index 0000000..12756e6
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/ks_p12.c
@@ -0,0 +1,704 @@
+/*
+ * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hx_locl.h"
+RCSID("$Id: ks_p12.c 21146 2007-06-18 21:37:25Z lha $");
+
+struct ks_pkcs12 {
+    hx509_certs certs;
+    char *fn;
+};
+
+typedef int (*collector_func)(hx509_context,
+			      struct hx509_collector *,
+			      const void *, size_t,
+			      const PKCS12_Attributes *);
+
+struct type {
+    const heim_oid * (*oid)(void);
+    collector_func func;
+};
+
+static void
+parse_pkcs12_type(hx509_context, struct hx509_collector *, const heim_oid *, 
+		  const void *, size_t, const PKCS12_Attributes *);
+
+
+static const PKCS12_Attribute *
+find_attribute(const PKCS12_Attributes *attrs, const heim_oid *oid)
+{
+    int i;
+    if (attrs == NULL)
+	return NULL;
+    for (i = 0; i < attrs->len; i++)
+	if (der_heim_oid_cmp(oid, &attrs->val[i].attrId) == 0)
+	    return &attrs->val[i];
+    return NULL;
+}
+
+static int
+keyBag_parser(hx509_context context,
+	      struct hx509_collector *c, 
+	      const void *data, size_t length,
+	      const PKCS12_Attributes *attrs)
+{
+    const PKCS12_Attribute *attr;
+    PKCS8PrivateKeyInfo ki;
+    const heim_octet_string *os = NULL;
+    int ret;
+
+    attr = find_attribute(attrs, oid_id_pkcs_9_at_localKeyId());
+    if (attr)
+	os = &attr->attrValues;
+
+    ret = decode_PKCS8PrivateKeyInfo(data, length, &ki, NULL);
+    if (ret)
+	return ret;
+    
+    _hx509_collector_private_key_add(context,
+				     c,
+				     &ki.privateKeyAlgorithm,
+				     NULL,
+				     &ki.privateKey,
+				     os);
+    free_PKCS8PrivateKeyInfo(&ki);
+    return 0;
+}
+
+static int
+ShroudedKeyBag_parser(hx509_context context,
+		      struct hx509_collector *c, 
+		      const void *data, size_t length,
+		      const PKCS12_Attributes *attrs)
+{
+    PKCS8EncryptedPrivateKeyInfo pk;
+    heim_octet_string content;
+    int ret;
+    
+    memset(&pk, 0, sizeof(pk));
+    
+    ret = decode_PKCS8EncryptedPrivateKeyInfo(data, length, &pk, NULL);
+    if (ret)
+	return ret;
+
+    ret = _hx509_pbe_decrypt(context,
+			     _hx509_collector_get_lock(c),
+			     &pk.encryptionAlgorithm,
+			     &pk.encryptedData,
+			     &content);
+    free_PKCS8EncryptedPrivateKeyInfo(&pk);
+    if (ret)
+	return ret;
+
+    ret = keyBag_parser(context, c, content.data, content.length, attrs);
+    der_free_octet_string(&content);
+    return ret;
+}
+
+static int
+certBag_parser(hx509_context context,
+	       struct hx509_collector *c, 
+	       const void *data, size_t length,
+	       const PKCS12_Attributes *attrs)
+{
+    heim_octet_string os;
+    hx509_cert cert;
+    PKCS12_CertBag cb;
+    int ret;
+
+    ret = decode_PKCS12_CertBag(data, length, &cb, NULL);
+    if (ret)
+	return ret;
+
+    if (der_heim_oid_cmp(oid_id_pkcs_9_at_certTypes_x509(), &cb.certType)) {
+	free_PKCS12_CertBag(&cb);
+	return 0;
+    }
+
+    ret = decode_PKCS12_OctetString(cb.certValue.data, 
+				    cb.certValue.length,
+				    &os,
+				    NULL);
+    free_PKCS12_CertBag(&cb);
+    if (ret)
+	return ret;
+
+    ret = hx509_cert_init_data(context, os.data, os.length, &cert);
+    der_free_octet_string(&os);
+    if (ret)
+	return ret;
+
+    ret = _hx509_collector_certs_add(context, c, cert);
+    if (ret) {
+	hx509_cert_free(cert);
+	return ret;
+    }
+
+    {
+	const PKCS12_Attribute *attr;
+	const heim_oid * (*oids[])(void) = {
+	    oid_id_pkcs_9_at_localKeyId, oid_id_pkcs_9_at_friendlyName
+	};
+	int i;
+
+	for (i = 0; i < sizeof(oids)/sizeof(oids[0]); i++) {
+	    const heim_oid *oid = (*(oids[i]))();
+	    attr = find_attribute(attrs, oid);
+	    if (attr)
+		_hx509_set_cert_attribute(context, cert, oid,
+					  &attr->attrValues);
+	}	
+    }
+
+    hx509_cert_free(cert);
+
+    return 0;
+}
+
+static int
+parse_safe_content(hx509_context context,
+		   struct hx509_collector *c, 
+		   const unsigned char *p, size_t len)
+{
+    PKCS12_SafeContents sc;
+    int ret, i;
+
+    memset(&sc, 0, sizeof(sc));
+
+    ret = decode_PKCS12_SafeContents(p, len, &sc, NULL);
+    if (ret)
+	return ret;
+
+    for (i = 0; i < sc.len ; i++)
+	parse_pkcs12_type(context,
+			  c,
+			  &sc.val[i].bagId,
+			  sc.val[i].bagValue.data,
+			  sc.val[i].bagValue.length,
+			  sc.val[i].bagAttributes);
+
+    free_PKCS12_SafeContents(&sc);
+    return 0;
+}
+
+static int
+safeContent_parser(hx509_context context,
+		   struct hx509_collector *c, 
+		   const void *data, size_t length,
+		   const PKCS12_Attributes *attrs)
+{
+    heim_octet_string os;
+    int ret;
+
+    ret = decode_PKCS12_OctetString(data, length, &os, NULL);
+    if (ret)
+	return ret;
+    ret = parse_safe_content(context, c, os.data, os.length);
+    der_free_octet_string(&os);
+    return ret;
+}
+
+static int
+encryptedData_parser(hx509_context context,
+		     struct hx509_collector *c,
+		     const void *data, size_t length,
+		     const PKCS12_Attributes *attrs)
+{
+    heim_octet_string content;
+    heim_oid contentType;
+    int ret;
+		
+    memset(&contentType, 0, sizeof(contentType));
+
+    ret = hx509_cms_decrypt_encrypted(context,
+				      _hx509_collector_get_lock(c),
+				      data, length,
+				      &contentType,
+				      &content);
+    if (ret)
+	return ret;
+
+    if (der_heim_oid_cmp(&contentType, oid_id_pkcs7_data()) == 0)
+	ret = parse_safe_content(context, c, content.data, content.length);
+
+    der_free_octet_string(&content);
+    der_free_oid(&contentType);
+    return ret;
+}
+
+static int
+envelopedData_parser(hx509_context context,
+		     struct hx509_collector *c,
+		     const void *data, size_t length,
+		     const PKCS12_Attributes *attrs)
+{
+    heim_octet_string content;
+    heim_oid contentType;
+    hx509_lock lock;
+    int ret;
+		
+    memset(&contentType, 0, sizeof(contentType));
+
+    lock = _hx509_collector_get_lock(c);
+
+    ret = hx509_cms_unenvelope(context,
+			       _hx509_lock_unlock_certs(lock),
+			       0,
+			       data, length,
+			       NULL,
+			       &contentType,
+			       &content);
+    if (ret) {
+	hx509_set_error_string(context, HX509_ERROR_APPEND, ret, 
+			       "PKCS12 failed to unenvelope");
+	return ret;
+    }
+
+    if (der_heim_oid_cmp(&contentType, oid_id_pkcs7_data()) == 0)
+	ret = parse_safe_content(context, c, content.data, content.length);
+
+    der_free_octet_string(&content);
+    der_free_oid(&contentType);
+
+    return ret;
+}
+
+
+struct type bagtypes[] = {
+    { oid_id_pkcs12_keyBag, keyBag_parser },
+    { oid_id_pkcs12_pkcs8ShroudedKeyBag, ShroudedKeyBag_parser },
+    { oid_id_pkcs12_certBag, certBag_parser },
+    { oid_id_pkcs7_data, safeContent_parser },
+    { oid_id_pkcs7_encryptedData, encryptedData_parser },
+    { oid_id_pkcs7_envelopedData, envelopedData_parser }
+};
+
+static void
+parse_pkcs12_type(hx509_context context,
+		  struct hx509_collector *c,
+		  const heim_oid *oid, 
+		  const void *data, size_t length,
+		  const PKCS12_Attributes *attrs)
+{
+    int i;
+
+    for (i = 0; i < sizeof(bagtypes)/sizeof(bagtypes[0]); i++)
+	if (der_heim_oid_cmp((*bagtypes[i].oid)(), oid) == 0)
+	    (*bagtypes[i].func)(context, c, data, length, attrs);
+}
+
+static int
+p12_init(hx509_context context,
+	 hx509_certs certs, void **data, int flags, 
+	 const char *residue, hx509_lock lock)
+{
+    struct ks_pkcs12 *p12;
+    size_t len;
+    void *buf;
+    PKCS12_PFX pfx;
+    PKCS12_AuthenticatedSafe as;
+    int ret, i;
+    struct hx509_collector *c;
+
+    *data = NULL;
+
+    if (lock == NULL)
+	lock = _hx509_empty_lock;
+
+    ret = _hx509_collector_alloc(context, lock, &c);
+    if (ret)
+	return ret;
+
+    p12 = calloc(1, sizeof(*p12));
+    if (p12 == NULL) {
+	ret = ENOMEM;
+	hx509_set_error_string(context, 0, ret, "out of memory");
+	goto out;
+    }
+
+    p12->fn = strdup(residue);
+    if (p12->fn == NULL) {
+	ret = ENOMEM;
+	hx509_set_error_string(context, 0, ret, "out of memory");
+	goto out;
+    }
+
+    if (flags & HX509_CERTS_CREATE) {
+	ret = hx509_certs_init(context, "MEMORY:ks-file-create",
+			       0, lock, &p12->certs);
+	if (ret == 0)
+	    *data = p12;
+	goto out;
+    }
+
+    ret = _hx509_map_file(residue, &buf, &len, NULL);
+    if (ret) {
+	hx509_clear_error_string(context);
+	goto out;
+    }
+
+    ret = decode_PKCS12_PFX(buf, len, &pfx, NULL);
+    _hx509_unmap_file(buf, len);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret,
+			       "Failed to decode the PFX in %s", residue);
+	goto out;
+    }
+
+    if (der_heim_oid_cmp(&pfx.authSafe.contentType, oid_id_pkcs7_data()) != 0) {
+	free_PKCS12_PFX(&pfx);
+	ret = EINVAL;
+	hx509_set_error_string(context, 0, ret,
+			       "PKCS PFX isn't a pkcs7-data container");
+	goto out;
+    }
+
+    if (pfx.authSafe.content == NULL) {
+	free_PKCS12_PFX(&pfx);
+	ret = EINVAL;
+	hx509_set_error_string(context, 0, ret,
+			       "PKCS PFX missing data");
+	goto out;
+    }
+
+    {
+	heim_octet_string asdata;
+
+	ret = decode_PKCS12_OctetString(pfx.authSafe.content->data,
+					pfx.authSafe.content->length,
+					&asdata,
+					NULL);
+	free_PKCS12_PFX(&pfx);
+	if (ret) {
+	    hx509_clear_error_string(context);
+	    goto out;
+	}
+	ret = decode_PKCS12_AuthenticatedSafe(asdata.data, 
+					      asdata.length,
+					      &as,
+					      NULL);
+	der_free_octet_string(&asdata);
+	if (ret) {
+	    hx509_clear_error_string(context);
+	    goto out;
+	}
+    }
+
+    for (i = 0; i < as.len; i++)
+	parse_pkcs12_type(context,
+			  c,
+			  &as.val[i].contentType,
+			  as.val[i].content->data,
+			  as.val[i].content->length,
+			  NULL);
+
+    free_PKCS12_AuthenticatedSafe(&as);
+
+    ret = _hx509_collector_collect_certs(context, c, &p12->certs);
+    if (ret == 0)
+	*data = p12;
+
+out:
+    _hx509_collector_free(c);
+
+    if (ret && p12) {
+	if (p12->fn)
+	    free(p12->fn);
+	if (p12->certs)
+	    hx509_certs_free(&p12->certs);
+	free(p12);
+    }
+
+    return ret;
+}
+
+static int
+addBag(hx509_context context,
+       PKCS12_AuthenticatedSafe *as,
+       const heim_oid *oid,
+       void *data,
+       size_t length)
+{
+    void *ptr;
+    int ret;
+
+    ptr = realloc(as->val, sizeof(as->val[0]) * (as->len + 1));
+    if (ptr == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+    as->val = ptr;
+
+    ret = der_copy_oid(oid, &as->val[as->len].contentType);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret, "out of memory");
+	return ret;
+    }
+    
+    as->val[as->len].content = calloc(1, sizeof(*as->val[0].content));
+    if (as->val[as->len].content == NULL) {
+	der_free_oid(&as->val[as->len].contentType);
+	hx509_set_error_string(context, 0, ENOMEM, "malloc out of memory");
+	return ENOMEM;
+    }
+
+    as->val[as->len].content->data = data;
+    as->val[as->len].content->length = length;
+
+    as->len++;
+
+    return 0;
+}
+
+static int
+store_func(hx509_context context, void *ctx, hx509_cert c)
+{
+    PKCS12_AuthenticatedSafe *as = ctx;
+    PKCS12_OctetString os;
+    PKCS12_CertBag cb;
+    size_t size;
+    int ret;
+
+    memset(&os, 0, sizeof(os));
+    memset(&cb, 0, sizeof(cb));
+
+    os.data = NULL;
+    os.length = 0;
+
+    ret = hx509_cert_binary(context, c, &os);
+    if (ret)
+	return ret;
+
+    ASN1_MALLOC_ENCODE(PKCS12_OctetString,
+		       cb.certValue.data,cb.certValue.length,
+		       &os, &size, ret);
+    free(os.data);
+    if (ret)
+	goto out;
+    ret = der_copy_oid(oid_id_pkcs_9_at_certTypes_x509(), &cb.certType);
+    if (ret) {
+	free_PKCS12_CertBag(&cb);
+	goto out;
+    }
+    ASN1_MALLOC_ENCODE(PKCS12_CertBag, os.data, os.length,
+		       &cb, &size, ret);
+    free_PKCS12_CertBag(&cb);
+    if (ret)
+	goto out;
+
+    ret = addBag(context, as, oid_id_pkcs12_certBag(), os.data, os.length);
+
+    if (_hx509_cert_private_key_exportable(c)) {
+	hx509_private_key key = _hx509_cert_private_key(c);
+	PKCS8PrivateKeyInfo pki;
+
+	memset(&pki, 0, sizeof(pki));
+
+	ret = der_parse_hex_heim_integer("00", &pki.version);
+	if (ret)
+	    return ret;
+	ret = _hx509_private_key_oid(context, key, 
+				     &pki.privateKeyAlgorithm.algorithm);
+	if (ret) {
+	    free_PKCS8PrivateKeyInfo(&pki);
+	    return ret;
+	}
+	ret = _hx509_private_key_export(context,
+					_hx509_cert_private_key(c),
+					&pki.privateKey);
+	if (ret) {
+	    free_PKCS8PrivateKeyInfo(&pki);
+	    return ret;
+	}
+	/* set attribute, oid_id_pkcs_9_at_localKeyId() */
+
+	ASN1_MALLOC_ENCODE(PKCS8PrivateKeyInfo, os.data, os.length,
+			   &pki, &size, ret);
+	free_PKCS8PrivateKeyInfo(&pki);
+	if (ret)
+	    return ret;
+
+	ret = addBag(context, as, oid_id_pkcs12_keyBag(), os.data, os.length);
+	if (ret)
+	    return ret;
+    }
+
+out:
+    return ret;
+}
+
+static int
+p12_store(hx509_context context, 
+	  hx509_certs certs, void *data, int flags, hx509_lock lock)
+{
+    struct ks_pkcs12 *p12 = data;
+    PKCS12_PFX pfx;
+    PKCS12_AuthenticatedSafe as;
+    PKCS12_OctetString asdata;
+    size_t size;
+    int ret;
+
+    memset(&as, 0, sizeof(as));
+    memset(&pfx, 0, sizeof(pfx));
+
+    ret = hx509_certs_iter(context, p12->certs, store_func, &as);
+    if (ret)
+	goto out;
+
+    ASN1_MALLOC_ENCODE(PKCS12_AuthenticatedSafe, asdata.data, asdata.length,
+		       &as, &size, ret);
+    free_PKCS12_AuthenticatedSafe(&as);
+    if (ret)
+	return ret;
+		       
+    ret = der_parse_hex_heim_integer("03", &pfx.version);
+    if (ret) {
+	free(asdata.data);
+	goto out;
+    }
+
+    pfx.authSafe.content = calloc(1, sizeof(*pfx.authSafe.content));
+
+    ASN1_MALLOC_ENCODE(PKCS12_OctetString, 
+		       pfx.authSafe.content->data,
+		       pfx.authSafe.content->length,
+		       &asdata, &size, ret);
+    free(asdata.data);
+    if (ret)
+	goto out;
+
+    ret = der_copy_oid(oid_id_pkcs7_data(), &pfx.authSafe.contentType);
+    if (ret)
+	goto out;
+
+    ASN1_MALLOC_ENCODE(PKCS12_PFX, asdata.data, asdata.length,
+		       &pfx, &size, ret);
+    if (ret)
+	goto out;
+
+#if 0
+    const struct _hx509_password *pw;
+
+    pw = _hx509_lock_get_passwords(lock);
+    if (pw != NULL) {
+	pfx.macData = calloc(1, sizeof(*pfx.macData));
+	if (pfx.macData == NULL) {
+	    ret = ENOMEM;
+	    hx509_set_error_string(context, 0, ret, "malloc out of memory");
+	    return ret;
+	}
+	if (pfx.macData == NULL) {
+	    free(asdata.data);
+	    goto out;
+	}
+    }
+    ret = calculate_hash(&aspath, pw, pfx.macData);
+#endif
+
+    rk_dumpdata(p12->fn, asdata.data, asdata.length);
+    free(asdata.data);
+
+out:
+    free_PKCS12_AuthenticatedSafe(&as);
+    free_PKCS12_PFX(&pfx);
+
+    return ret;
+}
+
+
+static int
+p12_free(hx509_certs certs, void *data)
+{
+    struct ks_pkcs12 *p12 = data;
+    hx509_certs_free(&p12->certs);
+    free(p12->fn);
+    free(p12);
+    return 0;
+}
+
+static int 
+p12_add(hx509_context context, hx509_certs certs, void *data, hx509_cert c)
+{
+    struct ks_pkcs12 *p12 = data;
+    return hx509_certs_add(context, p12->certs, c);
+}
+
+static int 
+p12_iter_start(hx509_context context,
+	       hx509_certs certs,
+	       void *data,
+	       void **cursor)
+{
+    struct ks_pkcs12 *p12 = data;
+    return hx509_certs_start_seq(context, p12->certs, cursor);
+}
+
+static int
+p12_iter(hx509_context context,
+	 hx509_certs certs,
+	 void *data,
+	 void *cursor,
+	 hx509_cert *cert)
+{
+    struct ks_pkcs12 *p12 = data;
+    return hx509_certs_next_cert(context, p12->certs, cursor, cert);
+}
+
+static int
+p12_iter_end(hx509_context context,
+	     hx509_certs certs,
+	     void *data,
+	     void *cursor)
+{
+    struct ks_pkcs12 *p12 = data;
+    return hx509_certs_end_seq(context, p12->certs, cursor);
+}
+
+static struct hx509_keyset_ops keyset_pkcs12 = {
+    "PKCS12",
+    0,
+    p12_init,
+    p12_store,
+    p12_free,
+    p12_add,
+    NULL,
+    p12_iter_start,
+    p12_iter,
+    p12_iter_end
+};
+
+void
+_hx509_ks_pkcs12_register(hx509_context context)
+{
+    _hx509_ks_register(context, &keyset_pkcs12);
+}
diff --git a/crypto/heimdal/lib/hx509/lock.c b/crypto/heimdal/lib/hx509/lock.c
new file mode 100644
index 0000000..e835aee
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/lock.c
@@ -0,0 +1,248 @@
+/*
+ * Copyright (c) 2005 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hx_locl.h"
+RCSID("$Id: lock.c 22327 2007-12-15 04:49:37Z lha $");
+
+/**
+ * @page page_lock Locking and unlocking certificates and encrypted data.
+ *
+ * See the library functions here: @ref hx509_lock
+ */
+
+struct hx509_lock_data {
+    struct _hx509_password password;
+    hx509_certs certs;
+    hx509_prompter_fct prompt;
+    void *prompt_data;
+};
+
+static struct hx509_lock_data empty_lock_data = {
+    { 0, NULL }
+};
+
+hx509_lock _hx509_empty_lock = &empty_lock_data;
+
+/*
+ *
+ */
+
+int
+hx509_lock_init(hx509_context context, hx509_lock *lock)
+{
+    hx509_lock l;
+    int ret;
+
+    *lock = NULL;
+
+    l = calloc(1, sizeof(*l));
+    if (l == NULL)
+	return ENOMEM;
+
+    ret = hx509_certs_init(context, 
+			   "MEMORY:locks-internal", 
+			   0,
+			   NULL,
+			   &l->certs);
+    if (ret) {
+	free(l);
+	return ret;
+    }
+
+    *lock = l;
+
+    return 0;
+}
+
+int
+hx509_lock_add_password(hx509_lock lock, const char *password)
+{
+    void *d;
+    char *s;
+
+    s = strdup(password);
+    if (s == NULL)
+	return ENOMEM;
+
+    d = realloc(lock->password.val,
+		(lock->password.len + 1) * sizeof(lock->password.val[0]));
+    if (d == NULL) {
+	free(s);
+	return ENOMEM;
+    }
+    lock->password.val = d;
+    lock->password.val[lock->password.len] = s;
+    lock->password.len++;
+
+    return 0;
+}
+
+const struct _hx509_password *
+_hx509_lock_get_passwords(hx509_lock lock)
+{
+    return &lock->password;
+}
+
+hx509_certs
+_hx509_lock_unlock_certs(hx509_lock lock)
+{
+    return lock->certs;
+}
+
+void
+hx509_lock_reset_passwords(hx509_lock lock)
+{
+    int i;
+    for (i = 0; i < lock->password.len; i++)
+	free(lock->password.val[i]);
+    free(lock->password.val);
+    lock->password.val = NULL;
+    lock->password.len = 0;
+}
+
+int
+hx509_lock_add_cert(hx509_context context, hx509_lock lock, hx509_cert cert)
+{
+    return hx509_certs_add(context, lock->certs, cert);
+}
+
+int
+hx509_lock_add_certs(hx509_context context, hx509_lock lock, hx509_certs certs)
+{
+    return hx509_certs_merge(context, lock->certs, certs);
+}
+
+void
+hx509_lock_reset_certs(hx509_context context, hx509_lock lock)
+{
+    hx509_certs certs = lock->certs;
+    int ret;
+    
+    ret = hx509_certs_init(context, 
+			   "MEMORY:locks-internal",
+			   0,
+			   NULL,
+			   &lock->certs);
+    if (ret == 0)
+	hx509_certs_free(&certs);
+    else
+	lock->certs = certs;
+}
+
+int
+_hx509_lock_find_cert(hx509_lock lock, const hx509_query *q, hx509_cert *c)
+{
+    *c = NULL;
+    return 0;
+}
+
+int
+hx509_lock_set_prompter(hx509_lock lock, hx509_prompter_fct prompt, void *data)
+{
+    lock->prompt = prompt;
+    lock->prompt_data = data;
+    return 0;
+}
+
+void
+hx509_lock_reset_promper(hx509_lock lock)
+{
+    lock->prompt = NULL;
+    lock->prompt_data = NULL;
+}
+
+static int 
+default_prompter(void *data, const hx509_prompt *prompter)
+{
+    if (hx509_prompt_hidden(prompter->type)) {
+	if(UI_UTIL_read_pw_string(prompter->reply.data,
+				  prompter->reply.length,
+				  prompter->prompt,
+				  0))
+	    return 1;
+    } else {
+	char *s = prompter->reply.data;
+
+	fputs (prompter->prompt, stdout);
+	fflush (stdout);
+	if(fgets(prompter->reply.data,
+		 prompter->reply.length,
+		 stdin) == NULL)
+	    return 1;
+	s[strcspn(s, "\n")] = '\0';
+    }
+    return 0;
+}
+
+int
+hx509_lock_prompt(hx509_lock lock, hx509_prompt *prompt)
+{
+    if (lock->prompt == NULL)
+	return HX509_CRYPTO_NO_PROMPTER;
+    return (*lock->prompt)(lock->prompt_data, prompt);
+}
+
+void
+hx509_lock_free(hx509_lock lock)
+{
+    hx509_certs_free(&lock->certs);
+    hx509_lock_reset_passwords(lock);
+    memset(lock, 0, sizeof(*lock));
+    free(lock);
+}
+
+int
+hx509_prompt_hidden(hx509_prompt_type type)
+{
+    /* default to hidden if unknown */
+
+    switch (type) {
+    case HX509_PROMPT_TYPE_QUESTION:
+    case HX509_PROMPT_TYPE_INFO:
+	return 0;
+    default:
+	return 1;
+    }
+}
+
+int
+hx509_lock_command_string(hx509_lock lock, const char *string)
+{
+    if (strncasecmp(string, "PASS:", 5) == 0) {
+	hx509_lock_add_password(lock, string + 5);
+    } else if (strcasecmp(string, "PROMPT") == 0) {
+	hx509_lock_set_prompter(lock, default_prompter, NULL);
+    } else
+	return HX509_UNKNOWN_LOCK_COMMAND;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/hx509/name.c b/crypto/heimdal/lib/hx509/name.c
new file mode 100644
index 0000000..69fafe1
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/name.c
@@ -0,0 +1,918 @@
+/*
+ * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hx_locl.h"
+RCSID("$Id: name.c 22432 2008-01-13 14:08:03Z lha $");
+
+/**
+ * @page page_name PKIX/X.509 Names
+ *
+ * There are several names in PKIX/X.509, GeneralName and Name.
+ *
+ * A Name consists of an ordered list of Relative Distinguished Names
+ * (RDN). Each RDN consists of an unordered list of typed strings. The
+ * types are defined by OID and have long and short description. For
+ * example id-at-commonName (2.5.4.3) have the long name CommonName
+ * and short name CN. The string itself can be of serveral encoding,
+ * UTF8, UTF16, Teltex string, etc. The type limit what encoding
+ * should be used.
+ *
+ * GeneralName is a broader nametype that can contains al kind of
+ * stuff like Name, IP addresses, partial Name, etc.
+ *
+ * Name is mapped into a hx509_name object.
+ *
+ * Parse and string name into a hx509_name object with hx509_parse_name(),
+ * make it back into string representation with hx509_name_to_string().
+ *
+ * Name string are defined rfc2253, rfc1779 and X.501.
+ *
+ * See the library functions here: @ref hx509_name
+ */
+
+static const struct {
+    const char *n;
+    const heim_oid *(*o)(void);
+} no[] = {
+    { "C", oid_id_at_countryName },
+    { "CN", oid_id_at_commonName },
+    { "DC", oid_id_domainComponent },
+    { "L", oid_id_at_localityName },
+    { "O", oid_id_at_organizationName },
+    { "OU", oid_id_at_organizationalUnitName },
+    { "S", oid_id_at_stateOrProvinceName },
+    { "STREET", oid_id_at_streetAddress },
+    { "UID", oid_id_Userid },
+    { "emailAddress", oid_id_pkcs9_emailAddress },
+    { "serialNumber", oid_id_at_serialNumber }
+};
+
+static char *
+quote_string(const char *f, size_t len, size_t *rlen)
+{
+    size_t i, j, tolen;
+    const char *from = f;
+    char *to;
+
+    tolen = len * 3 + 1;
+    to = malloc(tolen);
+    if (to == NULL)
+	return NULL;
+
+    for (i = 0, j = 0; i < len; i++) {
+	if (from[i] == ' ' && i + 1 < len)
+	    to[j++] = from[i];
+	else if (from[i] == ',' || from[i] == '=' || from[i] == '+' ||
+		 from[i] == '<' || from[i] == '>' || from[i] == '#' ||
+		 from[i] == ';' || from[i] == ' ')
+	{
+	    to[j++] = '\\';
+	    to[j++] = from[i];
+	} else if (((unsigned char)from[i]) >= 32 && ((unsigned char)from[i]) <= 127) {
+	    to[j++] = from[i];
+	} else {
+	    int l = snprintf(&to[j], tolen - j - 1,
+			     "#%02x", (unsigned char)from[i]);
+	    j += l;
+	}
+    }
+    to[j] = '\0';
+    assert(j < tolen);
+    *rlen = j;
+    return to;
+}
+
+
+static int
+append_string(char **str, size_t *total_len, const char *ss, 
+	      size_t len, int quote)
+{
+    char *s, *qs;
+
+    if (quote)
+	qs = quote_string(ss, len, &len);
+    else
+	qs = rk_UNCONST(ss);
+
+    s = realloc(*str, len + *total_len + 1);
+    if (s == NULL)
+	_hx509_abort("allocation failure"); /* XXX */
+    memcpy(s + *total_len, qs, len);
+    if (qs != ss)
+	free(qs);
+    s[*total_len + len] = '\0';
+    *str = s;
+    *total_len += len;
+    return 0;
+}
+
+static char *
+oidtostring(const heim_oid *type)
+{
+    char *s;
+    size_t i;
+    
+    for (i = 0; i < sizeof(no)/sizeof(no[0]); i++) {
+	if (der_heim_oid_cmp((*no[i].o)(), type) == 0)
+	    return strdup(no[i].n);
+    }
+    if (der_print_heim_oid(type, '.', &s) != 0)
+	return NULL;
+    return s;
+}
+
+static int
+stringtooid(const char *name, size_t len, heim_oid *oid)
+{
+    int i, ret;
+    char *s;
+    
+    memset(oid, 0, sizeof(*oid));
+
+    for (i = 0; i < sizeof(no)/sizeof(no[0]); i++) {
+	if (strncasecmp(no[i].n, name, len) == 0)
+	    return der_copy_oid((*no[i].o)(), oid);
+    }
+    s = malloc(len + 1);
+    if (s == NULL)
+	return ENOMEM;
+    memcpy(s, name, len);
+    s[len] = '\0';
+    ret = der_parse_heim_oid(s, ".", oid);
+    free(s);
+    return ret;
+}
+
+/**
+ * Convert the hx509 name object into a printable string.
+ * The resulting string should be freed with free().
+ *
+ * @param name name to print
+ * @param str the string to return
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
+int
+hx509_name_to_string(const hx509_name name, char **str)
+{
+    return _hx509_Name_to_string(&name->der_name, str);
+}
+
+int
+_hx509_Name_to_string(const Name *n, char **str)
+{
+    size_t total_len = 0;
+    int i, j;
+
+    *str = strdup("");
+    if (*str == NULL)
+	return ENOMEM;
+
+    for (i = n->u.rdnSequence.len - 1 ; i >= 0 ; i--) {
+	int len;
+
+	for (j = 0; j < n->u.rdnSequence.val[i].len; j++) {
+	    DirectoryString *ds = &n->u.rdnSequence.val[i].val[j].value;
+	    char *oidname;
+	    char *ss;
+	    
+	    oidname = oidtostring(&n->u.rdnSequence.val[i].val[j].type);
+
+	    switch(ds->element) {
+	    case choice_DirectoryString_ia5String:
+		ss = ds->u.ia5String;
+		break;
+	    case choice_DirectoryString_printableString:
+		ss = ds->u.printableString;
+		break;
+	    case choice_DirectoryString_utf8String:
+		ss = ds->u.utf8String;
+		break;
+	    case choice_DirectoryString_bmpString: {
+		uint16_t *bmp = ds->u.bmpString.data;
+		size_t bmplen = ds->u.bmpString.length;
+		size_t k;
+
+		ss = malloc(bmplen + 1);
+		if (ss == NULL)
+		    _hx509_abort("allocation failure"); /* XXX */
+		for (k = 0; k < bmplen; k++)
+		    ss[k] = bmp[k] & 0xff; /* XXX */
+		ss[k] = '\0';
+		break;
+	    }
+	    case choice_DirectoryString_teletexString:
+		ss = malloc(ds->u.teletexString.length + 1);
+		if (ss == NULL)
+		    _hx509_abort("allocation failure"); /* XXX */
+		memcpy(ss, ds->u.teletexString.data, ds->u.teletexString.length);
+		ss[ds->u.teletexString.length] = '\0';
+		break;
+	    case choice_DirectoryString_universalString: {
+		uint32_t *uni = ds->u.universalString.data;
+		size_t unilen = ds->u.universalString.length;
+		size_t k;
+
+		ss = malloc(unilen + 1);
+		if (ss == NULL)
+		    _hx509_abort("allocation failure"); /* XXX */
+		for (k = 0; k < unilen; k++)
+		    ss[k] = uni[k] & 0xff; /* XXX */
+		ss[k] = '\0';
+		break;
+	    }
+	    default:
+		_hx509_abort("unknown directory type: %d", ds->element);
+		exit(1);
+	    }
+	    append_string(str, &total_len, oidname, strlen(oidname), 0);
+	    free(oidname);
+	    append_string(str, &total_len, "=", 1, 0);
+	    len = strlen(ss);
+	    append_string(str, &total_len, ss, len, 1);
+	    if (ds->element == choice_DirectoryString_universalString ||
+		ds->element == choice_DirectoryString_bmpString ||
+		ds->element == choice_DirectoryString_teletexString)
+	    {
+		free(ss);
+	    }
+	    if (j + 1 < n->u.rdnSequence.val[i].len)
+		append_string(str, &total_len, "+", 1, 0);
+	}
+
+	if (i > 0)
+	    append_string(str, &total_len, ",", 1, 0);
+    }
+    return 0;
+}
+
+/*
+ * XXX this function is broken, it needs to compare code points, not
+ * bytes.
+ */
+
+static void
+prune_space(const unsigned char **s)
+{
+    while (**s == ' ')
+	(*s)++;
+}
+
+int
+_hx509_name_ds_cmp(const DirectoryString *ds1, const DirectoryString *ds2)
+{
+    int c;
+
+    c = ds1->element - ds2->element;
+    if (c)
+	return c;
+
+    switch(ds1->element) {
+    case choice_DirectoryString_ia5String:
+	c = strcmp(ds1->u.ia5String, ds2->u.ia5String);
+	break;
+    case choice_DirectoryString_teletexString:
+	c = der_heim_octet_string_cmp(&ds1->u.teletexString,
+				  &ds2->u.teletexString);
+	break;
+    case choice_DirectoryString_printableString: {
+	const unsigned char *s1 = (unsigned char*)ds1->u.printableString;
+	const unsigned char *s2 = (unsigned char*)ds2->u.printableString;
+	prune_space(&s1); prune_space(&s2);
+	while (*s1 && *s2) {
+	    if (toupper(*s1) != toupper(*s2)) {
+		c = toupper(*s1) - toupper(*s2);
+		break;
+	    }
+	    if (*s1 == ' ') { prune_space(&s1); prune_space(&s2); }
+	    else { s1++; s2++; }
+	}	    
+	prune_space(&s1); prune_space(&s2);
+	c = *s1 - *s2;
+	break;
+    }
+    case choice_DirectoryString_utf8String:
+	c = strcmp(ds1->u.utf8String, ds2->u.utf8String);
+	break;
+    case choice_DirectoryString_universalString:
+	c = der_heim_universal_string_cmp(&ds1->u.universalString,
+					  &ds2->u.universalString);
+	break;
+    case choice_DirectoryString_bmpString:
+	c = der_heim_bmp_string_cmp(&ds1->u.bmpString,
+				    &ds2->u.bmpString);
+	break;
+    default:
+	c = 1;
+	break;
+    }
+    return c;
+}
+
+int
+_hx509_name_cmp(const Name *n1, const Name *n2)
+{
+    int i, j, c;
+
+    c = n1->u.rdnSequence.len - n2->u.rdnSequence.len;
+    if (c)
+	return c;
+
+    for (i = 0 ; i < n1->u.rdnSequence.len; i++) {
+	c = n1->u.rdnSequence.val[i].len - n2->u.rdnSequence.val[i].len;
+	if (c)
+	    return c;
+
+	for (j = 0; j < n1->u.rdnSequence.val[i].len; j++) {
+	    c = der_heim_oid_cmp(&n1->u.rdnSequence.val[i].val[j].type,
+				 &n1->u.rdnSequence.val[i].val[j].type);
+	    if (c)
+		return c;
+			     
+	    c = _hx509_name_ds_cmp(&n1->u.rdnSequence.val[i].val[j].value,
+				   &n2->u.rdnSequence.val[i].val[j].value);
+	    if (c)
+		return c;
+	}
+    }
+    return 0;
+}
+
+/**
+ * Compare to hx509 name object, useful for sorting.
+ *
+ * @param n1 a hx509 name object.
+ * @param n2 a hx509 name object.
+ *
+ * @return 0 the objects are the same, returns > 0 is n2 is "larger"
+ * then n2, < 0 if n1 is "smaller" then n2.
+ *
+ * @ingroup hx509_name
+ */
+
+int
+hx509_name_cmp(hx509_name n1, hx509_name n2)
+{
+    return _hx509_name_cmp(&n1->der_name, &n2->der_name);
+}
+
+
+int
+_hx509_name_from_Name(const Name *n, hx509_name *name)
+{
+    int ret;
+    *name = calloc(1, sizeof(**name));
+    if (*name == NULL)
+	return ENOMEM;
+    ret = copy_Name(n, &(*name)->der_name);
+    if (ret) {
+	free(*name);
+	*name = NULL;
+    }
+    return ret;
+}
+
+int
+_hx509_name_modify(hx509_context context,
+		   Name *name, 
+		   int append,
+		   const heim_oid *oid, 
+		   const char *str)
+{
+    RelativeDistinguishedName *rdn;
+    int ret;
+    void *ptr;
+
+    ptr = realloc(name->u.rdnSequence.val, 
+		  sizeof(name->u.rdnSequence.val[0]) * 
+		  (name->u.rdnSequence.len + 1));
+    if (ptr == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "Out of memory");
+	return ENOMEM;
+    }
+    name->u.rdnSequence.val = ptr;
+
+    if (append) {
+	rdn = &name->u.rdnSequence.val[name->u.rdnSequence.len];
+    } else {
+	memmove(&name->u.rdnSequence.val[1],
+		&name->u.rdnSequence.val[0],
+		name->u.rdnSequence.len * 
+		sizeof(name->u.rdnSequence.val[0]));
+	
+	rdn = &name->u.rdnSequence.val[0];
+    }
+    rdn->val = malloc(sizeof(rdn->val[0]));
+    if (rdn->val == NULL)
+	return ENOMEM;
+    rdn->len = 1;
+    ret = der_copy_oid(oid, &rdn->val[0].type);
+    if (ret)
+	return ret;
+    rdn->val[0].value.element = choice_DirectoryString_utf8String;
+    rdn->val[0].value.u.utf8String = strdup(str);
+    if (rdn->val[0].value.u.utf8String == NULL)
+	return ENOMEM;
+    name->u.rdnSequence.len += 1;
+
+    return 0;
+}
+
+/**
+ * Parse a string into a hx509 name object.
+ *
+ * @param context A hx509 context.
+ * @param str a string to parse.
+ * @param name the resulting object, NULL in case of error.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
+int
+hx509_parse_name(hx509_context context, const char *str, hx509_name *name)
+{
+    const char *p, *q;
+    size_t len;
+    hx509_name n;
+    int ret;
+
+    *name = NULL;
+
+    n = calloc(1, sizeof(*n));
+    if (n == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+
+    n->der_name.element = choice_Name_rdnSequence;
+
+    p = str;
+
+    while (p != NULL && *p != '\0') {
+	heim_oid oid;
+	int last;
+
+	q = strchr(p, ',');
+	if (q) {
+	    len = (q - p);
+	    last = 1;
+	} else {
+	    len = strlen(p);
+	    last = 0;
+	}
+
+	q = strchr(p, '=');
+	if (q == NULL) {
+	    ret = HX509_PARSING_NAME_FAILED;
+	    hx509_set_error_string(context, 0, ret, "missing = in %s", p);
+	    goto out;
+	}
+	if (q == p) {
+	    ret = HX509_PARSING_NAME_FAILED;
+	    hx509_set_error_string(context, 0, ret, 
+				   "missing name before = in %s", p);
+	    goto out;
+	}
+	
+	if ((q - p) > len) {
+	    ret = HX509_PARSING_NAME_FAILED;
+	    hx509_set_error_string(context, 0, ret, " = after , in %s", p);
+	    goto out;
+	}
+
+	ret = stringtooid(p, q - p, &oid);
+	if (ret) {
+	    ret = HX509_PARSING_NAME_FAILED;
+	    hx509_set_error_string(context, 0, ret, 
+				   "unknown type: %.*s", (int)(q - p), p);
+	    goto out;
+	}
+	
+	{
+	    size_t pstr_len = len - (q - p) - 1;
+	    const char *pstr = p + (q - p) + 1;
+	    char *r;
+	    
+	    r = malloc(pstr_len + 1);
+	    if (r == NULL) {
+		der_free_oid(&oid);
+		ret = ENOMEM;
+		hx509_set_error_string(context, 0, ret, "out of memory");
+		goto out;
+	    }
+	    memcpy(r, pstr, pstr_len);
+	    r[pstr_len] = '\0';
+
+	    ret = _hx509_name_modify(context, &n->der_name, 0, &oid, r);
+	    free(r);
+	    der_free_oid(&oid);
+	    if(ret)
+		goto out;
+	}
+	p += len + last;
+    }
+
+    *name = n;
+
+    return 0;
+out:
+    hx509_name_free(&n);
+    return HX509_NAME_MALFORMED;
+}
+
+/**
+ * Copy a hx509 name object.
+ *
+ * @param context A hx509 cotext.
+ * @param from the name to copy from
+ * @param to the name to copy to
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
+int
+hx509_name_copy(hx509_context context, const hx509_name from, hx509_name *to)
+{
+    int ret;
+
+    *to = calloc(1, sizeof(**to));
+    if (*to == NULL)
+	return ENOMEM;
+    ret = copy_Name(&from->der_name, &(*to)->der_name);
+    if (ret) {
+	free(*to);
+	*to = NULL;
+	return ENOMEM;
+    }
+    return 0;
+}
+
+/**
+ * Convert a hx509_name into a Name.
+ *
+ * @param from the name to copy from
+ * @param to the name to copy to
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
+int
+hx509_name_to_Name(const hx509_name from, Name *to)
+{
+    return copy_Name(&from->der_name, to);
+}
+
+int
+hx509_name_normalize(hx509_context context, hx509_name name)
+{
+    return 0;
+}
+
+/**
+ * Expands variables in the name using env. Variables are on the form
+ * ${name}. Useful when dealing with certificate templates.
+ *
+ * @param context A hx509 cotext.
+ * @param name the name to expand.
+ * @param env environment variable to expand.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
+int
+hx509_name_expand(hx509_context context,
+		  hx509_name name,
+		  hx509_env env)
+{
+    Name *n = &name->der_name;
+    int i, j;
+
+    if (env == NULL)
+	return 0;
+
+    if (n->element != choice_Name_rdnSequence) {
+	hx509_set_error_string(context, 0, EINVAL, "RDN not of supported type");
+	return EINVAL;
+    }
+
+    for (i = 0 ; i < n->u.rdnSequence.len; i++) {
+	for (j = 0; j < n->u.rdnSequence.val[i].len; j++) {
+	    /** Only UTF8String rdnSequence names are allowed */
+	    /*
+	      THIS SHOULD REALLY BE:
+	      COMP = n->u.rdnSequence.val[i].val[j];
+	      normalize COMP to utf8
+	      check if there are variables
+	        expand variables
+	        convert back to orignal format, store in COMP
+	      free normalized utf8 string
+	    */
+	    DirectoryString *ds = &n->u.rdnSequence.val[i].val[j].value;
+	    char *p, *p2;
+	    struct rk_strpool *strpool = NULL;
+
+	    if (ds->element != choice_DirectoryString_utf8String) {
+		hx509_set_error_string(context, 0, EINVAL, "unsupported type");
+		return EINVAL;
+	    }
+	    p = strstr(ds->u.utf8String, "${");
+	    if (p) {
+		strpool = rk_strpoolprintf(strpool, "%.*s", 
+					   (int)(p - ds->u.utf8String), 
+					   ds->u.utf8String);
+		if (strpool == NULL) {
+		    hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+		    return ENOMEM;
+		}
+	    }
+	    while (p != NULL) {
+		/* expand variables */
+		const char *value;
+		p2 = strchr(p, '}');
+		if (p2 == NULL) {
+		    hx509_set_error_string(context, 0, EINVAL, "missing }");
+		    rk_strpoolfree(strpool);
+		    return EINVAL;
+		}
+		p += 2;
+		value = hx509_env_lfind(context, env, p, p2 - p);
+		if (value == NULL) {
+		    hx509_set_error_string(context, 0, EINVAL, 
+					   "variable %.*s missing",
+					   (int)(p2 - p), p);
+		    rk_strpoolfree(strpool);
+		    return EINVAL;
+		}
+		strpool = rk_strpoolprintf(strpool, "%s", value);
+		if (strpool == NULL) {
+		    hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+		    return ENOMEM;
+		}
+		p2++;
+
+		p = strstr(p2, "${");
+		if (p)
+		    strpool = rk_strpoolprintf(strpool, "%.*s", 
+					       (int)(p - p2), p2);
+		else
+		    strpool = rk_strpoolprintf(strpool, "%s", p2);
+		if (strpool == NULL) {
+		    hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+		    return ENOMEM;
+		}
+	    }
+	    if (strpool) {
+		free(ds->u.utf8String);
+		ds->u.utf8String = rk_strpoolcollect(strpool);
+		if (ds->u.utf8String == NULL) {
+		    hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+		    return ENOMEM;
+		}
+	    }
+	}
+    }
+    return 0;
+}
+
+/**
+ * Free a hx509 name object, upond return *name will be NULL.
+ *
+ * @param name a hx509 name object to be freed.
+ *
+ * @ingroup hx509_name
+ */
+
+void
+hx509_name_free(hx509_name *name)
+{
+    free_Name(&(*name)->der_name);
+    memset(*name, 0, sizeof(**name));
+    free(*name);
+    *name = NULL;
+}
+
+/**
+ * Convert a DER encoded name info a string.
+ *
+ * @param data data to a DER/BER encoded name
+ * @param length length of data
+ * @param str the resulting string, is NULL on failure.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
+int
+hx509_unparse_der_name(const void *data, size_t length, char **str)
+{
+    Name name;
+    int ret;
+
+    *str = NULL;
+
+    ret = decode_Name(data, length, &name, NULL);
+    if (ret)
+	return ret;
+    ret = _hx509_Name_to_string(&name, str);
+    free_Name(&name);
+    return ret;
+}
+
+/**
+ * Convert a hx509_name object to DER encoded name.
+ *
+ * @param name name to concert
+ * @param os data to a DER encoded name, free the resulting octet
+ * string with hx509_xfree(os->data).
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
+int
+hx509_name_binary(const hx509_name name, heim_octet_string *os)
+{
+    size_t size;
+    int ret;
+
+    ASN1_MALLOC_ENCODE(Name, os->data, os->length, &name->der_name, &size, ret);
+    if (ret)
+	return ret;
+    if (os->length != size)
+	_hx509_abort("internal ASN.1 encoder error");
+
+    return 0;
+}
+
+int
+_hx509_unparse_Name(const Name *aname, char **str)
+{
+    hx509_name name;
+    int ret;
+
+    ret = _hx509_name_from_Name(aname, &name);
+    if (ret)
+	return ret;
+
+    ret = hx509_name_to_string(name, str);
+    hx509_name_free(&name);
+    return ret;
+}
+
+/**
+ * Unparse the hx509 name in name into a string.
+ *
+ * @param name the name to check if its empty/null.
+ *
+ * @return non zero if the name is empty/null.
+ *
+ * @ingroup hx509_name
+ */
+
+int
+hx509_name_is_null_p(const hx509_name name)
+{
+    return name->der_name.u.rdnSequence.len == 0;
+}
+
+/**
+ * Unparse the hx509 name in name into a string.
+ *
+ * @param name the name to print
+ * @param str an allocated string returns the name in string form
+ *
+ * @return An hx509 error code, see krb5_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
+int
+hx509_general_name_unparse(GeneralName *name, char **str)
+{
+    struct rk_strpool *strpool = NULL;
+
+    *str = NULL;
+
+    switch (name->element) {
+    case choice_GeneralName_otherName: {
+	char *str;
+	hx509_oid_sprint(&name->u.otherName.type_id, &str);
+	if (str == NULL)
+	    return ENOMEM;
+	strpool = rk_strpoolprintf(strpool, "otherName: %s", str);
+	free(str);
+	break;
+    }
+    case choice_GeneralName_rfc822Name:
+	strpool = rk_strpoolprintf(strpool, "rfc822Name: %s\n",
+				   name->u.rfc822Name);
+	break;
+    case choice_GeneralName_dNSName:
+	strpool = rk_strpoolprintf(strpool, "dNSName: %s\n",
+				   name->u.dNSName);
+	break;
+    case choice_GeneralName_directoryName: {
+	Name dir;
+	char *s;
+	int ret;
+	memset(&dir, 0, sizeof(dir));
+	dir.element = name->u.directoryName.element;
+	dir.u.rdnSequence = name->u.directoryName.u.rdnSequence;
+	ret = _hx509_unparse_Name(&dir, &s);
+	if (ret)
+	    return ret;
+	strpool = rk_strpoolprintf(strpool, "directoryName: %s", s);
+	free(s);
+	break;
+    }
+    case choice_GeneralName_uniformResourceIdentifier:
+	strpool = rk_strpoolprintf(strpool, "URI: %s", 
+				   name->u.uniformResourceIdentifier);
+	break;
+    case choice_GeneralName_iPAddress: {
+	unsigned char *a = name->u.iPAddress.data;
+
+	strpool = rk_strpoolprintf(strpool, "IPAddress: ");
+	if (strpool == NULL)
+	    break;
+	if (name->u.iPAddress.length == 4)
+	    strpool = rk_strpoolprintf(strpool, "%d.%d.%d.%d", 
+				       a[0], a[1], a[2], a[3]);
+	else if (name->u.iPAddress.length == 16)
+	    strpool = rk_strpoolprintf(strpool, 
+				       "%02X:%02X:%02X:%02X:"
+				       "%02X:%02X:%02X:%02X:"
+				       "%02X:%02X:%02X:%02X:"
+				       "%02X:%02X:%02X:%02X", 
+				       a[0], a[1], a[2], a[3],
+				       a[4], a[5], a[6], a[7],
+				       a[8], a[9], a[10], a[11],
+				       a[12], a[13], a[14], a[15]);
+	else
+	    strpool = rk_strpoolprintf(strpool, 
+				       "unknown IP address of length %lu",
+				       (unsigned long)name->u.iPAddress.length);
+	break;
+    }
+    case choice_GeneralName_registeredID: {
+	char *str;
+	hx509_oid_sprint(&name->u.registeredID, &str);
+	if (str == NULL)
+	    return ENOMEM;
+	strpool = rk_strpoolprintf(strpool, "registeredID: %s", str);
+	free(str);
+	break;
+    }
+    default:
+	return EINVAL;
+    }
+    if (strpool == NULL)
+	return ENOMEM;
+
+    *str = rk_strpoolcollect(strpool);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/hx509/ocsp.asn1 b/crypto/heimdal/lib/hx509/ocsp.asn1
new file mode 100644
index 0000000..d8ecd66
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/ocsp.asn1
@@ -0,0 +1,113 @@
+-- From rfc2560
+-- $Id: ocsp.asn1 19576 2006-12-30 12:40:43Z lha $
+OCSP DEFINITIONS EXPLICIT TAGS::=
+
+BEGIN
+
+IMPORTS
+	Certificate, AlgorithmIdentifier, CRLReason,
+	Name, GeneralName, CertificateSerialNumber, Extensions
+	FROM rfc2459;
+
+OCSPVersion  ::=  INTEGER {  ocsp-v1(0) }
+
+OCSPCertStatus ::= CHOICE {
+    good                [0]     IMPLICIT NULL,
+    revoked             [1]     IMPLICIT -- OCSPRevokedInfo -- SEQUENCE {
+    			revocationTime		GeneralizedTime,
+			revocationReason[0]	EXPLICIT CRLReason OPTIONAL
+    },
+    unknown             [2]     IMPLICIT NULL }
+
+OCSPCertID ::= SEQUENCE {
+    hashAlgorithm            AlgorithmIdentifier,
+    issuerNameHash     OCTET STRING, -- Hash of Issuer's DN
+    issuerKeyHash      OCTET STRING, -- Hash of Issuers public key
+    serialNumber       CertificateSerialNumber }
+
+OCSPSingleResponse ::= SEQUENCE {
+   certID                       OCSPCertID,
+   certStatus                   OCSPCertStatus,
+   thisUpdate                   GeneralizedTime,
+   nextUpdate           [0]     EXPLICIT GeneralizedTime OPTIONAL,
+   singleExtensions     [1]     EXPLICIT Extensions OPTIONAL }
+
+OCSPInnerRequest ::=     SEQUENCE {
+    reqCert                    OCSPCertID,
+    singleRequestExtensions    [0] EXPLICIT Extensions OPTIONAL }
+
+OCSPTBSRequest      ::=     SEQUENCE {
+    version             [0] EXPLICIT OCSPVersion -- DEFAULT v1 -- OPTIONAL,
+    requestorName       [1] EXPLICIT GeneralName OPTIONAL,
+    requestList             SEQUENCE OF OCSPInnerRequest,
+    requestExtensions   [2] EXPLICIT Extensions OPTIONAL }
+
+OCSPSignature       ::=     SEQUENCE {
+    signatureAlgorithm   AlgorithmIdentifier,
+    signature            BIT STRING,
+    certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+
+OCSPRequest     ::=     SEQUENCE {
+    tbsRequest                  OCSPTBSRequest,
+    optionalSignature   [0]     EXPLICIT OCSPSignature OPTIONAL }
+
+OCSPResponseBytes ::=       SEQUENCE {
+    responseType   OBJECT IDENTIFIER,
+    response       OCTET STRING }
+
+OCSPResponseStatus ::= ENUMERATED {
+    successful            (0),      --Response has valid confirmations
+    malformedRequest      (1),      --Illegal confirmation request
+    internalError         (2),      --Internal error in issuer
+    tryLater              (3),      --Try again later
+                                    --(4) is not used
+    sigRequired           (5),      --Must sign the request
+    unauthorized          (6)       --Request unauthorized
+}
+
+OCSPResponse ::= SEQUENCE {
+   responseStatus         OCSPResponseStatus,
+   responseBytes          [0] EXPLICIT OCSPResponseBytes OPTIONAL }
+
+OCSPKeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
+                         --(excluding the tag and length fields)
+
+OCSPResponderID ::= CHOICE {
+   byName   [1] Name,
+   byKey    [2] OCSPKeyHash }
+
+OCSPResponseData ::= SEQUENCE {
+   version              [0] EXPLICIT OCSPVersion -- DEFAULT v1 -- OPTIONAL,
+   responderID              OCSPResponderID,
+   producedAt               GeneralizedTime,
+   responses                SEQUENCE OF OCSPSingleResponse,
+   responseExtensions   [1] EXPLICIT Extensions OPTIONAL }
+
+OCSPBasicOCSPResponse       ::= SEQUENCE {
+   tbsResponseData      OCSPResponseData,
+   signatureAlgorithm   AlgorithmIdentifier,
+   signature            BIT STRING,
+   certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+
+-- ArchiveCutoff ::= GeneralizedTime
+
+-- AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER
+
+-- Object Identifiers
+
+id-pkix-ocsp         OBJECT IDENTIFIER ::= {
+ 	 iso(1) identified-organization(3) dod(6) internet(1)
+	 security(5) mechanisms(5) pkix(7) pkix-ad(48) 1
+}
+
+id-pkix-ocsp-basic		OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
+id-pkix-ocsp-nonce		OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
+-- id-pkix-ocsp-crl             OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 }
+-- id-pkix-ocsp-response        OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 }
+-- id-pkix-ocsp-nocheck         OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
+-- id-pkix-ocsp-archive-cutoff  OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 }
+-- id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 }
+
+
+END
+
diff --git a/crypto/heimdal/lib/hx509/peer.c b/crypto/heimdal/lib/hx509/peer.c
new file mode 100644
index 0000000..eb0ecd2
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/peer.c
@@ -0,0 +1,202 @@
+/*
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hx_locl.h"
+RCSID("$Id: peer.c 22345 2007-12-26 19:03:51Z lha $");
+
+/**
+ * @page page_peer Hx509 crypto selecting functions
+ *
+ * Peer info structures are used togeter with hx509_crypto_select() to
+ * select the best avaible crypto algorithm to use.
+ *
+ * See the library functions here: @ref hx509_peer
+ */
+
+/**
+ * Allocate a new peer info structure an init it to default values.
+ *
+ * @param context A hx509 context.
+ * @param peer return an allocated peer, free with hx509_peer_info_free().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_peer
+ */
+
+int
+hx509_peer_info_alloc(hx509_context context, hx509_peer_info *peer)
+{
+    *peer = calloc(1, sizeof(**peer));
+    if (*peer == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+    return 0;
+}
+
+
+static void
+free_cms_alg(hx509_peer_info peer)
+{
+    if (peer->val) {
+	size_t i;
+	for (i = 0; i < peer->len; i++)
+	    free_AlgorithmIdentifier(&peer->val[i]);
+	free(peer->val);
+	peer->val = NULL;
+	peer->len = 0;
+    }
+}
+
+/**
+ * Free a peer info structure.
+ *
+ * @param peer peer info to be freed.
+ *
+ * @ingroup hx509_peer
+ */
+
+void
+hx509_peer_info_free(hx509_peer_info peer)
+{
+    if (peer == NULL)
+	return;
+    if (peer->cert)
+	hx509_cert_free(peer->cert);
+    free_cms_alg(peer);
+    memset(peer, 0, sizeof(*peer));
+    free(peer);
+}
+
+/**
+ * Set the certificate that remote peer is using.
+ *
+ * @param peer peer info to update
+ * @param cert cerificate of the remote peer.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_peer
+ */
+
+int
+hx509_peer_info_set_cert(hx509_peer_info peer,
+			 hx509_cert cert)
+{
+    if (peer->cert)
+	hx509_cert_free(peer->cert);
+    peer->cert = hx509_cert_ref(cert);
+    return 0;
+}
+
+/**
+ * Set the algorithms that the peer supports.
+ *
+ * @param context A hx509 context.
+ * @param peer the peer to set the new algorithms for
+ * @param val array of supported AlgorithmsIdentiers
+ * @param len length of array val.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_peer
+ */
+
+int
+hx509_peer_info_set_cms_algs(hx509_context context,
+			     hx509_peer_info peer,
+			     const AlgorithmIdentifier *val,
+			     size_t len)
+{
+    size_t i;
+
+    free_cms_alg(peer);
+
+    peer->val = calloc(len, sizeof(*peer->val));
+    if (peer->val == NULL) {
+	peer->len = 0;
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+    peer->len = len;
+    for (i = 0; i < len; i++) {
+	int ret;
+	ret = copy_AlgorithmIdentifier(&val[i], &peer->val[i]);
+	if (ret) {
+	    hx509_clear_error_string(context);
+	    free_cms_alg(peer);
+	    return ret;
+	}
+    }
+    return 0;
+}
+
+#if 0
+
+/*
+ * S/MIME
+ */
+
+int
+hx509_peer_info_parse_smime(hx509_peer_info peer,
+			    const heim_octet_string *data)
+{
+    return 0;
+}
+
+int
+hx509_peer_info_unparse_smime(hx509_peer_info peer,
+			      heim_octet_string *data)
+{
+    return 0;
+}
+
+/*
+ * For storing hx509_peer_info to be able to cache them.
+ */
+
+int
+hx509_peer_info_parse(hx509_peer_info peer,
+		      const heim_octet_string *data)
+{
+    return 0;
+}
+
+int
+hx509_peer_info_unparse(hx509_peer_info peer,
+			heim_octet_string *data)
+{
+    return 0;
+}
+#endif
diff --git a/crypto/heimdal/lib/hx509/pkcs10.asn1 b/crypto/heimdal/lib/hx509/pkcs10.asn1
new file mode 100644
index 0000000..518fe3b
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/pkcs10.asn1
@@ -0,0 +1,25 @@
+-- $Id: pkcs10.asn1 16918 2006-04-01 09:46:57Z lha $
+PKCS10 DEFINITIONS ::=
+
+BEGIN
+
+IMPORTS
+	Name, SubjectPublicKeyInfo, Attribute, AlgorithmIdentifier
+	FROM rfc2459;
+
+
+CertificationRequestInfo ::= SEQUENCE {
+    version       INTEGER { pkcs10-v1(0) },
+    subject       Name,
+    subjectPKInfo SubjectPublicKeyInfo,
+    attributes    [0] IMPLICIT SET OF Attribute OPTIONAL 
+}
+
+CertificationRequest ::= SEQUENCE {
+    certificationRequestInfo CertificationRequestInfo,
+    signatureAlgorithm	     AlgorithmIdentifier,
+    signature                BIT STRING
+}
+
+END
+
diff --git a/crypto/heimdal/lib/hx509/print.c b/crypto/heimdal/lib/hx509/print.c
new file mode 100644
index 0000000..78ebbaf
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/print.c
@@ -0,0 +1,990 @@
+/*
+ * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hx_locl.h"
+RCSID("$Id: print.c 22420 2008-01-13 09:42:35Z lha $");
+
+/**
+ * @page page_print Hx509 printing functions
+ *
+ * See the library functions here: @ref hx509_print
+ */
+
+struct hx509_validate_ctx_data {
+    int flags;
+    hx509_vprint_func vprint_func;
+    void *ctx;
+};
+
+struct cert_status {
+    unsigned int selfsigned:1;
+    unsigned int isca:1;
+    unsigned int isproxy:1;
+    unsigned int haveSAN:1;
+    unsigned int haveIAN:1;
+    unsigned int haveSKI:1;
+    unsigned int haveAKI:1;
+    unsigned int haveCRLDP:1;
+};
+
+
+/*
+ *
+ */
+
+static int
+Time2string(const Time *T, char **str)
+{
+    time_t t;
+    char *s;
+    struct tm *tm;
+
+    *str = NULL;
+    t = _hx509_Time2time_t(T);
+    tm = gmtime (&t);
+    s = malloc(30);
+    if (s == NULL)
+	return ENOMEM;
+    strftime(s, 30, "%Y-%m-%d %H:%M:%S", tm);
+    *str = s;
+    return 0;
+}
+
+/**
+ * Helper function to print on stdout for:
+ * - hx509_oid_print(),
+ * - hx509_bitstring_print(),
+ * - hx509_validate_ctx_set_print().
+ *
+ * @param ctx the context to the print function. If the ctx is NULL,
+ * stdout is used.
+ * @param fmt the printing format.
+ * @param va the argumet list.
+ *
+ * @ingroup hx509_print
+ */
+
+void
+hx509_print_stdout(void *ctx, const char *fmt, va_list va)
+{
+    FILE *f = ctx;
+    if (f == NULL)
+	f = stdout;
+    vfprintf(f, fmt, va);
+}
+
+static void
+print_func(hx509_vprint_func func, void *ctx, const char *fmt, ...)
+{
+    va_list va;
+    va_start(va, fmt);
+    (*func)(ctx, fmt, va);
+    va_end(va);
+}
+
+/**
+ * Print a oid to a string.
+ * 
+ * @param oid oid to print
+ * @param str allocated string, free with hx509_xfree().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_print
+ */
+
+int
+hx509_oid_sprint(const heim_oid *oid, char **str)
+{
+    return der_print_heim_oid(oid, '.', str);
+}
+
+/**
+ * Print a oid using a hx509_vprint_func function. To print to stdout
+ * use hx509_print_stdout().
+ * 
+ * @param oid oid to print
+ * @param func hx509_vprint_func to print with.
+ * @param ctx context variable to hx509_vprint_func function.
+ *
+ * @ingroup hx509_print
+ */
+
+void
+hx509_oid_print(const heim_oid *oid, hx509_vprint_func func, void *ctx)
+{
+    char *str;
+    hx509_oid_sprint(oid, &str);
+    print_func(func, ctx, "%s", str);
+    free(str);
+}
+
+/**
+ * Print a bitstring using a hx509_vprint_func function. To print to
+ * stdout use hx509_print_stdout().
+ * 
+ * @param b bit string to print.
+ * @param func hx509_vprint_func to print with.
+ * @param ctx context variable to hx509_vprint_func function.
+ *
+ * @ingroup hx509_print
+ */
+
+void
+hx509_bitstring_print(const heim_bit_string *b,
+		      hx509_vprint_func func, void *ctx)
+{
+    int i;
+    print_func(func, ctx, "\tlength: %d\n\t", b->length);
+    for (i = 0; i < (b->length + 7) / 8; i++)
+	print_func(func, ctx, "%02x%s%s",
+		   ((unsigned char *)b->data)[i], 
+		   i < (b->length - 7) / 8
+		   && (i == 0 || (i % 16) != 15) ? ":" : "",
+		   i != 0 && (i % 16) == 15 ?
+		   (i <= ((b->length + 7) / 8 - 2) ? "\n\t" : "\n"):"");
+}
+
+/**
+ * Print certificate usage for a certificate to a string.
+ * 
+ * @param context A hx509 context.
+ * @param c a certificate print the keyusage for.
+ * @param s the return string with the keysage printed in to, free
+ * with hx509_xfree().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_print
+ */
+
+int
+hx509_cert_keyusage_print(hx509_context context, hx509_cert c, char **s)
+{
+    KeyUsage ku;
+    char buf[256];
+    int ret;
+
+    *s = NULL;
+
+    ret = _hx509_cert_get_keyusage(context, c, &ku);
+    if (ret)
+	return ret;
+    unparse_flags(KeyUsage2int(ku), asn1_KeyUsage_units(), buf, sizeof(buf));
+    *s = strdup(buf);
+    if (*s == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+
+    return 0;
+}
+
+/*
+ *
+ */
+
+static void
+validate_vprint(void *c, const char *fmt, va_list va)
+{
+    hx509_validate_ctx ctx = c;
+    if (ctx->vprint_func == NULL)
+	return;
+    (ctx->vprint_func)(ctx->ctx, fmt, va);
+}
+
+static void
+validate_print(hx509_validate_ctx ctx, int flags, const char *fmt, ...)
+{
+    va_list va;
+    if ((ctx->flags & flags) == 0)
+	return;
+    va_start(va, fmt);
+    validate_vprint(ctx, fmt, va);
+    va_end(va);
+}
+
+/* 
+ * Dont Care, SHOULD critical, SHOULD NOT critical, MUST critical,
+ * MUST NOT critical
+ */
+enum critical_flag { D_C = 0, S_C, S_N_C, M_C, M_N_C };
+
+static int
+check_Null(hx509_validate_ctx ctx,
+	   struct cert_status *status,
+	   enum critical_flag cf, const Extension *e)
+{
+    switch(cf) {
+    case D_C:
+	break;
+    case S_C:
+	if (!e->critical)
+	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+			   "\tCritical not set on SHOULD\n");
+	break;
+    case S_N_C:
+	if (e->critical)
+	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+			   "\tCritical set on SHOULD NOT\n");
+	break;
+    case M_C:
+	if (!e->critical)
+	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+			   "\tCritical not set on MUST\n");
+	break;
+    case M_N_C:
+	if (e->critical)
+	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+			   "\tCritical set on MUST NOT\n");
+	break;
+    default:
+	_hx509_abort("internal check_Null state error");
+    }
+    return 0;
+}
+
+static int
+check_subjectKeyIdentifier(hx509_validate_ctx ctx, 
+			   struct cert_status *status,
+			   enum critical_flag cf,
+			   const Extension *e)
+{
+    SubjectKeyIdentifier si;
+    size_t size;
+    int ret;
+
+    status->haveSKI = 1;
+    check_Null(ctx, status, cf, e);
+
+    ret = decode_SubjectKeyIdentifier(e->extnValue.data, 
+				      e->extnValue.length,
+				      &si, &size);
+    if (ret) {
+	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+		       "Decoding SubjectKeyIdentifier failed: %d", ret);
+	return 1;
+    }
+    if (size != e->extnValue.length) {
+	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+		       "Decoding SKI ahve extra bits on the end");
+	return 1;
+    }
+    if (si.length == 0)
+	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+		       "SKI is too short (0 bytes)");
+    if (si.length > 20)
+	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+		       "SKI is too long");
+
+    {
+	char *id;
+	hex_encode(si.data, si.length, &id);
+	if (id) {
+	    validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+			   "\tsubject key id: %s\n", id);
+	    free(id);
+	}
+    }
+
+    free_SubjectKeyIdentifier(&si);
+
+    return 0;
+}
+
+static int
+check_authorityKeyIdentifier(hx509_validate_ctx ctx, 
+			     struct cert_status *status,
+			     enum critical_flag cf,
+			     const Extension *e)
+{
+    AuthorityKeyIdentifier ai;
+    size_t size;
+    int ret;
+
+    status->haveAKI = 1;
+    check_Null(ctx, status, cf, e);
+
+    status->haveSKI = 1;
+    check_Null(ctx, status, cf, e);
+
+    ret = decode_AuthorityKeyIdentifier(e->extnValue.data, 
+					e->extnValue.length,
+					&ai, &size);
+    if (ret) {
+	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+		       "Decoding AuthorityKeyIdentifier failed: %d", ret);
+	return 1;
+    }
+    if (size != e->extnValue.length) {
+	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+		       "Decoding SKI ahve extra bits on the end");
+	return 1;
+    }
+
+    if (ai.keyIdentifier) {
+	char *id;
+	hex_encode(ai.keyIdentifier->data, ai.keyIdentifier->length, &id);
+	if (id) {
+	    validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+			   "\tauthority key id: %s\n", id);
+	    free(id);
+	}
+    }
+
+    return 0;
+}
+
+
+static int
+check_pkinit_san(hx509_validate_ctx ctx, heim_any *a)
+{
+    KRB5PrincipalName kn;
+    unsigned i;
+    size_t size;
+    int ret;
+
+    ret = decode_KRB5PrincipalName(a->data, a->length, &kn, &size);
+    if (ret) {
+	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+		       "Decoding kerberos name in SAN failed: %d", ret);
+	return 1;
+    }
+
+    if (size != a->length) {
+	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+		       "Decoding kerberos name have extra bits on the end");
+	return 1;
+    }
+
+    /* print kerberos principal, add code to quote / within components */
+    for (i = 0; i < kn.principalName.name_string.len; i++) {
+	validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", 
+		       kn.principalName.name_string.val[i]);
+	if (i + 1 < kn.principalName.name_string.len)
+	    validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "/");
+    }
+    validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "@");
+    validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", kn.realm);
+
+    free_KRB5PrincipalName(&kn);
+    return 0;
+}
+
+static int
+check_utf8_string_san(hx509_validate_ctx ctx, heim_any *a)
+{
+    PKIXXmppAddr jid;
+    size_t size;
+    int ret;
+
+    ret = decode_PKIXXmppAddr(a->data, a->length, &jid, &size);
+    if (ret) {
+	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+		       "Decoding JID in SAN failed: %d", ret);
+	return 1;
+    }
+
+    validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", jid);
+    free_PKIXXmppAddr(&jid);
+
+    return 0;
+}
+
+static int
+check_altnull(hx509_validate_ctx ctx, heim_any *a)
+{
+    return 0;
+}
+
+static int
+check_CRLDistributionPoints(hx509_validate_ctx ctx, 
+			   struct cert_status *status,
+			   enum critical_flag cf,
+			   const Extension *e)
+{
+    CRLDistributionPoints dp;
+    size_t size;
+    int ret, i;
+
+    check_Null(ctx, status, cf, e);
+
+    ret = decode_CRLDistributionPoints(e->extnValue.data, 
+				       e->extnValue.length,
+				       &dp, &size);
+    if (ret) {
+	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+		       "Decoding CRL Distribution Points failed: %d\n", ret);
+	return 1;
+    }
+
+    validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "CRL Distribution Points:\n");
+    for (i = 0 ; i < dp.len; i++) {
+	if (dp.val[i].distributionPoint) {
+	    DistributionPointName dpname;
+	    heim_any *data = dp.val[i].distributionPoint;
+	    int j;
+	    
+	    ret = decode_DistributionPointName(data->data, data->length,
+					       &dpname, NULL);
+	    if (ret) {
+		validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 
+			       "Failed to parse CRL Distribution Point Name: %d\n", ret);
+		continue;
+	    }
+
+	    switch (dpname.element) {
+	    case choice_DistributionPointName_fullName:
+		validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "Fullname:\n");
+		
+		for (j = 0 ; j < dpname.u.fullName.len; j++) {
+		    char *s;
+		    GeneralName *name = &dpname.u.fullName.val[j];
+
+		    ret = hx509_general_name_unparse(name, &s);
+		    if (ret == 0 && s != NULL) {
+			validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "   %s\n", s);
+			free(s);
+		    }
+		}
+		break;
+	    case choice_DistributionPointName_nameRelativeToCRLIssuer:
+		validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+			       "Unknown nameRelativeToCRLIssuer");
+		break;
+	    default:
+		validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+			       "Unknown DistributionPointName");
+		break;
+	    }
+	    free_DistributionPointName(&dpname);
+	}
+    }
+    free_CRLDistributionPoints(&dp);
+
+    status->haveCRLDP = 1;
+
+    return 0;
+}
+
+
+struct {
+    const char *name;
+    const heim_oid *(*oid)(void);
+    int (*func)(hx509_validate_ctx, heim_any *);
+} check_altname[] = {
+    { "pk-init", oid_id_pkinit_san, check_pkinit_san },
+    { "jabber", oid_id_pkix_on_xmppAddr, check_utf8_string_san },
+    { "dns-srv", oid_id_pkix_on_dnsSRV, check_altnull },
+    { "card-id", oid_id_uspkicommon_card_id, check_altnull },
+    { "Microsoft NT-PRINCIPAL-NAME", oid_id_pkinit_ms_san, check_utf8_string_san }
+};
+
+static int
+check_altName(hx509_validate_ctx ctx,
+	      struct cert_status *status,
+	      const char *name,
+	      enum critical_flag cf,
+	      const Extension *e)
+{
+    GeneralNames gn;
+    size_t size;
+    int ret, i;
+
+    check_Null(ctx, status, cf, e);
+
+    if (e->extnValue.length == 0) {
+	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+		       "%sAltName empty, not allowed", name);
+	return 1;
+    }
+    ret = decode_GeneralNames(e->extnValue.data, e->extnValue.length,
+			      &gn, &size);
+    if (ret) {
+	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+		       "\tret = %d while decoding %s GeneralNames\n", 
+		       ret, name);
+	return 1;
+    }
+    if (gn.len == 0) {
+	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+		       "%sAltName generalName empty, not allowed\n", name);
+	return 1;
+    }
+
+    for (i = 0; i < gn.len; i++) {
+	switch (gn.val[i].element) {
+	case choice_GeneralName_otherName: {
+	    unsigned j;
+
+	    validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+			   "%sAltName otherName ", name);
+
+	    for (j = 0; j < sizeof(check_altname)/sizeof(check_altname[0]); j++) {
+		if (der_heim_oid_cmp((*check_altname[j].oid)(), 
+				     &gn.val[i].u.otherName.type_id) != 0)
+		    continue;
+		
+		validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s: ", 
+			       check_altname[j].name);
+		(*check_altname[j].func)(ctx, &gn.val[i].u.otherName.value);
+		break;
+	    }
+	    if (j == sizeof(check_altname)/sizeof(check_altname[0])) {
+		hx509_oid_print(&gn.val[i].u.otherName.type_id,
+				validate_vprint, ctx);
+		validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " unknown");
+	    }
+	    validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\n");
+	    break;
+	}
+	default: {
+	    char *s;
+	    ret = hx509_general_name_unparse(&gn.val[i], &s);
+	    if (ret) {
+		validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+			       "ret = %d unparsing GeneralName\n", ret);
+		return 1;
+	    }
+	    validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s\n", s);
+	    free(s);
+	    break;
+	}
+	}
+    }
+
+    free_GeneralNames(&gn);
+
+    return 0;
+}
+
+static int
+check_subjectAltName(hx509_validate_ctx ctx,
+		     struct cert_status *status,
+		     enum critical_flag cf,
+		     const Extension *e)
+{
+    status->haveSAN = 1;
+    return check_altName(ctx, status, "subject", cf, e);
+}
+
+static int
+check_issuerAltName(hx509_validate_ctx ctx,
+		    struct cert_status *status,
+		     enum critical_flag cf,
+		     const Extension *e)
+{
+    status->haveIAN = 1;
+    return check_altName(ctx, status, "issuer", cf, e);
+}
+
+
+static int
+check_basicConstraints(hx509_validate_ctx ctx, 
+		       struct cert_status *status,
+		       enum critical_flag cf, 
+		       const Extension *e)
+{
+    BasicConstraints b;
+    size_t size;
+    int ret;
+
+    check_Null(ctx, status, cf, e);
+    
+    ret = decode_BasicConstraints(e->extnValue.data, e->extnValue.length,
+				  &b, &size);
+    if (ret) {
+	printf("\tret = %d while decoding BasicConstraints\n", ret);
+	return 0;
+    }
+    if (size != e->extnValue.length)
+	printf("\tlength of der data isn't same as extension\n");
+
+    validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+		   "\tis %sa CA\n", b.cA && *b.cA ? "" : "NOT ");
+    if (b.pathLenConstraint)
+	validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+		       "\tpathLenConstraint: %d\n", *b.pathLenConstraint);
+
+    if (b.cA) {
+	if (*b.cA) {
+	    if (!e->critical)
+		validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+			       "Is a CA and not BasicConstraints CRITICAL\n");
+	    status->isca = 1;
+	}
+	else
+	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+			   "cA is FALSE, not allowed to be\n");
+    }
+    free_BasicConstraints(&b);
+
+    return 0;
+}
+
+static int
+check_proxyCertInfo(hx509_validate_ctx ctx, 
+		    struct cert_status *status,
+		    enum critical_flag cf, 
+		    const Extension *e)
+{
+    check_Null(ctx, status, cf, e);
+    status->isproxy = 1;
+    return 0;
+}
+
+static int
+check_authorityInfoAccess(hx509_validate_ctx ctx, 
+			  struct cert_status *status,
+			  enum critical_flag cf, 
+			  const Extension *e)
+{
+    AuthorityInfoAccessSyntax aia;
+    size_t size;
+    int ret, i;
+
+    check_Null(ctx, status, cf, e);
+
+    ret = decode_AuthorityInfoAccessSyntax(e->extnValue.data, 
+					   e->extnValue.length,
+					   &aia, &size);
+    if (ret) {
+	printf("\tret = %d while decoding AuthorityInfoAccessSyntax\n", ret);
+	return 0;
+    }
+
+    for (i = 0; i < aia.len; i++) {
+	char *str;
+	validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+		       "\ttype: ");
+	hx509_oid_print(&aia.val[i].accessMethod, validate_vprint, ctx);
+	hx509_general_name_unparse(&aia.val[i].accessLocation, &str);
+	validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+		       "\n\tdirname: %s\n", str);
+	free(str);
+    }
+    free_AuthorityInfoAccessSyntax(&aia);
+
+    return 0;
+}
+
+/*
+ *
+ */
+
+struct {
+    const char *name;
+    const heim_oid *(*oid)(void);
+    int (*func)(hx509_validate_ctx ctx, 
+		struct cert_status *status,
+		enum critical_flag cf, 
+		const Extension *);
+    enum critical_flag cf;
+} check_extension[] = {
+#define ext(name, checkname) #name, &oid_id_x509_ce_##name, check_##checkname 
+    { ext(subjectDirectoryAttributes, Null), M_N_C },
+    { ext(subjectKeyIdentifier, subjectKeyIdentifier), M_N_C },
+    { ext(keyUsage, Null), S_C },
+    { ext(subjectAltName, subjectAltName), M_N_C },
+    { ext(issuerAltName, issuerAltName), S_N_C },
+    { ext(basicConstraints, basicConstraints), D_C },
+    { ext(cRLNumber, Null), M_N_C },
+    { ext(cRLReason, Null), M_N_C },
+    { ext(holdInstructionCode, Null), M_N_C },
+    { ext(invalidityDate, Null), M_N_C },
+    { ext(deltaCRLIndicator, Null), M_C },
+    { ext(issuingDistributionPoint, Null), M_C },
+    { ext(certificateIssuer, Null), M_C },
+    { ext(nameConstraints, Null), M_C },
+    { ext(cRLDistributionPoints, CRLDistributionPoints), S_N_C },
+    { ext(certificatePolicies, Null) },
+    { ext(policyMappings, Null), M_N_C },
+    { ext(authorityKeyIdentifier, authorityKeyIdentifier), M_N_C },
+    { ext(policyConstraints, Null), D_C },
+    { ext(extKeyUsage, Null), D_C },
+    { ext(freshestCRL, Null), M_N_C },
+    { ext(inhibitAnyPolicy, Null), M_C },
+#undef ext
+#define ext(name, checkname) #name, &oid_id_pkix_pe_##name, check_##checkname 
+    { ext(proxyCertInfo, proxyCertInfo), M_C },
+    { ext(authorityInfoAccess, authorityInfoAccess), M_C },
+#undef ext
+    { "US Fed PKI - PIV Interim", oid_id_uspkicommon_piv_interim, 
+      check_Null, D_C },
+    { "Netscape cert comment", oid_id_netscape_cert_comment, 
+      check_Null, D_C },
+    { NULL }
+};
+
+/**
+ * Allocate a hx509 validation/printing context.
+ * 
+ * @param context A hx509 context.
+ * @param ctx a new allocated hx509 validation context, free with
+ * hx509_validate_ctx_free().
+
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_print
+ */
+
+int
+hx509_validate_ctx_init(hx509_context context, hx509_validate_ctx *ctx)
+{
+    *ctx = malloc(sizeof(**ctx));
+    if (*ctx == NULL)
+	return ENOMEM;
+    memset(*ctx, 0, sizeof(**ctx));
+    return 0;
+}
+
+/**
+ * Set the printing functions for the validation context.
+ * 
+ * @param ctx a hx509 valication context.
+ * @param func the printing function to usea.
+ * @param c the context variable to the printing function.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_print
+ */
+
+void
+hx509_validate_ctx_set_print(hx509_validate_ctx ctx, 
+			     hx509_vprint_func func,
+			     void *c)
+{
+    ctx->vprint_func = func;
+    ctx->ctx = c;
+}
+
+/**
+ * Add flags to control the behaivor of the hx509_validate_cert()
+ * function.
+ * 
+ * @param ctx A hx509 validation context.
+ * @param flags flags to add to the validation context.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_print
+ */
+
+void
+hx509_validate_ctx_add_flags(hx509_validate_ctx ctx, int flags)
+{
+    ctx->flags |= flags;
+}
+
+/**
+ * Free an hx509 validate context.
+ * 
+ * @param ctx the hx509 validate context to free.
+ *
+ * @ingroup hx509_print
+ */
+
+void
+hx509_validate_ctx_free(hx509_validate_ctx ctx)
+{
+    free(ctx);
+}
+
+/**
+ * Validate/Print the status of the certificate.
+ * 
+ * @param context A hx509 context.
+ * @param ctx A hx509 validation context.
+ * @param cert the cerificate to validate/print.
+
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_print
+ */
+
+int
+hx509_validate_cert(hx509_context context,
+		    hx509_validate_ctx ctx,
+		    hx509_cert cert)
+{
+    Certificate *c = _hx509_get_cert(cert);
+    TBSCertificate *t = &c->tbsCertificate;
+    hx509_name issuer, subject;
+    char *str;
+    struct cert_status status;
+    int ret;
+
+    memset(&status, 0, sizeof(status));
+
+    if (_hx509_cert_get_version(c) != 3)
+	validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+		       "Not version 3 certificate\n");
+    
+    if ((t->version == NULL || *t->version < 2) && t->extensions)
+	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+		       "Not version 3 certificate with extensions\n");
+	
+    if (_hx509_cert_get_version(c) >= 3 && t->extensions == NULL)
+	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+		       "Version 3 certificate without extensions\n");
+
+    ret = hx509_cert_get_subject(cert, &subject);
+    if (ret) abort();
+    hx509_name_to_string(subject, &str);
+    validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+		   "subject name: %s\n", str);
+    free(str);
+
+    ret = hx509_cert_get_issuer(cert, &issuer);
+    if (ret) abort();
+    hx509_name_to_string(issuer, &str);
+    validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+		   "issuer name: %s\n", str);
+    free(str);
+
+    if (hx509_name_cmp(subject, issuer) == 0) {
+	status.selfsigned = 1;
+	validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+		       "\tis a self-signed certificate\n");
+    }
+
+    validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+		   "Validity:\n");
+
+    Time2string(&t->validity.notBefore, &str);
+    validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tnotBefore %s\n", str);
+    free(str);
+    Time2string(&t->validity.notAfter, &str);
+    validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tnotAfter  %s\n", str);
+    free(str);
+
+    if (t->extensions) {
+	int i, j;
+
+	if (t->extensions->len == 0) {
+	    validate_print(ctx,
+			   HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE,
+			   "The empty extensions list is not "
+			   "allowed by PKIX\n");
+	}
+
+	for (i = 0; i < t->extensions->len; i++) {
+
+	    for (j = 0; check_extension[j].name; j++)
+		if (der_heim_oid_cmp((*check_extension[j].oid)(),
+				     &t->extensions->val[i].extnID) == 0)
+		    break;
+	    if (check_extension[j].name == NULL) {
+		int flags = HX509_VALIDATE_F_VERBOSE;
+		if (t->extensions->val[i].critical)
+		    flags |= HX509_VALIDATE_F_VALIDATE;
+		validate_print(ctx, flags, "don't know what ");
+		if (t->extensions->val[i].critical)
+		    validate_print(ctx, flags, "and is CRITICAL ");
+		if (ctx->flags & flags)
+		    hx509_oid_print(&t->extensions->val[i].extnID, 
+				    validate_vprint, ctx);
+		validate_print(ctx, flags, " is\n");
+		continue;
+	    }
+	    validate_print(ctx,
+			   HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE,
+			   "checking extention: %s\n",
+			   check_extension[j].name);
+	    (*check_extension[j].func)(ctx,
+				       &status,
+				       check_extension[j].cf,
+				       &t->extensions->val[i]);
+	}
+    } else
+	validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "no extentions\n");
+	
+    if (status.isca) {
+	if (!status.haveSKI)
+	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 
+			   "CA certificate have no SubjectKeyIdentifier\n");
+
+    } else {
+	if (!status.haveAKI)
+	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 
+			   "Is not CA and doesn't have "
+			   "AuthorityKeyIdentifier\n");
+    }
+	    
+
+    if (!status.haveSKI)
+	validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 
+		       "Doesn't have SubjectKeyIdentifier\n");
+
+    if (status.isproxy && status.isca)
+	validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 
+		       "Proxy and CA at the same time!\n");
+
+    if (status.isproxy) {
+	if (status.haveSAN)
+	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 
+			   "Proxy and have SAN\n");
+	if (status.haveIAN)
+	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 
+			   "Proxy and have IAN\n");
+    }
+
+    if (hx509_name_is_null_p(subject) && !status.haveSAN)
+	validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 
+		       "NULL subject DN and doesn't have a SAN\n");
+
+    if (!status.selfsigned && !status.haveCRLDP)
+	validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 
+		       "Not a CA nor PROXY and doesn't have"
+		       "CRL Dist Point\n");
+
+    if (status.selfsigned) {
+	ret = _hx509_verify_signature_bitstring(context,
+						c,
+						&c->signatureAlgorithm,
+						&c->tbsCertificate._save,
+						&c->signatureValue);
+	if (ret == 0)
+	    validate_print(ctx, HX509_VALIDATE_F_VERBOSE, 
+			   "Self-signed certificate was self-signed\n");
+	else
+	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 
+			   "Self-signed certificate NOT really self-signed!\n");
+    }
+
+    hx509_name_free(&subject);
+    hx509_name_free(&issuer);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/hx509/ref/pkcs11.h b/crypto/heimdal/lib/hx509/ref/pkcs11.h
new file mode 100644
index 0000000..2e6a1e3
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/ref/pkcs11.h
@@ -0,0 +1,1357 @@
+/* pkcs11.h
+   Copyright 2006, 2007 g10 Code GmbH
+   Copyright 2006 Andreas Jellinghaus
+
+   This file is free software; as a special exception the author gives
+   unlimited permission to copy and/or distribute it, with or without
+   modifications, as long as this notice is preserved.
+
+   This file is distributed in the hope that it will be useful, but
+   WITHOUT ANY WARRANTY, to the extent permitted by law; without even
+   the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+   PURPOSE.  */
+
+/* Please submit changes back to the Scute project at
+   http://www.scute.org/ (or send them to marcus@g10code.com), so that
+   they can be picked up by other projects from there as well.  */
+
+/* This file is a modified implementation of the PKCS #11 standard by
+   RSA Security Inc.  It is mostly a drop-in replacement, with the
+   following change:
+
+   This header file does not require any macro definitions by the user
+   (like CK_DEFINE_FUNCTION etc).  In fact, it defines those macros
+   for you (if useful, some are missing, let me know if you need
+   more).
+
+   There is an additional API available that does comply better to the
+   GNU coding standard.  It can be switched on by defining
+   CRYPTOKI_GNU before including this header file.  For this, the
+   following changes are made to the specification:
+
+   All structure types are changed to a "struct ck_foo" where CK_FOO
+   is the type name in PKCS #11.
+
+   All non-structure types are changed to ck_foo_t where CK_FOO is the
+   lowercase version of the type name in PKCS #11.  The basic types
+   (CK_ULONG et al.) are removed without substitute.
+
+   All members of structures are modified in the following way: Type
+   indication prefixes are removed, and underscore characters are
+   inserted before words.  Then the result is lowercased.
+
+   Note that function names are still in the original case, as they
+   need for ABI compatibility.
+
+   CK_FALSE, CK_TRUE and NULL_PTR are removed without substitute.  Use
+   <stdbool.h>.
+
+   If CRYPTOKI_COMPAT is defined before including this header file,
+   then none of the API changes above take place, and the API is the
+   one defined by the PKCS #11 standard.  */
+
+#ifndef PKCS11_H
+#define PKCS11_H 1
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+/* The version of cryptoki we implement.  The revision is changed with
+   each modification of this file.  If you do not use the "official"
+   version of this file, please consider deleting the revision macro
+   (you may use a macro with a different name to keep track of your
+   versions).  */
+#define CRYPTOKI_VERSION_MAJOR		2
+#define CRYPTOKI_VERSION_MINOR		20
+#define CRYPTOKI_VERSION_REVISION	6
+
+
+/* Compatibility interface is default, unless CRYPTOKI_GNU is
+   given.  */
+#ifndef CRYPTOKI_GNU
+#ifndef CRYPTOKI_COMPAT
+#define CRYPTOKI_COMPAT 1
+#endif
+#endif
+
+/* System dependencies.  */
+
+#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32)
+
+/* There is a matching pop below.  */
+#pragma pack(push, cryptoki, 1)
+
+#ifdef CRYPTOKI_EXPORTS
+#define CK_SPEC __declspec(dllexport)
+#else
+#define CK_SPEC __declspec(dllimport)
+#endif
+
+#else
+
+#define CK_SPEC
+
+#endif
+
+
+#ifdef CRYPTOKI_COMPAT
+  /* If we are in compatibility mode, switch all exposed names to the
+     PKCS #11 variant.  There are corresponding #undefs below.  */
+
+#define ck_flags_t CK_FLAGS
+#define ck_version _CK_VERSION
+
+#define ck_info _CK_INFO
+#define cryptoki_version cryptokiVersion
+#define manufacturer_id manufacturerID
+#define library_description libraryDescription
+#define library_version libraryVersion
+
+#define ck_notification_t CK_NOTIFICATION
+#define ck_slot_id_t CK_SLOT_ID
+
+#define ck_slot_info _CK_SLOT_INFO
+#define slot_description slotDescription
+#define hardware_version hardwareVersion
+#define firmware_version firmwareVersion
+
+#define ck_token_info _CK_TOKEN_INFO
+#define serial_number serialNumber
+#define max_session_count ulMaxSessionCount
+#define session_count ulSessionCount
+#define max_rw_session_count ulMaxRwSessionCount
+#define rw_session_count ulRwSessionCount
+#define max_pin_len ulMaxPinLen
+#define min_pin_len ulMinPinLen
+#define total_public_memory ulTotalPublicMemory
+#define free_public_memory ulFreePublicMemory
+#define total_private_memory ulTotalPrivateMemory
+#define free_private_memory ulFreePrivateMemory
+#define utc_time utcTime
+
+#define ck_session_handle_t CK_SESSION_HANDLE
+#define ck_user_type_t CK_USER_TYPE
+#define ck_state_t CK_STATE
+
+#define ck_session_info _CK_SESSION_INFO
+#define slot_id slotID
+#define device_error ulDeviceError
+
+#define ck_object_handle_t CK_OBJECT_HANDLE
+#define ck_object_class_t CK_OBJECT_CLASS
+#define ck_hw_feature_type_t CK_HW_FEATURE_TYPE
+#define ck_key_type_t CK_KEY_TYPE
+#define ck_certificate_type_t CK_CERTIFICATE_TYPE
+#define ck_attribute_type_t CK_ATTRIBUTE_TYPE
+
+#define ck_attribute _CK_ATTRIBUTE
+#define value pValue
+#define value_len ulValueLen
+
+#define ck_date _CK_DATE
+
+#define ck_mechanism_type_t CK_MECHANISM_TYPE
+
+#define ck_mechanism _CK_MECHANISM
+#define parameter pParameter
+#define parameter_len ulParameterLen
+
+#define ck_mechanism_info _CK_MECHANISM_INFO
+#define min_key_size ulMinKeySize
+#define max_key_size ulMaxKeySize
+
+#define ck_rv_t CK_RV
+#define ck_notify_t CK_NOTIFY
+
+#define ck_function_list _CK_FUNCTION_LIST
+
+#define ck_createmutex_t CK_CREATEMUTEX
+#define ck_destroymutex_t CK_DESTROYMUTEX
+#define ck_lockmutex_t CK_LOCKMUTEX
+#define ck_unlockmutex_t CK_UNLOCKMUTEX
+
+#define ck_c_initialize_args _CK_C_INITIALIZE_ARGS
+#define create_mutex CreateMutex
+#define destroy_mutex DestroyMutex
+#define lock_mutex LockMutex
+#define unlock_mutex UnlockMutex
+#define reserved pReserved
+
+#endif	/* CRYPTOKI_COMPAT */
+
+
+
+typedef unsigned long ck_flags_t;
+
+struct ck_version
+{
+  unsigned char major;
+  unsigned char minor;
+};
+
+
+struct ck_info
+{
+  struct ck_version cryptoki_version;
+  unsigned char manufacturer_id[32];
+  ck_flags_t flags;
+  unsigned char library_description[32];
+  struct ck_version library_version;
+};
+
+
+typedef unsigned long ck_notification_t;
+
+#define CKN_SURRENDER	(0)
+
+
+typedef unsigned long ck_slot_id_t;
+
+
+struct ck_slot_info
+{
+  unsigned char slot_description[64];
+  unsigned char manufacturer_id[32];
+  ck_flags_t flags;
+  struct ck_version hardware_version;
+  struct ck_version firmware_version;
+};
+
+
+#define CKF_TOKEN_PRESENT	(1 << 0)
+#define CKF_REMOVABLE_DEVICE	(1 << 1)
+#define CKF_HW_SLOT		(1 << 2)
+#define CKF_ARRAY_ATTRIBUTE	(1 << 30)
+
+
+struct ck_token_info
+{
+  unsigned char label[32];
+  unsigned char manufacturer_id[32];
+  unsigned char model[16];
+  unsigned char serial_number[16];
+  ck_flags_t flags;
+  unsigned long max_session_count;
+  unsigned long session_count;
+  unsigned long max_rw_session_count;
+  unsigned long rw_session_count;
+  unsigned long max_pin_len;
+  unsigned long min_pin_len;
+  unsigned long total_public_memory;
+  unsigned long free_public_memory;
+  unsigned long total_private_memory;
+  unsigned long free_private_memory;
+  struct ck_version hardware_version;
+  struct ck_version firmware_version;
+  unsigned char utc_time[16];
+};
+
+
+#define CKF_RNG					(1 << 0)
+#define CKF_WRITE_PROTECTED			(1 << 1)
+#define CKF_LOGIN_REQUIRED			(1 << 2)
+#define CKF_USER_PIN_INITIALIZED		(1 << 3)
+#define CKF_RESTORE_KEY_NOT_NEEDED		(1 << 5)
+#define CKF_CLOCK_ON_TOKEN			(1 << 6)
+#define CKF_PROTECTED_AUTHENTICATION_PATH	(1 << 8)
+#define CKF_DUAL_CRYPTO_OPERATIONS		(1 << 9)
+#define CKF_TOKEN_INITIALIZED			(1 << 10)
+#define CKF_SECONDARY_AUTHENTICATION		(1 << 11)
+#define CKF_USER_PIN_COUNT_LOW			(1 << 16)
+#define CKF_USER_PIN_FINAL_TRY			(1 << 17)
+#define CKF_USER_PIN_LOCKED			(1 << 18)
+#define CKF_USER_PIN_TO_BE_CHANGED		(1 << 19)
+#define CKF_SO_PIN_COUNT_LOW			(1 << 20)
+#define CKF_SO_PIN_FINAL_TRY			(1 << 21)
+#define CKF_SO_PIN_LOCKED			(1 << 22)
+#define CKF_SO_PIN_TO_BE_CHANGED		(1 << 23)
+
+#define CK_UNAVAILABLE_INFORMATION	((unsigned long) -1)
+#define CK_EFFECTIVELY_INFINITE		(0)
+
+
+typedef unsigned long ck_session_handle_t;
+
+#define CK_INVALID_HANDLE	(0)
+
+
+typedef unsigned long ck_user_type_t;
+
+#define CKU_SO			(0)
+#define CKU_USER		(1)
+#define CKU_CONTEXT_SPECIFIC	(2)
+
+
+typedef unsigned long ck_state_t;
+
+#define CKS_RO_PUBLIC_SESSION	(0)
+#define CKS_RO_USER_FUNCTIONS	(1)
+#define CKS_RW_PUBLIC_SESSION	(2)
+#define CKS_RW_USER_FUNCTIONS	(3)
+#define CKS_RW_SO_FUNCTIONS	(4)
+
+
+struct ck_session_info
+{
+  ck_slot_id_t slot_id;
+  ck_state_t state;
+  ck_flags_t flags;
+  unsigned long device_error;
+};
+
+#define CKF_RW_SESSION		(1 << 1)
+#define CKF_SERIAL_SESSION	(1 << 2)
+
+
+typedef unsigned long ck_object_handle_t;
+
+
+typedef unsigned long ck_object_class_t;
+
+#define CKO_DATA		(0)
+#define CKO_CERTIFICATE		(1)
+#define CKO_PUBLIC_KEY		(2)
+#define CKO_PRIVATE_KEY		(3)
+#define CKO_SECRET_KEY		(4)
+#define CKO_HW_FEATURE		(5)
+#define CKO_DOMAIN_PARAMETERS	(6)
+#define CKO_MECHANISM		(7)
+#define CKO_VENDOR_DEFINED	((unsigned long) (1 << 31))
+
+
+typedef unsigned long ck_hw_feature_type_t;
+
+#define CKH_MONOTONIC_COUNTER	(1)
+#define CKH_CLOCK		(2)
+#define CKH_USER_INTERFACE	(3)
+#define CKH_VENDOR_DEFINED	((unsigned long) (1 << 31))
+
+
+typedef unsigned long ck_key_type_t;
+
+#define CKK_RSA			(0)
+#define CKK_DSA			(1)
+#define CKK_DH			(2)
+#define CKK_ECDSA		(3)
+#define CKK_EC			(3)
+#define CKK_X9_42_DH		(4)
+#define CKK_KEA			(5)
+#define CKK_GENERIC_SECRET	(0x10)
+#define CKK_RC2			(0x11)
+#define CKK_RC4			(0x12)
+#define CKK_DES			(0x13)
+#define CKK_DES2		(0x14)
+#define CKK_DES3		(0x15)
+#define CKK_CAST		(0x16)
+#define CKK_CAST3		(0x17)
+#define CKK_CAST128		(0x18)
+#define CKK_RC5			(0x19)
+#define CKK_IDEA		(0x1a)
+#define CKK_SKIPJACK		(0x1b)
+#define CKK_BATON		(0x1c)
+#define CKK_JUNIPER		(0x1d)
+#define CKK_CDMF		(0x1e)
+#define CKK_AES			(0x1f)
+#define CKK_BLOWFISH		(0x20)
+#define CKK_TWOFISH		(0x21)
+#define CKK_VENDOR_DEFINED	((unsigned long) (1 << 31))
+
+
+typedef unsigned long ck_certificate_type_t;
+
+#define CKC_X_509		(0)
+#define CKC_X_509_ATTR_CERT	(1)
+#define CKC_WTLS		(2)
+#define CKC_VENDOR_DEFINED	((unsigned long) (1 << 31))
+
+
+typedef unsigned long ck_attribute_type_t;
+
+#define CKA_CLASS			(0)
+#define CKA_TOKEN			(1)
+#define CKA_PRIVATE			(2)
+#define CKA_LABEL			(3)
+#define CKA_APPLICATION			(0x10)
+#define CKA_VALUE			(0x11)
+#define CKA_OBJECT_ID			(0x12)
+#define CKA_CERTIFICATE_TYPE		(0x80)
+#define CKA_ISSUER			(0x81)
+#define CKA_SERIAL_NUMBER		(0x82)
+#define CKA_AC_ISSUER			(0x83)
+#define CKA_OWNER			(0x84)
+#define CKA_ATTR_TYPES			(0x85)
+#define CKA_TRUSTED			(0x86)
+#define CKA_CERTIFICATE_CATEGORY	(0x87)
+#define CKA_JAVA_MIDP_SECURITY_DOMAIN	(0x88)
+#define CKA_URL				(0x89)
+#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY	(0x8a)
+#define CKA_HASH_OF_ISSUER_PUBLIC_KEY	(0x8b)
+#define CKA_CHECK_VALUE			(0x90)
+#define CKA_KEY_TYPE			(0x100)
+#define CKA_SUBJECT			(0x101)
+#define CKA_ID				(0x102)
+#define CKA_SENSITIVE			(0x103)
+#define CKA_ENCRYPT			(0x104)
+#define CKA_DECRYPT			(0x105)
+#define CKA_WRAP			(0x106)
+#define CKA_UNWRAP			(0x107)
+#define CKA_SIGN			(0x108)
+#define CKA_SIGN_RECOVER		(0x109)
+#define CKA_VERIFY			(0x10a)
+#define CKA_VERIFY_RECOVER		(0x10b)
+#define CKA_DERIVE			(0x10c)
+#define CKA_START_DATE			(0x110)
+#define CKA_END_DATE			(0x111)
+#define CKA_MODULUS			(0x120)
+#define CKA_MODULUS_BITS		(0x121)
+#define CKA_PUBLIC_EXPONENT		(0x122)
+#define CKA_PRIVATE_EXPONENT		(0x123)
+#define CKA_PRIME_1			(0x124)
+#define CKA_PRIME_2			(0x125)
+#define CKA_EXPONENT_1			(0x126)
+#define CKA_EXPONENT_2			(0x127)
+#define CKA_COEFFICIENT			(0x128)
+#define CKA_PRIME			(0x130)
+#define CKA_SUBPRIME			(0x131)
+#define CKA_BASE			(0x132)
+#define CKA_PRIME_BITS			(0x133)
+#define CKA_SUB_PRIME_BITS		(0x134)
+#define CKA_VALUE_BITS			(0x160)
+#define CKA_VALUE_LEN			(0x161)
+#define CKA_EXTRACTABLE			(0x162)
+#define CKA_LOCAL			(0x163)
+#define CKA_NEVER_EXTRACTABLE		(0x164)
+#define CKA_ALWAYS_SENSITIVE		(0x165)
+#define CKA_KEY_GEN_MECHANISM		(0x166)
+#define CKA_MODIFIABLE			(0x170)
+#define CKA_ECDSA_PARAMS		(0x180)
+#define CKA_EC_PARAMS			(0x180)
+#define CKA_EC_POINT			(0x181)
+#define CKA_SECONDARY_AUTH		(0x200)
+#define CKA_AUTH_PIN_FLAGS		(0x201)
+#define CKA_ALWAYS_AUTHENTICATE		(0x202)
+#define CKA_WRAP_WITH_TRUSTED		(0x210)
+#define CKA_HW_FEATURE_TYPE		(0x300)
+#define CKA_RESET_ON_INIT		(0x301)
+#define CKA_HAS_RESET			(0x302)
+#define CKA_PIXEL_X			(0x400)
+#define CKA_PIXEL_Y			(0x401)
+#define CKA_RESOLUTION			(0x402)
+#define CKA_CHAR_ROWS			(0x403)
+#define CKA_CHAR_COLUMNS		(0x404)
+#define CKA_COLOR			(0x405)
+#define CKA_BITS_PER_PIXEL		(0x406)
+#define CKA_CHAR_SETS			(0x480)
+#define CKA_ENCODING_METHODS		(0x481)
+#define CKA_MIME_TYPES			(0x482)
+#define CKA_MECHANISM_TYPE		(0x500)
+#define CKA_REQUIRED_CMS_ATTRIBUTES	(0x501)
+#define CKA_DEFAULT_CMS_ATTRIBUTES	(0x502)
+#define CKA_SUPPORTED_CMS_ATTRIBUTES	(0x503)
+#define CKA_WRAP_TEMPLATE		(CKF_ARRAY_ATTRIBUTE | 0x211)
+#define CKA_UNWRAP_TEMPLATE		(CKF_ARRAY_ATTRIBUTE | 0x212)
+#define CKA_ALLOWED_MECHANISMS		(CKF_ARRAY_ATTRIBUTE | 0x600)
+#define CKA_VENDOR_DEFINED		((unsigned long) (1 << 31))
+
+
+struct ck_attribute
+{
+  ck_attribute_type_t type;
+  void *value;
+  unsigned long value_len;
+};
+
+
+struct ck_date
+{
+  unsigned char year[4];
+  unsigned char month[2];
+  unsigned char day[2];
+};
+
+
+typedef unsigned long ck_mechanism_type_t;
+
+#define CKM_RSA_PKCS_KEY_PAIR_GEN	(0)
+#define CKM_RSA_PKCS			(1)
+#define CKM_RSA_9796			(2)
+#define CKM_RSA_X_509			(3)
+#define CKM_MD2_RSA_PKCS		(4)
+#define CKM_MD5_RSA_PKCS		(5)
+#define CKM_SHA1_RSA_PKCS		(6)
+#define CKM_RIPEMD128_RSA_PKCS		(7)
+#define CKM_RIPEMD160_RSA_PKCS		(8)
+#define CKM_RSA_PKCS_OAEP		(9)
+#define CKM_RSA_X9_31_KEY_PAIR_GEN	(0xa)
+#define CKM_RSA_X9_31			(0xb)
+#define CKM_SHA1_RSA_X9_31		(0xc)
+#define CKM_RSA_PKCS_PSS		(0xd)
+#define CKM_SHA1_RSA_PKCS_PSS		(0xe)
+#define CKM_DSA_KEY_PAIR_GEN		(0x10)
+#define	CKM_DSA				(0x11)
+#define CKM_DSA_SHA1			(0x12)
+#define CKM_DH_PKCS_KEY_PAIR_GEN	(0x20)
+#define CKM_DH_PKCS_DERIVE		(0x21)
+#define	CKM_X9_42_DH_KEY_PAIR_GEN	(0x30)
+#define CKM_X9_42_DH_DERIVE		(0x31)
+#define CKM_X9_42_DH_HYBRID_DERIVE	(0x32)
+#define CKM_X9_42_MQV_DERIVE		(0x33)
+#define CKM_SHA256_RSA_PKCS		(0x40)
+#define CKM_SHA384_RSA_PKCS		(0x41)
+#define CKM_SHA512_RSA_PKCS		(0x42)
+#define CKM_SHA256_RSA_PKCS_PSS		(0x43)
+#define CKM_SHA384_RSA_PKCS_PSS		(0x44)
+#define CKM_SHA512_RSA_PKCS_PSS		(0x45)
+#define CKM_RC2_KEY_GEN			(0x100)
+#define CKM_RC2_ECB			(0x101)
+#define	CKM_RC2_CBC			(0x102)
+#define	CKM_RC2_MAC			(0x103)
+#define CKM_RC2_MAC_GENERAL		(0x104)
+#define CKM_RC2_CBC_PAD			(0x105)
+#define CKM_RC4_KEY_GEN			(0x110)
+#define CKM_RC4				(0x111)
+#define CKM_DES_KEY_GEN			(0x120)
+#define CKM_DES_ECB			(0x121)
+#define CKM_DES_CBC			(0x122)
+#define CKM_DES_MAC			(0x123)
+#define CKM_DES_MAC_GENERAL		(0x124)
+#define CKM_DES_CBC_PAD			(0x125)
+#define CKM_DES2_KEY_GEN		(0x130)
+#define CKM_DES3_KEY_GEN		(0x131)
+#define CKM_DES3_ECB			(0x132)
+#define CKM_DES3_CBC			(0x133)
+#define CKM_DES3_MAC			(0x134)
+#define CKM_DES3_MAC_GENERAL		(0x135)
+#define CKM_DES3_CBC_PAD		(0x136)
+#define CKM_CDMF_KEY_GEN		(0x140)
+#define CKM_CDMF_ECB			(0x141)
+#define CKM_CDMF_CBC			(0x142)
+#define CKM_CDMF_MAC			(0x143)
+#define CKM_CDMF_MAC_GENERAL		(0x144)
+#define CKM_CDMF_CBC_PAD		(0x145)
+#define CKM_MD2				(0x200)
+#define CKM_MD2_HMAC			(0x201)
+#define CKM_MD2_HMAC_GENERAL		(0x202)
+#define CKM_MD5				(0x210)
+#define CKM_MD5_HMAC			(0x211)
+#define CKM_MD5_HMAC_GENERAL		(0x212)
+#define CKM_SHA_1			(0x220)
+#define CKM_SHA_1_HMAC			(0x221)
+#define CKM_SHA_1_HMAC_GENERAL		(0x222)
+#define CKM_RIPEMD128			(0x230)
+#define CKM_RIPEMD128_HMAC		(0x231)
+#define CKM_RIPEMD128_HMAC_GENERAL	(0x232)
+#define CKM_RIPEMD160			(0x240)
+#define CKM_RIPEMD160_HMAC		(0x241)
+#define CKM_RIPEMD160_HMAC_GENERAL	(0x242)
+#define CKM_SHA256			(0x250)
+#define CKM_SHA256_HMAC			(0x251)
+#define CKM_SHA256_HMAC_GENERAL		(0x252)
+#define CKM_SHA384			(0x260)
+#define CKM_SHA384_HMAC			(0x261)
+#define CKM_SHA384_HMAC_GENERAL		(0x262)
+#define CKM_SHA512			(0x270)
+#define CKM_SHA512_HMAC			(0x271)
+#define CKM_SHA512_HMAC_GENERAL		(0x272)
+#define CKM_CAST_KEY_GEN		(0x300)
+#define CKM_CAST_ECB			(0x301)
+#define CKM_CAST_CBC			(0x302)
+#define CKM_CAST_MAC			(0x303)
+#define CKM_CAST_MAC_GENERAL		(0x304)
+#define CKM_CAST_CBC_PAD		(0x305)
+#define CKM_CAST3_KEY_GEN		(0x310)
+#define CKM_CAST3_ECB			(0x311)
+#define CKM_CAST3_CBC			(0x312)
+#define CKM_CAST3_MAC			(0x313)
+#define CKM_CAST3_MAC_GENERAL		(0x314)
+#define CKM_CAST3_CBC_PAD		(0x315)
+#define CKM_CAST5_KEY_GEN		(0x320)
+#define CKM_CAST128_KEY_GEN		(0x320)
+#define CKM_CAST5_ECB			(0x321)
+#define CKM_CAST128_ECB			(0x321)
+#define CKM_CAST5_CBC			(0x322)
+#define CKM_CAST128_CBC			(0x322)
+#define CKM_CAST5_MAC			(0x323)
+#define	CKM_CAST128_MAC			(0x323)
+#define CKM_CAST5_MAC_GENERAL		(0x324)
+#define CKM_CAST128_MAC_GENERAL		(0x324)
+#define CKM_CAST5_CBC_PAD		(0x325)
+#define CKM_CAST128_CBC_PAD		(0x325)
+#define CKM_RC5_KEY_GEN			(0x330)
+#define CKM_RC5_ECB			(0x331)
+#define CKM_RC5_CBC			(0x332)
+#define CKM_RC5_MAC			(0x333)
+#define CKM_RC5_MAC_GENERAL		(0x334)
+#define CKM_RC5_CBC_PAD			(0x335)
+#define CKM_IDEA_KEY_GEN		(0x340)
+#define CKM_IDEA_ECB			(0x341)
+#define	CKM_IDEA_CBC			(0x342)
+#define CKM_IDEA_MAC			(0x343)
+#define CKM_IDEA_MAC_GENERAL		(0x344)
+#define CKM_IDEA_CBC_PAD		(0x345)
+#define CKM_GENERIC_SECRET_KEY_GEN	(0x350)
+#define CKM_CONCATENATE_BASE_AND_KEY	(0x360)
+#define CKM_CONCATENATE_BASE_AND_DATA	(0x362)
+#define CKM_CONCATENATE_DATA_AND_BASE	(0x363)
+#define CKM_XOR_BASE_AND_DATA		(0x364)
+#define CKM_EXTRACT_KEY_FROM_KEY	(0x365)
+#define CKM_SSL3_PRE_MASTER_KEY_GEN	(0x370)
+#define CKM_SSL3_MASTER_KEY_DERIVE	(0x371)
+#define CKM_SSL3_KEY_AND_MAC_DERIVE	(0x372)
+#define CKM_SSL3_MASTER_KEY_DERIVE_DH	(0x373)
+#define CKM_TLS_PRE_MASTER_KEY_GEN	(0x374)
+#define CKM_TLS_MASTER_KEY_DERIVE	(0x375)
+#define CKM_TLS_KEY_AND_MAC_DERIVE	(0x376)
+#define CKM_TLS_MASTER_KEY_DERIVE_DH	(0x377)
+#define CKM_SSL3_MD5_MAC		(0x380)
+#define CKM_SSL3_SHA1_MAC		(0x381)
+#define CKM_MD5_KEY_DERIVATION		(0x390)
+#define CKM_MD2_KEY_DERIVATION		(0x391)
+#define CKM_SHA1_KEY_DERIVATION		(0x392)
+#define CKM_PBE_MD2_DES_CBC		(0x3a0)
+#define CKM_PBE_MD5_DES_CBC		(0x3a1)
+#define CKM_PBE_MD5_CAST_CBC		(0x3a2)
+#define CKM_PBE_MD5_CAST3_CBC		(0x3a3)
+#define CKM_PBE_MD5_CAST5_CBC		(0x3a4)
+#define CKM_PBE_MD5_CAST128_CBC		(0x3a4)
+#define CKM_PBE_SHA1_CAST5_CBC		(0x3a5)
+#define CKM_PBE_SHA1_CAST128_CBC	(0x3a5)
+#define CKM_PBE_SHA1_RC4_128		(0x3a6)
+#define CKM_PBE_SHA1_RC4_40		(0x3a7)
+#define CKM_PBE_SHA1_DES3_EDE_CBC	(0x3a8)
+#define CKM_PBE_SHA1_DES2_EDE_CBC	(0x3a9)
+#define CKM_PBE_SHA1_RC2_128_CBC	(0x3aa)
+#define CKM_PBE_SHA1_RC2_40_CBC		(0x3ab)
+#define CKM_PKCS5_PBKD2			(0x3b0)
+#define CKM_PBA_SHA1_WITH_SHA1_HMAC	(0x3c0)
+#define CKM_KEY_WRAP_LYNKS		(0x400)
+#define CKM_KEY_WRAP_SET_OAEP		(0x401)
+#define CKM_SKIPJACK_KEY_GEN		(0x1000)
+#define CKM_SKIPJACK_ECB64		(0x1001)
+#define CKM_SKIPJACK_CBC64		(0x1002)
+#define CKM_SKIPJACK_OFB64		(0x1003)
+#define CKM_SKIPJACK_CFB64		(0x1004)
+#define CKM_SKIPJACK_CFB32		(0x1005)
+#define CKM_SKIPJACK_CFB16		(0x1006)
+#define CKM_SKIPJACK_CFB8		(0x1007)
+#define CKM_SKIPJACK_WRAP		(0x1008)
+#define CKM_SKIPJACK_PRIVATE_WRAP	(0x1009)
+#define CKM_SKIPJACK_RELAYX		(0x100a)
+#define CKM_KEA_KEY_PAIR_GEN		(0x1010)
+#define CKM_KEA_KEY_DERIVE		(0x1011)
+#define CKM_FORTEZZA_TIMESTAMP		(0x1020)
+#define CKM_BATON_KEY_GEN		(0x1030)
+#define CKM_BATON_ECB128		(0x1031)
+#define CKM_BATON_ECB96			(0x1032)
+#define CKM_BATON_CBC128		(0x1033)
+#define CKM_BATON_COUNTER		(0x1034)
+#define CKM_BATON_SHUFFLE		(0x1035)
+#define CKM_BATON_WRAP			(0x1036)
+#define CKM_ECDSA_KEY_PAIR_GEN		(0x1040)
+#define CKM_EC_KEY_PAIR_GEN		(0x1040)
+#define CKM_ECDSA			(0x1041)
+#define CKM_ECDSA_SHA1			(0x1042)
+#define CKM_ECDH1_DERIVE		(0x1050)
+#define CKM_ECDH1_COFACTOR_DERIVE	(0x1051)
+#define CKM_ECMQV_DERIVE		(0x1052)
+#define CKM_JUNIPER_KEY_GEN		(0x1060)
+#define CKM_JUNIPER_ECB128		(0x1061)
+#define CKM_JUNIPER_CBC128		(0x1062)
+#define CKM_JUNIPER_COUNTER		(0x1063)
+#define CKM_JUNIPER_SHUFFLE		(0x1064)
+#define CKM_JUNIPER_WRAP		(0x1065)
+#define CKM_FASTHASH			(0x1070)
+#define CKM_AES_KEY_GEN			(0x1080)
+#define CKM_AES_ECB			(0x1081)
+#define CKM_AES_CBC			(0x1082)
+#define CKM_AES_MAC			(0x1083)
+#define CKM_AES_MAC_GENERAL		(0x1084)
+#define CKM_AES_CBC_PAD			(0x1085)
+#define CKM_DSA_PARAMETER_GEN		(0x2000)
+#define CKM_DH_PKCS_PARAMETER_GEN	(0x2001)
+#define CKM_X9_42_DH_PARAMETER_GEN	(0x2002)
+#define CKM_VENDOR_DEFINED		((unsigned long) (1 << 31))
+
+
+struct ck_mechanism
+{
+  ck_mechanism_type_t mechanism;
+  void *parameter;
+  unsigned long parameter_len;
+};
+
+
+struct ck_mechanism_info
+{
+  unsigned long min_key_size;
+  unsigned long max_key_size;
+  ck_flags_t flags;
+};
+
+#define CKF_HW			(1 << 0)
+#define CKF_ENCRYPT		(1 << 8)
+#define CKF_DECRYPT		(1 << 9)
+#define CKF_DIGEST		(1 << 10)
+#define CKF_SIGN		(1 << 11)
+#define CKF_SIGN_RECOVER	(1 << 12)
+#define CKF_VERIFY		(1 << 13)
+#define CKF_VERIFY_RECOVER	(1 << 14)
+#define CKF_GENERATE		(1 << 15)
+#define CKF_GENERATE_KEY_PAIR	(1 << 16)
+#define CKF_WRAP		(1 << 17)
+#define CKF_UNWRAP		(1 << 18)
+#define CKF_DERIVE		(1 << 19)
+#define CKF_EXTENSION		((unsigned long) (1 << 31))
+
+
+/* Flags for C_WaitForSlotEvent.  */
+#define CKF_DONT_BLOCK				(1)
+
+
+typedef unsigned long ck_rv_t;
+
+
+typedef ck_rv_t (*ck_notify_t) (ck_session_handle_t session,
+				ck_notification_t event, void *application);
+
+/* Forward reference.  */
+struct ck_function_list;
+
+#define _CK_DECLARE_FUNCTION(name, args)	\
+typedef ck_rv_t (*CK_ ## name) args;		\
+ck_rv_t CK_SPEC name args
+
+_CK_DECLARE_FUNCTION (C_Initialize, (void *init_args));
+_CK_DECLARE_FUNCTION (C_Finalize, (void *reserved));
+_CK_DECLARE_FUNCTION (C_GetInfo, (struct ck_info *info));
+_CK_DECLARE_FUNCTION (C_GetFunctionList,
+		      (struct ck_function_list **function_list));
+
+_CK_DECLARE_FUNCTION (C_GetSlotList,
+		      (unsigned char token_present, ck_slot_id_t *slot_list,
+		       unsigned long *count));
+_CK_DECLARE_FUNCTION (C_GetSlotInfo,
+		      (ck_slot_id_t slot_id, struct ck_slot_info *info));
+_CK_DECLARE_FUNCTION (C_GetTokenInfo,
+		      (ck_slot_id_t slot_id, struct ck_token_info *info));
+_CK_DECLARE_FUNCTION (C_WaitForSlotEvent,
+		      (ck_flags_t flags, ck_slot_id_t *slot, void *reserved));
+_CK_DECLARE_FUNCTION (C_GetMechanismList,
+		      (ck_slot_id_t slot_id,
+		       ck_mechanism_type_t *mechanism_list,
+		       unsigned long *count));
+_CK_DECLARE_FUNCTION (C_GetMechanismInfo,
+		      (ck_slot_id_t slot_id, ck_mechanism_type_t type,
+		       struct ck_mechanism_info *info));
+_CK_DECLARE_FUNCTION (C_InitToken,
+		      (ck_slot_id_t slot_id, unsigned char *pin,
+		       unsigned long pin_len, unsigned char *label));
+_CK_DECLARE_FUNCTION (C_InitPIN,
+		      (ck_session_handle_t session, unsigned char *pin,
+		       unsigned long pin_len));
+_CK_DECLARE_FUNCTION (C_SetPIN,
+		      (ck_session_handle_t session, unsigned char *old_pin,
+		       unsigned long old_len, unsigned char *new_pin,
+		       unsigned long new_len));
+
+_CK_DECLARE_FUNCTION (C_OpenSession,
+		      (ck_slot_id_t slot_id, ck_flags_t flags,
+		       void *application, ck_notify_t notify,
+		       ck_session_handle_t *session));
+_CK_DECLARE_FUNCTION (C_CloseSession, (ck_session_handle_t session));
+_CK_DECLARE_FUNCTION (C_CloseAllSessions, (ck_slot_id_t slot_id));
+_CK_DECLARE_FUNCTION (C_GetSessionInfo,
+		      (ck_session_handle_t session,
+		       struct ck_session_info *info));
+_CK_DECLARE_FUNCTION (C_GetOperationState,
+		      (ck_session_handle_t session,
+		       unsigned char *operation_state,
+		       unsigned long *operation_state_len));
+_CK_DECLARE_FUNCTION (C_SetOperationState,
+		      (ck_session_handle_t session,
+		       unsigned char *operation_state,
+		       unsigned long operation_state_len,
+		       ck_object_handle_t encryption_key,
+		       ck_object_handle_t authentiation_key));
+_CK_DECLARE_FUNCTION (C_Login,
+		      (ck_session_handle_t session, ck_user_type_t user_type,
+		       unsigned char *pin, unsigned long pin_len));
+_CK_DECLARE_FUNCTION (C_Logout, (ck_session_handle_t session));
+
+_CK_DECLARE_FUNCTION (C_CreateObject,
+		      (ck_session_handle_t session,
+		       struct ck_attribute *templ,
+		       unsigned long count, ck_object_handle_t *object));
+_CK_DECLARE_FUNCTION (C_CopyObject,
+		      (ck_session_handle_t session, ck_object_handle_t object,
+		       struct ck_attribute *templ, unsigned long count,
+		       ck_object_handle_t *new_object));
+_CK_DECLARE_FUNCTION (C_DestroyObject,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t object));
+_CK_DECLARE_FUNCTION (C_GetObjectSize,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t object,
+		       unsigned long *size));
+_CK_DECLARE_FUNCTION (C_GetAttributeValue,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t object,
+		       struct ck_attribute *templ,
+		       unsigned long count));
+_CK_DECLARE_FUNCTION (C_SetAttributeValue,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t object,
+		       struct ck_attribute *templ,
+		       unsigned long count));
+_CK_DECLARE_FUNCTION (C_FindObjectsInit,
+		      (ck_session_handle_t session,
+		       struct ck_attribute *templ,
+		       unsigned long count));
+_CK_DECLARE_FUNCTION (C_FindObjects,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t *object,
+		       unsigned long max_object_count,
+		       unsigned long *object_count));
+_CK_DECLARE_FUNCTION (C_FindObjectsFinal,
+		      (ck_session_handle_t session));
+
+_CK_DECLARE_FUNCTION (C_EncryptInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_Encrypt,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *encrypted_data,
+		       unsigned long *encrypted_data_len));
+_CK_DECLARE_FUNCTION (C_EncryptUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len,
+		       unsigned char *encrypted_part,
+		       unsigned long *encrypted_part_len));
+_CK_DECLARE_FUNCTION (C_EncryptFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *last_encrypted_part,
+		       unsigned long *last_encrypted_part_len));
+
+_CK_DECLARE_FUNCTION (C_DecryptInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_Decrypt,
+		      (ck_session_handle_t session,
+		       unsigned char *encrypted_data,
+		       unsigned long encrypted_data_len,
+		       unsigned char *data, unsigned long *data_len));
+_CK_DECLARE_FUNCTION (C_DecryptUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *encrypted_part,
+		       unsigned long encrypted_part_len,
+		       unsigned char *part, unsigned long *part_len));
+_CK_DECLARE_FUNCTION (C_DecryptFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *last_part,
+		       unsigned long *last_part_len));
+
+_CK_DECLARE_FUNCTION (C_DigestInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism));
+_CK_DECLARE_FUNCTION (C_Digest,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *digest,
+		       unsigned long *digest_len));
+_CK_DECLARE_FUNCTION (C_DigestUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len));
+_CK_DECLARE_FUNCTION (C_DigestKey,
+		      (ck_session_handle_t session, ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_DigestFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *digest,
+		       unsigned long *digest_len));
+
+_CK_DECLARE_FUNCTION (C_SignInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_Sign,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *signature,
+		       unsigned long *signature_len));
+_CK_DECLARE_FUNCTION (C_SignUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len));
+_CK_DECLARE_FUNCTION (C_SignFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *signature,
+		       unsigned long *signature_len));
+_CK_DECLARE_FUNCTION (C_SignRecoverInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_SignRecover,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *signature,
+		       unsigned long *signature_len));
+
+_CK_DECLARE_FUNCTION (C_VerifyInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_Verify,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *signature,
+		       unsigned long signature_len));
+_CK_DECLARE_FUNCTION (C_VerifyUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len));
+_CK_DECLARE_FUNCTION (C_VerifyFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *signature,
+		       unsigned long signature_len));
+_CK_DECLARE_FUNCTION (C_VerifyRecoverInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_VerifyRecover,
+		      (ck_session_handle_t session,
+		       unsigned char *signature,
+		       unsigned long signature_len,
+		       unsigned char *data,
+		       unsigned long *data_len));
+
+_CK_DECLARE_FUNCTION (C_DigestEncryptUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len,
+		       unsigned char *encrypted_part,
+		       unsigned long *encrypted_part_len));
+_CK_DECLARE_FUNCTION (C_DecryptDigestUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *encrypted_part,
+		       unsigned long encrypted_part_len,
+		       unsigned char *part,
+		       unsigned long *part_len));
+_CK_DECLARE_FUNCTION (C_SignEncryptUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len,
+		       unsigned char *encrypted_part,
+		       unsigned long *encrypted_part_len));
+_CK_DECLARE_FUNCTION (C_DecryptVerifyUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *encrypted_part,
+		       unsigned long encrypted_part_len,
+		       unsigned char *part,
+		       unsigned long *part_len));
+
+_CK_DECLARE_FUNCTION (C_GenerateKey,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       struct ck_attribute *templ,
+		       unsigned long count,
+		       ck_object_handle_t *key));
+_CK_DECLARE_FUNCTION (C_GenerateKeyPair,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       struct ck_attribute *public_key_template,
+		       unsigned long public_key_attribute_count,
+		       struct ck_attribute *private_key_template,
+		       unsigned long private_key_attribute_count,
+		       ck_object_handle_t *public_key,
+		       ck_object_handle_t *private_key));
+_CK_DECLARE_FUNCTION (C_WrapKey,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t wrapping_key,
+		       ck_object_handle_t key,
+		       unsigned char *wrapped_key,
+		       unsigned long *wrapped_key_len));
+_CK_DECLARE_FUNCTION (C_UnwrapKey,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t unwrapping_key,
+		       unsigned char *wrapped_key,
+		       unsigned long wrapped_key_len,
+		       struct ck_attribute *templ,
+		       unsigned long attribute_count,
+		       ck_object_handle_t *key));
+_CK_DECLARE_FUNCTION (C_DeriveKey,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t base_key,
+		       struct ck_attribute *templ,
+		       unsigned long attribute_count,
+		       ck_object_handle_t *key));
+
+_CK_DECLARE_FUNCTION (C_SeedRandom,
+		      (ck_session_handle_t session, unsigned char *seed,
+		       unsigned long seed_len));
+_CK_DECLARE_FUNCTION (C_GenerateRandom,
+		      (ck_session_handle_t session,
+		       unsigned char *random_data,
+		       unsigned long random_len));
+
+_CK_DECLARE_FUNCTION (C_GetFunctionStatus, (ck_session_handle_t session));
+_CK_DECLARE_FUNCTION (C_CancelFunction, (ck_session_handle_t session));
+
+
+struct ck_function_list
+{
+  struct ck_version version;
+  CK_C_Initialize C_Initialize;
+  CK_C_Finalize C_Finalize;
+  CK_C_GetInfo C_GetInfo;
+  CK_C_GetFunctionList C_GetFunctionList;
+  CK_C_GetSlotList C_GetSlotList;
+  CK_C_GetSlotInfo C_GetSlotInfo;
+  CK_C_GetTokenInfo C_GetTokenInfo;
+  CK_C_GetMechanismList C_GetMechanismList;
+  CK_C_GetMechanismInfo C_GetMechanismInfo;
+  CK_C_InitToken C_InitToken;
+  CK_C_InitPIN C_InitPIN;
+  CK_C_SetPIN C_SetPIN;
+  CK_C_OpenSession C_OpenSession;
+  CK_C_CloseSession C_CloseSession;
+  CK_C_CloseAllSessions C_CloseAllSessions;
+  CK_C_GetSessionInfo C_GetSessionInfo;
+  CK_C_GetOperationState C_GetOperationState;
+  CK_C_SetOperationState C_SetOperationState;
+  CK_C_Login C_Login;
+  CK_C_Logout C_Logout;
+  CK_C_CreateObject C_CreateObject;
+  CK_C_CopyObject C_CopyObject;
+  CK_C_DestroyObject C_DestroyObject;
+  CK_C_GetObjectSize C_GetObjectSize;
+  CK_C_GetAttributeValue C_GetAttributeValue;
+  CK_C_SetAttributeValue C_SetAttributeValue;
+  CK_C_FindObjectsInit C_FindObjectsInit;
+  CK_C_FindObjects C_FindObjects;
+  CK_C_FindObjectsFinal C_FindObjectsFinal;
+  CK_C_EncryptInit C_EncryptInit;
+  CK_C_Encrypt C_Encrypt;
+  CK_C_EncryptUpdate C_EncryptUpdate;
+  CK_C_EncryptFinal C_EncryptFinal;
+  CK_C_DecryptInit C_DecryptInit;
+  CK_C_Decrypt C_Decrypt;
+  CK_C_DecryptUpdate C_DecryptUpdate;
+  CK_C_DecryptFinal C_DecryptFinal;
+  CK_C_DigestInit C_DigestInit;
+  CK_C_Digest C_Digest;
+  CK_C_DigestUpdate C_DigestUpdate;
+  CK_C_DigestKey C_DigestKey;
+  CK_C_DigestFinal C_DigestFinal;
+  CK_C_SignInit C_SignInit;
+  CK_C_Sign C_Sign;
+  CK_C_SignUpdate C_SignUpdate;
+  CK_C_SignFinal C_SignFinal;
+  CK_C_SignRecoverInit C_SignRecoverInit;
+  CK_C_SignRecover C_SignRecover;
+  CK_C_VerifyInit C_VerifyInit;
+  CK_C_Verify C_Verify;
+  CK_C_VerifyUpdate C_VerifyUpdate;
+  CK_C_VerifyFinal C_VerifyFinal;
+  CK_C_VerifyRecoverInit C_VerifyRecoverInit;
+  CK_C_VerifyRecover C_VerifyRecover;
+  CK_C_DigestEncryptUpdate C_DigestEncryptUpdate;
+  CK_C_DecryptDigestUpdate C_DecryptDigestUpdate;
+  CK_C_SignEncryptUpdate C_SignEncryptUpdate;
+  CK_C_DecryptVerifyUpdate C_DecryptVerifyUpdate;
+  CK_C_GenerateKey C_GenerateKey;
+  CK_C_GenerateKeyPair C_GenerateKeyPair;
+  CK_C_WrapKey C_WrapKey;
+  CK_C_UnwrapKey C_UnwrapKey;
+  CK_C_DeriveKey C_DeriveKey;
+  CK_C_SeedRandom C_SeedRandom;
+  CK_C_GenerateRandom C_GenerateRandom;
+  CK_C_GetFunctionStatus C_GetFunctionStatus;
+  CK_C_CancelFunction C_CancelFunction;
+  CK_C_WaitForSlotEvent C_WaitForSlotEvent;
+};
+
+
+typedef ck_rv_t (*ck_createmutex_t) (void **mutex);
+typedef ck_rv_t (*ck_destroymutex_t) (void *mutex);
+typedef ck_rv_t (*ck_lockmutex_t) (void *mutex);
+typedef ck_rv_t (*ck_unlockmutex_t) (void *mutex);
+
+
+struct ck_c_initialize_args
+{
+  ck_createmutex_t create_mutex;
+  ck_destroymutex_t destroy_mutex;
+  ck_lockmutex_t lock_mutex;
+  ck_unlockmutex_t unlock_mutex;
+  ck_flags_t flags;
+  void *reserved;
+};
+
+
+#define CKF_LIBRARY_CANT_CREATE_OS_THREADS	(1 << 0)
+#define CKF_OS_LOCKING_OK			(1 << 1)
+
+#define CKR_OK					(0)
+#define CKR_CANCEL				(1)
+#define CKR_HOST_MEMORY				(2)
+#define CKR_SLOT_ID_INVALID			(3)
+#define CKR_GENERAL_ERROR			(5)
+#define CKR_FUNCTION_FAILED			(6)
+#define CKR_ARGUMENTS_BAD			(7)
+#define CKR_NO_EVENT				(8)
+#define CKR_NEED_TO_CREATE_THREADS		(9)
+#define CKR_CANT_LOCK				(0xa)
+#define CKR_ATTRIBUTE_READ_ONLY			(0x10)
+#define CKR_ATTRIBUTE_SENSITIVE			(0x11)
+#define CKR_ATTRIBUTE_TYPE_INVALID		(0x12)
+#define CKR_ATTRIBUTE_VALUE_INVALID		(0x13)
+#define CKR_DATA_INVALID			(0x20)
+#define CKR_DATA_LEN_RANGE			(0x21)
+#define CKR_DEVICE_ERROR			(0x30)
+#define CKR_DEVICE_MEMORY			(0x31)
+#define CKR_DEVICE_REMOVED			(0x32)
+#define CKR_ENCRYPTED_DATA_INVALID		(0x40)
+#define CKR_ENCRYPTED_DATA_LEN_RANGE		(0x41)
+#define CKR_FUNCTION_CANCELED			(0x50)
+#define CKR_FUNCTION_NOT_PARALLEL		(0x51)
+#define CKR_FUNCTION_NOT_SUPPORTED		(0x54)
+#define CKR_KEY_HANDLE_INVALID			(0x60)
+#define CKR_KEY_SIZE_RANGE			(0x62)
+#define CKR_KEY_TYPE_INCONSISTENT		(0x63)
+#define CKR_KEY_NOT_NEEDED			(0x64)
+#define CKR_KEY_CHANGED				(0x65)
+#define CKR_KEY_NEEDED				(0x66)
+#define CKR_KEY_INDIGESTIBLE			(0x67)
+#define CKR_KEY_FUNCTION_NOT_PERMITTED		(0x68)
+#define CKR_KEY_NOT_WRAPPABLE			(0x69)
+#define CKR_KEY_UNEXTRACTABLE			(0x6a)
+#define CKR_MECHANISM_INVALID			(0x70)
+#define CKR_MECHANISM_PARAM_INVALID		(0x71)
+#define CKR_OBJECT_HANDLE_INVALID		(0x82)
+#define CKR_OPERATION_ACTIVE			(0x90)
+#define CKR_OPERATION_NOT_INITIALIZED		(0x91)
+#define CKR_PIN_INCORRECT			(0xa0)
+#define CKR_PIN_INVALID				(0xa1)
+#define CKR_PIN_LEN_RANGE			(0xa2)
+#define CKR_PIN_EXPIRED				(0xa3)
+#define CKR_PIN_LOCKED				(0xa4)
+#define CKR_SESSION_CLOSED			(0xb0)
+#define CKR_SESSION_COUNT			(0xb1)
+#define CKR_SESSION_HANDLE_INVALID		(0xb3)
+#define CKR_SESSION_PARALLEL_NOT_SUPPORTED	(0xb4)
+#define CKR_SESSION_READ_ONLY			(0xb5)
+#define CKR_SESSION_EXISTS			(0xb6)
+#define CKR_SESSION_READ_ONLY_EXISTS		(0xb7)
+#define CKR_SESSION_READ_WRITE_SO_EXISTS	(0xb8)
+#define CKR_SIGNATURE_INVALID			(0xc0)
+#define CKR_SIGNATURE_LEN_RANGE			(0xc1)
+#define CKR_TEMPLATE_INCOMPLETE			(0xd0)
+#define CKR_TEMPLATE_INCONSISTENT		(0xd1)
+#define CKR_TOKEN_NOT_PRESENT			(0xe0)
+#define CKR_TOKEN_NOT_RECOGNIZED		(0xe1)
+#define CKR_TOKEN_WRITE_PROTECTED		(0xe2)
+#define	CKR_UNWRAPPING_KEY_HANDLE_INVALID	(0xf0)
+#define CKR_UNWRAPPING_KEY_SIZE_RANGE		(0xf1)
+#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT	(0xf2)
+#define CKR_USER_ALREADY_LOGGED_IN		(0x100)
+#define CKR_USER_NOT_LOGGED_IN			(0x101)
+#define CKR_USER_PIN_NOT_INITIALIZED		(0x102)
+#define CKR_USER_TYPE_INVALID			(0x103)
+#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN	(0x104)
+#define CKR_USER_TOO_MANY_TYPES			(0x105)
+#define CKR_WRAPPED_KEY_INVALID			(0x110)
+#define CKR_WRAPPED_KEY_LEN_RANGE		(0x112)
+#define CKR_WRAPPING_KEY_HANDLE_INVALID		(0x113)
+#define CKR_WRAPPING_KEY_SIZE_RANGE		(0x114)
+#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT	(0x115)
+#define CKR_RANDOM_SEED_NOT_SUPPORTED		(0x120)
+#define CKR_RANDOM_NO_RNG			(0x121)
+#define CKR_DOMAIN_PARAMS_INVALID		(0x130)
+#define CKR_BUFFER_TOO_SMALL			(0x150)
+#define CKR_SAVED_STATE_INVALID			(0x160)
+#define CKR_INFORMATION_SENSITIVE		(0x170)
+#define CKR_STATE_UNSAVEABLE			(0x180)
+#define CKR_CRYPTOKI_NOT_INITIALIZED		(0x190)
+#define CKR_CRYPTOKI_ALREADY_INITIALIZED	(0x191)
+#define CKR_MUTEX_BAD				(0x1a0)
+#define CKR_MUTEX_NOT_LOCKED			(0x1a1)
+#define CKR_FUNCTION_REJECTED			(0x200)
+#define CKR_VENDOR_DEFINED			((unsigned long) (1 << 31))
+
+
+
+/* Compatibility layer.  */
+
+#ifdef CRYPTOKI_COMPAT
+
+#undef CK_DEFINE_FUNCTION
+#define CK_DEFINE_FUNCTION(retval, name) retval CK_SPEC name
+
+/* For NULL.  */
+#include <stddef.h>
+
+typedef unsigned char CK_BYTE;
+typedef unsigned char CK_CHAR;
+typedef unsigned char CK_UTF8CHAR;
+typedef unsigned char CK_BBOOL;
+typedef unsigned long int CK_ULONG;
+typedef long int CK_LONG;
+typedef CK_BYTE *CK_BYTE_PTR;
+typedef CK_CHAR *CK_CHAR_PTR;
+typedef CK_UTF8CHAR *CK_UTF8CHAR_PTR;
+typedef CK_ULONG *CK_ULONG_PTR;
+typedef void *CK_VOID_PTR;
+typedef void **CK_VOID_PTR_PTR;
+#define CK_FALSE 0
+#define CK_TRUE 1
+#ifndef CK_DISABLE_TRUE_FALSE
+#ifndef FALSE
+#define FALSE 0
+#endif
+#ifndef TRUE
+#define TRUE 1
+#endif
+#endif
+
+typedef struct ck_version CK_VERSION;
+typedef struct ck_version *CK_VERSION_PTR;
+
+typedef struct ck_info CK_INFO;
+typedef struct ck_info *CK_INFO_PTR;
+
+typedef ck_slot_id_t *CK_SLOT_ID_PTR;
+
+typedef struct ck_slot_info CK_SLOT_INFO;
+typedef struct ck_slot_info *CK_SLOT_INFO_PTR;
+
+typedef struct ck_token_info CK_TOKEN_INFO;
+typedef struct ck_token_info *CK_TOKEN_INFO_PTR;
+
+typedef ck_session_handle_t *CK_SESSION_HANDLE_PTR;
+
+typedef struct ck_session_info CK_SESSION_INFO;
+typedef struct ck_session_info *CK_SESSION_INFO_PTR;
+
+typedef ck_object_handle_t *CK_OBJECT_HANDLE_PTR;
+
+typedef ck_object_class_t *CK_OBJECT_CLASS_PTR;
+
+typedef struct ck_attribute CK_ATTRIBUTE;
+typedef struct ck_attribute *CK_ATTRIBUTE_PTR;
+
+typedef struct ck_date CK_DATE;
+typedef struct ck_date *CK_DATE_PTR;
+
+typedef ck_mechanism_type_t *CK_MECHANISM_TYPE_PTR;
+
+typedef struct ck_mechanism CK_MECHANISM;
+typedef struct ck_mechanism *CK_MECHANISM_PTR;
+
+typedef struct ck_mechanism_info CK_MECHANISM_INFO;
+typedef struct ck_mechanism_info *CK_MECHANISM_INFO_PTR;
+
+typedef struct ck_function_list CK_FUNCTION_LIST;
+typedef struct ck_function_list *CK_FUNCTION_LIST_PTR;
+typedef struct ck_function_list **CK_FUNCTION_LIST_PTR_PTR;
+
+typedef struct ck_c_initialize_args CK_C_INITIALIZE_ARGS;
+typedef struct ck_c_initialize_args *CK_C_INITIALIZE_ARGS_PTR;
+
+#define NULL_PTR NULL
+
+/* Delete the helper macros defined at the top of the file.  */
+#undef ck_flags_t
+#undef ck_version
+
+#undef ck_info
+#undef cryptoki_version
+#undef manufacturer_id
+#undef library_description
+#undef library_version
+
+#undef ck_notification_t
+#undef ck_slot_id_t
+
+#undef ck_slot_info
+#undef slot_description
+#undef hardware_version
+#undef firmware_version
+
+#undef ck_token_info
+#undef serial_number
+#undef max_session_count
+#undef session_count
+#undef max_rw_session_count
+#undef rw_session_count
+#undef max_pin_len
+#undef min_pin_len
+#undef total_public_memory
+#undef free_public_memory
+#undef total_private_memory
+#undef free_private_memory
+#undef utc_time
+
+#undef ck_session_handle_t
+#undef ck_user_type_t
+#undef ck_state_t
+
+#undef ck_session_info
+#undef slot_id
+#undef device_error
+
+#undef ck_object_handle_t
+#undef ck_object_class_t
+#undef ck_hw_feature_type_t
+#undef ck_key_type_t
+#undef ck_certificate_type_t
+#undef ck_attribute_type_t
+
+#undef ck_attribute
+#undef value
+#undef value_len
+
+#undef ck_date
+
+#undef ck_mechanism_type_t
+
+#undef ck_mechanism
+#undef parameter
+#undef parameter_len
+
+#undef ck_mechanism_info
+#undef min_key_size
+#undef max_key_size
+
+#undef ck_rv_t
+#undef ck_notify_t
+
+#undef ck_function_list
+
+#undef ck_createmutex_t
+#undef ck_destroymutex_t
+#undef ck_lockmutex_t
+#undef ck_unlockmutex_t
+
+#undef ck_c_initialize_args
+#undef create_mutex
+#undef destroy_mutex
+#undef lock_mutex
+#undef unlock_mutex
+#undef reserved
+
+#endif	/* CRYPTOKI_COMPAT */
+
+
+/* System dependencies.  */
+#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32)
+#pragma pack(pop, cryptoki)
+#endif
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif	/* PKCS11_H */
diff --git a/crypto/heimdal/lib/hx509/req.c b/crypto/heimdal/lib/hx509/req.c
new file mode 100644
index 0000000..d7a85e1
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/req.c
@@ -0,0 +1,325 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hx_locl.h"
+#include <pkcs10_asn1.h>
+RCSID("$Id: req.c 21344 2007-06-26 14:22:34Z lha $");
+
+struct hx509_request_data {
+    hx509_name name;
+    SubjectPublicKeyInfo key;
+    ExtKeyUsage eku;
+    GeneralNames san;
+};
+
+/*
+ *
+ */
+
+int
+_hx509_request_init(hx509_context context, hx509_request *req)
+{
+    *req = calloc(1, sizeof(**req));
+    if (*req == NULL)
+	return ENOMEM;
+
+    return 0;
+}
+
+void
+_hx509_request_free(hx509_request *req)
+{
+    if ((*req)->name)
+	hx509_name_free(&(*req)->name);
+    free_SubjectPublicKeyInfo(&(*req)->key);
+    free_ExtKeyUsage(&(*req)->eku);
+    free_GeneralNames(&(*req)->san);
+    memset(*req, 0, sizeof(**req));
+    free(*req);
+    *req = NULL;
+}
+
+int
+_hx509_request_set_name(hx509_context context,
+			hx509_request req,
+			hx509_name name)
+{
+    if (req->name)
+	hx509_name_free(&req->name);
+    if (name) {
+	int ret = hx509_name_copy(context, name, &req->name);
+	if (ret)
+	    return ret;
+    }
+    return 0;
+}
+
+int
+_hx509_request_get_name(hx509_context context,
+			hx509_request req,
+			hx509_name *name)
+{
+    if (req->name == NULL) {
+	hx509_set_error_string(context, 0, EINVAL, "Request have no name");
+	return EINVAL;
+    }
+    return hx509_name_copy(context, req->name, name);
+}
+
+int
+_hx509_request_set_SubjectPublicKeyInfo(hx509_context context,
+					hx509_request req,
+					const SubjectPublicKeyInfo *key)
+{
+    free_SubjectPublicKeyInfo(&req->key);
+    return copy_SubjectPublicKeyInfo(key, &req->key);
+}
+
+int
+_hx509_request_get_SubjectPublicKeyInfo(hx509_context context,
+					hx509_request req,
+					SubjectPublicKeyInfo *key)
+{
+    return copy_SubjectPublicKeyInfo(&req->key, key);
+}
+
+int
+_hx509_request_add_eku(hx509_context context,
+		       hx509_request req,
+		       const heim_oid *oid)
+{
+    void *val;
+    int ret;
+
+    val = realloc(req->eku.val, sizeof(req->eku.val[0]) * (req->eku.len + 1));
+    if (val == NULL)
+	return ENOMEM;
+    req->eku.val = val;
+
+    ret = der_copy_oid(oid, &req->eku.val[req->eku.len]);
+    if (ret)
+	return ret;
+
+    req->eku.len += 1;
+
+    return 0;
+}
+
+int
+_hx509_request_add_dns_name(hx509_context context,
+			    hx509_request req,
+			    const char *hostname)
+{
+    GeneralName name;
+
+    memset(&name, 0, sizeof(name));
+    name.element = choice_GeneralName_dNSName;
+    name.u.dNSName = rk_UNCONST(hostname);
+
+    return add_GeneralNames(&req->san, &name);
+}
+
+int
+_hx509_request_add_email(hx509_context context,
+			 hx509_request req,
+			 const char *email)
+{
+    GeneralName name;
+
+    memset(&name, 0, sizeof(name));
+    name.element = choice_GeneralName_rfc822Name;
+    name.u.dNSName = rk_UNCONST(email);
+
+    return add_GeneralNames(&req->san, &name);
+}
+
+
+
+int
+_hx509_request_to_pkcs10(hx509_context context,
+			 const hx509_request req,
+			 const hx509_private_key signer,
+			 heim_octet_string *request)
+{
+    CertificationRequest r;
+    heim_octet_string data, os;
+    int ret;
+    size_t size;
+
+    if (req->name == NULL) {
+	hx509_set_error_string(context, 0, EINVAL,
+			       "PKCS10 needs to have a subject");
+	return EINVAL;
+    }
+
+    memset(&r, 0, sizeof(r));
+    memset(request, 0, sizeof(*request));
+
+    r.certificationRequestInfo.version = pkcs10_v1;
+
+    ret = copy_Name(&req->name->der_name,
+		    &r.certificationRequestInfo.subject);
+    if (ret)
+	goto out;
+    ret = copy_SubjectPublicKeyInfo(&req->key,
+				    &r.certificationRequestInfo.subjectPKInfo);
+    if (ret)
+	goto out;
+    r.certificationRequestInfo.attributes = 
+	calloc(1, sizeof(*r.certificationRequestInfo.attributes));
+    if (r.certificationRequestInfo.attributes == NULL) {
+	ret = ENOMEM;
+	goto out;
+    }
+
+    ASN1_MALLOC_ENCODE(CertificationRequestInfo, data.data, data.length, 
+		       &r.certificationRequestInfo, &size, ret);
+    if (ret)
+	goto out;
+    if (data.length != size)
+	abort();
+
+    ret = _hx509_create_signature(context,
+				  signer,
+				  _hx509_crypto_default_sig_alg,
+				  &data,
+				  &r.signatureAlgorithm,
+				  &os);
+    free(data.data);
+    if (ret)
+	goto out;
+    r.signature.data = os.data;
+    r.signature.length = os.length * 8;
+
+    ASN1_MALLOC_ENCODE(CertificationRequest, data.data, data.length,
+		       &r, &size, ret);
+    if (ret)
+	goto out;
+    if (data.length != size)
+	abort();
+
+    *request = data;
+
+out:
+    free_CertificationRequest(&r);
+
+    return ret;
+}
+
+int
+_hx509_request_parse(hx509_context context, 
+		     const char *path,
+		     hx509_request *req)
+{
+    CertificationRequest r;
+    CertificationRequestInfo *rinfo;
+    hx509_name subject;
+    size_t len, size;
+    void *p;
+    int ret;
+
+    if (strncmp(path, "PKCS10:", 7) != 0) {
+	hx509_set_error_string(context, 0, HX509_UNSUPPORTED_OPERATION,
+			       "unsupport type in %s", path);
+	return HX509_UNSUPPORTED_OPERATION;
+    }
+    path += 7;
+
+    /* XXX PEM request */
+
+    ret = _hx509_map_file(path, &p, &len, NULL);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret, "Failed to map file %s", path);
+	return ret;
+    }
+
+    ret = decode_CertificationRequest(p, len, &r, &size);
+    _hx509_unmap_file(p, len);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret, "Failed to decode %s", path);
+	return ret;
+    }
+
+    ret = _hx509_request_init(context, req);
+    if (ret) {
+	free_CertificationRequest(&r);
+	return ret;
+    }
+
+    rinfo = &r.certificationRequestInfo;
+
+    ret = _hx509_request_set_SubjectPublicKeyInfo(context, *req,
+						  &rinfo->subjectPKInfo);
+    if (ret) {
+	free_CertificationRequest(&r);
+	_hx509_request_free(req);
+	return ret;
+    }
+
+    ret = _hx509_name_from_Name(&rinfo->subject, &subject);
+    if (ret) {
+	free_CertificationRequest(&r);
+	_hx509_request_free(req);
+	return ret;
+    }
+    ret = _hx509_request_set_name(context, *req, subject);
+    hx509_name_free(&subject);
+    free_CertificationRequest(&r);
+    if (ret) {
+	_hx509_request_free(req);
+	return ret;
+    }
+
+    return 0;
+}
+
+
+int
+_hx509_request_print(hx509_context context, hx509_request req, FILE *f)
+{
+    int ret;
+
+    if (req->name) {
+	char *subject;
+	ret = hx509_name_to_string(req->name, &subject);
+	if (ret) {
+	    hx509_set_error_string(context, 0, ret, "Failed to print name");
+	    return ret;
+	}
+        fprintf(f, "name: %s\n", subject);
+	free(subject);
+    }
+    
+    return 0;
+}
+
diff --git a/crypto/heimdal/lib/hx509/revoke.c b/crypto/heimdal/lib/hx509/revoke.c
new file mode 100644
index 0000000..cfde439
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/revoke.c
@@ -0,0 +1,1525 @@
+/*
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/**
+ * @page page_revoke Revocation methods
+ *
+ * There are two revocation method for PKIX/X.509: CRL and OCSP.
+ * Revocation is needed if the private key is lost and
+ * stolen. Depending on how picky you are, you might want to make
+ * revocation for destroyed private keys too (smartcard broken), but
+ * that should not be a problem.
+ *
+ * CRL is a list of certifiates that have expired.
+ *
+ * OCSP is an online checking method where the requestor sends a list
+ * of certificates to the OCSP server to return a signed reply if they
+ * are valid or not. Some services sends a OCSP reply as part of the
+ * hand-shake to make the revoktion decision simpler/faster for the
+ * client.
+ */
+
+#include "hx_locl.h"
+RCSID("$Id: revoke.c 22275 2007-12-11 11:02:11Z lha $");
+
+struct revoke_crl {
+    char *path;
+    time_t last_modfied;
+    CRLCertificateList crl;
+    int verified;
+    int failed_verify;
+};
+
+struct revoke_ocsp {
+    char *path;
+    time_t last_modfied;
+    OCSPBasicOCSPResponse ocsp;
+    hx509_certs certs;
+    hx509_cert signer;
+};
+
+
+struct hx509_revoke_ctx_data {
+    unsigned ref;
+    struct {
+	struct revoke_crl *val;
+	size_t len;
+    } crls;
+    struct {
+	struct revoke_ocsp *val;
+	size_t len;
+    } ocsps;
+};
+
+/**
+ * Allocate a revokation context. Free with hx509_revoke_free().
+ *
+ * @param context A hx509 context.
+ * @param ctx returns a newly allocated revokation context.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_revoke
+ */
+
+int
+hx509_revoke_init(hx509_context context, hx509_revoke_ctx *ctx)
+{
+    *ctx = calloc(1, sizeof(**ctx));
+    if (*ctx == NULL)
+	return ENOMEM;
+
+    (*ctx)->ref = 1;
+    (*ctx)->crls.len = 0;
+    (*ctx)->crls.val = NULL;
+    (*ctx)->ocsps.len = 0;
+    (*ctx)->ocsps.val = NULL;
+
+    return 0;
+}
+
+hx509_revoke_ctx
+_hx509_revoke_ref(hx509_revoke_ctx ctx)
+{
+    if (ctx == NULL)
+	return NULL;
+    if (ctx->ref <= 0)
+	_hx509_abort("revoke ctx refcount <= 0");
+    ctx->ref++;
+    if (ctx->ref == 0)
+	_hx509_abort("revoke ctx refcount == 0");
+    return ctx;
+}
+
+static void
+free_ocsp(struct revoke_ocsp *ocsp)
+{
+    free(ocsp->path);
+    free_OCSPBasicOCSPResponse(&ocsp->ocsp);
+    hx509_certs_free(&ocsp->certs);
+    hx509_cert_free(ocsp->signer);
+}
+
+/**
+ * Free a hx509 revokation context.
+ *
+ * @param ctx context to be freed
+ *
+ * @ingroup hx509_revoke
+ */
+
+void
+hx509_revoke_free(hx509_revoke_ctx *ctx)
+{
+    size_t i ;
+
+    if (ctx == NULL || *ctx == NULL)
+	return;
+
+    if ((*ctx)->ref <= 0)
+	_hx509_abort("revoke ctx refcount <= 0 on free");
+    if (--(*ctx)->ref > 0)
+	return;
+
+    for (i = 0; i < (*ctx)->crls.len; i++) {
+	free((*ctx)->crls.val[i].path);
+	free_CRLCertificateList(&(*ctx)->crls.val[i].crl);
+    }
+
+    for (i = 0; i < (*ctx)->ocsps.len; i++)
+	free_ocsp(&(*ctx)->ocsps.val[i]);
+    free((*ctx)->ocsps.val);
+
+    free((*ctx)->crls.val);
+
+    memset(*ctx, 0, sizeof(**ctx));
+    free(*ctx);
+    *ctx = NULL;
+}
+
+static int
+verify_ocsp(hx509_context context,
+	    struct revoke_ocsp *ocsp,
+	    time_t time_now,
+	    hx509_certs certs,
+	    hx509_cert parent)
+{
+    hx509_cert signer = NULL;
+    hx509_query q;
+    int ret;
+	
+    _hx509_query_clear(&q);
+	
+    /*
+     * Need to match on issuer too in case there are two CA that have
+     * issued the same name to a certificate. One example of this is
+     * the www.openvalidation.org test's ocsp validator.
+     */
+
+    q.match = HX509_QUERY_MATCH_ISSUER_NAME;
+    q.issuer_name = &_hx509_get_cert(parent)->tbsCertificate.issuer;
+
+    switch(ocsp->ocsp.tbsResponseData.responderID.element) {
+    case choice_OCSPResponderID_byName:
+	q.match |= HX509_QUERY_MATCH_SUBJECT_NAME;
+	q.subject_name = &ocsp->ocsp.tbsResponseData.responderID.u.byName;
+	break;
+    case choice_OCSPResponderID_byKey:
+	q.match |= HX509_QUERY_MATCH_KEY_HASH_SHA1;
+	q.keyhash_sha1 = &ocsp->ocsp.tbsResponseData.responderID.u.byKey;
+	break;
+    }
+	
+    ret = hx509_certs_find(context, certs, &q, &signer);
+    if (ret && ocsp->certs)
+	ret = hx509_certs_find(context, ocsp->certs, &q, &signer);
+    if (ret)
+	goto out;
+
+    /*
+     * If signer certificate isn't the CA certificate, lets check the
+     * it is the CA that signed the signer certificate and the OCSP EKU
+     * is set.
+     */
+    if (hx509_cert_cmp(signer, parent) != 0) {
+	Certificate *p = _hx509_get_cert(parent);
+	Certificate *s = _hx509_get_cert(signer);
+
+	ret = _hx509_cert_is_parent_cmp(s, p, 0);
+	if (ret != 0) {
+	    ret = HX509_PARENT_NOT_CA;
+	    hx509_set_error_string(context, 0, ret, "Revoke OSCP signer is "
+				   "doesn't have CA as signer certificate");
+	    goto out;
+	}
+
+	ret = _hx509_verify_signature_bitstring(context,
+						p,
+						&s->signatureAlgorithm,
+						&s->tbsCertificate._save,
+						&s->signatureValue);
+	if (ret) {
+	    hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
+				   "OSCP signer signature invalid");
+	    goto out;
+	}
+
+	ret = hx509_cert_check_eku(context, signer, 
+				   oid_id_pkix_kp_OCSPSigning(), 0);
+	if (ret)
+	    goto out;
+    }
+
+    ret = _hx509_verify_signature_bitstring(context,
+					    _hx509_get_cert(signer), 
+					    &ocsp->ocsp.signatureAlgorithm,
+					    &ocsp->ocsp.tbsResponseData._save,
+					    &ocsp->ocsp.signature);
+    if (ret) {
+	hx509_set_error_string(context, HX509_ERROR_APPEND, ret, 
+			       "OSCP signature invalid");
+	goto out;
+    }
+
+    ocsp->signer = signer;
+    signer = NULL;
+out:
+    if (signer)
+	hx509_cert_free(signer);
+
+    return ret;
+}
+
+/*
+ *
+ */
+
+static int
+parse_ocsp_basic(const void *data, size_t length, OCSPBasicOCSPResponse *basic)
+{
+    OCSPResponse resp;
+    size_t size;
+    int ret;
+
+    memset(basic, 0, sizeof(*basic));
+
+    ret = decode_OCSPResponse(data, length, &resp, &size);
+    if (ret)
+	return ret;
+    if (length != size) {
+	free_OCSPResponse(&resp);
+	return ASN1_EXTRA_DATA;
+    }
+
+    switch (resp.responseStatus) {
+    case successful:
+	break;
+    default:
+	free_OCSPResponse(&resp);
+	return HX509_REVOKE_WRONG_DATA;
+    }
+
+    if (resp.responseBytes == NULL) {
+	free_OCSPResponse(&resp);
+	return EINVAL;
+    }
+
+    ret = der_heim_oid_cmp(&resp.responseBytes->responseType, 
+			   oid_id_pkix_ocsp_basic());
+    if (ret != 0) {
+	free_OCSPResponse(&resp);
+	return HX509_REVOKE_WRONG_DATA;
+    }
+
+    ret = decode_OCSPBasicOCSPResponse(resp.responseBytes->response.data,
+				       resp.responseBytes->response.length,
+				       basic,
+				       &size);
+    if (ret) {
+	free_OCSPResponse(&resp);
+	return ret;
+    }
+    if (size != resp.responseBytes->response.length) {
+	free_OCSPResponse(&resp);
+	free_OCSPBasicOCSPResponse(basic);
+	return ASN1_EXTRA_DATA;
+    }
+    free_OCSPResponse(&resp);
+
+    return 0;
+}
+
+/*
+ *
+ */
+
+static int
+load_ocsp(hx509_context context, struct revoke_ocsp *ocsp)
+{
+    OCSPBasicOCSPResponse basic;
+    hx509_certs certs = NULL;
+    size_t length;
+    struct stat sb;
+    void *data;
+    int ret;
+
+    ret = _hx509_map_file(ocsp->path, &data, &length, &sb);
+    if (ret)
+	return ret;
+
+    ret = parse_ocsp_basic(data, length, &basic);
+    _hx509_unmap_file(data, length);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret,
+			       "Failed to parse OCSP response");
+	return ret;
+    }
+
+    if (basic.certs) {
+	int i;
+
+	ret = hx509_certs_init(context, "MEMORY:ocsp-certs", 0, 
+			       NULL, &certs);
+	if (ret) {
+	    free_OCSPBasicOCSPResponse(&basic);
+	    return ret;
+	}
+
+	for (i = 0; i < basic.certs->len; i++) {
+	    hx509_cert c;
+	    
+	    ret = hx509_cert_init(context, &basic.certs->val[i], &c);
+	    if (ret)
+		continue;
+	    
+	    ret = hx509_certs_add(context, certs, c);
+	    hx509_cert_free(c);
+	    if (ret)
+		continue;
+	}
+    }
+
+    ocsp->last_modfied = sb.st_mtime;
+
+    free_OCSPBasicOCSPResponse(&ocsp->ocsp);
+    hx509_certs_free(&ocsp->certs);
+    hx509_cert_free(ocsp->signer);
+
+    ocsp->ocsp = basic;
+    ocsp->certs = certs;
+    ocsp->signer = NULL;
+
+    return 0;
+}
+
+/**
+ * Add a OCSP file to the revokation context.
+ *
+ * @param context hx509 context
+ * @param ctx hx509 revokation context
+ * @param path path to file that is going to be added to the context.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_revoke
+ */
+
+int
+hx509_revoke_add_ocsp(hx509_context context,
+		      hx509_revoke_ctx ctx,
+		      const char *path)
+{
+    void *data;
+    int ret;
+    size_t i;
+
+    if (strncmp(path, "FILE:", 5) != 0) {
+	hx509_set_error_string(context, 0, HX509_UNSUPPORTED_OPERATION,
+			       "unsupport type in %s", path);
+	return HX509_UNSUPPORTED_OPERATION;
+    }
+
+    path += 5;
+
+    for (i = 0; i < ctx->ocsps.len; i++) {
+	if (strcmp(ctx->ocsps.val[0].path, path) == 0)
+	    return 0;
+    }
+
+    data = realloc(ctx->ocsps.val, 
+		   (ctx->ocsps.len + 1) * sizeof(ctx->ocsps.val[0]));
+    if (data == NULL) {
+	hx509_clear_error_string(context);
+	return ENOMEM;
+    }
+
+    ctx->ocsps.val = data;
+
+    memset(&ctx->ocsps.val[ctx->ocsps.len], 0, 
+	   sizeof(ctx->ocsps.val[0]));
+
+    ctx->ocsps.val[ctx->ocsps.len].path = strdup(path);
+    if (ctx->ocsps.val[ctx->ocsps.len].path == NULL) {
+	hx509_clear_error_string(context);
+	return ENOMEM;
+    }
+
+    ret = load_ocsp(context, &ctx->ocsps.val[ctx->ocsps.len]);
+    if (ret) {
+	free(ctx->ocsps.val[ctx->ocsps.len].path);
+	return ret;
+    }
+    ctx->ocsps.len++;
+
+    return ret;
+}
+
+/*
+ *
+ */
+
+static int
+verify_crl(hx509_context context,
+	   hx509_revoke_ctx ctx,
+	   CRLCertificateList *crl,
+	   time_t time_now,
+	   hx509_certs certs,
+	   hx509_cert parent)
+{
+    hx509_cert signer;
+    hx509_query q;
+    time_t t;
+    int ret;
+	
+    t = _hx509_Time2time_t(&crl->tbsCertList.thisUpdate);
+    if (t > time_now) {
+	hx509_set_error_string(context, 0, HX509_CRL_USED_BEFORE_TIME,
+			       "CRL used before time");
+	return HX509_CRL_USED_BEFORE_TIME;
+    }
+
+    if (crl->tbsCertList.nextUpdate == NULL) {
+	hx509_set_error_string(context, 0, HX509_CRL_INVALID_FORMAT,
+			       "CRL missing nextUpdate");
+	return HX509_CRL_INVALID_FORMAT;
+    }
+
+    t = _hx509_Time2time_t(crl->tbsCertList.nextUpdate);
+    if (t < time_now) {
+	hx509_set_error_string(context, 0, HX509_CRL_USED_AFTER_TIME,
+			       "CRL used after time");
+	return HX509_CRL_USED_AFTER_TIME;
+    }
+
+    _hx509_query_clear(&q);
+	
+    /*
+     * If it's the signer have CRLSIGN bit set, use that as the signer
+     * cert for the certificate, otherwise, search for a certificate.
+     */
+    if (_hx509_check_key_usage(context, parent, 1 << 6, FALSE) == 0) {
+	signer = hx509_cert_ref(parent);
+    } else {
+	q.match = HX509_QUERY_MATCH_SUBJECT_NAME;
+	q.match |= HX509_QUERY_KU_CRLSIGN;
+	q.subject_name = &crl->tbsCertList.issuer;
+	
+	ret = hx509_certs_find(context, certs, &q, &signer);
+	if (ret) {
+	    hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
+				   "Failed to find certificate for CRL");
+	    return ret;
+	}
+    }
+
+    ret = _hx509_verify_signature_bitstring(context,
+					    _hx509_get_cert(signer), 
+					    &crl->signatureAlgorithm,
+					    &crl->tbsCertList._save,
+					    &crl->signatureValue);
+    if (ret) {
+	hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
+			       "CRL signature invalid");
+	goto out;
+    }
+
+    /* 
+     * If signer is not CA cert, need to check revoke status of this
+     * CRL signing cert too, this include all parent CRL signer cert
+     * up to the root *sigh*, assume root at least hve CERTSIGN flag
+     * set.
+     */
+    while (_hx509_check_key_usage(context, signer, 1 << 5, TRUE)) {
+	hx509_cert crl_parent;
+
+	_hx509_query_clear(&q);
+	
+	q.match = HX509_QUERY_MATCH_SUBJECT_NAME;
+	q.match |= HX509_QUERY_KU_CRLSIGN;
+	q.subject_name = &_hx509_get_cert(signer)->tbsCertificate.issuer;
+	
+	ret = hx509_certs_find(context, certs, &q, &crl_parent);
+	if (ret) {
+	    hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
+				   "Failed to find parent of CRL signer");
+	    goto out;
+	}
+
+	ret = hx509_revoke_verify(context,
+				  ctx, 
+				  certs,
+				  time_now,
+				  signer,
+				  crl_parent);
+	hx509_cert_free(signer);
+	signer = crl_parent;
+	if (ret) {
+	    hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
+				   "Failed to verify revoke "
+				   "status of CRL signer");
+	    goto out;
+	}
+    }
+
+out:
+    hx509_cert_free(signer);
+
+    return ret;
+}
+
+static int
+load_crl(const char *path, time_t *t, CRLCertificateList *crl)
+{
+    size_t length, size;
+    struct stat sb;
+    void *data;
+    int ret;
+
+    memset(crl, 0, sizeof(*crl));
+
+    ret = _hx509_map_file(path, &data, &length, &sb);
+    if (ret)
+	return ret;
+
+    *t = sb.st_mtime;
+
+    ret = decode_CRLCertificateList(data, length, crl, &size);
+    _hx509_unmap_file(data, length);
+    if (ret)
+	return ret;
+
+    /* check signature is aligned */
+    if (crl->signatureValue.length & 7) {
+	free_CRLCertificateList(crl);
+	return HX509_CRYPTO_SIG_INVALID_FORMAT;
+    }
+    return 0;
+}
+
+/**
+ * Add a CRL file to the revokation context.
+ *
+ * @param context hx509 context
+ * @param ctx hx509 revokation context
+ * @param path path to file that is going to be added to the context.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_revoke
+ */
+
+int
+hx509_revoke_add_crl(hx509_context context,
+		     hx509_revoke_ctx ctx,
+		     const char *path)
+{
+    void *data;
+    size_t i;
+    int ret;
+
+    if (strncmp(path, "FILE:", 5) != 0) {
+	hx509_set_error_string(context, 0, HX509_UNSUPPORTED_OPERATION,
+			       "unsupport type in %s", path);
+	return HX509_UNSUPPORTED_OPERATION;
+    }
+
+    
+    path += 5;
+
+    for (i = 0; i < ctx->crls.len; i++) {
+	if (strcmp(ctx->crls.val[0].path, path) == 0)
+	    return 0;
+    }
+
+    data = realloc(ctx->crls.val, 
+		   (ctx->crls.len + 1) * sizeof(ctx->crls.val[0]));
+    if (data == NULL) {
+	hx509_clear_error_string(context);
+	return ENOMEM;
+    }
+    ctx->crls.val = data;
+
+    memset(&ctx->crls.val[ctx->crls.len], 0, sizeof(ctx->crls.val[0]));
+
+    ctx->crls.val[ctx->crls.len].path = strdup(path);
+    if (ctx->crls.val[ctx->crls.len].path == NULL) {
+	hx509_clear_error_string(context);
+	return ENOMEM;
+    }
+
+    ret = load_crl(path, 
+		   &ctx->crls.val[ctx->crls.len].last_modfied,
+		   &ctx->crls.val[ctx->crls.len].crl);
+    if (ret) {
+	free(ctx->crls.val[ctx->crls.len].path);
+	return ret;
+    }
+
+    ctx->crls.len++;
+
+    return ret;
+}
+
+/**
+ * Check that a certificate is not expired according to a revokation
+ * context. Also need the parent certificte to the check OCSP
+ * parent identifier.
+ *
+ * @param context hx509 context
+ * @param ctx hx509 revokation context
+ * @param certs
+ * @param now
+ * @param cert
+ * @param parent_cert
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_revoke
+ */
+
+
+int
+hx509_revoke_verify(hx509_context context,
+		    hx509_revoke_ctx ctx,
+		    hx509_certs certs,
+		    time_t now,
+		    hx509_cert cert,
+		    hx509_cert parent_cert)
+{
+    const Certificate *c = _hx509_get_cert(cert);
+    const Certificate *p = _hx509_get_cert(parent_cert);
+    unsigned long i, j, k;
+    int ret;
+
+    hx509_clear_error_string(context);
+
+    for (i = 0; i < ctx->ocsps.len; i++) {
+	struct revoke_ocsp *ocsp = &ctx->ocsps.val[i];
+	struct stat sb;
+
+	/* check this ocsp apply to this cert */
+
+	/* check if there is a newer version of the file */
+	ret = stat(ocsp->path, &sb);
+	if (ret == 0 && ocsp->last_modfied != sb.st_mtime) {
+	    ret = load_ocsp(context, ocsp);
+	    if (ret)
+		continue;
+	}
+
+	/* verify signature in ocsp if not already done */
+	if (ocsp->signer == NULL) {
+	    ret = verify_ocsp(context, ocsp, now, certs, parent_cert);
+	    if (ret)
+		continue;
+	}
+
+	for (j = 0; j < ocsp->ocsp.tbsResponseData.responses.len; j++) {
+	    heim_octet_string os;
+
+	    ret = der_heim_integer_cmp(&ocsp->ocsp.tbsResponseData.responses.val[j].certID.serialNumber,
+				   &c->tbsCertificate.serialNumber);
+	    if (ret != 0)
+		continue;
+	    
+	    /* verify issuer hashes hash */
+	    ret = _hx509_verify_signature(context,
+					  NULL,
+					  &ocsp->ocsp.tbsResponseData.responses.val[i].certID.hashAlgorithm,
+					  &c->tbsCertificate.issuer._save,
+					  &ocsp->ocsp.tbsResponseData.responses.val[i].certID.issuerNameHash);
+	    if (ret != 0)
+		continue;
+
+	    os.data = p->tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data;
+	    os.length = p->tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.length / 8;
+
+	    ret = _hx509_verify_signature(context,
+					  NULL,
+					  &ocsp->ocsp.tbsResponseData.responses.val[j].certID.hashAlgorithm,
+					  &os,
+					  &ocsp->ocsp.tbsResponseData.responses.val[j].certID.issuerKeyHash);
+	    if (ret != 0)
+		continue;
+
+	    switch (ocsp->ocsp.tbsResponseData.responses.val[j].certStatus.element) {
+	    case choice_OCSPCertStatus_good:
+		break;
+	    case choice_OCSPCertStatus_revoked:
+		hx509_set_error_string(context, 0, 
+				       HX509_CERT_REVOKED,
+				       "Certificate revoked by issuer in OCSP");
+		return HX509_CERT_REVOKED;
+	    case choice_OCSPCertStatus_unknown:
+		continue;
+	    }
+
+	    /* don't allow the update to be in the future */
+	    if (ocsp->ocsp.tbsResponseData.responses.val[j].thisUpdate > 
+		now + context->ocsp_time_diff)
+		continue;
+
+	    /* don't allow the next update to be in the past */
+	    if (ocsp->ocsp.tbsResponseData.responses.val[j].nextUpdate) {
+		if (*ocsp->ocsp.tbsResponseData.responses.val[j].nextUpdate < now)
+		    continue;
+	    } else
+		/* Should force a refetch, but can we ? */;
+
+	    return 0;
+	}
+    }
+
+    for (i = 0; i < ctx->crls.len; i++) {
+	struct revoke_crl *crl = &ctx->crls.val[i];
+	struct stat sb;
+
+	/* check if cert.issuer == crls.val[i].crl.issuer */
+	ret = _hx509_name_cmp(&c->tbsCertificate.issuer, 
+			      &crl->crl.tbsCertList.issuer);
+	if (ret)
+	    continue;
+
+	ret = stat(crl->path, &sb);
+	if (ret == 0 && crl->last_modfied != sb.st_mtime) {
+	    CRLCertificateList cl;
+
+	    ret = load_crl(crl->path, &crl->last_modfied, &cl);
+	    if (ret == 0) {
+		free_CRLCertificateList(&crl->crl);
+		crl->crl = cl;
+		crl->verified = 0;
+		crl->failed_verify = 0;
+	    }
+	}
+	if (crl->failed_verify)
+	    continue;
+
+	/* verify signature in crl if not already done */
+	if (crl->verified == 0) {
+	    ret = verify_crl(context, ctx, &crl->crl, now, certs, parent_cert);
+	    if (ret) {
+		crl->failed_verify = 1;
+		continue;
+	    }
+	    crl->verified = 1;
+	}
+
+	if (crl->crl.tbsCertList.crlExtensions) {
+	    for (j = 0; j < crl->crl.tbsCertList.crlExtensions->len; j++) {
+		if (crl->crl.tbsCertList.crlExtensions->val[j].critical) {
+		    hx509_set_error_string(context, 0, 
+					   HX509_CRL_UNKNOWN_EXTENSION,
+					   "Unknown CRL extension");
+		    return HX509_CRL_UNKNOWN_EXTENSION;
+		}
+	    }
+	}
+
+	if (crl->crl.tbsCertList.revokedCertificates == NULL)
+	    return 0;
+
+	/* check if cert is in crl */
+	for (j = 0; j < crl->crl.tbsCertList.revokedCertificates->len; j++) {
+	    time_t t;
+
+	    ret = der_heim_integer_cmp(&crl->crl.tbsCertList.revokedCertificates->val[j].userCertificate,
+				       &c->tbsCertificate.serialNumber);
+	    if (ret != 0)
+		continue;
+
+	    t = _hx509_Time2time_t(&crl->crl.tbsCertList.revokedCertificates->val[j].revocationDate);
+	    if (t > now)
+		continue;
+	    
+	    if (crl->crl.tbsCertList.revokedCertificates->val[j].crlEntryExtensions)
+		for (k = 0; k < crl->crl.tbsCertList.revokedCertificates->val[j].crlEntryExtensions->len; k++)
+		    if (crl->crl.tbsCertList.revokedCertificates->val[j].crlEntryExtensions->val[k].critical)
+			return HX509_CRL_UNKNOWN_EXTENSION;
+	    
+	    hx509_set_error_string(context, 0, 
+				   HX509_CERT_REVOKED,
+				   "Certificate revoked by issuer in CRL");
+	    return HX509_CERT_REVOKED;
+	}
+
+	return 0;
+    }
+
+
+    if (context->flags & HX509_CTX_VERIFY_MISSING_OK)
+	return 0;
+    hx509_set_error_string(context, HX509_ERROR_APPEND, 
+			   HX509_REVOKE_STATUS_MISSING,
+			   "No revoke status found for "
+			   "certificates");
+    return HX509_REVOKE_STATUS_MISSING;
+}
+
+struct ocsp_add_ctx {
+    OCSPTBSRequest *req;
+    hx509_certs certs;
+    const AlgorithmIdentifier *digest;
+    hx509_cert parent;
+};
+
+static int
+add_to_req(hx509_context context, void *ptr, hx509_cert cert)
+{
+    struct ocsp_add_ctx *ctx = ptr;
+    OCSPInnerRequest *one;
+    hx509_cert parent = NULL;
+    Certificate *p, *c = _hx509_get_cert(cert);
+    heim_octet_string os;
+    int ret;
+    hx509_query q;
+    void *d;
+
+    d = realloc(ctx->req->requestList.val, 
+		sizeof(ctx->req->requestList.val[0]) *
+		(ctx->req->requestList.len + 1));
+    if (d == NULL)
+	return ENOMEM;
+    ctx->req->requestList.val = d;
+    
+    one = &ctx->req->requestList.val[ctx->req->requestList.len];
+    memset(one, 0, sizeof(*one));
+
+    _hx509_query_clear(&q);
+
+    q.match |= HX509_QUERY_FIND_ISSUER_CERT;
+    q.subject = c;
+
+    ret = hx509_certs_find(context, ctx->certs, &q, &parent);
+    if (ret)
+	goto out;
+
+    if (ctx->parent) {
+	if (hx509_cert_cmp(ctx->parent, parent) != 0) {
+	    ret = HX509_REVOKE_NOT_SAME_PARENT;
+	    hx509_set_error_string(context, 0, ret,
+				   "Not same parent certifate as "
+				   "last certificate in request");
+	    goto out;
+	}
+    } else
+	ctx->parent = hx509_cert_ref(parent);
+
+    p = _hx509_get_cert(parent);
+
+    ret = copy_AlgorithmIdentifier(ctx->digest, &one->reqCert.hashAlgorithm);
+    if (ret)
+	goto out;
+
+    ret = _hx509_create_signature(context,
+				  NULL,
+				  &one->reqCert.hashAlgorithm,
+				  &c->tbsCertificate.issuer._save,
+				  NULL,
+				  &one->reqCert.issuerNameHash);
+    if (ret)
+	goto out;
+
+    os.data = p->tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data;
+    os.length = 
+	p->tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.length / 8;
+
+    ret = _hx509_create_signature(context,
+				  NULL,
+				  &one->reqCert.hashAlgorithm,
+				  &os,
+				  NULL,
+				  &one->reqCert.issuerKeyHash);
+    if (ret)
+	goto out;
+
+    ret = copy_CertificateSerialNumber(&c->tbsCertificate.serialNumber,
+				       &one->reqCert.serialNumber);
+    if (ret)
+	goto out;
+
+    ctx->req->requestList.len++;
+out:
+    hx509_cert_free(parent);
+    if (ret) {
+	free_OCSPInnerRequest(one);
+	memset(one, 0, sizeof(*one));
+    }
+
+    return ret;
+}
+
+/**
+ * Create an OCSP request for a set of certificates.
+ *
+ * @param context a hx509 context
+ * @param reqcerts list of certificates to request ocsp data for
+ * @param pool certificate pool to use when signing
+ * @param signer certificate to use to sign the request
+ * @param digest the signing algorithm in the request, if NULL use the
+ * default signature algorithm,
+ * @param request the encoded request, free with free_heim_octet_string().
+ * @param nonce nonce in the request, free with free_heim_octet_string().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_revoke
+ */
+
+int
+hx509_ocsp_request(hx509_context context,
+		   hx509_certs reqcerts,
+		   hx509_certs pool,
+		   hx509_cert signer,
+		   const AlgorithmIdentifier *digest,
+		   heim_octet_string *request,
+		   heim_octet_string *nonce)
+{
+    OCSPRequest req;
+    size_t size;
+    int ret;
+    struct ocsp_add_ctx ctx;
+    Extensions *es;
+
+    memset(&req, 0, sizeof(req));
+
+    if (digest == NULL)
+	digest = _hx509_crypto_default_digest_alg;
+
+    ctx.req = &req.tbsRequest;
+    ctx.certs = pool;
+    ctx.digest = digest;
+    ctx.parent = NULL;
+
+    ret = hx509_certs_iter(context, reqcerts, add_to_req, &ctx);
+    hx509_cert_free(ctx.parent);
+    if (ret)
+	goto out;
+    
+    if (nonce) {
+	req.tbsRequest.requestExtensions = 
+	    calloc(1, sizeof(*req.tbsRequest.requestExtensions));
+	if (req.tbsRequest.requestExtensions == NULL) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+
+	es = req.tbsRequest.requestExtensions;
+	
+	es->val = calloc(es->len, sizeof(es->val[0]));
+	if (es->val == NULL) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+	es->len = 1;
+	
+	ret = der_copy_oid(oid_id_pkix_ocsp_nonce(), &es->val[0].extnID);
+	if (ret) {
+	    free_OCSPRequest(&req);
+	    return ret;
+	}
+
+	es->val[0].extnValue.data = malloc(10);
+	if (es->val[0].extnValue.data == NULL) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+	es->val[0].extnValue.length = 10;
+	
+	ret = RAND_bytes(es->val[0].extnValue.data,
+			 es->val[0].extnValue.length);
+	if (ret != 1) {
+	    ret = HX509_CRYPTO_INTERNAL_ERROR;
+	    goto out;
+	}
+	ret = der_copy_octet_string(nonce, &es->val[0].extnValue);
+	if (ret) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+    }
+
+    ASN1_MALLOC_ENCODE(OCSPRequest, request->data, request->length,
+		       &req, &size, ret);
+    free_OCSPRequest(&req);
+    if (ret)
+	goto out;
+    if (size != request->length)
+	_hx509_abort("internal ASN.1 encoder error");
+
+    return 0;
+
+out:
+    free_OCSPRequest(&req);
+    return ret;
+}
+
+static char *
+printable_time(time_t t)
+{
+    static char s[128];
+    strlcpy(s, ctime(&t)+ 4, sizeof(s));
+    s[20] = 0;
+    return s;
+}
+
+/**
+ * Print the OCSP reply stored in a file.
+ *
+ * @param context a hx509 context
+ * @param path path to a file with a OCSP reply
+ * @param out the out FILE descriptor to print the reply on
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_revoke
+ */
+
+int
+hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
+{
+    struct revoke_ocsp ocsp;
+    int ret, i;
+    
+    if (out == NULL)
+	out = stdout;
+
+    memset(&ocsp, 0, sizeof(ocsp));
+
+    ocsp.path = strdup(path);
+    if (ocsp.path == NULL)
+	return ENOMEM;
+
+    ret = load_ocsp(context, &ocsp);
+    if (ret) {
+	free_ocsp(&ocsp);
+	return ret;
+    }
+
+    fprintf(out, "signer: ");
+
+    switch(ocsp.ocsp.tbsResponseData.responderID.element) {
+    case choice_OCSPResponderID_byName: {
+	hx509_name n;
+	char *s;
+	_hx509_name_from_Name(&ocsp.ocsp.tbsResponseData.responderID.u.byName, &n);
+	hx509_name_to_string(n, &s);
+	hx509_name_free(&n);
+	fprintf(out, " byName: %s\n", s);
+	free(s);
+	break;
+    }
+    case choice_OCSPResponderID_byKey: {
+	char *s;
+	hex_encode(ocsp.ocsp.tbsResponseData.responderID.u.byKey.data,
+		   ocsp.ocsp.tbsResponseData.responderID.u.byKey.length,
+		   &s);
+	fprintf(out, " byKey: %s\n", s);
+	free(s);
+	break;
+    }
+    default:
+	_hx509_abort("choice_OCSPResponderID unknown");
+	break;
+    }
+
+    fprintf(out, "producedAt: %s\n", 
+	    printable_time(ocsp.ocsp.tbsResponseData.producedAt));
+
+    fprintf(out, "replies: %d\n", ocsp.ocsp.tbsResponseData.responses.len);
+
+    for (i = 0; i < ocsp.ocsp.tbsResponseData.responses.len; i++) {
+	const char *status;
+	switch (ocsp.ocsp.tbsResponseData.responses.val[i].certStatus.element) {
+	case choice_OCSPCertStatus_good:
+	    status = "good";
+	    break;
+	case choice_OCSPCertStatus_revoked:
+	    status = "revoked";
+	    break;
+	case choice_OCSPCertStatus_unknown:
+	    status = "unknown";
+	    break;
+	default:
+	    status = "element unknown";
+	}
+
+	fprintf(out, "\t%d. status: %s\n", i, status);
+
+	fprintf(out, "\tthisUpdate: %s\n", 
+		printable_time(ocsp.ocsp.tbsResponseData.responses.val[i].thisUpdate));
+	if (ocsp.ocsp.tbsResponseData.responses.val[i].nextUpdate)
+	    fprintf(out, "\tproducedAt: %s\n", 
+		    printable_time(ocsp.ocsp.tbsResponseData.responses.val[i].thisUpdate));
+
+    }
+
+    fprintf(out, "appended certs:\n");
+    if (ocsp.certs)
+	ret = hx509_certs_iter(context, ocsp.certs, hx509_ci_print_names, out);
+
+    free_ocsp(&ocsp);
+    return ret;
+}
+
+/**
+ * Verify that the certificate is part of the OCSP reply and it's not
+ * expired. Doesn't verify signature the OCSP reply or it's done by a
+ * authorized sender, that is assumed to be already done.
+ *
+ * @param context a hx509 context
+ * @param now the time right now, if 0, use the current time.
+ * @param cert the certificate to verify
+ * @param flags flags control the behavior
+ * @param data pointer to the encode ocsp reply
+ * @param length the length of the encode ocsp reply
+ * @param expiration return the time the OCSP will expire and need to
+ * be rechecked.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_verify
+ */
+
+int
+hx509_ocsp_verify(hx509_context context,
+		  time_t now,
+		  hx509_cert cert,
+		  int flags,
+		  const void *data, size_t length,
+		  time_t *expiration)
+{
+    const Certificate *c = _hx509_get_cert(cert);
+    OCSPBasicOCSPResponse basic;
+    int ret, i;
+
+    if (now == 0)
+	now = time(NULL);
+
+    *expiration = 0;
+
+    ret = parse_ocsp_basic(data, length, &basic);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret,
+			       "Failed to parse OCSP response");
+	return ret;
+    }
+
+    for (i = 0; i < basic.tbsResponseData.responses.len; i++) {
+
+	ret = der_heim_integer_cmp(&basic.tbsResponseData.responses.val[i].certID.serialNumber,
+			       &c->tbsCertificate.serialNumber);
+	if (ret != 0)
+	    continue;
+	    
+	/* verify issuer hashes hash */
+	ret = _hx509_verify_signature(context,
+				      NULL,
+				      &basic.tbsResponseData.responses.val[i].certID.hashAlgorithm,
+				      &c->tbsCertificate.issuer._save,
+				      &basic.tbsResponseData.responses.val[i].certID.issuerNameHash);
+	if (ret != 0)
+	    continue;
+
+	switch (basic.tbsResponseData.responses.val[i].certStatus.element) {
+	case choice_OCSPCertStatus_good:
+	    break;
+	case choice_OCSPCertStatus_revoked:
+	case choice_OCSPCertStatus_unknown:
+	    continue;
+	}
+
+	/* don't allow the update to be in the future */
+	if (basic.tbsResponseData.responses.val[i].thisUpdate > 
+	    now + context->ocsp_time_diff)
+	    continue;
+
+	/* don't allow the next update to be in the past */
+	if (basic.tbsResponseData.responses.val[i].nextUpdate) {
+	    if (*basic.tbsResponseData.responses.val[i].nextUpdate < now)
+		continue;
+	    *expiration = *basic.tbsResponseData.responses.val[i].nextUpdate;
+	} else
+	    *expiration = now;
+
+	free_OCSPBasicOCSPResponse(&basic);
+	return 0;
+    }
+
+    free_OCSPBasicOCSPResponse(&basic);
+
+    {
+	hx509_name name;
+	char *subject;
+	
+	ret = hx509_cert_get_subject(cert, &name);
+	if (ret) {
+	    hx509_clear_error_string(context);
+	    goto out;
+	}
+	ret = hx509_name_to_string(name, &subject);
+	hx509_name_free(&name);
+	if (ret) {
+	    hx509_clear_error_string(context);
+	    goto out;
+	}
+	hx509_set_error_string(context, 0, HX509_CERT_NOT_IN_OCSP,
+			       "Certificate %s not in OCSP response "
+			       "or not good",
+			       subject);
+	free(subject);
+    }
+out:
+    return HX509_CERT_NOT_IN_OCSP;
+}
+
+struct hx509_crl {
+    hx509_certs revoked;
+    time_t expire;
+};
+
+/**
+ * Create a CRL context. Use hx509_crl_free() to free the CRL context.
+ *
+ * @param context a hx509 context.
+ * @param crl return pointer to a newly allocated CRL context.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_verify
+ */
+
+int
+hx509_crl_alloc(hx509_context context, hx509_crl *crl)
+{
+    int ret;
+
+    *crl = calloc(1, sizeof(**crl));
+    if (*crl == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+
+    ret = hx509_certs_init(context, "MEMORY:crl", 0, NULL, &(*crl)->revoked);
+    if (ret) {
+	free(*crl);
+	*crl = NULL;
+	return ret;
+    }
+    (*crl)->expire = 0;
+    return ret;
+}
+
+/**
+ * Add revoked certificate to an CRL context.
+ *
+ * @param context a hx509 context.
+ * @param crl the CRL to add the revoked certificate to.
+ * @param certs keyset of certificate to revoke.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_verify
+ */
+
+int
+hx509_crl_add_revoked_certs(hx509_context context,
+			    hx509_crl crl, 
+			    hx509_certs certs)
+{
+    return hx509_certs_merge(context, crl->revoked, certs);
+}
+
+/**
+ * Set the lifetime of a CRL context.
+ *
+ * @param context a hx509 context.
+ * @param crl a CRL context
+ * @param delta delta time the certificate is valid, library adds the
+ * current time to this.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_verify
+ */
+
+int
+hx509_crl_lifetime(hx509_context context, hx509_crl crl, int delta)
+{
+    crl->expire = time(NULL) + delta;
+    return 0;
+}
+
+/**
+ * Free a CRL context.
+ *
+ * @param context a hx509 context.
+ * @param crl a CRL context to free.
+ *
+ * @ingroup hx509_verify
+ */
+
+void
+hx509_crl_free(hx509_context context, hx509_crl *crl)
+{
+    if (*crl == NULL)
+	return;
+    hx509_certs_free(&(*crl)->revoked);
+    memset(*crl, 0, sizeof(**crl));
+    free(*crl);
+    *crl = NULL;
+}
+
+static int
+add_revoked(hx509_context context, void *ctx, hx509_cert cert)
+{
+    TBSCRLCertList *c = ctx;
+    unsigned int num;
+    void *ptr;
+    int ret;
+
+    num = c->revokedCertificates->len;
+    ptr = realloc(c->revokedCertificates->val,
+		  (num + 1) * sizeof(c->revokedCertificates->val[0]));
+    if (ptr == NULL) {
+	hx509_clear_error_string(context);
+	return ENOMEM;
+    }
+    c->revokedCertificates->val = ptr;
+
+    ret = hx509_cert_get_serialnumber(cert, 
+				      &c->revokedCertificates->val[num].userCertificate);
+    if (ret) {
+	hx509_clear_error_string(context);
+	return ret;
+    }
+    c->revokedCertificates->val[num].revocationDate.element = 
+	choice_Time_generalTime;
+    c->revokedCertificates->val[num].revocationDate.u.generalTime =
+	time(NULL) - 3600 * 24;
+    c->revokedCertificates->val[num].crlEntryExtensions = NULL;
+
+    c->revokedCertificates->len++;
+
+    return 0;
+}    
+
+/**
+ * Sign a CRL and return an encode certificate.
+ *
+ * @param context a hx509 context.
+ * @param signer certificate to sign the CRL with
+ * @param crl the CRL to sign
+ * @param os return the signed and encoded CRL, free with
+ * free_heim_octet_string()
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_verify
+ */
+
+int
+hx509_crl_sign(hx509_context context,
+	       hx509_cert signer,
+	       hx509_crl crl,
+	       heim_octet_string *os)
+{
+    const AlgorithmIdentifier *sigalg = _hx509_crypto_default_sig_alg;
+    CRLCertificateList c;
+    size_t size;
+    int ret;
+    hx509_private_key signerkey;
+
+    memset(&c, 0, sizeof(c));
+
+    signerkey = _hx509_cert_private_key(signer);
+    if (signerkey == NULL) {
+	ret = HX509_PRIVATE_KEY_MISSING;
+	hx509_set_error_string(context, 0, ret,
+			       "Private key missing for CRL signing");
+	return ret;
+    }
+
+    c.tbsCertList.version = malloc(sizeof(*c.tbsCertList.version));
+    if (c.tbsCertList.version == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	return ENOMEM;
+    }
+
+    *c.tbsCertList.version = 1;
+
+    ret = copy_AlgorithmIdentifier(sigalg, &c.tbsCertList.signature);
+    if (ret) {
+	hx509_clear_error_string(context);
+	goto out;
+    }
+
+    ret = copy_Name(&_hx509_get_cert(signer)->tbsCertificate.issuer,
+		    &c.tbsCertList.issuer);
+    if (ret) {
+	hx509_clear_error_string(context);
+	goto out;
+    }
+
+    c.tbsCertList.thisUpdate.element = choice_Time_generalTime;
+    c.tbsCertList.thisUpdate.u.generalTime = time(NULL) - 24 * 3600;
+
+    c.tbsCertList.nextUpdate = malloc(sizeof(*c.tbsCertList.nextUpdate));
+    if (c.tbsCertList.nextUpdate == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	ret = ENOMEM;
+	goto out;
+    }
+
+    {
+	time_t next = crl->expire;
+	if (next == 0)
+	    next = time(NULL) + 24 * 3600 * 365;
+
+	c.tbsCertList.nextUpdate->element = choice_Time_generalTime;
+	c.tbsCertList.nextUpdate->u.generalTime = next;
+    }
+
+    c.tbsCertList.revokedCertificates = 
+	calloc(1, sizeof(*c.tbsCertList.revokedCertificates));
+    if (c.tbsCertList.revokedCertificates == NULL) {
+	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+	ret = ENOMEM;
+	goto out;
+    }
+    c.tbsCertList.crlExtensions = NULL;
+
+    ret = hx509_certs_iter(context, crl->revoked, add_revoked, &c.tbsCertList);
+    if (ret)
+	goto out;
+
+    /* if not revoked certs, remove OPTIONAL entry */
+    if (c.tbsCertList.revokedCertificates->len == 0) {
+	free(c.tbsCertList.revokedCertificates);
+	c.tbsCertList.revokedCertificates = NULL;
+    }
+
+    ASN1_MALLOC_ENCODE(TBSCRLCertList, os->data, os->length,
+		       &c.tbsCertList, &size, ret);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret, "failed to encode tbsCRL");
+	goto out;
+    }
+    if (size != os->length)
+	_hx509_abort("internal ASN.1 encoder error");
+
+
+    ret = _hx509_create_signature_bitstring(context,
+					    signerkey,
+					    sigalg,
+					    os,
+					    &c.signatureAlgorithm,
+					    &c.signatureValue);
+    free(os->data);
+
+    ASN1_MALLOC_ENCODE(CRLCertificateList, os->data, os->length,
+		       &c, &size, ret);
+    free_CRLCertificateList(&c);
+    if (ret) {
+	hx509_set_error_string(context, 0, ret, "failed to encode CRL");
+	goto out;
+    }
+    if (size != os->length)
+	_hx509_abort("internal ASN.1 encoder error");
+
+    return 0;
+
+out:
+    free_CRLCertificateList(&c);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/hx509/softp11.c b/crypto/heimdal/lib/hx509/softp11.c
new file mode 100644
index 0000000..86bb1d6
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/softp11.c
@@ -0,0 +1,1740 @@
+/*
+ * Copyright (c) 2004 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hx_locl.h"
+#include "pkcs11.h"
+
+#define OBJECT_ID_MASK		0xfff
+#define HANDLE_OBJECT_ID(h)	((h) & OBJECT_ID_MASK)
+#define OBJECT_ID(obj)		HANDLE_OBJECT_ID((obj)->object_handle)
+
+
+struct st_attr {
+    CK_ATTRIBUTE attribute;
+    int secret;
+};
+
+struct st_object {
+    CK_OBJECT_HANDLE object_handle;
+    struct st_attr *attrs;
+    int num_attributes;
+    hx509_cert cert;
+};
+
+static struct soft_token {
+    CK_VOID_PTR application;
+    CK_NOTIFY notify;
+    char *config_file;
+    hx509_certs certs;
+    struct {
+	struct st_object **objs;
+	int num_objs;
+    } object;
+    struct {
+	int hardware_slot;
+	int app_error_fatal;
+	int login_done;
+    } flags;
+    int open_sessions;
+    struct session_state {
+	CK_SESSION_HANDLE session_handle;
+
+	struct {
+	    CK_ATTRIBUTE *attributes;
+	    CK_ULONG num_attributes;
+	    int next_object;
+	} find;
+
+	int sign_object;
+	CK_MECHANISM_PTR sign_mechanism;
+	int verify_object;
+	CK_MECHANISM_PTR verify_mechanism;
+    } state[10];
+#define MAX_NUM_SESSION (sizeof(soft_token.state)/sizeof(soft_token.state[0]))
+    FILE *logfile;
+} soft_token;
+
+static hx509_context context;
+
+static void
+application_error(const char *fmt, ...)
+{
+    va_list ap;
+    va_start(ap, fmt);
+    vprintf(fmt, ap);
+    va_end(ap);
+    if (soft_token.flags.app_error_fatal)
+	abort();
+}
+
+static void
+st_logf(const char *fmt, ...)
+{
+    va_list ap;
+    if (soft_token.logfile == NULL)
+	return;
+    va_start(ap, fmt);
+    vfprintf(soft_token.logfile, fmt, ap);
+    va_end(ap);
+    fflush(soft_token.logfile);
+}
+
+static CK_RV
+init_context(void)
+{
+    if (context == NULL) {
+	int ret = hx509_context_init(&context);
+	if (ret)
+	    return CKR_GENERAL_ERROR;
+    }
+    return CKR_OK;
+}
+
+#define INIT_CONTEXT() { CK_RV icret = init_context(); if (icret) return icret; }
+
+static void
+snprintf_fill(char *str, size_t size, char fillchar, const char *fmt, ...)
+{
+    int len;
+    va_list ap;
+    len = vsnprintf(str, size, fmt, ap);
+    va_end(ap);
+    if (len < 0 || len > size)
+	return;
+    while(len < size)
+	str[len++] = fillchar;
+}
+
+#ifndef TEST_APP
+#define printf error_use_st_logf
+#endif
+
+#define VERIFY_SESSION_HANDLE(s, state)			\
+{							\
+    CK_RV ret;						\
+    ret = verify_session_handle(s, state);		\
+    if (ret != CKR_OK) {				\
+	/* return CKR_OK */;				\
+    }							\
+}
+
+static CK_RV
+verify_session_handle(CK_SESSION_HANDLE hSession,
+		      struct session_state **state)
+{
+    int i;
+
+    for (i = 0; i < MAX_NUM_SESSION; i++){
+	if (soft_token.state[i].session_handle == hSession)
+	    break;
+    }
+    if (i == MAX_NUM_SESSION) {
+	application_error("use of invalid handle: 0x%08lx\n",
+			  (unsigned long)hSession);
+	return CKR_SESSION_HANDLE_INVALID;
+    }
+    if (state)
+	*state = &soft_token.state[i];
+    return CKR_OK;
+}
+
+static CK_RV
+object_handle_to_object(CK_OBJECT_HANDLE handle,
+			struct st_object **object)
+{
+    int i = HANDLE_OBJECT_ID(handle);
+
+    *object = NULL;
+    if (i >= soft_token.object.num_objs)
+	return CKR_ARGUMENTS_BAD;
+    if (soft_token.object.objs[i] == NULL)
+	return CKR_ARGUMENTS_BAD;
+    if (soft_token.object.objs[i]->object_handle != handle)
+	return CKR_ARGUMENTS_BAD;
+    *object = soft_token.object.objs[i];
+    return CKR_OK;
+}
+
+static int
+attributes_match(const struct st_object *obj,
+		 const CK_ATTRIBUTE *attributes,
+		 CK_ULONG num_attributes)
+{
+    CK_ULONG i;
+    int j;
+
+    st_logf("attributes_match: %ld\n", (unsigned long)OBJECT_ID(obj));
+
+    for (i = 0; i < num_attributes; i++) {
+	int match = 0;
+	for (j = 0; j < obj->num_attributes; j++) {
+	    if (attributes[i].type == obj->attrs[j].attribute.type &&
+		attributes[i].ulValueLen == obj->attrs[j].attribute.ulValueLen &&
+		memcmp(attributes[i].pValue, obj->attrs[j].attribute.pValue,
+		       attributes[i].ulValueLen) == 0) {
+		match = 1;
+		break;
+	    }
+	}
+	if (match == 0) {
+	    st_logf("type %d attribute have no match\n", attributes[i].type);
+	    return 0;
+	}
+    }
+    st_logf("attribute matches\n");
+    return 1;
+}
+
+static void
+print_attributes(const CK_ATTRIBUTE *attributes,
+		 CK_ULONG num_attributes)
+{
+    CK_ULONG i;
+
+    st_logf("find objects: attrs: %lu\n", (unsigned long)num_attributes);
+
+    for (i = 0; i < num_attributes; i++) {
+	st_logf("  type: ");
+	switch (attributes[i].type) {
+	case CKA_TOKEN: {
+	    CK_BBOOL *ck_true;
+	    if (attributes[i].ulValueLen != sizeof(CK_BBOOL)) {
+		application_error("token attribute wrong length\n");
+		break;
+	    }
+	    ck_true = attributes[i].pValue;
+	    st_logf("token: %s", *ck_true ? "TRUE" : "FALSE");
+	    break;
+	}
+	case CKA_CLASS: {
+	    CK_OBJECT_CLASS *class;
+	    if (attributes[i].ulValueLen != sizeof(CK_ULONG)) {
+		application_error("class attribute wrong length\n");
+		break;
+	    }
+	    class = attributes[i].pValue;
+	    st_logf("class ");
+	    switch (*class) {
+	    case CKO_CERTIFICATE:
+		st_logf("certificate");
+		break;
+	    case CKO_PUBLIC_KEY:
+		st_logf("public key");
+		break;
+	    case CKO_PRIVATE_KEY:
+		st_logf("private key");
+		break;
+	    case CKO_SECRET_KEY:
+		st_logf("secret key");
+		break;
+	    case CKO_DOMAIN_PARAMETERS:
+		st_logf("domain parameters");
+		break;
+	    default:
+		st_logf("[class %lx]", (long unsigned)*class);
+		break;
+	    }
+	    break;
+	}
+	case CKA_PRIVATE:
+	    st_logf("private");
+	    break;
+	case CKA_LABEL:
+	    st_logf("label");
+	    break;
+	case CKA_APPLICATION:
+	    st_logf("application");
+	    break;
+	case CKA_VALUE:
+	    st_logf("value");
+	    break;
+	case CKA_ID:
+	    st_logf("id");
+	    break;
+	default:
+	    st_logf("[unknown 0x%08lx]", (unsigned long)attributes[i].type);
+	    break;
+	}
+	st_logf("\n");
+    }
+}
+
+static struct st_object *
+add_st_object(void)
+{
+    struct st_object *o, **objs;
+    int i;
+
+    o = malloc(sizeof(*o));
+    if (o == NULL)
+	return NULL;
+    memset(o, 0, sizeof(*o));
+    o->attrs = NULL;
+    o->num_attributes = 0;
+    
+    for (i = 0; i < soft_token.object.num_objs; i++) {
+	if (soft_token.object.objs == NULL) {
+	    soft_token.object.objs[i] = o;
+	    break;
+	}
+    }
+    if (i == soft_token.object.num_objs) {
+	objs = realloc(soft_token.object.objs,
+		       (soft_token.object.num_objs + 1) * sizeof(soft_token.object.objs[0]));
+	if (objs == NULL) {
+	    free(o);
+	    return NULL;
+	}
+	soft_token.object.objs = objs;
+	soft_token.object.objs[soft_token.object.num_objs++] = o;
+    }	
+    soft_token.object.objs[i]->object_handle =
+	(random() & (~OBJECT_ID_MASK)) | i;
+
+    return o;
+}
+
+static CK_RV
+add_object_attribute(struct st_object *o, 
+		     int secret,
+		     CK_ATTRIBUTE_TYPE type,
+		     CK_VOID_PTR pValue,
+		     CK_ULONG ulValueLen)
+{
+    struct st_attr *a;
+    int i;
+
+    i = o->num_attributes;
+    a = realloc(o->attrs, (i + 1) * sizeof(o->attrs[0]));
+    if (a == NULL)
+	return CKR_DEVICE_MEMORY;
+    o->attrs = a;
+    o->attrs[i].secret = secret;
+    o->attrs[i].attribute.type = type;
+    o->attrs[i].attribute.pValue = malloc(ulValueLen);
+    if (o->attrs[i].attribute.pValue == NULL && ulValueLen != 0)
+	return CKR_DEVICE_MEMORY;
+    memcpy(o->attrs[i].attribute.pValue, pValue, ulValueLen);
+    o->attrs[i].attribute.ulValueLen = ulValueLen;
+    o->num_attributes++;
+
+    return CKR_OK;
+}
+
+static CK_RV
+add_pubkey_info(hx509_context hxctx, struct st_object *o,
+		CK_KEY_TYPE key_type, hx509_cert cert)
+{
+    BIGNUM *num;
+    CK_BYTE *modulus = NULL;
+    size_t modulus_len = 0;
+    CK_ULONG modulus_bits = 0;
+    CK_BYTE *exponent = NULL;
+    size_t exponent_len = 0;
+    
+    if (key_type != CKK_RSA)
+	return CKR_OK;
+    if (_hx509_cert_private_key(cert) == NULL)
+	return CKR_OK;
+
+    num = _hx509_private_key_get_internal(context, 
+					  _hx509_cert_private_key(cert), 
+					  "rsa-modulus");
+    if (num == NULL)
+	return CKR_GENERAL_ERROR;
+    modulus_bits = BN_num_bits(num);
+
+    modulus_len = BN_num_bytes(num);
+    modulus = malloc(modulus_len);
+    BN_bn2bin(num, modulus);
+    BN_free(num);
+
+    add_object_attribute(o, 0, CKA_MODULUS, modulus, modulus_len);
+    add_object_attribute(o, 0, CKA_MODULUS_BITS,
+			 &modulus_bits, sizeof(modulus_bits));
+
+    free(modulus);
+	
+    num = _hx509_private_key_get_internal(context, 
+					  _hx509_cert_private_key(cert), 
+					  "rsa-exponent");
+    if (num == NULL)
+	return CKR_GENERAL_ERROR;
+
+    exponent_len = BN_num_bytes(num);
+    exponent = malloc(exponent_len);
+    BN_bn2bin(num, exponent);
+    BN_free(num);
+
+    add_object_attribute(o, 0, CKA_PUBLIC_EXPONENT,
+			 exponent, exponent_len);
+
+    free(exponent);
+
+    return CKR_OK;
+}
+
+
+struct foo {
+    char *label;
+    char *id;
+};
+
+static int
+add_cert(hx509_context hxctx, void *ctx, hx509_cert cert)
+{
+    struct foo *foo = (struct foo *)ctx;
+    struct st_object *o = NULL;
+    CK_OBJECT_CLASS type;
+    CK_BBOOL bool_true = CK_TRUE;
+    CK_BBOOL bool_false = CK_FALSE;
+    CK_CERTIFICATE_TYPE cert_type = CKC_X_509;
+    CK_KEY_TYPE key_type;
+    CK_MECHANISM_TYPE mech_type;
+    CK_RV ret = CKR_GENERAL_ERROR;
+    int hret;
+    heim_octet_string cert_data, subject_data, issuer_data, serial_data;
+
+    st_logf("adding certificate\n");
+
+    serial_data.data = NULL;
+    serial_data.length = 0;
+    cert_data = subject_data = issuer_data = serial_data;
+
+    hret = hx509_cert_binary(hxctx, cert, &cert_data);
+    if (hret)
+	goto out;
+
+    {
+	    hx509_name name;
+
+	    hret = hx509_cert_get_issuer(cert, &name);
+	    if (hret)
+		goto out;
+	    hret = hx509_name_binary(name, &issuer_data);
+	    hx509_name_free(&name);
+	    if (hret)
+		goto out;
+
+	    hret = hx509_cert_get_subject(cert, &name);
+	    if (hret)
+		goto out;
+	    hret = hx509_name_binary(name, &subject_data);
+	    hx509_name_free(&name);
+	    if (hret)
+		goto out;
+    }
+
+    {
+	AlgorithmIdentifier alg;
+
+	hret = hx509_cert_get_SPKI_AlgorithmIdentifier(context, cert, &alg);
+	if (hret) {
+	    ret = CKR_DEVICE_MEMORY;
+	    goto out;
+	}
+
+	key_type = CKK_RSA; /* XXX */
+
+	free_AlgorithmIdentifier(&alg);
+    }
+
+
+    type = CKO_CERTIFICATE;
+    o = add_st_object();
+    if (o == NULL) {
+	ret = CKR_DEVICE_MEMORY;
+	goto out;
+    }
+
+    o->cert = hx509_cert_ref(cert);
+
+    add_object_attribute(o, 0, CKA_CLASS, &type, sizeof(type));
+    add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true));
+    add_object_attribute(o, 0, CKA_PRIVATE, &bool_false, sizeof(bool_false));
+    add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false));
+    add_object_attribute(o, 0, CKA_LABEL, foo->label, strlen(foo->label));
+
+    add_object_attribute(o, 0, CKA_CERTIFICATE_TYPE, &cert_type, sizeof(cert_type));
+    add_object_attribute(o, 0, CKA_ID, foo->id, strlen(foo->id));
+
+    add_object_attribute(o, 0, CKA_SUBJECT, subject_data.data, subject_data.length);
+    add_object_attribute(o, 0, CKA_ISSUER, issuer_data.data, issuer_data.length);
+    add_object_attribute(o, 0, CKA_SERIAL_NUMBER, serial_data.data, serial_data.length);
+    add_object_attribute(o, 0, CKA_VALUE, cert_data.data, cert_data.length);
+    add_object_attribute(o, 0, CKA_TRUSTED, &bool_false, sizeof(bool_false));
+
+    st_logf("add cert ok: %lx\n", (unsigned long)OBJECT_ID(o));
+
+    type = CKO_PUBLIC_KEY;
+    o = add_st_object();
+    if (o == NULL) {
+	ret = CKR_DEVICE_MEMORY;
+	goto out;
+    }
+    o->cert = hx509_cert_ref(cert);
+
+    add_object_attribute(o, 0, CKA_CLASS, &type, sizeof(type));
+    add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true));
+    add_object_attribute(o, 0, CKA_PRIVATE, &bool_false, sizeof(bool_false));
+    add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false));
+    add_object_attribute(o, 0, CKA_LABEL, foo->label, strlen(foo->label));
+
+    add_object_attribute(o, 0, CKA_KEY_TYPE, &key_type, sizeof(key_type));
+    add_object_attribute(o, 0, CKA_ID, foo->id, strlen(foo->id));
+    add_object_attribute(o, 0, CKA_START_DATE, "", 1); /* XXX */
+    add_object_attribute(o, 0, CKA_END_DATE, "", 1); /* XXX */
+    add_object_attribute(o, 0, CKA_DERIVE, &bool_false, sizeof(bool_false));
+    add_object_attribute(o, 0, CKA_LOCAL, &bool_false, sizeof(bool_false));
+    mech_type = CKM_RSA_X_509;
+    add_object_attribute(o, 0, CKA_KEY_GEN_MECHANISM, &mech_type, sizeof(mech_type));
+
+    add_object_attribute(o, 0, CKA_SUBJECT, subject_data.data, subject_data.length);
+    add_object_attribute(o, 0, CKA_ENCRYPT, &bool_true, sizeof(bool_true));
+    add_object_attribute(o, 0, CKA_VERIFY, &bool_true, sizeof(bool_true));
+    add_object_attribute(o, 0, CKA_VERIFY_RECOVER, &bool_false, sizeof(bool_false));
+    add_object_attribute(o, 0, CKA_WRAP, &bool_true, sizeof(bool_true));
+    add_object_attribute(o, 0, CKA_TRUSTED, &bool_true, sizeof(bool_true));
+
+    add_pubkey_info(hxctx, o, key_type, cert);
+
+    st_logf("add key ok: %lx\n", (unsigned long)OBJECT_ID(o));
+
+    if (hx509_cert_have_private_key(cert)) {
+	CK_FLAGS flags;
+
+	type = CKO_PRIVATE_KEY;
+	o = add_st_object();
+	if (o == NULL) {
+	    ret = CKR_DEVICE_MEMORY;
+	    goto out;
+	}
+	o->cert = hx509_cert_ref(cert);
+
+	add_object_attribute(o, 0, CKA_CLASS, &type, sizeof(type));
+	add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true));
+	add_object_attribute(o, 0, CKA_PRIVATE, &bool_true, sizeof(bool_false));
+	add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false));
+	add_object_attribute(o, 0, CKA_LABEL, foo->label, strlen(foo->label));
+
+	add_object_attribute(o, 0, CKA_KEY_TYPE, &key_type, sizeof(key_type));
+	add_object_attribute(o, 0, CKA_ID, foo->id, strlen(foo->id));
+	add_object_attribute(o, 0, CKA_START_DATE, "", 1); /* XXX */
+	add_object_attribute(o, 0, CKA_END_DATE, "", 1); /* XXX */
+	add_object_attribute(o, 0, CKA_DERIVE, &bool_false, sizeof(bool_false));
+	add_object_attribute(o, 0, CKA_LOCAL, &bool_false, sizeof(bool_false));
+	mech_type = CKM_RSA_X_509;
+	add_object_attribute(o, 0, CKA_KEY_GEN_MECHANISM, &mech_type, sizeof(mech_type));
+
+	add_object_attribute(o, 0, CKA_SUBJECT, subject_data.data, subject_data.length);
+	add_object_attribute(o, 0, CKA_SENSITIVE, &bool_true, sizeof(bool_true));
+	add_object_attribute(o, 0, CKA_SECONDARY_AUTH, &bool_false, sizeof(bool_true));
+	flags = 0;
+	add_object_attribute(o, 0, CKA_AUTH_PIN_FLAGS, &flags, sizeof(flags));
+
+	add_object_attribute(o, 0, CKA_DECRYPT, &bool_true, sizeof(bool_true));
+	add_object_attribute(o, 0, CKA_SIGN, &bool_true, sizeof(bool_true));
+	add_object_attribute(o, 0, CKA_SIGN_RECOVER, &bool_false, sizeof(bool_false));
+	add_object_attribute(o, 0, CKA_UNWRAP, &bool_true, sizeof(bool_true));
+	add_object_attribute(o, 0, CKA_EXTRACTABLE, &bool_true, sizeof(bool_true));
+	add_object_attribute(o, 0, CKA_NEVER_EXTRACTABLE, &bool_false, sizeof(bool_false));
+
+	add_pubkey_info(hxctx, o, key_type, cert);
+    }
+
+    ret = CKR_OK;
+ out:
+    if (ret != CKR_OK) {
+	st_logf("something went wrong when adding cert!\n");
+
+	/* XXX wack o */;
+    }
+    hx509_xfree(cert_data.data);
+    hx509_xfree(serial_data.data);
+    hx509_xfree(issuer_data.data);
+    hx509_xfree(subject_data.data);
+
+    return 0;
+}
+
+static CK_RV
+add_certificate(const char *cert_file,
+		const char *pin,
+		char *id,
+		char *label)
+{
+    hx509_certs certs;
+    hx509_lock lock = NULL;
+    int ret, flags = 0;
+
+    struct foo foo;
+    foo.id = id;
+    foo.label = label;
+
+    if (pin == NULL)
+	flags |= HX509_CERTS_UNPROTECT_ALL;
+
+    if (pin) {
+	char *str;
+	asprintf(&str, "PASS:%s", pin);
+
+	hx509_lock_init(context, &lock);
+	hx509_lock_command_string(lock, str);
+
+	memset(str, 0, strlen(str));
+	free(str);
+    }
+
+    ret = hx509_certs_init(context, cert_file, flags, lock, &certs);
+    if (ret) {
+	st_logf("failed to open file %s\n", cert_file);
+	return CKR_GENERAL_ERROR;
+    }
+
+    ret = hx509_certs_iter(context, certs, add_cert, &foo);
+    hx509_certs_free(&certs);
+    if (ret) {
+	st_logf("failed adding certs from file %s\n", cert_file);
+	return CKR_GENERAL_ERROR;
+    }
+
+    return CKR_OK;
+}
+
+static void
+find_object_final(struct session_state *state)
+{
+    if (state->find.attributes) {
+	CK_ULONG i;
+
+	for (i = 0; i < state->find.num_attributes; i++) {
+	    if (state->find.attributes[i].pValue)
+		free(state->find.attributes[i].pValue);
+	}
+	free(state->find.attributes);
+	state->find.attributes = NULL;
+	state->find.num_attributes = 0;
+	state->find.next_object = -1;
+    }
+}
+
+static void
+reset_crypto_state(struct session_state *state)
+{
+    state->sign_object = -1;
+    if (state->sign_mechanism)
+	free(state->sign_mechanism);
+    state->sign_mechanism = NULL_PTR;
+    state->verify_object = -1;
+    if (state->verify_mechanism)
+	free(state->verify_mechanism);
+    state->verify_mechanism = NULL_PTR;
+}
+
+static void
+close_session(struct session_state *state)
+{
+    if (state->find.attributes) {
+	application_error("application didn't do C_FindObjectsFinal\n");
+	find_object_final(state);
+    }
+
+    state->session_handle = CK_INVALID_HANDLE;
+    soft_token.application = NULL_PTR;
+    soft_token.notify = NULL_PTR;
+    reset_crypto_state(state);
+}
+
+static const char *
+has_session(void)
+{
+    return soft_token.open_sessions > 0 ? "yes" : "no";
+}
+
+static CK_RV
+read_conf_file(const char *fn, CK_USER_TYPE userType, const char *pin)
+{
+    char buf[1024], *type, *s, *p;
+    int anchor;
+    FILE *f;
+    CK_RV ret = CKR_OK;
+    CK_RV failed = CKR_OK;
+
+    f = fopen(fn, "r");
+    if (f == NULL) {
+	st_logf("can't open configuration file %s\n", fn);
+	return CKR_GENERAL_ERROR;
+    }
+
+    while(fgets(buf, sizeof(buf), f) != NULL) {
+	buf[strcspn(buf, "\n")] = '\0';
+
+	anchor = 0;
+
+	st_logf("line: %s\n", buf);
+
+	p = buf;
+	while (isspace(*p))
+	    p++;
+	if (*p == '#')
+	    continue;
+	while (isspace(*p))
+	    p++;
+
+	s = NULL;
+	type = strtok_r(p, "\t", &s);
+	if (type == NULL)
+	    continue;
+	
+	if (strcasecmp("certificate", type) == 0) {
+	    char *cert, *id, *label;
+	    
+	    id = strtok_r(NULL, "\t", &s);
+	    if (id == NULL) {
+		st_logf("no id\n");
+		continue;
+	    }
+	    st_logf("id: %s\n", id);
+	    label = strtok_r(NULL, "\t", &s);
+	    if (label == NULL) {
+		st_logf("no label\n");
+		continue;
+	    }
+	    cert = strtok_r(NULL, "\t", &s);
+	    if (cert == NULL) {
+		st_logf("no certfiicate store\n");
+		continue;
+	    }
+	    
+	    st_logf("adding: %s: %s in file %s\n", id, label, cert);
+	    
+	    ret = add_certificate(cert, pin, id, label);
+	    if (ret)
+		failed = ret;
+	} else if (strcasecmp("debug", type) == 0) {
+	    char *name;
+
+	    name = strtok_r(NULL, "\t", &s);
+	    if (name == NULL) {
+		st_logf("no filename\n");
+		continue;
+	    }
+
+	    if (soft_token.logfile)
+		fclose(soft_token.logfile);
+
+	    if (strcasecmp(name, "stdout") == 0)
+		soft_token.logfile = stdout;
+	    else
+		soft_token.logfile = fopen(name, "a");
+	    if (soft_token.logfile == NULL)
+		st_logf("failed to open file: %s\n", name);
+		
+	} else if (strcasecmp("app-fatal", type) == 0) {
+	    char *name;
+
+	    name = strtok_r(NULL, "\t", &s);
+	    if (name == NULL) {
+		st_logf("argument to app-fatal\n");
+		continue;
+	    }
+
+	    if (strcmp(name, "true") == 0 || strcmp(name, "on") == 0)
+		soft_token.flags.app_error_fatal = 1;
+	    else if (strcmp(name, "false") == 0 || strcmp(name, "off") == 0)
+		soft_token.flags.app_error_fatal = 0;
+	    else
+		st_logf("unknown app-fatal: %s\n", name);
+
+	} else {
+	    st_logf("unknown type: %s\n", type);
+	}
+    }
+
+    fclose(f);
+
+    return failed;
+}
+
+static CK_RV
+func_not_supported(void)
+{
+    st_logf("function not supported\n");
+    return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+C_Initialize(CK_VOID_PTR a)
+{
+    CK_C_INITIALIZE_ARGS_PTR args = a;
+    CK_RV ret;
+    int i;
+
+    st_logf("Initialize\n");
+
+    INIT_CONTEXT();
+
+    OpenSSL_add_all_algorithms();
+
+    srandom(getpid() ^ time(NULL));
+
+    for (i = 0; i < MAX_NUM_SESSION; i++) {
+	soft_token.state[i].session_handle = CK_INVALID_HANDLE;
+	soft_token.state[i].find.attributes = NULL;
+	soft_token.state[i].find.num_attributes = 0;
+	soft_token.state[i].find.next_object = -1;
+	reset_crypto_state(&soft_token.state[i]);
+    }
+
+    soft_token.flags.hardware_slot = 1;
+    soft_token.flags.app_error_fatal = 0;
+    soft_token.flags.login_done = 0;
+
+    soft_token.object.objs = NULL;
+    soft_token.object.num_objs = 0;
+    
+    soft_token.logfile = NULL;
+#if 0
+    soft_token.logfile = stdout;
+#endif
+#if 0
+    soft_token.logfile = fopen("/tmp/log-pkcs11.txt", "a");
+#endif
+
+    if (a != NULL_PTR) {
+	st_logf("\tCreateMutex:\t%p\n", args->CreateMutex);
+	st_logf("\tDestroyMutext\t%p\n", args->DestroyMutex);
+	st_logf("\tLockMutext\t%p\n", args->LockMutex);
+	st_logf("\tUnlockMutext\t%p\n", args->UnlockMutex);
+	st_logf("\tFlags\t%04x\n", (unsigned int)args->flags);
+    }
+
+    {
+	char *fn = NULL, *home = NULL;
+
+	if (getuid() == geteuid()) {
+	    fn = getenv("SOFTPKCS11RC");
+	    if (fn)
+		fn = strdup(fn);
+	    home = getenv("HOME");
+	}
+	if (fn == NULL && home == NULL) {
+	    struct passwd *pw = getpwuid(getuid());	
+	    if(pw != NULL)
+		home = pw->pw_dir;
+	}
+	if (fn == NULL) {
+	    if (home)
+		asprintf(&fn, "%s/.soft-token.rc", home);
+	    else
+		fn = strdup("/etc/soft-token.rc");
+	}
+
+	soft_token.config_file = fn;
+    }
+
+    /*
+     * This operations doesn't return CKR_OK if any of the
+     * certificates failes to be unparsed (ie password protected).
+     */
+    ret = read_conf_file(soft_token.config_file, CKU_USER, NULL);
+    if (ret == CKR_OK)
+	soft_token.flags.login_done = 1;
+
+    return CKR_OK;
+}
+
+CK_RV
+C_Finalize(CK_VOID_PTR args)
+{
+    int i;
+
+    INIT_CONTEXT();
+
+    st_logf("Finalize\n");
+
+    for (i = 0; i < MAX_NUM_SESSION; i++) {
+	if (soft_token.state[i].session_handle != CK_INVALID_HANDLE) {
+	    application_error("application finalized without "
+			      "closing session\n");
+	    close_session(&soft_token.state[i]);
+	}
+    }
+
+    return CKR_OK;
+}
+
+CK_RV
+C_GetInfo(CK_INFO_PTR args)
+{
+    INIT_CONTEXT();
+
+    st_logf("GetInfo\n");
+
+    memset(args, 17, sizeof(*args));
+    args->cryptokiVersion.major = 2;
+    args->cryptokiVersion.minor = 10;
+    snprintf_fill((char *)args->manufacturerID, 
+		  sizeof(args->manufacturerID),
+		  ' ',
+		  "Heimdal hx509 SoftToken");
+    snprintf_fill((char *)args->libraryDescription, 
+		  sizeof(args->libraryDescription), ' ',
+		  "Heimdal hx509 SoftToken");
+    args->libraryVersion.major = 2;
+    args->libraryVersion.minor = 0;
+
+    return CKR_OK;
+}
+
+extern CK_FUNCTION_LIST funcs;
+
+CK_RV
+C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList)
+{
+    INIT_CONTEXT();
+
+    *ppFunctionList = &funcs;
+    return CKR_OK;
+}
+
+CK_RV
+C_GetSlotList(CK_BBOOL tokenPresent,
+	      CK_SLOT_ID_PTR pSlotList,
+	      CK_ULONG_PTR   pulCount)
+{
+    INIT_CONTEXT();
+    st_logf("GetSlotList: %s\n",
+	    tokenPresent ? "tokenPresent" : "token not Present");
+    if (pSlotList)
+	pSlotList[0] = 1;
+    *pulCount = 1;
+    return CKR_OK;
+}
+
+CK_RV
+C_GetSlotInfo(CK_SLOT_ID slotID,
+	      CK_SLOT_INFO_PTR pInfo)
+{
+    INIT_CONTEXT();
+    st_logf("GetSlotInfo: slot: %d : %s\n", (int)slotID, has_session());
+
+    memset(pInfo, 18, sizeof(*pInfo));
+
+    if (slotID != 1)
+	return CKR_ARGUMENTS_BAD;
+
+    snprintf_fill((char *)pInfo->slotDescription, 
+		  sizeof(pInfo->slotDescription),
+		  ' ',
+		  "Heimdal hx509 SoftToken (slot)");
+    snprintf_fill((char *)pInfo->manufacturerID,
+		  sizeof(pInfo->manufacturerID),
+		  ' ',
+		  "Heimdal hx509 SoftToken (slot)");
+    pInfo->flags = CKF_TOKEN_PRESENT;
+    if (soft_token.flags.hardware_slot)
+	pInfo->flags |= CKF_HW_SLOT;
+    pInfo->hardwareVersion.major = 1;
+    pInfo->hardwareVersion.minor = 0;
+    pInfo->firmwareVersion.major = 1;
+    pInfo->firmwareVersion.minor = 0;
+    
+    return CKR_OK;
+}
+
+CK_RV
+C_GetTokenInfo(CK_SLOT_ID slotID,
+	       CK_TOKEN_INFO_PTR pInfo)
+{
+    INIT_CONTEXT();
+    st_logf("GetTokenInfo: %s\n", has_session()); 
+
+    memset(pInfo, 19, sizeof(*pInfo));
+
+    snprintf_fill((char *)pInfo->label, 
+		  sizeof(pInfo->label),
+		  ' ',
+		  "Heimdal hx509 SoftToken (token)");
+    snprintf_fill((char *)pInfo->manufacturerID, 
+		  sizeof(pInfo->manufacturerID),
+		  ' ',
+		  "Heimdal hx509 SoftToken (token)");
+    snprintf_fill((char *)pInfo->model,
+		  sizeof(pInfo->model),
+		  ' ',
+		  "Heimdal hx509 SoftToken (token)");
+    snprintf_fill((char *)pInfo->serialNumber, 
+		  sizeof(pInfo->serialNumber),
+		  ' ',
+		  "4711");
+    pInfo->flags = 
+	CKF_TOKEN_INITIALIZED | 
+	CKF_USER_PIN_INITIALIZED;
+
+    if (soft_token.flags.login_done == 0)
+	pInfo->flags |= CKF_LOGIN_REQUIRED;
+
+    /* CFK_RNG |
+       CKF_RESTORE_KEY_NOT_NEEDED |
+    */
+    pInfo->ulMaxSessionCount = MAX_NUM_SESSION;
+    pInfo->ulSessionCount = soft_token.open_sessions;
+    pInfo->ulMaxRwSessionCount = MAX_NUM_SESSION;
+    pInfo->ulRwSessionCount = soft_token.open_sessions;
+    pInfo->ulMaxPinLen = 1024;
+    pInfo->ulMinPinLen = 0;
+    pInfo->ulTotalPublicMemory = 4711;
+    pInfo->ulFreePublicMemory = 4712;
+    pInfo->ulTotalPrivateMemory = 4713;
+    pInfo->ulFreePrivateMemory = 4714;
+    pInfo->hardwareVersion.major = 2;
+    pInfo->hardwareVersion.minor = 0;
+    pInfo->firmwareVersion.major = 2;
+    pInfo->firmwareVersion.minor = 0;
+
+    return CKR_OK;
+}
+
+CK_RV
+C_GetMechanismList(CK_SLOT_ID slotID,
+		   CK_MECHANISM_TYPE_PTR pMechanismList,
+		   CK_ULONG_PTR pulCount)
+{
+    INIT_CONTEXT();
+    st_logf("GetMechanismList\n");
+
+    *pulCount = 1;
+    if (pMechanismList == NULL_PTR)
+	return CKR_OK;
+    pMechanismList[1] = CKM_RSA_PKCS;
+
+    return CKR_OK;
+}
+
+CK_RV
+C_GetMechanismInfo(CK_SLOT_ID slotID,
+		   CK_MECHANISM_TYPE type,
+		   CK_MECHANISM_INFO_PTR pInfo)
+{
+    INIT_CONTEXT();
+    st_logf("GetMechanismInfo: slot %d type: %d\n",
+	    (int)slotID, (int)type);
+    memset(pInfo, 0, sizeof(*pInfo));
+
+    return CKR_OK;
+}
+
+CK_RV
+C_InitToken(CK_SLOT_ID slotID,
+	    CK_UTF8CHAR_PTR pPin,
+	    CK_ULONG ulPinLen,
+	    CK_UTF8CHAR_PTR pLabel)
+{
+    INIT_CONTEXT();
+    st_logf("InitToken: slot %d\n", (int)slotID);
+    return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+C_OpenSession(CK_SLOT_ID slotID,
+	      CK_FLAGS flags,
+	      CK_VOID_PTR pApplication,
+	      CK_NOTIFY Notify,
+	      CK_SESSION_HANDLE_PTR phSession)
+{
+    int i;
+    INIT_CONTEXT();
+    st_logf("OpenSession: slot: %d\n", (int)slotID);
+    
+    if (soft_token.open_sessions == MAX_NUM_SESSION)
+	return CKR_SESSION_COUNT;
+
+    soft_token.application = pApplication;
+    soft_token.notify = Notify;
+
+    for (i = 0; i < MAX_NUM_SESSION; i++)
+	if (soft_token.state[i].session_handle == CK_INVALID_HANDLE)
+	    break;
+    if (i == MAX_NUM_SESSION)
+	abort();
+
+    soft_token.open_sessions++;
+
+    soft_token.state[i].session_handle =
+	(CK_SESSION_HANDLE)(random() & 0xfffff);
+    *phSession = soft_token.state[i].session_handle;
+
+    return CKR_OK;
+}
+
+CK_RV
+C_CloseSession(CK_SESSION_HANDLE hSession)
+{
+    struct session_state *state;
+    INIT_CONTEXT();
+    st_logf("CloseSession\n");
+
+    if (verify_session_handle(hSession, &state) != CKR_OK)
+	application_error("closed session not open");
+    else
+	close_session(state);
+
+    return CKR_OK;
+}
+
+CK_RV
+C_CloseAllSessions(CK_SLOT_ID slotID)
+{
+    int i;
+    INIT_CONTEXT();
+
+    st_logf("CloseAllSessions\n");
+
+    for (i = 0; i < MAX_NUM_SESSION; i++)
+	if (soft_token.state[i].session_handle != CK_INVALID_HANDLE)
+	    close_session(&soft_token.state[i]);
+
+    return CKR_OK;
+}
+
+CK_RV
+C_GetSessionInfo(CK_SESSION_HANDLE hSession,
+		 CK_SESSION_INFO_PTR pInfo)
+{
+    st_logf("GetSessionInfo\n");
+    INIT_CONTEXT();
+    
+    VERIFY_SESSION_HANDLE(hSession, NULL);
+
+    memset(pInfo, 20, sizeof(*pInfo));
+
+    pInfo->slotID = 1;
+    if (soft_token.flags.login_done)
+	pInfo->state = CKS_RO_USER_FUNCTIONS;
+    else
+	pInfo->state = CKS_RO_PUBLIC_SESSION;
+    pInfo->flags = CKF_SERIAL_SESSION;
+    pInfo->ulDeviceError = 0;
+
+    return CKR_OK;
+}
+
+CK_RV
+C_Login(CK_SESSION_HANDLE hSession,
+	CK_USER_TYPE userType,
+	CK_UTF8CHAR_PTR pPin,
+	CK_ULONG ulPinLen)
+{
+    char *pin = NULL;
+    CK_RV ret;
+    INIT_CONTEXT();
+
+    st_logf("Login\n");
+
+    VERIFY_SESSION_HANDLE(hSession, NULL);
+
+    if (pPin != NULL_PTR) {
+	asprintf(&pin, "%.*s", (int)ulPinLen, pPin);
+	st_logf("type: %d password: %s\n", (int)userType, pin);
+    }
+
+    /*
+     * Login
+     */
+
+    ret = read_conf_file(soft_token.config_file, userType, pin);
+    if (ret == CKR_OK)
+	soft_token.flags.login_done = 1;
+
+    free(pin);
+    
+    return soft_token.flags.login_done ? CKR_OK : CKR_PIN_INCORRECT;
+}
+
+CK_RV
+C_Logout(CK_SESSION_HANDLE hSession)
+{
+    st_logf("Logout\n");
+    INIT_CONTEXT();
+
+    VERIFY_SESSION_HANDLE(hSession, NULL);
+    return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+C_GetObjectSize(CK_SESSION_HANDLE hSession,
+		CK_OBJECT_HANDLE hObject,
+		CK_ULONG_PTR pulSize)
+{
+    st_logf("GetObjectSize\n");
+    INIT_CONTEXT();
+
+    VERIFY_SESSION_HANDLE(hSession, NULL);
+    return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+C_GetAttributeValue(CK_SESSION_HANDLE hSession,
+		    CK_OBJECT_HANDLE hObject,
+		    CK_ATTRIBUTE_PTR pTemplate,
+		    CK_ULONG ulCount)
+{
+    struct session_state *state;
+    struct st_object *obj;
+    CK_ULONG i;
+    CK_RV ret;
+    int j;
+
+    INIT_CONTEXT();
+
+    st_logf("GetAttributeValue: %lx\n",
+	    (unsigned long)HANDLE_OBJECT_ID(hObject));
+    VERIFY_SESSION_HANDLE(hSession, &state);
+
+    if ((ret = object_handle_to_object(hObject, &obj)) != CKR_OK) {
+	st_logf("object not found: %lx\n",
+		(unsigned long)HANDLE_OBJECT_ID(hObject));
+	return ret;
+    }
+
+    for (i = 0; i < ulCount; i++) {
+	st_logf("	getting 0x%08lx\n", (unsigned long)pTemplate[i].type);
+	for (j = 0; j < obj->num_attributes; j++) {
+	    if (obj->attrs[j].secret) {
+		pTemplate[i].ulValueLen = (CK_ULONG)-1;
+		break;
+	    }
+	    if (pTemplate[i].type == obj->attrs[j].attribute.type) {
+		if (pTemplate[i].pValue != NULL_PTR && obj->attrs[j].secret == 0) {
+		    if (pTemplate[i].ulValueLen >= obj->attrs[j].attribute.ulValueLen)
+			memcpy(pTemplate[i].pValue, obj->attrs[j].attribute.pValue,
+			       obj->attrs[j].attribute.ulValueLen);
+		}
+		pTemplate[i].ulValueLen = obj->attrs[j].attribute.ulValueLen;
+		break;
+	    }
+	}
+	if (j == obj->num_attributes) {
+	    st_logf("key type: 0x%08lx not found\n", (unsigned long)pTemplate[i].type);
+	    pTemplate[i].ulValueLen = (CK_ULONG)-1;
+	}
+
+    }
+    return CKR_OK;
+}
+
+CK_RV
+C_FindObjectsInit(CK_SESSION_HANDLE hSession,
+		  CK_ATTRIBUTE_PTR pTemplate,
+		  CK_ULONG ulCount)
+{
+    struct session_state *state;
+
+    st_logf("FindObjectsInit\n");
+
+    INIT_CONTEXT();
+
+    VERIFY_SESSION_HANDLE(hSession, &state);
+
+    if (state->find.next_object != -1) {
+	application_error("application didn't do C_FindObjectsFinal\n");
+	find_object_final(state);
+    }
+    if (ulCount) {
+	CK_ULONG i;
+
+	print_attributes(pTemplate, ulCount);
+
+	state->find.attributes = 
+	    calloc(1, ulCount * sizeof(state->find.attributes[0]));
+	if (state->find.attributes == NULL)
+	    return CKR_DEVICE_MEMORY;
+	for (i = 0; i < ulCount; i++) {
+	    state->find.attributes[i].pValue = 
+		malloc(pTemplate[i].ulValueLen);
+	    if (state->find.attributes[i].pValue == NULL) {
+		find_object_final(state);
+		return CKR_DEVICE_MEMORY;
+	    }
+	    memcpy(state->find.attributes[i].pValue,
+		   pTemplate[i].pValue, pTemplate[i].ulValueLen);
+	    state->find.attributes[i].type = pTemplate[i].type;
+	    state->find.attributes[i].ulValueLen = pTemplate[i].ulValueLen;
+	}
+	state->find.num_attributes = ulCount;
+	state->find.next_object = 0;
+    } else {
+	st_logf("find all objects\n");
+	state->find.attributes = NULL;
+	state->find.num_attributes = 0;
+	state->find.next_object = 0;
+    }
+
+    return CKR_OK;
+}
+
+CK_RV
+C_FindObjects(CK_SESSION_HANDLE hSession,
+	      CK_OBJECT_HANDLE_PTR phObject,
+	      CK_ULONG ulMaxObjectCount,
+	      CK_ULONG_PTR pulObjectCount)
+{
+    struct session_state *state;
+    int i;
+
+    INIT_CONTEXT();
+
+    st_logf("FindObjects\n");
+
+    VERIFY_SESSION_HANDLE(hSession, &state);
+
+    if (state->find.next_object == -1) {
+	application_error("application didn't do C_FindObjectsInit\n");
+	return CKR_ARGUMENTS_BAD;
+    }
+    if (ulMaxObjectCount == 0) {
+	application_error("application asked for 0 objects\n");
+	return CKR_ARGUMENTS_BAD;
+    }
+    *pulObjectCount = 0;
+    for (i = state->find.next_object; i < soft_token.object.num_objs; i++) {
+	st_logf("FindObjects: %d\n", i);
+	state->find.next_object = i + 1;
+	if (attributes_match(soft_token.object.objs[i],
+			     state->find.attributes,
+			     state->find.num_attributes)) {
+	    *phObject++ = soft_token.object.objs[i]->object_handle;
+	    ulMaxObjectCount--;
+	    (*pulObjectCount)++;
+	    if (ulMaxObjectCount == 0)
+		break;
+	}
+    }
+    return CKR_OK;
+}
+
+CK_RV
+C_FindObjectsFinal(CK_SESSION_HANDLE hSession)
+{
+    struct session_state *state;
+
+    INIT_CONTEXT();
+
+    st_logf("FindObjectsFinal\n");
+    VERIFY_SESSION_HANDLE(hSession, &state);
+    find_object_final(state);
+    return CKR_OK;
+}
+
+static CK_RV
+commonInit(CK_ATTRIBUTE *attr_match, int attr_match_len,
+	   const CK_MECHANISM_TYPE *mechs, int mechs_len,
+	   const CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey,
+	   struct st_object **o)
+{
+    CK_RV ret;
+    int i;
+
+    *o = NULL;
+    if ((ret = object_handle_to_object(hKey, o)) != CKR_OK)
+	return ret;
+
+    ret = attributes_match(*o, attr_match, attr_match_len);
+    if (!ret) {
+	application_error("called commonInit on key that doesn't "
+			  "support required attr");
+	return CKR_ARGUMENTS_BAD;
+    }
+
+    for (i = 0; i < mechs_len; i++)
+	if (mechs[i] == pMechanism->mechanism)
+	    break;
+    if (i == mechs_len) {
+	application_error("called mech (%08lx) not supported\n",
+			  pMechanism->mechanism);
+	return CKR_ARGUMENTS_BAD;
+    }
+    return CKR_OK;
+}
+
+
+static CK_RV
+dup_mechanism(CK_MECHANISM_PTR *dup, const CK_MECHANISM_PTR pMechanism)
+{
+    CK_MECHANISM_PTR p;
+
+    p = malloc(sizeof(*p));
+    if (p == NULL)
+	return CKR_DEVICE_MEMORY;
+
+    if (*dup)
+	free(*dup);
+    *dup = p;
+    memcpy(p, pMechanism, sizeof(*p));
+
+    return CKR_OK;
+}
+
+CK_RV
+C_DigestInit(CK_SESSION_HANDLE hSession,
+	     CK_MECHANISM_PTR pMechanism)
+{
+    st_logf("DigestInit\n");
+    INIT_CONTEXT();
+    VERIFY_SESSION_HANDLE(hSession, NULL);
+    return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+C_SignInit(CK_SESSION_HANDLE hSession,
+	   CK_MECHANISM_PTR pMechanism,
+	   CK_OBJECT_HANDLE hKey)
+{
+    struct session_state *state;
+    CK_MECHANISM_TYPE mechs[] = { CKM_RSA_PKCS };
+    CK_BBOOL bool_true = CK_TRUE;
+    CK_ATTRIBUTE attr[] = {
+	{ CKA_SIGN, &bool_true, sizeof(bool_true) }
+    };
+    struct st_object *o;
+    CK_RV ret;
+
+    INIT_CONTEXT();
+    st_logf("SignInit\n");
+    VERIFY_SESSION_HANDLE(hSession, &state);
+    
+    ret = commonInit(attr, sizeof(attr)/sizeof(attr[0]), 
+		     mechs, sizeof(mechs)/sizeof(mechs[0]),
+		     pMechanism, hKey, &o);
+    if (ret)
+	return ret;
+
+    ret = dup_mechanism(&state->sign_mechanism, pMechanism);
+    if (ret == CKR_OK) 
+	state->sign_object = OBJECT_ID(o);
+
+    return CKR_OK;
+}
+
+CK_RV
+C_Sign(CK_SESSION_HANDLE hSession,
+       CK_BYTE_PTR pData,
+       CK_ULONG ulDataLen,
+       CK_BYTE_PTR pSignature,
+       CK_ULONG_PTR pulSignatureLen)
+{
+    struct session_state *state;
+    struct st_object *o;
+    CK_RV ret;
+    uint hret;
+    const AlgorithmIdentifier *alg;
+    heim_octet_string sig, data;
+
+    INIT_CONTEXT();
+    st_logf("Sign\n");
+    VERIFY_SESSION_HANDLE(hSession, &state);
+
+    sig.data = NULL;
+    sig.length = 0;
+
+    if (state->sign_object == -1)
+	return CKR_ARGUMENTS_BAD;
+
+    if (pulSignatureLen == NULL) {
+	st_logf("signature len NULL\n");
+	ret = CKR_ARGUMENTS_BAD;
+	goto out;
+    }
+
+    if (pData == NULL_PTR) {
+	st_logf("data NULL\n");
+	ret = CKR_ARGUMENTS_BAD;
+	goto out;
+    }
+
+    o = soft_token.object.objs[state->sign_object];
+
+    if (hx509_cert_have_private_key(o->cert) == 0) {
+	st_logf("private key NULL\n");
+	return CKR_ARGUMENTS_BAD;
+    }
+
+    switch(state->sign_mechanism->mechanism) {
+    case CKM_RSA_PKCS:
+	alg = hx509_signature_rsa_pkcs1_x509();
+	break;
+    default:
+	ret = CKR_FUNCTION_NOT_SUPPORTED;
+	goto out;
+    }
+    
+    data.data = pData;
+    data.length = ulDataLen;
+
+    hret = _hx509_create_signature(context,
+				   _hx509_cert_private_key(o->cert),
+				   alg,
+				   &data,
+				   NULL,
+				   &sig);
+    if (hret) {
+	ret = CKR_DEVICE_ERROR;
+	goto out;
+    }
+    *pulSignatureLen = sig.length;
+
+    if (pSignature != NULL_PTR)
+	memcpy(pSignature, sig.data, sig.length);
+
+    ret = CKR_OK;
+ out:
+    if (sig.data) {
+	memset(sig.data, 0, sig.length);
+	der_free_octet_string(&sig);
+    }
+    return ret;
+}
+
+CK_RV
+C_SignUpdate(CK_SESSION_HANDLE hSession,
+	     CK_BYTE_PTR pPart,
+	     CK_ULONG ulPartLen)
+{
+    INIT_CONTEXT();
+    st_logf("SignUpdate\n");
+    VERIFY_SESSION_HANDLE(hSession, NULL);
+    return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+
+CK_RV
+C_SignFinal(CK_SESSION_HANDLE hSession,
+	    CK_BYTE_PTR pSignature,
+	    CK_ULONG_PTR pulSignatureLen)
+{
+    INIT_CONTEXT();
+    st_logf("SignUpdate\n");
+    VERIFY_SESSION_HANDLE(hSession, NULL);
+    return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+C_VerifyInit(CK_SESSION_HANDLE hSession,
+	     CK_MECHANISM_PTR pMechanism,
+	     CK_OBJECT_HANDLE hKey)
+{
+    struct session_state *state;
+    CK_MECHANISM_TYPE mechs[] = { CKM_RSA_PKCS };
+    CK_BBOOL bool_true = CK_TRUE;
+    CK_ATTRIBUTE attr[] = {
+	{ CKA_VERIFY, &bool_true, sizeof(bool_true) }
+    };
+    struct st_object *o;
+    CK_RV ret;
+
+    INIT_CONTEXT();
+    st_logf("VerifyInit\n");
+    VERIFY_SESSION_HANDLE(hSession, &state);
+    
+    ret = commonInit(attr, sizeof(attr)/sizeof(attr[0]), 
+		     mechs, sizeof(mechs)/sizeof(mechs[0]),
+		     pMechanism, hKey, &o);
+    if (ret)
+	return ret;
+
+    ret = dup_mechanism(&state->verify_mechanism, pMechanism);
+    if (ret == CKR_OK) 
+	state->verify_object = OBJECT_ID(o);
+			
+    return ret;
+}
+
+CK_RV
+C_Verify(CK_SESSION_HANDLE hSession,
+	 CK_BYTE_PTR pData,
+	 CK_ULONG ulDataLen,
+	 CK_BYTE_PTR pSignature,
+	 CK_ULONG ulSignatureLen)
+{
+    struct session_state *state;
+    struct st_object *o;
+    const AlgorithmIdentifier *alg;
+    CK_RV ret;
+    int hret;
+    heim_octet_string data, sig;
+
+    INIT_CONTEXT();
+    st_logf("Verify\n");
+    VERIFY_SESSION_HANDLE(hSession, &state);
+
+    if (state->verify_object == -1)
+	return CKR_ARGUMENTS_BAD;
+
+    o = soft_token.object.objs[state->verify_object];
+
+    switch(state->verify_mechanism->mechanism) {
+    case CKM_RSA_PKCS:
+	alg = hx509_signature_rsa_pkcs1_x509();
+	break;
+    default:
+	ret = CKR_FUNCTION_NOT_SUPPORTED;
+	goto out;
+    }
+
+    sig.data = pData;
+    sig.length = ulDataLen;
+    data.data = pSignature;
+    data.length = ulSignatureLen;
+
+    hret = _hx509_verify_signature(context,
+				   _hx509_get_cert(o->cert),
+				   alg,
+				   &data,
+				   &sig);
+    if (hret) {
+	ret = CKR_GENERAL_ERROR;
+	goto out;
+    }
+    ret = CKR_OK;
+
+ out:
+    return ret;
+}
+
+
+CK_RV
+C_VerifyUpdate(CK_SESSION_HANDLE hSession,
+	       CK_BYTE_PTR pPart,
+	       CK_ULONG ulPartLen)
+{
+    INIT_CONTEXT();
+    st_logf("VerifyUpdate\n");
+    VERIFY_SESSION_HANDLE(hSession, NULL);
+    return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+C_VerifyFinal(CK_SESSION_HANDLE hSession,
+	      CK_BYTE_PTR pSignature,
+	      CK_ULONG ulSignatureLen)
+{
+    INIT_CONTEXT();
+    st_logf("VerifyFinal\n");
+    VERIFY_SESSION_HANDLE(hSession, NULL);
+    return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+C_GenerateRandom(CK_SESSION_HANDLE hSession,
+		 CK_BYTE_PTR RandomData,
+		 CK_ULONG ulRandomLen)
+{
+    INIT_CONTEXT();
+    st_logf("GenerateRandom\n");
+    VERIFY_SESSION_HANDLE(hSession, NULL);
+    return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+
+CK_FUNCTION_LIST funcs = {
+    { 2, 11 },
+    C_Initialize,
+    C_Finalize,
+    C_GetInfo,
+    C_GetFunctionList,
+    C_GetSlotList,
+    C_GetSlotInfo,
+    C_GetTokenInfo,
+    C_GetMechanismList,
+    C_GetMechanismInfo,
+    C_InitToken,
+    (void *)func_not_supported, /* C_InitPIN */
+    (void *)func_not_supported, /* C_SetPIN */
+    C_OpenSession,
+    C_CloseSession,
+    C_CloseAllSessions,
+    C_GetSessionInfo,
+    (void *)func_not_supported, /* C_GetOperationState */
+    (void *)func_not_supported, /* C_SetOperationState */
+    C_Login,
+    C_Logout,
+    (void *)func_not_supported, /* C_CreateObject */
+    (void *)func_not_supported, /* C_CopyObject */
+    (void *)func_not_supported, /* C_DestroyObject */
+    (void *)func_not_supported, /* C_GetObjectSize */
+    C_GetAttributeValue,
+    (void *)func_not_supported, /* C_SetAttributeValue */
+    C_FindObjectsInit,
+    C_FindObjects,
+    C_FindObjectsFinal,
+    (void *)func_not_supported, /* C_EncryptInit, */
+    (void *)func_not_supported, /* C_Encrypt, */
+    (void *)func_not_supported, /* C_EncryptUpdate, */
+    (void *)func_not_supported, /* C_EncryptFinal, */
+    (void *)func_not_supported, /* C_DecryptInit, */
+    (void *)func_not_supported, /* C_Decrypt, */
+    (void *)func_not_supported, /* C_DecryptUpdate, */
+    (void *)func_not_supported, /* C_DecryptFinal, */
+    C_DigestInit,
+    (void *)func_not_supported, /* C_Digest */
+    (void *)func_not_supported, /* C_DigestUpdate */
+    (void *)func_not_supported, /* C_DigestKey */
+    (void *)func_not_supported, /* C_DigestFinal */
+    C_SignInit,
+    C_Sign,
+    C_SignUpdate,
+    C_SignFinal,
+    (void *)func_not_supported, /* C_SignRecoverInit */
+    (void *)func_not_supported, /* C_SignRecover */
+    C_VerifyInit,
+    C_Verify,
+    C_VerifyUpdate,
+    C_VerifyFinal,
+    (void *)func_not_supported, /* C_VerifyRecoverInit */
+    (void *)func_not_supported, /* C_VerifyRecover */
+    (void *)func_not_supported, /* C_DigestEncryptUpdate */
+    (void *)func_not_supported, /* C_DecryptDigestUpdate */
+    (void *)func_not_supported, /* C_SignEncryptUpdate */
+    (void *)func_not_supported, /* C_DecryptVerifyUpdate */
+    (void *)func_not_supported, /* C_GenerateKey */
+    (void *)func_not_supported, /* C_GenerateKeyPair */
+    (void *)func_not_supported, /* C_WrapKey */
+    (void *)func_not_supported, /* C_UnwrapKey */
+    (void *)func_not_supported, /* C_DeriveKey */
+    (void *)func_not_supported, /* C_SeedRandom */
+    C_GenerateRandom,
+    (void *)func_not_supported, /* C_GetFunctionStatus */
+    (void *)func_not_supported, /* C_CancelFunction */
+    (void *)func_not_supported  /* C_WaitForSlotEvent */
+};
diff --git a/crypto/heimdal/lib/hx509/test_ca.in b/crypto/heimdal/lib/hx509/test_ca.in
new file mode 100644
index 0000000..5cc124d
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/test_ca.in
@@ -0,0 +1,424 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: test_ca.in 21345 2007-06-26 14:22:57Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+stat="--statistic-file=${objdir}/statfile"
+
+hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}"
+
+if ${hxtool} info | grep 'rsa: hcrypto null RSA' > /dev/null ; then
+    exit 77
+fi
+if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
+    exit 77
+fi
+
+echo "create certificate request"
+${hxtool} request-create \
+	 --subject="CN=Love,DC=it,DC=su,DC=se" \
+	 --key=FILE:$srcdir/data/key.der \
+	 pkcs10-request.der || exit 1
+
+echo "issue certificate"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
+	  --subject="cn=foo" \
+	  --req="PKCS10:pkcs10-request.der" \
+	  --certificate="FILE:cert-ee.pem" || exit 1
+
+echo "verify certificate"
+${hxtool} verify --missing-revoke \
+	cert:FILE:cert-ee.pem \
+	anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
+
+echo "issue crl (no cert)"
+${hxtool} crl-sign \
+	--crl-file=crl.crl \
+	--signer=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key || exit 1
+
+echo "verify certificate (with CRL)"
+${hxtool} verify \
+	cert:FILE:cert-ee.pem \
+	crl:FILE:crl.crl \
+	anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
+
+echo "issue crl (with cert)"
+${hxtool} crl-sign \
+	--crl-file=crl.crl \
+	--signer=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
+	FILE:cert-ee.pem || exit 1
+
+echo "verify certificate (included in CRL)"
+${hxtool} verify \
+	cert:FILE:cert-ee.pem \
+	crl:FILE:crl.crl \
+	anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1
+
+echo "issue crl (with cert)"
+${hxtool} crl-sign \
+	--crl-file=crl.crl \
+	--lifetime='1 month' \
+	--signer=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
+	FILE:cert-ee.pem || exit 1
+
+echo "verify certificate (included in CRL, and lifetime 1 month)"
+${hxtool} verify \
+	cert:FILE:cert-ee.pem \
+	crl:FILE:crl.crl \
+	anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1
+
+echo "issue certificate (10years 1 month)"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
+	  --subject="cn=foo" \
+          --lifetime="10years 1 month" \
+	  --req="PKCS10:pkcs10-request.der" \
+	  --certificate="FILE:cert-ee.pem" || exit 1
+
+echo "issue certificate (with https ekus)"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
+	  --subject="cn=foo" \
+	  --type="https-server" \
+	  --type="https-client" \
+	  --req="PKCS10:pkcs10-request.der" \
+	  --certificate="FILE:cert-ee.pem" || exit 1
+
+echo "issue certificate (pkinit KDC)"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
+	  --subject="cn=foo" \
+	  --type="pkinit-kdc" \
+          --pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \
+	  --req="PKCS10:pkcs10-request.der" \
+	  --certificate="FILE:cert-ee.pem" || exit 1
+
+echo "issue certificate (pkinit client)"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
+	  --subject="cn=foo" \
+	  --type="pkinit-client" \
+          --pk-init-principal="lha@TEST.H5L.SE" \
+	  --req="PKCS10:pkcs10-request.der" \
+	  --certificate="FILE:cert-ee.pem" || exit 1
+
+echo "issue certificate (hostnames)"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
+	  --subject="cn=foo" \
+	  --type="https-server" \
+          --hostname="www.test.h5l.se" \
+          --hostname="ftp.test.h5l.se" \
+	  --req="PKCS10:pkcs10-request.der" \
+	  --certificate="FILE:cert-ee.pem" || exit 1
+
+echo "verify certificate hostname (ok)"
+${hxtool} verify --missing-revoke \
+	--hostname=www.test.h5l.se \
+	cert:FILE:cert-ee.pem \
+	anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
+
+echo "verify certificate hostname (fail)"
+${hxtool} verify --missing-revoke \
+	--hostname=www2.test.h5l.se \
+	cert:FILE:cert-ee.pem \
+	anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1
+
+echo "verify certificate hostname (fail)"
+${hxtool} verify --missing-revoke \
+	--hostname=2www.test.h5l.se \
+	cert:FILE:cert-ee.pem \
+	anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1
+
+echo "issue certificate (hostname in CN)"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
+	  --subject="cn=www.test.h5l.se" \
+	  --type="https-server" \
+	  --req="PKCS10:pkcs10-request.der" \
+	  --certificate="FILE:cert-ee.pem" || exit 1
+
+echo "verify certificate hostname (ok)"
+${hxtool} verify --missing-revoke \
+	--hostname=www.test.h5l.se \
+	cert:FILE:cert-ee.pem \
+	anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
+
+echo "verify certificate hostname (fail)"
+${hxtool} verify --missing-revoke \
+	--hostname=www2.test.h5l.se \
+	cert:FILE:cert-ee.pem \
+	anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1
+
+echo "issue certificate (email)"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
+	  --subject="cn=foo" \
+          --email="lha@test.h5l.se" \
+          --email="test@test.h5l.se" \
+	  --req="PKCS10:pkcs10-request.der" \
+	  --certificate="FILE:cert-ee.pem" || exit 1
+
+echo "issue certificate (email, null subject DN)"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
+	  --subject="" \
+          --email="lha@test.h5l.se" \
+	  --req="PKCS10:pkcs10-request.der" \
+	  --certificate="FILE:cert-null.pem" || exit 1
+
+echo "issue certificate (jabber)"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
+	  --subject="cn=foo" \
+          --jid="lha@test.h5l.se" \
+	  --req="PKCS10:pkcs10-request.der" \
+	  --certificate="FILE:cert-ee.pem" || exit 1
+
+echo "issue self-signed cert"
+${hxtool} issue-certificate \
+	  --self-signed \
+	  --ca-private-key=FILE:$srcdir/data/key.der \
+	  --subject="cn=test" \
+	  --certificate="FILE:cert-ee.pem" || exit 1
+
+echo "issue ca cert"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:$srcdir/data/ca.crt,$srcdir/data/ca.key \
+	  --issue-ca \
+	  --subject="cn=ca-cert" \
+	  --req="PKCS10:pkcs10-request.der" \
+	  --certificate="FILE:cert-ca.der" || exit 1
+
+echo "issue self-signed ca cert"
+${hxtool} issue-certificate \
+	  --self-signed \
+	  --issue-ca \
+	  --ca-private-key=FILE:$srcdir/data/key.der \
+	  --subject="cn=ca-root" \
+	  --certificate="FILE:cert-ca.der" || exit 1
+
+echo "issue proxy certificate"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
+	  --issue-proxy \
+	  --req="PKCS10:pkcs10-request.der" \
+	  --certificate="FILE:cert-proxy.der" || exit 1
+
+echo "verify proxy cert"
+${hxtool} verify --missing-revoke \
+    --allow-proxy-certificate \
+    cert:FILE:cert-proxy.der \
+    chain:FILE:$srcdir/data/test.crt \
+    anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
+
+echo "issue ca cert (generate rsa key)"
+${hxtool} issue-certificate \
+	  --self-signed \
+	  --issue-ca \
+ 	  --serial-number="deadbeaf" \
+	  --generate-key=rsa \
+          --path-length=-1 \
+	  --subject="cn=ca2-cert" \
+	  --certificate="FILE:cert-ca.pem" || exit 1
+
+echo "issue sub-ca cert (generate rsa key)"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:cert-ca.pem \
+	  --issue-ca \
+ 	  --serial-number="deadbeaf22" \
+	  --generate-key=rsa \
+	  --subject="cn=sub-ca2-cert" \
+	  --certificate="FILE:cert-sub-ca.pem" || exit 1
+
+echo "issue ee cert (generate rsa key)"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:cert-ca.pem \
+	  --generate-key=rsa \
+	  --subject="cn=cert-ee2" \
+	  --certificate="FILE:cert-ee.pem" || exit 1
+
+echo "issue sub-ca ee cert (generate rsa key)"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:cert-sub-ca.pem \
+	  --generate-key=rsa \
+	  --subject="cn=cert-sub-ee2" \
+	  --certificate="FILE:cert-sub-ee.pem" || exit 1
+
+echo "verify certificate (ee)"
+${hxtool} verify --missing-revoke \
+	cert:FILE:cert-ee.pem \
+	anchor:FILE:cert-ca.pem > /dev/null || exit 1
+
+echo "verify certificate (sub-ee)"
+${hxtool} verify --missing-revoke \
+	cert:FILE:cert-sub-ee.pem \
+	chain:FILE:cert-sub-ca.pem \
+	anchor:FILE:cert-ca.pem || exit 1
+
+echo "sign CMS signature (generate key)"
+${hxtool} cms-create-sd \
+	--certificate=FILE:cert-ee.pem \
+	"$srcdir/test_name.c" \
+	sd.data > /dev/null || exit 1
+
+echo "verify CMS signature (generate key)"
+${hxtool} cms-verify-sd \
+	--missing-revoke \
+	--anchors=FILE:cert-ca.pem \
+	sd.data sd.data.out > /dev/null || exit 1
+cmp "$srcdir/test_name.c" sd.data.out || exit 1
+
+echo "extend ca cert"
+${hxtool} issue-certificate \
+	  --self-signed \
+	  --issue-ca \
+          --lifetime="2years" \
+ 	  --serial-number="deadbeaf" \
+	  --ca-private-key=FILE:cert-ca.pem \
+	  --subject="cn=ca2-cert" \
+	  --certificate="FILE:cert-ca.pem" || exit 1
+
+echo "verify certificate generated by previous ca"
+${hxtool} verify --missing-revoke \
+	cert:FILE:cert-ee.pem \
+	anchor:FILE:cert-ca.pem > /dev/null || exit 1
+
+echo "extend ca cert (template)"
+${hxtool} issue-certificate \
+	  --self-signed \
+	  --issue-ca \
+          --lifetime="3years" \
+	  --template-certificate="FILE:cert-ca.pem" \
+	  --template-fields="serialNumber,notBefore,subject" \
+          --path-length=-1 \
+	  --ca-private-key=FILE:cert-ca.pem \
+	  --certificate="FILE:cert-ca.pem" || exit 1
+
+echo "verify certificate generated by previous ca"
+${hxtool} verify --missing-revoke \
+	cert:FILE:cert-ee.pem \
+	anchor:FILE:cert-ca.pem > /dev/null || exit 1
+
+echo "extend sub-ca cert (template)"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:cert-ca.pem \
+	  --issue-ca \
+          --lifetime="2years" \
+	  --template-certificate="FILE:cert-sub-ca.pem" \
+	  --template-fields="serialNumber,notBefore,subject,SPKI" \
+	  --certificate="FILE:cert-sub-ca2.pem" || exit 1
+
+echo "verify certificate (sub-ee) with extended chain"
+${hxtool} verify --missing-revoke \
+	cert:FILE:cert-sub-ee.pem \
+	chain:FILE:cert-sub-ca.pem \
+	anchor:FILE:cert-ca.pem > /dev/null || exit 1
+
+echo "+++++++++++ test basic constraints"
+
+echo "extend ca cert (too low path-length constraint)"
+${hxtool} issue-certificate \
+	  --self-signed \
+	  --issue-ca \
+          --lifetime="3years" \
+	  --template-certificate="FILE:cert-ca.pem" \
+	  --template-fields="serialNumber,notBefore,subject" \
+          --path-length=0 \
+	  --ca-private-key=FILE:cert-ca.pem \
+	  --certificate="FILE:cert-ca.pem" || exit 1
+
+echo "verify failure of certificate (sub-ee) with path-length constraint"
+${hxtool} verify --missing-revoke \
+	cert:FILE:cert-sub-ee.pem \
+	chain:FILE:cert-sub-ca.pem \
+	anchor:FILE:cert-ca.pem > /dev/null && exit 1
+
+echo "extend ca cert (exact path-length constraint)"
+${hxtool} issue-certificate \
+	  --self-signed \
+	  --issue-ca \
+          --lifetime="3years" \
+	  --template-certificate="FILE:cert-ca.pem" \
+	  --template-fields="serialNumber,notBefore,subject" \
+          --path-length=1 \
+	  --ca-private-key=FILE:cert-ca.pem \
+	  --certificate="FILE:cert-ca.pem" || exit 1
+
+echo "verify certificate (sub-ee) with exact path-length constraint"
+${hxtool} verify --missing-revoke \
+	cert:FILE:cert-sub-ee.pem \
+	chain:FILE:cert-sub-ca.pem \
+	anchor:FILE:cert-ca.pem > /dev/null || exit 1
+
+echo "Check missing basicConstrants.isCa"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:cert-ca.pem \
+          --lifetime="2years" \
+	  --template-certificate="FILE:cert-sub-ca.pem" \
+	  --template-fields="serialNumber,notBefore,subject,SPKI" \
+	  --certificate="FILE:cert-sub-ca2.pem" || exit 1
+
+echo "verify failure certificate (sub-ee) with missing isCA"
+${hxtool} verify --missing-revoke \
+	cert:FILE:cert-sub-ee.pem \
+	chain:FILE:cert-sub-ca2.pem \
+	anchor:FILE:cert-ca.pem > /dev/null && exit 1
+
+echo "issue ee cert (crl uri)"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:cert-ca.pem \
+	  --req="PKCS10:pkcs10-request.der" \
+	  --crl-uri="http://www.test.h5l.se/crl1.crl" \
+	  --subject="cn=cert-ee-crl-uri" \
+	  --certificate="FILE:cert-ee.pem" || exit 1
+
+echo "issue null subject cert"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:cert-ca.pem \
+	  --req="PKCS10:pkcs10-request.der" \
+	  --subject="" \
+	  --email="lha@test.h5l.se" \
+	  --certificate="FILE:cert-ee.pem" || exit 1
+
+echo "verify certificate null subject"
+${hxtool} verify --missing-revoke \
+	cert:FILE:cert-ee.pem \
+	anchor:FILE:cert-ca.pem > /dev/null || exit 1
+
+exit 0
diff --git a/crypto/heimdal/lib/hx509/test_cert.in b/crypto/heimdal/lib/hx509/test_cert.in
new file mode 100644
index 0000000..ed04bfa
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/test_cert.in
@@ -0,0 +1,69 @@
+#!/bin/sh
+#
+# Copyright (c) 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: test_chain.in 20809 2007-06-03 03:19:06Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}"
+if ${hxtool} info | grep 'rsa: hcrypto null RSA' > /dev/null ; then
+    exit 77
+fi
+if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
+    exit 77
+fi
+
+echo "print DIR"
+${hxtool} print --content DIR:$srcdir/data > /dev/null || exit 1
+
+echo "print FILE"
+for a in $srcdir/data/*.crt; do 
+    ${hxtool} print --content FILE:"$a" > /dev/null 2>/dev/null
+done
+
+echo "print NULL"
+${hxtool} print --content NULL: > /dev/null || exit 1
+
+echo "copy dance"
+${hxtool} certificate-copy \
+    FILE:${srcdir}/data/test.crt PEM-FILE:cert-pem.tmp || exit 1
+
+${hxtool} certificate-copy PEM-FILE:cert-pem.tmp DER-FILE:cert-der.tmp || exit 1
+${hxtool} certificate-copy DER-FILE:cert-der.tmp PEM-FILE:cert-pem2.tmp || exit 1
+
+cmp cert-pem.tmp cert-pem2.tmp || exit 1
+
+
+exit 0
diff --git a/crypto/heimdal/lib/hx509/test_chain.in b/crypto/heimdal/lib/hx509/test_chain.in
new file mode 100644
index 0000000..a99ae5e
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/test_chain.in
@@ -0,0 +1,242 @@
+#!/bin/sh
+#
+# Copyright (c) 2004 - 2006 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: test_chain.in 21278 2007-06-25 04:54:43Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+stat="--statistic-file=${objdir}/statfile"
+
+hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}"
+if ${hxtool} info | grep 'rsa: hcrypto null RSA' > /dev/null ; then
+    exit 77
+fi
+if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
+    exit 77
+fi
+
+echo "cert -> root"
+${hxtool} verify --missing-revoke \
+	cert:FILE:$srcdir/data/test.crt \
+	chain:FILE:$srcdir/data/test.crt \
+	chain:FILE:$srcdir/data/ca.crt \
+	anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
+
+echo "cert -> root"
+${hxtool} verify --missing-revoke \
+	cert:FILE:$srcdir/data/test.crt \
+	chain:FILE:$srcdir/data/ca.crt \
+	anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
+
+echo "cert -> root"
+${hxtool} verify --missing-revoke \
+	cert:FILE:$srcdir/data/test.crt \
+	anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
+
+echo "sub-cert -> root"
+${hxtool} verify --missing-revoke \
+	cert:FILE:$srcdir/data/sub-cert.crt \
+	chain:FILE:$srcdir/data/ca.crt \
+	anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1
+
+echo "sub-cert -> sub-ca -> root"
+${hxtool} verify --missing-revoke \
+	cert:FILE:$srcdir/data/sub-cert.crt \
+	chain:FILE:$srcdir/data/sub-ca.crt \
+	chain:FILE:$srcdir/data/ca.crt \
+	anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
+
+echo "sub-cert -> sub-ca"
+${hxtool} verify --missing-revoke \
+	cert:FILE:$srcdir/data/sub-cert.crt \
+	anchor:FILE:$srcdir/data/sub-ca.crt > /dev/null || exit 1
+
+echo "sub-cert -> sub-ca -> root"
+${hxtool} verify --missing-revoke \
+	cert:FILE:$srcdir/data/sub-cert.crt \
+	chain:FILE:$srcdir/data/sub-ca.crt \
+	chain:FILE:$srcdir/data/ca.crt \
+	anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
+
+echo "sub-cert -> sub-ca -> root"
+${hxtool} verify --missing-revoke \
+	cert:FILE:$srcdir/data/sub-cert.crt \
+	chain:FILE:$srcdir/data/ca.crt \
+	chain:FILE:$srcdir/data/sub-ca.crt \
+	anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
+
+echo "sub-cert -> sub-ca -> root"
+${hxtool} verify --missing-revoke \
+	cert:FILE:$srcdir/data/sub-cert.crt \
+	chain:FILE:$srcdir/data/sub-ca.crt \
+	anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
+
+echo "max depth 2 (ok)"
+${hxtool} verify --missing-revoke \
+	--max-depth=2 \
+	cert:FILE:$srcdir/data/sub-cert.crt \
+	chain:FILE:$srcdir/data/sub-ca.crt \
+	anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1
+
+echo "max depth 1 (fail)"
+${hxtool} verify --missing-revoke \
+	--max-depth=1 \
+	cert:FILE:$srcdir/data/sub-cert.crt \
+	chain:FILE:$srcdir/data/sub-ca.crt \
+	anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1
+
+echo "ocsp non-ca responder"
+${hxtool} verify \
+    cert:FILE:$srcdir/data/test.crt \
+    anchor:FILE:$srcdir/data/ca.crt \
+    ocsp:FILE:$srcdir/data/ocsp-resp1-ocsp.der > /dev/null || exit 1
+
+echo "ocsp ca responder"
+${hxtool} verify \
+    cert:FILE:$srcdir/data/test.crt \
+    anchor:FILE:$srcdir/data/ca.crt \
+    ocsp:FILE:$srcdir/data/ocsp-resp1-ca.der > /dev/null || exit 1
+
+echo "ocsp no-ca responder, missing cert"
+${hxtool} verify \
+    cert:FILE:$srcdir/data/test.crt \
+    anchor:FILE:$srcdir/data/ca.crt \
+    ocsp:FILE:$srcdir/data/ocsp-resp1-ocsp-no-cert.der > /dev/null && exit 1
+
+echo "ocsp no-ca responder, missing cert, in pool"
+${hxtool} verify \
+    cert:FILE:$srcdir/data/test.crt \
+    anchor:FILE:$srcdir/data/ca.crt \
+    ocsp:FILE:$srcdir/data/ocsp-resp1-ocsp-no-cert.der \
+    chain:FILE:$srcdir/data/ocsp-responder.crt > /dev/null || exit 1
+
+echo "ocsp no-ca responder, keyHash"
+${hxtool} verify \
+    cert:FILE:$srcdir/data/test.crt \
+    anchor:FILE:$srcdir/data/ca.crt \
+    ocsp:FILE:$srcdir/data/ocsp-resp1-keyhash.der > /dev/null || exit 1
+
+echo "ocsp revoked cert"
+${hxtool} verify \
+    cert:FILE:$srcdir/data/revoke.crt \
+    anchor:FILE:$srcdir/data/ca.crt \
+    ocsp:FILE:$srcdir/data/ocsp-resp2.der > /dev/null && exit 1
+
+for a in resp1-ocsp-no-cert resp1-ca resp1-keyhash resp2 ; do
+	echo "ocsp print reply $a"
+	${hxtool} ocsp-print \
+	    $srcdir/data/ocsp-${a}.der > /dev/null || exit 1
+done
+
+echo "ocsp verify exists"
+${hxtool} ocsp-verify \
+	--ocsp-file=$srcdir/data/ocsp-resp1-ca.der \
+	FILE:$srcdir/data/test.crt > /dev/null || exit 1
+
+echo "ocsp verify not exists"
+${hxtool} ocsp-verify \
+    --ocsp-file=$srcdir/data/ocsp-resp1.der \
+	FILE:$srcdir/data/ca.crt > /dev/null && exit 1
+
+echo "ocsp verify revoked"
+${hxtool} ocsp-verify \
+    --ocsp-file=$srcdir/data/ocsp-resp2.der \
+	FILE:$srcdir/data/revoke.crt > /dev/null && exit 1
+
+echo "crl non-revoked cert"
+${hxtool} verify \
+    cert:FILE:$srcdir/data/test.crt \
+    anchor:FILE:$srcdir/data/ca.crt \
+    crl:FILE:$srcdir/data/crl1.der > /dev/null || exit 1
+
+echo "crl revoked cert"
+${hxtool} verify \
+    cert:FILE:$srcdir/data/revoke.crt \
+    anchor:FILE:$srcdir/data/ca.crt \
+    crl:FILE:$srcdir/data/crl1.der > /dev/null && exit 1
+
+echo "proxy cert"
+${hxtool} verify --missing-revoke \
+    --allow-proxy-certificate \
+    cert:FILE:$srcdir/data/proxy-test.crt \
+    chain:FILE:$srcdir/data/test.crt \
+    anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
+
+echo "proxy cert (negative)"
+${hxtool} verify --missing-revoke \
+    cert:FILE:$srcdir/data/proxy-test.crt \
+    chain:FILE:$srcdir/data/test.crt \
+    anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1
+
+echo "proxy cert (level fail)"
+${hxtool} verify --missing-revoke \
+    --allow-proxy-certificate \
+    cert:FILE:$srcdir/data/proxy-level-test.crt \
+    chain:FILE:$srcdir/data/proxy-test.crt \
+    chain:FILE:$srcdir/data/test.crt \
+    anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1
+
+echo "not a proxy cert"
+${hxtool} verify --missing-revoke \
+    --allow-proxy-certificate \
+    cert:FILE:$srcdir/data/no-proxy-test.crt \
+    chain:FILE:$srcdir/data/test.crt \
+    anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1
+
+echo "proxy cert (max level 10)"
+${hxtool} verify --missing-revoke \
+    --allow-proxy-certificate \
+    cert:FILE:$srcdir/data/proxy10-test.crt \
+    chain:FILE:$srcdir/data/test.crt \
+    anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
+
+echo "proxy cert (second level)"
+${hxtool} verify --missing-revoke \
+    --allow-proxy-certificate \
+    cert:FILE:$srcdir/data/proxy10-child-test.crt \
+    chain:FILE:$srcdir/data/proxy10-test.crt \
+    chain:FILE:$srcdir/data/test.crt \
+    anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
+
+echo "proxy cert (third level)"
+${hxtool} verify --missing-revoke \
+    --allow-proxy-certificate \
+    cert:FILE:$srcdir/data/proxy10-child-child-test.crt \
+    chain:FILE:$srcdir/data/proxy10-child-test.crt \
+    chain:FILE:$srcdir/data/proxy10-test.crt \
+    chain:FILE:$srcdir/data/test.crt \
+    anchor:FILE:$srcdir/data/ca.crt > /dev/null || exit 1
+
+exit 0
diff --git a/crypto/heimdal/lib/hx509/test_cms.in b/crypto/heimdal/lib/hx509/test_cms.in
new file mode 100644
index 0000000..a89e810
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/test_cms.in
@@ -0,0 +1,377 @@
+#!/bin/sh
+#
+# Copyright (c) 2005 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: test_cms.in 21311 2007-06-25 18:26:37Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+stat="--statistic-file=${objdir}/statfile"
+
+hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}"
+
+if ${hxtool} info | grep 'rsa: hcrypto null RSA' > /dev/null ; then
+    exit 77
+fi
+if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
+    exit 77
+fi
+
+echo "create signed data"
+${hxtool} cms-create-sd \
+	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
+	"$srcdir/test_chain.in" \
+	sd.data > /dev/null || exit 1
+
+echo "verify signed data"
+${hxtool} cms-verify-sd \
+	--missing-revoke \
+	--anchors=FILE:$srcdir/data/ca.crt \
+	sd.data sd.data.out > /dev/null || exit 1
+cmp "$srcdir/test_chain.in" sd.data.out || exit 1
+
+echo "create signed data (id-by-name)"
+${hxtool} cms-create-sd \
+	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
+	--id-by-name \
+	"$srcdir/test_chain.in" \
+	sd.data > /dev/null || exit 1
+
+echo "verify signed data"
+${hxtool} cms-verify-sd \
+	--missing-revoke \
+	--anchors=FILE:$srcdir/data/ca.crt \
+	sd.data sd.data.out > /dev/null || exit 1
+cmp "$srcdir/test_chain.in" sd.data.out || exit 1
+
+echo "verify signed data (EE cert as anchor)"
+${hxtool} cms-verify-sd \
+	--missing-revoke \
+	--anchors=FILE:$srcdir/data/test.crt \
+	sd.data sd.data.out > /dev/null || exit 1
+cmp "$srcdir/test_chain.in" sd.data.out || exit 1
+
+echo "create signed data (password)"
+${hxtool} cms-create-sd \
+	--pass=PASS:foobar \
+	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test-pw.key \
+	"$srcdir/test_chain.in" \
+	sd.data > /dev/null || exit 1
+
+echo "verify signed data"
+${hxtool} cms-verify-sd \
+	--missing-revoke \
+	--anchors=FILE:$srcdir/data/ca.crt \
+	sd.data sd.data.out > /dev/null || exit 1
+cmp "$srcdir/test_chain.in" sd.data.out || exit 1
+
+echo "create signed data (combined)"
+${hxtool} cms-create-sd \
+	--certificate=FILE:$srcdir/data/test.combined.crt \
+	"$srcdir/test_chain.in" \
+	sd.data > /dev/null || exit 1
+
+echo "verify signed data"
+${hxtool} cms-verify-sd \
+	--missing-revoke \
+	--anchors=FILE:$srcdir/data/ca.crt \
+	sd.data sd.data.out > /dev/null || exit 1
+cmp "$srcdir/test_chain.in" sd.data.out || exit 1
+
+echo "create signed data  (content info)"
+${hxtool} cms-create-sd \
+	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
+	--content-info \
+	"$srcdir/test_chain.in" \
+	sd.data > /dev/null || exit 1
+
+echo "verify signed data (content info)"
+${hxtool} cms-verify-sd \
+	--missing-revoke \
+	--anchors=FILE:$srcdir/data/ca.crt \
+	--content-info \
+	sd.data sd.data.out > /dev/null || exit 1
+cmp "$srcdir/test_chain.in" sd.data.out || exit 1
+
+echo "create signed data  (content type)"
+${hxtool} cms-create-sd \
+	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
+	--content-type=1.1.1.1 \
+	"$srcdir/test_chain.in" \
+	sd.data > /dev/null || exit 1
+
+echo "verify signed data (content type)"
+${hxtool} cms-verify-sd \
+	--missing-revoke \
+	--anchors=FILE:$srcdir/data/ca.crt \
+	sd.data sd.data.out > /dev/null || exit 1
+cmp "$srcdir/test_chain.in" sd.data.out || exit 1
+
+echo "create signed data (pem)"
+${hxtool} cms-create-sd \
+	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
+	--pem \
+	"$srcdir/test_chain.in" \
+	sd.data > /dev/null || exit 1
+
+echo "create signed data (pem, detached)"
+${hxtool} cms-create-sd \
+	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
+	--detached-signature \
+	--pem \
+	"$srcdir/test_chain.in" \
+	sd.data > /dev/null || exit 1
+
+echo "create signed data (p12)"
+${hxtool} cms-create-sd \
+	--pass=PASS:foobar \
+	--certificate=PKCS12:$srcdir/data/test.p12 \
+	--signer=friendlyname-test \
+	"$srcdir/test_chain.in" \
+	sd.data > /dev/null || exit 1
+
+echo "verify signed data"
+${hxtool} cms-verify-sd \
+	--missing-revoke \
+	--anchors=FILE:$srcdir/data/ca.crt \
+	--content-info \
+	"$srcdir/data/test-signed-data" sd.data.out > /dev/null || exit 1
+cmp "$srcdir/data/static-file" sd.data.out || exit 1
+
+echo "verify signed data (no attr)"
+${hxtool} cms-verify-sd \
+	--missing-revoke \
+	--anchors=FILE:$srcdir/data/ca.crt \
+	--content-info \
+	"$srcdir/data/test-signed-data-noattr" sd.data.out > /dev/null || exit 1
+cmp "$srcdir/data/static-file" sd.data.out || exit 1
+
+echo "verify failure signed data (no attr, no certs)"
+${hxtool} cms-verify-sd \
+	--missing-revoke \
+	--anchors=FILE:$srcdir/data/ca.crt \
+	--content-info \
+	"$srcdir/data/test-signed-data-noattr-nocerts" \
+	sd.data.out > /dev/null 2>/dev/null && exit 1
+
+echo "verify signed data (no attr, no certs)"
+${hxtool} cms-verify-sd \
+	--missing-revoke \
+	--anchors=FILE:$srcdir/data/ca.crt \
+	--certificate=FILE:$srcdir/data/test.crt \
+	--content-info \
+	"$srcdir/data/test-signed-data-noattr-nocerts" \
+	sd.data.out > /dev/null || exit 1
+cmp "$srcdir/data/static-file" sd.data.out || exit 1
+
+echo "create signed data (subcert, no certs)"
+${hxtool} cms-create-sd \
+	--certificate=FILE:$srcdir/data/sub-cert.crt,$srcdir/data/sub-cert.key \
+	"$srcdir/test_chain.in" \
+	sd.data > /dev/null || exit 1
+
+echo "verify failure signed data"
+${hxtool} cms-verify-sd \
+	--missing-revoke \
+	--anchors=FILE:$srcdir/data/ca.crt \
+	sd.data sd.data.out > /dev/null 2> /dev/null && exit 1
+
+echo "verify success signed data"
+${hxtool} cms-verify-sd \
+	--missing-revoke \
+	--certificate=FILE:$srcdir/data/sub-ca.crt \
+	--anchors=FILE:$srcdir/data/ca.crt \
+	sd.data sd.data.out > /dev/null || exit 1
+cmp "$srcdir/test_chain.in" sd.data.out || exit 1
+
+echo "create signed data (subcert, certs)"
+${hxtool} cms-create-sd \
+	--certificate=FILE:$srcdir/data/sub-cert.crt,$srcdir/data/sub-cert.key \
+	--pool=FILE:$srcdir/data/sub-ca.crt \
+	--anchors=FILE:$srcdir/data/ca.crt \
+	"$srcdir/test_chain.in" \
+	sd.data > /dev/null || exit 1
+
+echo "verify success signed data"
+${hxtool} cms-verify-sd \
+	--missing-revoke \
+	--anchors=FILE:$srcdir/data/ca.crt \
+	sd.data sd.data.out > /dev/null || exit 1
+cmp "$srcdir/test_chain.in" sd.data.out || exit 1
+
+echo "create signed data (subcert, certs, no-root)"
+${hxtool} cms-create-sd \
+	--certificate=FILE:$srcdir/data/sub-cert.crt,$srcdir/data/sub-cert.key \
+	--pool=FILE:$srcdir/data/sub-ca.crt \
+	"$srcdir/test_chain.in" \
+	sd.data > /dev/null || exit 1
+
+echo "verify success signed data"
+${hxtool} cms-verify-sd \
+	--missing-revoke \
+	--anchors=FILE:$srcdir/data/ca.crt \
+	sd.data sd.data.out > /dev/null || exit 1
+cmp "$srcdir/test_chain.in" sd.data.out || exit 1
+
+echo "create signed data (subcert, no-subca, no-root)"
+${hxtool} cms-create-sd \
+	--certificate=FILE:$srcdir/data/sub-cert.crt,$srcdir/data/sub-cert.key \
+	"$srcdir/test_chain.in" \
+	sd.data > /dev/null || exit 1
+
+echo "verify failure signed data"
+${hxtool} cms-verify-sd \
+	--missing-revoke \
+	--anchors=FILE:$srcdir/data/ca.crt \
+	sd.data sd.data.out > /dev/null 2>/dev/null && exit 1
+
+echo "create signed data (sd cert)"
+${hxtool} cms-create-sd \
+	--certificate=FILE:$srcdir/data/test-ds-only.crt,$srcdir/data/test-ds-only.key \
+	"$srcdir/test_chain.in" \
+	sd.data > /dev/null || exit 1
+
+echo "create signed data (ke cert)"
+${hxtool} cms-create-sd \
+	--certificate=FILE:$srcdir/data/test-ke-only.crt,$srcdir/data/test-ke-only.key \
+	"$srcdir/test_chain.in" \
+	sd.data > /dev/null 2>/dev/null && exit 1
+
+echo "create signed data (sd + ke certs)"
+${hxtool} cms-create-sd \
+	--certificate=FILE:$srcdir/data/test-ke-only.crt,$srcdir/data/test-ke-only.key \
+	--certificate=FILE:$srcdir/data/test-ds-only.crt,$srcdir/data/test-ds-only.key \
+	"$srcdir/test_chain.in" \
+	sd.data > /dev/null || exit 1
+
+echo "create signed data (ke + sd certs)"
+${hxtool} cms-create-sd \
+	--certificate=FILE:$srcdir/data/test-ds-only.crt,$srcdir/data/test-ds-only.key \
+	--certificate=FILE:$srcdir/data/test-ke-only.crt,$srcdir/data/test-ke-only.key \
+	"$srcdir/test_chain.in" \
+	sd.data > /dev/null || exit 1
+
+echo "create signed data (detached)"
+${hxtool} cms-create-sd \
+	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
+	--detached-signature \
+	"$srcdir/test_chain.in" \
+	sd.data > /dev/null || exit 1
+
+echo "verify signed data (detached)"
+${hxtool} cms-verify-sd \
+	--missing-revoke \
+	--signed-content="$srcdir/test_chain.in" \
+	--anchors=FILE:$srcdir/data/ca.crt \
+	sd.data sd.data.out > /dev/null || exit 1
+cmp "$srcdir/test_chain.in" sd.data.out || exit 1
+
+echo "verify failure signed data (detached)"
+${hxtool} cms-verify-sd \
+	--missing-revoke \
+	--anchors=FILE:$srcdir/data/ca.crt \
+	sd.data sd.data.out > /dev/null 2>/dev/null && exit 1
+
+echo "create signed data (rsa)"
+${hxtool} cms-create-sd \
+	--peer-alg=1.2.840.113549.1.1.1 \
+	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
+	"$srcdir/test_chain.in" \
+	sd.data > /dev/null || exit 1
+
+echo "verify signed data (rsa)"
+${hxtool} cms-verify-sd \
+	--missing-revoke \
+	--anchors=FILE:$srcdir/data/ca.crt \
+	sd.data sd.data.out > /dev/null 2>/dev/null || exit 1
+cmp "$srcdir/test_chain.in" sd.data.out || exit 1
+
+echo "envelope data (content-type)"
+${hxtool} cms-envelope \
+	--certificate=FILE:$srcdir/data/test.crt \
+	--content-type=1.1.1.1 \
+	"$srcdir/data/static-file" \
+	ev.data > /dev/null || exit 1
+
+echo "unenvelope data (content-type)"
+${hxtool} cms-unenvelope \
+	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
+	ev.data ev.data.out \
+	FILE:$srcdir/data/test.crt,$srcdir/data/test.key > /dev/null || exit 1
+cmp "$srcdir/data/static-file" ev.data.out || exit 1
+
+echo "envelope data (content-info)"
+${hxtool} cms-envelope \
+	--certificate=FILE:$srcdir/data/test.crt \
+	--content-info \
+	"$srcdir/data/static-file" \
+	ev.data > /dev/null || exit 1
+
+echo "unenvelope data (content-info)"
+${hxtool} cms-unenvelope \
+	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
+	--content-info \
+	ev.data ev.data.out \
+	FILE:$srcdir/data/test.crt,$srcdir/data/test.key > /dev/null || exit 1
+cmp "$srcdir/data/static-file" ev.data.out || exit 1
+
+for a in des-ede3 aes-128 aes-256; do
+
+	rm -f ev.data ev.data.out
+	echo "envelope data ($a)"
+	${hxtool} cms-envelope \
+	        --encryption-type="$a-cbc" \
+		--certificate=FILE:$srcdir/data/test.crt \
+		"$srcdir/data/static-file" \
+		ev.data  || exit 1
+
+	echo "unenvelope data ($a)"
+	${hxtool} cms-unenvelope \
+		--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
+		ev.data ev.data.out > /dev/null || exit 1
+	cmp "$srcdir/data/static-file" ev.data.out || exit 1
+done
+
+for a in rc2-40 rc2-64 rc2-128 des-ede3 aes-128 aes-256; do
+    echo "static unenvelope data ($a)"
+
+    rm -f ev.data.out
+    ${hxtool} cms-unenvelope \
+	--certificate=FILE:$srcdir/data/test.crt,$srcdir/data/test.key \
+	--content-info \
+	"$srcdir/data/test-enveloped-$a" ev.data.out > /dev/null || exit 1
+    cmp "$srcdir/data/static-file" ev.data.out || exit 1
+done
+
+exit 0
diff --git a/crypto/heimdal/lib/hx509/test_crypto.in b/crypto/heimdal/lib/hx509/test_crypto.in
new file mode 100644
index 0000000..31b5233
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/test_crypto.in
@@ -0,0 +1,187 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: test_crypto.in 20898 2007-06-04 23:07:46Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+stat="--statistic-file=${objdir}/statfile"
+
+hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}"
+
+if ${hxtool} info | grep 'rsa: hcrypto null RSA' > /dev/null ; then
+    exit 77
+fi
+if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
+    exit 77
+fi
+
+
+echo "Bleichenbacher good cert (from eay)"
+${hxtool} verify --missing-revoke \
+    --time=2006-09-25 \
+    cert:FILE:$srcdir/data/bleichenbacher-good.pem \
+    anchor:FILE:$srcdir/data/bleichenbacher-good.pem > /dev/null || exit 1
+
+echo "Bleichenbacher bad cert (from eay)"
+${hxtool} verify --missing-revoke \
+    --time=2006-09-25 \
+    cert:FILE:$srcdir/data/bleichenbacher-bad.pem \
+    anchor:FILE:$srcdir/data/bleichenbacher-bad.pem > /dev/null && exit 1
+
+echo "Bleichenbacher good cert (from yutaka)"
+${hxtool} verify --missing-revoke \
+    --time=2006-09-25 \
+    cert:FILE:$srcdir/data/yutaka-pad-ok-cert.pem \
+    anchor:FILE:$srcdir/data/yutaka-pad-ok-ca.pem > /dev/null || exit 1
+
+echo "Bleichenbacher bad cert (from yutaka)"
+${hxtool} verify --missing-revoke \
+    --time=2006-09-25 \
+    cert:FILE:$srcdir/data/yutaka-pad-broken-cert.pem \
+    anchor:FILE:$srcdir/data/yutaka-pad-broken-ca.pem > /dev/null && exit 1
+
+# Ralf-Philipp Weinmann <weinmann@cdc.informatik.tu-darmstadt.de>
+# Andrew Pyshkin <pychkine@cdc.informatik.tu-darmstadt.de>
+echo "Bleichenbacher bad cert (sf pad correct)"
+${hxtool} verify --missing-revoke \
+    --time=2006-09-25 \
+    cert:FILE:$srcdir/data/bleichenbacher-sf-pad-correct.pem \
+    anchor:FILE:$srcdir/data/sf-class2-root.pem > /dev/null && exit 1
+
+echo Read 50 kilobyte random data
+${hxtool} random-data 50kilobyte > random-data || exit 1
+
+echo "crypto select1"
+${hxtool} crypto-select > test || { echo "select1"; exit 1; }
+cmp test ${srcdir}/tst-crypto-select1 > /dev/null || \
+	{ echo "select1 failure"; exit 1; }
+
+echo "crypto select1"
+${hxtool} crypto-select --type=digest > test || { echo "select1"; exit 1; }
+cmp test ${srcdir}/tst-crypto-select1 > /dev/null || \
+	{ echo "select1 failure"; exit 1; }
+
+echo "crypto select2"
+${hxtool} crypto-select --type=public-sig > test || { echo "select2"; exit 1; }
+cmp test ${srcdir}/tst-crypto-select2 > /dev/null || \
+	{ echo "select2 failure"; exit 1; }
+
+echo "crypto select3"
+${hxtool} crypto-select \
+	--type=public-sig \
+	--peer-cmstype=1.2.840.113549.1.1.4 \
+	 > test || { echo "select3"; exit 1; }
+cmp test ${srcdir}/tst-crypto-select3 > /dev/null || \
+	{ echo "select3 failure"; exit 1; }
+
+echo "crypto select4"
+${hxtool} crypto-select \
+	--type=public-sig \
+	--peer-cmstype=1.2.840.113549.1.1.5 \
+	--peer-cmstype=1.2.840.113549.1.1.4 \
+	 > test || { echo "select4"; exit 1; }
+cmp test ${srcdir}/tst-crypto-select4 > /dev/null || \
+	{ echo "select4 failure"; exit 1; }
+
+echo "crypto select5"
+${hxtool} crypto-select \
+	--type=public-sig \
+	--peer-cmstype=1.2.840.113549.1.1.11 \
+	--peer-cmstype=1.2.840.113549.1.1.5 \
+	 > test || { echo "select5"; exit 1; }
+cmp test ${srcdir}/tst-crypto-select5 > /dev/null || \
+	{ echo "select5 failure"; exit 1; }
+
+echo "crypto select6"
+${hxtool} crypto-select \
+	--type=public-sig \
+	--peer-cmstype=1.2.840.113549.2.5 \
+	--peer-cmstype=1.2.840.113549.1.1.5 \
+	 > test || { echo "select6"; exit 1; }
+cmp test ${srcdir}/tst-crypto-select6 > /dev/null || \
+	{ echo "select6 failure"; exit 1; }
+
+echo "crypto select7"
+${hxtool} crypto-select \
+	--type=secret \
+	--peer-cmstype=2.16.840.1.101.3.4.1.42 \
+	--peer-cmstype=1.2.840.113549.3.7 \
+	--peer-cmstype=1.2.840.113549.1.1.5 \
+	 > test || { echo "select7"; exit 1; }
+cmp test ${srcdir}/tst-crypto-select7 > /dev/null || \
+	{ echo "select7 failure"; exit 1; }
+
+echo "crypto available1"
+${hxtool} crypto-available \
+	--type=all \
+	> test || { echo "available1"; exit 1; }
+cmp test ${srcdir}/tst-crypto-available1 > /dev/null || \
+	{ echo "available1 failure"; exit 1; }
+
+echo "crypto available2"
+${hxtool} crypto-available \
+	--type=digest \
+	> test || { echo "available2"; exit 1; }
+cmp test ${srcdir}/tst-crypto-available2 > /dev/null || \
+	{ echo "available2 failure"; exit 1; }
+
+echo "crypto available3"
+${hxtool} crypto-available \
+	--type=public-sig \
+	> test || { echo "available3"; exit 1; }
+cmp test ${srcdir}/tst-crypto-available3 > /dev/null || \
+	{ echo "available3 failure"; exit 1; }
+
+echo "copy keystore FILE existing -> FILE"
+${hxtool} certificate-copy \
+    FILE:${srcdir}/data/test.crt,${srcdir}/data/test.key \
+    FILE:out.pem || exit 1
+
+echo "copy keystore FILE -> FILE"
+${hxtool} certificate-copy \
+    FILE:out.pem \
+    FILE:out2.pem || exit 1
+
+echo "copy keystore FILE -> PKCS12"
+${hxtool} certificate-copy \
+    FILE:out.pem \
+    PKCS12:out2.pem || exit 1
+
+echo "print certificate with utf8"
+${hxtool} print \
+	FILE:$srcdir/data/j.pem >/dev/null 2>/dev/null || exit 1
+
+exit 0
diff --git a/crypto/heimdal/lib/hx509/test_java_pkcs11.in b/crypto/heimdal/lib/hx509/test_java_pkcs11.in
new file mode 100644
index 0000000..35f61e6
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/test_java_pkcs11.in
@@ -0,0 +1,73 @@
+#!/bin/sh
+#
+# Copyright (c) 2008 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+
+exit 0
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+dir=$objdir
+file=
+
+for a in libhx509.so .libs/libhx509.so libhx509.dylib .libs/libhx509.dylib ; do
+    if [ -f $dir/$a ] ; then
+	file=$dir/$a
+	break
+    fi
+done
+
+if [ "X$file" = X ] ; then
+    exit 0
+fi
+
+cat > pkcs11.cfg <<EOF
+name = Heimdal
+library = $file
+EOF
+
+cat > test-rc-file.rc <<EOF
+certificate	cert	User certificate	FILE:$srcdir/data/test.crt,$srcdir/data/test.key
+debug	stdout
+EOF
+
+
+env SOFTPKCS11RC="test-rc-file.rc" \
+    keytool \
+    -keystore NONE \
+    -storetype PKCS11 \
+    -providerClass sun.security.pkcs11.SunPKCS11 \
+    -providerArg pkcs11.cfg \
+    -list || exit 1
+
+exit 0
diff --git a/crypto/heimdal/lib/hx509/test_name.c b/crypto/heimdal/lib/hx509/test_name.c
new file mode 100644
index 0000000..2c6dd51
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/test_name.c
@@ -0,0 +1,132 @@
+/*
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hx_locl.h"
+RCSID("$Id: test_name.c 19882 2007-01-13 01:02:57Z lha $");
+
+static int
+test_name(hx509_context context, const char *name)
+{
+    hx509_name n;
+    char *s;
+    int ret;
+
+    ret = hx509_parse_name(context, name, &n);
+    if (ret)
+	return 1;
+
+    ret = hx509_name_to_string(n, &s);
+    if (ret)
+	return 1;
+
+    if (strcmp(s, name) != 0)
+	return 1;
+
+    hx509_name_free(&n);
+    free(s);
+
+    return 0;
+}
+
+static int
+test_name_fail(hx509_context context, const char *name)
+{
+    hx509_name n;
+
+    if (hx509_parse_name(context, name, &n) == HX509_NAME_MALFORMED)
+	return 0;
+    hx509_name_free(&n);
+    return 1;
+}
+
+static int
+test_expand(hx509_context context, const char *name, const char *expected)
+{
+    hx509_env env;
+    hx509_name n;
+    char *s;
+    int ret;
+
+    hx509_env_init(context, &env);
+    hx509_env_add(context, env, "uid", "lha");
+
+    ret = hx509_parse_name(context, name, &n);
+    if (ret)
+	return 1;
+
+    ret = hx509_name_expand(context, n, env);
+    hx509_env_free(&env);
+    if (ret)
+	return 1;
+
+    ret = hx509_name_to_string(n, &s);
+    hx509_name_free(&n);
+    if (ret)
+	return 1;
+    
+    ret = strcmp(s, expected) != 0;
+    free(s);
+    if (ret)
+	return 1;
+
+    return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+    hx509_context context;
+    int ret = 0;
+
+    ret = hx509_context_init(&context);
+    if (ret)
+	errx(1, "hx509_context_init failed with %d", ret);
+
+    ret += test_name(context, "CN=foo,C=SE");
+    ret += test_name(context, "CN=foo,CN=kaka,CN=FOO,DC=ad1,C=SE");
+    ret += test_name(context, "1.2.3.4=foo,C=SE");
+    ret += test_name_fail(context, "=");
+    ret += test_name_fail(context, "CN=foo,=foo");
+    ret += test_name_fail(context, "CN=foo,really-unknown-type=foo");
+
+    ret += test_expand(context, "UID=${uid},C=SE", "UID=lha,C=SE");
+    ret += test_expand(context, "UID=foo${uid},C=SE", "UID=foolha,C=SE");
+    ret += test_expand(context, "UID=${uid}bar,C=SE", "UID=lhabar,C=SE");
+    ret += test_expand(context, "UID=f${uid}b,C=SE", "UID=flhab,C=SE");
+    ret += test_expand(context, "UID=${uid}${uid},C=SE", "UID=lhalha,C=SE");
+    ret += test_expand(context, "UID=${uid}{uid},C=SE", "UID=lha{uid},C=SE");
+
+    hx509_context_free(&context);
+
+    return ret;
+}
diff --git a/crypto/heimdal/lib/hx509/test_nist.in b/crypto/heimdal/lib/hx509/test_nist.in
new file mode 100644
index 0000000..8306283
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/test_nist.in
@@ -0,0 +1,116 @@
+#!/bin/sh
+#
+# Copyright (c) 2004 - 2005 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: test_nist.in 22240 2007-12-08 22:55:03Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+nistdir=${objdir}/PKITS_data
+nistzip=${srcdir}/data/PKITS_data.zip
+
+stat="--statistic-file=${objdir}/statfile"
+
+hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}"
+
+# nistzip is not distributed part of the distribution
+test -f "$nistzip" || exit 77
+
+if ${hxtool} info | grep 'rsa: hcrypto null RSA' > /dev/null ; then
+    exit 77
+fi
+if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
+    exit 77
+fi
+
+echo "nist tests"
+
+if [ ! -d "$nistdir" ] ; then
+    ( mkdir "$nistdir" && unzip -d "${nistdir}" "${nistzip}" ) >/dev/null || \
+	{ rm -rf "$nistdir" ; exit 1; }
+fi
+
+while read id verify cert arg1 arg2 arg3 arg4 arg5 ; do
+    expr "$id" : "#" > /dev/null && continue
+    
+    test "$id" = "end" && break
+
+    args=""
+    case "$arg1" in
+    *.crt) args="$args chain:FILE:$nistdir/certs/$arg1" ;;
+    *.crl) args="$args crl:FILE:$nistdir/crls/$arg1" ;;
+    *) args="$args $arg1" ;;
+    esac
+    case "$arg2" in
+    *.crt) args="$args chain:FILE:$nistdir/certs/$arg2" ;;
+    *.crl) args="$args crl:FILE:$nistdir/crls/$arg2" ;;
+    *) args="$args $arg2" ;;
+    esac
+    case "$arg3" in
+    *.crt) args="$args chain:FILE:$nistdir/certs/$arg3" ;;
+    *.crl) args="$args crl:FILE:$nistdir/crls/$arg3" ;;
+    *) args="$args $arg3" ;;
+    esac
+    case "$arg4" in
+    *.crt) args="$args chain:FILE:$nistdir/certs/$arg4" ;;
+    *.crl) args="$args crl:FILE:$nistdir/crls/$arg4" ;;
+    *) args="$args $arg4" ;;
+    esac
+    case "$arg5" in
+    *.crt) args="$args chain:FILE:$nistdir/certs/$arg5" ;;
+    *.crl) args="$args crl:FILE:$nistdir/crls/$arg5" ;;
+    *) args="$args $arg5" ;;
+    esac
+
+    args="$args anchor:FILE:$nistdir/certs/TrustAnchorRootCertificate.crt"
+    args="$args crl:FILE:$nistdir/crls/TrustAnchorRootCRL.crl"
+    args="$args cert:FILE:$nistdir/certs/$cert"
+
+    if ${hxtool} verify $args > /dev/null; then
+	if test "$verify" = "f"; then
+	    echo "verify passed on fail: $id $cert"
+	    exit 1
+	fi
+    else
+	if test "$verify" = "p"; then
+	    echo "verify failed on pass: $id $cert"
+	    exit 1
+	fi
+    fi
+
+done < $srcdir/data/nist-data
+
+
+echo "done!"
+
+exit 0
diff --git a/crypto/heimdal/lib/hx509/test_nist2.in b/crypto/heimdal/lib/hx509/test_nist2.in
new file mode 100644
index 0000000..6616129
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/test_nist2.in
@@ -0,0 +1,118 @@
+#!/bin/sh
+#
+# Copyright (c) 2004 - 2005 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: test_nist.in 21787 2007-08-02 08:50:24Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+nistdir=${objdir}/PKITS_data
+nistzip=${srcdir}/data/PKITS_data.zip
+
+limit="${1:-nolimit}"
+
+stat="--statistic-file=${objdir}/statfile"
+
+hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}"
+
+# nistzip is not distributed part of the distribution
+test -f "$nistzip" || exit 77
+
+if ${hxtool} info | grep 'rsa: hcrypto null RSA' > /dev/null ; then
+    exit 77
+fi
+if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
+    exit 77
+fi
+
+echo "nist tests, version 2"
+
+if [ ! -d "$nistdir" ] ; then
+    ( mkdir "$nistdir" && unzip -d "${nistdir}" "${nistzip}" ) >/dev/null || \
+	{ rm -rf "$nistdir" ; exit 1; }
+fi
+
+ec=
+name=
+description=
+while read result cert other ; do
+    if expr "$result" : "#" > /dev/null; then
+	name=${cert}
+	description="${other}"
+	continue
+    fi
+    
+    test nolimit != "${limit}" && ! expr "$name" : "$limit" > /dev/null && continue
+
+    test "$result" = "end" && break
+
+    args=
+    args="$args cert:FILE:$nistdir/certs/$cert"
+    args="$args chain:DIR:$nistdir/certs"
+    args="$args anchor:FILE:$nistdir/certs/TrustAnchorRootCertificate.crt"
+#    args="$args crl:FILE:$nistdir/crls/TrustAnchorRootCRL.crl"
+
+    for a in $nistdir/crls/*.crl; do
+	args="$args crl:FILE:$a"
+    done
+
+    cmd="${hxtool} verify $args"
+    eval ${cmd} > /dev/null
+    res=$?
+
+    case "${result},${res}" in
+    0,0) r="PASSs";;
+    0,*) r="FAILs";;
+    [123],0) r="FAILf";;
+    [123],*) r="PASSf";;
+    *) echo="unknown result ${result},${res}" ; exit 1 ;;
+    esac
+    if grep "${name} FAIL" $srcdir/data/nist-result2 > /dev/null; then
+	if expr "$r" : "PASS" >/dev/null; then
+	    echo "${name} passed when expected not to"
+	    echo "# ${description}" > nist2-passed-${name}.tmp
+	    ec=1
+	fi
+    elif expr "$r" : "FAIL.*" >/dev/null ; then
+	echo "$r ${name} ${description}"
+	echo "# ${description}" > nist2-failed-${name}.tmp
+	echo "$cmd" >> nist2-failed-${name}.tmp
+	ec=1
+    fi
+
+done < $srcdir/data/nist-data2
+
+
+echo "done!"
+
+exit $ec
diff --git a/crypto/heimdal/lib/hx509/test_nist_cert.in b/crypto/heimdal/lib/hx509/test_nist_cert.in
new file mode 100644
index 0000000..2d2bbe1
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/test_nist_cert.in
@@ -0,0 +1,68 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: test_nist_cert.in 21823 2007-08-03 15:13:37Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+nistdir=${objdir}/PKITS_data
+nistzip=${srcdir}/data/PKITS_data.zip
+
+# nistzip is not distributed part of the distribution
+test -f "$nistzip" || exit 77
+
+stat="--statistic-file=${objdir}/statfile"
+
+hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}"
+
+if ${hxtool} info | grep 'rsa: hcrypto null RSA' > /dev/null ; then
+    exit 77
+fi
+if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
+    exit 77
+fi
+
+if [ ! -d "$nistdir" ] ; then
+    ( mkdir "$nistdir" &&  cd "$nistdir" && unzip "$nistzip" ) >/dev/null || \
+	{ rm -rf "$nistdir" ; exit 1; }
+fi
+
+if ${hxtool} validate DIR:$nistdir/certs > /dev/null; then
+   :
+else
+   echo "validate failed"
+   exit 1
+fi
+
+exit 0
diff --git a/crypto/heimdal/lib/hx509/test_nist_pkcs12.in b/crypto/heimdal/lib/hx509/test_nist_pkcs12.in
new file mode 100644
index 0000000..fe595f2
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/test_nist_pkcs12.in
@@ -0,0 +1,77 @@
+#!/bin/sh
+#
+# Copyright (c) 2004 - 2005 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: test_nist_pkcs12.in 22256 2007-12-09 06:04:02Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+pass="--pass=PASS:password"
+nistdir=${objdir}/PKITS_data
+nistzip=${srcdir}/data/PKITS_data.zip
+
+# nistzip is not distributed part of the distribution
+test -f "$nistzip" || exit 77
+
+stat="--statistic-file=${objdir}/statfile"
+
+hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}"
+
+if ${hxtool} info | grep 'rsa: hcrypto null RSA' > /dev/null ; then
+    exit 77
+fi
+if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
+    exit 77
+fi
+
+if [ ! -d "$nistdir" ] ; then
+    ( mkdir "$nistdir" &&  cd "$nistdir" && unzip "$nistzip" ) >/dev/null || \
+	{ rm -rf "$nistdir" ; exit 1; }
+fi
+
+echo "nist pkcs12 tests"
+
+for a in $nistdir/pkcs12/*.p12 ; do
+
+    if ${hxtool} validate $pass PKCS12:$a > /dev/null; then
+	:
+    else
+	echo "$a failed"
+	exit 1
+    fi
+
+done
+
+echo "done!"
+
+exit 0
\ No newline at end of file
diff --git a/crypto/heimdal/lib/hx509/test_pkcs11.in b/crypto/heimdal/lib/hx509/test_pkcs11.in
new file mode 100644
index 0000000..0a315bf
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/test_pkcs11.in
@@ -0,0 +1,62 @@
+#!/bin/sh
+#
+# Copyright (c) 2008 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+SOFTPKCS11RC="test-rc-file.rc" \
+export SOFTPKCS11RC
+
+echo "password less"
+
+cat > test-rc-file.rc <<EOF
+certificate	cert	User certificate	FILE:$srcdir/data/test.crt,$srcdir/data/test.key
+debug	p11dbg.log
+app-fatal	true
+EOF
+
+./test_soft_pkcs11 || exit 1
+
+echo "password"
+
+cat > test-rc-file.rc <<EOF
+certificate	cert	User certificate	FILE:$srcdir/data/test.crt,$srcdir/data/test-pw.key
+debug	p11dbg.log
+app-fatal	true
+EOF
+
+./test_soft_pkcs11 || exit 1
+
+echo "done"
+exit 0
diff --git a/crypto/heimdal/lib/hx509/test_query.in b/crypto/heimdal/lib/hx509/test_query.in
new file mode 100644
index 0000000..01e0c31
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/test_query.in
@@ -0,0 +1,146 @@
+#!/bin/sh
+#
+# Copyright (c) 2005 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: test_query.in 20782 2007-06-02 00:46:00Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+stat="--statistic-file=${objdir}/statfile"
+
+hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}"
+
+echo "try printing"
+${hxtool} print \
+	--pass=PASS:foobar \
+	PKCS12:$srcdir/data/test.p12 >/dev/null 2>/dev/null || exit 1
+
+${hxtool} print \
+	--pass=PASS:foobar \
+	--info \
+	PKCS12:$srcdir/data/test.p12 >/dev/null 2>/dev/null || exit 1
+
+echo "make sure entry is found (friendlyname)"
+${hxtool} query \
+	--pass=PASS:foobar \
+	--friendlyname=friendlyname-test  \
+	PKCS12:$srcdir/data/test.p12 >/dev/null 2>/dev/null || exit 1
+
+echo "make sure entry is not found  (friendlyname)"
+${hxtool} query \
+	--pass=PASS:foobar \
+	--friendlyname=friendlyname-test-not  \
+	PKCS12:$srcdir/data/test.p12 >/dev/null 2>/dev/null && exit 1
+
+echo "make sure entry is found (friendlyname, no-pw)"
+${hxtool} query \
+	--friendlyname=friendlyname-cert  \
+	PKCS12:$srcdir/data/test-nopw.p12 >/dev/null 2>/dev/null || exit 1
+
+echo "check for ca cert (friendlyname)"
+${hxtool} query \
+	--pass=PASS:foobar \
+	--friendlyname=ca  \
+	PKCS12:$srcdir/data/test.p12 >/dev/null 2>/dev/null || exit 1
+
+echo "make sure entry is not found (friendlyname)"
+${hxtool} query \
+	--pass=PASS:foobar \
+	--friendlyname=friendlyname-test \
+	PKCS12:$srcdir/data/sub-cert.p12 >/dev/null 2>/dev/null && exit 1
+
+echo "make sure entry is found (friendlyname|private key)"
+${hxtool} query \
+	--pass=PASS:foobar \
+	--friendlyname=friendlyname-test  \
+	--private-key \
+	PKCS12:$srcdir/data/test.p12 > /dev/null || exit 1
+
+echo "make sure entry is not found (friendlyname|private key)"
+${hxtool} query \
+	--pass=PASS:foobar \
+	--friendlyname=ca  \
+	--private-key \
+	PKCS12:$srcdir/data/test.p12 >/dev/null 2>/dev/null && exit 1
+
+echo "make sure entry is found (cert ds)"
+${hxtool} query \
+	--digitalSignature \
+	FILE:$srcdir/data/test.crt >/dev/null 2>/dev/null || exit 1
+
+echo "make sure entry is found (cert ke)"
+${hxtool} query \
+	--keyEncipherment \
+	FILE:$srcdir/data/test.crt >/dev/null 2>/dev/null || exit 1
+
+echo "make sure entry is found (cert ke + ds)"
+${hxtool} query \
+	--digitalSignature \
+	--keyEncipherment \
+	FILE:$srcdir/data/test.crt >/dev/null 2>/dev/null || exit 1
+
+echo "make sure entry is found (cert-ds ds)"
+${hxtool} query \
+	--digitalSignature \
+	FILE:$srcdir/data/test-ds-only.crt >/dev/null 2>/dev/null || exit 1
+
+echo "make sure entry is not found (cert-ds ke)"
+${hxtool} query \
+	--keyEncipherment \
+	FILE:$srcdir/data/test-ds-only.crt >/dev/null 2>/dev/null && exit 1
+
+echo "make sure entry is not found (cert-ds ke + ds)"
+${hxtool} query \
+	--digitalSignature \
+	--keyEncipherment \
+	FILE:$srcdir/data/test-ds-only.crt >/dev/null 2>/dev/null && exit 1
+
+echo "make sure entry is not found (cert-ke ds)"
+${hxtool} query \
+	--digitalSignature \
+	FILE:$srcdir/data/test-ke-only.crt >/dev/null 2>/dev/null && exit 1
+
+echo "make sure entry is found (cert-ke ke)"
+${hxtool} query \
+	--keyEncipherment \
+	FILE:$srcdir/data/test-ke-only.crt >/dev/null 2>/dev/null || exit 1
+
+echo "make sure entry is not found (cert-ke ke + ds)"
+${hxtool} query \
+	--digitalSignature \
+	--keyEncipherment \
+	FILE:$srcdir/data/test-ke-only.crt >/dev/null 2>/dev/null && exit 1
+
+exit 0
+
diff --git a/crypto/heimdal/lib/hx509/test_req.in b/crypto/heimdal/lib/hx509/test_req.in
new file mode 100644
index 0000000..2109ceb
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/test_req.in
@@ -0,0 +1,63 @@
+#!/bin/sh
+#
+# Copyright (c) 2005 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: test_req.in 21341 2007-06-26 14:20:56Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+stat="--statistic-file=${objdir}/statfile"
+
+hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}"
+
+if ${hxtool} info | grep 'rsa: hcrypto null RSA' > /dev/null ; then
+    exit 77
+fi
+if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
+    exit 77
+fi
+
+${hxtool} request-create \
+	 --subject="CN=Love,DC=it,DC=su,DC=se" \
+	 --key=FILE:$srcdir/data/key.der \
+	 request.out || exit 1
+
+${hxtool} request-print \
+	 PKCS10:request.out > /dev/null || exit 1
+
+${hxtool} request-create \
+	 --subject="CN=Love,DC=it,DC=su,DC=se" \
+	 --dnsname=nutcracker.it.su.se \
+	 --key=FILE:$srcdir/data/key.der \
+	 request.out || exit 1
diff --git a/crypto/heimdal/lib/hx509/test_soft_pkcs11.c b/crypto/heimdal/lib/hx509/test_soft_pkcs11.c
new file mode 100644
index 0000000..e76f772
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/test_soft_pkcs11.c
@@ -0,0 +1,228 @@
+/*
+ * Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hx_locl.h"
+#include "pkcs11.h"
+#include <err.h>
+
+static CK_FUNCTION_LIST_PTR func;
+
+
+static CK_RV
+find_object(CK_SESSION_HANDLE session, 
+	    char *id,
+	    CK_OBJECT_CLASS key_class, 
+	    CK_OBJECT_HANDLE_PTR object)
+{
+    CK_ULONG object_count;
+    CK_RV ret;
+    CK_ATTRIBUTE search_data[] = {
+	{CKA_ID, id, 0 },
+	{CKA_CLASS, &key_class, sizeof(key_class)}
+    };
+    CK_ULONG num_search_data = sizeof(search_data)/sizeof(search_data[0]);
+
+    search_data[0].ulValueLen = strlen(id);
+
+    ret = (*func->C_FindObjectsInit)(session, search_data, num_search_data);
+    if (ret != CKR_OK)
+	return ret;
+
+    ret = (*func->C_FindObjects)(session, object, 1, &object_count);
+    if (ret != CKR_OK)
+	return ret;
+    if (object_count == 0) {
+	printf("found no object\n");
+	return 1;
+    }
+
+    ret = (*func->C_FindObjectsFinal)(session);
+    if (ret != CKR_OK)
+	return ret;
+
+    return CKR_OK;
+}
+
+static char *sighash = "hej";
+static char signature[1024];
+
+
+int
+main(int argc, char **argv)
+{
+    CK_SLOT_ID_PTR slot_ids;
+    CK_SLOT_ID slot;
+    CK_ULONG num_slots;
+    CK_RV ret;
+    CK_SLOT_INFO slot_info;
+    CK_TOKEN_INFO token_info;
+    CK_SESSION_HANDLE session;
+    CK_OBJECT_HANDLE public, private;
+
+    ret = C_GetFunctionList(&func);
+    if (ret != CKR_OK)
+	errx(1, "C_GetFunctionList failed: %d", (int)ret);
+
+    (*func->C_Initialize)(NULL_PTR);
+
+    ret = (*func->C_GetSlotList)(FALSE, NULL, &num_slots);
+    if (ret != CKR_OK)
+	errx(1, "C_GetSlotList1 failed: %d", (int)ret);
+
+    if (num_slots == 0)
+	errx(1, "no slots");
+
+    if ((slot_ids = calloc(1, num_slots * sizeof(*slot_ids))) == NULL)
+	err(1, "alloc slots failed");
+
+    ret = (*func->C_GetSlotList)(FALSE, slot_ids, &num_slots);
+    if (ret != CKR_OK)
+	errx(1, "C_GetSlotList2 failed: %d", (int)ret);
+
+    slot = slot_ids[0];
+    free(slot_ids);
+
+    ret = (*func->C_GetSlotInfo)(slot, &slot_info);
+    if (ret)
+	errx(1, "C_GetSlotInfo failed: %d", (int)ret);
+
+    if ((slot_info.flags & CKF_TOKEN_PRESENT) == 0)
+	errx(1, "no token present");
+
+    ret = (*func->C_OpenSession)(slot, CKF_SERIAL_SESSION, 
+				 NULL, NULL, &session);
+    if (ret != CKR_OK)
+	errx(1, "C_OpenSession failed: %d", (int)ret);
+    
+    ret = (*func->C_GetTokenInfo)(slot, &token_info);
+    if (ret)
+	errx(1, "C_GetTokenInfo1 failed: %d", (int)ret);
+
+    if (token_info.flags & CKF_LOGIN_REQUIRED) {
+	ret = (*func->C_Login)(session, CKU_USER,
+			       (unsigned char*)"foobar", 6);
+	if (ret != CKR_OK)
+	    errx(1, "C_Login failed: %d", (int)ret);
+    }
+
+    ret = (*func->C_GetTokenInfo)(slot, &token_info);
+    if (ret)
+	errx(1, "C_GetTokenInfo2 failed: %d", (int)ret);
+
+    if (token_info.flags & CKF_LOGIN_REQUIRED)
+	errx(1, "login required, even after C_Login");
+
+    ret = find_object(session, "cert", CKO_PUBLIC_KEY, &public);
+    if (ret != CKR_OK)
+	errx(1, "find cert failed: %d", (int)ret);
+    ret = find_object(session, "cert", CKO_PRIVATE_KEY, &private);
+    if (ret != CKR_OK)
+	errx(1, "find private key failed: %d", (int)ret);
+
+    {
+	CK_ULONG ck_sigsize;
+	CK_MECHANISM mechanism;
+
+	memset(&mechanism, 0, sizeof(mechanism));
+	mechanism.mechanism = CKM_RSA_PKCS;
+
+	ret = (*func->C_SignInit)(session, &mechanism, private);
+	if (ret != CKR_OK)
+	    return 1;
+	
+	ck_sigsize = sizeof(signature);
+	ret = (*func->C_Sign)(session, (CK_BYTE *)sighash, strlen(sighash),
+			      (CK_BYTE *)signature, &ck_sigsize);
+	if (ret != CKR_OK) {
+	    printf("C_Sign failed with: %d\n", (int)ret);
+	    return 1;
+	}
+
+	ret = (*func->C_VerifyInit)(session, &mechanism, public);
+	if (ret != CKR_OK)
+	    return 1;
+
+	ret = (*func->C_Verify)(session, (CK_BYTE *)signature, ck_sigsize, 
+				(CK_BYTE *)sighash, strlen(sighash));
+	if (ret != CKR_OK) {
+	    printf("message: %d\n", (int)ret);
+	    return 1;
+	}
+    }
+
+#if 0
+    {
+	CK_ULONG ck_sigsize, outsize;
+	CK_MECHANISM mechanism;
+	char outdata[1024];
+
+	memset(&mechanism, 0, sizeof(mechanism));
+	mechanism.mechanism = CKM_RSA_PKCS;
+
+	ret = (*func->C_EncryptInit)(session, &mechanism, public);
+	if (ret != CKR_OK)
+	    return 1;
+	
+	ck_sigsize = sizeof(signature);
+	ret = (*func->C_Encrypt)(session, (CK_BYTE *)sighash, strlen(sighash),
+				 (CK_BYTE *)signature, &ck_sigsize);
+	if (ret != CKR_OK) {
+	    printf("message: %d\n", (int)ret);
+	    return 1;
+	}
+
+	ret = (*func->C_DecryptInit)(session, &mechanism, private);
+	if (ret != CKR_OK)
+	    return 1;
+
+	outsize = sizeof(outdata);
+	ret = (*func->C_Decrypt)(session, (CK_BYTE *)signature, ck_sigsize, 
+				 (CK_BYTE *)outdata, &outsize);
+	if (ret != CKR_OK) {
+	    printf("message: %d\n", (int)ret);
+	    return 1;
+	}
+
+	if (memcmp(sighash, outdata, strlen(sighash)) != 0)
+	    return 1;
+    }
+#endif
+
+    ret = (*func->C_CloseSession)(session);
+    if (ret != CKR_OK)
+	return 1;
+
+    (*func->C_Finalize)(NULL_PTR);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/hx509/test_windows.in b/crypto/heimdal/lib/hx509/test_windows.in
new file mode 100644
index 0000000..8614544
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/test_windows.in
@@ -0,0 +1,89 @@
+#!/bin/sh
+#
+# Copyright (c) 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: test_windows.in 21004 2007-06-08 01:53:10Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+stat="--statistic-file=${objdir}/statfile"
+
+hxtool="${TESTS_ENVIRONMENT} ./hxtool ${stat}"
+
+if ${hxtool} info | grep 'rsa: hcrypto null RSA' > /dev/null ; then
+    exit 77
+fi
+if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
+    exit 77
+fi
+
+echo "Create trust anchor"
+${hxtool} issue-certificate \
+    --self-signed \
+    --issue-ca \
+    --generate-key=rsa \
+    --subject="CN=Windows-CA,DC=heimdal,DC=pki" \
+    --lifetime=10years \
+    --certificate="FILE:wca.pem" || exit 1
+
+echo "Create domain controller cert"
+${hxtool} issue-certificate \
+    --type="pkinit-kdc" \
+    --pk-init-principal="krbtgt/HEIMDAL.PKI@HEIMDAL.PKI" \
+    --hostname=kdc.heimdal.pki \
+    --generate-key=rsa \
+    --subject="CN=kdc.heimdal.pki,dc=heimdal,dc=pki" \
+    --certificate="FILE:wdc.pem" \
+    --domain-controller \
+    --crl-uri="http://www.test.h5l.se/test-hemdal-pki-crl1.crl" \
+    --ca-certificate=FILE:wca.pem || exit 1
+
+
+echo "Create user cert"
+${hxtool} issue-certificate \
+    --type="pkinit-client" \
+    --pk-init-principal="user@HEIMDAL.PKI" \
+    --generate-key=rsa \
+    --subject="CN=User,DC=heimdal,DC=pki" \
+    --ms-upn="user@heimdal.pki" \
+    --crl-uri="http://www.test.h5l.se/test-hemdal-pki-crl1.crl" \
+    --certificate="FILE:wuser.pem" \
+    --ca-certificate=FILE:wca.pem || exit 1
+
+echo "Create crl"
+${hxtool} crl-sign \
+	--crl-file=wcrl.crl \
+	--signer=FILE:wca.pem || exit 1
+
+exit 0
diff --git a/crypto/heimdal/lib/hx509/tst-crypto-available1 b/crypto/heimdal/lib/hx509/tst-crypto-available1
new file mode 100644
index 0000000..71fa741
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/tst-crypto-available1
@@ -0,0 +1,13 @@
+1.2.840.113549.1.1.11
+1.2.840.113549.1.1.5
+1.2.840.113549.1.1.5
+1.2.840.113549.1.1.4
+1.2.840.113549.1.1.2
+1.2.752.43.16.1
+2.16.840.1.101.3.4.2.1
+1.3.14.3.2.26
+1.2.840.113549.2.5
+1.2.840.113549.2.2
+1.2.840.113549.3.7
+2.16.840.1.101.3.4.1.2
+2.16.840.1.101.3.4.1.42
diff --git a/crypto/heimdal/lib/hx509/tst-crypto-available2 b/crypto/heimdal/lib/hx509/tst-crypto-available2
new file mode 100644
index 0000000..b3f76e3
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/tst-crypto-available2
@@ -0,0 +1,4 @@
+2.16.840.1.101.3.4.2.1
+1.3.14.3.2.26
+1.2.840.113549.2.5
+1.2.840.113549.2.2
diff --git a/crypto/heimdal/lib/hx509/tst-crypto-available3 b/crypto/heimdal/lib/hx509/tst-crypto-available3
new file mode 100644
index 0000000..0b1a855
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/tst-crypto-available3
@@ -0,0 +1,6 @@
+1.2.840.113549.1.1.11
+1.2.840.113549.1.1.5
+1.2.840.113549.1.1.5
+1.2.840.113549.1.1.4
+1.2.840.113549.1.1.2
+1.2.752.43.16.1
diff --git a/crypto/heimdal/lib/hx509/tst-crypto-select b/crypto/heimdal/lib/hx509/tst-crypto-select
new file mode 100644
index 0000000..399c883
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/tst-crypto-select
@@ -0,0 +1 @@
+1.2.840.113549.1.1.11
diff --git a/crypto/heimdal/lib/hx509/tst-crypto-select1 b/crypto/heimdal/lib/hx509/tst-crypto-select1
new file mode 100644
index 0000000..eb0d095
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/tst-crypto-select1
@@ -0,0 +1 @@
+1.3.14.3.2.26
diff --git a/crypto/heimdal/lib/hx509/tst-crypto-select2 b/crypto/heimdal/lib/hx509/tst-crypto-select2
new file mode 100644
index 0000000..749a549
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/tst-crypto-select2
@@ -0,0 +1 @@
+1.2.840.113549.1.1.5
diff --git a/crypto/heimdal/lib/hx509/tst-crypto-select3 b/crypto/heimdal/lib/hx509/tst-crypto-select3
new file mode 100644
index 0000000..ba9f29f
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/tst-crypto-select3
@@ -0,0 +1 @@
+1.2.840.113549.1.1.4
diff --git a/crypto/heimdal/lib/hx509/tst-crypto-select4 b/crypto/heimdal/lib/hx509/tst-crypto-select4
new file mode 100644
index 0000000..749a549
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/tst-crypto-select4
@@ -0,0 +1 @@
+1.2.840.113549.1.1.5
diff --git a/crypto/heimdal/lib/hx509/tst-crypto-select5 b/crypto/heimdal/lib/hx509/tst-crypto-select5
new file mode 100644
index 0000000..399c883
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/tst-crypto-select5
@@ -0,0 +1 @@
+1.2.840.113549.1.1.11
diff --git a/crypto/heimdal/lib/hx509/tst-crypto-select6 b/crypto/heimdal/lib/hx509/tst-crypto-select6
new file mode 100644
index 0000000..749a549
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/tst-crypto-select6
@@ -0,0 +1 @@
+1.2.840.113549.1.1.5
diff --git a/crypto/heimdal/lib/hx509/tst-crypto-select7 b/crypto/heimdal/lib/hx509/tst-crypto-select7
new file mode 100644
index 0000000..9b0ac64
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/tst-crypto-select7
@@ -0,0 +1 @@
+2.16.840.1.101.3.4.1.42
diff --git a/crypto/heimdal/lib/hx509/version-script.map b/crypto/heimdal/lib/hx509/version-script.map
new file mode 100644
index 0000000..68ef73e
--- /dev/null
+++ b/crypto/heimdal/lib/hx509/version-script.map
@@ -0,0 +1,227 @@
+# $Id$
+
+HEIMDAL_X509_1.0 {
+	global:
+		initialize_hx_error_table_r;
+		hx509_bitstring_print;
+		hx509_ca_sign;
+		hx509_ca_sign_self;
+		hx509_ca_tbs_add_crl_dp_uri;
+		hx509_ca_tbs_add_eku;
+		hx509_ca_tbs_add_san_hostname;
+		hx509_ca_tbs_add_san_jid;
+		hx509_ca_tbs_add_san_ms_upn;
+		hx509_ca_tbs_add_san_otherName;
+		hx509_ca_tbs_add_san_pkinit;
+		hx509_ca_tbs_add_san_rfc822name;
+		hx509_ca_tbs_free;
+		hx509_ca_tbs_init;
+		hx509_ca_tbs_set_ca;
+		hx509_ca_tbs_set_domaincontroller;
+		hx509_ca_tbs_set_notAfter;
+		hx509_ca_tbs_set_notAfter_lifetime;
+		hx509_ca_tbs_set_notBefore;
+		hx509_ca_tbs_set_proxy;
+		hx509_ca_tbs_set_serialnumber;
+		hx509_ca_tbs_set_spki;
+		hx509_ca_tbs_set_subject;
+		hx509_ca_tbs_set_template;
+		hx509_ca_tbs_subject_expand;
+		hx509_ca_tbs_template_units;
+		hx509_cert_binary;
+		hx509_cert_check_eku;
+		hx509_cert_cmp;
+		hx509_cert_find_subjectAltName_otherName;
+		hx509_cert_free;
+		hx509_cert_get_SPKI;
+		hx509_cert_attribute;
+		hx509_cert_get_attribute;
+		hx509_cert_get_base_subject;
+		hx509_cert_get_friendly_name;
+		hx509_cert_get_issuer;
+		hx509_cert_get_notAfter;
+		hx509_cert_get_notBefore;
+		hx509_cert_get_serialnumber;
+		hx509_cert_get_subject;
+		hx509_cert_init;
+		hx509_cert_init_data;
+		hx509_cert_keyusage_print;
+		hx509_cert;
+		hx509_cert_ref;
+		hx509_cert_set_friendly_name;
+		hx509_certs_add;
+		hx509_certs_append;
+		hx509_certs_end_seq;
+		hx509_certs_find;
+		hx509_certs_free;
+		hx509_certs_info;
+		hx509_certs_init;
+		hx509_certs_iter;
+		hx509_certs_merge;
+		hx509_certs_next_cert;
+		hx509_certs_start_seq;
+		hx509_certs_store;
+		hx509_ci_print_names;
+		hx509_clear_error_string;
+		hx509_cms_create_signed_1;
+		hx509_cms_decrypt_encrypted;
+		hx509_cms_envelope_1;
+		hx509_cms_unenvelope;
+		hx509_cms_unwrap_ContentInfo;
+		hx509_cms_verify_signed;
+		hx509_cms_wrap_ContentInfo;
+		hx509_context_free;
+		hx509_context_init;
+		hx509_context_set_missing_revoke;
+		hx509_crl_add_revoked_certs;
+		hx509_crl_alloc;
+		hx509_crl_free;
+		hx509_crl_lifetime;
+		hx509_crl_sign;
+		hx509_crypto_aes128_cbc;
+		hx509_crypto_aes256_cbc;
+		hx509_crypto_available;
+		hx509_crypto_decrypt;
+		hx509_crypto_des_rsdi_ede3_cbc;
+		hx509_crypto_destroy;
+		hx509_crypto_encrypt;
+		hx509_crypto_enctype_by_name;
+		hx509_crypto_free_algs;
+		hx509_crypto_get_params;
+		hx509_crypto_init;
+		hx509_crypto_provider;
+		hx509_crypto_select;
+		hx509_crypto_set_key_data;
+		hx509_crypto_set_key_name;
+		hx509_crypto_set_params;
+		hx509_crypto_set_random_key;
+		hx509_env_add;
+		hx509_env_free;
+		hx509_env_init;
+		hx509_env_lfind;
+		hx509_err;
+		hx509_free_error_string;
+		hx509_free_octet_string_list;
+		hx509_general_name_unparse;
+		hx509_get_error_string;
+		hx509_get_one_cert;
+		hx509_lock_add_cert;
+		hx509_lock_add_certs;
+		hx509_lock_add_password;
+		hx509_lock_command_string;
+		hx509_lock_free;
+		hx509_lock_init;
+		hx509_lock_prompt;
+		hx509_lock_reset_certs;
+		hx509_lock_reset_passwords;
+		hx509_lock_reset_promper;
+		hx509_lock_set_prompter;
+		hx509_name_cmp;
+		hx509_name_copy;
+		hx509_name_expand;
+		hx509_name_free;
+		hx509_name_is_null_p;
+		hx509_name_normalize;
+		hx509_name_to_Name;
+		hx509_name_binary;
+		hx509_name_to_string;
+		hx509_ocsp_request;
+		hx509_ocsp_verify;
+		hx509_oid_print;
+		hx509_oid_sprint;
+		hx509_parse_name;
+		hx509_peer_info_alloc;
+		hx509_peer_info_free;
+		hx509_peer_info_set_cert;
+		hx509_peer_info_set_cms_algs;
+		hx509_print_stdout;
+		hx509_prompt_hidden;
+		hx509_query_alloc;
+		hx509_query_free;
+		hx509_query_match_cmp_func;
+		hx509_query_match_friendly_name;
+		hx509_query_match_issuer_serial;
+		hx509_query_match_option;
+		hx509_query_statistic_file;
+		hx509_query_unparse_stats;
+		hx509_revoke_add_crl;
+		hx509_revoke_add_ocsp;
+		hx509_revoke_free;
+		hx509_revoke_init;
+		hx509_revoke_ocsp_print;
+		hx509_revoke_verify;
+		hx509_set_error_string;
+		hx509_set_error_stringv;
+		hx509_signature_md2;
+		hx509_signature_md5;
+		hx509_signature_rsa;
+		hx509_signature_rsa_with_md2;
+		hx509_signature_rsa_with_md5;
+		hx509_signature_rsa_with_sha1;
+		hx509_signature_rsa_with_sha256;
+		hx509_signature_rsa_with_sha384;
+		hx509_signature_rsa_with_sha512;
+		hx509_signature_sha1;
+		hx509_signature_sha256;
+		hx509_signature_sha384;
+		hx509_signature_sha512;
+		hx509_unparse_der_name;
+		hx509_validate_cert;
+		hx509_validate_ctx_add_flags;
+		hx509_validate_ctx_free;
+		hx509_validate_ctx_init;
+		hx509_validate_ctx_set_print;
+		hx509_verify_attach_anchors;
+		hx509_verify_attach_revoke;
+		hx509_verify_ctx_f_allow_default_trustanchors;
+		hx509_verify_destroy_ctx;
+		hx509_verify_hostname;
+		hx509_verify_init_ctx;
+		hx509_verify_path;
+		hx509_verify_set_max_depth;
+		hx509_verify_set_proxy_certificate;
+		hx509_verify_set_strict_rfc3280_verification;
+		hx509_verify_set_time;
+		hx509_verify_signature;
+		hx509_pem_write;
+		hx509_pem_add_header;
+		hx509_pem_find_header;
+		hx509_pem_free_header;
+		hx509_xfree;
+		_hx509_write_file;
+		_hx509_map_file;
+		_hx509_map_file_os;
+		_hx509_unmap_file;
+		_hx509_unmap_file_os;
+		_hx509_certs_keys_free;
+		_hx509_certs_keys_get;
+		_hx509_request_init;
+		_hx509_request_add_dns_name;
+		_hx509_request_add_email;
+		_hx509_request_get_name;
+		_hx509_request_set_name;
+		_hx509_request_set_email;
+		_hx509_request_get_SubjectPublicKeyInfo;
+		_hx509_request_set_SubjectPublicKeyInfo;
+		_hx509_request_to_pkcs10;
+		_hx509_request_to_pkcs10;
+		_hx509_request_free;
+		_hx509_request_print;
+		_hx509_request_parse;
+		_hx509_private_key_ref;
+		_hx509_private_key_free;
+		_hx509_private_key2SPKI;
+		_hx509_generate_private_key_init;
+		_hx509_generate_private_key_is_ca;
+		_hx509_generate_private_key_bits;
+		_hx509_generate_private_key;
+		_hx509_generate_private_key_free;
+		_hx509_cert_assign_key;
+		_hx509_cert_private_key;
+		_hx509_name_from_Name;
+		# pkcs11 symbols
+		C_GetFunctionList;
+	local:
+		*;
+};
+
diff --git a/crypto/heimdal/lib/kadm5/ChangeLog b/crypto/heimdal/lib/kadm5/ChangeLog
index 51b559b..9b1235c 100644
--- a/crypto/heimdal/lib/kadm5/ChangeLog
+++ b/crypto/heimdal/lib/kadm5/ChangeLog
@@ -1,35 +1,756 @@
-2003-12-30  Love Hörnquist Åstrand <lha@it.su.se>
+2008-01-21  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* chpass_s.c: from 1.14->1.15:
-	(change): fix same-password-again by decrypting keys and setting
-	an error code. From: Buck Huppmann <buckh@pobox.com>
+	* default_keys.c: Use hdb_free_keys().
+
+2008-01-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: add check-cracklib.pl, flush.c,
+	sample_passwd_check.c
+
+2007-12-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* use hdb_db_dir() and hdb_default_db()
+
+2007-10-18  Love  <lha@stacken.kth.se>
+
+	* init_c.c: We are getting default_client, not client. this way
+	the user can override the result.
+	
+2007-09-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* iprop.8: fix spelling, From Antoine Jacoutt.
+
+2007-08-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* version-script.map: export _kadm5_unmarshal_params,
+	_kadm5_acl_check_permission
+
+	* version-script.map: export kadm5_log_ symbols.
+
+	* log.c: Unexport the specific log replay operations.
+	
+2007-08-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: build sample_passwd_check.la as part of noinst.
+
+	* sample_passwd_check.c: Add missing prototype for check_length().
+
+2007-08-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* log.c: Sprinkle krb5_set_error_string().
+
+	* ipropd_slave.c: Provide better error why kadm5_log_replay
+	failed.
+
+2007-08-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ipropd_master.c: - don't push whole database to the new client
+	every time.  - make slaves get the whole new database if they have
+	a newer log the the master (and thus have them go back in time).
+
+2007-08-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ipropd_slave.c: make more sane.
+
+	* ipropd_slave.c: more paranoid check that the log entires are
+	self consistant
+
+	* log.c (kadm5_log_foreach): check that the postamble contains the
+	right data.
+
+	* ipropd_master.c: Sprinkle more info about what versions the
+	master thinks about the client versions.
+
+	* ipropd_master.c: Start the server at the current version, not 0.
+
+2007-08-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ipropd_master.c: Add more logging, to figure out what is
+	happening in the master.
+
+2007-08-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: add version-script for libkadm5srv.la
+
+	* version-script.map: version script fro kadm5 server libary.
+
+	* log.c: only free the orignal entries extentions if there was
+	any.  Bug reported by Peter Meinecke.
+
+	* add configuration for signal file and acl file, let user select
+	hostname, catch signals and print why we are quiting, make nop
+	cause one new version, not two
+
+2007-07-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ipropd_master.c (send_diffs): make current slave's version
+	uptodate when diff have been sent.
+	
+2007-07-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ipropd_slave.c: More comments and some more error checking.
+	
+2007-07-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* init_c.c (get_cache_principal): make sure id is reset if we
+	fail. From Benjamin Bennet.
+
+2007-07-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* context_s.c (find_db_spec): match realm-less as the default
+	realm.
+
+	* Makefile.am: New library version.
+
+2007-07-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* context_s.c: Use hdb_get_dbinfo to pick up configuration.
+	ctx->config.realm can be NULL, check for that, from Bjorn S.
+	
+2007-07-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* init_c.c: Try harder to use the right principal.
+
+2007-06-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ipropd_slave.c: Catch return value from krb5_program_setup. From
+	Steven Luo.
+	
+2007-05-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* delete_s.c: Write log entry after store is successful, rename
+	out goto statments.
+
+	* randkey_s.c: Write log entry after store is successful.
+
+	* modify_s.c: Write log entry after store is successful.
+
+	* rename_s.c: indent.
+
+	* chpass_s.c: Write log entry after store is successful.
+
+	* create_s.c: Write log entry after store is successful.
+	
+2007-05-07  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* iprop-commands.in: Add default values to make this working
+	again.
+
+	* iprop-log.c (iprop_replay): create the database with more
+	liberal mode.
+
+	* log.c: make it slightly more working.
+
+	* iprop-log.8: Document last-version.
+
+	* iprop-log.c: (last_version): print last version of the log.
+	
+	* iprop-commands.in: new command last-version: print last version
+	of the log.
+
+	* log.c (kadm5_log_previous): document assumptions and make less
+	broken.  Bug report from Ronny Blomme.
+	
+2007-02-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* admin.h: add support to get aliases
+
+	* get_s.c: add support to get aliases
+
+2007-02-11  David Love  <fx@gnu.org>
+
+	* iprop-log.8: Small fixes, from David Love.
+	
+2006-12-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* init_c.c: if the user have a kadmin/admin initial ticket, don't
+	ask for password, just use the credential instead.
+	
+2006-12-06  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* ipropd_master.c: Use strcspn to remove \n from string returned
+	by fgets.  From Björn Sandell
+	
+2006-11-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* init_c.c (kadm_connect): clear error string before trying to
+	print a errno, this way we don't pick up a random failure code
+	
+2006-11-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ipropd_slave.c: Make krb5_get_init_creds_opt_free take a context
+	argument.
+
+	* init_c.c: Make krb5_get_init_creds_opt_free take a context
+	argument.
+	
+2006-10-22  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* ent_setup.c: Try to not leak memory.
+	
+2006-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: split build files into dist_ and noinst_ SOURCES
+	
+2006-08-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* get_s.c: Add KRB5_KDB_ALLOW_DIGEST
+
+	* ent_setup.c: Add KRB5_KDB_ALLOW_DIGEST
+
+	* admin.h: Add KRB5_KDB_ALLOW_DIGEST
+	
+2006-06-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-cracklib.pl: Add password reuse checking. From Harald
+	Barth.
+	
+2006-06-14  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* ent_setup.c (attr_to_flags): Add KRB5_KDB_ALLOW_KERBEROS4
+
+	* get_s.c (kadm5_s_get_principal): Add KRB5_KDB_ALLOW_KERBEROS4
+
+	* admin.h: Add KRB5_KDB_ALLOW_KERBEROS4
+	
+2006-06-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ent_setup.c (attr_to_flags): Add KRB5_KDB_TRUSTED_FOR_DELEGATION
+
+2006-05-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* password_quality.c (kadm5_check_password_quality): set error
+	message in context.
+	
+2006-05-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* iprop-log.c: Avoid shadowing.
+
+	* rename_s.c: Avoid shadowing.
+
+2006-05-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* privs_c.c (kadm5_c_get_privs): privs is a uint32_t, let copy it
+	that way.
+	
+2006-05-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Rename u_intXX_t to uintXX_t
+
+2006-04-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* chpass_s.c,delete_s.c,get_s.c,log.c,modify_s.c,randkey_s.c,rename_s.c:
+	Pass in HDB_F_GET_ANY to all ->hdb fetch to hint what entries we are looking for
+
+	* send_recv.c: set and clear error string
+
+	* rename_s.c: Break out the that we request from principal from
+	the entry and pass it in as a separate argument.
+
+	* randkey_s.c: Break out the that we request from principal from
+	the entry and pass it in as a separate argument.
+
+	* modify_s.c: Break out the that we request from principal from
+	the entry and pass it in as a separate argument.
+
+	* log.c: Break out the that we request from principal from the
+	entry and pass it in as a separate argument.
+
+	* get_s.c: Break out the that we request from principal from the
+	entry and pass it in as a separate argument.
+
+	* delete_s.c: Break out the that we request from principal from
+	the entry and pass it in as a separate argument.
+
+	* chpass_s.c: Break out the that we request from principal from
+	the entry and pass it in as a separate argument.
+	
+2006-04-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* create_s.c (create_principal*): If client doesn't send kvno,
+	make sure to set it to 1.
+	
+2006-04-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* log.c: (kadm5_log_rename): handle errors better
+	Fixes Coverity, NetBSD CID#628
+
+	* log.c (kadm5_log_delete): add error handling Coverity, NetBSD
+	CID#626
+	(kadm5_log_modify): add error handling Coverity, NetBSD CID#627
+
+	* init_c.c (_kadm5_c_get_cred_cache): handle ccache case better in
+	case no client name was passed in. Coverity, NetBSD CID#919
+	
+	* init_c.c (_kadm5_c_get_cred_cache): Free client principal in
+	case of error. Coverity NetBSD CID#1908
+	
+2006-02-02  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kadm5_err.et: (PASS_REUSE): Spelling, 
+	from Václav H?la <ax@natur.cuni.cz>
+	
+2006-01-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* send_recv.c: Clear error-string when introducing new errors.
+
+	* *_c.c: Clear error-string when introducing new errors.
+	
+2006-01-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am (libkadm5clnt.la) doesn't depend on libhdb, remove
+	dependency
+	
+2005-12-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* memset hdb_entry_ex before use
+	
+2005-12-12  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Wrap hdb_entry with hdb_entry_ex, patch originally 
+	from Andrew Bartlet
+
+2005-11-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* context_s.c (set_field): try another way to calculate the path
+	to the database/logfile/signal-socket
+
+	* log.c (kadm5_log_init): set error string on failures
+	
+2005-09-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Constify password.
+
+	* admin.h: Add KRB5_TL_PKINIT_ACL.
+	
+	* marshall.c (_kadm5_unmarshal_params): avoid signed-ness warnings
+	
+	* get_s.c (kadm5_s_get_principal): clear error string
+	
+2005-08-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* iprop-log.8: More text about iprop-log.
+	
+2005-08-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* iprop.8: SEE ALSO iprop-log.
+
+	* Makefile.am: man_MANS += iprop-log.8
+
+	* iprop-log.8: Basic for documentation of iprop-log.
+	
+	* remove replay_log.c, dump_log.c, and truncate_log.c, folded into
+	iprop-log.
+
+	* log.c (kadm5_log_foreach): add a context variable and pass it
+	down to `func´.
+
+	* iprop-commands.in: Move truncate_log and replay_log into
+	iprop-log.
+
+	* iprop-log.c: Move truncate_log and replay_log into iprop-log.
+	
+	* Makefile.am: Move truncate_log and replay_log into iprop-log.
+	
+	* Makefile.am: Make this work with a clean directory.
+
+	* ipropd_master.c: Make compile.
+
+	* ipropd_master.c: Update to new signature of kadm5_log_previous.
+
+	* log.c (kadm5_log_previous): catch errors instead of asserting
+	and set error string.
+
+	* iprop-commands.in: New program iprop-log that incorperates
+	dump_log as a subcommand, truncate_log and replay_log soon to come
+	after.
+	
+	* iprop-log.c: New program iprop-log that incorperates dump_log as
+	a subcommand, truncate_log and replay_log soon to come after.
+
+	* Makefile.am: New program iprop-log that incorperates dump_log as
+	a subcommand, truncate_log and replay_log soon to come after.
+	
+2005-08-11 Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* get_s.c: Implement KADM5_LAST_PWD_CHANGE.
+	
+	* set_keys.c: Set and clear password where appropriate.
+
+	* randkey_s.c: Operation modifies tl_data.
+
+	* log.c (kadm5_log_replay_modify): Check return values of
+	malloc(), replace all extensions.
+
+	* kadm5_err.et: Make BAD_TL_TYPE error more helpful.
+
+	* get_s.c: Expose KADM5_TL_DATA options to the client.
+
+	* ent_setup.c: Merge in KADM5_TL_DATA in the database.
+
+	* chpass_s.c: Operations modify extensions, mark that with
+	TL_DATA.
+
+	* admin.h: Add more TL types (password and extension).
+
+2005-06-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* constify
+
+	* ipropd_slave.c: avoid shadowing
+
+	* ipropd_master.c: rename local variable slave to s, optind ->
+	optidx
+
+	* get_princs_c.c: rename variable exp to expression
+	
+	* ad.c: rename variable exp to expression
+
+	* log.c: rename shadowing len to num
+	
+	* get_princs_s.c: rename variable exp to expression
+
+	* context_s.c: const poison
+
+	* common_glue.c: rename variable exp to expression
+
+2005-05-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ent_setup.c (attr_to_flags): check for KRB5_KDB_OK_AS_DELEGATE
+	
+	* get_s.c (kadm5_s_get_principal): set KRB5_KDB_OK_AS_DELEGATE
+
+	* admin.h: add KRB5_KDB_OK_AS_DELEGATE, sync KRB5_TL_ flags
+
+2005-05-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kadm5_pwcheck.3: please mdoclint
+
+2005-05-25  Dave Love  <fx@gnu.org>
+
+	* kadm5_pwcheck.3: document kadm5_add_passwd_quality_verifier,
+	improve text
+
+2005-05-24  Dave Love  <fx@gnu.org>
+
+	* iprop.8: Added some info about defaults, fixed some markup.
+	
+2005-05-23  Dave Love  <fx@gnu.org>
+
+	* ipropd_slave.c: Don't test HAVE_DAEMON since roken supplies it.
+
+	* ipropd_master.c: Don't test HAVE_DAEMON since roken supplies it.
+
+2005-05-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* init_c.c (_kadm5_c_init_context): fix memory leak in case of
+	failure
+
+2005-05-09  Dave Love  <fx@gnu.org>
+
+	* password_quality.c (find_func): Fix off-by-one and logic error.
+	(external_passwd_quality): Improve messages.
+
+	* test_pw_quality.c (main): Call kadm5_setup_passwd_quality_check
+	and kadm5_add_passwd_quality_verifier.
+
+2005-04-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* default_keys.c: #include <err.h>, only print salt it its longer
+	then 0, use krb5_err instead of errx where appropriate
+	
+2005-04-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ipropd_slave.c: add the documented option --port
+
+	* ipropd_master.c: add the documented option --port
+	
+	* dump_log.c: use the newly generated units function
+
+2005-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* dump_log.c: use strlcpy
+	
+	* password_quality.c: don't use sizeof(pointer)
+	
+2005-04-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* check-cracklib.pl: external password verifier sample
+
+	* password_quality.c (kadm5_add_passwd_quality_verifier): if NULL
+	is passed in, load defaults
+
+2005-04-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* password_quality.c: add an end tag to the external password
+	quality check protocol
+
+2005-04-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* password_quality.c: add external passsword quality check builtin
+	module
+	
+	[password_quality]
+		policies = external-check
+		external-program = /bin/false
+	
+	To approve password a, make the test program return APPROVED on
+	stderr and fail with exit code 0.
+	
+2004-10-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: bump version to 7:7:0 and 6:5:2
+	
+	* default_keys.c (parse_file): use hdb_generate_key_set
+	
+	* keys.c,set_keys.c: Move keyset parsing and password based keyset
+	generation into hdb.  Requested by Andrew Bartlett <abartlet@samba.org>
+	for hdb-ldb backend.
 	
-2003-12-21  Love Hörnquist Åstrand <lha@it.su.se>
+2004-09-23  Johan Danielsson  <joda@pdc.kth.se>
 
-	* init_c.c: 1.47->1.48: (_kadm5_c_init_context): catch errors from
-	strdup and other krb5_ functions
+	* ipropd_master.c: add help strings to some options
 	
-2003-08-15  Love Hörnquist Åstrand <lha@it.su.se>
+2004-09-12  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* ipropd_slave.c: 1.27->1.28: (receive_everything): switch close
-	and rename From: Alf Wachsmann <alfw@SLAC.Stanford.EDU>
+	* chpass_s.c: deal with changed prototype for _kadm5_free_keys
 	
-2003-04-16  Love Hörnquist Åstrand <lha@it.su.se>
+	* keys.c (_kadm5_free_keys): change prototype, make it use
+	krb5_context instead of a kadm5_server_context
+	
+	* set_keys.c (parse_key_set): do way with static returning
+	(function) static variable and returned allocated memory
+	(_kadm5_generate_key_set): free enctypes returned by parse_key_set
+
+2004-09-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* set_keys.c: Fix memory leak, don't return stack variables From
+	Andrew Bartlett
+	
+	* set_keys.c: make all_etypes const and move outside function to
+	avoid returning data on stack
+	
+2004-08-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* acl.c (fetch_acl): use " \t\n" instead of just "\n" for the
+	delim of the third element, this is so we can match
+	"foo@REALM<SPC>all<SPC><SPC>*@REALM", before it just matched
+	"foo@REALM<SPC>all<SPC>*@REALM", but that is kind of lucky since
+	what really happen was that the last <SPC> was stamped out, and
+	the it never strtok_r never needed to parse over it.
+	
+2004-08-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* set_keys.c (_kadm5_generate_key_set): since arcfour-hmac-md5 is
+	without salting, some people tries to add the string
+	"arcfour-hmac-md5" when they really should have used
+	"arcfour-hmac-md5:pw-salt", help them and add glue for that
+	
+2004-08-18  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ipropd_slave.c: add --detach
+
+2004-07-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ad.c: use new tsasl interface remove debug printf add upn to
+	computer-accounts
+	
+2004-06-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ad.c: implement kadm5_ad_init_with_password_ctx set more error
+	strings
+	
+2004-06-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: man_MANS = kadm5_pwcheck.3
+	
+	* kadm5_pwcheck.3: document new password quality api
+	
+	* password_quality.c: new password check interface (old still
+	supported)
+	
+	* kadm5-pwcheck.h: new password check interface
+	
+2004-06-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ipropd_master.c (main): process all slaves, not just up to the
+	last slave sending data
+	(bug report from Björn Sandell <biorn@dce.chalmers.se>)
+	(*): only send one ARE_YOU_THERE
+
+2004-06-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ad.c: use krb5_set_password_using_ccache
+	
+2004-06-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ad.c: try handle spn's better
+	
+2004-05-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ad.c: add expiration time
+	
+	* ad.c: add modify operations
+	
+	* ad.c: handle create and delete
+	
+2004-05-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ad.c: more code for get, handle attributes
+	
+	* ad.c: more code for get, handle time stamps and bad password
+	counter
+
+	* ad.c: more code for get, only fetches kvno for now
+	
+2004-05-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ad.c: add support for tsasl
+	
+	* private.h: add kadm5_ad_context
+	
+	* ipropd_master.c (prop_one): store the opcode in the begining of
+	the blob, not the end
+	
+	* ad.c: try all ldap servers in dns, generate a random password,
+	base64(random_block(64)), XXX must make it support other then
+	ARCFOUR
+	
+	* ad.c: framework for windows AD backend
+	
+2004-03-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* create_s.c (kadm5_s_create_principal): remove old XXX command
+	and related code, _kadm5_set_keys will do all this now
+	
+2004-02-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* set_keys.c (_kadm5_set_keys_randomly): make sure enctype to copy
+	enctype for des keys From: Andrew Bartlett <abartlet@samba.org>
+	
+	* create_s.c (kadm5_s_create_principal_with_key): don't call
+	_kadm5_set_keys2, create_principal will do that for us. Set kvno
+	to 1.
+
+	* chpass_s.c (change): bump kvno
+	(kadm5_s_chpass_principal_with_key): bump kvno
+
+	* randkey_s.c (kadm5_s_randkey_principal): bump kvno
+	
+	* set_keys.c (_kadm5_set_*): don't change the kvno, let the callee
+	to that
+
+2003-12-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* chpass_s.c (change): fix same-password-again by decrypting keys
+	and setting an error code From: Buck Huppmann <buckh@pobox.com>
+	
+2003-12-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* init_c.c (_kadm5_c_init_context): catch errors from strdup and
+	other krb5_ functions
+
+2003-12-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* rename_s.c (kadm5_s_rename_principal): allow principal to change
+	realm From Panasas Inc
+	
+2003-12-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* destroy_c.c (kadm5_c_destroy): fix memory leaks, From Panasas,
+	Inc
+
+2003-11-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* iprop.h: don't include <krb5-private.h>
+	
+	* ipropd_slave.c: stop using krb5 lib private byte-frobbing
+	functions and replace them with with krb5_storage
+	
+	* ipropd_master.c: stop using krb5 lib private byte-frobbing
+	functions and replace them with with krb5_storage
+	
+2003-11-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ipropd_slave.c (receive_loop): when seeking over the entries we
+	already have, skip over the trailer.  From: Jeffrey Hutzelman
+	<jhutz@cmu.edu>
+
+	* dump_log.c,ipropd_master.c,ipropd_slave.c,
+	replay_log.c,truncate_log.c: parse kdc.conf
+	From: Jeffrey Hutzelman <jhutz@cmu.edu>
+
+2003-10-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: += test_pw_quality
+	
+	* test_pw_quality.c: test program for verifying password quality
+	function
+
+2003-09-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: add and enable check program default_keys
+	
+	* default_keys.c: test program for _kadm5_generate_key_set
+	
+	* init_c.c: use
+	krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free
+
+2003-08-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* set_keys.c (_kadm5_set_keys_randomly): remove dup return
+	
+	* ipropd_master.c (main): make sure current_version is initialized
+	
+2003-08-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* set_keys.c: use default_keys for the both random keys and
+	password derived keys if its defined
+	
+2003-07-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ipropd_slave.c (receive_everything): switch close and rename
+	From: Alf Wachsmann <alfw@SLAC.Stanford.EDU>
+	
+2003-07-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* iprop.h, ipropd_master.c, ipropd_slave.c:
+	Add probing from the server that the client is still there, also
+	make the client check that the server is probing.
+
+2003-07-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* truncate_log.c (main): add missing ``if (ret)''
+	
+2003-06-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* set_keys.c (make_keys): add AES support
+	
+	* set_keys.c: fix off by one in the aes case, pointed out by Ken
+	Raeburn
+
+2003-04-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* set_keys.c (_kadm5_set_keys_randomly): add
+	ETYPE_AES256_CTS_HMAC_SHA1_96 key when configuried with aes
+	support
+
+2003-04-16  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* send_recv.c: check return values from krb5_data_alloc
 	* log.c: check return values from krb5_data_alloc
 	
-2003-04-16  Love Hörnquist Åstrand <lha@it.su.se>
+2003-04-16  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* dump_log.c (print_entry): check return values from
 	krb5_data_alloc
 
-2003-04-01  Love Hörnquist Åstrand <lha@it.su.se>
+2003-04-01  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* init_c.c (kadm_connect): if a context realm was passed in, use
 	that to form the kadmin/admin principal
 	
-2003-03-19  Love Hörnquist Åstrand <lha@it.su.se>
+2003-03-19  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* ipropd_master.c (main): make sure we don't consider dead slave
 	for select processing
diff --git a/crypto/heimdal/lib/kadm5/Makefile.am b/crypto/heimdal/lib/kadm5/Makefile.am
index 9b0c49d..66ffd37 100644
--- a/crypto/heimdal/lib/kadm5/Makefile.am
+++ b/crypto/heimdal/lib/kadm5/Makefile.am
@@ -1,25 +1,44 @@
-# $Id: Makefile.am,v 1.51.6.1 2003/05/12 15:20:46 joda Exp $
+# $Id: Makefile.am 22403 2008-01-11 14:37:26Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
+SLC = $(top_builddir)/lib/sl/slc
+
 lib_LTLIBRARIES = libkadm5srv.la libkadm5clnt.la
-libkadm5srv_la_LDFLAGS = -version-info 7:6:0
-libkadm5clnt_la_LDFLAGS = -version-info 6:4:2
-sbin_PROGRAMS = dump_log replay_log truncate_log
+libkadm5srv_la_LDFLAGS = -version-info 8:1:0
+libkadm5clnt_la_LDFLAGS = -version-info 7:1:0
+
+if versionscript
+libkadm5srv_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
+endif
+
+sbin_PROGRAMS = iprop-log
+check_PROGRAMS = default_keys
+noinst_PROGRAMS = test_pw_quality
+
+noinst_LTLIBRARIES = sample_passwd_check.la
 
-libkadm5srv_la_LIBADD = ../krb5/libkrb5.la ../hdb/libhdb.la ../roken/libroken.la
-libkadm5clnt_la_LIBADD = ../krb5/libkrb5.la ../hdb/libhdb.la ../roken/libroken.la
+sample_passwd_check_la_SOURCES = sample_passwd_check.c
+sample_passwd_check_la_LDFLAGS = -module
+
+libkadm5srv_la_LIBADD = \
+	$(LIB_com_err) ../krb5/libkrb5.la \
+	../hdb/libhdb.la $(LIBADD_roken)
+libkadm5clnt_la_LIBADD = \
+	$(LIB_com_err) ../krb5/libkrb5.la $(LIBADD_roken)
 
 libexec_PROGRAMS = ipropd-master ipropd-slave
 
+default_keys_SOURCES = default_keys.c
+
 kadm5includedir = $(includedir)/kadm5
 buildkadm5include = $(buildinclude)/kadm5
 
-kadm5include_HEADERS = kadm5_err.h admin.h private.h \
-	kadm5-protos.h kadm5-private.h
+dist_kadm5include_HEADERS = admin.h private.h kadm5-protos.h kadm5-private.h
+nodist_kadm5include_HEADERS = kadm5_err.h
 
-install-build-headers:: $(kadm5include_HEADERS)
-	@foo='$(kadm5include_HEADERS)'; \
+install-build-headers:: $(dist_kadm5include_HEADERS) $(nodist_kadm5include_HEADERS)
+	@foo='$(dist_kadm5include_HEADERS) $(nodist_kadm5include_HEADERS)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -31,9 +50,10 @@ install-build-headers:: $(kadm5include_HEADERS)
 		fi ; \
 	done
 
-SOURCES_client =				\
-	admin.h					\
+dist_libkadm5clnt_la_SOURCES =			\
+	ad.c					\
 	chpass_c.c				\
+	client_glue.c				\
 	common_glue.c				\
 	create_c.c				\
 	delete_c.c				\
@@ -43,7 +63,6 @@ SOURCES_client =				\
 	get_c.c					\
 	get_princs_c.c				\
 	init_c.c				\
-	kadm5_err.c				\
 	kadm5_locl.h				\
 	marshall.c				\
 	modify_c.c				\
@@ -51,9 +70,15 @@ SOURCES_client =				\
 	privs_c.c				\
 	randkey_c.c				\
 	rename_c.c				\
-	send_recv.c
+	send_recv.c				\
+	kadm5-pwcheck.h				\
+	admin.h
+
+nodist_libkadm5clnt_la_SOURCES =		\
+	kadm5_err.c				\
+	kadm5_err.h
 
-SOURCES_server =					\
+dist_libkadm5srv_la_SOURCES =			\
 	acl.c					\
 	admin.h					\
 	bump_pw_expire.c			\
@@ -70,32 +95,34 @@ SOURCES_server =					\
 	get_princs_s.c				\
 	get_s.c					\
 	init_s.c				\
-	kadm5_err.c				\
 	kadm5_locl.h				\
 	keys.c					\
 	log.c					\
 	marshall.c				\
 	modify_s.c				\
+	password_quality.c			\
 	private.h				\
 	privs_s.c				\
 	randkey_s.c				\
 	rename_s.c				\
+	server_glue.c				\
 	set_keys.c				\
 	set_modifier.c				\
-	password_quality.c
-
-libkadm5srv_la_SOURCES = $(SOURCES_server) server_glue.c
-libkadm5clnt_la_SOURCES = $(SOURCES_client) client_glue.c
+	kadm5-pwcheck.h				\
+	admin.h
 
-dump_log_SOURCES = dump_log.c kadm5_locl.h
+nodist_libkadm5srv_la_SOURCES = 		\
+	kadm5_err.c				\
+	kadm5_err.h
 
-replay_log_SOURCES = replay_log.c kadm5_locl.h
+dist_iprop_log_SOURCES = iprop-log.c
+nodist_iprop_log_SOURCES = iprop-commands.c
 
-ipropd_master_SOURCES = ipropd_master.c iprop.h kadm5_locl.h
+ipropd_master_SOURCES = ipropd_master.c ipropd_common.c iprop.h kadm5_locl.h
 
-ipropd_slave_SOURCES = ipropd_slave.c iprop.h kadm5_locl.h
+ipropd_slave_SOURCES = ipropd_slave.c ipropd_common.c iprop.h kadm5_locl.h
 
-truncate_log_SOURCES = truncate_log.c
+man_MANS = kadm5_pwcheck.3 iprop.8 iprop-log.8
 
 LDADD = \
 	libkadm5srv.la \
@@ -103,18 +130,37 @@ LDADD = \
 	$(LIB_openldap) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(top_builddir)/lib/asn1/libasn1.la \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
+	$(LIB_roken) \
+	$(DBLIB) \
+	$(LIB_dlopen) \
+	$(LIB_pidfile)
+
+iprop_log_LDADD = \
+	libkadm5srv.la \
+	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_hcrypto) \
+	$(top_builddir)/lib/sl/libsl.la \
+	$(LIB_readline) \
 	$(LIB_roken) \
 	$(DBLIB) \
 	$(LIB_dlopen) \
 	$(LIB_pidfile)
 
-CLEANFILES = kadm5_err.c kadm5_err.h
+
+iprop-commands.c iprop-commands.h: iprop-commands.in
+	$(SLC) $(srcdir)/iprop-commands.in
 
 $(libkadm5srv_la_OBJECTS): kadm5_err.h
+$(iprop_log_OBJECTS): iprop-commands.h
 
 client_glue.lo server_glue.lo: $(srcdir)/common_glue.c
 
+CLEANFILES = kadm5_err.c kadm5_err.h iprop-commands.h iprop-commands.c
+
 # to help stupid solaris make
 
 kadm5_err.h: kadm5_err.et
@@ -125,11 +171,22 @@ proto_opts = -q -R '^(_|kadm5_c_|kadm5_s_|kadm5_log)' -P comment
 $(srcdir)/kadm5-protos.h:
 	cd $(srcdir); perl ../../cf/make-proto.pl $(proto_opts) \
 		-o kadm5-protos.h \
-		$(libkadm5clnt_la_SOURCES) $(libkadm5srv_la_SOURCES) \
+		$(dist_libkadm5clnt_la_SOURCES) \
+		$(dist_libkadm5srv_la_SOURCES) \
 		|| rm -f kadm5-protos.h
 
 $(srcdir)/kadm5-private.h:
 	cd $(srcdir); perl ../../cf/make-proto.pl $(proto_opts) \
 		-p kadm5-private.h \
-		$(libkadm5clnt_la_SOURCES) $(libkadm5srv_la_SOURCES) \
+		$(dist_libkadm5clnt_la_SOURCES) \
+		$(dist_libkadm5srv_la_SOURCES) \
 		|| rm -f kadm5-private.h
+
+EXTRA_DIST = \
+	kadm5_err.et \
+	iprop-commands.in \
+	$(man_MANS) \
+	check-cracklib.pl \
+	flush.c \
+	sample_passwd_check.c \
+	version-script.map
diff --git a/crypto/heimdal/lib/kadm5/Makefile.in b/crypto/heimdal/lib/kadm5/Makefile.in
index 8695002..81f1ced 100644
--- a/crypto/heimdal/lib/kadm5/Makefile.in
+++ b/crypto/heimdal/lib/kadm5/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,25 +14,19 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.51.6.1 2003/05/12 15:20:46 joda Exp $
+# $Id: Makefile.am 22403 2008-01-11 14:37:26Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
 
 
-SOURCES = $(libkadm5clnt_la_SOURCES) $(libkadm5srv_la_SOURCES) $(dump_log_SOURCES) $(ipropd_master_SOURCES) $(ipropd_slave_SOURCES) $(replay_log_SOURCES) $(truncate_log_SOURCES)
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -44,26 +38,27 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
-DIST_COMMON = $(kadm5include_HEADERS) $(srcdir)/Makefile.am \
+DIST_COMMON = $(dist_kadm5include_HEADERS) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \
 	$(top_srcdir)/cf/Makefile.am.common ChangeLog
-sbin_PROGRAMS = dump_log$(EXEEXT) replay_log$(EXEEXT) \
-	truncate_log$(EXEEXT)
+@versionscript_TRUE@am__append_1 = $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
+sbin_PROGRAMS = iprop-log$(EXEEXT)
+check_PROGRAMS = default_keys$(EXEEXT)
+noinst_PROGRAMS = test_pw_quality$(EXEEXT)
 libexec_PROGRAMS = ipropd-master$(EXEEXT) ipropd-slave$(EXEEXT)
 subdir = lib/kadm5
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -76,6 +71,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -84,53 +80,92 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(kadm5includedir)"
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(libexecdir)" \
+	"$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man3dir)" \
+	"$(DESTDIR)$(man8dir)" "$(DESTDIR)$(kadm5includedir)" \
+	"$(DESTDIR)$(kadm5includedir)"
 libLTLIBRARIES_INSTALL = $(INSTALL)
-LTLIBRARIES = $(lib_LTLIBRARIES)
-libkadm5clnt_la_DEPENDENCIES = ../krb5/libkrb5.la ../hdb/libhdb.la \
-	../roken/libroken.la
-am__objects_1 = chpass_c.lo common_glue.lo create_c.lo delete_c.lo \
-	destroy_c.lo flush_c.lo free.lo get_c.lo get_princs_c.lo \
-	init_c.lo kadm5_err.lo marshall.lo modify_c.lo privs_c.lo \
-	randkey_c.lo rename_c.lo send_recv.lo
-am_libkadm5clnt_la_OBJECTS = $(am__objects_1) client_glue.lo
-libkadm5clnt_la_OBJECTS = $(am_libkadm5clnt_la_OBJECTS)
-libkadm5srv_la_DEPENDENCIES = ../krb5/libkrb5.la ../hdb/libhdb.la \
-	../roken/libroken.la
-am__objects_2 = acl.lo bump_pw_expire.lo chpass_s.lo common_glue.lo \
-	context_s.lo create_s.lo delete_s.lo destroy_s.lo ent_setup.lo \
-	error.lo flush_s.lo free.lo get_princs_s.lo get_s.lo init_s.lo \
-	kadm5_err.lo keys.lo log.lo marshall.lo modify_s.lo privs_s.lo \
-	randkey_s.lo rename_s.lo set_keys.lo set_modifier.lo \
-	password_quality.lo
-am_libkadm5srv_la_OBJECTS = $(am__objects_2) server_glue.lo
-libkadm5srv_la_OBJECTS = $(am_libkadm5srv_la_OBJECTS)
+LTLIBRARIES = $(lib_LTLIBRARIES) $(noinst_LTLIBRARIES)
+am__DEPENDENCIES_1 =
+libkadm5clnt_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
+	../krb5/libkrb5.la $(am__DEPENDENCIES_1)
+dist_libkadm5clnt_la_OBJECTS = ad.lo chpass_c.lo client_glue.lo \
+	common_glue.lo create_c.lo delete_c.lo destroy_c.lo flush_c.lo \
+	free.lo get_c.lo get_princs_c.lo init_c.lo marshall.lo \
+	modify_c.lo privs_c.lo randkey_c.lo rename_c.lo send_recv.lo
+nodist_libkadm5clnt_la_OBJECTS = kadm5_err.lo
+libkadm5clnt_la_OBJECTS = $(dist_libkadm5clnt_la_OBJECTS) \
+	$(nodist_libkadm5clnt_la_OBJECTS)
+libkadm5clnt_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libkadm5clnt_la_LDFLAGS) $(LDFLAGS) -o $@
+libkadm5srv_la_DEPENDENCIES = $(am__DEPENDENCIES_1) ../krb5/libkrb5.la \
+	../hdb/libhdb.la $(am__DEPENDENCIES_1)
+dist_libkadm5srv_la_OBJECTS = acl.lo bump_pw_expire.lo chpass_s.lo \
+	common_glue.lo context_s.lo create_s.lo delete_s.lo \
+	destroy_s.lo ent_setup.lo error.lo flush_s.lo free.lo \
+	get_princs_s.lo get_s.lo init_s.lo keys.lo log.lo marshall.lo \
+	modify_s.lo password_quality.lo privs_s.lo randkey_s.lo \
+	rename_s.lo server_glue.lo set_keys.lo set_modifier.lo
+nodist_libkadm5srv_la_OBJECTS = kadm5_err.lo
+libkadm5srv_la_OBJECTS = $(dist_libkadm5srv_la_OBJECTS) \
+	$(nodist_libkadm5srv_la_OBJECTS)
+libkadm5srv_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libkadm5srv_la_LDFLAGS) $(LDFLAGS) -o $@
+sample_passwd_check_la_LIBADD =
+am_sample_passwd_check_la_OBJECTS = sample_passwd_check.lo
+sample_passwd_check_la_OBJECTS = $(am_sample_passwd_check_la_OBJECTS)
+sample_passwd_check_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(sample_passwd_check_la_LDFLAGS) $(LDFLAGS) -o $@
 libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
-PROGRAMS = $(libexec_PROGRAMS) $(sbin_PROGRAMS)
-am_dump_log_OBJECTS = dump_log.$(OBJEXT)
-dump_log_OBJECTS = $(am_dump_log_OBJECTS)
-dump_log_LDADD = $(LDADD)
-am__DEPENDENCIES_1 =
-dump_log_DEPENDENCIES = libkadm5srv.la \
+PROGRAMS = $(libexec_PROGRAMS) $(noinst_PROGRAMS) $(sbin_PROGRAMS)
+am_default_keys_OBJECTS = default_keys.$(OBJEXT)
+default_keys_OBJECTS = $(am_default_keys_OBJECTS)
+default_keys_LDADD = $(LDADD)
+default_keys_DEPENDENCIES = libkadm5srv.la \
+	$(top_builddir)/lib/hdb/libhdb.la $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+dist_iprop_log_OBJECTS = iprop-log.$(OBJEXT)
+nodist_iprop_log_OBJECTS = iprop-commands.$(OBJEXT)
+iprop_log_OBJECTS = $(dist_iprop_log_OBJECTS) \
+	$(nodist_iprop_log_OBJECTS)
+iprop_log_DEPENDENCIES = libkadm5srv.la \
 	$(top_builddir)/lib/hdb/libhdb.la $(am__DEPENDENCIES_1) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/sl/libsl.la $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
-am_ipropd_master_OBJECTS = ipropd_master.$(OBJEXT)
+am_ipropd_master_OBJECTS = ipropd_master.$(OBJEXT) \
+	ipropd_common.$(OBJEXT)
 ipropd_master_OBJECTS = $(am_ipropd_master_OBJECTS)
 ipropd_master_LDADD = $(LDADD)
 ipropd_master_DEPENDENCIES = libkadm5srv.la \
@@ -139,7 +174,8 @@ ipropd_master_DEPENDENCIES = libkadm5srv.la \
 	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
-am_ipropd_slave_OBJECTS = ipropd_slave.$(OBJEXT)
+am_ipropd_slave_OBJECTS = ipropd_slave.$(OBJEXT) \
+	ipropd_common.$(OBJEXT)
 ipropd_slave_OBJECTS = $(am_ipropd_slave_OBJECTS)
 ipropd_slave_LDADD = $(LDADD)
 ipropd_slave_DEPENDENCIES = libkadm5srv.la \
@@ -148,56 +184,51 @@ ipropd_slave_DEPENDENCIES = libkadm5srv.la \
 	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
-am_replay_log_OBJECTS = replay_log.$(OBJEXT)
-replay_log_OBJECTS = $(am_replay_log_OBJECTS)
-replay_log_LDADD = $(LDADD)
-replay_log_DEPENDENCIES = libkadm5srv.la \
+test_pw_quality_SOURCES = test_pw_quality.c
+test_pw_quality_OBJECTS = test_pw_quality.$(OBJEXT)
+test_pw_quality_LDADD = $(LDADD)
+test_pw_quality_DEPENDENCIES = libkadm5srv.la \
 	$(top_builddir)/lib/hdb/libhdb.la $(am__DEPENDENCIES_1) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
-am_truncate_log_OBJECTS = truncate_log.$(OBJEXT)
-truncate_log_OBJECTS = $(am_truncate_log_OBJECTS)
-truncate_log_LDADD = $(LDADD)
-truncate_log_DEPENDENCIES = libkadm5srv.la \
-	$(top_builddir)/lib/hdb/libhdb.la $(am__DEPENDENCIES_1) \
-	$(top_builddir)/lib/krb5/libkrb5.la \
-	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
-SOURCES = $(libkadm5clnt_la_SOURCES) $(libkadm5srv_la_SOURCES) \
-	$(dump_log_SOURCES) $(ipropd_master_SOURCES) \
-	$(ipropd_slave_SOURCES) $(replay_log_SOURCES) \
-	$(truncate_log_SOURCES)
-DIST_SOURCES = $(libkadm5clnt_la_SOURCES) $(libkadm5srv_la_SOURCES) \
-	$(dump_log_SOURCES) $(ipropd_master_SOURCES) \
-	$(ipropd_slave_SOURCES) $(replay_log_SOURCES) \
-	$(truncate_log_SOURCES)
-kadm5includeHEADERS_INSTALL = $(INSTALL_HEADER)
-HEADERS = $(kadm5include_HEADERS)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(dist_libkadm5clnt_la_SOURCES) \
+	$(nodist_libkadm5clnt_la_SOURCES) \
+	$(dist_libkadm5srv_la_SOURCES) \
+	$(nodist_libkadm5srv_la_SOURCES) \
+	$(sample_passwd_check_la_SOURCES) $(default_keys_SOURCES) \
+	$(dist_iprop_log_SOURCES) $(nodist_iprop_log_SOURCES) \
+	$(ipropd_master_SOURCES) $(ipropd_slave_SOURCES) \
+	test_pw_quality.c
+DIST_SOURCES = $(dist_libkadm5clnt_la_SOURCES) \
+	$(dist_libkadm5srv_la_SOURCES) \
+	$(sample_passwd_check_la_SOURCES) $(default_keys_SOURCES) \
+	$(dist_iprop_log_SOURCES) $(ipropd_master_SOURCES) \
+	$(ipropd_slave_SOURCES) test_pw_quality.c
+man3dir = $(mandir)/man3
+man8dir = $(mandir)/man8
+MANS = $(man_MANS)
+dist_kadm5includeHEADERS_INSTALL = $(INSTALL_HEADER)
+nodist_kadm5includeHEADERS_INSTALL = $(INSTALL_HEADER)
+HEADERS = $(dist_kadm5include_HEADERS) $(nodist_kadm5include_HEADERS)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -207,8 +238,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -219,11 +248,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -231,42 +259,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -284,12 +297,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -299,15 +309,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -316,6 +325,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -327,15 +337,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -343,74 +348,79 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -427,20 +437,31 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+SLC = $(top_builddir)/lib/sl/slc
 lib_LTLIBRARIES = libkadm5srv.la libkadm5clnt.la
-libkadm5srv_la_LDFLAGS = -version-info 7:6:0
-libkadm5clnt_la_LDFLAGS = -version-info 6:4:2
-libkadm5srv_la_LIBADD = ../krb5/libkrb5.la ../hdb/libhdb.la ../roken/libroken.la
-libkadm5clnt_la_LIBADD = ../krb5/libkrb5.la ../hdb/libhdb.la ../roken/libroken.la
+libkadm5srv_la_LDFLAGS = -version-info 8:1:0 $(am__append_1)
+libkadm5clnt_la_LDFLAGS = -version-info 7:1:0
+noinst_LTLIBRARIES = sample_passwd_check.la
+sample_passwd_check_la_SOURCES = sample_passwd_check.c
+sample_passwd_check_la_LDFLAGS = -module
+libkadm5srv_la_LIBADD = \
+	$(LIB_com_err) ../krb5/libkrb5.la \
+	../hdb/libhdb.la $(LIBADD_roken)
+
+libkadm5clnt_la_LIBADD = \
+	$(LIB_com_err) ../krb5/libkrb5.la $(LIBADD_roken)
+
+default_keys_SOURCES = default_keys.c
 kadm5includedir = $(includedir)/kadm5
 buildkadm5include = $(buildinclude)/kadm5
-kadm5include_HEADERS = kadm5_err.h admin.h private.h \
-	kadm5-protos.h kadm5-private.h
-
-SOURCES_client = \
-	admin.h					\
+dist_kadm5include_HEADERS = admin.h private.h kadm5-protos.h kadm5-private.h
+nodist_kadm5include_HEADERS = kadm5_err.h
+dist_libkadm5clnt_la_SOURCES = \
+	ad.c					\
 	chpass_c.c				\
+	client_glue.c				\
 	common_glue.c				\
 	create_c.c				\
 	delete_c.c				\
@@ -450,7 +471,6 @@ SOURCES_client = \
 	get_c.c					\
 	get_princs_c.c				\
 	init_c.c				\
-	kadm5_err.c				\
 	kadm5_locl.h				\
 	marshall.c				\
 	modify_c.c				\
@@ -458,9 +478,15 @@ SOURCES_client = \
 	privs_c.c				\
 	randkey_c.c				\
 	rename_c.c				\
-	send_recv.c
+	send_recv.c				\
+	kadm5-pwcheck.h				\
+	admin.h
+
+nodist_libkadm5clnt_la_SOURCES = \
+	kadm5_err.c				\
+	kadm5_err.h
 
-SOURCES_server = \
+dist_libkadm5srv_la_SOURCES = \
 	acl.c					\
 	admin.h					\
 	bump_pw_expire.c			\
@@ -477,45 +503,72 @@ SOURCES_server = \
 	get_princs_s.c				\
 	get_s.c					\
 	init_s.c				\
-	kadm5_err.c				\
 	kadm5_locl.h				\
 	keys.c					\
 	log.c					\
 	marshall.c				\
 	modify_s.c				\
+	password_quality.c			\
 	private.h				\
 	privs_s.c				\
 	randkey_s.c				\
 	rename_s.c				\
+	server_glue.c				\
 	set_keys.c				\
 	set_modifier.c				\
-	password_quality.c
-
-libkadm5srv_la_SOURCES = $(SOURCES_server) server_glue.c
-libkadm5clnt_la_SOURCES = $(SOURCES_client) client_glue.c
-dump_log_SOURCES = dump_log.c kadm5_locl.h
-replay_log_SOURCES = replay_log.c kadm5_locl.h
-ipropd_master_SOURCES = ipropd_master.c iprop.h kadm5_locl.h
-ipropd_slave_SOURCES = ipropd_slave.c iprop.h kadm5_locl.h
-truncate_log_SOURCES = truncate_log.c
+	kadm5-pwcheck.h				\
+	admin.h
+
+nodist_libkadm5srv_la_SOURCES = \
+	kadm5_err.c				\
+	kadm5_err.h
+
+dist_iprop_log_SOURCES = iprop-log.c
+nodist_iprop_log_SOURCES = iprop-commands.c
+ipropd_master_SOURCES = ipropd_master.c ipropd_common.c iprop.h kadm5_locl.h
+ipropd_slave_SOURCES = ipropd_slave.c ipropd_common.c iprop.h kadm5_locl.h
+man_MANS = kadm5_pwcheck.3 iprop.8 iprop-log.8
 LDADD = \
 	libkadm5srv.la \
 	$(top_builddir)/lib/hdb/libhdb.la \
 	$(LIB_openldap) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(top_builddir)/lib/asn1/libasn1.la \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(LIB_roken) \
 	$(DBLIB) \
 	$(LIB_dlopen) \
 	$(LIB_pidfile)
 
-CLEANFILES = kadm5_err.c kadm5_err.h
+iprop_log_LDADD = \
+	libkadm5srv.la \
+	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_hcrypto) \
+	$(top_builddir)/lib/sl/libsl.la \
+	$(LIB_readline) \
+	$(LIB_roken) \
+	$(DBLIB) \
+	$(LIB_dlopen) \
+	$(LIB_pidfile)
+
+CLEANFILES = kadm5_err.c kadm5_err.h iprop-commands.h iprop-commands.c
 proto_opts = -q -R '^(_|kadm5_c_|kadm5_s_|kadm5_log)' -P comment
+EXTRA_DIST = \
+	kadm5_err.et \
+	iprop-commands.in \
+	$(man_MANS) \
+	check-cracklib.pl \
+	flush.c \
+	sample_passwd_check.c \
+	version-script.map
+
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -547,10 +600,10 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)"
+	test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    f="`echo $$p | sed -e 's|^.*/||'`"; \
+	    f=$(am__strip_dir) \
 	    echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \
 	    $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \
 	  else :; fi; \
@@ -559,7 +612,7 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 uninstall-libLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
-	    p="`echo $$p | sed -e 's|^.*/||'`"; \
+	  p=$(am__strip_dir) \
 	  echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \
 	  $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \
 	done
@@ -568,17 +621,35 @@ clean-libLTLIBRARIES:
 	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" = "$$p" && dir=.; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
 libkadm5clnt.la: $(libkadm5clnt_la_OBJECTS) $(libkadm5clnt_la_DEPENDENCIES) 
-	$(LINK) -rpath $(libdir) $(libkadm5clnt_la_LDFLAGS) $(libkadm5clnt_la_OBJECTS) $(libkadm5clnt_la_LIBADD) $(LIBS)
+	$(libkadm5clnt_la_LINK) -rpath $(libdir) $(libkadm5clnt_la_OBJECTS) $(libkadm5clnt_la_LIBADD) $(LIBS)
 libkadm5srv.la: $(libkadm5srv_la_OBJECTS) $(libkadm5srv_la_DEPENDENCIES) 
-	$(LINK) -rpath $(libdir) $(libkadm5srv_la_LDFLAGS) $(libkadm5srv_la_OBJECTS) $(libkadm5srv_la_LIBADD) $(LIBS)
+	$(libkadm5srv_la_LINK) -rpath $(libdir) $(libkadm5srv_la_OBJECTS) $(libkadm5srv_la_LIBADD) $(LIBS)
+sample_passwd_check.la: $(sample_passwd_check_la_OBJECTS) $(sample_passwd_check_la_DEPENDENCIES) 
+	$(sample_passwd_check_la_LINK)  $(sample_passwd_check_la_OBJECTS) $(sample_passwd_check_la_LIBADD) $(LIBS)
+
+clean-checkPROGRAMS:
+	@list='$(check_PROGRAMS)'; for p in $$list; do \
+	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  echo " rm -f $$p $$f"; \
+	  rm -f $$p $$f ; \
+	done
 install-libexecPROGRAMS: $(libexec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(libexecdir)" || $(mkdir_p) "$(DESTDIR)$(libexecdir)"
+	test -z "$(libexecdir)" || $(MKDIR_P) "$(DESTDIR)$(libexecdir)"
 	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -604,9 +675,16 @@ clean-libexecPROGRAMS:
 	  echo " rm -f $$p $$f"; \
 	  rm -f $$p $$f ; \
 	done
+
+clean-noinstPROGRAMS:
+	@list='$(noinst_PROGRAMS)'; for p in $$list; do \
+	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  echo " rm -f $$p $$f"; \
+	  rm -f $$p $$f ; \
+	done
 install-sbinPROGRAMS: $(sbin_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(sbindir)" || $(mkdir_p) "$(DESTDIR)$(sbindir)"
+	test -z "$(sbindir)" || $(MKDIR_P) "$(DESTDIR)$(sbindir)"
 	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -632,21 +710,21 @@ clean-sbinPROGRAMS:
 	  echo " rm -f $$p $$f"; \
 	  rm -f $$p $$f ; \
 	done
-dump_log$(EXEEXT): $(dump_log_OBJECTS) $(dump_log_DEPENDENCIES) 
-	@rm -f dump_log$(EXEEXT)
-	$(LINK) $(dump_log_LDFLAGS) $(dump_log_OBJECTS) $(dump_log_LDADD) $(LIBS)
+default_keys$(EXEEXT): $(default_keys_OBJECTS) $(default_keys_DEPENDENCIES) 
+	@rm -f default_keys$(EXEEXT)
+	$(LINK) $(default_keys_OBJECTS) $(default_keys_LDADD) $(LIBS)
+iprop-log$(EXEEXT): $(iprop_log_OBJECTS) $(iprop_log_DEPENDENCIES) 
+	@rm -f iprop-log$(EXEEXT)
+	$(LINK) $(iprop_log_OBJECTS) $(iprop_log_LDADD) $(LIBS)
 ipropd-master$(EXEEXT): $(ipropd_master_OBJECTS) $(ipropd_master_DEPENDENCIES) 
 	@rm -f ipropd-master$(EXEEXT)
-	$(LINK) $(ipropd_master_LDFLAGS) $(ipropd_master_OBJECTS) $(ipropd_master_LDADD) $(LIBS)
+	$(LINK) $(ipropd_master_OBJECTS) $(ipropd_master_LDADD) $(LIBS)
 ipropd-slave$(EXEEXT): $(ipropd_slave_OBJECTS) $(ipropd_slave_DEPENDENCIES) 
 	@rm -f ipropd-slave$(EXEEXT)
-	$(LINK) $(ipropd_slave_LDFLAGS) $(ipropd_slave_OBJECTS) $(ipropd_slave_LDADD) $(LIBS)
-replay_log$(EXEEXT): $(replay_log_OBJECTS) $(replay_log_DEPENDENCIES) 
-	@rm -f replay_log$(EXEEXT)
-	$(LINK) $(replay_log_LDFLAGS) $(replay_log_OBJECTS) $(replay_log_LDADD) $(LIBS)
-truncate_log$(EXEEXT): $(truncate_log_OBJECTS) $(truncate_log_DEPENDENCIES) 
-	@rm -f truncate_log$(EXEEXT)
-	$(LINK) $(truncate_log_LDFLAGS) $(truncate_log_OBJECTS) $(truncate_log_LDADD) $(LIBS)
+	$(LINK) $(ipropd_slave_OBJECTS) $(ipropd_slave_LDADD) $(LIBS)
+test_pw_quality$(EXEEXT): $(test_pw_quality_OBJECTS) $(test_pw_quality_DEPENDENCIES) 
+	@rm -f test_pw_quality$(EXEEXT)
+	$(LINK) $(test_pw_quality_OBJECTS) $(test_pw_quality_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -668,24 +746,127 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
+install-man3: $(man3_MANS) $(man_MANS)
+	@$(NORMAL_INSTALL)
+	test -z "$(man3dir)" || $(MKDIR_P) "$(DESTDIR)$(man3dir)"
+	@list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \
+	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+	for i in $$l2; do \
+	  case "$$i" in \
+	    *.3*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  case "$$ext" in \
+	    3*) ;; \
+	    *) ext='3' ;; \
+	  esac; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man3dir)/$$inst'"; \
+	  $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man3dir)/$$inst"; \
+	done
+uninstall-man3:
+	@$(NORMAL_UNINSTALL)
+	@list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \
+	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+	for i in $$l2; do \
+	  case "$$i" in \
+	    *.3*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  case "$$ext" in \
+	    3*) ;; \
+	    *) ext='3' ;; \
+	  esac; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f '$(DESTDIR)$(man3dir)/$$inst'"; \
+	  rm -f "$(DESTDIR)$(man3dir)/$$inst"; \
+	done
+install-man8: $(man8_MANS) $(man_MANS)
+	@$(NORMAL_INSTALL)
+	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
+	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+	for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  case "$$ext" in \
+	    8*) ;; \
+	    *) ext='8' ;; \
+	  esac; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+	  $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
+	done
+uninstall-man8:
+	@$(NORMAL_UNINSTALL)
+	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+	for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  case "$$ext" in \
+	    8*) ;; \
+	    *) ext='8' ;; \
+	  esac; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
+	  rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
+	done
+install-dist_kadm5includeHEADERS: $(dist_kadm5include_HEADERS)
+	@$(NORMAL_INSTALL)
+	test -z "$(kadm5includedir)" || $(MKDIR_P) "$(DESTDIR)$(kadm5includedir)"
+	@list='$(dist_kadm5include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  f=$(am__strip_dir) \
+	  echo " $(dist_kadm5includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(kadm5includedir)/$$f'"; \
+	  $(dist_kadm5includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(kadm5includedir)/$$f"; \
+	done
 
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
-install-kadm5includeHEADERS: $(kadm5include_HEADERS)
+uninstall-dist_kadm5includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(dist_kadm5include_HEADERS)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
+	  echo " rm -f '$(DESTDIR)$(kadm5includedir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(kadm5includedir)/$$f"; \
+	done
+install-nodist_kadm5includeHEADERS: $(nodist_kadm5include_HEADERS)
 	@$(NORMAL_INSTALL)
-	test -z "$(kadm5includedir)" || $(mkdir_p) "$(DESTDIR)$(kadm5includedir)"
-	@list='$(kadm5include_HEADERS)'; for p in $$list; do \
+	test -z "$(kadm5includedir)" || $(MKDIR_P) "$(DESTDIR)$(kadm5includedir)"
+	@list='$(nodist_kadm5include_HEADERS)'; for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
-	  echo " $(kadm5includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(kadm5includedir)/$$f'"; \
-	  $(kadm5includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(kadm5includedir)/$$f"; \
+	  f=$(am__strip_dir) \
+	  echo " $(nodist_kadm5includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(kadm5includedir)/$$f'"; \
+	  $(nodist_kadm5includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(kadm5includedir)/$$f"; \
 	done
 
-uninstall-kadm5includeHEADERS:
+uninstall-nodist_kadm5includeHEADERS:
 	@$(NORMAL_UNINSTALL)
-	@list='$(kadm5include_HEADERS)'; for p in $$list; do \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	@list='$(nodist_kadm5include_HEADERS)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
 	  echo " rm -f '$(DESTDIR)$(kadm5includedir)/$$f'"; \
 	  rm -f "$(DESTDIR)$(kadm5includedir)/$$f"; \
 	done
@@ -710,9 +891,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -737,23 +920,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../.. $(distdir)/../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -768,12 +949,14 @@ distdir: $(DISTFILES)
 	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
 	  dist-hook
 check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
 	$(MAKE) $(AM_MAKEFLAGS) check-local
 check: check-am
-all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(HEADERS) \
+		all-local
 installdirs:
-	for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(kadm5includedir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(kadm5includedir)" "$(DESTDIR)$(kadm5includedir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -795,20 +978,21 @@ clean-generic:
 	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libLTLIBRARIES clean-libexecPROGRAMS \
-	clean-libtool clean-sbinPROGRAMS mostlyclean-am
+clean-am: clean-checkPROGRAMS clean-generic clean-libLTLIBRARIES \
+	clean-libexecPROGRAMS clean-libtool clean-noinstLTLIBRARIES \
+	clean-noinstPROGRAMS clean-sbinPROGRAMS mostlyclean-am
 
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -820,18 +1004,27 @@ info: info-am
 
 info-am:
 
-install-data-am: install-kadm5includeHEADERS
+install-data-am: install-dist_kadm5includeHEADERS install-man \
+	install-nodist_kadm5includeHEADERS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-libLTLIBRARIES install-libexecPROGRAMS \
 	install-sbinPROGRAMS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
-install-man:
+install-man: install-man3 install-man8
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
 
 installcheck-am:
 
@@ -852,25 +1045,40 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-info-am uninstall-kadm5includeHEADERS \
+uninstall-am: uninstall-dist_kadm5includeHEADERS \
 	uninstall-libLTLIBRARIES uninstall-libexecPROGRAMS \
+	uninstall-man uninstall-nodist_kadm5includeHEADERS \
 	uninstall-sbinPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+uninstall-man: uninstall-man3 uninstall-man8
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
 
 .PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
-	clean clean-generic clean-libLTLIBRARIES clean-libexecPROGRAMS \
-	clean-libtool clean-sbinPROGRAMS ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-exec \
-	install-exec-am install-info install-info-am \
-	install-kadm5includeHEADERS install-libLTLIBRARIES \
-	install-libexecPROGRAMS install-man install-sbinPROGRAMS \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
-	uninstall-info-am uninstall-kadm5includeHEADERS \
-	uninstall-libLTLIBRARIES uninstall-libexecPROGRAMS \
+	clean clean-checkPROGRAMS clean-generic clean-libLTLIBRARIES \
+	clean-libexecPROGRAMS clean-libtool clean-noinstLTLIBRARIES \
+	clean-noinstPROGRAMS clean-sbinPROGRAMS ctags dist-hook \
+	distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-data-hook \
+	install-dist_kadm5includeHEADERS install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am \
+	install-libLTLIBRARIES install-libexecPROGRAMS install-man \
+	install-man3 install-man8 install-nodist_kadm5includeHEADERS \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-sbinPROGRAMS install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-dist_kadm5includeHEADERS \
+	uninstall-hook uninstall-libLTLIBRARIES \
+	uninstall-libexecPROGRAMS uninstall-man uninstall-man3 \
+	uninstall-man8 uninstall-nodist_kadm5includeHEADERS \
 	uninstall-sbinPROGRAMS
 
 
@@ -886,8 +1094,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -897,19 +1105,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -925,7 +1145,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -995,17 +1215,42 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
 
-install-build-headers:: $(kadm5include_HEADERS)
-	@foo='$(kadm5include_HEADERS)'; \
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
+install-build-headers:: $(dist_kadm5include_HEADERS) $(nodist_kadm5include_HEADERS)
+	@foo='$(dist_kadm5include_HEADERS) $(nodist_kadm5include_HEADERS)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -1017,7 +1262,11 @@ install-build-headers:: $(kadm5include_HEADERS)
 		fi ; \
 	done
 
+iprop-commands.c iprop-commands.h: iprop-commands.in
+	$(SLC) $(srcdir)/iprop-commands.in
+
 $(libkadm5srv_la_OBJECTS): kadm5_err.h
+$(iprop_log_OBJECTS): iprop-commands.h
 
 client_glue.lo server_glue.lo: $(srcdir)/common_glue.c
 
@@ -1029,13 +1278,15 @@ $(libkadm5clnt_la_OBJECTS) $(libkadm5srv_la_OBJECTS): $(srcdir)/kadm5-protos.h $
 $(srcdir)/kadm5-protos.h:
 	cd $(srcdir); perl ../../cf/make-proto.pl $(proto_opts) \
 		-o kadm5-protos.h \
-		$(libkadm5clnt_la_SOURCES) $(libkadm5srv_la_SOURCES) \
+		$(dist_libkadm5clnt_la_SOURCES) \
+		$(dist_libkadm5srv_la_SOURCES) \
 		|| rm -f kadm5-protos.h
 
 $(srcdir)/kadm5-private.h:
 	cd $(srcdir); perl ../../cf/make-proto.pl $(proto_opts) \
 		-p kadm5-private.h \
-		$(libkadm5clnt_la_SOURCES) $(libkadm5srv_la_SOURCES) \
+		$(dist_libkadm5clnt_la_SOURCES) \
+		$(dist_libkadm5srv_la_SOURCES) \
 		|| rm -f kadm5-private.h
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/crypto/heimdal/lib/kadm5/acl.c b/crypto/heimdal/lib/kadm5/acl.c
index 6240588..9a2f75b 100644
--- a/crypto/heimdal/lib/kadm5/acl.c
+++ b/crypto/heimdal/lib/kadm5/acl.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: acl.c,v 1.13 2001/08/24 04:01:42 assar Exp $");
+RCSID("$Id: acl.c 17445 2006-05-05 10:37:46Z lha $");
 
 static struct units acl_units[] = {
     { "all",		KADM5_PRIV_ALL },
@@ -48,7 +48,7 @@ static struct units acl_units[] = {
 };
 
 kadm5_ret_t
-_kadm5_string_to_privs(const char *s, u_int32_t* privs)
+_kadm5_string_to_privs(const char *s, uint32_t* privs)
 {
     int flags;
     flags = parse_flags(s, acl_units, 0);
@@ -59,7 +59,7 @@ _kadm5_string_to_privs(const char *s, u_int32_t* privs)
 }
 
 kadm5_ret_t
-_kadm5_privs_to_string(u_int32_t privs, char *string, size_t len)
+_kadm5_privs_to_string(uint32_t privs, char *string, size_t len)
 {
     if(privs == 0)
 	strlcpy(string, "none", len);
@@ -115,7 +115,7 @@ fetch_acl (kadm5_server_context *context,
 	ret = _kadm5_string_to_privs(p, &flags);
 	if (ret)
 	    break;
-	p = strtok_r(NULL, "\n", &foo);
+	p = strtok_r(NULL, " \t\n", &foo);
 	if (p == NULL) {
 	    *ret_flags = flags;
 	    break;
diff --git a/crypto/heimdal/lib/kadm5/ad.c b/crypto/heimdal/lib/kadm5/ad.c
new file mode 100644
index 0000000..72288d9
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/ad.c
@@ -0,0 +1,1449 @@
+/*
+ * Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#define HAVE_TSASL 1
+
+#include "kadm5_locl.h"
+#if 1
+#undef OPENLDAP
+#undef HAVE_TSASL
+#endif
+#ifdef OPENLDAP
+#include <ldap.h>
+#ifdef HAVE_TSASL
+#include <tsasl.h>
+#endif
+#include <resolve.h>
+#include <base64.h>
+#endif
+
+RCSID("$Id: ad.c 17445 2006-05-05 10:37:46Z lha $");
+
+#ifdef OPENLDAP
+
+#define CTX2LP(context) ((LDAP *)((context)->ldap_conn))
+#define CTX2BASE(context) ((context)->base_dn)
+
+/*
+ * userAccountControl
+ */
+
+#define UF_SCRIPT	 			0x00000001
+#define UF_ACCOUNTDISABLE			0x00000002
+#define UF_UNUSED_0	 			0x00000004
+#define UF_HOMEDIR_REQUIRED			0x00000008
+#define UF_LOCKOUT	 			0x00000010
+#define UF_PASSWD_NOTREQD 			0x00000020
+#define UF_PASSWD_CANT_CHANGE 			0x00000040
+#define UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED	0x00000080
+#define UF_TEMP_DUPLICATE_ACCOUNT       	0x00000100
+#define UF_NORMAL_ACCOUNT               	0x00000200
+#define UF_UNUSED_1	 			0x00000400
+#define UF_INTERDOMAIN_TRUST_ACCOUNT    	0x00000800
+#define UF_WORKSTATION_TRUST_ACCOUNT    	0x00001000
+#define UF_SERVER_TRUST_ACCOUNT         	0x00002000
+#define UF_UNUSED_2	 			0x00004000
+#define UF_UNUSED_3	 			0x00008000
+#define UF_PASSWD_NOT_EXPIRE			0x00010000
+#define UF_MNS_LOGON_ACCOUNT			0x00020000
+#define UF_SMARTCARD_REQUIRED			0x00040000
+#define UF_TRUSTED_FOR_DELEGATION		0x00080000
+#define UF_NOT_DELEGATED			0x00100000
+#define UF_USE_DES_KEY_ONLY			0x00200000
+#define UF_DONT_REQUIRE_PREAUTH			0x00400000
+#define UF_UNUSED_4				0x00800000
+#define UF_UNUSED_5				0x01000000
+#define UF_UNUSED_6				0x02000000
+#define UF_UNUSED_7				0x04000000
+#define UF_UNUSED_8				0x08000000
+#define UF_UNUSED_9				0x10000000
+#define UF_UNUSED_10				0x20000000
+#define UF_UNUSED_11				0x40000000
+#define UF_UNUSED_12				0x80000000
+
+/*
+ *
+ */
+
+#ifndef HAVE_TSASL
+static int
+sasl_interact(LDAP *ld, unsigned flags, void *defaults, void *interact)
+{
+    return LDAP_SUCCESS;
+}
+#endif
+
+#if 0
+static Sockbuf_IO ldap_tsasl_io = {
+    NULL,			/* sbi_setup */
+    NULL,			/* sbi_remove */
+    NULL,			/* sbi_ctrl */
+    NULL,			/* sbi_read */
+    NULL,			/* sbi_write */
+    NULL			/* sbi_close */
+};
+#endif
+
+#ifdef HAVE_TSASL
+static int
+ldap_tsasl_bind_s(LDAP *ld,
+		  LDAP_CONST char *dn,
+		  LDAPControl **serverControls,
+		  LDAPControl **clientControls,
+		  const char *host)
+{
+    char *attrs[] = { "supportedSASLMechanisms", NULL };
+    struct tsasl_peer *peer = NULL;
+    struct tsasl_buffer in, out;
+    struct berval ccred, *scred;
+    LDAPMessage *m, *m0;
+    const char *mech;
+    char **vals;
+    int ret, rc;
+
+    ret = tsasl_peer_init(TSASL_FLAGS_INITIATOR | TSASL_FLAGS_CLEAR,
+			  "ldap", host, &peer);
+    if (ret != TSASL_DONE) {
+	rc = LDAP_LOCAL_ERROR;
+	goto out;
+    }
+
+    rc = ldap_search_s(ld, "", LDAP_SCOPE_BASE, NULL, attrs, 0, &m0);
+    if (rc != LDAP_SUCCESS)
+	goto out;
+    
+    m = ldap_first_entry(ld, m0);
+    if (m == NULL) {
+	ldap_msgfree(m0);
+	goto out;
+    }
+
+    vals = ldap_get_values(ld, m, "supportedSASLMechanisms");
+    if (vals == NULL) {
+	ldap_msgfree(m0);
+	goto out;
+    }
+
+    ret = tsasl_find_best_mech(peer, vals, &mech);
+    if (ret) {
+	ldap_msgfree(m0);
+	goto out;
+    }
+
+    ldap_msgfree(m0);
+
+    ret = tsasl_select_mech(peer, mech);
+    if (ret != TSASL_DONE) {
+	rc = LDAP_LOCAL_ERROR;
+	goto out;
+    }
+
+    in.tb_data = NULL;
+    in.tb_size = 0;
+
+    do {
+	ret = tsasl_request(peer, &in, &out);
+	if (in.tb_size != 0) {
+	    free(in.tb_data);
+	    in.tb_data = NULL; 
+	    in.tb_size = 0;
+	}
+	if (ret != TSASL_DONE && ret != TSASL_CONTINUE) {
+	    rc = LDAP_AUTH_UNKNOWN;
+	    goto out;
+	}
+
+	ccred.bv_val = out.tb_data;
+	ccred.bv_len = out.tb_size;
+
+	rc = ldap_sasl_bind_s(ld, dn, mech, &ccred,
+			      serverControls, clientControls, &scred);
+	tsasl_buffer_free(&out);
+
+	if (rc != LDAP_SUCCESS && rc != LDAP_SASL_BIND_IN_PROGRESS) {
+	    if(scred && scred->bv_len)
+		ber_bvfree(scred);
+	    goto out;
+	}
+
+	in.tb_data = malloc(scred->bv_len);
+	if (in.tb_data == NULL) {
+	    rc = LDAP_LOCAL_ERROR;
+	    goto out;
+	}
+	memcpy(in.tb_data, scred->bv_val, scred->bv_len);
+	in.tb_size = scred->bv_len;
+	ber_bvfree(scred);
+
+    } while (rc == LDAP_SASL_BIND_IN_PROGRESS);
+
+ out:
+    if (rc == LDAP_SUCCESS) {
+#if 0
+	ber_sockbuf_add_io(ld->ld_conns->lconn_sb, &ldap_tsasl_io,
+			   LBER_SBIOD_LEVEL_APPLICATION, peer);
+
+#endif
+    } else if (peer != NULL)
+	tsasl_peer_free(peer);
+
+    return rc;
+}
+#endif /* HAVE_TSASL */
+
+
+static int
+check_ldap(kadm5_ad_context *context, int ret)
+{
+    switch (ret) {
+    case LDAP_SUCCESS:
+	return 0;
+    case LDAP_SERVER_DOWN: {
+	LDAP *lp = CTX2LP(context);
+	ldap_unbind(lp);
+	context->ldap_conn = NULL;
+	free(context->base_dn);
+	context->base_dn = NULL;
+	return 1;
+    }
+    default:
+	return 1;
+    }
+}
+
+/*
+ *
+ */
+
+static void
+laddattr(char ***al, int *attrlen, char *attr)
+{
+    char **a;
+    a = realloc(*al, (*attrlen + 2) * sizeof(**al));
+    if (a == NULL)
+	return;
+    a[*attrlen] = attr;
+    a[*attrlen + 1] = NULL;
+    (*attrlen)++;
+    *al = a;
+}
+
+static kadm5_ret_t
+_kadm5_ad_connect(void *server_handle)
+{
+    kadm5_ad_context *context = server_handle;
+    struct {
+	char *server;
+	int port;
+    } *s, *servers = NULL;
+    int i, num_servers = 0;
+
+    if (context->ldap_conn)
+	return 0;
+
+    {
+	struct dns_reply *r;
+	struct resource_record *rr;
+	char *domain;
+
+	asprintf(&domain, "_ldap._tcp.%s", context->realm);
+	if (domain == NULL) {
+	    krb5_set_error_string(context->context, "malloc");
+	    return KADM5_NO_SRV;
+	}
+
+	r = dns_lookup(domain, "SRV");
+	free(domain);
+	if (r == NULL) {
+	    krb5_set_error_string(context->context, "Didn't find ldap dns");
+	    return KADM5_NO_SRV;
+	}	
+
+	for (rr = r->head ; rr != NULL; rr = rr->next) {
+	    if (rr->type != T_SRV)
+		continue;
+	    s = realloc(servers, sizeof(*servers) * (num_servers + 1));
+	    if (s == NULL) {
+		krb5_set_error_string(context->context, "malloc");
+		dns_free_data(r);
+		goto fail;
+	    }
+	    servers = s;
+	    num_servers++;
+	    servers[num_servers - 1].port =  rr->u.srv->port;
+	    servers[num_servers - 1].server =  strdup(rr->u.srv->target);
+	}
+	dns_free_data(r);
+    }
+
+    if (num_servers == 0) {
+	krb5_set_error_string(context->context, "No AD server found in DNS");
+	return KADM5_NO_SRV;
+    }
+
+    for (i = 0; i < num_servers; i++) {
+	int lret, version = LDAP_VERSION3;
+	LDAP *lp;
+
+	lp = ldap_init(servers[i].server, servers[i].port);
+	if (lp == NULL)
+	    continue;
+	
+	if (ldap_set_option(lp, LDAP_OPT_PROTOCOL_VERSION, &version)) {
+	    ldap_unbind(lp);
+	    continue;
+	}
+	
+	if (ldap_set_option(lp, LDAP_OPT_REFERRALS, LDAP_OPT_OFF)) {
+	    ldap_unbind(lp);
+	    continue;
+	}
+	
+#ifdef HAVE_TSASL
+	lret = ldap_tsasl_bind_s(lp, NULL, NULL, NULL, servers[i].server);
+				 
+#else
+	lret = ldap_sasl_interactive_bind_s(lp, NULL, NULL, NULL, NULL, 
+					    LDAP_SASL_QUIET,
+					    sasl_interact, NULL);
+#endif
+	if (lret != LDAP_SUCCESS) {
+	    krb5_set_error_string(context->context, 
+				  "Couldn't contact any AD servers: %s",
+				  ldap_err2string(lret));
+	    ldap_unbind(lp);
+	    continue;
+	}
+
+	context->ldap_conn = lp;
+	break;
+    }
+    if (i >= num_servers) {
+	goto fail;
+    }
+
+    {
+	LDAPMessage *m, *m0;
+	char **attr = NULL;
+	int attrlen = 0;
+	char **vals;
+	int ret;
+	
+	laddattr(&attr, &attrlen, "defaultNamingContext");
+
+	ret = ldap_search_s(CTX2LP(context), "", LDAP_SCOPE_BASE, 
+			    "objectclass=*", attr, 0, &m);
+	free(attr);
+	if (check_ldap(context, ret))
+	    goto fail;
+
+	if (ldap_count_entries(CTX2LP(context), m) > 0) {
+	    m0 = ldap_first_entry(CTX2LP(context), m);
+	    if (m0 == NULL) {
+		krb5_set_error_string(context->context,
+				      "Error in AD ldap responce");
+		ldap_msgfree(m);
+		goto fail;
+	    }
+	    vals = ldap_get_values(CTX2LP(context), 
+				   m0, "defaultNamingContext");
+	    if (vals == NULL) {
+		krb5_set_error_string(context->context,
+				      "No naming context found");
+		goto fail;
+	    }
+	    context->base_dn = strdup(vals[0]);
+	} else
+	    goto fail;
+	ldap_msgfree(m);
+    }
+
+    for (i = 0; i < num_servers; i++)
+	free(servers[i].server);
+    free(servers);
+
+    return 0;
+
+ fail:
+    for (i = 0; i < num_servers; i++)
+	free(servers[i].server);
+    free(servers);
+
+    if (context->ldap_conn) {
+	ldap_unbind(CTX2LP(context));
+	context->ldap_conn = NULL;
+    }
+    return KADM5_RPC_ERROR;
+}
+
+#define NTTIME_EPOCH 0x019DB1DED53E8000LL
+
+static time_t
+nt2unixtime(const char *str)
+{
+    unsigned long long t;
+    t = strtoll(str, NULL, 10);
+    t = ((t - NTTIME_EPOCH) / (long long)10000000);
+    if (t > (((time_t)(~(long long)0)) >> 1))
+	return 0;
+    return (time_t)t;
+}
+
+static long long
+unix2nttime(time_t unix_time)
+{
+    long long wt;
+    wt = unix_time * (long long)10000000 + (long long)NTTIME_EPOCH;
+    return wt;
+}
+
+/* XXX create filter in a better way */
+
+static int
+ad_find_entry(kadm5_ad_context *context,
+	      const char *fqdn,
+	      const char *pn,
+	      char **name)
+{
+    LDAPMessage *m, *m0;
+    char *attr[] = { "distinguishedName", NULL };
+    char *filter;
+    int ret;
+
+    if (name)
+	*name = NULL;
+
+    if (fqdn)
+	asprintf(&filter, 
+		 "(&(objectClass=computer)(|(dNSHostName=%s)(servicePrincipalName=%s)))",
+		 fqdn, pn);
+    else if(pn)
+	asprintf(&filter, "(&(objectClass=account)(userPrincipalName=%s))", pn);
+    else
+	return KADM5_RPC_ERROR;
+
+    ret = ldap_search_s(CTX2LP(context), CTX2BASE(context),
+			LDAP_SCOPE_SUBTREE, 
+			filter, attr, 0, &m);
+    free(filter);
+    if (check_ldap(context, ret))
+	return KADM5_RPC_ERROR;
+
+    if (ldap_count_entries(CTX2LP(context), m) > 0) {
+	char **vals;
+	m0 = ldap_first_entry(CTX2LP(context), m);
+	vals = ldap_get_values(CTX2LP(context), m0, "distinguishedName");
+	if (vals == NULL || vals[0] == NULL) {
+	    ldap_msgfree(m);
+	    return KADM5_RPC_ERROR;
+	}
+	if (name)
+	    *name = strdup(vals[0]);
+	ldap_msgfree(m);
+    } else
+	return KADM5_UNK_PRINC;
+
+    return 0;
+}
+
+#endif /* OPENLDAP */
+
+static kadm5_ret_t
+ad_get_cred(kadm5_ad_context *context, const char *password)
+{
+    kadm5_ret_t ret;
+    krb5_ccache cc;
+    char *service;
+
+    if (context->ccache)
+	return 0;
+
+    asprintf(&service, "%s/%s@%s", KRB5_TGS_NAME,
+	     context->realm, context->realm);
+    if (service == NULL)
+	return ENOMEM;
+
+    ret = _kadm5_c_get_cred_cache(context->context,
+				  context->client_name,
+				  service,
+				  password, krb5_prompter_posix, 
+				  NULL, NULL, &cc);
+    free(service);
+    if(ret)
+	return ret; /* XXX */
+    context->ccache = cc;
+    return 0;
+}
+
+static kadm5_ret_t
+kadm5_ad_chpass_principal(void *server_handle,
+			  krb5_principal principal,
+			  const char *password)
+{
+    kadm5_ad_context *context = server_handle;
+    krb5_data result_code_string, result_string;
+    int result_code;
+    kadm5_ret_t ret;
+
+    ret = ad_get_cred(context, NULL);
+    if (ret)
+	return ret;
+
+    krb5_data_zero (&result_code_string);
+    krb5_data_zero (&result_string);
+
+    ret = krb5_set_password_using_ccache (context->context, 
+					  context->ccache,
+					  password,
+					  principal,
+					  &result_code,
+					  &result_code_string,
+					  &result_string);
+    
+    krb5_data_free (&result_code_string);
+    krb5_data_free (&result_string);
+
+    /* XXX do mapping here on error codes */
+
+    return ret;
+}
+
+#ifdef OPENLDAP
+static const char *
+get_fqdn(krb5_context context, const krb5_principal p)
+{
+    const char *s, *hosttypes[] = { "host", "ldap", "gc", "cifs", "dns" };
+    int i;
+
+    s = krb5_principal_get_comp_string(context, p, 0);
+    if (p == NULL)
+	return NULL;
+    
+    for (i = 0; i < sizeof(hosttypes)/sizeof(hosttypes[0]); i++) {
+	if (strcasecmp(s, hosttypes[i]) == 0)
+	    return krb5_principal_get_comp_string(context, p, 1);
+    }
+    return 0;
+}
+#endif
+
+
+static kadm5_ret_t
+kadm5_ad_create_principal(void *server_handle,
+			  kadm5_principal_ent_t entry,
+			  uint32_t mask,
+			  const char *password)
+{
+    kadm5_ad_context *context = server_handle;
+
+    /*
+     * KADM5_PRINC_EXPIRE_TIME
+     *
+     * return 0 || KADM5_DUP;
+     */
+
+#ifdef OPENLDAP
+    LDAPMod *attrs[8], rattrs[7], *a;
+    char *useraccvals[2] = { NULL, NULL }, 
+	*samvals[2], *dnsvals[2], *spnvals[5], *upnvals[2], *tv[2];
+    char *ocvals_spn[] = { "top", "person", "organizationalPerson", 
+			   "user", "computer", NULL}; 
+    char *p, *realmless_p, *p_msrealm = NULL, *dn = NULL;
+    const char *fqdn;
+    char *s, *samname = NULL, *short_spn = NULL;
+    int ret, i;
+    int32_t uf_flags = 0;
+    
+    if ((mask & KADM5_PRINCIPAL) == 0)
+	return KADM5_BAD_MASK;
+
+    for (i = 0; i < sizeof(rattrs)/sizeof(rattrs[0]); i++)
+	attrs[i] = &rattrs[i];
+    attrs[i] = NULL;
+    
+    ret = ad_get_cred(context, NULL);
+    if (ret)
+	return ret;
+    
+    ret = _kadm5_ad_connect(server_handle);
+    if (ret)
+	return ret;
+    
+    fqdn = get_fqdn(context->context, entry->principal);
+    
+    ret = krb5_unparse_name(context->context, entry->principal, &p);
+    if (ret)
+	return ret;
+    
+    if (ad_find_entry(context, fqdn, p, NULL) == 0) {
+	free(p);
+	return KADM5_DUP;
+    }
+    
+    if (mask & KADM5_ATTRIBUTES) {
+	if (entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX)
+	    uf_flags |= UF_ACCOUNTDISABLE|UF_LOCKOUT;
+	if ((entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH) == 0)
+	    uf_flags |= UF_DONT_REQUIRE_PREAUTH;
+	if (entry->attributes & KRB5_KDB_REQUIRES_HW_AUTH)
+	    uf_flags |= UF_SMARTCARD_REQUIRED;
+    }
+    
+    realmless_p = strdup(p);
+    if (realmless_p == NULL) {
+	ret = ENOMEM;
+	goto out;
+    }
+    s = strrchr(realmless_p, '@');
+    if (s)
+	*s = '\0';
+    
+    if (fqdn) {
+	/* create computer account */
+	asprintf(&samname, "%s$", fqdn);
+	if (samname == NULL) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+	s = strchr(samname, '.');
+	if (s) {
+	    s[0] = '$';
+	    s[1] = '\0';
+	}
+	
+	short_spn = strdup(p);
+	if (short_spn == NULL) {
+	    errno = ENOMEM;
+	    goto out;
+	}
+	s = strchr(short_spn, '.');
+	if (s) {
+	    *s = '\0';
+	} else {
+	    free(short_spn);
+	    short_spn = NULL;
+	}
+
+	p_msrealm = strdup(p);
+	if (p_msrealm == NULL) {
+	    errno = ENOMEM;
+	    goto out;
+	}
+	s = strrchr(p_msrealm, '@');
+	if (s) {
+	    *s = '/';
+	} else {
+	    free(p_msrealm);
+	    p_msrealm = NULL;
+	}
+
+	asprintf(&dn, "cn=%s, cn=Computers, %s", fqdn, CTX2BASE(context));
+	if (dn == NULL) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+
+	a = &rattrs[0];
+	a->mod_op = LDAP_MOD_ADD;
+	a->mod_type = "objectClass";
+	a->mod_values = ocvals_spn;
+	a++;
+
+	a->mod_op = LDAP_MOD_ADD;
+	a->mod_type = "userAccountControl";
+	a->mod_values = useraccvals;
+	asprintf(&useraccvals[0], "%d",
+		 uf_flags |
+		 UF_PASSWD_NOT_EXPIRE |
+		 UF_WORKSTATION_TRUST_ACCOUNT);
+	useraccvals[1] = NULL;
+	a++;
+
+	a->mod_op = LDAP_MOD_ADD;
+	a->mod_type = "sAMAccountName";
+	a->mod_values = samvals;
+	samvals[0] = samname;
+	samvals[1] = NULL;
+	a++;
+
+	a->mod_op = LDAP_MOD_ADD;
+	a->mod_type = "dNSHostName";
+	a->mod_values = dnsvals;
+	dnsvals[0] = (char *)fqdn;
+	dnsvals[1] = NULL;
+	a++;
+
+	/* XXX  add even more spn's */
+	a->mod_op = LDAP_MOD_ADD;
+	a->mod_type = "servicePrincipalName";
+	a->mod_values = spnvals;
+	i = 0;
+	spnvals[i++] = p;
+	spnvals[i++] = realmless_p;
+	if (short_spn)
+	    spnvals[i++] = short_spn;
+	if (p_msrealm)
+	    spnvals[i++] = p_msrealm;
+	spnvals[i++] = NULL;
+	a++;
+
+	a->mod_op = LDAP_MOD_ADD;
+	a->mod_type = "userPrincipalName";
+	a->mod_values = upnvals;
+	upnvals[0] = p;
+	upnvals[1] = NULL;
+	a++;
+
+	a->mod_op = LDAP_MOD_ADD;
+	a->mod_type = "accountExpires";
+	a->mod_values = tv;
+	tv[0] = "9223372036854775807"; /* "never" */
+	tv[1] = NULL;
+	a++;
+
+    } else {
+	/* create user account */
+	
+	a = &rattrs[0];
+	a->mod_op = LDAP_MOD_ADD;
+	a->mod_type = "userAccountControl";
+	a->mod_values = useraccvals;
+	asprintf(&useraccvals[0], "%d", 
+		 uf_flags |
+		 UF_PASSWD_NOT_EXPIRE);
+	useraccvals[1] = NULL;
+	a++;
+
+	a->mod_op = LDAP_MOD_ADD;
+	a->mod_type = "sAMAccountName";
+	a->mod_values = samvals;
+	samvals[0] = realmless_p;
+	samvals[1] = NULL;
+	a++;
+
+	a->mod_op = LDAP_MOD_ADD;
+	a->mod_type = "userPrincipalName";
+	a->mod_values = upnvals;
+	upnvals[0] = p;
+	upnvals[1] = NULL;
+	a++;
+
+	a->mod_op = LDAP_MOD_ADD;
+	a->mod_type = "accountExpires";
+	a->mod_values = tv;
+	tv[0] = "9223372036854775807"; /* "never" */
+	tv[1] = NULL;
+	a++;
+    }
+
+    attrs[a - &rattrs[0]] = NULL;
+
+    ret = ldap_add_s(CTX2LP(context), dn, attrs);
+
+ out:
+    if (useraccvals[0])
+	free(useraccvals[0]);
+    if (realmless_p)
+	free(realmless_p);
+    if (samname)
+	free(samname);
+    if (short_spn)
+	free(short_spn);
+    if (p_msrealm)
+	free(p_msrealm);
+    free(p);
+
+    if (check_ldap(context, ret))
+	return KADM5_RPC_ERROR;
+
+    return 0;
+#else
+    krb5_set_error_string(context->context, "Function not implemented");
+    return KADM5_RPC_ERROR;
+#endif
+}
+
+static kadm5_ret_t
+kadm5_ad_delete_principal(void *server_handle, krb5_principal principal)
+{
+    kadm5_ad_context *context = server_handle;
+#ifdef OPENLDAP
+    char *p, *dn = NULL;
+    const char *fqdn;
+    int ret;
+
+    ret = ad_get_cred(context, NULL);
+    if (ret)
+	return ret;
+
+    ret = _kadm5_ad_connect(server_handle);
+    if (ret)
+	return ret;
+
+    fqdn = get_fqdn(context->context, principal);
+
+    ret = krb5_unparse_name(context->context, principal, &p);
+    if (ret)
+	return ret;
+
+    if (ad_find_entry(context, fqdn, p, &dn) != 0) {
+	free(p);
+	return KADM5_UNK_PRINC;
+    }
+
+    ret = ldap_delete_s(CTX2LP(context), dn);
+
+    free(dn);
+    free(p);
+
+    if (check_ldap(context, ret))
+	return KADM5_RPC_ERROR;
+    return 0;
+#else
+    krb5_set_error_string(context->context, "Function not implemented");
+    return KADM5_RPC_ERROR;
+#endif
+}
+
+static kadm5_ret_t
+kadm5_ad_destroy(void *server_handle)
+{
+    kadm5_ad_context *context = server_handle;
+
+    if (context->ccache)
+	krb5_cc_destroy(context->context, context->ccache);
+
+#ifdef OPENLDAP
+    {
+	LDAP *lp = CTX2LP(context);
+	if (lp)
+	    ldap_unbind(lp);
+	if (context->base_dn)
+	    free(context->base_dn);
+    }
+#endif
+    free(context->realm);
+    free(context->client_name);
+    krb5_free_principal(context->context, context->caller);
+    if(context->my_context)
+	krb5_free_context(context->context);
+    return 0;
+}
+
+static kadm5_ret_t
+kadm5_ad_flush(void *server_handle)
+{
+    kadm5_ad_context *context = server_handle;
+#ifdef OPENLDAP
+    krb5_set_error_string(context->context, "Function not implemented");
+    return KADM5_RPC_ERROR;
+#else
+    krb5_set_error_string(context->context, "Function not implemented");
+    return KADM5_RPC_ERROR;
+#endif
+}
+
+static kadm5_ret_t
+kadm5_ad_get_principal(void *server_handle,
+		       krb5_principal principal, 
+		       kadm5_principal_ent_t entry, 
+		       uint32_t mask)
+{
+    kadm5_ad_context *context = server_handle;
+#ifdef OPENLDAP
+    LDAPMessage *m, *m0;
+    char **attr = NULL;
+    int attrlen = 0;
+    char *filter, *p, *q, *u;
+    int ret;
+
+    /*
+     * principal
+     * KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES
+     */
+
+    /*
+     * return 0 || KADM5_DUP;
+     */
+
+    memset(entry, 0, sizeof(*entry));
+
+    if (mask & KADM5_KVNO)
+	laddattr(&attr, &attrlen, "msDS-KeyVersionNumber");
+
+    if (mask & KADM5_PRINCIPAL) {
+	laddattr(&attr, &attrlen, "userPrincipalName");
+	laddattr(&attr, &attrlen, "servicePrincipalName");
+    }
+    laddattr(&attr, &attrlen, "objectClass");
+    laddattr(&attr, &attrlen, "lastLogon");
+    laddattr(&attr, &attrlen, "badPwdCount");
+    laddattr(&attr, &attrlen, "badPasswordTime");
+    laddattr(&attr, &attrlen, "pwdLastSet");
+    laddattr(&attr, &attrlen, "accountExpires");
+    laddattr(&attr, &attrlen, "userAccountControl");
+
+    krb5_unparse_name_short(context->context, principal, &p);
+    krb5_unparse_name(context->context, principal, &u);
+
+    /* replace @ in domain part with a / */
+    q = strrchr(p, '@');
+    if (q && (p != q && *(q - 1) != '\\'))
+	*q = '/';
+
+    asprintf(&filter, 
+	     "(|(userPrincipalName=%s)(servicePrincipalName=%s)(servicePrincipalName=%s))",
+	     u, p, u);
+    free(p);
+    free(u);
+
+    ret = ldap_search_s(CTX2LP(context), CTX2BASE(context),
+			LDAP_SCOPE_SUBTREE, 
+			filter, attr, 0, &m);
+    free(attr);
+    if (check_ldap(context, ret))
+	return KADM5_RPC_ERROR;
+
+    if (ldap_count_entries(CTX2LP(context), m) > 0) {
+	char **vals;
+	m0 = ldap_first_entry(CTX2LP(context), m);
+	if (m0 == NULL) {
+	    ldap_msgfree(m);
+	    goto fail;
+	}
+#if 0
+	vals = ldap_get_values(CTX2LP(context), m0, "servicePrincipalName");
+	if (vals)
+	    printf("servicePrincipalName %s\n", vals[0]);
+	vals = ldap_get_values(CTX2LP(context), m0, "userPrincipalName");
+	if (vals)
+	    printf("userPrincipalName %s\n", vals[0]);
+	vals = ldap_get_values(CTX2LP(context), m0, "userAccountControl");
+	if (vals)
+	    printf("userAccountControl %s\n", vals[0]);
+#endif
+	entry->princ_expire_time = 0;
+	if (mask & KADM5_PRINC_EXPIRE_TIME) {
+	    vals = ldap_get_values(CTX2LP(context), m0, "accountExpires");
+	    if (vals)
+		entry->princ_expire_time = nt2unixtime(vals[0]);
+	}
+	entry->last_success = 0;
+	if (mask & KADM5_LAST_SUCCESS) {
+	    vals = ldap_get_values(CTX2LP(context), m0, "lastLogon");
+	    if (vals)
+		entry->last_success = nt2unixtime(vals[0]);
+	}
+	if (mask & KADM5_LAST_FAILED) {
+	    vals = ldap_get_values(CTX2LP(context), m0, "badPasswordTime");
+	    if (vals)
+		entry->last_failed = nt2unixtime(vals[0]);
+	}
+	if (mask & KADM5_LAST_PWD_CHANGE) {
+	    vals = ldap_get_values(CTX2LP(context), m0, "pwdLastSet");
+	    if (vals)
+		entry->last_pwd_change = nt2unixtime(vals[0]);
+	}
+	if (mask & KADM5_FAIL_AUTH_COUNT) {
+	    vals = ldap_get_values(CTX2LP(context), m0, "badPwdCount");
+	    if (vals)
+		entry->fail_auth_count = atoi(vals[0]);
+	}
+ 	if (mask & KADM5_ATTRIBUTES) {
+	    vals = ldap_get_values(CTX2LP(context), m0, "userAccountControl");
+	    if (vals) {
+		uint32_t i;
+		i = atoi(vals[0]);
+		if (i & (UF_ACCOUNTDISABLE|UF_LOCKOUT))
+		    entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+		if ((i & UF_DONT_REQUIRE_PREAUTH) == 0)
+		    entry->attributes |= KRB5_KDB_REQUIRES_PRE_AUTH;
+		if (i & UF_SMARTCARD_REQUIRED)
+		    entry->attributes |= KRB5_KDB_REQUIRES_HW_AUTH;
+		if ((i & UF_WORKSTATION_TRUST_ACCOUNT) == 0)
+		    entry->attributes |= KRB5_KDB_DISALLOW_SVR;
+	    }
+	}
+	if (mask & KADM5_KVNO) {
+	    vals = ldap_get_values(CTX2LP(context), m0, 
+				   "msDS-KeyVersionNumber");
+	    if (vals)
+		entry->kvno = atoi(vals[0]);
+	    else
+		entry->kvno = 0;
+	}
+	ldap_msgfree(m);
+    } else {
+	return KADM5_UNK_PRINC;
+    }
+
+    if (mask & KADM5_PRINCIPAL)
+	krb5_copy_principal(context->context, principal, &entry->principal);
+
+    return 0;
+ fail:
+    return KADM5_RPC_ERROR;
+#else
+    krb5_set_error_string(context->context, "Function not implemented");
+    return KADM5_RPC_ERROR;
+#endif
+}
+
+static kadm5_ret_t
+kadm5_ad_get_principals(void *server_handle,
+			const char *expression,
+			char ***principals,
+			int *count)
+{
+    kadm5_ad_context *context = server_handle;
+
+    /*
+     * KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES
+     */
+
+#ifdef OPENLDAP
+    kadm5_ret_t ret;
+
+    ret = ad_get_cred(context, NULL);
+    if (ret)
+	return ret;
+
+    ret = _kadm5_ad_connect(server_handle);
+    if (ret)
+	return ret;
+
+    krb5_set_error_string(context->context, "Function not implemented");
+    return KADM5_RPC_ERROR;
+#else
+    krb5_set_error_string(context->context, "Function not implemented");
+    return KADM5_RPC_ERROR;
+#endif
+}
+
+static kadm5_ret_t
+kadm5_ad_get_privs(void *server_handle, uint32_t*privs)
+{
+    kadm5_ad_context *context = server_handle;
+    krb5_set_error_string(context->context, "Function not implemented");
+    return KADM5_RPC_ERROR;
+}
+
+static kadm5_ret_t
+kadm5_ad_modify_principal(void *server_handle,
+			  kadm5_principal_ent_t entry,
+			  uint32_t mask)
+{
+    kadm5_ad_context *context = server_handle;
+
+    /* 
+     * KADM5_ATTRIBUTES
+     * KRB5_KDB_DISALLOW_ALL_TIX (| KADM5_KVNO)
+     */
+
+#ifdef OPENLDAP
+    LDAPMessage *m = NULL, *m0;
+    kadm5_ret_t ret;
+    char **attr = NULL;
+    int attrlen = 0;
+    char *p = NULL, *s = NULL, *q;
+    char **vals;
+    LDAPMod *attrs[4], rattrs[3], *a;
+    char *uaf[2] = { NULL, NULL };
+    char *kvno[2] = { NULL, NULL };
+    char *tv[2] = { NULL, NULL };
+    char *filter, *dn;
+    int i;
+
+    for (i = 0; i < sizeof(rattrs)/sizeof(rattrs[0]); i++)
+	attrs[i] = &rattrs[i];
+    attrs[i] = NULL;
+    a = &rattrs[0];
+
+    ret = _kadm5_ad_connect(server_handle);
+    if (ret)
+	return ret;
+
+    if (mask & KADM5_KVNO)
+	laddattr(&attr, &attrlen, "msDS-KeyVersionNumber");
+    if (mask & KADM5_PRINC_EXPIRE_TIME)
+	laddattr(&attr, &attrlen, "accountExpires");
+    if (mask & KADM5_ATTRIBUTES)
+	laddattr(&attr, &attrlen, "userAccountControl");
+    laddattr(&attr, &attrlen, "distinguishedName");
+
+    krb5_unparse_name(context->context, entry->principal, &p);
+
+    s = strdup(p);
+
+    q = strrchr(s, '@');
+    if (q && (p != q && *(q - 1) != '\\'))
+	*q = '\0';
+
+    asprintf(&filter, 
+	     "(|(userPrincipalName=%s)(servicePrincipalName=%s))",
+	     s, s);
+    free(p);
+    free(s);
+
+    ret = ldap_search_s(CTX2LP(context), CTX2BASE(context),
+			LDAP_SCOPE_SUBTREE, 
+			filter, attr, 0, &m);
+    free(attr);
+    free(filter);
+    if (check_ldap(context, ret))
+	return KADM5_RPC_ERROR;
+
+    if (ldap_count_entries(CTX2LP(context), m) <= 0) {
+	ret = KADM5_RPC_ERROR;
+	goto out;
+    }
+
+    m0 = ldap_first_entry(CTX2LP(context), m);
+
+    if (mask & KADM5_ATTRIBUTES) {
+	int32_t i;
+
+	vals = ldap_get_values(CTX2LP(context), m0, "userAccountControl");
+	if (vals == NULL) {
+	    ret = KADM5_RPC_ERROR;
+	    goto out;
+	}
+
+	i = atoi(vals[0]);
+	if (i == 0)
+	    return KADM5_RPC_ERROR;
+
+	if (entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX)
+	    i |= (UF_ACCOUNTDISABLE|UF_LOCKOUT);
+	else
+	    i &= ~(UF_ACCOUNTDISABLE|UF_LOCKOUT);
+	if (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)
+	    i &= ~UF_DONT_REQUIRE_PREAUTH;
+	else
+	    i |= UF_DONT_REQUIRE_PREAUTH;
+	if (entry->attributes & KRB5_KDB_REQUIRES_HW_AUTH)
+	    i |= UF_SMARTCARD_REQUIRED;
+	else
+	    i &= UF_SMARTCARD_REQUIRED;
+	if (entry->attributes & KRB5_KDB_DISALLOW_SVR)
+	    i &= ~UF_WORKSTATION_TRUST_ACCOUNT;
+	else
+	    i |= UF_WORKSTATION_TRUST_ACCOUNT;
+
+	asprintf(&uaf[0], "%d", i);
+
+	a->mod_op = LDAP_MOD_REPLACE;
+	a->mod_type = "userAccountControl";
+	a->mod_values = uaf;
+	a++;
+    }
+
+    if (mask & KADM5_KVNO) {
+	vals = ldap_get_values(CTX2LP(context), m0, "msDS-KeyVersionNumber");
+	if (vals == NULL) {
+	    entry->kvno = 0;
+	} else {
+	    asprintf(&kvno[0], "%d", entry->kvno);
+
+	    a->mod_op = LDAP_MOD_REPLACE;
+	    a->mod_type = "msDS-KeyVersionNumber";
+	    a->mod_values = kvno;
+	    a++;
+	}
+    }
+
+    if (mask & KADM5_PRINC_EXPIRE_TIME) {
+	long long wt;
+	vals = ldap_get_values(CTX2LP(context), m0, "accountExpires");
+	if (vals == NULL) {
+	    ret = KADM5_RPC_ERROR;
+	    goto out;
+	}
+
+	wt = unix2nttime(entry->princ_expire_time);
+
+	asprintf(&tv[0], "%llu", wt);
+
+	a->mod_op = LDAP_MOD_REPLACE;
+	a->mod_type = "accountExpires";
+	a->mod_values = tv;
+	a++;
+    }
+    
+    vals = ldap_get_values(CTX2LP(context), m0, "distinguishedName");
+    if (vals == NULL) {
+	ret = KADM5_RPC_ERROR;
+	goto out;
+    }
+    dn = vals[0];
+
+    attrs[a - &rattrs[0]] = NULL;
+
+    ret = ldap_modify_s(CTX2LP(context), dn, attrs);
+    if (check_ldap(context, ret))
+	return KADM5_RPC_ERROR;
+
+ out:
+    if (m)
+	ldap_msgfree(m);
+    if (uaf[0])
+	free(uaf[0]);
+    if (kvno[0])
+	free(kvno[0]);
+    if (tv[0])
+	free(tv[0]);
+    return ret;
+#else
+    krb5_set_error_string(context->context, "Function not implemented");
+    return KADM5_RPC_ERROR;
+#endif
+}
+
+static kadm5_ret_t
+kadm5_ad_randkey_principal(void *server_handle,
+			   krb5_principal principal,
+			   krb5_keyblock **keys,
+			   int *n_keys)
+{
+    kadm5_ad_context *context = server_handle;
+
+    /*
+     * random key
+     */
+
+#ifdef OPENLDAP
+    krb5_data result_code_string, result_string;
+    int result_code, plen;
+    kadm5_ret_t ret;
+    char *password;
+
+    *keys = NULL;
+    *n_keys = 0;
+
+    {
+	char p[64];
+	krb5_generate_random_block(p, sizeof(p));
+	plen = base64_encode(p, sizeof(p), &password);
+	if (plen < 0)
+	    return ENOMEM;
+    }
+
+    ret = ad_get_cred(context, NULL);
+    if (ret) {
+	free(password);
+	return ret;
+    }
+
+    krb5_data_zero (&result_code_string);
+    krb5_data_zero (&result_string);
+
+    ret = krb5_set_password_using_ccache (context->context, 
+					  context->ccache,
+					  password,
+					  principal,
+					  &result_code,
+					  &result_code_string,
+					  &result_string);
+
+    krb5_data_free (&result_code_string);
+    krb5_data_free (&result_string);
+
+    if (ret == 0) {
+
+	*keys = malloc(sizeof(**keys) * 1);
+	if (*keys == NULL) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+	*n_keys = 1;
+
+	ret = krb5_string_to_key(context->context,
+				 ENCTYPE_ARCFOUR_HMAC_MD5,
+				 password,
+				 principal,
+				 &(*keys)[0]);
+	memset(password, 0, sizeof(password));
+	if (ret) {
+	    free(*keys);
+	    *keys = NULL;
+	    *n_keys = 0;
+	    goto out;
+	}
+    }
+    memset(password, 0, plen);
+    free(password);
+ out:
+    return ret;
+#else
+    *keys = NULL;
+    *n_keys = 0;
+
+    krb5_set_error_string(context->context, "Function not implemented");
+    return KADM5_RPC_ERROR;
+#endif
+}
+
+static kadm5_ret_t
+kadm5_ad_rename_principal(void *server_handle,
+			  krb5_principal from,
+			  krb5_principal to)
+{
+    kadm5_ad_context *context = server_handle;
+    krb5_set_error_string(context->context, "Function not implemented");
+    return KADM5_RPC_ERROR;
+}
+
+static kadm5_ret_t
+kadm5_ad_chpass_principal_with_key(void *server_handle, 
+				   krb5_principal princ,
+				   int n_key_data,
+				   krb5_key_data *key_data)
+{
+    kadm5_ad_context *context = server_handle;
+    krb5_set_error_string(context->context, "Function not implemented");
+    return KADM5_RPC_ERROR;
+}
+
+static void
+set_funcs(kadm5_ad_context *c)
+{
+#define SET(C, F) (C)->funcs.F = kadm5_ad_ ## F
+    SET(c, chpass_principal);
+    SET(c, chpass_principal_with_key);
+    SET(c, create_principal);
+    SET(c, delete_principal);
+    SET(c, destroy);
+    SET(c, flush);
+    SET(c, get_principal);
+    SET(c, get_principals);
+    SET(c, get_privs);
+    SET(c, modify_principal);
+    SET(c, randkey_principal);
+    SET(c, rename_principal);
+}
+
+kadm5_ret_t 
+kadm5_ad_init_with_password_ctx(krb5_context context,
+				const char *client_name,
+				const char *password,
+				const char *service_name,
+				kadm5_config_params *realm_params,
+				unsigned long struct_version,
+				unsigned long api_version,
+				void **server_handle)
+{
+    kadm5_ret_t ret;
+    kadm5_ad_context *ctx;
+
+    ctx = malloc(sizeof(*ctx));
+    if(ctx == NULL)
+	return ENOMEM;
+    memset(ctx, 0, sizeof(*ctx));
+    set_funcs(ctx);
+
+    ctx->context = context;
+    krb5_add_et_list (context, initialize_kadm5_error_table_r);
+
+    ret = krb5_parse_name(ctx->context, client_name, &ctx->caller);
+    if(ret) {
+	free(ctx);
+	return ret;
+    }
+
+    if(realm_params->mask & KADM5_CONFIG_REALM) {
+	ret = 0;
+	ctx->realm = strdup(realm_params->realm);
+	if (ctx->realm == NULL)
+	    ret = ENOMEM;
+    } else
+	ret = krb5_get_default_realm(ctx->context, &ctx->realm);
+    if (ret) {
+	free(ctx);
+	return ret;
+    }
+
+    ctx->client_name = strdup(client_name);
+
+    if(password != NULL && *password != '\0')
+	ret = ad_get_cred(ctx, password);
+    else
+	ret = ad_get_cred(ctx, NULL);
+    if(ret) {
+	kadm5_ad_destroy(ctx);
+	return ret;
+    }
+
+#ifdef OPENLDAP
+    ret = _kadm5_ad_connect(ctx);
+    if (ret) {
+	kadm5_ad_destroy(ctx);
+	return ret;
+    }
+#endif
+
+    *server_handle = ctx;
+    return 0;
+}
+
+kadm5_ret_t 
+kadm5_ad_init_with_password(const char *client_name,
+			    const char *password,
+			    const char *service_name,
+			    kadm5_config_params *realm_params,
+			    unsigned long struct_version,
+			    unsigned long api_version,
+			    void **server_handle)
+{
+    krb5_context context;
+    kadm5_ret_t ret;
+    kadm5_ad_context *ctx;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	return ret;
+    ret = kadm5_ad_init_with_password_ctx(context, 
+					  client_name,
+					  password,
+					  service_name,
+					  realm_params,
+					  struct_version,
+					  api_version,
+					  server_handle);
+    if(ret) {
+	krb5_free_context(context);
+	return ret;
+    }
+    ctx = *server_handle;
+    ctx->my_context = 1;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/admin.h b/crypto/heimdal/lib/kadm5/admin.h
index d9bd85f..30d68d8 100644
--- a/crypto/heimdal/lib/kadm5/admin.h
+++ b/crypto/heimdal/lib/kadm5/admin.h
@@ -30,7 +30,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
  * SUCH DAMAGE. 
  */
-/* $Id: admin.h,v 1.18 2000/08/04 11:26:21 joda Exp $ */
+/* $Id: admin.h 20237 2007-02-16 23:54:34Z lha $ */
 
 #ifndef __KADM5_ADMIN_H__
 #define __KADM5_ADMIN_H__
@@ -64,6 +64,10 @@
 #define KRB5_KDB_PWCHANGE_SERVICE	0x00002000
 #define KRB5_KDB_SUPPORT_DESMD5		0x00004000
 #define KRB5_KDB_NEW_PRINC		0x00008000
+#define KRB5_KDB_OK_AS_DELEGATE		0x00010000
+#define KRB5_KDB_TRUSTED_FOR_DELEGATION	0x00020000
+#define KRB5_KDB_ALLOW_KERBEROS4	0x00040000
+#define KRB5_KDB_ALLOW_DIGEST		0x00080000
 
 #define KADM5_PRINCIPAL		0x000001
 #define KADM5_PRINC_EXPIRE_TIME	0x000002
@@ -115,6 +119,17 @@ typedef struct _krb5_tl_data {
     void*   tl_data_contents;     
 } krb5_tl_data;
 
+#define KRB5_TL_LAST_PWD_CHANGE		0x0001
+#define KRB5_TL_MOD_PRINC		0x0002
+#define KRB5_TL_KADM_DATA		0x0003
+#define KRB5_TL_KADM5_E_DATA		0x0004
+#define KRB5_TL_RB1_CHALLENGE		0x0005
+#define KRB5_TL_SECURID_STATE           0x0006
+#define KRB5_TL_PASSWORD           	0x0007
+#define KRB5_TL_EXTENSION           	0x0008
+#define KRB5_TL_PKINIT_ACL           	0x0009
+#define KRB5_TL_ALIASES           	0x000a
+
 typedef struct _kadm5_principal_ent_t {
     krb5_principal principal;
 
@@ -129,7 +144,7 @@ typedef struct _kadm5_principal_ent_t {
     krb5_kvno mkvno;
 
     char * policy;
-    u_int32_t aux_attributes;
+    uint32_t aux_attributes;
 
     krb5_deltat max_renewable_life;
     krb5_timestamp last_success;
@@ -144,12 +159,12 @@ typedef struct _kadm5_principal_ent_t {
 typedef struct _kadm5_policy_ent_t {
     char *policy;
 
-    u_int32_t pw_min_life;
-    u_int32_t pw_max_life;
-    u_int32_t pw_min_length;
-    u_int32_t pw_min_classes;
-    u_int32_t pw_history_num;
-    u_int32_t policy_refcnt;
+    uint32_t pw_min_life;
+    uint32_t pw_max_life;
+    uint32_t pw_min_length;
+    uint32_t pw_min_classes;
+    uint32_t pw_history_num;
+    uint32_t policy_refcnt;
 } kadm5_policy_ent_rec, *kadm5_policy_ent_t;
 
 #define KADM5_CONFIG_REALM			(1 << 0)
@@ -185,7 +200,7 @@ typedef struct {
 }krb5_key_salt_tuple;
 
 typedef struct _kadm5_config_params {
-    u_int32_t mask;
+    uint32_t mask;
 
     /* Client and server fields */
     char *realm;
@@ -217,7 +232,7 @@ kadm5_decrypt_key(void *server_handle,
 
 kadm5_ret_t
 kadm5_create_policy(void *server_handle,
-		    kadm5_policy_ent_t policy, u_int32_t mask); 
+		    kadm5_policy_ent_t policy, uint32_t mask); 
 
 kadm5_ret_t
 kadm5_delete_policy(void *server_handle, char *policy);
@@ -226,7 +241,7 @@ kadm5_delete_policy(void *server_handle, char *policy);
 kadm5_ret_t
 kadm5_modify_policy(void *server_handle,
 		    kadm5_policy_ent_t policy, 
-		    u_int32_t mask);
+		    uint32_t mask);
 
 kadm5_ret_t
 kadm5_get_policy(void *server_handle, char *policy, kadm5_policy_ent_t ent); 
diff --git a/crypto/heimdal/lib/kadm5/bump_pw_expire.c b/crypto/heimdal/lib/kadm5/bump_pw_expire.c
index a185c20..17bd5e1 100644
--- a/crypto/heimdal/lib/kadm5/bump_pw_expire.c
+++ b/crypto/heimdal/lib/kadm5/bump_pw_expire.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: bump_pw_expire.c,v 1.1 2000/07/24 03:47:54 assar Exp $");
+RCSID("$Id: bump_pw_expire.c 8797 2000-07-24 03:47:54Z assar $");
 
 /*
  * extend password_expiration if it's defined
diff --git a/crypto/heimdal/lib/kadm5/check-cracklib.pl b/crypto/heimdal/lib/kadm5/check-cracklib.pl
new file mode 100755
index 0000000..229cc7f
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/check-cracklib.pl
@@ -0,0 +1,106 @@
+#!/usr/pkg/bin/perl
+#
+# Sample password verifier for Heimdals external password
+# verifier, see the chapter "Password changing" in the the info
+# documentation for more information about the protocol used.
+#
+# Three checks
+#  1. Check that password is not the principal name
+#  2. Check that the password passes cracklib
+#  3. Check that password isn't repeated for this principal
+#
+# The repeat check must be last because some clients ask
+# twice when getting "no" back and thus the error message
+# would be wrong.
+#
+# Prereqs (example versions): 
+#
+# * perl (5.8.5) http://www.perl.org/
+# * cracklib (2.8.5) http://sourceforge.net/projects/cracklib
+# * Crypt-Cracklib perlmodule (0.01) http://search.cpan.org/~daniel/
+#
+# Sample dictionaries:
+#     cracklib-words (1.1) http://sourceforge.net/projects/cracklib
+#     miscfiles (1.4.2) http://directory.fsf.org/miscfiles.html
+#
+# Configuration for krb5.conf or kdc.conf
+#
+#   [password_quality]
+#     	policies = builtin:external-check
+#     	external_program = <your-path>/check-cracklib.pl
+#
+# $Id: check-cracklib.pl 20578 2007-05-07 22:21:51Z lha $
+
+use strict;
+use Crypt::Cracklib;
+use Digest::MD5;
+
+# NEED TO CHANGE THESE TO MATCH YOUR SYSTEM
+my $database = '/usr/lib/cracklib_dict';
+my $historydb = '/var/heimdal/historydb';
+# NEED TO CHANGE THESE TO MATCH YOUR SYSTEM
+
+my %params;
+
+sub check_basic
+{
+    my $principal = shift;
+    my $passwd = shift;
+
+    if ($principal eq $passwd) {
+	return "Principal name as password is not allowed";
+    }
+    return "ok";
+}
+
+sub check_repeat
+{
+    my $principal = shift;
+    my $passwd = shift;
+    my $result  = 'Do not reuse passwords';
+    my %DB;
+    my $md5context = new Digest::MD5;
+
+    $md5context->reset();
+    $md5context->add($principal, ":", $passwd);
+
+    my $key=$md5context->hexdigest();
+
+    dbmopen(%DB,$historydb,0600) or die "Internal: Could not open $historydb";
+    $result = "ok" if (!$DB{$key});
+    $DB{$key}=scalar(time());
+    dbmclose(%DB) or die "Internal: Could not close $historydb";
+    return $result;
+}
+
+sub badpassword
+{
+    my $reason = shift;
+    print "$reason\n";
+    exit 0
+}
+
+while (<>) {
+    last if /^end$/;
+    if (!/^([^:]+): (.+)$/) {
+	die "key value pair not correct: $_";
+    }
+    $params{$1} = $2;
+}
+
+die "missing principal" if (!defined $params{'principal'});
+die "missing password" if (!defined $params{'new-password'});
+
+my $reason;
+
+$reason = check_basic($params{'principal'}, $params{'new-password'});
+badpassword($reason) if ($reason ne "ok");
+
+$reason = fascist_check($params{'new-password'}, $database);
+badpassword($reason) if ($reason ne "ok");
+
+$reason = check_repeat($params{'principal'}, $params{'new-password'});
+badpassword($reason) if ($reason ne "ok");
+
+print "APPROVED\n";
+exit 0
diff --git a/crypto/heimdal/lib/kadm5/chpass_c.c b/crypto/heimdal/lib/kadm5/chpass_c.c
index b06b8cd..5319ce9 100644
--- a/crypto/heimdal/lib/kadm5/chpass_c.c
+++ b/crypto/heimdal/lib/kadm5/chpass_c.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000, 2005-2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,12 +33,12 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: chpass_c.c,v 1.5 2000/07/11 15:59:14 joda Exp $");
+RCSID("$Id: chpass_c.c 16661 2006-01-25 12:50:10Z lha $");
 
 kadm5_ret_t
 kadm5_c_chpass_principal(void *server_handle, 
 			 krb5_principal princ,
-			 char *password)
+			 const char *password)
 {
     kadm5_client_context *context = server_handle;
     kadm5_ret_t ret;
@@ -52,8 +52,10 @@ kadm5_c_chpass_principal(void *server_handle,
 	return ret;
 
     sp = krb5_storage_from_mem(buf, sizeof(buf));
-    if (sp == NULL)
+    if (sp == NULL) {
+	krb5_clear_error_string(context->context);
 	return ENOMEM;
+    }
     krb5_store_int32(sp, kadm_chpass);
     krb5_store_principal(sp, princ);
     krb5_store_string(sp, password);
@@ -64,10 +66,12 @@ kadm5_c_chpass_principal(void *server_handle,
 	return ret;
     sp = krb5_storage_from_data (&reply);
     if (sp == NULL) {
+	krb5_clear_error_string(context->context);
 	krb5_data_free (&reply);
 	return ENOMEM;
     }
     krb5_ret_int32(sp, &tmp);
+    krb5_clear_error_string(context->context);
     krb5_storage_free(sp);
     krb5_data_free (&reply);
     return tmp;
@@ -92,8 +96,10 @@ kadm5_c_chpass_principal_with_key(void *server_handle,
 	return ret;
 
     sp = krb5_storage_from_mem(buf, sizeof(buf));
-    if (sp == NULL)
+    if (sp == NULL) {
+	krb5_clear_error_string(context->context);
 	return ENOMEM;
+    }
     krb5_store_int32(sp, kadm_chpass_with_key);
     krb5_store_principal(sp, princ);
     krb5_store_int32(sp, n_key_data);
@@ -106,10 +112,12 @@ kadm5_c_chpass_principal_with_key(void *server_handle,
 	return ret;
     sp = krb5_storage_from_data (&reply);
     if (sp == NULL) {
+	krb5_clear_error_string(context->context);
 	krb5_data_free (&reply);
 	return ENOMEM;
     }
     krb5_ret_int32(sp, &tmp);
+    krb5_clear_error_string(context->context);
     krb5_storage_free(sp);
     krb5_data_free (&reply);
     return tmp;
diff --git a/crypto/heimdal/lib/kadm5/chpass_s.c b/crypto/heimdal/lib/kadm5/chpass_s.c
index a1a4b43..abef28c 100644
--- a/crypto/heimdal/lib/kadm5/chpass_s.c
+++ b/crypto/heimdal/lib/kadm5/chpass_s.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,74 +33,80 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: chpass_s.c,v 1.13.8.1 2003/12/30 15:59:58 lha Exp $");
+RCSID("$Id: chpass_s.c 20608 2007-05-08 07:11:48Z lha $");
 
 static kadm5_ret_t
 change(void *server_handle, 
        krb5_principal princ,
-       char *password,
+       const char *password,
        int cond)
 {
     kadm5_server_context *context = server_handle;
-    hdb_entry ent;
+    hdb_entry_ex ent;
     kadm5_ret_t ret;
     Key *keys;
     size_t num_keys;
     int cmp = 1;
 
-    ent.principal = princ;
-    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    memset(&ent, 0, sizeof(ent));
+    ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0);
     if(ret)
 	return ret;
-    ret = context->db->fetch(context->context, context->db, 
-			     HDB_F_DECRYPT, &ent);
+    ret = context->db->hdb_fetch(context->context, context->db, princ,
+				 HDB_F_DECRYPT|HDB_F_GET_ANY, &ent);
     if(ret == HDB_ERR_NOENTRY)
 	goto out;
 
-    num_keys = ent.keys.len;
-    keys     = ent.keys.val;
+    num_keys = ent.entry.keys.len;
+    keys     = ent.entry.keys.val;
 
-    ent.keys.len = 0;
-    ent.keys.val = NULL;
+    ent.entry.keys.len = 0;
+    ent.entry.keys.val = NULL;
 
-    ret = _kadm5_set_keys(context, &ent, password);
+    ret = _kadm5_set_keys(context, &ent.entry, password);
     if(ret) {
-	_kadm5_free_keys (server_handle, num_keys, keys);
+	_kadm5_free_keys (context->context, num_keys, keys);
 	goto out2;
     }
+    ent.entry.kvno++;
     if (cond)
-	cmp = _kadm5_cmp_keys (ent.keys.val, ent.keys.len,
+	cmp = _kadm5_cmp_keys (ent.entry.keys.val, ent.entry.keys.len,
 			       keys, num_keys);
-    _kadm5_free_keys (server_handle, num_keys, keys);
+    _kadm5_free_keys (context->context, num_keys, keys);
 
     if (cmp == 0) {
 	krb5_set_error_string(context->context, "Password reuse forbidden");
 	ret = KADM5_PASS_REUSE;
- 	goto out2;
+	goto out2;
     }
-    ret = _kadm5_set_modifier(context, &ent);
+
+    ret = _kadm5_set_modifier(context, &ent.entry);
     if(ret)
 	goto out2;
 
-    ret = _kadm5_bump_pw_expire(context, &ent);
+    ret = _kadm5_bump_pw_expire(context, &ent.entry);
+    if (ret)
+	goto out2;
+
+    ret = hdb_seal_keys(context->context, context->db, &ent.entry);
     if (ret)
 	goto out2;
 
-    ret = hdb_seal_keys(context->context, context->db, &ent);
+    ret = context->db->hdb_store(context->context, context->db, 
+				 HDB_F_REPLACE, &ent);
     if (ret)
 	goto out2;
 
     kadm5_log_modify (context,
-		      &ent,
+		      &ent.entry,
 		      KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME |
-		      KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION);
-    
-    ret = context->db->store(context->context, context->db, 
-			     HDB_F_REPLACE, &ent);
+		      KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION |
+		      KADM5_TL_DATA);
+
 out2:
     hdb_free_entry(context->context, &ent);
 out:
-    context->db->close(context->context, context->db);
+    context->db->hdb_close(context->context, context->db);
     return _kadm5_error_code(ret);
 }
 
@@ -113,7 +119,7 @@ out:
 kadm5_ret_t
 kadm5_s_chpass_principal_cond(void *server_handle, 
 			      krb5_principal princ,
-			      char *password)
+			      const char *password)
 {
     return change (server_handle, princ, password, 1);
 }
@@ -125,7 +131,7 @@ kadm5_s_chpass_principal_cond(void *server_handle,
 kadm5_ret_t
 kadm5_s_chpass_principal(void *server_handle, 
 			 krb5_principal princ,
-			 char *password)
+			 const char *password)
 {
     return change (server_handle, princ, password, 0);
 }
@@ -141,39 +147,46 @@ kadm5_s_chpass_principal_with_key(void *server_handle,
 				  krb5_key_data *key_data)
 {
     kadm5_server_context *context = server_handle;
-    hdb_entry ent;
+    hdb_entry_ex ent;
     kadm5_ret_t ret;
-    ent.principal = princ;
-    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+
+    memset(&ent, 0, sizeof(ent));
+    ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0);
     if(ret)
 	return ret;
-    ret = context->db->fetch(context->context, context->db, 0, &ent);
+    ret = context->db->hdb_fetch(context->context, context->db, princ, 
+				 HDB_F_GET_ANY, &ent);
     if(ret == HDB_ERR_NOENTRY)
 	goto out;
-    ret = _kadm5_set_keys2(context, &ent, n_key_data, key_data);
+    ret = _kadm5_set_keys2(context, &ent.entry, n_key_data, key_data);
     if(ret)
 	goto out2;
-    ret = _kadm5_set_modifier(context, &ent);
+    ent.entry.kvno++;
+    ret = _kadm5_set_modifier(context, &ent.entry);
     if(ret)
 	goto out2;
-    ret = _kadm5_bump_pw_expire(context, &ent);
+    ret = _kadm5_bump_pw_expire(context, &ent.entry);
     if (ret)
 	goto out2;
 
-    ret = hdb_seal_keys(context->context, context->db, &ent);
+    ret = hdb_seal_keys(context->context, context->db, &ent.entry);
+    if (ret)
+	goto out2;
+
+    ret = context->db->hdb_store(context->context, context->db, 
+				 HDB_F_REPLACE, &ent);
     if (ret)
 	goto out2;
 
     kadm5_log_modify (context,
-		      &ent,
+		      &ent.entry,
 		      KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME |
-		      KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION);
-    
-    ret = context->db->store(context->context, context->db, 
-			     HDB_F_REPLACE, &ent);
+		      KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION |
+		      KADM5_TL_DATA);
+
 out2:
     hdb_free_entry(context->context, &ent);
 out:
-    context->db->close(context->context, context->db);
+    context->db->hdb_close(context->context, context->db);
     return _kadm5_error_code(ret);
 }
diff --git a/crypto/heimdal/lib/kadm5/client_glue.c b/crypto/heimdal/lib/kadm5/client_glue.c
index 395577d..24d91b3 100644
--- a/crypto/heimdal/lib/kadm5/client_glue.c
+++ b/crypto/heimdal/lib/kadm5/client_glue.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: client_glue.c,v 1.5 1999/12/02 17:05:05 joda Exp $");
+RCSID("$Id: client_glue.c 7464 1999-12-02 17:05:13Z joda $");
 
 kadm5_ret_t
 kadm5_init_with_password(const char *client_name,
diff --git a/crypto/heimdal/lib/kadm5/common_glue.c b/crypto/heimdal/lib/kadm5/common_glue.c
index b508282..48d9d84 100644
--- a/crypto/heimdal/lib/kadm5/common_glue.c
+++ b/crypto/heimdal/lib/kadm5/common_glue.c
@@ -33,14 +33,14 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: common_glue.c,v 1.5 2000/03/23 22:58:26 assar Exp $");
+RCSID("$Id: common_glue.c 17445 2006-05-05 10:37:46Z lha $");
 
 #define __CALL(F, P) (*((kadm5_common_context*)server_handle)->funcs.F)P;
 
 kadm5_ret_t
 kadm5_chpass_principal(void *server_handle,
 		       krb5_principal princ,
-		       char *password)
+		       const char *password)
 {
     return __CALL(chpass_principal, (server_handle, princ, password));
 }
@@ -58,8 +58,8 @@ kadm5_chpass_principal_with_key(void *server_handle,
 kadm5_ret_t
 kadm5_create_principal(void *server_handle,
 		       kadm5_principal_ent_t princ,
-		       u_int32_t mask,
-		       char *password)
+		       uint32_t mask,
+		       const char *password)
 {
     return __CALL(create_principal, (server_handle, princ, mask, password));
 }
@@ -87,7 +87,7 @@ kadm5_ret_t
 kadm5_get_principal(void *server_handle,
 		    krb5_principal princ,
 		    kadm5_principal_ent_t out,
-		    u_int32_t mask)
+		    uint32_t mask)
 {
     return __CALL(get_principal, (server_handle, princ, out, mask));
 }
@@ -95,7 +95,7 @@ kadm5_get_principal(void *server_handle,
 kadm5_ret_t
 kadm5_modify_principal(void *server_handle,
 		       kadm5_principal_ent_t princ,
-		       u_int32_t mask)
+		       uint32_t mask)
 {
     return __CALL(modify_principal, (server_handle, princ, mask));
 }
@@ -119,16 +119,16 @@ kadm5_rename_principal(void *server_handle,
 
 kadm5_ret_t
 kadm5_get_principals(void *server_handle,
-		     const char *exp,
+		     const char *expression,
 		     char ***princs,
 		     int *count)
 {
-    return __CALL(get_principals, (server_handle, exp, princs, count));
+    return __CALL(get_principals, (server_handle, expression, princs, count));
 }
 
 kadm5_ret_t
 kadm5_get_privs(void *server_handle,
-		u_int32_t *privs)
+		uint32_t *privs)
 {
     return __CALL(get_privs, (server_handle, privs));
 }
diff --git a/crypto/heimdal/lib/kadm5/context_s.c b/crypto/heimdal/lib/kadm5/context_s.c
index a5a78e6..6ac7a9c 100644
--- a/crypto/heimdal/lib/kadm5/context_s.c
+++ b/crypto/heimdal/lib/kadm5/context_s.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: context_s.c,v 1.17 2002/08/26 13:28:36 assar Exp $");
+RCSID("$Id: context_s.c 22211 2007-12-07 19:27:27Z lha $");
 
 static void
 set_funcs(kadm5_server_context *c)
@@ -53,121 +53,70 @@ set_funcs(kadm5_server_context *c)
     SET(c, rename_principal);
 }
 
-struct database_spec {
-    char *dbpath;
-    char *logfile;
-    char *mkeyfile;
-    char *aclfile;
-};
-
 static void
-set_field(krb5_context context, krb5_config_binding *binding, 
-	  const char *dbname, const char *name, const char *ext, 
-	  char **variable)
+set_socket_name(krb5_context context, struct sockaddr_un *un)
 {
-    const char *p;
-
-    if (*variable != NULL)
-	free (*variable);
-
-    p = krb5_config_get_string(context, binding, name, NULL);
-    if(p)
-	*variable = strdup(p);
-    else {
-	p = strrchr(dbname, '.');
-	if(p == NULL)
-	    asprintf(variable, "%s.%s", dbname, ext);
-	else
-	    asprintf(variable, "%.*s.%s", (int)(p - dbname), dbname, ext);
-    }
-}
+    const char *fn = kadm5_log_signal_socket(context);
 
-static void
-set_socket_name(const char *dbname, struct sockaddr_un *un)
-{
-    const char *p;
     memset(un, 0, sizeof(*un));
     un->sun_family = AF_UNIX;
-    p = strrchr(dbname, '.');
-    if(p == NULL)
-	snprintf(un->sun_path, sizeof(un->sun_path), "%s.signal", 
-		 dbname);
-    else
-	snprintf(un->sun_path, sizeof(un->sun_path), "%.*s.signal", 
-		 (int)(p - dbname), dbname);
-}
-
-static void
-set_config(kadm5_server_context *ctx,
-	   krb5_config_binding *binding)
-{
-    const char *p;
-    if(ctx->config.dbname == NULL) {
-	p = krb5_config_get_string(ctx->context, binding, "dbname", NULL);
-	if(p)
-	    ctx->config.dbname = strdup(p);
-	else
-	    ctx->config.dbname = strdup(HDB_DEFAULT_DB);
-    }
-    if(ctx->log_context.log_file == NULL)
-	set_field(ctx->context, binding, ctx->config.dbname, 
-		  "log_file", "log", &ctx->log_context.log_file);
-    set_socket_name(ctx->config.dbname, &ctx->log_context.socket_name);
-    if(ctx->config.acl_file == NULL)
-	set_field(ctx->context, binding, ctx->config.dbname, 
-		  "acl_file", "acl", &ctx->config.acl_file);
-    if(ctx->config.stash_file == NULL)
-	set_field(ctx->context, binding, ctx->config.dbname, 
-		  "mkey_file", "mkey", &ctx->config.stash_file);
+    strlcpy (un->sun_path, fn, sizeof(un->sun_path));
 }
 
 static kadm5_ret_t
 find_db_spec(kadm5_server_context *ctx)
 {
-    const krb5_config_binding *top_binding = NULL;
-    krb5_config_binding *db_binding;
-    krb5_config_binding *default_binding = NULL;
     krb5_context context = ctx->context;
+    struct hdb_dbinfo *info, *d;
+    krb5_error_code ret;
 
-    while((db_binding = (krb5_config_binding *)
-	   krb5_config_get_next(context,
-				NULL,
-				&top_binding, 
-				krb5_config_list, 
-				"kdc", 
-				"database",
-				NULL))) {
-	const char *p;
-	p = krb5_config_get_string(context, db_binding, "realm", NULL);
-	if(p == NULL) {
-	    if(default_binding) {
-		krb5_warnx(context, "WARNING: more than one realm-less "
-			   "database specification");
-		krb5_warnx(context, "WARNING: using the first encountered");
-	    } else
-		default_binding = db_binding;
-	    continue;
-	}
-	if(strcmp(ctx->config.realm, p) != 0)
-	    continue;
+    if (ctx->config.realm) {
+	/* fetch the databases */
+	ret = hdb_get_dbinfo(context, &info);
+	if (ret)
+	    return ret;
 	
-	set_config(ctx, db_binding);
-	return 0;
-    }
-    if(default_binding)
-	set_config(ctx, default_binding);
-    else {
-	ctx->config.dbname        = strdup(HDB_DEFAULT_DB);
-	ctx->config.acl_file      = strdup(HDB_DB_DIR "/kadmind.acl");
-	ctx->config.stash_file    = strdup(HDB_DB_DIR "/m-key");
-	ctx->log_context.log_file = strdup(HDB_DB_DIR "/log");
-	memset(&ctx->log_context.socket_name, 0, 
-	       sizeof(ctx->log_context.socket_name));
-	ctx->log_context.socket_name.sun_family = AF_UNIX;
-	strlcpy(ctx->log_context.socket_name.sun_path, 
-		KADM5_LOG_SIGNAL, 
-		sizeof(ctx->log_context.socket_name.sun_path));
+	d = NULL;
+	while ((d = hdb_dbinfo_get_next(info, d)) != NULL) {
+	    const char *p = hdb_dbinfo_get_realm(context, d);
+	    
+	    /* match default (realm-less) */
+	    if(p != NULL && strcmp(ctx->config.realm, p) != 0)
+		continue;
+	    
+	    p = hdb_dbinfo_get_dbname(context, d);
+	    if (p)
+		ctx->config.dbname = strdup(p);
+	    
+	    p = hdb_dbinfo_get_acl_file(context, d);
+	    if (p)
+		ctx->config.acl_file = strdup(p);
+	    
+	    p = hdb_dbinfo_get_mkey_file(context, d);
+	    if (p)
+		ctx->config.stash_file = strdup(p);
+	    
+	    p = hdb_dbinfo_get_log_file(context, d);
+	    if (p)
+		ctx->log_context.log_file = strdup(p);
+	    break;
+	}
+	hdb_free_dbinfo(context, &info);
     }
+
+    /* If any of the values was unset, pick up the default value */
+
+    if (ctx->config.dbname == NULL)
+	ctx->config.dbname = strdup(hdb_default_db(context));
+    if (ctx->config.acl_file == NULL)
+	asprintf(&ctx->config.acl_file, "%s/kadmind.acl", hdb_db_dir(context));
+    if (ctx->config.stash_file == NULL)
+	asprintf(&ctx->config.stash_file, "%s/m-key", hdb_db_dir(context));
+    if (ctx->log_context.log_file == NULL)
+	asprintf(&ctx->log_context.log_file, "%s/log", hdb_db_dir(context));
+
+    set_socket_name(context, &ctx->log_context.socket_name);
+
     return 0;
 }
 
diff --git a/crypto/heimdal/lib/kadm5/create_c.c b/crypto/heimdal/lib/kadm5/create_c.c
index 8d81cb3..903a06a 100644
--- a/crypto/heimdal/lib/kadm5/create_c.c
+++ b/crypto/heimdal/lib/kadm5/create_c.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000, 2005-2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,13 +33,13 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: create_c.c,v 1.4 2000/07/11 15:59:21 joda Exp $");
+RCSID("$Id: create_c.c 17445 2006-05-05 10:37:46Z lha $");
 
 kadm5_ret_t
 kadm5_c_create_principal(void *server_handle,
 			 kadm5_principal_ent_t princ, 
-			 u_int32_t mask,
-			 char *password)
+			 uint32_t mask,
+			 const char *password)
 {
     kadm5_client_context *context = server_handle;
     kadm5_ret_t ret;
@@ -53,8 +53,10 @@ kadm5_c_create_principal(void *server_handle,
 	return ret;
 
     sp = krb5_storage_from_mem(buf, sizeof(buf));
-    if (sp == NULL)
+    if (sp == NULL) {
+	krb5_clear_error_string(context->context);
 	return ENOMEM;
+    }
     krb5_store_int32(sp, kadm_create);
     kadm5_store_principal_ent(sp, princ);
     krb5_store_int32(sp, mask);
@@ -66,10 +68,12 @@ kadm5_c_create_principal(void *server_handle,
 	return ret;
     sp = krb5_storage_from_data (&reply);
     if (sp == NULL) {
+	krb5_clear_error_string(context->context);
 	krb5_data_free (&reply);
 	return ENOMEM;
     }
     krb5_ret_int32(sp, &tmp);
+    krb5_clear_error_string(context->context);
     krb5_storage_free(sp);
     krb5_data_free (&reply);
     return tmp;
diff --git a/crypto/heimdal/lib/kadm5/create_s.c b/crypto/heimdal/lib/kadm5/create_s.c
index 287211b..9465310 100644
--- a/crypto/heimdal/lib/kadm5/create_s.c
+++ b/crypto/heimdal/lib/kadm5/create_s.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: create_s.c,v 1.19 2001/01/30 01:24:28 assar Exp $");
+RCSID("$Id: create_s.c 20607 2007-05-08 07:11:11Z lha $");
 
 static kadm5_ret_t
 get_default(kadm5_server_context *context, krb5_principal princ, 
@@ -56,14 +56,14 @@ get_default(kadm5_server_context *context, krb5_principal princ,
 static kadm5_ret_t
 create_principal(kadm5_server_context *context,
 		 kadm5_principal_ent_t princ,
-		 u_int32_t mask,
-		 hdb_entry *ent,
-		 u_int32_t required_mask,
-		 u_int32_t forbidden_mask)
+		 uint32_t mask,
+		 hdb_entry_ex *ent,
+		 uint32_t required_mask,
+		 uint32_t forbidden_mask)
 {
     kadm5_ret_t ret;
     kadm5_principal_ent_rec defrec, *defent;
-    u_int32_t def_mask;
+    uint32_t def_mask;
     
     if((mask & required_mask) != required_mask)
 	return KADM5_BAD_MASK;
@@ -74,7 +74,7 @@ create_principal(kadm5_server_context *context,
 	return KADM5_UNK_POLICY;
     memset(ent, 0, sizeof(*ent));
     ret  = krb5_copy_principal(context->context, princ->principal, 
-			       &ent->principal);
+			       &ent->entry.principal);
     if(ret)
 	return ret;
     
@@ -94,9 +94,9 @@ create_principal(kadm5_server_context *context,
     if(defent)
 	kadm5_free_principal_ent(context, defent);
     
-    ent->created_by.time = time(NULL);
+    ent->entry.created_by.time = time(NULL);
     ret = krb5_copy_principal(context->context, context->caller, 
-			      &ent->created_by.principal);
+			      &ent->entry.created_by.principal);
 
     return ret;
 }
@@ -104,10 +104,10 @@ create_principal(kadm5_server_context *context,
 kadm5_ret_t
 kadm5_s_create_principal_with_key(void *server_handle,
 				  kadm5_principal_ent_t princ,
-				  u_int32_t mask)
+				  uint32_t mask)
 {
     kadm5_ret_t ret;
-    hdb_entry ent;
+    hdb_entry_ex ent;
     kadm5_server_context *context = server_handle;
 
     ret = create_principal(context, princ, mask, &ent,
@@ -120,21 +120,22 @@ kadm5_s_create_principal_with_key(void *server_handle,
     if(ret)
 	goto out;
 
-    ret = _kadm5_set_keys2(context, &ent, princ->n_key_data, princ->key_data);
-    if(ret)
-	goto out;
-    
-    ret = hdb_seal_keys(context->context, context->db, &ent);
+    if ((mask & KADM5_KVNO) == 0)
+	ent.entry.kvno = 1;
+
+    ret = hdb_seal_keys(context->context, context->db, &ent.entry);
     if (ret)
 	goto out;
     
-    kadm5_log_create (context, &ent);
-
-    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0);
     if(ret)
 	goto out;
-    ret = context->db->store(context->context, context->db, 0, &ent);
-    context->db->close(context->context, context->db);
+    ret = context->db->hdb_store(context->context, context->db, 0, &ent);
+    context->db->hdb_close(context->context, context->db);
+    if (ret)
+	goto out;
+    kadm5_log_create (context, &ent.entry);
+
 out:
     hdb_free_entry(context->context, &ent);
     return _kadm5_error_code(ret);
@@ -144,11 +145,11 @@ out:
 kadm5_ret_t
 kadm5_s_create_principal(void *server_handle,
 			 kadm5_principal_ent_t princ, 
-			 u_int32_t mask,
-			 char *password)
+			 uint32_t mask,
+			 const char *password)
 {
     kadm5_ret_t ret;
-    hdb_entry ent;
+    hdb_entry_ex ent;
     kadm5_server_context *context = server_handle;
 
     ret = create_principal(context, princ, mask, &ent,
@@ -161,37 +162,31 @@ kadm5_s_create_principal(void *server_handle,
     if(ret)
 	goto out;
 
-    /* XXX this should be fixed */
-    ent.keys.len = 4;
-    ent.keys.val = calloc(ent.keys.len, sizeof(*ent.keys.val));
-    ent.keys.val[0].key.keytype = ETYPE_DES_CBC_CRC;
-    /* flag as version 4 compatible salt; ignored by _kadm5_set_keys
-       if we don't want to be compatible */
-    ent.keys.val[0].salt = calloc(1, sizeof(*ent.keys.val[0].salt));
-    ent.keys.val[0].salt->type = hdb_pw_salt;
-    ent.keys.val[1].key.keytype = ETYPE_DES_CBC_MD4;
-    ent.keys.val[1].salt = calloc(1, sizeof(*ent.keys.val[1].salt));
-    ent.keys.val[1].salt->type = hdb_pw_salt;
-    ent.keys.val[2].key.keytype = ETYPE_DES_CBC_MD5;
-    ent.keys.val[2].salt = calloc(1, sizeof(*ent.keys.val[2].salt));
-    ent.keys.val[2].salt->type = hdb_pw_salt;
-    ent.keys.val[3].key.keytype = ETYPE_DES3_CBC_SHA1;
-    ret = _kadm5_set_keys(context, &ent, password);
+    if ((mask & KADM5_KVNO) == 0)
+	ent.entry.kvno = 1;
+
+    ent.entry.keys.len = 0;
+    ent.entry.keys.val = NULL;
+
+    ret = _kadm5_set_keys(context, &ent.entry, password);
     if (ret)
 	goto out;
 
-    ret = hdb_seal_keys(context->context, context->db, &ent);
+    ret = hdb_seal_keys(context->context, context->db, &ent.entry);
     if (ret)
 	goto out;
     
-    kadm5_log_create (context, &ent);
-
-    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0);
     if(ret)
 	goto out;
-    ret = context->db->store(context->context, context->db, 0, &ent);
-    context->db->close(context->context, context->db);
-out:
+    ret = context->db->hdb_store(context->context, context->db, 0, &ent);
+    context->db->hdb_close(context->context, context->db);
+    if (ret)
+	goto out;
+
+    kadm5_log_create (context, &ent.entry);
+
+ out:
     hdb_free_entry(context->context, &ent);
     return _kadm5_error_code(ret);
 }
diff --git a/crypto/heimdal/lib/kadm5/default_keys.c b/crypto/heimdal/lib/kadm5/default_keys.c
new file mode 100644
index 0000000..2a851cd
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/default_keys.c
@@ -0,0 +1,120 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+#include <err.h>
+
+RCSID("$Id: default_keys.c 22494 2008-01-21 11:56:44Z lha $");
+
+static void
+print_keys(krb5_context context, Key *keys, size_t nkeys)
+{
+    krb5_error_code ret;
+    char *str;
+    int i;
+
+    printf("keys:\n");
+
+    for (i = 0; i < nkeys; i++) {
+
+	ret = krb5_enctype_to_string(context, keys[i].key.keytype, &str);
+	if (ret)
+	    krb5_err(context, ret, 1, "krb5_enctype_to_string: %d\n",
+		     (int)keys[i].key.keytype);
+
+	printf("\tenctype %s", str);
+	free(str);
+
+	if (keys[i].salt) {
+	    printf(" salt: ");
+
+	    switch (keys[i].salt->type) {
+	    case KRB5_PW_SALT:
+		printf("pw-salt:");
+		break;
+	    case KRB5_AFS3_SALT:
+		printf("afs3-salt:");
+		break;
+	    default:
+		printf("unknown salt: %d", keys[i].salt->type);
+		break;
+	    }
+	    if (keys[i].salt->salt.length)
+		printf("%.*s", (int)keys[i].salt->salt.length,
+		       (char *)keys[i].salt->salt.data);
+	}	
+	printf("\n");
+    }
+    printf("end keys:\n");
+}
+
+static void
+parse_file(krb5_context context, krb5_principal principal, int no_salt)
+{
+    krb5_error_code ret;
+    size_t nkeys;
+    Key *keys;
+
+    ret = hdb_generate_key_set(context, principal, &keys, &nkeys, no_salt);
+    if (ret)
+	krb5_err(context, 1, ret, "hdb_generate_key_set");
+
+    print_keys(context, keys, nkeys);
+
+    hdb_free_keys(context, nkeys, keys);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_principal principal;
+
+    ret = krb5_init_context(&context);
+    if (ret) 
+	errx(1, "krb5_init_context");
+
+    ret = krb5_parse_name(context, "lha@SU.SE", &principal);
+    if (ret)
+	krb5_err(context, ret, 1, "krb5_parse_name");
+
+    parse_file(context, principal, 0);
+    parse_file(context, principal, 1);
+
+    krb5_free_principal(context, principal);
+
+    krb5_free_context(context);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/delete_c.c b/crypto/heimdal/lib/kadm5/delete_c.c
index 7575c5e..5018fd6 100644
--- a/crypto/heimdal/lib/kadm5/delete_c.c
+++ b/crypto/heimdal/lib/kadm5/delete_c.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: delete_c.c,v 1.4 2000/07/11 15:59:29 joda Exp $");
+RCSID("$Id: delete_c.c 16661 2006-01-25 12:50:10Z lha $");
 
 kadm5_ret_t
 kadm5_c_delete_principal(void *server_handle, krb5_principal princ)
@@ -50,8 +50,10 @@ kadm5_c_delete_principal(void *server_handle, krb5_principal princ)
 	return ret;
 
     sp = krb5_storage_from_mem(buf, sizeof(buf));
-    if (sp == NULL)
+    if (sp == NULL) {
+	krb5_clear_error_string(context->context);
 	return ENOMEM;
+    }
     krb5_store_int32(sp, kadm_delete);
     krb5_store_principal(sp, princ);
     ret = _kadm5_client_send(context, sp);
@@ -63,10 +65,12 @@ kadm5_c_delete_principal(void *server_handle, krb5_principal princ)
 	return ret;
     sp = krb5_storage_from_data (&reply);
     if(sp == NULL) {
+	krb5_clear_error_string(context->context);
 	krb5_data_free (&reply);
 	return ENOMEM;
     }
     krb5_ret_int32(sp, &tmp);
+    krb5_clear_error_string(context->context);
     krb5_storage_free(sp);
     krb5_data_free (&reply);
     return tmp;
diff --git a/crypto/heimdal/lib/kadm5/delete_s.c b/crypto/heimdal/lib/kadm5/delete_s.c
index 2f2bf88..b4e5a37 100644
--- a/crypto/heimdal/lib/kadm5/delete_s.c
+++ b/crypto/heimdal/lib/kadm5/delete_s.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001, 2003, 2005 - 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,40 +33,43 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: delete_s.c,v 1.9 2001/01/30 01:24:28 assar Exp $");
+RCSID("$Id: delete_s.c 20612 2007-05-08 07:13:45Z lha $");
 
 kadm5_ret_t
 kadm5_s_delete_principal(void *server_handle, krb5_principal princ)
 {
     kadm5_server_context *context = server_handle;
     kadm5_ret_t ret;
-    hdb_entry ent;
+    hdb_entry_ex ent;
 
-    ent.principal = princ;
-    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    memset(&ent, 0, sizeof(ent));
+    ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0);
     if(ret) {
 	krb5_warn(context->context, ret, "opening database");
 	return ret;
     }
-    ret = context->db->fetch(context->context, context->db, 
-			     HDB_F_DECRYPT, &ent);
+    ret = context->db->hdb_fetch(context->context, context->db, princ,
+				 HDB_F_DECRYPT|HDB_F_GET_ANY, &ent);
     if(ret == HDB_ERR_NOENTRY)
-	goto out2;
-    if(ent.flags.immutable) {
-	ret = KADM5_PROTECT_PRINCIPAL;
 	goto out;
+    if(ent.entry.flags.immutable) {
+	ret = KADM5_PROTECT_PRINCIPAL;
+	goto out2;
     }
     
-    ret = hdb_seal_keys(context->context, context->db, &ent);
+    ret = hdb_seal_keys(context->context, context->db, &ent.entry);
     if (ret)
-	goto out;
+	goto out2;
+
+    ret = context->db->hdb_remove(context->context, context->db, princ);
+    if (ret)
+	goto out2;
 
     kadm5_log_delete (context, princ);
-    
-    ret = context->db->remove(context->context, context->db, &ent);
-out:
-    hdb_free_entry(context->context, &ent);
+
 out2:
-    context->db->close(context->context, context->db);
+    hdb_free_entry(context->context, &ent);
+out:
+    context->db->hdb_close(context->context, context->db);
     return _kadm5_error_code(ret);
 }
diff --git a/crypto/heimdal/lib/kadm5/destroy_c.c b/crypto/heimdal/lib/kadm5/destroy_c.c
index b42c84c..9ae2e9d 100644
--- a/crypto/heimdal/lib/kadm5/destroy_c.c
+++ b/crypto/heimdal/lib/kadm5/destroy_c.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: destroy_c.c,v 1.3 1999/12/02 17:05:05 joda Exp $");
+RCSID("$Id: destroy_c.c 13198 2003-12-07 19:01:39Z lha $");
 
 kadm5_ret_t 
 kadm5_c_destroy(void *server_handle)
@@ -43,6 +43,10 @@ kadm5_c_destroy(void *server_handle)
     free(context->realm);
     free(context->admin_server);
     close(context->sock);
+    if (context->client_name)
+	free(context->client_name);
+    if (context->service_name)
+	free(context->service_name);
     if (context->ac != NULL)
 	krb5_auth_con_free(context->context, context->ac);
     if(context->my_context)
diff --git a/crypto/heimdal/lib/kadm5/destroy_s.c b/crypto/heimdal/lib/kadm5/destroy_s.c
index a8ad328..edfc6b5 100644
--- a/crypto/heimdal/lib/kadm5/destroy_s.c
+++ b/crypto/heimdal/lib/kadm5/destroy_s.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: destroy_s.c,v 1.6 2000/05/12 15:23:13 assar Exp $");
+RCSID("$Id: destroy_s.c 12880 2003-09-19 00:25:35Z lha $");
 
 /*
  * dealloc a `kadm5_config_params'
@@ -70,7 +70,7 @@ kadm5_s_destroy(void *server_handle)
     kadm5_server_context *context = server_handle;
     krb5_context kcontext = context->context;
 
-    ret = context->db->destroy(kcontext, context->db);
+    ret = context->db->hdb_destroy(kcontext, context->db);
     destroy_kadm5_log_context (&context->log_context);
     destroy_config (&context->config);
     krb5_free_principal (kcontext, context->caller);
diff --git a/crypto/heimdal/lib/kadm5/ent_setup.c b/crypto/heimdal/lib/kadm5/ent_setup.c
index 29fab74..dfc4a9b 100644
--- a/crypto/heimdal/lib/kadm5/ent_setup.c
+++ b/crypto/heimdal/lib/kadm5/ent_setup.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: ent_setup.c,v 1.12 2000/03/23 23:02:35 assar Exp $");
+RCSID("$Id: ent_setup.c 18823 2006-10-22 10:15:53Z lha $");
 
 #define set_value(X, V) do { if((X) == NULL) (X) = malloc(sizeof(*(X))); *(X) = V; } while(0)
 #define set_null(X)     do { if((X) != NULL) free((X)); (X) = NULL; } while (0)
@@ -53,9 +53,65 @@ attr_to_flags(unsigned attr, HDBFlags *flags)
     flags->server =		!(attr & KRB5_KDB_DISALLOW_SVR);
     flags->change_pw = 	       !!(attr & KRB5_KDB_PWCHANGE_SERVICE);
     flags->client =	        1; /* XXX */
+    flags->ok_as_delegate =    !!(attr & KRB5_KDB_OK_AS_DELEGATE);
+    flags->trusted_for_delegation = !!(attr & KRB5_KDB_TRUSTED_FOR_DELEGATION);
+    flags->allow_kerberos4 =   !!(attr & KRB5_KDB_ALLOW_KERBEROS4);
+    flags->allow_digest =      !!(attr & KRB5_KDB_ALLOW_DIGEST);
 }
 
 /*
+ * Modify the `ent' according to `tl_data'.
+ */
+
+static kadm5_ret_t
+perform_tl_data(krb5_context context,
+		HDB *db,
+		hdb_entry_ex *ent, 
+		const krb5_tl_data *tl_data)
+{
+    kadm5_ret_t ret = 0;
+
+    if (tl_data->tl_data_type == KRB5_TL_PASSWORD) {
+	heim_utf8_string pw = tl_data->tl_data_contents;
+
+	if (pw[tl_data->tl_data_length] != '\0')
+	    return KADM5_BAD_TL_TYPE;
+
+	ret = hdb_entry_set_password(context, db, &ent->entry, pw);
+
+    } else if (tl_data->tl_data_type == KRB5_TL_LAST_PWD_CHANGE) {
+	unsigned char *s;
+	time_t t;
+
+	if (tl_data->tl_data_length != 4)
+	    return KADM5_BAD_TL_TYPE;
+
+	s = tl_data->tl_data_contents;
+
+	t = s[0] | (s[1] << 8) | (s[2] << 16) | (s[3] << 24);
+
+	ret = hdb_entry_set_pw_change_time(context, &ent->entry, t);
+
+    } else if (tl_data->tl_data_type == KRB5_TL_EXTENSION) {
+	HDB_extension ext;
+
+	ret = decode_HDB_extension(tl_data->tl_data_contents,
+				   tl_data->tl_data_length,
+				   &ext,
+				   NULL);
+	if (ret)
+	    return KADM5_BAD_TL_TYPE;
+	
+	ret = hdb_replace_extension(context, &ent->entry, &ext);
+	free_HDB_extension(&ext);
+    } else {
+	return KADM5_BAD_TL_TYPE;
+    }
+    return ret;
+}
+
+
+/*
  * Create the hdb entry `ent' based on data from `princ' with
  * `princ_mask' specifying what fields to be gotten from there and
  * `mask' specifying what fields we want filled in.
@@ -63,77 +119,85 @@ attr_to_flags(unsigned attr, HDBFlags *flags)
 
 kadm5_ret_t
 _kadm5_setup_entry(kadm5_server_context *context,
-		   hdb_entry *ent,
-		   u_int32_t mask,
+		   hdb_entry_ex *ent,
+		   uint32_t mask,
 		   kadm5_principal_ent_t princ, 
-		   u_int32_t princ_mask,
+		   uint32_t princ_mask,
 		   kadm5_principal_ent_t def,
-		   u_int32_t def_mask)
+		   uint32_t def_mask)
 {
     if(mask & KADM5_PRINC_EXPIRE_TIME
        && princ_mask & KADM5_PRINC_EXPIRE_TIME) {
 	if (princ->princ_expire_time)
-	    set_value(ent->valid_end, princ->princ_expire_time);
+	    set_value(ent->entry.valid_end, princ->princ_expire_time);
 	else
-	    set_null(ent->valid_end);
+	    set_null(ent->entry.valid_end);
     }
     if(mask & KADM5_PW_EXPIRATION
        && princ_mask & KADM5_PW_EXPIRATION) {
 	if (princ->pw_expiration)
-	    set_value(ent->pw_end, princ->pw_expiration);
+	    set_value(ent->entry.pw_end, princ->pw_expiration);
 	else
-	    set_null(ent->pw_end);
+	    set_null(ent->entry.pw_end);
     }
     if(mask & KADM5_ATTRIBUTES) {
 	if (princ_mask & KADM5_ATTRIBUTES) {
-	    attr_to_flags(princ->attributes, &ent->flags);
+	    attr_to_flags(princ->attributes, &ent->entry.flags);
 	} else if(def_mask & KADM5_ATTRIBUTES) {
-	    attr_to_flags(def->attributes, &ent->flags);
-	    ent->flags.invalid = 0;
+	    attr_to_flags(def->attributes, &ent->entry.flags);
+	    ent->entry.flags.invalid = 0;
 	} else {
-	    ent->flags.client      = 1;
-	    ent->flags.server      = 1;
-	    ent->flags.forwardable = 1;
-	    ent->flags.proxiable   = 1;
-	    ent->flags.renewable   = 1;
-	    ent->flags.postdate    = 1;
+	    ent->entry.flags.client      = 1;
+	    ent->entry.flags.server      = 1;
+	    ent->entry.flags.forwardable = 1;
+	    ent->entry.flags.proxiable   = 1;
+	    ent->entry.flags.renewable   = 1;
+	    ent->entry.flags.postdate    = 1;
 	}
     }
     if(mask & KADM5_MAX_LIFE) {
 	if(princ_mask & KADM5_MAX_LIFE) {
 	    if(princ->max_life)
-	      set_value(ent->max_life, princ->max_life);
+	      set_value(ent->entry.max_life, princ->max_life);
 	    else
-	      set_null(ent->max_life);
+	      set_null(ent->entry.max_life);
 	} else if(def_mask & KADM5_MAX_LIFE) {
 	    if(def->max_life)
-	      set_value(ent->max_life, def->max_life);
+	      set_value(ent->entry.max_life, def->max_life);
 	    else
-	      set_null(ent->max_life);
+	      set_null(ent->entry.max_life);
 	}
     }
     if(mask & KADM5_KVNO
        && princ_mask & KADM5_KVNO)
-	ent->kvno = princ->kvno;
+	ent->entry.kvno = princ->kvno;
     if(mask & KADM5_MAX_RLIFE) {
 	if(princ_mask & KADM5_MAX_RLIFE) {
 	  if(princ->max_renewable_life)
-	    set_value(ent->max_renew, princ->max_renewable_life);
+	    set_value(ent->entry.max_renew, princ->max_renewable_life);
 	  else
-	    set_null(ent->max_renew);
+	    set_null(ent->entry.max_renew);
 	} else if(def_mask & KADM5_MAX_RLIFE) {
 	  if(def->max_renewable_life)
-	    set_value(ent->max_renew, def->max_renewable_life);
+	    set_value(ent->entry.max_renew, def->max_renewable_life);
 	  else
-	    set_null(ent->max_renew);
+	    set_null(ent->entry.max_renew);
 	}
     }
     if(mask & KADM5_KEY_DATA
        && princ_mask & KADM5_KEY_DATA) {
-	_kadm5_set_keys2(context, ent, princ->n_key_data, princ->key_data);
+	_kadm5_set_keys2(context, &ent->entry,
+			 princ->n_key_data, princ->key_data);
     }
     if(mask & KADM5_TL_DATA) {
-	/* XXX */
+	krb5_tl_data *tl;
+
+	for (tl = princ->tl_data; tl != NULL; tl = tl->tl_data_next) {
+	    kadm5_ret_t ret;
+	    ret = perform_tl_data(context->context, context->db, ent, tl);
+	    if (ret)
+		return ret;
+	}
     }
     if(mask & KADM5_FAIL_AUTH_COUNT) {
 	/* XXX */
diff --git a/crypto/heimdal/lib/kadm5/error.c b/crypto/heimdal/lib/kadm5/error.c
index 11b1ded..46211d2 100644
--- a/crypto/heimdal/lib/kadm5/error.c
+++ b/crypto/heimdal/lib/kadm5/error.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: error.c,v 1.3 1999/12/02 17:05:06 joda Exp $");
+RCSID("$Id: error.c 7464 1999-12-02 17:05:13Z joda $");
 
 kadm5_ret_t
 _kadm5_error_code(kadm5_ret_t code)
diff --git a/crypto/heimdal/lib/kadm5/flush.c b/crypto/heimdal/lib/kadm5/flush.c
index 4808259..ad1574f 100644
--- a/crypto/heimdal/lib/kadm5/flush.c
+++ b/crypto/heimdal/lib/kadm5/flush.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: flush.c,v 1.2 1999/12/02 17:05:06 joda Exp $");
+RCSID("$Id: flush.c 7464 1999-12-02 17:05:13Z joda $");
 
 kadm5_ret_t 
 kadm5_s_flush(void *server_handle)
diff --git a/crypto/heimdal/lib/kadm5/flush_c.c b/crypto/heimdal/lib/kadm5/flush_c.c
index 01cdcf7..748a49a 100644
--- a/crypto/heimdal/lib/kadm5/flush_c.c
+++ b/crypto/heimdal/lib/kadm5/flush_c.c
@@ -32,7 +32,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: flush_c.c,v 1.1 1999/03/23 18:23:36 joda Exp $");
+RCSID("$Id: flush_c.c 5723 1999-03-23 18:23:37Z joda $");
 
 kadm5_ret_t 
 kadm5_c_flush(void *server_handle)
diff --git a/crypto/heimdal/lib/kadm5/flush_s.c b/crypto/heimdal/lib/kadm5/flush_s.c
index dffbe2f..9bed0c6 100644
--- a/crypto/heimdal/lib/kadm5/flush_s.c
+++ b/crypto/heimdal/lib/kadm5/flush_s.c
@@ -32,7 +32,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: flush_s.c,v 1.1 1999/03/23 18:23:37 joda Exp $");
+RCSID("$Id: flush_s.c 5723 1999-03-23 18:23:37Z joda $");
 
 kadm5_ret_t 
 kadm5_s_flush(void *server_handle)
diff --git a/crypto/heimdal/lib/kadm5/free.c b/crypto/heimdal/lib/kadm5/free.c
index fcc1e70..1f1740d 100644
--- a/crypto/heimdal/lib/kadm5/free.c
+++ b/crypto/heimdal/lib/kadm5/free.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: free.c,v 1.4 1999/12/02 17:05:06 joda Exp $");
+RCSID("$Id: free.c 7464 1999-12-02 17:05:13Z joda $");
 
 void 
 kadm5_free_key_data(void *server_handle,
diff --git a/crypto/heimdal/lib/kadm5/get_c.c b/crypto/heimdal/lib/kadm5/get_c.c
index 279a77a..5f9724f 100644
--- a/crypto/heimdal/lib/kadm5/get_c.c
+++ b/crypto/heimdal/lib/kadm5/get_c.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000, 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,13 +33,13 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: get_c.c,v 1.6 2000/07/11 15:59:36 joda Exp $");
+RCSID("$Id: get_c.c 17445 2006-05-05 10:37:46Z lha $");
 
 kadm5_ret_t
 kadm5_c_get_principal(void *server_handle, 
 		      krb5_principal princ, 
 		      kadm5_principal_ent_t out, 
-		      u_int32_t mask)
+		      uint32_t mask)
 {
     kadm5_client_context *context = server_handle;
     kadm5_ret_t ret;
@@ -53,8 +53,10 @@ kadm5_c_get_principal(void *server_handle,
 	return ret;
 
     sp = krb5_storage_from_mem(buf, sizeof(buf));
-    if (sp == NULL)
+    if (sp == NULL) {
+	krb5_clear_error_string(context->context);
 	return ENOMEM;
+    }
     krb5_store_int32(sp, kadm_get);
     krb5_store_principal(sp, princ);
     krb5_store_int32(sp, mask);
@@ -67,11 +69,13 @@ kadm5_c_get_principal(void *server_handle,
 	return ret;
     sp = krb5_storage_from_data (&reply);
     if (sp == NULL) {
+	krb5_clear_error_string(context->context);
 	krb5_data_free (&reply);
 	return ENOMEM;
     }
     krb5_ret_int32(sp, &tmp);
     ret = tmp;
+    krb5_clear_error_string(context->context);
     if(ret == 0)
 	kadm5_ret_principal_ent(sp, out);
     krb5_storage_free(sp);
diff --git a/crypto/heimdal/lib/kadm5/get_princs_c.c b/crypto/heimdal/lib/kadm5/get_princs_c.c
index 3536cdf..81a3cfd 100644
--- a/crypto/heimdal/lib/kadm5/get_princs_c.c
+++ b/crypto/heimdal/lib/kadm5/get_princs_c.c
@@ -33,11 +33,11 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: get_princs_c.c,v 1.4 2000/07/11 16:00:19 joda Exp $");
+RCSID("$Id: get_princs_c.c 15484 2005-06-17 05:21:07Z lha $");
 
 kadm5_ret_t
 kadm5_c_get_principals(void *server_handle, 
-		       const char *exp,
+		       const char *expression,
 		       char ***princs, 
 		       int *count)
 {
@@ -56,9 +56,9 @@ kadm5_c_get_principals(void *server_handle,
     if (sp == NULL)
 	return ENOMEM;
     krb5_store_int32(sp, kadm_get_princs);
-    krb5_store_int32(sp, exp != NULL);
-    if(exp)
-	krb5_store_string(sp, exp);
+    krb5_store_int32(sp, expression != NULL);
+    if(expression)
+	krb5_store_string(sp, expression);
     ret = _kadm5_client_send(context, sp);
     krb5_storage_free(sp);
     ret = _kadm5_client_recv(context, &reply);
diff --git a/crypto/heimdal/lib/kadm5/get_princs_s.c b/crypto/heimdal/lib/kadm5/get_princs_s.c
index 2702bae..cab6ef7 100644
--- a/crypto/heimdal/lib/kadm5/get_princs_s.c
+++ b/crypto/heimdal/lib/kadm5/get_princs_s.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: get_princs_s.c,v 1.5 1999/12/02 17:05:06 joda Exp $");
+RCSID("$Id: get_princs_s.c 16378 2005-12-12 12:40:12Z lha $");
 
 struct foreach_data {
     const char *exp;
@@ -55,12 +55,12 @@ add_princ(struct foreach_data *d, char *princ)
 }
 
 static krb5_error_code
-foreach(krb5_context context, HDB *db, hdb_entry *ent, void *data)
+foreach(krb5_context context, HDB *db, hdb_entry_ex *ent, void *data)
 {
     struct foreach_data *d = data;
     char *princ;
     krb5_error_code ret;
-    ret = krb5_unparse_name(context, ent->principal, &princ);
+    ret = krb5_unparse_name(context, ent->entry.principal, &princ);
     if(ret)
 	return ret;
     if(d->exp){
@@ -78,29 +78,29 @@ foreach(krb5_context context, HDB *db, hdb_entry *ent, void *data)
 
 kadm5_ret_t
 kadm5_s_get_principals(void *server_handle, 
-		       const char *exp,
+		       const char *expression,
 		       char ***princs, 
 		       int *count)
 {
     struct foreach_data d;
     kadm5_server_context *context = server_handle;
     kadm5_ret_t ret;
-    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0);
     if(ret) {
 	krb5_warn(context->context, ret, "opening database");
 	return ret;
     }
-    d.exp = exp;
+    d.exp = expression;
     {
 	krb5_realm r;
 	krb5_get_default_realm(context->context, &r);
-	asprintf(&d.exp2, "%s@%s", exp, r);
+	asprintf(&d.exp2, "%s@%s", expression, r);
 	free(r);
     }
     d.princs = NULL;
     d.count = 0;
     ret = hdb_foreach(context->context, context->db, 0, foreach, &d);
-    context->db->close(context->context, context->db);
+    context->db->hdb_close(context->context, context->db);
     if(ret == 0)
 	ret = add_princ(&d, NULL);
     if(ret == 0){
diff --git a/crypto/heimdal/lib/kadm5/get_s.c b/crypto/heimdal/lib/kadm5/get_s.c
index 0851900..5d0db9b 100644
--- a/crypto/heimdal/lib/kadm5/get_s.c
+++ b/crypto/heimdal/lib/kadm5/get_s.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,72 +33,105 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: get_s.c,v 1.13 2000/06/19 16:11:31 joda Exp $");
+RCSID("$Id: get_s.c 21745 2007-07-31 16:11:25Z lha $");
+
+static kadm5_ret_t
+add_tl_data(kadm5_principal_ent_t ent, int16_t type, 
+	    const void *data, size_t size)
+{
+    krb5_tl_data *tl;
+
+    tl = calloc(1, sizeof(*tl));
+    if (tl == NULL)
+	return _kadm5_error_code(ENOMEM);
+
+    tl->tl_data_type = type;
+    tl->tl_data_length = size;
+    tl->tl_data_contents = malloc(size);
+    if (tl->tl_data_contents == NULL) {
+	free(tl);
+	return _kadm5_error_code(ENOMEM);
+    }
+    memcpy(tl->tl_data_contents, data, size);
+
+    tl->tl_data_next = ent->tl_data;
+    ent->tl_data = tl;
+    ent->n_tl_data++;
+
+    return 0;
+}
+
+krb5_ssize_t KRB5_LIB_FUNCTION
+_krb5_put_int(void *buffer, unsigned long value, size_t size); /* XXX */
 
 kadm5_ret_t
 kadm5_s_get_principal(void *server_handle, 
 		      krb5_principal princ, 
 		      kadm5_principal_ent_t out, 
-		      u_int32_t mask)
+		      uint32_t mask)
 {
     kadm5_server_context *context = server_handle;
     kadm5_ret_t ret;
-    hdb_entry ent;
+    hdb_entry_ex ent;
     
-    ent.principal = princ;
-    ret = context->db->open(context->context, context->db, O_RDONLY, 0);
+    memset(&ent, 0, sizeof(ent));
+    ret = context->db->hdb_open(context->context, context->db, O_RDONLY, 0);
     if(ret)
 	return ret;
-    ret = context->db->fetch(context->context, context->db, 
-			     HDB_F_DECRYPT, &ent);
-    context->db->close(context->context, context->db);
+    ret = context->db->hdb_fetch(context->context, context->db, princ,
+				 HDB_F_DECRYPT|HDB_F_GET_ANY, &ent);
+    context->db->hdb_close(context->context, context->db);
     if(ret)
 	return _kadm5_error_code(ret);
 
     memset(out, 0, sizeof(*out));
     if(mask & KADM5_PRINCIPAL)
-	ret  = krb5_copy_principal(context->context, ent.principal, 
+	ret  = krb5_copy_principal(context->context, ent.entry.principal, 
 				   &out->principal);
     if(ret)
 	goto out;
-    if(mask & KADM5_PRINC_EXPIRE_TIME && ent.valid_end)
-	out->princ_expire_time = *ent.valid_end;
-    if(mask & KADM5_PW_EXPIRATION && ent.pw_end)
-	out->pw_expiration = *ent.pw_end;
+    if(mask & KADM5_PRINC_EXPIRE_TIME && ent.entry.valid_end)
+	out->princ_expire_time = *ent.entry.valid_end;
+    if(mask & KADM5_PW_EXPIRATION && ent.entry.pw_end)
+	out->pw_expiration = *ent.entry.pw_end;
     if(mask & KADM5_LAST_PWD_CHANGE)
-	/* XXX implement */;
+	hdb_entry_get_pw_change_time(&ent.entry, &out->last_pwd_change);
     if(mask & KADM5_ATTRIBUTES){
-	out->attributes |= ent.flags.postdate ? 0 : KRB5_KDB_DISALLOW_POSTDATED;
-	out->attributes |= ent.flags.forwardable ? 0 : KRB5_KDB_DISALLOW_FORWARDABLE;
-	out->attributes |= ent.flags.initial ? KRB5_KDB_DISALLOW_TGT_BASED : 0;
-	out->attributes |= ent.flags.renewable ? 0 : KRB5_KDB_DISALLOW_RENEWABLE;
-	out->attributes |= ent.flags.proxiable ? 0 : KRB5_KDB_DISALLOW_PROXIABLE;
-	out->attributes |= ent.flags.invalid ? KRB5_KDB_DISALLOW_ALL_TIX : 0;
-	out->attributes |= ent.flags.require_preauth ? KRB5_KDB_REQUIRES_PRE_AUTH : 0;
-	out->attributes |= ent.flags.server ? 0 : KRB5_KDB_DISALLOW_SVR;
-	out->attributes |= ent.flags.change_pw ? KRB5_KDB_PWCHANGE_SERVICE : 0;
+	out->attributes |= ent.entry.flags.postdate ? 0 : KRB5_KDB_DISALLOW_POSTDATED;
+	out->attributes |= ent.entry.flags.forwardable ? 0 : KRB5_KDB_DISALLOW_FORWARDABLE;
+	out->attributes |= ent.entry.flags.initial ? KRB5_KDB_DISALLOW_TGT_BASED : 0;
+	out->attributes |= ent.entry.flags.renewable ? 0 : KRB5_KDB_DISALLOW_RENEWABLE;
+	out->attributes |= ent.entry.flags.proxiable ? 0 : KRB5_KDB_DISALLOW_PROXIABLE;
+	out->attributes |= ent.entry.flags.invalid ? KRB5_KDB_DISALLOW_ALL_TIX : 0;
+	out->attributes |= ent.entry.flags.require_preauth ? KRB5_KDB_REQUIRES_PRE_AUTH : 0;
+	out->attributes |= ent.entry.flags.server ? 0 : KRB5_KDB_DISALLOW_SVR;
+	out->attributes |= ent.entry.flags.change_pw ? KRB5_KDB_PWCHANGE_SERVICE : 0;
+	out->attributes |= ent.entry.flags.ok_as_delegate ? KRB5_KDB_OK_AS_DELEGATE : 0;
+	out->attributes |= ent.entry.flags.trusted_for_delegation ? KRB5_KDB_TRUSTED_FOR_DELEGATION : 0;
+	out->attributes |= ent.entry.flags.allow_kerberos4 ? KRB5_KDB_ALLOW_KERBEROS4 : 0;
+	out->attributes |= ent.entry.flags.allow_digest ? KRB5_KDB_ALLOW_DIGEST : 0;
     }
     if(mask & KADM5_MAX_LIFE) {
-	if(ent.max_life)
-	    out->max_life = *ent.max_life;
+	if(ent.entry.max_life)
+	    out->max_life = *ent.entry.max_life;
 	else
 	    out->max_life = INT_MAX;
     }
     if(mask & KADM5_MOD_TIME) {
-	if(ent.modified_by)
-	    out->mod_date = ent.modified_by->time;
+	if(ent.entry.modified_by)
+	    out->mod_date = ent.entry.modified_by->time;
 	else
-	    out->mod_date = ent.created_by.time;
+	    out->mod_date = ent.entry.created_by.time;
     }
     if(mask & KADM5_MOD_NAME) {
-	if(ent.modified_by) {
-	    if (ent.modified_by->principal != NULL)
+	if(ent.entry.modified_by) {
+	    if (ent.entry.modified_by->principal != NULL)
 		ret = krb5_copy_principal(context->context, 
-					  ent.modified_by->principal,
+					  ent.entry.modified_by->principal,
 					  &out->mod_name);
-	} else if(ent.created_by.principal != NULL)
+	} else if(ent.entry.created_by.principal != NULL)
 	    ret = krb5_copy_principal(context->context, 
-				      ent.created_by.principal,
+				      ent.entry.created_by.principal,
 				      &out->mod_name);
 	else
 	    out->mod_name = NULL;
@@ -107,13 +140,13 @@ kadm5_s_get_principal(void *server_handle,
 	goto out;
 
     if(mask & KADM5_KVNO)
-	out->kvno = ent.kvno;
+	out->kvno = ent.entry.kvno;
     if(mask & KADM5_MKVNO) {
 	int n;
 	out->mkvno = 0; /* XXX */
-	for(n = 0; n < ent.keys.len; n++)
-	    if(ent.keys.val[n].mkvno) {
-		out->mkvno = *ent.keys.val[n].mkvno; /* XXX this isn't right */
+	for(n = 0; n < ent.entry.keys.len; n++)
+	    if(ent.entry.keys.val[n].mkvno) {
+		out->mkvno = *ent.entry.keys.val[n].mkvno; /* XXX this isn't right */
 		break;
 	    }
     }
@@ -122,8 +155,8 @@ kadm5_s_get_principal(void *server_handle,
     if(mask & KADM5_POLICY)
 	out->policy = NULL;
     if(mask & KADM5_MAX_RLIFE) {
-	if(ent.max_renew)
-	    out->max_renewable_life = *ent.max_renew;
+	if(ent.entry.max_renew)
+	    out->max_renewable_life = *ent.entry.max_renew;
 	else
 	    out->max_renewable_life = INT_MAX;
     }
@@ -139,13 +172,17 @@ kadm5_s_get_principal(void *server_handle,
 	krb5_key_data *kd;
 	krb5_salt salt;
 	krb5_data *sp;
-	krb5_get_pw_salt(context->context, ent.principal, &salt);
-	out->key_data = malloc(ent.keys.len * sizeof(*out->key_data));
-	for(i = 0; i < ent.keys.len; i++){
-	    key = &ent.keys.val[i];
+	krb5_get_pw_salt(context->context, ent.entry.principal, &salt);
+	out->key_data = malloc(ent.entry.keys.len * sizeof(*out->key_data));
+	if (out->key_data == NULL) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+	for(i = 0; i < ent.entry.keys.len; i++){
+	    key = &ent.entry.keys.val[i];
 	    kd = &out->key_data[i];
 	    kd->key_data_ver = 2;
-	    kd->key_data_kvno = ent.kvno;
+	    kd->key_data_kvno = ent.entry.kvno;
 	    kd->key_data_type[0] = key->key.keytype;
 	    if(key->salt)
 		kd->key_data_type[1] = key->salt->type;
@@ -182,8 +219,64 @@ kadm5_s_get_principal(void *server_handle,
 	kadm5_free_principal_ent(context, out);
 	goto out;
     }
-    if(mask & KADM5_TL_DATA)
-	/* XXX implement */;
+    if(mask & KADM5_TL_DATA) {
+	time_t last_pw_expire;
+	const HDB_Ext_Aliases *aliases;
+
+	ret = hdb_entry_get_pw_change_time(&ent.entry, &last_pw_expire);
+	if (ret == 0 && last_pw_expire) {
+	    unsigned char buf[4];
+	    _krb5_put_int(buf, last_pw_expire, sizeof(buf));
+	    ret = add_tl_data(out, KRB5_TL_LAST_PWD_CHANGE, buf, sizeof(buf));
+	}
+	if(ret){
+	    kadm5_free_principal_ent(context, out);
+	    goto out;
+	}
+	/* 
+	 * If the client was allowed to get key data, let it have the
+	 * password too.
+	 */
+	if(mask & KADM5_KEY_DATA) {
+	    heim_utf8_string pw;
+
+	    ret = hdb_entry_get_password(context->context, 
+					 context->db, &ent.entry, &pw);
+	    if (ret == 0) {
+		ret = add_tl_data(out, KRB5_TL_PASSWORD, pw, strlen(pw) + 1);
+		free(pw);
+	    }
+	    krb5_clear_error_string(context->context);
+	    ret = 0;
+	}
+
+	ret = hdb_entry_get_aliases(&ent.entry, &aliases);
+	if (ret == 0 && aliases) {
+	    krb5_data buf;
+	    size_t len;
+
+	    ASN1_MALLOC_ENCODE(HDB_Ext_Aliases, buf.data, buf.length,
+			       aliases, &len, ret);
+	    if (ret) {
+		kadm5_free_principal_ent(context, out);
+		goto out;
+	    }
+	    if (len != buf.length)
+		krb5_abortx(context->context,
+			    "internal ASN.1 encoder error");
+	    ret = add_tl_data(out, KRB5_TL_ALIASES, buf.data, buf.length);
+	    free(buf.data);
+	    if (ret) {
+		kadm5_free_principal_ent(context, out);
+		goto out;
+	    }
+	}
+	if(ret){
+	    kadm5_free_principal_ent(context, out);
+	    goto out;
+	}
+
+    }
 out:
     hdb_free_entry(context->context, &ent);
 
diff --git a/crypto/heimdal/lib/kadm5/init_c.c b/crypto/heimdal/lib/kadm5/init_c.c
index 05b7adb..be53992 100644
--- a/crypto/heimdal/lib/kadm5/init_c.c
+++ b/crypto/heimdal/lib/kadm5/init_c.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -37,7 +37,7 @@
 #include <netinet/in.h>
 #include <netdb.h>
 
-RCSID("$Id: init_c.c,v 1.45.2.1 2003/12/21 22:48:13 lha Exp $");
+RCSID("$Id: init_c.c 21972 2007-10-18 19:11:15Z lha $");
 
 static void
 set_funcs(kadm5_client_context *c)
@@ -99,9 +99,9 @@ _kadm5_c_init_context(kadm5_client_context **ctx,
     }
 
     if ((*ctx)->admin_server == NULL) {
-	return ENOMEM;
 	free((*ctx)->realm);
 	free(*ctx);
+	return ENOMEM;
     }
     colon = strchr ((*ctx)->admin_server, ':');
     if (colon != NULL)
@@ -154,19 +154,21 @@ get_new_cache(krb5_context context,
 {
     krb5_error_code ret;
     krb5_creds cred;
-    krb5_get_init_creds_opt opt;
+    krb5_get_init_creds_opt *opt;
     krb5_ccache id;
     
-    krb5_get_init_creds_opt_init (&opt);
+    ret = krb5_get_init_creds_opt_alloc (context, &opt);
+    if (ret)
+	return ret;
 
     krb5_get_init_creds_opt_set_default_flags(context, "kadmin", 
 					      krb5_principal_get_realm(context, 
 								       client), 
-					      &opt);
+					      opt);
 
 
-    krb5_get_init_creds_opt_set_forwardable (&opt, FALSE);
-    krb5_get_init_creds_opt_set_proxiable (&opt, FALSE);
+    krb5_get_init_creds_opt_set_forwardable (opt, FALSE);
+    krb5_get_init_creds_opt_set_proxiable (opt, FALSE);
 
     if(password == NULL && prompter == NULL) {
 	krb5_keytab kt;
@@ -174,15 +176,17 @@ get_new_cache(krb5_context context,
 	    ret = krb5_kt_default(context, &kt);
 	else
 	    ret = krb5_kt_resolve(context, keytab, &kt);
-	if(ret) 
+	if(ret) {
+	    krb5_get_init_creds_opt_free(context, opt);
 	    return ret;
+	}
 	ret = krb5_get_init_creds_keytab (context,
 					  &cred,
 					  client,
 					  kt,
 					  0,
 					  server_name,
-					  &opt);
+					  opt);
 	krb5_kt_close(context, kt);
     } else {
 	ret = krb5_get_init_creds_password (context,
@@ -193,8 +197,9 @@ get_new_cache(krb5_context context,
 					    NULL,
 					    0,
 					    server_name,
-					    &opt);
+					    opt);
     }
+    krb5_get_init_creds_opt_free(context, opt);
     switch(ret){
     case 0:
 	break;
@@ -214,20 +219,102 @@ get_new_cache(krb5_context context,
     ret = krb5_cc_store_cred (context, id, &cred);
     if (ret)
 	return ret;
-    krb5_free_creds_contents (context, &cred);
+    krb5_free_cred_contents (context, &cred);
     *ret_cache = id;
     return 0;
 }
 
+/*
+ * Check the credential cache `id´ to figure out what principal to use
+ * when talking to the kadmind. If there is a initial kadmin/admin@
+ * credential in the cache, use that client principal. Otherwise, use
+ * the client principals first component and add /admin to the
+ * principal.
+ */
+
 static krb5_error_code
-get_cred_cache(krb5_context context,
-	       const char *client_name,
-	       const char *server_name,
-	       const char *password,
-	       krb5_prompter_fct prompter,
-	       const char *keytab,
-	       krb5_ccache ccache,
-	       krb5_ccache *ret_cache)
+get_cache_principal(krb5_context context,
+		    krb5_ccache *id,
+		    krb5_principal *client)
+{
+    krb5_error_code ret;
+    const char *name, *inst;
+    krb5_principal p1, p2;
+
+    ret = krb5_cc_default(context, id);
+    if(ret) {
+	*id = NULL;
+	return ret;
+    }
+    
+    ret = krb5_cc_get_principal(context, *id, &p1);
+    if(ret) {
+	krb5_cc_close(context, *id);
+	*id = NULL;
+	return ret;
+    }
+
+    ret = krb5_make_principal(context, &p2, NULL, 
+			      "kadmin", "admin", NULL);
+    if (ret) {
+	krb5_cc_close(context, *id);
+	*id = NULL;
+	krb5_free_principal(context, p1);
+	return ret;
+    }
+
+    {
+	krb5_creds in, *out;
+	krb5_kdc_flags flags;
+
+	flags.i = 0;
+	memset(&in, 0, sizeof(in));
+
+	in.client = p1;
+	in.server = p2;
+
+	/* check for initial ticket kadmin/admin */
+	ret = krb5_get_credentials_with_flags(context, KRB5_GC_CACHED, flags,
+					      *id, &in, &out);
+	krb5_free_principal(context, p2);
+	if (ret == 0) {
+	    if (out->flags.b.initial) {
+		*client = p1;
+		krb5_free_creds(context, out);
+		return 0;
+	    }
+	    krb5_free_creds(context, out);
+	}
+    }
+    krb5_cc_close(context, *id);
+    *id = NULL;
+
+    name = krb5_principal_get_comp_string(context, p1, 0);
+    inst = krb5_principal_get_comp_string(context, p1, 1);
+    if(inst == NULL || strcmp(inst, "admin") != 0) {
+	ret = krb5_make_principal(context, &p2, NULL, name, "admin", NULL);
+	krb5_free_principal(context, p1);
+	if(ret != 0)
+	    return ret;
+
+	*client = p2;
+	return 0;
+    }
+
+    *client = p1;
+
+    return 0;
+}
+
+krb5_error_code
+_kadm5_c_get_cred_cache(krb5_context context,
+			const char *client_name,
+			const char *server_name,
+			const char *password,
+			krb5_prompter_fct prompter,
+			const char *keytab,
+			krb5_ccache ccache,
+			krb5_ccache *ret_cache)
 {
     krb5_error_code ret;
     krb5_ccache id = NULL;
@@ -245,70 +332,43 @@ get_cred_cache(krb5_context context,
 	    return ret;
     }
 
-    if(password != NULL || prompter != NULL) {
+    if(ccache != NULL) {
+	id = ccache;
+	ret = krb5_cc_get_principal(context, id, &client);
+	if(ret)
+	    return ret;
+    } else {
 	/* get principal from default cache, ok if this doesn't work */
-	ret = krb5_cc_default(context, &id);
-	if(ret == 0) {
-	    ret = krb5_cc_get_principal(context, id, &default_client);
-	    if(ret) {
-		krb5_cc_close(context, id);
-		id = NULL;
-	    } else {
-		const char *name, *inst;
-		krb5_principal tmp;
-		name = krb5_principal_get_comp_string(context, 
-						      default_client, 0);
-		inst = krb5_principal_get_comp_string(context, 
-						      default_client, 1);
-		if(inst == NULL || strcmp(inst, "admin") != 0) {
-		    ret = krb5_make_principal(context, &tmp, NULL, 
-					      name, "admin", NULL);
-		    if(ret != 0) {
-			krb5_free_principal(context, default_client);
-			krb5_cc_close(context, id);
-			return ret;
-		    }
-		    krb5_free_principal(context, default_client);
-		    default_client = tmp;
-		    krb5_cc_close(context, id);
-		    id = NULL;
-		}
-	    }
-	}
 
-	if (client != NULL) {
-	    /* A client was specified by the caller. */
-	    if (default_client != NULL) {
-		krb5_free_principal(context, default_client);
-		default_client = NULL;
-	    }
-	}
-	else if (default_client != NULL)
-	    /* No client was specified by the caller, but we have a
-	     * client from the default credentials cache.
-	     */
-	    client = default_client;
-	else {
-	    /* No client was specified by the caller and we cannot determine
-	     * the client from a credentials cache.
+	ret = get_cache_principal(context, &id, &default_client);
+	if (ret) {
+	    /* 
+	     * No client was specified by the caller and we cannot
+	     * determine the client from a credentials cache.
 	     */
 	    const char *user;
 
 	    user = get_default_username ();
 
-	    if(user == NULL)
+	    if(user == NULL) {
+		krb5_set_error_string(context, "Unable to find local user name");
 		return KADM5_FAILURE;
-	    ret = krb5_make_principal(context, &client, 
+	    }
+	    ret = krb5_make_principal(context, &default_client, 
 				      NULL, user, "admin", NULL);
 	    if(ret)
 		return ret;
-	    if (id != NULL) {
-		krb5_cc_close(context, id);
-		id = NULL;
-	    }
 	}
-    } else if(ccache != NULL)
-	id = ccache;
+    }
+
+
+    /*
+     * No client was specified by the caller, but we have a client
+     * from the default credentials cache.
+     */
+    if (client == NULL && default_client != NULL)
+	client = default_client;
+
     
     if(id && (default_client == NULL || 
 	      krb5_principal_compare(context, client, default_client))) {
@@ -325,7 +385,7 @@ get_cred_cache(krb5_context context,
 	    return -1;
     }
     /* get creds via AS request */
-    if(id)
+    if(id && (id != ccache))
 	krb5_cc_close(context, id);
     if (client != default_client)
 	krb5_free_principal(context, default_client);
@@ -363,14 +423,17 @@ kadm_connect(kadm5_client_context *ctx)
 	hostname = slash + 1;
 
     error = getaddrinfo (hostname, portstr, &hints, &ai);
-    if (error) 
+    if (error) {
+	krb5_clear_error_string(context);
 	return KADM5_BAD_SERVER_NAME;
+    }
     
     for (a = ai; a != NULL; a = a->ai_next) {
 	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
 	if (s < 0)
 	    continue;
 	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
+	    krb5_clear_error_string(context);
 	    krb5_warn (context, errno, "connect(%s)", hostname);
 	    close (s);
 	    continue;
@@ -379,12 +442,15 @@ kadm_connect(kadm5_client_context *ctx)
     }
     if (a == NULL) {
 	freeaddrinfo (ai);
+	krb5_clear_error_string(context);
 	krb5_warnx (context, "failed to contact %s", hostname);
 	return KADM5_FAILURE;
     }
-    ret = get_cred_cache(context, ctx->client_name, ctx->service_name, 
-			 NULL, ctx->prompter, ctx->keytab, 
-			 ctx->ccache, &cc);
+    ret = _kadm5_c_get_cred_cache(context,
+				  ctx->client_name, 
+				  ctx->service_name, 
+				  NULL, ctx->prompter, ctx->keytab, 
+				  ctx->ccache, &cc);
     
     if(ret) {
 	freeaddrinfo (ai);
@@ -400,6 +466,7 @@ kadm_connect(kadm5_client_context *ctx)
     if (service_name == NULL) {
 	freeaddrinfo (ai);
 	close(s);
+	krb5_clear_error_string(context);
 	return ENOMEM;
     }
 
@@ -443,11 +510,13 @@ kadm_connect(kadm5_client_context *ctx)
 	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
 	if (s < 0) {
 	    freeaddrinfo (ai);
+	    krb5_clear_error_string(context);
 	    return errno;
 	}
 	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
 	    close (s);
 	    freeaddrinfo (ai);
+	    krb5_clear_error_string(context);
 	    return errno;
 	}
 	ret = krb5_sendauth(context, &ctx->ac, &s, 
@@ -464,10 +533,6 @@ kadm_connect(kadm5_client_context *ctx)
     krb5_free_principal(context, server);
     if(ctx->ccache == NULL)
 	krb5_cc_close(context, cc);
-    if(ret) {
-	close(s);
-	return ret;
-    }
     ctx->sock = s;
     
     return 0;
@@ -504,8 +569,10 @@ kadm5_c_init_with_context(krb5_context context,
 	return ret;
 
     if(password != NULL && *password != '\0') {
-	ret = get_cred_cache(context, client_name, service_name, 
-			     password, prompter, keytab, ccache, &cc);
+	ret = _kadm5_c_get_cred_cache(context, 
+				      client_name,
+				      service_name, 
+				      password, prompter, keytab, ccache, &cc);
 	if(ret)
 	    return ret; /* XXX */
 	ccache = cc;
diff --git a/crypto/heimdal/lib/kadm5/init_s.c b/crypto/heimdal/lib/kadm5/init_s.c
index bf5d036..dee464b 100644
--- a/crypto/heimdal/lib/kadm5/init_s.c
+++ b/crypto/heimdal/lib/kadm5/init_s.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: init_s.c,v 1.10 2000/12/31 08:01:16 assar Exp $");
+RCSID("$Id: init_s.c 9441 2000-12-31 08:01:16Z assar $");
 
 
 static kadm5_ret_t 
diff --git a/crypto/heimdal/lib/kadm5/iprop-commands.in b/crypto/heimdal/lib/kadm5/iprop-commands.in
new file mode 100644
index 0000000..438594e
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/iprop-commands.in
@@ -0,0 +1,130 @@
+/*
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+/* $Id: iprop-commands.in 20602 2007-05-08 03:08:35Z lha $ */
+
+command = {
+	name = "dump"
+	option = {
+		long = "config-file"
+		short = "c"
+		type = "string"
+		help = "configuration file"
+		argument = "file"
+	}
+	option = {
+		long = "realm"
+		short = "r"
+		type = "string"
+		help = "realm"
+	}
+	function = "iprop_dump"
+	help = "Prints the iprop transaction log in text."
+	max_args = "0"
+}
+command = {
+	name = "truncate"
+	option = {
+		long = "config-file"
+		short = "c"
+		type = "string"
+		help = "configuration file"
+		argument = "file"
+	}
+	option = {
+		long = "realm"
+		short = "r"
+		type = "string"
+		help = "realm"
+	}
+	function = "iprop_truncate"
+	help = "Truncate the log, preserve the version number."
+	max_args = "0"
+}
+command = {
+	name = "replay"
+	option = {
+		long = "start-version"
+		type = "integer"
+		help = "start replay with this version"
+		argument = "version-number"
+		default = "-1"
+	}
+	option = {
+		long = "end-version"
+		type = "integer"
+		help = "end replay with this version"
+		argument = "version-number"
+		default = "-1"
+	}
+	option = {
+		long = "config-file"
+		short = "c"
+		type = "string"
+		help = "configuration file"
+		argument = "file"
+	}
+	option = {
+		long = "realm"
+		short = "r"
+		type = "string"
+		help = "realm"
+	}
+	function = "iprop_replay"
+	help = "Replay the log on the database."
+	max_args = "0"
+}
+command = {
+	name = "last-version"
+	option = {
+		long = "config-file"
+		short = "c"
+		type = "string"
+		help = "configuration file"
+		argument = "file"
+	}
+	option = {
+		long = "realm"
+		short = "r"
+		type = "string"
+		help = "realm"
+	}
+	function = "last_version"
+	help = "Print the last version of the log-file."
+	max_args = "0"
+}
+command = {
+	name = "help"
+	argument = "command"
+	max_args = "1"
+	function = "help"
+}
diff --git a/crypto/heimdal/lib/kadm5/iprop-log.8 b/crypto/heimdal/lib/kadm5/iprop-log.8
new file mode 100644
index 0000000..599046b
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/iprop-log.8
@@ -0,0 +1,170 @@
+.\" $Id: iprop-log.8 21713 2007-07-27 14:38:49Z lha $
+.\" 
+.\" Copyright (c) 2005 - 2007 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved. 
+.\"
+.\" Redistribution and use in source and binary forms, with or without 
+.\" modification, are permitted provided that the following conditions 
+.\" are met: 
+.\"
+.\" 1. Redistributions of source code must retain the above copyright 
+.\"    notice, this list of conditions and the following disclaimer. 
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright 
+.\"    notice, this list of conditions and the following disclaimer in the 
+.\"    documentation and/or other materials provided with the distribution. 
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors 
+.\"    may be used to endorse or promote products derived from this software 
+.\"    without specific prior written permission. 
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+.\" SUCH DAMAGE. 
+.\"
+.\"	$Id: iprop-log.8 21713 2007-07-27 14:38:49Z lha $
+.\"
+.Dd February 18, 2007
+.Dt IPROP-LOG 8
+.Os Heimdal
+.Sh NAME
+.Nm iprop-log
+.Nd
+maintain the iprop log file
+.Sh SYNOPSIS
+.Nm
+.Op Fl -version
+.Op Fl h | Fl -help
+.Ar command
+.Pp
+.Nm iprop-log truncate
+.Oo Fl c Ar file \*(Ba Xo
+.Fl -config-file= Ns Ar file
+.Xc
+.Oc
+.Oo Fl r Ar string \*(Ba Xo
+.Fl -realm= Ns Ar string
+.Xc
+.Oc
+.Op Fl h | Fl -help
+.Pp
+.Nm iprop-log dump
+.Oo Fl c Ar file \*(Ba Xo
+.Fl -config-file= Ns Ar file
+.Xc
+.Oc
+.Oo Fl r Ar string \*(Ba Xo
+.Fl -realm= Ns Ar string
+.Xc
+.Oc
+.Op Fl h | Fl -help
+.Pp
+.Nm iprop-log replay
+.Op Fl -start-version= Ns Ar version-number
+.Op Fl -end-version= Ns Ar version-number
+.Oo Fl c Ar file \*(Ba Xo
+.Fl -config-file= Ns Ar file
+.Xc
+.Oc
+.Oo Fl r Ar string \*(Ba Xo
+.Fl -realm= Ns Ar string
+.Xc
+.Oc
+.Op Fl h | Fl -help
+.Sh DESCRIPTION
+Supported options:
+.Bl -tag -width Ds
+.It Xo
+.Fl -version
+.Xc
+.It Xo
+.Fl h ,
+.Fl -help
+.Xc
+.El
+.Pp
+command can be one of the following:
+.Bl -tag -width truncate
+.It truncate
+.Bl -tag -width Ds
+.It Xo
+.Fl c Ar file ,
+.Fl -config-file= Ns Ar file
+.Xc
+configuration file
+.It Xo
+.Fl r Ar string ,
+.Fl -realm= Ns Ar string
+.Xc
+realm
+.El
+.Pp
+Truncates the log. Sets the new logs version number for the to the
+last entry of the old log.  If the log is truncted by emptying the
+file, the log will start over at the first version (0).
+.It dump
+.Bl -tag -width Ds
+.It Xo
+.Fl c Ar file ,
+.Fl -config-file= Ns Ar file
+.Xc
+configuration file
+.It Xo
+.Fl r Ar string ,
+.Fl -realm= Ns Ar string
+.Xc
+realm
+.El
+.Pp
+Print out all entires in the log to standard output.
+.It replay
+.Bl -tag -width Ds
+.It Xo
+.Fl -start-version= Ns Ar version-number
+.Xc
+start replay with this version
+.It Xo
+.Fl -end-version= Ns Ar version-number
+.Xc
+end replay with this version
+.It Xo
+.Fl c Ar file ,
+.Fl -config-file= Ns Ar file
+.Xc
+configuration file
+.It Xo
+.Fl r Ar string ,
+.Fl -realm= Ns Ar string
+.Xc
+realm
+.El
+.Pp
+Replay the changes from specified entries (or all if none is
+specified) in the transaction log to the database.
+.It last-version
+.Bl -tag -width Ds
+.It Xo
+.Fl c Ar file ,
+.Fl -config-file= Ns Ar file
+.Xc
+configuration file
+.It Xo
+.Fl r Ar string ,
+.Fl -realm= Ns Ar string
+.Xc
+realm
+.El
+.Pp
+prints the version of the last log entry.
+.El
+.Sh SEE ALSO
+.Xr iprop 8
diff --git a/crypto/heimdal/lib/kadm5/iprop-log.c b/crypto/heimdal/lib/kadm5/iprop-log.c
new file mode 100644
index 0000000..7b43076
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/iprop-log.c
@@ -0,0 +1,486 @@
+/*
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "iprop.h"
+#include <sl.h>
+#include <parse_time.h>
+#include "iprop-commands.h"
+
+RCSID("$Id: iprop-log.c 22211 2007-12-07 19:27:27Z lha $");
+
+static krb5_context context;
+
+static kadm5_server_context *
+get_kadmin_context(const char *config_file, char *realm)
+{
+    kadm5_config_params conf;
+    krb5_error_code ret;
+    void *kadm_handle;
+    char **files;
+
+    if (config_file == NULL) {
+	char *file;
+	asprintf(&file, "%s/kdc.conf", hdb_db_dir(context));
+	if (file == NULL)
+	    errx(1, "out of memory");
+	config_file = file;
+    }
+
+    ret = krb5_prepend_config_files_default(config_file, &files);
+    if (ret)
+	krb5_err(context, 1, ret, "getting configuration files");
+
+    ret = krb5_set_config_files(context, files);
+    krb5_free_config_files(files);
+    if (ret)
+	krb5_err(context, 1, ret, "reading configuration files");
+
+    memset(&conf, 0, sizeof(conf));
+    if(realm) {
+	conf.mask |= KADM5_CONFIG_REALM;
+	conf.realm = realm;
+    }
+
+    ret = kadm5_init_with_password_ctx (context,
+					KADM5_ADMIN_SERVICE,
+					NULL,
+					KADM5_ADMIN_SERVICE,
+					&conf, 0, 0, 
+					&kadm_handle);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_init_with_password_ctx");
+
+    return (kadm5_server_context *)kadm_handle;
+}
+
+/*
+ * dump log
+ */
+
+static const char *op_names[] = {
+    "get",
+    "delete",
+    "create",
+    "rename",
+    "chpass",
+    "modify",
+    "randkey",
+    "get_privs",
+    "get_princs",
+    "chpass_with_key",
+    "nop"
+};
+
+static void
+print_entry(kadm5_server_context *server_context,
+	    uint32_t ver,
+	    time_t timestamp,
+	    enum kadm_ops op,
+	    uint32_t len,
+	    krb5_storage *sp,
+	    void *ctx)
+{
+    char t[256];
+    int32_t mask;
+    hdb_entry ent;
+    krb5_principal source;
+    char *name1, *name2;
+    krb5_data data;
+    krb5_context scontext = server_context->context;
+
+    off_t end = krb5_storage_seek(sp, 0, SEEK_CUR) + len;
+    
+    krb5_error_code ret;
+
+    strftime(t, sizeof(t), "%Y-%m-%d %H:%M:%S", localtime(&timestamp));
+
+    if(op < kadm_get || op > kadm_nop) {
+	printf("unknown op: %d\n", op);
+	krb5_storage_seek(sp, end, SEEK_SET);
+	return;
+    }
+
+    printf ("%s: ver = %u, timestamp = %s, len = %u\n",
+	    op_names[op], ver, t, len);
+    switch(op) {
+    case kadm_delete:
+	krb5_ret_principal(sp, &source);
+	krb5_unparse_name(scontext, source, &name1);
+	printf("    %s\n", name1);
+	free(name1);
+	krb5_free_principal(scontext, source);
+	break;
+    case kadm_rename:
+	ret = krb5_data_alloc(&data, len);
+	if (ret)
+	    krb5_err (scontext, 1, ret, "kadm_rename: data alloc: %d", len);
+	krb5_ret_principal(sp, &source);
+	krb5_storage_read(sp, data.data, data.length);
+	hdb_value2entry(scontext, &data, &ent);
+	krb5_unparse_name(scontext, source, &name1);
+	krb5_unparse_name(scontext, ent.principal, &name2);
+	printf("    %s -> %s\n", name1, name2);
+	free(name1);
+	free(name2);
+	krb5_free_principal(scontext, source);
+	free_hdb_entry(&ent);
+	break;
+    case kadm_create:
+	ret = krb5_data_alloc(&data, len);
+	if (ret)
+	    krb5_err (scontext, 1, ret, "kadm_create: data alloc: %d", len);
+	krb5_storage_read(sp, data.data, data.length);
+	ret = hdb_value2entry(scontext, &data, &ent);
+	if(ret)
+	    abort();
+	mask = ~0;
+	goto foo;
+    case kadm_modify:
+	ret = krb5_data_alloc(&data, len);
+	if (ret)
+	    krb5_err (scontext, 1, ret, "kadm_modify: data alloc: %d", len);
+	krb5_ret_int32(sp, &mask);
+	krb5_storage_read(sp, data.data, data.length);
+	ret = hdb_value2entry(scontext, &data, &ent);
+	if(ret)
+	    abort();
+    foo:
+	if(ent.principal /* mask & KADM5_PRINCIPAL */) {
+	    krb5_unparse_name(scontext, ent.principal, &name1);
+	    printf("    principal = %s\n", name1);
+	    free(name1);
+	}
+	if(mask & KADM5_PRINC_EXPIRE_TIME) {
+	    if(ent.valid_end == NULL) {
+		strlcpy(t, "never", sizeof(t));
+	    } else {
+		strftime(t, sizeof(t), "%Y-%m-%d %H:%M:%S", 
+			 localtime(ent.valid_end));
+	    }
+	    printf("    expires = %s\n", t);
+	}
+	if(mask & KADM5_PW_EXPIRATION) {
+	    if(ent.pw_end == NULL) {
+		strlcpy(t, "never", sizeof(t));
+	    } else {
+		strftime(t, sizeof(t), "%Y-%m-%d %H:%M:%S", 
+			 localtime(ent.pw_end));
+	    }
+	    printf("    password exp = %s\n", t);
+	}
+	if(mask & KADM5_LAST_PWD_CHANGE) {
+	}
+	if(mask & KADM5_ATTRIBUTES) {
+	    unparse_flags(HDBFlags2int(ent.flags), 
+			  asn1_HDBFlags_units(), t, sizeof(t));
+	    printf("    attributes = %s\n", t);
+	}
+	if(mask & KADM5_MAX_LIFE) {
+	    if(ent.max_life == NULL)
+		strlcpy(t, "for ever", sizeof(t));
+	    else
+		unparse_time(*ent.max_life, t, sizeof(t));
+	    printf("    max life = %s\n", t);
+	}
+	if(mask & KADM5_MAX_RLIFE) {
+	    if(ent.max_renew == NULL)
+		strlcpy(t, "for ever", sizeof(t));
+	    else
+		unparse_time(*ent.max_renew, t, sizeof(t));
+	    printf("    max rlife = %s\n", t);
+	}
+	if(mask & KADM5_MOD_TIME) {
+	    printf("    mod time\n");
+	}
+	if(mask & KADM5_MOD_NAME) {
+	    printf("    mod name\n");
+	}
+	if(mask & KADM5_KVNO) {
+	    printf("    kvno = %d\n", ent.kvno);
+	}
+	if(mask & KADM5_MKVNO) {
+	    printf("    mkvno\n");
+	}
+	if(mask & KADM5_AUX_ATTRIBUTES) {
+	    printf("    aux attributes\n");
+	}
+	if(mask & KADM5_POLICY) {
+	    printf("    policy\n");
+	}
+	if(mask & KADM5_POLICY_CLR) {
+	    printf("    mod time\n");
+	}
+	if(mask & KADM5_LAST_SUCCESS) {
+	    printf("    last success\n");
+	}
+	if(mask & KADM5_LAST_FAILED) {
+	    printf("    last failed\n");
+	}
+	if(mask & KADM5_FAIL_AUTH_COUNT) {
+	    printf("    fail auth count\n");
+	}
+	if(mask & KADM5_KEY_DATA) {
+	    printf("    key data\n");
+	}
+	if(mask & KADM5_TL_DATA) {
+	    printf("    tl data\n");
+	}
+	free_hdb_entry(&ent);
+	break;
+    case kadm_nop :
+	break;
+    default:
+	abort();
+    }
+    krb5_storage_seek(sp, end, SEEK_SET);
+}
+
+int
+iprop_dump(struct dump_options *opt, int argc, char **argv)
+{
+    kadm5_server_context *server_context;
+    krb5_error_code ret;
+
+    server_context = get_kadmin_context(opt->config_file_string, 
+					opt->realm_string);
+
+    ret = kadm5_log_init (server_context);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_log_init");
+
+    ret = kadm5_log_foreach (server_context, print_entry, NULL);
+    if(ret)
+	krb5_warn(context, ret, "kadm5_log_foreach");
+
+    ret = kadm5_log_end (server_context);
+    if (ret)
+	krb5_warn(context, ret, "kadm5_log_end");
+    return 0;
+}
+
+int
+iprop_truncate(struct truncate_options *opt, int argc, char **argv)
+{
+    kadm5_server_context *server_context;
+    krb5_error_code ret;
+
+    server_context = get_kadmin_context(opt->config_file_string, 
+					opt->realm_string);
+
+    ret = kadm5_log_truncate (server_context);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_log_truncate");
+
+    return 0;
+}
+
+int
+last_version(struct last_version_options *opt, int argc, char **argv)
+{
+    kadm5_server_context *server_context;
+    krb5_error_code ret;
+    uint32_t version;
+
+    server_context = get_kadmin_context(opt->config_file_string, 
+					opt->realm_string);
+
+    ret = kadm5_log_init (server_context);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_log_init");
+
+    ret = kadm5_log_get_version (server_context, &version);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_log_get_version");
+
+    ret = kadm5_log_end (server_context);
+    if (ret)
+	krb5_warn(context, ret, "kadm5_log_end");
+
+    printf("version: %lu\n", (unsigned long)version);
+
+    return 0;
+}
+
+/*
+ * Replay log
+ */
+
+int start_version = -1;
+int end_version = -1;
+
+static void
+apply_entry(kadm5_server_context *server_context,
+	    uint32_t ver,
+	    time_t timestamp,
+	    enum kadm_ops op,
+	    uint32_t len,
+	    krb5_storage *sp, 
+	    void *ctx)
+{
+    struct replay_options *opt = ctx;
+    krb5_error_code ret;
+
+    if((opt->start_version_integer != -1 && ver < opt->start_version_integer) ||
+       (opt->end_version_integer != -1 && ver > opt->end_version_integer)) {
+	/* XXX skip this entry */
+	krb5_storage_seek(sp, len, SEEK_CUR);
+	return;
+    }
+    printf ("ver %u... ", ver);
+    fflush (stdout);
+
+    ret = kadm5_log_replay (server_context,
+			    op, ver, len, sp);
+    if (ret)
+	krb5_warn (server_context->context, ret, "kadm5_log_replay");
+    
+    printf ("done\n");
+}
+
+int
+iprop_replay(struct replay_options *opt, int argc, char **argv)
+{
+    kadm5_server_context *server_context;
+    krb5_error_code ret;
+
+    server_context = get_kadmin_context(opt->config_file_string, 
+					opt->realm_string);
+
+    ret = server_context->db->hdb_open(context,
+				       server_context->db,
+				       O_RDWR | O_CREAT, 0600);
+    if (ret)
+	krb5_err (context, 1, ret, "db->open");
+
+    ret = kadm5_log_init (server_context);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_log_init");
+
+    ret = kadm5_log_foreach (server_context, apply_entry, opt);
+    if(ret)
+	krb5_warn(context, ret, "kadm5_log_foreach");
+    ret = kadm5_log_end (server_context);
+    if (ret)
+	krb5_warn(context, ret, "kadm5_log_end");
+    ret = server_context->db->hdb_close (context, server_context->db);
+    if (ret)
+	krb5_err (context, 1, ret, "db->close");
+
+    return 0;
+}
+
+static int help_flag;
+static int version_flag;
+
+static struct getargs args[] = {
+    { "version", 	0,	arg_flag, 	&version_flag,
+      NULL,		NULL 
+    }, 
+    { "help", 	'h', 	arg_flag, 	&help_flag, 
+      NULL, NULL
+    }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+int
+help(void *opt, int argc, char **argv)
+{
+    if(argc == 0) {
+	sl_help(commands, 1, argv - 1 /* XXX */);
+    } else {
+	SL_cmd *c = sl_match (commands, argv[0], 0);
+ 	if(c == NULL) {
+	    fprintf (stderr, "No such command: %s. "
+		     "Try \"help\" for a list of commands\n",
+		     argv[0]);
+	} else {
+	    if(c->func) {
+		char *fake[] = { NULL, "--help", NULL };
+		fake[0] = argv[0];
+		(*c->func)(2, fake);
+		fprintf(stderr, "\n");
+	    }
+	    if(c->help && *c->help)
+		fprintf (stderr, "%s\n", c->help);
+	    if((++c)->name && c->func == NULL) {
+		int f = 0;
+		fprintf (stderr, "Synonyms:");
+		while (c->name && c->func == NULL) {
+		    fprintf (stderr, "%s%s", f ? ", " : " ", (c++)->name);
+		    f = 1;
+		}
+		fprintf (stderr, "\n");
+	    }
+	}
+    }
+    return 0;
+}
+
+static void
+usage(int status)
+{
+    arg_printusage(args, num_args, NULL, "command");
+    exit(status);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optidx = 0;
+    krb5_error_code ret;
+
+    setprogname(argv[0]);
+
+    if(getarg(args, num_args, argc, argv, &optidx))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    argc -= optidx;
+    argv += optidx;
+    if(argc == 0)
+	usage(1);
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx(1, "krb5_init_context failed with: %d\n", ret);
+
+    ret = sl_command(commands, argc, argv);
+    if(ret == -1)
+	warnx ("unrecognized command: %s", argv[0]);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/kadm5/iprop.8 b/crypto/heimdal/lib/kadm5/iprop.8
new file mode 100644
index 0000000..d1e55cc
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/iprop.8
@@ -0,0 +1,223 @@
+.\" $Id: iprop.8 21940 2007-09-28 22:28:09Z lha $
+.\" 
+.\" Copyright (c) 2005 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved. 
+.\"
+.\" Redistribution and use in source and binary forms, with or without 
+.\" modification, are permitted provided that the following conditions 
+.\" are met: 
+.\"
+.\" 1. Redistributions of source code must retain the above copyright 
+.\"    notice, this list of conditions and the following disclaimer. 
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright 
+.\"    notice, this list of conditions and the following disclaimer in the 
+.\"    documentation and/or other materials provided with the distribution. 
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors 
+.\"    may be used to endorse or promote products derived from this software 
+.\"    without specific prior written permission. 
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+.\" SUCH DAMAGE. 
+.\"
+.Dd May 24, 2005
+.Dt IPROP 8
+.Os Heimdal
+.Sh NAME
+.Nm iprop ,
+.Nm ipropd-master ,
+.Nm ipropd-slave
+.Nd
+propagate changes to a Heimdal Kerberos master KDC to slave KDCs
+.Sh SYNOPSIS
+.Nm ipropd-master
+.Oo Fl c Ar string \*(Ba Xo
+.Fl -config-file= Ns Ar string
+.Xc
+.Oc
+.Oo Fl r Ar string \*(Ba Xo
+.Fl -realm= Ns Ar string
+.Xc
+.Oc
+.Oo Fl k Ar kspec \*(Ba Xo
+.Fl -keytab= Ns Ar kspec
+.Xc
+.Oc
+.Oo Fl d Ar file \*(Ba Xo
+.Fl -database= Ns Ar file
+.Xc
+.Oc
+.Op Fl -slave-stats-file= Ns Ar file
+.Op Fl -time-missing= Ns Ar time
+.Op Fl -time-gone= Ns Ar time
+.Op Fl -detach
+.Op Fl -version
+.Op Fl -help
+.Nm ipropd-slave
+.Oo Fl c Ar string \*(Ba Xo
+.Fl -config-file= Ns Ar string
+.Xc
+.Oc
+.Oo Fl r Ar string \*(Ba Xo
+.Fl -realm= Ns Ar string
+.Xc
+.Oc
+.Oo Fl k Ar kspec \*(Ba Xo
+.Fl -keytab= Ns Ar kspec
+.Xc
+.Oc
+.Op Fl -time-lost= Ns Ar time
+.Op Fl -detach
+.Op Fl -version
+.Op Fl -help
+.Ar master
+.Pp
+.Sh DESCRIPTION
+.Nm ipropd-master
+is used to propagate changes to a Heimdal Kerberos database from the
+master Kerberos server on which it runs to slave Kerberos servers
+running
+.Nm ipropd-slave .
+.Pp
+The slaves are specified by the contents of the
+.Pa slaves
+file in the KDC's database directory, e.g.\&
+.Pa /var/heimdal/slaves .
+This has principals one per-line of the form
+.Dl iprop/ Ns Ar slave Ns @ Ns Ar REALM
+where 
+.Ar slave 
+is the hostname of the slave server in the given 
+.Ar REALM ,
+e.g.\&
+.Dl iprop/kerberos-1.example.com@EXAMPLE.COM
+On a slave, the argument
+.Fa master
+specifies the hostname of the master server from which to receive updates.
+.Pp
+In contrast to
+.Xr hprop 8 ,
+which sends the whole database to the slaves regularly,
+.Nm
+normally sends only the changes as they happen on the master.  The
+master keeps track of all the changes by assigning a version number to
+every change to the database.  The slaves know which was the latest
+version they saw, and in this way it can be determined if they are in
+sync or not.  A log of all the changes is kept on the master.  When a
+slave is at an older version than the oldest one in the log, the whole
+database has to be sent.
+.Pp
+The changes are propagated over a secure channel (on port 2121 by
+default).  This should normally be defined as
+.Dq iprop/tcp
+in
+.Pa /etc/services
+or another source of the services database.  The master and slaves
+must each have access to a keytab with keys for the
+.Nm iprop
+service principal on the local host.
+.Pp
+There is a keep-alive feature logged in the master's
+.Pa slave-stats
+file (e.g.\&
+.Pa /var/heimdal/slave-stats ) .
+.Pp
+Supported options for
+.Nm ipropd-master :
+.Bl -tag -width Ds
+.It Xo
+.Fl c Ar string ,
+.Fl -config-file= Ns Ar string
+.Xc
+.It Xo
+.Fl r Ar string ,
+.Fl -realm= Ns Ar string
+.Xc
+.It Xo
+.Fl k Ar kspec ,
+.Fl -keytab= Ns Ar kspec
+.Xc
+keytab to get authentication from
+.It Xo
+.Fl d Ar file ,
+.Fl -database= Ns Ar file
+.Xc
+Database (default per KDC)
+.It Xo
+.Fl -slave-stats-file= Ns Ar file
+.Xc
+file for slave status information
+.It Xo
+.Fl -time-missing= Ns Ar time
+.Xc
+time before slave is polled for presence (default 2 min)
+.It Xo
+.Fl -time-gone= Ns Ar time
+.Xc
+time of inactivity after which a slave is considered gone (default 5 min)
+.It Xo
+.Fl -detach
+.Xc
+detach from console
+.It Xo
+.Fl -version
+.Xc
+.It Xo
+.Fl -help
+.Xc
+.El
+.Pp
+Supported options for
+.Nm ipropd-slave :
+.Bl -tag -width Ds
+.It Xo
+.Fl c Ar string ,
+.Fl -config-file= Ns Ar string
+.Xc
+.It Xo
+.Fl r Ar string ,
+.Fl -realm= Ns Ar string
+.Xc
+.It Xo
+.Fl k Ar kspec ,
+.Fl -keytab= Ns Ar kspec
+.Xc
+keytab to get authentication from
+.It Xo
+.Fl -time-lost= Ns Ar time
+.Xc
+time before server is considered lost (default 5 min)
+.It Xo
+.Fl -detach
+.Xc
+detach from console
+.It Xo
+.Fl -version
+.Xc
+.It Xo
+.Fl -help
+.Xc
+.El
+Time arguments for the relevant options above may be specified in forms
+like 5 min, 300 s, or simply a number of seconds.
+.Sh FILES
+.Pa slaves ,
+.Pa slave-stats
+in the database directory.
+.Sh SEE ALSO
+.Xr hpropd 8 ,
+.Xr hprop 8 ,
+.Xr krb5.conf 8 , 
+.Xr kdc 8 ,
+.Xr iprop-log 8 .
diff --git a/crypto/heimdal/lib/kadm5/iprop.h b/crypto/heimdal/lib/kadm5/iprop.h
index e02a9d6..beb5414 100644
--- a/crypto/heimdal/lib/kadm5/iprop.h
+++ b/crypto/heimdal/lib/kadm5/iprop.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1998-2003 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,13 +31,12 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: iprop.h,v 1.7 2002/07/04 14:39:19 joda Exp $ */
+/* $Id: iprop.h 22211 2007-12-07 19:27:27Z lha $ */
 
 #ifndef __IPROP_H__
 #define __IPROP_H__
 
 #include "kadm5_locl.h"
-#include <krb5-private.h> /* _krb5_{get,put}_int */
 #include <getarg.h>
 #ifdef HAVE_SYS_SELECT_H
 #include <sys/select.h>
@@ -46,11 +45,9 @@
 #include <util.h>
 #endif
 
-#define IPROP_VERSION "iprop-0.0"
-
-#define KADM5_SLAVE_ACL HDB_DB_DIR "/slaves"
+#include <parse_time.h>
 
-#define KADM5_SLAVE_STATS HDB_DB_DIR "/slaves-stats"
+#define IPROP_VERSION "iprop-0.0"
 
 #define IPROP_NAME "iprop"
 
@@ -62,7 +59,12 @@ enum iprop_cmd { I_HAVE = 1,
 		 FOR_YOU = 2,
 		 TELL_YOU_EVERYTHING = 3,
 		 ONE_PRINC = 4,
-		 NOW_YOU_HAVE = 5
+		 NOW_YOU_HAVE = 5,
+		 ARE_YOU_THERE = 6,
+		 I_AM_HERE = 7
 };
 
+extern sig_atomic_t exit_flag;
+void setup_signal(void);
+
 #endif /* __IPROP_H__ */
diff --git a/crypto/heimdal/lib/kadm5/ipropd_common.c b/crypto/heimdal/lib/kadm5/ipropd_common.c
new file mode 100644
index 0000000..e656159
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/ipropd_common.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "iprop.h"
+RCSID("$Id$");
+
+sig_atomic_t exit_flag;
+
+static RETSIGTYPE
+sigterm(int sig)
+{
+    exit_flag = sig;
+}
+
+void
+setup_signal(void)
+{
+#ifdef HAVE_SIGACTION
+    {
+	struct sigaction sa;
+
+	sa.sa_flags = 0;
+	sa.sa_handler = sigterm;
+	sigemptyset(&sa.sa_mask);
+
+	sigaction(SIGINT, &sa, NULL);
+	sigaction(SIGTERM, &sa, NULL);
+	sigaction(SIGXCPU, &sa, NULL);
+
+	sa.sa_handler = SIG_IGN;
+	sigaction(SIGPIPE, &sa, NULL);
+    }
+#else
+    signal(SIGINT, sigterm);
+    signal(SIGTERM, sigterm);
+    signal(SIGXCPU, sigterm);
+    signal(SIGPIPE, SIG_IGN);
+#endif
+}
diff --git a/crypto/heimdal/lib/kadm5/ipropd_master.c b/crypto/heimdal/lib/kadm5/ipropd_master.c
index 537d403..bd8f71f 100644
--- a/crypto/heimdal/lib/kadm5/ipropd_master.c
+++ b/crypto/heimdal/lib/kadm5/ipropd_master.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -34,24 +34,34 @@
 #include "iprop.h"
 #include <rtbl.h>
 
-RCSID("$Id: ipropd_master.c,v 1.29 2003/03/19 11:56:38 lha Exp $");
+RCSID("$Id: ipropd_master.c 22211 2007-12-07 19:27:27Z lha $");
 
 static krb5_log_facility *log_facility;
 
-const char *slave_stats_file = KADM5_SLAVE_STATS;
+const char *slave_stats_file;
+const char *slave_time_missing = "2 min";
+const char *slave_time_gone = "5 min";
+
+static int time_before_missing;
+static int time_before_gone;
+
+const char *master_hostname;
 
 static int
 make_signal_socket (krb5_context context)
 {
     struct sockaddr_un addr;
+    const char *fn;
     int fd;
 
+    fn = kadm5_log_signal_socket(context);
+
     fd = socket (AF_UNIX, SOCK_DGRAM, 0);
     if (fd < 0)
 	krb5_err (context, 1, errno, "socket AF_UNIX");
     memset (&addr, 0, sizeof(addr));
     addr.sun_family = AF_UNIX;
-    strlcpy (addr.sun_path, KADM5_LOG_SIGNAL, sizeof(addr.sun_path));
+    strlcpy (addr.sun_path, fn, sizeof(addr.sun_path));
     unlink (addr.sun_path);
     if (bind (fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
 	krb5_err (context, 1, errno, "bind %s", addr.sun_path);
@@ -59,7 +69,7 @@ make_signal_socket (krb5_context context)
 }
 
 static int
-make_listen_socket (krb5_context context)
+make_listen_socket (krb5_context context, const char *port_str)
 {
     int fd;
     int one = 1;
@@ -71,8 +81,24 @@ make_listen_socket (krb5_context context)
     setsockopt (fd, SOL_SOCKET, SO_REUSEADDR, (void *)&one, sizeof(one));
     memset (&addr, 0, sizeof(addr));
     addr.sin_family = AF_INET;
-    addr.sin_port   = krb5_getportbyname (context,
-					  IPROP_SERVICE, "tcp", IPROP_PORT);
+
+    if (port_str) {
+	addr.sin_port = krb5_getportbyname (context,
+					      port_str, "tcp", 
+					      0);
+	if (addr.sin_port == 0) {
+	    char *ptr;
+	    long port;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		krb5_errx (context, 1, "bad port `%s'", port_str);
+	    addr.sin_port = htons(port);
+	}
+    } else {
+	addr.sin_port = krb5_getportbyname (context, IPROP_SERVICE, 
+					    "tcp", IPROP_PORT);
+    }
     if(bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
 	krb5_err (context, 1, errno, "bind");
     if (listen(fd, SOMAXCONN) < 0)
@@ -85,10 +111,11 @@ struct slave {
     struct sockaddr_in addr;
     char *name;
     krb5_auth_context ac;
-    u_int32_t version;
+    uint32_t version;
     time_t seen;
     unsigned long flags;
 #define SLAVE_F_DEAD	0x1
+#define SLAVE_F_AYT	0x2
     struct slave *next;
 };
 
@@ -97,16 +124,27 @@ typedef struct slave slave;
 static int
 check_acl (krb5_context context, const char *name)
 {
+    const char *fn;
     FILE *fp;
     char buf[256];
     int ret = 1;
+    char *slavefile;
+
+    asprintf(&slavefile, "%s/slaves", hdb_db_dir(context));
 
-    fp = fopen (KADM5_SLAVE_ACL, "r");
+    fn = krb5_config_get_string_default(context,
+					NULL,
+					slavefile,
+					"kdc",
+					"iprop-acl",
+					NULL);
+
+    fp = fopen (fn, "r");
+    free(slavefile);
     if (fp == NULL)
 	return 1;
     while (fgets(buf, sizeof(buf), fp) != NULL) {
-	if (buf[strlen(buf) - 1 ] == '\n')
-	    buf[strlen(buf) - 1 ] = '\0';
+	buf[strcspn(buf, "\r\n")] = '\0';
 	if (strcmp (buf, name) == 0) {
 	    ret = 0;
 	    break;
@@ -119,12 +157,31 @@ check_acl (krb5_context context, const char *name)
 static void
 slave_seen(slave *s)
 {
+    s->flags &= ~SLAVE_F_AYT;
     s->seen = time(NULL);
 }
 
+static int
+slave_missing_p (slave *s)
+{
+    if (time(NULL) > s->seen + time_before_missing)
+	return 1;
+    return 0;
+}
+
+static int
+slave_gone_p (slave *s)
+{
+    if (time(NULL) > s->seen + time_before_gone)
+	return 1;
+    return 0;
+}
+
 static void
-slave_dead(slave *s)
+slave_dead(krb5_context context, slave *s)
 {
+    krb5_warnx(context, "slave %s dead", s->name);
+
     if (s->fd >= 0) {
 	close (s->fd);
 	s->fd = -1;
@@ -177,7 +234,11 @@ add_slave (krb5_context context, krb5_keytab keytab, slave **root, int fd)
 	krb5_warn (context, errno, "accept");
 	goto error;
     }
-    gethostname(hostname, sizeof(hostname));
+    if (master_hostname)
+	strlcpy(hostname, master_hostname, sizeof(hostname));
+    else
+	gethostname(hostname, sizeof(hostname));
+
     ret = krb5_sname_to_principal (context, hostname, IPROP_NAME,
 				   KRB5_NT_SRV_HST, &server);
     if (ret) {
@@ -240,13 +301,14 @@ struct prop_context {
 };
 
 static int
-prop_one (krb5_context context, HDB *db, hdb_entry *entry, void *v)
+prop_one (krb5_context context, HDB *db, hdb_entry_ex *entry, void *v)
 {
     krb5_error_code ret;
+    krb5_storage *sp;
     krb5_data data;
-    struct slave *slave = (struct slave *)v;
+    struct slave *s = (struct slave *)v;
 
-    ret = hdb_entry2value (context, entry, &data);
+    ret = hdb_entry2value (context, &entry->entry, &data);
     if (ret)
 	return ret;
     ret = krb5_data_realloc (&data, data.length + 4);
@@ -255,18 +317,25 @@ prop_one (krb5_context context, HDB *db, hdb_entry *entry, void *v)
 	return ret;
     }
     memmove ((char *)data.data + 4, data.data, data.length - 4);
-    _krb5_put_int (data.data, ONE_PRINC, 4);
+    sp = krb5_storage_from_data(&data);
+    if (sp == NULL) {
+	krb5_data_free (&data);
+	return ENOMEM;
+    }
+    krb5_store_int32(sp, ONE_PRINC);
+    krb5_storage_free(sp);
 
-    ret = krb5_write_priv_message (context, slave->ac, &slave->fd, &data);
+    ret = krb5_write_priv_message (context, s->ac, &s->fd, &data);
     krb5_data_free (&data);
     return ret;
 }
 
 static int
 send_complete (krb5_context context, slave *s,
-	       const char *database, u_int32_t current_version)
+	       const char *database, uint32_t current_version)
 {
     krb5_error_code ret;
+    krb5_storage *sp;
     HDB *db;
     krb5_data data;
     char buf[8];
@@ -274,11 +343,15 @@ send_complete (krb5_context context, slave *s,
     ret = hdb_create (context, &db, database);
     if (ret)
 	krb5_err (context, 1, ret, "hdb_create: %s", database);
-    ret = db->open (context, db, O_RDONLY, 0);
+    ret = db->hdb_open (context, db, O_RDONLY, 0);
     if (ret)
 	krb5_err (context, 1, ret, "db->open");
 
-    _krb5_put_int(buf, TELL_YOU_EVERYTHING, 4);
+    sp = krb5_storage_from_mem (buf, 4);
+    if (sp == NULL)
+	krb5_errx (context, 1, "krb5_storage_from_mem");
+    krb5_store_int32 (sp, TELL_YOU_EVERYTHING);
+    krb5_storage_free (sp);
 
     data.data   = buf;
     data.length = 4;
@@ -287,26 +360,34 @@ send_complete (krb5_context context, slave *s,
 
     if (ret) {
 	krb5_warn (context, ret, "krb5_write_priv_message");
-	slave_dead(s);
+	slave_dead(context, s);
 	return ret;
     }
 
     ret = hdb_foreach (context, db, 0, prop_one, s);
     if (ret) {
 	krb5_warn (context, ret, "hdb_foreach");
-	slave_dead(s);
+	slave_dead(context, s);
 	return ret;
     }
 
-    _krb5_put_int (buf, NOW_YOU_HAVE, 4);
-    _krb5_put_int (buf + 4, current_version, 4);
+    (*db->hdb_close)(context, db);
+    (*db->hdb_destroy)(context, db);
+
+    sp = krb5_storage_from_mem (buf, 8);
+    if (sp == NULL)
+	krb5_errx (context, 1, "krb5_storage_from_mem");
+    krb5_store_int32 (sp, NOW_YOU_HAVE);
+    krb5_store_int32 (sp, current_version);
+    krb5_storage_free (sp);
+
     data.length = 8;
 
     s->version = current_version;
 
     ret = krb5_write_priv_message(context, s->ac, &s->fd, &data);
     if (ret) {
-	slave_dead(s);
+	slave_dead(context, s);
 	krb5_warn (context, ret, "krb5_write_priv_message");
 	return ret;
     }
@@ -317,59 +398,132 @@ send_complete (krb5_context context, slave *s,
 }
 
 static int
+send_are_you_there (krb5_context context, slave *s)
+{
+    krb5_storage *sp;
+    krb5_data data;
+    char buf[4];
+    int ret;
+
+    if (s->flags & (SLAVE_F_DEAD|SLAVE_F_AYT))
+	return 0;
+
+    s->flags |= SLAVE_F_AYT;
+
+    data.data = buf;
+    data.length = 4;
+
+    sp = krb5_storage_from_mem (buf, 4);
+    if (sp == NULL) {
+	krb5_warnx (context, "are_you_there: krb5_data_alloc");
+	slave_dead(context, s);
+	return 1;
+    }
+    krb5_store_int32 (sp, ARE_YOU_THERE);
+    krb5_storage_free (sp);
+
+    ret = krb5_write_priv_message(context, s->ac, &s->fd, &data);
+
+    if (ret) {
+	krb5_warn (context, ret, "are_you_there: krb5_write_priv_message");
+	slave_dead(context, s);
+	return 1;
+    }
+
+    return 0;
+}
+
+static int
 send_diffs (krb5_context context, slave *s, int log_fd,
-	    const char *database, u_int32_t current_version)
+	    const char *database, uint32_t current_version)
 {
     krb5_storage *sp;
-    u_int32_t ver;
+    uint32_t ver;
     time_t timestamp;
     enum kadm_ops op;
-    u_int32_t len;
+    uint32_t len;
     off_t right, left;
     krb5_data data;
     int ret = 0;
 
-    if (s->version == current_version)
+    if (s->version == current_version) {
+	krb5_warnx(context, "slave %s in sync already at version %ld",
+		   s->name, (long)s->version);
 	return 0;
+    }
 
     if (s->flags & SLAVE_F_DEAD)
 	return 0;
 
+    /* if slave is a fresh client, starting over */
+    if (s->version == 0) {
+	krb5_warnx(context, "sending complete log to fresh slave %s",
+		   s->name);
+	return send_complete (context, s, database, current_version);
+    }
+
     sp = kadm5_log_goto_end (log_fd);
     right = krb5_storage_seek(sp, 0, SEEK_CUR);
     for (;;) {
-	if (kadm5_log_previous (sp, &ver, &timestamp, &op, &len))
-	    abort ();
+	ret = kadm5_log_previous (context, sp, &ver, &timestamp, &op, &len);
+	if (ret)
+	    krb5_err(context, 1, ret, 
+		     "send_diffs: failed to find previous entry");
 	left = krb5_storage_seek(sp, -16, SEEK_CUR);
 	if (ver == s->version)
 	    return 0;
 	if (ver == s->version + 1)
 	    break;
-	if (left == 0)
+	if (left == 0) {
+	    krb5_warnx(context,
+		       "slave %s (version %lu) out of sync with master "
+		       "(first version in log %lu), sending complete database",
+		       s->name, (unsigned long)s->version, (unsigned long)ver);
 	    return send_complete (context, s, database, current_version);
+	}
+    }
+
+    krb5_warnx(context,
+	       "syncing slave %s from version %lu to version %lu",
+	       s->name, (unsigned long)s->version,
+	       (unsigned long)current_version);
+
+    ret = krb5_data_alloc (&data, right - left + 4);
+    if (ret) {
+	krb5_warn (context, ret, "send_diffs: krb5_data_alloc");
+	slave_dead(context, s);
+	return 1;
     }
-    krb5_data_alloc (&data, right - left + 4);
     krb5_storage_read (sp, (char *)data.data + 4, data.length - 4);
     krb5_storage_free(sp);
 
-    _krb5_put_int(data.data, FOR_YOU, 4);
+    sp = krb5_storage_from_data (&data);
+    if (sp == NULL) {
+	krb5_warnx (context, "send_diffs: krb5_storage_from_data");
+	slave_dead(context, s);
+	return 1;
+    }
+    krb5_store_int32 (sp, FOR_YOU);
+    krb5_storage_free(sp);
 
     ret = krb5_write_priv_message(context, s->ac, &s->fd, &data);
     krb5_data_free(&data);
 
     if (ret) {
-	krb5_warn (context, ret, "krb5_write_priv_message");
-	slave_dead(s);
+	krb5_warn (context, ret, "send_diffs: krb5_write_priv_message");
+	slave_dead(context, s);
 	return 1;
     }
     slave_seen(s);
 
+    s->version = current_version;
+
     return 0;
 }
 
 static int
 process_msg (krb5_context context, slave *s, int log_fd,
-	     const char *database, u_int32_t current_version)
+	     const char *database, uint32_t current_version)
 {
     int ret = 0;
     krb5_data out;
@@ -383,13 +537,42 @@ process_msg (krb5_context context, slave *s, int log_fd,
     }
 
     sp = krb5_storage_from_mem (out.data, out.length);
-    krb5_ret_int32 (sp, &tmp);
+    if (sp == NULL) {
+	krb5_warnx (context, "process_msg: no memory");
+	krb5_data_free (&out);
+	return 1;
+    }
+    if (krb5_ret_int32 (sp, &tmp) != 0) {
+	krb5_warnx (context, "process_msg: client send too short command");
+	krb5_data_free (&out);
+	return 1;
+    }
     switch (tmp) {
     case I_HAVE :
-	krb5_ret_int32 (sp, &tmp);
-	s->version = tmp;
-	ret = send_diffs (context, s, log_fd, database, current_version);
+	ret = krb5_ret_int32 (sp, &tmp);
+	if (ret != 0) {
+	    krb5_warnx (context, "process_msg: client send too I_HAVE data");
+	    break;
+	}
+	/* new started slave that have old log */
+	if (s->version == 0 && tmp != 0) {
+	    if (s->version < tmp) {
+		krb5_warnx (context, "Slave %s have later version the master "
+			    "OUT OF SYNC", s->name);
+	    } else {
+		s->version = tmp;
+	    }
+	}
+	if (tmp < s->version) {
+	    krb5_warnx (context, "Slave claims to not have "
+			"version we already sent to it");
+	} else {
+	    ret = send_diffs (context, s, log_fd, database, current_version);
+	}
+	break;
+    case I_AM_HERE :
 	break;
+    case ARE_YOU_THERE:
     case FOR_YOU :
     default :
 	krb5_warnx (context, "Ignoring command %d", tmp);
@@ -409,20 +592,60 @@ process_msg (krb5_context context, slave *s, int log_fd,
 #define SLAVE_STATUS	"Status"
 #define SLAVE_SEEN	"Last Seen"
 
+static FILE *
+open_stats(krb5_context context)
+{
+    char *statfile = NULL;
+    const char *fn;
+    FILE *f;
+
+    if (slave_stats_file)
+	fn = slave_stats_file;
+    else {
+	asprintf(&statfile,  "%s/slaves-stats", hdb_db_dir(context));
+	fn = krb5_config_get_string_default(context,
+					    NULL,
+					    statfile,
+					    "kdc",
+					    "iprop-stats",
+					    NULL);
+    }
+    f = fopen(fn, "w");
+    if (statfile)
+	free(statfile);
+
+    return f;
+}
+
+static void
+write_master_down(krb5_context context)
+{
+    char str[100];
+    time_t t = time(NULL);
+    FILE *fp;
+
+    fp = open_stats(context);
+    if (fp == NULL)
+	return;
+    krb5_format_time(context, t, str, sizeof(str), TRUE); 
+    fprintf(fp, "master down at %s\n", str);
+
+    fclose(fp);
+}
+
 static void
-write_stats(krb5_context context, slave *slaves, u_int32_t current_version)
+write_stats(krb5_context context, slave *slaves, uint32_t current_version)
 {
     char str[100];
     rtbl_t tbl;
     time_t t = time(NULL);
     FILE *fp;
 
-    fp = fopen(slave_stats_file, "w");
+    fp = open_stats(context);
     if (fp == NULL)
 	return;
 
-    strftime(str, sizeof(str), "%Y-%m-%d %H:%M:%S",
-	     localtime(&t));
+    krb5_format_time(context, t, str, sizeof(str), TRUE); 
     fprintf(fp, "Status for slaves, last updated: %s\n\n", str);
 
     fprintf(fp, "Master version: %lu\n\n", (unsigned long)current_version);
@@ -463,9 +686,7 @@ write_stats(krb5_context context, slave *slaves, u_int32_t current_version)
 	else
 	    rtbl_add_column_entry(tbl, SLAVE_STATUS, "Up");
 
-	if (strftime(str, sizeof(str), "%Y-%m-%d %H:%M:%S %Z", 
-		     localtime(&slaves->seen)) == 0)
-	    strlcpy(str, "Unknown time", sizeof(str));
+	ret = krb5_format_time(context, slaves->seen, str, sizeof(str), TRUE); 
 	rtbl_add_column_entry(tbl, SLAVE_SEEN, str);
 
 	slaves = slaves->next;
@@ -483,13 +704,28 @@ static int version_flag;
 static int help_flag;
 static char *keytab_str = "HDB:";
 static char *database;
+static char *config_file;
+static char *port_str;
+static int detach_from_console = 0;
 
 static struct getargs args[] = {
+    { "config-file", 'c', arg_string, &config_file },
     { "realm", 'r', arg_string, &realm },
     { "keytab", 'k', arg_string, &keytab_str,
       "keytab to get authentication from", "kspec" },
     { "database", 'd', arg_string, &database, "database", "file"},
-    { "slave-stats-file", 0, arg_string, &slave_stats_file, "file"},
+    { "slave-stats-file", 0, arg_string, &slave_stats_file, 
+      "file for slave status information", "file"},
+    { "time-missing", 0, arg_string, &slave_time_missing, 
+      "time before slave is polled for presence", "time"},
+    { "time-gone", 0, arg_string, &slave_time_gone,
+      "time of inactivity after which a slave is considered gone", "time"},
+    { "port", 0, arg_string, &port_str,
+      "port ipropd will listen to", "port"},
+    { "detach", 0, arg_flag, &detach_from_console, 
+      "detach from console" },
+    { "hostname", 0, arg_string, &master_hostname, 
+      "hostname of master (if not same as hostname)", "hostname" },
     { "version", 0, arg_flag, &version_flag },
     { "help", 0, arg_flag, &help_flag }
 };
@@ -506,11 +742,12 @@ main(int argc, char **argv)
     int signal_fd, listen_fd;
     int log_fd;
     slave *slaves = NULL;
-    u_int32_t current_version, old_version = 0;
+    uint32_t current_version = 0, old_version = 0;
     krb5_keytab keytab;
-    int optind;
+    int optidx;
+    char **files;
     
-    optind = krb5_program_setup(&context, argc, argv, args, num_args, NULL);
+    optidx = krb5_program_setup(&context, argc, argv, args, num_args, NULL);
     
     if(help_flag)
 	krb5_std_usage(0, args, num_args);
@@ -519,6 +756,32 @@ main(int argc, char **argv)
 	exit(0);
     }
 
+    setup_signal();
+
+    if (config_file == NULL) {
+	asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
+	if (config_file == NULL)
+	    errx(1, "out of memory");
+    }
+
+    ret = krb5_prepend_config_files_default(config_file, &files);
+    if (ret)
+	krb5_err(context, 1, ret, "getting configuration files");
+
+    ret = krb5_set_config_files(context, files);
+    krb5_free_config_files(files);
+    if (ret)
+	krb5_err(context, 1, ret, "reading configuration files");
+
+    time_before_gone = parse_time (slave_time_gone,  "s");
+    if (time_before_gone < 0)
+	krb5_errx (context, 1, "couldn't parse time: %s", slave_time_gone);
+    time_before_missing = parse_time (slave_time_missing,  "s");
+    if (time_before_missing < 0)
+	krb5_errx (context, 1, "couldn't parse time: %s", slave_time_missing);
+
+    if (detach_from_console)
+	daemon(0, 0);
     pidfile (NULL);
     krb5_openlog (context, "ipropd-master", &log_facility);
     krb5_set_warn_dest(context, log_facility);
@@ -553,16 +816,19 @@ main(int argc, char **argv)
 		  server_context->log_context.log_file);
 
     signal_fd = make_signal_socket (context);
-    listen_fd = make_listen_socket (context);
+    listen_fd = make_listen_socket (context, port_str);
 
-    signal (SIGPIPE, SIG_IGN);
+    kadm5_log_get_version_fd (log_fd, &current_version);
 
-    for (;;) {
+    krb5_warnx(context, "ipropd-master started at version: %lu", 
+	       (unsigned long)current_version);
+
+    while(exit_flag == 0){
 	slave *p;
 	fd_set readset;
 	int max_fd = 0;
 	struct timeval to = {30, 0};
-	u_int32_t vers;
+	uint32_t vers;
 
 	if (signal_fd >= FD_SETSIZE || listen_fd >= FD_SETSIZE)
 	    krb5_errx (context, 1, "fd too large");
@@ -593,12 +859,17 @@ main(int argc, char **argv)
 	    old_version = current_version;
 	    kadm5_log_get_version_fd (log_fd, &current_version);
 
-	    if (current_version > old_version)
+	    if (current_version > old_version) {
+		krb5_warnx(context, 
+			   "Missed a signal, updating slaves %lu to %lu",
+			   (unsigned long)old_version,
+			   (unsigned long)current_version);
 		for (p = slaves; p != NULL; p = p->next) {
 		    if (p->flags & SLAVE_F_DEAD)
 			continue;
 		    send_diffs (context, p, log_fd, database, current_version);
 		}
+	    }
 	}
 
 	if (ret && FD_ISSET(signal_fd, &readset)) {
@@ -611,28 +882,56 @@ main(int argc, char **argv)
 		continue;
 	    }
 	    --ret;
+	    assert(ret >= 0);
 	    old_version = current_version;
 	    kadm5_log_get_version_fd (log_fd, &current_version);
-	    for (p = slaves; p != NULL; p = p->next)
-		send_diffs (context, p, log_fd, database, current_version);
-	}
+	    if (current_version > old_version) {
+		krb5_warnx(context, 
+			   "Got a signal, updating slaves %lu to %lu",
+			   (unsigned long)old_version,
+			   (unsigned long)current_version);
+		for (p = slaves; p != NULL; p = p->next)
+		    send_diffs (context, p, log_fd, database, current_version);
+	    } else {
+		krb5_warnx(context, 
+			   "Got a signal, but no update in log version %lu",
+			   (unsigned long)current_version);
+	    }
+        }
 
-	for(p = slaves; ret && p != NULL; p = p->next) {
+	for(p = slaves; p != NULL; p = p->next) {
 	    if (p->flags & SLAVE_F_DEAD)
-		continue;
-	    if (FD_ISSET(p->fd, &readset)) {
+	        continue;
+	    if (ret && FD_ISSET(p->fd, &readset)) {
 		--ret;
+		assert(ret >= 0);
 		if(process_msg (context, p, log_fd, database, current_version))
-		    slave_dead(p);
+		    slave_dead(context, p);
+	    } else if (slave_gone_p (p))
+		slave_dead(context, p);
+	    else if (slave_missing_p (p)) {
+		krb5_warnx(context, "slave %s missing, sending AYT", p->name);
+		send_are_you_there (context, p);
 	    }
 	}
 
 	if (ret && FD_ISSET(listen_fd, &readset)) {
 	    add_slave (context, keytab, &slaves, listen_fd);
 	    --ret;
+	    assert(ret >= 0);
 	}
 	write_stats(context, slaves, current_version);
     }
 
+    if(exit_flag == SIGXCPU)
+	krb5_warnx(context, "%s CPU time limit exceeded", getprogname());
+    else if(exit_flag == SIGINT || exit_flag == SIGTERM)
+	krb5_warnx(context, "%s terminated", getprogname());
+    else
+	krb5_warnx(context, "%s unexpected exit reason: %d", 
+		   getprogname(), exit_flag);
+
+    write_master_down(context);
+
     return 0;
 }
diff --git a/crypto/heimdal/lib/kadm5/ipropd_slave.c b/crypto/heimdal/lib/kadm5/ipropd_slave.c
index abeb29d..482a3f7 100644
--- a/crypto/heimdal/lib/kadm5/ipropd_slave.c
+++ b/crypto/heimdal/lib/kadm5/ipropd_slave.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,12 +33,16 @@
 
 #include "iprop.h"
 
-RCSID("$Id: ipropd_slave.c,v 1.27.2.1 2003/08/15 16:45:15 lha Exp $");
+RCSID("$Id: ipropd_slave.c 22211 2007-12-07 19:27:27Z lha $");
 
 static krb5_log_facility *log_facility;
+static char *server_time_lost = "5 min";
+static int time_before_lost;
+const char *slave_str = NULL;
 
 static int
-connect_to_master (krb5_context context, const char *master)
+connect_to_master (krb5_context context, const char *master,
+		   const char *port_str)
 {
     int fd;
     struct sockaddr_in addr;
@@ -49,8 +53,23 @@ connect_to_master (krb5_context context, const char *master)
 	krb5_err (context, 1, errno, "socket AF_INET");
     memset (&addr, 0, sizeof(addr));
     addr.sin_family = AF_INET;
-    addr.sin_port   = krb5_getportbyname (context,
-					  IPROP_SERVICE, "tcp", IPROP_PORT);
+    if (port_str) {
+	addr.sin_port = krb5_getportbyname (context,
+					    port_str, "tcp", 
+					    0);
+	if (addr.sin_port == 0) {
+	    char *ptr;
+	    long port;
+	    
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		krb5_errx (context, 1, "bad port `%s'", port_str);
+	    addr.sin_port = htons(port);
+	}
+    } else {
+	addr.sin_port = krb5_getportbyname (context, IPROP_SERVICE, 
+					    "tcp", IPROP_PORT);
+    }
     he = roken_gethostbyname (master);
     if (he == NULL)
 	krb5_errx (context, 1, "gethostbyname: %s", hstrerror(h_errno));
@@ -62,12 +81,12 @@ connect_to_master (krb5_context context, const char *master)
 
 static void
 get_creds(krb5_context context, const char *keytab_str,
-	  krb5_ccache *cache, const char *host)
+	  krb5_ccache *cache, const char *serverhost)
 {
     krb5_keytab keytab;
     krb5_principal client;
     krb5_error_code ret;
-    krb5_get_init_creds_opt init_opts;
+    krb5_get_init_creds_opt *init_opts;
     krb5_creds creds;
     char *server;
     char keytab_buf[256];
@@ -83,19 +102,22 @@ get_creds(krb5_context context, const char *keytab_str,
     if(ret)
 	krb5_err(context, 1, ret, "%s", keytab_str);
     
-    ret = krb5_sname_to_principal (context, NULL, IPROP_NAME,
+
+    ret = krb5_sname_to_principal (context, slave_str, IPROP_NAME,
 				   KRB5_NT_SRV_HST, &client);
     if (ret) krb5_err(context, 1, ret, "krb5_sname_to_principal");
 
-    krb5_get_init_creds_opt_init(&init_opts);
+    ret = krb5_get_init_creds_opt_alloc(context, &init_opts);
+    if (ret) krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
 
-    asprintf (&server, "%s/%s", IPROP_NAME, host);
+    asprintf (&server, "%s/%s", IPROP_NAME, serverhost);
     if (server == NULL)
 	krb5_errx (context, 1, "malloc: no memory");
 
     ret = krb5_get_init_creds_keytab(context, &creds, client, keytab,
-				     0, server, &init_opts);
+				     0, server, init_opts);
     free (server);
+    krb5_get_init_creds_opt_free(context, init_opts);
     if(ret) krb5_err(context, 1, ret, "krb5_get_init_creds");
     
     ret = krb5_kt_close(context, keytab);
@@ -113,12 +135,12 @@ get_creds(krb5_context context, const char *keytab_str,
 
 static void
 ihave (krb5_context context, krb5_auth_context auth_context,
-       int fd, u_int32_t version)
+       int fd, uint32_t version)
 {
     int ret;
     u_char buf[8];
     krb5_storage *sp;
-    krb5_data data, priv_data;
+    krb5_data data;
 
     sp = krb5_storage_from_mem (buf, 8);
     krb5_store_int32 (sp, I_HAVE);
@@ -127,15 +149,9 @@ ihave (krb5_context context, krb5_auth_context auth_context,
     data.length = 8;
     data.data   = buf;
     
-    ret = krb5_mk_priv (context, auth_context, &data, &priv_data, NULL);
+    ret = krb5_write_priv_message(context, auth_context, &fd, &data);
     if (ret)
-	krb5_err (context, 1, ret, "krb_mk_priv");
-
-    ret = krb5_write_message (context, &fd, &priv_data);
-    if (ret)
-	krb5_err (context, 1, ret, "krb5_write_message");
-
-    krb5_data_free (&priv_data);
+	krb5_err (context, 1, ret, "krb5_write_priv_message");
 }
 
 static void
@@ -146,8 +162,12 @@ receive_loop (krb5_context context,
     int ret;
     off_t left, right;
     void *buf;
-    int32_t vers;
+    int32_t vers, vers2;
+    ssize_t sret;
 
+    /*
+     * Seek to the current version of the local database.
+     */
     do {
 	int32_t len, timestamp, tmp;
 	enum kadm_ops op;
@@ -159,43 +179,98 @@ receive_loop (krb5_context context,
 	op = tmp;
 	krb5_ret_int32 (sp, &len);
 	if (vers <= server_context->log_context.version)
-	    krb5_storage_seek(sp, len, SEEK_CUR);
+	    krb5_storage_seek(sp, len + 8, SEEK_CUR);
     } while(vers <= server_context->log_context.version);
 
+    /*
+     * Read up rest of the entires into the memory...
+     */
     left  = krb5_storage_seek (sp, -16, SEEK_CUR);
     right = krb5_storage_seek (sp, 0, SEEK_END);
     buf = malloc (right - left);
-    if (buf == NULL && (right - left) != 0) {
-	krb5_warnx (context, "malloc: no memory");
-	return;
-    }
+    if (buf == NULL && (right - left) != 0)
+	krb5_errx (context, 1, "malloc: no memory");
+
+    /*
+     * ...and then write them out to the on-disk log.
+     */
     krb5_storage_seek (sp, left, SEEK_SET);
     krb5_storage_read (sp, buf, right - left);
-    write (server_context->log_context.log_fd, buf, right-left);
-    fsync (server_context->log_context.log_fd);
+    sret = write (server_context->log_context.log_fd, buf, right-left);
+    if (sret != right - left)
+	krb5_err(context, 1, errno, "Failed to write log to disk");
+    ret = fsync (server_context->log_context.log_fd);
+    if (ret)
+	krb5_err(context, 1, errno, "Failed to sync log to disk");
     free (buf);
 
+    /*
+     * Go back to the startpoint and start to commit the entires to
+     * the database.
+     */
     krb5_storage_seek (sp, left, SEEK_SET);
 
     for(;;) {
-	int32_t len, timestamp, tmp;
+	int32_t len, len2, timestamp, tmp;
+	off_t cur, cur2;
 	enum kadm_ops op;
 
 	if(krb5_ret_int32 (sp, &vers) != 0)
 	    break;
-	krb5_ret_int32 (sp, &timestamp);
-	krb5_ret_int32 (sp, &tmp);
+	ret = krb5_ret_int32 (sp, &timestamp);
+	if (ret) krb5_errx(context, 1, "entry %ld: too short", (long)vers);
+	ret = krb5_ret_int32 (sp, &tmp);
+	if (ret) krb5_errx(context, 1, "entry %ld: too short", (long)vers);
 	op = tmp;
-	krb5_ret_int32 (sp, &len);
+	ret = krb5_ret_int32 (sp, &len);
+	if (ret) krb5_errx(context, 1, "entry %ld: too short", (long)vers);
+	if (len < 0)
+	    krb5_errx(context, 1, "log is corrupted, "
+			"negative length of entry version %ld: %ld",
+			(long)vers, (long)len);
+	cur = krb5_storage_seek(sp, 0, SEEK_CUR);
+
+	krb5_warnx (context, "replaying entry %d", (int)vers);
 
 	ret = kadm5_log_replay (server_context,
 				op, vers, len, sp);
-	if (ret)
-	    krb5_warn (context, ret, "kadm5_log_replay");
-	else
-	    server_context->log_context.version = vers;
-	krb5_storage_seek (sp, 8, SEEK_CUR);
+	if (ret) {
+	    char *s = krb5_get_error_message(server_context->context, ret);
+	    krb5_warnx (context,
+		       "kadm5_log_replay: %ld. Lost entry entry, "
+		       "Database out of sync ?: %s (%d)",
+			(long)vers, s ? s : "unknown error", ret);
+	    krb5_xfree(s);
+	}
+
+	{
+	    /* 
+	     * Make sure the krb5_log_replay does the right thing wrt
+	     * reading out data from the sp.
+	     */
+	    cur2 = krb5_storage_seek(sp, 0, SEEK_CUR);
+	    if (cur + len != cur2)
+		krb5_errx(context, 1, 
+			  "kadm5_log_reply version: %ld didn't read the whole entry",
+			  (long)vers);
+	}
+
+	if (krb5_ret_int32 (sp, &len2) != 0)
+	    krb5_errx(context, 1, "entry %ld: postamble too short", (long)vers);
+	if(krb5_ret_int32 (sp, &vers2) != 0)
+	    krb5_errx(context, 1, "entry %ld: postamble too short", (long)vers);
+
+	if (len != len2)
+	    krb5_errx(context, 1, "entry %ld: len != len2", (long)vers);
+	if (vers != vers2)
+	    krb5_errx(context, 1, "entry %ld: vers != vers2", (long)vers);
     }
+
+    /*
+     * Update version
+     */
+
+    server_context->log_context.version = vers;
 }
 
 static void
@@ -205,20 +280,45 @@ receive (krb5_context context,
 {
     int ret;
 
-    ret = server_context->db->open(context,
-				   server_context->db,
-				   O_RDWR | O_CREAT, 0600);
+    ret = server_context->db->hdb_open(context,
+				       server_context->db,
+				       O_RDWR | O_CREAT, 0600);
     if (ret)
 	krb5_err (context, 1, ret, "db->open");
 
     receive_loop (context, sp, server_context);
 
-    ret = server_context->db->close (context, server_context->db);
+    ret = server_context->db->hdb_close (context, server_context->db);
     if (ret)
 	krb5_err (context, 1, ret, "db->close");
 }
 
 static void
+send_im_here (krb5_context context, int fd,
+	      krb5_auth_context auth_context)
+{
+    krb5_storage *sp;
+    krb5_data data;
+    int ret;
+
+    ret = krb5_data_alloc (&data, 4);
+    if (ret)
+	krb5_err (context, 1, ret, "send_im_here");
+
+    sp = krb5_storage_from_data (&data);
+    if (sp == NULL)
+	krb5_errx (context, 1, "krb5_storage_from_data");
+    krb5_store_int32(sp, I_AM_HERE);
+    krb5_storage_free(sp);
+
+    ret = krb5_write_priv_message(context, auth_context, &fd, &data);
+    krb5_data_free(&data);
+
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_write_priv_message");
+}
+
+static void
 receive_everything (krb5_context context, int fd,
 		    kadm5_server_context *server_context,
 		    krb5_auth_context auth_context)
@@ -227,12 +327,14 @@ receive_everything (krb5_context context, int fd,
     krb5_data data;
     int32_t vno;
     int32_t opcode;
-    unsigned long tmp;
+    krb5_storage *sp;
 
     char *dbname;
     HDB *mydb;
   
-    asprintf(&dbname, "%s-NEW", server_context->db->name);
+    krb5_warnx(context, "receive complete database");
+
+    asprintf(&dbname, "%s-NEW", server_context->db->hdb_name);
     ret = hdb_create(context, &mydb, dbname);
     if(ret)
 	krb5_err(context,1, ret, "hdb_create");
@@ -245,47 +347,54 @@ receive_everything (krb5_context context, int fd,
  
     /* I really want to use O_EXCL here, but given that I can't easily clean
        up on error, I won't */
-    ret = mydb->open(context, mydb, O_RDWR | O_CREAT | O_TRUNC, 0600);
-
+    ret = mydb->hdb_open(context, mydb, O_RDWR | O_CREAT | O_TRUNC, 0600);
     if (ret)
 	krb5_err (context, 1, ret, "db->open");
 
+    sp = NULL;
     do {
-	krb5_storage *sp;
-
 	ret = krb5_read_priv_message(context, auth_context, &fd, &data);
 
 	if (ret)
 	    krb5_err (context, 1, ret, "krb5_read_priv_message");
 
 	sp = krb5_storage_from_data (&data);
+	if (sp == NULL)
+	    krb5_errx (context, 1, "krb5_storage_from_data");
 	krb5_ret_int32 (sp, &opcode);
 	if (opcode == ONE_PRINC) {
 	    krb5_data fake_data;
-	    hdb_entry entry;
+	    hdb_entry_ex entry;
+
+	    krb5_storage_free(sp);
 
 	    fake_data.data   = (char *)data.data + 4;
 	    fake_data.length = data.length - 4;
 
-	    ret = hdb_value2entry (context, &fake_data, &entry);
+	    memset(&entry, 0, sizeof(entry));
+
+	    ret = hdb_value2entry (context, &fake_data, &entry.entry);
 	    if (ret)
 		krb5_err (context, 1, ret, "hdb_value2entry");
-	    ret = mydb->store(server_context->context,
-			      mydb,
-			      0, &entry);
+	    ret = mydb->hdb_store(server_context->context,
+				  mydb,
+				  0, &entry);
 	    if (ret)
 		krb5_err (context, 1, ret, "hdb_store");
 
 	    hdb_free_entry (context, &entry);
 	    krb5_data_free (&data);
-	}
+	} else if (opcode == NOW_YOU_HAVE)
+	    ;
+	else
+	    krb5_errx (context, 1, "strange opcode %d", opcode);
     } while (opcode == ONE_PRINC);
 
     if (opcode != NOW_YOU_HAVE)
 	krb5_errx (context, 1, "receive_everything: strange %d", opcode);
 
-    _krb5_get_int ((char *)data.data + 4, &tmp, 4);
-    vno = tmp;
+    krb5_ret_int32 (sp, &vno);
+    krb5_storage_free(sp);
 
     ret = kadm5_log_reinit (server_context);
     if (ret)
@@ -301,41 +410,48 @@ receive_everything (krb5_context context, int fd,
 
     krb5_data_free (&data);
 
-    ret = mydb->rename (context, mydb, server_context->db->name);
+    ret = mydb->hdb_rename (context, mydb, server_context->db->hdb_name);
     if (ret)
 	krb5_err (context, 1, ret, "db->rename");
 
-    ret = mydb->close (context, mydb);
+    ret = mydb->hdb_close (context, mydb);
     if (ret)
 	krb5_err (context, 1, ret, "db->close");
 
-    ret = mydb->destroy (context, mydb);
+    ret = mydb->hdb_destroy (context, mydb);
     if (ret)
 	krb5_err (context, 1, ret, "db->destroy");
+
+    krb5_warnx(context, "receive complete database, version %ld", (long)vno);
 }
 
+static char *config_file;
 static char *realm;
 static int version_flag;
 static int help_flag;
 static char *keytab_str;
+static char *port_str;
+static int detach_from_console = 0;
 
 static struct getargs args[] = {
+    { "config-file", 'c', arg_string, &config_file },
     { "realm", 'r', arg_string, &realm },
     { "keytab", 'k', arg_string, &keytab_str,
       "keytab to get authentication from", "kspec" },
+    { "time-lost", 0, arg_string, &server_time_lost,
+      "time before server is considered lost", "time" },
+    { "port", 0, arg_string, &port_str,
+      "port ipropd-slave will connect to", "port"},
+    { "detach", 0, arg_flag, &detach_from_console, 
+      "detach from console" },
+    { "hostname", 0, arg_string, &slave_str, 
+      "hostname of slave (if not same as hostname)", "hostname" },
     { "version", 0, arg_flag, &version_flag },
     { "help", 0, arg_flag, &help_flag }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);
 
-static void
-usage (int code, struct getargs *args, int num_args)
-{
-    arg_printusage (args, num_args, NULL, "master");
-    exit (code);
-}
-
 int
 main(int argc, char **argv)
 {
@@ -348,27 +464,47 @@ main(int argc, char **argv)
     int master_fd;
     krb5_ccache ccache;
     krb5_principal server;
+    char **files;
+    int optidx;
 
-    int optind;
     const char *master;
     
-    optind = krb5_program_setup(&context, argc, argv, args, num_args, usage);
+    optidx = krb5_program_setup(&context, argc, argv, args, num_args, NULL);
     
     if(help_flag)
-	usage (0, args, num_args);
+	krb5_std_usage(0, args, num_args);
     if(version_flag) {
 	print_version(NULL);
 	exit(0);
     }
 
-    argc -= optind;
-    argv += optind;
+    setup_signal();
+
+    if (config_file == NULL) {
+	asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
+	if (config_file == NULL)
+	    errx(1, "out of memory");
+    }
+
+    ret = krb5_prepend_config_files_default(config_file, &files);
+    if (ret)
+	krb5_err(context, 1, ret, "getting configuration files");
+
+    ret = krb5_set_config_files(context, files);
+    krb5_free_config_files(files);
+    if (ret)
+	krb5_err(context, 1, ret, "reading configuration files");
+
+    argc -= optidx;
+    argv += optidx;
 
     if (argc != 1)
-	usage (1, args, num_args);
+	krb5_std_usage(1, args, num_args);
 
     master = argv[0];
 
+    if (detach_from_console)
+	daemon(0, 0);
     pidfile (NULL);
     krb5_openlog (context, "ipropd-slave", &log_facility);
     krb5_set_warn_dest(context, log_facility);
@@ -377,6 +513,10 @@ main(int argc, char **argv)
     if(ret)
 	krb5_err(context, 1, ret, "krb5_kt_register");
 
+    time_before_lost = parse_time (server_time_lost,  "s");
+    if (time_before_lost < 0)
+	krb5_errx (context, 1, "couldn't parse time: %s", server_time_lost);
+
     memset(&conf, 0, sizeof(conf));
     if(realm) {
 	conf.mask |= KADM5_CONFIG_REALM;
@@ -399,7 +539,7 @@ main(int argc, char **argv)
 
     get_creds(context, keytab_str, &ccache, master);
 
-    master_fd = connect_to_master (context, master);
+    master_fd = connect_to_master (context, master, port_str);
 
     ret = krb5_sname_to_principal (context, master, IPROP_NAME,
 				   KRB5_NT_SRV_HST, &server);
@@ -414,14 +554,39 @@ main(int argc, char **argv)
     if (ret)
 	krb5_err (context, 1, ret, "krb5_sendauth");
 
+    krb5_warnx(context, "ipropd-slave started at version: %ld",
+	       (long)server_context->log_context.version);
+
     ihave (context, auth_context, master_fd,
 	   server_context->log_context.version);
 
-    for (;;) {
-	int ret;
+    while (exit_flag == 0) {
 	krb5_data out;
 	krb5_storage *sp;
 	int32_t tmp;
+	fd_set readset;
+	struct timeval to;
+
+	if (master_fd >= FD_SETSIZE)
+	    krb5_errx (context, 1, "fd too large");
+
+	FD_ZERO(&readset);
+	FD_SET(master_fd, &readset);
+
+	to.tv_sec = time_before_lost;
+	to.tv_usec = 0;
+
+	ret = select (master_fd + 1,
+		      &readset, NULL, NULL, &to);
+	if (ret < 0) {
+	    if (errno == EINTR)
+		continue;
+	    else
+		krb5_err (context, 1, errno, "select");
+	}
+	if (ret == 0)
+	    krb5_errx (context, 1, "server didn't send a message "
+		       "in %d seconds", time_before_lost);
 
 	ret = krb5_read_priv_message(context, auth_context, &master_fd, &out);
 
@@ -440,9 +605,13 @@ main(int argc, char **argv)
 	    receive_everything (context, master_fd, server_context,
 				auth_context);
 	    break;
+	case ARE_YOU_THERE :
+	    send_im_here (context, master_fd, auth_context);
+	    break;
 	case NOW_YOU_HAVE :
 	case I_HAVE :
 	case ONE_PRINC :
+	case I_AM_HERE :
 	default :
 	    krb5_warnx (context, "Ignoring command %d", tmp);
 	    break;
@@ -451,5 +620,13 @@ main(int argc, char **argv)
 	krb5_data_free (&out);
     }
     
+    if(exit_flag == SIGXCPU)
+	krb5_warnx(context, "%s CPU time limit exceeded", getprogname());
+    else if(exit_flag == SIGINT || exit_flag == SIGTERM)
+	krb5_warnx(context, "%s terminated", getprogname());
+    else
+	krb5_warnx(context, "%s unexpected exit reason: %d", 
+		   getprogname(), exit_flag);
+
     return 0;
 }
diff --git a/crypto/heimdal/lib/kadm5/kadm5-private.h b/crypto/heimdal/lib/kadm5/kadm5-private.h
index 63e579f..56b2b32 100644
--- a/crypto/heimdal/lib/kadm5/kadm5-private.h
+++ b/crypto/heimdal/lib/kadm5/kadm5-private.h
@@ -18,6 +18,17 @@ _kadm5_bump_pw_expire (
 	kadm5_server_context */*context*/,
 	hdb_entry */*ent*/);
 
+krb5_error_code
+_kadm5_c_get_cred_cache (
+	krb5_context /*context*/,
+	const char */*client_name*/,
+	const char */*server_name*/,
+	const char */*password*/,
+	krb5_prompter_fct /*prompter*/,
+	const char */*keytab*/,
+	krb5_ccache /*ccache*/,
+	krb5_ccache */*ret_cache*/);
+
 kadm5_ret_t
 _kadm5_c_init_context (
 	kadm5_client_context **/*ctx*/,
@@ -49,7 +60,7 @@ _kadm5_error_code (kadm5_ret_t /*code*/);
 
 void
 _kadm5_free_keys (
-	kadm5_server_context */*context*/,
+	krb5_context /*context*/,
 	int /*len*/,
 	Key */*keys*/);
 
@@ -66,7 +77,7 @@ _kadm5_marshal_params (
 
 kadm5_ret_t
 _kadm5_privs_to_string (
-	u_int32_t /*privs*/,
+	uint32_t /*privs*/,
 	char */*string*/,
 	size_t /*len*/);
 
@@ -114,17 +125,17 @@ _kadm5_set_modifier (
 kadm5_ret_t
 _kadm5_setup_entry (
 	kadm5_server_context */*context*/,
-	hdb_entry */*ent*/,
-	u_int32_t /*mask*/,
+	hdb_entry_ex */*ent*/,
+	uint32_t /*mask*/,
 	kadm5_principal_ent_t /*princ*/,
-	u_int32_t /*princ_mask*/,
+	uint32_t /*princ_mask*/,
 	kadm5_principal_ent_t /*def*/,
-	u_int32_t /*def_mask*/);
+	uint32_t /*def_mask*/);
 
 kadm5_ret_t
 _kadm5_string_to_privs (
 	const char */*s*/,
-	u_int32_t* /*privs*/);
+	uint32_t* /*privs*/);
 
 kadm5_ret_t
 _kadm5_unmarshal_params (
@@ -136,7 +147,7 @@ kadm5_ret_t
 kadm5_c_chpass_principal (
 	void */*server_handle*/,
 	krb5_principal /*princ*/,
-	char */*password*/);
+	const char */*password*/);
 
 kadm5_ret_t
 kadm5_c_chpass_principal_with_key (
@@ -149,8 +160,8 @@ kadm5_ret_t
 kadm5_c_create_principal (
 	void */*server_handle*/,
 	kadm5_principal_ent_t /*princ*/,
-	u_int32_t /*mask*/,
-	char */*password*/);
+	uint32_t /*mask*/,
+	const char */*password*/);
 
 kadm5_ret_t
 kadm5_c_delete_principal (
@@ -168,19 +179,19 @@ kadm5_c_get_principal (
 	void */*server_handle*/,
 	krb5_principal /*princ*/,
 	kadm5_principal_ent_t /*out*/,
-	u_int32_t /*mask*/);
+	uint32_t /*mask*/);
 
 kadm5_ret_t
 kadm5_c_get_principals (
 	void */*server_handle*/,
-	const char */*exp*/,
+	const char */*expression*/,
 	char ***/*princs*/,
 	int */*count*/);
 
 kadm5_ret_t
 kadm5_c_get_privs (
 	void */*server_handle*/,
-	u_int32_t */*privs*/);
+	uint32_t */*privs*/);
 
 kadm5_ret_t
 kadm5_c_init_with_creds (
@@ -249,7 +260,7 @@ kadm5_ret_t
 kadm5_c_modify_principal (
 	void */*server_handle*/,
 	kadm5_principal_ent_t /*princ*/,
-	u_int32_t /*mask*/);
+	uint32_t /*mask*/);
 
 kadm5_ret_t
 kadm5_c_randkey_principal (
@@ -280,17 +291,18 @@ kadm5_log_end (kadm5_server_context */*context*/);
 kadm5_ret_t
 kadm5_log_foreach (
 	kadm5_server_context */*context*/,
-	void (*/*func*/)(kadm5_server_context *server_context, u_int32_t ver, time_t timestamp, enum kadm_ops op, u_int32_t len, krb5_storage *sp));
+	void (*/*func*/)(kadm5_server_context *server_context, uint32_t ver, time_t timestamp, enum kadm_ops op, uint32_t len, krb5_storage *, void *),
+	void */*ctx*/);
 
 kadm5_ret_t
 kadm5_log_get_version (
 	kadm5_server_context */*context*/,
-	u_int32_t */*ver*/);
+	uint32_t */*ver*/);
 
 kadm5_ret_t
 kadm5_log_get_version_fd (
 	int /*fd*/,
-	u_int32_t */*ver*/);
+	uint32_t */*ver*/);
 
 krb5_storage *
 kadm5_log_goto_end (int /*fd*/);
@@ -302,18 +314,19 @@ kadm5_ret_t
 kadm5_log_modify (
 	kadm5_server_context */*context*/,
 	hdb_entry */*ent*/,
-	u_int32_t /*mask*/);
+	uint32_t /*mask*/);
 
 kadm5_ret_t
 kadm5_log_nop (kadm5_server_context */*context*/);
 
 kadm5_ret_t
 kadm5_log_previous (
+	krb5_context /*context*/,
 	krb5_storage */*sp*/,
-	u_int32_t */*ver*/,
+	uint32_t */*ver*/,
 	time_t */*timestamp*/,
 	enum kadm_ops */*op*/,
-	u_int32_t */*len*/);
+	uint32_t */*len*/);
 
 kadm5_ret_t
 kadm5_log_reinit (kadm5_server_context */*context*/);
@@ -328,49 +341,17 @@ kadm5_ret_t
 kadm5_log_replay (
 	kadm5_server_context */*context*/,
 	enum kadm_ops /*op*/,
-	u_int32_t /*ver*/,
-	u_int32_t /*len*/,
-	krb5_storage */*sp*/);
-
-kadm5_ret_t
-kadm5_log_replay_create (
-	kadm5_server_context */*context*/,
-	u_int32_t /*ver*/,
-	u_int32_t /*len*/,
-	krb5_storage */*sp*/);
-
-kadm5_ret_t
-kadm5_log_replay_delete (
-	kadm5_server_context */*context*/,
-	u_int32_t /*ver*/,
-	u_int32_t /*len*/,
-	krb5_storage */*sp*/);
-
-kadm5_ret_t
-kadm5_log_replay_modify (
-	kadm5_server_context */*context*/,
-	u_int32_t /*ver*/,
-	u_int32_t /*len*/,
-	krb5_storage */*sp*/);
-
-kadm5_ret_t
-kadm5_log_replay_nop (
-	kadm5_server_context */*context*/,
-	u_int32_t /*ver*/,
-	u_int32_t /*len*/,
-	krb5_storage */*sp*/);
-
-kadm5_ret_t
-kadm5_log_replay_rename (
-	kadm5_server_context */*context*/,
-	u_int32_t /*ver*/,
-	u_int32_t /*len*/,
+	uint32_t /*ver*/,
+	uint32_t /*len*/,
 	krb5_storage */*sp*/);
 
 kadm5_ret_t
 kadm5_log_set_version (
 	kadm5_server_context */*context*/,
-	u_int32_t /*vno*/);
+	uint32_t /*vno*/);
+
+const char *
+kadm5_log_signal_socket (krb5_context /*context*/);
 
 kadm5_ret_t
 kadm5_log_truncate (kadm5_server_context */*server_context*/);
@@ -379,13 +360,13 @@ kadm5_ret_t
 kadm5_s_chpass_principal (
 	void */*server_handle*/,
 	krb5_principal /*princ*/,
-	char */*password*/);
+	const char */*password*/);
 
 kadm5_ret_t
 kadm5_s_chpass_principal_cond (
 	void */*server_handle*/,
 	krb5_principal /*princ*/,
-	char */*password*/);
+	const char */*password*/);
 
 kadm5_ret_t
 kadm5_s_chpass_principal_with_key (
@@ -398,14 +379,14 @@ kadm5_ret_t
 kadm5_s_create_principal (
 	void */*server_handle*/,
 	kadm5_principal_ent_t /*princ*/,
-	u_int32_t /*mask*/,
-	char */*password*/);
+	uint32_t /*mask*/,
+	const char */*password*/);
 
 kadm5_ret_t
 kadm5_s_create_principal_with_key (
 	void */*server_handle*/,
 	kadm5_principal_ent_t /*princ*/,
-	u_int32_t /*mask*/);
+	uint32_t /*mask*/);
 
 kadm5_ret_t
 kadm5_s_delete_principal (
@@ -423,19 +404,19 @@ kadm5_s_get_principal (
 	void */*server_handle*/,
 	krb5_principal /*princ*/,
 	kadm5_principal_ent_t /*out*/,
-	u_int32_t /*mask*/);
+	uint32_t /*mask*/);
 
 kadm5_ret_t
 kadm5_s_get_principals (
 	void */*server_handle*/,
-	const char */*exp*/,
+	const char */*expression*/,
 	char ***/*princs*/,
 	int */*count*/);
 
 kadm5_ret_t
 kadm5_s_get_privs (
 	void */*server_handle*/,
-	u_int32_t */*privs*/);
+	uint32_t */*privs*/);
 
 kadm5_ret_t
 kadm5_s_init_with_creds (
@@ -504,7 +485,7 @@ kadm5_ret_t
 kadm5_s_modify_principal (
 	void */*server_handle*/,
 	kadm5_principal_ent_t /*princ*/,
-	u_int32_t /*mask*/);
+	uint32_t /*mask*/);
 
 kadm5_ret_t
 kadm5_s_randkey_principal (
diff --git a/crypto/heimdal/lib/kadm5/kadm5-protos.h b/crypto/heimdal/lib/kadm5/kadm5-protos.h
index c0a0cce..eebae95 100644
--- a/crypto/heimdal/lib/kadm5/kadm5-protos.h
+++ b/crypto/heimdal/lib/kadm5/kadm5-protos.h
@@ -4,6 +4,36 @@
 
 #include <stdarg.h>
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+kadm5_ret_t
+kadm5_ad_init_with_password (
+	const char */*client_name*/,
+	const char */*password*/,
+	const char */*service_name*/,
+	kadm5_config_params */*realm_params*/,
+	unsigned long /*struct_version*/,
+	unsigned long /*api_version*/,
+	void **/*server_handle*/);
+
+kadm5_ret_t
+kadm5_ad_init_with_password_ctx (
+	krb5_context /*context*/,
+	const char */*client_name*/,
+	const char */*password*/,
+	const char */*service_name*/,
+	kadm5_config_params */*realm_params*/,
+	unsigned long /*struct_version*/,
+	unsigned long /*api_version*/,
+	void **/*server_handle*/);
+
+krb5_error_code
+kadm5_add_passwd_quality_verifier (
+	krb5_context /*context*/,
+	const char */*check_library*/);
+
 const char *
 kadm5_check_password_quality (
 	krb5_context /*context*/,
@@ -14,7 +44,7 @@ kadm5_ret_t
 kadm5_chpass_principal (
 	void */*server_handle*/,
 	krb5_principal /*princ*/,
-	char */*password*/);
+	const char */*password*/);
 
 kadm5_ret_t
 kadm5_chpass_principal_with_key (
@@ -27,8 +57,8 @@ kadm5_ret_t
 kadm5_create_principal (
 	void */*server_handle*/,
 	kadm5_principal_ent_t /*princ*/,
-	u_int32_t /*mask*/,
-	char */*password*/);
+	uint32_t /*mask*/,
+	const char */*password*/);
 
 kadm5_ret_t
 kadm5_delete_principal (
@@ -63,19 +93,19 @@ kadm5_get_principal (
 	void */*server_handle*/,
 	krb5_principal /*princ*/,
 	kadm5_principal_ent_t /*out*/,
-	u_int32_t /*mask*/);
+	uint32_t /*mask*/);
 
 kadm5_ret_t
 kadm5_get_principals (
 	void */*server_handle*/,
-	const char */*exp*/,
+	const char */*expression*/,
 	char ***/*princs*/,
 	int */*count*/);
 
 kadm5_ret_t
 kadm5_get_privs (
 	void */*server_handle*/,
-	u_int32_t */*privs*/);
+	uint32_t */*privs*/);
 
 kadm5_ret_t
 kadm5_init_with_creds (
@@ -144,7 +174,7 @@ kadm5_ret_t
 kadm5_modify_principal (
 	void */*server_handle*/,
 	kadm5_principal_ent_t /*princ*/,
-	u_int32_t /*mask*/);
+	uint32_t /*mask*/);
 
 kadm5_ret_t
 kadm5_randkey_principal (
@@ -173,7 +203,7 @@ kadm5_ret_t
 kadm5_ret_principal_ent_mask (
 	krb5_storage */*sp*/,
 	kadm5_principal_ent_t /*princ*/,
-	u_int32_t */*mask*/);
+	uint32_t */*mask*/);
 
 kadm5_ret_t
 kadm5_ret_tl_data (
@@ -200,11 +230,15 @@ kadm5_ret_t
 kadm5_store_principal_ent_mask (
 	krb5_storage */*sp*/,
 	kadm5_principal_ent_t /*princ*/,
-	u_int32_t /*mask*/);
+	uint32_t /*mask*/);
 
 kadm5_ret_t
 kadm5_store_tl_data (
 	krb5_storage */*sp*/,
 	krb5_tl_data */*tl*/);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* __kadm5_protos_h__ */
diff --git a/crypto/heimdal/lib/kadm5/kadm5-pwcheck.h b/crypto/heimdal/lib/kadm5/kadm5-pwcheck.h
new file mode 100644
index 0000000..96f3f18
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/kadm5-pwcheck.h
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: kadm5-pwcheck.h 15489 2005-06-17 06:45:52Z lha $ */
+
+#ifndef KADM5_PWCHECK_H
+#define KADM5_PWCHECK_H 1
+
+
+#define KADM5_PASSWD_VERSION_V0 0
+#define KADM5_PASSWD_VERSION_V1 1
+
+typedef const char* (*kadm5_passwd_quality_check_func_v0)(krb5_context,
+							  krb5_principal,
+							  krb5_data*);
+
+/* 
+ * The 4th argument, is a tuning parameter for the quality check
+ * function, the lib/caller will providing it for the password quality
+ * module.
+ */
+
+typedef int
+(*kadm5_passwd_quality_check_func)(krb5_context context,
+				   krb5_principal principal,
+				   krb5_data *password,
+				   const char *tuning,
+				   char *message,
+				   size_t length);
+
+struct kadm5_pw_policy_check_func {
+    const char *name;
+    kadm5_passwd_quality_check_func func;
+};
+
+struct kadm5_pw_policy_verifier {
+    const char *name;
+    int version;
+    const char *vendor;
+    const struct kadm5_pw_policy_check_func *funcs;
+};
+
+#endif /* KADM5_PWCHECK_H */
diff --git a/crypto/heimdal/lib/kadm5/kadm5_err.et b/crypto/heimdal/lib/kadm5/kadm5_err.et
index 674fbe7..1ac624a 100644
--- a/crypto/heimdal/lib/kadm5/kadm5_err.et
+++ b/crypto/heimdal/lib/kadm5/kadm5_err.et
@@ -3,7 +3,7 @@
 #
 # This might look like a com_err file, but is not
 #
-id "$Id: kadm5_err.et,v 1.5 2001/12/06 17:02:55 assar Exp $"
+id "$Id: kadm5_err.et 16683 2006-02-02 13:11:47Z lha $"
 
 error_table ovk kadm5
 
@@ -33,7 +33,7 @@ error_code BAD_MIN_PASS_LIFE,	"Password minimum life is greater than password ma
 error_code PASS_Q_TOOSHORT,	"Password is too short"
 error_code PASS_Q_CLASS,	"Password does not contain enough character classes"
 error_code PASS_Q_DICT,		"Password is in the password dictionary"
-error_code PASS_REUSE,		"Can't resuse password"
+error_code PASS_REUSE,		"Can't reuse password"
 error_code PASS_TOOSOON,	"Current password's minimum life has not expired"
 error_code POLICY_REF,		"Policy is in use"
 error_code INIT,		"Connection to server already initialized"
@@ -54,6 +54,6 @@ error_code BAD_CLIENT_PARAMS,	"Invalid configuration parameter for remote KADM5
 error_code BAD_SERVER_PARAMS,	"Invalid configuration parameter for local KADM5 client."
 error_code AUTH_LIST,		"Operation requires `list' privilege"
 error_code AUTH_CHANGEPW,	"Operation requires `change-password' privilege"
-error_code BAD_TL_TYPE,		"Programmer error!  Invalid tagged data list element type"
+error_code BAD_TL_TYPE,		"Invalid tagged data list element type"
 error_code MISSING_CONF_PARAMS,	"Required parameters in kdc.conf missing"
 error_code BAD_SERVER_NAME,	"Bad krb5 admin server hostname"
diff --git a/crypto/heimdal/lib/kadm5/kadm5_locl.h b/crypto/heimdal/lib/kadm5/kadm5_locl.h
index 6f634ed..c79e644 100644
--- a/crypto/heimdal/lib/kadm5/kadm5_locl.h
+++ b/crypto/heimdal/lib/kadm5/kadm5_locl.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: kadm5_locl.h,v 1.23 2000/07/08 11:57:40 assar Exp $ */
+/* $Id: kadm5_locl.h 8579 2000-07-08 11:57:40Z assar $ */
 
 #ifndef __KADM5_LOCL_H__
 #define __KADM5_LOCL_H__
diff --git a/crypto/heimdal/lib/kadm5/kadm5_pwcheck.3 b/crypto/heimdal/lib/kadm5/kadm5_pwcheck.3
new file mode 100644
index 0000000..ee045c9
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/kadm5_pwcheck.3
@@ -0,0 +1,146 @@
+.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: kadm5_pwcheck.3 15237 2005-05-25 13:16:27Z lha $
+.\"
+.Dd February 29, 2004
+.Dt KADM5_PWCHECK 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_pwcheck ,
+.Nm kadm5_setup_passwd_quality_check ,
+.Nm kadm5_add_passwd_quality_verifier ,
+.Nm kadm5_check_password_quality
+.Nd Heimdal warning and error functions
+.Sh LIBRARY
+Kerberos 5 Library (libkadm5srv, -lkadm5srv)
+.Sh SYNOPSIS
+.In kadm5-protos.h
+.In kadm5-pwcheck.h
+.Ft void
+.Fo kadm5_setup_passwd_quality_check
+.Fa "krb5_context context"
+.Fa "const char *check_library"
+.Fa "const char *check_function"
+.Fc
+.Ft "krb5_error_code"
+.Fo kadm5_add_passwd_quality_verifier
+.Fa "krb5_context context"
+.Fa "const char *check_library"
+.Fc
+.Ft "const char *"
+.Fo kadm5_check_password_quality
+.Fa "krb5_context context"
+.Fa "krb5_principal principal"
+.Fa "krb5_data *pwd_data"
+.Fc
+.Ft int
+.Fo "(*kadm5_passwd_quality_check_func)"
+.Fa "krb5_context context"
+.Fa "krb5_principal principal"
+.Fa "krb5_data *password"
+.Fa "const char *tuning"
+.Fa "char *message"
+.Fa "size_t length"
+.Fc
+.Sh DESCRIPTION
+These functions perform the quality check for the heimdal database
+library.
+.Pp
+There are two versions of the shared object API; the old version (0)
+is deprecated, but still supported.  The new version (1) supports
+multiple password quality checking modules in the same shared object.
+See below for details.
+.Pp
+The password quality checker will run over all tests that are
+configured by the user.
+.Pp
+Module names are of the form
+.Ql vendor:test-name
+or, if the the test name is unique enough, just
+.Ql test-name .
+.Sh IMPLEMENTING A PASSWORD QUALITY CHECKING SHARED OBJECT
+(This refers to the version 1 API only.)
+.Pp
+Module shared objects may conveniently be compiled and linked with
+.Xr libtool 1 .
+An object needs to export a symbol called
+.Ql kadm5_password_verifier
+of the type
+.Ft "struct kadm5_pw_policy_verifier" .
+.Pp
+Its
+.Ft name
+and
+.Ft vendor
+fields should be contain the obvious information and
+.Ft version
+should be
+.Dv KADM5_PASSWD_VERSION_V1 .
+.Ft funcs
+contains an array of
+.Ft "struct kadm5_pw_policy_check_func"
+structures that is terminated with an entry whose
+.Ft name
+component is
+.Dv NULL .
+The
+.Ft func
+Fields of the array elements are functions that are exported by the
+module to be called to check the password.  They get the following
+arguments:  the Kerberos context, principal, password, a tuning parameter, and
+a pointer to a message buffer and its length.  The tuning parameter
+for the quality check function is currently always
+.Dv NULL .
+If the password is acceptable, the function returns zero.  Otherwise
+it returns non-zero and fills in the message buffer with an
+appropriate explanation.
+.Sh RUNNING THE CHECKS
+.Nm kadm5_setup_passwd_quality_check
+sets up type 0 checks.  It sets up all type 0 checks defined in
+.Xr krb5.conf 5
+if called with the last two arguments null.
+.Pp
+.Nm kadm5_add_passwd_quality_verifier
+sets up type 1 checks.  It sets up all type 1 tests defined in
+.Xr krb5.conf 5
+if called with a null second argument.
+.Nm kadm5_check_password_quality
+runs the checks in the order in which they are defined in
+.Xr krb5.conf 5
+and the order in which they occur in a
+module's
+.Ft funcs
+array until one returns non-zero.
+.Sh SEE ALSO
+.Xr libtool 1 ,
+.Xr krb5 3 ,
+.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/kadm5/keys.c b/crypto/heimdal/lib/kadm5/keys.c
index 3ae21ab..2521fae 100644
--- a/crypto/heimdal/lib/kadm5/keys.c
+++ b/crypto/heimdal/lib/kadm5/keys.c
@@ -33,29 +33,17 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: keys.c,v 1.1 2000/07/22 05:53:02 assar Exp $");
+RCSID("$Id: keys.c 14297 2004-10-11 23:50:25Z lha $");
 
 /*
  * free all the memory used by (len, keys)
  */
 
 void
-_kadm5_free_keys (kadm5_server_context *context,
+_kadm5_free_keys (krb5_context context,
 		  int len, Key *keys)
 {
-    int i;
-
-    for (i = 0; i < len; ++i) {
-	free (keys[i].mkvno);
-	keys[i].mkvno = NULL;
-	if (keys[i].salt != NULL) {
-	    free_Salt(keys[i].salt);
-	    free(keys[i].salt);
-	    keys[i].salt = NULL;
-	}
-	krb5_free_keyblock_contents(context->context, &keys[i].key);
-    }
-    free (keys);
+    hdb_free_keys(context, len, keys);
 }
 
 /*
diff --git a/crypto/heimdal/lib/kadm5/log.c b/crypto/heimdal/lib/kadm5/log.c
index 8ea3ca9..5c4aaef 100644
--- a/crypto/heimdal/lib/kadm5/log.c
+++ b/crypto/heimdal/lib/kadm5/log.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,8 +32,9 @@
  */
 
 #include "kadm5_locl.h"
+#include "heim_threads.h"
 
-RCSID("$Id: log.c,v 1.20 2003/04/16 17:56:55 lha Exp $");
+RCSID("$Id: log.c 22211 2007-12-07 19:27:27Z lha $");
 
 /*
  * A log record consists of:
@@ -50,7 +51,7 @@ RCSID("$Id: log.c,v 1.20 2003/04/16 17:56:55 lha Exp $");
 
 kadm5_ret_t
 kadm5_log_get_version_fd (int fd,
-			  u_int32_t *ver)
+			  uint32_t *ver)
 {
     int ret;
     krb5_storage *sp;
@@ -73,13 +74,13 @@ kadm5_log_get_version_fd (int fd,
 }
 
 kadm5_ret_t
-kadm5_log_get_version (kadm5_server_context *context, u_int32_t *ver)
+kadm5_log_get_version (kadm5_server_context *context, uint32_t *ver)
 {
     return kadm5_log_get_version_fd (context->log_context.log_fd, ver);
 }
 
 kadm5_ret_t
-kadm5_log_set_version (kadm5_server_context *context, u_int32_t vno)
+kadm5_log_set_version (kadm5_server_context *context, uint32_t vno)
 {
     kadm5_log_context *log_context = &context->log_context;
 
@@ -97,9 +98,14 @@ kadm5_log_init (kadm5_server_context *context)
     if (log_context->log_fd != -1)
 	return 0;
     fd = open (log_context->log_file, O_RDWR | O_CREAT, 0600);
-    if (fd < 0)
+    if (fd < 0) {
+	krb5_set_error_string(context->context, "kadm5_log_init: open %s",
+			      log_context->log_file);
 	return errno;
+    }
     if (flock (fd, LOCK_EX) < 0) {
+	krb5_set_error_string(context->context, "kadm5_log_init: flock %s",
+			      log_context->log_file);
 	close (fd);
 	return errno;
     }
@@ -119,6 +125,7 @@ kadm5_log_reinit (kadm5_server_context *context)
     kadm5_log_context *log_context = &context->log_context;
 
     if (log_context->log_fd != -1) {
+	flock (log_context->log_fd, LOCK_UN);
 	close (log_context->log_fd);
 	log_context->log_fd = -1;
     }
@@ -258,25 +265,32 @@ kadm5_log_create (kadm5_server_context *context,
  * database.
  */
 
-kadm5_ret_t
+static kadm5_ret_t
 kadm5_log_replay_create (kadm5_server_context *context,
-			 u_int32_t ver,
-			 u_int32_t len,
+			 uint32_t ver,
+			 uint32_t len,
 			 krb5_storage *sp)
 {
     krb5_error_code ret;
     krb5_data data;
-    hdb_entry ent;
+    hdb_entry_ex ent;
+
+    memset(&ent, 0, sizeof(ent));
 
     ret = krb5_data_alloc (&data, len);
-    if (ret)
+    if (ret) {
+	krb5_set_error_string(context->context, "out of memory");
 	return ret;
+    }
     krb5_storage_read (sp, data.data, len);
-    ret = hdb_value2entry (context->context, &data, &ent);
+    ret = hdb_value2entry (context->context, &data, &ent.entry);
     krb5_data_free(&data);
-    if (ret)
+    if (ret) {
+	krb5_set_error_string(context->context, 
+			      "Unmarshaling hdb entry failed");
 	return ret;
-    ret = context->db->store(context->context, context->db, 0, &ent);
+    }
+    ret = context->db->hdb_store(context->context, context->db, 0, &ent);
     hdb_free_entry (context->context, &ent);
     return ret;
 }
@@ -296,33 +310,36 @@ kadm5_log_delete (kadm5_server_context *context,
     kadm5_log_context *log_context = &context->log_context;
 
     sp = krb5_storage_emem();
+    if (sp == NULL)
+	return ENOMEM;
     ret = kadm5_log_preamble (context, sp, kadm_delete);
-    if (ret) {
-	krb5_storage_free(sp);
-	return ret;
-    }
-    krb5_store_int32 (sp, 0);
+    if (ret)
+	goto out;
+    ret = krb5_store_int32 (sp, 0);
+    if (ret)
+	goto out;
     off = krb5_storage_seek (sp, 0, SEEK_CUR);
-    krb5_store_principal (sp, princ);
+    ret = krb5_store_principal (sp, princ);
+    if (ret)
+	goto out;
     len = krb5_storage_seek (sp, 0, SEEK_CUR) - off;
     krb5_storage_seek(sp, -(len + 4), SEEK_CUR);
-    krb5_store_int32 (sp, len);
+    ret = krb5_store_int32 (sp, len);
+    if (ret)
+	goto out;
     krb5_storage_seek(sp, len, SEEK_CUR);
-    krb5_store_int32 (sp, len);
-    if (ret) {
-	krb5_storage_free (sp);
-	return ret;
-    }
+    ret = krb5_store_int32 (sp, len);
+    if (ret)
+	goto out;
     ret = kadm5_log_postamble (log_context, sp);
-    if (ret) {
-	krb5_storage_free (sp);
-	return ret;
-    }
+    if (ret)
+	goto out;
     ret = kadm5_log_flush (log_context, sp);
-    krb5_storage_free (sp);
     if (ret)
-	return ret;
+	goto out;
     ret = kadm5_log_end (context);
+out:
+    krb5_storage_free (sp);
     return ret;
 }
 
@@ -330,19 +347,24 @@ kadm5_log_delete (kadm5_server_context *context,
  * Read a `delete' log operation from `sp' and apply it.
  */
 
-kadm5_ret_t
+static kadm5_ret_t
 kadm5_log_replay_delete (kadm5_server_context *context,
-			 u_int32_t ver,
-			 u_int32_t len,
+			 uint32_t ver,
+			 uint32_t len,
 			 krb5_storage *sp)
 {
     krb5_error_code ret;
-    hdb_entry ent;
+    krb5_principal principal;
 
-    krb5_ret_principal (sp, &ent.principal);
+    ret = krb5_ret_principal (sp, &principal);
+    if (ret) {
+	krb5_set_error_string(context->context,  "Failed to read deleted "
+			      "principal from log version: %ld",  (long)ver);
+	return ret;
+    }
 
-    ret = context->db->remove(context->context, context->db, &ent);
-    krb5_free_principal (context->context, ent.principal);
+    ret = context->db->hdb_remove(context->context, context->db, principal);
+    krb5_free_principal (context->context, principal);
     return ret;
 }
 
@@ -362,43 +384,53 @@ kadm5_log_rename (kadm5_server_context *context,
     krb5_data value;
     kadm5_log_context *log_context = &context->log_context;
 
+    krb5_data_zero(&value);
+
     sp = krb5_storage_emem();
     ret = hdb_entry2value (context->context, ent, &value);
-    if (ret) {
-	krb5_storage_free(sp);
-	return ret;
-    }
+    if (ret)
+	goto failed;
+
     ret = kadm5_log_preamble (context, sp, kadm_rename);
-    if (ret) {
-	krb5_storage_free(sp);
-	krb5_data_free (&value);
-	return ret;
-    }
-    krb5_store_int32 (sp, 0);
+    if (ret)
+	goto failed;
+
+    ret = krb5_store_int32 (sp, 0);
+    if (ret)
+	goto failed;
     off = krb5_storage_seek (sp, 0, SEEK_CUR);
-    krb5_store_principal (sp, source);
+    ret = krb5_store_principal (sp, source);
+    if (ret)
+	goto failed;
+
     krb5_storage_write(sp, value.data, value.length);
-    krb5_data_free (&value);
     len = krb5_storage_seek (sp, 0, SEEK_CUR) - off;
 
     krb5_storage_seek(sp, -(len + 4), SEEK_CUR);
-    krb5_store_int32 (sp, len);
+    ret = krb5_store_int32 (sp, len);
+    if (ret)
+	goto failed;
+
     krb5_storage_seek(sp, len, SEEK_CUR);
-    krb5_store_int32 (sp, len);
-    if (ret) {
-	krb5_storage_free (sp);
-	return ret;
-    }
+    ret = krb5_store_int32 (sp, len);
+    if (ret)
+	goto failed;
+
     ret = kadm5_log_postamble (log_context, sp);
-    if (ret) {
-	krb5_storage_free (sp);
-	return ret;
-    }
+    if (ret)
+	goto failed;
+
     ret = kadm5_log_flush (log_context, sp);
-    krb5_storage_free (sp);
     if (ret)
-	return ret;
-    ret = kadm5_log_end (context);
+	goto failed;
+    krb5_storage_free (sp);
+    krb5_data_free (&value);
+
+    return kadm5_log_end (context);
+
+failed:
+    krb5_data_free(&value);
+    krb5_storage_free(sp);
     return ret;
 }
 
@@ -406,21 +438,28 @@ kadm5_log_rename (kadm5_server_context *context,
  * Read a `rename' log operation from `sp' and apply it.
  */
 
-kadm5_ret_t
+static kadm5_ret_t
 kadm5_log_replay_rename (kadm5_server_context *context,
-			 u_int32_t ver,
-			 u_int32_t len,
+			 uint32_t ver,
+			 uint32_t len,
 			 krb5_storage *sp)
 {
     krb5_error_code ret;
     krb5_principal source;
-    hdb_entry source_ent, target_ent;
+    hdb_entry_ex target_ent;
     krb5_data value;
     off_t off;
     size_t princ_len, data_len;
 
+    memset(&target_ent, 0, sizeof(target_ent));
+
     off = krb5_storage_seek(sp, 0, SEEK_CUR);
-    krb5_ret_principal (sp, &source);
+    ret = krb5_ret_principal (sp, &source);
+    if (ret) {
+	krb5_set_error_string(context->context, "Failed to read renamed "
+			      "principal in log, version: %ld", (long)ver);
+	return ret;
+    }
     princ_len = krb5_storage_seek(sp, 0, SEEK_CUR) - off;
     data_len = len - princ_len;
     ret = krb5_data_alloc (&value, data_len);
@@ -429,20 +468,20 @@ kadm5_log_replay_rename (kadm5_server_context *context,
 	return ret;
     }
     krb5_storage_read (sp, value.data, data_len);
-    ret = hdb_value2entry (context->context, &value, &target_ent);
+    ret = hdb_value2entry (context->context, &value, &target_ent.entry);
     krb5_data_free(&value);
     if (ret) {
 	krb5_free_principal (context->context, source);
 	return ret;
     }
-    ret = context->db->store (context->context, context->db, 0, &target_ent);
+    ret = context->db->hdb_store (context->context, context->db, 
+				  0, &target_ent);
     hdb_free_entry (context->context, &target_ent);
     if (ret) {
 	krb5_free_principal (context->context, source);
 	return ret;
     }
-    source_ent.principal = source;
-    ret = context->db->remove (context->context, context->db, &source_ent);
+    ret = context->db->hdb_remove (context->context, context->db, source);
     krb5_free_principal (context->context, source);
     return ret;
 }
@@ -455,46 +494,49 @@ kadm5_log_replay_rename (kadm5_server_context *context,
 kadm5_ret_t
 kadm5_log_modify (kadm5_server_context *context,
 		  hdb_entry *ent,
-		  u_int32_t mask)
+		  uint32_t mask)
 {
     krb5_storage *sp;
     kadm5_ret_t ret;
     krb5_data value;
-    u_int32_t len;
+    uint32_t len;
     kadm5_log_context *log_context = &context->log_context;
 
+    krb5_data_zero(&value);
+
     sp = krb5_storage_emem();
     ret = hdb_entry2value (context->context, ent, &value);
-    if (ret) {
-	krb5_storage_free(sp);
-	return ret;
-    }
+    if (ret)
+	goto failed;
+
     ret = kadm5_log_preamble (context, sp, kadm_modify);
-    if (ret) {
-	krb5_data_free (&value);
-	krb5_storage_free(sp);
-	return ret;
-    }
+    if (ret)
+	goto failed;
+
     len = value.length + 4;
-    krb5_store_int32 (sp, len);
-    krb5_store_int32 (sp, mask);
+    ret = krb5_store_int32 (sp, len);
+    if (ret)
+	goto failed;
+    ret = krb5_store_int32 (sp, mask);
+    if (ret)
+	goto failed;
     krb5_storage_write (sp, value.data, value.length);
-    krb5_data_free (&value);
-    krb5_store_int32 (sp, len);
-    if (ret) {
-	krb5_storage_free (sp);
-	return ret;
-    }
+
+    ret = krb5_store_int32 (sp, len);
+    if (ret)
+	goto failed;
     ret = kadm5_log_postamble (log_context, sp);
-    if (ret) {
-	krb5_storage_free (sp);
-	return ret;
-    }
+    if (ret)
+	goto failed;
     ret = kadm5_log_flush (log_context, sp);
-    krb5_storage_free (sp);
     if (ret)
-	return ret;
-    ret = kadm5_log_end (context);
+	goto failed;
+    krb5_data_free(&value);
+    krb5_storage_free (sp);
+    return kadm5_log_end (context);
+failed:
+    krb5_data_free(&value);
+    krb5_storage_free(sp);
     return ret;
 }
 
@@ -502,75 +544,107 @@ kadm5_log_modify (kadm5_server_context *context,
  * Read a `modify' log operation from `sp' and apply it.
  */
 
-kadm5_ret_t
+static kadm5_ret_t
 kadm5_log_replay_modify (kadm5_server_context *context,
-			 u_int32_t ver,
-			 u_int32_t len,
+			 uint32_t ver,
+			 uint32_t len,
 			 krb5_storage *sp)
 {
     krb5_error_code ret;
     int32_t mask;
     krb5_data value;
-    hdb_entry ent, log_ent;
+    hdb_entry_ex ent, log_ent;
+
+    memset(&log_ent, 0, sizeof(log_ent));
 
     krb5_ret_int32 (sp, &mask);
     len -= 4;
     ret = krb5_data_alloc (&value, len);
-    if (ret)
+    if (ret) {
+	krb5_set_error_string(context->context, "out of memory");
 	return ret;
+    }
     krb5_storage_read (sp, value.data, len);
-    ret = hdb_value2entry (context->context, &value, &log_ent);
+    ret = hdb_value2entry (context->context, &value, &log_ent.entry);
     krb5_data_free(&value);
     if (ret)
 	return ret;
-    ent.principal = log_ent.principal;
-    log_ent.principal = NULL;
-    ret = context->db->fetch(context->context, context->db, 
-			     HDB_F_DECRYPT, &ent);
+
+    memset(&ent, 0, sizeof(ent));
+    ret = context->db->hdb_fetch(context->context, context->db,
+				 log_ent.entry.principal,
+				 HDB_F_DECRYPT|HDB_F_GET_ANY, &ent);
     if (ret)
-	return ret;
+	goto out;
     if (mask & KADM5_PRINC_EXPIRE_TIME) {
-	if (log_ent.valid_end == NULL) {
-	    ent.valid_end = NULL;
+	if (log_ent.entry.valid_end == NULL) {
+	    ent.entry.valid_end = NULL;
 	} else {
-	    if (ent.valid_end == NULL)
-		ent.valid_end = malloc(sizeof(*ent.valid_end));
-	    *ent.valid_end = *log_ent.valid_end;
+	    if (ent.entry.valid_end == NULL) {
+		ent.entry.valid_end = malloc(sizeof(*ent.entry.valid_end));
+		if (ent.entry.valid_end == NULL) {
+		    krb5_set_error_string(context->context, "out of memory");
+		    ret = ENOMEM;
+		    goto out;
+		}
+	    }
+	    *ent.entry.valid_end = *log_ent.entry.valid_end;
 	}
     }
     if (mask & KADM5_PW_EXPIRATION) {
-	if (log_ent.pw_end == NULL) {
-	    ent.pw_end = NULL;
+	if (log_ent.entry.pw_end == NULL) {
+	    ent.entry.pw_end = NULL;
 	} else {
-	    if (ent.pw_end == NULL)
-		ent.pw_end = malloc(sizeof(*ent.pw_end));
-	    *ent.pw_end = *log_ent.pw_end;
+	    if (ent.entry.pw_end == NULL) {
+		ent.entry.pw_end = malloc(sizeof(*ent.entry.pw_end));
+		if (ent.entry.pw_end == NULL) {
+		    krb5_set_error_string(context->context, "out of memory");
+		    ret = ENOMEM;
+		    goto out;
+		}
+	    }
+	    *ent.entry.pw_end = *log_ent.entry.pw_end;
 	}
     }
     if (mask & KADM5_LAST_PWD_CHANGE) {
 	abort ();		/* XXX */
     }
     if (mask & KADM5_ATTRIBUTES) {
-	ent.flags = log_ent.flags;
+	ent.entry.flags = log_ent.entry.flags;
     }
     if (mask & KADM5_MAX_LIFE) {
-	if (log_ent.max_life == NULL) {
-	    ent.max_life = NULL;
+	if (log_ent.entry.max_life == NULL) {
+	    ent.entry.max_life = NULL;
 	} else {
-	    if (ent.max_life == NULL)
-		ent.max_life = malloc (sizeof(*ent.max_life));
-	    *ent.max_life = *log_ent.max_life;
+	    if (ent.entry.max_life == NULL) {
+		ent.entry.max_life = malloc (sizeof(*ent.entry.max_life));
+		if (ent.entry.max_life == NULL) {
+		    krb5_set_error_string(context->context, "out of memory");
+		    ret = ENOMEM;
+		    goto out;
+		}
+	    }
+	    *ent.entry.max_life = *log_ent.entry.max_life;
 	}
     }
     if ((mask & KADM5_MOD_TIME) && (mask & KADM5_MOD_NAME)) {
-	if (ent.modified_by == NULL) {
-	    ent.modified_by = malloc(sizeof(*ent.modified_by));
+	if (ent.entry.modified_by == NULL) {
+	    ent.entry.modified_by = malloc(sizeof(*ent.entry.modified_by));
+	    if (ent.entry.modified_by == NULL) {
+		krb5_set_error_string(context->context, "out of memory");
+		ret = ENOMEM;
+		goto out;
+	    }
 	} else
-	    free_Event(ent.modified_by);
-	copy_Event(log_ent.modified_by, ent.modified_by);
+	    free_Event(ent.entry.modified_by);
+	ret = copy_Event(log_ent.entry.modified_by, ent.entry.modified_by);
+	if (ret) {
+	    krb5_set_error_string(context->context, "out of memory");
+	    goto out;
+	}
     }
     if (mask & KADM5_KVNO) {
-	ent.kvno = log_ent.kvno;
+	ent.entry.kvno = log_ent.entry.kvno;
     }
     if (mask & KADM5_MKVNO) {
 	abort ();		/* XXX */
@@ -585,12 +659,18 @@ kadm5_log_replay_modify (kadm5_server_context *context,
 	abort ();		/* XXX */
     }
     if (mask & KADM5_MAX_RLIFE) {
-	if (log_ent.max_renew == NULL) {
-	    ent.max_renew = NULL;
+	if (log_ent.entry.max_renew == NULL) {
+	    ent.entry.max_renew = NULL;
 	} else {
-	    if (ent.max_renew == NULL)
-		ent.max_renew = malloc (sizeof(*ent.max_renew));
-	    *ent.max_renew = *log_ent.max_renew;
+	    if (ent.entry.max_renew == NULL) {
+		ent.entry.max_renew = malloc (sizeof(*ent.entry.max_renew));
+		if (ent.entry.max_renew == NULL) {
+		    krb5_set_error_string(context->context, "out of memory");
+		    ret = ENOMEM;
+		    goto out;
+		}
+	    }
+	    *ent.entry.max_renew = *log_ent.entry.max_renew;
 	}
     }
     if (mask & KADM5_LAST_SUCCESS) {
@@ -603,30 +683,60 @@ kadm5_log_replay_modify (kadm5_server_context *context,
 	abort ();		/* XXX */
     }
     if (mask & KADM5_KEY_DATA) {
-	size_t len;
+	size_t num;
 	int i;
 
-	for (i = 0; i < ent.keys.len; ++i)
-	    free_Key(&ent.keys.val[i]);
-	free (ent.keys.val);
+	for (i = 0; i < ent.entry.keys.len; ++i)
+	    free_Key(&ent.entry.keys.val[i]);
+	free (ent.entry.keys.val);
 
-	len = log_ent.keys.len;
+	num = log_ent.entry.keys.len;
 
-	ent.keys.len = len;
-	ent.keys.val = malloc(len * sizeof(*ent.keys.val));
-	for (i = 0; i < ent.keys.len; ++i)
-	    copy_Key(&log_ent.keys.val[i],
-		     &ent.keys.val[i]);
+	ent.entry.keys.len = num;
+	ent.entry.keys.val = malloc(len * sizeof(*ent.entry.keys.val));
+	if (ent.entry.keys.val == NULL) {
+	    krb5_set_error_string(context->context, "out of memory");
+	    return ENOMEM;
+	}
+	for (i = 0; i < ent.entry.keys.len; ++i) {
+	    ret = copy_Key(&log_ent.entry.keys.val[i],
+			   &ent.entry.keys.val[i]);
+	    if (ret) {
+		krb5_set_error_string(context->context, "out of memory");
+		goto out;
+	    }
+	}
+    }
+    if ((mask & KADM5_TL_DATA) && log_ent.entry.extensions) {
+	HDB_extensions *es = ent.entry.extensions;
+
+	ent.entry.extensions = calloc(1, sizeof(*ent.entry.extensions));
+	if (ent.entry.extensions == NULL)
+	    goto out;
+
+	ret = copy_HDB_extensions(log_ent.entry.extensions,
+				  ent.entry.extensions);
+	if (ret) {
+	    krb5_set_error_string(context->context, "out of memory");
+	    free(ent.entry.extensions);
+	    ent.entry.extensions = es;
+	    goto out;
+	}
+	if (es) {
+	    free_HDB_extensions(es);
+	    free(es);
+	}
     }
-    ret = context->db->store(context->context, context->db, 
-			     HDB_F_REPLACE, &ent);
+    ret = context->db->hdb_store(context->context, context->db, 
+				 HDB_F_REPLACE, &ent);
+ out:
     hdb_free_entry (context->context, &ent);
     hdb_free_entry (context->context, &log_ent);
     return ret;
 }
 
 /*
- * Add a `nop' operation to the log.
+ * Add a `nop' operation to the log. Does not close the log.
  */
 
 kadm5_ret_t
@@ -651,9 +761,7 @@ kadm5_log_nop (kadm5_server_context *context)
     }
     ret = kadm5_log_flush (log_context, sp);
     krb5_storage_free (sp);
-    if (ret)
-	return ret;
-    ret = kadm5_log_end (context);
+
     return ret;
 }
 
@@ -661,10 +769,10 @@ kadm5_log_nop (kadm5_server_context *context)
  * Read a `nop' log operation from `sp' and apply it.
  */
 
-kadm5_ret_t
+static kadm5_ret_t
 kadm5_log_replay_nop (kadm5_server_context *context,
-		      u_int32_t ver,
-		      u_int32_t len,
+		      uint32_t ver,
+		      uint32_t len,
 		      krb5_storage *sp)
 {
     return 0;
@@ -677,11 +785,13 @@ kadm5_log_replay_nop (kadm5_server_context *context,
 kadm5_ret_t
 kadm5_log_foreach (kadm5_server_context *context,
 		   void (*func)(kadm5_server_context *server_context,
-				u_int32_t ver,
+				uint32_t ver,
 				time_t timestamp,
 				enum kadm_ops op,
-				u_int32_t len,
-				krb5_storage *sp))
+				uint32_t len,
+				krb5_storage *,
+				void *),
+		   void *ctx)
 {
     int fd = context->log_context.log_fd;
     krb5_storage *sp;
@@ -689,16 +799,22 @@ kadm5_log_foreach (kadm5_server_context *context,
     lseek (fd, 0, SEEK_SET);
     sp = krb5_storage_from_fd (fd);
     for (;;) {
-	int32_t ver, timestamp, op, len;
+	int32_t ver, timestamp, op, len, len2, ver2;
 
 	if(krb5_ret_int32 (sp, &ver) != 0)
 	    break;
 	krb5_ret_int32 (sp, &timestamp);
 	krb5_ret_int32 (sp, &op);
 	krb5_ret_int32 (sp, &len);
-	(*func)(context, ver, timestamp, op, len, sp);
-	krb5_storage_seek(sp, 8, SEEK_CUR);
+	(*func)(context, ver, timestamp, op, len, sp, ctx);
+	krb5_ret_int32 (sp, &len2);
+	krb5_ret_int32 (sp, &ver2);
+	if (len != len2)
+	    abort();
+	if (ver != ver2)
+	    abort();
     }
+    krb5_storage_free(sp);
     return 0;
 }
 
@@ -718,34 +834,66 @@ kadm5_log_goto_end (int fd)
 
 /*
  * Return previous log entry.
+ * 
+ * The pointer in `sp´ is assumed to be at the top of the entry before
+ * previous entry. On success, the `sp´ pointer is set to data portion
+ * of previous entry. In case of error, it's not changed at all.
  */
 
 kadm5_ret_t
-kadm5_log_previous (krb5_storage *sp,
-		    u_int32_t *ver,
+kadm5_log_previous (krb5_context context,
+		    krb5_storage *sp,
+		    uint32_t *ver,
 		    time_t *timestamp,
 		    enum kadm_ops *op,
-		    u_int32_t *len)
+		    uint32_t *len)
 {
-    off_t off;
+    krb5_error_code ret;
+    off_t off, oldoff;
     int32_t tmp;
 
+    oldoff = krb5_storage_seek(sp, 0, SEEK_CUR);
+
     krb5_storage_seek(sp, -8, SEEK_CUR);
-    krb5_ret_int32 (sp, &tmp);
+    ret = krb5_ret_int32 (sp, &tmp);
+    if (ret)
+	goto end_of_storage;
     *len = tmp;
-    krb5_ret_int32 (sp, &tmp);
+    ret = krb5_ret_int32 (sp, &tmp);
     *ver = tmp;
     off = 24 + *len;
     krb5_storage_seek(sp, -off, SEEK_CUR);
-    krb5_ret_int32 (sp, &tmp);
-    assert(tmp == *ver);
-    krb5_ret_int32 (sp, &tmp);
+    ret = krb5_ret_int32 (sp, &tmp);
+    if (ret)
+	goto end_of_storage;
+    if (tmp != *ver) {
+	krb5_storage_seek(sp, oldoff, SEEK_SET);
+	krb5_set_error_string(context, "kadm5_log_previous: log entry "
+			      "have consistency failure, version number wrong");
+	return KADM5_BAD_DB;
+    }
+    ret = krb5_ret_int32 (sp, &tmp);
+    if (ret)
+	goto end_of_storage;
     *timestamp = tmp;
-    krb5_ret_int32 (sp, &tmp);
+    ret = krb5_ret_int32 (sp, &tmp);
     *op = tmp;
-    krb5_ret_int32 (sp, &tmp);
-    assert(tmp == *len);
+    ret = krb5_ret_int32 (sp, &tmp);
+    if (ret)
+	goto end_of_storage;
+    if (tmp != *len) {
+	krb5_storage_seek(sp, oldoff, SEEK_SET);
+	krb5_set_error_string(context, "kadm5_log_previous: log entry "
+			      "have consistency failure, length wrong");
+	return KADM5_BAD_DB;
+    }
     return 0;
+
+ end_of_storage:
+    krb5_storage_seek(sp, oldoff, SEEK_SET);
+    krb5_set_error_string(context, "kadm5_log_previous: end of storage "
+			  "reached before end");
+    return ret;
 }
 
 /*
@@ -755,8 +903,8 @@ kadm5_log_previous (krb5_storage *sp,
 kadm5_ret_t
 kadm5_log_replay (kadm5_server_context *context,
 		  enum kadm_ops op,
-		  u_int32_t ver,
-		  u_int32_t len,
+		  uint32_t ver,
+		  uint32_t len,
 		  krb5_storage *sp)
 {
     switch (op) {
@@ -771,6 +919,8 @@ kadm5_log_replay (kadm5_server_context *context,
     case kadm_nop :
 	return kadm5_log_replay_nop (context, ver, len, sp);
     default :
+	krb5_set_error_string(context->context, 
+			      "Unsupported replay op %d", (int)op);
 	return KADM5_FAILURE;
     }
 }
@@ -783,7 +933,7 @@ kadm5_ret_t
 kadm5_log_truncate (kadm5_server_context *server_context)
 {
     kadm5_ret_t ret;
-    u_int32_t vno;
+    uint32_t vno;
 
     ret = kadm5_log_init (server_context);
     if (ret)
@@ -797,7 +947,7 @@ kadm5_log_truncate (kadm5_server_context *server_context)
     if (ret)
 	return ret;
 
-    ret = kadm5_log_set_version (server_context, vno + 1);
+    ret = kadm5_log_set_version (server_context, vno);
     if (ret)
 	return ret;
 
@@ -811,3 +961,22 @@ kadm5_log_truncate (kadm5_server_context *server_context)
     return 0;
 
 }
+
+static char *default_signal = NULL;
+static HEIMDAL_MUTEX signal_mutex = HEIMDAL_MUTEX_INITIALIZER;
+
+const char *
+kadm5_log_signal_socket(krb5_context context)
+{
+    HEIMDAL_MUTEX_lock(&signal_mutex);
+    if (!default_signal)
+	asprintf(&default_signal, "%s/signal", hdb_db_dir(context));
+    HEIMDAL_MUTEX_unlock(&signal_mutex);
+
+    return krb5_config_get_string_default(context,
+					  NULL,
+					  default_signal,
+					  "kdc",
+					  "signal_socket",
+					  NULL);
+}
diff --git a/crypto/heimdal/lib/kadm5/marshall.c b/crypto/heimdal/lib/kadm5/marshall.c
index 9828837..05ca33f 100644
--- a/crypto/heimdal/lib/kadm5/marshall.c
+++ b/crypto/heimdal/lib/kadm5/marshall.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: marshall.c,v 1.6 1999/12/02 17:05:06 joda Exp $");
+RCSID("$Id: marshall.c 21745 2007-07-31 16:11:25Z lha $");
 
 kadm5_ret_t
 kadm5_store_key_data(krb5_storage *sp,
@@ -105,7 +105,7 @@ kadm5_ret_tl_data(krb5_storage *sp,
 static kadm5_ret_t
 store_principal_ent(krb5_storage *sp,
 		    kadm5_principal_ent_t princ,
-		    u_int32_t mask)
+		    uint32_t mask)
 {
     int i;
 
@@ -173,7 +173,7 @@ kadm5_store_principal_ent(krb5_storage *sp,
 kadm5_ret_t
 kadm5_store_principal_ent_mask(krb5_storage *sp,
 			       kadm5_principal_ent_t princ,
-			       u_int32_t mask)
+			       uint32_t mask)
 {
     krb5_store_int32(sp, mask);
     return store_principal_ent (sp, princ, mask);
@@ -182,7 +182,7 @@ kadm5_store_principal_ent_mask(krb5_storage *sp,
 static kadm5_ret_t
 ret_principal_ent(krb5_storage *sp,
 		  kadm5_principal_ent_t princ,
-		  u_int32_t mask)
+		  uint32_t mask)
 {
     int i;
     int32_t tmp;
@@ -260,6 +260,8 @@ ret_principal_ent(krb5_storage *sp,
 	krb5_ret_int32(sp, &tmp);
 	princ->n_key_data = tmp;
 	princ->key_data = malloc(princ->n_key_data * sizeof(*princ->key_data));
+	if (princ->key_data == NULL)
+	    return ENOMEM;
 	for(i = 0; i < princ->n_key_data; i++)
 	    kadm5_ret_key_data(sp, &princ->key_data[i]);
     }
@@ -269,6 +271,8 @@ ret_principal_ent(krb5_storage *sp,
 	princ->tl_data = NULL;
 	for(i = 0; i < princ->n_tl_data; i++){
 	    krb5_tl_data *tp = malloc(sizeof(*tp));
+	    if (tp == NULL)
+		return ENOMEM;
 	    kadm5_ret_tl_data(sp, tp);
 	    tp->tl_data_next = princ->tl_data;
 	    princ->tl_data = tp;
@@ -287,7 +291,7 @@ kadm5_ret_principal_ent(krb5_storage *sp,
 kadm5_ret_t
 kadm5_ret_principal_ent_mask(krb5_storage *sp,
 			     kadm5_principal_ent_t princ,
-			     u_int32_t *mask)
+			     uint32_t *mask)
 {
     int32_t tmp;
 
@@ -319,8 +323,10 @@ _kadm5_unmarshal_params(krb5_context context,
 			kadm5_config_params *params)
 {
     krb5_storage *sp = krb5_storage_from_data(in);
+    int32_t mask;
     
-    krb5_ret_int32(sp, &params->mask);
+    krb5_ret_int32(sp, &mask);
+    params->mask = mask;
 	
     if(params->mask & KADM5_CONFIG_REALM)
 	krb5_ret_string(sp, &params->realm);
diff --git a/crypto/heimdal/lib/kadm5/modify_c.c b/crypto/heimdal/lib/kadm5/modify_c.c
index 8d8ca56..ed399b3 100644
--- a/crypto/heimdal/lib/kadm5/modify_c.c
+++ b/crypto/heimdal/lib/kadm5/modify_c.c
@@ -33,12 +33,12 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: modify_c.c,v 1.4 2000/07/11 15:59:46 joda Exp $");
+RCSID("$Id: modify_c.c 17445 2006-05-05 10:37:46Z lha $");
 
 kadm5_ret_t
 kadm5_c_modify_principal(void *server_handle,
 			 kadm5_principal_ent_t princ, 
-			 u_int32_t mask)
+			 uint32_t mask)
 {
     kadm5_client_context *context = server_handle;
     kadm5_ret_t ret;
@@ -52,8 +52,10 @@ kadm5_c_modify_principal(void *server_handle,
 	return ret;
 
     sp = krb5_storage_from_mem(buf, sizeof(buf));
-    if (sp == NULL)
+    if (sp == NULL) {
+	krb5_clear_error_string(context->context);
 	return ENOMEM;
+    }
     krb5_store_int32(sp, kadm_modify);
     kadm5_store_principal_ent(sp, princ);
     krb5_store_int32(sp, mask);
@@ -66,10 +68,12 @@ kadm5_c_modify_principal(void *server_handle,
 	return ret;
     sp = krb5_storage_from_data (&reply);
     if (sp == NULL) {
+	krb5_clear_error_string(context->context);
 	krb5_data_free (&reply);
 	return ENOMEM;
     }
     krb5_ret_int32(sp, &tmp);
+    krb5_clear_error_string(context->context);
     krb5_storage_free(sp);
     krb5_data_free (&reply);
     return tmp;
diff --git a/crypto/heimdal/lib/kadm5/modify_s.c b/crypto/heimdal/lib/kadm5/modify_s.c
index 8c595a9..449f619 100644
--- a/crypto/heimdal/lib/kadm5/modify_s.c
+++ b/crypto/heimdal/lib/kadm5/modify_s.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2001, 2003, 2005-2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,50 +33,54 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: modify_s.c,v 1.12 2001/01/30 01:24:28 assar Exp $");
+RCSID("$Id: modify_s.c 20610 2007-05-08 07:12:37Z lha $");
 
 static kadm5_ret_t
 modify_principal(void *server_handle,
 		 kadm5_principal_ent_t princ, 
-		 u_int32_t mask,
-		 u_int32_t forbidden_mask)
+		 uint32_t mask,
+		 uint32_t forbidden_mask)
 {
     kadm5_server_context *context = server_handle;
-    hdb_entry ent;
+    hdb_entry_ex ent;
     kadm5_ret_t ret;
     if((mask & forbidden_mask))
 	return KADM5_BAD_MASK;
     if((mask & KADM5_POLICY) && strcmp(princ->policy, "default"))
 	return KADM5_UNK_POLICY;
     
-    ent.principal = princ->principal;
-    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    memset(&ent, 0, sizeof(ent));
+    ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0);
     if(ret)
 	return ret;
-    ret = context->db->fetch(context->context, context->db, 0, &ent);
+    ret = context->db->hdb_fetch(context->context, context->db, 
+				 princ->principal, HDB_F_GET_ANY, &ent);
     if(ret)
 	goto out;
     ret = _kadm5_setup_entry(context, &ent, mask, princ, mask, NULL, 0);
     if(ret)
 	goto out2;
-    ret = _kadm5_set_modifier(context, &ent);
+    ret = _kadm5_set_modifier(context, &ent.entry);
     if(ret)
 	goto out2;
 
-    ret = hdb_seal_keys(context->context, context->db, &ent);
+    ret = hdb_seal_keys(context->context, context->db, &ent.entry);
+    if (ret)
+	goto out2;
+
+    ret = context->db->hdb_store(context->context, context->db, 
+			     HDB_F_REPLACE, &ent);
     if (ret)
 	goto out2;
 
     kadm5_log_modify (context,
-		      &ent,
+		      &ent.entry,
 		      mask | KADM5_MOD_NAME | KADM5_MOD_TIME);
-		      
-    ret = context->db->store(context->context, context->db, 
-			     HDB_F_REPLACE, &ent);
+
 out2:
     hdb_free_entry(context->context, &ent);
 out:
-    context->db->close(context->context, context->db);
+    context->db->hdb_close(context->context, context->db);
     return _kadm5_error_code(ret);
 }
 
@@ -84,7 +88,7 @@ out:
 kadm5_ret_t
 kadm5_s_modify_principal(void *server_handle,
 			 kadm5_principal_ent_t princ, 
-			 u_int32_t mask)
+			 uint32_t mask)
 {
     return modify_principal(server_handle, princ, mask, 
 			    KADM5_LAST_PWD_CHANGE | KADM5_MOD_TIME 
diff --git a/crypto/heimdal/lib/kadm5/password_quality.c b/crypto/heimdal/lib/kadm5/password_quality.c
index bc1463f..2610ce8 100644
--- a/crypto/heimdal/lib/kadm5/password_quality.c
+++ b/crypto/heimdal/lib/kadm5/password_quality.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000, 2003-2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,40 +32,231 @@
  */
 
 #include "kadm5_locl.h"
+#include "kadm5-pwcheck.h"
 
-RCSID("$Id: password_quality.c,v 1.4 2000/07/05 13:14:45 joda Exp $");
+RCSID("$Id: password_quality.c 17595 2006-05-30 21:51:55Z lha $");
 
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
 #ifdef HAVE_DLFCN_H
 #include <dlfcn.h>
 #endif
 
+static int
+min_length_passwd_quality (krb5_context context,
+			   krb5_principal principal,
+			   krb5_data *pwd,
+			   const char *opaque,
+			   char *message,
+			   size_t length)
+{
+    uint32_t min_length = krb5_config_get_int_default(context, NULL, 6,
+						      "password_quality",
+						      "min_length",
+						      NULL);
+
+    if (pwd->length < min_length) {
+	strlcpy(message, "Password too short", length);
+	return 1;
+    } else
+	return 0;
+}
+
 static const char *
-simple_passwd_quality (krb5_context context,
-		       krb5_principal principal,
-		       krb5_data *pwd)
+min_length_passwd_quality_v0 (krb5_context context,
+			      krb5_principal principal,
+			      krb5_data *pwd)
 {
-    if (pwd->length < 6)
-	return "Password too short";
-    else
-	return NULL;
+    static char message[1024];
+    int ret;
+
+    message[0] = '\0';
+
+    ret = min_length_passwd_quality(context, principal, pwd, NULL,
+				    message, sizeof(message));
+    if (ret)
+	return message;
+    return NULL;
 }
 
-typedef const char* (*passwd_quality_check_func)(krb5_context, 
-						 krb5_principal, 
-						 krb5_data*);
 
-static passwd_quality_check_func passwd_quality_check = simple_passwd_quality;
+static int
+char_class_passwd_quality (krb5_context context,
+			   krb5_principal principal,
+			   krb5_data *pwd,
+			   const char *opaque,
+			   char *message,
+			   size_t length)
+{
+    const char *classes[] = {
+	"ABCDEFGHIJKLMNOPQRSTUVWXYZ",
+	"abcdefghijklmnopqrstuvwxyz",
+	"1234567890",
+	"!@#$%^&*()/?<>,.{[]}\\|'~`\" "
+    };
+    int i, counter = 0, req_classes;
+    size_t len;
+    char *pw;
 
-#ifdef HAVE_DLOPEN
+    req_classes = krb5_config_get_int_default(context, NULL, 3,
+					      "password_quality",
+					      "min_classes",
+					      NULL);
 
-#define PASSWD_VERSION 0
+    len = pwd->length + 1;
+    pw = malloc(len);
+    if (pw == NULL) {
+	strlcpy(message, "out of memory", length);
+	return 1;
+    }
+    strlcpy(pw, pwd->data, len);
+    len = strlen(pw);
 
-#endif
+    for (i = 0; i < sizeof(classes)/sizeof(classes[0]); i++) {
+	if (strcspn(pw, classes[i]) < len)
+	    counter++;
+    }
+    memset(pw, 0, pwd->length + 1);
+    free(pw);
+    if (counter < req_classes) {
+	snprintf(message, length,
+	    "Password doesn't meet complexity requirement.\n"
+	    "Add more characters from the following classes:\n"
+	    "1. English uppercase characters (A through Z)\n"
+	    "2. English lowercase characters (a through z)\n"
+	    "3. Base 10 digits (0 through 9)\n"
+	    "4. Nonalphanumeric characters (e.g., !, $, #, %%)");
+	return 1;
+    }
+    return 0;
+}
+
+static int
+external_passwd_quality (krb5_context context,
+			 krb5_principal principal,
+			 krb5_data *pwd,
+			 const char *opaque,
+			 char *message,
+			 size_t length)
+{
+    krb5_error_code ret;
+    const char *program;
+    char *p;
+    pid_t child;
+    int status;
+    char reply[1024];
+    FILE *in = NULL, *out = NULL, *error = NULL;
+
+    if (memchr(pwd->data, pwd->length, '\n') != NULL) {
+	snprintf(message, length, "password contains newline, "
+		 "not valid for external test");
+	return 1;
+    }
+
+    program = krb5_config_get_string(context, NULL,
+				     "password_quality",
+				     "external_program",
+				     NULL);
+    if (program == NULL) {
+	snprintf(message, length, "external password quality "
+		 "program not configured");
+	return 1;
+    }
+
+    ret = krb5_unparse_name(context, principal, &p);
+    if (ret) {
+	strlcpy(message, "out of memory", length);
+	return 1;
+    }
+
+    child = pipe_execv(&in, &out, &error, program, p, NULL);
+    if (child < 0) {
+	snprintf(message, length, "external password quality "
+		 "program failed to execute for principal %s", p);
+	free(p);
+	return 1;
+    }
+
+    fprintf(in, "principal: %s\n"
+	    "new-password: %.*s\n"
+	    "end\n",
+	    p, (int)pwd->length, (char *)pwd->data);
+    
+    fclose(in);
+
+    if (fgets(reply, sizeof(reply), out) == NULL) {
+
+	if (fgets(reply, sizeof(reply), error) == NULL) {
+	    snprintf(message, length, "external password quality "
+		     "program failed without error");
+
+	} else {
+	    reply[strcspn(reply, "\n")] = '\0';
+	    snprintf(message, length, "External password quality "
+		     "program failed: %s", reply);
+	}
+
+	fclose(out);
+	fclose(error);
+	waitpid(child, &status, 0);
+	return 1;
+    }
+    reply[strcspn(reply, "\n")] = '\0';
+
+    fclose(out);
+    fclose(error);
+
+    if (waitpid(child, &status, 0) < 0) {
+	snprintf(message, length, "external program failed: %s", reply);
+	free(p);
+	return 1;
+    }
+    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
+	snprintf(message, length, "external program failed: %s", reply);
+	free(p);
+	return 1;
+    }
+
+    if (strcmp(reply, "APPROVED") != 0) {
+	snprintf(message, length, "%s", reply);
+	free(p);
+	return 1;
+    }
+
+    free(p);
+
+    return 0;
+}
+
+
+static kadm5_passwd_quality_check_func_v0 passwd_quality_check = 
+	min_length_passwd_quality_v0;
+
+struct kadm5_pw_policy_check_func builtin_funcs[] = {
+    { "minimum-length", min_length_passwd_quality },
+    { "character-class", char_class_passwd_quality },
+    { "external-check", external_passwd_quality },
+    { NULL }
+};
+struct kadm5_pw_policy_verifier builtin_verifier = {
+    "builtin", 
+    KADM5_PASSWD_VERSION_V1, 
+    "Heimdal builtin",
+    builtin_funcs
+};
+
+static struct kadm5_pw_policy_verifier **verifiers;
+static int num_verifiers;
 
 /*
  * setup the password quality hook
  */
 
+#ifndef RTLD_NOW
+#define RTLD_NOW 0
+#endif
+
 void
 kadm5_setup_passwd_quality_check(krb5_context context,
 				 const char *check_library,
@@ -75,15 +266,8 @@ kadm5_setup_passwd_quality_check(krb5_context context,
     void *handle;
     void *sym;
     int *version;
-    int flags;
     const char *tmp;
 
-#ifdef RTLD_NOW
-    flags = RTLD_NOW;
-#else
-    flags = 0;
-#endif
-
     if(check_library == NULL) {
 	tmp = krb5_config_get_string(context, NULL, 
 				     "password_quality", 
@@ -105,7 +289,7 @@ kadm5_setup_passwd_quality_check(krb5_context context,
 
     if(check_library == NULL)
 	return;
-    handle = dlopen(check_library, flags);
+    handle = dlopen(check_library, RTLD_NOW);
     if(handle == NULL) {
 	krb5_warnx(context, "failed to open `%s'", check_library);
 	return;
@@ -117,10 +301,10 @@ kadm5_setup_passwd_quality_check(krb5_context context,
 	dlclose(handle);
 	return;
     }
-    if(*version != PASSWD_VERSION) {
+    if(*version != KADM5_PASSWD_VERSION_V0) {
 	krb5_warnx(context,
 		   "version of loaded library is %d (expected %d)",
-		   *version, PASSWD_VERSION);
+		   *version, KADM5_PASSWD_VERSION_V0);
 	dlclose(handle);
 	return;
     }
@@ -132,14 +316,197 @@ kadm5_setup_passwd_quality_check(krb5_context context,
 	dlclose(handle);
 	return;
     }
-    passwd_quality_check = (passwd_quality_check_func) sym;
+    passwd_quality_check = (kadm5_passwd_quality_check_func_v0) sym;
+#endif /* HAVE_DLOPEN */
+}
+
+#ifdef HAVE_DLOPEN
+
+static krb5_error_code
+add_verifier(krb5_context context, const char *check_library)
+{
+    struct kadm5_pw_policy_verifier *v, **tmp;
+    void *handle;
+    int i;
+
+    handle = dlopen(check_library, RTLD_NOW);
+    if(handle == NULL) {
+	krb5_warnx(context, "failed to open `%s'", check_library);
+	return ENOENT;
+    }
+    v = dlsym(handle, "kadm5_password_verifier");
+    if(v == NULL) {
+	krb5_warnx(context,
+		   "didn't find `kadm5_password_verifier' symbol "
+		   "in `%s'", check_library);
+	dlclose(handle);
+	return ENOENT;
+    }
+    if(v->version != KADM5_PASSWD_VERSION_V1) {
+	krb5_warnx(context,
+		   "version of loaded library is %d (expected %d)",
+		   v->version, KADM5_PASSWD_VERSION_V1);
+	dlclose(handle);
+	return EINVAL;
+    }
+    for (i = 0; i < num_verifiers; i++) {
+	if (strcmp(v->name, verifiers[i]->name) == 0)
+	    break;
+    }
+    if (i < num_verifiers) {
+	krb5_warnx(context, "password verifier library `%s' is already loaded",
+		   v->name);
+	dlclose(handle);
+	return 0;
+    }
+
+    tmp = realloc(verifiers, (num_verifiers + 1) * sizeof(*verifiers));
+    if (tmp == NULL) {
+	krb5_warnx(context, "out of memory");
+	dlclose(handle);
+	return 0;
+    }
+    verifiers = tmp;
+    verifiers[num_verifiers] = v;
+    num_verifiers++;
+
+    return 0;
+}
+
+#endif
+
+krb5_error_code
+kadm5_add_passwd_quality_verifier(krb5_context context,
+				  const char *check_library)
+{
+#ifdef HAVE_DLOPEN
+
+    if(check_library == NULL) {
+	krb5_error_code ret;
+	char **tmp;
+
+	tmp = krb5_config_get_strings(context, NULL, 
+				      "password_quality", 
+				      "policy_libraries", 
+				      NULL);
+	if(tmp == NULL)
+	    return 0;
+
+	while(tmp) {
+	    ret = add_verifier(context, *tmp);
+	    if (ret)
+		return ret;
+	    tmp++;
+	}
+    }
+    return add_verifier(context, check_library);
+#else
+    return 0;
 #endif /* HAVE_DLOPEN */
 }
 
+/*
+ *
+ */
+
+static const struct kadm5_pw_policy_check_func *
+find_func(krb5_context context, const char *name)
+{
+    const struct kadm5_pw_policy_check_func *f;
+    char *module = NULL;
+    const char *p, *func;
+    int i;
+
+    p = strchr(name, ':');
+    if (p) {
+	func = p + 1;
+	module = strndup(name, p - name);
+	if (module == NULL)
+	    return NULL;
+    } else
+	func = name;
+
+    /* Find module in loaded modules first */
+    for (i = 0; i < num_verifiers; i++) {
+	if (module && strcmp(module, verifiers[i]->name) != 0)
+	    continue;
+	for (f = verifiers[i]->funcs; f->name ; f++)
+	    if (strcmp(name, f->name) == 0) {
+		if (module)
+		    free(module);
+		return f;
+	    }
+    }
+    /* Lets try try the builtin modules */
+    if (module == NULL || strcmp(module, "builtin") == 0) {
+	for (f = builtin_verifier.funcs; f->name ; f++)
+	    if (strcmp(func, f->name) == 0) {
+		if (module)
+		    free(module);
+		return f;
+	    }
+    }
+    if (module)
+	free(module);
+    return NULL;
+}
+
 const char *
 kadm5_check_password_quality (krb5_context context,
 			      krb5_principal principal,
 			      krb5_data *pwd_data)
 {
-    return (*passwd_quality_check) (context, principal, pwd_data);
+    const struct kadm5_pw_policy_check_func *proc;
+    static char error_msg[1024];
+    const char *msg;
+    char **v, **vp;
+    int ret;
+
+    /*
+     * Check if we should use the old version of policy function.
+     */
+
+    v = krb5_config_get_strings(context, NULL, 
+				"password_quality", 
+				"policies", 
+				NULL);
+    if (v == NULL) {
+	msg = (*passwd_quality_check) (context, principal, pwd_data);
+	krb5_set_error_string(context, "password policy failed: %s", msg);
+	return msg;
+    }
+
+    error_msg[0] = '\0';
+
+    msg = NULL;
+    for(vp = v; *vp; vp++) {
+	proc = find_func(context, *vp);
+	if (proc == NULL) {
+	    msg = "failed to find password verifier function";
+	    krb5_set_error_string(context, "Failed to find password policy "
+				  "function: %s", *vp);
+	    break;
+	}
+	ret = (proc->func)(context, principal, pwd_data, NULL,
+			   error_msg, sizeof(error_msg));
+	if (ret) {
+	    krb5_set_error_string(context, "Password policy "
+				  "%s failed with %s", 
+				  proc->name, error_msg);
+	    msg = error_msg;
+	    break;
+	}
+    }
+    krb5_config_free_strings(v);
+
+    /* If the default quality check isn't used, lets check that the
+     * old quality function the user have set too */
+    if (msg == NULL && passwd_quality_check != min_length_passwd_quality_v0) {
+	msg = (*passwd_quality_check) (context, principal, pwd_data);
+	if (msg)
+	    krb5_set_error_string(context, "(old) password policy "
+				  "failed with %s", msg);
+	    
+    }
+    return msg;
 }
diff --git a/crypto/heimdal/lib/kadm5/private.h b/crypto/heimdal/lib/kadm5/private.h
index b09545f..d5e1380 100644
--- a/crypto/heimdal/lib/kadm5/private.h
+++ b/crypto/heimdal/lib/kadm5/private.h
@@ -31,23 +31,23 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: private.h,v 1.15 2002/08/16 20:57:44 joda Exp $ */
+/* $Id: private.h 22211 2007-12-07 19:27:27Z lha $ */
 
 #ifndef __kadm5_privatex_h__
 #define __kadm5_privatex_h__
 
 struct kadm_func {
-    kadm5_ret_t (*chpass_principal) (void *, krb5_principal, char*);
+    kadm5_ret_t (*chpass_principal) (void *, krb5_principal, const char*);
     kadm5_ret_t (*create_principal) (void*, kadm5_principal_ent_t, 
-				     u_int32_t, char*);
+				     uint32_t, const char*);
     kadm5_ret_t (*delete_principal) (void*, krb5_principal);
     kadm5_ret_t (*destroy) (void*);
     kadm5_ret_t (*flush) (void*);
     kadm5_ret_t (*get_principal) (void*, krb5_principal, 
-				  kadm5_principal_ent_t, u_int32_t);
+				  kadm5_principal_ent_t, uint32_t);
     kadm5_ret_t (*get_principals) (void*, const char*, char***, int*);
-    kadm5_ret_t (*get_privs) (void*, u_int32_t*);
-    kadm5_ret_t (*modify_principal) (void*, kadm5_principal_ent_t, u_int32_t);
+    kadm5_ret_t (*get_privs) (void*, uint32_t*);
+    kadm5_ret_t (*modify_principal) (void*, kadm5_principal_ent_t, uint32_t);
     kadm5_ret_t (*randkey_principal) (void*, krb5_principal, 
 				      krb5_keyblock**, int*);
     kadm5_ret_t (*rename_principal) (void*, krb5_principal, krb5_principal);
@@ -73,7 +73,7 @@ typedef struct kadm5_log_peer {
 typedef struct kadm5_log_context {
     char *log_file;
     int log_fd;
-    u_int32_t version;
+    uint32_t version;
     struct sockaddr_un socket_name;
     int socket_fd;
 } kadm5_log_context;
@@ -108,6 +108,20 @@ typedef struct kadm5_client_context {
     kadm5_config_params *realm_params;
 }kadm5_client_context;
 
+typedef struct kadm5_ad_context {
+    krb5_context context;
+    krb5_boolean my_context;
+    struct kadm_func funcs;
+    /* */
+    kadm5_config_params config;
+    krb5_principal caller;
+    krb5_ccache ccache;
+    char *client_name;
+    char *realm;
+    void *ldap_conn;
+    char *base_dn;
+} kadm5_ad_context;
+
 enum kadm_ops {
     kadm_get,
     kadm_delete,
@@ -125,8 +139,6 @@ enum kadm_ops {
 #define KADMIN_APPL_VERSION "KADM0.1"
 #define KADMIN_OLD_APPL_VERSION "KADM0.0"
 
-#define KADM5_LOG_SIGNAL HDB_DB_DIR "/signal"
-
 #include "kadm5-private.h"
 
 #endif /* __kadm5_privatex_h__ */
diff --git a/crypto/heimdal/lib/kadm5/privs_c.c b/crypto/heimdal/lib/kadm5/privs_c.c
index 83d293c..58e6824 100644
--- a/crypto/heimdal/lib/kadm5/privs_c.c
+++ b/crypto/heimdal/lib/kadm5/privs_c.c
@@ -33,10 +33,10 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: privs_c.c,v 1.4 2000/07/11 15:59:54 joda Exp $");
+RCSID("$Id: privs_c.c 17512 2006-05-08 13:43:17Z lha $");
 
 kadm5_ret_t
-kadm5_c_get_privs(void *server_handle, u_int32_t *privs)
+kadm5_c_get_privs(void *server_handle, uint32_t *privs)
 {
     kadm5_client_context *context = server_handle;
     kadm5_ret_t ret;
@@ -45,13 +45,17 @@ kadm5_c_get_privs(void *server_handle, u_int32_t *privs)
     int32_t tmp;
     krb5_data reply;
 
+    *privs = 0;
+
     ret = _kadm5_connect(server_handle);
     if(ret)
 	return ret;
 
     sp = krb5_storage_from_mem(buf, sizeof(buf));
-    if (sp == NULL)
+    if (sp == NULL) {
+	krb5_clear_error_string(context->context);
 	return ENOMEM;
+    }
     krb5_store_int32(sp, kadm_get_privs);
     ret = _kadm5_client_send(context, sp);
     krb5_storage_free(sp);
@@ -62,14 +66,15 @@ kadm5_c_get_privs(void *server_handle, u_int32_t *privs)
 	return ret;
     sp = krb5_storage_from_data(&reply);
     if (sp == NULL) {
+	krb5_clear_error_string(context->context);
 	krb5_data_free (&reply);
 	return ENOMEM;
     }
     krb5_ret_int32(sp, &tmp);
+    krb5_clear_error_string(context->context);
     ret = tmp;
     if(ret == 0){
-	krb5_ret_int32(sp, &tmp);
-	*privs = tmp;
+	krb5_ret_uint32(sp, privs);
     }
     krb5_storage_free(sp);
     krb5_data_free (&reply);
diff --git a/crypto/heimdal/lib/kadm5/privs_s.c b/crypto/heimdal/lib/kadm5/privs_s.c
index 85cd5d5..9c345e3 100644
--- a/crypto/heimdal/lib/kadm5/privs_s.c
+++ b/crypto/heimdal/lib/kadm5/privs_s.c
@@ -33,10 +33,10 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: privs_s.c,v 1.2 1999/12/02 17:05:07 joda Exp $");
+RCSID("$Id: privs_s.c 17445 2006-05-05 10:37:46Z lha $");
 
 kadm5_ret_t
-kadm5_s_get_privs(void *server_handle, u_int32_t *privs)
+kadm5_s_get_privs(void *server_handle, uint32_t *privs)
 {
     kadm5_server_context *context = server_handle;
     *privs = context->acl_flags;
diff --git a/crypto/heimdal/lib/kadm5/randkey_c.c b/crypto/heimdal/lib/kadm5/randkey_c.c
index eedf697..60a3f53 100644
--- a/crypto/heimdal/lib/kadm5/randkey_c.c
+++ b/crypto/heimdal/lib/kadm5/randkey_c.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: randkey_c.c,v 1.4 2000/07/11 16:00:02 joda Exp $");
+RCSID("$Id: randkey_c.c 16662 2006-01-25 12:53:09Z lha $");
 
 kadm5_ret_t
 kadm5_c_randkey_principal(void *server_handle, 
@@ -53,8 +53,10 @@ kadm5_c_randkey_principal(void *server_handle,
 	return ret;
 
     sp = krb5_storage_from_mem(buf, sizeof(buf));
-    if (sp == NULL)
+    if (sp == NULL) {
+	krb5_clear_error_string(context->context);
 	return ENOMEM;
+    }
     krb5_store_int32(sp, kadm_randkey);
     krb5_store_principal(sp, princ);
     ret = _kadm5_client_send(context, sp);
@@ -66,9 +68,11 @@ kadm5_c_randkey_principal(void *server_handle,
 	return ret;
     sp = krb5_storage_from_data(&reply);
     if (sp == NULL) {
+	krb5_clear_error_string(context->context);
 	krb5_data_free (&reply);
 	return ENOMEM;
     }
+    krb5_clear_error_string(context->context);
     krb5_ret_int32(sp, &tmp);
     ret = tmp;
     if(ret == 0){
diff --git a/crypto/heimdal/lib/kadm5/randkey_s.c b/crypto/heimdal/lib/kadm5/randkey_s.c
index 9780b11..cb0f0fa 100644
--- a/crypto/heimdal/lib/kadm5/randkey_s.c
+++ b/crypto/heimdal/lib/kadm5/randkey_s.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2001, 2003-2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: randkey_s.c,v 1.13 2001/01/30 01:24:28 assar Exp $");
+RCSID("$Id: randkey_s.c 20611 2007-05-08 07:13:07Z lha $");
 
 /*
  * Set the keys of `princ' to random values, returning the random keys
@@ -47,42 +47,48 @@ kadm5_s_randkey_principal(void *server_handle,
 			  int *n_keys)
 {
     kadm5_server_context *context = server_handle;
-    hdb_entry ent;
+    hdb_entry_ex ent;
     kadm5_ret_t ret;
 
-    ent.principal = princ;
-    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    memset(&ent, 0, sizeof(ent));
+    ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0);
     if(ret)
 	return ret;
-    ret = context->db->fetch(context->context, context->db, 0, &ent);
+    ret = context->db->hdb_fetch(context->context, context->db, princ, 
+				 HDB_F_GET_ANY, &ent);
     if(ret)
 	goto out;
 
     ret = _kadm5_set_keys_randomly (context,
-				    &ent,
+				    &ent.entry,
 				    new_keys,
 				    n_keys);
     if (ret)
 	goto out2;
+    ent.entry.kvno++;
 
-    ret = _kadm5_set_modifier(context, &ent);
+    ret = _kadm5_set_modifier(context, &ent.entry);
     if(ret)
 	goto out3;
-    ret = _kadm5_bump_pw_expire(context, &ent);
+    ret = _kadm5_bump_pw_expire(context, &ent.entry);
     if (ret)
 	goto out2;
 
-    ret = hdb_seal_keys(context->context, context->db, &ent);
+    ret = hdb_seal_keys(context->context, context->db, &ent.entry);
+    if (ret)
+	goto out2;
+
+    ret = context->db->hdb_store(context->context, context->db, 
+				 HDB_F_REPLACE, &ent);
     if (ret)
 	goto out2;
 
     kadm5_log_modify (context,
-		      &ent,
+		      &ent.entry,
 		      KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME |
-		      KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION);
+		      KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION |
+		      KADM5_TL_DATA);
 
-    ret = context->db->store(context->context, context->db, 
-			     HDB_F_REPLACE, &ent);
 out3:
     if (ret) {
 	int i;
@@ -96,6 +102,6 @@ out3:
 out2:
     hdb_free_entry(context->context, &ent);
 out:
-    context->db->close(context->context, context->db);
+    context->db->hdb_close(context->context, context->db);
     return _kadm5_error_code(ret);
 }
diff --git a/crypto/heimdal/lib/kadm5/rename_c.c b/crypto/heimdal/lib/kadm5/rename_c.c
index 95ccf25..cec2fd3 100644
--- a/crypto/heimdal/lib/kadm5/rename_c.c
+++ b/crypto/heimdal/lib/kadm5/rename_c.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: rename_c.c,v 1.4 2000/07/11 16:00:08 joda Exp $");
+RCSID("$Id: rename_c.c 8655 2000-07-11 16:00:19Z joda $");
 
 kadm5_ret_t
 kadm5_c_rename_principal(void *server_handle, 
diff --git a/crypto/heimdal/lib/kadm5/rename_s.c b/crypto/heimdal/lib/kadm5/rename_s.c
index a478e0a..2a19426 100644
--- a/crypto/heimdal/lib/kadm5/rename_s.c
+++ b/crypto/heimdal/lib/kadm5/rename_s.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001, 2003, 2005 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: rename_s.c,v 1.11 2001/01/30 01:24:29 assar Exp $");
+RCSID("$Id: rename_s.c 21745 2007-07-31 16:11:25Z lha $");
 
 kadm5_ret_t
 kadm5_s_rename_principal(void *server_handle, 
@@ -42,21 +42,22 @@ kadm5_s_rename_principal(void *server_handle,
 {
     kadm5_server_context *context = server_handle;
     kadm5_ret_t ret;
-    hdb_entry ent, ent2;
-    ent.principal = source;
+    hdb_entry_ex ent;
+    krb5_principal oldname;
+
+    memset(&ent, 0, sizeof(ent));
     if(krb5_principal_compare(context->context, source, target))
 	return KADM5_DUP; /* XXX is this right? */
-    if(!krb5_realm_compare(context->context, source, target))
-	return KADM5_FAILURE; /* XXX better code */
-    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0);
     if(ret)
 	return ret;
-    ret = context->db->fetch(context->context, context->db, 0, &ent);
+    ret = context->db->hdb_fetch(context->context, context->db, 
+				 source, HDB_F_GET_ANY, &ent);
     if(ret){
-	context->db->close(context->context, context->db);
+	context->db->hdb_close(context->context, context->db);
 	goto out;
     }
-    ret = _kadm5_set_modifier(context, &ent);
+    ret = _kadm5_set_modifier(context, &ent.entry);
     if(ret)
 	goto out2;
     {
@@ -67,10 +68,13 @@ kadm5_s_rename_principal(void *server_handle,
 	krb5_get_pw_salt(context->context, source, &salt2);
 	salt.type = hdb_pw_salt;
 	salt.salt = salt2.saltvalue;
-	for(i = 0; i < ent.keys.len; i++){
-	    if(ent.keys.val[i].salt == NULL){
-		ent.keys.val[i].salt = malloc(sizeof(*ent.keys.val[i].salt));
-		ret = copy_Salt(&salt, ent.keys.val[i].salt);
+	for(i = 0; i < ent.entry.keys.len; i++){
+	    if(ent.entry.keys.val[i].salt == NULL){
+		ent.entry.keys.val[i].salt = 
+		    malloc(sizeof(*ent.entry.keys.val[i].salt));
+		if(ent.entry.keys.val[i].salt == NULL)
+		    return ENOMEM;
+		ret = copy_Salt(&salt, ent.entry.keys.val[i].salt);
 		if(ret)
 		    break;
 	    }
@@ -79,28 +83,26 @@ kadm5_s_rename_principal(void *server_handle,
     }
     if(ret)
 	goto out2;
-    ent2.principal = ent.principal;
-    ent.principal = target;
+    oldname = ent.entry.principal;
+    ent.entry.principal = target;
 
-    ret = hdb_seal_keys(context->context, context->db, &ent);
+    ret = hdb_seal_keys(context->context, context->db, &ent.entry);
     if (ret) {
-	ent.principal = ent2.principal;
+	ent.entry.principal = oldname;
 	goto out2;
     }
 
-    kadm5_log_rename (context,
-		      source,
-		      &ent);
+    kadm5_log_rename (context, source, &ent.entry);
 
-    ret = context->db->store(context->context, context->db, 0, &ent);
+    ret = context->db->hdb_store(context->context, context->db, 0, &ent);
     if(ret){
-	ent.principal = ent2.principal;
+	ent.entry.principal = oldname;
 	goto out2;
     }
-    ret = context->db->remove(context->context, context->db, &ent2);
-    ent.principal = ent2.principal;
+    ret = context->db->hdb_remove(context->context, context->db, oldname);
+    ent.entry.principal = oldname;
 out2:
-    context->db->close(context->context, context->db);
+    context->db->hdb_close(context->context, context->db);
     hdb_free_entry(context->context, &ent);
 out:
     return _kadm5_error_code(ret);
diff --git a/crypto/heimdal/lib/kadm5/sample_passwd_check.c b/crypto/heimdal/lib/kadm5/sample_passwd_check.c
index 4ff5122..1a21c10 100644
--- a/crypto/heimdal/lib/kadm5/sample_passwd_check.c
+++ b/crypto/heimdal/lib/kadm5/sample_passwd_check.c
@@ -30,12 +30,14 @@
  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
 
-/* $Id: sample_passwd_check.c,v 1.1 1999/09/10 10:11:03 assar Exp $ */
+/* $Id: sample_passwd_check.c 21901 2007-08-10 06:05:35Z lha $ */
 
 #include <string.h>
 #include <stdlib.h>
 #include <krb5.h>
 
+const char* check_length(krb5_context, krb5_principal, krb5_data *);
+
 /* specify the api-version this library conforms to */
 
 int version = 0;
diff --git a/crypto/heimdal/lib/kadm5/send_recv.c b/crypto/heimdal/lib/kadm5/send_recv.c
index fe44b76..b64bbfe 100644
--- a/crypto/heimdal/lib/kadm5/send_recv.c
+++ b/crypto/heimdal/lib/kadm5/send_recv.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2003, 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: send_recv.c,v 1.10 2003/04/16 17:58:59 lha Exp $");
+RCSID("$Id: send_recv.c 17311 2006-04-27 11:10:07Z lha $");
 
 kadm5_ret_t 
 _kadm5_client_send(kadm5_client_context *context, krb5_storage *sp)
@@ -47,8 +47,10 @@ _kadm5_client_send(kadm5_client_context *context, krb5_storage *sp)
 
     len = krb5_storage_seek(sp, 0, SEEK_CUR);
     ret = krb5_data_alloc(&msg, len);
-    if (ret)
+    if (ret) {
+	krb5_clear_error_string(context->context);
 	return ret;
+    }
     krb5_storage_seek(sp, 0, SEEK_SET);
     krb5_storage_read(sp, msg.data, msg.length);
     
@@ -59,11 +61,14 @@ _kadm5_client_send(kadm5_client_context *context, krb5_storage *sp)
     
     sock = krb5_storage_from_fd(context->sock);
     if(sock == NULL) {
+	krb5_clear_error_string(context->context);
 	krb5_data_free(&out);
 	return ENOMEM;
     }
     
     ret = krb5_store_data(sock, out);
+    if (ret)
+	krb5_clear_error_string(context->context);
     krb5_storage_free(sock);
     krb5_data_free(&out);
     return ret;
@@ -77,10 +82,13 @@ _kadm5_client_recv(kadm5_client_context *context, krb5_data *reply)
     krb5_storage *sock;
 
     sock = krb5_storage_from_fd(context->sock);
-    if(sock == NULL)
+    if(sock == NULL) {
+	krb5_clear_error_string(context->context);
 	return ENOMEM;
+    }
     ret = krb5_ret_data(sock, &data);
     krb5_storage_free(sock);
+    krb5_clear_error_string(context->context);
     if(ret == KRB5_CC_END)
 	return KADM5_RPC_ERROR;
     else if(ret)
diff --git a/crypto/heimdal/lib/kadm5/server_glue.c b/crypto/heimdal/lib/kadm5/server_glue.c
index 21b6077..2862c36 100644
--- a/crypto/heimdal/lib/kadm5/server_glue.c
+++ b/crypto/heimdal/lib/kadm5/server_glue.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: server_glue.c,v 1.6 1999/12/02 17:05:07 joda Exp $");
+RCSID("$Id: server_glue.c 7464 1999-12-02 17:05:13Z joda $");
 
 kadm5_ret_t
 kadm5_init_with_password(const char *client_name,
diff --git a/crypto/heimdal/lib/kadm5/set_keys.c b/crypto/heimdal/lib/kadm5/set_keys.c
index d69c509..ee4de3b 100644
--- a/crypto/heimdal/lib/kadm5/set_keys.c
+++ b/crypto/heimdal/lib/kadm5/set_keys.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,258 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: set_keys.c,v 1.25 2001/08/13 15:12:16 joda Exp $");
-
-/*
- * the known and used DES enctypes
- */
-
-static krb5_enctype des_types[] = { ETYPE_DES_CBC_CRC,
- 				    ETYPE_DES_CBC_MD4,
- 				    ETYPE_DES_CBC_MD5 };
-static unsigned n_des_types = sizeof(des_types) / sizeof(des_types[0]);
-
-static krb5_error_code
-make_keys(krb5_context context, krb5_principal principal, const char *password,
-	  Key **keys_ret, size_t *num_keys_ret)
-{
-    krb5_enctype all_etypes[] = { ETYPE_DES3_CBC_SHA1,
-				  ETYPE_DES_CBC_MD5,
-				  ETYPE_DES_CBC_MD4,
-				  ETYPE_DES_CBC_CRC };
-
-
-    krb5_enctype e;
-
-    krb5_error_code ret = 0;
-    char **ktypes, **kp;
-
-    Key *keys = NULL, *tmp;
-    int num_keys = 0;
-    Key key;
-
-    int i;
-    char *v4_ktypes[] = {"des3:pw-salt", "v4", NULL};
-
-    ktypes = krb5_config_get_strings(context, NULL, "kadmin", 
-				     "default_keys", NULL);
-
-    /* for each entry in `default_keys' try to parse it as a sequence
-       of etype:salttype:salt, syntax of this if something like:
-       [(des|des3|etype):](pw|afs3)[:string], if etype is omitted it
-       means all etypes, and if string is omitted is means the default
-       string (for that principal). Additional special values:
-       v5 == pw-salt, and
-       v4 == des:pw-salt:
-       afs or afs3 == des:afs3-salt
-    */
-
-    if (ktypes == NULL
-	&& krb5_config_get_bool (context, NULL, "kadmin",
-				 "use_v4_salt", NULL))
-	ktypes = v4_ktypes;
-
-    for(kp = ktypes; kp && *kp; kp++) {
-	krb5_enctype *etypes;
-	int num_etypes;
-	krb5_salt salt;
-	krb5_boolean salt_set;
-
-	const char *p;
-	char buf[3][256];
-	int num_buf = 0;
-
-	p = *kp;
-	if(strcmp(p, "v5") == 0)
-	    p = "pw-salt";
-	else if(strcmp(p, "v4") == 0)
-	    p = "des:pw-salt:";
-	else if(strcmp(p, "afs") == 0 || strcmp(p, "afs3") == 0)
-	    p = "des:afs3-salt";
-	
-	/* split p in a list of :-separated strings */
-	for(num_buf = 0; num_buf < 3; num_buf++)
-	    if(strsep_copy(&p, ":", buf[num_buf], sizeof(buf[num_buf])) == -1)
-		break;
-
-	etypes = NULL;
-	num_etypes = 0;
-	memset(&salt, 0, sizeof(salt));
-	salt_set = FALSE;
-
-	for(i = 0; i < num_buf; i++) {
-	    if(etypes == NULL) {
-		/* this might be a etype specifier */
-		/* XXX there should be a string_to_etypes handling
-                   special cases like `des' and `all' */
-		if(strcmp(buf[i], "des") == 0) {
-		    etypes = all_etypes + 1;
-		    num_etypes = 3;
-		    continue;
-		} else if(strcmp(buf[i], "des3") == 0) {
-		    e = ETYPE_DES3_CBC_SHA1;
-		    etypes = &e;
-		    num_etypes = 1;
-		    continue;
-		} else {
-		    ret = krb5_string_to_enctype(context, buf[i], &e);
-		    if(ret == 0) {
-			etypes = &e;
-			num_etypes = 1;
-			continue;
-		    }
-		}
-	    }
-	    if(salt.salttype == 0) {
-		/* interpret string as a salt specifier, if no etype
-                   is set, this sets default values */
-		/* XXX should perhaps use string_to_salttype, but that
-                   interface sucks */
-		if(strcmp(buf[i], "pw-salt") == 0) {
-		    if(etypes == NULL) {
-			etypes = all_etypes;
-			num_etypes = 4;
-		    }
-		    salt.salttype = KRB5_PW_SALT;
-		} else if(strcmp(buf[i], "afs3-salt") == 0) {
-		    if(etypes == NULL) {
-			etypes = all_etypes + 1;
-			num_etypes = 3;
-		    }
-		    salt.salttype = KRB5_AFS3_SALT;
-		}
-	    } else {
-		/* if there is a final string, use it as the string to
-                   salt with, this is mostly useful with null salt for
-                   v4 compat, and a cell name for afs compat */
-		salt.saltvalue.data = buf[i];
-		salt.saltvalue.length = strlen(buf[i]);
-		salt_set = TRUE;
-	    }
-	}
-
-	if(etypes == NULL || salt.salttype == 0) {	    
-	    krb5_warnx(context, "bad value for default_keys `%s'", *kp);
-	    continue;
-	}
-
-	if(!salt_set) {
-	    /* make up default salt */
-	    if(salt.salttype == KRB5_PW_SALT)
-		ret = krb5_get_pw_salt(context, principal, &salt);
-	    else if(salt.salttype == KRB5_AFS3_SALT) {
-		krb5_realm *realm = krb5_princ_realm(context, principal);
-		salt.saltvalue.data = strdup(*realm);
-		if(salt.saltvalue.data == NULL) {
-		    krb5_set_error_string(context, "out of memory while "
-					  "parsinig salt specifiers");
-		    ret = ENOMEM;
-		    goto out;
-		}
-		strlwr(salt.saltvalue.data);
-		salt.saltvalue.length = strlen(*realm);
-		salt_set = 1;
-	    }
-	}
-	memset(&key, 0, sizeof(key));
-	for(i = 0; i < num_etypes; i++) {
-	    Key *k;
-	    for(k = keys; k < keys + num_keys; k++) {
-		if(k->key.keytype == etypes[i] &&
-		   ((k->salt != NULL && 
-		     k->salt->type == salt.salttype &&
-		     k->salt->salt.length == salt.saltvalue.length &&
-		     memcmp(k->salt->salt.data, salt.saltvalue.data, 
-			    salt.saltvalue.length) == 0) ||
-		    (k->salt == NULL && 
-		     salt.salttype == KRB5_PW_SALT && 
-		     !salt_set)))
-		    goto next_etype;
-	    }
-		       
-	    ret = krb5_string_to_key_salt (context,
-					   etypes[i],
-					   password,
-					   salt,
-					   &key.key);
-
-	    if(ret)
-		goto out;
-
-	    if (salt.salttype != KRB5_PW_SALT || salt_set) {
-		key.salt = malloc (sizeof(*key.salt));
-		if (key.salt == NULL) {
-		    free_Key(&key);
-		    ret = ENOMEM;
-		    goto out;
-		}
-		key.salt->type = salt.salttype;
-		krb5_data_zero (&key.salt->salt);
-
-		/* is the salt has not been set explicitly, it will be
-		   the default salt, so there's no need to explicitly
-		   copy it */
-		if (salt_set) {
-		    ret = krb5_data_copy(&key.salt->salt, 
-					 salt.saltvalue.data, 
-					 salt.saltvalue.length);
-		    if (ret) {
-			free_Key(&key);
-			goto out;
-		    }
-		}
-	    }
-	    tmp = realloc(keys, (num_keys + 1) * sizeof(*keys));
-	    if(tmp == NULL) {
-		free_Key(&key);
-		ret = ENOMEM;
-		goto out;
-	    }
-	    keys = tmp;
-	    keys[num_keys++] = key;
-	  next_etype:;
-	}
-    }
-
-    if(num_keys == 0) {
-	/* if we didn't manage to find a single valid key, create a
-           default set */
-	/* XXX only do this is there is no `default_keys'? */
-	krb5_salt v5_salt;
-	tmp = realloc(keys, (num_keys + 4) * sizeof(*keys));
-	if(tmp == NULL) {
-	    ret = ENOMEM;
-	    goto out;
-	}
-	keys = tmp;
-	ret = krb5_get_pw_salt(context, principal, &v5_salt);
-	if(ret)
-	    goto out;
-	for(i = 0; i < 4; i++) {
-	    memset(&key, 0, sizeof(key));
-	    ret = krb5_string_to_key_salt(context, all_etypes[i], password, 
-					  v5_salt, &key.key);
-	    if(ret) {
-		krb5_free_salt(context, v5_salt);
-		goto out;
-	    }
-	    keys[num_keys++] = key;
-	}
-	krb5_free_salt(context, v5_salt);
-    }
-
-  out:
-    if(ret == 0) {
-	*keys_ret = keys;
-	*num_keys_ret = num_keys;
-    } else {
-	for(i = 0; i < num_keys; i++) {
-	    free_Key(&keys[i]);
-	}
-	free(keys);
-    }
-    return ret;
-}
+RCSID("$Id: set_keys.c 15888 2005-08-11 13:40:35Z lha $");
 
 /*
  * Set the keys of `ent' to the string-to-key of `password'
@@ -295,20 +44,31 @@ _kadm5_set_keys(kadm5_server_context *context,
 		hdb_entry *ent, 
 		const char *password)
 {
-    kadm5_ret_t ret;
     Key *keys;
     size_t num_keys;
+    kadm5_ret_t ret;
 
-    ret = make_keys(context->context, ent->principal, password, 
-		    &keys, &num_keys);
-
-    if(ret)
+    ret = hdb_generate_key_set_password(context->context,
+					ent->principal, 
+					password, &keys, &num_keys);
+    if (ret)
 	return ret;
-    
-    _kadm5_free_keys (context, ent->keys.len, ent->keys.val);
+
+    _kadm5_free_keys (context->context, ent->keys.len, ent->keys.val);
     ent->keys.val = keys;
     ent->keys.len = num_keys;
-    ent->kvno++;
+
+    hdb_entry_set_pw_change_time(context->context, ent, 0);
+
+    if (krb5_config_get_bool_default(context->context, NULL, FALSE, 
+				     "kadmin", "save-password", NULL))
+    {
+	ret = hdb_entry_set_password(context->context, context->db,
+				     ent, password);
+	if (ret)
+	    return ret;
+    }
+
     return 0;
 }
 
@@ -358,13 +118,16 @@ _kadm5_set_keys2(kadm5_server_context *context,
 	} else
 	    keys[i].salt = NULL;
     }
-    _kadm5_free_keys (context, ent->keys.len, ent->keys.val);
+    _kadm5_free_keys (context->context, ent->keys.len, ent->keys.val);
     ent->keys.len = len;
     ent->keys.val = keys;
-    ent->kvno++;
+
+    hdb_entry_set_pw_change_time(context->context, ent, 0);
+    hdb_entry_clear_password(context->context, ent);
+
     return 0;
  out:
-    _kadm5_free_keys (context, len, keys);
+    _kadm5_free_keys (context->context, len, keys);
     return ret;
 }
 
@@ -399,17 +162,33 @@ _kadm5_set_keys3(kadm5_server_context *context,
 	    goto out;
 	keys[i].salt = NULL;
     }
-    _kadm5_free_keys (context, ent->keys.len, ent->keys.val);
+    _kadm5_free_keys (context->context, ent->keys.len, ent->keys.val);
     ent->keys.len = len;
     ent->keys.val = keys;
-    ent->kvno++;
+
+    hdb_entry_set_pw_change_time(context->context, ent, 0);
+    hdb_entry_clear_password(context->context, ent);
+
     return 0;
  out:
-    _kadm5_free_keys (context, len, keys);
+    _kadm5_free_keys (context->context, len, keys);
     return ret;
 }
 
 /*
+ *
+ */
+
+static int
+is_des_key_p(int keytype)
+{
+    return keytype == ETYPE_DES_CBC_CRC ||
+    	keytype == ETYPE_DES_CBC_MD4 ||
+	keytype == ETYPE_DES_CBC_MD5;
+}
+
+
+/*
  * Set the keys of `ent' to random keys and return them in `n_keys'
  * and `new_keys'.
  */
@@ -420,80 +199,75 @@ _kadm5_set_keys_randomly (kadm5_server_context *context,
 			  krb5_keyblock **new_keys,
 			  int *n_keys)
 {
-    kadm5_ret_t ret = 0;
-    int i;
-    unsigned len;
-    krb5_keyblock *keys;
-    Key *hkeys;
-
-    len  = n_des_types + 1;
-    keys = malloc (len * sizeof(*keys));
-    if (keys == NULL)
-	return ENOMEM;
-
-    for (i = 0; i < len; ++i) {
-	keys[i].keyvalue.length = 0;
-	keys[i].keyvalue.data   = NULL;
-    }
-
-    hkeys = malloc (len * sizeof(*hkeys));
-    if (hkeys == NULL) {
-	free (keys);
-	return ENOMEM;
-    }
-
-    _kadm5_init_keys (hkeys, len);
+   krb5_keyblock *kblock = NULL;
+   kadm5_ret_t ret = 0;
+   int i, des_keyblock;
+   size_t num_keys;
+   Key *keys;
+
+   ret = hdb_generate_key_set(context->context, ent->principal,
+			       &keys, &num_keys, 1);
+   if (ret)
+	return ret;
 
-    ret = krb5_generate_random_keyblock (context->context,
-					 des_types[0],
-					 &keys[0]);
-    if (ret)
-	goto out;
+   kblock = malloc(num_keys * sizeof(kblock[0]));
+   if (kblock == NULL) {
+	ret = ENOMEM;
+	_kadm5_free_keys (context->context, num_keys, keys);
+	return ret;
+   }
+   memset(kblock, 0, num_keys * sizeof(kblock[0]));
+
+   des_keyblock = -1;
+   for (i = 0; i < num_keys; i++) {
+
+	/* 
+	 * To make sure all des keys are the the same we generate only
+	 * the first one and then copy key to all other des keys.
+	 */
+
+	if (des_keyblock != -1 && is_des_key_p(keys[i].key.keytype)) {
+	    ret = krb5_copy_keyblock_contents (context->context,
+					       &kblock[des_keyblock],
+					       &kblock[i]);
+	    if (ret)
+		goto out;
+	    kblock[i].keytype = keys[i].key.keytype;
+	} else {
+	    ret = krb5_generate_random_keyblock (context->context,
+						 keys[i].key.keytype,
+						 &kblock[i]);
+	    if (ret)
+		goto out;
 
-    ret = krb5_copy_keyblock_contents (context->context,
-				       &keys[0],
-				       &hkeys[0].key);
-    if (ret)
-	goto out;
+	    if (is_des_key_p(keys[i].key.keytype))
+		des_keyblock = i;
+	}
 
-    for (i = 1; i < n_des_types; ++i) {
-	ret = krb5_copy_keyblock_contents (context->context,
-					   &keys[0],
-					   &keys[i]);
-	if (ret)
-	    goto out;
-	keys[i].keytype = des_types[i];
 	ret = krb5_copy_keyblock_contents (context->context,
-					   &keys[0],
-					   &hkeys[i].key);
+					   &kblock[i],
+					   &keys[i].key);
 	if (ret)
 	    goto out;
-	hkeys[i].key.keytype = des_types[i];
-    }
-
-    ret = krb5_generate_random_keyblock (context->context,
-					 ETYPE_DES3_CBC_SHA1,
-					 &keys[n_des_types]);
-    if (ret)
-	goto out;
+   }
 
-    ret = krb5_copy_keyblock_contents (context->context,
-				       &keys[n_des_types],
-				       &hkeys[n_des_types].key);
-    if (ret)
-	goto out;
-
-    _kadm5_free_keys (context, ent->keys.len, ent->keys.val);
-    ent->keys.len = len;
-    ent->keys.val = hkeys;
-    ent->kvno++;
-    *new_keys     = keys;
-    *n_keys       = len;
-    return ret;
 out:
-    for (i = 0; i < len; ++i)
-	krb5_free_keyblock_contents (context->context, &keys[i]);
-    free (keys);
-    _kadm5_free_keys (context, len, hkeys);
-    return ret;
+   if(ret) {
+	for (i = 0; i < num_keys; ++i)
+	    krb5_free_keyblock_contents (context->context, &kblock[i]);
+	free(kblock);
+	_kadm5_free_keys (context->context, num_keys, keys);
+	return ret;
+   }
+   
+   _kadm5_free_keys (context->context, ent->keys.len, ent->keys.val);
+   ent->keys.val = keys;
+   ent->keys.len = num_keys;
+   *new_keys     = kblock;
+   *n_keys       = num_keys;
+
+   hdb_entry_set_pw_change_time(context->context, ent, 0);
+   hdb_entry_clear_password(context->context, ent);
+
+   return 0;
 }
diff --git a/crypto/heimdal/lib/kadm5/set_modifier.c b/crypto/heimdal/lib/kadm5/set_modifier.c
index 2b09745..6296519 100644
--- a/crypto/heimdal/lib/kadm5/set_modifier.c
+++ b/crypto/heimdal/lib/kadm5/set_modifier.c
@@ -33,7 +33,7 @@
 
 #include "kadm5_locl.h"
 
-RCSID("$Id: set_modifier.c,v 1.2 1999/12/02 17:05:07 joda Exp $");
+RCSID("$Id: set_modifier.c 7464 1999-12-02 17:05:13Z joda $");
 
 kadm5_ret_t
 _kadm5_set_modifier(kadm5_server_context *context,
diff --git a/crypto/heimdal/lib/kadm5/test_pw_quality.c b/crypto/heimdal/lib/kadm5/test_pw_quality.c
new file mode 100644
index 0000000..745e03e
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/test_pw_quality.c
@@ -0,0 +1,95 @@
+/*
+ * Copyright (c) 2003, 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+#include <getarg.h>
+
+RCSID("$Id: test_pw_quality.c 15105 2005-05-09 19:13:29Z lha $");
+
+static int version_flag;
+static int help_flag;
+static char *principal;
+static char *password;
+
+static struct getargs args[] = {
+    { "principal", 0, arg_string, &principal },
+    { "password", 0, arg_string, &password },
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_principal p;
+    const char *s;
+    krb5_data pw_data;
+
+    krb5_program_setup(&context, argc, argv, args, num_args, NULL);
+    
+    if(help_flag)
+	krb5_std_usage(0, args, num_args);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    if (principal == NULL)
+	krb5_errx(context, 1, "no principal given");
+    if (password == NULL)
+	krb5_errx(context, 1, "no password given");
+
+    ret = krb5_parse_name(context, principal, &p);
+    if (ret)
+	krb5_errx(context, 1, "krb5_parse_name: %s", principal);
+
+    pw_data.data = password;
+    pw_data.length = strlen(password);
+
+    kadm5_setup_passwd_quality_check (context, NULL, NULL);
+    ret = kadm5_add_passwd_quality_verifier(context, NULL);
+    if (ret)
+	krb5_errx(context, 1, "kadm5_add_passwd_quality_verifier");
+
+    s = kadm5_check_password_quality (context, p, &pw_data);
+    if (s)
+	krb5_errx(context, 1, "kadm5_check_password_quality:\n%s", s);
+
+    krb5_free_principal(context, p);
+    krb5_free_context(context);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/version-script.map b/crypto/heimdal/lib/kadm5/version-script.map
new file mode 100644
index 0000000..90bd6fe
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/version-script.map
@@ -0,0 +1,66 @@
+# $Id$
+
+HEIMDAL_KAMD5_SERVER_1.0 {
+	global:
+		kadm5_ad_init_with_password;
+		kadm5_ad_init_with_password_ctx;
+		kadm5_add_passwd_quality_verifier;
+		kadm5_check_password_quality;
+		kadm5_chpass_principal;
+		kadm5_chpass_principal_with_key;
+		kadm5_create_principal;
+		kadm5_delete_principal;
+		kadm5_destroy;
+		kadm5_flush;
+		kadm5_free_key_data;
+		kadm5_free_name_list;
+		kadm5_free_principal_ent;
+		kadm5_get_principal;
+		kadm5_get_principals;
+		kadm5_get_privs;
+		kadm5_init_with_creds;
+		kadm5_init_with_creds_ctx;
+		kadm5_init_with_password;
+		kadm5_init_with_password_ctx;
+		kadm5_init_with_skey;
+		kadm5_init_with_skey_ctx;
+		kadm5_modify_principal;
+		kadm5_randkey_principal;
+		kadm5_rename_principal;
+		kadm5_ret_key_data;
+		kadm5_ret_principal_ent;
+		kadm5_ret_principal_ent_mask;
+		kadm5_ret_tl_data;
+		kadm5_setup_passwd_quality_check;
+		kadm5_store_key_data;
+		kadm5_store_principal_ent;
+		kadm5_store_principal_ent_mask;
+		kadm5_store_tl_data;
+		kadm5_s_init_with_password_ctx;
+		kadm5_s_init_with_password;
+		kadm5_s_init_with_skey_ctx;
+		kadm5_s_init_with_skey;
+		kadm5_s_init_with_creds_ctx;
+		kadm5_s_init_with_creds;
+		kadm5_s_chpass_principal_cond;
+		kadm5_log_set_version;
+		kadm5_log_signal_socket;
+		kadm5_log_previous;
+		kadm5_log_goto_end;
+		kadm5_log_foreach;
+		kadm5_log_get_version_fd;
+		kadm5_log_get_version;
+		kadm5_log_replay;
+		kadm5_log_end;
+		kadm5_log_reinit;
+		kadm5_log_init;
+		kadm5_log_nop;
+		kadm5_log_truncate;
+		kadm5_log_modify;
+		_kadm5_acl_check_permission;
+		_kadm5_unmarshal_params;
+		_kadm5_s_get_db;
+		_kadm5_privs_to_string;
+	local:
+		*;
+};
diff --git a/crypto/heimdal/lib/kafs/ChangeLog b/crypto/heimdal/lib/kafs/ChangeLog
index 2f1bb02..861796a 100644
--- a/crypto/heimdal/lib/kafs/ChangeLog
+++ b/crypto/heimdal/lib/kafs/ChangeLog
@@ -1,13 +1,158 @@
-2004-06-22  Love  <lha@stacken.kth.se>
+2007-07-10  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* afssys.c: 1.70->1.72: s/arla/nnpfs/
+	* Makefile.am: New library version.
+
+2007-05-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kafs.h: Add VIOCSETTOK2
+	
+2006-10-21  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: unbreak previous
+	
+	* Makefile.am: split dist and nodist sources
+	
+2006-10-20  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: add more files
+	
+2006-05-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kafs.3: Spelling, from Björn Sandell.
+	
+2006-04-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* afssys.c: use afs_ioctlnum, From Tomas Olsson <tol@it.su.se>
+	
+2006-04-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* afssys.c: Try harder to get the pioctl to work via the /proc or
+	/dev interface, OpenAFS choose to reuse the same ioctl number,
+	while Arla didn't.  Also, try new ioctl before the the old
+	syscalls.
+
+	* afskrb5.c (afslog_uid_int): use the simpler
+	krb5_principal_get_realm function.
+	
+2005-12-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Remove dependency on config.h, breaks IRIX build,
+	could depend on libkafs_la_OBJECTS, but that is just asking for
+	trubble.
+	
+2005-10-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* afssys.c (k_hasafs_recheck): new function, allow rechecking if
+	AFS client have started now, internaly it resets the internal
+	state from k_hasafs() and retry retry the probing. The problem
+	with calling k_hasaf() is that is plays around with signals, and
+	that cases problem for some systems/applications.
+	
+2005-10-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kafs_locl.h: Maybe include <sys/sysctl.h>.
+
+	* afssys.c: Mac OS X 10.4 needs a runtime check if we are going to
+	use the syscall, there is no cpp define to use to check the
+	version.  Every after 10.0 (darwin 8.0) uses the /dev/ version of
+	the pioctl.
+	
+2005-10-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* afssys.c: Support the new MacOS X 10.4 ioctl interface that is a
+	device node. Patched from Tomas Olson <tol@it.su.se>.
+	
+2005-08-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* afskrb5.c: Default to use 2b tokens.
+
+2005-06-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* common.c: rename index to idx
+
+	* afssys.c (k_afs_cell_of_file): unconst path
+	
+2005-06-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* use struct kafs_data everywhere, don't mix with the typedef
+	kafs_data
+
+	* roken_rename.h: rename more resolve.c symbols
 	
-2004-06-22  Love Hörquist Åstrand  <lha@it.su.se>
+	* afssys.c: Don't building map_syscall_name_to_number where its
+	not used.
 
-	* afssys.c: 1.70: support the linux /proc/fs/mumel/afs_ioctl afs
+2005-02-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: bump version to 4:1:4
+
+2005-02-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kafs.h: de-__P
+	
+2004-12-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* afskrb5.c: s/KEYTYPE_DES/ETYPE_DES_CBC_CRC/
+	
+2004-08-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* afssysdefs.h: ifdef protect AFS_SYSCALL for DragonFly since they
+	still define __FreeBSD__ (and __FreeBSD_version), but claim that
+	they will stop doing it some time...
+	
+	* afssysdefs.h: dragonflybsd uses 339 just like freebsd5
+	
+2004-06-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* afssys.c: s/arla/nnpfs/
+	
+	* afssys.c: support the linux /proc/fs/mumel/afs_ioctl afs
 	"syscall" interface
+
+2004-01-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* common.c: search paths for AFS configuration files for the
+	OpenAFS MacOS X, fix comment
+	
+	* kafs.h: search paths for AFS configuration files for the OpenAFS
+	MacOS X
+
+2003-12-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* common.c: add _PATH_ARLA_OPENBSD & c/o
+	
+	* kafs.h: add _PATH_ARLA_OPENBSD & c/o
+	
+2003-11-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* common.c: typo, Bruno Rohee <bruno@rohee.com>
+	
+2003-11-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kafs.3: spelling, partly from jmc <jmc@prioris.mini.pw.edu.pl>
+	
+2003-09-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* afskrb5.c (krb5_afslog_uid_home): be even more friendly to the
+	user and fetch context and id ourself
+	
+2003-09-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* afskrb5.c (afslog_uid_int): just belive that realm hint the user
+	passed us
+
+2003-07-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: always include v4 symbols
+	
+	* afskrb.c: provide dummy krb_ function to there is no need to
+	bump major
+
+2003-06-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* afskrb5.c (v5_convert): rename one of the two c to cred4
 	
-2003-04-23  Love Hörquist Åstrand  <lha@it.su.se>
+2003-04-23  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* common.c, kafs.h: drop the int argument (the error code) from
 	the logging function
@@ -17,12 +162,12 @@
 	* afskrb5.c (v5_convert): better match what other functions do
 	with values from krb5.conf, like case insensitivity
 
-2003-04-16  Love Hörquist Åstrand  <lha@it.su.se>
+2003-04-16  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* kafs.3: Change .Fd #include <header.h> to .In header.h
 	from Thomas Klausner <wiz@netbsd.org>
 
-2003-04-14  Love Hörquist Åstrand  <lha@it.su.se>
+2003-04-14  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* Makefile.am: (libkafs_la_LDFLAGS): update version
 	
@@ -47,7 +192,7 @@
 	* kafs_locl.h (kafs_data): add name
 	(_kafs_foldup): internally export
 
-2003-04-11  Love Hörquist Åstrand  <lha@it.su.se>
+2003-04-11  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* kafs.3: tell that cell-name is uppercased
 	
@@ -59,18 +204,18 @@
 	have updated their servers but not afs/cell@REALM. Add constant
 	KAFS_RXKAD_2B_KVNO.
 
-2003-04-06  Love Hörquist Åstrand  <lha@it.su.se>
+2003-04-06  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* kafs.3: s/kerberos/Kerberos/
 	
-2003-03-19  Love Hörquist Åstrand  <lha@it.su.se>
+2003-03-19  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* kafs.3: spelling, from <jmc@prioris.mini.pw.edu.pl>
 	
 	* kafs.3: document the kafs_settoken functions write about the
 	krb5_appdefault option for kerberos 5 afs tokens fix prototypes
 	
-2003-03-18  Love Hörquist Åstrand  <lha@it.su.se>
+2003-03-18  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* afskrb5.c (kafs_settoken5): change signature to include a
 	krb5_context, use v5_convert
@@ -109,7 +254,7 @@
 	internal structure struct kafs_token that carries around for rxkad
 	data that is independant of kerberos version
 	
-2003-02-18  Love Hörquist Åstrand  <lha@it.su.se>
+2003-02-18  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* dlfcn.h: s/intialize/initialize, from
 	<jmc@prioris.mini.pw.edu.pl>
@@ -118,7 +263,7 @@
 
 	* afssysdefs.h: fix FreeBSD section
 
-2003-02-06  Love Hörquist Åstrand  <lha@it.su.se>
+2003-02-06  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* afssysdefs.h: use syscall 208 on openbsd (all version) use
 	syscall 339 on freebsd 5.0 and later, use 210 on 4.x and earlier
diff --git a/crypto/heimdal/lib/kafs/Makefile.am b/crypto/heimdal/lib/kafs/Makefile.am
index a08c477..15282f0 100644
--- a/crypto/heimdal/lib/kafs/Makefile.am
+++ b/crypto/heimdal/lib/kafs/Makefile.am
@@ -1,26 +1,26 @@
-# $Id: Makefile.am,v 1.43.2.1 2003/05/12 15:20:46 joda Exp $
+# $Id: Makefile.am 21446 2007-07-10 12:45:36Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += $(AFS_EXTRA_DEFS) $(ROKEN_RENAME)
+AM_CPPFLAGS += $(AFS_EXTRA_DEFS) $(ROKEN_RENAME)
 
 if KRB4
-DEPLIB_krb4 = $(LIB_krb4) $(LIB_des)
+DEPLIB_krb4 = $(LIB_krb4) $(LIB_hcrypto)
 krb4_am_workaround = $(INCLUDE_krb4)
 else
 DEPLIB_krb4  =
 krb4_am_workaround = 
 endif # KRB4
-INCLUDES += $(krb4_am_workaround)
+AM_CPPFLAGS += $(krb4_am_workaround)
 
 if KRB5
 DEPLIB_krb5 = ../krb5/libkrb5.la 
-krb5_am_workaround = $(INCLUDE_des) -I$(top_srcdir)/lib/krb5
+krb5_am_workaround = $(INCLUDE_hcrypto) -I$(top_srcdir)/lib/krb5
 else
 DEPLIB_krb5  =
 krb5_am_workaround = 
 endif # KRB5
-INCLUDES += $(krb5_am_workaround)
+AM_CPPFLAGS += $(krb5_am_workaround)
 
 
 if AIX
@@ -51,10 +51,10 @@ AFSL_EXP =
 AIX_SRC =
 endif # AIX
 
-libkafs_la_LIBADD = $(DEPLIB_krb5) ../roken/libroken.la $(DEPLIB_krb4)
+libkafs_la_LIBADD = $(DEPLIB_krb5) $(LIBADD_roken) $(DEPLIB_krb4)
 
 lib_LTLIBRARIES = libkafs.la
-libkafs_la_LDFLAGS = -version-info 4:0:4
+libkafs_la_LDFLAGS = -version-info 5:1:5
 foodir = $(libdir)
 foo_DATA = $(AFS_EXTRA_LIBS)
 # EXTRA_DATA = afslib.so
@@ -67,30 +67,25 @@ if KRB5
 afskrb5_c = afskrb5.c
 endif
 
-if KRB4
-afskrb_c = afskrb.c
-endif
-
-
 if do_roken_rename
 ROKEN_SRCS = resolve.c strtok_r.c strlcpy.c strsep.c
 endif
 
-libkafs_la_SOURCES =				\
+dist_libkafs_la_SOURCES =			\
 	afssys.c				\
-	$(afskrb_c)				\
+	afskrb.c				\
 	$(afskrb5_c)				\
 	common.c				\
 	$(AIX_SRC)				\
 	kafs_locl.h				\
 	afssysdefs.h				\
-	$(ROKEN_SRCS)
+	roken_rename.h
 
-#afslib_so_SOURCES = afslib.c
+nodist_libkafs_la_SOURCES = $(ROKEN_SRCS)
 
 EXTRA_libkafs_la_SOURCES = afskrb.c afskrb5.c dlfcn.c afslib.c dlfcn.h
 
-EXTRA_DIST = README.dlfcn afsl.exp afslib.exp
+EXTRA_DIST = README.dlfcn afsl.exp afslib.exp $(man_MANS)
 
 man_MANS = kafs.3
 
@@ -99,8 +94,6 @@ man_MANS = kafs.3
 afslib.so: afslib.o
 	ld -o $@ -bM:SRE -bI:$(srcdir)/afsl.exp -bE:$(srcdir)/afslib.exp $(AFS_EXTRA_LD) afslib.o -lc
 
-$(OBJECTS): ../../include/config.h
-
 resolve.c:
 	$(LN_S) $(srcdir)/../roken/resolve.c .
 
diff --git a/crypto/heimdal/lib/kafs/Makefile.in b/crypto/heimdal/lib/kafs/Makefile.in
index b221833..ae9a12a 100644
--- a/crypto/heimdal/lib/kafs/Makefile.in
+++ b/crypto/heimdal/lib/kafs/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,25 +14,19 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.43.2.1 2003/05/12 15:20:46 joda Exp $
+# $Id: Makefile.am 21446 2007-07-10 12:45:36Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
 
 
-SOURCES = $(libkafs_la_SOURCES) $(EXTRA_libkafs_la_SOURCES)
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -44,6 +38,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(include_HEADERS) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \
@@ -51,16 +46,14 @@ DIST_COMMON = $(include_HEADERS) $(srcdir)/Makefile.am \
 subdir = lib/kafs
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -73,6 +66,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -81,54 +75,71 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(foodir)" "$(DESTDIR)$(includedir)"
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)" \
+	"$(DESTDIR)$(foodir)" "$(DESTDIR)$(includedir)"
 libLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(lib_LTLIBRARIES)
 @KRB5_TRUE@am__DEPENDENCIES_1 = ../krb5/libkrb5.la
 am__DEPENDENCIES_2 =
 @KRB4_TRUE@am__DEPENDENCIES_3 = $(am__DEPENDENCIES_2) \
 @KRB4_TRUE@	$(am__DEPENDENCIES_2)
-libkafs_la_DEPENDENCIES = $(am__DEPENDENCIES_1) ../roken/libroken.la \
+libkafs_la_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \
 	$(am__DEPENDENCIES_3)
-am__libkafs_la_SOURCES_DIST = afssys.c afskrb.c afskrb5.c common.c \
-	afslib.c dlfcn.c kafs_locl.h afssysdefs.h resolve.c strtok_r.c \
-	strlcpy.c strsep.c
-@KRB4_TRUE@am__objects_1 = afskrb.lo
-@KRB5_TRUE@am__objects_2 = afskrb5.lo
-@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@am__objects_3 = afslib.lo
-@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@am__objects_3 =  \
+am__dist_libkafs_la_SOURCES_DIST = afssys.c afskrb.c afskrb5.c \
+	common.c afslib.c dlfcn.c kafs_locl.h afssysdefs.h \
+	roken_rename.h
+@KRB5_TRUE@am__objects_1 = afskrb5.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@am__objects_2 = afslib.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@am__objects_2 =  \
 @AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@	dlfcn.lo
-@do_roken_rename_TRUE@am__objects_4 = resolve.lo strtok_r.lo \
+dist_libkafs_la_OBJECTS = afssys.lo afskrb.lo $(am__objects_1) \
+	common.lo $(am__objects_2)
+@do_roken_rename_TRUE@am__objects_3 = resolve.lo strtok_r.lo \
 @do_roken_rename_TRUE@	strlcpy.lo strsep.lo
-am_libkafs_la_OBJECTS = afssys.lo $(am__objects_1) $(am__objects_2) \
-	common.lo $(am__objects_3) $(am__objects_4)
-libkafs_la_OBJECTS = $(am_libkafs_la_OBJECTS)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+nodist_libkafs_la_OBJECTS = $(am__objects_3)
+libkafs_la_OBJECTS = $(dist_libkafs_la_OBJECTS) \
+	$(nodist_libkafs_la_OBJECTS)
+libkafs_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libkafs_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
-SOURCES = $(libkafs_la_SOURCES) $(EXTRA_libkafs_la_SOURCES)
-DIST_SOURCES = $(am__libkafs_la_SOURCES_DIST) \
-	$(EXTRA_libkafs_la_SOURCES)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(EXTRA_libkafs_la_SOURCES) $(dist_libkafs_la_SOURCES) \
+	$(nodist_libkafs_la_SOURCES)
+DIST_SOURCES = $(EXTRA_libkafs_la_SOURCES) \
+	$(am__dist_libkafs_la_SOURCES_DIST)
 man3dir = $(mandir)/man3
 MANS = $(man_MANS)
 fooDATA_INSTALL = $(INSTALL_DATA)
@@ -139,13 +150,7 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -155,8 +160,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -167,11 +170,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -179,42 +181,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -232,12 +219,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -247,15 +231,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -264,6 +247,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -275,15 +259,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -291,74 +270,81 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(AFS_EXTRA_DEFS) $(ROKEN_RENAME) $(krb4_am_workaround) $(krb5_am_workaround)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	$(AFS_EXTRA_DEFS) $(ROKEN_RENAME) $(krb4_am_workaround) \
+	$(krb5_am_workaround)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -375,15 +361,16 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 @KRB4_FALSE@DEPLIB_krb4 = 
-@KRB4_TRUE@DEPLIB_krb4 = $(LIB_krb4) $(LIB_des)
+@KRB4_TRUE@DEPLIB_krb4 = $(LIB_krb4) $(LIB_hcrypto)
 @KRB4_FALSE@krb4_am_workaround = 
 @KRB4_TRUE@krb4_am_workaround = $(INCLUDE_krb4)
 @KRB5_FALSE@DEPLIB_krb5 = 
 @KRB5_TRUE@DEPLIB_krb5 = ../krb5/libkrb5.la 
 @KRB5_FALSE@krb5_am_workaround = 
-@KRB5_TRUE@krb5_am_workaround = $(INCLUDE_des) -I$(top_srcdir)/lib/krb5
+@KRB5_TRUE@krb5_am_workaround = $(INCLUDE_hcrypto) -I$(top_srcdir)/lib/krb5
 @AIX_FALSE@AFSL_EXP = 
 @AIX_TRUE@AFSL_EXP = $(srcdir)/afsl.exp
 @AIX4_FALSE@@AIX_TRUE@AFS_EXTRA_LD = -e _nostart
@@ -396,36 +383,34 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@AFS_EXTRA_LIBS = afslib.so
 @AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@AFS_EXTRA_DEFS = -DSTATIC_AFS
 @AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@AFS_EXTRA_DEFS = 
-libkafs_la_LIBADD = $(DEPLIB_krb5) ../roken/libroken.la $(DEPLIB_krb4)
+libkafs_la_LIBADD = $(DEPLIB_krb5) $(LIBADD_roken) $(DEPLIB_krb4)
 lib_LTLIBRARIES = libkafs.la
-libkafs_la_LDFLAGS = -version-info 4:0:4
+libkafs_la_LDFLAGS = -version-info 5:1:5
 foodir = $(libdir)
 foo_DATA = $(AFS_EXTRA_LIBS)
 # EXTRA_DATA = afslib.so
 CLEANFILES = $(AFS_EXTRA_LIBS) $(ROKEN_SRCS)
 include_HEADERS = kafs.h
 @KRB5_TRUE@afskrb5_c = afskrb5.c
-@KRB4_TRUE@afskrb_c = afskrb.c
 @do_roken_rename_TRUE@ROKEN_SRCS = resolve.c strtok_r.c strlcpy.c strsep.c
-libkafs_la_SOURCES = \
+dist_libkafs_la_SOURCES = \
 	afssys.c				\
-	$(afskrb_c)				\
+	afskrb.c				\
 	$(afskrb5_c)				\
 	common.c				\
 	$(AIX_SRC)				\
 	kafs_locl.h				\
 	afssysdefs.h				\
-	$(ROKEN_SRCS)
-
+	roken_rename.h
 
-#afslib_so_SOURCES = afslib.c
+nodist_libkafs_la_SOURCES = $(ROKEN_SRCS)
 EXTRA_libkafs_la_SOURCES = afskrb.c afskrb5.c dlfcn.c afslib.c dlfcn.h
-EXTRA_DIST = README.dlfcn afsl.exp afslib.exp
+EXTRA_DIST = README.dlfcn afsl.exp afslib.exp $(man_MANS)
 man_MANS = kafs.3
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -457,10 +442,10 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)"
+	test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    f="`echo $$p | sed -e 's|^.*/||'`"; \
+	    f=$(am__strip_dir) \
 	    echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \
 	    $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \
 	  else :; fi; \
@@ -469,7 +454,7 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 uninstall-libLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
-	    p="`echo $$p | sed -e 's|^.*/||'`"; \
+	  p=$(am__strip_dir) \
 	  echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \
 	  $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \
 	done
@@ -478,12 +463,12 @@ clean-libLTLIBRARIES:
 	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" = "$$p" && dir=.; \
+	  test "$$dir" != "$$p" || dir=.; \
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
 libkafs.la: $(libkafs_la_OBJECTS) $(libkafs_la_DEPENDENCIES) 
-	$(LINK) -rpath $(libdir) $(libkafs_la_LDFLAGS) $(libkafs_la_OBJECTS) $(libkafs_la_LIBADD) $(LIBS)
+	$(libkafs_la_LINK) -rpath $(libdir) $(libkafs_la_OBJECTS) $(libkafs_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -505,13 +490,9 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 install-man3: $(man3_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man3dir)" || $(mkdir_p) "$(DESTDIR)$(man3dir)"
+	test -z "$(man3dir)" || $(MKDIR_P) "$(DESTDIR)$(man3dir)"
 	@list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -556,10 +537,10 @@ uninstall-man3:
 	done
 install-fooDATA: $(foo_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(foodir)" || $(mkdir_p) "$(DESTDIR)$(foodir)"
+	test -z "$(foodir)" || $(MKDIR_P) "$(DESTDIR)$(foodir)"
 	@list='$(foo_DATA)'; for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  f=$(am__strip_dir) \
 	  echo " $(fooDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(foodir)/$$f'"; \
 	  $(fooDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(foodir)/$$f"; \
 	done
@@ -567,16 +548,16 @@ install-fooDATA: $(foo_DATA)
 uninstall-fooDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(foo_DATA)'; for p in $$list; do \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  f=$(am__strip_dir) \
 	  echo " rm -f '$(DESTDIR)$(foodir)/$$f'"; \
 	  rm -f "$(DESTDIR)$(foodir)/$$f"; \
 	done
 install-includeHEADERS: $(include_HEADERS)
 	@$(NORMAL_INSTALL)
-	test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)"
+	test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
 	@list='$(include_HEADERS)'; for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  f=$(am__strip_dir) \
 	  echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
 	  $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
 	done
@@ -584,7 +565,7 @@ install-includeHEADERS: $(include_HEADERS)
 uninstall-includeHEADERS:
 	@$(NORMAL_UNINSTALL)
 	@list='$(include_HEADERS)'; for p in $$list; do \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  f=$(am__strip_dir) \
 	  echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \
 	  rm -f "$(DESTDIR)$(includedir)/$$f"; \
 	done
@@ -609,9 +590,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -636,23 +619,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../.. $(distdir)/../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -672,7 +653,7 @@ check: check-am
 all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) $(HEADERS) all-local
 installdirs:
 	for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(foodir)" "$(DESTDIR)$(includedir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -694,7 +675,7 @@ clean-generic:
 	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -707,7 +688,7 @@ clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -723,14 +704,22 @@ install-data-am: install-fooDATA install-includeHEADERS install-man
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-libLTLIBRARIES
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man: install-man3
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -751,24 +740,32 @@ ps: ps-am
 ps-am:
 
 uninstall-am: uninstall-fooDATA uninstall-includeHEADERS \
-	uninstall-info-am uninstall-libLTLIBRARIES uninstall-man
+	uninstall-libLTLIBRARIES uninstall-man
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
 
 uninstall-man: uninstall-man3
 
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
 .PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
 	clean clean-generic clean-libLTLIBRARIES clean-libtool ctags \
-	distclean distclean-compile distclean-generic \
+	dist-hook distclean distclean-compile distclean-generic \
 	distclean-libtool distclean-tags distdir dvi dvi-am html \
 	html-am info info-am install install-am install-data \
-	install-data-am install-exec install-exec-am install-fooDATA \
-	install-includeHEADERS install-info install-info-am \
-	install-libLTLIBRARIES install-man install-man3 install-strip \
-	installcheck installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-fooDATA \
-	uninstall-includeHEADERS uninstall-info-am \
-	uninstall-libLTLIBRARIES uninstall-man uninstall-man3
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-fooDATA \
+	install-html install-html-am install-includeHEADERS \
+	install-info install-info-am install-libLTLIBRARIES \
+	install-man install-man3 install-pdf install-pdf-am install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \
+	uninstall-am uninstall-fooDATA uninstall-hook \
+	uninstall-includeHEADERS uninstall-libLTLIBRARIES \
+	uninstall-man uninstall-man3
 
 
 install-suid-programs:
@@ -783,8 +780,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -794,19 +791,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -822,7 +831,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -892,22 +901,45 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
 
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
 # AIX: this almost works with gcc, but somehow it fails to use the
 # correct ld, use ld instead
 afslib.so: afslib.o
 	ld -o $@ -bM:SRE -bI:$(srcdir)/afsl.exp -bE:$(srcdir)/afslib.exp $(AFS_EXTRA_LD) afslib.o -lc
 
-$(OBJECTS): ../../include/config.h
-
 resolve.c:
 	$(LN_S) $(srcdir)/../roken/resolve.c .
 
diff --git a/crypto/heimdal/lib/kafs/afskrb.c b/crypto/heimdal/lib/kafs/afskrb.c
index 523a7b9..f5516a8 100644
--- a/crypto/heimdal/lib/kafs/afskrb.c
+++ b/crypto/heimdal/lib/kafs/afskrb.c
@@ -33,7 +33,7 @@
 
 #include "kafs_locl.h"
 
-RCSID("$Id: afskrb.c,v 1.17 2003/04/14 08:32:11 lha Exp $");
+RCSID("$Id: afskrb.c 15342 2005-06-02 07:38:22Z lha $");
 
 #ifdef KRB4
 
@@ -42,7 +42,7 @@ struct krb_kafs_data {
 };
 
 static int
-get_cred(kafs_data *data, const char *name, const char *inst, 
+get_cred(struct kafs_data *data, const char *name, const char *inst, 
 	 const char *realm, uid_t uid, struct kafs_token *kt)
 {
     CREDENTIALS c;
@@ -60,7 +60,7 @@ get_cred(kafs_data *data, const char *name, const char *inst,
 }
 
 static int
-afslog_uid_int(kafs_data *data,
+afslog_uid_int(struct kafs_data *data,
 	       const char *cell,
 	       const char *realm_hint,
 	       uid_t uid,
@@ -93,7 +93,7 @@ afslog_uid_int(kafs_data *data,
 }
 
 static char *
-get_realm(kafs_data *data, const char *host)
+get_realm(struct kafs_data *data, const char *host)
 {
     char *r = krb_realmofhost(host);
     if(r != NULL)
@@ -106,7 +106,7 @@ int
 krb_afslog_uid_home(const char *cell, const char *realm_hint, uid_t uid,
 		    const char *homedir)
 {
-    kafs_data kd;
+    struct kafs_data kd;
 
     kd.name = "krb4";
     kd.afslog_uid = afslog_uid_int;
@@ -141,7 +141,7 @@ krb_afslog_home(const char *cell, const char *realm_hint, const char *homedir)
 int
 krb_realm_of_cell(const char *cell, char **realm)
 {
-    kafs_data kd;
+    struct kafs_data kd;
 
     kd.name = "krb4";
     kd.get_realm = get_realm;
@@ -170,4 +170,48 @@ kafs_settoken(const char *cell, uid_t uid, CREDENTIALS *c)
     return ret;
 }
 
+#else /* KRB4 */
+
+#define KAFS_KRBET_KDC_SERVICE_EXP 39525378
+
+int
+krb_afslog_uid_home(const char *cell, const char *realm_hint, uid_t uid,
+		    const char *homedir)
+{
+    return KAFS_KRBET_KDC_SERVICE_EXP;
+}
+
+int
+krb_afslog_uid(const char *cell, const char *realm_hint, uid_t uid)
+{
+    return KAFS_KRBET_KDC_SERVICE_EXP;
+}
+
+int
+krb_afslog_home(const char *cell, const char *realm_hint, const char *homedir)
+{
+    return KAFS_KRBET_KDC_SERVICE_EXP;
+}
+
+int
+krb_afslog(const char *cell, const char *realm_hint)
+{
+    return KAFS_KRBET_KDC_SERVICE_EXP;
+}
+
+int
+krb_realm_of_cell(const char *cell, char **realm)
+{
+    *realm = NULL;
+    return KAFS_KRBET_KDC_SERVICE_EXP;
+}
+
+int kafs_settoken (const char*, uid_t, struct credentials *);
+
+int
+kafs_settoken(const char *cell, uid_t uid, struct credentials *c)
+{
+    return KAFS_KRBET_KDC_SERVICE_EXP;
+}
+
 #endif /* KRB4 */
diff --git a/crypto/heimdal/lib/kafs/afskrb5.c b/crypto/heimdal/lib/kafs/afskrb5.c
index d415db6..2b05267 100644
--- a/crypto/heimdal/lib/kafs/afskrb5.c
+++ b/crypto/heimdal/lib/kafs/afskrb5.c
@@ -33,7 +33,7 @@
 
 #include "kafs_locl.h"
 
-RCSID("$Id: afskrb5.c,v 1.18.2.1 2003/04/22 14:25:43 joda Exp $");
+RCSID("$Id: afskrb5.c 17032 2006-04-10 08:45:04Z lha $");
 
 struct krb5_kafs_data {
     krb5_context context;
@@ -126,7 +126,7 @@ v5_convert(krb5_context context, krb5_ccache id,
     _kafs_foldup(c, c);
     krb5_appdefault_string (context, "libkafs",
 			    c,
-			    "afs-use-524", "yes", &val);
+			    "afs-use-524", "2b", &val);
     free(c);
 
     if (strcasecmp(val, "local") == 0 || 
@@ -135,16 +135,16 @@ v5_convert(krb5_context context, krb5_ccache id,
     else if(strcasecmp(val, "yes") == 0 ||
 	    strcasecmp(val, "true") == 0 ||
 	    atoi(val)) {
-	struct credentials c;
+	struct credentials cred4;
 	
 	if (id == NULL)
-	    ret = krb524_convert_creds_kdc(context, cred, &c);
+	    ret = krb524_convert_creds_kdc(context, cred, &cred4);
 	else
-	    ret = krb524_convert_creds_kdc_ccache(context, id, cred, &c);
+	    ret = krb524_convert_creds_kdc_ccache(context, id, cred, &cred4);
 	if (ret)
 	    goto out;
 
-	ret = _kafs_v4_to_kt(&c, uid, kt);
+	ret = _kafs_v4_to_kt(&cred4, uid, kt);
     } else 
 	ret = v5_to_kt(cred, uid, kt, 0);
 
@@ -159,7 +159,7 @@ v5_convert(krb5_context context, krb5_ccache id,
  */
 
 static int
-get_cred(kafs_data *data, const char *name, const char *inst, 
+get_cred(struct kafs_data *data, const char *name, const char *inst, 
 	 const char *realm, uid_t uid, struct kafs_token *kt)
 {
     krb5_error_code ret;
@@ -176,7 +176,7 @@ get_cred(kafs_data *data, const char *name, const char *inst,
 	krb5_free_principal(d->context, in_creds.server);
 	return ret;
     }
-    in_creds.session.keytype = KEYTYPE_DES;
+    in_creds.session.keytype = ETYPE_DES_CBC_CRC;
     ret = krb5_get_credentials(d->context, 0, d->id, &in_creds, &out_creds);
     krb5_free_principal(d->context, in_creds.server);
     krb5_free_principal(d->context, in_creds.client);
@@ -191,13 +191,13 @@ get_cred(kafs_data *data, const char *name, const char *inst,
 }
 
 static krb5_error_code
-afslog_uid_int(kafs_data *data, const char *cell, const char *rh, uid_t uid,
-	       const char *homedir)
+afslog_uid_int(struct kafs_data *data, const char *cell, const char *rh,
+	       uid_t uid, const char *homedir)
 {
     krb5_error_code ret;
     struct kafs_token kt;
     krb5_principal princ;
-    krb5_realm *trealm; /* ticket realm */
+    const char *trealm; /* ticket realm */
     struct krb5_kafs_data *d = data->data;
     
     if (cell == 0 || cell[0] == 0)
@@ -207,17 +207,11 @@ afslog_uid_int(kafs_data *data, const char *cell, const char *rh, uid_t uid,
     if (ret)
 	return ret;
 
-    trealm = krb5_princ_realm (d->context, princ);
-
-    if (d->realm != NULL && strcmp (d->realm, *trealm) == 0) {
-	trealm = NULL;
-	krb5_free_principal (d->context, princ);
-    }
+    trealm = krb5_principal_get_realm (d->context, princ);
 
     kt.ticket = NULL;
-    ret = _kafs_get_cred(data, cell, d->realm, *trealm, uid, &kt);
-    if(trealm)
-	krb5_free_principal (d->context, princ);
+    ret = _kafs_get_cred(data, cell, d->realm, trealm, uid, &kt);
+    krb5_free_principal (d->context, princ);
     
     if(ret == 0) {
 	ret = kafs_settoken_rxkad(cell, &kt.ct, kt.ticket, kt.ticket_len);
@@ -227,7 +221,7 @@ afslog_uid_int(kafs_data *data, const char *cell, const char *rh, uid_t uid,
 }
 
 static char *
-get_realm(kafs_data *data, const char *host)
+get_realm(struct kafs_data *data, const char *host)
 {
     struct krb5_kafs_data *d = data->data;
     krb5_realm *realms;
@@ -247,17 +241,35 @@ krb5_afslog_uid_home(krb5_context context,
 		     uid_t uid,
 		     const char *homedir)
 {
-    kafs_data kd;
+    struct kafs_data kd;
     struct krb5_kafs_data d;
+    krb5_error_code ret;
+
     kd.name = "krb5";
     kd.afslog_uid = afslog_uid_int;
     kd.get_cred = get_cred;
     kd.get_realm = get_realm;
     kd.data = &d;
-    d.context = context;
-    d.id = id;
+    if (context == NULL) {
+	ret = krb5_init_context(&d.context);
+	if (ret)
+	    return ret;
+    } else
+	d.context = context;
+    if (id == NULL) {
+	ret = krb5_cc_default(d.context, &d.id);
+	if (ret)
+	    goto out;
+    } else
+	d.id = id;
     d.realm = realm;
-    return afslog_uid_int(&kd, cell, 0, uid, homedir);
+    ret = afslog_uid_int(&kd, cell, 0, uid, homedir);
+    if (id == NULL)
+	krb5_cc_close(context, d.id);
+ out:
+    if (context == NULL)
+	krb5_free_context(d.context);
+    return ret;
 }
 
 krb5_error_code
@@ -296,7 +308,7 @@ krb5_afslog_home(krb5_context context,
 krb5_error_code
 krb5_realm_of_cell(const char *cell, char **realm)
 {
-    kafs_data kd;
+    struct kafs_data kd;
 
     kd.name = "krb5";
     kd.get_realm = get_realm;
diff --git a/crypto/heimdal/lib/kafs/afslib.c b/crypto/heimdal/lib/kafs/afslib.c
index ae3b5a5..4845b7f 100644
--- a/crypto/heimdal/lib/kafs/afslib.c
+++ b/crypto/heimdal/lib/kafs/afslib.c
@@ -37,7 +37,7 @@
 
 #include "kafs_locl.h"
 
-RCSID("$Id: afslib.c,v 1.6 1999/12/02 16:58:40 joda Exp $");
+RCSID("$Id: afslib.c 7463 1999-12-02 16:58:55Z joda $");
 
 int
 aix_pioctl(char *a_path,
diff --git a/crypto/heimdal/lib/kafs/afssys.c b/crypto/heimdal/lib/kafs/afssys.c
index 5cd994c..d9c6b80 100644
--- a/crypto/heimdal/lib/kafs/afssys.c
+++ b/crypto/heimdal/lib/kafs/afssys.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995 - 2000, 2002, 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 2000, 2002, 2004, 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -33,7 +33,7 @@
 
 #include "kafs_locl.h"
 
-RCSID("$Id: afssys.c,v 1.69.2.2 2004/06/22 14:29:48 lha Exp $");
+RCSID("$Id: afssys.c 17050 2006-04-11 08:12:29Z lha $");
 
 struct procdata {
     unsigned long param4;
@@ -42,11 +42,25 @@ struct procdata {
     unsigned long param1;
     unsigned long syscall;
 };
-#define VIOC_SYSCALL _IOW('C', 1, void *)
+#define VIOC_SYSCALL_PROC _IOW('C', 1, void *)
+
+struct devdata {
+    unsigned long syscall;
+    unsigned long param1;
+    unsigned long param2;
+    unsigned long param3;
+    unsigned long param4;
+    unsigned long param5;
+    unsigned long param6;
+    unsigned long retval;
+};
+#define VIOC_SYSCALL_DEV _IOWR('C', 2, struct devdata)
+#define VIOC_SYSCALL_DEV_OPENAFS _IOWR('C', 1, struct devdata)
 
 
 int _kafs_debug; /* this should be done in a better way */
 
+#define UNKNOWN_ENTRY_POINT	(-1)
 #define NO_ENTRY_POINT		0
 #define SINGLE_ENTRY_POINT	1
 #define MULTIPLE_ENTRY_POINT	2
@@ -54,10 +68,12 @@ int _kafs_debug; /* this should be done in a better way */
 #define SINGLE_ENTRY_POINT3	4
 #define LINUX_PROC_POINT	5
 #define AIX_ENTRY_POINTS	6
-#define UNKNOWN_ENTRY_POINT	7
+#define MACOS_DEV_POINT		7
+
 static int afs_entry_point = UNKNOWN_ENTRY_POINT;
 static int afs_syscalls[2];
-static char *afs_procpath;
+static char *afs_ioctlpath;
+static unsigned long afs_ioctlnum;
 
 /* Magic to get AIX syscalls to work */
 #ifdef _AIX
@@ -112,6 +128,8 @@ try_aix(void)
  * there's a /etc/name_to_sysnum file.  
  */
 
+#if defined(AFS_SYSCALL) || defined(AFS_SYSCALL2) || defined(AFS_SYSCALL3)
+
 #define _PATH_ETC_NAME_TO_SYSNUM "/etc/name_to_sysnum"
 
 static int
@@ -143,32 +161,61 @@ map_syscall_name_to_number (const char *str, int *res)
     fclose (f);
     return -1;
 }
+#endif
 
 static int 
-try_proc(const char *path)
+try_ioctlpath(const char *path, unsigned long ioctlnum, int entrypoint)
 {
-    int fd;
+    int fd, ret, saved_errno;
+
     fd = open(path, O_RDWR);
     if (fd < 0)
 	return 1;
+    switch (entrypoint) {
+    case LINUX_PROC_POINT: {
+	struct procdata data = { 0, 0, 0, 0, AFSCALL_PIOCTL };
+	data.param2 = (unsigned long)VIOCGETTOK;
+	ret = ioctl(fd, ioctlnum, &data);
+	break;
+    }
+    case MACOS_DEV_POINT: {
+	struct devdata data = { AFSCALL_PIOCTL, 0, 0, 0, 0, 0, 0, 0 };
+	data.param2 = (unsigned long)VIOCGETTOK;
+	ret = ioctl(fd, ioctlnum, &data);
+	break;
+    }
+    default:
+	abort();
+    }
+    saved_errno = errno;
     close(fd);
-    afs_procpath = strdup(path);
-    if (afs_procpath == NULL)
+    /* 
+     * Be quite liberal in what error are ok, the first is the one
+     * that should trigger given that params is NULL.
+     */
+    if (ret && 
+	(saved_errno != EFAULT &&
+	 saved_errno != EDOM && 
+	 saved_errno != ENOTCONN))
+	return 1;
+    afs_ioctlnum = ioctlnum;
+    afs_ioctlpath = strdup(path);
+    if (afs_ioctlpath == NULL)
 	return 1;
-    afs_entry_point = LINUX_PROC_POINT;
+    afs_entry_point = entrypoint;
     return 0;
 }
 
 static int
-do_proc(struct procdata *data)
+do_ioctl(void *data)
 {
     int fd, ret, saved_errno;
-    fd = open(afs_procpath, O_RDWR);
+    fd = open(afs_ioctlpath, O_RDWR);
     if (fd < 0) {
 	errno = EINVAL;
 	return -1;
     }
-    ret = ioctl(fd, VIOC_SYSCALL, data);
+    ret = ioctl(fd, afs_ioctlnum, data);
     saved_errno = errno;
     close(fd);
     errno = saved_errno;
@@ -201,7 +248,22 @@ k_pioctl(char *a_path,
 	data.param2 = (unsigned long)o_opcode;
 	data.param3 = (unsigned long)a_paramsP;
 	data.param4 = (unsigned long)a_followSymlinks;
-	return do_proc(&data);
+	return do_ioctl(&data);
+    }
+    case MACOS_DEV_POINT: {
+	struct devdata data = { AFSCALL_PIOCTL, 0, 0, 0, 0, 0, 0, 0 };
+	int ret;
+	
+	data.param1 = (unsigned long)a_path;
+	data.param2 = (unsigned long)o_opcode;
+	data.param3 = (unsigned long)a_paramsP;
+	data.param4 = (unsigned long)a_followSymlinks;
+	
+	ret = do_ioctl(&data);
+	if (ret)
+	    return ret;
+	
+	return data.retval;
     }
 #ifdef _AIX
     case AIX_ENTRY_POINTS:
@@ -224,7 +286,7 @@ k_afs_cell_of_file(const char *path, char *cell, int len)
     parms.in_size = 0;
     parms.out = cell;
     parms.out_size = len;
-    return k_pioctl((char*)path, VIOC_FILE_CELL_NAME, &parms, 1);
+    return k_pioctl(rk_UNCONST(path), VIOC_FILE_CELL_NAME, &parms, 1);
 }
 
 int
@@ -252,8 +314,15 @@ k_setpag(void)
 #endif
     case LINUX_PROC_POINT: {
 	struct procdata data = { 0, 0, 0, 0, AFSCALL_SETPAG };
-	return do_proc(&data);
+	return do_ioctl(&data);
     }
+    case MACOS_DEV_POINT: {
+	struct devdata data = { AFSCALL_SETPAG, 0, 0, 0, 0, 0, 0, 0 };
+	int ret = do_ioctl(&data);
+	if (ret)
+	    return ret;
+	return data.retval;
+     }
 #ifdef _AIX
     case AIX_ENTRY_POINTS:
 	return Setpag();
@@ -339,8 +408,11 @@ k_hasafs(void)
 #if !defined(NO_AFS) && defined(SIGSYS)
     RETSIGTYPE (*saved_func)(int);
 #endif
-    int saved_errno;
-    char *env = getenv ("AFS_SYSCALL");
+    int saved_errno, ret;
+    char *env = NULL;
+
+    if (!issuid())
+	env = getenv ("AFS_SYSCALL");
   
     /*
      * Already checked presence of AFS syscalls?
@@ -360,6 +432,36 @@ k_hasafs(void)
 #ifdef SIGSYS
     saved_func = signal(SIGSYS, SIGSYS_handler);
 #endif
+    if (env && strstr(env, "..") == NULL) {
+
+	if (strncmp("/proc/", env, 6) == 0) {
+	    if (try_ioctlpath(env, VIOC_SYSCALL_PROC, LINUX_PROC_POINT) == 0)
+		goto done;
+	}
+	if (strncmp("/dev/", env, 5) == 0) {
+	    if (try_ioctlpath(env, VIOC_SYSCALL_DEV, MACOS_DEV_POINT) == 0)
+		goto done;
+	    if (try_ioctlpath(env,VIOC_SYSCALL_DEV_OPENAFS,MACOS_DEV_POINT) ==0)
+		goto done;
+	}
+    }
+
+    ret = try_ioctlpath("/proc/fs/openafs/afs_ioctl",
+			VIOC_SYSCALL_PROC, LINUX_PROC_POINT);
+    if (ret == 0)
+	goto done;
+    ret = try_ioctlpath("/proc/fs/nnpfs/afs_ioctl", 
+			VIOC_SYSCALL_PROC, LINUX_PROC_POINT);
+    if (ret == 0)
+	goto done;
+
+    ret = try_ioctlpath("/dev/openafs_ioctl", 
+			VIOC_SYSCALL_DEV_OPENAFS, MACOS_DEV_POINT);
+    if (ret == 0)
+	goto done;
+    ret = try_ioctlpath("/dev/nnpfs_ioctl", VIOC_SYSCALL_DEV, MACOS_DEV_POINT);
+    if (ret == 0)
+	goto done;
 
 #if defined(AFS_SYSCALL) || defined(AFS_SYSCALL2) || defined(AFS_SYSCALL3)
     {
@@ -442,12 +544,6 @@ k_hasafs(void)
 	goto done;
 #endif
 
-    if (try_proc("/proc/fs/openafs/afs_ioctl") == 0)
-	goto done;
-    if (try_proc("/proc/fs/nnpfs/afs_ioctl") == 0)
-	goto done;
-    if (env && try_proc(env) == 0)
-	goto done;
 
 done:
 #ifdef SIGSYS
@@ -457,3 +553,10 @@ done:
     errno = saved_errno;
     return afs_entry_point != NO_ENTRY_POINT;
 }
+
+int
+k_hasafs_recheck(void)
+{
+    afs_entry_point = UNKNOWN_ENTRY_POINT;
+    return k_hasafs();
+}
diff --git a/crypto/heimdal/lib/kafs/afssysdefs.h b/crypto/heimdal/lib/kafs/afssysdefs.h
index bfda36a..dd52a21 100644
--- a/crypto/heimdal/lib/kafs/afssysdefs.h
+++ b/crypto/heimdal/lib/kafs/afssysdefs.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: afssysdefs.h,v 1.26 2003/02/08 22:55:55 assar Exp $ */
+/* $Id: afssysdefs.h 14102 2004-08-09 13:41:32Z lha $ */
 
 /*
  * This section is for machines using single entry point AFS syscalls!
@@ -90,6 +90,12 @@
 #endif
 #endif /* __FreeBSD__ */
 
+#ifdef __DragonFly__
+#ifndef AFS_SYSCALL
+#define AFS_SYSCALL 339
+#endif
+#endif
+
 #ifdef __OpenBSD__
 #define AFS_SYSCALL 208
 #endif
diff --git a/crypto/heimdal/lib/kafs/common.c b/crypto/heimdal/lib/kafs/common.c
index 291dcac..3466d95 100644
--- a/crypto/heimdal/lib/kafs/common.c
+++ b/crypto/heimdal/lib/kafs/common.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kafs_locl.h"
 
-RCSID("$Id: common.c,v 1.26.2.1 2003/04/23 18:03:20 lha Exp $");
+RCSID("$Id: common.c 15461 2005-06-16 22:52:33Z lha $");
 
 #define AUTH_SUPERUSER "afs"
 
@@ -200,12 +200,12 @@ dns_find_cell(const char *cell, char *dbserver, size_t len)
  * Try to find the cells we should try to klog to in "file".
  */
 static void
-find_cells(const char *file, char ***cells, int *index)
+find_cells(const char *file, char ***cells, int *idx)
 {
     FILE *f;
     char cell[64];
     int i;
-    int ind = *index;
+    int ind = *idx;
 
     f = fopen(file, "r");
     if (f == NULL)
@@ -235,14 +235,14 @@ find_cells(const char *file, char ***cells, int *index)
 	}
     }
     fclose(f);
-    *index = ind;
+    *idx = ind;
 }
 
 /*
  * Get tokens for all cells[]
  */
 static int
-afslog_cells(kafs_data *data, char **cells, int max, uid_t uid,
+afslog_cells(struct kafs_data *data, char **cells, int max, uid_t uid,
 	     const char *homedir)
 {
     int ret = 0;
@@ -256,38 +256,44 @@ afslog_cells(kafs_data *data, char **cells, int max, uid_t uid,
 }
 
 int
-_kafs_afslog_all_local_cells(kafs_data *data, uid_t uid, const char *homedir)
+_kafs_afslog_all_local_cells(struct kafs_data *data,
+			     uid_t uid, const char *homedir)
 {
     int ret;
     char **cells = NULL;
-    int index = 0;
+    int idx = 0;
 
     if (homedir == NULL)
 	homedir = getenv("HOME");
     if (homedir != NULL) {
 	char home[MaxPathLen];
 	snprintf(home, sizeof(home), "%s/.TheseCells", homedir);
-	find_cells(home, &cells, &index);
+	find_cells(home, &cells, &idx);
     }
-    find_cells(_PATH_THESECELLS, &cells, &index);
-    find_cells(_PATH_THISCELL, &cells, &index);
-    find_cells(_PATH_ARLA_THESECELLS, &cells, &index);
-    find_cells(_PATH_ARLA_THISCELL, &cells, &index);
-    find_cells(_PATH_OPENAFS_DEBIAN_THESECELLS, &cells, &index);
-    find_cells(_PATH_OPENAFS_DEBIAN_THISCELL, &cells, &index);
-    find_cells(_PATH_ARLA_DEBIAN_THESECELLS, &cells, &index);
-    find_cells(_PATH_ARLA_DEBIAN_THISCELL, &cells, &index);
+    find_cells(_PATH_THESECELLS, &cells, &idx);
+    find_cells(_PATH_THISCELL, &cells, &idx);
+    find_cells(_PATH_ARLA_THESECELLS, &cells, &idx);
+    find_cells(_PATH_ARLA_THISCELL, &cells, &idx);
+    find_cells(_PATH_OPENAFS_DEBIAN_THESECELLS, &cells, &idx);
+    find_cells(_PATH_OPENAFS_DEBIAN_THISCELL, &cells, &idx);
+    find_cells(_PATH_OPENAFS_MACOSX_THESECELLS, &cells, &idx);
+    find_cells(_PATH_OPENAFS_MACOSX_THISCELL, &cells, &idx);
+    find_cells(_PATH_ARLA_DEBIAN_THESECELLS, &cells, &idx);
+    find_cells(_PATH_ARLA_DEBIAN_THISCELL, &cells, &idx);
+    find_cells(_PATH_ARLA_OPENBSD_THESECELLS, &cells, &idx);
+    find_cells(_PATH_ARLA_OPENBSD_THISCELL, &cells, &idx);
     
-    ret = afslog_cells(data, cells, index, uid, homedir);
-    while(index > 0)
-	free(cells[--index]);
+    ret = afslog_cells(data, cells, idx, uid, homedir);
+    while(idx > 0)
+	free(cells[--idx]);
     free(cells);
     return ret;
 }
 
 
 static int
-file_find_cell(kafs_data *data, const char *cell, char **realm, int exact)
+file_find_cell(struct kafs_data *data, 
+	       const char *cell, char **realm, int exact)
 {
     FILE *F;
     char buf[1024];
@@ -297,6 +303,7 @@ file_find_cell(kafs_data *data, const char *cell, char **realm, int exact)
     if ((F = fopen(_PATH_CELLSERVDB, "r"))
 	|| (F = fopen(_PATH_ARLA_CELLSERVDB, "r"))
 	|| (F = fopen(_PATH_OPENAFS_DEBIAN_CELLSERVDB, "r"))
+	|| (F = fopen(_PATH_OPENAFS_MACOSX_CELLSERVDB, "r"))
 	|| (F = fopen(_PATH_ARLA_DEBIAN_CELLSERVDB, "r"))) {
 	while (fgets(buf, sizeof(buf), F)) {
 	    int cmp;
@@ -335,9 +342,9 @@ file_find_cell(kafs_data *data, const char *cell, char **realm, int exact)
     return ret;
 }
 
-/* Find the realm associated with cell. Do this by opening
-   /usr/vice/etc/CellServDB and getting the realm-of-host for the
-   first VL-server for the cell.
+/* Find the realm associated with cell. Do this by opening CellServDB
+   file and getting the realm-of-host for the first VL-server for the
+   cell.
 
    This does not work when the VL-server is living in one realm, but
    the cell it is serving is living in another realm.
@@ -346,7 +353,8 @@ file_find_cell(kafs_data *data, const char *cell, char **realm, int exact)
    */
 
 int
-_kafs_realm_of_cell(kafs_data *data, const char *cell, char **realm)
+_kafs_realm_of_cell(struct kafs_data *data,
+		    const char *cell, char **realm)
 {
     char buf[1024];
     int ret;
@@ -363,7 +371,7 @@ _kafs_realm_of_cell(kafs_data *data, const char *cell, char **realm)
 }
 
 static int
-_kafs_try_get_cred(kafs_data *data, const char *user, const char *cell,
+_kafs_try_get_cred(struct kafs_data *data, const char *user, const char *cell,
 		   const char *realm, uid_t uid, struct kafs_token *kt)
 {
     int ret;
@@ -383,7 +391,7 @@ _kafs_try_get_cred(kafs_data *data, const char *user, const char *cell,
 
 
 int
-_kafs_get_cred(kafs_data *data,
+_kafs_get_cred(struct kafs_data *data,
 	       const char *cell, 
 	       const char *realm_hint,
 	       const char *realm,
@@ -394,7 +402,7 @@ _kafs_get_cred(kafs_data *data,
     char *vl_realm;
     char CELL[64];
 
-    /* We're about to find the the realm that holds the key for afs in
+    /* We're about to find the realm that holds the key for afs in
      * the specified cell. The problem is that null-instance
      * afs-principals are common and that hitting the wrong realm might
      * yield the wrong afs key. The following assumptions were made.
diff --git a/crypto/heimdal/lib/kafs/kafs.3 b/crypto/heimdal/lib/kafs/kafs.3
index c6cff4d..cd5b1fd 100644
--- a/crypto/heimdal/lib/kafs/kafs.3
+++ b/crypto/heimdal/lib/kafs/kafs.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 1998 - 1999, 2001 - 2003 Kungliga Tekniska Högskolan
+.\" Copyright (c) 1998 - 2006 Kungliga Tekniska Högskolan
 .\" (Royal Institute of Technology, Stockholm, Sweden). 
 .\" All rights reserved. 
 .\"
@@ -29,13 +29,14 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 .\" SUCH DAMAGE. 
 .\" 
-.\"	$Id: kafs.3,v 1.16 2003/04/16 13:58:27 lha Exp $
+.\"	$Id: kafs.3 17380 2006-05-01 07:01:18Z lha $
 .\"
-.Dd Mar 17, 2003
+.Dd May  1, 2006
 .Os HEIMDAL
 .Dt KAFS 3
 .Sh NAME
 .Nm k_hasafs ,
+.Nm k_hasafs_recheck ,
 .Nm k_pioctl ,
 .Nm k_unlog ,
 .Nm k_setpag ,
@@ -44,7 +45,7 @@
 .Nm kafs_settoken_rxkad ,
 .Nm kafs_settoken ,
 .Nm krb_afslog ,
-.Nm krb_afslog_uid
+.Nm krb_afslog_uid ,
 .Nm kafs_settoken5 ,
 .Nm krb5_afslog ,
 .Nm krb5_afslog_uid
@@ -58,6 +59,8 @@ AFS cache manager access library (libkafs, -lkafs)
 .Ft int
 .Fn k_hasafs "void"
 .Ft int
+.Fn k_hasafs_recheck "void"
+.Ft int
 .Fn k_pioctl "char *a_path" "int o_opcode" "struct ViceIoctl *a_paramsP" "int a_followSymlinks"
 .Ft int
 .Fn k_setpag "void"
@@ -86,6 +89,13 @@ called before
 .Fn k_hasafs
 is called, or if it fails.
 .Pp
+.Fn k_hasafs_recheck
+forces a recheck if a AFS client has started since last time
+.Fn k_hasafs
+or
+.Fn k_hasafs_recheck
+was called.
+.Pp
 .Fn kafs_set_verbose
 set a log function that will be called each time the kafs library does
 something important so that the application using libkafs can output
@@ -151,7 +161,7 @@ and
 .Pp
 .Fn krb5_afslog ,
 .Fn kafs_settoken5
-can be configured to behave diffrently via a 
+can be configured to behave differently via a 
 .Nm krb5_appdefault
 option
 .Li afs-use-524
@@ -186,7 +196,7 @@ as application name when running the
 .Nm krb5_appdefault
 function call.
 .Pp
-The (uppercased) cellname is used as the realm to the
+The (uppercased) cell name is used as the realm to the
 .Nm krb5_appdefault function.
 .Pp
 .\" The extra arguments are the ubiquitous context, and the cache id where
@@ -208,7 +218,7 @@ characters is put in
 .Fn k_pioctl
 does a
 .Fn pioctl
-syscall with the specified arguments. This function is equivalent to
+system call with the specified arguments. This function is equivalent to
 .Fn lpioctl .
 .Pp
 .Fn k_setpag
@@ -261,15 +271,14 @@ If any of these functions (apart from
 is called without AFS being present in the kernel, the process will
 usually (depending on the operating system) receive a SIGSYS signal.
 .Sh SEE ALSO
+.Xr krb5_appdefault 3 ,
+.Xr krb5.conf 5
 .Rs
 .%A Transarc Corporation
 .%J AFS-3 Programmer's Reference
 .%T File Server/Cache Manager Interface
 .%D 1991
 .Re
-.Pp
-.Xr krb5_appdefaults 3 ,
-.Xr krb5.conf 5
 .Sh BUGS
 .Ev AFS_SYSCALL
 has no effect under AIX.
diff --git a/crypto/heimdal/lib/kafs/kafs.h b/crypto/heimdal/lib/kafs/kafs.h
index f95b776..d478039 100644
--- a/crypto/heimdal/lib/kafs/kafs.h
+++ b/crypto/heimdal/lib/kafs/kafs.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: kafs.h,v 1.39.2.1 2003/04/23 18:03:21 lha Exp $ */
+/* $Id: kafs.h 20652 2007-05-10 19:30:18Z lha $ */
 
 #ifndef __KAFS_H
 #define __KAFS_H
@@ -47,6 +47,7 @@
 
 #ifndef _VICEIOCTL
 #define _VICEIOCTL(id)  ((unsigned int ) _IOW('V', id, struct ViceIoctl))
+#define _AFSCIOCTL(id)  ((unsigned int ) _IOW('C', id, struct ViceIoctl))
 #endif /* _VICEIOCTL */
 
 #define VIOCSETAL		_VICEIOCTL(1)
@@ -83,6 +84,9 @@
 #define VIOCGETCACHEPARAMS	_VICEIOCTL(40)
 #define VIOC_GCPAGS		_VICEIOCTL(48) 
 
+#define VIOCGETTOK2		_AFSCIOCTL(7)
+#define VIOCSETTOK2		_AFSCIOCTL(8)
+
 struct ViceIoctl {
   caddr_t in, out;
   short in_size;
@@ -97,41 +101,32 @@ struct ClearToken {
   int32_t EndTimestamp;
 };
 
-#ifdef __STDC__
-#ifndef __P
-#define __P(x) x
-#endif
-#else
-#ifndef __P
-#define __P(x) ()
-#endif
-#endif
-
 /* Use k_hasafs() to probe if the machine supports AFS syscalls.
    The other functions will generate a SIGSYS if AFS is not supported */
 
-int k_hasafs __P((void));
+int k_hasafs (void);
+int k_hasafs_recheck (void);
 
-int krb_afslog __P((const char *cell, const char *realm));
-int krb_afslog_uid __P((const char *cell, const char *realm, uid_t uid));
-int krb_afslog_home __P((const char *cell, const char *realm,
-			 const char *homedir));
-int krb_afslog_uid_home __P((const char *cell, const char *realm, uid_t uid,
-			     const char *homedir));
+int krb_afslog (const char *cell, const char *realm);
+int krb_afslog_uid (const char *cell, const char *realm, uid_t uid);
+int krb_afslog_home (const char *cell, const char *realm,
+			 const char *homedir);
+int krb_afslog_uid_home (const char *cell, const char *realm, uid_t uid,
+			     const char *homedir);
 
-int krb_realm_of_cell __P((const char *cell, char **realm));
+int krb_realm_of_cell (const char *cell, char **realm);
 
 /* compat */
 #define k_afsklog krb_afslog
 #define k_afsklog_uid krb_afslog_uid
 
-int k_pioctl __P((char *a_path,
+int k_pioctl (char *a_path,
 		  int o_opcode,
 		  struct ViceIoctl *a_paramsP,
-		  int a_followSymlinks));
-int k_unlog __P((void));
-int k_setpag __P((void));
-int k_afs_cell_of_file __P((const char *path, char *cell, int len));
+		  int a_followSymlinks);
+int k_unlog (void);
+int k_setpag (void);
+int k_afs_cell_of_file (const char *path, char *cell, int len);
 
 
 
@@ -144,41 +139,41 @@ int k_afs_cell_of_file __P((const char *path, char *cell, int len));
 #define KRB5_H_INCLUDED
 #endif
 
-void kafs_set_verbose __P((void (*kafs_verbose)(void *, const char *), void *));
-int kafs_settoken_rxkad __P((const char *, struct ClearToken *,
-			     void *ticket, size_t ticket_len));
+void kafs_set_verbose (void (*kafs_verbose)(void *, const char *), void *);
+int kafs_settoken_rxkad (const char *, struct ClearToken *,
+			     void *ticket, size_t ticket_len);
 #ifdef KRB_H_INCLUDED
-int kafs_settoken __P((const char*, uid_t, CREDENTIALS*));
+int kafs_settoken (const char*, uid_t, CREDENTIALS*);
 #endif
 #ifdef KRB5_H_INCLUDED
-int kafs_settoken5 __P((krb5_context, const char*, uid_t, krb5_creds*));
+int kafs_settoken5 (krb5_context, const char*, uid_t, krb5_creds*);
 #endif
 
 
 #ifdef KRB5_H_INCLUDED
-krb5_error_code krb5_afslog_uid __P((krb5_context context,
+krb5_error_code krb5_afslog_uid (krb5_context context,
 				     krb5_ccache id,
 				     const char *cell,
 				     krb5_const_realm realm,
-				     uid_t uid));
-krb5_error_code krb5_afslog __P((krb5_context context,
+				     uid_t uid);
+krb5_error_code krb5_afslog (krb5_context context,
 				 krb5_ccache id, 
 				 const char *cell,
-				 krb5_const_realm realm));
-krb5_error_code krb5_afslog_uid_home __P((krb5_context context,
+				 krb5_const_realm realm);
+krb5_error_code krb5_afslog_uid_home (krb5_context context,
 					  krb5_ccache id,
 					  const char *cell,
 					  krb5_const_realm realm,
 					  uid_t uid,
-					  const char *homedir));
+					  const char *homedir);
 
-krb5_error_code krb5_afslog_home __P((krb5_context context,
+krb5_error_code krb5_afslog_home (krb5_context context,
 				      krb5_ccache id,
 				      const char *cell,
 				      krb5_const_realm realm,
-				      const char *homedir));
+				      const char *homedir);
 
-krb5_error_code krb5_realm_of_cell __P((const char *cell, char **realm));
+krb5_error_code krb5_realm_of_cell (const char *cell, char **realm);
 
 #endif
 
@@ -198,11 +193,21 @@ krb5_error_code krb5_realm_of_cell __P((const char *cell, char **realm));
 #define _PATH_OPENAFS_DEBIAN_CELLSERVDB 	_PATH_OPENAFS_DEBIAN_VICE "CellServDB"
 #define _PATH_OPENAFS_DEBIAN_THESECELLS		_PATH_OPENAFS_DEBIAN_VICE "TheseCells"
 
+#define _PATH_OPENAFS_MACOSX_VICE		"/var/db/openafs/etc/"
+#define _PATH_OPENAFS_MACOSX_THISCELL		_PATH_OPENAFS_MACOSX_VICE "ThisCell"
+#define _PATH_OPENAFS_MACOSX_CELLSERVDB		_PATH_OPENAFS_MACOSX_VICE "CellServDB"
+#define _PATH_OPENAFS_MACOSX_THESECELLS		_PATH_OPENAFS_MACOSX_VICE "TheseCells"
+
 #define _PATH_ARLA_DEBIAN_VICE			"/etc/arla/"
 #define _PATH_ARLA_DEBIAN_THISCELL		_PATH_ARLA_DEBIAN_VICE "ThisCell"
 #define _PATH_ARLA_DEBIAN_CELLSERVDB		_PATH_ARLA_DEBIAN_VICE "CellServDB"
 #define _PATH_ARLA_DEBIAN_THESECELLS		_PATH_ARLA_DEBIAN_VICE "TheseCells"
 
+#define _PATH_ARLA_OPENBSD_VICE			"/etc/afs/"
+#define _PATH_ARLA_OPENBSD_THISCELL		_PATH_ARLA_OPENBSD_VICE "ThisCell"
+#define _PATH_ARLA_OPENBSD_CELLSERVDB		_PATH_ARLA_OPENBSD_VICE "CellServDB"
+#define _PATH_ARLA_OPENBSD_THESECELLS		_PATH_ARLA_OPENBSD_VICE "TheseCells"
+
 extern int _kafs_debug;
 
 #endif /* __KAFS_H */
diff --git a/crypto/heimdal/lib/kafs/kafs_locl.h b/crypto/heimdal/lib/kafs/kafs_locl.h
index e82b81b..a564104 100644
--- a/crypto/heimdal/lib/kafs/kafs_locl.h
+++ b/crypto/heimdal/lib/kafs/kafs_locl.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: kafs_locl.h,v 1.17 2003/04/14 08:28:37 lha Exp $ */
+/* $Id: kafs_locl.h 16116 2005-10-02 03:14:47Z lha $ */
 
 #ifndef __KAFS_LOCL_H__
 #define __KAFS_LOCL_H__
@@ -59,6 +59,9 @@
 #ifdef HAVE_SYS_FILIO_H
 #include <sys/filio.h>
 #endif
+#ifdef HAVE_SYS_SYSCTL_H
+#include <sys/sysctl.h>
+#endif
 
 #ifdef HAVE_SYS_SYSCALL_H
 #include <sys/syscall.h>
@@ -119,13 +122,13 @@ typedef int (*get_cred_func_t)(struct kafs_data*, const char*, const char*,
 
 typedef char* (*get_realm_func_t)(struct kafs_data*, const char*);
 
-typedef struct kafs_data {
+struct kafs_data {
     const char *name;
     afslog_uid_func_t afslog_uid;
     get_cred_func_t get_cred;
     get_realm_func_t get_realm;
     void *data;
-} kafs_data;
+};
 
 struct kafs_token {
     struct ClearToken ct;
@@ -135,13 +138,13 @@ struct kafs_token {
 
 void _kafs_foldup(char *, const char *);
 
-int _kafs_afslog_all_local_cells(kafs_data*, uid_t, const char*);
+int _kafs_afslog_all_local_cells(struct kafs_data*, uid_t, const char*);
 
-int _kafs_get_cred(kafs_data*, const char*, const char*, const char *, 
+int _kafs_get_cred(struct kafs_data*, const char*, const char*, const char *, 
 		   uid_t, struct kafs_token *);
 
 int
-_kafs_realm_of_cell(kafs_data *, const char *, char **);
+_kafs_realm_of_cell(struct kafs_data *, const char *, char **);
 
 int
 _kafs_v4_to_kt(CREDENTIALS *, uid_t, struct kafs_token *);
diff --git a/crypto/heimdal/lib/kafs/roken_rename.h b/crypto/heimdal/lib/kafs/roken_rename.h
index fbb653d..6eb61fa 100644
--- a/crypto/heimdal/lib/kafs/roken_rename.h
+++ b/crypto/heimdal/lib/kafs/roken_rename.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: roken_rename.h,v 1.6 2002/08/19 15:08:24 joda Exp $ */
+/* $Id: roken_rename.h 15341 2005-06-02 07:35:45Z lha $ */
 
 #ifndef __roken_rename_h__
 #define __roken_rename_h__
@@ -47,6 +47,9 @@
 #define rk_dns_string_to_type _kafs_dns_string_to_type
 #define rk_dns_type_to_string _kafs_dns_type_to_string
 #define rk_dns_srv_order _kafs_dns_srv_order
+#define rk_dns_make_query _kafs_dns_make_query
+#define rk_dns_free_query _kafs_dns_free_query
+#define rk_dns_parse_reply _kafs_dns_parse_reply
 
 #ifndef HAVE_STRTOK_R
 #define strtok_r _kafs_strtok_r
diff --git a/crypto/heimdal/lib/krb5/Makefile.am b/crypto/heimdal/lib/krb5/Makefile.am
index 7ca638b..ced9616 100644
--- a/crypto/heimdal/lib/krb5/Makefile.am
+++ b/crypto/heimdal/lib/krb5/Makefile.am
@@ -1,41 +1,71 @@
-# $Id: Makefile.am,v 1.156.2.4 2004/06/21 10:52:01 lha Exp $
+# $Id: Makefile.am 22501 2008-01-21 15:43:21Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += $(INCLUDE_krb4) $(INCLUDE_des) -I../com_err -I$(srcdir)/../com_err
+AM_CPPFLAGS += $(INCLUDE_krb4) $(INCLUDE_hcrypto) -I../com_err -I$(srcdir)/../com_err
 
 bin_PROGRAMS = verify_krb5_conf
 
-noinst_PROGRAMS = dump_config test_get_addrs krbhst-test test_alname
+noinst_PROGRAMS =				\
+	krbhst-test				\
+	test_alname				\
+	test_crypto				\
+	test_get_addrs				\
+	test_kuserok				\
+	test_renew				\
+	test_forward
 
 TESTS =						\
 	aes-test				\
-	n-fold-test				\
-	string-to-key-test			\
 	derived-key-test			\
-	store-test				\
+	n-fold-test				\
+	name-45-test				\
 	parse-name-test				\
+	store-test				\
+	string-to-key-test			\
+	test_acl				\
+	test_addr				\
 	test_cc					\
-	name-45-test
+	test_config				\
+	test_prf				\
+	test_store				\
+	test_crypto_wrapping			\
+	test_keytab				\
+	test_mem				\
+	test_pac				\
+	test_plugin				\
+	test_princ				\
+	test_pkinit_dh2key			\
+	test_time
 
-check_PROGRAMS = $(TESTS)
+check_PROGRAMS = $(TESTS) test_hostname
 
 LDADD = libkrb5.la \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken)
 
+if PKINIT
+LIB_pkinit = ../hx509/libhx509.la
+endif
+
 libkrb5_la_LIBADD = \
-	../com_err/error.lo ../com_err/com_err.lo \
-	$(LIB_des) \
+	$(LIB_pkinit) \
+	$(LIB_com_err) \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
-	$(LIB_roken)
+	$(LIBADD_roken) \
+	$(LIB_door_create) \
+	$(LIB_dlopen)
 
 lib_LTLIBRARIES = libkrb5.la
 
-ERR_FILES = krb5_err.c heim_err.c k524_err.c
+ERR_FILES = krb5_err.c krb_err.c heim_err.c k524_err.c
 
-libkrb5_la_SOURCES =				\
+libkrb5_la_CPPFLAGS = -DBUILD_KRB5_LIB $(AM_CPPFLAGS)
+
+dist_libkrb5_la_SOURCES =			\
+	acache.c				\
 	acl.c					\
 	add_et_list.c				\
 	addr_families.c				\
@@ -57,7 +87,9 @@ libkrb5_la_SOURCES =				\
 	crc.c					\
 	creds.c					\
 	crypto.c				\
+	doxygen.c				\
 	data.c					\
+	digest.c				\
 	eai_to_heim_errno.c			\
 	error_string.c				\
 	expand_hostname.c			\
@@ -77,15 +109,20 @@ libkrb5_la_SOURCES =				\
 	get_in_tkt_with_keytab.c		\
 	get_in_tkt_with_skey.c			\
 	get_port.c				\
+	heim_threads.h				\
 	init_creds.c				\
 	init_creds_pw.c				\
+	kcm.c					\
+	kcm.h					\
 	keyblock.c				\
 	keytab.c				\
 	keytab_any.c				\
 	keytab_file.c				\
-	keytab_memory.c				\
 	keytab_keyfile.c			\
 	keytab_krb4.c				\
+	keytab_memory.c				\
+	krb5_locl.h				\
+	krb5-v4compat.h				\
 	krbhst.c				\
 	kuserok.c				\
 	log.c					\
@@ -97,10 +134,13 @@ libkrb5_la_SOURCES =				\
 	mk_req.c				\
 	mk_req_ext.c				\
 	mk_safe.c				\
+	mit_glue.c				\
 	net_read.c				\
 	net_write.c				\
 	n-fold.c				\
+	pac.c					\
 	padata.c				\
+	pkinit.c				\
 	principal.c				\
 	prog_setup.c				\
 	prompter_posix.c			\
@@ -122,75 +162,137 @@ libkrb5_la_SOURCES =				\
 	store_emem.c				\
 	store_fd.c				\
 	store_mem.c				\
+	plugin.c				\
 	ticket.c				\
 	time.c					\
 	transited.c				\
+	v4_glue.c				\
 	verify_init.c				\
 	verify_user.c				\
 	version.c				\
 	warn.c					\
-	write_message.c				\
+	write_message.c
+
+nodist_libkrb5_la_SOURCES =			\
 	$(ERR_FILES)
 
-libkrb5_la_LDFLAGS = -version-info 20:0:3
+libkrb5_la_LDFLAGS = -version-info 24:0:0
+
+if versionscript
+libkrb5_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
+endif
 
-$(libkrb5_la_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h
+$(libkrb5_la_OBJECTS) $(verify_krb5_conf_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h
 
 $(srcdir)/krb5-protos.h:
-	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -o krb5-protos.h $(libkrb5_la_SOURCES) || rm -f krb5-protos.h
+	cd $(srcdir) && perl ../../cf/make-proto.pl -E KRB5_LIB_FUNCTION -q -P comment -o krb5-protos.h $(dist_libkrb5_la_SOURCES) || rm -f krb5-protos.h
 
 $(srcdir)/krb5-private.h:
-	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p krb5-private.h $(libkrb5_la_SOURCES) || rm -f krb5-private.h
-
-#libkrb5_la_LIBADD = ../com_err/error.lo ../com_err/com_err.lo
+	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p krb5-private.h $(dist_libkrb5_la_SOURCES) || rm -f krb5-private.h
 
 man_MANS =					\
 	kerberos.8				\
 	krb5.3					\
 	krb5.conf.5				\
+	krb524_convert_creds_kdc.3		\
 	krb5_425_conv_principal.3		\
+	krb5_acl_match_file.3			\
 	krb5_address.3				\
 	krb5_aname_to_localname.3		\
 	krb5_appdefault.3			\
 	krb5_auth_context.3			\
-	krb5_build_principal.3			\
+	krb5_c_make_checksum.3			\
 	krb5_ccache.3				\
+	krb5_check_transited.3			\
+	krb5_compare_creds.3			\
 	krb5_config.3				\
 	krb5_context.3				\
 	krb5_create_checksum.3			\
+	krb5_creds.3				\
 	krb5_crypto_init.3			\
 	krb5_data.3				\
+	krb5_digest.3				\
+	krb5_eai_to_heim_errno.3		\
 	krb5_encrypt.3				\
-	krb5_free_addresses.3			\
-	krb5_free_principal.3			\
+	krb5_expand_hostname.3			\
+	krb5_find_padata.3			\
+	krb5_generate_random_block.3		\
 	krb5_get_all_client_addrs.3		\
+	krb5_get_credentials.3			\
+	krb5_get_creds.3			\
+	krb5_get_forwarded_creds.3		\
+	krb5_get_in_cred.3			\
+	krb5_get_init_creds.3			\
 	krb5_get_krbhst.3			\
+	krb5_getportbyname.3			\
 	krb5_init_context.3			\
+	krb5_is_thread_safe.3			\
+	krb5_keyblock.3				\
 	krb5_keytab.3				\
 	krb5_krbhst_init.3			\
 	krb5_kuserok.3				\
+	krb5_mk_req.3				\
+	krb5_mk_safe.3				\
 	krb5_openlog.3				\
 	krb5_parse_name.3			\
-	krb5_principal_get_realm.3		\
+	krb5_principal.3			\
+	krb5_rcache.3				\
+	krb5_rd_error.3				\
+	krb5_rd_safe.3				\
 	krb5_set_default_realm.3		\
 	krb5_set_password.3			\
-	krb5_sname_to_principal.3		\
+	krb5_storage.3				\
+	krb5_string_to_key.3			\
+	krb5_ticket.3				\
 	krb5_timeofday.3			\
 	krb5_unparse_name.3			\
+	krb5_verify_init_creds.3		\
 	krb5_verify_user.3			\
 	krb5_warn.3				\
 	verify_krb5_conf.8
 
-include_HEADERS = krb5.h krb5-protos.h krb5-private.h krb5_err.h heim_err.h k524_err.h
+dist_include_HEADERS = \
+	krb5.h \
+	krb5-protos.h \
+	krb5-private.h \
+	krb5_ccapi.h
+
+nodist_include_HEADERS = krb5_err.h heim_err.h k524_err.h 
 
-CLEANFILES = krb5_err.c krb5_err.h heim_err.c heim_err.h k524_err.c k524_err.h
+# XXX use nobase_include_HEADERS = krb5/locate_plugin.h
+krb5dir = $(includedir)/krb5
+krb5_HEADERS = locate_plugin.h
 
-$(libkrb5_la_OBJECTS): krb5_err.h heim_err.h k524_err.h
+build_HEADERZ = \
+	heim_threads.h \
+	$(krb5_HEADERS) \
+	krb_err.h
+
+CLEANFILES = \
+	krb5_err.c krb5_err.h \
+	krb_err.c krb_err.h \
+	heim_err.c heim_err.h \
+	k524_err.c k524_err.h
+
+$(libkrb5_la_OBJECTS): krb5_err.h krb_err.h heim_err.h k524_err.h
+
+EXTRA_DIST = \
+	krb5_err.et \
+	krb_err.et \
+	heim_err.et \
+	k524_err.et \
+	$(man_MANS) \
+	version-script.map \
+	krb5.moduli
+
+#sysconf_DATA = krb5.moduli
 
 # to help stupid solaris make
 
 krb5_err.h: krb5_err.et
 
+krb_err.h: krb_err.et
+
 heim_err.h: heim_err.et
 
 k524_err.h: k524_err.et
diff --git a/crypto/heimdal/lib/krb5/Makefile.in b/crypto/heimdal/lib/krb5/Makefile.in
index 78017a7..60e0925 100644
--- a/crypto/heimdal/lib/krb5/Makefile.in
+++ b/crypto/heimdal/lib/krb5/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,25 +14,19 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.156.2.4 2004/06/21 10:52:01 lha Exp $
+# $Id: Makefile.am 22501 2008-01-21 15:43:21Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
 
 
-SOURCES = $(libkrb5_la_SOURCES) aes-test.c derived-key-test.c dump_config.c krbhst-test.c n-fold-test.c name-45-test.c parse-name-test.c store-test.c string-to-key-test.c test_alname.c test_cc.c test_get_addrs.c verify_krb5_conf.c
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -44,27 +38,40 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
-DIST_COMMON = $(include_HEADERS) $(srcdir)/Makefile.am \
-	$(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \
+DIST_COMMON = $(dist_include_HEADERS) $(krb5_HEADERS) \
+	$(srcdir)/Makefile.am $(srcdir)/Makefile.in \
+	$(top_srcdir)/Makefile.am.common \
 	$(top_srcdir)/cf/Makefile.am.common
 bin_PROGRAMS = verify_krb5_conf$(EXEEXT)
-noinst_PROGRAMS = dump_config$(EXEEXT) test_get_addrs$(EXEEXT) \
-	krbhst-test$(EXEEXT) test_alname$(EXEEXT)
-check_PROGRAMS = $(am__EXEEXT_1)
+noinst_PROGRAMS = krbhst-test$(EXEEXT) test_alname$(EXEEXT) \
+	test_crypto$(EXEEXT) test_get_addrs$(EXEEXT) \
+	test_kuserok$(EXEEXT) test_renew$(EXEEXT) \
+	test_forward$(EXEEXT)
+TESTS = aes-test$(EXEEXT) derived-key-test$(EXEEXT) \
+	n-fold-test$(EXEEXT) name-45-test$(EXEEXT) \
+	parse-name-test$(EXEEXT) store-test$(EXEEXT) \
+	string-to-key-test$(EXEEXT) test_acl$(EXEEXT) \
+	test_addr$(EXEEXT) test_cc$(EXEEXT) test_config$(EXEEXT) \
+	test_prf$(EXEEXT) test_store$(EXEEXT) \
+	test_crypto_wrapping$(EXEEXT) test_keytab$(EXEEXT) \
+	test_mem$(EXEEXT) test_pac$(EXEEXT) test_plugin$(EXEEXT) \
+	test_princ$(EXEEXT) test_pkinit_dh2key$(EXEEXT) \
+	test_time$(EXEEXT)
+check_PROGRAMS = $(am__EXEEXT_1) test_hostname$(EXEEXT)
+@versionscript_TRUE@am__append_1 = $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
 subdir = lib/krb5
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -77,6 +84,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -85,56 +93,108 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(includedir)"
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" \
+	"$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" \
+	"$(DESTDIR)$(man8dir)" "$(DESTDIR)$(includedir)" \
+	"$(DESTDIR)$(krb5dir)" "$(DESTDIR)$(includedir)"
 libLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(lib_LTLIBRARIES)
 am__DEPENDENCIES_1 =
-libkrb5_la_DEPENDENCIES = ../com_err/error.lo ../com_err/com_err.lo \
+libkrb5_la_DEPENDENCIES = $(LIB_pkinit) $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1)
-am__objects_1 = krb5_err.lo heim_err.lo k524_err.lo
-am_libkrb5_la_OBJECTS = acl.lo add_et_list.lo addr_families.lo \
-	aname_to_localname.lo appdefault.lo asn1_glue.lo \
-	auth_context.lo build_ap_req.lo build_auth.lo cache.lo \
-	changepw.lo codec.lo config_file.lo config_file_netinfo.lo \
-	convert_creds.lo constants.lo context.lo copy_host_realm.lo \
-	crc.lo creds.lo crypto.lo data.lo eai_to_heim_errno.lo \
-	error_string.lo expand_hostname.lo fcache.lo free.lo \
-	free_host_realm.lo generate_seq_number.lo generate_subkey.lo \
-	get_addrs.lo get_cred.lo get_default_principal.lo \
-	get_default_realm.lo get_for_creds.lo get_host_realm.lo \
-	get_in_tkt.lo get_in_tkt_pw.lo get_in_tkt_with_keytab.lo \
-	get_in_tkt_with_skey.lo get_port.lo init_creds.lo \
-	init_creds_pw.lo keyblock.lo keytab.lo keytab_any.lo \
-	keytab_file.lo keytab_memory.lo keytab_keyfile.lo \
-	keytab_krb4.lo krbhst.lo kuserok.lo log.lo mcache.lo misc.lo \
-	mk_error.lo mk_priv.lo mk_rep.lo mk_req.lo mk_req_ext.lo \
-	mk_safe.lo net_read.lo net_write.lo n-fold.lo padata.lo \
-	principal.lo prog_setup.lo prompter_posix.lo rd_cred.lo \
-	rd_error.lo rd_priv.lo rd_rep.lo rd_req.lo rd_safe.lo \
-	read_message.lo recvauth.lo replay.lo send_to_kdc.lo \
-	sendauth.lo set_default_realm.lo sock_principal.lo store.lo \
-	store_emem.lo store_fd.lo store_mem.lo ticket.lo time.lo \
-	transited.lo verify_init.lo verify_user.lo version.lo warn.lo \
-	write_message.lo $(am__objects_1)
-libkrb5_la_OBJECTS = $(am_libkrb5_la_OBJECTS)
+dist_libkrb5_la_OBJECTS = libkrb5_la-acache.lo libkrb5_la-acl.lo \
+	libkrb5_la-add_et_list.lo libkrb5_la-addr_families.lo \
+	libkrb5_la-aname_to_localname.lo libkrb5_la-appdefault.lo \
+	libkrb5_la-asn1_glue.lo libkrb5_la-auth_context.lo \
+	libkrb5_la-build_ap_req.lo libkrb5_la-build_auth.lo \
+	libkrb5_la-cache.lo libkrb5_la-changepw.lo libkrb5_la-codec.lo \
+	libkrb5_la-config_file.lo libkrb5_la-config_file_netinfo.lo \
+	libkrb5_la-convert_creds.lo libkrb5_la-constants.lo \
+	libkrb5_la-context.lo libkrb5_la-copy_host_realm.lo \
+	libkrb5_la-crc.lo libkrb5_la-creds.lo libkrb5_la-crypto.lo \
+	libkrb5_la-doxygen.lo libkrb5_la-data.lo libkrb5_la-digest.lo \
+	libkrb5_la-eai_to_heim_errno.lo libkrb5_la-error_string.lo \
+	libkrb5_la-expand_hostname.lo libkrb5_la-fcache.lo \
+	libkrb5_la-free.lo libkrb5_la-free_host_realm.lo \
+	libkrb5_la-generate_seq_number.lo \
+	libkrb5_la-generate_subkey.lo libkrb5_la-get_addrs.lo \
+	libkrb5_la-get_cred.lo libkrb5_la-get_default_principal.lo \
+	libkrb5_la-get_default_realm.lo libkrb5_la-get_for_creds.lo \
+	libkrb5_la-get_host_realm.lo libkrb5_la-get_in_tkt.lo \
+	libkrb5_la-get_in_tkt_pw.lo \
+	libkrb5_la-get_in_tkt_with_keytab.lo \
+	libkrb5_la-get_in_tkt_with_skey.lo libkrb5_la-get_port.lo \
+	libkrb5_la-init_creds.lo libkrb5_la-init_creds_pw.lo \
+	libkrb5_la-kcm.lo libkrb5_la-keyblock.lo libkrb5_la-keytab.lo \
+	libkrb5_la-keytab_any.lo libkrb5_la-keytab_file.lo \
+	libkrb5_la-keytab_keyfile.lo libkrb5_la-keytab_krb4.lo \
+	libkrb5_la-keytab_memory.lo libkrb5_la-krbhst.lo \
+	libkrb5_la-kuserok.lo libkrb5_la-log.lo libkrb5_la-mcache.lo \
+	libkrb5_la-misc.lo libkrb5_la-mk_error.lo \
+	libkrb5_la-mk_priv.lo libkrb5_la-mk_rep.lo \
+	libkrb5_la-mk_req.lo libkrb5_la-mk_req_ext.lo \
+	libkrb5_la-mk_safe.lo libkrb5_la-mit_glue.lo \
+	libkrb5_la-net_read.lo libkrb5_la-net_write.lo \
+	libkrb5_la-n-fold.lo libkrb5_la-pac.lo libkrb5_la-padata.lo \
+	libkrb5_la-pkinit.lo libkrb5_la-principal.lo \
+	libkrb5_la-prog_setup.lo libkrb5_la-prompter_posix.lo \
+	libkrb5_la-rd_cred.lo libkrb5_la-rd_error.lo \
+	libkrb5_la-rd_priv.lo libkrb5_la-rd_rep.lo \
+	libkrb5_la-rd_req.lo libkrb5_la-rd_safe.lo \
+	libkrb5_la-read_message.lo libkrb5_la-recvauth.lo \
+	libkrb5_la-replay.lo libkrb5_la-send_to_kdc.lo \
+	libkrb5_la-sendauth.lo libkrb5_la-set_default_realm.lo \
+	libkrb5_la-sock_principal.lo libkrb5_la-store.lo \
+	libkrb5_la-store_emem.lo libkrb5_la-store_fd.lo \
+	libkrb5_la-store_mem.lo libkrb5_la-plugin.lo \
+	libkrb5_la-ticket.lo libkrb5_la-time.lo \
+	libkrb5_la-transited.lo libkrb5_la-v4_glue.lo \
+	libkrb5_la-verify_init.lo libkrb5_la-verify_user.lo \
+	libkrb5_la-version.lo libkrb5_la-warn.lo \
+	libkrb5_la-write_message.lo
+am__objects_1 = libkrb5_la-krb5_err.lo libkrb5_la-krb_err.lo \
+	libkrb5_la-heim_err.lo libkrb5_la-k524_err.lo
+nodist_libkrb5_la_OBJECTS = $(am__objects_1)
+libkrb5_la_OBJECTS = $(dist_libkrb5_la_OBJECTS) \
+	$(nodist_libkrb5_la_OBJECTS)
+libkrb5_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libkrb5_la_LDFLAGS) $(LDFLAGS) -o $@
 binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
-am__EXEEXT_1 = aes-test$(EXEEXT) n-fold-test$(EXEEXT) \
-	string-to-key-test$(EXEEXT) derived-key-test$(EXEEXT) \
-	store-test$(EXEEXT) parse-name-test$(EXEEXT) test_cc$(EXEEXT) \
-	name-45-test$(EXEEXT)
+am__EXEEXT_1 = aes-test$(EXEEXT) derived-key-test$(EXEEXT) \
+	n-fold-test$(EXEEXT) name-45-test$(EXEEXT) \
+	parse-name-test$(EXEEXT) store-test$(EXEEXT) \
+	string-to-key-test$(EXEEXT) test_acl$(EXEEXT) \
+	test_addr$(EXEEXT) test_cc$(EXEEXT) test_config$(EXEEXT) \
+	test_prf$(EXEEXT) test_store$(EXEEXT) \
+	test_crypto_wrapping$(EXEEXT) test_keytab$(EXEEXT) \
+	test_mem$(EXEEXT) test_pac$(EXEEXT) test_plugin$(EXEEXT) \
+	test_princ$(EXEEXT) test_pkinit_dh2key$(EXEEXT) \
+	test_time$(EXEEXT)
 PROGRAMS = $(bin_PROGRAMS) $(noinst_PROGRAMS)
 aes_test_SOURCES = aes-test.c
 aes_test_OBJECTS = aes-test.$(OBJEXT)
@@ -146,11 +206,6 @@ derived_key_test_OBJECTS = derived-key-test.$(OBJEXT)
 derived_key_test_LDADD = $(LDADD)
 derived_key_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
 	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
-dump_config_SOURCES = dump_config.c
-dump_config_OBJECTS = dump_config.$(OBJEXT)
-dump_config_LDADD = $(LDADD)
-dump_config_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
-	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
 krbhst_test_SOURCES = krbhst-test.c
 krbhst_test_OBJECTS = krbhst-test.$(OBJEXT)
 krbhst_test_LDADD = $(LDADD)
@@ -181,6 +236,16 @@ string_to_key_test_OBJECTS = string-to-key-test.$(OBJEXT)
 string_to_key_test_LDADD = $(LDADD)
 string_to_key_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
 	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+test_acl_SOURCES = test_acl.c
+test_acl_OBJECTS = test_acl.$(OBJEXT)
+test_acl_LDADD = $(LDADD)
+test_acl_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+test_addr_SOURCES = test_addr.c
+test_addr_OBJECTS = test_addr.$(OBJEXT)
+test_addr_LDADD = $(LDADD)
+test_addr_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
 test_alname_SOURCES = test_alname.c
 test_alname_OBJECTS = test_alname.$(OBJEXT)
 test_alname_LDADD = $(LDADD)
@@ -191,52 +256,140 @@ test_cc_OBJECTS = test_cc.$(OBJEXT)
 test_cc_LDADD = $(LDADD)
 test_cc_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
 	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+test_config_SOURCES = test_config.c
+test_config_OBJECTS = test_config.$(OBJEXT)
+test_config_LDADD = $(LDADD)
+test_config_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+test_crypto_SOURCES = test_crypto.c
+test_crypto_OBJECTS = test_crypto.$(OBJEXT)
+test_crypto_LDADD = $(LDADD)
+test_crypto_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+test_crypto_wrapping_SOURCES = test_crypto_wrapping.c
+test_crypto_wrapping_OBJECTS = test_crypto_wrapping.$(OBJEXT)
+test_crypto_wrapping_LDADD = $(LDADD)
+test_crypto_wrapping_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+test_forward_SOURCES = test_forward.c
+test_forward_OBJECTS = test_forward.$(OBJEXT)
+test_forward_LDADD = $(LDADD)
+test_forward_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
 test_get_addrs_SOURCES = test_get_addrs.c
 test_get_addrs_OBJECTS = test_get_addrs.$(OBJEXT)
 test_get_addrs_LDADD = $(LDADD)
 test_get_addrs_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
 	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+test_hostname_SOURCES = test_hostname.c
+test_hostname_OBJECTS = test_hostname.$(OBJEXT)
+test_hostname_LDADD = $(LDADD)
+test_hostname_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+test_keytab_SOURCES = test_keytab.c
+test_keytab_OBJECTS = test_keytab.$(OBJEXT)
+test_keytab_LDADD = $(LDADD)
+test_keytab_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+test_kuserok_SOURCES = test_kuserok.c
+test_kuserok_OBJECTS = test_kuserok.$(OBJEXT)
+test_kuserok_LDADD = $(LDADD)
+test_kuserok_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+test_mem_SOURCES = test_mem.c
+test_mem_OBJECTS = test_mem.$(OBJEXT)
+test_mem_LDADD = $(LDADD)
+test_mem_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+test_pac_SOURCES = test_pac.c
+test_pac_OBJECTS = test_pac.$(OBJEXT)
+test_pac_LDADD = $(LDADD)
+test_pac_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+test_pkinit_dh2key_SOURCES = test_pkinit_dh2key.c
+test_pkinit_dh2key_OBJECTS = test_pkinit_dh2key.$(OBJEXT)
+test_pkinit_dh2key_LDADD = $(LDADD)
+test_pkinit_dh2key_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+test_plugin_SOURCES = test_plugin.c
+test_plugin_OBJECTS = test_plugin.$(OBJEXT)
+test_plugin_LDADD = $(LDADD)
+test_plugin_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+test_prf_SOURCES = test_prf.c
+test_prf_OBJECTS = test_prf.$(OBJEXT)
+test_prf_LDADD = $(LDADD)
+test_prf_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+test_princ_SOURCES = test_princ.c
+test_princ_OBJECTS = test_princ.$(OBJEXT)
+test_princ_LDADD = $(LDADD)
+test_princ_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+test_renew_SOURCES = test_renew.c
+test_renew_OBJECTS = test_renew.$(OBJEXT)
+test_renew_LDADD = $(LDADD)
+test_renew_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+test_store_SOURCES = test_store.c
+test_store_OBJECTS = test_store.$(OBJEXT)
+test_store_LDADD = $(LDADD)
+test_store_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
+test_time_SOURCES = test_time.c
+test_time_OBJECTS = test_time.$(OBJEXT)
+test_time_LDADD = $(LDADD)
+test_time_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
+	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
 verify_krb5_conf_SOURCES = verify_krb5_conf.c
 verify_krb5_conf_OBJECTS = verify_krb5_conf.$(OBJEXT)
 verify_krb5_conf_LDADD = $(LDADD)
 verify_krb5_conf_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
 	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
-SOURCES = $(libkrb5_la_SOURCES) aes-test.c derived-key-test.c \
-	dump_config.c krbhst-test.c n-fold-test.c name-45-test.c \
-	parse-name-test.c store-test.c string-to-key-test.c \
-	test_alname.c test_cc.c test_get_addrs.c verify_krb5_conf.c
-DIST_SOURCES = $(libkrb5_la_SOURCES) aes-test.c derived-key-test.c \
-	dump_config.c krbhst-test.c n-fold-test.c name-45-test.c \
-	parse-name-test.c store-test.c string-to-key-test.c \
-	test_alname.c test_cc.c test_get_addrs.c verify_krb5_conf.c
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(dist_libkrb5_la_SOURCES) $(nodist_libkrb5_la_SOURCES) \
+	aes-test.c derived-key-test.c krbhst-test.c n-fold-test.c \
+	name-45-test.c parse-name-test.c store-test.c \
+	string-to-key-test.c test_acl.c test_addr.c test_alname.c \
+	test_cc.c test_config.c test_crypto.c test_crypto_wrapping.c \
+	test_forward.c test_get_addrs.c test_hostname.c test_keytab.c \
+	test_kuserok.c test_mem.c test_pac.c test_pkinit_dh2key.c \
+	test_plugin.c test_prf.c test_princ.c test_renew.c \
+	test_store.c test_time.c verify_krb5_conf.c
+DIST_SOURCES = $(dist_libkrb5_la_SOURCES) aes-test.c \
+	derived-key-test.c krbhst-test.c n-fold-test.c name-45-test.c \
+	parse-name-test.c store-test.c string-to-key-test.c test_acl.c \
+	test_addr.c test_alname.c test_cc.c test_config.c \
+	test_crypto.c test_crypto_wrapping.c test_forward.c \
+	test_get_addrs.c test_hostname.c test_keytab.c test_kuserok.c \
+	test_mem.c test_pac.c test_pkinit_dh2key.c test_plugin.c \
+	test_prf.c test_princ.c test_renew.c test_store.c test_time.c \
+	verify_krb5_conf.c
 man3dir = $(mandir)/man3
 man5dir = $(mandir)/man5
 man8dir = $(mandir)/man8
 MANS = $(man_MANS)
-includeHEADERS_INSTALL = $(INSTALL_HEADER)
-HEADERS = $(include_HEADERS)
+dist_includeHEADERS_INSTALL = $(INSTALL_HEADER)
+krb5HEADERS_INSTALL = $(INSTALL_HEADER)
+nodist_includeHEADERS_INSTALL = $(INSTALL_HEADER)
+HEADERS = $(dist_include_HEADERS) $(krb5_HEADERS) \
+	$(nodist_include_HEADERS)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -246,8 +399,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -258,11 +409,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -270,42 +420,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -323,12 +458,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -338,15 +470,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -355,6 +486,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -366,15 +498,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -382,74 +509,81 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(INCLUDE_des) -I../com_err -I$(srcdir)/../com_err
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	$(INCLUDE_krb4) $(INCLUDE_hcrypto) -I../com_err \
+	-I$(srcdir)/../com_err
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -466,31 +600,28 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
-TESTS = \
-	aes-test				\
-	n-fold-test				\
-	string-to-key-test			\
-	derived-key-test			\
-	store-test				\
-	parse-name-test				\
-	test_cc					\
-	name-45-test
-
 LDADD = libkrb5.la \
-	$(LIB_des) \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken)
 
+@PKINIT_TRUE@LIB_pkinit = ../hx509/libhx509.la
 libkrb5_la_LIBADD = \
-	../com_err/error.lo ../com_err/com_err.lo \
-	$(LIB_des) \
+	$(LIB_pkinit) \
+	$(LIB_com_err) \
+	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
-	$(LIB_roken)
+	$(LIBADD_roken) \
+	$(LIB_door_create) \
+	$(LIB_dlopen)
 
 lib_LTLIBRARIES = libkrb5.la
-ERR_FILES = krb5_err.c heim_err.c k524_err.c
-libkrb5_la_SOURCES = \
+ERR_FILES = krb5_err.c krb_err.c heim_err.c k524_err.c
+libkrb5_la_CPPFLAGS = -DBUILD_KRB5_LIB $(AM_CPPFLAGS)
+dist_libkrb5_la_SOURCES = \
+	acache.c				\
 	acl.c					\
 	add_et_list.c				\
 	addr_families.c				\
@@ -512,7 +643,9 @@ libkrb5_la_SOURCES = \
 	crc.c					\
 	creds.c					\
 	crypto.c				\
+	doxygen.c				\
 	data.c					\
+	digest.c				\
 	eai_to_heim_errno.c			\
 	error_string.c				\
 	expand_hostname.c			\
@@ -532,15 +665,20 @@ libkrb5_la_SOURCES = \
 	get_in_tkt_with_keytab.c		\
 	get_in_tkt_with_skey.c			\
 	get_port.c				\
+	heim_threads.h				\
 	init_creds.c				\
 	init_creds_pw.c				\
+	kcm.c					\
+	kcm.h					\
 	keyblock.c				\
 	keytab.c				\
 	keytab_any.c				\
 	keytab_file.c				\
-	keytab_memory.c				\
 	keytab_keyfile.c			\
 	keytab_krb4.c				\
+	keytab_memory.c				\
+	krb5_locl.h				\
+	krb5-v4compat.h				\
 	krbhst.c				\
 	kuserok.c				\
 	log.c					\
@@ -552,10 +690,13 @@ libkrb5_la_SOURCES = \
 	mk_req.c				\
 	mk_req_ext.c				\
 	mk_safe.c				\
+	mit_glue.c				\
 	net_read.c				\
 	net_write.c				\
 	n-fold.c				\
+	pac.c					\
 	padata.c				\
+	pkinit.c				\
 	principal.c				\
 	prog_setup.c				\
 	prompter_posix.c			\
@@ -577,62 +718,117 @@ libkrb5_la_SOURCES = \
 	store_emem.c				\
 	store_fd.c				\
 	store_mem.c				\
+	plugin.c				\
 	ticket.c				\
 	time.c					\
 	transited.c				\
+	v4_glue.c				\
 	verify_init.c				\
 	verify_user.c				\
 	version.c				\
 	warn.c					\
-	write_message.c				\
-	$(ERR_FILES)
+	write_message.c
 
-libkrb5_la_LDFLAGS = -version-info 20:0:3
+nodist_libkrb5_la_SOURCES = \
+	$(ERR_FILES)
 
-#libkrb5_la_LIBADD = ../com_err/error.lo ../com_err/com_err.lo
+libkrb5_la_LDFLAGS = -version-info 24:0:0 $(am__append_1)
 man_MANS = \
 	kerberos.8				\
 	krb5.3					\
 	krb5.conf.5				\
+	krb524_convert_creds_kdc.3		\
 	krb5_425_conv_principal.3		\
+	krb5_acl_match_file.3			\
 	krb5_address.3				\
 	krb5_aname_to_localname.3		\
 	krb5_appdefault.3			\
 	krb5_auth_context.3			\
-	krb5_build_principal.3			\
+	krb5_c_make_checksum.3			\
 	krb5_ccache.3				\
+	krb5_check_transited.3			\
+	krb5_compare_creds.3			\
 	krb5_config.3				\
 	krb5_context.3				\
 	krb5_create_checksum.3			\
+	krb5_creds.3				\
 	krb5_crypto_init.3			\
 	krb5_data.3				\
+	krb5_digest.3				\
+	krb5_eai_to_heim_errno.3		\
 	krb5_encrypt.3				\
-	krb5_free_addresses.3			\
-	krb5_free_principal.3			\
+	krb5_expand_hostname.3			\
+	krb5_find_padata.3			\
+	krb5_generate_random_block.3		\
 	krb5_get_all_client_addrs.3		\
+	krb5_get_credentials.3			\
+	krb5_get_creds.3			\
+	krb5_get_forwarded_creds.3		\
+	krb5_get_in_cred.3			\
+	krb5_get_init_creds.3			\
 	krb5_get_krbhst.3			\
+	krb5_getportbyname.3			\
 	krb5_init_context.3			\
+	krb5_is_thread_safe.3			\
+	krb5_keyblock.3				\
 	krb5_keytab.3				\
 	krb5_krbhst_init.3			\
 	krb5_kuserok.3				\
+	krb5_mk_req.3				\
+	krb5_mk_safe.3				\
 	krb5_openlog.3				\
 	krb5_parse_name.3			\
-	krb5_principal_get_realm.3		\
+	krb5_principal.3			\
+	krb5_rcache.3				\
+	krb5_rd_error.3				\
+	krb5_rd_safe.3				\
 	krb5_set_default_realm.3		\
 	krb5_set_password.3			\
-	krb5_sname_to_principal.3		\
+	krb5_storage.3				\
+	krb5_string_to_key.3			\
+	krb5_ticket.3				\
 	krb5_timeofday.3			\
 	krb5_unparse_name.3			\
+	krb5_verify_init_creds.3		\
 	krb5_verify_user.3			\
 	krb5_warn.3				\
 	verify_krb5_conf.8
 
-include_HEADERS = krb5.h krb5-protos.h krb5-private.h krb5_err.h heim_err.h k524_err.h
-CLEANFILES = krb5_err.c krb5_err.h heim_err.c heim_err.h k524_err.c k524_err.h
+dist_include_HEADERS = \
+	krb5.h \
+	krb5-protos.h \
+	krb5-private.h \
+	krb5_ccapi.h
+
+nodist_include_HEADERS = krb5_err.h heim_err.h k524_err.h 
+
+# XXX use nobase_include_HEADERS = krb5/locate_plugin.h
+krb5dir = $(includedir)/krb5
+krb5_HEADERS = locate_plugin.h
+build_HEADERZ = \
+	heim_threads.h \
+	$(krb5_HEADERS) \
+	krb_err.h
+
+CLEANFILES = \
+	krb5_err.c krb5_err.h \
+	krb_err.c krb_err.h \
+	heim_err.c heim_err.h \
+	k524_err.c k524_err.h
+
+EXTRA_DIST = \
+	krb5_err.et \
+	krb_err.et \
+	heim_err.et \
+	k524_err.et \
+	$(man_MANS) \
+	version-script.map \
+	krb5.moduli
+
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -664,10 +860,10 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)"
+	test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    f="`echo $$p | sed -e 's|^.*/||'`"; \
+	    f=$(am__strip_dir) \
 	    echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \
 	    $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \
 	  else :; fi; \
@@ -676,7 +872,7 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 uninstall-libLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
-	    p="`echo $$p | sed -e 's|^.*/||'`"; \
+	  p=$(am__strip_dir) \
 	  echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \
 	  $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \
 	done
@@ -685,15 +881,15 @@ clean-libLTLIBRARIES:
 	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" = "$$p" && dir=.; \
+	  test "$$dir" != "$$p" || dir=.; \
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
 libkrb5.la: $(libkrb5_la_OBJECTS) $(libkrb5_la_DEPENDENCIES) 
-	$(LINK) -rpath $(libdir) $(libkrb5_la_LDFLAGS) $(libkrb5_la_OBJECTS) $(libkrb5_la_LIBADD) $(LIBS)
+	$(libkrb5_la_LINK) -rpath $(libdir) $(libkrb5_la_OBJECTS) $(libkrb5_la_LIBADD) $(LIBS)
 install-binPROGRAMS: $(bin_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)"
+	test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
 	@list='$(bin_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -735,43 +931,94 @@ clean-noinstPROGRAMS:
 	done
 aes-test$(EXEEXT): $(aes_test_OBJECTS) $(aes_test_DEPENDENCIES) 
 	@rm -f aes-test$(EXEEXT)
-	$(LINK) $(aes_test_LDFLAGS) $(aes_test_OBJECTS) $(aes_test_LDADD) $(LIBS)
+	$(LINK) $(aes_test_OBJECTS) $(aes_test_LDADD) $(LIBS)
 derived-key-test$(EXEEXT): $(derived_key_test_OBJECTS) $(derived_key_test_DEPENDENCIES) 
 	@rm -f derived-key-test$(EXEEXT)
-	$(LINK) $(derived_key_test_LDFLAGS) $(derived_key_test_OBJECTS) $(derived_key_test_LDADD) $(LIBS)
-dump_config$(EXEEXT): $(dump_config_OBJECTS) $(dump_config_DEPENDENCIES) 
-	@rm -f dump_config$(EXEEXT)
-	$(LINK) $(dump_config_LDFLAGS) $(dump_config_OBJECTS) $(dump_config_LDADD) $(LIBS)
+	$(LINK) $(derived_key_test_OBJECTS) $(derived_key_test_LDADD) $(LIBS)
 krbhst-test$(EXEEXT): $(krbhst_test_OBJECTS) $(krbhst_test_DEPENDENCIES) 
 	@rm -f krbhst-test$(EXEEXT)
-	$(LINK) $(krbhst_test_LDFLAGS) $(krbhst_test_OBJECTS) $(krbhst_test_LDADD) $(LIBS)
+	$(LINK) $(krbhst_test_OBJECTS) $(krbhst_test_LDADD) $(LIBS)
 n-fold-test$(EXEEXT): $(n_fold_test_OBJECTS) $(n_fold_test_DEPENDENCIES) 
 	@rm -f n-fold-test$(EXEEXT)
-	$(LINK) $(n_fold_test_LDFLAGS) $(n_fold_test_OBJECTS) $(n_fold_test_LDADD) $(LIBS)
+	$(LINK) $(n_fold_test_OBJECTS) $(n_fold_test_LDADD) $(LIBS)
 name-45-test$(EXEEXT): $(name_45_test_OBJECTS) $(name_45_test_DEPENDENCIES) 
 	@rm -f name-45-test$(EXEEXT)
-	$(LINK) $(name_45_test_LDFLAGS) $(name_45_test_OBJECTS) $(name_45_test_LDADD) $(LIBS)
+	$(LINK) $(name_45_test_OBJECTS) $(name_45_test_LDADD) $(LIBS)
 parse-name-test$(EXEEXT): $(parse_name_test_OBJECTS) $(parse_name_test_DEPENDENCIES) 
 	@rm -f parse-name-test$(EXEEXT)
-	$(LINK) $(parse_name_test_LDFLAGS) $(parse_name_test_OBJECTS) $(parse_name_test_LDADD) $(LIBS)
+	$(LINK) $(parse_name_test_OBJECTS) $(parse_name_test_LDADD) $(LIBS)
 store-test$(EXEEXT): $(store_test_OBJECTS) $(store_test_DEPENDENCIES) 
 	@rm -f store-test$(EXEEXT)
-	$(LINK) $(store_test_LDFLAGS) $(store_test_OBJECTS) $(store_test_LDADD) $(LIBS)
+	$(LINK) $(store_test_OBJECTS) $(store_test_LDADD) $(LIBS)
 string-to-key-test$(EXEEXT): $(string_to_key_test_OBJECTS) $(string_to_key_test_DEPENDENCIES) 
 	@rm -f string-to-key-test$(EXEEXT)
-	$(LINK) $(string_to_key_test_LDFLAGS) $(string_to_key_test_OBJECTS) $(string_to_key_test_LDADD) $(LIBS)
+	$(LINK) $(string_to_key_test_OBJECTS) $(string_to_key_test_LDADD) $(LIBS)
+test_acl$(EXEEXT): $(test_acl_OBJECTS) $(test_acl_DEPENDENCIES) 
+	@rm -f test_acl$(EXEEXT)
+	$(LINK) $(test_acl_OBJECTS) $(test_acl_LDADD) $(LIBS)
+test_addr$(EXEEXT): $(test_addr_OBJECTS) $(test_addr_DEPENDENCIES) 
+	@rm -f test_addr$(EXEEXT)
+	$(LINK) $(test_addr_OBJECTS) $(test_addr_LDADD) $(LIBS)
 test_alname$(EXEEXT): $(test_alname_OBJECTS) $(test_alname_DEPENDENCIES) 
 	@rm -f test_alname$(EXEEXT)
-	$(LINK) $(test_alname_LDFLAGS) $(test_alname_OBJECTS) $(test_alname_LDADD) $(LIBS)
+	$(LINK) $(test_alname_OBJECTS) $(test_alname_LDADD) $(LIBS)
 test_cc$(EXEEXT): $(test_cc_OBJECTS) $(test_cc_DEPENDENCIES) 
 	@rm -f test_cc$(EXEEXT)
-	$(LINK) $(test_cc_LDFLAGS) $(test_cc_OBJECTS) $(test_cc_LDADD) $(LIBS)
+	$(LINK) $(test_cc_OBJECTS) $(test_cc_LDADD) $(LIBS)
+test_config$(EXEEXT): $(test_config_OBJECTS) $(test_config_DEPENDENCIES) 
+	@rm -f test_config$(EXEEXT)
+	$(LINK) $(test_config_OBJECTS) $(test_config_LDADD) $(LIBS)
+test_crypto$(EXEEXT): $(test_crypto_OBJECTS) $(test_crypto_DEPENDENCIES) 
+	@rm -f test_crypto$(EXEEXT)
+	$(LINK) $(test_crypto_OBJECTS) $(test_crypto_LDADD) $(LIBS)
+test_crypto_wrapping$(EXEEXT): $(test_crypto_wrapping_OBJECTS) $(test_crypto_wrapping_DEPENDENCIES) 
+	@rm -f test_crypto_wrapping$(EXEEXT)
+	$(LINK) $(test_crypto_wrapping_OBJECTS) $(test_crypto_wrapping_LDADD) $(LIBS)
+test_forward$(EXEEXT): $(test_forward_OBJECTS) $(test_forward_DEPENDENCIES) 
+	@rm -f test_forward$(EXEEXT)
+	$(LINK) $(test_forward_OBJECTS) $(test_forward_LDADD) $(LIBS)
 test_get_addrs$(EXEEXT): $(test_get_addrs_OBJECTS) $(test_get_addrs_DEPENDENCIES) 
 	@rm -f test_get_addrs$(EXEEXT)
-	$(LINK) $(test_get_addrs_LDFLAGS) $(test_get_addrs_OBJECTS) $(test_get_addrs_LDADD) $(LIBS)
+	$(LINK) $(test_get_addrs_OBJECTS) $(test_get_addrs_LDADD) $(LIBS)
+test_hostname$(EXEEXT): $(test_hostname_OBJECTS) $(test_hostname_DEPENDENCIES) 
+	@rm -f test_hostname$(EXEEXT)
+	$(LINK) $(test_hostname_OBJECTS) $(test_hostname_LDADD) $(LIBS)
+test_keytab$(EXEEXT): $(test_keytab_OBJECTS) $(test_keytab_DEPENDENCIES) 
+	@rm -f test_keytab$(EXEEXT)
+	$(LINK) $(test_keytab_OBJECTS) $(test_keytab_LDADD) $(LIBS)
+test_kuserok$(EXEEXT): $(test_kuserok_OBJECTS) $(test_kuserok_DEPENDENCIES) 
+	@rm -f test_kuserok$(EXEEXT)
+	$(LINK) $(test_kuserok_OBJECTS) $(test_kuserok_LDADD) $(LIBS)
+test_mem$(EXEEXT): $(test_mem_OBJECTS) $(test_mem_DEPENDENCIES) 
+	@rm -f test_mem$(EXEEXT)
+	$(LINK) $(test_mem_OBJECTS) $(test_mem_LDADD) $(LIBS)
+test_pac$(EXEEXT): $(test_pac_OBJECTS) $(test_pac_DEPENDENCIES) 
+	@rm -f test_pac$(EXEEXT)
+	$(LINK) $(test_pac_OBJECTS) $(test_pac_LDADD) $(LIBS)
+test_pkinit_dh2key$(EXEEXT): $(test_pkinit_dh2key_OBJECTS) $(test_pkinit_dh2key_DEPENDENCIES) 
+	@rm -f test_pkinit_dh2key$(EXEEXT)
+	$(LINK) $(test_pkinit_dh2key_OBJECTS) $(test_pkinit_dh2key_LDADD) $(LIBS)
+test_plugin$(EXEEXT): $(test_plugin_OBJECTS) $(test_plugin_DEPENDENCIES) 
+	@rm -f test_plugin$(EXEEXT)
+	$(LINK) $(test_plugin_OBJECTS) $(test_plugin_LDADD) $(LIBS)
+test_prf$(EXEEXT): $(test_prf_OBJECTS) $(test_prf_DEPENDENCIES) 
+	@rm -f test_prf$(EXEEXT)
+	$(LINK) $(test_prf_OBJECTS) $(test_prf_LDADD) $(LIBS)
+test_princ$(EXEEXT): $(test_princ_OBJECTS) $(test_princ_DEPENDENCIES) 
+	@rm -f test_princ$(EXEEXT)
+	$(LINK) $(test_princ_OBJECTS) $(test_princ_LDADD) $(LIBS)
+test_renew$(EXEEXT): $(test_renew_OBJECTS) $(test_renew_DEPENDENCIES) 
+	@rm -f test_renew$(EXEEXT)
+	$(LINK) $(test_renew_OBJECTS) $(test_renew_LDADD) $(LIBS)
+test_store$(EXEEXT): $(test_store_OBJECTS) $(test_store_DEPENDENCIES) 
+	@rm -f test_store$(EXEEXT)
+	$(LINK) $(test_store_OBJECTS) $(test_store_LDADD) $(LIBS)
+test_time$(EXEEXT): $(test_time_OBJECTS) $(test_time_DEPENDENCIES) 
+	@rm -f test_time$(EXEEXT)
+	$(LINK) $(test_time_OBJECTS) $(test_time_LDADD) $(LIBS)
 verify_krb5_conf$(EXEEXT): $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_DEPENDENCIES) 
 	@rm -f verify_krb5_conf$(EXEEXT)
-	$(LINK) $(verify_krb5_conf_LDFLAGS) $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_LDADD) $(LIBS)
+	$(LINK) $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -788,18 +1035,332 @@ distclean-compile:
 .c.lo:
 	$(LTCOMPILE) -c -o $@ $<
 
+libkrb5_la-acache.lo: acache.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-acache.lo `test -f 'acache.c' || echo '$(srcdir)/'`acache.c
+
+libkrb5_la-acl.lo: acl.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-acl.lo `test -f 'acl.c' || echo '$(srcdir)/'`acl.c
+
+libkrb5_la-add_et_list.lo: add_et_list.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-add_et_list.lo `test -f 'add_et_list.c' || echo '$(srcdir)/'`add_et_list.c
+
+libkrb5_la-addr_families.lo: addr_families.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-addr_families.lo `test -f 'addr_families.c' || echo '$(srcdir)/'`addr_families.c
+
+libkrb5_la-aname_to_localname.lo: aname_to_localname.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-aname_to_localname.lo `test -f 'aname_to_localname.c' || echo '$(srcdir)/'`aname_to_localname.c
+
+libkrb5_la-appdefault.lo: appdefault.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-appdefault.lo `test -f 'appdefault.c' || echo '$(srcdir)/'`appdefault.c
+
+libkrb5_la-asn1_glue.lo: asn1_glue.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-asn1_glue.lo `test -f 'asn1_glue.c' || echo '$(srcdir)/'`asn1_glue.c
+
+libkrb5_la-auth_context.lo: auth_context.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-auth_context.lo `test -f 'auth_context.c' || echo '$(srcdir)/'`auth_context.c
+
+libkrb5_la-build_ap_req.lo: build_ap_req.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-build_ap_req.lo `test -f 'build_ap_req.c' || echo '$(srcdir)/'`build_ap_req.c
+
+libkrb5_la-build_auth.lo: build_auth.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-build_auth.lo `test -f 'build_auth.c' || echo '$(srcdir)/'`build_auth.c
+
+libkrb5_la-cache.lo: cache.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-cache.lo `test -f 'cache.c' || echo '$(srcdir)/'`cache.c
+
+libkrb5_la-changepw.lo: changepw.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-changepw.lo `test -f 'changepw.c' || echo '$(srcdir)/'`changepw.c
+
+libkrb5_la-codec.lo: codec.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-codec.lo `test -f 'codec.c' || echo '$(srcdir)/'`codec.c
+
+libkrb5_la-config_file.lo: config_file.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-config_file.lo `test -f 'config_file.c' || echo '$(srcdir)/'`config_file.c
+
+libkrb5_la-config_file_netinfo.lo: config_file_netinfo.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-config_file_netinfo.lo `test -f 'config_file_netinfo.c' || echo '$(srcdir)/'`config_file_netinfo.c
+
+libkrb5_la-convert_creds.lo: convert_creds.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-convert_creds.lo `test -f 'convert_creds.c' || echo '$(srcdir)/'`convert_creds.c
+
+libkrb5_la-constants.lo: constants.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-constants.lo `test -f 'constants.c' || echo '$(srcdir)/'`constants.c
+
+libkrb5_la-context.lo: context.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-context.lo `test -f 'context.c' || echo '$(srcdir)/'`context.c
+
+libkrb5_la-copy_host_realm.lo: copy_host_realm.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-copy_host_realm.lo `test -f 'copy_host_realm.c' || echo '$(srcdir)/'`copy_host_realm.c
+
+libkrb5_la-crc.lo: crc.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crc.lo `test -f 'crc.c' || echo '$(srcdir)/'`crc.c
+
+libkrb5_la-creds.lo: creds.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-creds.lo `test -f 'creds.c' || echo '$(srcdir)/'`creds.c
+
+libkrb5_la-crypto.lo: crypto.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto.lo `test -f 'crypto.c' || echo '$(srcdir)/'`crypto.c
+
+libkrb5_la-doxygen.lo: doxygen.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-doxygen.lo `test -f 'doxygen.c' || echo '$(srcdir)/'`doxygen.c
+
+libkrb5_la-data.lo: data.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-data.lo `test -f 'data.c' || echo '$(srcdir)/'`data.c
+
+libkrb5_la-digest.lo: digest.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-digest.lo `test -f 'digest.c' || echo '$(srcdir)/'`digest.c
+
+libkrb5_la-eai_to_heim_errno.lo: eai_to_heim_errno.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-eai_to_heim_errno.lo `test -f 'eai_to_heim_errno.c' || echo '$(srcdir)/'`eai_to_heim_errno.c
+
+libkrb5_la-error_string.lo: error_string.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-error_string.lo `test -f 'error_string.c' || echo '$(srcdir)/'`error_string.c
+
+libkrb5_la-expand_hostname.lo: expand_hostname.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-expand_hostname.lo `test -f 'expand_hostname.c' || echo '$(srcdir)/'`expand_hostname.c
+
+libkrb5_la-fcache.lo: fcache.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-fcache.lo `test -f 'fcache.c' || echo '$(srcdir)/'`fcache.c
+
+libkrb5_la-free.lo: free.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-free.lo `test -f 'free.c' || echo '$(srcdir)/'`free.c
+
+libkrb5_la-free_host_realm.lo: free_host_realm.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-free_host_realm.lo `test -f 'free_host_realm.c' || echo '$(srcdir)/'`free_host_realm.c
+
+libkrb5_la-generate_seq_number.lo: generate_seq_number.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-generate_seq_number.lo `test -f 'generate_seq_number.c' || echo '$(srcdir)/'`generate_seq_number.c
+
+libkrb5_la-generate_subkey.lo: generate_subkey.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-generate_subkey.lo `test -f 'generate_subkey.c' || echo '$(srcdir)/'`generate_subkey.c
+
+libkrb5_la-get_addrs.lo: get_addrs.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_addrs.lo `test -f 'get_addrs.c' || echo '$(srcdir)/'`get_addrs.c
+
+libkrb5_la-get_cred.lo: get_cred.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_cred.lo `test -f 'get_cred.c' || echo '$(srcdir)/'`get_cred.c
+
+libkrb5_la-get_default_principal.lo: get_default_principal.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_default_principal.lo `test -f 'get_default_principal.c' || echo '$(srcdir)/'`get_default_principal.c
+
+libkrb5_la-get_default_realm.lo: get_default_realm.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_default_realm.lo `test -f 'get_default_realm.c' || echo '$(srcdir)/'`get_default_realm.c
+
+libkrb5_la-get_for_creds.lo: get_for_creds.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_for_creds.lo `test -f 'get_for_creds.c' || echo '$(srcdir)/'`get_for_creds.c
+
+libkrb5_la-get_host_realm.lo: get_host_realm.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_host_realm.lo `test -f 'get_host_realm.c' || echo '$(srcdir)/'`get_host_realm.c
+
+libkrb5_la-get_in_tkt.lo: get_in_tkt.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_in_tkt.lo `test -f 'get_in_tkt.c' || echo '$(srcdir)/'`get_in_tkt.c
+
+libkrb5_la-get_in_tkt_pw.lo: get_in_tkt_pw.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_in_tkt_pw.lo `test -f 'get_in_tkt_pw.c' || echo '$(srcdir)/'`get_in_tkt_pw.c
+
+libkrb5_la-get_in_tkt_with_keytab.lo: get_in_tkt_with_keytab.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_in_tkt_with_keytab.lo `test -f 'get_in_tkt_with_keytab.c' || echo '$(srcdir)/'`get_in_tkt_with_keytab.c
+
+libkrb5_la-get_in_tkt_with_skey.lo: get_in_tkt_with_skey.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_in_tkt_with_skey.lo `test -f 'get_in_tkt_with_skey.c' || echo '$(srcdir)/'`get_in_tkt_with_skey.c
+
+libkrb5_la-get_port.lo: get_port.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_port.lo `test -f 'get_port.c' || echo '$(srcdir)/'`get_port.c
+
+libkrb5_la-init_creds.lo: init_creds.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-init_creds.lo `test -f 'init_creds.c' || echo '$(srcdir)/'`init_creds.c
+
+libkrb5_la-init_creds_pw.lo: init_creds_pw.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-init_creds_pw.lo `test -f 'init_creds_pw.c' || echo '$(srcdir)/'`init_creds_pw.c
+
+libkrb5_la-kcm.lo: kcm.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-kcm.lo `test -f 'kcm.c' || echo '$(srcdir)/'`kcm.c
+
+libkrb5_la-keyblock.lo: keyblock.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keyblock.lo `test -f 'keyblock.c' || echo '$(srcdir)/'`keyblock.c
+
+libkrb5_la-keytab.lo: keytab.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab.lo `test -f 'keytab.c' || echo '$(srcdir)/'`keytab.c
+
+libkrb5_la-keytab_any.lo: keytab_any.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_any.lo `test -f 'keytab_any.c' || echo '$(srcdir)/'`keytab_any.c
+
+libkrb5_la-keytab_file.lo: keytab_file.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_file.lo `test -f 'keytab_file.c' || echo '$(srcdir)/'`keytab_file.c
+
+libkrb5_la-keytab_keyfile.lo: keytab_keyfile.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_keyfile.lo `test -f 'keytab_keyfile.c' || echo '$(srcdir)/'`keytab_keyfile.c
+
+libkrb5_la-keytab_krb4.lo: keytab_krb4.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_krb4.lo `test -f 'keytab_krb4.c' || echo '$(srcdir)/'`keytab_krb4.c
+
+libkrb5_la-keytab_memory.lo: keytab_memory.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_memory.lo `test -f 'keytab_memory.c' || echo '$(srcdir)/'`keytab_memory.c
+
+libkrb5_la-krbhst.lo: krbhst.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-krbhst.lo `test -f 'krbhst.c' || echo '$(srcdir)/'`krbhst.c
+
+libkrb5_la-kuserok.lo: kuserok.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-kuserok.lo `test -f 'kuserok.c' || echo '$(srcdir)/'`kuserok.c
+
+libkrb5_la-log.lo: log.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-log.lo `test -f 'log.c' || echo '$(srcdir)/'`log.c
+
+libkrb5_la-mcache.lo: mcache.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mcache.lo `test -f 'mcache.c' || echo '$(srcdir)/'`mcache.c
+
+libkrb5_la-misc.lo: misc.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-misc.lo `test -f 'misc.c' || echo '$(srcdir)/'`misc.c
+
+libkrb5_la-mk_error.lo: mk_error.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_error.lo `test -f 'mk_error.c' || echo '$(srcdir)/'`mk_error.c
+
+libkrb5_la-mk_priv.lo: mk_priv.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_priv.lo `test -f 'mk_priv.c' || echo '$(srcdir)/'`mk_priv.c
+
+libkrb5_la-mk_rep.lo: mk_rep.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_rep.lo `test -f 'mk_rep.c' || echo '$(srcdir)/'`mk_rep.c
+
+libkrb5_la-mk_req.lo: mk_req.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_req.lo `test -f 'mk_req.c' || echo '$(srcdir)/'`mk_req.c
+
+libkrb5_la-mk_req_ext.lo: mk_req_ext.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_req_ext.lo `test -f 'mk_req_ext.c' || echo '$(srcdir)/'`mk_req_ext.c
+
+libkrb5_la-mk_safe.lo: mk_safe.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_safe.lo `test -f 'mk_safe.c' || echo '$(srcdir)/'`mk_safe.c
+
+libkrb5_la-mit_glue.lo: mit_glue.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mit_glue.lo `test -f 'mit_glue.c' || echo '$(srcdir)/'`mit_glue.c
+
+libkrb5_la-net_read.lo: net_read.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-net_read.lo `test -f 'net_read.c' || echo '$(srcdir)/'`net_read.c
+
+libkrb5_la-net_write.lo: net_write.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-net_write.lo `test -f 'net_write.c' || echo '$(srcdir)/'`net_write.c
+
+libkrb5_la-n-fold.lo: n-fold.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-n-fold.lo `test -f 'n-fold.c' || echo '$(srcdir)/'`n-fold.c
+
+libkrb5_la-pac.lo: pac.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-pac.lo `test -f 'pac.c' || echo '$(srcdir)/'`pac.c
+
+libkrb5_la-padata.lo: padata.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-padata.lo `test -f 'padata.c' || echo '$(srcdir)/'`padata.c
+
+libkrb5_la-pkinit.lo: pkinit.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-pkinit.lo `test -f 'pkinit.c' || echo '$(srcdir)/'`pkinit.c
+
+libkrb5_la-principal.lo: principal.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-principal.lo `test -f 'principal.c' || echo '$(srcdir)/'`principal.c
+
+libkrb5_la-prog_setup.lo: prog_setup.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-prog_setup.lo `test -f 'prog_setup.c' || echo '$(srcdir)/'`prog_setup.c
+
+libkrb5_la-prompter_posix.lo: prompter_posix.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-prompter_posix.lo `test -f 'prompter_posix.c' || echo '$(srcdir)/'`prompter_posix.c
+
+libkrb5_la-rd_cred.lo: rd_cred.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_cred.lo `test -f 'rd_cred.c' || echo '$(srcdir)/'`rd_cred.c
+
+libkrb5_la-rd_error.lo: rd_error.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_error.lo `test -f 'rd_error.c' || echo '$(srcdir)/'`rd_error.c
+
+libkrb5_la-rd_priv.lo: rd_priv.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_priv.lo `test -f 'rd_priv.c' || echo '$(srcdir)/'`rd_priv.c
+
+libkrb5_la-rd_rep.lo: rd_rep.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_rep.lo `test -f 'rd_rep.c' || echo '$(srcdir)/'`rd_rep.c
+
+libkrb5_la-rd_req.lo: rd_req.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_req.lo `test -f 'rd_req.c' || echo '$(srcdir)/'`rd_req.c
+
+libkrb5_la-rd_safe.lo: rd_safe.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_safe.lo `test -f 'rd_safe.c' || echo '$(srcdir)/'`rd_safe.c
+
+libkrb5_la-read_message.lo: read_message.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-read_message.lo `test -f 'read_message.c' || echo '$(srcdir)/'`read_message.c
+
+libkrb5_la-recvauth.lo: recvauth.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-recvauth.lo `test -f 'recvauth.c' || echo '$(srcdir)/'`recvauth.c
+
+libkrb5_la-replay.lo: replay.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-replay.lo `test -f 'replay.c' || echo '$(srcdir)/'`replay.c
+
+libkrb5_la-send_to_kdc.lo: send_to_kdc.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-send_to_kdc.lo `test -f 'send_to_kdc.c' || echo '$(srcdir)/'`send_to_kdc.c
+
+libkrb5_la-sendauth.lo: sendauth.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-sendauth.lo `test -f 'sendauth.c' || echo '$(srcdir)/'`sendauth.c
+
+libkrb5_la-set_default_realm.lo: set_default_realm.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-set_default_realm.lo `test -f 'set_default_realm.c' || echo '$(srcdir)/'`set_default_realm.c
+
+libkrb5_la-sock_principal.lo: sock_principal.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-sock_principal.lo `test -f 'sock_principal.c' || echo '$(srcdir)/'`sock_principal.c
+
+libkrb5_la-store.lo: store.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store.lo `test -f 'store.c' || echo '$(srcdir)/'`store.c
+
+libkrb5_la-store_emem.lo: store_emem.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store_emem.lo `test -f 'store_emem.c' || echo '$(srcdir)/'`store_emem.c
+
+libkrb5_la-store_fd.lo: store_fd.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store_fd.lo `test -f 'store_fd.c' || echo '$(srcdir)/'`store_fd.c
+
+libkrb5_la-store_mem.lo: store_mem.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store_mem.lo `test -f 'store_mem.c' || echo '$(srcdir)/'`store_mem.c
+
+libkrb5_la-plugin.lo: plugin.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-plugin.lo `test -f 'plugin.c' || echo '$(srcdir)/'`plugin.c
+
+libkrb5_la-ticket.lo: ticket.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-ticket.lo `test -f 'ticket.c' || echo '$(srcdir)/'`ticket.c
+
+libkrb5_la-time.lo: time.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-time.lo `test -f 'time.c' || echo '$(srcdir)/'`time.c
+
+libkrb5_la-transited.lo: transited.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-transited.lo `test -f 'transited.c' || echo '$(srcdir)/'`transited.c
+
+libkrb5_la-v4_glue.lo: v4_glue.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-v4_glue.lo `test -f 'v4_glue.c' || echo '$(srcdir)/'`v4_glue.c
+
+libkrb5_la-verify_init.lo: verify_init.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-verify_init.lo `test -f 'verify_init.c' || echo '$(srcdir)/'`verify_init.c
+
+libkrb5_la-verify_user.lo: verify_user.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-verify_user.lo `test -f 'verify_user.c' || echo '$(srcdir)/'`verify_user.c
+
+libkrb5_la-version.lo: version.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-version.lo `test -f 'version.c' || echo '$(srcdir)/'`version.c
+
+libkrb5_la-warn.lo: warn.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-warn.lo `test -f 'warn.c' || echo '$(srcdir)/'`warn.c
+
+libkrb5_la-write_message.lo: write_message.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-write_message.lo `test -f 'write_message.c' || echo '$(srcdir)/'`write_message.c
+
+libkrb5_la-krb5_err.lo: krb5_err.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-krb5_err.lo `test -f 'krb5_err.c' || echo '$(srcdir)/'`krb5_err.c
+
+libkrb5_la-krb_err.lo: krb_err.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-krb_err.lo `test -f 'krb_err.c' || echo '$(srcdir)/'`krb_err.c
+
+libkrb5_la-heim_err.lo: heim_err.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-heim_err.lo `test -f 'heim_err.c' || echo '$(srcdir)/'`heim_err.c
+
+libkrb5_la-k524_err.lo: k524_err.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-k524_err.lo `test -f 'k524_err.c' || echo '$(srcdir)/'`k524_err.c
+
 mostlyclean-libtool:
 	-rm -f *.lo
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 install-man3: $(man3_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man3dir)" || $(mkdir_p) "$(DESTDIR)$(man3dir)"
+	test -z "$(man3dir)" || $(MKDIR_P) "$(DESTDIR)$(man3dir)"
 	@list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -844,7 +1405,7 @@ uninstall-man3:
 	done
 install-man5: $(man5_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man5dir)" || $(mkdir_p) "$(DESTDIR)$(man5dir)"
+	test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)"
 	@list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -889,7 +1450,7 @@ uninstall-man5:
 	done
 install-man8: $(man8_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)"
+	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
 	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -932,20 +1493,54 @@ uninstall-man8:
 	  echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
 	  rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
 	done
-install-includeHEADERS: $(include_HEADERS)
+install-dist_includeHEADERS: $(dist_include_HEADERS)
+	@$(NORMAL_INSTALL)
+	test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
+	@list='$(dist_include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  f=$(am__strip_dir) \
+	  echo " $(dist_includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
+	  $(dist_includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
+	done
+
+uninstall-dist_includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(dist_include_HEADERS)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
+	  echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(includedir)/$$f"; \
+	done
+install-krb5HEADERS: $(krb5_HEADERS)
 	@$(NORMAL_INSTALL)
-	test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)"
-	@list='$(include_HEADERS)'; for p in $$list; do \
+	test -z "$(krb5dir)" || $(MKDIR_P) "$(DESTDIR)$(krb5dir)"
+	@list='$(krb5_HEADERS)'; for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
-	  echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
-	  $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
+	  f=$(am__strip_dir) \
+	  echo " $(krb5HEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(krb5dir)/$$f'"; \
+	  $(krb5HEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(krb5dir)/$$f"; \
 	done
 
-uninstall-includeHEADERS:
+uninstall-krb5HEADERS:
 	@$(NORMAL_UNINSTALL)
-	@list='$(include_HEADERS)'; for p in $$list; do \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	@list='$(krb5_HEADERS)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
+	  echo " rm -f '$(DESTDIR)$(krb5dir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(krb5dir)/$$f"; \
+	done
+install-nodist_includeHEADERS: $(nodist_include_HEADERS)
+	@$(NORMAL_INSTALL)
+	test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
+	@list='$(nodist_include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  f=$(am__strip_dir) \
+	  echo " $(nodist_includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
+	  $(nodist_includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
+	done
+
+uninstall-nodist_includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(nodist_include_HEADERS)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
 	  echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \
 	  rm -f "$(DESTDIR)$(includedir)/$$f"; \
 	done
@@ -970,9 +1565,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -997,9 +1594,9 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 check-TESTS: $(TESTS)
-	@failed=0; all=0; xfail=0; xpass=0; skip=0; \
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[	 ]'; \
 	srcdir=$(srcdir); export srcdir; \
-	list='$(TESTS)'; \
+	list=' $(TESTS) '; \
 	if test -n "$$list"; then \
 	  for tst in $$list; do \
 	    if test -f ./$$tst; then dir=./; \
@@ -1008,7 +1605,7 @@ check-TESTS: $(TESTS)
 	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
 	      all=`expr $$all + 1`; \
 	      case " $(XFAIL_TESTS) " in \
-	      *" $$tst "*) \
+	      *$$ws$$tst$$ws*) \
 		xpass=`expr $$xpass + 1`; \
 		failed=`expr $$failed + 1`; \
 		echo "XPASS: $$tst"; \
@@ -1020,7 +1617,7 @@ check-TESTS: $(TESTS)
 	    elif test $$? -ne 77; then \
 	      all=`expr $$all + 1`; \
 	      case " $(XFAIL_TESTS) " in \
-	      *" $$tst "*) \
+	      *$$ws$$tst$$ws*) \
 		xfail=`expr $$xfail + 1`; \
 		echo "XFAIL: $$tst"; \
 	      ;; \
@@ -1051,42 +1648,40 @@ check-TESTS: $(TESTS)
 	  skipped=""; \
 	  if test "$$skip" -ne 0; then \
 	    skipped="($$skip tests were not run)"; \
-	    test `echo "$$skipped" | wc -c` -gt `echo "$$banner" | wc -c` && \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
 	      dashes="$$skipped"; \
 	  fi; \
 	  report=""; \
 	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
 	    report="Please report to $(PACKAGE_BUGREPORT)"; \
-	    test `echo "$$report" | wc -c` -gt `echo "$$banner" | wc -c` && \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
 	      dashes="$$report"; \
 	  fi; \
 	  dashes=`echo "$$dashes" | sed s/./=/g`; \
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
-	  test -n "$$skipped" && echo "$$skipped"; \
-	  test -n "$$report" && echo "$$report"; \
+	  test -z "$$skipped" || echo "$$skipped"; \
+	  test -z "$$report" || echo "$$report"; \
 	  echo "$$dashes"; \
 	  test "$$failed" -eq 0; \
 	else :; fi
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../.. $(distdir)/../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -1109,8 +1704,8 @@ all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(HEADERS) \
 install-binPROGRAMS: install-libLTLIBRARIES
 
 installdirs:
-	for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(includedir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(krb5dir)" "$(DESTDIR)$(includedir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -1132,7 +1727,7 @@ clean-generic:
 	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -1146,7 +1741,7 @@ clean-am: clean-binPROGRAMS clean-checkPROGRAMS clean-generic \
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -1158,18 +1753,27 @@ info: info-am
 
 info-am:
 
-install-data-am: install-includeHEADERS install-man
+install-data-am: install-dist_includeHEADERS install-krb5HEADERS \
+	install-man install-nodist_includeHEADERS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-binPROGRAMS install-libLTLIBRARIES
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man: install-man3 install-man5 install-man8
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -1189,28 +1793,39 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-binPROGRAMS uninstall-includeHEADERS \
-	uninstall-info-am uninstall-libLTLIBRARIES uninstall-man
+uninstall-am: uninstall-binPROGRAMS uninstall-dist_includeHEADERS \
+	uninstall-krb5HEADERS uninstall-libLTLIBRARIES uninstall-man \
+	uninstall-nodist_includeHEADERS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
 
 uninstall-man: uninstall-man3 uninstall-man5 uninstall-man8
 
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
 .PHONY: CTAGS GTAGS all all-am all-local check check-TESTS check-am \
 	check-local clean clean-binPROGRAMS clean-checkPROGRAMS \
 	clean-generic clean-libLTLIBRARIES clean-libtool \
-	clean-noinstPROGRAMS ctags distclean distclean-compile \
-	distclean-generic distclean-libtool distclean-tags distdir dvi \
-	dvi-am html html-am info info-am install install-am \
-	install-binPROGRAMS install-data install-data-am install-exec \
-	install-exec-am install-includeHEADERS install-info \
-	install-info-am install-libLTLIBRARIES install-man \
-	install-man3 install-man5 install-man8 install-strip \
-	installcheck installcheck-am installdirs maintainer-clean \
+	clean-noinstPROGRAMS ctags dist-hook distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-binPROGRAMS install-data \
+	install-data-am install-data-hook install-dist_includeHEADERS \
+	install-dvi install-dvi-am install-exec install-exec-am \
+	install-exec-hook install-html install-html-am install-info \
+	install-info-am install-krb5HEADERS install-libLTLIBRARIES \
+	install-man install-man3 install-man5 install-man8 \
+	install-nodist_includeHEADERS install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
 	maintainer-clean-generic mostlyclean mostlyclean-compile \
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-binPROGRAMS \
-	uninstall-includeHEADERS uninstall-info-am \
-	uninstall-libLTLIBRARIES uninstall-man uninstall-man3 \
-	uninstall-man5 uninstall-man8
+	uninstall-dist_includeHEADERS uninstall-hook \
+	uninstall-krb5HEADERS uninstall-libLTLIBRARIES uninstall-man \
+	uninstall-man3 uninstall-man5 uninstall-man8 \
+	uninstall-nodist_includeHEADERS
 
 
 install-suid-programs:
@@ -1225,8 +1840,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -1236,19 +1851,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -1264,7 +1891,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -1334,29 +1961,58 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
 
-$(libkrb5_la_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
+$(libkrb5_la_OBJECTS) $(verify_krb5_conf_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h
 
 $(srcdir)/krb5-protos.h:
-	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -o krb5-protos.h $(libkrb5_la_SOURCES) || rm -f krb5-protos.h
+	cd $(srcdir) && perl ../../cf/make-proto.pl -E KRB5_LIB_FUNCTION -q -P comment -o krb5-protos.h $(dist_libkrb5_la_SOURCES) || rm -f krb5-protos.h
 
 $(srcdir)/krb5-private.h:
-	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p krb5-private.h $(libkrb5_la_SOURCES) || rm -f krb5-private.h
+	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p krb5-private.h $(dist_libkrb5_la_SOURCES) || rm -f krb5-private.h
 
-$(libkrb5_la_OBJECTS): krb5_err.h heim_err.h k524_err.h
+$(libkrb5_la_OBJECTS): krb5_err.h krb_err.h heim_err.h k524_err.h
+
+#sysconf_DATA = krb5.moduli
 
 # to help stupid solaris make
 
 krb5_err.h: krb5_err.et
 
+krb_err.h: krb_err.et
+
 heim_err.h: heim_err.et
 
 k524_err.h: k524_err.et
diff --git a/crypto/heimdal/lib/krb5/acache.c b/crypto/heimdal/lib/krb5/acache.c
new file mode 100644
index 0000000..30a6d90
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/acache.c
@@ -0,0 +1,961 @@
+/*
+ * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+#include <krb5_ccapi.h>
+#ifdef HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+RCSID("$Id: acache.c 22099 2007-12-03 17:14:34Z lha $");
+
+/* XXX should we fetch these for each open ? */
+static HEIMDAL_MUTEX acc_mutex = HEIMDAL_MUTEX_INITIALIZER;
+static cc_initialize_func init_func;
+
+#ifdef HAVE_DLOPEN
+static void *cc_handle; 
+#endif
+
+typedef struct krb5_acc {
+    char *cache_name;
+    cc_context_t context;
+    cc_ccache_t ccache;
+} krb5_acc;
+
+static krb5_error_code acc_close(krb5_context, krb5_ccache);
+
+#define ACACHE(X) ((krb5_acc *)(X)->data.data)
+
+static const struct {
+    cc_int32 error;
+    krb5_error_code ret;
+} cc_errors[] = {
+    { ccErrBadName,		KRB5_CC_BADNAME },
+    { ccErrCredentialsNotFound,	KRB5_CC_NOTFOUND },
+    { ccErrCCacheNotFound,	KRB5_FCC_NOFILE },
+    { ccErrContextNotFound,	KRB5_CC_NOTFOUND },
+    { ccIteratorEnd,		KRB5_CC_END },
+    { ccErrNoMem,		KRB5_CC_NOMEM },
+    { ccErrServerUnavailable,	KRB5_CC_NOSUPP },
+    { ccNoError,		0 }
+};
+
+static krb5_error_code
+translate_cc_error(krb5_context context, cc_int32 error)
+{
+    int i;
+    krb5_clear_error_string(context);
+    for(i = 0; i < sizeof(cc_errors)/sizeof(cc_errors[0]); i++)
+	if (cc_errors[i].error == error)
+	    return cc_errors[i].ret;
+    return KRB5_FCC_INTERNAL;
+}
+
+static krb5_error_code
+init_ccapi(krb5_context context)
+{
+    const char *lib;
+
+    HEIMDAL_MUTEX_lock(&acc_mutex);
+    if (init_func) {
+	HEIMDAL_MUTEX_unlock(&acc_mutex);
+	krb5_clear_error_string(context);
+	return 0;
+    }
+
+    lib = krb5_config_get_string(context, NULL,
+				 "libdefaults", "ccapi_library", 
+				 NULL);
+    if (lib == NULL) {
+#ifdef __APPLE__
+	lib = "/System/Library/Frameworks/Kerberos.framework/Kerberos";
+#else
+	lib = "/usr/lib/libkrb5_cc.so";
+#endif
+    }
+
+#ifdef HAVE_DLOPEN
+
+#ifndef RTLD_LAZY
+#define RTLD_LAZY 0
+#endif
+
+    cc_handle = dlopen(lib, RTLD_LAZY);
+    if (cc_handle == NULL) {
+	HEIMDAL_MUTEX_unlock(&acc_mutex);
+	krb5_set_error_string(context, "Failed to load %s", lib);
+	return KRB5_CC_NOSUPP;
+    }
+
+    init_func = (cc_initialize_func)dlsym(cc_handle, "cc_initialize");
+    HEIMDAL_MUTEX_unlock(&acc_mutex);
+    if (init_func == NULL) {
+	krb5_set_error_string(context, "Failed to find cc_initialize"
+			      "in %s: %s", lib, dlerror());
+	dlclose(cc_handle);
+	return KRB5_CC_NOSUPP;
+    }
+
+    return 0;
+#else
+    HEIMDAL_MUTEX_unlock(&acc_mutex);
+    krb5_set_error_string(context, "no support for shared object");
+    return KRB5_CC_NOSUPP;
+#endif
+}    
+
+static krb5_error_code
+make_cred_from_ccred(krb5_context context,
+		     const cc_credentials_v5_t *incred,
+		     krb5_creds *cred)
+{
+    krb5_error_code ret;
+    int i;
+
+    memset(cred, 0, sizeof(*cred));
+
+    ret = krb5_parse_name(context, incred->client, &cred->client);
+    if (ret)
+	goto fail;
+
+    ret = krb5_parse_name(context, incred->server, &cred->server);
+    if (ret)
+	goto fail;
+
+    cred->session.keytype = incred->keyblock.type;
+    cred->session.keyvalue.length = incred->keyblock.length;
+    cred->session.keyvalue.data = malloc(incred->keyblock.length);
+    if (cred->session.keyvalue.data == NULL)
+	goto nomem;
+    memcpy(cred->session.keyvalue.data, incred->keyblock.data,
+	   incred->keyblock.length);
+
+    cred->times.authtime = incred->authtime;
+    cred->times.starttime = incred->starttime;
+    cred->times.endtime = incred->endtime;
+    cred->times.renew_till = incred->renew_till;
+
+    ret = krb5_data_copy(&cred->ticket,
+			 incred->ticket.data,
+			 incred->ticket.length);
+    if (ret)
+	goto nomem;
+
+    ret = krb5_data_copy(&cred->second_ticket,
+			 incred->second_ticket.data,
+			 incred->second_ticket.length);
+    if (ret)
+	goto nomem;
+
+    cred->authdata.val = NULL;
+    cred->authdata.len = 0;
+    
+    cred->addresses.val = NULL;
+    cred->addresses.len = 0;
+    
+    for (i = 0; incred->authdata && incred->authdata[i]; i++)
+	;
+    
+    if (i) {
+	cred->authdata.val = calloc(i, sizeof(cred->authdata.val[0]));
+	if (cred->authdata.val == NULL)
+	    goto nomem;
+	cred->authdata.len = i;
+	for (i = 0; i < cred->authdata.len; i++) {
+	    cred->authdata.val[i].ad_type = incred->authdata[i]->type;
+	    ret = krb5_data_copy(&cred->authdata.val[i].ad_data,
+				 incred->authdata[i]->data,
+				 incred->authdata[i]->length);
+	    if (ret)
+		goto nomem;
+	}
+    }
+    
+    for (i = 0; incred->addresses && incred->addresses[i]; i++)
+	;
+    
+    if (i) {
+	cred->addresses.val = calloc(i, sizeof(cred->addresses.val[0]));
+	if (cred->addresses.val == NULL)
+	    goto nomem;
+	cred->addresses.len = i;
+	
+	for (i = 0; i < cred->addresses.len; i++) {
+	    cred->addresses.val[i].addr_type = incred->addresses[i]->type;
+	    ret = krb5_data_copy(&cred->addresses.val[i].address,
+				 incred->addresses[i]->data,
+				 incred->addresses[i]->length);
+	    if (ret)
+		goto nomem;
+	}
+    }
+    
+    cred->flags.i = 0;
+    if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_FORWARDABLE)
+	cred->flags.b.forwardable = 1;
+    if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_FORWARDED)
+	cred->flags.b.forwarded = 1;
+    if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PROXIABLE)
+	cred->flags.b.proxiable = 1;
+    if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PROXY)
+	cred->flags.b.proxy = 1;
+    if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_MAY_POSTDATE)
+	cred->flags.b.may_postdate = 1;
+    if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_POSTDATED)
+	cred->flags.b.postdated = 1;
+    if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_INVALID)
+	cred->flags.b.invalid = 1;
+    if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_RENEWABLE)
+	cred->flags.b.renewable = 1;
+    if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_INITIAL)
+	cred->flags.b.initial = 1;
+    if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PRE_AUTH)
+	cred->flags.b.pre_authent = 1;
+    if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_HW_AUTH)
+	cred->flags.b.hw_authent = 1;
+    if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_TRANSIT_POLICY_CHECKED)
+	cred->flags.b.transited_policy_checked = 1;
+    if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_OK_AS_DELEGATE)
+	cred->flags.b.ok_as_delegate = 1;
+    if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_ANONYMOUS)
+	cred->flags.b.anonymous = 1;
+
+    return 0;
+    
+nomem:
+    ret = ENOMEM;
+    krb5_set_error_string(context, "malloc - out of memory");
+    
+fail:
+    krb5_free_cred_contents(context, cred);
+    return ret;
+}
+
+static void
+free_ccred(cc_credentials_v5_t *cred)
+{
+    int i;
+
+    if (cred->addresses) {
+	for (i = 0; cred->addresses[i] != 0; i++) {
+	    if (cred->addresses[i]->data)
+		free(cred->addresses[i]->data);
+	    free(cred->addresses[i]);
+	}
+	free(cred->addresses);
+    }
+    if (cred->server)
+	free(cred->server);
+    if (cred->client)
+	free(cred->client);
+    memset(cred, 0, sizeof(*cred));
+}
+
+static krb5_error_code
+make_ccred_from_cred(krb5_context context,
+		     const krb5_creds *incred,
+		     cc_credentials_v5_t *cred)
+{
+    krb5_error_code ret;
+    int i;
+
+    memset(cred, 0, sizeof(*cred));
+
+    ret = krb5_unparse_name(context, incred->client, &cred->client);
+    if (ret)
+	goto fail;
+
+    ret = krb5_unparse_name(context, incred->server, &cred->server);
+    if (ret)
+	goto fail;
+
+    cred->keyblock.type = incred->session.keytype;
+    cred->keyblock.length = incred->session.keyvalue.length;
+    cred->keyblock.data = incred->session.keyvalue.data;
+
+    cred->authtime = incred->times.authtime;
+    cred->starttime = incred->times.starttime;
+    cred->endtime = incred->times.endtime;
+    cred->renew_till = incred->times.renew_till;
+
+    cred->ticket.length = incred->ticket.length;
+    cred->ticket.data = incred->ticket.data;
+
+    cred->second_ticket.length = incred->second_ticket.length;
+    cred->second_ticket.data = incred->second_ticket.data;
+
+    /* XXX this one should also be filled in */
+    cred->authdata = NULL;
+    
+    cred->addresses = calloc(incred->addresses.len + 1, 
+			     sizeof(cred->addresses[0]));
+    if (cred->addresses == NULL) {
+
+	ret = ENOMEM;
+	goto fail;
+    }
+
+    for (i = 0; i < incred->addresses.len; i++) {
+	cc_data *addr;
+	addr = malloc(sizeof(*addr));
+	if (addr == NULL) {
+	    ret = ENOMEM;
+	    goto fail;
+	}
+	addr->type = incred->addresses.val[i].addr_type;
+	addr->length = incred->addresses.val[i].address.length;
+	addr->data = malloc(addr->length);
+	if (addr->data == NULL) {
+	    ret = ENOMEM;
+	    goto fail;
+	}
+	memcpy(addr->data, incred->addresses.val[i].address.data, 
+	       addr->length);
+	cred->addresses[i] = addr;
+    }
+    cred->addresses[i] = NULL;
+
+    cred->ticket_flags = 0;
+    if (incred->flags.b.forwardable)
+	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_FORWARDABLE;
+    if (incred->flags.b.forwarded)
+	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_FORWARDED;
+    if (incred->flags.b.proxiable)
+	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PROXIABLE;
+    if (incred->flags.b.proxy)
+	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PROXY;
+    if (incred->flags.b.may_postdate)
+	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_MAY_POSTDATE;
+    if (incred->flags.b.postdated)
+	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_POSTDATED;
+    if (incred->flags.b.invalid)
+	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_INVALID;
+    if (incred->flags.b.renewable)
+	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_RENEWABLE;
+    if (incred->flags.b.initial)
+	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_INITIAL;
+    if (incred->flags.b.pre_authent)
+	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PRE_AUTH;
+    if (incred->flags.b.hw_authent)
+	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_HW_AUTH;
+    if (incred->flags.b.transited_policy_checked)
+	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_TRANSIT_POLICY_CHECKED;
+    if (incred->flags.b.ok_as_delegate)
+	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_OK_AS_DELEGATE;
+    if (incred->flags.b.anonymous)
+	cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_ANONYMOUS;
+
+    return 0;
+
+fail:    
+    free_ccred(cred);
+
+    krb5_clear_error_string(context);
+    return ret;
+}
+
+static char *
+get_cc_name(cc_ccache_t cache)
+{
+    cc_string_t name;
+    cc_int32 error;
+    char *str;
+
+    error = (*cache->func->get_name)(cache, &name);
+    if (error)
+	return NULL;
+
+    str = strdup(name->data);
+    (*name->func->release)(name);
+    return str;
+}
+
+
+static const char*
+acc_get_name(krb5_context context,
+	     krb5_ccache id)
+{
+    krb5_acc *a = ACACHE(id);
+    static char n[255];
+    char *name;
+
+    name = get_cc_name(a->ccache);
+    if (name == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return NULL;
+    }
+    strlcpy(n, name, sizeof(n));
+    free(name);
+    return n;
+}
+
+static krb5_error_code
+acc_alloc(krb5_context context, krb5_ccache *id)
+{
+    krb5_error_code ret;
+    cc_int32 error;
+    krb5_acc *a;
+
+    ret = init_ccapi(context);
+    if (ret)
+	return ret;
+
+    ret = krb5_data_alloc(&(*id)->data, sizeof(*a));
+    if (ret) {
+	krb5_clear_error_string(context);
+	return ret;
+    }
+    
+    a = ACACHE(*id);
+
+    error = (*init_func)(&a->context, ccapi_version_3, NULL, NULL);
+    if (error) {
+	krb5_data_free(&(*id)->data);
+	return translate_cc_error(context, error);
+    }
+
+    a->cache_name = NULL;
+
+    return 0;
+}
+
+static krb5_error_code
+acc_resolve(krb5_context context, krb5_ccache *id, const char *res)
+{
+    krb5_error_code ret;
+    cc_int32 error;
+    krb5_acc *a;
+
+    ret = acc_alloc(context, id);
+    if (ret)
+	return ret;
+
+    a = ACACHE(*id);
+
+    error = (*a->context->func->open_ccache)(a->context, res,
+					     &a->ccache);
+    if (error == 0) {
+	a->cache_name = get_cc_name(a->ccache);
+	if (a->cache_name == NULL) {
+	    acc_close(context, *id);
+	    *id = NULL;
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    return ENOMEM;
+	}
+    } else if (error == ccErrCCacheNotFound) {
+	a->ccache = NULL;
+	a->cache_name = NULL;
+	error = 0;
+    } else {
+	*id = NULL;
+	return translate_cc_error(context, error);
+    }
+
+    return 0;
+}
+
+static krb5_error_code
+acc_gen_new(krb5_context context, krb5_ccache *id)
+{
+    krb5_error_code ret;
+    krb5_acc *a;
+
+    ret = acc_alloc(context, id);
+    if (ret)
+	return ret;
+
+    a = ACACHE(*id);
+
+    a->ccache = NULL;
+    a->cache_name = NULL;
+
+    return 0;
+}
+
+static krb5_error_code
+acc_initialize(krb5_context context,
+	       krb5_ccache id,
+	       krb5_principal primary_principal)
+{
+    krb5_acc *a = ACACHE(id);
+    krb5_error_code ret;
+    int32_t error;
+    char *name;
+
+    ret = krb5_unparse_name(context, primary_principal, &name);
+    if (ret)
+	return ret;
+
+    error = (*a->context->func->create_new_ccache)(a->context,
+						   cc_credentials_v5,
+						   name,
+						   &a->ccache);
+    free(name);
+
+    return translate_cc_error(context, error);
+}
+
+static krb5_error_code
+acc_close(krb5_context context,
+	  krb5_ccache id)
+{
+    krb5_acc *a = ACACHE(id);
+
+    if (a->ccache) {
+	(*a->ccache->func->release)(a->ccache);
+	a->ccache = NULL;
+    }
+    if (a->cache_name) {
+	free(a->cache_name);
+	a->cache_name = NULL;
+    }
+    (*a->context->func->release)(a->context);
+    a->context = NULL;
+    krb5_data_free(&id->data);
+    return 0;
+}
+
+static krb5_error_code
+acc_destroy(krb5_context context,
+	    krb5_ccache id)
+{
+    krb5_acc *a = ACACHE(id);
+    cc_int32 error = 0;
+
+    if (a->ccache) {
+	error = (*a->ccache->func->destroy)(a->ccache);
+	a->ccache = NULL;
+    }
+    if (a->context) {
+	error = (a->context->func->release)(a->context);
+	a->context = NULL;
+    }
+    return translate_cc_error(context, error);
+}
+
+static krb5_error_code
+acc_store_cred(krb5_context context,
+	       krb5_ccache id,
+	       krb5_creds *creds)
+{
+    krb5_acc *a = ACACHE(id);
+    cc_credentials_union cred;
+    cc_credentials_v5_t v5cred;
+    krb5_error_code ret;
+    cc_int32 error;
+    
+    if (a->ccache == NULL) {
+	krb5_set_error_string(context, "No API credential found");
+	return KRB5_CC_NOTFOUND;
+    }
+
+    cred.version = cc_credentials_v5;
+    cred.credentials.credentials_v5 = &v5cred;
+
+    ret = make_ccred_from_cred(context, 
+			       creds,
+			       &v5cred);
+    if (ret)
+	return ret;
+
+    error = (*a->ccache->func->store_credentials)(a->ccache, &cred);
+    if (error)
+	ret = translate_cc_error(context, error);
+
+    free_ccred(&v5cred);
+
+    return ret;
+}
+
+static krb5_error_code
+acc_get_principal(krb5_context context,
+		  krb5_ccache id,
+		  krb5_principal *principal)
+{
+    krb5_acc *a = ACACHE(id);
+    krb5_error_code ret;
+    int32_t error;
+    cc_string_t name;
+
+    if (a->ccache == NULL) {
+	krb5_set_error_string(context, "No API credential found");
+	return KRB5_CC_NOTFOUND;
+    }
+
+    error = (*a->ccache->func->get_principal)(a->ccache,
+					      cc_credentials_v5,
+					      &name);
+    if (error)
+	return translate_cc_error(context, error);
+    
+    ret = krb5_parse_name(context, name->data, principal);
+    
+    (*name->func->release)(name);
+    return ret;
+}
+
+static krb5_error_code
+acc_get_first (krb5_context context,
+	       krb5_ccache id,
+	       krb5_cc_cursor *cursor)
+{
+    cc_credentials_iterator_t iter;
+    krb5_acc *a = ACACHE(id);
+    int32_t error;
+    
+    if (a->ccache == NULL) {
+	krb5_set_error_string(context, "No API credential found");
+	return KRB5_CC_NOTFOUND;
+    }
+
+    error = (*a->ccache->func->new_credentials_iterator)(a->ccache, &iter);
+    if (error) {
+	krb5_clear_error_string(context);
+	return ENOENT;
+    }
+    *cursor = iter;
+    return 0;
+}
+
+
+static krb5_error_code
+acc_get_next (krb5_context context,
+	      krb5_ccache id,
+	      krb5_cc_cursor *cursor,
+	      krb5_creds *creds)
+{
+    cc_credentials_iterator_t iter = *cursor;
+    cc_credentials_t cred;
+    krb5_error_code ret;
+    int32_t error;
+
+    while (1) {
+	error = (*iter->func->next)(iter, &cred);
+	if (error)
+	    return translate_cc_error(context, error);
+	if (cred->data->version == cc_credentials_v5)
+	    break;
+	(*cred->func->release)(cred);
+    }
+
+    ret = make_cred_from_ccred(context, 
+			       cred->data->credentials.credentials_v5,
+			       creds);
+    (*cred->func->release)(cred);
+    return ret;
+}
+
+static krb5_error_code
+acc_end_get (krb5_context context,
+	     krb5_ccache id,
+	     krb5_cc_cursor *cursor)
+{
+    cc_credentials_iterator_t iter = *cursor;
+    (*iter->func->release)(iter);
+    return 0;
+}
+
+static krb5_error_code
+acc_remove_cred(krb5_context context,
+		krb5_ccache id,
+		krb5_flags which,
+		krb5_creds *cred)
+{
+    cc_credentials_iterator_t iter;
+    krb5_acc *a = ACACHE(id);
+    cc_credentials_t ccred;
+    krb5_error_code ret;
+    cc_int32 error;
+    char *client, *server;
+    
+    if (a->ccache == NULL) {
+	krb5_set_error_string(context, "No API credential found");
+	return KRB5_CC_NOTFOUND;
+    }
+
+    if (cred->client) {
+	ret = krb5_unparse_name(context, cred->client, &client);
+	if (ret)
+	    return ret;
+    } else
+	client = NULL;
+
+    ret = krb5_unparse_name(context, cred->server, &server);
+    if (ret) {
+	free(client);
+	return ret;
+    }
+
+    error = (*a->ccache->func->new_credentials_iterator)(a->ccache, &iter);
+    if (error) {
+	free(server);
+	free(client);
+	return translate_cc_error(context, error);
+    }
+
+    ret = KRB5_CC_NOTFOUND;
+    while (1) {
+	cc_credentials_v5_t *v5cred;
+
+	error = (*iter->func->next)(iter, &ccred);
+	if (error)
+	    break;
+
+	if (ccred->data->version != cc_credentials_v5)
+	    goto next;
+
+	v5cred = ccred->data->credentials.credentials_v5;
+
+	if (client && strcmp(v5cred->client, client) != 0)
+	    goto next;
+
+	if (strcmp(v5cred->server, server) != 0)
+	    goto next;
+
+	(*a->ccache->func->remove_credentials)(a->ccache, ccred);
+	ret = 0;
+    next:
+	(*ccred->func->release)(ccred);
+    }
+
+    (*iter->func->release)(iter);
+
+    if (ret)
+	krb5_set_error_string(context, "Can't find credential %s in cache", 
+			      server);
+    free(server);
+    free(client);
+
+    return ret;
+}
+
+static krb5_error_code
+acc_set_flags(krb5_context context,
+	      krb5_ccache id,
+	      krb5_flags flags)
+{
+    return 0;
+}
+
+static krb5_error_code
+acc_get_version(krb5_context context,
+		krb5_ccache id)
+{
+    return 0;
+}
+		    
+struct cache_iter {
+    cc_context_t context;
+    cc_ccache_iterator_t iter;
+};
+
+static krb5_error_code
+acc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
+{
+    struct cache_iter *iter;
+    krb5_error_code ret;
+    cc_int32 error;
+
+    ret = init_ccapi(context);
+    if (ret)
+	return ret;
+
+    iter = calloc(1, sizeof(*iter));
+    if (iter == NULL) {
+	krb5_set_error_string(context, "malloc - out of memory");
+	return ENOMEM;
+    }
+
+    error = (*init_func)(&iter->context, ccapi_version_3, NULL, NULL);
+    if (error) {
+	free(iter);
+	return translate_cc_error(context, error);
+    }
+
+    error = (*iter->context->func->new_ccache_iterator)(iter->context,
+							&iter->iter);
+    if (error) {
+	free(iter);
+	krb5_clear_error_string(context);
+	return ENOENT;
+    }
+    *cursor = iter;
+    return 0;
+}
+
+static krb5_error_code
+acc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
+{
+    struct cache_iter *iter = cursor;
+    cc_ccache_t cache;
+    krb5_acc *a;
+    krb5_error_code ret;
+    int32_t error;
+
+    error = (*iter->iter->func->next)(iter->iter, &cache);
+    if (error)
+	return translate_cc_error(context, error);
+
+    ret = _krb5_cc_allocate(context, &krb5_acc_ops, id);
+    if (ret) {
+	(*cache->func->release)(cache);
+	return ret;
+    }
+
+    ret = acc_alloc(context, id);
+    if (ret) {
+	(*cache->func->release)(cache);
+	free(*id);
+	return ret;
+    }
+
+    a = ACACHE(*id);
+    a->ccache = cache;
+
+    a->cache_name = get_cc_name(a->ccache);
+    if (a->cache_name == NULL) {
+	acc_close(context, *id);
+	*id = NULL;
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }	
+    return 0;
+}
+
+static krb5_error_code
+acc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
+{
+    struct cache_iter *iter = cursor;
+
+    (*iter->iter->func->release)(iter->iter);
+    iter->iter = NULL;
+    (*iter->context->func->release)(iter->context);
+    iter->context = NULL;
+    free(iter);
+    return 0;
+}
+
+static krb5_error_code
+acc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
+{
+    krb5_acc *afrom = ACACHE(from);
+    krb5_acc *ato = ACACHE(to);
+    int32_t error;
+
+    if (ato->ccache == NULL) {
+	cc_string_t name;
+
+	error = (*afrom->ccache->func->get_principal)(afrom->ccache,
+						      cc_credentials_v5,
+						      &name);
+	if (error)
+	    return translate_cc_error(context, error);
+    
+	error = (*ato->context->func->create_new_ccache)(ato->context,
+							 cc_credentials_v5,
+							 name->data,
+							 &ato->ccache);
+	(*name->func->release)(name);
+	if (error)
+	    return translate_cc_error(context, error);
+    }
+
+
+    error = (*ato->ccache->func->move)(afrom->ccache, ato->ccache);
+    return translate_cc_error(context, error);
+}
+
+static krb5_error_code
+acc_default_name(krb5_context context, char **str)
+{
+    krb5_error_code ret;
+    cc_context_t cc;
+    cc_string_t name;
+    int32_t error;
+
+    ret = init_ccapi(context);
+    if (ret)
+	return ret;
+
+    error = (*init_func)(&cc, ccapi_version_3, NULL, NULL);
+    if (error)
+	return translate_cc_error(context, error);
+
+    error = (*cc->func->get_default_ccache_name)(cc, &name);
+    if (error) {
+	(*cc->func->release)(cc);
+	return translate_cc_error(context, error);
+    }
+	
+    asprintf(str, "API:%s", name->data);
+    (*name->func->release)(name);
+    (*cc->func->release)(cc);
+
+    if (*str == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    return 0;
+}
+
+
+/**
+ * Variable containing the API based credential cache implemention.
+ *
+ * @ingroup krb5_ccache
+ */
+
+const krb5_cc_ops krb5_acc_ops = {
+    "API",
+    acc_get_name,
+    acc_resolve,
+    acc_gen_new,
+    acc_initialize,
+    acc_destroy,
+    acc_close,
+    acc_store_cred,
+    NULL, /* acc_retrieve */
+    acc_get_principal,
+    acc_get_first,
+    acc_get_next,
+    acc_end_get,
+    acc_remove_cred,
+    acc_set_flags,
+    acc_get_version,
+    acc_get_cache_first,
+    acc_get_cache_next,
+    acc_end_cache_get,
+    acc_move,
+    acc_default_name
+};
diff --git a/crypto/heimdal/lib/krb5/acl.c b/crypto/heimdal/lib/krb5/acl.c
index c356869..cab6836 100644
--- a/crypto/heimdal/lib/krb5/acl.c
+++ b/crypto/heimdal/lib/krb5/acl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 2000 - 2002, 2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -34,7 +34,7 @@
 #include "krb5_locl.h"
 #include <fnmatch.h>
 
-RCSID("$Id: acl.c,v 1.3 2002/04/18 16:16:24 joda Exp $");
+RCSID("$Id: acl.c 22119 2007-12-03 22:02:48Z lha $");
 
 struct acl_field {
     enum { acl_string, acl_fnmatch, acl_retval } type;
@@ -46,9 +46,24 @@ struct acl_field {
 };
 
 static void
-acl_free_list(struct acl_field *acl)
+free_retv(struct acl_field *acl)
+{
+    while(acl != NULL) {
+	if (acl->type == acl_retval) {
+	    if (*acl->u.retv)
+		free(*acl->u.retv);
+	    *acl->u.retv = NULL;
+	}
+	acl = acl->next;
+    }
+}
+
+static void
+acl_free_list(struct acl_field *acl, int retv)
 {
     struct acl_field *next;
+    if (retv)
+	free_retv(acl);
     while(acl != NULL) {
 	next = acl->next;
 	free(acl);
@@ -69,7 +84,7 @@ acl_parse_format(krb5_context context,
 	tmp = malloc(sizeof(*tmp));
 	if(tmp == NULL) {
 	    krb5_set_error_string(context, "malloc: out of memory");
-	    acl_free_list(acl);
+	    acl_free_list(acl, 0);
 	    return ENOMEM;
 	}
 	if(*p == 's') {
@@ -81,6 +96,13 @@ acl_parse_format(krb5_context context,
 	} else if(*p == 'r') {
 	    tmp->type = acl_retval;
 	    tmp->u.retv = va_arg(ap, char **);
+	    *tmp->u.retv = NULL;
+	} else {
+	    krb5_set_error_string(context, "acl_parse_format: "
+				  "unknown format specifier %c", *p);
+	    acl_free_list(acl, 0);
+	    free(tmp);
+	    return EINVAL;
 	}
 	tmp->next = NULL;
 	if(acl == NULL)
@@ -99,9 +121,9 @@ acl_match_field(krb5_context context,
 		struct acl_field *field)
 {
     if(field->type == acl_string) {
-	return !strcmp(string, field->u.cstr);
+	return !strcmp(field->u.cstr, string);
     } else if(field->type == acl_fnmatch) {
-	return !fnmatch(string, field->u.cstr, 0);
+	return !fnmatch(field->u.cstr, string, 0);
     } else if(field->type == acl_retval) {
 	*field->u.retv = strdup(string);
 	return TRUE;
@@ -115,19 +137,68 @@ acl_match_acl(krb5_context context,
 	      const char *string)
 {
     char buf[256];
-    for(;strsep_copy(&string, " \t", buf, sizeof(buf)) != -1; 
-	acl = acl->next) {
+    while(strsep_copy(&string, " \t", buf, sizeof(buf)) != -1) {
 	if(buf[0] == '\0')
 	    continue; /* skip ws */
+	if (acl == NULL)
+	    return FALSE;
 	if(!acl_match_field(context, buf, acl)) {
 	    return FALSE;
 	}
+	acl = acl->next;
     }
+    if (acl)
+	return FALSE;
     return TRUE;
 }
 
+/**
+ * krb5_acl_match_string matches ACL format against a string.
+ *
+ * The ACL format has three format specifiers: s, f, and r.  Each
+ * specifier will retrieve one argument from the variable arguments
+ * for either matching or storing data.  The input string is split up
+ * using " " (space) and "\t" (tab) as a delimiter; multiple and "\t"
+ * in a row are considered to be the same.
+ *
+ * List of format specifiers:
+ * - s Matches a string using strcmp(3) (case sensitive).
+ * - f Matches the string with fnmatch(3). Theflags
+ *     argument (the last argument) passed to the fnmatch function is 0.
+ * - r Returns a copy of the string in the char ** passed in; the copy
+ *     must be freed with free(3). There is no need to free(3) the
+ *     string on error: the function will clean up and set the pointer
+ *     to NULL.
+ *
+ * @param context Kerberos 5 context
+ * @param string string to match with
+ * @param format format to match
+ * @param ... parameter to format string
+ *
+ * @return Return an error code or 0.
+ *
+ *
+ * @code
+ * char *s;
+ * 
+ * ret = krb5_acl_match_string(context, "foo", "s", "foo");
+ * if (ret)
+ *     krb5_errx(context, 1, "acl didn't match");
+ * ret = krb5_acl_match_string(context, "foo foo baz/kaka",
+ *     "ss", "foo", &s, "foo/\\*");
+ * if (ret) {
+ *     // no need to free(s) on error
+ *     assert(s == NULL);
+ *     krb5_errx(context, 1, "acl didn't match");
+ * }
+ * free(s);
+ * @endcode
+ *
+ * @sa krb5_acl_match_file
+ * @ingroup krb5_support
+ */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_acl_match_string(krb5_context context,
 		      const char *string,
 		      const char *format,
@@ -145,7 +216,7 @@ krb5_acl_match_string(krb5_context context,
 	return ret;
 
     found = acl_match_acl(context, acl, string);
-    acl_free_list(acl);
+    acl_free_list(acl, !found);
     if (found) {
 	return 0;
     } else {
@@ -154,7 +225,23 @@ krb5_acl_match_string(krb5_context context,
     }
 }
 	       
-krb5_error_code
+/**
+ * krb5_acl_match_file matches ACL format against each line in a file
+ * using krb5_acl_match_string(). Lines starting with # are treated
+ * like comments and ignored.
+ *
+ * @param context Kerberos 5 context.
+ * @param file file with acl listed in the file.
+ * @param format format to match.
+ * @param ... parameter to format string.
+ *
+ * @return Return an error code or 0.
+ *
+ * @sa krb5_acl_match_string
+ * @ingroup krb5_support
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_acl_match_file(krb5_context context,
 		    const char *file,
 		    const char *format,
@@ -192,10 +279,11 @@ krb5_acl_match_file(krb5_context context,
 	    found = TRUE;
 	    break;
 	}
+	free_retv(acl);
     }
 
     fclose(f);
-    acl_free_list(acl);
+    acl_free_list(acl, !found);
     if (found) {
 	return 0;
     } else {
diff --git a/crypto/heimdal/lib/krb5/add_et_list.c b/crypto/heimdal/lib/krb5/add_et_list.c
index cfc42f4..a6005c6 100644
--- a/crypto/heimdal/lib/krb5/add_et_list.c
+++ b/crypto/heimdal/lib/krb5/add_et_list.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: add_et_list.c,v 1.2 1999/12/02 17:05:07 joda Exp $");
+RCSID("$Id: add_et_list.c 13713 2004-04-13 14:33:45Z lha $");
 
 /*
  * Add a specified list of error messages to the et list in context.
@@ -41,7 +41,7 @@ RCSID("$Id: add_et_list.c,v 1.2 1999/12/02 17:05:07 joda Exp $");
  * the current et_list.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_add_et_list (krb5_context context,
 		  void (*func)(struct et_list **))
 {
diff --git a/crypto/heimdal/lib/krb5/addr_families.c b/crypto/heimdal/lib/krb5/addr_families.c
index be32458..f364f59 100644
--- a/crypto/heimdal/lib/krb5/addr_families.c
+++ b/crypto/heimdal/lib/krb5/addr_families.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: addr_families.c,v 1.38 2003/03/25 12:37:02 joda Exp $");
+RCSID("$Id: addr_families.c 22039 2007-11-10 11:47:35Z lha $");
 
 struct addr_operations {
     int af;
@@ -52,6 +52,8 @@ struct addr_operations {
     int (*order_addr)(krb5_context, const krb5_address*, const krb5_address*);
     int (*free_addr)(krb5_context, krb5_address*);
     int (*copy_addr)(krb5_context, const krb5_address*, krb5_address*);
+    int (*mask_boundary)(krb5_context, const krb5_address*, unsigned long, 
+				     krb5_address*, krb5_address*);
 };
 
 /*
@@ -61,20 +63,20 @@ struct addr_operations {
 static krb5_error_code
 ipv4_sockaddr2addr (const struct sockaddr *sa, krb5_address *a)
 {
-    const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
+    const struct sockaddr_in *sin4 = (const struct sockaddr_in *)sa;
     unsigned char buf[4];
 
     a->addr_type = KRB5_ADDRESS_INET;
-    memcpy (buf, &sin->sin_addr, 4);
+    memcpy (buf, &sin4->sin_addr, 4);
     return krb5_data_copy(&a->address, buf, 4);
 }
 
 static krb5_error_code
 ipv4_sockaddr2port (const struct sockaddr *sa, int16_t *port)
 {
-    const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
+    const struct sockaddr_in *sin4 = (const struct sockaddr_in *)sa;
 
-    *port = sin->sin_port;
+    *port = sin4->sin_port;
     return 0;
 }
 
@@ -128,9 +130,9 @@ ipv4_h_addr2addr (const char *addr,
 static krb5_boolean
 ipv4_uninteresting (const struct sockaddr *sa)
 {
-    const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
+    const struct sockaddr_in *sin4 = (const struct sockaddr_in *)sa;
 
-    if (sin->sin_addr.s_addr == INADDR_ANY)
+    if (sin4->sin_addr.s_addr == INADDR_ANY)
 	return TRUE;
 
     return FALSE;
@@ -192,6 +194,40 @@ ipv4_parse_addr (krb5_context context, const char *address, krb5_address *addr)
     return 0;
 }
 
+static int
+ipv4_mask_boundary(krb5_context context, const krb5_address *inaddr,
+		   unsigned long len, krb5_address *low, krb5_address *high)
+{
+    unsigned long ia;
+    uint32_t l, h, m = 0xffffffff;
+
+    if (len > 32) {
+	krb5_set_error_string(context, "IPv4 prefix too large (%ld)", len);
+	return KRB5_PROG_ATYPE_NOSUPP;
+    }
+    m = m << (32 - len);
+
+    _krb5_get_int(inaddr->address.data, &ia, inaddr->address.length);
+
+    l = ia & m;
+    h = l | ~m;
+
+    low->addr_type = KRB5_ADDRESS_INET;
+    if(krb5_data_alloc(&low->address, 4) != 0)
+	return -1;
+    _krb5_put_int(low->address.data, l, low->address.length);
+
+    high->addr_type = KRB5_ADDRESS_INET;
+    if(krb5_data_alloc(&high->address, 4) != 0) {
+	krb5_free_address(context, low);
+	return -1;
+    }
+    _krb5_put_int(high->address.data, h, high->address.length);
+
+    return 0;
+}
+
+
 /*
  * AF_INET6 - aka IPv6 implementation
  */
@@ -350,6 +386,55 @@ ipv6_parse_addr (krb5_context context, const char *address, krb5_address *addr)
     return -1;
 }
 
+static int
+ipv6_mask_boundary(krb5_context context, const krb5_address *inaddr,
+		   unsigned long len, krb5_address *low, krb5_address *high)
+{
+    struct in6_addr addr, laddr, haddr;
+    uint32_t m;
+    int i, sub_len;
+
+    if (len > 128) {
+	krb5_set_error_string(context, "IPv6 prefix too large (%ld)", len);
+	return KRB5_PROG_ATYPE_NOSUPP;
+    }
+
+    if (inaddr->address.length != sizeof(addr)) {
+	krb5_set_error_string(context, "IPv6 addr bad length");
+	return KRB5_PROG_ATYPE_NOSUPP;
+    }
+
+    memcpy(&addr, inaddr->address.data, inaddr->address.length);
+
+    for (i = 0; i < 16; i++) {
+	sub_len = min(8, len);
+
+	m = 0xff << (8 - sub_len);
+	
+	laddr.s6_addr[i] = addr.s6_addr[i] & m;
+	haddr.s6_addr[i] = (addr.s6_addr[i] & m) | ~m;
+
+	if (len > 8)
+	    len -= 8;
+	else
+	    len = 0;
+    }
+
+    low->addr_type = KRB5_ADDRESS_INET6;
+    if (krb5_data_alloc(&low->address, sizeof(laddr.s6_addr)) != 0)
+	return -1;
+    memcpy(low->address.data, laddr.s6_addr, sizeof(laddr.s6_addr));
+
+    high->addr_type = KRB5_ADDRESS_INET6;
+    if (krb5_data_alloc(&high->address, sizeof(haddr.s6_addr)) != 0) {
+	krb5_free_address(context, low);
+	return -1;
+    }
+    memcpy(high->address.data, haddr.s6_addr, sizeof(haddr.s6_addr));
+
+    return 0;
+}
+
 #endif /* IPv6 */
 
 /*
@@ -367,8 +452,8 @@ static int
 arange_parse_addr (krb5_context context, 
 		   const char *address, krb5_address *addr)
 {
-    char buf[1024];
-    krb5_addresses low, high;
+    char buf[1024], *p;
+    krb5_address low0, high0;
     struct arange *a;
     krb5_error_code ret;
     
@@ -377,39 +462,84 @@ arange_parse_addr (krb5_context context,
     
     address += 6;
 
-    /* should handle netmasks */
-    strsep_copy(&address, "-", buf, sizeof(buf));
-    ret = krb5_parse_address(context, buf, &low);
-    if(ret)
-	return ret;
-    if(low.len != 1) {
-	krb5_free_addresses(context, &low);
-	return -1;
-    }
+    p = strrchr(address, '/');
+    if (p) {
+	krb5_addresses addrmask;
+	char *q;
+	long num;
 
-    strsep_copy(&address, "-", buf, sizeof(buf));
-    ret = krb5_parse_address(context, buf, &high);
-    if(ret) {
-	krb5_free_addresses(context, &low);
-	return ret;
-    }
+	if (strlcpy(buf, address, sizeof(buf)) > sizeof(buf))
+	    return -1;
+	buf[p - address] = '\0';
+	ret = krb5_parse_address(context, buf, &addrmask);
+	if (ret)
+	    return ret;
+	if(addrmask.len != 1) {
+	    krb5_free_addresses(context, &addrmask);
+	    return -1;
+	}
+	
+	address += p - address + 1;
+
+	num = strtol(address, &q, 10);
+	if (q == address || *q != '\0' || num < 0) {
+	    krb5_free_addresses(context, &addrmask);
+	    return -1;
+	}
+
+	ret = krb5_address_prefixlen_boundary(context, &addrmask.val[0], num,
+					      &low0, &high0);
+	krb5_free_addresses(context, &addrmask);
+	if (ret)
+	    return ret;
 
-    if(high.len != 1 || high.val[0].addr_type != low.val[0].addr_type) {
+    } else {
+	krb5_addresses low, high;
+	
+	strsep_copy(&address, "-", buf, sizeof(buf));
+	ret = krb5_parse_address(context, buf, &low);
+	if(ret)
+	    return ret;
+	if(low.len != 1) {
+	    krb5_free_addresses(context, &low);
+	    return -1;
+	}
+	
+	strsep_copy(&address, "-", buf, sizeof(buf));
+	ret = krb5_parse_address(context, buf, &high);
+	if(ret) {
+	    krb5_free_addresses(context, &low);
+	    return ret;
+	}
+	
+	if(high.len != 1 && high.val[0].addr_type != low.val[0].addr_type) {
+	    krb5_free_addresses(context, &low);
+	    krb5_free_addresses(context, &high);
+	    return -1;
+	}
+
+	ret = krb5_copy_address(context, &high.val[0], &high0);
+	if (ret == 0) {
+	    ret = krb5_copy_address(context, &low.val[0], &low0);
+	    if (ret)
+		krb5_free_address(context, &high0);
+	}
 	krb5_free_addresses(context, &low);
 	krb5_free_addresses(context, &high);
-	return -1;
+	if (ret)
+	    return ret;
     }
 
     krb5_data_alloc(&addr->address, sizeof(*a));
     addr->addr_type = KRB5_ADDRESS_ARANGE;
     a = addr->address.data;
 
-    if(krb5_address_order(context, &low.val[0], &high.val[0]) < 0) {
-	a->low = low.val[0];
-	a->high = high.val[0];
+    if(krb5_address_order(context, &low0, &high0) < 0) {
+	a->low = low0;
+	a->high = high0;
     } else {
-	a->low = high.val[0];
-	a->high = low.val[0];
+	a->low = high0;
+	a->high = low0;
     }
     return 0;
 }
@@ -421,6 +551,7 @@ arange_free (krb5_context context, krb5_address *addr)
     a = addr->address.data;
     krb5_free_address(context, &a->low);
     krb5_free_address(context, &a->high);
+    krb5_data_free(&addr->address);
     return 0;
 }
 
@@ -457,20 +588,35 @@ arange_print_addr (const krb5_address *addr, char *str, size_t len)
 {
     struct arange *a;
     krb5_error_code ret;
-    size_t l, ret_len = 0;
+    size_t l, size, ret_len;
 
     a = addr->address.data;
 
     l = strlcpy(str, "RANGE:", len);
+    ret_len = l;
+    if (l > len)
+	l = len;
+    size = l;
+	
+    ret = krb5_print_address (&a->low, str + size, len - size, &l);
+    if (ret)
+	return ret;
     ret_len += l;
+    if (len - size > l)
+	size += l;
+    else
+	size = len;
 
-    ret = krb5_print_address (&a->low, str + ret_len, len - ret_len, &l);
-    ret_len += l;
-
-    l = strlcat(str, "-", len);
+    l = strlcat(str + size, "-", len - size);
     ret_len += l;
+    if (len - size > l)
+	size += l;
+    else
+	size = len;
 
-    ret = krb5_print_address (&a->high, str + ret_len, len - ret_len, &l);
+    ret = krb5_print_address (&a->high, str + size, len - size, &l);
+    if (ret)
+	return ret;
     ret_len += l;
 
     return ret_len;
@@ -518,10 +664,13 @@ arange_order_addr(krb5_context context,
 static int
 addrport_print_addr (const krb5_address *addr, char *str, size_t len)
 {
+    krb5_error_code ret;
     krb5_address addr1, addr2;
     uint16_t port = 0;
-    size_t ret_len = 0, l;
-    krb5_storage *sp = krb5_storage_from_data((krb5_data*)&addr->address);
+    size_t ret_len = 0, l, size = 0;
+    krb5_storage *sp;
+
+    sp = krb5_storage_from_data((krb5_data*)rk_UNCONST(&addr->address));
     /* for totally obscure reasons, these are not in network byteorder */
     krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_LE);
 
@@ -538,10 +687,24 @@ addrport_print_addr (const krb5_address *addr, char *str, size_t len)
     }
     l = strlcpy(str, "ADDRPORT:", len);
     ret_len += l;
-    krb5_print_address(&addr1, str + ret_len, len - ret_len, &l);
-    ret_len += l;
-    l = snprintf(str + ret_len, len - ret_len, ",PORT=%u", port);
+    if (len > l)
+	size += l;
+    else
+	size = len;
+
+    ret = krb5_print_address(&addr1, str + size, len - size, &l);
+    if (ret)
+	return ret;
     ret_len += l;
+    if (len - size > l)
+	size += l;
+    else
+	size = len;
+
+    ret = snprintf(str + size, len - size, ",PORT=%u", port);
+    if (ret < 0)
+	return EINVAL;
+    ret_len += ret;
     return ret_len;
 }
 
@@ -552,7 +715,8 @@ static struct addr_operations at[] = {
      ipv4_addr2sockaddr,
      ipv4_h_addr2sockaddr,
      ipv4_h_addr2addr,
-     ipv4_uninteresting, ipv4_anyaddr, ipv4_print_addr, ipv4_parse_addr},
+     ipv4_uninteresting, ipv4_anyaddr, ipv4_print_addr, ipv4_parse_addr,
+     NULL, NULL, NULL, ipv4_mask_boundary },
 #ifdef HAVE_IPV6
     {AF_INET6,	KRB5_ADDRESS_INET6, sizeof(struct sockaddr_in6),
      ipv6_sockaddr2addr, 
@@ -560,7 +724,8 @@ static struct addr_operations at[] = {
      ipv6_addr2sockaddr,
      ipv6_h_addr2sockaddr,
      ipv6_h_addr2addr,
-     ipv6_uninteresting, ipv6_anyaddr, ipv6_print_addr, ipv6_parse_addr} ,
+     ipv6_uninteresting, ipv6_anyaddr, ipv6_print_addr, ipv6_parse_addr,
+     NULL, NULL, NULL, ipv6_mask_boundary } ,
 #endif
     {KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_ADDRPORT, 0,
      NULL, NULL, NULL, NULL, NULL, 
@@ -602,7 +767,20 @@ find_atype(int atype)
     return NULL;
 }
 
-krb5_error_code
+/**
+ * krb5_sockaddr2address stores a address a "struct sockaddr" sa in
+ * the krb5_address addr. 
+ *
+ * @param context a Keberos context
+ * @param sa a struct sockaddr to extract the address from
+ * @param addr an Kerberos 5 address to store the address in.
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_address
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_sockaddr2address (krb5_context context,
 		       const struct sockaddr *sa, krb5_address *addr)
 {
@@ -615,7 +793,21 @@ krb5_sockaddr2address (krb5_context context,
     return (*a->sockaddr2addr)(sa, addr);
 }
 
-krb5_error_code
+/**
+ * krb5_sockaddr2port extracts a port (if possible) from a "struct
+ * sockaddr.
+ *
+ * @param context a Keberos context
+ * @param sa a struct sockaddr to extract the port from
+ * @param port a pointer to an int16_t store the port in.
+ *
+ * @return Return an error code or 0. Will return
+ * KRB5_PROG_ATYPE_NOSUPP in case address type is not supported.
+ *
+ * @ingroup krb5_address
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_sockaddr2port (krb5_context context,
 		    const struct sockaddr *sa, int16_t *port)
 {
@@ -628,7 +820,28 @@ krb5_sockaddr2port (krb5_context context,
     return (*a->sockaddr2port)(sa, port);
 }
 
-krb5_error_code
+/**
+ * krb5_addr2sockaddr sets the "struct sockaddr sockaddr" from addr
+ * and port. The argument sa_size should initially contain the size of
+ * the sa and after the call, it will contain the actual length of the
+ * address. In case of the sa is too small to fit the whole address,
+ * the up to *sa_size will be stored, and then *sa_size will be set to
+ * the required length.
+ *
+ * @param context a Keberos context
+ * @param addr the address to copy the from
+ * @param sa the struct sockaddr that will be filled in
+ * @param sa_size pointer to length of sa, and after the call, it will
+ * contain the actual length of the address.
+ * @param port set port in sa.
+ *
+ * @return Return an error code or 0. Will return
+ * KRB5_PROG_ATYPE_NOSUPP in case address type is not supported.
+ *
+ * @ingroup krb5_address
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_addr2sockaddr (krb5_context context,
 		    const krb5_address *addr,
 		    struct sockaddr *sa,
@@ -643,7 +856,8 @@ krb5_addr2sockaddr (krb5_context context,
 	return KRB5_PROG_ATYPE_NOSUPP;
     }
     if (a->addr2sockaddr == NULL) {
-	krb5_set_error_string (context, "Can't convert address type %d to sockaddr",
+	krb5_set_error_string (context,
+			       "Can't convert address type %d to sockaddr",
 			       addr->addr_type);
 	return KRB5_PROG_ATYPE_NOSUPP;
     }
@@ -651,7 +865,16 @@ krb5_addr2sockaddr (krb5_context context,
     return 0;
 }
 
-size_t
+/**
+ * krb5_max_sockaddr_size returns the max size of the .Li struct
+ * sockaddr that the Kerberos library will return.
+ *
+ * @return Return an size_t of the maximum struct sockaddr.
+ *
+ * @ingroup krb5_address
+ */
+
+size_t KRB5_LIB_FUNCTION
 krb5_max_sockaddr_size (void)
 {
     if (max_sockaddr_size == 0) {
@@ -663,7 +886,19 @@ krb5_max_sockaddr_size (void)
     return max_sockaddr_size;
 }
 
-krb5_boolean
+/**
+ * krb5_sockaddr_uninteresting returns TRUE for all .Fa sa that the
+ * kerberos library thinks are uninteresting.  One example are link
+ * local addresses.
+ *
+ * @param sa pointer to struct sockaddr that might be interesting.
+ *
+ * @return Return a non zero for uninteresting addresses.
+ *
+ * @ingroup krb5_address
+ */
+
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_sockaddr_uninteresting(const struct sockaddr *sa)
 {
     struct addr_operations *a = find_af(sa->sa_family);
@@ -672,7 +907,26 @@ krb5_sockaddr_uninteresting(const struct sockaddr *sa)
     return (*a->uninteresting)(sa);
 }
 
-krb5_error_code
+/**
+ * krb5_h_addr2sockaddr initializes a "struct sockaddr sa" from af and
+ * the "struct hostent" (see gethostbyname(3) ) h_addr_list
+ * component. The argument sa_size should initially contain the size
+ * of the sa, and after the call, it will contain the actual length of
+ * the address.
+ *
+ * @param context a Keberos context
+ * @param af addresses
+ * @param addr address
+ * @param sa returned struct sockaddr
+ * @param sa_size size of sa
+ * @param port port to set in sa.
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_address
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_h_addr2sockaddr (krb5_context context,
 		      int af,
 		      const char *addr, struct sockaddr *sa,
@@ -688,7 +942,21 @@ krb5_h_addr2sockaddr (krb5_context context,
     return 0;
 }
 
-krb5_error_code
+/**
+ * krb5_h_addr2addr works like krb5_h_addr2sockaddr with the exception
+ * that it operates on a krb5_address instead of a struct sockaddr.
+ *
+ * @param context a Keberos context
+ * @param af address family
+ * @param haddr host address from struct hostent.
+ * @param addr returned krb5_address.
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_address
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_h_addr2addr (krb5_context context,
 		  int af,
 		  const char *haddr, krb5_address *addr)
@@ -701,7 +969,24 @@ krb5_h_addr2addr (krb5_context context,
     return (*a->h_addr2addr)(haddr, addr);
 }
 
-krb5_error_code
+/**
+ * krb5_anyaddr fills in a "struct sockaddr sa" that can be used to
+ * bind(2) to.  The argument sa_size should initially contain the size
+ * of the sa, and after the call, it will contain the actual length
+ * of the address.
+ *
+ * @param context a Keberos context
+ * @param af address family
+ * @param sa sockaddr
+ * @param sa_size lenght of sa.
+ * @param port for to fill into sa.
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_address
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_anyaddr (krb5_context context,
 	      int af,
 	      struct sockaddr *sa,
@@ -719,12 +1004,28 @@ krb5_anyaddr (krb5_context context,
     return 0;
 }
 
-krb5_error_code
+/**
+ * krb5_print_address prints the address in addr to the string string
+ * that have the length len. If ret_len is not NULL, it will be filled
+ * with the length of the string if size were unlimited (not including
+ * the final NUL) .
+ *
+ * @param addr address to be printed
+ * @param str pointer string to print the address into
+ * @param len length that will fit into area pointed to by "str".
+ * @param ret_len return length the str.
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_address
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_print_address (const krb5_address *addr, 
 		    char *str, size_t len, size_t *ret_len)
 {
-    size_t ret;
     struct addr_operations *a = find_atype(addr->addr_type);
+    int ret;
 
     if (a == NULL || a->print_addr == NULL) {
 	char *s;
@@ -733,13 +1034,13 @@ krb5_print_address (const krb5_address *addr,
 
 	s = str;
 	l = snprintf(s, len, "TYPE_%d:", addr->addr_type);
-	if (l < 0)
+	if (l < 0 || l >= len)
 	    return EINVAL;
 	s += l;
 	len -= l;
 	for(i = 0; i < addr->address.length; i++) {
 	    l = snprintf(s, len, "%02x", ((char*)addr->address.data)[i]);
-	    if (l < 0)
+	    if (l < 0 || l >= len)
 		return EINVAL;
 	    len -= l;
 	    s += l;
@@ -749,12 +1050,27 @@ krb5_print_address (const krb5_address *addr,
 	return 0;
     }
     ret = (*a->print_addr)(addr, str, len);
+    if (ret < 0)
+	return EINVAL;
     if(ret_len != NULL)
 	*ret_len = ret;
     return 0;
 }
 
-krb5_error_code
+/**
+ * krb5_parse_address returns the resolved hostname in string to the
+ * krb5_addresses addresses .
+ *
+ * @param context a Keberos context
+ * @param string
+ * @param addresses
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_address
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_parse_address(krb5_context context,
 		   const char *string,
 		   krb5_addresses *addresses)
@@ -764,11 +1080,18 @@ krb5_parse_address(krb5_context context,
     int error;
     int save_errno;
 
+    addresses->len = 0;
+    addresses->val = NULL;
+
     for(i = 0; i < num_addrs; i++) {
 	if(at[i].parse_addr) {
 	    krb5_address addr;
 	    if((*at[i].parse_addr)(context, string, &addr) == 0) {
 		ALLOC_SEQ(addresses, 1);
+		if (addresses->val == NULL) {
+		    krb5_set_error_string(context, "malloc: out of memory");
+		    return ENOMEM;
+		}
 		addresses->val[0] = addr;
 		return 0;
 	    }
@@ -787,17 +1110,41 @@ krb5_parse_address(krb5_context context,
 	++n;
 
     ALLOC_SEQ(addresses, n);
+    if (addresses->val == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	freeaddrinfo(ai);
+	return ENOMEM;
+    }
 
+    addresses->len = 0;
     for (a = ai, i = 0; a != NULL; a = a->ai_next) {
-	if(krb5_sockaddr2address (context, ai->ai_addr, 
-				  &addresses->val[i]) == 0)
-	    i++;
+	if (krb5_sockaddr2address (context, ai->ai_addr, &addresses->val[i]))
+	    continue;
+	if(krb5_address_search(context, &addresses->val[i], addresses))
+	    continue;
+	addresses->len = i;
+	i++;
     }
     freeaddrinfo (ai);
     return 0;
 }
 
-int
+/**
+ * krb5_address_order compares the addresses addr1 and addr2 so that
+ * it can be used for sorting addresses. If the addresses are the same
+ * address krb5_address_order will return 0. Behavies like memcmp(2). 
+ *
+ * @param context a Keberos context
+ * @param addr1 krb5_address to compare
+ * @param addr2 krb5_address to compare
+ *
+ * @return < 0 if address addr1 in "less" then addr2. 0 if addr1 and
+ * addr2 is the same address, > 0 if addr2 is "less" then addr1.
+ *
+ * @ingroup krb5_address
+ */
+
+int KRB5_LIB_FUNCTION
 krb5_address_order(krb5_context context,
 		   const krb5_address *addr1,
 		   const krb5_address *addr2)
@@ -831,7 +1178,20 @@ krb5_address_order(krb5_context context,
 		   addr1->address.length);
 }
 
-krb5_boolean
+/**
+ * krb5_address_compare compares the addresses  addr1 and addr2.
+ * Returns TRUE if the two addresses are the same.
+ *
+ * @param context a Keberos context
+ * @param addr1 address to compare
+ * @param addr2 address to compare
+ *
+ * @return Return an TRUE is the address are the same FALSE if not
+ *
+ * @ingroup krb5_address
+ */
+
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_address_compare(krb5_context context,
 		     const krb5_address *addr1,
 		     const krb5_address *addr2)
@@ -839,7 +1199,20 @@ krb5_address_compare(krb5_context context,
     return krb5_address_order (context, addr1, addr2) == 0;
 }
 
-krb5_boolean
+/**
+ * krb5_address_search checks if the address addr is a member of the
+ * address set list addrlist .
+ *
+ * @param context a Keberos context.
+ * @param addr address to search for.
+ * @param addrlist list of addresses to look in for addr.
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_address
+ */
+
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_address_search(krb5_context context,
 		    const krb5_address *addr,
 		    const krb5_addresses *addrlist)
@@ -852,18 +1225,43 @@ krb5_address_search(krb5_context context,
     return FALSE;
 }
 
-krb5_error_code
+/**
+ * krb5_free_address frees the data stored in the address that is
+ * alloced with any of the krb5_address functions.
+ *
+ * @param context a Keberos context
+ * @param address addresss to be freed.
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_address
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_free_address(krb5_context context,
 		  krb5_address *address)
 {
-    struct addr_operations *a = find_af (address->addr_type);
+    struct addr_operations *a = find_atype (address->addr_type);
     if(a != NULL && a->free_addr != NULL)
 	return (*a->free_addr)(context, address);
     krb5_data_free (&address->address);
+    memset(address, 0, sizeof(*address));
     return 0;
 }
 
-krb5_error_code
+/**
+ * krb5_free_addresses frees the data stored in the address that is
+ * alloced with any of the krb5_address functions.
+ *
+ * @param context a Keberos context
+ * @param addresses addressses to be freed.
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_address
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_free_addresses(krb5_context context,
 		    krb5_addresses *addresses)
 {
@@ -871,10 +1269,25 @@ krb5_free_addresses(krb5_context context,
     for(i = 0; i < addresses->len; i++)
 	krb5_free_address(context, &addresses->val[i]);
     free(addresses->val);
+    addresses->len = 0;
+    addresses->val = NULL;
     return 0;
 }
 
-krb5_error_code
+/**
+ * krb5_copy_address copies the content of address
+ * inaddr to outaddr.
+ *
+ * @param context a Keberos context
+ * @param inaddr pointer to source address
+ * @param outaddr pointer to destination address
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_address
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_copy_address(krb5_context context,
 		  const krb5_address *inaddr,
 		  krb5_address *outaddr)
@@ -885,7 +1298,20 @@ krb5_copy_address(krb5_context context,
     return copy_HostAddress(inaddr, outaddr);
 }
 
-krb5_error_code
+/**
+ * krb5_copy_addresses copies the content of addresses
+ * inaddr to outaddr.
+ *
+ * @param context a Keberos context
+ * @param inaddr pointer to source addresses
+ * @param outaddr pointer to destination addresses
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_address
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_copy_addresses(krb5_context context,
 		    const krb5_addresses *inaddr,
 		    krb5_addresses *outaddr)
@@ -899,7 +1325,20 @@ krb5_copy_addresses(krb5_context context,
     return 0;
 }
 
-krb5_error_code
+/**
+ * krb5_append_addresses adds the set of addresses in source to
+ * dest. While copying the addresses, duplicates are also sorted out.
+ *
+ * @param context a Keberos context
+ * @param dest destination of copy operation
+ * @param source adresses that are going to be added to dest
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_address
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_append_addresses(krb5_context context,
 		      krb5_addresses *dest,
 		      const krb5_addresses *source)
@@ -929,11 +1368,20 @@ krb5_append_addresses(krb5_context context,
     return 0;
 }
 
-/*
+/**
  * Create an address of type KRB5_ADDRESS_ADDRPORT from (addr, port)
+ *
+ * @param context a Keberos context
+ * @param res built address from addr/port
+ * @param addr address to use
+ * @param port port to use
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_address
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_make_addrport (krb5_context context,
 		    krb5_address **res, const krb5_address *addr, int16_t port)
 {
@@ -951,6 +1399,7 @@ krb5_make_addrport (krb5_context context,
     if (ret) {
 	krb5_set_error_string(context, "malloc: out of memory");
 	free (*res);
+	*res = NULL;
 	return ret;
     }
     p = (*res)->address.data;
@@ -982,3 +1431,33 @@ krb5_make_addrport (krb5_context context,
 
     return 0;
 }
+
+/**
+ * Calculate the boundary addresses of `inaddr'/`prefixlen' and store
+ * them in `low' and `high'.
+ *
+ * @param context a Keberos context
+ * @param inaddr address in prefixlen that the bondery searched
+ * @param prefixlen width of boundery
+ * @param low lowest address
+ * @param high highest address
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_address
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_address_prefixlen_boundary(krb5_context context,
+				const krb5_address *inaddr,
+				unsigned long prefixlen,
+				krb5_address *low,
+				krb5_address *high)
+{
+    struct addr_operations *a = find_atype (inaddr->addr_type);
+    if(a != NULL && a->mask_boundary != NULL)
+	return (*a->mask_boundary)(context, inaddr, prefixlen, low, high);
+    krb5_set_error_string(context, "Address family %d doesn't support "
+			  "address mask operation", inaddr->addr_type);
+    return KRB5_PROG_ATYPE_NOSUPP;
+}
diff --git a/crypto/heimdal/lib/krb5/aes-test.c b/crypto/heimdal/lib/krb5/aes-test.c
index cfee8e2..82b3431 100644
--- a/crypto/heimdal/lib/krb5/aes-test.c
+++ b/crypto/heimdal/lib/krb5/aes-test.c
@@ -31,30 +31,25 @@
  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
 
 #include "krb5_locl.h"
+#include <hex.h>
+#include <err.h>
 
 #ifdef HAVE_OPENSSL
 #include <openssl/evp.h>
 #endif
 
-RCSID("$Id: aes-test.c,v 1.3 2003/03/25 11:30:41 lha Exp $");
+RCSID("$Id: aes-test.c 18301 2006-10-07 13:50:34Z lha $");
 
 static int verbose = 0;
 
 static void
-hex_dump_data(krb5_data *data)
+hex_dump_data(const void *data, size_t length)
 {
-    unsigned char *p = data->data;
-    int i, j;
-
-    for (i = j = 0; i < data->length; i++, j++) {
-	printf("%02x ", p[i]);
-	if (j > 15) {
-	    printf("\n");
-	    j = 0;
-	}
-    }
-    if (j != 0)
-	printf("\n");
+    char *p;
+
+    hex_encode(data, length, &p);
+    printf("%s\n", p);
+    free(p);
 }
 
 struct {
@@ -63,11 +58,10 @@ struct {
     int saltlen;
     int iterations;
     krb5_enctype enctype;
-    int keylen;
+    size_t keylen;
     char *pbkdf2;
     char *key;
 } keys[] = {
-#ifdef ENABLE_AES
     { 
 	"password", "ATHENA.MIT.EDUraeburn", -1,
 	1, 
@@ -185,7 +179,6 @@ struct {
 	"\x4b\x6d\x98\x39\xf8\x44\x06\xdf\x1f\x09\xcc\x16\x6d\xb4\xb8\x3c"
 	"\x57\x18\x48\xb7\x84\xa3\xd6\xbd\xc3\x46\x58\x9a\x3e\x39\x3f\x9e"
     },
-#endif
     {
 	"foo", "", -1, 
 	0,
@@ -207,11 +200,9 @@ string_to_key_test(krb5_context context)
 {
     krb5_data password, opaque;
     krb5_error_code ret;
-    krb5_keyblock key;
     krb5_salt salt;
     int i, val = 0;
     char iter[4];
-    char keyout[32];
 
     for (i = 0; i < sizeof(keys)/sizeof(keys[0]); i++) {
 
@@ -229,119 +220,100 @@ string_to_key_test(krb5_context context)
 	opaque.length = sizeof(iter);
 	_krb5_put_int(iter, keys[i].iterations, 4);
 	
-	if (verbose)
-	    printf("%d: password: %s salt: %s\n",
-		   i, keys[i].password, keys[i].salt);
-
-	if (keys[i].keylen > sizeof(keyout))
-	    abort();
-
-#ifdef ENABLE_AES
 	if (keys[i].pbkdf2) {
+	    unsigned char keyout[32];
+
+	    if (keys[i].keylen > sizeof(keyout))
+		abort();
 
-#ifdef HAVE_OPENSSL
 	    PKCS5_PBKDF2_HMAC_SHA1(password.data, password.length,
 				   salt.saltvalue.data, salt.saltvalue.length,
 				   keys[i].iterations, 
 				   keys[i].keylen, keyout);
 	    
 	    if (memcmp(keyout, keys[i].pbkdf2, keys[i].keylen) != 0) {
-		krb5_warnx(context, "%d: openssl key pbkdf2", i);
+		krb5_warnx(context, "%d: pbkdf2", i);
 		val = 1;
 		continue;
 	    }
-#endif
 	    
-	    ret = krb5_PKCS5_PBKDF2(context, CKSUMTYPE_SHA1, password, salt, 
-				    keys[i].iterations - 1,
-				    keys[i].enctype,
-				    &key);
+	    if (verbose) {
+		printf("PBKDF2:\n");
+		hex_dump_data(keyout, keys[i].keylen);
+	    }
+	}
+
+	{
+	    krb5_keyblock key;
+
+	    ret = krb5_string_to_key_data_salt_opaque (context,
+						       keys[i].enctype,
+						       password, 
+						       salt, 
+						       opaque, 
+						       &key);
 	    if (ret) {
-		krb5_warn(context, ret, "%d: krb5_PKCS5_PBKDF2", i);
+		krb5_warn(context, ret, "%d: string_to_key_data_salt_opaque", 
+			  i);
 		val = 1;
 		continue;
 	    }
 	    
 	    if (key.keyvalue.length != keys[i].keylen) {
-		krb5_warnx(context, "%d: size key pbkdf2", i);
+		krb5_warnx(context, "%d: key wrong length (%lu/%lu)",
+			   i, (unsigned long)key.keyvalue.length, 
+			   (unsigned long)keys[i].keylen);
 		val = 1;
 		continue;
 	    }
-
-	    if (memcmp(key.keyvalue.data, keys[i].pbkdf2, keys[i].keylen) != 0) {
-		krb5_warnx(context, "%d: key pbkdf2 pl %d", 
-			   i, password.length);
+	    
+	    if (memcmp(key.keyvalue.data, keys[i].key, keys[i].keylen) != 0) {
+		krb5_warnx(context, "%d: key wrong", i);
 		val = 1;
 		continue;
 	    }
-
+	    
 	    if (verbose) {
-		printf("PBKDF2:\n");
-		hex_dump_data(&key.keyvalue);
+		printf("key:\n");
+		hex_dump_data(key.keyvalue.data, key.keyvalue.length);
 	    }
-	    
 	    krb5_free_keyblock_contents(context, &key);
 	}
-#endif
-
-	ret = krb5_string_to_key_data_salt_opaque (context, keys[i].enctype,
-						   password, salt, opaque, 
-						   &key);
-	if (ret) {
-	    krb5_warn(context, ret, "%d: string_to_key_data_salt_opaque", i);
-	    val = 1;
-	    continue;
-	}
-
-	if (key.keyvalue.length != keys[i].keylen) {
-	    krb5_warnx(context, "%d: key wrong length (%d/%d)",
-		       i, key.keyvalue.length, keys[i].keylen);
-	    val = 1;
-	    continue;
-	}
-
-	if (memcmp(key.keyvalue.data, keys[i].key, keys[i].keylen) != 0) {
-	    krb5_warnx(context, "%d: key wrong", i);
-	    val = 1;
-	    continue;
-	}
-	
-	if (verbose) {
-	    printf("key:\n");
-	    hex_dump_data(&key.keyvalue);
-	}
-	krb5_free_keyblock_contents(context, &key);
     }
     return val;
 }
 
-#ifdef ENABLE_AES
-
-struct {
+struct enc_test {
     size_t len;
     char *input;
     char *output;
-} encs[] = {
+    char *nextiv;
+};
+
+struct enc_test encs1[] = {
     {
 	17,
 	"\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
 	"\x20",
 	"\xc6\x35\x35\x68\xf2\xbf\x8c\xb4\xd8\xa5\x80\x36\x2d\xa7\xff\x7f"
-	"\x97"
+	"\x97",
+	"\xc6\x35\x35\x68\xf2\xbf\x8c\xb4\xd8\xa5\x80\x36\x2d\xa7\xff\x7f"
     },
     {
 	31,
 	"\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
 	"\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20",
 	"\xfc\x00\x78\x3e\x0e\xfd\xb2\xc1\xd4\x45\xd4\xc8\xef\xf7\xed\x22"
-	"\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5"
+	"\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5",
+	"\xfc\x00\x78\x3e\x0e\xfd\xb2\xc1\xd4\x45\xd4\xc8\xef\xf7\xed\x22"
     },
     {
 	32,
 	"\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
 	"\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43",
 	"\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5\xa8"
-	"\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84"
+	"\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84",
+	"\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5\xa8"
     },
     {
 	47,
@@ -350,7 +322,18 @@ struct {
 	"\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c",
 	"\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84"
 	"\xb3\xff\xfd\x94\x0c\x16\xa1\x8c\x1b\x55\x49\xd2\xf8\x38\x02\x9e"
-	"\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5"
+	"\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5",
+	"\xb3\xff\xfd\x94\x0c\x16\xa1\x8c\x1b\x55\x49\xd2\xf8\x38\x02\x9e"
+    },
+    {
+	48,
+	"\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
+	"\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43"
+	"\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20",
+	"\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84"
+	"\x9d\xad\x8b\xbb\x96\xc4\xcd\xc0\x3b\xc1\x03\xe1\xa1\x94\xbb\xd8"
+	"\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5\xa8",
+	"\x9d\xad\x8b\xbb\x96\xc4\xcd\xc0\x3b\xc1\x03\xe1\xa1\x94\xbb\xd8"
     },
     {
 	64,
@@ -361,16 +344,137 @@ struct {
 	"\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84"
 	"\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5\xa8"
 	"\x48\x07\xef\xe8\x36\xee\x89\xa5\x26\x73\x0d\xbc\x2f\x7b\xc8\x40"
-	"\x9d\xad\x8b\xbb\x96\xc4\xcd\xc0\x3b\xc1\x03\xe1\xa1\x94\xbb\xd8"
+	"\x9d\xad\x8b\xbb\x96\xc4\xcd\xc0\x3b\xc1\x03\xe1\xa1\x94\xbb\xd8",
+	"\x48\x07\xef\xe8\x36\xee\x89\xa5\x26\x73\x0d\xbc\x2f\x7b\xc8\x40"
     }
 };
 	
-char *enc_key =
+
+struct enc_test encs2[] = {
+    {
+	17,
+	"\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
+	"\x20",
+	"\x5c\x13\x26\x27\xc4\xcb\xca\x04\x14\x43\x8a\xb5\x97\x97\x7c\x10"
+	"\x16"
+    },
+    {
+	31,
+	"\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
+	"\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20",
+	"\x16\xb3\xd8\xe5\xcd\x93\xe6\x2c\x28\x70\xa0\x36\x6e\x9a\xb9\x74"
+	"\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53"
+    },
+    {
+	32,
+	"\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
+	"\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43",
+	"\x69\xde\xce\x59\x83\x6a\x82\xe1\xcd\x21\x93\xd0\x9e\x2a\xff\xc8"
+	"\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53\x0c"
+    },
+    {
+	47,
+	"\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
+	"\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43"
+	"\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c",
+	"\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53\x0c"
+	"\xe5\x56\xb4\x88\x41\xb9\xde\x27\xf0\x07\xa1\x6e\x89\x94\x47\xf1"
+	"\x69\xde\xce\x59\x83\x6a\x82\xe1\xcd\x21\x93\xd0\x9e\x2a\xff"
+    },
+    {
+	48,
+	"\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
+	"\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43"
+	"\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20",
+	"\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53\x0c"
+	"\xfd\x68\xd1\x56\x32\x23\x7b\xfa\xb0\x09\x86\x3b\x17\x53\xfa\x30"
+	"\x69\xde\xce\x59\x83\x6a\x82\xe1\xcd\x21\x93\xd0\x9e\x2a\xff\xc8"
+    },
+    {
+	64,
+	"\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
+	"\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43"
+	"\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20"
+	"\x61\x6e\x64\x20\x77\x6f\x6e\x74\x6f\x6e\x20\x73\x6f\x75\x70\x2e",
+	"\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53\x0c"
+	"\x69\xde\xce\x59\x83\x6a\x82\xe1\xcd\x21\x93\xd0\x9e\x2a\xff\xc8"
+	"\x70\x29\xf2\x6f\x7c\x79\xc1\x77\x91\xad\x94\xb0\x78\x62\x27\x67"
+	"\xfd\x68\xd1\x56\x32\x23\x7b\xfa\xb0\x09\x86\x3b\x17\x53\xfa\x30"
+    },
+    {
+	78,
+	"\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
+	"\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43"
+	"\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20"
+	"\x61\x6e\x64\x20\x77\x6f\x6e\x74\x6f\x6e\x20\x73\x6f\x75\x70\x2e"
+	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41",
+	"\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53\x0c"
+	"\x69\xde\xce\x59\x83\x6a\x82\xe1\xcd\x21\x93\xd0\x9e\x2a\xff\xc8"
+	"\xfd\x68\xd1\x56\x32\x23\x7b\xfa\xb0\x09\x86\x3b\x17\x53\xfa\x30"
+	"\x73\xfb\x2c\x36\x76\xaf\xcf\x31\xff\xe3\x8a\x89\x0c\x7e\x99\x3f"
+	"\x70\x29\xf2\x6f\x7c\x79\xc1\x77\x91\xad\x94\xb0\x78\x62"
+    },
+    {
+	83,
+	"\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
+	"\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43"
+	"\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20"
+	"\x61\x6e\x64\x20\x77\x6f\x6e\x74\x6f\x6e\x20\x73\x6f\x75\x70\x2e"
+	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+	"\x41\x41\x41",
+	"\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53\x0c"
+	"\x69\xde\xce\x59\x83\x6a\x82\xe1\xcd\x21\x93\xd0\x9e\x2a\xff\xc8"
+	"\xfd\x68\xd1\x56\x32\x23\x7b\xfa\xb0\x09\x86\x3b\x17\x53\xfa\x30"
+	"\x70\x29\xf2\x6f\x7c\x79\xc1\x77\x91\xad\x94\xb0\x78\x62\x27\x67"
+	"\x65\x39\x3a\xdb\x92\x05\x4d\x4f\x08\xa1\xfa\x59\xda\x56\x58\x0e"
+	"\x3b\xac\x12"
+    },
+    {
+	92,
+	"\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
+	"\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43"
+	"\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20"
+	"\x61\x6e\x64\x20\x77\x6f\x6e\x74\x6f\x6e\x20\x73\x6f\x75\x70\x2e"
+	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41",
+	"\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53\x0c"
+	"\x69\xde\xce\x59\x83\x6a\x82\xe1\xcd\x21\x93\xd0\x9e\x2a\xff\xc8"
+	"\xfd\x68\xd1\x56\x32\x23\x7b\xfa\xb0\x09\x86\x3b\x17\x53\xfa\x30"
+	"\x70\x29\xf2\x6f\x7c\x79\xc1\x77\x91\xad\x94\xb0\x78\x62\x27\x67"
+	"\x0c\xff\xd7\x63\x50\xf8\x4e\xf9\xec\x56\x1c\x79\xc5\xc8\xfe\x50"
+	"\x3b\xac\x12\x6e\xd3\x2d\x02\xc4\xe5\x06\x43\x5f"
+    },
+    {
+	96,
+	"\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65"
+	"\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43"
+	"\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20"
+	"\x61\x6e\x64\x20\x77\x6f\x6e\x74\x6f\x6e\x20\x73\x6f\x75\x70\x2e"
+	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41",
+	"\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53\x0c"
+	"\x69\xde\xce\x59\x83\x6a\x82\xe1\xcd\x21\x93\xd0\x9e\x2a\xff\xc8"
+	"\xfd\x68\xd1\x56\x32\x23\x7b\xfa\xb0\x09\x86\x3b\x17\x53\xfa\x30"
+	"\x70\x29\xf2\x6f\x7c\x79\xc1\x77\x91\xad\x94\xb0\x78\x62\x27\x67"
+	"\x08\x28\x49\xad\xfc\x2d\x8e\x86\xae\x69\xa5\xa8\xd9\x29\x9e\xe4"
+	"\x3b\xac\x12\x6e\xd3\x2d\x02\xc4\xe5\x06\x43\x5f\x4c\x41\xd1\xb8"
+    }
+};
+
+
+
+char *aes_key1 = 
 	"\x63\x68\x69\x63\x6b\x65\x6e\x20\x74\x65\x72\x69\x79\x61\x6b\x69";
 
+char *aes_key2 =
+	"\x63\x68\x69\x63\x6b\x65\x6e\x20\x74\x65\x72\x69\x79\x61\x6b\x69"
+	"\x2c\x20\x79\x75\x6d\x6d\x79\x20\x79\x75\x6d\x6d\x79\x21\x21\x21";
+
+
 static int
-samep(int testn, char *type, const char *p1, const char *p2, size_t len)
+samep(int testn, char *type, const void *pp1, const void *pp2, size_t len)
 {
+    const unsigned char *p1 = pp1, *p2 = pp2;
     size_t i;
     int val = 1;
 
@@ -390,59 +494,258 @@ samep(int testn, char *type, const char *p1, const char *p2, size_t len)
 }
 
 static int
-encryption_test(krb5_context context)
+encryption_test(krb5_context context, const void *key, size_t keylen,
+		struct enc_test *enc, int numenc)
 {
-    char iv[AES_BLOCK_SIZE];
-    int i, val = 0;
+    unsigned char iv[AES_BLOCK_SIZE];
+    int i, val, failed = 0;
     AES_KEY ekey, dkey;
-    char *p;
+    unsigned char *p;
+
+    AES_set_encrypt_key(key, keylen, &ekey);
+    AES_set_decrypt_key(key, keylen, &dkey);
 
-    AES_set_encrypt_key(enc_key, 128, &ekey);
-    AES_set_decrypt_key(enc_key, 128, &dkey);
+    for (i = 0; i < numenc; i++) {
+	val = 0;
 
-    for (i = 0; i < sizeof(encs)/sizeof(encs[0]); i++) {
 	if (verbose)
 	    printf("test: %d\n", i);
 	memset(iv, 0, sizeof(iv));
 
-	p = malloc(encs[i].len + 1);
+	p = malloc(enc[i].len + 1);
 	if (p == NULL)
 	    krb5_errx(context, 1, "malloc");
 
-	p[encs[i].len] = '\0';
+	p[enc[i].len] = '\0';
 
-	memcpy(p, encs[i].input, encs[i].len);
+	memcpy(p, enc[i].input, enc[i].len);
 
-	_krb5_aes_cts_encrypt(p, p, encs[i].len, 
+	_krb5_aes_cts_encrypt(p, p, enc[i].len,
 			      &ekey, iv, AES_ENCRYPT);
 
-	if (p[encs[i].len] != '\0') {
+	if (p[enc[i].len] != '\0') {
 	    krb5_warnx(context, "%d: encrypt modified off end", i);
 	    val = 1;
 	}
 
-	if (!samep(i, "cipher", p, encs[i].output, encs[i].len))
+	if (!samep(i, "cipher", p, enc[i].output, enc[i].len)) {
+	    krb5_warnx(context, "%d: cipher", i);
 	    val = 1;
+	}
+
+	if (enc[i].nextiv && !samep(i, "iv", iv, enc[i].nextiv, 16)){ /*XXX*/ 
+	    krb5_warnx(context, "%d: iv", i);
+	    val = 1;
+	}
 
 	memset(iv, 0, sizeof(iv));
 
-	_krb5_aes_cts_encrypt(p, p, encs[i].len, 
+	_krb5_aes_cts_encrypt(p, p, enc[i].len,
 			      &dkey, iv, AES_DECRYPT);
 
-	if (p[encs[i].len] != '\0') {
+	if (p[enc[i].len] != '\0') {
 	    krb5_warnx(context, "%d: decrypt modified off end", i);
 	    val = 1;
 	}
 
-	if (!samep(i, "clear", p, encs[i].input, encs[i].len))
+	if (!samep(i, "clear", p, enc[i].input, enc[i].len))
 	    val = 1;
 
+	if (enc[i].nextiv && !samep(i, "iv", iv, enc[i].nextiv, 16)){ /*XXX*/ 
+	    krb5_warnx(context, "%d: iv", i);
+	    val = 1;
+	}
+
 	free(p);
+
+	if (val) {
+	    printf("test %d failed\n", i);
+	    failed = 1;
+	}
+	val = 0;
     }
-    return val;
+    return failed;
+}
+
+static int
+krb_enc(krb5_context context,
+	krb5_crypto crypto, 
+	unsigned usage,
+	krb5_data *cipher, 
+	krb5_data *clear)
+{
+    krb5_data decrypt;
+    krb5_error_code ret;
+
+    krb5_data_zero(&decrypt);
+
+    ret = krb5_decrypt(context,
+		       crypto,
+		       usage,
+		       cipher->data,
+		       cipher->length,
+		       &decrypt);
+
+    if (ret) {
+	krb5_warn(context, ret, "krb5_decrypt");
+	return ret;
+    }
+
+    if (decrypt.length != clear->length ||
+	memcmp(decrypt.data, clear->data, decrypt.length) != 0) {
+	krb5_warnx(context, "clear text not same");
+	return EINVAL;
+    }
+
+    krb5_data_free(&decrypt);
+
+    return 0;
+}
+
+static int
+krb_enc_mit(krb5_context context,
+	    krb5_enctype enctype,
+	    krb5_keyblock *key,
+	    unsigned usage,
+	    krb5_data *cipher, 
+	    krb5_data *clear)
+{
+    krb5_error_code ret;
+    krb5_enc_data e;
+    krb5_data decrypt;
+    size_t len;
+
+    e.kvno = 0;
+    e.enctype = enctype;
+    e.ciphertext = *cipher;
+
+    ret = krb5_c_decrypt(context, *key, usage, NULL, &e, &decrypt);
+    if (ret)
+	return ret;
+
+    if (decrypt.length != clear->length ||
+	memcmp(decrypt.data, clear->data, decrypt.length) != 0) {
+	krb5_warnx(context, "clear text not same");
+	return EINVAL;
+    }
+
+    krb5_data_free(&decrypt);
+
+    ret = krb5_c_encrypt_length(context, enctype, clear->length, &len);
+    if (ret)
+	return ret;
+
+    if (len != cipher->length) {
+	krb5_warnx(context, "c_encrypt_length wrong %lu != %lu",
+		   (unsigned long)len, (unsigned long)cipher->length);
+	return EINVAL;
+    }
+
+    return 0;
+}
+
+
+struct {
+    krb5_enctype enctype;
+    unsigned usage;
+    size_t keylen;
+    void *key;
+    size_t elen;
+    void* edata;
+    size_t plen;
+    void *pdata;
+} krbencs[] =  {
+    { 
+	ETYPE_AES256_CTS_HMAC_SHA1_96,
+	7,
+	32,   
+	"\x47\x75\x69\x64\x65\x6c\x69\x6e\x65\x73\x20\x74\x6f\x20\x41\x75"
+	"\x74\x68\x6f\x72\x73\x20\x6f\x66\x20\x49\x6e\x74\x65\x72\x6e\x65",
+	44,
+	"\xcf\x79\x8f\x0d\x76\xf3\xe0\xbe\x8e\x66\x94\x70\xfa\xcc\x9e\x91"
+	"\xa9\xec\x1c\x5c\x21\xfb\x6e\xef\x1a\x7a\xc8\xc1\xcc\x5a\x95\x24"
+	"\x6f\x9f\xf4\xd5\xbe\x5d\x59\x97\x44\xd8\x47\xcd",
+	16,
+	"\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x2e\x0a"
+    }
+};
+
+
+static int
+krb_enc_test(krb5_context context)
+{
+    krb5_error_code ret;
+    krb5_crypto crypto;
+    krb5_keyblock kb;
+    krb5_data cipher, plain;
+    int i, failed = 0;
+
+    for (i = 0; i < sizeof(krbencs)/sizeof(krbencs[0]); i++) {
+
+	kb.keytype = krbencs[i].enctype;
+	kb.keyvalue.length = krbencs[i].keylen;
+	kb.keyvalue.data = krbencs[i].key;
+
+	ret = krb5_crypto_init(context, &kb, krbencs[i].enctype, &crypto);
+
+	cipher.length = krbencs[i].elen;
+	cipher.data = krbencs[i].edata;
+	plain.length = krbencs[i].plen;
+	plain.data = krbencs[i].pdata;
+	
+	ret = krb_enc(context, crypto, krbencs[i].usage, &cipher, &plain);
+		       
+	if (ret) {
+	    failed = 1;
+	    printf("krb_enc failed with %d\n", ret);
+	}
+	krb5_crypto_destroy(context, crypto);
+
+	ret = krb_enc_mit(context, krbencs[i].enctype, &kb, 
+			  krbencs[i].usage, &cipher, &plain);
+	if (ret) {
+	    failed = 1;
+	    printf("krb_enc_mit failed with %d\n", ret);
+	}
+
+    }
+
+    return failed;
+}
+
+
+static int
+random_to_key(krb5_context context)
+{
+    krb5_error_code ret;
+    krb5_keyblock key;
+
+    ret = krb5_random_to_key(context,
+			     ETYPE_DES3_CBC_SHA1,
+			     "\x21\x39\x04\x58\x6A\xBD\x7F"
+			     "\x21\x39\x04\x58\x6A\xBD\x7F"
+			     "\x21\x39\x04\x58\x6A\xBD\x7F",
+			     21,
+			     &key);
+    if (ret){
+	krb5_warn(context, ret, "random_to_key");
+	return 1;
+    }
+    if (key.keyvalue.length != 24)
+	return 1;
+
+    if (memcmp(key.keyvalue.data,
+	       "\x20\x38\x04\x58\x6b\xbc\x7f\xc7"
+	       "\x20\x38\x04\x58\x6b\xbc\x7f\xc7"
+	       "\x20\x38\x04\x58\x6b\xbc\x7f\xc7",
+	       24) != 0)
+	return 1;
+
+    krb5_free_keyblock_contents(context, &key);
+
+    return 0;
 }
 
-#endif /* ENABLE_AES */
 
 int
 main(int argc, char **argv)
@@ -457,9 +760,12 @@ main(int argc, char **argv)
 
     val |= string_to_key_test(context);
 
-#ifdef ENABLE_AES
-    val |= encryption_test(context);
-#endif
+    val |= encryption_test(context, aes_key1, 128,
+			   encs1, sizeof(encs1)/sizeof(encs1[0]));
+    val |= encryption_test(context, aes_key2, 256, 
+			   encs2, sizeof(encs2)/sizeof(encs2[0]));
+    val |= krb_enc_test(context);
+    val |= random_to_key(context);
 
     if (verbose && val == 0)
 	printf("all ok\n");
diff --git a/crypto/heimdal/lib/krb5/aname_to_localname.c b/crypto/heimdal/lib/krb5/aname_to_localname.c
index d5b5f87..5800404 100644
--- a/crypto/heimdal/lib/krb5/aname_to_localname.c
+++ b/crypto/heimdal/lib/krb5/aname_to_localname.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999, 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 1999, 2002 - 2003 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,9 +33,9 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: aname_to_localname.c,v 1.6 2003/04/16 16:01:06 lha Exp $");
+RCSID("$Id: aname_to_localname.c 13863 2004-05-25 21:46:46Z lha $");
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_aname_to_localname (krb5_context context,
 			 krb5_const_principal aname,
 			 size_t lnsize,
diff --git a/crypto/heimdal/lib/krb5/appdefault.c b/crypto/heimdal/lib/krb5/appdefault.c
index 831b603..b0bb171 100644
--- a/crypto/heimdal/lib/krb5/appdefault.c
+++ b/crypto/heimdal/lib/krb5/appdefault.c
@@ -33,9 +33,9 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: appdefault.c,v 1.7 2001/09/16 04:48:55 assar Exp $");
+RCSID("$Id: appdefault.c 14465 2005-01-05 05:40:59Z lukeh $");
 
-void
+void KRB5_LIB_FUNCTION
 krb5_appdefault_boolean(krb5_context context, const char *appname, 
 			krb5_const_realm realm, const char *option,
 			krb5_boolean def_val, krb5_boolean *ret_val)
@@ -77,7 +77,7 @@ krb5_appdefault_boolean(krb5_context context, const char *appname,
     *ret_val = def_val;
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_appdefault_string(krb5_context context, const char *appname, 
 		       krb5_const_realm realm, const char *option,
 		       const char *def_val, char **ret_val)
@@ -121,17 +121,22 @@ krb5_appdefault_string(krb5_context context, const char *appname,
 	*ret_val = NULL;
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_appdefault_time(krb5_context context, const char *appname,
 		     krb5_const_realm realm, const char *option,
 		     time_t def_val, time_t *ret_val)
 {
-    time_t t;
-    char tstr[32];
+    krb5_deltat t;
     char *val;
-    snprintf(tstr, sizeof(tstr), "%ld", (long)def_val);
-    krb5_appdefault_string(context, appname, realm, option, tstr, &val);
-    t = parse_time (val, NULL);
+
+    krb5_appdefault_string(context, appname, realm, option, NULL, &val);
+    if (val == NULL) {
+	*ret_val = def_val;
+	return;
+    }
+    if (krb5_string_to_deltat(val, &t))
+	*ret_val = def_val;
+    else
+	*ret_val = t;
     free(val);
-    *ret_val = t;
 }
diff --git a/crypto/heimdal/lib/krb5/asn1_glue.c b/crypto/heimdal/lib/krb5/asn1_glue.c
index ac83ff7..b3f775b 100644
--- a/crypto/heimdal/lib/krb5/asn1_glue.c
+++ b/crypto/heimdal/lib/krb5/asn1_glue.c
@@ -37,23 +37,28 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: asn1_glue.c,v 1.7 1999/12/02 17:05:07 joda Exp $");
+RCSID("$Id: asn1_glue.c 21745 2007-07-31 16:11:25Z lha $");
 
-krb5_error_code
-krb5_principal2principalname (PrincipalName *p,
-			      const krb5_principal from)
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_principal2principalname (PrincipalName *p,
+			       const krb5_principal from)
 {
     return copy_PrincipalName(&from->name, p);
 }
 
-krb5_error_code
-principalname2krb5_principal (krb5_principal *principal,
-			      const PrincipalName from,
-			      const Realm realm)
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_principalname2krb5_principal (krb5_context context,
+				    krb5_principal *principal,
+				    const PrincipalName from,
+				    const Realm realm)
 {
     krb5_principal p = malloc(sizeof(*p));
+    if (p == NULL)
+	return ENOMEM;
     copy_PrincipalName(&from, &p->name);
     p->realm = strdup(realm);
+    if (p->realm == NULL)
+	return ENOMEM;
     *principal = p;
     return 0;
 }
diff --git a/crypto/heimdal/lib/krb5/auth_context.c b/crypto/heimdal/lib/krb5/auth_context.c
index 2e7a8f4..323f17a 100644
--- a/crypto/heimdal/lib/krb5/auth_context.c
+++ b/crypto/heimdal/lib/krb5/auth_context.c
@@ -33,9 +33,9 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: auth_context.c,v 1.59 2002/09/02 17:11:02 joda Exp $");
+RCSID("$Id: auth_context.c 21745 2007-07-31 16:11:25Z lha $");
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_init(krb5_context context,
 		   krb5_auth_context *auth_context)
 {
@@ -66,7 +66,7 @@ krb5_auth_con_init(krb5_context context,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_free(krb5_context context,
 		   krb5_auth_context auth_context)
 {
@@ -88,7 +88,7 @@ krb5_auth_con_free(krb5_context context,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setflags(krb5_context context,
 		       krb5_auth_context auth_context,
 		       int32_t flags)
@@ -98,7 +98,7 @@ krb5_auth_con_setflags(krb5_context context,
 }
 
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_getflags(krb5_context context,
 		       krb5_auth_context auth_context,
 		       int32_t *flags)
@@ -107,8 +107,31 @@ krb5_auth_con_getflags(krb5_context context,
     return 0;
 }
 
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_auth_con_addflags(krb5_context context,
+		       krb5_auth_context auth_context,
+		       int32_t addflags,
+		       int32_t *flags)
+{
+    if (flags)
+	*flags = auth_context->flags;
+    auth_context->flags |= addflags;
+    return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_auth_con_removeflags(krb5_context context,
+			  krb5_auth_context auth_context,
+			  int32_t removeflags,
+			  int32_t *flags)
+{
+    if (flags)
+	*flags = auth_context->flags;
+    auth_context->flags &= ~removeflags;
+    return 0;
+}
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setaddrs(krb5_context context,
 		       krb5_auth_context auth_context,
 		       krb5_address *local_addr,
@@ -118,20 +141,22 @@ krb5_auth_con_setaddrs(krb5_context context,
 	if (auth_context->local_address)
 	    krb5_free_address (context, auth_context->local_address);
 	else
-	    auth_context->local_address = malloc(sizeof(krb5_address));
+	    if ((auth_context->local_address = malloc(sizeof(krb5_address))) == NULL)
+		return ENOMEM;
 	krb5_copy_address(context, local_addr, auth_context->local_address);
     }
     if (remote_addr) {
 	if (auth_context->remote_address)
 	    krb5_free_address (context, auth_context->remote_address);
 	else
-	    auth_context->remote_address = malloc(sizeof(krb5_address));
+	    if ((auth_context->remote_address = malloc(sizeof(krb5_address))) == NULL)
+		return ENOMEM;
 	krb5_copy_address(context, remote_addr, auth_context->remote_address);
     }
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_genaddrs(krb5_context context, 
 		       krb5_auth_context auth_context, 
 		       int fd, int flags)
@@ -190,7 +215,7 @@ krb5_auth_con_genaddrs(krb5_context context,
 
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setaddrs_from_fd (krb5_context context,
 				krb5_auth_context auth_context,
 				void *p_fd)
@@ -204,7 +229,7 @@ krb5_auth_con_setaddrs_from_fd (krb5_context context,
     return krb5_auth_con_genaddrs(context, auth_context, fd, flags);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_getaddrs(krb5_context context,
 		       krb5_auth_context auth_context,
 		       krb5_address **local_addr,
@@ -247,7 +272,7 @@ copy_key(krb5_context context,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_getkey(krb5_context context,
 		     krb5_auth_context auth_context,
 		     krb5_keyblock **keyblock)
@@ -255,7 +280,7 @@ krb5_auth_con_getkey(krb5_context context,
     return copy_key(context, auth_context->keyblock, keyblock);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_getlocalsubkey(krb5_context context,
 			     krb5_auth_context auth_context,
 			     krb5_keyblock **keyblock)
@@ -263,7 +288,7 @@ krb5_auth_con_getlocalsubkey(krb5_context context,
     return copy_key(context, auth_context->local_subkey, keyblock);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_getremotesubkey(krb5_context context,
 			      krb5_auth_context auth_context,
 			      krb5_keyblock **keyblock)
@@ -271,7 +296,7 @@ krb5_auth_con_getremotesubkey(krb5_context context,
     return copy_key(context, auth_context->remote_subkey, keyblock);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setkey(krb5_context context,
 		     krb5_auth_context auth_context,
 		     krb5_keyblock *keyblock)
@@ -281,7 +306,7 @@ krb5_auth_con_setkey(krb5_context context,
     return copy_key(context, keyblock, &auth_context->keyblock);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setlocalsubkey(krb5_context context,
 			     krb5_auth_context auth_context,
 			     krb5_keyblock *keyblock)
@@ -291,7 +316,7 @@ krb5_auth_con_setlocalsubkey(krb5_context context,
     return copy_key(context, keyblock, &auth_context->local_subkey);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_generatelocalsubkey(krb5_context context,
 				  krb5_auth_context auth_context,
 				  krb5_keyblock *key)
@@ -299,7 +324,9 @@ krb5_auth_con_generatelocalsubkey(krb5_context context,
     krb5_error_code ret;
     krb5_keyblock *subkey;
 
-    ret = krb5_generate_subkey (context, key, &subkey);
+    ret = krb5_generate_subkey_extended (context, key,
+					 auth_context->keytype,
+					 &subkey);
     if(ret)
 	return ret;
     if(auth_context->local_subkey)
@@ -309,7 +336,7 @@ krb5_auth_con_generatelocalsubkey(krb5_context context,
 }
 
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setremotesubkey(krb5_context context,
 			      krb5_auth_context auth_context,
 			      krb5_keyblock *keyblock)
@@ -319,7 +346,7 @@ krb5_auth_con_setremotesubkey(krb5_context context,
     return copy_key(context, keyblock, &auth_context->remote_subkey);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setcksumtype(krb5_context context,
 			   krb5_auth_context auth_context,
 			   krb5_cksumtype cksumtype)
@@ -328,7 +355,7 @@ krb5_auth_con_setcksumtype(krb5_context context,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_getcksumtype(krb5_context context,
 			   krb5_auth_context auth_context,
 			   krb5_cksumtype *cksumtype)
@@ -337,7 +364,7 @@ krb5_auth_con_getcksumtype(krb5_context context,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setkeytype (krb5_context context,
 			  krb5_auth_context auth_context,
 			  krb5_keytype keytype)
@@ -346,7 +373,7 @@ krb5_auth_con_setkeytype (krb5_context context,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_getkeytype (krb5_context context,
 			  krb5_auth_context auth_context,
 			  krb5_keytype *keytype)
@@ -356,7 +383,7 @@ krb5_auth_con_getkeytype (krb5_context context,
 }
 
 #if 0
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setenctype(krb5_context context,
 			 krb5_auth_context auth_context,
 			 krb5_enctype etype)
@@ -370,7 +397,7 @@ krb5_auth_con_setenctype(krb5_context context,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_getenctype(krb5_context context,
 			 krb5_auth_context auth_context,
 			 krb5_enctype *etype)
@@ -379,7 +406,7 @@ krb5_auth_con_getenctype(krb5_context context,
 }
 #endif
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_getlocalseqnumber(krb5_context context,
 			    krb5_auth_context auth_context,
 			    int32_t *seqnumber)
@@ -388,7 +415,7 @@ krb5_auth_con_getlocalseqnumber(krb5_context context,
   return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setlocalseqnumber (krb5_context context,
 			     krb5_auth_context auth_context,
 			     int32_t seqnumber)
@@ -397,7 +424,7 @@ krb5_auth_con_setlocalseqnumber (krb5_context context,
   return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_getremoteseqnumber(krb5_context context,
 			     krb5_auth_context auth_context,
 			     int32_t *seqnumber)
@@ -406,7 +433,7 @@ krb5_auth_getremoteseqnumber(krb5_context context,
   return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setremoteseqnumber (krb5_context context,
 			      krb5_auth_context auth_context,
 			      int32_t seqnumber)
@@ -416,7 +443,7 @@ krb5_auth_con_setremoteseqnumber (krb5_context context,
 }
 
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_getauthenticator(krb5_context context,
 			   krb5_auth_context auth_context,
 			   krb5_authenticator *authenticator)
@@ -433,7 +460,7 @@ krb5_auth_con_getauthenticator(krb5_context context,
 }
 
 
-void
+void KRB5_LIB_FUNCTION
 krb5_free_authenticator(krb5_context context,
 			krb5_authenticator *authenticator)
 {
@@ -443,7 +470,7 @@ krb5_free_authenticator(krb5_context context,
 }
 
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setuserkey(krb5_context context,
 			 krb5_auth_context auth_context,
 			 krb5_keyblock *keyblock)
@@ -453,7 +480,7 @@ krb5_auth_con_setuserkey(krb5_context context,
     return krb5_copy_keyblock(context, keyblock, &auth_context->keyblock);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_getrcache(krb5_context context,
 			krb5_auth_context auth_context,
 			krb5_rcache *rcache)
@@ -462,7 +489,7 @@ krb5_auth_con_getrcache(krb5_context context,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setrcache(krb5_context context,
 			krb5_auth_context auth_context,
 			krb5_rcache rcache)
@@ -473,7 +500,7 @@ krb5_auth_con_setrcache(krb5_context context,
 
 #if 0 /* not implemented */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_initivector(krb5_context context,
 			  krb5_auth_context auth_context)
 {
@@ -481,7 +508,7 @@ krb5_auth_con_initivector(krb5_context context,
 }
 
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setivector(krb5_context context,
 			 krb5_auth_context auth_context,
 			 krb5_pointer ivector)
diff --git a/crypto/heimdal/lib/krb5/build_ap_req.c b/crypto/heimdal/lib/krb5/build_ap_req.c
index cab5e6f..b1968fe 100644
--- a/crypto/heimdal/lib/krb5/build_ap_req.c
+++ b/crypto/heimdal/lib/krb5/build_ap_req.c
@@ -33,9 +33,9 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: build_ap_req.c,v 1.18 2002/09/04 16:26:04 joda Exp $");
+RCSID("$Id: build_ap_req.c 13863 2004-05-25 21:46:46Z lha $");
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_build_ap_req (krb5_context context,
 		   krb5_enctype enctype,
 		   krb5_creds *cred,
@@ -68,7 +68,8 @@ krb5_build_ap_req (krb5_context context,
 
   ASN1_MALLOC_ENCODE(AP_REQ, retdata->data, retdata->length,
 		     &ap, &len, ret);
-
+  if(ret == 0 && retdata->length != len)
+      krb5_abortx(context, "internal error in ASN.1 encoder");
   free_AP_REQ(&ap);
   return ret;
 
diff --git a/crypto/heimdal/lib/krb5/build_auth.c b/crypto/heimdal/lib/krb5/build_auth.c
index 9a2ca3e..f8739c0 100644
--- a/crypto/heimdal/lib/krb5/build_auth.c
+++ b/crypto/heimdal/lib/krb5/build_auth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,9 +33,73 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: build_auth.c,v 1.38 2002/09/04 16:26:04 joda Exp $");
+RCSID("$Id: build_auth.c 17033 2006-04-10 08:53:21Z lha $");
 
-krb5_error_code
+static krb5_error_code
+make_etypelist(krb5_context context,
+	       krb5_authdata **auth_data)
+{
+    EtypeList etypes;
+    krb5_error_code ret;
+    krb5_authdata ad;
+    u_char *buf;
+    size_t len;
+    size_t buf_size;
+     
+    ret = krb5_init_etype(context, &etypes.len, &etypes.val, NULL);
+    if (ret)
+	return ret;
+
+    ASN1_MALLOC_ENCODE(EtypeList, buf, buf_size, &etypes, &len, ret);
+    if (ret) {
+	free_EtypeList(&etypes);
+	return ret;
+    }
+    if(buf_size != len)
+	krb5_abortx(context, "internal error in ASN.1 encoder");
+    free_EtypeList(&etypes);
+
+    ALLOC_SEQ(&ad, 1);
+    if (ad.val == NULL) {
+	free(buf);
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+
+    ad.val[0].ad_type = KRB5_AUTHDATA_GSS_API_ETYPE_NEGOTIATION;
+    ad.val[0].ad_data.length = len;
+    ad.val[0].ad_data.data = buf;
+
+    ASN1_MALLOC_ENCODE(AD_IF_RELEVANT, buf, buf_size, &ad, &len, ret);
+    if (ret) {
+	free_AuthorizationData(&ad);
+	return ret;
+    } 
+    if(buf_size != len)
+	krb5_abortx(context, "internal error in ASN.1 encoder");
+    free_AuthorizationData(&ad);
+
+    ALLOC(*auth_data, 1);
+    if (*auth_data == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+
+    ALLOC_SEQ(*auth_data, 1);
+    if ((*auth_data)->val == NULL) {
+	free(buf);
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+
+    (*auth_data)->val[0].ad_type = KRB5_AUTHDATA_IF_RELEVANT;
+    (*auth_data)->val[0].ad_data.length = len;
+    (*auth_data)->val[0].ad_data.data = buf;
+
+    return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_build_authenticator (krb5_context context,
 			  krb5_auth_context auth_context,
 			  krb5_enctype enctype,
@@ -45,86 +109,94 @@ krb5_build_authenticator (krb5_context context,
 			  krb5_data *result,
 			  krb5_key_usage usage)
 {
-  Authenticator *auth;
-  u_char *buf = NULL;
-  size_t buf_size;
-  size_t len;
-  krb5_error_code ret;
-  krb5_crypto crypto;
-
-  auth = malloc(sizeof(*auth));
-  if (auth == NULL) {
-      krb5_set_error_string(context, "malloc: out of memory");
-      return ENOMEM;
-  }
-
-  memset (auth, 0, sizeof(*auth));
-  auth->authenticator_vno = 5;
-  copy_Realm(&cred->client->realm, &auth->crealm);
-  copy_PrincipalName(&cred->client->name, &auth->cname);
-
-  {
-      int32_t sec, usec;
-
-      krb5_us_timeofday (context, &sec, &usec);
-      auth->ctime = sec;
-      auth->cusec = usec;
-  }
-  ret = krb5_auth_con_getlocalsubkey(context, auth_context, &auth->subkey);
-  if(ret)
-      goto fail;
-
-  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
-    krb5_generate_seq_number (context,
-			      &cred->session, 
-			      &auth_context->local_seqnumber);
-    ALLOC(auth->seq_number, 1);
-    *auth->seq_number = auth_context->local_seqnumber;
-  } else
-    auth->seq_number = NULL;
-  auth->authorization_data = NULL;
-  auth->cksum = cksum;
-
-  /* XXX - Copy more to auth_context? */
-
-  if (auth_context) {
+    Authenticator *auth;
+    u_char *buf = NULL;
+    size_t buf_size;
+    size_t len;
+    krb5_error_code ret;
+    krb5_crypto crypto;
+
+    auth = calloc(1, sizeof(*auth));
+    if (auth == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+
+    auth->authenticator_vno = 5;
+    copy_Realm(&cred->client->realm, &auth->crealm);
+    copy_PrincipalName(&cred->client->name, &auth->cname);
+
+    krb5_us_timeofday (context, &auth->ctime, &auth->cusec);
+    
+    ret = krb5_auth_con_getlocalsubkey(context, auth_context, &auth->subkey);
+    if(ret)
+	goto fail;
+
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+	if(auth_context->local_seqnumber == 0)
+	    krb5_generate_seq_number (context,
+				      &cred->session, 
+				      &auth_context->local_seqnumber);
+	ALLOC(auth->seq_number, 1);
+	if(auth->seq_number == NULL) {
+	    ret = ENOMEM;
+	    goto fail;
+	}
+	*auth->seq_number = auth_context->local_seqnumber;
+    } else
+	auth->seq_number = NULL;
+    auth->authorization_data = NULL;
+    auth->cksum = cksum;
+
+    if (cksum != NULL && cksum->cksumtype == CKSUMTYPE_GSSAPI) {
+	/*
+	 * This is not GSS-API specific, we only enable it for
+	 * GSS for now
+	 */
+	ret = make_etypelist(context, &auth->authorization_data);
+	if (ret)
+	    goto fail;
+    }
+
+    /* XXX - Copy more to auth_context? */
+
     auth_context->authenticator->ctime = auth->ctime;
     auth_context->authenticator->cusec = auth->cusec;
-  }
-
-  ASN1_MALLOC_ENCODE(Authenticator, buf, buf_size, auth, &len, ret);
-
-  if (ret)
-      goto fail;
-
-  ret = krb5_crypto_init(context, &cred->session, enctype, &crypto);
-  if (ret)
-      goto fail;
-  ret = krb5_encrypt (context,
-		      crypto,
-		      usage /* KRB5_KU_AP_REQ_AUTH */,
-		      buf + buf_size - len, 
-		      len,
-		      result);
-  krb5_crypto_destroy(context, crypto);
-
-  if (ret)
-      goto fail;
-
-  free (buf);
-
-  if (auth_result)
-    *auth_result = auth;
-  else {
-    /* Don't free the `cksum', it's allocated by the caller */
-    auth->cksum = NULL;
+
+    ASN1_MALLOC_ENCODE(Authenticator, buf, buf_size, auth, &len, ret);
+    if (ret)
+	goto fail;
+    if(buf_size != len)
+	krb5_abortx(context, "internal error in ASN.1 encoder");
+
+    ret = krb5_crypto_init(context, &cred->session, enctype, &crypto);
+    if (ret)
+	goto fail;
+    ret = krb5_encrypt (context,
+			crypto,
+			usage /* KRB5_KU_AP_REQ_AUTH */,
+			buf + buf_size - len, 
+			len,
+			result);
+    krb5_crypto_destroy(context, crypto);
+
+    if (ret)
+	goto fail;
+
+    free (buf);
+
+    if (auth_result)
+	*auth_result = auth;
+    else {
+	/* Don't free the `cksum', it's allocated by the caller */
+	auth->cksum = NULL;
+	free_Authenticator (auth);
+	free (auth);
+    }
+    return ret;
+  fail:
     free_Authenticator (auth);
     free (auth);
-  }
-  return ret;
-fail:
-  free_Authenticator (auth);
-  free (auth);
-  free (buf);
-  return ret;
+    free (buf);
+    return ret;
 }
diff --git a/crypto/heimdal/lib/krb5/cache.c b/crypto/heimdal/lib/krb5/cache.c
index 26cda9a..5db6d2b 100644
--- a/crypto/heimdal/lib/krb5/cache.c
+++ b/crypto/heimdal/lib/krb5/cache.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,15 +33,23 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: cache.c,v 1.52 2003/03/16 18:23:59 lha Exp $");
+RCSID("$Id: cache.c 22127 2007-12-04 00:54:37Z lha $");
 
-/*
+/**
  * Add a new ccache type with operations `ops', overwriting any
  * existing one if `override'.
- * Return an error code or 0.
+ *
+ * @param context a Keberos context
+ * @param ops type of plugin symbol
+ * @param override flag to select if the registration is to overide
+ * an existing ops with the same name.
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_ccache
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_register(krb5_context context, 
 		 const krb5_cc_ops *ops, 
 		 krb5_boolean override)
@@ -77,46 +85,74 @@ krb5_cc_register(krb5_context context,
 }
 
 /*
- * Allocate memory for a new ccache in `id' with operations `ops'
- * and name `residual'.
- * Return 0 or an error code.
+ * Allocate the memory for a `id' and the that function table to
+ * `ops'. Returns 0 or and error code.
  */
 
-static krb5_error_code
-allocate_ccache (krb5_context context,
-		 const krb5_cc_ops *ops,
-		 const char *residual,
-		 krb5_ccache *id)
+krb5_error_code
+_krb5_cc_allocate(krb5_context context, 
+		  const krb5_cc_ops *ops,
+		  krb5_ccache *id)
 {
-    krb5_error_code ret;
     krb5_ccache p;
 
-    p = malloc(sizeof(*p));
+    p = malloc (sizeof(*p));
     if(p == NULL) {
 	krb5_set_error_string(context, "malloc: out of memory");
 	return KRB5_CC_NOMEM;
     }
     p->ops = ops;
     *id = p;
-    ret = p->ops->resolve(context, id, residual);
+
+    return 0;
+}
+
+/*
+ * Allocate memory for a new ccache in `id' with operations `ops'
+ * and name `residual'. Return 0 or an error code.
+ */
+
+static krb5_error_code
+allocate_ccache (krb5_context context,
+		 const krb5_cc_ops *ops,
+		 const char *residual,
+		 krb5_ccache *id)
+{
+    krb5_error_code ret;
+
+    ret = _krb5_cc_allocate(context, ops, id);
+    if (ret)
+	return ret;
+    ret = (*id)->ops->resolve(context, id, residual);
     if(ret)
-	free(p);
+	free(*id);
     return ret;
 }
 
-/*
+/**
  * Find and allocate a ccache in `id' from the specification in `residual'.
  * If the ccache name doesn't contain any colon, interpret it as a file name.
- * Return 0 or an error code.
+ *
+ * @param context a Keberos context.
+ * @param name string name of a credential cache.
+ * @param id return pointer to a found credential cache.
+ *
+ * @return Return 0 or an error code. In case of an error, id is set
+ * to NULL.
+ *
+ * @ingroup krb5_ccache
  */
 
-krb5_error_code
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_resolve(krb5_context context,
 		const char *name,
 		krb5_ccache *id)
 {
     int i;
 
+    *id = NULL;
+
     for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) {
 	size_t prefix_len = strlen(context->cc_ops[i].prefix);
 
@@ -135,54 +171,130 @@ krb5_cc_resolve(krb5_context context,
     }
 }
 
-/*
+/**
  * Generate a new ccache of type `ops' in `id'.
- * Return 0 or an error code.
+ *
+ * @return Return 0 or an error code.
+ *
+ * @ingroup krb5_ccache
  */
 
-krb5_error_code
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_gen_new(krb5_context context,
 		const krb5_cc_ops *ops,
 		krb5_ccache *id)
 {
-    krb5_ccache p;
+    return krb5_cc_new_unique(context, ops->prefix, NULL, id);
+}
 
-    p = malloc (sizeof(*p));
-    if (p == NULL) {
-	krb5_set_error_string(context, "malloc: out of memory");
-	return KRB5_CC_NOMEM;
+/**
+ * Generates a new unique ccache of `type` in `id'. If `type' is NULL,
+ * the library chooses the default credential cache type. The supplied
+ * `hint' (that can be NULL) is a string that the credential cache
+ * type can use to base the name of the credential on, this is to make
+ * it easier for the user to differentiate the credentials.
+ *
+ * @return Returns 0 or an error code.
+ *
+ * @ingroup krb5_ccache
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_cc_new_unique(krb5_context context, const char *type, 
+		   const char *hint, krb5_ccache *id)
+{
+    const krb5_cc_ops *ops = KRB5_DEFAULT_CCTYPE;
+    krb5_error_code ret;
+
+    if (type) {
+	ops = krb5_cc_get_prefix_ops(context, type);
+	if (ops == NULL) {
+	    krb5_set_error_string(context,
+				  "Credential cache type %s is unknown", type);
+	    return KRB5_CC_UNKNOWN_TYPE;
+	}
     }
-    p->ops = ops;
-    *id = p;
-    return p->ops->gen_new(context, id);
+
+    ret = _krb5_cc_allocate(context, ops, id);
+    if (ret)
+	return ret;
+    return (*id)->ops->gen_new(context, id);
 }
 
-/*
+/**
  * Return the name of the ccache `id'
+ *
+ * @ingroup krb5_ccache
  */
 
-const char*
+
+const char* KRB5_LIB_FUNCTION
 krb5_cc_get_name(krb5_context context,
 		 krb5_ccache id)
 {
     return id->ops->get_name(context, id);
 }
 
-/*
+/**
  * Return the type of the ccache `id'.
+ *
+ * @ingroup krb5_ccache
  */
 
-const char*
+
+const char* KRB5_LIB_FUNCTION
 krb5_cc_get_type(krb5_context context,
 		 krb5_ccache id)
 {
     return id->ops->prefix;
 }
 
-/*
+/**
+ * Return the complete resolvable name the ccache `id' in `str´.
+ * `str` should be freed with free(3).
+ * Returns 0 or an error (and then *str is set to NULL).
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_cc_get_full_name(krb5_context context,
+		      krb5_ccache id,
+		      char **str)
+{
+    const char *type, *name;
+
+    *str = NULL;
+
+    type = krb5_cc_get_type(context, id);
+    if (type == NULL) {
+	krb5_set_error_string(context, "cache have no name of type");
+	return KRB5_CC_UNKNOWN_TYPE;
+    }
+
+    name = krb5_cc_get_name(context, id);
+    if (name == NULL) {
+	krb5_set_error_string(context, "cache of type %s have no name", type);
+	return KRB5_CC_BADNAME;
+    }
+    
+    if (asprintf(str, "%s:%s", type, name) == -1) {
+	krb5_set_error_string(context, "malloc - out of memory");
+	*str = NULL;
+	return ENOMEM;
+    }
+    return 0;
+}
+
+/**
  * Return krb5_cc_ops of a the ccache `id'.
+ *
+ * @ingroup krb5_ccache
  */
 
+
 const krb5_cc_ops *
 krb5_cc_get_ops(krb5_context context, krb5_ccache id)
 {
@@ -190,27 +302,159 @@ krb5_cc_get_ops(krb5_context context, krb5_ccache id)
 }
 
 /*
- * Set the default cc name for `context' to `name'.
+ * Expand variables in `str' into `res'
  */
 
 krb5_error_code
+_krb5_expand_default_cc_name(krb5_context context, const char *str, char **res)
+{
+    size_t tlen, len = 0;
+    char *tmp, *tmp2, *append;
+
+    *res = NULL;
+
+    while (str && *str) {
+	tmp = strstr(str, "%{");
+	if (tmp && tmp != str) {
+	    append = malloc((tmp - str) + 1);
+	    if (append) {
+		memcpy(append, str, tmp - str);
+		append[tmp - str] = '\0';
+	    }
+	    str = tmp;
+	} else if (tmp) {
+	    tmp2 = strchr(tmp, '}');
+	    if (tmp2 == NULL) {
+		free(*res);
+		*res = NULL;
+		krb5_set_error_string(context, "variable missing }");
+		return KRB5_CONFIG_BADFORMAT;
+	    }
+	    if (strncasecmp(tmp, "%{uid}", 6) == 0)
+		asprintf(&append, "%u", (unsigned)getuid());
+	    else if (strncasecmp(tmp, "%{null}", 7) == 0)
+		append = strdup("");
+	    else {
+		free(*res);
+		*res = NULL;
+		krb5_set_error_string(context, 
+				      "expand default cache unknown "
+				      "variable \"%.*s\"",
+				      (int)(tmp2 - tmp) - 2, tmp + 2);
+		return KRB5_CONFIG_BADFORMAT;
+	    }
+	    str = tmp2 + 1;
+	} else {
+	    append = strdup(str);
+	    str = NULL;
+	}
+	if (append == NULL) {
+	    free(*res);
+	    *res = NULL;
+	    krb5_set_error_string(context, "malloc - out of memory");
+	    return ENOMEM;
+	}
+	
+	tlen = strlen(append);
+	tmp = realloc(*res, len + tlen + 1);
+	if (tmp == NULL) {
+	    free(append);
+	    free(*res);
+	    *res = NULL;
+	    krb5_set_error_string(context, "malloc - out of memory");
+	    return ENOMEM;
+	}
+	*res = tmp;
+	memcpy(*res + len, append, tlen + 1);
+	len = len + tlen;
+	free(append);
+    }    
+    return 0;
+}
+
+/*
+ * Return non-zero if envirnoment that will determine default krb5cc
+ * name has changed.
+ */
+
+static int
+environment_changed(krb5_context context)
+{
+    const char *e;
+
+    /* if the cc name was set, don't change it */
+    if (context->default_cc_name_set)
+	return 0;
+
+    if(issuid())
+	return 0;
+
+    e = getenv("KRB5CCNAME");
+    if (e == NULL) {
+	if (context->default_cc_name_env) {
+	    free(context->default_cc_name_env);
+	    context->default_cc_name_env = NULL;
+	    return 1;
+	}
+    } else {
+	if (context->default_cc_name_env == NULL)
+	    return 1;
+	if (strcmp(e, context->default_cc_name_env) != 0)
+	    return 1;
+    }
+    return 0;
+}
+
+/**
+ * Set the default cc name for `context' to `name'.
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_set_default_name(krb5_context context, const char *name)
 {
     krb5_error_code ret = 0;
     char *p;
 
     if (name == NULL) {
-	char *e;
-	e = getenv("KRB5CCNAME");
-	if (e)
-	    p = strdup(e);
-	else
-	    asprintf(&p,"FILE:/tmp/krb5cc_%u", (unsigned)getuid());
-    } else
+	const char *e = NULL;
+
+	if(!issuid()) {
+	    e = getenv("KRB5CCNAME");
+	    if (e) {
+		p = strdup(e);
+		if (context->default_cc_name_env)
+		    free(context->default_cc_name_env);
+		context->default_cc_name_env = strdup(e);
+	    }
+	}
+	if (e == NULL) {
+	    e = krb5_config_get_string(context, NULL, "libdefaults",
+				       "default_cc_name", NULL);
+	    if (e) {
+		ret = _krb5_expand_default_cc_name(context, e, &p);
+		if (ret)
+		    return ret;
+	    }
+	    if (e == NULL) {
+		const krb5_cc_ops *ops = KRB5_DEFAULT_CCTYPE;
+		ret = (*ops->default_name)(context, &p);
+		if (ret)
+		    return ret;
+	    }
+	}
+	context->default_cc_name_set = 0;
+    } else {
 	p = strdup(name);
+	context->default_cc_name_set = 1;
+    }
 
-    if (p == NULL)
+    if (p == NULL) {
+	krb5_set_error_string(context, "malloc - out of memory");
 	return ENOMEM;
+    }
 
     if (context->default_cc_name)
 	free(context->default_cc_name);
@@ -220,100 +464,133 @@ krb5_cc_set_default_name(krb5_context context, const char *name)
     return ret;
 }
 
-/*
- * Return a pointer to a context static string containing the default ccache name.
+/**
+ * Return a pointer to a context static string containing the default
+ * ccache name.
+ *
+ * @return String to the default credential cache name.
+ *
+ * @ingroup krb5_ccache
  */
 
-const char*
+
+const char* KRB5_LIB_FUNCTION
 krb5_cc_default_name(krb5_context context)
 {
-    if (context->default_cc_name == NULL)
+    if (context->default_cc_name == NULL || environment_changed(context))
 	krb5_cc_set_default_name(context, NULL);
 
     return context->default_cc_name;
 }
 
-/*
+/**
  * Open the default ccache in `id'.
- * Return 0 or an error code.
+ *
+ * @return Return 0 or an error code.
+ *
+ * @ingroup krb5_ccache
  */
 
-krb5_error_code
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_default(krb5_context context,
 		krb5_ccache *id)
 {
     const char *p = krb5_cc_default_name(context);
 
-    if (p == NULL)
+    if (p == NULL) {
+	krb5_set_error_string(context, "malloc - out of memory");
 	return ENOMEM;
+    }
     return krb5_cc_resolve(context, p, id);
 }
 
-/*
+/**
  * Create a new ccache in `id' for `primary_principal'.
- * Return 0 or an error code.
+ *
+ * @return Return 0 or an error code.
+ *
+ * @ingroup krb5_ccache
  */
 
-krb5_error_code
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_initialize(krb5_context context,
 		   krb5_ccache id,
 		   krb5_principal primary_principal)
 {
-    return id->ops->init(context, id, primary_principal);
+    return (*id->ops->init)(context, id, primary_principal);
 }
 
 
-/*
+/**
  * Remove the ccache `id'.
- * Return 0 or an error code.
+ *
+ * @return Return 0 or an error code.
+ *
+ * @ingroup krb5_ccache
  */
 
-krb5_error_code
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_destroy(krb5_context context,
 		krb5_ccache id)
 {
     krb5_error_code ret;
 
-    ret = id->ops->destroy(context, id);
+    ret = (*id->ops->destroy)(context, id);
     krb5_cc_close (context, id);
     return ret;
 }
 
-/*
+/**
  * Stop using the ccache `id' and free the related resources.
- * Return 0 or an error code.
+ *
+ * @return Return 0 or an error code.
+ *
+ * @ingroup krb5_ccache
  */
 
-krb5_error_code
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_close(krb5_context context,
 	      krb5_ccache id)
 {
     krb5_error_code ret;
-    ret = id->ops->close(context, id);
+    ret = (*id->ops->close)(context, id);
     free(id);
     return ret;
 }
 
-/*
+/**
  * Store `creds' in the ccache `id'.
- * Return 0 or an error code.
+ *
+ * @return Return 0 or an error code.
+ *
+ * @ingroup krb5_ccache
  */
 
-krb5_error_code
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_store_cred(krb5_context context,
 		   krb5_ccache id,
 		   krb5_creds *creds)
 {
-    return id->ops->store(context, id, creds);
+    return (*id->ops->store)(context, id, creds);
 }
 
-/*
+/**
  * Retrieve the credential identified by `mcreds' (and `whichfields')
- * from `id' in `creds'.
- * Return 0 or an error code.
+ * from `id' in `creds'. 'creds' must be free by the caller using
+ * krb5_free_cred_contents.
+ *
+ * @return Return 0 or an error code.
+ *
+ * @ingroup krb5_ccache
  */
 
-krb5_error_code
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_retrieve_cred(krb5_context context,
 		      krb5_ccache id,
 		      krb5_flags whichfields,
@@ -322,77 +599,129 @@ krb5_cc_retrieve_cred(krb5_context context,
 {
     krb5_error_code ret;
     krb5_cc_cursor cursor;
-    krb5_cc_start_seq_get(context, id, &cursor);
+
+    if (id->ops->retrieve != NULL) {
+	return (*id->ops->retrieve)(context, id, whichfields,
+				    mcreds, creds);
+    }
+
+    ret = krb5_cc_start_seq_get(context, id, &cursor);
+    if (ret)
+	return ret;
     while((ret = krb5_cc_next_cred(context, id, &cursor, creds)) == 0){
 	if(krb5_compare_creds(context, whichfields, mcreds, creds)){
 	    ret = 0;
 	    break;
 	}
-	krb5_free_creds_contents (context, creds);
+	krb5_free_cred_contents (context, creds);
     }
     krb5_cc_end_seq_get(context, id, &cursor);
     return ret;
 }
 
-/*
+/**
  * Return the principal of `id' in `principal'.
- * Return 0 or an error code.
+ *
+ * @return Return 0 or an error code.
+ *
+ * @ingroup krb5_ccache
  */
 
-krb5_error_code
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_get_principal(krb5_context context,
 		      krb5_ccache id,
 		      krb5_principal *principal)
 {
-    return id->ops->get_princ(context, id, principal);
+    return (*id->ops->get_princ)(context, id, principal);
 }
 
-/*
+/**
  * Start iterating over `id', `cursor' is initialized to the
  * beginning.
- * Return 0 or an error code.
+ *
+ * @return Return 0 or an error code.
+ *
+ * @ingroup krb5_ccache
  */
 
-krb5_error_code
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_start_seq_get (krb5_context context,
 		       const krb5_ccache id,
 		       krb5_cc_cursor *cursor)
 {
-    return id->ops->get_first(context, id, cursor);
+    return (*id->ops->get_first)(context, id, cursor);
 }
 
-/*
+/**
  * Retrieve the next cred pointed to by (`id', `cursor') in `creds'
  * and advance `cursor'.
- * Return 0 or an error code.
+ *
+ * @return Return 0 or an error code.
+ *
+ * @ingroup krb5_ccache
  */
 
-krb5_error_code
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_next_cred (krb5_context context,
 		   const krb5_ccache id,
 		   krb5_cc_cursor *cursor,
 		   krb5_creds *creds)
 {
-    return id->ops->get_next(context, id, cursor, creds);
+    return (*id->ops->get_next)(context, id, cursor, creds);
 }
 
-/*
+/**
+ * Like krb5_cc_next_cred, but allow for selective retrieval
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_cc_next_cred_match(krb5_context context,
+			const krb5_ccache id,
+			krb5_cc_cursor * cursor,
+			krb5_creds * creds,
+			krb5_flags whichfields,
+			const krb5_creds * mcreds)
+{
+    krb5_error_code ret;
+    while (1) {
+	ret = krb5_cc_next_cred(context, id, cursor, creds);
+	if (ret)
+	    return ret;
+	if (mcreds == NULL || krb5_compare_creds(context, whichfields, mcreds, creds))
+	    return 0;
+	krb5_free_cred_contents(context, creds);
+    }
+}
+
+/**
  * Destroy the cursor `cursor'.
+ *
+ * @ingroup krb5_ccache
  */
 
-krb5_error_code
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_end_seq_get (krb5_context context,
 		     const krb5_ccache id,
 		     krb5_cc_cursor *cursor)
 {
-    return id->ops->end_get(context, id, cursor);
+    return (*id->ops->end_get)(context, id, cursor);
 }
 
-/*
+/**
  * Remove the credential identified by `cred', `which' from `id'.
+ *
+ * @ingroup krb5_ccache
  */
 
-krb5_error_code
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_remove_cred(krb5_context context,
 		    krb5_ccache id,
 		    krb5_flags which,
@@ -407,26 +736,35 @@ krb5_cc_remove_cred(krb5_context context,
     return (*id->ops->remove_cred)(context, id, which, cred);
 }
 
-/*
+/**
  * Set the flags of `id' to `flags'.
+ *
+ * @ingroup krb5_ccache
  */
 
-krb5_error_code
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_set_flags(krb5_context context,
 		  krb5_ccache id,
 		  krb5_flags flags)
 {
-    return id->ops->set_flags(context, id, flags);
+    return (*id->ops->set_flags)(context, id, flags);
 }
 		    
-/*
+/**
  * Copy the contents of `from' to `to'.
+ *
+ * @ingroup krb5_ccache
  */
 
-krb5_error_code
-krb5_cc_copy_cache(krb5_context context,
-		   const krb5_ccache from,
-		   krb5_ccache to)
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_cc_copy_cache_match(krb5_context context,
+			 const krb5_ccache from,
+			 krb5_ccache to,
+			 krb5_flags whichfields,
+			 const krb5_creds * mcreds,
+			 unsigned int *matched)
 {
     krb5_error_code ret;
     krb5_cc_cursor cursor;
@@ -434,37 +772,302 @@ krb5_cc_copy_cache(krb5_context context,
     krb5_principal princ;
 
     ret = krb5_cc_get_principal(context, from, &princ);
-    if(ret)
+    if (ret)
 	return ret;
     ret = krb5_cc_initialize(context, to, princ);
-    if(ret){
+    if (ret) {
 	krb5_free_principal(context, princ);
 	return ret;
     }
     ret = krb5_cc_start_seq_get(context, from, &cursor);
-    if(ret){
+    if (ret) {
 	krb5_free_principal(context, princ);
 	return ret;
     }
-    while(ret == 0 && krb5_cc_next_cred(context, from, &cursor, &cred) == 0){
+    if (matched)
+	*matched = 0;
+    while (ret == 0 &&
+	   krb5_cc_next_cred_match(context, from, &cursor, &cred,
+				   whichfields, mcreds) == 0) {
+	if (matched)
+	    (*matched)++;
 	ret = krb5_cc_store_cred(context, to, &cred);
-	krb5_free_creds_contents (context, &cred);
+	krb5_free_cred_contents(context, &cred);
     }
     krb5_cc_end_seq_get(context, from, &cursor);
     krb5_free_principal(context, princ);
     return ret;
 }
 
-/*
+/**
+ * Just like krb5_cc_copy_cache_match, but copy everything.
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_cc_copy_cache(krb5_context context,
+		   const krb5_ccache from,
+		   krb5_ccache to)
+{
+    return krb5_cc_copy_cache_match(context, from, to, 0, NULL, NULL);
+}
+
+/**
  * Return the version of `id'.
+ *
+ * @ingroup krb5_ccache
  */
 
-krb5_error_code
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_get_version(krb5_context context,
 		    const krb5_ccache id)
 {
     if(id->ops->get_version)
-	return id->ops->get_version(context, id);
+	return (*id->ops->get_version)(context, id);
     else
 	return 0;
 }
+
+/**
+ * Clear `mcreds' so it can be used with krb5_cc_retrieve_cred
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+void KRB5_LIB_FUNCTION
+krb5_cc_clear_mcred(krb5_creds *mcred)
+{
+    memset(mcred, 0, sizeof(*mcred));
+}
+
+/**
+ * Get the cc ops that is registered in `context' to handle the
+ * `prefix'. `prefix' can be a complete credential cache name or a
+ * prefix, the function will only use part up to the first colon (:)
+ * if there is one.
+ * Returns NULL if ops not found.
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+const krb5_cc_ops *
+krb5_cc_get_prefix_ops(krb5_context context, const char *prefix)
+{
+    char *p, *p1;
+    int i;
+    
+    if (prefix[0] == '/')
+	return &krb5_fcc_ops;
+
+    p = strdup(prefix);
+    if (p == NULL) {
+	krb5_set_error_string(context, "malloc - out of memory");
+	return NULL;
+    }
+    p1 = strchr(p, ':');
+    if (p1)
+	*p1 = '\0';
+
+    for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) {
+	if(strcmp(context->cc_ops[i].prefix, p) == 0) {
+	    free(p);
+	    return &context->cc_ops[i];
+	}
+    }
+    free(p);
+    return NULL;
+}
+
+struct krb5_cc_cache_cursor_data {
+    const krb5_cc_ops *ops;
+    krb5_cc_cursor cursor;
+};
+
+/**
+ * Start iterating over all caches of `type'. If `type' is NULL, the
+ * default type is * used. `cursor' is initialized to the beginning.
+ *
+ * @return Return 0 or an error code.
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_cc_cache_get_first (krb5_context context,
+			 const char *type,
+			 krb5_cc_cache_cursor *cursor)
+{
+    const krb5_cc_ops *ops;
+    krb5_error_code ret;
+
+    if (type == NULL)
+	type = krb5_cc_default_name(context);
+
+    ops = krb5_cc_get_prefix_ops(context, type);
+    if (ops == NULL) {
+	krb5_set_error_string(context, "Unknown type \"%s\" when iterating "
+			      "trying to iterate the credential caches", type);
+	return KRB5_CC_UNKNOWN_TYPE;
+    }
+
+    if (ops->get_cache_first == NULL) {
+	krb5_set_error_string(context, "Credential cache type %s doesn't support "
+			      "iterations over caches", ops->prefix);
+	return KRB5_CC_NOSUPP;
+    }
+
+    *cursor = calloc(1, sizeof(**cursor));
+    if (*cursor == NULL) {
+	krb5_set_error_string(context, "malloc - out of memory");
+	return ENOMEM;
+    }
+
+    (*cursor)->ops = ops;
+
+    ret = ops->get_cache_first(context, &(*cursor)->cursor);
+    if (ret) {
+	free(*cursor);
+	*cursor = NULL;
+    }
+    return ret;
+}
+
+/**
+ * Retrieve the next cache pointed to by (`cursor') in `id'
+ * and advance `cursor'.
+ *
+ * @return Return 0 or an error code.
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_cc_cache_next (krb5_context context,
+		   krb5_cc_cache_cursor cursor,
+		   krb5_ccache *id)
+{
+    return cursor->ops->get_cache_next(context, cursor->cursor, id);
+}
+
+/**
+ * Destroy the cursor `cursor'.
+ *
+ * @return Return 0 or an error code.
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_cc_cache_end_seq_get (krb5_context context,
+			   krb5_cc_cache_cursor cursor)
+{
+    krb5_error_code ret;
+    ret = cursor->ops->end_cache_get(context, cursor->cursor);
+    cursor->ops = NULL;
+    free(cursor);
+    return ret;
+}
+
+/**
+ * Search for a matching credential cache of type `type' that have the
+ * `principal' as the default principal. If NULL is used for `type',
+ * the default type is used. On success, `id' needs to be freed with
+ * krb5_cc_close or krb5_cc_destroy.
+ *
+ * @return On failure, error code is returned and `id' is set to NULL.
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_cc_cache_match (krb5_context context,
+		     krb5_principal client,
+		     const char *type,
+		     krb5_ccache *id)
+{
+    krb5_cc_cache_cursor cursor;
+    krb5_error_code ret;
+    krb5_ccache cache = NULL;
+
+    *id = NULL;
+
+    ret = krb5_cc_cache_get_first (context, type, &cursor);
+    if (ret)
+	return ret;
+
+    while ((ret = krb5_cc_cache_next (context, cursor, &cache)) == 0) {
+	krb5_principal principal;
+
+	ret = krb5_cc_get_principal(context, cache, &principal);
+	if (ret == 0) {
+	    krb5_boolean match;
+	    
+	    match = krb5_principal_compare(context, principal, client);
+	    krb5_free_principal(context, principal);
+	    if (match)
+		break;
+	}
+
+	krb5_cc_close(context, cache);
+	cache = NULL;
+    }
+
+    krb5_cc_cache_end_seq_get(context, cursor);
+
+    if (cache == NULL) {
+	char *str;
+
+	krb5_unparse_name(context, client, &str);
+
+	krb5_set_error_string(context, "Principal %s not found in a "
+			  "credential cache", str ? str : "<out of memory>");
+	if (str)
+	    free(str);
+	return KRB5_CC_NOTFOUND;
+    }
+    *id = cache;
+
+    return 0;
+}
+
+/**
+ * Move the content from one credential cache to another. The
+ * operation is an atomic switch. 
+ *
+ * @param context a Keberos context
+ * @param from the credential cache to move the content from
+ * @param to the credential cache to move the content to
+
+ * @return On sucess, from is freed. On failure, error code is
+ * returned and from and to are both still allocated.
+ *
+ * @ingroup krb5_ccache
+ */
+
+krb5_error_code
+krb5_cc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
+{
+    krb5_error_code ret;
+
+    if (strcmp(from->ops->prefix, to->ops->prefix) != 0) {
+	krb5_set_error_string(context, "Moving credentials between diffrent "
+			      "types not yet supported");
+	return KRB5_CC_NOSUPP;
+    }
+
+    ret = (*to->ops->move)(context, from, to);
+    if (ret == 0) {
+	memset(from, 0, sizeof(*from));
+	free(from);
+    }
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/changepw.c b/crypto/heimdal/lib/krb5/changepw.c
index 1c4013b..703cf43 100644
--- a/crypto/heimdal/lib/krb5/changepw.c
+++ b/crypto/heimdal/lib/krb5/changepw.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: changepw.c,v 1.38.2.1 2004/06/21 08:38:10 lha Exp $");
+RCSID("$Id: changepw.c 21505 2007-07-12 12:28:38Z lha $");
 
 static void
 str2data (krb5_data *d,
@@ -46,10 +46,12 @@ str2data (krb5_data *d,
 	  ...)
 {
     va_list args;
+    char *str;
 
     va_start(args, fmt);
-    d->length = vasprintf ((char **)&d->data, fmt, args);
+    d->length = vasprintf (&str, fmt, args);
     va_end(args);
+    d->data = str;
 }
 
 /*
@@ -67,7 +69,7 @@ chgpw_send_request (krb5_context context,
 		    krb5_principal targprinc,
 		    int is_stream,
 		    int sock,
-		    char *passwd,
+		    const char *passwd,
 		    const char *host)
 {
     krb5_error_code ret;
@@ -98,7 +100,7 @@ chgpw_send_request (krb5_context context,
     if (ret)
 	return ret;
 
-    passwd_data.data   = passwd;
+    passwd_data.data   = rk_UNCONST(passwd);
     passwd_data.length = strlen(passwd);
 
     krb5_data_zero (&krb_priv_data);
@@ -160,7 +162,7 @@ setpw_send_request (krb5_context context,
 		    krb5_principal targprinc,
 		    int is_stream,
 		    int sock,
-		    char *passwd,
+		    const char *passwd,
 		    const char *host)
 {
     krb5_error_code ret;
@@ -186,7 +188,7 @@ setpw_send_request (krb5_context context,
 	return ret;
 
     chpw.newpasswd.length = strlen(passwd);
-    chpw.newpasswd.data = passwd;
+    chpw.newpasswd.data = rk_UNCONST(passwd);
     if (targprinc) {
 	chpw.targname = &targprinc->name;
 	chpw.targrealm = &targprinc->realm;
@@ -271,7 +273,7 @@ process_reply (krb5_context context,
     krb5_error_code ret;
     u_char reply[1024 * 3];
     ssize_t len;
-    u_int16_t pkt_len, pkt_ver;
+    uint16_t pkt_len, pkt_ver;
     krb5_data ap_rep_data;
     int save_errno;
 
@@ -319,7 +321,7 @@ process_reply (krb5_context context,
 
     if (len < 6) {
 	str2data (result_string, "server %s sent to too short message "
-		  "(%d bytes)", host, len);
+		  "(%ld bytes)", host, (long)len);
 	*result_code = KRB5_KPASSWD_MALFORMED;
 	return 0;
     }
@@ -456,7 +458,7 @@ typedef krb5_error_code (*kpwd_send_request) (krb5_context,
 					      krb5_principal,
 					      int,
 					      int,
-					      char *,
+					      const char *,
 					      const char *);
 typedef krb5_error_code (*kpwd_process_reply) (krb5_context,
 					       krb5_auth_context,
@@ -467,7 +469,7 @@ typedef krb5_error_code (*kpwd_process_reply) (krb5_context,
 					       krb5_data *,
 					       const char *);
 
-struct kpwd_proc {
+static struct kpwd_proc {
     const char *name;
     int flags;
 #define SUPPORT_TCP	1
@@ -509,7 +511,7 @@ static krb5_error_code
 change_password_loop (krb5_context	context,
 		      krb5_creds	*creds,
 		      krb5_principal	targprinc,
-		      char		*newpw,
+		      const char	*newpw,
 		      int		*result_code,
 		      krb5_data		*result_code_string,
 		      krb5_data		*result_string,
@@ -522,7 +524,12 @@ change_password_loop (krb5_context	context,
     int sock;
     int i;
     int done = 0;
-    krb5_realm realm = creds->client->realm;
+    krb5_realm realm;
+
+    if (targprinc)
+	realm = targprinc->realm;
+    else
+	realm = creds->client->realm;
 
     ret = krb5_auth_con_init (context, &auth_context);
     if (ret)
@@ -643,10 +650,12 @@ change_password_loop (krb5_context	context,
     if (done)
 	return 0;
     else {
-	if (ret == KRB5_KDC_UNREACH)
+	if (ret == KRB5_KDC_UNREACH) {
 	    krb5_set_error_string(context,
 				  "unable to reach any changepw server "
 				  " in realm %s", realm);
+	    *result_code = KRB5_KPASSWD_HARDERROR;
+	}
 	return ret;
     }
 }
@@ -658,10 +667,10 @@ change_password_loop (krb5_context	context,
  * the operation in `result_*' and an error code or 0.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_change_password (krb5_context	context,
 		      krb5_creds	*creds,
-		      char		*newpw,
+		      const char	*newpw,
 		      int		*result_code,
 		      krb5_data		*result_code_string,
 		      krb5_data		*result_string)
@@ -684,10 +693,10 @@ krb5_change_password (krb5_context	context,
  *
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_set_password(krb5_context context,
 		  krb5_creds *creds,
-		  char *newpw,
+		  const char *newpw,
 		  krb5_principal targprinc,
 		  int *result_code,
 		  krb5_data *result_code_string,
@@ -710,7 +719,7 @@ krb5_set_password(krb5_context context,
 
     for (i = 0; procs[i].name != NULL; i++) {
 	*result_code = 0;
-	ret = change_password_loop(context, creds, targprinc, newpw, 
+	ret = change_password_loop(context, creds, principal, newpw, 
 				   result_code, result_code_string, 
 				   result_string, 
 				   &procs[i]);
@@ -727,10 +736,10 @@ krb5_set_password(krb5_context context,
  *
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_set_password_using_ccache(krb5_context context,
 			       krb5_ccache ccache,
-			       char *newpw,
+			       const char *newpw,
 			       krb5_principal targprinc,
 			       int *result_code,
 			       krb5_data *result_code_string,
@@ -792,7 +801,7 @@ krb5_set_password_using_ccache(krb5_context context,
  *
  */
 
-const char*
+const char* KRB5_LIB_FUNCTION
 krb5_passwd_result_to_string (krb5_context context,
 			      int result)
 {
diff --git a/crypto/heimdal/lib/krb5/codec.c b/crypto/heimdal/lib/krb5/codec.c
index 6a49e68..0d36b4b 100644
--- a/crypto/heimdal/lib/krb5/codec.c
+++ b/crypto/heimdal/lib/krb5/codec.c
@@ -33,9 +33,9 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: codec.c,v 1.7 2001/05/16 22:08:08 assar Exp $");
+RCSID("$Id: codec.c 13863 2004-05-25 21:46:46Z lha $");
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_decode_EncTicketPart (krb5_context context,
 			   const void *data,
 			   size_t length,
@@ -45,7 +45,7 @@ krb5_decode_EncTicketPart (krb5_context context,
     return decode_EncTicketPart(data, length, t, len);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_encode_EncTicketPart (krb5_context context,
 			   void *data,
 			   size_t length,
@@ -55,7 +55,7 @@ krb5_encode_EncTicketPart (krb5_context context,
     return encode_EncTicketPart(data, length, t, len);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_decode_EncASRepPart (krb5_context context,
 			  const void *data,
 			  size_t length,
@@ -65,7 +65,7 @@ krb5_decode_EncASRepPart (krb5_context context,
     return decode_EncASRepPart(data, length, t, len);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_encode_EncASRepPart (krb5_context context,
 			  void *data,
 			  size_t length,
@@ -75,7 +75,7 @@ krb5_encode_EncASRepPart (krb5_context context,
     return encode_EncASRepPart(data, length, t, len);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_decode_EncTGSRepPart (krb5_context context,
 			   const void *data,
 			   size_t length,
@@ -85,7 +85,7 @@ krb5_decode_EncTGSRepPart (krb5_context context,
     return decode_EncTGSRepPart(data, length, t, len);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_encode_EncTGSRepPart (krb5_context context,
 			   void *data,
 			   size_t length,
@@ -95,7 +95,7 @@ krb5_encode_EncTGSRepPart (krb5_context context,
     return encode_EncTGSRepPart(data, length, t, len);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_decode_EncAPRepPart (krb5_context context,
 			  const void *data,
 			  size_t length,
@@ -105,7 +105,7 @@ krb5_decode_EncAPRepPart (krb5_context context,
     return decode_EncAPRepPart(data, length, t, len);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_encode_EncAPRepPart (krb5_context context,
 			  void *data,
 			  size_t length,
@@ -115,7 +115,7 @@ krb5_encode_EncAPRepPart (krb5_context context,
     return encode_EncAPRepPart(data, length, t, len);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_decode_Authenticator (krb5_context context,
 			   const void *data,
 			   size_t length,
@@ -125,7 +125,7 @@ krb5_decode_Authenticator (krb5_context context,
     return decode_Authenticator(data, length, t, len);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_encode_Authenticator (krb5_context context,
 			   void *data,
 			   size_t length,
@@ -135,7 +135,7 @@ krb5_encode_Authenticator (krb5_context context,
     return encode_Authenticator(data, length, t, len);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_decode_EncKrbCredPart (krb5_context context,
 			    const void *data,
 			    size_t length,
@@ -145,7 +145,7 @@ krb5_decode_EncKrbCredPart (krb5_context context,
     return decode_EncKrbCredPart(data, length, t, len);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_encode_EncKrbCredPart (krb5_context context,
 			    void *data,
 			    size_t length,
@@ -155,7 +155,7 @@ krb5_encode_EncKrbCredPart (krb5_context context,
     return encode_EncKrbCredPart (data, length, t, len);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_decode_ETYPE_INFO (krb5_context context,
 			const void *data,
 			size_t length,
@@ -165,7 +165,7 @@ krb5_decode_ETYPE_INFO (krb5_context context,
     return decode_ETYPE_INFO(data, length, t, len);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_encode_ETYPE_INFO (krb5_context context,
 			void *data,
 			size_t length,
@@ -174,3 +174,23 @@ krb5_encode_ETYPE_INFO (krb5_context context,
 {
     return encode_ETYPE_INFO (data, length, t, len);
 }
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_decode_ETYPE_INFO2 (krb5_context context,
+			const void *data,
+			size_t length,
+			ETYPE_INFO2 *t,
+			size_t *len)
+{
+    return decode_ETYPE_INFO2(data, length, t, len);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_encode_ETYPE_INFO2 (krb5_context context,
+			 void *data,
+			 size_t length,
+			 ETYPE_INFO2 *t,
+			 size_t *len)
+{
+    return encode_ETYPE_INFO2 (data, length, t, len);
+}
diff --git a/crypto/heimdal/lib/krb5/config_file.c b/crypto/heimdal/lib/krb5/config_file.c
index 47c1a94..ac5eba3 100644
--- a/crypto/heimdal/lib/krb5/config_file.c
+++ b/crypto/heimdal/lib/krb5/config_file.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,18 +32,50 @@
  */
 
 #include "krb5_locl.h"
-RCSID("$Id: config_file.c,v 1.46.4.2 2003/10/13 13:46:10 lha Exp $");
+RCSID("$Id: config_file.c 19213 2006-12-04 23:36:36Z lha $");
 
 #ifndef HAVE_NETINFO
 
+/* Gaah! I want a portable funopen */
+struct fileptr {
+    const char *s;
+    FILE *f;
+};
+
+static char *
+config_fgets(char *str, size_t len, struct fileptr *ptr)
+{
+    /* XXX this is not correct, in that they don't do the same if the
+       line is longer than len */
+    if(ptr->f != NULL)
+	return fgets(str, len, ptr->f);
+    else {
+	/* this is almost strsep_copy */
+	const char *p;
+	ssize_t l;
+	if(*ptr->s == '\0')
+	    return NULL;
+	p = ptr->s + strcspn(ptr->s, "\n");
+	if(*p == '\n')
+	    p++;
+	l = min(len, p - ptr->s);
+	if(len > 0) {
+	    memcpy(str, ptr->s, l);
+	    str[l] = '\0';
+	}
+	ptr->s = p;
+	return str;
+    }
+}
+
 static krb5_error_code parse_section(char *p, krb5_config_section **s,
 				     krb5_config_section **res,
 				     const char **error_message);
-static krb5_error_code parse_binding(FILE *f, unsigned *lineno, char *p,
+static krb5_error_code parse_binding(struct fileptr *f, unsigned *lineno, char *p,
 				     krb5_config_binding **b,
 				     krb5_config_binding **parent,
 				     const char **error_message);
-static krb5_error_code parse_list(FILE *f, unsigned *lineno,
+static krb5_error_code parse_list(struct fileptr *f, unsigned *lineno,
 				  krb5_config_binding **parent,
 				  const char **error_message);
 
@@ -114,7 +146,7 @@ parse_section(char *p, krb5_config_section **s, krb5_config_section **parent,
  */
 
 static krb5_error_code
-parse_list(FILE *f, unsigned *lineno, krb5_config_binding **parent,
+parse_list(struct fileptr *f, unsigned *lineno, krb5_config_binding **parent,
 	   const char **error_message)
 {
     char buf[BUFSIZ];
@@ -122,12 +154,11 @@ parse_list(FILE *f, unsigned *lineno, krb5_config_binding **parent,
     krb5_config_binding *b = NULL;
     unsigned beg_lineno = *lineno;
 
-    while(fgets(buf, sizeof(buf), f) != NULL) {
+    while(config_fgets(buf, sizeof(buf), f) != NULL) {
 	char *p;
 
 	++*lineno;
-	if (buf[strlen(buf) - 1] == '\n')
-	    buf[strlen(buf) - 1] = '\0';
+	buf[strcspn(buf, "\r\n")] = '\0';
 	p = buf;
 	while(isspace((unsigned char)*p))
 	    ++p;
@@ -153,7 +184,7 @@ parse_list(FILE *f, unsigned *lineno, krb5_config_binding **parent,
  */
 
 static krb5_error_code
-parse_binding(FILE *f, unsigned *lineno, char *p,
+parse_binding(struct fileptr *f, unsigned *lineno, char *p,
 	      krb5_config_binding **b, krb5_config_binding **parent,
 	      const char **error_message)
 {
@@ -209,31 +240,21 @@ parse_binding(FILE *f, unsigned *lineno, char *p,
  */
 
 static krb5_error_code
-krb5_config_parse_file_debug (const char *fname,
-			      krb5_config_section **res,
-			      unsigned *lineno,
-			      const char **error_message)
+krb5_config_parse_debug (struct fileptr *f,
+			 krb5_config_section **res,
+			 unsigned *lineno,
+			 const char **error_message)
 {
-    FILE *f;
-    krb5_config_section *s;
-    krb5_config_binding *b;
+    krb5_config_section *s = NULL;
+    krb5_config_binding *b = NULL;
     char buf[BUFSIZ];
-    krb5_error_code ret = 0;
+    krb5_error_code ret;
 
-    s = NULL;
-    b = NULL;
-    *lineno = 0;
-    f = fopen (fname, "r");
-    if (f == NULL) {
-	*error_message = "cannot open file";
-	return ENOENT;
-    }
-    while (fgets(buf, sizeof(buf), f) != NULL) {
+    while (config_fgets(buf, sizeof(buf), f) != NULL) {
 	char *p;
 
 	++*lineno;
-	if(buf[strlen(buf) - 1] == '\n')
-	    buf[strlen(buf) - 1] = '\0';
+	buf[strcspn(buf, "\r\n")] = '\0';
 	p = buf;
 	while(isspace((unsigned char)*p))
 	    ++p;
@@ -241,40 +262,64 @@ krb5_config_parse_file_debug (const char *fname,
 	    continue;
 	if (*p == '[') {
 	    ret = parse_section(p, &s, res, error_message);
-	    if (ret) {
-		goto out;
-	    }
+	    if (ret) 
+		return ret;
 	    b = NULL;
 	} else if (*p == '}') {
 	    *error_message = "unmatched }";
-	    ret = EINVAL;	/* XXX */
-	    goto out;
+	    return EINVAL;	/* XXX */
 	} else if(*p != '\0') {
 	    if (s == NULL) {
 		*error_message = "binding before section";
-		ret = EINVAL;
-		goto out;
+		return EINVAL;
 	    }
 	    ret = parse_binding(f, lineno, p, &b, &s->u.list, error_message);
 	    if (ret)
-		goto out;
+		return ret;
 	}
     }
-out:
-    fclose (f);
-    return ret;
+    return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_config_parse_string_multi(krb5_context context,
+			       const char *string,
+			       krb5_config_section **res)
+{
+    const char *str;
+    unsigned lineno = 0;
+    krb5_error_code ret;
+    struct fileptr f;
+    f.f = NULL;
+    f.s = string;
+
+    ret = krb5_config_parse_debug (&f, res, &lineno, &str);
+    if (ret) {
+	krb5_set_error_string (context, "%s:%u: %s", "<constant>", lineno, str);
+	return ret;
+    }
+    return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_config_parse_file_multi (krb5_context context,
 			      const char *fname,
 			      krb5_config_section **res)
 {
     const char *str;
-    unsigned lineno;
+    unsigned lineno = 0;
     krb5_error_code ret;
+    struct fileptr f;
+    f.f = fopen(fname, "r");
+    f.s = NULL;
+    if(f.f == NULL) {
+	ret = errno;
+	krb5_set_error_string (context, "open %s: %s", fname, strerror(ret));
+	return ret;
+    }
 
-    ret = krb5_config_parse_file_debug (fname, res, &lineno, &str);
+    ret = krb5_config_parse_debug (&f, res, &lineno, &str);
+    fclose(f.f);
     if (ret) {
 	krb5_set_error_string (context, "%s:%u: %s", fname, lineno, str);
 	return ret;
@@ -282,7 +327,7 @@ krb5_config_parse_file_multi (krb5_context context,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_config_parse_file (krb5_context context,
 			const char *fname,
 			krb5_config_section **res)
@@ -313,7 +358,7 @@ free_binding (krb5_context context, krb5_config_binding *b)
     }
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_config_file_free (krb5_context context, krb5_config_section *s)
 {
     free_binding (context, s);
@@ -443,7 +488,7 @@ krb5_config_vget_list (krb5_context context,
     return krb5_config_vget (context, c, krb5_config_list, args);
 }
 
-const char *
+const char* KRB5_LIB_FUNCTION
 krb5_config_get_string (krb5_context context,
 			const krb5_config_section *c,
 			...)
@@ -457,7 +502,7 @@ krb5_config_get_string (krb5_context context,
     return ret;
 }
 
-const char *
+const char* KRB5_LIB_FUNCTION
 krb5_config_vget_string (krb5_context context,
 			 const krb5_config_section *c,
 			 va_list args)
@@ -465,7 +510,7 @@ krb5_config_vget_string (krb5_context context,
     return krb5_config_vget (context, c, krb5_config_string, args);
 }
 
-const char *
+const char* KRB5_LIB_FUNCTION
 krb5_config_vget_string_default (krb5_context context,
 				 const krb5_config_section *c,
 				 const char *def_value,
@@ -479,7 +524,7 @@ krb5_config_vget_string_default (krb5_context context,
     return ret;
 }
 
-const char *
+const char* KRB5_LIB_FUNCTION
 krb5_config_get_string_default (krb5_context context,
 				const krb5_config_section *c,
 				const char *def_value,
@@ -494,7 +539,7 @@ krb5_config_get_string_default (krb5_context context,
     return ret;
 }
 
-char **
+char ** KRB5_LIB_FUNCTION
 krb5_config_vget_strings(krb5_context context,
 			 const krb5_config_section *c,
 			 va_list args)
@@ -513,10 +558,10 @@ krb5_config_vget_strings(krb5_context context,
 	    goto cleanup;
 	s = strtok_r(tmp, " \t", &pos);
 	while(s){
-	    char **tmp = realloc(strings, (nstr + 1) * sizeof(*strings));
-	    if(tmp == NULL)
+	    char **tmp2 = realloc(strings, (nstr + 1) * sizeof(*strings));
+	    if(tmp2 == NULL)
 		goto cleanup;
-	    strings = tmp;
+	    strings = tmp2;
 	    strings[nstr] = strdup(s);
 	    nstr++;
 	    if(strings[nstr-1] == NULL)
@@ -527,7 +572,7 @@ krb5_config_vget_strings(krb5_context context,
     }
     if(nstr){
 	char **tmp = realloc(strings, (nstr + 1) * sizeof(*strings));
-	if(strings == NULL)
+	if(tmp == NULL)
 	    goto cleanup;
 	strings = tmp;
 	strings[nstr] = NULL;
@@ -554,7 +599,7 @@ krb5_config_get_strings(krb5_context context,
     return ret;
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_config_free_strings(char **strings)
 {
     char **s = strings;
@@ -565,7 +610,7 @@ krb5_config_free_strings(char **strings)
     free(strings);
 }
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_config_vget_bool_default (krb5_context context,
 			       const krb5_config_section *c,
 			       krb5_boolean def_value,
@@ -581,7 +626,7 @@ krb5_config_vget_bool_default (krb5_context context,
     return FALSE;
 }
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_config_vget_bool  (krb5_context context,
 			const krb5_config_section *c,
 			va_list args)
@@ -589,7 +634,7 @@ krb5_config_vget_bool  (krb5_context context,
     return krb5_config_vget_bool_default (context, c, FALSE, args);
 }
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_config_get_bool_default (krb5_context context,
 			      const krb5_config_section *c,
 			      krb5_boolean def_value,
@@ -603,7 +648,7 @@ krb5_config_get_bool_default (krb5_context context,
     return ret;
 }
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_config_get_bool (krb5_context context,
 		      const krb5_config_section *c,
 		      ...)
@@ -616,20 +661,24 @@ krb5_config_get_bool (krb5_context context,
     return ret;
 }
 
-int
+int KRB5_LIB_FUNCTION
 krb5_config_vget_time_default (krb5_context context,
 			       const krb5_config_section *c,
 			       int def_value,
 			       va_list args)
 {
     const char *str;
+    krb5_deltat t;
+
     str = krb5_config_vget_string (context, c, args);
     if(str == NULL)
 	return def_value;
-    return parse_time (str, NULL);
+    if (krb5_string_to_deltat(str, &t))
+	return def_value;
+    return t;
 }
 
-int
+int KRB5_LIB_FUNCTION
 krb5_config_vget_time  (krb5_context context,
 			const krb5_config_section *c,
 			va_list args)
@@ -637,7 +686,7 @@ krb5_config_vget_time  (krb5_context context,
     return krb5_config_vget_time_default (context, c, -1, args);
 }
 
-int
+int KRB5_LIB_FUNCTION
 krb5_config_get_time_default (krb5_context context,
 			      const krb5_config_section *c,
 			      int def_value,
@@ -651,7 +700,7 @@ krb5_config_get_time_default (krb5_context context,
     return ret;
 }
 
-int
+int KRB5_LIB_FUNCTION
 krb5_config_get_time (krb5_context context,
 		      const krb5_config_section *c,
 		      ...)
@@ -665,7 +714,7 @@ krb5_config_get_time (krb5_context context,
 }
 
 
-int
+int KRB5_LIB_FUNCTION
 krb5_config_vget_int_default (krb5_context context,
 			      const krb5_config_section *c,
 			      int def_value,
@@ -686,7 +735,7 @@ krb5_config_vget_int_default (krb5_context context,
     }
 }
 
-int
+int KRB5_LIB_FUNCTION
 krb5_config_vget_int  (krb5_context context,
 		       const krb5_config_section *c,
 		       va_list args)
@@ -694,7 +743,7 @@ krb5_config_vget_int  (krb5_context context,
     return krb5_config_vget_int_default (context, c, -1, args);
 }
 
-int
+int KRB5_LIB_FUNCTION
 krb5_config_get_int_default (krb5_context context,
 			     const krb5_config_section *c,
 			     int def_value,
@@ -708,7 +757,7 @@ krb5_config_get_int_default (krb5_context context,
     return ret;
 }
 
-int
+int KRB5_LIB_FUNCTION
 krb5_config_get_int (krb5_context context,
 		     const krb5_config_section *c,
 		     ...)
diff --git a/crypto/heimdal/lib/krb5/config_file_netinfo.c b/crypto/heimdal/lib/krb5/config_file_netinfo.c
index a035e88..1e01e7c 100644
--- a/crypto/heimdal/lib/krb5/config_file_netinfo.c
+++ b/crypto/heimdal/lib/krb5/config_file_netinfo.c
@@ -32,7 +32,7 @@
  */
 
 #include "krb5_locl.h"
-RCSID("$Id: config_file_netinfo.c,v 1.3 2001/05/14 06:14:45 assar Exp $");
+RCSID("$Id: config_file_netinfo.c 13863 2004-05-25 21:46:46Z lha $");
 
 /*
  * Netinfo implementation from Luke Howard <lukeh@xedoc.com.au>
@@ -130,7 +130,7 @@ ni_idlist2binding(void *ni, ni_idlist *idlist, krb5_config_section **ret)
     return NI_OK;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_config_parse_file (krb5_context context,
 			const char *fname,
 			krb5_config_section **res)
diff --git a/crypto/heimdal/lib/krb5/constants.c b/crypto/heimdal/lib/krb5/constants.c
index 280bf62..5188a1d 100644
--- a/crypto/heimdal/lib/krb5/constants.c
+++ b/crypto/heimdal/lib/krb5/constants.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,11 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: constants.c,v 1.7 2002/08/16 20:52:15 joda Exp $");
+RCSID("$Id: constants.c 14253 2004-09-23 07:57:37Z joda $");
 
-const char *krb5_config_file = SYSCONFDIR "/krb5.conf:/etc/krb5.conf";
+const char *krb5_config_file = 
+#ifdef __APPLE__
+"/Library/Preferences/edu.mit.Kerberos:"
+#endif
+SYSCONFDIR "/krb5.conf:/etc/krb5.conf";
 const char *krb5_defkeyname = KEYTAB_DEFAULT;
diff --git a/crypto/heimdal/lib/krb5/context.c b/crypto/heimdal/lib/krb5/context.c
index d3982e8..2567833 100644
--- a/crypto/heimdal/lib/krb5/context.c
+++ b/crypto/heimdal/lib/krb5/context.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -34,12 +34,19 @@
 #include "krb5_locl.h"
 #include <com_err.h>
 
-RCSID("$Id: context.c,v 1.83.2.1 2004/08/20 15:30:24 lha Exp $");
+RCSID("$Id: context.c 22293 2007-12-14 05:25:59Z lha $");
 
 #define INIT_FIELD(C, T, E, D, F)					\
     (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), 	\
 						"libdefaults", F, NULL)
 
+#define INIT_FLAG(C, O, V, D, F)					\
+    do {								\
+	if (krb5_config_get_bool_default((C), NULL, (D),"libdefaults", F, NULL)) { \
+	    (C)->O |= V;						\
+        }								\
+    } while(0)
+
 /*
  * Set the list of etypes `ret_etypes' from the configuration variable
  * `name'
@@ -65,8 +72,12 @@ set_etypes (krb5_context context,
 	    return ENOMEM;
 	}
 	for(j = 0, k = 0; j < i; j++) {
-	    if(krb5_string_to_enctype(context, etypes_str[j], &etypes[k]) == 0)
-		k++;
+	    krb5_enctype e;
+	    if(krb5_string_to_enctype(context, etypes_str[j], &e) != 0)
+		continue;
+	    if (krb5_enctype_valid(context, e) != 0)
+		continue;
+	    etypes[k++] = e;
 	}
 	etypes[k] = ETYPE_NULL;
 	krb5_config_free_strings(etypes_str);
@@ -176,21 +187,49 @@ init_context_from_config_file(krb5_context context)
     /* prefer dns_lookup_kdc over srv_lookup. */
     INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup");
     INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc");
+    INIT_FIELD(context, int, large_msg_size, 1400, "large_message_size");
+    INIT_FLAG(context, flags, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME, TRUE, "dns_canonicalize_hostname");
+    INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac");
     context->default_cc_name = NULL;
+    context->default_cc_name_set = 0;
     return 0;
 }
 
-krb5_error_code
+/**
+ * Initializes the context structure and reads the configuration file
+ * /etc/krb5.conf. The structure should be freed by calling
+ * krb5_free_context() when it is no longer being used.
+ *
+ * @param context pointer to returned context
+ *
+ * @return Returns 0 to indicate success.  Otherwise an errno code is
+ * returned.  Failure means either that something bad happened during
+ * initialization (typically ENOMEM) or that Kerberos should not be
+ * used ENXIO.
+ *
+ * @ingroup krb5
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_init_context(krb5_context *context)
 {
     krb5_context p;
     krb5_error_code ret;
     char **files;
 
+    *context = NULL;
+
     p = calloc(1, sizeof(*p));
     if(!p)
 	return ENOMEM;
 
+    p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
+    if (p->mutex == NULL) {
+	free(p);
+	return ENOMEM;
+    }
+    HEIMDAL_MUTEX_init(p->mutex);
+
     ret = krb5_get_default_config_files(&files);
     if(ret) 
 	goto out;
@@ -204,12 +243,18 @@ krb5_init_context(krb5_context *context)
 
     p->cc_ops = NULL;
     p->num_cc_ops = 0;
+    krb5_cc_register(p, &krb5_acc_ops, TRUE);
     krb5_cc_register(p, &krb5_fcc_ops, TRUE);
     krb5_cc_register(p, &krb5_mcc_ops, TRUE);
+#ifdef HAVE_KCM
+    krb5_cc_register(p, &krb5_kcm_ops, TRUE);
+#endif
 
     p->num_kt_types = 0;
     p->kt_types     = NULL;
     krb5_kt_register (p, &krb5_fkt_ops);
+    krb5_kt_register (p, &krb5_wrfkt_ops);
+    krb5_kt_register (p, &krb5_javakt_ops);
     krb5_kt_register (p, &krb5_mkt_ops);
     krb5_kt_register (p, &krb5_akf_ops);
     krb5_kt_register (p, &krb4_fkt_ops);
@@ -225,11 +270,21 @@ out:
     return ret;
 }
 
-void
+/**
+ * Frees the krb5_context allocated by krb5_init_context().
+ *
+ * @param context context to be freed.
+ *
+ *  @ingroup krb5
+*/
+
+void KRB5_LIB_FUNCTION
 krb5_free_context(krb5_context context)
 {
     if (context->default_cc_name)
 	free(context->default_cc_name);
+    if (context->default_cc_name_env)
+	free(context->default_cc_name_env);
     free(context->etypes);
     free(context->etypes_des);
     krb5_free_host_realm (context, context->default_realms);
@@ -242,17 +297,35 @@ krb5_free_context(krb5_context context)
 	krb5_closelog(context, context->warn_dest);
     krb5_set_extra_addresses(context, NULL);
     krb5_set_ignore_addresses(context, NULL);
+    krb5_set_send_to_kdc_func(context, NULL, NULL);
+    if (context->mutex != NULL) {
+	HEIMDAL_MUTEX_destroy(context->mutex);
+	free(context->mutex);
+    }
+    memset(context, 0, sizeof(*context));
     free(context);
 }
 
-krb5_error_code
+/**
+ * Reinit the context from a new set of filenames.
+ *
+ * @param context context to add configuration too.
+ * @param filenames array of filenames, end of list is indicated with a NULL filename.
+ *
+ * @return Returns 0 to indicate success.  Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_set_config_files(krb5_context context, char **filenames)
 {
     krb5_error_code ret;
     krb5_config_binding *tmp = NULL;
     while(filenames != NULL && *filenames != NULL && **filenames != '\0') {
 	ret = krb5_config_parse_file_multi(context, *filenames, &tmp);
-	if(ret != 0 && ret != ENOENT) {
+	if(ret != 0 && ret != ENOENT && ret != EACCES) {
 	    krb5_config_file_free(context, tmp);
 	    return ret;
 	}
@@ -270,54 +343,158 @@ krb5_set_config_files(krb5_context context, char **filenames)
     return ret;
 }
 
-krb5_error_code 
-krb5_get_default_config_files(char ***pfilenames)
+static krb5_error_code
+add_file(char ***pfilenames, int *len, char *file)
 {
-    const char *p, *q;
-    char **pp;
-    int n, i;
+    char **pp = *pfilenames;
+    int i;
 
-    const char *files = NULL;
-    if (pfilenames == NULL)
-        return EINVAL;
-    if(!issuid())
-	files = getenv("KRB5_CONFIG");
-    if (files == NULL)
-	files = krb5_config_file;
+    for(i = 0; i < *len; i++) {
+	if(strcmp(pp[i], file) == 0) {
+	    free(file);
+	    return 0;
+	}
+    }
 
-    for(n = 0, p = files; strsep_copy(&p, ":", NULL, 0) != -1; n++);
-    pp = malloc((n + 1) * sizeof(*pp));
-    if(pp == NULL)
+    pp = realloc(*pfilenames, (*len + 2) * sizeof(*pp));
+    if (pp == NULL) {
+	free(file);
 	return ENOMEM;
+    }
+
+    pp[*len] = file;
+    pp[*len + 1] = NULL;
+    *pfilenames = pp;
+    *len += 1;
+    return 0;
+}
+
+/*
+ *  `pq' isn't free, it's up the the caller
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp)
+{
+    krb5_error_code ret;
+    const char *p, *q;
+    char **pp;
+    int len;
+    char *fn;
 
-    n = 0;
-    p = files;
+    pp = NULL;
+
+    len = 0;
+    p = filelist;
     while(1) {
 	ssize_t l;
 	q = p;
 	l = strsep_copy(&q, ":", NULL, 0);
 	if(l == -1)
 	    break;
-	pp[n] = malloc(l + 1);
-	if(pp[n] == NULL) {
+	fn = malloc(l + 1);
+	if(fn == NULL) {
 	    krb5_free_config_files(pp);
 	    return ENOMEM;
 	}
-	l = strsep_copy(&p, ":", pp[n], l + 1);
-	for(i = 0; i < n; i++)
-	    if(strcmp(pp[i], pp[n]) == 0) {
-		free(pp[n]);
-		goto skip;
+	l = strsep_copy(&p, ":", fn, l + 1);
+	ret = add_file(&pp, &len, fn);
+	if (ret) {
+	    krb5_free_config_files(pp);
+	    return ret;
+	}
+    }
+
+    if (pq != NULL) {
+	int i;
+
+	for (i = 0; pq[i] != NULL; i++) {
+	    fn = strdup(pq[i]);
+	    if (fn == NULL) {
+		krb5_free_config_files(pp);
+		return ENOMEM;
 	    }
-	n++;
-    skip:;
+	    ret = add_file(&pp, &len, fn);
+	    if (ret) {
+		krb5_free_config_files(pp);
+		return ret;
+	    }
+	}
     }
-    pp[n] = NULL;
+
+    *ret_pp = pp;
+    return 0;
+}
+
+/**
+ * Prepend the filename to the global configuration list.
+ *
+ * @param filelist a filename to add to the default list of filename
+ * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
+ *
+ * @return Returns 0 to indicate success.  Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_prepend_config_files_default(const char *filelist, char ***pfilenames)
+{
+    krb5_error_code ret;
+    char **defpp, **pp = NULL;
+    
+    ret = krb5_get_default_config_files(&defpp);
+    if (ret)
+	return ret;
+
+    ret = krb5_prepend_config_files(filelist, defpp, &pp);
+    krb5_free_config_files(defpp);
+    if (ret) {
+	return ret;
+    }	
     *pfilenames = pp;
     return 0;
 }
 
-void
+/**
+ * Get the global configuration list.
+ *
+ * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
+ *
+ * @return Returns 0 to indicate success.  Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION 
+krb5_get_default_config_files(char ***pfilenames)
+{
+    const char *files = NULL;
+
+    if (pfilenames == NULL)
+        return EINVAL;
+    if(!issuid())
+	files = getenv("KRB5_CONFIG");
+    if (files == NULL)
+	files = krb5_config_file;
+
+    return krb5_prepend_config_files(files, NULL, pfilenames);
+}
+
+/**
+ * Free a list of configuration files.
+ *
+ * @param filenames list to be freed.
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
+void KRB5_LIB_FUNCTION
 krb5_free_config_files(char **filenames)
 {
     char **p;
@@ -326,14 +503,25 @@ krb5_free_config_files(char **filenames)
     free(filenames);
 }
 
-/*
- * set `etype' to a malloced list of the default enctypes
+/**
+ * Returns the list of Kerberos encryption types sorted in order of
+ * most preferred to least preferred encryption type.  Note that some
+ * encryption types might be disabled, so you need to check with
+ * krb5_enctype_valid() before using the encryption type.
+ *
+ * @return list of enctypes, terminated with ETYPE_NULL. Its a static
+ * array completed into the Kerberos library so the content doesn't
+ * need to be freed.
+ *
+ * @ingroup krb5
  */
 
-static krb5_error_code
-default_etypes(krb5_context context, krb5_enctype **etype)
+const krb5_enctype * KRB5_LIB_FUNCTION
+krb5_kerberos_enctypes(krb5_context context)
 {
-    krb5_enctype p[] = {
+    static const krb5_enctype p[] = {
+	ETYPE_AES256_CTS_HMAC_SHA1_96,
+	ETYPE_AES128_CTS_HMAC_SHA1_96,
 	ETYPE_DES3_CBC_SHA1,
 	ETYPE_DES3_CBC_MD5,
 	ETYPE_ARCFOUR_HMAC_MD5,
@@ -342,30 +530,67 @@ default_etypes(krb5_context context, krb5_enctype **etype)
 	ETYPE_DES_CBC_CRC,
 	ETYPE_NULL
     };
+    return p;
+}
 
-    *etype = malloc(sizeof(p));
-    if(*etype == NULL) {
-	krb5_set_error_string (context, "malloc: out of memory");
-	return ENOMEM;
+/*
+ * set `etype' to a malloced list of the default enctypes
+ */
+
+static krb5_error_code
+default_etypes(krb5_context context, krb5_enctype **etype)
+{
+    const krb5_enctype *p;
+    krb5_enctype *e = NULL, *ep;
+    int i, n = 0;
+
+    p = krb5_kerberos_enctypes(context);
+
+    for (i = 0; p[i] != ETYPE_NULL; i++) {
+	if (krb5_enctype_valid(context, p[i]) != 0)
+	    continue;
+	ep = realloc(e, (n + 2) * sizeof(*e));
+	if (ep == NULL) {
+	    free(e);
+	    krb5_set_error_string (context, "malloc: out of memory");
+	    return ENOMEM;
+	}
+	e = ep;
+	e[n] = p[i];
+	e[n + 1] = ETYPE_NULL;
+	n++;
     }
-    memcpy(*etype, p, sizeof(p));
+    *etype = e;
     return 0;
 }
 
-krb5_error_code
+/**
+ * Set the default encryption types that will be use in communcation
+ * with the KDC, clients and servers.
+ *
+ * @param context Kerberos 5 context.
+ * @param etypes Encryption types, array terminated with ETYPE_NULL (0).
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_set_default_in_tkt_etypes(krb5_context context, 
 			       const krb5_enctype *etypes)
 {
-    int i;
     krb5_enctype *p = NULL;
+    int i;
 
     if(etypes) {
-	for (i = 0; etypes[i]; ++i)
-	    if(!krb5_enctype_valid(context, etypes[i])) {
-		krb5_set_error_string(context, "enctype %d not supported",
-				      etypes[i]);
-		return KRB5_PROG_ETYPE_NOSUPP;
-	    }
+	for (i = 0; etypes[i]; ++i) {
+	    krb5_error_code ret;
+	    ret = krb5_enctype_valid(context, etypes[i]);
+	    if (ret)
+		return ret;
+	}
 	++i;
 	ALLOC(p, i);
 	if(!p) {
@@ -380,8 +605,21 @@ krb5_set_default_in_tkt_etypes(krb5_context context,
     return 0;
 }
 
+/**
+ * Get the default encryption types that will be use in communcation
+ * with the KDC, clients and servers.
+ *
+ * @param context Kerberos 5 context.
+ * @param etypes Encryption types, array terminated with
+ * ETYPE_NULL(0), caller should free array with krb5_xfree():
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_default_in_tkt_etypes(krb5_context context,
 			       krb5_enctype **etypes)
 {
@@ -407,7 +645,19 @@ krb5_get_default_in_tkt_etypes(krb5_context context,
   return 0;
 }
 
-const char *
+/**
+ * Return the error string for the error code. The caller must not
+ * free the string.
+ *
+ * @param context Kerberos 5 context.
+ * @param code Kerberos error code.
+ *
+ * @return the error message matching code
+ *
+ * @ingroup krb5
+ */
+
+const char* KRB5_LIB_FUNCTION
 krb5_get_err_text(krb5_context context, krb5_error_code code)
 {
     const char *p = NULL;
@@ -420,7 +670,15 @@ krb5_get_err_text(krb5_context context, krb5_error_code code)
     return p;
 }
 
-void
+/**
+ * Init the built-in ets in the Kerberos library. 
+ *
+ * @param context kerberos context to add the ets too
+ *
+ * @ingroup krb5
+ */
+
+void KRB5_LIB_FUNCTION
 krb5_init_ets(krb5_context context)
 {
     if(context->et_list == NULL){
@@ -428,22 +686,57 @@ krb5_init_ets(krb5_context context)
 	krb5_add_et_list(context, initialize_asn1_error_table_r);
 	krb5_add_et_list(context, initialize_heim_error_table_r);
 	krb5_add_et_list(context, initialize_k524_error_table_r);
+#ifdef PKINIT
+	krb5_add_et_list(context, initialize_hx_error_table_r);
+#endif
     }
 }
 
-void
+/**
+ * Make the kerberos library default to the admin KDC.
+ *
+ * @param context Kerberos 5 context.
+ * @param flag boolean flag to select if the use the admin KDC or not.
+ *
+ * @ingroup krb5
+ */
+
+void KRB5_LIB_FUNCTION
 krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag)
 {
     context->use_admin_kdc = flag;
 }
 
-krb5_boolean
+/**
+ * Make the kerberos library default to the admin KDC.
+ *
+ * @param context Kerberos 5 context.
+ *
+ * @return boolean flag to telling the context will use admin KDC as the default KDC.
+ *
+ * @ingroup krb5
+ */
+
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_get_use_admin_kdc (krb5_context context)
 {
     return context->use_admin_kdc;
 }
 
-krb5_error_code
+/**
+ * Add extra address to the address list that the library will add to
+ * the client's address list when communicating with the KDC.
+ *
+ * @param context Kerberos 5 context.
+ * @param addresses addreses to add
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses)
 {
 
@@ -454,7 +747,20 @@ krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses)
 	return krb5_set_extra_addresses(context, addresses);
 }
 
-krb5_error_code
+/**
+ * Set extra address to the address list that the library will add to
+ * the client's address list when communicating with the KDC.
+ *
+ * @param context Kerberos 5 context.
+ * @param addresses addreses to set
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses)
 {
     if(context->extra_addresses)
@@ -477,7 +783,20 @@ krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses)
     return krb5_copy_addresses(context, addresses, context->extra_addresses);
 }
 
-krb5_error_code
+/**
+ * Get extra address to the address list that the library will add to
+ * the client's address list when communicating with the KDC.
+ *
+ * @param context Kerberos 5 context.
+ * @param addresses addreses to set
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses)
 {
     if(context->extra_addresses == NULL) {
@@ -487,7 +806,20 @@ krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses)
     return krb5_copy_addresses(context,context->extra_addresses, addresses);
 }
 
-krb5_error_code
+/**
+ * Add extra addresses to ignore when fetching addresses from the
+ * underlaying operating system.
+ *
+ * @param context Kerberos 5 context.
+ * @param addresses addreses to ignore
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses)
 {
 
@@ -498,7 +830,20 @@ krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses)
 	return krb5_set_ignore_addresses(context, addresses);
 }
 
-krb5_error_code
+/**
+ * Set extra addresses to ignore when fetching addresses from the
+ * underlaying operating system.
+ *
+ * @param context Kerberos 5 context.
+ * @param addresses addreses to ignore
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses)
 {
     if(context->ignore_addresses)
@@ -520,7 +865,20 @@ krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses)
     return krb5_copy_addresses(context, addresses, context->ignore_addresses);
 }
 
-krb5_error_code
+/**
+ * Get extra addresses to ignore when fetching addresses from the
+ * underlaying operating system.
+ *
+ * @param context Kerberos 5 context.
+ * @param addresses list addreses ignored
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses)
 {
     if(context->ignore_addresses == NULL) {
@@ -530,16 +888,146 @@ krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses)
     return krb5_copy_addresses(context, context->ignore_addresses, addresses);
 }
 
-krb5_error_code
+/**
+ * Set version of fcache that the library should use.
+ *
+ * @param context Kerberos 5 context.
+ * @param version version number.
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_set_fcache_version(krb5_context context, int version)
 {
     context->fcache_vno = version;
     return 0;
 }
 
-krb5_error_code
+/**
+ * Get version of fcache that the library should use.
+ *
+ * @param context Kerberos 5 context.
+ * @param version version number.
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_fcache_version(krb5_context context, int *version)
 {
     *version = context->fcache_vno;
     return 0;
 }
+
+/**
+ * Runtime check if the Kerberos library was complied with thread support.
+ *
+ * @return TRUE if the library was compiled with thread support, FALSE if not.
+ *
+ * @ingroup krb5
+ */
+
+
+krb5_boolean KRB5_LIB_FUNCTION
+krb5_is_thread_safe(void)
+{
+#ifdef ENABLE_PTHREAD_SUPPORT
+    return TRUE;
+#else
+    return FALSE;
+#endif
+}
+
+/**
+ * Set if the library should use DNS to canonicalize hostnames.
+ *
+ * @param context Kerberos 5 context.
+ * @param flag if its dns canonicalizion is used or not.
+ *
+ * @ingroup krb5
+ */
+
+void KRB5_LIB_FUNCTION
+krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag)
+{
+    if (flag)
+	context->flags |= KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
+    else
+	context->flags &= ~KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
+}
+
+/**
+ * Get if the library uses DNS to canonicalize hostnames.
+ *
+ * @param context Kerberos 5 context.
+ *
+ * @return return non zero if the library uses DNS to canonicalize hostnames.
+ *
+ * @ingroup krb5
+ */
+
+krb5_boolean KRB5_LIB_FUNCTION
+krb5_get_dns_canonicalize_hostname (krb5_context context)
+{
+    return (context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) ? 1 : 0;
+}
+
+/**
+ * Get current offset in time to the KDC.
+ *
+ * @param context Kerberos 5 context.
+ * @param sec seconds part of offset.
+ * @param usec micro seconds part of offset.
+ *
+ * @return return non zero if the library uses DNS to canonicalize hostnames.
+ *
+ * @ingroup krb5
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec)
+{
+    if (sec)
+	*sec = context->kdc_sec_offset;
+    if (usec)
+	*usec = context->kdc_usec_offset;
+    return 0;
+}
+
+/**
+ * Get max time skew allowed.
+ *
+ * @param context Kerberos 5 context.
+ *
+ * @return timeskew in seconds.
+ *
+ * @ingroup krb5
+ */
+
+time_t KRB5_LIB_FUNCTION
+krb5_get_max_time_skew (krb5_context context)
+{
+    return context->max_skew;
+}
+
+/**
+ * Set max time skew allowed.
+ *
+ * @param context Kerberos 5 context.
+ * @param t timeskew in seconds.
+ *
+ * @ingroup krb5
+ */
+
+void KRB5_LIB_FUNCTION
+krb5_set_max_time_skew (krb5_context context, time_t t)
+{
+    context->max_skew = t;
+}
diff --git a/crypto/heimdal/lib/krb5/convert_creds.c b/crypto/heimdal/lib/krb5/convert_creds.c
index 0c119e7..b2af018 100644
--- a/crypto/heimdal/lib/krb5/convert_creds.c
+++ b/crypto/heimdal/lib/krb5/convert_creds.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,7 +32,7 @@
  */
 
 #include "krb5_locl.h"
-RCSID("$Id: convert_creds.c,v 1.26 2003/03/18 03:11:16 lha Exp $");
+RCSID("$Id: convert_creds.c 22050 2007-11-11 11:20:46Z lha $");
 
 #include "krb5-v4compat.h"
 
@@ -42,70 +42,23 @@ check_ticket_flags(TicketFlags f)
     return 0; /* maybe add some more tests here? */
 }
 
-/* include this here, to avoid dependencies on libkrb */
-
-static const int _tkt_lifetimes[TKTLIFENUMFIXED] = {
-   38400,   41055,   43894,   46929,   50174,   53643,   57352,   61318,
-   65558,   70091,   74937,   80119,   85658,   91581,   97914,  104684,
-  111922,  119661,  127935,  136781,  146239,  156350,  167161,  178720,
-  191077,  204289,  218415,  233517,  249664,  266926,  285383,  305116,
-  326213,  348769,  372885,  398668,  426234,  455705,  487215,  520904,
-  556921,  595430,  636601,  680618,  727680,  777995,  831789,  889303,
-  950794, 1016537, 1086825, 1161973, 1242318, 1328218, 1420057, 1518247,
- 1623226, 1735464, 1855462, 1983758, 2120925, 2267576, 2424367, 2592000
-};
-
-int
-_krb5_krb_time_to_life(time_t start, time_t end)
-{
-    int i;
-    time_t life = end - start;
-
-    if (life > MAXTKTLIFETIME || life <= 0) 
-	return 0;
-#if 0    
-    if (krb_no_long_lifetimes) 
-	return (life + 5*60 - 1)/(5*60);
-#endif
-    
-    if (end >= NEVERDATE)
-	return TKTLIFENOEXPIRE;
-    if (life < _tkt_lifetimes[0]) 
-	return (life + 5*60 - 1)/(5*60);
-    for (i=0; i<TKTLIFENUMFIXED; i++)
-	if (life <= _tkt_lifetimes[i])
-	    return i + TKTLIFEMINFIXED;
-    return 0;
-    
-}
-
-time_t
-_krb5_krb_life_to_time(int start, int life_)
-{
-    unsigned char life = (unsigned char) life_;
-
-#if 0    
-    if (krb_no_long_lifetimes)
-	return start + life*5*60;
-#endif
-
-    if (life == TKTLIFENOEXPIRE)
-	return NEVERDATE;
-    if (life < TKTLIFEMINFIXED)
-	return start + life*5*60;
-    if (life > TKTLIFEMAXFIXED)
-	return start + MAXTKTLIFETIME;
-    return start + _tkt_lifetimes[life - TKTLIFEMINFIXED];
-}
-
-
-/* Convert the v5 credentials in `in_cred' to v4-dito in `v4creds'.
- * This is done by sending them to the 524 function in the KDC.  If
+/**
+ * Convert the v5 credentials in in_cred to v4-dito in v4creds.  This
+ * is done by sending them to the 524 function in the KDC.  If
  * `in_cred' doesn't contain a DES session key, then a new one is
  * gotten from the KDC and stored in the cred cache `ccache'.
+ *
+ * @param context Kerberos 5 context.
+ * @param in_cred the credential to convert
+ * @param v4creds the converted credential
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5_v4compat
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb524_convert_creds_kdc(krb5_context context, 
 			 krb5_creds *in_cred,
 			 struct credentials *v4creds)
@@ -126,8 +79,8 @@ krb524_convert_creds_kdc(krb5_context context,
 	krb5_krbhst_handle handle;
 
 	ret = krb5_krbhst_init(context,
-			       *krb5_princ_realm(context, 
-						v5_creds->server),
+			       krb5_principal_get_realm(context, 
+							v5_creds->server),
 			       KRB5_KRBHST_KRB524,
 			       &handle);
 	if (ret)
@@ -191,7 +144,22 @@ out2:
     return ret;
 }
 
-krb5_error_code
+/**
+ * Convert the v5 credentials in in_cred to v4-dito in v4creds,
+ * check the credential cache ccache before checking with the KDC.
+ *
+ * @param context Kerberos 5 context.
+ * @param ccache credential cache used to check for des-ticket.
+ * @param in_cred the credential to convert
+ * @param v4creds the converted credential
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5_v4compat
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb524_convert_creds_kdc_ccache(krb5_context context, 
 				krb5_ccache ccache,
 				krb5_creds *in_cred,
@@ -212,18 +180,18 @@ krb524_convert_creds_kdc_ccache(krb5_context context,
 	template.session.keytype = ENCTYPE_DES_CBC_CRC;
 	ret = krb5_copy_principal (context, in_cred->client, &template.client);
 	if (ret) {
-	    krb5_free_creds_contents (context, &template);
+	    krb5_free_cred_contents (context, &template);
 	    return ret;
 	}
 	ret = krb5_copy_principal (context, in_cred->server, &template.server);
 	if (ret) {
-	    krb5_free_creds_contents (context, &template);
+	    krb5_free_cred_contents (context, &template);
 	    return ret;
 	}
 
 	ret = krb5_get_credentials (context, 0, ccache,
 				    &template, &v5_creds);
-	krb5_free_creds_contents (context, &template);
+	krb5_free_cred_contents (context, &template);
 	if (ret)
 	    return ret;
     }
diff --git a/crypto/heimdal/lib/krb5/copy_host_realm.c b/crypto/heimdal/lib/krb5/copy_host_realm.c
index 38fdfa8..8c4f39b 100644
--- a/crypto/heimdal/lib/krb5/copy_host_realm.c
+++ b/crypto/heimdal/lib/krb5/copy_host_realm.c
@@ -33,13 +33,22 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: copy_host_realm.c,v 1.4 2001/05/14 06:14:45 assar Exp $");
+RCSID("$Id: copy_host_realm.c 22057 2007-11-11 15:13:13Z lha $");
 
-/*
+/**
  * Copy the list of realms from `from' to `to'.
+ *
+ * @param context Kerberos 5 context.
+ * @param from list of realms to copy from.
+ * @param to list of realms to copy to, free list of krb5_free_host_realm().
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_copy_host_realm(krb5_context context,
 		     const krb5_realm *from,
 		     krb5_realm **to)
diff --git a/crypto/heimdal/lib/krb5/crc.c b/crypto/heimdal/lib/krb5/crc.c
index c7cedd8..072c29d 100644
--- a/crypto/heimdal/lib/krb5/crc.c
+++ b/crypto/heimdal/lib/krb5/crc.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: crc.c,v 1.9 2000/08/03 01:45:14 assar Exp $");
+RCSID("$Id: crc.c 17442 2006-05-05 09:31:15Z lha $");
 
 static u_long table[256];
 
@@ -62,8 +62,8 @@ _krb5_crc_init_table(void)
     flag = 1;
 }
 
-u_int32_t
-_krb5_crc_update (const char *p, size_t len, u_int32_t res)
+uint32_t
+_krb5_crc_update (const char *p, size_t len, uint32_t res)
 {
     while (len--)
 	res = table[(res ^ *p++) & 0xFF] ^ (res >> 8);
diff --git a/crypto/heimdal/lib/krb5/creds.c b/crypto/heimdal/lib/krb5/creds.c
index 01c1c30..17ef46d 100644
--- a/crypto/heimdal/lib/krb5/creds.c
+++ b/crypto/heimdal/lib/krb5/creds.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,16 +33,32 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: creds.c,v 1.15 2001/05/14 06:14:45 assar Exp $");
+RCSID("$Id: creds.c 22062 2007-11-11 15:41:50Z lha $");
 
-krb5_error_code
-krb5_free_cred_contents (krb5_context context, krb5_creds *c)
+#undef __attribute__
+#define __attribute__(X)
+
+/* keep this for compatibility with older code */
+krb5_error_code KRB5_LIB_FUNCTION __attribute__((deprecated))
+krb5_free_creds_contents (krb5_context context, krb5_creds *c)
 {
-    return krb5_free_creds_contents (context, c);
+    return krb5_free_cred_contents (context, c);
 }    
 
-krb5_error_code
-krb5_free_creds_contents (krb5_context context, krb5_creds *c)
+/**
+ * Free content of krb5_creds.
+ *
+ * @param context Kerberos 5 context.
+ * @param c krb5_creds to free.
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_free_cred_contents (krb5_context context, krb5_creds *c)
 {
     krb5_free_principal (context, c->client);
     c->client = NULL;
@@ -53,10 +69,24 @@ krb5_free_creds_contents (krb5_context context, krb5_creds *c)
     krb5_data_free (&c->second_ticket);
     free_AuthorizationData (&c->authdata);
     krb5_free_addresses (context, &c->addresses);
+    memset(c, 0, sizeof(*c));
     return 0;
 }
 
-krb5_error_code
+/**
+ * Copy content of krb5_creds.
+ *
+ * @param context Kerberos 5 context.
+ * @param incred source credential
+ * @param c destination credential, free with krb5_free_cred_contents().
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_copy_creds_contents (krb5_context context,
 			  const krb5_creds *incred,
 			  krb5_creds *c)
@@ -96,11 +126,24 @@ krb5_copy_creds_contents (krb5_context context,
     return 0;
 
 fail:
-    krb5_free_creds_contents (context, c);
+    krb5_free_cred_contents (context, c);
     return ret;
 }
 
-krb5_error_code
+/**
+ * Copy krb5_creds.
+ *
+ * @param context Kerberos 5 context.
+ * @param incred source credential
+ * @param outcred destination credential, free with krb5_free_creds().
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_copy_creds (krb5_context context,
 		 const krb5_creds *incred,
 		 krb5_creds **outcred)
@@ -117,35 +160,110 @@ krb5_copy_creds (krb5_context context,
     return krb5_copy_creds_contents (context, incred, c);
 }
 
-krb5_error_code
+/**
+ * Free krb5_creds.
+ *
+ * @param context Kerberos 5 context.
+ * @param c krb5_creds to free.
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_free_creds (krb5_context context, krb5_creds *c)
 {
-    krb5_free_creds_contents (context, c);
+    krb5_free_cred_contents (context, c);
     free (c);
     return 0;
 }
 
-/*
+/* XXX this do not belong here */
+static krb5_boolean
+krb5_times_equal(const krb5_times *a, const krb5_times *b)
+{
+    return a->starttime == b->starttime &&
+	a->authtime == b->authtime &&
+	a->endtime == b->endtime &&
+	a->renew_till == b->renew_till;
+}
+
+/**
  * Return TRUE if `mcreds' and `creds' are equal (`whichfields'
  * determines what equal means).
+ *
+ * @param context Kerberos 5 context.
+ * @param whichfields which fields to compare.
+ * @param mcreds cred to compare with.
+ * @param creds cred to compare with.
+ *
+ * @return return TRUE if mcred and creds are equal, FALSE if not.
+ *
+ * @ingroup krb5
  */
 
-krb5_boolean
-krb5_compare_creds(krb5_context context, krb5_flags whichfields, 
-		   const krb5_creds *mcreds, const krb5_creds *creds)
+krb5_boolean KRB5_LIB_FUNCTION
+krb5_compare_creds(krb5_context context, krb5_flags whichfields,
+		   const krb5_creds * mcreds, const krb5_creds * creds)
 {
-    krb5_boolean match;
-
-    if(whichfields & KRB5_TC_DONT_MATCH_REALM)
-	match = krb5_principal_compare_any_realm(context, 
-						 mcreds->server, 
-						 creds->server);
-    else
-	match = krb5_principal_compare(context, mcreds->server, creds->server);
-    if(match && (whichfields & KRB5_TC_MATCH_KEYTYPE) &&
-       !krb5_enctypes_compatible_keys (context,
-				       mcreds->session.keytype,
-				       creds->session.keytype))
-	match = FALSE;
+    krb5_boolean match = TRUE;
+    
+    if (match && mcreds->server) {
+	if (whichfields & (KRB5_TC_DONT_MATCH_REALM | KRB5_TC_MATCH_SRV_NAMEONLY)) 
+	    match = krb5_principal_compare_any_realm (context, mcreds->server, 
+						      creds->server);
+	else
+	    match = krb5_principal_compare (context, mcreds->server, 
+					    creds->server);
+    }
+
+    if (match && mcreds->client) {
+	if(whichfields & KRB5_TC_DONT_MATCH_REALM)
+	    match = krb5_principal_compare_any_realm (context, mcreds->client, 
+						      creds->client);
+	else
+	    match = krb5_principal_compare (context, mcreds->client, 
+					    creds->client);
+    }
+	    
+    if (match && (whichfields & KRB5_TC_MATCH_KEYTYPE))
+	match = krb5_enctypes_compatible_keys(context,
+					      mcreds->session.keytype,
+					      creds->session.keytype);
+
+    if (match && (whichfields & KRB5_TC_MATCH_FLAGS_EXACT))
+	match = mcreds->flags.i == creds->flags.i;
+
+    if (match && (whichfields & KRB5_TC_MATCH_FLAGS))
+	match = (creds->flags.i & mcreds->flags.i) == mcreds->flags.i;
+
+    if (match && (whichfields & KRB5_TC_MATCH_TIMES_EXACT))
+	match = krb5_times_equal(&mcreds->times, &creds->times);
+    
+    if (match && (whichfields & KRB5_TC_MATCH_TIMES))
+	/* compare only expiration times */
+	match = (mcreds->times.renew_till <= creds->times.renew_till) &&
+	    (mcreds->times.endtime <= creds->times.endtime);
+
+    if (match && (whichfields & KRB5_TC_MATCH_AUTHDATA)) {
+	unsigned int i;
+	if(mcreds->authdata.len != creds->authdata.len)
+	    match = FALSE;
+	else
+	    for(i = 0; match && i < mcreds->authdata.len; i++)
+		match = (mcreds->authdata.val[i].ad_type == 
+			 creds->authdata.val[i].ad_type) &&
+		    (krb5_data_cmp(&mcreds->authdata.val[i].ad_data,
+				   &creds->authdata.val[i].ad_data) == 0);
+    }
+    if (match && (whichfields & KRB5_TC_MATCH_2ND_TKT))
+	match = (krb5_data_cmp(&mcreds->second_ticket, &creds->second_ticket) == 0);
+
+    if (match && (whichfields & KRB5_TC_MATCH_IS_SKEY))
+	match = ((mcreds->second_ticket.length == 0) == 
+		 (creds->second_ticket.length == 0));
+
     return match;
 }
diff --git a/crypto/heimdal/lib/krb5/data.c b/crypto/heimdal/lib/krb5/data.c
index d2bfeb2..eda1a8b 100644
--- a/crypto/heimdal/lib/krb5/data.c
+++ b/crypto/heimdal/lib/krb5/data.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,30 +33,65 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: data.c,v 1.17 2003/03/25 22:07:17 lha Exp $");
+RCSID("$Id: data.c 22064 2007-11-11 16:28:14Z lha $");
 
-void
+/**
+ * Reset the (potentially uninitalized) krb5_data structure.
+ *
+ * @param p krb5_data to reset.
+ *
+ * @ingroup krb5
+ */
+
+void KRB5_LIB_FUNCTION
 krb5_data_zero(krb5_data *p)
 {
     p->length = 0;
     p->data   = NULL;
 }
 
-void
+/**
+ * Free the content of krb5_data structure, its ok to free a zeroed
+ * structure. When done, the structure will be zeroed.
+ * 
+ * @param p krb5_data to free.
+ *
+ * @ingroup krb5
+ */
+
+void KRB5_LIB_FUNCTION
 krb5_data_free(krb5_data *p)
 {
     if(p->data != NULL)
 	free(p->data);
-    p->length = 0;
+    krb5_data_zero(p);
 }
 
-void 
+/**
+ * Same as krb5_data_free().
+ * 
+ * @param context Kerberos 5 context.
+ * @param data krb5_data to free.
+ *
+ * @ingroup krb5
+ */
+
+void KRB5_LIB_FUNCTION 
 krb5_free_data_contents(krb5_context context, krb5_data *data)
 {
     krb5_data_free(data);
 }
 
-void
+/**
+ * Free krb5_data (and its content).
+ * 
+ * @param context Kerberos 5 context.
+ * @param p krb5_data to free.
+ *
+ * @ingroup krb5
+ */
+
+void KRB5_LIB_FUNCTION
 krb5_free_data(krb5_context context,
 	       krb5_data *p)
 {
@@ -64,7 +99,19 @@ krb5_free_data(krb5_context context,
     free(p);
 }
 
-krb5_error_code
+/**
+ * Allocate data of and krb5_data.
+ * 
+ * @param p krb5_data to free.
+ * @param len size to allocate.
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned.
+ *
+ * @ingroup krb5
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_data_alloc(krb5_data *p, int len)
 {
     p->data = malloc(len);
@@ -74,7 +121,19 @@ krb5_data_alloc(krb5_data *p, int len)
     return 0;
 }
 
-krb5_error_code
+/**
+ * Grow (or shrink) the content of krb5_data to a new size.
+ * 
+ * @param p krb5_data to free.
+ * @param len new size.
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned.
+ *
+ * @ingroup krb5
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_data_realloc(krb5_data *p, int len)
 {
     void *tmp;
@@ -86,7 +145,20 @@ krb5_data_realloc(krb5_data *p, int len)
     return 0;
 }
 
-krb5_error_code
+/**
+ * Copy the data of len into the krb5_data.
+ * 
+ * @param p krb5_data to copy into.
+ * @param data data to copy..
+ * @param len new size.
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned.
+ *
+ * @ingroup krb5
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_data_copy(krb5_data *p, const void *data, size_t len)
 {
     if (len) {
@@ -99,7 +171,20 @@ krb5_data_copy(krb5_data *p, const void *data, size_t len)
     return 0;
 }
 
-krb5_error_code
+/**
+ * Copy the data into a newly allocated krb5_data.
+ * 
+ * @param context Kerberos 5 context.
+ * @param indata the krb5_data data to copy
+ * @param outdata new krb5_date to copy too. Free with krb5_free_data().
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned.
+ *
+ * @ingroup krb5
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_copy_data(krb5_context context, 
 	       const krb5_data *indata, 
 	       krb5_data **outdata)
@@ -110,10 +195,30 @@ krb5_copy_data(krb5_context context,
 	krb5_set_error_string(context, "malloc: out of memory");
 	return ENOMEM;
     }
-    ret = copy_octet_string(indata, *outdata);
+    ret = der_copy_octet_string(indata, *outdata);
     if(ret) {
 	krb5_clear_error_string (context);
 	free(*outdata);
+	*outdata = NULL;
     }
     return ret;
 }
+
+/**
+ * Compare to data.
+ * 
+ * @param data1 krb5_data to compare
+ * @param data2 krb5_data to compare
+ *
+ * @return return the same way as memcmp(), useful when sorting.
+ *
+ * @ingroup krb5
+ */
+
+int KRB5_LIB_FUNCTION
+krb5_data_cmp(const krb5_data *data1, const krb5_data *data2)
+{
+    if (data1->length != data2->length)
+	return data1->length - data2->length;
+    return memcmp(data1->data, data2->data, data1->length);
+}
diff --git a/crypto/heimdal/lib/krb5/derived-key-test.c b/crypto/heimdal/lib/krb5/derived-key-test.c
index 0a47dd3..debadb8 100644
--- a/crypto/heimdal/lib/krb5/derived-key-test.c
+++ b/crypto/heimdal/lib/krb5/derived-key-test.c
@@ -31,8 +31,9 @@
  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
 
 #include "krb5_locl.h"
+#include <err.h>
 
-RCSID("$Id: derived-key-test.c,v 1.1 2001/03/12 07:44:52 assar Exp $");
+RCSID("$Id: derived-key-test.c 16342 2005-12-02 14:14:43Z lha $");
 
 enum { MAXSIZE = 24 };
 
@@ -76,7 +77,7 @@ static struct testcase {
     {0}
 };
 
-int
+int KRB5_LIB_FUNCTION
 main(int argc, char **argv)
 {
     struct testcase *t;
@@ -114,6 +115,9 @@ main(int argc, char **argv)
 	    printf ("\n");
 	    val = 1;
 	}
+	krb5_free_keyblock(context, dkey);
     }
+    krb5_free_context(context);
+
     return val;
 }
diff --git a/crypto/heimdal/lib/krb5/digest.c b/crypto/heimdal/lib/krb5/digest.c
new file mode 100644
index 0000000..6e612ed
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/digest.c
@@ -0,0 +1,1199 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+RCSID("$Id: digest.c 22156 2007-12-04 20:02:49Z lha $");
+#include "digest_asn1.h"
+
+struct krb5_digest_data {
+    char *cbtype;
+    char *cbbinding;
+
+    DigestInit init;
+    DigestInitReply initReply;
+    DigestRequest request;
+    DigestResponse response;
+};
+
+krb5_error_code
+krb5_digest_alloc(krb5_context context, krb5_digest *digest)
+{
+    krb5_digest d;
+
+    d = calloc(1, sizeof(*d));
+    if (d == NULL) {
+	*digest = NULL;
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    *digest = d;
+
+    return 0;
+}
+
+void
+krb5_digest_free(krb5_digest digest)
+{
+    if (digest == NULL)
+	return;
+    free_DigestInit(&digest->init);
+    free_DigestInitReply(&digest->initReply);
+    free_DigestRequest(&digest->request);
+    free_DigestResponse(&digest->response);
+    memset(digest, 0, sizeof(*digest));
+    free(digest);
+    return;
+}
+
+krb5_error_code
+krb5_digest_set_server_cb(krb5_context context,
+			  krb5_digest digest,
+			  const char *type,
+			  const char *binding)
+{
+    if (digest->init.channel) {
+	krb5_set_error_string(context, "server channel binding already set");
+	return EINVAL;
+    }
+    digest->init.channel = calloc(1, sizeof(*digest->init.channel));
+    if (digest->init.channel == NULL)
+	goto error;
+
+    digest->init.channel->cb_type = strdup(type);
+    if (digest->init.channel->cb_type == NULL)
+	goto error;
+
+    digest->init.channel->cb_binding = strdup(binding);
+    if (digest->init.channel->cb_binding == NULL) 
+	goto error;
+    return 0;
+error:
+    if (digest->init.channel) {
+	free(digest->init.channel->cb_type);
+	free(digest->init.channel->cb_binding);
+	free(digest->init.channel);
+	digest->init.channel = NULL;
+    }
+    krb5_set_error_string(context, "out of memory");
+    return ENOMEM;
+}
+
+krb5_error_code
+krb5_digest_set_type(krb5_context context,
+		     krb5_digest digest,
+		     const char *type)
+{
+    if (digest->init.type) {
+	krb5_set_error_string(context, "client type already set");
+	return EINVAL;
+    }
+    digest->init.type = strdup(type);
+    if (digest->init.type == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_digest_set_hostname(krb5_context context,
+			 krb5_digest digest,
+			 const char *hostname)
+{
+    if (digest->init.hostname) {
+	krb5_set_error_string(context, "server hostname already set");
+	return EINVAL;
+    }
+    digest->init.hostname = malloc(sizeof(*digest->init.hostname));
+    if (digest->init.hostname == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    *digest->init.hostname = strdup(hostname);
+    if (*digest->init.hostname == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	free(digest->init.hostname);
+	digest->init.hostname = NULL;
+	return ENOMEM;
+    }
+    return 0;
+}
+
+const char *
+krb5_digest_get_server_nonce(krb5_context context,
+			     krb5_digest digest)
+{
+    return digest->initReply.nonce;
+}
+
+krb5_error_code
+krb5_digest_set_server_nonce(krb5_context context,
+			     krb5_digest digest,
+			     const char *nonce)
+{
+    if (digest->request.serverNonce) {
+	krb5_set_error_string(context, "nonce already set");
+	return EINVAL;
+    }
+    digest->request.serverNonce = strdup(nonce);
+    if (digest->request.serverNonce == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    return 0;
+}
+
+const char *
+krb5_digest_get_opaque(krb5_context context,
+		       krb5_digest digest)
+{
+    return digest->initReply.opaque;
+}
+
+krb5_error_code
+krb5_digest_set_opaque(krb5_context context,
+		       krb5_digest digest,
+		       const char *opaque)
+{
+    if (digest->request.opaque) {
+	krb5_set_error_string(context, "opaque already set");
+	return EINVAL;
+    }
+    digest->request.opaque = strdup(opaque);
+    if (digest->request.opaque == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    return 0;
+}
+
+const char *
+krb5_digest_get_identifier(krb5_context context,
+			   krb5_digest digest)
+{
+    if (digest->initReply.identifier == NULL)
+	return NULL;
+    return *digest->initReply.identifier;
+}
+
+krb5_error_code
+krb5_digest_set_identifier(krb5_context context,
+			   krb5_digest digest,
+			   const char *id)
+{
+    if (digest->request.identifier) {
+	krb5_set_error_string(context, "identifier already set");
+	return EINVAL;
+    }
+    digest->request.identifier = calloc(1, sizeof(*digest->request.identifier));
+    if (digest->request.identifier == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    *digest->request.identifier = strdup(id);
+    if (*digest->request.identifier == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	free(digest->request.identifier);
+	digest->request.identifier = NULL;
+	return ENOMEM;
+    }
+    return 0;
+}
+
+static krb5_error_code
+digest_request(krb5_context context,
+	       krb5_realm realm,
+	       krb5_ccache ccache,
+	       krb5_key_usage usage,
+	       const DigestReqInner *ireq,
+	       DigestRepInner *irep)
+{
+    DigestREQ req;
+    DigestREP rep;
+    krb5_error_code ret;
+    krb5_data data, data2;
+    size_t size;
+    krb5_crypto crypto = NULL;
+    krb5_auth_context ac = NULL;
+    krb5_principal principal = NULL;
+    krb5_ccache id = NULL;
+    krb5_realm r = NULL;
+
+    krb5_data_zero(&data);
+    krb5_data_zero(&data2);
+    memset(&req, 0, sizeof(req));
+    memset(&rep, 0, sizeof(rep));
+
+    if (ccache == NULL) {
+	ret = krb5_cc_default(context, &id);
+	if (ret)
+	    goto out;
+    } else
+	id = ccache;
+
+    if (realm == NULL) {
+	ret = krb5_get_default_realm(context, &r);
+	if (ret)
+	    goto out;
+    } else
+	r = realm;
+
+    /*
+     *
+     */
+
+    ret = krb5_make_principal(context, &principal, 
+			      r, KRB5_DIGEST_NAME, r, NULL);
+    if (ret)
+	goto out;
+
+    ASN1_MALLOC_ENCODE(DigestReqInner, data.data, data.length,
+		       ireq, &size, ret);
+    if (ret) {
+	krb5_set_error_string(context,
+			      "Failed to encode digest inner request");
+	goto out;
+    }
+    if (size != data.length)
+	krb5_abortx(context, "ASN.1 internal encoder error");
+
+    ret = krb5_mk_req_exact(context, &ac, 
+			    AP_OPTS_USE_SUBKEY|AP_OPTS_MUTUAL_REQUIRED,
+			    principal, NULL, id, &req.apReq);
+    if (ret)
+	goto out;
+
+    {
+	krb5_keyblock *key;
+
+	ret = krb5_auth_con_getlocalsubkey(context, ac, &key);
+	if (ret)
+	    goto out;
+	if (key == NULL) {
+	    krb5_set_error_string(context, "Digest failed to get local subkey");
+	    ret = EINVAL;
+	    goto out;
+	}
+
+	ret = krb5_crypto_init(context, key, 0, &crypto);
+	krb5_free_keyblock (context, key);
+	if (ret)
+	    goto out;
+    }
+
+    ret = krb5_encrypt_EncryptedData(context, crypto, usage,
+				     data.data, data.length, 0, 
+				     &req.innerReq);
+    if (ret)
+	goto out;
+
+    krb5_data_free(&data);
+
+    ASN1_MALLOC_ENCODE(DigestREQ, data.data, data.length,
+		       &req, &size, ret);
+    if (ret) {
+	krb5_set_error_string(context, "Failed to encode DigestREQest");
+	goto out;
+    }
+    if (size != data.length)
+	krb5_abortx(context, "ASN.1 internal encoder error");
+
+    ret = krb5_sendto_kdc(context, &data, &r, &data2);
+    if (ret)
+	goto out;
+
+    ret = decode_DigestREP(data2.data, data2.length, &rep, NULL);
+    if (ret) {
+	krb5_set_error_string(context, "Failed to parse digest response");
+	goto out;
+    }
+
+    {
+	krb5_ap_rep_enc_part *repl;
+
+	ret = krb5_rd_rep(context, ac, &rep.apRep, &repl);
+	if (ret)
+	    goto out;
+
+	krb5_free_ap_rep_enc_part(context, repl);
+    }
+    {
+	krb5_keyblock *key;
+
+	ret = krb5_auth_con_getremotesubkey(context, ac, &key);
+	if (ret)
+	    goto out;
+	if (key == NULL) {
+	    ret = EINVAL;
+	    krb5_set_error_string(context, 
+				  "Digest reply have no remote subkey");
+	    goto out;
+	}
+
+	krb5_crypto_destroy(context, crypto);
+	ret = krb5_crypto_init(context, key, 0, &crypto);
+	krb5_free_keyblock (context, key);
+	if (ret)
+	    goto out;
+    }
+
+    krb5_data_free(&data);
+    ret = krb5_decrypt_EncryptedData(context, crypto, usage,
+				     &rep.innerRep, &data);
+    if (ret)
+	goto out;
+    
+    ret = decode_DigestRepInner(data.data, data.length, irep, NULL);
+    if (ret) {
+	krb5_set_error_string(context, "Failed to decode digest inner reply");
+	goto out;
+    }
+
+out:
+    if (ccache == NULL && id)
+	krb5_cc_close(context, id);
+    if (realm == NULL && r)
+	free(r);
+    if (crypto)
+	krb5_crypto_destroy(context, crypto);
+    if (ac)
+	krb5_auth_con_free(context, ac);
+    if (principal)
+	krb5_free_principal(context, principal);
+
+    krb5_data_free(&data);
+    krb5_data_free(&data2);
+
+    free_DigestREQ(&req);
+    free_DigestREP(&rep);
+
+    return ret;
+}
+
+krb5_error_code
+krb5_digest_init_request(krb5_context context,
+			 krb5_digest digest,
+			 krb5_realm realm,
+			 krb5_ccache ccache)
+{
+    DigestReqInner ireq;
+    DigestRepInner irep;
+    krb5_error_code ret;
+
+    memset(&ireq, 0, sizeof(ireq));
+    memset(&irep, 0, sizeof(irep));
+
+    if (digest->init.type == NULL) {
+	krb5_set_error_string(context, "Type missing from init req");
+	return EINVAL;
+    }
+
+    ireq.element = choice_DigestReqInner_init;
+    ireq.u.init = digest->init;
+
+    ret = digest_request(context, realm, ccache,
+			 KRB5_KU_DIGEST_ENCRYPT, &ireq, &irep);
+    if (ret)
+	goto out;
+
+    if (irep.element == choice_DigestRepInner_error) {
+	krb5_set_error_string(context, "Digest init error: %s",
+			      irep.u.error.reason);
+	ret = irep.u.error.code;
+	goto out;
+    }
+
+    if (irep.element != choice_DigestRepInner_initReply) {
+	krb5_set_error_string(context, "digest reply not an initReply");
+	ret = EINVAL;
+	goto out;
+    }
+
+    ret = copy_DigestInitReply(&irep.u.initReply, &digest->initReply);
+    if (ret) {
+	krb5_set_error_string(context, "Failed to copy initReply");
+	goto out;
+    }
+
+out:
+    free_DigestRepInner(&irep);
+
+    return ret;
+}
+
+
+krb5_error_code
+krb5_digest_set_client_nonce(krb5_context context,
+			     krb5_digest digest,
+			     const char *nonce)
+{
+    if (digest->request.clientNonce) {
+	krb5_set_error_string(context, "clientNonce already set");
+	return EINVAL;
+    }
+    digest->request.clientNonce = 
+	calloc(1, sizeof(*digest->request.clientNonce));
+    if (digest->request.clientNonce == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    *digest->request.clientNonce = strdup(nonce);
+    if (*digest->request.clientNonce == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	free(digest->request.clientNonce);
+	digest->request.clientNonce = NULL;
+	return ENOMEM;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_digest_set_digest(krb5_context context,
+		       krb5_digest digest,
+		       const char *dgst)
+{
+    if (digest->request.digest) {
+	krb5_set_error_string(context, "digest already set");
+	return EINVAL;
+    }
+    digest->request.digest = strdup(dgst);
+    if (digest->request.digest == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_digest_set_username(krb5_context context,
+			 krb5_digest digest,
+			 const char *username)
+{
+    if (digest->request.username) {
+	krb5_set_error_string(context, "username already set");
+	return EINVAL;
+    }
+    digest->request.username = strdup(username);
+    if (digest->request.username == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_digest_set_authid(krb5_context context,
+		       krb5_digest digest,
+		       const char *authid)
+{
+    if (digest->request.authid) {
+	krb5_set_error_string(context, "authid already set");
+	return EINVAL;
+    }
+    digest->request.authid = malloc(sizeof(*digest->request.authid));
+    if (digest->request.authid == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    *digest->request.authid = strdup(authid);
+    if (*digest->request.authid == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	free(digest->request.authid);
+	digest->request.authid = NULL;
+	return ENOMEM;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_digest_set_authentication_user(krb5_context context,
+				    krb5_digest digest,
+				    krb5_principal authentication_user)
+{
+    krb5_error_code ret;
+
+    if (digest->request.authentication_user) {
+	krb5_set_error_string(context, "authentication_user already set");
+	return EINVAL;
+    }
+    ret = krb5_copy_principal(context,
+			      authentication_user,
+			      &digest->request.authentication_user);
+    if (digest->request.authentication_user == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_digest_set_realm(krb5_context context,
+		      krb5_digest digest,
+		      const char *realm)
+{
+    if (digest->request.realm) {
+	krb5_set_error_string(context, "realm already set");
+	return EINVAL;
+    }
+    digest->request.realm = malloc(sizeof(*digest->request.realm));
+    if (digest->request.realm == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    *digest->request.realm = strdup(realm);
+    if (*digest->request.realm == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	free(digest->request.realm);
+	digest->request.realm = NULL;
+	return ENOMEM;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_digest_set_method(krb5_context context,
+		       krb5_digest digest,
+		       const char *method)
+{
+    if (digest->request.method) {
+	krb5_set_error_string(context, "method already set");
+	return EINVAL;
+    }
+    digest->request.method = malloc(sizeof(*digest->request.method));
+    if (digest->request.method == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    *digest->request.method = strdup(method);
+    if (*digest->request.method == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	free(digest->request.method);
+	digest->request.method = NULL;
+	return ENOMEM;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_digest_set_uri(krb5_context context,
+		    krb5_digest digest,
+		    const char *uri)
+{
+    if (digest->request.uri) {
+	krb5_set_error_string(context, "uri already set");
+	return EINVAL;
+    }
+    digest->request.uri = malloc(sizeof(*digest->request.uri));
+    if (digest->request.uri == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    *digest->request.uri = strdup(uri);
+    if (*digest->request.uri == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	free(digest->request.uri);
+	digest->request.uri = NULL;
+	return ENOMEM;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_digest_set_nonceCount(krb5_context context,
+			   krb5_digest digest,
+			   const char *nonce_count)
+{
+    if (digest->request.nonceCount) {
+	krb5_set_error_string(context, "nonceCount already set");
+	return EINVAL;
+    }
+    digest->request.nonceCount = 
+	malloc(sizeof(*digest->request.nonceCount));
+    if (digest->request.nonceCount == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    *digest->request.nonceCount = strdup(nonce_count);
+    if (*digest->request.nonceCount == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	free(digest->request.nonceCount);
+	digest->request.nonceCount = NULL;
+	return ENOMEM;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_digest_set_qop(krb5_context context,
+		    krb5_digest digest,
+		    const char *qop)
+{
+    if (digest->request.qop) {
+	krb5_set_error_string(context, "qop already set");
+	return EINVAL;
+    }
+    digest->request.qop = malloc(sizeof(*digest->request.qop));
+    if (digest->request.qop == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    *digest->request.qop = strdup(qop);
+    if (*digest->request.qop == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	free(digest->request.qop);
+	digest->request.qop = NULL;
+	return ENOMEM;
+    }
+    return 0;
+}
+
+int
+krb5_digest_set_responseData(krb5_context context,
+			     krb5_digest digest,
+			     const char *response)
+{
+    digest->request.responseData = strdup(response);
+    if (digest->request.responseData == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_digest_request(krb5_context context,
+		    krb5_digest digest,
+		    krb5_realm realm,
+		    krb5_ccache ccache)
+{
+    DigestReqInner ireq;
+    DigestRepInner irep;
+    krb5_error_code ret;
+
+    memset(&ireq, 0, sizeof(ireq));
+    memset(&irep, 0, sizeof(irep));
+
+    ireq.element = choice_DigestReqInner_digestRequest;
+    ireq.u.digestRequest = digest->request;
+
+    if (digest->request.type == NULL) {
+	if (digest->init.type == NULL) {
+	    krb5_set_error_string(context, "Type missing from req");
+	    return EINVAL;
+	}
+	ireq.u.digestRequest.type = digest->init.type;
+    }
+
+    if (ireq.u.digestRequest.digest == NULL)
+	ireq.u.digestRequest.digest = "md5";
+
+    ret = digest_request(context, realm, ccache,
+			 KRB5_KU_DIGEST_ENCRYPT, &ireq, &irep);
+    if (ret)
+	return ret;
+
+    if (irep.element == choice_DigestRepInner_error) {
+	krb5_set_error_string(context, "Digest response error: %s",
+			      irep.u.error.reason);
+	ret = irep.u.error.code;
+	goto out;
+    }
+
+    if (irep.element != choice_DigestRepInner_response) {
+	krb5_set_error_string(context, "digest reply not an DigestResponse");
+	ret = EINVAL;
+	goto out;
+    }
+
+    ret = copy_DigestResponse(&irep.u.response, &digest->response);
+    if (ret) {
+	krb5_set_error_string(context, "Failed to copy initReply");
+	goto out;
+    }
+
+out:
+    free_DigestRepInner(&irep);
+
+    return ret;
+}
+
+krb5_boolean
+krb5_digest_rep_get_status(krb5_context context, 
+			   krb5_digest digest)
+{
+    return digest->response.success ? TRUE : FALSE;
+}
+
+const char *
+krb5_digest_get_rsp(krb5_context context,
+		    krb5_digest digest)
+{
+    if (digest->response.rsp == NULL)
+	return NULL;
+    return *digest->response.rsp;
+}
+
+krb5_error_code
+krb5_digest_get_tickets(krb5_context context,
+			krb5_digest digest,
+			Ticket **tickets)
+{
+    *tickets = NULL;
+    return 0;
+}
+
+
+krb5_error_code
+krb5_digest_get_client_binding(krb5_context context,
+			       krb5_digest digest,
+			       char **type,
+			       char **binding)
+{
+    if (digest->response.channel) {
+	*type = strdup(digest->response.channel->cb_type);
+	*binding = strdup(digest->response.channel->cb_binding);
+	if (*type == NULL || *binding == NULL) {
+	    free(*type);
+	    free(*binding);
+	    krb5_set_error_string(context, "out of memory");
+	    return ENOMEM;
+	}
+    } else {
+	*type = NULL;
+	*binding = NULL;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_digest_get_session_key(krb5_context context,
+			    krb5_digest digest,
+			    krb5_data *data)
+{
+    krb5_error_code ret;
+
+    krb5_data_zero(data);
+    if (digest->response.session_key == NULL)
+	return 0;
+    ret = der_copy_octet_string(digest->response.session_key, data);
+    if (ret)
+	krb5_clear_error_string(context);
+
+    return ret;
+}
+
+struct krb5_ntlm_data {
+    NTLMInit init;
+    NTLMInitReply initReply;
+    NTLMRequest request;
+    NTLMResponse response;
+};
+
+krb5_error_code
+krb5_ntlm_alloc(krb5_context context, 
+		krb5_ntlm *ntlm)
+{
+    *ntlm = calloc(1, sizeof(**ntlm));
+    if (*ntlm == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_ntlm_free(krb5_context context, krb5_ntlm ntlm)
+{
+    free_NTLMInit(&ntlm->init);
+    free_NTLMInitReply(&ntlm->initReply);
+    free_NTLMRequest(&ntlm->request);
+    free_NTLMResponse(&ntlm->response);
+    memset(ntlm, 0, sizeof(*ntlm));
+    free(ntlm);
+    return 0;
+}
+
+
+krb5_error_code
+krb5_ntlm_init_request(krb5_context context, 
+		       krb5_ntlm ntlm,
+		       krb5_realm realm,
+		       krb5_ccache ccache,
+		       uint32_t flags,
+		       const char *hostname,
+		       const char *domainname)
+{
+    DigestReqInner ireq;
+    DigestRepInner irep;
+    krb5_error_code ret;
+
+    memset(&ireq, 0, sizeof(ireq));
+    memset(&irep, 0, sizeof(irep));
+
+    ntlm->init.flags = flags;
+    if (hostname) {
+	ALLOC(ntlm->init.hostname, 1);
+	*ntlm->init.hostname = strdup(hostname);
+    }
+    if (domainname) {
+	ALLOC(ntlm->init.domain, 1);
+	*ntlm->init.domain = strdup(domainname);
+    }
+
+    ireq.element = choice_DigestReqInner_ntlmInit;
+    ireq.u.ntlmInit = ntlm->init;
+
+    ret = digest_request(context, realm, ccache,
+			 KRB5_KU_DIGEST_ENCRYPT, &ireq, &irep);
+    if (ret)
+	goto out;
+
+    if (irep.element == choice_DigestRepInner_error) {
+	krb5_set_error_string(context, "Digest init error: %s",
+			      irep.u.error.reason);
+	ret = irep.u.error.code;
+	goto out;
+    }
+
+    if (irep.element != choice_DigestRepInner_ntlmInitReply) {
+	krb5_set_error_string(context, "ntlm reply not an initReply");
+	ret = EINVAL;
+	goto out;
+    }
+
+    ret = copy_NTLMInitReply(&irep.u.ntlmInitReply, &ntlm->initReply);
+    if (ret) {
+	krb5_set_error_string(context, "Failed to copy initReply");
+	goto out;
+    }
+
+out:
+    free_DigestRepInner(&irep);
+
+    return ret;
+}
+
+krb5_error_code
+krb5_ntlm_init_get_flags(krb5_context context,
+			 krb5_ntlm ntlm,
+			 uint32_t *flags)
+{
+    *flags = ntlm->initReply.flags;
+    return 0;
+}
+
+krb5_error_code
+krb5_ntlm_init_get_challange(krb5_context context,
+			     krb5_ntlm ntlm,
+			     krb5_data *challange)
+{
+    krb5_error_code ret;
+
+    ret = der_copy_octet_string(&ntlm->initReply.challange, challange);
+    if (ret)
+	krb5_clear_error_string(context);
+
+    return ret;
+}
+
+krb5_error_code
+krb5_ntlm_init_get_opaque(krb5_context context,
+			  krb5_ntlm ntlm,
+			  krb5_data *opaque)
+{
+    krb5_error_code ret;
+
+    ret = der_copy_octet_string(&ntlm->initReply.opaque, opaque);
+    if (ret)
+	krb5_clear_error_string(context);
+
+    return ret;
+}
+
+krb5_error_code
+krb5_ntlm_init_get_targetname(krb5_context context,
+			      krb5_ntlm ntlm,
+			      char **name)
+{
+    *name = strdup(ntlm->initReply.targetname);
+    if (*name == NULL) {
+	krb5_clear_error_string(context);
+	return ENOMEM;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_ntlm_init_get_targetinfo(krb5_context context,
+			      krb5_ntlm ntlm,
+			      krb5_data *data)
+{
+    krb5_error_code ret;
+
+    if (ntlm->initReply.targetinfo == NULL) {
+	krb5_data_zero(data);
+	return 0;
+    }
+
+    ret = krb5_data_copy(data,
+			 ntlm->initReply.targetinfo->data,
+			 ntlm->initReply.targetinfo->length);
+    if (ret) {
+	krb5_clear_error_string(context);
+	return ret;
+    }
+    return 0;
+}
+
+
+krb5_error_code
+krb5_ntlm_request(krb5_context context,
+		  krb5_ntlm ntlm,
+		  krb5_realm realm,
+		  krb5_ccache ccache)
+{
+    DigestReqInner ireq;
+    DigestRepInner irep;
+    krb5_error_code ret;
+
+    memset(&ireq, 0, sizeof(ireq));
+    memset(&irep, 0, sizeof(irep));
+
+    ireq.element = choice_DigestReqInner_ntlmRequest;
+    ireq.u.ntlmRequest = ntlm->request;
+
+    ret = digest_request(context, realm, ccache,
+			 KRB5_KU_DIGEST_ENCRYPT, &ireq, &irep);
+    if (ret)
+	return ret;
+
+    if (irep.element == choice_DigestRepInner_error) {
+	krb5_set_error_string(context, "NTLM response error: %s",
+			      irep.u.error.reason);
+	ret = irep.u.error.code;
+	goto out;
+    }
+
+    if (irep.element != choice_DigestRepInner_ntlmResponse) {
+	krb5_set_error_string(context, "NTLM reply not an NTLMResponse");
+	ret = EINVAL;
+	goto out;
+    }
+
+    ret = copy_NTLMResponse(&irep.u.ntlmResponse, &ntlm->response);
+    if (ret) {
+	krb5_set_error_string(context, "Failed to copy NTLMResponse");
+	goto out;
+    }
+
+out:
+    free_DigestRepInner(&irep);
+
+    return ret;
+}
+
+krb5_error_code
+krb5_ntlm_req_set_flags(krb5_context context, 
+			krb5_ntlm ntlm,
+			uint32_t flags)
+{
+    ntlm->request.flags = flags;
+    return 0;
+}
+
+krb5_error_code
+krb5_ntlm_req_set_username(krb5_context context, 
+			   krb5_ntlm ntlm,
+			   const char *username)
+{
+    ntlm->request.username = strdup(username);
+    if (ntlm->request.username == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_ntlm_req_set_targetname(krb5_context context, 
+			     krb5_ntlm ntlm,
+			     const char *targetname)
+{
+    ntlm->request.targetname = strdup(targetname);
+    if (ntlm->request.targetname == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_ntlm_req_set_lm(krb5_context context, 
+		     krb5_ntlm ntlm,
+		     void *hash, size_t len)
+{
+    ntlm->request.lm.data = malloc(len);
+    if (ntlm->request.lm.data == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    ntlm->request.lm.length = len;
+    memcpy(ntlm->request.lm.data, hash, len);
+    return 0;
+}
+
+krb5_error_code
+krb5_ntlm_req_set_ntlm(krb5_context context, 
+		       krb5_ntlm ntlm,
+		       void *hash, size_t len)
+{
+    ntlm->request.ntlm.data = malloc(len);
+    if (ntlm->request.ntlm.data == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    ntlm->request.ntlm.length = len;
+    memcpy(ntlm->request.ntlm.data, hash, len);
+    return 0;
+}
+
+krb5_error_code
+krb5_ntlm_req_set_opaque(krb5_context context, 
+			 krb5_ntlm ntlm,
+			 krb5_data *opaque)
+{
+    ntlm->request.opaque.data = malloc(opaque->length);
+    if (ntlm->request.opaque.data == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    ntlm->request.opaque.length = opaque->length;
+    memcpy(ntlm->request.opaque.data, opaque->data, opaque->length);
+    return 0;
+}
+
+krb5_error_code
+krb5_ntlm_req_set_session(krb5_context context, 
+			  krb5_ntlm ntlm,
+			  void *sessionkey, size_t length)
+{
+    ntlm->request.sessionkey = calloc(1, sizeof(*ntlm->request.sessionkey));
+    if (ntlm->request.sessionkey == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    ntlm->request.sessionkey->data = malloc(length);
+    if (ntlm->request.sessionkey->data == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    memcpy(ntlm->request.sessionkey->data, sessionkey, length);
+    ntlm->request.sessionkey->length = length;
+    return 0;
+}
+
+krb5_boolean
+krb5_ntlm_rep_get_status(krb5_context context, 
+			 krb5_ntlm ntlm)
+{
+    return ntlm->response.success ? TRUE : FALSE;
+}
+
+krb5_error_code
+krb5_ntlm_rep_get_sessionkey(krb5_context context, 
+			     krb5_ntlm ntlm,
+			     krb5_data *data)
+{
+    if (ntlm->response.sessionkey == NULL) {
+	krb5_set_error_string(context, "no ntlm session key");
+	return EINVAL;
+    }
+    krb5_clear_error_string(context);
+    return krb5_data_copy(data,
+			  ntlm->response.sessionkey->data,
+			  ntlm->response.sessionkey->length);
+}
+
+/**
+ * Get the supported/allowed mechanism for this principal.
+ *
+ * @param context A Keberos context.
+ * @param realm The realm of the KDC.
+ * @param ccache The credential cache to use when talking to the KDC.
+ * @param flags The supported mechanism.
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_digest
+ */
+
+krb5_error_code
+krb5_digest_probe(krb5_context context,
+		  krb5_realm realm,
+		  krb5_ccache ccache,
+		  unsigned *flags)
+{
+    DigestReqInner ireq;
+    DigestRepInner irep;
+    krb5_error_code ret;
+
+    memset(&ireq, 0, sizeof(ireq));
+    memset(&irep, 0, sizeof(irep));
+
+    ireq.element = choice_DigestReqInner_supportedMechs;
+
+    ret = digest_request(context, realm, ccache,
+			 KRB5_KU_DIGEST_ENCRYPT, &ireq, &irep);
+    if (ret)
+	goto out;
+
+    if (irep.element == choice_DigestRepInner_error) {
+	krb5_set_error_string(context, "Digest probe error: %s",
+			      irep.u.error.reason);
+	ret = irep.u.error.code;
+	goto out;
+    }
+
+    if (irep.element != choice_DigestRepInner_supportedMechs) {
+	krb5_set_error_string(context, "Digest reply not an probe");
+	ret = EINVAL;
+	goto out;
+    }
+
+    *flags = DigestTypes2int(irep.u.supportedMechs);
+
+out:
+    free_DigestRepInner(&irep);
+
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/doxygen.c b/crypto/heimdal/lib/krb5/doxygen.c
new file mode 100644
index 0000000..b7c6f8f
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/doxygen.c
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+RCSID("$Id$");
+
+/**
+ * 
+ */
+
+/*! \mainpage Heimdal Kerberos 5 library
+ *
+ * \section intro Introduction
+ *
+ * Heimdal libkrb5 library is a implementation of the Kerberos
+ * protocol.
+ * 
+ * Kerberos is a system for authenticating users and services on a
+ * network.  It is built upon the assumption that the network is
+ * ``unsafe''.  For example, data sent over the network can be
+ * eavesdropped and altered, and addresses can also be faked.
+ * Therefore they cannot be used for authentication purposes.
+ *
+ * The project web page:\n
+ * http://www.h5l.org/
+ *
+ */
+
+/** @defgroup krb5 Heimdal Kerberos 5 library */
+/** @defgroup krb5_address Heimdal Kerberos 5 address functions */
+/** @defgroup krb5_ccache Heimdal Kerberos 5 credential cache functions */
+/** @defgroup krb5_credential Heimdal Kerberos 5 credential handing functions */
+/** @defgroup krb5_deprecated Heimdal Kerberos 5 deprecated functions */
+/** @defgroup krb5_digest Heimdal Kerberos 5 digest service */
+/** @defgroup krb5_error Heimdal Kerberos 5 error reporting functions */
+/** @defgroup krb5_v4compat Heimdal Kerberos 4 compatiblity functions */
+/** @defgroup krb5_support Heimdal Kerberos 5 support functions */
diff --git a/crypto/heimdal/lib/krb5/eai_to_heim_errno.c b/crypto/heimdal/lib/krb5/eai_to_heim_errno.c
index b30640f..19315ce 100644
--- a/crypto/heimdal/lib/krb5/eai_to_heim_errno.c
+++ b/crypto/heimdal/lib/krb5/eai_to_heim_errno.c
@@ -33,15 +33,20 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: eai_to_heim_errno.c,v 1.3.8.1 2004/02/13 16:15:16 lha Exp $");
+RCSID("$Id: eai_to_heim_errno.c 22065 2007-11-11 16:41:06Z lha $");
 
-/*
- * convert the getaddrinfo error code in `eai_errno' into a
- * krb5_error_code. `system_error' should have the value of the errno
- * after the failed call.
+/**
+ * Convert the getaddrinfo() error code to a Kerberos et error code.
+ *
+ * @param eai_errno contains the error code from getaddrinfo().
+ * @param system_error should have the value of errno after the failed getaddrinfo().
+ *
+ * @return Kerberos error code representing the EAI errors.
+ *
+ * @ingroup krb5_error
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_eai_to_heim_errno(int eai_errno, int system_error)
 {
     switch(eai_errno) {
@@ -78,7 +83,18 @@ krb5_eai_to_heim_errno(int eai_errno, int system_error)
     }
 }
 
-krb5_error_code
+/**
+ * Convert the gethostname() error code (h_error) to a Kerberos et
+ * error code.
+ *
+ * @param eai_errno contains the error code from gethostname().
+ *
+ * @return Kerberos error code representing the gethostname errors.
+ *
+ * @ingroup krb5_error
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_h_errno_to_heim_errno(int eai_errno)
 {
     switch(eai_errno) {
diff --git a/crypto/heimdal/lib/krb5/error_string.c b/crypto/heimdal/lib/krb5/error_string.c
index bf73448..ff6e98a 100644
--- a/crypto/heimdal/lib/krb5/error_string.c
+++ b/crypto/heimdal/lib/krb5/error_string.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 2001, 2003, 2005 - 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,28 +33,32 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: error_string.c,v 1.1 2001/05/06 23:07:22 assar Exp $");
+RCSID("$Id: error_string.c 22142 2007-12-04 16:56:02Z lha $");
 
 #undef __attribute__
 #define __attribute__(X)
 
-void
+void KRB5_LIB_FUNCTION
 krb5_free_error_string(krb5_context context, char *str)
 {
+    HEIMDAL_MUTEX_lock(context->mutex);
     if (str != context->error_buf)
 	free(str);
+    HEIMDAL_MUTEX_unlock(context->mutex);
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_clear_error_string(krb5_context context)
 {
+    HEIMDAL_MUTEX_lock(context->mutex);
     if (context->error_string != NULL
 	&& context->error_string != context->error_buf)
 	free(context->error_string);
     context->error_string = NULL;
+    HEIMDAL_MUTEX_unlock(context->mutex);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_set_error_string(krb5_context context, const char *fmt, ...)
     __attribute__((format (printf, 2, 3)))
 {
@@ -67,29 +71,85 @@ krb5_set_error_string(krb5_context context, const char *fmt, ...)
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_vset_error_string(krb5_context context, const char *fmt, va_list args)
     __attribute__ ((format (printf, 2, 0)))
 {
     krb5_clear_error_string(context);
+    HEIMDAL_MUTEX_lock(context->mutex);
     vasprintf(&context->error_string, fmt, args);
     if(context->error_string == NULL) {
 	vsnprintf (context->error_buf, sizeof(context->error_buf), fmt, args);
 	context->error_string = context->error_buf;
     }
+    HEIMDAL_MUTEX_unlock(context->mutex);
     return 0;
 }
 
-char*
+/**
+ * Return the error message in context. On error or no error string,
+ * the function returns NULL.
+ *
+ * @param context Kerberos 5 context
+ *
+ * @return an error string, needs to be freed with
+ * krb5_free_error_string(). The functions return NULL on error.
+ *
+ * @ingroup krb5_error
+ */
+
+char * KRB5_LIB_FUNCTION
 krb5_get_error_string(krb5_context context)
 {
-    char *ret = context->error_string;
-    context->error_string = NULL;
+    char *ret = NULL;
+
+    HEIMDAL_MUTEX_lock(context->mutex);
+    if (context->error_string)
+	ret = strdup(context->error_string);
+    HEIMDAL_MUTEX_unlock(context->mutex);
     return ret;
 }
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_have_error_string(krb5_context context)
 {
-    return context->error_string != NULL;
+    char *str;
+    HEIMDAL_MUTEX_lock(context->mutex);
+    str = context->error_string;
+    HEIMDAL_MUTEX_unlock(context->mutex);
+    return str != NULL;
+}
+
+/**
+ * Return the error message for `code' in context. On error the
+ * function returns NULL.
+ *
+ * @param context Kerberos 5 context
+ * @param code Error code related to the error
+ *
+ * @return an error string, needs to be freed with
+ * krb5_free_error_string(). The functions return NULL on error.
+ *
+ * @ingroup krb5_error
+ */
+
+char * KRB5_LIB_FUNCTION
+krb5_get_error_message(krb5_context context, krb5_error_code code)
+{
+    const char *cstr;
+    char *str;
+
+    str = krb5_get_error_string(context);
+    if (str)
+	return str;
+
+    cstr = krb5_get_err_text(context, code);
+    if (cstr)
+	return strdup(cstr);
+
+    if (asprintf(&str, "<unknown error: %d>", code) == -1)
+	return NULL;
+
+    return str;
 }
+
diff --git a/crypto/heimdal/lib/krb5/expand_hostname.c b/crypto/heimdal/lib/krb5/expand_hostname.c
index 7ed2dd5..28e39af 100644
--- a/crypto/heimdal/lib/krb5/expand_hostname.c
+++ b/crypto/heimdal/lib/krb5/expand_hostname.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: expand_hostname.c,v 1.11 2001/09/18 09:35:47 joda Exp $");
+RCSID("$Id: expand_hostname.c 22229 2007-12-08 21:40:59Z lha $");
 
 static krb5_error_code
 copy_hostname(krb5_context context,
@@ -54,7 +54,7 @@ copy_hostname(krb5_context context,
  * allocated space returned in `new_hostname'.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_expand_hostname (krb5_context context,
 		      const char *orig_hostname,
 		      char **new_hostname)
@@ -62,6 +62,9 @@ krb5_expand_hostname (krb5_context context,
     struct addrinfo *ai, *a, hints;
     int error;
 
+    if ((context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) == 0)
+	return copy_hostname (context, orig_hostname, new_hostname);
+
     memset (&hints, 0, sizeof(hints));
     hints.ai_flags = AI_CANONNAME;
 
@@ -114,7 +117,7 @@ vanilla_hostname (krb5_context context,
  * allocated space in `host' and return realms in `realms'.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_expand_hostname_realms (krb5_context context,
 			     const char *orig_hostname,
 			     char **new_hostname,
@@ -124,6 +127,10 @@ krb5_expand_hostname_realms (krb5_context context,
     int error;
     krb5_error_code ret = 0;
 
+    if ((context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) == 0)
+	return vanilla_hostname (context, orig_hostname, new_hostname,
+				 realms);
+
     memset (&hints, 0, sizeof(hints));
     hints.ai_flags = AI_CANONNAME;
 
diff --git a/crypto/heimdal/lib/krb5/fcache.c b/crypto/heimdal/lib/krb5/fcache.c
index 38006c3..3857b58 100644
--- a/crypto/heimdal/lib/krb5/fcache.c
+++ b/crypto/heimdal/lib/krb5/fcache.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: fcache.c,v 1.34.6.6 2004/03/10 13:30:59 lha Exp $");
+RCSID("$Id: fcache.c 22522 2008-01-24 11:56:25Z lha $");
 
 typedef struct krb5_fcache{
     char *filename;
@@ -105,18 +105,33 @@ _krb5_xlock(krb5_context context, int fd, krb5_boolean exclusive,
 }
 
 int
-_krb5_xunlock(int fd)
+_krb5_xunlock(krb5_context context, int fd)
 {
-#ifdef HAVE_FCNTL_LOCK
+    int ret;
+#ifdef HAVE_FCNTL
     struct flock l;
     l.l_start = 0;
     l.l_len = 0;
     l.l_type = F_UNLCK;
     l.l_whence = SEEK_SET;
-    return fcntl(fd, F_SETLKW, &l);
+    ret = fcntl(fd, F_SETLKW, &l);
 #else
-    return flock(fd, LOCK_UN);
+    ret = flock(fd, LOCK_UN);
 #endif
+    if (ret < 0)
+	ret = errno;
+    switch (ret) {
+    case 0:
+	break;
+    case EINVAL: /* filesystem doesn't support locking, let the user have it */
+	ret = 0; 
+	break;
+    default:
+	krb5_set_error_string(context, 
+			      "Failed to unlock file: %s", strerror(ret));
+	break;
+    }
+    return ret;
 }
 
 static krb5_error_code
@@ -129,7 +144,7 @@ fcc_lock(krb5_context context, krb5_ccache id,
 static krb5_error_code
 fcc_unlock(krb5_context context, int fd)
 {
-    return _krb5_xunlock(fd);
+    return _krb5_xunlock(context, fd);
 }
 
 static krb5_error_code
@@ -254,10 +269,11 @@ fcc_gen_new(krb5_context context, krb5_ccache *id)
     }
     fd = mkstemp(file);
     if(fd < 0) {
+	int ret = errno;
+	krb5_set_error_string(context, "mkstemp %s", file);
 	free(f);
 	free(file);
-	krb5_set_error_string(context, "mkstemp %s", file);
-	return errno;
+	return ret;
     }
     close(fd);
     f->filename = file;
@@ -405,13 +421,12 @@ fcc_store_cred(krb5_context context,
 	sp = krb5_storage_from_fd(fd);
 	krb5_storage_set_eof_code(sp, KRB5_CC_END);
 	storage_set_flags(context, sp, FCACHE(id)->version);
-	if (krb5_config_get_bool_default(context, NULL, FALSE,
-					 "libdefaults",
-					 "fcc-mit-ticketflags",
-					 NULL))
-	    ret = _krb5_store_creds_heimdal_0_7(sp, creds);
-	else
-	    ret = _krb5_store_creds_heimdal_pre_0_7(sp, creds);
+	if (!krb5_config_get_bool_default(context, NULL, TRUE,
+					  "libdefaults",
+					  "fcc-mit-ticketflags",
+					  NULL))
+	    krb5_storage_set_flags(sp, KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER);
+	ret = krb5_store_creds(sp, creds);
 	krb5_storage_free(sp);
     }
     fcc_unlock(context, fd);
@@ -436,28 +451,37 @@ init_fcc (krb5_context context,
     krb5_error_code ret;
 
     ret = fcc_open(context, id, &fd, O_RDONLY | O_BINARY, 0);
-
     if(ret)
 	return ret;
     
     sp = krb5_storage_from_fd(fd);
     if(sp == NULL) {
+	krb5_clear_error_string(context);
 	ret = ENOMEM;
 	goto out;
     }
     krb5_storage_set_eof_code(sp, KRB5_CC_END);
     ret = krb5_ret_int8(sp, &pvno);
     if(ret != 0) {
-	if(ret == KRB5_CC_END)
-	    ret = ENOENT; /* empty file */
+	if(ret == KRB5_CC_END) {
+	    krb5_set_error_string(context, "Empty credential cache file: %s",
+				  FILENAME(id));
+	    ret = ENOENT;
+	} else
+	    krb5_set_error_string(context, "Error reading pvno in "
+				  "cache file: %s", FILENAME(id));
 	goto out;
     }
     if(pvno != 5) {
+	krb5_set_error_string(context, "Bad version number in credential "
+			      "cache file: %s", FILENAME(id));
 	ret = KRB5_CCACHE_BADVNO;
 	goto out;
     }
     ret = krb5_ret_int8(sp, &tag); /* should not be host byte order */
     if(ret != 0) {
+	krb5_set_error_string(context, "Error reading tag in "
+			      "cache file: %s", FILENAME(id));
 	ret = KRB5_CC_FORMAT;
 	goto out;
     }
@@ -470,32 +494,42 @@ init_fcc (krb5_context context,
 	ret = krb5_ret_int16 (sp, &length);
 	if(ret) {
 	    ret = KRB5_CC_FORMAT;
+	    krb5_set_error_string(context, "Error reading tag length in "
+			      "cache file: %s", FILENAME(id));
 	    goto out;
 	}
 	while(length > 0) {
-	    int16_t tag, data_len;
+	    int16_t dtag, data_len;
 	    int i;
 	    int8_t dummy;
 
-	    ret = krb5_ret_int16 (sp, &tag);
+	    ret = krb5_ret_int16 (sp, &dtag);
 	    if(ret) {
+		krb5_set_error_string(context, "Error reading dtag in "
+				      "cache file: %s", FILENAME(id));
 		ret = KRB5_CC_FORMAT;
 		goto out;
 	    }
 	    ret = krb5_ret_int16 (sp, &data_len);
 	    if(ret) {
+		krb5_set_error_string(context, "Error reading dlength in "
+				      "cache file: %s", FILENAME(id));
 		ret = KRB5_CC_FORMAT;
 		goto out;
 	    }
-	    switch (tag) {
+	    switch (dtag) {
 	    case FCC_TAG_DELTATIME :
 		ret = krb5_ret_int32 (sp, &context->kdc_sec_offset);
 		if(ret) {
+		    krb5_set_error_string(context, "Error reading kdc_sec in "
+					  "cache file: %s", FILENAME(id));
 		    ret = KRB5_CC_FORMAT;
 		    goto out;
 		}
 		ret = krb5_ret_int32 (sp, &context->kdc_usec_offset);
 		if(ret) {
+		    krb5_set_error_string(context, "Error reading kdc_usec in "
+					  "cache file: %s", FILENAME(id));
 		    ret = KRB5_CC_FORMAT;
 		    goto out;
 		}
@@ -504,6 +538,9 @@ init_fcc (krb5_context context,
 		for (i = 0; i < data_len; ++i) {
 		    ret = krb5_ret_int8 (sp, &dummy);
 		    if(ret) {
+			krb5_set_error_string(context, "Error reading unknown "
+					      "tag in cache file: %s", 
+					      FILENAME(id));
 			ret = KRB5_CC_FORMAT;
 			goto out;
 		    }
@@ -520,6 +557,9 @@ init_fcc (krb5_context context,
 	break;
     default :
 	ret = KRB5_CCACHE_BADVNO;
+	krb5_set_error_string(context, "Unknown version number (%d) in "
+			      "credential cache file: %s",
+			      (int)tag, FILENAME(id));
 	goto out;
     }
     *ret_sp = sp;
@@ -547,6 +587,8 @@ fcc_get_principal(krb5_context context,
     if (ret)
 	return ret;
     ret = krb5_ret_principal(sp, principal);
+    if (ret)
+	krb5_clear_error_string(context);
     krb5_storage_free(sp);
     fcc_unlock(context, fd);
     close(fd);
@@ -567,15 +609,22 @@ fcc_get_first (krb5_context context,
     krb5_principal principal;
 
     *cursor = malloc(sizeof(struct fcc_cursor));
+    if (*cursor == NULL) {
+        krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    memset(*cursor, 0, sizeof(struct fcc_cursor));
 
     ret = init_fcc (context, id, &FCC_CURSOR(*cursor)->sp, 
 		    &FCC_CURSOR(*cursor)->fd);
     if (ret) {
 	free(*cursor);
+	*cursor = NULL;
 	return ret;
     }
     ret = krb5_ret_principal (FCC_CURSOR(*cursor)->sp, &principal);
     if(ret) {
+	krb5_clear_error_string(context);
 	fcc_end_get(context, id, cursor);
 	return ret;
     }
@@ -595,6 +644,8 @@ fcc_get_next (krb5_context context,
 	return ret;
 
     ret = krb5_ret_creds(FCC_CURSOR(*cursor)->sp, creds);
+    if (ret)
+	krb5_clear_error_string(context);
 
     fcc_unlock(context, FCC_CURSOR(*cursor)->fd);
     return ret;
@@ -618,7 +669,31 @@ fcc_remove_cred(krb5_context context,
 		 krb5_flags which,
 		 krb5_creds *cred)
 {
-    return 0; /* XXX */
+    krb5_error_code ret;
+    krb5_ccache copy;
+
+    ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &copy);
+    if (ret)
+	return ret;
+
+    ret = krb5_cc_copy_cache(context, id, copy);
+    if (ret) {
+	krb5_cc_destroy(context, copy);
+	return ret;
+    }
+
+    ret = krb5_cc_remove_cred(context, copy, which, cred);
+    if (ret) {
+	krb5_cc_destroy(context, copy);
+	return ret;
+    }
+
+    fcc_destroy(context, id);
+
+    ret = krb5_cc_copy_cache(context, copy, id);
+    krb5_cc_destroy(context, copy);
+
+    return ret;
 }
 
 static krb5_error_code
@@ -636,6 +711,151 @@ fcc_get_version(krb5_context context,
     return FCACHE(id)->version;
 }
 		    
+struct fcache_iter {
+    int first;
+};
+
+static krb5_error_code
+fcc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
+{
+    struct fcache_iter *iter;
+
+    iter = calloc(1, sizeof(*iter));
+    if (iter == NULL) {
+	krb5_set_error_string(context, "malloc - out of memory");
+	return ENOMEM;
+    }    
+    iter->first = 1;
+    *cursor = iter;
+    return 0;
+}
+
+static krb5_error_code
+fcc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
+{
+    struct fcache_iter *iter = cursor;
+    krb5_error_code ret;
+    const char *fn;
+    char *expandedfn = NULL;
+
+    if (!iter->first) {
+	krb5_clear_error_string(context);
+	return KRB5_CC_END;
+    }
+    iter->first = 0;
+
+    fn = krb5_cc_default_name(context);
+    if (strncasecmp(fn, "FILE:", 5) != 0) {
+	ret = _krb5_expand_default_cc_name(context, 
+					   KRB5_DEFAULT_CCNAME_FILE,
+					   &expandedfn);
+	if (ret)
+	    return ret;
+    }
+    ret = krb5_cc_resolve(context, fn, id);
+    if (expandedfn)
+	free(expandedfn);
+    
+    return ret;
+}
+
+static krb5_error_code
+fcc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
+{
+    struct fcache_iter *iter = cursor;
+    free(iter);
+    return 0;
+}
+
+static krb5_error_code
+fcc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
+{
+    krb5_error_code ret = 0;
+
+    ret = rename(FILENAME(from), FILENAME(to));
+    if (ret && errno != EXDEV) {
+	ret = errno;
+	krb5_set_error_string(context,
+			      "Rename of file from %s to %s failed: %s", 
+			      FILENAME(from), FILENAME(to),
+			      strerror(ret));
+	return ret;
+    } else if (ret && errno == EXDEV) {
+	/* make a copy and delete the orignal */
+	krb5_ssize_t sz1, sz2;
+	int fd1, fd2;
+	char buf[BUFSIZ];
+
+	ret = fcc_open(context, from, &fd1, O_RDONLY | O_BINARY, 0);
+	if(ret)
+	    return ret;
+
+	unlink(FILENAME(to));
+
+	ret = fcc_open(context, to, &fd2, 
+		       O_WRONLY | O_CREAT | O_EXCL | O_BINARY, 0600);
+	if(ret)
+	    goto out1;
+
+	while((sz1 = read(fd1, buf, sizeof(buf))) > 0) {
+	    sz2 = write(fd2, buf, sz1);
+	    if (sz1 != sz2) {
+		ret = EIO;
+		krb5_set_error_string(context,
+				      "Failed to write data from one file "
+				      "credential cache to the other");
+		goto out2;
+	    }
+	}
+	if (sz1 < 0) {
+	    ret = EIO;
+	    krb5_set_error_string(context,
+				  "Failed to read data from one file "
+				  "credential cache to the other");
+	    goto out2;
+	}
+	erase_file(FILENAME(from));
+	    
+    out2:
+	fcc_unlock(context, fd2);
+	close(fd2);
+
+    out1:
+	fcc_unlock(context, fd1);
+	close(fd1);
+
+	if (ret) {
+	    erase_file(FILENAME(to));
+	    return ret;
+	}
+    }
+
+    /* make sure ->version is uptodate */
+    {
+	krb5_storage *sp;
+	int fd;
+	ret = init_fcc (context, to, &sp, &fd);
+	krb5_storage_free(sp);
+	fcc_unlock(context, fd);
+	close(fd);
+    }    
+    return ret;
+}
+
+static krb5_error_code
+fcc_default_name(krb5_context context, char **str)
+{
+    return _krb5_expand_default_cc_name(context, 
+					KRB5_DEFAULT_CCNAME_FILE,
+					str);
+}
+
+/**
+ * Variable containing the FILE based credential cache implemention.
+ *
+ * @ingroup krb5_ccache
+ */
+
 const krb5_cc_ops krb5_fcc_ops = {
     "FILE",
     fcc_get_name,
@@ -652,5 +872,10 @@ const krb5_cc_ops krb5_fcc_ops = {
     fcc_end_get,
     fcc_remove_cred,
     fcc_set_flags,
-    fcc_get_version
+    fcc_get_version,
+    fcc_get_cache_first,
+    fcc_get_cache_next,
+    fcc_end_cache_get,
+    fcc_move,
+    fcc_default_name
 };
diff --git a/crypto/heimdal/lib/krb5/free.c b/crypto/heimdal/lib/krb5/free.c
index 251ec32..1b0bd05 100644
--- a/crypto/heimdal/lib/krb5/free.c
+++ b/crypto/heimdal/lib/krb5/free.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 1999, 2004 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,18 +33,19 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: free.c,v 1.5 1999/12/02 17:05:09 joda Exp $");
+RCSID("$Id: free.c 15175 2005-05-18 10:06:16Z lha $");
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_free_kdc_rep(krb5_context context, krb5_kdc_rep *rep)
 {
     free_KDC_REP(&rep->kdc_rep);
     free_EncTGSRepPart(&rep->enc_part);
     free_KRB_ERROR(&rep->error);
+    memset(rep, 0, sizeof(*rep));
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_xfree (void *ptr)
 {
     free (ptr);
diff --git a/crypto/heimdal/lib/krb5/free_host_realm.c b/crypto/heimdal/lib/krb5/free_host_realm.c
index a69f29b..6b13ce7 100644
--- a/crypto/heimdal/lib/krb5/free_host_realm.c
+++ b/crypto/heimdal/lib/krb5/free_host_realm.c
@@ -33,13 +33,13 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: free_host_realm.c,v 1.4 1999/12/02 17:05:09 joda Exp $");
+RCSID("$Id: free_host_realm.c 13863 2004-05-25 21:46:46Z lha $");
 
 /*
  * Free all memory allocated by `realmlist'
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_free_host_realm(krb5_context context,
 		     krb5_realm *realmlist)
 {
diff --git a/crypto/heimdal/lib/krb5/generate_seq_number.c b/crypto/heimdal/lib/krb5/generate_seq_number.c
index 795c3f3..8a04f04 100644
--- a/crypto/heimdal/lib/krb5/generate_seq_number.c
+++ b/crypto/heimdal/lib/krb5/generate_seq_number.c
@@ -33,16 +33,16 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: generate_seq_number.c,v 1.8 2001/05/08 14:05:37 assar Exp $");
+RCSID("$Id: generate_seq_number.c 17442 2006-05-05 09:31:15Z lha $");
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_generate_seq_number(krb5_context context,
 			 const krb5_keyblock *key,
-			 u_int32_t *seqno)
+			 uint32_t *seqno)
 {
     krb5_error_code ret;
     krb5_keyblock *subkey;
-    u_int32_t q;
+    uint32_t q;
     u_char *p;
     int i;
 
diff --git a/crypto/heimdal/lib/krb5/generate_subkey.c b/crypto/heimdal/lib/krb5/generate_subkey.c
index 3fb22f9..fb99cbb 100644
--- a/crypto/heimdal/lib/krb5/generate_subkey.c
+++ b/crypto/heimdal/lib/krb5/generate_subkey.c
@@ -33,13 +33,22 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: generate_subkey.c,v 1.8 2001/05/14 06:14:46 assar Exp $");
+RCSID("$Id: generate_subkey.c 14455 2005-01-05 02:39:21Z lukeh $");
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_generate_subkey(krb5_context context,
 		     const krb5_keyblock *key,
 		     krb5_keyblock **subkey)
 {
+    return krb5_generate_subkey_extended(context, key, key->keytype, subkey);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_generate_subkey_extended(krb5_context context,
+			      const krb5_keyblock *key,
+			      krb5_enctype etype,
+			      krb5_keyblock **subkey)
+{
     krb5_error_code ret;
 
     ALLOC(*subkey, 1);
@@ -47,8 +56,17 @@ krb5_generate_subkey(krb5_context context,
 	krb5_set_error_string(context, "malloc: out of memory");
 	return ENOMEM;
     }
-    ret = krb5_generate_random_keyblock(context, key->keytype, *subkey);
-    if(ret)
+
+    if (etype == ETYPE_NULL)
+	etype = key->keytype; /* use session key etype */
+
+    /* XXX should we use the session key as input to the RF? */
+    ret = krb5_generate_random_keyblock(context, etype, *subkey);
+    if (ret != 0) {
 	free(*subkey);
+	*subkey = NULL;
+    }
+
     return ret;
 }
+
diff --git a/crypto/heimdal/lib/krb5/get_addrs.c b/crypto/heimdal/lib/krb5/get_addrs.c
index 94a0350..a7fd2ea 100644
--- a/crypto/heimdal/lib/krb5/get_addrs.c
+++ b/crypto/heimdal/lib/krb5/get_addrs.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: get_addrs.c,v 1.45 2003/01/25 15:19:49 lha Exp $");
+RCSID("$Id: get_addrs.c 13863 2004-05-25 21:46:46Z lha $");
 
 #ifdef __osf__
 /* hate */
@@ -268,7 +268,7 @@ get_addrs_int (krb5_context context, krb5_addresses *res, int flags)
  * Only include loopback address if there are no other.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_all_client_addrs (krb5_context context, krb5_addresses *res)
 {
     int flags = LOOP_IF_NONE | EXTRA_ADDRESSES;
@@ -284,7 +284,7 @@ krb5_get_all_client_addrs (krb5_context context, krb5_addresses *res)
  * If that fails, we return the address corresponding to `hostname'.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_all_server_addrs (krb5_context context, krb5_addresses *res)
 {
     return get_addrs_int (context, res, LOOP | SCAN_INTERFACES);
diff --git a/crypto/heimdal/lib/krb5/get_cred.c b/crypto/heimdal/lib/krb5/get_cred.c
index cae47f5..ce0ec6d 100644
--- a/crypto/heimdal/lib/krb5/get_cred.c
+++ b/crypto/heimdal/lib/krb5/get_cred.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: get_cred.c,v 1.91.4.3 2004/01/09 00:47:17 lha Exp $");
+RCSID("$Id: get_cred.c 21668 2007-07-22 11:28:05Z lha $");
 
 /*
  * Take the `body' and encode it into `padata' using the credentials
@@ -62,12 +62,12 @@ make_pa_tgs_req(krb5_context context,
 
     in_data.length = len;
     in_data.data   = buf;
-    ret = krb5_mk_req_internal(context, &ac, 0, &in_data, creds,
-			       &padata->padata_value,
-			       KRB5_KU_TGS_REQ_AUTH_CKSUM,
-			       usage
-			       /* KRB5_KU_TGS_REQ_AUTH */);
-out:
+    ret = _krb5_mk_req_internal(context, &ac, 0, &in_data, creds,
+				&padata->padata_value,
+				KRB5_KU_TGS_REQ_AUTH_CKSUM,
+				usage
+				/* KRB5_KU_TGS_REQ_AUTH */);
+ out:
     free (buf);
     if(ret)
 	return ret;
@@ -86,14 +86,17 @@ set_auth_data (krb5_context context,
 	       krb5_keyblock *key)
 {
     if(authdata->len) {
-	size_t len;
+	size_t len, buf_size;
 	unsigned char *buf;
 	krb5_crypto crypto;
 	krb5_error_code ret;
 
-	ASN1_MALLOC_ENCODE(AuthorizationData, buf, len, authdata, &len, ret);
+	ASN1_MALLOC_ENCODE(AuthorizationData, buf, buf_size, authdata,
+			   &len, ret);
 	if (ret)
 	    return ret;
+	if (buf_size != len)
+	    krb5_abortx(context, "internal error in ASN.1 encoder");
 
 	ALLOC(req_body->enc_authorization_data, 1);
 	if (req_body->enc_authorization_data == NULL) {
@@ -105,6 +108,7 @@ set_auth_data (krb5_context context,
 	if (ret) {
 	    free (buf);
 	    free (req_body->enc_authorization_data);
+	    req_body->enc_authorization_data = NULL;
 	    return ret;
 	}
 	krb5_encrypt_EncryptedData(context, 
@@ -138,6 +142,7 @@ init_tgs_req (krb5_context context,
 	      krb5_creds *in_creds,
 	      krb5_creds *krbtgt,
 	      unsigned nonce,
+	      const METHOD_DATA *padata,
 	      krb5_keyblock **subkey,
 	      TGS_REQ *t,
 	      krb5_key_usage usage)
@@ -216,12 +221,22 @@ init_tgs_req (krb5_context context,
 	krb5_set_error_string(context, "malloc: out of memory");
 	goto fail;
     }
-    ALLOC_SEQ(t->padata, 1);
+    ALLOC_SEQ(t->padata, 1 + padata->len);
     if (t->padata->val == NULL) {
 	ret = ENOMEM;
 	krb5_set_error_string(context, "malloc: out of memory");
 	goto fail;
     }
+    {
+	int i;
+	for (i = 0; i < padata->len; i++) {
+	    ret = copy_PA_DATA(&padata->val[i], &t->padata->val[i + 1]);
+	    if (ret) {
+		krb5_set_error_string(context, "malloc: out of memory");
+		goto fail;
+	    }
+	}
+    }
 
     {
 	krb5_auth_context ac;
@@ -252,7 +267,8 @@ init_tgs_req (krb5_context context,
 	    }
 	}
 
-	ret = set_auth_data (context, &t->req_body, &in_creds->authdata, key);
+	ret = set_auth_data (context, &t->req_body, &in_creds->authdata,
+			     key ? key : &krbtgt->session);
 	if (ret) {
 	    if (key)
 		krb5_free_keyblock (context, key);
@@ -263,7 +279,7 @@ init_tgs_req (krb5_context context,
 	ret = make_pa_tgs_req(context,
 			      ac,
 			      &t->req_body, 
-			      t->padata->val,
+			      &t->padata->val[0],
 			      krbtgt,
 			      usage);
 	if(ret) {
@@ -345,7 +361,7 @@ decrypt_tkt_with_subkey (krb5_context context,
     krb5_crypto_destroy(context, crypto);
     if(ret && subkey){
 	/* DCE compat -- try to decrypt with subkey */
-	ret = krb5_crypto_init(context, (krb5_keyblock*)subkey, 0, &crypto);
+	ret = krb5_crypto_init(context, subkey, 0, &crypto);
 	if (ret)
 	    return ret;
 	ret = krb5_decrypt_EncryptedData (context,
@@ -378,8 +394,10 @@ get_cred_kdc_usage(krb5_context context,
 		   krb5_ccache id, 
 		   krb5_kdc_flags flags,
 		   krb5_addresses *addresses, 
-		   krb5_creds *in_creds, 
+		   krb5_creds *in_creds,
 		   krb5_creds *krbtgt,
+		   krb5_principal impersonate_principal,
+		   Ticket *second_ticket,
 		   krb5_creds *out_creds,
 		   krb5_key_usage usage)
 {
@@ -391,58 +409,119 @@ get_cred_kdc_usage(krb5_context context,
     krb5_error_code ret;
     unsigned nonce;
     krb5_keyblock *subkey = NULL;
-    u_char *buf = NULL;
-    size_t buf_size;
     size_t len;
-    Ticket second_ticket;
+    Ticket second_ticket_data;
+    METHOD_DATA padata;
     
+    krb5_data_zero(&resp);
+    krb5_data_zero(&enc);
+    padata.val = NULL;
+    padata.len = 0;
+
     krb5_generate_random_block(&nonce, sizeof(nonce));
     nonce &= 0xffffffff;
     
-    if(flags.b.enc_tkt_in_skey){
+    if(flags.b.enc_tkt_in_skey && second_ticket == NULL){
 	ret = decode_Ticket(in_creds->second_ticket.data, 
 			    in_creds->second_ticket.length, 
-			    &second_ticket, &len);
+			    &second_ticket_data, &len);
 	if(ret)
 	    return ret;
+	second_ticket = &second_ticket_data;
+    }
+
+
+    if (impersonate_principal) {
+	krb5_crypto crypto;
+	PA_S4U2Self self;
+	krb5_data data;
+	void *buf;
+	size_t size;
+
+	self.name = impersonate_principal->name;
+	self.realm = impersonate_principal->realm;
+	self.auth = estrdup("Kerberos");
+	
+	ret = _krb5_s4u2self_to_checksumdata(context, &self, &data);
+	if (ret) {
+	    free(self.auth);
+	    goto out;
+	}
+
+	ret = krb5_crypto_init(context, &krbtgt->session, 0, &crypto);
+	if (ret) {
+	    free(self.auth);
+	    krb5_data_free(&data);
+	    goto out;
+	}
+
+	ret = krb5_create_checksum(context,
+				   crypto,
+				   KRB5_KU_OTHER_CKSUM,
+				   0,
+				   data.data,
+				   data.length, 
+				   &self.cksum);
+	krb5_crypto_destroy(context, crypto);
+	krb5_data_free(&data);
+	if (ret) {
+	    free(self.auth);
+	    goto out;
+	}
+
+	ASN1_MALLOC_ENCODE(PA_S4U2Self, buf, len, &self, &size, ret);
+	free(self.auth);
+	free_Checksum(&self.cksum);
+	if (ret)
+	    goto out;
+	if (len != size)
+	    krb5_abortx(context, "internal asn1 error");
+	
+	ret = krb5_padata_add(context, &padata, KRB5_PADATA_S4U2SELF, buf, len);
+	if (ret)
+	    goto out;
     }
 
     ret = init_tgs_req (context,
 			id,
 			addresses,
 			flags,
-			flags.b.enc_tkt_in_skey ? &second_ticket : NULL,
+			second_ticket,
 			in_creds,
 			krbtgt,
 			nonce,
+			&padata,
 			&subkey, 
 			&req,
 			usage);
-    if(flags.b.enc_tkt_in_skey)
-	free_Ticket(&second_ticket);
     if (ret)
 	goto out;
 
-    ASN1_MALLOC_ENCODE(TGS_REQ, buf, buf_size, &req, &enc.length, ret);
+    ASN1_MALLOC_ENCODE(TGS_REQ, enc.data, enc.length, &req, &len, ret);
     if (ret) 
 	goto out;
-    if(enc.length != buf_size)
+    if(enc.length != len)
 	krb5_abortx(context, "internal error in ASN.1 encoder");
 
     /* don't free addresses */
     req.req_body.addresses = NULL;
     free_TGS_REQ(&req);
 
-    enc.data = buf + buf_size - enc.length;
-    if (ret)
-	goto out;
-    
     /*
      * Send and receive
      */
+    {
+	krb5_sendto_ctx stctx;
+	ret = krb5_sendto_ctx_alloc(context, &stctx);
+	if (ret)
+	    return ret;
+	krb5_sendto_ctx_set_func(stctx, _krb5_kdc_retry, NULL);
 
-    ret = krb5_sendto_kdc (context, &enc, 
-			   &krbtgt->server->name.name_string.val[1], &resp);
+	ret = krb5_sendto_context (context, stctx, &enc,
+				   krbtgt->server->name.name_string.val[1],
+				   &resp);
+	krb5_sendto_ctx_free(context, stctx);
+    }
     if(ret)
 	goto out;
 
@@ -469,13 +548,11 @@ get_cred_kdc_usage(krb5_context context,
 				   KRB5_KU_TGS_REP_ENC_PART_SESSION,
 				   &krbtgt->addresses,
 				   nonce,
-				   TRUE,
-				   flags.b.request_anonymous,
+				   EXTRACT_TICKET_ALLOW_CNAME_MISMATCH|
+				   EXTRACT_TICKET_ALLOW_SERVER_MISMATCH,
 				   decrypt_tkt_with_subkey,
 				   subkey);
 	krb5_free_kdc_rep(context, &rep);
-	if (ret)
-	    goto out;
     } else if(krb5_rd_error(context, &resp, &error) == 0) {
 	ret = krb5_error_from_rd_error(context, &error, in_creds);
 	krb5_free_error_contents(context, &error);
@@ -486,14 +563,17 @@ get_cred_kdc_usage(krb5_context context,
 	ret = KRB5KRB_AP_ERR_MSG_TYPE;
 	krb5_clear_error_string(context);
     }
+
+out:
+    if (second_ticket == &second_ticket_data)
+	free_Ticket(&second_ticket_data);
+    free_METHOD_DATA(&padata);
     krb5_data_free(&resp);
- out:
+    krb5_data_free(&enc);
     if(subkey){
 	krb5_free_keyblock_contents(context, subkey);
 	free(subkey);
     }
-    if (buf)
-	free (buf);
     return ret;
     
 }
@@ -505,16 +585,20 @@ get_cred_kdc(krb5_context context,
 	     krb5_addresses *addresses, 
 	     krb5_creds *in_creds, 
 	     krb5_creds *krbtgt,
+	     krb5_principal impersonate_principal,
+	     Ticket *second_ticket,
 	     krb5_creds *out_creds)
 {
     krb5_error_code ret;
 
     ret = get_cred_kdc_usage(context, id, flags, addresses, in_creds,
-			     krbtgt, out_creds, KRB5_KU_TGS_REQ_AUTH);
+			     krbtgt, impersonate_principal, second_ticket,
+			     out_creds, KRB5_KU_TGS_REQ_AUTH);
     if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
 	krb5_clear_error_string (context);
 	ret = get_cred_kdc_usage(context, id, flags, addresses, in_creds,
-				 krbtgt, out_creds, KRB5_KU_AP_REQ_AUTH);
+				 krbtgt, impersonate_principal, second_ticket,
+				 out_creds, KRB5_KU_AP_REQ_AUTH);
     }
     return ret;
 }
@@ -524,6 +608,7 @@ get_cred_kdc(krb5_context context,
 static krb5_error_code
 get_cred_kdc_la(krb5_context context, krb5_ccache id, krb5_kdc_flags flags, 
 		krb5_creds *in_creds, krb5_creds *krbtgt, 
+		krb5_principal impersonate_principal, Ticket *second_ticket,
 		krb5_creds *out_creds)
 {
     krb5_error_code ret;
@@ -534,12 +619,13 @@ get_cred_kdc_la(krb5_context context, krb5_ccache id, krb5_kdc_flags flags,
     if(addresses.len == 0)
 	addrs = NULL;
     ret = get_cred_kdc(context, id, flags, addrs, 
-		       in_creds, krbtgt, out_creds);
+		       in_creds, krbtgt, impersonate_principal, second_ticket,
+		       out_creds);
     krb5_free_addresses(context, &addresses);
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_kdc_cred(krb5_context context,
 		  krb5_ccache id,
 		  krb5_kdc_flags flags,
@@ -566,13 +652,27 @@ krb5_get_kdc_cred(krb5_context context,
 	return ret;
     }
     ret = get_cred_kdc(context, id, flags, addresses, 
-		       in_creds, krbtgt, *out_creds);
+		       in_creds, krbtgt, NULL, NULL, *out_creds);
     krb5_free_creds (context, krbtgt);
     if(ret)
 	free(*out_creds);
     return ret;
 }
 
+static void
+not_found(krb5_context context, krb5_const_principal p)
+{
+    krb5_error_code ret;
+    char *str;
+
+    ret = krb5_unparse_name(context, p, &str);
+    if(ret) {
+	krb5_clear_error_string(context);
+	return;
+    }
+    krb5_set_error_string(context, "Matching credential (%s) not found", str);
+    free(str);
+}
 
 static krb5_error_code
 find_cred(krb5_context context,
@@ -583,6 +683,8 @@ find_cred(krb5_context context,
 {
     krb5_error_code ret;
     krb5_creds mcreds;
+
+    krb5_cc_clear_mcred(&mcreds);
     mcreds.server = server;
     ret = krb5_cc_retrieve_cred(context, id, KRB5_TC_DONT_MATCH_REALM, 
 				&mcreds, out_creds);
@@ -596,7 +698,7 @@ find_cred(krb5_context context,
 	}
 	tgts++;
     }
-    krb5_clear_error_string(context);
+    not_found(context, server);
     return KRB5_CC_NOTFOUND;
 }
 
@@ -639,6 +741,8 @@ get_cred_from_kdc_flags(krb5_context context,
 			krb5_kdc_flags flags,
 			krb5_ccache ccache,
 			krb5_creds *in_creds,
+			krb5_principal impersonate_principal,
+			Ticket *second_ticket,			
 			krb5_creds **out_creds,
 			krb5_creds ***ret_tgts)
 {
@@ -648,8 +752,8 @@ get_cred_from_kdc_flags(krb5_context context,
 
     *out_creds = NULL;
 
-    client_realm = *krb5_princ_realm(context, in_creds->client);
-    server_realm = *krb5_princ_realm(context, in_creds->server);
+    client_realm = krb5_principal_get_realm(context, in_creds->client);
+    server_realm = krb5_principal_get_realm(context, in_creds->server);
     memset(&tmp_creds, 0, sizeof(tmp_creds));
     ret = krb5_copy_principal(context, in_creds->client, &tmp_creds.client);
     if(ret)
@@ -696,31 +800,37 @@ get_cred_from_kdc_flags(krb5_context context,
 
 		if (noaddr)
 		    ret = get_cred_kdc(context, ccache, flags, NULL,
-				       in_creds, &tgts, *out_creds);
+				       in_creds, &tgts,
+				       impersonate_principal, 
+				       second_ticket,
+				       *out_creds);
 		else
 		    ret = get_cred_kdc_la(context, ccache, flags, 
-					  in_creds, &tgts, *out_creds);
+					  in_creds, &tgts, 
+					  impersonate_principal, 
+					  second_ticket,
+					  *out_creds);
 		if (ret) {
 		    free (*out_creds);
 		    *out_creds = NULL;
 		}
 	    }
-	    krb5_free_creds_contents(context, &tgts);
+	    krb5_free_cred_contents(context, &tgts);
 	    krb5_free_principal(context, tmp_creds.server);
 	    krb5_free_principal(context, tmp_creds.client);
 	    return ret;
 	}
     }
     if(krb5_realm_compare(context, in_creds->client, in_creds->server)) {
-	krb5_clear_error_string (context);
+	not_found(context, in_creds->server);
 	return KRB5_CC_NOTFOUND;
     }
     /* XXX this can loop forever */
     while(1){
-	general_string tgt_inst;
+	heim_general_string tgt_inst;
 
 	ret = get_cred_from_kdc_flags(context, flags, ccache, &tmp_creds, 
-				      &tgt, ret_tgts);
+				      NULL, NULL, &tgt, ret_tgts);
 	if(ret) {
 	    krb5_free_principal(context, tmp_creds.server);
 	    krb5_free_principal(context, tmp_creds.client);
@@ -761,13 +871,16 @@ get_cred_from_kdc_flags(krb5_context context,
 	krb5_boolean noaddr;
 
 	krb5_appdefault_boolean(context, NULL, tgt->server->realm,
-				"no-addresses", FALSE, &noaddr);
+				"no-addresses", KRB5_ADDRESSLESS_DEFAULT,
+				&noaddr);
 	if (noaddr)
 	    ret = get_cred_kdc (context, ccache, flags, NULL,
-				in_creds, tgt, *out_creds);
+				in_creds, tgt, NULL, NULL,
+				*out_creds);
 	else
 	    ret = get_cred_kdc_la(context, ccache, flags, 
-				  in_creds, tgt, *out_creds);
+				  in_creds, tgt, NULL, NULL,
+				  *out_creds);
 	if (ret) {
 	    free (*out_creds);
 	    *out_creds = NULL;
@@ -777,7 +890,7 @@ get_cred_from_kdc_flags(krb5_context context,
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_cred_from_kdc_opt(krb5_context context,
 			   krb5_ccache ccache,
 			   krb5_creds *in_creds,
@@ -788,10 +901,11 @@ krb5_get_cred_from_kdc_opt(krb5_context context,
     krb5_kdc_flags f;
     f.i = flags;
     return get_cred_from_kdc_flags(context, f, ccache, 
-				   in_creds, out_creds, ret_tgts);
+				   in_creds, NULL, NULL,
+				   out_creds, ret_tgts);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_cred_from_kdc(krb5_context context,
 		       krb5_ccache ccache,
 		       krb5_creds *in_creds,
@@ -803,7 +917,7 @@ krb5_get_cred_from_kdc(krb5_context context,
 }
      
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_credentials_with_flags(krb5_context context,
 				krb5_flags options,
 				krb5_kdc_flags flags,
@@ -823,38 +937,67 @@ krb5_get_credentials_with_flags(krb5_context context,
 	return ENOMEM;
     }
 
+    if (in_creds->session.keytype)
+	options |= KRB5_TC_MATCH_KEYTYPE;
+
+    /* 
+     * If we got a credential, check if credential is expired before
+     * returning it.
+     */
     ret = krb5_cc_retrieve_cred(context,
-				ccache,
-				in_creds->session.keytype ?
-				KRB5_TC_MATCH_KEYTYPE : 0,
-				in_creds, res_creds);
-    if(ret == 0) {
-	*out_creds = res_creds;
-	return 0;
+                                ccache,
+                                in_creds->session.keytype ?
+                                KRB5_TC_MATCH_KEYTYPE : 0,
+                                in_creds, res_creds);
+    /* 
+     * If we got a credential, check if credential is expired before
+     * returning it, but only if KRB5_GC_EXPIRED_OK is not set.
+     */
+    if (ret == 0) {
+	krb5_timestamp timeret;
+
+	/* If expired ok, don't bother checking */
+        if(options & KRB5_GC_EXPIRED_OK) {
+            *out_creds = res_creds;
+            return 0;
+        }
+	    
+	krb5_timeofday(context, &timeret);
+	if(res_creds->times.endtime > timeret) {
+	    *out_creds = res_creds;
+	    return 0;
+	}
+	if(options & KRB5_GC_CACHED)
+	    krb5_cc_remove_cred(context, ccache, 0, res_creds);
+
+    } else if(ret != KRB5_CC_END) {
+        free(res_creds);
+        return ret;
     }
     free(res_creds);
-    if(ret != KRB5_CC_END)
-	return ret;
     if(options & KRB5_GC_CACHED) {
-	krb5_clear_error_string (context);
-	return KRB5_CC_NOTFOUND;
+	not_found(context, in_creds->server);
+        return KRB5_CC_NOTFOUND;
     }
     if(options & KRB5_GC_USER_USER)
 	flags.b.enc_tkt_in_skey = 1;
+    if (flags.b.enc_tkt_in_skey)
+	options |= KRB5_GC_NO_STORE;
+
     tgts = NULL;
     ret = get_cred_from_kdc_flags(context, flags, ccache, 
-				  in_creds, out_creds, &tgts);
+				  in_creds, NULL, NULL, out_creds, &tgts);
     for(i = 0; tgts && tgts[i]; i++) {
 	krb5_cc_store_cred(context, ccache, tgts[i]);
 	krb5_free_creds(context, tgts[i]);
     }
     free(tgts);
-    if(ret == 0 && flags.b.enc_tkt_in_skey == 0)
+    if(ret == 0 && (options & KRB5_GC_NO_STORE) == 0)
 	krb5_cc_store_cred(context, ccache, *out_creds);
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_credentials(krb5_context context,
 		     krb5_flags options,
 		     krb5_ccache ccache,
@@ -866,3 +1009,269 @@ krb5_get_credentials(krb5_context context,
     return krb5_get_credentials_with_flags(context, options, flags,
 					   ccache, in_creds, out_creds);
 }
+
+struct krb5_get_creds_opt_data {
+    krb5_principal self;
+    krb5_flags options;
+    krb5_enctype enctype;
+    Ticket *ticket;
+};
+
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_creds_opt_alloc(krb5_context context, krb5_get_creds_opt *opt)
+{
+    *opt = calloc(1, sizeof(**opt));
+    if (*opt == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    return 0;
+}
+
+void KRB5_LIB_FUNCTION
+krb5_get_creds_opt_free(krb5_context context, krb5_get_creds_opt opt)
+{
+    if (opt->self)
+	krb5_free_principal(context, opt->self);
+    memset(opt, 0, sizeof(*opt));
+    free(opt);
+}
+
+void KRB5_LIB_FUNCTION
+krb5_get_creds_opt_set_options(krb5_context context,
+			       krb5_get_creds_opt opt,
+			       krb5_flags options)
+{
+    opt->options = options;
+}
+
+void KRB5_LIB_FUNCTION
+krb5_get_creds_opt_add_options(krb5_context context,
+			       krb5_get_creds_opt opt,
+			       krb5_flags options)
+{
+    opt->options |= options;
+}
+
+void KRB5_LIB_FUNCTION
+krb5_get_creds_opt_set_enctype(krb5_context context,
+			       krb5_get_creds_opt opt,
+			       krb5_enctype enctype)
+{
+    opt->enctype = enctype;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_creds_opt_set_impersonate(krb5_context context,
+				   krb5_get_creds_opt opt,
+				   krb5_const_principal self)
+{
+    if (opt->self)
+	krb5_free_principal(context, opt->self);
+    return krb5_copy_principal(context, self, &opt->self);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_creds_opt_set_ticket(krb5_context context,
+			      krb5_get_creds_opt opt,
+			      const Ticket *ticket)
+{
+    if (opt->ticket) {
+	free_Ticket(opt->ticket);
+	free(opt->ticket);
+	opt->ticket = NULL;
+    }
+    if (ticket) {
+	krb5_error_code ret;
+
+	opt->ticket = malloc(sizeof(*ticket));
+	if (opt->ticket == NULL) {
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    return ENOMEM;
+	}
+	ret = copy_Ticket(ticket, opt->ticket);
+	if (ret) {
+	    free(opt->ticket);
+	    opt->ticket = NULL;
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    return ret;
+	}
+    }
+    return 0;
+}
+
+
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_creds(krb5_context context,
+	       krb5_get_creds_opt opt,
+	       krb5_ccache ccache,
+	       krb5_const_principal inprinc,
+	       krb5_creds **out_creds)
+{
+    krb5_kdc_flags flags;
+    krb5_flags options;
+    krb5_creds in_creds;
+    krb5_error_code ret;
+    krb5_creds **tgts;
+    krb5_creds *res_creds;
+    int i;
+    
+    memset(&in_creds, 0, sizeof(in_creds));
+    in_creds.server = rk_UNCONST(inprinc);
+
+    ret = krb5_cc_get_principal(context, ccache, &in_creds.client);
+    if (ret)
+	return ret;
+
+    options = opt->options;
+    flags.i = 0;
+
+    *out_creds = NULL;
+    res_creds = calloc(1, sizeof(*res_creds));
+    if (res_creds == NULL) {
+	krb5_free_principal(context, in_creds.client);
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+
+    if (opt->enctype) {
+	in_creds.session.keytype = opt->enctype;
+	options |= KRB5_TC_MATCH_KEYTYPE;
+    }
+
+    /* 
+     * If we got a credential, check if credential is expired before
+     * returning it.
+     */
+    ret = krb5_cc_retrieve_cred(context,
+                                ccache,
+				opt->enctype ? KRB5_TC_MATCH_KEYTYPE : 0,
+                                &in_creds, res_creds);
+    /* 
+     * If we got a credential, check if credential is expired before
+     * returning it, but only if KRB5_GC_EXPIRED_OK is not set.
+     */
+    if (ret == 0) {
+	krb5_timestamp timeret;
+
+	/* If expired ok, don't bother checking */
+        if(options & KRB5_GC_EXPIRED_OK) {
+            *out_creds = res_creds;
+	    krb5_free_principal(context, in_creds.client);
+            return 0;
+        }
+	    
+	krb5_timeofday(context, &timeret);
+	if(res_creds->times.endtime > timeret) {
+	    *out_creds = res_creds;
+	    krb5_free_principal(context, in_creds.client);
+	    return 0;
+	}
+	if(options & KRB5_GC_CACHED)
+	    krb5_cc_remove_cred(context, ccache, 0, res_creds);
+
+    } else if(ret != KRB5_CC_END) {
+        free(res_creds);
+	krb5_free_principal(context, in_creds.client);
+        return ret;
+    }
+    free(res_creds);
+    if(options & KRB5_GC_CACHED) {
+	not_found(context, in_creds.server);
+	krb5_free_principal(context, in_creds.client);
+        return KRB5_CC_NOTFOUND;
+    }
+    if(options & KRB5_GC_USER_USER) {
+	flags.b.enc_tkt_in_skey = 1;
+	options |= KRB5_GC_NO_STORE;
+    }
+    if (options & KRB5_GC_FORWARDABLE)
+	flags.b.forwardable = 1;
+    if (options & KRB5_GC_NO_TRANSIT_CHECK)
+	flags.b.disable_transited_check = 1;
+    if (options & KRB5_GC_CONSTRAINED_DELEGATION) {
+	flags.b.request_anonymous = 1; /* XXX ARGH confusion */
+	flags.b.constrained_delegation = 1;
+    }
+
+    tgts = NULL;
+    ret = get_cred_from_kdc_flags(context, flags, ccache, 
+				  &in_creds, opt->self, opt->ticket,
+				  out_creds, &tgts);
+    krb5_free_principal(context, in_creds.client);
+    for(i = 0; tgts && tgts[i]; i++) {
+	krb5_cc_store_cred(context, ccache, tgts[i]);
+	krb5_free_creds(context, tgts[i]);
+    }
+    free(tgts);
+    if(ret == 0 && (options & KRB5_GC_NO_STORE) == 0)
+	krb5_cc_store_cred(context, ccache, *out_creds);
+    return ret;
+}
+
+/*
+ *
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_renewed_creds(krb5_context context,
+		       krb5_creds *creds,
+		       krb5_const_principal client,
+		       krb5_ccache ccache,
+		       const char *in_tkt_service)
+{
+    krb5_error_code ret;
+    krb5_kdc_flags flags;
+    krb5_creds in, *template, *out = NULL;
+
+    memset(&in, 0, sizeof(in));
+    memset(creds, 0, sizeof(*creds));
+
+    ret = krb5_copy_principal(context, client, &in.client);
+    if (ret)
+	return ret;
+
+    if (in_tkt_service) {
+	ret = krb5_parse_name(context, in_tkt_service, &in.server);
+	if (ret) {
+	    krb5_free_principal(context, in.client);
+	    return ret;
+	}
+    } else {
+	const char *realm = krb5_principal_get_realm(context, client);
+	
+	ret = krb5_make_principal(context, &in.server, realm, KRB5_TGS_NAME,
+				  realm, NULL);
+	if (ret) {
+	    krb5_free_principal(context, in.client);
+	    return ret;
+	}
+    }
+
+    flags.i = 0;
+    flags.b.renewable = flags.b.renew = 1;
+
+    /*
+     * Get template from old credential cache for the same entry, if
+     * this failes, no worries.
+     */
+    ret = krb5_get_credentials(context, KRB5_GC_CACHED, ccache, &in, &template);
+    if (ret == 0) {
+	flags.b.forwardable = template->flags.b.forwardable;
+	flags.b.proxiable = template->flags.b.proxiable;
+	krb5_free_creds (context, template);
+    }
+
+    ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &in, &out);
+    krb5_free_principal(context, in.client);
+    krb5_free_principal(context, in.server);
+    if (ret)
+	return ret;
+
+    ret = krb5_copy_creds_contents(context, out, creds);
+    krb5_free_creds(context, out);
+
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/get_default_principal.c b/crypto/heimdal/lib/krb5/get_default_principal.c
index f8ed48f..83fb2b0 100644
--- a/crypto/heimdal/lib/krb5/get_default_principal.c
+++ b/crypto/heimdal/lib/krb5/get_default_principal.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: get_default_principal.c,v 1.7 2001/05/14 06:14:46 assar Exp $");
+RCSID("$Id: get_default_principal.c 14870 2005-04-20 20:53:29Z lha $");
 
 /*
  * Try to find out what's a reasonable default principal.
@@ -50,23 +50,21 @@ get_env_user(void)
     return user;
 }
 
+/*
+ * Will only use operating-system dependant operation to get the
+ * default principal, for use of functions that in ccache layer to
+ * avoid recursive calls.
+ */
+
 krb5_error_code
-krb5_get_default_principal (krb5_context context,
-			    krb5_principal *princ)
+_krb5_get_default_principal_local (krb5_context context, 
+				   krb5_principal *princ)
 {
     krb5_error_code ret;
-    krb5_ccache id;
     const char *user;
     uid_t uid;
 
-    ret = krb5_cc_default (context, &id);
-    if (ret == 0) {
-	ret = krb5_cc_get_principal (context, id, princ);
-	krb5_cc_close (context, id);
-	if (ret == 0)
-	    return 0;
-    }
-
+    *princ = NULL;
 
     uid = getuid();    
     if(uid == 0) {
@@ -93,6 +91,25 @@ krb5_get_default_principal (krb5_context context,
 	}
 	ret = krb5_make_principal(context, princ, NULL, user, NULL);
     }
-
     return ret;
 }
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_default_principal (krb5_context context,
+			    krb5_principal *princ)
+{
+    krb5_error_code ret;
+    krb5_ccache id;
+
+    *princ = NULL;
+
+    ret = krb5_cc_default (context, &id);
+    if (ret == 0) {
+	ret = krb5_cc_get_principal (context, id, princ);
+	krb5_cc_close (context, id);
+	if (ret == 0)
+	    return 0;
+    }
+
+    return _krb5_get_default_principal_local(context, princ);
+}
diff --git a/crypto/heimdal/lib/krb5/get_default_realm.c b/crypto/heimdal/lib/krb5/get_default_realm.c
index 74a880d..09c8577 100644
--- a/crypto/heimdal/lib/krb5/get_default_realm.c
+++ b/crypto/heimdal/lib/krb5/get_default_realm.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001, 2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,14 +33,14 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: get_default_realm.c,v 1.10 2001/07/19 16:55:27 assar Exp $");
+RCSID("$Id: get_default_realm.c 13863 2004-05-25 21:46:46Z lha $");
 
 /*
  * Return a NULL-terminated list of default realms in `realms'.
  * Free this memory with krb5_free_host_realm.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_default_realms (krb5_context context,
 			 krb5_realm **realms)
 {
@@ -56,22 +56,22 @@ krb5_get_default_realms (krb5_context context,
 }
 
 /*
- * Return the first default realm.  For compatability.
+ * Return the first default realm.  For compatibility.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_default_realm(krb5_context context,
 		       krb5_realm *realm)
 {
+    krb5_error_code ret;
     char *res;
 
     if (context->default_realms == NULL
 	|| context->default_realms[0] == NULL) {
-	krb5_error_code ret = krb5_set_default_realm (context, NULL);
-	if (ret) {
-	    krb5_set_error_string(context, "no default realm configured");
-	    return KRB5_CONFIG_NODEFREALM;
-	}
+	krb5_clear_error_string(context);
+	ret = krb5_set_default_realm (context, NULL);
+	if (ret)
+	    return ret;
     }
 
     res = strdup (context->default_realms[0]);
diff --git a/crypto/heimdal/lib/krb5/get_for_creds.c b/crypto/heimdal/lib/krb5/get_for_creds.c
index 6bdffe5..cb8b7c8 100644
--- a/crypto/heimdal/lib/krb5/get_for_creds.c
+++ b/crypto/heimdal/lib/krb5/get_for_creds.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: get_for_creds.c,v 1.34.4.1 2004/01/09 00:51:55 lha Exp $");
+RCSID("$Id: get_for_creds.c 22504 2008-01-21 15:49:58Z lha $");
 
 static krb5_error_code
 add_addrs(krb5_context context,
@@ -50,7 +50,7 @@ add_addrs(krb5_context context,
 	++n;
 
     tmp = realloc(addr->val, (addr->len + n) * sizeof(*addr->val));
-    if (tmp == NULL) {
+    if (tmp == NULL && (addr->len + n) != 0) {
 	krb5_set_error_string(context, "malloc: out of memory");
 	ret = ENOMEM;
 	goto fail;
@@ -83,14 +83,26 @@ fail:
     return ret;
 }
 
-/*
- * Forward credentials for `client' to host `hostname`,
- * making them forwardable if `forwardable', and returning the
- * blob of data to sent in `out_data'.
- * If hostname == NULL, pick it from `server'
+/**
+ * Forward credentials for client to host hostname , making them
+ * forwardable if forwardable, and returning the blob of data to sent
+ * in out_data.  If hostname == NULL, pick it from server.
+ *
+ * @param context A kerberos 5 context.
+ * @param auth_context the auth context with the key to encrypt the out_data.
+ * @param hostname the host to forward the tickets too.
+ * @param client the client to delegate from.
+ * @param server the server to delegate the credential too.
+ * @param ccache credential cache to use.
+ * @param forwardable make the forwarded ticket forwabledable.
+ * @param out_data the resulting credential.
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_credential
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_fwd_tgt_creds (krb5_context	context,
 		    krb5_auth_context	auth_context,
 		    const char		*hostname,
@@ -147,11 +159,34 @@ krb5_fwd_tgt_creds (krb5_context	context,
     return ret;
 }
 
-/*
+/**
+ * Gets tickets forwarded to hostname. If the tickets that are
+ * forwarded are address-less, the forwarded tickets will also be
+ * address-less.
+ * 
+ * If the ticket have any address, hostname will be used for figure
+ * out the address to forward the ticket too. This since this might
+ * use DNS, its insecure and also doesn't represent configured all
+ * addresses of the host. For example, the host might have two
+ * adresses, one IPv4 and one IPv6 address where the later is not
+ * published in DNS. This IPv6 address might be used communications
+ * and thus the resulting ticket useless.
+ *
+ * @param context A kerberos 5 context.
+ * @param auth_context the auth context with the key to encrypt the out_data.
+ * @param ccache credential cache to use
+ * @param flags the flags to control the resulting ticket flags
+ * @param hostname the host to forward the tickets too.
+ * @param in_creds the in client and server ticket names.  The client
+ * and server components forwarded to the remote host.
+ * @param out_data the resulting credential.
  *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_credential
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_forwarded_creds (krb5_context	    context,
 			  krb5_auth_context auth_context,
 			  krb5_ccache       ccache,
@@ -173,33 +208,32 @@ krb5_get_forwarded_creds (krb5_context	    context,
     krb5_crypto crypto;
     struct addrinfo *ai;
     int save_errno;
-    krb5_keyblock *key;
     krb5_creds *ticket;
-    char *realm;
-
-    if (in_creds->client && in_creds->client->realm)
-	realm = in_creds->client->realm;
-    else
-	realm = in_creds->server->realm;
 
+    paddrs = NULL;
     addrs.len = 0;
     addrs.val = NULL;
-    paddrs = &addrs;
-
-    /*
-     * If tickets are address-less, forward address-less tickets.
-     */
 
-    ret = _krb5_get_krbtgt (context,
-			    ccache,
-			    realm,
-			    &ticket);
+    ret = krb5_get_credentials(context, 0, ccache, in_creds, &ticket);
     if(ret == 0) {
-	if (ticket->addresses.len == 0)
-	    paddrs = NULL;
+	if (ticket->addresses.len)
+	    paddrs = &addrs;
 	krb5_free_creds (context, ticket);
+    } else {
+	krb5_boolean noaddr;
+	krb5_appdefault_boolean(context, NULL,
+				krb5_principal_get_realm(context, 
+							 in_creds->client),
+				"no-addresses", KRB5_ADDRESSLESS_DEFAULT,
+				&noaddr);
+	if (!noaddr)
+	    paddrs = &addrs;
     }
-    
+	
+    /*
+     * If tickets have addresses, get the address of the remote host.
+     */
+
     if (paddrs != NULL) {
 
 	ret = getaddrinfo (hostname, NULL, NULL, &ai);
@@ -216,7 +250,7 @@ krb5_get_forwarded_creds (krb5_context	    context,
 	    return ret;
     }
     
-    kdc_flags.i = flags;
+    kdc_flags.b = int2KDCOptions(flags);
 
     ret = krb5_get_kdc_cred (context,
 			     ccache,
@@ -226,9 +260,8 @@ krb5_get_forwarded_creds (krb5_context	    context,
 			     in_creds,
 			     &out_creds);
     krb5_free_addresses (context, &addrs);
-    if (ret) {
+    if (ret)
 	return ret;
-    }
 
     memset (&cred, 0, sizeof(cred));
     cred.pvno = 5;
@@ -254,7 +287,8 @@ krb5_get_forwarded_creds (krb5_context	    context,
     }
     
     if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
-	int32_t sec, usec;
+	krb5_timestamp sec;
+	int32_t usec;
 	
 	krb5_us_timeofday (context, &sec, &usec);
 	
@@ -277,30 +311,28 @@ krb5_get_forwarded_creds (krb5_context	    context,
 	enc_krb_cred_part.usec = NULL;
     }
 
-    if (auth_context->local_address && auth_context->local_port) {
-	krb5_boolean noaddr;
-	krb5_const_realm realm;
+    if (auth_context->local_address && auth_context->local_port && paddrs) {
 
-	realm = krb5_principal_get_realm(context, out_creds->server);
-	krb5_appdefault_boolean(context, NULL, realm, "no-addresses", FALSE,
-				&noaddr);
-	if (!noaddr) {
-	    ret = krb5_make_addrport (context,
-				      &enc_krb_cred_part.s_address,
-				      auth_context->local_address,
-				      auth_context->local_port);
-	    if (ret)
-		goto out4;
-	}
+	ret = krb5_make_addrport (context,
+				  &enc_krb_cred_part.s_address,
+				  auth_context->local_address,
+				  auth_context->local_port);
+	if (ret)
+	    goto out4;
     }
 
     if (auth_context->remote_address) {
 	if (auth_context->remote_port) {
 	    krb5_boolean noaddr;
-	    krb5_const_realm realm;
-
-	    realm = krb5_principal_get_realm(context, out_creds->server);
-	    krb5_appdefault_boolean(context, NULL, realm, "no-addresses",
+	    krb5_const_realm srealm;
+
+	    srealm = krb5_principal_get_realm(context, out_creds->server);
+	    /* Is this correct, and should we use the paddrs == NULL
+               trick here as well? Having an address-less ticket may
+               indicate that we don't know our own global address, but
+               it does not necessary mean that we don't know the
+               server's. */
+	    krb5_appdefault_boolean(context, NULL, srealm, "no-addresses",
 				    FALSE, &noaddr);
 	    if (!noaddr) {
 		ret = krb5_make_addrport (context,
@@ -367,31 +399,46 @@ krb5_get_forwarded_creds (krb5_context	    context,
     if(buf_size != len)
 	krb5_abortx(context, "internal error in ASN.1 encoder");
 
-    if (auth_context->local_subkey)
-	key = auth_context->local_subkey;
-    else if (auth_context->remote_subkey)
-	key = auth_context->remote_subkey;
-    else
-	key = auth_context->keyblock;
+    /**
+     * Some older of the MIT gssapi library used clear-text tickets
+     * (warped inside AP-REQ encryption), use the krb5_auth_context
+     * flag KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED to support those
+     * tickets. The session key is used otherwise to encrypt the
+     * forwarded ticket.
+     */
 
-    ret = krb5_crypto_init(context, key, 0, &crypto);
-    if (ret) {
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED) {
+	cred.enc_part.etype = ENCTYPE_NULL;
+	cred.enc_part.kvno = NULL;
+	cred.enc_part.cipher.data = buf;
+	cred.enc_part.cipher.length = buf_size;
+    } else {
+	/* 
+	 * Here older versions then 0.7.2 of Heimdal used the local or
+	 * remote subkey. That is wrong, the session key should be
+	 * used. Heimdal 0.7.2 and newer have code to try both in the
+	 * receiving end.
+	 */
+	
+	ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
+	if (ret) {
+	    free(buf);
+	    free_KRB_CRED(&cred);
+	    return ret;
+	}
+	ret = krb5_encrypt_EncryptedData (context,
+					  crypto,
+					  KRB5_KU_KRB_CRED,
+					  buf,
+					  len,
+					  0,
+					  &cred.enc_part);
 	free(buf);
-	free_KRB_CRED(&cred);
-	return ret;
-    }
-    ret = krb5_encrypt_EncryptedData (context,
-				      crypto,
-				      KRB5_KU_KRB_CRED,
-				      buf,
-				      len,
-				      0,
-				      &cred.enc_part);
-    free(buf);
-    krb5_crypto_destroy(context, crypto);
-    if (ret) {
-	free_KRB_CRED(&cred);
-	return ret;
+	krb5_crypto_destroy(context, crypto);
+	if (ret) {
+	    free_KRB_CRED(&cred);
+	    return ret;
+	}
     }
 
     ASN1_MALLOC_ENCODE(KRB_CRED, buf, buf_size, &cred, &len, ret);
diff --git a/crypto/heimdal/lib/krb5/get_host_realm.c b/crypto/heimdal/lib/krb5/get_host_realm.c
index f2b4280..d709e4b 100644
--- a/crypto/heimdal/lib/krb5/get_host_realm.c
+++ b/crypto/heimdal/lib/krb5/get_host_realm.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -34,7 +34,7 @@
 #include "krb5_locl.h"
 #include <resolve.h>
 
-RCSID("$Id: get_host_realm.c,v 1.29 2002/08/28 13:36:57 nectar Exp $");
+RCSID("$Id: get_host_realm.c 18541 2006-10-17 19:28:36Z lha $");
 
 /* To automagically find the correct realm of a host (without
  * [domain_realm] in krb5.conf) add a text record for your domain with
@@ -94,30 +94,41 @@ dns_find_realm(krb5_context context,
 	       const char *domain,
 	       krb5_realm **realms)
 {
-    static char *default_labels[] = { "_kerberos", NULL };
+    static const char *default_labels[] = { "_kerberos", NULL };
     char dom[MAXHOSTNAMELEN];
     struct dns_reply *r;
-    char **labels;
+    const char **labels;
+    char **config_labels;
     int i, ret;
     
-    labels = krb5_config_get_strings(context, NULL, "libdefaults",
-	"dns_lookup_realm_labels", NULL);
-    if(labels == NULL)
+    config_labels = krb5_config_get_strings(context, NULL, "libdefaults",
+					    "dns_lookup_realm_labels", NULL);
+    if(config_labels != NULL)
+	labels = (const char **)config_labels;
+    else
 	labels = default_labels;
     if(*domain == '.')
 	domain++;
     for (i = 0; labels[i] != NULL; i++) {
-	if(snprintf(dom, sizeof(dom), "%s.%s.", labels[i], domain) >=
-	    sizeof(dom))
+	ret = snprintf(dom, sizeof(dom), "%s.%s.", labels[i], domain);
+	if(ret < 0 || ret >= sizeof(dom)) {
+	    if (config_labels)
+		krb5_config_free_strings(config_labels);
 	    return -1;
+	}
     	r = dns_lookup(dom, "TXT");
     	if(r != NULL) {
 	    ret = copy_txt_to_realms (r->head, realms);
 	    dns_free_data(r);
-	    if(ret == 0)
+	    if(ret == 0) {
+		if (config_labels)
+		    krb5_config_free_strings(config_labels);
 		return 0;
+	    }
 	}
     }
+    if (config_labels)
+	krb5_config_free_strings(config_labels);
     return -1;
 }
 
@@ -149,11 +160,11 @@ config_find_realm(krb5_context context,
  * fall back to guessing
  */
 
-krb5_error_code
-krb5_get_host_realm_int (krb5_context context,
-			 const char *host,
-			 krb5_boolean use_dns,
-			 krb5_realm **realms)
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_get_host_realm_int (krb5_context context,
+			  const char *host,
+			  krb5_boolean use_dns,
+			  krb5_realm **realms)
 {
     const char *p, *q;
     krb5_boolean dns_locate_enable;
@@ -200,21 +211,47 @@ krb5_get_host_realm_int (krb5_context context,
 }
 
 /*
- * Return the realm(s) of `host' as a NULL-terminated list in `realms'.
+ * Return the realm(s) of `host' as a NULL-terminated list in
+ * `realms'. Free `realms' with krb5_free_host_realm().
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_host_realm(krb5_context context,
-		    const char *host,
+		    const char *targethost,
 		    krb5_realm **realms)
 {
+    const char *host = targethost;
     char hostname[MAXHOSTNAMELEN];
+    krb5_error_code ret;
+    int use_dns;
 
     if (host == NULL) {
-	if (gethostname (hostname, sizeof(hostname)))
+	if (gethostname (hostname, sizeof(hostname))) {
+	    *realms = NULL;
 	    return errno;
+	}
 	host = hostname;
     }
 
-    return krb5_get_host_realm_int (context, host, 1, realms);
+    /* 
+     * If our local hostname is without components, don't even try to dns.
+     */
+
+    use_dns = (strchr(host, '.') != NULL);
+
+    ret = _krb5_get_host_realm_int (context, host, use_dns, realms);
+    if (ret && targethost != NULL) {
+	/*
+	 * If there was no realm mapping for the host (and we wasn't
+	 * looking for ourself), guess at the local realm, maybe our
+	 * KDC knows better then we do and we get a referral back.
+	 */
+	ret = krb5_get_default_realms(context, realms);
+	if (ret) {
+	    krb5_set_error_string(context, "Unable to find realm of host %s",
+				  host);
+	    return KRB5_ERR_HOST_REALM_UNKNOWN;
+	}
+    }
+    return ret;
 }
diff --git a/crypto/heimdal/lib/krb5/get_in_tkt.c b/crypto/heimdal/lib/krb5/get_in_tkt.c
index 88943e7..ffd4ca2 100644
--- a/crypto/heimdal/lib/krb5/get_in_tkt.c
+++ b/crypto/heimdal/lib/krb5/get_in_tkt.c
@@ -33,9 +33,9 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: get_in_tkt.c,v 1.107.2.1 2003/09/18 21:00:09 lha Exp $");
+RCSID("$Id: get_in_tkt.c 20226 2007-02-16 03:31:50Z lha $");
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_init_etype (krb5_context context,
 		 unsigned *len,
 		 krb5_enctype **val,
@@ -125,26 +125,27 @@ _krb5_extract_ticket(krb5_context context,
 		     krb5_key_usage key_usage,
 		     krb5_addresses *addrs,
 		     unsigned nonce,
-		     krb5_boolean allow_server_mismatch,
-		     krb5_boolean ignore_cname,
+		     unsigned flags,
 		     krb5_decrypt_proc decrypt_proc,
 		     krb5_const_pointer decryptarg)
 {
     krb5_error_code ret;
     krb5_principal tmp_principal;
     int tmp;
+    size_t len;
     time_t tmp_time;
     krb5_timestamp sec_now;
 
-    ret = principalname2krb5_principal (&tmp_principal,
-					rep->kdc_rep.cname,
-					rep->kdc_rep.crealm);
+    ret = _krb5_principalname2krb5_principal (context,
+					      &tmp_principal,
+					      rep->kdc_rep.cname,
+					      rep->kdc_rep.crealm);
     if (ret)
 	goto out;
 
     /* compare client */
 
-    if (!ignore_cname) {
+    if((flags & EXTRACT_TICKET_ALLOW_CNAME_MISMATCH) == 0){
 	tmp = krb5_principal_compare (context, tmp_principal, creds->client);
 	if (!tmp) {
 	    krb5_free_principal (context, tmp_principal);
@@ -159,25 +160,29 @@ _krb5_extract_ticket(krb5_context context,
 
     /* extract ticket */
     ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length, 
-		       &rep->kdc_rep.ticket, &creds->ticket.length, ret);
+		       &rep->kdc_rep.ticket, &len, ret);
     if(ret)
 	goto out;
+    if (creds->ticket.length != len)
+	krb5_abortx(context, "internal error in ASN.1 encoder");
     creds->second_ticket.length = 0;
     creds->second_ticket.data   = NULL;
 
     /* compare server */
 
-    ret = principalname2krb5_principal (&tmp_principal,
-					rep->kdc_rep.ticket.sname,
-					rep->kdc_rep.ticket.realm);
+    ret = _krb5_principalname2krb5_principal (context,
+					      &tmp_principal,
+					      rep->kdc_rep.ticket.sname,
+					      rep->kdc_rep.ticket.realm);
     if (ret)
 	goto out;
-    if(allow_server_mismatch){
+    if(flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH){
 	krb5_free_principal(context, creds->server);
 	creds->server = tmp_principal;
 	tmp_principal = NULL;
-    }else{
-	tmp = krb5_principal_compare (context, tmp_principal, creds->server);
+    } else {
+	tmp = krb5_principal_compare (context, tmp_principal,
+				      creds->server);
 	krb5_free_principal (context, tmp_principal);
 	if (!tmp) {
 	    ret = KRB5KRB_AP_ERR_MODIFIED;
@@ -195,12 +200,19 @@ _krb5_extract_ticket(krb5_context context,
     if (ret)
 	goto out;
 
-#if 0
-    /* XXX should this decode be here, or in the decrypt_proc? */
-    ret = krb5_decode_keyblock(context, &rep->enc_part.key, 1);
-    if(ret)
-	goto out;
-#endif
+    /* verify names */
+    if(flags & EXTRACT_TICKET_MATCH_REALM){
+	const char *srealm = krb5_principal_get_realm(context, creds->server);
+	const char *crealm = krb5_principal_get_realm(context, creds->client);
+
+	if (strcmp(rep->enc_part.srealm, srealm) != 0 ||
+	    strcmp(rep->enc_part.srealm, crealm) != 0)
+	{
+	    ret = KRB5KRB_AP_ERR_MODIFIED;
+	    krb5_clear_error_string(context);
+	    goto out;
+	}
+    }
 
     /* compare nonces */
 
@@ -310,12 +322,11 @@ make_pa_enc_timestamp(krb5_context context, PA_DATA *pa,
     size_t len;
     EncryptedData encdata;
     krb5_error_code ret;
-    int32_t sec, usec;
+    int32_t usec;
     int usec2;
     krb5_crypto crypto;
     
-    krb5_us_timeofday (context, &sec, &usec);
-    p.patimestamp = sec;
+    krb5_us_timeofday (context, &p.patimestamp, &usec);
     usec2         = usec;
     p.pausec      = &usec2;
 
@@ -407,7 +418,7 @@ add_padata(krb5_context context,
 
 static krb5_error_code
 init_as_req (krb5_context context,
-	     krb5_kdc_flags opts,
+	     KDCOptions opts,
 	     krb5_creds *creds,
 	     const krb5_addresses *addrs,
 	     const krb5_enctype *etypes,
@@ -425,7 +436,7 @@ init_as_req (krb5_context context,
 
     a->pvno = 5;
     a->msg_type = krb_as_req;
-    a->req_body.kdc_options = opts.b;
+    a->req_body.kdc_options = opts;
     a->req_body.cname = malloc(sizeof(*a->req_body.cname));
     if (a->req_body.cname == NULL) {
 	ret = ENOMEM;
@@ -438,10 +449,10 @@ init_as_req (krb5_context context,
 	krb5_set_error_string(context, "malloc: out of memory");
 	goto fail;
     }
-    ret = krb5_principal2principalname (a->req_body.cname, creds->client);
+    ret = _krb5_principal2principalname (a->req_body.cname, creds->client);
     if (ret)
 	goto fail;
-    ret = krb5_principal2principalname (a->req_body.sname, creds->server);
+    ret = _krb5_principal2principalname (a->req_body.sname, creds->server);
     if (ret)
 	goto fail;
     ret = copy_Realm(&creds->client->realm, &a->req_body.realm);
@@ -516,19 +527,12 @@ init_as_req (krb5_context context,
 	    krb5_set_error_string(context, "malloc: out of memory");
 	    goto fail;
 	}
+	a->padata->val = NULL;
+	a->padata->len = 0;
 	for(i = 0; i < preauth->len; i++) {
 	    if(preauth->val[i].type == KRB5_PADATA_ENC_TIMESTAMP){
 		int j;
-		PA_DATA *tmp = realloc(a->padata->val, 
-				       (a->padata->len + 
-					preauth->val[i].info.len) * 
-				       sizeof(*a->padata->val));
-		if(tmp == NULL) {
-		    ret = ENOMEM;
-		    krb5_set_error_string(context, "malloc: out of memory");
-		    goto fail;
-		}
-		a->padata->val = tmp;
+
 		for(j = 0; j < preauth->val[i].info.len; j++) {
 		    krb5_salt *sp = &salt;
 		    if(preauth->val[i].info.val[j].salttype)
@@ -591,7 +595,7 @@ fail:
 static int
 set_ptypes(krb5_context context,
 	   KRB_ERROR *error, 
-	   krb5_preauthtype **ptypes,
+	   const krb5_preauthtype **ptypes,
 	   krb5_preauthdata **preauth)
 {
     static krb5_preauthdata preauth2;
@@ -630,7 +634,7 @@ set_ptypes(krb5_context context,
     return(1);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_in_cred(krb5_context context,
 		 krb5_flags options,
 		 const krb5_addresses *addrs,
@@ -652,14 +656,14 @@ krb5_get_in_cred(krb5_context context,
     krb5_salt salt;
     krb5_keyblock *key;
     size_t size;
-    krb5_kdc_flags opts;
+    KDCOptions opts;
     PA_DATA *pa;
     krb5_enctype etype;
     krb5_preauthdata *my_preauth = NULL;
     unsigned nonce;
     int done;
 
-    opts.i = options;
+    opts = int2KDCOptions(options);
 
     krb5_generate_random_block (&nonce, sizeof(nonce));
     nonce &= 0xffffffff;
@@ -680,6 +684,7 @@ krb5_get_in_cred(krb5_context context,
 	if (my_preauth) {
 	    free_ETYPE_INFO(&my_preauth->val[0].info);
 	    free (my_preauth->val);
+	    my_preauth = NULL;
 	}
 	if (ret)
 	    return ret;
@@ -737,14 +742,14 @@ krb5_get_in_cred(krb5_context context,
     pa = NULL;
     etype = rep.kdc_rep.enc_part.etype;
     if(rep.kdc_rep.padata){
-	int index = 0;
+	int i = 0;
 	pa = krb5_find_padata(rep.kdc_rep.padata->val, rep.kdc_rep.padata->len, 
-			      KRB5_PADATA_PW_SALT, &index);
+			      KRB5_PADATA_PW_SALT, &i);
 	if(pa == NULL) {
-	    index = 0;
+	    i = 0;
 	    pa = krb5_find_padata(rep.kdc_rep.padata->val, 
 				  rep.kdc_rep.padata->len, 
-				  KRB5_PADATA_AFS3_SALT, &index);
+				  KRB5_PADATA_AFS3_SALT, &i);
 	}
     }
     if(pa) {
@@ -764,18 +769,23 @@ krb5_get_in_cred(krb5_context context,
     if (ret)
 	goto out;
 	
-    ret = _krb5_extract_ticket(context, 
-			       &rep, 
-			       creds, 
-			       key, 
-			       keyseed, 
-			       KRB5_KU_AS_REP_ENC_PART,
-			       NULL, 
-			       nonce, 
-			       FALSE, 
-			       opts.b.request_anonymous,
-			       decrypt_proc, 
-			       decryptarg);
+    {
+	unsigned flags = 0;
+	if (opts.request_anonymous)
+	    flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
+
+	ret = _krb5_extract_ticket(context, 
+				   &rep, 
+				   creds, 
+				   key, 
+				   keyseed, 
+				   KRB5_KU_AS_REP_ENC_PART,
+				   NULL, 
+				   nonce, 
+				   flags,
+				   decrypt_proc, 
+				   decryptarg);
+    }
     memset (key->keyvalue.data, 0, key->keyvalue.length);
     krb5_free_keyblock_contents (context, key);
     free (key);
@@ -788,7 +798,7 @@ out:
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_in_tkt(krb5_context context,
 		krb5_flags options,
 		const krb5_addresses *addrs,
@@ -803,12 +813,9 @@ krb5_get_in_tkt(krb5_context context,
 		krb5_kdc_rep *ret_as_reply)
 {
     krb5_error_code ret;
-    krb5_kdc_flags opts;
-    opts.i = 0;
-    opts.b = int2KDCOptions(options);
     
     ret = krb5_get_in_cred (context,
-			    opts.i,
+			    options,
 			    addrs,
 			    etypes,
 			    ptypes,
diff --git a/crypto/heimdal/lib/krb5/get_in_tkt_pw.c b/crypto/heimdal/lib/krb5/get_in_tkt_pw.c
index a4f5c80..21b27c6 100644
--- a/crypto/heimdal/lib/krb5/get_in_tkt_pw.c
+++ b/crypto/heimdal/lib/krb5/get_in_tkt_pw.c
@@ -33,9 +33,9 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: get_in_tkt_pw.c,v 1.16 2001/05/14 06:14:48 assar Exp $");
+RCSID("$Id: get_in_tkt_pw.c 13863 2004-05-25 21:46:46Z lha $");
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_password_key_proc (krb5_context context,
 			krb5_enctype type,
 			krb5_salt salt,
@@ -52,7 +52,7 @@ krb5_password_key_proc (krb5_context context,
 	return ENOMEM;
     }
     if (password == NULL) {
-	if(des_read_pw_string (buf, sizeof(buf), "Password: ", 0)) {
+	if(UI_UTIL_read_pw_string (buf, sizeof(buf), "Password: ", 0)) {
 	    free (*key);
 	    krb5_clear_error_string(context);
 	    return KRB5_LIBOS_PWDINTR;
@@ -64,7 +64,7 @@ krb5_password_key_proc (krb5_context context,
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_in_tkt_with_password (krb5_context context,
 			       krb5_flags options,
 			       krb5_addresses *addrs,
diff --git a/crypto/heimdal/lib/krb5/get_in_tkt_with_keytab.c b/crypto/heimdal/lib/krb5/get_in_tkt_with_keytab.c
index c5feee4..52f95c4 100644
--- a/crypto/heimdal/lib/krb5/get_in_tkt_with_keytab.c
+++ b/crypto/heimdal/lib/krb5/get_in_tkt_with_keytab.c
@@ -33,16 +33,16 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: get_in_tkt_with_keytab.c,v 1.6 2001/05/14 06:14:48 assar Exp $");
+RCSID("$Id: get_in_tkt_with_keytab.c 15477 2005-06-17 04:56:44Z lha $");
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_keytab_key_proc (krb5_context context,
 		      krb5_enctype enctype,
 		      krb5_salt salt,
 		      krb5_const_pointer keyseed,
 		      krb5_keyblock **key)
 {
-    krb5_keytab_key_proc_args *args  = (krb5_keytab_key_proc_args *)keyseed;
+    krb5_keytab_key_proc_args *args  = rk_UNCONST(keyseed);
     krb5_keytab keytab = args->keytab;
     krb5_principal principal  = args->principal;
     krb5_error_code ret;
@@ -68,7 +68,7 @@ krb5_keytab_key_proc (krb5_context context,
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_in_tkt_with_keytab (krb5_context context,
 			     krb5_flags options,
 			     krb5_addresses *addrs,
@@ -79,16 +79,10 @@ krb5_get_in_tkt_with_keytab (krb5_context context,
 			     krb5_creds *creds,
 			     krb5_kdc_rep *ret_as_reply)
 {
-    krb5_keytab_key_proc_args *a;
+    krb5_keytab_key_proc_args a;
 
-    a = malloc(sizeof(*a));
-    if (a == NULL) {
-	krb5_set_error_string(context, "malloc: out of memory");
-	return ENOMEM;
-    }
-
-    a->principal = creds->client;
-    a->keytab    = keytab;
+    a.principal = creds->client;
+    a.keytab    = keytab;
 
     return krb5_get_in_tkt (context,
 			    options,
@@ -96,7 +90,7 @@ krb5_get_in_tkt_with_keytab (krb5_context context,
 			    etypes,
 			    pre_auth_types,
 			    krb5_keytab_key_proc,
-			    a,
+			    &a,
 			    NULL,
 			    NULL,
 			    creds,
diff --git a/crypto/heimdal/lib/krb5/get_in_tkt_with_skey.c b/crypto/heimdal/lib/krb5/get_in_tkt_with_skey.c
index 773d361..1936fa1 100644
--- a/crypto/heimdal/lib/krb5/get_in_tkt_with_skey.c
+++ b/crypto/heimdal/lib/krb5/get_in_tkt_with_skey.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: get_in_tkt_with_skey.c,v 1.3 1999/12/02 17:05:10 joda Exp $");
+RCSID("$Id: get_in_tkt_with_skey.c 13863 2004-05-25 21:46:46Z lha $");
 
 static krb5_error_code
 krb5_skey_key_proc (krb5_context context,
@@ -45,7 +45,7 @@ krb5_skey_key_proc (krb5_context context,
     return krb5_copy_keyblock (context, keyseed, key);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_in_tkt_with_skey (krb5_context context,
 			   krb5_flags options,
 			   krb5_addresses *addrs,
diff --git a/crypto/heimdal/lib/krb5/get_port.c b/crypto/heimdal/lib/krb5/get_port.c
index 6c51741..85587ea 100644
--- a/crypto/heimdal/lib/krb5/get_port.c
+++ b/crypto/heimdal/lib/krb5/get_port.c
@@ -33,9 +33,9 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: get_port.c,v 1.8 2001/01/27 19:24:34 joda Exp $");
+RCSID("$Id: get_port.c 13863 2004-05-25 21:46:46Z lha $");
 
-int
+int KRB5_LIB_FUNCTION
 krb5_getportbyname (krb5_context context,
 		    const char *service,
 		    const char *proto,
diff --git a/crypto/heimdal/lib/krb5/heim_err.et b/crypto/heimdal/lib/krb5/heim_err.et
index 67642a5..1b8ab49 100644
--- a/crypto/heimdal/lib/krb5/heim_err.et
+++ b/crypto/heimdal/lib/krb5/heim_err.et
@@ -3,7 +3,7 @@
 #
 # This might look like a com_err file, but is not
 #
-id "$Id: heim_err.et,v 1.12 2001/06/21 03:51:36 assar Exp $"
+id "$Id: heim_err.et 13352 2004-02-13 16:23:40Z lha $"
 
 error_table heim
 
@@ -18,6 +18,14 @@ error_code EOF,			"End of file"
 error_code BAD_MKEY,		"Failed to get the master key"
 error_code SERVICE_NOMATCH,	"Unacceptable service used"
 
+index 64
+prefix HEIM_PKINIT
+error_code NO_CERTIFICATE,	"Certificate missing"
+error_code NO_PRIVATE_KEY,	"Private key missing"
+error_code NO_VALID_CA,		"No valid certificate authority"
+error_code CERTIFICATE_INVALID,	"Certificate invalid"
+error_code PRIVATE_KEY_INVALID,	"Private key invalid"
+
 index 128
 prefix HEIM_EAI
 #error_code NOERROR,		"no error"
diff --git a/crypto/heimdal/lib/krb5/heim_threads.h b/crypto/heimdal/lib/krb5/heim_threads.h
new file mode 100644
index 0000000..3c27d13
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/heim_threads.h
@@ -0,0 +1,175 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: heim_threads.h 14409 2004-12-18 16:03:38Z lha $ */
+
+/*
+ * Provide wrapper macros for thread synchronization primitives so we
+ * can use native thread functions for those operating system that
+ * supports it.
+ *
+ * This is so libkrb5.so (or more importantly, libgssapi.so) can have
+ * thread support while the program that that dlopen(3)s the library
+ * don't need to be linked to libpthread.
+ */
+
+#ifndef HEIM_THREADS_H
+#define HEIM_THREADS_H 1
+
+/* assume headers already included */
+
+#if defined(__NetBSD__) && __NetBSD_Version__ >= 106120000 && __NetBSD_Version__< 299001200 && defined(ENABLE_PTHREAD_SUPPORT)
+
+/* 
+ * NetBSD have a thread lib that we can use that part of libc that
+ * works regardless if application are linked to pthreads or not.
+ * NetBSD newer then 2.99.11 just use pthread.h, and the same thing
+ * will happen.
+ */
+#include <threadlib.h>
+
+#define HEIMDAL_MUTEX mutex_t
+#define HEIMDAL_MUTEX_INITIALIZER MUTEX_INITIALIZER
+#define HEIMDAL_MUTEX_init(m) mutex_init(m, NULL)
+#define HEIMDAL_MUTEX_lock(m) mutex_lock(m)
+#define HEIMDAL_MUTEX_unlock(m) mutex_unlock(m)
+#define HEIMDAL_MUTEX_destroy(m) mutex_destroy(m)
+
+#define HEIMDAL_RWLOCK rwlock_t
+#define HEIMDAL_RWLOCK_INITIALIZER RWLOCK_INITIALIZER
+#define	HEIMDAL_RWLOCK_init(l) rwlock_init(l, NULL)	
+#define	HEIMDAL_RWLOCK_rdlock(l) rwlock_rdlock(l)	
+#define	HEIMDAL_RWLOCK_wrlock(l) rwlock_wrlock(l)	
+#define	HEIMDAL_RWLOCK_tryrdlock(l) rwlock_tryrdlock(l)	
+#define	HEIMDAL_RWLOCK_trywrlock(l) rwlock_trywrlock(l)	
+#define	HEIMDAL_RWLOCK_unlock(l) rwlock_unlock(l)	
+#define	HEIMDAL_RWLOCK_destroy(l) rwlock_destroy(l)	
+
+#define HEIMDAL_thread_key thread_key_t
+#define HEIMDAL_key_create(k,d,r) do { r = thr_keycreate(k,d); } while(0)
+#define HEIMDAL_setspecific(k,s,r) do { r = thr_setspecific(k,s); } while(0)
+#define HEIMDAL_getspecific(k) thr_getspecific(k)
+#define HEIMDAL_key_delete(k) thr_keydelete(k)
+
+#elif defined(ENABLE_PTHREAD_SUPPORT) && (!defined(__NetBSD__) || __NetBSD_Version__ >= 299001200)
+
+#include <pthread.h>
+
+#define HEIMDAL_MUTEX pthread_mutex_t
+#define HEIMDAL_MUTEX_INITIALIZER PTHREAD_MUTEX_INITIALIZER
+#define HEIMDAL_MUTEX_init(m) pthread_mutex_init(m, NULL)
+#define HEIMDAL_MUTEX_lock(m) pthread_mutex_lock(m)
+#define HEIMDAL_MUTEX_unlock(m) pthread_mutex_unlock(m)
+#define HEIMDAL_MUTEX_destroy(m) pthread_mutex_destroy(m)
+
+#define HEIMDAL_RWLOCK rwlock_t
+#define HEIMDAL_RWLOCK_INITIALIZER RWLOCK_INITIALIZER
+#define	HEIMDAL_RWLOCK_init(l) pthread_rwlock_init(l, NULL)	
+#define	HEIMDAL_RWLOCK_rdlock(l) pthread_rwlock_rdlock(l)	
+#define	HEIMDAL_RWLOCK_wrlock(l) pthread_rwlock_wrlock(l)	
+#define	HEIMDAL_RWLOCK_tryrdlock(l) pthread_rwlock_tryrdlock(l)	
+#define	HEIMDAL_RWLOCK_trywrlock(l) pthread_rwlock_trywrlock(l)	
+#define	HEIMDAL_RWLOCK_unlock(l) pthread_rwlock_unlock(l)	
+#define	HEIMDAL_RWLOCK_destroy(l) pthread_rwlock_destroy(l)	
+
+#define HEIMDAL_thread_key pthread_key_t
+#define HEIMDAL_key_create(k,d,r) do { r = pthread_key_create(k,d); } while(0)
+#define HEIMDAL_setspecific(k,s,r) do { r = pthread_setspecific(k,s); } while(0)
+#define HEIMDAL_getspecific(k) pthread_getspecific(k)
+#define HEIMDAL_key_delete(k) pthread_key_delete(k)
+
+#elif defined(HEIMDAL_DEBUG_THREADS)
+
+/* no threads support, just do consistency checks */
+#include <stdlib.h>
+
+#define HEIMDAL_MUTEX int
+#define HEIMDAL_MUTEX_INITIALIZER 0
+#define HEIMDAL_MUTEX_init(m)  do { (*(m)) = 0; } while(0)
+#define HEIMDAL_MUTEX_lock(m)  do { if ((*(m))++ != 0) abort(); } while(0)
+#define HEIMDAL_MUTEX_unlock(m) do { if ((*(m))-- != 1) abort(); } while(0)
+#define HEIMDAL_MUTEX_destroy(m) do {if ((*(m)) != 0) abort(); } while(0)
+
+#define HEIMDAL_RWLOCK rwlock_t int
+#define HEIMDAL_RWLOCK_INITIALIZER 0
+#define	HEIMDAL_RWLOCK_init(l) do { } while(0)
+#define	HEIMDAL_RWLOCK_rdlock(l) do { } while(0)
+#define	HEIMDAL_RWLOCK_wrlock(l) do { } while(0)
+#define	HEIMDAL_RWLOCK_tryrdlock(l) do { } while(0)
+#define	HEIMDAL_RWLOCK_trywrlock(l) do { } while(0)
+#define	HEIMDAL_RWLOCK_unlock(l) do { } while(0)
+#define	HEIMDAL_RWLOCK_destroy(l) do { } while(0)
+
+#define HEIMDAL_internal_thread_key 1
+
+#else /* no thread support, no debug case */
+
+#define HEIMDAL_MUTEX int
+#define HEIMDAL_MUTEX_INITIALIZER 0
+#define HEIMDAL_MUTEX_init(m)  do { (void)(m); } while(0)
+#define HEIMDAL_MUTEX_lock(m)  do { (void)(m); } while(0)
+#define HEIMDAL_MUTEX_unlock(m) do { (void)(m); } while(0)
+#define HEIMDAL_MUTEX_destroy(m) do { (void)(m); } while(0)
+
+#define HEIMDAL_RWLOCK rwlock_t int
+#define HEIMDAL_RWLOCK_INITIALIZER 0
+#define	HEIMDAL_RWLOCK_init(l) do { } while(0)
+#define	HEIMDAL_RWLOCK_rdlock(l) do { } while(0)
+#define	HEIMDAL_RWLOCK_wrlock(l) do { } while(0)
+#define	HEIMDAL_RWLOCK_tryrdlock(l) do { } while(0)
+#define	HEIMDAL_RWLOCK_trywrlock(l) do { } while(0)
+#define	HEIMDAL_RWLOCK_unlock(l) do { } while(0)
+#define	HEIMDAL_RWLOCK_destroy(l) do { } while(0)
+
+#define HEIMDAL_internal_thread_key 1
+
+#endif /* no thread support */
+
+#ifdef HEIMDAL_internal_thread_key
+
+typedef struct heim_thread_key {
+    void *value;
+    void (*destructor)(void *);
+} heim_thread_key;
+
+#define HEIMDAL_thread_key heim_thread_key
+#define HEIMDAL_key_create(k,d,r) \
+	do { (k)->value = NULL; (k)->destructor = (d); r = 0; } while(0)
+#define HEIMDAL_setspecific(k,s,r) do { (k).value = s ; r = 0; } while(0)
+#define HEIMDAL_getspecific(k) ((k).value)
+#define HEIMDAL_key_delete(k) do { (*(k).destructor)((k).value); } while(0)
+
+#undef HEIMDAL_internal_thread_key
+#endif /* HEIMDAL_internal_thread_key */
+
+#endif /* HEIM_THREADS_H */
diff --git a/crypto/heimdal/lib/krb5/init_creds.c b/crypto/heimdal/lib/krb5/init_creds.c
index 6f93005..a59c903 100644
--- a/crypto/heimdal/lib/krb5/init_creds.c
+++ b/crypto/heimdal/lib/krb5/init_creds.c
@@ -1,45 +1,149 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
 #include "krb5_locl.h"
 
-RCSID("$Id: init_creds.c,v 1.9 2001/07/03 18:42:07 assar Exp $");
+RCSID("$Id: init_creds.c 21711 2007-07-27 14:22:02Z lha $");
 
-void
+void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
 {
     memset (opt, 0, sizeof(*opt));
     opt->flags = 0;
+    opt->opt_private = NULL;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_opt_alloc(krb5_context context, 
+			      krb5_get_init_creds_opt **opt)
+{
+    krb5_get_init_creds_opt *o;
+    
+    *opt = NULL;
+    o = calloc(1, sizeof(*o));
+    if (o == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    krb5_get_init_creds_opt_init(o);
+    o->opt_private = calloc(1, sizeof(*o->opt_private));
+    if (o->opt_private == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	free(o);
+	return ENOMEM;
+    }
+    o->opt_private->refcount = 1;
+    *opt = o;
+    return 0;
+}
+
+krb5_error_code
+_krb5_get_init_creds_opt_copy(krb5_context context, 
+			      const krb5_get_init_creds_opt *in,
+			      krb5_get_init_creds_opt **out)
+{
+    krb5_get_init_creds_opt *opt;
+
+    *out = NULL;
+    opt = calloc(1, sizeof(*opt));
+    if (opt == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    if (in)
+	*opt = *in;
+    if(opt->opt_private == NULL) {
+	opt->opt_private = calloc(1, sizeof(*opt->opt_private));
+	if (opt->opt_private == NULL) {
+	    krb5_set_error_string(context, "out of memory");
+	    free(opt);
+	    return ENOMEM;
+	}
+	opt->opt_private->refcount = 1;
+    } else
+	opt->opt_private->refcount++;
+    *out = opt;
+    return 0;
+}
+
+void KRB5_LIB_FUNCTION
+_krb5_get_init_creds_opt_free_krb5_error(krb5_get_init_creds_opt *opt)
+{
+    if (opt->opt_private == NULL || opt->opt_private->error == NULL)
+	return;
+    free_KRB_ERROR(opt->opt_private->error);
+    free(opt->opt_private->error);
+    opt->opt_private->error = NULL;
+}
+
+void KRB5_LIB_FUNCTION
+_krb5_get_init_creds_opt_set_krb5_error(krb5_context context,
+					krb5_get_init_creds_opt *opt, 
+					const KRB_ERROR *error)
+{
+    krb5_error_code ret;
+
+    if (opt->opt_private == NULL)
+	return;
+
+    _krb5_get_init_creds_opt_free_krb5_error(opt);
+
+    opt->opt_private->error = malloc(sizeof(*opt->opt_private->error));
+    if (opt->opt_private->error == NULL)
+	return;
+    ret = copy_KRB_ERROR(error, opt->opt_private->error);
+    if (ret) {
+	free(opt->opt_private->error);
+	opt->opt_private->error = NULL;
+    }	
+}
+
+
+void KRB5_LIB_FUNCTION
+krb5_get_init_creds_opt_free(krb5_context context,
+			     krb5_get_init_creds_opt *opt)
+{
+    if (opt == NULL || opt->opt_private == NULL)
+	return;
+    if (opt->opt_private->refcount < 1) /* abort ? */
+	return;
+    if (--opt->opt_private->refcount == 0) {
+	_krb5_get_init_creds_opt_free_krb5_error(opt);
+	_krb5_get_init_creds_opt_free_pkinit(opt);
+	free(opt->opt_private);
+    }
+    memset(opt, 0, sizeof(*opt));
+    free(opt);
 }
 
 static int
@@ -91,11 +195,9 @@ get_config_bool (krb5_context context,
  * [realms] or [libdefaults] for some of the values.
  */
 
-static krb5_addresses no_addrs = {0, NULL};
-
-void
+void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_set_default_flags(krb5_context context,
-					  const char *appname, 
+					  const char *appname,
 					  krb5_const_realm realm,
 					  krb5_get_init_creds_opt *opt)
 {
@@ -115,22 +217,22 @@ krb5_get_init_creds_opt_set_default_flags(krb5_context context,
 	t = get_config_time (context, realm, "ticket_lifetime", 0);
     if(t != 0)
 	krb5_get_init_creds_opt_set_tkt_life(opt, t);
-    
+
     krb5_appdefault_time(context, appname, realm, "renew_lifetime", 0, &t);
     if (t == 0)
 	t = get_config_time (context, realm, "renew_lifetime", 0);
     if(t != 0)
 	krb5_get_init_creds_opt_set_renew_life(opt, t);
 
-    krb5_appdefault_boolean(context, appname, realm, "no-addresses", FALSE, &b);
-    if (b)
-	krb5_get_init_creds_opt_set_address_list (opt, &no_addrs);
+    krb5_appdefault_boolean(context, appname, realm, "no-addresses", 
+			    KRB5_ADDRESSLESS_DEFAULT, &b);
+    krb5_get_init_creds_opt_set_addressless (context, opt, b);
 
 #if 0
     krb5_appdefault_boolean(context, appname, realm, "anonymous", FALSE, &b);
     krb5_get_init_creds_opt_set_anonymous (opt, b);
 
-    krb5_get_init_creds_opt_set_etype_list(opt, enctype, 
+    krb5_get_init_creds_opt_set_etype_list(opt, enctype,
 					   etype_str.num_strings);
 
     krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt,
@@ -143,7 +245,7 @@ krb5_get_init_creds_opt_set_default_flags(krb5_context context,
 }
 
 
-void
+void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt,
 				     krb5_deltat tkt_life)
 {
@@ -151,7 +253,7 @@ krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt,
     opt->tkt_life = tkt_life;
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt,
 				       krb5_deltat renew_life)
 {
@@ -159,7 +261,7 @@ krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt,
     opt->renew_life = renew_life;
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt,
 					int forwardable)
 {
@@ -167,7 +269,7 @@ krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt,
     opt->forwardable = forwardable;
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt,
 				      int proxiable)
 {
@@ -175,7 +277,7 @@ krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt,
     opt->proxiable = proxiable;
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt,
 				       krb5_enctype *etype_list,
 				       int etype_list_length)
@@ -185,7 +287,7 @@ krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt,
     opt->etype_list_length = etype_list_length;
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt,
 					 krb5_addresses *addresses)
 {
@@ -193,7 +295,7 @@ krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt,
     opt->address_list = addresses;
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt,
 					 krb5_preauthtype *preauth_list,
 					 int preauth_list_length)
@@ -203,7 +305,7 @@ krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt,
     opt->preauth_list = preauth_list;
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt,
 				 krb5_data *salt)
 {
@@ -211,10 +313,130 @@ krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt,
     opt->salt = salt;
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt *opt,
 				      int anonymous)
 {
     opt->flags |= KRB5_GET_INIT_CREDS_OPT_ANONYMOUS;
     opt->anonymous = anonymous;
 }
+
+static krb5_error_code
+require_ext_opt(krb5_context context,
+		krb5_get_init_creds_opt *opt,
+		const char *type)
+{
+    if (opt->opt_private == NULL) {
+	krb5_set_error_string(context, "%s on non extendable opt", type);
+	return EINVAL;
+    }
+    return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_opt_set_pa_password(krb5_context context,
+					krb5_get_init_creds_opt *opt,
+					const char *password,
+					krb5_s2k_proc key_proc)
+{
+    krb5_error_code ret;
+    ret = require_ext_opt(context, opt, "init_creds_opt_set_pa_password");
+    if (ret)
+	return ret;
+    opt->opt_private->password = password;
+    opt->opt_private->key_proc = key_proc;
+    return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_opt_set_pac_request(krb5_context context,
+					krb5_get_init_creds_opt *opt,
+					krb5_boolean req_pac)
+{
+    krb5_error_code ret;
+    ret = require_ext_opt(context, opt, "init_creds_opt_set_pac_req");
+    if (ret)
+	return ret;
+    opt->opt_private->req_pac = req_pac ?
+	KRB5_INIT_CREDS_TRISTATE_TRUE :
+	KRB5_INIT_CREDS_TRISTATE_FALSE;
+    return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_opt_get_error(krb5_context context,
+				  krb5_get_init_creds_opt *opt,
+				  KRB_ERROR **error)
+{
+    krb5_error_code ret;
+
+    *error = NULL;
+
+    ret = require_ext_opt(context, opt, "init_creds_opt_get_error");
+    if (ret)
+	return ret;
+
+    if (opt->opt_private->error == NULL)
+	return 0;
+
+    *error = malloc(sizeof(**error));
+    if (*error == NULL) {
+	krb5_set_error_string(context, "malloc - out memory");
+	return ENOMEM;
+    }
+
+    ret = copy_KRB_ERROR(opt->opt_private->error, *error);
+    if (ret)
+	krb5_clear_error_string(context);
+
+    return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_opt_set_addressless(krb5_context context,
+					krb5_get_init_creds_opt *opt,
+					krb5_boolean addressless)
+{
+    krb5_error_code ret;
+    ret = require_ext_opt(context, opt, "init_creds_opt_set_pac_req");
+    if (ret)
+	return ret;
+    if (addressless)
+	opt->opt_private->addressless = KRB5_INIT_CREDS_TRISTATE_TRUE;
+    else
+	opt->opt_private->addressless = KRB5_INIT_CREDS_TRISTATE_FALSE;
+    return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_opt_set_canonicalize(krb5_context context,
+					 krb5_get_init_creds_opt *opt,
+					 krb5_boolean req)
+{
+    krb5_error_code ret;
+    ret = require_ext_opt(context, opt, "init_creds_opt_set_canonicalize");
+    if (ret)
+	return ret;
+    if (req)
+	opt->opt_private->flags |= KRB5_INIT_CREDS_CANONICALIZE;
+    else
+	opt->opt_private->flags &= ~KRB5_INIT_CREDS_CANONICALIZE;
+    return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_opt_set_win2k(krb5_context context,
+				  krb5_get_init_creds_opt *opt,
+				  krb5_boolean req)
+{
+    krb5_error_code ret;
+    ret = require_ext_opt(context, opt, "init_creds_opt_set_win2k");
+    if (ret)
+	return ret;
+    if (req)
+	opt->opt_private->flags |= KRB5_INIT_CREDS_NO_C_CANON_CHECK;
+    else
+	opt->opt_private->flags &= ~KRB5_INIT_CREDS_NO_C_CANON_CHECK;
+    return 0;
+}
+
diff --git a/crypto/heimdal/lib/krb5/init_creds_pw.c b/crypto/heimdal/lib/krb5/init_creds_pw.c
index e54e7c4..441adff 100644
--- a/crypto/heimdal/lib/krb5/init_creds_pw.c
+++ b/crypto/heimdal/lib/krb5/init_creds_pw.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,70 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: init_creds_pw.c,v 1.55.2.1 2004/08/30 23:21:07 lha Exp $");
+RCSID("$Id: init_creds_pw.c 21931 2007-08-27 14:11:55Z lha $");
+
+typedef struct krb5_get_init_creds_ctx {
+    KDCOptions flags;
+    krb5_creds cred;
+    krb5_addresses *addrs;
+    krb5_enctype *etypes;
+    krb5_preauthtype *pre_auth_types;
+    const char *in_tkt_service;
+    unsigned nonce;
+    unsigned pk_nonce;
+
+    krb5_data req_buffer;
+    AS_REQ as_req;
+    int pa_counter;
+
+    const char *password;
+    krb5_s2k_proc key_proc;
+
+    krb5_get_init_creds_tristate req_pac;
+
+    krb5_pk_init_ctx pk_init_ctx;
+    int ic_flags;
+} krb5_get_init_creds_ctx;
+
+static krb5_error_code
+default_s2k_func(krb5_context context, krb5_enctype type, 
+		 krb5_const_pointer keyseed,
+		 krb5_salt salt, krb5_data *s2kparms,
+		 krb5_keyblock **key)
+{
+    krb5_error_code ret;
+    krb5_data password;
+    krb5_data opaque;
+
+    password.data = rk_UNCONST(keyseed);
+    password.length = strlen(keyseed);
+    if (s2kparms)
+	opaque = *s2kparms;
+    else
+	krb5_data_zero(&opaque);
+	
+    *key = malloc(sizeof(**key));
+    if (*key == NULL)
+	return ENOMEM;
+    ret = krb5_string_to_key_data_salt_opaque(context, type, password,
+					      salt, opaque, *key);
+    if (ret) {
+	free(*key);
+	*key = NULL;
+    }
+    return ret;
+}
+
+static void
+free_init_creds_ctx(krb5_context context, krb5_get_init_creds_ctx *ctx)
+{
+    if (ctx->etypes)
+	free(ctx->etypes);
+    if (ctx->pre_auth_types)
+	free (ctx->pre_auth_types);
+    free_AS_REQ(&ctx->as_req);
+    memset(&ctx->as_req, 0, sizeof(ctx->as_req));
+}
 
 static int
 get_config_time (krb5_context context,
@@ -68,7 +131,7 @@ init_cred (krb5_context context,
 	   krb5_get_init_creds_opt *options)
 {
     krb5_error_code ret;
-    krb5_realm *client_realm;
+    krb5_const_realm client_realm;
     int tmp;
     krb5_timestamp now;
 
@@ -85,7 +148,7 @@ init_cred (krb5_context context,
 	    goto out;
     }
 
-    client_realm = krb5_princ_realm (context, cred->client);
+    client_realm = krb5_principal_get_realm (context, cred->client);
 
     if (start_time)
 	cred->times.starttime  = now + start_time;
@@ -107,12 +170,12 @@ init_cred (krb5_context context,
 	ret = krb5_parse_name (context, in_tkt_service, &cred->server);
 	if (ret)
 	    goto out;
-	server_realm = strdup (*client_realm);
+	server_realm = strdup (client_realm);
 	free (*krb5_princ_realm(context, cred->server));
 	krb5_princ_set_realm (context, cred->server, &server_realm);
     } else {
 	ret = krb5_make_principal(context, &cred->server, 
-				  *client_realm, KRB5_TGS_NAME, *client_realm,
+				  client_realm, KRB5_TGS_NAME, client_realm,
 				  NULL);
 	if (ret)
 	    goto out;
@@ -120,7 +183,7 @@ init_cred (krb5_context context,
     return 0;
 
 out:
-    krb5_free_creds_contents (context, cred);
+    krb5_free_cred_contents (context, cred);
     return ret;
 }
 
@@ -133,11 +196,11 @@ report_expiration (krb5_context context,
 		   krb5_prompter_fct prompter,
 		   krb5_data *data,
 		   const char *str,
-		   time_t time)
+		   time_t now)
 {
     char *p;
 	    
-    asprintf (&p, "%s%s", str, ctime(&time));
+    asprintf (&p, "%s%s", str, ctime(&now));
     (*prompter) (context, data, NULL, p, 0, NULL);
     free (p);
 }
@@ -148,7 +211,7 @@ report_expiration (krb5_context context,
 
 static void
 print_expire (krb5_context context,
-	      krb5_realm *realm,
+	      krb5_const_realm realm,
 	      krb5_kdc_rep *rep,
 	      krb5_prompter_fct prompter,
 	      krb5_data *data)
@@ -162,7 +225,7 @@ print_expire (krb5_context context,
     krb5_timeofday (context, &sec);
 
     t = sec + get_config_time (context,
-			       *realm,
+			       realm,
 			       "warn_pwexpire",
 			       7 * 24 * 60 * 60);
 
@@ -194,75 +257,113 @@ print_expire (krb5_context context,
     }
 }
 
+static krb5_addresses no_addrs = { 0, NULL };
+
 static krb5_error_code
 get_init_creds_common(krb5_context context,
-		      krb5_creds *creds,
 		      krb5_principal client,
 		      krb5_deltat start_time,
 		      const char *in_tkt_service,
 		      krb5_get_init_creds_opt *options,
-		      krb5_addresses **addrs,
-		      krb5_enctype **etypes,
-		      krb5_creds *cred,
-		      krb5_preauthtype **pre_auth_types,
-		      krb5_kdc_flags *flags)
+		      krb5_get_init_creds_ctx *ctx)
 {
-    krb5_error_code ret;
-    krb5_realm *client_realm;
     krb5_get_init_creds_opt default_opt;
+    krb5_error_code ret;
+    krb5_enctype *etypes;
+    krb5_preauthtype *pre_auth_types;
+
+    memset(ctx, 0, sizeof(*ctx));
 
     if (options == NULL) {
 	krb5_get_init_creds_opt_init (&default_opt);
 	options = &default_opt;
+    } else {
+	_krb5_get_init_creds_opt_free_krb5_error(options);
     }
 
-    ret = init_cred (context, cred, client, start_time,
+    if (options->opt_private) {
+	ctx->password = options->opt_private->password;
+	ctx->key_proc = options->opt_private->key_proc;
+	ctx->req_pac = options->opt_private->req_pac;
+	ctx->pk_init_ctx = options->opt_private->pk_init_ctx;
+	ctx->ic_flags = options->opt_private->flags;
+    } else
+	ctx->req_pac = KRB5_INIT_CREDS_TRISTATE_UNSET;
+
+    if (ctx->key_proc == NULL)
+	ctx->key_proc = default_s2k_func;
+
+    if (ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE)
+	ctx->flags.canonicalize = 1;
+
+    ctx->pre_auth_types = NULL;
+    ctx->addrs = NULL;
+    ctx->etypes = NULL;
+    ctx->pre_auth_types = NULL;
+    ctx->in_tkt_service = in_tkt_service;
+
+    ret = init_cred (context, &ctx->cred, client, start_time,
 		     in_tkt_service, options);
     if (ret)
 	return ret;
 
-    client_realm = krb5_princ_realm (context, cred->client);
-
-    flags->i = 0;
-
     if (options->flags & KRB5_GET_INIT_CREDS_OPT_FORWARDABLE)
-	flags->b.forwardable = options->forwardable;
+	ctx->flags.forwardable = options->forwardable;
 
     if (options->flags & KRB5_GET_INIT_CREDS_OPT_PROXIABLE)
-	flags->b.proxiable = options->proxiable;
+	ctx->flags.proxiable = options->proxiable;
 
     if (start_time)
-	flags->b.postdated = 1;
-    if (cred->times.renew_till)
-	flags->b.renewable = 1;
-    if (options->flags & KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST)
-	*addrs = options->address_list;
+	ctx->flags.postdated = 1;
+    if (ctx->cred.times.renew_till)
+	ctx->flags.renewable = 1;
+    if (options->flags & KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST) {
+	ctx->addrs = options->address_list;
+    } else if (options->opt_private) {
+	switch (options->opt_private->addressless) {
+	case KRB5_INIT_CREDS_TRISTATE_UNSET:
+#if KRB5_ADDRESSLESS_DEFAULT == TRUE
+	    ctx->addrs = &no_addrs;
+#else
+	    ctx->addrs = NULL;
+#endif
+	    break;
+	case KRB5_INIT_CREDS_TRISTATE_FALSE:
+	    ctx->addrs = NULL;
+	    break;
+	case KRB5_INIT_CREDS_TRISTATE_TRUE:
+	    ctx->addrs = &no_addrs;
+	    break;
+	}
+    }
     if (options->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST) {
-	*etypes = malloc((options->etype_list_length + 1)
+	etypes = malloc((options->etype_list_length + 1)
 			* sizeof(krb5_enctype));
-	if (*etypes == NULL) {
+	if (etypes == NULL) {
 	    krb5_set_error_string(context, "malloc: out of memory");
 	    return ENOMEM;
 	}
-	memcpy (*etypes, options->etype_list,
+	memcpy (etypes, options->etype_list,
 		options->etype_list_length * sizeof(krb5_enctype));
-	(*etypes)[options->etype_list_length] = ETYPE_NULL;
+	etypes[options->etype_list_length] = ETYPE_NULL;
+	ctx->etypes = etypes;
     }
     if (options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST) {
-	*pre_auth_types = malloc((options->preauth_list_length + 1)
-				 * sizeof(krb5_preauthtype));
-	if (*pre_auth_types == NULL) {
+	pre_auth_types = malloc((options->preauth_list_length + 1)
+				* sizeof(krb5_preauthtype));
+	if (pre_auth_types == NULL) {
 	    krb5_set_error_string(context, "malloc: out of memory");
 	    return ENOMEM;
 	}
-	memcpy (*pre_auth_types, options->preauth_list,
+	memcpy (pre_auth_types, options->preauth_list,
 		options->preauth_list_length * sizeof(krb5_preauthtype));
-	(*pre_auth_types)[options->preauth_list_length] = KRB5_PADATA_NONE;
+	pre_auth_types[options->preauth_list_length] = KRB5_PADATA_NONE;
+	ctx->pre_auth_types = pre_auth_types;
     }
     if (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT)
 	;			/* XXX */
     if (options->flags & KRB5_GET_INIT_CREDS_OPT_ANONYMOUS)
-	flags->b.request_anonymous = options->anonymous;
+	ctx->flags.request_anonymous = options->anonymous;
     return 0;
 }
 
@@ -293,7 +394,7 @@ change_password (krb5_context context,
     krb5_get_init_creds_opt_set_tkt_life (&options, 60);
     krb5_get_init_creds_opt_set_forwardable (&options, FALSE);
     krb5_get_init_creds_opt_set_proxiable (&options, FALSE);
-    if (old_options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST)
+    if (old_options && old_options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST)
 	krb5_get_init_creds_opt_set_preauth_list (&options,
 						  old_options->preauth_list,
 						  old_options->preauth_list_length);					      
@@ -355,7 +456,7 @@ change_password (krb5_context context,
     asprintf (&p, "%s: %.*s\n",
 	      result_code ? "Error" : "Success",
 	      (int)result_string.length,
-	      (char*)result_string.data);
+	      result_string.length > 0 ? (char*)result_string.data : "");
 
     ret = (*prompter) (context, data, NULL, p, 0, NULL);
     free (p);
@@ -372,81 +473,1012 @@ out:
     memset (buf2, 0, sizeof(buf2));
     krb5_data_free (&result_string);
     krb5_data_free (&result_code_string);
-    krb5_free_creds_contents (context, &cpw_cred);
+    krb5_free_cred_contents (context, &cpw_cred);
     return ret;
 }
 
-krb5_error_code
-krb5_get_init_creds_password(krb5_context context,
-			     krb5_creds *creds,
-			     krb5_principal client,
-			     const char *password,
-			     krb5_prompter_fct prompter,
-			     void *data,
-			     krb5_deltat start_time,
-			     const char *in_tkt_service,
-			     krb5_get_init_creds_opt *options)
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_keyblock_key_proc (krb5_context context,
+			krb5_keytype type,
+			krb5_data *salt,
+			krb5_const_pointer keyseed,
+			krb5_keyblock **key)
 {
+    return krb5_copy_keyblock (context, keyseed, key);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_keytab(krb5_context context,
+			   krb5_creds *creds,
+			   krb5_principal client,
+			   krb5_keytab keytab,
+			   krb5_deltat start_time,
+			   const char *in_tkt_service,
+			   krb5_get_init_creds_opt *options)
+{
+    krb5_get_init_creds_ctx ctx;
     krb5_error_code ret;
-    krb5_kdc_flags flags;
-    krb5_addresses *addrs = NULL;
-    krb5_enctype *etypes = NULL;
-    krb5_preauthtype *pre_auth_types = NULL;
-    krb5_creds this_cred;
-    krb5_kdc_rep kdc_reply;
-    char buf[BUFSIZ];
-    krb5_data password_data;
-    int done;
+    krb5_keytab_key_proc_args *a;
+    
+    ret = get_init_creds_common(context, client, start_time,
+				in_tkt_service, options, &ctx);
+    if (ret)
+	goto out;
 
-    memset(&kdc_reply, 0, sizeof(kdc_reply));
+    a = malloc (sizeof(*a));
+    if (a == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	ret = ENOMEM;
+	goto out;
+    }
+    a->principal = ctx.cred.client;
+    a->keytab    = keytab;
+
+    ret = krb5_get_in_cred (context,
+			    KDCOptions2int(ctx.flags),
+			    ctx.addrs,
+			    ctx.etypes,
+			    ctx.pre_auth_types,
+			    NULL,
+			    krb5_keytab_key_proc,
+			    a,
+			    NULL,
+			    NULL,
+			    &ctx.cred,
+			    NULL);
+    free (a);
+
+    if (ret == 0 && creds)
+	*creds = ctx.cred;
+    else
+	krb5_free_cred_contents (context, &ctx.cred);
+
+ out:
+    free_init_creds_ctx(context, &ctx);
+    return ret;
+}
+
+/*
+ *
+ */
+
+static krb5_error_code
+init_creds_init_as_req (krb5_context context,
+			KDCOptions opts,
+			const krb5_creds *creds,
+			const krb5_addresses *addrs,
+			const krb5_enctype *etypes,
+			AS_REQ *a)
+{
+    krb5_error_code ret;
+
+    memset(a, 0, sizeof(*a));
+
+    a->pvno = 5;
+    a->msg_type = krb_as_req;
+    a->req_body.kdc_options = opts;
+    a->req_body.cname = malloc(sizeof(*a->req_body.cname));
+    if (a->req_body.cname == NULL) {
+	ret = ENOMEM;
+	krb5_set_error_string(context, "malloc: out of memory");
+	goto fail;
+    }
+    a->req_body.sname = malloc(sizeof(*a->req_body.sname));
+    if (a->req_body.sname == NULL) {
+	ret = ENOMEM;
+	krb5_set_error_string(context, "malloc: out of memory");
+	goto fail;
+    }
+
+    ret = _krb5_principal2principalname (a->req_body.cname, creds->client);
+    if (ret)
+	goto fail;
+    ret = copy_Realm(&creds->client->realm, &a->req_body.realm);
+    if (ret)
+	goto fail;
+
+    ret = _krb5_principal2principalname (a->req_body.sname, creds->server);
+    if (ret)
+	goto fail;
+
+    if(creds->times.starttime) {
+	a->req_body.from = malloc(sizeof(*a->req_body.from));
+	if (a->req_body.from == NULL) {
+	    ret = ENOMEM;
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    goto fail;
+	}
+	*a->req_body.from = creds->times.starttime;
+    }
+    if(creds->times.endtime){
+	ALLOC(a->req_body.till, 1);
+	*a->req_body.till = creds->times.endtime;
+    }
+    if(creds->times.renew_till){
+	a->req_body.rtime = malloc(sizeof(*a->req_body.rtime));
+	if (a->req_body.rtime == NULL) {
+	    ret = ENOMEM;
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    goto fail;
+	}
+	*a->req_body.rtime = creds->times.renew_till;
+    }
+    a->req_body.nonce = 0;
+    ret = krb5_init_etype (context,
+			   &a->req_body.etype.len,
+			   &a->req_body.etype.val,
+			   etypes);
+    if (ret)
+	goto fail;
 
-    ret = get_init_creds_common(context, creds, client, start_time,
-				in_tkt_service, options,
-				&addrs, &etypes, &this_cred, &pre_auth_types,
-				&flags);
-    if(ret)
+    /*
+     * This means no addresses
+     */
+
+    if (addrs && addrs->len == 0) {
+	a->req_body.addresses = NULL;
+    } else {
+	a->req_body.addresses = malloc(sizeof(*a->req_body.addresses));
+	if (a->req_body.addresses == NULL) {
+	    ret = ENOMEM;
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    goto fail;
+	}
+
+	if (addrs)
+	    ret = krb5_copy_addresses(context, addrs, a->req_body.addresses);
+	else {
+	    ret = krb5_get_all_client_addrs (context, a->req_body.addresses);
+	    if(ret == 0 && a->req_body.addresses->len == 0) {
+		free(a->req_body.addresses);
+		a->req_body.addresses = NULL;
+	    }
+	}
+	if (ret)
+	    goto fail;
+    }
+
+    a->req_body.enc_authorization_data = NULL;
+    a->req_body.additional_tickets = NULL;
+
+    a->padata = NULL;
+
+    return 0;
+ fail:
+    free_AS_REQ(a);
+    memset(a, 0, sizeof(*a));
+    return ret;
+}
+
+struct pa_info_data {
+    krb5_enctype etype;
+    krb5_salt salt;
+    krb5_data *s2kparams;
+};
+
+static void
+free_paid(krb5_context context, struct pa_info_data *ppaid)
+{
+    krb5_free_salt(context, ppaid->salt);
+    if (ppaid->s2kparams)
+	krb5_free_data(context, ppaid->s2kparams);
+}
+
+
+static krb5_error_code
+set_paid(struct pa_info_data *paid, krb5_context context,
+	 krb5_enctype etype,
+	 krb5_salttype salttype, void *salt_string, size_t salt_len,
+	 krb5_data *s2kparams)
+{
+    paid->etype = etype;
+    paid->salt.salttype = salttype;
+    paid->salt.saltvalue.data = malloc(salt_len + 1);
+    if (paid->salt.saltvalue.data == NULL) {
+	krb5_clear_error_string(context);
+	return ENOMEM;
+    }
+    memcpy(paid->salt.saltvalue.data, salt_string, salt_len);
+    ((char *)paid->salt.saltvalue.data)[salt_len] = '\0';
+    paid->salt.saltvalue.length = salt_len;
+    if (s2kparams) {
+	krb5_error_code ret;
+
+	ret = krb5_copy_data(context, s2kparams, &paid->s2kparams);
+	if (ret) {
+	    krb5_clear_error_string(context);
+	    krb5_free_salt(context, paid->salt);
+	    return ret;
+	}
+    } else
+	paid->s2kparams = NULL;
+
+    return 0;
+}
+
+static struct pa_info_data *
+pa_etype_info2(krb5_context context,
+	       const krb5_principal client, 
+	       const AS_REQ *asreq,
+	       struct pa_info_data *paid, 
+	       heim_octet_string *data)
+{
+    krb5_error_code ret;
+    ETYPE_INFO2 e;
+    size_t sz;
+    int i, j;
+
+    memset(&e, 0, sizeof(e));
+    ret = decode_ETYPE_INFO2(data->data, data->length, &e, &sz);
+    if (ret)
 	goto out;
+    if (e.len == 0)
+	goto out;
+    for (j = 0; j < asreq->req_body.etype.len; j++) {
+	for (i = 0; i < e.len; i++) {
+	    if (asreq->req_body.etype.val[j] == e.val[i].etype) {
+		krb5_salt salt;
+		if (e.val[i].salt == NULL)
+		    ret = krb5_get_pw_salt(context, client, &salt);
+		else {
+		    salt.saltvalue.data = *e.val[i].salt;
+		    salt.saltvalue.length = strlen(*e.val[i].salt);
+		    ret = 0;
+		}
+		if (ret == 0)
+		    ret = set_paid(paid, context, e.val[i].etype,
+				   KRB5_PW_SALT,
+				   salt.saltvalue.data, 
+				   salt.saltvalue.length,
+				   e.val[i].s2kparams);
+		if (e.val[i].salt == NULL)
+		    krb5_free_salt(context, salt);
+		if (ret == 0) {
+		    free_ETYPE_INFO2(&e);
+		    return paid;
+		}
+	    }
+	}
+    }
+ out:
+    free_ETYPE_INFO2(&e);
+    return NULL;
+}
 
-    if (password == NULL) {
-	krb5_prompt prompt;
-	char *p, *q;
+static struct pa_info_data *
+pa_etype_info(krb5_context context,
+	      const krb5_principal client, 
+	      const AS_REQ *asreq,
+	      struct pa_info_data *paid,
+	      heim_octet_string *data)
+{
+    krb5_error_code ret;
+    ETYPE_INFO e;
+    size_t sz;
+    int i, j;
 
-	krb5_unparse_name (context, this_cred.client, &p);
-	asprintf (&q, "%s's Password: ", p);
-	free (p);
-	prompt.prompt = q;
-	password_data.data   = buf;
-	password_data.length = sizeof(buf);
-	prompt.hidden = 1;
-	prompt.reply  = &password_data;
-	prompt.type   = KRB5_PROMPT_TYPE_PASSWORD;
+    memset(&e, 0, sizeof(e));
+    ret = decode_ETYPE_INFO(data->data, data->length, &e, &sz);
+    if (ret)
+	goto out;
+    if (e.len == 0)
+	goto out;
+    for (j = 0; j < asreq->req_body.etype.len; j++) {
+	for (i = 0; i < e.len; i++) {
+	    if (asreq->req_body.etype.val[j] == e.val[i].etype) {
+		krb5_salt salt;
+		salt.salttype = KRB5_PW_SALT;
+		if (e.val[i].salt == NULL)
+		    ret = krb5_get_pw_salt(context, client, &salt);
+		else {
+		    salt.saltvalue = *e.val[i].salt;
+		    ret = 0;
+		}
+		if (e.val[i].salttype)
+		    salt.salttype = *e.val[i].salttype;
+		if (ret == 0) {
+		    ret = set_paid(paid, context, e.val[i].etype,
+				   salt.salttype,
+				   salt.saltvalue.data, 
+				   salt.saltvalue.length,
+				   NULL);
+		    if (e.val[i].salt == NULL)
+			krb5_free_salt(context, salt);
+		}
+		if (ret == 0) {
+		    free_ETYPE_INFO(&e);
+		    return paid;
+		}
+	    }
+	}
+    }
+ out:
+    free_ETYPE_INFO(&e);
+    return NULL;
+}
 
-	ret = (*prompter) (context, data, NULL, NULL, 1, &prompt);
-	free (q);
+static struct pa_info_data *
+pa_pw_or_afs3_salt(krb5_context context,
+		   const krb5_principal client, 
+		   const AS_REQ *asreq,
+		   struct pa_info_data *paid,
+		   heim_octet_string *data)
+{
+    krb5_error_code ret;
+    if (paid->etype == ENCTYPE_NULL)
+	return NULL;
+    ret = set_paid(paid, context, 
+		   paid->etype,
+		   paid->salt.salttype,
+		   data->data, 
+		   data->length,
+		   NULL);
+    if (ret)
+	return NULL;
+    return paid;
+}
+
+
+struct pa_info {
+    krb5_preauthtype type;
+    struct pa_info_data *(*salt_info)(krb5_context,
+				      const krb5_principal, 
+				      const AS_REQ *,
+				      struct pa_info_data *, 
+				      heim_octet_string *);
+};
+
+static struct pa_info pa_prefs[] = {
+    { KRB5_PADATA_ETYPE_INFO2, pa_etype_info2 },
+    { KRB5_PADATA_ETYPE_INFO, pa_etype_info },
+    { KRB5_PADATA_PW_SALT, pa_pw_or_afs3_salt },
+    { KRB5_PADATA_AFS3_SALT, pa_pw_or_afs3_salt }
+};
+    
+static PA_DATA *
+find_pa_data(const METHOD_DATA *md, int type)
+{
+    int i;
+    if (md == NULL)
+	return NULL;
+    for (i = 0; i < md->len; i++)
+	if (md->val[i].padata_type == type)
+	    return &md->val[i];
+    return NULL;
+}
+
+static struct pa_info_data *
+process_pa_info(krb5_context context, 
+		const krb5_principal client, 
+		const AS_REQ *asreq,
+		struct pa_info_data *paid,
+		METHOD_DATA *md)
+{
+    struct pa_info_data *p = NULL;
+    int i;
+
+    for (i = 0; p == NULL && i < sizeof(pa_prefs)/sizeof(pa_prefs[0]); i++) {
+	PA_DATA *pa = find_pa_data(md, pa_prefs[i].type);
+	if (pa == NULL)
+	    continue;
+	paid->salt.salttype = pa_prefs[i].type;
+	p = (*pa_prefs[i].salt_info)(context, client, asreq,
+				     paid, &pa->padata_value);
+    }
+    return p;
+}
+
+static krb5_error_code
+make_pa_enc_timestamp(krb5_context context, METHOD_DATA *md, 
+		      krb5_enctype etype, krb5_keyblock *key)
+{
+    PA_ENC_TS_ENC p;
+    unsigned char *buf;
+    size_t buf_size;
+    size_t len;
+    EncryptedData encdata;
+    krb5_error_code ret;
+    int32_t usec;
+    int usec2;
+    krb5_crypto crypto;
+    
+    krb5_us_timeofday (context, &p.patimestamp, &usec);
+    usec2         = usec;
+    p.pausec      = &usec2;
+
+    ASN1_MALLOC_ENCODE(PA_ENC_TS_ENC, buf, buf_size, &p, &len, ret);
+    if (ret)
+	return ret;
+    if(buf_size != len)
+	krb5_abortx(context, "internal error in ASN.1 encoder");
+
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret) {
+	free(buf);
+	return ret;
+    }
+    ret = krb5_encrypt_EncryptedData(context, 
+				     crypto,
+				     KRB5_KU_PA_ENC_TIMESTAMP,
+				     buf,
+				     len,
+				     0,
+				     &encdata);
+    free(buf);
+    krb5_crypto_destroy(context, crypto);
+    if (ret)
+	return ret;
+		    
+    ASN1_MALLOC_ENCODE(EncryptedData, buf, buf_size, &encdata, &len, ret);
+    free_EncryptedData(&encdata);
+    if (ret)
+	return ret;
+    if(buf_size != len)
+	krb5_abortx(context, "internal error in ASN.1 encoder");
+
+    ret = krb5_padata_add(context, md, KRB5_PADATA_ENC_TIMESTAMP, buf, len);
+    if (ret)
+	free(buf);
+    return ret;
+}
+
+static krb5_error_code
+add_enc_ts_padata(krb5_context context,
+		  METHOD_DATA *md, 
+		  krb5_principal client,
+		  krb5_s2k_proc key_proc,
+		  krb5_const_pointer keyseed,
+		  krb5_enctype *enctypes,
+		  unsigned netypes,
+		  krb5_salt *salt,
+		  krb5_data *s2kparams)
+{
+    krb5_error_code ret;
+    krb5_salt salt2;
+    krb5_enctype *ep;
+    int i;
+    
+    if(salt == NULL) {
+	/* default to standard salt */
+	ret = krb5_get_pw_salt (context, client, &salt2);
+	salt = &salt2;
+    }
+    if (!enctypes) {
+	enctypes = context->etypes;
+	netypes = 0;
+	for (ep = enctypes; *ep != ETYPE_NULL; ep++)
+	    netypes++;
+    }
+
+    for (i = 0; i < netypes; ++i) {
+	krb5_keyblock *key;
+
+	ret = (*key_proc)(context, enctypes[i], keyseed,
+			  *salt, s2kparams, &key);
+	if (ret)
+	    continue;
+	ret = make_pa_enc_timestamp (context, md, enctypes[i], key);
+	krb5_free_keyblock (context, key);
+	if (ret)
+	    return ret;
+    }
+    if(salt == &salt2)
+	krb5_free_salt(context, salt2);
+    return 0;
+}
+
+static krb5_error_code
+pa_data_to_md_ts_enc(krb5_context context,
+		     const AS_REQ *a,
+		     const krb5_principal client,
+		     krb5_get_init_creds_ctx *ctx,
+		     struct pa_info_data *ppaid,
+		     METHOD_DATA *md)
+{
+    if (ctx->key_proc == NULL || ctx->password == NULL)
+	return 0;
+
+    if (ppaid) {
+	add_enc_ts_padata(context, md, client, 
+			  ctx->key_proc, ctx->password,
+			  &ppaid->etype, 1,
+			  &ppaid->salt, ppaid->s2kparams);
+    } else {
+	krb5_salt salt;
+	
+	/* make a v5 salted pa-data */
+	add_enc_ts_padata(context, md, client, 
+			  ctx->key_proc, ctx->password,
+			  a->req_body.etype.val, a->req_body.etype.len, 
+			  NULL, NULL);
+	
+	/* make a v4 salted pa-data */
+	salt.salttype = KRB5_PW_SALT;
+	krb5_data_zero(&salt.saltvalue);
+	add_enc_ts_padata(context, md, client, 
+			  ctx->key_proc, ctx->password, 
+			  a->req_body.etype.val, a->req_body.etype.len, 
+			  &salt, NULL);
+    }
+    return 0;
+}
+
+static krb5_error_code
+pa_data_to_key_plain(krb5_context context,
+		     const krb5_principal client,
+		     krb5_get_init_creds_ctx *ctx,
+		     krb5_salt salt,
+		     krb5_data *s2kparams,
+		     krb5_enctype etype,
+		     krb5_keyblock **key)
+{
+    krb5_error_code ret;
+
+    ret = (*ctx->key_proc)(context, etype, ctx->password,
+			   salt, s2kparams, key);
+    return ret;
+}
+
+
+static krb5_error_code
+pa_data_to_md_pkinit(krb5_context context,
+		     const AS_REQ *a,
+		     const krb5_principal client,
+		     krb5_get_init_creds_ctx *ctx,
+		     METHOD_DATA *md)
+{
+    if (ctx->pk_init_ctx == NULL)
+	return 0;
+#ifdef PKINIT
+    return _krb5_pk_mk_padata(context,
+			     ctx->pk_init_ctx,
+			     &a->req_body,
+			     ctx->pk_nonce,
+			     md);
+#else
+    krb5_set_error_string(context, "no support for PKINIT compiled in");
+    return EINVAL;
+#endif
+}
+
+static krb5_error_code
+pa_data_add_pac_request(krb5_context context,
+			krb5_get_init_creds_ctx *ctx,
+			METHOD_DATA *md)
+{
+    size_t len, length;
+    krb5_error_code ret;
+    PA_PAC_REQUEST req;
+    void *buf;
+    
+    switch (ctx->req_pac) {
+    case KRB5_INIT_CREDS_TRISTATE_UNSET:
+	return 0; /* don't bother */
+    case KRB5_INIT_CREDS_TRISTATE_TRUE:
+	req.include_pac = 1;
+	break;
+    case KRB5_INIT_CREDS_TRISTATE_FALSE:
+	req.include_pac = 0;
+    }	
+
+    ASN1_MALLOC_ENCODE(PA_PAC_REQUEST, buf, length, 
+		       &req, &len, ret);
+    if (ret)
+	return ret;
+    if(len != length)
+	krb5_abortx(context, "internal error in ASN.1 encoder");
+
+    ret = krb5_padata_add(context, md, KRB5_PADATA_PA_PAC_REQUEST, buf, len);
+    if (ret)
+	free(buf);
+
+    return 0;
+}
+
+/*
+ * Assumes caller always will free `out_md', even on error.
+ */
+
+static krb5_error_code
+process_pa_data_to_md(krb5_context context,
+		      const krb5_creds *creds,
+		      const AS_REQ *a,
+		      krb5_get_init_creds_ctx *ctx,
+		      METHOD_DATA *in_md,
+		      METHOD_DATA **out_md,
+		      krb5_prompter_fct prompter,
+		      void *prompter_data)
+{
+    krb5_error_code ret;
+
+    ALLOC(*out_md, 1);
+    if (*out_md == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    (*out_md)->len = 0;
+    (*out_md)->val = NULL;
+    
+    /*
+     * Make sure we don't sent both ENC-TS and PK-INIT pa data, no
+     * need to expose our password protecting our PKCS12 key.
+     */
+
+    if (ctx->pk_init_ctx) {
+
+	ret = pa_data_to_md_pkinit(context, a, creds->client, ctx, *out_md);
+	if (ret)
+	    return ret;
+
+    } else if (in_md->len != 0) {
+	struct pa_info_data paid, *ppaid;
+	
+	memset(&paid, 0, sizeof(paid));
+	
+	paid.etype = ENCTYPE_NULL;
+	ppaid = process_pa_info(context, creds->client, a, &paid, in_md);
+	
+	pa_data_to_md_ts_enc(context, a, creds->client, ctx, ppaid, *out_md);
+	if (ppaid)
+	    free_paid(context, ppaid);
+    }
+
+    pa_data_add_pac_request(context, ctx, *out_md);
+
+    if ((*out_md)->len == 0) {
+	free(*out_md);
+	*out_md = NULL;
+    }
+
+    return 0;
+}
+
+static krb5_error_code
+process_pa_data_to_key(krb5_context context,
+		       krb5_get_init_creds_ctx *ctx,
+		       krb5_creds *creds,
+		       AS_REQ *a,
+		       krb5_kdc_rep *rep,
+		       const krb5_krbhst_info *hi,
+		       krb5_keyblock **key)
+{
+    struct pa_info_data paid, *ppaid = NULL;
+    krb5_error_code ret;
+    krb5_enctype etype;
+    PA_DATA *pa;
+
+    memset(&paid, 0, sizeof(paid));
+
+    etype = rep->kdc_rep.enc_part.etype;
+
+    if (rep->kdc_rep.padata) {
+	paid.etype = etype;
+	ppaid = process_pa_info(context, creds->client, a, &paid, 
+				rep->kdc_rep.padata);
+    }
+    if (ppaid == NULL) {
+	ret = krb5_get_pw_salt (context, creds->client, &paid.salt);
+	if (ret)
+	    return ret;
+	paid.etype = etype;
+	paid.s2kparams = NULL;
+    }
+
+    pa = NULL;
+    if (rep->kdc_rep.padata) {
+	int idx = 0;
+	pa = krb5_find_padata(rep->kdc_rep.padata->val, 
+			      rep->kdc_rep.padata->len,
+			      KRB5_PADATA_PK_AS_REP,
+			      &idx);
+	if (pa == NULL) {
+	    idx = 0;
+	    pa = krb5_find_padata(rep->kdc_rep.padata->val, 
+				  rep->kdc_rep.padata->len,
+				  KRB5_PADATA_PK_AS_REP_19,
+				  &idx);
+	}
+    }
+    if (pa && ctx->pk_init_ctx) {
+#ifdef PKINIT
+	ret = _krb5_pk_rd_pa_reply(context,
+				   a->req_body.realm,
+				   ctx->pk_init_ctx,
+				   etype,
+				   hi,
+				   ctx->pk_nonce,
+				   &ctx->req_buffer,
+				   pa,
+				   key);
+#else
+	krb5_set_error_string(context, "no support for PKINIT compiled in");
+	ret = EINVAL;
+#endif
+    } else if (ctx->password)
+	ret = pa_data_to_key_plain(context, creds->client, ctx, 
+				   paid.salt, paid.s2kparams, etype, key);
+    else {
+	krb5_set_error_string(context, "No usable pa data type");
+	ret = EINVAL;
+    }
+
+    free_paid(context, &paid);
+    return ret;
+}
+
+static krb5_error_code
+init_cred_loop(krb5_context context,
+	       krb5_get_init_creds_opt *init_cred_opts,
+	       const krb5_prompter_fct prompter,
+	       void *prompter_data,
+	       krb5_get_init_creds_ctx *ctx,
+	       krb5_creds *creds,
+	       krb5_kdc_rep *ret_as_reply)
+{
+    krb5_error_code ret;
+    krb5_kdc_rep rep;
+    METHOD_DATA md;
+    krb5_data resp;
+    size_t len;
+    size_t size;
+    krb5_krbhst_info *hi = NULL;
+    krb5_sendto_ctx stctx = NULL;
+
+
+    memset(&md, 0, sizeof(md));
+    memset(&rep, 0, sizeof(rep));
+
+    _krb5_get_init_creds_opt_free_krb5_error(init_cred_opts);
+
+    if (ret_as_reply)
+	memset(ret_as_reply, 0, sizeof(*ret_as_reply));
+
+    ret = init_creds_init_as_req(context, ctx->flags, creds,
+				 ctx->addrs, ctx->etypes, &ctx->as_req);
+    if (ret)
+	return ret;
+
+    ret = krb5_sendto_ctx_alloc(context, &stctx);
+    if (ret)
+	goto out;
+    krb5_sendto_ctx_set_func(stctx, _krb5_kdc_retry, NULL);
+
+    /* Set a new nonce. */
+    krb5_generate_random_block (&ctx->nonce, sizeof(ctx->nonce));
+    ctx->nonce &= 0xffffffff;
+    /* XXX these just needs to be the same when using Windows PK-INIT */
+    ctx->pk_nonce = ctx->nonce;
+
+    /*
+     * Increase counter when we want other pre-auth types then
+     * KRB5_PA_ENC_TIMESTAMP.
+     */
+#define MAX_PA_COUNTER 3 
+
+    ctx->pa_counter = 0;
+    while (ctx->pa_counter < MAX_PA_COUNTER) {
+
+	ctx->pa_counter++;
+
+	if (ctx->as_req.padata) {
+	    free_METHOD_DATA(ctx->as_req.padata);
+	    free(ctx->as_req.padata);
+	    ctx->as_req.padata = NULL;
+	}
+
+	/* Set a new nonce. */
+	ctx->as_req.req_body.nonce = ctx->nonce;
+
+	/* fill_in_md_data */
+	ret = process_pa_data_to_md(context, creds, &ctx->as_req, ctx,
+				    &md, &ctx->as_req.padata,
+				    prompter, prompter_data);
+	if (ret)
+	    goto out;
+
+	krb5_data_free(&ctx->req_buffer);
+
+	ASN1_MALLOC_ENCODE(AS_REQ, 
+			   ctx->req_buffer.data, ctx->req_buffer.length, 
+			   &ctx->as_req, &len, ret);
+	if (ret)
+	    goto out;
+	if(len != ctx->req_buffer.length)
+	    krb5_abortx(context, "internal error in ASN.1 encoder");
+
+	ret = krb5_sendto_context (context, stctx, &ctx->req_buffer,
+				   creds->client->realm, &resp);
+    	if (ret)
+	    goto out;
+
+	memset (&rep, 0, sizeof(rep));
+	ret = decode_AS_REP(resp.data, resp.length, &rep.kdc_rep, &size);
+	if (ret == 0) {
+	    krb5_data_free(&resp);
+	    krb5_clear_error_string(context);
+	    break;
+	} else {
+	    /* let's try to parse it as a KRB-ERROR */
+	    KRB_ERROR error;
+
+	    ret = krb5_rd_error(context, &resp, &error);
+	    if(ret && resp.data && ((char*)resp.data)[0] == 4)
+		ret = KRB5KRB_AP_ERR_V4_REPLY;
+	    krb5_data_free(&resp);
+	    if (ret)
+		goto out;
+
+	    ret = krb5_error_from_rd_error(context, &error, creds);
+
+	    /*
+	     * If no preauth was set and KDC requires it, give it one
+	     * more try.
+	     */
+
+	    if (ret == KRB5KDC_ERR_PREAUTH_REQUIRED) {
+		free_METHOD_DATA(&md);
+		memset(&md, 0, sizeof(md));
+
+		if (error.e_data) {
+		    ret = decode_METHOD_DATA(error.e_data->data, 
+					     error.e_data->length, 
+					     &md, 
+					     NULL);
+		    if (ret)
+			krb5_set_error_string(context,
+					      "failed to decode METHOD DATA");
+		} else {
+		    /* XXX guess what the server want here add add md */
+		}
+		krb5_free_error_contents(context, &error);
+		if (ret)
+		    goto out;
+	    } else {
+		_krb5_get_init_creds_opt_set_krb5_error(context,
+							init_cred_opts,
+							&error);
+		if (ret_as_reply)
+		    rep.error = error;
+		else
+		    krb5_free_error_contents(context, &error);
+		goto out;
+	    }
+	}
+    }
+
+    {
+	krb5_keyblock *key = NULL;
+	unsigned flags = 0;
+
+	if (ctx->flags.request_anonymous)
+	    flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
+	if (ctx->flags.canonicalize) {
+	    flags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;
+	    flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
+	    flags |= EXTRACT_TICKET_MATCH_REALM;
+	}
+
+	ret = process_pa_data_to_key(context, ctx, creds, 
+				     &ctx->as_req, &rep, hi, &key);
+	if (ret)
+	    goto out;
+	
+	ret = _krb5_extract_ticket(context,
+				   &rep,
+				   creds,
+				   key,
+				   NULL,
+				   KRB5_KU_AS_REP_ENC_PART,
+				   NULL,
+				   ctx->nonce,
+				   flags,
+				   NULL,
+				   NULL);
+	krb5_free_keyblock(context, key);
+    }
+    /*
+     * Verify referral data
+     */
+    if ((ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE) &&
+	(ctx->ic_flags & KRB5_INIT_CREDS_NO_C_CANON_CHECK) == 0)
+    {
+	PA_ClientCanonicalized canon;
+	krb5_crypto crypto;
+	krb5_data data;
+	PA_DATA *pa;
+	size_t len;
+
+	pa = find_pa_data(rep.kdc_rep.padata, KRB5_PADATA_CLIENT_CANONICALIZED);
+	if (pa == NULL) {
+	    ret = EINVAL;
+	    krb5_set_error_string(context, "Client canonicalizion not signed");
+	    goto out;
+	}
+	
+	ret = decode_PA_ClientCanonicalized(pa->padata_value.data, 
+					    pa->padata_value.length,
+					    &canon, &len);
 	if (ret) {
-	    memset (buf, 0, sizeof(buf));
-	    ret = KRB5_LIBOS_PWDINTR;
-	    krb5_clear_error_string (context);
+	    krb5_set_error_string(context, "Failed to decode "
+				  "PA_ClientCanonicalized");
+	    goto out;
+	}
+
+	ASN1_MALLOC_ENCODE(PA_ClientCanonicalizedNames, data.data, data.length,
+			   &canon.names, &len, ret);
+	if (ret) 
+	    goto out;
+	if (data.length != len)
+	    krb5_abortx(context, "internal asn.1 error");
+
+	ret = krb5_crypto_init(context, &creds->session, 0, &crypto);
+	if (ret) {
+	    free(data.data);
+	    free_PA_ClientCanonicalized(&canon);
+	    goto out;
+	}
+
+	ret = krb5_verify_checksum(context, crypto, KRB5_KU_CANONICALIZED_NAMES,
+				   data.data, data.length,
+				   &canon.canon_checksum);
+	krb5_crypto_destroy(context, crypto);
+	free(data.data);
+	free_PA_ClientCanonicalized(&canon);
+	if (ret) {
+	    krb5_set_error_string(context, "Failed to verify "
+				  "client canonicalized data");
 	    goto out;
 	}
-	password = password_data.data;
     }
+out:
+    if (stctx)
+	krb5_sendto_ctx_free(context, stctx);
+    krb5_data_free(&ctx->req_buffer);
+    free_METHOD_DATA(&md);
+    memset(&md, 0, sizeof(md));
+
+    if (ret == 0 && ret_as_reply)
+	*ret_as_reply = rep;
+    else 
+	krb5_free_kdc_rep (context, &rep);
+    return ret;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds(krb5_context context,
+		    krb5_creds *creds,
+		    krb5_principal client,
+		    krb5_prompter_fct prompter,
+		    void *data,
+		    krb5_deltat start_time,
+		    const char *in_tkt_service,
+		    krb5_get_init_creds_opt *options)
+{
+    krb5_get_init_creds_ctx ctx;
+    krb5_kdc_rep kdc_reply;
+    krb5_error_code ret;
+    char buf[BUFSIZ];
+    int done;
+
+    memset(&kdc_reply, 0, sizeof(kdc_reply));
+
+    ret = get_init_creds_common(context, client, start_time,
+				in_tkt_service, options, &ctx);
+    if (ret)
+	goto out;
 
     done = 0;
     while(!done) {
 	memset(&kdc_reply, 0, sizeof(kdc_reply));
-	ret = krb5_get_in_cred (context,
-				flags.i,
-				addrs,
-				etypes,
-				pre_auth_types,
-				NULL,
-				krb5_password_key_proc,
-				password,
-				NULL,
-				NULL,
-				&this_cred,
-				&kdc_reply);
+
+	ret = init_cred_loop(context,
+			     options,
+			     prompter,
+			     data,
+			     &ctx,
+			     &ctx.cred,
+			     &kdc_reply);
+	
 	switch (ret) {
 	case 0 :
 	    done = 1;
@@ -454,18 +1486,19 @@ krb5_get_init_creds_password(krb5_context context,
 	case KRB5KDC_ERR_KEY_EXPIRED :
 	    /* try to avoid recursion */
 
-	    if (prompter == NULL)
+	    /* don't try to change password where then where none */
+	    if (prompter == NULL || ctx.password == NULL)
 		goto out;
 
 	    krb5_clear_error_string (context);
 
-	    if (in_tkt_service != NULL
-		&& strcmp (in_tkt_service, "kadmin/changepw") == 0)
+	    if (ctx.in_tkt_service != NULL
+		&& strcmp (ctx.in_tkt_service, "kadmin/changepw") == 0)
 		goto out;
 
 	    ret = change_password (context,
 				   client,
-				   password,
+				   ctx.password,
 				   buf,
 				   sizeof(buf),
 				   prompter,
@@ -473,7 +1506,7 @@ krb5_get_init_creds_password(krb5_context context,
 				   options);
 	    if (ret)
 		goto out;
-	    password = buf;
+	    ctx.password = buf;
 	    break;
 	default:
 	    goto out;
@@ -482,94 +1515,144 @@ krb5_get_init_creds_password(krb5_context context,
 
     if (prompter)
 	print_expire (context,
-		      krb5_princ_realm (context, this_cred.client),
+		      krb5_principal_get_realm (context, ctx.cred.client),
 		      &kdc_reply,
 		      prompter,
 		      data);
-out:
-    memset (buf, 0, sizeof(buf));
 
+ out:
+    memset (buf, 0, sizeof(buf));
+    free_init_creds_ctx(context, &ctx);
     krb5_free_kdc_rep (context, &kdc_reply);
-
-    free (pre_auth_types);
-    free (etypes);
-    if (ret == 0 && creds)
-	*creds = this_cred;
+    if (ret == 0)
+	*creds = ctx.cred;
     else
-	krb5_free_creds_contents (context, &this_cred);
+	krb5_free_cred_contents (context, &ctx.cred);
+
     return ret;
 }
 
-krb5_error_code
-krb5_keyblock_key_proc (krb5_context context,
-			krb5_keytype type,
-			krb5_data *salt,
-			krb5_const_pointer keyseed,
-			krb5_keyblock **key)
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_password(krb5_context context,
+			     krb5_creds *creds,
+			     krb5_principal client,
+			     const char *password,
+			     krb5_prompter_fct prompter,
+			     void *data,
+			     krb5_deltat start_time,
+			     const char *in_tkt_service,
+			     krb5_get_init_creds_opt *in_options)
+{
+    krb5_get_init_creds_opt *options;
+    char buf[BUFSIZ];
+    krb5_error_code ret;
+
+    if (in_options == NULL) {
+	const char *realm = krb5_principal_get_realm(context, client);
+	ret = krb5_get_init_creds_opt_alloc(context, &options);
+	if (ret == 0)
+	    krb5_get_init_creds_opt_set_default_flags(context, 
+						      NULL, 
+						      realm, 
+						      options);
+    } else
+	ret = _krb5_get_init_creds_opt_copy(context, in_options, &options);
+    if (ret)
+	return ret;
+
+    if (password == NULL &&
+	options->opt_private->password == NULL &&
+	options->opt_private->pk_init_ctx == NULL)
+    {
+	krb5_prompt prompt;
+	krb5_data password_data;
+	char *p, *q;
+
+	krb5_unparse_name (context, client, &p);
+	asprintf (&q, "%s's Password: ", p);
+	free (p);
+	prompt.prompt = q;
+	password_data.data   = buf;
+	password_data.length = sizeof(buf);
+	prompt.hidden = 1;
+	prompt.reply  = &password_data;
+	prompt.type   = KRB5_PROMPT_TYPE_PASSWORD;
+
+	ret = (*prompter) (context, data, NULL, NULL, 1, &prompt);
+	free (q);
+	if (ret) {
+	    memset (buf, 0, sizeof(buf));
+	    krb5_get_init_creds_opt_free(context, options);
+	    ret = KRB5_LIBOS_PWDINTR;
+	    krb5_clear_error_string (context);
+	    return ret;
+	}
+	password = password_data.data;
+    }
+
+    if (options->opt_private->password == NULL) {
+	ret = krb5_get_init_creds_opt_set_pa_password(context, options,
+						      password, NULL);
+	if (ret) {
+	    krb5_get_init_creds_opt_free(context, options);
+	    memset(buf, 0, sizeof(buf));
+	    return ret;
+	}
+    }
+
+    ret = krb5_get_init_creds(context, creds, client, prompter,
+			      data, start_time, in_tkt_service, options);
+    krb5_get_init_creds_opt_free(context, options);
+    memset(buf, 0, sizeof(buf));
+    return ret;
+}
+
+static krb5_error_code
+init_creds_keyblock_key_proc (krb5_context context,
+			      krb5_enctype type,
+			      krb5_salt salt,
+			      krb5_const_pointer keyseed,
+			      krb5_keyblock **key)
 {
     return krb5_copy_keyblock (context, keyseed, key);
 }
 
-krb5_error_code
-krb5_get_init_creds_keytab(krb5_context context,
-			   krb5_creds *creds,
-			   krb5_principal client,
-			   krb5_keytab keytab,
-			   krb5_deltat start_time,
-			   const char *in_tkt_service,
-			   krb5_get_init_creds_opt *options)
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_keyblock(krb5_context context,
+			     krb5_creds *creds,
+			     krb5_principal client,
+			     krb5_keyblock *keyblock,
+			     krb5_deltat start_time,
+			     const char *in_tkt_service,
+			     krb5_get_init_creds_opt *options)
 {
+    struct krb5_get_init_creds_ctx ctx;
     krb5_error_code ret;
-    krb5_kdc_flags flags;
-    krb5_addresses *addrs = NULL;
-    krb5_enctype *etypes = NULL;
-    krb5_preauthtype *pre_auth_types = NULL;
-    krb5_creds this_cred;
-    krb5_keytab_key_proc_args *a;
     
-    ret = get_init_creds_common(context, creds, client, start_time,
-				in_tkt_service, options,
-				&addrs, &etypes, &this_cred, &pre_auth_types,
-				&flags);
-    if(ret)
-	goto out;
-
-    a = malloc (sizeof(*a));
-    if (a == NULL) {
-	krb5_set_error_string(context, "malloc: out of memory");
-	ret = ENOMEM;
+    ret = get_init_creds_common(context, client, start_time,
+				in_tkt_service, options, &ctx);
+    if (ret)
 	goto out;
-    }
-    a->principal = this_cred.client;
-    a->keytab    = keytab;
 
     ret = krb5_get_in_cred (context,
-			    flags.i,
-			    addrs,
-			    etypes,
-			    pre_auth_types,
+			    KDCOptions2int(ctx.flags),
+			    ctx.addrs,
+			    ctx.etypes,
+			    ctx.pre_auth_types,
 			    NULL,
-			    krb5_keytab_key_proc,
-			    a,
+			    init_creds_keyblock_key_proc,
+			    keyblock,
 			    NULL,
 			    NULL,
-			    &this_cred,
+			    &ctx.cred,
 			    NULL);
-    free (a);
 
-    if (ret)
-	goto out;
-    free (pre_auth_types);
-    free (etypes);
-    if (creds)
-	*creds = this_cred;
+    if (ret == 0 && creds)
+	*creds = ctx.cred;
     else
-	krb5_free_creds_contents (context, &this_cred);
-    return 0;
+	krb5_free_cred_contents (context, &ctx.cred);
 
-out:
-    free (pre_auth_types);
-    free (etypes);
-    krb5_free_creds_contents (context, &this_cred);
+ out:
+    free_init_creds_ctx(context, &ctx);
     return ret;
 }
diff --git a/crypto/heimdal/lib/krb5/k524_err.et b/crypto/heimdal/lib/krb5/k524_err.et
index 2dc60f4..0ca25f7 100644
--- a/crypto/heimdal/lib/krb5/k524_err.et
+++ b/crypto/heimdal/lib/krb5/k524_err.et
@@ -3,7 +3,7 @@
 #
 # This might look like a com_err file, but is not
 #
-id "$Id: k524_err.et,v 1.1 2001/06/20 02:44:11 joda Exp $"
+id "$Id: k524_err.et 10141 2001-06-20 02:45:58Z joda $"
 
 error_table k524
 
diff --git a/crypto/heimdal/lib/krb5/kcm.c b/crypto/heimdal/lib/krb5/kcm.c
new file mode 100644
index 0000000..8afaa6e
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/kcm.c
@@ -0,0 +1,1122 @@
+/*
+ * Copyright (c) 2005, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+
+#ifdef HAVE_KCM
+/*
+ * Client library for Kerberos Credentials Manager (KCM) daemon
+ */
+
+#ifdef HAVE_SYS_UN_H
+#include <sys/un.h>
+#endif
+
+#include "kcm.h"
+
+RCSID("$Id: kcm.c 22108 2007-12-03 17:23:53Z lha $");
+
+typedef struct krb5_kcmcache {
+    char *name;
+    struct sockaddr_un path;
+    char *door_path;
+} krb5_kcmcache;
+
+#define KCMCACHE(X)	((krb5_kcmcache *)(X)->data.data)
+#define CACHENAME(X)	(KCMCACHE(X)->name)
+#define KCMCURSOR(C)	(*(uint32_t *)(C))
+
+static krb5_error_code
+try_door(krb5_context context, const krb5_kcmcache *k,
+	 krb5_data *request_data,
+	 krb5_data *response_data)
+{
+#ifdef HAVE_DOOR_CREATE
+    door_arg_t arg;
+    int fd;
+    int ret;
+
+    memset(&arg, 0, sizeof(arg));
+	   
+    fd = open(k->door_path, O_RDWR);
+    if (fd < 0)
+	return KRB5_CC_IO;
+
+    arg.data_ptr = request_data->data;
+    arg.data_size = request_data->length;
+    arg.desc_ptr = NULL;
+    arg.desc_num = 0;
+    arg.rbuf = NULL;
+    arg.rsize = 0;
+
+    ret = door_call(fd, &arg);
+    close(fd);
+    if (ret != 0)
+	return KRB5_CC_IO;
+
+    ret = krb5_data_copy(response_data, arg.rbuf, arg.rsize);
+    munmap(arg.rbuf, arg.rsize);
+    if (ret)
+	return ret;
+
+    return 0;
+#else
+    return KRB5_CC_IO;
+#endif
+}
+
+static krb5_error_code
+try_unix_socket(krb5_context context, const krb5_kcmcache *k,
+		krb5_data *request_data,
+		krb5_data *response_data)
+{
+    krb5_error_code ret;
+    int fd;
+
+    fd = socket(AF_UNIX, SOCK_STREAM, 0);
+    if (fd < 0)
+	return KRB5_CC_IO;
+    
+    if (connect(fd, rk_UNCONST(&k->path), sizeof(k->path)) != 0) {
+	close(fd);
+	return KRB5_CC_IO;
+    }
+    
+    ret = _krb5_send_and_recv_tcp(fd, context->kdc_timeout,
+				  request_data, response_data);
+    close(fd);
+    return ret;
+}
+    
+static krb5_error_code
+kcm_send_request(krb5_context context,
+		 krb5_kcmcache *k,
+		 krb5_storage *request,
+		 krb5_data *response_data)
+{
+    krb5_error_code ret;
+    krb5_data request_data;
+    int i;
+
+    response_data->data = NULL;
+    response_data->length = 0;
+
+    ret = krb5_storage_to_data(request, &request_data);
+    if (ret) {
+	krb5_clear_error_string(context);
+	return KRB5_CC_NOMEM;
+    }
+
+    ret = KRB5_CC_IO;
+
+    for (i = 0; i < context->max_retries; i++) {
+	ret = try_door(context, k, &request_data, response_data);
+	if (ret == 0 && response_data->length != 0)
+	    break;
+	ret = try_unix_socket(context, k, &request_data, response_data);
+	if (ret == 0 && response_data->length != 0)
+	    break;
+    }
+
+    krb5_data_free(&request_data);
+
+    if (ret) {
+	krb5_clear_error_string(context);
+	ret = KRB5_CC_IO;
+    }
+
+    return ret;
+}
+
+static krb5_error_code
+kcm_storage_request(krb5_context context,
+		    kcm_operation opcode,
+		    krb5_storage **storage_p)
+{
+    krb5_storage *sp;
+    krb5_error_code ret;
+
+    *storage_p = NULL;
+
+    sp = krb5_storage_emem();
+    if (sp == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return KRB5_CC_NOMEM;
+    }
+
+    /* Send MAJOR | VERSION | OPCODE */
+    ret  = krb5_store_int8(sp, KCM_PROTOCOL_VERSION_MAJOR);
+    if (ret)
+	goto fail;
+    ret = krb5_store_int8(sp, KCM_PROTOCOL_VERSION_MINOR);
+    if (ret)
+	goto fail;
+    ret = krb5_store_int16(sp, opcode);
+    if (ret)
+	goto fail;
+
+    *storage_p = sp;
+ fail:
+    if (ret) {
+	krb5_set_error_string(context, "Failed to encode request");
+	krb5_storage_free(sp);
+    }
+   
+    return ret; 
+}
+
+static krb5_error_code
+kcm_alloc(krb5_context context, const char *name, krb5_ccache *id)
+{
+    krb5_kcmcache *k;
+    const char *path;
+
+    k = malloc(sizeof(*k));
+    if (k == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return KRB5_CC_NOMEM;
+    }
+
+    if (name != NULL) {
+	k->name = strdup(name);
+	if (k->name == NULL) {
+	    free(k);
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    return KRB5_CC_NOMEM;
+	}
+    } else
+	k->name = NULL;
+
+    path = krb5_config_get_string_default(context, NULL,
+					  _PATH_KCM_SOCKET,
+					  "libdefaults", 
+					  "kcm_socket",
+					  NULL);
+    
+    k->path.sun_family = AF_UNIX;
+    strlcpy(k->path.sun_path, path, sizeof(k->path.sun_path));
+
+    path = krb5_config_get_string_default(context, NULL,
+					  _PATH_KCM_DOOR,
+					  "libdefaults", 
+					  "kcm_door",
+					  NULL);
+    k->door_path = strdup(path);
+
+    (*id)->data.data = k;
+    (*id)->data.length = sizeof(*k);
+
+    return 0;
+}
+
+static krb5_error_code
+kcm_call(krb5_context context,
+	 krb5_kcmcache *k,
+	 krb5_storage *request,
+	 krb5_storage **response_p,
+	 krb5_data *response_data_p)
+{
+    krb5_data response_data;
+    krb5_error_code ret;
+    int32_t status;
+    krb5_storage *response;
+
+    if (response_p != NULL)
+	*response_p = NULL;
+
+    ret = kcm_send_request(context, k, request, &response_data);
+    if (ret) {
+	return ret;
+    }
+
+    response = krb5_storage_from_data(&response_data);
+    if (response == NULL) {
+	krb5_data_free(&response_data);
+	return KRB5_CC_IO;
+    }
+
+    ret = krb5_ret_int32(response, &status);
+    if (ret) {
+	krb5_storage_free(response);
+	krb5_data_free(&response_data);
+	return KRB5_CC_FORMAT;
+    }
+
+    if (status) {
+	krb5_storage_free(response);
+	krb5_data_free(&response_data);
+	return status;
+    }
+
+    if (response_p != NULL) {
+	*response_data_p = response_data;
+	*response_p = response;
+
+	return 0;
+    }
+
+    krb5_storage_free(response);
+    krb5_data_free(&response_data);
+
+    return 0;
+}
+
+static void
+kcm_free(krb5_context context, krb5_ccache *id)
+{
+    krb5_kcmcache *k = KCMCACHE(*id);
+
+    if (k != NULL) {
+	if (k->name != NULL)
+	    free(k->name);
+	if (k->door_path)
+	    free(k->door_path);
+	memset(k, 0, sizeof(*k));
+	krb5_data_free(&(*id)->data);
+    }
+
+    *id = NULL;
+}
+
+static const char *
+kcm_get_name(krb5_context context,
+	     krb5_ccache id)
+{
+    return CACHENAME(id);
+}
+
+static krb5_error_code
+kcm_resolve(krb5_context context, krb5_ccache *id, const char *res)
+{
+    return kcm_alloc(context, res, id);
+}
+
+/*
+ * Request:
+ *
+ * Response:
+ *      NameZ
+ */
+static krb5_error_code
+kcm_gen_new(krb5_context context, krb5_ccache *id)
+{
+    krb5_kcmcache *k;
+    krb5_error_code ret;
+    krb5_storage *request, *response;
+    krb5_data response_data;
+
+    ret = kcm_alloc(context, NULL, id);
+    if (ret)
+	return ret;
+
+    k = KCMCACHE(*id);
+
+    ret = kcm_storage_request(context, KCM_OP_GEN_NEW, &request);
+    if (ret) {
+	kcm_free(context, id);
+	return ret;
+    }
+
+    ret = kcm_call(context, k, request, &response, &response_data);
+    if (ret) {
+	krb5_storage_free(request);
+	kcm_free(context, id);
+	return ret;
+    }
+
+    ret = krb5_ret_stringz(response, &k->name);
+    if (ret)
+	ret = KRB5_CC_IO;
+
+    krb5_storage_free(request);
+    krb5_storage_free(response);
+    krb5_data_free(&response_data);
+
+    if (ret)
+	kcm_free(context, id);
+
+    return ret;
+}
+
+/*
+ * Request:
+ *      NameZ
+ *      Principal
+ *
+ * Response:
+ *
+ */
+static krb5_error_code
+kcm_initialize(krb5_context context,
+	       krb5_ccache id,
+	       krb5_principal primary_principal)
+{
+    krb5_error_code ret;
+    krb5_kcmcache *k = KCMCACHE(id);
+    krb5_storage *request;
+
+    ret = kcm_storage_request(context, KCM_OP_INITIALIZE, &request);
+    if (ret)
+	return ret;
+
+    ret = krb5_store_stringz(request, k->name);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = krb5_store_principal(request, primary_principal);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = kcm_call(context, k, request, NULL, NULL);
+
+    krb5_storage_free(request);
+    return ret;
+}
+
+static krb5_error_code
+kcm_close(krb5_context context,
+	  krb5_ccache id)
+{
+    kcm_free(context, &id);
+    return 0;
+}
+
+/*
+ * Request:
+ *      NameZ
+ *
+ * Response:
+ *
+ */
+static krb5_error_code
+kcm_destroy(krb5_context context,
+	    krb5_ccache id)
+{
+    krb5_error_code ret;
+    krb5_kcmcache *k = KCMCACHE(id);
+    krb5_storage *request;
+
+    ret = kcm_storage_request(context, KCM_OP_DESTROY, &request);
+    if (ret)
+	return ret;
+
+    ret = krb5_store_stringz(request, k->name);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = kcm_call(context, k, request, NULL, NULL);
+
+    krb5_storage_free(request);
+    return ret;
+}
+
+/*
+ * Request:
+ *      NameZ
+ *      Creds
+ *
+ * Response:
+ *
+ */
+static krb5_error_code
+kcm_store_cred(krb5_context context,
+	       krb5_ccache id,
+	       krb5_creds *creds)
+{
+    krb5_error_code ret;
+    krb5_kcmcache *k = KCMCACHE(id);
+    krb5_storage *request;
+
+    ret = kcm_storage_request(context, KCM_OP_STORE, &request);
+    if (ret)
+	return ret;
+
+    ret = krb5_store_stringz(request, k->name);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = krb5_store_creds(request, creds);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = kcm_call(context, k, request, NULL, NULL);
+
+    krb5_storage_free(request);
+    return ret;
+}
+
+/*
+ * Request:
+ *      NameZ
+ *      WhichFields
+ *      MatchCreds
+ *
+ * Response:
+ *      Creds
+ *
+ */
+static krb5_error_code
+kcm_retrieve(krb5_context context,
+	     krb5_ccache id,
+	     krb5_flags which,
+	     const krb5_creds *mcred,
+	     krb5_creds *creds)
+{
+    krb5_error_code ret;
+    krb5_kcmcache *k = KCMCACHE(id);
+    krb5_storage *request, *response;
+    krb5_data response_data;
+
+    ret = kcm_storage_request(context, KCM_OP_RETRIEVE, &request);
+    if (ret)
+	return ret;
+
+    ret = krb5_store_stringz(request, k->name);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = krb5_store_int32(request, which);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = krb5_store_creds_tag(request, rk_UNCONST(mcred));
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = kcm_call(context, k, request, &response, &response_data);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = krb5_ret_creds(response, creds);
+    if (ret)
+	ret = KRB5_CC_IO;
+
+    krb5_storage_free(request);
+    krb5_storage_free(response);
+    krb5_data_free(&response_data);
+
+    return ret;
+}
+
+/*
+ * Request:
+ *      NameZ
+ *
+ * Response:
+ *      Principal
+ */
+static krb5_error_code
+kcm_get_principal(krb5_context context,
+		  krb5_ccache id,
+		  krb5_principal *principal)
+{
+    krb5_error_code ret;
+    krb5_kcmcache *k = KCMCACHE(id);
+    krb5_storage *request, *response;
+    krb5_data response_data;
+
+    ret = kcm_storage_request(context, KCM_OP_GET_PRINCIPAL, &request);
+    if (ret)
+	return ret;
+
+    ret = krb5_store_stringz(request, k->name);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = kcm_call(context, k, request, &response, &response_data);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = krb5_ret_principal(response, principal);
+    if (ret)
+	ret = KRB5_CC_IO;
+
+    krb5_storage_free(request);
+    krb5_storage_free(response);
+    krb5_data_free(&response_data);
+
+    return ret;
+}
+
+/*
+ * Request:
+ *      NameZ
+ *
+ * Response:
+ *      Cursor
+ *
+ */
+static krb5_error_code
+kcm_get_first (krb5_context context,
+	       krb5_ccache id,
+	       krb5_cc_cursor *cursor)
+{
+    krb5_error_code ret;
+    krb5_kcmcache *k = KCMCACHE(id);
+    krb5_storage *request, *response;
+    krb5_data response_data;
+    int32_t tmp;
+
+    ret = kcm_storage_request(context, KCM_OP_GET_FIRST, &request);
+    if (ret)
+	return ret;
+
+    ret = krb5_store_stringz(request, k->name);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = kcm_call(context, k, request, &response, &response_data);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = krb5_ret_int32(response, &tmp);
+    if (ret || tmp < 0)
+	ret = KRB5_CC_IO;
+
+    krb5_storage_free(request);
+    krb5_storage_free(response);
+    krb5_data_free(&response_data);
+
+    if (ret)
+	return ret;
+
+    *cursor = malloc(sizeof(tmp));
+    if (*cursor == NULL)
+	return KRB5_CC_NOMEM;
+
+    KCMCURSOR(*cursor) = tmp;
+
+    return 0;
+}
+
+/*
+ * Request:
+ *      NameZ
+ *      Cursor
+ *
+ * Response:
+ *      Creds
+ */
+static krb5_error_code
+kcm_get_next (krb5_context context,
+		krb5_ccache id,
+		krb5_cc_cursor *cursor,
+		krb5_creds *creds)
+{
+    krb5_error_code ret;
+    krb5_kcmcache *k = KCMCACHE(id);
+    krb5_storage *request, *response;
+    krb5_data response_data;
+
+    ret = kcm_storage_request(context, KCM_OP_GET_NEXT, &request);
+    if (ret)
+	return ret;
+
+    ret = krb5_store_stringz(request, k->name);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = krb5_store_int32(request, KCMCURSOR(*cursor));
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = kcm_call(context, k, request, &response, &response_data);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = krb5_ret_creds(response, creds);
+    if (ret)
+	ret = KRB5_CC_IO;
+
+    krb5_storage_free(request);
+    krb5_storage_free(response);
+    krb5_data_free(&response_data);
+
+    return ret;
+}
+
+/*
+ * Request:
+ *      NameZ
+ *      Cursor
+ *
+ * Response:
+ *
+ */
+static krb5_error_code
+kcm_end_get (krb5_context context,
+	     krb5_ccache id,
+	     krb5_cc_cursor *cursor)
+{
+    krb5_error_code ret;
+    krb5_kcmcache *k = KCMCACHE(id);
+    krb5_storage *request;
+
+    ret = kcm_storage_request(context, KCM_OP_END_GET, &request);
+    if (ret)
+	return ret;
+
+    ret = krb5_store_stringz(request, k->name);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = krb5_store_int32(request, KCMCURSOR(*cursor));
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = kcm_call(context, k, request, NULL, NULL);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+  
+    krb5_storage_free(request);
+
+    KCMCURSOR(*cursor) = 0;
+    free(*cursor);
+    *cursor = NULL;
+
+    return ret;
+}
+
+/*
+ * Request:
+ *      NameZ
+ *      WhichFields
+ *      MatchCreds
+ *
+ * Response:
+ *
+ */
+static krb5_error_code
+kcm_remove_cred(krb5_context context,
+		krb5_ccache id,
+		krb5_flags which,
+		krb5_creds *cred)
+{
+    krb5_error_code ret;
+    krb5_kcmcache *k = KCMCACHE(id);
+    krb5_storage *request;
+
+    ret = kcm_storage_request(context, KCM_OP_REMOVE_CRED, &request);
+    if (ret)
+	return ret;
+
+    ret = krb5_store_stringz(request, k->name);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = krb5_store_int32(request, which);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = krb5_store_creds_tag(request, cred);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = kcm_call(context, k, request, NULL, NULL);
+
+    krb5_storage_free(request);
+    return ret;
+}
+
+static krb5_error_code
+kcm_set_flags(krb5_context context,
+	      krb5_ccache id,
+	      krb5_flags flags)
+{
+    krb5_error_code ret;
+    krb5_kcmcache *k = KCMCACHE(id);
+    krb5_storage *request;
+
+    ret = kcm_storage_request(context, KCM_OP_SET_FLAGS, &request);
+    if (ret)
+	return ret;
+
+    ret = krb5_store_stringz(request, k->name);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = krb5_store_int32(request, flags);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = kcm_call(context, k, request, NULL, NULL);
+
+    krb5_storage_free(request);
+    return ret;
+}
+
+static krb5_error_code
+kcm_get_version(krb5_context context,
+		krb5_ccache id)
+{
+    return 0;
+}
+
+static krb5_error_code
+kcm_move(krb5_context context, krb5_ccache from, krb5_ccache to)
+{
+    krb5_set_error_string(context, "kcm_move not implemented");
+    return EINVAL;
+}
+
+static krb5_error_code
+kcm_default_name(krb5_context context, char **str)
+{
+    return _krb5_expand_default_cc_name(context, 
+					KRB5_DEFAULT_CCNAME_KCM,
+					str);
+}
+
+/**
+ * Variable containing the KCM based credential cache implemention.
+ *
+ * @ingroup krb5_ccache
+ */
+
+const krb5_cc_ops krb5_kcm_ops = {
+    "KCM",
+    kcm_get_name,
+    kcm_resolve,
+    kcm_gen_new,
+    kcm_initialize,
+    kcm_destroy,
+    kcm_close,
+    kcm_store_cred,
+    kcm_retrieve,
+    kcm_get_principal,
+    kcm_get_first,
+    kcm_get_next,
+    kcm_end_get,
+    kcm_remove_cred,
+    kcm_set_flags,
+    kcm_get_version,
+    NULL,
+    NULL,
+    NULL,
+    kcm_move,
+    kcm_default_name
+};
+
+krb5_boolean
+_krb5_kcm_is_running(krb5_context context)
+{
+    krb5_error_code ret;
+    krb5_ccache_data ccdata;
+    krb5_ccache id = &ccdata;
+    krb5_boolean running;
+
+    ret = kcm_alloc(context, NULL, &id);
+    if (ret)
+	return 0;
+
+    running = (_krb5_kcm_noop(context, id) == 0);
+
+    kcm_free(context, &id);
+
+    return running;
+}
+
+/*
+ * Request:
+ *
+ * Response:
+ *
+ */
+krb5_error_code
+_krb5_kcm_noop(krb5_context context,
+	       krb5_ccache id)
+{
+    krb5_error_code ret;
+    krb5_kcmcache *k = KCMCACHE(id);
+    krb5_storage *request;
+
+    ret = kcm_storage_request(context, KCM_OP_NOOP, &request);
+    if (ret)
+	return ret;
+
+    ret = kcm_call(context, k, request, NULL, NULL);
+
+    krb5_storage_free(request);
+    return ret;
+}
+
+
+/*
+ * Request:
+ *      NameZ
+ *      Mode
+ *
+ * Response:
+ *
+ */
+krb5_error_code
+_krb5_kcm_chmod(krb5_context context,
+		krb5_ccache id,
+		uint16_t mode)
+{
+    krb5_error_code ret;
+    krb5_kcmcache *k = KCMCACHE(id);
+    krb5_storage *request;
+
+    ret = kcm_storage_request(context, KCM_OP_CHMOD, &request);
+    if (ret)
+	return ret;
+
+    ret = krb5_store_stringz(request, k->name);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = krb5_store_int16(request, mode);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = kcm_call(context, k, request, NULL, NULL);
+
+    krb5_storage_free(request);
+    return ret;
+}
+
+
+/*
+ * Request:
+ *      NameZ
+ *      UID
+ *      GID
+ *
+ * Response:
+ *
+ */
+krb5_error_code
+_krb5_kcm_chown(krb5_context context,
+		krb5_ccache id,
+		uint32_t uid,
+		uint32_t gid)
+{
+    krb5_error_code ret;
+    krb5_kcmcache *k = KCMCACHE(id);
+    krb5_storage *request;
+
+    ret = kcm_storage_request(context, KCM_OP_CHOWN, &request);
+    if (ret)
+	return ret;
+
+    ret = krb5_store_stringz(request, k->name);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = krb5_store_int32(request, uid);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = krb5_store_int32(request, gid);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = kcm_call(context, k, request, NULL, NULL);
+
+    krb5_storage_free(request);
+    return ret;
+}
+
+
+/*
+ * Request:
+ *      NameZ
+ *      ServerPrincipalPresent
+ *      ServerPrincipal OPTIONAL
+ *      Key
+ *
+ * Repsonse:
+ *
+ */
+krb5_error_code
+_krb5_kcm_get_initial_ticket(krb5_context context,
+			     krb5_ccache id,
+			     krb5_principal server,
+			     krb5_keyblock *key)
+{
+    krb5_error_code ret;
+    krb5_kcmcache *k = KCMCACHE(id);
+    krb5_storage *request;
+
+    ret = kcm_storage_request(context, KCM_OP_GET_INITIAL_TICKET, &request);
+    if (ret)
+	return ret;
+
+    ret = krb5_store_stringz(request, k->name);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = krb5_store_int8(request, (server == NULL) ? 0 : 1);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    if (server != NULL) {
+	ret = krb5_store_principal(request, server);
+	if (ret) {
+	    krb5_storage_free(request);
+	    return ret;
+	}
+    }
+
+    ret = krb5_store_keyblock(request, *key);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = kcm_call(context, k, request, NULL, NULL);
+
+    krb5_storage_free(request);
+    return ret;
+}
+
+
+/*
+ * Request:
+ *      NameZ
+ *      KDCFlags
+ *      EncryptionType
+ *      ServerPrincipal
+ *
+ * Repsonse:
+ *
+ */
+krb5_error_code
+_krb5_kcm_get_ticket(krb5_context context,
+		     krb5_ccache id,
+		     krb5_kdc_flags flags,
+		     krb5_enctype enctype,
+		     krb5_principal server)
+{
+    krb5_error_code ret;
+    krb5_kcmcache *k = KCMCACHE(id);
+    krb5_storage *request;
+
+    ret = kcm_storage_request(context, KCM_OP_GET_TICKET, &request);
+    if (ret)
+	return ret;
+
+    ret = krb5_store_stringz(request, k->name);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = krb5_store_int32(request, flags.i);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = krb5_store_int32(request, enctype);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = krb5_store_principal(request, server);
+    if (ret) {
+	krb5_storage_free(request);
+	return ret;
+    }
+
+    ret = kcm_call(context, k, request, NULL, NULL);
+
+    krb5_storage_free(request);
+    return ret;
+}
+
+
+#endif /* HAVE_KCM */
diff --git a/crypto/heimdal/lib/krb5/kcm.h b/crypto/heimdal/lib/krb5/kcm.h
new file mode 100644
index 0000000..10dfa44
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/kcm.h
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2005, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef __KCM_H__
+#define __KCM_H__
+
+/*
+ * KCM protocol definitions
+ */
+
+#define KCM_PROTOCOL_VERSION_MAJOR	1
+#define KCM_PROTOCOL_VERSION_MINOR	0
+
+typedef enum kcm_operation {
+    KCM_OP_NOOP,
+    KCM_OP_GET_NAME,
+    KCM_OP_RESOLVE,
+    KCM_OP_GEN_NEW,
+    KCM_OP_INITIALIZE,
+    KCM_OP_DESTROY,
+    KCM_OP_STORE,
+    KCM_OP_RETRIEVE,
+    KCM_OP_GET_PRINCIPAL,
+    KCM_OP_GET_FIRST,
+    KCM_OP_GET_NEXT,
+    KCM_OP_END_GET,
+    KCM_OP_REMOVE_CRED,
+    KCM_OP_SET_FLAGS,
+    KCM_OP_CHOWN,
+    KCM_OP_CHMOD,
+    KCM_OP_GET_INITIAL_TICKET,
+    KCM_OP_GET_TICKET,
+    KCM_OP_MAX
+} kcm_operation;
+
+#define _PATH_KCM_SOCKET      "/var/run/.kcm_socket"
+#define _PATH_KCM_DOOR      "/var/run/.kcm_door"
+
+#endif /* __KCM_H__ */
+
diff --git a/crypto/heimdal/lib/krb5/kerberos.8 b/crypto/heimdal/lib/krb5/kerberos.8
index b0b4980..e45c947 100644
--- a/crypto/heimdal/lib/krb5/kerberos.8
+++ b/crypto/heimdal/lib/krb5/kerberos.8
@@ -1,35 +1,35 @@
 .\" Copyright (c) 2000 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.\" $Id: kerberos.8,v 1.6 2003/03/10 02:19:23 lha Exp $
+.\" $Id: kerberos.8 16121 2005-10-03 14:24:36Z lha $
 .\"
 .Dd September 1, 2000
 .Dt KERBEROS 8
@@ -94,11 +94,14 @@ filesystem.
 The problems with version 4 are that it has many limitations, the code
 was not too well written (since it had been developed over a long
 time), and it has a number of known security problems. To resolve many
-of these issues work on version five started, and resulted in IETF
-RFC1510 in 1993. Since then much work has been put into the further
-development, and a new RFC will hopefully appear soon.
+of these issues work on version five started, and resulted in IETF RFC
+1510 in 1993. IETF RFC 1510 was obsoleted in 2005 with IETF RFC 4120,
+also known as Kerberos clarifications. With the arrival of IETF RFC
+4120, the work on adding extensibility and internationalization have
+started (Kerberos extensions), and a new RFC will hopefully appear
+soon.
 .Pp
-This manual manual page is part of the
+This manual page is part of the
 .Nm Heimdal
 Kerberos 5 distribution, which has been in development at the Royal
 Institute of Technology in Stockholm, Sweden, since about 1997.
diff --git a/crypto/heimdal/lib/krb5/keyblock.c b/crypto/heimdal/lib/krb5/keyblock.c
index 7eb7067..ff4f972 100644
--- a/crypto/heimdal/lib/krb5/keyblock.c
+++ b/crypto/heimdal/lib/krb5/keyblock.c
@@ -33,9 +33,16 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: keyblock.c,v 1.12 2001/05/14 06:14:48 assar Exp $");
+RCSID("$Id: keyblock.c 15167 2005-05-18 04:21:57Z lha $");
 
-void
+void KRB5_LIB_FUNCTION
+krb5_keyblock_zero(krb5_keyblock *keyblock)
+{
+    keyblock->keytype = 0;
+    krb5_data_zero(&keyblock->keyvalue);
+}
+
+void KRB5_LIB_FUNCTION
 krb5_free_keyblock_contents(krb5_context context,
 			    krb5_keyblock *keyblock)
 {
@@ -43,10 +50,11 @@ krb5_free_keyblock_contents(krb5_context context,
 	if (keyblock->keyvalue.data != NULL)
 	    memset(keyblock->keyvalue.data, 0, keyblock->keyvalue.length);
 	krb5_data_free (&keyblock->keyvalue);
+	keyblock->keytype = ENCTYPE_NULL;
     }
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_free_keyblock(krb5_context context,
 		   krb5_keyblock *keyblock)
 {
@@ -56,7 +64,7 @@ krb5_free_keyblock(krb5_context context,
     }
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_copy_keyblock_contents (krb5_context context,
 			     const krb5_keyblock *inblock,
 			     krb5_keyblock *to)
@@ -64,7 +72,7 @@ krb5_copy_keyblock_contents (krb5_context context,
     return copy_EncryptionKey(inblock, to);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_copy_keyblock (krb5_context context,
 		    const krb5_keyblock *inblock,
 		    krb5_keyblock **to)
@@ -79,3 +87,47 @@ krb5_copy_keyblock (krb5_context context,
     *to = k;
     return krb5_copy_keyblock_contents (context, inblock, k);
 }
+
+krb5_enctype
+krb5_keyblock_get_enctype(const krb5_keyblock *block)
+{
+    return block->keytype;
+}
+
+/*
+ * Fill in `key' with key data of type `enctype' from `data' of length
+ * `size'. Key should be freed using krb5_free_keyblock_contents.
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_keyblock_init(krb5_context context,
+		   krb5_enctype type,
+		   const void *data,
+		   size_t size,
+		   krb5_keyblock *key)
+{
+    krb5_error_code ret;
+    size_t len;
+
+    memset(key, 0, sizeof(*key));
+
+    ret = krb5_enctype_keysize(context, type, &len);
+    if (ret)
+	return ret;
+
+    if (len != size) {
+	krb5_set_error_string(context, "Encryption key %d is %lu bytes "
+			      "long, %lu was passed in",
+			      type, (unsigned long)len, (unsigned long)size);
+	return KRB5_PROG_ETYPE_NOSUPP;
+    }
+    ret = krb5_data_copy(&key->keyvalue, data, len);
+    if(ret) {
+	krb5_set_error_string(context, "malloc failed: %lu",
+			      (unsigned long)len);
+	return ret;
+    }
+    key->keytype = type;
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/keytab.c b/crypto/heimdal/lib/krb5/keytab.c
index 9adf99b..f6c7858 100644
--- a/crypto/heimdal/lib/krb5/keytab.c
+++ b/crypto/heimdal/lib/krb5/keytab.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,14 +33,14 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: keytab.c,v 1.55 2003/03/27 03:45:01 lha Exp $");
+RCSID("$Id: keytab.c 20211 2007-02-09 07:11:03Z lha $");
 
 /*
  * Register a new keytab in `ops'
  * Return 0 or an error.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_register(krb5_context context,
 		 const krb5_kt_ops *ops)
 {
@@ -48,7 +48,7 @@ krb5_kt_register(krb5_context context,
 
     if (strlen(ops->prefix) > KRB5_KT_PREFIX_MAX_LEN - 1) {
 	krb5_set_error_string(context, "krb5_kt_register; prefix too long");
-	return KRB5_KT_NAME_TOOLONG;
+	return KRB5_KT_BADNAME;
     }
 
     tmp = realloc(context->kt_types,
@@ -70,7 +70,7 @@ krb5_kt_register(krb5_context context,
  * Return 0 or an error
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_resolve(krb5_context context,
 		const char *name,
 		krb5_keytab *id)
@@ -123,7 +123,7 @@ krb5_kt_resolve(krb5_context context,
  * Return 0 or KRB5_CONFIG_NOTENUFSPACE if `namesize' is too short.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_default_name(krb5_context context, char *name, size_t namesize)
 {
     if (strlcpy (name, context->default_keytab, namesize) >= namesize) {
@@ -138,7 +138,7 @@ krb5_kt_default_name(krb5_context context, char *name, size_t namesize)
  * Return 0 or KRB5_CONFIG_NOTENUFSPACE if `namesize' is too short.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_default_modify_name(krb5_context context, char *name, size_t namesize)
 {
     const char *kt = NULL;
@@ -169,7 +169,7 @@ krb5_kt_default_modify_name(krb5_context context, char *name, size_t namesize)
  * Return 0 or an error.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_default(krb5_context context, krb5_keytab *id)
 {
     return krb5_kt_resolve (context, context->default_keytab, id);
@@ -181,7 +181,7 @@ krb5_kt_default(krb5_context context, krb5_keytab *id)
  * Return 0 or an error.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_read_service_key(krb5_context context,
 			 krb5_pointer keyprocarg,
 			 krb5_principal principal,
@@ -215,7 +215,7 @@ krb5_kt_read_service_key(krb5_context context,
  * `prefixsize'.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_get_type(krb5_context context,
 		 krb5_keytab keytab,
 		 char *prefix,
@@ -230,7 +230,7 @@ krb5_kt_get_type(krb5_context context,
  * Return 0 or an error.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_get_name(krb5_context context, 
 		 krb5_keytab keytab,
 		 char *name,
@@ -240,19 +240,53 @@ krb5_kt_get_name(krb5_context context,
 }
 
 /*
- * Finish using the keytab in `id'.  All resources will be released.
- * Return 0 or an error.
+ * Retrieve the full name of the keytab `keytab' and store the name in
+ * `str'. `str' needs to be freed by the caller using free(3).
+ * Returns 0 or an error. On error, *str is set to NULL.
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_kt_get_full_name(krb5_context context, 
+		      krb5_keytab keytab,
+		      char **str)
+{
+    char type[KRB5_KT_PREFIX_MAX_LEN];
+    char name[MAXPATHLEN];
+    krb5_error_code ret;
+	      
+    *str = NULL;
+
+    ret = krb5_kt_get_type(context, keytab, type, sizeof(type));
+    if (ret)
+	return ret;
+
+    ret = krb5_kt_get_name(context, keytab, name, sizeof(name));
+    if (ret)
+	return ret;
+
+    if (asprintf(str, "%s:%s", type, name) == -1) {
+	krb5_set_error_string(context, "malloc - out of memory");
+	*str = NULL;
+	return ENOMEM;
+    }
+
+    return 0;
+}
+
+/*
+ * Finish using the keytab in `id'.  All resources will be released,
+ * even on errors.  Return 0 or an error.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_close(krb5_context context, 
 	      krb5_keytab id)
 {
     krb5_error_code ret;
 
     ret = (*id->close)(context, id);
-    if(ret == 0)
-	free(id);
+    memset(id, 0, sizeof(*id));
+    free(id);
     return ret;
 }
 
@@ -262,7 +296,7 @@ krb5_kt_close(krb5_context context,
  * Return TRUE if they compare the same, FALSE otherwise.
  */
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_kt_compare(krb5_context context,
 		krb5_keytab_entry *entry, 
 		krb5_const_principal principal,
@@ -286,7 +320,7 @@ krb5_kt_compare(krb5_context context,
  * Return 0 or an error.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_get_entry(krb5_context context,
 		  krb5_keytab id,
 		  krb5_const_principal principal,
@@ -302,8 +336,10 @@ krb5_kt_get_entry(krb5_context context,
 	return (*id->get)(context, id, principal, kvno, enctype, entry);
 
     ret = krb5_kt_start_seq_get (context, id, &cursor);
-    if (ret)
+    if (ret) {
+	krb5_clear_error_string(context);
 	return KRB5_KT_NOTFOUND; /* XXX i.e. file not found */
+    }
 
     entry->vno = 0;
     while (krb5_kt_next_entry(context, id, &tmp, &cursor) == 0) {
@@ -328,10 +364,12 @@ krb5_kt_get_entry(krb5_context context,
     if (entry->vno) {
 	return 0;
     } else {
-	char princ[256], kt_name[256], kvno_str[25];
+	char princ[256], kvno_str[25], *kt_name;
+	char *enctype_str = NULL;
 
 	krb5_unparse_name_fixed (context, principal, princ, sizeof(princ));
-	krb5_kt_get_name (context, id, kt_name, sizeof(kt_name));
+	krb5_kt_get_full_name (context, id, &kt_name);
+	krb5_enctype_to_string(context, enctype, &enctype_str);
 
 	if (kvno)
 	    snprintf(kvno_str, sizeof(kvno_str), "(kvno %d)", kvno);
@@ -339,10 +377,13 @@ krb5_kt_get_entry(krb5_context context,
 	    kvno_str[0] = '\0';
 
 	krb5_set_error_string (context,
- 			       "failed to find %s%s in keytab %s",
+ 			       "Failed to find %s%s in keytab %s (%s)",
 			       princ,
 			       kvno_str,
-			       kt_name);
+			       kt_name ? kt_name : "unknown keytab",
+			       enctype_str ? enctype_str : "unknown enctype");
+	free(kt_name);
+	free(enctype_str);
 	return KRB5_KT_NOTFOUND;
     }
 }
@@ -351,7 +392,7 @@ krb5_kt_get_entry(krb5_context context,
  * Copy the contents of `in' into `out'.
  * Return 0 or an error.  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_copy_entry_contents(krb5_context context,
 			    const krb5_keytab_entry *in,
 			    krb5_keytab_entry *out)
@@ -380,40 +421,22 @@ fail:
  * Free the contents of `entry'.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_free_entry(krb5_context context,
 		   krb5_keytab_entry *entry)
 {
-  krb5_free_principal (context, entry->principal);
-  krb5_free_keyblock_contents (context, &entry->keyblock);
-  return 0;
-}
-
-#if 0
-static int
-xxxlock(int fd, int write)
-{
-    if(flock(fd, (write ? LOCK_EX : LOCK_SH) | LOCK_NB) < 0) {
-	sleep(1);
-	if(flock(fd, (write ? LOCK_EX : LOCK_SH) | LOCK_NB) < 0) 
-	    return -1;
-    }
+    krb5_free_principal (context, entry->principal);
+    krb5_free_keyblock_contents (context, &entry->keyblock);
+    memset(entry, 0, sizeof(*entry));
     return 0;
 }
 
-static void
-xxxunlock(int fd)
-{
-    flock(fd, LOCK_UN);
-}
-#endif
-
 /*
  * Set `cursor' to point at the beginning of `id'.
  * Return 0 or an error.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_start_seq_get(krb5_context context,
 		      krb5_keytab id,
 		      krb5_kt_cursor *cursor)
@@ -433,7 +456,7 @@ krb5_kt_start_seq_get(krb5_context context,
  * Return 0 or an error.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_next_entry(krb5_context context,
 		   krb5_keytab id,
 		   krb5_keytab_entry *entry,
@@ -452,7 +475,7 @@ krb5_kt_next_entry(krb5_context context,
  * Release all resources associated with `cursor'.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_end_seq_get(krb5_context context,
 		    krb5_keytab id,
 		    krb5_kt_cursor *cursor)
@@ -471,7 +494,7 @@ krb5_kt_end_seq_get(krb5_context context,
  * Return 0 or an error.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_add_entry(krb5_context context,
 		  krb5_keytab id,
 		  krb5_keytab_entry *entry)
@@ -490,7 +513,7 @@ krb5_kt_add_entry(krb5_context context,
  * Return 0 or an error.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_remove_entry(krb5_context context,
 		     krb5_keytab id,
 		     krb5_keytab_entry *entry)
diff --git a/crypto/heimdal/lib/krb5/keytab_any.c b/crypto/heimdal/lib/krb5/keytab_any.c
index 667788c..54272d4 100644
--- a/crypto/heimdal/lib/krb5/keytab_any.c
+++ b/crypto/heimdal/lib/krb5/keytab_any.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: keytab_any.c,v 1.7 2002/10/21 13:36:59 joda Exp $");
+RCSID("$Id: keytab_any.c 17035 2006-04-10 09:20:13Z lha $");
 
 struct any_data {
     krb5_keytab kt;
@@ -162,23 +162,22 @@ any_next_entry (krb5_context context,
 	ret = krb5_kt_next_entry(context, ed->a->kt, entry, &ed->cursor);
 	if (ret == 0)
 	    return 0;
-	else if (ret == KRB5_KT_END) {
-	    ret2 = krb5_kt_end_seq_get (context, ed->a->kt, &ed->cursor);
-	    if (ret2)
-		return ret2;
-	    while ((ed->a = ed->a->next) != NULL) {
-		ret2 = krb5_kt_start_seq_get(context, ed->a->kt, &ed->cursor);
-		if (ret2 == 0)
-		    break;
-	    }
-	    if (ed->a == NULL) {
-		krb5_clear_error_string (context);
-		return KRB5_KT_END;
-	    }
-	} else
+	else if (ret != KRB5_KT_END)
 	    return ret;
-    } while (ret == KRB5_KT_END);
-    return ret;
+
+	ret2 = krb5_kt_end_seq_get (context, ed->a->kt, &ed->cursor);
+	if (ret2)
+	    return ret2;
+	while ((ed->a = ed->a->next) != NULL) {
+	    ret2 = krb5_kt_start_seq_get(context, ed->a->kt, &ed->cursor);
+	    if (ret2 == 0)
+		break;
+	}
+	if (ed->a == NULL) {
+	    krb5_clear_error_string (context);
+	    return KRB5_KT_END;
+	}
+    } while (1);
 }
 
 static krb5_error_code
diff --git a/crypto/heimdal/lib/krb5/keytab_file.c b/crypto/heimdal/lib/krb5/keytab_file.c
index f2ff5386..4ada3a4 100644
--- a/crypto/heimdal/lib/krb5/keytab_file.c
+++ b/crypto/heimdal/lib/krb5/keytab_file.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,16 +33,20 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: keytab_file.c,v 1.12 2002/09/24 16:43:30 joda Exp $");
+RCSID("$Id: keytab_file.c 17457 2006-05-05 12:36:57Z lha $");
 
 #define KRB5_KT_VNO_1 1
 #define KRB5_KT_VNO_2 2
 #define KRB5_KT_VNO   KRB5_KT_VNO_2
 
+#define KRB5_KT_FL_JAVA 1
+
+
 /* file operations -------------------------------------------- */
 
 struct fkt_data {
     char *filename;
+    int flags;
 };
 
 static krb5_error_code
@@ -70,7 +74,7 @@ krb5_kt_ret_data(krb5_context context,
 static krb5_error_code
 krb5_kt_ret_string(krb5_context context,
 		   krb5_storage *sp,
-		   general_string *data)
+		   heim_general_string *data)
 {
     int ret;
     int16_t size;
@@ -109,7 +113,7 @@ krb5_kt_store_data(krb5_context context,
 
 static krb5_error_code
 krb5_kt_store_string(krb5_storage *sp,
-		     general_string data)
+		     heim_general_string data)
 {
     int ret;
     size_t len = strlen(data);
@@ -160,7 +164,7 @@ krb5_kt_ret_principal(krb5_context context,
     int i;
     int ret;
     krb5_principal p;
-    int16_t tmp;
+    int16_t len;
     
     ALLOC(p, 1);
     if(p == NULL) {
@@ -168,25 +172,34 @@ krb5_kt_ret_principal(krb5_context context,
 	return ENOMEM;
     }
 
-    ret = krb5_ret_int16(sp, &tmp);
-    if(ret)
-	return ret;
+    ret = krb5_ret_int16(sp, &len);
+    if(ret) {
+	krb5_set_error_string(context,
+			      "Failed decoding length of keytab principal");
+	goto out;
+    }
     if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS))
-	tmp--;
-    p->name.name_string.len = tmp;
+	len--;
+    if (len < 0) {
+	krb5_set_error_string(context, 
+			      "Keytab principal contains invalid length");
+	ret = KRB5_KT_END;
+	goto out;
+    }
     ret = krb5_kt_ret_string(context, sp, &p->realm);
     if(ret)
-	return ret;
-    p->name.name_string.val = calloc(p->name.name_string.len, 
-				     sizeof(*p->name.name_string.val));
+	goto out;
+    p->name.name_string.val = calloc(len, sizeof(*p->name.name_string.val));
     if(p->name.name_string.val == NULL) {
 	krb5_set_error_string (context, "malloc: out of memory");
-	return ENOMEM;
+	ret = ENOMEM;
+	goto out;
     }
+    p->name.name_string.len = len;
     for(i = 0; i < p->name.name_string.len; i++){
 	ret = krb5_kt_ret_string(context, sp, p->name.name_string.val + i);
 	if(ret)
-	    return ret;
+	    goto out;
     }
     if (krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE))
 	p->name.name_type = KRB5_NT_UNKNOWN;
@@ -195,10 +208,13 @@ krb5_kt_ret_principal(krb5_context context,
 	ret = krb5_ret_int32(sp, &tmp32);
 	p->name.name_type = tmp32;
 	if (ret)
-	    return ret;
+	    goto out;
     }
     *princ = p;
     return 0;
+out:
+    krb5_free_principal(context, p);
+    return ret;
 }
 
 static krb5_error_code
@@ -246,11 +262,25 @@ fkt_resolve(krb5_context context, const char *name, krb5_keytab id)
 	krb5_set_error_string (context, "malloc: out of memory");
 	return ENOMEM;
     }
+    d->flags = 0;
     id->data = d;
     return 0;
 }
 
 static krb5_error_code
+fkt_resolve_java14(krb5_context context, const char *name, krb5_keytab id)
+{
+    krb5_error_code ret;
+
+    ret = fkt_resolve(context, name, id);
+    if (ret == 0) {
+	struct fkt_data *d = id->data;
+	d->flags |= KRB5_KT_FL_JAVA;
+    }
+    return ret;
+}
+
+static krb5_error_code
 fkt_close(krb5_context context, krb5_keytab id)
 {
     struct fkt_data *d = id->data;
@@ -294,6 +324,7 @@ static krb5_error_code
 fkt_start_seq_get_int(krb5_context context, 
 		      krb5_keytab id, 
 		      int flags,
+		      int exclusive,
 		      krb5_kt_cursor *c)
 {
     int8_t pvno, tag;
@@ -307,16 +338,30 @@ fkt_start_seq_get_int(krb5_context context,
 			      strerror(ret));
 	return ret;
     }
+    ret = _krb5_xlock(context, c->fd, exclusive, d->filename);
+    if (ret) {
+	close(c->fd);
+	return ret;
+    }
     c->sp = krb5_storage_from_fd(c->fd);
+    if (c->sp == NULL) {
+	_krb5_xunlock(context, c->fd);
+	close(c->fd);
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
     krb5_storage_set_eof_code(c->sp, KRB5_KT_END);
     ret = krb5_ret_int8(c->sp, &pvno);
     if(ret) {
 	krb5_storage_free(c->sp);
+	_krb5_xunlock(context, c->fd);
 	close(c->fd);
+	krb5_clear_error_string(context);
 	return ret;
     }
     if(pvno != 5) {
 	krb5_storage_free(c->sp);
+	_krb5_xunlock(context, c->fd);
 	close(c->fd);
 	krb5_clear_error_string (context);
 	return KRB5_KEYTAB_BADVNO;
@@ -324,7 +369,9 @@ fkt_start_seq_get_int(krb5_context context,
     ret = krb5_ret_int8(c->sp, &tag);
     if (ret) {
 	krb5_storage_free(c->sp);
+	_krb5_xunlock(context, c->fd);
 	close(c->fd);
+	krb5_clear_error_string(context);
 	return ret;
     }
     id->version = tag;
@@ -337,7 +384,7 @@ fkt_start_seq_get(krb5_context context,
 		  krb5_keytab id, 
 		  krb5_kt_cursor *c)
 {
-    return fkt_start_seq_get_int(context, id, O_RDONLY | O_BINARY, c);
+    return fkt_start_seq_get_int(context, id, O_RDONLY | O_BINARY, 0, c);
 }
 
 static krb5_error_code
@@ -381,14 +428,14 @@ loop:
      * if it's zero, assume that the 8bit one was right,
      * otherwise trust the new value */
     curpos = krb5_storage_seek(cursor->sp, 0, SEEK_CUR);
-    if(len + 4 + pos - curpos == 4) {
+    if(len + 4 + pos - curpos >= 4) {
 	ret = krb5_ret_int32(cursor->sp, &tmp32);
 	if (ret == 0 && tmp32 != 0) {
 	    entry->vno = tmp32;
 	}
     }
     if(start) *start = pos;
-    if(end) *end = *start + 4 + len;
+    if(end) *end = pos + 4 + len;
  out:
     krb5_storage_seek(cursor->sp, pos + 4 + len, SEEK_SET);
     return ret;
@@ -409,6 +456,7 @@ fkt_end_seq_get(krb5_context context,
 		krb5_kt_cursor *cursor)
 {
     krb5_storage_free(cursor->sp);
+    _krb5_xunlock(context, cursor->fd);
     close(cursor->fd);
     return 0;
 }
@@ -448,17 +496,25 @@ fkt_add_entry(krb5_context context,
 				  strerror(ret));
 	    return ret;
 	}
+	ret = _krb5_xlock(context, fd, 1, d->filename);
+	if (ret) {
+	    close(fd);
+	    return ret;
+	}
 	sp = krb5_storage_from_fd(fd);
 	krb5_storage_set_eof_code(sp, KRB5_KT_END);
 	ret = fkt_setup_keytab(context, id, sp);
 	if(ret) {
-	    krb5_storage_free(sp);
-	    close(fd);
-	    return ret;
+	    goto out;
 	}
 	storage_set_flags(context, sp, id->version);
     } else {
 	int8_t pvno, tag;
+	ret = _krb5_xlock(context, fd, 1, d->filename);
+	if (ret) {
+	    close(fd);
+	    return ret;
+	}
 	sp = krb5_storage_from_fd(fd);
 	krb5_storage_set_eof_code(sp, KRB5_KT_END);
 	ret = krb5_ret_int8(sp, &pvno);
@@ -469,28 +525,21 @@ fkt_add_entry(krb5_context context,
 	    if(ret) {
 		krb5_set_error_string(context, "%s: keytab is corrupted: %s", 
 				      d->filename, strerror(ret));
-		krb5_storage_free(sp);
-		close(fd);
-		return ret;
+		goto out;
 	    }
 	    storage_set_flags(context, sp, id->version);
 	} else {
 	    if(pvno != 5) {
-		krb5_storage_free(sp);
-		close(fd);
-		krb5_clear_error_string (context);
 		ret = KRB5_KEYTAB_BADVNO;
 		krb5_set_error_string(context, "%s: %s", 
 				      d->filename, strerror(ret));
-		return ret;
+		goto out;
 	    }
 	    ret = krb5_ret_int8 (sp, &tag);
 	    if (ret) {
 		krb5_set_error_string(context, "%s: reading tag: %s", 
 				      d->filename, strerror(ret));
-		krb5_storage_free(sp);
-		close(fd);
-		return ret;
+		goto out;
 	    }
 	    id->version = tag;
 	    storage_set_flags(context, sp, id->version);
@@ -525,10 +574,12 @@ fkt_add_entry(krb5_context context,
 	    krb5_storage_free(emem);
 	    goto out;
 	}
-	ret = krb5_store_int32 (emem, entry->vno);
-	if (ret) {
-	    krb5_storage_free(emem);
-	    goto out;
+	if ((d->flags & KRB5_KT_FL_JAVA) == 0) {
+	    ret = krb5_store_int32 (emem, entry->vno);
+	    if (ret) {
+		krb5_storage_free(emem);
+		goto out;
+	    }
 	}
 
 	ret = krb5_storage_to_data(emem, &keytab);
@@ -559,6 +610,7 @@ fkt_add_entry(krb5_context context,
     krb5_data_free(&keytab);
   out:
     krb5_storage_free(sp);
+    _krb5_xunlock(context, fd);
     close(fd);
     return ret;
 }
@@ -574,7 +626,7 @@ fkt_remove_entry(krb5_context context,
     int found = 0;
     krb5_error_code ret;
     
-    ret = fkt_start_seq_get_int(context, id, O_RDWR | O_BINARY, &cursor);
+    ret = fkt_start_seq_get_int(context, id, O_RDWR | O_BINARY, 1, &cursor);
     if(ret != 0) 
 	goto out; /* return other error here? */
     while(fkt_next_entry_int(context, id, &e, &cursor, 
@@ -593,6 +645,7 @@ fkt_remove_entry(krb5_context context,
 		len -= min(len, sizeof(buf));
 	    }
 	}
+	krb5_kt_free_entry(context, &e);
     }
     krb5_kt_end_seq_get(context, id, &cursor);
   out:
@@ -615,3 +668,29 @@ const krb5_kt_ops krb5_fkt_ops = {
     fkt_add_entry,
     fkt_remove_entry
 };
+
+const krb5_kt_ops krb5_wrfkt_ops = {
+    "WRFILE",
+    fkt_resolve,
+    fkt_get_name,
+    fkt_close,
+    NULL, /* get */
+    fkt_start_seq_get,
+    fkt_next_entry,
+    fkt_end_seq_get,
+    fkt_add_entry,
+    fkt_remove_entry
+};
+
+const krb5_kt_ops krb5_javakt_ops = {
+    "JAVA14",
+    fkt_resolve_java14,
+    fkt_get_name,
+    fkt_close,
+    NULL, /* get */
+    fkt_start_seq_get,
+    fkt_next_entry,
+    fkt_end_seq_get,
+    fkt_add_entry,
+    fkt_remove_entry
+};
diff --git a/crypto/heimdal/lib/krb5/keytab_keyfile.c b/crypto/heimdal/lib/krb5/keytab_keyfile.c
index aca930f..77455ba 100644
--- a/crypto/heimdal/lib/krb5/keytab_keyfile.c
+++ b/crypto/heimdal/lib/krb5/keytab_keyfile.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: keytab_keyfile.c,v 1.15 2002/10/21 15:42:06 joda Exp $");
+RCSID("$Id: keytab_keyfile.c 20695 2007-05-30 14:09:09Z lha $");
 
 /* afs keyfile operations --------------------------------------- */
 
@@ -63,8 +63,7 @@ struct akf_data {
  */
 
 static int
-get_cell_and_realm (krb5_context context,
-		    struct akf_data *d)
+get_cell_and_realm (krb5_context context, struct akf_data *d)
 {
     FILE *f;
     char buf[BUFSIZ], *cp;
@@ -94,6 +93,8 @@ get_cell_and_realm (krb5_context context,
     f = fopen (AFS_SERVERMAGICKRBCONF, "r");
     if (f != NULL) {
 	if (fgets (buf, sizeof(buf), f) == NULL) {
+	    free (d->cell);
+	    d->cell = NULL;
 	    fclose (f);
 	    krb5_set_error_string (context, "no realm in %s",
 				   AFS_SERVERMAGICKRBCONF);
@@ -104,11 +105,12 @@ get_cell_and_realm (krb5_context context,
     }
     /* uppercase */
     for (cp = buf; *cp != '\0'; cp++)
-	*cp = toupper(*cp);
+	*cp = toupper((unsigned char)*cp);
     
     d->realm = strdup (buf);
     if (d->realm == NULL) {
 	free (d->cell);
+	d->cell = NULL;
 	krb5_set_error_string (context, "malloc: out of memory");
 	return ENOMEM;
     }
@@ -288,9 +290,16 @@ akf_add_entry(krb5_context context,
     krb5_storage *sp;
 
 
-    if (entry->keyblock.keyvalue.length != 8 
-	|| entry->keyblock.keytype != ETYPE_DES_CBC_MD5)
+    if (entry->keyblock.keyvalue.length != 8)
 	return 0;
+    switch(entry->keyblock.keytype) {
+    case ETYPE_DES_CBC_CRC:
+    case ETYPE_DES_CBC_MD4:
+    case ETYPE_DES_CBC_MD5:
+	break;
+    default:
+	return 0;
+    }
 
     fd = open (d->filename, O_RDWR | O_BINARY);
     if (fd < 0) {
@@ -329,50 +338,72 @@ akf_add_entry(krb5_context context,
 	    return ret;
 	}
     }
+
+    /*
+     * Make sure we don't add the entry twice, assumes the DES
+     * encryption types are all the same key.
+     */
+    if (len > 0) {
+	int32_t kvno;
+	int i;
+
+	for (i = 0; i < len; i++) {
+	    ret = krb5_ret_int32(sp, &kvno);
+	    if (ret) {
+		krb5_set_error_string (context, "Failed to get kvno ");
+		goto out;
+	    }
+	    if(krb5_storage_seek(sp, 8, SEEK_CUR) < 0) {
+		krb5_set_error_string (context, "seek: %s", strerror(ret));
+		goto out;
+	    }
+	    if (kvno == entry->vno) {
+		ret = 0;
+		goto out;
+	    }
+	}
+    }
+
     len++;
 	
     if(krb5_storage_seek(sp, 0, SEEK_SET) < 0) {
 	ret = errno;
-	krb5_storage_free(sp);
-	close(fd);
 	krb5_set_error_string (context, "seek: %s", strerror(ret));
-	return ret;
+	goto out;
     }
 	
     ret = krb5_store_int32(sp, len);
     if(ret) {
-	krb5_storage_free(sp);
-	close(fd);
+	krb5_set_error_string(context, "keytab keyfile failed new length");
 	return ret;
     }
-		
 
     if(krb5_storage_seek(sp, (len - 1) * (8 + 4), SEEK_CUR) < 0) {
 	ret = errno;
-	krb5_storage_free(sp);
-	close(fd);
-	krb5_set_error_string (context, "seek: %s", strerror(ret));
-	return ret;
+	krb5_set_error_string (context, "seek to end: %s", strerror(ret));
+	goto out;
     }
 	
     ret = krb5_store_int32(sp, entry->vno);
     if(ret) {
-	krb5_storage_free(sp);
-	close(fd);
-	return ret;
+	krb5_set_error_string(context, "keytab keyfile failed store kvno");
+	goto out;
     }
     ret = krb5_storage_write(sp, entry->keyblock.keyvalue.data, 
 			     entry->keyblock.keyvalue.length);
     if(ret != entry->keyblock.keyvalue.length) {
-	krb5_storage_free(sp);
-	close(fd);
-	if(ret < 0)
-	    return errno;
-	return ENOTTY;
+	if (ret < 0)
+	    ret = errno;
+	else
+	    ret = ENOTTY;
+	krb5_set_error_string(context, "keytab keyfile failed to add key");
+	goto out;
     }
+    ret = 0;
+out:
     krb5_storage_free(sp);
     close (fd);
-    return 0;
+    return ret;
 }
 
 const krb5_kt_ops krb5_akf_ops = {
diff --git a/crypto/heimdal/lib/krb5/keytab_krb4.c b/crypto/heimdal/lib/krb5/keytab_krb4.c
index 2405f82..907836c 100644
--- a/crypto/heimdal/lib/krb5/keytab_krb4.c
+++ b/crypto/heimdal/lib/krb5/keytab_krb4.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: keytab_krb4.c,v 1.10 2002/04/18 14:04:46 joda Exp $");
+RCSID("$Id: keytab_krb4.c 17046 2006-04-10 17:10:53Z lha $");
 
 struct krb4_kt_data {
     char *filename;
@@ -139,6 +139,11 @@ krb4_kt_start_seq_get_int (krb5_context context,
 	return ret;
     }
     c->sp = krb5_storage_from_fd(c->fd);
+    if(c->sp == NULL) {
+	close(c->fd);
+	free(ed);
+	return ENOMEM;
+    }
     krb5_storage_set_eof_code(c->sp, KRB5_KT_END);
     return 0;
 }
@@ -157,10 +162,10 @@ read_v4_entry (krb5_context context,
 	       krb5_kt_cursor *c,
 	       struct krb4_cursor_extra_data *ed)
 {
+    unsigned char des_key[8];
     krb5_error_code ret;
     char *service, *instance, *realm;
     int8_t kvno;
-    des_cblock key;
 
     ret = krb5_ret_stringz(c->sp, &service);
     if (ret)
@@ -188,7 +193,7 @@ read_v4_entry (krb5_context context,
 	krb5_free_principal (context, ed->entry.principal);
 	return ret;
     }
-    ret = krb5_storage_read(c->sp, key, 8);
+    ret = krb5_storage_read(c->sp, des_key, sizeof(des_key));
     if (ret < 0) {
 	krb5_free_principal(context, ed->entry.principal);
 	return ret;
@@ -199,7 +204,7 @@ read_v4_entry (krb5_context context,
     }
     ed->entry.vno = kvno;
     ret = krb5_data_copy (&ed->entry.keyblock.keyvalue,
-			  key, 8);
+			  des_key, sizeof(des_key));
     if (ret)
 	return ret;
     ed->entry.timestamp = time(NULL);
@@ -302,11 +307,11 @@ krb4_kt_add_entry (krb5_context context,
 	}
     }
     sp = krb5_storage_from_fd(fd);
-    krb5_storage_set_eof_code(sp, KRB5_KT_END);
     if(sp == NULL) {
 	close(fd);
 	return ENOMEM;
     }
+    krb5_storage_set_eof_code(sp, KRB5_KT_END);
     ret = krb4_store_keytab_entry(context, entry, sp);
     krb5_storage_free(sp);
     if(close (fd) < 0)
@@ -316,8 +321,8 @@ krb4_kt_add_entry (krb5_context context,
 
 static krb5_error_code
 krb4_kt_remove_entry(krb5_context context,
-		 krb5_keytab id,
-		 krb5_keytab_entry *entry)
+		     krb5_keytab id,
+		     krb5_keytab_entry *entry)
 {
     struct krb4_kt_data *d = id->data;
     krb5_error_code ret;
@@ -327,17 +332,27 @@ krb4_kt_remove_entry(krb5_context context,
     int remove_flag = 0;
     
     sp = krb5_storage_emem();
+    if (sp == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
     ret = krb5_kt_start_seq_get(context, id, &cursor);
+    if (ret) {
+	krb5_storage_free(sp);
+	return ret;
+    }	
     while(krb5_kt_next_entry(context, id, &e, &cursor) == 0) {
 	if(!krb5_kt_compare(context, &e, entry->principal, 
 			    entry->vno, entry->keyblock.keytype)) {
 	    ret = krb4_store_keytab_entry(context, &e, sp);
 	    if(ret) {
+		krb5_kt_free_entry(context, &e);
 		krb5_storage_free(sp);
 		return ret;
 	    }
 	} else
 	    remove_flag = 1;
+	krb5_kt_free_entry(context, &e);
     }
     krb5_kt_end_seq_get(context, id, &cursor);
     if(remove_flag) {
@@ -361,12 +376,14 @@ krb4_kt_remove_entry(krb5_context context,
 
 	if(write(fd, data.data, data.length) != data.length) {
 	    memset(data.data, 0, data.length);
+	    krb5_data_free(&data);
 	    close(fd);
 	    krb5_set_error_string(context, "failed writing to \"%s\"", d->filename);
 	    return errno;
 	}
 	memset(data.data, 0, data.length);
 	if(fstat(fd, &st) < 0) {
+	    krb5_data_free(&data);
 	    close(fd);
 	    krb5_set_error_string(context, "failed getting size of \"%s\"", d->filename);
 	    return errno;
@@ -377,6 +394,7 @@ krb4_kt_remove_entry(krb5_context context,
 	    n = min(st.st_size, sizeof(buf));
 	    n = write(fd, buf, n);
 	    if(n <= 0) {
+		krb5_data_free(&data);
 		close(fd);
 		krb5_set_error_string(context, "failed writing to \"%s\"", d->filename);
 		return errno;
@@ -385,6 +403,7 @@ krb4_kt_remove_entry(krb5_context context,
 	    st.st_size -= n;
 	}
 	if(ftruncate(fd, data.length) < 0) {
+	    krb5_data_free(&data);
 	    close(fd);
 	    krb5_set_error_string(context, "failed truncating \"%s\"", d->filename);
 	    return errno;
@@ -395,8 +414,10 @@ krb4_kt_remove_entry(krb5_context context,
 	    return errno;
 	}
 	return 0;
-    } else
+    } else {
+	krb5_storage_free(sp);
 	return KRB5_KT_NOTFOUND;
+    }
 }
 
 
diff --git a/crypto/heimdal/lib/krb5/keytab_memory.c b/crypto/heimdal/lib/krb5/keytab_memory.c
index cde8943..0ad8720 100644
--- a/crypto/heimdal/lib/krb5/keytab_memory.c
+++ b/crypto/heimdal/lib/krb5/keytab_memory.c
@@ -33,26 +33,64 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: keytab_memory.c,v 1.5 2001/05/14 06:14:49 assar Exp $");
+RCSID("$Id: keytab_memory.c 16352 2005-12-05 18:39:46Z lha $");
 
 /* memory operations -------------------------------------------- */
 
 struct mkt_data {
     krb5_keytab_entry *entries;
     int num_entries;
+    char *name;
+    int refcount;
+    struct mkt_data *next;
 };
 
+/* this mutex protects mkt_head, ->refcount, and ->next 
+ * content is not protected (name is static and need no protection)
+ */
+static HEIMDAL_MUTEX mkt_mutex = HEIMDAL_MUTEX_INITIALIZER;
+static struct mkt_data *mkt_head;
+
+
 static krb5_error_code
 mkt_resolve(krb5_context context, const char *name, krb5_keytab id)
 {
     struct mkt_data *d;
-    d = malloc(sizeof(*d));
+
+    HEIMDAL_MUTEX_lock(&mkt_mutex);
+
+    for (d = mkt_head; d != NULL; d = d->next)
+	if (strcmp(d->name, name) == 0)
+	    break;
+    if (d) {
+	if (d->refcount < 1)
+	    krb5_abortx(context, "Double close on memory keytab, "
+			"refcount < 1 %d", d->refcount);
+	d->refcount++;
+	id->data = d;
+	HEIMDAL_MUTEX_unlock(&mkt_mutex);
+	return 0;
+    }
+
+    d = calloc(1, sizeof(*d));
     if(d == NULL) {
+	HEIMDAL_MUTEX_unlock(&mkt_mutex);
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    d->name = strdup(name);
+    if (d->name == NULL) {
+	HEIMDAL_MUTEX_unlock(&mkt_mutex);
+	free(d);
 	krb5_set_error_string (context, "malloc: out of memory");
 	return ENOMEM;
     }
     d->entries = NULL;
     d->num_entries = 0;
+    d->refcount = 1;
+    d->next = mkt_head;
+    mkt_head = d;
+    HEIMDAL_MUTEX_unlock(&mkt_mutex);
     id->data = d;
     return 0;
 }
@@ -60,8 +98,27 @@ mkt_resolve(krb5_context context, const char *name, krb5_keytab id)
 static krb5_error_code
 mkt_close(krb5_context context, krb5_keytab id)
 {
-    struct mkt_data *d = id->data;
+    struct mkt_data *d = id->data, **dp;
     int i;
+
+    HEIMDAL_MUTEX_lock(&mkt_mutex);
+    if (d->refcount < 1)
+	krb5_abortx(context, 
+		    "krb5 internal error, memory keytab refcount < 1 on close");
+
+    if (--d->refcount > 0) {
+	HEIMDAL_MUTEX_unlock(&mkt_mutex);
+	return 0;
+    }
+    for (dp = &mkt_head; *dp != NULL; dp = &(*dp)->next) {
+	if (*dp == d) {
+	    *dp = d->next;
+	    break;
+	}
+    }
+    HEIMDAL_MUTEX_unlock(&mkt_mutex);
+
+    free(d->name);
     for(i = 0; i < d->num_entries; i++)
 	krb5_kt_free_entry(context, &d->entries[i]);
     free(d->entries);
@@ -75,7 +132,8 @@ mkt_get_name(krb5_context context,
 	     char *name, 
 	     size_t namesize)
 {
-    strlcpy(name, "", namesize);
+    struct mkt_data *d = id->data;
+    strlcpy(name, d->name, namesize);
     return 0;
 }
 
@@ -133,7 +191,13 @@ mkt_remove_entry(krb5_context context,
 {
     struct mkt_data *d = id->data;
     krb5_keytab_entry *e, *end;
+    int found = 0;
     
+    if (d->num_entries == 0) {
+	krb5_clear_error_string(context);
+        return KRB5_KT_NOTFOUND;
+    }
+
     /* do this backwards to minimize copying */
     for(end = d->entries + d->num_entries, e = end - 1; e >= d->entries; e--) {
 	if(krb5_kt_compare(context, e, entry->principal, 
@@ -143,10 +207,15 @@ mkt_remove_entry(krb5_context context,
 	    memset(end - 1, 0, sizeof(*end));
 	    d->num_entries--;
 	    end--;
+	    found = 1;
 	}
     }
+    if (!found) {
+	krb5_clear_error_string (context);
+	return KRB5_KT_NOTFOUND;
+    }
     e = realloc(d->entries, d->num_entries * sizeof(*d->entries));
-    if(e != NULL)
+    if(e != NULL || d->num_entries == 0)
 	d->entries = e;
     return 0;
 }
diff --git a/crypto/heimdal/lib/krb5/krb5-private.h b/crypto/heimdal/lib/krb5/krb5-private.h
index 669e954..7e04446 100644
--- a/crypto/heimdal/lib/krb5/krb5-private.h
+++ b/crypto/heimdal/lib/krb5/krb5-private.h
@@ -4,23 +4,51 @@
 
 #include <stdarg.h>
 
-void
+void KRB5_LIB_FUNCTION
 _krb5_aes_cts_encrypt (
 	const unsigned char */*in*/,
 	unsigned char */*out*/,
 	size_t /*len*/,
-	const void */*aes_key*/,
+	const AES_KEY */*key*/,
 	unsigned char */*ivec*/,
-	const int /*enc*/);
+	const int /*encryptp*/);
+
+krb5_error_code
+_krb5_cc_allocate (
+	krb5_context /*context*/,
+	const krb5_cc_ops */*ops*/,
+	krb5_ccache */*id*/);
 
 void
 _krb5_crc_init_table (void);
 
-u_int32_t
+uint32_t
 _krb5_crc_update (
 	const char */*p*/,
 	size_t /*len*/,
-	u_int32_t /*res*/);
+	uint32_t /*res*/);
+
+krb5_error_code
+_krb5_dh_group_ok (
+	krb5_context /*context*/,
+	unsigned long /*bits*/,
+	heim_integer */*p*/,
+	heim_integer */*g*/,
+	heim_integer */*q*/,
+	struct krb5_dh_moduli **/*moduli*/,
+	char **/*name*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_enctype_to_oid (
+	krb5_context /*context*/,
+	krb5_enctype /*etype*/,
+	heim_oid */*oid*/);
+
+krb5_error_code
+_krb5_expand_default_cc_name (
+	krb5_context /*context*/,
+	const char */*str*/,
+	char **/*res*/);
 
 int
 _krb5_extract_ticket (
@@ -32,12 +60,47 @@ _krb5_extract_ticket (
 	krb5_key_usage /*key_usage*/,
 	krb5_addresses */*addrs*/,
 	unsigned /*nonce*/,
-	krb5_boolean /*allow_server_mismatch*/,
-	krb5_boolean /*ignore_cname*/,
+	unsigned /*flags*/,
 	krb5_decrypt_proc /*decrypt_proc*/,
 	krb5_const_pointer /*decryptarg*/);
 
-krb5_ssize_t
+void
+_krb5_free_krbhst_info (krb5_krbhst_info */*hi*/);
+
+void
+_krb5_free_moduli (struct krb5_dh_moduli **/*moduli*/);
+
+krb5_error_code
+_krb5_get_default_principal_local (
+	krb5_context /*context*/,
+	krb5_principal */*princ*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_get_host_realm_int (
+	krb5_context /*context*/,
+	const char */*host*/,
+	krb5_boolean /*use_dns*/,
+	krb5_realm **/*realms*/);
+
+krb5_error_code
+_krb5_get_init_creds_opt_copy (
+	krb5_context /*context*/,
+	const krb5_get_init_creds_opt */*in*/,
+	krb5_get_init_creds_opt **/*out*/);
+
+void KRB5_LIB_FUNCTION
+_krb5_get_init_creds_opt_free_krb5_error (krb5_get_init_creds_opt */*opt*/);
+
+void KRB5_LIB_FUNCTION
+_krb5_get_init_creds_opt_free_pkinit (krb5_get_init_creds_opt */*opt*/);
+
+void KRB5_LIB_FUNCTION
+_krb5_get_init_creds_opt_set_krb5_error (
+	krb5_context /*context*/,
+	krb5_get_init_creds_opt */*opt*/,
+	const KRB_ERROR */*error*/);
+
+krb5_ssize_t KRB5_LIB_FUNCTION
 _krb5_get_int (
 	void */*buffer*/,
 	unsigned long */*value*/,
@@ -50,44 +113,324 @@ _krb5_get_krbtgt (
 	krb5_realm /*realm*/,
 	krb5_creds **/*cred*/);
 
-time_t
+krb5_error_code
+_krb5_kcm_chmod (
+	krb5_context /*context*/,
+	krb5_ccache /*id*/,
+	uint16_t /*mode*/);
+
+krb5_error_code
+_krb5_kcm_chown (
+	krb5_context /*context*/,
+	krb5_ccache /*id*/,
+	uint32_t /*uid*/,
+	uint32_t /*gid*/);
+
+krb5_error_code
+_krb5_kcm_get_initial_ticket (
+	krb5_context /*context*/,
+	krb5_ccache /*id*/,
+	krb5_principal /*server*/,
+	krb5_keyblock */*key*/);
+
+krb5_error_code
+_krb5_kcm_get_ticket (
+	krb5_context /*context*/,
+	krb5_ccache /*id*/,
+	krb5_kdc_flags /*flags*/,
+	krb5_enctype /*enctype*/,
+	krb5_principal /*server*/);
+
+krb5_boolean
+_krb5_kcm_is_running (krb5_context /*context*/);
+
+krb5_error_code
+_krb5_kcm_noop (
+	krb5_context /*context*/,
+	krb5_ccache /*id*/);
+
+krb5_error_code
+_krb5_kdc_retry (
+	krb5_context /*context*/,
+	krb5_sendto_ctx /*ctx*/,
+	void */*data*/,
+	const krb5_data */*reply*/,
+	int */*action*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_krb_cr_err_reply (
+	krb5_context /*context*/,
+	const char */*name*/,
+	const char */*inst*/,
+	const char */*realm*/,
+	uint32_t /*time_ws*/,
+	uint32_t /*e*/,
+	const char */*e_string*/,
+	krb5_data */*data*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_krb_create_auth_reply (
+	krb5_context /*context*/,
+	const char */*pname*/,
+	const char */*pinst*/,
+	const char */*prealm*/,
+	int32_t /*time_ws*/,
+	int /*n*/,
+	uint32_t /*x_date*/,
+	unsigned char /*kvno*/,
+	const krb5_data */*cipher*/,
+	krb5_data */*data*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_krb_create_ciph (
+	krb5_context /*context*/,
+	const krb5_keyblock */*session*/,
+	const char */*service*/,
+	const char */*instance*/,
+	const char */*realm*/,
+	uint32_t /*life*/,
+	unsigned char /*kvno*/,
+	const krb5_data */*ticket*/,
+	uint32_t /*kdc_time*/,
+	const krb5_keyblock */*key*/,
+	krb5_data */*enc_data*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_krb_create_ticket (
+	krb5_context /*context*/,
+	unsigned char /*flags*/,
+	const char */*pname*/,
+	const char */*pinstance*/,
+	const char */*prealm*/,
+	int32_t /*paddress*/,
+	const krb5_keyblock */*session*/,
+	int16_t /*life*/,
+	int32_t /*life_sec*/,
+	const char */*sname*/,
+	const char */*sinstance*/,
+	const krb5_keyblock */*key*/,
+	krb5_data */*enc_data*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_krb_decomp_ticket (
+	krb5_context /*context*/,
+	const krb5_data */*enc_ticket*/,
+	const krb5_keyblock */*key*/,
+	const char */*local_realm*/,
+	char **/*sname*/,
+	char **/*sinstance*/,
+	struct _krb5_krb_auth_data */*ad*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_krb_dest_tkt (
+	krb5_context /*context*/,
+	const char */*tkfile*/);
+
+void KRB5_LIB_FUNCTION
+_krb5_krb_free_auth_data (
+	krb5_context /*context*/,
+	struct _krb5_krb_auth_data */*ad*/);
+
+time_t KRB5_LIB_FUNCTION
 _krb5_krb_life_to_time (
 	int /*start*/,
 	int /*life_*/);
 
-int
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_krb_rd_req (
+	krb5_context /*context*/,
+	krb5_data */*authent*/,
+	const char */*service*/,
+	const char */*instance*/,
+	const char */*local_realm*/,
+	int32_t /*from_addr*/,
+	const krb5_keyblock */*key*/,
+	struct _krb5_krb_auth_data */*ad*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_krb_tf_setup (
+	krb5_context /*context*/,
+	struct credentials */*v4creds*/,
+	const char */*tkfile*/,
+	int /*append*/);
+
+int KRB5_LIB_FUNCTION
 _krb5_krb_time_to_life (
 	time_t /*start*/,
 	time_t /*end*/);
 
-void
+krb5_error_code
+_krb5_krbhost_info_move (
+	krb5_context /*context*/,
+	krb5_krbhst_info */*from*/,
+	krb5_krbhst_info **/*to*/);
+
+krb5_error_code
+_krb5_mk_req_internal (
+	krb5_context /*context*/,
+	krb5_auth_context */*auth_context*/,
+	const krb5_flags /*ap_req_options*/,
+	krb5_data */*in_data*/,
+	krb5_creds */*in_creds*/,
+	krb5_data */*outbuf*/,
+	krb5_key_usage /*checksum_usage*/,
+	krb5_key_usage /*encrypt_usage*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 _krb5_n_fold (
 	const void */*str*/,
 	size_t /*len*/,
 	void */*key*/,
 	size_t /*size*/);
 
-krb5_ssize_t
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_oid_to_enctype (
+	krb5_context /*context*/,
+	const heim_oid */*oid*/,
+	krb5_enctype */*etype*/);
+
+krb5_error_code
+_krb5_pac_sign (
+	krb5_context /*context*/,
+	krb5_pac /*p*/,
+	time_t /*authtime*/,
+	krb5_principal /*principal*/,
+	const krb5_keyblock */*server_key*/,
+	const krb5_keyblock */*priv_key*/,
+	krb5_data */*data*/);
+
+krb5_error_code
+_krb5_parse_moduli (
+	krb5_context /*context*/,
+	const char */*file*/,
+	struct krb5_dh_moduli ***/*moduli*/);
+
+krb5_error_code
+_krb5_parse_moduli_line (
+	krb5_context /*context*/,
+	const char */*file*/,
+	int /*lineno*/,
+	char */*p*/,
+	struct krb5_dh_moduli **/*m*/);
+
+void KRB5_LIB_FUNCTION
+_krb5_pk_allow_proxy_certificate (
+	struct krb5_pk_identity */*id*/,
+	int /*boolean*/);
+
+void KRB5_LIB_FUNCTION
+_krb5_pk_cert_free (struct krb5_pk_cert */*cert*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_pk_load_id (
+	krb5_context /*context*/,
+	struct krb5_pk_identity **/*ret_id*/,
+	const char */*user_id*/,
+	const char */*anchor_id*/,
+	char * const */*chain_list*/,
+	char * const */*revoke_list*/,
+	krb5_prompter_fct /*prompter*/,
+	void */*prompter_data*/,
+	char */*password*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_pk_mk_ContentInfo (
+	krb5_context /*context*/,
+	const krb5_data */*buf*/,
+	const heim_oid */*oid*/,
+	struct ContentInfo */*content_info*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_pk_mk_padata (
+	krb5_context /*context*/,
+	void */*c*/,
+	const KDC_REQ_BODY */*req_body*/,
+	unsigned /*nonce*/,
+	METHOD_DATA */*md*/);
+
+krb5_error_code
+_krb5_pk_octetstring2key (
+	krb5_context /*context*/,
+	krb5_enctype /*type*/,
+	const void */*dhdata*/,
+	size_t /*dhsize*/,
+	const heim_octet_string */*c_n*/,
+	const heim_octet_string */*k_n*/,
+	krb5_keyblock */*key*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_pk_rd_pa_reply (
+	krb5_context /*context*/,
+	const char */*realm*/,
+	void */*c*/,
+	krb5_enctype /*etype*/,
+	const krb5_krbhst_info */*hi*/,
+	unsigned /*nonce*/,
+	const krb5_data */*req_buffer*/,
+	PA_DATA */*pa*/,
+	krb5_keyblock **/*key*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_pk_verify_sign (
+	krb5_context /*context*/,
+	const void */*data*/,
+	size_t /*length*/,
+	struct krb5_pk_identity */*id*/,
+	heim_oid */*contentType*/,
+	krb5_data */*content*/,
+	struct krb5_pk_cert **/*signer*/);
+
+krb5_error_code
+_krb5_plugin_find (
+	krb5_context /*context*/,
+	enum krb5_plugin_type /*type*/,
+	const char */*name*/,
+	struct krb5_plugin **/*list*/);
+
+void
+_krb5_plugin_free (struct krb5_plugin */*list*/);
+
+struct krb5_plugin *
+_krb5_plugin_get_next (struct krb5_plugin */*p*/);
+
+void *
+_krb5_plugin_get_symbol (struct krb5_plugin */*p*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_principal2principalname (
+	PrincipalName */*p*/,
+	const krb5_principal /*from*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_principalname2krb5_principal (
+	krb5_context /*context*/,
+	krb5_principal */*principal*/,
+	const PrincipalName /*from*/,
+	const Realm /*realm*/);
+
+krb5_ssize_t KRB5_LIB_FUNCTION
 _krb5_put_int (
 	void */*buffer*/,
 	unsigned long /*value*/,
 	size_t /*size*/);
 
-krb5_error_code
-_krb5_store_creds_heimdal_0_7 (
-	krb5_storage */*sp*/,
-	krb5_creds */*creds*/);
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_rd_req_out_ctx_alloc (
+	krb5_context /*context*/,
+	krb5_rd_req_out_ctx */*ctx*/);
 
-krb5_error_code
-_krb5_store_creds_heimdal_pre_0_7 (
-	krb5_storage */*sp*/,
-	krb5_creds */*creds*/);
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_s4u2self_to_checksumdata (
+	krb5_context /*context*/,
+	const PA_S4U2Self */*self*/,
+	krb5_data */*data*/);
 
-krb5_error_code
-_krb5_store_creds_internal (
-	krb5_storage */*sp*/,
-	krb5_creds */*creds*/,
-	int /*v0_6*/);
+int
+_krb5_send_and_recv_tcp (
+	int /*fd*/,
+	time_t /*tmout*/,
+	const krb5_data */*req*/,
+	krb5_data */*rep*/);
 
 int
 _krb5_xlock (
@@ -97,6 +440,8 @@ _krb5_xlock (
 	const char */*filename*/);
 
 int
-_krb5_xunlock (int /*fd*/);
+_krb5_xunlock (
+	krb5_context /*context*/,
+	int /*fd*/);
 
 #endif /* __krb5_private_h__ */
diff --git a/crypto/heimdal/lib/krb5/krb5-protos.h b/crypto/heimdal/lib/krb5/krb5-protos.h
index 58788ae..647d888 100644
--- a/crypto/heimdal/lib/krb5/krb5-protos.h
+++ b/crypto/heimdal/lib/krb5/krb5-protos.h
@@ -8,20 +8,32 @@
 #define __attribute__(x)
 #endif
 
-krb5_error_code
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifndef KRB5_LIB_FUNCTION
+#if defined(_WIN32)
+#define KRB5_LIB_FUNCTION _stdcall
+#else
+#define KRB5_LIB_FUNCTION
+#endif
+#endif
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb524_convert_creds_kdc (
 	krb5_context /*context*/,
 	krb5_creds */*in_cred*/,
 	struct credentials */*v4creds*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb524_convert_creds_kdc_ccache (
 	krb5_context /*context*/,
 	krb5_ccache /*ccache*/,
 	krb5_creds */*in_cred*/,
 	struct credentials */*v4creds*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_425_conv_principal (
 	krb5_context /*context*/,
 	const char */*name*/,
@@ -29,7 +41,7 @@ krb5_425_conv_principal (
 	const char */*realm*/,
 	krb5_principal */*princ*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_425_conv_principal_ext (
 	krb5_context /*context*/,
 	const char */*name*/,
@@ -37,9 +49,20 @@ krb5_425_conv_principal_ext (
 	const char */*realm*/,
 	krb5_boolean (*/*func*/)(krb5_context, krb5_principal),
 	krb5_boolean /*resolve*/,
+	krb5_principal */*principal*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_425_conv_principal_ext2 (
+	krb5_context /*context*/,
+	const char */*name*/,
+	const char */*instance*/,
+	const char */*realm*/,
+	krb5_boolean (*/*func*/)(krb5_context, void *, krb5_principal),
+	void */*funcctx*/,
+	krb5_boolean /*resolve*/,
 	krb5_principal */*princ*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_524_conv_principal (
 	krb5_context /*context*/,
 	const krb5_principal /*principal*/,
@@ -47,17 +70,7 @@ krb5_524_conv_principal (
 	char */*instance*/,
 	char */*realm*/);
 
-krb5_error_code
-krb5_PKCS5_PBKDF2 (
-	krb5_context /*context*/,
-	krb5_cksumtype /*cktype*/,
-	krb5_data /*password*/,
-	krb5_salt /*salt*/,
-	u_int32_t /*iter*/,
-	krb5_keytype /*type*/,
-	krb5_keyblock */*key*/);
-
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_abort (
 	krb5_context /*context*/,
 	krb5_error_code /*code*/,
@@ -65,59 +78,59 @@ krb5_abort (
 	...)
     __attribute__ ((noreturn, format (printf, 3, 4)));
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_abortx (
 	krb5_context /*context*/,
 	const char */*fmt*/,
 	...)
     __attribute__ ((noreturn, format (printf, 2, 3)));
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_acl_match_file (
 	krb5_context /*context*/,
 	const char */*file*/,
 	const char */*format*/,
 	...);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_acl_match_string (
 	krb5_context /*context*/,
 	const char */*string*/,
 	const char */*format*/,
 	...);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_add_et_list (
 	krb5_context /*context*/,
 	void (*/*func*/)(struct et_list **));
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_add_extra_addresses (
 	krb5_context /*context*/,
 	krb5_addresses */*addresses*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_add_ignore_addresses (
 	krb5_context /*context*/,
 	krb5_addresses */*addresses*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_addlog_dest (
 	krb5_context /*context*/,
 	krb5_log_facility */*f*/,
 	const char */*orig*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_addlog_func (
 	krb5_context /*context*/,
 	krb5_log_facility */*fac*/,
 	int /*min*/,
 	int /*max*/,
-	krb5_log_log_func_t /*log*/,
-	krb5_log_close_func_t /*close*/,
+	krb5_log_log_func_t /*log_func*/,
+	krb5_log_close_func_t /*close_func*/,
 	void */*data*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_addr2sockaddr (
 	krb5_context /*context*/,
 	const krb5_address */*addr*/,
@@ -125,32 +138,40 @@ krb5_addr2sockaddr (
 	krb5_socklen_t */*sa_size*/,
 	int /*port*/);
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_address_compare (
 	krb5_context /*context*/,
 	const krb5_address */*addr1*/,
 	const krb5_address */*addr2*/);
 
-int
+int KRB5_LIB_FUNCTION
 krb5_address_order (
 	krb5_context /*context*/,
 	const krb5_address */*addr1*/,
 	const krb5_address */*addr2*/);
 
-krb5_boolean
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_address_prefixlen_boundary (
+	krb5_context /*context*/,
+	const krb5_address */*inaddr*/,
+	unsigned long /*prefixlen*/,
+	krb5_address */*low*/,
+	krb5_address */*high*/);
+
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_address_search (
 	krb5_context /*context*/,
 	const krb5_address */*addr*/,
 	const krb5_addresses */*addrlist*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_aname_to_localname (
 	krb5_context /*context*/,
 	krb5_const_principal /*aname*/,
 	size_t /*lnsize*/,
 	char */*lname*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_anyaddr (
 	krb5_context /*context*/,
 	int /*af*/,
@@ -158,7 +179,7 @@ krb5_anyaddr (
 	krb5_socklen_t */*sa_size*/,
 	int /*port*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_appdefault_boolean (
 	krb5_context /*context*/,
 	const char */*appname*/,
@@ -167,7 +188,7 @@ krb5_appdefault_boolean (
 	krb5_boolean /*def_val*/,
 	krb5_boolean */*ret_val*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_appdefault_string (
 	krb5_context /*context*/,
 	const char */*appname*/,
@@ -176,7 +197,7 @@ krb5_appdefault_string (
 	const char */*def_val*/,
 	char **/*ret_val*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_appdefault_time (
 	krb5_context /*context*/,
 	const char */*appname*/,
@@ -185,176 +206,190 @@ krb5_appdefault_time (
 	time_t /*def_val*/,
 	time_t */*ret_val*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_append_addresses (
 	krb5_context /*context*/,
 	krb5_addresses */*dest*/,
 	const krb5_addresses */*source*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_auth_con_addflags (
+	krb5_context /*context*/,
+	krb5_auth_context /*auth_context*/,
+	int32_t /*addflags*/,
+	int32_t */*flags*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_free (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_genaddrs (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	int /*fd*/,
 	int /*flags*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_generatelocalsubkey (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	krb5_keyblock */*key*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_getaddrs (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	krb5_address **/*local_addr*/,
 	krb5_address **/*remote_addr*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_getauthenticator (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	krb5_authenticator */*authenticator*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_getcksumtype (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	krb5_cksumtype */*cksumtype*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_getflags (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	int32_t */*flags*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_getkey (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	krb5_keyblock **/*keyblock*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_getkeytype (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	krb5_keytype */*keytype*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_getlocalseqnumber (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	int32_t */*seqnumber*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_getlocalsubkey (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	krb5_keyblock **/*keyblock*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_getrcache (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	krb5_rcache */*rcache*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_getremotesubkey (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	krb5_keyblock **/*keyblock*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_init (
 	krb5_context /*context*/,
 	krb5_auth_context */*auth_context*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_auth_con_removeflags (
+	krb5_context /*context*/,
+	krb5_auth_context /*auth_context*/,
+	int32_t /*removeflags*/,
+	int32_t */*flags*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setaddrs (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	krb5_address */*local_addr*/,
 	krb5_address */*remote_addr*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setaddrs_from_fd (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	void */*p_fd*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setcksumtype (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	krb5_cksumtype /*cksumtype*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setflags (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	int32_t /*flags*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setkey (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	krb5_keyblock */*keyblock*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setkeytype (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	krb5_keytype /*keytype*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setlocalseqnumber (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	int32_t /*seqnumber*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setlocalsubkey (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	krb5_keyblock */*keyblock*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setrcache (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	krb5_rcache /*rcache*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setremoteseqnumber (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	int32_t /*seqnumber*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setremotesubkey (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	krb5_keyblock */*keyblock*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_con_setuserkey (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	krb5_keyblock */*keyblock*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_getremoteseqnumber (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	int32_t */*seqnumber*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_build_ap_req (
 	krb5_context /*context*/,
 	krb5_enctype /*enctype*/,
@@ -363,7 +398,7 @@ krb5_build_ap_req (
 	krb5_data /*authenticator*/,
 	krb5_data */*retdata*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_build_authenticator (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
@@ -374,7 +409,7 @@ krb5_build_authenticator (
 	krb5_data */*result*/,
 	krb5_key_usage /*usage*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_build_principal (
 	krb5_context /*context*/,
 	krb5_principal */*principal*/,
@@ -382,7 +417,7 @@ krb5_build_principal (
 	krb5_const_realm /*realm*/,
 	...);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_build_principal_ext (
 	krb5_context /*context*/,
 	krb5_principal */*principal*/,
@@ -390,7 +425,7 @@ krb5_build_principal_ext (
 	krb5_const_realm /*realm*/,
 	...);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_build_principal_va (
 	krb5_context /*context*/,
 	krb5_principal */*principal*/,
@@ -398,7 +433,7 @@ krb5_build_principal_va (
 	krb5_const_realm /*realm*/,
 	va_list /*ap*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_build_principal_va_ext (
 	krb5_context /*context*/,
 	krb5_principal */*principal*/,
@@ -406,43 +441,199 @@ krb5_build_principal_va_ext (
 	krb5_const_realm /*realm*/,
 	va_list /*ap*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_block_size (
+	krb5_context /*context*/,
+	krb5_enctype /*enctype*/,
+	size_t */*blocksize*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_checksum_length (
+	krb5_context /*context*/,
+	krb5_cksumtype /*cksumtype*/,
+	size_t */*length*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_decrypt (
+	krb5_context /*context*/,
+	const krb5_keyblock /*key*/,
+	krb5_keyusage /*usage*/,
+	const krb5_data */*ivec*/,
+	krb5_enc_data */*input*/,
+	krb5_data */*output*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_encrypt (
+	krb5_context /*context*/,
+	const krb5_keyblock */*key*/,
+	krb5_keyusage /*usage*/,
+	const krb5_data */*ivec*/,
+	const krb5_data */*input*/,
+	krb5_enc_data */*output*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_encrypt_length (
+	krb5_context /*context*/,
+	krb5_enctype /*enctype*/,
+	size_t /*inputlen*/,
+	size_t */*length*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_enctype_compare (
+	krb5_context /*context*/,
+	krb5_enctype /*e1*/,
+	krb5_enctype /*e2*/,
+	krb5_boolean */*similar*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_get_checksum (
+	krb5_context /*context*/,
+	const krb5_checksum */*cksum*/,
+	krb5_cksumtype */*type*/,
+	krb5_data **/*data*/);
+
+krb5_boolean KRB5_LIB_FUNCTION
+krb5_c_is_coll_proof_cksum (krb5_cksumtype /*ctype*/);
+
+krb5_boolean KRB5_LIB_FUNCTION
+krb5_c_is_keyed_cksum (krb5_cksumtype /*ctype*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_keylengths (
+	krb5_context /*context*/,
+	krb5_enctype /*enctype*/,
+	size_t */*ilen*/,
+	size_t */*keylen*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_make_checksum (
+	krb5_context /*context*/,
+	krb5_cksumtype /*cksumtype*/,
+	const krb5_keyblock */*key*/,
+	krb5_keyusage /*usage*/,
+	const krb5_data */*input*/,
+	krb5_checksum */*cksum*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_make_random_key (
+	krb5_context /*context*/,
+	krb5_enctype /*enctype*/,
+	krb5_keyblock */*random_key*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_prf (
+	krb5_context /*context*/,
+	const krb5_keyblock */*key*/,
+	const krb5_data */*input*/,
+	krb5_data */*output*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_prf_length (
+	krb5_context /*context*/,
+	krb5_enctype /*type*/,
+	size_t */*length*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_set_checksum (
+	krb5_context /*context*/,
+	krb5_checksum */*cksum*/,
+	krb5_cksumtype /*type*/,
+	const krb5_data */*data*/);
+
+krb5_boolean KRB5_LIB_FUNCTION
+krb5_c_valid_cksumtype (krb5_cksumtype /*ctype*/);
+
+krb5_boolean KRB5_LIB_FUNCTION
+krb5_c_valid_enctype (krb5_enctype /*etype*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_verify_checksum (
+	krb5_context /*context*/,
+	const krb5_keyblock */*key*/,
+	krb5_keyusage /*usage*/,
+	const krb5_data */*data*/,
+	const krb5_checksum */*cksum*/,
+	krb5_boolean */*valid*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_cc_cache_end_seq_get (
+	krb5_context /*context*/,
+	krb5_cc_cache_cursor /*cursor*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_cc_cache_get_first (
+	krb5_context /*context*/,
+	const char */*type*/,
+	krb5_cc_cache_cursor */*cursor*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_cc_cache_match (
+	krb5_context /*context*/,
+	krb5_principal /*client*/,
+	const char */*type*/,
+	krb5_ccache */*id*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_cc_cache_next (
+	krb5_context /*context*/,
+	krb5_cc_cache_cursor /*cursor*/,
+	krb5_ccache */*id*/);
+
+void KRB5_LIB_FUNCTION
+krb5_cc_clear_mcred (krb5_creds */*mcred*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_close (
 	krb5_context /*context*/,
 	krb5_ccache /*id*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_copy_cache (
 	krb5_context /*context*/,
 	const krb5_ccache /*from*/,
 	krb5_ccache /*to*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_cc_copy_cache_match (
+	krb5_context /*context*/,
+	const krb5_ccache /*from*/,
+	krb5_ccache /*to*/,
+	krb5_flags /*whichfields*/,
+	const krb5_creds * /*mcreds*/,
+	unsigned int */*matched*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_default (
 	krb5_context /*context*/,
 	krb5_ccache */*id*/);
 
-const char*
+const char* KRB5_LIB_FUNCTION
 krb5_cc_default_name (krb5_context /*context*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_destroy (
 	krb5_context /*context*/,
 	krb5_ccache /*id*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_end_seq_get (
 	krb5_context /*context*/,
 	const krb5_ccache /*id*/,
 	krb5_cc_cursor */*cursor*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_gen_new (
 	krb5_context /*context*/,
 	const krb5_cc_ops */*ops*/,
 	krb5_ccache */*id*/);
 
-const char*
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_cc_get_full_name (
+	krb5_context /*context*/,
+	krb5_ccache /*id*/,
+	char **/*str*/);
+
+const char* KRB5_LIB_FUNCTION
 krb5_cc_get_name (
 	krb5_context /*context*/,
 	krb5_ccache /*id*/);
@@ -452,55 +643,82 @@ krb5_cc_get_ops (
 	krb5_context /*context*/,
 	krb5_ccache /*id*/);
 
-krb5_error_code
+const krb5_cc_ops *
+krb5_cc_get_prefix_ops (
+	krb5_context /*context*/,
+	const char */*prefix*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_get_principal (
 	krb5_context /*context*/,
 	krb5_ccache /*id*/,
 	krb5_principal */*principal*/);
 
-const char*
+const char* KRB5_LIB_FUNCTION
 krb5_cc_get_type (
 	krb5_context /*context*/,
 	krb5_ccache /*id*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_get_version (
 	krb5_context /*context*/,
 	const krb5_ccache /*id*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_initialize (
 	krb5_context /*context*/,
 	krb5_ccache /*id*/,
 	krb5_principal /*primary_principal*/);
 
 krb5_error_code
+krb5_cc_move (
+	krb5_context /*context*/,
+	krb5_ccache /*from*/,
+	krb5_ccache /*to*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_cc_new_unique (
+	krb5_context /*context*/,
+	const char */*type*/,
+	const char */*hint*/,
+	krb5_ccache */*id*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_next_cred (
 	krb5_context /*context*/,
 	const krb5_ccache /*id*/,
 	krb5_cc_cursor */*cursor*/,
 	krb5_creds */*creds*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_cc_next_cred_match (
+	krb5_context /*context*/,
+	const krb5_ccache /*id*/,
+	krb5_cc_cursor * /*cursor*/,
+	krb5_creds * /*creds*/,
+	krb5_flags /*whichfields*/,
+	const krb5_creds * /*mcreds*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_register (
 	krb5_context /*context*/,
 	const krb5_cc_ops */*ops*/,
 	krb5_boolean /*override*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_remove_cred (
 	krb5_context /*context*/,
 	krb5_ccache /*id*/,
 	krb5_flags /*which*/,
 	krb5_creds */*cred*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_resolve (
 	krb5_context /*context*/,
 	const char */*name*/,
 	krb5_ccache */*id*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_retrieve_cred (
 	krb5_context /*context*/,
 	krb5_ccache /*id*/,
@@ -508,39 +726,39 @@ krb5_cc_retrieve_cred (
 	const krb5_creds */*mcreds*/,
 	krb5_creds */*creds*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_set_default_name (
 	krb5_context /*context*/,
 	const char */*name*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_set_flags (
 	krb5_context /*context*/,
 	krb5_ccache /*id*/,
 	krb5_flags /*flags*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_start_seq_get (
 	krb5_context /*context*/,
 	const krb5_ccache /*id*/,
 	krb5_cc_cursor */*cursor*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_cc_store_cred (
 	krb5_context /*context*/,
 	krb5_ccache /*id*/,
 	krb5_creds */*creds*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_change_password (
 	krb5_context /*context*/,
 	krb5_creds */*creds*/,
-	char */*newpw*/,
+	const char */*newpw*/,
 	int */*result_code*/,
 	krb5_data */*result_code_string*/,
 	krb5_data */*result_string*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_check_transited (
 	krb5_context /*context*/,
 	krb5_const_realm /*client_realm*/,
@@ -549,50 +767,65 @@ krb5_check_transited (
 	int /*num_realms*/,
 	int */*bad_realm*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_check_transited_realms (
 	krb5_context /*context*/,
 	const char *const */*realms*/,
 	int /*num_realms*/,
 	int */*bad_realm*/);
 
-krb5_boolean
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_checksum_disable (
+	krb5_context /*context*/,
+	krb5_cksumtype /*type*/);
+
+void KRB5_LIB_FUNCTION
+krb5_checksum_free (
+	krb5_context /*context*/,
+	krb5_checksum */*cksum*/);
+
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_checksum_is_collision_proof (
 	krb5_context /*context*/,
 	krb5_cksumtype /*type*/);
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_checksum_is_keyed (
 	krb5_context /*context*/,
 	krb5_cksumtype /*type*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_checksumsize (
 	krb5_context /*context*/,
 	krb5_cksumtype /*type*/,
 	size_t */*size*/);
 
-void
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_cksumtype_valid (
+	krb5_context /*context*/,
+	krb5_cksumtype /*ctype*/);
+
+void KRB5_LIB_FUNCTION
 krb5_clear_error_string (krb5_context /*context*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_closelog (
 	krb5_context /*context*/,
 	krb5_log_facility */*fac*/);
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_compare_creds (
 	krb5_context /*context*/,
 	krb5_flags /*whichfields*/,
-	const krb5_creds */*mcreds*/,
-	const krb5_creds */*creds*/);
+	const krb5_creds * /*mcreds*/,
+	const krb5_creds * /*creds*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_config_file_free (
 	krb5_context /*context*/,
 	krb5_config_section */*s*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_config_free_strings (char **/*strings*/);
 
 const void *
@@ -602,26 +835,26 @@ krb5_config_get (
 	int /*type*/,
 	...);
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_config_get_bool (
 	krb5_context /*context*/,
 	const krb5_config_section */*c*/,
 	...);
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_config_get_bool_default (
 	krb5_context /*context*/,
 	const krb5_config_section */*c*/,
 	krb5_boolean /*def_value*/,
 	...);
 
-int
+int KRB5_LIB_FUNCTION
 krb5_config_get_int (
 	krb5_context /*context*/,
 	const krb5_config_section */*c*/,
 	...);
 
-int
+int KRB5_LIB_FUNCTION
 krb5_config_get_int_default (
 	krb5_context /*context*/,
 	const krb5_config_section */*c*/,
@@ -642,13 +875,13 @@ krb5_config_get_next (
 	int /*type*/,
 	...);
 
-const char *
+const char* KRB5_LIB_FUNCTION
 krb5_config_get_string (
 	krb5_context /*context*/,
 	const krb5_config_section */*c*/,
 	...);
 
-const char *
+const char* KRB5_LIB_FUNCTION
 krb5_config_get_string_default (
 	krb5_context /*context*/,
 	const krb5_config_section */*c*/,
@@ -661,31 +894,37 @@ krb5_config_get_strings (
 	const krb5_config_section */*c*/,
 	...);
 
-int
+int KRB5_LIB_FUNCTION
 krb5_config_get_time (
 	krb5_context /*context*/,
 	const krb5_config_section */*c*/,
 	...);
 
-int
+int KRB5_LIB_FUNCTION
 krb5_config_get_time_default (
 	krb5_context /*context*/,
 	const krb5_config_section */*c*/,
 	int /*def_value*/,
 	...);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_config_parse_file (
 	krb5_context /*context*/,
 	const char */*fname*/,
 	krb5_config_section **/*res*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_config_parse_file_multi (
 	krb5_context /*context*/,
 	const char */*fname*/,
 	krb5_config_section **/*res*/);
 
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_config_parse_string_multi (
+	krb5_context /*context*/,
+	const char */*string*/,
+	krb5_config_section **/*res*/);
+
 const void *
 krb5_config_vget (
 	krb5_context /*context*/,
@@ -693,26 +932,26 @@ krb5_config_vget (
 	int /*type*/,
 	va_list /*args*/);
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_config_vget_bool (
 	krb5_context /*context*/,
 	const krb5_config_section */*c*/,
 	va_list /*args*/);
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_config_vget_bool_default (
 	krb5_context /*context*/,
 	const krb5_config_section */*c*/,
 	krb5_boolean /*def_value*/,
 	va_list /*args*/);
 
-int
+int KRB5_LIB_FUNCTION
 krb5_config_vget_int (
 	krb5_context /*context*/,
 	const krb5_config_section */*c*/,
 	va_list /*args*/);
 
-int
+int KRB5_LIB_FUNCTION
 krb5_config_vget_int_default (
 	krb5_context /*context*/,
 	const krb5_config_section */*c*/,
@@ -733,99 +972,105 @@ krb5_config_vget_next (
 	int /*type*/,
 	va_list /*args*/);
 
-const char *
+const char* KRB5_LIB_FUNCTION
 krb5_config_vget_string (
 	krb5_context /*context*/,
 	const krb5_config_section */*c*/,
 	va_list /*args*/);
 
-const char *
+const char* KRB5_LIB_FUNCTION
 krb5_config_vget_string_default (
 	krb5_context /*context*/,
 	const krb5_config_section */*c*/,
 	const char */*def_value*/,
 	va_list /*args*/);
 
-char **
+char ** KRB5_LIB_FUNCTION
 krb5_config_vget_strings (
 	krb5_context /*context*/,
 	const krb5_config_section */*c*/,
 	va_list /*args*/);
 
-int
+int KRB5_LIB_FUNCTION
 krb5_config_vget_time (
 	krb5_context /*context*/,
 	const krb5_config_section */*c*/,
 	va_list /*args*/);
 
-int
+int KRB5_LIB_FUNCTION
 krb5_config_vget_time_default (
 	krb5_context /*context*/,
 	const krb5_config_section */*c*/,
 	int /*def_value*/,
 	va_list /*args*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_copy_address (
 	krb5_context /*context*/,
 	const krb5_address */*inaddr*/,
 	krb5_address */*outaddr*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_copy_addresses (
 	krb5_context /*context*/,
 	const krb5_addresses */*inaddr*/,
 	krb5_addresses */*outaddr*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_copy_checksum (
+	krb5_context /*context*/,
+	const krb5_checksum */*old*/,
+	krb5_checksum **/*new*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_copy_creds (
 	krb5_context /*context*/,
 	const krb5_creds */*incred*/,
 	krb5_creds **/*outcred*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_copy_creds_contents (
 	krb5_context /*context*/,
 	const krb5_creds */*incred*/,
 	krb5_creds */*c*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_copy_data (
 	krb5_context /*context*/,
 	const krb5_data */*indata*/,
 	krb5_data **/*outdata*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_copy_host_realm (
 	krb5_context /*context*/,
 	const krb5_realm */*from*/,
 	krb5_realm **/*to*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_copy_keyblock (
 	krb5_context /*context*/,
 	const krb5_keyblock */*inblock*/,
 	krb5_keyblock **/*to*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_copy_keyblock_contents (
 	krb5_context /*context*/,
 	const krb5_keyblock */*inblock*/,
 	krb5_keyblock */*to*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_copy_principal (
 	krb5_context /*context*/,
 	krb5_const_principal /*inprinc*/,
 	krb5_principal */*outprinc*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_copy_ticket (
 	krb5_context /*context*/,
 	const krb5_ticket */*from*/,
 	krb5_ticket **/*to*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_create_checksum (
 	krb5_context /*context*/,
 	krb5_crypto /*crypto*/,
@@ -835,47 +1080,94 @@ krb5_create_checksum (
 	size_t /*len*/,
 	Checksum */*result*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_crypto_destroy (
 	krb5_context /*context*/,
 	krb5_crypto /*crypto*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_crypto_get_checksum_type (
+	krb5_context /*context*/,
+	krb5_crypto /*crypto*/,
+	krb5_cksumtype */*type*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_crypto_getblocksize (
 	krb5_context /*context*/,
 	krb5_crypto /*crypto*/,
 	size_t */*blocksize*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_crypto_getconfoundersize (
+	krb5_context /*context*/,
+	krb5_crypto /*crypto*/,
+	size_t */*confoundersize*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_crypto_getenctype (
+	krb5_context /*context*/,
+	krb5_crypto /*crypto*/,
+	krb5_enctype */*enctype*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_crypto_getpadsize (
+	krb5_context /*context*/,
+	krb5_crypto /*crypto*/,
+	size_t */*padsize*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_crypto_init (
 	krb5_context /*context*/,
 	const krb5_keyblock */*key*/,
 	krb5_enctype /*etype*/,
 	krb5_crypto */*crypto*/);
 
-krb5_error_code
+size_t
+krb5_crypto_overhead (
+	krb5_context /*context*/,
+	krb5_crypto /*crypto*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_crypto_prf (
+	krb5_context /*context*/,
+	const krb5_crypto /*crypto*/,
+	const krb5_data */*input*/,
+	krb5_data */*output*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_crypto_prf_length (
+	krb5_context /*context*/,
+	krb5_enctype /*type*/,
+	size_t */*length*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_data_alloc (
 	krb5_data */*p*/,
 	int /*len*/);
 
-krb5_error_code
+int KRB5_LIB_FUNCTION
+krb5_data_cmp (
+	const krb5_data */*data1*/,
+	const krb5_data */*data2*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_data_copy (
 	krb5_data */*p*/,
 	const void */*data*/,
 	size_t /*len*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_data_free (krb5_data */*p*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_data_realloc (
 	krb5_data */*p*/,
 	int /*len*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_data_zero (krb5_data */*p*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_decode_Authenticator (
 	krb5_context /*context*/,
 	const void */*data*/,
@@ -883,7 +1175,7 @@ krb5_decode_Authenticator (
 	Authenticator */*t*/,
 	size_t */*len*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_decode_ETYPE_INFO (
 	krb5_context /*context*/,
 	const void */*data*/,
@@ -891,7 +1183,15 @@ krb5_decode_ETYPE_INFO (
 	ETYPE_INFO */*t*/,
 	size_t */*len*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_decode_ETYPE_INFO2 (
+	krb5_context /*context*/,
+	const void */*data*/,
+	size_t /*length*/,
+	ETYPE_INFO2 */*t*/,
+	size_t */*len*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_decode_EncAPRepPart (
 	krb5_context /*context*/,
 	const void */*data*/,
@@ -899,7 +1199,7 @@ krb5_decode_EncAPRepPart (
 	EncAPRepPart */*t*/,
 	size_t */*len*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_decode_EncASRepPart (
 	krb5_context /*context*/,
 	const void */*data*/,
@@ -907,7 +1207,7 @@ krb5_decode_EncASRepPart (
 	EncASRepPart */*t*/,
 	size_t */*len*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_decode_EncKrbCredPart (
 	krb5_context /*context*/,
 	const void */*data*/,
@@ -915,7 +1215,7 @@ krb5_decode_EncKrbCredPart (
 	EncKrbCredPart */*t*/,
 	size_t */*len*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_decode_EncTGSRepPart (
 	krb5_context /*context*/,
 	const void */*data*/,
@@ -923,7 +1223,7 @@ krb5_decode_EncTGSRepPart (
 	EncTGSRepPart */*t*/,
 	size_t */*len*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_decode_EncTicketPart (
 	krb5_context /*context*/,
 	const void */*data*/,
@@ -931,13 +1231,13 @@ krb5_decode_EncTicketPart (
 	EncTicketPart */*t*/,
 	size_t */*len*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_decode_ap_req (
 	krb5_context /*context*/,
 	const krb5_data */*inbuf*/,
 	krb5_ap_req */*ap_req*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_decrypt (
 	krb5_context /*context*/,
 	krb5_crypto /*crypto*/,
@@ -946,7 +1246,7 @@ krb5_decrypt (
 	size_t /*len*/,
 	krb5_data */*result*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_decrypt_EncryptedData (
 	krb5_context /*context*/,
 	krb5_crypto /*crypto*/,
@@ -954,7 +1254,7 @@ krb5_decrypt_EncryptedData (
 	const EncryptedData */*e*/,
 	krb5_data */*result*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_decrypt_ivec (
 	krb5_context /*context*/,
 	krb5_crypto /*crypto*/,
@@ -964,7 +1264,7 @@ krb5_decrypt_ivec (
 	krb5_data */*result*/,
 	void */*ivec*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_decrypt_ticket (
 	krb5_context /*context*/,
 	Ticket */*ticket*/,
@@ -972,7 +1272,7 @@ krb5_decrypt_ticket (
 	EncTicketPart */*out*/,
 	krb5_flags /*flags*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_derive_key (
 	krb5_context /*context*/,
 	const krb5_keyblock */*key*/,
@@ -982,6 +1282,182 @@ krb5_derive_key (
 	krb5_keyblock **/*derived_key*/);
 
 krb5_error_code
+krb5_digest_alloc (
+	krb5_context /*context*/,
+	krb5_digest */*digest*/);
+
+void
+krb5_digest_free (krb5_digest /*digest*/);
+
+krb5_error_code
+krb5_digest_get_client_binding (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/,
+	char **/*type*/,
+	char **/*binding*/);
+
+const char *
+krb5_digest_get_identifier (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/);
+
+const char *
+krb5_digest_get_opaque (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/);
+
+const char *
+krb5_digest_get_rsp (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/);
+
+const char *
+krb5_digest_get_server_nonce (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/);
+
+krb5_error_code
+krb5_digest_get_session_key (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/,
+	krb5_data */*data*/);
+
+krb5_error_code
+krb5_digest_get_tickets (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/,
+	Ticket **/*tickets*/);
+
+krb5_error_code
+krb5_digest_init_request (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/,
+	krb5_realm /*realm*/,
+	krb5_ccache /*ccache*/);
+
+krb5_error_code
+krb5_digest_probe (
+	krb5_context /*context*/,
+	krb5_realm /*realm*/,
+	krb5_ccache /*ccache*/,
+	unsigned */*flags*/);
+
+krb5_boolean
+krb5_digest_rep_get_status (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/);
+
+krb5_error_code
+krb5_digest_request (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/,
+	krb5_realm /*realm*/,
+	krb5_ccache /*ccache*/);
+
+krb5_error_code
+krb5_digest_set_authentication_user (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/,
+	krb5_principal /*authentication_user*/);
+
+krb5_error_code
+krb5_digest_set_authid (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/,
+	const char */*authid*/);
+
+krb5_error_code
+krb5_digest_set_client_nonce (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/,
+	const char */*nonce*/);
+
+krb5_error_code
+krb5_digest_set_digest (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/,
+	const char */*dgst*/);
+
+krb5_error_code
+krb5_digest_set_hostname (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/,
+	const char */*hostname*/);
+
+krb5_error_code
+krb5_digest_set_identifier (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/,
+	const char */*id*/);
+
+krb5_error_code
+krb5_digest_set_method (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/,
+	const char */*method*/);
+
+krb5_error_code
+krb5_digest_set_nonceCount (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/,
+	const char */*nonce_count*/);
+
+krb5_error_code
+krb5_digest_set_opaque (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/,
+	const char */*opaque*/);
+
+krb5_error_code
+krb5_digest_set_qop (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/,
+	const char */*qop*/);
+
+krb5_error_code
+krb5_digest_set_realm (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/,
+	const char */*realm*/);
+
+int
+krb5_digest_set_responseData (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/,
+	const char */*response*/);
+
+krb5_error_code
+krb5_digest_set_server_cb (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/,
+	const char */*type*/,
+	const char */*binding*/);
+
+krb5_error_code
+krb5_digest_set_server_nonce (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/,
+	const char */*nonce*/);
+
+krb5_error_code
+krb5_digest_set_type (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/,
+	const char */*type*/);
+
+krb5_error_code
+krb5_digest_set_uri (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/,
+	const char */*uri*/);
+
+krb5_error_code
+krb5_digest_set_username (
+	krb5_context /*context*/,
+	krb5_digest /*digest*/,
+	const char */*username*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_domain_x500_decode (
 	krb5_context /*context*/,
 	krb5_data /*tr*/,
@@ -990,18 +1466,18 @@ krb5_domain_x500_decode (
 	const char */*client_realm*/,
 	const char */*server_realm*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_domain_x500_encode (
 	char **/*realms*/,
 	int /*num_realms*/,
 	krb5_data */*encoding*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_eai_to_heim_errno (
 	int /*eai_errno*/,
 	int /*system_error*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_encode_Authenticator (
 	krb5_context /*context*/,
 	void */*data*/,
@@ -1009,7 +1485,7 @@ krb5_encode_Authenticator (
 	Authenticator */*t*/,
 	size_t */*len*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_encode_ETYPE_INFO (
 	krb5_context /*context*/,
 	void */*data*/,
@@ -1017,7 +1493,15 @@ krb5_encode_ETYPE_INFO (
 	ETYPE_INFO */*t*/,
 	size_t */*len*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_encode_ETYPE_INFO2 (
+	krb5_context /*context*/,
+	void */*data*/,
+	size_t /*length*/,
+	ETYPE_INFO2 */*t*/,
+	size_t */*len*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_encode_EncAPRepPart (
 	krb5_context /*context*/,
 	void */*data*/,
@@ -1025,7 +1509,7 @@ krb5_encode_EncAPRepPart (
 	EncAPRepPart */*t*/,
 	size_t */*len*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_encode_EncASRepPart (
 	krb5_context /*context*/,
 	void */*data*/,
@@ -1033,7 +1517,7 @@ krb5_encode_EncASRepPart (
 	EncASRepPart */*t*/,
 	size_t */*len*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_encode_EncKrbCredPart (
 	krb5_context /*context*/,
 	void */*data*/,
@@ -1041,7 +1525,7 @@ krb5_encode_EncKrbCredPart (
 	EncKrbCredPart */*t*/,
 	size_t */*len*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_encode_EncTGSRepPart (
 	krb5_context /*context*/,
 	void */*data*/,
@@ -1049,7 +1533,7 @@ krb5_encode_EncTGSRepPart (
 	EncTGSRepPart */*t*/,
 	size_t */*len*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_encode_EncTicketPart (
 	krb5_context /*context*/,
 	void */*data*/,
@@ -1057,16 +1541,16 @@ krb5_encode_EncTicketPart (
 	EncTicketPart */*t*/,
 	size_t */*len*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_encrypt (
 	krb5_context /*context*/,
 	krb5_crypto /*crypto*/,
 	unsigned /*usage*/,
-	void */*data*/,
+	const void */*data*/,
 	size_t /*len*/,
 	krb5_data */*result*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_encrypt_EncryptedData (
 	krb5_context /*context*/,
 	krb5_crypto /*crypto*/,
@@ -1076,46 +1560,57 @@ krb5_encrypt_EncryptedData (
 	int /*kvno*/,
 	EncryptedData */*result*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_encrypt_ivec (
 	krb5_context /*context*/,
 	krb5_crypto /*crypto*/,
 	unsigned /*usage*/,
-	void */*data*/,
+	const void */*data*/,
 	size_t /*len*/,
 	krb5_data */*result*/,
 	void */*ivec*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_enctype_disable (
+	krb5_context /*context*/,
+	krb5_enctype /*enctype*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_enctype_keybits (
+	krb5_context /*context*/,
+	krb5_enctype /*type*/,
+	size_t */*keybits*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_enctype_keysize (
 	krb5_context /*context*/,
 	krb5_enctype /*type*/,
 	size_t */*keysize*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_enctype_to_keytype (
 	krb5_context /*context*/,
 	krb5_enctype /*etype*/,
 	krb5_keytype */*keytype*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_enctype_to_string (
 	krb5_context /*context*/,
 	krb5_enctype /*etype*/,
 	char **/*string*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_enctype_valid (
 	krb5_context /*context*/,
 	krb5_enctype /*etype*/);
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_enctypes_compatible_keys (
 	krb5_context /*context*/,
 	krb5_enctype /*etype1*/,
 	krb5_enctype /*etype2*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_err (
 	krb5_context /*context*/,
 	int /*eval*/,
@@ -1124,13 +1619,16 @@ krb5_err (
 	...)
     __attribute__ ((noreturn, format (printf, 4, 5)));
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION 
+    __attribute__((deprecated)) krb5_free_creds_contents (krb5_context context, krb5_creds *c);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_error_from_rd_error (
 	krb5_context /*context*/,
 	const krb5_error */*error*/,
 	const krb5_creds */*creds*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_errx (
 	krb5_context /*context*/,
 	int /*eval*/,
@@ -1138,13 +1636,13 @@ krb5_errx (
 	...)
     __attribute__ ((noreturn, format (printf, 3, 4)));
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_expand_hostname (
 	krb5_context /*context*/,
 	const char */*orig_hostname*/,
 	char **/*new_hostname*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_expand_hostname_realms (
 	krb5_context /*context*/,
 	const char */*orig_hostname*/,
@@ -1156,9 +1654,9 @@ krb5_find_padata (
 	PA_DATA */*val*/,
 	unsigned /*len*/,
 	int /*type*/,
-	int */*index*/);
+	int */*idx*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_format_time (
 	krb5_context /*context*/,
 	time_t /*t*/,
@@ -1166,113 +1664,118 @@ krb5_format_time (
 	size_t /*len*/,
 	krb5_boolean /*include_time*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_free_address (
 	krb5_context /*context*/,
 	krb5_address */*address*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_free_addresses (
 	krb5_context /*context*/,
 	krb5_addresses */*addresses*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_free_ap_rep_enc_part (
 	krb5_context /*context*/,
 	krb5_ap_rep_enc_part */*val*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_free_authenticator (
 	krb5_context /*context*/,
 	krb5_authenticator */*authenticator*/);
 
-void
+void KRB5_LIB_FUNCTION
+krb5_free_checksum (
+	krb5_context /*context*/,
+	krb5_checksum */*cksum*/);
+
+void KRB5_LIB_FUNCTION
+krb5_free_checksum_contents (
+	krb5_context /*context*/,
+	krb5_checksum */*cksum*/);
+
+void KRB5_LIB_FUNCTION
 krb5_free_config_files (char **/*filenames*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_free_context (krb5_context /*context*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_free_cred_contents (
 	krb5_context /*context*/,
 	krb5_creds */*c*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_free_creds (
 	krb5_context /*context*/,
 	krb5_creds */*c*/);
 
-krb5_error_code
-krb5_free_creds_contents (
-	krb5_context /*context*/,
-	krb5_creds */*c*/);
-
-void
+void KRB5_LIB_FUNCTION
 krb5_free_data (
 	krb5_context /*context*/,
 	krb5_data */*p*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_free_data_contents (
 	krb5_context /*context*/,
 	krb5_data */*data*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_free_error (
 	krb5_context /*context*/,
 	krb5_error */*error*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_free_error_contents (
 	krb5_context /*context*/,
 	krb5_error */*error*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_free_error_string (
 	krb5_context /*context*/,
 	char */*str*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_free_host_realm (
 	krb5_context /*context*/,
 	krb5_realm */*realmlist*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_free_kdc_rep (
 	krb5_context /*context*/,
 	krb5_kdc_rep */*rep*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_free_keyblock (
 	krb5_context /*context*/,
 	krb5_keyblock */*keyblock*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_free_keyblock_contents (
 	krb5_context /*context*/,
 	krb5_keyblock */*keyblock*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_free_krbhst (
 	krb5_context /*context*/,
 	char **/*hostlist*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_free_principal (
 	krb5_context /*context*/,
 	krb5_principal /*p*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_free_salt (
 	krb5_context /*context*/,
 	krb5_salt /*salt*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_free_ticket (
 	krb5_context /*context*/,
 	krb5_ticket */*ticket*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_fwd_tgt_creds (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
@@ -1283,40 +1786,47 @@ krb5_fwd_tgt_creds (
 	int /*forwardable*/,
 	krb5_data */*out_data*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_generate_random_block (
 	void */*buf*/,
 	size_t /*len*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_generate_random_keyblock (
 	krb5_context /*context*/,
 	krb5_enctype /*type*/,
 	krb5_keyblock */*key*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_generate_seq_number (
 	krb5_context /*context*/,
 	const krb5_keyblock */*key*/,
-	u_int32_t */*seqno*/);
+	uint32_t */*seqno*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_generate_subkey (
 	krb5_context /*context*/,
 	const krb5_keyblock */*key*/,
 	krb5_keyblock **/*subkey*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_generate_subkey_extended (
+	krb5_context /*context*/,
+	const krb5_keyblock */*key*/,
+	krb5_enctype /*etype*/,
+	krb5_keyblock **/*subkey*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_all_client_addrs (
 	krb5_context /*context*/,
 	krb5_addresses */*res*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_all_server_addrs (
 	krb5_context /*context*/,
 	krb5_addresses */*res*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_cred_from_kdc (
 	krb5_context /*context*/,
 	krb5_ccache /*ccache*/,
@@ -1324,7 +1834,7 @@ krb5_get_cred_from_kdc (
 	krb5_creds **/*out_creds*/,
 	krb5_creds ***/*ret_tgts*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_cred_from_kdc_opt (
 	krb5_context /*context*/,
 	krb5_ccache /*ccache*/,
@@ -1333,7 +1843,7 @@ krb5_get_cred_from_kdc_opt (
 	krb5_creds ***/*ret_tgts*/,
 	krb5_flags /*flags*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_credentials (
 	krb5_context /*context*/,
 	krb5_flags /*options*/,
@@ -1341,7 +1851,7 @@ krb5_get_credentials (
 	krb5_creds */*in_creds*/,
 	krb5_creds **/*out_creds*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_credentials_with_flags (
 	krb5_context /*context*/,
 	krb5_flags /*options*/,
@@ -1350,48 +1860,104 @@ krb5_get_credentials_with_flags (
 	krb5_creds */*in_creds*/,
 	krb5_creds **/*out_creds*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_creds (
+	krb5_context /*context*/,
+	krb5_get_creds_opt /*opt*/,
+	krb5_ccache /*ccache*/,
+	krb5_const_principal /*inprinc*/,
+	krb5_creds **/*out_creds*/);
+
+void KRB5_LIB_FUNCTION
+krb5_get_creds_opt_add_options (
+	krb5_context /*context*/,
+	krb5_get_creds_opt /*opt*/,
+	krb5_flags /*options*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_creds_opt_alloc (
+	krb5_context /*context*/,
+	krb5_get_creds_opt */*opt*/);
+
+void KRB5_LIB_FUNCTION
+krb5_get_creds_opt_free (
+	krb5_context /*context*/,
+	krb5_get_creds_opt /*opt*/);
+
+void KRB5_LIB_FUNCTION
+krb5_get_creds_opt_set_enctype (
+	krb5_context /*context*/,
+	krb5_get_creds_opt /*opt*/,
+	krb5_enctype /*enctype*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_creds_opt_set_impersonate (
+	krb5_context /*context*/,
+	krb5_get_creds_opt /*opt*/,
+	krb5_const_principal /*self*/);
+
+void KRB5_LIB_FUNCTION
+krb5_get_creds_opt_set_options (
+	krb5_context /*context*/,
+	krb5_get_creds_opt /*opt*/,
+	krb5_flags /*options*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_creds_opt_set_ticket (
+	krb5_context /*context*/,
+	krb5_get_creds_opt /*opt*/,
+	const Ticket */*ticket*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_default_config_files (char ***/*pfilenames*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_default_in_tkt_etypes (
 	krb5_context /*context*/,
 	krb5_enctype **/*etypes*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_default_principal (
 	krb5_context /*context*/,
 	krb5_principal */*princ*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_default_realm (
 	krb5_context /*context*/,
 	krb5_realm */*realm*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_default_realms (
 	krb5_context /*context*/,
 	krb5_realm **/*realms*/);
 
-const char *
+krb5_boolean KRB5_LIB_FUNCTION
+krb5_get_dns_canonicalize_hostname (krb5_context /*context*/);
+
+const char* KRB5_LIB_FUNCTION
 krb5_get_err_text (
 	krb5_context /*context*/,
 	krb5_error_code /*code*/);
 
-char*
+char * KRB5_LIB_FUNCTION
+krb5_get_error_message (
+	krb5_context /*context*/,
+	krb5_error_code /*code*/);
+
+char * KRB5_LIB_FUNCTION
 krb5_get_error_string (krb5_context /*context*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_extra_addresses (
 	krb5_context /*context*/,
 	krb5_addresses */*addresses*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_fcache_version (
 	krb5_context /*context*/,
 	int */*version*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_forwarded_creds (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
@@ -1401,25 +1967,18 @@ krb5_get_forwarded_creds (
 	krb5_creds */*in_creds*/,
 	krb5_data */*out_data*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_host_realm (
 	krb5_context /*context*/,
-	const char */*host*/,
+	const char */*targethost*/,
 	krb5_realm **/*realms*/);
 
-krb5_error_code
-krb5_get_host_realm_int (
-	krb5_context /*context*/,
-	const char */*host*/,
-	krb5_boolean /*use_dns*/,
-	krb5_realm **/*realms*/);
-
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_ignore_addresses (
 	krb5_context /*context*/,
 	krb5_addresses */*addresses*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_in_cred (
 	krb5_context /*context*/,
 	krb5_flags /*options*/,
@@ -1434,7 +1993,7 @@ krb5_get_in_cred (
 	krb5_creds */*creds*/,
 	krb5_kdc_rep */*ret_as_reply*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_in_tkt (
 	krb5_context /*context*/,
 	krb5_flags /*options*/,
@@ -1449,7 +2008,7 @@ krb5_get_in_tkt (
 	krb5_ccache /*ccache*/,
 	krb5_kdc_rep */*ret_as_reply*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_in_tkt_with_keytab (
 	krb5_context /*context*/,
 	krb5_flags /*options*/,
@@ -1461,7 +2020,7 @@ krb5_get_in_tkt_with_keytab (
 	krb5_creds */*creds*/,
 	krb5_kdc_rep */*ret_as_reply*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_in_tkt_with_password (
 	krb5_context /*context*/,
 	krb5_flags /*options*/,
@@ -1473,7 +2032,7 @@ krb5_get_in_tkt_with_password (
 	krb5_creds */*creds*/,
 	krb5_kdc_rep */*ret_as_reply*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_in_tkt_with_skey (
 	krb5_context /*context*/,
 	krb5_flags /*options*/,
@@ -1485,7 +2044,28 @@ krb5_get_in_tkt_with_skey (
 	krb5_creds */*creds*/,
 	krb5_kdc_rep */*ret_as_reply*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds (
+	krb5_context /*context*/,
+	krb5_creds */*creds*/,
+	krb5_principal /*client*/,
+	krb5_prompter_fct /*prompter*/,
+	void */*data*/,
+	krb5_deltat /*start_time*/,
+	const char */*in_tkt_service*/,
+	krb5_get_init_creds_opt */*options*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_keyblock (
+	krb5_context /*context*/,
+	krb5_creds */*creds*/,
+	krb5_principal /*client*/,
+	krb5_keyblock */*keyblock*/,
+	krb5_deltat /*start_time*/,
+	const char */*in_tkt_service*/,
+	krb5_get_init_creds_opt */*options*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_init_creds_keytab (
 	krb5_context /*context*/,
 	krb5_creds */*creds*/,
@@ -1495,64 +2075,125 @@ krb5_get_init_creds_keytab (
 	const char */*in_tkt_service*/,
 	krb5_get_init_creds_opt */*options*/);
 
-void
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_opt_alloc (
+	krb5_context /*context*/,
+	krb5_get_init_creds_opt **/*opt*/);
+
+void KRB5_LIB_FUNCTION
+krb5_get_init_creds_opt_free (
+	krb5_context /*context*/,
+	krb5_get_init_creds_opt */*opt*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_opt_get_error (
+	krb5_context /*context*/,
+	krb5_get_init_creds_opt */*opt*/,
+	KRB_ERROR **/*error*/);
+
+void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_init (krb5_get_init_creds_opt */*opt*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_set_address_list (
 	krb5_get_init_creds_opt */*opt*/,
 	krb5_addresses */*addresses*/);
 
-void
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_opt_set_addressless (
+	krb5_context /*context*/,
+	krb5_get_init_creds_opt */*opt*/,
+	krb5_boolean /*addressless*/);
+
+void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_set_anonymous (
 	krb5_get_init_creds_opt */*opt*/,
 	int /*anonymous*/);
 
-void
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_opt_set_canonicalize (
+	krb5_context /*context*/,
+	krb5_get_init_creds_opt */*opt*/,
+	krb5_boolean /*req*/);
+
+void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_set_default_flags (
 	krb5_context /*context*/,
 	const char */*appname*/,
 	krb5_const_realm /*realm*/,
 	krb5_get_init_creds_opt */*opt*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_set_etype_list (
 	krb5_get_init_creds_opt */*opt*/,
 	krb5_enctype */*etype_list*/,
 	int /*etype_list_length*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_set_forwardable (
 	krb5_get_init_creds_opt */*opt*/,
 	int /*forwardable*/);
 
-void
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_opt_set_pa_password (
+	krb5_context /*context*/,
+	krb5_get_init_creds_opt */*opt*/,
+	const char */*password*/,
+	krb5_s2k_proc /*key_proc*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_opt_set_pac_request (
+	krb5_context /*context*/,
+	krb5_get_init_creds_opt */*opt*/,
+	krb5_boolean /*req_pac*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_opt_set_pkinit (
+	krb5_context /*context*/,
+	krb5_get_init_creds_opt */*opt*/,
+	krb5_principal /*principal*/,
+	const char */*user_id*/,
+	const char */*x509_anchors*/,
+	char * const * /*pool*/,
+	char * const * /*pki_revoke*/,
+	int /*flags*/,
+	krb5_prompter_fct /*prompter*/,
+	void */*prompter_data*/,
+	char */*password*/);
+
+void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_set_preauth_list (
 	krb5_get_init_creds_opt */*opt*/,
 	krb5_preauthtype */*preauth_list*/,
 	int /*preauth_list_length*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_set_proxiable (
 	krb5_get_init_creds_opt */*opt*/,
 	int /*proxiable*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_set_renew_life (
 	krb5_get_init_creds_opt */*opt*/,
 	krb5_deltat /*renew_life*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_set_salt (
 	krb5_get_init_creds_opt */*opt*/,
 	krb5_data */*salt*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_set_tkt_life (
 	krb5_get_init_creds_opt */*opt*/,
 	krb5_deltat /*tkt_life*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_opt_set_win2k (
+	krb5_context /*context*/,
+	krb5_get_init_creds_opt */*opt*/,
+	krb5_boolean /*req*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_init_creds_password (
 	krb5_context /*context*/,
 	krb5_creds */*creds*/,
@@ -1562,9 +2203,9 @@ krb5_get_init_creds_password (
 	void */*data*/,
 	krb5_deltat /*start_time*/,
 	const char */*in_tkt_service*/,
-	krb5_get_init_creds_opt */*options*/);
+	krb5_get_init_creds_opt */*in_options*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_kdc_cred (
 	krb5_context /*context*/,
 	krb5_ccache /*id*/,
@@ -1574,66 +2215,86 @@ krb5_get_kdc_cred (
 	krb5_creds */*in_creds*/,
 	krb5_creds **out_creds );
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_kdc_sec_offset (
+	krb5_context /*context*/,
+	int32_t */*sec*/,
+	int32_t */*usec*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_krb524hst (
 	krb5_context /*context*/,
 	const krb5_realm */*realm*/,
 	char ***/*hostlist*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_krb_admin_hst (
 	krb5_context /*context*/,
 	const krb5_realm */*realm*/,
 	char ***/*hostlist*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_krb_changepw_hst (
 	krb5_context /*context*/,
 	const krb5_realm */*realm*/,
 	char ***/*hostlist*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_krbhst (
 	krb5_context /*context*/,
 	const krb5_realm */*realm*/,
 	char ***/*hostlist*/);
 
-krb5_error_code
+time_t KRB5_LIB_FUNCTION
+krb5_get_max_time_skew (krb5_context /*context*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_pw_salt (
 	krb5_context /*context*/,
 	krb5_const_principal /*principal*/,
 	krb5_salt */*salt*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_renewed_creds (
+	krb5_context /*context*/,
+	krb5_creds */*creds*/,
+	krb5_const_principal /*client*/,
+	krb5_ccache /*ccache*/,
+	const char */*in_tkt_service*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_server_rcache (
 	krb5_context /*context*/,
 	const krb5_data */*piece*/,
 	krb5_rcache */*id*/);
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_get_use_admin_kdc (krb5_context /*context*/);
 
+krb5_log_facility * KRB5_LIB_FUNCTION
+krb5_get_warn_dest (krb5_context /*context*/);
+
 size_t
 krb5_get_wrapped_length (
 	krb5_context /*context*/,
 	krb5_crypto /*crypto*/,
 	size_t /*data_len*/);
 
-int
+int KRB5_LIB_FUNCTION
 krb5_getportbyname (
 	krb5_context /*context*/,
 	const char */*service*/,
 	const char */*proto*/,
 	int /*default_port*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_h_addr2addr (
 	krb5_context /*context*/,
 	int /*af*/,
 	const char */*haddr*/,
 	krb5_address */*addr*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_h_addr2sockaddr (
 	krb5_context /*context*/,
 	int /*af*/,
@@ -1642,13 +2303,13 @@ krb5_h_addr2sockaddr (
 	krb5_socklen_t */*sa_size*/,
 	int /*port*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_h_errno_to_heim_errno (int /*eai_errno*/);
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_have_error_string (krb5_context /*context*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_hmac (
 	krb5_context /*context*/,
 	krb5_cksumtype /*cktype*/,
@@ -1658,26 +2319,43 @@ krb5_hmac (
 	krb5_keyblock */*key*/,
 	Checksum */*result*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_init_context (krb5_context */*context*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_init_ets (krb5_context /*context*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_init_etype (
 	krb5_context /*context*/,
 	unsigned */*len*/,
 	krb5_enctype **/*val*/,
 	const krb5_enctype */*etypes*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_initlog (
 	krb5_context /*context*/,
 	const char */*program*/,
 	krb5_log_facility **/*fac*/);
 
-krb5_error_code
+krb5_boolean KRB5_LIB_FUNCTION
+krb5_is_thread_safe (void);
+
+const krb5_enctype * KRB5_LIB_FUNCTION
+krb5_kerberos_enctypes (krb5_context /*context*/);
+
+krb5_enctype
+krb5_keyblock_get_enctype (const krb5_keyblock */*block*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_keyblock_init (
+	krb5_context /*context*/,
+	krb5_enctype /*type*/,
+	const void */*data*/,
+	size_t /*size*/,
+	krb5_keyblock */*key*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_keyblock_key_proc (
 	krb5_context /*context*/,
 	krb5_keytype /*type*/,
@@ -1685,7 +2363,10 @@ krb5_keyblock_key_proc (
 	krb5_const_pointer /*keyseed*/,
 	krb5_keyblock **/*key*/);
 
-krb5_error_code
+void KRB5_LIB_FUNCTION
+krb5_keyblock_zero (krb5_keyblock */*keyblock*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_keytab_key_proc (
 	krb5_context /*context*/,
 	krb5_enctype /*enctype*/,
@@ -1693,81 +2374,89 @@ krb5_keytab_key_proc (
 	krb5_const_pointer /*keyseed*/,
 	krb5_keyblock **/*key*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_keytype_to_enctypes (
 	krb5_context /*context*/,
 	krb5_keytype /*keytype*/,
 	unsigned */*len*/,
 	krb5_enctype **/*val*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_keytype_to_enctypes_default (
 	krb5_context /*context*/,
 	krb5_keytype /*keytype*/,
 	unsigned */*len*/,
 	krb5_enctype **/*val*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_keytype_to_string (
 	krb5_context /*context*/,
 	krb5_keytype /*keytype*/,
 	char **/*string*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_krbhst_format_string (
 	krb5_context /*context*/,
 	const krb5_krbhst_info */*host*/,
 	char */*hostname*/,
 	size_t /*hostlen*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_krbhst_free (
 	krb5_context /*context*/,
 	krb5_krbhst_handle /*handle*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_krbhst_get_addrinfo (
 	krb5_context /*context*/,
 	krb5_krbhst_info */*host*/,
 	struct addrinfo **/*ai*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_krbhst_init (
 	krb5_context /*context*/,
 	const char */*realm*/,
 	unsigned int /*type*/,
 	krb5_krbhst_handle */*handle*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_krbhst_init_flags (
+	krb5_context /*context*/,
+	const char */*realm*/,
+	unsigned int /*type*/,
+	int /*flags*/,
+	krb5_krbhst_handle */*handle*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_krbhst_next (
 	krb5_context /*context*/,
 	krb5_krbhst_handle /*handle*/,
 	krb5_krbhst_info **/*host*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_krbhst_next_as_string (
 	krb5_context /*context*/,
 	krb5_krbhst_handle /*handle*/,
 	char */*hostname*/,
 	size_t /*hostlen*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_krbhst_reset (
 	krb5_context /*context*/,
 	krb5_krbhst_handle /*handle*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_add_entry (
 	krb5_context /*context*/,
 	krb5_keytab /*id*/,
 	krb5_keytab_entry */*entry*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_close (
 	krb5_context /*context*/,
 	krb5_keytab /*id*/);
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_kt_compare (
 	krb5_context /*context*/,
 	krb5_keytab_entry */*entry*/,
@@ -1775,41 +2464,41 @@ krb5_kt_compare (
 	krb5_kvno /*vno*/,
 	krb5_enctype /*enctype*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_copy_entry_contents (
 	krb5_context /*context*/,
 	const krb5_keytab_entry */*in*/,
 	krb5_keytab_entry */*out*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_default (
 	krb5_context /*context*/,
 	krb5_keytab */*id*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_default_modify_name (
 	krb5_context /*context*/,
 	char */*name*/,
 	size_t /*namesize*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_default_name (
 	krb5_context /*context*/,
 	char */*name*/,
 	size_t /*namesize*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_end_seq_get (
 	krb5_context /*context*/,
 	krb5_keytab /*id*/,
 	krb5_kt_cursor */*cursor*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_free_entry (
 	krb5_context /*context*/,
 	krb5_keytab_entry */*entry*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_get_entry (
 	krb5_context /*context*/,
 	krb5_keytab /*id*/,
@@ -1818,28 +2507,34 @@ krb5_kt_get_entry (
 	krb5_enctype /*enctype*/,
 	krb5_keytab_entry */*entry*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_kt_get_full_name (
+	krb5_context /*context*/,
+	krb5_keytab /*keytab*/,
+	char **/*str*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_get_name (
 	krb5_context /*context*/,
 	krb5_keytab /*keytab*/,
 	char */*name*/,
 	size_t /*namesize*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_get_type (
 	krb5_context /*context*/,
 	krb5_keytab /*keytab*/,
 	char */*prefix*/,
 	size_t /*prefixsize*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_next_entry (
 	krb5_context /*context*/,
 	krb5_keytab /*id*/,
 	krb5_keytab_entry */*entry*/,
 	krb5_kt_cursor */*cursor*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_read_service_key (
 	krb5_context /*context*/,
 	krb5_pointer /*keyprocarg*/,
@@ -1848,36 +2543,36 @@ krb5_kt_read_service_key (
 	krb5_enctype /*enctype*/,
 	krb5_keyblock **/*key*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_register (
 	krb5_context /*context*/,
 	const krb5_kt_ops */*ops*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_remove_entry (
 	krb5_context /*context*/,
 	krb5_keytab /*id*/,
 	krb5_keytab_entry */*entry*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_resolve (
 	krb5_context /*context*/,
 	const char */*name*/,
 	krb5_keytab */*id*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_kt_start_seq_get (
 	krb5_context /*context*/,
 	krb5_keytab /*id*/,
 	krb5_kt_cursor */*cursor*/);
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_kuserok (
 	krb5_context /*context*/,
 	krb5_principal /*principal*/,
 	const char */*luser*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_log (
 	krb5_context /*context*/,
 	krb5_log_facility */*fac*/,
@@ -1886,7 +2581,7 @@ krb5_log (
 	...)
     __attribute__((format (printf, 4, 5)));
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_log_msg (
 	krb5_context /*context*/,
 	krb5_log_facility */*fac*/,
@@ -1896,24 +2591,24 @@ krb5_log_msg (
 	...)
     __attribute__((format (printf, 5, 6)));
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_make_addrport (
 	krb5_context /*context*/,
 	krb5_address **/*res*/,
 	const krb5_address */*addr*/,
 	int16_t /*port*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_make_principal (
 	krb5_context /*context*/,
 	krb5_principal */*principal*/,
 	krb5_const_realm /*realm*/,
 	...);
 
-size_t
+size_t KRB5_LIB_FUNCTION
 krb5_max_sockaddr_size (void);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_mk_error (
 	krb5_context /*context*/,
 	krb5_error_code /*error_code*/,
@@ -1925,21 +2620,21 @@ krb5_mk_error (
 	int */*client_usec*/,
 	krb5_data */*reply*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_mk_priv (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	const krb5_data */*userdata*/,
 	krb5_data */*outbuf*/,
-	void */*outdata*/);
+	krb5_replay_data */*outdata*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_mk_rep (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	krb5_data */*outbuf*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_mk_req (
 	krb5_context /*context*/,
 	krb5_auth_context */*auth_context*/,
@@ -1950,7 +2645,7 @@ krb5_mk_req (
 	krb5_ccache /*ccache*/,
 	krb5_data */*outbuf*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_mk_req_exact (
 	krb5_context /*context*/,
 	krb5_auth_context */*auth_context*/,
@@ -1960,7 +2655,7 @@ krb5_mk_req_exact (
 	krb5_ccache /*ccache*/,
 	krb5_data */*outbuf*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_mk_req_extended (
 	krb5_context /*context*/,
 	krb5_auth_context */*auth_context*/,
@@ -1969,63 +2664,241 @@ krb5_mk_req_extended (
 	krb5_creds */*in_creds*/,
 	krb5_data */*outbuf*/);
 
-krb5_error_code
-krb5_mk_req_internal (
-	krb5_context /*context*/,
-	krb5_auth_context */*auth_context*/,
-	const krb5_flags /*ap_req_options*/,
-	krb5_data */*in_data*/,
-	krb5_creds */*in_creds*/,
-	krb5_data */*outbuf*/,
-	krb5_key_usage /*checksum_usage*/,
-	krb5_key_usage /*encrypt_usage*/);
-
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_mk_safe (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	const krb5_data */*userdata*/,
 	krb5_data */*outbuf*/,
-	void */*outdata*/);
+	krb5_replay_data */*outdata*/);
 
-krb5_ssize_t
+krb5_ssize_t KRB5_LIB_FUNCTION
 krb5_net_read (
 	krb5_context /*context*/,
 	void */*p_fd*/,
 	void */*buf*/,
 	size_t /*len*/);
 
-krb5_ssize_t
+krb5_ssize_t KRB5_LIB_FUNCTION
 krb5_net_write (
 	krb5_context /*context*/,
 	void */*p_fd*/,
 	const void */*buf*/,
 	size_t /*len*/);
 
+krb5_ssize_t KRB5_LIB_FUNCTION
+krb5_net_write_block (
+	krb5_context /*context*/,
+	void */*p_fd*/,
+	const void */*buf*/,
+	size_t /*len*/,
+	time_t /*timeout*/);
+
 krb5_error_code
+krb5_ntlm_alloc (
+	krb5_context /*context*/,
+	krb5_ntlm */*ntlm*/);
+
+krb5_error_code
+krb5_ntlm_free (
+	krb5_context /*context*/,
+	krb5_ntlm /*ntlm*/);
+
+krb5_error_code
+krb5_ntlm_init_get_challange (
+	krb5_context /*context*/,
+	krb5_ntlm /*ntlm*/,
+	krb5_data */*challange*/);
+
+krb5_error_code
+krb5_ntlm_init_get_flags (
+	krb5_context /*context*/,
+	krb5_ntlm /*ntlm*/,
+	uint32_t */*flags*/);
+
+krb5_error_code
+krb5_ntlm_init_get_opaque (
+	krb5_context /*context*/,
+	krb5_ntlm /*ntlm*/,
+	krb5_data */*opaque*/);
+
+krb5_error_code
+krb5_ntlm_init_get_targetinfo (
+	krb5_context /*context*/,
+	krb5_ntlm /*ntlm*/,
+	krb5_data */*data*/);
+
+krb5_error_code
+krb5_ntlm_init_get_targetname (
+	krb5_context /*context*/,
+	krb5_ntlm /*ntlm*/,
+	char **/*name*/);
+
+krb5_error_code
+krb5_ntlm_init_request (
+	krb5_context /*context*/,
+	krb5_ntlm /*ntlm*/,
+	krb5_realm /*realm*/,
+	krb5_ccache /*ccache*/,
+	uint32_t /*flags*/,
+	const char */*hostname*/,
+	const char */*domainname*/);
+
+krb5_error_code
+krb5_ntlm_rep_get_sessionkey (
+	krb5_context /*context*/,
+	krb5_ntlm /*ntlm*/,
+	krb5_data */*data*/);
+
+krb5_boolean
+krb5_ntlm_rep_get_status (
+	krb5_context /*context*/,
+	krb5_ntlm /*ntlm*/);
+
+krb5_error_code
+krb5_ntlm_req_set_flags (
+	krb5_context /*context*/,
+	krb5_ntlm /*ntlm*/,
+	uint32_t /*flags*/);
+
+krb5_error_code
+krb5_ntlm_req_set_lm (
+	krb5_context /*context*/,
+	krb5_ntlm /*ntlm*/,
+	void */*hash*/,
+	size_t /*len*/);
+
+krb5_error_code
+krb5_ntlm_req_set_ntlm (
+	krb5_context /*context*/,
+	krb5_ntlm /*ntlm*/,
+	void */*hash*/,
+	size_t /*len*/);
+
+krb5_error_code
+krb5_ntlm_req_set_opaque (
+	krb5_context /*context*/,
+	krb5_ntlm /*ntlm*/,
+	krb5_data */*opaque*/);
+
+krb5_error_code
+krb5_ntlm_req_set_session (
+	krb5_context /*context*/,
+	krb5_ntlm /*ntlm*/,
+	void */*sessionkey*/,
+	size_t /*length*/);
+
+krb5_error_code
+krb5_ntlm_req_set_targetname (
+	krb5_context /*context*/,
+	krb5_ntlm /*ntlm*/,
+	const char */*targetname*/);
+
+krb5_error_code
+krb5_ntlm_req_set_username (
+	krb5_context /*context*/,
+	krb5_ntlm /*ntlm*/,
+	const char */*username*/);
+
+krb5_error_code
+krb5_ntlm_request (
+	krb5_context /*context*/,
+	krb5_ntlm /*ntlm*/,
+	krb5_realm /*realm*/,
+	krb5_ccache /*ccache*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_openlog (
 	krb5_context /*context*/,
 	const char */*program*/,
 	krb5_log_facility **/*fac*/);
 
 krb5_error_code
+krb5_pac_add_buffer (
+	krb5_context /*context*/,
+	krb5_pac /*p*/,
+	uint32_t /*type*/,
+	const krb5_data */*data*/);
+
+void
+krb5_pac_free (
+	krb5_context /*context*/,
+	krb5_pac /*pac*/);
+
+krb5_error_code
+krb5_pac_get_buffer (
+	krb5_context /*context*/,
+	krb5_pac /*p*/,
+	uint32_t /*type*/,
+	krb5_data */*data*/);
+
+krb5_error_code
+krb5_pac_get_types (
+	krb5_context /*context*/,
+	krb5_pac /*p*/,
+	size_t */*len*/,
+	uint32_t **/*types*/);
+
+krb5_error_code
+krb5_pac_init (
+	krb5_context /*context*/,
+	krb5_pac */*pac*/);
+
+krb5_error_code
+krb5_pac_parse (
+	krb5_context /*context*/,
+	const void */*ptr*/,
+	size_t /*len*/,
+	krb5_pac */*pac*/);
+
+krb5_error_code
+krb5_pac_verify (
+	krb5_context /*context*/,
+	const krb5_pac /*pac*/,
+	time_t /*authtime*/,
+	krb5_const_principal /*principal*/,
+	const krb5_keyblock */*server*/,
+	const krb5_keyblock */*privsvr*/);
+
+int KRB5_LIB_FUNCTION
+krb5_padata_add (
+	krb5_context /*context*/,
+	METHOD_DATA */*md*/,
+	int /*type*/,
+	void */*buf*/,
+	size_t /*len*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_parse_address (
 	krb5_context /*context*/,
 	const char */*string*/,
 	krb5_addresses */*addresses*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_parse_name (
 	krb5_context /*context*/,
 	const char */*name*/,
 	krb5_principal */*principal*/);
 
-const char*
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_parse_name_flags (
+	krb5_context /*context*/,
+	const char */*name*/,
+	int /*flags*/,
+	krb5_principal */*principal*/);
+
+krb5_error_code
+krb5_parse_nametype (
+	krb5_context /*context*/,
+	const char */*str*/,
+	int32_t */*nametype*/);
+
+const char* KRB5_LIB_FUNCTION
 krb5_passwd_result_to_string (
 	krb5_context /*context*/,
 	int /*result*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_password_key_proc (
 	krb5_context /*context*/,
 	krb5_enctype /*type*/,
@@ -2033,64 +2906,83 @@ krb5_password_key_proc (
 	krb5_const_pointer /*keyseed*/,
 	krb5_keyblock **/*key*/);
 
-krb5_realm*
+krb5_error_code
+krb5_plugin_register (
+	krb5_context /*context*/,
+	enum krb5_plugin_type /*type*/,
+	const char */*name*/,
+	void */*symbol*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_prepend_config_files (
+	const char */*filelist*/,
+	char **/*pq*/,
+	char ***/*ret_pp*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_prepend_config_files_default (
+	const char */*filelist*/,
+	char ***/*pfilenames*/);
+
+krb5_realm * KRB5_LIB_FUNCTION
 krb5_princ_realm (
 	krb5_context /*context*/,
 	krb5_principal /*principal*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_princ_set_realm (
 	krb5_context /*context*/,
 	krb5_principal /*principal*/,
 	krb5_realm */*realm*/);
 
-krb5_error_code
-krb5_principal2principalname (
-	PrincipalName */*p*/,
-	const krb5_principal /*from*/);
-
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_principal_compare (
 	krb5_context /*context*/,
 	krb5_const_principal /*princ1*/,
 	krb5_const_principal /*princ2*/);
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_principal_compare_any_realm (
 	krb5_context /*context*/,
 	krb5_const_principal /*princ1*/,
 	krb5_const_principal /*princ2*/);
 
-const char *
+const char* KRB5_LIB_FUNCTION
 krb5_principal_get_comp_string (
 	krb5_context /*context*/,
-	krb5_principal /*principal*/,
+	krb5_const_principal /*principal*/,
 	unsigned int /*component*/);
 
-const char *
+const char* KRB5_LIB_FUNCTION
 krb5_principal_get_realm (
 	krb5_context /*context*/,
-	krb5_principal /*principal*/);
+	krb5_const_principal /*principal*/);
 
-int
+int KRB5_LIB_FUNCTION
 krb5_principal_get_type (
 	krb5_context /*context*/,
-	krb5_principal /*principal*/);
+	krb5_const_principal /*principal*/);
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_principal_match (
 	krb5_context /*context*/,
 	krb5_const_principal /*princ*/,
 	krb5_const_principal /*pattern*/);
 
-krb5_error_code
+void KRB5_LIB_FUNCTION
+krb5_principal_set_type (
+	krb5_context /*context*/,
+	krb5_principal /*principal*/,
+	int /*type*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_print_address (
 	const krb5_address */*addr*/,
 	char */*str*/,
 	size_t /*len*/,
 	size_t */*ret_len*/);
 
-int
+int KRB5_LIB_FUNCTION
 krb5_program_setup (
 	krb5_context */*context*/,
 	int /*argc*/,
@@ -2099,7 +2991,7 @@ krb5_program_setup (
 	int /*num_args*/,
 	void (*/*usage*/)(int, struct getargs*, int));
 
-int
+int KRB5_LIB_FUNCTION
 krb5_prompter_posix (
 	krb5_context /*context*/,
 	void */*data*/,
@@ -2108,120 +3000,128 @@ krb5_prompter_posix (
 	int /*num_prompts*/,
 	krb5_prompt prompts[]);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_random_to_key (
+	krb5_context /*context*/,
+	krb5_enctype /*type*/,
+	const void */*data*/,
+	size_t /*size*/,
+	krb5_keyblock */*key*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rc_close (
 	krb5_context /*context*/,
 	krb5_rcache /*id*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rc_default (
 	krb5_context /*context*/,
 	krb5_rcache */*id*/);
 
-const char *
+const char* KRB5_LIB_FUNCTION
 krb5_rc_default_name (krb5_context /*context*/);
 
-const char *
+const char* KRB5_LIB_FUNCTION
 krb5_rc_default_type (krb5_context /*context*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rc_destroy (
 	krb5_context /*context*/,
 	krb5_rcache /*id*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rc_expunge (
 	krb5_context /*context*/,
 	krb5_rcache /*id*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rc_get_lifespan (
 	krb5_context /*context*/,
 	krb5_rcache /*id*/,
 	krb5_deltat */*auth_lifespan*/);
 
-const char*
+const char* KRB5_LIB_FUNCTION
 krb5_rc_get_name (
 	krb5_context /*context*/,
 	krb5_rcache /*id*/);
 
-const char*
+const char* KRB5_LIB_FUNCTION
 krb5_rc_get_type (
 	krb5_context /*context*/,
 	krb5_rcache /*id*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rc_initialize (
 	krb5_context /*context*/,
 	krb5_rcache /*id*/,
 	krb5_deltat /*auth_lifespan*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rc_recover (
 	krb5_context /*context*/,
 	krb5_rcache /*id*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rc_resolve (
 	krb5_context /*context*/,
 	krb5_rcache /*id*/,
 	const char */*name*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rc_resolve_full (
 	krb5_context /*context*/,
 	krb5_rcache */*id*/,
 	const char */*string_name*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rc_resolve_type (
 	krb5_context /*context*/,
 	krb5_rcache */*id*/,
 	const char */*type*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rc_store (
 	krb5_context /*context*/,
 	krb5_rcache /*id*/,
 	krb5_donot_replay */*rep*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rd_cred (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	krb5_data */*in_data*/,
 	krb5_creds ***/*ret_creds*/,
-	krb5_replay_data */*out_data*/);
+	krb5_replay_data */*outdata*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rd_cred2 (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	krb5_ccache /*ccache*/,
 	krb5_data */*in_data*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rd_error (
 	krb5_context /*context*/,
-	krb5_data */*msg*/,
+	const krb5_data */*msg*/,
 	KRB_ERROR */*result*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rd_priv (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	const krb5_data */*inbuf*/,
 	krb5_data */*outbuf*/,
-	void */*outdata*/);
+	krb5_replay_data */*outdata*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rd_rep (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	const krb5_data */*inbuf*/,
 	krb5_ap_rep_enc_part **/*repl*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rd_req (
 	krb5_context /*context*/,
 	krb5_auth_context */*auth_context*/,
@@ -2231,7 +3131,67 @@ krb5_rd_req (
 	krb5_flags */*ap_req_options*/,
 	krb5_ticket **/*ticket*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_ctx (
+	krb5_context /*context*/,
+	krb5_auth_context */*auth_context*/,
+	const krb5_data */*inbuf*/,
+	krb5_const_principal /*server*/,
+	krb5_rd_req_in_ctx /*inctx*/,
+	krb5_rd_req_out_ctx */*outctx*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_in_ctx_alloc (
+	krb5_context /*context*/,
+	krb5_rd_req_in_ctx */*ctx*/);
+
+void KRB5_LIB_FUNCTION
+krb5_rd_req_in_ctx_free (
+	krb5_context /*context*/,
+	krb5_rd_req_in_ctx /*ctx*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_in_set_keyblock (
+	krb5_context /*context*/,
+	krb5_rd_req_in_ctx /*in*/,
+	krb5_keyblock */*keyblock*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_in_set_keytab (
+	krb5_context /*context*/,
+	krb5_rd_req_in_ctx /*in*/,
+	krb5_keytab /*keytab*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_in_set_pac_check (
+	krb5_context /*context*/,
+	krb5_rd_req_in_ctx /*in*/,
+	krb5_boolean /*flag*/);
+
+void KRB5_LIB_FUNCTION
+krb5_rd_req_out_ctx_free (
+	krb5_context /*context*/,
+	krb5_rd_req_out_ctx /*ctx*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_out_get_ap_req_options (
+	krb5_context /*context*/,
+	krb5_rd_req_out_ctx /*out*/,
+	krb5_flags */*ap_req_options*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_out_get_keyblock (
+	krb5_context /*context*/,
+	krb5_rd_req_out_ctx /*out*/,
+	krb5_keyblock **/*keyblock*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_out_get_ticket (
+	krb5_context /*context*/,
+	krb5_rd_req_out_ctx /*out*/,
+	krb5_ticket **/*ticket*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rd_req_with_keyblock (
 	krb5_context /*context*/,
 	krb5_auth_context */*auth_context*/,
@@ -2241,41 +3201,41 @@ krb5_rd_req_with_keyblock (
 	krb5_flags */*ap_req_options*/,
 	krb5_ticket **/*ticket*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rd_safe (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	const krb5_data */*inbuf*/,
 	krb5_data */*outbuf*/,
-	void */*outdata*/);
+	krb5_replay_data */*outdata*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_read_message (
 	krb5_context /*context*/,
 	krb5_pointer /*p_fd*/,
 	krb5_data */*data*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_read_priv_message (
 	krb5_context /*context*/,
 	krb5_auth_context /*ac*/,
 	krb5_pointer /*p_fd*/,
 	krb5_data */*data*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_read_safe_message (
 	krb5_context /*context*/,
 	krb5_auth_context /*ac*/,
 	krb5_pointer /*p_fd*/,
 	krb5_data */*data*/);
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_realm_compare (
 	krb5_context /*context*/,
 	krb5_const_principal /*princ1*/,
 	krb5_const_principal /*princ2*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_recvauth (
 	krb5_context /*context*/,
 	krb5_auth_context */*auth_context*/,
@@ -2286,7 +3246,7 @@ krb5_recvauth (
 	krb5_keytab /*keytab*/,
 	krb5_ticket **/*ticket*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_recvauth_match_version (
 	krb5_context /*context*/,
 	krb5_auth_context */*auth_context*/,
@@ -2298,79 +3258,104 @@ krb5_recvauth_match_version (
 	krb5_keytab /*keytab*/,
 	krb5_ticket **/*ticket*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_address (
 	krb5_storage */*sp*/,
 	krb5_address */*adr*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_addrs (
 	krb5_storage */*sp*/,
 	krb5_addresses */*adr*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_authdata (
 	krb5_storage */*sp*/,
 	krb5_authdata */*auth*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_creds (
 	krb5_storage */*sp*/,
 	krb5_creds */*creds*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_creds_tag (
+	krb5_storage */*sp*/,
+	krb5_creds */*creds*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_data (
 	krb5_storage */*sp*/,
 	krb5_data */*data*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_int16 (
 	krb5_storage */*sp*/,
 	int16_t */*value*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_int32 (
 	krb5_storage */*sp*/,
 	int32_t */*value*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_int8 (
 	krb5_storage */*sp*/,
 	int8_t */*value*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_keyblock (
 	krb5_storage */*sp*/,
 	krb5_keyblock */*p*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_principal (
 	krb5_storage */*sp*/,
 	krb5_principal */*princ*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_string (
 	krb5_storage */*sp*/,
 	char **/*string*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_stringnl (
+	krb5_storage */*sp*/,
+	char **/*string*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_stringz (
 	krb5_storage */*sp*/,
 	char **/*string*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_times (
 	krb5_storage */*sp*/,
 	krb5_times */*times*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_uint16 (
+	krb5_storage */*sp*/,
+	uint16_t */*value*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_uint32 (
+	krb5_storage */*sp*/,
+	uint32_t */*value*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_uint8 (
+	krb5_storage */*sp*/,
+	uint8_t */*value*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_salttype_to_string (
 	krb5_context /*context*/,
 	krb5_enctype /*etype*/,
 	krb5_salttype /*stype*/,
 	char **/*string*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_sendauth (
 	krb5_context /*context*/,
 	krb5_auth_context */*auth_context*/,
@@ -2386,96 +3371,155 @@ krb5_sendauth (
 	krb5_ap_rep_enc_part **/*rep_result*/,
 	krb5_creds **/*out_creds*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_sendto (
 	krb5_context /*context*/,
 	const krb5_data */*send_data*/,
 	krb5_krbhst_handle /*handle*/,
 	krb5_data */*receive*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_sendto_context (
+	krb5_context /*context*/,
+	krb5_sendto_ctx /*ctx*/,
+	const krb5_data */*send_data*/,
+	const krb5_realm /*realm*/,
+	krb5_data */*receive*/);
+
+void KRB5_LIB_FUNCTION
+krb5_sendto_ctx_add_flags (
+	krb5_sendto_ctx /*ctx*/,
+	int /*flags*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_sendto_ctx_alloc (
+	krb5_context /*context*/,
+	krb5_sendto_ctx */*ctx*/);
+
+void KRB5_LIB_FUNCTION
+krb5_sendto_ctx_free (
+	krb5_context /*context*/,
+	krb5_sendto_ctx /*ctx*/);
+
+int KRB5_LIB_FUNCTION
+krb5_sendto_ctx_get_flags (krb5_sendto_ctx /*ctx*/);
+
+void KRB5_LIB_FUNCTION
+krb5_sendto_ctx_set_func (
+	krb5_sendto_ctx /*ctx*/,
+	krb5_sendto_ctx_func /*func*/,
+	void */*data*/);
+
+void KRB5_LIB_FUNCTION
+krb5_sendto_ctx_set_type (
+	krb5_sendto_ctx /*ctx*/,
+	int /*type*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_sendto_kdc (
 	krb5_context /*context*/,
 	const krb5_data */*send_data*/,
 	const krb5_realm */*realm*/,
 	krb5_data */*receive*/);
 
-krb5_error_code
-krb5_sendto_kdc2 (
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_sendto_kdc_flags (
 	krb5_context /*context*/,
 	const krb5_data */*send_data*/,
 	const krb5_realm */*realm*/,
 	krb5_data */*receive*/,
-	krb5_boolean /*master*/);
+	int /*flags*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_set_config_files (
 	krb5_context /*context*/,
 	char **/*filenames*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_set_default_in_tkt_etypes (
 	krb5_context /*context*/,
 	const krb5_enctype */*etypes*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_set_default_realm (
 	krb5_context /*context*/,
 	const char */*realm*/);
 
-krb5_error_code
+void KRB5_LIB_FUNCTION
+krb5_set_dns_canonicalize_hostname (
+	krb5_context /*context*/,
+	krb5_boolean /*flag*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_set_error_string (
 	krb5_context /*context*/,
 	const char */*fmt*/,
 	...)
     __attribute__((format (printf, 2, 3)));
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_set_extra_addresses (
 	krb5_context /*context*/,
 	const krb5_addresses */*addresses*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_set_fcache_version (
 	krb5_context /*context*/,
 	int /*version*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_set_ignore_addresses (
 	krb5_context /*context*/,
 	const krb5_addresses */*addresses*/);
 
-krb5_error_code
+void KRB5_LIB_FUNCTION
+krb5_set_max_time_skew (
+	krb5_context /*context*/,
+	time_t /*t*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_set_password (
 	krb5_context /*context*/,
 	krb5_creds */*creds*/,
-	char */*newpw*/,
+	const char */*newpw*/,
 	krb5_principal /*targprinc*/,
 	int */*result_code*/,
 	krb5_data */*result_code_string*/,
 	krb5_data */*result_string*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_set_password_using_ccache (
 	krb5_context /*context*/,
 	krb5_ccache /*ccache*/,
-	char */*newpw*/,
+	const char */*newpw*/,
 	krb5_principal /*targprinc*/,
 	int */*result_code*/,
 	krb5_data */*result_code_string*/,
 	krb5_data */*result_string*/);
 
-void
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_set_real_time (
+	krb5_context /*context*/,
+	krb5_timestamp /*sec*/,
+	int32_t /*usec*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_set_send_to_kdc_func (
+	krb5_context /*context*/,
+	krb5_send_to_kdc_func /*func*/,
+	void */*data*/);
+
+void KRB5_LIB_FUNCTION
 krb5_set_use_admin_kdc (
 	krb5_context /*context*/,
 	krb5_boolean /*flag*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_set_warn_dest (
 	krb5_context /*context*/,
 	krb5_log_facility */*fac*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_sname_to_principal (
 	krb5_context /*context*/,
 	const char */*hostname*/,
@@ -2483,7 +3527,7 @@ krb5_sname_to_principal (
 	int32_t /*type*/,
 	krb5_principal */*ret_princ*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_sock_to_principal (
 	krb5_context /*context*/,
 	int /*sock*/,
@@ -2491,174 +3535,204 @@ krb5_sock_to_principal (
 	int32_t /*type*/,
 	krb5_principal */*ret_princ*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_sockaddr2address (
 	krb5_context /*context*/,
 	const struct sockaddr */*sa*/,
 	krb5_address */*addr*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_sockaddr2port (
 	krb5_context /*context*/,
 	const struct sockaddr */*sa*/,
 	int16_t */*port*/);
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_sockaddr_uninteresting (const struct sockaddr */*sa*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_std_usage (
 	int /*code*/,
 	struct getargs */*args*/,
 	int /*num_args*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_storage_clear_flags (
 	krb5_storage */*sp*/,
 	krb5_flags /*flags*/);
 
-krb5_storage *
+krb5_storage * KRB5_LIB_FUNCTION
 krb5_storage_emem (void);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_storage_free (krb5_storage */*sp*/);
 
-krb5_storage *
+krb5_storage * KRB5_LIB_FUNCTION
 krb5_storage_from_data (krb5_data */*data*/);
 
-krb5_storage *
+krb5_storage * KRB5_LIB_FUNCTION
 krb5_storage_from_fd (int /*fd*/);
 
-krb5_storage *
+krb5_storage * KRB5_LIB_FUNCTION
 krb5_storage_from_mem (
 	void */*buf*/,
 	size_t /*len*/);
 
-krb5_flags
+krb5_storage * KRB5_LIB_FUNCTION
+krb5_storage_from_readonly_mem (
+	const void */*buf*/,
+	size_t /*len*/);
+
+krb5_flags KRB5_LIB_FUNCTION
 krb5_storage_get_byteorder (
 	krb5_storage */*sp*/,
 	krb5_flags /*byteorder*/);
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_storage_is_flags (
 	krb5_storage */*sp*/,
 	krb5_flags /*flags*/);
 
-krb5_ssize_t
+krb5_ssize_t KRB5_LIB_FUNCTION
 krb5_storage_read (
 	krb5_storage */*sp*/,
 	void */*buf*/,
 	size_t /*len*/);
 
-off_t
+off_t KRB5_LIB_FUNCTION
 krb5_storage_seek (
 	krb5_storage */*sp*/,
 	off_t /*offset*/,
 	int /*whence*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_storage_set_byteorder (
 	krb5_storage */*sp*/,
 	krb5_flags /*byteorder*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_storage_set_eof_code (
 	krb5_storage */*sp*/,
 	int /*code*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_storage_set_flags (
 	krb5_storage */*sp*/,
 	krb5_flags /*flags*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_storage_to_data (
 	krb5_storage */*sp*/,
 	krb5_data */*data*/);
 
-krb5_ssize_t
+krb5_ssize_t KRB5_LIB_FUNCTION
 krb5_storage_write (
 	krb5_storage */*sp*/,
 	const void */*buf*/,
 	size_t /*len*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_address (
 	krb5_storage */*sp*/,
 	krb5_address /*p*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_addrs (
 	krb5_storage */*sp*/,
 	krb5_addresses /*p*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_authdata (
 	krb5_storage */*sp*/,
 	krb5_authdata /*auth*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_creds (
 	krb5_storage */*sp*/,
 	krb5_creds */*creds*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_creds_tag (
+	krb5_storage */*sp*/,
+	krb5_creds */*creds*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_data (
 	krb5_storage */*sp*/,
 	krb5_data /*data*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_int16 (
 	krb5_storage */*sp*/,
 	int16_t /*value*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_int32 (
 	krb5_storage */*sp*/,
 	int32_t /*value*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_int8 (
 	krb5_storage */*sp*/,
 	int8_t /*value*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_keyblock (
 	krb5_storage */*sp*/,
 	krb5_keyblock /*p*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_principal (
 	krb5_storage */*sp*/,
-	krb5_principal /*p*/);
+	krb5_const_principal /*p*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_string (
 	krb5_storage */*sp*/,
 	const char */*s*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_stringnl (
+	krb5_storage */*sp*/,
+	const char */*s*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_stringz (
 	krb5_storage */*sp*/,
 	const char */*s*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_times (
 	krb5_storage */*sp*/,
 	krb5_times /*times*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_uint16 (
+	krb5_storage */*sp*/,
+	uint16_t /*value*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_uint32 (
+	krb5_storage */*sp*/,
+	uint32_t /*value*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_uint8 (
+	krb5_storage */*sp*/,
+	uint8_t /*value*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_string_to_deltat (
 	const char */*string*/,
 	krb5_deltat */*deltat*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_string_to_enctype (
 	krb5_context /*context*/,
 	const char */*string*/,
 	krb5_enctype */*etype*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_string_to_key (
 	krb5_context /*context*/,
 	krb5_enctype /*enctype*/,
@@ -2666,7 +3740,7 @@ krb5_string_to_key (
 	krb5_principal /*principal*/,
 	krb5_keyblock */*key*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_string_to_key_data (
 	krb5_context /*context*/,
 	krb5_enctype /*enctype*/,
@@ -2674,7 +3748,7 @@ krb5_string_to_key_data (
 	krb5_principal /*principal*/,
 	krb5_keyblock */*key*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_string_to_key_data_salt (
 	krb5_context /*context*/,
 	krb5_enctype /*enctype*/,
@@ -2682,7 +3756,7 @@ krb5_string_to_key_data_salt (
 	krb5_salt /*salt*/,
 	krb5_keyblock */*key*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_string_to_key_data_salt_opaque (
 	krb5_context /*context*/,
 	krb5_enctype /*enctype*/,
@@ -2691,7 +3765,7 @@ krb5_string_to_key_data_salt_opaque (
 	krb5_data /*opaque*/,
 	krb5_keyblock */*key*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_string_to_key_derived (
 	krb5_context /*context*/,
 	const void */*str*/,
@@ -2699,7 +3773,7 @@ krb5_string_to_key_derived (
 	krb5_enctype /*etype*/,
 	krb5_keyblock */*key*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_string_to_key_salt (
 	krb5_context /*context*/,
 	krb5_enctype /*enctype*/,
@@ -2707,57 +3781,105 @@ krb5_string_to_key_salt (
 	krb5_salt /*salt*/,
 	krb5_keyblock */*key*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_string_to_key_salt_opaque (
+	krb5_context /*context*/,
+	krb5_enctype /*enctype*/,
+	const char */*password*/,
+	krb5_salt /*salt*/,
+	krb5_data /*opaque*/,
+	krb5_keyblock */*key*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_string_to_keytype (
 	krb5_context /*context*/,
 	const char */*string*/,
 	krb5_keytype */*keytype*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_string_to_salttype (
 	krb5_context /*context*/,
 	krb5_enctype /*etype*/,
 	const char */*string*/,
 	krb5_salttype */*salttype*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ticket_get_authorization_data_type (
+	krb5_context /*context*/,
+	krb5_ticket */*ticket*/,
+	int /*type*/,
+	krb5_data */*data*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ticket_get_client (
+	krb5_context /*context*/,
+	const krb5_ticket */*ticket*/,
+	krb5_principal */*client*/);
+
+time_t KRB5_LIB_FUNCTION
+krb5_ticket_get_endtime (
+	krb5_context /*context*/,
+	const krb5_ticket */*ticket*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ticket_get_server (
+	krb5_context /*context*/,
+	const krb5_ticket */*ticket*/,
+	krb5_principal */*server*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_timeofday (
 	krb5_context /*context*/,
 	krb5_timestamp */*timeret*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_unparse_name (
 	krb5_context /*context*/,
 	krb5_const_principal /*principal*/,
 	char **/*name*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_unparse_name_fixed (
 	krb5_context /*context*/,
 	krb5_const_principal /*principal*/,
 	char */*name*/,
 	size_t /*len*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_unparse_name_fixed_flags (
+	krb5_context /*context*/,
+	krb5_const_principal /*principal*/,
+	int /*flags*/,
+	char */*name*/,
+	size_t /*len*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_unparse_name_fixed_short (
 	krb5_context /*context*/,
 	krb5_const_principal /*principal*/,
 	char */*name*/,
 	size_t /*len*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_unparse_name_flags (
+	krb5_context /*context*/,
+	krb5_const_principal /*principal*/,
+	int /*flags*/,
+	char **/*name*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_unparse_name_short (
 	krb5_context /*context*/,
 	krb5_const_principal /*principal*/,
 	char **/*name*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_us_timeofday (
 	krb5_context /*context*/,
-	int32_t */*sec*/,
+	krb5_timestamp */*sec*/,
 	int32_t */*usec*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_vabort (
 	krb5_context /*context*/,
 	krb5_error_code /*code*/,
@@ -2765,14 +3887,14 @@ krb5_vabort (
 	va_list /*ap*/)
     __attribute__ ((noreturn, format (printf, 3, 0)));
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_vabortx (
 	krb5_context /*context*/,
 	const char */*fmt*/,
 	va_list /*ap*/)
     __attribute__ ((noreturn, format (printf, 2, 0)));
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_verify_ap_req (
 	krb5_context /*context*/,
 	krb5_auth_context */*auth_context*/,
@@ -2783,7 +3905,7 @@ krb5_verify_ap_req (
 	krb5_flags */*ap_req_options*/,
 	krb5_ticket **/*ticket*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_verify_ap_req2 (
 	krb5_context /*context*/,
 	krb5_auth_context */*auth_context*/,
@@ -2795,14 +3917,14 @@ krb5_verify_ap_req2 (
 	krb5_ticket **/*ticket*/,
 	krb5_key_usage /*usage*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_verify_authenticator_checksum (
 	krb5_context /*context*/,
 	krb5_auth_context /*ac*/,
 	void */*data*/,
 	size_t /*len*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_verify_checksum (
 	krb5_context /*context*/,
 	krb5_crypto /*crypto*/,
@@ -2811,7 +3933,7 @@ krb5_verify_checksum (
 	size_t /*len*/,
 	Checksum */*cksum*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_verify_init_creds (
 	krb5_context /*context*/,
 	krb5_creds */*creds*/,
@@ -2820,43 +3942,51 @@ krb5_verify_init_creds (
 	krb5_ccache */*ccache*/,
 	krb5_verify_init_creds_opt */*options*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_verify_init_creds_opt_init (krb5_verify_init_creds_opt */*options*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_verify_init_creds_opt_set_ap_req_nofail (
 	krb5_verify_init_creds_opt */*options*/,
 	int /*ap_req_nofail*/);
 
-void
+int KRB5_LIB_FUNCTION
+krb5_verify_opt_alloc (
+	krb5_context /*context*/,
+	krb5_verify_opt **/*opt*/);
+
+void KRB5_LIB_FUNCTION
+krb5_verify_opt_free (krb5_verify_opt */*opt*/);
+
+void KRB5_LIB_FUNCTION
 krb5_verify_opt_init (krb5_verify_opt */*opt*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_verify_opt_set_ccache (
 	krb5_verify_opt */*opt*/,
 	krb5_ccache /*ccache*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_verify_opt_set_flags (
 	krb5_verify_opt */*opt*/,
 	unsigned int /*flags*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_verify_opt_set_keytab (
 	krb5_verify_opt */*opt*/,
 	krb5_keytab /*keytab*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_verify_opt_set_secure (
 	krb5_verify_opt */*opt*/,
 	krb5_boolean /*secure*/);
 
-void
+void KRB5_LIB_FUNCTION
 krb5_verify_opt_set_service (
 	krb5_verify_opt */*opt*/,
 	const char */*service*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_verify_user (
 	krb5_context /*context*/,
 	krb5_principal /*principal*/,
@@ -2865,7 +3995,7 @@ krb5_verify_user (
 	krb5_boolean /*secure*/,
 	const char */*service*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_verify_user_lrealm (
 	krb5_context /*context*/,
 	krb5_principal /*principal*/,
@@ -2874,14 +4004,14 @@ krb5_verify_user_lrealm (
 	krb5_boolean /*secure*/,
 	const char */*service*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_verify_user_opt (
 	krb5_context /*context*/,
 	krb5_principal /*principal*/,
 	const char */*password*/,
 	krb5_verify_opt */*opt*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_verr (
 	krb5_context /*context*/,
 	int /*eval*/,
@@ -2890,7 +4020,7 @@ krb5_verr (
 	va_list /*ap*/)
     __attribute__ ((noreturn, format (printf, 4, 0)));
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_verrx (
 	krb5_context /*context*/,
 	int /*eval*/,
@@ -2898,7 +4028,7 @@ krb5_verrx (
 	va_list /*ap*/)
     __attribute__ ((noreturn, format (printf, 3, 0)));
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_vlog (
 	krb5_context /*context*/,
 	krb5_log_facility */*fac*/,
@@ -2907,7 +4037,7 @@ krb5_vlog (
 	va_list /*ap*/)
     __attribute__((format (printf, 4, 0)));
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_vlog_msg (
 	krb5_context /*context*/,
 	krb5_log_facility */*fac*/,
@@ -2917,14 +4047,14 @@ krb5_vlog_msg (
 	va_list /*ap*/)
     __attribute__((format (printf, 5, 0)));
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_vset_error_string (
 	krb5_context /*context*/,
 	const char */*fmt*/,
 	va_list /*args*/)
     __attribute__ ((format (printf, 2, 0)));
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_vwarn (
 	krb5_context /*context*/,
 	krb5_error_code /*code*/,
@@ -2932,14 +4062,14 @@ krb5_vwarn (
 	va_list /*ap*/)
     __attribute__ ((format (printf, 3, 0)));
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_vwarnx (
 	krb5_context /*context*/,
 	const char */*fmt*/,
 	va_list /*ap*/)
     __attribute__ ((format (printf, 2, 0)));
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_warn (
 	krb5_context /*context*/,
 	krb5_error_code /*code*/,
@@ -2947,40 +4077,38 @@ krb5_warn (
 	...)
     __attribute__ ((format (printf, 3, 4)));
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_warnx (
 	krb5_context /*context*/,
 	const char */*fmt*/,
 	...)
     __attribute__ ((format (printf, 2, 3)));
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_write_message (
 	krb5_context /*context*/,
 	krb5_pointer /*p_fd*/,
 	krb5_data */*data*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_write_priv_message (
 	krb5_context /*context*/,
 	krb5_auth_context /*ac*/,
 	krb5_pointer /*p_fd*/,
 	krb5_data */*data*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_write_safe_message (
 	krb5_context /*context*/,
 	krb5_auth_context /*ac*/,
 	krb5_pointer /*p_fd*/,
 	krb5_data */*data*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_xfree (void */*ptr*/);
 
-krb5_error_code
-principalname2krb5_principal (
-	krb5_principal */*principal*/,
-	const PrincipalName /*from*/,
-	const Realm /*realm*/);
+#ifdef __cplusplus
+}
+#endif
 
 #endif /* __krb5_protos_h__ */
diff --git a/crypto/heimdal/lib/krb5/krb5-v4compat.h b/crypto/heimdal/lib/krb5/krb5-v4compat.h
index 2f89281..dfd7e94 100644
--- a/crypto/heimdal/lib/krb5/krb5-v4compat.h
+++ b/crypto/heimdal/lib/krb5/krb5-v4compat.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,11 +31,13 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: krb5-v4compat.h,v 1.2 2003/03/18 03:08:20 lha Exp $ */
+/* $Id: krb5-v4compat.h 21575 2007-07-16 07:44:54Z lha $ */
 
 #ifndef __KRB5_V4COMPAT_H__
 #define __KRB5_V4COMPAT_H__
 
+#include "krb_err.h"
+
 /* 
  * This file must only be included with v4 compat glue stuff in
  * heimdal sources.
@@ -43,6 +45,26 @@
  * It MUST NOT be installed.
  */
 
+#define		KRB_PROT_VERSION 	4
+
+#define		AUTH_MSG_KDC_REQUEST			 (1<<1)
+#define 	AUTH_MSG_KDC_REPLY			 (2<<1)
+#define		AUTH_MSG_APPL_REQUEST			 (3<<1)
+#define		AUTH_MSG_APPL_REQUEST_MUTUAL		 (4<<1)
+#define		AUTH_MSG_ERR_REPLY			 (5<<1)
+#define		AUTH_MSG_PRIVATE			 (6<<1)
+#define		AUTH_MSG_SAFE				 (7<<1)
+#define		AUTH_MSG_APPL_ERR			 (8<<1)
+#define		AUTH_MSG_KDC_FORWARD			 (9<<1)
+#define		AUTH_MSG_KDC_RENEW			(10<<1)
+#define 	AUTH_MSG_DIE				(63<<1)
+
+/* General definitions */
+#define		KSUCCESS	0
+#define		KFAILURE	255
+
+/* */
+
 #define		MAX_KTXT_LEN	1250
 
 #define 	ANAME_SZ	40
@@ -53,14 +75,14 @@
 struct ktext {
     unsigned int length;		/* Length of the text */
     unsigned char dat[MAX_KTXT_LEN];	/* The data itself */
-    u_int32_t mbz;		/* zero to catch runaway strings */
+    uint32_t mbz;		/* zero to catch runaway strings */
 };
 
 struct credentials {
     char    service[ANAME_SZ];	/* Service name */
     char    instance[INST_SZ];	/* Instance */
     char    realm[REALM_SZ];	/* Auth domain */
-    des_cblock session;		/* Session key */
+    char    session[8];		/* Session key */
     int     lifetime;		/* Lifetime */
     int     kvno;		/* Key version number */
     struct ktext ticket_st;	/* The ticket itself */
@@ -69,7 +91,6 @@ struct credentials {
     char    pinst[INST_SZ];	/* Principal's instance */
 };
 
-
 #define TKTLIFENUMFIXED 64
 #define TKTLIFEMINFIXED 0x80
 #define TKTLIFEMAXFIXED 0xBF
@@ -81,11 +102,29 @@ struct credentials {
 
 #define		KERB_ERR_NULL_KEY	10
 
-int
-_krb5_krb_time_to_life(time_t start, time_t end);
+#define 	CLOCK_SKEW	5*60
+
+#ifndef TKT_ROOT
+#define TKT_ROOT "/tmp/tkt"
+#endif
+
+struct _krb5_krb_auth_data {
+    int8_t  k_flags;		/* Flags from ticket */
+    char    *pname;		/* Principal's name */
+    char    *pinst;		/* His Instance */
+    char    *prealm;		/* His Realm */
+    uint32_t checksum;		/* Data checksum (opt) */
+    krb5_keyblock session;	/* Session Key */
+    unsigned char life;		/* Life of ticket */
+    uint32_t time_sec;		/* Time ticket issued */
+    uint32_t address;		/* Address in ticket */
+};
 
-time_t
-_krb5_krb_life_to_time(int start, int life_);
+time_t		_krb5_krb_life_to_time (int, int);
+int		_krb5_krb_time_to_life (time_t, time_t);
+krb5_error_code	_krb5_krb_tf_setup (krb5_context, struct credentials *,
+				    const char *, int);
+krb5_error_code	_krb5_krb_dest_tkt(krb5_context, const char *);
 
 #define krb_time_to_life	_krb5_krb_time_to_life
 #define krb_life_to_time	_krb5_krb_life_to_time
diff --git a/crypto/heimdal/lib/krb5/krb5.3 b/crypto/heimdal/lib/krb5/krb5.3
index 8e169a0..3ce8c1f 100644
--- a/crypto/heimdal/lib/krb5/krb5.3
+++ b/crypto/heimdal/lib/krb5/krb5.3
@@ -1,57 +1,68 @@
-.\" Copyright (c) 2001, 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" Copyright (c) 2001, 2003 - 2006 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.Dd March 20, 2003
+.\" $Id: krb5.3 18212 2006-10-03 10:39:35Z lha $
+.\"
+.Dd May  1, 2006
 .Dt KRB5 3
 .Os
 .Sh NAME
 .Nm krb5
-.Nd kerberos 5 library
+.Nd Kerberos 5 library
 .Sh LIBRARY
 Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
 .Sh DESCRIPTION
 These functions constitute the Kerberos 5 library,
 .Em libkrb5 .
-Declarations for these functions may be obtained from the include file
-.Pa krb5.h .
 .Sh LIST OF FUNCTIONS
 .sp 2
 .nf
-.ta \w'krb5_checksum_is_collision_proof.3'u+2n +\w'Description goes here'u
+.ta \w'krb5_ticket_get_authorization_data_type.3'u+2n +\w'Description goes here'u
 \fIName/Page\fP	\fIDescription\fP
-.ta \w'krb5_checksum_is_collision_proof.3'u+2n +\w'Description goes here'u+6nC
+.ta \w'krb5_ticket_get_authorization_data_type.3'u+2n +\w'Description goes here'u+6nC
 .sp 5p
+krb524_convert_creds_kdc.3
+krb524_convert_creds_kdc_cache.3
 krb5_425_conv_principal.3
 krb5_425_conv_principal_ext.3
 krb5_524_conv_principal.3
+krb5_abort.3
+krb5_abortx.3
+krb5_acl_match_file.3
+krb5_acl_match_string.3
+krb5_add_et_list.3
+krb5_add_extra_addresses.3
+krb5_add_ignore_addresses.3
 krb5_addlog_dest.3
 krb5_addlog_func.3
 krb5_addr2sockaddr.3
@@ -60,45 +71,68 @@ krb5_address_compare.3
 krb5_address_order.3
 krb5_address_search.3
 krb5_addresses.3
+krb5_aname_to_localname.3
 krb5_anyaddr.3
 krb5_appdefault_boolean.3
 krb5_appdefault_string.3
 krb5_appdefault_time.3
 krb5_append_addresses.3
+krb5_auth_con_addflags.3
 krb5_auth_con_free.3
 krb5_auth_con_genaddrs.3
+krb5_auth_con_generatelocalsubkey.3
 krb5_auth_con_getaddrs.3
+krb5_auth_con_getauthenticator.3
+krb5_auth_con_getcksumtype.3
 krb5_auth_con_getflags.3
 krb5_auth_con_getkey.3
+krb5_auth_con_getkeytype.3
+krb5_auth_con_getlocalseqnumber.3
 krb5_auth_con_getlocalsubkey.3
 krb5_auth_con_getrcache.3
 krb5_auth_con_getremotesubkey.3
 krb5_auth_con_getuserkey.3
 krb5_auth_con_init.3
 krb5_auth_con_initivector.3
+krb5_auth_con_removeflags.3
 krb5_auth_con_setaddrs.3
 krb5_auth_con_setaddrs_from_fd.3
+krb5_auth_con_setcksumtype.3
 krb5_auth_con_setflags.3
 krb5_auth_con_setivector.3
 krb5_auth_con_setkey.3
+krb5_auth_con_setkeytype.3
+krb5_auth_con_setlocalseqnumber.3
 krb5_auth_con_setlocalsubkey.3
 krb5_auth_con_setrcache.3
+krb5_auth_con_setremoteseqnumber.3
 krb5_auth_con_setremotesubkey.3
 krb5_auth_con_setuserkey.3
 krb5_auth_context.3
-krb5_auth_getauthenticator.3
-krb5_auth_getcksumtype.3
-krb5_auth_getkeytype.3
-krb5_auth_getlocalseqnumber.3
 krb5_auth_getremoteseqnumber.3
-krb5_auth_setcksumtype.3
-krb5_auth_setkeytype.3
-krb5_auth_setlocalseqnumber.3
-krb5_auth_setremoteseqnumber.3
 krb5_build_principal.3
 krb5_build_principal_ext.3
 krb5_build_principal_va.3
 krb5_build_principal_va_ext.3
+krb5_c_block_size.3
+krb5_c_checksum_length.3
+krb5_c_decrypt.3
+krb5_c_encrypt.3
+krb5_c_encrypt_length.3
+krb5_c_enctype_compare.3
+krb5_c_get_checksum.3
+krb5_c_is_coll_proof_cksum.3
+krb5_c_is_keyed_cksum.3
+krb5_c_make_checksum.3
+krb5_c_make_random_key.3
+krb5_c_set_checksum.3
+krb5_c_valid_cksumtype.3
+krb5_c_valid_enctype.3
+krb5_c_verify_checksum.3
+krb5_cc_cache_end_seq_get.3
+krb5_cc_cache_get_first.3
+krb5_cc_cache_match.3
+krb5_cc_cache_next.3
 krb5_cc_close.3
 krb5_cc_copy_cache.3
 krb5_cc_default.3
@@ -106,11 +140,14 @@ krb5_cc_default_name.3
 krb5_cc_destroy.3
 krb5_cc_end_seq_get.3
 krb5_cc_gen_new.3
+krb5_cc_get_full_name.3
 krb5_cc_get_name.3
+krb5_cc_get_ops.3
 krb5_cc_get_principal.3
 krb5_cc_get_type.3
 krb5_cc_get_version.3
 krb5_cc_initialize.3
+krb5_cc_new_unique.3
 krb5_cc_next_cred.3
 krb5_cc_register.3
 krb5_cc_remove_cred.3
@@ -119,20 +156,62 @@ krb5_cc_retrieve_cred.3
 krb5_cc_set_default_name.3
 krb5_cc_set_flags.3
 krb5_cc_store_cred.3
+krb5_change_password.3
+krb5_check_transited.3
+krb5_check_transited_realms.3
+krb5_checksum_disable.3
+krb5_checksum_free.3
 krb5_checksum_is_collision_proof.3
 krb5_checksum_is_keyed.3
 krb5_checksumsize.3
+krb5_clear_error_string.3
 krb5_closelog.3
+krb5_config_file_free.3
+krb5_config_free_strings.3
+krb5_config_get.3
+krb5_config_get_bool.3
 krb5_config_get_bool_default.3
+krb5_config_get_int.3
 krb5_config_get_int_default.3
+krb5_config_get_list.3
+krb5_config_get_next.3
+krb5_config_get_string.3
 krb5_config_get_string_default.3
+krb5_config_get_strings.3
+krb5_config_get_time.3
 krb5_config_get_time_default.3
+krb5_config_parse_file.3
+krb5_config_parse_file_multi.3
+krb5_config_vget.3
+krb5_config_vget_bool.3
+krb5_config_vget_bool_default.3
+krb5_config_vget_int.3
+krb5_config_vget_int_default.3
+krb5_config_vget_list.3
+krb5_config_vget_next.3
+krb5_config_vget_string.3
+krb5_config_vget_string_default.3
+krb5_config_vget_strings.3
+krb5_config_vget_time.3
+krb5_config_vget_time_default.3
 krb5_context.3
 krb5_copy_address.3
 krb5_copy_addresses.3
+krb5_copy_checksum.3
 krb5_copy_data.3
+krb5_copy_host_realm.3
+krb5_copy_keyblock.3
+krb5_copy_keyblock_contents.3
+krb5_copy_principal.3
+krb5_copy_ticket.3
 krb5_create_checksum.3
+krb5_creds.3
 krb5_crypto_destroy.3
+krb5_crypto_get_checksum_type.3
+krb5_crypto_getblocksize.3
+krb5_crypto_getconfoundersize.3
+krb5_crypto_getenctype.3
+krb5_crypto_getpadsize.3
 krb5_crypto_init.3
 krb5_data_alloc.3
 krb5_data_copy.3
@@ -141,36 +220,140 @@ krb5_data_realloc.3
 krb5_data_zero.3
 krb5_decrypt.3
 krb5_decrypt_EncryptedData.3
+krb5_digest.3
+krb5_digest_alloc.3
+krb5_digest_free.3
+krb5_digest_get_a1_hash.3
+krb5_digest_get_client_binding.3
+krb5_digest_get_identifier.3
+krb5_digest_get_opaque.3
+krb5_digest_get_responseData.3
+krb5_digest_get_rsp.3
+krb5_digest_get_server_nonce.3
+krb5_digest_get_tickets.3
+krb5_digest_init_request.3
+krb5_digest_request.3
+krb5_digest_set_authentication_user.3
+krb5_digest_set_authid.3
+krb5_digest_set_client_nonce.3
+krb5_digest_set_digest.3
+krb5_digest_set_hostname.3
+krb5_digest_set_identifier.3
+krb5_digest_set_method.3
+krb5_digest_set_nonceCount.3
+krb5_digest_set_opaque.3
+krb5_digest_set_qop.3
+krb5_digest_set_realm.3
+krb5_digest_set_server_cb.3
+krb5_digest_set_server_nonce.3
+krb5_digest_set_type.3
+krb5_digest_set_uri.3
+krb5_digest_set_username.3
+krb5_domain_x500_decode.3
+krb5_domain_x500_encode.3
+krb5_eai_to_heim_errno.3
 krb5_encrypt.3
 krb5_encrypt_EncryptedData.3
+krb5_enctype_disable.3
+krb5_enctype_to_string.3
+krb5_enctype_valid.3
 krb5_err.3
 krb5_errx.3
+krb5_expand_hostname.3
+krb5_expand_hostname_realms.3
+krb5_find_padata.3
+krb5_format_time.3
 krb5_free_address.3
 krb5_free_addresses.3
+krb5_free_authenticator.3
+krb5_free_checksum.3
+krb5_free_checksum_contents.3
+krb5_free_config_files.3
 krb5_free_context.3
 krb5_free_data.3
 krb5_free_data_contents.3
+krb5_free_error_string.3
 krb5_free_host_realm.3
+krb5_free_kdc_rep.3
+krb5_free_keyblock.3
+krb5_free_keyblock_contents.3
 krb5_free_krbhst.3
 krb5_free_principal.3
+krb5_free_salt.3
+krb5_free_ticket.3
+krb5_fwd_tgt_creds.3
+krb5_generate_random_block.3
+krb5_generate_random_keyblock.3
+krb5_generate_subkey.3
 krb5_get_all_client_addrs.3
 krb5_get_all_server_addrs.3
+krb5_get_cred_from_kdc.3
+krb5_get_cred_from_kdc_opt.3
+krb5_get_credentials.3
+krb5_get_credentials_with_flags.3
+krb5_get_default_config_files.3
+krb5_get_default_principal.3
 krb5_get_default_realm.3
 krb5_get_default_realms.3
+krb5_get_err_text.3
+krb5_get_error_message.3
+krb5_get_error_string.3
+krb5_get_extra_addresses.3
+krb5_get_fcache_version.3
+krb5_get_forwarded_creds.3
 krb5_get_host_realm.3
+krb5_get_ignore_addresses.3
+krb5_get_in_cred.3
+krb5_get_in_tkt.3
+krb5_get_in_tkt_with_keytab.3
+krb5_get_in_tkt_with_password.3
+krb5_get_in_tkt_with_skey.3
+krb5_get_init_creds.3
+krb5_get_init_creds_keytab.3
+krb5_get_init_creds_opt_alloc.3
+krb5_get_init_creds_opt_free.3
+krb5_get_init_creds_opt_free_pkinit.3
+krb5_get_init_creds_opt_init.3
+krb5_get_init_creds_opt_set_address_list.3
+krb5_get_init_creds_opt_set_anonymous.3
+krb5_get_init_creds_opt_set_default_flags.3
+krb5_get_init_creds_opt_set_etype_list.3
+krb5_get_init_creds_opt_set_forwardable.3
+krb5_get_init_creds_opt_set_pa_password.3
+krb5_get_init_creds_opt_set_paq_request.3
+krb5_get_init_creds_opt_set_pkinit.3
+krb5_get_init_creds_opt_set_preauth_list.3
+krb5_get_init_creds_opt_set_proxiable.3
+krb5_get_init_creds_opt_set_renew_life.3
+krb5_get_init_creds_opt_set_salt.3
+krb5_get_init_creds_opt_set_tkt_life.3
+krb5_get_init_creds_password.3
+krb5_get_kdc_cred.3
 krb5_get_krb524hst.3
 krb5_get_krb_admin_hst.3
 krb5_get_krb_changepw_hst.3
 krb5_get_krbhst.3
+krb5_get_pw_salt.3
+krb5_get_server_rcache.3
+krb5_get_use_admin_kdc.3
+krb5_get_wrapped_length.3
+krb5_getportbyname.3
 krb5_h_addr2addr.3
 krb5_h_addr2sockaddr.3
+krb5_h_errno_to_heim_errno.3
+krb5_have_error_string.3
+krb5_hmac.3
 krb5_init_context.3
+krb5_init_ets.3
 krb5_initlog.3
+krb5_keyblock_get_enctype.3
+krb5_keyblock_zero.3
 krb5_keytab_entry.3
 krb5_krbhst_format_string.3
 krb5_krbhst_free.3
 krb5_krbhst_get_addrinfo.3
 krb5_krbhst_init.3
+krb5_krbhst_init_flags.3
 krb5_krbhst_next.3
 krb5_krbhst_next_as_string.3
 krb5_krbhst_reset.3
@@ -179,13 +362,14 @@ krb5_kt_close.3
 krb5_kt_compare.3
 krb5_kt_copy_entry_contents.3
 krb5_kt_cursor.3
-krb5_kt_cursor.3
 krb5_kt_default.3
+krb5_kt_default_modify_name.3
 krb5_kt_default_name.3
 krb5_kt_end_seq_get.3
 krb5_kt_free_entry.3
 krb5_kt_get_entry.3
 krb5_kt_get_name.3
+krb5_kt_get_type.3
 krb5_kt_next_entry.3
 krb5_kt_ops.3
 krb5_kt_read_service_key.3
@@ -193,30 +377,132 @@ krb5_kt_register.3
 krb5_kt_remove_entry.3
 krb5_kt_resolve.3.3
 krb5_kt_start_seq_get
+krb5_kuserok.3
 krb5_log.3
 krb5_log_msg.3
 krb5_make_addrport.3
 krb5_make_principal.3
 krb5_max_sockaddr_size.3
 krb5_openlog.3
+krb5_padata_add.3
 krb5_parse_address.3
 krb5_parse_name.3
+krb5_passwd_result_to_string.3
+krb5_password_key_proc.3
+krb5_prepend_config_files.3
+krb5_prepend_config_files_default.3
+krb5_princ_realm.3
+krb5_princ_set_realm.3
 krb5_principal.3
+krb5_principal_compare.3
+krb5_principal_compare_any_realm.3
 krb5_principal_get_comp_string.3
 krb5_principal_get_realm.3
+krb5_principal_get_type.3
+krb5_principal_match.3
+krb5_principal_set_type.3
 krb5_print_address.3
+krb5_rc_close.3
+krb5_rc_default.3
+krb5_rc_default_name.3
+krb5_rc_default_type.3
+krb5_rc_destroy.3
+krb5_rc_expunge.3
+krb5_rc_get_lifespan.3
+krb5_rc_get_name.3
+krb5_rc_get_type.3
+krb5_rc_initialize.3
+krb5_rc_recover.3
+krb5_rc_resolve.3
+krb5_rc_resolve_full.3
+krb5_rc_resolve_type.3
+krb5_rc_store.3
+krb5_rcache.3
+krb5_realm_compare.3
+krb5_ret_address.3
+krb5_ret_addrs.3
+krb5_ret_authdata.3
+krb5_ret_creds.3
+krb5_ret_data.3
+krb5_ret_int16.3
+krb5_ret_int32.3
+krb5_ret_int8.3
+krb5_ret_keyblock.3
+krb5_ret_principal.3
+krb5_ret_string.3
+krb5_ret_stringz.3
+krb5_ret_times.3
+krb5_set_config_files.3
 krb5_set_default_realm.3
+krb5_set_error_string.3
+krb5_set_extra_addresses.3
+krb5_set_fcache_version.3
+krb5_set_ignore_addresses.3
+krb5_set_password.3
+krb5_set_password_using_ccache.3
+krb5_set_real_time.3
+krb5_set_use_admin_kdc.3
 krb5_set_warn_dest.3
 krb5_sname_to_principal.3
 krb5_sock_to_principal.3
 krb5_sockaddr2address.3
 krb5_sockaddr2port.3
 krb5_sockaddr_uninteresting.3
+krb5_storage.3
+krb5_storage_clear_flags.3
+krb5_storage_emem.3
+krb5_storage_free.3
+krb5_storage_from_data.3
+krb5_storage_from_fd.3
+krb5_storage_from_mem.3
+krb5_storage_get_byteorder.3
+krb5_storage_is_flags.3
+krb5_storage_read.3
+krb5_storage_seek.3
+krb5_storage_set_byteorder.3
+krb5_storage_set_eof_code.3
+krb5_storage_set_flags.3
+krb5_storage_to_data.3
+krb5_storage_write.3
+krb5_store_address.3
+krb5_store_addrs.3
+krb5_store_authdata.3
+krb5_store_creds.3
+krb5_store_data.3
+krb5_store_int16.3
+krb5_store_int32.3
+krb5_store_int8.3
+krb5_store_keyblock.3
+krb5_store_principal.3
+krb5_store_string.3
+krb5_store_stringz.3
+krb5_store_times.3
+krb5_string_to_deltat.3
+krb5_string_to_enctype.3
+krb5_string_to_key.3
+krb5_string_to_key_data.3
+krb5_string_to_key_data_salt.3
+krb5_string_to_key_data_salt_opaque.3
+krb5_string_to_key_salt.3
+krb5_string_to_key_salt_opaque.3
+krb5_ticket.3
+krb5_ticket_get_authorization_data_type.3
+krb5_ticket_get_client.3
+krb5_ticket_get_server.3
 krb5_timeofday.3
 krb5_unparse_name.3
+krb5_unparse_name_fixed.3
+krb5_unparse_name_fixed_short.3
+krb5_unparse_name_short.3
 krb5_us_timeofday.3
+krb5_vabort.3
+krb5_vabortx.3
 krb5_verify_checksum.3
+krb5_verify_init_creds.3
+krb5_verify_init_creds_opt_init.3
+krb5_verify_init_creds_opt_set_ap_req_nofail.3
 krb5_verify_opt_init.3
+krb5_verify_opt_set_ccache.3
 krb5_verify_opt_set_flags.3
 krb5_verify_opt_set_keytab.3
 krb5_verify_opt_set_secure.3
@@ -228,11 +514,11 @@ krb5_verr.3
 krb5_verrx.3
 krb5_vlog.3
 krb5_vlog_msg.3
+krb5_vset_error_string.3
 krb5_vwarn.3
 krb5_vwarnx.3
 krb5_warn.3
 krb5_warnx.3
-krn5_kuserok.3
 .ta
 .Fi
 .Sh SEE ALSO
diff --git a/crypto/heimdal/lib/krb5/krb5.conf.5 b/crypto/heimdal/lib/krb5/krb5.conf.5
index c9f8771..ceb16a4 100644
--- a/crypto/heimdal/lib/krb5/krb5.conf.5
+++ b/crypto/heimdal/lib/krb5/krb5.conf.5
@@ -1,4 +1,4 @@
-.\" Copyright (c) 1999 - 2004 Kungliga Tekniska Högskolan
+.\" Copyright (c) 1999 - 2005 Kungliga Tekniska Högskolan
 .\" (Royal Institute of Technology, Stockholm, Sweden).
 .\" All rights reserved.
 .\"
@@ -29,9 +29,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $Id: krb5.conf.5,v 1.35.2.2 2004/03/09 19:52:07 lha Exp $
+.\" $Id: krb5.conf.5 15514 2005-06-23 18:43:34Z lha $
 .\"
-.Dd March  9, 2004
+.Dd May  4, 2005
 .Dt KRB5.CONF 5
 .Os HEIMDAL
 .Sh NAME
@@ -88,6 +88,7 @@ values can be either yes/true or no/false.
 .It time
 values can be a list of year, month, day, hour, min, second.
 Example: 1 month 2 days 30 min.
+If no unit is given, seconds is assumed.
 .It etypes
 valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-md5,
 des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96, and
@@ -148,8 +149,8 @@ times.
 Default is 300 seconds (five minutes).
 .It Li kdc_timeout = Va time
 Maximum time to wait for a reply from the kdc, default is 3 seconds.
-.It v4_name_convert
-.It v4_instance_resolve
+.It Li v4_name_convert
+.It Li v4_instance_resolve
 These are described in the
 .Xr krb5_425_conv_principal  3
 manual page.
@@ -162,6 +163,12 @@ manual page.
 This is deprecated, see the 
 .Li capaths
 section below.
+.It Li default_cc_name = Va ccname
+the default credentials cache name.
+The string can contain variables that are expanded on runtime.
+Only support variable now is
+.Li %{uid}
+that expands to the current user id.
 .It Li default_etypes = Va etypes ...
 A list of default encryption types to use.
 .It Li default_etypes_des = Va etypes ...
@@ -178,6 +185,9 @@ Try to keep track of the time differential between the local machine
 and the KDC, and then compensate for that when issuing requests.
 .It Li max_retries = Va number
 The max number of times to try to contact each KDC.
+.It Li large_msg_size = Va number
+The threshold where protocols with tiny maximum message sizes are not
+considered usable to send messages to the KDC.
 .It Li ticket_lifetime = Va time
 Default ticket lifetime.
 .It Li renew_lifetime = Va time
@@ -241,6 +251,13 @@ Each binding in this section looks like:
 The domain can be either a full name of a host or a trailing
 component, in the latter case the domain-string should start with a
 period.
+The trailing component only matches hosts that are in the same domain, ie
+.Dq .example.com
+matches
+.Dq foo.example.com ,
+but not
+.Dq foo.test.example.com .
+.Pp
 The realm may be the token `dns_locate', in which case the actual
 realm will be determined using DNS (independently of the setting
 of the `dns_lookup_realm' option).
@@ -330,72 +347,94 @@ manual page for a list of defined destinations.
 .El
 .It Li [kdc]
 .Bl -tag -width "xxx" -offset indent
-.It database Li = {
+.It Li database Li = {
 .Bl -tag -width "xxx" -offset indent
-.It dbname Li = Va DATABASENAME
+.It Li dbname Li = Va DATABASENAME
 Use this database for this realm.
-.It realm Li = Va REALM
+See the info documetation how to configure diffrent database backends.
+.It Li realm Li = Va REALM
 Specifies the realm that will be stored in this database.
-.It mkey_file Li = Pa FILENAME
+It realm isn't set, it will used as the default database, there can
+only be one entry that doesn't have a
+.Li realm
+stanza.
+.It Li mkey_file Li = Pa FILENAME
 Use this keytab file for the master key of this database.
 If not specified
 .Va DATABASENAME Ns .mkey
 will be used.
-.It acl_file Li = PA FILENAME
+.It Li acl_file Li = PA FILENAME
 Use this file for the ACL list of this database.
-.It log_file Li = Pa FILENAME
+.It Li log_file Li = Pa FILENAME
 Use this file as the log of changes performed to the database.
 This file is used by
 .Nm ipropd-master
 for propagating changes to slaves.
 .El
 .It Li }
-.It max-request = Va SIZE
+.It Li max-request = Va SIZE
 Maximum size of a kdc request.
-.It require-preauth = Va BOOL
+.It Li require-preauth = Va BOOL
 If set pre-authentication is required.
 Since krb4 requests are not pre-authenticated they will be rejected.
-.It ports = Va "list of ports"
+.It Li ports = Va "list of ports"
 List of ports the kdc should listen to.
-.It addresses = Va "list of interfaces"
+.It Li addresses = Va "list of interfaces"
 List of addresses the kdc should bind to.
-.It enable-kerberos4 = Va BOOL
+.It Li enable-kerberos4 = Va BOOL
 Turn on Kerberos 4 support.
-.It v4-realm = Va REALM
+.It Li v4-realm = Va REALM
 To what realm v4 requests should be mapped.
-.It enable-524 = Va BOOL
+.It Li enable-524 = Va BOOL
 Should the Kerberos 524 converting facility be turned on.
-Default is same as
+Default is the same as
 .Va enable-kerberos4 .
-.It enable-http = Va BOOL
+.It Li enable-http = Va BOOL
 Should the kdc answer kdc-requests over http.
-.It enable-kaserver = Va BOOL
+.It Li enable-kaserver = Va BOOL
 If this kdc should emulate the AFS kaserver.
-.It check-ticket-addresses = Va BOOL
-verify the addresses in the tickets used in tgs requests.
+.It Li check-ticket-addresses = Va BOOL
+Verify the addresses in the tickets used in tgs requests.
 .\" XXX
-.It allow-null-ticket-addresses = Va BOOL
-Allow addresses-less tickets.
+.It Li allow-null-ticket-addresses = Va BOOL
+Allow address-less tickets.
 .\" XXX
-.It allow-anonymous = Va BOOL
+.It Li allow-anonymous = Va BOOL
 If the kdc is allowed to hand out anonymous tickets.
-.It encode_as_rep_as_tgs_rep = Va BOOL
+.It Li encode_as_rep_as_tgs_rep = Va BOOL
 Encode as-rep as tgs-rep tobe compatible with mistakes older DCE secd did.
 .\" XXX
-.It kdc_warn_pwexpire = Va TIME
+.It Li kdc_warn_pwexpire = Va TIME
 The time before expiration that the user should be warned that her
 password is about to expire.
-.It logging = Va Logging
+.It Li logging = Va Logging
 What type of logging the kdc should use, see also [logging]/kdc.
-.It use_2b = Va principal list
-List of principals to use AFS 2b tokens for.
+.It Li use_2b = {
+.Bl -tag -width "xxx" -offset indent
+.It Va principal Li = Va BOOL
+boolean value if the 524 daemon should return AFS 2b tokens for
+.Fa principal .
+.It ...
+.El
+.It Li }
+.It Li hdb-ldap-structural-object Va structural object
+If the LDAP backend is used for storing principals, this is the
+structural object that will be used when creating and when reading
+objects.
+The default value is account .
+.It Li hdb-ldap-create-base Va creation dn
+is the dn that will be appended to the principal when creating entries.
+Default value is the search dn.
 .El
 .It Li [kadmin]
 .Bl -tag -width "xxx" -offset indent
-.It require-preauth = Va BOOL
+.It Li require-preauth = Va BOOL
 If pre-authentication is required to talk to the kadmin server.
-.It default_keys = Va keytypes...
-for each entry in
+.It Li password_lifetime = Va time
+If a principal already have its password set for expiration, this is
+the time it will be valid for after a change.
+.It Li default_keys = Va keytypes...
+For each entry in
 .Va default_keys
 try to parse it as a sequence of
 .Va etype:salttype:salt
@@ -409,20 +448,34 @@ is omitted it means everything, and if string is omitted it means the
 default salt string (for that principal and encryption type).
 Additional special values of keytypes are:
 .Bl -tag -width "xxx" -offset indent
-.It v5
+.It Li v5
 The Kerberos 5 salt
 .Va pw-salt
-.It v4
+.It Li v4
 The Kerberos 4 salt
 .Va des:pw-salt:
 .El
-.It use_v4_salt = Va BOOL
+.It Li use_v4_salt = Va BOOL
 When true, this is the same as
 .Pp
 .Va default_keys = Va des3:pw-salt Va v4
 .Pp
 and is only left for backwards compatibility.
 .El
+.It Li [password-quality]
+Check the Password quality assurance in the info documentation for
+more information.
+.Bl -tag -width "xxx" -offset indent
+.It Li check_library = Va library-name
+Library name that contains the password check_function
+.It Li check_function = Va function-name
+Function name for checking passwords in check_library
+.It Li policy_libraries = Va library1 ... libraryN
+List of libraries that can do password policy checks
+.It Li policies = Va policy1 ... policyN
+List of policy names to apply to the password. Builtin policies are
+among other minimum-length, character-class, external-check.
+.El
 .El
 .Sh ENVIRONMENT
 .Ev KRB5_CONFIG
diff --git a/crypto/heimdal/lib/krb5/krb5.h b/crypto/heimdal/lib/krb5/krb5.h
index 9a327f1..571eb61 100644
--- a/crypto/heimdal/lib/krb5/krb5.h
+++ b/crypto/heimdal/lib/krb5/krb5.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: krb5.h,v 1.209.2.2 2004/06/21 08:32:00 lha Exp $ */
+/* $Id: krb5.h 22100 2007-12-03 17:15:00Z lha $ */
 
 #ifndef __KRB5_H__
 #define __KRB5_H__
@@ -64,22 +64,48 @@ typedef int32_t krb5_error_code;
 
 typedef int krb5_kvno;
 
-typedef u_int32_t krb5_flags;
+typedef uint32_t krb5_flags;
 
 typedef void *krb5_pointer;
 typedef const void *krb5_const_pointer;
 
-typedef octet_string krb5_data;
-
 struct krb5_crypto_data;
 typedef struct krb5_crypto_data *krb5_crypto;
 
+struct krb5_get_creds_opt_data;
+typedef struct krb5_get_creds_opt_data *krb5_get_creds_opt;
+
+struct krb5_digest_data;
+typedef struct krb5_digest_data *krb5_digest;
+struct krb5_ntlm_data;
+typedef struct krb5_ntlm_data *krb5_ntlm;
+
+struct krb5_pac_data;
+typedef struct krb5_pac_data *krb5_pac;
+
+typedef struct krb5_rd_req_in_ctx_data *krb5_rd_req_in_ctx;
+typedef struct krb5_rd_req_out_ctx_data *krb5_rd_req_out_ctx;
+
 typedef CKSUMTYPE krb5_cksumtype;
 
 typedef Checksum krb5_checksum;
 
 typedef ENCTYPE krb5_enctype;
 
+typedef heim_octet_string krb5_data;
+
+/* PKINIT related forward declarations */
+struct ContentInfo;
+struct krb5_pk_identity;
+struct krb5_pk_cert;
+
+/* krb5_enc_data is a mit compat structure */
+typedef struct krb5_enc_data {
+    krb5_enctype enctype;
+    krb5_kvno kvno;
+    krb5_data ciphertext;
+} krb5_enc_data;
+
 /* alternative names */
 enum {
     ENCTYPE_NULL		= ETYPE_NULL,
@@ -92,6 +118,9 @@ enum {
     ENCTYPE_ENCRYPT_RSA_PRIV	= ETYPE_ENCRYPT_RSA_PRIV,
     ENCTYPE_ENCRYPT_RSA_PUB	= ETYPE_ENCRYPT_RSA_PUB,
     ENCTYPE_DES3_CBC_SHA1	= ETYPE_DES3_CBC_SHA1,
+    ENCTYPE_AES128_CTS_HMAC_SHA1_96 = ETYPE_AES128_CTS_HMAC_SHA1_96,
+    ENCTYPE_AES256_CTS_HMAC_SHA1_96 = ETYPE_AES256_CTS_HMAC_SHA1_96,
+    ENCTYPE_ARCFOUR_HMAC	= ETYPE_ARCFOUR_HMAC_MD5,
     ENCTYPE_ARCFOUR_HMAC_MD5	= ETYPE_ARCFOUR_HMAC_MD5,
     ENCTYPE_ARCFOUR_HMAC_MD5_56	= ETYPE_ARCFOUR_HMAC_MD5_56,
     ENCTYPE_ENCTYPE_PK_CROSS	= ETYPE_ENCTYPE_PK_CROSS,
@@ -170,8 +199,34 @@ typedef enum krb5_key_usage {
     /* seal in GSSAPI krb5 mechanism */
     KRB5_KU_USAGE_SIGN = 23,
     /* sign in GSSAPI krb5 mechanism */
-    KRB5_KU_USAGE_SEQ = 24
+    KRB5_KU_USAGE_SEQ = 24,
     /* SEQ in GSSAPI krb5 mechanism */
+    KRB5_KU_USAGE_ACCEPTOR_SEAL = 22,
+    /* acceptor sign in GSSAPI CFX krb5 mechanism */
+    KRB5_KU_USAGE_ACCEPTOR_SIGN = 23,
+    /* acceptor seal in GSSAPI CFX krb5 mechanism */
+    KRB5_KU_USAGE_INITIATOR_SEAL = 24,       
+    /* initiator sign in GSSAPI CFX krb5 mechanism */
+    KRB5_KU_USAGE_INITIATOR_SIGN = 25,
+    /* initiator seal in GSSAPI CFX krb5 mechanism */
+    KRB5_KU_PA_SERVER_REFERRAL_DATA = 22,
+    /* encrypted server referral data */
+    KRB5_KU_SAM_CHECKSUM = 25,
+    /* Checksum for the SAM-CHECKSUM field */
+    KRB5_KU_SAM_ENC_TRACK_ID = 26,
+    /* Encryption of the SAM-TRACK-ID field */
+    KRB5_KU_PA_SERVER_REFERRAL = 26,
+    /* Keyusage for the server referral in a TGS req */
+    KRB5_KU_SAM_ENC_NONCE_SAD = 27,
+    /* Encryption of the SAM-NONCE-OR-SAD field */
+    KRB5_KU_DIGEST_ENCRYPT = -18,
+    /* Encryption key usage used in the digest encryption field */
+    KRB5_KU_DIGEST_OPAQUE = -19,
+    /* Checksum key usage used in the digest opaque field */
+    KRB5_KU_KRB5SIGNEDPATH = -21,
+    /* Checksum key usage on KRB5SignedPath */
+    KRB5_KU_CANONICALIZED_NAMES = -23
+    /* Checksum key usage on PA-CANONICALIZED */
 } krb5_key_usage;
 
 typedef krb5_key_usage krb5_keyusage;
@@ -200,6 +255,7 @@ typedef struct krb5_preauthdata {
 
 typedef enum krb5_address_type { 
     KRB5_ADDRESS_INET     =   2,
+    KRB5_ADDRESS_NETBIOS  =  20,
     KRB5_ADDRESS_INET6    =  24,
     KRB5_ADDRESS_ADDRPORT = 256,
     KRB5_ADDRESS_IPPORT   = 257
@@ -302,10 +358,24 @@ typedef union {
 
 #define KRB5_GC_CACHED			(1U << 0)
 #define KRB5_GC_USER_USER		(1U << 1)
+#define KRB5_GC_EXPIRED_OK		(1U << 2)
+#define KRB5_GC_NO_STORE		(1U << 3)
+#define KRB5_GC_FORWARDABLE		(1U << 4)
+#define KRB5_GC_NO_TRANSIT_CHECK	(1U << 5)
+#define KRB5_GC_CONSTRAINED_DELEGATION	(1U << 6)
 
 /* constants for compare_creds (and cc_retrieve_cred) */
 #define KRB5_TC_DONT_MATCH_REALM	(1U << 31)
 #define KRB5_TC_MATCH_KEYTYPE		(1U << 30)
+#define KRB5_TC_MATCH_KTYPE		KRB5_TC_MATCH_KEYTYPE    /* MIT name */
+#define KRB5_TC_MATCH_SRV_NAMEONLY	(1 << 29)
+#define KRB5_TC_MATCH_FLAGS_EXACT	(1 << 28)
+#define KRB5_TC_MATCH_FLAGS		(1 << 27)
+#define KRB5_TC_MATCH_TIMES_EXACT	(1 << 26)
+#define KRB5_TC_MATCH_TIMES		(1 << 25)
+#define KRB5_TC_MATCH_AUTHDATA		(1 << 24)
+#define KRB5_TC_MATCH_2ND_TKT		(1 << 23)
+#define KRB5_TC_MATCH_IS_SKEY		(1 << 22)
 
 typedef AuthorizationData krb5_authdata;
 
@@ -323,6 +393,8 @@ typedef struct krb5_creds {
     krb5_ticket_flags flags;
 } krb5_creds;
 
+typedef struct krb5_cc_cache_cursor_data *krb5_cc_cache_cursor;
+
 typedef struct krb5_cc_ops {
     const char *prefix;
     const char* (*get_name)(krb5_context, krb5_ccache);
@@ -333,7 +405,7 @@ typedef struct krb5_cc_ops {
     krb5_error_code (*close)(krb5_context, krb5_ccache);
     krb5_error_code (*store)(krb5_context, krb5_ccache, krb5_creds*);
     krb5_error_code (*retrieve)(krb5_context, krb5_ccache, 
-				krb5_flags, krb5_creds*, krb5_creds);
+				krb5_flags, const krb5_creds*, krb5_creds *);
     krb5_error_code (*get_princ)(krb5_context, krb5_ccache, krb5_principal*);
     krb5_error_code (*get_first)(krb5_context, krb5_ccache, krb5_cc_cursor *);
     krb5_error_code (*get_next)(krb5_context, krb5_ccache, 
@@ -343,6 +415,11 @@ typedef struct krb5_cc_ops {
 				   krb5_flags, krb5_creds*);
     krb5_error_code (*set_flags)(krb5_context, krb5_ccache, krb5_flags);
     int (*get_version)(krb5_context, krb5_ccache);
+    krb5_error_code (*get_cache_first)(krb5_context, krb5_cc_cursor *);
+    krb5_error_code (*get_cache_next)(krb5_context, krb5_cc_cursor, krb5_ccache *);
+    krb5_error_code (*end_cache_get)(krb5_context, krb5_cc_cursor);
+    krb5_error_code (*move)(krb5_context, krb5_ccache, krb5_ccache);
+    krb5_error_code (*default_name)(krb5_context, char **);
 } krb5_cc_ops;
 
 struct krb5_log_facility;
@@ -362,41 +439,6 @@ typedef struct krb5_config_binding krb5_config_binding;
 
 typedef krb5_config_binding krb5_config_section;
 
-typedef struct krb5_context_data {
-    krb5_enctype *etypes;
-    krb5_enctype *etypes_des;
-    char **default_realms;
-    time_t max_skew;
-    time_t kdc_timeout;
-    unsigned max_retries;
-    int32_t kdc_sec_offset;
-    int32_t kdc_usec_offset;
-    krb5_config_section *cf;
-    struct et_list *et_list;
-    struct krb5_log_facility *warn_dest;
-    krb5_cc_ops *cc_ops;
-    int num_cc_ops;
-    const char *http_proxy;
-    const char *time_fmt;
-    krb5_boolean log_utc;
-    const char *default_keytab;
-    const char *default_keytab_modify;
-    krb5_boolean use_admin_kdc;
-    krb5_addresses *extra_addresses;
-    krb5_boolean scan_interfaces;	/* `ifconfig -a' */
-    krb5_boolean srv_lookup;		/* do SRV lookups */
-    krb5_boolean srv_try_txt;		/* try TXT records also */
-    int32_t fcache_vno;			/* create cache files w/ this
-                                           version */
-    int num_kt_types;			/* # of registered keytab types */
-    struct krb5_keytab_data *kt_types;  /* registered keytab types */
-    const char *date_fmt;
-    char *error_string;
-    char error_buf[256];
-    krb5_addresses *ignore_addresses;
-    char *default_cc_name;
-} krb5_context_data;
-
 typedef struct krb5_ticket {
     EncTicketPart ticket;
     krb5_principal client;
@@ -419,6 +461,7 @@ typedef Authenticator krb5_donot_replay;
 #define KRB5_STORAGE_BYTEORDER_BE			0x00 /* default */
 #define KRB5_STORAGE_BYTEORDER_LE			0x20
 #define KRB5_STORAGE_BYTEORDER_HOST			0x40
+#define KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER		0x80
 
 struct krb5_storage_data;
 typedef struct krb5_storage_data krb5_storage;
@@ -427,7 +470,7 @@ typedef struct krb5_keytab_entry {
     krb5_principal principal;
     krb5_kvno vno;
     krb5_keyblock keyblock;
-    u_int32_t timestamp;
+    uint32_t timestamp;
 } krb5_keytab_entry;
 
 typedef struct krb5_kt_cursor {
@@ -470,17 +513,19 @@ typedef struct krb5_keytab_key_proc_args krb5_keytab_key_proc_args;
 
 typedef struct krb5_replay_data {
     krb5_timestamp timestamp;
-    u_int32_t usec;
-    u_int32_t seq;
+    int32_t usec;
+    uint32_t seq;
 } krb5_replay_data;
 
 /* flags for krb5_auth_con_setflags */
 enum {
-    KRB5_AUTH_CONTEXT_DO_TIME      = 1,
-    KRB5_AUTH_CONTEXT_RET_TIME     = 2,
-    KRB5_AUTH_CONTEXT_DO_SEQUENCE  = 4,
-    KRB5_AUTH_CONTEXT_RET_SEQUENCE = 8,
-    KRB5_AUTH_CONTEXT_PERMIT_ALL   = 16
+    KRB5_AUTH_CONTEXT_DO_TIME      		= 1,
+    KRB5_AUTH_CONTEXT_RET_TIME     		= 2,
+    KRB5_AUTH_CONTEXT_DO_SEQUENCE  		= 4,
+    KRB5_AUTH_CONTEXT_RET_SEQUENCE 		= 8,
+    KRB5_AUTH_CONTEXT_PERMIT_ALL   		= 16,
+    KRB5_AUTH_CONTEXT_USE_SUBKEY   		= 32,
+    KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED	= 64
 };
 
 /* flags for krb5_auth_con_genaddrs */
@@ -502,8 +547,8 @@ typedef struct krb5_auth_context_data {
     krb5_keyblock *local_subkey;
     krb5_keyblock *remote_subkey;
 
-    u_int32_t local_seqnumber;
-    u_int32_t remote_seqnumber;
+    uint32_t local_seqnumber;
+    uint32_t remote_seqnumber;
 
     krb5_authenticator authenticator;
   
@@ -528,7 +573,7 @@ typedef void (*krb5_log_log_func_t)(const char*, const char*, void*);
 typedef void (*krb5_log_close_func_t)(void*);
 
 typedef struct krb5_log_facility {
-    const char *program;
+    char *program;
     int len;
     struct facility *val;
 } krb5_log_facility;
@@ -542,6 +587,8 @@ typedef EncAPRepPart krb5_ap_rep_enc_part;
 #define KRB5_TGS_NAME_SIZE (6)
 #define KRB5_TGS_NAME ("krbtgt")
 
+#define KRB5_DIGEST_NAME ("digest")
+
 /* variables */
 
 extern const char *krb5_config_file;
@@ -551,7 +598,8 @@ typedef enum {
     KRB5_PROMPT_TYPE_PASSWORD		= 0x1,
     KRB5_PROMPT_TYPE_NEW_PASSWORD	= 0x2,
     KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN = 0x3,
-    KRB5_PROMPT_TYPE_PREAUTH		= 0x4
+    KRB5_PROMPT_TYPE_PREAUTH		= 0x4,
+    KRB5_PROMPT_TYPE_INFO		= 0x5
 } krb5_prompt_type;
 
 typedef struct _krb5_prompt {
@@ -561,24 +609,30 @@ typedef struct _krb5_prompt {
     krb5_prompt_type type;
 } krb5_prompt;
 
-typedef int (*krb5_prompter_fct)(krb5_context context,
-				 void *data,
-				 const char *name,
-				 const char *banner,
-				 int num_prompts,
-				 krb5_prompt prompts[]);
-
-typedef krb5_error_code (*krb5_key_proc)(krb5_context context,
-					 krb5_enctype type,
-					 krb5_salt salt,
-					 krb5_const_pointer keyseed,
-					 krb5_keyblock **key);
-typedef krb5_error_code (*krb5_decrypt_proc)(krb5_context context,
-					     krb5_keyblock *key,
-					     krb5_key_usage usage,
-					     krb5_const_pointer decrypt_arg,
-					     krb5_kdc_rep *dec_rep);
-
+typedef int (*krb5_prompter_fct)(krb5_context /*context*/,
+				 void * /*data*/,
+				 const char * /*name*/,
+				 const char * /*banner*/,
+				 int /*num_prompts*/,
+				 krb5_prompt /*prompts*/[]);
+typedef krb5_error_code (*krb5_key_proc)(krb5_context /*context*/,
+					 krb5_enctype /*type*/,
+					 krb5_salt /*salt*/,
+					 krb5_const_pointer /*keyseed*/,
+					 krb5_keyblock ** /*key*/);
+typedef krb5_error_code (*krb5_decrypt_proc)(krb5_context /*context*/,
+					     krb5_keyblock * /*key*/,
+					     krb5_key_usage /*usage*/,
+					     krb5_const_pointer /*decrypt_arg*/,
+					     krb5_kdc_rep * /*dec_rep*/);
+typedef krb5_error_code (*krb5_s2k_proc)(krb5_context /*context*/,
+					 krb5_enctype /*type*/,
+					 krb5_const_pointer /*keyseed*/,
+					 krb5_salt /*salt*/,
+					 krb5_data * /*s2kparms*/,
+					 krb5_keyblock ** /*key*/);
+
+struct _krb5_get_init_creds_opt_private;
 
 typedef struct _krb5_get_init_creds_opt {
     krb5_flags flags;
@@ -590,14 +644,12 @@ typedef struct _krb5_get_init_creds_opt {
     krb5_enctype *etype_list;
     int etype_list_length;
     krb5_addresses *address_list;
-#if 0 /* this is the MIT-way */
-    krb5_address **address_list;
-#endif
     /* XXX the next three should not be used, as they may be
        removed later */
     krb5_preauthtype *preauth_list;
     int preauth_list_length;
     krb5_data *salt;
+    struct _krb5_get_init_creds_opt_private *opt_private;
 } krb5_get_init_creds_opt;
 
 #define KRB5_GET_INIT_CREDS_OPT_TKT_LIFE	0x0001
@@ -609,6 +661,7 @@ typedef struct _krb5_get_init_creds_opt {
 #define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST	0x0040
 #define KRB5_GET_INIT_CREDS_OPT_SALT		0x0080
 #define KRB5_GET_INIT_CREDS_OPT_ANONYMOUS	0x0100
+#define KRB5_GET_INIT_CREDS_OPT_DISABLE_TRANSITED_CHECK	0x0200
 
 typedef struct _krb5_verify_init_creds_opt {
     krb5_flags flags;
@@ -628,10 +681,14 @@ typedef struct krb5_verify_opt {
 #define KRB5_VERIFY_LREALMS		1
 #define KRB5_VERIFY_NO_ADDRESSES	2
 
+extern const krb5_cc_ops krb5_acc_ops;
 extern const krb5_cc_ops krb5_fcc_ops;
 extern const krb5_cc_ops krb5_mcc_ops;
+extern const krb5_cc_ops krb5_kcm_ops;
 
 extern const krb5_kt_ops krb5_fkt_ops;
+extern const krb5_kt_ops krb5_wrfkt_ops;
+extern const krb5_kt_ops krb5_javakt_ops;
 extern const krb5_kt_ops krb5_mkt_ops;
 extern const krb5_kt_ops krb5_akf_ops;
 extern const krb5_kt_ops krb4_fkt_ops;
@@ -660,6 +717,7 @@ typedef struct krb5_krbhst_data *krb5_krbhst_handle;
 #define KRB5_KRBHST_ADMIN	2
 #define KRB5_KRBHST_CHANGEPW	3
 #define KRB5_KRBHST_KRB524	4
+#define KRB5_KRBHST_KCA		5
 
 typedef struct krb5_krbhst_info {
     enum { KRB5_KRBHST_UDP,
@@ -672,6 +730,45 @@ typedef struct krb5_krbhst_info {
     char hostname[1]; /* has to come last */
 } krb5_krbhst_info;
 
+/* flags for krb5_krbhst_init_flags (and krb5_send_to_kdc_flags) */
+enum {
+    KRB5_KRBHST_FLAGS_MASTER      = 1,
+    KRB5_KRBHST_FLAGS_LARGE_MSG	  = 2
+};
+
+typedef krb5_error_code (*krb5_send_to_kdc_func)(krb5_context, 
+						 void *, 
+						 krb5_krbhst_info *,
+						 const krb5_data *,
+						 krb5_data *);
+
+/* flags for krb5_parse_name_flags */
+enum {
+    KRB5_PRINCIPAL_PARSE_NO_REALM = 1,
+    KRB5_PRINCIPAL_PARSE_MUST_REALM = 2,
+    KRB5_PRINCIPAL_PARSE_ENTERPRISE = 4
+};
+
+/* flags for krb5_unparse_name_flags */
+enum {
+    KRB5_PRINCIPAL_UNPARSE_SHORT = 1,
+    KRB5_PRINCIPAL_UNPARSE_NO_REALM = 2,
+    KRB5_PRINCIPAL_UNPARSE_DISPLAY = 4
+};
+
+typedef struct krb5_sendto_ctx_data *krb5_sendto_ctx;
+
+#define KRB5_SENDTO_DONE	0
+#define KRB5_SENDTO_RESTART	1
+#define KRB5_SENDTO_CONTINUE	2
+
+typedef krb5_error_code (*krb5_sendto_ctx_func)(krb5_context, krb5_sendto_ctx, void *, const krb5_data *, int *);
+
+struct krb5_plugin;
+enum krb5_plugin_type {
+    PLUGIN_TYPE_DATA = 1,
+    PLUGIN_TYPE_FUNC
+};
 
 struct credentials; /* this is to keep the compiler happy */
 struct getargs;
diff --git a/crypto/heimdal/lib/krb5/krb5.moduli b/crypto/heimdal/lib/krb5/krb5.moduli
new file mode 100644
index 0000000..f67d2b2
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5.moduli
@@ -0,0 +1,3 @@
+# $Id: krb5.moduli 16154 2005-10-08 15:39:42Z lha $
+# comment security-bits-decimal secure-prime(p)-hex generator(g)-hex (q)-hex
+rfc3526-MODP-group14 1760 FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF 02 7FFFFFFFFFFFFFFFE487ED5110B4611A62633145C06E0E68948127044533E63A0105DF531D89CD9128A5043CC71A026EF7CA8CD9E69D218D98158536F92F8A1BA7F09AB6B6A8E122F242DABB312F3F637A262174D31BF6B585FFAE5B7A035BF6F71C35FDAD44CFD2D74F9208BE258FF324943328F6722D9EE1003E5C50B1DF82CC6D241B0E2AE9CD348B1FD47E9267AFC1B2AE91EE51D6CB0E3179AB1042A95DCF6A9483B84B4B36B3861AA7255E4C0278BA3604650C10BE19482F23171B671DF1CF3B960C074301CD93C1D17603D147DAE2AEF837A62964EF15E5FB4AAC0B8C1CCAA4BE754AB5728AE9130C4C7D02880AB9472D455655347FFFFFFFFFFFFFFF
diff --git a/crypto/heimdal/lib/krb5/krb524_convert_creds_kdc.3 b/crypto/heimdal/lib/krb5/krb524_convert_creds_kdc.3
new file mode 100644
index 0000000..1f4b9bf
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb524_convert_creds_kdc.3
@@ -0,0 +1,86 @@
+.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb524_convert_creds_kdc.3 15239 2005-05-25 13:19:16Z lha $
+.\"
+.Dd March 20, 2004
+.Dt KRB524_CONVERT_CREDS_KDC 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb524_convert_creds_kdc ,
+.Nm krb524_convert_creds_kdc_ccache
+.Nd converts Kerberos 5 credentials to Kerberos 4 credentials
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Ft krb5_error_code
+.Fo krb524_convert_creds_kdc
+.Fa "krb5_context context"
+.Fa "krb5_creds *in_cred"
+.Fa "struct credentials *v4creds"
+.Fc
+.Ft krb5_error_code
+.Fo krb524_convert_creds_kdc_ccache
+.Fa "krb5_context context"
+.Fa "krb5_ccache ccache"
+.Fa "krb5_creds *in_cred"
+.Fa "struct credentials *v4creds"
+.Fc
+.Sh DESCRIPTION
+Convert the Kerberos 5 credential to Kerberos 4 credential.
+This is done by sending them to the 524 service in the KDC.
+.Pp
+.Fn krb524_convert_creds_kdc
+converts the Kerberos 5 credential in
+.Fa in_cred
+to Kerberos 4 credential that is stored in
+.Fa credentials .
+.Pp
+.Fn krb524_convert_creds_kdc_ccache
+is diffrent from
+.Fn krb524_convert_creds_kdc
+in that way that if
+.Fa in_cred
+doesn't contain a DES session key, then a new one is fetched from the
+KDC and stored in the cred cache
+.Fa ccache ,
+and then the KDC is queried to convert the credential.
+.Pp
+This interfaces are used to make the migration to Kerberos 5 from
+Kerberos 4 easier.
+There are few services that still need Kerberos 4, and this is mainly
+for compatibility for those services.
+Some services, like AFS, really have Kerberos 5 supports, but still
+uses the 524 interface to make the migration easier.
+.Sh SEE ALSO
+.Xr krb5 3 ,
+.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3 b/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3
index 78bb62c..16c118f 100644
--- a/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3
+++ b/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3
@@ -1,37 +1,37 @@
-.\" Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.\" $Id: krb5_425_conv_principal.3,v 1.10 2003/04/16 13:58:13 lha Exp $
+.\" $Id: krb5_425_conv_principal.3 12734 2003-09-03 00:13:07Z lha $
 .\"
-.Dd April 11, 1999
+.Dd September  3, 2003
 .Dt KRB5_425_CONV_PRINCIPAL 3
 .Os HEIMDAL
 .Sh NAME
@@ -193,11 +193,11 @@ b-host.bar.com
 .Ed
 the following conversions will be made:
 .Bd -literal -offset indent
-rcmd.a-host	\(-> host/a-host.foo.com
-ftp.b-host	\(-> ftp/b-host.bar.com
-pop.foo		\(-> pop/foo.com
-ftp.other	\(-> ftp/other.foo.com
-other.a-host	\(-> other/a-host
+rcmd.a-host	-\*(Gt host/a-host.foo.com
+ftp.b-host	-\*(Gt ftp/b-host.bar.com
+pop.foo		-\*(Gt pop/foo.com
+ftp.other	-\*(Gt ftp/other.foo.com
+other.a-host	-\*(Gt other/a-host
 .Ed
 .Pp
 The first three are what you expect. If you remove the
diff --git a/crypto/heimdal/lib/krb5/krb5_acl_match_file.3 b/crypto/heimdal/lib/krb5/krb5_acl_match_file.3
new file mode 100644
index 0000000..342645e
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_acl_match_file.3
@@ -0,0 +1,111 @@
+.\" Copyright (c) 2004, 2006 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_acl_match_file.3 17534 2006-05-11 22:43:44Z lha $
+.\"
+.Dd May 12, 2006
+.Dt KRB5_ACL_MATCH_FILE 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_acl_match_file ,
+.Nm krb5_acl_match_string
+.Nd ACL matching functions
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.Ft krb5_error_code
+.Fo krb5_acl_match_file
+.Fa "krb5_context context"
+.Fa "const char *file"
+.Fa "const char *format"
+.Fa "..."
+.Fc
+.Ft krb5_error_code
+.Fo krb5_acl_match_string
+.Fa "krb5_context context"
+.Fa "const char *string"
+.Fa "const char *format"
+.Fa "..."
+.Fc
+.Sh DESCRIPTION
+.Nm krb5_acl_match_file
+matches ACL format against each line in a file.
+Lines starting with # are treated like comments and ignored.
+.Pp
+.Nm krb5_acl_match_string
+matches ACL format against a string.
+.Pp
+The ACL format has three format specifiers: s, f, and r.
+Each specifier will retrieve one argument from the variable arguments
+for either matching or storing data.
+The input string is split up using " " and "\et" as a delimiter; multiple
+" " and "\et" in a row are considered to be the same.
+.Pp
+.Bl -tag -width "fXX" -offset indent
+.It s
+Matches a string using
+.Xr strcmp 3
+(case sensitive).
+.It f
+Matches the string with
+.Xr fnmatch 3 .
+The
+.Fa flags
+argument (the last argument) passed to the fnmatch function is 0.
+.It r
+Returns a copy of the string in the char ** passed in; the copy must be
+freed with
+.Xr free 3 .
+There is no need to
+.Xr free 3
+the string on error: the function will clean up and set the pointer to
+.Dv NULL .
+.El
+.Pp
+All unknown format specifiers cause an error.
+.Sh EXAMPLES
+.Bd -literal -offset indent
+char *s;
+
+ret = krb5_acl_match_string(context, "foo", "s", "foo");
+if (ret)
+    krb5_errx(context, 1, "acl didn't match");
+ret = krb5_acl_match_string(context, "foo foo baz/kaka",
+    "ss", "foo", &s, "foo/*");
+if (ret) {
+    /* no need to free(s) on error */
+    assert(s == NULL);
+    krb5_errx(context, 1, "acl didn't match");
+}
+free(s);
+.Ed
+.Sh SEE ALSO
+.Xr krb5 3
diff --git a/crypto/heimdal/lib/krb5/krb5_address.3 b/crypto/heimdal/lib/krb5/krb5_address.3
index dc780ad..06f7fa5 100644
--- a/crypto/heimdal/lib/krb5/krb5_address.3
+++ b/crypto/heimdal/lib/krb5/krb5_address.3
@@ -1,37 +1,37 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" Copyright (c) 2003, 2005 - 2006 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
-.\" 
-.\" $Id: krb5_address.3,v 1.4 2003/04/16 13:58:12 lha Exp $
-.\" 
-.Dd March 11, 2002
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_address.3 17461 2006-05-05 13:13:18Z lha $
+.\"
+.Dd May  1, 2006
 .Dt KRB5_ADDRESS 3
 .Os HEIMDAL
 .Sh NAME
@@ -56,7 +56,7 @@
 .Nm krb5_copy_addresses ,
 .Nm krb5_append_addresses ,
 .Nm krb5_make_addrport
-.Nd mange addresses in Kerberos.
+.Nd mange addresses in Kerberos
 .Sh LIBRARY
 Kerberos 5 Library (libkrb5, -lkrb5)
 .Sh SYNOPSIS
@@ -192,7 +192,7 @@ The
 structure holds a set of krb5_address:es.
 .Pp
 .Fn krb5_sockaddr2address
-stores a address a 
+stores a address a
 .Li "struct sockaddr"
 .Fa sa
 in the krb5_address
@@ -213,8 +213,9 @@ from
 .Fa addr
 and
 .Fa port .
-.Fa Sa_size
-should be initially contain the size of the
+The argument
+.Fa sa_size
+should initially contain the size of the
 .Fa sa ,
 and after the call, it will contain the actual length of the address.
 .Pp
@@ -228,7 +229,7 @@ returns
 .Dv TRUE
 for all
 .Fa sa
-that for that the kerberos library thinks are uninteresting.
+that the kerberos library thinks are uninteresting.
 One example are link local addresses.
 .Pp
 .Fn krb5_h_addr2sockaddr
@@ -241,14 +242,13 @@ and the
 .Li "struct hostent"
 (see
 .Xr gethostbyname 3 )
-.Fa h_addr_list 
+.Fa h_addr_list
 component.
-.Fa Sa_size
-should be initially contain the size of the
+The argument
+.Fa sa_size
+should initially contain the size of the
 .Fa sa ,
 and after the call, it will contain the actual length of the address.
-.Fa sa
-argument.
 .Pp
 .Fn krb5_h_addr2addr
 works like
@@ -256,55 +256,59 @@ works like
 with the exception that it operates on a
 .Li krb5_address
 instead of a
-.Li struct sockaddr
+.Li struct sockaddr .
 .Pp
 .Fn krb5_anyaddr
 fills in a
 .Li "struct sockaddr"
 .Fa sa
 that can be used to
-.Xf bind 3
+.Xr bind 2
 to.
-.Fa Sa_size
-should be initially contain the size of the
+The argument
+.Fa sa_size
+should initially contain the size of the
 .Fa sa ,
 and after the call, it will contain the actual length of the address.
 .Pp
 .Fn krb5_print_address
 prints the address in
 .Fa addr
-to the a string
+to the string
 .Fa string
 that have the length
 .Fa len .
 If
 .Fa ret_len
-if not
+is not
 .Dv NULL ,
-it will be filled in length of the string.
+it will be filled with the length of the string if size were unlimited (not
+including the final
+.Ql \e0 ) .
 .Pp
 .Fn krb5_parse_address
-Returns the resolving a hostname in
+Returns the resolved hostname in
 .Fa string
 to the
 .Li krb5_addresses
 .Fa addresses .
 .Pp
 .Fn krb5_address_order
-compares to addresses
+compares the addresses
 .Fa addr1
 and
 .Fa addr2
 so that it can be used for sorting addresses. If the addresses are the
 same address
-.Fa krb5_address_order will be return 0.
+.Fa krb5_address_order
+will return 0.
 .Pp
 .Fn krb5_address_compare
 compares the addresses
 .Fa addr1
 and
 .Fa addr2 .
-returns
+Returns
 .Dv TRUE
 if the two addresses are the same.
 .Pp
@@ -344,7 +348,7 @@ to
 While copying the addresses, duplicates are also sorted out.
 .Pp
 .Fn krb5_make_addrport
-allocates and creates an 
+allocates and creates an
 krb5_address in
 .Fa res
 of type KRB5_ADDRESS_ADDRPORT from
diff --git a/crypto/heimdal/lib/krb5/krb5_aname_to_localname.3 b/crypto/heimdal/lib/krb5/krb5_aname_to_localname.3
index 900e1d9..a0c3e4b 100644
--- a/crypto/heimdal/lib/krb5/krb5_aname_to_localname.3
+++ b/crypto/heimdal/lib/krb5/krb5_aname_to_localname.3
@@ -1,42 +1,42 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.\" $Id: krb5_aname_to_localname.3,v 1.2 2003/04/16 13:58:13 lha Exp $
+.\" $Id: krb5_aname_to_localname.3 22071 2007-11-14 20:04:50Z lha $
 .\"
-.Dd March 17, 2003
+.Dd February 18, 2006
 .Dt KRB5_ANAME_TO_LOCALNAME 3
 .Os HEIMDAL
 .Sh NAME
 .Nm krb5_aname_to_localname
-.Nd converts a principal to a system local name.
+.Nd converts a principal to a system local name
 .Sh LIBRARY
 Kerberos 5 Library (libkrb5, -lkrb5)
 .Sh SYNOPSIS
@@ -51,28 +51,28 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Sh DESCRIPTION
 This function takes a principal
 .Fa name ,
-verifies its in the local realm (using
+verifies that it is in the local realm (using
 .Fn krb5_get_default_realms )
 and then returns the local name of the principal.
 .Pp
 If
 .Fa name
-isn't in one of the local realms and error is returned.
+isn't in one of the local realms an error is returned.
 .Pp
-If size
+If the size
 .Fa ( lnsize )
 of the local name
 .Fa ( lname )
-is to small, an error is returned.
+is too small, an error is returned.
 .Pp
 .Fn krb5_aname_to_localname
-should only be use by application that implements protocols that
-doesn't transport the login name and thus needs to convert a principal
+should only be use by an application that implements protocols that
+don't transport the login name and thus needs to convert a principal
 to a local name.
 .Pp
-Protocols should be designed so that the it autheticates using
-Kerberos, send over the login name and then verifies in the principal
-that authenticated is allowed to login and the login name.
+Protocols should be designed so that they authenticate using
+Kerberos, send over the login name and then verify the principal
+that is authenticated is allowed to login and the login name.
 A way to check if a user is allowed to login is using the function
 .Fn krb5_kuserok .
 .Sh SEE ALSO
diff --git a/crypto/heimdal/lib/krb5/krb5_appdefault.3 b/crypto/heimdal/lib/krb5/krb5_appdefault.3
index f913fdc..f5b5329 100644
--- a/crypto/heimdal/lib/krb5/krb5_appdefault.3
+++ b/crypto/heimdal/lib/krb5/krb5_appdefault.3
@@ -1,35 +1,35 @@
 .\" Copyright (c) 2000 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.\" $Id: krb5_appdefault.3,v 1.10 2003/04/16 13:58:10 lha Exp $
+.\" $Id: krb5_appdefault.3 12329 2003-05-26 14:09:04Z lha $
 .\"
 .Dd July 25, 2000
 .Dt KRB5_APPDEFAULT 3
diff --git a/crypto/heimdal/lib/krb5/krb5_auth_context.3 b/crypto/heimdal/lib/krb5/krb5_auth_context.3
index 69db324..66d150e 100644
--- a/crypto/heimdal/lib/krb5/krb5_auth_context.3
+++ b/crypto/heimdal/lib/krb5/krb5_auth_context.3
@@ -1,70 +1,74 @@
-.\" Copyright (c) 2001 - 2002 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" Copyright (c) 2001 - 2005 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.\" $Id: krb5_auth_context.3,v 1.8 2003/04/16 13:58:13 lha Exp $
+.\" $Id: krb5_auth_context.3 15240 2005-05-25 13:47:58Z lha $
 .\"
-.Dd January 21, 2001
+.Dd May 17, 2005
 .Dt KRB5_AUTH_CONTEXT 3
 .Os HEIMDAL
 .Sh NAME
-.Nm krb5_auth_context ,
-.Nm krb5_auth_con_init ,
+.Nm krb5_auth_con_addflags ,
 .Nm krb5_auth_con_free ,
-.Nm krb5_auth_con_setflags ,
+.Nm krb5_auth_con_genaddrs ,
+.Nm krb5_auth_con_generatelocalsubkey ,
+.Nm krb5_auth_con_getaddrs ,
+.Nm krb5_auth_con_getauthenticator ,
 .Nm krb5_auth_con_getflags ,
+.Nm krb5_auth_con_getkey ,
+.Nm krb5_auth_con_getlocalsubkey ,
+.Nm krb5_auth_con_getrcache ,
+.Nm krb5_auth_con_getremotesubkey ,
+.Nm krb5_auth_con_getuserkey ,
+.Nm krb5_auth_con_init ,
+.Nm krb5_auth_con_initivector ,
+.Nm krb5_auth_con_removeflags ,
 .Nm krb5_auth_con_setaddrs ,
 .Nm krb5_auth_con_setaddrs_from_fd ,
-.Nm krb5_auth_con_getaddrs ,
-.Nm krb5_auth_con_genaddrs ,
-.Nm krb5_auth_con_getkey ,
+.Nm krb5_auth_con_setflags ,
+.Nm krb5_auth_con_setivector ,
 .Nm krb5_auth_con_setkey ,
-.Nm krb5_auth_con_getuserkey ,
-.Nm krb5_auth_con_setuserkey ,
-.Nm krb5_auth_con_getlocalsubkey ,
 .Nm krb5_auth_con_setlocalsubkey ,
-.Nm krb5_auth_con_getremotesubkey ,
+.Nm krb5_auth_con_setrcache ,
 .Nm krb5_auth_con_setremotesubkey ,
-.Nm krb5_auth_setcksumtype ,
+.Nm krb5_auth_con_setuserkey ,
+.Nm krb5_auth_context ,
 .Nm krb5_auth_getcksumtype ,
-.Nm krb5_auth_setkeytype ,
 .Nm krb5_auth_getkeytype ,
 .Nm krb5_auth_getlocalseqnumber ,
-.Nm krb5_auth_setlocalseqnumber ,
 .Nm krb5_auth_getremoteseqnumber ,
+.Nm krb5_auth_setcksumtype ,
+.Nm krb5_auth_setkeytype ,
+.Nm krb5_auth_setlocalseqnumber ,
 .Nm krb5_auth_setremoteseqnumber ,
-.Nm krb5_auth_getauthenticator ,
-.Nm krb5_auth_con_getrcache ,
-.Nm krb5_auth_con_setrcache ,
-.Nm krb5_auth_con_initivector ,
-.Nm krb5_auth_con_setivector
+.Nm krb5_free_authenticator
 .Nd manage authentication on connection level
 .Sh LIBRARY
 Kerberos 5 Library (libkrb5, -lkrb5)
@@ -93,6 +97,20 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Fa "int32_t *flags"
 .Fc
 .Ft krb5_error_code
+.Fo krb5_auth_con_addflags
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa "int32_t addflags"
+.Fa "int32_t *flags"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_auth_con_removeflags
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa "int32_t removelags"
+.Fa "int32_t *flags"
+.Fc
+.Ft krb5_error_code
 .Fo krb5_auth_con_setaddrs
 .Fa "krb5_context context"
 .Fa "krb5_auth_context auth_context"
@@ -138,6 +156,12 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Fa "krb5_keyblock **keyblock"
 .Fc
 .Ft krb5_error_code
+.Fo krb5_auth_con_generatelocalsubkey
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa krb5_keyblock *key"
+.Fc
+.Ft krb5_error_code
 .Fo krb5_auth_con_initivector
 .Fa "krb5_context context"
 .Fa "krb5_auth_context auth_context"
@@ -148,6 +172,11 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Fa "krb5_auth_context *auth_context"
 .Fa "krb5_pointer ivector"
 .Fc
+.Ft void
+.Fo krb5_free_authenticator
+.Fa "krb5_context context"
+.Fa "krb5_authenticator *authenticator"
+.Fc
 .Sh DESCRIPTION
 The
 .Nm krb5_auth_context
@@ -174,19 +203,56 @@ The
 structure must be freed by
 .Fn krb5_auth_con_free .
 .Pp
-.Fn krb5_auth_con_getflags
+.Fn krb5_auth_con_getflags ,
+.Fn krb5_auth_con_setflags ,
+.Fn krb5_auth_con_addflags
 and
-.Fn krb5_auth_con_setflags
+.Fn krb5_auth_con_removeflags
 gets and modifies the flags for a
 .Nm krb5_auth_context
 structure. Possible flags to set are:
 .Bl -tag -width Ds
-.It Dv KRB5_AUTH_CONTEXT_DO_TIME
-check timestamp on incoming packets.
-.\".It Dv KRB5_AUTH_CONTEXT_RET_TIME
 .It Dv KRB5_AUTH_CONTEXT_DO_SEQUENCE
 Generate and check sequence-number on each packet.
-.\".It Dv KRB5_AUTH_CONTEXT_RET_SEQUENCE
+.It Dv KRB5_AUTH_CONTEXT_DO_TIME
+Check timestamp on incoming packets.
+.It Dv KRB5_AUTH_CONTEXT_RET_SEQUENCE , Dv KRB5_AUTH_CONTEXT_RET_TIME
+Return sequence numbers and time stamps in the outdata parameters.
+.It Dv KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED
+will force
+.Fn krb5_get_forwarded_creds
+and
+.Fn krb5_fwd_tgt_creds
+to create unencrypted )
+.Dv ENCTYPE_NULL )
+credentials.
+This is for use with old MIT server and JAVA based servers as
+they can't handle encrypted
+.Dv KRB-CRED .
+Note that sending such
+.Dv KRB-CRED
+is clear exposes crypto keys and tickets and is insecure,
+make sure the packet is encrypted in the protocol.
+.Xr krb5_rd_cred 3 ,
+.Xr krb5_rd_priv 3 ,
+.Xr krb5_rd_safe 3 ,
+.Xr krb5_mk_priv 3
+and
+.Xr krb5_mk_safe 3 .
+Setting this flag requires that parameter to be passed to these
+functions.
+.Pp
+The flags
+.Dv KRB5_AUTH_CONTEXT_DO_TIME
+also modifies the behavior the function
+.Fn krb5_get_forwarded_creds
+by removing the timestamp in the forward credential message, this have
+backward compatibility problems since not all versions of the heimdal
+supports timeless credentional messages.
+Is very useful since it always the sender of the message to cache
+forward message and thus avoiding a round trip to the KDC for each
+time a credential is forwarded.
+The same functionality can be obtained by using address-less tickets.
 .\".It Dv KRB5_AUTH_CONTEXT_PERMIT_ALL
 .El
 .Pp
@@ -263,7 +329,8 @@ is equivalent to
 .Fn krb5_auth_con_getremotesubkey
 and
 .Fn krb5_auth_con_setremotesubkey
-gets and sets the keyblock for the local and remote subkey. The keyblock returned by
+gets and sets the keyblock for the local and remote subkey.
+The keyblock returned by
 .Fn krb5_auth_con_getlocalsubkey
 and
 .Fn krb5_auth_con_getremotesubkey
@@ -276,6 +343,10 @@ and
 sets and gets the checksum type that should be used for this
 connection.
 .Pp
+.Fn krb5_auth_con_generatelocalsubkey
+generates a local subkey that have the same encryption type as
+.Fa key .
+.Pp
 .Fn krb5_auth_getremoteseqnumber
 .Fn krb5_auth_setremoteseqnumber ,
 .Fn krb5_auth_getlocalseqnumber
@@ -290,7 +361,7 @@ and
 gets and gets the keytype of the keyblock in
 .Nm krb5_auth_context .
 .Pp
-.Fn krb5_auth_getauthenticator
+.Fn krb5_auth_con_getauthenticator
 Retrieves the authenticator that was used during mutual
 authentication. The
 .Dv authenticator
@@ -312,6 +383,13 @@ sets the i_vector portion of
 .Fa auth_context
 to
 .Fa ivector .
+.Pp
+.Fn krb5_free_authenticator
+free the content of
+.Fa authenticator
+and
+.Fa authenticator
+itself.
 .Sh SEE ALSO
 .Xr krb5_context 3 ,
 .Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_c_make_checksum.3 b/crypto/heimdal/lib/krb5/krb5_c_make_checksum.3
new file mode 100644
index 0000000..a323cce
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_c_make_checksum.3
@@ -0,0 +1,297 @@
+.\" Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_c_make_checksum.3 19066 2006-11-17 22:09:25Z lha $
+.\"
+.Dd Nov  17, 2006
+.Dt KRB5_C_MAKE_CHECKSUM 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_c_block_size ,
+.Nm krb5_c_decrypt ,
+.Nm krb5_c_encrypt ,
+.Nm krb5_c_encrypt_length ,
+.Nm krb5_c_enctype_compare ,
+.Nm krb5_c_get_checksum ,
+.Nm krb5_c_is_coll_proof_cksum ,
+.Nm krb5_c_is_keyed_cksum ,
+.Nm krb5_c_keylength ,
+.Nm krb5_c_make_checksum ,
+.Nm krb5_c_make_random_key ,
+.Nm krb5_c_set_checksum ,
+.Nm krb5_c_valid_cksumtype ,
+.Nm krb5_c_valid_enctype ,
+.Nm krb5_c_verify_checksum ,
+.Nm krb5_c_checksum_length
+.Nd Kerberos 5 crypto API
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Pp
+.Ft krb5_error_code
+.Fo krb5_c_block_size
+.Fa "krb5_context context"
+.Fa "krb5_enctype enctype"
+.Fa "size_t *blocksize"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_c_decrypt
+.Fa "krb5_context context"
+.Fa "const krb5_keyblock key"
+.Fa "krb5_keyusage usage"
+.Fa "const krb5_data *ivec"
+.Fa "krb5_enc_data *input"
+.Fa "krb5_data *output"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_c_encrypt
+.Fa "krb5_context context"
+.Fa "const krb5_keyblock *key"
+.Fa "krb5_keyusage usage"
+.Fa "const krb5_data *ivec"
+.Fa "const krb5_data *input"
+.Fa "krb5_enc_data *output"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_c_encrypt_length
+.Fa "krb5_context context"
+.Fa "krb5_enctype enctype"
+.Fa "size_t inputlen"
+.Fa "size_t *length"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_c_enctype_compare
+.Fa "krb5_context context"
+.Fa "krb5_enctype e1"
+.Fa "krb5_enctype e2"
+.Fa "krb5_boolean *similar"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_c_make_random_key
+.Fa "krb5_context context"
+.Fa "krb5_enctype enctype"
+.Fa "krb5_keyblock *random_key"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_c_make_checksum
+.Fa "krb5_context context"
+.Fa "krb5_cksumtype cksumtype"
+.Fa "const krb5_keyblock *key"
+.Fa "krb5_keyusage usage"
+.Fa "const krb5_data *input"
+.Fa "krb5_checksum *cksum"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_c_verify_checksum
+.Fa "krb5_context context
+.Fa "const krb5_keyblock *key"
+.Fa "krb5_keyusage usage"
+.Fa "const krb5_data *data"
+.Fa "const krb5_checksum *cksum"
+.Fa "krb5_boolean *valid"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_c_checksum_length
+.Fa "krb5_context context"
+.Fa "krb5_cksumtype cksumtype"
+.Fa "size_t *length"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_c_get_checksum
+.Fa "krb5_context context"
+.Fa "const krb5_checksum *cksum"
+.Fa "krb5_cksumtype *type"
+.Fa "krb5_data **data"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_c_set_checksum
+.Fa "krb5_context context"
+.Fa "krb5_checksum *cksum"
+.Fa "krb5_cksumtype type"
+.Fa "const krb5_data *data"
+.Fc
+.Ft krb5_boolean
+.Fo krb5_c_valid_enctype
+.Fa krb5_enctype etype"
+.Fc
+.Ft krb5_boolean
+.Fo krb5_c_valid_cksumtype
+.Fa "krb5_cksumtype ctype"
+.Fc
+.Ft krb5_boolean
+.Fo krb5_c_is_coll_proof_cksum
+.Fa "krb5_cksumtype ctype"
+.Fc
+.Ft krb5_boolean
+.Fo krb5_c_is_keyed_cksum
+.Fa "krb5_cksumtype ctype"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_c_keylengths
+.Fa "krb5_context context"
+.Fa "krb5_enctype enctype"
+.Fa "size_t *inlength"
+.Fa "size_t *keylength"
+.Fc
+.Sh DESCRIPTION
+The functions starting with krb5_c are compat functions with MIT kerberos.
+.Pp
+The
+.Li krb5_enc_data
+structure holds and encrypted data.
+There are two public accessable members of
+.Li krb5_enc_data .
+.Li enctype
+that holds the encryption type of the data encrypted and
+.Li ciphertext
+that is a
+.Ft krb5_data
+that might contain the encrypted data.
+.Pp
+.Fn krb5_c_block_size
+returns the blocksize of the encryption type.
+.Pp
+.Fn krb5_c_decrypt
+decrypts
+.Fa input
+and store the data in
+.Fa output.
+If 
+.Fa ivec
+is
+.Dv NULL
+the default initialization vector for that encryption type will be used.
+.Pp
+.Fn krb5_c_encrypt
+encrypts the plaintext in
+.Fa input
+and store the ciphertext in
+.Fa output .
+.Pp
+.Fn krb5_c_encrypt_length
+returns the length the encrypted data given the plaintext length.
+.Pp
+.Fn krb5_c_enctype_compare
+compares to encryption types and returns if they use compatible
+encryption key types.
+.Pp
+.Fn krb5_c_make_checksum
+creates a checksum
+.Fa cksum
+with the checksum type
+.Fa cksumtype
+of the data in
+.Fa data .
+.Fa key
+and
+.Fa usage
+are used if the checksum is a keyed checksum type.
+Returns 0 or an error code.
+.Pp
+.Fn krb5_c_verify_checksum
+verifies the checksum
+of
+.Fa data
+in
+.Fa cksum
+that was created with
+.Fa key
+using the key usage
+.Fa usage .
+.Fa verify
+is set to non-zero if the checksum verifies correctly and zero if not.
+Returns 0 or an error code.
+.Pp
+.Fn krb5_c_checksum_length
+returns the length of the checksum.
+.Pp
+.Fn krb5_c_set_checksum
+sets the
+.Li krb5_checksum
+structure given
+.Fa type
+and
+.Fa data .
+The content of
+.Fa cksum
+should be freeed with
+.Fn krb5_c_free_checksum_contents .
+.Pp
+.Fn krb5_c_get_checksum
+retrieves the components of the
+.Li krb5_checksum .
+structure.
+.Fa data
+should be free with
+.Fn krb5_free_data .
+If some either of
+.Fa data
+or
+.Fa checksum
+is not needed for the application, 
+.Dv NULL
+can be passed in.
+.Pp
+.Fn krb5_c_valid_enctype
+returns true if
+.Fa etype
+is a valid encryption type.
+.Pp
+.Fn krb5_c_valid_cksumtype
+returns true if
+.Fa ctype
+is a valid checksum type.
+.Pp
+.Fn krb5_c_is_keyed_cksum
+return true if
+.Fa ctype
+is a keyed checksum type.
+.Pp
+.Fn krb5_c_is_coll_proof_cksum
+returns true if
+.Fa ctype
+is a collition proof checksum type.
+.Pp
+.Fn krb5_c_keylengths
+return the minimum length (
+.Fa inlength )
+bytes needed to create a key and the
+length (
+.Fa keylength )
+of the resulting key
+for the
+.Fa enctype .
+.Sh SEE ALSO
+.Xr krb5 3 ,
+.Xr krb5_create_checksum 3 ,
+.Xr krb5_free_data 3 ,
+.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_ccache.3 b/crypto/heimdal/lib/krb5/krb5_ccache.3
index ec48c5f..3fca595 100644
--- a/crypto/heimdal/lib/krb5/krb5_ccache.3
+++ b/crypto/heimdal/lib/krb5/krb5_ccache.3
@@ -1,37 +1,37 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
-.\" 
-.\" $Id: krb5_ccache.3,v 1.7 2003/04/16 13:58:12 lha Exp $
-.\" 
-.Dd March 16, 2003
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_ccache.3 22071 2007-11-14 20:04:50Z lha $
+.\"
+.Dd October 19, 2005
 .Dt KRB5_CCACHE 3
 .Os HEIMDAL
 .Sh NAME
@@ -40,6 +40,7 @@
 .Nm krb5_cc_ops ,
 .Nm krb5_fcc_ops ,
 .Nm krb5_mcc_ops ,
+.Nm krb5_cc_clear_mcred ,
 .Nm krb5_cc_close ,
 .Nm krb5_cc_copy_cache ,
 .Nm krb5_cc_default ,
@@ -47,21 +48,26 @@
 .Nm krb5_cc_destroy ,
 .Nm krb5_cc_end_seq_get ,
 .Nm krb5_cc_gen_new ,
+.Nm krb5_cc_get_full_name ,
 .Nm krb5_cc_get_name ,
+.Nm krb5_cc_get_ops ,
+.Nm krb5_cc_get_prefix_ops ,
 .Nm krb5_cc_get_principal ,
 .Nm krb5_cc_get_type ,
-.Nm krb5_cc_get_ops ,
 .Nm krb5_cc_get_version ,
 .Nm krb5_cc_initialize ,
+.Nm krb5_cc_next_cred ,
+.Nm krb5_cc_next_cred_match ,
+.Nm krb5_cc_new_unique ,
 .Nm krb5_cc_register ,
+.Nm krb5_cc_remove_cred ,
 .Nm krb5_cc_resolve ,
 .Nm krb5_cc_retrieve_cred ,
-.Nm krb5_cc_remove_cred ,
 .Nm krb5_cc_set_default_name ,
-.Nm krb5_cc_store_cred ,
 .Nm krb5_cc_set_flags ,
-.Nm krb5_cc_next_cred
-.Nd mange credential cache.
+.Nm krb5_cc_start_seq_get ,
+.Nm krb5_cc_store_cred
+.Nd mange credential cache
 .Sh LIBRARY
 Kerberos 5 Library (libkrb5, -lkrb5)
 .Sh SYNOPSIS
@@ -77,90 +83,105 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Pp
 .Li "struct krb5_cc_ops *krb5_mcc_ops;"
 .Pp
+.Ft void
+.Fo krb5_cc_clear_mcred
+.Fa "krb5_creds *mcred"
+.Fc
 .Ft krb5_error_code
 .Fo krb5_cc_close
-.Fa "krb5_context *context"
+.Fa "krb5_context context"
 .Fa "krb5_ccache id"
 .Fc
 .Ft krb5_error_code
 .Fo krb5_cc_copy_cache
-.Fa "krb5_context *context"
+.Fa "krb5_context context"
 .Fa "const krb5_ccache from"
 .Fa "krb5_ccache to"
 .Fc
 .Ft krb5_error_code
 .Fo krb5_cc_default
-.Fa "krb5_context *context"
+.Fa "krb5_context context"
 .Fa "krb5_ccache *id"
 .Fc
 .Ft "const char *"
 .Fo krb5_cc_default_name
-.Fa "krb5_context *context"
+.Fa "krb5_context context"
 .Fc
 .Ft krb5_error_code
 .Fo krb5_cc_destroy
-.Fa "krb5_context *context"
+.Fa "krb5_context context"
 .Fa "krb5_ccache id"
 .Fc
 .Ft krb5_error_code
 .Fo krb5_cc_end_seq_get
-.Fa "krb5_context *context"
+.Fa "krb5_context context"
 .Fa "const krb5_ccache id"
 .Fa "krb5_cc_cursor *cursor"
 .Fc
 .Ft krb5_error_code
 .Fo krb5_cc_gen_new
-.Fa "krb5_context *context"
+.Fa "krb5_context context"
 .Fa "const krb5_cc_ops *ops"
 .Fa "krb5_ccache *id"
 .Fc
+.Ft krb5_error_code
+.Fo krb5_cc_get_full_name
+.Fa "krb5_context context"
+.Fa "krb5_ccache id"
+.Fa "char **str"
+.Fc
 .Ft "const char *"
 .Fo krb5_cc_get_name
-.Fa "krb5_context *context"
+.Fa "krb5_context context"
 .Fa "krb5_ccache id"
 .Fc
 .Ft krb5_error_code
 .Fo krb5_cc_get_principal
-.Fa "krb5_context *context"
+.Fa "krb5_context context"
 .Fa "krb5_ccache id"
 .Fa "krb5_principal *principal"
 .Fc
 .Ft "const char *"
 .Fo krb5_cc_get_type
-.Fa "krb5_context *context"
+.Fa "krb5_context context"
 .Fa "krb5_ccache id"
 .Fc
 .Ft "const krb5_cc_ops *"
 .Fo krb5_cc_get_ops
-.Fa "krb5_context *context"
+.Fa "krb5_context context"
 .Fa "krb5_ccache id"
 .Fc
+.Ft "const krb5_cc_ops *"
+.Fo krb5_cc_get_prefix_ops
+.Fa "krb5_context context"
+.Fa "const char *prefix"
+.Fc
 .Ft krb5_error_code
 .Fo krb5_cc_get_version
-.Fa "krb5_context *context"
+.Fa "krb5_context context"
 .Fa "const krb5_ccache id"
 .Fc
 .Ft krb5_error_code
 .Fo krb5_cc_initialize
-.Fa "krb5_context *context"
+.Fa "krb5_context context"
 .Fa "krb5_ccache id"
 .Fa "krb5_principal primary_principal"
 .Fc
 .Ft krb5_error_code
 .Fo krb5_cc_register
-.Fa "krb5_context *context"
+.Fa "krb5_context context"
 .Fa "const krb5_cc_ops *ops"
 .Fa "krb5_boolean override"
 .Fc
 .Ft krb5_error_code
 .Fo krb5_cc_resolve
-.Fa "krb5_context *context"
+.Fa "krb5_context context"
 .Fa "const char *name"
 .Fa "krb5_ccache *id"
 .Fc
 .Ft krb5_error_code
 .Fo krb5_cc_retrieve_cred
-.Fa "krb5_context *context"
+.Fa "krb5_context context"
 .Fa "krb5_ccache id"
 .Fa "krb5_flags whichfields"
 .Fa "const krb5_creds *mcreds"
@@ -168,34 +189,56 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Fc
 .Ft krb5_error_code
 .Fo krb5_cc_remove_cred
-.Fa "krb5_context *context"
+.Fa "krb5_context context"
 .Fa "krb5_ccache id"
 .Fa "krb5_flags which"
 .Fa "krb5_creds *cred"
 .Fc
 .Ft krb5_error_code
 .Fo krb5_cc_set_default_name
-.Fa "krb5_context *context"
+.Fa "krb5_context context"
 .Fa "const char *name"
 .Fc
 .Ft krb5_error_code
+.Fo krb5_cc_start_seq_get
+.Fa "krb5_context context"
+.Fa "const krb5_ccache id"
+.Fa "krb5_cc_cursor *cursor"
+.Fc
+.Ft krb5_error_code
 .Fo krb5_cc_store_cred
-.Fa "krb5_context *context"
+.Fa "krb5_context context"
 .Fa "krb5_ccache id"
 .Fa "krb5_creds *creds"
 .Fc
 .Ft krb5_error_code
 .Fo krb5_cc_set_flags
-.Fa "krb5_context *context"
+.Fa "krb5_context context"
 .Fa "krb5_cc_set_flags id"
 .Fa "krb5_flags flags"
 .Fc
 .Ft krb5_error_code
 .Fo krb5_cc_next_cred
-.Fa "krb5_context *context"
+.Fa "krb5_context context"
+.Fa "const krb5_ccache id"
+.Fa "krb5_cc_cursor *cursor"
+.Fa "krb5_creds *creds"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_cc_next_cred_match
+.Fa "krb5_context context"
 .Fa "const krb5_ccache id"
 .Fa "krb5_cc_cursor *cursor"
 .Fa "krb5_creds *creds"
+.Fa "krb5_flags whichfields"
+.Fa "const krb5_creds *mcreds"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_cc_new_unique
+.Fa "krb5_context context"
+.Fa "const char *type"
+.Fa "const char *hint"
+.Fa "krb5_ccache *id"
 .Fc
 .Sh DESCRIPTION
 The
@@ -231,68 +274,108 @@ gets and sets the default name for the
 .Fa context .
 .Pp
 .Fn krb5_cc_default
-opens the default ccache in 
+opens the default credential cache in
 .Fa id .
 Return 0 or an error code.
 .Pp
 .Fn krb5_cc_gen_new
-generates a new ccache of type
+generates a new credential cache of type
 .Fa ops
 in
 .Fa id .
 Return 0 or an error code.
+The Heimdal version of this function also runs
+.Fn krb5_cc_initialize
+on the credential cache, but since the MIT version doesn't, portable
+code must call krb5_cc_initialize.
+.Pp
+.Fn krb5_cc_new_unique
+generates a new unique credential cache of
+.Fa type
+in
+.Fa id .
+If type is
+.Dv NULL ,
+the library chooses the default credential cache type.
+The supplied
+.Fa hint
+(that can be
+.Dv NULL )
+is a string that the credential cache type can use to base the name of
+the credential on, this is to make it easier for the user to
+differentiate the credentials.
+The returned credential cache
+.Fa id
+should be freed using
+.Fn krb5_cc_close
+or
+.Fn krb5_cc_destroy .
+Returns 0 or an error code.
 .Pp
 .Fn krb5_cc_resolve
-finds and allocates a ccache in 
+finds and allocates a credential cache in
 .Fa id
-from the specification in 
+from the specification in
 .Fa residual .
-If the ccache name doesn't contain any colon (:), interpret it as a
+If the credential cache name doesn't contain any colon (:), interpret it as a
 file name.
 Return 0 or an error code.
 .Pp
 .Fn krb5_cc_initialize
-creates a new ccache in
+creates a new credential cache in
 .Fa id
 for
 .Fa primary_principal .
 Return 0 or an error code.
 .Pp
 .Fn krb5_cc_close
-stops using the ccache 
+stops using the credential cache
 .Fa id
 and frees the related resources.
 Return 0 or an error code.
 .Fn krb5_cc_destroy
-removes the ccache 
+removes the credential cache
 and closes (by calling
 .Fn krb5_cc_close )
 .Fa id .
 Return 0 or an error code.
 .Pp
 .Fn krb5_cc_copy_cache
-copys the contents of 
+copys the contents of
 .Fa from
-to 
+to
 .Fa to .
 .Pp
+.Fn krb5_cc_get_full_name
+returns the complete resolvable name of the credential cache
+.Fa id
+in
+.Fa str .
+.Fa str
+should be freed with
+.Xr free 3 .
+Returns 0 or an error, on error
+.Fa *str
+is set to
+.Dv NULL .
+.Pp
 .Fn krb5_cc_get_name
-returns the name of the ccache 
+returns the name of the credential cache
 .Fa id .
 .Pp
 .Fn krb5_cc_get_principal
-returns the principal of 
+returns the principal of
 .Fa id
 in
 .Fa principal .
 Return 0 or an error code.
 .Pp
 .Fn krb5_cc_get_type
-returns the type of the ccache
+returns the type of the credential cache
 .Fa id .
 .Pp
 .Fn krb5_cc_get_ops
-returns the ops of the ccache
+returns the ops of the credential cache
 .Fa id .
 .Pp
 .Fn krb5_cc_get_version
@@ -300,23 +383,32 @@ returns the version of
 .Fa id .
 .Pp
 .Fn krb5_cc_register
-Adds a new ccache type with operations 
+Adds a new credential cache type with operations
 .Fa ops ,
 overwriting any existing one if
 .Fa override .
 Return an error code or 0.
 .Pp
+.Fn krb5_cc_get_prefix_ops
+Get the cc ops that is registered in
+.Fa context
+to handle the
+.Fa prefix .
+Returns
+.Dv NULL
+if ops not found.
+.Pp
 .Fn krb5_cc_remove_cred
 removes the credential identified by
 .Fa ( cred ,
 .Fa which )
-from 
+from
 .Fa id .
 .Pp
 .Fn krb5_cc_store_cred
 stores
 .Fa creds
-in the ccache
+in the credential cache
 .Fa id .
 Return 0 or an error code.
 .Pp
@@ -326,8 +418,14 @@ sets the flags of
 to
 .Fa flags .
 .Pp
+.Fn krb5_cc_clear_mcred
+clears the
+.Fa mcreds
+argument so it is reset and can be used with
+.Fa krb5_cc_retrieve_cred .
+.Pp
 .Fn krb5_cc_retrieve_cred ,
-retrieves the credential identified by 
+retrieves the credential identified by
 .Fa mcreds
 (and
 .Fa whichfields )
@@ -335,8 +433,16 @@ from
 .Fa id
 in
 .Fa creds .
+.Fa creds
+should be freed using
+.Fn krb5_free_cred_contents .
 Return 0 or an error code.
 .Pp
+.Fn krb5_cc_start_seq_get
+initiates the
+.Li krb5_cc_cursor
+structure to be used for iteration over the credential cache.
+.Pp
 .Fn krb5_cc_next_cred
 retrieves the next cred pointed to by
 .Fa ( id ,
@@ -347,9 +453,64 @@ and advance
 .Fa cursor .
 Return 0 or an error code.
 .Pp
+.Fn krb5_cc_next_cred_match
+is similar to
+.Fn krb5_cc_next_cred
+except that it will only return creds matching 
+.Fa whichfields
+and
+.Fa mcreds
+(as interpreted by 
+.Xr krb5_compare_creds 3 . )
+.Pp
 .Fn krb5_cc_end_seq_get
 Destroys the cursor
 .Fa cursor .
+.Sh EXAMPLE
+This is a minimalistic version of
+.Nm klist .
+.Pp
+.Bd -literal
+#include <krb5.h>
+
+int
+main (int argc, char **argv)
+{
+    krb5_context context;
+    krb5_cc_cursor cursor;
+    krb5_error_code ret;
+    krb5_ccache id;
+    krb5_creds creds;
+
+    if (krb5_init_context (&context) != 0)
+	errx(1, "krb5_context");
+
+    ret = krb5_cc_default (context, &id);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_default");
+
+    ret = krb5_cc_start_seq_get(context, id, &cursor);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_start_seq_get");
+
+    while((ret = krb5_cc_next_cred(context, id, &cursor, &creds)) == 0){
+        char *principal;
+
+	krb5_unparse_name_short(context, creds.server, &principal);
+	printf("principal: %s\\n", principal);
+	free(principal);
+	krb5_free_cred_contents (context, &creds);
+    }
+    ret = krb5_cc_end_seq_get(context, id, &cursor);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_end_seq_get");
+
+    krb5_cc_close(context, id);
+
+    krb5_free_context(context);
+    return 0;
+}
+.Ed
 .Sh SEE ALSO
 .Xr krb5 3 ,
 .Xr krb5.conf 5 ,
diff --git a/crypto/heimdal/lib/krb5/krb5_ccapi.h b/crypto/heimdal/lib/krb5/krb5_ccapi.h
new file mode 100644
index 0000000..59a3842
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_ccapi.h
@@ -0,0 +1,230 @@
+/*
+ * Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: krb5_ccapi.h 22090 2007-12-02 23:23:43Z lha $ */
+
+#ifndef KRB5_CCAPI_H
+#define KRB5_CCAPI_H 1
+
+#include <krb5-types.h>
+
+enum {
+    cc_credentials_v5 = 2
+};
+
+enum {
+    ccapi_version_3 = 3,
+    ccapi_version_4 = 4
+};
+
+enum {
+    ccNoError						= 0,
+    
+    ccIteratorEnd					= 201,
+    ccErrBadParam,
+    ccErrNoMem,
+    ccErrInvalidContext,
+    ccErrInvalidCCache,
+
+    ccErrInvalidString,					/* 206 */
+    ccErrInvalidCredentials,
+    ccErrInvalidCCacheIterator,
+    ccErrInvalidCredentialsIterator,
+    ccErrInvalidLock,
+    
+    ccErrBadName,					/* 211 */
+    ccErrBadCredentialsVersion,
+    ccErrBadAPIVersion,
+    ccErrContextLocked,
+    ccErrContextUnlocked,
+    
+    ccErrCCacheLocked,					/* 216 */
+    ccErrCCacheUnlocked,
+    ccErrBadLockType,
+    ccErrNeverDefault,
+    ccErrCredentialsNotFound,
+    
+    ccErrCCacheNotFound,				/* 221 */
+    ccErrContextNotFound,
+    ccErrServerUnavailable,
+    ccErrServerInsecure,
+    ccErrServerCantBecomeUID,
+    
+    ccErrTimeOffsetNotSet				/* 226 */
+};
+
+typedef int32_t cc_int32;
+typedef uint32_t cc_uint32;
+typedef struct cc_context_t *cc_context_t;
+typedef struct cc_ccache_t *cc_ccache_t;
+typedef struct cc_ccache_iterator_t *cc_ccache_iterator_t;
+typedef struct cc_credentials_v5_t cc_credentials_v5_t;
+typedef struct cc_credentials_t *cc_credentials_t;
+typedef struct cc_credentials_iterator_t *cc_credentials_iterator_t;
+typedef struct cc_string_t *cc_string_t;
+typedef time_t cc_time_t;
+
+typedef struct cc_data {
+    cc_uint32 type;
+    cc_uint32 length;
+    void *data;
+} cc_data;
+
+struct cc_credentials_v5_t {
+    char *client;
+    char *server;
+    cc_data keyblock;
+    cc_time_t authtime;
+    cc_time_t starttime;
+    cc_time_t endtime;
+    cc_time_t renew_till;
+    cc_uint32 is_skey;
+    cc_uint32 ticket_flags;
+#define	KRB5_CCAPI_TKT_FLG_FORWARDABLE			0x40000000
+#define	KRB5_CCAPI_TKT_FLG_FORWARDED			0x20000000
+#define	KRB5_CCAPI_TKT_FLG_PROXIABLE			0x10000000
+#define	KRB5_CCAPI_TKT_FLG_PROXY			0x08000000
+#define	KRB5_CCAPI_TKT_FLG_MAY_POSTDATE			0x04000000
+#define	KRB5_CCAPI_TKT_FLG_POSTDATED			0x02000000
+#define	KRB5_CCAPI_TKT_FLG_INVALID			0x01000000
+#define	KRB5_CCAPI_TKT_FLG_RENEWABLE			0x00800000
+#define	KRB5_CCAPI_TKT_FLG_INITIAL			0x00400000
+#define	KRB5_CCAPI_TKT_FLG_PRE_AUTH			0x00200000
+#define	KRB5_CCAPI_TKT_FLG_HW_AUTH			0x00100000
+#define	KRB5_CCAPI_TKT_FLG_TRANSIT_POLICY_CHECKED	0x00080000
+#define	KRB5_CCAPI_TKT_FLG_OK_AS_DELEGATE		0x00040000
+#define	KRB5_CCAPI_TKT_FLG_ANONYMOUS			0x00020000
+    cc_data **addresses;
+    cc_data ticket;
+    cc_data second_ticket;
+    cc_data **authdata;
+};
+
+
+typedef struct cc_string_functions {
+    cc_int32 (*release)(cc_string_t);
+} cc_string_functions;
+
+struct cc_string_t {
+    const char *data;
+    const cc_string_functions *func;
+};
+
+typedef struct cc_credentials_union {
+    cc_int32 version;
+    union {
+	cc_credentials_v5_t* credentials_v5;
+    } credentials;
+} cc_credentials_union;
+
+struct cc_credentials_functions {
+    cc_int32 (*release)(cc_credentials_t);
+    cc_int32 (*compare)(cc_credentials_t, cc_credentials_t, cc_uint32*);
+};
+
+struct cc_credentials_t {
+    const cc_credentials_union* data;
+    const struct cc_credentials_functions* func;
+};
+
+struct cc_credentials_iterator_functions {
+    cc_int32 (*release)(cc_credentials_iterator_t);
+    cc_int32 (*next)(cc_credentials_iterator_t, cc_credentials_t*);
+};
+
+struct cc_credentials_iterator_t {
+    const struct cc_credentials_iterator_functions *func;
+};
+
+struct cc_ccache_iterator_functions {
+    cc_int32 (*release) (cc_ccache_iterator_t);
+    cc_int32 (*next)(cc_ccache_iterator_t, cc_ccache_t*);
+};
+
+struct cc_ccache_iterator_t {
+    const struct cc_ccache_iterator_functions* func;
+};
+
+typedef struct cc_ccache_functions {
+    cc_int32 (*release)(cc_ccache_t);
+    cc_int32 (*destroy)(cc_ccache_t);
+    cc_int32 (*set_default)(cc_ccache_t);
+    cc_int32 (*get_credentials_version)(cc_ccache_t, cc_uint32*);
+    cc_int32 (*get_name)(cc_ccache_t, cc_string_t*);
+    cc_int32 (*get_principal)(cc_ccache_t, cc_uint32, cc_string_t*);
+    cc_int32 (*set_principal)(cc_ccache_t, cc_uint32, const char*);
+    cc_int32 (*store_credentials)(cc_ccache_t, const cc_credentials_union*);
+    cc_int32 (*remove_credentials)(cc_ccache_t, cc_credentials_t);
+    cc_int32 (*new_credentials_iterator)(cc_ccache_t,
+					 cc_credentials_iterator_t*);
+    cc_int32 (*move)(cc_ccache_t, cc_ccache_t);
+    cc_int32 (*lock)(cc_ccache_t, cc_uint32, cc_uint32);
+    cc_int32 (*unlock)(cc_ccache_t);
+    cc_int32 (*get_last_default_time)(cc_ccache_t, cc_time_t*);
+    cc_int32 (*get_change_time)(cc_ccache_t, cc_time_t*);
+    cc_int32 (*compare)(cc_ccache_t, cc_ccache_t, cc_uint32*);
+    cc_int32 (*get_kdc_time_offset)(cc_ccache_t, cc_int32, cc_time_t *);
+    cc_int32 (*set_kdc_time_offset)(cc_ccache_t, cc_int32, cc_time_t);
+    cc_int32 (*clear_kdc_time_offset)(cc_ccache_t, cc_int32);
+} cc_ccache_functions;
+
+struct cc_ccache_t {
+    const cc_ccache_functions *func;
+};
+
+struct  cc_context_functions {
+    cc_int32 (*release)(cc_context_t);
+    cc_int32 (*get_change_time)(cc_context_t, cc_time_t *);
+    cc_int32 (*get_default_ccache_name)(cc_context_t, cc_string_t*);
+    cc_int32 (*open_ccache)(cc_context_t, const char*, cc_ccache_t *);
+    cc_int32 (*open_default_ccache)(cc_context_t, cc_ccache_t*);
+    cc_int32 (*create_ccache)(cc_context_t,const char*, cc_uint32,
+			      const char*, cc_ccache_t*);
+    cc_int32 (*create_default_ccache)(cc_context_t, cc_uint32,
+				      const char*, cc_ccache_t*);
+    cc_int32 (*create_new_ccache)(cc_context_t, cc_uint32,
+				  const char*, cc_ccache_t*);
+    cc_int32 (*new_ccache_iterator)(cc_context_t, cc_ccache_iterator_t*);
+    cc_int32 (*lock)(cc_context_t, cc_uint32, cc_uint32);
+    cc_int32 (*unlock)(cc_context_t);
+    cc_int32 (*compare)(cc_context_t, cc_context_t, cc_uint32*);
+};
+
+struct cc_context_t {
+    const struct cc_context_functions* func;
+};
+
+typedef cc_int32 
+(*cc_initialize_func)(cc_context_t*, cc_int32, cc_int32 *, char const **);
+
+#endif /* KRB5_CCAPI_H */
diff --git a/crypto/heimdal/lib/krb5/krb5_check_transited.3 b/crypto/heimdal/lib/krb5/krb5_check_transited.3
new file mode 100644
index 0000000..65ce077
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_check_transited.3
@@ -0,0 +1,106 @@
+.\" Copyright (c) 2004, 2006 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_check_transited.3 17382 2006-05-01 07:09:16Z lha $
+.\"
+.Dd May  1, 2006
+.Dt KRB5_CHECK_TRANSITED 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_check_transited ,
+.Nm krb5_check_transited_realms ,
+.Nm krb5_domain_x500_decode ,
+.Nm krb5_domain_x500_encode
+.Nd realm transit verification and encoding/decoding functions
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Ft krb5_error_code
+.Fo krb5_check_transited
+.Fa "krb5_context context"
+.Fa "krb5_const_realm client_realm"
+.Fa "krb5_const_realm server_realm"
+.Fa "krb5_realm *realms"
+.Fa "int num_realms"
+.Fa "int *bad_realm"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_check_transited_realms
+.Fa "krb5_context context"
+.Fa "const char *const *realms"
+.Fa "int num_realms"
+.Fa "int *bad_realm"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_domain_x500_decode
+.Fa "krb5_context context"
+.Fa "krb5_data tr"
+.Fa "char ***realms"
+.Fa "int *num_realms"
+.Fa "const char *client_realm"
+.Fa "const char *server_realm"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_domain_x500_encode
+.Fa "char **realms"
+.Fa "int num_realms"
+.Fa "krb5_data *encoding"
+.Fc
+.Sh DESCRIPTION
+.Fn krb5_check_transited
+checks the path from
+.Fa client_realm
+to
+.Fa server_realm
+where
+.Fa realms
+and
+.Fa num_realms
+is the realms between them.
+If the function returns an error value, 
+.Fa bad_realm
+will be set to the realm in the list causing the error.
+.Fn krb5_check_transited
+is used internally by the KDC and libkrb5 and should not be called by
+client applications.
+.Pp
+.Fn krb5_check_transited_realms
+is deprecated.
+.Pp
+.Fn krb5_domain_x500_encode
+and
+.Fn krb5_domain_x500_decode
+encodes and decodes the realm names in the X500 format that Kerberos
+uses to describe the transited realms in krbtgts.
+.Sh SEE ALSO
+.Xr krb5 3 ,
+.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krb5_compare_creds.3 b/crypto/heimdal/lib/krb5/krb5_compare_creds.3
new file mode 100644
index 0000000..9fd2bbb
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_compare_creds.3
@@ -0,0 +1,104 @@
+.\" Copyright (c) 2004-2005 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_compare_creds.3 15110 2005-05-10 09:21:06Z lha $
+.\"
+.Dd May 10, 2005
+.Dt KRB5_COMPARE_CREDS 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_compare_creds
+.Nd compare Kerberos 5 credentials
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Ft krb5_boolean
+.Fo krb5_compare_creds
+.Fa "krb5_context context"
+.Fa "krb5_flags whichfields"
+.Fa "const krb5_creds *mcreds"
+.Fa "const krb5_creds *creds"
+.Fc
+.Sh DESCRIPTION
+.Fn krb5_compare_creds
+compares
+.Fa mcreds
+(usually filled in by the application)
+to
+.Fa creds
+(most often from a credentials cache)
+and return
+.Dv TRUE
+if they are equal.
+Unless
+.Va mcreds-\*[Gt]server
+is
+.Dv NULL ,
+the service of the credentials are always compared.  If the client
+name in
+.Fa mcreds
+is present, the client names are also compared. This function is
+normally only called indirectly via
+.Xr krb5_cc_retrieve_cred 3 .
+.Pp
+The following flags, set in
+.Fa whichfields ,
+affects the comparison:
+.Bl -tag -width KRB5_TC_MATCH_SRV_NAMEONLY -compact -offset indent
+.It KRB5_TC_MATCH_SRV_NAMEONLY
+Consider all realms equal when comparing the service principal.
+.It KRB5_TC_MATCH_KEYTYPE
+Compare enctypes.
+.It KRB5_TC_MATCH_FLAGS_EXACT
+Make sure that the ticket flags are identical.
+.It KRB5_TC_MATCH_FLAGS
+Make sure that all ticket flags set in
+.Fa mcreds
+are also present  in
+.Fa creds .
+.It KRB5_TC_MATCH_TIMES_EXACT
+Compares the ticket times exactly.
+.It KRB5_TC_MATCH_TIMES
+Compares only the expiration times of the creds.
+.It KRB5_TC_MATCH_AUTHDATA
+Compares the authdata fields.
+.It KRB5_TC_MATCH_2ND_TKT
+Compares the second tickets (used by user-to-user authentication).
+.It KRB5_TC_MATCH_IS_SKEY
+Compares the existance of the second ticket.
+.El
+.Sh SEE ALSO
+.Xr krb5 3 ,
+.Xr krb5_cc_retrieve_cred 3 ,
+.Xr krb5_creds 3 ,
+.Xr krb5_get_init_creds 3 ,
+.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_config.3 b/crypto/heimdal/lib/krb5/krb5_config.3
index 471389e..9c302ae 100644
--- a/crypto/heimdal/lib/krb5/krb5_config.3
+++ b/crypto/heimdal/lib/krb5/krb5_config.3
@@ -1,26 +1,239 @@
-.\" Copyright (c) 2000 Kungliga Tekniska Högskolan
-.\" $Id: krb5_config.3,v 1.5 2003/04/16 13:58:14 lha Exp $
-.Dd July 25, 2000
-.Dt KRB5_CONFIG 3
+.\" Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"
+.\" $Id: krb5_config.3 21905 2007-08-10 10:16:45Z lha $
+.\"
+.Dd August 10, 2007
+.Dt KRB5_CONFIG_GET 3
 .Os HEIMDAL
 .Sh NAME
+.Nm krb5_config_file_free ,
+.Nm krb5_config_free_strings ,
+.Nm krb5_config_get ,
+.Nm krb5_config_get_bool ,
 .Nm krb5_config_get_bool_default ,
+.Nm krb5_config_get_int ,
 .Nm krb5_config_get_int_default ,
+.Nm krb5_config_get_list ,
+.Nm krb5_config_get_next ,
+.Nm krb5_config_get_string ,
 .Nm krb5_config_get_string_default ,
-.Nm krb5_config_get_time_default
+.Nm krb5_config_get_strings ,
+.Nm krb5_config_get_time ,
+.Nm krb5_config_get_time_default ,
+.Nm krb5_config_parse_file ,
+.Nm krb5_config_parse_file_multi ,
+.Nm krb5_config_vget ,
+.Nm krb5_config_vget_bool ,
+.Nm krb5_config_vget_bool_default ,
+.Nm krb5_config_vget_int ,
+.Nm krb5_config_vget_int_default ,
+.Nm krb5_config_vget_list ,
+.Nm krb5_config_vget_next ,
+.Nm krb5_config_vget_string ,
+.Nm krb5_config_vget_string_default ,
+.Nm krb5_config_vget_strings ,
+.Nm krb5_config_vget_time ,
+.Nm krb5_config_vget_time_default
 .Nd get configuration value
 .Sh LIBRARY
 Kerberos 5 Library (libkrb5, -lkrb5)
 .Sh SYNOPSIS
 .In krb5.h
+.Ft krb5_error_code
+.Fo krb5_config_file_free
+.Fa "krb5_context context"
+.Fa "krb5_config_section *s"
+.Fc
+.Ft void
+.Fo krb5_config_free_strings
+.Fa "char **strings"
+.Fc
+.Ft "const void *"
+.Fo krb5_config_get
+.Fa "krb5_context context"
+.Fa "const krb5_config_section *c"
+.Fa "int type"
+.Fa "..."
+.Fc
 .Ft krb5_boolean
-.Fn krb5_config_get_bool_default "krb5_context context" "krb5_config_section *c" "krb5_boolean def_value" "..."
+.Fo krb5_config_get_bool
+.Fa "krb5_context context"
+.Fa "krb5_config_section *c"
+.Fa "..."
+.Fc
+.Ft krb5_boolean
+.Fo krb5_config_get_bool_default
+.Fa "krb5_context context"
+.Fa "krb5_config_section *c"
+.Fa "krb5_boolean def_value"
+.Fa "..."
+.Fc
+.Ft int
+.Fo krb5_config_get_int
+.Fa "krb5_context context"
+.Fa "krb5_config_section *c"
+.Fa "..."
+.Fc
 .Ft int
-.Fn krb5_config_get_int_default "krb5_context context" "krb5_config_section *c" "int def_value" "..."
+.Fo krb5_config_get_int_default
+.Fa "krb5_context context"
+.Fa "krb5_config_section *c"
+.Fa "int def_value"
+.Fa "..."
+.Fc
 .Ft const char*
-.Fn krb5_config_get_string_default "krb5_context context" "krb5_config_section *c" "const char *def_value" "..."
+.Fo krb5_config_get_string
+.Fa "krb5_context context"
+.Fa "krb5_config_section *c"
+.Fa "..."
+.Fc
+.Ft const char*
+.Fo krb5_config_get_string_default
+.Fa "krb5_context context"
+.Fa "krb5_config_section *c"
+.Fa "const char *def_value"
+.Fa "..."
+.Fc
+.Ft "char**"
+.Fo krb5_config_get_strings
+.Fa "krb5_context context"
+.Fa "const krb5_config_section *c"
+.Fa "..."
+.Fc
+.Ft int
+.Fo krb5_config_get_time
+.Fa "krb5_context context"
+.Fa "krb5_config_section *c"
+.Fa "..."
+.Fc
+.Ft int
+.Fo krb5_config_get_time_default
+.Fa "krb5_context context"
+.Fa "krb5_config_section *c"
+.Fa "int def_value"
+.Fa "..."
+.Fc
+.Ft krb5_error_code
+.Fo krb5_config_parse_file
+.Fa "krb5_context context"
+.Fa "const char *fname"
+.Fa "krb5_config_section **res"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_config_parse_file_multi
+.Fa "krb5_context context"
+.Fa "const char *fname"
+.Fa "krb5_config_section **res"
+.Fc
+.Ft "const void *"
+.Fo krb5_config_vget
+.Fa "krb5_context context"
+.Fa "const krb5_config_section *c"
+.Fa "int type"
+.Fa "va_list args"
+.Fc
+.Ft krb5_boolean
+.Fo krb5_config_vget_bool
+.Fa "krb5_context context"
+.Fa "const krb5_config_section *c"
+.Fa "va_list args"
+.Fc
+.Ft krb5_boolean
+.Fo krb5_config_vget_bool_default
+.Fa "krb5_context context"
+.Fa "const krb5_config_section *c"
+.Fa "krb5_boolean def_value"
+.Fa "va_list args"
+.Fc
+.Ft int
+.Fo krb5_config_vget_int
+.Fa "krb5_context context"
+.Fa "const krb5_config_section *c"
+.Fa "va_list args"
+.Fc
 .Ft int
-.Fn krb5_config_get_time_default "krb5_context context" "krb5_config_section *c" "int def_value" "..."
+.Fo krb5_config_vget_int_default
+.Fa "krb5_context context"
+.Fa "const krb5_config_section *c"
+.Fa "int def_value"
+.Fa "va_list args"
+.Fc
+.Ft "const krb5_config_binding *"
+.Fo krb5_config_vget_list
+.Fa "krb5_context context"
+.Fa "const krb5_config_section *c"
+.Fa "va_list args"
+.Fc
+.Ft "const void *"
+.Fo krb5_config_vget_next
+.Fa "krb5_context context"
+.Fa "const krb5_config_section *c"
+.Fa "const krb5_config_binding **pointer"
+.Fa "int type"
+.Fa "va_list args"
+.Fc
+.Ft "const char *"
+.Fo krb5_config_vget_string
+.Fa "krb5_context context"
+.Fa "const krb5_config_section *c"
+.Fa "va_list args"
+.Fc
+.Ft "const char *"
+.Fo krb5_config_vget_string_default
+.Fa "krb5_context context"
+.Fa "const krb5_config_section *c"
+.Fa "const char *def_value"
+.Fa "va_list args"
+.Fc
+.Ft char **
+.Fo krb5_config_vget_strings
+.Fa "krb5_context context"
+.Fa "const krb5_config_section *c"
+.Fa "va_list args"
+.Fc
+.Ft int
+.Fo krb5_config_vget_time
+.Fa "krb5_context context"
+.Fa "const krb5_config_section *c"
+.Fa "va_list args"
+.Fc
+.Ft int
+.Fo krb5_config_vget_time_default
+.Fa "krb5_context context"
+.Fa "const krb5_config_section *c"
+.Fa "int def_value"
+.Fa "va_list args"
+.Fc
 .Sh DESCRIPTION
 These functions get values from the
 .Xr krb5.conf 5
@@ -31,7 +244,8 @@ parameter.
 The variable arguments should be a list of strings naming each
 subsection to look for. For example:
 .Bd -literal -offset indent
-krb5_config_get_bool_default(context, NULL, FALSE, "libdefaults", "log_utc", NULL)
+krb5_config_get_bool_default(context, NULL, FALSE, 
+     "libdefaults", "log_utc", NULL);
 .Ed
 .Pp
 gets the boolean value for the
@@ -57,9 +271,37 @@ seconds, so the string
 .Sq 2 weeks
 will be converted to
 1209600 (2 * 7 * 24 * 60 * 60).
-.Sh BUGS
-Other than for the string case, there's no way to tell whether there
-was a value specified or not.
+.Pp
+.Fn krb5_config_get_string
+returns a
+.Ft "const char *"
+to a string in the configuration database.  The string not be valid
+after reload of the configuration database
+.\" or a call to .Fn krb5_config_set_string ,
+so a caller should make a local copy if its need to keep the database.
+.Pp
+.Fn krb5_config_free_strings
+free
+.Fa strings
+as returned by
+.Fn krb5_config_get_strings
+and
+.Fn krb5_config_vget_strings .
+If the argument
+.Fa strings
+is a 
+.Dv NULL
+pointer, no action occurs.
+.Pp
+.Fn krb5_config_file_free
+free the result of
+.Fn krb5_config_parse_file
+and
+.Fn krb5_config_parse_file_multi .
 .Sh SEE ALSO
 .Xr krb5_appdefault 3 ,
+.Xr krb5_init_context 3 ,
 .Xr krb5.conf 5
+.Sh BUGS
+For the default functions, other than for the string case, there's no
+way to tell whether there was a value specified or not.
diff --git a/crypto/heimdal/lib/krb5/krb5_context.3 b/crypto/heimdal/lib/krb5/krb5_context.3
index 95d1120..5bfcc26 100644
--- a/crypto/heimdal/lib/krb5/krb5_context.3
+++ b/crypto/heimdal/lib/krb5/krb5_context.3
@@ -1,35 +1,35 @@
-.\" Copyright (c) 2001 - 200 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" Copyright (c) 2001 - 2003 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.\" $Id: krb5_context.3,v 1.5 2003/03/10 02:19:28 lha Exp $
+.\" $Id: krb5_context.3 12329 2003-05-26 14:09:04Z lha $
 .\"
 .Dd January 21, 2001
 .Dt KRB5_CONTEXT 3
@@ -37,6 +37,10 @@
 .Sh NAME
 .Nm krb5_context
 .Nd krb5 state structure
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
 .Sh DESCRIPTION
 The
 .Nm
diff --git a/crypto/heimdal/lib/krb5/krb5_create_checksum.3 b/crypto/heimdal/lib/krb5/krb5_create_checksum.3
index 6704113..43d5b4e 100644
--- a/crypto/heimdal/lib/krb5/krb5_create_checksum.3
+++ b/crypto/heimdal/lib/krb5/krb5_create_checksum.3
@@ -1,60 +1,146 @@
-.\" Copyright (c) 1999 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" Copyright (c) 1999-2005 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.\" $Id: krb5_create_checksum.3,v 1.6 2003/04/16 13:58:14 lha Exp $
+.\" $Id: krb5_create_checksum.3 15921 2005-08-12 09:01:22Z lha $
 .\"
-.Dd April  7, 1999
+.Dd August 12, 2005
 .Dt NAME 3
 .Os HEIMDAL
 .Sh NAME
+.Nm krb5_checksum ,
+.Nm krb5_checksum_disable ,
 .Nm krb5_checksum_is_collision_proof ,
 .Nm krb5_checksum_is_keyed ,
 .Nm krb5_checksumsize ,
+.Nm krb5_cksumtype_valid ,
+.Nm krb5_copy_checksum ,
 .Nm krb5_create_checksum ,
+.Nm krb5_crypto_get_checksum_type
+.Nm krb5_free_checksum ,
+.Nm krb5_free_checksum_contents ,
+.Nm krb5_hmac ,
 .Nm krb5_verify_checksum
-.Nd creates and verifies checksums
+.Nd creates, handles and verifies checksums
 .Sh LIBRARY
 Kerberos 5 Library (libkrb5, -lkrb5)
 .Sh SYNOPSIS
 .In krb5.h
-.Ft krb5_error_code
-.Fn krb5_create_checksum "krb5_context context" "krb5_crypto crypto" "unsigned usage_or_type" "void *data" "size_t len" "Checksum *result"
-.Ft krb5_error_code
-.Fn krb5_verify_checksum "krb5_context context" "krb5_crypto crypto" "krb5_key_usage usage" "void *data" "size_t len" "Checksum *cksum"
+.Pp
+.Li "typedef Checksum krb5_checksum;"
+.Ft void
+.Fo krb5_checksum_disable
+.Fa "krb5_context context"
+.Fa "krb5_cksumtype type"
+.Fc
 .Ft krb5_boolean
-.Fn krb5_checksum_is_collision_proof "krb5_context context" "krb5_cksumtype type"
+.Fo krb5_checksum_is_collision_proof
+.Fa "krb5_context context"
+.Fa "krb5_cksumtype type"
+.Fc
 .Ft krb5_boolean
-.Fn krb5_checksum_is_keyed "krb5_context context" "krb5_cksumtype type"
+.Fo krb5_checksum_is_keyed
+.Fa "krb5_context context"
+.Fa "krb5_cksumtype type"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_cksumtype_valid
+.Fa "krb5_context context"
+.Fa "krb5_cksumtype ctype"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_checksumsize
+.Fa "krb5_context context"
+.Fa "krb5_cksumtype type"
+.Fa "size_t *size"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_create_checksum
+.Fa "krb5_context context"
+.Fa "krb5_crypto crypto"
+.Fa "krb5_key_usage usage"
+.Fa "int type"
+.Fa "void *data"
+.Fa "size_t len"
+.Fa "Checksum *result"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_verify_checksum
+.Fa "krb5_context context"
+.Fa "krb5_crypto crypto"
+.Fa "krb5_key_usage usage"
+.Fa "void *data"
+.Fa "size_t len"
+.Fa "Checksum *cksum"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_crypto_get_checksum_type
+.Fa "krb5_context context"
+.Fa "krb5_crypto crypto"
+.Fa "krb5_cksumtype *type"
+.Fc
+.Ft void
+.Fo krb5_free_checksum
+.Fa "krb5_context context"
+.Fa "krb5_checksum *cksum"
+.Fc
+.Ft void
+.Fo krb5_free_checksum_contents
+.Fa "krb5_context context"
+.Fa "krb5_checksum *cksum"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_hmac
+.Fa "krb5_context context"
+.Fa "krb5_cksumtype cktype"
+.Fa "const void *data"
+.Fa "size_t len"
+.Fa "unsigned usage"
+.Fa "krb5_keyblock *key"
+.Fa "Checksum *result"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_copy_checksum
+.Fa "krb5_context context"
+.Fa "const krb5_checksum *old"
+.Fa "krb5_checksum **new"
+.Fc
 .Sh DESCRIPTION
-These functions are used to create and verify checksums.
+The
+.Li krb5_checksum
+structure holds a Kerberos checksum.
+There is no component inside
+.Li krb5_checksum
+that is directly referable.
+.Pp
+The functions are used to create and verify checksums.
 .Fn krb5_create_checksum
 creates a checksum of the specified data, and puts it in
 .Fa result .
@@ -73,7 +159,7 @@ specifies a key-usage.
 .Pp
 .Fn krb5_verify_checksum
 verifies the
-.Fa checksum ,
+.Fa checksum
 against the provided data.
 .Pp
 .Fn krb5_checksum_is_collision_proof
@@ -88,8 +174,53 @@ value is a function of both the data, and a separate key). Examples of
 keyed hash algorithms are HMAC-SHA1-DES3, and RSA-MD5-DES. The
 .Dq plain
 hash functions MD5, and SHA1 are not keyed.
+.Pp
+.Fn krb5_crypto_get_checksum_type
+returns the checksum type that will be used when creating a checksum for the given
+.Fa crypto
+context.
+This function is useful in combination with
+.Fn krb5_checksumsize
+when you want to know the size a checksum will
+use when you create it.
+.Pp
+.Fn krb5_cksumtype_valid
+returns 0 or an error if the checksumtype is implemented and not
+currently disabled in this kerberos library.
+.Pp
+.Fn krb5_checksumsize
+returns the size of the outdata of checksum function.
+.Pp
+.Fn krb5_copy_checksum
+returns a copy of the checksum
+.Fn krb5_free_checksum
+should use used to free the
+.Fa new
+checksum.
+.Pp
+.Fn krb5_free_checksum
+free the checksum and the content of the checksum.
+.Pp
+.Fn krb5_free_checksum_contents
+frees the content of checksum in
+.Fa cksum .
+.Pp
+.Fn krb5_hmac
+calculates the HMAC over
+.Fa data
+(with length
+.Fa len )
+using the keyusage
+.Fa usage
+and keyblock
+.Fa key .
+Note that keyusage is not always used in checksums.
+.Pp
+.Nm krb5_checksum_disable
+globally disables the checksum type. 
 .\" .Sh EXAMPLE
 .\" .Sh BUGS
 .Sh SEE ALSO
 .Xr krb5_crypto_init 3 ,
+.Xr krb5_c_encrypt 3 ,
 .Xr krb5_encrypt 3
diff --git a/crypto/heimdal/lib/krb5/krb5_creds.3 b/crypto/heimdal/lib/krb5/krb5_creds.3
new file mode 100644
index 0000000..9eb9a2b
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_creds.3
@@ -0,0 +1,119 @@
+.\" Copyright (c) 2004, 2006 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_creds.3 17383 2006-05-01 07:13:03Z lha $
+.\"
+.Dd May  1, 2006
+.Dt KRB5_CREDS 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_creds ,
+.Nm krb5_copy_creds ,
+.Nm krb5_copy_creds_contents ,
+.Nm krb5_free_creds ,
+.Nm krb5_free_cred_contents
+.Nd Kerberos 5 credential handling functions
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Ft krb5_error_code
+.Fo krb5_copy_creds
+.Fa "krb5_context context"
+.Fa "const krb5_creds *incred"
+.Fa "krb5_creds **outcred"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_copy_creds_contents
+.Fa "krb5_context context"
+.Fa "const krb5_creds *incred"
+.Fa "krb5_creds *outcred"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_free_creds
+.Fa "krb5_context context"
+.Fa "krb5_creds *outcred"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_free_cred_contents
+.Fa "krb5_context context"
+.Fa "krb5_creds *cred"
+.Fc
+.Sh DESCRIPTION
+.Vt krb5_creds
+holds Kerberos credentials:
+.Bd -literal -offset
+typedef struct krb5_creds {
+    krb5_principal	client;
+    krb5_principal	server;
+    krb5_keyblock	session;
+    krb5_times		times;
+    krb5_data		ticket;
+    krb5_data		second_ticket;
+    krb5_authdata	authdata;
+    krb5_addresses	addresses;
+    krb5_ticket_flags	flags;
+} krb5_creds;
+.Ed
+.Pp
+.Fn krb5_copy_creds
+makes a copy of
+.Fa incred
+to
+.Fa outcred .
+.Fa outcred
+should be freed with
+.Fn krb5_free_creds
+by the caller.
+.Pp
+.Fn krb5_copy_creds_contents
+makes a copy of the content of
+.Fa incred
+to
+.Fa outcreds .
+.Fa outcreds
+should be freed by the called with
+.Fn krb5_free_creds_contents .
+.Pp
+.Fn krb5_free_creds
+frees the content of the 
+.Fa cred
+structure and the structure itself.
+.Pp
+.Fn krb5_free_cred_contents
+frees the content of the
+.Fa cred
+structure.
+.Sh SEE ALSO
+.Xr krb5 3 ,
+.Xr krb5_compare_creds 3 ,
+.Xr krb5_get_init_creds 3 ,
+.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_crypto_init.3 b/crypto/heimdal/lib/krb5/krb5_crypto_init.3
index 4b0284c..822006e 100644
--- a/crypto/heimdal/lib/krb5/krb5_crypto_init.3
+++ b/crypto/heimdal/lib/krb5/krb5_crypto_init.3
@@ -1,43 +1,43 @@
 .\" Copyright (c) 1999 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.\" $Id: krb5_crypto_init.3,v 1.6 2003/04/16 13:58:15 lha Exp $
+.\" $Id: krb5_crypto_init.3 13563 2004-03-20 12:00:01Z lha $
 .\"
 .Dd April  7, 1999
 .Dt NAME 3
 .Os HEIMDAL
 .Sh NAME
-.Nm krb5_crypto_init ,
-.Nm krb5_crypto_destroy
-.Nd initialize encryption context
+.Nm krb5_crypto_destroy ,
+.Nm krb5_crypto_init
+.Nd encryption support in krb5
 .Sh LIBRARY
 Kerberos 5 Library (libkrb5, -lkrb5)
 .Sh SYNOPSIS
@@ -47,22 +47,19 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Ft krb5_error_code
 .Fn krb5_crypto_destroy "krb5_context context" "krb5_crypto crypto"
 .Sh DESCRIPTION
-These functions are used to initialize an encryption context that can
-be used to encrypt or checksum data.
+Heimdal exports parts of the Kerberos crypto interface for applications.
 .Pp
-The
-.Fn krb5_crypt_init
-initializes the encrytion context
-.Fa crypto .
-The
-.Fa key
-parameter is the key to use for encryption, and checksums. The
-encryption type to use is taken from the key, but can be overridden
+Each kerberos encrytion/checksum function takes a crypto context.
+.Pp
+To setup and destroy crypto contextes there are two functions
+.Fn krb5_crypto_init
+and
+.Fn krb5_crypto_destroy .
+The encryption type to use is taken from the key, but can be overridden
 with the
 .Fa enctype parameter .
-.Pp
-.Fn krb5_crypto_destroy
-frees a previously allocated encrypion context.
+This can be useful for encryptions types which is compatiable (DES for
+example).
 .\" .Sh EXAMPLE
 .\" .Sh BUGS
 .Sh SEE ALSO
diff --git a/crypto/heimdal/lib/krb5/krb5_data.3 b/crypto/heimdal/lib/krb5/krb5_data.3
index 355d934..2ccff19 100644
--- a/crypto/heimdal/lib/krb5/krb5_data.3
+++ b/crypto/heimdal/lib/krb5/krb5_data.3
@@ -1,50 +1,51 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" Copyright (c) 2003 - 2005, 2007 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
-.\" 
-.\" $Id: krb5_data.3,v 1.4 2003/04/16 13:58:13 lha Exp $
-.\" 
-.Dd March 20, 2003
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_data.3 20040 2007-01-23 20:35:12Z lha $
+.\"
+.Dd Jan 23, 2007
 .Dt KRB5_DATA 3
 .Os HEIMDAL
 .Sh NAME
-.Nm krb5_data
-.Nm krb5_data_zero
-.Nm krb5_data_free
-.Nm krb5_free_data_contents
-.Nm krb5_free_data
-.Nm krb5_data_alloc
-.Nm krb5_data_realloc
-.Nm krb5_data_copy
-.Nm krb5_copy_data
-.Nd operates on the Kerberos datatype krb5_data.
+.Nm krb5_data ,
+.Nm krb5_data_zero ,
+.Nm krb5_data_free ,
+.Nm krb5_free_data_contents ,
+.Nm krb5_free_data ,
+.Nm krb5_data_alloc ,
+.Nm krb5_data_realloc ,
+.Nm krb5_data_copy ,
+.Nm krb5_copy_data ,
+.Nm krb5_data_cmp
+.Nd operates on the Kerberos datatype krb5_data
 .Sh LIBRARY
 Kerberos 5 Library (libkrb5, -lkrb5)
 .Sh SYNOPSIS
@@ -67,6 +68,8 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Fn krb5_data_copy "krb5_data *p" "const void *data" "size_t len"
 .Ft krb5_error_code
 .Fn krb5_copy_data "krb5_context context" "const krb5_data *indata" "krb5_data **outdata"
+.Ft krb5_error_code
+.Fn krb5_data_cmp "const krb5_data *data1" "const krb5_data *data2"
 .Sh DESCRIPTION
 The
 .Li krb5_data
@@ -86,7 +89,9 @@ resets the content of
 .Pp
 .Fn krb5_data_free
 free the data in
-.Fa p .
+.Fa p
+and reset the content of the structure with
+.Fn krb5_data_zero .
 .Pp
 .Fn krb5_free_data_contents
 works the same way as
@@ -99,13 +104,13 @@ frees the data in
 .Fa p
 and
 .Fa p
-itself .
+itself.
 .Pp
 .Fn krb5_data_alloc
 allocates
 .Fa len
 bytes in
-.Fa p
+.Fa p .
 Returns 0 or an error.
 .Pp
 .Fn  krb5_data_realloc
@@ -143,6 +148,11 @@ doesn't contain anything needs to be freed.
 should be freed using
 .Fn krb5_free_data .
 Returns 0 or an error.
+.Pp
+.Fn krb5_data_cmp
+will compare two data object and check if they are the same in a
+simular way as memcmp does it.  The return value can be used for
+sorting.
 .Sh SEE ALSO
 .Xr krb5 3 ,
 .Xr krb5_storage 3 ,
diff --git a/crypto/heimdal/lib/krb5/krb5_digest.3 b/crypto/heimdal/lib/krb5/krb5_digest.3
new file mode 100644
index 0000000..f9d7571
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_digest.3
@@ -0,0 +1,260 @@
+.\" Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_digest.3 20259 2007-02-17 23:49:54Z lha $
+.\"
+.Dd February  18, 2007
+.Dt KRB5_DIGEST 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_digest ,
+.Nm krb5_digest_alloc ,
+.Nm krb5_digest_free ,
+.Nm krb5_digest_set_server_cb ,
+.Nm krb5_digest_set_type ,
+.Nm krb5_digest_set_hostname ,
+.Nm krb5_digest_get_server_nonce ,
+.Nm krb5_digest_set_server_nonce ,
+.Nm krb5_digest_get_opaque ,
+.Nm krb5_digest_set_opaque ,
+.Nm krb5_digest_get_identifier ,
+.Nm krb5_digest_set_identifier ,
+.Nm krb5_digest_init_request ,
+.Nm krb5_digest_set_client_nonce ,
+.Nm krb5_digest_set_digest ,
+.Nm krb5_digest_set_username ,
+.Nm krb5_digest_set_authid ,
+.Nm krb5_digest_set_authentication_user ,
+.Nm krb5_digest_set_realm ,
+.Nm krb5_digest_set_method ,
+.Nm krb5_digest_set_uri ,
+.Nm krb5_digest_set_nonceCount ,
+.Nm krb5_digest_set_qop ,
+.Nm krb5_digest_request ,
+.Nm krb5_digest_get_responseData ,
+.Nm krb5_digest_get_rsp ,
+.Nm krb5_digest_get_tickets ,
+.Nm krb5_digest_get_client_binding ,
+.Nm krb5_digest_get_a1_hash
+.Nd remote digest (HTTP-DIGEST, SASL, CHAP) suppport
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Pp
+.Li "typedef struct krb5_digest *krb5_digest;"
+.Pp
+.Ft krb5_error_code
+.Fo krb5_digest_alloc
+.Fa "krb5_context context"
+.Fa "krb5_digest *digest"
+.Fc
+.Ft void
+.Fo krb5_digest_free
+.Fa "krb5_digest digest"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_digest_set_type
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fa "const char *type"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_digest_set_server_cb
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fa "const char *type"
+.Fa "const char *binding"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_digest_set_hostname
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fa "const char *hostname"
+.Fc
+.Ft "const char *"
+.Fo krb5_digest_get_server_nonce
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_digest_set_server_nonce
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fa "const char *nonce"
+.Fc
+.Ft "const char *"
+.Fo krb5_digest_get_opaque
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_digest_set_opaque
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fa "const char *opaque"
+.Fc
+.Ft "const char *"
+.Fo krb5_digest_get_identifier
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_digest_set_identifier
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fa "const char *id"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_digest_init_request
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fa "krb5_realm realm"
+.Fa "krb5_ccache ccache"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_digest_set_client_nonce
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fa "const char *nonce"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_digest_set_digest
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fa "const char *dgst"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_digest_set_username
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fa "const char *username"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_digest_set_authid
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fa "const char *authid"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_digest_set_authentication_user
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fa "krb5_principal authentication_user"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_digest_set_realm
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fa "const char *realm"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_digest_set_method
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fa "const char *method"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_digest_set_uri
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fa "const char *uri"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_digest_set_nonceCount
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fa "const char *nonce_count"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_digest_set_qop
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fa "const char *qop"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_digest_request
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fa "krb5_realm realm"
+.Fa "krb5_ccache ccache"
+.Fc
+.Ft "const char *"
+.Fo krb5_digest_get_responseData
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fc
+.Ft "const char *"
+.Fo krb5_digest_get_rsp
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_digest_get_tickets
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fa "Ticket **tickets"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_digest_get_client_binding
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fa "char **type"
+.Fa "char **binding"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_digest_get_a1_hash
+.Fa "krb5_context context"
+.Fa "krb5_digest digest"
+.Fa "krb5_data *data"
+.Fc
+.Sh DESCRIPTION
+The
+.Fn krb5_digest_alloc
+function allocatates the
+.Fa digest
+structure.  The structure should be freed with
+.Fn krb5_digest_free
+when it is no longer being used.
+.Pp
+.Fn krb5_digest_alloc
+returns 0 to indicate success.
+Otherwise an kerberos code is returned and the pointer that
+.Fa digest
+points to is set to
+.Dv NULL .
+.Pp
+.Fn krb5_digest_free
+free the structure
+.Fa digest .
+.Sh SEE ALSO
+.Xr krb5 3 ,
+.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_eai_to_heim_errno.3 b/crypto/heimdal/lib/krb5/krb5_eai_to_heim_errno.3
new file mode 100644
index 0000000..fcada92
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_eai_to_heim_errno.3
@@ -0,0 +1,68 @@
+.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_eai_to_heim_errno.3 14086 2004-08-03 11:13:46Z lha $
+.\"
+.Dd April 13, 2004
+.Dt KRB5_EAI_TO_HEIM_ERRNO 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_eai_to_heim_errno ,
+.Nm krb5_h_errno_to_heim_errno
+.Nd convert resolver error code to com_err error codes
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Ft krb5_error_code
+.Fo krb5_eai_to_heim_errno
+.Fa "int eai_errno"
+.Fa "int system_error"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_h_errno_to_heim_errno
+.Fa "int eai_errno"
+.Fc
+.Sh DESCRIPTION
+.Fn krb5_eai_to_heim_errno
+and
+.Fn krb5_h_errno_to_heim_errno
+convert
+.Xr getaddrinfo 3 ,
+.Xr getnameinfo 3 ,
+and
+.Xr h_errno 3
+to com_err error code that are used by Heimdal, this is useful for for
+function returning kerberos errors and needs to communicate failures
+from resolver function.
+.Sh SEE ALSO
+.Xr krb5 3 ,
+.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_encrypt.3 b/crypto/heimdal/lib/krb5/krb5_encrypt.3
index 84140bf..76cb4c7 100644
--- a/crypto/heimdal/lib/krb5/krb5_encrypt.3
+++ b/crypto/heimdal/lib/krb5/krb5_encrypt.3
@@ -1,61 +1,192 @@
-.\" Copyright (c) 1999 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" Copyright (c) 1999 - 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.\" $Id: krb5_encrypt.3,v 1.7 2003/04/16 13:58:15 lha Exp $
+.\" $Id: krb5_encrypt.3 22071 2007-11-14 20:04:50Z lha $
 .\"
-.Dd April  7, 1999
+.Dd March 20, 2004
 .Dt KRB5_ENCRYPT 3
 .Os HEIMDAL
 .Sh NAME
+.Nm krb5_crypto_getblocksize ,
+.Nm krb5_crypto_getconfoundersize
+.Nm krb5_crypto_getenctype ,
+.Nm krb5_crypto_getpadsize ,
+.Nm krb5_crypto_overhead ,
 .Nm krb5_decrypt ,
 .Nm krb5_decrypt_EncryptedData ,
+.Nm krb5_decrypt_ivec ,
+.Nm krb5_decrypt_ticket ,
 .Nm krb5_encrypt ,
-.Nm krb5_encrypt_EncryptedData
-.Nd encrypt and decrypt data
+.Nm krb5_encrypt_EncryptedData ,
+.Nm krb5_encrypt_ivec ,
+.Nm krb5_enctype_disable ,
+.Nm krb5_enctype_keysize ,
+.Nm krb5_enctype_to_string ,
+.Nm krb5_enctype_valid ,
+.Nm krb5_get_wrapped_length ,
+.Nm krb5_string_to_enctype
+.Nd "encrypt and decrypt data, set and get encryption type parameters"
 .Sh LIBRARY
 Kerberos 5 Library (libkrb5, -lkrb5)
 .Sh SYNOPSIS
 .In krb5.h
 .Ft krb5_error_code
-.Fn krb5_encrypt "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "krb5_data *result"
+.Fo krb5_encrypt
+.Fa "krb5_context context"
+.Fa "krb5_crypto crypto"
+.Fa "unsigned usage"
+.Fa "void *data"
+.Fa "size_t len"
+.Fa "krb5_data *result"
+.Fc
 .Ft krb5_error_code
-.Fn krb5_encrypt_EncryptedData "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "int kvno" "EncryptedData *result"
+.Fo krb5_encrypt_EncryptedData
+.Fa "krb5_context context"
+.Fa "krb5_crypto crypto"
+.Fa "unsigned usage"
+.Fa "void *data"
+.Fa "size_t len"
+.Fa "int kvno"
+.Fa "EncryptedData *result"
+.Fc
 .Ft krb5_error_code
-.Fn krb5_decrypt "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "krb5_data *result"
+.Fo krb5_encrypt_ivec
+.Fa "krb5_context context"
+.Fa "krb5_crypto crypto"
+.Fa "unsigned usage"
+.Fa "void *data"
+.Fa "size_t len"
+.Fa "krb5_data *result"
+.Fa "void *ivec"
+.Fc
 .Ft krb5_error_code
-.Fn krb5_decrypt_EncryptedData "krb5_context context" "krb5_crypto crypto" "unsigned usage" "EncryptedData *e" "krb5_data *result"
+.Fo krb5_decrypt
+.Fa "krb5_context context"
+.Fa "krb5_crypto crypto"
+.Fa "unsigned usage"
+.Fa "void *data"
+.Fa "size_t len"
+.Fa "krb5_data *result"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_decrypt_EncryptedData
+.Fa "krb5_context context"
+.Fa "krb5_crypto crypto"
+.Fa "unsigned usage"
+.Fa "EncryptedData *e"
+.Fa "krb5_data *result"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_decrypt_ivec
+.Fa "krb5_context context"
+.Fa "krb5_crypto crypto"
+.Fa "unsigned usage"
+.Fa "void *data"
+.Fa "size_t len"
+.Fa "krb5_data *result"
+.Fa "void *ivec"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_decrypt_ticket
+.Fa "krb5_context context"
+.Fa "Ticket *ticket"
+.Fa "krb5_keyblock *key"
+.Fa "EncTicketPart *out"
+.Fa "krb5_flags flags"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_crypto_getblocksize
+.Fa "krb5_context context"
+.Fa "size_t *blocksize"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_crypto_getenctype
+.Fa "krb5_context context"
+.Fa "krb5_crypto crypto"
+.Fa "krb5_enctype *enctype"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_crypto_getpadsize
+.Fa "krb5_context context"
+.Fa size_t *padsize"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_crypto_getconfoundersize
+.Fa "krb5_context context"
+.Fa "krb5_crypto crypto
+.Fa size_t *confoundersize"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_enctype_keysize
+.Fa "krb5_context context"
+.Fa "krb5_enctype type"
+.Fa "size_t *keysize"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_crypto_overhead
+.Fa "krb5_context context"
+.Fa size_t *padsize"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_string_to_enctype
+.Fa "krb5_context context"
+.Fa "const char *string"
+.Fa "krb5_enctype *etype"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_enctype_to_string
+.Fa "krb5_context context"
+.Fa "krb5_enctype etype"
+.Fa "char **string"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_enctype_valid
+.Fa "krb5_context context"
+.Fa "krb5_enctype etype"
+.Fc
+.Ft void
+.Fo krb5_enctype_disable
+.Fa "krb5_context context"
+.Fa "krb5_enctype etype"
+.Fc
+.Ft size_t
+.Fo krb5_get_wrapped_length
+.Fa "krb5_context context"
+.Fa "krb5_crypto crypto"
+.Fa "size_t data_len"
+.Fc
 .Sh DESCRIPTION
 These functions are used to encrypt and decrypt data.
 .Pp
-.Fn krb5_encrypt
+.Fn krb5_encrypt_ivec
 puts the encrypted version of
 .Fa data
 (of size
@@ -65,6 +196,20 @@ in
 If the encryption type supports using derived keys,
 .Fa usage
 should be the appropriate key-usage.
+.Fa ivec
+is a pointer to a initial IV, it is modified to the end IV at the end of
+the round.
+Ivec should be the size of 
+If
+.Dv NULL
+is passed in, the default IV is used.
+.Fn krb5_encrypt
+does the same as
+.Fn krb5_encrypt_ivec
+but with
+.Fa ivec
+being
+.Dv NULL .
 .Fn krb5_encrypt_EncryptedData
 does the same as
 .Fn krb5_encrypt ,
@@ -72,14 +217,60 @@ but it puts the encrypted data in a
 .Fa EncryptedData
 structure instead. If
 .Fa kvno
-is not zero, it will be put in the
-.Fa kvno field in the
+is not zero, it will be put in the (optional)
+.Fa kvno
+field in the
 .Fa EncryptedData .
 .Pp
+.Fn krb5_decrypt_ivec ,
 .Fn krb5_decrypt ,
 and
 .Fn krb5_decrypt_EncryptedData
 works similarly.
+.Pp
+.Fn krb5_decrypt_ticket
+decrypts the encrypted part of 
+.Fa ticket
+with
+.Fa key .
+.Fn krb5_decrypt_ticket
+also verifies the timestamp in the ticket, invalid flag and if the KDC
+haven't verified the transited path, the transit path.
+.Pp
+.Fn krb5_enctype_keysize ,
+.Fn krb5_crypto_getconfoundersize ,
+.Fn krb5_crypto_getblocksize ,
+.Fn krb5_crypto_getenctype ,
+.Fn krb5_crypto_getpadsize ,
+.Fn krb5_crypto_overhead
+all returns various (sometimes) useful information from a crypto context.
+.Fn krb5_crypto_overhead
+is the combination of krb5_crypto_getconfoundersize,
+krb5_crypto_getblocksize and krb5_crypto_getpadsize and return the
+maximum overhead size.
+.Pp
+.Fn krb5_enctype_to_string
+converts a encryption type number to a string that can be printable
+and stored. The strings returned should be freed with
+.Xr free 3 .
+.Pp
+.Fn krb5_string_to_enctype
+converts a encryption type strings to a encryption type number that
+can use used for other Kerberos crypto functions.
+.Pp
+.Fn krb5_enctype_valid
+returns 0 if the encrypt is supported and not disabled, otherwise and
+error code is returned.
+.Pp
+.Fn krb5_enctype_disable
+(globally, for all contextes) disables the
+.Fa enctype .
+.Pp
+.Fn krb5_get_wrapped_length
+returns the size of an encrypted packet by
+.Fa crypto
+of length
+.Fa data_len .
 .\" .Sh EXAMPLE
 .\" .Sh BUGS
 .Sh SEE ALSO
diff --git a/crypto/heimdal/lib/krb5/krb5_err.et b/crypto/heimdal/lib/krb5/krb5_err.et
index 3427923..6714401 100644
--- a/crypto/heimdal/lib/krb5/krb5_err.et
+++ b/crypto/heimdal/lib/krb5/krb5_err.et
@@ -3,7 +3,7 @@
 #
 # This might look like a com_err file, but is not
 #
-id "$Id: krb5_err.et,v 1.9 2000/04/06 00:41:37 assar Exp $"
+id "$Id: krb5_err.et 21050 2007-06-12 02:00:40Z lha $"
 
 error_table krb5
 
@@ -35,8 +35,10 @@ error_code KEY_EXPIRED,		"Password has expired"
 error_code PREAUTH_FAILED,	"Preauthentication failed"
 error_code PREAUTH_REQUIRED,	"Additional pre-authentication required"
 error_code SERVER_NOMATCH,	"Requested server and ticket don't match"
+error_code KDC_ERR_MUST_USE_USER2USER, "Server principal valid for user2user only"
+error_code PATH_NOT_ACCEPTED,   "KDC Policy rejects transited path"
+error_code SVC_UNAVAILABLE, 	"A service is not available"
 
-# 27-30 are reserved
 index 31
 prefix KRB5KRB_AP
 error_code ERR_BAD_INTEGRITY,	"Decrypt integrity check failed"
@@ -70,28 +72,45 @@ error_code FIELD_TOOLONG,	"Field is too long for this implementation"
 
 # pkinit
 index 62
-prefix KDC_ERROR
+prefix KRB5_KDC_ERR
 error_code CLIENT_NOT_TRUSTED,	"Client not trusted"
 error_code KDC_NOT_TRUSTED,	"KDC not trusted"
 error_code INVALID_SIG,		"Invalid signature"
-error_code KEY_TOO_WEAK,	"Key too weak"
-error_code CERTIFICATE_MISMATCH, "Certificate mismatch"
+error_code DH_KEY_PARAMETERS_NOT_ACCEPTED, "DH parameters not accepted"
+
+index 68
+prefix KRB5_KDC_ERR
+error_code WRONG_REALM,		"Wrong realm"
+
+index 69
 prefix KRB5_AP_ERR
 error_code USER_TO_USER_REQUIRED, "User to user required"
-prefix KDC_ERROR
-error_code CANT_VERIFY_CERTIFICATE, "Cannot verify certificate"
-error_code INVALID_CERTIFICATE,	"Invalid certificate"
-error_code REVOKED_CERTIFICATE,	"Revoked certificate"
-error_code REVOCATION_STATUS_UNKNOWN,	"Revocation status unknown"
-error_code REVOCATION_STATUS_UNAVAILABLE,"Revocation status unavailable"
-error_code CLIENT_NAME_MISMATCH,	"Client name mismatch"
-error_code KDC_NAME_MISMATCH,	"KDC name mismatch"
 
-# 77-127 are reserved
+index 70
+prefix KRB5_KDC_ERR
+error_code CANT_VERIFY_CERTIFICATE, "Cannot verify certificate"
+error_code INVALID_CERTIFICATE, "Certificate invalid"
+error_code REVOKED_CERTIFICATE, "Certificate revoked"
+error_code REVOCATION_STATUS_UNKNOWN, "Revocation status unknown"
+error_code REVOCATION_STATUS_UNAVAILABLE, "Revocation status unavaible"
+error_code CLIENT_NAME_MISMATCH, "Client name mismatch in certificate"
+error_code INCONSISTENT_KEY_PURPOSE, "Inconsistent key purpose"
+error_code DIGEST_IN_CERT_NOT_ACCEPTED, "Digest in certificate not accepted"
+error_code PA_CHECKSUM_MUST_BE_INCLUDED, "paChecksum must be included"
+error_code DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED, "Digest in signedData not accepted"
+error_code PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED, "Public key encryption not supported"
+
+## these are never used
+#index 80
+#prefix KRB5_IAKERB
+#error_code ERR_KDC_NOT_FOUND,	"IAKERB proxy could not find a KDC"
+#error_code ERR_KDC_NO_RESPONSE,	"IAKERB proxy never reeived a response from a KDC"
+
+# 82-127 are reserved
 
 index 128
 prefix
-error_code KRB5_ERR_RCSID,	"$Id: krb5_err.et,v 1.9 2000/04/06 00:41:37 assar Exp $"
+error_code KRB5_ERR_RCSID,	"$Id: krb5_err.et 21050 2007-06-12 02:00:40Z lha $"
 
 error_code KRB5_LIBOS_BADLOCKFLAG,	"Invalid flag for file lock mode"
 error_code KRB5_LIBOS_CANTREADPWD,	"Cannot read password"
@@ -186,6 +205,7 @@ error_code KRB5_FCC_INTERNAL,		"Internal file credentials cache error"
 error_code KRB5_CC_WRITE,		"Error writing to credentials cache file"
 error_code KRB5_CC_NOMEM,		"No more memory to allocate (in credentials cache code)"
 error_code KRB5_CC_FORMAT,		"Bad format in credentials cache"
+error_code KRB5_CC_NOT_KTYPE,		"No credentials found with supported encryption types"
 
 # errors for dual tgt library calls
 error_code KRB5_INVALID_FLAGS,		"Invalid KDC option combination (library internal error)"
@@ -230,6 +250,17 @@ error_code KRB5_GET_IN_TKT_LOOP,  "Looping detected inside krb5_get_in_tkt"
 error_code KRB5_CONFIG_NODEFREALM,	"Configuration file does not specify default realm"
 
 error_code KRB5_SAM_UNSUPPORTED,  "Bad SAM flags in obtain_sam_padata"
-error_code KRB5_KT_NAME_TOOLONG,	"Keytab name too long"
+error_code KRB5_SAM_INVALID_ETYPE,  "Invalid encryption type in SAM challenge"
+error_code KRB5_SAM_NO_CHECKSUM,  "Missing checksum in SAM challenge"
+error_code KRB5_SAM_BAD_CHECKSUM,  "Bad checksum in SAM challenge"
+
+index 238
+error_code KRB5_OBSOLETE_FN,	"Program called an obsolete, deleted function"
+
+index 245
+error_code KRB5_ERR_BAD_S2K_PARAMS, "Invalid key generation parameters from KDC"
+error_code KRB5_ERR_NO_SERVICE,	"Service not available"
+error_code KRB5_CC_NOSUPP,      "Credential cache function not supported"
+error_code KRB5_DELTAT_BADFORMAT,	"Invalid format of Kerberos lifetime or clock skew string"
 
 end
diff --git a/crypto/heimdal/lib/krb5/krb5_expand_hostname.3 b/crypto/heimdal/lib/krb5/krb5_expand_hostname.3
new file mode 100644
index 0000000..ffd98da
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_expand_hostname.3
@@ -0,0 +1,93 @@
+.\" Copyright (c) 2004 - 2006 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_expand_hostname.3 17461 2006-05-05 13:13:18Z lha $
+.\"
+.Dd May  5, 2006
+.Dt KRB5_EXPAND_HOSTNAME 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_expand_hostname ,
+.Nm krb5_expand_hostname_realms
+.Nd Kerberos 5 host name canonicalization functions
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Pp
+.Ft krb5_error_code
+.Fo krb5_expand_hostname
+.Fa "krb5_context context"
+.Fa "const char *orig_hostname"
+.Fa "char **new_hostname"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_expand_hostname_realms
+.Fa "krb5_context context"
+.Fa "const char *orig_hostname"
+.Fa "char **new_hostname"
+.Fa "char ***realms"
+.Fc
+.Sh DESCRIPTION
+.Fn krb5_expand_hostname
+tries to make
+.Fa orig_hostname
+into a more canonical one in the newly allocated space returned in
+.Fa new_hostname .
+Caller must free the hostname with
+.Xr free 3 .
+.Pp
+.Fn krb5_expand_hostname_realms
+expands
+.Fa orig_hostname
+to a name we believe to be a hostname in newly
+allocated space in
+.Fa new_hostname
+and return the realms
+.Fa new_hostname
+is belive to belong to in
+.Fa realms .
+.Fa Realms
+is a array terminated with
+.Dv NULL .
+Caller must free the
+.Fa realms
+with
+.Fn krb5_free_host_realm 
+and
+.Fa new_hostname
+with
+.Xr free 3 .
+.Sh SEE ALSO
+.Xr krb5 3 ,
+.Xr krb5_free_host_realm 3 ,
+.Xr krb5_get_host_realm 3 ,
+.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_find_padata.3 b/crypto/heimdal/lib/krb5/krb5_find_padata.3
new file mode 100644
index 0000000..b726784
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_find_padata.3
@@ -0,0 +1,87 @@
+.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_find_padata.3 13595 2004-03-21 13:17:41Z lha $
+.\"
+.Dd March 21, 2004
+.Dt KRB5_FIND_PADATA 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_find_padata ,
+.Nm krb5_padata_add
+.Nd Kerberos 5 pre-authentication data handling functions
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Pp
+.Ft "PA_DATA *"
+.Fo krb5_find_padata
+.Fa "PA_DATA *val"
+.Fa "unsigned len"
+.Fa "int type"
+.Fa "int *index"
+.Fc
+.Ft int
+.Fo krb5_padata_add
+.Fa "krb5_context context"
+.Fa "METHOD_DATA *md"
+.Fa "int type"
+.Fa "void *buf"
+.Fa "size_t len"
+.Fc
+.Sh DESCRIPTION
+.Fn krb5_find_padata
+tries to find the pre-authentication data entry of type
+.Fa type
+in the array
+.Fa val
+of length
+.Fa len .
+The search is started at entry pointed out by
+.Fa *index
+(zero based indexing).
+If the type isn't found,
+.Dv NULL
+is returned.
+.Pp
+.Fn krb5_padata_add
+adds a pre-authentication data entry of type
+.Fa type
+pointed out by
+.Fa buf
+and
+.Fa len
+to
+.Fa md .
+.Sh SEE ALSO
+.Xr krb5 3 ,
+.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_generate_random_block.3 b/crypto/heimdal/lib/krb5/krb5_generate_random_block.3
new file mode 100644
index 0000000..4b46954
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_generate_random_block.3
@@ -0,0 +1,57 @@
+.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_generate_random_block.3 17385 2006-05-01 08:48:55Z lha $
+.\"
+.Dd March 21, 2004
+.Dt KRB5_GENERATE_RANDOM_BLOCK 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_generate_random_block
+.Nd Kerberos 5 random functions
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Ft void
+.Fo krb5_generate_random_block
+.Fa "void *buf"
+.Fa "size_t len"
+.Fc
+.Sh DESCRIPTION
+.Fn krb5_generate_random_block
+generates a cryptographically strong pseudo-random block into the buffer
+.Fa buf
+of length
+.Fa len .
+.Sh SEE ALSO
+.Xr krb5 3 ,
+.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krb5_get_all_client_addrs.3 b/crypto/heimdal/lib/krb5/krb5_get_all_client_addrs.3
index 0aef63e3..f6f4c85 100644
--- a/crypto/heimdal/lib/krb5/krb5_get_all_client_addrs.3
+++ b/crypto/heimdal/lib/krb5/krb5_get_all_client_addrs.3
@@ -1,38 +1,39 @@
 .\" Copyright (c) 2001 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.\" $Id: krb5_get_all_client_addrs.3,v 1.6 2003/04/16 13:58:16 lha Exp $
+.\" $Id: krb5_get_all_client_addrs.3 12329 2003-05-26 14:09:04Z lha $
 .\"
 .Dd July  1, 2001
 .Dt KRB5_GET_ADDRS 3
+.Os HEIMDAL
 .Sh NAME
 .Nm krb5_get_all_client_addrs ,
 .Nm krb5_get_all_server_addrs
diff --git a/crypto/heimdal/lib/krb5/krb5_get_credentials.3 b/crypto/heimdal/lib/krb5/krb5_get_credentials.3
new file mode 100644
index 0000000..32e0ffe
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_get_credentials.3
@@ -0,0 +1,208 @@
+.\" Copyright (c) 2004 - 2005 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_get_credentials.3 22071 2007-11-14 20:04:50Z lha $
+.\"
+.Dd July 26, 2004
+.Dt KRB5_GET_CREDENTIALS 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_get_credentials ,
+.Nm krb5_get_credentials_with_flags ,
+.Nm krb5_get_cred_from_kdc ,
+.Nm krb5_get_cred_from_kdc_opt ,
+.Nm krb5_get_kdc_cred ,
+.Nm krb5_get_renewed_creds
+.Nd get credentials from the KDC using krbtgt
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Ft krb5_error_code
+.Fo krb5_get_credentials
+.Fa "krb5_context context"
+.Fa "krb5_flags options"
+.Fa "krb5_ccache ccache"
+.Fa "krb5_creds *in_creds"
+.Fa "krb5_creds **out_creds"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_credentials_with_flags
+.Fa "krb5_context context"
+.Fa "krb5_flags options"
+.Fa "krb5_kdc_flags flags"
+.Fa "krb5_ccache ccache"
+.Fa "krb5_creds *in_creds"
+.Fa "krb5_creds **out_creds"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_cred_from_kdc
+.Fa "krb5_context context"
+.Fa "krb5_ccache ccache"
+.Fa "krb5_creds *in_creds"
+.Fa "krb5_creds **out_creds"
+.Fa "krb5_creds ***ret_tgts"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_cred_from_kdc_opt
+.Fa "krb5_context context"
+.Fa "krb5_ccache ccache"
+.Fa "krb5_creds *in_creds"
+.Fa "krb5_creds **out_creds"
+.Fa "krb5_creds ***ret_tgts"
+.Fa "krb5_flags flags"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_kdc_cred
+.Fa "krb5_context context"
+.Fa "krb5_ccache id"
+.Fa "krb5_kdc_flags flags"
+.Fa "krb5_addresses *addresses"
+.Fa "Ticket  *second_ticket"
+.Fa "krb5_creds *in_creds"
+.Fa "krb5_creds **out_creds"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_renewed_creds
+.Fa "krb5_context context"
+.Fa "krb5_creds *creds"
+.Fa "krb5_const_principal client"
+.Fa "krb5_ccache ccache"
+.Fa "const char *in_tkt_service"
+.Fc
+.Sh DESCRIPTION
+.Fn krb5_get_credentials_with_flags
+get credentials specified by
+.Fa in_creds->server
+and
+.Fa in_creds->client
+(the rest of the
+.Fa in_creds
+structure is ignored)
+by first looking in the
+.Fa ccache
+and if doesn't exists or is expired, fetch the credential from the KDC
+using the krbtgt in
+.Fa ccache .
+The credential is returned in
+.Fa out_creds
+and should be freed using the function
+.Fn krb5_free_creds .
+.Pp
+Valid flags to pass into
+.Fa options
+argument are:
+.Pp
+.Bl -tag -width "KRB5_GC_USER_USER" -compact
+.It KRB5_GC_CACHED
+Only check the
+.Fa ccache ,
+don't got out on network to fetch credential.
+.It KRB5_GC_USER_USER
+Request a user to user ticket.
+This option doesn't store the resulting user to user credential in
+the
+.Fa ccache .
+.It KRB5_GC_EXPIRED_OK
+returns the credential even if it is expired, default behavior is trying
+to refetch the credential from the KDC.
+.El
+.Pp
+.Fa Flags
+are KDCOptions, note the caller must fill in the bit-field and not
+use the integer associated structure.
+.Pp
+.Fn krb5_get_credentials
+works the same way as
+.Fn krb5_get_credentials_with_flags
+except that the
+.Fa flags
+field is missing.
+.Pp
+.Fn krb5_get_cred_from_kdc
+and
+.Fn krb5_get_cred_from_kdc_opt
+fetches the credential from the KDC very much like
+.Fn krb5_get_credentials, but doesn't look in the
+.Fa ccache
+if the credential exists there first.
+.Pp
+.Fn krb5_get_kdc_cred
+does the same as the functions above, but the caller must fill in all
+the information andits closer to the wire protocol.
+.Pp
+.Fn krb5_get_renewed_creds
+renews a credential given by
+.Fa in_tkt_service
+(if
+.Dv NULL
+the default
+.Li krbtgt )
+using the credential cache
+.Fa ccache .
+The result is stored in
+.Fa creds
+and should be freed using
+.Fa krb5_free_creds .
+.Sh EXAMPLES
+Here is a example function that get a credential from a credential cache
+.Fa id
+or the KDC and returns it to the caller.
+.Bd -literal
+#include <krb5.h>
+
+int
+getcred(krb5_context context, krb5_ccache id, krb5_creds **creds)
+{
+    krb5_error_code ret;
+    krb5_creds in;
+
+    ret = krb5_parse_name(context, "client@EXAMPLE.COM", 
+			  &in.client);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    ret = krb5_parse_name(context, "host/server.example.com@EXAMPLE.COM",
+			  &in.server);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    ret = krb5_get_credentials(context, 0, id, &in, creds);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_get_credentials");
+
+    return 0;
+}
+.Ed
+.Sh SEE ALSO
+.Xr krb5 3 ,
+.Xr krb5_get_forwarded_creds 3 ,
+.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krb5_get_creds.3 b/crypto/heimdal/lib/krb5/krb5_get_creds.3
new file mode 100644
index 0000000..189c93f
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_get_creds.3
@@ -0,0 +1,173 @@
+.\" Copyright (c) 2006 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_get_creds.3 22071 2007-11-14 20:04:50Z lha $
+.\"
+.Dd June 15, 2006
+.Dt KRB5_GET_CREDS 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_get_creds ,
+.Nm krb5_get_creds_opt_add_options ,
+.Nm krb5_get_creds_opt_alloc ,
+.Nm krb5_get_creds_opt_free ,
+.Nm krb5_get_creds_opt_set_enctype ,
+.Nm krb5_get_creds_opt_set_impersonate ,
+.Nm krb5_get_creds_opt_set_options ,
+.Nm krb5_get_creds_opt_set_ticket
+.Nd get credentials from the KDC
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Ft krb5_error_code
+.Fo krb5_get_creds
+.Fa "krb5_context context"
+.Fa "krb5_get_creds_opt opt"
+.Fa "krb5_ccache ccache"
+.Fa "krb5_const_principal inprinc"
+.Fa "krb5_creds **out_creds"
+.Fc
+.Ft void
+.Fo krb5_get_creds_opt_add_options
+.Fa "krb5_context context"
+.Fa "krb5_get_creds_opt opt"
+.Fa "krb5_flags options"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_creds_opt_alloc
+.Fa "krb5_context context"
+.Fa "krb5_get_creds_opt *opt"
+.Fc
+.Ft void
+.Fo krb5_get_creds_opt_free
+.Fa "krb5_context context"
+.Fa "krb5_get_creds_opt opt"
+.Fc
+.Ft void
+.Fo krb5_get_creds_opt_set_enctype
+.Fa "krb5_context context"
+.Fa "krb5_get_creds_opt opt"
+.Fa "krb5_enctype enctype"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_creds_opt_set_impersonate
+.Fa "krb5_context context"
+.Fa "krb5_get_creds_opt opt"
+.Fa "krb5_const_principal self"
+.Fc
+.Ft void
+.Fo krb5_get_creds_opt_set_options
+.Fa "krb5_context context"
+.Fa "krb5_get_creds_opt opt"
+.Fa "krb5_flags options"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_creds_opt_set_ticket
+.Fa "krb5_context context"
+.Fa "krb5_get_creds_opt opt"
+.Fa "const Ticket *ticket"
+.Fc
+.Sh DESCRIPTION
+.Fn krb5_get_creds
+fetches credentials specified by
+.Fa opt
+by first looking in the
+.Fa ccache ,
+and then it doesn't exists, fetch the credential from the KDC
+using the krbtgts in
+.Fa ccache .
+The credential is returned in
+.Fa out_creds
+and should be freed using the function
+.Fn krb5_free_creds .
+.Pp
+The structure
+.Li krb5_get_creds_opt
+controls the behavior of
+.Fn krb5_get_creds .
+The structure is opaque to consumers that can set the content of the
+structure with accessors functions. All accessor functions make copies
+of the data that is passed into accessor functions, so external
+consumers free the memory before calling
+.Fn krb5_get_creds .
+.Pp
+The structure
+.Li krb5_get_creds_opt
+is allocated with
+.Fn krb5_get_creds_opt_alloc
+and freed with
+.Fn krb5_get_creds_opt_free .
+The free function also frees the content of the structure set by the
+accessor functions.
+.Pp
+.Fn krb5_get_creds_opt_add_options
+and
+.Fn krb5_get_creds_opt_set_options
+adds and sets options to the
+.Fi krb5_get_creds_opt
+structure .
+The possible options to set are
+.Bl -tag -width "KRB5_GC_USER_USER" -compact
+.It KRB5_GC_CACHED
+Only check the
+.Fa ccache ,
+don't got out on network to fetch credential.
+.It KRB5_GC_USER_USER
+request a user to user ticket.
+This options doesn't store the resulting user to user credential in
+the
+.Fa ccache .
+.It KRB5_GC_EXPIRED_OK
+returns the credential even if it is expired, default behavior is trying
+to refetch the credential from the KDC.
+.It KRB5_GC_NO_STORE
+Do not store the resulting credentials in the
+.Fa ccache .
+.El
+.Pp
+.Fn krb5_get_creds_opt_set_enctype
+sets the preferred encryption type of the application. Don't set this
+unless you have to since if there is no match in the KDC, the function
+call will fail.
+.Pp
+.Fn krb5_get_creds_opt_set_impersonate
+sets the principal to impersonate., Returns a ticket that have the
+impersonation principal as a client and the requestor as the
+service. Note that the requested principal have to be the same as the
+client principal in the krbtgt.
+.Pp
+.Fn krb5_get_creds_opt_set_ticket
+sets the extra ticket used in user-to-user or contrained delegation use case.
+.Sh SEE ALSO
+.Xr krb5 3 ,
+.Xr krb5_get_credentials 3 ,
+.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krb5_get_forwarded_creds.3 b/crypto/heimdal/lib/krb5/krb5_get_forwarded_creds.3
new file mode 100644
index 0000000..bbe46ec
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_get_forwarded_creds.3
@@ -0,0 +1,79 @@
+.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_get_forwarded_creds.3 14068 2004-07-26 13:34:33Z lha $
+.\"
+.Dd July 26, 2004
+.Dt KRB5_GET_FORWARDED_CREDS 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_get_forwarded_creds ,
+.Nm krb5_fwd_tgt_creds
+.Nd get forwarded credentials from the KDC
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Ft krb5_error_code
+.Fo krb5_get_forwarded_creds
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa "krb5_ccache ccache"
+.Fa "krb5_flags flags"
+.Fa "const char *hostname"
+.Fa "krb5_creds *in_creds"
+.Fa "krb5_data *out_data"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_fwd_tgt_creds
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa "const char *hostname"
+.Fa "krb5_principal client"
+.Fa "krb5_principal server"
+.Fa "krb5_ccache ccache"
+.Fa "int forwardable"
+.Fa "krb5_data *out_data"
+.Fc
+.Sh DESCRIPTION
+.Fn krb5_get_forwarded_creds
+and
+.Fn krb5_fwd_tgt_creds
+get tickets forwarded to
+.Fa hostname.
+If the tickets that are forwarded are address-less, the forwarded
+tickets will also be address-less, otherwise
+.Fa hostname
+will be used for figure out the address to forward the ticket too.
+.Sh SEE ALSO
+.Xr krb5 3 ,
+.Xr krb5_get_credentials 3 ,
+.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krb5_get_in_cred.3 b/crypto/heimdal/lib/krb5/krb5_get_in_cred.3
new file mode 100644
index 0000000..290e3c5
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_get_in_cred.3
@@ -0,0 +1,274 @@
+.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_get_in_cred.3 17593 2006-05-29 14:55:18Z lha $
+.\"
+.Dd May 31, 2003
+.Dt KRB5_GET_IN_TKT 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_get_in_tkt ,
+.Nm krb5_get_in_cred ,
+.Nm krb5_get_in_tkt_with_password ,
+.Nm krb5_get_in_tkt_with_keytab ,
+.Nm krb5_get_in_tkt_with_skey ,
+.Nm krb5_free_kdc_rep ,
+.Nm krb5_password_key_proc
+.Nd deprecated initial authentication functions
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Pp
+.Ft krb5_error_code
+.Fo krb5_get_in_tkt
+.Fa "krb5_context context"
+.Fa "krb5_flags options"
+.Fa "const krb5_addresses *addrs"
+.Fa "const krb5_enctype *etypes"
+.Fa "const krb5_preauthtype *ptypes"
+.Fa "krb5_key_proc key_proc"
+.Fa "krb5_const_pointer keyseed"
+.Fa "krb5_decrypt_proc decrypt_proc"
+.Fa "krb5_const_pointer decryptarg"
+.Fa "krb5_creds *creds"
+.Fa "krb5_ccache ccache"
+.Fa "krb5_kdc_rep *ret_as_reply"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_in_cred
+.Fa "krb5_context context"
+.Fa "krb5_flags options"
+.Fa "const krb5_addresses *addrs"
+.Fa "const krb5_enctype *etypes"
+.Fa "const krb5_preauthtype *ptypes"
+.Fa "const krb5_preauthdata *preauth"
+.Fa "krb5_key_proc key_proc"
+.Fa "krb5_const_pointer keyseed"
+.Fa "krb5_decrypt_proc decrypt_proc"
+.Fa "krb5_const_pointer decryptarg"
+.Fa "krb5_creds *creds"
+.Fa "krb5_kdc_rep *ret_as_reply"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_in_tkt_with_password
+.Fa "krb5_context context"
+.Fa "krb5_flags options"
+.Fa "krb5_addresses *addrs"
+.Fa "const krb5_enctype *etypes"
+.Fa "const krb5_preauthtype *pre_auth_types"
+.Fa "const char *password"
+.Fa "krb5_ccache ccache"
+.Fa "krb5_creds *creds"
+.Fa "krb5_kdc_rep *ret_as_reply"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_in_tkt_with_keytab
+.Fa "krb5_context context"
+.Fa "krb5_flags options"
+.Fa "krb5_addresses *addrs"
+.Fa "const krb5_enctype *etypes"
+.Fa "const krb5_preauthtype *pre_auth_types"
+.Fa "krb5_keytab keytab"
+.Fa "krb5_ccache ccache"
+.Fa "krb5_creds *creds"
+.Fa "krb5_kdc_rep *ret_as_reply"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_in_tkt_with_skey
+.Fa "krb5_context context"
+.Fa "krb5_flags options"
+.Fa "krb5_addresses *addrs"
+.Fa "const krb5_enctype *etypes"
+.Fa "const krb5_preauthtype *pre_auth_types"
+.Fa "const krb5_keyblock *key"
+.Fa "krb5_ccache ccache"
+.Fa "krb5_creds *creds"
+.Fa "krb5_kdc_rep *ret_as_reply"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_free_kdc_rep
+.Fa "krb5_context context"
+.Fa "krb5_kdc_rep *rep"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_password_key_proc
+.Fa "krb5_context context"
+.Fa "krb5_enctype type"
+.Fa "krb5_salt salt"
+.Fa "krb5_const_pointer keyseed"
+.Fa "krb5_keyblock **key"
+.Fc
+.Sh DESCRIPTION
+.Bf Em
+All the functions in this manual page are deprecated in the MIT
+implementation, and will soon be deprecated in Heimdal too, don't use them.
+.Ef
+.Pp
+Getting initial credential ticket for a principal.
+.Nm krb5_get_in_cred
+is the function all other krb5_get_in function uses to fetch tickets.
+The other krb5_get_in function are more specialized and therefor
+somewhat easier to use.
+.Pp
+If your need is only to verify a user and password, consider using
+.Xr krb5_verify_user 3
+instead, it have a much simpler interface.
+.Pp
+.Nm krb5_get_in_tkt
+and
+.Nm krb5_get_in_cred
+fetches initial credential, queries after key using the
+.Fa key_proc
+argument.
+The differences between the two function is that
+.Nm krb5_get_in_tkt
+stores the credential in a
+.Li krb5_creds
+while
+.Nm krb5_get_in_cred
+stores the credential in a
+.Li krb5_ccache .
+.Pp
+.Nm krb5_get_in_tkt_with_password ,
+.Nm krb5_get_in_tkt_with_keytab ,
+and
+.Nm krb5_get_in_tkt_with_skey
+does the same work as
+.Nm krb5_get_in_cred
+but are more specialized.
+.Pp
+.Nm krb5_get_in_tkt_with_password
+uses the clients password to authenticate.
+If the password argument is
+.DV NULL
+the user user queried with the default password query function.
+.Pp
+.Nm krb5_get_in_tkt_with_keytab
+searches the given keytab for a service entry for the client principal.
+If the keytab is
+.Dv NULL
+the default keytab is used.
+.Pp
+.Nm krb5_get_in_tkt_with_skey
+uses a key to get the initial credential.
+.Pp
+There are some common arguments to the krb5_get_in functions, these are:
+.Pp
+.Fa options
+are the
+.Dv KDC_OPT
+flags.
+.Pp
+.Fa etypes
+is a
+.Dv NULL
+terminated array of encryption types that the client approves.
+.Pp
+.Fa addrs
+a list of the addresses that the initial ticket.
+If it is
+.Dv NULL
+the list will be generated by the library.
+.Pp
+.Fa pre_auth_types
+a
+.Dv NULL
+terminated array of pre-authentication types.
+If
+.Fa pre_auth_types
+is
+.Dv NULL
+the function will try without pre-authentication and return those
+pre-authentication that the KDC returned.
+.Pp
+.Fa ret_as_reply
+will (if not
+.Dv NULL )
+be filled in with the response of the KDC and should be free with
+.Fn krb5_free_kdc_rep .
+.Pp
+.Fa key_proc
+is a pointer to a function that should return a key salted appropriately.
+Using
+.Dv NULL
+will use the default password query function.
+.Pp
+.Fa decrypt_proc
+Using
+.Dv NULL
+will use the default decryption function.
+.Pp
+.Fa decryptarg
+will be passed to the decryption function
+.Fa decrypt_proc .
+.Pp
+.Fa creds
+creds should be filled in with the template for a credential that
+should be requested.
+The client and server elements of the creds structure must be filled in.
+Upon return of the function it will be contain the content of the
+requested credential
+.Fa ( krb5_get_in_cred ) ,
+or it will be freed with
+.Xr krb5_free_creds 3
+(all the other krb5_get_in functions).
+.Pp
+.Fa ccache
+will store the credential in the credential cache
+.Fa ccache .
+The credential cache will not be initialized, thats up the the caller.
+.Pp
+.Nm krb5_password_key_proc
+is a library function that is suitable using as the
+.Fa krb5_key_proc
+argument to
+.Nm krb5_get_in_cred
+or
+.Nm krb5_get_in_tkt .
+.Fa keyseed
+should be a pointer to a
+.Dv NUL
+terminated string or
+.Dv NULL .
+.Nm krb5_password_key_proc
+will query the user for the pass on the console if the password isn't
+given as the argument
+.Fa keyseed .
+.Pp
+.Fn krb5_free_kdc_rep
+frees the content of
+.Fa rep .
+.Sh SEE ALSO
+.Xr krb5 3 ,
+.Xr krb5_verify_user 3 ,
+.Xr krb5.conf 5 ,
+.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_get_init_creds.3 b/crypto/heimdal/lib/krb5/krb5_get_init_creds.3
new file mode 100644
index 0000000..3838c14
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_get_init_creds.3
@@ -0,0 +1,398 @@
+.\" Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_get_init_creds.3 20266 2007-02-18 10:41:10Z lha $
+.\"
+.Dd Sep  16, 2006
+.Dt KRB5_GET_INIT_CREDS 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_get_init_creds ,
+.Nm krb5_get_init_creds_keytab ,
+.Nm krb5_get_init_creds_opt ,
+.Nm krb5_get_init_creds_opt_alloc ,
+.Nm krb5_get_init_creds_opt_free ,
+.Nm krb5_get_init_creds_opt_init ,
+.Nm krb5_get_init_creds_opt_set_address_list ,
+.Nm krb5_get_init_creds_opt_set_addressless ,
+.Nm krb5_get_init_creds_opt_set_anonymous ,
+.Nm krb5_get_init_creds_opt_set_default_flags ,
+.Nm krb5_get_init_creds_opt_set_etype_list ,
+.Nm krb5_get_init_creds_opt_set_forwardable ,
+.Nm krb5_get_init_creds_opt_set_pa_password ,
+.Nm krb5_get_init_creds_opt_set_paq_request ,
+.Nm krb5_get_init_creds_opt_set_preauth_list ,
+.Nm krb5_get_init_creds_opt_set_proxiable ,
+.Nm krb5_get_init_creds_opt_set_renew_life ,
+.Nm krb5_get_init_creds_opt_set_salt ,
+.Nm krb5_get_init_creds_opt_set_tkt_life ,
+.Nm krb5_get_init_creds_opt_set_canonicalize ,
+.Nm krb5_get_init_creds_opt_set_win2k ,
+.Nm krb5_get_init_creds_password ,
+.Nm krb5_prompt ,
+.Nm krb5_prompter_posix
+.Nd Kerberos 5 initial authentication functions
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Pp
+.Ft krb5_get_init_creds_opt;
+.Pp
+.Ft krb5_error_code
+.Fo krb5_get_init_creds_opt_alloc
+.Fa "krb5_context context"
+.Fa "krb5_get_init_creds_opt **opt"
+.Fc
+.Ft void
+.Fo krb5_get_init_creds_opt_free
+.Fa "krb5_context context"
+.Fa "krb5_get_init_creds_opt *opt"
+.Fc
+.Ft void
+.Fo krb5_get_init_creds_opt_init
+.Fa "krb5_get_init_creds_opt *opt"
+.Fc
+.Ft void
+.Fo krb5_get_init_creds_opt_set_address_list
+.Fa "krb5_get_init_creds_opt *opt"
+.Fa "krb5_addresses *addresses"
+.Fc
+.Ft void
+.Fo krb5_get_init_creds_opt_set_addressless
+.Fa "krb5_get_init_creds_opt *opt"
+.Fa "krb5_boolean addressless"
+.Fc
+.Ft void
+.Fo krb5_get_init_creds_opt_set_anonymous
+.Fa "krb5_get_init_creds_opt *opt"
+.Fa "int anonymous"
+.Fc
+.Ft void
+.Fo krb5_get_init_creds_opt_set_default_flags
+.Fa "krb5_context context"
+.Fa "const char *appname"
+.Fa "krb5_const_realm realm"
+.Fa "krb5_get_init_creds_opt *opt"
+.Fc
+.Ft void
+.Fo krb5_get_init_creds_opt_set_etype_list
+.Fa "krb5_get_init_creds_opt *opt"
+.Fa "krb5_enctype *etype_list"
+.Fa "int etype_list_length"
+.Fc
+.Ft void
+.Fo krb5_get_init_creds_opt_set_forwardable
+.Fa "krb5_get_init_creds_opt *opt"
+.Fa "int forwardable"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_init_creds_opt_set_pa_password
+.Fa "krb5_context context"
+.Fa "krb5_get_init_creds_opt *opt"
+.Fa "const char *password"
+.Fa "krb5_s2k_proc key_proc"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_init_creds_opt_set_paq_request
+.Fa "krb5_context context"
+.Fa "krb5_get_init_creds_opt *opt"
+.Fa "krb5_boolean req_pac"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_init_creds_opt_set_pkinit
+.Fa "krb5_context context"
+.Fa "krb5_get_init_creds_opt *opt"
+.Fa "const char *cert_file"
+.Fa "const char *key_file"
+.Fa "const char *x509_anchors"
+.Fa "int flags"
+.Fa "char *password"
+.Fc
+.Ft void
+.Fo krb5_get_init_creds_opt_set_preauth_list
+.Fa "krb5_get_init_creds_opt *opt"
+.Fa "krb5_preauthtype *preauth_list"
+.Fa "int preauth_list_length"
+.Fc
+.Ft void
+.Fo krb5_get_init_creds_opt_set_proxiable
+.Fa "krb5_get_init_creds_opt *opt"
+.Fa "int proxiable"
+.Fc
+.Ft void
+.Fo krb5_get_init_creds_opt_set_renew_life
+.Fa "krb5_get_init_creds_opt *opt"
+.Fa "krb5_deltat renew_life"
+.Fc
+.Ft void
+.Fo krb5_get_init_creds_opt_set_salt
+.Fa "krb5_get_init_creds_opt *opt"
+.Fa "krb5_data *salt"
+.Fc
+.Ft void
+.Fo krb5_get_init_creds_opt_set_tkt_life
+.Fa "krb5_get_init_creds_opt *opt"
+.Fa "krb5_deltat tkt_life"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_init_creds_opt_set_canonicalize
+.Fa "krb5_context context"
+.Fa "krb5_get_init_creds_opt *opt"
+.Fa "krb5_boolean req"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_init_creds_opt_set_win2k
+.Fa "krb5_context context"
+.Fa "krb5_get_init_creds_opt *opt"
+.Fa "krb5_boolean req"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_init_creds
+.Fa "krb5_context context"
+.Fa "krb5_creds *creds"
+.Fa "krb5_principal client"
+.Fa "krb5_prompter_fct prompter"
+.Fa "void *prompter_data"
+.Fa "krb5_deltat start_time"
+.Fa "const char *in_tkt_service"
+.Fa "krb5_get_init_creds_opt *options"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_init_creds_password
+.Fa "krb5_context context"
+.Fa "krb5_creds *creds"
+.Fa "krb5_principal client"
+.Fa "const char *password"
+.Fa "krb5_prompter_fct prompter"
+.Fa "void *prompter_data"
+.Fa "krb5_deltat start_time"
+.Fa "const char *in_tkt_service"
+.Fa "krb5_get_init_creds_opt *in_options"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_init_creds_keytab
+.Fa "krb5_context context"
+.Fa "krb5_creds *creds"
+.Fa "krb5_principal client"
+.Fa "krb5_keytab keytab"
+.Fa "krb5_deltat start_time"
+.Fa "const char *in_tkt_service"
+.Fa "krb5_get_init_creds_opt *options"
+.Fc
+.Ft int
+.Fo krb5_prompter_posix
+.Fa "krb5_context context"
+.Fa "void *data"
+.Fa "const char *name"
+.Fa "const char *banner"
+.Fa "int num_prompts"
+.Fa "krb5_prompt prompts[]"
+.Fc
+.Sh DESCRIPTION
+Getting initial credential ticket for a principal.
+That may include changing an expired password, and doing preauthentication.
+This interface that replaces the deprecated
+.Fa krb5_in_tkt
+and 
+.Fa krb5_in_cred
+functions.
+.Pp
+If you only want to verify a username and password, consider using
+.Xr krb5_verify_user 3
+instead, since it also verifies that initial credentials with using a
+keytab to make sure the response was from the KDC.
+.Pp
+First a
+.Li krb5_get_init_creds_opt
+structure is initialized
+with
+.Fn krb5_get_init_creds_opt_alloc
+or
+.Fn krb5_get_init_creds_opt_init .
+.Fn krb5_get_init_creds_opt_alloc
+allocates a extendible structures that needs to be freed with
+.Fn krb5_get_init_creds_opt_free .
+The structure may be modified by any of the
+.Fn krb5_get_init_creds_opt_set
+functions to change request parameters and authentication information.
+.Pp
+If the caller want to use the default options,
+.Dv NULL
+can be passed instead.
+.Pp
+The the actual request to the KDC is done by any of the
+.Fn krb5_get_init_creds ,
+.Fn krb5_get_init_creds_password ,
+or
+.Fn krb5_get_init_creds_keytab
+functions.
+.Fn krb5_get_init_creds
+is the least specialized function and can, with the right in data,
+behave like the latter two.
+The latter two are there for compatibility with older releases and
+they are slightly easier to use.
+.Pp
+.Li krb5_prompt
+is a structure containing the following elements:
+.Bd -literal
+typedef struct {
+    const char *prompt;
+    int hidden;
+    krb5_data *reply;
+    krb5_prompt_type type
+} krb5_prompt;
+.Ed
+.Pp
+.Fa prompt
+is the prompt that should shown to the user
+If
+.Fa hidden
+is set, the prompter function shouldn't echo the output to the display
+device.
+.Fa reply
+must be preallocated; it will not be allocated by the prompter
+function.
+Possible values for the
+.Fa type
+element are:
+.Pp
+.Bl -tag -width Ds -compact -offset indent
+.It KRB5_PROMPT_TYPE_PASSWORD
+.It KRB5_PROMPT_TYPE_NEW_PASSWORD
+.It KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN
+.It KRB5_PROMPT_TYPE_PREAUTH
+.It KRB5_PROMPT_TYPE_INFO
+.El
+.Pp
+.Fn krb5_prompter_posix
+is the default prompter function in a POSIX environment.
+It matches the
+.Fa krb5_prompter_fct
+and can be used in the
+.Fa krb5_get_init_creds
+functions.
+.Fn krb5_prompter_posix
+doesn't require
+.Fa prompter_data.
+.Pp
+If the
+.Fa start_time
+is zero, then the requested ticket will be valid
+beginning immediately.
+Otherwise, the
+.Fa start_time
+indicates how far in the future the ticket should be postdated.
+.Pp
+If the
+.Fa in_tkt_service
+name is
+.Dv non-NULL ,
+that principal name will be
+used as the server name for the initial ticket request.
+The realm of the name specified will be ignored and will be set to the
+realm of the client name.
+If no in_tkt_service name is specified,
+krbtgt/CLIENT-REALM@CLIENT-REALM will be used.
+.Pp
+For the rest of arguments, a configuration or library default will be
+used if no value is specified in the options structure.
+.Pp
+.Fn krb5_get_init_creds_opt_set_address_list
+sets the list of
+.Fa addresses
+that is should be stored in the ticket.
+.Pp
+.Fn krb5_get_init_creds_opt_set_addressless
+controls if the ticket is requested with addresses or not,
+.Fn krb5_get_init_creds_opt_set_address_list
+overrides this option.
+.Pp
+.Fn krb5_get_init_creds_opt_set_anonymous
+make the request anonymous if the
+.Fa anonymous
+parameter is non-zero.
+.Pp
+.Fn krb5_get_init_creds_opt_set_default_flags
+sets the default flags using the configuration file.
+.Pp
+.Fn krb5_get_init_creds_opt_set_etype_list
+set a list of enctypes that the client is willing to support in the
+request.
+.Pp
+.Fn krb5_get_init_creds_opt_set_forwardable
+request a forwardable ticket.
+.Pp
+.Fn krb5_get_init_creds_opt_set_pa_password
+set the
+.Fa password
+and
+.Fa key_proc
+that is going to be used to get a new ticket.
+.Fa password
+or
+.Fa key_proc
+can be
+.Dv NULL
+if the caller wants to use the default values.
+If the
+.Fa password
+is unset and needed, the user will be prompted for it.
+.Pp
+.Fn krb5_get_init_creds_opt_set_paq_request
+sets the password that is going to be used to get a new ticket.
+.Pp
+.Fn krb5_get_init_creds_opt_set_preauth_list
+sets the list of client-supported preauth types.
+.Pp
+.Fn krb5_get_init_creds_opt_set_proxiable
+makes the request proxiable.
+.Pp
+.Fn krb5_get_init_creds_opt_set_renew_life
+sets the requested renewable lifetime.
+.Pp
+.Fn krb5_get_init_creds_opt_set_salt
+sets the salt that is going to be used in the request.
+.Pp
+.Fn krb5_get_init_creds_opt_set_tkt_life
+sets requested ticket lifetime.
+.Pp
+.Fn krb5_get_init_creds_opt_set_canonicalize
+requests that the KDC canonicalize the client pricipal if possible.
+.Pp
+.Fn krb5_get_init_creds_opt_set_win2k
+turns on compatibility with Windows 2000.
+.Sh SEE ALSO
+.Xr krb5 3 ,
+.Xr krb5_creds 3 ,
+.Xr krb5_verify_user 3 ,
+.Xr krb5.conf 5 ,
+.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_get_krbhst.3 b/crypto/heimdal/lib/krb5/krb5_get_krbhst.3
index 76ad20b..d613a0d 100644
--- a/crypto/heimdal/lib/krb5/krb5_get_krbhst.3
+++ b/crypto/heimdal/lib/krb5/krb5_get_krbhst.3
@@ -1,44 +1,44 @@
 .\" Copyright (c) 2001 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.\" $Id: krb5_get_krbhst.3,v 1.6 2003/04/16 13:58:16 lha Exp $
+.\" $Id: krb5_get_krbhst.3 14905 2005-04-24 07:46:59Z lha $
 .\"
-.Dd June 17, 2001
+.Dd April 24, 2005
 .Dt KRB5_GET_KRBHST 3
 .Os HEIMDAL
 .Sh NAME
-.Nm krb5_get_krbhst
-.Nm krb5_get_krb_admin_hst
-.Nm krb5_get_krb_changepw_hst
-.Nm krb5_get_krb524hst
+.Nm krb5_get_krbhst ,
+.Nm krb5_get_krb_admin_hst ,
+.Nm krb5_get_krb_changepw_hst ,
+.Nm krb5_get_krb524hst ,
 .Nm krb5_free_krbhst
 .Nd lookup Kerberos KDC hosts
 .Sh LIBRARY
@@ -71,7 +71,7 @@ is a
 terminated list of strings, pointing to the requested Kerberos hosts. These should be freed with
 .Fn krb5_free_krbhst
 when done with.
-.Sh EXAMPLE
+.Sh EXAMPLES
 The following code will print the KDCs of the realm
 .Dq MY.REALM .
 .Bd -literal -offset indent
diff --git a/crypto/heimdal/lib/krb5/krb5_getportbyname.3 b/crypto/heimdal/lib/krb5/krb5_getportbyname.3
new file mode 100644
index 0000000..1436060
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_getportbyname.3
@@ -0,0 +1,67 @@
+.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_getportbyname.3 22071 2007-11-14 20:04:50Z lha $
+.\"
+.Dd August 15, 2004
+.Dt NAME 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_getportbyname
+.Nd get port number by name
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Ft int
+.Fo krb5_getportbyname
+.Fa "krb5_context context"
+.Fa "const char *service"
+.Fa "const char *proto"
+.Fa "int default_port"
+.Fc
+.Sh DESCRIPTION
+.Fn krb5_getportbyname
+gets the port number for
+.Fa service /
+.Fa proto
+pair from the global service table for and returns it in network order.
+If it isn't found in the global table, the
+.Fa default_port
+(given in host order)
+is returned.
+.Sh EXAMPLE
+.Bd -literal
+int port = krb5_getportbyname(context, "kerberos", "tcp", 88);
+.Ed
+.\" .Sh BUGS
+.Sh SEE ALSO
+.Xr krb5 3
diff --git a/crypto/heimdal/lib/krb5/krb5_init_context.3 b/crypto/heimdal/lib/krb5/krb5_init_context.3
index 76213fb..cf9d696 100644
--- a/crypto/heimdal/lib/krb5/krb5_init_context.3
+++ b/crypto/heimdal/lib/krb5/krb5_init_context.3
@@ -1,51 +1,187 @@
-.\" Copyright (c) 2001 - 2002 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" Copyright (c) 2001 - 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
-.\" 
-.\" $Id: krb5_init_context.3,v 1.9 2003/04/16 13:58:11 lha Exp $
-.\" 
-.Dd January 21, 2001
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_init_context.3 19980 2007-01-17 18:06:33Z lha $
+.\"
+.Dd December  8, 2004
 .Dt KRB5_CONTEXT 3
 .Os HEIMDAL
 .Sh NAME
+.Nm krb5_add_et_list ,
+.Nm krb5_add_extra_addresses ,
+.Nm krb5_add_ignore_addresses ,
+.Nm krb5_context ,
+.Nm krb5_free_config_files ,
+.Nm krb5_free_context ,
+.Nm krb5_get_default_config_files ,
+.Nm krb5_get_dns_canonize_hostname ,
+.Nm krb5_get_extra_addresses ,
+.Nm krb5_get_fcache_version ,
+.Nm krb5_get_ignore_addresses ,
+.Nm krb5_get_kdc_sec_offset ,
+.Nm krb5_get_max_time_skew ,
+.Nm krb5_get_use_admin_kdc
 .Nm krb5_init_context ,
-.Nm krb5_free_context
-.Nd create and delete krb5_context structures
+.Nm krb5_init_ets ,
+.Nm krb5_prepend_config_files ,
+.Nm krb5_prepend_config_files_default ,
+.Nm krb5_set_config_files ,
+.Nm krb5_set_dns_canonize_hostname ,
+.Nm krb5_set_extra_addresses ,
+.Nm krb5_set_fcache_version ,
+.Nm krb5_set_ignore_addresses ,
+.Nm krb5_set_max_time_skew ,
+.Nm krb5_set_use_admin_kdc ,
+.Nd create, modify and delete krb5_context structures
 .Sh LIBRARY
 Kerberos 5 Library (libkrb5, -lkrb5)
 .Sh SYNOPSIS
 .In krb5.h
+.Pp
+.Li "struct krb5_context;"
+.Pp
+.Ft krb5_error_code
+.Fo krb5_init_context
+.Fa "krb5_context *context"
+.Fc
+.Ft void
+.Fo krb5_free_context
+.Fa "krb5_context context"
+.Fc
+.Ft void
+.Fo krb5_init_ets
+.Fa "krb5_context context"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_add_et_list
+.Fa "krb5_context context"
+.Fa "void (*func)(struct et_list **)"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_add_extra_addresses
+.Fa "krb5_context context"
+.Fa "krb5_addresses *addresses"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_set_extra_addresses
+.Fa "krb5_context context"
+.Fa "const krb5_addresses *addresses"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_extra_addresses
+.Fa "krb5_context context"
+.Fa "krb5_addresses *addresses"
+.Fc
 .Ft krb5_error_code
-.Fn krb5_init_context "krb5_context *context"
+.Fo krb5_add_ignore_addresses
+.Fa "krb5_context context"
+.Fa "krb5_addresses *addresses"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_set_ignore_addresses
+.Fa "krb5_context context"
+.Fa "const krb5_addresses *addresses"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_ignore_addresses
+.Fa "krb5_context context"
+.Fa "krb5_addresses *addresses"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_set_fcache_version
+.Fa "krb5_context context"
+.Fa "int version"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_fcache_version
+.Fa "krb5_context context"
+.Fa "int *version"
+.Fc
 .Ft void
-.Fn krb5_free_context "krb5_context context"
+.Fo krb5_set_dns_canonize_hostname
+.Fa "krb5_context context"
+.Fa "krb5_boolean flag"
+.Fc
+.Ft krb5_boolean
+.Fo krb5_get_dns_canonize_hostname
+.Fa "krb5_context context"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_kdc_sec_offset
+.Fa "krb5_context context"
+.Fa "int32_t *sec"
+.Fa "int32_t *usec"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_set_config_files
+.Fa "krb5_context context"
+.Fa "char **filenames"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_prepend_config_files
+.Fa "const char *filelist"
+.Fa "char **pq"
+.Fa "char ***ret_pp"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_prepend_config_files_default
+.Fa "const char *filelist"
+.Fa "char ***pfilenames"
+.Fc
+.Ft krb5_error_code 
+.Fo krb5_get_default_config_files
+.Fa "char ***pfilenames"
+.Fc
+.Ft void
+.Fo krb5_free_config_files
+.Fa "char **filenames"
+.Fc
+.Ft void
+.Fo krb5_set_use_admin_kdc
+.Fa "krb5_context context"
+.Fa "krb5_boolean flag"
+.Fc
+.Ft krb5_boolean
+.Fo krb5_get_use_admin_kdc
+.Fa "krb5_context context"
+.Fc
+.Ft time_t
+.Fo krb5_get_max_time_skew
+.Fa "krb5_context context"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_set_max_time_skew
+.Fa "krb5_context context"
+.Fa "time_t time"
+.Fc
 .Sh DESCRIPTION
 The
 .Fn krb5_init_context
@@ -57,7 +193,7 @@ structure and reads the configuration file
 The structure should be freed by calling
 .Fn krb5_free_context
 when it is no longer being used.
-.Sh RETURN VALUES
+.Pp
 .Fn krb5_init_context
 returns 0 to indicate success.
 Otherwise an errno code is returned.
@@ -66,7 +202,107 @@ Failure means either that something bad happened during initialization
 .Bq ENOMEM )
 or that Kerberos should not be used
 .Bq ENXIO .
+.Pp
+.Fn krb5_init_ets
+adds all
+.Xr com_err 3
+libs to
+.Fa context .
+This is done by
+.Fn krb5_init_context .
+.Pp
+.Fn krb5_add_et_list 
+adds a
+.Xr com_err 3
+error-code handler
+.Fa func
+to the specified
+.Fa context .
+The error handler must generated by the the re-rentrant version of the
+.Xr compile_et 3
+program.
+.Fn krb5_add_extra_addresses
+add a list of addresses that should be added when requesting tickets.
+.Pp
+.Fn krb5_add_ignore_addresses
+add a list of addresses that should be ignored when requesting tickets.
+.Pp
+.Fn krb5_get_extra_addresses
+get the list of addresses that should be added when requesting tickets.
+.Pp
+.Fn krb5_get_ignore_addresses
+get the list of addresses that should be ignored when requesting tickets.
+.Pp
+.Fn krb5_set_ignore_addresses
+set the list of addresses that should be ignored when requesting tickets.
+.Pp
+.Fn krb5_set_extra_addresses
+set the list of addresses that should be added when requesting tickets.
+.Pp
+.Fn krb5_set_fcache_version
+sets the version of file credentials caches that should be used.
+.Pp
+.Fn krb5_get_fcache_version
+gets the version of file credentials caches that should be used.
+.Pp
+.Fn krb5_set_dns_canonize_hostname
+sets if the context is configured to canonicalize hostnames using DNS.
+.Pp
+.Fn krb5_get_dns_canonize_hostname
+returns if the context is configured to canonicalize hostnames using DNS.
+.Pp
+.Fn krb5_get_kdc_sec_offset
+returns the offset between the localtime and the KDC's time.
+.Fa sec
+and
+.Fa usec
+are both optional argument and
+.Dv NULL
+can be passed in.
+.Pp
+.Fn krb5_set_config_files
+set the list of configuration files to use and re-initialize the
+configuration from the files.
+.Pp
+.Fn krb5_prepend_config_files
+parse the 
+.Fa filelist
+and prepend the result to the already existing list
+.Fa pq
+The result is returned in
+.Fa ret_pp
+and should be freed with
+.Fn krb5_free_config_files .
+.Pp
+.Fn krb5_prepend_config_files_default
+parse the 
+.Fa filelist
+and append that to the default
+list of configuration files.
+.Pp
+.Fn krb5_get_default_config_files
+get a list of default configuration files.
+.Pp
+.Fn krb5_free_config_files
+free a list of configuration files returned by
+.Fn krb5_get_default_config_files ,
+.Fn krb5_prepend_config_files_default ,
+or
+.Fn krb5_prepend_config_files .
+.Pp
+.Fn krb5_set_use_admin_kdc
+sets if all KDC requests should go admin KDC.
+.Pp
+.Fn krb5_get_use_admin_kdc
+gets if all KDC requests should go admin KDC.
+.Pp
+.Fn krb5_get_max_time_skew
+and
+.Fn krb5_set_max_time_skew
+get and sets the maximum allowed time skew between client and server.
 .Sh SEE ALSO
 .Xr errno 2 ,
+.Xr krb5 3 ,
+.Xr krb5_config 3 ,
 .Xr krb5_context 3 ,
 .Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_is_thread_safe.3 b/crypto/heimdal/lib/krb5/krb5_is_thread_safe.3
new file mode 100644
index 0000000..9f0a919
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_is_thread_safe.3
@@ -0,0 +1,58 @@
+.\" Copyright (c) 2005 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_is_thread_safe.3 17462 2006-05-05 13:18:39Z lha $
+.\"
+.Dd May  5, 2006
+.Dt KRB5_IS_THREAD_SAFE 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_is_thread_safe
+.Nd "is the Kerberos library compiled with multithread support"
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Ft krb5_boolean
+.Fn krb5_is_thread_safe "void"
+.Sh DESCRIPTION
+.Nm
+returns
+.Dv TRUE
+if the library was compiled with with multithread support.
+If the library isn't compiled, the consumer have to use a global lock
+to make sure Kerboros functions are not called at the same time by
+diffrent threads.
+.\" .Sh EXAMPLE
+.\" .Sh BUGS
+.Sh SEE ALSO
+.Xr krb5_create_checksum 3 ,
+.Xr krb5_encrypt 3
diff --git a/crypto/heimdal/lib/krb5/krb5_keyblock.3 b/crypto/heimdal/lib/krb5/krb5_keyblock.3
new file mode 100644
index 0000000..9fabd32
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_keyblock.3
@@ -0,0 +1,218 @@
+.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_keyblock.3 17385 2006-05-01 08:48:55Z lha $
+.\"
+.Dd May  1, 2006
+.Dt KRB5_KEYBLOCK 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_keyblock ,
+.Nm krb5_keyblock_get_enctype ,
+.Nm krb5_copy_keyblock ,
+.Nm krb5_copy_keyblock_contents ,
+.Nm krb5_free_keyblock ,
+.Nm krb5_free_keyblock_contents ,
+.Nm krb5_generate_random_keyblock ,
+.Nm krb5_generate_subkey ,
+.Nm krb5_generate_subkey_extended ,
+.Nm krb5_keyblock_init ,
+.Nm krb5_keyblock_zero ,
+.Nm krb5_random_to_key
+.Nd Kerberos 5 key handling functions
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Pp
+.Li krb5_keyblock ;
+.Ft krb5_enctype
+.Fo krb5_keyblock_get_enctype
+.Fa "const krb5_keyblock *block"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_copy_keyblock
+.Fa "krb5_context context"
+.Fa "krb5_keyblock **to"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_copy_keyblock_contents
+.Fa "krb5_context context"
+.Fa "const krb5_keyblock *inblock"
+.Fa "krb5_keyblock *to"
+.Fc
+.Ft void
+.Fo krb5_free_keyblock
+.Fa "krb5_context context"
+.Fa "krb5_keyblock *keyblock"
+.Fc
+.Ft void
+.Fo krb5_free_keyblock_contents
+.Fa "krb5_context context"
+.Fa "krb5_keyblock *keyblock"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_generate_random_keyblock
+.Fa "krb5_context context"
+.Fa "krb5_enctype type"
+.Fa "krb5_keyblock *key"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_generate_subkey
+.Fa "krb5_context context"
+.Fa "const krb5_keyblock *key"
+.Fa "krb5_keyblock **subkey"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_generate_subkey_extended
+.Fa "krb5_context context"
+.Fa "const krb5_keyblock *key"
+.Fa "krb5_enctype enctype"
+.Fa "krb5_keyblock **subkey"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_keyblock_init
+.Fa "krb5_context context"
+.Fa "krb5_enctype type"
+.Fa "const void *data"
+.Fa "size_t size"
+.Fa "krb5_keyblock *key"
+.Fc
+.Ft void
+.Fo krb5_keyblock_zero
+.Fa "krb5_keyblock *keyblock"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_random_to_key
+.Fa "krb5_context context"
+.Fa "krb5_enctype type"
+.Fa "const void *data"
+.Fa "size_t size"
+.Fa "krb5_keyblock *key"
+.Fc
+.Sh DESCRIPTION
+.Li krb5_keyblock
+holds the encryption key for a specific encryption type.
+There is no component inside
+.Li krb5_keyblock
+that is directly referable.
+.Pp
+.Fn krb5_keyblock_get_enctype
+returns the encryption type of the keyblock.
+.Pp
+.Fn krb5_copy_keyblock
+makes a copy the keyblock
+.Fa inblock
+to the
+output
+.Fa out .
+.Fa out
+should be freed by the caller with
+.Fa krb5_free_keyblock .
+.Pp
+.Fn krb5_copy_keyblock_contents
+copies the contents of
+.Fa inblock
+to the
+.Fa to
+keyblock.
+The destination keyblock is overritten.
+.Pp
+.Fn krb5_free_keyblock
+zeros out and frees the content and the keyblock itself.
+.Pp
+.Fn krb5_free_keyblock_contents
+zeros out and frees the content of the keyblock.
+.Pp
+.Fn krb5_generate_random_keyblock
+creates a new content of the keyblock
+.Fa key
+of type encrytion type
+.Fa type .
+The content of
+.Fa key
+is overwritten and not freed, so the caller should be sure it is
+freed before calling the function.
+.Pp
+.Fn krb5_generate_subkey
+generates a
+.Fa subkey
+of the same type as
+.Fa key .
+The caller must free the subkey with
+.Fa krb5_free_keyblock .
+.Pp
+.Fn krb5_generate_subkey_extended
+generates a
+.Fa subkey
+of the specified encryption type
+.Fa type .
+If
+.Fa type
+is
+.Dv ETYPE_NULL ,
+of the same type as
+.Fa key .
+The caller must free the subkey with
+.Fa krb5_free_keyblock .
+.Pp
+.Fn krb5_keyblock_init
+Fill in
+.Fa key
+with key data of type
+.Fa enctype
+from 
+.Fa data
+of length
+.Fa size .
+Key should be freed using
+.Fn krb5_free_keyblock_contents .
+.Pp
+.Fn krb5_keyblock_zero
+zeros out the keyblock to to make sure no keymaterial is in
+memory.
+Note that
+.Fn krb5_free_keyblock_contents
+also zeros out the memory.
+.Pp
+.Fn krb5_random_to_key
+converts the random bytestring to a protocol key according to Kerberos
+crypto frame work.
+It the resulting key will be of type
+.Fa enctype .
+It may be assumed that all the bits of the input string are equally
+random, even though the entropy present in the random source may be
+limited
+.\" .Sh EXAMPLES
+.Sh SEE ALSO
+.Xr krb5_crypto_init 3 ,
+.Xr krb5 3 ,
+.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krb5_keytab.3 b/crypto/heimdal/lib/krb5/krb5_keytab.3
index 164eb49..b6cb1a2 100644
--- a/crypto/heimdal/lib/krb5/krb5_keytab.3
+++ b/crypto/heimdal/lib/krb5/krb5_keytab.3
@@ -1,37 +1,37 @@
-.\" Copyright (c) 2001 - 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" Copyright (c) 2001 - 2005 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.\" $Id: krb5_keytab.3,v 1.9 2003/04/16 13:58:16 lha Exp $
+.\" $Id: krb5_keytab.3 22071 2007-11-14 20:04:50Z lha $
 .\"
-.Dd February 5, 2001
+.Dd August 12, 2005
 .Dt KRB5_KEYTAB 3
 .Os HEIMDAL
 .Sh NAME
@@ -43,6 +43,7 @@
 .Nm krb5_kt_compare ,
 .Nm krb5_kt_copy_entry_contents ,
 .Nm krb5_kt_default ,
+.Nm krb5_kt_default_modify_name ,
 .Nm krb5_kt_default_name ,
 .Nm krb5_kt_end_seq_get ,
 .Nm krb5_kt_free_entry ,
@@ -92,6 +93,12 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Fa "krb5_keytab *id"
 .Fc
 .Ft krb5_error_code
+.Fo krb5_kt_default_modify_name
+.Fa "krb5_context context"
+.Fa "char *name"
+.Fa "size_t namesize"
+.Fc
+.Ft krb5_error_code
 .Fo krb5_kt_default_name
 .Fa "krb5_context context"
 .Fa "char *name"
@@ -191,8 +198,20 @@ are:
 .Bl -tag -width Ds
 .It Nm file
 store the keytab in a file, the type's name is
-.Li KEYFILE .
+.Li FILE .
 The residual part is a filename.
+For compatibility with other Kerberos implemtation
+.Li WRFILE
+and
+.LI JAVA14
+is also accepted.
+.Li WRFILE
+has the same format as
+.Li FILE .
+.Li JAVA14
+have a format that is compatible with older versions of MIT kerberos
+and SUN's Java based installation.  They store a truncted kvno, so
+when the knvo excess 255, they are truncted in this format.
 .It Nm keyfile
 store the keytab in a
 .Li AFS
@@ -211,10 +230,11 @@ The residual part is a filename.
 The keytab is stored in a memory segment. This allows sensitive and/or
 temporary data not to be stored on disk. The type's name is
 .Li MEMORY .
-There are no residual part, the only pointer back to the keytab is the
-.Fa id
-returned by
-.Fn krb5_kt_resolve .
+Each
+.Li MEMORY
+keytab is referenced counted by and opened by the residual name, so two
+handles can point to the same memory area.
+When the last user closes the entry, it disappears.
 .El
 .Pp
 .Nm krb5_keytab_entry
@@ -244,8 +264,10 @@ Returns 0 or an error. The opposite of
 .Fn krb5_kt_resolve
 is
 .Fn krb5_kt_close .
+.Pp
 .Fn krb5_kt_close
-frees all resources allocated to the keytab.
+frees all resources allocated to the keytab, even on failure.
+Returns 0 or an error.
 .Pp
 .Fn krb5_kt_default
 sets the argument
@@ -253,15 +275,22 @@ sets the argument
 to the default keytab.
 Returns 0 or an error.
 .Pp
+.Fn krb5_kt_default_modify_name
+copies the name of the default modify keytab into
+.Fa name .
+Return 0 or KRB5_CONFIG_NOTENUFSPACE if
+.Fa namesize
+is too short.
+.Pp
 .Fn krb5_kt_default_name
-copy the name of the default keytab into
+copies the name of the default keytab into
 .Fa name .
 Return 0 or KRB5_CONFIG_NOTENUFSPACE if
 .Fa namesize
 is too short.
 .Pp
 .Fn krb5_kt_add_entry
-Add a new
+adds a new
 .Fa entry
 to the keytab
 .Fa id .
@@ -306,7 +335,7 @@ and store the prefix/name for type of the keytab into
 .Fa prefix ,
 .Fa prefixsize .
 The prefix will have the maximum length of
-.Dv KRB5_KT_PREFIX_MAX_LEN 
+.Dv KRB5_KT_PREFIX_MAX_LEN
 (including terminating
 .Dv NUL ) .
 Returns 0 or an error.
@@ -329,6 +358,8 @@ pointed to by
 .Fa cursor
 and advance the
 .Fa cursor .
+On success the returne entry must be freed with
+.Fn krb5_kt_free_entry .
 Returns 0 or an error.
 .Pp
 .Fn krb5_kt_end_seq_get
@@ -338,23 +369,45 @@ releases all resources associated with
 .Fn krb5_kt_get_entry
 retrieves the keytab entry for
 .Fa principal ,
-.Fa kvno,
+.Fa kvno ,
 .Fa enctype
 into
 .Fa entry
 from the keytab
 .Fa id .
+When comparing an entry in the keytab to determine a match, the
+function
+.Fn krb5_kt_compare
+is used, so the wildcard rules applies to the argument of
+.F krb5_kt_get_entry
+too.
+On success the returne entry must be freed with
+.Fn krb5_kt_free_entry .
 Returns 0 or an error.
 .Pp
 .Fn krb5_kt_read_service_key
 reads the key identified by
-.Ns ( Fa principal ,
+.Fa ( principal ,
 .Fa vno ,
 .Fa enctype )
 from the keytab in
 .Fa keyprocarg
-(the default if == NULL) into
+(the system default keytab if 
+.Dv NULL
+is used) into
 .Fa *key .
+.Fa keyprocarg
+is the same argument as to
+.Fa name
+argument to
+.Fn krb5_kt_resolve .
+Internal
+.Fn krb5_kt_compare
+will be used, so the same wildcard rules applies
+to
+.Fn krb5_kt_read_service_key .
+On success the returned key must be freed with
+.Fa krb5_free_keyblock .
 Returns 0 or an error.
 .Pp
 .Fn krb5_kt_remove_entry
@@ -362,13 +415,20 @@ removes the entry
 .Fa entry
 from the keytab
 .Fa id .
-Returns 0 or an error.
+When comparing an entry in the keytab to determine a match, the
+function
+.Fn krb5_kt_compare
+is use, so the wildcard rules applies to the argument of
+.Fn krb5_kt_remove_entry .
+Returns 0, 
+.Dv KRB5_KT_NOTFOUND
+if not entry matched or another error.
 .Pp
 .Fn krb5_kt_register
 registers a new keytab type
 .Fa ops .
 Returns 0 or an error.
-.Sh EXAMPLE
+.Sh EXAMPLES
 This is a minimalistic version of
 .Nm ktutil .
 .Pp
@@ -402,10 +462,21 @@ main (int argc, char **argv)
     ret = krb5_kt_end_seq_get(context, keytab, &cursor);
     if (ret)
 	krb5_err(context, 1, ret, "krb5_kt_end_seq_get");
+    ret = krb5_kt_close(context, keytab);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kt_close");
     krb5_free_context(context);
     return 0;
 }
 .Ed
+.Sh COMPATIBILITY
+Heimdal stored the ticket flags in machine bit-field order before
+Heimdal 0.7.  The behavior is possible to change in with the option
+.Li [libdefaults]fcc-mit-ticketflags .
+Heimdal 0.7 also code to detech that ticket flags was in the wrong
+order and correct them.  This matters when doing delegation in GSS-API
+because the client code looks at the flag to determin if it is possible
+to do delegation if the user requested it.
 .Sh SEE ALSO
 .Xr krb5.conf 5 ,
 .Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_krbhst_init.3 b/crypto/heimdal/lib/krb5/krb5_krbhst_init.3
index 87ea3f9..1d906bf 100644
--- a/crypto/heimdal/lib/krb5/krb5_krbhst_init.3
+++ b/crypto/heimdal/lib/krb5/krb5_krbhst_init.3
@@ -1,41 +1,42 @@
-.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" Copyright (c) 2001-2005 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.\" $Id: krb5_krbhst_init.3,v 1.7 2003/04/16 13:58:16 lha Exp $
+.\" $Id: krb5_krbhst_init.3 15110 2005-05-10 09:21:06Z lha $
 .\"
-.Dd June 17, 2001
+.Dd May 10, 2005
 .Dt KRB5_KRBHST_INIT 3
 .Os HEIMDAL
 .Sh NAME
 .Nm krb5_krbhst_init ,
+.Nm krb5_krbhst_init_flags ,
 .Nm krb5_krbhst_next ,
 .Nm krb5_krbhst_next_as_string ,
 .Nm krb5_krbhst_reset ,
@@ -50,6 +51,8 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Ft krb5_error_code
 .Fn krb5_krbhst_init "krb5_context context" "const char *realm" "unsigned int type" "krb5_krbhst_handle *handle"
 .Ft krb5_error_code
+.Fn krb5_krbhst_init_flags "krb5_context context" "const char *realm" "unsigned int type" "int flags" "krb5_krbhst_handle *handle"
+.Ft krb5_error_code
 .Fn "krb5_krbhst_next" "krb5_context context" "krb5_krbhst_handle handle" "krb5_krbhst_info **host"
 .Ft krb5_error_code
 .Fn krb5_krbhst_next_as_string "krb5_context context" "krb5_krbhst_handle handle" "char *hostname" "size_t hostlen"
@@ -69,13 +72,15 @@ for Kerberos 4 ticket conversion.
 .Pp
 First a handle to a particular service is obtained by calling
 .Fn krb5_krbhst_init
+(or
+.Fn krb5_krbhst_init_flags )
 with the
 .Fa realm
 of interest and the type of service to lookup. The
 .Fa type
 can be one of:
 .Pp
-.Bl -hang -compact -offset indent
+.Bl -tag -width Ds -compact -offset indent
 .It KRB5_KRBHST_KDC
 .It KRB5_KRBHST_ADMIN
 .It KRB5_KRBHST_CHANGEPW
@@ -87,9 +92,25 @@ The
 is returned to the caller, and should be passed to the other
 functions.
 .Pp
+The
+.Fa flag
+argument to
+.Nm krb5_krbhst_init_flags
+is the same flags as
+.Fn krb5_send_to_kdc_flags
+uses.
+Possible values are:
+.Pp
+.Bl -tag -width KRB5_KRBHST_FLAGS_LARGE_MSG -compact -offset indent
+.It KRB5_KRBHST_FLAGS_MASTER
+only talk to master (readwrite) KDC
+.It KRB5_KRBHST_FLAGS_LARGE_MSG
+this is a large message, so use transport that can handle that.
+.El
+.Pp
 For each call to
 .Fn krb5_krbhst_next
-information a new host is returned. The former function returns in
+information on a new host is returned. The former function returns in
 .Fa host
 a pointer to a structure containing information about the host, such
 as protocol, hostname, and port:
@@ -107,7 +128,7 @@ typedef struct krb5_krbhst_info {
 .Pp
 The related function,
 .Fn krb5_krbhst_next_as_string ,
-return the same information as a url-like string.
+return the same information as a URL-like string.
 .Pp
 When there are no more hosts, these functions return
 .Dv KRB5_KDC_UNREACH .
@@ -132,9 +153,9 @@ and
 that will return a
 .Va struct addrinfo
 that can then be used for communicating with the server mentioned.
-.Sh EXAMPLE
+.Sh EXAMPLES
 The following code will print the KDCs of the realm
-.Dq MY.REALM .
+.Dq MY.REALM :
 .Bd -literal -offset indent
 krb5_krbhst_handle handle;
 char host[MAXHOSTNAMELEN];
@@ -145,8 +166,9 @@ while(krb5_krbhst_next_as_string(context, handle,
 krb5_krbhst_free(context, handle);
 .Ed
 .\" .Sh BUGS
-.Sh HISTORY
-These functions first appeared in Heimdal 0.3g.
 .Sh SEE ALSO
 .Xr getaddrinfo 3 ,
-.Xr krb5_get_krbhst 3
+.Xr krb5_get_krbhst 3 ,
+.Xr krb5_send_to_kdc_flags 3
+.Sh HISTORY
+These functions first appeared in Heimdal 0.3g.
diff --git a/crypto/heimdal/lib/krb5/krb5_kuserok.3 b/crypto/heimdal/lib/krb5/krb5_kuserok.3
index 1539202..e5e5c99 100644
--- a/crypto/heimdal/lib/krb5/krb5_kuserok.3
+++ b/crypto/heimdal/lib/krb5/krb5_kuserok.3
@@ -1,94 +1,103 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" Copyright (c) 2003-2005 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.\" $Id: krb5_kuserok.3,v 1.5 2003/04/16 13:58:10 lha Exp $
+.\" $Id: krb5_kuserok.3 15083 2005-05-04 12:11:22Z joda $
 .\"
-.Dd Oct 17, 2002
+.Dd May 4, 2005
 .Dt KRB5_KUSEROK 3
 .Os HEIMDAL
 .Sh NAME
 .Nm krb5_kuserok
-.Nd verifies if a principal can log in as a user
+.Nd "checks if a principal is permitted to login as a user"
 .Sh LIBRARY
 Kerberos 5 Library (libkrb5, -lkrb5)
 .Sh SYNOPSIS
 .In krb5.h
 .Ft krb5_boolean
-.Fo krb5_kuserok 
+.Fo krb5_kuserok
 .Fa "krb5_context context"
 .Fa "krb5_principal principal"
-.Fa "const char *name"
+.Fa "const char *user"
 .Fc
 .Sh DESCRIPTION
-This function takes a local user
-.Fa name
-and verifies if
+This function takes the name of a local
+.Fa user
+and checks if
 .Fa principal
 is allowed to log in as that user.
 .Pp
-First
-.Nm
-check if there is a local account name
-.Fa username.
-If there isn't,
-.Nm
-returns
-.Dv FALSE .
+The
+.Fa user
+may have a
+.Pa ~/.k5login
+file listing principals that are allowed to login as that user. If
+that file does not exist, all principals with a first component
+identical to the username, and a realm considered local, are allowed
+access.
 .Pp
-Then
-.Nm
-checks if principal is the same as user@realm in any of the default
-realms. If that is the case,
+The
+.Pa .k5login
+file must contain one principal per line, be owned by
+.Fa user ,
+and not be writable by group or other (but must be readable by
+anyone).
+.Pp
+Note that if the file exists, no implicit access rights are given to
+.Fa user Ns @ Ns Aq localrealm .
+.Pp
+Optionally, a set of files may be put in 
+.Pa ~/.k5login.d ( Ns
+a directory), in which case they will all be checked in the same
+manner as
+.Pa .k5login .
+The files may be called anything, but files starting with a hash
+.Dq ( # ) ,
+or ending with a tilde
+.Dq ( ~ )
+are ignored. Subdirectories are not traversed. Note that this
+directory may not be checked by other implementations.
+.Sh RETURN VALUES
 .Nm
 returns
-.Dv TRUE .
-.Pp
-After that it reads the file 
-.Pa .k5login
-(if it exists) in the users home directory and checks if
-.Fa principal
-is in the file.
-If it does exists,
 .Dv TRUE
-is returned.
-If neither of the above turns out to be true,
-.DV FALSE
-is returned.
-.Pp
+if access should be granted,
+.Dv FALSE
+otherwise.
+.Sh HISTORY
 The
-.Pa .k5login
-should contain one principal per line.
+.Pa ~/.k5login.d
+feature appeared in Heimdal 0.7.
 .Sh SEE ALSO
 .Xr krb5_get_default_realms 3 ,
 .Xr krb5_verify_user 3 ,
 .Xr krb5_verify_user_lrealm 3 ,
-.Xr krb5_verify_user_opt 3,
+.Xr krb5_verify_user_opt 3 ,
 .Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krb5_mk_req.3 b/crypto/heimdal/lib/krb5/krb5_mk_req.3
new file mode 100644
index 0000000..e37d8e7
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_mk_req.3
@@ -0,0 +1,187 @@
+.\" Copyright (c) 2005 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_mk_req.3 16100 2005-09-26 05:38:55Z lha $
+.\"
+.Dd August 27, 2005
+.Dt KRB5_MK_REQ 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_mk_req ,
+.Nm krb5_mk_req_exact ,
+.Nm krb5_mk_req_extended ,
+.Nm krb5_rd_req ,
+.Nm krb5_rd_req_with_keyblock ,
+.Nm krb5_mk_rep ,
+.Nm krb5_mk_rep_exact ,
+.Nm krb5_mk_rep_extended ,
+.Nm krb5_rd_rep ,
+.Nm krb5_build_ap_req ,
+.Nm krb5_verify_ap_req
+.Nd create and read application authentication request
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Ft krb5_error_code
+.Fo krb5_mk_req
+.Fa "krb5_context context"
+.Fa "krb5_auth_context *auth_context"
+.Fa "const krb5_flags ap_req_options"
+.Fa "const char *service"
+.Fa "const char *hostname"
+.Fa "krb5_data *in_data"
+.Fa "krb5_ccache ccache"
+.Fa "krb5_data *outbuf"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_mk_req_extended
+.Fa "krb5_context context"
+.Fa "krb5_auth_context *auth_context"
+.Fa "const krb5_flags ap_req_options"
+.Fa "krb5_data *in_data"
+.Fa "krb5_creds *in_creds"
+.Fa "krb5_data *outbuf"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_rd_req
+.Fa "krb5_context context"
+.Fa "krb5_auth_context *auth_context"
+.Fa "const krb5_data *inbuf"
+.Fa "krb5_const_principal server"
+.Fa "krb5_keytab keytab"
+.Fa "krb5_flags *ap_req_options"
+.Fa "krb5_ticket **ticket"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_build_ap_req
+.Fa "krb5_context context"
+.Fa "krb5_enctype enctype"
+.Fa "krb5_creds *cred"
+.Fa "krb5_flags ap_options"
+.Fa "krb5_data authenticator"
+.Fa "krb5_data *retdata"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_verify_ap_req
+.Fa "krb5_context context"
+.Fa "krb5_auth_context *auth_context"
+.Fa "krb5_ap_req *ap_req"
+.Fa "krb5_const_principal server"
+.Fa "krb5_keyblock *keyblock"
+.Fa "krb5_flags flags"
+.Fa "krb5_flags *ap_req_options"
+.Fa "krb5_ticket **ticket"
+.Fc
+.Sh DESCRIPTION
+The functions documented in this manual page document the functions
+that facilitates the exchange between a Kerberos client and server.
+They are the core functions used in the authentication exchange
+between the client and the server.
+.Pp
+The
+.Nm krb5_mk_req
+and
+.Nm krb5_mk_req_extended
+creates the Kerberos message
+.Dv KRB_AP_REQ
+that is sent from the client to the server as the first packet in a client/server exchange.  The result that should be sent to server is stored in
+.Fa outbuf .
+.Pp
+.Fa auth_context
+should be allocated with
+.Fn krb5_auth_con_init
+or
+.Dv NULL
+passed in, in that case, it will be allocated and freed internally.
+.Pp
+The input data 
+.Fa in_data
+will have a checksum calculated over it and checksum will be
+transported in the message to the server.
+.Pp
+.Fa ap_req_options
+can be set to one or more of the following flags:
+.Pp
+.Bl -tag -width indent
+.It Dv AP_OPTS_USE_SESSION_KEY
+Use the session key when creating the request, used for user to user
+authentication.
+.It Dv AP_OPTS_MUTUAL_REQUIRED
+Mark the request as mutual authenticate required so that the receiver
+returns a mutual authentication packet.
+.El
+.Pp
+The
+.Nm krb5_rd_req
+read the AP_REQ in
+.Fa inbuf
+and verify and extract the content.
+If
+.Fa server
+is specified, that server will be fetched from the
+.Fa keytab
+and used unconditionally.
+If
+.Fa server
+is
+.Dv NULL ,
+the
+.Fa keytab
+will be search for a matching principal.
+.Pp
+The
+.Fa keytab
+argument specifies what keytab to search for receiving principals.
+The arguments
+.Fa ap_req_options
+and
+.Fa ticket
+returns the content.
+.Pp
+When the AS-REQ is a user to user request, neither of
+.Fa keytab
+or
+.Fa principal
+are used, instead
+.Fn krb5_rd_req
+expects the session key to be set in
+.Fa auth_context .
+.Pp
+The
+.Nm krb5_verify_ap_req
+and
+.Nm krb5_build_ap_req
+both constructs and verify the AP_REQ message, should not be used by
+external code.
+.Sh SEE ALSO
+.Xr krb5 3 ,
+.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krb5_mk_safe.3 b/crypto/heimdal/lib/krb5/krb5_mk_safe.3
new file mode 100644
index 0000000..25b6541
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_mk_safe.3
@@ -0,0 +1,82 @@
+.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_mk_safe.3 17385 2006-05-01 08:48:55Z lha $
+.\"
+.Dd May  1, 2006
+.Dt KRB5_MK_SAFE 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_mk_safe ,
+.Nm krb5_mk_priv
+.Nd generates integrity protected and/or encrypted messages
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Pp
+.Ft krb5_error_code
+.Fn krb5_mk_priv "krb5_context context" "krb5_auth_context auth_context" "const krb5_data *userdata" "krb5_data *outbuf" "krb5_replay_data *outdata"
+.Ft krb5_error_code
+.Fn krb5_mk_safe "krb5_context context" "krb5_auth_context auth_context" "const krb5_data *userdata" "krb5_data *outbuf" "krb5_replay_data *outdata"
+.Sh DESCRIPTION
+.Fn krb5_mk_safe
+and
+.Fn krb5_mk_priv
+formats
+.Li KRB-SAFE
+(integrity protected)
+and
+.Li KRB-PRIV
+(also encrypted)
+messages into
+.Fa outbuf .
+The actual message data is taken from
+.Fa userdata .
+If the
+.Dv KRB5_AUTH_CONTEXT_DO_SEQUENCE
+or
+.Dv KRB5_AUTH_CONTEXT_DO_TIME
+flags are set in the
+.Fa auth_context ,
+sequence numbers and time stamps are generated.
+If the
+.Dv KRB5_AUTH_CONTEXT_RET_SEQUENCE
+or
+.Dv KRB5_AUTH_CONTEXT_RET_TIME
+flags are set
+they are also returned in the
+.Fa outdata
+parameter.
+.Sh SEE ALSO
+.Xr krb5_auth_con_init 3 ,
+.Xr krb5_rd_priv 3 ,
+.Xr krb5_rd_safe 3
diff --git a/crypto/heimdal/lib/krb5/krb5_openlog.3 b/crypto/heimdal/lib/krb5/krb5_openlog.3
index cb1ccc9..4acad41 100644
--- a/crypto/heimdal/lib/krb5/krb5_openlog.3
+++ b/crypto/heimdal/lib/krb5/krb5_openlog.3
@@ -1,35 +1,35 @@
 .\" Copyright (c) 1997, 1999, 2001 - 2002 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
-.\" 
-.\" $Id: krb5_openlog.3,v 1.9 2003/04/16 13:58:12 lha Exp $
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_openlog.3 12329 2003-05-26 14:09:04Z lha $
 .Dd August 6, 1997
 .Dt KRB5_OPENLOG 3
 .Os HEIMDAL
@@ -206,7 +206,7 @@ destination, otherwise not. Either of the min and max valued may be
 omitted, in this case min is assumed to be zero, and max is assumed to be
 infinity.  If you don't include a dash, both min and max gets set to the
 specified value. If no range is specified, all messages gets logged.
-.Sh EXAMPLE
+.Sh EXAMPLES
 .Bd -literal -offset indent
 [logging]
 	kdc = 0/FILE:/var/log/kdc.log
@@ -223,6 +223,9 @@ other messages will be logged to syslog with priority
 and facility
 .Li LOG_USER .
 All other programs will log all messages to their stderr.
+.Sh SEE ALSO
+.Xr syslog 3 ,
+.Xr krb5.conf 5
 .Sh BUGS
 These functions use
 .Fn asprintf
@@ -237,6 +240,3 @@ thread-safe, depending on the implementation of
 .Fn openlog ,
 and
 .Fn syslog .
-.Sh SEE ALSO
-.Xr syslog 3 ,
-.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krb5_parse_name.3 b/crypto/heimdal/lib/krb5/krb5_parse_name.3
index b936c63..e876ee3 100644
--- a/crypto/heimdal/lib/krb5/krb5_parse_name.3
+++ b/crypto/heimdal/lib/krb5/krb5_parse_name.3
@@ -1,37 +1,37 @@
 .\" Copyright (c) 1997 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.\" $Id: krb5_parse_name.3,v 1.8 2003/04/16 13:58:17 lha Exp $
+.\" $Id: krb5_parse_name.3 17385 2006-05-01 08:48:55Z lha $
 .\"
-.Dd August 8, 1997
+.Dd May  1, 2006
 .Dt KRB5_PARSE_NAME 3
 .Os HEIMDAL
 .Sh NAME
@@ -57,8 +57,8 @@ The string should consist of one or more name components separated with slashes
 optionally followed with an
 .Dq @
 and a realm name. A slash or @ may be contained in a name component by
-quoting it with a back-slash
-.Pq Dq \ .
+quoting it with a backslash
+.Pq Dq \e .
 A realm should not contain slashes or colons.
 .Sh SEE ALSO
 .Xr krb5_425_conv_principal 3 ,
diff --git a/crypto/heimdal/lib/krb5/krb5_principal.3 b/crypto/heimdal/lib/krb5/krb5_principal.3
new file mode 100644
index 0000000..1b0c2da
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_principal.3
@@ -0,0 +1,384 @@
+.\" Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_principal.3 21255 2007-06-21 04:36:31Z lha $
+.\"
+.Dd May  1, 2006
+.Dt KRB5_PRINCIPAL 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_get_default_principal ,
+.Nm krb5_principal ,
+.Nm krb5_build_principal ,
+.Nm krb5_build_principal_ext ,
+.Nm krb5_build_principal_va ,
+.Nm krb5_build_principal_va_ext ,
+.Nm krb5_copy_principal ,
+.Nm krb5_free_principal ,
+.Nm krb5_make_principal ,
+.Nm krb5_parse_name ,
+.Nm krb5_parse_name_flags ,
+.Nm krb5_parse_nametype ,
+.Nm krb5_princ_realm ,
+.Nm krb5_princ_set_realm ,
+.Nm krb5_principal_compare ,
+.Nm krb5_principal_compare_any_realm ,
+.Nm krb5_principal_get_comp_string ,
+.Nm krb5_principal_get_realm ,
+.Nm krb5_principal_get_type ,
+.Nm krb5_principal_match ,
+.Nm krb5_principal_set_type ,
+.Nm krb5_realm_compare ,
+.Nm krb5_sname_to_principal ,
+.Nm krb5_sock_to_principal ,
+.Nm krb5_unparse_name ,
+.Nm krb5_unparse_name_flags ,
+.Nm krb5_unparse_name_fixed ,
+.Nm krb5_unparse_name_fixed_flags ,
+.Nm krb5_unparse_name_fixed_short ,
+.Nm krb5_unparse_name_short
+.Nd Kerberos 5 principal handling functions
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Pp
+.Li krb5_principal ;
+.Ft void
+.Fn krb5_free_principal "krb5_context context" "krb5_principal principal"
+.Ft krb5_error_code
+.Fn krb5_parse_name "krb5_context context" "const char *name" "krb5_principal *principal"
+.Ft krb5_error_code
+.Fn krb5_parse_name_flags "krb5_context context" "const char *name" "int flags" "krb5_principal *principal"
+.Ft krb5_error_code
+.Fn "krb5_unparse_name" "krb5_context context" "krb5_const_principal principal" "char **name"
+.Ft krb5_error_code
+.Fn "krb5_unparse_name_flags" "krb5_context context" "krb5_const_principal principal" "int flags" "char **name"
+.Ft krb5_error_code
+.Fn krb5_unparse_name_fixed "krb5_context context" "krb5_const_principal principal" "char *name" "size_t len"
+.Ft krb5_error_code
+.Fn krb5_unparse_name_fixed_flags "krb5_context context" "krb5_const_principal principal" "int flags" "char *name" "size_t len"
+.Ft krb5_error_code
+.Fn "krb5_unparse_name_short" "krb5_context context" "krb5_const_principal principal" "char **name"
+.Ft krb5_error_code
+.Fn krb5_unparse_name_fixed_short "krb5_context context" "krb5_const_principal principal" "char *name" "size_t len"
+.Ft krb5_realm *
+.Fn krb5_princ_realm "krb5_context context" "krb5_principal principal"
+.Ft void
+.Fn krb5_princ_set_realm "krb5_context context" "krb5_principal principal" "krb5_realm *realm"
+.Ft krb5_error_code
+.Fn krb5_build_principal "krb5_context context" "krb5_principal *principal" "int rlen" "krb5_const_realm realm" "..."
+.Ft krb5_error_code
+.Fn krb5_build_principal_va "krb5_context context" "krb5_principal *principal" "int rlen" "krb5_const_realm realm" "va_list ap"
+.Ft krb5_error_code
+.Fn "krb5_build_principal_ext" "krb5_context context" "krb5_principal *principal" "int rlen" "krb5_const_realm realm" "..."
+.Ft krb5_error_code
+.Fn krb5_build_principal_va_ext "krb5_context context" "krb5_principal *principal" "int rlen" "krb5_const_realm realm" "va_list ap"
+.Ft krb5_error_code
+.Fn krb5_make_principal "krb5_context context" "krb5_principal *principal" "krb5_const_realm realm" "..."
+.Ft krb5_error_code
+.Fn krb5_copy_principal "krb5_context context" "krb5_const_principal inprinc" "krb5_principal *outprinc"
+.Ft krb5_boolean
+.Fn krb5_principal_compare "krb5_context context" "krb5_const_principal princ1" "krb5_const_principal princ2"
+.Ft krb5_boolean
+.Fn krb5_principal_compare_any_realm "krb5_context context" "krb5_const_principal princ1" "krb5_const_principal princ2"
+.Ft "const char *"
+.Fn krb5_principal_get_comp_string "krb5_context context" "krb5_const_principal principal" "unsigned int component"
+.Ft "const char *"
+.Fn krb5_principal_get_realm "krb5_context context" "krb5_const_principal principal"
+.Ft int
+.Fn krb5_principal_get_type "krb5_context context" "krb5_const_principal principal"
+.Ft krb5_boolean
+.Fn krb5_principal_match "krb5_context context" "krb5_const_principal principal" "krb5_const_principal pattern"
+.Ft void
+.Fn krb5_principal_set_type "krb5_context context" "krb5_principal principal" "int type"
+.Ft krb5_boolean
+.Fn krb5_realm_compare "krb5_context context" "krb5_const_principal princ1" "krb5_const_principal princ2"
+.Ft krb5_error_code
+.Fn krb5_sname_to_principal  "krb5_context context" "const char *hostname" "const char *sname" "int32_t type" "krb5_principal *ret_princ"
+.Ft krb5_error_code
+.Fn krb5_sock_to_principal "krb5_context context" "int socket" "const char *sname" "int32_t type" "krb5_principal *principal"
+.Ft krb5_error_code
+.Fn krb5_get_default_principal "krb5_context context" "krb5_principal *princ"
+.Ft krb5_error_code
+.Fn krb5_parse_nametype "krb5_context context" "const char *str" "int32_t *type"
+.Sh DESCRIPTION
+.Li krb5_principal
+holds the name of a user or service in Kerberos.
+.Pp
+A principal has two parts, a
+.Li PrincipalName
+and a
+.Li realm .
+The PrincipalName consists of one or more components. In printed form,
+the components are separated by /.
+The PrincipalName also has a name-type.
+.Pp
+Examples of a principal are
+.Li nisse/root@EXAMPLE.COM
+and
+.Li host/datan.kth.se@KTH.SE .
+.Fn krb5_parse_name
+and
+.Fn krb5_parse_name_flags
+passes a principal name in
+.Fa name
+to the kerberos principal structure.
+.Fn krb5_parse_name_flags
+takes an extra
+.Fa flags
+argument the following flags can be passed in
+.Bl -tag -width Ds
+.It Dv KRB5_PRINCIPAL_PARSE_NO_REALM
+requries the input string to be without a realm, and no realm is
+stored in the
+.Fa principal
+return argument.
+.It Dv KRB5_PRINCIPAL_PARSE_MUST_REALM
+requries the input string to with a realm.
+.El
+.Pp
+.Fn krb5_unparse_name
+and
+.Fn krb5_unparse_name_flags
+prints the principal
+.Fa princ
+to the string
+.Fa name .
+.Fa name
+should be freed with
+.Xr free 3 .
+To the 
+.Fa flags
+argument the following flags can be passed in
+.Bl -tag -width Ds
+.It Dv KRB5_PRINCIPAL_UNPARSE_SHORT
+no realm if the realm is one of the local realms.
+.It Dv KRB5_PRINCIPAL_UNPARSE_NO_REALM
+never include any realm in the principal name.
+.It Dv KRB5_PRINCIPAL_UNPARSE_DISPLAY
+don't quote
+.El
+On failure
+.Fa name
+is set to
+.Dv NULL .
+.Fn krb5_unparse_name_fixed
+and
+.Fn krb5_unparse_name_fixed_flags
+behaves just like
+.Fn krb5_unparse ,
+but instead unparses the principal into a fixed size buffer.
+.Pp
+.Fn krb5_unparse_name_short
+just returns the principal without the realm if the principal is
+in the default realm. If the principal isn't, the full name is
+returned.
+.Fn krb5_unparse_name_fixed_short
+works just like
+.Fn krb5_unparse_name_short
+but on a fixed size buffer.
+.Pp
+.Fn krb5_build_principal
+builds a principal from the realm
+.Fa realm
+that has the length
+.Fa rlen .
+The following arguments form the components of the principal.
+The list of components is terminated with
+.Dv NULL .
+.Pp
+.Fn krb5_build_principal_va
+works like
+.Fn krb5_build_principal
+using vargs.
+.Pp
+.Fn krb5_build_principal_ext
+and
+.Fn krb5_build_principal_va_ext
+take a list of length-value pairs, the list is terminated with a zero
+length.
+.Pp
+.Fn krb5_make_principal
+works the same way as
+.Fn krb5_build_principal ,
+except it figures out the length of the realm itself.
+.Pp
+.Fn krb5_copy_principal
+makes a copy of a principal.
+The copy needs to be freed with
+.Fn krb5_free_principal .
+.Pp
+.Fn krb5_principal_compare
+compares the two principals, including realm of the principals and returns
+.Dv TRUE
+if they are the same and
+.Dv FALSE
+if not.
+.Pp
+.Fn krb5_principal_compare_any_realm
+works the same way as
+.Fn krb5_principal_compare
+but doesn't compare the realm component of the principal.
+.Pp
+.Fn krb5_realm_compare
+compares the realms of the two principals and returns
+.Dv TRUE
+is they are the same, and
+.Dv FALSE
+if not.
+.Pp
+.Fn krb5_principal_match
+matches a
+.Fa principal
+against a
+.Fa pattern .
+The pattern is a globbing expression, where each component (separated
+by /) is matched against the corresponding component of the principal.
+.Pp
+The
+.Fn krb5_principal_get_realm
+and
+.Fn krb5_principal_get_comp_string
+functions return parts of the
+.Fa principal ,
+either the realm or a specific component.
+Both functions return string pointers to data inside the principal, so
+they are valid only as long as the principal exists.
+.Pp
+The
+.Fa component
+argument to
+.Fn krb5_principal_get_comp_string
+is the index of the component to return, from zero to the total number of
+components minus one. If the index is out of range
+.Dv NULL
+is returned.
+.Pp
+.Fn krb5_principal_get_realm
+and
+.Fn krb5_principal_get_comp_string
+are replacements for
+.Fn krb5_princ_realm ,
+.Fn krb5_princ_component
+and related macros, described as internal in the MIT API
+specification.
+Unlike the macros, these functions return strings, not
+.Dv krb5_data .
+A reason to return
+.Dv krb5_data
+was that it was believed that principal components could contain
+binary data, but this belief was unfounded, and it has been decided
+that principal components are infact UTF8, so it's safe to use zero
+terminated strings.
+.Pp
+It's generally not necessary to look at the components of a principal.
+.Pp
+.Fn krb5_principal_get_type
+and
+.Fn krb5_principal_set_type
+get and sets the name type for a principal.
+Name type handling is tricky and not often needed,
+don't use this unless you know what you do.
+.Pp
+.Fn krb5_princ_realm
+returns the realm component of the principal.
+The caller must not free realm unless
+.Fn krb5_princ_set_realm
+is called to set a new realm after freeing the realm.
+.Fn krb5_princ_set_realm
+sets the realm component of a principal. The old realm is not freed.
+.Pp
+.Fn krb5_sname_to_principal
+and
+.Fn krb5_sock_to_principal
+are for easy creation of
+.Dq service
+principals that can, for instance, be used to lookup a key in a keytab.
+For both functions the
+.Fa sname
+parameter will be used for the first component of the created principal.
+If
+.Fa sname
+is
+.Dv NULL ,
+.Dq host
+will be used instead.
+.Pp
+.Fn krb5_sname_to_principal
+will use the passed
+.Fa hostname
+for the second component.
+If
+.Fa type
+is
+.Dv KRB5_NT_SRV_HST
+this name will be looked up with
+.Fn gethostbyname .
+If
+.Fa hostname
+is
+.Dv NULL ,
+the local hostname will be used.
+.Pp
+.Fn krb5_sock_to_principal
+will use the
+.Dq sockname
+of the passed
+.Fa socket ,
+which should be a bound
+.Dv AF_INET
+or
+.Dv AF_INET6
+socket.
+There must be a mapping between the address and
+.Dq sockname .
+The function may try to resolve the name in DNS.
+.Pp
+.Fn krb5_get_default_principal
+tries to find out what's a reasonable default principal by looking at
+the environment it is running in.
+.Pp
+.Fn krb5_parse_nametype
+parses and returns the name type integer value in
+.Fa type .
+On failure the function returns an error code and set the error
+string.
+.\" .Sh EXAMPLES
+.Sh SEE ALSO
+.Xr krb5_425_conv_principal 3 ,
+.Xr krb5_config 3 ,
+.Xr krb5.conf 5
+.Sh BUGS
+You can not have a NUL in a component in some of the variable argument
+functions above.
+Until someone can give a good example of where it would be a good idea
+to have NUL's in a component, this will not be fixed.
diff --git a/crypto/heimdal/lib/krb5/krb5_rcache.3 b/crypto/heimdal/lib/krb5/krb5_rcache.3
new file mode 100644
index 0000000..0b7e83a
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_rcache.3
@@ -0,0 +1,163 @@
+.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_rcache.3 17462 2006-05-05 13:18:39Z lha $
+.\"
+.Dd May  1, 2006
+.Dt KRB5_RCACHE 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_rcache ,
+.Nm krb5_rc_close ,
+.Nm krb5_rc_default ,
+.Nm krb5_rc_default_name ,
+.Nm krb5_rc_default_type ,
+.Nm krb5_rc_destroy ,
+.Nm krb5_rc_expunge ,
+.Nm krb5_rc_get_lifespan ,
+.Nm krb5_rc_get_name ,
+.Nm krb5_rc_get_type ,
+.Nm krb5_rc_initialize ,
+.Nm krb5_rc_recover ,
+.Nm krb5_rc_resolve ,
+.Nm krb5_rc_resolve_full ,
+.Nm krb5_rc_resolve_type ,
+.Nm krb5_rc_store ,
+.Nm krb5_get_server_rcache
+.Nd Kerberos 5 replay cache
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Pp
+.Li "struct krb5_rcache;"
+.Pp
+.Ft krb5_error_code
+.Fo krb5_rc_close
+.Fa "krb5_context context"
+.Fa "krb5_rcache id"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_rc_default
+.Fa "krb5_context context"
+.Fa "krb5_rcache *id"
+.Fc
+.Ft "const char *"
+.Fo krb5_rc_default_name
+.Fa "krb5_context context"
+.Fc
+.Ft "const char *"
+.Fo krb5_rc_default_type
+.Fa "krb5_context context"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_rc_destroy
+.Fa "krb5_context context"
+.Fa "krb5_rcache id"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_rc_expunge
+.Fa "krb5_context context"
+.Fa "krb5_rcache id"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_rc_get_lifespan
+.Fa "krb5_context context"
+.Fa "krb5_rcache id"
+.Fa "krb5_deltat *auth_lifespan"
+.Fc
+.Ft "const char*"
+.Fo krb5_rc_get_name
+.Fa "krb5_context context"
+.Fa "krb5_rcache id"
+.Fc
+.Ft "const char*"
+.Fo "krb5_rc_get_type"
+.Fa "krb5_context context"
+.Fa "krb5_rcache id"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_rc_initialize
+.Fa "krb5_context context"
+.Fa "krb5_rcache id"
+.Fa "krb5_deltat auth_lifespan"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_rc_recover
+.Fa "krb5_context context"
+.Fa "krb5_rcache id"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_rc_resolve
+.Fa "krb5_context context"
+.Fa "krb5_rcache id"
+.Fa "const char *name"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_rc_resolve_full
+.Fa "krb5_context context"
+.Fa "krb5_rcache *id"
+.Fa "const char *string_name"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_rc_resolve_type
+.Fa "krb5_context context"
+.Fa "krb5_rcache *id"
+.Fa "const char *type"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_rc_store
+.Fa "krb5_context context"
+.Fa "krb5_rcache id"
+.Fa "krb5_donot_replay *rep"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_server_rcache
+.Fa "krb5_context context"
+.Fa "const krb5_data *piece"
+.Fa "krb5_rcache *id"
+.Fc
+.Sh DESCRIPTION
+The
+.Li krb5_rcache
+structure holds a storage element that is used for data manipulation.
+The structure contains no public accessible elements.
+.Pp
+.Fn krb5_rc_initialize
+Creates the reply cache
+.Fa id
+and sets it lifespan to
+.Fa auth_lifespan .
+If the cache already exists, the content is destroyed.
+.Sh SEE ALSO
+.Xr krb5 3 ,
+.Xr krb5_data 3 ,
+.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_rd_error.3 b/crypto/heimdal/lib/krb5/krb5_rd_error.3
new file mode 100644
index 0000000..00203cd
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_rd_error.3
@@ -0,0 +1,98 @@
+.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_rd_error.3 21059 2007-06-12 17:52:46Z lha $
+.\"
+.Dd July 26, 2004
+.Dt KRB5_RD_ERROR 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_rd_error ,
+.Nm krb5_free_error ,
+.Nm krb5_free_error_contents ,
+.Nm krb5_error_from_rd_error
+.Nd parse, free and read error from KRB-ERROR message
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Ft krb5_error_code
+.Fo krb5_rd_error
+.Fa "krb5_context context"
+.Fa "const krb5_data *msg"
+.Fa "KRB_ERROR *result"
+.Fc
+.Ft void
+.Fo krb5_free_error
+.Fa "krb5_context context"
+.Fa "krb5_error *error"
+.Fc
+.Ft void
+.Fo krb5_free_error_contents
+.Fa "krb5_context context"
+.Fa "krb5_error *error"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_error_from_rd_error
+.Fa "krb5_context context"
+.Fa "const krb5_error *error"
+.Fa "const krb5_creds *creds"
+.Fc
+.Sh DESCRIPTION
+Usually applications never needs to parse and understand Kerberos
+error messages since higher level functions will parse and push up the
+error in the krb5_context.
+These functions are described for completeness.
+.Pp
+.Fn krb5_rd_error
+parses and returns the kerboeros error message, the structure should be freed with
+.Fn krb5_free_error_contents
+when the caller is done with the structure.
+.Pp
+.Fn krb5_free_error
+frees the content and the memory region holding the structure iself.
+.Pp
+.Fn krb5_free_error_contents
+free the content of the KRB-ERROR message.
+.Pp
+.Fn krb5_error_from_rd_error
+will parse the error message and set the error buffer in krb5_context
+to the error string passed back or the matching error code in the
+KRB-ERROR message.
+Caller should pick up the message with
+.Fn krb5_get_error_string 3
+(don't forget to free the returned string with
+.Fn krb5_free_error_string ) .
+.Sh SEE ALSO
+.Xr krb5 3 ,
+.Xr krb5_set_error_string 3 ,
+.Xr krb5_get_error_string 3 ,
+.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krb5_rd_safe.3 b/crypto/heimdal/lib/krb5/krb5_rd_safe.3
new file mode 100644
index 0000000..d024ae4
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_rd_safe.3
@@ -0,0 +1,81 @@
+.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_rd_safe.3 17385 2006-05-01 08:48:55Z lha $
+.\"
+.Dd May  1, 2006
+.Dt KRB5_RD_SAFE 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_rd_safe ,
+.Nm krb5_rd_priv
+.Nd verifies authenticity of messages
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Pp
+.Ft krb5_error_code
+.Fn krb5_rd_priv "krb5_context context" "krb5_auth_context auth_context" "const krb5_data *inbuf" "krb5_data *outbuf" "krb5_replay_data *outdata"
+.Ft krb5_error_code
+.Fn krb5_rd_safe "krb5_context context" "krb5_auth_context auth_context" "const krb5_data *inbuf" "krb5_data *outbuf" "krb5_replay_data *outdata"
+.Sh DESCRIPTION
+.Fn krb5_rd_safe
+and
+.Fn krb5_rd_priv
+parses
+.Li KRB-SAFE
+and
+.Li KRB-PRIV
+messages (as generated by
+.Xr krb5_mk_safe 3
+and
+.Xr krb5_mk_priv 3 )
+from
+.Fa inbuf
+and verifies its integrity. The user data part of the message in put
+in
+.Fa outbuf .
+The encryption state, including keyblocks and addresses, is taken from
+.Fa auth_context .
+If the
+.Dv KRB5_AUTH_CONTEXT_RET_SEQUENCE
+or
+.Dv KRB5_AUTH_CONTEXT_RET_TIME
+flags are set in the
+.Fa auth_context
+the sequence number and time are returned in the
+.Fa outdata
+parameter.
+.Sh SEE ALSO
+.Xr krb5_auth_con_init 3 ,
+.Xr krb5_mk_priv 3 ,
+.Xr krb5_mk_safe 3
diff --git a/crypto/heimdal/lib/krb5/krb5_set_default_realm.3 b/crypto/heimdal/lib/krb5/krb5_set_default_realm.3
index e4b9a36..27467d8 100644
--- a/crypto/heimdal/lib/krb5/krb5_set_default_realm.3
+++ b/crypto/heimdal/lib/krb5/krb5_set_default_realm.3
@@ -1,44 +1,45 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.\" $Id: krb5_set_default_realm.3,v 1.2 2003/04/16 13:58:11 lha Exp $
+.\" $Id: krb5_set_default_realm.3 17462 2006-05-05 13:18:39Z lha $
 .\"
-.Dd Mar 16, 2003
+.Dd April 24, 2005
 .Dt KRB5_SET_DEFAULT_REALM 3
 .Os HEIMDAL
 .Sh NAME
-.Nm krb5_free_host_realm
-.Nm krb5_get_default_realm
-.Nm krb5_get_default_realms
-.Nm krb5_get_host_realm
+.Nm krb5_copy_host_realm ,
+.Nm krb5_free_host_realm ,
+.Nm krb5_get_default_realm ,
+.Nm krb5_get_default_realms ,
+.Nm krb5_get_host_realm ,
 .Nm krb5_set_default_realm
 .Nd default and host realm read and manipulation routines
 .Sh LIBRARY
@@ -46,6 +47,12 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Sh SYNOPSIS
 .In krb5.h
 .Ft krb5_error_code
+.Fo krb5_copy_host_realm
+.Fa "krb5_context context"
+.Fa "const krb5_realm *from"
+.Fa "krb5_realm **to"
+.Fc
+.Ft krb5_error_code
 .Fo krb5_free_host_realm
 .Fa "krb5_context context"
 .Fa "krb5_realm *realmlist"
@@ -72,13 +79,22 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Fa "const char *realm"
 .Fc
 .Sh DESCRIPTION
+.Fn krb5_copy_host_realm
+copies the list of realms from
+.Fa from
+to
+.Fa to .
+.Fa to
+should be freed by the caller using
+.Fa krb5_free_host_realm .
+.Pp
 .Fn krb5_free_host_realm
 frees all memory allocated by
 .Fa realmlist .
 .Pp
 .Fn krb5_get_default_realm
 returns the first default realm for this host.
-The realm returned should be free with
+The realm returned should be freed with
 .Fn free .
 .Pp
 .Fn krb5_get_default_realms
@@ -87,7 +103,7 @@ returns a
 terminated list of default realms for this context.
 Realms returned by
 .Fn krb5_get_default_realms
-should be free with
+should be freed with
 .Fn krb5_free_host_realm .
 .Pp
 .Fn krb5_get_host_realm
@@ -109,11 +125,11 @@ DNS is used to lookup the realm.
 .Pp
 When using
 .Li DNS
-to a resolve the domain for the host a.b.c, 
+to a resolve the domain for the host a.b.c,
 .Fn krb5_get_host_realm
 looks for a
 .Dv TXT
-resource record named 
+resource record named
 .Li _kerberos.a.b.c ,
 and if not found, it strips off the first component and tries a again
 (_kerberos.b.c) until it reaches the root.
@@ -123,6 +139,10 @@ If there is no configuration or DNS information found,
 assumes it can use the domain part of the
 .Fa host
 to form a realm.
+Caller must free
+.Fa realmlist
+with
+.Fn krb5_free_host_realm .
 .Pp
 .Fn krb5_set_default_realm
 sets the default realm for the
@@ -140,5 +160,5 @@ If there is no such stanza in the configuration file, the
 .Fn krb5_get_host_realm
 function is used to form a default realm.
 .Sh SEE ALSO
-.Xr krb5.conf 5 ,
-.Xr free 3
+.Xr free 3 ,
+.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krb5_set_password.3 b/crypto/heimdal/lib/krb5/krb5_set_password.3
index e2e3086..45ed41d 100644
--- a/crypto/heimdal/lib/krb5/krb5_set_password.3
+++ b/crypto/heimdal/lib/krb5/krb5_set_password.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan
 .\" (Royal Institute of Technology, Stockholm, Sweden).
 .\" All rights reserved.
 .\"
@@ -29,15 +29,16 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $Id: krb5_set_password.3,v 1.3.2.1 2004/06/21 10:51:20 lha Exp $
+.\" $Id: krb5_set_password.3 14052 2004-07-15 14:39:06Z lha $
 .\"
-.Dd June  2, 2004
+.Dd July 15, 2004
 .Dt KRB5_SET_PASSWORD 3
 .Os HEIMDAL
 .Sh NAME
 .Nm krb5_change_password ,
 .Nm krb5_set_password ,
-.Nm krb5_set_password_using_ccache
+.Nm krb5_set_password_using_ccache ,
+.Nm krb5_passwd_result_to_string
 .Nd change password functions
 .Sh LIBRARY
 Kerberos 5 Library (libkrb5, -lkrb5)
@@ -57,7 +58,7 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Fa "krb5_context context"
 .Fa "krb5_creds *creds"
 .Fa "char *newpw"
-.Fa "krb5_principal targprinc",
+.Fa "krb5_principal targprinc"
 .Fa "int *result_code"
 .Fa "krb5_data *result_code_string"
 .Fa "krb5_data *result_string"
@@ -72,17 +73,23 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Fa "krb5_data *result_code_string"
 .Fa "krb5_data *result_string"
 .Fc
+.Ft "const char *"
+.Fo krb5_passwd_result_to_string
+.Fa "krb5_context context"
+.Fa "int result"
+.Fc
 .Sh DESCRIPTION
 These functions change the password for a given principal.
 .Pp
 .Fn krb5_set_password
 and
-.Fa krb5_set_password_using_ccache
-is the newer two of the three functions and uses a newer version of the
-protocol (and falls back to the older when the newer doesn't work).
+.Fn krb5_set_password_using_ccache
+are the newer of the three functions, and use a newer version of the
+protocol (and also fall back to the older set-password protocol if the
+newer protocol doesn't work).
 .Pp
 .Fn krb5_change_password
-set the password
+sets the password
 .Fa newpasswd
 for the client principal in
 .Fa creds .
@@ -90,20 +97,47 @@ The server principal of creds must be
 .Li kadmin/changepw .
 .Pp
 .Fn krb5_set_password
-changes the password for the principal
-.Fa targprinc ,
-if
+and
+.Fn krb5_set_password_using_ccache
+change the password for the principal
+.Fa targprinc .
+.Pp
+.Fn krb5_set_password
+requires that the credential for
+.Li kadmin/changepw@REALM
+is in
+.Fa creds .
+If the user caller isn't an administrator, this credential
+needs to be an initial credential, see
+.Xr krb5_get_init_creds 3
+how to get such credentials.
+.Pp
+.Fn krb5_set_password_using_ccache
+will get the credential from
+.Fa ccache .
+.Pp
+If
 .Fa targprinc
 is
-.Dv NULL
-the default principal in
+.Dv NULL ,
+.Fn krb5_set_password_using_ccache
+uses the the default principal in
 .Fa ccache
-is used.
+and
+.Fn krb5_set_password
+uses the global the default principal.
 .Pp
-Both functions returns and error in
+All three functions return an error in
 .Fa result_code
-and maybe an error strings to print in
+and maybe an error string to print in
 .Fa result_string .
+.Pp
+.Fn krb5_passwd_result_to_string
+returns an human readable string describing the error code in
+.Fa result_code
+from the
+.Fn krb5_set_password
+functions.
 .Sh SEE ALSO
 .Xr krb5_ccache 3 ,
 .Xr krb5_init_context 3
diff --git a/crypto/heimdal/lib/krb5/krb5_storage.3 b/crypto/heimdal/lib/krb5/krb5_storage.3
new file mode 100644
index 0000000..cc03c5b
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_storage.3
@@ -0,0 +1,427 @@
+.\" Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_storage.3 17884 2006-08-18 08:41:09Z lha $
+.\"
+.Dd Aug 18, 2006
+.Dt KRB5_STORAGE 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_storage ,
+.Nm krb5_storage_emem ,
+.Nm krb5_storage_from_data ,
+.Nm krb5_storage_from_fd ,
+.Nm krb5_storage_from_mem ,
+.Nm krb5_storage_set_flags ,
+.Nm krb5_storage_clear_flags ,
+.Nm krb5_storage_is_flags ,
+.Nm krb5_storage_set_byteorder ,
+.Nm krb5_storage_get_byteorder ,
+.Nm krb5_storage_set_eof_code ,
+.Nm krb5_storage_seek ,
+.Nm krb5_storage_read ,
+.Nm krb5_storage_write ,
+.Nm krb5_storage_free ,
+.Nm krb5_storage_to_data ,
+.Nm krb5_store_int32 ,
+.Nm krb5_ret_int32 ,
+.Nm krb5_store_uint32 ,
+.Nm krb5_ret_uint32 ,
+.Nm krb5_store_int16 ,
+.Nm krb5_ret_int16 ,
+.Nm krb5_store_uint16 ,
+.Nm krb5_ret_uint16 ,
+.Nm krb5_store_int8 ,
+.Nm krb5_ret_int8 ,
+.Nm krb5_store_uint8 ,
+.Nm krb5_ret_uint8 ,
+.Nm krb5_store_data ,
+.Nm krb5_ret_data ,
+.Nm krb5_store_string ,
+.Nm krb5_ret_string ,
+.Nm krb5_store_stringnl ,
+.Nm krb5_ret_stringnl ,
+.Nm krb5_store_stringz ,
+.Nm krb5_ret_stringz ,
+.Nm krb5_store_principal ,
+.Nm krb5_ret_principal ,
+.Nm krb5_store_keyblock ,
+.Nm krb5_ret_keyblock ,
+.Nm krb5_store_times ,
+.Nm krb5_ret_times ,
+.Nm krb5_store_address ,
+.Nm krb5_ret_address ,
+.Nm krb5_store_addrs ,
+.Nm krb5_ret_addrs ,
+.Nm krb5_store_authdata ,
+.Nm krb5_ret_authdata ,
+.Nm krb5_store_creds ,
+.Nm krb5_ret_creds
+.Nd operates on the Kerberos datatype krb5_storage
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Pp
+.Li "struct krb5_storage;"
+.Pp
+.Ft "krb5_storage *"
+.Fn krb5_storage_from_fd "int fd"
+.Ft "krb5_storage *"
+.Fn krb5_storage_emem "void"
+.Ft "krb5_storage *"
+.Fn krb5_storage_from_mem "void *buf" "size_t len"
+.Ft "krb5_storage *"
+.Fn krb5_storage_from_data "krb5_data *data"
+.Ft void
+.Fn krb5_storage_set_flags "krb5_storage *sp" "krb5_flags flags"
+.Ft void
+.Fn krb5_storage_clear_flags "krb5_storage *sp" "krb5_flags flags"
+.Ft krb5_boolean
+.Fn krb5_storage_is_flags "krb5_storage *sp" "krb5_flags flags"
+.Ft void
+.Fn krb5_storage_set_byteorder "krb5_storage *sp" "krb5_flags byteorder"
+.Ft krb5_flags
+.Fn krb5_storage_get_byteorder "krb5_storage *sp" "krb5_flags byteorder"
+.Ft void
+.Fn krb5_storage_set_eof_code "krb5_storage *sp" "int code"
+.Ft off_t
+.Fn krb5_storage_seek "krb5_storage *sp" "off_t offset" "int whence"
+.Ft krb5_ssize_t
+.Fn krb5_storage_read "krb5_storage *sp" "void *buf" "size_t len"
+.Ft krb5_ssize_t
+.Fn krb5_storage_write "krb5_storage *sp" "const void *buf" "size_t len"
+.Ft krb5_error_code
+.Fn krb5_storage_free "krb5_storage *sp"
+.Ft krb5_error_code
+.Fn krb5_storage_to_data "krb5_storage *sp" "krb5_data *data"
+.Ft krb5_error_code
+.Fn krb5_store_int32 "krb5_storage *sp" "int32_t value"
+.Ft krb5_error_code
+.Fn krb5_ret_int32 "krb5_storage *sp" "int32_t *value"
+.Ft krb5_error_code
+.Fn krb5_ret_uint32 "krb5_storage *sp" "uint32_t *value"
+.Ft krb5_error_code
+.Fn krb5_store_uint32 "krb5_storage *sp" "uint32_t value"
+.Ft krb5_error_code
+.Fn krb5_store_int16 "krb5_storage *sp" "int16_t value"
+.Ft krb5_error_code
+.Fn krb5_ret_int16 "krb5_storage *sp" "int16_t *value"
+.Ft krb5_error_code
+.Fn krb5_store_uint16 "krb5_storage *sp" "uint16_t value"
+.Ft krb5_error_code
+.Fn krb5_ret_uint16 "krb5_storage *sp" "u_int16_t *value"
+.Ft krb5_error_code
+.Fn krb5_store_int8 "krb5_storage *sp" "int8_t value"
+.Ft krb5_error_code
+.Fn krb5_ret_int8 "krb5_storage *sp" "int8_t *value"
+.Ft krb5_error_code
+.Fn krb5_store_uint8 "krb5_storage *sp" "u_int8_t value"
+.Ft krb5_error_code
+.Fn krb5_ret_uint8 "krb5_storage *sp" "u_int8_t *value"
+.Ft krb5_error_code
+.Fn krb5_store_data "krb5_storage *sp" "krb5_data data"
+.Ft krb5_error_code
+.Fn krb5_ret_data "krb5_storage *sp" "krb5_data *data"
+.Ft krb5_error_code
+.Fn krb5_store_string "krb5_storage *sp" "const char *s"
+.Ft krb5_error_code
+.Fn krb5_ret_string "krb5_storage *sp" "char **string"
+.Ft krb5_error_code
+.Fn krb5_store_stringnl "krb5_storage *sp" "const char *s"
+.Ft krb5_error_code
+.Fn krb5_ret_stringnl "krb5_storage *sp" "char **string"
+.Ft krb5_error_code
+.Fn krb5_store_stringz "krb5_storage *sp" "const char *s"
+.Ft krb5_error_code
+.Fn krb5_ret_stringz "krb5_storage *sp" "char **string"
+.Ft krb5_error_code
+.Fn krb5_store_principal "krb5_storage *sp" "krb5_const_principal p"
+.Ft krb5_error_code
+.Fn krb5_ret_principal "krb5_storage *sp" "krb5_principal *princ"
+.Ft krb5_error_code
+.Fn krb5_store_keyblock "krb5_storage *sp" "krb5_keyblock p"
+.Ft krb5_error_code
+.Fn krb5_ret_keyblock "krb5_storage *sp" "krb5_keyblock *p"
+.Ft krb5_error_code
+.Fn krb5_store_times "krb5_storage *sp" "krb5_times times"
+.Ft krb5_error_code
+.Fn krb5_ret_times "krb5_storage *sp" "krb5_times *times"
+.Ft krb5_error_code
+.Fn krb5_store_address "krb5_storage *sp" "krb5_address p"
+.Ft krb5_error_code
+.Fn krb5_ret_address "krb5_storage *sp" "krb5_address *adr"
+.Ft krb5_error_code
+.Fn krb5_store_addrs "krb5_storage *sp" "krb5_addresses p"
+.Ft krb5_error_code
+.Fn krb5_ret_addrs "krb5_storage *sp" "krb5_addresses *adr"
+.Ft krb5_error_code
+.Fn krb5_store_authdata "krb5_storage *sp" "krb5_authdata auth"
+.Ft krb5_error_code
+.Fn krb5_ret_authdata "krb5_storage *sp" "krb5_authdata *auth"
+.Ft krb5_error_code
+.Fn krb5_store_creds "krb5_storage *sp" "krb5_creds *creds"
+.Ft krb5_error_code
+.Fn krb5_ret_creds "krb5_storage *sp" "krb5_creds *creds"
+.Sh DESCRIPTION
+The
+.Li krb5_storage
+structure holds a storage element that is used for data manipulation.
+The structure contains no public accessible elements.
+.Pp
+.Fn krb5_storage_emem
+create a memory based krb5 storage unit that dynamicly resized to the
+ammount of data stored in.
+The storage never returns errors, on memory allocation errors
+.Xr exit 3
+will be called.
+.Pp
+.Fn krb5_storage_from_data
+create a krb5 storage unit that will read is data from a
+.Li krb5_data .
+There is no copy made of the
+.Fa data ,
+so the caller must not free
+.Fa data
+until the storage is freed.
+.Pp
+.Fn krb5_storage_from_fd
+create a krb5 storage unit that will read is data from a
+file descriptor.
+The descriptor must be seekable if
+.Fn krb5_storage_seek
+is used.
+Caller must not free the file descriptor before the storage is freed.
+.Pp
+.Fn krb5_storage_from_mem
+create a krb5 storage unit that will read is data from a
+memory region.
+There is no copy made of the
+.Fa data ,
+so the caller must not free
+.Fa data
+until the storage is freed.
+.Pp
+.Fn krb5_storage_set_flags
+and
+.Fn krb5_storage_clear_flags
+modifies the behavior of the storage functions.
+.Fn krb5_storage_is_flags
+tests if the
+.Fa flags
+are set on the
+.Li krb5_storage .
+Valid flags to set, is and clear is are:
+.Pp
+.Bl -tag -width "Fan vet..." -compact -offset indent
+.It KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS
+Stores the number of principal componets one too many when storing
+principal namees, used for compatibility with version 1 of file
+keytabs and version 1 of file credential caches.
+.It KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE
+Doesn't store the name type in when storing a principal name, used for
+compatibility with version 1 of file keytabs and version 1 of file
+credential caches.
+.It KRB5_STORAGE_KEYBLOCK_KEYTYPE_TWICE
+Stores the keyblock type twice storing a keyblock, used for
+compatibility version 3 of file credential caches.
+.It KRB5_STORAGE_BYTEORDER_MASK
+bitmask that can be used to and out what type of byte order order is used.
+.It KRB5_STORAGE_BYTEORDER_BE
+Store integers in in big endian byte order, this is the default mode.
+.It KRB5_STORAGE_BYTEORDER_LE
+Store integers in in little endian byte order.
+.It KRB5_STORAGE_BYTEORDER_HOST
+Stores the integers in host byte order, used for compatibility with
+version 1 of file keytabs and version 1 and 2 of file credential
+caches.
+.It KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER
+Store the credential flags in a krb5_creds in the reverse bit order.
+.El
+.Pp
+.Fn krb5_storage_set_byteorder
+and
+.Fn krb5_storage_get_byteorder
+modifies the byte order used in the storage for integers.
+The flags used is same as above.
+The valid flags are
+.Dv KRB5_STORAGE_BYTEORDER_BE ,
+.Dv KRB5_STORAGE_BYTEORDER_LE
+and
+.Dv KRB5_STORAGE_BYTEORDER_HOST .
+.Pp
+.Fn krb5_storage_set_eof_code
+sets the error code that will be returned on end of file condition to
+.Fa code .
+.Pp
+.Fn krb5_storage_seek
+seeks
+.Fa offset
+bytes in the storage
+.Fa sp .
+The
+.Fa whence
+argument is one of
+.Bl -tag -width SEEK_SET -compact -offset indent
+.It SEEK_SET
+offset is from begining of storage.
+.It SEEK_CUR
+offset is relative from current offset.
+.It SEEK_END
+offset is from end of storage.
+.El
+.Pp
+.Fn krb5_storage_read
+reads
+.Fa len
+(or less bytes in case of end of file) into
+.Fa buf
+from the current offset in the storage
+.Fa sp .
+.Pp
+.Fn krb5_storage_write
+writes
+.Fa len
+or (less bytes in case of end of file) from
+.Fa buf
+from the current offset in the storage
+.Fa sp .
+.Pp
+.Fn krb5_storage_free
+frees the storage
+.Fa sp .
+.Pp
+.Fn krb5_storage_to_data
+converts the data in storage
+.Fa sp
+into a
+.Li krb5_data
+structure.
+.Fa data
+must be freed with
+.Fn krb5_data_free
+by the caller when done with the
+.Fa data .
+.Pp
+All
+.Li krb5_store
+and
+.Li krb5_ret
+functions move the current offset forward when the functions returns.
+.Pp
+.Fn krb5_store_int32 ,
+.Fn krb5_ret_int32 ,
+.Fn krb5_store_uint32 ,
+.Fn krb5_ret_uint32 ,
+.Fn krb5_store_int16 ,
+.Fn krb5_ret_int16 ,
+.Fn krb5_store_uint16 ,
+.Fn krb5_ret_uint16 ,
+.Fn krb5_store_int8 ,
+.Fn krb5_ret_int8 
+.Fn krb5_store_uint8 ,
+and
+.Fn krb5_ret_uint8 
+stores and reads an integer from
+.Fa sp
+in the byte order specified by the flags set on the
+.Fa sp .
+.Pp
+.Fn krb5_store_data
+and
+.Fn krb5_ret_data
+store and reads a krb5_data.
+The length of the data is stored with
+.Fn krb5_store_int32 .
+.Pp
+.Fn krb5_store_string
+and
+.Fn krb5_ret_string
+store and reads a string by storing the length of the string with
+.Fn krb5_store_int32
+followed by the string itself.
+.Pp
+.Fn krb5_store_stringnl
+and 
+.Fn krb5_ret_stringnl
+store and reads a string by storing string followed by a
+.Dv '\n' .
+.Pp
+.Fn krb5_store_stringz
+and 
+.Fn krb5_ret_stringz
+store and reads a string by storing string followed by a
+.Dv NUL .
+.Pp
+.Fn krb5_store_principal
+and
+.Fn krb5_ret_principal
+store and reads a principal.
+.Pp
+.Fn krb5_store_keyblock
+and
+.Fn krb5_ret_keyblock
+store and reads a
+.Li krb5_keyblock .
+.Pp
+.Fn krb5_store_times
+.Fn krb5_ret_times
+store and reads
+.Li krb5_times 
+structure .
+.Pp
+.Fn krb5_store_address
+and
+.Fn krb5_ret_address
+store and reads a 
+.Li krb5_address .
+.Pp
+.Fn krb5_store_addrs
+and
+.Fn krb5_ret_addrs
+store and reads a 
+.Li krb5_addresses .
+.Pp
+.Fn krb5_store_authdata
+and
+.Fn krb5_ret_authdata
+store and reads a
+.Li krb5_authdata .
+.Pp
+.Fn krb5_store_creds
+and
+.Fn krb5_ret_creds
+store and reads a
+.Li krb5_creds .
+.Sh SEE ALSO
+.Xr krb5 3 ,
+.Xr krb5_data 3 ,
+.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_string_to_key.3 b/crypto/heimdal/lib/krb5/krb5_string_to_key.3
new file mode 100644
index 0000000..cf96f4e
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_string_to_key.3
@@ -0,0 +1,156 @@
+.\" Copyright (c) 2004 - 2006 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_string_to_key.3 17820 2006-07-10 14:28:01Z lha $
+.\"
+.Dd July 10, 2006
+.Dt KRB5_STRING_TO_KEY 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_string_to_key ,
+.Nm krb5_string_to_key_data ,
+.Nm krb5_string_to_key_data_salt ,
+.Nm krb5_string_to_key_data_salt_opaque ,
+.Nm krb5_string_to_key_salt ,
+.Nm krb5_string_to_key_salt_opaque ,
+.Nm krb5_get_pw_salt ,
+.Nm krb5_free_salt
+.Nd turns a string to a Kerberos key
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Ft krb5_error_code
+.Fo krb5_string_to_key
+.Fa "krb5_context context"
+.Fa "krb5_enctype enctype"
+.Fa "const char *password"
+.Fa "krb5_principal principal"
+.Fa "krb5_keyblock *key"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_string_to_key_data
+.Fa "krb5_context context"
+.Fa "krb5_enctype enctype"
+.Fa "krb5_data password"
+.Fa "krb5_principal principal"
+.Fa "krb5_keyblock *key"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_string_to_key_data_salt
+.Fa "krb5_context context"
+.Fa "krb5_enctype enctype"
+.Fa "krb5_data password"
+.Fa "krb5_salt salt"
+.Fa "krb5_keyblock *key"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_string_to_key_data_salt_opaque
+.Fa "krb5_context context"
+.Fa "krb5_enctype enctype"
+.Fa "krb5_data password"
+.Fa "krb5_salt salt"
+.Fa "krb5_data opaque"
+.Fa "krb5_keyblock *key"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_string_to_key_salt
+.Fa "krb5_context context"
+.Fa "krb5_enctype enctype"
+.Fa "const char *password"
+.Fa "krb5_salt salt"
+.Fa "krb5_keyblock *key"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_string_to_key_salt_opaque
+.Fa "krb5_context context"
+.Fa "krb5_enctype enctype"
+.Fa "const char *password"
+.Fa "krb5_salt salt"
+.Fa "krb5_data opaque"
+.Fa "krb5_keyblock *key"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_get_pw_salt
+.Fa "krb5_context context"
+.Fa "krb5_const_principal principal"
+.Fa "krb5_salt *salt"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_free_salt
+.Fa "krb5_context context"
+.Fa "krb5_salt salt"
+.Fc
+.Sh DESCRIPTION
+The string to key functions convert a string to a kerberos key.
+.Pp
+.Fn krb5_string_to_key_data_salt_opaque
+is the function that does all the work, the rest of the functions are
+just wrapers around
+.Fn krb5_string_to_key_data_salt_opaque
+that calls it with default values.
+.Pp
+.Fn krb5_string_to_key_data_salt_opaque
+transforms the
+.Fa password
+with the given salt-string
+.Fa salt
+and the opaque, encryption type specific parameter
+.Fa opaque
+to a encryption key
+.Fa key
+according to the string to key function associated with
+.Fa enctype .
+.Pp
+The
+.Fa key
+should be freed with
+.Fn krb5_free_keyblock_contents .
+.Pp
+If one of the functions that doesn't take a
+.Li krb5_salt
+as it argument
+.Fn krb5_get_pw_salt
+is used to get the salt value.
+.Pp
+.Fn krb5_get_pw_salt
+get the default password salt for a principal, use
+.Fn krb5_free_salt
+to free the salt when done.
+.Pp
+.Fn krb5_free_salt
+frees the content of
+.Fa salt .
+.Sh SEE ALSO
+.Xr krb5 3 ,
+.Xr krb5_data 3 ,
+.Xr krb5_keyblock 3 ,
+.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_ticket.3 b/crypto/heimdal/lib/krb5/krb5_ticket.3
new file mode 100644
index 0000000..4f6d45b
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_ticket.3
@@ -0,0 +1,137 @@
+.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_ticket.3 19543 2006-12-28 20:48:50Z lha $
+.\"
+.Dd May  1, 2006
+.Dt KRB5_TICKET 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_ticket ,
+.Nm krb5_free_ticket ,
+.Nm krb5_copy_ticket ,
+.Nm krb5_ticket_get_authorization_data_type ,
+.Nm krb5_ticket_get_client ,
+.Nm krb5_ticket_get_server ,
+.Nm krb5_ticket_get_endtime
+.Nd Kerberos 5 ticket access and handling functions
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Pp
+.Li krb5_ticket ;
+.Pp
+.Ft krb5_error_code
+.Fo krb5_free_ticket
+.Fa "krb5_context context"
+.Fa "krb5_ticket *ticket"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_copy_ticket
+.Fa "krb5_context context"
+.Fa "const krb5_ticket *from"
+.Fa "krb5_ticket **to"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_ticket_get_authorization_data_type
+.Fa "krb5_context context"
+.Fa "krb5_ticket *ticket"
+.Fa "int type"
+.Fa "krb5_data *data"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_ticket_get_client
+.Fa "krb5_context context"
+.Fa "const krb5_ticket *ticket"
+.Fa "krb5_principal *client"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_ticket_get_server
+.Fa "krb5_context context"
+.Fa "const krb5_ticket *ticket"
+.Fa "krb5_principal *server"
+.Fc
+.Ft time_t
+.Fo krb5_ticket_get_endtime
+.Fa "krb5_context context"
+.Fa "const krb5_ticket *ticket"
+.Fc
+.Sh DESCRIPTION
+.Li krb5_ticket
+holds a kerberos ticket.
+The internals of the structure should never be accessed directly,
+functions exist for extracting information.
+.Pp
+.Fn krb5_free_ticket
+frees the
+.Fa ticket
+and its content.
+Used to free the result of
+.Fn krb5_copy_ticket
+and
+.Fn krb5_recvauth .
+.Pp
+.Fn krb5_copy_ticket
+copies the content of the ticket
+.Fa from
+to the ticket
+.Fa to .
+The result
+.Fa to
+should be freed with
+.Fn krb5_free_ticket .
+.Pp
+.Fn krb5_ticket_get_authorization_data_type
+fetches the authorization data of the type
+.Fa type
+from the
+.Fa ticket .
+If there isn't any authorization data of type
+.Fa type ,
+.Dv ENOENT
+is returned.
+.Fa data
+needs to be freed with
+.Fn krb5_data_free
+on success.
+.Pp
+.Fn krb5_ticket_get_client
+and
+.Fn krb5_ticket_get_server
+returns a copy of the client/server principal from the ticket.
+The principal returned should be free using
+.Xr krb5_free_principal 3 .
+.Pp
+.Fn krb5_ticket_get_endtime
+return the end time of the ticket.
+.Sh SEE ALSO
+.Xr krb5 3
diff --git a/crypto/heimdal/lib/krb5/krb5_timeofday.3 b/crypto/heimdal/lib/krb5/krb5_timeofday.3
index 6d5dbb3..4163cc1 100644
--- a/crypto/heimdal/lib/krb5/krb5_timeofday.3
+++ b/crypto/heimdal/lib/krb5/krb5_timeofday.3
@@ -1,57 +1,118 @@
-.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
-.\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
-.\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
-.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
-.\"
-.\" $Id: krb5_timeofday.3,v 1.5 2003/04/16 13:58:18 lha Exp $
-.\"
-.Dd July  1, 2001
+.\" $Id: krb5_timeofday.3 18093 2006-09-16 09:27:28Z lha $
+.\"
+.\" Copyright (c) 2001, 2003, 2006 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_timeofday.3 18093 2006-09-16 09:27:28Z lha $
+.\"
+.Dd Sepember  16, 2006
 .Dt KRB5_TIMEOFDAY 3
+.Os HEIMDAL
 .Sh NAME
 .Nm krb5_timeofday ,
-.Nm krb5_us_timeofday
-.Nd whatever these functions do
+.Nm krb5_set_real_time ,
+.Nm krb5_us_timeofday ,
+.Nm krb5_format_time ,
+.Nm krb5_string_to_deltat
+.Nd Kerberos 5 time handling functions
 .Sh LIBRARY
 Kerberos 5 Library (libkrb5, -lkrb5)
 .Sh SYNOPSIS
 .In krb5.h
-.Ft "krb5_error_code"
-.Fn krb5_timeofday "krb5_context context" "krb5_timestamp *timeret"
-.Ft "krb5_error_code"
-.Fn krb5_us_timeofday "krb5_context context" "int32_t *sec" "int32_t *usec"
+.Pp
+.Li krb5_timestamp ;
+.Pp
+.Li krb5_deltat ;
+.Ft krb5_error_code
+.Fo krb5_set_real_time
+.Fa "krb5_context context"
+.Fa "krb5_timestamp sec"
+.Fa "int32_t usec"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_timeofday
+.Fa "krb5_context context"
+.Fa "krb5_timestamp *timeret"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_us_timeofday
+.Fa "krb5_context context"
+.Fa "krb5_timestamp *sec"
+.Fa "int32_t *usec"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_format_time
+.Fa "krb5_context context"
+.Fa "time_t t"
+.Fa "char *s"
+.Fa "size_t len"
+.Fa "krb5_boolean include_time"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_string_to_deltat
+.Fa "const char *string"
+.Fa "krb5_deltat *deltat"
+.Fc
 .Sh DESCRIPTION
+.Nm krb5_set_real_time
+sets the absolute time that the caller knows the KDC has.
+With this the Kerberos library can calculate the relative
+difference between the KDC time and the local system time and store it
+in the
+.Fa context .
+With this information the Kerberos library can adjust all time stamps
+in Kerberos packages.
+.Pp
 .Fn krb5_timeofday
 returns the current time, but adjusted with the time difference
 between the local host and the KDC.
 .Fn krb5_us_timeofday
 also returns microseconds.
 .Pp
-.\".Sh EXAMPLE
+.Nm krb5_format_time
+formats the time
+.Fa t
+into the string
+.Fa s
+of length
+.Fa len .
+If
+.Fa include_time
+is set, the time is set include_time.
+.Pp
+.Nm krb5_string_to_deltat
+parses delta time
+.Fa string
+into
+.Fa deltat .
 .Sh SEE ALSO
-.Xr gettimeofday 2
+.Xr gettimeofday 2 ,
+.Xr krb5 3
diff --git a/crypto/heimdal/lib/krb5/krb5_unparse_name.3 b/crypto/heimdal/lib/krb5/krb5_unparse_name.3
index ed96c5d..274d638 100644
--- a/crypto/heimdal/lib/krb5/krb5_unparse_name.3
+++ b/crypto/heimdal/lib/krb5/krb5_unparse_name.3
@@ -1,35 +1,35 @@
 .\" Copyright (c) 1997 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.\" $Id: krb5_unparse_name.3,v 1.8 2003/04/16 13:58:18 lha Exp $
+.\" $Id: krb5_unparse_name.3 12329 2003-05-26 14:09:04Z lha $
 .\"
 .Dd August 8, 1997
 .Dt KRB5_UNPARSE_NAME 3
diff --git a/crypto/heimdal/lib/krb5/krb5_verify_init_creds.3 b/crypto/heimdal/lib/krb5/krb5_verify_init_creds.3
new file mode 100644
index 0000000..9a34648
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_verify_init_creds.3
@@ -0,0 +1,103 @@
+.\" Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_verify_init_creds.3 22071 2007-11-14 20:04:50Z lha $
+.\"
+.Dd May  1, 2006
+.Dt KRB5_VERIFY_INIT_CREDS 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_verify_init_creds_opt_init ,
+.Nm krb5_verify_init_creds_opt_set_ap_req_nofail ,
+.Nm krb5_verify_init_creds
+.Nd "verifies a credential cache is correct by using a local keytab"
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Pp
+.Li "struct krb5_verify_init_creds_opt;"
+.Ft void
+.Fo krb5_verify_init_creds_opt_init
+.Fa "krb5_verify_init_creds_opt *options"
+.Fc
+.Ft void
+.Fo krb5_verify_init_creds_opt_set_ap_req_nofail
+.Fa "krb5_verify_init_creds_opt *options"
+.Fa "int ap_req_nofail"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_verify_init_creds
+.Fa "krb5_context context"
+.Fa "krb5_creds *creds"
+.Fa "krb5_principal ap_req_server"
+.Fa "krb5_ccache *ccache"
+.Fa "krb5_verify_init_creds_opt *options"
+.Fc
+.Sh DESCRIPTION
+The
+.Nm krb5_verify_init_creds
+function verifies the initial tickets with the local keytab to make
+sure the response of the KDC was spoof-ed.
+.Pp
+.Nm krb5_verify_init_creds
+will use principal
+.Fa ap_req_server
+from the local keytab, if
+.Dv NULL
+is passed in, the code will guess the local hostname and use that to
+form host/hostname/GUESSED-REALM-FOR-HOSTNAME.
+.Fa creds
+is the credential that
+.Nm krb5_verify_init_creds
+should verify.
+If
+.Fa ccache
+is given
+.Fn krb5_verify_init_creds
+stores all credentials it fetched from the KDC there, otherwise it
+will use a memory credential cache that is destroyed when done.
+.Pp
+.Fn krb5_verify_init_creds_opt_init
+cleans the the structure, must be used before trying to pass it in to
+.Fn krb5_verify_init_creds .
+.Pp
+.Fn krb5_verify_init_creds_opt_set_ap_req_nofail
+controls controls the behavior if
+.Fa ap_req_server
+doesn't exists in the local keytab or in the KDC's database, if it's
+true, the error will be ignored.  Note that this use is possible
+insecure.
+.Sh SEE ALSO
+.Xr krb5 3 ,
+.Xr krb5_get_init_creds 3 ,
+.Xr krb5_verify_user 3 ,
+.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krb5_verify_user.3 b/crypto/heimdal/lib/krb5/krb5_verify_user.3
index 1357ef1..8086bc0 100644
--- a/crypto/heimdal/lib/krb5/krb5_verify_user.3
+++ b/crypto/heimdal/lib/krb5/krb5_verify_user.3
@@ -1,49 +1,52 @@
-.\" Copyright (c) 2001 - 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" Copyright (c) 2001 - 2006 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
-.\" 
-.\" $Id: krb5_verify_user.3,v 1.10 2003/04/16 13:58:11 lha Exp $
-.\" 
-.Dd March 25, 2003
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_verify_user.3 22071 2007-11-14 20:04:50Z lha $
+.\"
+.Dd May  1, 2006
 .Dt KRB5_VERIFY_USER 3
 .Os HEIMDAL
 .Sh NAME
 .Nm krb5_verify_user ,
 .Nm krb5_verify_user_lrealm ,
 .Nm krb5_verify_user_opt ,
-.Nm krb5_verify_opt_init
+.Nm krb5_verify_opt_init ,
+.Nm krb5_verify_opt_alloc ,
+.Nm krb5_verify_opt_free ,
+.Nm krb5_verify_opt_set_ccache ,
 .Nm krb5_verify_opt_set_flags ,
 .Nm krb5_verify_opt_set_service ,
 .Nm krb5_verify_opt_set_secure ,
 .Nm krb5_verify_opt_set_keytab
-.Nd Heimdal password verifying functions.
+.Nd Heimdal password verifying functions
 .Sh LIBRARY
 Kerberos 5 Library (libkrb5, -lkrb5)
 .Sh SYNOPSIS
@@ -55,6 +58,10 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Ft void
 .Fn krb5_verify_opt_init "krb5_verify_opt *opt"
 .Ft void
+.Fn krb5_verify_opt_alloc "krb5_verify_opt **opt"
+.Ft void
+.Fn krb5_verify_opt_free "krb5_verify_opt *opt"
+.Ft void
 .Fn krb5_verify_opt_set_ccache "krb5_verify_opt *opt" "krb5_ccache ccache"
 .Ft void
 .Fn krb5_verify_opt_set_keytab "krb5_verify_opt *opt" "krb5_keytab keytab"
@@ -79,7 +86,7 @@ The principal whose password will be verified is specified in
 .Fa principal .
 New tickets will be obtained as a side-effect and stored in
 .Fa ccache
-(if 
+(if
 .Dv NULL ,
 the default ccache is used).
 .Fn krb5_verify_user
@@ -109,7 +116,7 @@ if given as
 ).
 .Pp
 The
-.Nm krb5_verify_user_lrealm
+.Fn krb5_verify_user_lrealm
 function does the same, except that it ignores the realm in
 .Fa principal
 and tries all the local realms (see
@@ -119,11 +126,20 @@ realm. If the call fails, the principal will not be meaningful, and
 should only be freed with
 .Xr krb5_free_principal 3 .
 .Pp
+.Fn krb5_verify_opt_alloc
+and
+.Fn krb5_verify_opt_free
+allocates and frees a
+.Li krb5_verify_opt .
+You should use the the alloc and free function instead of allocation
+the structure yourself, this is because in a future release the
+structure wont be exported.
+.Pp
 .Fn krb5_verify_opt_init
 resets all opt to default values.
 .Pp
 None of the krb5_verify_opt_set function makes a copy of the data
-structure that they are called with. Its up the caller to free them
+structure that they are called with. It's up the caller to free them
 after the
 .Fn krb5_verify_user_opt
 is called.
@@ -180,7 +196,7 @@ The principal whose password will be verified is specified in
 .Fa principal .
 Options the to the verification process is pass in in
 .Fa opt .
-.Sh EXAMPLE
+.Sh EXAMPLES
 Here is a example program that verifies a password. it uses the
 .Ql host/`hostname`
 service principal in
@@ -215,10 +231,10 @@ main(int argc, char **argv)
 }
 .Ed
 .Sh SEE ALSO
-.Xr krb5_err 3 ,
 .Xr krb5_cc_gen_new 3 ,
-.Xr krb5_cc_resolve 3 ,
 .Xr krb5_cc_initialize 3 ,
+.Xr krb5_cc_resolve 3 ,
+.Xr krb5_err 3 ,
 .Xr krb5_free_principal 3 ,
 .Xr krb5_init_context 3 ,
 .Xr krb5_kt_default 3 ,
diff --git a/crypto/heimdal/lib/krb5/krb5_warn.3 b/crypto/heimdal/lib/krb5/krb5_warn.3
index 7ed4b31..5610cd8 100644
--- a/crypto/heimdal/lib/krb5/krb5_warn.3
+++ b/crypto/heimdal/lib/krb5/krb5_warn.3
@@ -1,32 +1,86 @@
-.\" Copyright (c) 1997 Kungliga Tekniska Högskolan
-.\" $Id: krb5_warn.3,v 1.7 2003/04/16 19:31:49 lha Exp $
-.Dd August 8, 1997
+.\" Copyright (c) 1997, 2001 - 2006 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: krb5_warn.3 19085 2006-11-21 07:55:20Z lha $
+.\"
+.Dd May  1, 2006
 .Dt KRB5_WARN 3
 .Os HEIMDAL
 .Sh NAME
-.Nm krb5_warn ,
-.Nm krb5_warnx ,
-.Nm krb5_vwarn ,
-.Nm krb5_vwarnx ,
+.Nm krb5_abort ,
+.Nm krb5_abortx ,
+.Nm krb5_clear_error_string ,
 .Nm krb5_err ,
 .Nm krb5_errx ,
+.Nm krb5_free_error_string ,
+.Nm krb5_get_err_text ,
+.Nm krb5_get_error_message ,
+.Nm krb5_get_error_string ,
+.Nm krb5_have_error_string ,
+.Nm krb5_set_error_string ,
+.Nm krb5_set_warn_dest ,
+.Nm krb5_get_warn_dest ,
+.Nm krb5_vabort ,
+.Nm krb5_vabortx ,
 .Nm krb5_verr ,
 .Nm krb5_verrx ,
-.Nm krb5_set_warn_dest
+.Nm krb5_vset_error_string ,
+.Nm krb5_vwarn ,
+.Nm krb5_vwarnx ,
+.Nm krb5_warn ,
+.Nm krb5_warnx
 .Nd Heimdal warning and error functions
 .Sh LIBRARY
 Kerberos 5 Library (libkrb5, -lkrb5)
 .Sh SYNOPSIS
 .In krb5.h
 .Ft krb5_error_code
+.Fn krb5_abort "krb5_context context" "krb5_error_code code" "const char *fmt"  "..."
+.Ft krb5_error_code
+.Fn krb5_abortx "krb5_context context" "krb5_error_code code" "const char *fmt"  "..."
+.Ft void
+.Fn krb5_clear_error_string "krb5_context context"
+.Ft krb5_error_code
 .Fn krb5_err "krb5_context context" "int eval" "krb5_error_code code" "const char *format" "..."
 .Ft krb5_error_code
 .Fn krb5_errx "krb5_context context" "int eval" "const char *format" "..."
+.Ft void
+.Fn krb5_free_error_string "krb5_context context" "char *str"
 .Ft krb5_error_code
 .Fn krb5_verr "krb5_context context" "int eval" "krb5_error_code code" "const char *format" "va_list ap"
 .Ft krb5_error_code
 .Fn krb5_verrx "krb5_context context" "int eval" "const char *format" "va_list ap"
 .Ft krb5_error_code
+.Fn krb5_vset_error_string "krb5_context context" "const char *fmt" "va_list args"
+.Ft krb5_error_code
 .Fn krb5_vwarn "krb5_context context" "krb5_error_code code" "const char *format" "va_list ap"
 .Ft krb5_error_code
 .Fn krb5_vwarnx "krb5_context context" "const char *format" "va_list ap"
@@ -35,23 +89,43 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Ft krb5_error_code
 .Fn krb5_warnx "krb5_context context" "const char *format" "..."
 .Ft krb5_error_code
+.Fn krb5_set_error_string "krb5_context context" "const char *fmt" "..."
+.Ft krb5_error_code
 .Fn krb5_set_warn_dest "krb5_context context" "krb5_log_facility *facility"
 .Ft "char *"
+.Ft krb5_log_facility *
+.Fo krb5_get_warn_dest
+.Fa "krb5_context context"
+.Fc
 .Fn krb5_get_err_text "krb5_context context" "krb5_error_code code"
+.Ft char*
+.Fn krb5_get_error_string "krb5_context context"
+.Ft char*
+.Fn krb5_get_error_message "krb5_context context, krb5_error_code code"
+.Ft krb5_boolean
+.Fn krb5_have_error_string "krb5_context context"
+.Ft krb5_error_code
+.Fn krb5_vabortx "krb5_context context" "const char *fmt" "va_list ap"
+.Ft krb5_error_code
+.Fn krb5_vabort "krb5_context context" "const char *fmt" "va_list ap"
 .Sh DESCRIPTION
-These functions prints a warning message to some destination.
+These functions print a warning message to some destination.
 .Fa format
 is a printf style format specifying the message to print. The forms not ending in an
 .Dq x
-prints the error string associated with
+print the error string associated with
 .Fa code
 along with the message.
 The
 .Dq err
-functions exits with exit status
+functions exit with exit status
 .Fa eval
 after printing the message.
 .Pp
+Applications that want to get the error message to report it to a user
+or store it in a log want to use
+.Fn krb5_get_error_message .
+.Pp
 The
 .Fn krb5_set_warn_func
 function sets the destination for warning messages to the specified
@@ -60,9 +134,100 @@ Messages logged with the
 .Dq warn
 functions have a log level of 1, while the
 .Dq err
-functions logs with level 0.
+functions log with level 0.
 .Pp
 .Fn krb5_get_err_text
 fetches the human readable strings describing the error-code.
+.Pp
+.Fn krb5_abort
+and 
+.Nm krb5_abortx
+behaves like
+.Nm krb5_err
+and
+.Nm krb5_errx
+but instead of exiting using the
+.Xr exit 3
+call,
+.Xr abort 3
+is used.
+.Pp
+.Fn krb5_free_error_string
+frees the error string
+.Fa str
+returned by
+.Fn krb5_get_error_string .
+.Pp
+.Fn krb5_clear_error_string
+clears the error string from the
+.Fa context .
+.Pp
+.Fn krb5_set_error_string
+and
+.Fn krb5_vset_error_string
+sets an verbose error string in
+.Fa context .
+.Pp
+.Fn krb5_get_error_string
+fetches the error string from
+.Fa context .
+The error message in the context is consumed and must be freed using
+.Fn krb5_free_error_string
+by the caller.
+See also
+.Fn krb5_get_error_message ,
+what is usually less verbose to use.
+.Pp
+.Fn krb5_have_error_string
+returns
+.Dv TRUE
+if there is a verbose error message in the
+.Fa context .
+.Pp
+.Fn krb5_get_error_message
+fetches the error string from the context, or if there
+is no customized error string in
+.Fa context ,
+uses
+.Fa code
+to return a error string.
+In either case, the error message in the context is consumed and must
+be freed using
+.Fn krb5_free_error_string
+by the caller.
+.Pp
+.Fn krb5_set_warn_dest
+and
+.Fn krb5_get_warn_dest
+sets and get the log context that is used by
+.Fn krb5_warn
+and friends.  By using this the application can control where the
+output should go.  For example, this is imperative to inetd servers
+where logging status and error message will end up on the output
+stream to the client.
+.Sh EXAMPLES
+Below is a simple example how to report error messages from the
+Kerberos library in an application.
+.Bd -literal
+#include <krb5.h>
+
+krb5_error_code
+function (krb5_context context)
+{
+    krb5_error_code ret;
+
+    ret = krb5_function (context, arg1, arg2);
+    if (ret) {
+	char *s = krb5_get_error_message(context, ret);
+	if (s == NULL)
+	     errx(1, "kerberos error: %d (and out of memory)", ret);
+	application_logger("krb5_function failed: %s", s);
+	krb5_free_error_string(context, s);
+	return ret;
+    }
+    return 0;
+}
+.Ed
 .Sh SEE ALSO
+.Xr krb5 3 ,
 .Xr krb5_openlog 3
diff --git a/crypto/heimdal/lib/krb5/krb_err.et b/crypto/heimdal/lib/krb5/krb_err.et
new file mode 100644
index 0000000..f7dbb6c
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb_err.et
@@ -0,0 +1,63 @@
+#
+# Error messages for the krb4 library
+#
+# This might look like a com_err file, but is not
+#
+id "$Id: krb_err.et,v 1.7 1998/03/29 14:19:52 bg Exp $"
+
+error_table krb
+
+prefix KRB4ET
+ec KSUCCESS,		"Kerberos 4 successful"
+ec KDC_NAME_EXP,	"Kerberos 4 principal expired"
+ec KDC_SERVICE_EXP,	"Kerberos 4 service expired"
+ec KDC_AUTH_EXP,	"Kerberos 4 auth expired"
+ec KDC_PKT_VER,		"Incorrect Kerberos 4 master key version"
+ec KDC_P_MKEY_VER,	"Incorrect Kerberos 4 master key version"
+ec KDC_S_MKEY_VER,	"Incorrect Kerberos 4 master key version"
+ec KDC_BYTE_ORDER,	"Kerberos 4 byte order unknown"
+ec KDC_PR_UNKNOWN,	"Kerberos 4 principal unknown"
+ec KDC_PR_N_UNIQUE,	"Kerberos 4 principal not unique"
+ec KDC_NULL_KEY,	"Kerberos 4 principal has null key"
+index 20
+ec KDC_GEN_ERR,		"Generic error from KDC (Kerberos 4)"
+ec GC_TKFIL,		"Can't read Kerberos 4 ticket file"
+ec GC_NOTKT,		"Can't find Kerberos 4 ticket or TGT"
+index 26
+ec MK_AP_TGTEXP,	"Kerberos 4 TGT Expired"
+index 31
+ec RD_AP_UNDEC,		"Kerberos 4: Can't decode authenticator"
+ec RD_AP_EXP,		"Kerberos 4 ticket expired"
+ec RD_AP_NYV,		"Kerberos 4 ticket not yet valid"
+ec RD_AP_REPEAT,	"Kerberos 4: Repeated request"
+ec RD_AP_NOT_US,	"The Kerberos 4 ticket isn't for us"
+ec RD_AP_INCON,		"Kerberos 4 request inconsistent"
+ec RD_AP_TIME,		"Kerberos 4: delta_t too big"
+ec RD_AP_BADD,		"Kerberos 4: incorrect net address"
+ec RD_AP_VERSION,	"Kerberos protocol not version 4"
+ec RD_AP_MSG_TYPE,	"Kerberos 4: invalid msg type"
+ec RD_AP_MODIFIED,	"Kerberos 4: message stream modified"
+ec RD_AP_ORDER,		"Kerberos 4: message out of order"
+ec RD_AP_UNAUTHOR,	"Kerberos 4: unauthorized request"
+index 51
+ec GT_PW_NULL,		"Kerberos 4: current PW is null"
+ec GT_PW_BADPW,		"Kerberos 4: Incorrect current password"
+ec GT_PW_PROT,		"Kerberos 4 protocol error"
+ec GT_PW_KDCERR,	"Error returned by KDC (Kerberos 4)"
+ec GT_PW_NULLTKT,	"Null Kerberos 4 ticket returned by KDC"
+ec SKDC_RETRY,		"Kerberos 4: Retry count exceeded"
+ec SKDC_CANT,		"Kerberos 4: Can't send request"
+index 61
+ec INTK_W_NOTALL,	"Kerberos 4: not all tickets returned"
+ec INTK_BADPW,		"Kerberos 4: incorrect password"
+ec INTK_PROT,		"Kerberos 4: Protocol Error"
+index 70
+ec INTK_ERR,		"Other error in Kerberos 4"
+ec AD_NOTGT,		"Don't have Kerberos 4 ticket-granting ticket"
+index 76
+ec NO_TKT_FIL,		"No Kerberos 4 ticket file found"
+ec TKT_FIL_ACC,		"Couldn't access Kerberos 4 ticket file"
+ec TKT_FIL_LCK,		"Couldn't lock Kerberos 4 ticket file"
+ec TKT_FIL_FMT,		"Bad Kerberos 4 ticket file format"
+ec TKT_FIL_INI,		"Kerberos 4: tf_init not called first"
+ec KNAME_FMT,		"Bad Kerberos 4 name format"
diff --git a/crypto/heimdal/lib/krb5/krbhst-test.c b/crypto/heimdal/lib/krb5/krbhst-test.c
index bf98104..38b0b6a 100644
--- a/crypto/heimdal/lib/krb5/krbhst-test.c
+++ b/crypto/heimdal/lib/krb5/krbhst-test.c
@@ -36,7 +36,7 @@
 #include <err.h>
 #include <getarg.h>
 
-RCSID("$Id: krbhst-test.c,v 1.3 2002/08/23 03:43:18 assar Exp $");
+RCSID("$Id: krbhst-test.c 15466 2005-06-17 04:21:47Z lha $");
 
 static int version_flag = 0;
 static int help_flag	= 0;
@@ -66,11 +66,11 @@ main(int argc, char **argv)
     int types[] = {KRB5_KRBHST_KDC, KRB5_KRBHST_ADMIN, KRB5_KRBHST_CHANGEPW,
 		   KRB5_KRBHST_KRB524};
     const char *type_str[] = {"kdc", "admin", "changepw", "krb524"};
-    int optind = 0;
+    int optidx = 0;
     
     setprogname (argv[0]);
 
-    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
 	usage(1);
     
     if (help_flag)
@@ -81,8 +81,8 @@ main(int argc, char **argv)
 	exit(0);
     }
 
-    argc -= optind;
-    argv += optind;
+    argc -= optidx;
+    argv += optidx;
 
     krb5_init_context (&context);
     for(i = 0; i < argc; i++) {
diff --git a/crypto/heimdal/lib/krb5/krbhst.c b/crypto/heimdal/lib/krb5/krbhst.c
index e0cc9f4..094fd4f 100644
--- a/crypto/heimdal/lib/krb5/krbhst.c
+++ b/crypto/heimdal/lib/krb5/krbhst.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 2001 - 2003 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,8 +33,9 @@
 
 #include "krb5_locl.h"
 #include <resolve.h>
+#include "locate_plugin.h"
 
-RCSID("$Id: krbhst.c,v 1.43.2.1 2003/04/22 15:00:38 lha Exp $");
+RCSID("$Id: krbhst.c 21457 2007-07-10 12:53:25Z lha $");
 
 static int
 string_to_proto(const char *string)
@@ -66,6 +67,9 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
     int proto_num;
     int def_port;
 
+    *res = NULL;
+    *count = 0;
+
     proto_num = string_to_proto(proto);
     if(proto_num < 0) {
 	krb5_set_error_string(context, "unknown protocol `%s'", proto);
@@ -82,11 +86,8 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
     snprintf(domain, sizeof(domain), "_%s._%s.%s.", service, proto, realm);
 
     r = dns_lookup(domain, dns_type);
-    if(r == NULL) {
-	*res = NULL;
-	*count = 0;
+    if(r == NULL)
 	return KRB5_KDC_UNREACH;
-    }
 
     for(num_srv = 0, rr = r->head; rr; rr = rr->next) 
 	if(rr->type == T_SRV)
@@ -112,6 +113,7 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
 		while(--num_srv >= 0)
 		    free((*res)[num_srv]);
 		free(*res);
+		*res = NULL;
 		return ENOMEM;
 	    }
 	    (*res)[num_srv++] = hi;
@@ -139,13 +141,14 @@ struct krb5_krbhst_data {
     unsigned int flags;
     int def_port;
     int port;			/* hardwired port number if != 0 */
-#define KD_CONFIG		1
-#define KD_SRV_UDP		2
-#define KD_SRV_TCP		4
-#define KD_SRV_HTTP		8
-#define KD_FALLBACK	       16
-#define KD_CONFIG_EXISTS       32
-
+#define KD_CONFIG		 1
+#define KD_SRV_UDP		 2
+#define KD_SRV_TCP		 4
+#define KD_SRV_HTTP		 8
+#define KD_FALLBACK		16
+#define KD_CONFIG_EXISTS	32
+#define KD_LARGE_MSG		64
+#define KD_PLUGIN	       128
     krb5_error_code (*get_next)(krb5_context, struct krb5_krbhst_data *, 
 				krb5_krbhst_info**);
 
@@ -161,12 +164,26 @@ krbhst_empty(const struct krb5_krbhst_data *kd)
 }
 
 /*
+ * Return the default protocol for the `kd' (either TCP or UDP)
+ */
+
+static int
+krbhst_get_default_proto(struct krb5_krbhst_data *kd)
+{
+    if (kd->flags & KD_LARGE_MSG)
+	return KRB5_KRBHST_TCP;
+    return KRB5_KRBHST_UDP;
+}
+
+
+/*
  * parse `spec' into a krb5_krbhst_info, defaulting the port to `def_port'
  * and forcing it to `port' if port != 0
  */
 
 static struct krb5_krbhst_info*
-parse_hostspec(krb5_context context, const char *spec, int def_port, int port)
+parse_hostspec(krb5_context context, struct krb5_krbhst_data *kd,
+	       const char *spec, int def_port, int port)
 {
     const char *p = spec;
     struct krb5_krbhst_info *hi;
@@ -175,7 +192,7 @@ parse_hostspec(krb5_context context, const char *spec, int def_port, int port)
     if(hi == NULL)
 	return NULL;
        
-    hi->proto = KRB5_KRBHST_UDP;
+    hi->proto = krbhst_get_default_proto(kd);
 
     if(strncmp(p, "http://", 7) == 0){
 	hi->proto = KRB5_KRBHST_HTTP;
@@ -213,14 +230,38 @@ parse_hostspec(krb5_context context, const char *spec, int def_port, int port)
     return hi;
 }
 
-static void
-free_krbhst_info(krb5_krbhst_info *hi)
+void
+_krb5_free_krbhst_info(krb5_krbhst_info *hi)
 {
     if (hi->ai != NULL)
 	freeaddrinfo(hi->ai);
     free(hi);
 }
 
+krb5_error_code
+_krb5_krbhost_info_move(krb5_context context,
+			krb5_krbhst_info *from,
+			krb5_krbhst_info **to)
+{
+    size_t hostnamelen = strlen(from->hostname);
+    /* trailing NUL is included in structure */
+    *to = calloc(1, sizeof(**to) + hostnamelen); 
+    if(*to == NULL) {
+	krb5_set_error_string(context, "malloc - out of memory");
+	return ENOMEM;
+    }
+
+    (*to)->proto = from->proto;
+    (*to)->port = from->port;
+    (*to)->def_port = from->def_port;
+    (*to)->ai = from->ai;
+    from->ai = NULL;
+    (*to)->next = NULL;
+    memcpy((*to)->hostname, from->hostname, hostnamelen + 1);
+    return 0;
+}
+
+
 static void
 append_host_hostinfo(struct krb5_krbhst_data *kd, struct krb5_krbhst_info *host)
 {
@@ -230,7 +271,7 @@ append_host_hostinfo(struct krb5_krbhst_data *kd, struct krb5_krbhst_info *host)
 	if(h->proto == host->proto && 
 	   h->port == host->port && 
 	   strcmp(h->hostname, host->hostname) == 0) {
-	    free_krbhst_info(host);
+	    _krb5_free_krbhst_info(host);
 	    return;
 	}
     *kd->end = host;
@@ -243,7 +284,7 @@ append_host_string(krb5_context context, struct krb5_krbhst_data *kd,
 {
     struct krb5_krbhst_info *hi;
 
-    hi = parse_hostspec(context, host, def_port, port);
+    hi = parse_hostspec(context, kd, host, def_port, port);
     if(hi == NULL)
 	return ENOMEM;
     
@@ -255,7 +296,7 @@ append_host_string(krb5_context context, struct krb5_krbhst_data *kd,
  * return a readable representation of `host' in `hostname, hostlen'
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_krbhst_format_string(krb5_context context, const krb5_krbhst_info *host, 
 			  char *hostname, size_t hostlen)
 {
@@ -296,7 +337,7 @@ make_hints(struct addrinfo *hints, int proto)
  * in `host'.  free:ing is handled by krb5_krbhst_free.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_krbhst_get_addrinfo(krb5_context context, krb5_krbhst_info *host,
 			 struct addrinfo **ai)
 {
@@ -329,13 +370,14 @@ get_next(struct krb5_krbhst_data *kd, krb5_krbhst_info **host)
 
 static void
 srv_get_hosts(krb5_context context, struct krb5_krbhst_data *kd, 
-	const char *proto, const char *service)
+	      const char *proto, const char *service)
 {
     krb5_krbhst_info **res;
     int count, i;
 
-    srv_find_realm(context, &res, &count, kd->realm, "SRV", proto, service,
-		   kd->port);
+    if (srv_find_realm(context, &res, &count, kd->realm, "SRV", proto, service,
+		       kd->port))
+	return;
     for(i = 0; i < count; i++)
 	append_host_hostinfo(kd, res[i]);
     free(res);
@@ -382,6 +424,15 @@ fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
     struct addrinfo hints;
     char portstr[NI_MAXSERV];
 
+    /* 
+     * Don't try forever in case the DNS server keep returning us
+     * entries (like wildcard entries or the .nu TLD)
+     */
+    if(kd->fallback_count >= 5) {
+	kd->flags |= KD_FALLBACK;
+	return 0;
+    }
+
     if(kd->fallback_count == 0)
 	asprintf(&host, "%s.%s.", serv_string, kd->realm);
     else
@@ -411,8 +462,8 @@ fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
 	hi->proto = proto;
 	hi->port  = hi->def_port = port;
 	hi->ai    = ai;
-	memmove(hi->hostname, host, hostlen - 1);
-	hi->hostname[hostlen - 1] = '\0';
+	memmove(hi->hostname, host, hostlen);
+	hi->hostname[hostlen] = '\0';
 	free(host);
 	append_host_hostinfo(kd, hi);
 	kd->fallback_count++;
@@ -420,6 +471,86 @@ fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
     return 0;
 }
 
+/*
+ * Fetch hosts from plugin
+ */
+
+static krb5_error_code 
+add_locate(void *ctx, int type, struct sockaddr *addr)
+{
+    struct krb5_krbhst_info *hi;
+    struct krb5_krbhst_data *kd = ctx;
+    char host[NI_MAXHOST], port[NI_MAXSERV];
+    struct addrinfo hints, *ai;
+    socklen_t socklen;
+    size_t hostlen;
+    int ret;
+
+    socklen = socket_sockaddr_size(addr);
+
+    ret = getnameinfo(addr, socklen, host, sizeof(host), port, sizeof(port),
+		      NI_NUMERICHOST|NI_NUMERICSERV);
+    if (ret != 0)
+	return 0;
+
+    make_hints(&hints, krbhst_get_default_proto(kd));
+    ret = getaddrinfo(host, port, &hints, &ai);
+    if (ret)
+	return 0;
+
+    hostlen = strlen(host);
+
+    hi = calloc(1, sizeof(*hi) + hostlen);
+    if(hi == NULL)
+	return ENOMEM;
+    
+    hi->proto = krbhst_get_default_proto(kd);
+    hi->port  = hi->def_port = socket_get_port(addr);
+    hi->ai    = ai;
+    memmove(hi->hostname, host, hostlen);
+    hi->hostname[hostlen] = '\0';
+    append_host_hostinfo(kd, hi);
+
+    return 0;
+}
+
+static void
+plugin_get_hosts(krb5_context context,
+		 struct krb5_krbhst_data *kd,
+		 enum locate_service_type type)
+{
+    struct krb5_plugin *list = NULL, *e;
+    krb5_error_code ret;
+
+    ret = _krb5_plugin_find(context, PLUGIN_TYPE_DATA, "resolve", &list);
+    if(ret != 0 || list == NULL)
+	return;
+
+    kd->flags |= KD_CONFIG_EXISTS;
+
+    for (e = list; e != NULL; e = _krb5_plugin_get_next(e)) {
+	krb5plugin_service_locate_ftable *service;
+	void *ctx;
+
+	service = _krb5_plugin_get_symbol(e);
+	if (service->minor_version != 0)
+	    continue;
+	
+	(*service->init)(context, &ctx);
+	ret = (*service->lookup)(ctx, type, kd->realm, 0, 0, add_locate, kd);
+	(*service->fini)(ctx);
+	if (ret) {
+	    krb5_set_error_string(context, "Plugin failed to lookup");
+	    break;
+	}
+    }
+    _krb5_plugin_free(list);
+}
+
+/*
+ *
+ */
+
 static krb5_error_code
 kdc_get_next(krb5_context context,
 	     struct krb5_krbhst_data *kd,
@@ -427,6 +558,13 @@ kdc_get_next(krb5_context context,
 {
     krb5_error_code ret;
 
+    if ((kd->flags & KD_PLUGIN) == 0) {
+	plugin_get_hosts(context, kd, locate_service_kdc);
+	kd->flags |= KD_PLUGIN;
+	if(get_next(kd, host))
+	    return 0;
+    }
+
     if((kd->flags & KD_CONFIG) == 0) {
 	config_get_hosts(context, kd, "kdc");
 	kd->flags |= KD_CONFIG;
@@ -438,7 +576,7 @@ kdc_get_next(krb5_context context,
 	return KRB5_KDC_UNREACH; /* XXX */
 
     if(context->srv_lookup) {
-	if((kd->flags & KD_SRV_UDP) == 0) {
+	if((kd->flags & KD_SRV_UDP) == 0 && (kd->flags & KD_LARGE_MSG) == 0) {
 	    srv_get_hosts(context, kd, "udp", "kerberos");
 	    kd->flags |= KD_SRV_UDP;
 	    if(get_next(kd, host))
@@ -461,7 +599,8 @@ kdc_get_next(krb5_context context,
 
     while((kd->flags & KD_FALLBACK) == 0) {
 	ret = fallback_get_hosts(context, kd, "kerberos",
-				 kd->def_port, KRB5_KRBHST_UDP);
+				 kd->def_port, 
+				 krbhst_get_default_proto(kd));
 	if(ret)
 	    return ret;
 	if(get_next(kd, host))
@@ -478,6 +617,13 @@ admin_get_next(krb5_context context,
 {
     krb5_error_code ret;
 
+    if ((kd->flags & KD_PLUGIN) == 0) {
+	plugin_get_hosts(context, kd, locate_service_kadmin);
+	kd->flags |= KD_PLUGIN;
+	if(get_next(kd, host))
+	    return 0;
+    }
+
     if((kd->flags & KD_CONFIG) == 0) {
 	config_get_hosts(context, kd, "admin_server");
 	kd->flags |= KD_CONFIG;
@@ -500,7 +646,8 @@ admin_get_next(krb5_context context,
     if (krbhst_empty(kd)
 	&& (kd->flags & KD_FALLBACK) == 0) {
 	ret = fallback_get_hosts(context, kd, "kerberos",
-				 kd->def_port, KRB5_KRBHST_UDP);
+				 kd->def_port,
+				 krbhst_get_default_proto(kd));
 	if(ret)
 	    return ret;
 	kd->flags |= KD_FALLBACK;
@@ -518,8 +665,16 @@ kpasswd_get_next(krb5_context context,
 {
     krb5_error_code ret;
 
+    if ((kd->flags & KD_PLUGIN) == 0) {
+	plugin_get_hosts(context, kd, locate_service_kpasswd);
+	kd->flags |= KD_PLUGIN;
+	if(get_next(kd, host))
+	    return 0;
+    }
+
     if((kd->flags & KD_CONFIG) == 0) {
 	config_get_hosts(context, kd, "kpasswd_server");
+	kd->flags |= KD_CONFIG;
 	if(get_next(kd, host))
 	    return 0;
     }
@@ -534,6 +689,12 @@ kpasswd_get_next(krb5_context context,
 	    if(get_next(kd, host))
 		return 0;
 	}
+	if((kd->flags & KD_SRV_TCP) == 0) {
+	    srv_get_hosts(context, kd, "tcp", "kpasswd");
+	    kd->flags |= KD_SRV_TCP;
+	    if(get_next(kd, host))
+		return 0;
+	}
     }
 
     /* no matches -> try admin */
@@ -544,7 +705,7 @@ kpasswd_get_next(krb5_context context,
 	kd->get_next = admin_get_next;
 	ret = (*kd->get_next)(context, kd, host);
 	if (ret == 0)
-	    (*host)->proto = KRB5_KRBHST_UDP;
+	    (*host)->proto = krbhst_get_default_proto(kd);
 	return ret;
     }
 
@@ -556,6 +717,13 @@ krb524_get_next(krb5_context context,
 		struct krb5_krbhst_data *kd,
 		krb5_krbhst_info **host)
 {
+    if ((kd->flags & KD_PLUGIN) == 0) {
+	plugin_get_hosts(context, kd, locate_service_krb524);
+	kd->flags |= KD_PLUGIN;
+	if(get_next(kd, host))
+	    return 0;
+    }
+
     if((kd->flags & KD_CONFIG) == 0) {
 	config_get_hosts(context, kd, "krb524_server");
 	if(get_next(kd, host))
@@ -596,7 +764,8 @@ krb524_get_next(krb5_context context,
 
 static struct krb5_krbhst_data*
 common_init(krb5_context context,
-	    const char *realm)
+	    const char *realm,
+	    int flags)
 {
     struct krb5_krbhst_data *kd;
 
@@ -608,6 +777,12 @@ common_init(krb5_context context,
 	return NULL;
     }
 
+    /* For 'realms' without a . do not even think of going to DNS */
+    if (!strchr(realm, '.'))
+	kd->flags |= KD_CONFIG_EXISTS;
+
+    if (flags & KRB5_KRBHST_FLAGS_LARGE_MSG)
+	kd->flags |= KD_LARGE_MSG;
     kd->end = kd->index = &kd->hosts;
     return kd;
 }
@@ -616,43 +791,53 @@ common_init(krb5_context context,
  * initialize `handle' to look for hosts of type `type' in realm `realm'
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_krbhst_init(krb5_context context,
 		 const char *realm,
 		 unsigned int type,
 		 krb5_krbhst_handle *handle)
 {
+    return krb5_krbhst_init_flags(context, realm, type, 0, handle);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_krbhst_init_flags(krb5_context context,
+		       const char *realm,
+		       unsigned int type,
+		       int flags,
+		       krb5_krbhst_handle *handle)
+{
     struct krb5_krbhst_data *kd;
-    krb5_error_code (*get_next)(krb5_context, struct krb5_krbhst_data *, 
-				krb5_krbhst_info **);
+    krb5_error_code (*next)(krb5_context, struct krb5_krbhst_data *, 
+			    krb5_krbhst_info **);
     int def_port;
 
     switch(type) {
     case KRB5_KRBHST_KDC:
-	get_next = kdc_get_next;
+	next = kdc_get_next;
 	def_port = ntohs(krb5_getportbyname (context, "kerberos", "udp", 88));
 	break;
     case KRB5_KRBHST_ADMIN:
-	get_next = admin_get_next;
+	next = admin_get_next;
 	def_port = ntohs(krb5_getportbyname (context, "kerberos-adm",
 					     "tcp", 749));
 	break;
     case KRB5_KRBHST_CHANGEPW:
-	get_next = kpasswd_get_next;
+	next = kpasswd_get_next;
 	def_port = ntohs(krb5_getportbyname (context, "kpasswd", "udp",
 					     KPASSWD_PORT));
 	break;
     case KRB5_KRBHST_KRB524:
-	get_next = krb524_get_next;
+	next = krb524_get_next;
 	def_port = ntohs(krb5_getportbyname (context, "krb524", "udp", 4444));
 	break;
     default:
 	krb5_set_error_string(context, "unknown krbhst type (%u)", type);
 	return ENOTTY;
     }
-    if((kd = common_init(context, realm)) == NULL)
+    if((kd = common_init(context, realm, flags)) == NULL)
 	return ENOMEM;
-    kd->get_next = get_next;
+    kd->get_next = next;
     kd->def_port = def_port;
     *handle = kd;
     return 0;
@@ -662,7 +847,7 @@ krb5_krbhst_init(krb5_context context,
  * return the next host information from `handle' in `host'
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_krbhst_next(krb5_context context,
 		 krb5_krbhst_handle handle,
 		 krb5_krbhst_info **host)
@@ -678,7 +863,7 @@ krb5_krbhst_next(krb5_context context,
  * in `hostname' (or length `hostlen)
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_krbhst_next_as_string(krb5_context context,
 			   krb5_krbhst_handle handle,
 			   char *hostname,
@@ -693,13 +878,13 @@ krb5_krbhst_next_as_string(krb5_context context,
 }
 
 
-void
+void KRB5_LIB_FUNCTION
 krb5_krbhst_reset(krb5_context context, krb5_krbhst_handle handle)
 {
     handle->index = &handle->hosts;
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_krbhst_free(krb5_context context, krb5_krbhst_handle handle)
 {
     krb5_krbhst_info *h, *next;
@@ -709,7 +894,7 @@ krb5_krbhst_free(krb5_context context, krb5_krbhst_handle handle)
 
     for (h = handle->hosts; h != NULL; h = next) {
 	next = h->next;
-	free_krbhst_info(h);
+	_krb5_free_krbhst_info(h);
     }
 
     free(handle->realm);
@@ -734,8 +919,10 @@ gethostlist(krb5_context context, const char *realm,
 
     while(krb5_krbhst_next(context, handle, &hostinfo) == 0)
 	nhost++;
-    if(nhost == 0)
+    if(nhost == 0) {
+	krb5_set_error_string(context, "No KDC found for realm %s", realm);
 	return KRB5_KDC_UNREACH;
+    }
     *hostlist = calloc(nhost + 1, sizeof(**hostlist));
     if(*hostlist == NULL) {
 	krb5_krbhst_free(context, handle);
@@ -761,7 +948,7 @@ gethostlist(krb5_context context, const char *realm,
  * return an malloced list of kadmin-hosts for `realm' in `hostlist'
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_krb_admin_hst (krb5_context context,
 			const krb5_realm *realm,
 			char ***hostlist)
@@ -773,7 +960,7 @@ krb5_get_krb_admin_hst (krb5_context context,
  * return an malloced list of changepw-hosts for `realm' in `hostlist'
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_krb_changepw_hst (krb5_context context,
 			   const krb5_realm *realm,
 			   char ***hostlist)
@@ -785,7 +972,7 @@ krb5_get_krb_changepw_hst (krb5_context context,
  * return an malloced list of 524-hosts for `realm' in `hostlist'
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_krb524hst (krb5_context context,
 		    const krb5_realm *realm,
 		    char ***hostlist)
@@ -798,7 +985,7 @@ krb5_get_krb524hst (krb5_context context,
  * return an malloced list of KDC's for `realm' in `hostlist'
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_krbhst (krb5_context context,
 		 const krb5_realm *realm,
 		 char ***hostlist)
@@ -810,7 +997,7 @@ krb5_get_krbhst (krb5_context context,
  * free all the memory allocated in `hostlist'
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_free_krbhst (krb5_context context,
 		  char **hostlist)
 {
diff --git a/crypto/heimdal/lib/krb5/kuserok.c b/crypto/heimdal/lib/krb5/kuserok.c
index a79532e..8f0ff99 100644
--- a/crypto/heimdal/lib/krb5/kuserok.c
+++ b/crypto/heimdal/lib/krb5/kuserok.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,76 +32,231 @@
  */
 
 #include "krb5_locl.h"
+#include <dirent.h>
 
-RCSID("$Id: kuserok.c,v 1.7 2003/03/13 19:53:43 lha Exp $");
+RCSID("$Id: kuserok.c 16048 2005-09-09 10:33:33Z lha $");
 
-/*
- * Return TRUE iff `principal' is allowed to login as `luser'.
- */
+/* see if principal is mentioned in the filename access file, return
+   TRUE (in result) if so, FALSE otherwise */
 
-krb5_boolean
-krb5_kuserok (krb5_context context,
-	      krb5_principal principal,
-	      const char *luser)
+static krb5_error_code
+check_one_file(krb5_context context, 
+	       const char *filename, 
+	       struct passwd *pwd,
+	       krb5_principal principal, 
+	       krb5_boolean *result)
 {
-    char buf[BUFSIZ];
-    struct passwd *pwd;
     FILE *f;
-    krb5_realm *realms, *r;
+    char buf[BUFSIZ];
     krb5_error_code ret;
-    krb5_boolean b;
+    struct stat st;
+    
+    *result = FALSE;
 
-    pwd = getpwnam (luser);	/* XXX - Should use k_getpwnam? */
-    if (pwd == NULL)
+    f = fopen (filename, "r");
+    if (f == NULL)
+	return errno;
+    
+    /* check type and mode of file */
+    if (fstat(fileno(f), &st) != 0) {
+	fclose (f);
+	return errno;
+    }
+    if (S_ISDIR(st.st_mode)) {
+	fclose (f);
+	return EISDIR;
+    }
+    if (st.st_uid != pwd->pw_uid && st.st_uid != 0) {
+	fclose (f);
+	return EACCES;
+    }
+    if ((st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
+	fclose (f);
+	return EACCES;
+    }
+
+    while (fgets (buf, sizeof(buf), f) != NULL) {
+	krb5_principal tmp;
+	char *newline = buf + strcspn(buf, "\n");
+
+	if(*newline != '\n') {
+	    int c;
+	    c = fgetc(f);
+	    if(c != EOF) {
+		while(c != EOF && c != '\n')
+		    c = fgetc(f);
+		/* line was too long, so ignore it */
+		continue;
+	    }
+	}
+	*newline = '\0';
+	ret = krb5_parse_name (context, buf, &tmp);
+	if (ret)
+	    continue;
+	*result = krb5_principal_compare (context, principal, tmp);
+	krb5_free_principal (context, tmp);
+	if (*result) {
+	    fclose (f);
+	    return 0;
+	}
+    }
+    fclose (f);
+    return 0;
+}
+
+static krb5_error_code
+check_directory(krb5_context context, 
+		const char *dirname, 
+		struct passwd *pwd,
+		krb5_principal principal, 
+		krb5_boolean *result)
+{
+    DIR *d;
+    struct dirent *dent;
+    char filename[MAXPATHLEN];
+    krb5_error_code ret = 0;
+    struct stat st;
+
+    *result = FALSE;
+
+    if(lstat(dirname, &st) < 0)
+	return errno;
+
+    if (!S_ISDIR(st.st_mode))
+	return ENOTDIR;
+    
+    if (st.st_uid != pwd->pw_uid && st.st_uid != 0)
+	return EACCES;
+    if ((st.st_mode & (S_IWGRP | S_IWOTH)) != 0)
+	return EACCES;
+
+    if((d = opendir(dirname)) == NULL) 
+	return errno;
+
+#ifdef HAVE_DIRFD
+    {
+	int fd;
+	struct stat st2;
+
+	fd = dirfd(d);
+	if(fstat(fd, &st2) < 0) {
+	    closedir(d);
+	    return errno;
+	}
+	if(st.st_dev != st2.st_dev || st.st_ino != st2.st_ino) {
+	    closedir(d);
+	    return EACCES;
+	}
+    }
+#endif
+
+    while((dent = readdir(d)) != NULL) {
+	if(strcmp(dent->d_name, ".") == 0 ||
+	   strcmp(dent->d_name, "..") == 0 ||
+	   dent->d_name[0] == '#' ||			  /* emacs autosave */
+	   dent->d_name[strlen(dent->d_name) - 1] == '~') /* emacs backup */
+	    continue;
+	snprintf(filename, sizeof(filename), "%s/%s", dirname, dent->d_name);
+	ret = check_one_file(context, filename, pwd, principal, result);
+	if(ret == 0 && *result == TRUE)
+	    break;
+	ret = 0; /* don't propagate errors upstream */
+    }
+    closedir(d);
+    return ret;
+}
+
+static krb5_boolean
+match_local_principals(krb5_context context,
+		       krb5_principal principal,
+		       const char *luser)
+{
+    krb5_error_code ret;
+    krb5_realm *realms, *r;
+    krb5_boolean result = FALSE;
+    
+    /* multi-component principals can never match */
+    if(krb5_principal_get_comp_string(context, principal, 1) != NULL)
 	return FALSE;
 
     ret = krb5_get_default_realms (context, &realms);
     if (ret)
 	return FALSE;
-
+	
     for (r = realms; *r != NULL; ++r) {
-	krb5_principal local_principal;
-
-	ret = krb5_build_principal (context,
-				    &local_principal,
-				    strlen(*r),
-				    *r,
-				    luser,
-				    NULL);
-	if (ret) {
-	    krb5_free_host_realm (context, realms);
-	    return FALSE;
-	}
-
-	b = krb5_principal_compare (context, principal, local_principal);
-	krb5_free_principal (context, local_principal);
-	if (b) {
-	    krb5_free_host_realm (context, realms);
-	    return TRUE;
+	if(strcmp(krb5_principal_get_realm(context, principal),
+		  *r) != 0)
+	    continue;
+	if(strcmp(krb5_principal_get_comp_string(context, principal, 0),
+		  luser) == 0) {
+	    result = TRUE;
+	    break;
 	}
     }
     krb5_free_host_realm (context, realms);
+    return result;
+}
 
-    snprintf (buf, sizeof(buf), "%s/.k5login", pwd->pw_dir);
-    f = fopen (buf, "r");
-    if (f == NULL)
+/**
+ * Return TRUE iff `principal' is allowed to login as `luser'.
+ */
+
+krb5_boolean KRB5_LIB_FUNCTION
+krb5_kuserok (krb5_context context,
+	      krb5_principal principal,
+	      const char *luser)
+{
+    char *buf;
+    size_t buflen;
+    struct passwd *pwd;
+    krb5_error_code ret;
+    krb5_boolean result = FALSE;
+
+    krb5_boolean found_file = FALSE;
+
+#ifdef POSIX_GETPWNAM_R
+    char pwbuf[2048];
+    struct passwd pw;
+
+    if(getpwnam_r(luser, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0)
+	return FALSE;
+#else
+    pwd = getpwnam (luser);
+#endif
+    if (pwd == NULL)
 	return FALSE;
-    while (fgets (buf, sizeof(buf), f) != NULL) {
-	krb5_principal tmp;
 
-	buf[strcspn(buf, "\n")] = '\0';
-	ret = krb5_parse_name (context, buf, &tmp);
-	if (ret) {
-	    fclose (f);
-	    return FALSE;
-	}
-	b = krb5_principal_compare (context, principal, tmp);
-	krb5_free_principal (context, tmp);
-	if (b) {
-	    fclose (f);
-	    return TRUE;
-	}
+#define KLOGIN "/.k5login"
+    buflen = strlen(pwd->pw_dir) + sizeof(KLOGIN) + 2; /* 2 for .d */
+    buf = malloc(buflen);
+    if(buf == NULL)
+	return FALSE;
+    /* check user's ~/.k5login */
+    strlcpy(buf, pwd->pw_dir, buflen);
+    strlcat(buf, KLOGIN, buflen);
+    ret = check_one_file(context, buf, pwd, principal, &result);
+
+    if(ret == 0 && result == TRUE) {
+	free(buf);
+	return TRUE;
     }
-    fclose (f);
+
+    if(ret != ENOENT) 
+	found_file = TRUE;
+
+    strlcat(buf, ".d", buflen);
+    ret = check_directory(context, buf, pwd, principal, &result);
+    free(buf);
+    if(ret == 0 && result == TRUE)
+	return TRUE;
+
+    if(ret != ENOENT && ret != ENOTDIR) 
+	found_file = TRUE;
+
+    /* finally if no files exist, allow all principals matching
+       <localuser>@<LOCALREALM> */
+    if(found_file == FALSE)
+	return match_local_principals(context, principal, luser);
+
     return FALSE;
 }
diff --git a/crypto/heimdal/lib/krb5/locate_plugin.h b/crypto/heimdal/lib/krb5/locate_plugin.h
new file mode 100644
index 0000000..251712c
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/locate_plugin.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: locate_plugin.h 18998 2006-11-12 19:00:03Z lha $ */
+
+#ifndef HEIMDAL_KRB5_LOCATE_PLUGIN_H
+#define HEIMDAL_KRB5_LOCATE_PLUGIN_H 1
+
+#include <krb5.h>
+
+enum locate_service_type {
+    locate_service_kdc = 1,
+    locate_service_master_kdc,
+    locate_service_kadmin,
+    locate_service_krb524,
+    locate_service_kpasswd
+};
+
+typedef krb5_error_code 
+(*krb5plugin_service_locate_lookup) (void *, enum locate_service_type,
+				     const char *, int, int, 
+				     int (*)(void *,int,struct sockaddr *),
+				     void *);
+
+
+typedef struct krb5plugin_service_locate_ftable {
+    int			minor_version;
+    krb5_error_code	(*init)(krb5_context, void **);
+    void		(*fini)(void *);
+    krb5plugin_service_locate_lookup lookup;
+} krb5plugin_service_locate_ftable;
+
+#endif /* HEIMDAL_KRB5_LOCATE_PLUGIN_H */
+
diff --git a/crypto/heimdal/lib/krb5/log.c b/crypto/heimdal/lib/krb5/log.c
index bd7451b..c04f50f 100644
--- a/crypto/heimdal/lib/krb5/log.c
+++ b/crypto/heimdal/lib/krb5/log.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,13 +33,13 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: log.c,v 1.31 2002/09/05 14:59:14 joda Exp $");
+RCSID("$Id: log.c 19088 2006-11-21 08:08:46Z lha $");
 
 struct facility {
     int min;
     int max;
-    krb5_log_log_func_t log;
-    krb5_log_close_func_t close;
+    krb5_log_log_func_t log_func;
+    krb5_log_close_func_t close_func;
     void *data;
 };
 
@@ -47,10 +47,10 @@ static struct facility*
 log_realloc(krb5_log_facility *f)
 {
     struct facility *fp;
-    f->len++;
-    fp = realloc(f->val, f->len * sizeof(*f->val));
+    fp = realloc(f->val, (f->len + 1) * sizeof(*f->val));
     if(fp == NULL)
 	return NULL;
+    f->len++;
     f->val = fp;
     fp += f->len - 1;
     return fp;
@@ -114,7 +114,7 @@ find_value(const char *s, struct s2i *table)
     return table->val;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_initlog(krb5_context context,
 	     const char *program,
 	     krb5_log_facility **fac)
@@ -134,13 +134,13 @@ krb5_initlog(krb5_context context,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_addlog_func(krb5_context context,
 		 krb5_log_facility *fac,
 		 int min,
 		 int max,
-		 krb5_log_log_func_t log,
-		 krb5_log_close_func_t close,
+		 krb5_log_log_func_t log_func,
+		 krb5_log_close_func_t close_func,
 		 void *data)
 {
     struct facility *fp = log_realloc(fac);
@@ -150,8 +150,8 @@ krb5_addlog_func(krb5_context context,
     }
     fp->min = min;
     fp->max = max;
-    fp->log = log;
-    fp->close = close;
+    fp->log_func = log_func;
+    fp->close_func = close_func;
     fp->data = data;
     return 0;
 }
@@ -162,7 +162,7 @@ struct _heimdal_syslog_data{
 };
 
 static void
-log_syslog(const char *time,
+log_syslog(const char *timestr,
 	   const char *msg,
 	   void *data)
      
@@ -211,7 +211,7 @@ struct file_data{
 };
 
 static void
-log_file(const char *time,
+log_file(const char *timestr,
 	 const char *msg,
 	 void *data)
 {
@@ -220,9 +220,11 @@ log_file(const char *time,
 	f->fd = fopen(f->filename, f->mode);
     if(f->fd == NULL)
 	return;
-    fprintf(f->fd, "%s %s\n", time, msg);
-    if(f->keep_open == 0)
+    fprintf(f->fd, "%s %s\n", timestr, msg);
+    if(f->keep_open == 0) {
 	fclose(f->fd);
+	f->fd = NULL;
+    }
 }
 
 static void
@@ -253,7 +255,7 @@ open_file(krb5_context context, krb5_log_facility *fac, int min, int max,
 
 
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig)
 {
     krb5_error_code ret = 0;
@@ -284,7 +286,7 @@ krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig)
 	ret = open_file(context, f, min, max, NULL, NULL, stderr, 1);
     }else if(strcmp(p, "CONSOLE") == 0){
 	ret = open_file(context, f, min, max, "/dev/console", "w", NULL, 0);
-    }else if(strncmp(p, "FILE:", 4) == 0 && (p[4] == ':' || p[4] == '=')){
+    }else if(strncmp(p, "FILE", 4) == 0 && (p[4] == ':' || p[4] == '=')){
 	char *fn;
 	FILE *file = NULL;
 	int keep_open = 0;
@@ -300,6 +302,7 @@ krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig)
 		ret = errno;
 		krb5_set_error_string (context, "open(%s): %s", fn,
 				       strerror(ret));
+		free(fn);
 		return ret;
 	    }
 	    file = fdopen(i, "a");
@@ -308,12 +311,13 @@ krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig)
 		close(i);
 		krb5_set_error_string (context, "fdopen(%s): %s", fn,
 				       strerror(ret));
+		free(fn);
 		return ret;
 	    }
 	    keep_open = 1;
 	}
 	ret = open_file(context, f, min, max, fn, "a", file, keep_open);
-    }else if(strncmp(p, "DEVICE=", 6) == 0){
+    }else if(strncmp(p, "DEVICE", 6) == 0 && (p[6] == ':' || p[6] == '=')){
 	ret = open_file(context, f, min, max, strdup(p + 7), "w", NULL, 0);
     }else if(strncmp(p, "SYSLOG", 6) == 0 && (p[6] == '\0' || p[6] == ':')){
 	char severity[128] = "";
@@ -336,7 +340,7 @@ krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig)
 }
 
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_openlog(krb5_context context,
 	     const char *program,
 	     krb5_log_facility **fac)
@@ -360,20 +364,26 @@ krb5_openlog(krb5_context context,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_closelog(krb5_context context,
 	      krb5_log_facility *fac)
 {
     int i;
     for(i = 0; i < fac->len; i++)
-	(*fac->val[i].close)(fac->val[i].data);
+	(*fac->val[i].close_func)(fac->val[i].data);
+    free(fac->val);
+    free(fac->program);
+    fac->val = NULL;
+    fac->len = 0;
+    fac->program = NULL;
+    free(fac);
     return 0;
 }
 
 #undef __attribute__
 #define __attribute__(X)
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_vlog_msg(krb5_context context,
 	      krb5_log_facility *fac,
 	      char **reply,
@@ -403,7 +413,7 @@ krb5_vlog_msg(krb5_context context,
 		else
 		    actual = msg;
 	    }
-	    (*fac->val[i].log)(buf, actual, fac->val[i].data);
+	    (*fac->val[i].log_func)(buf, actual, fac->val[i].data);
 	}
     if(reply == NULL)
 	free(msg);
@@ -412,7 +422,7 @@ krb5_vlog_msg(krb5_context context,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_vlog(krb5_context context,
 	  krb5_log_facility *fac,
 	  int level,
@@ -423,7 +433,7 @@ krb5_vlog(krb5_context context,
     return krb5_vlog_msg(context, fac, NULL, level, fmt, ap);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_log_msg(krb5_context context,
 	     krb5_log_facility *fac,
 	     int level,
@@ -442,7 +452,7 @@ krb5_log_msg(krb5_context context,
 }
 
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_log(krb5_context context,
 	 krb5_log_facility *fac,
 	 int level,
diff --git a/crypto/heimdal/lib/krb5/mcache.c b/crypto/heimdal/lib/krb5/mcache.c
index 1157604..01bcb09 100644
--- a/crypto/heimdal/lib/krb5/mcache.c
+++ b/crypto/heimdal/lib/krb5/mcache.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: mcache.c,v 1.15.6.1 2004/03/06 16:57:16 lha Exp $");
+RCSID("$Id: mcache.c 22107 2007-12-03 17:22:51Z lha $");
 
 typedef struct krb5_mcache {
     char *name;
@@ -47,14 +47,13 @@ typedef struct krb5_mcache {
     struct krb5_mcache *next;
 } krb5_mcache;
 
+static HEIMDAL_MUTEX mcc_mutex = HEIMDAL_MUTEX_INITIALIZER;
 static struct krb5_mcache *mcc_head;
 
 #define	MCACHE(X)	((krb5_mcache *)(X)->data.data)
 
 #define MISDEAD(X)	((X)->dead)
 
-#define MCC_CURSOR(C) ((struct link*)(C))
-
 static const char*
 mcc_get_name(krb5_context context,
 	     krb5_ccache id)
@@ -65,7 +64,7 @@ mcc_get_name(krb5_context context,
 static krb5_mcache *
 mcc_alloc(const char *name)
 {
-    krb5_mcache *m;
+    krb5_mcache *m, *m_c;
 
     ALLOC(m, 1);
     if(m == NULL)
@@ -78,12 +77,25 @@ mcc_alloc(const char *name)
 	free(m);
 	return NULL;
     }
+    /* check for dups first */
+    HEIMDAL_MUTEX_lock(&mcc_mutex);
+    for (m_c = mcc_head; m_c != NULL; m_c = m_c->next)
+	if (strcmp(m->name, m_c->name) == 0)
+	    break;
+    if (m_c) {
+	free(m->name);
+	free(m);
+	HEIMDAL_MUTEX_unlock(&mcc_mutex);
+	return NULL;
+    }
+
     m->dead = 0;
     m->refcnt = 1;
     m->primary_principal = NULL;
     m->creds = NULL;
     m->next = mcc_head;
     mcc_head = m;
+    HEIMDAL_MUTEX_unlock(&mcc_mutex);
     return m;
 }
 
@@ -92,9 +104,11 @@ mcc_resolve(krb5_context context, krb5_ccache *id, const char *res)
 {
     krb5_mcache *m;
 
+    HEIMDAL_MUTEX_lock(&mcc_mutex);
     for (m = mcc_head; m != NULL; m = m->next)
 	if (strcmp(m->name, res) == 0)
 	    break;
+    HEIMDAL_MUTEX_unlock(&mcc_mutex);
 
     if (m != NULL) {
 	m->refcnt++;
@@ -146,20 +160,25 @@ mcc_initialize(krb5_context context,
 				&m->primary_principal);
 }
 
-static krb5_error_code
-mcc_close(krb5_context context,
-	  krb5_ccache id)
+static int
+mcc_close_internal(krb5_mcache *m)
 {
-    krb5_mcache *m = MCACHE(id);
-
     if (--m->refcnt != 0)
 	return 0;
 
     if (MISDEAD(m)) {
 	free (m->name);
-	krb5_data_free(&id->data);
+	return 1;
     }
+    return 0;
+}
 
+static krb5_error_code
+mcc_close(krb5_context context,
+	  krb5_ccache id)
+{
+    if (mcc_close_internal(MCACHE(id)))
+	krb5_data_free(&id->data);
     return 0;
 }
 
@@ -176,12 +195,14 @@ mcc_destroy(krb5_context context,
     if (!MISDEAD(m)) {
 	/* if this is an active mcache, remove it from the linked
            list, and free all data */
+	HEIMDAL_MUTEX_lock(&mcc_mutex);
 	for(n = &mcc_head; n && *n; n = &(*n)->next) {
 	    if(m == *n) {
 		*n = m->next;
 		break;
 	    }
 	}
+	HEIMDAL_MUTEX_unlock(&mcc_mutex);
 	if (m->primary_principal != NULL) {
 	    krb5_free_principal (context, m->primary_principal);
 	    m->primary_principal = NULL;
@@ -192,7 +213,7 @@ mcc_destroy(krb5_context context,
 	while (l != NULL) {
 	    struct link *old;
 	    
-	    krb5_free_creds_contents (context, &l->cred);
+	    krb5_free_cred_contents (context, &l->cred);
 	    old = l;
 	    l = l->next;
 	    free (old);
@@ -300,7 +321,7 @@ mcc_remove_cred(krb5_context context,
     for(q = &m->creds, p = *q; p; p = *q) {
 	if(krb5_compare_creds(context, which, mcreds, &p->cred)) {
 	    *q = p->next;
-	    krb5_free_creds_contents(context, &p->cred);
+	    krb5_free_cred_contents(context, &p->cred);
 	    free(p);
 	} else
 	    q = &p->next;
@@ -316,6 +337,121 @@ mcc_set_flags(krb5_context context,
     return 0; /* XXX */
 }
 		    
+struct mcache_iter {
+    krb5_mcache *cache;
+};
+
+static krb5_error_code
+mcc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
+{
+    struct mcache_iter *iter;
+
+    iter = calloc(1, sizeof(*iter));
+    if (iter == NULL) {
+	krb5_set_error_string(context, "malloc - out of memory");
+	return ENOMEM;
+    }    
+
+    HEIMDAL_MUTEX_lock(&mcc_mutex);
+    iter->cache = mcc_head;
+    if (iter->cache)
+	iter->cache->refcnt++;
+    HEIMDAL_MUTEX_unlock(&mcc_mutex);
+
+    *cursor = iter;
+    return 0;
+}
+
+static krb5_error_code
+mcc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
+{
+    struct mcache_iter *iter = cursor;
+    krb5_error_code ret;
+    krb5_mcache *m;
+
+    if (iter->cache == NULL)
+	return KRB5_CC_END;
+
+    HEIMDAL_MUTEX_lock(&mcc_mutex);
+    m = iter->cache;
+    if (m->next)
+	m->next->refcnt++;
+    iter->cache = m->next;
+    HEIMDAL_MUTEX_unlock(&mcc_mutex);
+
+    ret = _krb5_cc_allocate(context, &krb5_mcc_ops, id);
+    if (ret)
+	return ret;
+
+    (*id)->data.data = m;
+    (*id)->data.length = sizeof(*m);
+
+    return 0;
+}
+
+static krb5_error_code
+mcc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
+{
+    struct mcache_iter *iter = cursor;
+
+    if (iter->cache)
+	mcc_close_internal(iter->cache);
+    iter->cache = NULL;
+    free(iter);
+    return 0;
+}
+
+static krb5_error_code
+mcc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
+{
+    krb5_mcache *mfrom = MCACHE(from), *mto = MCACHE(to);
+    struct link *creds;
+    krb5_principal principal;
+    krb5_mcache **n;
+
+    HEIMDAL_MUTEX_lock(&mcc_mutex);
+
+    /* drop the from cache from the linked list to avoid lookups */
+    for(n = &mcc_head; n && *n; n = &(*n)->next) {
+	if(mfrom == *n) {
+	    *n = mfrom->next;
+	    break;
+	}
+    }
+
+    /* swap creds */
+    creds = mto->creds;
+    mto->creds = mfrom->creds;
+    mfrom->creds = creds;
+    /* swap principal */
+    principal = mto->primary_principal;
+    mto->primary_principal = mfrom->primary_principal;
+    mfrom->primary_principal = principal;
+
+    HEIMDAL_MUTEX_unlock(&mcc_mutex);
+    mcc_destroy(context, from);
+
+    return 0;
+}
+
+static krb5_error_code
+mcc_default_name(krb5_context context, char **str)
+{
+    *str = strdup("MEMORY:");
+    if (*str == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    return 0;
+}
+
+
+/**
+ * Variable containing the MEMORY based credential cache implemention.
+ *
+ * @ingroup krb5_ccache
+ */
+
 const krb5_cc_ops krb5_mcc_ops = {
     "MEMORY",
     mcc_get_name,
@@ -331,5 +467,11 @@ const krb5_cc_ops krb5_mcc_ops = {
     mcc_get_next,
     mcc_end_get,
     mcc_remove_cred,
-    mcc_set_flags
+    mcc_set_flags,
+    NULL,
+    mcc_get_cache_first,
+    mcc_get_cache_next,
+    mcc_end_cache_get,
+    mcc_move,
+    mcc_default_name
 };
diff --git a/crypto/heimdal/lib/krb5/misc.c b/crypto/heimdal/lib/krb5/misc.c
index baf63f6..8050bdb 100644
--- a/crypto/heimdal/lib/krb5/misc.c
+++ b/crypto/heimdal/lib/krb5/misc.c
@@ -33,4 +33,54 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: misc.c,v 1.5 1999/12/02 17:05:11 joda Exp $");
+RCSID("$Id: misc.c 21174 2007-06-19 10:10:58Z lha $");
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_s4u2self_to_checksumdata(krb5_context context, 
+			       const PA_S4U2Self *self, 
+			       krb5_data *data)
+{
+    krb5_error_code ret;
+    krb5_ssize_t ssize;
+    krb5_storage *sp;
+    size_t size;
+    int i;
+
+    sp = krb5_storage_emem();
+    if (sp == NULL) {
+	krb5_clear_error_string(context);
+	return ENOMEM;
+    }
+    krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+    ret = krb5_store_int32(sp, self->name.name_type);
+    if (ret)
+	goto out;
+    for (i = 0; i < self->name.name_string.len; i++) {
+	size = strlen(self->name.name_string.val[i]);
+	ssize = krb5_storage_write(sp, self->name.name_string.val[i], size);
+	if (ssize != size) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+    }
+    size = strlen(self->realm);
+    ssize = krb5_storage_write(sp, self->realm, size);
+    if (ssize != size) {
+	ret = ENOMEM;
+	goto out;
+    }
+    size = strlen(self->auth);
+    ssize = krb5_storage_write(sp, self->auth, size);
+    if (ssize != size) {
+	ret = ENOMEM;
+	goto out;
+    }
+
+    ret = krb5_storage_to_data(sp, data);
+    krb5_storage_free(sp);
+    return ret;
+
+out:
+    krb5_clear_error_string(context);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/mit_glue.c b/crypto/heimdal/lib/krb5/mit_glue.c
new file mode 100644
index 0000000..7440d54
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/mit_glue.c
@@ -0,0 +1,369 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+RCSID("$Id: mit_glue.c 20042 2007-01-23 20:37:43Z lha $");
+
+/*
+ * Glue for MIT API
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_make_checksum(krb5_context context, 
+		     krb5_cksumtype cksumtype, 
+		     const krb5_keyblock *key, 
+		     krb5_keyusage usage,
+		     const krb5_data *input, 
+		     krb5_checksum *cksum)
+{
+    krb5_error_code ret;
+    krb5_crypto crypto;
+
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret)
+	return ret;
+
+    ret = krb5_create_checksum(context, crypto,  usage, cksumtype,
+			       input->data, input->length, cksum);
+    krb5_crypto_destroy(context, crypto);
+
+    return ret ;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *key,
+		       krb5_keyusage usage, const krb5_data *data,
+		       const krb5_checksum *cksum, krb5_boolean *valid)
+{
+    krb5_error_code ret;
+    krb5_checksum data_cksum;
+
+    *valid = 0;
+
+    ret = krb5_c_make_checksum(context, cksum->cksumtype,
+			       key, usage, data, &data_cksum);
+    if (ret)
+	return ret;
+
+    if (data_cksum.cksumtype == cksum->cksumtype
+	&& data_cksum.checksum.length == cksum->checksum.length
+	&& memcmp(data_cksum.checksum.data, cksum->checksum.data, cksum->checksum.length) == 0)
+	*valid = 1;
+
+    krb5_free_checksum_contents(context, &data_cksum);
+
+    return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_get_checksum(krb5_context context, const krb5_checksum *cksum,
+		    krb5_cksumtype *type, krb5_data **data)
+{
+    krb5_error_code ret;
+
+    if (type)
+	*type = cksum->cksumtype;
+    if (data) {
+	*data = malloc(sizeof(**data));
+	if (*data == NULL)
+	    return ENOMEM;
+
+	ret = der_copy_octet_string(&cksum->checksum, *data);
+	if (ret) {
+	    free(*data);
+	    *data = NULL;
+	    return ret;
+	}
+    }
+    return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_set_checksum(krb5_context context, krb5_checksum *cksum,
+		    krb5_cksumtype type, const krb5_data *data)
+{
+    cksum->cksumtype = type;
+    return der_copy_octet_string(data, &cksum->checksum);
+}
+
+void KRB5_LIB_FUNCTION 
+krb5_free_checksum (krb5_context context, krb5_checksum *cksum)
+{
+    krb5_checksum_free(context, cksum);
+    free(cksum);
+}
+
+void KRB5_LIB_FUNCTION
+krb5_free_checksum_contents(krb5_context context, krb5_checksum *cksum)
+{
+    krb5_checksum_free(context, cksum);
+    memset(cksum, 0, sizeof(*cksum));
+}
+
+void KRB5_LIB_FUNCTION
+krb5_checksum_free(krb5_context context, krb5_checksum *cksum)
+{
+    free_Checksum(cksum);
+}
+
+krb5_boolean KRB5_LIB_FUNCTION
+krb5_c_valid_enctype (krb5_enctype etype)
+{
+    return krb5_enctype_valid(NULL, etype);
+}
+
+krb5_boolean KRB5_LIB_FUNCTION
+krb5_c_valid_cksumtype(krb5_cksumtype ctype)
+{
+    return krb5_cksumtype_valid(NULL, ctype);
+}
+
+krb5_boolean KRB5_LIB_FUNCTION
+krb5_c_is_coll_proof_cksum(krb5_cksumtype ctype)
+{
+    return krb5_checksum_is_collision_proof(NULL, ctype);
+}
+
+krb5_boolean KRB5_LIB_FUNCTION
+krb5_c_is_keyed_cksum(krb5_cksumtype ctype)
+{
+    return krb5_checksum_is_keyed(NULL, ctype);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_copy_checksum (krb5_context context,
+		    const krb5_checksum *old,
+		    krb5_checksum **new)
+{
+    *new = malloc(sizeof(**new));
+    if (*new == NULL)
+	return ENOMEM;
+    return copy_Checksum(old, *new);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_checksum_length (krb5_context context, krb5_cksumtype cksumtype,
+			size_t *length)
+{
+    return krb5_checksumsize(context, cksumtype, length);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_block_size(krb5_context context, 
+		  krb5_enctype enctype, 
+		  size_t *blocksize)
+{
+    krb5_error_code ret;
+    krb5_crypto crypto;
+    krb5_keyblock key;
+
+    ret = krb5_generate_random_keyblock(context, enctype, &key);
+    if (ret)
+	return ret;
+
+    ret = krb5_crypto_init(context, &key, 0, &crypto);
+    krb5_free_keyblock_contents(context, &key);
+    if (ret)
+	return ret;
+    ret = krb5_crypto_getblocksize(context, crypto, blocksize);
+    krb5_crypto_destroy(context, crypto);
+
+    return ret;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_decrypt(krb5_context context, 
+	       const krb5_keyblock key, 
+	       krb5_keyusage usage, 
+	       const krb5_data *ivec, 
+	       krb5_enc_data *input, 
+	       krb5_data *output)
+{
+    krb5_error_code ret;
+    krb5_crypto crypto;
+
+    ret = krb5_crypto_init(context, &key, input->enctype, &crypto);
+    if (ret)
+	return ret;
+
+    if (ivec) {
+	size_t blocksize;
+
+	ret = krb5_crypto_getblocksize(context, crypto, &blocksize);
+	if (ret) {
+	krb5_crypto_destroy(context, crypto);
+	return ret;
+	}
+	
+	if (blocksize > ivec->length) {
+	    krb5_crypto_destroy(context, crypto);
+	    return KRB5_BAD_MSIZE;
+	}
+    }
+
+    ret = krb5_decrypt_ivec(context, crypto, usage, 
+			    input->ciphertext.data, input->ciphertext.length, 
+			    output, 
+			    ivec ? ivec->data : NULL);
+
+    krb5_crypto_destroy(context, crypto);
+
+    return ret ;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_encrypt(krb5_context context, 
+	       const krb5_keyblock *key, 
+	       krb5_keyusage usage,
+	       const krb5_data *ivec, 
+	       const krb5_data *input,
+	       krb5_enc_data *output)
+{
+    krb5_error_code ret;
+    krb5_crypto crypto;
+
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret)
+	return ret;
+
+    if (ivec) {
+	size_t blocksize;
+
+	ret = krb5_crypto_getblocksize(context, crypto, &blocksize);
+	if (ret) {
+	    krb5_crypto_destroy(context, crypto);
+	    return ret;
+	}
+
+	if (blocksize > ivec->length) {
+	    krb5_crypto_destroy(context, crypto);
+	    return KRB5_BAD_MSIZE;
+	}
+    }
+
+    ret = krb5_encrypt_ivec(context, crypto, usage, 
+			    input->data, input->length, 
+			    &output->ciphertext, 
+			    ivec ? ivec->data : NULL);
+    output->kvno = 0;
+    krb5_crypto_getenctype(context, crypto, &output->enctype);
+
+    krb5_crypto_destroy(context, crypto);
+
+    return ret ;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_encrypt_length(krb5_context context, 
+		      krb5_enctype enctype, 
+		      size_t inputlen,
+		      size_t *length)
+{
+    krb5_error_code ret;
+    krb5_crypto crypto;
+    krb5_keyblock key;
+
+    ret = krb5_generate_random_keyblock(context, enctype, &key);
+    if (ret)
+	return ret;
+
+    ret = krb5_crypto_init(context, &key, 0, &crypto);
+    krb5_free_keyblock_contents(context, &key);
+    if (ret)
+	return ret;
+
+    *length = krb5_get_wrapped_length(context, crypto, inputlen);
+    krb5_crypto_destroy(context, crypto);
+
+    return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_enctype_compare(krb5_context context, 
+		       krb5_enctype e1,
+		       krb5_enctype e2, 
+		       krb5_boolean *similar)
+{
+    *similar = krb5_enctypes_compatible_keys(context, e1, e2);
+    return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_make_random_key(krb5_context context,
+		       krb5_enctype enctype, 
+		       krb5_keyblock *random_key)
+{
+    return krb5_generate_random_keyblock(context, enctype, random_key);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_keylengths(krb5_context context,
+		  krb5_enctype enctype,
+		  size_t *ilen,
+		  size_t *keylen)
+{
+    krb5_error_code ret;
+
+    ret = krb5_enctype_keybits(context, enctype, ilen);
+    if (ret)
+	return ret;
+    *ilen = (*ilen + 7) / 8;
+    return krb5_enctype_keysize(context, enctype, keylen);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_prf_length(krb5_context context,
+		  krb5_enctype type,
+		  size_t *length)
+{
+    return krb5_crypto_prf_length(context, type, length);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_c_prf(krb5_context context,
+	   const krb5_keyblock *key,
+	   const krb5_data *input, 
+	   krb5_data *output)
+{
+    krb5_crypto crypto;
+    krb5_error_code ret;
+
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret)
+	return ret;
+
+    ret = krb5_crypto_prf(context, crypto, input, output);
+    krb5_crypto_destroy(context, crypto);
+
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/mk_error.c b/crypto/heimdal/lib/krb5/mk_error.c
index ae9e10a..7046649 100644
--- a/crypto/heimdal/lib/krb5/mk_error.c
+++ b/crypto/heimdal/lib/krb5/mk_error.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,9 +33,9 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: mk_error.c,v 1.18 2002/09/04 16:26:04 joda Exp $");
+RCSID("$Id: mk_error.c 15457 2005-06-16 21:16:40Z lha $");
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_mk_error(krb5_context context,
 	      krb5_error_code error_code,
 	      const char *e_text,
@@ -47,7 +47,8 @@ krb5_mk_error(krb5_context context,
 	      krb5_data *reply)
 {
     KRB_ERROR msg;
-    int32_t sec, usec;
+    krb5_timestamp sec;
+    int32_t usec;
     size_t len;
     krb5_error_code ret = 0;
 
@@ -68,9 +69,9 @@ krb5_mk_error(krb5_context context,
     }
     msg.error_code = error_code - KRB5KDC_ERR_NONE;
     if (e_text)
-	msg.e_text = (general_string*)&e_text;
+	msg.e_text = rk_UNCONST(&e_text);
     if (e_data)
-	msg.e_data = (octet_string*)e_data;
+	msg.e_data = rk_UNCONST(e_data);
     if(server){
 	msg.realm = server->realm;
 	msg.sname = server->name;
diff --git a/crypto/heimdal/lib/krb5/mk_priv.c b/crypto/heimdal/lib/krb5/mk_priv.c
index b89f7e9..87e429a 100644
--- a/crypto/heimdal/lib/krb5/mk_priv.c
+++ b/crypto/heimdal/lib/krb5/mk_priv.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,103 +33,123 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: mk_priv.c,v 1.31 2002/09/04 16:26:04 joda Exp $");
+RCSID("$Id: mk_priv.c 16680 2006-02-01 12:39:26Z lha $");
 
       
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_mk_priv(krb5_context context,
 	     krb5_auth_context auth_context,
 	     const krb5_data *userdata,
 	     krb5_data *outbuf,
-	     /*krb5_replay_data*/ void *outdata)
+	     krb5_replay_data *outdata)
 {
-  krb5_error_code ret;
-  KRB_PRIV s;
-  EncKrbPrivPart part;
-  u_char *buf;
-  size_t buf_size;
-  size_t len;
-  u_int32_t tmp_seq;
-  krb5_keyblock *key;
-  int32_t sec, usec;
-  KerberosTime sec2;
-  int usec2;
-  krb5_crypto crypto;
-
-  if (auth_context->local_subkey)
-      key = auth_context->local_subkey;
-  else if (auth_context->remote_subkey)
-      key = auth_context->remote_subkey;
-  else
-      key = auth_context->keyblock;
-
-  krb5_us_timeofday (context, &sec, &usec);
-
-  part.user_data = *userdata;
-  sec2           = sec;
-  part.timestamp = &sec2;
-  usec2          = usec;
-  part.usec      = &usec2;
-  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
-    tmp_seq = auth_context->local_seqnumber;
-    part.seq_number = &tmp_seq;
-  } else {
-    part.seq_number = NULL;
-  }
-
-  part.s_address = auth_context->local_address;
-  part.r_address = auth_context->remote_address;
-
-  krb5_data_zero (&s.enc_part.cipher);
-
-  ASN1_MALLOC_ENCODE(EncKrbPrivPart, buf, buf_size, &part, &len, ret);
-  if (ret)
-      goto fail;
-
-  s.pvno = 5;
-  s.msg_type = krb_priv;
-  s.enc_part.etype = key->keytype;
-  s.enc_part.kvno = NULL;
-
-  ret = krb5_crypto_init(context, key, 0, &crypto);
-  if (ret) {
-      free (buf);
-      return ret;
-  }
-  ret = krb5_encrypt (context, 
-		      crypto,
-		      KRB5_KU_KRB_PRIV,
-		      buf + buf_size - len, 
-		      len,
-		      &s.enc_part.cipher);
-  krb5_crypto_destroy(context, crypto);
-  if (ret) {
-      free(buf);
-      return ret;
-  }
-  free(buf);
-
-
-  ASN1_MALLOC_ENCODE(KRB_PRIV, buf, buf_size, &s, &len, ret);
-
-  if(ret)
-      goto fail;
-  krb5_data_free (&s.enc_part.cipher);
-
-  ret = krb5_data_copy(outbuf, buf + buf_size - len, len);
-  if (ret) {
-      krb5_set_error_string (context, "malloc: out of memory");
-      free(buf);
-      return ENOMEM;
-  }
-  free (buf);
-  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE)
-      auth_context->local_seqnumber =
-	  (auth_context->local_seqnumber + 1) & 0xFFFFFFFF;
-  return 0;
-
-fail:
-  free (buf);
-  krb5_data_free (&s.enc_part.cipher);
-  return ret;
+    krb5_error_code ret;
+    KRB_PRIV s;
+    EncKrbPrivPart part;
+    u_char *buf = NULL;
+    size_t buf_size;
+    size_t len;
+    krb5_crypto crypto;
+    krb5_keyblock *key;
+    krb5_replay_data rdata;
+
+    if ((auth_context->flags & 
+	 (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+	outdata == NULL)
+	return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
+
+    if (auth_context->local_subkey)
+	key = auth_context->local_subkey;
+    else if (auth_context->remote_subkey)
+	key = auth_context->remote_subkey;
+    else
+	key = auth_context->keyblock;
+
+    memset(&rdata, 0, sizeof(rdata));
+
+    part.user_data = *userdata;
+
+    krb5_us_timeofday (context, &rdata.timestamp, &rdata.usec);
+
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
+	part.timestamp = &rdata.timestamp;
+	part.usec      = &rdata.usec;
+    } else {
+	part.timestamp = NULL;
+	part.usec      = NULL;
+    }
+
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_TIME) {
+	outdata->timestamp = rdata.timestamp;
+	outdata->usec = rdata.usec;
+    }
+
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+	rdata.seq = auth_context->local_seqnumber;
+	part.seq_number = &rdata.seq;
+    } else
+	part.seq_number = NULL;
+
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
+	outdata->seq = auth_context->local_seqnumber;
+    
+    part.s_address = auth_context->local_address;
+    part.r_address = auth_context->remote_address;
+
+    krb5_data_zero (&s.enc_part.cipher);
+
+    ASN1_MALLOC_ENCODE(EncKrbPrivPart, buf, buf_size, &part, &len, ret);
+    if (ret)
+	goto fail;
+    if (buf_size != len)
+	krb5_abortx(context, "internal error in ASN.1 encoder");
+
+    s.pvno = 5;
+    s.msg_type = krb_priv;
+    s.enc_part.etype = key->keytype;
+    s.enc_part.kvno = NULL;
+
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret) {
+	free (buf);
+	return ret;
+    }
+    ret = krb5_encrypt (context, 
+			crypto,
+			KRB5_KU_KRB_PRIV,
+			buf + buf_size - len, 
+			len,
+			&s.enc_part.cipher);
+    krb5_crypto_destroy(context, crypto);
+    if (ret) {
+	free(buf);
+	return ret;
+    }
+    free(buf);
+
+
+    ASN1_MALLOC_ENCODE(KRB_PRIV, buf, buf_size, &s, &len, ret);
+    if (ret)
+	goto fail;
+    if (buf_size != len)
+	krb5_abortx(context, "internal error in ASN.1 encoder");
+
+    krb5_data_free (&s.enc_part.cipher);
+
+    ret = krb5_data_copy(outbuf, buf + buf_size - len, len);
+    if (ret) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	free(buf);
+	return ENOMEM;
+    }
+    free (buf);
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE)
+	auth_context->local_seqnumber =
+	    (auth_context->local_seqnumber + 1) & 0xFFFFFFFF;
+    return 0;
+
+  fail:
+    free (buf);
+    krb5_data_free (&s.enc_part.cipher);
+    return ret;
 }
diff --git a/crypto/heimdal/lib/krb5/mk_rep.c b/crypto/heimdal/lib/krb5/mk_rep.c
index 1026df0..570a837 100644
--- a/crypto/heimdal/lib/krb5/mk_rep.c
+++ b/crypto/heimdal/lib/krb5/mk_rep.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,9 +33,9 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: mk_rep.c,v 1.21 2002/12/19 13:30:36 joda Exp $");
+RCSID("$Id: mk_rep.c 13863 2004-05-25 21:46:46Z lha $");
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_mk_rep(krb5_context context,
 	    krb5_auth_context auth_context,
 	    krb5_data *outbuf)
@@ -55,14 +55,37 @@ krb5_mk_rep(krb5_context context,
 
     body.ctime = auth_context->authenticator->ctime;
     body.cusec = auth_context->authenticator->cusec;
-    body.subkey = NULL;
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_USE_SUBKEY) {
+	if (auth_context->local_subkey == NULL) {
+	    ret = krb5_auth_con_generatelocalsubkey(context,
+						    auth_context,
+						    auth_context->keyblock);
+	    if(ret) {
+		krb5_set_error_string (context,
+				       "krb5_mk_rep: generating subkey");
+		free_EncAPRepPart(&body);
+		return ret;
+	    }
+	}
+	ret = krb5_copy_keyblock(context, auth_context->local_subkey,
+				 &body.subkey);
+	if (ret) {
+	    krb5_set_error_string (context,
+				   "krb5_copy_keyblock: out of memory");
+	    free_EncAPRepPart(&body);
+	    return ENOMEM;
+	}
+    } else
+	body.subkey = NULL;
     if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
-	krb5_generate_seq_number (context,
-				  auth_context->keyblock,
-				  &auth_context->local_seqnumber);
-	body.seq_number = malloc (sizeof(*body.seq_number));
+	if(auth_context->local_seqnumber == 0) 
+	    krb5_generate_seq_number (context,
+				      auth_context->keyblock,
+				      &auth_context->local_seqnumber);
+	ALLOC(body.seq_number, 1);
 	if (body.seq_number == NULL) {
 	    krb5_set_error_string (context, "malloc: out of memory");
+	    free_EncAPRepPart(&body);
 	    return ENOMEM;
 	}
 	*(body.seq_number) = auth_context->local_seqnumber;
@@ -76,6 +99,8 @@ krb5_mk_rep(krb5_context context,
     free_EncAPRepPart (&body);
     if(ret)
 	return ret;
+    if (buf_size != len)
+	krb5_abortx(context, "internal error in ASN.1 encoder");
     ret = krb5_crypto_init(context, auth_context->keyblock, 
 			   0 /* ap.enc_part.etype */, &crypto);
     if (ret) {
@@ -94,6 +119,8 @@ krb5_mk_rep(krb5_context context,
 	return ret;
 
     ASN1_MALLOC_ENCODE(AP_REP, outbuf->data, outbuf->length, &ap, &len, ret);
+    if (ret == 0 && outbuf->length != len)
+	krb5_abortx(context, "internal error in ASN.1 encoder");
     free_AP_REP (&ap);
     return ret;
 }
diff --git a/crypto/heimdal/lib/krb5/mk_req.c b/crypto/heimdal/lib/krb5/mk_req.c
index a554123..5f64f01 100644
--- a/crypto/heimdal/lib/krb5/mk_req.c
+++ b/crypto/heimdal/lib/krb5/mk_req.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,9 +33,9 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: mk_req.c,v 1.24 2001/06/18 20:05:52 joda Exp $");
+RCSID("$Id: mk_req.c 13863 2004-05-25 21:46:46Z lha $");
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_mk_req_exact(krb5_context context,
 		  krb5_auth_context *auth_context,
 		  const krb5_flags ap_req_options,
@@ -56,7 +56,7 @@ krb5_mk_req_exact(krb5_context context,
 
     ret = krb5_copy_principal (context, server, &this_cred.server);
     if (ret) {
-	krb5_free_creds_contents (context, &this_cred);
+	krb5_free_cred_contents (context, &this_cred);
 	return ret;
     }
 
@@ -65,7 +65,7 @@ krb5_mk_req_exact(krb5_context context,
 	this_cred.session.keytype = (*auth_context)->keytype;
 
     ret = krb5_get_credentials (context, 0, ccache, &this_cred, &cred);
-    krb5_free_creds_contents(context, &this_cred);
+    krb5_free_cred_contents(context, &this_cred);
     if (ret)
 	return ret;
 
@@ -79,7 +79,7 @@ krb5_mk_req_exact(krb5_context context,
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_mk_req(krb5_context context,
 	    krb5_auth_context *auth_context,
 	    const krb5_flags ap_req_options,
diff --git a/crypto/heimdal/lib/krb5/mk_req_ext.c b/crypto/heimdal/lib/krb5/mk_req_ext.c
index 922be9e..b6d55c8 100644
--- a/crypto/heimdal/lib/krb5/mk_req_ext.c
+++ b/crypto/heimdal/lib/krb5/mk_req_ext.c
@@ -33,134 +33,120 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: mk_req_ext.c,v 1.26.4.1 2003/09/18 20:34:30 lha Exp $");
+RCSID("$Id: mk_req_ext.c 19511 2006-12-27 12:07:22Z lha $");
 
 krb5_error_code
-krb5_mk_req_internal(krb5_context context,
-		     krb5_auth_context *auth_context,
-		     const krb5_flags ap_req_options,
-		     krb5_data *in_data,
-		     krb5_creds *in_creds,
-		     krb5_data *outbuf,
-		     krb5_key_usage checksum_usage,
-		     krb5_key_usage encrypt_usage)
+_krb5_mk_req_internal(krb5_context context,
+		      krb5_auth_context *auth_context,
+		      const krb5_flags ap_req_options,
+		      krb5_data *in_data,
+		      krb5_creds *in_creds,
+		      krb5_data *outbuf,
+		      krb5_key_usage checksum_usage,
+		      krb5_key_usage encrypt_usage)
 {
-  krb5_error_code ret;
-  krb5_data authenticator;
-  Checksum c;
-  Checksum *c_opt;
-  krb5_auth_context ac;
+    krb5_error_code ret;
+    krb5_data authenticator;
+    Checksum c;
+    Checksum *c_opt;
+    krb5_auth_context ac;
 
-  if(auth_context) {
-      if(*auth_context == NULL)
-	  ret = krb5_auth_con_init(context, auth_context);
-      else
-	  ret = 0;
-      ac = *auth_context;
-  } else
-      ret = krb5_auth_con_init(context, &ac);
-  if(ret)
-      return ret;
+    if(auth_context) {
+	if(*auth_context == NULL)
+	    ret = krb5_auth_con_init(context, auth_context);
+	else
+	    ret = 0;
+	ac = *auth_context;
+    } else
+	ret = krb5_auth_con_init(context, &ac);
+    if(ret)
+	return ret;
       
-  if(ac->local_subkey == NULL && (ap_req_options & AP_OPTS_USE_SUBKEY)) {
-      ret = krb5_auth_con_generatelocalsubkey(context, ac, &in_creds->session);
-      if(ret)
-	  return ret;
-  }
+    if(ac->local_subkey == NULL && (ap_req_options & AP_OPTS_USE_SUBKEY)) {
+	ret = krb5_auth_con_generatelocalsubkey(context,
+						ac, 
+						&in_creds->session);
+	if(ret)
+	    goto out;
+    }
 
-#if 0
-  {
-      /* This is somewhat bogus since we're possibly overwriting a
-         value specified by the user, but it's the easiest way to make
-         the code use a compatible enctype */
-      Ticket ticket;
-      krb5_keytype ticket_keytype;
+    krb5_free_keyblock(context, ac->keyblock);
+    ret = krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
+    if (ret)
+	goto out;
+  
+    /* it's unclear what type of checksum we can use.  try the best one, except:
+     * a) if it's configured differently for the current realm, or
+     * b) if the session key is des-cbc-crc
+     */
 
-      ret = decode_Ticket(in_creds->ticket.data, 
-			  in_creds->ticket.length, 
-			  &ticket, 
-			  NULL);
-      krb5_enctype_to_keytype (context,
-			       ticket.enc_part.etype,
-			       &ticket_keytype);
+    if (in_data) {
+	if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) {
+	    /* this is to make DCE secd (and older MIT kdcs?) happy */
+	    ret = krb5_create_checksum(context, 
+				       NULL,
+				       0,
+				       CKSUMTYPE_RSA_MD4,
+				       in_data->data,
+				       in_data->length,
+				       &c);
+	} else if(ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5 ||
+		  ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5_56 ||
+		  ac->keyblock->keytype == ETYPE_DES_CBC_MD4 ||
+		  ac->keyblock->keytype == ETYPE_DES_CBC_MD5) {
+	    /* this is to make MS kdc happy */ 
+	    ret = krb5_create_checksum(context, 
+				       NULL,
+				       0,
+				       CKSUMTYPE_RSA_MD5,
+				       in_data->data,
+				       in_data->length,
+				       &c);
+	} else {
+	    krb5_crypto crypto;
 
-      if (ticket_keytype == in_creds->session.keytype)
-	  krb5_auth_setenctype(context, 
-			       ac,
-			       ticket.enc_part.etype);
-      free_Ticket(&ticket);
-  }
-#endif
+	    ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
+	    if (ret)
+		goto out;
+	    ret = krb5_create_checksum(context, 
+				       crypto,
+				       checksum_usage,
+				       0,
+				       in_data->data,
+				       in_data->length,
+				       &c);
+	    krb5_crypto_destroy(context, crypto);
+	}
+	c_opt = &c;
+    } else {
+	c_opt = NULL;
+    }
 
-  krb5_free_keyblock(context, ac->keyblock);
-  krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
+    if (ret)
+	goto out;
   
-  /* it's unclear what type of checksum we can use.  try the best one, except:
-   * a) if it's configured differently for the current realm, or
-   * b) if the session key is des-cbc-crc
-   */
+    ret = krb5_build_authenticator (context,
+				    ac,
+				    ac->keyblock->keytype,
+				    in_creds,
+				    c_opt,
+				    NULL,
+				    &authenticator,
+				    encrypt_usage);
+    if (c_opt)
+	free_Checksum (c_opt);
+    if (ret)
+	goto out;
 
-  if (in_data) {
-      if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) {
-	  /* this is to make DCE secd (and older MIT kdcs?) happy */
-	  ret = krb5_create_checksum(context, 
-				     NULL,
-				     0,
-				     CKSUMTYPE_RSA_MD4,
-				     in_data->data,
-				     in_data->length,
-				     &c);
-      } else if(ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5) {
-	  /* this is to make MS kdc happy */ 
-	  ret = krb5_create_checksum(context, 
-				     NULL,
-				     0,
-				     CKSUMTYPE_RSA_MD5,
-				     in_data->data,
-				     in_data->length,
-				     &c);
-      } else {
-	  krb5_crypto crypto;
-
-	  ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
-	  if (ret)
-	      return ret;
-	  ret = krb5_create_checksum(context, 
-				     crypto,
-				     checksum_usage,
-				     0,
-				     in_data->data,
-				     in_data->length,
-				     &c);
-      
-	  krb5_crypto_destroy(context, crypto);
-      }
-      c_opt = &c;
-  } else {
-      c_opt = NULL;
-  }
-  
-  ret = krb5_build_authenticator (context,
-				  ac,
-				  ac->keyblock->keytype,
-				  in_creds,
-				  c_opt,
-				  NULL,
-				  &authenticator,
-				  encrypt_usage);
-  if (c_opt)
-      free_Checksum (c_opt);
-  if (ret)
+    ret = krb5_build_ap_req (context, ac->keyblock->keytype, 
+			     in_creds, ap_req_options, authenticator, outbuf);
+out:
+    if(auth_context == NULL)
+	krb5_auth_con_free(context, ac);
     return ret;
-
-  ret = krb5_build_ap_req (context, ac->keyblock->keytype, 
-			   in_creds, ap_req_options, authenticator, outbuf);
-  if(auth_context == NULL)
-      krb5_auth_con_free(context, ac);
-  return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_mk_req_extended(krb5_context context,
 		     krb5_auth_context *auth_context,
 		     const krb5_flags ap_req_options,
@@ -168,7 +154,7 @@ krb5_mk_req_extended(krb5_context context,
 		     krb5_creds *in_creds,
 		     krb5_data *outbuf)
 {
-    return krb5_mk_req_internal (context,
+    return _krb5_mk_req_internal (context,
 				 auth_context,
 				 ap_req_options,
 				 in_data,
diff --git a/crypto/heimdal/lib/krb5/mk_safe.c b/crypto/heimdal/lib/krb5/mk_safe.c
index 8bfa066..0b75759 100644
--- a/crypto/heimdal/lib/krb5/mk_safe.c
+++ b/crypto/heimdal/lib/krb5/mk_safe.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,92 +33,109 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: mk_safe.c,v 1.28.4.1 2004/03/07 12:46:43 lha Exp $");
+RCSID("$Id: mk_safe.c 13863 2004-05-25 21:46:46Z lha $");
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_mk_safe(krb5_context context,
 	     krb5_auth_context auth_context,
 	     const krb5_data *userdata,
 	     krb5_data *outbuf,
-	     /*krb5_replay_data*/ void *outdata)
+	     krb5_replay_data *outdata)
 {
-  krb5_error_code ret;
-  KRB_SAFE s;
-  int32_t sec, usec;
-  KerberosTime sec2;
-  int usec2;
-  u_char *buf = NULL;
-  size_t buf_size;
-  size_t len;
-  u_int32_t tmp_seq;
-  krb5_crypto crypto;
-  krb5_keyblock *key;
-
-  if (auth_context->local_subkey)
-      key = auth_context->local_subkey;
-  else if (auth_context->remote_subkey)
-      key = auth_context->remote_subkey;
-  else
-      key = auth_context->keyblock;
-
-  s.pvno = 5;
-  s.msg_type = krb_safe;
-
-  s.safe_body.user_data = *userdata;
-  krb5_us_timeofday (context, &sec, &usec);
-
-  sec2                   = sec;
-  s.safe_body.timestamp  = &sec2;
-  usec2                  = usec;
-  s.safe_body.usec       = &usec2;
-  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
-      tmp_seq = auth_context->local_seqnumber;
-      s.safe_body.seq_number = &tmp_seq;
-  } else 
-      s.safe_body.seq_number = NULL;
-
-  s.safe_body.s_address = auth_context->local_address;
-  s.safe_body.r_address = auth_context->remote_address;
-
-  s.cksum.cksumtype       = 0;
-  s.cksum.checksum.data   = NULL;
-  s.cksum.checksum.length = 0;
-
-  ASN1_MALLOC_ENCODE(KRB_SAFE, buf, buf_size, &s, &len, ret);
-  if (ret)
-      return ret;
-  if(buf_size != len)
-      krb5_abortx(context, "internal error in ASN.1 encoder");
-  ret = krb5_crypto_init(context, key, 0, &crypto);
-  if (ret) {
-      free (buf);
-      return ret;
-  }
-  ret = krb5_create_checksum(context, 
-			     crypto,
-			     KRB5_KU_KRB_SAFE_CKSUM,
-			     0,
-			     buf,
-			     len,
-			     &s.cksum);
-  krb5_crypto_destroy(context, crypto);
-  if (ret) {
-      free (buf);
-      return ret;
-  }
-
-  free(buf);
-  ASN1_MALLOC_ENCODE(KRB_SAFE, buf, buf_size, &s, &len, ret);
-  free_Checksum (&s.cksum);
-  if(ret)
-      return ret;
-  if(buf_size != len)
-      krb5_abortx(context, "internal error in ASN.1 encoder");
-
-  outbuf->length = len;
-  outbuf->data   = buf;
-  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE)
-      auth_context->local_seqnumber =
-	  (auth_context->local_seqnumber + 1) & 0xFFFFFFFF;
-  return 0;
+    krb5_error_code ret;
+    KRB_SAFE s;
+    u_char *buf = NULL;
+    size_t buf_size;
+    size_t len;
+    krb5_crypto crypto;
+    krb5_keyblock *key;
+    krb5_replay_data rdata;
+
+    if ((auth_context->flags & 
+	 (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+	outdata == NULL)
+	return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
+
+    if (auth_context->local_subkey)
+	key = auth_context->local_subkey;
+    else if (auth_context->remote_subkey)
+	key = auth_context->remote_subkey;
+    else
+	key = auth_context->keyblock;
+
+    s.pvno = 5;
+    s.msg_type = krb_safe;
+
+    memset(&rdata, 0, sizeof(rdata));
+
+    s.safe_body.user_data = *userdata;
+
+    krb5_us_timeofday (context, &rdata.timestamp, &rdata.usec);
+
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
+	s.safe_body.timestamp  = &rdata.timestamp;
+	s.safe_body.usec       = &rdata.usec;
+    } else {
+	s.safe_body.timestamp  = NULL;
+	s.safe_body.usec       = NULL;
+    }
+    
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_TIME) {
+	outdata->timestamp = rdata.timestamp;
+	outdata->usec = rdata.usec;
+    }
+
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+	rdata.seq = auth_context->local_seqnumber;
+	s.safe_body.seq_number = &rdata.seq;
+    } else 
+	s.safe_body.seq_number = NULL;
+
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
+	outdata->seq = auth_context->local_seqnumber;
+    
+    s.safe_body.s_address = auth_context->local_address;
+    s.safe_body.r_address = auth_context->remote_address;
+
+    s.cksum.cksumtype       = 0;
+    s.cksum.checksum.data   = NULL;
+    s.cksum.checksum.length = 0;
+
+    ASN1_MALLOC_ENCODE(KRB_SAFE, buf, buf_size, &s, &len, ret);
+    if (ret)
+	return ret;
+    if(buf_size != len)
+	krb5_abortx(context, "internal error in ASN.1 encoder");
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret) {
+	free (buf);
+	return ret;
+    }
+    ret = krb5_create_checksum(context, 
+			       crypto,
+			       KRB5_KU_KRB_SAFE_CKSUM,
+			       0,
+			       buf,
+			       len,
+			       &s.cksum);
+    krb5_crypto_destroy(context, crypto);
+    if (ret) {
+	free (buf);
+	return ret;
+    }
+
+    free(buf);
+    ASN1_MALLOC_ENCODE(KRB_SAFE, buf, buf_size, &s, &len, ret);
+    free_Checksum (&s.cksum);
+    if(ret)
+	return ret;
+    if(buf_size != len)
+	krb5_abortx(context, "internal error in ASN.1 encoder");
+
+    outbuf->length = len;
+    outbuf->data   = buf;
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE)
+	auth_context->local_seqnumber =
+	    (auth_context->local_seqnumber + 1) & 0xFFFFFFFF;
+    return 0;
 }
diff --git a/crypto/heimdal/lib/krb5/n-fold-test.c b/crypto/heimdal/lib/krb5/n-fold-test.c
index 7cf4905..248e232 100644
--- a/crypto/heimdal/lib/krb5/n-fold-test.c
+++ b/crypto/heimdal/lib/krb5/n-fold-test.c
@@ -32,7 +32,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: n-fold-test.c,v 1.4 2001/03/12 07:42:30 assar Exp $");
+RCSID("$Id: n-fold-test.c 21745 2007-07-31 16:11:25Z lha $");
 
 enum { MAXSIZE = 24 };
 
@@ -102,7 +102,9 @@ main(int argc, char **argv)
     for (t = tests; t->str; ++t) {
 	int i;
 
-	_krb5_n_fold (t->str, strlen(t->str), data, t->n);
+	ret = _krb5_n_fold (t->str, strlen(t->str), data, t->n);
+	if (ret)
+	    errx(1, "out of memory");
 	if (memcmp (data, t->res, t->n) != 0) {
 	    printf ("n-fold(\"%s\", %d) failed\n", t->str, t->n);
 	    printf ("should be: ");
diff --git a/crypto/heimdal/lib/krb5/n-fold.c b/crypto/heimdal/lib/krb5/n-fold.c
index d0db5e8..53528cf 100644
--- a/crypto/heimdal/lib/krb5/n-fold.c
+++ b/crypto/heimdal/lib/krb5/n-fold.c
@@ -32,21 +32,23 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: n-fold.c,v 1.6 1999/08/27 09:03:41 joda Exp $");
+RCSID("$Id: n-fold.c 22190 2007-12-06 16:24:22Z lha $");
 
-static void
+static krb5_error_code
 rr13(unsigned char *buf, size_t len)
 {
     unsigned char *tmp;
     int bytes = (len + 7) / 8;
     int i;
     if(len == 0)
-	return;
+	return 0;
     {
 	const int bits = 13 % len;
 	const int lbit = len % 8;
     
 	tmp = malloc(bytes);
+	if (tmp == NULL)
+	    return ENOMEM;
 	memcpy(tmp, buf, bytes);
 	if(lbit) {
 	    /* pad final byte with inital bits */
@@ -75,9 +77,10 @@ rr13(unsigned char *buf, size_t len)
 	}
 	free(tmp);
     }
+    return 0;
 }
 
-/* Add `b' to `a', both beeing one's complement numbers. */
+/* Add `b' to `a', both being one's complement numbers. */
 static void
 add1(unsigned char *a, unsigned char *b, size_t len)
 {
@@ -95,22 +98,28 @@ add1(unsigned char *a, unsigned char *b, size_t len)
     }
 }
 
-void
+krb5_error_code KRB5_LIB_FUNCTION
 _krb5_n_fold(const void *str, size_t len, void *key, size_t size)
 {
     /* if len < size we need at most N * len bytes, ie < 2 * size;
        if len > size we need at most 2 * len */
+    krb5_error_code ret = 0;
     size_t maxlen = 2 * max(size, len);
     size_t l = 0;
     unsigned char *tmp = malloc(maxlen);
     unsigned char *buf = malloc(len);
     
+    if (tmp == NULL || buf == NULL) 
+	return ENOMEM;
+
     memcpy(buf, str, len);
     memset(key, 0, size);
     do {
 	memcpy(tmp + l, buf, len);
 	l += len;
-	rr13(buf, len * 8);
+	ret = rr13(buf, len * 8);
+	if (ret)
+	    goto out;
 	while(l >= size) {
 	    add1(key, tmp, size);
 	    l -= size;
@@ -119,8 +128,10 @@ _krb5_n_fold(const void *str, size_t len, void *key, size_t size)
 	    memmove(tmp, tmp + size, l);
 	}
     } while(l != 0);
+out:
     memset(buf, 0, len);
     free(buf);
     memset(tmp, 0, maxlen);
     free(tmp);
+    return ret;
 }
diff --git a/crypto/heimdal/lib/krb5/name-45-test.c b/crypto/heimdal/lib/krb5/name-45-test.c
index f1455cd..0bb05f5 100644
--- a/crypto/heimdal/lib/krb5/name-45-test.c
+++ b/crypto/heimdal/lib/krb5/name-45-test.c
@@ -31,8 +31,9 @@
  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
 
 #include "krb5_locl.h"
+#include <err.h>
 
-RCSID("$Id: name-45-test.c,v 1.3.2.1 2003/05/06 16:49:14 joda Exp $");
+RCSID("$Id: name-45-test.c 19763 2007-01-08 13:35:49Z lha $");
 
 enum { MAX_COMPONENTS = 3 };
 
@@ -58,10 +59,10 @@ static struct testcase {
     {"krbtgt", "FOO.SE", "FOO.SE", "FOO.SE", 2,
      {"krbtgt", "FOO.SE"}, NULL, 0, 0},
 
-    {"foo", "bar", "BAZ", "BAZ", 2,
-     {"foo", "bar"}, NULL, 0, 0},
-    {"foo", "bar", "BAZ", "BAZ", 2,
-     {"foo", "bar"},
+    {"foo", "bar2", "BAZ", "BAZ", 2,
+     {"foo", "bar2"}, NULL, 0, 0},
+    {"foo", "bar2", "BAZ", "BAZ", 2,
+     {"foo", "bar2"},
      "[libdefaults]\n"
      "	v4_name_convert = {\n"
      "		host = {\n"
@@ -69,8 +70,8 @@ static struct testcase {
      "		}\n"
      "}\n",
     HEIM_ERR_V4_PRINC_NO_CONV, 0},
-    {"foo", "bar", "BAZ", "BAZ", 2,
-     {"foo5", "bar.baz"},
+    {"foo", "bar2", "BAZ", "BAZ", 2,
+     {"foo5", "bar2.baz"},
      "[realms]\n"
      "  BAZ = {\n"
      "		v4_name_convert = {\n"
@@ -79,7 +80,7 @@ static struct testcase {
      "			}\n"
      "		}\n"
      "		v4_instance_convert = {\n"
-     "			bar = bar.baz\n"
+     "			bar2 = bar2.baz\n"
      "		}\n"
      "  }\n",
      0, 0},
@@ -152,8 +153,15 @@ main(int argc, char **argv)
     struct testcase *t;
     krb5_context context;
     krb5_error_code ret;
+    char hostname[1024];
     int val = 0;
 
+    setprogname(argv[0]);
+
+    gethostname(hostname, sizeof(hostname));
+    if (!(strstr(hostname, "kth.se") != NULL || strstr(hostname, "su.se") != NULL))
+	return 0;
+
     for (t = tests; t->v4_name; ++t) {
 	krb5_principal princ;
 	int i;
@@ -207,12 +215,15 @@ main(int argc, char **argv)
 			    t->v4_name, t->v4_inst, t->v4_realm, s);
 		free(s);
 		val = 1;
+		krb5_free_context(context);
 		continue;
 	    }
 	}
 
-	if (ret)
+	if (ret) {
+	    krb5_free_context(context);
 	    continue;
+	}
 
 	if (strcmp (t->v5_realm, princ->realm) != 0) {
 	    printf ("wrong realm (\"%s\" should be \"%s\")"
@@ -266,15 +277,18 @@ main(int argc, char **argv)
 			    "krb5_524_conv_principal %s "
 			    "passed unexpected", printable_princ);
 		val = 1;
+		krb5_free_context(context);
 		continue;
 	    }
 	}
 	if (ret) {
 	    krb5_free_principal (context, princ);
+	    krb5_free_context(context);
 	    continue;
 	}
 
 	krb5_free_principal (context, princ);
+	krb5_free_context(context);
     }
     return val;
 }
diff --git a/crypto/heimdal/lib/krb5/net_read.c b/crypto/heimdal/lib/krb5/net_read.c
index 38ff0ea..f0fa2ce 100644
--- a/crypto/heimdal/lib/krb5/net_read.c
+++ b/crypto/heimdal/lib/krb5/net_read.c
@@ -33,9 +33,9 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: net_read.c,v 1.6 2002/08/21 09:08:06 joda Exp $");
+RCSID("$Id: net_read.c 13863 2004-05-25 21:46:46Z lha $");
 
-krb5_ssize_t
+krb5_ssize_t KRB5_LIB_FUNCTION
 krb5_net_read (krb5_context context,
 	       void *p_fd,
 	       void *buf,
diff --git a/crypto/heimdal/lib/krb5/net_write.c b/crypto/heimdal/lib/krb5/net_write.c
index 5d87b97..868015f 100644
--- a/crypto/heimdal/lib/krb5/net_write.c
+++ b/crypto/heimdal/lib/krb5/net_write.c
@@ -33,9 +33,9 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: net_write.c,v 1.7 2002/08/21 09:08:07 joda Exp $");
+RCSID("$Id: net_write.c 13863 2004-05-25 21:46:46Z lha $");
 
-krb5_ssize_t
+krb5_ssize_t KRB5_LIB_FUNCTION
 krb5_net_write (krb5_context context,
 		void *p_fd,
 		const void *buf,
@@ -45,3 +45,61 @@ krb5_net_write (krb5_context context,
 
   return net_write (fd, buf, len);
 }
+
+krb5_ssize_t KRB5_LIB_FUNCTION
+krb5_net_write_block(krb5_context context,
+		     void *p_fd,
+		     const void *buf,
+		     size_t len,
+		     time_t timeout)
+{
+  int fd = *((int *)p_fd);
+  int ret;
+  struct timeval tv, *tvp;
+  const char *cbuf = (const char *)buf;
+  size_t rem = len;
+  ssize_t count;
+  fd_set wfds;
+
+  do {
+      FD_ZERO(&wfds);
+      FD_SET(fd, &wfds);
+      
+      if (timeout != 0) {
+	  tv.tv_sec = timeout;
+	  tv.tv_usec = 0;
+	  tvp = &tv;
+      } else
+	  tvp = NULL;
+
+      ret = select(fd + 1, NULL, &wfds, NULL, tvp);
+      if (ret < 0) {
+	  if (errno == EINTR)
+	      continue;
+	  return -1;
+      } else if (ret == 0)
+	  return 0;
+      
+      if (!FD_ISSET(fd, &wfds)) {
+	  errno = ETIMEDOUT;
+	  return -1;
+      }
+
+#ifdef WIN32
+      count = send (fd, cbuf, rem, 0);
+#else
+      count = write (fd, cbuf, rem);
+#endif
+      if (count < 0) {
+	  if (errno == EINTR)
+	      continue;
+	  else
+	      return count;
+      }
+      cbuf += count;
+      rem -= count;
+
+  } while (rem > 0);
+
+  return len;
+}
diff --git a/crypto/heimdal/lib/krb5/pac.c b/crypto/heimdal/lib/krb5/pac.c
new file mode 100644
index 0000000..1b21750
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/pac.c
@@ -0,0 +1,1041 @@
+/*
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: pac.c 21934 2007-08-27 14:21:04Z lha $");
+
+struct PAC_INFO_BUFFER {
+    uint32_t type;
+    uint32_t buffersize;
+    uint32_t offset_hi;
+    uint32_t offset_lo;
+};
+
+struct PACTYPE {
+    uint32_t numbuffers;
+    uint32_t version;                         
+    struct PAC_INFO_BUFFER buffers[1];
+};
+
+struct krb5_pac_data {
+    struct PACTYPE *pac;
+    krb5_data data;
+    struct PAC_INFO_BUFFER *server_checksum;
+    struct PAC_INFO_BUFFER *privsvr_checksum;
+    struct PAC_INFO_BUFFER *logon_name;
+};
+
+#define PAC_ALIGNMENT			8
+
+#define PACTYPE_SIZE			8
+#define PAC_INFO_BUFFER_SIZE		16
+
+#define PAC_SERVER_CHECKSUM		6
+#define PAC_PRIVSVR_CHECKSUM		7
+#define PAC_LOGON_NAME			10
+#define PAC_CONSTRAINED_DELEGATION	11
+
+#define CHECK(r,f,l)						\
+	do {							\
+		if (((r) = f ) != 0) {				\
+			krb5_clear_error_string(context);	\
+			goto l;					\
+		}						\
+	} while(0)
+
+static const char zeros[PAC_ALIGNMENT] = { 0 };
+
+/*
+ *
+ */
+
+krb5_error_code
+krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
+	       krb5_pac *pac)
+{
+    krb5_error_code ret;
+    krb5_pac p;
+    krb5_storage *sp = NULL;
+    uint32_t i, tmp, tmp2, header_end;
+
+    p = calloc(1, sizeof(*p));
+    if (p == NULL) {
+	ret = ENOMEM;
+	krb5_set_error_string(context, "out of memory");
+	goto out;
+    }
+
+    sp = krb5_storage_from_readonly_mem(ptr, len);
+    if (sp == NULL) {
+	ret = ENOMEM;
+	krb5_set_error_string(context, "out of memory");
+	goto out;
+    }
+    krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+
+    CHECK(ret, krb5_ret_uint32(sp, &tmp), out);
+    CHECK(ret, krb5_ret_uint32(sp, &tmp2), out);
+    if (tmp < 1) {
+	krb5_set_error_string(context, "PAC have too few buffer");
+	ret = EINVAL; /* Too few buffers */
+	goto out;
+    }
+    if (tmp2 != 0) {
+	krb5_set_error_string(context, "PAC have wrong version");
+	ret = EINVAL; /* Wrong version */
+	goto out;
+    }
+
+    p->pac = calloc(1, 
+		    sizeof(*p->pac) + (sizeof(p->pac->buffers[0]) * (tmp - 1)));
+    if (p->pac == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	ret = ENOMEM;
+	goto out;
+    }
+
+    p->pac->numbuffers = tmp;
+    p->pac->version = tmp2;
+
+    header_end = PACTYPE_SIZE + (PAC_INFO_BUFFER_SIZE * p->pac->numbuffers);
+    if (header_end > len) {
+	ret = EINVAL;
+	goto out;
+    }
+
+    for (i = 0; i < p->pac->numbuffers; i++) {
+	CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].type), out);
+	CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].buffersize), out);
+	CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].offset_lo), out);
+	CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].offset_hi), out);
+
+	/* consistency checks */
+	if (p->pac->buffers[i].offset_lo & (PAC_ALIGNMENT - 1)) {
+	    krb5_set_error_string(context, "PAC out of allignment");
+	    ret = EINVAL;
+	    goto out;
+	}
+	if (p->pac->buffers[i].offset_hi) {
+	    krb5_set_error_string(context, "PAC high offset set");
+	    ret = EINVAL;
+	    goto out;
+	}
+	if (p->pac->buffers[i].offset_lo > len) {
+	    krb5_set_error_string(context, "PAC offset off end");
+	    ret = EINVAL;
+	    goto out;
+	}
+	if (p->pac->buffers[i].offset_lo < header_end) {
+	    krb5_set_error_string(context, "PAC offset inside header: %d %d",
+				  p->pac->buffers[i].offset_lo, header_end);
+	    ret = EINVAL;
+	    goto out;
+	}
+	if (p->pac->buffers[i].buffersize > len - p->pac->buffers[i].offset_lo){
+	    krb5_set_error_string(context, "PAC length off end");
+	    ret = EINVAL;
+	    goto out;
+	}
+
+	/* let save pointer to data we need later */
+	if (p->pac->buffers[i].type == PAC_SERVER_CHECKSUM) {
+	    if (p->server_checksum) {
+		krb5_set_error_string(context, "PAC have two server checksums");
+		ret = EINVAL;
+		goto out;
+	    }
+	    p->server_checksum = &p->pac->buffers[i];
+	} else if (p->pac->buffers[i].type == PAC_PRIVSVR_CHECKSUM) {
+	    if (p->privsvr_checksum) {
+		krb5_set_error_string(context, "PAC have two KDC checksums");
+		ret = EINVAL;
+		goto out;
+	    }
+	    p->privsvr_checksum = &p->pac->buffers[i];
+	} else if (p->pac->buffers[i].type == PAC_LOGON_NAME) {
+	    if (p->logon_name) {
+		krb5_set_error_string(context, "PAC have two logon names");
+		ret = EINVAL;
+		goto out;
+	    }
+	    p->logon_name = &p->pac->buffers[i];
+	}
+    }
+
+    ret = krb5_data_copy(&p->data, ptr, len);
+    if (ret)
+	goto out;
+
+    krb5_storage_free(sp);
+
+    *pac = p;
+    return 0;
+
+out:
+    if (sp)
+	krb5_storage_free(sp);
+    if (p) {
+	if (p->pac)
+	    free(p->pac);
+	free(p);
+    }
+    *pac = NULL;
+
+    return ret;
+}
+
+krb5_error_code
+krb5_pac_init(krb5_context context, krb5_pac *pac)
+{
+    krb5_error_code ret;
+    krb5_pac p;
+
+    p = calloc(1, sizeof(*p));
+    if (p == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+
+    p->pac = calloc(1, sizeof(*p->pac));
+    if (p->pac == NULL) {
+	free(p);
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+
+    ret = krb5_data_alloc(&p->data, PACTYPE_SIZE);
+    if (ret) {
+	free (p->pac);
+	free(p);
+	krb5_set_error_string(context, "out of memory");
+	return ret;
+    }
+
+
+    *pac = p;
+    return 0;
+}
+
+krb5_error_code
+krb5_pac_add_buffer(krb5_context context, krb5_pac p,
+		    uint32_t type, const krb5_data *data)
+{
+    krb5_error_code ret;
+    void *ptr;
+    size_t len, offset, header_end, old_end;
+    uint32_t i;
+
+    len = p->pac->numbuffers;
+
+    ptr = realloc(p->pac,
+		  sizeof(*p->pac) + (sizeof(p->pac->buffers[0]) * len));
+    if (ptr == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    p->pac = ptr;
+
+    for (i = 0; i < len; i++)
+	p->pac->buffers[i].offset_lo += PAC_INFO_BUFFER_SIZE;
+
+    offset = p->data.length + PAC_INFO_BUFFER_SIZE;
+
+    p->pac->buffers[len].type = type;
+    p->pac->buffers[len].buffersize = data->length;
+    p->pac->buffers[len].offset_lo = offset;
+    p->pac->buffers[len].offset_hi = 0;
+
+    old_end = p->data.length;
+    len = p->data.length + data->length + PAC_INFO_BUFFER_SIZE;
+    if (len < p->data.length) {
+	krb5_set_error_string(context, "integer overrun");
+	return EINVAL;
+    }
+    
+    /* align to PAC_ALIGNMENT */
+    len = ((len + PAC_ALIGNMENT - 1) / PAC_ALIGNMENT) * PAC_ALIGNMENT;
+
+    ret = krb5_data_realloc(&p->data, len);
+    if (ret) {
+	krb5_set_error_string(context, "out of memory");
+	return ret;
+    }
+
+    /* 
+     * make place for new PAC INFO BUFFER header
+     */
+    header_end = PACTYPE_SIZE + (PAC_INFO_BUFFER_SIZE * p->pac->numbuffers);
+    memmove((unsigned char *)p->data.data + header_end + PAC_INFO_BUFFER_SIZE,
+	    (unsigned char *)p->data.data + header_end ,
+	    old_end - header_end);
+    memset((unsigned char *)p->data.data + header_end, 0, PAC_INFO_BUFFER_SIZE);
+
+    /*
+     * copy in new data part
+     */
+
+    memcpy((unsigned char *)p->data.data + offset,
+	   data->data, data->length);
+    memset((unsigned char *)p->data.data + offset + data->length,
+	   0, p->data.length - offset - data->length);
+
+    p->pac->numbuffers += 1;
+
+    return 0;
+}
+
+krb5_error_code
+krb5_pac_get_buffer(krb5_context context, krb5_pac p,
+		    uint32_t type, krb5_data *data)
+{
+    krb5_error_code ret;
+    uint32_t i;
+
+    /*
+     * Hide the checksums from external consumers
+     */
+
+    if (type == PAC_PRIVSVR_CHECKSUM || type == PAC_SERVER_CHECKSUM) {
+	ret = krb5_data_alloc(data, 16);
+	if (ret) {
+	    krb5_set_error_string(context, "out of memory");
+	    return ret;
+	}
+	memset(data->data, 0, data->length);
+	return 0;
+    }
+
+    for (i = 0; i < p->pac->numbuffers; i++) {
+	size_t len = p->pac->buffers[i].buffersize;
+	size_t offset = p->pac->buffers[i].offset_lo;
+
+	if (p->pac->buffers[i].type != type)
+	    continue;
+
+	ret = krb5_data_copy(data, (unsigned char *)p->data.data + offset, len);
+	if (ret) {
+	    krb5_set_error_string(context, "Out of memory");
+	    return ret;
+	}
+	return 0;
+    }
+    krb5_set_error_string(context, "No PAC buffer of type %lu was found",
+			  (unsigned long)type);
+    return ENOENT;
+}
+
+/*
+ *
+ */
+
+krb5_error_code
+krb5_pac_get_types(krb5_context context,
+		   krb5_pac p,
+		   size_t *len,
+		   uint32_t **types)
+{
+    size_t i;
+
+    *types = calloc(p->pac->numbuffers, sizeof(*types));
+    if (*types == NULL) {
+	*len = 0;
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    for (i = 0; i < p->pac->numbuffers; i++)
+	(*types)[i] = p->pac->buffers[i].type;
+    *len = p->pac->numbuffers;
+
+    return 0;
+}
+
+/*
+ *
+ */
+
+void
+krb5_pac_free(krb5_context context, krb5_pac pac)
+{
+    krb5_data_free(&pac->data);
+    free(pac->pac);
+    free(pac);
+}
+
+/*
+ *
+ */
+
+static krb5_error_code
+verify_checksum(krb5_context context,
+		const struct PAC_INFO_BUFFER *sig,
+		const krb5_data *data,
+		void *ptr, size_t len,
+		const krb5_keyblock *key)
+{
+    krb5_crypto crypto = NULL;
+    krb5_storage *sp = NULL;
+    uint32_t type;
+    krb5_error_code ret;
+    Checksum cksum;
+
+    memset(&cksum, 0, sizeof(cksum));
+
+    sp = krb5_storage_from_mem((char *)data->data + sig->offset_lo,
+			       sig->buffersize);
+    if (sp == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+
+    CHECK(ret, krb5_ret_uint32(sp, &type), out);
+    cksum.cksumtype = type;
+    cksum.checksum.length = 
+	sig->buffersize - krb5_storage_seek(sp, 0, SEEK_CUR);
+    cksum.checksum.data = malloc(cksum.checksum.length);
+    if (cksum.checksum.data == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	ret = ENOMEM;
+	goto out;
+    }
+    ret = krb5_storage_read(sp, cksum.checksum.data, cksum.checksum.length);
+    if (ret != cksum.checksum.length) {
+	krb5_set_error_string(context, "PAC checksum missing checksum");
+	ret = EINVAL;
+	goto out;
+    }
+
+    if (!krb5_checksum_is_keyed(context, cksum.cksumtype)) {
+	krb5_set_error_string (context, "Checksum type %d not keyed",
+			       cksum.cksumtype);
+	ret = EINVAL;
+	goto out;
+    }
+
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret)
+	goto out;
+
+    ret = krb5_verify_checksum(context, crypto, KRB5_KU_OTHER_CKSUM,
+			       ptr, len, &cksum);
+    free(cksum.checksum.data);
+    krb5_crypto_destroy(context, crypto);
+    krb5_storage_free(sp);
+
+    return ret;
+
+out:
+    if (cksum.checksum.data)
+	free(cksum.checksum.data);
+    if (sp)
+	krb5_storage_free(sp);
+    if (crypto)
+	krb5_crypto_destroy(context, crypto);
+    return ret;
+}
+
+static krb5_error_code
+create_checksum(krb5_context context,
+		const krb5_keyblock *key,
+		void *data, size_t datalen,
+		void *sig, size_t siglen)
+{
+    krb5_crypto crypto = NULL;
+    krb5_error_code ret;
+    Checksum cksum;
+
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret)
+	return ret;
+
+    ret = krb5_create_checksum(context, crypto, KRB5_KU_OTHER_CKSUM, 0,
+			       data, datalen, &cksum);
+    krb5_crypto_destroy(context, crypto);
+    if (ret)
+	return ret;
+
+    if (cksum.checksum.length != siglen) {
+	krb5_set_error_string(context, "pac checksum wrong length");
+	free_Checksum(&cksum);
+	return EINVAL;
+    }
+
+    memcpy(sig, cksum.checksum.data, siglen);
+    free_Checksum(&cksum);
+
+    return 0;
+}
+
+
+/*
+ *
+ */
+
+#define NTTIME_EPOCH 0x019DB1DED53E8000LL
+
+static uint64_t
+unix2nttime(time_t unix_time)
+{
+    long long wt;
+    wt = unix_time * (uint64_t)10000000 + (uint64_t)NTTIME_EPOCH;
+    return wt;
+}
+
+static krb5_error_code
+verify_logonname(krb5_context context,
+		 const struct PAC_INFO_BUFFER *logon_name,
+		 const krb5_data *data,
+		 time_t authtime,
+		 krb5_const_principal principal)
+{
+    krb5_error_code ret;
+    krb5_principal p2;
+    uint32_t time1, time2;
+    krb5_storage *sp;
+    uint16_t len;
+    char *s;
+
+    sp = krb5_storage_from_readonly_mem((const char *)data->data + logon_name->offset_lo,
+					logon_name->buffersize);
+    if (sp == NULL) {
+	krb5_set_error_string(context, "Out of memory");
+	return ENOMEM;
+    }
+
+    krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+
+    CHECK(ret, krb5_ret_uint32(sp, &time1), out);
+    CHECK(ret, krb5_ret_uint32(sp, &time2), out);
+
+    {
+	uint64_t t1, t2;
+	t1 = unix2nttime(authtime);
+	t2 = ((uint64_t)time2 << 32) | time1;
+	if (t1 != t2) {
+	    krb5_storage_free(sp);
+	    krb5_set_error_string(context, "PAC timestamp mismatch");
+	    return EINVAL;
+	}
+    }
+    CHECK(ret, krb5_ret_uint16(sp, &len), out);
+    if (len == 0) {
+	krb5_storage_free(sp);
+	krb5_set_error_string(context, "PAC logon name length missing");
+	return EINVAL;
+    }
+
+    s = malloc(len);
+    if (s == NULL) {
+	krb5_storage_free(sp);
+	krb5_set_error_string(context, "Out of memory");
+	return ENOMEM;
+    }
+    ret = krb5_storage_read(sp, s, len);
+    if (ret != len) {
+	krb5_storage_free(sp);
+	krb5_set_error_string(context, "Failed to read pac logon name");
+	return EINVAL;
+    }
+    krb5_storage_free(sp);
+#if 1 /* cheat for now */
+    {
+	size_t i;
+
+	if (len & 1) {
+	    krb5_set_error_string(context, "PAC logon name malformed");
+	    return EINVAL;
+	}
+
+	for (i = 0; i < len / 2; i++) {
+	    if (s[(i * 2) + 1]) {
+		krb5_set_error_string(context, "PAC logon name not ASCII");
+		return EINVAL;
+	    }
+	    s[i] = s[i * 2];
+	}
+	s[i] = '\0';
+    }
+#else
+    {
+	uint16_t *ucs2;
+	ssize_t ucs2len;
+	size_t u8len;
+
+	ucs2 = malloc(sizeof(ucs2[0]) * len / 2);
+	if (ucs2)
+	    abort();
+	ucs2len = wind_ucs2read(s, len / 2, ucs2);
+	free(s);
+	if (len < 0)
+	    return -1;
+	ret = wind_ucs2toutf8(ucs2, ucs2len, NULL, &u8len);
+	if (ret < 0)
+	    abort();
+	s = malloc(u8len + 1);
+	if (s == NULL)
+	    abort();
+	wind_ucs2toutf8(ucs2, ucs2len, s, &u8len);
+	free(ucs2);
+    }
+#endif
+    ret = krb5_parse_name_flags(context, s, KRB5_PRINCIPAL_PARSE_NO_REALM, &p2);
+    free(s);
+    if (ret)
+	return ret;
+    
+    if (krb5_principal_compare_any_realm(context, principal, p2) != TRUE) {
+	krb5_set_error_string(context, "PAC logon name mismatch");
+	ret = EINVAL;
+    }
+    krb5_free_principal(context, p2);
+    return ret;
+out:
+    return ret;
+}
+
+/*
+ *
+ */
+
+static krb5_error_code
+build_logon_name(krb5_context context, 
+		 time_t authtime,
+		 krb5_const_principal principal, 
+		 krb5_data *logon)
+{
+    krb5_error_code ret;
+    krb5_storage *sp;
+    uint64_t t;
+    char *s, *s2;
+    size_t i, len;
+
+    t = unix2nttime(authtime);
+
+    krb5_data_zero(logon);
+
+    sp = krb5_storage_emem();
+    if (sp == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+
+    CHECK(ret, krb5_store_uint32(sp, t & 0xffffffff), out);
+    CHECK(ret, krb5_store_uint32(sp, t >> 32), out);
+
+    ret = krb5_unparse_name_flags(context, principal,
+				  KRB5_PRINCIPAL_UNPARSE_NO_REALM, &s);
+    if (ret)
+	goto out;
+
+    len = strlen(s);
+    
+    CHECK(ret, krb5_store_uint16(sp, len * 2), out);
+
+#if 1 /* cheat for now */
+    s2 = malloc(len * 2);
+    if (s2 == NULL) {
+	ret = ENOMEM;
+	free(s);
+	goto out;
+    }
+    for (i = 0; i < len; i++) {
+	s2[i * 2] = s[i];
+	s2[i * 2 + 1] = 0;
+    }
+    free(s);
+#else
+    /* write libwind code here */
+#endif
+
+    ret = krb5_storage_write(sp, s2, len * 2);
+    free(s2);
+    if (ret != len * 2) {
+	ret = ENOMEM;
+	goto out;
+    }
+    ret = krb5_storage_to_data(sp, logon);
+    if (ret)
+	goto out;
+    krb5_storage_free(sp);
+
+    return 0;
+out:
+    krb5_storage_free(sp);
+    return ret;
+}
+
+
+/*
+ *
+ */
+
+krb5_error_code
+krb5_pac_verify(krb5_context context, 
+		const krb5_pac pac,
+		time_t authtime,
+		krb5_const_principal principal,
+		const krb5_keyblock *server,
+		const krb5_keyblock *privsvr)
+{
+    krb5_error_code ret;
+
+    if (pac->server_checksum == NULL) {
+	krb5_set_error_string(context, "PAC missing server checksum");
+	return EINVAL;
+    }
+    if (pac->privsvr_checksum == NULL) {
+	krb5_set_error_string(context, "PAC missing kdc checksum");
+	return EINVAL;
+    }
+    if (pac->logon_name == NULL) {
+	krb5_set_error_string(context, "PAC missing logon name");
+	return EINVAL;
+    }
+
+    ret = verify_logonname(context, 
+			   pac->logon_name,
+			   &pac->data,
+			   authtime,
+			   principal);
+    if (ret)
+	return ret;
+
+    /* 
+     * in the service case, clean out data option of the privsvr and
+     * server checksum before checking the checksum.
+     */
+    {
+	krb5_data *copy;
+
+	ret = krb5_copy_data(context, &pac->data, &copy);
+	if (ret)
+	    return ret;
+
+	if (pac->server_checksum->buffersize < 4)
+	    return EINVAL;
+	if (pac->privsvr_checksum->buffersize < 4)
+	    return EINVAL;
+
+	memset((char *)copy->data + pac->server_checksum->offset_lo + 4,
+	       0,
+	       pac->server_checksum->buffersize - 4);
+
+	memset((char *)copy->data + pac->privsvr_checksum->offset_lo + 4,
+	       0,
+	       pac->privsvr_checksum->buffersize - 4);
+
+	ret = verify_checksum(context,
+			      pac->server_checksum,
+			      &pac->data,
+			      copy->data,
+			      copy->length,
+			      server);
+	krb5_free_data(context, copy);
+	if (ret)
+	    return ret;
+    }
+    if (privsvr) {
+	ret = verify_checksum(context,
+			      pac->privsvr_checksum,
+			      &pac->data,
+			      (char *)pac->data.data
+			      + pac->server_checksum->offset_lo + 4,
+			      pac->server_checksum->buffersize - 4,
+			      privsvr);
+	if (ret)
+	    return ret;
+    }
+
+    return 0;
+}
+
+/*
+ *
+ */
+
+static krb5_error_code
+fill_zeros(krb5_context context, krb5_storage *sp, size_t len)
+{
+    ssize_t sret;
+    size_t l;
+
+    while (len) {
+	l = len;
+	if (l > sizeof(zeros))
+	    l = sizeof(zeros);
+	sret = krb5_storage_write(sp, zeros, l);
+	if (sret <= 0) {
+	    krb5_set_error_string(context, "out of memory");
+	    return ENOMEM;
+	}
+	len -= sret;
+    }
+    return 0;
+}
+
+static krb5_error_code
+pac_checksum(krb5_context context, 
+	     const krb5_keyblock *key,
+	     uint32_t *cksumtype,
+	     size_t *cksumsize)
+{
+    krb5_cksumtype cktype;
+    krb5_error_code ret;
+    krb5_crypto crypto = NULL;
+
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret)
+	return ret;
+
+    ret = krb5_crypto_get_checksum_type(context, crypto, &cktype);
+    ret = krb5_crypto_destroy(context, crypto);
+    if (ret)
+	return ret;
+
+    if (krb5_checksum_is_keyed(context, cktype) == FALSE) {
+	krb5_set_error_string(context, "PAC checksum type is not keyed");
+	return EINVAL;
+    }
+
+    ret = krb5_checksumsize(context, cktype, cksumsize);
+    if (ret)
+	return ret;
+    
+    *cksumtype = (uint32_t)cktype;
+
+    return 0;
+}
+
+krb5_error_code
+_krb5_pac_sign(krb5_context context,
+	       krb5_pac p,
+	       time_t authtime,
+	       krb5_principal principal,
+	       const krb5_keyblock *server_key,
+	       const krb5_keyblock *priv_key,
+	       krb5_data *data)
+{
+    krb5_error_code ret;
+    krb5_storage *sp = NULL, *spdata = NULL;
+    uint32_t end;
+    size_t server_size, priv_size;
+    uint32_t server_offset = 0, priv_offset = 0;
+    uint32_t server_cksumtype = 0, priv_cksumtype = 0;
+    int i, num = 0;
+    krb5_data logon, d;
+
+    krb5_data_zero(&logon);
+
+    if (p->logon_name == NULL)
+	num++;
+    if (p->server_checksum == NULL)
+	num++;
+    if (p->privsvr_checksum == NULL)
+	num++;
+
+    if (num) {
+	void *ptr;
+
+	ptr = realloc(p->pac, sizeof(*p->pac) + (sizeof(p->pac->buffers[0]) * (p->pac->numbuffers + num - 1)));
+	if (ptr == NULL) {
+	    krb5_set_error_string(context, "out of memory");
+	    return ENOMEM;
+	}
+	p->pac = ptr;
+
+	if (p->logon_name == NULL) {
+	    p->logon_name = &p->pac->buffers[p->pac->numbuffers++];
+	    memset(p->logon_name, 0, sizeof(*p->logon_name));
+	    p->logon_name->type = PAC_LOGON_NAME;
+	}
+	if (p->server_checksum == NULL) {
+	    p->server_checksum = &p->pac->buffers[p->pac->numbuffers++];
+	    memset(p->server_checksum, 0, sizeof(*p->server_checksum));
+	    p->server_checksum->type = PAC_SERVER_CHECKSUM;
+	}
+	if (p->privsvr_checksum == NULL) {
+	    p->privsvr_checksum = &p->pac->buffers[p->pac->numbuffers++];
+	    memset(p->privsvr_checksum, 0, sizeof(*p->privsvr_checksum));
+	    p->privsvr_checksum->type = PAC_PRIVSVR_CHECKSUM;
+	}
+    }
+
+    /* Calculate LOGON NAME */
+    ret = build_logon_name(context, authtime, principal, &logon);
+    if (ret)
+	goto out;
+
+    /* Set lengths for checksum */
+    ret = pac_checksum(context, server_key, &server_cksumtype, &server_size);
+    if (ret)
+	goto out;
+    ret = pac_checksum(context, priv_key, &priv_cksumtype, &priv_size);
+    if (ret)
+	goto out;
+
+    /* Encode PAC */
+    sp = krb5_storage_emem();
+    if (sp == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+
+    spdata = krb5_storage_emem();
+    if (spdata == NULL) {
+	krb5_storage_free(sp);
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    krb5_storage_set_flags(spdata, KRB5_STORAGE_BYTEORDER_LE);
+
+    CHECK(ret, krb5_store_uint32(sp, p->pac->numbuffers), out);
+    CHECK(ret, krb5_store_uint32(sp, p->pac->version), out);
+
+    end = PACTYPE_SIZE + (PAC_INFO_BUFFER_SIZE * p->pac->numbuffers);
+
+    for (i = 0; i < p->pac->numbuffers; i++) {
+	uint32_t len;
+	size_t sret;
+	void *ptr = NULL;
+
+	/* store data */
+
+	if (p->pac->buffers[i].type == PAC_SERVER_CHECKSUM) {
+	    len = server_size + 4;
+	    server_offset = end + 4;
+	    CHECK(ret, krb5_store_uint32(spdata, server_cksumtype), out);
+	    CHECK(ret, fill_zeros(context, spdata, server_size), out);
+	} else if (p->pac->buffers[i].type == PAC_PRIVSVR_CHECKSUM) {
+	    len = priv_size + 4;
+	    priv_offset = end + 4;
+	    CHECK(ret, krb5_store_uint32(spdata, priv_cksumtype), out);
+	    CHECK(ret, fill_zeros(context, spdata, priv_size), out);
+	} else if (p->pac->buffers[i].type == PAC_LOGON_NAME) {
+	    len = krb5_storage_write(spdata, logon.data, logon.length);
+	    if (logon.length != len) {
+		ret = EINVAL;
+		goto out;
+	    }
+	} else {
+	    len = p->pac->buffers[i].buffersize;
+	    ptr = (char *)p->data.data + p->pac->buffers[i].offset_lo;
+
+	    sret = krb5_storage_write(spdata, ptr, len);
+	    if (sret != len) {
+		krb5_set_error_string(context, "out of memory");
+		ret = ENOMEM;
+		goto out;
+	    }
+	    /* XXX if not aligned, fill_zeros */
+	}
+
+	/* write header */
+	CHECK(ret, krb5_store_uint32(sp, p->pac->buffers[i].type), out);
+	CHECK(ret, krb5_store_uint32(sp, len), out);
+	CHECK(ret, krb5_store_uint32(sp, end), out);
+	CHECK(ret, krb5_store_uint32(sp, 0), out);
+
+	/* advance data endpointer and align */
+	{
+	    int32_t e;
+
+	    end += len;
+	    e = ((end + PAC_ALIGNMENT - 1) / PAC_ALIGNMENT) * PAC_ALIGNMENT;
+	    if (end != e) {
+		CHECK(ret, fill_zeros(context, spdata, e - end), out);
+	    }
+	    end = e;
+	}
+
+    }
+
+    /* assert (server_offset != 0 && priv_offset != 0); */
+
+    /* export PAC */
+    ret = krb5_storage_to_data(spdata, &d);
+    if (ret) {
+	krb5_set_error_string(context, "out of memory");
+	goto out;
+    }
+    ret = krb5_storage_write(sp, d.data, d.length);
+    if (ret != d.length) {
+	krb5_data_free(&d);
+	krb5_set_error_string(context, "out of memory");
+	ret = ENOMEM;
+	goto out;
+    }
+    krb5_data_free(&d);
+
+    ret = krb5_storage_to_data(sp, &d);
+    if (ret) {
+	krb5_set_error_string(context, "out of memory");
+	goto out;
+    }
+
+    /* sign */
+
+    ret = create_checksum(context, server_key,
+			  d.data, d.length,
+			  (char *)d.data + server_offset, server_size);
+    if (ret) {
+	krb5_data_free(&d);
+	goto out;
+    }
+
+    ret = create_checksum(context, priv_key,
+			  (char *)d.data + server_offset, server_size,
+			  (char *)d.data + priv_offset, priv_size);
+    if (ret) {
+	krb5_data_free(&d);
+	goto out;
+    }
+
+    /* done */
+    *data = d;
+
+    krb5_data_free(&logon);
+    krb5_storage_free(sp);
+    krb5_storage_free(spdata);
+
+    return 0;
+out:
+    krb5_data_free(&logon);
+    if (sp)
+	krb5_storage_free(sp);
+    if (spdata)
+	krb5_storage_free(spdata);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/padata.c b/crypto/heimdal/lib/krb5/padata.c
index bcf7952..b2b70f5 100644
--- a/crypto/heimdal/lib/krb5/padata.c
+++ b/crypto/heimdal/lib/krb5/padata.c
@@ -33,13 +33,34 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: padata.c,v 1.2 1999/12/02 17:05:11 joda Exp $");
+RCSID("$Id: padata.c 15469 2005-06-17 04:28:35Z lha $");
 
 PA_DATA *
-krb5_find_padata(PA_DATA *val, unsigned len, int type, int *index)
+krb5_find_padata(PA_DATA *val, unsigned len, int type, int *idx)
 {
-    for(; *index < len; (*index)++)
-	if(val[*index].padata_type == type)
-	    return val + *index;
+    for(; *idx < len; (*idx)++)
+	if(val[*idx].padata_type == type)
+	    return val + *idx;
     return NULL;    
 }
+
+int KRB5_LIB_FUNCTION
+krb5_padata_add(krb5_context context, METHOD_DATA *md,
+		int type, void *buf, size_t len)
+{
+    PA_DATA *pa;
+
+    pa = realloc (md->val, (md->len + 1) * sizeof(*md->val));
+    if (pa == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    md->val = pa;
+
+    pa[md->len].padata_type = type;
+    pa[md->len].padata_value.length = len;
+    pa[md->len].padata_value.data = buf;
+    md->len++;    
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/parse-name-test.c b/crypto/heimdal/lib/krb5/parse-name-test.c
index 29bd6bb..7e60705 100644
--- a/crypto/heimdal/lib/krb5/parse-name-test.c
+++ b/crypto/heimdal/lib/krb5/parse-name-test.c
@@ -31,8 +31,9 @@
  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
 
 #include "krb5_locl.h"
+#include <err.h>
 
-RCSID("$Id: parse-name-test.c,v 1.3.4.1 2004/03/22 19:27:36 joda Exp $");
+RCSID("$Id: parse-name-test.c 16342 2005-12-02 14:14:43Z lha $");
 
 enum { MAX_COMPONENTS = 3 };
 
@@ -62,7 +63,7 @@ static struct testcase {
     {"a/b/c", "a/b/c@", "", 3, {"a", "b", "c"}, FALSE},
     {NULL, NULL, "", 0, { NULL }, FALSE}};
 
-int
+int KRB5_LIB_FUNCTION
 main(int argc, char **argv)
 {
     struct testcase *t;
@@ -188,5 +189,6 @@ main(int argc, char **argv)
 	}
 	krb5_free_principal (context, princ);
     }
+    krb5_free_context(context);
     return val;
 }
diff --git a/crypto/heimdal/lib/krb5/pkinit.c b/crypto/heimdal/lib/krb5/pkinit.c
new file mode 100644
index 0000000..a0b6a4e
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/pkinit.c
@@ -0,0 +1,2070 @@
+/*
+ * Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: pkinit.c 22433 2008-01-13 14:11:46Z lha $");
+
+struct krb5_dh_moduli {
+    char *name;
+    unsigned long bits;
+    heim_integer p;
+    heim_integer g;
+    heim_integer q;
+};
+
+#ifdef PKINIT
+
+#include <heim_asn1.h>
+#include <rfc2459_asn1.h>
+#include <cms_asn1.h>
+#include <pkcs8_asn1.h>
+#include <pkcs9_asn1.h>
+#include <pkcs12_asn1.h>
+#include <pkinit_asn1.h>
+#include <asn1_err.h>
+
+#include <der.h>
+
+#include <hx509.h>
+
+enum {
+    COMPAT_WIN2K = 1,
+    COMPAT_IETF = 2
+};
+
+struct krb5_pk_identity {
+    hx509_context hx509ctx;
+    hx509_verify_ctx verify_ctx;
+    hx509_certs certs;
+    hx509_certs anchors;
+    hx509_certs certpool;
+    hx509_revoke_ctx revokectx;
+};
+
+struct krb5_pk_cert {
+    hx509_cert cert;
+};
+
+struct krb5_pk_init_ctx_data {
+    struct krb5_pk_identity *id;
+    DH *dh;
+    krb5_data *clientDHNonce;
+    struct krb5_dh_moduli **m;
+    hx509_peer_info peer;
+    int type;
+    unsigned int require_binding:1;
+    unsigned int require_eku:1;
+    unsigned int require_krbtgt_otherName:1;
+    unsigned int require_hostname_match:1;
+    unsigned int trustedCertifiers:1;
+};
+
+static void
+_krb5_pk_copy_error(krb5_context context,
+		    hx509_context hx509ctx,
+		    int hxret,
+		    const char *fmt,
+		    ...)
+    __attribute__ ((format (printf, 4, 5)));
+
+/*
+ *
+ */
+
+void KRB5_LIB_FUNCTION
+_krb5_pk_cert_free(struct krb5_pk_cert *cert)
+{
+    if (cert->cert) {
+	hx509_cert_free(cert->cert);
+    }
+    free(cert);
+}
+
+static krb5_error_code
+BN_to_integer(krb5_context context, BIGNUM *bn, heim_integer *integer)
+{
+    integer->length = BN_num_bytes(bn);
+    integer->data = malloc(integer->length);
+    if (integer->data == NULL) {
+	krb5_clear_error_string(context);
+	return ENOMEM;
+    }
+    BN_bn2bin(bn, integer->data);
+    integer->negative = BN_is_negative(bn);
+    return 0;
+}
+
+static BIGNUM *
+integer_to_BN(krb5_context context, const char *field, const heim_integer *f)
+{
+    BIGNUM *bn;
+
+    bn = BN_bin2bn((const unsigned char *)f->data, f->length, NULL);
+    if (bn == NULL) {
+	krb5_set_error_string(context, "PKINIT: parsing BN failed %s", field);
+	return NULL;
+    }
+    BN_set_negative(bn, f->negative);
+    return bn;
+}
+
+
+static krb5_error_code
+_krb5_pk_create_sign(krb5_context context,
+		     const heim_oid *eContentType,
+		     krb5_data *eContent,
+		     struct krb5_pk_identity *id,
+		     hx509_peer_info peer,
+		     krb5_data *sd_data)
+{
+    hx509_cert cert;
+    hx509_query *q;
+    int ret;
+
+    ret = hx509_query_alloc(id->hx509ctx, &q);
+    if (ret) {
+	_krb5_pk_copy_error(context, id->hx509ctx, ret, 
+			    "Allocate query to find signing certificate");
+	return ret;
+    }
+
+    hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
+    hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+
+    ret = hx509_certs_find(id->hx509ctx, id->certs, q, &cert);
+    hx509_query_free(id->hx509ctx, q);
+    if (ret) {
+	_krb5_pk_copy_error(context, id->hx509ctx, ret, 
+			    "Find certificate to signed CMS data");
+	return ret;
+    }
+
+    ret = hx509_cms_create_signed_1(id->hx509ctx,
+				    0,
+				    eContentType,
+				    eContent->data,
+				    eContent->length,
+				    NULL,
+				    cert,
+				    peer,
+				    NULL,
+				    id->certs,
+				    sd_data);
+    if (ret)
+	_krb5_pk_copy_error(context, id->hx509ctx, ret, "create CMS signedData");
+    hx509_cert_free(cert);
+
+    return ret;
+}
+
+static int
+cert2epi(hx509_context context, void *ctx, hx509_cert c)
+{
+    ExternalPrincipalIdentifiers *ids = ctx;
+    ExternalPrincipalIdentifier id;
+    hx509_name subject = NULL;
+    void *p;
+    int ret;
+
+    memset(&id, 0, sizeof(id));
+
+    ret = hx509_cert_get_subject(c, &subject);
+    if (ret)
+	return ret;
+
+    if (hx509_name_is_null_p(subject) != 0) {
+
+	id.subjectName = calloc(1, sizeof(*id.subjectName));
+	if (id.subjectName == NULL) {
+	    hx509_name_free(&subject);
+	    free_ExternalPrincipalIdentifier(&id);
+	    return ENOMEM;
+	}
+    
+	ret = hx509_name_binary(subject, id.subjectName);
+	if (ret) {
+	    hx509_name_free(&subject);
+	    free_ExternalPrincipalIdentifier(&id);
+	    return ret;
+	}
+    }
+    hx509_name_free(&subject);
+
+
+    id.issuerAndSerialNumber = calloc(1, sizeof(*id.issuerAndSerialNumber));
+    if (id.issuerAndSerialNumber == NULL) {
+	free_ExternalPrincipalIdentifier(&id);
+	return ENOMEM;
+    }
+
+    {
+	IssuerAndSerialNumber iasn;
+	hx509_name issuer;
+	size_t size;
+	
+	memset(&iasn, 0, sizeof(iasn));
+
+	ret = hx509_cert_get_issuer(c, &issuer);
+	if (ret) {
+	    free_ExternalPrincipalIdentifier(&id);
+	    return ret;
+	}
+
+	ret = hx509_name_to_Name(issuer, &iasn.issuer);
+	hx509_name_free(&issuer);
+	if (ret) {
+	    free_ExternalPrincipalIdentifier(&id);
+	    return ret;
+	}
+	
+	ret = hx509_cert_get_serialnumber(c, &iasn.serialNumber);
+	if (ret) {
+	    free_IssuerAndSerialNumber(&iasn);
+	    free_ExternalPrincipalIdentifier(&id);
+	    return ret;
+	}
+
+	ASN1_MALLOC_ENCODE(IssuerAndSerialNumber,
+			   id.issuerAndSerialNumber->data, 
+			   id.issuerAndSerialNumber->length,
+			   &iasn, &size, ret);
+	free_IssuerAndSerialNumber(&iasn);
+	if (ret)
+	    return ret;
+	if (id.issuerAndSerialNumber->length != size)
+	    abort();
+    }
+
+    id.subjectKeyIdentifier = NULL;
+
+    p = realloc(ids->val, sizeof(ids->val[0]) * (ids->len + 1)); 
+    if (p == NULL) {
+	free_ExternalPrincipalIdentifier(&id);
+	return ENOMEM;
+    }
+
+    ids->val = p;
+    ids->val[ids->len] = id;
+    ids->len++;
+
+    return 0;
+}
+
+static krb5_error_code
+build_edi(krb5_context context,
+	  hx509_context hx509ctx,
+	  hx509_certs certs,
+	  ExternalPrincipalIdentifiers *ids)
+{
+    return hx509_certs_iter(hx509ctx, certs, cert2epi, ids);
+}
+
+static krb5_error_code
+build_auth_pack(krb5_context context,
+		unsigned nonce,
+		krb5_pk_init_ctx ctx,
+		DH *dh,
+		const KDC_REQ_BODY *body,
+		AuthPack *a)
+{
+    size_t buf_size, len;
+    krb5_error_code ret;
+    void *buf;
+    krb5_timestamp sec;
+    int32_t usec;
+    Checksum checksum;
+
+    krb5_clear_error_string(context);
+
+    memset(&checksum, 0, sizeof(checksum));
+
+    krb5_us_timeofday(context, &sec, &usec);
+    a->pkAuthenticator.ctime = sec;
+    a->pkAuthenticator.nonce = nonce;
+
+    ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, body, &len, ret);
+    if (ret)
+	return ret;
+    if (buf_size != len)
+	krb5_abortx(context, "internal error in ASN.1 encoder");
+
+    ret = krb5_create_checksum(context,
+			       NULL,
+			       0,
+			       CKSUMTYPE_SHA1,
+			       buf,
+			       len,
+			       &checksum);
+    free(buf);
+    if (ret) 
+	return ret;
+
+    ALLOC(a->pkAuthenticator.paChecksum, 1);
+    if (a->pkAuthenticator.paChecksum == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+
+    ret = krb5_data_copy(a->pkAuthenticator.paChecksum,
+			 checksum.checksum.data, checksum.checksum.length);
+    free_Checksum(&checksum);
+    if (ret)
+	return ret;
+
+    if (dh) {
+	DomainParameters dp;
+	heim_integer dh_pub_key;
+	krb5_data dhbuf;
+	size_t size;
+
+	if (1 /* support_cached_dh */) {
+	    ALLOC(a->clientDHNonce, 1);
+	    if (a->clientDHNonce == NULL) {
+		krb5_clear_error_string(context);
+		return ENOMEM;
+	    }
+	    ret = krb5_data_alloc(a->clientDHNonce, 40);
+	    if (a->clientDHNonce == NULL) {
+		krb5_clear_error_string(context);
+		return ENOMEM;
+	    }
+	    memset(a->clientDHNonce->data, 0, a->clientDHNonce->length);
+	    ret = krb5_copy_data(context, a->clientDHNonce, 
+				 &ctx->clientDHNonce);
+	    if (ret)
+		return ret;
+	}
+
+	ALLOC(a->clientPublicValue, 1);
+	if (a->clientPublicValue == NULL)
+	    return ENOMEM;
+	ret = der_copy_oid(oid_id_dhpublicnumber(),
+			   &a->clientPublicValue->algorithm.algorithm);
+	if (ret)
+	    return ret;
+	
+	memset(&dp, 0, sizeof(dp));
+
+	ret = BN_to_integer(context, dh->p, &dp.p);
+	if (ret) {
+	    free_DomainParameters(&dp);
+	    return ret;
+	}
+	ret = BN_to_integer(context, dh->g, &dp.g);
+	if (ret) {
+	    free_DomainParameters(&dp);
+	    return ret;
+	}
+	ret = BN_to_integer(context, dh->q, &dp.q);
+	if (ret) {
+	    free_DomainParameters(&dp);
+	    return ret;
+	}
+	dp.j = NULL;
+	dp.validationParms = NULL;
+
+	a->clientPublicValue->algorithm.parameters = 
+	    malloc(sizeof(*a->clientPublicValue->algorithm.parameters));
+	if (a->clientPublicValue->algorithm.parameters == NULL) {
+	    free_DomainParameters(&dp);
+	    return ret;
+	}
+
+	ASN1_MALLOC_ENCODE(DomainParameters,
+			   a->clientPublicValue->algorithm.parameters->data,
+			   a->clientPublicValue->algorithm.parameters->length,
+			   &dp, &size, ret);
+	free_DomainParameters(&dp);
+	if (ret)
+	    return ret;
+	if (size != a->clientPublicValue->algorithm.parameters->length)
+	    krb5_abortx(context, "Internal ASN1 encoder error");
+
+	ret = BN_to_integer(context, dh->pub_key, &dh_pub_key);
+	if (ret)
+	    return ret;
+
+	ASN1_MALLOC_ENCODE(DHPublicKey, dhbuf.data, dhbuf.length,
+			   &dh_pub_key, &size, ret);
+	der_free_heim_integer(&dh_pub_key);
+	if (ret)
+	    return ret;
+	if (size != dhbuf.length)
+	    krb5_abortx(context, "asn1 internal error");
+
+	a->clientPublicValue->subjectPublicKey.length = dhbuf.length * 8;
+	a->clientPublicValue->subjectPublicKey.data = dhbuf.data;
+    }
+
+    {
+	a->supportedCMSTypes = calloc(1, sizeof(*a->supportedCMSTypes));
+	if (a->supportedCMSTypes == NULL)
+	    return ENOMEM;
+
+	ret = hx509_crypto_available(ctx->id->hx509ctx, HX509_SELECT_ALL, NULL,
+				     &a->supportedCMSTypes->val,
+				     &a->supportedCMSTypes->len);
+	if (ret)
+	    return ret;
+    }
+
+    return ret;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_pk_mk_ContentInfo(krb5_context context,
+			const krb5_data *buf, 
+			const heim_oid *oid,
+			struct ContentInfo *content_info)
+{
+    krb5_error_code ret;
+
+    ret = der_copy_oid(oid, &content_info->contentType);
+    if (ret)
+	return ret;
+    ALLOC(content_info->content, 1);
+    if (content_info->content == NULL)
+	return ENOMEM;
+    content_info->content->data = malloc(buf->length);
+    if (content_info->content->data == NULL)
+	return ENOMEM;
+    memcpy(content_info->content->data, buf->data, buf->length);
+    content_info->content->length = buf->length;
+    return 0;
+}
+
+static krb5_error_code
+pk_mk_padata(krb5_context context,
+	     krb5_pk_init_ctx ctx,
+	     const KDC_REQ_BODY *req_body,
+	     unsigned nonce,
+	     METHOD_DATA *md)
+{
+    struct ContentInfo content_info;
+    krb5_error_code ret;
+    const heim_oid *oid;
+    size_t size;
+    krb5_data buf, sd_buf;
+    int pa_type;
+
+    krb5_data_zero(&buf);
+    krb5_data_zero(&sd_buf);
+    memset(&content_info, 0, sizeof(content_info));
+
+    if (ctx->type == COMPAT_WIN2K) {
+	AuthPack_Win2k ap;
+	krb5_timestamp sec;
+	int32_t usec;
+
+	memset(&ap, 0, sizeof(ap));
+
+	/* fill in PKAuthenticator */
+	ret = copy_PrincipalName(req_body->sname, &ap.pkAuthenticator.kdcName);
+	if (ret) {
+	    free_AuthPack_Win2k(&ap);
+	    krb5_clear_error_string(context);
+	    goto out;
+	}
+	ret = copy_Realm(&req_body->realm, &ap.pkAuthenticator.kdcRealm);
+	if (ret) {
+	    free_AuthPack_Win2k(&ap);
+	    krb5_clear_error_string(context);
+	    goto out;
+	}
+
+	krb5_us_timeofday(context, &sec, &usec);
+	ap.pkAuthenticator.ctime = sec;
+	ap.pkAuthenticator.cusec = usec;
+	ap.pkAuthenticator.nonce = nonce;
+
+	ASN1_MALLOC_ENCODE(AuthPack_Win2k, buf.data, buf.length,
+			   &ap, &size, ret);
+	free_AuthPack_Win2k(&ap);
+	if (ret) {
+	    krb5_set_error_string(context, "AuthPack_Win2k: %d", ret);
+	    goto out;
+	}
+	if (buf.length != size)
+	    krb5_abortx(context, "internal ASN1 encoder error");
+
+	oid = oid_id_pkcs7_data();
+    } else if (ctx->type == COMPAT_IETF) {
+	AuthPack ap;
+	
+	memset(&ap, 0, sizeof(ap));
+
+	ret = build_auth_pack(context, nonce, ctx, ctx->dh, req_body, &ap);
+	if (ret) {
+	    free_AuthPack(&ap);
+	    goto out;
+	}
+
+	ASN1_MALLOC_ENCODE(AuthPack, buf.data, buf.length, &ap, &size, ret);
+	free_AuthPack(&ap);
+	if (ret) {
+	    krb5_set_error_string(context, "AuthPack: %d", ret);
+	    goto out;
+	}
+	if (buf.length != size)
+	    krb5_abortx(context, "internal ASN1 encoder error");
+
+	oid = oid_id_pkauthdata();
+    } else
+	krb5_abortx(context, "internal pkinit error");
+
+    ret = _krb5_pk_create_sign(context,
+			       oid,
+			       &buf,
+			       ctx->id,
+			       ctx->peer,
+			       &sd_buf);
+    krb5_data_free(&buf);
+    if (ret)
+	goto out;
+
+    ret = hx509_cms_wrap_ContentInfo(oid_id_pkcs7_signedData(), &sd_buf, &buf);
+    krb5_data_free(&sd_buf);
+    if (ret) {
+	krb5_set_error_string(context,
+			      "ContentInfo wrapping of signedData failed");
+	goto out;
+    }
+
+    if (ctx->type == COMPAT_WIN2K) {
+	PA_PK_AS_REQ_Win2k winreq;
+
+	pa_type = KRB5_PADATA_PK_AS_REQ_WIN;
+
+	memset(&winreq, 0, sizeof(winreq));
+
+	winreq.signed_auth_pack = buf;
+
+	ASN1_MALLOC_ENCODE(PA_PK_AS_REQ_Win2k, buf.data, buf.length,
+			   &winreq, &size, ret);
+	free_PA_PK_AS_REQ_Win2k(&winreq);
+
+    } else if (ctx->type == COMPAT_IETF) {
+	PA_PK_AS_REQ req;
+
+	pa_type = KRB5_PADATA_PK_AS_REQ;
+
+	memset(&req, 0, sizeof(req));
+	req.signedAuthPack = buf;	
+
+	if (ctx->trustedCertifiers) {
+
+	    req.trustedCertifiers = calloc(1, sizeof(*req.trustedCertifiers));
+	    if (req.trustedCertifiers == NULL) {
+		krb5_set_error_string(context, "malloc: out of memory");
+		free_PA_PK_AS_REQ(&req);
+		goto out;
+	    }
+	    ret = build_edi(context, ctx->id->hx509ctx, 
+			    ctx->id->anchors, req.trustedCertifiers);
+	    if (ret) {
+		krb5_set_error_string(context, "pk-init: failed to build trustedCertifiers");
+		free_PA_PK_AS_REQ(&req);
+		goto out;
+	    }
+	}
+	req.kdcPkId = NULL;
+
+	ASN1_MALLOC_ENCODE(PA_PK_AS_REQ, buf.data, buf.length,
+			   &req, &size, ret);
+
+	free_PA_PK_AS_REQ(&req);
+
+    } else
+	krb5_abortx(context, "internal pkinit error");
+    if (ret) {
+	krb5_set_error_string(context, "PA-PK-AS-REQ %d", ret);
+	goto out;
+    }
+    if (buf.length != size)
+	krb5_abortx(context, "Internal ASN1 encoder error");
+
+    ret = krb5_padata_add(context, md, pa_type, buf.data, buf.length);
+    if (ret)
+	free(buf.data);
+
+    if (ret == 0 && ctx->type == COMPAT_WIN2K)
+	krb5_padata_add(context, md, KRB5_PADATA_PK_AS_09_BINDING, NULL, 0);
+
+out:
+    free_ContentInfo(&content_info);
+
+    return ret;
+}
+
+
+krb5_error_code KRB5_LIB_FUNCTION 
+_krb5_pk_mk_padata(krb5_context context,
+		   void *c,
+		   const KDC_REQ_BODY *req_body,
+		   unsigned nonce,
+		   METHOD_DATA *md)
+{
+    krb5_pk_init_ctx ctx = c;
+    int win2k_compat;
+
+    win2k_compat = krb5_config_get_bool_default(context, NULL,
+						FALSE,
+						"realms",
+						req_body->realm,
+						"pkinit_win2k",
+						NULL);
+
+    if (win2k_compat) {
+	ctx->require_binding = 
+	    krb5_config_get_bool_default(context, NULL,
+					 FALSE,
+					 "realms",
+					 req_body->realm,
+					 "pkinit_win2k_require_binding",
+					 NULL);
+	ctx->type = COMPAT_WIN2K;
+    } else
+	ctx->type = COMPAT_IETF;
+
+    ctx->require_eku = 
+	krb5_config_get_bool_default(context, NULL,
+				     TRUE,
+				     "realms",
+				     req_body->realm,
+				     "pkinit_require_eku",
+				     NULL);
+    ctx->require_krbtgt_otherName = 
+	krb5_config_get_bool_default(context, NULL,
+				     TRUE,
+				     "realms",
+				     req_body->realm,
+				     "pkinit_require_krbtgt_otherName",
+				     NULL);
+
+    ctx->require_hostname_match = 
+	krb5_config_get_bool_default(context, NULL,
+				     FALSE,
+				     "realms",
+				     req_body->realm,
+				     "pkinit_require_hostname_match",
+				     NULL);
+
+    ctx->trustedCertifiers = 
+	krb5_config_get_bool_default(context, NULL,
+				     TRUE,
+				     "realms",
+				     req_body->realm,
+				     "pkinit_trustedCertifiers",
+				     NULL);
+
+    return pk_mk_padata(context, ctx, req_body, nonce, md);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_pk_verify_sign(krb5_context context,
+		     const void *data,
+		     size_t length,
+		     struct krb5_pk_identity *id,
+		     heim_oid *contentType,
+		     krb5_data *content,
+		     struct krb5_pk_cert **signer)
+{
+    hx509_certs signer_certs;
+    int ret;
+
+    *signer = NULL;
+
+    ret = hx509_cms_verify_signed(id->hx509ctx,
+				  id->verify_ctx,
+				  data,
+				  length,
+				  NULL,
+				  id->certpool,
+				  contentType,
+				  content,
+				  &signer_certs);
+    if (ret) {
+	_krb5_pk_copy_error(context, id->hx509ctx, ret,
+			    "CMS verify signed failed");
+	return ret;
+    }
+
+    *signer = calloc(1, sizeof(**signer));
+    if (*signer == NULL) {
+	krb5_clear_error_string(context);
+	ret = ENOMEM;
+	goto out;
+    }
+	
+    ret = hx509_get_one_cert(id->hx509ctx, signer_certs, &(*signer)->cert);
+    if (ret) {
+	_krb5_pk_copy_error(context, id->hx509ctx, ret,
+			    "Failed to get on of the signer certs");
+	goto out;
+    }
+
+out:
+    hx509_certs_free(&signer_certs);
+    if (ret) {
+	if (*signer) {
+	    hx509_cert_free((*signer)->cert);
+	    free(*signer);
+	    *signer = NULL;
+	}
+    }
+
+    return ret;
+}
+
+static krb5_error_code
+get_reply_key_win(krb5_context context,
+		  const krb5_data *content,
+		  unsigned nonce,
+		  krb5_keyblock **key)
+{
+    ReplyKeyPack_Win2k key_pack;
+    krb5_error_code ret;
+    size_t size;
+
+    ret = decode_ReplyKeyPack_Win2k(content->data,
+				    content->length,
+				    &key_pack,
+				    &size);
+    if (ret) {
+	krb5_set_error_string(context, "PKINIT decoding reply key failed");
+	free_ReplyKeyPack_Win2k(&key_pack);
+	return ret;
+    }
+     
+    if (key_pack.nonce != nonce) {
+	krb5_set_error_string(context, "PKINIT enckey nonce is wrong");
+	free_ReplyKeyPack_Win2k(&key_pack);
+	return KRB5KRB_AP_ERR_MODIFIED;
+    }
+
+    *key = malloc (sizeof (**key));
+    if (*key == NULL) {
+	krb5_set_error_string(context, "PKINIT failed allocating reply key");
+	free_ReplyKeyPack_Win2k(&key_pack);
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+
+    ret = copy_EncryptionKey(&key_pack.replyKey, *key);
+    free_ReplyKeyPack_Win2k(&key_pack);
+    if (ret) {
+	krb5_set_error_string(context, "PKINIT failed copying reply key");
+	free(*key);
+	*key = NULL;
+    }
+
+    return ret;
+}
+
+static krb5_error_code
+get_reply_key(krb5_context context,
+	      const krb5_data *content,
+	      const krb5_data *req_buffer,
+	      krb5_keyblock **key)
+{
+    ReplyKeyPack key_pack;
+    krb5_error_code ret;
+    size_t size;
+
+    ret = decode_ReplyKeyPack(content->data,
+			      content->length,
+			      &key_pack,
+			      &size);
+    if (ret) {
+	krb5_set_error_string(context, "PKINIT decoding reply key failed");
+	free_ReplyKeyPack(&key_pack);
+	return ret;
+    }
+    
+    {
+	krb5_crypto crypto;
+
+	/* 
+	 * XXX Verify kp.replyKey is a allowed enctype in the
+	 * configuration file
+	 */
+
+	ret = krb5_crypto_init(context, &key_pack.replyKey, 0, &crypto);
+	if (ret) {
+	    free_ReplyKeyPack(&key_pack);
+	    return ret;
+	}
+
+	ret = krb5_verify_checksum(context, crypto, 6,
+				   req_buffer->data, req_buffer->length,
+				   &key_pack.asChecksum);
+	krb5_crypto_destroy(context, crypto);
+	if (ret) {
+	    free_ReplyKeyPack(&key_pack);
+	    return ret;
+	}
+    }
+
+    *key = malloc (sizeof (**key));
+    if (*key == NULL) {
+	krb5_set_error_string(context, "PKINIT failed allocating reply key");
+	free_ReplyKeyPack(&key_pack);
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+
+    ret = copy_EncryptionKey(&key_pack.replyKey, *key);
+    free_ReplyKeyPack(&key_pack);
+    if (ret) {
+	krb5_set_error_string(context, "PKINIT failed copying reply key");
+	free(*key);
+	*key = NULL;
+    }
+
+    return ret;
+}
+
+
+static krb5_error_code
+pk_verify_host(krb5_context context,
+	       const char *realm,
+	       const krb5_krbhst_info *hi,
+	       struct krb5_pk_init_ctx_data *ctx,
+	       struct krb5_pk_cert *host)
+{
+    krb5_error_code ret = 0;
+
+    if (ctx->require_eku) {
+	ret = hx509_cert_check_eku(ctx->id->hx509ctx, host->cert,
+				   oid_id_pkkdcekuoid(), 0);
+	if (ret) {
+	    krb5_set_error_string(context, "No PK-INIT KDC EKU in kdc certificate");
+	    return ret;
+	}
+    }
+    if (ctx->require_krbtgt_otherName) {
+	hx509_octet_string_list list;
+	int i;
+
+	ret = hx509_cert_find_subjectAltName_otherName(ctx->id->hx509ctx,
+						       host->cert,
+						       oid_id_pkinit_san(),
+						       &list);
+	if (ret) {
+	    krb5_set_error_string(context, "Failed to find the PK-INIT "
+				  "subjectAltName in the KDC certificate");
+
+	    return ret;
+	}
+
+	for (i = 0; i < list.len; i++) {
+	    KRB5PrincipalName r;
+
+	    ret = decode_KRB5PrincipalName(list.val[i].data,
+					   list.val[i].length,
+					   &r,
+					   NULL);
+	    if (ret) {
+		krb5_set_error_string(context, "Failed to decode the PK-INIT "
+				      "subjectAltName in the KDC certificate");
+
+		break;
+	    }
+
+	    if (r.principalName.name_string.len != 2 ||
+		strcmp(r.principalName.name_string.val[0], KRB5_TGS_NAME) != 0 ||
+		strcmp(r.principalName.name_string.val[1], realm) != 0 ||
+		strcmp(r.realm, realm) != 0)
+	    {
+		krb5_set_error_string(context, "KDC have wrong realm name in "
+				      "the certificate");
+		ret = KRB5_KDC_ERR_INVALID_CERTIFICATE;
+	    }
+
+	    free_KRB5PrincipalName(&r);
+	    if (ret)
+		break;
+	}
+	hx509_free_octet_string_list(&list);
+    }
+    if (ret)
+	return ret;
+    
+    if (hi) {
+	ret = hx509_verify_hostname(ctx->id->hx509ctx, host->cert, 
+				    ctx->require_hostname_match,
+				    HX509_HN_HOSTNAME,
+				    hi->hostname,
+				    hi->ai->ai_addr, hi->ai->ai_addrlen);
+
+	if (ret)
+	    krb5_set_error_string(context, "Address mismatch in "
+				  "the KDC certificate");
+    }
+    return ret;
+}
+
+static krb5_error_code
+pk_rd_pa_reply_enckey(krb5_context context,
+		      int type,
+		      const heim_octet_string *indata,
+		      const heim_oid *dataType,
+		      const char *realm,
+		      krb5_pk_init_ctx ctx,
+		      krb5_enctype etype,
+		      const krb5_krbhst_info *hi,
+	       	      unsigned nonce,
+		      const krb5_data *req_buffer,
+	       	      PA_DATA *pa,
+	       	      krb5_keyblock **key) 
+{
+    krb5_error_code ret;
+    struct krb5_pk_cert *host = NULL;
+    krb5_data content;
+    heim_oid contentType = { 0, NULL };
+
+    if (der_heim_oid_cmp(oid_id_pkcs7_envelopedData(), dataType)) {
+	krb5_set_error_string(context, "PKINIT: Invalid content type");
+	return EINVAL;
+    }
+
+    ret = hx509_cms_unenvelope(ctx->id->hx509ctx,
+			       ctx->id->certs,
+			       HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT,
+			       indata->data,
+			       indata->length,
+			       NULL,
+			       &contentType,
+			       &content);
+    if (ret) {
+	_krb5_pk_copy_error(context, ctx->id->hx509ctx, ret,
+			    "Failed to unenvelope CMS data in PK-INIT reply");
+	return ret;
+    }
+    der_free_oid(&contentType);
+
+#if 0 /* windows LH with interesting CMS packets, leaks memory */
+    {
+	size_t ph = 1 + der_length_len (length);
+	unsigned char *ptr = malloc(length + ph);
+	size_t l;
+
+	memcpy(ptr + ph, p, length);
+
+	ret = der_put_length_and_tag (ptr + ph - 1, ph, length,
+				      ASN1_C_UNIV, CONS, UT_Sequence, &l);
+	if (ret)
+	    return ret;
+	ptr += ph - l;
+	length += l;
+	p = ptr;
+    }
+#endif
+
+    /* win2k uses ContentInfo */
+    if (type == COMPAT_WIN2K) {
+	heim_oid type;
+	heim_octet_string out;
+
+	ret = hx509_cms_unwrap_ContentInfo(&content, &type, &out, NULL);
+	if (der_heim_oid_cmp(&type, oid_id_pkcs7_signedData())) {
+	    ret = EINVAL; /* XXX */
+	    krb5_set_error_string(context, "PKINIT: Invalid content type");
+	    der_free_oid(&type);
+	    der_free_octet_string(&out);
+	    goto out;
+	}
+	der_free_oid(&type);
+	krb5_data_free(&content);
+	ret = krb5_data_copy(&content, out.data, out.length);
+	der_free_octet_string(&out);
+	if (ret) {
+	    krb5_set_error_string(context, "PKINIT: out of memory");
+	    goto out;
+	}
+    }
+
+    ret = _krb5_pk_verify_sign(context, 
+			       content.data,
+			       content.length,
+			       ctx->id,
+			       &contentType,
+			       &content,
+			       &host);
+    if (ret)
+	goto out;
+
+    /* make sure that it is the kdc's certificate */
+    ret = pk_verify_host(context, realm, hi, ctx, host);
+    if (ret) {
+	goto out;
+    }
+
+#if 0
+    if (type == COMPAT_WIN2K) {
+	if (der_heim_oid_cmp(&contentType, oid_id_pkcs7_data()) != 0) {
+	    krb5_set_error_string(context, "PKINIT: reply key, wrong oid");
+	    ret = KRB5KRB_AP_ERR_MSG_TYPE;
+	    goto out;
+	}
+    } else {
+	if (der_heim_oid_cmp(&contentType, oid_id_pkrkeydata()) != 0) {
+	    krb5_set_error_string(context, "PKINIT: reply key, wrong oid");
+	    ret = KRB5KRB_AP_ERR_MSG_TYPE;
+	    goto out;
+	}
+    }
+#endif
+
+    switch(type) {
+    case COMPAT_WIN2K:
+	ret = get_reply_key(context, &content, req_buffer, key);
+	if (ret != 0 && ctx->require_binding == 0)
+	    ret = get_reply_key_win(context, &content, nonce, key);
+	break;
+    case COMPAT_IETF:
+	ret = get_reply_key(context, &content, req_buffer, key);
+	break;
+    }
+    if (ret)
+	goto out;
+
+    /* XXX compare given etype with key->etype */
+
+ out:
+    if (host)
+	_krb5_pk_cert_free(host);
+    der_free_oid(&contentType);
+    krb5_data_free(&content);
+
+    return ret;
+}
+
+static krb5_error_code
+pk_rd_pa_reply_dh(krb5_context context,
+		  const heim_octet_string *indata,
+		  const heim_oid *dataType,
+		  const char *realm,
+		  krb5_pk_init_ctx ctx,
+		  krb5_enctype etype,
+		  const krb5_krbhst_info *hi,
+		  const DHNonce *c_n,
+		  const DHNonce *k_n,
+                  unsigned nonce,
+                  PA_DATA *pa,
+                  krb5_keyblock **key)
+{
+    unsigned char *p, *dh_gen_key = NULL;
+    struct krb5_pk_cert *host = NULL;
+    BIGNUM *kdc_dh_pubkey = NULL;
+    KDCDHKeyInfo kdc_dh_info;
+    heim_oid contentType = { 0, NULL };
+    krb5_data content;
+    krb5_error_code ret;
+    int dh_gen_keylen;
+    size_t size;
+
+    krb5_data_zero(&content);
+    memset(&kdc_dh_info, 0, sizeof(kdc_dh_info));
+
+    if (der_heim_oid_cmp(oid_id_pkcs7_signedData(), dataType)) {
+	krb5_set_error_string(context, "PKINIT: Invalid content type");
+	return EINVAL;
+    }
+
+    ret = _krb5_pk_verify_sign(context, 
+			       indata->data,
+			       indata->length,
+			       ctx->id,
+			       &contentType,
+			       &content,
+			       &host);
+    if (ret)
+	goto out;
+
+    /* make sure that it is the kdc's certificate */
+    ret = pk_verify_host(context, realm, hi, ctx, host);
+    if (ret)
+	goto out;
+
+    if (der_heim_oid_cmp(&contentType, oid_id_pkdhkeydata())) {
+	krb5_set_error_string(context, "pkinit - dh reply contains wrong oid");
+	ret = KRB5KRB_AP_ERR_MSG_TYPE;
+	goto out;
+    }
+
+    ret = decode_KDCDHKeyInfo(content.data,
+			      content.length,
+			      &kdc_dh_info,
+			      &size);
+
+    if (ret) {
+	krb5_set_error_string(context, "pkinit - "
+			      "failed to decode KDC DH Key Info");
+	goto out;
+    }
+
+    if (kdc_dh_info.nonce != nonce) {
+	krb5_set_error_string(context, "PKINIT: DH nonce is wrong");
+	ret = KRB5KRB_AP_ERR_MODIFIED;
+	goto out;
+    }
+
+    if (kdc_dh_info.dhKeyExpiration) {
+	if (k_n == NULL) {
+	    krb5_set_error_string(context, "pkinit; got key expiration "
+				  "without server nonce");
+	    ret = KRB5KRB_ERR_GENERIC;
+	    goto out;
+	}
+	if (c_n == NULL) {
+	    krb5_set_error_string(context, "pkinit; got DH reuse but no "
+				  "client nonce");
+	    ret = KRB5KRB_ERR_GENERIC;
+	    goto out;
+	}
+    } else {
+	if (k_n) {
+	    krb5_set_error_string(context, "pkinit: got server nonce "
+				  "without key expiration");
+	    ret = KRB5KRB_ERR_GENERIC;
+	    goto out;
+	}
+	c_n = NULL;
+    }
+
+
+    p = kdc_dh_info.subjectPublicKey.data;
+    size = (kdc_dh_info.subjectPublicKey.length + 7) / 8;
+
+    {
+	DHPublicKey k;
+	ret = decode_DHPublicKey(p, size, &k, NULL);
+	if (ret) {
+	    krb5_set_error_string(context, "pkinit: can't decode "
+				  "without key expiration");
+	    goto out;
+	}
+
+	kdc_dh_pubkey = integer_to_BN(context, "DHPublicKey", &k);
+	free_DHPublicKey(&k);
+	if (kdc_dh_pubkey == NULL) {
+	    ret = KRB5KRB_ERR_GENERIC;
+	    goto out;
+	}
+    }
+    
+    dh_gen_keylen = DH_size(ctx->dh);
+    size = BN_num_bytes(ctx->dh->p);
+    if (size < dh_gen_keylen)
+	size = dh_gen_keylen;
+
+    dh_gen_key = malloc(size);
+    if (dh_gen_key == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	ret = ENOMEM;
+	goto out;
+    }
+    memset(dh_gen_key, 0, size - dh_gen_keylen);
+
+    dh_gen_keylen = DH_compute_key(dh_gen_key + (size - dh_gen_keylen),
+				   kdc_dh_pubkey, ctx->dh);
+    if (dh_gen_keylen == -1) {
+	krb5_set_error_string(context, 
+			      "PKINIT: Can't compute Diffie-Hellman key");
+	ret = KRB5KRB_ERR_GENERIC;
+	goto out;
+    }
+
+    *key = malloc (sizeof (**key));
+    if (*key == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	ret = ENOMEM;
+	goto out;
+    }
+
+    ret = _krb5_pk_octetstring2key(context,
+				   etype,
+				   dh_gen_key, dh_gen_keylen,
+				   c_n, k_n,
+				   *key);
+    if (ret) {
+	krb5_set_error_string(context,
+			      "PKINIT: can't create key from DH key");
+	free(*key);
+	*key = NULL;
+	goto out;
+    }
+
+ out:
+    if (kdc_dh_pubkey)
+	BN_free(kdc_dh_pubkey);
+    if (dh_gen_key) {
+	memset(dh_gen_key, 0, DH_size(ctx->dh));
+	free(dh_gen_key);
+    }
+    if (host)
+	_krb5_pk_cert_free(host);
+    if (content.data)
+	krb5_data_free(&content);
+    der_free_oid(&contentType);
+    free_KDCDHKeyInfo(&kdc_dh_info);
+
+    return ret;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_pk_rd_pa_reply(krb5_context context,
+		     const char *realm,
+		     void *c,
+		     krb5_enctype etype,
+		     const krb5_krbhst_info *hi,
+		     unsigned nonce,
+		     const krb5_data *req_buffer,
+		     PA_DATA *pa,
+		     krb5_keyblock **key)
+{
+    krb5_pk_init_ctx ctx = c;
+    krb5_error_code ret;
+    size_t size;
+
+    /* Check for IETF PK-INIT first */
+    if (ctx->type == COMPAT_IETF) {
+	PA_PK_AS_REP rep;
+	heim_octet_string os, data;
+	heim_oid oid;
+	
+	if (pa->padata_type != KRB5_PADATA_PK_AS_REP) {
+	    krb5_set_error_string(context, "PKINIT: wrong padata recv");
+	    return EINVAL;
+	}
+
+	ret = decode_PA_PK_AS_REP(pa->padata_value.data,
+				  pa->padata_value.length,
+				  &rep,
+				  &size);
+	if (ret) {
+	    krb5_set_error_string(context, "Failed to decode pkinit AS rep");
+	    return ret;
+	}
+
+	switch (rep.element) {
+	case choice_PA_PK_AS_REP_dhInfo:
+	    os = rep.u.dhInfo.dhSignedData;
+	    break;
+	case choice_PA_PK_AS_REP_encKeyPack:
+	    os = rep.u.encKeyPack;
+	    break;
+	default:
+	    free_PA_PK_AS_REP(&rep);
+	    krb5_set_error_string(context, "PKINIT: -27 reply "
+				  "invalid content type");
+	    return EINVAL;
+	}
+
+	ret = hx509_cms_unwrap_ContentInfo(&os, &oid, &data, NULL);
+	if (ret) {
+	    free_PA_PK_AS_REP(&rep);
+	    krb5_set_error_string(context, "PKINIT: failed to unwrap CI");
+	    return ret;
+	}
+
+	switch (rep.element) {
+	case choice_PA_PK_AS_REP_dhInfo:
+	    ret = pk_rd_pa_reply_dh(context, &data, &oid, realm, ctx, etype, hi,
+				    ctx->clientDHNonce,
+				    rep.u.dhInfo.serverDHNonce,
+				    nonce, pa, key);
+	    break;
+	case choice_PA_PK_AS_REP_encKeyPack:
+	    ret = pk_rd_pa_reply_enckey(context, COMPAT_IETF, &data, &oid, realm, 
+					ctx, etype, hi, nonce, req_buffer, pa, key);
+	    break;
+	default:
+	    krb5_abortx(context, "pk-init as-rep case not possible to happen");
+	}
+	der_free_octet_string(&data);
+	der_free_oid(&oid);
+	free_PA_PK_AS_REP(&rep);
+
+    } else if (ctx->type == COMPAT_WIN2K) {
+	PA_PK_AS_REP_Win2k w2krep;
+
+	/* Check for Windows encoding of the AS-REP pa data */ 
+
+#if 0 /* should this be ? */
+	if (pa->padata_type != KRB5_PADATA_PK_AS_REP) {
+	    krb5_set_error_string(context, "PKINIT: wrong padata recv");
+	    return EINVAL;
+	}
+#endif
+
+	memset(&w2krep, 0, sizeof(w2krep));
+	
+	ret = decode_PA_PK_AS_REP_Win2k(pa->padata_value.data,
+					pa->padata_value.length,
+					&w2krep,
+					&size);
+	if (ret) {
+	    krb5_set_error_string(context, "PKINIT: Failed decoding windows "
+				  "pkinit reply %d", ret);
+	    return ret;
+	}
+
+	krb5_clear_error_string(context);
+	
+	switch (w2krep.element) {
+	case choice_PA_PK_AS_REP_Win2k_encKeyPack: {
+	    heim_octet_string data;
+	    heim_oid oid;
+	    
+	    ret = hx509_cms_unwrap_ContentInfo(&w2krep.u.encKeyPack, 
+					       &oid, &data, NULL);
+	    free_PA_PK_AS_REP_Win2k(&w2krep);
+	    if (ret) {
+		krb5_set_error_string(context, "PKINIT: failed to unwrap CI");
+		return ret;
+	    }
+
+	    ret = pk_rd_pa_reply_enckey(context, COMPAT_WIN2K, &data, &oid, realm,
+					ctx, etype, hi, nonce, req_buffer, pa, key);
+	    der_free_octet_string(&data);
+	    der_free_oid(&oid);
+
+	    break;
+	}
+	default:
+	    free_PA_PK_AS_REP_Win2k(&w2krep);
+	    krb5_set_error_string(context, "PKINIT: win2k reply invalid "
+				  "content type");
+	    ret = EINVAL;
+	    break;
+	}
+    
+    } else {
+	krb5_set_error_string(context, "PKINIT: unknown reply type");
+	ret = EINVAL;
+    }
+
+    return ret;
+}
+
+struct prompter {
+    krb5_context context;
+    krb5_prompter_fct prompter;
+    void *prompter_data;
+};
+
+static int 
+hx_pass_prompter(void *data, const hx509_prompt *prompter)
+{
+    krb5_error_code ret;
+    krb5_prompt prompt;
+    krb5_data password_data;
+    struct prompter *p = data;
+   
+    password_data.data   = prompter->reply.data;
+    password_data.length = prompter->reply.length;
+
+    prompt.prompt = prompter->prompt;
+    prompt.hidden = hx509_prompt_hidden(prompter->type);
+    prompt.reply  = &password_data;
+
+    switch (prompter->type) {
+    case HX509_PROMPT_TYPE_INFO:
+	prompt.type   = KRB5_PROMPT_TYPE_INFO;
+	break;
+    case HX509_PROMPT_TYPE_PASSWORD:
+    case HX509_PROMPT_TYPE_QUESTION:
+    default:
+	prompt.type   = KRB5_PROMPT_TYPE_PASSWORD;
+	break;
+    }	
+   
+    ret = (*p->prompter)(p->context, p->prompter_data, NULL, NULL, 1, &prompt);
+    if (ret) {
+	memset (prompter->reply.data, 0, prompter->reply.length);
+	return 1;
+    }
+    return 0;
+}
+
+
+void KRB5_LIB_FUNCTION
+_krb5_pk_allow_proxy_certificate(struct krb5_pk_identity *id,
+				 int boolean)
+{
+    hx509_verify_set_proxy_certificate(id->verify_ctx, boolean);
+}
+
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_pk_load_id(krb5_context context,
+		 struct krb5_pk_identity **ret_id,
+		 const char *user_id,
+		 const char *anchor_id,
+		 char * const *chain_list,
+		 char * const *revoke_list,
+		 krb5_prompter_fct prompter,
+		 void *prompter_data,
+		 char *password)
+{
+    struct krb5_pk_identity *id = NULL;
+    hx509_lock lock = NULL;
+    struct prompter p;
+    int ret;
+
+    *ret_id = NULL;
+
+    if (anchor_id == NULL) {
+	krb5_set_error_string(context, "PKINIT: No anchor given");
+	return HEIM_PKINIT_NO_VALID_CA;
+    }
+
+    if (user_id == NULL) {
+	krb5_set_error_string(context,
+			      "PKINIT: No user certificate given");
+	return HEIM_PKINIT_NO_PRIVATE_KEY;
+    }
+
+    /* load cert */
+
+    id = calloc(1, sizeof(*id));
+    if (id == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }	
+
+    ret = hx509_context_init(&id->hx509ctx);
+    if (ret)
+	goto out;
+
+    ret = hx509_lock_init(id->hx509ctx, &lock);
+    if (password && password[0])
+	hx509_lock_add_password(lock, password);
+
+    if (prompter) {
+	p.context = context;
+	p.prompter = prompter;
+	p.prompter_data = prompter_data;
+
+	ret = hx509_lock_set_prompter(lock, hx_pass_prompter, &p);
+	if (ret)
+	    goto out;
+    }
+
+    ret = hx509_certs_init(id->hx509ctx, user_id, 0, lock, &id->certs);
+    if (ret) {
+	_krb5_pk_copy_error(context, id->hx509ctx, ret,
+			    "Failed to init cert certs");
+	goto out;
+    }
+
+    ret = hx509_certs_init(id->hx509ctx, anchor_id, 0, NULL, &id->anchors);
+    if (ret) {
+	_krb5_pk_copy_error(context, id->hx509ctx, ret,
+			    "Failed to init anchors");
+	goto out;
+    }
+
+    ret = hx509_certs_init(id->hx509ctx, "MEMORY:pkinit-cert-chain", 
+			   0, NULL, &id->certpool);
+    if (ret) {
+	_krb5_pk_copy_error(context, id->hx509ctx, ret,
+			    "Failed to init chain");
+	goto out;
+    }
+
+    while (chain_list && *chain_list) {
+	ret = hx509_certs_append(id->hx509ctx, id->certpool,
+				 NULL, *chain_list);
+	if (ret) {
+	    _krb5_pk_copy_error(context, id->hx509ctx, ret,
+				"Failed to laod chain %s",
+				*chain_list);
+	    goto out;
+	}
+	chain_list++;
+    }
+
+    if (revoke_list) {
+	ret = hx509_revoke_init(id->hx509ctx, &id->revokectx);
+	if (ret) {
+	    _krb5_pk_copy_error(context, id->hx509ctx, ret,
+				"Failed init revoke list");
+	    goto out;
+	}
+
+	while (*revoke_list) {
+	    ret = hx509_revoke_add_crl(id->hx509ctx, 
+				       id->revokectx,
+				       *revoke_list);
+	    if (ret) {
+		_krb5_pk_copy_error(context, id->hx509ctx, ret, 
+				    "Failed load revoke list");
+		goto out;
+	    }
+	    revoke_list++;
+	}
+    } else
+	hx509_context_set_missing_revoke(id->hx509ctx, 1);
+
+    ret = hx509_verify_init_ctx(id->hx509ctx, &id->verify_ctx);
+    if (ret) {
+	_krb5_pk_copy_error(context, id->hx509ctx, ret, 
+			    "Failed init verify context");
+	goto out;
+    }
+
+    hx509_verify_attach_anchors(id->verify_ctx, id->anchors);
+    hx509_verify_attach_revoke(id->verify_ctx, id->revokectx);
+
+out:
+    if (ret) {
+	hx509_verify_destroy_ctx(id->verify_ctx);
+	hx509_certs_free(&id->certs);
+	hx509_certs_free(&id->anchors);
+	hx509_certs_free(&id->certpool);
+	hx509_revoke_free(&id->revokectx);
+	hx509_context_free(&id->hx509ctx);
+	free(id);
+    } else
+	*ret_id = id;
+
+    hx509_lock_free(lock);
+
+    return ret;
+}
+
+static krb5_error_code
+select_dh_group(krb5_context context, DH *dh, unsigned long bits, 
+		struct krb5_dh_moduli **moduli)
+{
+    const struct krb5_dh_moduli *m;
+
+    if (bits == 0) {
+	m = moduli[1]; /* XXX */
+	if (m == NULL)
+	    m = moduli[0]; /* XXX */
+    } else {
+	int i;
+	for (i = 0; moduli[i] != NULL; i++) {
+	    if (bits < moduli[i]->bits)
+		break;
+	}
+	if (moduli[i] == NULL) {
+	    krb5_set_error_string(context, 
+				  "Did not find a DH group parameter "
+				  "matching requirement of %lu bits",
+				  bits);
+	    return EINVAL;
+	}
+	m = moduli[i];
+    }
+
+    dh->p = integer_to_BN(context, "p", &m->p);
+    if (dh->p == NULL)
+	return ENOMEM;
+    dh->g = integer_to_BN(context, "g", &m->g);
+    if (dh->g == NULL)
+	return ENOMEM;
+    dh->q = integer_to_BN(context, "q", &m->q);
+    if (dh->q == NULL)
+	return ENOMEM;
+
+    return 0;
+}
+
+#endif /* PKINIT */
+
+static int
+parse_integer(krb5_context context, char **p, const char *file, int lineno, 
+	      const char *name, heim_integer *integer)
+{
+    int ret;
+    char *p1;
+    p1 = strsep(p, " \t");
+    if (p1 == NULL) {
+	krb5_set_error_string(context, "moduli file %s missing %s on line %d",
+			      file, name, lineno);
+	return EINVAL;
+    }
+    ret = der_parse_hex_heim_integer(p1, integer);
+    if (ret) {
+	krb5_set_error_string(context, "moduli file %s failed parsing %s "
+			      "on line %d",
+			      file, name, lineno);
+	return ret;
+    }
+
+    return 0;
+}
+
+krb5_error_code
+_krb5_parse_moduli_line(krb5_context context, 
+			const char *file,
+			int lineno,
+			char *p,
+			struct krb5_dh_moduli **m)
+{
+    struct krb5_dh_moduli *m1;
+    char *p1;
+    int ret;
+
+    *m = NULL;
+
+    m1 = calloc(1, sizeof(*m1));
+    if (m1 == NULL) {
+	krb5_set_error_string(context, "malloc - out of memory");
+	return ENOMEM;
+    }
+
+    while (isspace((unsigned char)*p))
+	p++;
+    if (*p  == '#')
+	return 0;
+    ret = EINVAL;
+
+    p1 = strsep(&p, " \t");
+    if (p1 == NULL) {
+	krb5_set_error_string(context, "moduli file %s missing name "
+			      "on line %d", file, lineno);
+	goto out;
+    }
+    m1->name = strdup(p1);
+    if (p1 == NULL) {
+	krb5_set_error_string(context, "malloc - out of memeory");
+	ret = ENOMEM;
+	goto out;
+    }
+
+    p1 = strsep(&p, " \t");
+    if (p1 == NULL) {
+	krb5_set_error_string(context, "moduli file %s missing bits on line %d",
+			      file, lineno);
+	goto out;
+    }
+
+    m1->bits = atoi(p1);
+    if (m1->bits == 0) {
+	krb5_set_error_string(context, "moduli file %s have un-parsable "
+			      "bits on line %d", file, lineno);
+	goto out;
+    }
+	
+    ret = parse_integer(context, &p, file, lineno, "p", &m1->p);
+    if (ret)
+	goto out;
+    ret = parse_integer(context, &p, file, lineno, "g", &m1->g);
+    if (ret)
+	goto out;
+    ret = parse_integer(context, &p, file, lineno, "q", &m1->q);
+    if (ret)
+	goto out;
+
+    *m = m1;
+
+    return 0;
+out:
+    free(m1->name);
+    der_free_heim_integer(&m1->p);
+    der_free_heim_integer(&m1->g);
+    der_free_heim_integer(&m1->q);
+    free(m1);
+    return ret;
+}
+
+void
+_krb5_free_moduli(struct krb5_dh_moduli **moduli)
+{
+    int i;
+    for (i = 0; moduli[i] != NULL; i++) {
+	free(moduli[i]->name);
+	der_free_heim_integer(&moduli[i]->p);
+	der_free_heim_integer(&moduli[i]->g);
+	der_free_heim_integer(&moduli[i]->q);
+	free(moduli[i]);
+    }
+    free(moduli);
+}
+
+static const char *default_moduli_RFC2412_MODP_group2 =
+    /* name */
+    "RFC2412-MODP-group2 "
+    /* bits */
+    "1024 "
+    /* p */
+    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
+    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
+    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
+    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
+    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
+    "FFFFFFFF" "FFFFFFFF "
+    /* g */
+    "02 "
+    /* q */
+    "7FFFFFFF" "FFFFFFFF" "E487ED51" "10B4611A" "62633145" "C06E0E68"
+    "94812704" "4533E63A" "0105DF53" "1D89CD91" "28A5043C" "C71A026E"
+    "F7CA8CD9" "E69D218D" "98158536" "F92F8A1B" "A7F09AB6" "B6A8E122"
+    "F242DABB" "312F3F63" "7A262174" "D31BF6B5" "85FFAE5B" "7A035BF6"
+    "F71C35FD" "AD44CFD2" "D74F9208" "BE258FF3" "24943328" "F67329C0"
+    "FFFFFFFF" "FFFFFFFF";
+
+static const char *default_moduli_rfc3526_MODP_group14 =
+    /* name */
+    "rfc3526-MODP-group14 "
+    /* bits */
+    "1760 "
+    /* p */
+    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
+    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
+    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
+    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
+    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
+    "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
+    "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
+    "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
+    "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
+    "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
+    "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF "
+    /* g */
+    "02 "
+    /* q */
+    "7FFFFFFF" "FFFFFFFF" "E487ED51" "10B4611A" "62633145" "C06E0E68"
+    "94812704" "4533E63A" "0105DF53" "1D89CD91" "28A5043C" "C71A026E"
+    "F7CA8CD9" "E69D218D" "98158536" "F92F8A1B" "A7F09AB6" "B6A8E122"
+    "F242DABB" "312F3F63" "7A262174" "D31BF6B5" "85FFAE5B" "7A035BF6"
+    "F71C35FD" "AD44CFD2" "D74F9208" "BE258FF3" "24943328" "F6722D9E"
+    "E1003E5C" "50B1DF82" "CC6D241B" "0E2AE9CD" "348B1FD4" "7E9267AF"
+    "C1B2AE91" "EE51D6CB" "0E3179AB" "1042A95D" "CF6A9483" "B84B4B36"
+    "B3861AA7" "255E4C02" "78BA3604" "650C10BE" "19482F23" "171B671D"
+    "F1CF3B96" "0C074301" "CD93C1D1" "7603D147" "DAE2AEF8" "37A62964"
+    "EF15E5FB" "4AAC0B8C" "1CCAA4BE" "754AB572" "8AE9130C" "4C7D0288"
+    "0AB9472D" "45565534" "7FFFFFFF" "FFFFFFFF";
+
+krb5_error_code
+_krb5_parse_moduli(krb5_context context, const char *file,
+		   struct krb5_dh_moduli ***moduli)
+{
+    /* name bits P G Q */
+    krb5_error_code ret;
+    struct krb5_dh_moduli **m = NULL, **m2;
+    char buf[4096];
+    FILE *f;
+    int lineno = 0, n = 0;
+
+    *moduli = NULL;
+
+    m = calloc(1, sizeof(m[0]) * 3);
+    if (m == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+
+    strlcpy(buf, default_moduli_rfc3526_MODP_group14, sizeof(buf));
+    ret = _krb5_parse_moduli_line(context, "builtin", 1, buf,  &m[0]);
+    if (ret) {
+	_krb5_free_moduli(m);
+	return ret;
+    }
+    n++;
+
+    strlcpy(buf, default_moduli_RFC2412_MODP_group2, sizeof(buf));
+    ret = _krb5_parse_moduli_line(context, "builtin", 1, buf,  &m[1]);
+    if (ret) {
+	_krb5_free_moduli(m);
+	return ret;
+    }
+    n++;
+
+
+    if (file == NULL)
+	file = MODULI_FILE;
+
+    f = fopen(file, "r");
+    if (f == NULL) {
+	*moduli = m;
+	return 0;
+    }
+
+    while(fgets(buf, sizeof(buf), f) != NULL) {
+	struct krb5_dh_moduli *element;
+
+	buf[strcspn(buf, "\n")] = '\0';
+	lineno++;
+
+	m2 = realloc(m, (n + 2) * sizeof(m[0]));
+	if (m2 == NULL) {
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    _krb5_free_moduli(m);
+	    return ENOMEM;
+	}
+	m = m2;
+	
+	m[n] = NULL;
+
+	ret = _krb5_parse_moduli_line(context, file, lineno, buf,  &element);
+	if (ret) {
+	    _krb5_free_moduli(m);
+	    return ret;
+	}
+	if (element == NULL)
+	    continue;
+
+	m[n] = element;
+	m[n + 1] = NULL;
+	n++;
+    }
+    *moduli = m;
+    return 0;
+}
+
+krb5_error_code
+_krb5_dh_group_ok(krb5_context context, unsigned long bits,
+		  heim_integer *p, heim_integer *g, heim_integer *q,
+		  struct krb5_dh_moduli **moduli,
+		  char **name)
+{
+    int i;
+
+    if (name)
+	*name = NULL;
+
+    for (i = 0; moduli[i] != NULL; i++) {
+	if (der_heim_integer_cmp(&moduli[i]->g, g) == 0 &&
+	    der_heim_integer_cmp(&moduli[i]->p, p) == 0 &&
+	    (q == NULL || der_heim_integer_cmp(&moduli[i]->q, q) == 0))
+	{
+	    if (bits && bits > moduli[i]->bits) {
+		krb5_set_error_string(context, "PKINIT: DH group parameter %s "
+				      "no accepted, not enough bits generated",
+				      moduli[i]->name);
+		return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
+	    }
+	    if (name)
+		*name = strdup(moduli[i]->name);
+	    return 0;
+	}
+    }
+    krb5_set_error_string(context, "PKINIT: DH group parameter no ok");
+    return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
+}
+
+void KRB5_LIB_FUNCTION
+_krb5_get_init_creds_opt_free_pkinit(krb5_get_init_creds_opt *opt)
+{
+#ifdef PKINIT
+    krb5_pk_init_ctx ctx;
+
+    if (opt->opt_private == NULL || opt->opt_private->pk_init_ctx == NULL)
+	return;
+    ctx = opt->opt_private->pk_init_ctx;
+    if (ctx->dh)
+	DH_free(ctx->dh);
+	ctx->dh = NULL;
+    if (ctx->id) {
+	hx509_verify_destroy_ctx(ctx->id->verify_ctx);
+	hx509_certs_free(&ctx->id->certs);
+	hx509_certs_free(&ctx->id->anchors);
+	hx509_certs_free(&ctx->id->certpool);
+	hx509_context_free(&ctx->id->hx509ctx);
+
+	if (ctx->clientDHNonce) {
+	    krb5_free_data(NULL, ctx->clientDHNonce);
+	    ctx->clientDHNonce = NULL;
+	}
+	if (ctx->m)
+	    _krb5_free_moduli(ctx->m);
+	free(ctx->id);
+	ctx->id = NULL;
+    }
+    free(opt->opt_private->pk_init_ctx);
+    opt->opt_private->pk_init_ctx = NULL;
+#endif
+}
+    
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_opt_set_pkinit(krb5_context context,
+				   krb5_get_init_creds_opt *opt,
+				   krb5_principal principal,
+				   const char *user_id,
+				   const char *x509_anchors,
+				   char * const * pool,
+				   char * const * pki_revoke,
+				   int flags,
+				   krb5_prompter_fct prompter,
+				   void *prompter_data,
+				   char *password)
+{
+#ifdef PKINIT
+    krb5_error_code ret;
+    char *anchors = NULL;
+
+    if (opt->opt_private == NULL) {
+	krb5_set_error_string(context, "PKINIT: on non extendable opt");
+	return EINVAL;
+    }
+
+    opt->opt_private->pk_init_ctx = 
+	calloc(1, sizeof(*opt->opt_private->pk_init_ctx));
+    if (opt->opt_private->pk_init_ctx == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    opt->opt_private->pk_init_ctx->dh = NULL;
+    opt->opt_private->pk_init_ctx->id = NULL;
+    opt->opt_private->pk_init_ctx->clientDHNonce = NULL;
+    opt->opt_private->pk_init_ctx->require_binding = 0;
+    opt->opt_private->pk_init_ctx->require_eku = 1;
+    opt->opt_private->pk_init_ctx->require_krbtgt_otherName = 1;
+    opt->opt_private->pk_init_ctx->peer = NULL;
+
+    /* XXX implement krb5_appdefault_strings  */
+    if (pool == NULL)
+	pool = krb5_config_get_strings(context, NULL,
+				       "appdefaults", 
+				       "pkinit_pool", 
+				       NULL);
+
+    if (pki_revoke == NULL)
+	pki_revoke = krb5_config_get_strings(context, NULL,
+					     "appdefaults", 
+					     "pkinit_revoke", 
+					     NULL);
+
+    if (x509_anchors == NULL) {
+	krb5_appdefault_string(context, "kinit",
+			       krb5_principal_get_realm(context, principal), 
+			       "pkinit_anchors", NULL, &anchors);
+	x509_anchors = anchors;
+    }
+
+    ret = _krb5_pk_load_id(context,
+			   &opt->opt_private->pk_init_ctx->id,
+			   user_id,
+			   x509_anchors,
+			   pool,
+			   pki_revoke,
+			   prompter,
+			   prompter_data,
+			   password);
+    if (ret) {
+	free(opt->opt_private->pk_init_ctx);
+	opt->opt_private->pk_init_ctx = NULL;
+	return ret;
+    }
+
+    if ((flags & 2) == 0) {
+	const char *moduli_file;
+	unsigned long dh_min_bits;
+
+	moduli_file = krb5_config_get_string(context, NULL,
+					     "libdefaults",
+					     "moduli",
+					     NULL);
+
+	dh_min_bits =
+	    krb5_config_get_int_default(context, NULL, 0,
+					"libdefaults",
+					"pkinit_dh_min_bits",
+					NULL);
+
+	ret = _krb5_parse_moduli(context, moduli_file, 
+				 &opt->opt_private->pk_init_ctx->m);
+	if (ret) {
+	    _krb5_get_init_creds_opt_free_pkinit(opt);
+	    return ret;
+	}
+	
+	opt->opt_private->pk_init_ctx->dh = DH_new();
+	if (opt->opt_private->pk_init_ctx->dh == NULL) {
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    _krb5_get_init_creds_opt_free_pkinit(opt);
+	    return ENOMEM;
+	}
+
+	ret = select_dh_group(context, opt->opt_private->pk_init_ctx->dh,
+			      dh_min_bits, 
+			      opt->opt_private->pk_init_ctx->m);
+	if (ret) {
+	    _krb5_get_init_creds_opt_free_pkinit(opt);
+	    return ret;
+	}
+
+	if (DH_generate_key(opt->opt_private->pk_init_ctx->dh) != 1) {
+	    krb5_set_error_string(context, "pkinit: failed to generate DH key");
+	    _krb5_get_init_creds_opt_free_pkinit(opt);
+	    return ENOMEM;
+	}
+    }
+
+    return 0;
+#else
+    krb5_set_error_string(context, "no support for PKINIT compiled in");
+    return EINVAL;
+#endif
+}
+
+/*
+ *
+ */
+
+static void
+_krb5_pk_copy_error(krb5_context context,
+		    hx509_context hx509ctx,
+		    int hxret,
+		    const char *fmt,
+		    ...)
+{
+    va_list va;
+    char *s, *f;
+
+    va_start(va, fmt);
+    vasprintf(&f, fmt, va);
+    va_end(va);
+    if (f == NULL) {
+	krb5_clear_error_string(context);
+	return;
+    }
+
+    s = hx509_get_error_string(hx509ctx, hxret);
+    if (s == NULL) {
+	krb5_clear_error_string(context);
+	free(f);
+	return;
+    }
+    krb5_set_error_string(context, "%s: %s", f, s);
+    free(s);
+    free(f);
+}
diff --git a/crypto/heimdal/lib/krb5/plugin.c b/crypto/heimdal/lib/krb5/plugin.c
new file mode 100644
index 0000000..bae2849
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/plugin.c
@@ -0,0 +1,264 @@
+/*
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+RCSID("$Id: plugin.c 22033 2007-11-10 10:39:47Z lha $");
+#ifdef HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+#include <dirent.h>
+
+struct krb5_plugin {
+    void *symbol;
+    void *dsohandle;
+    struct krb5_plugin *next;
+};
+
+struct plugin {
+    enum krb5_plugin_type type;
+    void *name;
+    void *symbol;
+    struct plugin *next;
+};
+
+static HEIMDAL_MUTEX plugin_mutex = HEIMDAL_MUTEX_INITIALIZER;
+static struct plugin *registered = NULL;
+
+static const char *plugin_dir = LIBDIR "/plugin/krb5";
+
+/*
+ *
+ */
+
+void *
+_krb5_plugin_get_symbol(struct krb5_plugin *p)
+{
+    return p->symbol;
+}
+
+struct krb5_plugin *
+_krb5_plugin_get_next(struct krb5_plugin *p)
+{
+    return p->next;
+}
+
+/*
+ *
+ */
+
+#ifdef HAVE_DLOPEN
+
+static krb5_error_code
+loadlib(krb5_context context,
+	enum krb5_plugin_type type,
+	const char *name,
+	const char *lib,
+	struct krb5_plugin **e)
+{
+    *e = calloc(1, sizeof(**e));
+    if (*e == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+
+#ifndef RTLD_LAZY
+#define RTLD_LAZY 0
+#endif
+
+    (*e)->dsohandle = dlopen(lib, RTLD_LAZY);
+    if ((*e)->dsohandle == NULL) {
+	free(*e);
+	*e = NULL;
+	krb5_set_error_string(context, "Failed to load %s: %s", 
+			      lib, dlerror());
+	return ENOMEM;
+    }
+
+    /* dlsym doesn't care about the type */
+    (*e)->symbol = dlsym((*e)->dsohandle, name);
+    if ((*e)->symbol == NULL) {
+	dlclose((*e)->dsohandle);
+	free(*e);
+	krb5_clear_error_string(context);
+	return ENOMEM;
+    }
+
+    return 0;
+}
+#endif /* HAVE_DLOPEN */
+
+/**
+ * Register a plugin symbol name of specific type.
+ * @param context a Keberos context
+ * @param type type of plugin symbol
+ * @param name name of plugin symbol
+ * @param symbol a pointer to the named symbol
+ * @return In case of error a non zero error com_err error is returned
+ * and the Kerberos error string is set.
+ *
+ * @ingroup krb5_support
+ */
+
+krb5_error_code
+krb5_plugin_register(krb5_context context,
+		     enum krb5_plugin_type type,
+		     const char *name, 
+		     void *symbol)
+{
+    struct plugin *e;
+
+    e = calloc(1, sizeof(*e));
+    if (e == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    e->type = type;
+    e->name = strdup(name);
+    if (e->name == NULL) {
+	free(e);
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    e->symbol = symbol;
+
+    HEIMDAL_MUTEX_lock(&plugin_mutex);
+    e->next = registered;
+    registered = e;
+    HEIMDAL_MUTEX_unlock(&plugin_mutex);
+
+    return 0;
+}
+
+krb5_error_code
+_krb5_plugin_find(krb5_context context,
+		  enum krb5_plugin_type type,
+		  const char *name, 
+		  struct krb5_plugin **list)
+{
+    struct krb5_plugin *e;
+    struct plugin *p;
+    krb5_error_code ret;
+    char *sysdirs[2] = { NULL, NULL };
+    char **dirs = NULL, **di;
+    struct dirent *entry;
+    char *path;
+    DIR *d = NULL;
+
+    *list = NULL;
+
+    HEIMDAL_MUTEX_lock(&plugin_mutex);
+
+    for (p = registered; p != NULL; p = p->next) {
+	if (p->type != type || strcmp(p->name, name) != 0)
+	    continue;
+
+	e = calloc(1, sizeof(*e));
+	if (e == NULL) {
+	    HEIMDAL_MUTEX_unlock(&plugin_mutex);
+	    krb5_set_error_string(context, "out of memory");
+	    ret = ENOMEM;
+	    goto out;
+	}
+	e->symbol = p->symbol;
+	e->dsohandle = NULL;
+	e->next = *list;
+	*list = e;
+    }
+    HEIMDAL_MUTEX_unlock(&plugin_mutex);
+
+#ifdef HAVE_DLOPEN
+
+    dirs = krb5_config_get_strings(context, NULL, "libdefaults", 
+				   "plugin_dir", NULL);
+    if (dirs == NULL) {
+	sysdirs[0] = rk_UNCONST(plugin_dir);
+	dirs = sysdirs;
+    }
+
+    for (di = dirs; *di != NULL; di++) {
+
+	d = opendir(*di);
+	if (d == NULL)
+	    continue;
+
+	while ((entry = readdir(d)) != NULL) {
+	    asprintf(&path, "%s/%s", *di, entry->d_name);
+	    if (path == NULL) {
+		krb5_set_error_string(context, "out of memory");
+		ret = ENOMEM;
+		goto out;
+	    }
+	    ret = loadlib(context, type, name, path, &e);
+	    free(path);
+	    if (ret)
+		continue;
+	    
+	    e->next = *list;
+	    *list = e;
+	}
+	closedir(d);
+    }
+    if (dirs != sysdirs)
+	krb5_config_free_strings(dirs);
+#endif /* HAVE_DLOPEN */
+
+    if (*list == NULL) {
+	krb5_set_error_string(context, "Did not find a plugin for %s", name);
+	return ENOENT;
+    }
+
+    return 0;
+
+out:
+    if (dirs && dirs != sysdirs)
+	krb5_config_free_strings(dirs);
+    if (d)
+	closedir(d);
+    _krb5_plugin_free(*list);
+    *list = NULL;
+
+    return ret;
+}
+
+void
+_krb5_plugin_free(struct krb5_plugin *list)
+{
+    struct krb5_plugin *next;
+    while (list) {
+	next = list->next;
+	if (list->dsohandle)
+	    dlclose(list->dsohandle);
+	free(list);
+	list = next;
+    }
+}
diff --git a/crypto/heimdal/lib/krb5/principal.c b/crypto/heimdal/lib/krb5/principal.c
index d46f328..8d9c880 100644
--- a/crypto/heimdal/lib/krb5/principal.c
+++ b/crypto/heimdal/lib/krb5/principal.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -41,7 +41,7 @@
 #include <fnmatch.h>
 #include "resolve.h"
 
-RCSID("$Id: principal.c,v 1.82.2.1 2003/08/15 14:30:07 lha Exp $");
+RCSID("$Id: principal.c 21741 2007-07-31 16:00:37Z lha $");
 
 #define princ_num_comp(P) ((P)->name.name_string.len)
 #define princ_type(P) ((P)->name.name_type)
@@ -49,7 +49,7 @@ RCSID("$Id: principal.c,v 1.82.2.1 2003/08/15 14:30:07 lha Exp $");
 #define princ_ncomp(P, N) ((P)->name.name_string.val[(N)])
 #define princ_realm(P) ((P)->realm)
 
-void
+void KRB5_LIB_FUNCTION
 krb5_free_principal(krb5_context context,
 		    krb5_principal p)
 {
@@ -59,23 +59,31 @@ krb5_free_principal(krb5_context context,
     }
 }
 
-int
+void KRB5_LIB_FUNCTION
+krb5_principal_set_type(krb5_context context,
+			krb5_principal principal,
+			int type)
+{
+    princ_type(principal) = type;
+}
+
+int KRB5_LIB_FUNCTION
 krb5_principal_get_type(krb5_context context,
-			krb5_principal principal)
+			krb5_const_principal principal)
 {
     return princ_type(principal);
 }
 
-const char *
+const char* KRB5_LIB_FUNCTION
 krb5_principal_get_realm(krb5_context context,
-			 krb5_principal principal)
+			 krb5_const_principal principal)
 {
     return princ_realm(principal);
 }			 
 
-const char *
+const char* KRB5_LIB_FUNCTION
 krb5_principal_get_comp_string(krb5_context context,
-			       krb5_principal principal,
+			       krb5_const_principal principal,
 			       unsigned int component)
 {
     if(component >= princ_num_comp(principal))
@@ -83,14 +91,15 @@ krb5_principal_get_comp_string(krb5_context context,
     return princ_ncomp(principal, component);
 }
 
-krb5_error_code
-krb5_parse_name(krb5_context context,
-		const char *name,
-		krb5_principal *principal)
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_parse_name_flags(krb5_context context,
+		      const char *name,
+		      int flags,
+		      krb5_principal *principal)
 {
     krb5_error_code ret;
-    general_string *comp;
-    general_string realm;
+    heim_general_string *comp;
+    heim_general_string realm = NULL;
     int ncomp;
 
     const char *p;
@@ -101,19 +110,38 @@ krb5_parse_name(krb5_context context,
     int n;
     char c;
     int got_realm = 0;
+    int first_at = 1;
+    int enterprise = (flags & KRB5_PRINCIPAL_PARSE_ENTERPRISE);
   
-    /* count number of component */
+    *principal = NULL;
+
+#define RFLAGS (KRB5_PRINCIPAL_PARSE_NO_REALM|KRB5_PRINCIPAL_PARSE_MUST_REALM)
+
+    if ((flags & RFLAGS) == RFLAGS) {
+	krb5_set_error_string(context, "Can't require both realm and "
+			      "no realm at the same time");
+	return KRB5_ERR_NO_SERVICE;
+    }
+#undef RFLAGS
+
+    /* count number of component,
+     * enterprise names only have one component
+     */
     ncomp = 1;
-    for(p = name; *p; p++){
-	if(*p=='\\'){
-	    if(!p[1]) {
-		krb5_set_error_string (context,
-				       "trailing \\ in principal name");
-		return KRB5_PARSE_MALFORMED;
-	    }
-	    p++;
-	} else if(*p == '/')
-	    ncomp++;
+    if (!enterprise) {
+	for(p = name; *p; p++){
+	    if(*p=='\\'){
+		if(!p[1]) {
+		    krb5_set_error_string (context,
+					   "trailing \\ in principal name");
+		    return KRB5_PARSE_MALFORMED;
+		}
+		p++;
+	    } else if(*p == '/')
+		ncomp++;
+	    else if(*p == '@')
+		break;
+	}
     }
     comp = calloc(ncomp, sizeof(*comp));
     if (comp == NULL) {
@@ -146,7 +174,10 @@ krb5_parse_name(krb5_context context,
 		ret = KRB5_PARSE_MALFORMED;
 		goto exit;
 	    }
-	}else if(c == '/' || c == '@'){
+	}else if(enterprise && first_at) {
+	    if (c == '@')
+		first_at = 0;
+	}else if((c == '/' && !enterprise) || c == '@'){
 	    if(got_realm){
 		krb5_set_error_string (context,
 				       "part after realm in principal name");
@@ -177,6 +208,12 @@ krb5_parse_name(krb5_context context,
 	*q++ = c;
     }
     if(got_realm){
+	if (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) {
+	    krb5_set_error_string (context, "realm found in 'short' principal "
+				   "expected to be without one");
+	    ret = KRB5_PARSE_MALFORMED;
+	    goto exit;
+	}
 	realm = malloc(q - start + 1);
 	if (realm == NULL) {
 	    krb5_set_error_string (context, "malloc: out of memory");
@@ -186,9 +223,18 @@ krb5_parse_name(krb5_context context,
 	memcpy(realm, start, q - start);
 	realm[q - start] = 0;
     }else{
-	ret = krb5_get_default_realm (context, &realm);
-	if (ret)
+	if (flags & KRB5_PRINCIPAL_PARSE_MUST_REALM) {
+	    krb5_set_error_string (context, "realm NOT found in principal "
+				   "expected to be with one");
+	    ret = KRB5_PARSE_MALFORMED;
 	    goto exit;
+	} else if (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) {
+	    realm = NULL;
+	} else {
+	    ret = krb5_get_default_realm (context, &realm);
+	    if (ret)
+		goto exit;
+	}
 
 	comp[n] = malloc(q - start + 1);
 	if (comp[n] == NULL) {
@@ -206,7 +252,10 @@ krb5_parse_name(krb5_context context,
 	ret = ENOMEM;
 	goto exit;
     }
-    (*principal)->name.name_type = KRB5_NT_PRINCIPAL;
+    if (enterprise)
+	(*principal)->name.name_type = KRB5_NT_ENTERPRISE_PRINCIPAL;
+    else
+	(*principal)->name.name_type = KRB5_NT_PRINCIPAL;
     (*principal)->name.name_string.val = comp;
     princ_num_comp(*principal) = n;
     (*principal)->realm = realm;
@@ -217,29 +266,42 @@ exit:
 	free(comp[--n]);
     }
     free(comp);
+    free(realm);
     free(s);
     return ret;
 }
 
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_parse_name(krb5_context context,
+		const char *name,
+		krb5_principal *principal)
+{
+    return krb5_parse_name_flags(context, name, 0, principal);
+}
+
 static const char quotable_chars[] = " \n\t\b\\/@";
 static const char replace_chars[] = " ntb\\/@";
+static const char nq_chars[] = "    \\/@";
 
 #define add_char(BASE, INDEX, LEN, C) do { if((INDEX) < (LEN)) (BASE)[(INDEX)++] = (C); }while(0);
 
 static size_t
-quote_string(const char *s, char *out, size_t index, size_t len)
+quote_string(const char *s, char *out, size_t idx, size_t len, int display)
 {
     const char *p, *q;
-    for(p = s; *p && index < len; p++){
-	if((q = strchr(quotable_chars, *p))){
-	    add_char(out, index, len, '\\');
-	    add_char(out, index, len, replace_chars[q - quotable_chars]);
+    for(p = s; *p && idx < len; p++){
+	q = strchr(quotable_chars, *p);
+	if (q && display) {
+	    add_char(out, idx, len, replace_chars[q - quotable_chars]);
+	} else if (q) {
+	    add_char(out, idx, len, '\\');
+	    add_char(out, idx, len, replace_chars[q - quotable_chars]);
 	}else
-	    add_char(out, index, len, *p);
+	    add_char(out, idx, len, *p);
     }
-    if(index < len)
-	out[index] = '\0';
-    return index;
+    if(idx < len)
+	out[idx] = '\0';
+    return idx;
 }
 
 
@@ -248,19 +310,31 @@ unparse_name_fixed(krb5_context context,
 		   krb5_const_principal principal,
 		   char *name,
 		   size_t len,
-		   krb5_boolean short_form)
+		   int flags)
 {
-    size_t index = 0;
+    size_t idx = 0;
     int i;
+    int short_form = (flags & KRB5_PRINCIPAL_UNPARSE_SHORT) != 0;
+    int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) != 0;
+    int display = (flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY) != 0;
+
+    if (!no_realm && princ_realm(principal) == NULL) {
+	krb5_set_error_string(context, "Realm missing from principal, "
+			      "can't unparse");
+	return ERANGE;
+    }
+
     for(i = 0; i < princ_num_comp(principal); i++){
 	if(i)
-	    add_char(name, index, len, '/');
-	index = quote_string(princ_ncomp(principal, i), name, index, len);
-	if(index == len)
+	    add_char(name, idx, len, '/');
+	idx = quote_string(princ_ncomp(principal, i), name, idx, len, display);
+	if(idx == len) {
+	    krb5_set_error_string(context, "Out of space printing principal");
 	    return ERANGE;
+	}
     } 
     /* add realm if different from default realm */
-    if(short_form) {
+    if(short_form && !no_realm) {
 	krb5_realm r;
 	krb5_error_code ret;
 	ret = krb5_get_default_realm(context, &r);
@@ -270,49 +344,66 @@ unparse_name_fixed(krb5_context context,
 	    short_form = 0;
 	free(r);
     }
-    if(!short_form) {
-	add_char(name, index, len, '@');
-	index = quote_string(princ_realm(principal), name, index, len);
-	if(index == len)
+    if(!short_form && !no_realm) {
+	add_char(name, idx, len, '@');
+	idx = quote_string(princ_realm(principal), name, idx, len, display);
+	if(idx == len) {
+	    krb5_set_error_string(context, 
+				  "Out of space printing realm of principal");
 	    return ERANGE;
+	}
     }
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_unparse_name_fixed(krb5_context context,
 			krb5_const_principal principal,
 			char *name,
 			size_t len)
 {
-    return unparse_name_fixed(context, principal, name, len, FALSE);
+    return unparse_name_fixed(context, principal, name, len, 0);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_unparse_name_fixed_short(krb5_context context,
 			      krb5_const_principal principal,
 			      char *name,
 			      size_t len)
 {
-    return unparse_name_fixed(context, principal, name, len, TRUE);
+    return unparse_name_fixed(context, principal, name, len, 
+			      KRB5_PRINCIPAL_UNPARSE_SHORT);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_unparse_name_fixed_flags(krb5_context context,
+			      krb5_const_principal principal,
+			      int flags,
+			      char *name,
+			      size_t len)
+{
+    return unparse_name_fixed(context, principal, name, len, flags);
 }
 
 static krb5_error_code
 unparse_name(krb5_context context,
 	     krb5_const_principal principal,
 	     char **name,
-	     krb5_boolean short_flag)
+	     int flags)
 {
     size_t len = 0, plen;
     int i;
     krb5_error_code ret;
     /* count length */
-    plen = strlen(princ_realm(principal));
-    if(strcspn(princ_realm(principal), quotable_chars) == plen)
-	len += plen;
-    else
-	len += 2*plen;
-    len++;
+    if (princ_realm(principal)) {
+	plen = strlen(princ_realm(principal));
+
+	if(strcspn(princ_realm(principal), quotable_chars) == plen)
+	    len += plen;
+	else
+	    len += 2*plen;
+	len++; /* '@' */
+    }
     for(i = 0; i < princ_num_comp(principal); i++){
 	plen = strlen(princ_ncomp(principal, i));
 	if(strcspn(princ_ncomp(principal, i), quotable_chars) == plen)
@@ -321,13 +412,13 @@ unparse_name(krb5_context context,
 	    len += 2*plen;
 	len++;
     }
-    len++;
+    len++; /* '\0' */
     *name = malloc(len);
     if(*name == NULL) {
 	krb5_set_error_string (context, "malloc: out of memory");
 	return ENOMEM;
     }
-    ret = unparse_name_fixed(context, principal, *name, len, short_flag);
+    ret = unparse_name_fixed(context, principal, *name, len, flags);
     if(ret) {
 	free(*name);
 	*name = NULL;
@@ -335,25 +426,34 @@ unparse_name(krb5_context context,
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_unparse_name(krb5_context context,
 		  krb5_const_principal principal,
 		  char **name)
 {
-    return unparse_name(context, principal, name, FALSE);
+    return unparse_name(context, principal, name, 0);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_unparse_name_flags(krb5_context context,
+			krb5_const_principal principal,
+			int flags,
+			char **name)
+{
+    return unparse_name(context, principal, name, flags);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_unparse_name_short(krb5_context context,
 			krb5_const_principal principal,
 			char **name)
 {
-    return unparse_name(context, principal, name, TRUE);
+    return unparse_name(context, principal, name, KRB5_PRINCIPAL_UNPARSE_SHORT);
 }
 
 #if 0 /* not implemented */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_unparse_name_ext(krb5_context context,
 		      krb5_const_principal principal,
 		      char **name,
@@ -364,7 +464,7 @@ krb5_unparse_name_ext(krb5_context context,
 
 #endif
 
-krb5_realm*
+krb5_realm * KRB5_LIB_FUNCTION
 krb5_princ_realm(krb5_context context,
 		 krb5_principal principal)
 {
@@ -372,7 +472,7 @@ krb5_princ_realm(krb5_context context,
 }
 
 
-void
+void KRB5_LIB_FUNCTION
 krb5_princ_set_realm(krb5_context context,
 		     krb5_principal principal,
 		     krb5_realm *realm)
@@ -381,7 +481,7 @@ krb5_princ_set_realm(krb5_context context,
 }
 
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_build_principal(krb5_context context,
 		     krb5_principal *principal,
 		     int rlen,
@@ -401,7 +501,7 @@ append_component(krb5_context context, krb5_principal p,
 		 const char *comp,
 		 size_t comp_len)
 {
-    general_string *tmp;
+    heim_general_string *tmp;
     size_t len = princ_num_comp(p);
 
     tmp = realloc(princ_comp(p), (len + 1) * sizeof(*tmp));
@@ -477,7 +577,7 @@ build_principal(krb5_context context,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_make_principal(krb5_context context,
 		    krb5_principal *principal,
 		    krb5_const_realm realm,
@@ -500,7 +600,7 @@ krb5_make_principal(krb5_context context,
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_build_principal_va(krb5_context context, 
 			krb5_principal *principal, 
 			int rlen,
@@ -510,7 +610,7 @@ krb5_build_principal_va(krb5_context context,
     return build_principal(context, principal, rlen, realm, va_princ, ap);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_build_principal_va_ext(krb5_context context, 
 			    krb5_principal *principal, 
 			    int rlen,
@@ -521,7 +621,7 @@ krb5_build_principal_va_ext(krb5_context context,
 }
 
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_build_principal_ext(krb5_context context,
 			 krb5_principal *principal,
 			 int rlen,
@@ -537,7 +637,7 @@ krb5_build_principal_ext(krb5_context context,
 }
 
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_copy_principal(krb5_context context,
 		    krb5_const_principal inprinc,
 		    krb5_principal *outprinc)
@@ -560,7 +660,7 @@ krb5_copy_principal(krb5_context context,
  * return TRUE iff princ1 == princ2 (without considering the realm)
  */
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_principal_compare_any_realm(krb5_context context,
 				 krb5_const_principal princ1,
 				 krb5_const_principal princ2)
@@ -579,7 +679,7 @@ krb5_principal_compare_any_realm(krb5_context context,
  * return TRUE iff princ1 == princ2
  */
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_principal_compare(krb5_context context,
 		       krb5_const_principal princ1,
 		       krb5_const_principal princ2)
@@ -593,7 +693,7 @@ krb5_principal_compare(krb5_context context,
  * return TRUE iff realm(princ1) == realm(princ2)
  */
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_realm_compare(krb5_context context,
 		   krb5_const_principal princ1,
 		   krb5_const_principal princ2)
@@ -605,7 +705,7 @@ krb5_realm_compare(krb5_context context,
  * return TRUE iff princ matches pattern
  */
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_principal_match(krb5_context context,
 		     krb5_const_principal princ,
 		     krb5_const_principal pattern)
@@ -623,7 +723,7 @@ krb5_principal_match(krb5_context context,
 }
 
 
-struct v4_name_convert {
+static struct v4_name_convert {
     const char *from;
     const char *to; 
 } default_v4_name_convert[] = {
@@ -686,14 +786,16 @@ get_name_conversion(krb5_context context, const char *realm, const char *name)
  * if `func', use that function for validating the conversion
  */
 
-krb5_error_code
-krb5_425_conv_principal_ext(krb5_context context,
-			    const char *name,
-			    const char *instance,
-			    const char *realm,
-			    krb5_boolean (*func)(krb5_context, krb5_principal),
-			    krb5_boolean resolve,
-			    krb5_principal *princ)
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_425_conv_principal_ext2(krb5_context context,
+			     const char *name,
+			     const char *instance,
+			     const char *realm,
+			     krb5_boolean (*func)(krb5_context, 
+						  void *, krb5_principal),
+			     void *funcctx,
+			     krb5_boolean resolve,
+			     krb5_principal *princ)
 {
     const char *p;
     krb5_error_code ret;
@@ -702,7 +804,7 @@ krb5_425_conv_principal_ext(krb5_context context,
     char local_hostname[MAXHOSTNAMELEN];
 
     /* do the following: if the name is found in the
-       `v4_name_convert:host' part, is is assumed to be a `host' type
+       `v4_name_convert:host' part, is assumed to be a `host' type
        principal, and the instance is looked up in the
        `v4_instance_convert' part. if not found there the name is
        (optionally) looked up as a hostname, and if that doesn't yield
@@ -724,7 +826,7 @@ krb5_425_conv_principal_ext(krb5_context context,
     if(p){
 	instance = p;
 	ret = krb5_make_principal(context, &pr, realm, name, instance, NULL);
-	if(func == NULL || (*func)(context, pr)){
+	if(func == NULL || (*func)(context, funcctx, pr)){
 	    *princ = pr;
 	    return 0;
 	}
@@ -740,21 +842,24 @@ krb5_425_conv_principal_ext(krb5_context context,
 	struct dns_reply *r;
 
 	r = dns_lookup(instance, "aaaa");
-	if (r && r->head && r->head->type == T_AAAA) {
-	    inst = strdup(r->head->domain);
+	if (r) {
+	    if (r->head && r->head->type == T_AAAA) {
+		inst = strdup(r->head->domain);
+		passed = TRUE;
+	    }
 	    dns_free_data(r);
-	    passed = TRUE;
 	} else {
 	    r = dns_lookup(instance, "a");
-	    if(r && r->head && r->head->type == T_A) {
-		inst = strdup(r->head->domain);
+	    if (r) {
+		if(r->head && r->head->type == T_A) {
+		    inst = strdup(r->head->domain);
+		    passed = TRUE;
+		}
 		dns_free_data(r);
-		passed = TRUE;
 	    }
 	}
 #else
 	struct addrinfo hints, *ai;
-	int ret;
 	
 	memset (&hints, 0, sizeof(hints));
 	hints.ai_flags = AI_CANONNAME;
@@ -781,7 +886,7 @@ krb5_425_conv_principal_ext(krb5_context context,
 				      NULL);
 	    free (inst);
 	    if(ret == 0) {
-		if(func == NULL || (*func)(context, pr)){
+		if(func == NULL || (*func)(context, funcctx, pr)){
 		    *princ = pr;
 		    return 0;
 		}
@@ -793,7 +898,7 @@ krb5_425_conv_principal_ext(krb5_context context,
 	snprintf(host, sizeof(host), "%s.%s", instance, realm);
 	strlwr(host);
 	ret = krb5_make_principal(context, &pr, realm, name, host, NULL);
-	if((*func)(context, pr)){
+	if((*func)(context, funcctx, pr)){
 	    *princ = pr;
 	    return 0;
 	}
@@ -820,7 +925,7 @@ krb5_425_conv_principal_ext(krb5_context context,
 	for(d = domains; d && *d; d++){
 	    snprintf(host, sizeof(host), "%s.%s", instance, *d);
 	    ret = krb5_make_principal(context, &pr, realm, name, host, NULL);
-	    if(func == NULL || (*func)(context, pr)){
+	    if(func == NULL || (*func)(context, funcctx, pr)){
 		*princ = pr;
 		krb5_config_free_strings(domains);
 		return 0;
@@ -844,7 +949,7 @@ krb5_425_conv_principal_ext(krb5_context context,
     snprintf(host, sizeof(host), "%s.%s", instance, p);
 local_host:
     ret = krb5_make_principal(context, &pr, realm, name, host, NULL);
-    if(func == NULL || (*func)(context, pr)){
+    if(func == NULL || (*func)(context, funcctx, pr)){
 	*princ = pr;
 	return 0;
     }
@@ -870,7 +975,7 @@ no_host:
 	name = p;
     
     ret = krb5_make_principal(context, &pr, realm, name, instance, NULL);
-    if(func == NULL || (*func)(context, pr)){
+    if(func == NULL || (*func)(context, funcctx, pr)){
 	*princ = pr;
 	return 0;
     }
@@ -879,7 +984,35 @@ no_host:
     return HEIM_ERR_V4_PRINC_NO_CONV;
 }
 
-krb5_error_code
+static krb5_boolean
+convert_func(krb5_context conxtext, void *funcctx, krb5_principal principal)
+{
+    krb5_boolean (*func)(krb5_context, krb5_principal) = funcctx;
+    return (*func)(conxtext, principal);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_425_conv_principal_ext(krb5_context context,
+			    const char *name,
+			    const char *instance,
+			    const char *realm,
+			    krb5_boolean (*func)(krb5_context, krb5_principal),
+			    krb5_boolean resolve,
+			    krb5_principal *principal)
+{
+    return krb5_425_conv_principal_ext2(context,
+					name,
+					instance,
+					realm,
+					func ? convert_func : NULL,
+					func,
+					resolve,
+					principal);
+}
+
+
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_425_conv_principal(krb5_context context,
 			const char *name,
 			const char *instance,
@@ -972,7 +1105,7 @@ name_convert(krb5_context context, const char *name, const char *realm,
  * three parameters.  They have to be 40 bytes each (ANAME_SZ).
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_524_conv_principal(krb5_context context,
 			const krb5_principal principal,
 			char *name, 
@@ -1043,7 +1176,7 @@ krb5_524_conv_principal(krb5_context context,
  * Create a principal in `ret_princ' for the service `sname' running
  * on host `hostname'.  */
 			
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_sname_to_principal (krb5_context context,
 			 const char *hostname,
 			 const char *sname,
@@ -1085,3 +1218,37 @@ krb5_sname_to_principal (krb5_context context,
     krb5_free_host_realm(context, realms);
     return ret;
 }
+
+static const struct {
+    const char *type;
+    int32_t value;
+} nametypes[] = {
+    { "UNKNOWN", KRB5_NT_UNKNOWN },
+    { "PRINCIPAL", KRB5_NT_PRINCIPAL },
+    { "SRV_INST", KRB5_NT_SRV_INST },
+    { "SRV_HST", KRB5_NT_SRV_HST },
+    { "SRV_XHST", KRB5_NT_SRV_XHST },
+    { "UID", KRB5_NT_UID },
+    { "X500_PRINCIPAL", KRB5_NT_X500_PRINCIPAL },
+    { "SMTP_NAME", KRB5_NT_SMTP_NAME },
+    { "ENTERPRISE_PRINCIPAL", KRB5_NT_ENTERPRISE_PRINCIPAL },
+    { "ENT_PRINCIPAL_AND_ID", KRB5_NT_ENT_PRINCIPAL_AND_ID },
+    { "MS_PRINCIPAL", KRB5_NT_MS_PRINCIPAL },
+    { "MS_PRINCIPAL_AND_ID", KRB5_NT_MS_PRINCIPAL_AND_ID },
+    { NULL }
+};
+
+krb5_error_code
+krb5_parse_nametype(krb5_context context, const char *str, int32_t *nametype)
+{
+    size_t i;
+    
+    for(i = 0; nametypes[i].type; i++) {
+	if (strcasecmp(nametypes[i].type, str) == 0) {
+	    *nametype = nametypes[i].value;
+	    return 0;
+	}
+    }
+    krb5_set_error_string(context, "Failed to find name type %s", str);
+    return KRB5_PARSE_MALFORMED;
+}
diff --git a/crypto/heimdal/lib/krb5/prog_setup.c b/crypto/heimdal/lib/krb5/prog_setup.c
index 3f5efb6..0586155 100644
--- a/crypto/heimdal/lib/krb5/prog_setup.c
+++ b/crypto/heimdal/lib/krb5/prog_setup.c
@@ -35,22 +35,22 @@
 #include <getarg.h>
 #include <err.h>
 
-RCSID("$Id: prog_setup.c,v 1.9 2001/02/20 01:44:54 assar Exp $");
+RCSID("$Id: prog_setup.c 15470 2005-06-17 04:29:41Z lha $");
 
-void
+void KRB5_LIB_FUNCTION
 krb5_std_usage(int code, struct getargs *args, int num_args)
 {
     arg_printusage(args, num_args, NULL, "");
     exit(code);
 }
 
-int
+int KRB5_LIB_FUNCTION
 krb5_program_setup(krb5_context *context, int argc, char **argv,
 		   struct getargs *args, int num_args, 
 		   void (*usage)(int, struct getargs*, int))
 {
     krb5_error_code ret;
-    int optind = 0;
+    int optidx = 0;
 
     if(usage == NULL)
 	usage = krb5_std_usage;
@@ -60,7 +60,7 @@ krb5_program_setup(krb5_context *context, int argc, char **argv,
     if (ret)
 	errx (1, "krb5_init_context failed: %d", ret);
     
-    if(getarg(args, num_args, argc, argv, &optind))
+    if(getarg(args, num_args, argc, argv, &optidx))
 	(*usage)(1, args, num_args);
-    return optind;
+    return optidx;
 }
diff --git a/crypto/heimdal/lib/krb5/prompter_posix.c b/crypto/heimdal/lib/krb5/prompter_posix.c
index 4aea3a4..e0f407f 100644
--- a/crypto/heimdal/lib/krb5/prompter_posix.c
+++ b/crypto/heimdal/lib/krb5/prompter_posix.c
@@ -33,9 +33,9 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: prompter_posix.c,v 1.7 2002/09/16 17:32:11 nectar Exp $");
+RCSID("$Id: prompter_posix.c 13863 2004-05-25 21:46:46Z lha $");
 
-int
+int KRB5_LIB_FUNCTION
 krb5_prompter_posix (krb5_context context,
 		     void *data,
 		     const char *name,
@@ -49,9 +49,11 @@ krb5_prompter_posix (krb5_context context,
 	fprintf (stderr, "%s\n", name);
     if (banner)
 	fprintf (stderr, "%s\n", banner);
+    if (name || banner)
+	fflush(stderr);
     for (i = 0; i < num_prompts; ++i) {
 	if (prompts[i].hidden) {
-	    if(des_read_pw_string(prompts[i].reply->data,
+	    if(UI_UTIL_read_pw_string(prompts[i].reply->data,
 				  prompts[i].reply->length,
 				  prompts[i].prompt,
 				  0))
diff --git a/crypto/heimdal/lib/krb5/rd_cred.c b/crypto/heimdal/lib/krb5/rd_cred.c
index 4a7d74c..c3f7322 100644
--- a/crypto/heimdal/lib/krb5/rd_cred.c
+++ b/crypto/heimdal/lib/krb5/rd_cred.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,14 +33,32 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: rd_cred.c,v 1.18 2002/09/04 16:26:05 joda Exp $");
+RCSID("$Id: rd_cred.c 20304 2007-04-11 11:15:05Z lha $");
 
-krb5_error_code
+static krb5_error_code
+compare_addrs(krb5_context context,
+	      krb5_address *a,
+	      krb5_address *b,
+	      const char *message)
+{
+    char a_str[64], b_str[64];
+    size_t len;
+
+    if(krb5_address_compare (context, a, b))
+	return 0;
+
+    krb5_print_address (a, a_str, sizeof(a_str), &len);
+    krb5_print_address (b, b_str, sizeof(b_str), &len);
+    krb5_set_error_string(context, "%s: %s != %s", message, b_str, a_str);
+    return KRB5KRB_AP_ERR_BADADDR;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rd_cred(krb5_context context,
 	     krb5_auth_context auth_context,
 	     krb5_data *in_data,
 	     krb5_creds ***ret_creds,
-	     krb5_replay_data *out_data)
+	     krb5_replay_data *outdata)
 {
     krb5_error_code ret;
     size_t len;
@@ -50,12 +68,21 @@ krb5_rd_cred(krb5_context context,
     krb5_crypto crypto;
     int i;
 
+    memset(&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part));
+
+    if ((auth_context->flags & 
+	 (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+	outdata == NULL)
+	return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
+
     *ret_creds = NULL;
 
     ret = decode_KRB_CRED(in_data->data, in_data->length, 
 			  &cred, &len);
-    if(ret)
+    if(ret) {
+	krb5_clear_error_string(context);
 	return ret;
+    }
 
     if (cred.pvno != 5) {
 	ret = KRB5KRB_AP_ERR_BADVERSION;
@@ -70,28 +97,53 @@ krb5_rd_cred(krb5_context context,
     }
 
     if (cred.enc_part.etype == ETYPE_NULL) {  
-       /* DK: MIT GSS-API Compatibility */
-       enc_krb_cred_part_data.length = cred.enc_part.cipher.length;
-       enc_krb_cred_part_data.data   = cred.enc_part.cipher.data;
+	/* DK: MIT GSS-API Compatibility */
+	enc_krb_cred_part_data.length = cred.enc_part.cipher.length;
+	enc_krb_cred_part_data.data   = cred.enc_part.cipher.data;
     } else {
-	if (auth_context->remote_subkey)
+	/* Try both subkey and session key.
+	 * 
+	 * RFC4120 claims we should use the session key, but Heimdal
+	 * before 0.8 used the remote subkey if it was send in the
+	 * auth_context.
+	 */
+
+	if (auth_context->remote_subkey) {
 	    ret = krb5_crypto_init(context, auth_context->remote_subkey,
 				   0, &crypto);
-	else
+	    if (ret)
+		goto out;
+
+	    ret = krb5_decrypt_EncryptedData(context,
+					     crypto,
+					     KRB5_KU_KRB_CRED,
+					     &cred.enc_part,
+					     &enc_krb_cred_part_data);
+	    
+	    krb5_crypto_destroy(context, crypto);
+	}
+
+	/* 
+	 * If there was not subkey, or we failed using subkey, 
+	 * retry using the session key
+	 */
+	if (auth_context->remote_subkey == NULL || ret == KRB5KRB_AP_ERR_BAD_INTEGRITY)
+	{
+
 	    ret = krb5_crypto_init(context, auth_context->keyblock,
 				   0, &crypto);
-          /* DK: MIT rsh */
 
-	if (ret)
-	    goto out;
-       
-	ret = krb5_decrypt_EncryptedData(context,
-					 crypto,
-					 KRB5_KU_KRB_CRED,
-					 &cred.enc_part,
-					 &enc_krb_cred_part_data);
-       
-	krb5_crypto_destroy(context, crypto);
+	    if (ret)
+		goto out;
+	    
+	    ret = krb5_decrypt_EncryptedData(context,
+					     crypto,
+					     KRB5_KU_KRB_CRED,
+					     &cred.enc_part,
+					     &enc_krb_cred_part_data);
+	    
+	    krb5_crypto_destroy(context, crypto);
+	}
 	if (ret)
 	    goto out;
     }
@@ -101,6 +153,8 @@ krb5_rd_cred(krb5_context context,
 				      enc_krb_cred_part_data.length,
 				      &enc_krb_cred_part,
 				      &len);
+    if (enc_krb_cred_part_data.data != cred.enc_part.cipher.data)
+	krb5_data_free(&enc_krb_cred_part_data);
     if (ret)
 	goto out;
 
@@ -110,7 +164,6 @@ krb5_rd_cred(krb5_context context,
 	&& auth_context->remote_address
 	&& auth_context->remote_port) {
 	krb5_address *a;
-	int cmp;
 
 	ret = krb5_make_addrport (context, &a,
 				  auth_context->remote_address,
@@ -119,18 +172,12 @@ krb5_rd_cred(krb5_context context,
 	    goto out;
 
 
-	cmp = krb5_address_compare (context,
-				    a,
-				    enc_krb_cred_part.s_address);
-
-	krb5_free_address (context, a);
-	free (a);
-
-	if (cmp == 0) {
-	    krb5_clear_error_string (context);
-	    ret = KRB5KRB_AP_ERR_BADADDR;
+	ret = compare_addrs(context, a, enc_krb_cred_part.s_address, 
+			    "sender address is wrong in received creds");
+	krb5_free_address(context, a);
+	free(a);
+	if(ret)
 	    goto out;
-	}
     }
 
     /* check receiver address */
@@ -140,32 +187,24 @@ krb5_rd_cred(krb5_context context,
 	if(auth_context->local_port &&
 	   enc_krb_cred_part.r_address->addr_type == KRB5_ADDRESS_ADDRPORT) {
 	    krb5_address *a;
-	    int cmp;
 	    ret = krb5_make_addrport (context, &a,
 				      auth_context->local_address,
 				      auth_context->local_port);
 	    if (ret)
 		goto out;
 	    
-	    cmp = krb5_address_compare (context,
-					a,
-					enc_krb_cred_part.r_address);
-	    krb5_free_address (context, a);
-	    free (a);
-	    
-	    if (cmp == 0) {
-		krb5_clear_error_string (context);
-		ret = KRB5KRB_AP_ERR_BADADDR;
+	    ret = compare_addrs(context, a, enc_krb_cred_part.r_address, 
+				"receiver address is wrong in received creds");
+	    krb5_free_address(context, a);
+	    free(a);
+	    if(ret)
 		goto out;
-	    }
 	} else {
-	    if(!krb5_address_compare (context,
-				      auth_context->local_address,
-				      enc_krb_cred_part.r_address)) {
-		krb5_clear_error_string (context);
-		ret = KRB5KRB_AP_ERR_BADADDR;
+	    ret = compare_addrs(context, auth_context->local_address,
+				enc_krb_cred_part.r_address,
+				"receiver address is wrong in received creds");
+	    if(ret)
 		goto out;
-	    }		
 	}
     }
 
@@ -185,25 +224,23 @@ krb5_rd_cred(krb5_context context,
 	}
     }
 
-    if(out_data != NULL) {
+    if ((auth_context->flags & 
+	 (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) {
+	/* if these fields are not present in the cred-part, silently
+           return zero */
+	memset(outdata, 0, sizeof(*outdata));
 	if(enc_krb_cred_part.timestamp)
-	    out_data->timestamp = *enc_krb_cred_part.timestamp;
-	else 
-	    out_data->timestamp = 0;
+	    outdata->timestamp = *enc_krb_cred_part.timestamp;
 	if(enc_krb_cred_part.usec)
-	    out_data->usec = *enc_krb_cred_part.usec;
-	else 
-	    out_data->usec = 0;
+	    outdata->usec = *enc_krb_cred_part.usec;
 	if(enc_krb_cred_part.nonce)
-	    out_data->seq = *enc_krb_cred_part.nonce;
-	else 
-	    out_data->seq = 0;
+	    outdata->seq = *enc_krb_cred_part.nonce;
     }
     
     /* Convert to NULL terminated list of creds */
 
     *ret_creds = calloc(enc_krb_cred_part.ticket_info.len + 1, 
-		       sizeof(**ret_creds));
+			sizeof(**ret_creds));
 
     if (*ret_creds == NULL) {
 	ret = ENOMEM;
@@ -214,7 +251,6 @@ krb5_rd_cred(krb5_context context,
     for (i = 0; i < enc_krb_cred_part.ticket_info.len; ++i) {
 	KrbCredInfo *kci = &enc_krb_cred_part.ticket_info.val[i];
 	krb5_creds *creds;
-	size_t len;
 
 	creds = calloc(1, sizeof(*creds));
 	if(creds == NULL) {
@@ -225,15 +261,18 @@ krb5_rd_cred(krb5_context context,
 
 	ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length, 
 			   &cred.tickets.val[i], &len, ret);
-	if (ret)
+	if (ret) {
+	    free(creds);
 	    goto out;
+	}
 	if(creds->ticket.length != len)
 	    krb5_abortx(context, "internal error in ASN.1 encoder");
 	copy_EncryptionKey (&kci->key, &creds->session);
 	if (kci->prealm && kci->pname)
-	    principalname2krb5_principal (&creds->client,
-					  *kci->pname,
-					  *kci->prealm);
+	    _krb5_principalname2krb5_principal (context,
+						&creds->client,
+						*kci->pname,
+						*kci->prealm);
 	if (kci->flags)
 	    creds->flags.b = *kci->flags;
 	if (kci->authtime)
@@ -245,9 +284,10 @@ krb5_rd_cred(krb5_context context,
 	if (kci->renew_till)
 	    creds->times.renew_till = *kci->renew_till;
 	if (kci->srealm && kci->sname)
-	    principalname2krb5_principal (&creds->server,
-					  *kci->sname,
-					  *kci->srealm);
+	    _krb5_principalname2krb5_principal (context,
+						&creds->server,
+						*kci->sname,
+						*kci->srealm);
 	if (kci->caddr)
 	    krb5_copy_addresses (context,
 				 kci->caddr,
@@ -257,19 +297,25 @@ krb5_rd_cred(krb5_context context,
 	
     }
     (*ret_creds)[i] = NULL;
+
+    free_KRB_CRED (&cred);
+    free_EncKrbCredPart(&enc_krb_cred_part);
+
     return 0;
 
-out:
+  out:
+    free_EncKrbCredPart(&enc_krb_cred_part);
     free_KRB_CRED (&cred);
     if(*ret_creds) {
 	for(i = 0; (*ret_creds)[i]; i++)
 	    krb5_free_creds(context, (*ret_creds)[i]);
 	free(*ret_creds);
+	*ret_creds = NULL;
     }
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rd_cred2 (krb5_context      context,
 	       krb5_auth_context auth_context,
 	       krb5_ccache       ccache,
diff --git a/crypto/heimdal/lib/krb5/rd_error.c b/crypto/heimdal/lib/krb5/rd_error.c
index ca02f3d..e764646 100644
--- a/crypto/heimdal/lib/krb5/rd_error.c
+++ b/crypto/heimdal/lib/krb5/rd_error.c
@@ -33,11 +33,11 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: rd_error.c,v 1.6 2001/05/15 06:35:10 assar Exp $");
+RCSID("$Id: rd_error.c 21057 2007-06-12 17:22:31Z lha $");
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rd_error(krb5_context context,
-	      krb5_data *msg,
+	      const krb5_data *msg,
 	      KRB_ERROR *result)
 {
     
@@ -45,20 +45,23 @@ krb5_rd_error(krb5_context context,
     krb5_error_code ret;
 
     ret = decode_KRB_ERROR(msg->data, msg->length, result, &len);
-    if(ret)
+    if(ret) {
+	krb5_clear_error_string(context);
 	return ret;
+    }
     result->error_code += KRB5KDC_ERR_NONE;
     return 0;
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_free_error_contents (krb5_context context,
 			  krb5_error *error)
 {
     free_KRB_ERROR(error);
+    memset(error, 0, sizeof(*error));
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_free_error (krb5_context context,
 		 krb5_error *error)
 {
@@ -66,7 +69,7 @@ krb5_free_error (krb5_context context,
     free (error);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_error_from_rd_error(krb5_context context,
 			 const krb5_error *error,
 			 const krb5_creds *creds)
diff --git a/crypto/heimdal/lib/krb5/rd_priv.c b/crypto/heimdal/lib/krb5/rd_priv.c
index 36ffed5..ed7a2cc 100644
--- a/crypto/heimdal/lib/krb5/rd_priv.c
+++ b/crypto/heimdal/lib/krb5/rd_priv.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,130 +33,153 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: rd_priv.c,v 1.29 2001/06/18 02:46:15 assar Exp $");
+RCSID("$Id: rd_priv.c 21751 2007-07-31 20:42:20Z lha $");
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rd_priv(krb5_context context,
 	     krb5_auth_context auth_context,
 	     const krb5_data *inbuf,
 	     krb5_data *outbuf,
-	     /*krb5_replay_data*/ void *outdata)
+	     krb5_replay_data *outdata)
 {
-  krb5_error_code ret;
-  KRB_PRIV priv;
-  EncKrbPrivPart part;
-  size_t len;
-  krb5_data plain;
-  krb5_keyblock *key;
-  krb5_crypto crypto;
-
-  memset(&priv, 0, sizeof(priv));
-  ret = decode_KRB_PRIV (inbuf->data, inbuf->length, &priv, &len);
-  if (ret) 
-      goto failure;
-  if (priv.pvno != 5) {
-      krb5_clear_error_string (context);
-      ret = KRB5KRB_AP_ERR_BADVERSION;
-      goto failure;
-  }
-  if (priv.msg_type != krb_priv) {
-      krb5_clear_error_string (context);
-      ret = KRB5KRB_AP_ERR_MSG_TYPE;
-      goto failure;
-  }
-
-  if (auth_context->remote_subkey)
-      key = auth_context->remote_subkey;
-  else if (auth_context->local_subkey)
-      key = auth_context->local_subkey;
-  else
-      key = auth_context->keyblock;
-
-  ret = krb5_crypto_init(context, key, 0, &crypto);
-  if (ret)
-      goto failure;
-  ret = krb5_decrypt_EncryptedData(context,
-				   crypto,
-				   KRB5_KU_KRB_PRIV,
-				   &priv.enc_part,
-				   &plain);
-  krb5_crypto_destroy(context, crypto);
-  if (ret) 
-      goto failure;
-
-  ret = decode_EncKrbPrivPart (plain.data, plain.length, &part, &len);
-  krb5_data_free (&plain);
-  if (ret) 
-      goto failure;
+    krb5_error_code ret;
+    KRB_PRIV priv;
+    EncKrbPrivPart part;
+    size_t len;
+    krb5_data plain;
+    krb5_keyblock *key;
+    krb5_crypto crypto;
+
+    if (outbuf)
+	krb5_data_zero(outbuf);
+
+    if ((auth_context->flags & 
+	 (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+	outdata == NULL) {
+	krb5_clear_error_string (context);
+	return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
+    }
+
+    memset(&priv, 0, sizeof(priv));
+    ret = decode_KRB_PRIV (inbuf->data, inbuf->length, &priv, &len);
+    if (ret) {
+	krb5_clear_error_string (context);
+	goto failure;
+    }
+    if (priv.pvno != 5) {
+	krb5_clear_error_string (context);
+	ret = KRB5KRB_AP_ERR_BADVERSION;
+	goto failure;
+    }
+    if (priv.msg_type != krb_priv) {
+	krb5_clear_error_string (context);
+	ret = KRB5KRB_AP_ERR_MSG_TYPE;
+	goto failure;
+    }
+
+    if (auth_context->remote_subkey)
+	key = auth_context->remote_subkey;
+    else if (auth_context->local_subkey)
+	key = auth_context->local_subkey;
+    else
+	key = auth_context->keyblock;
+
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret)
+	goto failure;
+    ret = krb5_decrypt_EncryptedData(context,
+				     crypto,
+				     KRB5_KU_KRB_PRIV,
+				     &priv.enc_part,
+				     &plain);
+    krb5_crypto_destroy(context, crypto);
+    if (ret) 
+	goto failure;
+
+    ret = decode_EncKrbPrivPart (plain.data, plain.length, &part, &len);
+    krb5_data_free (&plain);
+    if (ret) {
+	krb5_clear_error_string (context);
+	goto failure;
+    }
   
-  /* check sender address */
-
-  if (part.s_address
-      && auth_context->remote_address
-      && !krb5_address_compare (context,
-				auth_context->remote_address,
-				part.s_address)) {
-      krb5_clear_error_string (context);
-      ret = KRB5KRB_AP_ERR_BADADDR;
-      goto failure_part;
-  }
-
-  /* check receiver address */
-
-  if (part.r_address
-      && auth_context->local_address
-      && !krb5_address_compare (context,
-				auth_context->local_address,
-				part.r_address)) {
-      krb5_clear_error_string (context);
-      ret = KRB5KRB_AP_ERR_BADADDR;
-      goto failure_part;
-  }
-
-  /* check timestamp */
-  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
-      krb5_timestamp sec;
-
-      krb5_timeofday (context, &sec);
-      if (part.timestamp == NULL ||
-	  part.usec      == NULL ||
-	  abs(*part.timestamp - sec) > context->max_skew) {
-	  krb5_clear_error_string (context);
-	  ret = KRB5KRB_AP_ERR_SKEW;
-	  goto failure_part;
-      }
-  }
-
-  /* XXX - check replay cache */
-
-  /* check sequence number. since MIT krb5 cannot generate a sequence
-     number of zero but instead generates no sequence number, we accept that
-  */
-
-  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
-      if ((part.seq_number == NULL
-	   && auth_context->remote_seqnumber != 0)
-	  || (part.seq_number != NULL
-	      && *part.seq_number != auth_context->remote_seqnumber)) {
-	  krb5_clear_error_string (context);
-	  ret = KRB5KRB_AP_ERR_BADORDER;
-	  goto failure_part;
-      }
-      auth_context->remote_seqnumber++;
-  }
-
-  ret = krb5_data_copy (outbuf, part.user_data.data, part.user_data.length);
-  if (ret)
-      goto failure_part;
-
-  free_EncKrbPrivPart (&part);
-  free_KRB_PRIV (&priv);
-  return 0;
-
-failure_part:
-  free_EncKrbPrivPart (&part);
-
-failure:
-  free_KRB_PRIV (&priv);
-  return ret;
+    /* check sender address */
+
+    if (part.s_address
+	&& auth_context->remote_address
+	&& !krb5_address_compare (context,
+				  auth_context->remote_address,
+				  part.s_address)) {
+	krb5_clear_error_string (context);
+	ret = KRB5KRB_AP_ERR_BADADDR;
+	goto failure_part;
+    }
+
+    /* check receiver address */
+
+    if (part.r_address
+	&& auth_context->local_address
+	&& !krb5_address_compare (context,
+				  auth_context->local_address,
+				  part.r_address)) {
+	krb5_clear_error_string (context);
+	ret = KRB5KRB_AP_ERR_BADADDR;
+	goto failure_part;
+    }
+
+    /* check timestamp */
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
+	krb5_timestamp sec;
+
+	krb5_timeofday (context, &sec);
+	if (part.timestamp == NULL ||
+	    part.usec      == NULL ||
+	    abs(*part.timestamp - sec) > context->max_skew) {
+	    krb5_clear_error_string (context);
+	    ret = KRB5KRB_AP_ERR_SKEW;
+	    goto failure_part;
+	}
+    }
+
+    /* XXX - check replay cache */
+
+    /* check sequence number. since MIT krb5 cannot generate a sequence
+       number of zero but instead generates no sequence number, we accept that
+    */
+
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+	if ((part.seq_number == NULL
+	     && auth_context->remote_seqnumber != 0)
+	    || (part.seq_number != NULL
+		&& *part.seq_number != auth_context->remote_seqnumber)) {
+	    krb5_clear_error_string (context);
+	    ret = KRB5KRB_AP_ERR_BADORDER;
+	    goto failure_part;
+	}
+	auth_context->remote_seqnumber++;
+    }
+
+    ret = krb5_data_copy (outbuf, part.user_data.data, part.user_data.length);
+    if (ret)
+	goto failure_part;
+
+    if ((auth_context->flags & 
+	 (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) {
+	/* if these fields are not present in the priv-part, silently
+           return zero */
+	memset(outdata, 0, sizeof(*outdata));
+	if(part.timestamp)
+	    outdata->timestamp = *part.timestamp;
+	if(part.usec)
+	    outdata->usec = *part.usec;
+	if(part.seq_number)
+	    outdata->seq = *part.seq_number;
+    }
+
+  failure_part:
+    free_EncKrbPrivPart (&part);
+
+  failure:
+    free_KRB_PRIV (&priv);
+    return ret;
 }
diff --git a/crypto/heimdal/lib/krb5/rd_rep.c b/crypto/heimdal/lib/krb5/rd_rep.c
index 7f947de..8c9b7bb 100644
--- a/crypto/heimdal/lib/krb5/rd_rep.c
+++ b/crypto/heimdal/lib/krb5/rd_rep.c
@@ -33,85 +33,92 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: rd_rep.c,v 1.22 2001/06/18 02:46:53 assar Exp $");
+RCSID("$Id: rd_rep.c 17890 2006-08-21 09:19:22Z lha $");
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rd_rep(krb5_context context,
 	    krb5_auth_context auth_context,
 	    const krb5_data *inbuf,
 	    krb5_ap_rep_enc_part **repl)
 {
-  krb5_error_code ret;
-  AP_REP ap_rep;
-  size_t len;
-  krb5_data data;
-  krb5_crypto crypto;
+    krb5_error_code ret;
+    AP_REP ap_rep;
+    size_t len;
+    krb5_data data;
+    krb5_crypto crypto;
 
-  krb5_data_zero (&data);
-  ret = 0;
+    krb5_data_zero (&data);
+    ret = 0;
 
-  ret = decode_AP_REP(inbuf->data, inbuf->length, &ap_rep, &len);
-  if (ret)
-      return ret;
-  if (ap_rep.pvno != 5) {
-    ret = KRB5KRB_AP_ERR_BADVERSION;
-    krb5_clear_error_string (context);
-    goto out;
-  }
-  if (ap_rep.msg_type != krb_ap_rep) {
-    ret = KRB5KRB_AP_ERR_MSG_TYPE;
-    krb5_clear_error_string (context);
-    goto out;
-  }
+    ret = decode_AP_REP(inbuf->data, inbuf->length, &ap_rep, &len);
+    if (ret)
+	return ret;
+    if (ap_rep.pvno != 5) {
+	ret = KRB5KRB_AP_ERR_BADVERSION;
+	krb5_clear_error_string (context);
+	goto out;
+    }
+    if (ap_rep.msg_type != krb_ap_rep) {
+	ret = KRB5KRB_AP_ERR_MSG_TYPE;
+	krb5_clear_error_string (context);
+	goto out;
+    }
 
-  ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
-  if (ret)
-      goto out;
-  ret = krb5_decrypt_EncryptedData (context, 
-				    crypto,	
-				    KRB5_KU_AP_REQ_ENC_PART,
-				    &ap_rep.enc_part,
-				    &data);
-  krb5_crypto_destroy(context, crypto);
-  if (ret)
-      goto out;
+    ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
+    if (ret)
+	goto out;
+    ret = krb5_decrypt_EncryptedData (context, 
+				      crypto,	
+				      KRB5_KU_AP_REQ_ENC_PART,
+				      &ap_rep.enc_part,
+				      &data);
+    krb5_crypto_destroy(context, crypto);
+    if (ret)
+	goto out;
 
-  *repl = malloc(sizeof(**repl));
-  if (*repl == NULL) {
-    ret = ENOMEM;
-    krb5_set_error_string (context, "malloc: out of memory");
-    goto out;
-  }
-  ret = krb5_decode_EncAPRepPart(context,
-				 data.data,
-				 data.length,
-				 *repl, 
-				 &len);
-  if (ret)
-      return ret;
+    *repl = malloc(sizeof(**repl));
+    if (*repl == NULL) {
+	ret = ENOMEM;
+	krb5_set_error_string (context, "malloc: out of memory");
+	goto out;
+    }
+    ret = krb5_decode_EncAPRepPart(context,
+				   data.data,
+				   data.length,
+				   *repl, 
+				   &len);
+    if (ret)
+	return ret;
   
-  if ((*repl)->ctime != auth_context->authenticator->ctime ||
-      (*repl)->cusec != auth_context->authenticator->cusec) {
-    ret = KRB5KRB_AP_ERR_MUT_FAIL;
-    krb5_clear_error_string (context);
-    goto out;
-  }
-  if ((*repl)->seq_number)
-      krb5_auth_con_setremoteseqnumber(context, auth_context,
-				       *((*repl)->seq_number));
-  if ((*repl)->subkey)
-    krb5_auth_con_setremotesubkey(context, auth_context, (*repl)->subkey);
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) { 
+	if ((*repl)->ctime != auth_context->authenticator->ctime ||
+	    (*repl)->cusec != auth_context->authenticator->cusec) 
+	{
+	    krb5_free_ap_rep_enc_part(context, *repl);
+	    *repl = NULL;
+	    ret = KRB5KRB_AP_ERR_MUT_FAIL;
+	    krb5_clear_error_string (context);
+	    goto out;
+	}
+    }
+    if ((*repl)->seq_number)
+	krb5_auth_con_setremoteseqnumber(context, auth_context,
+					 *((*repl)->seq_number));
+    if ((*repl)->subkey)
+	krb5_auth_con_setremotesubkey(context, auth_context, (*repl)->subkey);
   
-out:
-  krb5_data_free (&data);
-  free_AP_REP (&ap_rep);
-  return ret;
+ out:
+    krb5_data_free (&data);
+    free_AP_REP (&ap_rep);
+    return ret;
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_free_ap_rep_enc_part (krb5_context context,
 			   krb5_ap_rep_enc_part *val)
 {
-    free_EncAPRepPart (val);
-    free (val);
+    if (val) {
+	free_EncAPRepPart (val);
+	free (val);
+    }
 }
diff --git a/crypto/heimdal/lib/krb5/rd_req.c b/crypto/heimdal/lib/krb5/rd_req.c
index 590952e..0f33b97 100644
--- a/crypto/heimdal/lib/krb5/rd_req.c
+++ b/crypto/heimdal/lib/krb5/rd_req.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: rd_req.c,v 1.47.8.3 2003/10/21 20:10:33 lha Exp $");
+RCSID("$Id: rd_req.c 22235 2007-12-08 21:52:07Z lha $");
 
 static krb5_error_code
 decrypt_tkt_enc_part (krb5_context context,
@@ -101,7 +101,7 @@ decrypt_authenticator (krb5_context context,
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_decode_ap_req(krb5_context context,
 		   const krb5_data *inbuf,
 		   krb5_ap_req *ap_req)
@@ -136,6 +136,14 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc)
     int num_realms;
     krb5_error_code ret;
 	    
+    /* 
+     * Windows 2000 and 2003 uses this inside their TGT so it's normaly
+     * not seen by others, however, samba4 joined with a Windows AD as
+     * a Domain Controller gets exposed to this.
+     */
+    if(enc->transited.tr_type == 0 && enc->transited.contents.length == 0)
+	return 0;
+
     if(enc->transited.tr_type != DOMAIN_X500_COMPRESS)
 	return KRB5KDC_ERR_TRTYPE_NOSUPP;
 
@@ -155,7 +163,60 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc)
     return ret;
 }
 
-krb5_error_code
+static krb5_error_code
+find_etypelist(krb5_context context,
+	       krb5_auth_context auth_context,
+	       EtypeList *etypes)
+{
+    krb5_error_code ret;
+    krb5_authdata *ad;
+    krb5_authdata adIfRelevant;
+    unsigned i;
+
+    adIfRelevant.len = 0;
+
+    etypes->len = 0;
+    etypes->val = NULL;
+
+    ad = auth_context->authenticator->authorization_data;
+    if (ad == NULL)
+	return 0;
+
+    for (i = 0; i < ad->len; i++) {
+	if (ad->val[i].ad_type == KRB5_AUTHDATA_IF_RELEVANT) {
+	    ret = decode_AD_IF_RELEVANT(ad->val[i].ad_data.data,
+					ad->val[i].ad_data.length,
+					&adIfRelevant,
+					NULL);
+	    if (ret)
+		return ret;
+
+	    if (adIfRelevant.len == 1 &&
+		adIfRelevant.val[0].ad_type ==
+			KRB5_AUTHDATA_GSS_API_ETYPE_NEGOTIATION) {
+		break;
+	    }
+	    free_AD_IF_RELEVANT(&adIfRelevant);
+	    adIfRelevant.len = 0;
+	}
+    }
+
+    if (adIfRelevant.len == 0)
+	return 0;
+
+    ret = decode_EtypeList(adIfRelevant.val[0].ad_data.data,
+			   adIfRelevant.val[0].ad_data.length,
+			   etypes,
+			   NULL);
+    if (ret)
+	krb5_clear_error_string(context);
+
+    free_AD_IF_RELEVANT(&adIfRelevant);
+
+    return ret;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_decrypt_ticket(krb5_context context,
 		    Ticket *ticket,
 		    krb5_keyblock *key,
@@ -204,7 +265,7 @@ krb5_decrypt_ticket(krb5_context context,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_verify_authenticator_checksum(krb5_context context,
 				   krb5_auth_context ac,
 				   void *data,
@@ -220,8 +281,10 @@ krb5_verify_authenticator_checksum(krb5_context context,
 				      &authenticator);
     if(ret)
 	return ret;
-    if(authenticator->cksum == NULL)
+    if(authenticator->cksum == NULL) {
+	krb5_free_authenticator(context, &authenticator);
 	return -17;
+    }
     ret = krb5_auth_con_getkey(context, ac, &key);
     if(ret) {
 	krb5_free_authenticator(context, &authenticator);
@@ -244,7 +307,7 @@ out:
 }
 
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_verify_ap_req(krb5_context context,
 		   krb5_auth_context *auth_context,
 		   krb5_ap_req *ap_req,
@@ -265,7 +328,7 @@ krb5_verify_ap_req(krb5_context context,
 				KRB5_KU_AP_REQ_AUTH);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_verify_ap_req2(krb5_context context,
 		    krb5_auth_context *auth_context,
 		    krb5_ap_req *ap_req,
@@ -276,10 +339,14 @@ krb5_verify_ap_req2(krb5_context context,
 		    krb5_ticket **ticket,
 		    krb5_key_usage usage)
 {
-    krb5_ticket t;
+    krb5_ticket *t;
     krb5_auth_context ac;
     krb5_error_code ret;
+    EtypeList etypes;
     
+    if (ticket)
+	*ticket = NULL;
+
     if (auth_context && *auth_context) {
 	ac = *auth_context;
     } else {
@@ -288,69 +355,98 @@ krb5_verify_ap_req2(krb5_context context,
 	    return ret;
     }
 
+    t = calloc(1, sizeof(*t));
+    if (t == NULL) {
+	ret = ENOMEM;
+	krb5_clear_error_string (context);
+	goto out;
+    }
+
     if (ap_req->ap_options.use_session_key && ac->keyblock){
 	ret = krb5_decrypt_ticket(context, &ap_req->ticket, 
 				  ac->keyblock, 
-				  &t.ticket,
+				  &t->ticket,
 				  flags);
 	krb5_free_keyblock(context, ac->keyblock);
 	ac->keyblock = NULL;
     }else
 	ret = krb5_decrypt_ticket(context, &ap_req->ticket, 
 				  keyblock, 
-				  &t.ticket,
+				  &t->ticket,
 				  flags);
     
     if(ret)
 	goto out;
 
-    principalname2krb5_principal(&t.server, ap_req->ticket.sname, 
-				 ap_req->ticket.realm);
-    principalname2krb5_principal(&t.client, t.ticket.cname, 
-				 t.ticket.crealm);
+    ret = _krb5_principalname2krb5_principal(context,
+					     &t->server,
+					     ap_req->ticket.sname, 
+					     ap_req->ticket.realm);
+    if (ret) goto out;
+    ret = _krb5_principalname2krb5_principal(context,
+					     &t->client,
+					     t->ticket.cname, 
+					     t->ticket.crealm);
+    if (ret) goto out;
 
     /* save key */
 
-    krb5_copy_keyblock(context, &t.ticket.key, &ac->keyblock);
+    ret = krb5_copy_keyblock(context, &t->ticket.key, &ac->keyblock);
+    if (ret) goto out;
 
     ret = decrypt_authenticator (context,
-				 &t.ticket.key,
+				 &t->ticket.key,
 				 &ap_req->authenticator,
 				 ac->authenticator,
 				 usage);
     if (ret)
-	goto out2;
+	goto out;
 
     {
 	krb5_principal p1, p2;
 	krb5_boolean res;
 	
-	principalname2krb5_principal(&p1,
-				     ac->authenticator->cname,
-				     ac->authenticator->crealm);
-	principalname2krb5_principal(&p2, 
-				     t.ticket.cname,
-				     t.ticket.crealm);
+	_krb5_principalname2krb5_principal(context,
+					   &p1,
+					   ac->authenticator->cname,
+					   ac->authenticator->crealm);
+	_krb5_principalname2krb5_principal(context,
+					   &p2, 
+					   t->ticket.cname,
+					   t->ticket.crealm);
 	res = krb5_principal_compare (context, p1, p2);
 	krb5_free_principal (context, p1);
 	krb5_free_principal (context, p2);
 	if (!res) {
 	    ret = KRB5KRB_AP_ERR_BADMATCH;
 	    krb5_clear_error_string (context);
-	    goto out2;
+	    goto out;
 	}
     }
 
     /* check addresses */
 
-    if (t.ticket.caddr
+    if (t->ticket.caddr
 	&& ac->remote_address
 	&& !krb5_address_search (context,
 				 ac->remote_address,
-				 t.ticket.caddr)) {
+				 t->ticket.caddr)) {
 	ret = KRB5KRB_AP_ERR_BADADDR;
 	krb5_clear_error_string (context);
-	goto out2;
+	goto out;
+    }
+
+    /* check timestamp in authenticator */
+    {
+	krb5_timestamp now;
+
+	krb5_timeofday (context, &now);
+
+	if (abs(ac->authenticator->ctime - now) > context->max_skew) {
+	    ret = KRB5KRB_AP_ERR_SKEW;
+	    krb5_clear_error_string (context);
+	    goto out;
+	}
     }
 
     if (ac->authenticator->seq_number)
@@ -363,38 +459,226 @@ krb5_verify_ap_req2(krb5_context context,
 	ret = krb5_auth_con_setremotesubkey(context, ac,
 					    ac->authenticator->subkey);
 	if (ret)
-	    goto out2;
+	    goto out;
+    }
+
+    ret = find_etypelist(context, ac, &etypes);
+    if (ret)
+	goto out;
+
+    ac->keytype = ETYPE_NULL;
+
+    if (etypes.val) {
+	int i;
+
+	for (i = 0; i < etypes.len; i++) {
+	    if (krb5_enctype_valid(context, etypes.val[i]) == 0) {
+		ac->keytype = etypes.val[i];
+		break;
+	    }
+	}
     }
 
     if (ap_req_options) {
 	*ap_req_options = 0;
+	if (ac->keytype != ETYPE_NULL)
+	    *ap_req_options |= AP_OPTS_USE_SUBKEY;
 	if (ap_req->ap_options.use_session_key)
 	    *ap_req_options |= AP_OPTS_USE_SESSION_KEY;
 	if (ap_req->ap_options.mutual_required)
 	    *ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
     }
 
-    if(ticket){
-	*ticket = malloc(sizeof(**ticket));
-	**ticket = t;
-    } else
-	krb5_free_ticket (context, &t);
+    if(ticket)
+	*ticket = t;
+    else
+	krb5_free_ticket (context, t);
     if (auth_context) {
 	if (*auth_context == NULL)
 	    *auth_context = ac;
     } else
 	krb5_auth_con_free (context, ac);
+    free_EtypeList(&etypes);
     return 0;
- out2:
-    krb5_free_ticket (context, &t);
  out:
+    if (t)
+	krb5_free_ticket (context, t);
     if (auth_context == NULL || *auth_context == NULL)
 	krb5_auth_con_free (context, ac);
     return ret;
 }
 		   
+/*
+ *
+ */
+
+struct krb5_rd_req_in_ctx_data {
+    krb5_keytab keytab;
+    krb5_keyblock *keyblock;
+    krb5_boolean check_pac;
+};
+
+struct krb5_rd_req_out_ctx_data {
+    krb5_keyblock *keyblock;
+    krb5_flags ap_req_options;
+    krb5_ticket *ticket;
+};
+
+/*
+ *
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_in_ctx_alloc(krb5_context context, krb5_rd_req_in_ctx *ctx)
+{
+    *ctx = calloc(1, sizeof(**ctx));
+    if (*ctx == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    (*ctx)->check_pac = (context->flags & KRB5_CTX_F_CHECK_PAC) ? 1 : 0;
+    return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_in_set_keytab(krb5_context context, 
+			  krb5_rd_req_in_ctx in,
+			  krb5_keytab keytab)
+{
+    in->keytab = keytab; /* XXX should make copy */
+    return 0;
+}
+
+/**
+ * Set if krb5_rq_red() is going to check the Windows PAC or not
+ * 
+ * @param context Keberos 5 context.
+ * @param in krb5_rd_req_in_ctx to check the option on.
+ * @param flag flag to select if to check the pac (TRUE) or not (FALSE).
+ *
+ * @return Kerberos 5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_in_set_pac_check(krb5_context context, 
+			     krb5_rd_req_in_ctx in,
+			     krb5_boolean flag)
+{
+    in->check_pac = flag;
+    return 0;
+}
+
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_in_set_keyblock(krb5_context context, 
+			    krb5_rd_req_in_ctx in,
+			    krb5_keyblock *keyblock)
+{
+    in->keyblock = keyblock; /* XXX should make copy */
+    return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_out_get_ap_req_options(krb5_context context, 
+				   krb5_rd_req_out_ctx out,
+				   krb5_flags *ap_req_options)
+{
+    *ap_req_options = out->ap_req_options;
+    return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_out_get_ticket(krb5_context context, 
+			    krb5_rd_req_out_ctx out,
+			    krb5_ticket **ticket)
+{
+    return krb5_copy_ticket(context, out->ticket, ticket);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_out_get_keyblock(krb5_context context, 
+			    krb5_rd_req_out_ctx out,
+			    krb5_keyblock **keyblock)
+{
+    return krb5_copy_keyblock(context, out->keyblock, keyblock);
+}
+
+void  KRB5_LIB_FUNCTION
+krb5_rd_req_in_ctx_free(krb5_context context, krb5_rd_req_in_ctx ctx)
+{
+    free(ctx);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_rd_req_out_ctx_alloc(krb5_context context, krb5_rd_req_out_ctx *ctx)
+{
+    *ctx = calloc(1, sizeof(**ctx));
+    if (*ctx == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    return 0;
+}
+
+void  KRB5_LIB_FUNCTION
+krb5_rd_req_out_ctx_free(krb5_context context, krb5_rd_req_out_ctx ctx)
+{
+    krb5_free_keyblock(context, ctx->keyblock);
+    free(ctx);
+}
+
+/*
+ *
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req(krb5_context context,
+	    krb5_auth_context *auth_context,
+	    const krb5_data *inbuf,
+	    krb5_const_principal server,
+	    krb5_keytab keytab,
+	    krb5_flags *ap_req_options,
+	    krb5_ticket **ticket)
+{
+    krb5_error_code ret;
+    krb5_rd_req_in_ctx in;
+    krb5_rd_req_out_ctx out;
+
+    ret = krb5_rd_req_in_ctx_alloc(context, &in);
+    if (ret)
+	return ret;
+    
+    ret = krb5_rd_req_in_set_keytab(context, in, keytab);
+    if (ret) {
+	krb5_rd_req_in_ctx_free(context, in);
+	return ret;
+    }
+
+    ret = krb5_rd_req_ctx(context, auth_context, inbuf, server, in, &out);
+    krb5_rd_req_in_ctx_free(context, in);
+    if (ret)
+	return ret;
+
+    if (ap_req_options)
+	*ap_req_options = out->ap_req_options;
+    if (ticket) {
+	ret = krb5_copy_ticket(context, out->ticket, ticket);
+	if (ret)
+	    goto out;
+    }
+
+out:
+    krb5_rd_req_out_ctx_free(context, out);
+    return ret;
+}
+
+/*
+ *
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rd_req_with_keyblock(krb5_context context,
 			  krb5_auth_context *auth_context,
 			  const krb5_data *inbuf,
@@ -404,31 +688,41 @@ krb5_rd_req_with_keyblock(krb5_context context,
 			  krb5_ticket **ticket)
 {
     krb5_error_code ret;
-    krb5_ap_req ap_req;
+    krb5_rd_req_in_ctx in;
+    krb5_rd_req_out_ctx out;
 
-    if (*auth_context == NULL) {
-	ret = krb5_auth_con_init(context, auth_context);
-	if (ret)
-	    return ret;
+    ret = krb5_rd_req_in_ctx_alloc(context, &in);
+    if (ret)
+	return ret;
+    
+    ret = krb5_rd_req_in_set_keyblock(context, in, keyblock);
+    if (ret) {
+	krb5_rd_req_in_ctx_free(context, in);
+	return ret;
     }
 
-    ret = krb5_decode_ap_req(context, inbuf, &ap_req);
-    if(ret)
+    ret = krb5_rd_req_ctx(context, auth_context, inbuf, server, in, &out);
+    krb5_rd_req_in_ctx_free(context, in);
+    if (ret)
 	return ret;
 
-    ret = krb5_verify_ap_req(context,
-			     auth_context,
-			     &ap_req,
-			     server,
-			     keyblock,
-			     0,
-			     ap_req_options,
-			     ticket);
+    if (ap_req_options)
+	*ap_req_options = out->ap_req_options;
+    if (ticket) {
+	ret = krb5_copy_ticket(context, out->ticket, ticket);
+	if (ret)
+	    goto out;
+    }
 
-    free_AP_REQ(&ap_req);
+out:
+    krb5_rd_req_out_ctx_free(context, out);
     return ret;
 }
 
+/*
+ *
+ */
+
 static krb5_error_code
 get_key_from_keytab(krb5_context context,
 		    krb5_auth_context *auth_context,
@@ -469,34 +763,44 @@ out:
     return ret;
 }
 
-krb5_error_code
-krb5_rd_req(krb5_context context,
-	    krb5_auth_context *auth_context,
-	    const krb5_data *inbuf,
-	    krb5_const_principal server,
-	    krb5_keytab keytab,
-	    krb5_flags *ap_req_options,
-	    krb5_ticket **ticket)
+/*
+ *
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_ctx(krb5_context context,
+		krb5_auth_context *auth_context,
+		const krb5_data *inbuf,
+		krb5_const_principal server,
+		krb5_rd_req_in_ctx inctx,
+		krb5_rd_req_out_ctx *outctx)
 {
     krb5_error_code ret;
     krb5_ap_req ap_req;
-    krb5_keyblock *keyblock = NULL;
     krb5_principal service = NULL;
+    krb5_rd_req_out_ctx o = NULL;
+
+    ret = _krb5_rd_req_out_ctx_alloc(context, &o);
+    if (ret)
+	goto out;
 
     if (*auth_context == NULL) {
 	ret = krb5_auth_con_init(context, auth_context);
 	if (ret)
-	    return ret;
+	    goto out;
     }
 
     ret = krb5_decode_ap_req(context, inbuf, &ap_req);
     if(ret)
-	return ret;
+	goto out;
 
     if(server == NULL){
-	principalname2krb5_principal(&service,
-				     ap_req.ticket.sname,
-				     ap_req.ticket.realm);
+	ret = _krb5_principalname2krb5_principal(context,
+						 &service,
+						 ap_req.ticket.sname,
+						 ap_req.ticket.realm);
+	if (ret)
+	    goto out;
 	server = service;
     }
     if (ap_req.ap_options.use_session_key &&
@@ -507,36 +811,80 @@ krb5_rd_req(krb5_context context,
 	goto out;
     }
 
-    if((*auth_context)->keyblock == NULL){
+    if((*auth_context)->keyblock){
+	ret = krb5_copy_keyblock(context,
+				 (*auth_context)->keyblock,
+				 &o->keyblock);
+	if (ret)
+	    goto out;
+    } else if(inctx->keyblock){
+	ret = krb5_copy_keyblock(context,
+				 inctx->keyblock,
+				 &o->keyblock);
+	if (ret)
+	    goto out;
+    } else {
+	krb5_keytab keytab = NULL;
+
+	if (inctx && inctx->keytab)
+	    keytab = inctx->keytab;
+
 	ret = get_key_from_keytab(context, 
 				  auth_context, 
 				  &ap_req,
 				  server,
 				  keytab,
-				  &keyblock);
+				  &o->keyblock);
 	if(ret)
 	    goto out;
-    } else {
-	ret = krb5_copy_keyblock(context,
-				 (*auth_context)->keyblock,
-				 &keyblock);
-	if (ret)
-	    goto out;
     }
 
-    ret = krb5_verify_ap_req(context,
-			     auth_context,
-			     &ap_req,
-			     server,
-			     keyblock,
-			     0,
-			     ap_req_options,
-			     ticket);
+    ret = krb5_verify_ap_req2(context,
+			      auth_context,
+			      &ap_req,
+			      server,
+			      o->keyblock,
+			      0,
+			      &o->ap_req_options,
+			      &o->ticket,
+			      KRB5_KU_AP_REQ_AUTH);
 
-    if(keyblock != NULL)
-	krb5_free_keyblock(context, keyblock);
+    if (ret)
+	goto out;
 
+    /* If there is a PAC, verify its server signature */
+    if (inctx->check_pac) {
+	krb5_pac pac;
+	krb5_data data;
+
+	ret = krb5_ticket_get_authorization_data_type(context,
+						      o->ticket,
+						      KRB5_AUTHDATA_WIN2K_PAC,
+						      &data);
+	if (ret == 0) {
+	    ret = krb5_pac_parse(context, data.data, data.length, &pac);
+	    krb5_data_free(&data);
+	    if (ret)
+		goto out;
+	
+	    ret = krb5_pac_verify(context,
+				  pac, 
+				  o->ticket->ticket.authtime,
+				  o->ticket->client, 
+				  o->keyblock, 
+				  NULL);
+	    krb5_pac_free(context, pac);
+	    if (ret)
+		goto out;
+	}
+	ret = 0;
+    }
 out:
+    if (ret || outctx == NULL) {
+	krb5_rd_req_out_ctx_free(context, o);
+    } else 
+	*outctx = o;
+
     free_AP_REQ(&ap_req);
     if(service)
 	krb5_free_principal(context, service);
diff --git a/crypto/heimdal/lib/krb5/rd_safe.c b/crypto/heimdal/lib/krb5/rd_safe.c
index bbba237..b2fb5c5 100644
--- a/crypto/heimdal/lib/krb5/rd_safe.c
+++ b/crypto/heimdal/lib/krb5/rd_safe.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: rd_safe.c,v 1.27 2002/09/04 16:26:05 joda Exp $");
+RCSID("$Id: rd_safe.c 19827 2007-01-11 02:54:59Z lha $");
 
 static krb5_error_code
 verify_checksum(krb5_context context,
@@ -82,109 +82,132 @@ out:
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rd_safe(krb5_context context,
 	     krb5_auth_context auth_context,
 	     const krb5_data *inbuf,
 	     krb5_data *outbuf,
-	     /*krb5_replay_data*/ void *outdata)
+	     krb5_replay_data *outdata)
 {
-  krb5_error_code ret;
-  KRB_SAFE safe;
-  size_t len;
-
-  ret = decode_KRB_SAFE (inbuf->data, inbuf->length, &safe, &len);
-  if (ret) 
-      return ret;
-  if (safe.pvno != 5) {
-      ret = KRB5KRB_AP_ERR_BADVERSION;
-      krb5_clear_error_string (context);
-      goto failure;
-  }
-  if (safe.msg_type != krb_safe) {
-      ret = KRB5KRB_AP_ERR_MSG_TYPE;
-      krb5_clear_error_string (context);
-      goto failure;
-  }
-  if (!krb5_checksum_is_keyed(context, safe.cksum.cksumtype)
-      || !krb5_checksum_is_collision_proof(context, safe.cksum.cksumtype)) {
-      ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
-      krb5_clear_error_string (context);
-      goto failure;
-  }
-
-  /* check sender address */
-
-  if (safe.safe_body.s_address
-      && auth_context->remote_address
-      && !krb5_address_compare (context,
-				auth_context->remote_address,
-				safe.safe_body.s_address)) {
-      ret = KRB5KRB_AP_ERR_BADADDR;
-      krb5_clear_error_string (context);
-      goto failure;
-  }
-
-  /* check receiver address */
-
-  if (safe.safe_body.r_address
-      && auth_context->local_address
-      && !krb5_address_compare (context,
-				auth_context->local_address,
-				safe.safe_body.r_address)) {
-      ret = KRB5KRB_AP_ERR_BADADDR;
-      krb5_clear_error_string (context);
-      goto failure;
-  }
-
-  /* check timestamp */
-  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
-      krb5_timestamp sec;
-
-      krb5_timeofday (context, &sec);
-
-      if (safe.safe_body.timestamp == NULL ||
-	  safe.safe_body.usec      == NULL ||
-	  abs(*safe.safe_body.timestamp - sec) > context->max_skew) {
-	  ret = KRB5KRB_AP_ERR_SKEW;
-	  krb5_clear_error_string (context);
-	  goto failure;
-      }
-  }
-  /* XXX - check replay cache */
-
-  /* check sequence number. since MIT krb5 cannot generate a sequence
-     number of zero but instead generates no sequence number, we accept that
-  */
-
-  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
-      if ((safe.safe_body.seq_number == NULL
-	   && auth_context->remote_seqnumber != 0)
-	  || (safe.safe_body.seq_number != NULL
-	      && *safe.safe_body.seq_number !=
-	      auth_context->remote_seqnumber)) {
-	  ret = KRB5KRB_AP_ERR_BADORDER;
-	  krb5_clear_error_string (context);
-	  goto failure;
-      }
-      auth_context->remote_seqnumber++;
-  }
-
-  ret = verify_checksum (context, auth_context, &safe);
-  if (ret)
-      goto failure;
+    krb5_error_code ret;
+    KRB_SAFE safe;
+    size_t len;
+
+    if (outbuf)
+	krb5_data_zero(outbuf);
+
+    if ((auth_context->flags & 
+	 (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+	outdata == NULL) {
+	krb5_set_error_string(context, "rd_safe: need outdata to return data");
+	return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
+    }
+
+    ret = decode_KRB_SAFE (inbuf->data, inbuf->length, &safe, &len);
+    if (ret) 
+	return ret;
+    if (safe.pvno != 5) {
+	ret = KRB5KRB_AP_ERR_BADVERSION;
+	krb5_clear_error_string (context);
+	goto failure;
+    }
+    if (safe.msg_type != krb_safe) {
+	ret = KRB5KRB_AP_ERR_MSG_TYPE;
+	krb5_clear_error_string (context);
+	goto failure;
+    }
+    if (!krb5_checksum_is_keyed(context, safe.cksum.cksumtype)
+	|| !krb5_checksum_is_collision_proof(context, safe.cksum.cksumtype)) {
+	ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
+	krb5_clear_error_string (context);
+	goto failure;
+    }
+
+    /* check sender address */
+
+    if (safe.safe_body.s_address
+	&& auth_context->remote_address
+	&& !krb5_address_compare (context,
+				  auth_context->remote_address,
+				  safe.safe_body.s_address)) {
+	ret = KRB5KRB_AP_ERR_BADADDR;
+	krb5_clear_error_string (context);
+	goto failure;
+    }
+
+    /* check receiver address */
+
+    if (safe.safe_body.r_address
+	&& auth_context->local_address
+	&& !krb5_address_compare (context,
+				  auth_context->local_address,
+				  safe.safe_body.r_address)) {
+	ret = KRB5KRB_AP_ERR_BADADDR;
+	krb5_clear_error_string (context);
+	goto failure;
+    }
+
+    /* check timestamp */
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
+	krb5_timestamp sec;
+
+	krb5_timeofday (context, &sec);
+
+	if (safe.safe_body.timestamp == NULL ||
+	    safe.safe_body.usec      == NULL ||
+	    abs(*safe.safe_body.timestamp - sec) > context->max_skew) {
+	    ret = KRB5KRB_AP_ERR_SKEW;
+	    krb5_clear_error_string (context);
+	    goto failure;
+	}
+    }
+    /* XXX - check replay cache */
+
+    /* check sequence number. since MIT krb5 cannot generate a sequence
+       number of zero but instead generates no sequence number, we accept that
+    */
+
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+	if ((safe.safe_body.seq_number == NULL
+	     && auth_context->remote_seqnumber != 0)
+	    || (safe.safe_body.seq_number != NULL
+		&& *safe.safe_body.seq_number !=
+		auth_context->remote_seqnumber)) {
+	    ret = KRB5KRB_AP_ERR_BADORDER;
+	    krb5_clear_error_string (context);
+	    goto failure;
+	}
+	auth_context->remote_seqnumber++;
+    }
+
+    ret = verify_checksum (context, auth_context, &safe);
+    if (ret)
+	goto failure;
   
-  outbuf->length = safe.safe_body.user_data.length;
-  outbuf->data   = malloc(outbuf->length);
-  if (outbuf->data == NULL) {
-      ret = ENOMEM;
-      krb5_set_error_string (context, "malloc: out of memory");
-      goto failure;
-  }
-  memcpy (outbuf->data, safe.safe_body.user_data.data, outbuf->length);
-  free_KRB_SAFE (&safe);
-  return 0;
-failure:
-  free_KRB_SAFE (&safe);
-  return ret;
+    outbuf->length = safe.safe_body.user_data.length;
+    outbuf->data   = malloc(outbuf->length);
+    if (outbuf->data == NULL && outbuf->length != 0) {
+	ret = ENOMEM;
+	krb5_set_error_string (context, "malloc: out of memory");
+	krb5_data_zero(outbuf);
+	goto failure;
+    }
+    memcpy (outbuf->data, safe.safe_body.user_data.data, outbuf->length);
+
+    if ((auth_context->flags & 
+	 (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) {
+	/* if these fields are not present in the safe-part, silently
+           return zero */
+	memset(outdata, 0, sizeof(*outdata));
+	if(safe.safe_body.timestamp)
+	    outdata->timestamp = *safe.safe_body.timestamp;
+	if(safe.safe_body.usec)
+	    outdata->usec = *safe.safe_body.usec;
+	if(safe.safe_body.seq_number)
+	    outdata->seq = *safe.safe_body.seq_number;
+    }
+
+  failure:
+    free_KRB_SAFE (&safe);
+    return ret;
 }
diff --git a/crypto/heimdal/lib/krb5/read_message.c b/crypto/heimdal/lib/krb5/read_message.c
index 124499a..5e03507 100644
--- a/crypto/heimdal/lib/krb5/read_message.c
+++ b/crypto/heimdal/lib/krb5/read_message.c
@@ -33,16 +33,18 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: read_message.c,v 1.8 2001/05/14 06:14:51 assar Exp $");
+RCSID("$Id: read_message.c 21750 2007-07-31 20:41:25Z lha $");
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_read_message (krb5_context context,
 		   krb5_pointer p_fd,
 		   krb5_data *data)
 {
     krb5_error_code ret;
-    u_int32_t len;
-    u_int8_t buf[4];
+    uint32_t len;
+    uint8_t buf[4];
+
+    krb5_data_zero(data);
 
     ret = krb5_net_read (context, p_fd, buf, 4);
     if(ret == -1) {
@@ -51,13 +53,15 @@ krb5_read_message (krb5_context context,
 	return ret;
     }
     if(ret < 4) {
-	data->length = 0;
+	krb5_clear_error_string(context);
 	return HEIM_ERR_EOF;
     }
     len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3];
     ret = krb5_data_alloc (data, len);
-    if (ret)
+    if (ret) {
+	krb5_clear_error_string(context);
 	return ret;
+    }
     if (krb5_net_read (context, p_fd, data->data, len) != len) {
 	ret = errno;
 	krb5_data_free (data);
@@ -67,7 +71,7 @@ krb5_read_message (krb5_context context,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_read_priv_message(krb5_context context,
 		       krb5_auth_context ac,
 		       krb5_pointer p_fd,
@@ -84,7 +88,7 @@ krb5_read_priv_message(krb5_context context,
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_read_safe_message(krb5_context context,
 		       krb5_auth_context ac,
 		       krb5_pointer p_fd,
diff --git a/crypto/heimdal/lib/krb5/recvauth.c b/crypto/heimdal/lib/krb5/recvauth.c
index d72b5c6..0348285 100644
--- a/crypto/heimdal/lib/krb5/recvauth.c
+++ b/crypto/heimdal/lib/krb5/recvauth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: recvauth.c,v 1.16 2002/04/18 09:41:33 joda Exp $");
+RCSID("$Id: recvauth.c 20306 2007-04-11 11:15:55Z lha $");
 
 /*
  * See `sendauth.c' for the format.
@@ -45,7 +45,7 @@ match_exact(const void *data, const char *appl_version)
     return strcmp(data, appl_version) == 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_recvauth(krb5_context context,
 	      krb5_auth_context *auth_context,
 	      krb5_pointer p_fd,
@@ -61,7 +61,7 @@ krb5_recvauth(krb5_context context,
 				       keytab, ticket);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_recvauth_match_version(krb5_context context,
 			    krb5_auth_context *auth_context,
 			    krb5_pointer p_fd,
@@ -73,33 +73,54 @@ krb5_recvauth_match_version(krb5_context context,
 			    krb5_keytab keytab,
 			    krb5_ticket **ticket)
 {
-  krb5_error_code ret;
-  const char *version = KRB5_SENDAUTH_VERSION;
-  char her_version[sizeof(KRB5_SENDAUTH_VERSION)];
-  char *her_appl_version;
-  u_int32_t len;
-  u_char repl;
-  krb5_data data;
-  krb5_flags ap_options;
-  ssize_t n;
-
-  /*
-   * If there are no addresses in auth_context, get them from `fd'.
-   */
-
-  if (*auth_context == NULL) {
-      ret = krb5_auth_con_init (context, auth_context);
-      if (ret)
-	  return ret;
-  }
-
-  ret = krb5_auth_con_setaddrs_from_fd (context,
-					*auth_context,
-					p_fd);
-  if (ret)
-      return ret;
-
-  if(!(flags & KRB5_RECVAUTH_IGNORE_VERSION)) {
+    krb5_error_code ret;
+    const char *version = KRB5_SENDAUTH_VERSION;
+    char her_version[sizeof(KRB5_SENDAUTH_VERSION)];
+    char *her_appl_version;
+    uint32_t len;
+    u_char repl;
+    krb5_data data;
+    krb5_flags ap_options;
+    ssize_t n;
+
+    /*
+     * If there are no addresses in auth_context, get them from `fd'.
+     */
+
+    if (*auth_context == NULL) {
+	ret = krb5_auth_con_init (context, auth_context);
+	if (ret)
+	    return ret;
+    }
+
+    ret = krb5_auth_con_setaddrs_from_fd (context,
+					  *auth_context,
+					  p_fd);
+    if (ret)
+	return ret;
+
+    if(!(flags & KRB5_RECVAUTH_IGNORE_VERSION)) {
+	n = krb5_net_read (context, p_fd, &len, 4);
+	if (n < 0) {
+	    ret = errno;
+	    krb5_set_error_string (context, "read: %s", strerror(errno));
+	    return ret;
+	}
+	if (n == 0) {
+	    krb5_set_error_string (context, "Failed to receive sendauth data");
+	    return KRB5_SENDAUTH_BADAUTHVERS;
+	}
+	len = ntohl(len);
+	if (len != sizeof(her_version)
+	    || krb5_net_read (context, p_fd, her_version, len) != len
+	    || strncmp (version, her_version, len)) {
+	    repl = 1;
+	    krb5_net_write (context, p_fd, &repl, 1);
+	    krb5_clear_error_string (context);
+	    return KRB5_SENDAUTH_BADAUTHVERS;
+	}
+    }
+
     n = krb5_net_read (context, p_fd, &len, 4);
     if (n < 0) {
 	ret = errno;
@@ -108,104 +129,83 @@ krb5_recvauth_match_version(krb5_context context,
     }
     if (n == 0) {
 	krb5_clear_error_string (context);
-	return KRB5_SENDAUTH_BADAUTHVERS;
+	return KRB5_SENDAUTH_BADAPPLVERS;
     }
     len = ntohl(len);
-    if (len != sizeof(her_version)
-	|| krb5_net_read (context, p_fd, her_version, len) != len
-	|| strncmp (version, her_version, len)) {
-      repl = 1;
-      krb5_net_write (context, p_fd, &repl, 1);
-	krb5_clear_error_string (context);
-      return KRB5_SENDAUTH_BADAUTHVERS;
+    her_appl_version = malloc (len);
+    if (her_appl_version == NULL) {
+	repl = 2;
+	krb5_net_write (context, p_fd, &repl, 1);
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    if (krb5_net_read (context, p_fd, her_appl_version, len) != len
+	|| !(*match_appl_version)(match_data, her_appl_version)) {
+	repl = 2;
+	krb5_net_write (context, p_fd, &repl, 1);
+	krb5_set_error_string (context, "wrong sendauth version (%s)",
+			       her_appl_version);
+	free (her_appl_version);
+	return KRB5_SENDAUTH_BADAPPLVERS;
     }
-  }
-
-  n = krb5_net_read (context, p_fd, &len, 4);
-  if (n < 0) {
-      ret = errno;
-      krb5_set_error_string (context, "read: %s", strerror(errno));
-      return ret;
-  }
-  if (n == 0) {
-      krb5_clear_error_string (context);
-      return KRB5_SENDAUTH_BADAPPLVERS;
-  }
-  len = ntohl(len);
-  her_appl_version = malloc (len);
-  if (her_appl_version == NULL) {
-      repl = 2;
-      krb5_net_write (context, p_fd, &repl, 1);
-      krb5_set_error_string (context, "malloc: out of memory");
-      return ENOMEM;
-  }
-  if (krb5_net_read (context, p_fd, her_appl_version, len) != len
-      || !(*match_appl_version)(match_data, her_appl_version)) {
-    repl = 2;
-    krb5_net_write (context, p_fd, &repl, 1);
-    krb5_set_error_string (context, "wrong sendauth version (%s)",
-			   her_appl_version);
     free (her_appl_version);
-    return KRB5_SENDAUTH_BADAPPLVERS;
-  }
-  free (her_appl_version);
-
-  repl = 0;
-  if (krb5_net_write (context, p_fd, &repl, 1) != 1) {
-    ret = errno;
-    krb5_set_error_string (context, "write: %s", strerror(errno));
-    return ret;
-  }
-
-  krb5_data_zero (&data);
-  ret = krb5_read_message (context, p_fd, &data);
-  if (ret)
-      return ret;
-
-  ret = krb5_rd_req (context,
-		     auth_context,
-		     &data,
-		     server,
-		     keytab,
-		     &ap_options,
-		     ticket);
-  krb5_data_free (&data);
-  if (ret) {
-      krb5_data error_data;
-      krb5_error_code ret2;
-
-      ret2 = krb5_mk_error (context,
-			    ret,
-			    NULL,
-			    NULL,
-			    NULL,
-			    server,
-			    NULL,
-			    NULL,
-			    &error_data);
-      if (ret2 == 0) {
-	  krb5_write_message (context, p_fd, &error_data);
-	  krb5_data_free (&error_data);
-      }
-      return ret;
-  }      
-
-  len = 0;
-  if (krb5_net_write (context, p_fd, &len, 4) != 4) {
-      ret = errno;
-      krb5_set_error_string (context, "write: %s", strerror(errno));
-      return ret;
-  }
-
-  if (ap_options & AP_OPTS_MUTUAL_REQUIRED) {
-    ret = krb5_mk_rep (context, *auth_context, &data);
-    if (ret)
-      return ret;
 
-    ret = krb5_write_message (context, p_fd, &data);
+    repl = 0;
+    if (krb5_net_write (context, p_fd, &repl, 1) != 1) {
+	ret = errno;
+	krb5_set_error_string (context, "write: %s", strerror(errno));
+	return ret;
+    }
+
+    krb5_data_zero (&data);
+    ret = krb5_read_message (context, p_fd, &data);
     if (ret)
 	return ret;
+
+    ret = krb5_rd_req (context,
+		       auth_context,
+		       &data,
+		       server,
+		       keytab,
+		       &ap_options,
+		       ticket);
     krb5_data_free (&data);
-  }
-  return 0;
+    if (ret) {
+	krb5_data error_data;
+	krb5_error_code ret2;
+
+	ret2 = krb5_mk_error (context,
+			      ret,
+			      NULL,
+			      NULL,
+			      NULL,
+			      server,
+			      NULL,
+			      NULL,
+			      &error_data);
+	if (ret2 == 0) {
+	    krb5_write_message (context, p_fd, &error_data);
+	    krb5_data_free (&error_data);
+	}
+	return ret;
+    }      
+
+    len = 0;
+    if (krb5_net_write (context, p_fd, &len, 4) != 4) {
+	ret = errno;
+	krb5_set_error_string (context, "write: %s", strerror(errno));
+	return ret;
+    }
+
+    if (ap_options & AP_OPTS_MUTUAL_REQUIRED) {
+	ret = krb5_mk_rep (context, *auth_context, &data);
+	if (ret)
+	    return ret;
+
+	ret = krb5_write_message (context, p_fd, &data);
+	if (ret)
+	    return ret;
+	krb5_data_free (&data);
+    }
+    return 0;
 }
diff --git a/crypto/heimdal/lib/krb5/replay.c b/crypto/heimdal/lib/krb5/replay.c
index 4298d12..12894d9 100644
--- a/crypto/heimdal/lib/krb5/replay.c
+++ b/crypto/heimdal/lib/krb5/replay.c
@@ -34,13 +34,13 @@
 #include "krb5_locl.h"
 #include <vis.h>
 
-RCSID("$Id: replay.c,v 1.9 2001/07/03 19:33:13 assar Exp $");
+RCSID("$Id: replay.c 17047 2006-04-10 17:13:49Z lha $");
 
 struct krb5_rcache_data {
     char *name;
 };
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rc_resolve(krb5_context context,
 		krb5_rcache id,
 		const char *name)
@@ -53,11 +53,12 @@ krb5_rc_resolve(krb5_context context,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rc_resolve_type(krb5_context context,
 		     krb5_rcache *id,
 		     const char *type)
 {
+    *id = NULL;
     if(strcmp(type, "FILE")) {
 	krb5_set_error_string (context, "replay cache type %s not supported",
 			       type);
@@ -71,12 +72,15 @@ krb5_rc_resolve_type(krb5_context context,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rc_resolve_full(krb5_context context,
 		     krb5_rcache *id,
 		     const char *string_name)
 {
     krb5_error_code ret;
+
+    *id = NULL;
+
     if(strncmp(string_name, "FILE:", 5)) {
 	krb5_set_error_string (context, "replay cache type %s not supported",
 			       string_name);
@@ -86,22 +90,26 @@ krb5_rc_resolve_full(krb5_context context,
     if(ret)
 	return ret;
     ret = krb5_rc_resolve(context, *id, string_name + 5);
+    if (ret) {
+	krb5_rc_close(context, *id);
+	*id = NULL;
+    }
     return ret;
 }
 
-const char *
+const char* KRB5_LIB_FUNCTION
 krb5_rc_default_name(krb5_context context)
 {
     return "FILE:/var/run/default_rcache";
 }
 
-const char *
+const char* KRB5_LIB_FUNCTION
 krb5_rc_default_type(krb5_context context)
 {
     return "FILE";
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rc_default(krb5_context context,
 		krb5_rcache *id)
 {
@@ -113,7 +121,7 @@ struct rc_entry{
     unsigned char data[16];
 };
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rc_initialize(krb5_context context,
 		   krb5_rcache id,
 		   krb5_deltat auth_lifespan)
@@ -134,14 +142,14 @@ krb5_rc_initialize(krb5_context context,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rc_recover(krb5_context context,
 		krb5_rcache id)
 {
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rc_destroy(krb5_context context,
 		krb5_rcache id)
 {
@@ -156,7 +164,7 @@ krb5_rc_destroy(krb5_context context,
     return krb5_rc_close(context, id);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rc_close(krb5_context context,
 	      krb5_rcache id)
 {
@@ -181,7 +189,7 @@ checksum_authenticator(Authenticator *auth, void *data)
     MD5_Final (data, &md5);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rc_store(krb5_context context,
 	      krb5_rcache id,
 	      krb5_donot_replay *rep)
@@ -229,14 +237,14 @@ krb5_rc_store(krb5_context context,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rc_expunge(krb5_context context,
 		krb5_rcache id)
 {
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rc_get_lifespan(krb5_context context,
 		     krb5_rcache id,
 		     krb5_deltat *auth_lifespan)
@@ -254,21 +262,21 @@ krb5_rc_get_lifespan(krb5_context context,
     return KRB5_RC_IO_UNKNOWN;
 }
 
-const char*
+const char* KRB5_LIB_FUNCTION
 krb5_rc_get_name(krb5_context context,
 		 krb5_rcache id)
 {
     return id->name;
 }
 		 
-const char*
+const char* KRB5_LIB_FUNCTION
 krb5_rc_get_type(krb5_context context,
 		 krb5_rcache id)
 {
     return "FILE";
 }
 		 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_server_rcache(krb5_context context, 
 		       const krb5_data *piece, 
 		       krb5_rcache *id)
diff --git a/crypto/heimdal/lib/krb5/send_to_kdc.c b/crypto/heimdal/lib/krb5/send_to_kdc.c
index 94dae30..2582a61 100644
--- a/crypto/heimdal/lib/krb5/send_to_kdc.c
+++ b/crypto/heimdal/lib/krb5/send_to_kdc.c
@@ -33,7 +33,12 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: send_to_kdc.c,v 1.48 2002/03/27 09:32:50 joda Exp $");
+RCSID("$Id: send_to_kdc.c 21934 2007-08-27 14:21:04Z lha $");
+
+struct send_to_kdc {
+    krb5_send_to_kdc_func func;
+    void *data;
+};
 
 /*
  * send the data in `req' on the socket `fd' (which is datagram iff udp)
@@ -78,7 +83,7 @@ recv_loop (int fd,
 		 krb5_data_free (rep);
 		 return -1;
 	     }
-	     if(nbytes == 0)
+	     if(nbytes <= 0)
 		 return 0;
 
 	     if (limit)
@@ -157,6 +162,15 @@ send_and_recv_tcp(int fd,
     return 0;
 }
 
+int
+_krb5_send_and_recv_tcp(int fd,
+			time_t tmout,
+			const krb5_data *req,
+			krb5_data *rep)
+{
+    return send_and_recv_tcp(fd, tmout, req, rep);
+}
+
 /*
  * `send_and_recv' tailored for the HTTP protocol.
  */
@@ -198,6 +212,7 @@ send_and_recv_http(int fd,
 	s[rep->length] = 0;
 	p = strstr(s, "\r\n\r\n");
 	if(p == NULL) {
+	    krb5_data_zero(rep);
 	    free(s);
 	    return -1;
 	}
@@ -205,12 +220,14 @@ send_and_recv_http(int fd,
 	rep->data = s;
 	rep->length -= p - s;
 	if(rep->length < 4) { /* remove length */
+	    krb5_data_zero(rep);
 	    free(s);
 	    return -1;
 	}
 	rep->length -= 4;
 	_krb5_get_int(p, &rep_len, 4);
 	if (rep_len != rep->length) {
+	    krb5_data_zero(rep);
 	    free(s);
 	    return -1;
 	}
@@ -304,28 +321,40 @@ send_via_proxy (krb5_context context,
  * in `receive'.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_sendto (krb5_context context,
 	     const krb5_data *send_data,
 	     krb5_krbhst_handle handle,	     
 	     krb5_data *receive)
 {
-     krb5_error_code ret = 0;
+     krb5_error_code ret;
      int fd;
      int i;
 
+     krb5_data_zero(receive);
+
      for (i = 0; i < context->max_retries; ++i) {
 	 krb5_krbhst_info *hi;
 
 	 while (krb5_krbhst_next(context, handle, &hi) == 0) {
-	     int ret;
 	     struct addrinfo *ai, *a;
 
+	     if (context->send_to_kdc) {
+		 struct send_to_kdc *s = context->send_to_kdc;
+
+		 ret = (*s->func)(context, s->data, 
+				  hi, send_data, receive);
+		 if (ret == 0 && receive->length != 0)
+		     goto out;
+		 continue;
+	     }
+
 	     if(hi->proto == KRB5_KRBHST_HTTP && context->http_proxy) {
-		 if (send_via_proxy (context, hi, send_data, receive))
-		     continue;
-		 else
+		 if (send_via_proxy (context, hi, send_data, receive) == 0) {
+		     ret = 0;
 		     goto out;
+		 }
+		 continue;
 	     }
 
 	     ret = krb5_krbhst_get_addrinfo(context, hi, &ai);
@@ -367,39 +396,209 @@ out:
      return ret;
 }
 
-krb5_error_code
-krb5_sendto_kdc2(krb5_context context,
-		 const krb5_data *send_data,
-		 const krb5_realm *realm,
-		 krb5_data *receive,
-		 krb5_boolean master)
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_sendto_kdc(krb5_context context,
+		const krb5_data *send_data,
+		const krb5_realm *realm,
+		krb5_data *receive)
 {
-    krb5_error_code ret;
-    krb5_krbhst_handle handle;
-    int type;
+    return krb5_sendto_kdc_flags(context, send_data, realm, receive, 0);
+}
 
-    if (master || context->use_admin_kdc)
-	type = KRB5_KRBHST_ADMIN;
-    else
-	type = KRB5_KRBHST_KDC;
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_sendto_kdc_flags(krb5_context context,
+		      const krb5_data *send_data,
+		      const krb5_realm *realm,
+		      krb5_data *receive,
+		      int flags)
+{
+    krb5_error_code ret;
+    krb5_sendto_ctx ctx;
 
-    ret = krb5_krbhst_init(context, *realm, type, &handle);
+    ret = krb5_sendto_ctx_alloc(context, &ctx);
     if (ret)
 	return ret;
+    krb5_sendto_ctx_add_flags(ctx, flags);
+    krb5_sendto_ctx_set_func(ctx, _krb5_kdc_retry, NULL);
+
+    ret = krb5_sendto_context(context, ctx, send_data, *realm, receive);
+    krb5_sendto_ctx_free(context, ctx);
+    return ret;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_set_send_to_kdc_func(krb5_context context, 
+			  krb5_send_to_kdc_func func,
+			  void *data)
+{
+    free(context->send_to_kdc);
+    if (func == NULL) {
+	context->send_to_kdc = NULL;
+	return 0;
+    }
+
+    context->send_to_kdc = malloc(sizeof(*context->send_to_kdc));
+    if (context->send_to_kdc == NULL) {
+	krb5_set_error_string(context, "Out of memory");
+	return ENOMEM;
+    }
 
-    ret = krb5_sendto(context, send_data, handle, receive);
-    krb5_krbhst_free(context, handle);
+    context->send_to_kdc->func = func;
+    context->send_to_kdc->data = data;
+    return 0;
+}
+
+struct krb5_sendto_ctx_data {
+    int flags;
+    int type;
+    krb5_sendto_ctx_func func;
+    void *data;
+};
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_sendto_ctx_alloc(krb5_context context, krb5_sendto_ctx *ctx)
+{
+    *ctx = calloc(1, sizeof(**ctx));
+    if (*ctx == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    return 0;
+}
+
+void KRB5_LIB_FUNCTION
+krb5_sendto_ctx_add_flags(krb5_sendto_ctx ctx, int flags)
+{
+    ctx->flags |= flags;
+}
+
+int KRB5_LIB_FUNCTION
+krb5_sendto_ctx_get_flags(krb5_sendto_ctx ctx)
+{
+    return ctx->flags;
+}
+
+void KRB5_LIB_FUNCTION
+krb5_sendto_ctx_set_type(krb5_sendto_ctx ctx, int type)
+{
+    ctx->type = type;
+}
+
+
+void KRB5_LIB_FUNCTION
+krb5_sendto_ctx_set_func(krb5_sendto_ctx ctx,
+			 krb5_sendto_ctx_func func,
+			 void *data)
+{
+    ctx->func = func;
+    ctx->data = data;
+}
+
+void KRB5_LIB_FUNCTION
+krb5_sendto_ctx_free(krb5_context context, krb5_sendto_ctx ctx)
+{
+    memset(ctx, 0, sizeof(*ctx));
+    free(ctx);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_sendto_context(krb5_context context,
+		    krb5_sendto_ctx ctx,
+		    const krb5_data *send_data,
+		    const krb5_realm realm,
+		    krb5_data *receive)
+{
+    krb5_error_code ret;
+    krb5_krbhst_handle handle = NULL;
+    int type, freectx = 0;
+    int action;
+
+    krb5_data_zero(receive);
+
+    if (ctx == NULL) {
+	freectx = 1;
+	ret = krb5_sendto_ctx_alloc(context, &ctx);
+	if (ret)
+	    return ret;
+    }
+
+    type = ctx->type;
+    if (type == 0) {
+	if ((ctx->flags & KRB5_KRBHST_FLAGS_MASTER) || context->use_admin_kdc)
+	    type = KRB5_KRBHST_ADMIN;
+	else
+	    type = KRB5_KRBHST_KDC;
+    }
+
+    if (send_data->length > context->large_msg_size)
+	ctx->flags |= KRB5_KRBHST_FLAGS_LARGE_MSG;
+
+    /* loop until we get back a appropriate response */
+
+    do {
+	action = KRB5_SENDTO_DONE;
+
+	krb5_data_free(receive);
+
+	if (handle == NULL) {
+	    ret = krb5_krbhst_init_flags(context, realm, type, 
+					 ctx->flags, &handle);
+	    if (ret) {
+		if (freectx)
+		    krb5_sendto_ctx_free(context, ctx);
+		return ret;
+	    }
+	}
+    
+	ret = krb5_sendto(context, send_data, handle, receive);
+	if (ret)
+	    break;
+	if (ctx->func) {
+	    ret = (*ctx->func)(context, ctx, ctx->data, receive, &action);
+	    if (ret)
+		break;
+	}
+	if (action != KRB5_SENDTO_CONTINUE) {
+	    krb5_krbhst_free(context, handle);
+	    handle = NULL;
+	}
+    } while (action != KRB5_SENDTO_DONE);
+    if (handle)
+	krb5_krbhst_free(context, handle);
     if (ret == KRB5_KDC_UNREACH)
-	krb5_set_error_string(context,
-			      "unable to reach any KDC in realm %s", *realm);
+	krb5_set_error_string(context, 
+			      "unable to reach any KDC in realm %s", realm);
+    if (ret)
+	krb5_data_free(receive);
+    if (freectx)
+	krb5_sendto_ctx_free(context, ctx);
     return ret;
 }
 
 krb5_error_code
-krb5_sendto_kdc(krb5_context context,
-		const krb5_data *send_data,
-		const krb5_realm *realm,
-		krb5_data *receive)
+_krb5_kdc_retry(krb5_context context, krb5_sendto_ctx ctx, void *data,
+		const krb5_data *reply, int *action)
 {
-    return krb5_sendto_kdc2(context, send_data, realm, receive, FALSE);
+    krb5_error_code ret;
+    KRB_ERROR error;
+
+    if(krb5_rd_error(context, reply, &error))
+	return 0;
+
+    ret = krb5_error_from_rd_error(context, &error, NULL);
+    krb5_free_error_contents(context, &error);
+
+    switch(ret) {
+    case KRB5KRB_ERR_RESPONSE_TOO_BIG: {
+	if (krb5_sendto_ctx_get_flags(ctx) & KRB5_KRBHST_FLAGS_LARGE_MSG)
+	    break;
+	krb5_sendto_ctx_add_flags(ctx, KRB5_KRBHST_FLAGS_LARGE_MSG);
+	*action = KRB5_SENDTO_RESTART;
+	break;
+    }
+    case KRB5KDC_ERR_SVC_UNAVAILABLE:
+	*action = KRB5_SENDTO_CONTINUE;
+	break;
+    }
+    return 0;
 }
diff --git a/crypto/heimdal/lib/krb5/sendauth.c b/crypto/heimdal/lib/krb5/sendauth.c
index c2889ee..a7242f0 100644
--- a/crypto/heimdal/lib/krb5/sendauth.c
+++ b/crypto/heimdal/lib/krb5/sendauth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: sendauth.c,v 1.19 2002/09/04 21:34:43 joda Exp $");
+RCSID("$Id: sendauth.c 17442 2006-05-05 09:31:15Z lha $");
 
 /*
  * The format seems to be:
@@ -62,7 +62,7 @@ RCSID("$Id: sendauth.c,v 1.19 2002/09/04 21:34:43 joda Exp $");
  * }
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_sendauth(krb5_context context,
 	      krb5_auth_context *auth_context,
 	      krb5_pointer p_fd,
@@ -78,7 +78,7 @@ krb5_sendauth(krb5_context context,
 	      krb5_creds **out_creds)
 {
     krb5_error_code ret;
-    u_int32_t len, net_len;
+    uint32_t len, net_len;
     const char *version = KRB5_SENDAUTH_VERSION;
     u_char repl;
     krb5_data ap_req, error_data;
@@ -223,11 +223,11 @@ krb5_sendauth(krb5_context context,
 
 	ret = krb5_rd_rep (context, *auth_context, &ap_rep,
 			   rep_result ? rep_result : &ignore);
+	krb5_data_free (&ap_rep);
 	if (ret)
 	    return ret;
 	if (rep_result == NULL)
 	    krb5_free_ap_rep_enc_part (context, ignore);
-	krb5_data_free (&ap_rep);
     }
     return 0;
 }
diff --git a/crypto/heimdal/lib/krb5/set_default_realm.c b/crypto/heimdal/lib/krb5/set_default_realm.c
index 8b872df..98040bc 100644
--- a/crypto/heimdal/lib/krb5/set_default_realm.c
+++ b/crypto/heimdal/lib/krb5/set_default_realm.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: set_default_realm.c,v 1.13 2001/09/18 09:43:31 joda Exp $");
+RCSID("$Id: set_default_realm.c 13863 2004-05-25 21:46:46Z lha $");
 
 /*
  * Convert the simple string `s' into a NULL-terminated and freshly allocated 
@@ -65,7 +65,7 @@ string_to_list (krb5_context context, const char *s, krb5_realm **list)
  * Otherwise, the realm(s) are figured out from configuration or DNS.  
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_set_default_realm(krb5_context context,
 		       const char *realm)
 {
diff --git a/crypto/heimdal/lib/krb5/sock_principal.c b/crypto/heimdal/lib/krb5/sock_principal.c
index 7bb0bdf..9b4ba97 100644
--- a/crypto/heimdal/lib/krb5/sock_principal.c
+++ b/crypto/heimdal/lib/krb5/sock_principal.c
@@ -33,9 +33,9 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: sock_principal.c,v 1.16 2001/07/26 09:05:30 assar Exp $");
+RCSID("$Id: sock_principal.c 13863 2004-05-25 21:46:46Z lha $");
 			
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_sock_to_principal (krb5_context context,
 			int sock,
 			const char *sname,
diff --git a/crypto/heimdal/lib/krb5/store-test.c b/crypto/heimdal/lib/krb5/store-test.c
index 512d2a5..aec2dfe 100644
--- a/crypto/heimdal/lib/krb5/store-test.c
+++ b/crypto/heimdal/lib/krb5/store-test.c
@@ -32,7 +32,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: store-test.c,v 1.1 2001/05/11 16:06:25 joda Exp $");
+RCSID("$Id: store-test.c 16344 2005-12-02 15:15:43Z lha $");
 
 static void
 print_data(unsigned char *data, size_t len)
@@ -106,10 +106,13 @@ main(int argc, char **argv)
     sp = krb5_storage_emem();
     krb5_make_principal(context, &principal, "TEST", "foobar", NULL);
     krb5_store_principal(sp, principal);
+    krb5_free_principal(context, principal);
     nerr += compare("Principal", sp, "\x0\x0\x0\x1"
 		    "\x0\x0\x0\x1"
 		    "\x0\x0\x0\x4TEST"
 		    "\x0\x0\x0\x6""foobar", 26);
     
+    krb5_free_context(context);
+
     return nerr ? 1 : 0;
 }
diff --git a/crypto/heimdal/lib/krb5/store.c b/crypto/heimdal/lib/krb5/store.c
index b0ca731..c9cbbb5 100644
--- a/crypto/heimdal/lib/krb5/store.c
+++ b/crypto/heimdal/lib/krb5/store.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -34,7 +34,7 @@
 #include "krb5_locl.h"
 #include "store-int.h"
 
-RCSID("$Id: store.c,v 1.38.4.1 2004/03/09 19:32:14 lha Exp $");
+RCSID("$Id: store.c 22071 2007-11-14 20:04:50Z lha $");
 
 #define BYTEORDER_IS(SP, V) (((SP)->flags & KRB5_STORAGE_BYTEORDER_MASK) == (V))
 #define BYTEORDER_IS_LE(SP) BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_LE)
@@ -42,62 +42,62 @@ RCSID("$Id: store.c,v 1.38.4.1 2004/03/09 19:32:14 lha Exp $");
 #define BYTEORDER_IS_HOST(SP) (BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_HOST) || \
 			       krb5_storage_is_flags((SP), KRB5_STORAGE_HOST_BYTEORDER))
 
-void
+void KRB5_LIB_FUNCTION
 krb5_storage_set_flags(krb5_storage *sp, krb5_flags flags)
 {
     sp->flags |= flags;
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_storage_clear_flags(krb5_storage *sp, krb5_flags flags)
 {
     sp->flags &= ~flags;
 }
 
-krb5_boolean
+krb5_boolean KRB5_LIB_FUNCTION
 krb5_storage_is_flags(krb5_storage *sp, krb5_flags flags)
 {
     return (sp->flags & flags) == flags;
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_storage_set_byteorder(krb5_storage *sp, krb5_flags byteorder)
 {
     sp->flags &= ~KRB5_STORAGE_BYTEORDER_MASK;
     sp->flags |= byteorder;
 }
 
-krb5_flags
+krb5_flags KRB5_LIB_FUNCTION
 krb5_storage_get_byteorder(krb5_storage *sp, krb5_flags byteorder)
 {
     return sp->flags & KRB5_STORAGE_BYTEORDER_MASK;
 }
 
-off_t
+off_t KRB5_LIB_FUNCTION
 krb5_storage_seek(krb5_storage *sp, off_t offset, int whence)
 {
     return (*sp->seek)(sp, offset, whence);
 }
 
-krb5_ssize_t
+krb5_ssize_t KRB5_LIB_FUNCTION
 krb5_storage_read(krb5_storage *sp, void *buf, size_t len)
 {
     return sp->fetch(sp, buf, len);
 }
 
-krb5_ssize_t
+krb5_ssize_t KRB5_LIB_FUNCTION
 krb5_storage_write(krb5_storage *sp, const void *buf, size_t len)
 {
     return sp->store(sp, buf, len);
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_storage_set_eof_code(krb5_storage *sp, int code)
 {
     sp->eof_code = code;
 }
 
-krb5_ssize_t
+krb5_ssize_t KRB5_LIB_FUNCTION
 _krb5_put_int(void *buffer, unsigned long value, size_t size)
 {
     unsigned char *p = buffer;
@@ -109,7 +109,7 @@ _krb5_put_int(void *buffer, unsigned long value, size_t size)
     return size;
 }
 
-krb5_ssize_t
+krb5_ssize_t KRB5_LIB_FUNCTION
 _krb5_get_int(void *buffer, unsigned long *value, size_t size)
 {
     unsigned char *p = buffer;
@@ -121,7 +121,7 @@ _krb5_get_int(void *buffer, unsigned long *value, size_t size)
     return size;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_storage_free(krb5_storage *sp)
 {
     if(sp->free)
@@ -131,7 +131,7 @@ krb5_storage_free(krb5_storage *sp)
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_storage_to_data(krb5_storage *sp, krb5_data *data)
 {
     off_t pos;
@@ -170,7 +170,7 @@ krb5_store_int(krb5_storage *sp,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_int32(krb5_storage *sp,
 		 int32_t value)
 {
@@ -181,6 +181,13 @@ krb5_store_int32(krb5_storage *sp,
     return krb5_store_int(sp, value, 4);
 }
 
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_uint32(krb5_storage *sp,
+		  uint32_t value)
+{
+    return krb5_store_int32(sp, (int32_t)value);
+}
+
 static krb5_error_code
 krb5_ret_int(krb5_storage *sp,
 	     int32_t *value,
@@ -197,7 +204,7 @@ krb5_ret_int(krb5_storage *sp,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_int32(krb5_storage *sp,
 	       int32_t *value)
 {
@@ -211,7 +218,21 @@ krb5_ret_int32(krb5_storage *sp,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_uint32(krb5_storage *sp,
+		uint32_t *value)
+{
+    krb5_error_code ret;
+    int32_t v;
+
+    ret = krb5_ret_int32(sp, &v);
+    if (ret == 0)
+	*value = (uint32_t)v;
+
+    return ret;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_int16(krb5_storage *sp,
 		 int16_t value)
 {
@@ -222,7 +243,14 @@ krb5_store_int16(krb5_storage *sp,
     return krb5_store_int(sp, value, 2);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_uint16(krb5_storage *sp,
+		  uint16_t value)
+{
+    return krb5_store_int16(sp, (int16_t)value);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_int16(krb5_storage *sp,
 	       int16_t *value)
 {
@@ -239,7 +267,21 @@ krb5_ret_int16(krb5_storage *sp,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_uint16(krb5_storage *sp,
+		uint16_t *value)
+{
+    krb5_error_code ret;
+    int16_t v;
+
+    ret = krb5_ret_int16(sp, &v);
+    if (ret == 0)
+	*value = (uint16_t)v;
+
+    return ret;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_int8(krb5_storage *sp,
 		int8_t value)
 {
@@ -251,7 +293,14 @@ krb5_store_int8(krb5_storage *sp,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_uint8(krb5_storage *sp,
+		 uint8_t value)
+{
+    return krb5_store_int8(sp, (int8_t)value);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_int8(krb5_storage *sp,
 	      int8_t *value)
 {
@@ -263,7 +312,21 @@ krb5_ret_int8(krb5_storage *sp,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_uint8(krb5_storage *sp,
+	       uint8_t *value)
+{
+    krb5_error_code ret;
+    int8_t v;
+
+    ret = krb5_ret_int8(sp, &v);
+    if (ret == 0)
+	*value = (uint8_t)v;
+
+    return ret;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_data(krb5_storage *sp,
 		krb5_data data)
 {
@@ -280,7 +343,7 @@ krb5_store_data(krb5_storage *sp,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_data(krb5_storage *sp,
 	      krb5_data *data)
 {
@@ -301,16 +364,16 @@ krb5_ret_data(krb5_storage *sp,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_string(krb5_storage *sp, const char *s)
 {
     krb5_data data;
     data.length = strlen(s);
-    data.data = (void*)s;
+    data.data = rk_UNCONST(s);
     return krb5_store_data(sp, data);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_string(krb5_storage *sp,
 		char **string)
 {
@@ -328,7 +391,7 @@ krb5_ret_string(krb5_storage *sp,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_stringz(krb5_storage *sp, const char *s)
 {
     size_t len = strlen(s) + 1;
@@ -344,7 +407,7 @@ krb5_store_stringz(krb5_storage *sp, const char *s)
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_stringz(krb5_storage *sp,
 		char **string)
 {
@@ -377,22 +440,92 @@ krb5_ret_stringz(krb5_storage *sp,
     return 0;
 }
 
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_stringnl(krb5_storage *sp, const char *s)
+{
+    size_t len = strlen(s);
+    ssize_t ret;
+
+    ret = sp->store(sp, s, len);
+    if(ret != len) {
+	if(ret < 0)
+	    return ret;
+	else
+	    return sp->eof_code;
+    }
+    ret = sp->store(sp, "\n", 1);
+    if(ret != 1) {
+	if(ret < 0)
+	    return ret;
+	else
+	    return sp->eof_code;
+    }
+
+    return 0;
+
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_stringnl(krb5_storage *sp,
+		  char **string)
+{
+    int expect_nl = 0;
+    char c;
+    char *s = NULL;
+    size_t len = 0;
+    ssize_t ret;
+
+    while((ret = sp->fetch(sp, &c, 1)) == 1){
+	char *tmp;
+
+	if (c == '\r') {
+	    expect_nl = 1;
+	    continue;
+	}
+	if (expect_nl && c != '\n') {
+	    free(s);
+	    return KRB5_BADMSGTYPE;
+	}
+
+	len++;
+	tmp = realloc (s, len);
+	if (tmp == NULL) {
+	    free (s);
+	    return ENOMEM;
+	}
+	s = tmp;
+	if(c == '\n') {
+	    s[len - 1] = '\0';
+	    break;
+	}
+	s[len - 1] = c;
+    }
+    if(ret != 1){
+	free(s);
+	if(ret == 0)
+	    return sp->eof_code;
+	return ret;
+    }
+    *string = s;
+    return 0;
+}
+
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_principal(krb5_storage *sp,
-		     krb5_principal p)
+		     krb5_const_principal p)
 {
     int i;
     int ret;
 
     if(!krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE)) {
-    ret = krb5_store_int32(sp, p->name.name_type);
-    if(ret) return ret;
+	ret = krb5_store_int32(sp, p->name.name_type);
+	if(ret) return ret;
     }
     if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS))
 	ret = krb5_store_int32(sp, p->name.name_string.len + 1);
     else
-    ret = krb5_store_int32(sp, p->name.name_string.len);
+	ret = krb5_store_int32(sp, p->name.name_string.len);
     
     if(ret) return ret;
     ret = krb5_store_string(sp, p->realm);
@@ -404,7 +537,7 @@ krb5_store_principal(krb5_storage *sp,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_principal(krb5_storage *sp,
 		   krb5_principal *princ)
 {
@@ -420,7 +553,7 @@ krb5_ret_principal(krb5_storage *sp,
 
     if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE))
 	type = KRB5_NT_UNKNOWN;
-    else 	if((ret = krb5_ret_int32(sp, &type))){
+    else if((ret = krb5_ret_int32(sp, &type))){
 	free(p);
 	return ret;
     }
@@ -430,24 +563,38 @@ krb5_ret_principal(krb5_storage *sp,
     }
     if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS))
 	ncomp--;
+    if (ncomp < 0) {
+	free(p);
+	return EINVAL;
+    }
     p->name.name_type = type;
     p->name.name_string.len = ncomp;
     ret = krb5_ret_string(sp, &p->realm);
-    if(ret) return ret;
+    if(ret) {
+	free(p);
+	return ret;
+    }
     p->name.name_string.val = calloc(ncomp, sizeof(*p->name.name_string.val));
-    if(p->name.name_string.val == NULL){
+    if(p->name.name_string.val == NULL && ncomp != 0){
 	free(p->realm);
+	free(p);
 	return ENOMEM;
     }
     for(i = 0; i < ncomp; i++){
 	ret = krb5_ret_string(sp, &p->name.name_string.val[i]);
-	if(ret) return ret; /* XXX */
+	if(ret) {
+	    while (i >= 0)
+		free(p->name.name_string.val[i--]);
+	    free(p->realm);
+	    free(p);
+	    return ret;
+	}
     }
     *princ = p;
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_keyblock(krb5_storage *sp, krb5_keyblock p)
 {
     int ret;
@@ -465,7 +612,7 @@ krb5_store_keyblock(krb5_storage *sp, krb5_keyblock p)
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_keyblock(krb5_storage *sp, krb5_keyblock *p)
 {
     int ret;
@@ -484,7 +631,7 @@ krb5_ret_keyblock(krb5_storage *sp, krb5_keyblock *p)
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_times(krb5_storage *sp, krb5_times times)
 {
     int ret;
@@ -498,7 +645,7 @@ krb5_store_times(krb5_storage *sp, krb5_times times)
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_times(krb5_storage *sp, krb5_times *times)
 {
     int ret;
@@ -517,7 +664,7 @@ krb5_ret_times(krb5_storage *sp, krb5_times *times)
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_address(krb5_storage *sp, krb5_address p)
 {
     int ret;
@@ -527,7 +674,7 @@ krb5_store_address(krb5_storage *sp, krb5_address p)
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_address(krb5_storage *sp, krb5_address *adr)
 {
     int16_t t;
@@ -539,7 +686,7 @@ krb5_ret_address(krb5_storage *sp, krb5_address *adr)
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_addrs(krb5_storage *sp, krb5_addresses p)
 {
     int i;
@@ -553,7 +700,7 @@ krb5_store_addrs(krb5_storage *sp, krb5_addresses p)
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_addrs(krb5_storage *sp, krb5_addresses *adr)
 {
     int i;
@@ -564,6 +711,8 @@ krb5_ret_addrs(krb5_storage *sp, krb5_addresses *adr)
     if(ret) return ret;
     adr->len = tmp;
     ALLOC(adr->val, adr->len);
+    if (adr->val == NULL && adr->len != 0)
+	return ENOMEM;
     for(i = 0; i < adr->len; i++){
 	ret = krb5_ret_address(sp, &adr->val[i]);
 	if(ret) break;
@@ -571,7 +720,7 @@ krb5_ret_addrs(krb5_storage *sp, krb5_addresses *adr)
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_store_authdata(krb5_storage *sp, krb5_authdata auth)
 {
     krb5_error_code ret;
@@ -587,7 +736,7 @@ krb5_store_authdata(krb5_storage *sp, krb5_authdata auth)
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_authdata(krb5_storage *sp, krb5_authdata *auth)
 {
     krb5_error_code ret;
@@ -597,6 +746,8 @@ krb5_ret_authdata(krb5_storage *sp, krb5_authdata *auth)
     ret = krb5_ret_int32(sp, &tmp);
     if(ret) return ret;
     ALLOC_SEQ(auth, tmp);
+    if (auth->val == NULL && tmp != 0)
+	return ENOMEM;
     for(i = 0; i < tmp; i++){
 	ret = krb5_ret_int16(sp, &tmp2);
 	if(ret) break;
@@ -624,8 +775,8 @@ bitswap32(int32_t b)
  *
  */
 
-krb5_error_code
-_krb5_store_creds_internal(krb5_storage *sp, krb5_creds *creds, int v0_6)
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_creds(krb5_storage *sp, krb5_creds *creds)
 {
     int ret;
 
@@ -641,19 +792,17 @@ _krb5_store_creds_internal(krb5_storage *sp, krb5_creds *creds, int v0_6)
     ret = krb5_store_times(sp, creds->times);
     if(ret)
 	return ret;
-    ret = krb5_store_int8(sp, 0);  /* this is probably the
-				enc-tkt-in-skey bit from KDCOptions */
+    ret = krb5_store_int8(sp, creds->second_ticket.length != 0); /* is_skey */
     if(ret)
 	return ret;
-    if (v0_6) {
+
+    if(krb5_storage_is_flags(sp, KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER))
 	ret = krb5_store_int32(sp, creds->flags.i);
-	if(ret)
-	    return ret;
-    } else {
+    else
 	ret = krb5_store_int32(sp, bitswap32(TicketFlags2int(creds->flags.b)));
-	if(ret)
-	    return ret;
-    }
+    if(ret)
+	return ret;
+
     ret = krb5_store_addrs(sp, creds->addresses);
     if(ret)
 	return ret;
@@ -667,29 +816,7 @@ _krb5_store_creds_internal(krb5_storage *sp, krb5_creds *creds, int v0_6)
     return ret;
 }
 
-/*
- * store `creds' on `sp' returning error or zero
- */
-
-krb5_error_code
-krb5_store_creds(krb5_storage *sp, krb5_creds *creds)
-{
-    return _krb5_store_creds_internal(sp, creds, 1);
-}
-
-krb5_error_code
-_krb5_store_creds_heimdal_0_7(krb5_storage *sp, krb5_creds *creds)
-{
-    return _krb5_store_creds_internal(sp, creds, 0);
-}
-
-krb5_error_code
-_krb5_store_creds_heimdal_pre_0_7(krb5_storage *sp, krb5_creds *creds)
-{
-    return _krb5_store_creds_internal(sp, creds, 1);
-}
-
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_ret_creds(krb5_storage *sp, krb5_creds *creds)
 {
     krb5_error_code ret;
@@ -711,13 +838,13 @@ krb5_ret_creds(krb5_storage *sp, krb5_creds *creds)
     if(ret) goto cleanup;
     /*
      * Runtime detect the what is the higher bits of the bitfield. If
-     * any of the higher bits are set in the input data, its either a
-     * new ticket flag (and this code need to be removed), or its a
+     * any of the higher bits are set in the input data, it's either a
+     * new ticket flag (and this code need to be removed), or it's a
      * MIT cache (or new Heimdal cache), lets change it to our current
      * format.
      */
     {
-	u_int32_t mask = 0xffff0000;
+	uint32_t mask = 0xffff0000;
 	creds->flags.i = 0;
 	creds->flags.b.anonymous = 1;
 	if (creds->flags.i & mask)
@@ -736,7 +863,172 @@ krb5_ret_creds(krb5_storage *sp, krb5_creds *creds)
 cleanup:
     if(ret) {
 #if 0	
-	krb5_free_creds_contents(context, creds); /* XXX */
+	krb5_free_cred_contents(context, creds); /* XXX */
+#endif
+    }
+    return ret;
+}
+
+#define SC_CLIENT_PRINCIPAL	    0x0001
+#define SC_SERVER_PRINCIPAL	    0x0002
+#define SC_SESSION_KEY		    0x0004
+#define SC_TICKET		    0x0008
+#define SC_SECOND_TICKET	    0x0010
+#define SC_AUTHDATA		    0x0020
+#define SC_ADDRESSES		    0x0040
+
+/*
+ *
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_creds_tag(krb5_storage *sp, krb5_creds *creds)
+{
+    int ret;
+    int32_t header = 0;
+
+    if (creds->client)
+	header |= SC_CLIENT_PRINCIPAL;
+    if (creds->server)
+	header |= SC_SERVER_PRINCIPAL;
+    if (creds->session.keytype != ETYPE_NULL)
+	header |= SC_SESSION_KEY;
+    if (creds->ticket.data)
+	header |= SC_TICKET;
+    if (creds->second_ticket.length)
+	header |= SC_SECOND_TICKET;
+    if (creds->authdata.len)
+	header |= SC_AUTHDATA;
+    if (creds->addresses.len)
+	header |= SC_ADDRESSES;
+
+    ret = krb5_store_int32(sp, header);
+
+    if (creds->client) {
+	ret = krb5_store_principal(sp, creds->client);
+	if(ret)
+	    return ret;
+    }
+
+    if (creds->server) {
+	ret = krb5_store_principal(sp, creds->server);
+	if(ret)
+	    return ret;
+    }
+
+    if (creds->session.keytype != ETYPE_NULL) {
+	ret = krb5_store_keyblock(sp, creds->session);
+	if(ret)
+	    return ret;
+    }
+
+    ret = krb5_store_times(sp, creds->times);
+    if(ret)
+	return ret;
+    ret = krb5_store_int8(sp, creds->second_ticket.length != 0); /* is_skey */
+    if(ret)
+	return ret;
+
+    ret = krb5_store_int32(sp, bitswap32(TicketFlags2int(creds->flags.b)));
+    if(ret)
+	return ret;
+
+    if (creds->addresses.len) {
+	ret = krb5_store_addrs(sp, creds->addresses);
+	if(ret)
+	    return ret;
+    }
+
+    if (creds->authdata.len) {
+	ret = krb5_store_authdata(sp, creds->authdata);
+	if(ret)
+	    return ret;
+    }
+
+    if (creds->ticket.data) {
+	ret = krb5_store_data(sp, creds->ticket);
+	if(ret)
+	    return ret;
+    }
+
+    if (creds->second_ticket.data) {
+	ret = krb5_store_data(sp, creds->second_ticket);
+	if (ret)
+	    return ret;
+    }
+
+    return ret;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_creds_tag(krb5_storage *sp,
+		   krb5_creds *creds)
+{
+    krb5_error_code ret;
+    int8_t dummy8;
+    int32_t dummy32, header;
+
+    memset(creds, 0, sizeof(*creds));
+
+    ret = krb5_ret_int32 (sp, &header);
+    if (ret) goto cleanup;
+
+    if (header & SC_CLIENT_PRINCIPAL) {
+	ret = krb5_ret_principal (sp,  &creds->client);
+	if(ret) goto cleanup;
+    }
+    if (header & SC_SERVER_PRINCIPAL) {
+	ret = krb5_ret_principal (sp,  &creds->server);
+	if(ret) goto cleanup;
+    }
+    if (header & SC_SESSION_KEY) {
+	ret = krb5_ret_keyblock (sp,  &creds->session);
+	if(ret) goto cleanup;
+    }
+    ret = krb5_ret_times (sp,  &creds->times);
+    if(ret) goto cleanup;
+    ret = krb5_ret_int8 (sp,  &dummy8);
+    if(ret) goto cleanup;
+    ret = krb5_ret_int32 (sp,  &dummy32);
+    if(ret) goto cleanup;
+    /*
+     * Runtime detect the what is the higher bits of the bitfield. If
+     * any of the higher bits are set in the input data, it's either a
+     * new ticket flag (and this code need to be removed), or it's a
+     * MIT cache (or new Heimdal cache), lets change it to our current
+     * format.
+     */
+    {
+	uint32_t mask = 0xffff0000;
+	creds->flags.i = 0;
+	creds->flags.b.anonymous = 1;
+	if (creds->flags.i & mask)
+	    mask = ~mask;
+	if (dummy32 & mask)
+	    dummy32 = bitswap32(dummy32);
+    }
+    creds->flags.i = dummy32;
+    if (header & SC_ADDRESSES) {
+	ret = krb5_ret_addrs (sp,  &creds->addresses);
+	if(ret) goto cleanup;
+    }
+    if (header & SC_AUTHDATA) {
+	ret = krb5_ret_authdata (sp,  &creds->authdata);
+	if(ret) goto cleanup;
+    }
+    if (header & SC_TICKET) {
+	ret = krb5_ret_data (sp,  &creds->ticket);
+	if(ret) goto cleanup;
+    }
+    if (header & SC_SECOND_TICKET) {
+	ret = krb5_ret_data (sp,  &creds->second_ticket);
+	if(ret) goto cleanup;
+    }
+
+cleanup:
+    if(ret) {
+#if 0	
+	krb5_free_cred_contents(context, creds); /* XXX */
 #endif
     }
     return ret;
diff --git a/crypto/heimdal/lib/krb5/store_emem.c b/crypto/heimdal/lib/krb5/store_emem.c
index 526cf32..b59a647 100644
--- a/crypto/heimdal/lib/krb5/store_emem.c
+++ b/crypto/heimdal/lib/krb5/store_emem.c
@@ -34,7 +34,7 @@
 #include "krb5_locl.h"
 #include "store-int.h"
 
-RCSID("$Id: store_emem.c,v 1.13 2002/10/21 15:36:23 joda Exp $");
+RCSID("$Id: store_emem.c 21745 2007-07-31 16:11:25Z lha $");
 
 typedef struct emem_storage{
     unsigned char *base;
@@ -112,16 +112,27 @@ emem_free(krb5_storage *sp)
     free(s->base);
 }
 
-krb5_storage *
+krb5_storage * KRB5_LIB_FUNCTION
 krb5_storage_emem(void)
 {
     krb5_storage *sp = malloc(sizeof(krb5_storage));
+    if (sp == NULL)
+	return NULL;
     emem_storage *s = malloc(sizeof(*s));
+    if (s == NULL) {
+	free(sp);
+	return NULL;
+    }
     sp->data = s;
     sp->flags = 0;
     sp->eof_code = HEIM_ERR_EOF;
     s->size = 1024;
     s->base = malloc(s->size);
+    if (s->base == NULL) {
+	free(sp);
+	free(s);
+	return NULL;
+    }
     s->len = 0;
     s->ptr = s->base;
     sp->fetch = emem_fetch;
diff --git a/crypto/heimdal/lib/krb5/store_fd.c b/crypto/heimdal/lib/krb5/store_fd.c
index e31b956..15f86fc 100644
--- a/crypto/heimdal/lib/krb5/store_fd.c
+++ b/crypto/heimdal/lib/krb5/store_fd.c
@@ -1,75 +1,89 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
 #include "krb5_locl.h"
 #include "store-int.h"
 
-RCSID("$Id: store_fd.c,v 1.10 2002/04/18 14:00:39 joda Exp $");
+RCSID("$Id: store_fd.c 17779 2006-06-30 21:23:19Z lha $");
 
-typedef struct fd_storage{
+typedef struct fd_storage {
     int fd;
-}fd_storage;
+} fd_storage;
 
 #define FD(S) (((fd_storage*)(S)->data)->fd)
 
 static ssize_t
-fd_fetch(krb5_storage *sp, void *data, size_t size)
+fd_fetch(krb5_storage * sp, void *data, size_t size)
 {
     return net_read(FD(sp), data, size);
 }
 
 static ssize_t
-fd_store(krb5_storage *sp, const void *data, size_t size)
+fd_store(krb5_storage * sp, const void *data, size_t size)
 {
     return net_write(FD(sp), data, size);
 }
 
 static off_t
-fd_seek(krb5_storage *sp, off_t offset, int whence)
+fd_seek(krb5_storage * sp, off_t offset, int whence)
 {
     return lseek(FD(sp), offset, whence);
 }
 
-krb5_storage *
+static void
+fd_free(krb5_storage * sp)
+{
+    close(FD(sp));
+}
+
+krb5_storage * KRB5_LIB_FUNCTION
 krb5_storage_from_fd(int fd)
 {
-    krb5_storage *sp = malloc(sizeof(krb5_storage));
+    krb5_storage *sp;
 
-    if (sp == NULL)
+    fd = dup(fd);
+    if (fd < 0)
 	return NULL;
 
+    sp = malloc(sizeof(krb5_storage));
+    if (sp == NULL) {
+	close(fd);
+	return NULL;
+    }
+
     sp->data = malloc(sizeof(fd_storage));
     if (sp->data == NULL) {
+	close(fd);
 	free(sp);
 	return NULL;
     }
@@ -79,6 +93,6 @@ krb5_storage_from_fd(int fd)
     sp->fetch = fd_fetch;
     sp->store = fd_store;
     sp->seek = fd_seek;
-    sp->free = NULL;
+    sp->free = fd_free;
     return sp;
 }
diff --git a/crypto/heimdal/lib/krb5/store_mem.c b/crypto/heimdal/lib/krb5/store_mem.c
index b0be2002..e6e62b5 100644
--- a/crypto/heimdal/lib/krb5/store_mem.c
+++ b/crypto/heimdal/lib/krb5/store_mem.c
@@ -34,7 +34,7 @@
 #include "krb5_locl.h"
 #include "store-int.h"
 
-RCSID("$Id: store_mem.c,v 1.11 2002/04/18 14:00:44 joda Exp $");
+RCSID("$Id: store_mem.c 20307 2007-04-11 11:16:28Z lha $");
 
 typedef struct mem_storage{
     unsigned char *base;
@@ -64,6 +64,12 @@ mem_store(krb5_storage *sp, const void *data, size_t size)
     return size;
 }
 
+static ssize_t
+mem_no_store(krb5_storage *sp, const void *data, size_t size)
+{
+    return -1;
+}
+
 static off_t
 mem_seek(krb5_storage *sp, off_t offset, int whence)
 {
@@ -87,7 +93,7 @@ mem_seek(krb5_storage *sp, off_t offset, int whence)
     return s->ptr - s->base;
 }
 
-krb5_storage *
+krb5_storage * KRB5_LIB_FUNCTION
 krb5_storage_from_mem(void *buf, size_t len)
 {
     krb5_storage *sp = malloc(sizeof(krb5_storage));
@@ -112,8 +118,33 @@ krb5_storage_from_mem(void *buf, size_t len)
     return sp;
 }
 
-krb5_storage *
+krb5_storage * KRB5_LIB_FUNCTION
 krb5_storage_from_data(krb5_data *data)
 {
-	return krb5_storage_from_mem(data->data, data->length);
+    return krb5_storage_from_mem(data->data, data->length);
+}
+
+krb5_storage * KRB5_LIB_FUNCTION
+krb5_storage_from_readonly_mem(const void *buf, size_t len)
+{
+    krb5_storage *sp = malloc(sizeof(krb5_storage));
+    mem_storage *s;
+    if(sp == NULL)
+	return NULL;
+    s = malloc(sizeof(*s));
+    if(s == NULL) {
+	free(sp);
+	return NULL;
+    }
+    sp->data = s;
+    sp->flags = 0;
+    sp->eof_code = HEIM_ERR_EOF;
+    s->base = rk_UNCONST(buf);
+    s->size = len;
+    s->ptr = rk_UNCONST(buf);
+    sp->fetch = mem_fetch;
+    sp->store = mem_no_store;
+    sp->seek = mem_seek;
+    sp->free = NULL;
+    return sp;
 }
diff --git a/crypto/heimdal/lib/krb5/string-to-key-test.c b/crypto/heimdal/lib/krb5/string-to-key-test.c
index 0ea5cd1..30075ea 100644
--- a/crypto/heimdal/lib/krb5/string-to-key-test.c
+++ b/crypto/heimdal/lib/krb5/string-to-key-test.c
@@ -31,8 +31,9 @@
  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
 
 #include "krb5_locl.h"
+#include <err.h>
 
-RCSID("$Id: string-to-key-test.c,v 1.7 2001/05/11 16:15:27 joda Exp $");
+RCSID("$Id: string-to-key-test.c 16344 2005-12-02 15:15:43Z lha $");
 
 enum { MAXSIZE = 24 };
 
@@ -48,10 +49,12 @@ static struct testcase {
      {0xfe, 0x67, 0xbf, 0x9e, 0x57, 0x6b, 0xfe, 0x52}},
     {"assar/liten@FOO.SE", "hemligt", ETYPE_DES_CBC_MD5,
      {0x5b, 0x9b, 0xcb, 0xf2, 0x97, 0x43, 0xc8, 0x40}},
+#if 0
     {"@", "", ETYPE_DES3_CBC_SHA1,
      {0xce, 0xa2, 0x2f, 0x9b, 0x52, 0x2c, 0xb0, 0x15, 0x6e, 0x6b, 0x64,
       0x73, 0x62, 0x64, 0x73, 0x4f, 0x6e, 0x73, 0xce, 0xa2, 0x2f, 0x9b,
       0x52, 0x57}},
+#endif
     {"nisse@FOO.SE", "hej", ETYPE_DES3_CBC_SHA1,
      {0x0e, 0xbc, 0x23, 0x9d, 0x68, 0x46, 0xf2, 0xd5, 0x51, 0x98, 0x5b,
       0x57, 0xc1, 0x57, 0x01, 0x79, 0x04, 0xc4, 0xe9, 0xfe, 0xc1, 0x0e,
@@ -130,6 +133,8 @@ main(int argc, char **argv)
 	    printf ("\n");
 	    val = 1;
 	}
+	krb5_free_keyblock_contents(context, &key);
     }
+    krb5_free_context(context);
     return val;
 }
diff --git a/crypto/heimdal/lib/krb5/test_acl.c b/crypto/heimdal/lib/krb5/test_acl.c
new file mode 100644
index 0000000..e52f31a
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/test_acl.c
@@ -0,0 +1,113 @@
+/*
+ * Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+#include <err.h>
+
+RCSID("$Id: test_acl.c 15036 2005-04-30 15:19:58Z lha $");
+
+#define RETVAL(c, r, e, s) \
+	do { if (r != e) krb5_errx(c, 1, "%s", s); } while (0)
+#define STRINGMATCH(c, s, _s1, _s2) \
+	do {							\
+		if (_s1 == NULL || _s2 == NULL) 		\
+			krb5_errx(c, 1, "s1 or s2 is NULL");	\
+		if (strcmp(_s1,_s2) != 0) 			\
+			krb5_errx(c, 1, "%s", s);		\
+	} while (0)
+
+static void
+test_match_string(krb5_context context)
+{
+    krb5_error_code ret;
+    char *s1, *s2;
+
+    ret = krb5_acl_match_string(context, "foo", "s", "foo");
+    RETVAL(context, ret, 0, "single s");
+    ret = krb5_acl_match_string(context, "foo foo", "s", "foo");
+    RETVAL(context, ret, EACCES, "too many strings");
+    ret = krb5_acl_match_string(context, "foo bar", "ss", "foo", "bar");
+    RETVAL(context, ret, 0, "two strings");
+    ret = krb5_acl_match_string(context, "foo  bar", "ss", "foo", "bar");
+    RETVAL(context, ret, 0, "two strings double space");
+    ret = krb5_acl_match_string(context, "foo \tbar", "ss", "foo", "bar");
+    RETVAL(context, ret, 0, "two strings space + tab");
+    ret = krb5_acl_match_string(context, "foo", "ss", "foo", "bar");
+    RETVAL(context, ret, EACCES, "one string, two format strings");
+    ret = krb5_acl_match_string(context, "foo", "ss", "foo", "foo");
+    RETVAL(context, ret, EACCES, "one string, two format strings (same)");
+    ret = krb5_acl_match_string(context, "foo  \t", "s", "foo");
+    RETVAL(context, ret, 0, "ending space");
+
+    ret = krb5_acl_match_string(context, "foo/bar", "f", "foo/bar");
+    RETVAL(context, ret, 0, "liternal fnmatch");
+    ret = krb5_acl_match_string(context, "foo/bar", "f", "foo/*");
+    RETVAL(context, ret, 0, "foo/*");
+    ret = krb5_acl_match_string(context, "foo/bar/baz", "f", "foo/*/baz");
+    RETVAL(context, ret, 0, "foo/*/baz");
+
+    ret = krb5_acl_match_string(context, "foo", "r", &s1);
+    RETVAL(context, ret, 0, "ret 1");
+    STRINGMATCH(context, "ret 1 match", s1, "foo"); free(s1);
+
+    ret = krb5_acl_match_string(context, "foo bar", "rr", &s1, &s2);
+    RETVAL(context, ret, 0, "ret 2");
+    STRINGMATCH(context, "ret 2 match 1", s1, "foo"); free(s1);
+    STRINGMATCH(context, "ret 2 match 2", s2, "bar"); free(s2);
+
+    ret = krb5_acl_match_string(context, "foo bar", "sr", "bar", &s1);
+    RETVAL(context, ret, EACCES, "ret mismatch");
+    if (s1 != NULL) krb5_errx(context, 1, "s1 not NULL");
+
+    ret = krb5_acl_match_string(context, "foo", "l", "foo");
+    RETVAL(context, ret, EINVAL, "unknown letter");
+}
+
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+
+    setprogname(argv[0]);
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    test_match_string(context);
+
+    krb5_free_context(context);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/test_addr.c b/crypto/heimdal/lib/krb5/test_addr.c
new file mode 100644
index 0000000..1ab47ae
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/test_addr.c
@@ -0,0 +1,202 @@
+/*
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+#include <err.h>
+
+RCSID("$Id: test_addr.c 15036 2005-04-30 15:19:58Z lha $");
+
+static void
+print_addr(krb5_context context, const char *addr)
+{
+    krb5_addresses addresses;
+    krb5_error_code ret;
+    char buf[38];
+    char buf2[1000];
+    size_t len;
+    int i;
+
+    ret = krb5_parse_address(context, addr, &addresses);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_address");
+
+    if (addresses.len < 1)
+	krb5_err(context, 1, ret, "too few addresses");
+    
+    for (i = 0; i < addresses.len; i++) {
+	krb5_print_address(&addresses.val[i], buf, sizeof(buf), &len);
+#if 0
+	printf("addr %d: %s (%d/%d)\n", i, buf, (int)len, (int)strlen(buf)); 
+#endif
+	if (strlen(buf) > sizeof(buf))
+	    abort();
+	krb5_print_address(&addresses.val[i], buf2, sizeof(buf2), &len);
+#if 0
+	printf("addr %d: %s (%d/%d)\n", i, buf2, (int)len, (int)strlen(buf2)); 
+#endif
+	if (strlen(buf2) > sizeof(buf2))
+	    abort();
+
+    }
+    krb5_free_addresses(context, &addresses);
+
+}
+
+static void
+truncated_addr(krb5_context context, const char *addr, 
+	       size_t truncate_len, size_t outlen)
+{
+    krb5_addresses addresses;
+    krb5_error_code ret;
+    char *buf;
+    size_t len;
+
+    buf = ecalloc(1, outlen + 1);
+
+    ret = krb5_parse_address(context, addr, &addresses);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_address");
+
+    if (addresses.len != 1)
+	krb5_err(context, 1, ret, "addresses should be one");
+    
+    krb5_print_address(&addresses.val[0], buf, truncate_len, &len);
+    
+#if 0
+    printf("addr %s (%d/%d)\n", buf, (int)len, (int)strlen(buf)); 
+#endif
+    
+    if (truncate_len > strlen(buf) + 1)
+	abort();
+    if (outlen != len)
+	abort();
+    
+    krb5_print_address(&addresses.val[0], buf, outlen + 1, &len);
+
+#if 0
+    printf("addr %s (%d/%d)\n", buf, (int)len, (int)strlen(buf)); 
+#endif
+
+    if (len != outlen)
+	abort();
+    if (strlen(buf) != len)
+	abort();
+
+    krb5_free_addresses(context, &addresses);
+    free(buf);
+}
+
+static void
+check_truncation(krb5_context context, const char *addr)
+{
+    int i, len = strlen(addr);
+
+    for (i = 0; i < len; i++)
+	truncated_addr(context, addr, i, len);
+}
+
+static void
+match_addr(krb5_context context, const char *range_addr, 
+	   const char *one_addr, int match)
+{
+    krb5_addresses range, one;
+    krb5_error_code ret;
+
+    ret = krb5_parse_address(context, range_addr, &range);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_address");
+
+    if (range.len != 1)
+	krb5_err(context, 1, ret, "wrong num of addresses");
+    
+    ret = krb5_parse_address(context, one_addr, &one);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_address");
+
+    if (one.len != 1)
+	krb5_err(context, 1, ret, "wrong num of addresses");
+
+    if (krb5_address_order(context, &range.val[0], &one.val[0]) == 0) {
+	if (!match)
+	    krb5_errx(context, 1, "match when one shouldn't be");
+    } else {
+	if (match)
+	    krb5_errx(context, 1, "no match when one should be");
+    }
+
+    krb5_free_addresses(context, &range);
+    krb5_free_addresses(context, &one);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+
+    setprogname(argv[0]);
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    print_addr(context, "RANGE:127.0.0.0/8");
+    print_addr(context, "RANGE:127.0.0.0/24");
+    print_addr(context, "RANGE:IPv4:127.0.0.0-IPv4:127.0.0.255");
+    print_addr(context, "RANGE:130.237.237.4/29");
+#ifdef HAVE_IPV6
+    print_addr(context, "RANGE:fe80::209:6bff:fea0:e522/64");
+    print_addr(context, "RANGE:IPv6:fe80::209:6bff:fea0:e522/64");
+    print_addr(context, "RANGE:IPv6:fe80::-IPv6:fe80::ffff:ffff:ffff:ffff");
+    print_addr(context, "RANGE:fe80::-fe80::ffff:ffff:ffff:ffff");
+#endif
+
+    check_truncation(context, "IPv4:127.0.0.0");
+    check_truncation(context, "RANGE:IPv4:127.0.0.0-IPv4:127.0.0.255");
+#ifdef HAVE_IPV6
+    check_truncation(context, "IPv6:::1");
+    check_truncation(context, "IPv6:fe80::ffff:ffff:ffff:ffff");
+#endif
+
+    match_addr(context, "RANGE:127.0.0.0/8", "inet:127.0.0.0", 1);
+    match_addr(context, "RANGE:127.0.0.0/8", "inet:127.255.255.255", 1);
+    match_addr(context, "RANGE:127.0.0.0/8", "inet:128.0.0.0", 0);
+
+    match_addr(context, "RANGE:130.237.237.8/29", "inet:130.237.237.7", 0);
+    match_addr(context, "RANGE:130.237.237.8/29", "inet:130.237.237.8", 1);
+    match_addr(context, "RANGE:130.237.237.8/29", "inet:130.237.237.15", 1);
+    match_addr(context, "RANGE:130.237.237.8/29", "inet:130.237.237.16", 0);
+
+    krb5_free_context(context);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/test_alname.c b/crypto/heimdal/lib/krb5/test_alname.c
index 8a6ec6d..e8397b7 100644
--- a/crypto/heimdal/lib/krb5/test_alname.c
+++ b/crypto/heimdal/lib/krb5/test_alname.c
@@ -34,10 +34,10 @@
 #include <getarg.h>
 #include <err.h>
 
-RCSID("$Id: test_alname.c,v 1.4 2003/04/17 05:46:45 lha Exp $");
+RCSID("$Id: test_alname.c 15474 2005-06-17 04:48:02Z lha $");
 
 static void
-test_alname(krb5_context context, krb5_realm realm,
+test_alname(krb5_context context, krb5_const_realm realm,
 	    const char *user, const char *inst, 
 	    const char *localuser, int ok)
 {
@@ -102,12 +102,12 @@ main(int argc, char **argv)
     krb5_context context;
     krb5_error_code ret;
     krb5_realm realm;
-    int optind = 0;
+    int optidx = 0;
     char *user;
 
     setprogname(argv[0]);
 
-    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
 	usage(1);
     
     if (help_flag)
@@ -118,8 +118,8 @@ main(int argc, char **argv)
 	exit(0);
     }
 
-    argc -= optind;
-    argv += optind;
+    argc -= optidx;
+    argv += optidx;
 
     if (argc != 1)
 	errx(1, "first argument should be a local user that in root .k5login");
diff --git a/crypto/heimdal/lib/krb5/test_cc.c b/crypto/heimdal/lib/krb5/test_cc.c
index 15181f4..075cfe2 100644
--- a/crypto/heimdal/lib/krb5/test_cc.c
+++ b/crypto/heimdal/lib/krb5/test_cc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,25 +31,21 @@
  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
 
 #include "krb5_locl.h"
+#include <getarg.h>
 #include <err.h>
 
-RCSID("$Id: test_cc.c,v 1.1 2003/03/10 00:26:40 lha Exp $");
+RCSID("$Id: test_cc.c 22115 2007-12-03 21:21:42Z lha $");
 
-#define TEST_CC_NAME "/tmp/foo"
+static int debug_flag	= 0;
+static int version_flag = 0;
+static int help_flag	= 0;
 
-int
-main(int argc, char **argv)
+static void
+test_default_name(krb5_context context)
 {
-    krb5_context context;
     krb5_error_code ret;
+    const char *p, *test_cc_name = "/tmp/krb5-cc-test-foo";
     char *p1, *p2, *p3;
-    const char *p;
-
-    setprogname(argv[0]);
-
-    ret = krb5_init_context(&context);
-    if (ret)
-	errx (1, "krb5_init_context failed: %d", ret);
 
     p = krb5_cc_default_name(context);
     if (p == NULL)
@@ -68,7 +64,7 @@ main(int argc, char **argv)
     if (strcmp(p1, p2) != 0)
 	krb5_errx (context, 1, "krb5_cc_default_name no longer same");
 	
-    ret = krb5_cc_set_default_name(context, TEST_CC_NAME);
+    ret = krb5_cc_set_default_name(context, test_cc_name);
     if (p == NULL)
 	krb5_errx (context, 1, "krb5_cc_set_default_name 1 failed");
     
@@ -77,9 +73,459 @@ main(int argc, char **argv)
 	krb5_errx (context, 1, "krb5_cc_default_name 2 failed");
     p3 = estrdup(p);
     
-    if (strcmp(p3, TEST_CC_NAME) != 0)
+    if (strcmp(p3, test_cc_name) != 0)
 	krb5_errx (context, 1, "krb5_cc_set_default_name 1 failed");
 
+    free(p1);
+    free(p2);
+    free(p3);
+}
+
+/*
+ * Check that a closed cc still keeps it data and that it's no longer
+ * there when it's destroyed.
+ */
+
+static void
+test_mcache(krb5_context context)
+{
+    krb5_error_code ret;
+    krb5_ccache id, id2;
+    const char *nc, *tc;
+    char *c;
+    krb5_principal p, p2;
+
+    ret = krb5_parse_name(context, "lha@SU.SE", &p);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &id);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_gen_new");
+
+    ret = krb5_cc_initialize(context, id, p);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_initialize");
+
+    nc = krb5_cc_get_name(context, id);
+    if (nc == NULL)
+	krb5_errx(context, 1, "krb5_cc_get_name");
+
+    tc = krb5_cc_get_type(context, id);
+    if (tc == NULL)
+	krb5_errx(context, 1, "krb5_cc_get_name");
+
+    asprintf(&c, "%s:%s", tc, nc);
+    
+    krb5_cc_close(context, id);
+    
+    ret = krb5_cc_resolve(context, c, &id2);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_resolve");
+
+    ret = krb5_cc_get_principal(context, id2, &p2);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_get_principal");
+
+    if (krb5_principal_compare(context, p, p2) == FALSE)
+	krb5_errx(context, 1, "p != p2");
+
+    krb5_cc_destroy(context, id2);
+    krb5_free_principal(context, p);
+    krb5_free_principal(context, p2);
+
+    ret = krb5_cc_resolve(context, c, &id2);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_resolve");
+
+    ret = krb5_cc_get_principal(context, id2, &p2);
+    if (ret == 0)
+	krb5_errx(context, 1, "krb5_cc_get_principal");
+
+    krb5_cc_destroy(context, id2);
+    free(c);
+}
+
+/*
+ * Test that init works on a destroyed cc.
+ */
+
+static void
+test_init_vs_destroy(krb5_context context, const krb5_cc_ops *ops)
+{
+    krb5_error_code ret;
+    krb5_ccache id, id2;
+    krb5_principal p, p2;
+    char *n;
+
+    ret = krb5_parse_name(context, "lha@SU.SE", &p);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    ret = krb5_cc_gen_new(context, ops, &id);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_gen_new");
+
+    asprintf(&n, "%s:%s",
+	     krb5_cc_get_type(context, id),
+	     krb5_cc_get_name(context, id));
+
+    ret = krb5_cc_resolve(context, n, &id2);
+    free(n);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_resolve");
+
+    krb5_cc_destroy(context, id);
+
+    ret = krb5_cc_initialize(context, id2, p);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_initialize");
+
+    ret = krb5_cc_get_principal(context, id2, &p2);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_get_principal");
+
+    krb5_cc_destroy(context, id2);
+    krb5_free_principal(context, p);
+    krb5_free_principal(context, p2);
+}
+
+static void
+test_fcache_remove(krb5_context context)
+{
+    krb5_error_code ret;
+    krb5_ccache id;
+    krb5_principal p;
+    krb5_creds cred;
+
+    ret = krb5_parse_name(context, "lha@SU.SE", &p);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    ret = krb5_cc_gen_new(context, &krb5_fcc_ops, &id);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_gen_new");
+
+    ret = krb5_cc_initialize(context, id, p);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_initialize");
+
+    /* */
+    memset(&cred, 0, sizeof(cred));
+    ret = krb5_parse_name(context, "krbtgt/SU.SE@SU.SE", &cred.server);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+    ret = krb5_parse_name(context, "lha@SU.SE", &cred.client);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    ret = krb5_cc_store_cred(context, id, &cred);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_store_cred");
+
+    ret = krb5_cc_remove_cred(context, id, 0, &cred);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_remove_cred");
+
+    ret = krb5_cc_destroy(context, id);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_destroy");
+
+    krb5_free_principal(context, p);
+    krb5_free_principal(context, cred.server);
+    krb5_free_principal(context, cred.client);
+}
+
+static void
+test_mcc_default(void)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    krb5_ccache id, id2;
+    int i;
+
+    for (i = 0; i < 10; i++) {
+
+	ret = krb5_init_context(&context);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_init_context");
+
+	ret = krb5_cc_set_default_name(context, "MEMORY:foo");
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_cc_set_default_name");
+
+	ret = krb5_cc_default(context, &id);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_cc_default");
+
+	ret = krb5_cc_default(context, &id2);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_cc_default");
+
+	ret = krb5_cc_close(context, id);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_cc_close");
+
+	ret = krb5_cc_close(context, id2);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_cc_close");
+
+	krb5_free_context(context);
+    }
+}
+
+struct {
+    char *str;
+    int fail;
+    char *res;
+} cc_names[] = {
+    { "foo", 0, "foo" },
+    { "%{uid}", 0 },
+    { "foo%{null}", 0, "foo" },
+    { "foo%{null}bar", 0, "foobar" },
+    { "%{", 1 },
+    { "%{foo %{", 1 },
+    { "%{{", 1 },
+};
+
+static void
+test_def_cc_name(krb5_context context)
+{
+    krb5_error_code ret;
+    char *str;
+    int i;
+
+    for (i = 0; i < sizeof(cc_names)/sizeof(cc_names[0]); i++) {
+	ret = _krb5_expand_default_cc_name(context, cc_names[i].str, &str);
+	if (ret) {
+	    if (cc_names[i].fail == 0)
+		krb5_errx(context, 1, "test %d \"%s\" failed", 
+			  i, cc_names[i].str);
+	} else {
+	    if (cc_names[i].fail)
+		krb5_errx(context, 1, "test %d \"%s\" was successful", 
+			  i, cc_names[i].str);
+	    if (cc_names[i].res && strcmp(cc_names[i].res, str) != 0)
+		krb5_errx(context, 1, "test %d %s != %s", 
+			  i, cc_names[i].res, str);
+	    if (debug_flag)
+		printf("%s => %s\n", cc_names[i].str, str);
+	    free(str);
+	}
+    }
+}
+
+static void
+test_cache_find(krb5_context context, const char *type, const char *principal,
+		int find)
+{
+    krb5_principal client;
+    krb5_error_code ret;
+    krb5_ccache id = NULL;
+
+    ret = krb5_parse_name(context, principal, &client);
+    if (ret)
+	krb5_err(context, 1, ret, "parse_name for %s failed", principal);
+    
+    ret = krb5_cc_cache_match(context, client, type, &id);
+    if (ret && find)
+	krb5_err(context, 1, ret, "cc_cache_match for %s failed", principal);
+    if (ret == 0 && !find)
+	krb5_err(context, 1, ret, "cc_cache_match for %s found", principal);
+
+    if (id)
+	krb5_cc_close(context, id);
+    krb5_free_principal(context, client);
+}
+
+
+static void
+test_cache_iter(krb5_context context, const char *type, int destroy)
+{
+    krb5_cc_cache_cursor cursor;
+    krb5_error_code ret;
+    krb5_ccache id;
+    
+    ret = krb5_cc_cache_get_first (context, type, &cursor);
+    if (ret == KRB5_CC_NOSUPP)
+	return;
+    else if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_cache_get_first(%s)", type);
+
+
+    while ((ret = krb5_cc_cache_next (context, cursor, &id)) == 0) {
+	krb5_principal principal;
+	char *name;
+
+	if (debug_flag)
+	    printf("name: %s\n", krb5_cc_get_name(context, id));
+	ret = krb5_cc_get_principal(context, id, &principal);
+	if (ret == 0) {
+	    ret = krb5_unparse_name(context, principal, &name);
+	    if (ret == 0) {
+		if (debug_flag)
+		    printf("\tprincipal: %s\n", name);
+		free(name);
+	    }
+	    krb5_free_principal(context, principal);
+	}
+	if (destroy)
+	    krb5_cc_destroy(context, id);
+	else
+	    krb5_cc_close(context, id);
+    }
+
+    krb5_cc_cache_end_seq_get(context, cursor);
+}
+
+static void
+test_copy(krb5_context context, const char *fromtype, const char *totype)
+{
+    const krb5_cc_ops *from, *to;
+    krb5_ccache fromid, toid;
+    krb5_error_code ret;
+    krb5_principal p, p2;
+
+    from = krb5_cc_get_prefix_ops(context, fromtype);
+    if (from == NULL)
+	krb5_errx(context, 1, "%s isn't a type", fromtype);
+
+    to = krb5_cc_get_prefix_ops(context, totype);
+    if (to == NULL)
+	krb5_errx(context, 1, "%s isn't a type", totype);
+
+    ret = krb5_parse_name(context, "lha@SU.SE", &p);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    ret = krb5_cc_gen_new(context, from, &fromid);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_gen_new");
+
+    ret = krb5_cc_initialize(context, fromid, p);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_initialize");
+
+    ret = krb5_cc_gen_new(context, to, &toid);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_gen_new");
+
+    ret = krb5_cc_copy_cache(context, fromid, toid);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_copy_cache");
+
+    ret = krb5_cc_get_principal(context, toid, &p2);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_get_principal");
+
+    if (krb5_principal_compare(context, p, p2) == FALSE)
+	krb5_errx(context, 1, "p != p2");
+
+    krb5_free_principal(context, p);
+    krb5_free_principal(context, p2);
+
+    krb5_cc_destroy(context, fromid);
+    krb5_cc_destroy(context, toid);
+}
+
+static void
+test_prefix_ops(krb5_context context, const char *name, const krb5_cc_ops *ops)
+{
+    const krb5_cc_ops *o;
+
+    o = krb5_cc_get_prefix_ops(context, name);
+    if (o == NULL)
+	krb5_errx(context, 1, "found no match for prefix '%s'", name);
+    if (strcmp(o->prefix, ops->prefix) != 0)
+	krb5_errx(context, 1, "ops for prefix '%s' is not "
+		  "the expected %s != %s", name, o->prefix, ops->prefix);
+}
+
+
+static struct getargs args[] = {
+    {"debug",	'd',	arg_flag,	&debug_flag,
+     "turn on debuggin", NULL },
+    {"version",	0,	arg_flag,	&version_flag,
+     "print version", NULL },
+    {"help",	0,	arg_flag,	&help_flag,
+     NULL, NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args, sizeof(args)/sizeof(*args), NULL, "hostname ...");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    int optidx = 0;
+    krb5_ccache id1, id2;
+
+    setprogname(argv[0]);
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optidx;
+    argv += optidx;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    test_fcache_remove(context);
+    test_default_name(context);
+    test_mcache(context);
+    test_init_vs_destroy(context, &krb5_mcc_ops);
+    test_init_vs_destroy(context, &krb5_fcc_ops);
+    test_mcc_default();
+    test_def_cc_name(context);
+    test_cache_iter(context, "MEMORY", 0);
+    {
+	krb5_principal p;
+	krb5_cc_new_unique(context, "MEMORY", "bar", &id1);
+	krb5_cc_new_unique(context, "MEMORY", "baz", &id2);
+	krb5_parse_name(context, "lha@SU.SE", &p);
+	krb5_cc_initialize(context, id1, p);
+	krb5_free_principal(context, p);
+    }
+
+    test_cache_find(context, "MEMORY", "lha@SU.SE", 1);
+    test_cache_find(context, "MEMORY", "hulabundulahotentot@SU.SE", 0);
+
+    test_cache_iter(context, "MEMORY", 0);
+    test_cache_iter(context, "MEMORY", 1);
+    test_cache_iter(context, "MEMORY", 0);
+    test_cache_iter(context, "FILE", 0);
+    test_cache_iter(context, "API", 0);
+
+    test_copy(context, "FILE", "FILE");
+    test_copy(context, "MEMORY", "MEMORY");
+    test_copy(context, "FILE", "MEMORY");
+    test_copy(context, "MEMORY", "FILE");
+
+    test_prefix_ops(context, "FILE:/tmp/foo", &krb5_fcc_ops);
+    test_prefix_ops(context, "FILE", &krb5_fcc_ops);
+    test_prefix_ops(context, "MEMORY", &krb5_mcc_ops);
+    test_prefix_ops(context, "MEMORY:foo", &krb5_mcc_ops);
+    test_prefix_ops(context, "/tmp/kaka", &krb5_fcc_ops);
+
+    krb5_cc_destroy(context, id1);
+    krb5_cc_destroy(context, id2);
+
     krb5_free_context(context);
 
     return 0;
diff --git a/crypto/heimdal/lib/krb5/test_config.c b/crypto/heimdal/lib/krb5/test_config.c
new file mode 100644
index 0000000..7fe224e
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/test_config.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+#include <err.h>
+
+RCSID("$Id: test_config.c 15036 2005-04-30 15:19:58Z lha $");
+
+static int
+check_config_file(krb5_context context, char *filelist, char **res, int def)
+{
+    krb5_error_code ret;
+    char **pp;
+    int i;
+
+    pp = NULL;
+
+    if (def)
+	ret = krb5_prepend_config_files_default(filelist, &pp);
+    else
+	ret = krb5_prepend_config_files(filelist, NULL, &pp);
+    
+    if (ret)
+	krb5_err(context, 1, ret, "prepend_config_files");
+    
+    for (i = 0; res[i] && pp[i]; i++)
+	if (strcmp(pp[i], res[i]) != 0)
+	    krb5_errx(context, 1, "'%s' != '%s'", pp[i], res[i]);
+    
+    if (res[i] != NULL)
+	krb5_errx(context, 1, "pp ended before res list");
+    
+    if (def) {
+	char **deflist;
+	int j;
+	
+	ret = krb5_get_default_config_files(&deflist);
+	if (ret)
+	    krb5_err(context, 1, ret, "get_default_config_files");
+	
+	for (j = 0 ; pp[i] && deflist[j]; i++, j++)
+	    if (strcmp(pp[i], deflist[j]) != 0)
+		krb5_errx(context, 1, "'%s' != '%s'", pp[i], deflist[j]);
+	
+	if (deflist[j] != NULL)
+	    krb5_errx(context, 1, "pp ended before def list");
+	krb5_free_config_files(deflist);
+    }
+    
+    if (pp[i] != NULL)
+	krb5_errx(context, 1, "pp ended after res (and def) list");
+    
+    krb5_free_config_files(pp);
+    
+    return 0;
+}
+
+char *list0[] =  { "/tmp/foo", NULL };
+char *list1[] =  { "/tmp/foo", "/tmp/foo/bar", NULL };
+char *list2[] =  { "", NULL };
+
+struct {
+    char *fl;
+    char **res;
+} test[] = {
+    { "/tmp/foo", NULL },
+    { "/tmp/foo:/tmp/foo/bar", NULL },
+    { "", NULL }
+};
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    int i;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx(1, "krb5_init_context %d", ret);
+
+    test[0].res = list0;
+    test[1].res = list1;
+    test[2].res = list2;
+
+    for (i = 0; i < sizeof(test)/sizeof(*test); i++) {
+	check_config_file(context, test[i].fl, test[i].res, 0);
+	check_config_file(context, test[i].fl, test[i].res, 1);
+    }
+
+    krb5_free_context(context);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/test_crypto.c b/crypto/heimdal/lib/krb5/test_crypto.c
new file mode 100644
index 0000000..0837911
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/test_crypto.c
@@ -0,0 +1,215 @@
+/*
+ * Copyright (c) 2003-2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+#include <err.h>
+#include <getarg.h>
+
+RCSID("$Id: test_crypto.c 16290 2005-11-24 09:57:50Z lha $");
+
+static void
+time_encryption(krb5_context context, size_t size,
+		krb5_enctype etype, int iterations)
+{
+    struct timeval tv1, tv2;
+    krb5_error_code ret;
+    krb5_keyblock key;
+    krb5_crypto crypto;
+    krb5_data data;
+    char *etype_name;
+    void *buf;
+    int i;
+
+    ret = krb5_generate_random_keyblock(context, etype, &key);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
+
+    ret = krb5_enctype_to_string(context, etype, &etype_name);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_enctype_to_string");
+
+    buf = malloc(size);
+    if (buf == NULL)
+	krb5_errx(context, 1, "out of memory");
+    memset(buf, 0, size);
+
+    ret = krb5_crypto_init(context, &key, 0, &crypto);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_crypto_init");
+
+    gettimeofday(&tv1, NULL);
+
+    for (i = 0; i < iterations; i++) {
+	ret = krb5_encrypt(context, crypto, 0, buf, size, &data);
+	if (ret)
+	    krb5_err(context, 1, ret, "encrypt: %d", i);
+	krb5_data_free(&data);
+    }
+
+    gettimeofday(&tv2, NULL);
+
+    timevalsub(&tv2, &tv1);
+
+    printf("%s size: %7lu iterations: %d time: %3ld.%06ld\n", 
+	   etype_name, (unsigned long)size, iterations,
+	   (long)tv2.tv_sec, (long)tv2.tv_usec);
+
+    free(buf);
+    free(etype_name);
+    krb5_crypto_destroy(context, crypto);
+    krb5_free_keyblock_contents(context, &key);
+}
+
+static void
+time_s2k(krb5_context context,
+	 krb5_enctype etype, 
+	 const char *password,
+	 krb5_salt salt,
+	 int iterations)
+{
+    struct timeval tv1, tv2;
+    krb5_error_code ret;
+    krb5_keyblock key;
+    krb5_data opaque;
+    char *etype_name;
+    int i;
+
+    ret = krb5_enctype_to_string(context, etype, &etype_name);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_enctype_to_string");
+
+    opaque.data = NULL;
+    opaque.length = 0;
+
+    gettimeofday(&tv1, NULL);
+
+    for (i = 0; i < iterations; i++) {
+	ret = krb5_string_to_key_salt_opaque(context, etype, password, salt,
+					 opaque, &key);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_string_to_key_data_salt_opaque");
+	krb5_free_keyblock_contents(context, &key);
+    }
+
+    gettimeofday(&tv2, NULL);
+
+    timevalsub(&tv2, &tv1);
+
+    printf("%s string2key %d iterations time: %3ld.%06ld\n", 
+	   etype_name, iterations, (long)tv2.tv_sec, (long)tv2.tv_usec);
+    free(etype_name);
+
+}
+
+static int version_flag = 0;
+static int help_flag	= 0;
+
+static struct getargs args[] = {
+    {"version",	0,	arg_flag,	&version_flag,
+     "print version", NULL },
+    {"help",	0,	arg_flag,	&help_flag,
+     NULL, NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    int i, enciter, s2kiter;
+    int optidx = 0;
+    krb5_salt salt;
+
+    krb5_enctype enctypes[] = { 
+	ETYPE_DES_CBC_CRC,
+	ETYPE_DES3_CBC_SHA1,
+	ETYPE_ARCFOUR_HMAC_MD5,
+	ETYPE_AES128_CTS_HMAC_SHA1_96,
+	ETYPE_AES256_CTS_HMAC_SHA1_96
+    };
+
+    setprogname(argv[0]);
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optidx;
+    argv += optidx;
+
+    salt.salttype = KRB5_PW_SALT;
+    salt.saltvalue.data = NULL;
+    salt.saltvalue.length = 0;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    enciter = 1000;
+    s2kiter = 100;
+
+    for (i = 0; i < sizeof(enctypes)/sizeof(enctypes[0]); i++) {
+
+	time_encryption(context, 16, enctypes[i], enciter);
+	time_encryption(context, 32, enctypes[i], enciter);
+	time_encryption(context, 512, enctypes[i], enciter);
+	time_encryption(context, 1024, enctypes[i], enciter);
+	time_encryption(context, 2048, enctypes[i], enciter);
+	time_encryption(context, 4096, enctypes[i], enciter);
+	time_encryption(context, 8192, enctypes[i], enciter);
+	time_encryption(context, 16384, enctypes[i], enciter);
+	time_encryption(context, 32768, enctypes[i], enciter);
+
+	time_s2k(context, enctypes[i], "mYsecreitPassword", salt, s2kiter);
+    }
+
+    krb5_free_context(context);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/test_crypto_wrapping.c b/crypto/heimdal/lib/krb5/test_crypto_wrapping.c
new file mode 100644
index 0000000..1618fdf
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/test_crypto_wrapping.c
@@ -0,0 +1,164 @@
+/*
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+#include <err.h>
+#include <getarg.h>
+
+RCSID("$Id: test_crypto_wrapping.c 18809 2006-10-22 07:11:43Z lha $");
+
+static void
+test_wrapping(krb5_context context,
+	      size_t min_size,
+	      size_t max_size,
+	      size_t step,
+	      krb5_enctype etype)
+{
+    krb5_error_code ret;
+    krb5_keyblock key;
+    krb5_crypto crypto;
+    krb5_data data;
+    char *etype_name;
+    void *buf;
+    size_t size;
+
+    ret = krb5_generate_random_keyblock(context, etype, &key);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
+
+    ret = krb5_enctype_to_string(context, etype, &etype_name);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_enctype_to_string");
+
+    buf = malloc(max_size);
+    if (buf == NULL)
+	krb5_errx(context, 1, "out of memory");
+    memset(buf, 0, max_size);
+
+    ret = krb5_crypto_init(context, &key, 0, &crypto);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_crypto_init");
+
+    for (size = min_size; size < max_size; size += step) {
+	size_t wrapped_size;
+
+	ret = krb5_encrypt(context, crypto, 0, buf, size, &data);
+	if (ret)
+	    krb5_err(context, 1, ret, "encrypt size %lu using %s",
+		     (unsigned long)size, etype_name);
+
+	wrapped_size = krb5_get_wrapped_length(context, crypto, size);
+
+	if (wrapped_size != data.length)
+	    krb5_errx(context, 1, "calculated wrapped length %lu != "
+		      "real wrapped length %lu for data length %lu using "
+		      "enctype %s",
+		      (unsigned long)wrapped_size,
+		      (unsigned long)data.length,
+		      (unsigned long)size,
+		      etype_name);
+	krb5_data_free(&data);
+    }
+
+    free(etype_name);
+    free(buf);
+    krb5_crypto_destroy(context, crypto);
+    krb5_free_keyblock_contents(context, &key);
+}
+
+
+
+static int version_flag = 0;
+static int help_flag	= 0;
+
+static struct getargs args[] = {
+    {"version",	0,	arg_flag,	&version_flag,
+     "print version", NULL },
+    {"help",	0,	arg_flag,	&help_flag,
+     NULL, NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    int i, optidx = 0;
+
+    krb5_enctype enctypes[] = { 
+	ETYPE_DES_CBC_CRC,
+	ETYPE_DES_CBC_MD4,
+	ETYPE_DES_CBC_MD5,
+	ETYPE_DES3_CBC_SHA1,
+	ETYPE_ARCFOUR_HMAC_MD5,
+	ETYPE_AES128_CTS_HMAC_SHA1_96,
+	ETYPE_AES256_CTS_HMAC_SHA1_96
+    };
+
+    setprogname(argv[0]);
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optidx;
+    argv += optidx;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    for (i = 0; i < sizeof(enctypes)/sizeof(enctypes[0]); i++) {
+	test_wrapping(context, 0, 1024, 1, enctypes[i]);
+	test_wrapping(context, 1024, 1024 * 100, 1024, enctypes[i]);
+    }
+    krb5_free_context(context);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/test_forward.c b/crypto/heimdal/lib/krb5/test_forward.c
new file mode 100644
index 0000000..1639953
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/test_forward.c
@@ -0,0 +1,136 @@
+/*
+ * Copyright (c) 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+#include <err.h>
+#include <getarg.h>
+
+RCSID("$Id$");
+
+static int version_flag = 0;
+static int help_flag	= 0;
+
+static struct getargs args[] = {
+    {"version",	0,	arg_flag,	&version_flag,
+     "print version", NULL },
+    {"help",	0,	arg_flag,	&help_flag,
+     NULL, NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "hostname");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    const char *hostname;
+    krb5_context context;
+    krb5_auth_context ac;
+    krb5_error_code ret;
+    krb5_creds cred;
+    krb5_ccache id;
+    krb5_data data;
+    int optidx = 0;
+
+    setprogname (argv[0]);
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optidx;
+    argv += optidx;
+
+    if (argc < 1)
+	usage(1);
+
+    hostname = argv[0];
+
+    memset(&cred, 0, sizeof(cred));
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    ret = krb5_cc_default(context, &id);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_default failed: %d", ret);
+
+    ret = krb5_auth_con_init(context, &ac);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_auth_con_init failed: %d", ret);
+
+    krb5_auth_con_addflags(context, ac,
+			   KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED, NULL);
+
+    ret = krb5_cc_get_principal(context, id, &cred.client);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_get_principal");
+
+    ret = krb5_make_principal(context,
+			      &cred.server,
+			      krb5_principal_get_realm(context, cred.client),
+			      KRB5_TGS_NAME,
+			      krb5_principal_get_realm(context, cred.client),
+			      NULL);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_make_principal(server)");
+
+    ret = krb5_get_forwarded_creds (context,
+				    ac,
+				    id,
+				    KDC_OPT_FORWARDABLE,
+				    hostname,
+				    &cred,
+				    &data);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_get_forwarded_creds");
+
+    krb5_data_free(&data);
+    krb5_free_context(context);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/test_get_addrs.c b/crypto/heimdal/lib/krb5/test_get_addrs.c
index 97e3b2b..1d53e0e 100644
--- a/crypto/heimdal/lib/krb5/test_get_addrs.c
+++ b/crypto/heimdal/lib/krb5/test_get_addrs.c
@@ -34,7 +34,7 @@
 #include <err.h>
 #include <getarg.h>
 
-RCSID("$Id: test_get_addrs.c,v 1.4 2002/08/23 03:42:54 assar Exp $");
+RCSID("$Id: test_get_addrs.c 15474 2005-06-17 04:48:02Z lha $");
 
 /* print all addresses that we find */
 
@@ -77,11 +77,11 @@ main(int argc, char **argv)
     krb5_context context;
     krb5_error_code ret;
     krb5_addresses addrs;
-    int optind = 0;
+    int optidx = 0;
 
     setprogname (argv[0]);
 
-    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
 	usage(1);
     
     if (help_flag)
@@ -92,8 +92,8 @@ main(int argc, char **argv)
 	exit(0);
     }
 
-    argc -= optind;
-    argv += optind;
+    argc -= optidx;
+    argv += optidx;
 
     ret = krb5_init_context(&context);
     if (ret)
diff --git a/crypto/heimdal/lib/krb5/test_hostname.c b/crypto/heimdal/lib/krb5/test_hostname.c
new file mode 100644
index 0000000..095cb39
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/test_hostname.c
@@ -0,0 +1,152 @@
+/*
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+#include <err.h>
+#include <getarg.h>
+
+RCSID("$Id: test_hostname.c 15965 2005-08-23 20:18:55Z lha $");
+
+static int debug_flag	= 0;
+static int version_flag = 0;
+static int help_flag	= 0;
+
+static int
+expand_hostname(krb5_context context, const char *host)
+{
+    krb5_error_code ret;
+    char *h, **r;
+
+    ret = krb5_expand_hostname(context, host, &h);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_expand_hostname(%s)", host);
+
+    free(h);
+
+    if (debug_flag)
+	printf("hostname: %s -> %s\n", host, h);
+
+    ret = krb5_expand_hostname_realms(context, host, &h, &r);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_expand_hostname_realms(%s)", host);
+
+    if (debug_flag) {
+	int j;
+
+	printf("hostname: %s -> %s\n", host, h);
+	for (j = 0; r[j]; j++) {
+	    printf("\trealm: %s\n", r[j]);
+	}
+    }
+    free(h);
+    krb5_free_host_realm(context, r);
+
+    return 0;
+}
+
+static int
+test_expand_hostname(krb5_context context)
+{
+    int i, errors = 0;
+
+    struct t {
+	krb5_error_code ret;
+	const char *orig_hostname;
+	const char *new_hostname;
+    } tests[] = {
+	{ 0, "pstn1.su.se", "pstn1.su.se" },
+	{ 0, "pstnproxy.su.se", "pstnproxy.su.se" },
+    };
+
+    for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) {
+	errors += expand_hostname(context, tests[i].orig_hostname);
+    }
+
+    return errors;
+}
+
+static struct getargs args[] = {
+    {"debug",	'd',	arg_flag,	&debug_flag,
+     "turn on debuggin", NULL },
+    {"version",	0,	arg_flag,	&version_flag,
+     "print version", NULL },
+    {"help",	0,	arg_flag,	&help_flag,
+     NULL, NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args, sizeof(args)/sizeof(*args), NULL, "hostname ...");
+    exit (ret);
+}
+
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    int optidx = 0, errors = 0;
+
+    setprogname(argv[0]);
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optidx;
+    argv += optidx;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    if (argc > 0) {
+	while (argc-- > 0)
+	    errors += expand_hostname(context, *argv++);
+	return errors;
+    }
+
+    errors += test_expand_hostname(context);
+
+    krb5_free_context(context);
+
+    return errors;
+}
diff --git a/crypto/heimdal/lib/krb5/test_keytab.c b/crypto/heimdal/lib/krb5/test_keytab.c
new file mode 100644
index 0000000..97361cc
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/test_keytab.c
@@ -0,0 +1,191 @@
+/*
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+#include <err.h>
+
+RCSID("$Id: test_keytab.c 18809 2006-10-22 07:11:43Z lha $");
+
+/*
+ * Test that removal entry from of empty keytab doesn't corrupts
+ * memory.
+ */
+
+static void
+test_empty_keytab(krb5_context context, const char *keytab)
+{
+    krb5_error_code ret;
+    krb5_keytab id;
+    krb5_keytab_entry entry;
+
+    ret = krb5_kt_resolve(context, keytab, &id);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kt_resolve");
+
+    memset(&entry, 0, sizeof(entry));
+
+    krb5_kt_remove_entry(context, id, &entry);
+
+    ret = krb5_kt_close(context, id);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kt_close");
+}
+
+/*
+ * Test that memory keytab are refcounted.
+ */
+
+static void
+test_memory_keytab(krb5_context context, const char *keytab, const char *keytab2)
+{
+    krb5_error_code ret;
+    krb5_keytab id, id2, id3;
+    krb5_keytab_entry entry, entry2, entry3;
+
+    ret = krb5_kt_resolve(context, keytab, &id);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kt_resolve");
+
+    memset(&entry, 0, sizeof(entry));
+    ret = krb5_parse_name(context, "lha@SU.SE", &entry.principal);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+    entry.vno = 1;
+    ret = krb5_generate_random_keyblock(context,
+					ETYPE_AES256_CTS_HMAC_SHA1_96,
+					&entry.keyblock);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
+
+    krb5_kt_add_entry(context, id, &entry);
+
+    ret = krb5_kt_resolve(context, keytab, &id2);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kt_resolve");
+
+    ret = krb5_kt_get_entry(context, id,
+			    entry.principal,
+			    0,
+			    ETYPE_AES256_CTS_HMAC_SHA1_96,
+			    &entry2);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kt_get_entry");
+    krb5_kt_free_entry(context, &entry2);
+
+    ret = krb5_kt_close(context, id);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kt_close");
+
+    ret = krb5_kt_get_entry(context, id2,
+			    entry.principal,
+			    0,
+			    ETYPE_AES256_CTS_HMAC_SHA1_96,
+			    &entry2);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kt_get_entry");
+    krb5_kt_free_entry(context, &entry2);
+
+    ret = krb5_kt_close(context, id2);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kt_close");
+
+
+    ret = krb5_kt_resolve(context, keytab2, &id3);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kt_resolve");
+
+    memset(&entry3, 0, sizeof(entry3));
+    ret = krb5_parse_name(context, "lha3@SU.SE", &entry3.principal);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+    entry3.vno = 1;
+    ret = krb5_generate_random_keyblock(context,
+					ETYPE_AES256_CTS_HMAC_SHA1_96,
+					&entry3.keyblock);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
+
+    krb5_kt_add_entry(context, id3, &entry3);
+
+
+    ret = krb5_kt_resolve(context, keytab, &id);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kt_resolve");
+
+    ret = krb5_kt_get_entry(context, id,
+			    entry.principal,
+			    0,
+			    ETYPE_AES256_CTS_HMAC_SHA1_96,
+			    &entry2);
+    if (ret == 0)
+	krb5_errx(context, 1, "krb5_kt_get_entry when if should fail");
+
+    krb5_kt_remove_entry(context, id, &entry);
+
+    ret = krb5_kt_close(context, id);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kt_close");
+
+    krb5_kt_free_entry(context, &entry);
+
+    krb5_kt_remove_entry(context, id3, &entry3);
+
+    ret = krb5_kt_close(context, id3);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kt_close");
+
+    krb5_free_principal(context, entry3.principal);
+    krb5_free_keyblock_contents(context, &entry3.keyblock);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+
+    setprogname(argv[0]);
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    test_empty_keytab(context, "MEMORY:foo");
+    test_empty_keytab(context, "FILE:foo");
+    test_empty_keytab(context, "KRB4:foo");
+
+    test_memory_keytab(context, "MEMORY:foo", "MEMORY:foo2");
+
+    krb5_free_context(context);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/test_kuserok.c b/crypto/heimdal/lib/krb5/test_kuserok.c
new file mode 100644
index 0000000..04a6f21
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/test_kuserok.c
@@ -0,0 +1,106 @@
+/*
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+#include <getarg.h>
+#include <err.h>
+
+RCSID("$Id: test_kuserok.c 15033 2005-04-30 15:15:38Z lha $");
+
+static int version_flag = 0;
+static int help_flag	= 0;
+
+static struct getargs args[] = {
+    {"version",	0,	arg_flag,	&version_flag,
+     "print version", NULL },
+    {"help",	0,	arg_flag,	&help_flag,
+     NULL, NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "principal luser");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    krb5_principal principal;
+    char *p;
+    int o = 0;
+
+    setprogname(argv[0]);
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &o))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= o;
+    argv += o;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    if (argc != 2)
+	usage(1);
+
+    ret = krb5_parse_name(context, argv[0], &principal);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+    
+    ret = krb5_unparse_name(context, principal, &p);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_unparse_name");
+
+    ret = krb5_kuserok(context, principal, argv[1]);
+
+    krb5_free_context(context);
+
+    printf("%s is %sallowed to login as %s\n", p, ret ? "" : "NOT ", argv[1]);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/test_mem.c b/crypto/heimdal/lib/krb5/test_mem.c
new file mode 100644
index 0000000..8989cae
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/test_mem.c
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+#include <err.h>
+
+RCSID("$Id: test_mem.c 15931 2005-08-12 13:43:46Z lha $");
+
+/*
+ * Test run functions, to be used with valgrind to detect memoryleaks.
+ */
+
+static void
+check_log(void)
+{
+    int i;
+
+    for (i = 0; i < 10; i++) {
+	krb5_log_facility *logfacility;
+	krb5_context context;
+	krb5_error_code ret;
+
+	ret = krb5_init_context(&context);
+	if (ret)
+	    errx (1, "krb5_init_context failed: %d", ret);
+    
+	krb5_initlog(context, "test-mem", &logfacility);
+	krb5_addlog_dest(context, logfacility, "0/STDERR:");
+	krb5_set_warn_dest(context, logfacility);
+    
+	krb5_free_context(context);
+    }
+}
+
+
+int
+main(int argc, char **argv)
+{
+    setprogname(argv[0]);
+
+    check_log();
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/test_pac.c b/crypto/heimdal/lib/krb5/test_pac.c
new file mode 100644
index 0000000..a22fe3a
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/test_pac.c
@@ -0,0 +1,295 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: test_pac.c 21934 2007-08-27 14:21:04Z lha $");
+
+/*
+ * This PAC and keys are copied (with permission) from Samba torture
+ * regression test suite, they where created by Andrew Bartlet.
+ */
+
+static const unsigned char saved_pac[] = {
+	0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xd8, 0x01, 0x00, 0x00, 
+	0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,
+	0x20, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
+	0x40, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
+	0x58, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc,
+	0xc8, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x30, 0xdf, 0xa6, 0xcb, 
+	0x4f, 0x7d, 0xc5, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, 
+	0xff, 0xff, 0xff, 0x7f, 0xc0, 0x3c, 0x4e, 0x59, 0x62, 0x73, 0xc5, 0x01, 0xc0, 0x3c, 0x4e, 0x59,
+	0x62, 0x73, 0xc5, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x16, 0x00, 0x16, 0x00,
+	0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x0c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 
+	0x14, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x02, 0x00, 0x65, 0x00, 0x00, 0x00, 
+	0xed, 0x03, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x02, 0x00,
+	0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x16, 0x00, 0x20, 0x00, 0x02, 0x00, 0x16, 0x00, 0x18, 0x00,
+	0x24, 0x00, 0x02, 0x00, 0x28, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x01, 0x00, 0x00, 0x00, 0x2c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00,
+	0x57, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x33, 0x00, 0x46, 0x00, 0x49, 0x00, 0x4e, 0x00,
+	0x41, 0x00, 0x4c, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
+	0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x57, 0x00, 0x32, 0x00,
+	0x30, 0x00, 0x30, 0x00, 0x33, 0x00, 0x46, 0x00, 0x49, 0x00, 0x4e, 0x00, 0x41, 0x00, 0x4c, 0x00,
+	0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x57, 0x00, 0x49, 0x00,
+	0x4e, 0x00, 0x32, 0x00, 0x4b, 0x00, 0x33, 0x00, 0x54, 0x00, 0x48, 0x00, 0x49, 0x00, 0x4e, 0x00,
+	0x4b, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
+	0x15, 0x00, 0x00, 0x00, 0x11, 0x2f, 0xaf, 0xb5, 0x90, 0x04, 0x1b, 0xec, 0x50, 0x3b, 0xec, 0xdc,
+	0x01, 0x00, 0x00, 0x00, 0x30, 0x00, 0x02, 0x00, 0x07, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+	0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x80, 0x66, 0x28, 0xea, 0x37, 0x80, 0xc5, 0x01, 0x16, 0x00, 0x77, 0x00, 0x32, 0x00, 0x30, 0x00,
+	0x30, 0x00, 0x33, 0x00, 0x66, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x61, 0x00, 0x6c, 0x00, 0x24, 0x00,
+	0x76, 0xff, 0xff, 0xff, 0x37, 0xd5, 0xb0, 0xf7, 0x24, 0xf0, 0xd6, 0xd4, 0xec, 0x09, 0x86, 0x5a,
+	0xa0, 0xe8, 0xc3, 0xa9, 0x00, 0x00, 0x00, 0x00, 0x76, 0xff, 0xff, 0xff, 0xb4, 0xd8, 0xb8, 0xfe,
+	0x83, 0xb3, 0x13, 0x3f, 0xfc, 0x5c, 0x41, 0xad, 0xe2, 0x64, 0x83, 0xe0, 0x00, 0x00, 0x00, 0x00
+};
+
+static int type_1_length = 472;
+
+static const krb5_keyblock kdc_keyblock = {
+    ETYPE_ARCFOUR_HMAC_MD5,
+    { 16, "\xB2\x86\x75\x71\x48\xAF\x7F\xD2\x52\xC5\x36\x03\xA1\x50\xB7\xE7" }
+};
+
+static const krb5_keyblock member_keyblock = {
+    ETYPE_ARCFOUR_HMAC_MD5,
+    { 16, "\xD2\x17\xFA\xEA\xE5\xE6\xB5\xF9\x5C\xCC\x94\x07\x7A\xB8\xA5\xFC" }
+};
+
+static time_t authtime = 1120440609;
+static const char *user = "w2003final$@WIN2K3.THINKER.LOCAL";
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_pac pac;
+    krb5_data data;
+    krb5_principal p;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx(1, "krb5_init_contex");
+
+    ret = krb5_parse_name(context, user, &p);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    ret = krb5_pac_parse(context, saved_pac, sizeof(saved_pac), &pac);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_pac_parse");
+
+    ret = krb5_pac_verify(context, pac, authtime, p,
+			   &member_keyblock, &kdc_keyblock);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_pac_verify");
+
+    ret = _krb5_pac_sign(context, pac, authtime, p, 
+			 &member_keyblock, &kdc_keyblock, &data);
+    if (ret)
+	krb5_err(context, 1, ret, "_krb5_pac_sign");
+
+    krb5_pac_free(context, pac);
+
+    ret = krb5_pac_parse(context, data.data, data.length, &pac);
+    krb5_data_free(&data);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_pac_parse 2");
+
+    ret = krb5_pac_verify(context, pac, authtime, p,
+			   &member_keyblock, &kdc_keyblock);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_pac_verify 2");
+
+    /* make a copy and try to reproduce it */
+    {
+	uint32_t *list;
+	size_t len, i;
+	krb5_pac pac2;
+
+	ret = krb5_pac_init(context, &pac2);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_pac_init");
+
+	/* our two user buffer plus the three "system" buffers */
+	ret = krb5_pac_get_types(context, pac, &len, &list);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_pac_get_types");
+
+	for (i = 0; i < len; i++) {
+	    /* skip server_cksum, privsvr_cksum, and logon_name */
+	    if (list[i] == 6 || list[i] == 7 || list[i] == 10)
+		continue;
+
+	    ret = krb5_pac_get_buffer(context, pac, list[i], &data);
+	    if (ret)
+		krb5_err(context, 1, ret, "krb5_pac_get_buffer");
+
+	    if (list[i] == 1) {
+		if (type_1_length != data.length)
+		    krb5_errx(context, 1, "type 1 have wrong length: %lu", 
+			      (unsigned long)data.length);
+	    } else
+		krb5_errx(context, 1, "unknown type %lu", 
+			  (unsigned long)list[i]);
+
+	    ret = krb5_pac_add_buffer(context, pac2, list[i], &data);
+	    if (ret)
+		krb5_err(context, 1, ret, "krb5_pac_add_buffer");
+	    krb5_data_free(&data);
+	}
+	free(list);
+	
+	ret = _krb5_pac_sign(context, pac2, authtime, p, 
+			     &member_keyblock, &kdc_keyblock, &data);
+	if (ret)
+	    krb5_err(context, 1, ret, "_krb5_pac_sign 4");
+	
+	krb5_pac_free(context, pac2);
+
+	ret = krb5_pac_parse(context, data.data, data.length, &pac2);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_pac_parse 4");
+	
+	ret = krb5_pac_verify(context, pac2, authtime, p,
+			      &member_keyblock, &kdc_keyblock);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_pac_verify 4");
+	
+	krb5_pac_free(context, pac2);
+    }
+
+    krb5_pac_free(context, pac);
+
+    /*
+     * Test empty free
+     */
+
+    ret = krb5_pac_init(context, &pac);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_pac_init");
+    krb5_pac_free(context, pac);
+
+    /*
+     * Test add remove buffer
+     */
+
+    ret = krb5_pac_init(context, &pac);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_pac_init");
+
+    {
+	const krb5_data cdata = { 2, "\x00\x01" } ;
+
+	ret = krb5_pac_add_buffer(context, pac, 1, &cdata);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_pac_add_buffer");
+    }
+    {
+	ret = krb5_pac_get_buffer(context, pac, 1, &data);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_pac_get_buffer");
+	if (data.length != 2 || memcmp(data.data, "\x00\x01", 2) != 0)
+	    krb5_errx(context, 1, "krb5_pac_get_buffer data not the same");
+	krb5_data_free(&data);
+    }
+
+    {
+	const krb5_data cdata = { 2, "\x02\x00" } ;
+
+	ret = krb5_pac_add_buffer(context, pac, 2, &cdata);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_pac_add_buffer");
+    }
+    {
+	ret = krb5_pac_get_buffer(context, pac, 1, &data);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_pac_get_buffer");
+	if (data.length != 2 || memcmp(data.data, "\x00\x01", 2) != 0)
+	    krb5_errx(context, 1, "krb5_pac_get_buffer data not the same");
+	krb5_data_free(&data);
+	/* */
+	ret = krb5_pac_get_buffer(context, pac, 2, &data);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_pac_get_buffer");
+	if (data.length != 2 || memcmp(data.data, "\x02\x00", 2) != 0)
+	    krb5_errx(context, 1, "krb5_pac_get_buffer data not the same");
+	krb5_data_free(&data);
+    }
+
+    ret = _krb5_pac_sign(context, pac, authtime, p, 
+			 &member_keyblock, &kdc_keyblock, &data);
+    if (ret)
+	krb5_err(context, 1, ret, "_krb5_pac_sign");
+
+    krb5_pac_free(context, pac);
+
+    ret = krb5_pac_parse(context, data.data, data.length, &pac);
+    krb5_data_free(&data);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_pac_parse 3");
+
+    ret = krb5_pac_verify(context, pac, authtime, p,
+			   &member_keyblock, &kdc_keyblock);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_pac_verify 3");
+
+    {
+	uint32_t *list;
+	size_t len;
+
+	/* our two user buffer plus the three "system" buffers */
+	ret = krb5_pac_get_types(context, pac, &len, &list);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_pac_get_types");
+	if (len != 5)
+	    krb5_errx(context, 1, "list wrong length");
+	free(list);
+    }
+
+    krb5_pac_free(context, pac);
+
+    krb5_free_principal(context, p);
+    krb5_free_context(context);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/test_pkinit_dh2key.c b/crypto/heimdal/lib/krb5/test_pkinit_dh2key.c
new file mode 100644
index 0000000..e23bef9
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/test_pkinit_dh2key.c
@@ -0,0 +1,218 @@
+/*
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+#include <err.h>
+#include <getarg.h>
+
+RCSID("$Id: test_pkinit_dh2key.c 18809 2006-10-22 07:11:43Z lha $");
+
+static void
+test_dh2key(int i,
+	    krb5_context context, 
+	    const heim_octet_string *dh,
+	    const heim_octet_string *c_n,
+	    const heim_octet_string *k_n,
+	    krb5_enctype etype,
+	    const heim_octet_string *result)
+{
+    krb5_error_code ret;
+    krb5_keyblock key;
+
+    ret = _krb5_pk_octetstring2key(context,
+				   etype,
+				   dh->data, dh->length,
+				   c_n,
+				   k_n,
+				   &key);
+    if (ret != 0)
+	krb5_err(context, 1, ret, "_krb5_pk_octetstring2key: %d", i);
+
+    if (key.keyvalue.length != result->length ||
+	memcmp(key.keyvalue.data, result->data, result->length) != 0)
+	krb5_errx(context, 1, "resulting key wrong: %d", i);
+
+    krb5_free_keyblock_contents(context, &key);
+}
+
+
+struct {
+    krb5_enctype type;
+    krb5_data X;
+    krb5_data key;
+} tests[] = {
+    /* 0 */
+    {
+	ETYPE_AES256_CTS_HMAC_SHA1_96,
+	{
+	    256,
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	},
+	{
+	    32,
+	    "\x5e\xe5\x0d\x67\x5c\x80\x9f\xe5\x9e\x4a\x77\x62\xc5\x4b\x65\x83"
+	    "\x75\x47\xea\xfb\x15\x9b\xd8\xcd\xc7\x5f\xfc\xa5\x91\x1e\x4c\x41"
+	}
+    },
+    /* 1 */
+    {
+	ETYPE_AES256_CTS_HMAC_SHA1_96,
+	{
+	    128,
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	},
+	{
+	    32,
+	    "\xac\xf7\x70\x7c\x08\x97\x3d\xdf\xdb\x27\xcd\x36\x14\x42\xcc\xfb"
+	    "\xa3\x55\xc8\x88\x4c\xb4\x72\xf3\x7d\xa6\x36\xd0\x7d\x56\x78\x7e"
+	}
+    },
+    /* 2 */
+    {
+	ETYPE_AES256_CTS_HMAC_SHA1_96,
+	{
+	    128,
+	    "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+	    "\x10\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e"
+	    "\x0f\x10\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d"
+	    "\x0e\x0f\x10\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c"
+	    "\x0d\x0e\x0f\x10\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b"
+	    "\x0c\x0d\x0e\x0f\x10\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a"
+	    "\x0b\x0c\x0d\x0e\x0f\x10\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09"
+	    "\x0a\x0b\x0c\x0d\x0e\x0f\x10\x00\x01\x02\x03\x04\x05\x06\x07\x08"
+	},
+	{
+	    32,
+	    "\xc4\x42\xda\x58\x5f\xcb\x80\xe4\x3b\x47\x94\x6f\x25\x40\x93\xe3"
+	    "\x73\x29\xd9\x90\x01\x38\x0d\xb7\x83\x71\xdb\x3a\xcf\x5c\x79\x7e"
+	}
+    },
+    /* 3 */
+    {
+	ETYPE_AES256_CTS_HMAC_SHA1_96,
+	{
+	    77,
+	    "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+	    "\x10\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e"
+	    "\x0f\x10\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d"
+	    "\x0e\x0f\x10\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c"
+	    "\x0d\x0e\x0f\x10\x00\x01\x02\x03"
+	    "\x04\x05\x06\x07\x08"
+	},
+	{
+	    32,
+	    "\x00\x53\x95\x3b\x84\xc8\x96\xf4\xeb\x38\x5c\x3f\x2e\x75\x1c\x4a"
+	    "\x59\x0e\xd6\xff\xad\xca\x6f\xf6\x4f\x47\xeb\xeb\x8d\x78\x0f\xfc"
+	}
+    }
+};
+
+
+static int version_flag = 0;
+static int help_flag	= 0;
+
+static struct getargs args[] = {
+    {"version",	0,	arg_flag,	&version_flag,
+     "print version", NULL },
+    {"help",	0,	arg_flag,	&help_flag,
+     NULL, NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "");
+    exit (ret);
+}
+
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    int i, optidx = 0;
+
+    setprogname(argv[0]);
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optidx;
+    argv += optidx;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) {
+	test_dh2key(i, context, &tests[i].X, NULL, NULL, 
+		    tests[i].type, &tests[i].key);
+    }
+
+    krb5_free_context(context);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/test_plugin.c b/crypto/heimdal/lib/krb5/test_plugin.c
new file mode 100644
index 0000000..18e9fcd
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/test_plugin.c
@@ -0,0 +1,126 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+RCSID("$Id: test_plugin.c 22024 2007-11-03 21:36:55Z lha $");
+#include "locate_plugin.h"
+
+static krb5_error_code
+resolve_init(krb5_context context, void **ctx)
+{
+    *ctx = NULL;
+    return 0;
+}
+
+static void
+resolve_fini(void *ctx)
+{
+}
+
+static krb5_error_code
+resolve_lookup(void *ctx,
+	       enum locate_service_type service,
+	       const char *realm,
+	       int domain,
+	       int type, 
+	       int (*add)(void *,int,struct sockaddr *),
+	       void *addctx)
+{
+    struct sockaddr_in s;
+
+    memset(&s, 0, sizeof(s));
+
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+    s.sin_len = sizeof(s);
+#endif
+    s.sin_family = AF_INET;
+    s.sin_port = htons(88);
+    s.sin_addr.s_addr = htonl(0x7f000002);
+
+    if (strcmp(realm, "NOTHERE.H5L.SE") == 0)
+	(*add)(addctx, type, (struct sockaddr *)&s);
+
+    return 0;
+}
+
+
+krb5plugin_service_locate_ftable resolve = {
+    0,
+    resolve_init,
+    resolve_fini,
+    resolve_lookup
+};
+
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_krbhst_handle handle;
+    char host[MAXHOSTNAMELEN];
+    int found = 0;
+
+    setprogname(argv[0]);
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx(1, "krb5_init_contex");
+
+    ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA, "resolve", &resolve);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_plugin_register");
+
+
+    ret = krb5_krbhst_init_flags(context,
+				 "NOTHERE.H5L.SE",
+				 KRB5_KRBHST_KDC,
+				 0,
+				 &handle);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_krbhst_init_flags");
+
+    
+    while(krb5_krbhst_next_as_string(context, handle, host, sizeof(host)) == 0){
+	found++;
+ 	if (strcmp(host, "127.0.0.2") != 0)
+	    krb5_errx(context, 1, "wrong address: %s", host);
+    }
+    if (!found)
+	krb5_errx(context, 1, "failed to find host");
+
+    krb5_krbhst_free(context, handle);
+
+    krb5_free_context(context);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/test_prf.c b/crypto/heimdal/lib/krb5/test_prf.c
new file mode 100644
index 0000000..94fb67d
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/test_prf.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: test_prf.c 20843 2007-06-03 14:23:20Z lha $");
+
+#include <hex.h>
+#include <err.h>
+
+/*
+ * key: string2key(aes256, "testkey", "testkey", default_params)
+ * input: unhex(1122334455667788)
+ * output: 58b594b8a61df6e9439b7baa991ff5c1
+ * 
+ * key: string2key(aes128, "testkey", "testkey", default_params)
+ * input: unhex(1122334455667788)
+ * output: ffa2f823aa7f83a8ce3c5fb730587129
+ */
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    krb5_keyblock key;
+    krb5_crypto crypto;
+    size_t length;
+    krb5_data input, output, output2;
+    krb5_enctype etype = ETYPE_AES256_CTS_HMAC_SHA1_96;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx(1, "krb5_init_context %d", ret);
+
+    ret = krb5_generate_random_keyblock(context, etype, &key);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
+
+    ret = krb5_crypto_prf_length(context, etype, &length);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_crypto_prf_length");
+
+    ret = krb5_crypto_init(context, &key, 0, &crypto);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_crypto_init");
+
+    input.data = rk_UNCONST("foo");
+    input.length = 3;
+
+    ret = krb5_crypto_prf(context, crypto, &input, &output);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_crypto_prf");
+
+    ret = krb5_crypto_prf(context, crypto, &input, &output2);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_crypto_prf");
+
+    if (krb5_data_cmp(&output, &output2) != 0)
+	krb5_errx(context, 1, "krb5_data_cmp");
+
+    krb5_data_free(&output);
+    krb5_data_free(&output2);
+
+    krb5_crypto_destroy(context, crypto);
+    
+    krb5_free_keyblock_contents(context, &key);
+
+    krb5_free_context(context);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/test_princ.c b/crypto/heimdal/lib/krb5/test_princ.c
new file mode 100644
index 0000000..d1036c1
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/test_princ.c
@@ -0,0 +1,366 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+#include <err.h>
+
+RCSID("$Id: test_princ.c 22071 2007-11-14 20:04:50Z lha $");
+
+/*
+ * Check that a closed cc still keeps it data and that it's no longer
+ * there when it's destroyed.
+ */
+
+static void
+test_princ(krb5_context context)
+{
+    const char *princ = "lha@SU.SE";
+    const char *princ_short = "lha";
+    const char *noquote;
+    krb5_error_code ret;
+    char *princ_unparsed;
+    char *princ_reformed = NULL;
+    const char *realm;
+
+    krb5_principal p, p2;
+
+    ret = krb5_parse_name(context, princ, &p);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    ret = krb5_unparse_name(context, p, &princ_unparsed);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    if (strcmp(princ, princ_unparsed)) {
+	krb5_errx(context, 1, "%s != %s", princ, princ_unparsed);
+    }
+
+    free(princ_unparsed);
+
+    ret = krb5_unparse_name_flags(context, p, 
+				  KRB5_PRINCIPAL_UNPARSE_NO_REALM,
+				  &princ_unparsed);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    if (strcmp(princ_short, princ_unparsed))
+	krb5_errx(context, 1, "%s != %s", princ_short, princ_unparsed);
+    free(princ_unparsed);
+    
+    realm = krb5_principal_get_realm(context, p);
+
+    asprintf(&princ_reformed, "%s@%s", princ_short, realm);
+
+    ret = krb5_parse_name(context, princ_reformed, &p2);
+    free(princ_reformed);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    if (!krb5_principal_compare(context, p, p2)) {
+	krb5_errx(context, 1, "p != p2");
+    }    
+
+    krb5_free_principal(context, p2);
+
+    ret = krb5_set_default_realm(context, "SU.SE");
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    ret = krb5_unparse_name_flags(context, p, 
+				  KRB5_PRINCIPAL_UNPARSE_SHORT,
+				  &princ_unparsed);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    if (strcmp(princ_short, princ_unparsed))
+	krb5_errx(context, 1, "'%s' != '%s'", princ_short, princ_unparsed);
+    free(princ_unparsed);
+
+    ret = krb5_parse_name(context, princ_short, &p2);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    if (!krb5_principal_compare(context, p, p2))
+	krb5_errx(context, 1, "p != p2");
+    krb5_free_principal(context, p2);
+
+    ret = krb5_unparse_name(context, p, &princ_unparsed);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    if (strcmp(princ, princ_unparsed))
+	krb5_errx(context, 1, "'%s' != '%s'", princ, princ_unparsed);
+    free(princ_unparsed);
+
+    ret = krb5_set_default_realm(context, "SAMBA.ORG");
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    ret = krb5_parse_name(context, princ_short, &p2);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    if (krb5_principal_compare(context, p, p2))
+	krb5_errx(context, 1, "p == p2");
+
+    if (!krb5_principal_compare_any_realm(context, p, p2))
+	krb5_errx(context, 1, "(ignoring realms) p != p2");
+
+    ret = krb5_unparse_name(context, p2, &princ_unparsed);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    if (strcmp(princ, princ_unparsed) == 0)
+	krb5_errx(context, 1, "%s == %s", princ, princ_unparsed);
+    free(princ_unparsed);
+
+    krb5_free_principal(context, p2);
+
+    ret = krb5_parse_name(context, princ, &p2);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    if (!krb5_principal_compare(context, p, p2))
+	krb5_errx(context, 1, "p != p2");
+
+    ret = krb5_unparse_name(context, p2, &princ_unparsed);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    if (strcmp(princ, princ_unparsed))
+	krb5_errx(context, 1, "'%s' != '%s'", princ, princ_unparsed);
+    free(princ_unparsed);
+
+    krb5_free_principal(context, p2);
+
+    ret = krb5_unparse_name_flags(context, p,
+				  KRB5_PRINCIPAL_UNPARSE_SHORT,
+				  &princ_unparsed);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_unparse_name_short");
+
+    if (strcmp(princ, princ_unparsed) != 0)
+	krb5_errx(context, 1, "'%s' != '%s'", princ, princ_unparsed);
+    free(princ_unparsed);
+
+    ret = krb5_unparse_name(context, p, &princ_unparsed);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_unparse_name_short");
+
+    if (strcmp(princ, princ_unparsed))
+	krb5_errx(context, 1, "'%s' != '%s'", princ, princ_unparsed);
+    free(princ_unparsed);
+
+    ret = krb5_parse_name_flags(context, princ, 
+				KRB5_PRINCIPAL_PARSE_NO_REALM,
+				&p2);
+    if (!ret)
+	krb5_err(context, 1, ret, "Should have failed to parse %s a "
+		 "short name", princ);
+
+    ret = krb5_parse_name_flags(context, princ_short, 
+				KRB5_PRINCIPAL_PARSE_NO_REALM,
+				&p2);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    ret = krb5_unparse_name_flags(context, p2, 
+				  KRB5_PRINCIPAL_UNPARSE_NO_REALM,
+				  &princ_unparsed);
+    krb5_free_principal(context, p2);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_unparse_name_norealm");
+
+    if (strcmp(princ_short, princ_unparsed))
+	krb5_errx(context, 1, "'%s' != '%s'", princ_short, princ_unparsed);
+    free(princ_unparsed);
+
+    ret = krb5_parse_name_flags(context, princ_short, 
+				KRB5_PRINCIPAL_PARSE_MUST_REALM,
+				&p2);
+    if (!ret)
+	krb5_err(context, 1, ret, "Should have failed to parse %s "
+		 "because it lacked a realm", princ_short);
+
+    ret = krb5_parse_name_flags(context, princ,
+				KRB5_PRINCIPAL_PARSE_MUST_REALM,
+				&p2);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+    
+    if (!krb5_principal_compare(context, p, p2))
+	krb5_errx(context, 1, "p != p2");
+
+    ret = krb5_unparse_name_flags(context, p2, 
+				  KRB5_PRINCIPAL_UNPARSE_NO_REALM,
+				  &princ_unparsed);
+    krb5_free_principal(context, p2);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_unparse_name_norealm");
+
+    if (strcmp(princ_short, princ_unparsed))
+	krb5_errx(context, 1, "'%s' != '%s'", princ_short, princ_unparsed);
+    free(princ_unparsed);
+
+    krb5_free_principal(context, p);
+
+    /* test quoting */
+
+    princ = "test\\ principal@SU.SE";
+    noquote = "test principal@SU.SE";
+
+    ret = krb5_parse_name_flags(context, princ, 0, &p);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    ret = krb5_unparse_name_flags(context, p, 0, &princ_unparsed);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_unparse_name_flags");
+
+    if (strcmp(princ, princ_unparsed))
+	krb5_errx(context, 1, "q '%s' != '%s'", princ, princ_unparsed);
+    free(princ_unparsed);
+
+    ret = krb5_unparse_name_flags(context, p, KRB5_PRINCIPAL_UNPARSE_DISPLAY,
+				  &princ_unparsed);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_unparse_name_flags");
+
+    if (strcmp(noquote, princ_unparsed))
+	krb5_errx(context, 1, "nq '%s' != '%s'", noquote, princ_unparsed);
+    free(princ_unparsed);
+
+    krb5_free_principal(context, p);
+}
+
+static void
+test_enterprise(krb5_context context)
+{
+    krb5_error_code ret;
+    char *unparsed;
+    krb5_principal p;
+
+    ret = krb5_set_default_realm(context, "SAMBA.ORG");
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    ret = krb5_parse_name_flags(context, "lha@su.se@WIN.SU.SE", 
+				KRB5_PRINCIPAL_PARSE_ENTERPRISE, &p);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name_flags");
+
+    ret = krb5_unparse_name(context, p, &unparsed);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_unparse_name");
+
+    krb5_free_principal(context, p);
+
+    if (strcmp(unparsed, "lha\\@su.se@WIN.SU.SE") != 0)
+	krb5_errx(context, 1, "enterprise name failed 1");
+    free(unparsed);
+
+    /*
+     *
+     */
+
+    ret = krb5_parse_name_flags(context, "lha\\@su.se@WIN.SU.SE", 
+				KRB5_PRINCIPAL_PARSE_ENTERPRISE, &p);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name_flags");
+
+    ret = krb5_unparse_name(context, p, &unparsed);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_unparse_name");
+
+    krb5_free_principal(context, p);
+    if (strcmp(unparsed, "lha\\@su.se\\@WIN.SU.SE@SAMBA.ORG") != 0)
+	krb5_errx(context, 1, "enterprise name failed 2: %s", unparsed);
+    free(unparsed);
+
+    /*
+     *
+     */
+
+    ret = krb5_parse_name_flags(context, "lha\\@su.se@WIN.SU.SE", 0, &p);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name_flags");
+
+    ret = krb5_unparse_name(context, p, &unparsed);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_unparse_name");
+
+    krb5_free_principal(context, p);
+    if (strcmp(unparsed, "lha\\@su.se@WIN.SU.SE") != 0)
+	krb5_errx(context, 1, "enterprise name failed 3");
+    free(unparsed);
+
+    /*
+     *
+     */
+
+    ret = krb5_parse_name_flags(context, "lha@su.se", 
+				KRB5_PRINCIPAL_PARSE_ENTERPRISE, &p);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name_flags");
+
+    ret = krb5_unparse_name(context, p, &unparsed);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_unparse_name");
+
+    krb5_free_principal(context, p);
+    if (strcmp(unparsed, "lha\\@su.se@SAMBA.ORG") != 0)
+	krb5_errx(context, 1, "enterprise name failed 2: %s", unparsed);
+    free(unparsed);
+}
+
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+
+    setprogname(argv[0]);
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    test_princ(context);
+
+    test_enterprise(context);
+
+    krb5_free_context(context);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/test_renew.c b/crypto/heimdal/lib/krb5/test_renew.c
new file mode 100644
index 0000000..5fa2de1
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/test_renew.c
@@ -0,0 +1,122 @@
+/*
+ * Copyright (c) 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+#include <err.h>
+#include <getarg.h>
+
+RCSID("$Id$");
+
+
+static int version_flag = 0;
+static int help_flag	= 0;
+
+static struct getargs args[] = {
+    {"version",	0,	arg_flag,	&version_flag,
+     "print version", NULL },
+    {"help",	0,	arg_flag,	&help_flag,
+     NULL, NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "[principal]");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_principal client;
+    krb5_context context;
+    const char *in_tkt_service = NULL;
+    krb5_ccache id;
+    krb5_error_code ret;
+    krb5_creds out;;
+    int optidx = 0;
+
+    setprogname(argv[0]);
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optidx;
+    argv += optidx;
+
+    if (argc > 0)
+	in_tkt_service = argv[0];
+
+    memset(&out, 0, sizeof(out));
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_init_context");
+
+    ret = krb5_cc_default(context, &id);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_default");
+
+    ret = krb5_cc_get_principal(context, id, &client);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_default");
+
+    ret = krb5_get_renewed_creds(context,
+				 &out,
+				 client,
+				 id,
+				 in_tkt_service);
+
+    if(ret)
+	krb5_err(context, 1, ret, "krb5_get_kdc_cred");
+
+    if (krb5_principal_compare(context, out.client, client) != TRUE)
+	krb5_errx(context, 1, "return principal is not as expected");
+
+    krb5_free_cred_contents(context, &out);
+
+    krb5_free_context(context);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/test_store.c b/crypto/heimdal/lib/krb5/test_store.c
new file mode 100644
index 0000000..2ce6c8d
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/test_store.c
@@ -0,0 +1,252 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+#include <getarg.h>
+
+RCSID("$Id: test_store.c 20192 2007-02-05 23:21:03Z lha $");
+
+static void
+test_int8(krb5_context context, krb5_storage *sp)
+{
+    krb5_error_code ret;
+    int i;
+    int8_t val[] = {
+	0, 1, -1, 128, -127
+    }, v;
+
+    for (i = 0; i < sizeof(val[0])/sizeof(val); i++) {
+
+	ret = krb5_store_int8(sp, val[i]);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_store_int8");
+	krb5_storage_seek(sp, 0, SEEK_SET);
+	ret = krb5_ret_int8(sp, &v);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_ret_int8");
+	if (v != val[i])
+	    krb5_errx(context, 1, "store and ret mismatch");
+    }
+}
+
+static void
+test_int16(krb5_context context, krb5_storage *sp)
+{
+    krb5_error_code ret;
+    int i;
+    int16_t val[] = {
+	0, 1, -1, 32768, -32767
+    }, v;
+
+    for (i = 0; i < sizeof(val[0])/sizeof(val); i++) {
+
+	ret = krb5_store_int16(sp, val[i]);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_store_int16");
+	krb5_storage_seek(sp, 0, SEEK_SET);
+	ret = krb5_ret_int16(sp, &v);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_ret_int16");
+	if (v != val[i])
+	    krb5_errx(context, 1, "store and ret mismatch");
+    }
+}
+
+static void
+test_int32(krb5_context context, krb5_storage *sp)
+{
+    krb5_error_code ret;
+    int i;
+    int32_t val[] = {
+	0, 1, -1, 2147483647, -2147483646
+    }, v;
+
+    for (i = 0; i < sizeof(val[0])/sizeof(val); i++) {
+
+	ret = krb5_store_int32(sp, val[i]);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_store_int32");
+	krb5_storage_seek(sp, 0, SEEK_SET);
+	ret = krb5_ret_int32(sp, &v);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_ret_int32");
+	if (v != val[i])
+	    krb5_errx(context, 1, "store and ret mismatch");
+    }
+}
+
+static void
+test_uint8(krb5_context context, krb5_storage *sp)
+{
+    krb5_error_code ret;
+    int i;
+    uint8_t val[] = {
+	0, 1, 255
+    }, v;
+
+    for (i = 0; i < sizeof(val[0])/sizeof(val); i++) {
+
+	ret = krb5_store_uint8(sp, val[i]);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_store_uint8");
+	krb5_storage_seek(sp, 0, SEEK_SET);
+	ret = krb5_ret_uint8(sp, &v);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_ret_uint8");
+	if (v != val[i])
+	    krb5_errx(context, 1, "store and ret mismatch");
+    }
+}
+
+static void
+test_uint16(krb5_context context, krb5_storage *sp)
+{
+    krb5_error_code ret;
+    int i;
+    uint16_t val[] = {
+	0, 1, 65535
+    }, v;
+
+    for (i = 0; i < sizeof(val[0])/sizeof(val); i++) {
+
+	ret = krb5_store_uint16(sp, val[i]);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_store_uint16");
+	krb5_storage_seek(sp, 0, SEEK_SET);
+	ret = krb5_ret_uint16(sp, &v);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_ret_uint16");
+	if (v != val[i])
+	    krb5_errx(context, 1, "store and ret mismatch");
+    }
+}
+
+static void
+test_uint32(krb5_context context, krb5_storage *sp)
+{
+    krb5_error_code ret;
+    int i;
+    uint32_t val[] = {
+	0, 1, 4294967295UL
+    }, v;
+
+    for (i = 0; i < sizeof(val[0])/sizeof(val); i++) {
+
+	ret = krb5_store_uint32(sp, val[i]);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_store_uint32");
+	krb5_storage_seek(sp, 0, SEEK_SET);
+	ret = krb5_ret_uint32(sp, &v);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_ret_uint32");
+	if (v != val[i])
+	    krb5_errx(context, 1, "store and ret mismatch");
+    }
+}
+
+
+static void
+test_storage(krb5_context context)
+{
+    krb5_storage *sp;
+
+    sp = krb5_storage_emem();
+    if (sp == NULL)
+	krb5_errx(context, 1, "krb5_storage_emem: no mem");
+
+    test_int8(context, sp);
+    test_int16(context, sp);
+    test_int32(context, sp);
+    test_uint8(context, sp);
+    test_uint16(context, sp);
+    test_uint32(context, sp);
+
+    krb5_storage_free(sp);
+}
+
+/*
+ *
+ */
+
+static int version_flag = 0;
+static int help_flag	= 0;
+
+static struct getargs args[] = {
+    {"version",	0,	arg_flag,	&version_flag,
+     "print version", NULL },
+    {"help",	0,	arg_flag,	&help_flag,
+     NULL, NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    int optidx = 0;
+
+    setprogname(argv[0]);
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optidx;
+    argv += optidx;
+
+    ret = krb5_init_context (&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    test_storage(context);
+
+    krb5_free_context(context);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/test_time.c b/crypto/heimdal/lib/krb5/test_time.c
new file mode 100644
index 0000000..02a0204
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/test_time.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+#include <err.h>
+
+RCSID("$Id: test_time.c 18809 2006-10-22 07:11:43Z lha $");
+
+static void
+check_set_time(krb5_context context)
+{
+    krb5_error_code ret;
+    krb5_timestamp sec;
+    int32_t usec;
+    struct timeval tv;
+    int diff = 10;
+    int diff2;
+
+    gettimeofday(&tv, NULL);
+
+    ret = krb5_set_real_time(context, tv.tv_sec + diff, tv.tv_usec);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_us_timeofday");
+    
+    ret = krb5_us_timeofday(context, &sec, &usec);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_us_timeofday");
+
+    diff2 = abs(sec - tv.tv_sec);
+
+    if (diff2 < 9 || diff > 11)
+	krb5_errx(context, 1, "set time error: diff: %d",
+		  abs(sec - tv.tv_sec));
+}
+
+
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx(1, "krb5_init_context %d", ret);
+
+    check_set_time(context);
+    check_set_time(context);
+    check_set_time(context);
+    check_set_time(context);
+    check_set_time(context);
+
+    krb5_free_context(context);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/ticket.c b/crypto/heimdal/lib/krb5/ticket.c
index 888218e..7eb4d32 100644
--- a/crypto/heimdal/lib/krb5/ticket.c
+++ b/crypto/heimdal/lib/krb5/ticket.c
@@ -33,19 +33,20 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: ticket.c,v 1.5.8.1 2003/09/18 21:01:57 lha Exp $");
+RCSID("$Id: ticket.c 19544 2006-12-28 20:49:18Z lha $");
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_free_ticket(krb5_context context,
 		 krb5_ticket *ticket)
 {
     free_EncTicketPart(&ticket->ticket);
     krb5_free_principal(context, ticket->client);
     krb5_free_principal(context, ticket->server);
+    free(ticket);
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_copy_ticket(krb5_context context,
 		 const krb5_ticket *from,
 		 krb5_ticket **to)
@@ -79,3 +80,193 @@ krb5_copy_ticket(krb5_context context,
     *to = tmp;
     return 0;
 }
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ticket_get_client(krb5_context context,
+		       const krb5_ticket *ticket,
+		       krb5_principal *client)
+{
+    return krb5_copy_principal(context, ticket->client, client);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ticket_get_server(krb5_context context,
+		       const krb5_ticket *ticket,
+		       krb5_principal *server)
+{
+    return krb5_copy_principal(context, ticket->server, server);
+}
+
+time_t KRB5_LIB_FUNCTION
+krb5_ticket_get_endtime(krb5_context context,
+			const krb5_ticket *ticket)
+{
+    return ticket->ticket.endtime;
+}
+
+static int
+find_type_in_ad(krb5_context context,
+		int type, 
+		krb5_data *data,
+		krb5_boolean *found,
+		krb5_boolean failp,
+		krb5_keyblock *sessionkey,
+		const AuthorizationData *ad,
+		int level)
+{
+    krb5_error_code ret = 0;
+    int i;
+
+    if (level > 9) {
+	krb5_set_error_string(context, "Authorization data nested deeper "
+			      "then %d levels, stop searching", level);
+	ret = ENOENT; /* XXX */
+	goto out;
+    }
+
+    /*
+     * Only copy out the element the first time we get to it, we need
+     * to run over the whole authorization data fields to check if
+     * there are any container clases we need to care about.
+     */
+    for (i = 0; i < ad->len; i++) {
+	if (!*found && ad->val[i].ad_type == type) {
+	    ret = der_copy_octet_string(&ad->val[i].ad_data, data);
+	    if (ret) {
+		krb5_set_error_string(context, "malloc - out of memory");
+		goto out;
+	    }
+	    *found = TRUE;
+	    continue;
+	}
+	switch (ad->val[i].ad_type) {
+	case KRB5_AUTHDATA_IF_RELEVANT: {
+	    AuthorizationData child;
+	    ret = decode_AuthorizationData(ad->val[i].ad_data.data,
+					   ad->val[i].ad_data.length,
+					   &child,
+					   NULL);
+	    if (ret) {
+		krb5_set_error_string(context, "Failed to decode "
+				      "IF_RELEVANT with %d", ret);
+		goto out;
+	    }
+	    ret = find_type_in_ad(context, type, data, found, FALSE,
+				  sessionkey, &child, level + 1);
+	    free_AuthorizationData(&child);
+	    if (ret)
+		goto out;
+	    break;
+	}
+#if 0 /* XXX test */
+	case KRB5_AUTHDATA_KDC_ISSUED: {
+	    AD_KDCIssued child;
+
+	    ret = decode_AD_KDCIssued(ad->val[i].ad_data.data,
+				      ad->val[i].ad_data.length,
+				      &child,
+				      NULL);
+	    if (ret) {
+		krb5_set_error_string(context, "Failed to decode "
+				      "AD_KDCIssued with %d", ret);
+		goto out;
+	    }
+	    if (failp) {
+		krb5_boolean valid;
+		krb5_data buf;
+		size_t len;
+
+		ASN1_MALLOC_ENCODE(AuthorizationData, buf.data, buf.length, 
+				   &child.elements, &len, ret);
+		if (ret) {
+		    free_AD_KDCIssued(&child);
+		    krb5_clear_error_string(context);
+		    goto out;
+		}
+		if(buf.length != len)
+		    krb5_abortx(context, "internal error in ASN.1 encoder");
+
+		ret = krb5_c_verify_checksum(context, sessionkey, 19, &buf,
+					     &child.ad_checksum, &valid);
+		krb5_data_free(&buf);
+		if (ret) {
+		    free_AD_KDCIssued(&child);
+		    goto out;
+		}
+		if (!valid) {
+		    krb5_clear_error_string(context);
+		    ret = ENOENT;
+		    free_AD_KDCIssued(&child);
+		    goto out;
+		}
+	    }
+	    ret = find_type_in_ad(context, type, data, found, failp, sessionkey,
+				  &child.elements, level + 1);
+	    free_AD_KDCIssued(&child);
+	    if (ret)
+		goto out;
+	    break;
+	}
+#endif
+	case KRB5_AUTHDATA_AND_OR:
+	    if (!failp)
+		break;
+	    krb5_set_error_string(context, "Authorization data contains "
+				  "AND-OR element that is unknown to the "
+				  "application");
+	    ret = ENOENT; /* XXX */
+	    goto out;
+	default:
+	    if (!failp)
+		break;
+	    krb5_set_error_string(context, "Authorization data contains "
+				  "unknown type (%d) ", ad->val[i].ad_type);
+	    ret = ENOENT; /* XXX */
+	    goto out;
+	}
+    }
+out:
+    if (ret) {
+	if (*found) {
+	    krb5_data_free(data);
+	    *found = 0;
+	}
+    }
+    return ret;
+}
+
+/*
+ * Extract the authorization data type of `type' from the
+ * 'ticket'. Store the field in `data'. This function is to use for
+ * kerberos applications.
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ticket_get_authorization_data_type(krb5_context context,
+					krb5_ticket *ticket,
+					int type,
+					krb5_data *data)
+{
+    AuthorizationData *ad;
+    krb5_error_code ret;
+    krb5_boolean found = FALSE;
+
+    krb5_data_zero(data);
+
+    ad = ticket->ticket.authorization_data;
+    if (ticket->ticket.authorization_data == NULL) {
+	krb5_set_error_string(context, "Ticket have not authorization data");
+	return ENOENT; /* XXX */
+    }
+
+    ret = find_type_in_ad(context, type, data, &found, TRUE,
+			  &ticket->ticket.key, ad, 0);
+    if (ret)
+	return ret;
+    if (!found) {
+	krb5_set_error_string(context, "Ticket have not authorization "
+			  "data of type %d", type);
+	return ENOENT; /* XXX */
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/time.c b/crypto/heimdal/lib/krb5/time.c
index 9346546..4cd992d 100644
--- a/crypto/heimdal/lib/krb5/time.c
+++ b/crypto/heimdal/lib/krb5/time.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,13 +33,38 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: time.c,v 1.5 2001/05/02 10:06:11 joda Exp $");
+RCSID("$Id: time.c 14308 2004-10-13 17:57:11Z lha $");
+
+/*
+ * Set the absolute time that the caller knows the kdc has so the
+ * kerberos library can calculate the relative diffrence beteen the
+ * KDC time and local system time.
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_set_real_time (krb5_context context,
+		    krb5_timestamp sec,
+		    int32_t usec)
+{
+    struct timeval tv;
+    
+    gettimeofday(&tv, NULL);
+
+    context->kdc_sec_offset = sec - tv.tv_sec;
+    context->kdc_usec_offset = usec - tv.tv_usec;
+
+    if (context->kdc_usec_offset < 0) {
+	context->kdc_sec_offset--;
+	context->kdc_usec_offset += 1000000;
+    }
+    return 0;
+}
 
 /*
  * return ``corrected'' time in `timeret'.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_timeofday (krb5_context context,
 		krb5_timestamp *timeret)
 {
@@ -51,9 +76,9 @@ krb5_timeofday (krb5_context context,
  * like gettimeofday but with time correction to the KDC
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_us_timeofday (krb5_context context,
-		   int32_t *sec,
+		   krb5_timestamp *sec,
 		   int32_t *usec)
 {
     struct timeval tv;
@@ -65,7 +90,7 @@ krb5_us_timeofday (krb5_context context,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_format_time(krb5_context context, time_t t, 
 		 char *s, size_t len, krb5_boolean include_time)
 {
@@ -74,14 +99,16 @@ krb5_format_time(krb5_context context, time_t t,
 	tm = gmtime (&t);
     else
 	tm = localtime(&t);
-    strftime(s, len, include_time ? context->time_fmt : context->date_fmt, tm);
+    if(tm == NULL ||
+       strftime(s, len, include_time ? context->time_fmt : context->date_fmt, tm) == 0)
+	snprintf(s, len, "%ld", (long)t);
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_string_to_deltat(const char *string, krb5_deltat *deltat)
 {
     if((*deltat = parse_time(string, "s")) == -1)
-	return EINVAL;
+	return KRB5_DELTAT_BADFORMAT;
     return 0;
 }
diff --git a/crypto/heimdal/lib/krb5/transited.c b/crypto/heimdal/lib/krb5/transited.c
index 8f48ff1..9b67ecc 100644
--- a/crypto/heimdal/lib/krb5/transited.c
+++ b/crypto/heimdal/lib/krb5/transited.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: transited.c,v 1.10.2.3 2003/10/22 06:07:41 lha Exp $");
+RCSID("$Id: transited.c 21745 2007-07-31 16:11:25Z lha $");
 
 /* this is an attempt at one of the most horrible `compression'
    schemes that has ever been invented; it's so amazingly brain-dead
@@ -69,10 +69,10 @@ make_path(krb5_context context, struct tr_realm *r,
     struct tr_realm *tmp;
 
     if(strlen(from) < strlen(to)){
-	const char *tmp;
-	tmp = from;
+	const char *str;
+	str = from;
 	from = to;
-	to = tmp;
+	to = str;
     }
 	
     if(strcmp(from + strlen(from) - strlen(to), to) == 0){
@@ -87,6 +87,10 @@ make_path(krb5_context context, struct tr_realm *r,
 	    if(strcmp(p, to) == 0)
 		break;
 	    tmp = calloc(1, sizeof(*tmp));
+	    if(tmp == NULL){
+		krb5_set_error_string (context, "malloc: out of memory");
+		return ENOMEM;
+	    }
 	    tmp->next = path;
 	    path = tmp;
 	    path->realm = strdup(p);
@@ -100,11 +104,17 @@ make_path(krb5_context context, struct tr_realm *r,
 	p = from + strlen(from);
 	while(1){
 	    while(p >= from && *p != '/') p--;
-	    if(p == from)
+	    if(p == from) {
+		r->next = path; /* XXX */
 		return KRB5KDC_ERR_POLICY;
+	    }
 	    if(strncmp(to, from, p - from) == 0)
 		break;
 	    tmp = calloc(1, sizeof(*tmp));
+	    if(tmp == NULL){
+		krb5_set_error_string (context, "malloc: out of memory");
+		return ENOMEM;
+	    }
 	    tmp->next = path;
 	    path = tmp;
 	    path->realm = malloc(p - from + 1);
@@ -166,10 +176,13 @@ expand_realms(krb5_context context,
     for(r = realms; r; r = r->next){
 	if(r->trailing_dot){
 	    char *tmp;
-	    size_t len = strlen(r->realm) + strlen(prev_realm) + 1;
+	    size_t len;
 
 	    if(prev_realm == NULL)
 		prev_realm = client_realm;
+
+	    len = strlen(r->realm) + strlen(prev_realm) + 1;
+
 	    tmp = realloc(r->realm, len);
 	    if(tmp == NULL){
 		free_realms(realms);
@@ -272,6 +285,10 @@ decode_realms(krb5_context context,
 	}
 	if(tr[i] == ','){
 	    tmp = malloc(tr + i - start + 1);
+	    if(tmp == NULL){
+		krb5_set_error_string (context, "malloc: out of memory");
+		return ENOMEM;
+	    }
 	    memcpy(tmp, start, tr + i - start);
 	    tmp[tr + i - start] = '\0';
 	    r = make_realm(tmp);
@@ -285,6 +302,11 @@ decode_realms(krb5_context context,
 	}
     }
     tmp = malloc(tr + i - start + 1);
+    if(tmp == NULL){
+	free(*realms);
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
     memcpy(tmp, start, tr + i - start);
     tmp[tr + i - start] = '\0';
     r = make_realm(tmp);
@@ -299,7 +321,7 @@ decode_realms(krb5_context context,
 }
 
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_domain_x500_decode(krb5_context context,
 			krb5_data tr, char ***realms, int *num_realms, 
 			const char *client_realm, const char *server_realm)
@@ -362,7 +384,7 @@ krb5_domain_x500_decode(krb5_context context,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_domain_x500_encode(char **realms, int num_realms, krb5_data *encoding)
 {
     char *s = NULL;
@@ -393,7 +415,7 @@ krb5_domain_x500_encode(char **realms, int num_realms, krb5_data *encoding)
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_check_transited(krb5_context context,
 		     krb5_const_realm client_realm,
 		     krb5_const_realm server_realm,
@@ -431,7 +453,7 @@ krb5_check_transited(krb5_context context,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_check_transited_realms(krb5_context context,
 			    const char *const *realms, 
 			    int num_realms, 
diff --git a/crypto/heimdal/lib/krb5/v4_glue.c b/crypto/heimdal/lib/krb5/v4_glue.c
new file mode 100644
index 0000000..37b1e35
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/v4_glue.c
@@ -0,0 +1,939 @@
+/*
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+RCSID("$Id: v4_glue.c 22071 2007-11-14 20:04:50Z lha $");
+
+#include "krb5-v4compat.h"
+
+/*
+ *
+ */
+
+#define RCHECK(r,func,label) \
+	do { (r) = func ; if (r) goto label; } while(0);
+
+
+/* include this here, to avoid dependencies on libkrb */
+
+static const int _tkt_lifetimes[TKTLIFENUMFIXED] = {
+   38400,   41055,   43894,   46929,   50174,   53643,   57352,   61318,
+   65558,   70091,   74937,   80119,   85658,   91581,   97914,  104684,
+  111922,  119661,  127935,  136781,  146239,  156350,  167161,  178720,
+  191077,  204289,  218415,  233517,  249664,  266926,  285383,  305116,
+  326213,  348769,  372885,  398668,  426234,  455705,  487215,  520904,
+  556921,  595430,  636601,  680618,  727680,  777995,  831789,  889303,
+  950794, 1016537, 1086825, 1161973, 1242318, 1328218, 1420057, 1518247,
+ 1623226, 1735464, 1855462, 1983758, 2120925, 2267576, 2424367, 2592000
+};
+
+int KRB5_LIB_FUNCTION
+_krb5_krb_time_to_life(time_t start, time_t end)
+{
+    int i;
+    time_t life = end - start;
+
+    if (life > MAXTKTLIFETIME || life <= 0) 
+	return 0;
+#if 0    
+    if (krb_no_long_lifetimes) 
+	return (life + 5*60 - 1)/(5*60);
+#endif
+    
+    if (end >= NEVERDATE)
+	return TKTLIFENOEXPIRE;
+    if (life < _tkt_lifetimes[0]) 
+	return (life + 5*60 - 1)/(5*60);
+    for (i=0; i<TKTLIFENUMFIXED; i++)
+	if (life <= _tkt_lifetimes[i])
+	    return i + TKTLIFEMINFIXED;
+    return 0;
+    
+}
+
+time_t KRB5_LIB_FUNCTION
+_krb5_krb_life_to_time(int start, int life_)
+{
+    unsigned char life = (unsigned char) life_;
+
+#if 0    
+    if (krb_no_long_lifetimes)
+	return start + life*5*60;
+#endif
+
+    if (life == TKTLIFENOEXPIRE)
+	return NEVERDATE;
+    if (life < TKTLIFEMINFIXED)
+	return start + life*5*60;
+    if (life > TKTLIFEMAXFIXED)
+	return start + MAXTKTLIFETIME;
+    return start + _tkt_lifetimes[life - TKTLIFEMINFIXED];
+}
+
+/*
+ * Get the name of the krb4 credentials cache, will use `tkfile' as
+ * the name if that is passed in. `cc' must be free()ed by caller,
+ */
+
+static krb5_error_code
+get_krb4_cc_name(const char *tkfile, char **cc)
+{
+
+    *cc = NULL;
+    if(tkfile == NULL) {
+	char *path;
+	if(!issuid()) {
+	    path = getenv("KRBTKFILE");
+	    if (path)
+		*cc = strdup(path);
+	}
+	if(*cc == NULL)
+	    if (asprintf(cc, "%s%u", TKT_ROOT, (unsigned)getuid()) < 0)
+		return errno;
+    } else {
+	*cc = strdup(tkfile);
+	if (*cc == NULL)
+	    return ENOMEM;
+    }
+    return 0;
+}
+
+/*
+ * Write a Kerberos 4 ticket file
+ */
+
+#define KRB5_TF_LCK_RETRY_COUNT 50
+#define KRB5_TF_LCK_RETRY 1
+
+static krb5_error_code
+write_v4_cc(krb5_context context, const char *tkfile, 
+	    krb5_storage *sp, int append)
+{
+    krb5_error_code ret;
+    struct stat sb;
+    krb5_data data;
+    char *path;
+    int fd, i;
+
+    ret = get_krb4_cc_name(tkfile, &path);
+    if (ret) {
+	krb5_set_error_string(context, 
+			      "krb5_krb_tf_setup: failed getting "
+			      "the krb4 credentials cache name"); 
+	return ret;
+    }
+
+    fd = open(path, O_WRONLY|O_CREAT, 0600);
+    if (fd < 0) {
+	ret = errno;
+	krb5_set_error_string(context, 
+			      "krb5_krb_tf_setup: error opening file %s", 
+			      path);
+	free(path);
+	return ret;
+    }
+
+    if (fstat(fd, &sb) != 0 || !S_ISREG(sb.st_mode)) {
+	krb5_set_error_string(context, 
+			      "krb5_krb_tf_setup: tktfile %s is not a file",
+			      path);
+	free(path);
+	close(fd);
+	return KRB5_FCC_PERM;
+    }
+
+    for (i = 0; i < KRB5_TF_LCK_RETRY_COUNT; i++) {
+	if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
+	    sleep(KRB5_TF_LCK_RETRY);
+	} else
+	    break;
+    }
+    if (i == KRB5_TF_LCK_RETRY_COUNT) {
+	krb5_set_error_string(context,
+			      "krb5_krb_tf_setup: failed to lock %s",
+			      path);
+	free(path);
+	close(fd);
+	return KRB5_FCC_PERM;
+    }
+
+    if (!append) {
+	ret = ftruncate(fd, 0);
+	if (ret < 0) {
+	    flock(fd, LOCK_UN);
+	    krb5_set_error_string(context,
+				  "krb5_krb_tf_setup: failed to truncate %s",
+				  path);
+	    free(path);
+	    close(fd);
+	    return KRB5_FCC_PERM;
+	}
+    }
+    ret = lseek(fd, 0L, SEEK_END);
+    if (ret < 0) {
+	ret = errno;
+	flock(fd, LOCK_UN);
+	free(path);
+	close(fd);
+	return ret;
+    }
+
+    krb5_storage_to_data(sp, &data);
+
+    ret = write(fd, data.data, data.length);
+    if (ret != data.length)
+	ret = KRB5_CC_IO;
+
+    krb5_free_data_contents(context, &data);
+
+    flock(fd, LOCK_UN);
+    free(path);
+    close(fd);
+
+    return 0;
+}
+
+/*
+ *
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_krb_tf_setup(krb5_context context, 
+		   struct credentials *v4creds, 
+		   const char *tkfile,
+		   int append)
+{
+    krb5_error_code ret;
+    krb5_storage *sp;
+
+    sp = krb5_storage_emem();
+    if (sp == NULL)
+	return ENOMEM;
+
+    krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_HOST);
+    krb5_storage_set_eof_code(sp, KRB5_CC_IO);
+
+    krb5_clear_error_string(context);
+
+    if (!append) {
+	RCHECK(ret, krb5_store_stringz(sp, v4creds->pname), error);
+	RCHECK(ret, krb5_store_stringz(sp, v4creds->pinst), error);
+    }
+
+    /* cred */
+    RCHECK(ret, krb5_store_stringz(sp, v4creds->service), error);
+    RCHECK(ret, krb5_store_stringz(sp, v4creds->instance), error);
+    RCHECK(ret, krb5_store_stringz(sp, v4creds->realm), error);
+    ret = krb5_storage_write(sp, v4creds->session, 8);
+    if (ret != 8) {
+	ret = KRB5_CC_IO;
+	goto error;
+    }
+    RCHECK(ret, krb5_store_int32(sp, v4creds->lifetime), error);
+    RCHECK(ret, krb5_store_int32(sp, v4creds->kvno), error);
+    RCHECK(ret, krb5_store_int32(sp, v4creds->ticket_st.length), error);
+
+    ret = krb5_storage_write(sp, v4creds->ticket_st.dat, 
+			     v4creds->ticket_st.length);
+    if (ret != v4creds->ticket_st.length) {
+	ret = KRB5_CC_IO;
+	goto error;
+    }
+    RCHECK(ret, krb5_store_int32(sp, v4creds->issue_date), error);
+
+    ret = write_v4_cc(context, tkfile, sp, append);
+
+ error:
+    krb5_storage_free(sp);
+
+    return ret;
+}
+
+/*
+ *
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_krb_dest_tkt(krb5_context context, const char *tkfile)
+{
+    krb5_error_code ret;
+    char *path;
+
+    ret = get_krb4_cc_name(tkfile, &path);
+    if (ret) {
+	krb5_set_error_string(context, 
+			      "krb5_krb_tf_setup: failed getting "
+			      "the krb4 credentials cache name"); 
+	return ret;
+    }
+
+    if (unlink(path) < 0) {
+	ret = errno;
+	krb5_set_error_string(context, 
+			      "krb5_krb_dest_tkt failed removing the cache "
+			      "with error %s", strerror(ret));
+    }
+    free(path);
+
+    return ret;
+}
+
+/*
+ *
+ */
+
+static krb5_error_code
+decrypt_etext(krb5_context context, const krb5_keyblock *key,
+	      const krb5_data *cdata, krb5_data *data)
+{
+    krb5_error_code ret;
+    krb5_crypto crypto;
+
+    ret = krb5_crypto_init(context, key, ETYPE_DES_PCBC_NONE, &crypto);
+    if (ret)
+	return ret;
+
+    ret = krb5_decrypt(context, crypto, 0, cdata->data, cdata->length, data);
+    krb5_crypto_destroy(context, crypto);
+
+    return ret;
+}
+
+
+/*
+ *
+ */
+
+static const char eightzeros[8] = "\x00\x00\x00\x00\x00\x00\x00\x00";
+
+static krb5_error_code
+storage_to_etext(krb5_context context,
+		 krb5_storage *sp,
+		 const krb5_keyblock *key, 
+		 krb5_data *enc_data)
+{
+    krb5_error_code ret;
+    krb5_crypto crypto;
+    krb5_ssize_t size;
+    krb5_data data;
+
+    /* multiple of eight bytes */
+
+    size = krb5_storage_seek(sp, 0, SEEK_END);
+    if (size < 0)
+	return KRB4ET_RD_AP_UNDEC;
+    size = 8 - (size & 7);
+
+    ret = krb5_storage_write(sp, eightzeros, size);
+    if (ret != size)
+	return KRB4ET_RD_AP_UNDEC;
+
+    ret = krb5_storage_to_data(sp, &data);
+    if (ret)
+	return ret;
+
+    ret = krb5_crypto_init(context, key, ETYPE_DES_PCBC_NONE, &crypto);
+    if (ret) {
+	krb5_data_free(&data);
+	return ret;
+    }
+
+    ret = krb5_encrypt(context, crypto, 0, data.data, data.length, enc_data);
+
+    krb5_data_free(&data);
+    krb5_crypto_destroy(context, crypto);
+
+    return ret;
+}
+
+/*
+ *
+ */
+
+static krb5_error_code
+put_nir(krb5_storage *sp, const char *name,
+	const char *instance, const char *realm)
+{
+    krb5_error_code ret;
+
+    RCHECK(ret, krb5_store_stringz(sp, name), error);
+    RCHECK(ret, krb5_store_stringz(sp, instance), error);
+    if (realm) {
+	RCHECK(ret, krb5_store_stringz(sp, realm), error);
+    }
+ error:
+    return ret;
+}
+
+/*
+ *
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_krb_create_ticket(krb5_context context,
+			unsigned char flags,
+			const char *pname,
+			const char *pinstance,
+			const char *prealm,
+			int32_t paddress,
+			const krb5_keyblock *session,
+			int16_t life,
+			int32_t life_sec,
+			const char *sname,
+			const char *sinstance,
+			const krb5_keyblock *key,
+			krb5_data *enc_data)
+{
+    krb5_error_code ret;
+    krb5_storage *sp;
+
+    krb5_data_zero(enc_data);
+
+    sp = krb5_storage_emem();
+    if (sp == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
+
+    RCHECK(ret, krb5_store_int8(sp, flags), error);
+    RCHECK(ret, put_nir(sp, pname, pinstance, prealm), error);
+    RCHECK(ret, krb5_store_int32(sp, ntohl(paddress)), error);
+
+    /* session key */
+    ret = krb5_storage_write(sp,
+			     session->keyvalue.data, 
+			     session->keyvalue.length);
+    if (ret != session->keyvalue.length) {
+	ret = KRB4ET_INTK_PROT;
+	goto error;
+    }
+
+    RCHECK(ret, krb5_store_int8(sp, life), error);
+    RCHECK(ret, krb5_store_int32(sp, life_sec), error);
+    RCHECK(ret, put_nir(sp, sname, sinstance, NULL), error);
+
+    ret = storage_to_etext(context, sp, key, enc_data);
+
+ error:
+    krb5_storage_free(sp);
+    if (ret)
+	krb5_set_error_string(context, "Failed to encode kerberos 4 ticket");
+
+    return ret;
+}
+
+/*
+ *
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_krb_create_ciph(krb5_context context,
+		      const krb5_keyblock *session,
+		      const char *service,
+		      const char *instance,
+		      const char *realm,
+		      uint32_t life,
+		      unsigned char kvno,
+		      const krb5_data *ticket,
+		      uint32_t kdc_time,
+		      const krb5_keyblock *key,
+		      krb5_data *enc_data)
+{
+    krb5_error_code ret;
+    krb5_storage *sp;
+
+    krb5_data_zero(enc_data);
+
+    sp = krb5_storage_emem();
+    if (sp == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
+
+    /* session key */
+    ret = krb5_storage_write(sp,
+			     session->keyvalue.data, 
+			     session->keyvalue.length);
+    if (ret != session->keyvalue.length) {
+	ret = KRB4ET_INTK_PROT;
+	goto error;
+    }
+
+    RCHECK(ret, put_nir(sp, service, instance, realm), error);
+    RCHECK(ret, krb5_store_int8(sp, life), error);
+    RCHECK(ret, krb5_store_int8(sp, kvno), error);
+    RCHECK(ret, krb5_store_int8(sp, ticket->length), error);
+    ret = krb5_storage_write(sp, ticket->data, ticket->length);
+    if (ret != ticket->length) {
+	ret = KRB4ET_INTK_PROT;
+	goto error;
+    }
+    RCHECK(ret, krb5_store_int32(sp, kdc_time), error);
+
+    ret = storage_to_etext(context, sp, key, enc_data);
+
+ error:
+    krb5_storage_free(sp);
+    if (ret)
+	krb5_set_error_string(context, "Failed to encode kerberos 4 ticket");
+
+    return ret;
+}
+
+/*
+ *
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_krb_create_auth_reply(krb5_context context,
+			    const char *pname,
+			    const char *pinst,
+			    const char *prealm,
+			    int32_t time_ws,
+			    int n,
+			    uint32_t x_date,
+			    unsigned char kvno,
+			    const krb5_data *cipher,
+			    krb5_data *data)
+{
+    krb5_error_code ret;
+    krb5_storage *sp;
+
+    krb5_data_zero(data);
+
+    sp = krb5_storage_emem();
+    if (sp == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
+
+    RCHECK(ret, krb5_store_int8(sp, KRB_PROT_VERSION), error);
+    RCHECK(ret, krb5_store_int8(sp, AUTH_MSG_KDC_REPLY), error);
+    RCHECK(ret, put_nir(sp, pname, pinst, prealm), error);
+    RCHECK(ret, krb5_store_int32(sp, time_ws), error);
+    RCHECK(ret, krb5_store_int8(sp, n), error);
+    RCHECK(ret, krb5_store_int32(sp, x_date), error);
+    RCHECK(ret, krb5_store_int8(sp, kvno), error);
+    RCHECK(ret, krb5_store_int16(sp, cipher->length), error);
+    ret = krb5_storage_write(sp, cipher->data, cipher->length);
+    if (ret != cipher->length) {
+	ret = KRB4ET_INTK_PROT;
+	goto error;
+    }
+
+    ret = krb5_storage_to_data(sp, data);
+
+ error:
+    krb5_storage_free(sp);
+    if (ret)
+	krb5_set_error_string(context, "Failed to encode kerberos 4 ticket");
+	
+    return ret;
+}
+
+/*
+ *
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_krb_cr_err_reply(krb5_context context,
+		       const char *name,
+		       const char *inst,
+		       const char *realm,
+		       uint32_t time_ws,
+		       uint32_t e,
+		       const char *e_string,
+		       krb5_data *data)
+{
+    krb5_error_code ret;
+    krb5_storage *sp;
+
+    krb5_data_zero(data);
+
+    if (name == NULL) name = "";
+    if (inst == NULL) inst = "";
+    if (realm == NULL) realm = "";
+    if (e_string == NULL) e_string = "";
+
+    sp = krb5_storage_emem();
+    if (sp == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
+
+    RCHECK(ret, krb5_store_int8(sp, KRB_PROT_VERSION), error);
+    RCHECK(ret, krb5_store_int8(sp, AUTH_MSG_ERR_REPLY), error);
+    RCHECK(ret, put_nir(sp, name, inst, realm), error);
+    RCHECK(ret, krb5_store_int32(sp, time_ws), error);
+    /* If it is a Kerberos 4 error-code, remove the et BASE */
+    if (e >= ERROR_TABLE_BASE_krb && e <= ERROR_TABLE_BASE_krb + 255)
+	e -= ERROR_TABLE_BASE_krb;
+    RCHECK(ret, krb5_store_int32(sp, e), error);
+    RCHECK(ret, krb5_store_stringz(sp, e_string), error);
+
+    ret = krb5_storage_to_data(sp, data);
+
+ error:
+    krb5_storage_free(sp);
+    if (ret)
+	krb5_set_error_string(context, "Failed to encode kerberos 4 error");
+	
+    return 0;
+}
+
+static krb5_error_code
+get_v4_stringz(krb5_storage *sp, char **str, size_t max_len)
+{
+    krb5_error_code ret;
+
+    ret = krb5_ret_stringz(sp, str);
+    if (ret)
+	return ret;
+    if (strlen(*str) > max_len) {
+	free(*str);
+	*str = NULL;
+	return KRB4ET_INTK_PROT;
+    }
+    return 0;
+}
+
+/*
+ *
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_krb_decomp_ticket(krb5_context context,
+			const krb5_data *enc_ticket,
+			const krb5_keyblock *key,
+			const char *local_realm,
+			char **sname,
+			char **sinstance,
+			struct _krb5_krb_auth_data *ad)
+{
+    krb5_error_code ret;
+    krb5_ssize_t size;
+    krb5_storage *sp = NULL;
+    krb5_data ticket;
+    unsigned char des_key[8];
+
+    memset(ad, 0, sizeof(*ad));
+    krb5_data_zero(&ticket);
+
+    *sname = NULL;
+    *sinstance = NULL;
+
+    RCHECK(ret, decrypt_etext(context, key, enc_ticket, &ticket), error);
+
+    sp = krb5_storage_from_data(&ticket);
+    if (sp == NULL) {
+	krb5_data_free(&ticket);
+	krb5_set_error_string(context, "alloc: out of memory");
+	return ENOMEM;
+    }
+
+    krb5_storage_set_eof_code(sp, KRB4ET_INTK_PROT);
+
+    RCHECK(ret, krb5_ret_int8(sp, &ad->k_flags), error);
+    RCHECK(ret, get_v4_stringz(sp, &ad->pname, ANAME_SZ), error);
+    RCHECK(ret, get_v4_stringz(sp, &ad->pinst, INST_SZ), error);
+    RCHECK(ret, get_v4_stringz(sp, &ad->prealm, REALM_SZ), error);
+    RCHECK(ret, krb5_ret_uint32(sp, &ad->address), error);
+	
+    size = krb5_storage_read(sp, des_key, sizeof(des_key));
+    if (size != sizeof(des_key)) {
+	ret = KRB4ET_INTK_PROT;
+	goto error;
+    }
+
+    RCHECK(ret, krb5_ret_uint8(sp, &ad->life), error);
+
+    if (ad->k_flags & 1)
+	krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_LE);
+    else
+	krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
+
+    RCHECK(ret, krb5_ret_uint32(sp, &ad->time_sec), error);
+
+    RCHECK(ret, get_v4_stringz(sp, sname, ANAME_SZ), error);
+    RCHECK(ret, get_v4_stringz(sp, sinstance, INST_SZ), error);
+
+    ret = krb5_keyblock_init(context, ETYPE_DES_PCBC_NONE,
+			     des_key, sizeof(des_key), &ad->session);
+    if (ret)
+	goto error;
+
+    if (strlen(ad->prealm) == 0) {
+	free(ad->prealm);
+	ad->prealm = strdup(local_realm);
+	if (ad->prealm == NULL) {
+	    ret = ENOMEM;
+	    goto error;
+	}
+    }
+
+ error:
+    memset(des_key, 0, sizeof(des_key));
+    if (sp)
+	krb5_storage_free(sp);
+    krb5_data_free(&ticket);
+    if (ret) {
+	if (*sname) {
+	    free(*sname);
+	    *sname = NULL;
+	}
+	if (*sinstance) {
+	    free(*sinstance);
+	    *sinstance = NULL;
+	}
+	_krb5_krb_free_auth_data(context, ad);
+	krb5_set_error_string(context, "Failed to decode v4 ticket");
+    }
+    return ret;
+}
+
+/*
+ *
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_krb_rd_req(krb5_context context,
+		 krb5_data *authent,
+		 const char *service,
+		 const char *instance,
+		 const char *local_realm,
+		 int32_t from_addr,
+		 const krb5_keyblock *key,
+		 struct _krb5_krb_auth_data *ad)
+{
+    krb5_error_code ret;
+    krb5_storage *sp;
+    krb5_data ticket, eaut, aut;
+    krb5_ssize_t size;
+    int little_endian;
+    int8_t pvno;
+    int8_t type;
+    int8_t s_kvno;
+    uint8_t ticket_length;
+    uint8_t eaut_length;
+    uint8_t time_5ms;
+    char *realm = NULL;
+    char *sname = NULL;
+    char *sinstance = NULL;
+    char *r_realm = NULL;
+    char *r_name = NULL;
+    char *r_instance = NULL;
+
+    uint32_t r_time_sec;	/* Coarse time from authenticator */
+    unsigned long delta_t;      /* Time in authenticator - local time */
+    long tkt_age;		/* Age of ticket */
+
+    struct timeval tv;
+
+    krb5_data_zero(&ticket);
+    krb5_data_zero(&eaut);
+    krb5_data_zero(&aut);
+
+    sp = krb5_storage_from_data(authent);
+    if (sp == NULL) {
+	krb5_set_error_string(context, "alloc: out of memory");
+	return ENOMEM;
+    }
+
+    krb5_storage_set_eof_code(sp, KRB4ET_INTK_PROT);
+
+    ret = krb5_ret_int8(sp, &pvno);
+    if (ret) {
+	krb5_set_error_string(context, "Failed reading v4 pvno");
+	goto error;
+    }
+
+    if (pvno != KRB_PROT_VERSION) {
+	ret = KRB4ET_RD_AP_VERSION;
+	krb5_set_error_string(context, "Failed v4 pvno not 4");
+	goto error;
+    }
+
+    ret = krb5_ret_int8(sp, &type);
+    if (ret) {
+	krb5_set_error_string(context, "Failed readin v4 type");
+	goto error;
+    }
+
+    little_endian = type & 1;
+    type &= ~1;
+    
+    if(type != AUTH_MSG_APPL_REQUEST && type != AUTH_MSG_APPL_REQUEST_MUTUAL) {
+	ret = KRB4ET_RD_AP_MSG_TYPE;
+	krb5_set_error_string(context, "Not a valid v4 request type");
+	goto error;
+    }
+
+    RCHECK(ret, krb5_ret_int8(sp, &s_kvno), error);
+    RCHECK(ret, get_v4_stringz(sp, &realm, REALM_SZ), error);
+    RCHECK(ret, krb5_ret_uint8(sp, &ticket_length), error);
+    RCHECK(ret, krb5_ret_uint8(sp, &eaut_length), error);
+    RCHECK(ret, krb5_data_alloc(&ticket, ticket_length), error);
+
+    size = krb5_storage_read(sp, ticket.data, ticket.length);
+    if (size != ticket.length) {
+	ret = KRB4ET_INTK_PROT;
+	krb5_set_error_string(context, "Failed reading v4 ticket");
+	goto error;
+    }
+
+    /* Decrypt and take apart ticket */
+    ret = _krb5_krb_decomp_ticket(context, &ticket, key, local_realm, 
+				  &sname, &sinstance, ad);
+    if (ret)
+	goto error;
+
+    RCHECK(ret, krb5_data_alloc(&eaut, eaut_length), error);
+
+    size = krb5_storage_read(sp, eaut.data, eaut.length);
+    if (size != eaut.length) {
+	ret = KRB4ET_INTK_PROT;
+	krb5_set_error_string(context, "Failed reading v4 authenticator");
+	goto error;
+    }
+
+    krb5_storage_free(sp);
+    sp = NULL;
+
+    ret = decrypt_etext(context, &ad->session, &eaut, &aut);
+    if (ret)
+	goto error;
+
+    sp = krb5_storage_from_data(&aut);
+    if (sp == NULL) {
+	ret = ENOMEM;
+	krb5_set_error_string(context, "alloc: out of memory");
+	goto error;
+    }
+
+    if (little_endian)
+	krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_LE);
+    else
+	krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
+
+    RCHECK(ret, get_v4_stringz(sp, &r_name, ANAME_SZ), error);
+    RCHECK(ret, get_v4_stringz(sp, &r_instance, INST_SZ), error);
+    RCHECK(ret, get_v4_stringz(sp, &r_realm, REALM_SZ), error);
+
+    RCHECK(ret, krb5_ret_uint32(sp, &ad->checksum), error);
+    RCHECK(ret, krb5_ret_uint8(sp, &time_5ms), error);
+    RCHECK(ret, krb5_ret_uint32(sp, &r_time_sec), error);
+
+    if (strcmp(ad->pname, r_name) != 0 ||
+	strcmp(ad->pinst, r_instance) != 0 ||
+	strcmp(ad->prealm, r_realm) != 0) {
+	krb5_set_error_string(context, "v4 principal mismatch");
+	ret = KRB4ET_RD_AP_INCON;
+	goto error;
+    }
+    
+    if (from_addr && ad->address && from_addr != ad->address) {
+	krb5_set_error_string(context, "v4 bad address in ticket");
+	ret = KRB4ET_RD_AP_BADD;
+	goto error;
+    }
+
+    gettimeofday(&tv, NULL);
+    delta_t = abs((int)(tv.tv_sec - r_time_sec));
+    if (delta_t > CLOCK_SKEW) {
+        ret = KRB4ET_RD_AP_TIME;
+	krb5_set_error_string(context, "v4 clock skew");
+	goto error;
+    }
+
+    /* Now check for expiration of ticket */
+
+    tkt_age = tv.tv_sec - ad->time_sec;
+    
+    if ((tkt_age < 0) && (-tkt_age > CLOCK_SKEW)) {
+        ret = KRB4ET_RD_AP_NYV;
+	krb5_set_error_string(context, "v4 clock skew for expiration");
+	goto error;
+    }
+
+    if (tv.tv_sec > _krb5_krb_life_to_time(ad->time_sec, ad->life)) {
+	ret = KRB4ET_RD_AP_EXP;
+	krb5_set_error_string(context, "v4 ticket expired");
+	goto error;
+    }
+
+    ret = 0;
+ error:
+    krb5_data_free(&ticket);
+    krb5_data_free(&eaut);
+    krb5_data_free(&aut);
+    if (realm)
+	free(realm);
+    if (sname)
+	free(sname);
+    if (sinstance)
+	free(sinstance);
+    if (r_name)
+	free(r_name);
+    if (r_instance)
+	free(r_instance);
+    if (r_realm)
+	free(r_realm);
+    if (sp)
+	krb5_storage_free(sp);
+
+    if (ret)
+	krb5_clear_error_string(context);
+
+    return ret;
+}
+
+/*
+ *
+ */
+
+void KRB5_LIB_FUNCTION
+_krb5_krb_free_auth_data(krb5_context context, struct _krb5_krb_auth_data *ad)
+{
+    if (ad->pname)
+	free(ad->pname);
+    if (ad->pinst)
+	free(ad->pinst);
+    if (ad->prealm)
+	free(ad->prealm);
+    krb5_free_keyblock_contents(context, &ad->session);
+    memset(ad, 0, sizeof(*ad));
+}
diff --git a/crypto/heimdal/lib/krb5/verify_init.c b/crypto/heimdal/lib/krb5/verify_init.c
index 243ac5f..37db346 100644
--- a/crypto/heimdal/lib/krb5/verify_init.c
+++ b/crypto/heimdal/lib/krb5/verify_init.c
@@ -33,15 +33,15 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: verify_init.c,v 1.17 2002/08/20 14:47:59 joda Exp $");
+RCSID("$Id: verify_init.c 15555 2005-07-06 00:48:16Z lha $");
 
-void
+void KRB5_LIB_FUNCTION
 krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *options)
 {
     memset (options, 0, sizeof(*options));
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt *options,
 					     int ap_req_nofail)
 {
@@ -69,7 +69,7 @@ fail_verify_is_ok (krb5_context context,
 	return TRUE;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_verify_init_creds(krb5_context context,
 		       krb5_creds *creds,
 		       krb5_principal ap_req_server,
@@ -80,14 +80,12 @@ krb5_verify_init_creds(krb5_context context,
     krb5_error_code ret;
     krb5_data req;
     krb5_ccache local_ccache = NULL;
-    krb5_keytab_entry entry;
     krb5_creds *new_creds = NULL;
     krb5_auth_context auth_context = NULL;
     krb5_principal server = NULL;
     krb5_keytab keytab = NULL;
 
     krb5_data_zero (&req);
-    memset (&entry, 0, sizeof(entry));
 
     if (ap_req_server == NULL) {
 	char local_hostname[MAXHOSTNAMELEN];
@@ -182,7 +180,6 @@ cleanup:
     if (auth_context)
 	krb5_auth_con_free (context, auth_context);
     krb5_data_free (&req);
-    krb5_kt_free_entry (context, &entry);
     if (new_creds != NULL)
 	krb5_free_creds (context, new_creds);
     if (ap_req_server == NULL && server)
diff --git a/crypto/heimdal/lib/krb5/verify_krb5_conf.8 b/crypto/heimdal/lib/krb5/verify_krb5_conf.8
index 7d854bf..28f84ab 100644
--- a/crypto/heimdal/lib/krb5/verify_krb5_conf.8
+++ b/crypto/heimdal/lib/krb5/verify_krb5_conf.8
@@ -1,6 +1,37 @@
-.\" $Id: verify_krb5_conf.8,v 1.7 2002/08/20 17:07:28 joda Exp $
+.\" Copyright (c) 2000 - 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.Dd August 30, 2001
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: verify_krb5_conf.8 14375 2004-12-08 17:52:41Z lha $
+.\"
+.Dd December  8, 2004
 .Dt VERIFY_KRB5_CONF 8
 .Os HEIMDAL
 .Sh NAME
@@ -19,22 +50,30 @@ and parses it, thereby verifying that the syntax is not correctly wrong.
 If the file is syntactically correct,
 .Nm
 tries to verify that the contents of the file is of relevant nature.
+.Sh ENVIRONMENT
+.Ev KRB5_CONFIG
+points to the configuration file to read.
+.Sh FILES
+.Bl -tag -width /etc/krb5.conf -compact
+.It Pa /etc/krb5.conf
+Kerberos 5 configuration file
+.El
 .Sh DIAGNOSTICS
 Possible output from
 .Nm
 include:
-.Bl -tag -width "<path>"
+.Bl -tag -width "FpathF"
 .It "<path>: failed to parse <something> as size/time/number/boolean"
 Usually means that <something> is misspelled, or that it contains
 weird characters. The parsing done by
 .Nm
-is more strict than the one performed by libkrb5, and so strings that
-work in real life, might be reported as bad.
+is more strict than the one performed by libkrb5, so strings that
+work in real life might be reported as bad.
 .It "<path>: host not found (<hostname>)"
 Means that <path> is supposed to point to a host, but it can't be
 recognised as one.
 .It <path>: unknown or wrong type
-Means that <path> is either is a string when it should be a list, vice
+Means that <path> is either a string when it should be a list, vice
 versa, or just that
 .Nm
 is confused.
@@ -42,19 +81,11 @@ is confused.
 Means that <string> is not known by
 .Nm "" .
 .El
-.Sh ENVIRONMENT
-.Ev KRB5_CONFIG
-points to the configuration file to read.
-.Sh FILES
-.Bl -tag -width /etc/krb5.conf -compact
-.It Pa /etc/krb5.conf
-Kerberos 5 configuration file
-.El
 .Sh SEE ALSO
 .Xr krb5.conf 5
 .Sh BUGS
 Since each application can put almost anything in the config file,
-it's hard to come up with a water tight verification process. Most of
+it's hard to come up with a watertight verification process. Most of
 the default settings are sanity checked, but this does not mean that
 every problem is discovered, or that everything that is reported as a
 possible problem actually is one. This tool should thus be used with
diff --git a/crypto/heimdal/lib/krb5/verify_krb5_conf.c b/crypto/heimdal/lib/krb5/verify_krb5_conf.c
index 6017dfc..b55fbd7 100644
--- a/crypto/heimdal/lib/krb5/verify_krb5_conf.c
+++ b/crypto/heimdal/lib/krb5/verify_krb5_conf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -35,17 +35,20 @@
 #include <getarg.h>
 #include <parse_bytes.h>
 #include <err.h>
-RCSID("$Id: verify_krb5_conf.c,v 1.17.2.2 2004/02/13 16:19:44 lha Exp $");
+RCSID("$Id: verify_krb5_conf.c 22233 2007-12-08 21:43:37Z lha $");
 
 /* verify krb5.conf */
 
 static int dumpconfig_flag = 0;
 static int version_flag = 0;
 static int help_flag	= 0;
+static int warn_mit_syntax_flag = 0;
 
 static struct getargs args[] = {
     {"dumpconfig", 0,      arg_flag,       &dumpconfig_flag, 
      "show the parsed config files", NULL },
+    {"warn-mit-syntax", 0, arg_flag,       &warn_mit_syntax_flag, 
+     "show the parsed config files", NULL },
     {"version",	0,	arg_flag,	&version_flag,
      "print version", NULL },
     {"help",	0,	arg_flag,	&help_flag,
@@ -138,23 +141,68 @@ check_host(krb5_context context, const char *path, char *data)
     int ret;
     char hostname[128];
     const char *p = data;
+    struct addrinfo hints;
+    char service[32];
+    int defport;
     struct addrinfo *ai;
+
+    hints.ai_flags = 0;
+    hints.ai_family = PF_UNSPEC;
+    hints.ai_socktype = 0;
+    hints.ai_protocol = 0;
+
+    hints.ai_addrlen = 0;
+    hints.ai_canonname = NULL;
+    hints.ai_addr = NULL;
+    hints.ai_next = NULL;
+    
     /* XXX data could be a list of hosts that this code can't handle */
     /* XXX copied from krbhst.c */
     if(strncmp(p, "http://", 7) == 0){
         p += 7;
+	hints.ai_socktype = SOCK_STREAM;
+	strlcpy(service, "http", sizeof(service));
+	defport = 80;
     } else if(strncmp(p, "http/", 5) == 0) {
         p += 5;
+	hints.ai_socktype = SOCK_STREAM;
+	strlcpy(service, "http", sizeof(service));
+	defport = 80;
     }else if(strncmp(p, "tcp/", 4) == 0){
         p += 4;
+	hints.ai_socktype = SOCK_STREAM;
+	strlcpy(service, "kerberos", sizeof(service));
+	defport = 88;
     } else if(strncmp(p, "udp/", 4) == 0) {
         p += 4;
+	hints.ai_socktype = SOCK_DGRAM;
+	strlcpy(service, "kerberos", sizeof(service));
+	defport = 88;
+    } else {
+	hints.ai_socktype = SOCK_DGRAM;
+	strlcpy(service, "kerberos", sizeof(service));
+	defport = 88;
     }
     if(strsep_copy(&p, ":", hostname, sizeof(hostname)) < 0) {
 	return 1;
     }
     hostname[strcspn(hostname, "/")] = '\0';
-    ret = getaddrinfo(hostname, "telnet" /* XXX */, NULL, &ai);
+    if(p != NULL) {
+	char *end;
+	int tmp = strtol(p, &end, 0);
+	if(end == p) {
+	    krb5_warnx(context, "%s: failed to parse port number in %s", 
+		       path, data);
+	    return 1;
+	}
+	defport = tmp;
+	snprintf(service, sizeof(service), "%u", defport);
+    }
+    ret = getaddrinfo(hostname, service, &hints, &ai);
+    if(ret == EAI_SERVICE && !isdigit((unsigned char)service[0])) {
+	snprintf(service, sizeof(service), "%u", defport);
+	ret = getaddrinfo(hostname, service, &hints, &ai);
+    }
     if(ret != 0) {
 	krb5_warnx(context, "%s: %s (%s)", path, gai_strerror(ret), hostname);
 	return 1;
@@ -162,17 +210,16 @@ check_host(krb5_context context, const char *path, char *data)
     return 0;
 }
 
-#if 0
 static int
 mit_entry(krb5_context context, const char *path, char *data)
 {
-    krb5_warnx(context, "%s is only used by MIT Kerberos", path);
+    if (warn_mit_syntax_flag)
+	krb5_warnx(context, "%s is only used by MIT Kerberos", path);
     return 0;
 }
-#endif
 
 struct s2i {
-    char *s;
+    const char *s;
     int val;
 };
 
@@ -304,6 +351,12 @@ struct entry all_strings[] = {
     { NULL }
 };
 
+struct entry all_boolean[] = {
+    { "", krb5_config_string, check_boolean },
+    { NULL }
+};
+
+
 struct entry v4_name_convert_entries[] = {
     { "host", krb5_config_list, all_strings },
     { "plain", krb5_config_list, all_strings },
@@ -313,13 +366,16 @@ struct entry v4_name_convert_entries[] = {
 struct entry libdefaults_entries[] = {
     { "accept_null_addresses", krb5_config_string, check_boolean },
     { "capath", krb5_config_list, all_strings },
+    { "check_pac", krb5_config_string, check_boolean },
     { "clockskew", krb5_config_string, check_time },
     { "date_format", krb5_config_string, NULL },
+    { "default_cc_name", krb5_config_string, NULL },
     { "default_etypes", krb5_config_string, NULL },
     { "default_etypes_des", krb5_config_string, NULL },
     { "default_keytab_modify_name", krb5_config_string, NULL },
     { "default_keytab_name", krb5_config_string, NULL },
     { "default_realm", krb5_config_string, NULL },
+    { "dns_canonize_hostname", krb5_config_string, check_boolean },
     { "dns_proxy", krb5_config_string, NULL },
     { "dns_lookup_kdc", krb5_config_string, check_boolean },
     { "dns_lookup_realm", krb5_config_string, check_boolean },
@@ -328,6 +384,7 @@ struct entry libdefaults_entries[] = {
     { "encrypt", krb5_config_string, check_boolean },
     { "extra_addresses", krb5_config_string, NULL },
     { "fcache_version", krb5_config_string, check_numeric },
+    { "fcc-mit-ticketflags", krb5_config_string, check_boolean },
     { "forward", krb5_config_string, check_boolean },
     { "forwardable", krb5_config_string, check_boolean },
     { "http_proxy", krb5_config_string, check_host /* XXX */ },
@@ -342,21 +399,38 @@ struct entry libdefaults_entries[] = {
     { "ticket_lifetime", krb5_config_string, check_time },
     { "time_format", krb5_config_string, NULL },
     { "transited_realms_reject", krb5_config_string, NULL },
+    { "no-addresses", krb5_config_string, check_boolean },
     { "v4_instance_resolve", krb5_config_string, check_boolean },
     { "v4_name_convert", krb5_config_list, v4_name_convert_entries },
     { "verify_ap_req_nofail", krb5_config_string, check_boolean },
+    { "max_retries", krb5_config_string, check_time },
+    { "renew_lifetime", krb5_config_string, check_time },
+    { "proxiable", krb5_config_string, check_boolean },
+    { "warn_pwexpire", krb5_config_string, check_time },
+    /* MIT stuff */
+    { "permitted_enctypes", krb5_config_string, mit_entry },
+    { "default_tgs_enctypes", krb5_config_string, mit_entry },
+    { "default_tkt_enctypes", krb5_config_string, mit_entry },
     { NULL }
 };
 
 struct entry appdefaults_entries[] = {
     { "afslog", krb5_config_string, check_boolean },
     { "afs-use-524", krb5_config_string, check_524 },
+    { "encrypt", krb5_config_string, check_boolean },
+    { "forward", krb5_config_string, check_boolean },
     { "forwardable", krb5_config_string, check_boolean },
     { "proxiable", krb5_config_string, check_boolean },
     { "ticket_lifetime", krb5_config_string, check_time },
     { "renew_lifetime", krb5_config_string, check_time },
     { "no-addresses", krb5_config_string, check_boolean },
     { "krb4_get_tickets", krb5_config_string, check_boolean },
+    { "pkinit_anchors", krb5_config_string, NULL },
+    { "pkinit_win2k", krb5_config_string, NULL },
+    { "pkinit_win2k_require_binding", krb5_config_string, NULL },
+    { "pkinit_require_eku", krb5_config_string, NULL },
+    { "pkinit_require_krbtgt_otherName", krb5_config_string, NULL },
+    { "pkinit_require_hostname_match", krb5_config_string, NULL },
 #if 0
     { "anonymous", krb5_config_string, check_boolean },
 #endif
@@ -378,7 +452,7 @@ struct entry realms_entries[] = {
     { "v4_instance_convert", krb5_config_list, all_strings },
     { "v4_domains", krb5_config_string, NULL },
     { "default_domain", krb5_config_string, NULL },
-#if 0
+    { "win2k_pkinit", krb5_config_string, NULL },
     /* MIT stuff */
     { "admin_keytab", krb5_config_string, mit_entry },
     { "acl_file", krb5_config_string, mit_entry },
@@ -394,7 +468,6 @@ struct entry realms_entries[] = {
     { "default_principal_flags", krb5_config_string, mit_entry },
     { "supported_enctypes", krb5_config_string, mit_entry },
     { "database_name", krb5_config_string, mit_entry },
-#endif
     { NULL }
 };
 
@@ -408,6 +481,8 @@ struct entry kdc_database_entries[] = {
     { "realm", krb5_config_string, NULL },
     { "dbname", krb5_config_string, NULL },
     { "mkey_file", krb5_config_string, NULL },
+    { "acl_file", krb5_config_string, NULL },
+    { "log_file", krb5_config_string, NULL },
     { NULL }
 };
 
@@ -422,13 +497,25 @@ struct entry kdc_entries[] = {
     { "enable-kerberos4", krb5_config_string, check_boolean },
     { "enable-524", krb5_config_string, check_boolean },
     { "enable-http", krb5_config_string, check_boolean },
-    { "check_ticket-addresses", krb5_config_string, check_boolean },
-    { "allow-null-addresses", krb5_config_string, check_boolean },
+    { "check-ticket-addresses", krb5_config_string, check_boolean },
+    { "allow-null-ticket-addresses", krb5_config_string, check_boolean },
     { "allow-anonymous", krb5_config_string, check_boolean },
     { "v4_realm", krb5_config_string, NULL },
     { "enable-kaserver", krb5_config_string, check_boolean },
     { "encode_as_rep_as_tgs_rep", krb5_config_string, check_boolean },
     { "kdc_warn_pwexpire", krb5_config_string, check_time },
+    { "use_2b", krb5_config_list, NULL },
+    { "enable-pkinit", krb5_config_string, check_boolean },
+    { "pkinit_identity", krb5_config_string, NULL },
+    { "pkinit_anchors", krb5_config_string, NULL },
+    { "pkinit_pool", krb5_config_string, NULL },
+    { "pkinit_revoke", krb5_config_string, NULL },
+    { "pkinit_kdc_ocsp", krb5_config_string, NULL },
+    { "pkinit_principal_in_certificate", krb5_config_string, NULL },
+    { "pkinit_dh_min_bits", krb5_config_string, NULL },
+    { "pkinit_allow_proxy_certificate", krb5_config_string, NULL },
+    { "hdb-ldap-create-base", krb5_config_string, NULL },
+    { "v4-realm", krb5_config_string, NULL },
     { NULL }
 };
 
@@ -436,6 +523,7 @@ struct entry kadmin_entries[] = {
     { "password_lifetime", krb5_config_string, check_time },
     { "default_keys", krb5_config_string, NULL },
     { "use_v4_salt", krb5_config_string, NULL },
+    { "require-preauth", krb5_config_string, check_boolean },
     { NULL }
 };
 struct entry log_strings[] = {
@@ -444,13 +532,26 @@ struct entry log_strings[] = {
 };
 
 
-#if 0
+/* MIT stuff */
 struct entry kdcdefaults_entries[] = {
     { "kdc_ports", krb5_config_string, mit_entry },
     { "v4_mode", krb5_config_string, mit_entry },
     { NULL }
 };
-#endif
+
+struct entry capaths_entries[] = {
+    { "", krb5_config_list, all_strings },
+    { NULL }
+};
+
+struct entry password_quality_entries[] = {
+    { "policies", krb5_config_string, NULL },
+    { "external_program", krb5_config_string, NULL },
+    { "min_classes", krb5_config_string, check_numeric },
+    { "min_length", krb5_config_string, check_numeric },
+    { "", krb5_config_list, all_strings },
+    { NULL }
+};
 
 struct entry toplevel_sections[] = {
     { "libdefaults" , krb5_config_list, libdefaults_entries },
@@ -460,10 +561,11 @@ struct entry toplevel_sections[] = {
     { "kdc", krb5_config_list, kdc_entries },
     { "kadmin", krb5_config_list, kadmin_entries },
     { "appdefaults", krb5_config_list, appdefaults_entries },
-#if 0
+    { "gssapi", krb5_config_list, NULL },
+    { "capaths", krb5_config_list, capaths_entries },
+    { "password_quality", krb5_config_list, password_quality_entries },
     /* MIT stuff */
     { "kdcdefaults", krb5_config_list, kdcdefaults_entries },
-#endif
     { NULL }
 };
 
@@ -532,15 +634,17 @@ main(int argc, char **argv)
     krb5_context context;
     krb5_error_code ret;
     krb5_config_section *tmp_cf;
-    int optind = 0;
+    int optidx = 0;
 
     setprogname (argv[0]);
 
     ret = krb5_init_context(&context);
-    if (ret)
-	errx (1, "krb5_init_context failed");
+    if (ret == KRB5_CONFIG_BADFORMAT)
+	errx (1, "krb5_init_context failed to parse configuration file");
+    else if (ret)
+	errx (1, "krb5_init_context failed with %d", ret);
 
-    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
 	usage(1);
     
     if (help_flag)
@@ -551,8 +655,8 @@ main(int argc, char **argv)
 	exit(0);
     }
 
-    argc -= optind;
-    argv += optind;
+    argc -= optidx;
+    argv += optidx;
 
     tmp_cf = NULL;
     if(argc == 0)
diff --git a/crypto/heimdal/lib/krb5/verify_user.c b/crypto/heimdal/lib/krb5/verify_user.c
index 1cd571b..1edbaff 100644
--- a/crypto/heimdal/lib/krb5/verify_user.c
+++ b/crypto/heimdal/lib/krb5/verify_user.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: verify_user.c,v 1.17 2002/08/20 14:48:31 joda Exp $");
+RCSID("$Id: verify_user.c 19078 2006-11-20 18:12:41Z lha $");
 
 static krb5_error_code
 verify_common (krb5_context context,
@@ -78,7 +78,7 @@ verify_common (krb5_context context,
 	if(ccache == NULL)
 	    krb5_cc_close(context, id);
     }
-    krb5_free_creds_contents(context, &cred);
+    krb5_free_cred_contents(context, &cred);
     return ret;
 }
 
@@ -90,7 +90,7 @@ verify_common (krb5_context context,
  * As a side effect, fresh tickets are obtained and stored in `ccache'.
  */
 
-void
+void KRB5_LIB_FUNCTION
 krb5_verify_opt_init(krb5_verify_opt *opt)
 {
     memset(opt, 0, sizeof(*opt));
@@ -98,31 +98,49 @@ krb5_verify_opt_init(krb5_verify_opt *opt)
     opt->service = "host";
 }
 
-void
+int KRB5_LIB_FUNCTION
+krb5_verify_opt_alloc(krb5_context context, krb5_verify_opt **opt)
+{
+    *opt = calloc(1, sizeof(**opt));
+    if ((*opt) == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    krb5_verify_opt_init(*opt);
+    return 0;
+}
+
+void KRB5_LIB_FUNCTION
+krb5_verify_opt_free(krb5_verify_opt *opt)
+{
+    free(opt);
+}
+
+void KRB5_LIB_FUNCTION
 krb5_verify_opt_set_ccache(krb5_verify_opt *opt, krb5_ccache ccache)
 {
     opt->ccache = ccache;
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_verify_opt_set_keytab(krb5_verify_opt *opt, krb5_keytab keytab)
 {
     opt->keytab = keytab;
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_verify_opt_set_secure(krb5_verify_opt *opt, krb5_boolean secure)
 {
     opt->secure = secure;
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_verify_opt_set_service(krb5_verify_opt *opt, const char *service)
 {
     opt->service = service;
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_verify_opt_set_flags(krb5_verify_opt *opt, unsigned int flags)
 {
     opt->flags |= flags;
@@ -136,13 +154,15 @@ verify_user_opt_int(krb5_context context,
 
 {
     krb5_error_code ret;
-    krb5_get_init_creds_opt opt;
+    krb5_get_init_creds_opt *opt;
     krb5_creds cred;
 
-    krb5_get_init_creds_opt_init (&opt);
+    ret = krb5_get_init_creds_opt_alloc (context, &opt);
+    if (ret)
+	return ret;
     krb5_get_init_creds_opt_set_default_flags(context, NULL, 
-					      *krb5_princ_realm(context, principal), 
-					      &opt);
+					      krb5_principal_get_realm(context, principal), 
+					      opt);
     ret = krb5_get_init_creds_password (context,
 					&cred,
 					principal,
@@ -151,7 +171,8 @@ verify_user_opt_int(krb5_context context,
 					NULL,
 					0,
 					NULL,
-					&opt);
+					opt);
+    krb5_get_init_creds_opt_free(context, opt);
     if(ret)
 	return ret;
 #define OPT(V, D) ((vopt && (vopt->V)) ? (vopt->V) : (D))
@@ -161,7 +182,7 @@ verify_user_opt_int(krb5_context context,
 #undef OPT
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_verify_user_opt(krb5_context context,
 		     krb5_principal principal,
 		     const char *password,
@@ -199,7 +220,7 @@ krb5_verify_user_opt(krb5_context context,
 
 /* compat function that calls above */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_verify_user(krb5_context context, 
 		 krb5_principal principal,
 		 krb5_ccache ccache,
@@ -223,7 +244,7 @@ krb5_verify_user(krb5_context context,
  * ignored and all the local realms are tried.
  */
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_verify_user_lrealm(krb5_context context, 
 			krb5_principal principal,
 			krb5_ccache ccache,
diff --git a/crypto/heimdal/lib/krb5/version-script.map b/crypto/heimdal/lib/krb5/version-script.map
new file mode 100644
index 0000000..df8804a
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/version-script.map
@@ -0,0 +1,722 @@
+# $Id$
+
+HEIMDAL_KRB5_1.0 {
+	global:
+		krb524_convert_creds_kdc;
+		krb524_convert_creds_kdc_ccache;
+		krb5_425_conv_principal;
+		krb5_425_conv_principal_ext2;
+		krb5_425_conv_principal_ext;
+		krb5_524_conv_principal;
+		krb5_abort;
+		krb5_abortx;
+		krb5_acl_match_file;
+		krb5_acl_match_string;
+		krb5_add_et_list;
+		krb5_add_extra_addresses;
+		krb5_add_ignore_addresses;
+		krb5_addlog_dest;
+		krb5_addlog_func;
+		krb5_addr2sockaddr;
+		krb5_address_compare;
+		krb5_address_order;
+		krb5_address_prefixlen_boundary;
+		krb5_address_search;
+		krb5_aname_to_localname;
+		krb5_anyaddr;
+		krb5_appdefault_boolean;
+		krb5_appdefault_string;
+		krb5_appdefault_time;
+		krb5_append_addresses;
+		krb5_auth_con_addflags;
+		krb5_auth_con_free;
+		krb5_auth_con_genaddrs;
+		krb5_auth_con_generatelocalsubkey;
+		krb5_auth_con_getaddrs;
+		krb5_auth_con_getauthenticator;
+		krb5_auth_con_getcksumtype;
+		krb5_auth_con_getflags;
+		krb5_auth_con_getkey;
+		krb5_auth_con_getkeytype;
+		krb5_auth_con_getlocalseqnumber;
+		krb5_auth_con_getlocalsubkey;
+		krb5_auth_con_getrcache;
+		krb5_auth_con_getremotesubkey;
+		krb5_auth_con_init;
+		krb5_auth_con_removeflags;
+		krb5_auth_con_setaddrs;
+		krb5_auth_con_setaddrs_from_fd;
+		krb5_auth_con_setcksumtype;
+		krb5_auth_con_setflags;
+		krb5_auth_con_setkey;
+		krb5_auth_con_setkeytype;
+		krb5_auth_con_setlocalseqnumber;
+		krb5_auth_con_setlocalsubkey;
+		krb5_auth_con_setrcache;
+		krb5_auth_con_setremoteseqnumber;
+		krb5_auth_con_setremotesubkey;
+		krb5_auth_con_setuserkey;
+		krb5_auth_getremoteseqnumber;
+		krb5_build_ap_req;
+		krb5_build_authenticator;
+		krb5_build_principal;
+		krb5_build_principal_ext;
+		krb5_build_principal_va;
+		krb5_build_principal_va_ext;
+		krb5_c_block_size;
+		krb5_c_checksum_length;
+		krb5_c_decrypt;
+		krb5_c_encrypt;
+		krb5_c_encrypt_length;
+		krb5_c_enctype_compare;
+		krb5_c_get_checksum;
+		krb5_c_is_coll_proof_cksum;
+		krb5_c_is_keyed_cksum;
+		krb5_c_keylengths;
+		krb5_c_make_checksum;
+		krb5_c_make_random_key;
+		krb5_c_prf;
+		krb5_c_prf_length;
+		krb5_c_set_checksum;
+		krb5_c_valid_cksumtype;
+		krb5_c_valid_enctype;
+		krb5_c_verify_checksum;
+		krb5_cc_cache_end_seq_get;
+		krb5_cc_cache_get_first;
+		krb5_cc_cache_match;
+		krb5_cc_cache_next;
+		krb5_cc_clear_mcred;
+		krb5_cc_close;
+		krb5_cc_copy_cache;
+		krb5_cc_copy_cache_match;
+		krb5_cc_default;
+		krb5_cc_default_name;
+		krb5_cc_destroy;
+		krb5_cc_end_seq_get;
+		krb5_cc_gen_new;
+		krb5_cc_get_full_name;
+		krb5_cc_get_name;
+		krb5_cc_get_ops;
+		krb5_cc_get_prefix_ops;
+		krb5_cc_get_principal;
+		krb5_cc_get_type;
+		krb5_cc_get_version;
+		krb5_cc_initialize;
+		krb5_cc_move;
+		krb5_cc_new_unique;
+		krb5_cc_next_cred;
+		krb5_cc_next_cred_match;
+		krb5_cc_register;
+		krb5_cc_remove_cred;
+		krb5_cc_resolve;
+		krb5_cc_retrieve_cred;
+		krb5_cc_set_default_name;
+		krb5_cc_set_flags;
+		krb5_cc_start_seq_get;
+		krb5_cc_store_cred;
+		krb5_change_password;
+		krb5_check_transited;
+		krb5_check_transited_realms;
+		krb5_checksum_disable;
+		krb5_checksum_free;
+		krb5_checksum_is_collision_proof;
+		krb5_checksum_is_keyed;
+		krb5_checksumsize;
+		krb5_cksumtype_valid;
+		krb5_clear_error_string;
+		krb5_closelog;
+		krb5_compare_creds;
+		krb5_config_file_free;
+		krb5_config_free_strings;
+		krb5_config_get;
+		krb5_config_get_bool;
+		krb5_config_get_bool_default;
+		krb5_config_get_int;
+		krb5_config_get_int_default;
+		krb5_config_get_list;
+		krb5_config_get_next;
+		krb5_config_get_string;
+		krb5_config_get_string_default;
+		krb5_config_get_strings;
+		krb5_config_get_time;
+		krb5_config_get_time_default;
+		krb5_config_parse_file;
+		krb5_config_parse_file_multi;
+		krb5_config_parse_string_multi;
+		krb5_config_vget;
+		krb5_config_vget_bool;
+		krb5_config_vget_bool_default;
+		krb5_config_vget_int;
+		krb5_config_vget_int_default;
+		krb5_config_vget_list;
+		krb5_config_vget_next;
+		krb5_config_vget_string;
+		krb5_config_vget_string_default;
+		krb5_config_vget_strings;
+		krb5_config_vget_time;
+		krb5_config_vget_time_default;
+		krb5_copy_address;
+		krb5_copy_addresses;
+		krb5_copy_checksum;
+		krb5_copy_creds;
+		krb5_copy_creds_contents;
+		krb5_copy_data;
+		krb5_copy_host_realm;
+		krb5_copy_keyblock;
+		krb5_copy_keyblock_contents;
+		krb5_copy_principal;
+		krb5_copy_ticket;
+		krb5_create_checksum;
+		krb5_crypto_destroy;
+		krb5_crypto_get_checksum_type;
+		krb5_crypto_getblocksize;
+		krb5_crypto_getconfoundersize;
+		krb5_crypto_getenctype;
+		krb5_crypto_getpadsize;
+		krb5_crypto_init;
+		krb5_crypto_overhead;
+		krb5_crypto_prf;
+		krb5_crypto_prf_length;
+		krb5_data_alloc;
+		krb5_data_cmp;
+		krb5_data_copy;
+		krb5_data_free;
+		krb5_data_realloc;
+		krb5_data_zero;
+		krb5_decode_Authenticator;
+		krb5_decode_ETYPE_INFO2;
+		krb5_decode_ETYPE_INFO;
+		krb5_decode_EncAPRepPart;
+		krb5_decode_EncASRepPart;
+		krb5_decode_EncKrbCredPart;
+		krb5_decode_EncTGSRepPart;
+		krb5_decode_EncTicketPart;
+		krb5_decode_ap_req;
+		krb5_decrypt;
+		krb5_decrypt_EncryptedData;
+		krb5_decrypt_ivec;
+		krb5_decrypt_ticket;
+		krb5_derive_key;
+		krb5_digest_alloc;
+		krb5_digest_free;
+		krb5_digest_get_client_binding;
+		krb5_digest_get_identifier;
+		krb5_digest_get_opaque;
+		krb5_digest_get_rsp;
+		krb5_digest_get_server_nonce;
+		krb5_digest_get_session_key;
+		krb5_digest_get_tickets;
+		krb5_digest_init_request;
+		krb5_digest_probe;
+		krb5_digest_rep_get_status;
+		krb5_digest_request;
+		krb5_digest_set_authentication_user;
+		krb5_digest_set_authid;
+		krb5_digest_set_client_nonce;
+		krb5_digest_set_digest;
+		krb5_digest_set_hostname;
+		krb5_digest_set_identifier;
+		krb5_digest_set_method;
+		krb5_digest_set_nonceCount;
+		krb5_digest_set_opaque;
+		krb5_digest_set_qop;
+		krb5_digest_set_realm;
+		krb5_digest_set_responseData;
+		krb5_digest_set_server_cb;
+		krb5_digest_set_server_nonce;
+		krb5_digest_set_type;
+		krb5_digest_set_uri;
+		krb5_digest_set_username;
+		krb5_domain_x500_decode;
+		krb5_domain_x500_encode;
+		krb5_eai_to_heim_errno;
+		krb5_encode_Authenticator;
+		krb5_encode_ETYPE_INFO2;
+		krb5_encode_ETYPE_INFO;
+		krb5_encode_EncAPRepPart;
+		krb5_encode_EncASRepPart;
+		krb5_encode_EncKrbCredPart;
+		krb5_encode_EncTGSRepPart;
+		krb5_encode_EncTicketPart;
+		krb5_encrypt;
+		krb5_encrypt_EncryptedData;
+		krb5_encrypt_ivec;
+		krb5_enctype_disable;
+		krb5_enctype_keybits;
+		krb5_enctype_keysize;
+		krb5_enctype_to_keytype;
+		krb5_enctype_to_string;
+		krb5_enctype_valid;
+		krb5_enctypes_compatible_keys;
+		krb5_err;
+		krb5_error_from_rd_error;
+		krb5_errx;
+		krb5_expand_hostname;
+		krb5_expand_hostname_realms;
+		krb5_find_padata;
+		krb5_format_time;
+		krb5_free_address;
+		krb5_free_addresses;
+		krb5_free_ap_rep_enc_part;
+		krb5_free_authenticator;
+		krb5_free_checksum;
+		krb5_free_checksum_contents;
+		krb5_free_config_files;
+		krb5_free_context;
+		krb5_free_cred_contents;
+		krb5_free_creds;
+		krb5_free_creds_contents;
+		krb5_free_data;
+		krb5_free_data_contents;
+		krb5_free_error;
+		krb5_free_error_contents;
+		krb5_free_error_string;
+		krb5_free_host_realm;
+		krb5_free_kdc_rep;
+		krb5_free_keyblock;
+		krb5_free_keyblock_contents;
+		krb5_free_krbhst;
+		krb5_free_principal;
+		krb5_free_salt;
+		krb5_free_ticket;
+		krb5_fwd_tgt_creds;
+		krb5_generate_random_block;
+		krb5_generate_random_keyblock;
+		krb5_generate_seq_number;
+		krb5_generate_subkey;
+		krb5_generate_subkey_extended;
+		krb5_get_all_client_addrs;
+		krb5_get_all_server_addrs;
+		krb5_get_cred_from_kdc;
+		krb5_get_cred_from_kdc_opt;
+		krb5_get_credentials;
+		krb5_get_credentials_with_flags;
+		krb5_get_creds;
+		krb5_get_creds_opt_add_options;
+		krb5_get_creds_opt_alloc;
+		krb5_get_creds_opt_free;
+		krb5_get_creds_opt_set_enctype;
+		krb5_get_creds_opt_set_impersonate;
+		krb5_get_creds_opt_set_options;
+		krb5_get_creds_opt_set_ticket;
+		krb5_get_default_config_files;
+		krb5_get_default_in_tkt_etypes;
+		krb5_get_default_principal;
+		krb5_get_default_realm;
+		krb5_get_default_realms;
+		krb5_get_dns_canonicalize_hostname;
+		krb5_get_err_text;
+		krb5_get_error_message;
+		krb5_get_error_string;
+		krb5_get_extra_addresses;
+		krb5_get_fcache_version;
+		krb5_get_forwarded_creds;
+		krb5_get_host_realm;
+		krb5_get_ignore_addresses;
+		krb5_get_in_cred;
+		krb5_get_in_tkt;
+		krb5_get_in_tkt_with_keytab;
+		krb5_get_in_tkt_with_password;
+		krb5_get_in_tkt_with_skey;
+		krb5_get_init_creds;
+		krb5_get_init_creds_keyblock;
+		krb5_get_init_creds_keytab;
+		krb5_get_init_creds_opt_alloc;
+		krb5_get_init_creds_opt_free;
+		krb5_get_init_creds_opt_get_error;
+		krb5_get_init_creds_opt_init;
+		krb5_get_init_creds_opt_set_address_list;
+		krb5_get_init_creds_opt_set_addressless;
+		krb5_get_init_creds_opt_set_anonymous;
+		krb5_get_init_creds_opt_set_canonicalize;
+		krb5_get_init_creds_opt_set_default_flags;
+		krb5_get_init_creds_opt_set_etype_list;
+		krb5_get_init_creds_opt_set_forwardable;
+		krb5_get_init_creds_opt_set_pa_password;
+		krb5_get_init_creds_opt_set_pac_request;
+		krb5_get_init_creds_opt_set_pkinit;
+		krb5_get_init_creds_opt_set_preauth_list;
+		krb5_get_init_creds_opt_set_proxiable;
+		krb5_get_init_creds_opt_set_renew_life;
+		krb5_get_init_creds_opt_set_salt;
+		krb5_get_init_creds_opt_set_tkt_life;
+		krb5_get_init_creds_opt_set_win2k;
+		krb5_get_init_creds_password;
+		krb5_get_kdc_cred;
+		krb5_get_kdc_sec_offset;
+		krb5_get_krb524hst;
+		krb5_get_krb_admin_hst;
+		krb5_get_krb_changepw_hst;
+		krb5_get_krbhst;
+		krb5_get_max_time_skew;
+		krb5_get_pw_salt;
+		krb5_get_renewed_creds;
+		krb5_get_server_rcache;
+		krb5_get_use_admin_kdc;
+		krb5_get_warn_dest;
+		krb5_get_wrapped_length;
+		krb5_getportbyname;
+		krb5_h_addr2addr;
+		krb5_h_addr2sockaddr;
+		krb5_h_errno_to_heim_errno;
+		krb5_have_error_string;
+		krb5_hmac;
+		krb5_init_context;
+		krb5_init_ets;
+		krb5_init_etype;
+		krb5_initlog;
+		krb5_is_thread_safe;
+		krb5_kerberos_enctypes;
+		krb5_keyblock_get_enctype;
+		krb5_keyblock_init;
+		krb5_keyblock_key_proc;
+		krb5_keyblock_zero;
+		krb5_keytab_key_proc;
+		krb5_keytype_to_enctypes;
+		krb5_keytype_to_enctypes_default;
+		krb5_keytype_to_string;
+		krb5_krbhst_format_string;
+		krb5_krbhst_free;
+		krb5_krbhst_get_addrinfo;
+		krb5_krbhst_init;
+		krb5_krbhst_init_flags;
+		krb5_krbhst_next;
+		krb5_krbhst_next_as_string;
+		krb5_krbhst_reset;
+		krb5_kt_add_entry;
+		krb5_kt_close;
+		krb5_kt_compare;
+		krb5_kt_copy_entry_contents;
+		krb5_kt_default;
+		krb5_kt_default_modify_name;
+		krb5_kt_default_name;
+		krb5_kt_end_seq_get;
+		krb5_kt_free_entry;
+		krb5_kt_get_entry;
+		krb5_kt_get_full_name;
+		krb5_kt_get_name;
+		krb5_kt_get_type;
+		krb5_kt_next_entry;
+		krb5_kt_read_service_key;
+		krb5_kt_register;
+		krb5_kt_remove_entry;
+		krb5_kt_resolve;
+		krb5_kt_start_seq_get;
+		krb5_kuserok;
+		krb5_log;
+		krb5_log_msg;
+		krb5_make_addrport;
+		krb5_make_principal;
+		krb5_max_sockaddr_size;
+		krb5_mk_error;
+		krb5_mk_priv;
+		krb5_mk_rep;
+		krb5_mk_req;
+		krb5_mk_req_exact;
+		krb5_mk_req_extended;
+		krb5_mk_safe;
+		krb5_net_read;
+		krb5_net_write;
+		krb5_net_write_block;
+		krb5_ntlm_alloc;
+		krb5_ntlm_free;
+		krb5_ntlm_init_get_challange;
+		krb5_ntlm_init_get_flags;
+		krb5_ntlm_init_get_opaque;
+		krb5_ntlm_init_get_targetinfo;
+		krb5_ntlm_init_get_targetname;
+		krb5_ntlm_init_request;
+		krb5_ntlm_rep_get_sessionkey;
+		krb5_ntlm_rep_get_status;
+		krb5_ntlm_req_set_flags;
+		krb5_ntlm_req_set_lm;
+		krb5_ntlm_req_set_ntlm;
+		krb5_ntlm_req_set_opaque;
+		krb5_ntlm_req_set_session;
+		krb5_ntlm_req_set_targetname;
+		krb5_ntlm_req_set_username;
+		krb5_ntlm_request;
+		krb5_openlog;
+		krb5_pac_add_buffer;
+		krb5_pac_free;
+		krb5_pac_get_buffer;
+		krb5_pac_get_types;
+		krb5_pac_init;
+		krb5_pac_parse;
+		krb5_pac_verify;
+		krb5_padata_add;
+		krb5_parse_address;
+		krb5_parse_name;
+		krb5_parse_name_flags;
+		krb5_parse_nametype;
+		krb5_passwd_result_to_string;
+		krb5_password_key_proc;
+		krb5_plugin_register;
+		krb5_prepend_config_files;
+		krb5_prepend_config_files_default;
+		krb5_princ_realm;
+		krb5_princ_set_realm;
+		krb5_principal_compare;
+		krb5_principal_compare_any_realm;
+		krb5_principal_get_comp_string;
+		krb5_principal_get_realm;
+		krb5_principal_get_type;
+		krb5_principal_match;
+		krb5_principal_set_type;
+		krb5_print_address;
+		krb5_program_setup;
+		krb5_prompter_posix;
+		krb5_random_to_key;
+		krb5_rc_close;
+		krb5_rc_default;
+		krb5_rc_default_name;
+		krb5_rc_default_type;
+		krb5_rc_destroy;
+		krb5_rc_expunge;
+		krb5_rc_get_lifespan;
+		krb5_rc_get_name;
+		krb5_rc_get_type;
+		krb5_rc_initialize;
+		krb5_rc_recover;
+		krb5_rc_resolve;
+		krb5_rc_resolve_full;
+		krb5_rc_resolve_type;
+		krb5_rc_store;
+		krb5_rd_cred2;
+		krb5_rd_cred;
+		krb5_rd_error;
+		krb5_rd_priv;
+		krb5_rd_rep;
+		krb5_rd_req;
+		krb5_rd_req_ctx;
+		krb5_rd_req_in_ctx_alloc;
+		krb5_rd_req_in_ctx_free;
+		krb5_rd_req_in_set_keyblock;
+		krb5_rd_req_in_set_keytab;
+		krb5_rd_req_in_set_pac_check;
+		krb5_rd_req_out_ctx_free;
+		krb5_rd_req_out_get_ap_req_options;
+		krb5_rd_req_out_get_keyblock;
+		krb5_rd_req_out_get_ticket;
+		krb5_rd_req_with_keyblock;
+		krb5_rd_safe;
+		krb5_read_message;
+		krb5_read_priv_message;
+		krb5_read_safe_message;
+		krb5_realm_compare;
+		krb5_recvauth;
+		krb5_recvauth_match_version;
+		krb5_ret_address;
+		krb5_ret_addrs;
+		krb5_ret_authdata;
+		krb5_ret_creds;
+		krb5_ret_creds_tag;
+		krb5_ret_data;
+		krb5_ret_int16;
+		krb5_ret_int32;
+		krb5_ret_int8;
+		krb5_ret_keyblock;
+		krb5_ret_principal;
+		krb5_ret_string;
+		krb5_ret_stringnl;
+		krb5_ret_stringz;
+		krb5_ret_times;
+		krb5_ret_uint16;
+		krb5_ret_uint32;
+		krb5_ret_uint8;
+		krb5_salttype_to_string;
+		krb5_sendauth;
+		krb5_sendto;
+		krb5_sendto_context;
+		krb5_sendto_ctx_add_flags;
+		krb5_sendto_ctx_alloc;
+		krb5_sendto_ctx_free;
+		krb5_sendto_ctx_get_flags;
+		krb5_sendto_ctx_set_func;
+		krb5_sendto_ctx_set_type;
+		krb5_sendto_kdc;
+		krb5_sendto_kdc_flags;
+		krb5_set_config_files;
+		krb5_set_default_in_tkt_etypes;
+		krb5_set_default_realm;
+		krb5_set_dns_canonicalize_hostname;
+		krb5_set_error_string;
+		krb5_set_extra_addresses;
+		krb5_set_fcache_version;
+		krb5_set_ignore_addresses;
+		krb5_set_max_time_skew;
+		krb5_set_password;
+		krb5_set_password_using_ccache;
+		krb5_set_real_time;
+		krb5_set_send_to_kdc_func;
+		krb5_set_use_admin_kdc;
+		krb5_set_warn_dest;
+		krb5_sname_to_principal;
+		krb5_sock_to_principal;
+		krb5_sockaddr2address;
+		krb5_sockaddr2port;
+		krb5_sockaddr_uninteresting;
+		krb5_std_usage;
+		krb5_storage_clear_flags;
+		krb5_storage_emem;
+		krb5_storage_free;
+		krb5_storage_from_data;
+		krb5_storage_from_fd;
+		krb5_storage_from_mem;
+		krb5_storage_from_readonly_mem;
+		krb5_storage_get_byteorder;
+		krb5_storage_is_flags;
+		krb5_storage_read;
+		krb5_storage_seek;
+		krb5_storage_set_byteorder;
+		krb5_storage_set_eof_code;
+		krb5_storage_set_flags;
+		krb5_storage_to_data;
+		krb5_storage_write;
+		krb5_store_address;
+		krb5_store_addrs;
+		krb5_store_authdata;
+		krb5_store_creds;
+		krb5_store_creds_tag;
+		krb5_store_data;
+		krb5_store_int16;
+		krb5_store_int32;
+		krb5_store_int8;
+		krb5_store_keyblock;
+		krb5_store_principal;
+		krb5_store_string;
+		krb5_store_stringnl;
+		krb5_store_stringz;
+		krb5_store_times;
+		krb5_store_uint16;
+		krb5_store_uint32;
+		krb5_store_uint8;
+		krb5_string_to_deltat;
+		krb5_string_to_enctype;
+		krb5_string_to_key;
+		krb5_string_to_key_data;
+		krb5_string_to_key_data_salt;
+		krb5_string_to_key_data_salt_opaque;
+		krb5_string_to_key_derived;
+		krb5_string_to_key_salt;
+		krb5_string_to_key_salt_opaque;
+		krb5_string_to_keytype;
+		krb5_string_to_salttype;
+		krb5_ticket_get_authorization_data_type;
+		krb5_ticket_get_client;
+		krb5_ticket_get_endtime;
+		krb5_ticket_get_server;
+		krb5_timeofday;
+		krb5_unparse_name;
+		krb5_unparse_name_fixed;
+		krb5_unparse_name_fixed_flags;
+		krb5_unparse_name_fixed_short;
+		krb5_unparse_name_flags;
+		krb5_unparse_name_short;
+		krb5_us_timeofday;
+		krb5_vabort;
+		krb5_vabortx;
+		krb5_verify_ap_req2;
+		krb5_verify_ap_req;
+		krb5_verify_authenticator_checksum;
+		krb5_verify_checksum;
+		krb5_verify_init_creds;
+		krb5_verify_init_creds_opt_init;
+		krb5_verify_init_creds_opt_set_ap_req_nofail;
+		krb5_verify_opt_alloc;
+		krb5_verify_opt_free;
+		krb5_verify_opt_init;
+		krb5_verify_opt_set_ccache;
+		krb5_verify_opt_set_flags;
+		krb5_verify_opt_set_keytab;
+		krb5_verify_opt_set_secure;
+		krb5_verify_opt_set_service;
+		krb5_verify_user;
+		krb5_verify_user_lrealm;
+		krb5_verify_user_opt;
+		krb5_verr;
+		krb5_verrx;
+		krb5_vlog;
+		krb5_vlog_msg;
+		krb5_vset_error_string;
+		krb5_vwarn;
+		krb5_vwarnx;
+		krb5_warn;
+		krb5_warnx;
+		krb5_write_message;
+		krb5_write_priv_message;
+		krb5_write_safe_message;
+		krb5_xfree;
+
+		# com_err error tables
+		initialize_krb5_error_table_r;
+		initialize_krb5_error_table;
+		initialize_krb_error_table_r;
+		initialize_krb_error_table;
+		initialize_heim_error_table_r;
+		initialize_heim_error_table;
+		initialize_k524_error_table_r;
+		initialize_k524_error_table;
+
+		# variables
+		krb5_mcc_ops;
+		krb5_acc_ops;
+		krb5_fcc_ops;
+		krb5_kcm_ops;
+		krb4_fkt_ops;
+		krb5_wrfkt_ops;
+		krb5_mkt_ops;
+		krb5_fkt_ops;
+		krb5_akf_ops;
+		krb5_srvtab_fkt_ops;
+		krb5_any_ops;
+		heimdal_version;
+		heimdal_long_version;
+		krb5_config_file;
+		krb5_defkeyname;
+
+		# Shared with GSSAPI krb5
+		_krb5_crc_init_table;		
+		_krb5_crc_update;		
+
+		# V4 compat glue
+		_krb5_krb_tf_setup;
+		_krb5_krb_dest_tkt;
+		_krb5_krb_life_to_time;
+		_krb5_krb_decomp_ticket;
+		_krb5_krb_decomp_ticket;
+		_krb5_krb_create_ticket;
+		_krb5_krb_create_ciph;
+		_krb5_krb_create_auth_reply;
+		_krb5_krb_rd_req;
+		_krb5_krb_free_auth_data;
+		_krb5_krb_time_to_life;
+		_krb5_krb_cr_err_reply;
+
+		# Shared with libkdc
+		_krb5_principalname2krb5_principal;
+		_krb5_principal2principalname;
+		_krb5_s4u2self_to_checksumdata;
+		_krb5_put_int;
+		_krb5_get_int;
+		_krb5_pk_load_id;
+		_krb5_parse_moduli;
+		_krb5_pk_mk_ContentInfo;
+		_krb5_dh_group_ok;
+		_krb5_pk_octetstring2key;
+		_krb5_pk_allow_proxy_certificate;
+		_krb5_pac_sign;
+		_krb5_plugin_find;
+		_krb5_plugin_get_symbol;
+		_krb5_plugin_get_next;
+		_krb5_plugin_free;
+		_krb5_AES_string_to_default_iterator;
+		_krb5_get_host_realm_int;
+
+		# testing
+		_krb5_aes_cts_encrypt;
+		_krb5_n_fold;
+		_krb5_expand_default_cc_name;
+	local:
+		*;
+};
diff --git a/crypto/heimdal/lib/krb5/version.c b/crypto/heimdal/lib/krb5/version.c
index 5f0fd66..f7ccff5 100644
--- a/crypto/heimdal/lib/krb5/version.c
+++ b/crypto/heimdal/lib/krb5/version.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: version.c,v 1.3 1999/12/02 17:05:13 joda Exp $");
+RCSID("$Id: version.c 7464 1999-12-02 17:05:13Z joda $");
 
 /* this is just to get a version stamp in the library file */
 
diff --git a/crypto/heimdal/lib/krb5/warn.c b/crypto/heimdal/lib/krb5/warn.c
index 72398bf..85f143b 100644
--- a/crypto/heimdal/lib/krb5/warn.c
+++ b/crypto/heimdal/lib/krb5/warn.c
@@ -34,7 +34,7 @@
 #include "krb5_locl.h"
 #include <err.h>
 
-RCSID("$Id: warn.c,v 1.14 2003/04/16 16:13:08 lha Exp $");
+RCSID("$Id: warn.c 19086 2006-11-21 08:06:40Z lha $");
 
 static krb5_error_code _warnerr(krb5_context context, int do_errtext, 
 	 krb5_error_code code, int level, const char *fmt, va_list ap)
@@ -96,7 +96,7 @@ _warnerr(krb5_context context, int do_errtext,
 #undef __attribute__
 #define __attribute__(X)
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_vwarn(krb5_context context, krb5_error_code code, 
 	   const char *fmt, va_list ap)
      __attribute__ ((format (printf, 3, 0)))
@@ -105,7 +105,7 @@ krb5_vwarn(krb5_context context, krb5_error_code code,
 }
 
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_warn(krb5_context context, krb5_error_code code, const char *fmt, ...)
      __attribute__ ((format (printf, 3, 4)))
 {
@@ -113,14 +113,14 @@ krb5_warn(krb5_context context, krb5_error_code code, const char *fmt, ...)
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_vwarnx(krb5_context context, const char *fmt, va_list ap)
      __attribute__ ((format (printf, 2, 0)))
 {
     return _warnerr(context, 0, 0, 1, fmt, ap);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_warnx(krb5_context context, const char *fmt, ...)
      __attribute__ ((format (printf, 2, 3)))
 {
@@ -128,7 +128,7 @@ krb5_warnx(krb5_context context, const char *fmt, ...)
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_verr(krb5_context context, int eval, krb5_error_code code, 
 	  const char *fmt, va_list ap)
      __attribute__ ((noreturn, format (printf, 4, 0)))
@@ -138,7 +138,7 @@ krb5_verr(krb5_context context, int eval, krb5_error_code code,
 }
 
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_err(krb5_context context, int eval, krb5_error_code code, 
 	 const char *fmt, ...)
      __attribute__ ((noreturn, format (printf, 4, 5)))
@@ -147,7 +147,7 @@ krb5_err(krb5_context context, int eval, krb5_error_code code,
     exit(eval);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_verrx(krb5_context context, int eval, const char *fmt, va_list ap)
      __attribute__ ((noreturn, format (printf, 3, 0)))
 {
@@ -155,7 +155,7 @@ krb5_verrx(krb5_context context, int eval, const char *fmt, va_list ap)
     exit(eval);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_errx(krb5_context context, int eval, const char *fmt, ...)
      __attribute__ ((noreturn, format (printf, 3, 4)))
 {
@@ -163,7 +163,7 @@ krb5_errx(krb5_context context, int eval, const char *fmt, ...)
     exit(eval);
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_vabort(krb5_context context, krb5_error_code code, 
 	    const char *fmt, va_list ap)
      __attribute__ ((noreturn, format (printf, 3, 0)))
@@ -173,7 +173,7 @@ krb5_vabort(krb5_context context, krb5_error_code code,
 }
 
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_abort(krb5_context context, krb5_error_code code, const char *fmt, ...)
      __attribute__ ((noreturn, format (printf, 3, 4)))
 {
@@ -181,7 +181,7 @@ krb5_abort(krb5_context context, krb5_error_code code, const char *fmt, ...)
     abort();
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_vabortx(krb5_context context, const char *fmt, va_list ap)
      __attribute__ ((noreturn, format (printf, 2, 0)))
 {
@@ -189,7 +189,7 @@ krb5_vabortx(krb5_context context, const char *fmt, va_list ap)
     abort();
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_abortx(krb5_context context, const char *fmt, ...)
      __attribute__ ((noreturn, format (printf, 2, 3)))
 {
@@ -197,9 +197,15 @@ krb5_abortx(krb5_context context, const char *fmt, ...)
     abort();
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_set_warn_dest(krb5_context context, krb5_log_facility *fac)
 {
     context->warn_dest = fac;
     return 0;
 }
+
+krb5_log_facility * KRB5_LIB_FUNCTION
+krb5_get_warn_dest(krb5_context context)
+{
+    return context->warn_dest;
+}
diff --git a/crypto/heimdal/lib/krb5/write_message.c b/crypto/heimdal/lib/krb5/write_message.c
index 3e23a3a..1694a10 100644
--- a/crypto/heimdal/lib/krb5/write_message.c
+++ b/crypto/heimdal/lib/krb5/write_message.c
@@ -33,15 +33,15 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: write_message.c,v 1.8 2001/07/02 18:43:06 joda Exp $");
+RCSID("$Id: write_message.c 17442 2006-05-05 09:31:15Z lha $");
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_write_message (krb5_context context,
 		    krb5_pointer p_fd,
 		    krb5_data *data)
 {
-    u_int32_t len;
-    u_int8_t buf[4];
+    uint32_t len;
+    uint8_t buf[4];
     int ret;
 
     len = data->length;
@@ -55,7 +55,7 @@ krb5_write_message (krb5_context context,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_write_priv_message(krb5_context context,
 			krb5_auth_context ac,
 			krb5_pointer p_fd,
@@ -72,7 +72,7 @@ krb5_write_priv_message(krb5_context context,
     return ret;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_write_safe_message(krb5_context context,
 			krb5_auth_context ac,
 			krb5_pointer p_fd,
diff --git a/crypto/heimdal/lib/ntlm/ChangeLog b/crypto/heimdal/lib/ntlm/ChangeLog
new file mode 100644
index 0000000..b38ae91
--- /dev/null
+++ b/crypto/heimdal/lib/ntlm/ChangeLog
@@ -0,0 +1,112 @@
+2007-12-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* heimntlm.h: Add NTLM_TARGET_*
+
+	* ntlm.c: Make heim_ntlm_decode_type3 more useful and provide a
+	username. From Ming Yang.
+
+2007-11-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* move doxygen into the main file
+
+	* write doxygen documentation
+
+	* export heim_ntlm_free_buf, start doxygen documentation
+	
+2007-07-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ntlm.c: Use unsigned char * as argument to HMAC_Update to please
+	OpenSSL and gcc.
+
+	* test_ntlm.c: more verbose what we are testing.
+
+2007-07-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: New library version.
+
+2007-06-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_ntlm.c: heim_ntlm_calculate_ntlm2_sess_resp
+
+	* ntlm.c: Change prototype to match other heim_ntlm_calculate
+	functions.
+
+	* test_ntlm.c: Its ok if infotarget2 length is longer.
+
+	* ntlm.c: Merge in changes from Puneet Mehra and make work again.
+
+	* ntlm.c (heim_ntlm_ntlmv2_key): target should be uppercase.
+	From Puneet Mehra.
+
+	* version-script.map: Add heim_ntlm_calculate_ntlm2_sess_resp from
+	Puneet Mehra.
+
+	* ntlm.c: Add heim_ntlm_calculate_ntlm2_sess_resp from Puneet
+	Mehra.
+	
+	* test_ntlm.c: Test heim_ntlm_calculate_ntlm2_sess_resp from
+	Puneet Mehra.
+	
+2007-06-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: EXTRA_DIST += version-script.map.
+	
+2007-06-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_ntlm.c: Free memory diffrently.
+
+	* ntlm.c: Make free functions free memory.
+	
+2007-04-22  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: symbol versioning.
+	
+	* version-script.map: symbol versioning.
+	
+2007-01-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_ntlm.c: No need to include <gssapi.h>.
+	
+2007-01-04  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: add LIB_roken for test_ntlm
+	
+2006-12-26  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* test_ntlm.c: Verify infotarget.
+
+	* ntlm.c: Extract the infotarget from the answer.
+
+	* ntlm.c (heim_ntlm_verify_ntlm2): verify the ntlmv2 reply
+	
+2006-12-22  Dave Love  <fx@gnu.org>
+
+	* ntlm.c: Include <limits.h>.
+	
+2006-12-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_ntlm.c: add some new tests.
+
+	* ntlm.c: Add ntlmv2 answer calculating functions.
+
+	* ntlm.c: sent lm hashes, needed for NTLM2 session
+
+	* heimntlm.h: Add NTLM_NEG_NTLM2_SESSION, NTLMv2 session security.
+	
+2006-12-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ntlm.c (heim_ntlm_build_ntlm1_master): return session master
+	key.
+	
+2006-12-18  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* ntlm.c (heim_ntlm_build_ntlm1_master): calculate the ntlm
+	version 1 "master" key.
+	
+2006-12-13  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* test_ntlm.c: Add simple parser test app.
+
+	* inital version of a NTLM library, only handles ntml version 1 and
+	ascii strings for now
+
diff --git a/crypto/heimdal/lib/ntlm/Makefile.am b/crypto/heimdal/lib/ntlm/Makefile.am
new file mode 100644
index 0000000..8d62141
--- /dev/null
+++ b/crypto/heimdal/lib/ntlm/Makefile.am
@@ -0,0 +1,34 @@
+# $Id: Makefile.am 22045 2007-11-11 08:57:47Z lha $
+
+include $(top_srcdir)/Makefile.am.common
+
+lib_LTLIBRARIES	= libheimntlm.la
+
+include_HEADERS = heimntlm.h heimntlm-protos.h
+
+libheimntlm_la_SOURCES	= ntlm.c heimntlm.h
+
+libheimntlm_la_LDFLAGS = -version-info 1:0:1
+
+if versionscript
+libheimntlm_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
+endif
+$(libheimntlm_la_OBJECTS): $(srcdir)/version-script.map
+
+libheimntlm_la_LIBADD = \
+	../krb5/libkrb5.la \
+	$(LIBADD_roken)
+
+$(srcdir)/heimntlm-protos.h:
+	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -o heimntlm-protos.h $(libheimntlm_la_SOURCES) || rm -f heimntlm-protos.h
+
+$(libheimntlm_la_OBJECTS): $(srcdir)/heimntlm-protos.h
+
+
+TESTS = test_ntlm
+
+check_PROGRAMS = test_ntlm
+
+LDADD = libheimntlm.la $(LIB_roken)
+
+EXTRA_DIST = version-script.map
diff --git a/crypto/heimdal/lib/ntlm/Makefile.in b/crypto/heimdal/lib/ntlm/Makefile.in
new file mode 100644
index 0000000..b5c614f
--- /dev/null
+++ b/crypto/heimdal/lib/ntlm/Makefile.in
@@ -0,0 +1,909 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# $Id: Makefile.am 22045 2007-11-11 08:57:47Z lha $
+
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
+
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
+
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+DIST_COMMON = $(include_HEADERS) $(srcdir)/Makefile.am \
+	$(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \
+	$(top_srcdir)/cf/Makefile.am.common ChangeLog
+@versionscript_TRUE@am__append_1 = $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
+TESTS = test_ntlm$(EXEEXT)
+check_PROGRAMS = test_ntlm$(EXEEXT)
+subdir = lib/ntlm
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
+	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
+	$(top_srcdir)/cf/broken-glob.m4 \
+	$(top_srcdir)/cf/broken-realloc.m4 \
+	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
+	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
+	$(top_srcdir)/cf/capabilities.m4 \
+	$(top_srcdir)/cf/check-compile-et.m4 \
+	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
+	$(top_srcdir)/cf/check-man.m4 \
+	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
+	$(top_srcdir)/cf/check-type-extra.m4 \
+	$(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \
+	$(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \
+	$(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
+	$(top_srcdir)/cf/dlopen.m4 \
+	$(top_srcdir)/cf/find-func-no-libs.m4 \
+	$(top_srcdir)/cf/find-func-no-libs2.m4 \
+	$(top_srcdir)/cf/find-func.m4 \
+	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
+	$(top_srcdir)/cf/have-struct-field.m4 \
+	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
+	$(top_srcdir)/cf/krb-bigendian.m4 \
+	$(top_srcdir)/cf/krb-func-getlogin.m4 \
+	$(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
+	$(top_srcdir)/cf/krb-readline.m4 \
+	$(top_srcdir)/cf/krb-struct-spwd.m4 \
+	$(top_srcdir)/cf/krb-struct-winsize.m4 \
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/include/config.h
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(includedir)"
+libLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(lib_LTLIBRARIES)
+am__DEPENDENCIES_1 =
+libheimntlm_la_DEPENDENCIES = ../krb5/libkrb5.la $(am__DEPENDENCIES_1)
+am_libheimntlm_la_OBJECTS = ntlm.lo
+libheimntlm_la_OBJECTS = $(am_libheimntlm_la_OBJECTS)
+libheimntlm_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libheimntlm_la_LDFLAGS) $(LDFLAGS) -o $@
+test_ntlm_SOURCES = test_ntlm.c
+test_ntlm_OBJECTS = test_ntlm.$(OBJEXT)
+test_ntlm_LDADD = $(LDADD)
+test_ntlm_DEPENDENCIES = libheimntlm.la $(am__DEPENDENCIES_1)
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
+depcomp =
+am__depfiles_maybe =
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libheimntlm_la_SOURCES) test_ntlm.c
+DIST_SOURCES = $(libheimntlm_la_SOURCES) test_ntlm.c
+includeHEADERS_INSTALL = $(INSTALL_HEADER)
+HEADERS = $(include_HEADERS)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CFLAGS = @CFLAGS@
+COMPILE_ET = @COMPILE_ET@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DBLIB = @DBLIB@
+DEFS = @DEFS@
+DIR_com_err = @DIR_com_err@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
+DIR_roken = @DIR_roken@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GREP = @GREP@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+INCLUDE_krb4 = @INCLUDE_krb4@
+INCLUDE_openldap = @INCLUDE_openldap@
+INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_NDBM = @LIB_NDBM@
+LIB_XauFileName = @LIB_XauFileName@
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_XauWriteAuth = @LIB_XauWriteAuth@
+LIB_bswap16 = @LIB_bswap16@
+LIB_bswap32 = @LIB_bswap32@
+LIB_com_err = @LIB_com_err@
+LIB_com_err_a = @LIB_com_err_a@
+LIB_com_err_so = @LIB_com_err_so@
+LIB_crypt = @LIB_crypt@
+LIB_db_create = @LIB_db_create@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
+LIB_el_init = @LIB_el_init@
+LIB_freeaddrinfo = @LIB_freeaddrinfo@
+LIB_gai_strerror = @LIB_gai_strerror@
+LIB_getaddrinfo = @LIB_getaddrinfo@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_gethostbyname2 = @LIB_gethostbyname2@
+LIB_getnameinfo = @LIB_getnameinfo@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
+LIB_hesiod = @LIB_hesiod@
+LIB_hstrerror = @LIB_hstrerror@
+LIB_kdb = @LIB_kdb@
+LIB_krb4 = @LIB_krb4@
+LIB_loadquery = @LIB_loadquery@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_openldap = @LIB_openldap@
+LIB_openpty = @LIB_openpty@
+LIB_otp = @LIB_otp@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
+LIB_res_nsearch = @LIB_res_nsearch@
+LIB_res_search = @LIB_res_search@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VERSIONING = @VERSIONING@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
+X_CFLAGS = @X_CFLAGS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_LIBS = @X_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dpagaix_cflags = @dpagaix_cflags@
+dpagaix_ldadd = @dpagaix_ldadd@
+dpagaix_ldflags = @dpagaix_ldflags@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
+@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
+AM_CFLAGS = $(WFLAGS)
+CP = cp
+buildinclude = $(top_builddir)/include
+LIB_getattr = @LIB_getattr@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_setpcred = @LIB_setpcred@
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+NROFF_MAN = groff -mandoc -Tascii
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
+@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+lib_LTLIBRARIES = libheimntlm.la
+include_HEADERS = heimntlm.h heimntlm-protos.h
+libheimntlm_la_SOURCES = ntlm.c heimntlm.h
+libheimntlm_la_LDFLAGS = -version-info 1:0:1 $(am__append_1)
+libheimntlm_la_LIBADD = \
+	../krb5/libkrb5.la \
+	$(LIBADD_roken)
+
+LDADD = libheimntlm.la $(LIB_roken)
+EXTRA_DIST = version-script.map
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign  --ignore-deps lib/ntlm/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign  --ignore-deps lib/ntlm/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \
+	    $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \
+	  $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \
+	done
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libheimntlm.la: $(libheimntlm_la_OBJECTS) $(libheimntlm_la_DEPENDENCIES) 
+	$(libheimntlm_la_LINK) -rpath $(libdir) $(libheimntlm_la_OBJECTS) $(libheimntlm_la_LIBADD) $(LIBS)
+
+clean-checkPROGRAMS:
+	@list='$(check_PROGRAMS)'; for p in $$list; do \
+	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  echo " rm -f $$p $$f"; \
+	  rm -f $$p $$f ; \
+	done
+test_ntlm$(EXEEXT): $(test_ntlm_OBJECTS) $(test_ntlm_DEPENDENCIES) 
+	@rm -f test_ntlm$(EXEEXT)
+	$(LINK) $(test_ntlm_OBJECTS) $(test_ntlm_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+.c.o:
+	$(COMPILE) -c $<
+
+.c.obj:
+	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+install-includeHEADERS: $(include_HEADERS)
+	@$(NORMAL_INSTALL)
+	test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  f=$(am__strip_dir) \
+	  echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
+	  $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
+	done
+
+uninstall-includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
+	  echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(includedir)/$$f"; \
+	done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[	 ]'; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *$$ws$$tst$$ws*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		echo "XPASS: $$tst"; \
+	      ;; \
+	      *) \
+		echo "PASS: $$tst"; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *$$ws$$tst$$ws*) \
+		xfail=`expr $$xfail + 1`; \
+		echo "XFAIL: $$tst"; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		echo "FAIL: $$tst"; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      echo "SKIP: $$tst"; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="All $$all tests passed"; \
+	    else \
+	      banner="All $$all tests behaved as expected ($$xfail expected failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all tests failed"; \
+	    else \
+	      banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    skipped="($$skip tests were not run)"; \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
+	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
+	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  test -z "$$skipped" || echo "$$skipped"; \
+	  test -z "$$report" || echo "$$report"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) \
+	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
+	  dist-hook
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
+check: check-am
+all-am: Makefile $(LTLIBRARIES) $(HEADERS) all-local
+installdirs:
+	for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(includedir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-checkPROGRAMS clean-generic clean-libLTLIBRARIES \
+	clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-includeHEADERS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
+
+install-dvi: install-dvi-am
+
+install-exec-am: install-libLTLIBRARIES
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-includeHEADERS uninstall-libLTLIBRARIES
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
+.PHONY: CTAGS GTAGS all all-am all-local check check-TESTS check-am \
+	check-local clean clean-checkPROGRAMS clean-generic \
+	clean-libLTLIBRARIES clean-libtool ctags dist-hook distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am \
+	install-data-hook install-dvi install-dvi-am install-exec \
+	install-exec-am install-exec-hook install-html install-html-am \
+	install-includeHEADERS install-info install-info-am \
+	install-libLTLIBRARIES install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-hook \
+	uninstall-includeHEADERS uninstall-libLTLIBRARIES
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+
+check-local::
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
+	  foo='$(CHECK_LOCAL)'; else \
+	  foo='$(PROGRAMS)'; fi; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0 || exit 1; \
+	fi
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+$(libheimntlm_la_OBJECTS): $(srcdir)/version-script.map
+
+$(srcdir)/heimntlm-protos.h:
+	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -o heimntlm-protos.h $(libheimntlm_la_SOURCES) || rm -f heimntlm-protos.h
+
+$(libheimntlm_la_OBJECTS): $(srcdir)/heimntlm-protos.h
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/ntlm/heimntlm-protos.h b/crypto/heimdal/lib/ntlm/heimntlm-protos.h
new file mode 100644
index 0000000..bc64791
--- /dev/null
+++ b/crypto/heimdal/lib/ntlm/heimntlm-protos.h
@@ -0,0 +1,131 @@
+/* This is a generated file */
+#ifndef __heimntlm_protos_h__
+#define __heimntlm_protos_h__
+
+#include <stdarg.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+int
+heim_ntlm_build_ntlm1_master (
+	void */*key*/,
+	size_t /*len*/,
+	struct ntlm_buf */*session*/,
+	struct ntlm_buf */*master*/);
+
+int
+heim_ntlm_calculate_ntlm1 (
+	void */*key*/,
+	size_t /*len*/,
+	unsigned char challange[8],
+	struct ntlm_buf */*answer*/);
+
+int
+heim_ntlm_calculate_ntlm2 (
+	const void */*key*/,
+	size_t /*len*/,
+	const char */*username*/,
+	const char */*target*/,
+	const unsigned char serverchallange[8],
+	const struct ntlm_buf */*infotarget*/,
+	unsigned char ntlmv2[16],
+	struct ntlm_buf */*answer*/);
+
+int
+heim_ntlm_calculate_ntlm2_sess (
+	const unsigned char clnt_nonce[8],
+	const unsigned char svr_chal[8],
+	const unsigned char ntlm_hash[16],
+	struct ntlm_buf */*lm*/,
+	struct ntlm_buf */*ntlm*/);
+
+int
+heim_ntlm_decode_targetinfo (
+	const struct ntlm_buf */*data*/,
+	int /*ucs2*/,
+	struct ntlm_targetinfo */*ti*/);
+
+int
+heim_ntlm_decode_type1 (
+	const struct ntlm_buf */*buf*/,
+	struct ntlm_type1 */*data*/);
+
+int
+heim_ntlm_decode_type2 (
+	const struct ntlm_buf */*buf*/,
+	struct ntlm_type2 */*type2*/);
+
+int
+heim_ntlm_decode_type3 (
+	const struct ntlm_buf */*buf*/,
+	int /*ucs2*/,
+	struct ntlm_type3 */*type3*/);
+
+int
+heim_ntlm_encode_targetinfo (
+	const struct ntlm_targetinfo */*ti*/,
+	int /*ucs2*/,
+	struct ntlm_buf */*data*/);
+
+int
+heim_ntlm_encode_type1 (
+	const struct ntlm_type1 */*type1*/,
+	struct ntlm_buf */*data*/);
+
+int
+heim_ntlm_encode_type2 (
+	const struct ntlm_type2 */*type2*/,
+	struct ntlm_buf */*data*/);
+
+int
+heim_ntlm_encode_type3 (
+	const struct ntlm_type3 */*type3*/,
+	struct ntlm_buf */*data*/);
+
+void
+heim_ntlm_free_buf (struct ntlm_buf */*p*/);
+
+void
+heim_ntlm_free_targetinfo (struct ntlm_targetinfo */*ti*/);
+
+void
+heim_ntlm_free_type1 (struct ntlm_type1 */*data*/);
+
+void
+heim_ntlm_free_type2 (struct ntlm_type2 */*data*/);
+
+void
+heim_ntlm_free_type3 (struct ntlm_type3 */*data*/);
+
+int
+heim_ntlm_nt_key (
+	const char */*password*/,
+	struct ntlm_buf */*key*/);
+
+void
+heim_ntlm_ntlmv2_key (
+	const void */*key*/,
+	size_t /*len*/,
+	const char */*username*/,
+	const char */*target*/,
+	unsigned char ntlmv2[16]);
+
+int
+heim_ntlm_verify_ntlm2 (
+	const void */*key*/,
+	size_t /*len*/,
+	const char */*username*/,
+	const char */*target*/,
+	time_t /*now*/,
+	const unsigned char serverchallange[8],
+	const struct ntlm_buf */*answer*/,
+	struct ntlm_buf */*infotarget*/,
+	unsigned char ntlmv2[16]);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __heimntlm_protos_h__ */
diff --git a/crypto/heimdal/lib/ntlm/heimntlm.h b/crypto/heimdal/lib/ntlm/heimntlm.h
new file mode 100644
index 0000000..09d2205
--- /dev/null
+++ b/crypto/heimdal/lib/ntlm/heimntlm.h
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: heimntlm.h 22376 2007-12-28 18:38:23Z lha $ */
+
+#ifndef HEIM_NTLM_H
+#define HEIM_NTLM_H
+
+/**
+ * Buffer for storing data in the NTLM library. When filled in by the
+ * library it should be freed with heim_ntlm_free_buf().
+ */
+struct ntlm_buf {
+    size_t length; /**< length buffer data */
+    void *data; /**< pointer to the data itself */
+};
+
+#define NTLM_NEG_UNICODE		0x00000001
+#define NTLM_NEG_TARGET			0x00000004
+#define NTLM_NEG_SIGN			0x00000010
+#define NTLM_NEG_SEAL			0x00000020
+#define NTLM_NEG_NTLM			0x00000200
+
+#define NTLM_SUPPLIED_DOMAIN		0x00001000
+#define NTLM_SUPPLIED_WORKSTAION	0x00002000
+
+#define NTLM_NEG_ALWAYS_SIGN		0x00008000
+#define NTLM_NEG_NTLM2_SESSION		0x00080000
+
+#define NTLM_TARGET_DOMAIN		0x00010000
+#define NTLM_TARGET_SERVER		0x00020000
+#define NTLM_ENC_128			0x20000000
+#define NTLM_NEG_KEYEX			0x40000000
+
+/**
+ * Struct for the NTLM target info, the strings is assumed to be in
+ * UTF8.  When filled in by the library it should be freed with
+ * heim_ntlm_free_targetinfo().
+ */
+struct ntlm_targetinfo {
+    char *servername; /**< */
+    char *domainname; /**< */
+    char *dnsdomainname; /**< */
+    char *dnsservername; /**< */
+};
+
+/**
+ * Struct for the NTLM type1 message info, the strings is assumed to
+ * be in UTF8.  When filled in by the library it should be freed with
+ * heim_ntlm_free_type1().
+ */
+
+struct ntlm_type1 {
+    uint32_t flags; /**< */
+    char *domain; /**< */
+    char *hostname; /**< */
+    uint32_t os[2]; /**< */
+};
+
+/**
+ * Struct for the NTLM type2 message info, the strings is assumed to
+ * be in UTF8.  When filled in by the library it should be freed with
+ * heim_ntlm_free_type2().
+ */
+
+struct ntlm_type2 {
+    uint32_t flags; /**< */
+    char *targetname; /**< */
+    struct ntlm_buf targetinfo; /**< */
+    unsigned char challange[8]; /**< */
+    uint32_t context[2]; /**< */
+    uint32_t os[2]; /**< */
+};
+
+/**
+ * Struct for the NTLM type3 message info, the strings is assumed to
+ * be in UTF8.  When filled in by the library it should be freed with
+ * heim_ntlm_free_type3().
+ */
+
+struct ntlm_type3 {
+    uint32_t flags; /**< */
+    char *username; /**< */
+    char *targetname; /**< */
+    struct ntlm_buf lm; /**< */
+    struct ntlm_buf ntlm; /**< */
+    struct ntlm_buf sessionkey; /**< */
+    char *ws; /**< */
+    uint32_t os[2]; /**< */
+};
+
+#include <heimntlm-protos.h>
+
+#endif /* NTLM_NTLM_H */
diff --git a/crypto/heimdal/lib/ntlm/ntlm.c b/crypto/heimdal/lib/ntlm/ntlm.c
new file mode 100644
index 0000000..f3dccfa
--- /dev/null
+++ b/crypto/heimdal/lib/ntlm/ntlm.c
@@ -0,0 +1,1364 @@
+/*
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <config.h>
+
+RCSID("$Id: ntlm.c 22370 2007-12-28 16:12:01Z lha $");
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+#include <string.h>
+#include <ctype.h>
+#include <errno.h>
+#include <limits.h>
+
+#include <krb5.h>
+#include <roken.h>
+
+#include "krb5-types.h"
+#include "crypto-headers.h"
+
+#include <heimntlm.h>
+
+/*! \mainpage Heimdal NTLM library
+ *
+ * \section intro Introduction
+ *
+ * Heimdal libheimntlm library is a implementation of the NTLM
+ * protocol, both version 1 and 2. The GSS-API mech that uses this
+ * library adds support for transport encryption and integrity
+ * checking.
+ * 
+ * NTLM is a protocol for mutual authentication, its still used in
+ * many protocol where Kerberos is not support, one example is
+ * EAP/X802.1x mechanism LEAP from Microsoft and Cisco.
+ *
+ * This is a support library for the core protocol, its used in
+ * Heimdal to implement and GSS-API mechanism. There is also support
+ * in the KDC to do remote digest authenticiation, this to allow
+ * services to authenticate users w/o direct access to the users ntlm
+ * hashes (same as Kerberos arcfour enctype hashes).
+ *
+ * More information about the NTLM protocol can found here
+ * http://davenport.sourceforge.net/ntlm.html .
+ * 
+ * The Heimdal projects web page: http://www.h5l.org/
+ */
+
+/** @defgroup ntlm_core Heimdal NTLM library 
+ * 
+ * The NTLM core functions implement the string2key generation
+ * function, message encode and decode function, and the hash function
+ * functions.
+ */
+
+struct sec_buffer {
+    uint16_t length;
+    uint16_t allocated;
+    uint32_t offset;
+};
+
+static const unsigned char ntlmsigature[8] = "NTLMSSP\x00";
+
+/*
+ *
+ */
+
+#define CHECK(f, e)							\
+    do { ret = f ; if (ret != (e)) { ret = EINVAL; goto out; } } while(0)
+
+/**
+ * heim_ntlm_free_buf frees the ntlm buffer
+ *
+ * @param p buffer to be freed
+ *
+ * @ingroup ntlm_core
+ */
+
+void
+heim_ntlm_free_buf(struct ntlm_buf *p)
+{
+    if (p->data)
+	free(p->data);
+    p->data = NULL;
+    p->length = 0;
+}
+    
+
+static int
+ascii2ucs2le(const char *string, int up, struct ntlm_buf *buf)
+{
+    unsigned char *p;
+    size_t len, i;
+
+    len = strlen(string);
+    if (len / 2 > UINT_MAX)
+	return ERANGE;
+
+    buf->length = len * 2;
+    buf->data = malloc(buf->length);
+    if (buf->data == NULL && len != 0) {
+	heim_ntlm_free_buf(buf);
+	return ENOMEM;
+    }
+
+    p = buf->data;
+    for (i = 0; i < len; i++) {
+	unsigned char t = (unsigned char)string[i];
+	if (t & 0x80) {
+	    heim_ntlm_free_buf(buf);
+	    return EINVAL;
+	}
+	if (up)
+	    t = toupper(t);
+	p[(i * 2) + 0] = t;
+	p[(i * 2) + 1] = 0;
+    }
+    return 0;
+}
+
+/*
+ *
+ */
+
+static krb5_error_code
+ret_sec_buffer(krb5_storage *sp, struct sec_buffer *buf)
+{
+    krb5_error_code ret;
+    CHECK(krb5_ret_uint16(sp, &buf->length), 0);
+    CHECK(krb5_ret_uint16(sp, &buf->allocated), 0);
+    CHECK(krb5_ret_uint32(sp, &buf->offset), 0);
+out:
+    return ret;
+}
+
+static krb5_error_code
+store_sec_buffer(krb5_storage *sp, const struct sec_buffer *buf)
+{
+    krb5_error_code ret;
+    CHECK(krb5_store_uint16(sp, buf->length), 0);
+    CHECK(krb5_store_uint16(sp, buf->allocated), 0);
+    CHECK(krb5_store_uint32(sp, buf->offset), 0);
+out:
+    return ret;
+}
+
+/*
+ * Strings are either OEM or UNICODE. The later is encoded as ucs2 on
+ * wire, but using utf8 in memory.
+ */
+
+static krb5_error_code
+len_string(int ucs2, const char *s)
+{
+    size_t len = strlen(s);
+    if (ucs2)
+	len *= 2;
+    return len;
+}
+
+static krb5_error_code
+ret_string(krb5_storage *sp, int ucs2, struct sec_buffer *desc, char **s)
+{
+    krb5_error_code ret;
+
+    *s = malloc(desc->length + 1);
+    CHECK(krb5_storage_seek(sp, desc->offset, SEEK_SET), desc->offset);
+    CHECK(krb5_storage_read(sp, *s, desc->length), desc->length);
+    (*s)[desc->length] = '\0';
+
+    if (ucs2) {
+	size_t i;
+	for (i = 0; i < desc->length / 2; i++) {
+	    (*s)[i] = (*s)[i * 2];
+	    if ((*s)[i * 2 + 1]) {
+		free(*s);
+		*s = NULL;
+		return EINVAL;
+	    }
+	}
+	(*s)[i] = '\0';
+    }
+    ret = 0;
+out:
+    return ret;
+
+    return 0;
+}
+
+static krb5_error_code
+put_string(krb5_storage *sp, int ucs2, const char *s)
+{
+    krb5_error_code ret;
+    struct ntlm_buf buf;
+
+    if (ucs2) {
+	ret = ascii2ucs2le(s, 0, &buf);
+	if (ret)
+	    return ret;
+    } else {
+	buf.data = rk_UNCONST(s);
+	buf.length = strlen(s);
+    }
+
+    CHECK(krb5_storage_write(sp, buf.data, buf.length), buf.length);
+    if (ucs2)
+	heim_ntlm_free_buf(&buf);
+    ret = 0;
+out:
+    return ret;
+}
+
+/*
+ *
+ */
+
+static krb5_error_code
+ret_buf(krb5_storage *sp, struct sec_buffer *desc, struct ntlm_buf *buf)
+{
+    krb5_error_code ret;
+
+    buf->data = malloc(desc->length);
+    buf->length = desc->length;
+    CHECK(krb5_storage_seek(sp, desc->offset, SEEK_SET), desc->offset);
+    CHECK(krb5_storage_read(sp, buf->data, buf->length), buf->length);
+    ret = 0;
+out:
+    return ret;
+}
+
+static krb5_error_code
+put_buf(krb5_storage *sp, const struct ntlm_buf *buf)
+{
+    krb5_error_code ret;
+    CHECK(krb5_storage_write(sp, buf->data, buf->length), buf->length);
+    ret = 0;
+out:
+    return ret;
+}
+
+/**
+ * Frees the ntlm_targetinfo message
+ *
+ * @param ti targetinfo to be freed
+ *
+ * @ingroup ntlm_core
+ */
+
+void
+heim_ntlm_free_targetinfo(struct ntlm_targetinfo *ti)
+{
+    free(ti->servername);
+    free(ti->domainname);
+    free(ti->dnsdomainname);
+    free(ti->dnsservername);
+    memset(ti, 0, sizeof(*ti));
+}
+
+static int
+encode_ti_blob(krb5_storage *out, uint16_t type, int ucs2, char *s)
+{
+    krb5_error_code ret;
+    CHECK(krb5_store_uint16(out, type), 0);
+    CHECK(krb5_store_uint16(out, len_string(ucs2, s)), 0);
+    CHECK(put_string(out, ucs2, s), 0);
+out:
+    return ret;
+}
+
+/**
+ * Encodes a ntlm_targetinfo message.
+ *
+ * @param ti the ntlm_targetinfo message to encode.
+ * @param ucs2 if the strings should be encoded with ucs2 (selected by flag in message).
+ * @param data is the return buffer with the encoded message, should be
+ * freed with heim_ntlm_free_buf().
+ *
+ * @return In case of success 0 is return, an errors, a errno in what
+ * went wrong.
+ *
+ * @ingroup ntlm_core
+ */
+
+int
+heim_ntlm_encode_targetinfo(const struct ntlm_targetinfo *ti,
+			    int ucs2, 
+			    struct ntlm_buf *data)
+{
+    krb5_error_code ret;
+    krb5_storage *out;
+
+    data->data = NULL;
+    data->length = 0;
+
+    out = krb5_storage_emem();
+    if (out == NULL)
+	return ENOMEM;
+
+    if (ti->servername)
+	CHECK(encode_ti_blob(out, 1, ucs2, ti->servername), 0);
+    if (ti->domainname)
+	CHECK(encode_ti_blob(out, 2, ucs2, ti->domainname), 0);
+    if (ti->dnsservername)
+	CHECK(encode_ti_blob(out, 3, ucs2, ti->dnsservername), 0);
+    if (ti->dnsdomainname)
+	CHECK(encode_ti_blob(out, 4, ucs2, ti->dnsdomainname), 0);
+
+    /* end tag */
+    CHECK(krb5_store_int16(out, 0), 0);
+    CHECK(krb5_store_int16(out, 0), 0);
+
+    {
+	krb5_data d;
+	ret = krb5_storage_to_data(out, &d);
+	data->data = d.data;
+	data->length = d.length;
+    }
+out:
+    krb5_storage_free(out);
+    return ret;
+}
+
+/**
+ * Decodes an NTLM targetinfo message
+ *
+ * @param data input data buffer with the encode NTLM targetinfo message
+ * @param ucs2 if the strings should be encoded with ucs2 (selected by flag in message).
+ * @param ti the decoded target info, should be freed with heim_ntlm_free_targetinfo().
+ *
+ * @return In case of success 0 is return, an errors, a errno in what
+ * went wrong.
+ *
+ * @ingroup ntlm_core
+ */
+
+int
+heim_ntlm_decode_targetinfo(const struct ntlm_buf *data,
+			    int ucs2,
+			    struct ntlm_targetinfo *ti)
+{
+    memset(ti, 0, sizeof(*ti));
+    return 0;
+}
+
+/**
+ * Frees the ntlm_type1 message
+ *
+ * @param data message to be freed
+ *
+ * @ingroup ntlm_core
+ */
+
+void
+heim_ntlm_free_type1(struct ntlm_type1 *data)
+{
+    if (data->domain)
+	free(data->domain);
+    if (data->hostname)
+	free(data->hostname);
+    memset(data, 0, sizeof(*data));
+}
+
+int
+heim_ntlm_decode_type1(const struct ntlm_buf *buf, struct ntlm_type1 *data)
+{
+    krb5_error_code ret;
+    unsigned char sig[8];
+    uint32_t type;
+    struct sec_buffer domain, hostname;
+    krb5_storage *in;
+    
+    memset(data, 0, sizeof(*data));
+
+    in = krb5_storage_from_readonly_mem(buf->data, buf->length);
+    if (in == NULL) {
+	ret = EINVAL;
+	goto out;
+    }
+    krb5_storage_set_byteorder(in, KRB5_STORAGE_BYTEORDER_LE);
+
+    CHECK(krb5_storage_read(in, sig, sizeof(sig)), sizeof(sig));
+    CHECK(memcmp(ntlmsigature, sig, sizeof(ntlmsigature)), 0);
+    CHECK(krb5_ret_uint32(in, &type), 0);
+    CHECK(type, 1);
+    CHECK(krb5_ret_uint32(in, &data->flags), 0);
+    if (data->flags & NTLM_SUPPLIED_DOMAIN)
+	CHECK(ret_sec_buffer(in, &domain), 0);
+    if (data->flags & NTLM_SUPPLIED_WORKSTAION)
+	CHECK(ret_sec_buffer(in, &hostname), 0);
+#if 0
+    if (domain.offset > 32) {
+	CHECK(krb5_ret_uint32(in, &data->os[0]), 0);
+	CHECK(krb5_ret_uint32(in, &data->os[1]), 0);
+    }
+#endif
+    if (data->flags & NTLM_SUPPLIED_DOMAIN)
+	CHECK(ret_string(in, 0, &domain, &data->domain), 0);
+    if (data->flags & NTLM_SUPPLIED_WORKSTAION)
+	CHECK(ret_string(in, 0, &hostname, &data->hostname), 0);
+
+out:
+    krb5_storage_free(in);
+    if (ret)
+	heim_ntlm_free_type1(data);
+
+    return ret;
+}
+
+/**
+ * Encodes an ntlm_type1 message.
+ *
+ * @param type1 the ntlm_type1 message to encode.
+ * @param data is the return buffer with the encoded message, should be
+ * freed with heim_ntlm_free_buf().
+ *
+ * @return In case of success 0 is return, an errors, a errno in what
+ * went wrong.
+ *
+ * @ingroup ntlm_core
+ */
+
+int
+heim_ntlm_encode_type1(const struct ntlm_type1 *type1, struct ntlm_buf *data)
+{
+    krb5_error_code ret;
+    struct sec_buffer domain, hostname;
+    krb5_storage *out;
+    uint32_t base, flags;
+    
+    flags = type1->flags;
+    base = 16;
+
+    if (type1->domain) {
+	base += 8;
+	flags |= NTLM_SUPPLIED_DOMAIN;
+    }
+    if (type1->hostname) {
+	base += 8;
+	flags |= NTLM_SUPPLIED_WORKSTAION;
+    }
+    if (type1->os[0])
+	base += 8;
+
+    if (type1->domain) {
+	domain.offset = base;
+	domain.length = len_string(0, type1->domain);
+	domain.allocated = domain.length;
+    }
+    if (type1->hostname) {
+	hostname.offset = domain.allocated + domain.offset;
+	hostname.length = len_string(0, type1->hostname);
+	hostname.allocated = hostname.length;
+    }
+
+    out = krb5_storage_emem();
+    if (out == NULL)
+	return ENOMEM;
+
+    krb5_storage_set_byteorder(out, KRB5_STORAGE_BYTEORDER_LE);
+    CHECK(krb5_storage_write(out, ntlmsigature, sizeof(ntlmsigature)), 
+	  sizeof(ntlmsigature));
+    CHECK(krb5_store_uint32(out, 1), 0);
+    CHECK(krb5_store_uint32(out, flags), 0);
+    
+    if (type1->domain)
+	CHECK(store_sec_buffer(out, &domain), 0);
+    if (type1->hostname)
+	CHECK(store_sec_buffer(out, &hostname), 0);
+    if (type1->os[0]) {
+	CHECK(krb5_store_uint32(out, type1->os[0]), 0);
+	CHECK(krb5_store_uint32(out, type1->os[1]), 0);
+    }
+    if (type1->domain)
+	CHECK(put_string(out, 0, type1->domain), 0);
+    if (type1->hostname)
+	CHECK(put_string(out, 0, type1->hostname), 0);
+
+    {
+	krb5_data d;
+	ret = krb5_storage_to_data(out, &d);
+	data->data = d.data;
+	data->length = d.length;
+    }
+out:
+    krb5_storage_free(out);
+
+    return ret;
+}
+
+/**
+ * Frees the ntlm_type2 message
+ *
+ * @param data message to be freed
+ *
+ * @ingroup ntlm_core
+ */
+
+void
+heim_ntlm_free_type2(struct ntlm_type2 *data)
+{
+    if (data->targetname)
+	free(data->targetname);
+    heim_ntlm_free_buf(&data->targetinfo);
+    memset(data, 0, sizeof(*data));
+}
+
+int
+heim_ntlm_decode_type2(const struct ntlm_buf *buf, struct ntlm_type2 *type2)
+{
+    krb5_error_code ret;
+    unsigned char sig[8];
+    uint32_t type, ctx[2];
+    struct sec_buffer targetname, targetinfo;
+    krb5_storage *in;
+    int ucs2 = 0;
+    
+    memset(type2, 0, sizeof(*type2));
+
+    in = krb5_storage_from_readonly_mem(buf->data, buf->length);
+    if (in == NULL) {
+	ret = EINVAL;
+	goto out;
+    }
+    krb5_storage_set_byteorder(in, KRB5_STORAGE_BYTEORDER_LE);
+
+    CHECK(krb5_storage_read(in, sig, sizeof(sig)), sizeof(sig));
+    CHECK(memcmp(ntlmsigature, sig, sizeof(ntlmsigature)), 0);
+    CHECK(krb5_ret_uint32(in, &type), 0);
+    CHECK(type, 2);
+
+    CHECK(ret_sec_buffer(in, &targetname), 0);
+    CHECK(krb5_ret_uint32(in, &type2->flags), 0);
+    if (type2->flags & NTLM_NEG_UNICODE)
+	ucs2 = 1;
+    CHECK(krb5_storage_read(in, type2->challange, sizeof(type2->challange)),
+	  sizeof(type2->challange));
+    CHECK(krb5_ret_uint32(in, &ctx[0]), 0); /* context */
+    CHECK(krb5_ret_uint32(in, &ctx[1]), 0);
+    CHECK(ret_sec_buffer(in, &targetinfo), 0);
+    /* os version */
+#if 0
+    CHECK(krb5_ret_uint32(in, &type2->os[0]), 0);
+    CHECK(krb5_ret_uint32(in, &type2->os[1]), 0);
+#endif
+
+    CHECK(ret_string(in, ucs2, &targetname, &type2->targetname), 0);
+    CHECK(ret_buf(in, &targetinfo, &type2->targetinfo), 0);
+    ret = 0;
+
+out:
+    krb5_storage_free(in);
+    if (ret)
+	heim_ntlm_free_type2(type2);
+
+    return ret;
+}
+
+/**
+ * Encodes an ntlm_type2 message.
+ *
+ * @param type2 the ntlm_type2 message to encode.
+ * @param data is the return buffer with the encoded message, should be
+ * freed with heim_ntlm_free_buf().
+ *
+ * @return In case of success 0 is return, an errors, a errno in what
+ * went wrong.
+ *
+ * @ingroup ntlm_core
+ */
+
+int
+heim_ntlm_encode_type2(const struct ntlm_type2 *type2, struct ntlm_buf *data)
+{
+    struct sec_buffer targetname, targetinfo;
+    krb5_error_code ret;
+    krb5_storage *out = NULL;
+    uint32_t base;
+    int ucs2 = 0;
+
+    if (type2->os[0])
+	base = 56;
+    else
+	base = 48;
+
+    if (type2->flags & NTLM_NEG_UNICODE)
+	ucs2 = 1;
+
+    targetname.offset = base;
+    targetname.length = len_string(ucs2, type2->targetname);
+    targetname.allocated = targetname.length;
+
+    targetinfo.offset = targetname.allocated + targetname.offset;
+    targetinfo.length = type2->targetinfo.length;
+    targetinfo.allocated = type2->targetinfo.length;
+
+    out = krb5_storage_emem();
+    if (out == NULL)
+	return ENOMEM;
+
+    krb5_storage_set_byteorder(out, KRB5_STORAGE_BYTEORDER_LE);
+    CHECK(krb5_storage_write(out, ntlmsigature, sizeof(ntlmsigature)), 
+	  sizeof(ntlmsigature));
+    CHECK(krb5_store_uint32(out, 2), 0);
+    CHECK(store_sec_buffer(out, &targetname), 0);
+    CHECK(krb5_store_uint32(out, type2->flags), 0);
+    CHECK(krb5_storage_write(out, type2->challange, sizeof(type2->challange)),
+	  sizeof(type2->challange));
+    CHECK(krb5_store_uint32(out, 0), 0); /* context */
+    CHECK(krb5_store_uint32(out, 0), 0);
+    CHECK(store_sec_buffer(out, &targetinfo), 0);
+    /* os version */
+    if (type2->os[0]) {
+	CHECK(krb5_store_uint32(out, type2->os[0]), 0);
+	CHECK(krb5_store_uint32(out, type2->os[1]), 0);
+    }
+    CHECK(put_string(out, ucs2, type2->targetname), 0);
+    CHECK(krb5_storage_write(out, type2->targetinfo.data, 
+			     type2->targetinfo.length),
+	  type2->targetinfo.length);
+    
+    {
+	krb5_data d;
+	ret = krb5_storage_to_data(out, &d);
+	data->data = d.data;
+	data->length = d.length;
+    }
+
+out:
+    krb5_storage_free(out);
+
+    return ret;
+}
+
+/**
+ * Frees the ntlm_type3 message
+ *
+ * @param data message to be freed
+ *
+ * @ingroup ntlm_core
+ */
+
+void
+heim_ntlm_free_type3(struct ntlm_type3 *data)
+{
+    heim_ntlm_free_buf(&data->lm);
+    heim_ntlm_free_buf(&data->ntlm);
+    if (data->targetname)
+	free(data->targetname);
+    if (data->username)
+	free(data->username);
+    if (data->ws)
+	free(data->ws);
+    heim_ntlm_free_buf(&data->sessionkey);
+    memset(data, 0, sizeof(*data));
+}
+
+/*
+ *
+ */
+
+int
+heim_ntlm_decode_type3(const struct ntlm_buf *buf,
+		       int ucs2,
+		       struct ntlm_type3 *type3)
+{
+    krb5_error_code ret;
+    unsigned char sig[8];
+    uint32_t type;
+    krb5_storage *in;
+    struct sec_buffer lm, ntlm, target, username, sessionkey, ws;
+
+    memset(type3, 0, sizeof(*type3));
+    memset(&sessionkey, 0, sizeof(sessionkey));
+
+    in = krb5_storage_from_readonly_mem(buf->data, buf->length);
+    if (in == NULL) {
+	ret = EINVAL;
+	goto out;
+    }
+    krb5_storage_set_byteorder(in, KRB5_STORAGE_BYTEORDER_LE);
+
+    CHECK(krb5_storage_read(in, sig, sizeof(sig)), sizeof(sig));
+    CHECK(memcmp(ntlmsigature, sig, sizeof(ntlmsigature)), 0);
+    CHECK(krb5_ret_uint32(in, &type), 0);
+    CHECK(type, 3);
+    CHECK(ret_sec_buffer(in, &lm), 0);
+    CHECK(ret_sec_buffer(in, &ntlm), 0);
+    CHECK(ret_sec_buffer(in, &target), 0);
+    CHECK(ret_sec_buffer(in, &username), 0);
+    CHECK(ret_sec_buffer(in, &ws), 0);
+    if (lm.offset >= 60) {
+	CHECK(ret_sec_buffer(in, &sessionkey), 0);
+    }
+    if (lm.offset >= 64) {
+	CHECK(krb5_ret_uint32(in, &type3->flags), 0);
+    }
+    if (lm.offset >= 72) {
+	CHECK(krb5_ret_uint32(in, &type3->os[0]), 0);
+	CHECK(krb5_ret_uint32(in, &type3->os[1]), 0);
+    }
+    CHECK(ret_buf(in, &lm, &type3->lm), 0);
+    CHECK(ret_buf(in, &ntlm, &type3->ntlm), 0);
+    CHECK(ret_string(in, ucs2, &target, &type3->targetname), 0);
+    CHECK(ret_string(in, ucs2, &username, &type3->username), 0);
+    CHECK(ret_string(in, ucs2, &ws, &type3->ws), 0);
+    if (sessionkey.offset)
+	CHECK(ret_buf(in, &sessionkey, &type3->sessionkey), 0);
+
+out:
+    krb5_storage_free(in);
+    if (ret)
+	heim_ntlm_free_type3(type3);
+
+    return ret;
+}
+
+/**
+ * Encodes an ntlm_type3 message.
+ *
+ * @param type3 the ntlm_type3 message to encode.
+ * @param data is the return buffer with the encoded message, should be
+ * freed with heim_ntlm_free_buf().
+ *
+ * @return In case of success 0 is return, an errors, a errno in what
+ * went wrong.
+ *
+ * @ingroup ntlm_core
+ */
+
+int
+heim_ntlm_encode_type3(const struct ntlm_type3 *type3, struct ntlm_buf *data)
+{
+    struct sec_buffer lm, ntlm, target, username, sessionkey, ws;
+    krb5_error_code ret;
+    krb5_storage *out = NULL;
+    uint32_t base;
+    int ucs2 = 0;
+
+    memset(&lm, 0, sizeof(lm));
+    memset(&ntlm, 0, sizeof(ntlm));
+    memset(&target, 0, sizeof(target));
+    memset(&username, 0, sizeof(username));
+    memset(&ws, 0, sizeof(ws));
+    memset(&sessionkey, 0, sizeof(sessionkey));
+
+    base = 52;
+    if (type3->sessionkey.length) {
+	base += 8; /* sessionkey sec buf */
+	base += 4; /* flags */
+    }
+    if (type3->os[0]) {
+	base += 8;
+    }
+
+    if (type3->flags & NTLM_NEG_UNICODE)
+	ucs2 = 1;
+
+    lm.offset = base;
+    lm.length = type3->lm.length;
+    lm.allocated = type3->lm.length;
+
+    ntlm.offset = lm.offset + lm.allocated;
+    ntlm.length = type3->ntlm.length;
+    ntlm.allocated = ntlm.length;
+
+    target.offset = ntlm.offset + ntlm.allocated;
+    target.length = len_string(ucs2, type3->targetname);
+    target.allocated = target.length;
+
+    username.offset = target.offset + target.allocated;
+    username.length = len_string(ucs2, type3->username);
+    username.allocated = username.length;
+
+    ws.offset = username.offset + username.allocated;
+    ws.length = len_string(ucs2, type3->ws);
+    ws.allocated = ws.length;
+
+    sessionkey.offset = ws.offset + ws.allocated;
+    sessionkey.length = type3->sessionkey.length;
+    sessionkey.allocated = type3->sessionkey.length;
+
+    out = krb5_storage_emem();
+    if (out == NULL)
+	return ENOMEM;
+
+    krb5_storage_set_byteorder(out, KRB5_STORAGE_BYTEORDER_LE);
+    CHECK(krb5_storage_write(out, ntlmsigature, sizeof(ntlmsigature)), 
+	  sizeof(ntlmsigature));
+    CHECK(krb5_store_uint32(out, 3), 0);
+
+    CHECK(store_sec_buffer(out, &lm), 0);
+    CHECK(store_sec_buffer(out, &ntlm), 0);
+    CHECK(store_sec_buffer(out, &target), 0);
+    CHECK(store_sec_buffer(out, &username), 0);
+    CHECK(store_sec_buffer(out, &ws), 0);
+    /* optional */
+    if (type3->sessionkey.length) {
+	CHECK(store_sec_buffer(out, &sessionkey), 0);
+	CHECK(krb5_store_uint32(out, type3->flags), 0);
+    }
+#if 0
+    CHECK(krb5_store_uint32(out, 0), 0); /* os0 */
+    CHECK(krb5_store_uint32(out, 0), 0); /* os1 */
+#endif
+
+    CHECK(put_buf(out, &type3->lm), 0);
+    CHECK(put_buf(out, &type3->ntlm), 0);
+    CHECK(put_string(out, ucs2, type3->targetname), 0);
+    CHECK(put_string(out, ucs2, type3->username), 0);
+    CHECK(put_string(out, ucs2, type3->ws), 0);
+    CHECK(put_buf(out, &type3->sessionkey), 0);
+    
+    {
+	krb5_data d;
+	ret = krb5_storage_to_data(out, &d);
+	data->data = d.data;
+	data->length = d.length;
+    }
+
+out:
+    krb5_storage_free(out);
+
+    return ret;
+}
+
+
+/*
+ *
+ */
+
+static void
+splitandenc(unsigned char *hash, 
+	    unsigned char *challange,
+	    unsigned char *answer)
+{
+    DES_cblock key;
+    DES_key_schedule sched;
+
+    ((unsigned char*)key)[0] =  hash[0];
+    ((unsigned char*)key)[1] = (hash[0] << 7) | (hash[1] >> 1);
+    ((unsigned char*)key)[2] = (hash[1] << 6) | (hash[2] >> 2);
+    ((unsigned char*)key)[3] = (hash[2] << 5) | (hash[3] >> 3);
+    ((unsigned char*)key)[4] = (hash[3] << 4) | (hash[4] >> 4);
+    ((unsigned char*)key)[5] = (hash[4] << 3) | (hash[5] >> 5);
+    ((unsigned char*)key)[6] = (hash[5] << 2) | (hash[6] >> 6);
+    ((unsigned char*)key)[7] = (hash[6] << 1);
+
+    DES_set_odd_parity(&key);
+    DES_set_key(&key, &sched);
+    DES_ecb_encrypt((DES_cblock *)challange, (DES_cblock *)answer, &sched, 1);
+    memset(&sched, 0, sizeof(sched));
+    memset(key, 0, sizeof(key));
+}
+
+/**
+ * Calculate the NTLM key, the password is assumed to be in UTF8.
+ *
+ * @param password password to calcute the key for.
+ * @param key calcuted key, should be freed with heim_ntlm_free_buf().
+ *
+ * @return In case of success 0 is return, an errors, a errno in what
+ * went wrong.
+ *
+ * @ingroup ntlm_core
+ */
+
+int
+heim_ntlm_nt_key(const char *password, struct ntlm_buf *key)
+{
+    struct ntlm_buf buf;
+    MD4_CTX ctx;
+    int ret;
+
+    key->data = malloc(MD5_DIGEST_LENGTH);
+    if (key->data == NULL)
+	return ENOMEM;
+    key->length = MD5_DIGEST_LENGTH;
+
+    ret = ascii2ucs2le(password, 0, &buf);
+    if (ret) {
+	heim_ntlm_free_buf(key);
+	return ret;
+    }
+    MD4_Init(&ctx);
+    MD4_Update(&ctx, buf.data, buf.length);
+    MD4_Final(key->data, &ctx);
+    heim_ntlm_free_buf(&buf);
+    return 0;
+}
+
+/**
+ * Calculate NTLMv1 response hash
+ *
+ * @param key the ntlm v1 key
+ * @param len length of key
+ * @param challange sent by the server
+ * @param answer calculated answer, should be freed with heim_ntlm_free_buf().
+ *
+ * @return In case of success 0 is return, an errors, a errno in what
+ * went wrong.
+ *
+ * @ingroup ntlm_core
+ */
+
+int
+heim_ntlm_calculate_ntlm1(void *key, size_t len,
+			  unsigned char challange[8],
+			  struct ntlm_buf *answer)
+{
+    unsigned char res[21];
+
+    if (len != MD4_DIGEST_LENGTH)
+	return EINVAL;
+
+    memcpy(res, key, len);
+    memset(&res[MD4_DIGEST_LENGTH], 0, sizeof(res) - MD4_DIGEST_LENGTH);
+
+    answer->data = malloc(24);
+    if (answer->data == NULL)
+	return ENOMEM;
+    answer->length = 24;
+
+    splitandenc(&res[0],  challange, ((unsigned char *)answer->data) + 0);
+    splitandenc(&res[7],  challange, ((unsigned char *)answer->data) + 8);
+    splitandenc(&res[14], challange, ((unsigned char *)answer->data) + 16);
+
+    return 0;
+}
+
+/**
+ * Generates an NTLMv1 session random with assosited session master key.
+ *
+ * @param key the ntlm v1 key
+ * @param len length of key
+ * @param session generated session nonce, should be freed with heim_ntlm_free_buf().
+ * @param master calculated session master key, should be freed with heim_ntlm_free_buf().
+ *
+ * @return In case of success 0 is return, an errors, a errno in what
+ * went wrong.
+ *
+ * @ingroup ntlm_core
+ */
+
+int
+heim_ntlm_build_ntlm1_master(void *key, size_t len,
+			     struct ntlm_buf *session,
+			     struct ntlm_buf *master)
+{
+    RC4_KEY rc4;
+
+    memset(master, 0, sizeof(*master));
+    memset(session, 0, sizeof(*session));
+
+    if (len != MD4_DIGEST_LENGTH)
+	return EINVAL;
+    
+    session->length = MD4_DIGEST_LENGTH;
+    session->data = malloc(session->length);
+    if (session->data == NULL) {
+	session->length = 0;
+	return EINVAL;
+    }    
+    master->length = MD4_DIGEST_LENGTH;
+    master->data = malloc(master->length);
+    if (master->data == NULL) {
+	heim_ntlm_free_buf(master);
+	heim_ntlm_free_buf(session);
+	return EINVAL;
+    }
+    
+    {
+	unsigned char sessionkey[MD4_DIGEST_LENGTH];
+	MD4_CTX ctx;
+    
+	MD4_Init(&ctx);
+	MD4_Update(&ctx, key, len);
+	MD4_Final(sessionkey, &ctx);
+	
+	RC4_set_key(&rc4, sizeof(sessionkey), sessionkey);
+    }
+    
+    if (RAND_bytes(session->data, session->length) != 1) {
+	heim_ntlm_free_buf(master);
+	heim_ntlm_free_buf(session);
+	return EINVAL;
+    }
+    
+    RC4(&rc4, master->length, session->data, master->data);
+    memset(&rc4, 0, sizeof(rc4));
+    
+    return 0;
+}
+
+/**
+ * Generates an NTLMv2 session key.
+ *
+ * @param key the ntlm key
+ * @param len length of key
+ * @param username name of the user, as sent in the message, assumed to be in UTF8.
+ * @param target the name of the target, assumed to be in UTF8.
+ * @param ntlmv2 the ntlmv2 session key
+ *
+ * @ingroup ntlm_core
+ */
+
+void
+heim_ntlm_ntlmv2_key(const void *key, size_t len,
+		     const char *username,
+		     const char *target,
+		     unsigned char ntlmv2[16])
+{
+    unsigned int hmaclen;
+    HMAC_CTX c;
+
+    HMAC_CTX_init(&c);
+    HMAC_Init_ex(&c, key, len, EVP_md5(), NULL);
+    {
+	struct ntlm_buf buf;
+	/* uppercase username and turn it inte ucs2-le */
+	ascii2ucs2le(username, 1, &buf);
+	HMAC_Update(&c, buf.data, buf.length);
+	free(buf.data);
+	/* uppercase target and turn into ucs2-le */
+	ascii2ucs2le(target, 1, &buf);
+	HMAC_Update(&c, buf.data, buf.length);
+	free(buf.data);
+    }
+    HMAC_Final(&c, ntlmv2, &hmaclen);
+    HMAC_CTX_cleanup(&c);
+
+}
+
+/*
+ *
+ */
+
+#define NTTIME_EPOCH 0x019DB1DED53E8000LL
+
+static uint64_t
+unix2nttime(time_t unix_time)
+{
+    long long wt;
+    wt = unix_time * (uint64_t)10000000 + (uint64_t)NTTIME_EPOCH;
+    return wt;
+}
+
+static time_t
+nt2unixtime(uint64_t t)
+{
+    t = ((t - (uint64_t)NTTIME_EPOCH) / (uint64_t)10000000);
+    if (t > (((time_t)(~(uint64_t)0)) >> 1))
+	return 0;
+    return (time_t)t;
+}
+
+
+/**
+ * Calculate NTLMv2 response
+ *
+ * @param key the ntlm key
+ * @param len length of key
+ * @param username name of the user, as sent in the message, assumed to be in UTF8.
+ * @param target the name of the target, assumed to be in UTF8.
+ * @param serverchallange challange as sent by the server in the type2 message.
+ * @param infotarget infotarget as sent by the server in the type2 message.
+ * @param ntlmv2 calculated session key
+ * @param answer ntlm response answer, should be freed with heim_ntlm_free_buf().
+ *
+ * @return In case of success 0 is return, an errors, a errno in what
+ * went wrong.
+ *
+ * @ingroup ntlm_core
+ */
+
+int
+heim_ntlm_calculate_ntlm2(const void *key, size_t len,
+			  const char *username,
+			  const char *target,
+			  const unsigned char serverchallange[8],
+			  const struct ntlm_buf *infotarget,
+			  unsigned char ntlmv2[16],
+			  struct ntlm_buf *answer)
+{
+    krb5_error_code ret;
+    krb5_data data;
+    unsigned int hmaclen;
+    unsigned char ntlmv2answer[16];
+    krb5_storage *sp;
+    unsigned char clientchallange[8];
+    HMAC_CTX c;
+    uint64_t t;
+    
+    t = unix2nttime(time(NULL));
+
+    if (RAND_bytes(clientchallange, sizeof(clientchallange)) != 1)
+	return EINVAL;
+    
+    /* calculate ntlmv2 key */
+
+    heim_ntlm_ntlmv2_key(key, len, username, target, ntlmv2);
+
+    /* calculate and build ntlmv2 answer */
+
+    sp = krb5_storage_emem();
+    if (sp == NULL)
+	return ENOMEM;
+    krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+
+    CHECK(krb5_store_uint32(sp, 0x00000101), 0);
+    CHECK(krb5_store_uint32(sp, 0), 0);
+    /* timestamp le 64 bit ts */
+    CHECK(krb5_store_uint32(sp, t & 0xffffffff), 0);
+    CHECK(krb5_store_uint32(sp, t >> 32), 0);
+
+    CHECK(krb5_storage_write(sp, clientchallange, 8), 8);
+
+    CHECK(krb5_store_uint32(sp, 0), 0);  /* unknown but zero will work */
+    CHECK(krb5_storage_write(sp, infotarget->data, infotarget->length), 
+	  infotarget->length);
+    CHECK(krb5_store_uint32(sp, 0), 0); /* unknown but zero will work */
+    
+    CHECK(krb5_storage_to_data(sp, &data), 0);
+    krb5_storage_free(sp);
+    sp = NULL;
+
+    HMAC_CTX_init(&c);
+    HMAC_Init_ex(&c, ntlmv2, 16, EVP_md5(), NULL);
+    HMAC_Update(&c, serverchallange, 8);
+    HMAC_Update(&c, data.data, data.length);
+    HMAC_Final(&c, ntlmv2answer, &hmaclen);
+    HMAC_CTX_cleanup(&c);
+
+    sp = krb5_storage_emem();
+    if (sp == NULL) {
+	krb5_data_free(&data);
+	return ENOMEM;
+    }
+
+    CHECK(krb5_storage_write(sp, ntlmv2answer, 16), 16);
+    CHECK(krb5_storage_write(sp, data.data, data.length), data.length);
+    krb5_data_free(&data);
+    
+    CHECK(krb5_storage_to_data(sp, &data), 0);
+    krb5_storage_free(sp);
+    sp = NULL;
+
+    answer->data = data.data;
+    answer->length = data.length;
+
+    return 0;
+out:
+    if (sp)
+	krb5_storage_free(sp);
+    return ret;
+}
+
+static const int authtimediff = 3600 * 2; /* 2 hours */
+
+/**
+ * Verify NTLMv2 response.
+ *
+ * @param key the ntlm key
+ * @param len length of key
+ * @param username name of the user, as sent in the message, assumed to be in UTF8.
+ * @param target the name of the target, assumed to be in UTF8.
+ * @param now the time now (0 if the library should pick it up itself)
+ * @param serverchallange challange as sent by the server in the type2 message.
+ * @param answer ntlm response answer, should be freed with heim_ntlm_free_buf().
+ * @param infotarget infotarget as sent by the server in the type2 message.
+ * @param ntlmv2 calculated session key
+ *
+ * @return In case of success 0 is return, an errors, a errno in what
+ * went wrong.
+ *
+ * @ingroup ntlm_core
+ */
+
+int
+heim_ntlm_verify_ntlm2(const void *key, size_t len,
+		       const char *username,
+		       const char *target,
+		       time_t now,
+		       const unsigned char serverchallange[8],
+		       const struct ntlm_buf *answer,
+		       struct ntlm_buf *infotarget,
+		       unsigned char ntlmv2[16])
+{
+    krb5_error_code ret;
+    unsigned int hmaclen;
+    unsigned char clientanswer[16];
+    unsigned char clientnonce[8];
+    unsigned char serveranswer[16];
+    krb5_storage *sp;
+    HMAC_CTX c;
+    uint64_t t;
+    time_t authtime;
+    uint32_t temp;
+
+    infotarget->length = 0;    
+    infotarget->data = NULL;    
+
+    if (answer->length < 16)
+	return EINVAL;
+
+    if (now == 0)
+	now = time(NULL);
+
+    /* calculate ntlmv2 key */
+
+    heim_ntlm_ntlmv2_key(key, len, username, target, ntlmv2);
+
+    /* calculate and build ntlmv2 answer */
+
+    sp = krb5_storage_from_readonly_mem(answer->data, answer->length);
+    if (sp == NULL)
+	return ENOMEM;
+    krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+
+    CHECK(krb5_storage_read(sp, clientanswer, 16), 16);
+
+    CHECK(krb5_ret_uint32(sp, &temp), 0);
+    CHECK(temp, 0x00000101);
+    CHECK(krb5_ret_uint32(sp, &temp), 0);
+    CHECK(temp, 0);
+    /* timestamp le 64 bit ts */
+    CHECK(krb5_ret_uint32(sp, &temp), 0);
+    t = temp;
+    CHECK(krb5_ret_uint32(sp, &temp), 0);
+    t |= ((uint64_t)temp)<< 32;
+
+    authtime = nt2unixtime(t);
+
+    if (abs((int)(authtime - now)) > authtimediff) {
+	ret = EINVAL;
+	goto out;
+    }
+
+    /* client challange */
+    CHECK(krb5_storage_read(sp, clientnonce, 8), 8);
+
+    CHECK(krb5_ret_uint32(sp, &temp), 0); /* unknown */
+
+    /* should really unparse the infotarget, but lets pick up everything */
+    infotarget->length = answer->length - krb5_storage_seek(sp, 0, SEEK_CUR);
+    infotarget->data = malloc(infotarget->length);
+    if (infotarget->data == NULL) {
+	ret = ENOMEM;
+	goto out;
+    }
+    CHECK(krb5_storage_read(sp, infotarget->data, infotarget->length), 
+	  infotarget->length);
+    /* XXX remove the unknown ?? */
+    krb5_storage_free(sp);
+    sp = NULL;
+
+    HMAC_CTX_init(&c);
+    HMAC_Init_ex(&c, ntlmv2, 16, EVP_md5(), NULL);
+    HMAC_Update(&c, serverchallange, 8);
+    HMAC_Update(&c, ((unsigned char *)answer->data) + 16, answer->length - 16);
+    HMAC_Final(&c, serveranswer, &hmaclen);
+    HMAC_CTX_cleanup(&c);
+
+    if (memcmp(serveranswer, clientanswer, 16) != 0) {
+	heim_ntlm_free_buf(infotarget);
+	return EINVAL;
+    }
+
+    return 0;
+out:
+    heim_ntlm_free_buf(infotarget);
+    if (sp)
+	krb5_storage_free(sp);
+    return ret;
+}
+
+
+/*
+ * Calculate the NTLM2 Session Response
+ *
+ * @param clnt_nonce client nonce
+ * @param svr_chal server challage
+ * @param ntlm2_hash ntlm hash
+ * @param lm The LM response, should be freed with heim_ntlm_free_buf().
+ * @param ntlm The NTLM response, should be freed with heim_ntlm_free_buf().
+ *
+ * @return In case of success 0 is return, an errors, a errno in what
+ * went wrong.
+ *
+ * @ingroup ntlm_core
+ */
+
+int
+heim_ntlm_calculate_ntlm2_sess(const unsigned char clnt_nonce[8],
+			       const unsigned char svr_chal[8],
+			       const unsigned char ntlm_hash[16],
+			       struct ntlm_buf *lm,
+			       struct ntlm_buf *ntlm)
+{
+    unsigned char ntlm2_sess_hash[MD5_DIGEST_LENGTH];
+    unsigned char res[21], *resp;
+    MD5_CTX md5;
+
+    lm->data = malloc(24);
+    if (lm->data == NULL)
+	return ENOMEM;
+    lm->length = 24;
+
+    ntlm->data = malloc(24);
+    if (ntlm->data == NULL) {
+	free(lm->data);
+	lm->data = NULL;
+	return ENOMEM;
+    }
+    ntlm->length = 24;
+
+    /* first setup the lm resp */
+    memset(lm->data, 0, 24);
+    memcpy(lm->data, clnt_nonce, 8);
+
+    MD5_Init(&md5);
+    MD5_Update(&md5, svr_chal, 8); /* session nonce part 1 */
+    MD5_Update(&md5, clnt_nonce, 8); /* session nonce part 2 */
+    MD5_Final(ntlm2_sess_hash, &md5); /* will only use first 8 bytes */
+
+    memset(res, 0, sizeof(res));
+    memcpy(res, ntlm_hash, 16);
+
+    resp = ntlm->data;
+    splitandenc(&res[0], ntlm2_sess_hash, resp + 0);
+    splitandenc(&res[7], ntlm2_sess_hash, resp + 8);
+    splitandenc(&res[14], ntlm2_sess_hash, resp + 16);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/ntlm/test_ntlm.c b/crypto/heimdal/lib/ntlm/test_ntlm.c
new file mode 100644
index 0000000..11eceb0
--- /dev/null
+++ b/crypto/heimdal/lib/ntlm/test_ntlm.c
@@ -0,0 +1,339 @@
+/*
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <err.h>
+#include <roken.h>
+#include <getarg.h>
+
+RCSID("$Id: test_ntlm.c 22377 2007-12-28 18:38:53Z lha $");
+
+#include <krb5.h>
+#include <heimntlm.h>
+
+static int
+test_parse(void)
+{
+    const char *user = "foo", 
+	*domain = "mydomain",
+	*password = "digestpassword",
+	*target = "DOMAIN";
+    struct ntlm_type1 type1;
+    struct ntlm_type2 type2;
+    struct ntlm_type3 type3;
+    struct ntlm_buf data;
+    krb5_error_code ret;
+    int flags;
+    
+    memset(&type1, 0, sizeof(type1));
+
+    type1.flags = NTLM_NEG_UNICODE|NTLM_NEG_TARGET|NTLM_NEG_NTLM;
+    type1.domain = rk_UNCONST(domain);
+    type1.hostname = NULL;
+    type1.os[0] = 0;
+    type1.os[1] = 0;
+
+    ret = heim_ntlm_encode_type1(&type1, &data);
+    if (ret)
+	errx(1, "heim_ntlm_encode_type1");
+
+    memset(&type1, 0, sizeof(type1));
+
+    ret = heim_ntlm_decode_type1(&data, &type1);
+    free(data.data);
+    if (ret)
+	errx(1, "heim_ntlm_encode_type1");
+
+    heim_ntlm_free_type1(&type1);
+
+    /*
+     *
+     */
+
+    memset(&type2, 0, sizeof(type2));
+
+    flags = NTLM_NEG_UNICODE | NTLM_NEG_NTLM | NTLM_TARGET_DOMAIN;
+    type2.flags = flags;
+
+    memset(type2.challange, 0x7f, sizeof(type2.challange));
+    type2.targetname = rk_UNCONST(target);
+    type2.targetinfo.data = NULL;
+    type2.targetinfo.length = 0;
+
+    ret = heim_ntlm_encode_type2(&type2, &data);
+    if (ret)
+	errx(1, "heim_ntlm_encode_type2");
+
+    memset(&type2, 0, sizeof(type2));
+
+    ret = heim_ntlm_decode_type2(&data, &type2);
+    free(data.data);
+    if (ret)
+	errx(1, "heim_ntlm_decode_type2");
+
+    heim_ntlm_free_type2(&type2);
+
+    /*
+     *
+     */
+
+    memset(&type3, 0, sizeof(type3));
+
+    type3.flags = flags;
+    type3.username = rk_UNCONST(user);
+    type3.targetname = rk_UNCONST(target);
+    type3.ws = rk_UNCONST("workstation");
+
+    {
+	struct ntlm_buf key;
+	heim_ntlm_nt_key(password, &key);
+
+	heim_ntlm_calculate_ntlm1(key.data, key.length,
+				  type2.challange,
+				  &type3.ntlm);
+	free(key.data);
+    }
+
+    ret = heim_ntlm_encode_type3(&type3, &data);
+    if (ret)
+	errx(1, "heim_ntlm_encode_type3");
+
+    free(type3.ntlm.data);
+
+    memset(&type3, 0, sizeof(type3));
+
+    ret = heim_ntlm_decode_type3(&data, 1, &type3);
+    free(data.data);
+    if (ret)
+	errx(1, "heim_ntlm_decode_type3");
+
+    if (strcmp("workstation", type3.ws) != 0)
+	errx(1, "type3 ws wrong");
+
+    if (strcmp(target, type3.targetname) != 0)
+	errx(1, "type3 targetname wrong");
+
+    if (strcmp(user, type3.username) != 0)
+	errx(1, "type3 username wrong");
+
+
+    heim_ntlm_free_type3(&type3);
+
+    /*
+     * NTLMv2
+     */
+
+    memset(&type2, 0, sizeof(type2));
+
+    flags = NTLM_NEG_UNICODE | NTLM_NEG_NTLM | NTLM_TARGET_DOMAIN;
+    type2.flags = flags;
+
+    memset(type2.challange, 0x7f, sizeof(type2.challange));
+    type2.targetname = rk_UNCONST(target);
+    type2.targetinfo.data = "\x00\x00";
+    type2.targetinfo.length = 2;
+
+    ret = heim_ntlm_encode_type2(&type2, &data);
+    if (ret)
+	errx(1, "heim_ntlm_encode_type2");
+
+    memset(&type2, 0, sizeof(type2));
+
+    ret = heim_ntlm_decode_type2(&data, &type2);
+    free(data.data);
+    if (ret)
+	errx(1, "heim_ntlm_decode_type2");
+
+    heim_ntlm_free_type2(&type2);
+
+    return 0;
+}
+
+static int
+test_keys(void)
+{
+    const char
+	*username = "test",
+	*password = "test1234",
+	*target = "TESTNT";
+    const unsigned char 
+	serverchallange[8] = "\x67\x7f\x1c\x55\x7a\x5e\xe9\x6c";
+    struct ntlm_buf infotarget, infotarget2, answer, key;
+    unsigned char ntlmv2[16], ntlmv2_1[16];
+    int ret;
+    
+    infotarget.length = 70;
+    infotarget.data =
+	"\x02\x00\x0c\x00\x54\x00\x45\x00\x53\x00\x54\x00\x4e\x00\x54\x00"
+	"\x01\x00\x0c\x00\x4d\x00\x45\x00\x4d\x00\x42\x00\x45\x00\x52\x00"
+	"\x03\x00\x1e\x00\x6d\x00\x65\x00\x6d\x00\x62\x00\x65\x00\x72\x00"
+	    "\x2e\x00\x74\x00\x65\x00\x73\x00\x74\x00\x2e\x00\x63\x00\x6f"
+	    "\x00\x6d\x00"
+	"\x00\x00\x00\x00";
+
+    answer.length = 0;
+    answer.data = NULL;
+
+    heim_ntlm_nt_key(password, &key);
+
+    ret = heim_ntlm_calculate_ntlm2(key.data,
+				    key.length,
+				    username,
+				    target,
+				    serverchallange,
+				    &infotarget,
+				    ntlmv2,
+				    &answer);
+    if (ret)
+	errx(1, "heim_ntlm_calculate_ntlm2");
+
+    ret = heim_ntlm_verify_ntlm2(key.data,
+				 key.length,
+				 username,
+				 target,
+				 0,
+				 serverchallange,
+				 &answer,
+				 &infotarget2,
+				 ntlmv2_1);
+    if (ret)
+	errx(1, "heim_ntlm_verify_ntlm2");
+
+    if (memcmp(ntlmv2, ntlmv2_1, sizeof(ntlmv2)) != 0)
+	errx(1, "ntlm master key not same");
+
+    if (infotarget.length > infotarget2.length)
+	errx(1, "infotarget length");
+
+    if (memcmp(infotarget.data, infotarget2.data, infotarget.length) != 0)
+	errx(1, "infotarget not the same");
+
+    free(key.data);
+    free(answer.data);
+    free(infotarget2.data);
+
+    return 0;
+}
+
+static int
+test_ntlm2_session_resp(void)
+{
+    int ret;
+    struct ntlm_buf lm, ntlm;
+
+    const unsigned char lm_resp[24] = 
+	"\xff\xff\xff\x00\x11\x22\x33\x44"
+	"\x00\x00\x00\x00\x00\x00\x00\x00"
+	"\x00\x00\x00\x00\x00\x00\x00\x00";
+    const unsigned char ntlm2_sess_resp[24] = 
+	"\x10\xd5\x50\x83\x2d\x12\xb2\xcc"
+	"\xb7\x9d\x5a\xd1\xf4\xee\xd3\xdf"
+	"\x82\xac\xa4\xc3\x68\x1d\xd4\x55";
+    
+    const unsigned char client_nonce[8] =
+	"\xff\xff\xff\x00\x11\x22\x33\x44";
+    const unsigned char server_challange[8] =
+	"\x01\x23\x45\x67\x89\xab\xcd\xef";
+
+    const unsigned char ntlm_hash[16] =
+	"\xcd\x06\xca\x7c\x7e\x10\xc9\x9b"
+	"\x1d\x33\xb7\x48\x5a\x2e\xd8\x08";
+
+    ret = heim_ntlm_calculate_ntlm2_sess(client_nonce,
+					 server_challange,
+					 ntlm_hash,
+					 &lm,
+					 &ntlm);
+    if (ret)
+	errx(1, "heim_ntlm_calculate_ntlm2_sess_resp");
+
+    if (lm.length != 24 || memcmp(lm.data, lm_resp, 24) != 0)
+	errx(1, "lm_resp wrong");
+    if (ntlm.length != 24 || memcmp(ntlm.data, ntlm2_sess_resp, 24) != 0)
+	errx(1, "ntlm2_sess_resp wrong");
+    
+    free(lm.data);
+    free(ntlm.data);
+
+
+    return 0;
+}
+
+static int version_flag = 0;
+static int help_flag	= 0;
+
+static struct getargs args[] = {
+    {"version",	0,	arg_flag,	&version_flag, "print version", NULL },
+    {"help",	0,	arg_flag,	&help_flag,  NULL, NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args, sizeof(args)/sizeof(*args),
+		    NULL, "");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    int ret = 0, optind = 0;
+
+    setprogname(argv[0]);
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    printf("test_parse\n");
+    ret += test_parse();
+    printf("test_keys\n");
+    ret += test_keys();
+    printf("test_ntlm2_session_resp\n");
+    ret += test_ntlm2_session_resp();
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/ntlm/version-script.map b/crypto/heimdal/lib/ntlm/version-script.map
new file mode 100644
index 0000000..654a630
--- /dev/null
+++ b/crypto/heimdal/lib/ntlm/version-script.map
@@ -0,0 +1,27 @@
+# $Id: version-script.map 22041 2007-11-11 07:43:27Z lha $
+
+HEIMDAL_NTLM_1.0 {
+	global:
+		heim_ntlm_build_ntlm1_master;
+		heim_ntlm_calculate_ntlm1;
+		heim_ntlm_calculate_ntlm2;
+		heim_ntlm_calculate_ntlm2_sess;
+		heim_ntlm_decode_targetinfo;
+		heim_ntlm_decode_type1;
+		heim_ntlm_decode_type2;
+		heim_ntlm_decode_type3;
+		heim_ntlm_encode_targetinfo;
+		heim_ntlm_encode_type1;
+		heim_ntlm_encode_type2;
+		heim_ntlm_encode_type3;
+		heim_ntlm_free_buf;
+		heim_ntlm_free_targetinfo;
+		heim_ntlm_free_type1;
+		heim_ntlm_free_type2;
+		heim_ntlm_free_type3;
+		heim_ntlm_nt_key;
+		heim_ntlm_ntlmv2_key;
+		heim_ntlm_verify_ntlm2;
+	local:
+		*;
+};
diff --git a/crypto/heimdal/lib/roken/ChangeLog b/crypto/heimdal/lib/roken/ChangeLog
index 3132d23..6a9abe7 100644
--- a/crypto/heimdal/lib/roken/ChangeLog
+++ b/crypto/heimdal/lib/roken/ChangeLog
@@ -1,21 +1,729 @@
-2004-01-15  Love  <lha@stacken.kth.se>
+2008-01-12  Love Hörnquist Åstrand  <lha@it.su.se>
 
-	* roken-common.h: 1.52: use EAI_NONAME instead of EAI_ADDRFAMILY
-	  to check for if we need EAI_ macros
+	* Makefile.am: add missing files.
+
+2007-08-09  Love Hörnquist Åstrand  <lha@it.su.se>
 	
-	* gai_strerror.c: 1.4: correct ifdef for EAI_ADDRFAMILY
-	1.3: EAI_ADDRFAMILY and EAI_NODATA is deprecated
+	* strftime.c: rewrite str[pf]time for testing.
+
+	* strptime.c: rewrite str[pf]time for testing.
+
+	* Makefile.am: add TEST_STRPFTIME
 	
-2003-08-29  Love  <lha@stacken.kth.se>
+2007-07-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ndbm_wrap.c (dbm_get): set dsize to 0 on failure.
+
+	* Makefile.am: add ndbm_wrap.[ch] to EXTRA_DIST
+
+	* ndbm_wrap.c (dbm_fetch): set dsize to 0 on failure.
+
+2007-07-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* socket_wrapper.c: Implement swrap_dup too.
+
+	* socket_wrapper.c: Add dup(dummy stub) and dup2(real).
+
+	* socket_wrapper.h: Add dup(dummy stub) and dup2(real).
 
-	* ndbm_wrap.c: 1.1->1.2: patch for working with DB4 on
-	heimdal-discuss From: Luke Howard <lukeh@PADL.COM>
+2007-07-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: New library version.
+
+2007-06-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* roken_gethostby.c: set proxy_port to 0 to pacify BEAM.
+
+2007-06-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* use "roken.h" consitantly
+
+2007-06-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test-readenv.c: Free environment.
+
+	* environment.c (free_environment): free result of
+	read_environment().
+
+	* roken-common.h (free_environment): free result of
+	read_environment().
 	
-2003-04-22  Love  <lha@stacken.kth.se>
+2007-05-10  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* fnmatch.c: Do recursive call to rk_fnmatch
+	
+2007-01-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* resolve.c: Try harder to call res_ndestroy().
+	
+2006-12-27  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: make sure built headers are copied to the
+	${build_topdir}/include
+	
+2006-12-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* unvis.c: Use internal version of rk_unvis
+
+	* unvis.c: Always include rk_versions.
+
+	* vis.c: Always include rk_versions.
+
+	* vis.hin: Fix argument for unvis and strsvisx.
+	
+	* unvis.c: prefix unvis functions with rk_, and prototypes.
+	
+2006-12-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* vis.c: Provide some prototypes for the rk_vis functions.
+	
+2006-12-11  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* ifaddrs.hin: Prefix getifaddrs functions with rk_ and do symbol
+	renaming.
+
+	* fnmatch.c: Prefix fnmatch functions with rk_ and do symbol
+	renaming.
+
+	* vis.hin: Prefix strvis functions with rk_ and do symbol
+	renaming.
+
+	* vis.c: prefix strvis functions with rk_
+
+	* Makefile.am: Install extra posix headers in <roken/...> to avoid
+	dup headers.
+	
+2006-11-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* socket_wrapper.c (swrap_sendto): fail on to unknown si->type
+	
+2006-11-06  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* socket_wrapper.c: A few fixes to have Heimdal pass the make
+	check under socket_wrapper. The first is a missing 'break' before
+	the (heimdal specific) IPv6 support. The second works around the
+	fact that sendto() *may* object to a destination being specified.
+	It appears to be that on Linux, this objects (with EISCONN) for
+	unix stream sockets, but not for TCP sockets. The alternate fix
+	would be to have the KDC use 'send()' in this case. Andrew Bartlett.
+
+2006-10-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: split dist and nondist HEADERS
+	
+2006-10-19  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* roken.h.in: Add timegm glue.
+
+	* timegm.c: add timegm()
+	
+	* socket_wrapper.c: Include <roken.h>, gives os socklen_t on IRIX
+	6.4.
+	
+	* socket_wrapper.c: Maybe include <sys/time.h> and/or maybe
+	include <time.h>.
+	
+2006-10-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* roken.h.in: Revert prevois for now, the problem is that we have
+	to include symbols unconditionally, even for those that just needs
+	protos.
+
+	* roken.h.in: Provide symbol renaming, let see what breaks.
+
+	* socket_wrapper.c: Maybe include <sys/filio.h>.
+	
+2006-10-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* socket_wrapper.c: more consitity check, remove dead code, add
+	socket length code, add missing break, make diffrent chars of type
+	type files for case-insensitiv filesystems
+
+	* socket_wrapper.c: try even hard to not use socket wrapper for
+	socket_wrapper itself.
+
+	* socket_wrapper.c: Force no socket wrapper for socket_wrapper
+	itself.
+	
+2006-10-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* socket_wrapper.c: Maybe include <config.h>.
+
+	* socket_wrapper.c: Protect AF_INET6 with #ifdef HAVE_IPV6.
+
+	* socket_wrapper.c: Use a symbol for the v6 address.
+
+	* socket_wrapper.c: Add IPv6 suppport.
+	
+	* socket_wrapper.[ch]: Include socket wrapper from samba4 (rev
+	19179).
+	
+2006-10-07 Love Hörnquist Åstrand <lha@it.su.se>
+
+	* Makefile.am: Add build_HEADERZ to EXTRA_DIST
+
+	* Makefile.am: Add man_MANS to EXTRA_DIST
+
+	* Makefile.am: Add to all objects BUILD_ROKEN_LIB.
+	
+2006-09-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* roken.h.in: Add samba socket wrapper fragment.
+
+	* Makefile.am: Add samba socket wrapper fragment.
+	
+2006-09-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* snprintf.c: reapply patch that went away in last commit
+	
+	* snprintf-test.c: unbreak from previous commit
+
+	* snprintf.c: Add size_t formater (z modifer).
+
+	* snprintf-test.c: add tests for size_t printf formater
+	
+2006-06-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* rtbl.h: Add extern "C" for C++.
+
+	* rtbl.c: Add rtbl_add_column_entryv functions, printf like
+
+	* rtbl.h: Add rtbl_add_column_entryv functions, printf like
+	
+2006-06-22  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* glob.hin: Add extern "C" for C++. From joerg at britannica dot
+	bec dot de
+
+	* fnmatch.hin: Add extern "C" for C++. From joerg at britannica
+	dot bec dot de
+	
+2006-04-20  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* fnmatch.hin (fnmatch): CPP rename to rk_fnmatch
+	
+2006-04-14  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* resolve.c (dns_srv_order): change a if (ptr == NULL) continue
+	into a assert(ptr != NULL) since it could never happen, found by
+	the IBM code checker (beam).  Thanks to Florian Krohm for
+	explaining it.
+	
+2006-04-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* roken_gethostby.c (roken_gethostby): make addr_list one larger
+	to avoid a off-by-one error. Found by IBM checker.
+
+	* resolve.c: Plug memory leak found by IBM checker (and try to
+	please it).
+	
+2006-02-06  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* resolve.c: Spelling, from Alexey Dobriyan, via Jason McIntyre
+	
+2006-01-13  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* getcap.c: Don't use db support unless its build into libc but we
+	dont check for that now, so just disable the code. This removes
+	the dependency on libdb for roken, and that is a good thing since
+	it causes problem with nss plugins that uses DB3 that also
+	provides the same symbol, but with a diffrent ABI. so when the
+	application calls getpwnamn() and it linked to roken, it craches
+	in the nss functions.
+	
+2006-01-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* hex.c (hex_decode): support decoding odd number of characters,
+	in the odd len case, the first character ends up in the first byte
+	in the lower nibble.
+
+	* hex-test.c: Check that we can decode single character hex chars.
+
+2005-12-12  Love Hörnquist Åstrand <lha@it.su.se>
+
+	* getifaddrs.c: Try handle HP/UX 11.nn, its diffrent from Solaris
+	large SIOCGIFCONF.
+	
+2005-09-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* roken-common.h: Move rk_UNCONST to roken.h.in since it might use
+	uintptr_t depending on avaibility.
+
+	* roken.h.in: Include <stdint.h> if it exists.  If avaiable, use
+	uintptr_t to define rk_UNCONST.
+	
+2005-09-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* roken-common.h: Add rk_dumpdata.
+	
+	* dumpdata.c: Add rk_dumpdata() that write a chunk of data into a
+	file for later processing by some other tool (like asn1_print).
+	
+2005-09-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* strptime.c: cast to unsigned char to make sure its not negative
+	when passing it to is* functions
+	
+2005-09-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* socket.c: Add socket_set_ipv6only.
+
+	* roken-common.h: Add socket_set_ipv6only, remove some argument
+	names.
+	
+2005-08-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* strpool.c (rk_strpoolprintf): remove debug printf, plug memory
+	leak
+	
+2005-08-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* setprogname.c (setprogname): const poision
+	
+	* print_version.c: Removed, moved to libvers.
+
+2005-08-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* resolve.c (dns_lookup_int): if we have res_ndestroy, prefeer
+	that before res_nclose
+
+2005-08-12 Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* getaddrinfo-test.c: Rename optind to optidx to avoid shadowing.
+
+2005-08-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gai_strerror.c: sprinkel more const
+	
+	* gai_strerror.c, roken.h.in: Make return value of gai_strerror
+	const to match SUSv3.  Prompted by Stefan Metzmacher change to
+	Samba.
+
+2005-07-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* roken.h.in: Remove parameter names to avoid shadow warnings.
+
+2005-07-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* getifaddrs.c (nl_getlist): poll to get messages from kernel, and
+	retry if the message was lost
+	(free_nlmsglist): free all linked elements, not just the first one
+
+2005-07-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* snprintf-test.c: Check a very simple format string
+	
+2005-07-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* roken.h.in: If we have <strings.h> include it, its needed for
+	strcasecmp() on those platforms that are SUS3/iso c99 strict (like
+	AIX)
+
+	* roken-common.h: remove duplicate ;
+	
+2005-07-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* roken-common.h: rk_strpoolprintf first variable identifier is 3
+
+2005-06-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* base64.h: remove variable names
+	
+2005-06-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* roken-common.h: fix format attribute
+
+	* Makefile.am (libroken_la_SOURCES): += strpool.c
+	
+	* roken-common.h: add strpool, a printf collector to make it
+	eaiser to collect strings into one string
+	
+	* strpool.c: add strpool, a printf collector to make it eaiser to
+	collect strings into one string
+
+2005-06-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* base64.c: Add const, from Andrew Abartlet <abartlet@samba.org>
+
+2005-06-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* strpftime-test.c: test for "%Y%m"
+
+	* esetenv.c: unconst
+
+	* strptime.c: Write a new parse_number function that is possible
+	to limit that amount of numbers used, with this strptime can
+	handle strptime("200505", "%Y%m", &tm);
+
+2005-06-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* getaddrinfo.c: avoid shadowing sin
+	
+	* resolve-test.c: rename optind to optidx to avoid shadowing
+	
+	* strptime.c: UNCONST return value from strptime
+	
+	* strftime.c: rk_UNCONST argument mktime
+	
+	* getnameinfo.c: avoid shadowing sin
+	
+	* socket.c: avoid shadowing sin
+
+	* resolve.c (parse_record): fix casting to avoid losing const
+	
+	* roken.awk: since we got no feedback regarding people running
+	heimdal on the crays, remove the quoted # version
 	
-	* resolve.c: 1.38->1.39: copy NUL too, from janj@wenf.org via
-	openbsd
+	* environment.c: rename index to idx to avoid shadowing
 
+2005-05-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* parse_reply-test.c: avoid signedness warnings
+
+	* test-mem.c: avoid signedness warnings
+
+2005-05-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* hex.c: include "roken.h" to avoid undefined size_t/ssize_t
+
+2005-05-24  Dave Love  <fx@gnu.org>
+
+	* Makefile.am (snprintf_test_SOURCES): Add snprintf-test.h.
+
+2005-05-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* environment.c (rk_read_env_file): move assignment to later to
+	make pre c99 compiler happy
+
+2005-05-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* strptime.c: use english spelling of March
+
+2005-05-17  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: only link with dblib if we need it
+	
+	* Makefile.am: add test_readenv
+	
+	* test-readenv.c: test for read_environment()
+	
+	* environment.c: eliminate duplicates
+	
+2005-05-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* issuid.c (issuid): change the #ifdef order to avoid unreachable
+	code warning.
+
+2005-05-10  Dave Love  <fx@gnu.org>
+
+	* roken.h.in: Get daemon declared on Solaris (it's in unistd.h but
+	masked by a feature test), just to avoid a warning, since it has
+	int args. Include err.h unconditionally, since it's always
+	supplied.
+
+2005-05-04  Dave Love  <fx@gnu.org>
+
+	* snprintf-test.c: Include snprintf-test.h earlier.
+
+2005-05-03  Dave Love  <fx@gnu.org>
+
+	* snprintf.c: Include snprintf-test.h earlier.
+	
+	* test-mem.c: Add member fd to map.
+	(rk_test_mem_alloc, rk_test_mem_free): Use it.
+
+2005-04-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* getifaddrs.c: add break on default: statements, from Douglas
+	E. Engert
+
+	* snprintf.c (vsnprintf): don't write the NUL into the string if
+	the length was 0
+
+	* snprintf-test.c: add check that snprintf doesn't write the NUL
+	into the last byte when its a zero length input string
+
+	* parse_time-test.c: Include <err.h>.
+	
+2005-04-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* parse_time-test.c: improve testing
+	
+	* roken-common.h: add rk_realloc
+
+	* Makefile.am: add realloc
+
+	* realloc.c: add rk_realloc, unbroken version of realloc
+
+2005-04-26  Dave Love  <fx@gnu.org>
+
+	* getusershell.c: Include roken.h
+
+2005-04-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* unvis.c: cast to unsigned char to make sure its not negative
+	when passing it to is* functions
+
+	* strptime.c: cast to unsigned char to make sure its not negative
+	when passing it to to* functions
+
+2005-04-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* simple_exec.c: don't close stderr, close all fd that is num 3
+	and larger
+
+	* simple_exec.c (pipe_execv): use closefrom
+
+	* add closefrom
+
+2005-04-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* add ROKEN_LIB_FUNCTION to all exported functions
+
+2005-04-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* resolve-test.c: print DS
+
+2005-04-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* parse_time-test.c: remove unused variable
+	
+2005-04-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* strpftime-test.c: print size_t by casting to unsigned long
+	
+	* base64-test.c: print size_t by casting to unsigned long
+	
+	* hex-test.c: print size_t by casting to unsigned long
+	
+	* resolve-test.c: print size_t by casting to unsigned long
+	
+2005-04-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* snprintf-test.c (try): reset va_list argument between reuse,
+	from Peter Kruty <xkruty@fi.muni.cz>
+
+2005-03-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* roken_gethostby.c (roken_gethostby): s/sin/addr/ to avoid
+	shadowing
+
+	* resolve.c (dns_lookup_int): s/stat/state/ to avoid shadowing
+
+	* parse_units.c: avoid shadowing div
+
+2005-03-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* snprintf.c: use defined(TEST_SNPRINTF) like on all other places
+	in the same file
+
+2005-03-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* hex.c: check for overflows
+
+2005-03-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* vis.c: use RCSID instead of __RCSID
+
+2005-03-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: check_PROGRAMS += hex-test
+	
+	* hex-test.c: hex encoding/decoding test
+	
+	* hex.c: fix decodeing, it processed to much data and thus
+	returned the wrong length
+
+2005-03-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: add hex.[ch]
+
+	* hex.c: add hex encoder/decoder
+
+2005-03-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* daemon.c fnmatch.c fnmatch.hin getcap.c getopt.c getusershell.c
+	glob.c glob.hin iruserok.c unvis.c vis.hin:
+	
+	In 1997, the University of California, Berkeley issued a statement
+	retroactively relicensing all code held under their copyright from
+	a 4-clause 'traditional' BSD license to a new 3-clause 'revised'
+	BSD license, which removed the advertising clause.
+
+	From NetBSD, via Joel Baker, and Alistair G. Crooks
+	
+	* getaddrinfo-test.c: remove stray ( in output
+	
+	* vis.c: Update new revision from NetBSD (copyright update)
+
+2005-02-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: bump version to 17:0:1
+
+2005-01-19  Dave Love  <d.love@dl.ac.uk>
+
+	* getusershell.c: Include ctype.h, cast argument to isspace to
+	unsigned char.
+
+2004-10-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* parse_time.3, parse_units.c: Change the behavior of the
+	parse_unit code to return the number of bytes needed to print the
+	whole string (minus the trailing '\0'), just like snprintf.  Idea
+	from bugreport from Gabriel Kihlman <gk@stacken.kth.se>.
+
+	* parse_time-test.c Makefile.am test-mem.c test-mem.h: test parse_time
+
+2004-10-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* resolve.c: put dns_type_to_string and dns_string_to_type in the
+	abi
+
+	* resolve.c: add ds_record
+	
+	* resolve.h: add ds_record
+	
+2004-10-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ndbm_wrap.c: undefine open so this works on solaris with large
+	file support From netbsd's pkgsrc via Gavan Fantom
+	
+2004-09-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* resolve-test.c: add --version/--help
+	
+2004-09-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: make resolve-test a noinst program
+	
+2004-09-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* resolve-test.c: test program for libroken resolve from resolve.c
+	
+	* Makefile.am: add resolve-test
+	
+	* resolve.h: add constant for max DNS protocol packet size
+	
+	* resolve.c (dns_lookup_int): grow the answer buffer to the size
+	the server send to us if the answer buffer was too small (limited
+	to the dns protocol max packet size)
+	
+2004-08-26  Johan Danielsson  <joda@pdc.kth.se>
+
+	* err.hin: no need to declare __progname here
+
+	* Makefile.am: always clean generated headers
+
+2004-06-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* rtbl.3: use .In for header, remove trailing space
+	
+2004-06-23  Johan Danielsson  <joda@pdc.kth.se>
+
+	* rtbl.h: add protos and macros
+	
+	* rtbl.c: implement a bunch of stuff:
+	  - column separator (instead of global column prefix)
+	  - per column suffix
+	  - indexing columns by id-number instead of column header
+	  - optional header supression (via settable flags)
+	  - ability to end a row
+	  - don't extend last column to full width
+	
+2004-06-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* resolve.[ch]: add and use and bind9 version of rr type
+	(rk_ns_t_XXX) instead of the old bind4 version (T_XXX)
+
+2004-05-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* resolve.c (stot): add AAAA
+	
+2004-02-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* getarg.c (add_string): catch error from realloc
+	
+2004-02-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* roken-common.h: add simple_execve_timed
+	
+	* roken-common.h: add timed simple_exec
+	
+	* simple_exec.c: add timed simple_exec
+	
+2004-01-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gai_strerror.c: correct ifdef for EAI_ADDRFAMILY
+
+2003-12-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* resolve.c: parse dns header, add support for SSHFP
+	
+	* resolve.h: add cpp rewrite for sshfp_record
+	
+	* resolve.h: add SSHFP, clean up the the dns_header
+	
+2003-12-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* resolve.h: remove HEADER (only used for crays)
+	
+	* resolve.c: number-of fields no longer stored in network order
+	
+2003-12-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* resolve.c: remove depency on c99 types in resolv.h
+	
+	* resolve.h: remove depency on c99 types
+	
+2003-12-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* resolv.h: add more T_ types and inline the dns headers, all this
+	for bind9 resolvers
+
+2003-12-02  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* gai_strerror.c: EAI_ADDRFAMILY and EAI_NODATA is deprecated
+	
+	* roken-common.h: use EAI_NONAME instead of EAI_ADDRFAMILY to
+	check for if we need EAI_ macros
+
+2003-10-04   Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* strptime.c: let t and n match zero or more whitespaces
+	
+2003-08-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ndbm_wrap.c: patch for working with DB4 on heimdal-discuss
+	From: Luke Howard <lukeh@PADL.COM>
+	
+2003-08-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: don't include discovered files in EXTRA_SOURCES;
+	don't depend on all header files, just the built ones
+
+2003-08-15  Johan Danielsson  <joda@pdc.kth.se>
+
+	* emalloc.3: manpage
+	
+2003-07-11  Love  <lha@stacken.kth.se>
+
+	* resolve.c: AIX have broken res_nsearch() in 5.1 (5.0 also ?)  so
+	just don't use res_nsearch on AIX
+
+2003-06-29  Johan Danielsson  <joda@pdc.kth.se>
+
+	* snprintf.c: * don't ever print sign for unsigned conversions *
+	don't break when right justifying a number past the end of the
+	buffer * handle zero precision and the value zero more correctly
+
+2003-06-14  Love  <lha@stacken.kth.se>
+
+	* glob.hin: prefix glob symbols with rk_
+	
+2003-04-22  Love  <lha@stacken.kth.se>
+
+	* resolve.c: copy NUL too, from janj@wenf.org via openbsd
+	
 2003-04-16  Love  <lha@stacken.kth.se>
 
 	* parse_units.h: remove typedef for units to avoid problems with
@@ -1388,7 +2096,7 @@ Thu Mar 19 20:41:25 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
 
 Fri Mar  6 00:21:53 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
 
-	* roken_gethostby.c: Make `roken_gethostby_setup' take url-like
+	* roken_gethostby.c: Make `roken_gethostby_setup' take URL-like
  	specification instead of split up versions. Makes it easier for
  	calling applications.
 
diff --git a/crypto/heimdal/lib/roken/Makefile.am b/crypto/heimdal/lib/roken/Makefile.am
index 34235ab..b1a4251 100644
--- a/crypto/heimdal/lib/roken/Makefile.am
+++ b/crypto/heimdal/lib/roken/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.122.6.3 2003/10/14 16:13:15 joda Exp $
+# $Id: Makefile.am 22409 2008-01-12 05:53:37Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -7,17 +7,24 @@ ACLOCAL_AMFLAGS = -I ../../cf
 CLEANFILES = roken.h make-roken.c $(XHEADERS)
 
 lib_LTLIBRARIES = libroken.la
-libroken_la_LDFLAGS = -version-info 16:3:0
+libroken_la_LDFLAGS = -version-info 19:0:1
+libroken_la_CPPFLAGS = -DBUILD_ROKEN_LIB
 
-noinst_PROGRAMS = make-roken snprintf-test
+# XXX this is needed for the LIBOBJS objects
+CPPFLAGS = $(libroken_la_CPPFLAGS)
+
+noinst_PROGRAMS = make-roken snprintf-test resolve-test
 
 nodist_make_roken_SOURCES = make-roken.c
 
 check_PROGRAMS = 				\
 		base64-test			\
 		getaddrinfo-test		\
+		hex-test			\
+		test-readenv			\
 		parse_bytes-test		\
 		parse_reply-test		\
+		parse_time-test			\
 		snprintf-test			\
 		strpftime-test
 
@@ -28,21 +35,29 @@ make_roken_LDADD =
 
 noinst_LTLIBRARIES = libtest.la
 libtest_la_SOURCES = strftime.c strptime.c snprintf.c
-libtest_la_CFLAGS = -DTEST_SNPRINTF
+libtest_la_CFLAGS = -DTEST_SNPRINTF -DTEST_STRPFTIME
 
 parse_reply_test_SOURCES = parse_reply-test.c resolve.c
 parse_reply_test_CFLAGS  = -DTEST_RESOLVE
 
-strpftime_test_SOURCES	= strpftime-test.c
+test_readenv_SOURCES = test-readenv.c test-mem.c
+
+parse_time_test_SOURCES = parse_time-test.c test-mem.c
+
+strpftime_test_SOURCES	= strpftime-test.c strpftime-test.h
 strpftime_test_LDADD = libtest.la $(LDADD)
-snprintf_test_SOURCES	= snprintf-test.c
+strpftime_test_CFLAGS = -DTEST_STRPFTIME
+snprintf_test_SOURCES	= snprintf-test.c snprintf-test.h
 snprintf_test_LDADD = libtest.la $(LDADD)
 snprintf_test_CFLAGS	= -DTEST_SNPRINTF
 
+resolve_test_SOURCES = resolve-test.c
+
 libroken_la_SOURCES =		\
 	base64.c		\
 	bswap.c			\
 	concat.c		\
+	dumpdata.c		\
 	environment.c		\
 	eread.c			\
 	esetenv.c		\
@@ -54,6 +69,7 @@ libroken_la_SOURCES =		\
 	getnameinfo_verified.c	\
 	getprogname.c		\
 	h_errno.c		\
+	hex.c			\
 	hostent_find_fqdn.c	\
 	issuid.c		\
 	k_getpwnam.c		\
@@ -64,6 +80,7 @@ libroken_la_SOURCES =		\
 	parse_bytes.c		\
 	parse_time.c		\
 	parse_units.c		\
+	realloc.c		\
 	resolve.c		\
 	roken_gethostby.c	\
 	rtbl.c			\
@@ -74,6 +91,7 @@ libroken_la_SOURCES =		\
 	snprintf.c		\
 	socket.c		\
 	strcollect.c		\
+	strpool.c		\
 	timeval.c		\
 	tm2time.c		\
 	unvis.c			\
@@ -87,12 +105,11 @@ libroken_la_SOURCES =		\
 EXTRA_libroken_la_SOURCES =	\
 	err.hin			\
 	glob.hin		\
+	fnmatch.hin		\
 	ifaddrs.hin		\
 	vis.hin	
 
-EXTRA_DIST = roken.awk roken.h.in
-
-libroken_la_LIBADD = @LTLIBOBJS@ $(DBLIB)
+libroken_la_LIBADD = @LTLIBOBJS@
 
 $(LTLIBOBJS) $(libroken_la_OBJECTS): roken.h $(XHEADERS)
 
@@ -130,22 +147,32 @@ endif
 
 ## these are controlled by configure
 XHEADERS = $(err_h) $(fnmatch_h) $(glob_h) $(ifaddrs_h) $(vis_h)
+CLEANFILES += err.h fnmatch.h glob.h ifaddrs.h vis.h
 
-include_HEADERS = 				\
+dist_include_HEADERS = 				\
 	base64.h				\
 	getarg.h				\
+	hex.h					\
 	parse_bytes.h 				\
 	parse_time.h 				\
 	parse_units.h				\
 	resolve.h 				\
 	roken-common.h 				\
 	rtbl.h 					\
-	xdbm.h					\
-	$(XHEADERS) 
+	xdbm.h
+
+if have_socket_wrapper
+libroken_la_SOURCES += socket_wrapper.c socket_wrapper.h
+dist_include_HEADERS += socket_wrapper.h
+endif
+
+build_HEADERZ = test-mem.h $(XHEADERS)
 
 nodist_include_HEADERS = roken.h
+rokenincludedir = $(includedir)/roken
+nodist_rokeninclude_HEADERS = $(XHEADERS)
 
-man_MANS = getarg.3
+man_MANS = getarg.3 parse_time.3 rtbl.3 ecalloc.3
 
 SUFFIXES += .hin
 .hin.h:
@@ -158,3 +185,10 @@ roken.h: make-roken$(EXEEXT)
 
 make-roken.c: roken.h.in roken.awk
 	$(AWK) -f $(srcdir)/roken.awk $(srcdir)/roken.h.in > make-roken.c
+
+EXTRA_DIST = \
+	roken.awk roken.h.in \
+	$(man_MANS) \
+	test-mem.h \
+	ndbm_wrap.c \
+	ndbm_wrap.h
diff --git a/crypto/heimdal/lib/roken/Makefile.in b/crypto/heimdal/lib/roken/Makefile.in
index d9ddcdd..0398523 100644
--- a/crypto/heimdal/lib/roken/Makefile.in
+++ b/crypto/heimdal/lib/roken/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,25 +14,19 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.122.6.3 2003/10/14 16:13:15 joda Exp $
+# $Id: Makefile.am 22409 2008-01-12 05:53:37Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
 
 
-SOURCES = $(libroken_la_SOURCES) $(EXTRA_libroken_la_SOURCES) $(libtest_la_SOURCES) base64-test.c getaddrinfo-test.c $(nodist_make_roken_SOURCES) parse_bytes-test.c $(parse_reply_test_SOURCES) $(snprintf_test_SOURCES) $(strpftime_test_SOURCES)
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -44,42 +38,46 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
-DIST_COMMON = $(am__include_HEADERS_DIST) $(srcdir)/Makefile.am \
+DIST_COMMON = $(am__dist_include_HEADERS_DIST) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \
 	$(top_srcdir)/cf/Makefile.am.common ChangeLog chown.c \
-	copyhostent.c daemon.c ecalloc.c emalloc.c erealloc.c err.c \
-	errx.c estrdup.c fchown.c flock.c fnmatch.c freeaddrinfo.c \
-	freehostent.c gai_strerror.c getaddrinfo.c getcap.c getcwd.c \
-	getdtablesize.c getegid.c geteuid.c getgid.c gethostname.c \
-	getifaddrs.c getipnodebyaddr.c getipnodebyname.c getnameinfo.c \
-	getopt.c gettimeofday.c getuid.c getusershell.c glob.c \
-	hstrerror.c inet_aton.c inet_ntop.c inet_pton.c initgroups.c \
-	innetgr.c install-sh iruserok.c localtime_r.c lstat.c \
-	memmove.c missing mkinstalldirs mkstemp.c putenv.c rcmd.c \
-	readv.c recvmsg.c sendmsg.c setegid.c setenv.c seteuid.c \
-	strcasecmp.c strdup.c strerror.c strftime.c strlcat.c \
-	strlcpy.c strlwr.c strncasecmp.c strndup.c strnlen.c \
+	closefrom.c copyhostent.c daemon.c ecalloc.c emalloc.c \
+	erealloc.c err.c errx.c estrdup.c fchown.c flock.c fnmatch.c \
+	freeaddrinfo.c freehostent.c gai_strerror.c getaddrinfo.c \
+	getcap.c getcwd.c getdtablesize.c getegid.c geteuid.c getgid.c \
+	gethostname.c getifaddrs.c getipnodebyaddr.c getipnodebyname.c \
+	getnameinfo.c getopt.c gettimeofday.c getuid.c getusershell.c \
+	glob.c hstrerror.c inet_aton.c inet_ntop.c inet_pton.c \
+	initgroups.c innetgr.c install-sh iruserok.c localtime_r.c \
+	lstat.c memmove.c missing mkinstalldirs mkstemp.c putenv.c \
+	rcmd.c readv.c recvmsg.c sendmsg.c setegid.c setenv.c \
+	seteuid.c strcasecmp.c strdup.c strerror.c strftime.c \
+	strlcat.c strlcpy.c strlwr.c strncasecmp.c strndup.c strnlen.c \
 	strptime.c strsep.c strsep_copy.c strtok_r.c strupr.c swab.c \
-	unsetenv.c verr.c verrx.c vsyslog.c vwarn.c vwarnx.c warn.c \
-	warnx.c writev.c
-noinst_PROGRAMS = make-roken$(EXEEXT) snprintf-test$(EXEEXT)
+	timegm.c unsetenv.c verr.c verrx.c vsyslog.c vwarn.c vwarnx.c \
+	warn.c warnx.c writev.c
+noinst_PROGRAMS = make-roken$(EXEEXT) snprintf-test$(EXEEXT) \
+	resolve-test$(EXEEXT)
 check_PROGRAMS = base64-test$(EXEEXT) getaddrinfo-test$(EXEEXT) \
+	hex-test$(EXEEXT) test-readenv$(EXEEXT) \
 	parse_bytes-test$(EXEEXT) parse_reply-test$(EXEEXT) \
-	snprintf-test$(EXEEXT) strpftime-test$(EXEEXT)
+	parse_time-test$(EXEEXT) snprintf-test$(EXEEXT) \
+	strpftime-test$(EXEEXT)
+@have_socket_wrapper_TRUE@am__append_1 = socket_wrapper.c socket_wrapper.h
+@have_socket_wrapper_TRUE@am__append_2 = socket_wrapper.h
 subdir = lib/roken
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -92,6 +90,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -100,47 +99,96 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)"
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)" \
+	"$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)" \
+	"$(DESTDIR)$(rokenincludedir)"
 libLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(lib_LTLIBRARIES) $(noinst_LTLIBRARIES)
-am__DEPENDENCIES_1 =
-libroken_la_DEPENDENCIES = @LTLIBOBJS@ $(am__DEPENDENCIES_1)
-am_libroken_la_OBJECTS = base64.lo bswap.lo concat.lo environment.lo \
-	eread.lo esetenv.lo ewrite.lo getaddrinfo_hostspec.lo \
-	get_default_username.lo get_window_size.lo getarg.lo \
-	getnameinfo_verified.lo getprogname.lo h_errno.lo \
-	hostent_find_fqdn.lo issuid.lo k_getpwnam.lo k_getpwuid.lo \
-	mini_inetd.lo net_read.lo net_write.lo parse_bytes.lo \
-	parse_time.lo parse_units.lo resolve.lo roken_gethostby.lo \
-	rtbl.lo setprogname.lo signal.lo simple_exec.lo snprintf.lo \
-	socket.lo strcollect.lo timeval.lo tm2time.lo unvis.lo \
-	verify.lo vis.lo warnerr.lo write_pid.lo
+libroken_la_DEPENDENCIES = @LTLIBOBJS@
+am__libroken_la_SOURCES_DIST = base64.c bswap.c concat.c dumpdata.c \
+	environment.c eread.c esetenv.c ewrite.c \
+	getaddrinfo_hostspec.c get_default_username.c \
+	get_window_size.c getarg.c getnameinfo_verified.c \
+	getprogname.c h_errno.c hex.c hostent_find_fqdn.c issuid.c \
+	k_getpwnam.c k_getpwuid.c mini_inetd.c net_read.c net_write.c \
+	parse_bytes.c parse_time.c parse_units.c realloc.c resolve.c \
+	roken_gethostby.c rtbl.c rtbl.h setprogname.c signal.c \
+	simple_exec.c snprintf.c socket.c strcollect.c strpool.c \
+	timeval.c tm2time.c unvis.c verify.c vis.c vis.h warnerr.c \
+	write_pid.c xdbm.h socket_wrapper.c socket_wrapper.h
+@have_socket_wrapper_TRUE@am__objects_1 =  \
+@have_socket_wrapper_TRUE@	libroken_la-socket_wrapper.lo
+am_libroken_la_OBJECTS = libroken_la-base64.lo libroken_la-bswap.lo \
+	libroken_la-concat.lo libroken_la-dumpdata.lo \
+	libroken_la-environment.lo libroken_la-eread.lo \
+	libroken_la-esetenv.lo libroken_la-ewrite.lo \
+	libroken_la-getaddrinfo_hostspec.lo \
+	libroken_la-get_default_username.lo \
+	libroken_la-get_window_size.lo libroken_la-getarg.lo \
+	libroken_la-getnameinfo_verified.lo libroken_la-getprogname.lo \
+	libroken_la-h_errno.lo libroken_la-hex.lo \
+	libroken_la-hostent_find_fqdn.lo libroken_la-issuid.lo \
+	libroken_la-k_getpwnam.lo libroken_la-k_getpwuid.lo \
+	libroken_la-mini_inetd.lo libroken_la-net_read.lo \
+	libroken_la-net_write.lo libroken_la-parse_bytes.lo \
+	libroken_la-parse_time.lo libroken_la-parse_units.lo \
+	libroken_la-realloc.lo libroken_la-resolve.lo \
+	libroken_la-roken_gethostby.lo libroken_la-rtbl.lo \
+	libroken_la-setprogname.lo libroken_la-signal.lo \
+	libroken_la-simple_exec.lo libroken_la-snprintf.lo \
+	libroken_la-socket.lo libroken_la-strcollect.lo \
+	libroken_la-strpool.lo libroken_la-timeval.lo \
+	libroken_la-tm2time.lo libroken_la-unvis.lo \
+	libroken_la-verify.lo libroken_la-vis.lo \
+	libroken_la-warnerr.lo libroken_la-write_pid.lo \
+	$(am__objects_1)
 libroken_la_OBJECTS = $(am_libroken_la_OBJECTS)
+libroken_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libroken_la_LDFLAGS) $(LDFLAGS) -o $@
 libtest_la_LIBADD =
 am_libtest_la_OBJECTS = libtest_la-strftime.lo libtest_la-strptime.lo \
 	libtest_la-snprintf.lo
 libtest_la_OBJECTS = $(am_libtest_la_OBJECTS)
+libtest_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(libtest_la_CFLAGS) \
+	$(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
 PROGRAMS = $(noinst_PROGRAMS)
 base64_test_SOURCES = base64-test.c
 base64_test_OBJECTS = base64-test.$(OBJEXT)
 base64_test_LDADD = $(LDADD)
+am__DEPENDENCIES_1 =
 base64_test_DEPENDENCIES = libroken.la $(am__DEPENDENCIES_1)
 getaddrinfo_test_SOURCES = getaddrinfo-test.c
 getaddrinfo_test_OBJECTS = getaddrinfo-test.$(OBJEXT)
 getaddrinfo_test_LDADD = $(LDADD)
 getaddrinfo_test_DEPENDENCIES = libroken.la $(am__DEPENDENCIES_1)
+hex_test_SOURCES = hex-test.c
+hex_test_OBJECTS = hex-test.$(OBJEXT)
+hex_test_LDADD = $(LDADD)
+hex_test_DEPENDENCIES = libroken.la $(am__DEPENDENCIES_1)
 nodist_make_roken_OBJECTS = make-roken.$(OBJEXT)
 make_roken_OBJECTS = $(nodist_make_roken_OBJECTS)
 make_roken_DEPENDENCIES =
@@ -154,52 +202,74 @@ am_parse_reply_test_OBJECTS =  \
 parse_reply_test_OBJECTS = $(am_parse_reply_test_OBJECTS)
 parse_reply_test_LDADD = $(LDADD)
 parse_reply_test_DEPENDENCIES = libroken.la $(am__DEPENDENCIES_1)
+parse_reply_test_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(parse_reply_test_CFLAGS) \
+	$(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+am_parse_time_test_OBJECTS = parse_time-test.$(OBJEXT) \
+	test-mem.$(OBJEXT)
+parse_time_test_OBJECTS = $(am_parse_time_test_OBJECTS)
+parse_time_test_LDADD = $(LDADD)
+parse_time_test_DEPENDENCIES = libroken.la $(am__DEPENDENCIES_1)
+am_resolve_test_OBJECTS = resolve-test.$(OBJEXT)
+resolve_test_OBJECTS = $(am_resolve_test_OBJECTS)
+resolve_test_LDADD = $(LDADD)
+resolve_test_DEPENDENCIES = libroken.la $(am__DEPENDENCIES_1)
 am_snprintf_test_OBJECTS = snprintf_test-snprintf-test.$(OBJEXT)
 snprintf_test_OBJECTS = $(am_snprintf_test_OBJECTS)
 am__DEPENDENCIES_2 = libroken.la $(am__DEPENDENCIES_1)
 snprintf_test_DEPENDENCIES = libtest.la $(am__DEPENDENCIES_2)
-am_strpftime_test_OBJECTS = strpftime-test.$(OBJEXT)
+snprintf_test_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(snprintf_test_CFLAGS) \
+	$(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+am_strpftime_test_OBJECTS = strpftime_test-strpftime-test.$(OBJEXT)
 strpftime_test_OBJECTS = $(am_strpftime_test_OBJECTS)
 strpftime_test_DEPENDENCIES = libtest.la $(am__DEPENDENCIES_2)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+strpftime_test_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(strpftime_test_CFLAGS) \
+	$(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+am_test_readenv_OBJECTS = test-readenv.$(OBJEXT) test-mem.$(OBJEXT)
+test_readenv_OBJECTS = $(am_test_readenv_OBJECTS)
+test_readenv_LDADD = $(LDADD)
+test_readenv_DEPENDENCIES = libroken.la $(am__DEPENDENCIES_1)
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
 SOURCES = $(libroken_la_SOURCES) $(EXTRA_libroken_la_SOURCES) \
 	$(libtest_la_SOURCES) base64-test.c getaddrinfo-test.c \
-	$(nodist_make_roken_SOURCES) parse_bytes-test.c \
-	$(parse_reply_test_SOURCES) $(snprintf_test_SOURCES) \
-	$(strpftime_test_SOURCES)
-DIST_SOURCES = $(libroken_la_SOURCES) $(EXTRA_libroken_la_SOURCES) \
-	$(libtest_la_SOURCES) base64-test.c getaddrinfo-test.c \
-	parse_bytes-test.c $(parse_reply_test_SOURCES) \
-	$(snprintf_test_SOURCES) $(strpftime_test_SOURCES)
+	hex-test.c $(nodist_make_roken_SOURCES) parse_bytes-test.c \
+	$(parse_reply_test_SOURCES) $(parse_time_test_SOURCES) \
+	$(resolve_test_SOURCES) $(snprintf_test_SOURCES) \
+	$(strpftime_test_SOURCES) $(test_readenv_SOURCES)
+DIST_SOURCES = $(am__libroken_la_SOURCES_DIST) \
+	$(EXTRA_libroken_la_SOURCES) $(libtest_la_SOURCES) \
+	base64-test.c getaddrinfo-test.c hex-test.c parse_bytes-test.c \
+	$(parse_reply_test_SOURCES) $(parse_time_test_SOURCES) \
+	$(resolve_test_SOURCES) $(snprintf_test_SOURCES) \
+	$(strpftime_test_SOURCES) $(test_readenv_SOURCES)
 man3dir = $(mandir)/man3
 MANS = $(man_MANS)
-am__include_HEADERS_DIST = base64.h getarg.h parse_bytes.h \
+am__dist_include_HEADERS_DIST = base64.h getarg.h hex.h parse_bytes.h \
 	parse_time.h parse_units.h resolve.h roken-common.h rtbl.h \
-	xdbm.h err.h fnmatch.h glob.h ifaddrs.h vis.h
-includeHEADERS_INSTALL = $(INSTALL_HEADER)
+	xdbm.h socket_wrapper.h
+dist_includeHEADERS_INSTALL = $(INSTALL_HEADER)
 nodist_includeHEADERS_INSTALL = $(INSTALL_HEADER)
-HEADERS = $(include_HEADERS) $(nodist_include_HEADERS)
+nodist_rokenincludeHEADERS_INSTALL = $(INSTALL_HEADER)
+HEADERS = $(dist_include_HEADERS) $(nodist_include_HEADERS) \
+	$(nodist_rokeninclude_HEADERS)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -209,23 +279,22 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
 CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
+
+# XXX this is needed for the LIBOBJS objects
+CPPFLAGS = $(libroken_la_CPPFLAGS)
 CXX = @CXX@
 CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -233,42 +302,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -286,12 +340,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -301,15 +352,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -318,6 +368,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -329,15 +380,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -345,74 +391,79 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .hin
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .hin
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -429,78 +480,51 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 ACLOCAL_AMFLAGS = -I ../../cf
-CLEANFILES = roken.h make-roken.c $(XHEADERS)
+CLEANFILES = roken.h make-roken.c $(XHEADERS) err.h fnmatch.h glob.h \
+	ifaddrs.h vis.h
 lib_LTLIBRARIES = libroken.la
-libroken_la_LDFLAGS = -version-info 16:3:0
+libroken_la_LDFLAGS = -version-info 19:0:1
+libroken_la_CPPFLAGS = -DBUILD_ROKEN_LIB
 nodist_make_roken_SOURCES = make-roken.c
 TESTS = $(check_PROGRAMS)
 LDADD = libroken.la $(LIB_crypt)
 make_roken_LDADD = 
 noinst_LTLIBRARIES = libtest.la
 libtest_la_SOURCES = strftime.c strptime.c snprintf.c
-libtest_la_CFLAGS = -DTEST_SNPRINTF
+libtest_la_CFLAGS = -DTEST_SNPRINTF -DTEST_STRPFTIME
 parse_reply_test_SOURCES = parse_reply-test.c resolve.c
 parse_reply_test_CFLAGS = -DTEST_RESOLVE
-strpftime_test_SOURCES = strpftime-test.c
+test_readenv_SOURCES = test-readenv.c test-mem.c
+parse_time_test_SOURCES = parse_time-test.c test-mem.c
+strpftime_test_SOURCES = strpftime-test.c strpftime-test.h
 strpftime_test_LDADD = libtest.la $(LDADD)
-snprintf_test_SOURCES = snprintf-test.c
+strpftime_test_CFLAGS = -DTEST_STRPFTIME
+snprintf_test_SOURCES = snprintf-test.c snprintf-test.h
 snprintf_test_LDADD = libtest.la $(LDADD)
 snprintf_test_CFLAGS = -DTEST_SNPRINTF
-libroken_la_SOURCES = \
-	base64.c		\
-	bswap.c			\
-	concat.c		\
-	environment.c		\
-	eread.c			\
-	esetenv.c		\
-	ewrite.c		\
-	getaddrinfo_hostspec.c	\
-	get_default_username.c	\
-	get_window_size.c	\
-	getarg.c		\
-	getnameinfo_verified.c	\
-	getprogname.c		\
-	h_errno.c		\
-	hostent_find_fqdn.c	\
-	issuid.c		\
-	k_getpwnam.c		\
-	k_getpwuid.c		\
-	mini_inetd.c		\
-	net_read.c		\
-	net_write.c		\
-	parse_bytes.c		\
-	parse_time.c		\
-	parse_units.c		\
-	resolve.c		\
-	roken_gethostby.c	\
-	rtbl.c			\
-	rtbl.h			\
-	setprogname.c		\
-	signal.c		\
-	simple_exec.c		\
-	snprintf.c		\
-	socket.c		\
-	strcollect.c		\
-	timeval.c		\
-	tm2time.c		\
-	unvis.c			\
-	verify.c		\
-	vis.c			\
-	vis.h			\
-	warnerr.c		\
-	write_pid.c		\
-	xdbm.h
-
+resolve_test_SOURCES = resolve-test.c
+libroken_la_SOURCES = base64.c bswap.c concat.c dumpdata.c \
+	environment.c eread.c esetenv.c ewrite.c \
+	getaddrinfo_hostspec.c get_default_username.c \
+	get_window_size.c getarg.c getnameinfo_verified.c \
+	getprogname.c h_errno.c hex.c hostent_find_fqdn.c issuid.c \
+	k_getpwnam.c k_getpwuid.c mini_inetd.c net_read.c net_write.c \
+	parse_bytes.c parse_time.c parse_units.c realloc.c resolve.c \
+	roken_gethostby.c rtbl.c rtbl.h setprogname.c signal.c \
+	simple_exec.c snprintf.c socket.c strcollect.c strpool.c \
+	timeval.c tm2time.c unvis.c verify.c vis.c vis.h warnerr.c \
+	write_pid.c xdbm.h $(am__append_1)
 EXTRA_libroken_la_SOURCES = \
 	err.hin			\
 	glob.hin		\
+	fnmatch.hin		\
 	ifaddrs.hin		\
 	vis.hin	
 
-EXTRA_DIST = roken.awk roken.h.in
-libroken_la_LIBADD = @LTLIBOBJS@ $(DBLIB)
+libroken_la_LIBADD = @LTLIBOBJS@
 BUILT_SOURCES = make-roken.c roken.h
 @have_err_h_FALSE@err_h = err.h
 @have_err_h_TRUE@err_h = 
@@ -513,25 +537,26 @@ BUILT_SOURCES = make-roken.c roken.h
 @have_vis_h_FALSE@vis_h = vis.h
 @have_vis_h_TRUE@vis_h = 
 XHEADERS = $(err_h) $(fnmatch_h) $(glob_h) $(ifaddrs_h) $(vis_h)
-include_HEADERS = \
-	base64.h				\
-	getarg.h				\
-	parse_bytes.h 				\
-	parse_time.h 				\
-	parse_units.h				\
-	resolve.h 				\
-	roken-common.h 				\
-	rtbl.h 					\
-	xdbm.h					\
-	$(XHEADERS) 
-
+dist_include_HEADERS = base64.h getarg.h hex.h parse_bytes.h \
+	parse_time.h parse_units.h resolve.h roken-common.h rtbl.h \
+	xdbm.h $(am__append_2)
+build_HEADERZ = test-mem.h $(XHEADERS)
 nodist_include_HEADERS = roken.h
-man_MANS = getarg.3
+rokenincludedir = $(includedir)/roken
+nodist_rokeninclude_HEADERS = $(XHEADERS)
+man_MANS = getarg.3 parse_time.3 rtbl.3 ecalloc.3
+EXTRA_DIST = \
+	roken.awk roken.h.in \
+	$(man_MANS) \
+	test-mem.h \
+	ndbm_wrap.c \
+	ndbm_wrap.h
+
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .hin .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .hin .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -563,10 +588,10 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)"
+	test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    f="`echo $$p | sed -e 's|^.*/||'`"; \
+	    f=$(am__strip_dir) \
 	    echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \
 	    $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \
 	  else :; fi; \
@@ -575,7 +600,7 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 uninstall-libLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
-	    p="`echo $$p | sed -e 's|^.*/||'`"; \
+	  p=$(am__strip_dir) \
 	  echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \
 	  $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \
 	done
@@ -584,7 +609,7 @@ clean-libLTLIBRARIES:
 	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" = "$$p" && dir=.; \
+	  test "$$dir" != "$$p" || dir=.; \
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
@@ -593,14 +618,14 @@ clean-noinstLTLIBRARIES:
 	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
 	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
 	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" = "$$p" && dir=.; \
+	  test "$$dir" != "$$p" || dir=.; \
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
 libroken.la: $(libroken_la_OBJECTS) $(libroken_la_DEPENDENCIES) 
-	$(LINK) -rpath $(libdir) $(libroken_la_LDFLAGS) $(libroken_la_OBJECTS) $(libroken_la_LIBADD) $(LIBS)
+	$(libroken_la_LINK) -rpath $(libdir) $(libroken_la_OBJECTS) $(libroken_la_LIBADD) $(LIBS)
 libtest.la: $(libtest_la_OBJECTS) $(libtest_la_DEPENDENCIES) 
-	$(LINK)  $(libtest_la_LDFLAGS) $(libtest_la_OBJECTS) $(libtest_la_LIBADD) $(LIBS)
+	$(libtest_la_LINK)  $(libtest_la_OBJECTS) $(libtest_la_LIBADD) $(LIBS)
 
 clean-checkPROGRAMS:
 	@list='$(check_PROGRAMS)'; for p in $$list; do \
@@ -617,25 +642,37 @@ clean-noinstPROGRAMS:
 	done
 base64-test$(EXEEXT): $(base64_test_OBJECTS) $(base64_test_DEPENDENCIES) 
 	@rm -f base64-test$(EXEEXT)
-	$(LINK) $(base64_test_LDFLAGS) $(base64_test_OBJECTS) $(base64_test_LDADD) $(LIBS)
+	$(LINK) $(base64_test_OBJECTS) $(base64_test_LDADD) $(LIBS)
 getaddrinfo-test$(EXEEXT): $(getaddrinfo_test_OBJECTS) $(getaddrinfo_test_DEPENDENCIES) 
 	@rm -f getaddrinfo-test$(EXEEXT)
-	$(LINK) $(getaddrinfo_test_LDFLAGS) $(getaddrinfo_test_OBJECTS) $(getaddrinfo_test_LDADD) $(LIBS)
+	$(LINK) $(getaddrinfo_test_OBJECTS) $(getaddrinfo_test_LDADD) $(LIBS)
+hex-test$(EXEEXT): $(hex_test_OBJECTS) $(hex_test_DEPENDENCIES) 
+	@rm -f hex-test$(EXEEXT)
+	$(LINK) $(hex_test_OBJECTS) $(hex_test_LDADD) $(LIBS)
 make-roken$(EXEEXT): $(make_roken_OBJECTS) $(make_roken_DEPENDENCIES) 
 	@rm -f make-roken$(EXEEXT)
-	$(LINK) $(make_roken_LDFLAGS) $(make_roken_OBJECTS) $(make_roken_LDADD) $(LIBS)
+	$(LINK) $(make_roken_OBJECTS) $(make_roken_LDADD) $(LIBS)
 parse_bytes-test$(EXEEXT): $(parse_bytes_test_OBJECTS) $(parse_bytes_test_DEPENDENCIES) 
 	@rm -f parse_bytes-test$(EXEEXT)
-	$(LINK) $(parse_bytes_test_LDFLAGS) $(parse_bytes_test_OBJECTS) $(parse_bytes_test_LDADD) $(LIBS)
+	$(LINK) $(parse_bytes_test_OBJECTS) $(parse_bytes_test_LDADD) $(LIBS)
 parse_reply-test$(EXEEXT): $(parse_reply_test_OBJECTS) $(parse_reply_test_DEPENDENCIES) 
 	@rm -f parse_reply-test$(EXEEXT)
-	$(LINK) $(parse_reply_test_LDFLAGS) $(parse_reply_test_OBJECTS) $(parse_reply_test_LDADD) $(LIBS)
+	$(parse_reply_test_LINK) $(parse_reply_test_OBJECTS) $(parse_reply_test_LDADD) $(LIBS)
+parse_time-test$(EXEEXT): $(parse_time_test_OBJECTS) $(parse_time_test_DEPENDENCIES) 
+	@rm -f parse_time-test$(EXEEXT)
+	$(LINK) $(parse_time_test_OBJECTS) $(parse_time_test_LDADD) $(LIBS)
+resolve-test$(EXEEXT): $(resolve_test_OBJECTS) $(resolve_test_DEPENDENCIES) 
+	@rm -f resolve-test$(EXEEXT)
+	$(LINK) $(resolve_test_OBJECTS) $(resolve_test_LDADD) $(LIBS)
 snprintf-test$(EXEEXT): $(snprintf_test_OBJECTS) $(snprintf_test_DEPENDENCIES) 
 	@rm -f snprintf-test$(EXEEXT)
-	$(LINK) $(snprintf_test_LDFLAGS) $(snprintf_test_OBJECTS) $(snprintf_test_LDADD) $(LIBS)
+	$(snprintf_test_LINK) $(snprintf_test_OBJECTS) $(snprintf_test_LDADD) $(LIBS)
 strpftime-test$(EXEEXT): $(strpftime_test_OBJECTS) $(strpftime_test_DEPENDENCIES) 
 	@rm -f strpftime-test$(EXEEXT)
-	$(LINK) $(strpftime_test_LDFLAGS) $(strpftime_test_OBJECTS) $(strpftime_test_LDADD) $(LIBS)
+	$(strpftime_test_LINK) $(strpftime_test_OBJECTS) $(strpftime_test_LDADD) $(LIBS)
+test-readenv$(EXEEXT): $(test_readenv_OBJECTS) $(test_readenv_DEPENDENCIES) 
+	@rm -f test-readenv$(EXEEXT)
+	$(LINK) $(test_readenv_OBJECTS) $(test_readenv_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -652,32 +689,149 @@ distclean-compile:
 .c.lo:
 	$(LTCOMPILE) -c -o $@ $<
 
-libtest_la-strftime.o: strftime.c
-	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-strftime.o `test -f 'strftime.c' || echo '$(srcdir)/'`strftime.c
+libroken_la-base64.lo: base64.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-base64.lo `test -f 'base64.c' || echo '$(srcdir)/'`base64.c
 
-libtest_la-strftime.obj: strftime.c
-	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-strftime.obj `if test -f 'strftime.c'; then $(CYGPATH_W) 'strftime.c'; else $(CYGPATH_W) '$(srcdir)/strftime.c'; fi`
+libroken_la-bswap.lo: bswap.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-bswap.lo `test -f 'bswap.c' || echo '$(srcdir)/'`bswap.c
 
-libtest_la-strftime.lo: strftime.c
-	$(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-strftime.lo `test -f 'strftime.c' || echo '$(srcdir)/'`strftime.c
+libroken_la-concat.lo: concat.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-concat.lo `test -f 'concat.c' || echo '$(srcdir)/'`concat.c
 
-libtest_la-strptime.o: strptime.c
-	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-strptime.o `test -f 'strptime.c' || echo '$(srcdir)/'`strptime.c
+libroken_la-dumpdata.lo: dumpdata.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-dumpdata.lo `test -f 'dumpdata.c' || echo '$(srcdir)/'`dumpdata.c
 
-libtest_la-strptime.obj: strptime.c
-	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-strptime.obj `if test -f 'strptime.c'; then $(CYGPATH_W) 'strptime.c'; else $(CYGPATH_W) '$(srcdir)/strptime.c'; fi`
+libroken_la-environment.lo: environment.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-environment.lo `test -f 'environment.c' || echo '$(srcdir)/'`environment.c
 
-libtest_la-strptime.lo: strptime.c
-	$(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-strptime.lo `test -f 'strptime.c' || echo '$(srcdir)/'`strptime.c
+libroken_la-eread.lo: eread.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-eread.lo `test -f 'eread.c' || echo '$(srcdir)/'`eread.c
+
+libroken_la-esetenv.lo: esetenv.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-esetenv.lo `test -f 'esetenv.c' || echo '$(srcdir)/'`esetenv.c
+
+libroken_la-ewrite.lo: ewrite.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-ewrite.lo `test -f 'ewrite.c' || echo '$(srcdir)/'`ewrite.c
+
+libroken_la-getaddrinfo_hostspec.lo: getaddrinfo_hostspec.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-getaddrinfo_hostspec.lo `test -f 'getaddrinfo_hostspec.c' || echo '$(srcdir)/'`getaddrinfo_hostspec.c
+
+libroken_la-get_default_username.lo: get_default_username.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-get_default_username.lo `test -f 'get_default_username.c' || echo '$(srcdir)/'`get_default_username.c
+
+libroken_la-get_window_size.lo: get_window_size.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-get_window_size.lo `test -f 'get_window_size.c' || echo '$(srcdir)/'`get_window_size.c
+
+libroken_la-getarg.lo: getarg.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-getarg.lo `test -f 'getarg.c' || echo '$(srcdir)/'`getarg.c
+
+libroken_la-getnameinfo_verified.lo: getnameinfo_verified.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-getnameinfo_verified.lo `test -f 'getnameinfo_verified.c' || echo '$(srcdir)/'`getnameinfo_verified.c
+
+libroken_la-getprogname.lo: getprogname.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-getprogname.lo `test -f 'getprogname.c' || echo '$(srcdir)/'`getprogname.c
+
+libroken_la-h_errno.lo: h_errno.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-h_errno.lo `test -f 'h_errno.c' || echo '$(srcdir)/'`h_errno.c
+
+libroken_la-hex.lo: hex.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-hex.lo `test -f 'hex.c' || echo '$(srcdir)/'`hex.c
+
+libroken_la-hostent_find_fqdn.lo: hostent_find_fqdn.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-hostent_find_fqdn.lo `test -f 'hostent_find_fqdn.c' || echo '$(srcdir)/'`hostent_find_fqdn.c
+
+libroken_la-issuid.lo: issuid.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-issuid.lo `test -f 'issuid.c' || echo '$(srcdir)/'`issuid.c
+
+libroken_la-k_getpwnam.lo: k_getpwnam.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-k_getpwnam.lo `test -f 'k_getpwnam.c' || echo '$(srcdir)/'`k_getpwnam.c
+
+libroken_la-k_getpwuid.lo: k_getpwuid.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-k_getpwuid.lo `test -f 'k_getpwuid.c' || echo '$(srcdir)/'`k_getpwuid.c
+
+libroken_la-mini_inetd.lo: mini_inetd.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-mini_inetd.lo `test -f 'mini_inetd.c' || echo '$(srcdir)/'`mini_inetd.c
+
+libroken_la-net_read.lo: net_read.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-net_read.lo `test -f 'net_read.c' || echo '$(srcdir)/'`net_read.c
+
+libroken_la-net_write.lo: net_write.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-net_write.lo `test -f 'net_write.c' || echo '$(srcdir)/'`net_write.c
+
+libroken_la-parse_bytes.lo: parse_bytes.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-parse_bytes.lo `test -f 'parse_bytes.c' || echo '$(srcdir)/'`parse_bytes.c
+
+libroken_la-parse_time.lo: parse_time.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-parse_time.lo `test -f 'parse_time.c' || echo '$(srcdir)/'`parse_time.c
+
+libroken_la-parse_units.lo: parse_units.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-parse_units.lo `test -f 'parse_units.c' || echo '$(srcdir)/'`parse_units.c
+
+libroken_la-realloc.lo: realloc.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-realloc.lo `test -f 'realloc.c' || echo '$(srcdir)/'`realloc.c
+
+libroken_la-resolve.lo: resolve.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-resolve.lo `test -f 'resolve.c' || echo '$(srcdir)/'`resolve.c
+
+libroken_la-roken_gethostby.lo: roken_gethostby.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-roken_gethostby.lo `test -f 'roken_gethostby.c' || echo '$(srcdir)/'`roken_gethostby.c
+
+libroken_la-rtbl.lo: rtbl.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-rtbl.lo `test -f 'rtbl.c' || echo '$(srcdir)/'`rtbl.c
+
+libroken_la-setprogname.lo: setprogname.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-setprogname.lo `test -f 'setprogname.c' || echo '$(srcdir)/'`setprogname.c
+
+libroken_la-signal.lo: signal.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-signal.lo `test -f 'signal.c' || echo '$(srcdir)/'`signal.c
+
+libroken_la-simple_exec.lo: simple_exec.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-simple_exec.lo `test -f 'simple_exec.c' || echo '$(srcdir)/'`simple_exec.c
+
+libroken_la-snprintf.lo: snprintf.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-snprintf.lo `test -f 'snprintf.c' || echo '$(srcdir)/'`snprintf.c
+
+libroken_la-socket.lo: socket.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-socket.lo `test -f 'socket.c' || echo '$(srcdir)/'`socket.c
 
-libtest_la-snprintf.o: snprintf.c
-	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-snprintf.o `test -f 'snprintf.c' || echo '$(srcdir)/'`snprintf.c
+libroken_la-strcollect.lo: strcollect.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-strcollect.lo `test -f 'strcollect.c' || echo '$(srcdir)/'`strcollect.c
 
-libtest_la-snprintf.obj: snprintf.c
-	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-snprintf.obj `if test -f 'snprintf.c'; then $(CYGPATH_W) 'snprintf.c'; else $(CYGPATH_W) '$(srcdir)/snprintf.c'; fi`
+libroken_la-strpool.lo: strpool.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-strpool.lo `test -f 'strpool.c' || echo '$(srcdir)/'`strpool.c
+
+libroken_la-timeval.lo: timeval.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-timeval.lo `test -f 'timeval.c' || echo '$(srcdir)/'`timeval.c
+
+libroken_la-tm2time.lo: tm2time.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-tm2time.lo `test -f 'tm2time.c' || echo '$(srcdir)/'`tm2time.c
+
+libroken_la-unvis.lo: unvis.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-unvis.lo `test -f 'unvis.c' || echo '$(srcdir)/'`unvis.c
+
+libroken_la-verify.lo: verify.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-verify.lo `test -f 'verify.c' || echo '$(srcdir)/'`verify.c
+
+libroken_la-vis.lo: vis.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-vis.lo `test -f 'vis.c' || echo '$(srcdir)/'`vis.c
+
+libroken_la-warnerr.lo: warnerr.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-warnerr.lo `test -f 'warnerr.c' || echo '$(srcdir)/'`warnerr.c
+
+libroken_la-write_pid.lo: write_pid.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-write_pid.lo `test -f 'write_pid.c' || echo '$(srcdir)/'`write_pid.c
+
+libroken_la-socket_wrapper.lo: socket_wrapper.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libroken_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libroken_la-socket_wrapper.lo `test -f 'socket_wrapper.c' || echo '$(srcdir)/'`socket_wrapper.c
+
+libtest_la-strftime.lo: strftime.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-strftime.lo `test -f 'strftime.c' || echo '$(srcdir)/'`strftime.c
+
+libtest_la-strptime.lo: strptime.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-strptime.lo `test -f 'strptime.c' || echo '$(srcdir)/'`strptime.c
 
 libtest_la-snprintf.lo: snprintf.c
-	$(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-snprintf.lo `test -f 'snprintf.c' || echo '$(srcdir)/'`snprintf.c
+	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libtest_la_CFLAGS) $(CFLAGS) -c -o libtest_la-snprintf.lo `test -f 'snprintf.c' || echo '$(srcdir)/'`snprintf.c
 
 parse_reply_test-parse_reply-test.o: parse_reply-test.c
 	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(parse_reply_test_CFLAGS) $(CFLAGS) -c -o parse_reply_test-parse_reply-test.o `test -f 'parse_reply-test.c' || echo '$(srcdir)/'`parse_reply-test.c
@@ -685,39 +839,32 @@ parse_reply_test-parse_reply-test.o: parse_reply-test.c
 parse_reply_test-parse_reply-test.obj: parse_reply-test.c
 	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(parse_reply_test_CFLAGS) $(CFLAGS) -c -o parse_reply_test-parse_reply-test.obj `if test -f 'parse_reply-test.c'; then $(CYGPATH_W) 'parse_reply-test.c'; else $(CYGPATH_W) '$(srcdir)/parse_reply-test.c'; fi`
 
-parse_reply_test-parse_reply-test.lo: parse_reply-test.c
-	$(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(parse_reply_test_CFLAGS) $(CFLAGS) -c -o parse_reply_test-parse_reply-test.lo `test -f 'parse_reply-test.c' || echo '$(srcdir)/'`parse_reply-test.c
-
 parse_reply_test-resolve.o: resolve.c
 	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(parse_reply_test_CFLAGS) $(CFLAGS) -c -o parse_reply_test-resolve.o `test -f 'resolve.c' || echo '$(srcdir)/'`resolve.c
 
 parse_reply_test-resolve.obj: resolve.c
 	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(parse_reply_test_CFLAGS) $(CFLAGS) -c -o parse_reply_test-resolve.obj `if test -f 'resolve.c'; then $(CYGPATH_W) 'resolve.c'; else $(CYGPATH_W) '$(srcdir)/resolve.c'; fi`
 
-parse_reply_test-resolve.lo: resolve.c
-	$(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(parse_reply_test_CFLAGS) $(CFLAGS) -c -o parse_reply_test-resolve.lo `test -f 'resolve.c' || echo '$(srcdir)/'`resolve.c
-
 snprintf_test-snprintf-test.o: snprintf-test.c
 	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(snprintf_test_CFLAGS) $(CFLAGS) -c -o snprintf_test-snprintf-test.o `test -f 'snprintf-test.c' || echo '$(srcdir)/'`snprintf-test.c
 
 snprintf_test-snprintf-test.obj: snprintf-test.c
 	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(snprintf_test_CFLAGS) $(CFLAGS) -c -o snprintf_test-snprintf-test.obj `if test -f 'snprintf-test.c'; then $(CYGPATH_W) 'snprintf-test.c'; else $(CYGPATH_W) '$(srcdir)/snprintf-test.c'; fi`
 
-snprintf_test-snprintf-test.lo: snprintf-test.c
-	$(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(snprintf_test_CFLAGS) $(CFLAGS) -c -o snprintf_test-snprintf-test.lo `test -f 'snprintf-test.c' || echo '$(srcdir)/'`snprintf-test.c
+strpftime_test-strpftime-test.o: strpftime-test.c
+	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(strpftime_test_CFLAGS) $(CFLAGS) -c -o strpftime_test-strpftime-test.o `test -f 'strpftime-test.c' || echo '$(srcdir)/'`strpftime-test.c
+
+strpftime_test-strpftime-test.obj: strpftime-test.c
+	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(strpftime_test_CFLAGS) $(CFLAGS) -c -o strpftime_test-strpftime-test.obj `if test -f 'strpftime-test.c'; then $(CYGPATH_W) 'strpftime-test.c'; else $(CYGPATH_W) '$(srcdir)/strpftime-test.c'; fi`
 
 mostlyclean-libtool:
 	-rm -f *.lo
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 install-man3: $(man3_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man3dir)" || $(mkdir_p) "$(DESTDIR)$(man3dir)"
+	test -z "$(man3dir)" || $(MKDIR_P) "$(DESTDIR)$(man3dir)"
 	@list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -760,29 +907,29 @@ uninstall-man3:
 	  echo " rm -f '$(DESTDIR)$(man3dir)/$$inst'"; \
 	  rm -f "$(DESTDIR)$(man3dir)/$$inst"; \
 	done
-install-includeHEADERS: $(include_HEADERS)
+install-dist_includeHEADERS: $(dist_include_HEADERS)
 	@$(NORMAL_INSTALL)
-	test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)"
-	@list='$(include_HEADERS)'; for p in $$list; do \
+	test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
+	@list='$(dist_include_HEADERS)'; for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
-	  echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
-	  $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
+	  f=$(am__strip_dir) \
+	  echo " $(dist_includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
+	  $(dist_includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
 	done
 
-uninstall-includeHEADERS:
+uninstall-dist_includeHEADERS:
 	@$(NORMAL_UNINSTALL)
-	@list='$(include_HEADERS)'; for p in $$list; do \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	@list='$(dist_include_HEADERS)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
 	  echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \
 	  rm -f "$(DESTDIR)$(includedir)/$$f"; \
 	done
 install-nodist_includeHEADERS: $(nodist_include_HEADERS)
 	@$(NORMAL_INSTALL)
-	test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)"
+	test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
 	@list='$(nodist_include_HEADERS)'; for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  f=$(am__strip_dir) \
 	  echo " $(nodist_includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
 	  $(nodist_includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
 	done
@@ -790,10 +937,27 @@ install-nodist_includeHEADERS: $(nodist_include_HEADERS)
 uninstall-nodist_includeHEADERS:
 	@$(NORMAL_UNINSTALL)
 	@list='$(nodist_include_HEADERS)'; for p in $$list; do \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  f=$(am__strip_dir) \
 	  echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \
 	  rm -f "$(DESTDIR)$(includedir)/$$f"; \
 	done
+install-nodist_rokenincludeHEADERS: $(nodist_rokeninclude_HEADERS)
+	@$(NORMAL_INSTALL)
+	test -z "$(rokenincludedir)" || $(MKDIR_P) "$(DESTDIR)$(rokenincludedir)"
+	@list='$(nodist_rokeninclude_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  f=$(am__strip_dir) \
+	  echo " $(nodist_rokenincludeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(rokenincludedir)/$$f'"; \
+	  $(nodist_rokenincludeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(rokenincludedir)/$$f"; \
+	done
+
+uninstall-nodist_rokenincludeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(nodist_rokeninclude_HEADERS)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
+	  echo " rm -f '$(DESTDIR)$(rokenincludedir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(rokenincludedir)/$$f"; \
+	done
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -815,9 +979,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -842,9 +1008,9 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 check-TESTS: $(TESTS)
-	@failed=0; all=0; xfail=0; xpass=0; skip=0; \
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[	 ]'; \
 	srcdir=$(srcdir); export srcdir; \
-	list='$(TESTS)'; \
+	list=' $(TESTS) '; \
 	if test -n "$$list"; then \
 	  for tst in $$list; do \
 	    if test -f ./$$tst; then dir=./; \
@@ -853,7 +1019,7 @@ check-TESTS: $(TESTS)
 	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
 	      all=`expr $$all + 1`; \
 	      case " $(XFAIL_TESTS) " in \
-	      *" $$tst "*) \
+	      *$$ws$$tst$$ws*) \
 		xpass=`expr $$xpass + 1`; \
 		failed=`expr $$failed + 1`; \
 		echo "XPASS: $$tst"; \
@@ -865,7 +1031,7 @@ check-TESTS: $(TESTS)
 	    elif test $$? -ne 77; then \
 	      all=`expr $$all + 1`; \
 	      case " $(XFAIL_TESTS) " in \
-	      *" $$tst "*) \
+	      *$$ws$$tst$$ws*) \
 		xfail=`expr $$xfail + 1`; \
 		echo "XFAIL: $$tst"; \
 	      ;; \
@@ -896,42 +1062,40 @@ check-TESTS: $(TESTS)
 	  skipped=""; \
 	  if test "$$skip" -ne 0; then \
 	    skipped="($$skip tests were not run)"; \
-	    test `echo "$$skipped" | wc -c` -gt `echo "$$banner" | wc -c` && \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
 	      dashes="$$skipped"; \
 	  fi; \
 	  report=""; \
 	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
 	    report="Please report to $(PACKAGE_BUGREPORT)"; \
-	    test `echo "$$report" | wc -c` -gt `echo "$$banner" | wc -c` && \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
 	      dashes="$$report"; \
 	  fi; \
 	  dashes=`echo "$$dashes" | sed s/./=/g`; \
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
-	  test -n "$$skipped" && echo "$$skipped"; \
-	  test -n "$$report" && echo "$$report"; \
+	  test -z "$$skipped" || echo "$$skipped"; \
+	  test -z "$$report" || echo "$$report"; \
 	  echo "$$dashes"; \
 	  test "$$failed" -eq 0; \
 	else :; fi
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../.. $(distdir)/../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -953,8 +1117,8 @@ check: $(BUILT_SOURCES)
 all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(HEADERS) \
 		all-local
 installdirs:
-	for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(rokenincludedir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) install-am
@@ -977,7 +1141,7 @@ clean-generic:
 	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -992,7 +1156,7 @@ clean-am: clean-checkPROGRAMS clean-generic clean-libLTLIBRARIES \
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -1004,19 +1168,28 @@ info: info-am
 
 info-am:
 
-install-data-am: install-includeHEADERS install-man \
-	install-nodist_includeHEADERS
+install-data-am: install-dist_includeHEADERS install-man \
+	install-nodist_includeHEADERS \
+	install-nodist_rokenincludeHEADERS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-libLTLIBRARIES
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man: install-man3
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -1036,28 +1209,38 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-includeHEADERS uninstall-info-am \
-	uninstall-libLTLIBRARIES uninstall-man \
-	uninstall-nodist_includeHEADERS
+uninstall-am: uninstall-dist_includeHEADERS uninstall-libLTLIBRARIES \
+	uninstall-man uninstall-nodist_includeHEADERS \
+	uninstall-nodist_rokenincludeHEADERS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
 
 uninstall-man: uninstall-man3
 
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
 .PHONY: CTAGS GTAGS all all-am all-local check check-TESTS check-am \
 	check-local clean clean-checkPROGRAMS clean-generic \
 	clean-libLTLIBRARIES clean-libtool clean-noinstLTLIBRARIES \
-	clean-noinstPROGRAMS ctags distclean distclean-compile \
-	distclean-generic distclean-libtool distclean-tags distdir dvi \
-	dvi-am html html-am info info-am install install-am \
-	install-data install-data-am install-exec install-exec-am \
-	install-includeHEADERS install-info install-info-am \
+	clean-noinstPROGRAMS ctags dist-hook distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am \
+	install-data-hook install-dist_includeHEADERS install-dvi \
+	install-dvi-am install-exec install-exec-am install-exec-hook \
+	install-html install-html-am install-info install-info-am \
 	install-libLTLIBRARIES install-man install-man3 \
-	install-nodist_includeHEADERS install-strip installcheck \
+	install-nodist_includeHEADERS \
+	install-nodist_rokenincludeHEADERS install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
 	installcheck-am installdirs maintainer-clean \
 	maintainer-clean-generic mostlyclean mostlyclean-compile \
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-includeHEADERS \
-	uninstall-info-am uninstall-libLTLIBRARIES uninstall-man \
-	uninstall-man3 uninstall-nodist_includeHEADERS
+	tags uninstall uninstall-am uninstall-dist_includeHEADERS \
+	uninstall-hook uninstall-libLTLIBRARIES uninstall-man \
+	uninstall-man3 uninstall-nodist_includeHEADERS \
+	uninstall-nodist_rokenincludeHEADERS
 
 
 install-suid-programs:
@@ -1072,8 +1255,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -1083,19 +1266,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -1111,7 +1306,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -1181,15 +1376,40 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
 
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
 $(LTLIBOBJS) $(libroken_la_OBJECTS): roken.h $(XHEADERS)
 .hin.h:
 	cp $< $@
diff --git a/crypto/heimdal/lib/roken/base64-test.c b/crypto/heimdal/lib/roken/base64-test.c
index eace04b..435e41b 100644
--- a/crypto/heimdal/lib/roken/base64-test.c
+++ b/crypto/heimdal/lib/roken/base64-test.c
@@ -33,10 +33,10 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: base64-test.c,v 1.2 2001/05/29 13:12:21 assar Exp $");
+RCSID("$Id: base64-test.c 21005 2007-06-08 01:54:35Z lha $");
 #endif
 
-#include <roken.h>
+#include "roken.h"
 #include <base64.h>
 
 int
@@ -71,8 +71,8 @@ main(int argc, char **argv)
 	str = strdup(t->result);
 	len = base64_decode(t->result, str);
 	if(len != t->len) {
-	    fprintf(stderr, "failed test %d: len %d != %d\n", numtest,
-		    len, t->len);
+	    fprintf(stderr, "failed test %d: len %lu != %lu\n", numtest,
+		    (unsigned long)len, (unsigned long)t->len);
 	    numerr++;
 	} else if(memcmp(str, t->data, t->len) != 0) {
 	    fprintf(stderr, "failed test %d: data\n", numtest);
diff --git a/crypto/heimdal/lib/roken/base64.c b/crypto/heimdal/lib/roken/base64.c
index 21e79c1..daf7fc5 100644
--- a/crypto/heimdal/lib/roken/base64.c
+++ b/crypto/heimdal/lib/roken/base64.c
@@ -33,26 +33,26 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: base64.c,v 1.5 2001/05/28 17:33:41 joda Exp $");
+RCSID("$Id: base64.c 15506 2005-06-23 10:47:57Z lha $");
 #endif
 #include <stdlib.h>
 #include <string.h>
 #include "base64.h"
 
-static char base64_chars[] = 
+static const char base64_chars[] = 
     "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
 
 static int 
 pos(char c)
 {
-    char *p;
+    const char *p;
     for (p = base64_chars; *p; p++)
 	if (*p == c)
 	    return p - base64_chars;
     return -1;
 }
 
-int 
+int ROKEN_LIB_FUNCTION
 base64_encode(const void *data, int size, char **str)
 {
     char *s, *p;
@@ -114,7 +114,7 @@ token_decode(const char *token)
     return (marker << 24) | val;
 }
 
-int
+int ROKEN_LIB_FUNCTION
 base64_decode(const char *str, void *data)
 {
     const char *p;
diff --git a/crypto/heimdal/lib/roken/base64.h b/crypto/heimdal/lib/roken/base64.h
index 5ad1e3b..09aadff 100644
--- a/crypto/heimdal/lib/roken/base64.h
+++ b/crypto/heimdal/lib/roken/base64.h
@@ -31,12 +31,23 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: base64.h,v 1.2 1999/12/02 16:58:45 joda Exp $ */
+/* $Id: base64.h 15535 2005-06-30 07:13:33Z lha $ */
 
 #ifndef _BASE64_H_
 #define _BASE64_H_
 
-int base64_encode(const void *data, int size, char **str);
-int base64_decode(const char *str, void *data);
+#ifndef ROKEN_LIB_FUNCTION
+#ifdef _WIN32
+#define ROKEN_LIB_FUNCTION _stdcall
+#else
+#define ROKEN_LIB_FUNCTION
+#endif
+#endif
+
+int ROKEN_LIB_FUNCTION
+base64_encode(const void *, int, char **);
+
+int ROKEN_LIB_FUNCTION
+base64_decode(const char *, void *);
 
 #endif
diff --git a/crypto/heimdal/lib/roken/bswap.c b/crypto/heimdal/lib/roken/bswap.c
index c57dc6f..e669eb2 100644
--- a/crypto/heimdal/lib/roken/bswap.c
+++ b/crypto/heimdal/lib/roken/bswap.c
@@ -36,11 +36,11 @@
 #endif
 #include "roken.h"
 
-RCSID("$Id: bswap.c,v 1.3 2001/05/18 15:32:11 joda Exp $");
+RCSID("$Id: bswap.c 14773 2005-04-12 11:29:18Z lha $");
 
 #ifndef HAVE_BSWAP32
 
-unsigned int
+unsigned int ROKEN_LIB_FUNCTION
 bswap32 (unsigned int val)
 {
     return (val & 0xff) << 24 |
@@ -52,7 +52,7 @@ bswap32 (unsigned int val)
 
 #ifndef HAVE_BSWAP16
 
-unsigned short
+unsigned short ROKEN_LIB_FUNCTION
 bswap16 (unsigned short val)
 {
     return (val & 0xff) << 8 |
diff --git a/crypto/heimdal/lib/roken/chown.c b/crypto/heimdal/lib/roken/chown.c
index f3d34e3..5eb9c92 100644
--- a/crypto/heimdal/lib/roken/chown.c
+++ b/crypto/heimdal/lib/roken/chown.c
@@ -33,12 +33,12 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: chown.c,v 1.3 1999/12/02 16:58:45 joda Exp $");
+RCSID("$Id: chown.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
 
-int
+int ROKEN_LIB_FUNCTION
 chown(const char *path, uid_t owner, gid_t group)
 {
   return 0;
diff --git a/crypto/heimdal/lib/roken/closefrom.c b/crypto/heimdal/lib/roken/closefrom.c
new file mode 100644
index 0000000..f56e556
--- /dev/null
+++ b/crypto/heimdal/lib/roken/closefrom.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: closefrom.c 21005 2007-06-08 01:54:35Z lha $");
+#endif
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#include "roken.h"
+
+int ROKEN_LIB_FUNCTION
+closefrom(int fd)
+{
+    int num = getdtablesize();
+
+    if (num < 0)
+	num = 1024; /* XXX */
+
+    for (; fd <= num; fd++)
+	close(fd);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/roken/concat.c b/crypto/heimdal/lib/roken/concat.c
index ca295c0..94e0fcc 100644
--- a/crypto/heimdal/lib/roken/concat.c
+++ b/crypto/heimdal/lib/roken/concat.c
@@ -33,11 +33,11 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: concat.c,v 1.4 1999/12/02 16:58:45 joda Exp $");
+RCSID("$Id: concat.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 #include "roken.h"
 
-int
+int ROKEN_LIB_FUNCTION
 roken_concat (char *s, size_t len, ...)
 {
     int ret;
@@ -49,7 +49,7 @@ roken_concat (char *s, size_t len, ...)
     return ret;
 }
 
-int
+int ROKEN_LIB_FUNCTION
 roken_vconcat (char *s, size_t len, va_list args)
 {
     const char *a;
@@ -67,7 +67,7 @@ roken_vconcat (char *s, size_t len, va_list args)
     return 0;
 }
 
-size_t
+size_t ROKEN_LIB_FUNCTION
 roken_vmconcat (char **s, size_t max_len, va_list args)
 {
     const char *a;
@@ -99,7 +99,7 @@ roken_vmconcat (char **s, size_t max_len, va_list args)
     return len;
 }
 
-size_t
+size_t ROKEN_LIB_FUNCTION
 roken_mconcat (char **s, size_t max_len, ...)
 {
     int ret;
diff --git a/crypto/heimdal/lib/roken/copyhostent.c b/crypto/heimdal/lib/roken/copyhostent.c
index a3be6db..6410449 100644
--- a/crypto/heimdal/lib/roken/copyhostent.c
+++ b/crypto/heimdal/lib/roken/copyhostent.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: copyhostent.c,v 1.2 1999/12/02 16:58:45 joda Exp $");
+RCSID("$Id: copyhostent.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
@@ -42,7 +42,7 @@ RCSID("$Id: copyhostent.c,v 1.2 1999/12/02 16:58:45 joda Exp $");
  * return a malloced copy of `h'
  */
 
-struct hostent *
+struct hostent * ROKEN_LIB_FUNCTION
 copyhostent (const struct hostent *h)
 {
     struct hostent *res;
diff --git a/crypto/heimdal/lib/roken/daemon.c b/crypto/heimdal/lib/roken/daemon.c
index 758856c..2bc2350 100644
--- a/crypto/heimdal/lib/roken/daemon.c
+++ b/crypto/heimdal/lib/roken/daemon.c
@@ -10,11 +10,7 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
+ * 3. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
@@ -39,7 +35,7 @@ static char sccsid[] = "@(#)daemon.c	8.1 (Berkeley) 6/4/93";
 #include <config.h>
 #endif
 
-RCSID("$Id: daemon.c,v 1.3 1997/10/04 21:55:48 joda Exp $");
+RCSID("$Id: daemon.c 14773 2005-04-12 11:29:18Z lha $");
 
 #ifndef HAVE_DAEMON
 
@@ -55,7 +51,7 @@ RCSID("$Id: daemon.c,v 1.3 1997/10/04 21:55:48 joda Exp $");
 
 #include "roken.h"
 
-int
+int ROKEN_LIB_FUNCTION
 daemon(int nochdir, int noclose)
 {
     int fd;
diff --git a/crypto/heimdal/lib/roken/dumpdata.c b/crypto/heimdal/lib/roken/dumpdata.c
new file mode 100644
index 0000000..4750cac
--- /dev/null
+++ b/crypto/heimdal/lib/roken/dumpdata.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: dumpdata.c 21005 2007-06-08 01:54:35Z lha $");
+#endif
+
+#include <unistd.h>
+
+#include "roken.h"
+
+/*
+ * Write datablob to a filename, don't care about errors.
+ */
+
+void ROKEN_LIB_FUNCTION
+rk_dumpdata (const char *filename, const void *buf, size_t size)
+{
+    int fd;
+
+    fd = open(filename, O_WRONLY|O_TRUNC|O_CREAT, 0640);
+    if (fd < 0)
+	return;
+    net_write(fd, buf, size);
+    close(fd);
+}
diff --git a/crypto/heimdal/lib/roken/ecalloc.3 b/crypto/heimdal/lib/roken/ecalloc.3
new file mode 100644
index 0000000..194ad27
--- /dev/null
+++ b/crypto/heimdal/lib/roken/ecalloc.3
@@ -0,0 +1,84 @@
+.\" Copyright (c) 2001, 2003 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden). 
+.\" All rights reserved. 
+.\"
+.\" Redistribution and use in source and binary forms, with or without 
+.\" modification, are permitted provided that the following conditions 
+.\" are met: 
+.\"
+.\" 1. Redistributions of source code must retain the above copyright 
+.\"    notice, this list of conditions and the following disclaimer. 
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright 
+.\"    notice, this list of conditions and the following disclaimer in the 
+.\"    documentation and/or other materials provided with the distribution. 
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors 
+.\"    may be used to endorse or promote products derived from this software 
+.\"    without specific prior written permission. 
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+.\" SUCH DAMAGE. 
+.\" $Id: ecalloc.3 12527 2003-08-15 12:28:14Z joda $
+.\"
+.Dd August 14, 2003
+.Dt ECALLOC 3
+.Os HEIMDAL
+.Sh NAME
+.Nm ecalloc ,
+.Nm emalloc ,
+.Nm eread ,
+.Nm erealloc ,
+.Nm esetenv ,
+.Nm estrdup ,
+.Nm ewrite
+.Nd exit-on-failure wrapper functions
+.Sh LIBRARY
+The roken library (libroken, -lroken)
+.Sh SYNOPSIS
+.Fd #include <roken.h>
+.Ft "void *"
+.Fn ecalloc "size_t number" "size_t size"
+.Ft "void *"
+.Fn emalloc "size_t sz"
+.Ft ssize_t
+.Fn eread "int fd" "void *buf" "size_t nbytes"
+.Ft "void *"
+.Fn erealloc "void *ptr" "size_t sz"
+.Ft void
+.Fn esetenv "const char *var" "const char *val" "int rewrite"
+.Ft "char *"
+.Fn estrdup "const char *str"
+.Ft ssize_t
+.Fn ewrite "int fd" "const void *buf" "size_t nbytes"
+.Sh DESCRIPTION
+These functions do the same as the ones without the 
+.Dq e
+prefix, but if there is an error they will print a message with 
+.Xr errx 3 ,
+and exit. For
+.Nm eread
+and 
+.Nm ewrite
+this is also true for partial data.
+.Pp
+This is useful in applications when there is no need for a more
+advanced failure mode.
+.Sh SEE ALSO
+.Xr read 2 ,
+.Xr write 2 ,
+.Xr calloc 3 ,
+.Xr errx 3 ,
+.Xr malloc 3 ,
+.Xr realloc 3 ,
+.Xr setenv 3 ,
+.Xr strdup 3
diff --git a/crypto/heimdal/lib/roken/ecalloc.c b/crypto/heimdal/lib/roken/ecalloc.c
index 142704f..c5ef4a7 100644
--- a/crypto/heimdal/lib/roken/ecalloc.c
+++ b/crypto/heimdal/lib/roken/ecalloc.c
@@ -33,19 +33,19 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: ecalloc.c,v 1.1 2001/06/17 12:09:37 assar Exp $");
+RCSID("$Id: ecalloc.c 21005 2007-06-08 01:54:35Z lha $");
 #endif
 
 #include <stdlib.h>
 #include <err.h>
 
-#include <roken.h>
+#include "roken.h"
 
 /*
  * Like calloc but never fails.
  */
 
-void *
+void * ROKEN_LIB_FUNCTION
 ecalloc (size_t number, size_t size)
 {
     void *tmp = calloc (number, size);
diff --git a/crypto/heimdal/lib/roken/emalloc.c b/crypto/heimdal/lib/roken/emalloc.c
index e2734f3..a39fcc0 100644
--- a/crypto/heimdal/lib/roken/emalloc.c
+++ b/crypto/heimdal/lib/roken/emalloc.c
@@ -33,19 +33,19 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: emalloc.c,v 1.5 2001/06/17 12:07:48 assar Exp $");
+RCSID("$Id: emalloc.c 21005 2007-06-08 01:54:35Z lha $");
 #endif
 
 #include <stdlib.h>
 #include <err.h>
 
-#include <roken.h>
+#include "roken.h"
 
 /*
  * Like malloc but never fails.
  */
 
-void *
+void * ROKEN_LIB_FUNCTION
 emalloc (size_t sz)
 {
     void *tmp = malloc (sz);
diff --git a/crypto/heimdal/lib/roken/environment.c b/crypto/heimdal/lib/roken/environment.c
index 62c732c..3822e4c 100644
--- a/crypto/heimdal/lib/roken/environment.c
+++ b/crypto/heimdal/lib/roken/environment.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 2000, 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -34,70 +34,123 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: environment.c,v 1.1 2000/06/21 02:05:03 assar Exp $");
+RCSID("$Id: environment.c 20866 2007-06-03 21:00:29Z lha $");
 #endif
 
 #include <stdio.h>
 #include <string.h>
+#include <ctype.h>
 #include "roken.h"
 
+/* find assignment in env list; len is length of variable including
+ * equal 
+ */
+
+static int
+find_var(char **env, char *assignment, size_t len)
+{
+    int i;
+    for(i = 0; env != NULL && env[i] != NULL; i++)
+	if(strncmp(env[i], assignment, len) == 0)
+	    return i;
+    return -1;
+}
+
 /*
- * return count of environment assignments from `file' and 
- * list of malloced strings in `env'
+ * return count of environment assignments from open file F in
+ * assigned and list of malloced strings in env, return 0 or errno
+ * number
  */
 
-int
-read_environment(const char *file, char ***env)
+static int
+rk_read_env_file(FILE *F, char ***env, int *assigned)
 {
-    int i, k;
-    FILE *F;
+    int idx = 0;
+    int i;
     char **l;
     char buf[BUFSIZ], *p, *r;
+    char **tmp;
+    int ret = 0;
 
-    if ((F = fopen(file, "r")) == NULL) {
-	return 0;
-    }
+    *assigned = 0;
 
-    i = 0;
-    if (*env) {
-	l = *env;
-	while (*l != NULL) {
-	    i++;
-	    l++;
-	}
-    }
+    for(idx = 0; *env != NULL && (*env)[idx] != NULL; idx++);
     l = *env;
+
     /* This is somewhat more relaxed on what it accepts then
      * Wietses sysv_environ from K4 was...
      */
     while (fgets(buf, BUFSIZ, F) != NULL) {
-	if (buf[0] == '#')
-	    continue;
-
-	p = strchr(buf, '#');
-	if (p != NULL)
-	    *p = '\0';
+	buf[strcspn(buf, "#\n")] = '\0';
 
-	p = buf;
-	while (*p == ' ' || *p == '\t' || *p == '\n') p++;
+	for(p = buf; isspace((unsigned char)*p); p++);
 	if (*p == '\0')
 	    continue;
 
-	k = strlen(p);
-	if (p[k-1] == '\n')
-	    p[k-1] = '\0';
-
-	/* Here one should check that is is a 'valid' env string... */
+	/* Here one should check that it's a 'valid' env string... */
 	r = strchr(p, '=');
 	if (r == NULL)
 	    continue;
 
-	l = realloc(l, (i+1) * sizeof (char *));
-	l[i++] = strdup(p);
+	if((i = find_var(l, p, r - p + 1)) >= 0) {
+	    char *val = strdup(p);
+	    if(val == NULL) {
+		ret = ENOMEM;
+		break;
+	    }
+	    free(l[i]);
+	    l[i] = val;
+	    (*assigned)++;
+	    continue;
+	}
+
+	tmp = realloc(l, (idx+2) * sizeof (char *));
+	if(tmp == NULL) {
+	    ret = ENOMEM;
+	    break;
+	}
+
+	l = tmp;
+	l[idx] = strdup(p);
+	if(l[idx] == NULL) {
+	    ret = ENOMEM;
+	    break;
+	}
+	l[++idx] = NULL;
+	(*assigned)++;
     }
-    fclose(F);
-    l = realloc(l, (i+1) * sizeof (char *));
-    l[i] = NULL;
+    if(ferror(F))
+	ret = errno;
     *env = l;
-    return i;
+    return ret;
+}
+
+/*
+ * return count of environment assignments from file and 
+ * list of malloced strings in `env'
+ */
+
+int ROKEN_LIB_FUNCTION
+read_environment(const char *file, char ***env)
+{
+    int assigned;
+    FILE *F;
+
+    if ((F = fopen(file, "r")) == NULL)
+	return 0;
+
+    rk_read_env_file(F, env, &assigned);
+    fclose(F);
+    return assigned;
+}
+
+void ROKEN_LIB_FUNCTION
+free_environment(char **env)
+{
+    int i;
+    if (env == NULL)
+	return;
+    for (i = 0; env[i]; i++)
+	free(env[i]);
+    free(env);
 }
diff --git a/crypto/heimdal/lib/roken/eread.c b/crypto/heimdal/lib/roken/eread.c
index 9a1b24b..ec4eed4 100644
--- a/crypto/heimdal/lib/roken/eread.c
+++ b/crypto/heimdal/lib/roken/eread.c
@@ -33,19 +33,19 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: eread.c,v 1.2 1999/12/02 16:58:45 joda Exp $");
+RCSID("$Id: eread.c 21005 2007-06-08 01:54:35Z lha $");
 #endif
 
 #include <unistd.h>
 #include <err.h>
 
-#include <roken.h>
+#include "roken.h"
 
 /*
  * Like read but never fails (and never returns partial data).
  */
 
-ssize_t
+ssize_t ROKEN_LIB_FUNCTION
 eread (int fd, void *buf, size_t nbytes)
 {
     ssize_t ret;
diff --git a/crypto/heimdal/lib/roken/erealloc.c b/crypto/heimdal/lib/roken/erealloc.c
index 8eddd2b..c382360 100644
--- a/crypto/heimdal/lib/roken/erealloc.c
+++ b/crypto/heimdal/lib/roken/erealloc.c
@@ -33,19 +33,19 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: erealloc.c,v 1.5 2001/06/17 12:08:05 assar Exp $");
+RCSID("$Id: erealloc.c 21005 2007-06-08 01:54:35Z lha $");
 #endif
 
 #include <stdlib.h>
 #include <err.h>
 
-#include <roken.h>
+#include "roken.h"
 
 /*
  * Like realloc but never fails.
  */
 
-void *
+void * ROKEN_LIB_FUNCTION
 erealloc (void *ptr, size_t sz)
 {
     void *tmp = realloc (ptr, sz);
diff --git a/crypto/heimdal/lib/roken/err.c b/crypto/heimdal/lib/roken/err.c
index 29b1f7b..dcb820b 100644
--- a/crypto/heimdal/lib/roken/err.c
+++ b/crypto/heimdal/lib/roken/err.c
@@ -33,12 +33,12 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: err.c,v 1.6 1999/12/02 16:58:45 joda Exp $");
+RCSID("$Id: err.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "err.h"
 
-void
+void ROKEN_LIB_FUNCTION
 err(int eval, const char *fmt, ...)
 {
   va_list ap;
diff --git a/crypto/heimdal/lib/roken/err.hin b/crypto/heimdal/lib/roken/err.hin
index 1fa7774..2f1232d 100644
--- a/crypto/heimdal/lib/roken/err.hin
+++ b/crypto/heimdal/lib/roken/err.hin
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan 
+ * Copyright (c) 1995 - 2004 Kungliga Tekniska Högskolan 
  * (Royal Institute of Technology, Stockholm, Sweden).  
  * All rights reserved.
  * 
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: err.hin,v 1.16 2000/12/11 04:40:59 assar Exp $ */
+/* $Id: err.hin 14773 2005-04-12 11:29:18Z lha $ */
 
 #ifndef __ERR_H__
 #define __ERR_H__
@@ -42,27 +42,47 @@
 #include <string.h>
 #include <stdarg.h>
 
-extern const char *__progname;
-
 #if !defined(__GNUC__) && !defined(__attribute__)
 #define __attribute__(x)
 #endif
 
-void verr(int eval, const char *fmt, va_list ap)
+#ifndef ROKEN_LIB_FUNCTION
+#ifdef _WIN32
+#define ROKEN_LIB_FUNCTION _stdcall
+#else
+#define ROKEN_LIB_FUNCTION
+#endif
+#endif
+
+void ROKEN_LIB_FUNCTION
+verr(int eval, const char *fmt, va_list ap)
      __attribute__ ((noreturn, format (printf, 2, 0)));
-void err(int eval, const char *fmt, ...)
+
+void ROKEN_LIB_FUNCTION
+err(int eval, const char *fmt, ...)
      __attribute__ ((noreturn, format (printf, 2, 3)));
-void verrx(int eval, const char *fmt, va_list ap)
+
+void ROKEN_LIB_FUNCTION
+verrx(int eval, const char *fmt, va_list ap)
      __attribute__ ((noreturn, format (printf, 2, 0)));
-void errx(int eval, const char *fmt, ...)
+
+void ROKEN_LIB_FUNCTION
+errx(int eval, const char *fmt, ...)
      __attribute__ ((noreturn, format (printf, 2, 3)));
-void vwarn(const char *fmt, va_list ap)
+void ROKEN_LIB_FUNCTION
+vwarn(const char *fmt, va_list ap)
      __attribute__ ((format (printf, 1, 0)));
-void warn(const char *fmt, ...)
+
+void ROKEN_LIB_FUNCTION
+warn(const char *fmt, ...)
      __attribute__ ((format (printf, 1, 2)));
-void vwarnx(const char *fmt, va_list ap)
+
+void ROKEN_LIB_FUNCTION
+vwarnx(const char *fmt, va_list ap)
      __attribute__ ((format (printf, 1, 0)));
-void warnx(const char *fmt, ...)
+
+void ROKEN_LIB_FUNCTION
+warnx(const char *fmt, ...)
      __attribute__ ((format (printf, 1, 2)));
 
 #endif /* __ERR_H__ */
diff --git a/crypto/heimdal/lib/roken/errx.c b/crypto/heimdal/lib/roken/errx.c
index 2f8ec18..1090ac7 100644
--- a/crypto/heimdal/lib/roken/errx.c
+++ b/crypto/heimdal/lib/roken/errx.c
@@ -33,12 +33,12 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: errx.c,v 1.6 1999/12/02 16:58:45 joda Exp $");
+RCSID("$Id: errx.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "err.h"
 
-void
+void ROKEN_LIB_FUNCTION
 errx(int eval, const char *fmt, ...)
 {
   va_list ap;
diff --git a/crypto/heimdal/lib/roken/esetenv.c b/crypto/heimdal/lib/roken/esetenv.c
index cb35752..e92f04a 100644
--- a/crypto/heimdal/lib/roken/esetenv.c
+++ b/crypto/heimdal/lib/roken/esetenv.c
@@ -33,16 +33,16 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: esetenv.c,v 1.3 2001/01/27 05:28:38 assar Exp $");
+RCSID("$Id: esetenv.c 15502 2005-06-21 18:56:15Z lha $");
 #endif
 
 #include "roken.h"
 
 #include <err.h>
 
-void
+void ROKEN_LIB_FUNCTION
 esetenv(const char *var, const char *val, int rewrite)
 {
-    if (setenv ((char *)var, (char *)val, rewrite))
+    if (setenv (rk_UNCONST(var), rk_UNCONST(val), rewrite))
 	errx (1, "failed setting environment variable %s", var);
 }
diff --git a/crypto/heimdal/lib/roken/estrdup.c b/crypto/heimdal/lib/roken/estrdup.c
index 75d2721..262412b 100644
--- a/crypto/heimdal/lib/roken/estrdup.c
+++ b/crypto/heimdal/lib/roken/estrdup.c
@@ -33,19 +33,19 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: estrdup.c,v 1.3 2001/06/17 12:07:56 assar Exp $");
+RCSID("$Id: estrdup.c 21005 2007-06-08 01:54:35Z lha $");
 #endif
 
 #include <stdlib.h>
 #include <err.h>
 
-#include <roken.h>
+#include "roken.h"
 
 /*
  * Like strdup but never fails.
  */
 
-char *
+char * ROKEN_LIB_FUNCTION
 estrdup (const char *str)
 {
     char *tmp = strdup (str);
diff --git a/crypto/heimdal/lib/roken/ewrite.c b/crypto/heimdal/lib/roken/ewrite.c
index b2c43de..a2323d6 100644
--- a/crypto/heimdal/lib/roken/ewrite.c
+++ b/crypto/heimdal/lib/roken/ewrite.c
@@ -33,19 +33,19 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: ewrite.c,v 1.2 1999/12/02 16:58:45 joda Exp $");
+RCSID("$Id: ewrite.c 21005 2007-06-08 01:54:35Z lha $");
 #endif
 
 #include <unistd.h>
 #include <err.h>
 
-#include <roken.h>
+#include "roken.h"
 
 /*
  * Like write but never fails (and never returns partial data).
  */
 
-ssize_t
+ssize_t ROKEN_LIB_FUNCTION
 ewrite (int fd, const void *buf, size_t nbytes)
 {
     ssize_t ret;
diff --git a/crypto/heimdal/lib/roken/fchown.c b/crypto/heimdal/lib/roken/fchown.c
index 61e8546..87a2051 100644
--- a/crypto/heimdal/lib/roken/fchown.c
+++ b/crypto/heimdal/lib/roken/fchown.c
@@ -33,12 +33,12 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: fchown.c,v 1.3 1999/12/02 16:58:46 joda Exp $");
+RCSID("$Id: fchown.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
 
-int
+int ROKEN_LIB_FUNCTION
 fchown(int fd, uid_t owner, gid_t group)
 {
   return 0;
diff --git a/crypto/heimdal/lib/roken/flock.c b/crypto/heimdal/lib/roken/flock.c
index 13da4f4..911d5ff 100644
--- a/crypto/heimdal/lib/roken/flock.c
+++ b/crypto/heimdal/lib/roken/flock.c
@@ -36,14 +36,14 @@
 #endif
 
 #ifndef HAVE_FLOCK
-RCSID("$Id: flock.c,v 1.4 1999/12/02 16:58:46 joda Exp $");
+RCSID("$Id: flock.c 14773 2005-04-12 11:29:18Z lha $");
 
 #include "roken.h"
 
 
 #define OP_MASK (LOCK_SH | LOCK_EX | LOCK_UN)
 
-int
+int ROKEN_LIB_FUNCTION
 flock(int fd, int operation)
 {
 #if defined(HAVE_FCNTL) && defined(F_SETLK)
diff --git a/crypto/heimdal/lib/roken/fnmatch.c b/crypto/heimdal/lib/roken/fnmatch.c
index dc01d6e..126949a 100644
--- a/crypto/heimdal/lib/roken/fnmatch.c
+++ b/crypto/heimdal/lib/roken/fnmatch.c
@@ -15,11 +15,7 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
+ * 3. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
@@ -56,8 +52,8 @@ static char rcsid[] = "$NetBSD: fnmatch.c,v 1.11 1995/02/27 03:43:06 cgd Exp $";
 
 static const char *rangematch (const char *, int, int);
 
-int
-fnmatch(const char *pattern, const char *string, int flags)
+int ROKEN_LIB_FUNCTION
+rk_fnmatch(const char *pattern, const char *string, int flags)
 {
 	const char *stringstart;
 	char c, test;
@@ -103,7 +99,7 @@ fnmatch(const char *pattern, const char *string, int flags)
 
 			/* General case, use recursion. */
 			while ((test = *string) != EOS) {
-				if (!fnmatch(pattern, string, flags & ~FNM_PERIOD))
+				if (!rk_fnmatch(pattern, string, flags & ~FNM_PERIOD))
 					return (0);
 				if (test == '/' && flags & FNM_PATHNAME)
 					break;
diff --git a/crypto/heimdal/lib/roken/fnmatch.hin b/crypto/heimdal/lib/roken/fnmatch.hin
index 95c91d6..d5d54a5 100644
--- a/crypto/heimdal/lib/roken/fnmatch.hin
+++ b/crypto/heimdal/lib/roken/fnmatch.hin
@@ -12,11 +12,7 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
+ * 3. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
@@ -38,12 +34,31 @@
 #ifndef	_FNMATCH_H_
 #define	_FNMATCH_H_
 
+#ifndef ROKEN_LIB_FUNCTION
+#ifdef _WIN32
+#define ROKEN_LIB_FUNCTION _stdcall
+#else
+#define ROKEN_LIB_FUNCTION
+#endif
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 #define	FNM_NOMATCH	1	/* Match failed. */
 
 #define	FNM_NOESCAPE	0x01	/* Disable backslash escaping. */
 #define	FNM_PATHNAME	0x02	/* Slash must be matched by slash. */
 #define	FNM_PERIOD	0x04	/* Period must be matched by period. */
 
-int	 fnmatch (const char *, const char *, int);
+int ROKEN_LIB_FUNCTION
+rk_fnmatch (const char *, const char *, int);
+
+#define fnmatch(a,b,c) rk_fnmatch(a,b,c)
+
+#ifdef __cplusplus
+}
+#endif
 
 #endif /* !_FNMATCH_H_ */
diff --git a/crypto/heimdal/lib/roken/freeaddrinfo.c b/crypto/heimdal/lib/roken/freeaddrinfo.c
index 56124e5..a61536d 100644
--- a/crypto/heimdal/lib/roken/freeaddrinfo.c
+++ b/crypto/heimdal/lib/roken/freeaddrinfo.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: freeaddrinfo.c,v 1.4 2001/05/11 09:10:32 joda Exp $");
+RCSID("$Id: freeaddrinfo.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
@@ -42,7 +42,7 @@ RCSID("$Id: freeaddrinfo.c,v 1.4 2001/05/11 09:10:32 joda Exp $");
  * free the list of `struct addrinfo' starting at `ai'
  */
 
-void
+void ROKEN_LIB_FUNCTION
 freeaddrinfo(struct addrinfo *ai)
 {
     struct addrinfo *tofree;
diff --git a/crypto/heimdal/lib/roken/freehostent.c b/crypto/heimdal/lib/roken/freehostent.c
index 0cd92cd..54fc495 100644
--- a/crypto/heimdal/lib/roken/freehostent.c
+++ b/crypto/heimdal/lib/roken/freehostent.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: freehostent.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
+RCSID("$Id: freehostent.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
@@ -42,7 +42,7 @@ RCSID("$Id: freehostent.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
  * free a malloced hostent
  */
 
-void
+void ROKEN_LIB_FUNCTION
 freehostent (struct hostent *h)
 {
     char **p;
diff --git a/crypto/heimdal/lib/roken/gai_strerror.c b/crypto/heimdal/lib/roken/gai_strerror.c
index 8e1530f..c862743 100644
--- a/crypto/heimdal/lib/roken/gai_strerror.c
+++ b/crypto/heimdal/lib/roken/gai_strerror.c
@@ -33,14 +33,14 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: gai_strerror.c,v 1.2.20.1 2004/01/15 18:14:17 lha Exp $");
+RCSID("$Id: gai_strerror.c 15837 2005-08-05 09:31:35Z lha $");
 #endif
 
 #include "roken.h"
 
 static struct gai_error {
     int code;
-    char *str;
+    const char *str;
 } errors[] = {
 {EAI_NOERROR,		"no error"},
 #ifdef EAI_ADDRFAMILY
@@ -65,7 +65,7 @@ static struct gai_error {
  *
  */
 
-char *
+const char * ROKEN_LIB_FUNCTION
 gai_strerror(int ecode)
 {
     struct gai_error *g;
diff --git a/crypto/heimdal/lib/roken/get_default_username.c b/crypto/heimdal/lib/roken/get_default_username.c
index 10b0863..754b60d 100644
--- a/crypto/heimdal/lib/roken/get_default_username.c
+++ b/crypto/heimdal/lib/roken/get_default_username.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: get_default_username.c,v 1.3 1999/12/02 16:58:46 joda Exp $");
+RCSID("$Id: get_default_username.c 14773 2005-04-12 11:29:18Z lha $");
 #endif /* HAVE_CONFIG_H */
 
 #include "roken.h"
@@ -43,7 +43,7 @@ RCSID("$Id: get_default_username.c,v 1.3 1999/12/02 16:58:46 joda Exp $");
  * NULL if we can't guess at all.
  */
 
-const char *
+const char * ROKEN_LIB_FUNCTION
 get_default_username (void)
 {
     const char *user;
diff --git a/crypto/heimdal/lib/roken/get_window_size.c b/crypto/heimdal/lib/roken/get_window_size.c
index 4eff8d2..7fa91d6 100644
--- a/crypto/heimdal/lib/roken/get_window_size.c
+++ b/crypto/heimdal/lib/roken/get_window_size.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: get_window_size.c,v 1.9 1999/12/02 16:58:46 joda Exp $");
+RCSID("$Id: get_window_size.c 21005 2007-06-08 01:54:35Z lha $");
 #endif
 
 #include <stdlib.h>
@@ -58,9 +58,9 @@ RCSID("$Id: get_window_size.c,v 1.9 1999/12/02 16:58:46 joda Exp $");
 #include <termios.h>
 #endif
 
-#include <roken.h>
+#include "roken.h"
 
-int
+int ROKEN_LIB_FUNCTION
 get_window_size(int fd, struct winsize *wp)
 {
     int ret = -1;
diff --git a/crypto/heimdal/lib/roken/getaddrinfo-test.c b/crypto/heimdal/lib/roken/getaddrinfo-test.c
index 4274081..027e32a 100644
--- a/crypto/heimdal/lib/roken/getaddrinfo-test.c
+++ b/crypto/heimdal/lib/roken/getaddrinfo-test.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: getaddrinfo-test.c,v 1.4 2001/02/20 01:44:54 assar Exp $");
+RCSID("$Id: getaddrinfo-test.c 15930 2005-08-12 13:42:17Z lha $");
 #endif
 
 #include "roken.h"
@@ -94,7 +94,7 @@ doit (const char *nodename, const char *servname)
 	    printf ("\tbad address?\n");
 	    continue;
 	} 
-	printf ("\t(family = %d, socktype = %d, protocol = %d, "
+	printf ("\tfamily = %d, socktype = %d, protocol = %d, "
 		"address = \"%s\", port = %d",
 		r->ai_family, r->ai_socktype, r->ai_protocol,
 		addrstr,
@@ -109,13 +109,13 @@ doit (const char *nodename, const char *servname)
 int
 main(int argc, char **argv)
 {
-    int optind = 0;
+    int optidx = 0;
     int i;
 
     setprogname (argv[0]);
 
     if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
-		&optind))
+		&optidx))
 	usage (1);
 
     if (help_flag)
@@ -126,8 +126,8 @@ main(int argc, char **argv)
 	return 0;
     }
 
-    argc -= optind;
-    argv += optind;
+    argc -= optidx;
+    argv += optidx;
 
     if (argc % 2 != 0)
 	usage (1);
diff --git a/crypto/heimdal/lib/roken/getaddrinfo.c b/crypto/heimdal/lib/roken/getaddrinfo.c
index 83957bb..f9ffcd8 100644
--- a/crypto/heimdal/lib/roken/getaddrinfo.c
+++ b/crypto/heimdal/lib/roken/getaddrinfo.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: getaddrinfo.c,v 1.12 2001/08/17 13:06:57 joda Exp $");
+RCSID("$Id: getaddrinfo.c 15417 2005-06-16 17:49:29Z lha $");
 #endif
 
 #include "roken.h"
@@ -135,19 +135,19 @@ add_one (int port, int protocol, int socktype,
 static int
 const_v4 (struct addrinfo *a, void *data, int port)
 {
-    struct sockaddr_in *sin;
+    struct sockaddr_in *sin4;
     struct in_addr *addr = (struct in_addr *)data;
 
     a->ai_family  = PF_INET;
-    a->ai_addrlen = sizeof(*sin);
-    a->ai_addr    = malloc (sizeof(*sin));
+    a->ai_addrlen = sizeof(*sin4);
+    a->ai_addr    = malloc (sizeof(*sin4));
     if (a->ai_addr == NULL)
 	return EAI_MEMORY;
-    sin = (struct sockaddr_in *)a->ai_addr;
-    memset (sin, 0, sizeof(*sin));
-    sin->sin_family = AF_INET;
-    sin->sin_port   = port;
-    sin->sin_addr   = *addr;
+    sin4 = (struct sockaddr_in *)a->ai_addr;
+    memset (sin4, 0, sizeof(*sin4));
+    sin4->sin_family = AF_INET;
+    sin4->sin_port   = port;
+    sin4->sin_addr   = *addr;
     return 0;
 }
 
@@ -368,7 +368,7 @@ get_nodes (const char *nodename,
  * };
  */
 
-int
+int ROKEN_LIB_FUNCTION
 getaddrinfo(const char *nodename,
 	    const char *servname,
 	    const struct addrinfo *hints,
diff --git a/crypto/heimdal/lib/roken/getaddrinfo_hostspec.c b/crypto/heimdal/lib/roken/getaddrinfo_hostspec.c
index 7f6b0d1..29eae31 100644
--- a/crypto/heimdal/lib/roken/getaddrinfo_hostspec.c
+++ b/crypto/heimdal/lib/roken/getaddrinfo_hostspec.c
@@ -33,14 +33,14 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: getaddrinfo_hostspec.c,v 1.3 2000/07/15 12:50:32 joda Exp $");
+RCSID("$Id: getaddrinfo_hostspec.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
 
 /* getaddrinfo via string specifying host and port */
 
-int
+int ROKEN_LIB_FUNCTION
 roken_getaddrinfo_hostspec2(const char *hostspec, 
 			    int socktype,
 			    int port,
@@ -95,7 +95,7 @@ roken_getaddrinfo_hostspec2(const char *hostspec,
     return getaddrinfo (host, portstr, &hints, ai);
 }
 
-int
+int ROKEN_LIB_FUNCTION
 roken_getaddrinfo_hostspec(const char *hostspec, 
 			   int port,
 			   struct addrinfo **ai)
diff --git a/crypto/heimdal/lib/roken/getarg.3 b/crypto/heimdal/lib/roken/getarg.3
index e2f0412..fd5ed3d 100644
--- a/crypto/heimdal/lib/roken/getarg.3
+++ b/crypto/heimdal/lib/roken/getarg.3
@@ -29,7 +29,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 .\" SUCH DAMAGE. 
 .\" 
-.\" $Id: getarg.3,v 1.7 2003/04/16 13:58:24 lha Exp $
+.\" $Id: getarg.3 13380 2004-02-17 12:04:59Z lha $
 .Dd September 24, 1999
 .Dt GETARG 3
 .Os ROKEN
@@ -220,7 +220,7 @@ to specify a coordinate); if you also have to set
 to a sane value.
 .Pp
 The collect function should return one of
-.Dv ARG_ERR_NO_MATCH , ARG_ERR_BAD_ARG , ARG_ERR_NO_ARG
+.Dv ARG_ERR_NO_MATCH , ARG_ERR_BAD_ARG , ARG_ERR_NO_ARG, ENOMEM
 on error, zero otherwise.
 .Pp
 For your convenience there is a function,
diff --git a/crypto/heimdal/lib/roken/getarg.c b/crypto/heimdal/lib/roken/getarg.c
index eff81f2..c732d2f 100644
--- a/crypto/heimdal/lib/roken/getarg.c
+++ b/crypto/heimdal/lib/roken/getarg.c
@@ -33,13 +33,13 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: getarg.c,v 1.46 2002/08/20 16:23:07 joda Exp $");
+RCSID("$Id: getarg.c 21005 2007-06-08 01:54:35Z lha $");
 #endif
 
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include <roken.h>
+#include "roken.h"
 #include "getarg.h"
 
 #define ISFLAG(X) ((X).type == arg_flag || (X).type == arg_negative_flag)
@@ -198,7 +198,7 @@ check_column(FILE *f, int col, int len, int columns)
     return col;
 }
 
-void
+void ROKEN_LIB_FUNCTION
 arg_printusage (struct getargs *args,
 		size_t num_args,
 		const char *progname,
@@ -307,12 +307,22 @@ arg_printusage (struct getargs *args,
     }
 }
 
-static void
+static int
 add_string(getarg_strings *s, char *value)
 {
-    s->strings = realloc(s->strings, (s->num_strings + 1) * sizeof(*s->strings));
+    char **strings;
+
+    strings = realloc(s->strings, (s->num_strings + 1) * sizeof(*s->strings));
+    if (strings == NULL) {
+	free(s->strings);
+	s->strings = NULL;
+	s->num_strings = 0;
+	return ENOMEM;
+    }
+    s->strings = strings;
     s->strings[s->num_strings] = value;
     s->num_strings++;
+    return 0;
 }
 
 static int
@@ -390,8 +400,7 @@ arg_match_long(struct getargs *args, size_t num_args,
     }
     case arg_strings:
     {
-	add_string((getarg_strings*)current->value, goptarg + 1);
-	return 0;
+	return add_string((getarg_strings*)current->value, goptarg + 1);
     }
     case arg_flag:
     case arg_negative_flag:
@@ -497,8 +506,7 @@ arg_match_short (struct getargs *args, size_t num_args,
 		    *(char**)args[k].value = goptarg;
 		    return 0;
 		} else if(args[k].type == arg_strings) {
-		    add_string((getarg_strings*)args[k].value, goptarg);
-		    return 0;
+		    return add_string((getarg_strings*)args[k].value, goptarg);
 		} else if(args[k].type == arg_double) {
 		    double tmp;
 		    if(sscanf(goptarg, "%lf", &tmp) != 1)
@@ -515,7 +523,7 @@ arg_match_short (struct getargs *args, size_t num_args,
     return 0;
 }
 
-int
+int ROKEN_LIB_FUNCTION
 getarg(struct getargs *args, size_t num_args, 
        int argc, char **argv, int *goptind)
 {
@@ -551,7 +559,7 @@ getarg(struct getargs *args, size_t num_args,
     return ret;
 }
 
-void
+void ROKEN_LIB_FUNCTION
 free_getarg_strings (getarg_strings *s)
 {
     free (s->strings);
diff --git a/crypto/heimdal/lib/roken/getarg.h b/crypto/heimdal/lib/roken/getarg.h
index c68b66a1..62d1b66 100644
--- a/crypto/heimdal/lib/roken/getarg.h
+++ b/crypto/heimdal/lib/roken/getarg.h
@@ -31,13 +31,21 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: getarg.h,v 1.12 2002/04/18 08:50:08 joda Exp $ */
+/* $Id: getarg.h 14776 2005-04-13 05:52:27Z lha $ */
 
 #ifndef __GETARG_H__
 #define __GETARG_H__
 
 #include <stddef.h>
 
+#ifndef ROKEN_LIB_FUNCTION
+#ifdef _WIN32
+#define ROKEN_LIB_FUNCTION _stdcall
+#else
+#define ROKEN_LIB_FUNCTION
+#endif
+#endif
+
 struct getargs{
     const char *long_name;
     char short_name;
@@ -78,14 +86,17 @@ typedef struct getarg_collect_info {
     void *data;
 } getarg_collect_info;
 
-int getarg(struct getargs *args, size_t num_args, 
-	   int argc, char **argv, int *goptind);
+int ROKEN_LIB_FUNCTION
+getarg(struct getargs *args, size_t num_args, 
+       int argc, char **argv, int *goptind);
 
-void arg_printusage (struct getargs *args,
-		     size_t num_args,
-		     const char *progname,
-		     const char *extra_string);
+void ROKEN_LIB_FUNCTION
+arg_printusage (struct getargs *args,
+		size_t num_args,
+		const char *progname,
+		const char *extra_string);
 
-void free_getarg_strings (getarg_strings *);
+void ROKEN_LIB_FUNCTION
+free_getarg_strings (getarg_strings *);
 
 #endif /* __GETARG_H__ */
diff --git a/crypto/heimdal/lib/roken/getcap.c b/crypto/heimdal/lib/roken/getcap.c
index 8a29e1f..a4e3a7d 100644
--- a/crypto/heimdal/lib/roken/getcap.c
+++ b/crypto/heimdal/lib/roken/getcap.c
@@ -15,11 +15,7 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
+ * 3. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
@@ -40,7 +36,7 @@
 #include <config.h>
 #endif
 #include "roken.h"
-RCSID("$Id: getcap.c,v 1.8 2003/04/16 16:23:36 lha Exp $");
+RCSID("$Id: getcap.c 22071 2007-11-14 20:04:50Z lha $");
 
 #include <sys/types.h>
 #include <ctype.h>
@@ -73,9 +69,14 @@ static size_t	 topreclen;	/* toprec length */
 static char	*toprec;	/* Additional record specified by cgetset() */
 static int	 gottoprec;	/* Flag indicating retrieval of toprecord */
 
+#if 0 /*
+       * Don't use db support unless it's build into libc but we don't
+       * check for that now, so just disable the code.
+       */
 #if defined(HAVE_DBOPEN) && defined(HAVE_DB_H)
 #define USE_DB
 #endif
+#endif
 
 #ifdef USE_DB
 static int	cdbget (DB *, char **, const char *);
@@ -84,24 +85,24 @@ static int 	getent (char **, size_t *, char **, int, const char *, int, char *);
 static int	nfcmp (char *, char *);
 
 
-int cgetset(const char *ent);
-char *cgetcap(char *buf, const char *cap, int type);
-int cgetent(char **buf, char **db_array, const char *name);
-int cgetmatch(const char *buf, const char *name);
-int cgetclose(void);
+int ROKEN_LIB_FUNCTION cgetset(const char *ent);
+char *ROKEN_LIB_FUNCTION cgetcap(char *buf, const char *cap, int type);
+int ROKEN_LIB_FUNCTION cgetent(char **buf, char **db_array, const char *name);
+int ROKEN_LIB_FUNCTION cgetmatch(const char *buf, const char *name);
+int ROKEN_LIB_FUNCTION cgetclose(void);
 #if 0
 int cgetfirst(char **buf, char **db_array);
 int cgetnext(char **bp, char **db_array);
 #endif
-int cgetstr(char *buf, const char *cap, char **str);
-int cgetustr(char *buf, const char *cap, char **str);
-int cgetnum(char *buf, const char *cap, long *num);
+int ROKEN_LIB_FUNCTION cgetstr(char *buf, const char *cap, char **str);
+int ROKEN_LIB_FUNCTION cgetustr(char *buf, const char *cap, char **str);
+int ROKEN_LIB_FUNCTION cgetnum(char *buf, const char *cap, long *num);
 /*
  * Cgetset() allows the addition of a user specified buffer to be added
  * to the database array, in effect "pushing" the buffer on top of the
  * virtual database. 0 is returned on success, -1 on failure.
  */
-int
+int ROKEN_LIB_FUNCTION
 cgetset(const char *ent)
 {
     const char *source, *check;
@@ -154,7 +155,7 @@ cgetset(const char *ent)
  * If (cap, '@') or (cap, terminator, '@') is found before (cap, terminator)
  * return NULL.
  */
-char *
+char * ROKEN_LIB_FUNCTION
 cgetcap(char *buf, const char *cap, int type)
 {
     char *bp;
@@ -205,7 +206,7 @@ cgetcap(char *buf, const char *cap, int type)
  * encountered (couldn't open/read a file, etc.), and -3 if a potential
  * reference loop is detected.
  */
-int
+int ROKEN_LIB_FUNCTION
 cgetent(char **buf, char **db_array, const char *name)
 {
     size_t dummy;
@@ -305,6 +306,8 @@ getent(char **cap, size_t *len, char **db_array, int fd,
 				/* save the data; close frees it */
 		clen = strlen(record);
 		cbuf = malloc(clen + 1);
+		if (cbuf == NULL)
+		    return (-2);
 		memmove(cbuf, record, clen + 1);
 		if (capdbp->close(capdbp) < 0) {
 		    free(cbuf);
@@ -699,7 +702,7 @@ static FILE *pfp;
 static int slash;
 static char **dbp;
 
-int
+int ROKEN_LIB_FUNCTION
 cgetclose(void)
 {
     if (pfp != NULL) {
@@ -846,7 +849,7 @@ cgetnext(char **bp, char **db_array)
  * couldn't be found, -2 if a system error was encountered (storage
  * allocation failure).
  */
-int
+int ROKEN_LIB_FUNCTION
 cgetstr(char *buf, const char *cap, char **str)
 {
     u_int m_room;
@@ -970,7 +973,7 @@ cgetstr(char *buf, const char *cap, char **str)
  * -1 if the requested string capability couldn't be found, -2 if a system 
  * error was encountered (storage allocation failure).
  */
-int
+int ROKEN_LIB_FUNCTION
 cgetustr(char *buf, const char *cap, char **str)
 {
     u_int m_room;
@@ -1039,7 +1042,7 @@ cgetustr(char *buf, const char *cap, char **str)
  * the long pointed to by num.  0 is returned on success, -1 if the requested
  * numeric capability couldn't be found.
  */
-int
+int ROKEN_LIB_FUNCTION
 cgetnum(char *buf, const char *cap, long *num)
 {
     long n;
diff --git a/crypto/heimdal/lib/roken/getcwd.c b/crypto/heimdal/lib/roken/getcwd.c
index c1f2610..a32149c 100644
--- a/crypto/heimdal/lib/roken/getcwd.c
+++ b/crypto/heimdal/lib/roken/getcwd.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: getcwd.c,v 1.12 1999/12/02 16:58:46 joda Exp $");
+RCSID("$Id: getcwd.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #ifdef HAVE_UNISTD_H
@@ -45,7 +45,7 @@ RCSID("$Id: getcwd.c,v 1.12 1999/12/02 16:58:46 joda Exp $");
 
 #include "roken.h"
 
-char*
+char* ROKEN_LIB_FUNCTION
 getcwd(char *path, size_t size)
 {
     char xxx[MaxPathLen];
diff --git a/crypto/heimdal/lib/roken/getdtablesize.c b/crypto/heimdal/lib/roken/getdtablesize.c
index 183e8ff..a6ef38b 100644
--- a/crypto/heimdal/lib/roken/getdtablesize.c
+++ b/crypto/heimdal/lib/roken/getdtablesize.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: getdtablesize.c,v 1.11 2001/06/20 00:00:38 joda Exp $");
+RCSID("$Id: getdtablesize.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
@@ -64,7 +64,8 @@ RCSID("$Id: getdtablesize.c,v 1.11 2001/06/20 00:00:38 joda Exp $");
 #include <sys/sysctl.h>
 #endif
 
-int getdtablesize(void)
+int ROKEN_LIB_FUNCTION
+getdtablesize(void)
 {
   int files = -1;
 #if defined(HAVE_SYSCONF) && defined(_SC_OPEN_MAX)
diff --git a/crypto/heimdal/lib/roken/getegid.c b/crypto/heimdal/lib/roken/getegid.c
index b6eab85..57ea198 100644
--- a/crypto/heimdal/lib/roken/getegid.c
+++ b/crypto/heimdal/lib/roken/getegid.c
@@ -38,9 +38,10 @@
 
 #ifndef HAVE_GETEGID
 
-RCSID("$Id: getegid.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
+RCSID("$Id: getegid.c 14773 2005-04-12 11:29:18Z lha $");
 
-int getegid(void)
+int ROKEN_LIB_FUNCTION
+getegid(void)
 {
     return getgid();
 }
diff --git a/crypto/heimdal/lib/roken/geteuid.c b/crypto/heimdal/lib/roken/geteuid.c
index 4bdf531..f2f771e 100644
--- a/crypto/heimdal/lib/roken/geteuid.c
+++ b/crypto/heimdal/lib/roken/geteuid.c
@@ -38,9 +38,10 @@
 
 #ifndef HAVE_GETEUID
 
-RCSID("$Id: geteuid.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
+RCSID("$Id: geteuid.c 14773 2005-04-12 11:29:18Z lha $");
 
-int geteuid(void)
+int ROKEN_LIB_FUNCTION
+geteuid(void)
 {
     return getuid();
 }
diff --git a/crypto/heimdal/lib/roken/getgid.c b/crypto/heimdal/lib/roken/getgid.c
index f2ca01a..fbe4f6d 100644
--- a/crypto/heimdal/lib/roken/getgid.c
+++ b/crypto/heimdal/lib/roken/getgid.c
@@ -38,9 +38,10 @@
 
 #ifndef HAVE_GETGID
 
-RCSID("$Id: getgid.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
+RCSID("$Id: getgid.c 14773 2005-04-12 11:29:18Z lha $");
 
-int getgid(void)
+int ROKEN_LIB_FUNCTION
+getgid(void)
 {
     return 17;
 }
diff --git a/crypto/heimdal/lib/roken/gethostname.c b/crypto/heimdal/lib/roken/gethostname.c
index 753ba9f..f291ce2 100644
--- a/crypto/heimdal/lib/roken/gethostname.c
+++ b/crypto/heimdal/lib/roken/gethostname.c
@@ -49,7 +49,7 @@
  * interface is identical to gethostname(2).)
  */
 
-int
+int ROKEN_LIB_FUNCTION
 gethostname(char *name, int namelen)
 {
 #if defined(HAVE_UNAME)
diff --git a/crypto/heimdal/lib/roken/getifaddrs.c b/crypto/heimdal/lib/roken/getifaddrs.c
index e8c53f8..485c0d6 100644
--- a/crypto/heimdal/lib/roken/getifaddrs.c
+++ b/crypto/heimdal/lib/roken/getifaddrs.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 2000 - 2002, 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: getifaddrs.c,v 1.9 2002/09/05 03:36:23 assar Exp $");
+RCSID("$Id: getifaddrs.c 21745 2007-07-31 16:11:25Z lha $");
 #endif
 #include "roken.h"
 
@@ -56,6 +56,21 @@ struct mbuf;
 
 #include <ifaddrs.h>
 
+#ifdef __hpux
+#define lifconf if_laddrconf
+#define lifc_len iflc_len
+#define lifc_buf iflc_buf
+#define lifc_req iflc_req
+
+#define lifreq if_laddrreq
+#define lifr_addr iflr_addr
+#define lifr_name iflr_name
+#define lifr_dstaddr iflr_dstaddr
+#define lifr_broadaddr iflr_broadaddr
+#define lifr_flags iflr_flags
+#define lifr_index iflr_index
+#endif
+
 #ifdef AF_NETLINK
 
 /*
@@ -108,6 +123,7 @@ struct mbuf;
 #include <linux/rtnetlink.h>
 #include <sys/types.h>
 #include <sys/socket.h>
+#include <sys/poll.h>
 #include <netpacket/packet.h>
 #include <net/ethernet.h>     /* the L2 protocols */
 #include <sys/uio.h>
@@ -172,6 +188,7 @@ ifa_sa_len(sa_family_t family, int len)
     size = (size_t)(((struct sockaddr *)NULL)->sa_data) + len;
     if (size < sizeof(struct sockaddr))
       size = sizeof(struct sockaddr);
+    break;
   }
   return size;
 }
@@ -377,13 +394,30 @@ nl_getlist(int sd, int seq,
   struct nlmsghdr *nlh = NULL;
   int status;
   int done = 0;
+  int tries = 3;
 
+ try_again:
   status = nl_sendreq(sd, request, NLM_F_ROOT|NLM_F_MATCH, &seq);
   if (status < 0)
     return status;
   if (seq == 0)
     seq = (int)time(NULL);
   while(!done){
+    struct pollfd pfd;
+
+    pfd.fd = sd;
+    pfd.events = POLLIN | POLLPRI;
+    pfd.revents = 0;
+    status = poll(&pfd, 1, 1000);
+    if (status < 0)
+	return status;
+    else if (status == 0) {
+	seq++;
+	if (tries-- > 0)
+	    goto try_again;
+	return -1;
+    }
+
     status = nl_getmsg(sd, request, seq, &nlh, &done);
     if (status < 0)
       return status;
@@ -416,16 +450,17 @@ nl_getlist(int sd, int seq,
 static void 
 free_nlmsglist(struct nlmsg_list *nlm0)
 {
-  struct nlmsg_list *nlm;
+  struct nlmsg_list *nlm, *nlm_next;
   int saved_errno;
   if (!nlm0)
     return;
   saved_errno = errno;
-  for (nlm=nlm0; nlm; nlm=nlm->nlm_next){
+  for (nlm=nlm0; nlm; nlm=nlm_next){
     if (nlm->nlh)
       free(nlm->nlh);
+    nlm_next=nlm->nlm_next;
+    free(nlm);
   }
-  free(nlm0);
   __set_errno(saved_errno);
 }
 
@@ -466,7 +501,8 @@ nl_open(void)
 }
 
 /* ====================================================================== */
-int getifaddrs(struct ifaddrs **ifap)
+int ROKEN_LIB_FUNCTION
+rk_getifaddrs(struct ifaddrs **ifap)
 {
   int sd;
   struct nlmsg_list *nlmsg_list, *nlmsg_end, *nlm;
@@ -669,6 +705,7 @@ int getifaddrs(struct ifaddrs **ifap)
 	    case IFLA_QDISC:
 	      break;
 	    default:
+	      break;
 	    }
 	    break;
 	  case RTM_NEWADDR:
@@ -709,6 +746,7 @@ int getifaddrs(struct ifaddrs **ifap)
 	    case IFA_CACHEINFO:
 	      break;
 	    default:
+	      break;
 	    }
 	  }
 	}
@@ -818,14 +856,6 @@ int getifaddrs(struct ifaddrs **ifap)
   return 0;
 }
 
-/* ---------------------------------------------------------------------- */
-void 
-freeifaddrs(struct ifaddrs *ifa)
-{
-  free(ifa);
-}
-
-
 #else /* !AF_NETLINK */
 
 /*
@@ -919,8 +949,16 @@ getifaddrs2(struct ifaddrs **ifap,
 
 	(*end)->ifa_next = NULL;
 	(*end)->ifa_name = strdup(ifr->ifr_name);
+	if ((*end)->ifa_name == NULL) {
+	    ret = ENOMEM;
+	    goto error_out;
+	}
 	(*end)->ifa_flags = ifreq.ifr_flags;
 	(*end)->ifa_addr = malloc(salen);
+	if ((*end)->ifa_addr == NULL) {
+	    ret = ENOMEM;
+	    goto error_out;
+	}
 	memcpy((*end)->ifa_addr, sa, salen);
 	(*end)->ifa_netmask = NULL;
 
@@ -928,10 +966,18 @@ getifaddrs2(struct ifaddrs **ifap,
 	/* fix these when we actually need them */
 	if(ifreq.ifr_flags & IFF_BROADCAST) {
 	    (*end)->ifa_broadaddr = malloc(sizeof(ifr->ifr_broadaddr));
+	    if ((*end)->ifa_broadaddr == NULL) {
+		ret = ENOMEM;
+		goto error_out;
+	    }
 	    memcpy((*end)->ifa_broadaddr, &ifr->ifr_broadaddr, 
 		   sizeof(ifr->ifr_broadaddr));
 	} else if(ifreq.ifr_flags & IFF_POINTOPOINT) {
 	    (*end)->ifa_dstaddr = malloc(sizeof(ifr->ifr_dstaddr));
+	    if ((*end)->ifa_dstaddr == NULL) {
+		ret = ENOMEM;
+		goto error_out;
+	    }
 	    memcpy((*end)->ifa_dstaddr, &ifr->ifr_dstaddr, 
 		   sizeof(ifr->ifr_dstaddr));
 	} else
@@ -950,7 +996,7 @@ getifaddrs2(struct ifaddrs **ifap,
     free(buf);
     return 0;
   error_out:
-    freeifaddrs(start);
+    rk_freeifaddrs(start);
     close(fd);
     free(buf);
     errno = ret;
@@ -988,8 +1034,10 @@ getlifaddrs2(struct ifaddrs **ifap,
 	    ret = ENOMEM;
 	    goto error_out;
 	}
+#ifndef __hpux
 	ifconf.lifc_family = AF_UNSPEC;
 	ifconf.lifc_flags  = 0;
+#endif
 	ifconf.lifc_len    = buf_size;
 	ifconf.lifc_buf    = buf;
 
@@ -1040,11 +1088,23 @@ getlifaddrs2(struct ifaddrs **ifap,
 	}
 
 	*end = malloc(sizeof(**end));
+	if (*end == NULL) {
+	    ret = ENOMEM;
+	    goto error_out;
+	}
 
 	(*end)->ifa_next = NULL;
 	(*end)->ifa_name = strdup(ifr->lifr_name);
+	if ((*end)->ifa_name == NULL) {
+	    ret = ENOMEM;
+	    goto error_out;
+	}
 	(*end)->ifa_flags = ifreq.lifr_flags;
 	(*end)->ifa_addr = malloc(salen);
+	if ((*end)->ifa_addr == NULL) {
+	    ret = ENOMEM;
+	    goto error_out;
+	}
 	memcpy((*end)->ifa_addr, sa, salen);
 	(*end)->ifa_netmask = NULL;
 
@@ -1052,10 +1112,18 @@ getlifaddrs2(struct ifaddrs **ifap,
 	/* fix these when we actually need them */
 	if(ifreq.ifr_flags & IFF_BROADCAST) {
 	    (*end)->ifa_broadaddr = malloc(sizeof(ifr->ifr_broadaddr));
+	    if ((*end)->ifa_broadaddr == NULL) {
+		ret = ENOMEM;
+		goto error_out;
+	    }
 	    memcpy((*end)->ifa_broadaddr, &ifr->ifr_broadaddr, 
 		   sizeof(ifr->ifr_broadaddr));
 	} else if(ifreq.ifr_flags & IFF_POINTOPOINT) {
 	    (*end)->ifa_dstaddr = malloc(sizeof(ifr->ifr_dstaddr));
+	    if ((*end)->ifa_dstaddr == NULL) {
+		ret = ENOMEM;
+		goto error_out;
+	    }
 	    memcpy((*end)->ifa_dstaddr, &ifr->ifr_dstaddr, 
 		   sizeof(ifr->ifr_dstaddr));
 	} else
@@ -1074,7 +1142,7 @@ getlifaddrs2(struct ifaddrs **ifap,
     free(buf);
     return 0;
   error_out:
-    freeifaddrs(start);
+    rk_freeifaddrs(start);
     close(fd);
     free(buf);
     errno = ret;
@@ -1082,8 +1150,8 @@ getlifaddrs2(struct ifaddrs **ifap,
 }
 #endif /* defined(HAVE_IPV6) && defined(SIOCGLIFCONF) && defined(SIOCGLIFFLAGS) */
 
-int
-getifaddrs(struct ifaddrs **ifap) 
+int ROKEN_LIB_FUNCTION
+rk_getifaddrs(struct ifaddrs **ifap) 
 {
     int ret = -1;
     errno = ENXIO;
@@ -1110,8 +1178,10 @@ getifaddrs(struct ifaddrs **ifap)
     return ret;
 }
 
-void
-freeifaddrs(struct ifaddrs *ifp)
+#endif /* !AF_NETLINK */
+
+void ROKEN_LIB_FUNCTION
+rk_freeifaddrs(struct ifaddrs *ifp)
 {
     struct ifaddrs *p, *q;
     
@@ -1131,8 +1201,6 @@ freeifaddrs(struct ifaddrs *ifp)
     }
 }
 
-#endif /* !AF_NETLINK */
-
 #ifdef TEST
 
 void
diff --git a/crypto/heimdal/lib/roken/getipnodebyaddr.c b/crypto/heimdal/lib/roken/getipnodebyaddr.c
index f22aad7..56ae860 100644
--- a/crypto/heimdal/lib/roken/getipnodebyaddr.c
+++ b/crypto/heimdal/lib/roken/getipnodebyaddr.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: getipnodebyaddr.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
+RCSID("$Id: getipnodebyaddr.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
@@ -43,7 +43,7 @@ RCSID("$Id: getipnodebyaddr.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
  * to a malloced struct hostent or NULL.
  */
 
-struct hostent *
+struct hostent * ROKEN_LIB_FUNCTION
 getipnodebyaddr (const void *src, size_t len, int af, int *error_num)
 {
     struct hostent *tmp;
diff --git a/crypto/heimdal/lib/roken/getipnodebyname.c b/crypto/heimdal/lib/roken/getipnodebyname.c
index 576feef..739b329 100644
--- a/crypto/heimdal/lib/roken/getipnodebyname.c
+++ b/crypto/heimdal/lib/roken/getipnodebyname.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: getipnodebyname.c,v 1.3 1999/12/02 16:58:46 joda Exp $");
+RCSID("$Id: getipnodebyname.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
@@ -47,7 +47,7 @@ static int h_errno = NO_RECOVERY;
  * to a malloced struct hostent or NULL.
  */
 
-struct hostent *
+struct hostent * ROKEN_LIB_FUNCTION
 getipnodebyname (const char *name, int af, int flags, int *error_num)
 {
     struct hostent *tmp;
diff --git a/crypto/heimdal/lib/roken/getnameinfo.c b/crypto/heimdal/lib/roken/getnameinfo.c
index 44fcb04..4f820f0 100644
--- a/crypto/heimdal/lib/roken/getnameinfo.c
+++ b/crypto/heimdal/lib/roken/getnameinfo.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: getnameinfo.c,v 1.4 2001/07/09 15:14:19 assar Exp $");
+RCSID("$Id: getnameinfo.c 15412 2005-06-16 16:53:09Z lha $");
 #endif
 
 #include "roken.h"
@@ -94,7 +94,7 @@ doit (int af,
  *
  */
 
-int
+int ROKEN_LIB_FUNCTION
 getnameinfo(const struct sockaddr *sa, socklen_t salen,
 	    char *host, size_t hostlen,
 	    char *serv, size_t servlen,
@@ -113,10 +113,10 @@ getnameinfo(const struct sockaddr *sa, socklen_t salen,
     }
 #endif
     case AF_INET : {
-	const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
+	const struct sockaddr_in *sin4 = (const struct sockaddr_in *)sa;
 
-	return doit (AF_INET, &sin->sin_addr, sizeof(sin->sin_addr),
-		     sin->sin_port,
+	return doit (AF_INET, &sin4->sin_addr, sizeof(sin4->sin_addr),
+		     sin4->sin_port,
 		     host, hostlen,
 		     serv, servlen,
 		     flags);
diff --git a/crypto/heimdal/lib/roken/getnameinfo_verified.c b/crypto/heimdal/lib/roken/getnameinfo_verified.c
index 0145262..91f938a 100644
--- a/crypto/heimdal/lib/roken/getnameinfo_verified.c
+++ b/crypto/heimdal/lib/roken/getnameinfo_verified.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: getnameinfo_verified.c,v 1.6 2002/09/05 01:36:27 assar Exp $");
+RCSID("$Id: getnameinfo_verified.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
@@ -46,7 +46,7 @@ RCSID("$Id: getnameinfo_verified.c,v 1.6 2002/09/05 01:36:27 assar Exp $");
  * NI_NAMEREQD flag is set or return the numeric address as a string.
  */
 
-int
+int ROKEN_LIB_FUNCTION
 getnameinfo_verified(const struct sockaddr *sa, socklen_t salen,
 		     char *host, size_t hostlen,
 		     char *serv, size_t servlen,
diff --git a/crypto/heimdal/lib/roken/getopt.c b/crypto/heimdal/lib/roken/getopt.c
index 45fc350..12bf138 100644
--- a/crypto/heimdal/lib/roken/getopt.c
+++ b/crypto/heimdal/lib/roken/getopt.c
@@ -10,11 +10,7 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
+ * 3. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
@@ -55,7 +51,7 @@ char	*optarg;		/* argument associated with option */
 #define	BADARG	(int)':'
 #define	EMSG	""
 
-int
+int ROKEN_LIB_FUNCTION
 getopt(nargc, nargv, ostr)
 	int nargc;
 	char * const *nargv;
diff --git a/crypto/heimdal/lib/roken/getprogname.c b/crypto/heimdal/lib/roken/getprogname.c
index fcd4a40..6d0bfee 100644
--- a/crypto/heimdal/lib/roken/getprogname.c
+++ b/crypto/heimdal/lib/roken/getprogname.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan 
+ * Copyright (c) 1995-2004 Kungliga Tekniska Högskolan 
  * (Royal Institute of Technology, Stockholm, Sweden).  
  * All rights reserved.
  * 
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: getprogname.c,v 1.1 2001/07/09 14:56:51 assar Exp $");
+RCSID("$Id: getprogname.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
@@ -43,16 +43,9 @@ const char *__progname;
 #endif
 
 #ifndef HAVE_GETPROGNAME
-const char *
+const char * ROKEN_LIB_FUNCTION
 getprogname(void)
 {
     return __progname;
 }
 #endif /* HAVE_GETPROGNAME */
-
-const char *
-get_progname (void)
-{
-    return getprogname ();
-}
-
diff --git a/crypto/heimdal/lib/roken/gettimeofday.c b/crypto/heimdal/lib/roken/gettimeofday.c
index ec8b62f..d8e4e75 100644
--- a/crypto/heimdal/lib/roken/gettimeofday.c
+++ b/crypto/heimdal/lib/roken/gettimeofday.c
@@ -37,12 +37,12 @@
 #include "roken.h"
 #ifndef HAVE_GETTIMEOFDAY
 
-RCSID("$Id: gettimeofday.c,v 1.8 1999/12/02 16:58:46 joda Exp $");
+RCSID("$Id: gettimeofday.c 14773 2005-04-12 11:29:18Z lha $");
 
 /*
  * Simple gettimeofday that only returns seconds.
  */
-int
+int ROKEN_LIB_FUNCTION
 gettimeofday (struct timeval *tp, void *ignore)
 {
      time_t t;
diff --git a/crypto/heimdal/lib/roken/getuid.c b/crypto/heimdal/lib/roken/getuid.c
index 6ebce0a..f558ab6 100644
--- a/crypto/heimdal/lib/roken/getuid.c
+++ b/crypto/heimdal/lib/roken/getuid.c
@@ -38,9 +38,10 @@
 
 #ifndef HAVE_GETUID
 
-RCSID("$Id: getuid.c,v 1.3 1999/12/02 16:58:46 joda Exp $");
+RCSID("$Id: getuid.c 14773 2005-04-12 11:29:18Z lha $");
 
-int getuid(void)
+int ROKEN_LIB_FUNCTION
+getuid(void)
 {
     return 17;
 }
diff --git a/crypto/heimdal/lib/roken/getusershell.c b/crypto/heimdal/lib/roken/getusershell.c
index eb990f3..8def1ca 100644
--- a/crypto/heimdal/lib/roken/getusershell.c
+++ b/crypto/heimdal/lib/roken/getusershell.c
@@ -10,11 +10,7 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
+ * 3. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
@@ -35,13 +31,14 @@
 #include <config.h>
 #endif
 
-RCSID("$Id: getusershell.c,v 1.10 2000/05/22 09:11:59 joda Exp $");
+RCSID("$Id: getusershell.c 21005 2007-06-08 01:54:35Z lha $");
 
 #ifndef HAVE_GETUSERSHELL
 
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <ctype.h>
 #ifdef HAVE_PATHS_H
 #include <paths.h>
 #endif
@@ -62,6 +59,7 @@ struct aud_rec;
 #ifdef HAVE_USERCONF_H
 #include <userconf.h>
 #endif
+#include "roken.h"
 
 #ifndef _PATH_SHELLS
 #define _PATH_SHELLS "/etc/shells"
@@ -87,7 +85,7 @@ static char **initshells (void);
 /*
  * Get a list of shells from _PATH_SHELLS, if it exists.
  */
-char *
+char * ROKEN_LIB_FUNCTION
 getusershell()
 {
     char *ret;
@@ -100,7 +98,7 @@ getusershell()
     return (ret);
 }
 
-void
+void ROKEN_LIB_FUNCTION
 endusershell()
 {
     if (shells != NULL)
@@ -112,7 +110,7 @@ endusershell()
     curshell = NULL;
 }
 
-void
+void ROKEN_LIB_FUNCTION
 setusershell()
 {
     curshell = initshells();
@@ -179,7 +177,7 @@ initshells()
 	if (*cp == '#' || *cp == '\0')
 	    continue;
 	*sp++ = cp;
-	while (!isspace(*cp) && *cp != '#' && *cp != '\0')
+	while (!isspace((unsigned char)*cp) && *cp != '#' && *cp != '\0')
 	    cp++;
 	*cp++ = '\0';
     }
diff --git a/crypto/heimdal/lib/roken/glob.c b/crypto/heimdal/lib/roken/glob.c
index 295aa2d..803eda1 100644
--- a/crypto/heimdal/lib/roken/glob.c
+++ b/crypto/heimdal/lib/roken/glob.c
@@ -13,11 +13,7 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
+ * 3. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
@@ -170,7 +166,7 @@ static int	 match (Char *, Char *, Char *);
 static void	 qprintf (const char *, Char *);
 #endif
 
-int
+int ROKEN_LIB_FUNCTION
 glob(const char *pattern, 
      int flags, 
      int (*errfunc)(const char *, int), 
@@ -745,7 +741,7 @@ match(Char *name, Char *pat, Char *patend)
 }
 
 /* Free allocated data belonging to a glob_t structure. */
-void
+void ROKEN_LIB_FUNCTION
 globfree(glob_t *pglob)
 {
 	int i;
diff --git a/crypto/heimdal/lib/roken/glob.hin b/crypto/heimdal/lib/roken/glob.hin
index 98d8796..ffb6081 100644
--- a/crypto/heimdal/lib/roken/glob.hin
+++ b/crypto/heimdal/lib/roken/glob.hin
@@ -13,11 +13,7 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
+ * 3. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
@@ -39,6 +35,22 @@
 #ifndef _GLOB_H_
 #define	_GLOB_H_
 
+#ifndef ROKEN_LIB_FUNCTION
+#ifdef _WIN32
+#define ROKEN_LIB_FUNCTION _stdcall
+#else
+#define ROKEN_LIB_FUNCTION
+#endif
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define glob_t rk_glob_t
+#define	glob rk_glob
+#define	globfree rk_globfree
+
 struct stat;
 typedef struct {
 	int gl_pathc;		/* Count of total paths so far. */
@@ -79,7 +91,14 @@ typedef struct {
 #define	GLOB_NOSPACE	(-1)	/* Malloc call failed. */
 #define	GLOB_ABEND	(-2)	/* Unignored error. */
 
-int	glob (const char *, int, int (*)(const char *, int), glob_t *);
-void	globfree (glob_t *);
+int ROKEN_LIB_FUNCTION
+glob (const char *, int, int (*)(const char *, int), glob_t *);
+
+void ROKEN_LIB_FUNCTION
+globfree (glob_t *);
+
+#ifdef __cplusplus
+}
+#endif
 
 #endif /* !_GLOB_H_ */
diff --git a/crypto/heimdal/lib/roken/h_errno.c b/crypto/heimdal/lib/roken/h_errno.c
index c2d4452..11dcb08 100644
--- a/crypto/heimdal/lib/roken/h_errno.c
+++ b/crypto/heimdal/lib/roken/h_errno.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: h_errno.c,v 1.1 2001/08/08 03:47:23 assar Exp $");
+RCSID("$Id: h_errno.c 10442 2001-08-08 03:47:23Z assar $");
 #endif
 
 #ifndef HAVE_H_ERRNO
diff --git a/crypto/heimdal/lib/roken/hex-test.c b/crypto/heimdal/lib/roken/hex-test.c
new file mode 100644
index 0000000..72aea1e
--- /dev/null
+++ b/crypto/heimdal/lib/roken/hex-test.c
@@ -0,0 +1,110 @@
+/*
+ * Copyright (c) 1999 - 2001, 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+
+RCSID("$Id: hex-test.c 21005 2007-06-08 01:54:35Z lha $");
+#endif
+
+#include "roken.h"
+#include <hex.h>
+
+int
+main(int argc, char **argv)
+{
+    int numerr = 0;
+    int numtest = 1;
+    struct test {
+	void *data;
+	size_t len;
+	const char *result;
+    } *t, tests[] = {
+	{ "", 0 , "" },
+	{ "a", 1, "61" },
+	{ "ab", 2, "6162" },
+	{ "abc", 3, "616263" },
+	{ "abcd", 4, "61626364" },
+	{ "abcde", 5, "6162636465" },
+	{ "abcdef", 6, "616263646566" },
+	{ "abcdefg", 7, "61626364656667" },
+	{ "=", 1, "3D" },
+	{ NULL }
+    };
+    for(t = tests; t->data; t++) {
+	char *str;
+	int len;
+	len = hex_encode(t->data, t->len, &str);
+	if(strcmp(str, t->result) != 0) {
+	    fprintf(stderr, "failed test %d: %s != %s\n", numtest, 
+		    str, t->result);
+	    numerr++;
+	}
+	free(str);
+	str = strdup(t->result);
+	len = strlen(str);
+	len = hex_decode(t->result, str, len);
+	if(len != t->len) {
+	    fprintf(stderr, "failed test %d: len %lu != %lu\n", numtest,
+		    (unsigned long)len, (unsigned long)t->len);
+	    numerr++;
+	} else if(memcmp(str, t->data, t->len) != 0) {
+	    fprintf(stderr, "failed test %d: data\n", numtest);
+	    numerr++;
+	}
+	free(str);
+	numtest++;
+    }
+
+    {
+	unsigned char buf[2] = { 0, 0xff } ;
+	int len;
+
+	len = hex_decode("A", buf, 1);
+	if (len != 1) {
+	    fprintf(stderr, "len != 1");
+	    numerr++;
+	}
+	if (buf[0] != 10) {
+	    fprintf(stderr, "buf != 10");
+	    numerr++;
+	}
+	if (buf[1] != 0xff) {
+	    fprintf(stderr, "buf != 0xff");
+	    numerr++;
+	}
+
+    }
+
+    return numerr;
+}
diff --git a/crypto/heimdal/lib/roken/hex.c b/crypto/heimdal/lib/roken/hex.c
new file mode 100644
index 0000000..89fb0e1
--- /dev/null
+++ b/crypto/heimdal/lib/roken/hex.c
@@ -0,0 +1,103 @@
+/*
+ * Copyright (c) 2004-2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: hex.c 16504 2006-01-09 17:09:29Z lha $");
+#endif
+#include "roken.h"
+#include <ctype.h>
+#include "hex.h"
+
+const static char hexchar[] = "0123456789ABCDEF";
+
+static int 
+pos(char c)
+{
+    const char *p;
+    c = toupper((unsigned char)c);
+    for (p = hexchar; *p; p++)
+	if (*p == c)
+	    return p - hexchar;
+    return -1;
+}
+
+ssize_t ROKEN_LIB_FUNCTION
+hex_encode(const void *data, size_t size, char **str)
+{
+    const unsigned char *q = data;
+    size_t i;
+    char *p;
+
+    /* check for overflow */
+    if (size * 2 < size)
+	return -1;
+
+    p = malloc(size * 2 + 1);
+    if (p == NULL)
+	return -1;
+    
+    for (i = 0; i < size; i++) {
+	p[i * 2] = hexchar[(*q >> 4) & 0xf];
+	p[i * 2 + 1] = hexchar[*q & 0xf];
+	q++;
+    }
+    p[i * 2] = '\0';
+    *str = p;
+
+    return i * 2;
+}
+
+ssize_t ROKEN_LIB_FUNCTION
+hex_decode(const char *str, void *data, size_t len)
+{
+    size_t l;
+    unsigned char *p = data;
+    size_t i;
+	
+    l = strlen(str);
+    
+    /* check for overflow, same as (l+1)/2 but overflow safe */
+    if ((l/2) + (l&1) > len)
+	return -1;
+
+    i = 0;
+    if (l & 1) {
+	p[0] = pos(str[0]);
+	str++;
+	p++;
+    }
+    for (i = 0; i < l / 2; i++)
+	p[i] = pos(str[i * 2]) << 4 | pos(str[(i * 2) + 1]);
+    return i + (l & 1);
+}
diff --git a/crypto/heimdal/lib/roken/hex.h b/crypto/heimdal/lib/roken/hex.h
new file mode 100644
index 0000000..4c4b850
--- /dev/null
+++ b/crypto/heimdal/lib/roken/hex.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: hex.h 14773 2005-04-12 11:29:18Z lha $ */
+
+#ifndef _rk_HEX_H_
+#define _rk_HEX_H_ 1
+
+#ifndef ROKEN_LIB_FUNCTION
+#ifdef _WIN32
+#define ROKEN_LIB_FUNCTION _stdcall
+#else
+#define ROKEN_LIB_FUNCTION
+#endif
+#endif
+
+#define hex_encode rk_hex_encode
+#define hex_decode rk_hex_decode
+
+ssize_t	ROKEN_LIB_FUNCTION
+	hex_encode(const void *, size_t, char **);
+ssize_t ROKEN_LIB_FUNCTION
+	hex_decode(const char *, void *, size_t);
+
+#endif /* _rk_HEX_H_ */
diff --git a/crypto/heimdal/lib/roken/hostent_find_fqdn.c b/crypto/heimdal/lib/roken/hostent_find_fqdn.c
index 8e955a4..299ed6d3 100644
--- a/crypto/heimdal/lib/roken/hostent_find_fqdn.c
+++ b/crypto/heimdal/lib/roken/hostent_find_fqdn.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: hostent_find_fqdn.c,v 1.2 2001/07/10 11:58:23 assar Exp $");
+RCSID("$Id: hostent_find_fqdn.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
@@ -42,7 +42,7 @@ RCSID("$Id: hostent_find_fqdn.c,v 1.2 2001/07/10 11:58:23 assar Exp $");
  * Try to find a fqdn (with `.') in he if possible, else return h_name
  */
 
-const char *
+const char * ROKEN_LIB_FUNCTION
 hostent_find_fqdn (const struct hostent *he)
 {
     const char *ret = he->h_name;
diff --git a/crypto/heimdal/lib/roken/hstrerror.c b/crypto/heimdal/lib/roken/hstrerror.c
index 61897cc..32dab23 100644
--- a/crypto/heimdal/lib/roken/hstrerror.c
+++ b/crypto/heimdal/lib/roken/hstrerror.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: hstrerror.c,v 1.24 2001/08/08 03:47:23 assar Exp $");
+RCSID("$Id: hstrerror.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #ifndef HAVE_HSTRERROR
@@ -60,14 +60,14 @@ const
 int h_nerr = { sizeof h_errlist / sizeof h_errlist[0] };
 #else
 
-#ifndef HAVE_H_ERRLIST_DECLARATION
+#if !HAVE_DECL_H_ERRLIST
 extern const char *h_errlist[];
 extern int h_nerr;
 #endif
 
 #endif
 
-const char *
+const char * ROKEN_LIB_FUNCTION
 hstrerror(int herr)
 {
     if (0 <= herr && herr < h_nerr)
diff --git a/crypto/heimdal/lib/roken/ifaddrs.hin b/crypto/heimdal/lib/roken/ifaddrs.hin
index d2b9be8..0951c8c 100644
--- a/crypto/heimdal/lib/roken/ifaddrs.hin
+++ b/crypto/heimdal/lib/roken/ifaddrs.hin
@@ -31,11 +31,19 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: ifaddrs.hin,v 1.3 2000/12/11 00:01:13 assar Exp $ */
+/* $Id: ifaddrs.hin 19309 2006-12-11 18:58:15Z lha $ */
 
 #ifndef __ifaddrs_h__
 #define __ifaddrs_h__
 
+#ifndef ROKEN_LIB_FUNCTION
+#ifdef _WIN32
+#define ROKEN_LIB_FUNCTION _stdcall
+#else
+#define ROKEN_LIB_FUNCTION
+#endif
+#endif
+
 /*
  * the interface is defined in terms of the fields below, and this is
  * sometimes #define'd, so there seems to be no simple way of solving
@@ -57,8 +65,13 @@ struct ifaddrs {
 #define ifa_broadaddr ifa_dstaddr
 #endif
 
-int getifaddrs(struct ifaddrs**);
+int ROKEN_LIB_FUNCTION
+rk_getifaddrs(struct ifaddrs**);
+
+void ROKEN_LIB_FUNCTION
+rk_freeifaddrs(struct ifaddrs*);
 
-void freeifaddrs(struct ifaddrs*);
+#define getifaddrs(a) rk_getifaddrs(a)
+#define freeifaddrs(a) rk_freeifaddrs(a)
 
 #endif /* __ifaddrs_h__ */
diff --git a/crypto/heimdal/lib/roken/inet_aton.c b/crypto/heimdal/lib/roken/inet_aton.c
index cdc6bdd..3010935 100644
--- a/crypto/heimdal/lib/roken/inet_aton.c
+++ b/crypto/heimdal/lib/roken/inet_aton.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: inet_aton.c,v 1.13 1999/12/05 13:26:20 assar Exp $");
+RCSID("$Id: inet_aton.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
@@ -41,7 +41,7 @@ RCSID("$Id: inet_aton.c,v 1.13 1999/12/05 13:26:20 assar Exp $");
 /* Minimal implementation of inet_aton.
  * Cannot distinguish between failure and a local broadcast address. */
 
-int
+int ROKEN_LIB_FUNCTION
 inet_aton(const char *cp, struct in_addr *addr)
 {
   addr->s_addr = inet_addr(cp);
diff --git a/crypto/heimdal/lib/roken/inet_ntop.c b/crypto/heimdal/lib/roken/inet_ntop.c
index 63c99a5..7433c37 100644
--- a/crypto/heimdal/lib/roken/inet_ntop.c
+++ b/crypto/heimdal/lib/roken/inet_ntop.c
@@ -33,10 +33,10 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: inet_ntop.c,v 1.5 2001/04/04 23:58:01 assar Exp $");
+RCSID("$Id: inet_ntop.c 21005 2007-06-08 01:54:35Z lha $");
 #endif
 
-#include <roken.h>
+#include "roken.h"
 
 /*
  *
@@ -116,7 +116,7 @@ inet_ntop_v6 (const void *src, char *dst, size_t size)
 }
 #endif /* HAVE_IPV6 */
 
-const char *
+const char * ROKEN_LIB_FUNCTION
 inet_ntop(int af, const void *src, char *dst, size_t size)
 {
     switch (af) {
diff --git a/crypto/heimdal/lib/roken/inet_pton.c b/crypto/heimdal/lib/roken/inet_pton.c
index d9c976c..390233a 100644
--- a/crypto/heimdal/lib/roken/inet_pton.c
+++ b/crypto/heimdal/lib/roken/inet_pton.c
@@ -33,12 +33,12 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: inet_pton.c,v 1.3 2000/07/27 04:56:13 assar Exp $");
+RCSID("$Id: inet_pton.c 21005 2007-06-08 01:54:35Z lha $");
 #endif
 
-#include <roken.h>
+#include "roken.h"
 
-int
+int ROKEN_LIB_FUNCTION
 inet_pton(int af, const char *src, void *dst)
 {
     if (af != AF_INET) {
diff --git a/crypto/heimdal/lib/roken/initgroups.c b/crypto/heimdal/lib/roken/initgroups.c
index dcf1d08..f326e5f 100644
--- a/crypto/heimdal/lib/roken/initgroups.c
+++ b/crypto/heimdal/lib/roken/initgroups.c
@@ -33,12 +33,12 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: initgroups.c,v 1.3 1999/12/02 16:58:47 joda Exp $");
+RCSID("$Id: initgroups.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
 
-int
+int ROKEN_LIB_FUNCTION
 initgroups(const char *name, gid_t basegid)
 {
   return 0;
diff --git a/crypto/heimdal/lib/roken/innetgr.c b/crypto/heimdal/lib/roken/innetgr.c
index 4bc57f9..598bad2 100644
--- a/crypto/heimdal/lib/roken/innetgr.c
+++ b/crypto/heimdal/lib/roken/innetgr.c
@@ -37,9 +37,9 @@
 
 #ifndef HAVE_INNETGR
 
-RCSID("$Id: innetgr.c,v 1.1 1999/03/11 14:04:01 joda Exp $");
+RCSID("$Id: innetgr.c 14773 2005-04-12 11:29:18Z lha $");
 
-int
+int ROKEN_LIB_FUNCTION
 innetgr(const char *netgroup, const char *machine, 
 	const char *user, const char *domain)
 {
diff --git a/crypto/heimdal/lib/roken/iruserok.c b/crypto/heimdal/lib/roken/iruserok.c
index 3b3880b..ca93e1c 100644
--- a/crypto/heimdal/lib/roken/iruserok.c
+++ b/crypto/heimdal/lib/roken/iruserok.c
@@ -10,11 +10,7 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
+ * 3. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
@@ -33,7 +29,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: iruserok.c,v 1.23 1999/12/05 13:27:05 assar Exp $");
+RCSID("$Id: iruserok.c 17879 2006-08-08 21:50:40Z lha $");
 #endif
 
 #include <stdio.h>
@@ -221,7 +217,7 @@ __ivaliduser(FILE *hostf, unsigned raddr, const char *luser,
  *
  * Returns 0 if ok, -1 if not ok.
  */
-int
+int ROKEN_LIB_FUNCTION
 iruserok(unsigned raddr, int superuser, const char *ruser, const char *luser)
 {
 	char *cp;
@@ -254,7 +250,8 @@ again:
 		 * are protected read/write owner only.
 		 */
 		uid = geteuid();
-		seteuid(pwd->pw_uid);
+		if (seteuid(pwd->pw_uid) < 0)
+			return (-1);
 		hostf = fopen(pbuf, "r");
 		seteuid(uid);
 
diff --git a/crypto/heimdal/lib/roken/issuid.c b/crypto/heimdal/lib/roken/issuid.c
index 910d850..46bde77 100644
--- a/crypto/heimdal/lib/roken/issuid.c
+++ b/crypto/heimdal/lib/roken/issuid.c
@@ -33,17 +33,18 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: issuid.c,v 1.4 2001/08/27 23:08:34 assar Exp $");
+RCSID("$Id: issuid.c 15131 2005-05-13 07:42:03Z lha $");
 #endif
 
 #include "roken.h"
 
-int
+int ROKEN_LIB_FUNCTION
 issuid(void)
 {
 #if defined(HAVE_ISSETUGID)
     return issetugid();
-#endif
+#else /* !HAVE_ISSETUGID */
+
 #if defined(HAVE_GETUID) && defined(HAVE_GETEUID)
     if(getuid() != geteuid())
 	return 1;
@@ -52,5 +53,7 @@ issuid(void)
     if(getgid() != getegid())
 	return 2;
 #endif
+
     return 0;
+#endif /* HAVE_ISSETUGID */
 }
diff --git a/crypto/heimdal/lib/roken/k_getpwnam.c b/crypto/heimdal/lib/roken/k_getpwnam.c
index 40681cd..81eba28 100644
--- a/crypto/heimdal/lib/roken/k_getpwnam.c
+++ b/crypto/heimdal/lib/roken/k_getpwnam.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: k_getpwnam.c,v 1.9 1999/12/02 16:58:47 joda Exp $");
+RCSID("$Id: k_getpwnam.c 14773 2005-04-12 11:29:18Z lha $");
 #endif /* HAVE_CONFIG_H */
 
 #include "roken.h"
@@ -41,7 +41,7 @@ RCSID("$Id: k_getpwnam.c,v 1.9 1999/12/02 16:58:47 joda Exp $");
 #include <shadow.h>
 #endif
 
-struct passwd *
+struct passwd * ROKEN_LIB_FUNCTION
 k_getpwnam (const char *user)
 {
      struct passwd *p;
diff --git a/crypto/heimdal/lib/roken/k_getpwuid.c b/crypto/heimdal/lib/roken/k_getpwuid.c
index 1e2ca54..7fe03b9 100644
--- a/crypto/heimdal/lib/roken/k_getpwuid.c
+++ b/crypto/heimdal/lib/roken/k_getpwuid.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: k_getpwuid.c,v 1.9 1999/12/02 16:58:47 joda Exp $");
+RCSID("$Id: k_getpwuid.c 14773 2005-04-12 11:29:18Z lha $");
 #endif /* HAVE_CONFIG_H */
 
 #include "roken.h"
@@ -41,7 +41,7 @@ RCSID("$Id: k_getpwuid.c,v 1.9 1999/12/02 16:58:47 joda Exp $");
 #include <shadow.h>
 #endif
 
-struct passwd *
+struct passwd * ROKEN_LIB_FUNCTION
 k_getpwuid (uid_t uid)
 {
      struct passwd *p;
diff --git a/crypto/heimdal/lib/roken/localtime_r.c b/crypto/heimdal/lib/roken/localtime_r.c
index 4340234..ad515c14 100644
--- a/crypto/heimdal/lib/roken/localtime_r.c
+++ b/crypto/heimdal/lib/roken/localtime_r.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: localtime_r.c,v 1.2 2002/08/20 13:00:35 joda Exp $");
+RCSID("$Id: localtime_r.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include <stdio.h>
@@ -42,7 +42,7 @@ RCSID("$Id: localtime_r.c,v 1.2 2002/08/20 13:00:35 joda Exp $");
 
 #ifndef HAVE_LOCALTIME_R
 
-struct tm *
+struct tm * ROKEN_LIB_FUNCTION
 localtime_r(const time_t *timer, struct tm *result)
 {
     struct tm *tm;
diff --git a/crypto/heimdal/lib/roken/lstat.c b/crypto/heimdal/lib/roken/lstat.c
index 2f03e19..9357e12 100644
--- a/crypto/heimdal/lib/roken/lstat.c
+++ b/crypto/heimdal/lib/roken/lstat.c
@@ -33,12 +33,12 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: lstat.c,v 1.4 1999/12/02 16:58:51 joda Exp $");
+RCSID("$Id: lstat.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
 
-int
+int ROKEN_LIB_FUNCTION
 lstat(const char *path, struct stat *buf)
 {
   return stat(path, buf);
diff --git a/crypto/heimdal/lib/roken/memmove.c b/crypto/heimdal/lib/roken/memmove.c
index b77d56a..5f78ac2 100644
--- a/crypto/heimdal/lib/roken/memmove.c
+++ b/crypto/heimdal/lib/roken/memmove.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: memmove.c,v 1.7 1999/12/02 16:58:51 joda Exp $");
+RCSID("$Id: memmove.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 /* 
@@ -44,7 +44,8 @@ RCSID("$Id: memmove.c,v 1.7 1999/12/02 16:58:51 joda Exp $");
 #include <sys/types.h>
 #endif
 
-void* memmove(void *s1, const void *s2, size_t n)
+void* ROKEN_LIB_FUNCTION
+memmove(void *s1, const void *s2, size_t n)
 {
   char *s=(char*)s2, *d=(char*)s1;
 
diff --git a/crypto/heimdal/lib/roken/mini_inetd.c b/crypto/heimdal/lib/roken/mini_inetd.c
index 8c8f72d..9eb114d 100644
--- a/crypto/heimdal/lib/roken/mini_inetd.c
+++ b/crypto/heimdal/lib/roken/mini_inetd.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: mini_inetd.c,v 1.30 2002/02/18 19:08:55 joda Exp $");
+RCSID("$Id: mini_inetd.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include <err.h>
@@ -62,7 +62,7 @@ accept_it (int s)
  * Listen on a specified port, emulating inetd.
  */
 
-void
+void ROKEN_LIB_FUNCTION
 mini_inetd_addrinfo (struct addrinfo *ai)
 {
     int ret;
@@ -124,7 +124,7 @@ mini_inetd_addrinfo (struct addrinfo *ai)
     abort ();
 }
 
-void
+void ROKEN_LIB_FUNCTION
 mini_inetd (int port)
 {
     int error;
diff --git a/crypto/heimdal/lib/roken/mkstemp.c b/crypto/heimdal/lib/roken/mkstemp.c
index 350f4cb..ccb2e700 100644
--- a/crypto/heimdal/lib/roken/mkstemp.c
+++ b/crypto/heimdal/lib/roken/mkstemp.c
@@ -44,11 +44,11 @@
 #endif
 #include <errno.h>
 
-RCSID("$Id: mkstemp.c,v 1.3 1999/12/02 16:58:51 joda Exp $");
+RCSID("$Id: mkstemp.c 14773 2005-04-12 11:29:18Z lha $");
 
 #ifndef HAVE_MKSTEMP
 
-int
+int ROKEN_LIB_FUNCTION
 mkstemp(char *template)
 {
     int start, i;
diff --git a/crypto/heimdal/lib/roken/ndbm_wrap.c b/crypto/heimdal/lib/roken/ndbm_wrap.c
index 0a1ab92..8bc5d93 100644
--- a/crypto/heimdal/lib/roken/ndbm_wrap.c
+++ b/crypto/heimdal/lib/roken/ndbm_wrap.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: ndbm_wrap.c,v 1.1.8.1 2003/08/29 17:00:34 lha Exp $");
+RCSID("$Id: ndbm_wrap.c 21634 2007-07-17 11:30:36Z lha $");
 #endif
 
 #include "ndbm_wrap.h"
@@ -50,6 +50,8 @@ RCSID("$Id: ndbm_wrap.c,v 1.1.8.1 2003/08/29 17:00:34 lha Exp $");
 #include <string.h>
 #include <fcntl.h>
 
+/* XXX undefine open so this works on Solaris with large file support */
+#undef open
 
 #define DBT2DATUM(DBT, DATUM) do { (DATUM)->dptr = (DBT)->data; (DATUM)->dsize = (DBT)->size; } while(0)
 #define DATUM2DBT(DATUM, DBT) do { (DBT)->data = (DATUM)->dptr; (DBT)->size = (DATUM)->dsize; } while(0)
@@ -61,7 +63,7 @@ static DBC *cursor;
 
 #define D(X) ((DB*)(X))
 
-void
+void ROKEN_LIB_FUNCTION
 dbm_close (DBM *db)
 {
 #ifdef HAVE_DB3
@@ -72,7 +74,7 @@ dbm_close (DBM *db)
 #endif
 }
 
-int
+int ROKEN_LIB_FUNCTION
 dbm_delete (DBM *db, datum dkey)
 {
     DBT key;
@@ -94,8 +96,10 @@ dbm_fetch (DBM *db, datum dkey)
 #ifdef HAVE_DB3
 	       NULL, 
 #endif
-	       &key, &value, 0) != 0) 
+	       &key, &value, 0) != 0) {
 	dvalue.dptr = NULL;
+	dvalue.dsize = 0;
+    }
     else
 	DBT2DATUM(&value, &dvalue);
 
@@ -110,9 +114,10 @@ dbm_get (DB *db, int flags)
 #ifdef HAVE_DB3
     if(cursor == NULL) 
 	db->cursor(db, NULL, &cursor, 0);
-    if(cursor->c_get(cursor, &key, &value, flags) != 0) 
+    if(cursor->c_get(cursor, &key, &value, flags) != 0) {
 	datum.dptr = NULL;
-    else 
+	datum.dsize = 0;
+    } else 
 	DBT2DATUM(&value, &datum);
 #else
     db->seq(db, &key, &value, flags);
@@ -127,19 +132,19 @@ dbm_get (DB *db, int flags)
 #define DB_KEYEXIST	1
 #endif
 
-datum
+datum ROKEN_LIB_FUNCTION
 dbm_firstkey (DBM *db)
 {
     return dbm_get(D(db), DB_FIRST);
 }
 
-datum 
+datum ROKEN_LIB_FUNCTION
 dbm_nextkey (DBM *db)
 {
     return dbm_get(D(db), DB_NEXT);
 }
 
-DBM*
+DBM* ROKEN_LIB_FUNCTION
 dbm_open (const char *file, int flags, mode_t mode)
 {
     DB *db;
@@ -182,7 +187,7 @@ dbm_open (const char *file, int flags, mode_t mode)
     return (DBM*)db;
 }
 
-int
+int ROKEN_LIB_FUNCTION
 dbm_store (DBM *db, datum dkey, datum dvalue, int flags)
 {
     int ret;
@@ -202,13 +207,13 @@ dbm_store (DBM *db, datum dkey, datum dvalue, int flags)
     RETURN(ret);
 }
 
-int
+int ROKEN_LIB_FUNCTION
 dbm_error (DBM *db)
 {
     return 0;
 }
 
-int
+int ROKEN_LIB_FUNCTION
 dbm_clearerr (DBM *db)
 {
     return 0;
diff --git a/crypto/heimdal/lib/roken/ndbm_wrap.h b/crypto/heimdal/lib/roken/ndbm_wrap.h
index 77c88b4..4149402 100644
--- a/crypto/heimdal/lib/roken/ndbm_wrap.h
+++ b/crypto/heimdal/lib/roken/ndbm_wrap.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: ndbm_wrap.h,v 1.1 2002/04/30 16:37:20 joda Exp $ */
+/* $Id: ndbm_wrap.h 14773 2005-04-12 11:29:18Z lha $ */
 
 #ifndef __ndbm_wrap_h__
 #define __ndbm_wrap_h__
@@ -39,6 +39,14 @@
 #include <stdio.h>
 #include <sys/types.h>
 
+#ifndef ROKEN_LIB_FUNCTION
+#ifdef _WIN32
+#define ROKEN_LIB_FUNCTION _stdcall
+#else
+#define ROKEN_LIB_FUNCTION
+#endif
+#endif
+
 #ifndef dbm_rename
 #define dbm_rename(X)	__roken_ ## X
 #endif
@@ -70,14 +78,14 @@ typedef struct {
 } DBM;
 #endif
 
-int dbm_clearerr (DBM*);
-void dbm_close (DBM*);
-int dbm_delete (DBM*, datum);
-int dbm_error (DBM*);
-datum dbm_fetch (DBM*, datum);
-datum dbm_firstkey (DBM*);
-datum dbm_nextkey (DBM*);
-DBM* dbm_open (const char*, int, mode_t);
-int dbm_store (DBM*, datum, datum, int);
+int ROKEN_LIB_FUNCTION dbm_clearerr (DBM*);
+void ROKEN_LIB_FUNCTION dbm_close (DBM*);
+int ROKEN_LIB_FUNCTION dbm_delete (DBM*, datum);
+int ROKEN_LIB_FUNCTION dbm_error (DBM*);
+datum ROKEN_LIB_FUNCTION dbm_fetch (DBM*, datum);
+datum ROKEN_LIB_FUNCTION dbm_firstkey (DBM*);
+datum ROKEN_LIB_FUNCTION dbm_nextkey (DBM*);
+DBM* ROKEN_LIB_FUNCTION dbm_open (const char*, int, mode_t);
+int ROKEN_LIB_FUNCTION dbm_store (DBM*, datum, datum, int);
 
 #endif /* __ndbm_wrap_h__ */
diff --git a/crypto/heimdal/lib/roken/net_read.c b/crypto/heimdal/lib/roken/net_read.c
index 6d45bfa..effc001 100644
--- a/crypto/heimdal/lib/roken/net_read.c
+++ b/crypto/heimdal/lib/roken/net_read.c
@@ -33,20 +33,20 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: net_read.c,v 1.3 1999/12/02 16:58:51 joda Exp $");
+RCSID("$Id: net_read.c 21005 2007-06-08 01:54:35Z lha $");
 #endif
 
 #include <sys/types.h>
 #include <unistd.h>
 #include <errno.h>
 
-#include <roken.h>
+#include "roken.h"
 
 /*
  * Like read but never return partial data.
  */
 
-ssize_t
+ssize_t ROKEN_LIB_FUNCTION
 net_read (int fd, void *buf, size_t nbytes)
 {
     char *cbuf = (char *)buf;
diff --git a/crypto/heimdal/lib/roken/net_write.c b/crypto/heimdal/lib/roken/net_write.c
index 2f63dbe..a68317f 100644
--- a/crypto/heimdal/lib/roken/net_write.c
+++ b/crypto/heimdal/lib/roken/net_write.c
@@ -33,20 +33,20 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: net_write.c,v 1.4 1999/12/02 16:58:51 joda Exp $");
+RCSID("$Id: net_write.c 21005 2007-06-08 01:54:35Z lha $");
 #endif
 
 #include <sys/types.h>
 #include <unistd.h>
 #include <errno.h>
 
-#include <roken.h>
+#include "roken.h"
 
 /*
  * Like write but never return partial data.
  */
 
-ssize_t
+ssize_t ROKEN_LIB_FUNCTION
 net_write (int fd, const void *buf, size_t nbytes)
 {
     const char *cbuf = (const char *)buf;
diff --git a/crypto/heimdal/lib/roken/parse_bytes-test.c b/crypto/heimdal/lib/roken/parse_bytes-test.c
index 6583f22..5e55b30 100644
--- a/crypto/heimdal/lib/roken/parse_bytes-test.c
+++ b/crypto/heimdal/lib/roken/parse_bytes-test.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: parse_bytes-test.c,v 1.3 2001/09/04 09:56:00 assar Exp $");
+RCSID("$Id: parse_bytes-test.c 10655 2001-09-04 09:56:00Z assar $");
 #endif
 
 #include "roken.h"
diff --git a/crypto/heimdal/lib/roken/parse_bytes.c b/crypto/heimdal/lib/roken/parse_bytes.c
index b556ddc..4ab02b4 100644
--- a/crypto/heimdal/lib/roken/parse_bytes.c
+++ b/crypto/heimdal/lib/roken/parse_bytes.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: parse_bytes.c,v 1.4 2003/03/07 15:51:53 lha Exp $");
+RCSID("$Id: parse_bytes.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include <parse_units.h>
@@ -59,19 +59,19 @@ static struct units bytes_short_units[] = {
     { NULL, 0 }
 };
 
-int
+int ROKEN_LIB_FUNCTION
 parse_bytes (const char *s, const char *def_unit)
 {
     return parse_units (s, bytes_units, def_unit);
 }
 
-int
+int ROKEN_LIB_FUNCTION
 unparse_bytes (int t, char *s, size_t len)
 {
     return unparse_units (t, bytes_units, s, len);
 }
 
-int
+int ROKEN_LIB_FUNCTION
 unparse_bytes_short (int t, char *s, size_t len)
 {
     return unparse_units_approx (t, bytes_short_units, s, len);
diff --git a/crypto/heimdal/lib/roken/parse_bytes.h b/crypto/heimdal/lib/roken/parse_bytes.h
index d7e759d..1998f70 100644
--- a/crypto/heimdal/lib/roken/parse_bytes.h
+++ b/crypto/heimdal/lib/roken/parse_bytes.h
@@ -31,18 +31,26 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: parse_bytes.h,v 1.3 2001/09/04 09:56:00 assar Exp $ */
+/* $Id: parse_bytes.h 14787 2005-04-13 13:19:07Z lha $ */
 
 #ifndef __PARSE_BYTES_H__
 #define __PARSE_BYTES_H__
 
-int
+#ifndef ROKEN_LIB_FUNCTION
+#ifdef _WIN32
+#define ROKEN_LIB_FUNCTION _stdcall
+#else
+#define ROKEN_LIB_FUNCTION
+#endif
+#endif
+
+int ROKEN_LIB_FUNCTION
 parse_bytes (const char *s, const char *def_unit);
 
-int
+int ROKEN_LIB_FUNCTION
 unparse_bytes (int t, char *s, size_t len);
 
-int
+int ROKEN_LIB_FUNCTION
 unparse_bytes_short (int t, char *s, size_t len);
 
 #endif /* __PARSE_BYTES_H__ */
diff --git a/crypto/heimdal/lib/roken/parse_reply-test.c b/crypto/heimdal/lib/roken/parse_reply-test.c
index 47e12d1..f6342ef 100644
--- a/crypto/heimdal/lib/roken/parse_reply-test.c
+++ b/crypto/heimdal/lib/roken/parse_reply-test.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: parse_reply-test.c,v 1.2 2002/09/04 03:25:06 assar Exp $");
+RCSID("$Id: parse_reply-test.c 15287 2005-05-29 21:21:12Z lha $");
 #endif
 
 #include <sys/types.h>
@@ -109,18 +109,18 @@ main(int argc, char **argv)
 #endif
 	flags |= MAP_PRIVATE;
 
-	p1 = (char *)mmap(0, 2 * pagesize, PROT_READ | PROT_WRITE,
+	p1 = (unsigned char *)mmap(0, 2 * pagesize, PROT_READ | PROT_WRITE,
 		  flags, fd, 0);
 	if (p1 == (unsigned char *)MAP_FAILED)
 	    err (1, "mmap");
 	p2 = p1 + pagesize;
-	ret = mprotect (p2, pagesize, 0);
+	ret = mprotect ((void *)p2, pagesize, 0);
 	if (ret < 0)
 	    err (1, "mprotect");
 	buf = p2 - t->buf_len;
 	memcpy (buf, t->buf, t->buf_len);
 	parse_reply (buf, t->buf_len);
-	ret = munmap (p1, 2 * pagesize);
+	ret = munmap ((void *)p1, 2 * pagesize);
 	if (ret < 0)
 	    err (1, "munmap");
     }
diff --git a/crypto/heimdal/lib/roken/parse_time-test.c b/crypto/heimdal/lib/roken/parse_time-test.c
new file mode 100644
index 0000000..0ce7063
--- /dev/null
+++ b/crypto/heimdal/lib/roken/parse_time-test.c
@@ -0,0 +1,118 @@
+/*
+ * Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: parse_time-test.c 15028 2005-04-30 14:48:29Z lha $");
+#endif
+
+#include "roken.h"
+#include "parse_time.h"
+#include "test-mem.h"
+#include "err.h"
+
+static struct testcase {
+    size_t size;
+    time_t val;
+    char *str;
+} tests[] = {
+    { 8, 1,		"1 second" },
+    { 17, 61,		"1 minute 1 second" },
+    { 18, 62,		"1 minute 2 seconds" },
+    { 8, 60,		"1 minute" },
+    { 6, 3600,	 	"1 hour" },
+    { 15, 3601,	 	"1 hour 1 second" },
+    { 16, 3602,	 	"1 hour 2 seconds" }
+};
+
+int
+main(int argc, char **argv)
+{
+    size_t sz;
+    size_t buf_sz;
+    int i, j;
+
+    for (i = 0; i < sizeof(tests)/sizeof(tests[0]); ++i) {
+	char *buf;
+
+	sz = unparse_time(tests[i].val, NULL, 0);
+	if  (sz != tests[i].size)
+	    errx(1, "sz (%lu) != tests[%d].size (%lu)",
+		 (unsigned long)sz, i, (unsigned long)tests[i].size);
+	
+	for (buf_sz = 0; buf_sz < tests[i].size + 2; buf_sz++) {
+
+	    buf = rk_test_mem_alloc(RK_TM_OVERRUN, "overrun",
+				    NULL, buf_sz);
+	    sz = unparse_time(tests[i].val, buf, buf_sz);
+	    if (sz != tests[i].size)
+		errx(1, "sz (%lu) != tests[%d].size (%lu) with in size %lu",
+		     (unsigned long)sz, i, 
+		     (unsigned long)tests[i].size,
+		     (unsigned long)buf_sz);
+	    if (buf_sz > 0 && memcmp(buf, tests[i].str, buf_sz - 1) != 0)
+		errx(1, "test %i wrong result %s vs %s", i, buf, tests[i].str);
+	    if (buf_sz > 0 && buf[buf_sz - 1] != '\0')
+		errx(1, "test %i not zero terminated", i);
+	    rk_test_mem_free("overrun");
+
+	    buf = rk_test_mem_alloc(RK_TM_UNDERRUN, "underrun", 
+				    NULL, tests[i].size);
+	    sz = unparse_time(tests[i].val, buf, buf_sz);
+	    if (sz != tests[i].size)
+		errx(1, "sz (%lu) != tests[%d].size (%lu) with insize %lu",
+		     (unsigned long)sz, i,
+		     (unsigned long)tests[i].size,
+		     (unsigned long)buf_sz);
+	    if (buf_sz > 0 && strncmp(buf, tests[i].str, buf_sz - 1) != 0)
+		errx(1, "test %i wrong result %s vs %s", i, buf, tests[i].str);
+	    if (buf_sz > 0 && buf[buf_sz - 1] != '\0')
+		errx(1, "test %i not zero terminated", i);
+	    rk_test_mem_free("underrun");
+	}
+	buf = rk_test_mem_alloc(RK_TM_OVERRUN, "overrun",
+				tests[i].str, tests[i].size + 1);
+	j = parse_time(buf, "s");
+	if (j != tests[i].val)
+	    errx(1, "parse_time failed for test %d", i);
+	rk_test_mem_free("overrun");
+
+	buf = rk_test_mem_alloc(RK_TM_UNDERRUN, "underrun",
+				tests[i].str, tests[i].size + 1);
+	j = parse_time(buf, "s");
+	if (j != tests[i].val)
+	    errx(1, "parse_time failed for test %d", i);
+	rk_test_mem_free("underrun");
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/lib/roken/parse_time.3 b/crypto/heimdal/lib/roken/parse_time.3
new file mode 100644
index 0000000..f7a801b
--- /dev/null
+++ b/crypto/heimdal/lib/roken/parse_time.3
@@ -0,0 +1,173 @@
+.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden). 
+.\" All rights reserved. 
+.\"
+.\" Redistribution and use in source and binary forms, with or without 
+.\" modification, are permitted provided that the following conditions 
+.\" are met: 
+.\"
+.\" 1. Redistributions of source code must retain the above copyright 
+.\"    notice, this list of conditions and the following disclaimer. 
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright 
+.\"    notice, this list of conditions and the following disclaimer in the 
+.\"    documentation and/or other materials provided with the distribution. 
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors 
+.\"    may be used to endorse or promote products derived from this software 
+.\"    without specific prior written permission. 
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+.\" SUCH DAMAGE. 
+.\" $Id: parse_time.3 14325 2004-10-30 22:34:28Z lha $
+.\"
+.Dd October 31, 2004
+.Dt PARSE_TIME 3
+.Os HEIMDAL
+.Sh NAME
+.Nm parse_time ,
+.Nm print_time_table ,
+.Nm unparse_time ,
+.Nm unparse_time_approx ,
+.Nd parse and unparse time intervals
+.Sh LIBRARY
+The roken library (libroken, -lroken)
+.Sh SYNOPSIS
+.Fd #include <parse_time.h>
+.Ft int
+.Fn parse_time "const char *timespec" "const char *def_unit"
+.Ft void
+.Fn print_time_table "FILE *f"
+.Ft size_t
+.Fn unparse_time "int seconds" "char *buf" "size_t len"
+.Ft size_t
+.Fn unparse_time_approx "int seconds" "char *buf" "size_t len"
+.Sh DESCRIPTION
+The 
+.Fn parse_time
+function converts a the period of time specified in
+into a number of seconds.
+The 
+.Fa timespec
+can be any number of 
+.Aq number unit
+pairs separated by comma and whitespace. The number can be
+negative. Number without explicit units are taken as being
+.Fa def_unit .
+.Pp
+The
+.Fn unparse_time
+and
+.Fn unparse_time_approx
+does the opposite of 
+.Fn parse_time ,
+that is they take a number of seconds and express that as human
+readable string. 
+.Fa unparse_time
+produces an exact time, while 
+.Fa unparse_time_approx
+restricts the result to only include one units.
+.Pp
+.Fn print_time_table
+prints a descriptive list of available units on the passed file
+descriptor.
+.Pp
+The possible units include:
+.Bl -tag -width "month" -compact -offset indent
+.It Li second , s
+.It Li minute , m
+.It Li hour , h
+.It day
+.It week
+seven days
+.It month
+30 days
+.It year
+365 days
+.El
+.Pp
+Units names can be arbitrarily abbreviated (as long as they are
+unique).
+.Sh RETURN VALUES
+.Fn parse_time
+returns the number of seconds that represents the expression in 
+.Fa timespec
+or -1 on error.
+.Fn unparse_time
+and 
+.Fn unparse_time_approx 
+return the number of characters written to 
+.Fa buf .
+if the return value is greater than or equal to the
+.Fa len
+argument, the string was too short and some of the printed characters
+were discarded.
+.Sh EXAMPLES
+.Bd -literal
+#include <stdio.h>
+#include <parse_time.h>
+
+int
+main(int argc, char **argv)
+{
+    int i;
+    int result;
+    char buf[128];
+    print_time_table(stdout);
+    for (i = 1; i < argc; i++) {
+	result = parse_time(argv[i], "second");
+	if(result == -1) {
+	    fprintf(stderr, "%s: parse error\\n", argv[i]);
+	    continue;
+	}
+	printf("--\\n");
+	printf("parse_time = %d\\n", result);
+	unparse_time(result, buf, sizeof(buf));
+	printf("unparse_time = %s\\n", buf);
+	unparse_time_approx(result, buf, sizeof(buf));
+	printf("unparse_time_approx = %s\\n", buf);
+    }
+    return 0;
+}
+.Ed
+.Bd -literal
+$ ./a.out "1 minute 30 seconds" "90 s" "1 y -1 s"     
+1   year = 365 days
+1  month = 30 days
+1   week = 7 days
+1    day = 24 hours
+1   hour = 60 minutes
+1 minute = 60 seconds
+1 second
+--
+parse_time = 90
+unparse_time = 1 minute 30 seconds
+unparse_time_approx = 1 minute
+--
+parse_time = 90
+unparse_time = 1 minute 30 seconds
+unparse_time_approx = 1 minute
+--
+parse_time = 31535999
+unparse_time = 12 months 4 days 23 hours 59 minutes 59 seconds
+unparse_time_approx = 12 months
+.Ed
+.Sh BUGS
+Since
+.Fn parse_time
+returns -1 on error there is no way to parse "minus one second".
+Currently "s" at the end of units is ignored. This is a hack for
+English plural forms. If these functions are ever localised, this
+scheme will have to change.
+.\".Sh SEE ALSO
+.\".Xr parse_bytes 3
+.\".Xr parse_units 3
diff --git a/crypto/heimdal/lib/roken/parse_time.c b/crypto/heimdal/lib/roken/parse_time.c
index deab102..1c39bde 100644
--- a/crypto/heimdal/lib/roken/parse_time.c
+++ b/crypto/heimdal/lib/roken/parse_time.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: parse_time.c,v 1.6 2003/03/07 15:51:06 lha Exp $");
+RCSID("$Id: parse_time.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include <parse_units.h>
@@ -53,25 +53,25 @@ static struct units time_units[] = {
     {NULL, 0},
 };
 
-int
+int ROKEN_LIB_FUNCTION
 parse_time (const char *s, const char *def_unit)
 {
     return parse_units (s, time_units, def_unit);
 }
 
-size_t
+size_t ROKEN_LIB_FUNCTION
 unparse_time (int t, char *s, size_t len)
 {
     return unparse_units (t, time_units, s, len);
 }
 
-size_t
+size_t ROKEN_LIB_FUNCTION
 unparse_time_approx (int t, char *s, size_t len)
 {
     return unparse_units_approx (t, time_units, s, len);
 }
 
-void
+void ROKEN_LIB_FUNCTION
 print_time_table (FILE *f)
 {
     print_units_table (time_units, f);
diff --git a/crypto/heimdal/lib/roken/parse_time.h b/crypto/heimdal/lib/roken/parse_time.h
index 55de505..4dc2da0 100644
--- a/crypto/heimdal/lib/roken/parse_time.h
+++ b/crypto/heimdal/lib/roken/parse_time.h
@@ -31,11 +31,19 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: parse_time.h,v 1.4 1999/12/02 16:58:51 joda Exp $ */
+/* $Id: parse_time.h 14773 2005-04-12 11:29:18Z lha $ */
 
 #ifndef __PARSE_TIME_H__
 #define __PARSE_TIME_H__
 
+#ifndef ROKEN_LIB_FUNCTION
+#ifdef _WIN32
+#define ROKEN_LIB_FUNCTION _stdcall
+#else
+#define ROKEN_LIB_FUNCTION
+#endif
+#endif
+
 int
 parse_time (const char *s, const char *def_unit);
 
diff --git a/crypto/heimdal/lib/roken/parse_units.c b/crypto/heimdal/lib/roken/parse_units.c
index 217d55e..1960bec 100644
--- a/crypto/heimdal/lib/roken/parse_units.c
+++ b/crypto/heimdal/lib/roken/parse_units.c
@@ -33,13 +33,13 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: parse_units.c,v 1.14 2001/09/04 09:56:00 assar Exp $");
+RCSID("$Id: parse_units.c 21005 2007-06-08 01:54:35Z lha $");
 #endif
 
 #include <stdio.h>
 #include <ctype.h>
 #include <string.h>
-#include <roken.h>
+#include "roken.h"
 #include "parse_units.h"
 
 /*
@@ -152,7 +152,7 @@ acc_units(int res, int val, unsigned mult)
     return res + val * mult;
 }
 
-int
+int ROKEN_LIB_FUNCTION
 parse_units (const char *s, const struct units *units,
 	     const char *def_unit)
 {
@@ -178,7 +178,7 @@ acc_flags(int res, int val, unsigned mult)
 	return -1;
 }
 
-int
+int ROKEN_LIB_FUNCTION
 parse_flags (const char *s, const struct units *units,
 	     int orig)
 {
@@ -192,9 +192,8 @@ parse_flags (const char *s, const struct units *units,
 
 static int
 unparse_something (int num, const struct units *units, char *s, size_t len,
-		   int (*print) (char *s, size_t len, int div,
-				const char *name, int rem),
-		   int (*update) (int in, unsigned mult),
+		   int (*print) (char *, size_t, int, const char *, int),
+		   int (*update) (int, unsigned),
 		   const char *zero_string)
 {
     const struct units *u;
@@ -204,17 +203,21 @@ unparse_something (int num, const struct units *units, char *s, size_t len,
 	return snprintf (s, len, "%s", zero_string);
 
     for (u = units; num > 0 && u->name; ++u) {
-	int div;
+	int divisor;
 
-	div = num / u->mult;
-	if (div) {
+	divisor = num / u->mult;
+	if (divisor) {
 	    num = (*update) (num, u->mult);
-	    tmp = (*print) (s, len, div, u->name, num);
+	    tmp = (*print) (s, len, divisor, u->name, num);
 	    if (tmp < 0)
 		return tmp;
-
-	    len -= tmp;
-	    s += tmp;
+	    if (tmp > len) {
+		len = 0;
+		s = NULL;
+	    } else {
+		len -= tmp;
+		s += tmp;
+	    }
 	    ret += tmp;
 	}
     }
@@ -222,11 +225,11 @@ unparse_something (int num, const struct units *units, char *s, size_t len,
 }
 
 static int
-print_unit (char *s, size_t len, int div, const char *name, int rem)
+print_unit (char *s, size_t len, int divisor, const char *name, int rem)
 {
     return snprintf (s, len, "%u %s%s%s",
-		     div, name,
-		     div == 1 ? "" : "s",
+		     divisor, name,
+		     divisor == 1 ? "" : "s",
 		     rem > 0 ? " " : "");
 }
 
@@ -245,7 +248,7 @@ update_unit_approx (int in, unsigned mult)
 	return update_unit (in, mult);
 }
 
-int
+int ROKEN_LIB_FUNCTION
 unparse_units (int num, const struct units *units, char *s, size_t len)
 {
     return unparse_something (num, units, s, len,
@@ -254,7 +257,7 @@ unparse_units (int num, const struct units *units, char *s, size_t len)
 			      "0");
 }
 
-int
+int ROKEN_LIB_FUNCTION
 unparse_units_approx (int num, const struct units *units, char *s, size_t len)
 {
     return unparse_something (num, units, s, len,
@@ -263,7 +266,7 @@ unparse_units_approx (int num, const struct units *units, char *s, size_t len)
 			      "0");
 }
 
-void
+void ROKEN_LIB_FUNCTION
 print_units_table (const struct units *units, FILE *f)
 {
     const struct units *u, *u2;
@@ -297,7 +300,7 @@ print_units_table (const struct units *units, FILE *f)
 }
 
 static int
-print_flag (char *s, size_t len, int div, const char *name, int rem)
+print_flag (char *s, size_t len, int divisor, const char *name, int rem)
 {
     return snprintf (s, len, "%s%s", name, rem > 0 ? ", " : "");
 }
@@ -308,7 +311,7 @@ update_flag (int in, unsigned mult)
     return in - mult;
 }
 
-int
+int ROKEN_LIB_FUNCTION
 unparse_flags (int num, const struct units *units, char *s, size_t len)
 {
     return unparse_something (num, units, s, len,
@@ -317,7 +320,7 @@ unparse_flags (int num, const struct units *units, char *s, size_t len)
 			      "");
 }
 
-void
+void ROKEN_LIB_FUNCTION
 print_flags_table (const struct units *units, FILE *f)
 {
     const struct units *u;
diff --git a/crypto/heimdal/lib/roken/parse_units.h b/crypto/heimdal/lib/roken/parse_units.h
index 2002625..a42154d 100644
--- a/crypto/heimdal/lib/roken/parse_units.h
+++ b/crypto/heimdal/lib/roken/parse_units.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: parse_units.h,v 1.8 2003/04/16 17:30:54 lha Exp $ */
+/* $Id: parse_units.h 14773 2005-04-12 11:29:18Z lha $ */
 
 #ifndef __PARSE_UNITS_H__
 #define __PARSE_UNITS_H__
@@ -39,33 +39,41 @@
 #include <stdio.h>
 #include <stddef.h>
 
+#ifndef ROKEN_LIB_FUNCTION
+#ifdef _WIN32
+#define ROKEN_LIB_FUNCTION _stdcall
+#else
+#define ROKEN_LIB_FUNCTION
+#endif
+#endif
+
 struct units {
     const char *name;
     unsigned mult;
 };
 
-int
+int ROKEN_LIB_FUNCTION
 parse_units (const char *s, const struct units *units,
 	     const char *def_unit);
 
-void
+void ROKEN_LIB_FUNCTION
 print_units_table (const struct units *units, FILE *f);
 
-int
+int ROKEN_LIB_FUNCTION
 parse_flags (const char *s, const struct units *units,
 	     int orig);
 
-int
+int ROKEN_LIB_FUNCTION
 unparse_units (int num, const struct units *units, char *s, size_t len);
 
-int
+int ROKEN_LIB_FUNCTION
 unparse_units_approx (int num, const struct units *units, char *s,
 		      size_t len);
 
-int
+int ROKEN_LIB_FUNCTION
 unparse_flags (int num, const struct units *units, char *s, size_t len);
 
-void
+void ROKEN_LIB_FUNCTION
 print_flags_table (const struct units *units, FILE *f);
 
 #endif /* __PARSE_UNITS_H__ */
diff --git a/crypto/heimdal/lib/roken/putenv.c b/crypto/heimdal/lib/roken/putenv.c
index a6bdf60..5e501dc 100644
--- a/crypto/heimdal/lib/roken/putenv.c
+++ b/crypto/heimdal/lib/roken/putenv.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: putenv.c,v 1.7 2000/03/26 23:08:24 assar Exp $");
+RCSID("$Id: putenv.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include <stdlib.h>
@@ -48,7 +48,7 @@ extern char **environ;
  *      value by altering an existing variable or creating a new one.
  */
 
-int
+int ROKEN_LIB_FUNCTION
 putenv(const char *string)
 {
     int i;
diff --git a/crypto/heimdal/lib/roken/rcmd.c b/crypto/heimdal/lib/roken/rcmd.c
index 4117948..e732fe3 100644
--- a/crypto/heimdal/lib/roken/rcmd.c
+++ b/crypto/heimdal/lib/roken/rcmd.c
@@ -33,13 +33,13 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: rcmd.c,v 1.3 1999/12/02 16:58:51 joda Exp $");
+RCSID("$Id: rcmd.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
 #include <stdio.h>
 
-int
+int ROKEN_LIB_FUNCTION
 rcmd(char **ahost,
      unsigned short inport,
      const char *locuser,
diff --git a/crypto/heimdal/lib/roken/readv.c b/crypto/heimdal/lib/roken/readv.c
index de2f9ea..b49890e 100644
--- a/crypto/heimdal/lib/roken/readv.c
+++ b/crypto/heimdal/lib/roken/readv.c
@@ -33,12 +33,12 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: readv.c,v 1.5 1999/12/02 16:58:52 joda Exp $");
+RCSID("$Id: readv.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
 
-ssize_t
+ssize_t ROKEN_LIB_FUNCTION
 readv(int d, const struct iovec *iov, int iovcnt)
 {
     ssize_t ret, nb;
diff --git a/crypto/heimdal/lib/roken/realloc.c b/crypto/heimdal/lib/roken/realloc.c
new file mode 100644
index 0000000..33e898c
--- /dev/null
+++ b/crypto/heimdal/lib/roken/realloc.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#undef realloc
+#endif
+#include <stdlib.h>
+#include "roken.h"
+
+RCSID("$Id");
+
+
+void * ROKEN_LIB_FUNCTION
+rk_realloc(void *ptr, size_t size)
+{
+    if (ptr == NULL)
+	return malloc(size);
+    return realloc(ptr, size);
+}
diff --git a/crypto/heimdal/lib/roken/recvmsg.c b/crypto/heimdal/lib/roken/recvmsg.c
index e94ad68..d92186c 100644
--- a/crypto/heimdal/lib/roken/recvmsg.c
+++ b/crypto/heimdal/lib/roken/recvmsg.c
@@ -33,12 +33,12 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: recvmsg.c,v 1.5 1999/12/02 16:58:52 joda Exp $");
+RCSID("$Id: recvmsg.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
 
-ssize_t
+ssize_t ROKEN_LIB_FUNCTION
 recvmsg(int s, struct msghdr *msg, int flags)
 {
     ssize_t ret, nb;
diff --git a/crypto/heimdal/lib/roken/resolve-test.c b/crypto/heimdal/lib/roken/resolve-test.c
new file mode 100644
index 0000000..106cfd7
--- /dev/null
+++ b/crypto/heimdal/lib/roken/resolve-test.c
@@ -0,0 +1,179 @@
+/*
+ * Copyright (c) 1995 - 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+#include "getarg.h"
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+#include "resolve.h"
+
+RCSID("$Id: resolve-test.c 15415 2005-06-16 16:58:45Z lha $");
+
+static int version_flag = 0;
+static int help_flag	= 0;
+
+static struct getargs args[] = {
+    {"version",	0,	arg_flag,	&version_flag,
+     "print version", NULL },
+    {"help",	0,	arg_flag,	&help_flag,
+     NULL, NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "dns-record resource-record-type");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    struct dns_reply *r;
+    struct resource_record *rr;
+    int optidx = 0;
+
+    setprogname (argv[0]);
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	printf("some version\n");
+	exit(0);
+    }
+
+    argc -= optidx;
+    argv += optidx;
+
+    if (argc != 2)
+	usage(1);
+
+    r = dns_lookup(argv[0], argv[1]);
+    if(r == NULL){
+	printf("No reply.\n");
+	return 1;
+    }
+    if(r->q.type == rk_ns_t_srv)
+	dns_srv_order(r);
+
+    for(rr = r->head; rr;rr=rr->next){
+	printf("%-30s %-5s %-6d ", rr->domain, dns_type_to_string(rr->type), rr->ttl);
+	switch(rr->type){
+	case rk_ns_t_ns:
+	case rk_ns_t_cname:
+	case rk_ns_t_ptr:
+	    printf("%s\n", (char*)rr->u.data);
+	    break;
+	case rk_ns_t_a:
+	    printf("%s\n", inet_ntoa(*rr->u.a));
+	    break;
+	case rk_ns_t_mx:
+	case rk_ns_t_afsdb:{
+	    printf("%d %s\n", rr->u.mx->preference, rr->u.mx->domain);
+	    break;
+	}
+	case rk_ns_t_srv:{
+	    struct srv_record *srv = rr->u.srv;
+	    printf("%d %d %d %s\n", srv->priority, srv->weight, 
+		   srv->port, srv->target);
+	    break;
+	}
+	case rk_ns_t_txt: {
+	    printf("%s\n", rr->u.txt);
+	    break;
+	}
+	case rk_ns_t_sig : {
+	    struct sig_record *sig = rr->u.sig;
+	    const char *type_string = dns_type_to_string (sig->type);
+
+	    printf ("type %u (%s), algorithm %u, labels %u, orig_ttl %u, sig_expiration %u, sig_inception %u, key_tag %u, signer %s\n",
+		    sig->type, type_string ? type_string : "",
+		    sig->algorithm, sig->labels, sig->orig_ttl,
+		    sig->sig_expiration, sig->sig_inception, sig->key_tag,
+		    sig->signer);
+	    break;
+	}
+	case rk_ns_t_key : {
+	    struct key_record *key = rr->u.key;
+
+	    printf ("flags %u, protocol %u, algorithm %u\n",
+		    key->flags, key->protocol, key->algorithm);
+	    break;
+	}
+	case rk_ns_t_sshfp : {
+	    struct sshfp_record *sshfp = rr->u.sshfp;
+	    int i;
+
+	    printf ("alg %u type %u length %lu data ", sshfp->algorithm, 
+		    sshfp->type,  (unsigned long)sshfp->sshfp_len);
+	    for (i = 0; i < sshfp->sshfp_len; i++)
+		printf("%02X", sshfp->sshfp_data[i]);
+	    printf("\n");
+
+	    break;
+	}
+	case rk_ns_t_ds : {
+	    struct ds_record *ds = rr->u.ds;
+	    int i;
+
+	    printf ("key tag %u alg %u type %u length %u data ",
+		    ds->key_tag, ds->algorithm, ds->digest_type, 
+		    ds->digest_len);
+	    for (i = 0; i < ds->digest_len; i++)
+		printf("%02X", ds->digest_data[i]);
+	    printf("\n");
+
+	    break;
+	}
+	default:
+	    printf("\n");
+	    break;
+	}
+    }
+    
+    return 0;
+}
diff --git a/crypto/heimdal/lib/roken/resolve.c b/crypto/heimdal/lib/roken/resolve.c
index cdbc069..8f8fec7 100644
--- a/crypto/heimdal/lib/roken/resolve.c
+++ b/crypto/heimdal/lib/roken/resolve.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -45,35 +45,39 @@
 
 #include <assert.h>
 
-RCSID("$Id: resolve.c,v 1.38.2.1 2003/04/22 15:02:47 lha Exp $");
+RCSID("$Id: resolve.c 19869 2007-01-12 16:03:14Z lha $");
 
+#ifdef _AIX /* AIX have broken res_nsearch() in 5.1 (5.0 also ?) */
 #undef HAVE_RES_NSEARCH
-#if (defined(HAVE_RES_SEARCH) || defined(HAVE_RES_NSEARCH)) && defined(HAVE_DN_EXPAND)
+#endif
 
-#define DECL(X) {#X, T_##X}
+#define DECL(X) {#X, rk_ns_t_##X}
 
 static struct stot{
     const char *name;
     int type;
 }stot[] = {
-    DECL(A),
-    DECL(NS),
-    DECL(CNAME),
-    DECL(SOA),
-    DECL(PTR),
-    DECL(MX),
-    DECL(TXT),
-    DECL(AFSDB),
-    DECL(SIG),
-    DECL(KEY),
-    DECL(SRV),
-    DECL(NAPTR),
+    DECL(a),
+    DECL(aaaa),
+    DECL(ns),
+    DECL(cname),
+    DECL(soa),
+    DECL(ptr),
+    DECL(mx),
+    DECL(txt),
+    DECL(afsdb),
+    DECL(sig),
+    DECL(key),
+    DECL(srv),
+    DECL(naptr),
+    DECL(sshfp),
+    DECL(ds),
     {NULL, 	0}
 };
 
 int _resolve_debug = 0;
 
-int
+int ROKEN_LIB_FUNCTION
 dns_string_to_type(const char *name)
 {
     struct stot *p = stot;
@@ -83,7 +87,7 @@ dns_string_to_type(const char *name)
     return -1;
 }
 
-const char *
+const char * ROKEN_LIB_FUNCTION
 dns_type_to_string(int type)
 {
     struct stot *p = stot;
@@ -93,7 +97,19 @@ dns_type_to_string(int type)
     return NULL;
 }
 
-void
+#if (defined(HAVE_RES_SEARCH) || defined(HAVE_RES_NSEARCH)) && defined(HAVE_DN_EXPAND)
+
+static void
+dns_free_rr(struct resource_record *rr)
+{
+    if(rr->domain)
+	free(rr->domain);
+    if(rr->u.data)
+	free(rr->u.data);
+    free(rr);
+}
+
+void ROKEN_LIB_FUNCTION
 dns_free_data(struct dns_reply *r)
 {
     struct resource_record *rr;
@@ -101,29 +117,30 @@ dns_free_data(struct dns_reply *r)
 	free(r->q.domain);
     for(rr = r->head; rr;){
 	struct resource_record *tmp = rr;
-	if(rr->domain)
-	    free(rr->domain);
-	if(rr->u.data)
-	    free(rr->u.data);
 	rr = rr->next;
-	free(tmp);
+	dns_free_rr(tmp);
     }
     free (r);
 }
 
 static int
 parse_record(const unsigned char *data, const unsigned char *end_data, 
-	     const unsigned char **pp, struct resource_record **rr)
+	     const unsigned char **pp, struct resource_record **ret_rr)
 {
+    struct resource_record *rr;
     int type, class, ttl, size;
     int status;
     char host[MAXDNAME];
     const unsigned char *p = *pp;
+
+    *ret_rr = NULL;
+
     status = dn_expand(data, end_data, p, host, sizeof(host));
     if(status < 0) 
 	return -1;
     if (p + status + 10 > end_data)
 	return -1;
+
     p += status;
     type = (p[0] << 8) | p[1];
     p += 2;
@@ -137,198 +154,246 @@ parse_record(const unsigned char *data, const unsigned char *end_data,
     if (p + size > end_data)
 	return -1;
 
-    *rr = calloc(1, sizeof(**rr));
-    if(*rr == NULL) 
+    rr = calloc(1, sizeof(*rr));
+    if(rr == NULL) 
 	return -1;
-    (*rr)->domain = strdup(host);
-    if((*rr)->domain == NULL) {
-	free(*rr);
+    rr->domain = strdup(host);
+    if(rr->domain == NULL) {
+	dns_free_rr(rr);
 	return -1;
     }
-    (*rr)->type = type;
-    (*rr)->class = class;
-    (*rr)->ttl = ttl;
-    (*rr)->size = size;
+    rr->type = type;
+    rr->class = class;
+    rr->ttl = ttl;
+    rr->size = size;
     switch(type){
-    case T_NS:
-    case T_CNAME:
-    case T_PTR:
+    case rk_ns_t_ns:
+    case rk_ns_t_cname:
+    case rk_ns_t_ptr:
 	status = dn_expand(data, end_data, p, host, sizeof(host));
 	if(status < 0) {
-	    free(*rr);
+	    dns_free_rr(rr);
 	    return -1;
 	}
-	(*rr)->u.txt = strdup(host);
-	if((*rr)->u.txt == NULL) {
-	    free(*rr);
+	rr->u.txt = strdup(host);
+	if(rr->u.txt == NULL) {
+	    dns_free_rr(rr);
 	    return -1;
 	}
 	break;
-    case T_MX:
-    case T_AFSDB:{
+    case rk_ns_t_mx:
+    case rk_ns_t_afsdb:{
 	size_t hostlen;
 
 	status = dn_expand(data, end_data, p + 2, host, sizeof(host));
 	if(status < 0){
-	    free(*rr);
+	    dns_free_rr(rr);
 	    return -1;
 	}
 	if (status + 2 > size) {
-	    free(*rr);
+	    dns_free_rr(rr);
 	    return -1;
 	}
 
 	hostlen = strlen(host);
-	(*rr)->u.mx = (struct mx_record*)malloc(sizeof(struct mx_record) + 
+	rr->u.mx = (struct mx_record*)malloc(sizeof(struct mx_record) + 
 						hostlen);
-	if((*rr)->u.mx == NULL) {
-	    free(*rr);
+	if(rr->u.mx == NULL) {
+	    dns_free_rr(rr);
 	    return -1;
 	}
-	(*rr)->u.mx->preference = (p[0] << 8) | p[1];
-	strlcpy((*rr)->u.mx->domain, host, hostlen + 1);
+	rr->u.mx->preference = (p[0] << 8) | p[1];
+	strlcpy(rr->u.mx->domain, host, hostlen + 1);
 	break;
     }
-    case T_SRV:{
+    case rk_ns_t_srv:{
 	size_t hostlen;
 	status = dn_expand(data, end_data, p + 6, host, sizeof(host));
 	if(status < 0){
-	    free(*rr);
+	    dns_free_rr(rr);
 	    return -1;
 	}
 	if (status + 6 > size) {
-	    free(*rr);
+	    dns_free_rr(rr);
 	    return -1;
 	}
 
 	hostlen = strlen(host);
-	(*rr)->u.srv = 
+	rr->u.srv = 
 	    (struct srv_record*)malloc(sizeof(struct srv_record) + 
 				       hostlen);
-	if((*rr)->u.srv == NULL) {
-	    free(*rr);
+	if(rr->u.srv == NULL) {
+	    dns_free_rr(rr);
 	    return -1;
 	}
-	(*rr)->u.srv->priority = (p[0] << 8) | p[1];
-	(*rr)->u.srv->weight = (p[2] << 8) | p[3];
-	(*rr)->u.srv->port = (p[4] << 8) | p[5];
-	strlcpy((*rr)->u.srv->target, host, hostlen + 1);
+	rr->u.srv->priority = (p[0] << 8) | p[1];
+	rr->u.srv->weight = (p[2] << 8) | p[3];
+	rr->u.srv->port = (p[4] << 8) | p[5];
+	strlcpy(rr->u.srv->target, host, hostlen + 1);
 	break;
     }
-    case T_TXT:{
+    case rk_ns_t_txt:{
 	if(size == 0 || size < *p + 1) {
-	    free(*rr);
+	    dns_free_rr(rr);
 	    return -1;
 	}
-	(*rr)->u.txt = (char*)malloc(*p + 1);
-	if((*rr)->u.txt == NULL) {
-	    free(*rr);
+	rr->u.txt = (char*)malloc(*p + 1);
+	if(rr->u.txt == NULL) {
+	    dns_free_rr(rr);
 	    return -1;
 	}
-	strncpy((*rr)->u.txt, (char*)p + 1, *p);
-	(*rr)->u.txt[*p] = '\0';
+	strncpy(rr->u.txt, (const char*)(p + 1), *p);
+	rr->u.txt[*p] = '\0';
 	break;
     }
-    case T_KEY : {
+    case rk_ns_t_key : {
 	size_t key_len;
 
 	if (size < 4) {
-	    free(*rr);
+	    dns_free_rr(rr);
 	    return -1;
 	}
 
 	key_len = size - 4;
-	(*rr)->u.key = malloc (sizeof(*(*rr)->u.key) + key_len - 1);
-	if ((*rr)->u.key == NULL) {
-	    free(*rr);
+	rr->u.key = malloc (sizeof(*rr->u.key) + key_len - 1);
+	if (rr->u.key == NULL) {
+	    dns_free_rr(rr);
 	    return -1;
 	}
 
-	(*rr)->u.key->flags     = (p[0] << 8) | p[1];
-	(*rr)->u.key->protocol  = p[2];
-	(*rr)->u.key->algorithm = p[3];
-	(*rr)->u.key->key_len   = key_len;
-	memcpy ((*rr)->u.key->key_data, p + 4, key_len);
+	rr->u.key->flags     = (p[0] << 8) | p[1];
+	rr->u.key->protocol  = p[2];
+	rr->u.key->algorithm = p[3];
+	rr->u.key->key_len   = key_len;
+	memcpy (rr->u.key->key_data, p + 4, key_len);
 	break;
     }
-    case T_SIG : {
+    case rk_ns_t_sig : {
 	size_t sig_len, hostlen;
 
 	if(size <= 18) {
-	    free(*rr);
+	    dns_free_rr(rr);
 	    return -1;
 	}
 	status = dn_expand (data, end_data, p + 18, host, sizeof(host));
 	if (status < 0) {
-	    free(*rr);
+	    dns_free_rr(rr);
 	    return -1;
 	}
 	if (status + 18 > size) {
-	    free(*rr);
+	    dns_free_rr(rr);
 	    return -1;
 	}
 
 	/* the signer name is placed after the sig_data, to make it
-           easy to free this struture; the size calculation below
+           easy to free this structure; the size calculation below
            includes the zero-termination if the structure itself.
 	   don't you just love C?
 	*/
 	sig_len = size - 18 - status;
 	hostlen = strlen(host);
-	(*rr)->u.sig = malloc(sizeof(*(*rr)->u.sig)
+	rr->u.sig = malloc(sizeof(*rr->u.sig)
 			      + hostlen + sig_len);
-	if ((*rr)->u.sig == NULL) {
-	    free(*rr);
+	if (rr->u.sig == NULL) {
+	    dns_free_rr(rr);
 	    return -1;
 	}
-	(*rr)->u.sig->type           = (p[0] << 8) | p[1];
-	(*rr)->u.sig->algorithm      = p[2];
-	(*rr)->u.sig->labels         = p[3];
-	(*rr)->u.sig->orig_ttl       = (p[4] << 24) | (p[5] << 16)
+	rr->u.sig->type           = (p[0] << 8) | p[1];
+	rr->u.sig->algorithm      = p[2];
+	rr->u.sig->labels         = p[3];
+	rr->u.sig->orig_ttl       = (p[4] << 24) | (p[5] << 16)
 	    | (p[6] << 8) | p[7];
-	(*rr)->u.sig->sig_expiration = (p[8] << 24) | (p[9] << 16)
+	rr->u.sig->sig_expiration = (p[8] << 24) | (p[9] << 16)
 	    | (p[10] << 8) | p[11];
-	(*rr)->u.sig->sig_inception  = (p[12] << 24) | (p[13] << 16)
+	rr->u.sig->sig_inception  = (p[12] << 24) | (p[13] << 16)
 	    | (p[14] << 8) | p[15];
-	(*rr)->u.sig->key_tag        = (p[16] << 8) | p[17];
-	(*rr)->u.sig->sig_len        = sig_len;
-	memcpy ((*rr)->u.sig->sig_data, p + 18 + status, sig_len);
-	(*rr)->u.sig->signer         = &(*rr)->u.sig->sig_data[sig_len];
-	strlcpy((*rr)->u.sig->signer, host, hostlen + 1);
+	rr->u.sig->key_tag        = (p[16] << 8) | p[17];
+	rr->u.sig->sig_len        = sig_len;
+	memcpy (rr->u.sig->sig_data, p + 18 + status, sig_len);
+	rr->u.sig->signer         = &rr->u.sig->sig_data[sig_len];
+	strlcpy(rr->u.sig->signer, host, hostlen + 1);
 	break;
     }
 
-    case T_CERT : {
+    case rk_ns_t_cert : {
 	size_t cert_len;
 
 	if (size < 5) {
-	    free(*rr);
+	    dns_free_rr(rr);
 	    return -1;
 	}
 
 	cert_len = size - 5;
-	(*rr)->u.cert = malloc (sizeof(*(*rr)->u.cert) + cert_len - 1);
-	if ((*rr)->u.cert == NULL) {
-	    free(*rr);
+	rr->u.cert = malloc (sizeof(*rr->u.cert) + cert_len - 1);
+	if (rr->u.cert == NULL) {
+	    dns_free_rr(rr);
 	    return -1;
 	}
 
-	(*rr)->u.cert->type      = (p[0] << 8) | p[1];
-	(*rr)->u.cert->tag       = (p[2] << 8) | p[3];
-	(*rr)->u.cert->algorithm = p[4];
-	(*rr)->u.cert->cert_len  = cert_len;
-	memcpy ((*rr)->u.cert->cert_data, p + 5, cert_len);
+	rr->u.cert->type      = (p[0] << 8) | p[1];
+	rr->u.cert->tag       = (p[2] << 8) | p[3];
+	rr->u.cert->algorithm = p[4];
+	rr->u.cert->cert_len  = cert_len;
+	memcpy (rr->u.cert->cert_data, p + 5, cert_len);
+	break;
+    }
+    case rk_ns_t_sshfp : {
+	size_t sshfp_len;
+
+	if (size < 2) {
+	    dns_free_rr(rr);
+	    return -1;
+	}
+
+	sshfp_len = size - 2;
+
+	rr->u.sshfp = malloc (sizeof(*rr->u.sshfp) + sshfp_len - 1);
+	if (rr->u.sshfp == NULL) {
+	    dns_free_rr(rr);
+	    return -1;
+	}
+
+	rr->u.sshfp->algorithm = p[0];
+	rr->u.sshfp->type      = p[1];
+	rr->u.sshfp->sshfp_len  = sshfp_len;
+	memcpy (rr->u.sshfp->sshfp_data, p + 2, sshfp_len);
+	break;
+    }
+    case rk_ns_t_ds: {
+	size_t digest_len;
+
+	if (size < 4) {
+	    dns_free_rr(rr);
+	    return -1;
+	}
+
+	digest_len = size - 4;
+
+	rr->u.ds = malloc (sizeof(*rr->u.ds) + digest_len - 1);
+	if (rr->u.ds == NULL) {
+	    dns_free_rr(rr);
+	    return -1;
+	}
+
+	rr->u.ds->key_tag     = (p[0] << 8) | p[1];
+	rr->u.ds->algorithm   = p[2];
+	rr->u.ds->digest_type = p[3];
+	rr->u.ds->digest_len  = digest_len;
+	memcpy (rr->u.ds->digest_data, p + 4, digest_len);
 	break;
     }
     default:
-	(*rr)->u.data = (unsigned char*)malloc(size);
-	if(size != 0 && (*rr)->u.data == NULL) {
-	    free(*rr);
+	rr->u.data = (unsigned char*)malloc(size);
+	if(size != 0 && rr->u.data == NULL) {
+	    dns_free_rr(rr);
 	    return -1;
 	}
-	memcpy((*rr)->u.data, p, size);
+	if (size)
+	    memcpy(rr->u.data, p, size);
     }
     *pp = p + size;
+    *ret_rr = rr;
+
     return 0;
 }
 
@@ -351,15 +416,33 @@ parse_reply(const unsigned char *data, size_t len)
 	return NULL;
 
     p = data;
-#if 0
-    /* doesn't work on Crays */
-    memcpy(&r->h, p, sizeof(HEADER));
-    p += sizeof(HEADER);
-#else
-    memcpy(&r->h, p, 12); /* XXX this will probably be mostly garbage */
+
+    r->h.id = (p[0] << 8) | p[1];
+    r->h.flags = 0;
+    if (p[2] & 0x01)
+	r->h.flags |= rk_DNS_HEADER_RESPONSE_FLAG;
+    r->h.opcode = (p[2] >> 1) & 0xf;
+    if (p[2] & 0x20)
+	r->h.flags |= rk_DNS_HEADER_AUTHORITIVE_ANSWER;
+    if (p[2] & 0x40)
+	r->h.flags |= rk_DNS_HEADER_TRUNCATED_MESSAGE;
+    if (p[2] & 0x80)
+	r->h.flags |= rk_DNS_HEADER_RECURSION_DESIRED;
+    if (p[3] & 0x01)
+	r->h.flags |= rk_DNS_HEADER_RECURSION_AVAILABLE;
+    if (p[3] & 0x04)
+	r->h.flags |= rk_DNS_HEADER_AUTHORITIVE_ANSWER;
+    if (p[3] & 0x08)
+	r->h.flags |= rk_DNS_HEADER_CHECKING_DISABLED;
+    r->h.response_code = (p[3] >> 4) & 0xf;
+    r->h.qdcount = (p[4] << 8) | p[5];
+    r->h.ancount = (p[6] << 8) | p[7];
+    r->h.nscount = (p[8] << 8) | p[9];
+    r->h.arcount = (p[10] << 8) | p[11];
+
     p += 12;
-#endif
-    if(ntohs(r->h.qdcount) != 1) {
+
+    if(r->h.qdcount != 1) {
 	free(r);
 	return NULL;
     }
@@ -384,21 +467,21 @@ parse_reply(const unsigned char *data, size_t len)
     p += 2;
     
     rr = &r->head;
-    for(i = 0; i < ntohs(r->h.ancount); i++) {
+    for(i = 0; i < r->h.ancount; i++) {
 	if(parse_record(data, end_data, &p, rr) != 0) {
 	    dns_free_data(r);
 	    return NULL;
 	}
 	rr = &(*rr)->next;
     }
-    for(i = 0; i < ntohs(r->h.nscount); i++) {
+    for(i = 0; i < r->h.nscount; i++) {
 	if(parse_record(data, end_data, &p, rr) != 0) {
 	    dns_free_data(r);
 	    return NULL;
 	}
 	rr = &(*rr)->next;
     }
-    for(i = 0; i < ntohs(r->h.arcount); i++) {
+    for(i = 0; i < r->h.arcount; i++) {
 	if(parse_record(data, end_data, &p, rr) != 0) {
 	    dns_free_data(r);
 	    return NULL;
@@ -409,54 +492,87 @@ parse_reply(const unsigned char *data, size_t len)
     return r;
 }
 
+#ifdef HAVE_RES_NSEARCH
+#ifdef HAVE_RES_NDESTROY
+#define rk_res_free(x) res_ndestroy(x)
+#else
+#define rk_res_free(x) res_nclose(x)
+#endif
+#endif
+
 static struct dns_reply *
 dns_lookup_int(const char *domain, int rr_class, int rr_type)
 {
-    unsigned char reply[1024];
+    struct dns_reply *r;
+    unsigned char *reply = NULL;
+    int size;
     int len;
 #ifdef HAVE_RES_NSEARCH
-    struct __res_state stat;
-    memset(&stat, 0, sizeof(stat));
-    if(res_ninit(&stat))
+    struct __res_state state;
+    memset(&state, 0, sizeof(state));
+    if(res_ninit(&state))
 	return NULL; /* is this the best we can do? */
 #elif defined(HAVE__RES)
     u_long old_options = 0;
 #endif
     
-    if (_resolve_debug) {
+    size = 0;
+    len = 1000;
+    do {
+	if (reply) {
+	    free(reply);
+	    reply = NULL;
+	}
+	if (size <= len)
+	    size = len;
+	if (_resolve_debug) {
 #ifdef HAVE_RES_NSEARCH
-	stat.options |= RES_DEBUG;
+	    state.options |= RES_DEBUG;
 #elif defined(HAVE__RES)
-        old_options = _res.options;
-	_res.options |= RES_DEBUG;
+	    old_options = _res.options;
+	    _res.options |= RES_DEBUG;
 #endif
-	fprintf(stderr, "dns_lookup(%s, %d, %s)\n", domain,
-		rr_class, dns_type_to_string(rr_type));
-    }
+	    fprintf(stderr, "dns_lookup(%s, %d, %s), buffer size %d\n", domain,
+		    rr_class, dns_type_to_string(rr_type), size);
+	}
+	reply = malloc(size);
+	if (reply == NULL) {
+#ifdef HAVE_RES_NSEARCH
+	    rk_res_free(&state);
+#endif
+	    return NULL;
+	}
 #ifdef HAVE_RES_NSEARCH
-    len = res_nsearch(&stat, domain, rr_class, rr_type, reply, sizeof(reply));
+	len = res_nsearch(&state, domain, rr_class, rr_type, reply, size);
 #else
-    len = res_search(domain, rr_class, rr_type, reply, sizeof(reply));
+	len = res_search(domain, rr_class, rr_type, reply, size);
 #endif
-    if (_resolve_debug) {
+	if (_resolve_debug) {
 #if defined(HAVE__RES) && !defined(HAVE_RES_NSEARCH)
-        _res.options = old_options;
+	    _res.options = old_options;
 #endif
-	fprintf(stderr, "dns_lookup(%s, %d, %s) --> %d\n",
-		domain, rr_class, dns_type_to_string(rr_type), len);
-    }
+	    fprintf(stderr, "dns_lookup(%s, %d, %s) --> %d\n",
+		    domain, rr_class, dns_type_to_string(rr_type), len);
+	}
+	if (len < 0) {
 #ifdef HAVE_RES_NSEARCH
-    res_nclose(&stat);
-#endif    
-    if(len < 0) {
-	return NULL;
-    } else {
-	len = min(len, sizeof(reply));
-	return parse_reply(reply, len);
-    }
+	    rk_res_free(&state);
+#endif
+	    free(reply);
+	    return NULL;
+	}
+    } while (size < len && len < rk_DNS_MAX_PACKET_SIZE);
+#ifdef HAVE_RES_NSEARCH
+    rk_res_free(&state);
+#endif
+
+    len = min(len, size);
+    r = parse_reply(reply, len);
+    free(reply);
+    return r;
 }
 
-struct dns_reply *
+struct dns_reply * ROKEN_LIB_FUNCTION
 dns_lookup(const char *domain, const char *type_name)
 {
     int type;
@@ -486,7 +602,7 @@ compare_srv(const void *a, const void *b)
 #endif
 
 /* try to rearrange the srv-records by the algorithm in RFC2782 */
-void
+void ROKEN_LIB_FUNCTION
 dns_srv_order(struct dns_reply *r)
 {
     struct resource_record **srvs, **ss, **headp;
@@ -499,7 +615,7 @@ dns_srv_order(struct dns_reply *r)
 #endif
 
     for(rr = r->head; rr; rr = rr->next) 
-	if(rr->type == T_SRV)
+	if(rr->type == rk_ns_t_srv)
 	    num_srv++;
 
     if(num_srv == 0)
@@ -512,7 +628,7 @@ dns_srv_order(struct dns_reply *r)
     /* unlink all srv-records from the linked list and put them in
        a vector */
     for(ss = srvs, headp = &r->head; *headp; )
-	if((*headp)->type == T_SRV) {
+	if((*headp)->type == rk_ns_t_srv) {
 	    *ss = *headp;
 	    *headp = (*headp)->next;
 	    (*ss)->next = NULL;
@@ -535,8 +651,7 @@ dns_srv_order(struct dns_reply *r)
 	/* find the last record with the same priority and count the
            sum of all weights */
 	for(sum = 0, tt = ss; tt < srvs + num_srv; tt++) {
-	    if(*tt == NULL)
-		continue;
+	    assert(*tt != NULL);
 	    if((*tt)->u.srv->priority != (*ss)->u.srv->priority)
 		break;
 	    sum += (*tt)->u.srv->weight;
@@ -577,88 +692,20 @@ dns_srv_order(struct dns_reply *r)
 
 #else /* NOT defined(HAVE_RES_SEARCH) && defined(HAVE_DN_EXPAND) */
 
-struct dns_reply *
+struct dns_reply * ROKEN_LIB_FUNCTION
 dns_lookup(const char *domain, const char *type_name)
 {
     return NULL;
 }
 
-void
+void ROKEN_LIB_FUNCTION
 dns_free_data(struct dns_reply *r)
 {
 }
 
-void
+void ROKEN_LIB_FUNCTION
 dns_srv_order(struct dns_reply *r)
 {
 }
 
 #endif
-
-#ifdef TEST
-int 
-main(int argc, char **argv)
-{
-    struct dns_reply *r;
-    struct resource_record *rr;
-    r = dns_lookup(argv[1], argv[2]);
-    if(r == NULL){
-	printf("No reply.\n");
-	return 1;
-    }
-    if(r->q.type == T_SRV)
-	dns_srv_order(r);
-
-    for(rr = r->head; rr;rr=rr->next){
-	printf("%-30s %-5s %-6d ", rr->domain, dns_type_to_string(rr->type), rr->ttl);
-	switch(rr->type){
-	case T_NS:
-	case T_CNAME:
-	case T_PTR:
-	    printf("%s\n", (char*)rr->u.data);
-	    break;
-	case T_A:
-	    printf("%s\n", inet_ntoa(*rr->u.a));
-	    break;
-	case T_MX:
-	case T_AFSDB:{
-	    printf("%d %s\n", rr->u.mx->preference, rr->u.mx->domain);
-	    break;
-	}
-	case T_SRV:{
-	    struct srv_record *srv = rr->u.srv;
-	    printf("%d %d %d %s\n", srv->priority, srv->weight, 
-		   srv->port, srv->target);
-	    break;
-	}
-	case T_TXT: {
-	    printf("%s\n", rr->u.txt);
-	    break;
-	}
-	case T_SIG : {
-	    struct sig_record *sig = rr->u.sig;
-	    const char *type_string = dns_type_to_string (sig->type);
-
-	    printf ("type %u (%s), algorithm %u, labels %u, orig_ttl %u, sig_expiration %u, sig_inception %u, key_tag %u, signer %s\n",
-		    sig->type, type_string ? type_string : "",
-		    sig->algorithm, sig->labels, sig->orig_ttl,
-		    sig->sig_expiration, sig->sig_inception, sig->key_tag,
-		    sig->signer);
-	    break;
-	}
-	case T_KEY : {
-	    struct key_record *key = rr->u.key;
-
-	    printf ("flags %u, protocol %u, algorithm %u\n",
-		    key->flags, key->protocol, key->algorithm);
-	    break;
-	}
-	default:
-	    printf("\n");
-	    break;
-	}
-    }
-    
-    return 0;
-}
-#endif
diff --git a/crypto/heimdal/lib/roken/resolve.h b/crypto/heimdal/lib/roken/resolve.h
index cb25b7a..fe83115 100644
--- a/crypto/heimdal/lib/roken/resolve.h
+++ b/crypto/heimdal/lib/roken/resolve.h
@@ -31,13 +31,100 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: resolve.h,v 1.15 2002/08/26 13:30:16 assar Exp $ */
+/* $Id: resolve.h 14773 2005-04-12 11:29:18Z lha $ */
 
 #ifndef __RESOLVE_H__
 #define __RESOLVE_H__
 
+#ifndef ROKEN_LIB_FUNCTION
+#ifdef _WIN32
+#define ROKEN_LIB_FUNCTION _stdcall
+#else
+#define ROKEN_LIB_FUNCTION
+#endif
+#endif
+
+typedef enum {
+	rk_ns_t_invalid = 0,	/* Cookie. */
+	rk_ns_t_a = 1,		/* Host address. */
+	rk_ns_t_ns = 2,		/* Authoritative server. */
+	rk_ns_t_md = 3,		/* Mail destination. */
+	rk_ns_t_mf = 4,		/* Mail forwarder. */
+	rk_ns_t_cname = 5,	/* Canonical name. */
+	rk_ns_t_soa = 6,	/* Start of authority zone. */
+	rk_ns_t_mb = 7,		/* Mailbox domain name. */
+	rk_ns_t_mg = 8,		/* Mail group member. */
+	rk_ns_t_mr = 9,		/* Mail rename name. */
+	rk_ns_t_null = 10,	/* Null resource record. */
+	rk_ns_t_wks = 11,	/* Well known service. */
+	rk_ns_t_ptr = 12,	/* Domain name pointer. */
+	rk_ns_t_hinfo = 13,	/* Host information. */
+	rk_ns_t_minfo = 14,	/* Mailbox information. */
+	rk_ns_t_mx = 15,	/* Mail routing information. */
+	rk_ns_t_txt = 16,	/* Text strings. */
+	rk_ns_t_rp = 17,	/* Responsible person. */
+	rk_ns_t_afsdb = 18,	/* AFS cell database. */
+	rk_ns_t_x25 = 19,	/* X_25 calling address. */
+	rk_ns_t_isdn = 20,	/* ISDN calling address. */
+	rk_ns_t_rt = 21,	/* Router. */
+	rk_ns_t_nsap = 22,	/* NSAP address. */
+	rk_ns_t_nsap_ptr = 23,	/* Reverse NSAP lookup (deprecated). */
+	rk_ns_t_sig = 24,	/* Security signature. */
+	rk_ns_t_key = 25,	/* Security key. */
+	rk_ns_t_px = 26,	/* X.400 mail mapping. */
+	rk_ns_t_gpos = 27,	/* Geographical position (withdrawn). */
+	rk_ns_t_aaaa = 28,	/* Ip6 Address. */
+	rk_ns_t_loc = 29,	/* Location Information. */
+	rk_ns_t_nxt = 30,	/* Next domain (security). */
+	rk_ns_t_eid = 31,	/* Endpoint identifier. */
+	rk_ns_t_nimloc = 32,	/* Nimrod Locator. */
+	rk_ns_t_srv = 33,	/* Server Selection. */
+	rk_ns_t_atma = 34,	/* ATM Address */
+	rk_ns_t_naptr = 35,	/* Naming Authority PoinTeR */
+	rk_ns_t_kx = 36,	/* Key Exchange */
+	rk_ns_t_cert = 37,	/* Certification record */
+	rk_ns_t_a6 = 38,	/* IPv6 address (deprecates AAAA) */
+	rk_ns_t_dname = 39,	/* Non-terminal DNAME (for IPv6) */
+	rk_ns_t_sink = 40,	/* Kitchen sink (experimentatl) */
+	rk_ns_t_opt = 41,	/* EDNS0 option (meta-RR) */
+	rk_ns_t_apl = 42,	/* Address prefix list (RFC 3123) */
+	rk_ns_t_ds = 43,	/* Delegation Signer (RFC 3658) */
+	rk_ns_t_sshfp = 44,	/* SSH fingerprint */
+	rk_ns_t_tkey = 249,	/* Transaction key */
+	rk_ns_t_tsig = 250,	/* Transaction signature. */
+	rk_ns_t_ixfr = 251,	/* Incremental zone transfer. */
+	rk_ns_t_axfr = 252,	/* Transfer zone of authority. */
+	rk_ns_t_mailb = 253,	/* Transfer mailbox records. */
+	rk_ns_t_maila = 254,	/* Transfer mail agent records. */
+	rk_ns_t_any = 255,	/* Wildcard match. */
+	rk_ns_t_zxfr = 256,	/* BIND-specific, nonstandard. */
+	rk_ns_t_max = 65536
+} rk_ns_type;
+
 /* We use these, but they are not always present in <arpa/nameser.h> */
 
+#ifndef C_IN
+#define C_IN		1
+#endif
+
+#ifndef T_A
+#define T_A		1
+#endif
+#ifndef T_NS
+#define T_NS		2
+#endif
+#ifndef T_CNAME
+#define T_CNAME		5
+#endif
+#ifndef T_SOA
+#define T_SOA		5
+#endif
+#ifndef T_PTR
+#define T_PTR		12
+#endif
+#ifndef T_MX
+#define T_MX		15
+#endif
 #ifndef T_TXT
 #define T_TXT		16
 #endif
@@ -62,6 +149,13 @@
 #ifndef T_CERT
 #define T_CERT		37
 #endif
+#ifndef T_SSHFP
+#define T_SSHFP		44
+#endif
+
+#ifndef MAXDNAME
+#define MAXDNAME	1025
+#endif
 
 #define dns_query		rk_dns_query
 #define mx_record		rk_mx_record
@@ -69,6 +163,7 @@
 #define key_record		rk_key_record
 #define sig_record		rk_sig_record
 #define cert_record		rk_cert_record
+#define sshfp_record		rk_sshfp_record
 #define resource_record		rk_resource_record
 #define dns_reply		rk_dns_reply
 
@@ -125,6 +220,21 @@ struct cert_record {
     u_char   cert_data[1];
 };
 
+struct sshfp_record {
+    unsigned algorithm;
+    unsigned type;
+    size_t   sshfp_len;
+    u_char   sshfp_data[1];
+};
+
+struct ds_record {
+    unsigned key_tag;
+    unsigned algorithm;
+    unsigned digest_type;
+    unsigned digest_len;
+    u_char digest_data[1];
+};
+
 struct resource_record{
     char *domain;
     unsigned type;
@@ -141,25 +251,48 @@ struct resource_record{
 	struct key_record *key;
 	struct cert_record *cert;
 	struct sig_record *sig;
+	struct sshfp_record *sshfp;
+	struct ds_record *ds;
     }u;
     struct resource_record *next;
 };
 
-#ifndef T_A /* XXX if <arpa/nameser.h> isn't included */
-typedef int HEADER; /* will never be used */
-#endif
+#define rk_DNS_MAX_PACKET_SIZE		0xffff
+
+struct dns_header {
+    unsigned id;
+    unsigned flags;
+#define rk_DNS_HEADER_RESPONSE_FLAG		1
+#define rk_DNS_HEADER_AUTHORITIVE_ANSWER	2
+#define rk_DNS_HEADER_TRUNCATED_MESSAGE		4
+#define rk_DNS_HEADER_RECURSION_DESIRED		8
+#define rk_DNS_HEADER_RECURSION_AVAILABLE	16
+#define rk_DNS_HEADER_AUTHENTIC_DATA		32
+#define rk_DNS_HEADER_CHECKING_DISABLED		64
+    unsigned opcode;
+    unsigned response_code;
+    unsigned qdcount;
+    unsigned ancount;
+    unsigned nscount;
+    unsigned arcount;
+};
 
 struct dns_reply{
-    HEADER h;
+    struct dns_header h;
     struct dns_query q;
     struct resource_record *head;
 };
 
 
-struct dns_reply* dns_lookup(const char *, const char *);
-void dns_free_data(struct dns_reply *);
-int dns_string_to_type(const char *name);
-const char *dns_type_to_string(int type);
-void dns_srv_order(struct dns_reply*);
+struct dns_reply* ROKEN_LIB_FUNCTION
+	dns_lookup(const char *, const char *);
+void ROKEN_LIB_FUNCTION
+	dns_free_data(struct dns_reply *);
+int ROKEN_LIB_FUNCTION
+	dns_string_to_type(const char *name);
+const char *ROKEN_LIB_FUNCTION
+	dns_type_to_string(int type);
+void ROKEN_LIB_FUNCTION
+	dns_srv_order(struct dns_reply*);
 
 #endif /* __RESOLVE_H__ */
diff --git a/crypto/heimdal/lib/roken/roken-common.h b/crypto/heimdal/lib/roken/roken-common.h
index 6f6d6cc..b835e88 100644
--- a/crypto/heimdal/lib/roken/roken-common.h
+++ b/crypto/heimdal/lib/roken/roken-common.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -31,11 +31,19 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: roken-common.h,v 1.51.6.1 2004/01/15 18:15:05 lha Exp $ */
+/* $Id: roken-common.h 20867 2007-06-03 21:00:45Z lha $ */
 
 #ifndef __ROKEN_COMMON_H__
 #define __ROKEN_COMMON_H__
 
+#ifndef ROKEN_LIB_FUNCTION
+#ifdef _WIN32
+#define ROKEN_LIB_FUNCTION _stdcall
+#else
+#define ROKEN_LIB_FUNCTION
+#endif
+#endif
+
 #ifdef __cplusplus
 #define ROKEN_CPP_START	extern "C" {
 #define ROKEN_CPP_END	}
@@ -259,80 +267,139 @@ SigAction signal(int iSig, SigAction pAction); /* BSD compatible */
 #endif
 #endif
 
-int ROKEN_LIB_FUNCTION simple_execve(const char*, char*const[], char*const[]);
-int ROKEN_LIB_FUNCTION simple_execvp(const char*, char *const[]);
-int ROKEN_LIB_FUNCTION simple_execlp(const char*, ...);
-int ROKEN_LIB_FUNCTION simple_execle(const char*, ...);
-int ROKEN_LIB_FUNCTION simple_execl(const char *file, ...);
+int ROKEN_LIB_FUNCTION
+simple_execve(const char*, char*const[], char*const[]);
+
+int ROKEN_LIB_FUNCTION
+simple_execve_timed(const char *, char *const[], 
+		    char *const [], time_t (*)(void *), 
+		    void *, time_t);
+int ROKEN_LIB_FUNCTION
+simple_execvp(const char*, char *const[]);
+
+int ROKEN_LIB_FUNCTION
+simple_execvp_timed(const char *, char *const[], 
+		    time_t (*)(void *), void *, time_t);
+int ROKEN_LIB_FUNCTION
+simple_execlp(const char*, ...);
 
-int ROKEN_LIB_FUNCTION wait_for_process(pid_t);
-int ROKEN_LIB_FUNCTION pipe_execv(FILE**, FILE**, FILE**, const char*, ...);
+int ROKEN_LIB_FUNCTION
+simple_execle(const char*, ...);
 
-void ROKEN_LIB_FUNCTION print_version(const char *);
+int ROKEN_LIB_FUNCTION
+simple_execl(const char *file, ...);
 
-ssize_t ROKEN_LIB_FUNCTION eread (int fd, void *buf, size_t nbytes);
-ssize_t ROKEN_LIB_FUNCTION ewrite (int fd, const void *buf, size_t nbytes);
+int ROKEN_LIB_FUNCTION
+wait_for_process(pid_t);
+
+int ROKEN_LIB_FUNCTION
+wait_for_process_timed(pid_t, time_t (*)(void *), 
+					      void *, time_t);
+int ROKEN_LIB_FUNCTION
+pipe_execv(FILE**, FILE**, FILE**, const char*, ...);
+
+void ROKEN_LIB_FUNCTION
+print_version(const char *);
+
+ssize_t ROKEN_LIB_FUNCTION
+eread (int fd, void *buf, size_t nbytes);
+
+ssize_t ROKEN_LIB_FUNCTION
+ewrite (int fd, const void *buf, size_t nbytes);
 
 struct hostent;
 
-const char *
-hostent_find_fqdn (const struct hostent *he);
+const char * ROKEN_LIB_FUNCTION
+hostent_find_fqdn (const struct hostent *);
+
+void ROKEN_LIB_FUNCTION
+esetenv(const char *, const char *, int);
 
-void
-esetenv(const char *var, const char *val, int rewrite);
+void ROKEN_LIB_FUNCTION
+socket_set_address_and_port (struct sockaddr *, const void *, int);
 
-void
-socket_set_address_and_port (struct sockaddr *sa, const void *ptr, int port);
+size_t ROKEN_LIB_FUNCTION
+socket_addr_size (const struct sockaddr *);
 
-size_t
-socket_addr_size (const struct sockaddr *sa);
+void ROKEN_LIB_FUNCTION
+socket_set_any (struct sockaddr *, int);
 
-void
-socket_set_any (struct sockaddr *sa, int af);
+size_t ROKEN_LIB_FUNCTION
+socket_sockaddr_size (const struct sockaddr *);
 
-size_t
-socket_sockaddr_size (const struct sockaddr *sa);
+void * ROKEN_LIB_FUNCTION
+socket_get_address (struct sockaddr *);
 
-void *
-socket_get_address (struct sockaddr *sa);
+int ROKEN_LIB_FUNCTION
+socket_get_port (const struct sockaddr *);
 
-int
-socket_get_port (const struct sockaddr *sa);
+void ROKEN_LIB_FUNCTION
+socket_set_port (struct sockaddr *, int);
 
-void
-socket_set_port (struct sockaddr *sa, int port);
+void ROKEN_LIB_FUNCTION
+socket_set_portrange (int, int, int);
 
-void
-socket_set_portrange (int sock, int restr, int af);
+void ROKEN_LIB_FUNCTION
+socket_set_debug (int);
 
-void
-socket_set_debug (int sock);
+void ROKEN_LIB_FUNCTION
+socket_set_tos (int, int);
 
-void
-socket_set_tos (int sock, int tos);
+void ROKEN_LIB_FUNCTION
+socket_set_reuseaddr (int, int);
 
-void
-socket_set_reuseaddr (int sock, int val);
+void ROKEN_LIB_FUNCTION
+socket_set_ipv6only (int, int);
 
-char **
+char ** ROKEN_LIB_FUNCTION
 vstrcollect(va_list *ap);
 
-char **
+char ** ROKEN_LIB_FUNCTION
 strcollect(char *first, ...);
 
-void timevalfix(struct timeval *t1);
-void timevaladd(struct timeval *t1, const struct timeval *t2);
-void timevalsub(struct timeval *t1, const struct timeval *t2);
+void ROKEN_LIB_FUNCTION
+timevalfix(struct timeval *t1);
 
-char *pid_file_write (const char *progname);
-void pid_file_delete (char **);
+void ROKEN_LIB_FUNCTION
+timevaladd(struct timeval *t1, const struct timeval *t2);
 
-int
+void ROKEN_LIB_FUNCTION
+timevalsub(struct timeval *t1, const struct timeval *t2);
+
+char *ROKEN_LIB_FUNCTION
+pid_file_write (const char *progname);
+
+void ROKEN_LIB_FUNCTION
+pid_file_delete (char **);
+
+int ROKEN_LIB_FUNCTION
 read_environment(const char *file, char ***env);
 
-void warnerr(int doerrno, const char *fmt, va_list ap)
+void ROKEN_LIB_FUNCTION
+free_environment(char **);
+
+void ROKEN_LIB_FUNCTION
+warnerr(int doerrno, const char *fmt, va_list ap)
     __attribute__ ((format (printf, 2, 0)));
 
+void * ROKEN_LIB_FUNCTION
+rk_realloc(void *, size_t);
+
+struct rk_strpool;
+
+char * ROKEN_LIB_FUNCTION
+rk_strpoolcollect(struct rk_strpool *);
+
+struct rk_strpool * ROKEN_LIB_FUNCTION
+rk_strpoolprintf(struct rk_strpool *, const char *, ...)
+    __attribute__ ((format (printf, 2, 3)));
+
+void ROKEN_LIB_FUNCTION
+rk_strpoolfree(struct rk_strpool *);
+
+void ROKEN_LIB_FUNCTION
+rk_dumpdata (const char *, const void *, size_t);
+
 ROKEN_CPP_END
 
 #endif /* __ROKEN_COMMON_H__ */
diff --git a/crypto/heimdal/lib/roken/roken.awk b/crypto/heimdal/lib/roken/roken.awk
index 1c1e0c0..e0c19d7 100644
--- a/crypto/heimdal/lib/roken/roken.awk
+++ b/crypto/heimdal/lib/roken/roken.awk
@@ -1,4 +1,4 @@
-# $Id: roken.awk,v 1.9 2003/03/04 10:37:26 lha Exp $
+# $Id: roken.awk 15409 2005-06-16 16:29:58Z lha $
 
 BEGIN {
 	print "#ifdef HAVE_CONFIG_H"
@@ -15,7 +15,7 @@ BEGIN {
 	print "puts(\"\");"
 }
 
-$1 == "\#ifdef" || $1 == "\#ifndef" || $1 == "\#if" || $1 == "\#else" || $1 == "\#elif" || $1 == "\#endif" || $1 == "#ifdef" || $1 == "#ifndef" || $1 == "#if" || $1 == "#else" || $1 == "#elif" || $1 == "#endif" {
+$1 == "#ifdef" || $1 == "#ifndef" || $1 == "#if" || $1 == "#else" || $1 == "#elif" || $1 == "#endif" {
 	print $0;
 	next
 }
diff --git a/crypto/heimdal/lib/roken/roken.h.in b/crypto/heimdal/lib/roken/roken.h.in
index 16fc6d8..cf2ee9e 100644
--- a/crypto/heimdal/lib/roken/roken.h.in
+++ b/crypto/heimdal/lib/roken/roken.h.in
@@ -1,6 +1,6 @@
 /* -*- C -*- */
 /*
- * Copyright (c) 1995 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995-2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -32,11 +32,14 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: roken.h.in,v 1.169 2002/08/26 21:43:38 assar Exp $ */
+/* $Id: roken.h.in 18612 2006-10-19 16:35:16Z lha $ */
 
 #include <stdio.h>
 #include <stdlib.h>
 #include <stdarg.h>
+#ifdef HAVE_STDINT_H
+#include <stdint.h>
+#endif
 #include <string.h>
 #include <signal.h>
 
@@ -107,9 +110,7 @@ struct sockaddr_dl;
 #ifdef HAVE_ERRNO_H
 #include <errno.h>
 #endif
-#ifdef HAVE_ERR_H
 #include <err.h>
-#endif
 #ifdef HAVE_TERMIOS_H
 #include <termios.h>
 #endif
@@ -124,22 +125,14 @@ struct sockaddr_dl;
 #else
 #include <time.h>
 #endif
+#ifdef HAVE_STRINGS_H
+#include <strings.h>
+#endif
 
 #ifdef HAVE_PATHS_H
 #include <paths.h>
 #endif
 
-
-#ifndef ROKEN_LIB_FUNCTION
-#if defined(__BORLANDC__)
-#define ROKEN_LIB_FUNCTION /* not-ready-definition-yet */
-#elif defined(_MSC_VER)
-#define ROKEN_LIB_FUNCTION /* not-ready-definition-yet2 */
-#else
-#define ROKEN_LIB_FUNCTION
-#endif
-#endif
-
 #ifndef HAVE_SSIZE_T
 typedef int ssize_t;
 #endif
@@ -148,235 +141,248 @@ typedef int ssize_t;
 
 ROKEN_CPP_START
 
+#ifdef HAVE_UINTPTR_T
+#define rk_UNCONST(x) ((void *)(uintptr_t)(const void *)(x))
+#else
+#define rk_UNCONST(x) ((void *)(unsigned long)(const void *)(x))
+#endif
+
 #if !defined(HAVE_SETSID) && defined(HAVE__SETSID)
 #define setsid _setsid
 #endif
 
 #ifndef HAVE_PUTENV
-int putenv(const char *string);
+int ROKEN_LIB_FUNCTION putenv(const char *);
 #endif
 
 #if !defined(HAVE_SETENV) || defined(NEED_SETENV_PROTO)
-int setenv(const char *var, const char *val, int rewrite);
+int ROKEN_LIB_FUNCTION setenv(const char *, const char *, int);
 #endif
 
 #if !defined(HAVE_UNSETENV) || defined(NEED_UNSETENV_PROTO)
-void unsetenv(const char *name);
+void ROKEN_LIB_FUNCTION unsetenv(const char *);
 #endif
 
 #if !defined(HAVE_GETUSERSHELL) || defined(NEED_GETUSERSHELL_PROTO)
-char *getusershell(void);
-void endusershell(void);
+char * ROKEN_LIB_FUNCTION getusershell(void);
+void ROKEN_LIB_FUNCTION endusershell(void);
 #endif
 
 #if !defined(HAVE_SNPRINTF) || defined(NEED_SNPRINTF_PROTO)
-int snprintf (char *str, size_t sz, const char *format, ...)
+int ROKEN_LIB_FUNCTION snprintf (char *, size_t, const char *, ...)
      __attribute__ ((format (printf, 3, 4)));
 #endif
 
 #if !defined(HAVE_VSNPRINTF) || defined(NEED_VSNPRINTF_PROTO)
-int vsnprintf (char *str, size_t sz, const char *format, va_list ap)
+int ROKEN_LIB_FUNCTION 
+     vsnprintf (char *, size_t, const char *, va_list)
      __attribute__((format (printf, 3, 0)));
 #endif
 
 #if !defined(HAVE_ASPRINTF) || defined(NEED_ASPRINTF_PROTO)
-int asprintf (char **ret, const char *format, ...)
+int ROKEN_LIB_FUNCTION
+     asprintf (char **, const char *, ...)
      __attribute__ ((format (printf, 2, 3)));
 #endif
 
 #if !defined(HAVE_VASPRINTF) || defined(NEED_VASPRINTF_PROTO)
-int vasprintf (char **ret, const char *format, va_list ap)
+int ROKEN_LIB_FUNCTION
+    vasprintf (char **, const char *, va_list)
      __attribute__((format (printf, 2, 0)));
 #endif
 
 #if !defined(HAVE_ASNPRINTF) || defined(NEED_ASNPRINTF_PROTO)
-int asnprintf (char **ret, size_t max_sz, const char *format, ...)
+int ROKEN_LIB_FUNCTION
+    asnprintf (char **, size_t, const char *, ...)
      __attribute__ ((format (printf, 3, 4)));
 #endif
 
 #if !defined(HAVE_VASNPRINTF) || defined(NEED_VASNPRINTF_PROTO)
-int vasnprintf (char **ret, size_t max_sz, const char *format, va_list ap)
+int ROKEN_LIB_FUNCTION
+    vasnprintf (char **, size_t, const char *, va_list)
      __attribute__((format (printf, 3, 0)));
 #endif
 
 #ifndef HAVE_STRDUP
-char * strdup(const char *old);
+char * ROKEN_LIB_FUNCTION strdup(const char *);
 #endif
 
 #if !defined(HAVE_STRNDUP) || defined(NEED_STRNDUP_PROTO)
-char * strndup(const char *old, size_t sz);
+char * ROKEN_LIB_FUNCTION strndup(const char *, size_t);
 #endif
 
 #ifndef HAVE_STRLWR
-char * strlwr(char *);
+char * ROKEN_LIB_FUNCTION strlwr(char *);
 #endif
 
 #ifndef HAVE_STRNLEN
-size_t strnlen(const char*, size_t);
+size_t ROKEN_LIB_FUNCTION strnlen(const char*, size_t);
 #endif
 
 #if !defined(HAVE_STRSEP) || defined(NEED_STRSEP_PROTO)
-char *strsep(char**, const char*);
+char * ROKEN_LIB_FUNCTION strsep(char**, const char*);
 #endif
 
 #if !defined(HAVE_STRSEP_COPY) || defined(NEED_STRSEP_COPY_PROTO)
-ssize_t strsep_copy(const char**, const char*, char*, size_t);
+ssize_t ROKEN_LIB_FUNCTION strsep_copy(const char**, const char*, char*, size_t);
 #endif
 
 #ifndef HAVE_STRCASECMP
-int strcasecmp(const char *s1, const char *s2);
+int ROKEN_LIB_FUNCTION strcasecmp(const char *, const char *);
 #endif
 
 #ifdef NEED_FCLOSE_PROTO
-int fclose(FILE *);
+int ROKEN_LIB_FUNCTION fclose(FILE *);
 #endif
 
 #ifdef NEED_STRTOK_R_PROTO
-char *strtok_r(char *s1, const char *s2, char **lasts);
+char * ROKEN_LIB_FUNCTION strtok_r(char *, const char *, char **);
 #endif
 
 #ifndef HAVE_STRUPR
-char * strupr(char *);
+char * ROKEN_LIB_FUNCTION strupr(char *);
 #endif
 
 #ifndef HAVE_STRLCPY
-size_t strlcpy (char *dst, const char *src, size_t dst_sz);
+size_t ROKEN_LIB_FUNCTION strlcpy (char *, const char *, size_t);
 #endif
 
 #ifndef HAVE_STRLCAT
-size_t strlcat (char *dst, const char *src, size_t dst_sz);
+size_t ROKEN_LIB_FUNCTION strlcat (char *, const char *, size_t);
 #endif
 
 #ifndef HAVE_GETDTABLESIZE
-int getdtablesize(void);
+int ROKEN_LIB_FUNCTION getdtablesize(void);
 #endif
 
 #if !defined(HAVE_STRERROR) && !defined(strerror)
-char *strerror(int eno);
+char * ROKEN_LIB_FUNCTION strerror(int);
 #endif
 
 #if !defined(HAVE_HSTRERROR) || defined(NEED_HSTRERROR_PROTO)
 /* This causes a fatal error under Psoriasis */
 #if !(defined(SunOS) && (SunOS >= 50))
-const char *hstrerror(int herr);
+const char * ROKEN_LIB_FUNCTION hstrerror(int);
 #endif
 #endif
 
-#ifndef HAVE_H_ERRNO_DECLARATION
+#if !HAVE_DECL_H_ERRNO
 extern int h_errno;
 #endif
 
 #if !defined(HAVE_INET_ATON) || defined(NEED_INET_ATON_PROTO)
-int inet_aton(const char *cp, struct in_addr *adr);
+int ROKEN_LIB_FUNCTION inet_aton(const char *, struct in_addr *);
 #endif
 
 #ifndef HAVE_INET_NTOP
-const char *
+const char * ROKEN_LIB_FUNCTION
 inet_ntop(int af, const void *src, char *dst, size_t size);
 #endif
 
 #ifndef HAVE_INET_PTON
-int
-inet_pton(int af, const char *src, void *dst);
+int ROKEN_LIB_FUNCTION
+inet_pton(int, const char *, void *);
 #endif
 
 #if !defined(HAVE_GETCWD)
-char* getcwd(char *path, size_t size);
+char* ROKEN_LIB_FUNCTION getcwd(char *, size_t);
 #endif
 
 #ifdef HAVE_PWD_H
 #include <pwd.h>
-struct passwd *k_getpwnam (const char *user);
-struct passwd *k_getpwuid (uid_t uid);
+struct passwd * ROKEN_LIB_FUNCTION k_getpwnam (const char *);
+struct passwd * ROKEN_LIB_FUNCTION k_getpwuid (uid_t);
 #endif
 
-const char *get_default_username (void);
+const char * ROKEN_LIB_FUNCTION get_default_username (void);
 
 #ifndef HAVE_SETEUID
-int seteuid(uid_t euid);
+int ROKEN_LIB_FUNCTION seteuid(uid_t);
 #endif
 
 #ifndef HAVE_SETEGID
-int setegid(gid_t egid);
+int ROKEN_LIB_FUNCTION setegid(gid_t);
 #endif
 
 #ifndef HAVE_LSTAT
-int lstat(const char *path, struct stat *buf);
+int ROKEN_LIB_FUNCTION lstat(const char *, struct stat *);
 #endif
 
 #if !defined(HAVE_MKSTEMP) || defined(NEED_MKSTEMP_PROTO)
-int mkstemp(char *);
+int ROKEN_LIB_FUNCTION mkstemp(char *);
 #endif
 
 #ifndef HAVE_CGETENT
-int cgetent(char **buf, char **db_array, const char *name);
-int cgetstr(char *buf, const char *cap, char **str);
+int ROKEN_LIB_FUNCTION cgetent(char **, char **, const char *);
+int ROKEN_LIB_FUNCTION cgetstr(char *, const char *, char **);
 #endif
 
 #ifndef HAVE_INITGROUPS
-int initgroups(const char *name, gid_t basegid);
+int ROKEN_LIB_FUNCTION initgroups(const char *, gid_t);
 #endif
 
 #ifndef HAVE_FCHOWN
-int fchown(int fd, uid_t owner, gid_t group);
+int ROKEN_LIB_FUNCTION fchown(int, uid_t, gid_t);
 #endif
 
-#ifndef HAVE_DAEMON
-int daemon(int nochdir, int noclose);
+#if !defined(HAVE_DAEMON) || defined(NEED_DAEMON_PROTO)
+int ROKEN_LIB_FUNCTION daemon(int, int);
 #endif
 
 #ifndef HAVE_INNETGR
-int innetgr(const char *netgroup, const char *machine, 
-	    const char *user, const char *domain);
+int ROKEN_LIB_FUNCTION innetgr(const char *, const char *, 
+	    const char *, const char *);
 #endif
 
 #ifndef HAVE_CHOWN
-int chown(const char *path, uid_t owner, gid_t group);
+int ROKEN_LIB_FUNCTION chown(const char *, uid_t, gid_t);
 #endif
 
 #ifndef HAVE_RCMD
-int rcmd(char **ahost, unsigned short inport, const char *locuser,
-	 const char *remuser, const char *cmd, int *fd2p);
+int ROKEN_LIB_FUNCTION
+    rcmd(char **, unsigned short, const char *,
+	 const char *, const char *, int *);
 #endif
 
 #if !defined(HAVE_INNETGR) || defined(NEED_INNETGR_PROTO)
-int innetgr(const char*, const char*, const char*, const char*);
+int ROKEN_LIB_FUNCTION innetgr(const char*, const char*,
+    const char*, const char*);
 #endif
 
 #ifndef HAVE_IRUSEROK
-int iruserok(unsigned raddr, int superuser, const char *ruser,
-	     const char *luser);
+int ROKEN_LIB_FUNCTION iruserok(unsigned, int, 
+    const char *, const char *);
 #endif
 
 #if !defined(HAVE_GETHOSTNAME) || defined(NEED_GETHOSTNAME_PROTO)
-int gethostname(char *name, int namelen);
+int ROKEN_LIB_FUNCTION gethostname(char *, int);
 #endif
 
 #ifndef HAVE_WRITEV
-ssize_t
-writev(int d, const struct iovec *iov, int iovcnt);
+ssize_t ROKEN_LIB_FUNCTION
+writev(int, const struct iovec *, int);
 #endif
 
 #ifndef HAVE_READV
-ssize_t
-readv(int d, const struct iovec *iov, int iovcnt);
+ssize_t ROKEN_LIB_FUNCTION
+readv(int, const struct iovec *, int);
 #endif
 
 #ifndef HAVE_MKSTEMP
-int
-mkstemp(char *template);
+int ROKEN_LIB_FUNCTION
+mkstemp(char *);
 #endif
 
 #ifndef HAVE_PIDFILE
-void pidfile (const char*);
+void ROKEN_LIB_FUNCTION pidfile (const char*);
 #endif
 
 #ifndef HAVE_BSWAP32
-unsigned int bswap32(unsigned int);
+unsigned int ROKEN_LIB_FUNCTION bswap32(unsigned int);
 #endif
 
 #ifndef HAVE_BSWAP16
-unsigned short bswap16(unsigned short);
+unsigned short ROKEN_LIB_FUNCTION bswap16(unsigned short);
 #endif
 
 #ifndef HAVE_FLOCK
@@ -396,23 +402,24 @@ unsigned short bswap16(unsigned short);
 int flock(int fd, int operation);
 #endif /* HAVE_FLOCK */
 
-time_t tm2time (struct tm tm, int local);
+time_t ROKEN_LIB_FUNCTION tm2time (struct tm, int);
 
-int unix_verify_user(char *user, char *password);
+int ROKEN_LIB_FUNCTION unix_verify_user(char *, char *);
 
-int roken_concat (char *s, size_t len, ...);
+int ROKEN_LIB_FUNCTION roken_concat (char *, size_t, ...);
 
-size_t roken_mconcat (char **s, size_t max_len, ...);
+size_t ROKEN_LIB_FUNCTION roken_mconcat (char **, size_t, ...);
 
-int roken_vconcat (char *s, size_t len, va_list args);
+int ROKEN_LIB_FUNCTION roken_vconcat (char *, size_t, va_list);
 
-size_t roken_vmconcat (char **s, size_t max_len, va_list args);
+size_t ROKEN_LIB_FUNCTION
+    roken_vmconcat (char **, size_t, va_list);
 
-ssize_t net_write (int fd, const void *buf, size_t nbytes);
+ssize_t ROKEN_LIB_FUNCTION net_write (int, const void *, size_t);
 
-ssize_t net_read (int fd, void *buf, size_t nbytes);
+ssize_t ROKEN_LIB_FUNCTION net_read (int, void *, size_t);
 
-int issuid(void);
+int ROKEN_LIB_FUNCTION issuid(void);
 
 #ifndef HAVE_STRUCT_WINSIZE
 struct winsize {
@@ -421,48 +428,44 @@ struct winsize {
 };
 #endif
 
-int get_window_size(int fd, struct winsize *);
+int ROKEN_LIB_FUNCTION get_window_size(int fd, struct winsize *);
 
 #ifndef HAVE_VSYSLOG
-void vsyslog(int pri, const char *fmt, va_list ap);
+void ROKEN_LIB_FUNCTION vsyslog(int, const char *, va_list);
 #endif
 
-#ifndef HAVE_OPTARG_DECLARATION
+#if !HAVE_DECL_OPTARG
 extern char *optarg;
 #endif
-#ifndef HAVE_OPTIND_DECLARATION
+#if !HAVE_DECL_OPTIND
 extern int optind;
 #endif
-#ifndef HAVE_OPTERR_DECLARATION
+#if !HAVE_DECL_OPTERR
 extern int opterr;
 #endif
 
-#ifndef HAVE___PROGNAME_DECLARATION
-extern const char *__progname;
-#endif
-
-#ifndef HAVE_ENVIRON_DECLARATION
+#if !HAVE_DECL_ENVIRON
 extern char **environ;
 #endif
 
 #ifndef HAVE_GETIPNODEBYNAME
-struct hostent *
-getipnodebyname (const char *name, int af, int flags, int *error_num);
+struct hostent * ROKEN_LIB_FUNCTION
+getipnodebyname (const char *, int, int, int *);
 #endif
 
 #ifndef HAVE_GETIPNODEBYADDR
-struct hostent *
-getipnodebyaddr (const void *src, size_t len, int af, int *error_num);
+struct hostent * ROKEN_LIB_FUNCTION
+getipnodebyaddr (const void *, size_t, int, int *);
 #endif
 
 #ifndef HAVE_FREEHOSTENT
-void
-freehostent (struct hostent *h);
+void ROKEN_LIB_FUNCTION
+freehostent (struct hostent *);
 #endif
 
 #ifndef HAVE_COPYHOSTENT
-struct hostent *
-copyhostent (const struct hostent *h);
+struct hostent * ROKEN_LIB_FUNCTION
+copyhostent (const struct hostent *);
 #endif
 
 #ifndef HAVE_SOCKLEN_T
@@ -528,61 +531,63 @@ struct addrinfo {
 #endif
 
 #ifndef HAVE_GETADDRINFO
-int
-getaddrinfo(const char *nodename,
-	    const char *servname,
-	    const struct addrinfo *hints,
-	    struct addrinfo **res);
+int ROKEN_LIB_FUNCTION
+getaddrinfo(const char *,
+	    const char *,
+	    const struct addrinfo *,
+	    struct addrinfo **);
 #endif
 
 #ifndef HAVE_GETNAMEINFO
-int getnameinfo(const struct sockaddr *sa, socklen_t salen,
-		char *host, size_t hostlen,
-		char *serv, size_t servlen,
-		int flags);
+int ROKEN_LIB_FUNCTION
+getnameinfo(const struct sockaddr *, socklen_t,
+		char *, size_t,
+		char *, size_t,
+		int);
 #endif
 
 #ifndef HAVE_FREEADDRINFO
-void
-freeaddrinfo(struct addrinfo *ai);
+void ROKEN_LIB_FUNCTION
+freeaddrinfo(struct addrinfo *);
 #endif
 
 #ifndef HAVE_GAI_STRERROR
-char *
-gai_strerror(int ecode);
+const char * ROKEN_LIB_FUNCTION
+gai_strerror(int);
 #endif
 
-int
-getnameinfo_verified(const struct sockaddr *sa, socklen_t salen,
-		     char *host, size_t hostlen,
-		     char *serv, size_t servlen,
-		     int flags);
+int ROKEN_LIB_FUNCTION
+getnameinfo_verified(const struct sockaddr *, socklen_t,
+		     char *, size_t,
+		     char *, size_t,
+		     int);
 
-int roken_getaddrinfo_hostspec(const char *, int, struct addrinfo **); 
-int roken_getaddrinfo_hostspec2(const char *, int, int, struct addrinfo **);
+int ROKEN_LIB_FUNCTION
+roken_getaddrinfo_hostspec(const char *, int, struct addrinfo **); 
+int ROKEN_LIB_FUNCTION
+roken_getaddrinfo_hostspec2(const char *, int, int, struct addrinfo **);
 
 #ifndef HAVE_STRFTIME
-size_t
-strftime (char *buf, size_t maxsize, const char *format,
-	  const struct tm *tm);
+size_t ROKEN_LIB_FUNCTION
+strftime (char *, size_t, const char *, const struct tm *);
 #endif
 
 #ifndef HAVE_STRPTIME
-char *
-strptime (const char *buf, const char *format, struct tm *timeptr);
+char * ROKEN_LIB_FUNCTION
+strptime (const char *, const char *, struct tm *);
 #endif
 
 #ifndef HAVE_EMALLOC
-void *emalloc (size_t);
+void * ROKEN_LIB_FUNCTION emalloc (size_t);
 #endif
 #ifndef HAVE_ECALLOC
-void *ecalloc(size_t num, size_t sz);
+void * ROKEN_LIB_FUNCTION ecalloc(size_t, size_t);
 #endif
 #ifndef HAVE_EREALLOC
-void *erealloc (void *, size_t);
+void * ROKEN_LIB_FUNCTION erealloc (void *, size_t);
 #endif
 #ifndef HAVE_ESTRDUP
-char *estrdup (const char *);
+char * ROKEN_LIB_FUNCTION estrdup (const char *);
 #endif
 
 /*
@@ -590,9 +595,12 @@ char *estrdup (const char *);
  */
 
 #if 1
-int roken_gethostby_setup(const char*, const char*);
-struct hostent* roken_gethostbyname(const char*);
-struct hostent* roken_gethostbyaddr(const void*, size_t, int);
+int ROKEN_LIB_FUNCTION
+roken_gethostby_setup(const char*, const char*);
+struct hostent* ROKEN_LIB_FUNCTION
+roken_gethostbyname(const char*);
+struct hostent* ROKEN_LIB_FUNCTION 
+roken_gethostbyaddr(const void*, size_t, int);
 #else
 #ifdef GETHOSTBYNAME_PROTO_COMPATIBLE
 #define roken_gethostbyname(x) gethostbyname(x)
@@ -626,57 +634,73 @@ struct hostent* roken_gethostbyaddr(const void*, size_t, int);
 #endif
 
 #ifndef HAVE_SETPROGNAME
-void setprogname(const char *argv0);
+void ROKEN_LIB_FUNCTION setprogname(const char *);
 #endif
 
 #ifndef HAVE_GETPROGNAME
-const char *getprogname(void);
+const char * ROKEN_LIB_FUNCTION getprogname(void);
 #endif
 
-void mini_inetd_addrinfo (struct addrinfo*);
-void mini_inetd (int port);
+#if !defined(HAVE_SETPROGNAME) && !defined(HAVE_GETPROGNAME) && !HAVE_DECL___PROGNAME
+extern const char *__progname;
+#endif
 
-void set_progname(char *argv0);
-const char *get_progname(void);
+void ROKEN_LIB_FUNCTION mini_inetd_addrinfo (struct addrinfo*);
+void ROKEN_LIB_FUNCTION mini_inetd (int);
 
 #ifndef HAVE_LOCALTIME_R
-struct tm *
-localtime_r(const time_t *timer, struct tm *result);
+struct tm * ROKEN_LIB_FUNCTION
+localtime_r(const time_t *, struct tm *);
 #endif
 
 #if !defined(HAVE_STRSVIS) || defined(NEED_STRSVIS_PROTO)
-int
-strsvis(char *dst, const char *src, int flag, const char *extra);
+int ROKEN_LIB_FUNCTION
+strsvis(char *, const char *, int, const char *);
 #endif
 
 #if !defined(HAVE_STRUNVIS) || defined(NEED_STRUNVIS_PROTO)
-int
-strunvis(char *dst, const char *src);
+int ROKEN_LIB_FUNCTION
+strunvis(char *, const char *);
 #endif
 
 #if !defined(HAVE_STRVIS) || defined(NEED_STRVIS_PROTO)
-int
-strvis(char *dst, const char *src, int flag);
+int ROKEN_LIB_FUNCTION
+strvis(char *, const char *, int);
 #endif
 
 #if !defined(HAVE_STRVISX) || defined(NEED_STRVISX_PROTO)
-int
-strvisx(char *dst, const char *src, size_t len, int flag);
+int ROKEN_LIB_FUNCTION
+strvisx(char *, const char *, size_t, int);
 #endif
 
 #if !defined(HAVE_SVIS) || defined(NEED_SVIS_PROTO)
-char *
-svis(char *dst, int c, int flag, int nextc, const char *extra);
+char * ROKEN_LIB_FUNCTION
+svis(char *, int, int, int, const char *);
 #endif
 
 #if !defined(HAVE_UNVIS) || defined(NEED_UNVIS_PROTO)
-int
-unvis(char *cp, int c, int *astate, int flag);
+int ROKEN_LIB_FUNCTION
+unvis(char *, int, int *, int);
 #endif
 
 #if !defined(HAVE_VIS) || defined(NEED_VIS_PROTO)
-char *
-vis(char *dst, int c, int flag, int nextc);
+char * ROKEN_LIB_FUNCTION
+vis(char *, int, int, int);
+#endif
+
+#if !defined(HAVE_CLOSEFROM)
+int ROKEN_LIB_FUNCTION
+closefrom(int);
+#endif
+
+#if !defined(HAVE_TIMEGM)
+#define timegm rk_timegm
+time_t ROKEN_LIB_FUNCTION
+rk_timegm(struct tm *tm);
+#endif
+
+#ifdef SOCKET_WRAPPER_REPLACE
+#include <socket_wrapper.h>
 #endif
 
 ROKEN_CPP_END
diff --git a/crypto/heimdal/lib/roken/roken_gethostby.c b/crypto/heimdal/lib/roken/roken_gethostby.c
index 6df6c57..ff0af86 100644
--- a/crypto/heimdal/lib/roken/roken_gethostby.c
+++ b/crypto/heimdal/lib/roken/roken_gethostby.c
@@ -33,10 +33,10 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: roken_gethostby.c,v 1.5 1999/12/05 13:16:44 assar Exp $");
+RCSID("$Id: roken_gethostby.c 21157 2007-06-18 22:03:13Z lha $");
 #endif
 
-#include <roken.h>
+#include "roken.h"
 
 #undef roken_gethostbyname
 #undef roken_gethostbyaddr
@@ -107,11 +107,11 @@ split_spec(const char *spec, char **host, int *port, char **path, int def_port)
 }
 
 
-int
+int ROKEN_LIB_FUNCTION
 roken_gethostby_setup(const char *proxy_spec, const char *dns_spec)
 {
     char *proxy_host = NULL;
-    int proxy_port;
+    int proxy_port = 0;
     char *dns_host, *dns_path;
     int dns_port;
     
@@ -137,7 +137,7 @@ static struct hostent*
 roken_gethostby(const char *hostname)
 {
     int s;
-    struct sockaddr_in sin;
+    struct sockaddr_in addr;
     char *request;
     char buf[1024];
     int offset = 0;
@@ -146,7 +146,7 @@ roken_gethostby(const char *hostname)
     
     if(dns_addr.sin_family == 0)
 	return NULL; /* no configured host */
-    sin = dns_addr;
+    addr = dns_addr;
     asprintf(&request, "GET %s?%s HTTP/1.0\r\n\r\n", dns_req, hostname);
     if(request == NULL)
 	return NULL;
@@ -155,7 +155,7 @@ roken_gethostby(const char *hostname)
 	free(request);
 	return NULL;
     }
-    if(connect(s, (struct sockaddr*)&sin, sizeof(sin)) < 0) {
+    if(connect(s, (struct sockaddr*)&addr, sizeof(addr)) < 0) {
 	close(s);
 	free(request);
 	return NULL;
@@ -186,7 +186,7 @@ roken_gethostby(const char *hostname)
 #define MAX_ADDRS 16
 	static struct hostent he;
 	static char addrs[4 * MAX_ADDRS];
-	static char *addr_list[MAX_ADDRS];
+	static char *addr_list[MAX_ADDRS + 1];
 	int num_addrs = 0;
 	
 	he.h_name = p;
@@ -220,7 +220,7 @@ roken_gethostbyname(const char *hostname)
     return roken_gethostby(hostname);
 }
 
-struct hostent*
+struct hostent* ROKEN_LIB_FUNCTION
 roken_gethostbyaddr(const void *addr, size_t len, int type)
 {
     struct in_addr a;
diff --git a/crypto/heimdal/lib/roken/rtbl.3 b/crypto/heimdal/lib/roken/rtbl.3
new file mode 100644
index 0000000..ccdc73f
--- /dev/null
+++ b/crypto/heimdal/lib/roken/rtbl.3
@@ -0,0 +1,201 @@
+.\" Copyright (c) 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\" $Id: rtbl.3 22088 2007-11-25 14:10:15Z lha $
+.\"
+.Dd June 26, 2004
+.Dt RTBL 3
+.Os HEIMDAL
+.Sh NAME
+.Nm rtbl_create ,
+.Nm rtbl_destroy ,
+.Nm rtbl_set_flags ,
+.Nm rtbl_get_flags ,
+.Nm rtbl_set_prefix ,
+.Nm rtbl_set_separator ,
+.Nm rtbl_set_column_prefix ,
+.Nm rtbl_set_column_affix_by_id ,
+.Nm rtbl_add_column ,
+.Nm rtbl_add_column_by_id ,
+.Nm rtbl_add_column_entry ,
+.Nm rtbl_add_column_entry_by_id ,
+.Nm rtbl_new_row ,
+.Nm rtbl_format
+.Nd format data in simple tables
+.Sh LIBRARY
+The roken library (libroken, -lroken)
+.Sh SYNOPSIS
+.In rtbl.h
+.Ft int
+.Fn rtbl_add_column "rtbl_t table" "const char *column_name" "unsigned int flags"
+.Ft int
+.Fn rtbl_add_column_by_id "rtbl_t table" "unsigned int column_id" "const char *column_header" "unsigned int flags"
+.Ft int
+.Fn rtbl_add_column_entry "rtbl_t table" "const char *column_name" "const char *cell_entry"
+.Ft int
+.Fn rtbl_add_column_entry_by_id "rtbl_t table" "unsigned int column_id" "const char *cell_entry"
+.Ft rtbl_t
+.Fn rtbl_create "void"
+.Ft void
+.Fn rtbl_destroy "rtbl_t table"
+.Ft int
+.Fn rtbl_new_row "rtbl_t table"
+.Ft int
+.Fn rtbl_set_column_affix_by_id "rtbl_t table" "unsigned int column_id "const char *prefix" "const char *suffix"
+.Ft int
+.Fn rtbl_set_column_prefix "rtbl_t table" "const char *column_name" "const char *prefix"
+.Ft "unsigned int"
+.Fn rtbl_get_flags "rtbl_t table"
+.Ft void
+.Fn rtbl_set_flags "rtbl_t table" "unsigned int flags"
+.Ft int
+.Fn rtbl_set_prefix "rtbl_t table" "const char *prefix"
+.Ft int
+.Fn rtbl_set_separator "rtbl_t table" "const char *separator"
+.Ft int
+.Fn rtbl_format "rtbl_t table "FILE *file"
+.Sh DESCRIPTION
+This set of functions assemble a simple table consisting of rows and
+columns, allowing it to be printed with certain options. Typical use
+would be output from tools such as
+.Xr ls 1
+or
+.Xr netstat 1 ,
+where you have a fixed number of columns, but don't know the column
+widthds before hand.
+.Pp
+A table is created with
+.Fn rtbl_create
+and destroyed with
+.Fn rtbl_destroy .
+.Pp
+Global flags on the table are set with
+.Fa rtbl_set_flags
+and retrieved with
+.Fa rtbl_get_flags .
+At present the only defined flag is
+.Dv RTBL_HEADER_STYLE_NONE
+which suppresses printing the header.
+.Pp
+Before adding data to the table, one or more columns need to be
+created. This would normally be done with
+.Fn rtbl_add_column_by_id ,
+.Fa column_id
+is any number of your choice (it's used only to identify columns),
+.Fa column_header
+is the header to print at the top of the column, and
+.Fa flags
+are flags specific to this column. Currently the only defined flag is
+.Dv RTBL_ALIGN_RIGHT ,
+aligning column entries to the right. Columns are printed in the order
+they are added.
+.Pp
+There's also a way to add columns by column name with
+.Fn rtbl_add_column ,
+but this is less flexible (you need unique header names), and is
+considered deprecated.
+.Pp
+To add data to a column you use
+.Fn rtbl_add_column_entry_by_id ,
+where the
+.Fa column_id
+is the same as when the column was added (adding data to a
+non-existent column is undefined), and
+.Fa cell_entry
+is whatever string you wish to include in that cell. It should not
+include newlines.
+For columns added with
+.Fn rtbl_add_column
+you must use
+.Fn rtbl_add_column_entry
+instead.
+.Pp
+.Fn rtbl_new_row
+fills all columns with blank entries until they all have the same
+number of rows.
+.Pp
+Each column can have a separate prefix and suffix, set with
+.Fa rtbl_set_column_affix_by_id ;
+.Fa rtbl_set_column_prefix
+allows setting the prefix only by column name. In addition to this,
+columns may be separated by a string set with
+.Fa rtbl_set_separator ( Ns
+by default columns are not seprated by anything).
+.Pp
+The finished table is printed to
+.Fa file
+with
+.Fa rtbl_format .
+.Sh EXAMPLES
+This program:
+.Bd -literal -offset xxxx
+#include <stdio.h>
+#include <rtbl.h>
+int
+main(int argc, char **argv)
+{
+    rtbl_t table;
+    table = rtbl_create();
+    rtbl_set_separator(table, "  ");
+    rtbl_add_column_by_id(table, 0, "Column A", 0);
+    rtbl_add_column_by_id(table, 1, "Column B", RTBL_ALIGN_RIGHT);
+    rtbl_add_column_by_id(table, 2, "Column C", 0);
+    rtbl_add_column_entry_by_id(table, 0, "A-1");
+    rtbl_add_column_entry_by_id(table, 0, "A-2");
+    rtbl_add_column_entry_by_id(table, 0, "A-3");
+    rtbl_add_column_entry_by_id(table, 1, "B-1");
+    rtbl_add_column_entry_by_id(table, 2, "C-1");
+    rtbl_add_column_entry_by_id(table, 2, "C-2");
+    rtbl_add_column_entry_by_id(table, 1, "B-2");
+    rtbl_add_column_entry_by_id(table, 1, "B-3");
+    rtbl_add_column_entry_by_id(table, 2, "C-3");
+    rtbl_add_column_entry_by_id(table, 0, "A-4");
+    rtbl_new_row(table);
+    rtbl_add_column_entry_by_id(table, 1, "B-4");
+    rtbl_new_row(table);
+    rtbl_add_column_entry_by_id(table, 2, "C-4");
+    rtbl_new_row(table);
+    rtbl_format(table, stdout);
+    rtbl_destroy(table);
+    return 0;
+}
+.Ed
+.Pp
+will output the following:
+.Bd -literal -offset xxxx
+Column A  Column B  Column C
+A-1            B-1  C-1
+A-2            B-2  C-2
+A-3            B-3  C-3
+A-4
+               B-4
+                    C-4
+.Ed
+.\" .Sh SEE ALSO
diff --git a/crypto/heimdal/lib/roken/rtbl.c b/crypto/heimdal/lib/roken/rtbl.c
index 5a3bc00..dd4328f 100644
--- a/crypto/heimdal/lib/roken/rtbl.c
+++ b/crypto/heimdal/lib/roken/rtbl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 2000, 2002, 2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID ("$Id: rtbl.c,v 1.4 2002/09/04 21:25:09 joda Exp $");
+RCSID ("$Id: rtbl.c 17758 2006-06-30 13:41:40Z lha $");
 #endif
 #include "roken.h"
 #include "rtbl.h"
@@ -49,20 +49,46 @@ struct column_data {
     unsigned flags;
     size_t num_rows;
     struct column_entry *rows;
+    unsigned int column_id;
+    char *suffix;
 };
 
 struct rtbl_data {
     char *column_prefix;
     size_t num_columns;
     struct column_data **columns;
+    unsigned int flags;
+    char *column_separator;
 };
 
-rtbl_t
+rtbl_t ROKEN_LIB_FUNCTION
 rtbl_create (void)
 {
     return calloc (1, sizeof (struct rtbl_data));
 }
 
+void ROKEN_LIB_FUNCTION
+rtbl_set_flags (rtbl_t table, unsigned int flags)
+{
+    table->flags = flags;
+}
+
+unsigned int ROKEN_LIB_FUNCTION
+rtbl_get_flags (rtbl_t table)
+{
+    return table->flags;
+}
+
+static struct column_data *
+rtbl_get_column_by_id (rtbl_t table, unsigned int id)
+{
+    int i;
+    for(i = 0; i < table->num_columns; i++)
+	if(table->columns[i]->column_id == id)
+	    return table->columns[i];
+    return NULL;
+}
+
 static struct column_data *
 rtbl_get_column (rtbl_t table, const char *column)
 {
@@ -73,7 +99,7 @@ rtbl_get_column (rtbl_t table, const char *column)
     return NULL;
 }
 
-void
+void ROKEN_LIB_FUNCTION
 rtbl_destroy (rtbl_t table)
 {
     int i, j;
@@ -86,15 +112,18 @@ rtbl_destroy (rtbl_t table)
 	free (c->rows);
 	free (c->header);
 	free (c->prefix);
+	free (c->suffix);
 	free (c);
     }
     free (table->column_prefix);
+    free (table->column_separator);
     free (table->columns);
     free (table);
 }
 
-int
-rtbl_add_column (rtbl_t table, const char *header, unsigned int flags)
+int ROKEN_LIB_FUNCTION
+rtbl_add_column_by_id (rtbl_t table, unsigned int id, 
+		       const char *header, unsigned int flags)
 {
     struct column_data *col, **tmp;
 
@@ -110,26 +139,64 @@ rtbl_add_column (rtbl_t table, const char *header, unsigned int flags)
 	free (col);
 	return ENOMEM;
     }
-    col->prefix   = NULL;
-    col->width    = 0;
-    col->flags    = flags;
+    col->prefix = NULL;
+    col->width = 0;
+    col->flags = flags;
     col->num_rows = 0;
-    col->rows     = NULL;
+    col->rows = NULL;
+    col->column_id = id;
+    col->suffix = NULL;
     table->columns[table->num_columns++] = col;
     return 0;
 }
 
+int ROKEN_LIB_FUNCTION
+rtbl_add_column (rtbl_t table, const char *header, unsigned int flags)
+{
+    return rtbl_add_column_by_id(table, 0, header, flags);
+}
+
+int ROKEN_LIB_FUNCTION
+rtbl_new_row(rtbl_t table)
+{
+    size_t max_rows = 0;
+    size_t c;
+    for (c = 0; c < table->num_columns; c++)
+	if(table->columns[c]->num_rows > max_rows)
+	    max_rows = table->columns[c]->num_rows;
+    for (c = 0; c < table->num_columns; c++) {
+	struct column_entry *tmp;
+
+	if(table->columns[c]->num_rows == max_rows)
+	    continue;
+	tmp = realloc(table->columns[c]->rows, 
+		      max_rows * sizeof(table->columns[c]->rows));
+	if(tmp == NULL)
+	    return ENOMEM;
+	table->columns[c]->rows = tmp;
+	while(table->columns[c]->num_rows < max_rows) {
+	    if((tmp[table->columns[c]->num_rows++].data = strdup("")) == NULL)
+		return ENOMEM;
+	}
+    }
+    return 0;
+}
+
 static void
-column_compute_width (struct column_data *column)
+column_compute_width (rtbl_t table, struct column_data *column)
 {
     int i;
 
-    column->width = strlen (column->header);
+    if(table->flags & RTBL_HEADER_STYLE_NONE)
+	column->width = 0;
+    else
+	column->width = strlen (column->header);
     for (i = 0; i < column->num_rows; i++)
 	column->width = max (column->width, strlen (column->rows[i].data));
 }
 
-int
+/* DEPRECATED */
+int ROKEN_LIB_FUNCTION
 rtbl_set_prefix (rtbl_t table, const char *prefix)
 {
     if (table->column_prefix)
@@ -140,7 +207,18 @@ rtbl_set_prefix (rtbl_t table, const char *prefix)
     return 0;
 }
 
-int
+int ROKEN_LIB_FUNCTION
+rtbl_set_separator (rtbl_t table, const char *separator)
+{
+    if (table->column_separator)
+	free (table->column_separator);
+    table->column_separator = strdup (separator);
+    if (table->column_separator == NULL)
+	return ENOMEM;
+    return 0;
+}
+
+int ROKEN_LIB_FUNCTION
 rtbl_set_column_prefix (rtbl_t table, const char *column,
 			const char *prefix)
 {
@@ -156,6 +234,36 @@ rtbl_set_column_prefix (rtbl_t table, const char *column,
     return 0;
 }
 
+int ROKEN_LIB_FUNCTION
+rtbl_set_column_affix_by_id(rtbl_t table, unsigned int id,
+			    const char *prefix, const char *suffix)
+{
+    struct column_data *c = rtbl_get_column_by_id (table, id);
+
+    if (c == NULL)
+	return -1;
+    if (c->prefix)
+	free (c->prefix);
+    if(prefix == NULL)
+	c->prefix = NULL;
+    else {
+	c->prefix = strdup (prefix);
+	if (c->prefix == NULL)
+	    return ENOMEM;
+    }
+
+    if (c->suffix)
+	free (c->suffix);
+    if(suffix == NULL)
+	c->suffix = NULL;
+    else {
+	c->suffix = strdup (suffix);
+	if (c->suffix == NULL)
+	    return ENOMEM;
+    }
+    return 0;
+}
+
 
 static const char *
 get_column_prefix (rtbl_t table, struct column_data *c)
@@ -169,15 +277,18 @@ get_column_prefix (rtbl_t table, struct column_data *c)
     return "";
 }
 
-int
-rtbl_add_column_entry (rtbl_t table, const char *column, const char *data)
+static const char *
+get_column_suffix (rtbl_t table, struct column_data *c)
 {
-    struct column_entry row, *tmp;
-
-    struct column_data *c = rtbl_get_column (table, column);
+    if (c && c->suffix)
+	return c->suffix;
+    return "";
+}
 
-    if (c == NULL)
-	return -1;
+static int
+add_column_entry (struct column_data *c, const char *data)
+{
+    struct column_entry row, *tmp;
 
     row.data = strdup (data);
     if (row.data == NULL)
@@ -192,24 +303,92 @@ rtbl_add_column_entry (rtbl_t table, const char *column, const char *data)
     return 0;
 }
 
-int
+int ROKEN_LIB_FUNCTION
+rtbl_add_column_entry_by_id (rtbl_t table, unsigned int id, const char *data)
+{
+    struct column_data *c = rtbl_get_column_by_id (table, id);
+
+    if (c == NULL)
+	return -1;
+
+    return add_column_entry(c, data);
+}
+
+int ROKEN_LIB_FUNCTION
+rtbl_add_column_entryv_by_id (rtbl_t table, unsigned int id,
+			      const char *fmt, ...)
+{
+    va_list ap;
+    char *str;
+    int ret;
+
+    va_start(ap, fmt);
+    ret = vasprintf(&str, fmt, ap);
+    va_end(ap);
+    if (ret == -1)
+	return -1;
+    ret = rtbl_add_column_entry_by_id(table, id, str);
+    free(str);
+    return ret;
+}
+
+int ROKEN_LIB_FUNCTION
+rtbl_add_column_entry (rtbl_t table, const char *column, const char *data)
+{
+    struct column_data *c = rtbl_get_column (table, column);
+
+    if (c == NULL)
+	return -1;
+
+    return add_column_entry(c, data);
+}
+
+int ROKEN_LIB_FUNCTION
+rtbl_add_column_entryv (rtbl_t table, const char *column, const char *fmt, ...)
+{
+    va_list ap;
+    char *str;
+    int ret;
+
+    va_start(ap, fmt);
+    ret = vasprintf(&str, fmt, ap);
+    va_end(ap);
+    if (ret == -1)
+	return -1;
+    ret = rtbl_add_column_entry(table, column, str);
+    free(str);
+    return ret;
+}
+
+
+int ROKEN_LIB_FUNCTION
 rtbl_format (rtbl_t table, FILE * f)
 {
     int i, j;
 
     for (i = 0; i < table->num_columns; i++)
-	column_compute_width (table->columns[i]);
-    for (i = 0; i < table->num_columns; i++) {
-	struct column_data *c = table->columns[i];
+	column_compute_width (table, table->columns[i]);
+    if((table->flags & RTBL_HEADER_STYLE_NONE) == 0) {
+	for (i = 0; i < table->num_columns; i++) {
+	    struct column_data *c = table->columns[i];
 
-	fprintf (f, "%s", get_column_prefix (table, c));
-	fprintf (f, "%-*s", (int)c->width, c->header);
+	    if(table->column_separator != NULL && i > 0)
+		fprintf (f, "%s", table->column_separator);
+	    fprintf (f, "%s", get_column_prefix (table, c));
+	    if(i == table->num_columns - 1 && c->suffix == NULL)
+		/* last column, so no need to pad with spaces */
+		fprintf (f, "%-*s", 0, c->header);
+	    else
+		fprintf (f, "%-*s", (int)c->width, c->header);
+	    fprintf (f, "%s", get_column_suffix (table, c));
+	}
+	fprintf (f, "\n");
     }
-    fprintf (f, "\n");
 
     for (j = 0;; j++) {
 	int flag = 0;
 
+	/* are there any more rows left? */
 	for (i = 0; flag == 0 && i < table->num_columns; ++i) {
 	    struct column_data *c = table->columns[i];
 
@@ -225,15 +404,24 @@ rtbl_format (rtbl_t table, FILE * f)
 	    int w;
 	    struct column_data *c = table->columns[i];
 
+	    if(table->column_separator != NULL && i > 0)
+		fprintf (f, "%s", table->column_separator);
+
 	    w = c->width;
 
-	    if ((c->flags & RTBL_ALIGN_RIGHT) == 0)
-		w = -w;
+	    if ((c->flags & RTBL_ALIGN_RIGHT) == 0) {
+		if(i == table->num_columns - 1 && c->suffix == NULL)
+		    /* last column, so no need to pad with spaces */
+		    w = 0;
+		else
+		    w = -w;
+	    }
 	    fprintf (f, "%s", get_column_prefix (table, c));
 	    if (c->num_rows <= j)
 		fprintf (f, "%*s", w, "");
 	    else
 		fprintf (f, "%*s", w, c->rows[j].data);
+	    fprintf (f, "%s", get_column_suffix (table, c));
 	}
 	fprintf (f, "\n");
     }
@@ -245,36 +433,57 @@ int
 main (int argc, char **argv)
 {
     rtbl_t table;
-    unsigned int a, b, c, d;
 
     table = rtbl_create ();
-    rtbl_add_column (table, "Issued", 0, &a);
-    rtbl_add_column (table, "Expires", 0, &b);
-    rtbl_add_column (table, "Foo", RTBL_ALIGN_RIGHT, &d);
-    rtbl_add_column (table, "Principal", 0, &c);
+    rtbl_add_column_by_id (table, 0, "Issued", 0);
+    rtbl_add_column_by_id (table, 1, "Expires", 0);
+    rtbl_add_column_by_id (table, 2, "Foo", RTBL_ALIGN_RIGHT);
+    rtbl_add_column_by_id (table, 3, "Principal", 0);
+
+    rtbl_add_column_entry_by_id (table, 0, "Jul  7 21:19:29");
+    rtbl_add_column_entry_by_id (table, 1, "Jul  8 07:19:29");
+    rtbl_add_column_entry_by_id (table, 2, "73");
+    rtbl_add_column_entry_by_id (table, 2, "0");
+    rtbl_add_column_entry_by_id (table, 2, "-2000");
+    rtbl_add_column_entry_by_id (table, 3, "krbtgt/NADA.KTH.SE@NADA.KTH.SE");
 
-    rtbl_add_column_entry (table, a, "Jul  7 21:19:29");
-    rtbl_add_column_entry (table, b, "Jul  8 07:19:29");
-    rtbl_add_column_entry (table, d, "73");
-    rtbl_add_column_entry (table, d, "0");
-    rtbl_add_column_entry (table, d, "-2000");
-    rtbl_add_column_entry (table, c, "krbtgt/NADA.KTH.SE@NADA.KTH.SE");
+    rtbl_add_column_entry_by_id (table, 0, "Jul  7 21:19:29");
+    rtbl_add_column_entry_by_id (table, 1, "Jul  8 07:19:29");
+    rtbl_add_column_entry_by_id (table, 3, "afs/pdc.kth.se@NADA.KTH.SE");
 
-    rtbl_add_column_entry (table, a, "Jul  7 21:19:29");
-    rtbl_add_column_entry (table, b, "Jul  8 07:19:29");
-    rtbl_add_column_entry (table, c, "afs/pdc.kth.se@NADA.KTH.SE");
+    rtbl_add_column_entry_by_id (table, 0, "Jul  7 21:19:29");
+    rtbl_add_column_entry_by_id (table, 1, "Jul  8 07:19:29");
+    rtbl_add_column_entry_by_id (table, 3, "afs@NADA.KTH.SE");
 
-    rtbl_add_column_entry (table, a, "Jul  7 21:19:29");
-    rtbl_add_column_entry (table, b, "Jul  8 07:19:29");
-    rtbl_add_column_entry (table, c, "afs@NADA.KTH.SE");
+    rtbl_set_separator (table, "  ");
 
-    rtbl_set_prefix (table, "  ");
-    rtbl_set_column_prefix (table, a, "");
+    rtbl_format (table, stdout);
+
+    rtbl_destroy (table);
 
+    printf("\n");
+
+    table = rtbl_create ();
+    rtbl_add_column_by_id (table, 0, "Column A", 0);
+    rtbl_set_column_affix_by_id (table, 0, "<", ">");
+    rtbl_add_column_by_id (table, 1, "Column B", 0);
+    rtbl_set_column_affix_by_id (table, 1, "[", "]");
+    rtbl_add_column_by_id (table, 2, "Column C", 0);
+    rtbl_set_column_affix_by_id (table, 2, "(", ")");
+
+    rtbl_add_column_entry_by_id (table, 0, "1");
+    rtbl_new_row(table);
+    rtbl_add_column_entry_by_id (table, 1, "2");
+    rtbl_new_row(table);
+    rtbl_add_column_entry_by_id (table, 2, "3");
+    rtbl_new_row(table);
+
+    rtbl_set_separator (table, "  ");
     rtbl_format (table, stdout);
 
     rtbl_destroy (table);
 
+    return 0;
 }
 
 #endif
diff --git a/crypto/heimdal/lib/roken/rtbl.h b/crypto/heimdal/lib/roken/rtbl.h
index 16496a7..9b168c7 100644
--- a/crypto/heimdal/lib/roken/rtbl.h
+++ b/crypto/heimdal/lib/roken/rtbl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 2000,2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -30,28 +30,89 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
+/* $Id: rtbl.h 17760 2006-06-30 13:42:39Z lha $ */
 
 #ifndef __rtbl_h__
 #define __rtbl_h__
 
+#ifndef ROKEN_LIB_FUNCTION
+#ifdef _WIN32
+#define ROKEN_LIB_FUNCTION _stdcall
+#else
+#define ROKEN_LIB_FUNCTION
+#endif
+#endif
+
+#if !defined(__GNUC__) && !defined(__attribute__)
+#define __attribute__(x)
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 struct rtbl_data;
 typedef struct rtbl_data *rtbl_t;
 
 #define RTBL_ALIGN_LEFT		0
 #define RTBL_ALIGN_RIGHT	1
 
-rtbl_t rtbl_create (void);
+/* flags */
+#define RTBL_HEADER_STYLE_NONE	1
+
+int ROKEN_LIB_FUNCTION
+rtbl_add_column (rtbl_t, const char*, unsigned int);
+
+int ROKEN_LIB_FUNCTION
+rtbl_add_column_by_id (rtbl_t, unsigned int, const char*, unsigned int);
+
+int ROKEN_LIB_FUNCTION
+rtbl_add_column_entryv_by_id (rtbl_t table, unsigned int id,
+			      const char *fmt, ...)
+	__attribute__ ((format (printf, 3, 0)));
+
+int ROKEN_LIB_FUNCTION
+rtbl_add_column_entry (rtbl_t, const char*, const char*);
+
+int ROKEN_LIB_FUNCTION
+rtbl_add_column_entryv (rtbl_t, const char*, const char*, ...)
+	__attribute__ ((format (printf, 3, 0)));
+
+int ROKEN_LIB_FUNCTION
+rtbl_add_column_entry_by_id (rtbl_t, unsigned int, const char*);
+
+rtbl_t ROKEN_LIB_FUNCTION
+rtbl_create (void);
+
+void ROKEN_LIB_FUNCTION
+rtbl_destroy (rtbl_t);
+
+int ROKEN_LIB_FUNCTION
+rtbl_format (rtbl_t, FILE*);
+
+unsigned int ROKEN_LIB_FUNCTION
+rtbl_get_flags (rtbl_t);
+
+int ROKEN_LIB_FUNCTION
+rtbl_new_row (rtbl_t);
 
-void rtbl_destroy (rtbl_t);
+int ROKEN_LIB_FUNCTION
+rtbl_set_column_affix_by_id (rtbl_t, unsigned int, const char*, const char*);
 
-int rtbl_set_prefix (rtbl_t, const char*);
+int ROKEN_LIB_FUNCTION
+rtbl_set_column_prefix (rtbl_t, const char*, const char*);
 
-int rtbl_set_column_prefix (rtbl_t, const char*, const char*);
+void ROKEN_LIB_FUNCTION
+rtbl_set_flags (rtbl_t, unsigned int);
 
-int rtbl_add_column (rtbl_t, const char*, unsigned int);
+int ROKEN_LIB_FUNCTION
+rtbl_set_prefix (rtbl_t, const char*);
 
-int rtbl_add_column_entry (rtbl_t, const char*, const char*);
+int ROKEN_LIB_FUNCTION
+rtbl_set_separator (rtbl_t, const char*);
 
-int rtbl_format (rtbl_t, FILE*);
+#ifdef __cplusplus
+}
+#endif
 
 #endif /* __rtbl_h__ */
diff --git a/crypto/heimdal/lib/roken/sendmsg.c b/crypto/heimdal/lib/roken/sendmsg.c
index 7075bf2..e7478bf 100644
--- a/crypto/heimdal/lib/roken/sendmsg.c
+++ b/crypto/heimdal/lib/roken/sendmsg.c
@@ -33,12 +33,12 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: sendmsg.c,v 1.4 1999/12/02 16:58:52 joda Exp $");
+RCSID("$Id: sendmsg.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
 
-ssize_t
+ssize_t ROKEN_LIB_FUNCTION
 sendmsg(int s, const struct msghdr *msg, int flags)
 {
     ssize_t ret;
diff --git a/crypto/heimdal/lib/roken/setegid.c b/crypto/heimdal/lib/roken/setegid.c
index 2f46fe4..14d99ee 100644
--- a/crypto/heimdal/lib/roken/setegid.c
+++ b/crypto/heimdal/lib/roken/setegid.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: setegid.c,v 1.9 1999/12/02 16:58:52 joda Exp $");
+RCSID("$Id: setegid.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #ifdef HAVE_UNISTD_H
@@ -42,7 +42,7 @@ RCSID("$Id: setegid.c,v 1.9 1999/12/02 16:58:52 joda Exp $");
 
 #include "roken.h"
 
-int
+int ROKEN_LIB_FUNCTION
 setegid(gid_t egid)
 {
 #ifdef HAVE_SETREGID
diff --git a/crypto/heimdal/lib/roken/setenv.c b/crypto/heimdal/lib/roken/setenv.c
index 15b5811..2bf09be 100644
--- a/crypto/heimdal/lib/roken/setenv.c
+++ b/crypto/heimdal/lib/roken/setenv.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: setenv.c,v 1.9 1999/12/02 16:58:52 joda Exp $");
+RCSID("$Id: setenv.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
@@ -47,7 +47,7 @@ RCSID("$Id: setenv.c,v 1.9 1999/12/02 16:58:52 joda Exp $");
  * anyway.
  */
 
-int
+int ROKEN_LIB_FUNCTION
 setenv(const char *var, const char *val, int rewrite)
 {
     char *t;
diff --git a/crypto/heimdal/lib/roken/seteuid.c b/crypto/heimdal/lib/roken/seteuid.c
index ee68ba7..4f786bb 100644
--- a/crypto/heimdal/lib/roken/seteuid.c
+++ b/crypto/heimdal/lib/roken/seteuid.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: seteuid.c,v 1.10 1999/12/02 16:58:52 joda Exp $");
+RCSID("$Id: seteuid.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #ifdef HAVE_UNISTD_H
@@ -42,7 +42,7 @@ RCSID("$Id: seteuid.c,v 1.10 1999/12/02 16:58:52 joda Exp $");
 
 #include "roken.h"
 
-int
+int ROKEN_LIB_FUNCTION
 seteuid(uid_t euid)
 {
 #ifdef HAVE_SETREUID
diff --git a/crypto/heimdal/lib/roken/setprogname.c b/crypto/heimdal/lib/roken/setprogname.c
index e66deab..b24c785 100644
--- a/crypto/heimdal/lib/roken/setprogname.c
+++ b/crypto/heimdal/lib/roken/setprogname.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan 
+ * Copyright (c) 1995-2004 Kungliga Tekniska Högskolan 
  * (Royal Institute of Technology, Stockholm, Sweden).  
  * All rights reserved.
  * 
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: setprogname.c,v 1.1 2001/07/09 14:56:51 assar Exp $");
+RCSID("$Id: setprogname.c 15955 2005-08-23 10:19:20Z lha $");
 #endif
 
 #include "roken.h"
@@ -43,25 +43,19 @@ extern const char *__progname;
 #endif
 
 #ifndef HAVE_SETPROGNAME
-void
+void ROKEN_LIB_FUNCTION
 setprogname(const char *argv0)
 {
 #ifndef HAVE___PROGNAME
-    char *p;
+    const char *p;
     if(argv0 == NULL)
 	return;
     p = strrchr(argv0, '/');
     if(p == NULL)
-	p = (char *)argv0;
+	p = argv0;
     else
 	p++;
     __progname = p;
 #endif
 }
 #endif /* HAVE_SETPROGNAME */
-
-void
-set_progname(char *argv0)
-{
-    setprogname ((const char *)argv0);
-}
diff --git a/crypto/heimdal/lib/roken/signal.c b/crypto/heimdal/lib/roken/signal.c
index 1d482a0..e184390 100644
--- a/crypto/heimdal/lib/roken/signal.c
+++ b/crypto/heimdal/lib/roken/signal.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: signal.c,v 1.12 2000/07/08 12:39:06 assar Exp $");
+RCSID("$Id: signal.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include <signal.h>
@@ -50,7 +50,7 @@ RCSID("$Id: signal.c,v 1.12 2000/07/08 12:39:06 assar Exp $");
  * Do we need any extra hacks for SIGCLD and/or SIGCHLD?
  */
 
-SigAction
+SigAction ROKEN_LIB_FUNCTION
 signal(int iSig, SigAction pAction)
 {
     struct sigaction saNew, saOld;
diff --git a/crypto/heimdal/lib/roken/simple_exec.c b/crypto/heimdal/lib/roken/simple_exec.c
index 1f27c00..447b5bf 100644
--- a/crypto/heimdal/lib/roken/simple_exec.c
+++ b/crypto/heimdal/lib/roken/simple_exec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1998 - 2001, 2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: simple_exec.c,v 1.10 2001/06/21 03:38:03 assar Exp $");
+RCSID("$Id: simple_exec.c 21005 2007-06-08 01:54:35Z lha $");
 #endif
 
 #include <stdarg.h>
@@ -49,7 +49,7 @@ RCSID("$Id: simple_exec.c,v 1.10 2001/06/21 03:38:03 assar Exp $");
 #endif
 #include <errno.h>
 
-#include <roken.h>
+#include "roken.h"
 
 #define EX_NOEXEC	126
 #define EX_NOTFOUND	127
@@ -58,31 +58,92 @@ RCSID("$Id: simple_exec.c,v 1.10 2001/06/21 03:38:03 assar Exp $");
    -1   on `unspecified' system errors
    -2   on fork failures
    -3   on waitpid errors
+   -4   exec timeout
    0-   is return value from subprocess
    126  if the program couldn't be executed
    127  if the program couldn't be found
    128- is 128 + signal that killed subprocess
+
+   possible values `func' can return:
+   ((time_t)-2)		exit loop w/o killing child and return
+   			`exec timeout'/-4 from simple_exec
+   ((time_t)-1)		kill child with SIGTERM and wait for child to exit
+   0			don't timeout again
+   n			seconds to next timeout
    */
 
-int
-wait_for_process(pid_t pid)
+static int sig_alarm;
+
+static RETSIGTYPE
+sigtimeout(int sig)
+{
+    sig_alarm = 1;
+    SIGRETURN(0);
+}
+
+int ROKEN_LIB_FUNCTION
+wait_for_process_timed(pid_t pid, time_t (*func)(void *), 
+		       void *ptr, time_t timeout)
 {
+    RETSIGTYPE (*old_func)(int sig) = NULL;
+    unsigned int oldtime = 0;
+    int ret;
+
+    sig_alarm = 0;
+
+    if (func) {
+	old_func = signal(SIGALRM, sigtimeout);
+	oldtime = alarm(timeout);
+    }
+
     while(1) {
 	int status;
 
-	while(waitpid(pid, &status, 0) < 0)
-	    if (errno != EINTR)
-		return -3;
+	while(waitpid(pid, &status, 0) < 0) {
+	    if (errno != EINTR) {
+		ret = -3;
+		goto out;
+	    }
+	    if (func == NULL)
+		continue;
+	    if (sig_alarm == 0)
+		continue;
+	    timeout = (*func)(ptr);
+	    if (timeout == (time_t)-1) {
+		kill(pid, SIGTERM);
+		continue;
+	    } else if (timeout == (time_t)-2) {
+		ret = -4;
+		goto out;
+	    }
+	    alarm(timeout);
+	}
 	if(WIFSTOPPED(status))
 	    continue;
-	if(WIFEXITED(status))
-	    return WEXITSTATUS(status);
-	if(WIFSIGNALED(status))
-	    return WTERMSIG(status) + 128;
+	if(WIFEXITED(status)) {
+	    ret = WEXITSTATUS(status);
+	    break;
+	}
+	if(WIFSIGNALED(status)) {
+	    ret = WTERMSIG(status) + 128;
+	    break;
+	}
     }
+ out:
+    if (func) {
+	signal(SIGALRM, old_func);
+	alarm(oldtime);
+    }
+    return ret;
 }
 
-int
+int ROKEN_LIB_FUNCTION
+wait_for_process(pid_t pid)
+{
+    return wait_for_process_timed(pid, NULL, NULL, 0);
+}
+
+int ROKEN_LIB_FUNCTION
 pipe_execv(FILE **stdin_fd, FILE **stdout_fd, FILE **stderr_fd, 
 	   const char *file, ...)
 {
@@ -136,6 +197,8 @@ pipe_execv(FILE **stdin_fd, FILE **stdout_fd, FILE **stderr_fd,
 	    close(err_fd[1]);
 	}
 
+	closefrom(3);
+
 	execv(file, argv);
 	exit((errno == ENOENT) ? EX_NOTFOUND : EX_NOEXEC);
     case -1:
@@ -169,8 +232,9 @@ pipe_execv(FILE **stdin_fd, FILE **stdout_fd, FILE **stderr_fd,
     return pid;
 }
 
-int
-simple_execvp(const char *file, char *const args[])
+int ROKEN_LIB_FUNCTION
+simple_execvp_timed(const char *file, char *const args[], 
+		    time_t (*func)(void *), void *ptr, time_t timeout)
 {
     pid_t pid = fork();
     switch(pid){
@@ -180,13 +244,20 @@ simple_execvp(const char *file, char *const args[])
 	execvp(file, args);
 	exit((errno == ENOENT) ? EX_NOTFOUND : EX_NOEXEC);
     default: 
-	return wait_for_process(pid);
+	return wait_for_process_timed(pid, func, ptr, timeout);
     }
 }
 
+int ROKEN_LIB_FUNCTION
+simple_execvp(const char *file, char *const args[])
+{
+    return simple_execvp_timed(file, args, NULL, NULL, 0);
+}
+
 /* gee, I'd like a execvpe */
-int
-simple_execve(const char *file, char *const args[], char *const envp[])
+int ROKEN_LIB_FUNCTION
+simple_execve_timed(const char *file, char *const args[], char *const envp[],
+		    time_t (*func)(void *), void *ptr, time_t timeout)
 {
     pid_t pid = fork();
     switch(pid){
@@ -196,11 +267,17 @@ simple_execve(const char *file, char *const args[], char *const envp[])
 	execve(file, args, envp);
 	exit((errno == ENOENT) ? EX_NOTFOUND : EX_NOEXEC);
     default: 
-	return wait_for_process(pid);
+	return wait_for_process_timed(pid, func, ptr, timeout);
     }
 }
 
-int
+int ROKEN_LIB_FUNCTION
+simple_execve(const char *file, char *const args[], char *const envp[])
+{
+    return simple_execve_timed(file, args, envp, NULL, NULL, 0);
+}
+
+int ROKEN_LIB_FUNCTION
 simple_execlp(const char *file, ...)
 {
     va_list ap;
@@ -217,7 +294,7 @@ simple_execlp(const char *file, ...)
     return ret;
 }
 
-int
+int ROKEN_LIB_FUNCTION
 simple_execle(const char *file, ... /* ,char *const envp[] */)
 {
     va_list ap;
@@ -236,7 +313,7 @@ simple_execle(const char *file, ... /* ,char *const envp[] */)
     return ret;
 }
 
-int
+int ROKEN_LIB_FUNCTION
 simple_execl(const char *file, ...) 
 {
     va_list ap;
diff --git a/crypto/heimdal/lib/roken/snprintf-test.c b/crypto/heimdal/lib/roken/snprintf-test.c
index 6904ba6..047d54b 100644
--- a/crypto/heimdal/lib/roken/snprintf-test.c
+++ b/crypto/heimdal/lib/roken/snprintf-test.c
@@ -33,12 +33,11 @@
 #ifdef HAVE_CONFIG_H
 #include <config.h>
 #endif
+#include "snprintf-test.h"
 #include "roken.h"
 #include <limits.h>
 
-#include "snprintf-test.h"
-
-RCSID("$Id: snprintf-test.c,v 1.5 2001/09/13 01:01:16 assar Exp $");
+RCSID("$Id: snprintf-test.c 21627 2007-07-17 10:53:17Z lha $");
 
 static int
 try (const char *format, ...)
@@ -51,6 +50,8 @@ try (const char *format, ...)
     ret = vsnprintf (buf1, sizeof(buf1), format, ap);
     if (ret >= sizeof(buf1))
 	errx (1, "increase buf and try again");
+    va_end (ap);
+    va_start (ap, format);
     vsprintf (buf2, format, ap);
     ret = strcmp (buf1, buf2);
     if (ret)
@@ -128,6 +129,9 @@ cmp_with_sprintf_long (void)
 
 #ifdef HAVE_LONG_LONG
 
+/* XXX doesn't work as expected on lp64 platforms with sizeof(long
+ * long) == sizeof(long) */
+
 static int
 cmp_with_sprintf_long_long (void)
 {
@@ -223,6 +227,32 @@ test_null (void)
     return snprintf (NULL, 0, "foo") != 3;
 }
 
+static int
+test_sizet (void)
+{
+    int tot = 0;
+    size_t sizet_values[] = { 0, 1, 2, 200, 4294967295u }; /* SIZE_MAX */
+    char *result[] = { "0", "1", "2", "200", "4294967295" };
+    int i;
+
+    for (i = 0; i < sizeof(sizet_values) / sizeof(sizet_values[0]); ++i) {
+#if 0
+	tot += try("%zu", sizet_values[i]);
+	tot += try("%zx", sizet_values[i]);
+	tot += try("%zX", sizet_values[i]);
+#else
+	char buf[256];
+	snprintf(buf, sizeof(buf), "%zu", sizet_values[i]);
+	if (strcmp(buf, result[i]) != 0) {
+	    printf("%s != %s", buf, result[i]);
+	    tot++;
+	}
+#endif
+    }
+    return tot;
+}
+
+
 int
 main (int argc, char **argv)
 {
@@ -234,5 +264,6 @@ main (int argc, char **argv)
     ret += cmp_with_sprintf_long_long ();
 #endif
     ret += test_null ();
+    ret += test_sizet ();
     return ret;
 }
diff --git a/crypto/heimdal/lib/roken/snprintf-test.h b/crypto/heimdal/lib/roken/snprintf-test.h
index 5eb591b..d672873 100644
--- a/crypto/heimdal/lib/roken/snprintf-test.h
+++ b/crypto/heimdal/lib/roken/snprintf-test.h
@@ -31,7 +31,7 @@
  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-/* $Id: snprintf-test.h,v 1.2 2001/07/19 18:39:14 assar Exp $ */
+/* $Id: snprintf-test.h 10377 2001-07-19 18:39:14Z assar $ */
 
 #ifndef __SNPRINTF_TEST_H__
 #define __SNPRINTF_TEST_H__
diff --git a/crypto/heimdal/lib/roken/snprintf.c b/crypto/heimdal/lib/roken/snprintf.c
index 5e4b85e9..6b3352f 100644
--- a/crypto/heimdal/lib/roken/snprintf.c
+++ b/crypto/heimdal/lib/roken/snprintf.c
@@ -33,14 +33,18 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: snprintf.c,v 1.35 2003/03/26 10:05:48 joda Exp $");
+RCSID("$Id: snprintf.c 21005 2007-06-08 01:54:35Z lha $");
 #endif
+#if defined(TEST_SNPRINTF)
+#include "snprintf-test.h"
+#endif /* TEST_SNPRINTF */
 #include <stdio.h>
 #include <stdarg.h>
 #include <stdlib.h>
 #include <string.h>
 #include <ctype.h>
-#include <roken.h>
+#include "roken.h"
+#include <assert.h>
 
 enum format_flags {
     minus_flag     =  1,
@@ -55,62 +59,58 @@ enum format_flags {
  */
 
 struct snprintf_state {
-  unsigned char *str;
-  unsigned char *s;
-  unsigned char *theend;
-  size_t sz;
-  size_t max_sz;
-  void (*append_char)(struct snprintf_state *, unsigned char);
-  /* XXX - methods */
+    unsigned char *str;
+    unsigned char *s;
+    unsigned char *theend;
+    size_t sz;
+    size_t max_sz;
+    void (*append_char)(struct snprintf_state *, unsigned char);
+    /* XXX - methods */
 };
 
-#if TEST_SNPRINTF
-#include "snprintf-test.h"
-#endif /* TEST_SNPRINTF */
-
 #if !defined(HAVE_VSNPRINTF) || defined(TEST_SNPRINTF)
 static int
 sn_reserve (struct snprintf_state *state, size_t n)
 {
-  return state->s + n > state->theend;
+    return state->s + n > state->theend;
 }
 
 static void
 sn_append_char (struct snprintf_state *state, unsigned char c)
 {
-  if (!sn_reserve (state, 1))
-    *state->s++ = c;
+    if (!sn_reserve (state, 1))
+	*state->s++ = c;
 }
 #endif
 
 static int
 as_reserve (struct snprintf_state *state, size_t n)
 {
-  if (state->s + n > state->theend) {
-    int off = state->s - state->str;
-    unsigned char *tmp;
-
-    if (state->max_sz && state->sz >= state->max_sz)
-      return 1;
-
-    state->sz = max(state->sz * 2, state->sz + n);
-    if (state->max_sz)
-      state->sz = min(state->sz, state->max_sz);
-    tmp = realloc (state->str, state->sz);
-    if (tmp == NULL)
-      return 1;
-    state->str = tmp;
-    state->s = state->str + off;
-    state->theend = state->str + state->sz - 1;
-  }
-  return 0;
+    if (state->s + n > state->theend) {
+	int off = state->s - state->str;
+	unsigned char *tmp;
+
+	if (state->max_sz && state->sz >= state->max_sz)
+	    return 1;
+
+	state->sz = max(state->sz * 2, state->sz + n);
+	if (state->max_sz)
+	    state->sz = min(state->sz, state->max_sz);
+	tmp = realloc (state->str, state->sz);
+	if (tmp == NULL)
+	    return 1;
+	state->str = tmp;
+	state->s = state->str + off;
+	state->theend = state->str + state->sz - 1;
+    }
+    return 0;
 }
 
 static void
 as_append_char (struct snprintf_state *state, unsigned char c)
 {
-  if(!as_reserve (state, 1))
-    *state->s++ = c;
+    if(!as_reserve (state, 1))
+	*state->s++ = c;
 }
 
 /* longest integer types */
@@ -123,14 +123,24 @@ typedef unsigned long u_longest;
 typedef long longest;
 #endif
 
-/*
- * is # supposed to do anything?
- */
 
+
+static int
+pad(struct snprintf_state *state, int width, char c)
+{
+    int len = 0;
+    while(width-- > 0){
+	(*state->append_char)(state,  c);
+	++len;
+    }
+    return len;
+}
+
+/* return true if we should use alternatve hex form */
 static int
 use_alternative (int flags, u_longest num, unsigned base)
 {
-  return flags & alternate_flag && (base == 16 || base == 8) && num != 0;
+    return (flags & alternate_flag) && base == 16 && num != 0;
 }
 
 static int
@@ -138,79 +148,110 @@ append_number(struct snprintf_state *state,
 	      u_longest num, unsigned base, const char *rep,
 	      int width, int prec, int flags, int minusp)
 {
-  int len = 0;
-  int i;
-  u_longest n = num;
-
-  /* given precision, ignore zero flag */
-  if(prec != -1)
-    flags &= ~zero_flag;
-  else
-    prec = 1;
-  /* zero value with zero precision -> "" */
-  if(prec == 0 && n == 0)
-    return 0;
-  do{
-    (*state->append_char)(state, rep[n % base]);
-    ++len;
-    n /= base;
-  } while(n);
-  prec -= len;
-  /* pad with prec zeros */
-  while(prec-- > 0){
-    (*state->append_char)(state, '0');
-    ++len;
-  }
-  /* add length of alternate prefix (added later) to len */
-  if(use_alternative(flags, num, base))
-    len += base / 8;
-  /* pad with zeros */
-  if(flags & zero_flag){
-    width -= len;
-    if(minusp || (flags & space_flag) || (flags & plus_flag))
-      width--;
-    while(width-- > 0){
-      (*state->append_char)(state, '0');
-      len++;
+    int len = 0;
+    u_longest n = num;
+    char nstr[64]; /* enough for <192 bit octal integers */
+    int nstart, nlen;
+    char signchar;
+
+    /* given precision, ignore zero flag */
+    if(prec != -1)
+	flags &= ~zero_flag;
+    else
+	prec = 1;
+
+    /* format number as string */
+    nstart = sizeof(nstr);
+    nlen = 0;
+    nstr[--nstart] = '\0';
+    do {
+	assert(nstart > 0);
+	nstr[--nstart] = rep[n % base];
+	++nlen;
+	n /= base;
+    } while(n);
+
+    /* zero value with zero precision should produce no digits */
+    if(prec == 0 && num == 0) {
+	nlen--;
+	nstart++;
     }
-  }
-  /* add alternate prefix */
-  if(use_alternative(flags, num, base)){
-    if(base == 16)
-      (*state->append_char)(state, rep[10] + 23); /* XXX */
-    (*state->append_char)(state, '0');
-  }
-  /* add sign */
-  if(minusp){
-    (*state->append_char)(state, '-');
-    ++len;
-  } else if(flags & plus_flag) {
-    (*state->append_char)(state, '+');
-    ++len;
-  } else if(flags & space_flag) {
-    (*state->append_char)(state, ' ');
-    ++len;
-  }
-  if(flags & minus_flag)
-    /* swap before padding with spaces */
-    for(i = 0; i < len / 2; i++){
-      char c = state->s[-i-1];
-      state->s[-i-1] = state->s[-len+i];
-      state->s[-len+i] = c;
+
+    /* figure out what char to use for sign */
+    if(minusp)
+	signchar = '-';
+    else if((flags & plus_flag))
+	signchar = '+';
+    else if((flags & space_flag))
+	signchar = ' ';
+    else
+	signchar = '\0';
+    
+    if((flags & alternate_flag) && base == 8) {
+	/* if necessary, increase the precision to 
+	   make first digit a zero */
+
+	/* XXX C99 claims (regarding # and %o) that "if the value and
+           precision are both 0, a single 0 is printed", but there is
+           no such wording for %x. This would mean that %#.o would
+           output "0", but %#.x "". This does not make sense, and is
+           also not what other printf implementations are doing. */
+	
+	if(prec <= nlen && nstr[nstart] != '0' && nstr[nstart] != '\0')
+	    prec = nlen + 1;
     }
-  width -= len;
-  while(width-- > 0){
-    (*state->append_char)(state,  ' ');
-    ++len;
-  }
-  if(!(flags & minus_flag))
-    /* swap after padding with spaces */
-    for(i = 0; i < len / 2; i++){
-      char c = state->s[-i-1];
-      state->s[-i-1] = state->s[-len+i];
-      state->s[-len+i] = c;
+
+    /* possible formats:
+       pad | sign | alt | zero | digits
+       sign | alt | zero | digits | pad   minus_flag
+       sign | alt | zero | digits zero_flag */
+
+    /* if not right justifying or padding with zeros, we need to
+       compute the length of the rest of the string, and then pad with
+       spaces */
+    if(!(flags & (minus_flag | zero_flag))) {
+	if(prec > nlen)
+	    width -= prec;
+	else
+	    width -= nlen;
+	
+	if(use_alternative(flags, num, base))
+	    width -= 2;
+	
+	if(signchar != '\0')
+	    width--;
+	
+	/* pad to width */
+	len += pad(state, width, ' ');
+    }
+    if(signchar != '\0') {
+	(*state->append_char)(state, signchar);
+	++len;
+    }
+    if(use_alternative(flags, num, base)) {
+	(*state->append_char)(state, '0');
+	(*state->append_char)(state, rep[10] + 23); /* XXX */
+	len += 2;
     }
-  return len;
+    if(flags & zero_flag) {
+	/* pad to width with zeros */
+	if(prec - nlen > width - len - nlen)
+	    len += pad(state, prec - nlen, '0');
+	else
+	    len += pad(state, width - len - nlen, '0');
+    } else
+	/* pad to prec with zeros */
+	len += pad(state, prec - nlen, '0');
+	
+    while(nstr[nstart] != '\0') {
+	(*state->append_char)(state, nstr[nstart++]);
+	++len;
+    }
+	
+    if(flags & minus_flag)
+	len += pad(state, width - len, ' ');
+
+    return len;
 }
 
 /*
@@ -234,10 +275,8 @@ append_string (struct snprintf_state *state,
     else
 	width -= strlen((const char *)arg);
     if(!(flags & minus_flag))
-	while(width-- > 0) {
-	    (*state->append_char) (state, ' ');
-	    ++len;
-	}
+	len += pad(state, width, ' ');
+
     if (prec != -1) {
 	while (*arg && prec--) {
 	    (*state->append_char) (state, *arg++);
@@ -250,10 +289,7 @@ append_string (struct snprintf_state *state,
 	}
     }
     if(flags & minus_flag)
-	while(width-- > 0) {
-	    (*state->append_char) (state, ' ');
-	    ++len;
-	}
+	len += pad(state, width, ' ');
     return len;
 }
 
@@ -263,19 +299,19 @@ append_char(struct snprintf_state *state,
 	    int width,
 	    int flags)
 {
-  int len = 0;
+    int len = 0;
 
-  while(!(flags & minus_flag) && --width > 0) {
-    (*state->append_char) (state, ' ')    ;
-    ++len;
-  }
-  (*state->append_char) (state, arg);
-  ++len;
-  while((flags & minus_flag) && --width > 0) {
-    (*state->append_char) (state, ' ');
+    while(!(flags & minus_flag) && --width > 0) {
+	(*state->append_char) (state, ' ')    ;
+	++len;
+    }
+    (*state->append_char) (state, arg);
     ++len;
-  }
-  return 0;
+    while((flags & minus_flag) && --width > 0) {
+	(*state->append_char) (state, ' ');
+	++len;
+    }
+    return 0;
 }
 
 /*
@@ -289,6 +325,8 @@ if (long_long_flag) \
      res = (unsig long long)va_arg(arg, unsig long long); \
 else if (long_flag) \
      res = (unsig long)va_arg(arg, unsig long); \
+else if (size_t_flag) \
+     res = (unsig long)va_arg(arg, size_t); \
 else if (short_flag) \
      res = (unsig short)va_arg(arg, unsig int); \
 else \
@@ -299,6 +337,8 @@ else \
 #define PARSE_INT_FORMAT(res, arg, unsig) \
 if (long_flag) \
      res = (unsig long)va_arg(arg, unsig long); \
+else if (size_t_flag) \
+     res = (unsig long)va_arg(arg, size_t); \
 else if (short_flag) \
      res = (unsig short)va_arg(arg, unsig int); \
 else \
@@ -313,343 +353,350 @@ else \
 static int
 xyzprintf (struct snprintf_state *state, const char *char_format, va_list ap)
 {
-  const unsigned char *format = (const unsigned char *)char_format;
-  unsigned char c;
-  int len = 0;
-
-  while((c = *format++)) {
-    if (c == '%') {
-      int flags          = 0;
-      int width          = 0;
-      int prec           = -1;
-      int long_long_flag = 0;
-      int long_flag      = 0;
-      int short_flag     = 0;
-
-      /* flags */
-      while((c = *format++)){
-	if(c == '-')
-	  flags |= minus_flag;
-	else if(c == '+')
-	  flags |= plus_flag;
-	else if(c == ' ')
-	  flags |= space_flag;
-	else if(c == '#')
-	  flags |= alternate_flag;
-	else if(c == '0')
-	  flags |= zero_flag;
-	else if(c == '\'')
-	    ; /* just ignore */
-	else
-	  break;
-      }
+    const unsigned char *format = (const unsigned char *)char_format;
+    unsigned char c;
+    int len = 0;
+
+    while((c = *format++)) {
+	if (c == '%') {
+	    int flags          = 0;
+	    int width          = 0;
+	    int prec           = -1;
+	    int size_t_flag    = 0;
+	    int long_long_flag = 0;
+	    int long_flag      = 0;
+	    int short_flag     = 0;
+
+	    /* flags */
+	    while((c = *format++)){
+		if(c == '-')
+		    flags |= minus_flag;
+		else if(c == '+')
+		    flags |= plus_flag;
+		else if(c == ' ')
+		    flags |= space_flag;
+		else if(c == '#')
+		    flags |= alternate_flag;
+		else if(c == '0')
+		    flags |= zero_flag;
+		else if(c == '\'')
+		    ; /* just ignore */
+		else
+		    break;
+	    }
       
-      if((flags & space_flag) && (flags & plus_flag))
-	flags ^= space_flag;
-
-      if((flags & minus_flag) && (flags & zero_flag))
-	flags ^= zero_flag;
-
-      /* width */
-      if (isdigit(c))
-	do {
-	  width = width * 10 + c - '0';
-	  c = *format++;
-	} while(isdigit(c));
-      else if(c == '*') {
-	width = va_arg(ap, int);
-	c = *format++;
-      }
-
-      /* precision */
-      if (c == '.') {
-	prec = 0;
-	c = *format++;
-	if (isdigit(c))
-	  do {
-	    prec = prec * 10 + c - '0';
-	    c = *format++;
-	  } while(isdigit(c));
-	else if (c == '*') {
-	  prec = va_arg(ap, int);
-	  c = *format++;
-	}
-      }
-
-      /* size */
-
-      if (c == 'h') {
-	short_flag = 1;
-	c = *format++;
-      } else if (c == 'l') {
-	long_flag = 1;
-	c = *format++;
-	if (c == 'l') {
-	    long_long_flag = 1;
-	    c = *format++;
+	    if((flags & space_flag) && (flags & plus_flag))
+		flags ^= space_flag;
+
+	    if((flags & minus_flag) && (flags & zero_flag))
+		flags ^= zero_flag;
+
+	    /* width */
+	    if (isdigit(c))
+		do {
+		    width = width * 10 + c - '0';
+		    c = *format++;
+		} while(isdigit(c));
+	    else if(c == '*') {
+		width = va_arg(ap, int);
+		c = *format++;
+	    }
+
+	    /* precision */
+	    if (c == '.') {
+		prec = 0;
+		c = *format++;
+		if (isdigit(c))
+		    do {
+			prec = prec * 10 + c - '0';
+			c = *format++;
+		    } while(isdigit(c));
+		else if (c == '*') {
+		    prec = va_arg(ap, int);
+		    c = *format++;
+		}
+	    }
+
+	    /* size */
+
+	    if (c == 'h') {
+		short_flag = 1;
+		c = *format++;
+	    } else if (c == 'z') {
+		size_t_flag = 1;
+		c = *format++;
+	    } else if (c == 'l') {
+		long_flag = 1;
+		c = *format++;
+		if (c == 'l') {
+		    long_long_flag = 1;
+		    c = *format++;
+		}
+	    }
+
+	    if(c != 'd' && c != 'i')
+		flags &= ~(plus_flag | space_flag);
+
+	    switch (c) {
+	    case 'c' :
+		append_char(state, va_arg(ap, int), width, flags);
+		++len;
+		break;
+	    case 's' :
+		len += append_string(state,
+				     va_arg(ap, unsigned char*),
+				     width,
+				     prec, 
+				     flags);
+		break;
+	    case 'd' :
+	    case 'i' : {
+		longest arg;
+		u_longest num;
+		int minusp = 0;
+
+		PARSE_INT_FORMAT(arg, ap, signed);
+
+		if (arg < 0) {
+		    minusp = 1;
+		    num = -arg;
+		} else
+		    num = arg;
+
+		len += append_number (state, num, 10, "0123456789",
+				      width, prec, flags, minusp);
+		break;
+	    }
+	    case 'u' : {
+		u_longest arg;
+
+		PARSE_INT_FORMAT(arg, ap, unsigned);
+
+		len += append_number (state, arg, 10, "0123456789",
+				      width, prec, flags, 0);
+		break;
+	    }
+	    case 'o' : {
+		u_longest arg;
+
+		PARSE_INT_FORMAT(arg, ap, unsigned);
+
+		len += append_number (state, arg, 010, "01234567",
+				      width, prec, flags, 0);
+		break;
+	    }
+	    case 'x' : {
+		u_longest arg;
+
+		PARSE_INT_FORMAT(arg, ap, unsigned);
+
+		len += append_number (state, arg, 0x10, "0123456789abcdef",
+				      width, prec, flags, 0);
+		break;
+	    }
+	    case 'X' :{
+		u_longest arg;
+
+		PARSE_INT_FORMAT(arg, ap, unsigned);
+
+		len += append_number (state, arg, 0x10, "0123456789ABCDEF",
+				      width, prec, flags, 0);
+		break;
+	    }
+	    case 'p' : {
+		unsigned long arg = (unsigned long)va_arg(ap, void*);
+
+		len += append_number (state, arg, 0x10, "0123456789ABCDEF",
+				      width, prec, flags, 0);
+		break;
+	    }
+	    case 'n' : {
+		int *arg = va_arg(ap, int*);
+		*arg = state->s - state->str;
+		break;
+	    }
+	    case '\0' :
+		--format;
+		/* FALLTHROUGH */
+	    case '%' :
+		(*state->append_char)(state, c);
+		++len;
+		break;
+	    default :
+		(*state->append_char)(state, '%');
+		(*state->append_char)(state, c);
+		len += 2;
+		break;
+	    }
+	} else {
+	    (*state->append_char) (state, c);
+	    ++len;
 	}
-      }
-
-      switch (c) {
-      case 'c' :
-	append_char(state, va_arg(ap, int), width, flags);
-	++len;
-	break;
-      case 's' :
-	len += append_string(state,
-			     va_arg(ap, unsigned char*),
-			     width,
-			     prec, 
-			     flags);
-	break;
-      case 'd' :
-      case 'i' : {
-	longest arg;
-	u_longest num;
-	int minusp = 0;
-
-	PARSE_INT_FORMAT(arg, ap, signed);
-
-	if (arg < 0) {
-	  minusp = 1;
-	  num = -arg;
-	} else
-	  num = arg;
-
-	len += append_number (state, num, 10, "0123456789",
-			      width, prec, flags, minusp);
-	break;
-      }
-      case 'u' : {
-	u_longest arg;
-
-	PARSE_INT_FORMAT(arg, ap, unsigned);
-
-	len += append_number (state, arg, 10, "0123456789",
-			      width, prec, flags, 0);
-	break;
-      }
-      case 'o' : {
-	u_longest arg;
-
-	PARSE_INT_FORMAT(arg, ap, unsigned);
-
-	len += append_number (state, arg, 010, "01234567",
-			      width, prec, flags, 0);
-	break;
-      }
-      case 'x' : {
-	u_longest arg;
-
-	PARSE_INT_FORMAT(arg, ap, unsigned);
-
-	len += append_number (state, arg, 0x10, "0123456789abcdef",
-			      width, prec, flags, 0);
-	break;
-      }
-      case 'X' :{
-	u_longest arg;
-
-	PARSE_INT_FORMAT(arg, ap, unsigned);
-
-	len += append_number (state, arg, 0x10, "0123456789ABCDEF",
-			      width, prec, flags, 0);
-	break;
-      }
-      case 'p' : {
-	unsigned long arg = (unsigned long)va_arg(ap, void*);
-
-	len += append_number (state, arg, 0x10, "0123456789ABCDEF",
-			      width, prec, flags, 0);
-	break;
-      }
-      case 'n' : {
-	int *arg = va_arg(ap, int*);
-	*arg = state->s - state->str;
-	break;
-      }
-      case '\0' :
-	  --format;
-	  /* FALLTHROUGH */
-      case '%' :
-	(*state->append_char)(state, c);
-	++len;
-	break;
-      default :
-	(*state->append_char)(state, '%');
-	(*state->append_char)(state, c);
-	len += 2;
-	break;
-      }
-    } else {
-      (*state->append_char) (state, c);
-      ++len;
     }
-  }
-  return len;
+    return len;
 }
 
 #if !defined(HAVE_SNPRINTF) || defined(TEST_SNPRINTF)
-int
+int ROKEN_LIB_FUNCTION
 snprintf (char *str, size_t sz, const char *format, ...)
 {
-  va_list args;
-  int ret;
-
-  va_start(args, format);
-  ret = vsnprintf (str, sz, format, args);
-  va_end(args);
-
-#ifdef PARANOIA
-  {
-    int ret2;
-    char *tmp;
-
-    tmp = malloc (sz);
-    if (tmp == NULL)
-      abort ();
+    va_list args;
+    int ret;
 
     va_start(args, format);
-    ret2 = vsprintf (tmp, format, args);
+    ret = vsnprintf (str, sz, format, args);
     va_end(args);
-    if (ret != ret2 || strcmp(str, tmp))
-      abort ();
-    free (tmp);
-  }
+
+#ifdef PARANOIA
+    {
+	int ret2;
+	char *tmp;
+
+	tmp = malloc (sz);
+	if (tmp == NULL)
+	    abort ();
+
+	va_start(args, format);
+	ret2 = vsprintf (tmp, format, args);
+	va_end(args);
+	if (ret != ret2 || strcmp(str, tmp))
+	    abort ();
+	free (tmp);
+    }
 #endif
 
-  return ret;
+    return ret;
 }
 #endif
 
 #if !defined(HAVE_ASPRINTF) || defined(TEST_SNPRINTF)
-int
+int ROKEN_LIB_FUNCTION
 asprintf (char **ret, const char *format, ...)
 {
-  va_list args;
-  int val;
-
-  va_start(args, format);
-  val = vasprintf (ret, format, args);
-  va_end(args);
-
-#ifdef PARANOIA
-  {
-    int ret2;
-    char *tmp;
-    tmp = malloc (val + 1);
-    if (tmp == NULL)
-      abort ();
+    va_list args;
+    int val;
 
     va_start(args, format);
-    ret2 = vsprintf (tmp, format, args);
+    val = vasprintf (ret, format, args);
     va_end(args);
-    if (val != ret2 || strcmp(*ret, tmp))
-      abort ();
-    free (tmp);
-  }
+
+#ifdef PARANOIA
+    {
+	int ret2;
+	char *tmp;
+	tmp = malloc (val + 1);
+	if (tmp == NULL)
+	    abort ();
+
+	va_start(args, format);
+	ret2 = vsprintf (tmp, format, args);
+	va_end(args);
+	if (val != ret2 || strcmp(*ret, tmp))
+	    abort ();
+	free (tmp);
+    }
 #endif
 
-  return val;
+    return val;
 }
 #endif
 
 #if !defined(HAVE_ASNPRINTF) || defined(TEST_SNPRINTF)
-int
+int ROKEN_LIB_FUNCTION
 asnprintf (char **ret, size_t max_sz, const char *format, ...)
 {
-  va_list args;
-  int val;
+    va_list args;
+    int val;
 
-  va_start(args, format);
-  val = vasnprintf (ret, max_sz, format, args);
+    va_start(args, format);
+    val = vasnprintf (ret, max_sz, format, args);
 
 #ifdef PARANOIA
-  {
-    int ret2;
-    char *tmp;
-    tmp = malloc (val + 1);
-    if (tmp == NULL)
-      abort ();
-
-    ret2 = vsprintf (tmp, format, args);
-    if (val != ret2 || strcmp(*ret, tmp))
-      abort ();
-    free (tmp);
-  }
+    {
+	int ret2;
+	char *tmp;
+	tmp = malloc (val + 1);
+	if (tmp == NULL)
+	    abort ();
+
+	ret2 = vsprintf (tmp, format, args);
+	if (val != ret2 || strcmp(*ret, tmp))
+	    abort ();
+	free (tmp);
+    }
 #endif
 
-  va_end(args);
-  return val;
+    va_end(args);
+    return val;
 }
 #endif
 
 #if !defined(HAVE_VASPRINTF) || defined(TEST_SNPRINTF)
-int
+int ROKEN_LIB_FUNCTION
 vasprintf (char **ret, const char *format, va_list args)
 {
-  return vasnprintf (ret, 0, format, args);
+    return vasnprintf (ret, 0, format, args);
 }
 #endif
 
 
 #if !defined(HAVE_VASNPRINTF) || defined(TEST_SNPRINTF)
-int
+int ROKEN_LIB_FUNCTION
 vasnprintf (char **ret, size_t max_sz, const char *format, va_list args)
 {
-  int st;
-  struct snprintf_state state;
-
-  state.max_sz = max_sz;
-  state.sz     = 1;
-  state.str    = malloc(state.sz);
-  if (state.str == NULL) {
-    *ret = NULL;
-    return -1;
-  }
-  state.s = state.str;
-  state.theend = state.s + state.sz - 1;
-  state.append_char = as_append_char;
-
-  st = xyzprintf (&state, format, args);
-  if (st > state.sz) {
-    free (state.str);
-    *ret = NULL;
-    return -1;
-  } else {
-    char *tmp;
-
-    *state.s = '\0';
-    tmp = realloc (state.str, st+1);
-    if (tmp == NULL) {
-      free (state.str);
-      *ret = NULL;
-      return -1;
+    int st;
+    struct snprintf_state state;
+
+    state.max_sz = max_sz;
+    state.sz     = 1;
+    state.str    = malloc(state.sz);
+    if (state.str == NULL) {
+	*ret = NULL;
+	return -1;
+    }
+    state.s = state.str;
+    state.theend = state.s + state.sz - 1;
+    state.append_char = as_append_char;
+
+    st = xyzprintf (&state, format, args);
+    if (st > state.sz) {
+	free (state.str);
+	*ret = NULL;
+	return -1;
+    } else {
+	char *tmp;
+
+	*state.s = '\0';
+	tmp = realloc (state.str, st+1);
+	if (tmp == NULL) {
+	    free (state.str);
+	    *ret = NULL;
+	    return -1;
+	}
+	*ret = tmp;
+	return st;
     }
-    *ret = tmp;
-    return st;
-  }
 }
 #endif
 
 #if !defined(HAVE_VSNPRINTF) || defined(TEST_SNPRINTF)
-int
+int ROKEN_LIB_FUNCTION
 vsnprintf (char *str, size_t sz, const char *format, va_list args)
 {
-  struct snprintf_state state;
-  int ret;
-  unsigned char *ustr = (unsigned char *)str;
-
-  state.max_sz = 0;
-  state.sz     = sz;
-  state.str    = ustr;
-  state.s      = ustr;
-  state.theend = ustr + sz - (sz > 0);
-  state.append_char = sn_append_char;
-
-  ret = xyzprintf (&state, format, args);
-  if (state.s != NULL)
-    *state.s = '\0';
-  return ret;
+    struct snprintf_state state;
+    int ret;
+    unsigned char *ustr = (unsigned char *)str;
+
+    state.max_sz = 0;
+    state.sz     = sz;
+    state.str    = ustr;
+    state.s      = ustr;
+    state.theend = ustr + sz - (sz > 0);
+    state.append_char = sn_append_char;
+
+    ret = xyzprintf (&state, format, args);
+    if (state.s != NULL && sz != 0)
+	*state.s = '\0';
+    return ret;
 }
 #endif
diff --git a/crypto/heimdal/lib/roken/socket.c b/crypto/heimdal/lib/roken/socket.c
index bd67013..a82dd01 100644
--- a/crypto/heimdal/lib/roken/socket.c
+++ b/crypto/heimdal/lib/roken/socket.c
@@ -33,27 +33,27 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: socket.c,v 1.8 2003/04/15 03:26:51 lha Exp $");
+RCSID("$Id: socket.c 21005 2007-06-08 01:54:35Z lha $");
 #endif
 
-#include <roken.h>
+#include "roken.h"
 #include <err.h>
 
 /*
  * Set `sa' to the unitialized address of address family `af'
  */
 
-void
+void ROKEN_LIB_FUNCTION
 socket_set_any (struct sockaddr *sa, int af)
 {
     switch (af) {
     case AF_INET : {
-	struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+	struct sockaddr_in *sin4 = (struct sockaddr_in *)sa;
 
-	memset (sin, 0, sizeof(*sin));
-	sin->sin_family = AF_INET;
-	sin->sin_port   = 0;
-	sin->sin_addr.s_addr = INADDR_ANY;
+	memset (sin4, 0, sizeof(*sin4));
+	sin4->sin_family = AF_INET;
+	sin4->sin_port   = 0;
+	sin4->sin_addr.s_addr = INADDR_ANY;
 	break;
     }
 #ifdef HAVE_IPV6
@@ -77,17 +77,17 @@ socket_set_any (struct sockaddr *sa, int af)
  * set `sa' to (`ptr', `port')
  */
 
-void
+void ROKEN_LIB_FUNCTION
 socket_set_address_and_port (struct sockaddr *sa, const void *ptr, int port)
 {
     switch (sa->sa_family) {
     case AF_INET : {
-	struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+	struct sockaddr_in *sin4 = (struct sockaddr_in *)sa;
 
-	memset (sin, 0, sizeof(*sin));
-	sin->sin_family = AF_INET;
-	sin->sin_port   = port;
-	memcpy (&sin->sin_addr, ptr, sizeof(struct in_addr));
+	memset (sin4, 0, sizeof(*sin4));
+	sin4->sin_family = AF_INET;
+	sin4->sin_port   = port;
+	memcpy (&sin4->sin_addr, ptr, sizeof(struct in_addr));
 	break;
     }
 #ifdef HAVE_IPV6
@@ -111,7 +111,7 @@ socket_set_address_and_port (struct sockaddr *sa, const void *ptr, int port)
  * Return the size of an address of the type in `sa'
  */
 
-size_t
+size_t ROKEN_LIB_FUNCTION
 socket_addr_size (const struct sockaddr *sa)
 {
     switch (sa->sa_family) {
@@ -131,7 +131,7 @@ socket_addr_size (const struct sockaddr *sa)
  * Return the size of a `struct sockaddr' in `sa'.
  */
 
-size_t
+size_t ROKEN_LIB_FUNCTION
 socket_sockaddr_size (const struct sockaddr *sa)
 {
     switch (sa->sa_family) {
@@ -151,13 +151,13 @@ socket_sockaddr_size (const struct sockaddr *sa)
  * Return the binary address of `sa'.
  */
 
-void *
+void * ROKEN_LIB_FUNCTION
 socket_get_address (struct sockaddr *sa)
 {
     switch (sa->sa_family) {
     case AF_INET : {
-	struct sockaddr_in *sin = (struct sockaddr_in *)sa;
-	return &sin->sin_addr;
+	struct sockaddr_in *sin4 = (struct sockaddr_in *)sa;
+	return &sin4->sin_addr;
     }
 #ifdef HAVE_IPV6
     case AF_INET6 : {
@@ -175,13 +175,13 @@ socket_get_address (struct sockaddr *sa)
  * Return the port number from `sa'.
  */
 
-int
+int ROKEN_LIB_FUNCTION
 socket_get_port (const struct sockaddr *sa)
 {
     switch (sa->sa_family) {
     case AF_INET : {
-	const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
-	return sin->sin_port;
+	const struct sockaddr_in *sin4 = (const struct sockaddr_in *)sa;
+	return sin4->sin_port;
     }
 #ifdef HAVE_IPV6
     case AF_INET6 : {
@@ -199,13 +199,13 @@ socket_get_port (const struct sockaddr *sa)
  * Set the port in `sa' to `port'.
  */
 
-void
+void ROKEN_LIB_FUNCTION
 socket_set_port (struct sockaddr *sa, int port)
 {
     switch (sa->sa_family) {
     case AF_INET : {
-	struct sockaddr_in *sin = (struct sockaddr_in *)sa;
-	sin->sin_port = port;
+	struct sockaddr_in *sin4 = (struct sockaddr_in *)sa;
+	sin4->sin_port = port;
 	break;
     }
 #ifdef HAVE_IPV6
@@ -224,7 +224,7 @@ socket_set_port (struct sockaddr *sa, int port)
 /*
  * Set the range of ports to use when binding with port = 0.
  */
-void
+void ROKEN_LIB_FUNCTION
 socket_set_portrange (int sock, int restr, int af)
 {
 #if defined(IP_PORTRANGE)
@@ -250,7 +250,7 @@ socket_set_portrange (int sock, int restr, int af)
  * Enable debug on `sock'.
  */
 
-void
+void ROKEN_LIB_FUNCTION
 socket_set_debug (int sock)
 {
 #if defined(SO_DEBUG) && defined(HAVE_SETSOCKOPT)
@@ -265,7 +265,7 @@ socket_set_debug (int sock)
  * Set the type-of-service of `sock' to `tos'.
  */
 
-void
+void ROKEN_LIB_FUNCTION
 socket_set_tos (int sock, int tos)
 {
 #if defined(IP_TOS) && defined(HAVE_SETSOCKOPT)
@@ -279,7 +279,7 @@ socket_set_tos (int sock, int tos)
  * set the reuse of addresses on `sock' to `val'.
  */
 
-void
+void ROKEN_LIB_FUNCTION
 socket_set_reuseaddr (int sock, int val)
 {
 #if defined(SO_REUSEADDR) && defined(HAVE_SETSOCKOPT)
@@ -288,3 +288,15 @@ socket_set_reuseaddr (int sock, int val)
 	err (1, "setsockopt SO_REUSEADDR");
 #endif
 }
+
+/*
+ * Set the that the `sock' should bind to only IPv6 addresses.
+ */
+
+void ROKEN_LIB_FUNCTION
+socket_set_ipv6only (int sock, int val)
+{
+#if defined(IPV6_V6ONLY) && defined(HAVE_SETSOCKOPT)
+    setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, (void *)&val, sizeof(val));
+#endif
+}
diff --git a/crypto/heimdal/lib/roken/socket_wrapper.c b/crypto/heimdal/lib/roken/socket_wrapper.c
new file mode 100644
index 0000000..9e6bfdd
--- /dev/null
+++ b/crypto/heimdal/lib/roken/socket_wrapper.c
@@ -0,0 +1,1913 @@
+/*
+ * Copyright (C) Jelmer Vernooij 2005 <jelmer@samba.org>
+ * Copyright (C) Stefan Metzmacher 2006 <metze@samba.org>
+ *
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the author nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+/*
+   Socket wrapper library. Passes all socket communication over
+   unix domain sockets if the environment variable SOCKET_WRAPPER_DIR
+   is set.
+*/
+
+#define SOCKET_WRAPPER_NOT_REPLACE
+
+#ifdef _SAMBA_BUILD_
+
+#include "includes.h"
+#include "system/network.h"
+#include "system/filesys.h"
+
+#ifdef malloc
+#undef malloc
+#endif
+#ifdef calloc
+#undef calloc
+#endif
+#ifdef strdup
+#undef strdup
+#endif
+
+#else /* _SAMBA_BUILD_ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#undef SOCKET_WRAPPER_REPLACE
+
+#include <sys/types.h>
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#ifdef HAVE_SYS_FILIO_H
+#include <sys/filio.h>
+#endif
+#include <errno.h>
+#include <sys/un.h>
+#include <netinet/in.h>
+#include <netinet/tcp.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <stdio.h>
+#include "roken.h"
+
+#include "socket_wrapper.h"
+
+#define HAVE_GETTIMEOFDAY_TZ 1
+
+#define _PUBLIC_
+
+#endif
+
+#define SWRAP_DLIST_ADD(list,item) do { \
+	if (!(list)) { \
+		(item)->prev	= NULL; \
+		(item)->next	= NULL; \
+		(list)		= (item); \
+	} else { \
+		(item)->prev	= NULL; \
+		(item)->next	= (list); \
+		(list)->prev	= (item); \
+		(list)		= (item); \
+	} \
+} while (0)
+
+#define SWRAP_DLIST_REMOVE(list,item) do { \
+	if ((list) == (item)) { \
+		(list)		= (item)->next; \
+		if (list) { \
+			(list)->prev	= NULL; \
+		} \
+	} else { \
+		if ((item)->prev) { \
+			(item)->prev->next	= (item)->next; \
+		} \
+		if ((item)->next) { \
+			(item)->next->prev	= (item)->prev; \
+		} \
+	} \
+	(item)->prev	= NULL; \
+	(item)->next	= NULL; \
+} while (0)
+
+/* LD_PRELOAD doesn't work yet, so REWRITE_CALLS is all we support
+ * for now */
+#define REWRITE_CALLS 
+
+#ifdef REWRITE_CALLS
+#define real_accept accept
+#define real_connect connect
+#define real_bind bind
+#define real_listen listen
+#define real_getpeername getpeername
+#define real_getsockname getsockname
+#define real_getsockopt getsockopt
+#define real_setsockopt setsockopt
+#define real_recvfrom recvfrom
+#define real_sendto sendto
+#define real_ioctl ioctl
+#define real_recv recv
+#define real_send send
+#define real_socket socket
+#define real_close close
+#define real_dup dup
+#define real_dup2 dup2
+#endif
+
+#ifdef HAVE_GETTIMEOFDAY_TZ
+#define swrapGetTimeOfDay(tval) gettimeofday(tval,NULL)
+#else
+#define swrapGetTimeOfDay(tval)	gettimeofday(tval)
+#endif
+
+/* we need to use a very terse format here as IRIX 6.4 silently
+   truncates names to 16 chars, so if we use a longer name then we
+   can't tell which port a packet came from with recvfrom() 
+   
+   with this format we have 8 chars left for the directory name
+*/
+#define SOCKET_FORMAT "%c%02X%04X"
+#define SOCKET_TYPE_CHAR_TCP		'T'
+#define SOCKET_TYPE_CHAR_UDP		'U'
+#define SOCKET_TYPE_CHAR_TCP_V6		'X'
+#define SOCKET_TYPE_CHAR_UDP_V6		'Y'
+
+#define MAX_WRAPPED_INTERFACES 16
+
+#define SW_IPV6_ADDRESS 1
+
+static struct sockaddr *sockaddr_dup(const void *data, socklen_t len)
+{
+	struct sockaddr *ret = (struct sockaddr *)malloc(len);
+	memcpy(ret, data, len);
+	return ret;
+}
+
+static void set_port(int family, int prt, struct sockaddr *addr)
+{
+	switch (family) {
+	case AF_INET:
+		((struct sockaddr_in *)addr)->sin_port = htons(prt);
+		break;
+#ifdef HAVE_IPV6
+	case AF_INET6:
+		((struct sockaddr_in6 *)addr)->sin6_port = htons(prt);
+		break;
+#endif
+	}
+}
+
+static int socket_length(int family)
+{
+	switch (family) {
+	case AF_INET:
+		return sizeof(struct sockaddr_in);
+#ifdef HAVE_IPV6
+	case AF_INET6:
+		return sizeof(struct sockaddr_in6);
+#endif
+	}
+	return -1;
+}
+
+
+
+struct socket_info
+{
+	int fd;
+
+	int family;
+	int type;
+	int protocol;
+	int bound;
+	int bcast;
+	int is_server;
+
+	char *path;
+	char *tmp_path;
+
+	struct sockaddr *myname;
+	socklen_t myname_len;
+
+	struct sockaddr *peername;
+	socklen_t peername_len;
+
+	struct {
+		unsigned long pck_snd;
+		unsigned long pck_rcv;
+	} io;
+
+	struct socket_info *prev, *next;
+};
+
+static struct socket_info *sockets;
+
+
+static const char *socket_wrapper_dir(void)
+{
+	const char *s = getenv("SOCKET_WRAPPER_DIR");
+	if (s == NULL) {
+		return NULL;
+	}
+	if (strncmp(s, "./", 2) == 0) {
+		s += 2;
+	}
+	return s;
+}
+
+static unsigned int socket_wrapper_default_iface(void)
+{
+	const char *s = getenv("SOCKET_WRAPPER_DEFAULT_IFACE");
+	if (s) {
+		unsigned int iface;
+		if (sscanf(s, "%u", &iface) == 1) {
+			if (iface >= 1 && iface <= MAX_WRAPPED_INTERFACES) {
+				return iface;
+			}
+		}
+	}
+
+	return 1;/* 127.0.0.1 */
+}
+
+static int convert_un_in(const struct sockaddr_un *un, struct sockaddr *in, socklen_t *len)
+{
+	unsigned int iface;
+	unsigned int prt;
+	const char *p;
+	char type;
+
+	p = strrchr(un->sun_path, '/');
+	if (p) p++; else p = un->sun_path;
+
+	if (sscanf(p, SOCKET_FORMAT, &type, &iface, &prt) != 3) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (iface == 0 || iface > MAX_WRAPPED_INTERFACES) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (prt > 0xFFFF) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	switch(type) {
+	case SOCKET_TYPE_CHAR_TCP:
+	case SOCKET_TYPE_CHAR_UDP: {
+		struct sockaddr_in *in2 = (struct sockaddr_in *)in;
+		
+		if ((*len) < sizeof(*in2)) {
+		    errno = EINVAL;
+		    return -1;
+		}
+
+		memset(in2, 0, sizeof(*in2));
+		in2->sin_family = AF_INET;
+		in2->sin_addr.s_addr = htonl((127<<24) | iface);
+		in2->sin_port = htons(prt);
+
+		*len = sizeof(*in2);
+		break;
+	}
+#ifdef HAVE_IPV6
+	case SOCKET_TYPE_CHAR_TCP_V6:
+	case SOCKET_TYPE_CHAR_UDP_V6: {
+		struct sockaddr_in6 *in2 = (struct sockaddr_in6 *)in;
+		
+		if ((*len) < sizeof(*in2)) {
+			errno = EINVAL;
+			return -1;
+		}
+
+		memset(in2, 0, sizeof(*in2));
+		in2->sin6_family = AF_INET6;
+		in2->sin6_addr.s6_addr[0] = SW_IPV6_ADDRESS;
+		in2->sin6_port = htons(prt);
+
+		*len = sizeof(*in2);
+		break;
+	}
+#endif
+	default:
+		errno = EINVAL;
+		return -1;
+	}
+
+	return 0;
+}
+
+static int convert_in_un_remote(struct socket_info *si, const struct sockaddr *inaddr, struct sockaddr_un *un,
+				int *bcast)
+{
+	char type = '\0';
+	unsigned int prt;
+	unsigned int iface;
+	int is_bcast = 0;
+
+	if (bcast) *bcast = 0;
+
+	switch (si->family) {
+	case AF_INET: {
+		const struct sockaddr_in *in = 
+		    (const struct sockaddr_in *)inaddr;
+		unsigned int addr = ntohl(in->sin_addr.s_addr);
+		char u_type = '\0';
+		char b_type = '\0';
+		char a_type = '\0';
+
+		switch (si->type) {
+		case SOCK_STREAM:
+			u_type = SOCKET_TYPE_CHAR_TCP;
+			break;
+		case SOCK_DGRAM:
+			u_type = SOCKET_TYPE_CHAR_UDP;
+			a_type = SOCKET_TYPE_CHAR_UDP;
+			b_type = SOCKET_TYPE_CHAR_UDP;
+			break;
+		}
+
+		prt = ntohs(in->sin_port);
+		if (a_type && addr == 0xFFFFFFFF) {
+			/* 255.255.255.255 only udp */
+			is_bcast = 2;
+			type = a_type;
+			iface = socket_wrapper_default_iface();
+		} else if (b_type && addr == 0x7FFFFFFF) {
+			/* 127.255.255.255 only udp */
+			is_bcast = 1;
+			type = b_type;
+			iface = socket_wrapper_default_iface();
+		} else if ((addr & 0xFFFFFF00) == 0x7F000000) {
+			/* 127.0.0.X */
+			is_bcast = 0;
+			type = u_type;
+			iface = (addr & 0x000000FF);
+		} else {
+			errno = ENETUNREACH;
+			return -1;
+		}
+		if (bcast) *bcast = is_bcast;
+		break;
+	}
+#ifdef HAVE_IPV6
+	case AF_INET6: {
+		const struct sockaddr_in6 *in = 
+		    (const struct sockaddr_in6 *)inaddr;
+
+		switch (si->type) {
+		case SOCK_STREAM:
+			type = SOCKET_TYPE_CHAR_TCP_V6;
+			break;
+		case SOCK_DGRAM:
+			type = SOCKET_TYPE_CHAR_UDP_V6;
+			break;
+		}
+
+		/* XXX no multicast/broadcast */
+
+		prt = ntohs(in->sin6_port);
+		iface = SW_IPV6_ADDRESS;
+		
+		break;
+	}
+#endif
+	default:
+		errno = ENETUNREACH;
+		return -1;
+	}
+
+	if (prt == 0) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (is_bcast) {
+		snprintf(un->sun_path, sizeof(un->sun_path), "%s/EINVAL", 
+			 socket_wrapper_dir());
+		/* the caller need to do more processing */
+		return 0;
+	}
+
+	snprintf(un->sun_path, sizeof(un->sun_path), "%s/"SOCKET_FORMAT, 
+		 socket_wrapper_dir(), type, iface, prt);
+
+	return 0;
+}
+
+static int convert_in_un_alloc(struct socket_info *si, const struct sockaddr *inaddr, struct sockaddr_un *un,
+			       int *bcast)
+{
+	char type = '\0';
+	unsigned int prt;
+	unsigned int iface;
+	struct stat st;
+	int is_bcast = 0;
+
+	if (bcast) *bcast = 0;
+
+	switch (si->family) {
+	case AF_INET: {
+		const struct sockaddr_in *in = 
+		    (const struct sockaddr_in *)inaddr;
+		unsigned int addr = ntohl(in->sin_addr.s_addr);
+		char u_type = '\0';
+		char d_type = '\0';
+		char b_type = '\0';
+		char a_type = '\0';
+
+		prt = ntohs(in->sin_port);
+
+		switch (si->type) {
+		case SOCK_STREAM:
+			u_type = SOCKET_TYPE_CHAR_TCP;
+			d_type = SOCKET_TYPE_CHAR_TCP;
+			break;
+		case SOCK_DGRAM:
+			u_type = SOCKET_TYPE_CHAR_UDP;
+			d_type = SOCKET_TYPE_CHAR_UDP;
+			a_type = SOCKET_TYPE_CHAR_UDP;
+			b_type = SOCKET_TYPE_CHAR_UDP;
+			break;
+		}
+
+		if (addr == 0) {
+			/* 0.0.0.0 */
+		 	is_bcast = 0;
+			type = d_type;
+			iface = socket_wrapper_default_iface();
+		} else if (a_type && addr == 0xFFFFFFFF) {
+			/* 255.255.255.255 only udp */
+			is_bcast = 2;
+			type = a_type;
+			iface = socket_wrapper_default_iface();
+		} else if (b_type && addr == 0x7FFFFFFF) {
+			/* 127.255.255.255 only udp */
+			is_bcast = 1;
+			type = b_type;
+			iface = socket_wrapper_default_iface();
+		} else if ((addr & 0xFFFFFF00) == 0x7F000000) {
+			/* 127.0.0.X */
+			is_bcast = 0;
+			type = u_type;
+			iface = (addr & 0x000000FF);
+		} else {
+			errno = EADDRNOTAVAIL;
+			return -1;
+		}
+		break;
+	}
+#ifdef HAVE_IPV6
+	case AF_INET6: {
+		const struct sockaddr_in6 *in = 
+		    (const struct sockaddr_in6 *)inaddr;
+
+		switch (si->type) {
+		case SOCK_STREAM:
+			type = SOCKET_TYPE_CHAR_TCP_V6;
+			break;
+		case SOCK_DGRAM:
+			type = SOCKET_TYPE_CHAR_UDP_V6;
+			break;
+		}
+
+		/* XXX no multicast/broadcast */
+
+		prt = ntohs(in->sin6_port);
+		iface = SW_IPV6_ADDRESS;
+		
+		break;
+	}
+#endif
+	default:
+		errno = ENETUNREACH;
+		return -1;
+	}
+
+
+	if (bcast) *bcast = is_bcast;
+
+	if (prt == 0) {
+		/* handle auto-allocation of ephemeral ports */
+		for (prt = 5001; prt < 10000; prt++) {
+			snprintf(un->sun_path, sizeof(un->sun_path), "%s/"SOCKET_FORMAT, 
+				 socket_wrapper_dir(), type, iface, prt);
+			if (stat(un->sun_path, &st) == 0) continue;
+
+			set_port(si->family, prt, si->myname);
+		}
+	}
+
+	snprintf(un->sun_path, sizeof(un->sun_path), "%s/"SOCKET_FORMAT, 
+		 socket_wrapper_dir(), type, iface, prt);
+	return 0;
+}
+
+static struct socket_info *find_socket_info(int fd)
+{
+	struct socket_info *i;
+	for (i = sockets; i; i = i->next) {
+		if (i->fd == fd) 
+			return i;
+	}
+
+	return NULL;
+}
+
+static int sockaddr_convert_to_un(struct socket_info *si, const struct sockaddr *in_addr, socklen_t in_len, 
+				  struct sockaddr_un *out_addr, int alloc_sock, int *bcast)
+{
+	if (!out_addr)
+		return 0;
+
+	out_addr->sun_family = AF_UNIX;
+
+	switch (in_addr->sa_family) {
+	case AF_INET:
+#ifdef HAVE_IPV6
+	case AF_INET6:
+#endif
+		switch (si->type) {
+		case SOCK_STREAM:
+		case SOCK_DGRAM:
+			break;
+		default:
+			errno = ESOCKTNOSUPPORT;
+			return -1;
+		}
+		if (alloc_sock) {
+			return convert_in_un_alloc(si, in_addr, out_addr, bcast);
+		} else {
+			return convert_in_un_remote(si, in_addr, out_addr, bcast);
+		}
+	default:
+		break;
+	}
+	
+	errno = EAFNOSUPPORT;
+	return -1;
+}
+
+static int sockaddr_convert_from_un(const struct socket_info *si, 
+				    const struct sockaddr_un *in_addr, 
+				    socklen_t un_addrlen,
+				    int family,
+				    struct sockaddr *out_addr,
+				    socklen_t *out_addrlen)
+{
+	if (out_addr == NULL || out_addrlen == NULL) 
+		return 0;
+
+	if (un_addrlen == 0) {
+		*out_addrlen = 0;
+		return 0;
+	}
+
+	switch (family) {
+	case AF_INET:
+#ifdef HAVE_IPV6
+	case AF_INET6:
+#endif
+		switch (si->type) {
+		case SOCK_STREAM:
+		case SOCK_DGRAM:
+			break;
+		default:
+			errno = ESOCKTNOSUPPORT;
+			return -1;
+		}
+		return convert_un_in(in_addr, out_addr, out_addrlen);
+	default:
+		break;
+	}
+
+	errno = EAFNOSUPPORT;
+	return -1;
+}
+
+enum swrap_packet_type {
+	SWRAP_CONNECT_SEND,
+	SWRAP_CONNECT_UNREACH,
+	SWRAP_CONNECT_RECV,
+	SWRAP_CONNECT_ACK,
+	SWRAP_ACCEPT_SEND,
+	SWRAP_ACCEPT_RECV,
+	SWRAP_ACCEPT_ACK,
+	SWRAP_RECVFROM,
+	SWRAP_SENDTO,
+	SWRAP_SENDTO_UNREACH,
+	SWRAP_PENDING_RST,
+	SWRAP_RECV,
+	SWRAP_RECV_RST,
+	SWRAP_SEND,
+	SWRAP_SEND_RST,
+	SWRAP_CLOSE_SEND,
+	SWRAP_CLOSE_RECV,
+	SWRAP_CLOSE_ACK
+};
+
+struct swrap_file_hdr {
+	unsigned long	magic;
+	unsigned short	version_major;	
+	unsigned short	version_minor;
+	long		timezone;
+	unsigned long	sigfigs;
+	unsigned long	frame_max_len;
+#define SWRAP_FRAME_LENGTH_MAX 0xFFFF
+	unsigned long	link_type;
+};
+#define SWRAP_FILE_HDR_SIZE 24
+
+struct swrap_packet {
+	struct {
+		unsigned long seconds;
+		unsigned long micro_seconds;
+		unsigned long recorded_length;
+		unsigned long full_length;
+	} frame;
+#define SWRAP_PACKET__FRAME_SIZE 16
+
+	struct {
+		struct {
+			unsigned char	ver_hdrlen;
+			unsigned char	tos;
+			unsigned short	packet_length;
+			unsigned short	identification;
+			unsigned char	flags;
+			unsigned char	fragment;
+			unsigned char	ttl;
+			unsigned char	protocol;
+			unsigned short	hdr_checksum;
+			unsigned long	src_addr;
+			unsigned long	dest_addr;
+		} hdr;
+#define SWRAP_PACKET__IP_HDR_SIZE 20
+
+		union {
+			struct {
+				unsigned short	source_port;
+				unsigned short	dest_port;
+				unsigned long	seq_num;
+				unsigned long	ack_num;
+				unsigned char	hdr_length;
+				unsigned char	control;
+				unsigned short	window;
+				unsigned short	checksum;
+				unsigned short	urg;
+			} tcp;
+#define SWRAP_PACKET__IP_P_TCP_SIZE 20
+			struct {
+				unsigned short	source_port;
+				unsigned short	dest_port;
+				unsigned short	length;
+				unsigned short	checksum;
+			} udp;
+#define SWRAP_PACKET__IP_P_UDP_SIZE 8
+			struct {
+				unsigned char	type;
+				unsigned char	code;
+				unsigned short	checksum;
+				unsigned long	unused;
+			} icmp;
+#define SWRAP_PACKET__IP_P_ICMP_SIZE 8
+		} p;
+	} ip;
+};
+#define SWRAP_PACKET_SIZE 56
+
+static const char *socket_wrapper_pcap_file(void)
+{
+	static int initialized = 0;
+	static const char *s = NULL;
+	static const struct swrap_file_hdr h;
+	static const struct swrap_packet p;
+
+	if (initialized == 1) {
+		return s;
+	}
+	initialized = 1;
+
+	/*
+	 * TODO: don't use the structs use plain buffer offsets
+	 *       and PUSH_U8(), PUSH_U16() and PUSH_U32()
+	 * 
+	 * for now make sure we disable PCAP support
+	 * if the struct has alignment!
+	 */
+	if (sizeof(h) != SWRAP_FILE_HDR_SIZE) {
+		return NULL;
+	}
+	if (sizeof(p) != SWRAP_PACKET_SIZE) {
+		return NULL;
+	}
+	if (sizeof(p.frame) != SWRAP_PACKET__FRAME_SIZE) {
+		return NULL;
+	}
+	if (sizeof(p.ip.hdr) != SWRAP_PACKET__IP_HDR_SIZE) {
+		return NULL;
+	}
+	if (sizeof(p.ip.p.tcp) != SWRAP_PACKET__IP_P_TCP_SIZE) {
+		return NULL;
+	}
+	if (sizeof(p.ip.p.udp) != SWRAP_PACKET__IP_P_UDP_SIZE) {
+		return NULL;
+	}
+	if (sizeof(p.ip.p.icmp) != SWRAP_PACKET__IP_P_ICMP_SIZE) {
+		return NULL;
+	}
+
+	s = getenv("SOCKET_WRAPPER_PCAP_FILE");
+	if (s == NULL) {
+		return NULL;
+	}
+	if (strncmp(s, "./", 2) == 0) {
+		s += 2;
+	}
+	return s;
+}
+
+static struct swrap_packet *swrap_packet_init(struct timeval *tval,
+					      const struct sockaddr_in *src_addr,
+					      const struct sockaddr_in *dest_addr,
+					      int socket_type,
+					      const unsigned char *payload,
+					      size_t payload_len,
+					      unsigned long tcp_seq,
+					      unsigned long tcp_ack,
+					      unsigned char tcp_ctl,
+					      int unreachable,
+					      size_t *_packet_len)
+{
+	struct swrap_packet *ret;
+	struct swrap_packet *packet;
+	size_t packet_len;
+	size_t alloc_len;
+	size_t nonwire_len = sizeof(packet->frame);
+	size_t wire_hdr_len = 0;
+	size_t wire_len = 0;
+	size_t icmp_hdr_len = 0;
+	size_t icmp_truncate_len = 0;
+	unsigned char protocol = 0, icmp_protocol = 0;
+	unsigned short src_port = src_addr->sin_port;
+	unsigned short dest_port = dest_addr->sin_port;
+
+	switch (socket_type) {
+	case SOCK_STREAM:
+		protocol = 0x06; /* TCP */
+		wire_hdr_len = sizeof(packet->ip.hdr) + sizeof(packet->ip.p.tcp);
+		wire_len = wire_hdr_len + payload_len;
+		break;
+
+	case SOCK_DGRAM:
+		protocol = 0x11; /* UDP */
+		wire_hdr_len = sizeof(packet->ip.hdr) + sizeof(packet->ip.p.udp);
+		wire_len = wire_hdr_len + payload_len;
+		break;
+	}
+
+	if (unreachable) {
+		icmp_protocol = protocol;
+		protocol = 0x01; /* ICMP */
+		if (wire_len > 64 ) {
+			icmp_truncate_len = wire_len - 64;
+		}
+		icmp_hdr_len = sizeof(packet->ip.hdr) + sizeof(packet->ip.p.icmp);
+		wire_hdr_len += icmp_hdr_len;
+		wire_len += icmp_hdr_len;
+	}
+
+	packet_len = nonwire_len + wire_len;
+	alloc_len = packet_len;
+	if (alloc_len < sizeof(struct swrap_packet)) {
+		alloc_len = sizeof(struct swrap_packet);
+	}
+	ret = (struct swrap_packet *)malloc(alloc_len);
+	if (!ret) return NULL;
+
+	packet = ret;
+
+	packet->frame.seconds		= tval->tv_sec;
+	packet->frame.micro_seconds	= tval->tv_usec;
+	packet->frame.recorded_length	= wire_len - icmp_truncate_len;
+	packet->frame.full_length	= wire_len - icmp_truncate_len;
+
+	packet->ip.hdr.ver_hdrlen	= 0x45; /* version 4 and 5 * 32 bit words */
+	packet->ip.hdr.tos		= 0x00;
+	packet->ip.hdr.packet_length	= htons(wire_len - icmp_truncate_len);
+	packet->ip.hdr.identification	= htons(0xFFFF);
+	packet->ip.hdr.flags		= 0x40; /* BIT 1 set - means don't fraqment */
+	packet->ip.hdr.fragment		= htons(0x0000);
+	packet->ip.hdr.ttl		= 0xFF;
+	packet->ip.hdr.protocol		= protocol;
+	packet->ip.hdr.hdr_checksum	= htons(0x0000);
+	packet->ip.hdr.src_addr		= src_addr->sin_addr.s_addr;
+	packet->ip.hdr.dest_addr	= dest_addr->sin_addr.s_addr;
+
+	if (unreachable) {
+		packet->ip.p.icmp.type		= 0x03; /* destination unreachable */
+		packet->ip.p.icmp.code		= 0x01; /* host unreachable */
+		packet->ip.p.icmp.checksum	= htons(0x0000);
+		packet->ip.p.icmp.unused	= htonl(0x00000000);
+
+		/* set the ip header in the ICMP payload */
+		packet = (struct swrap_packet *)(((unsigned char *)ret) + icmp_hdr_len);
+		packet->ip.hdr.ver_hdrlen	= 0x45; /* version 4 and 5 * 32 bit words */
+		packet->ip.hdr.tos		= 0x00;
+		packet->ip.hdr.packet_length	= htons(wire_len - icmp_hdr_len);
+		packet->ip.hdr.identification	= htons(0xFFFF);
+		packet->ip.hdr.flags		= 0x40; /* BIT 1 set - means don't fraqment */
+		packet->ip.hdr.fragment		= htons(0x0000);
+		packet->ip.hdr.ttl		= 0xFF;
+		packet->ip.hdr.protocol		= icmp_protocol;
+		packet->ip.hdr.hdr_checksum	= htons(0x0000);
+		packet->ip.hdr.src_addr		= dest_addr->sin_addr.s_addr;
+		packet->ip.hdr.dest_addr	= src_addr->sin_addr.s_addr;
+
+		src_port = dest_addr->sin_port;
+		dest_port = src_addr->sin_port;
+	}
+
+	switch (socket_type) {
+	case SOCK_STREAM:
+		packet->ip.p.tcp.source_port	= src_port;
+		packet->ip.p.tcp.dest_port	= dest_port;
+		packet->ip.p.tcp.seq_num	= htonl(tcp_seq);
+		packet->ip.p.tcp.ack_num	= htonl(tcp_ack);
+		packet->ip.p.tcp.hdr_length	= 0x50; /* 5 * 32 bit words */
+		packet->ip.p.tcp.control	= tcp_ctl;
+		packet->ip.p.tcp.window		= htons(0x7FFF);
+		packet->ip.p.tcp.checksum	= htons(0x0000);
+		packet->ip.p.tcp.urg		= htons(0x0000);
+
+		break;
+
+	case SOCK_DGRAM:
+		packet->ip.p.udp.source_port	= src_addr->sin_port;
+		packet->ip.p.udp.dest_port	= dest_addr->sin_port;
+		packet->ip.p.udp.length		= htons(8 + payload_len);
+		packet->ip.p.udp.checksum	= htons(0x0000);
+
+		break;
+	}
+
+	if (payload && payload_len > 0) {
+		unsigned char *p = (unsigned char *)ret;
+		p += nonwire_len;
+		p += wire_hdr_len;
+		memcpy(p, payload, payload_len);
+	}
+
+	*_packet_len = packet_len - icmp_truncate_len;
+	return ret;
+}
+
+static int swrap_get_pcap_fd(const char *fname)
+{
+	static int fd = -1;
+
+	if (fd != -1) return fd;
+
+	fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_APPEND, 0644);
+	if (fd != -1) {
+		struct swrap_file_hdr file_hdr;
+		file_hdr.magic		= 0xA1B2C3D4;
+		file_hdr.version_major	= 0x0002;	
+		file_hdr.version_minor	= 0x0004;
+		file_hdr.timezone	= 0x00000000;
+		file_hdr.sigfigs	= 0x00000000;
+		file_hdr.frame_max_len	= SWRAP_FRAME_LENGTH_MAX;
+		file_hdr.link_type	= 0x0065; /* 101 RAW IP */
+
+		write(fd, &file_hdr, sizeof(file_hdr));
+		return fd;
+	}
+
+	fd = open(fname, O_WRONLY|O_APPEND, 0644);
+
+	return fd;
+}
+
+static void swrap_dump_packet(struct socket_info *si, const struct sockaddr *addr,
+			      enum swrap_packet_type type,
+			      const void *buf, size_t len)
+{
+	const struct sockaddr_in *src_addr;
+	const struct sockaddr_in *dest_addr;
+	const char *file_name;
+	unsigned long tcp_seq = 0;
+	unsigned long tcp_ack = 0;
+	unsigned char tcp_ctl = 0;
+	int unreachable = 0;
+	struct timeval tv;
+	struct swrap_packet *packet;
+	size_t packet_len = 0;
+	int fd;
+
+	file_name = socket_wrapper_pcap_file();
+	if (!file_name) {
+		return;
+	}
+
+	switch (si->family) {
+	case AF_INET:
+#ifdef HAVE_IPV6
+	case AF_INET6:
+#endif
+		break;
+	default:
+		return;
+	}
+
+	switch (type) {
+	case SWRAP_CONNECT_SEND:
+		if (si->type != SOCK_STREAM) return;
+
+		src_addr = (const struct sockaddr_in *)si->myname;
+		dest_addr = (const struct sockaddr_in *)addr;
+
+		tcp_seq = si->io.pck_snd;
+		tcp_ack = si->io.pck_rcv;
+		tcp_ctl = 0x02; /* SYN */
+
+		si->io.pck_snd += 1;
+
+		break;
+
+	case SWRAP_CONNECT_RECV:
+		if (si->type != SOCK_STREAM) return;
+
+		dest_addr = (const struct sockaddr_in *)si->myname;
+		src_addr = (const struct sockaddr_in *)addr;
+
+		tcp_seq = si->io.pck_rcv;
+		tcp_ack = si->io.pck_snd;
+		tcp_ctl = 0x12; /** SYN,ACK */
+
+		si->io.pck_rcv += 1;
+
+		break;
+
+	case SWRAP_CONNECT_UNREACH:
+		if (si->type != SOCK_STREAM) return;
+
+		dest_addr = (const struct sockaddr_in *)si->myname;
+		src_addr = (const struct sockaddr_in *)addr;
+
+		/* Unreachable: resend the data of SWRAP_CONNECT_SEND */
+		tcp_seq = si->io.pck_snd - 1;
+		tcp_ack = si->io.pck_rcv;
+		tcp_ctl = 0x02; /* SYN */
+		unreachable = 1;
+
+		break;
+
+	case SWRAP_CONNECT_ACK:
+		if (si->type != SOCK_STREAM) return;
+
+		src_addr = (const struct sockaddr_in *)si->myname;
+		dest_addr = (const struct sockaddr_in *)addr;
+
+		tcp_seq = si->io.pck_snd;
+		tcp_ack = si->io.pck_rcv;
+		tcp_ctl = 0x10; /* ACK */
+
+		break;
+
+	case SWRAP_ACCEPT_SEND:
+		if (si->type != SOCK_STREAM) return;
+
+		dest_addr = (const struct sockaddr_in *)si->myname;
+		src_addr = (const struct sockaddr_in *)addr;
+
+		tcp_seq = si->io.pck_rcv;
+		tcp_ack = si->io.pck_snd;
+		tcp_ctl = 0x02; /* SYN */
+
+		si->io.pck_rcv += 1;
+
+		break;
+
+	case SWRAP_ACCEPT_RECV:
+		if (si->type != SOCK_STREAM) return;
+
+		src_addr = (const struct sockaddr_in *)si->myname;
+		dest_addr = (const struct sockaddr_in *)addr;
+
+		tcp_seq = si->io.pck_snd;
+		tcp_ack = si->io.pck_rcv;
+		tcp_ctl = 0x12; /* SYN,ACK */
+
+		si->io.pck_snd += 1;
+
+		break;
+
+	case SWRAP_ACCEPT_ACK:
+		if (si->type != SOCK_STREAM) return;
+
+		dest_addr = (const struct sockaddr_in *)si->myname;
+		src_addr = (const struct sockaddr_in *)addr;
+
+		tcp_seq = si->io.pck_rcv;
+		tcp_ack = si->io.pck_snd;
+		tcp_ctl = 0x10; /* ACK */
+
+		break;
+
+	case SWRAP_SEND:
+		src_addr = (const struct sockaddr_in *)si->myname;
+		dest_addr = (const struct sockaddr_in *)si->peername;
+
+		tcp_seq = si->io.pck_snd;
+		tcp_ack = si->io.pck_rcv;
+		tcp_ctl = 0x18; /* PSH,ACK */
+
+		si->io.pck_snd += len;
+
+		break;
+
+	case SWRAP_SEND_RST:
+		dest_addr = (const struct sockaddr_in *)si->myname;
+		src_addr = (const struct sockaddr_in *)si->peername;
+
+		if (si->type == SOCK_DGRAM) {
+			swrap_dump_packet(si, si->peername,
+					  SWRAP_SENDTO_UNREACH,
+			      		  buf, len);
+			return;
+		}
+
+		tcp_seq = si->io.pck_rcv;
+		tcp_ack = si->io.pck_snd;
+		tcp_ctl = 0x14; /** RST,ACK */
+
+		break;
+
+	case SWRAP_PENDING_RST:
+		dest_addr = (const struct sockaddr_in *)si->myname;
+		src_addr = (const struct sockaddr_in *)si->peername;
+
+		if (si->type == SOCK_DGRAM) {
+			return;
+		}
+
+		tcp_seq = si->io.pck_rcv;
+		tcp_ack = si->io.pck_snd;
+		tcp_ctl = 0x14; /* RST,ACK */
+
+		break;
+
+	case SWRAP_RECV:
+		dest_addr = (const struct sockaddr_in *)si->myname;
+		src_addr = (const struct sockaddr_in *)si->peername;
+
+		tcp_seq = si->io.pck_rcv;
+		tcp_ack = si->io.pck_snd;
+		tcp_ctl = 0x18; /* PSH,ACK */
+
+		si->io.pck_rcv += len;
+
+		break;
+
+	case SWRAP_RECV_RST:
+		dest_addr = (const struct sockaddr_in *)si->myname;
+		src_addr = (const struct sockaddr_in *)si->peername;
+
+		if (si->type == SOCK_DGRAM) {
+			return;
+		}
+
+		tcp_seq = si->io.pck_rcv;
+		tcp_ack = si->io.pck_snd;
+		tcp_ctl = 0x14; /* RST,ACK */
+
+		break;
+
+	case SWRAP_SENDTO:
+		src_addr = (const struct sockaddr_in *)si->myname;
+		dest_addr = (const struct sockaddr_in *)addr;
+
+		si->io.pck_snd += len;
+
+		break;
+
+	case SWRAP_SENDTO_UNREACH:
+		dest_addr = (const struct sockaddr_in *)si->myname;
+		src_addr = (const struct sockaddr_in *)addr;
+
+		unreachable = 1;
+
+		break;
+
+	case SWRAP_RECVFROM:
+		dest_addr = (const struct sockaddr_in *)si->myname;
+		src_addr = (const struct sockaddr_in *)addr;
+
+		si->io.pck_rcv += len;
+
+		break;
+
+	case SWRAP_CLOSE_SEND:
+		if (si->type != SOCK_STREAM) return;
+
+		src_addr = (const struct sockaddr_in *)si->myname;
+		dest_addr = (const struct sockaddr_in *)si->peername;
+
+		tcp_seq = si->io.pck_snd;
+		tcp_ack = si->io.pck_rcv;
+		tcp_ctl = 0x11; /* FIN, ACK */
+
+		si->io.pck_snd += 1;
+
+		break;
+
+	case SWRAP_CLOSE_RECV:
+		if (si->type != SOCK_STREAM) return;
+
+		dest_addr = (const struct sockaddr_in *)si->myname;
+		src_addr = (const struct sockaddr_in *)si->peername;
+
+		tcp_seq = si->io.pck_rcv;
+		tcp_ack = si->io.pck_snd;
+		tcp_ctl = 0x11; /* FIN,ACK */
+
+		si->io.pck_rcv += 1;
+
+		break;
+
+	case SWRAP_CLOSE_ACK:
+		if (si->type != SOCK_STREAM) return;
+
+		src_addr = (const struct sockaddr_in *)si->myname;
+		dest_addr = (const struct sockaddr_in *)si->peername;
+
+		tcp_seq = si->io.pck_snd;
+		tcp_ack = si->io.pck_rcv;
+		tcp_ctl = 0x10; /* ACK */
+
+		break;
+	default:
+		return;
+	}
+
+	swrapGetTimeOfDay(&tv);
+
+	packet = swrap_packet_init(&tv, src_addr, dest_addr, si->type,
+				   (const unsigned char *)buf, len,
+				   tcp_seq, tcp_ack, tcp_ctl, unreachable,
+				   &packet_len);
+	if (!packet) {
+		return;
+	}
+
+	fd = swrap_get_pcap_fd(file_name);
+	if (fd != -1) {
+		write(fd, packet, packet_len);
+	}
+
+	free(packet);
+}
+
+_PUBLIC_ int swrap_socket(int family, int type, int protocol)
+{
+	struct socket_info *si;
+	int fd;
+
+	if (!socket_wrapper_dir()) {
+		return real_socket(family, type, protocol);
+	}
+
+	switch (family) {
+	case AF_INET:
+#ifdef HAVE_IPV6
+	case AF_INET6:
+#endif
+		break;
+	case AF_UNIX:
+		return real_socket(family, type, protocol);
+	default:
+		errno = EAFNOSUPPORT;
+		return -1;
+	}
+
+	switch (type) {
+	case SOCK_STREAM:
+		break;
+	case SOCK_DGRAM:
+		break;
+	default:
+		errno = EPROTONOSUPPORT;
+		return -1;
+	}
+
+#if 0
+	switch (protocol) {
+	case 0:
+		break;
+	default:
+		errno = EPROTONOSUPPORT;
+		return -1;
+	}
+#endif
+
+	fd = real_socket(AF_UNIX, type, 0);
+
+	if (fd == -1) return -1;
+
+	si = (struct socket_info *)calloc(1, sizeof(struct socket_info));
+
+	si->family = family;
+	si->type = type;
+	si->protocol = protocol;
+	si->fd = fd;
+
+	SWRAP_DLIST_ADD(sockets, si);
+
+	return si->fd;
+}
+
+_PUBLIC_ int swrap_accept(int s, struct sockaddr *addr, socklen_t *addrlen)
+{
+	struct socket_info *parent_si, *child_si;
+	int fd;
+	struct sockaddr_un un_addr;
+	socklen_t un_addrlen = sizeof(un_addr);
+	struct sockaddr_un un_my_addr;
+	socklen_t un_my_addrlen = sizeof(un_my_addr);
+	struct sockaddr *my_addr;
+	socklen_t my_addrlen, len;
+	int ret;
+
+	parent_si = find_socket_info(s);
+	if (!parent_si) {
+		return real_accept(s, addr, addrlen);
+	}
+
+	/* 
+	 * assume out sockaddr have the same size as the in parent
+	 * socket family
+	 */
+	my_addrlen = socket_length(parent_si->family);
+	if (my_addrlen < 0) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	my_addr = malloc(my_addrlen);
+	if (my_addr == NULL) {
+		return -1;
+	}
+
+	memset(&un_addr, 0, sizeof(un_addr));
+	memset(&un_my_addr, 0, sizeof(un_my_addr));
+
+	ret = real_accept(s, (struct sockaddr *)&un_addr, &un_addrlen);
+	if (ret == -1) {
+		free(my_addr);
+		return ret;
+	}
+
+	fd = ret;
+
+	len = my_addrlen;
+	ret = sockaddr_convert_from_un(parent_si, &un_addr, un_addrlen,
+				       parent_si->family, my_addr, &len);
+	if (ret == -1) {
+		free(my_addr);
+		close(fd);
+		return ret;
+	}
+
+	child_si = (struct socket_info *)malloc(sizeof(struct socket_info));
+	memset(child_si, 0, sizeof(*child_si));
+
+	child_si->fd = fd;
+	child_si->family = parent_si->family;
+	child_si->type = parent_si->type;
+	child_si->protocol = parent_si->protocol;
+	child_si->bound = 1;
+	child_si->is_server = 1;
+
+	child_si->peername_len = len;
+	child_si->peername = sockaddr_dup(my_addr, len);
+
+	if (addr != NULL && addrlen != NULL) {
+	    *addrlen = len;
+	    if (*addrlen >= len)
+		memcpy(addr, my_addr, len);
+	    *addrlen = 0;
+	}
+
+	ret = real_getsockname(fd, (struct sockaddr *)&un_my_addr, &un_my_addrlen);
+	if (ret == -1) {
+		free(child_si);
+		close(fd);
+		return ret;
+	}
+
+	len = my_addrlen;
+	ret = sockaddr_convert_from_un(child_si, &un_my_addr, un_my_addrlen,
+				       child_si->family, my_addr, &len);
+	if (ret == -1) {
+		free(child_si);
+		free(my_addr);
+		close(fd);
+		return ret;
+	}
+
+	child_si->myname_len = len;
+	child_si->myname = sockaddr_dup(my_addr, len);
+	free(my_addr);
+
+	SWRAP_DLIST_ADD(sockets, child_si);
+
+	swrap_dump_packet(child_si, addr, SWRAP_ACCEPT_SEND, NULL, 0);
+	swrap_dump_packet(child_si, addr, SWRAP_ACCEPT_RECV, NULL, 0);
+	swrap_dump_packet(child_si, addr, SWRAP_ACCEPT_ACK, NULL, 0);
+
+	return fd;
+}
+
+static int autobind_start_init;
+static int autobind_start;
+
+/* using sendto() or connect() on an unbound socket would give the
+   recipient no way to reply, as unlike UDP and TCP, a unix domain
+   socket can't auto-assign emphemeral port numbers, so we need to
+   assign it here */
+static int swrap_auto_bind(struct socket_info *si)
+{
+	struct sockaddr_un un_addr;
+	int i;
+	char type;
+	int ret;
+	int port;
+	struct stat st;
+
+	if (autobind_start_init != 1) {
+		autobind_start_init = 1;
+		autobind_start = getpid();
+		autobind_start %= 50000;
+		autobind_start += 10000;
+	}
+
+	un_addr.sun_family = AF_UNIX;
+
+	switch (si->family) {
+	case AF_INET: {
+		struct sockaddr_in in;
+
+		switch (si->type) {
+		case SOCK_STREAM:
+			type = SOCKET_TYPE_CHAR_TCP;
+			break;
+		case SOCK_DGRAM:
+		    	type = SOCKET_TYPE_CHAR_UDP;
+			break;
+		default:
+		    errno = ESOCKTNOSUPPORT;
+		    return -1;
+		}
+
+		memset(&in, 0, sizeof(in));
+		in.sin_family = AF_INET;
+		in.sin_addr.s_addr = htonl(127<<24 | 
+					   socket_wrapper_default_iface());
+
+		si->myname_len = sizeof(in);
+		si->myname = sockaddr_dup(&in, si->myname_len);
+		break;
+	}
+#ifdef HAVE_IPV6
+	case AF_INET6: {
+		struct sockaddr_in6 in6;
+
+		switch (si->type) {
+		case SOCK_STREAM:
+			type = SOCKET_TYPE_CHAR_TCP_V6;
+			break;
+		case SOCK_DGRAM:
+		    	type = SOCKET_TYPE_CHAR_UDP_V6;
+			break;
+		default:
+		    errno = ESOCKTNOSUPPORT;
+		    return -1;
+		}
+
+		memset(&in6, 0, sizeof(in6));
+		in6.sin6_family = AF_INET6;
+		in6.sin6_addr.s6_addr[0] = SW_IPV6_ADDRESS;
+		si->myname_len = sizeof(in6);
+		si->myname = sockaddr_dup(&in6, si->myname_len);
+		break;
+	}
+#endif
+	default:
+		errno = ESOCKTNOSUPPORT;
+		return -1;
+	}
+
+	if (autobind_start > 60000) {
+		autobind_start = 10000;
+	}
+
+	for (i=0;i<1000;i++) {
+		port = autobind_start + i;
+		snprintf(un_addr.sun_path, sizeof(un_addr.sun_path), 
+			 "%s/"SOCKET_FORMAT, socket_wrapper_dir(),
+			 type, socket_wrapper_default_iface(), port);
+		if (stat(un_addr.sun_path, &st) == 0) continue;
+		
+		ret = real_bind(si->fd, (struct sockaddr *)&un_addr, sizeof(un_addr));
+		if (ret == -1) return ret;
+
+		si->tmp_path = strdup(un_addr.sun_path);
+		si->bound = 1;
+		autobind_start = port + 1;
+		break;
+	}
+	if (i == 1000) {
+		errno = ENFILE;
+		return -1;
+	}
+
+	set_port(si->family, port, si->myname);
+
+	return 0;
+}
+
+
+_PUBLIC_ int swrap_connect(int s, const struct sockaddr *serv_addr, socklen_t addrlen)
+{
+	int ret;
+	struct sockaddr_un un_addr;
+	struct socket_info *si = find_socket_info(s);
+
+	if (!si) {
+		return real_connect(s, serv_addr, addrlen);
+	}
+
+	if (si->bound == 0) {
+		ret = swrap_auto_bind(si);
+		if (ret == -1) return -1;
+	}
+
+	if (si->family != serv_addr->sa_family) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	ret = sockaddr_convert_to_un(si, (const struct sockaddr *)serv_addr, addrlen, &un_addr, 0, NULL);
+	if (ret == -1) return -1;
+
+	swrap_dump_packet(si, serv_addr, SWRAP_CONNECT_SEND, NULL, 0);
+
+	ret = real_connect(s, (struct sockaddr *)&un_addr, 
+			   sizeof(struct sockaddr_un));
+
+	/* to give better errors */
+	if (ret == -1 && errno == ENOENT) {
+		errno = EHOSTUNREACH;
+	}
+
+	if (ret == 0) {
+		si->peername_len = addrlen;
+		si->peername = sockaddr_dup(serv_addr, addrlen);
+
+		swrap_dump_packet(si, serv_addr, SWRAP_CONNECT_RECV, NULL, 0);
+		swrap_dump_packet(si, serv_addr, SWRAP_CONNECT_ACK, NULL, 0);
+	} else {
+		swrap_dump_packet(si, serv_addr, SWRAP_CONNECT_UNREACH, NULL, 0);
+	}
+
+	return ret;
+}
+
+_PUBLIC_ int swrap_bind(int s, const struct sockaddr *myaddr, socklen_t addrlen)
+{
+	int ret;
+	struct sockaddr_un un_addr;
+	struct socket_info *si = find_socket_info(s);
+
+	if (!si) {
+		return real_bind(s, myaddr, addrlen);
+	}
+
+	si->myname_len = addrlen;
+	si->myname = sockaddr_dup(myaddr, addrlen);
+
+	ret = sockaddr_convert_to_un(si, (const struct sockaddr *)myaddr, addrlen, &un_addr, 1, &si->bcast);
+	if (ret == -1) return -1;
+
+	unlink(un_addr.sun_path);
+
+	ret = real_bind(s, (struct sockaddr *)&un_addr,
+			sizeof(struct sockaddr_un));
+
+	if (ret == 0) {
+		si->bound = 1;
+	}
+
+	return ret;
+}
+
+_PUBLIC_ int swrap_listen(int s, int backlog)
+{
+	int ret;
+	struct socket_info *si = find_socket_info(s);
+
+	if (!si) {
+		return real_listen(s, backlog);
+	}
+
+	ret = real_listen(s, backlog);
+
+	return ret;
+}
+
+_PUBLIC_ int swrap_getpeername(int s, struct sockaddr *name, socklen_t *addrlen)
+{
+	struct socket_info *si = find_socket_info(s);
+
+	if (!si) {
+		return real_getpeername(s, name, addrlen);
+	}
+
+	if (!si->peername)
+	{
+		errno = ENOTCONN;
+		return -1;
+	}
+
+	memcpy(name, si->peername, si->peername_len);
+	*addrlen = si->peername_len;
+
+	return 0;
+}
+
+_PUBLIC_ int swrap_getsockname(int s, struct sockaddr *name, socklen_t *addrlen)
+{
+	struct socket_info *si = find_socket_info(s);
+
+	if (!si) {
+		return real_getsockname(s, name, addrlen);
+	}
+
+	memcpy(name, si->myname, si->myname_len);
+	*addrlen = si->myname_len;
+
+	return 0;
+}
+
+_PUBLIC_ int swrap_getsockopt(int s, int level, int optname, void *optval, socklen_t *optlen)
+{
+	struct socket_info *si = find_socket_info(s);
+
+	if (!si) {
+		return real_getsockopt(s, level, optname, optval, optlen);
+	}
+
+	if (level == SOL_SOCKET) {
+		return real_getsockopt(s, level, optname, optval, optlen);
+	} 
+
+	errno = ENOPROTOOPT;
+	return -1;
+}
+
+_PUBLIC_ int swrap_setsockopt(int s, int  level,  int  optname,  const  void  *optval, socklen_t optlen)
+{
+	struct socket_info *si = find_socket_info(s);
+
+	if (!si) {
+		return real_setsockopt(s, level, optname, optval, optlen);
+	}
+
+	if (level == SOL_SOCKET) {
+		return real_setsockopt(s, level, optname, optval, optlen);
+	}
+
+	switch (si->family) {
+	case AF_INET:
+		return 0;
+	default:
+		errno = ENOPROTOOPT;
+		return -1;
+	}
+}
+
+_PUBLIC_ ssize_t swrap_recvfrom(int s, void *buf, size_t len, int flags, struct sockaddr *from, socklen_t *fromlen)
+{
+	struct sockaddr_un un_addr;
+	socklen_t un_addrlen = sizeof(un_addr);
+	int ret;
+	struct socket_info *si = find_socket_info(s);
+
+	if (!si) {
+		return real_recvfrom(s, buf, len, flags, from, fromlen);
+	}
+
+	/* irix 6.4 forgets to null terminate the sun_path string :-( */
+	memset(&un_addr, 0, sizeof(un_addr));
+	ret = real_recvfrom(s, buf, len, flags, (struct sockaddr *)&un_addr, &un_addrlen);
+	if (ret == -1) 
+		return ret;
+
+	if (sockaddr_convert_from_un(si, &un_addr, un_addrlen,
+				     si->family, from, fromlen) == -1) {
+		return -1;
+	}
+
+	swrap_dump_packet(si, from, SWRAP_RECVFROM, buf, ret);
+
+	return ret;
+}
+
+
+_PUBLIC_ ssize_t swrap_sendto(int s, const void *buf, size_t len, int flags, const struct sockaddr *to, socklen_t tolen)
+{
+	struct sockaddr_un un_addr;
+	int ret;
+	struct socket_info *si = find_socket_info(s);
+	int bcast = 0;
+
+	if (!si) {
+		return real_sendto(s, buf, len, flags, to, tolen);
+	}
+
+	switch (si->type) {
+	case SOCK_STREAM:
+		ret = real_send(s, buf, len, flags);
+		break;
+	case SOCK_DGRAM:
+		if (si->bound == 0) {
+			ret = swrap_auto_bind(si);
+			if (ret == -1) return -1;
+		}
+		
+		ret = sockaddr_convert_to_un(si, to, tolen, &un_addr, 0, &bcast);
+		if (ret == -1) return -1;
+		
+		if (bcast) {
+			struct stat st;
+			unsigned int iface;
+			unsigned int prt = ntohs(((const struct sockaddr_in *)to)->sin_port);
+			char type;
+			
+			type = SOCKET_TYPE_CHAR_UDP;
+			
+			for(iface=0; iface <= MAX_WRAPPED_INTERFACES; iface++) {
+				snprintf(un_addr.sun_path, sizeof(un_addr.sun_path), "%s/"SOCKET_FORMAT, 
+					 socket_wrapper_dir(), type, iface, prt);
+				if (stat(un_addr.sun_path, &st) != 0) continue;
+				
+				/* ignore the any errors in broadcast sends */
+				real_sendto(s, buf, len, flags, (struct sockaddr *)&un_addr, sizeof(un_addr));
+			}
+			
+			swrap_dump_packet(si, to, SWRAP_SENDTO, buf, len);
+			
+			return len;
+		}
+		
+		ret = real_sendto(s, buf, len, flags, (struct sockaddr *)&un_addr, sizeof(un_addr));
+		break;
+	default:
+		ret = -1;
+		errno = EHOSTUNREACH;
+		break;
+	}
+		
+	/* to give better errors */
+	if (ret == -1 && errno == ENOENT) {
+		errno = EHOSTUNREACH;
+	}
+
+	if (ret == -1) {
+		swrap_dump_packet(si, to, SWRAP_SENDTO, buf, len);
+		swrap_dump_packet(si, to, SWRAP_SENDTO_UNREACH, buf, len);
+	} else {
+		swrap_dump_packet(si, to, SWRAP_SENDTO, buf, ret);
+	}
+
+	return ret;
+}
+
+_PUBLIC_ int swrap_ioctl(int s, int r, void *p)
+{
+	int ret;
+	struct socket_info *si = find_socket_info(s);
+	int value;
+
+	if (!si) {
+		return real_ioctl(s, r, p);
+	}
+
+	ret = real_ioctl(s, r, p);
+
+	switch (r) {
+	case FIONREAD:
+		value = *((int *)p);
+		if (ret == -1 && errno != EAGAIN && errno != ENOBUFS) {
+			swrap_dump_packet(si, NULL, SWRAP_PENDING_RST, NULL, 0);
+		} else if (value == 0) { /* END OF FILE */
+			swrap_dump_packet(si, NULL, SWRAP_PENDING_RST, NULL, 0);
+		}
+		break;
+	}
+
+	return ret;
+}
+
+_PUBLIC_ ssize_t swrap_recv(int s, void *buf, size_t len, int flags)
+{
+	int ret;
+	struct socket_info *si = find_socket_info(s);
+
+	if (!si) {
+		return real_recv(s, buf, len, flags);
+	}
+
+	ret = real_recv(s, buf, len, flags);
+	if (ret == -1 && errno != EAGAIN && errno != ENOBUFS) {
+		swrap_dump_packet(si, NULL, SWRAP_RECV_RST, NULL, 0);
+	} else if (ret == 0) { /* END OF FILE */
+		swrap_dump_packet(si, NULL, SWRAP_RECV_RST, NULL, 0);
+	} else {
+		swrap_dump_packet(si, NULL, SWRAP_RECV, buf, ret);
+	}
+
+	return ret;
+}
+
+
+_PUBLIC_ ssize_t swrap_send(int s, const void *buf, size_t len, int flags)
+{
+	int ret;
+	struct socket_info *si = find_socket_info(s);
+
+	if (!si) {
+		return real_send(s, buf, len, flags);
+	}
+
+	ret = real_send(s, buf, len, flags);
+
+	if (ret == -1) {
+		swrap_dump_packet(si, NULL, SWRAP_SEND, buf, len);
+		swrap_dump_packet(si, NULL, SWRAP_SEND_RST, NULL, 0);
+	} else {
+		swrap_dump_packet(si, NULL, SWRAP_SEND, buf, ret);
+	}
+
+	return ret;
+}
+
+_PUBLIC_ int swrap_close(int fd)
+{
+	struct socket_info *si = find_socket_info(fd);
+	int ret;
+
+	if (!si) {
+		return real_close(fd);
+	}
+
+	SWRAP_DLIST_REMOVE(sockets, si);
+
+	if (si->myname && si->peername) {
+		swrap_dump_packet(si, NULL, SWRAP_CLOSE_SEND, NULL, 0);
+	}
+
+	ret = real_close(fd);
+
+	if (si->myname && si->peername) {
+		swrap_dump_packet(si, NULL, SWRAP_CLOSE_RECV, NULL, 0);
+		swrap_dump_packet(si, NULL, SWRAP_CLOSE_ACK, NULL, 0);
+	}
+
+	if (si->path) free(si->path);
+	if (si->myname) free(si->myname);
+	if (si->peername) free(si->peername);
+	if (si->tmp_path) {
+		unlink(si->tmp_path);
+		free(si->tmp_path);
+	}
+	free(si);
+
+	return ret;
+}
+
+static int
+dup_internal(const struct socket_info *si_oldd, int fd)
+{
+	struct socket_info *si_newd;
+
+	si_newd = (struct socket_info *)calloc(1, sizeof(struct socket_info));
+
+	si_newd->fd = fd;
+
+	si_newd->family = si_oldd->family;
+	si_newd->type = si_oldd->type;
+	si_newd->protocol = si_oldd->protocol;
+	si_newd->bound = si_oldd->bound;
+	si_newd->bcast = si_oldd->bcast;
+	if (si_oldd->path)
+		si_newd->path = strdup(si_oldd->path);
+	if (si_oldd->tmp_path)
+		si_newd->tmp_path = strdup(si_oldd->tmp_path);
+	si_newd->myname =
+	    sockaddr_dup(si_oldd->myname, si_oldd->myname_len);
+	si_newd->myname_len = si_oldd->myname_len;
+	si_newd->peername = 
+	    sockaddr_dup(si_oldd->peername, si_oldd->peername_len);
+	si_newd->peername_len = si_oldd->peername_len;
+
+	si_newd->io = si_oldd->io;
+
+	SWRAP_DLIST_ADD(sockets, si_newd);
+
+	return fd;
+}
+
+
+_PUBLIC_ int swrap_dup(int oldd)
+{
+	struct socket_info *si;
+	int fd;
+
+	si = find_socket_info(oldd);
+	if (si == NULL)
+		return real_dup(oldd);
+
+	fd = real_dup(si->fd);
+	if (fd < 0)
+		return fd;
+
+	return dup_internal(si, fd);
+}
+
+
+_PUBLIC_ int swrap_dup2(int oldd, int newd)
+{
+	struct socket_info *si_newd, *si_oldd;
+	int fd;
+
+	if (newd == oldd)
+	    return newd;
+
+	si_oldd = find_socket_info(oldd);
+	si_newd = find_socket_info(newd);
+
+	if (si_oldd == NULL && si_newd == NULL)
+		return real_dup2(oldd, newd);
+
+	fd = real_dup2(si_oldd->fd, newd);
+	if (fd < 0)
+		return fd;
+
+	/* close new socket first */
+	if (si_newd)
+	       	swrap_close(newd);
+
+	return dup_internal(si_oldd, fd);
+}
diff --git a/crypto/heimdal/lib/roken/socket_wrapper.h b/crypto/heimdal/lib/roken/socket_wrapper.h
new file mode 100644
index 0000000..316b024
--- /dev/null
+++ b/crypto/heimdal/lib/roken/socket_wrapper.h
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) Jelmer Vernooij 2005 <jelmer@samba.org>
+ * Copyright (C) Stefan Metzmacher 2006 <metze@samba.org>
+ *
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the author nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#ifndef __SOCKET_WRAPPER_H__
+#define __SOCKET_WRAPPER_H__
+
+int swrap_socket(int family, int type, int protocol);
+int swrap_accept(int s, struct sockaddr *addr, socklen_t *addrlen);
+int swrap_connect(int s, const struct sockaddr *serv_addr, socklen_t addrlen);
+int swrap_bind(int s, const struct sockaddr *myaddr, socklen_t addrlen);
+int swrap_listen(int s, int backlog);
+int swrap_getpeername(int s, struct sockaddr *name, socklen_t *addrlen);
+int swrap_getsockname(int s, struct sockaddr *name, socklen_t *addrlen);
+int swrap_getsockopt(int s, int level, int optname, void *optval, socklen_t *optlen);
+int swrap_setsockopt(int s, int  level,  int  optname,  const  void  *optval, socklen_t optlen);
+ssize_t swrap_recvfrom(int s, void *buf, size_t len, int flags, struct sockaddr *from, socklen_t *fromlen);
+ssize_t swrap_sendto(int s, const void *buf, size_t len, int flags, const struct sockaddr *to, socklen_t tolen);
+int swrap_ioctl(int s, int req, void *ptr);
+ssize_t swrap_recv(int s, void *buf, size_t len, int flags);
+ssize_t swrap_send(int s, const void *buf, size_t len, int flags);
+int swrap_close(int);
+int swrap_dup(int);
+int swrap_dup2(int, int);
+
+#ifdef SOCKET_WRAPPER_REPLACE
+
+#ifdef accept
+#undef accept
+#endif
+#define accept(s,addr,addrlen)		swrap_accept(s,addr,addrlen)
+
+#ifdef connect
+#undef connect
+#endif
+#define connect(s,serv_addr,addrlen)	swrap_connect(s,serv_addr,addrlen)
+
+#ifdef bind
+#undef bind
+#endif
+#define bind(s,myaddr,addrlen)		swrap_bind(s,myaddr,addrlen)
+
+#ifdef listen
+#undef listen
+#endif
+#define listen(s,blog)			swrap_listen(s,blog)
+
+#ifdef getpeername
+#undef getpeername
+#endif
+#define getpeername(s,name,addrlen)	swrap_getpeername(s,name,addrlen)
+
+#ifdef getsockname
+#undef getsockname
+#endif
+#define getsockname(s,name,addrlen)	swrap_getsockname(s,name,addrlen)
+
+#ifdef getsockopt
+#undef getsockopt
+#endif
+#define getsockopt(s,level,optname,optval,optlen) swrap_getsockopt(s,level,optname,optval,optlen)
+
+#ifdef setsockopt
+#undef setsockopt
+#endif
+#define setsockopt(s,level,optname,optval,optlen) swrap_setsockopt(s,level,optname,optval,optlen)
+
+#ifdef recvfrom
+#undef recvfrom
+#endif
+#define recvfrom(s,buf,len,flags,from,fromlen) 	  swrap_recvfrom(s,buf,len,flags,from,fromlen)
+
+#ifdef sendto
+#undef sendto
+#endif
+#define sendto(s,buf,len,flags,to,tolen)          swrap_sendto(s,buf,len,flags,to,tolen)
+
+#ifdef ioctl
+#undef ioctl
+#endif
+#define ioctl(s,req,ptr)		swrap_ioctl(s,req,ptr)
+
+#ifdef recv
+#undef recv
+#endif
+#define recv(s,buf,len,flags)		swrap_recv(s,buf,len,flags)
+
+#ifdef send
+#undef send
+#endif
+#define send(s,buf,len,flags)		swrap_send(s,buf,len,flags)
+
+#ifdef socket
+#undef socket
+#endif
+#define socket(domain,type,protocol)	swrap_socket(domain,type,protocol)
+
+#ifdef close
+#undef close
+#endif
+#define close(s)			swrap_close(s)
+
+#ifdef dup
+#undef dup
+#endif
+#define dup(oldd)			swrap_dup(oldd)
+
+#ifdef dup2
+#undef dup2
+#endif
+#define dup2(oldd, newd)		swrap_dup2(oldd, newd)
+
+#endif
+
+#endif /* __SOCKET_WRAPPER_H__ */
diff --git a/crypto/heimdal/lib/roken/strcasecmp.c b/crypto/heimdal/lib/roken/strcasecmp.c
index cde5b3b..4788d4f 100644
--- a/crypto/heimdal/lib/roken/strcasecmp.c
+++ b/crypto/heimdal/lib/roken/strcasecmp.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: strcasecmp.c,v 1.10 2003/04/14 11:26:27 lha Exp $");
+RCSID("$Id: strcasecmp.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include <string.h>
@@ -43,7 +43,7 @@ RCSID("$Id: strcasecmp.c,v 1.10 2003/04/14 11:26:27 lha Exp $");
 
 #ifndef HAVE_STRCASECMP
 
-int
+int ROKEN_LIB_FUNCTION
 strcasecmp(const char *s1, const char *s2)
 {
     while(toupper((unsigned char)*s1) == toupper((unsigned char)*s2)) {
diff --git a/crypto/heimdal/lib/roken/strcollect.c b/crypto/heimdal/lib/roken/strcollect.c
index 1e82ad0..f291891 100644
--- a/crypto/heimdal/lib/roken/strcollect.c
+++ b/crypto/heimdal/lib/roken/strcollect.c
@@ -33,14 +33,14 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: strcollect.c,v 1.1 2000/01/09 10:57:43 assar Exp $");
+RCSID("$Id: strcollect.c 21005 2007-06-08 01:54:35Z lha $");
 #endif
 
 #include <stdarg.h>
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
-#include <roken.h>
+#include "roken.h"
 
 enum { initial = 10, increment = 5 };
 
@@ -69,7 +69,7 @@ sub (char **argv, int i, int argc, va_list *ap)
  * terminated by NULL.
  */
 
-char **
+char ** ROKEN_LIB_FUNCTION
 vstrcollect(va_list *ap)
 {
     return sub (NULL, 0, 0, ap);
@@ -79,7 +79,7 @@ vstrcollect(va_list *ap)
  *
  */
 
-char **
+char ** ROKEN_LIB_FUNCTION
 strcollect(char *first, ...)
 {
     va_list ap;
diff --git a/crypto/heimdal/lib/roken/strdup.c b/crypto/heimdal/lib/roken/strdup.c
index 87fb43e..a832120 100644
--- a/crypto/heimdal/lib/roken/strdup.c
+++ b/crypto/heimdal/lib/roken/strdup.c
@@ -33,13 +33,13 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: strdup.c,v 1.10 1999/12/02 16:58:53 joda Exp $");
+RCSID("$Id: strdup.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 #include <stdlib.h>
 #include <string.h>
 
 #ifndef HAVE_STRDUP
-char *
+char * ROKEN_LIB_FUNCTION
 strdup(const char *old)
 {
 	char *t = malloc(strlen(old)+1);
diff --git a/crypto/heimdal/lib/roken/strerror.c b/crypto/heimdal/lib/roken/strerror.c
index 21936d7..ca152f4 100644
--- a/crypto/heimdal/lib/roken/strerror.c
+++ b/crypto/heimdal/lib/roken/strerror.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: strerror.c,v 1.10 1999/12/02 16:58:53 joda Exp $");
+RCSID("$Id: strerror.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include <stdio.h>
@@ -43,7 +43,7 @@ RCSID("$Id: strerror.c,v 1.10 1999/12/02 16:58:53 joda Exp $");
 extern int sys_nerr;
 extern char *sys_errlist[];
 
-char*
+char* ROKEN_LIB_FUNCTION
 strerror(int eno)
 {
     static char emsg[1024];
diff --git a/crypto/heimdal/lib/roken/strftime.c b/crypto/heimdal/lib/roken/strftime.c
index 985b38a..b7176b6 100644
--- a/crypto/heimdal/lib/roken/strftime.c
+++ b/crypto/heimdal/lib/roken/strftime.c
@@ -33,9 +33,12 @@
 #ifdef HAVE_CONFIG_H
 #include <config.h>
 #endif
+#ifdef TEST_STRPFTIME
+#include "strpftime-test.h"
+#endif
 #include "roken.h"
 
-RCSID("$Id: strftime.c,v 1.13 2002/08/20 12:42:37 joda Exp $");
+RCSID("$Id: strftime.c 21896 2007-08-09 08:46:08Z lha $");
 
 static const char *abb_weekdays[] = {
     "Sun",
@@ -167,7 +170,7 @@ week_number_mon4 (const struct tm *tm)
  *
  */
 
-size_t
+size_t ROKEN_LIB_FUNCTION
 strftime (char *buf, size_t maxsize, const char *format,
 	  const struct tm *tm)
 {
@@ -290,7 +293,7 @@ strftime (char *buf, size_t maxsize, const char *format,
 		    
 	    case 's' :
 		ret = snprintf (buf, maxsize - n,
-				"%d", (int)mktime((struct tm *)tm));
+				"%d", (int)mktime(rk_UNCONST(tm)));
 		break;
 	    case 'S' :
 		ret = snprintf (buf, maxsize - n,
diff --git a/crypto/heimdal/lib/roken/strlcat.c b/crypto/heimdal/lib/roken/strlcat.c
index 1366e88..3f9c085 100644
--- a/crypto/heimdal/lib/roken/strlcat.c
+++ b/crypto/heimdal/lib/roken/strlcat.c
@@ -36,11 +36,11 @@
 #endif
 #include "roken.h"
 
-RCSID("$Id: strlcat.c,v 1.6 2002/08/20 09:46:20 joda Exp $");
+RCSID("$Id: strlcat.c 14773 2005-04-12 11:29:18Z lha $");
 
 #ifndef HAVE_STRLCAT
 
-size_t
+size_t ROKEN_LIB_FUNCTION
 strlcat (char *dst, const char *src, size_t dst_sz)
 {
     size_t len = strlen(dst);
diff --git a/crypto/heimdal/lib/roken/strlcpy.c b/crypto/heimdal/lib/roken/strlcpy.c
index b43dbde..6797317 100644
--- a/crypto/heimdal/lib/roken/strlcpy.c
+++ b/crypto/heimdal/lib/roken/strlcpy.c
@@ -36,11 +36,11 @@
 #endif
 #include "roken.h"
 
-RCSID("$Id: strlcpy.c,v 1.6 2002/08/20 09:42:08 joda Exp $");
+RCSID("$Id: strlcpy.c 14773 2005-04-12 11:29:18Z lha $");
 
 #ifndef HAVE_STRLCPY
 
-size_t
+size_t ROKEN_LIB_FUNCTION
 strlcpy (char *dst, const char *src, size_t dst_sz)
 {
     size_t n;
diff --git a/crypto/heimdal/lib/roken/strlwr.c b/crypto/heimdal/lib/roken/strlwr.c
index f2c6a9f..9e5e973 100644
--- a/crypto/heimdal/lib/roken/strlwr.c
+++ b/crypto/heimdal/lib/roken/strlwr.c
@@ -33,15 +33,15 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: strlwr.c,v 1.5 2003/04/14 11:44:34 lha Exp $");
+RCSID("$Id: strlwr.c 21005 2007-06-08 01:54:35Z lha $");
 #endif
 #include <string.h>
 #include <ctype.h>
 
-#include <roken.h>
+#include "roken.h"
 
 #ifndef HAVE_STRLWR
-char *
+char * ROKEN_LIB_FUNCTION
 strlwr(char *str)
 {
   char *s;
diff --git a/crypto/heimdal/lib/roken/strncasecmp.c b/crypto/heimdal/lib/roken/strncasecmp.c
index a08d9e8..e534393 100644
--- a/crypto/heimdal/lib/roken/strncasecmp.c
+++ b/crypto/heimdal/lib/roken/strncasecmp.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: strncasecmp.c,v 1.3 2003/04/14 11:46:04 lha Exp $");
+RCSID("$Id: strncasecmp.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include <string.h>
@@ -42,7 +42,7 @@ RCSID("$Id: strncasecmp.c,v 1.3 2003/04/14 11:46:04 lha Exp $");
 
 #ifndef HAVE_STRNCASECMP
 
-int
+int ROKEN_LIB_FUNCTION
 strncasecmp(const char *s1, const char *s2, size_t n)
 {
     while(n > 0 
diff --git a/crypto/heimdal/lib/roken/strndup.c b/crypto/heimdal/lib/roken/strndup.c
index 31e7e9f..1960fd2 100644
--- a/crypto/heimdal/lib/roken/strndup.c
+++ b/crypto/heimdal/lib/roken/strndup.c
@@ -33,15 +33,15 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: strndup.c,v 1.2 1999/12/02 16:58:53 joda Exp $");
+RCSID("$Id: strndup.c 21005 2007-06-08 01:54:35Z lha $");
 #endif
 #include <stdlib.h>
 #include <string.h>
 
-#include <roken.h>
+#include "roken.h"
 
 #ifndef HAVE_STRNDUP
-char *
+char * ROKEN_LIB_FUNCTION
 strndup(const char *old, size_t sz)
 {
     size_t len = strnlen (old, sz);
diff --git a/crypto/heimdal/lib/roken/strnlen.c b/crypto/heimdal/lib/roken/strnlen.c
index fffb3b7..3ba61a5 100644
--- a/crypto/heimdal/lib/roken/strnlen.c
+++ b/crypto/heimdal/lib/roken/strnlen.c
@@ -33,12 +33,12 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: strnlen.c,v 1.7 1999/12/02 16:58:53 joda Exp $");
+RCSID("$Id: strnlen.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
 
-size_t
+size_t ROKEN_LIB_FUNCTION
 strnlen(const char *s, size_t len)
 {
     size_t i;
diff --git a/crypto/heimdal/lib/roken/strpftime-test.c b/crypto/heimdal/lib/roken/strpftime-test.c
index 7eb8fb8..a1c13f3 100644
--- a/crypto/heimdal/lib/roken/strpftime-test.c
+++ b/crypto/heimdal/lib/roken/strpftime-test.c
@@ -33,9 +33,12 @@
 #ifdef HAVE_CONFIG_H
 #include <config.h>
 #endif
+#ifdef TEST_STRPFTIME
+#include "strpftime-test.h"
+#endif
 #include "roken.h"
 
-RCSID("$Id: strpftime-test.c,v 1.2 1999/11/12 15:29:55 assar Exp $");
+RCSID("$Id: strpftime-test.c 21897 2007-08-09 08:46:34Z lha $");
 
 enum { MAXSIZE = 26 };
 
@@ -246,8 +249,8 @@ main(int argc, char **argv)
 
 	    len = strftime (buf, sizeof(buf), tests[i].vals[j].format, tm);
 	    if (len != strlen (buf)) {
-		printf ("length of strftime(\"%s\") = %d (\"%s\")\n",
-			tests[i].vals[j].format, len,
+		printf ("length of strftime(\"%s\") = %lu (\"%s\")\n",
+			tests[i].vals[j].format, (unsigned long)len,
 			buf);
 		++ret;
 		continue;
@@ -279,6 +282,15 @@ main(int argc, char **argv)
 	    }
 	}
     }
+    {
+	struct tm tm;
+	memset(&tm, 0, sizeof(tm));
+	strptime ("200505", "%Y%m", &tm);
+	if (tm.tm_year != 105)
+	    ++ret;
+	if (tm.tm_mon != 4)
+	    ++ret;
+    }
     if (ret) {
 	printf ("%d errors\n", ret);
 	return 1;
diff --git a/crypto/heimdal/lib/roken/strpftime-test.h b/crypto/heimdal/lib/roken/strpftime-test.h
new file mode 100644
index 0000000..546e552
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strpftime-test.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id: snprintf-test.h 10377 2001-07-19 18:39:14Z assar $ */
+
+#ifndef __STRFTIME_TEST_H__
+#define __STRFTIME_TEST_H__
+
+/*
+ * we cannot use the real names of the functions when testing, since
+ * they might have different prototypes as the system functions, hence
+ * these evil hacks
+ */
+
+#define strftime test_strftime
+#define strptime test_strptime
+
+#endif /* __STRFTIME_TEST_H__ */
diff --git a/crypto/heimdal/lib/roken/strpool.c b/crypto/heimdal/lib/roken/strpool.c
new file mode 100644
index 0000000..6ebe0ce
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strpool.c
@@ -0,0 +1,110 @@
+/*
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strpool.c 21005 2007-06-08 01:54:35Z lha $");
+#endif
+
+#include <stdarg.h>
+#include <stdlib.h>
+#include "roken.h"
+
+struct rk_strpool {
+    char *str;
+    size_t len;
+};
+
+/*
+ *
+ */
+
+void ROKEN_LIB_FUNCTION
+rk_strpoolfree(struct rk_strpool *p)
+{
+    if (p->str) {
+	free(p->str);
+	p->str = NULL;
+    }
+    free(p);
+}
+
+/*
+ *
+ */
+
+struct rk_strpool * ROKEN_LIB_FUNCTION
+rk_strpoolprintf(struct rk_strpool *p, const char *fmt, ...)
+{
+    va_list ap;
+    char *str, *str2;
+    int len;
+
+    if (p == NULL) {
+	p = malloc(sizeof(*p));
+	if (p == NULL)
+	    return NULL;
+	p->str = NULL;
+	p->len = 0;
+    }
+    va_start(ap, fmt);
+    len = vasprintf(&str, fmt, ap);
+    va_end(ap);
+    if (str == NULL) {
+	rk_strpoolfree(p);
+	return NULL;
+    }
+    str2 = realloc(p->str, len + p->len + 1);
+    if (str2 == NULL) {
+	rk_strpoolfree(p);
+	return NULL;
+    }
+    p->str = str2;
+    memcpy(p->str + p->len, str, len + 1);
+    p->len += len;
+    free(str);
+    return p;
+}
+
+/*
+ *
+ */
+
+char * ROKEN_LIB_FUNCTION
+rk_strpoolcollect(struct rk_strpool *p)
+{
+    char *str = p->str;
+    p->str = NULL;
+    free(p);
+    return str;
+}
diff --git a/crypto/heimdal/lib/roken/strptime.c b/crypto/heimdal/lib/roken/strptime.c
index 36f0822..9cd1333 100644
--- a/crypto/heimdal/lib/roken/strptime.c
+++ b/crypto/heimdal/lib/roken/strptime.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999, 2003, 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,10 +33,13 @@
 #ifdef HAVE_CONFIG_H
 #include <config.h>
 #endif
+#ifdef TEST_STRPFTIME
+#include "strpftime-test.h"
+#endif
 #include <ctype.h>
 #include "roken.h"
 
-RCSID("$Id: strptime.c,v 1.2 1999/11/12 15:29:55 assar Exp $");
+RCSID("$Id: strptime.c 21895 2007-08-09 08:45:54Z lha $");
 
 static const char *abb_weekdays[] = {
     "Sun",
@@ -79,7 +82,7 @@ static const char *abb_month[] = {
 static const char *full_month[] = {
     "January",
     "February",
-    "Mars",
+    "March",
     "April",
     "May",
     "June",
@@ -120,7 +123,41 @@ match_string (const char **buf, const char **strs)
 }
 
 /*
- * tm_year is relative this year */
+ * Try to match `*buf' to at the most `n' characters and return the
+ * resulting number in `num'. Returns 0 or an error.  Also advance
+ * buf.
+ */
+
+static int
+parse_number (const char **buf, int n, int *num)
+{
+    char *s, *str;
+    int i;
+
+    str = malloc(n + 1);
+    if (str == NULL)
+	return -1;
+
+    /* skip whitespace */
+    for (; **buf != '\0' && isspace((unsigned char)(**buf)); (*buf)++)
+	;
+
+    /* parse at least n characters */
+    for (i = 0; **buf != '\0' && i < n && isdigit((unsigned char)(**buf)); i++, (*buf)++)
+	str[i] = **buf;
+    str[i] = '\0';
+
+    *num = strtol (str, &s, 10);
+    free(str);
+    if (s == str)
+	return -1;
+
+    return 0;
+}
+
+/*
+ * tm_year is relative this year
+ */
 
 const int tm_year_base = 1900;
 
@@ -204,7 +241,7 @@ set_week_number_mon4 (struct tm *timeptr, int wnum)
  *
  */
 
-char *
+char * ROKEN_LIB_FUNCTION
 strptime (const char *buf, const char *format, struct tm *timeptr)
 {
     char c;
@@ -213,8 +250,8 @@ strptime (const char *buf, const char *format, struct tm *timeptr)
 	char *s;
 	int ret;
 
-	if (isspace (c)) {
-	    while (isspace (*buf))
+	if (isspace ((unsigned char)c)) {
+	    while (isspace ((unsigned char)*buf))
 		++buf;
 	} else if (c == '%' && format[1] != '\0') {
 	    c = *++format;
@@ -247,11 +284,9 @@ strptime (const char *buf, const char *format, struct tm *timeptr)
 		timeptr->tm_mon = ret;
 		break;
 	    case 'C' :
-		ret = strtol (buf, &s, 10);
-		if (s == buf)
+		if (parse_number(&buf, 2, &ret))
 		    return NULL;
 		timeptr->tm_year = (ret * 100) - tm_year_base;
-		buf = s;
 		break;
 	    case 'c' :
 		abort ();
@@ -263,57 +298,47 @@ strptime (const char *buf, const char *format, struct tm *timeptr)
 		break;
 	    case 'd' :
 	    case 'e' :
-		ret = strtol (buf, &s, 10);
-		if (s == buf)
+		if (parse_number(&buf, 2, &ret))
 		    return NULL;
 		timeptr->tm_mday = ret;
-		buf = s;
 		break;
 	    case 'H' :
 	    case 'k' :
-		ret = strtol (buf, &s, 10);
-		if (s == buf)
+		if (parse_number(&buf, 2, &ret))
 		    return NULL;
 		timeptr->tm_hour = ret;
-		buf = s;
 		break;
 	    case 'I' :
 	    case 'l' :
-		ret = strtol (buf, &s, 10);
-		if (s == buf)
+		if (parse_number(&buf, 2, &ret))
 		    return NULL;
 		if (ret == 12)
 		    timeptr->tm_hour = 0;
 		else
 		    timeptr->tm_hour = ret;
-		buf = s;
 		break;
 	    case 'j' :
-		ret = strtol (buf, &s, 10);
-		if (s == buf)
+		if (parse_number(&buf, 3, &ret))
+		    return NULL;
+		if (ret == 0)
 		    return NULL;
 		timeptr->tm_yday = ret - 1;
-		buf = s;
 		break;
 	    case 'm' :
-		ret = strtol (buf, &s, 10);
-		if (s == buf)
+		if (parse_number(&buf, 2, &ret))
+		    return NULL;
+		if (ret == 0)
 		    return NULL;
 		timeptr->tm_mon = ret - 1;
-		buf = s;
 		break;
 	    case 'M' :
-		ret = strtol (buf, &s, 10);
-		if (s == buf)
+		if (parse_number(&buf, 2, &ret))
 		    return NULL;
 		timeptr->tm_min = ret;
-		buf = s;
 		break;
 	    case 'n' :
-		if (*buf == '\n')
-		    ++buf;
-		else
-		    return NULL;
+		while (isspace ((unsigned char)*buf))
+		    buf++;
 		break;
 	    case 'p' :
 		ret = match_string (&buf, ampm);
@@ -338,17 +363,13 @@ strptime (const char *buf, const char *format, struct tm *timeptr)
 		buf = s;
 		break;
 	    case 'S' :
-		ret = strtol (buf, &s, 10);
-		if (s == buf)
+		if (parse_number(&buf, 2, &ret))
 		    return NULL;
 		timeptr->tm_sec = ret;
-		buf = s;
 		break;
 	    case 't' :
-		if (*buf == '\t')
-		    ++buf;
-		else
-		    return NULL;
+		while (isspace ((unsigned char)*buf))
+		    buf++;
 		break;
 	    case 'T' :		/* %H:%M:%S */
 	    case 'X' :
@@ -358,39 +379,31 @@ strptime (const char *buf, const char *format, struct tm *timeptr)
 		buf = s;
 		break;
 	    case 'u' :
-		ret = strtol (buf, &s, 10);
-		if (s == buf)
+		if (parse_number(&buf, 1, &ret))
+		    return NULL;
+		if (ret <= 0)
 		    return NULL;
 		timeptr->tm_wday = ret - 1;
-		buf = s;
 		break;
 	    case 'w' :
-		ret = strtol (buf, &s, 10);
-		if (s == buf)
+		if (parse_number(&buf, 1, &ret))
 		    return NULL;
 		timeptr->tm_wday = ret;
-		buf = s;
 		break;
 	    case 'U' :
-		ret = strtol (buf, &s, 10);
-		if (s == buf)
+		if (parse_number(&buf, 2, &ret))
 		    return NULL;
 		set_week_number_sun (timeptr, ret);
-		buf = s;
 		break;
 	    case 'V' :
-		ret = strtol (buf, &s, 10);
-		if (s == buf)
+		if (parse_number(&buf, 2, &ret))
 		    return NULL;
 		set_week_number_mon4 (timeptr, ret);
-		buf = s;
 		break;
 	    case 'W' :
-		ret = strtol (buf, &s, 10);
-		if (s == buf)
+		if (parse_number(&buf, 2, &ret))
 		    return NULL;
 		set_week_number_mon (timeptr, ret);
-		buf = s;
 		break;
 	    case 'x' :
 		s = strptime (buf, "%Y:%m:%d", timeptr);
@@ -399,21 +412,17 @@ strptime (const char *buf, const char *format, struct tm *timeptr)
 		buf = s;
 		break;
 	    case 'y' :
-		ret = strtol (buf, &s, 10);
-		if (s == buf)
+		if (parse_number(&buf, 2, &ret))
 		    return NULL;
 		if (ret < 70)
 		    timeptr->tm_year = 100 + ret;
 		else
 		    timeptr->tm_year = ret;
-		buf = s;
 		break;
 	    case 'Y' :
-		ret = strtol (buf, &s, 10);
-		if (s == buf)
+		if (parse_number(&buf, 4, &ret))
 		    return NULL;
 		timeptr->tm_year = ret - tm_year_base;
-		buf = s;
 		break;
 	    case 'Z' :
 		abort ();
@@ -440,5 +449,5 @@ strptime (const char *buf, const char *format, struct tm *timeptr)
 		return NULL;
 	}
     }
-    return (char *)buf;
+    return rk_UNCONST(buf);
 }
diff --git a/crypto/heimdal/lib/roken/strsep.c b/crypto/heimdal/lib/roken/strsep.c
index efc714a..dd191c4 100644
--- a/crypto/heimdal/lib/roken/strsep.c
+++ b/crypto/heimdal/lib/roken/strsep.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: strsep.c,v 1.3 1999/12/02 16:58:53 joda Exp $");
+RCSID("$Id: strsep.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include <string.h>
@@ -42,7 +42,7 @@ RCSID("$Id: strsep.c,v 1.3 1999/12/02 16:58:53 joda Exp $");
 
 #ifndef HAVE_STRSEP
 
-char *
+char * ROKEN_LIB_FUNCTION
 strsep(char **str, const char *delim)
 {
     char *save = *str;
diff --git a/crypto/heimdal/lib/roken/strsep_copy.c b/crypto/heimdal/lib/roken/strsep_copy.c
index abe9731..4a0a8b0 100644
--- a/crypto/heimdal/lib/roken/strsep_copy.c
+++ b/crypto/heimdal/lib/roken/strsep_copy.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: strsep_copy.c,v 1.4 2002/08/14 17:20:40 joda Exp $");
+RCSID("$Id: strsep_copy.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include <string.h>
@@ -44,7 +44,7 @@ RCSID("$Id: strsep_copy.c,v 1.4 2002/08/14 17:20:40 joda Exp $");
 
 /* strsep, but with const stringp, so return string in buf */
 
-ssize_t
+ssize_t ROKEN_LIB_FUNCTION
 strsep_copy(const char **stringp, const char *delim, char *buf, size_t len)
 {
     const char *save = *stringp;
diff --git a/crypto/heimdal/lib/roken/strtok_r.c b/crypto/heimdal/lib/roken/strtok_r.c
index 45b036a..fb72f5d 100644
--- a/crypto/heimdal/lib/roken/strtok_r.c
+++ b/crypto/heimdal/lib/roken/strtok_r.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: strtok_r.c,v 1.5 1999/12/02 16:58:53 joda Exp $");
+RCSID("$Id: strtok_r.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include <string.h>
@@ -42,7 +42,7 @@ RCSID("$Id: strtok_r.c,v 1.5 1999/12/02 16:58:53 joda Exp $");
 
 #ifndef HAVE_STRTOK_R
 
-char *
+char * ROKEN_LIB_FUNCTION
 strtok_r(char *s1, const char *s2, char **lasts)
 {
   char *ret;
diff --git a/crypto/heimdal/lib/roken/strupr.c b/crypto/heimdal/lib/roken/strupr.c
index 9d136e0..2a53226 100644
--- a/crypto/heimdal/lib/roken/strupr.c
+++ b/crypto/heimdal/lib/roken/strupr.c
@@ -33,15 +33,15 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: strupr.c,v 1.5 2003/04/14 11:46:41 lha Exp $");
+RCSID("$Id: strupr.c 21005 2007-06-08 01:54:35Z lha $");
 #endif
 #include <string.h>
 #include <ctype.h>
 
-#include <roken.h>
+#include "roken.h"
 
 #ifndef HAVE_STRUPR
-char *
+char * ROKEN_LIB_FUNCTION
 strupr(char *str)
 {
   char *s;
diff --git a/crypto/heimdal/lib/roken/swab.c b/crypto/heimdal/lib/roken/swab.c
index c623bd0..20744ca 100644
--- a/crypto/heimdal/lib/roken/swab.c
+++ b/crypto/heimdal/lib/roken/swab.c
@@ -38,9 +38,9 @@
 
 #ifndef HAVE_SWAB
 
-RCSID("$Id: swab.c,v 1.7 1999/12/02 16:58:53 joda Exp $");
+RCSID("$Id: swab.c 14773 2005-04-12 11:29:18Z lha $");
 
-void
+void ROKEN_LIB_FUNCTION
 swab (char *from, char *to, int nbytes)
 {
      while(nbytes >= 2) {
diff --git a/crypto/heimdal/lib/roken/test-mem.c b/crypto/heimdal/lib/roken/test-mem.c
new file mode 100644
index 0000000..d955c1a
--- /dev/null
+++ b/crypto/heimdal/lib/roken/test-mem.c
@@ -0,0 +1,199 @@
+/*
+ * Copyright (c) 1999 - 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#ifdef HAVE_SYS_MMAN_H
+#include <sys/mman.h>
+#endif
+#include <stdio.h>
+#include <string.h>
+#include <err.h>
+#include "roken.h"
+
+#include "test-mem.h"
+
+RCSID("$Id: test-mem.c 21005 2007-06-08 01:54:35Z lha $");
+
+/* #undef HAVE_MMAP */
+
+struct {
+    void *start;
+    size_t size;
+    void *data_start;
+    size_t data_size;
+    enum rk_test_mem_type type;
+    int fd;
+} map;
+
+struct sigaction sa, osa;
+
+char *testname;
+
+static RETSIGTYPE
+segv_handler(int sig)
+{
+    int fd;
+    char msg[] = "SIGSEGV i current test: ";
+    
+    fd = open("/dev/stdout", O_WRONLY, 0600);
+    if (fd >= 0) {
+	write(fd, msg, sizeof(msg) - 1);
+	write(fd, testname, strlen(testname));
+	write(fd, "\n", 1);
+	close(fd);
+    }
+    _exit(1);
+}
+
+#define TESTREC()							\
+    if (testname)							\
+	errx(1, "test %s run recursively on %s", name, testname);	\
+    testname = strdup(name);						\
+    if (testname == NULL)						\
+	errx(1, "malloc");
+
+
+void * ROKEN_LIB_FUNCTION
+rk_test_mem_alloc(enum rk_test_mem_type type, const char *name,
+		  void *buf, size_t size)
+{
+#ifndef HAVE_MMAP
+    unsigned char *p;
+    
+    TESTREC();
+
+    p = malloc(size + 2);
+    if (p == NULL)
+	errx(1, "malloc");
+    map.type = type;
+    map.start = p;
+    map.size = size + 2;
+    p[0] = 0xff;
+    p[map.size] = 0xff;
+    map.data_start = p + 1;
+#else
+    unsigned char *p;
+    int flags, ret, fd;
+    size_t pagesize = getpagesize();
+
+    TESTREC();
+
+    map.type = type;
+
+#ifdef MAP_ANON
+    flags = MAP_ANON;
+    fd = -1;
+#else
+    flags = 0;
+    fd = open ("/dev/zero", O_RDONLY);
+    if(fd < 0)
+	err (1, "open /dev/zero");
+#endif
+    map.fd = fd;
+    flags |= MAP_PRIVATE;
+
+    map.size = size + pagesize - (size % pagesize) + pagesize * 2;
+
+    p = (unsigned char *)mmap(0, map.size, PROT_READ | PROT_WRITE,
+			      flags, fd, 0);
+    if (p == (unsigned char *)MAP_FAILED)
+	err (1, "mmap");
+
+    map.start = p;
+
+    ret = mprotect ((void *)p, pagesize, 0);
+    if (ret < 0)
+	err (1, "mprotect");
+
+    ret = mprotect (p + map.size - pagesize, pagesize, 0);
+    if (ret < 0)
+	err (1, "mprotect");
+
+    switch (type) {
+    case RK_TM_OVERRUN:
+	map.data_start = p + map.size - pagesize - size;
+	break;
+    case RK_TM_UNDERRUN:
+	map.data_start = p + pagesize;
+	break;
+    default:
+	abort();
+    }
+#endif
+    sigemptyset (&sa.sa_mask);
+    sa.sa_flags = 0;
+#ifdef SA_RESETHAND
+    sa.sa_flags |= SA_RESETHAND;
+#endif
+    sa.sa_handler = segv_handler;
+    sigaction (SIGSEGV, &sa, &osa);
+
+    map.data_size = size;
+    if (buf)
+	memcpy(map.data_start, buf, size);
+    return map.data_start;
+}
+
+void ROKEN_LIB_FUNCTION
+rk_test_mem_free(const char *map_name)
+{
+#ifndef HAVE_MMAP
+    unsigned char *p = map.start;
+    
+    if (testname == NULL)
+	errx(1, "test_mem_free call on no free");
+
+    if (p[0] != 0xff)
+	errx(1, "%s: %s underrun %x\n", testname, map_name, p[0]);
+    if (p[map.size] != 0xff)
+	errx(1, "%s: %s overrun %x\n", testname, map_name, p[map.size - 1]);
+    free(map.start);
+#else
+    int ret;
+    
+    if (testname == NULL)
+	errx(1, "test_mem_free call on no free");
+
+    ret = munmap (map.start, map.size);
+    if (ret < 0)
+	err (1, "munmap");
+    if (map.fd > 0)
+	close(map.fd);
+#endif
+    free(testname);
+    testname = NULL;
+
+    sigaction (SIGSEGV, &osa, NULL);
+}
diff --git a/crypto/heimdal/lib/roken/test-mem.h b/crypto/heimdal/lib/roken/test-mem.h
new file mode 100644
index 0000000..896222f
--- /dev/null
+++ b/crypto/heimdal/lib/roken/test-mem.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 1999 - 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+enum rk_test_mem_type { RK_TM_OVERRUN, RK_TM_UNDERRUN };
+
+void * ROKEN_LIB_FUNCTION
+	rk_test_mem_alloc(enum rk_test_mem_type, const char *, void *, size_t);
+void ROKEN_LIB_FUNCTION
+	rk_test_mem_free(const char *);
diff --git a/crypto/heimdal/lib/roken/test-readenv.c b/crypto/heimdal/lib/roken/test-readenv.c
new file mode 100644
index 0000000..2cbf816
--- /dev/null
+++ b/crypto/heimdal/lib/roken/test-readenv.c
@@ -0,0 +1,118 @@
+/*
+ * Copyright (c) 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: test-readenv.c 20868 2007-06-03 21:02:04Z lha $");
+#endif
+
+#include "roken.h"
+#include "test-mem.h"
+
+char *s1 = "VAR1=VAL1#comment\n\
+VAR2=VAL2 VAL2 #comment\n\
+#this another comment\n\
+\n\
+VAR3=FOO";
+
+char *s2 = "VAR1=ENV2\n\
+";
+
+static void
+make_file(char *tmpl, size_t l)
+{
+    int fd;
+    strlcpy(tmpl, "env.XXXXXX", l);
+    fd = mkstemp(tmpl);
+    if(fd < 0)
+	err(1, "mkstemp");
+    close(fd);
+}
+
+static void
+write_file(const char *fn, const char *s)
+{
+    FILE *f;
+    f = fopen(fn, "w");
+    if(f == NULL) {
+	unlink(fn);
+	err(1, "fopen");
+    }
+    if(fwrite(s, 1, strlen(s), f) != strlen(s))
+	err(1, "short write");
+    if(fclose(f) != 0) {
+	unlink(fn);
+	err(1, "fclose");
+    }
+}
+
+int
+main(int argc, char **argv)
+{
+    char **env = NULL;
+    int count = 0;
+    char fn[MAXPATHLEN];
+    int error = 0;
+
+    make_file(fn, sizeof(fn));
+
+    write_file(fn, s1);
+    count = read_environment(fn, &env);
+    if(count != 3) {
+	warnx("test 1: variable count %d != 3", count);
+	error++;
+    }
+
+    write_file(fn, s2);
+    count = read_environment(fn, &env);
+    if(count != 1) {
+	warnx("test 2: variable count %d != 1", count);
+	error++;
+    }
+
+    unlink(fn);
+    count = read_environment(fn, &env);
+    if(count != 0) {
+	warnx("test 3: variable count %d != 0", count);
+	error++;
+    }
+    for(count = 0; env && env[count]; count++);
+    if(count != 3) {
+	warnx("total variable count %d != 3", count);
+	error++;
+    }
+    free_environment(env);
+    
+    
+    return error;
+}
diff --git a/crypto/heimdal/lib/roken/timegm.c b/crypto/heimdal/lib/roken/timegm.c
new file mode 100644
index 0000000..41eb487
--- /dev/null
+++ b/crypto/heimdal/lib/roken/timegm.c
@@ -0,0 +1,88 @@
+/*
+ * Copyright (c) 1997, 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: timegm.c 18606 2006-10-19 16:19:10Z lha $");
+#endif
+
+#include "roken.h"
+
+static int
+is_leap(unsigned y)
+{
+    y += 1900;
+    return (y % 4) == 0 && ((y % 100) != 0 || (y % 400) == 0);
+}
+
+/* 
+ * XXX This is a simplifed version of timegm, it needs to support out of
+ * bounds values.
+ */
+
+time_t
+rk_timegm (struct tm *tm)
+{
+  static const unsigned ndays[2][12] ={
+    {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31},
+    {31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31}};
+  time_t res = 0;
+  unsigned i;
+
+  if (tm->tm_year < 0) 
+      return -1;
+  if (tm->tm_mon < 0 || tm->tm_mon > 11) 
+      return -1;
+  if (tm->tm_mday < 1 || tm->tm_mday > ndays[is_leap(tm->tm_year)][tm->tm_mon])
+      return -1;
+  if (tm->tm_hour < 0 || tm->tm_hour > 23) 
+      return -1;
+  if (tm->tm_min < 0 || tm->tm_min > 59) 
+      return -1;
+  if (tm->tm_sec < 0 || tm->tm_sec > 59) 
+      return -1;
+
+  for (i = 70; i < tm->tm_year; ++i)
+    res += is_leap(i) ? 366 : 365;
+
+  for (i = 0; i < tm->tm_mon; ++i)
+    res += ndays[is_leap(tm->tm_year)][i];
+  res += tm->tm_mday - 1;
+  res *= 24;
+  res += tm->tm_hour;
+  res *= 60;
+  res += tm->tm_min;
+  res *= 60;
+  res += tm->tm_sec;
+  return res;
+}
diff --git a/crypto/heimdal/lib/roken/timeval.c b/crypto/heimdal/lib/roken/timeval.c
index ea4dee8..b72e202 100644
--- a/crypto/heimdal/lib/roken/timeval.c
+++ b/crypto/heimdal/lib/roken/timeval.c
@@ -37,7 +37,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: timeval.c,v 1.1 2000/03/03 09:02:42 assar Exp $");
+RCSID("$Id: timeval.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
@@ -46,7 +46,7 @@ RCSID("$Id: timeval.c,v 1.1 2000/03/03 09:02:42 assar Exp $");
  * Make `t1' consistent.
  */
 
-void
+void ROKEN_LIB_FUNCTION
 timevalfix(struct timeval *t1)
 {
     if (t1->tv_usec < 0) {
@@ -63,7 +63,7 @@ timevalfix(struct timeval *t1)
  * t1 += t2
  */
 
-void
+void ROKEN_LIB_FUNCTION
 timevaladd(struct timeval *t1, const struct timeval *t2)
 {
     t1->tv_sec  += t2->tv_sec;
@@ -75,7 +75,7 @@ timevaladd(struct timeval *t1, const struct timeval *t2)
  * t1 -= t2
  */
 
-void
+void ROKEN_LIB_FUNCTION
 timevalsub(struct timeval *t1, const struct timeval *t2)
 {
     t1->tv_sec  -= t2->tv_sec;
diff --git a/crypto/heimdal/lib/roken/tm2time.c b/crypto/heimdal/lib/roken/tm2time.c
index b912e32..7bcba83 100644
--- a/crypto/heimdal/lib/roken/tm2time.c
+++ b/crypto/heimdal/lib/roken/tm2time.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995, 1996, 1997, 2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: tm2time.c,v 1.7 1999/12/02 16:58:53 joda Exp $");
+RCSID("$Id: tm2time.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #ifdef TIME_WITH_SYS_TIME
@@ -46,16 +46,16 @@ RCSID("$Id: tm2time.c,v 1.7 1999/12/02 16:58:53 joda Exp $");
 #endif
 #include "roken.h"
 
-time_t
+time_t ROKEN_LIB_FUNCTION
 tm2time (struct tm tm, int local)
 {
-     time_t t;
+    time_t t;
 
-     tm.tm_isdst = -1;
+    tm.tm_isdst = local ? -1 : 0;
 
-     t = mktime (&tm);
+    t = mktime (&tm);
 
-     if (!local)
-       t += t - mktime (gmtime (&t));
-     return t;
+    if (!local)
+	t += t - mktime (gmtime (&t));
+    return t;
 }
diff --git a/crypto/heimdal/lib/roken/unsetenv.c b/crypto/heimdal/lib/roken/unsetenv.c
index 6d95a51..54cf7b7 100644
--- a/crypto/heimdal/lib/roken/unsetenv.c
+++ b/crypto/heimdal/lib/roken/unsetenv.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: unsetenv.c,v 1.7 1999/12/02 16:58:53 joda Exp $");
+RCSID("$Id: unsetenv.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include <stdlib.h>
@@ -46,7 +46,7 @@ extern char **environ;
 /*
  * unsetenv --
  */
-void
+void ROKEN_LIB_FUNCTION
 unsetenv(const char *name)
 {
   int len;
diff --git a/crypto/heimdal/lib/roken/unvis.c b/crypto/heimdal/lib/roken/unvis.c
index 363564c..72d5f16 100644
--- a/crypto/heimdal/lib/roken/unvis.c
+++ b/crypto/heimdal/lib/roken/unvis.c
@@ -12,11 +12,7 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
+ * 3. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
@@ -36,9 +32,9 @@
 #if 1
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: unvis.c,v 1.2 2000/12/06 21:41:46 joda Exp $");
+RCSID("$Id: unvis.c 21005 2007-06-08 01:54:35Z lha $");
 #endif
-#include <roken.h>
+#include "roken.h"
 #ifndef _DIAGASSERT
 #define _DIAGASSERT(X)
 #endif
@@ -86,12 +82,17 @@ __warn_references(unvis,
 
 #define	isoctal(c)	(((u_char)(c)) >= '0' && ((u_char)(c)) <= '7')
 
+int ROKEN_LIB_FUNCTION
+	rk_strunvis (char *, const char *);
+int ROKEN_LIB_FUNCTION
+	rk_unvis (char *, int, int *, int);
+
 /*
  * unvis - decode characters previously encoded by vis
  */
-#ifndef HAVE_UNVIS
-int
-unvis(char *cp, int c, int *astate, int flag)
+
+int ROKEN_LIB_FUNCTION
+rk_unvis(char *cp, int c, int *astate, int flag)
 {
 
 	_DIAGASSERT(cp != NULL);
@@ -244,7 +245,6 @@ unvis(char *cp, int c, int *astate, int flag)
 		return (UNVIS_SYNBAD);
 	}
 }
-#endif
 
 /*
  * strunvis - decode src into dst 
@@ -253,9 +253,8 @@ unvis(char *cp, int c, int *astate, int flag)
  *	Dst is null terminated.
  */
 
-#ifndef HAVE_STRUNVIS
-int
-strunvis(char *dst, const char *src)
+int ROKEN_LIB_FUNCTION
+rk_strunvis(char *dst, const char *src)
 {
 	char c;
 	char *start = dst;
@@ -266,7 +265,7 @@ strunvis(char *dst, const char *src)
 
 	while ((c = *src++) != '\0') {
 	again:
-		switch (unvis(dst, c, &state, 0)) {
+		switch (rk_unvis(dst, (unsigned char)c, &state, 0)) {
 		case UNVIS_VALID:
 			dst++;
 			break;
@@ -280,9 +279,8 @@ strunvis(char *dst, const char *src)
 			return (-1);
 		}
 	}
-	if (unvis(dst, c, &state, UNVIS_END) == UNVIS_VALID)
+	if (unvis(dst, (unsigned char)c, &state, UNVIS_END) == UNVIS_VALID)
 		dst++;
 	*dst = '\0';
 	return (dst - start);
 }
-#endif
diff --git a/crypto/heimdal/lib/roken/verify.c b/crypto/heimdal/lib/roken/verify.c
index 842fa9a..54ad814 100644
--- a/crypto/heimdal/lib/roken/verify.c
+++ b/crypto/heimdal/lib/roken/verify.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: verify.c,v 1.13 1999/12/02 16:58:53 joda Exp $");
+RCSID("$Id: verify.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include <stdio.h>
@@ -45,7 +45,7 @@ RCSID("$Id: verify.c,v 1.13 1999/12/02 16:58:53 joda Exp $");
 #endif
 #include "roken.h"
 
-int
+int ROKEN_LIB_FUNCTION
 unix_verify_user(char *user, char *password)
 {
     struct passwd *pw;
diff --git a/crypto/heimdal/lib/roken/verr.c b/crypto/heimdal/lib/roken/verr.c
index 67b4512..3db3c1c 100644
--- a/crypto/heimdal/lib/roken/verr.c
+++ b/crypto/heimdal/lib/roken/verr.c
@@ -33,13 +33,13 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: verr.c,v 1.10 2001/01/25 12:41:39 assar Exp $");
+RCSID("$Id: verr.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
 #include <err.h>
 
-void
+void ROKEN_LIB_FUNCTION
 verr(int eval, const char *fmt, va_list ap)
 {
     warnerr(1, fmt, ap);
diff --git a/crypto/heimdal/lib/roken/verrx.c b/crypto/heimdal/lib/roken/verrx.c
index 5df5c8d..a3a59d0 100644
--- a/crypto/heimdal/lib/roken/verrx.c
+++ b/crypto/heimdal/lib/roken/verrx.c
@@ -33,13 +33,13 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: verrx.c,v 1.10 2001/01/25 12:41:39 assar Exp $");
+RCSID("$Id: verrx.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
 #include <err.h>
 
-void
+void ROKEN_LIB_FUNCTION
 verrx(int eval, const char *fmt, va_list ap)
 {
     warnerr(0, fmt, ap);
diff --git a/crypto/heimdal/lib/roken/vis.c b/crypto/heimdal/lib/roken/vis.c
index 8dd5832..1114223 100644
--- a/crypto/heimdal/lib/roken/vis.c
+++ b/crypto/heimdal/lib/roken/vis.c
@@ -1,7 +1,6 @@
-/*	$NetBSD: vis.c,v 1.19 2000/01/22 22:42:45 mycroft Exp $	*/
+/*	$NetBSD: vis.c,v 1.4 2003/08/07 09:15:32 agc Exp $	*/
 
 /*-
- * Copyright (c) 1999 The NetBSD Foundation, Inc.
  * Copyright (c) 1989, 1993
  *	The Regents of the University of California.  All rights reserved.
  *
@@ -13,6 +12,34 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*-
+ * Copyright (c) 1999 The NetBSD Foundation, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  * 3. All advertising materials mentioning features or use of this software
  *    must display the following acknowledgement:
  *	This product includes software developed by the University of
@@ -38,16 +65,16 @@
 #if 1
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: vis.c,v 1.5 2001/09/03 05:37:23 assar Exp $");
+RCSID("$Id: vis.c 21005 2007-06-08 01:54:35Z lha $");
 #endif
-#include <roken.h>
+#include "roken.h"
 #ifndef _DIAGASSERT
 #define _DIAGASSERT(X)
 #endif
 #else
 #include <sys/cdefs.h>
 #if !defined(lint)
-__RCSID("$NetBSD: vis.c,v 1.19 2000/01/22 22:42:45 mycroft Exp $");
+__RCSID("$NetBSD: vis.c,v 1.4 2003/08/07 09:15:32 agc Exp $");
 #endif /* not lint */
 #endif
 
@@ -81,6 +108,20 @@ __weak_alias(vis,_vis)
 #define BELL '\007'
 #endif
 
+char ROKEN_LIB_FUNCTION
+	*rk_vis (char *, int, int, int);
+char ROKEN_LIB_FUNCTION
+	*rk_svis (char *, int, int, int, const char *);
+int ROKEN_LIB_FUNCTION
+	rk_strvis (char *, const char *, int);
+int ROKEN_LIB_FUNCTION
+	rk_strsvis (char *, const char *, int, const char *);
+int ROKEN_LIB_FUNCTION
+	rk_strvisx (char *, const char *, size_t, int);
+int ROKEN_LIB_FUNCTION
+	rk_strsvisx (char *, const char *, size_t, int, const char *);
+
+
 #define isoctal(c)	(((u_char)(c)) >= '0' && ((u_char)(c)) <= '7')
 #define iswhite(c)	(c == ' ' || c == '\t' || c == '\n')
 #define issafe(c)	(c == '\b' || c == BELL || c == '\r')
@@ -181,9 +222,9 @@ do {									   \
  * svis - visually encode characters, also encoding the characters
  * 	  pointed to by `extra'
  */
-#ifndef HAVE_SVIS
-char *
-svis(char *dst, int c, int flag, int nextc, const char *extra)
+
+char * ROKEN_LIB_FUNCTION
+rk_svis(char *dst, int c, int flag, int nextc, const char *extra)
 {
 	_DIAGASSERT(dst != NULL);
 	_DIAGASSERT(extra != NULL);
@@ -192,7 +233,6 @@ svis(char *dst, int c, int flag, int nextc, const char *extra)
 	*dst = '\0';
 	return(dst);
 }
-#endif
 
 
 /*
@@ -210,9 +250,9 @@ svis(char *dst, int c, int flag, int nextc, const char *extra)
  *	Strsvisx encodes exactly len bytes from src into dst.
  *	This is useful for encoding a block of data.
  */
-#ifndef HAVE_STRSVIS
-int
-strsvis(char *dst, const char *src, int flag, const char *extra)
+
+int ROKEN_LIB_FUNCTION
+rk_strsvis(char *dst, const char *src, int flag, const char *extra)
 {
 	char c;
 	char *start;
@@ -226,12 +266,10 @@ strsvis(char *dst, const char *src, int flag, const char *extra)
 	*dst = '\0';
 	return (dst - start);
 }
-#endif
 
 
-#ifndef HAVE_STRVISX
-int
-strsvisx(char *dst, const char *src, size_t len, int flag, const char *extra)
+int ROKEN_LIB_FUNCTION
+rk_strsvisx(char *dst, const char *src, size_t len, int flag, const char *extra)
 {
 	char c;
 	char *start;
@@ -247,15 +285,13 @@ strsvisx(char *dst, const char *src, size_t len, int flag, const char *extra)
 	*dst = '\0';
 	return (dst - start);
 }
-#endif
 
 
 /*
  * vis - visually encode characters
  */
-#ifndef HAVE_VIS
-char *
-vis(char *dst, int c, int flag, int nextc)
+char * ROKEN_LIB_FUNCTION
+rk_vis(char *dst, int c, int flag, int nextc)
 {
 	char extra[MAXEXTRAS];
 
@@ -266,7 +302,6 @@ vis(char *dst, int c, int flag, int nextc)
 	*dst = '\0';
 	return (dst);
 }
-#endif
 
 
 /*
@@ -279,25 +314,22 @@ vis(char *dst, int c, int flag, int nextc)
  *	Strvisx encodes exactly len bytes from src into dst.
  *	This is useful for encoding a block of data.
  */
-#ifndef HAVE_STRVIS
-int
-strvis(char *dst, const char *src, int flag)
+
+int ROKEN_LIB_FUNCTION
+rk_strvis(char *dst, const char *src, int flag)
 {
 	char extra[MAXEXTRAS];
 
 	MAKEEXTRALIST(flag, extra);
-	return (strsvis(dst, src, flag, extra));
+	return (rk_strsvis(dst, src, flag, extra));
 }
-#endif
 
 
-#ifndef HAVE_STRVISX
-int
-strvisx(char *dst, const char *src, size_t len, int flag)
+int ROKEN_LIB_FUNCTION
+rk_strvisx(char *dst, const char *src, size_t len, int flag)
 {
 	char extra[MAXEXTRAS];
 
 	MAKEEXTRALIST(flag, extra);
-	return (strsvisx(dst, src, len, flag, extra));
+	return (rk_strsvisx(dst, src, len, flag, extra));
 }
-#endif
diff --git a/crypto/heimdal/lib/roken/vis.h b/crypto/heimdal/lib/roken/vis.h
new file mode 100644
index 0000000..224870b
--- /dev/null
+++ b/crypto/heimdal/lib/roken/vis.h
@@ -0,0 +1,115 @@
+/*	$NetBSD: vis.h,v 1.11 1999/11/25 16:55:50 wennmach Exp $	*/
+/*	$Id: vis.hin 19341 2006-12-15 11:53:09Z lha $	*/
+
+/*-
+ * Copyright (c) 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)vis.h	8.1 (Berkeley) 6/2/93
+ */
+
+#ifndef _VIS_H_
+#define	_VIS_H_
+
+#ifndef ROKEN_LIB_FUNCTION
+#ifdef _WIN32
+#define ROKEN_LIB_FUNCTION _stdcall
+#else
+#define ROKEN_LIB_FUNCTION
+#endif
+#endif
+
+/*
+ * to select alternate encoding format
+ */
+#define	VIS_OCTAL	0x01	/* use octal \ddd format */
+#define	VIS_CSTYLE	0x02	/* use \[nrft0..] where appropiate */
+
+/*
+ * to alter set of characters encoded (default is to encode all
+ * non-graphic except space, tab, and newline).
+ */
+#define	VIS_SP		0x04	/* also encode space */
+#define	VIS_TAB		0x08	/* also encode tab */
+#define	VIS_NL		0x10	/* also encode newline */
+#define	VIS_WHITE	(VIS_SP | VIS_TAB | VIS_NL)
+#define	VIS_SAFE	0x20	/* only encode "unsafe" characters */
+
+/*
+ * other
+ */
+#define	VIS_NOSLASH	0x40	/* inhibit printing '\' */
+
+/*
+ * unvis return codes
+ */
+#define	UNVIS_VALID	 1	/* character valid */
+#define	UNVIS_VALIDPUSH	 2	/* character valid, push back passed char */
+#define	UNVIS_NOCHAR	 3	/* valid sequence, no character produced */
+#define	UNVIS_SYNBAD	-1	/* unrecognized escape sequence */
+#define	UNVIS_ERROR	-2	/* decoder in unknown state (unrecoverable) */
+
+/*
+ * unvis flags
+ */
+#define	UNVIS_END	1	/* no more characters */
+
+char ROKEN_LIB_FUNCTION
+	*rk_vis (char *, int, int, int);
+char ROKEN_LIB_FUNCTION
+	*rk_svis (char *, int, int, int, const char *);
+int ROKEN_LIB_FUNCTION
+	rk_strvis (char *, const char *, int);
+int ROKEN_LIB_FUNCTION
+	rk_strsvis (char *, const char *, int, const char *);
+int ROKEN_LIB_FUNCTION
+	rk_strvisx (char *, const char *, size_t, int);
+int ROKEN_LIB_FUNCTION
+	rk_strsvisx (char *, const char *, size_t, int, const char *);
+int ROKEN_LIB_FUNCTION
+	rk_strunvis (char *, const char *);
+int ROKEN_LIB_FUNCTION
+	rk_unvis (char *, int, int *, int);
+
+#undef vis
+#define vis(a,b,c,d) rk_vis(a,b,c,d)
+#undef svis
+#define svis(a,b,c,d,e) rk_svis(a,b,c,d,e)
+#undef strvis
+#define strvis(a,b,c) rk_strvis(a,b,c)
+#undef strsvis
+#define strsvis(a,b,c,d) rk_strsvis(a,b,c,d)
+#undef strvisx
+#define strvisx(a,b,c,d) rk_strvisx(a,b,c,d)
+#undef strsvisx
+#define strsvisx(a,b,c,d,e) rk_strsvisx(a,b,c,d,e)
+#undef strunvis
+#define strunvis(a,b) rk_strunvis(a,b)
+#undef unvis
+#define unvis(a,b,c,d) rk_unvis(a,b,c,d)
+
+#endif /* !_VIS_H_ */
diff --git a/crypto/heimdal/lib/roken/vis.hin b/crypto/heimdal/lib/roken/vis.hin
index a9d09da9..224870b 100644
--- a/crypto/heimdal/lib/roken/vis.hin
+++ b/crypto/heimdal/lib/roken/vis.hin
@@ -1,5 +1,5 @@
 /*	$NetBSD: vis.h,v 1.11 1999/11/25 16:55:50 wennmach Exp $	*/
-/*	$Id: vis.hin,v 1.1 2000/12/06 21:35:47 joda Exp $	*/
+/*	$Id: vis.hin 19341 2006-12-15 11:53:09Z lha $	*/
 
 /*-
  * Copyright (c) 1990, 1993
@@ -13,11 +13,7 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
+ * 3. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
@@ -39,6 +35,14 @@
 #ifndef _VIS_H_
 #define	_VIS_H_
 
+#ifndef ROKEN_LIB_FUNCTION
+#ifdef _WIN32
+#define ROKEN_LIB_FUNCTION _stdcall
+#else
+#define ROKEN_LIB_FUNCTION
+#endif
+#endif
+
 /*
  * to select alternate encoding format
  */
@@ -74,13 +78,38 @@
  */
 #define	UNVIS_END	1	/* no more characters */
 
-char	*vis (char *, int, int, int);
-char	*svis (char *, int, int, int, const char *);
-int	strvis (char *, const char *, int);
-int	strsvis (char *, const char *, int, const char *);
-int	strvisx (char *, const char *, size_t, int);
-int	strsvisx (char *, const char *, size_t, int, const char *);
-int	strunvis (char *, const char *);
-int	unvis (char *, int, int *, int);
+char ROKEN_LIB_FUNCTION
+	*rk_vis (char *, int, int, int);
+char ROKEN_LIB_FUNCTION
+	*rk_svis (char *, int, int, int, const char *);
+int ROKEN_LIB_FUNCTION
+	rk_strvis (char *, const char *, int);
+int ROKEN_LIB_FUNCTION
+	rk_strsvis (char *, const char *, int, const char *);
+int ROKEN_LIB_FUNCTION
+	rk_strvisx (char *, const char *, size_t, int);
+int ROKEN_LIB_FUNCTION
+	rk_strsvisx (char *, const char *, size_t, int, const char *);
+int ROKEN_LIB_FUNCTION
+	rk_strunvis (char *, const char *);
+int ROKEN_LIB_FUNCTION
+	rk_unvis (char *, int, int *, int);
+
+#undef vis
+#define vis(a,b,c,d) rk_vis(a,b,c,d)
+#undef svis
+#define svis(a,b,c,d,e) rk_svis(a,b,c,d,e)
+#undef strvis
+#define strvis(a,b,c) rk_strvis(a,b,c)
+#undef strsvis
+#define strsvis(a,b,c,d) rk_strsvis(a,b,c,d)
+#undef strvisx
+#define strvisx(a,b,c,d) rk_strvisx(a,b,c,d)
+#undef strsvisx
+#define strsvisx(a,b,c,d,e) rk_strsvisx(a,b,c,d,e)
+#undef strunvis
+#define strunvis(a,b) rk_strunvis(a,b)
+#undef unvis
+#define unvis(a,b,c,d) rk_unvis(a,b,c,d)
 
 #endif /* !_VIS_H_ */
diff --git a/crypto/heimdal/lib/roken/vsyslog.c b/crypto/heimdal/lib/roken/vsyslog.c
index c72cf33..690eb7d 100644
--- a/crypto/heimdal/lib/roken/vsyslog.c
+++ b/crypto/heimdal/lib/roken/vsyslog.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: vsyslog.c,v 1.6 2000/05/22 22:09:25 assar Exp $");
+RCSID("$Id: vsyslog.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #ifndef HAVE_VSYSLOG
@@ -61,7 +61,7 @@ simple_vsyslog(int pri, const char *fmt, va_list ap)
  * do like syslog but with a `va_list'
  */
 
-void
+void ROKEN_LIB_FUNCTION
 vsyslog(int pri, const char *fmt, va_list ap)
 {
     char *fmt2;
diff --git a/crypto/heimdal/lib/roken/vwarn.c b/crypto/heimdal/lib/roken/vwarn.c
index 4034b1b..c25ca62 100644
--- a/crypto/heimdal/lib/roken/vwarn.c
+++ b/crypto/heimdal/lib/roken/vwarn.c
@@ -33,13 +33,13 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: vwarn.c,v 1.10 2001/01/25 12:41:39 assar Exp $");
+RCSID("$Id: vwarn.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
 #include <err.h>
 
-void
+void ROKEN_LIB_FUNCTION
 vwarn(const char *fmt, va_list ap)
 {
     warnerr(1, fmt, ap);
diff --git a/crypto/heimdal/lib/roken/vwarnx.c b/crypto/heimdal/lib/roken/vwarnx.c
index 7449a75..e35c0de 100644
--- a/crypto/heimdal/lib/roken/vwarnx.c
+++ b/crypto/heimdal/lib/roken/vwarnx.c
@@ -33,13 +33,13 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: vwarnx.c,v 1.10 2001/01/25 12:41:39 assar Exp $");
+RCSID("$Id: vwarnx.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
 #include <err.h>
 
-void
+void ROKEN_LIB_FUNCTION
 vwarnx(const char *fmt, va_list ap)
 {
     warnerr(0, fmt, ap);
diff --git a/crypto/heimdal/lib/roken/warn.c b/crypto/heimdal/lib/roken/warn.c
index d8ee335..0924880 100644
--- a/crypto/heimdal/lib/roken/warn.c
+++ b/crypto/heimdal/lib/roken/warn.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: warn.c,v 1.6 1999/12/02 16:58:54 joda Exp $");
+RCSID("$Id: warn.c 7463 1999-12-02 16:58:55Z joda $");
 #endif
 
 #include "err.h"
diff --git a/crypto/heimdal/lib/roken/warnerr.c b/crypto/heimdal/lib/roken/warnerr.c
index 0509d19..6dee466 100644
--- a/crypto/heimdal/lib/roken/warnerr.c
+++ b/crypto/heimdal/lib/roken/warnerr.c
@@ -33,13 +33,13 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: warnerr.c,v 1.15 2001/07/09 14:56:51 assar Exp $");
+RCSID("$Id: warnerr.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
 #include "err.h"
 
-void
+void ROKEN_LIB_FUNCTION
 warnerr(int doerrno, const char *fmt, va_list ap)
 {
     int sverrno = errno;
diff --git a/crypto/heimdal/lib/roken/warnx.c b/crypto/heimdal/lib/roken/warnx.c
index c991176..7e1de7a 100644
--- a/crypto/heimdal/lib/roken/warnx.c
+++ b/crypto/heimdal/lib/roken/warnx.c
@@ -33,12 +33,12 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: warnx.c,v 1.6 1999/12/02 16:58:54 joda Exp $");
+RCSID("$Id: warnx.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "err.h"
 
-void
+void ROKEN_LIB_FUNCTION
 warnx(const char *fmt, ...)
 {
   va_list ap;
diff --git a/crypto/heimdal/lib/roken/write_pid.c b/crypto/heimdal/lib/roken/write_pid.c
index 763b513..edadf5c 100644
--- a/crypto/heimdal/lib/roken/write_pid.c
+++ b/crypto/heimdal/lib/roken/write_pid.c
@@ -33,17 +33,17 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: write_pid.c,v 1.6 2001/09/02 23:58:15 assar Exp $");
+RCSID("$Id: write_pid.c 21005 2007-06-08 01:54:35Z lha $");
 #endif
 
 #include <stdio.h>
 #include <sys/types.h>
 #include <unistd.h>
-#include <roken.h>
+#include "roken.h"
 
 #include "roken.h"
 
-char *
+char * ROKEN_LIB_FUNCTION
 pid_file_write (const char *progname)
 {
     FILE *fp;
@@ -62,7 +62,7 @@ pid_file_write (const char *progname)
     return ret;
 }
 
-void
+void ROKEN_LIB_FUNCTION
 pid_file_delete (char **filename)
 {
     if (*filename != NULL) {
diff --git a/crypto/heimdal/lib/roken/writev.c b/crypto/heimdal/lib/roken/writev.c
index e3859bf..2500e6d 100644
--- a/crypto/heimdal/lib/roken/writev.c
+++ b/crypto/heimdal/lib/roken/writev.c
@@ -33,12 +33,12 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: writev.c,v 1.3 1999/12/02 16:58:54 joda Exp $");
+RCSID("$Id: writev.c 14773 2005-04-12 11:29:18Z lha $");
 #endif
 
 #include "roken.h"
 
-ssize_t
+ssize_t ROKEN_LIB_FUNCTION
 writev(int d, const struct iovec *iov, int iovcnt)
 {
     ssize_t ret;
diff --git a/crypto/heimdal/lib/roken/xdbm.h b/crypto/heimdal/lib/roken/xdbm.h
index 6e65217..618e074 100644
--- a/crypto/heimdal/lib/roken/xdbm.h
+++ b/crypto/heimdal/lib/roken/xdbm.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: xdbm.h,v 1.15 2002/05/17 16:02:22 joda Exp $ */
+/* $Id: xdbm.h 10986 2002-05-17 16:02:22Z joda $ */
 
 /* Generic *dbm include file */
 
diff --git a/crypto/heimdal/lib/sl/ChangeLog b/crypto/heimdal/lib/sl/ChangeLog
index e25ae81..3937232b0 100644
--- a/crypto/heimdal/lib/sl/ChangeLog
+++ b/crypto/heimdal/lib/sl/ChangeLog
@@ -1,3 +1,136 @@
+2007-07-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: roken_rename.h is a dist_ source k
+
+	* Makefile.am: split source files in dist and nodist.
+
+2007-07-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: New library version.
+
+2007-06-18  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* sl.c: make compile.
+
+	* sl.c: Pass in pointer to strlen().
+
+	* sl.c (sl_make_argv): use memmove since we are dealing with
+	overlapping strings.
+
+2007-06-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: don't clean yacc/lex files in CLEANFILES,
+	maintainers clean will do that for us.
+	
+2007-06-01  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* slc-gram.y (main): also fclose yyin.
+	
+2007-04-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Add dependency on slc-gram.h for slc-lex.c, breaks
+	in disttree with make -j
+	
+2006-12-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_sl.c: Fix caseing for case-sensitive filesystems
+	
+2006-12-27  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* test_sl.c: catch test that should fail but didn't
+
+	* test_sl.c: Test more quoting variants.
+
+	* sl_locl.h: Include <ctype.h>.
+
+	* test_sl.c: test sl_make_argv
+
+	* sl.c (sl_make_argv): Add quoting support (both "" and \ style).
+	
+2006-12-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* sl.c: Use strcspn to remove \n from fgets result. Prompted by
+	change by Ray Lai of OpenBSD via Björn Sandell.
+	
+2006-10-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am (ES): add roken_rename.h
+	
+2006-08-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* sl.c (sl_slc_help): remove return
+	
+2006-08-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* sl.h: Add sl_slc_help.
+
+	* sl.c: Add sl_slc_help.
+	
+2005-07-27  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* slc-gram.y (gen_wrapper): use the generated version of name for
+	function, if no function is is used, also use the generated name
+	for the structure name.
+	
+2005-06-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* slc-gram.y: fix a merge error
+	
+	* slc-gram.y: rename optind to optidx, rename variables to avoid
+	shadowing
+
+	* make_cmds.c: rename optind to optidx, move variable define to
+	avoid shadowing
+
+	* ss.c: rename index to idx
+	
+	* sl.c: use rk_UNCONST to un-constify
+
+2005-05-10  Dave Love  <fx@gnu.org>
+
+	* slc-lex.l: Include <stdlib.h>.
+
+2005-05-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* sl.c (sl_command_loop): new return code -2 for EOF
+	(sl_loop): treat all return value from sl_command_loop >= 0 as ok, and
+	continue.
+
+2005-04-29  Dave Love  <fx@gnu.org>
+
+	* Makefile.am (LDADD): Add libsl.la.
+
+2005-04-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* slc-gram.y: include <config.h> since defines _GNU_SOURCE if
+	needed, avoid asprintf warning
+
+2005-01-21  Dave Love  <d.love@dl.ac.uk>
+
+	* slc-gram.y: include <roken.h>
+
+2005-01-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* slc-gram.y: cast argument to isalnum to unsigned char
+
+2004-09-22  Johan Danielsson  <joda@pdc.kth.se>
+
+	* slc-gram.y: add support for "strings" and "negative-flag" types,
+	plus some usability tweaks and bug fixes
+	
+2004-07-05  Johan Danielsson  <joda@pdc.kth.se>
+
+	* slc-gram.y: add min_args/max_args checking
+	
+2004-06-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* slc-gram.y: pull in <stdlib.h> and <vers.h> to avoid warnings
+	
+2004-03-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* sl.h: make it possible to use libsl from c++
+	From: Mattias Amnefelt <mattiasa@kth.se>
+	
 2002-05-19  Johan Danielsson  <joda@pdc.kth.se>
 
 	* Makefile.am: just link mk_cmds against libsl; avoids libtool
diff --git a/crypto/heimdal/lib/sl/Makefile.am b/crypto/heimdal/lib/sl/Makefile.am
index 2589e58..9c1b2dc 100644
--- a/crypto/heimdal/lib/sl/Makefile.am
+++ b/crypto/heimdal/lib/sl/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.29 2002/08/13 13:48:17 joda Exp $
+# $Id: Makefile.am 21625 2007-07-17 07:48:26Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -6,37 +6,46 @@ if do_roken_rename
 ES = strtok_r.c snprintf.c strdup.c strupr.c getprogname.c
 endif
 
-INCLUDES += $(ROKEN_RENAME)
+AM_CPPFLAGS += $(ROKEN_RENAME)
 
 YFLAGS = -d
 
 include_HEADERS = sl.h
 
 lib_LTLIBRARIES = libsl.la libss.la
-libsl_la_LDFLAGS = -version-info 1:2:1
-libss_la_LDFLAGS = -version-info 1:4:1
+libsl_la_LDFLAGS = -version-info 2:1:2
+libss_la_LDFLAGS = -version-info 1:6:1
 
 libsl_la_LIBADD = @LIB_readline@
 libss_la_LIBADD = @LIB_readline@ @LIB_com_err@
 
-libsl_la_SOURCES = sl_locl.h sl.c $(ES)
-libss_la_SOURCES = $(libsl_la_SOURCES) ss.c ss.h
+dist_libsl_la_SOURCES = sl_locl.h sl.c roken_rename.h
+nodist_libsl_la_SOURCES = $(ES)
+dist_libss_la_SOURCES = $(dist_libsl_la_SOURCES) ss.c ss.h
+nodist_libss_la_SOURCES = $(ES)
+
+TESTS = test_sl
+check_PROGRAMS = $(TESTS)	
 
 # install these?
 
 bin_PROGRAMS = mk_cmds
+noinst_PROGRAMS = slc
 
 mk_cmds_SOURCES = make_cmds.c make_cmds.h parse.y lex.l
 mk_cmds_LDADD = libsl.la $(LDADD)
 
+slc_SOURCES = slc-gram.y slc-lex.l slc.h
+
 ssincludedir = $(includedir)/ss
 ssinclude_HEADERS = ss.h
 
-CLEANFILES = lex.c parse.c parse.h snprintf.c strtok_r.c strdup.c strupr.c getprogname.c
+CLEANFILES = snprintf.c strtok_r.c strdup.c strupr.c getprogname.c
 
 $(mk_cmds_OBJECTS): parse.h parse.c
 
 LDADD =						\
+	libsl.la				\
 	$(LIB_roken)				\
 	$(LEXLIB)
 
@@ -50,3 +59,5 @@ strupr.c:
 	$(LN_S) $(srcdir)/../roken/strupr.c .
 getprogname.c:
 	$(LN_S) $(srcdir)/../roken/getprogname.c .
+
+slc-lex.c: slc-gram.h
diff --git a/crypto/heimdal/lib/sl/Makefile.in b/crypto/heimdal/lib/sl/Makefile.in
index a970795..0814375 100644
--- a/crypto/heimdal/lib/sl/Makefile.in
+++ b/crypto/heimdal/lib/sl/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,25 +14,19 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.29 2002/08/13 13:48:17 joda Exp $
+# $Id: Makefile.am 21625 2007-07-17 07:48:26Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
 
 
-SOURCES = $(libsl_la_SOURCES) $(libss_la_SOURCES) $(mk_cmds_SOURCES)
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -44,26 +38,28 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(include_HEADERS) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in $(ssinclude_HEADERS) \
 	$(top_srcdir)/Makefile.am.common \
 	$(top_srcdir)/cf/Makefile.am.common ChangeLog lex.c parse.c \
-	parse.h
+	parse.h slc-gram.c slc-gram.h slc-lex.c
+TESTS = test_sl$(EXEEXT)
+check_PROGRAMS = $(am__EXEEXT_1)
 bin_PROGRAMS = mk_cmds$(EXEEXT)
+noinst_PROGRAMS = slc$(EXEEXT)
 subdir = lib/sl
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -76,6 +72,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -84,60 +81,94 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(ssincludedir)"
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" \
+	"$(DESTDIR)$(includedir)" "$(DESTDIR)$(ssincludedir)"
 libLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(lib_LTLIBRARIES)
 libsl_la_DEPENDENCIES =
-am__libsl_la_SOURCES_DIST = sl_locl.h sl.c strtok_r.c snprintf.c \
-	strdup.c strupr.c getprogname.c
+dist_libsl_la_OBJECTS = sl.lo
 @do_roken_rename_TRUE@am__objects_1 = strtok_r.lo snprintf.lo \
 @do_roken_rename_TRUE@	strdup.lo strupr.lo getprogname.lo
-am_libsl_la_OBJECTS = sl.lo $(am__objects_1)
-libsl_la_OBJECTS = $(am_libsl_la_OBJECTS)
+nodist_libsl_la_OBJECTS = $(am__objects_1)
+libsl_la_OBJECTS = $(dist_libsl_la_OBJECTS) $(nodist_libsl_la_OBJECTS)
+libsl_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(libsl_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 libss_la_DEPENDENCIES =
-am__libss_la_SOURCES_DIST = sl_locl.h sl.c strtok_r.c snprintf.c \
-	strdup.c strupr.c getprogname.c ss.c ss.h
-am__objects_2 = sl.lo $(am__objects_1)
-am_libss_la_OBJECTS = $(am__objects_2) ss.lo
-libss_la_OBJECTS = $(am_libss_la_OBJECTS)
+am__objects_2 = sl.lo
+dist_libss_la_OBJECTS = $(am__objects_2) ss.lo
+nodist_libss_la_OBJECTS = $(am__objects_1)
+libss_la_OBJECTS = $(dist_libss_la_OBJECTS) $(nodist_libss_la_OBJECTS)
+libss_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(libss_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
-PROGRAMS = $(bin_PROGRAMS)
+am__EXEEXT_1 = test_sl$(EXEEXT)
+PROGRAMS = $(bin_PROGRAMS) $(noinst_PROGRAMS)
 am_mk_cmds_OBJECTS = make_cmds.$(OBJEXT) parse.$(OBJEXT) lex.$(OBJEXT)
 mk_cmds_OBJECTS = $(am_mk_cmds_OBJECTS)
 am__DEPENDENCIES_1 =
-am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+am__DEPENDENCIES_2 = libsl.la $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1)
 mk_cmds_DEPENDENCIES = libsl.la $(am__DEPENDENCIES_2)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+am_slc_OBJECTS = slc-gram.$(OBJEXT) slc-lex.$(OBJEXT)
+slc_OBJECTS = $(am_slc_OBJECTS)
+slc_LDADD = $(LDADD)
+slc_DEPENDENCIES = libsl.la $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1)
+test_sl_SOURCES = test_sl.c
+test_sl_OBJECTS = test_sl.$(OBJEXT)
+test_sl_LDADD = $(LDADD)
+test_sl_DEPENDENCIES = libsl.la $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1)
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MAINTAINER_MODE_FALSE@am__skiplex = test -f $@ ||
 LEXCOMPILE = $(LEX) $(LFLAGS) $(AM_LFLAGS)
-LTLEXCOMPILE = $(LIBTOOL) --mode=compile $(LEX) $(LFLAGS) $(AM_LFLAGS)
+LTLEXCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(LEX) $(LFLAGS) $(AM_LFLAGS)
+YLWRAP = $(top_srcdir)/ylwrap
+@MAINTAINER_MODE_FALSE@am__skipyacc = test -f $@ ||
 YACCCOMPILE = $(YACC) $(YFLAGS) $(AM_YFLAGS)
-LTYACCCOMPILE = $(LIBTOOL) --mode=compile $(YACC) $(YFLAGS) \
-	$(AM_YFLAGS)
-SOURCES = $(libsl_la_SOURCES) $(libss_la_SOURCES) $(mk_cmds_SOURCES)
-DIST_SOURCES = $(am__libsl_la_SOURCES_DIST) \
-	$(am__libss_la_SOURCES_DIST) $(mk_cmds_SOURCES)
+LTYACCCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(YACC) $(YFLAGS) $(AM_YFLAGS)
+SOURCES = $(dist_libsl_la_SOURCES) $(nodist_libsl_la_SOURCES) \
+	$(dist_libss_la_SOURCES) $(nodist_libss_la_SOURCES) \
+	$(mk_cmds_SOURCES) $(slc_SOURCES) test_sl.c
+DIST_SOURCES = $(dist_libsl_la_SOURCES) $(dist_libss_la_SOURCES) \
+	$(mk_cmds_SOURCES) $(slc_SOURCES) test_sl.c
 includeHEADERS_INSTALL = $(INSTALL_HEADER)
 ssincludeHEADERS_INSTALL = $(INSTALL_HEADER)
 HEADERS = $(include_HEADERS) $(ssinclude_HEADERS)
@@ -145,13 +176,7 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -161,8 +186,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -173,11 +196,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -185,42 +207,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -238,12 +245,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -253,15 +257,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -270,6 +273,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -281,15 +285,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -297,74 +296,80 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = -d
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(ROKEN_RENAME)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
+	$(ROKEN_RENAME)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -381,30 +386,34 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 @do_roken_rename_TRUE@ES = strtok_r.c snprintf.c strdup.c strupr.c getprogname.c
-YFLAGS = -d
 include_HEADERS = sl.h
 lib_LTLIBRARIES = libsl.la libss.la
-libsl_la_LDFLAGS = -version-info 1:2:1
-libss_la_LDFLAGS = -version-info 1:4:1
+libsl_la_LDFLAGS = -version-info 2:1:2
+libss_la_LDFLAGS = -version-info 1:6:1
 libsl_la_LIBADD = @LIB_readline@
 libss_la_LIBADD = @LIB_readline@ @LIB_com_err@
-libsl_la_SOURCES = sl_locl.h sl.c $(ES)
-libss_la_SOURCES = $(libsl_la_SOURCES) ss.c ss.h
+dist_libsl_la_SOURCES = sl_locl.h sl.c roken_rename.h
+nodist_libsl_la_SOURCES = $(ES)
+dist_libss_la_SOURCES = $(dist_libsl_la_SOURCES) ss.c ss.h
+nodist_libss_la_SOURCES = $(ES)
 mk_cmds_SOURCES = make_cmds.c make_cmds.h parse.y lex.l
 mk_cmds_LDADD = libsl.la $(LDADD)
+slc_SOURCES = slc-gram.y slc-lex.l slc.h
 ssincludedir = $(includedir)/ss
 ssinclude_HEADERS = ss.h
-CLEANFILES = lex.c parse.c parse.h snprintf.c strtok_r.c strdup.c strupr.c getprogname.c
+CLEANFILES = snprintf.c strtok_r.c strdup.c strupr.c getprogname.c
 LDADD = \
+	libsl.la				\
 	$(LIB_roken)				\
 	$(LEXLIB)
 
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .l .lo .o .obj .y
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .l .lo .o .obj .y
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -436,10 +445,10 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)"
+	test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  if test -f $$p; then \
-	    f="`echo $$p | sed -e 's|^.*/||'`"; \
+	    f=$(am__strip_dir) \
 	    echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \
 	    $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \
 	  else :; fi; \
@@ -448,7 +457,7 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 uninstall-libLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
-	    p="`echo $$p | sed -e 's|^.*/||'`"; \
+	  p=$(am__strip_dir) \
 	  echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \
 	  $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \
 	done
@@ -457,17 +466,17 @@ clean-libLTLIBRARIES:
 	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" = "$$p" && dir=.; \
+	  test "$$dir" != "$$p" || dir=.; \
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
 libsl.la: $(libsl_la_OBJECTS) $(libsl_la_DEPENDENCIES) 
-	$(LINK) -rpath $(libdir) $(libsl_la_LDFLAGS) $(libsl_la_OBJECTS) $(libsl_la_LIBADD) $(LIBS)
+	$(libsl_la_LINK) -rpath $(libdir) $(libsl_la_OBJECTS) $(libsl_la_LIBADD) $(LIBS)
 libss.la: $(libss_la_OBJECTS) $(libss_la_DEPENDENCIES) 
-	$(LINK) -rpath $(libdir) $(libss_la_LDFLAGS) $(libss_la_OBJECTS) $(libss_la_LIBADD) $(LIBS)
+	$(libss_la_LINK) -rpath $(libdir) $(libss_la_OBJECTS) $(libss_la_LIBADD) $(LIBS)
 install-binPROGRAMS: $(bin_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)"
+	test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
 	@list='$(bin_PROGRAMS)'; for p in $$list; do \
 	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
 	  if test -f $$p \
@@ -493,14 +502,39 @@ clean-binPROGRAMS:
 	  echo " rm -f $$p $$f"; \
 	  rm -f $$p $$f ; \
 	done
+
+clean-checkPROGRAMS:
+	@list='$(check_PROGRAMS)'; for p in $$list; do \
+	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  echo " rm -f $$p $$f"; \
+	  rm -f $$p $$f ; \
+	done
+
+clean-noinstPROGRAMS:
+	@list='$(noinst_PROGRAMS)'; for p in $$list; do \
+	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  echo " rm -f $$p $$f"; \
+	  rm -f $$p $$f ; \
+	done
 parse.h: parse.c
 	@if test ! -f $@; then \
 	  rm -f parse.c; \
-	  $(MAKE) parse.c; \
+	  $(MAKE) $(AM_MAKEFLAGS) parse.c; \
 	else :; fi
 mk_cmds$(EXEEXT): $(mk_cmds_OBJECTS) $(mk_cmds_DEPENDENCIES) 
 	@rm -f mk_cmds$(EXEEXT)
-	$(LINK) $(mk_cmds_LDFLAGS) $(mk_cmds_OBJECTS) $(mk_cmds_LDADD) $(LIBS)
+	$(LINK) $(mk_cmds_OBJECTS) $(mk_cmds_LDADD) $(LIBS)
+slc-gram.h: slc-gram.c
+	@if test ! -f $@; then \
+	  rm -f slc-gram.c; \
+	  $(MAKE) $(AM_MAKEFLAGS) slc-gram.c; \
+	else :; fi
+slc$(EXEEXT): $(slc_OBJECTS) $(slc_DEPENDENCIES) 
+	@rm -f slc$(EXEEXT)
+	$(LINK) $(slc_OBJECTS) $(slc_LDADD) $(LIBS)
+test_sl$(EXEEXT): $(test_sl_OBJECTS) $(test_sl_DEPENDENCIES) 
+	@rm -f test_sl$(EXEEXT)
+	$(LINK) $(test_sl_OBJECTS) $(test_sl_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -518,45 +552,22 @@ distclean-compile:
 	$(LTCOMPILE) -c -o $@ $<
 
 .l.c:
-	$(LEXCOMPILE) $<
-	sed '/^#/ s|$(LEX_OUTPUT_ROOT)\.c|$@|' $(LEX_OUTPUT_ROOT).c >$@
-	rm -f $(LEX_OUTPUT_ROOT).c
+	$(am__skiplex) $(SHELL) $(YLWRAP) $< $(LEX_OUTPUT_ROOT).c $@ -- $(LEXCOMPILE)
 
 .y.c:
-	$(YACCCOMPILE) $<
-	if test -f y.tab.h; then \
-	  to=`echo "$*_H" | sed \
-                -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/' \
-                -e 's/[^ABCDEFGHIJKLMNOPQRSTUVWXYZ]/_/g'`; \
-	  sed "/^#/ s/Y_TAB_H/$$to/g" y.tab.h >$*.ht; \
-	  rm -f y.tab.h; \
-	  if cmp -s $*.ht $*.h; then \
-	    rm -f $*.ht ;\
-	  else \
-	    mv $*.ht $*.h; \
-	  fi; \
-	fi
-	if test -f y.output; then \
-	  mv y.output $*.output; \
-	fi
-	sed '/^#/ s|y\.tab\.c|$@|' y.tab.c >$@t && mv $@t $@
-	rm -f y.tab.c
+	$(am__skipyacc) $(SHELL) $(YLWRAP) $< y.tab.c $@ y.tab.h $*.h y.output $*.output -- $(YACCCOMPILE)
 
 mostlyclean-libtool:
 	-rm -f *.lo
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 install-includeHEADERS: $(include_HEADERS)
 	@$(NORMAL_INSTALL)
-	test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)"
+	test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
 	@list='$(include_HEADERS)'; for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  f=$(am__strip_dir) \
 	  echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
 	  $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
 	done
@@ -564,16 +575,16 @@ install-includeHEADERS: $(include_HEADERS)
 uninstall-includeHEADERS:
 	@$(NORMAL_UNINSTALL)
 	@list='$(include_HEADERS)'; for p in $$list; do \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  f=$(am__strip_dir) \
 	  echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \
 	  rm -f "$(DESTDIR)$(includedir)/$$f"; \
 	done
 install-ssincludeHEADERS: $(ssinclude_HEADERS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ssincludedir)" || $(mkdir_p) "$(DESTDIR)$(ssincludedir)"
+	test -z "$(ssincludedir)" || $(MKDIR_P) "$(DESTDIR)$(ssincludedir)"
 	@list='$(ssinclude_HEADERS)'; for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  f=$(am__strip_dir) \
 	  echo " $(ssincludeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(ssincludedir)/$$f'"; \
 	  $(ssincludeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(ssincludedir)/$$f"; \
 	done
@@ -581,7 +592,7 @@ install-ssincludeHEADERS: $(ssinclude_HEADERS)
 uninstall-ssincludeHEADERS:
 	@$(NORMAL_UNINSTALL)
 	@list='$(ssinclude_HEADERS)'; for p in $$list; do \
-	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  f=$(am__strip_dir) \
 	  echo " rm -f '$(DESTDIR)$(ssincludedir)/$$f'"; \
 	  rm -f "$(DESTDIR)$(ssincludedir)/$$f"; \
 	done
@@ -606,9 +617,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -632,24 +645,95 @@ GTAGS:
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
-distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../.. $(distdir)/../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[	 ]'; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *$$ws$$tst$$ws*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		echo "XPASS: $$tst"; \
+	      ;; \
+	      *) \
+		echo "PASS: $$tst"; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *$$ws$$tst$$ws*) \
+		xfail=`expr $$xfail + 1`; \
+		echo "XFAIL: $$tst"; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		echo "FAIL: $$tst"; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      echo "SKIP: $$tst"; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="All $$all tests passed"; \
+	    else \
+	      banner="All $$all tests behaved as expected ($$xfail expected failures)"; \
+	    fi; \
 	  else \
-	    dir=''; \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all tests failed"; \
+	    else \
+	      banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    skipped="($$skip tests were not run)"; \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
 	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
+	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  test -z "$$skipped" || echo "$$skipped"; \
+	  test -z "$$report" || echo "$$report"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -664,14 +748,15 @@ distdir: $(DISTFILES)
 	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
 	  dist-hook
 check-am: all-am
-	$(MAKE) $(AM_MAKEFLAGS) check-local
+	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
 check: check-am
 all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local
 install-binPROGRAMS: install-libLTLIBRARIES
 
 installdirs:
 	for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(ssincludedir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -693,23 +778,27 @@ clean-generic:
 	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
-	-rm -f parse.h
 	-rm -f lex.c
 	-rm -f parse.c
+	-rm -f parse.h
+	-rm -f slc-gram.c
+	-rm -f slc-gram.h
+	-rm -f slc-lex.c
 clean: clean-am
 
-clean-am: clean-binPROGRAMS clean-generic clean-libLTLIBRARIES \
-	clean-libtool mostlyclean-am
+clean-am: clean-binPROGRAMS clean-checkPROGRAMS clean-generic \
+	clean-libLTLIBRARIES clean-libtool clean-noinstPROGRAMS \
+	mostlyclean-am
 
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -725,14 +814,22 @@ install-data-am: install-includeHEADERS install-ssincludeHEADERS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-binPROGRAMS install-libLTLIBRARIES
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man:
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -753,23 +850,31 @@ ps: ps-am
 ps-am:
 
 uninstall-am: uninstall-binPROGRAMS uninstall-includeHEADERS \
-	uninstall-info-am uninstall-libLTLIBRARIES \
-	uninstall-ssincludeHEADERS
-
-.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
-	clean clean-binPROGRAMS clean-generic clean-libLTLIBRARIES \
-	clean-libtool ctags distclean distclean-compile \
-	distclean-generic distclean-libtool distclean-tags distdir dvi \
-	dvi-am html html-am info info-am install install-am \
-	install-binPROGRAMS install-data install-data-am install-exec \
-	install-exec-am install-includeHEADERS install-info \
-	install-info-am install-libLTLIBRARIES install-man \
+	uninstall-libLTLIBRARIES uninstall-ssincludeHEADERS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
+.PHONY: CTAGS GTAGS all all-am all-local check check-TESTS check-am \
+	check-local clean clean-binPROGRAMS clean-checkPROGRAMS \
+	clean-generic clean-libLTLIBRARIES clean-libtool \
+	clean-noinstPROGRAMS ctags dist-hook distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-binPROGRAMS install-data \
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-includeHEADERS install-info \
+	install-info-am install-libLTLIBRARIES install-man install-pdf \
+	install-pdf-am install-ps install-ps-am \
 	install-ssincludeHEADERS install-strip installcheck \
 	installcheck-am installdirs maintainer-clean \
 	maintainer-clean-generic mostlyclean mostlyclean-compile \
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags uninstall uninstall-am uninstall-binPROGRAMS \
-	uninstall-includeHEADERS uninstall-info-am \
+	uninstall-hook uninstall-includeHEADERS \
 	uninstall-libLTLIBRARIES uninstall-ssincludeHEADERS
 
 
@@ -785,8 +890,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -796,19 +901,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -824,7 +941,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -894,15 +1011,40 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
 
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
 $(mk_cmds_OBJECTS): parse.h parse.c
 
 strtok_r.c:
@@ -915,6 +1057,8 @@ strupr.c:
 	$(LN_S) $(srcdir)/../roken/strupr.c .
 getprogname.c:
 	$(LN_S) $(srcdir)/../roken/getprogname.c .
+
+slc-lex.c: slc-gram.h
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/lib/sl/lex.c b/crypto/heimdal/lib/sl/lex.c
new file mode 100644
index 0000000..57e6a7c
--- /dev/null
+++ b/crypto/heimdal/lib/sl/lex.c
@@ -0,0 +1,1880 @@
+
+#line 3 "lex.c"
+
+#define  YY_INT_ALIGNED short int
+
+/* A lexical scanner generated by flex */
+
+#define FLEX_SCANNER
+#define YY_FLEX_MAJOR_VERSION 2
+#define YY_FLEX_MINOR_VERSION 5
+#define YY_FLEX_SUBMINOR_VERSION 33
+#if YY_FLEX_SUBMINOR_VERSION > 0
+#define FLEX_BETA
+#endif
+
+/* First, we deal with  platform-specific or compiler-specific issues. */
+
+/* begin standard C headers. */
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <stdlib.h>
+
+/* end standard C headers. */
+
+/* flex integer type definitions */
+
+#ifndef FLEXINT_H
+#define FLEXINT_H
+
+/* C99 systems have <inttypes.h>. Non-C99 systems may or may not. */
+
+#if __STDC_VERSION__ >= 199901L
+
+/* C99 says to define __STDC_LIMIT_MACROS before including stdint.h,
+ * if you want the limit (max/min) macros for int types. 
+ */
+#ifndef __STDC_LIMIT_MACROS
+#define __STDC_LIMIT_MACROS 1
+#endif
+
+#include <inttypes.h>
+typedef int8_t flex_int8_t;
+typedef uint8_t flex_uint8_t;
+typedef int16_t flex_int16_t;
+typedef uint16_t flex_uint16_t;
+typedef int32_t flex_int32_t;
+typedef uint32_t flex_uint32_t;
+#else
+typedef signed char flex_int8_t;
+typedef short int flex_int16_t;
+typedef int flex_int32_t;
+typedef unsigned char flex_uint8_t; 
+typedef unsigned short int flex_uint16_t;
+typedef unsigned int flex_uint32_t;
+#endif /* ! C99 */
+
+/* Limits of integral types. */
+#ifndef INT8_MIN
+#define INT8_MIN               (-128)
+#endif
+#ifndef INT16_MIN
+#define INT16_MIN              (-32767-1)
+#endif
+#ifndef INT32_MIN
+#define INT32_MIN              (-2147483647-1)
+#endif
+#ifndef INT8_MAX
+#define INT8_MAX               (127)
+#endif
+#ifndef INT16_MAX
+#define INT16_MAX              (32767)
+#endif
+#ifndef INT32_MAX
+#define INT32_MAX              (2147483647)
+#endif
+#ifndef UINT8_MAX
+#define UINT8_MAX              (255U)
+#endif
+#ifndef UINT16_MAX
+#define UINT16_MAX             (65535U)
+#endif
+#ifndef UINT32_MAX
+#define UINT32_MAX             (4294967295U)
+#endif
+
+#endif /* ! FLEXINT_H */
+
+#ifdef __cplusplus
+
+/* The "const" storage-class-modifier is valid. */
+#define YY_USE_CONST
+
+#else	/* ! __cplusplus */
+
+#if __STDC__
+
+#define YY_USE_CONST
+
+#endif	/* __STDC__ */
+#endif	/* ! __cplusplus */
+
+#ifdef YY_USE_CONST
+#define yyconst const
+#else
+#define yyconst
+#endif
+
+/* Returned upon end-of-file. */
+#define YY_NULL 0
+
+/* Promotes a possibly negative, possibly signed char to an unsigned
+ * integer for use as an array index.  If the signed char is negative,
+ * we want to instead treat it as an 8-bit unsigned char, hence the
+ * double cast.
+ */
+#define YY_SC_TO_UI(c) ((unsigned int) (unsigned char) c)
+
+/* Enter a start condition.  This macro really ought to take a parameter,
+ * but we do it the disgusting crufty way forced on us by the ()-less
+ * definition of BEGIN.
+ */
+#define BEGIN (yy_start) = 1 + 2 *
+
+/* Translate the current start state into a value that can be later handed
+ * to BEGIN to return to the state.  The YYSTATE alias is for lex
+ * compatibility.
+ */
+#define YY_START (((yy_start) - 1) / 2)
+#define YYSTATE YY_START
+
+/* Action number for EOF rule of a given start state. */
+#define YY_STATE_EOF(state) (YY_END_OF_BUFFER + state + 1)
+
+/* Special action meaning "start processing a new file". */
+#define YY_NEW_FILE yyrestart(yyin  )
+
+#define YY_END_OF_BUFFER_CHAR 0
+
+/* Size of default input buffer. */
+#ifndef YY_BUF_SIZE
+#define YY_BUF_SIZE 16384
+#endif
+
+/* The state buf must be large enough to hold one state per character in the main buffer.
+ */
+#define YY_STATE_BUF_SIZE   ((YY_BUF_SIZE + 2) * sizeof(yy_state_type))
+
+#ifndef YY_TYPEDEF_YY_BUFFER_STATE
+#define YY_TYPEDEF_YY_BUFFER_STATE
+typedef struct yy_buffer_state *YY_BUFFER_STATE;
+#endif
+
+extern int yyleng;
+
+extern FILE *yyin, *yyout;
+
+#define EOB_ACT_CONTINUE_SCAN 0
+#define EOB_ACT_END_OF_FILE 1
+#define EOB_ACT_LAST_MATCH 2
+
+    #define YY_LESS_LINENO(n)
+    
+/* Return all but the first "n" matched characters back to the input stream. */
+#define yyless(n) \
+	do \
+		{ \
+		/* Undo effects of setting up yytext. */ \
+        int yyless_macro_arg = (n); \
+        YY_LESS_LINENO(yyless_macro_arg);\
+		*yy_cp = (yy_hold_char); \
+		YY_RESTORE_YY_MORE_OFFSET \
+		(yy_c_buf_p) = yy_cp = yy_bp + yyless_macro_arg - YY_MORE_ADJ; \
+		YY_DO_BEFORE_ACTION; /* set up yytext again */ \
+		} \
+	while ( 0 )
+
+#define unput(c) yyunput( c, (yytext_ptr)  )
+
+/* The following is because we cannot portably get our hands on size_t
+ * (without autoconf's help, which isn't available because we want
+ * flex-generated scanners to compile on their own).
+ */
+
+#ifndef YY_TYPEDEF_YY_SIZE_T
+#define YY_TYPEDEF_YY_SIZE_T
+typedef unsigned int yy_size_t;
+#endif
+
+#ifndef YY_STRUCT_YY_BUFFER_STATE
+#define YY_STRUCT_YY_BUFFER_STATE
+struct yy_buffer_state
+	{
+	FILE *yy_input_file;
+
+	char *yy_ch_buf;		/* input buffer */
+	char *yy_buf_pos;		/* current position in input buffer */
+
+	/* Size of input buffer in bytes, not including room for EOB
+	 * characters.
+	 */
+	yy_size_t yy_buf_size;
+
+	/* Number of characters read into yy_ch_buf, not including EOB
+	 * characters.
+	 */
+	int yy_n_chars;
+
+	/* Whether we "own" the buffer - i.e., we know we created it,
+	 * and can realloc() it to grow it, and should free() it to
+	 * delete it.
+	 */
+	int yy_is_our_buffer;
+
+	/* Whether this is an "interactive" input source; if so, and
+	 * if we're using stdio for input, then we want to use getc()
+	 * instead of fread(), to make sure we stop fetching input after
+	 * each newline.
+	 */
+	int yy_is_interactive;
+
+	/* Whether we're considered to be at the beginning of a line.
+	 * If so, '^' rules will be active on the next match, otherwise
+	 * not.
+	 */
+	int yy_at_bol;
+
+    int yy_bs_lineno; /**< The line count. */
+    int yy_bs_column; /**< The column count. */
+    
+	/* Whether to try to fill the input buffer when we reach the
+	 * end of it.
+	 */
+	int yy_fill_buffer;
+
+	int yy_buffer_status;
+
+#define YY_BUFFER_NEW 0
+#define YY_BUFFER_NORMAL 1
+	/* When an EOF's been seen but there's still some text to process
+	 * then we mark the buffer as YY_EOF_PENDING, to indicate that we
+	 * shouldn't try reading from the input source any more.  We might
+	 * still have a bunch of tokens to match, though, because of
+	 * possible backing-up.
+	 *
+	 * When we actually see the EOF, we change the status to "new"
+	 * (via yyrestart()), so that the user can continue scanning by
+	 * just pointing yyin at a new input file.
+	 */
+#define YY_BUFFER_EOF_PENDING 2
+
+	};
+#endif /* !YY_STRUCT_YY_BUFFER_STATE */
+
+/* Stack of input buffers. */
+static size_t yy_buffer_stack_top = 0; /**< index of top of stack. */
+static size_t yy_buffer_stack_max = 0; /**< capacity of stack. */
+static YY_BUFFER_STATE * yy_buffer_stack = 0; /**< Stack as an array. */
+
+/* We provide macros for accessing buffer states in case in the
+ * future we want to put the buffer states in a more general
+ * "scanner state".
+ *
+ * Returns the top of the stack, or NULL.
+ */
+#define YY_CURRENT_BUFFER ( (yy_buffer_stack) \
+                          ? (yy_buffer_stack)[(yy_buffer_stack_top)] \
+                          : NULL)
+
+/* Same as previous macro, but useful when we know that the buffer stack is not
+ * NULL or when we need an lvalue. For internal use only.
+ */
+#define YY_CURRENT_BUFFER_LVALUE (yy_buffer_stack)[(yy_buffer_stack_top)]
+
+/* yy_hold_char holds the character lost when yytext is formed. */
+static char yy_hold_char;
+static int yy_n_chars;		/* number of characters read into yy_ch_buf */
+int yyleng;
+
+/* Points to current character in buffer. */
+static char *yy_c_buf_p = (char *) 0;
+static int yy_init = 0;		/* whether we need to initialize */
+static int yy_start = 0;	/* start state number */
+
+/* Flag which is used to allow yywrap()'s to do buffer switches
+ * instead of setting up a fresh yyin.  A bit of a hack ...
+ */
+static int yy_did_buffer_switch_on_eof;
+
+void yyrestart (FILE *input_file  );
+void yy_switch_to_buffer (YY_BUFFER_STATE new_buffer  );
+YY_BUFFER_STATE yy_create_buffer (FILE *file,int size  );
+void yy_delete_buffer (YY_BUFFER_STATE b  );
+void yy_flush_buffer (YY_BUFFER_STATE b  );
+void yypush_buffer_state (YY_BUFFER_STATE new_buffer  );
+void yypop_buffer_state (void );
+
+static void yyensure_buffer_stack (void );
+static void yy_load_buffer_state (void );
+static void yy_init_buffer (YY_BUFFER_STATE b,FILE *file  );
+
+#define YY_FLUSH_BUFFER yy_flush_buffer(YY_CURRENT_BUFFER )
+
+YY_BUFFER_STATE yy_scan_buffer (char *base,yy_size_t size  );
+YY_BUFFER_STATE yy_scan_string (yyconst char *yy_str  );
+YY_BUFFER_STATE yy_scan_bytes (yyconst char *bytes,int len  );
+
+void *yyalloc (yy_size_t  );
+void *yyrealloc (void *,yy_size_t  );
+void yyfree (void *  );
+
+#define yy_new_buffer yy_create_buffer
+
+#define yy_set_interactive(is_interactive) \
+	{ \
+	if ( ! YY_CURRENT_BUFFER ){ \
+        yyensure_buffer_stack (); \
+		YY_CURRENT_BUFFER_LVALUE =    \
+            yy_create_buffer(yyin,YY_BUF_SIZE ); \
+	} \
+	YY_CURRENT_BUFFER_LVALUE->yy_is_interactive = is_interactive; \
+	}
+
+#define yy_set_bol(at_bol) \
+	{ \
+	if ( ! YY_CURRENT_BUFFER ){\
+        yyensure_buffer_stack (); \
+		YY_CURRENT_BUFFER_LVALUE =    \
+            yy_create_buffer(yyin,YY_BUF_SIZE ); \
+	} \
+	YY_CURRENT_BUFFER_LVALUE->yy_at_bol = at_bol; \
+	}
+
+#define YY_AT_BOL() (YY_CURRENT_BUFFER_LVALUE->yy_at_bol)
+
+/* Begin user sect3 */
+
+typedef unsigned char YY_CHAR;
+
+FILE *yyin = (FILE *) 0, *yyout = (FILE *) 0;
+
+typedef int yy_state_type;
+
+extern int yylineno;
+
+int yylineno = 1;
+
+extern char *yytext;
+#define yytext_ptr yytext
+
+static yy_state_type yy_get_previous_state (void );
+static yy_state_type yy_try_NUL_trans (yy_state_type current_state  );
+static int yy_get_next_buffer (void );
+static void yy_fatal_error (yyconst char msg[]  );
+
+/* Done after the current pattern has been matched and before the
+ * corresponding action - sets up yytext.
+ */
+#define YY_DO_BEFORE_ACTION \
+	(yytext_ptr) = yy_bp; \
+	yyleng = (size_t) (yy_cp - yy_bp); \
+	(yy_hold_char) = *yy_cp; \
+	*yy_cp = '\0'; \
+	(yy_c_buf_p) = yy_cp;
+
+#define YY_NUM_RULES 12
+#define YY_END_OF_BUFFER 13
+/* This struct is not used in this scanner,
+   but its presence is necessary. */
+struct yy_trans_info
+	{
+	flex_int32_t yy_verify;
+	flex_int32_t yy_nxt;
+	};
+static yyconst flex_int16_t yy_accept[54] =
+    {   0,
+        0,    0,   13,   11,    7,    8,    9,    6,   10,   10,
+       10,   10,   10,    6,   10,   10,   10,   10,   10,   10,
+        5,   10,   10,   10,   10,   10,   10,   10,   10,   10,
+       10,   10,   10,   10,   10,   10,   10,    2,   10,    3,
+       10,   10,   10,   10,   10,   10,   10,   10,   10,   10,
+        1,    4,    0
+    } ;
+
+static yyconst flex_int32_t yy_ec[256] =
+    {   0,
+        1,    1,    1,    1,    1,    1,    1,    1,    2,    3,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    2,    1,    4,    5,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    6,    6,    6,
+        6,    6,    6,    6,    6,    6,    6,    1,    1,    1,
+        1,    1,    1,    1,    6,    6,    6,    6,    6,    6,
+        6,    6,    6,    6,    6,    6,    6,    6,    6,    6,
+        6,    6,    6,    6,    6,    6,    6,    6,    6,    6,
+        1,    1,    1,    1,    7,    1,    8,    9,   10,   11,
+
+       12,    6,    6,    6,   13,    6,   14,   15,   16,   17,
+       18,   19,   20,   21,   22,   23,   24,    6,   25,    6,
+        6,    6,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1
+    } ;
+
+static yyconst flex_int32_t yy_meta[26] =
+    {   0,
+        1,    1,    2,    1,    1,    3,    3,    3,    3,    3,
+        3,    3,    3,    3,    3,    3,    3,    3,    3,    3,
+        3,    3,    3,    3,    3
+    } ;
+
+static yyconst flex_int16_t yy_base[57] =
+    {   0,
+        0,   24,   69,   70,   70,   70,   70,    0,    0,   50,
+       50,   54,   48,    0,    0,   48,   52,   42,    0,   45,
+        0,   36,   43,   41,   49,   44,   36,   35,   30,   24,
+       29,   18,   31,   18,   28,   22,   31,    0,   21,    0,
+       12,   21,   24,   14,   21,    0,    2,    4,    3,    0,
+        0,    0,   70,   48,   51,    3
+    } ;
+
+static yyconst flex_int16_t yy_def[57] =
+    {   0,
+       54,   54,   53,   53,   53,   53,   53,   55,   56,   56,
+       56,   56,   56,   55,   56,   56,   56,   56,   56,   56,
+       56,   56,   56,   56,   56,   56,   56,   56,   56,   56,
+       56,   56,   56,   56,   56,   56,   56,   56,   56,   56,
+       56,   56,   56,   56,   56,   56,   56,   56,   56,   56,
+       56,   56,    0,   53,   53,   53
+    } ;
+
+static yyconst flex_int16_t yy_nxt[96] =
+    {   0,
+        4,    5,    6,    7,    8,   15,   53,   53,   53,   10,
+       52,   11,   23,   24,   51,   50,   49,   53,   53,   53,
+       12,   53,   48,   13,    4,    5,    6,    7,    8,   47,
+       46,   45,   44,   10,   43,   11,   42,   41,   40,   39,
+       38,   37,   36,   35,   12,   34,   33,   13,    9,    9,
+        9,   14,   32,   14,   31,   30,   29,   28,   27,   26,
+       25,   22,   21,   20,   19,   18,   17,   16,   53,    3,
+       53,   53,   53,   53,   53,   53,   53,   53,   53,   53,
+       53,   53,   53,   53,   53,   53,   53,   53,   53,   53,
+       53,   53,   53,   53,   53
+
+    } ;
+
+static yyconst flex_int16_t yy_chk[96] =
+    {   0,
+        1,    1,    1,    1,    1,   56,    0,    0,    0,    1,
+       50,    1,   19,   19,   49,   48,   47,    0,    0,    0,
+        1,    0,   46,    1,    2,    2,    2,    2,    2,   45,
+       44,   43,   42,    2,   41,    2,   39,   37,   36,   35,
+       34,   33,   32,   31,    2,   30,   29,    2,   54,   54,
+       54,   55,   28,   55,   27,   26,   25,   24,   23,   22,
+       20,   18,   17,   16,   13,   12,   11,   10,    3,   53,
+       53,   53,   53,   53,   53,   53,   53,   53,   53,   53,
+       53,   53,   53,   53,   53,   53,   53,   53,   53,   53,
+       53,   53,   53,   53,   53
+
+    } ;
+
+static yy_state_type yy_last_accepting_state;
+static char *yy_last_accepting_cpos;
+
+extern int yy_flex_debug;
+int yy_flex_debug = 0;
+
+/* The intent behind this definition is that it'll catch
+ * any uses of REJECT which flex missed.
+ */
+#define REJECT reject_used_but_not_detected
+#define yymore() yymore_used_but_not_detected
+#define YY_MORE_ADJ 0
+#define YY_RESTORE_YY_MORE_OFFSET
+char *yytext;
+#line 1 "lex.l"
+#line 2 "lex.l"
+/*
+ * Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#undef ECHO
+
+#include "make_cmds.h"
+#include "parse.h"
+
+RCSID("$Id: lex.l 10703 2001-09-16 23:10:10Z assar $");
+
+static unsigned lineno = 1;
+static int getstring(void);
+
+#define YY_NO_UNPUT
+
+#undef ECHO
+
+#line 538 "lex.c"
+
+#define INITIAL 0
+
+#ifndef YY_NO_UNISTD_H
+/* Special case for "unistd.h", since it is non-ANSI. We include it way
+ * down here because we want the user's section 1 to have been scanned first.
+ * The user has a chance to override it with an option.
+ */
+#include <unistd.h>
+#endif
+
+#ifndef YY_EXTRA_TYPE
+#define YY_EXTRA_TYPE void *
+#endif
+
+static int yy_init_globals (void );
+
+/* Macros after this point can all be overridden by user definitions in
+ * section 1.
+ */
+
+#ifndef YY_SKIP_YYWRAP
+#ifdef __cplusplus
+extern "C" int yywrap (void );
+#else
+extern int yywrap (void );
+#endif
+#endif
+
+    static void yyunput (int c,char *buf_ptr  );
+    
+#ifndef yytext_ptr
+static void yy_flex_strncpy (char *,yyconst char *,int );
+#endif
+
+#ifdef YY_NEED_STRLEN
+static int yy_flex_strlen (yyconst char * );
+#endif
+
+#ifndef YY_NO_INPUT
+
+#ifdef __cplusplus
+static int yyinput (void );
+#else
+static int input (void );
+#endif
+
+#endif
+
+/* Amount of stuff to slurp up with each read. */
+#ifndef YY_READ_BUF_SIZE
+#define YY_READ_BUF_SIZE 8192
+#endif
+
+/* Copy whatever the last rule matched to the standard output. */
+#ifndef ECHO
+/* This used to be an fputs(), but since the string might contain NUL's,
+ * we now use fwrite().
+ */
+#define ECHO (void) fwrite( yytext, yyleng, 1, yyout )
+#endif
+
+/* Gets input and stuffs it into "buf".  number of characters read, or YY_NULL,
+ * is returned in "result".
+ */
+#ifndef YY_INPUT
+#define YY_INPUT(buf,result,max_size) \
+	if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \
+		{ \
+		int c = '*'; \
+		size_t n; \
+		for ( n = 0; n < max_size && \
+			     (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
+			buf[n] = (char) c; \
+		if ( c == '\n' ) \
+			buf[n++] = (char) c; \
+		if ( c == EOF && ferror( yyin ) ) \
+			YY_FATAL_ERROR( "input in flex scanner failed" ); \
+		result = n; \
+		} \
+	else \
+		{ \
+		errno=0; \
+		while ( (result = fread(buf, 1, max_size, yyin))==0 && ferror(yyin)) \
+			{ \
+			if( errno != EINTR) \
+				{ \
+				YY_FATAL_ERROR( "input in flex scanner failed" ); \
+				break; \
+				} \
+			errno=0; \
+			clearerr(yyin); \
+			} \
+		}\
+\
+
+#endif
+
+/* No semi-colon after return; correct usage is to write "yyterminate();" -
+ * we don't want an extra ';' after the "return" because that will cause
+ * some compilers to complain about unreachable statements.
+ */
+#ifndef yyterminate
+#define yyterminate() return YY_NULL
+#endif
+
+/* Number of entries by which start-condition stack grows. */
+#ifndef YY_START_STACK_INCR
+#define YY_START_STACK_INCR 25
+#endif
+
+/* Report a fatal error. */
+#ifndef YY_FATAL_ERROR
+#define YY_FATAL_ERROR(msg) yy_fatal_error( msg )
+#endif
+
+/* end tables serialization structures and prototypes */
+
+/* Default declaration of generated scanner - a define so the user can
+ * easily add parameters.
+ */
+#ifndef YY_DECL
+#define YY_DECL_IS_OURS 1
+
+extern int yylex (void);
+
+#define YY_DECL int yylex (void)
+#endif /* !YY_DECL */
+
+/* Code executed at the beginning of each rule, after yytext and yyleng
+ * have been set up.
+ */
+#ifndef YY_USER_ACTION
+#define YY_USER_ACTION
+#endif
+
+/* Code executed at the end of each rule. */
+#ifndef YY_BREAK
+#define YY_BREAK break;
+#endif
+
+#define YY_RULE_SETUP \
+	YY_USER_ACTION
+
+/** The main scanner function which does all the work.
+ */
+YY_DECL
+{
+	register yy_state_type yy_current_state;
+	register char *yy_cp, *yy_bp;
+	register int yy_act;
+    
+#line 52 "lex.l"
+
+#line 693 "lex.c"
+
+	if ( !(yy_init) )
+		{
+		(yy_init) = 1;
+
+#ifdef YY_USER_INIT
+		YY_USER_INIT;
+#endif
+
+		if ( ! (yy_start) )
+			(yy_start) = 1;	/* first start state */
+
+		if ( ! yyin )
+			yyin = stdin;
+
+		if ( ! yyout )
+			yyout = stdout;
+
+		if ( ! YY_CURRENT_BUFFER ) {
+			yyensure_buffer_stack ();
+			YY_CURRENT_BUFFER_LVALUE =
+				yy_create_buffer(yyin,YY_BUF_SIZE );
+		}
+
+		yy_load_buffer_state( );
+		}
+
+	while ( 1 )		/* loops until end-of-file is reached */
+		{
+		yy_cp = (yy_c_buf_p);
+
+		/* Support of yytext. */
+		*yy_cp = (yy_hold_char);
+
+		/* yy_bp points to the position in yy_ch_buf of the start of
+		 * the current run.
+		 */
+		yy_bp = yy_cp;
+
+		yy_current_state = (yy_start);
+yy_match:
+		do
+			{
+			register YY_CHAR yy_c = yy_ec[YY_SC_TO_UI(*yy_cp)];
+			if ( yy_accept[yy_current_state] )
+				{
+				(yy_last_accepting_state) = yy_current_state;
+				(yy_last_accepting_cpos) = yy_cp;
+				}
+			while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
+				{
+				yy_current_state = (int) yy_def[yy_current_state];
+				if ( yy_current_state >= 54 )
+					yy_c = yy_meta[(unsigned int) yy_c];
+				}
+			yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+			++yy_cp;
+			}
+		while ( yy_base[yy_current_state] != 70 );
+
+yy_find_action:
+		yy_act = yy_accept[yy_current_state];
+		if ( yy_act == 0 )
+			{ /* have to back up */
+			yy_cp = (yy_last_accepting_cpos);
+			yy_current_state = (yy_last_accepting_state);
+			yy_act = yy_accept[yy_current_state];
+			}
+
+		YY_DO_BEFORE_ACTION;
+
+do_action:	/* This label is used only to access EOF actions. */
+
+		switch ( yy_act )
+	{ /* beginning of action switch */
+			case 0: /* must back up */
+			/* undo the effects of YY_DO_BEFORE_ACTION */
+			*yy_cp = (yy_hold_char);
+			yy_cp = (yy_last_accepting_cpos);
+			yy_current_state = (yy_last_accepting_state);
+			goto yy_find_action;
+
+case 1:
+YY_RULE_SETUP
+#line 53 "lex.l"
+{ return TABLE; }
+	YY_BREAK
+case 2:
+YY_RULE_SETUP
+#line 54 "lex.l"
+{ return REQUEST; }
+	YY_BREAK
+case 3:
+YY_RULE_SETUP
+#line 55 "lex.l"
+{ return UNKNOWN; }
+	YY_BREAK
+case 4:
+YY_RULE_SETUP
+#line 56 "lex.l"
+{ return UNIMPLEMENTED; }
+	YY_BREAK
+case 5:
+YY_RULE_SETUP
+#line 57 "lex.l"
+{ return END; }
+	YY_BREAK
+case 6:
+YY_RULE_SETUP
+#line 58 "lex.l"
+;
+	YY_BREAK
+case 7:
+YY_RULE_SETUP
+#line 59 "lex.l"
+;
+	YY_BREAK
+case 8:
+/* rule 8 can match eol */
+YY_RULE_SETUP
+#line 60 "lex.l"
+{ lineno++; }
+	YY_BREAK
+case 9:
+YY_RULE_SETUP
+#line 61 "lex.l"
+{ return getstring(); }
+	YY_BREAK
+case 10:
+YY_RULE_SETUP
+#line 62 "lex.l"
+{ yylval.string = strdup(yytext); return STRING; }
+	YY_BREAK
+case 11:
+YY_RULE_SETUP
+#line 63 "lex.l"
+{ return *yytext; }
+	YY_BREAK
+case 12:
+YY_RULE_SETUP
+#line 64 "lex.l"
+ECHO;
+	YY_BREAK
+#line 837 "lex.c"
+case YY_STATE_EOF(INITIAL):
+	yyterminate();
+
+	case YY_END_OF_BUFFER:
+		{
+		/* Amount of text matched not including the EOB char. */
+		int yy_amount_of_matched_text = (int) (yy_cp - (yytext_ptr)) - 1;
+
+		/* Undo the effects of YY_DO_BEFORE_ACTION. */
+		*yy_cp = (yy_hold_char);
+		YY_RESTORE_YY_MORE_OFFSET
+
+		if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_NEW )
+			{
+			/* We're scanning a new file or input source.  It's
+			 * possible that this happened because the user
+			 * just pointed yyin at a new source and called
+			 * yylex().  If so, then we have to assure
+			 * consistency between YY_CURRENT_BUFFER and our
+			 * globals.  Here is the right place to do so, because
+			 * this is the first action (other than possibly a
+			 * back-up) that will match for the new input source.
+			 */
+			(yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_n_chars;
+			YY_CURRENT_BUFFER_LVALUE->yy_input_file = yyin;
+			YY_CURRENT_BUFFER_LVALUE->yy_buffer_status = YY_BUFFER_NORMAL;
+			}
+
+		/* Note that here we test for yy_c_buf_p "<=" to the position
+		 * of the first EOB in the buffer, since yy_c_buf_p will
+		 * already have been incremented past the NUL character
+		 * (since all states make transitions on EOB to the
+		 * end-of-buffer state).  Contrast this with the test
+		 * in input().
+		 */
+		if ( (yy_c_buf_p) <= &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] )
+			{ /* This was really a NUL. */
+			yy_state_type yy_next_state;
+
+			(yy_c_buf_p) = (yytext_ptr) + yy_amount_of_matched_text;
+
+			yy_current_state = yy_get_previous_state(  );
+
+			/* Okay, we're now positioned to make the NUL
+			 * transition.  We couldn't have
+			 * yy_get_previous_state() go ahead and do it
+			 * for us because it doesn't know how to deal
+			 * with the possibility of jamming (and we don't
+			 * want to build jamming into it because then it
+			 * will run more slowly).
+			 */
+
+			yy_next_state = yy_try_NUL_trans( yy_current_state );
+
+			yy_bp = (yytext_ptr) + YY_MORE_ADJ;
+
+			if ( yy_next_state )
+				{
+				/* Consume the NUL. */
+				yy_cp = ++(yy_c_buf_p);
+				yy_current_state = yy_next_state;
+				goto yy_match;
+				}
+
+			else
+				{
+				yy_cp = (yy_c_buf_p);
+				goto yy_find_action;
+				}
+			}
+
+		else switch ( yy_get_next_buffer(  ) )
+			{
+			case EOB_ACT_END_OF_FILE:
+				{
+				(yy_did_buffer_switch_on_eof) = 0;
+
+				if ( yywrap( ) )
+					{
+					/* Note: because we've taken care in
+					 * yy_get_next_buffer() to have set up
+					 * yytext, we can now set up
+					 * yy_c_buf_p so that if some total
+					 * hoser (like flex itself) wants to
+					 * call the scanner after we return the
+					 * YY_NULL, it'll still work - another
+					 * YY_NULL will get returned.
+					 */
+					(yy_c_buf_p) = (yytext_ptr) + YY_MORE_ADJ;
+
+					yy_act = YY_STATE_EOF(YY_START);
+					goto do_action;
+					}
+
+				else
+					{
+					if ( ! (yy_did_buffer_switch_on_eof) )
+						YY_NEW_FILE;
+					}
+				break;
+				}
+
+			case EOB_ACT_CONTINUE_SCAN:
+				(yy_c_buf_p) =
+					(yytext_ptr) + yy_amount_of_matched_text;
+
+				yy_current_state = yy_get_previous_state(  );
+
+				yy_cp = (yy_c_buf_p);
+				yy_bp = (yytext_ptr) + YY_MORE_ADJ;
+				goto yy_match;
+
+			case EOB_ACT_LAST_MATCH:
+				(yy_c_buf_p) =
+				&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)];
+
+				yy_current_state = yy_get_previous_state(  );
+
+				yy_cp = (yy_c_buf_p);
+				yy_bp = (yytext_ptr) + YY_MORE_ADJ;
+				goto yy_find_action;
+			}
+		break;
+		}
+
+	default:
+		YY_FATAL_ERROR(
+			"fatal flex scanner internal error--no action found" );
+	} /* end of action switch */
+		} /* end of scanning one token */
+} /* end of yylex */
+
+/* yy_get_next_buffer - try to read in a new buffer
+ *
+ * Returns a code representing an action:
+ *	EOB_ACT_LAST_MATCH -
+ *	EOB_ACT_CONTINUE_SCAN - continue scanning from current position
+ *	EOB_ACT_END_OF_FILE - end of file
+ */
+static int yy_get_next_buffer (void)
+{
+    	register char *dest = YY_CURRENT_BUFFER_LVALUE->yy_ch_buf;
+	register char *source = (yytext_ptr);
+	register int number_to_move, i;
+	int ret_val;
+
+	if ( (yy_c_buf_p) > &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] )
+		YY_FATAL_ERROR(
+		"fatal flex scanner internal error--end of buffer missed" );
+
+	if ( YY_CURRENT_BUFFER_LVALUE->yy_fill_buffer == 0 )
+		{ /* Don't try to fill the buffer, so this is an EOF. */
+		if ( (yy_c_buf_p) - (yytext_ptr) - YY_MORE_ADJ == 1 )
+			{
+			/* We matched a single character, the EOB, so
+			 * treat this as a final EOF.
+			 */
+			return EOB_ACT_END_OF_FILE;
+			}
+
+		else
+			{
+			/* We matched some text prior to the EOB, first
+			 * process it.
+			 */
+			return EOB_ACT_LAST_MATCH;
+			}
+		}
+
+	/* Try to read more data. */
+
+	/* First move last chars to start of buffer. */
+	number_to_move = (int) ((yy_c_buf_p) - (yytext_ptr)) - 1;
+
+	for ( i = 0; i < number_to_move; ++i )
+		*(dest++) = *(source++);
+
+	if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
+		/* don't do the read, it's not guaranteed to return an EOF,
+		 * just force an EOF
+		 */
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars) = 0;
+
+	else
+		{
+			int num_to_read =
+			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
+
+		while ( num_to_read <= 0 )
+			{ /* Not enough room in the buffer - grow it. */
+
+			/* just a shorter name for the current buffer */
+			YY_BUFFER_STATE b = YY_CURRENT_BUFFER;
+
+			int yy_c_buf_p_offset =
+				(int) ((yy_c_buf_p) - b->yy_ch_buf);
+
+			if ( b->yy_is_our_buffer )
+				{
+				int new_size = b->yy_buf_size * 2;
+
+				if ( new_size <= 0 )
+					b->yy_buf_size += b->yy_buf_size / 8;
+				else
+					b->yy_buf_size *= 2;
+
+				b->yy_ch_buf = (char *)
+					/* Include room in for 2 EOB chars. */
+					yyrealloc((void *) b->yy_ch_buf,b->yy_buf_size + 2  );
+				}
+			else
+				/* Can't grow it, we don't own it. */
+				b->yy_ch_buf = 0;
+
+			if ( ! b->yy_ch_buf )
+				YY_FATAL_ERROR(
+				"fatal error - scanner input buffer overflow" );
+
+			(yy_c_buf_p) = &b->yy_ch_buf[yy_c_buf_p_offset];
+
+			num_to_read = YY_CURRENT_BUFFER_LVALUE->yy_buf_size -
+						number_to_move - 1;
+
+			}
+
+		if ( num_to_read > YY_READ_BUF_SIZE )
+			num_to_read = YY_READ_BUF_SIZE;
+
+		/* Read in more data. */
+		YY_INPUT( (&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]),
+			(yy_n_chars), num_to_read );
+
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
+		}
+
+	if ( (yy_n_chars) == 0 )
+		{
+		if ( number_to_move == YY_MORE_ADJ )
+			{
+			ret_val = EOB_ACT_END_OF_FILE;
+			yyrestart(yyin  );
+			}
+
+		else
+			{
+			ret_val = EOB_ACT_LAST_MATCH;
+			YY_CURRENT_BUFFER_LVALUE->yy_buffer_status =
+				YY_BUFFER_EOF_PENDING;
+			}
+		}
+
+	else
+		ret_val = EOB_ACT_CONTINUE_SCAN;
+
+	(yy_n_chars) += number_to_move;
+	YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] = YY_END_OF_BUFFER_CHAR;
+	YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] = YY_END_OF_BUFFER_CHAR;
+
+	(yytext_ptr) = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[0];
+
+	return ret_val;
+}
+
+/* yy_get_previous_state - get the state just before the EOB char was reached */
+
+    static yy_state_type yy_get_previous_state (void)
+{
+	register yy_state_type yy_current_state;
+	register char *yy_cp;
+    
+	yy_current_state = (yy_start);
+
+	for ( yy_cp = (yytext_ptr) + YY_MORE_ADJ; yy_cp < (yy_c_buf_p); ++yy_cp )
+		{
+		register YY_CHAR yy_c = (*yy_cp ? yy_ec[YY_SC_TO_UI(*yy_cp)] : 1);
+		if ( yy_accept[yy_current_state] )
+			{
+			(yy_last_accepting_state) = yy_current_state;
+			(yy_last_accepting_cpos) = yy_cp;
+			}
+		while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
+			{
+			yy_current_state = (int) yy_def[yy_current_state];
+			if ( yy_current_state >= 54 )
+				yy_c = yy_meta[(unsigned int) yy_c];
+			}
+		yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+		}
+
+	return yy_current_state;
+}
+
+/* yy_try_NUL_trans - try to make a transition on the NUL character
+ *
+ * synopsis
+ *	next_state = yy_try_NUL_trans( current_state );
+ */
+    static yy_state_type yy_try_NUL_trans  (yy_state_type yy_current_state )
+{
+	register int yy_is_jam;
+    	register char *yy_cp = (yy_c_buf_p);
+
+	register YY_CHAR yy_c = 1;
+	if ( yy_accept[yy_current_state] )
+		{
+		(yy_last_accepting_state) = yy_current_state;
+		(yy_last_accepting_cpos) = yy_cp;
+		}
+	while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
+		{
+		yy_current_state = (int) yy_def[yy_current_state];
+		if ( yy_current_state >= 54 )
+			yy_c = yy_meta[(unsigned int) yy_c];
+		}
+	yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+	yy_is_jam = (yy_current_state == 53);
+
+	return yy_is_jam ? 0 : yy_current_state;
+}
+
+    static void yyunput (int c, register char * yy_bp )
+{
+	register char *yy_cp;
+    
+    yy_cp = (yy_c_buf_p);
+
+	/* undo effects of setting up yytext */
+	*yy_cp = (yy_hold_char);
+
+	if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
+		{ /* need to shift things up to make room */
+		/* +2 for EOB chars. */
+		register int number_to_move = (yy_n_chars) + 2;
+		register char *dest = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[
+					YY_CURRENT_BUFFER_LVALUE->yy_buf_size + 2];
+		register char *source =
+				&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move];
+
+		while ( source > YY_CURRENT_BUFFER_LVALUE->yy_ch_buf )
+			*--dest = *--source;
+
+		yy_cp += (int) (dest - source);
+		yy_bp += (int) (dest - source);
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars =
+			(yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_buf_size;
+
+		if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
+			YY_FATAL_ERROR( "flex scanner push-back overflow" );
+		}
+
+	*--yy_cp = (char) c;
+
+	(yytext_ptr) = yy_bp;
+	(yy_hold_char) = *yy_cp;
+	(yy_c_buf_p) = yy_cp;
+}
+
+#ifndef YY_NO_INPUT
+#ifdef __cplusplus
+    static int yyinput (void)
+#else
+    static int input  (void)
+#endif
+
+{
+	int c;
+    
+	*(yy_c_buf_p) = (yy_hold_char);
+
+	if ( *(yy_c_buf_p) == YY_END_OF_BUFFER_CHAR )
+		{
+		/* yy_c_buf_p now points to the character we want to return.
+		 * If this occurs *before* the EOB characters, then it's a
+		 * valid NUL; if not, then we've hit the end of the buffer.
+		 */
+		if ( (yy_c_buf_p) < &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] )
+			/* This was really a NUL. */
+			*(yy_c_buf_p) = '\0';
+
+		else
+			{ /* need more input */
+			int offset = (yy_c_buf_p) - (yytext_ptr);
+			++(yy_c_buf_p);
+
+			switch ( yy_get_next_buffer(  ) )
+				{
+				case EOB_ACT_LAST_MATCH:
+					/* This happens because yy_g_n_b()
+					 * sees that we've accumulated a
+					 * token and flags that we need to
+					 * try matching the token before
+					 * proceeding.  But for input(),
+					 * there's no matching to consider.
+					 * So convert the EOB_ACT_LAST_MATCH
+					 * to EOB_ACT_END_OF_FILE.
+					 */
+
+					/* Reset buffer status. */
+					yyrestart(yyin );
+
+					/*FALLTHROUGH*/
+
+				case EOB_ACT_END_OF_FILE:
+					{
+					if ( yywrap( ) )
+						return 0;
+
+					if ( ! (yy_did_buffer_switch_on_eof) )
+						YY_NEW_FILE;
+#ifdef __cplusplus
+					return yyinput();
+#else
+					return input();
+#endif
+					}
+
+				case EOB_ACT_CONTINUE_SCAN:
+					(yy_c_buf_p) = (yytext_ptr) + offset;
+					break;
+				}
+			}
+		}
+
+	c = *(unsigned char *) (yy_c_buf_p);	/* cast for 8-bit char's */
+	*(yy_c_buf_p) = '\0';	/* preserve yytext */
+	(yy_hold_char) = *++(yy_c_buf_p);
+
+	return c;
+}
+#endif	/* ifndef YY_NO_INPUT */
+
+/** Immediately switch to a different input stream.
+ * @param input_file A readable stream.
+ * 
+ * @note This function does not reset the start condition to @c INITIAL .
+ */
+    void yyrestart  (FILE * input_file )
+{
+    
+	if ( ! YY_CURRENT_BUFFER ){
+        yyensure_buffer_stack ();
+		YY_CURRENT_BUFFER_LVALUE =
+            yy_create_buffer(yyin,YY_BUF_SIZE );
+	}
+
+	yy_init_buffer(YY_CURRENT_BUFFER,input_file );
+	yy_load_buffer_state( );
+}
+
+/** Switch to a different input buffer.
+ * @param new_buffer The new input buffer.
+ * 
+ */
+    void yy_switch_to_buffer  (YY_BUFFER_STATE  new_buffer )
+{
+    
+	/* TODO. We should be able to replace this entire function body
+	 * with
+	 *		yypop_buffer_state();
+	 *		yypush_buffer_state(new_buffer);
+     */
+	yyensure_buffer_stack ();
+	if ( YY_CURRENT_BUFFER == new_buffer )
+		return;
+
+	if ( YY_CURRENT_BUFFER )
+		{
+		/* Flush out information for old buffer. */
+		*(yy_c_buf_p) = (yy_hold_char);
+		YY_CURRENT_BUFFER_LVALUE->yy_buf_pos = (yy_c_buf_p);
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
+		}
+
+	YY_CURRENT_BUFFER_LVALUE = new_buffer;
+	yy_load_buffer_state( );
+
+	/* We don't actually know whether we did this switch during
+	 * EOF (yywrap()) processing, but the only time this flag
+	 * is looked at is after yywrap() is called, so it's safe
+	 * to go ahead and always set it.
+	 */
+	(yy_did_buffer_switch_on_eof) = 1;
+}
+
+static void yy_load_buffer_state  (void)
+{
+    	(yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_n_chars;
+	(yytext_ptr) = (yy_c_buf_p) = YY_CURRENT_BUFFER_LVALUE->yy_buf_pos;
+	yyin = YY_CURRENT_BUFFER_LVALUE->yy_input_file;
+	(yy_hold_char) = *(yy_c_buf_p);
+}
+
+/** Allocate and initialize an input buffer state.
+ * @param file A readable stream.
+ * @param size The character buffer size in bytes. When in doubt, use @c YY_BUF_SIZE.
+ * 
+ * @return the allocated buffer state.
+ */
+    YY_BUFFER_STATE yy_create_buffer  (FILE * file, int  size )
+{
+	YY_BUFFER_STATE b;
+    
+	b = (YY_BUFFER_STATE) yyalloc(sizeof( struct yy_buffer_state )  );
+	if ( ! b )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
+
+	b->yy_buf_size = size;
+
+	/* yy_ch_buf has to be 2 characters longer than the size given because
+	 * we need to put in 2 end-of-buffer characters.
+	 */
+	b->yy_ch_buf = (char *) yyalloc(b->yy_buf_size + 2  );
+	if ( ! b->yy_ch_buf )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
+
+	b->yy_is_our_buffer = 1;
+
+	yy_init_buffer(b,file );
+
+	return b;
+}
+
+/** Destroy the buffer.
+ * @param b a buffer created with yy_create_buffer()
+ * 
+ */
+    void yy_delete_buffer (YY_BUFFER_STATE  b )
+{
+    
+	if ( ! b )
+		return;
+
+	if ( b == YY_CURRENT_BUFFER ) /* Not sure if we should pop here. */
+		YY_CURRENT_BUFFER_LVALUE = (YY_BUFFER_STATE) 0;
+
+	if ( b->yy_is_our_buffer )
+		yyfree((void *) b->yy_ch_buf  );
+
+	yyfree((void *) b  );
+}
+
+#ifndef __cplusplus
+extern int isatty (int );
+#endif /* __cplusplus */
+    
+/* Initializes or reinitializes a buffer.
+ * This function is sometimes called more than once on the same buffer,
+ * such as during a yyrestart() or at EOF.
+ */
+    static void yy_init_buffer  (YY_BUFFER_STATE  b, FILE * file )
+
+{
+	int oerrno = errno;
+    
+	yy_flush_buffer(b );
+
+	b->yy_input_file = file;
+	b->yy_fill_buffer = 1;
+
+    /* If b is the current buffer, then yy_init_buffer was _probably_
+     * called from yyrestart() or through yy_get_next_buffer.
+     * In that case, we don't want to reset the lineno or column.
+     */
+    if (b != YY_CURRENT_BUFFER){
+        b->yy_bs_lineno = 1;
+        b->yy_bs_column = 0;
+    }
+
+        b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0;
+    
+	errno = oerrno;
+}
+
+/** Discard all buffered characters. On the next scan, YY_INPUT will be called.
+ * @param b the buffer state to be flushed, usually @c YY_CURRENT_BUFFER.
+ * 
+ */
+    void yy_flush_buffer (YY_BUFFER_STATE  b )
+{
+    	if ( ! b )
+		return;
+
+	b->yy_n_chars = 0;
+
+	/* We always need two end-of-buffer characters.  The first causes
+	 * a transition to the end-of-buffer state.  The second causes
+	 * a jam in that state.
+	 */
+	b->yy_ch_buf[0] = YY_END_OF_BUFFER_CHAR;
+	b->yy_ch_buf[1] = YY_END_OF_BUFFER_CHAR;
+
+	b->yy_buf_pos = &b->yy_ch_buf[0];
+
+	b->yy_at_bol = 1;
+	b->yy_buffer_status = YY_BUFFER_NEW;
+
+	if ( b == YY_CURRENT_BUFFER )
+		yy_load_buffer_state( );
+}
+
+/** Pushes the new state onto the stack. The new state becomes
+ *  the current state. This function will allocate the stack
+ *  if necessary.
+ *  @param new_buffer The new state.
+ *  
+ */
+void yypush_buffer_state (YY_BUFFER_STATE new_buffer )
+{
+    	if (new_buffer == NULL)
+		return;
+
+	yyensure_buffer_stack();
+
+	/* This block is copied from yy_switch_to_buffer. */
+	if ( YY_CURRENT_BUFFER )
+		{
+		/* Flush out information for old buffer. */
+		*(yy_c_buf_p) = (yy_hold_char);
+		YY_CURRENT_BUFFER_LVALUE->yy_buf_pos = (yy_c_buf_p);
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
+		}
+
+	/* Only push if top exists. Otherwise, replace top. */
+	if (YY_CURRENT_BUFFER)
+		(yy_buffer_stack_top)++;
+	YY_CURRENT_BUFFER_LVALUE = new_buffer;
+
+	/* copied from yy_switch_to_buffer. */
+	yy_load_buffer_state( );
+	(yy_did_buffer_switch_on_eof) = 1;
+}
+
+/** Removes and deletes the top of the stack, if present.
+ *  The next element becomes the new top.
+ *  
+ */
+void yypop_buffer_state (void)
+{
+    	if (!YY_CURRENT_BUFFER)
+		return;
+
+	yy_delete_buffer(YY_CURRENT_BUFFER );
+	YY_CURRENT_BUFFER_LVALUE = NULL;
+	if ((yy_buffer_stack_top) > 0)
+		--(yy_buffer_stack_top);
+
+	if (YY_CURRENT_BUFFER) {
+		yy_load_buffer_state( );
+		(yy_did_buffer_switch_on_eof) = 1;
+	}
+}
+
+/* Allocates the stack if it does not exist.
+ *  Guarantees space for at least one push.
+ */
+static void yyensure_buffer_stack (void)
+{
+	int num_to_alloc;
+    
+	if (!(yy_buffer_stack)) {
+
+		/* First allocation is just for 2 elements, since we don't know if this
+		 * scanner will even need a stack. We use 2 instead of 1 to avoid an
+		 * immediate realloc on the next call.
+         */
+		num_to_alloc = 1;
+		(yy_buffer_stack) = (struct yy_buffer_state**)yyalloc
+								(num_to_alloc * sizeof(struct yy_buffer_state*)
+								);
+		
+		memset((yy_buffer_stack), 0, num_to_alloc * sizeof(struct yy_buffer_state*));
+				
+		(yy_buffer_stack_max) = num_to_alloc;
+		(yy_buffer_stack_top) = 0;
+		return;
+	}
+
+	if ((yy_buffer_stack_top) >= ((yy_buffer_stack_max)) - 1){
+
+		/* Increase the buffer to prepare for a possible push. */
+		int grow_size = 8 /* arbitrary grow size */;
+
+		num_to_alloc = (yy_buffer_stack_max) + grow_size;
+		(yy_buffer_stack) = (struct yy_buffer_state**)yyrealloc
+								((yy_buffer_stack),
+								num_to_alloc * sizeof(struct yy_buffer_state*)
+								);
+
+		/* zero only the new slots.*/
+		memset((yy_buffer_stack) + (yy_buffer_stack_max), 0, grow_size * sizeof(struct yy_buffer_state*));
+		(yy_buffer_stack_max) = num_to_alloc;
+	}
+}
+
+/** Setup the input buffer state to scan directly from a user-specified character buffer.
+ * @param base the character buffer
+ * @param size the size in bytes of the character buffer
+ * 
+ * @return the newly allocated buffer state object. 
+ */
+YY_BUFFER_STATE yy_scan_buffer  (char * base, yy_size_t  size )
+{
+	YY_BUFFER_STATE b;
+    
+	if ( size < 2 ||
+	     base[size-2] != YY_END_OF_BUFFER_CHAR ||
+	     base[size-1] != YY_END_OF_BUFFER_CHAR )
+		/* They forgot to leave room for the EOB's. */
+		return 0;
+
+	b = (YY_BUFFER_STATE) yyalloc(sizeof( struct yy_buffer_state )  );
+	if ( ! b )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_scan_buffer()" );
+
+	b->yy_buf_size = size - 2;	/* "- 2" to take care of EOB's */
+	b->yy_buf_pos = b->yy_ch_buf = base;
+	b->yy_is_our_buffer = 0;
+	b->yy_input_file = 0;
+	b->yy_n_chars = b->yy_buf_size;
+	b->yy_is_interactive = 0;
+	b->yy_at_bol = 1;
+	b->yy_fill_buffer = 0;
+	b->yy_buffer_status = YY_BUFFER_NEW;
+
+	yy_switch_to_buffer(b  );
+
+	return b;
+}
+
+/** Setup the input buffer state to scan a string. The next call to yylex() will
+ * scan from a @e copy of @a str.
+ * @param str a NUL-terminated string to scan
+ * 
+ * @return the newly allocated buffer state object.
+ * @note If you want to scan bytes that may contain NUL values, then use
+ *       yy_scan_bytes() instead.
+ */
+YY_BUFFER_STATE yy_scan_string (yyconst char * yystr )
+{
+    
+	return yy_scan_bytes(yystr,strlen(yystr) );
+}
+
+/** Setup the input buffer state to scan the given bytes. The next call to yylex() will
+ * scan from a @e copy of @a bytes.
+ * @param bytes the byte buffer to scan
+ * @param len the number of bytes in the buffer pointed to by @a bytes.
+ * 
+ * @return the newly allocated buffer state object.
+ */
+YY_BUFFER_STATE yy_scan_bytes  (yyconst char * yybytes, int  _yybytes_len )
+{
+	YY_BUFFER_STATE b;
+	char *buf;
+	yy_size_t n;
+	int i;
+    
+	/* Get memory for full buffer, including space for trailing EOB's. */
+	n = _yybytes_len + 2;
+	buf = (char *) yyalloc(n  );
+	if ( ! buf )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_scan_bytes()" );
+
+	for ( i = 0; i < _yybytes_len; ++i )
+		buf[i] = yybytes[i];
+
+	buf[_yybytes_len] = buf[_yybytes_len+1] = YY_END_OF_BUFFER_CHAR;
+
+	b = yy_scan_buffer(buf,n );
+	if ( ! b )
+		YY_FATAL_ERROR( "bad buffer in yy_scan_bytes()" );
+
+	/* It's okay to grow etc. this buffer, and we should throw it
+	 * away when we're done.
+	 */
+	b->yy_is_our_buffer = 1;
+
+	return b;
+}
+
+#ifndef YY_EXIT_FAILURE
+#define YY_EXIT_FAILURE 2
+#endif
+
+static void yy_fatal_error (yyconst char* msg )
+{
+    	(void) fprintf( stderr, "%s\n", msg );
+	exit( YY_EXIT_FAILURE );
+}
+
+/* Redefine yyless() so it works in section 3 code. */
+
+#undef yyless
+#define yyless(n) \
+	do \
+		{ \
+		/* Undo effects of setting up yytext. */ \
+        int yyless_macro_arg = (n); \
+        YY_LESS_LINENO(yyless_macro_arg);\
+		yytext[yyleng] = (yy_hold_char); \
+		(yy_c_buf_p) = yytext + yyless_macro_arg; \
+		(yy_hold_char) = *(yy_c_buf_p); \
+		*(yy_c_buf_p) = '\0'; \
+		yyleng = yyless_macro_arg; \
+		} \
+	while ( 0 )
+
+/* Accessor  methods (get/set functions) to struct members. */
+
+/** Get the current line number.
+ * 
+ */
+int yyget_lineno  (void)
+{
+        
+    return yylineno;
+}
+
+/** Get the input stream.
+ * 
+ */
+FILE *yyget_in  (void)
+{
+        return yyin;
+}
+
+/** Get the output stream.
+ * 
+ */
+FILE *yyget_out  (void)
+{
+        return yyout;
+}
+
+/** Get the length of the current token.
+ * 
+ */
+int yyget_leng  (void)
+{
+        return yyleng;
+}
+
+/** Get the current token.
+ * 
+ */
+
+char *yyget_text  (void)
+{
+        return yytext;
+}
+
+/** Set the current line number.
+ * @param line_number
+ * 
+ */
+void yyset_lineno (int  line_number )
+{
+    
+    yylineno = line_number;
+}
+
+/** Set the input stream. This does not discard the current
+ * input buffer.
+ * @param in_str A readable stream.
+ * 
+ * @see yy_switch_to_buffer
+ */
+void yyset_in (FILE *  in_str )
+{
+        yyin = in_str ;
+}
+
+void yyset_out (FILE *  out_str )
+{
+        yyout = out_str ;
+}
+
+int yyget_debug  (void)
+{
+        return yy_flex_debug;
+}
+
+void yyset_debug (int  bdebug )
+{
+        yy_flex_debug = bdebug ;
+}
+
+static int yy_init_globals (void)
+{
+        /* Initialization is the same as for the non-reentrant scanner.
+     * This function is called from yylex_destroy(), so don't allocate here.
+     */
+
+    (yy_buffer_stack) = 0;
+    (yy_buffer_stack_top) = 0;
+    (yy_buffer_stack_max) = 0;
+    (yy_c_buf_p) = (char *) 0;
+    (yy_init) = 0;
+    (yy_start) = 0;
+
+/* Defined in main.c */
+#ifdef YY_STDINIT
+    yyin = stdin;
+    yyout = stdout;
+#else
+    yyin = (FILE *) 0;
+    yyout = (FILE *) 0;
+#endif
+
+    /* For future reference: Set errno on error, since we are called by
+     * yylex_init()
+     */
+    return 0;
+}
+
+/* yylex_destroy is for both reentrant and non-reentrant scanners. */
+int yylex_destroy  (void)
+{
+    
+    /* Pop the buffer stack, destroying each element. */
+	while(YY_CURRENT_BUFFER){
+		yy_delete_buffer(YY_CURRENT_BUFFER  );
+		YY_CURRENT_BUFFER_LVALUE = NULL;
+		yypop_buffer_state();
+	}
+
+	/* Destroy the stack itself. */
+	yyfree((yy_buffer_stack) );
+	(yy_buffer_stack) = NULL;
+
+    /* Reset the globals. This is important in a non-reentrant scanner so the next time
+     * yylex() is called, initialization will occur. */
+    yy_init_globals( );
+
+    return 0;
+}
+
+/*
+ * Internal utility routines.
+ */
+
+#ifndef yytext_ptr
+static void yy_flex_strncpy (char* s1, yyconst char * s2, int n )
+{
+	register int i;
+	for ( i = 0; i < n; ++i )
+		s1[i] = s2[i];
+}
+#endif
+
+#ifdef YY_NEED_STRLEN
+static int yy_flex_strlen (yyconst char * s )
+{
+	register int n;
+	for ( n = 0; s[n]; ++n )
+		;
+
+	return n;
+}
+#endif
+
+void *yyalloc (yy_size_t  size )
+{
+	return (void *) malloc( size );
+}
+
+void *yyrealloc  (void * ptr, yy_size_t  size )
+{
+	/* The cast to (char *) in the following accommodates both
+	 * implementations that use char* generic pointers, and those
+	 * that use void* generic pointers.  It works with the latter
+	 * because both ANSI C and C++ allow castless assignment from
+	 * any pointer type to void*, and deal with argument conversions
+	 * as though doing an assignment.
+	 */
+	return (void *) realloc( (char *) ptr, size );
+}
+
+void yyfree (void * ptr )
+{
+	free( (char *) ptr );	/* see yyrealloc() for (char *) cast */
+}
+
+#define YYTABLES_NAME "yytables"
+
+#line 64 "lex.l"
+
+
+
+#ifndef yywrap /* XXX */
+int
+yywrap () 
+{
+     return 1;
+}
+#endif
+
+static int
+getstring(void)
+{
+    char x[128];
+    int i = 0;
+    int c;
+    int backslash = 0;
+    while((c = input()) != EOF){
+	if(backslash) {
+	    if(c == 'n')
+		c = '\n';
+	    else if(c == 't')
+		c = '\t';
+	    x[i++] = c;
+	    backslash = 0;
+	    continue;
+	}
+	if(c == '\n'){
+	    error_message("unterminated string");
+	    lineno++;
+	    break;
+	}
+	if(c == '\\'){
+	    backslash++;
+	    continue;
+	}
+	if(c == '\"')
+	    break;
+	x[i++] = c;
+    }
+    x[i] = '\0';
+    yylval.string = strdup(x);
+    return STRING;
+}
+
+void
+error_message (const char *format, ...)
+{
+     va_list args;
+
+     va_start (args, format);
+     fprintf (stderr, "%s:%d: ", filename, lineno);
+     vfprintf (stderr, format, args);
+     va_end (args);
+     numerror++;
+}
+
diff --git a/crypto/heimdal/lib/sl/lex.l b/crypto/heimdal/lib/sl/lex.l
index 3e39479..b4f8a2c 100644
--- a/crypto/heimdal/lib/sl/lex.l
+++ b/crypto/heimdal/lib/sl/lex.l
@@ -37,7 +37,7 @@
 #include "make_cmds.h"
 #include "parse.h"
 
-RCSID("$Id: lex.l,v 1.6 2001/09/16 23:10:10 assar Exp $");
+RCSID("$Id: lex.l 10703 2001-09-16 23:10:10Z assar $");
 
 static unsigned lineno = 1;
 static int getstring(void);
diff --git a/crypto/heimdal/lib/sl/make_cmds.c b/crypto/heimdal/lib/sl/make_cmds.c
index 723dfdc..c39be21 100644
--- a/crypto/heimdal/lib/sl/make_cmds.c
+++ b/crypto/heimdal/lib/sl/make_cmds.c
@@ -34,7 +34,7 @@
 #include "make_cmds.h"
 #include <getarg.h>
 
-RCSID("$Id: make_cmds.c,v 1.7 2001/02/20 01:44:55 assar Exp $");
+RCSID("$Id: make_cmds.c 15430 2005-06-16 19:25:45Z lha $");
 
 #include <roken.h>
 #include <err.h>
@@ -113,7 +113,7 @@ generate_commands(void)
 {
     char *base;
     char *cfn;
-    char *p;
+    char *p, *q;
 
     p = strrchr(table_name, '/');
     if(p == NULL)
@@ -145,7 +145,6 @@ generate_commands(void)
 
     {
 	struct command_list *cl, *xl;
-	char *p, *q;
 
 	for(cl = commands; cl; cl = cl->next) {
 	    for(xl = commands; xl != cl; xl = xl->next)
@@ -211,10 +210,10 @@ usage(int code)
 int
 main(int argc, char **argv)
 {
-    int optind = 0;
+    int optidx = 0;
 
     setprogname(argv[0]);
-    if(getarg(args, num_args, argc, argv, &optind))
+    if(getarg(args, num_args, argc, argv, &optidx))
 	usage(1);
     if(help_flag)
 	usage(0);
@@ -223,9 +222,9 @@ main(int argc, char **argv)
 	exit(0);
     }
     
-    if(argc == optind)
+    if(argc == optidx)
 	usage(1);
-    filename = argv[optind];
+    filename = argv[optidx];
     yyin = fopen(filename, "r");
     if(yyin == NULL)
 	err(1, "%s", filename);
diff --git a/crypto/heimdal/lib/sl/make_cmds.h b/crypto/heimdal/lib/sl/make_cmds.h
index 6d64d97..818e5e8 100644
--- a/crypto/heimdal/lib/sl/make_cmds.h
+++ b/crypto/heimdal/lib/sl/make_cmds.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: make_cmds.h,v 1.3 2000/06/27 02:36:56 assar Exp $ */
+/* $Id: make_cmds.h 8467 2000-06-27 02:36:56Z assar $ */
 
 #ifndef __MAKE_CMDS_H__
 #define __MAKE_CMDS_H__
diff --git a/crypto/heimdal/lib/sl/parse.c b/crypto/heimdal/lib/sl/parse.c
new file mode 100644
index 0000000..f79318d
--- /dev/null
+++ b/crypto/heimdal/lib/sl/parse.c
@@ -0,0 +1,1724 @@
+/* A Bison parser, made by GNU Bison 2.3.  */
+
+/* Skeleton implementation for Bison's Yacc-like parsers in C
+
+   Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
+   Free Software Foundation, Inc.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2, or (at your option)
+   any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin Street, Fifth Floor,
+   Boston, MA 02110-1301, USA.  */
+
+/* As a special exception, you may create a larger work that contains
+   part or all of the Bison parser skeleton and distribute that work
+   under terms of your choice, so long as that work isn't itself a
+   parser generator using the skeleton or a modified version thereof
+   as a parser skeleton.  Alternatively, if you modify or redistribute
+   the parser skeleton itself, you may (at your option) remove this
+   special exception, which will cause the skeleton and the resulting
+   Bison output files to be licensed under the GNU General Public
+   License without this special exception.
+
+   This special exception was added by the Free Software Foundation in
+   version 2.2 of Bison.  */
+
+/* C LALR(1) parser skeleton written by Richard Stallman, by
+   simplifying the original so-called "semantic" parser.  */
+
+/* All symbols defined below should begin with yy or YY, to avoid
+   infringing on user name space.  This should be done even for local
+   variables, as they might otherwise be expanded by user macros.
+   There are some unavoidable exceptions within include files to
+   define necessary library symbols; they are noted "INFRINGES ON
+   USER NAME SPACE" below.  */
+
+/* Identify Bison output.  */
+#define YYBISON 1
+
+/* Bison version.  */
+#define YYBISON_VERSION "2.3"
+
+/* Skeleton name.  */
+#define YYSKELETON_NAME "yacc.c"
+
+/* Pure parsers.  */
+#define YYPURE 0
+
+/* Using locations.  */
+#define YYLSP_NEEDED 0
+
+
+
+/* Tokens.  */
+#ifndef YYTOKENTYPE
+# define YYTOKENTYPE
+   /* Put the tokens into the symbol table, so that GDB and other debuggers
+      know about them.  */
+   enum yytokentype {
+     TABLE = 258,
+     REQUEST = 259,
+     UNKNOWN = 260,
+     UNIMPLEMENTED = 261,
+     END = 262,
+     STRING = 263
+   };
+#endif
+/* Tokens.  */
+#define TABLE 258
+#define REQUEST 259
+#define UNKNOWN 260
+#define UNIMPLEMENTED 261
+#define END 262
+#define STRING 263
+
+
+
+
+/* Copy the first part of user declarations.  */
+#line 1 "parse.y"
+
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "make_cmds.h"
+RCSID("$Id: parse.y 21745 2007-07-31 16:11:25Z lha $");
+
+static void yyerror (char *s);
+
+struct string_list* append_string(struct string_list*, char*);
+void free_string_list(struct string_list *list);
+unsigned string_to_flag(const char *);
+
+/* This is for bison */
+
+#if !defined(alloca) && !defined(HAVE_ALLOCA)
+#define alloca(x) malloc(x)
+#endif
+
+
+
+/* Enabling traces.  */
+#ifndef YYDEBUG
+# define YYDEBUG 0
+#endif
+
+/* Enabling verbose error messages.  */
+#ifdef YYERROR_VERBOSE
+# undef YYERROR_VERBOSE
+# define YYERROR_VERBOSE 1
+#else
+# define YYERROR_VERBOSE 0
+#endif
+
+/* Enabling the token table.  */
+#ifndef YYTOKEN_TABLE
+# define YYTOKEN_TABLE 0
+#endif
+
+#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
+typedef union YYSTYPE
+#line 52 "parse.y"
+{
+  char *string;
+  unsigned number;
+  struct string_list *list;
+}
+/* Line 193 of yacc.c.  */
+#line 169 "parse.c"
+	YYSTYPE;
+# define yystype YYSTYPE /* obsolescent; will be withdrawn */
+# define YYSTYPE_IS_DECLARED 1
+# define YYSTYPE_IS_TRIVIAL 1
+#endif
+
+
+
+/* Copy the second part of user declarations.  */
+
+
+/* Line 216 of yacc.c.  */
+#line 182 "parse.c"
+
+#ifdef short
+# undef short
+#endif
+
+#ifdef YYTYPE_UINT8
+typedef YYTYPE_UINT8 yytype_uint8;
+#else
+typedef unsigned char yytype_uint8;
+#endif
+
+#ifdef YYTYPE_INT8
+typedef YYTYPE_INT8 yytype_int8;
+#elif (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+typedef signed char yytype_int8;
+#else
+typedef short int yytype_int8;
+#endif
+
+#ifdef YYTYPE_UINT16
+typedef YYTYPE_UINT16 yytype_uint16;
+#else
+typedef unsigned short int yytype_uint16;
+#endif
+
+#ifdef YYTYPE_INT16
+typedef YYTYPE_INT16 yytype_int16;
+#else
+typedef short int yytype_int16;
+#endif
+
+#ifndef YYSIZE_T
+# ifdef __SIZE_TYPE__
+#  define YYSIZE_T __SIZE_TYPE__
+# elif defined size_t
+#  define YYSIZE_T size_t
+# elif ! defined YYSIZE_T && (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+#  include <stddef.h> /* INFRINGES ON USER NAME SPACE */
+#  define YYSIZE_T size_t
+# else
+#  define YYSIZE_T unsigned int
+# endif
+#endif
+
+#define YYSIZE_MAXIMUM ((YYSIZE_T) -1)
+
+#ifndef YY_
+# if defined YYENABLE_NLS && YYENABLE_NLS
+#  if ENABLE_NLS
+#   include <libintl.h> /* INFRINGES ON USER NAME SPACE */
+#   define YY_(msgid) dgettext ("bison-runtime", msgid)
+#  endif
+# endif
+# ifndef YY_
+#  define YY_(msgid) msgid
+# endif
+#endif
+
+/* Suppress unused-variable warnings by "using" E.  */
+#if ! defined lint || defined __GNUC__
+# define YYUSE(e) ((void) (e))
+#else
+# define YYUSE(e) /* empty */
+#endif
+
+/* Identity function, used to suppress warnings about constant conditions.  */
+#ifndef lint
+# define YYID(n) (n)
+#else
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static int
+YYID (int i)
+#else
+static int
+YYID (i)
+    int i;
+#endif
+{
+  return i;
+}
+#endif
+
+#if ! defined yyoverflow || YYERROR_VERBOSE
+
+/* The parser invokes alloca or malloc; define the necessary symbols.  */
+
+# ifdef YYSTACK_USE_ALLOCA
+#  if YYSTACK_USE_ALLOCA
+#   ifdef __GNUC__
+#    define YYSTACK_ALLOC __builtin_alloca
+#   elif defined __BUILTIN_VA_ARG_INCR
+#    include <alloca.h> /* INFRINGES ON USER NAME SPACE */
+#   elif defined _AIX
+#    define YYSTACK_ALLOC __alloca
+#   elif defined _MSC_VER
+#    include <malloc.h> /* INFRINGES ON USER NAME SPACE */
+#    define alloca _alloca
+#   else
+#    define YYSTACK_ALLOC alloca
+#    if ! defined _ALLOCA_H && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+#     include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
+#     ifndef _STDLIB_H
+#      define _STDLIB_H 1
+#     endif
+#    endif
+#   endif
+#  endif
+# endif
+
+# ifdef YYSTACK_ALLOC
+   /* Pacify GCC's `empty if-body' warning.  */
+#  define YYSTACK_FREE(Ptr) do { /* empty */; } while (YYID (0))
+#  ifndef YYSTACK_ALLOC_MAXIMUM
+    /* The OS might guarantee only one guard page at the bottom of the stack,
+       and a page size can be as small as 4096 bytes.  So we cannot safely
+       invoke alloca (N) if N exceeds 4096.  Use a slightly smaller number
+       to allow for a few compiler-allocated temporary stack slots.  */
+#   define YYSTACK_ALLOC_MAXIMUM 4032 /* reasonable circa 2006 */
+#  endif
+# else
+#  define YYSTACK_ALLOC YYMALLOC
+#  define YYSTACK_FREE YYFREE
+#  ifndef YYSTACK_ALLOC_MAXIMUM
+#   define YYSTACK_ALLOC_MAXIMUM YYSIZE_MAXIMUM
+#  endif
+#  if (defined __cplusplus && ! defined _STDLIB_H \
+       && ! ((defined YYMALLOC || defined malloc) \
+	     && (defined YYFREE || defined free)))
+#   include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
+#   ifndef _STDLIB_H
+#    define _STDLIB_H 1
+#   endif
+#  endif
+#  ifndef YYMALLOC
+#   define YYMALLOC malloc
+#   if ! defined malloc && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+void *malloc (YYSIZE_T); /* INFRINGES ON USER NAME SPACE */
+#   endif
+#  endif
+#  ifndef YYFREE
+#   define YYFREE free
+#   if ! defined free && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+void free (void *); /* INFRINGES ON USER NAME SPACE */
+#   endif
+#  endif
+# endif
+#endif /* ! defined yyoverflow || YYERROR_VERBOSE */
+
+
+#if (! defined yyoverflow \
+     && (! defined __cplusplus \
+	 || (defined YYSTYPE_IS_TRIVIAL && YYSTYPE_IS_TRIVIAL)))
+
+/* A type that is properly aligned for any stack member.  */
+union yyalloc
+{
+  yytype_int16 yyss;
+  YYSTYPE yyvs;
+  };
+
+/* The size of the maximum gap between one aligned stack and the next.  */
+# define YYSTACK_GAP_MAXIMUM (sizeof (union yyalloc) - 1)
+
+/* The size of an array large to enough to hold all stacks, each with
+   N elements.  */
+# define YYSTACK_BYTES(N) \
+     ((N) * (sizeof (yytype_int16) + sizeof (YYSTYPE)) \
+      + YYSTACK_GAP_MAXIMUM)
+
+/* Copy COUNT objects from FROM to TO.  The source and destination do
+   not overlap.  */
+# ifndef YYCOPY
+#  if defined __GNUC__ && 1 < __GNUC__
+#   define YYCOPY(To, From, Count) \
+      __builtin_memcpy (To, From, (Count) * sizeof (*(From)))
+#  else
+#   define YYCOPY(To, From, Count)		\
+      do					\
+	{					\
+	  YYSIZE_T yyi;				\
+	  for (yyi = 0; yyi < (Count); yyi++)	\
+	    (To)[yyi] = (From)[yyi];		\
+	}					\
+      while (YYID (0))
+#  endif
+# endif
+
+/* Relocate STACK from its old location to the new one.  The
+   local variables YYSIZE and YYSTACKSIZE give the old and new number of
+   elements in the stack, and YYPTR gives the new location of the
+   stack.  Advance YYPTR to a properly aligned location for the next
+   stack.  */
+# define YYSTACK_RELOCATE(Stack)					\
+    do									\
+      {									\
+	YYSIZE_T yynewbytes;						\
+	YYCOPY (&yyptr->Stack, Stack, yysize);				\
+	Stack = &yyptr->Stack;						\
+	yynewbytes = yystacksize * sizeof (*Stack) + YYSTACK_GAP_MAXIMUM; \
+	yyptr += yynewbytes / sizeof (*yyptr);				\
+      }									\
+    while (YYID (0))
+
+#endif
+
+/* YYFINAL -- State number of the termination state.  */
+#define YYFINAL  15
+/* YYLAST -- Last index in YYTABLE.  */
+#define YYLAST   37
+
+/* YYNTOKENS -- Number of terminals.  */
+#define YYNTOKENS  13
+/* YYNNTS -- Number of nonterminals.  */
+#define YYNNTS  7
+/* YYNRULES -- Number of rules.  */
+#define YYNRULES  16
+/* YYNRULES -- Number of states.  */
+#define YYNSTATES  40
+
+/* YYTRANSLATE(YYLEX) -- Bison symbol number corresponding to YYLEX.  */
+#define YYUNDEFTOK  2
+#define YYMAXUTOK   263
+
+#define YYTRANSLATE(YYX)						\
+  ((unsigned int) (YYX) <= YYMAXUTOK ? yytranslate[YYX] : YYUNDEFTOK)
+
+/* YYTRANSLATE[YYLEX] -- Bison symbol number corresponding to YYLEX.  */
+static const yytype_uint8 yytranslate[] =
+{
+       0,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+      11,    12,     2,     2,    10,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     9,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     1,     2,     3,     4,
+       5,     6,     7,     8
+};
+
+#if YYDEBUG
+/* YYPRHS[YYN] -- Index of the first RHS symbol of rule number YYN in
+   YYRHS.  */
+static const yytype_uint8 yyprhs[] =
+{
+       0,     0,     3,     4,     6,     8,    11,    15,    27,    35,
+      43,    47,    50,    52,    56,    58,    62
+};
+
+/* YYRHS -- A `-1'-separated list of the rules' RHS.  */
+static const yytype_int8 yyrhs[] =
+{
+      14,     0,    -1,    -1,    15,    -1,    16,    -1,    15,    16,
+      -1,     3,     8,     9,    -1,     4,     8,    10,     8,    10,
+      17,    10,    11,    18,    12,     9,    -1,     4,     8,    10,
+       8,    10,    17,     9,    -1,     6,     8,    10,     8,    10,
+      17,     9,    -1,     5,    17,     9,    -1,     7,     9,    -1,
+       8,    -1,    17,    10,     8,    -1,    19,    -1,    18,    10,
+      19,    -1,     8,    -1
+};
+
+/* YYRLINE[YYN] -- source line where rule number YYN was defined.  */
+static const yytype_uint8 yyrline[] =
+{
+       0,    65,    65,    66,    69,    70,    73,    77,    81,    85,
+      91,    95,   101,   105,   111,   115,   120
+};
+#endif
+
+#if YYDEBUG || YYERROR_VERBOSE || YYTOKEN_TABLE
+/* YYTNAME[SYMBOL-NUM] -- String name of the symbol SYMBOL-NUM.
+   First, the terminals, then, starting at YYNTOKENS, nonterminals.  */
+static const char *const yytname[] =
+{
+  "$end", "error", "$undefined", "TABLE", "REQUEST", "UNKNOWN",
+  "UNIMPLEMENTED", "END", "STRING", "';'", "','", "'('", "')'", "$accept",
+  "file", "statements", "statement", "aliases", "flags", "flag", 0
+};
+#endif
+
+# ifdef YYPRINT
+/* YYTOKNUM[YYLEX-NUM] -- Internal token number corresponding to
+   token YYLEX-NUM.  */
+static const yytype_uint16 yytoknum[] =
+{
+       0,   256,   257,   258,   259,   260,   261,   262,   263,    59,
+      44,    40,    41
+};
+# endif
+
+/* YYR1[YYN] -- Symbol number of symbol that rule YYN derives.  */
+static const yytype_uint8 yyr1[] =
+{
+       0,    13,    14,    14,    15,    15,    16,    16,    16,    16,
+      16,    16,    17,    17,    18,    18,    19
+};
+
+/* YYR2[YYN] -- Number of symbols composing right hand side of rule YYN.  */
+static const yytype_uint8 yyr2[] =
+{
+       0,     2,     0,     1,     1,     2,     3,    11,     7,     7,
+       3,     2,     1,     3,     1,     3,     1
+};
+
+/* YYDEFACT[STATE-NAME] -- Default rule to reduce with in state
+   STATE-NUM when YYTABLE doesn't specify something else to do.  Zero
+   means the default is an error.  */
+static const yytype_uint8 yydefact[] =
+{
+       2,     0,     0,     0,     0,     0,     0,     3,     4,     0,
+       0,    12,     0,     0,    11,     1,     5,     6,     0,    10,
+       0,     0,     0,    13,     0,     0,     0,     0,     0,     8,
+       0,     9,     0,    16,     0,    14,     0,     0,    15,     7
+};
+
+/* YYDEFGOTO[NTERM-NUM].  */
+static const yytype_int8 yydefgoto[] =
+{
+      -1,     6,     7,     8,    12,    34,    35
+};
+
+/* YYPACT[STATE-NUM] -- Index in YYTABLE of the portion describing
+   STATE-NUM.  */
+#define YYPACT_NINF -10
+static const yytype_int8 yypact[] =
+{
+      -3,     0,    10,    11,    12,    13,    21,    -3,   -10,    14,
+      15,   -10,     1,    16,   -10,   -10,   -10,   -10,    19,   -10,
+      20,    22,    23,   -10,    24,    11,    11,     3,     5,   -10,
+      -2,   -10,    27,   -10,    -5,   -10,    27,    28,   -10,   -10
+};
+
+/* YYPGOTO[NTERM-NUM].  */
+static const yytype_int8 yypgoto[] =
+{
+     -10,   -10,   -10,    17,    -9,   -10,    -7
+};
+
+/* YYTABLE[YYPACT[STATE-NUM]].  What to do in state STATE-NUM.  If
+   positive, shift that token.  If negative, reduce the rule which
+   number is the opposite.  If zero, do what YYDEFACT says.
+   If YYTABLE_NINF, syntax error.  */
+#define YYTABLE_NINF -1
+static const yytype_uint8 yytable[] =
+{
+       1,     2,     3,     4,     5,    36,    23,    37,     9,    32,
+      19,    20,    29,    30,    31,    20,    27,    28,    10,    11,
+      13,    15,    14,    17,    16,    18,    21,    22,    23,    38,
+      24,     0,     0,    25,    26,    33,     0,    39
+};
+
+static const yytype_int8 yycheck[] =
+{
+       3,     4,     5,     6,     7,    10,     8,    12,     8,    11,
+       9,    10,     9,    10,     9,    10,    25,    26,     8,     8,
+       8,     0,     9,     9,     7,    10,    10,     8,     8,    36,
+       8,    -1,    -1,    10,    10,     8,    -1,     9
+};
+
+/* YYSTOS[STATE-NUM] -- The (internal number of the) accessing
+   symbol of state STATE-NUM.  */
+static const yytype_uint8 yystos[] =
+{
+       0,     3,     4,     5,     6,     7,    14,    15,    16,     8,
+       8,     8,    17,     8,     9,     0,    16,     9,    10,     9,
+      10,    10,     8,     8,     8,    10,    10,    17,    17,     9,
+      10,     9,    11,     8,    18,    19,    10,    12,    19,     9
+};
+
+#define yyerrok		(yyerrstatus = 0)
+#define yyclearin	(yychar = YYEMPTY)
+#define YYEMPTY		(-2)
+#define YYEOF		0
+
+#define YYACCEPT	goto yyacceptlab
+#define YYABORT		goto yyabortlab
+#define YYERROR		goto yyerrorlab
+
+
+/* Like YYERROR except do call yyerror.  This remains here temporarily
+   to ease the transition to the new meaning of YYERROR, for GCC.
+   Once GCC version 2 has supplanted version 1, this can go.  */
+
+#define YYFAIL		goto yyerrlab
+
+#define YYRECOVERING()  (!!yyerrstatus)
+
+#define YYBACKUP(Token, Value)					\
+do								\
+  if (yychar == YYEMPTY && yylen == 1)				\
+    {								\
+      yychar = (Token);						\
+      yylval = (Value);						\
+      yytoken = YYTRANSLATE (yychar);				\
+      YYPOPSTACK (1);						\
+      goto yybackup;						\
+    }								\
+  else								\
+    {								\
+      yyerror (YY_("syntax error: cannot back up")); \
+      YYERROR;							\
+    }								\
+while (YYID (0))
+
+
+#define YYTERROR	1
+#define YYERRCODE	256
+
+
+/* YYLLOC_DEFAULT -- Set CURRENT to span from RHS[1] to RHS[N].
+   If N is 0, then set CURRENT to the empty location which ends
+   the previous symbol: RHS[0] (always defined).  */
+
+#define YYRHSLOC(Rhs, K) ((Rhs)[K])
+#ifndef YYLLOC_DEFAULT
+# define YYLLOC_DEFAULT(Current, Rhs, N)				\
+    do									\
+      if (YYID (N))                                                    \
+	{								\
+	  (Current).first_line   = YYRHSLOC (Rhs, 1).first_line;	\
+	  (Current).first_column = YYRHSLOC (Rhs, 1).first_column;	\
+	  (Current).last_line    = YYRHSLOC (Rhs, N).last_line;		\
+	  (Current).last_column  = YYRHSLOC (Rhs, N).last_column;	\
+	}								\
+      else								\
+	{								\
+	  (Current).first_line   = (Current).last_line   =		\
+	    YYRHSLOC (Rhs, 0).last_line;				\
+	  (Current).first_column = (Current).last_column =		\
+	    YYRHSLOC (Rhs, 0).last_column;				\
+	}								\
+    while (YYID (0))
+#endif
+
+
+/* YY_LOCATION_PRINT -- Print the location on the stream.
+   This macro was not mandated originally: define only if we know
+   we won't break user code: when these are the locations we know.  */
+
+#ifndef YY_LOCATION_PRINT
+# if defined YYLTYPE_IS_TRIVIAL && YYLTYPE_IS_TRIVIAL
+#  define YY_LOCATION_PRINT(File, Loc)			\
+     fprintf (File, "%d.%d-%d.%d",			\
+	      (Loc).first_line, (Loc).first_column,	\
+	      (Loc).last_line,  (Loc).last_column)
+# else
+#  define YY_LOCATION_PRINT(File, Loc) ((void) 0)
+# endif
+#endif
+
+
+/* YYLEX -- calling `yylex' with the right arguments.  */
+
+#ifdef YYLEX_PARAM
+# define YYLEX yylex (YYLEX_PARAM)
+#else
+# define YYLEX yylex ()
+#endif
+
+/* Enable debugging if requested.  */
+#if YYDEBUG
+
+# ifndef YYFPRINTF
+#  include <stdio.h> /* INFRINGES ON USER NAME SPACE */
+#  define YYFPRINTF fprintf
+# endif
+
+# define YYDPRINTF(Args)			\
+do {						\
+  if (yydebug)					\
+    YYFPRINTF Args;				\
+} while (YYID (0))
+
+# define YY_SYMBOL_PRINT(Title, Type, Value, Location)			  \
+do {									  \
+  if (yydebug)								  \
+    {									  \
+      YYFPRINTF (stderr, "%s ", Title);					  \
+      yy_symbol_print (stderr,						  \
+		  Type, Value); \
+      YYFPRINTF (stderr, "\n");						  \
+    }									  \
+} while (YYID (0))
+
+
+/*--------------------------------.
+| Print this symbol on YYOUTPUT.  |
+`--------------------------------*/
+
+/*ARGSUSED*/
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yy_symbol_value_print (FILE *yyoutput, int yytype, YYSTYPE const * const yyvaluep)
+#else
+static void
+yy_symbol_value_print (yyoutput, yytype, yyvaluep)
+    FILE *yyoutput;
+    int yytype;
+    YYSTYPE const * const yyvaluep;
+#endif
+{
+  if (!yyvaluep)
+    return;
+# ifdef YYPRINT
+  if (yytype < YYNTOKENS)
+    YYPRINT (yyoutput, yytoknum[yytype], *yyvaluep);
+# else
+  YYUSE (yyoutput);
+# endif
+  switch (yytype)
+    {
+      default:
+	break;
+    }
+}
+
+
+/*--------------------------------.
+| Print this symbol on YYOUTPUT.  |
+`--------------------------------*/
+
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yy_symbol_print (FILE *yyoutput, int yytype, YYSTYPE const * const yyvaluep)
+#else
+static void
+yy_symbol_print (yyoutput, yytype, yyvaluep)
+    FILE *yyoutput;
+    int yytype;
+    YYSTYPE const * const yyvaluep;
+#endif
+{
+  if (yytype < YYNTOKENS)
+    YYFPRINTF (yyoutput, "token %s (", yytname[yytype]);
+  else
+    YYFPRINTF (yyoutput, "nterm %s (", yytname[yytype]);
+
+  yy_symbol_value_print (yyoutput, yytype, yyvaluep);
+  YYFPRINTF (yyoutput, ")");
+}
+
+/*------------------------------------------------------------------.
+| yy_stack_print -- Print the state stack from its BOTTOM up to its |
+| TOP (included).                                                   |
+`------------------------------------------------------------------*/
+
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yy_stack_print (yytype_int16 *bottom, yytype_int16 *top)
+#else
+static void
+yy_stack_print (bottom, top)
+    yytype_int16 *bottom;
+    yytype_int16 *top;
+#endif
+{
+  YYFPRINTF (stderr, "Stack now");
+  for (; bottom <= top; ++bottom)
+    YYFPRINTF (stderr, " %d", *bottom);
+  YYFPRINTF (stderr, "\n");
+}
+
+# define YY_STACK_PRINT(Bottom, Top)				\
+do {								\
+  if (yydebug)							\
+    yy_stack_print ((Bottom), (Top));				\
+} while (YYID (0))
+
+
+/*------------------------------------------------.
+| Report that the YYRULE is going to be reduced.  |
+`------------------------------------------------*/
+
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yy_reduce_print (YYSTYPE *yyvsp, int yyrule)
+#else
+static void
+yy_reduce_print (yyvsp, yyrule)
+    YYSTYPE *yyvsp;
+    int yyrule;
+#endif
+{
+  int yynrhs = yyr2[yyrule];
+  int yyi;
+  unsigned long int yylno = yyrline[yyrule];
+  YYFPRINTF (stderr, "Reducing stack by rule %d (line %lu):\n",
+	     yyrule - 1, yylno);
+  /* The symbols being reduced.  */
+  for (yyi = 0; yyi < yynrhs; yyi++)
+    {
+      fprintf (stderr, "   $%d = ", yyi + 1);
+      yy_symbol_print (stderr, yyrhs[yyprhs[yyrule] + yyi],
+		       &(yyvsp[(yyi + 1) - (yynrhs)])
+		       		       );
+      fprintf (stderr, "\n");
+    }
+}
+
+# define YY_REDUCE_PRINT(Rule)		\
+do {					\
+  if (yydebug)				\
+    yy_reduce_print (yyvsp, Rule); \
+} while (YYID (0))
+
+/* Nonzero means print parse trace.  It is left uninitialized so that
+   multiple parsers can coexist.  */
+int yydebug;
+#else /* !YYDEBUG */
+# define YYDPRINTF(Args)
+# define YY_SYMBOL_PRINT(Title, Type, Value, Location)
+# define YY_STACK_PRINT(Bottom, Top)
+# define YY_REDUCE_PRINT(Rule)
+#endif /* !YYDEBUG */
+
+
+/* YYINITDEPTH -- initial size of the parser's stacks.  */
+#ifndef	YYINITDEPTH
+# define YYINITDEPTH 200
+#endif
+
+/* YYMAXDEPTH -- maximum size the stacks can grow to (effective only
+   if the built-in stack extension method is used).
+
+   Do not make this value too large; the results are undefined if
+   YYSTACK_ALLOC_MAXIMUM < YYSTACK_BYTES (YYMAXDEPTH)
+   evaluated with infinite-precision integer arithmetic.  */
+
+#ifndef YYMAXDEPTH
+# define YYMAXDEPTH 10000
+#endif
+
+
+
+#if YYERROR_VERBOSE
+
+# ifndef yystrlen
+#  if defined __GLIBC__ && defined _STRING_H
+#   define yystrlen strlen
+#  else
+/* Return the length of YYSTR.  */
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static YYSIZE_T
+yystrlen (const char *yystr)
+#else
+static YYSIZE_T
+yystrlen (yystr)
+    const char *yystr;
+#endif
+{
+  YYSIZE_T yylen;
+  for (yylen = 0; yystr[yylen]; yylen++)
+    continue;
+  return yylen;
+}
+#  endif
+# endif
+
+# ifndef yystpcpy
+#  if defined __GLIBC__ && defined _STRING_H && defined _GNU_SOURCE
+#   define yystpcpy stpcpy
+#  else
+/* Copy YYSRC to YYDEST, returning the address of the terminating '\0' in
+   YYDEST.  */
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static char *
+yystpcpy (char *yydest, const char *yysrc)
+#else
+static char *
+yystpcpy (yydest, yysrc)
+    char *yydest;
+    const char *yysrc;
+#endif
+{
+  char *yyd = yydest;
+  const char *yys = yysrc;
+
+  while ((*yyd++ = *yys++) != '\0')
+    continue;
+
+  return yyd - 1;
+}
+#  endif
+# endif
+
+# ifndef yytnamerr
+/* Copy to YYRES the contents of YYSTR after stripping away unnecessary
+   quotes and backslashes, so that it's suitable for yyerror.  The
+   heuristic is that double-quoting is unnecessary unless the string
+   contains an apostrophe, a comma, or backslash (other than
+   backslash-backslash).  YYSTR is taken from yytname.  If YYRES is
+   null, do not copy; instead, return the length of what the result
+   would have been.  */
+static YYSIZE_T
+yytnamerr (char *yyres, const char *yystr)
+{
+  if (*yystr == '"')
+    {
+      YYSIZE_T yyn = 0;
+      char const *yyp = yystr;
+
+      for (;;)
+	switch (*++yyp)
+	  {
+	  case '\'':
+	  case ',':
+	    goto do_not_strip_quotes;
+
+	  case '\\':
+	    if (*++yyp != '\\')
+	      goto do_not_strip_quotes;
+	    /* Fall through.  */
+	  default:
+	    if (yyres)
+	      yyres[yyn] = *yyp;
+	    yyn++;
+	    break;
+
+	  case '"':
+	    if (yyres)
+	      yyres[yyn] = '\0';
+	    return yyn;
+	  }
+    do_not_strip_quotes: ;
+    }
+
+  if (! yyres)
+    return yystrlen (yystr);
+
+  return yystpcpy (yyres, yystr) - yyres;
+}
+# endif
+
+/* Copy into YYRESULT an error message about the unexpected token
+   YYCHAR while in state YYSTATE.  Return the number of bytes copied,
+   including the terminating null byte.  If YYRESULT is null, do not
+   copy anything; just return the number of bytes that would be
+   copied.  As a special case, return 0 if an ordinary "syntax error"
+   message will do.  Return YYSIZE_MAXIMUM if overflow occurs during
+   size calculation.  */
+static YYSIZE_T
+yysyntax_error (char *yyresult, int yystate, int yychar)
+{
+  int yyn = yypact[yystate];
+
+  if (! (YYPACT_NINF < yyn && yyn <= YYLAST))
+    return 0;
+  else
+    {
+      int yytype = YYTRANSLATE (yychar);
+      YYSIZE_T yysize0 = yytnamerr (0, yytname[yytype]);
+      YYSIZE_T yysize = yysize0;
+      YYSIZE_T yysize1;
+      int yysize_overflow = 0;
+      enum { YYERROR_VERBOSE_ARGS_MAXIMUM = 5 };
+      char const *yyarg[YYERROR_VERBOSE_ARGS_MAXIMUM];
+      int yyx;
+
+# if 0
+      /* This is so xgettext sees the translatable formats that are
+	 constructed on the fly.  */
+      YY_("syntax error, unexpected %s");
+      YY_("syntax error, unexpected %s, expecting %s");
+      YY_("syntax error, unexpected %s, expecting %s or %s");
+      YY_("syntax error, unexpected %s, expecting %s or %s or %s");
+      YY_("syntax error, unexpected %s, expecting %s or %s or %s or %s");
+# endif
+      char *yyfmt;
+      char const *yyf;
+      static char const yyunexpected[] = "syntax error, unexpected %s";
+      static char const yyexpecting[] = ", expecting %s";
+      static char const yyor[] = " or %s";
+      char yyformat[sizeof yyunexpected
+		    + sizeof yyexpecting - 1
+		    + ((YYERROR_VERBOSE_ARGS_MAXIMUM - 2)
+		       * (sizeof yyor - 1))];
+      char const *yyprefix = yyexpecting;
+
+      /* Start YYX at -YYN if negative to avoid negative indexes in
+	 YYCHECK.  */
+      int yyxbegin = yyn < 0 ? -yyn : 0;
+
+      /* Stay within bounds of both yycheck and yytname.  */
+      int yychecklim = YYLAST - yyn + 1;
+      int yyxend = yychecklim < YYNTOKENS ? yychecklim : YYNTOKENS;
+      int yycount = 1;
+
+      yyarg[0] = yytname[yytype];
+      yyfmt = yystpcpy (yyformat, yyunexpected);
+
+      for (yyx = yyxbegin; yyx < yyxend; ++yyx)
+	if (yycheck[yyx + yyn] == yyx && yyx != YYTERROR)
+	  {
+	    if (yycount == YYERROR_VERBOSE_ARGS_MAXIMUM)
+	      {
+		yycount = 1;
+		yysize = yysize0;
+		yyformat[sizeof yyunexpected - 1] = '\0';
+		break;
+	      }
+	    yyarg[yycount++] = yytname[yyx];
+	    yysize1 = yysize + yytnamerr (0, yytname[yyx]);
+	    yysize_overflow |= (yysize1 < yysize);
+	    yysize = yysize1;
+	    yyfmt = yystpcpy (yyfmt, yyprefix);
+	    yyprefix = yyor;
+	  }
+
+      yyf = YY_(yyformat);
+      yysize1 = yysize + yystrlen (yyf);
+      yysize_overflow |= (yysize1 < yysize);
+      yysize = yysize1;
+
+      if (yysize_overflow)
+	return YYSIZE_MAXIMUM;
+
+      if (yyresult)
+	{
+	  /* Avoid sprintf, as that infringes on the user's name space.
+	     Don't have undefined behavior even if the translation
+	     produced a string with the wrong number of "%s"s.  */
+	  char *yyp = yyresult;
+	  int yyi = 0;
+	  while ((*yyp = *yyf) != '\0')
+	    {
+	      if (*yyp == '%' && yyf[1] == 's' && yyi < yycount)
+		{
+		  yyp += yytnamerr (yyp, yyarg[yyi++]);
+		  yyf += 2;
+		}
+	      else
+		{
+		  yyp++;
+		  yyf++;
+		}
+	    }
+	}
+      return yysize;
+    }
+}
+#endif /* YYERROR_VERBOSE */
+
+
+/*-----------------------------------------------.
+| Release the memory associated to this symbol.  |
+`-----------------------------------------------*/
+
+/*ARGSUSED*/
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yydestruct (const char *yymsg, int yytype, YYSTYPE *yyvaluep)
+#else
+static void
+yydestruct (yymsg, yytype, yyvaluep)
+    const char *yymsg;
+    int yytype;
+    YYSTYPE *yyvaluep;
+#endif
+{
+  YYUSE (yyvaluep);
+
+  if (!yymsg)
+    yymsg = "Deleting";
+  YY_SYMBOL_PRINT (yymsg, yytype, yyvaluep, yylocationp);
+
+  switch (yytype)
+    {
+
+      default:
+	break;
+    }
+}
+
+
+/* Prevent warnings from -Wmissing-prototypes.  */
+
+#ifdef YYPARSE_PARAM
+#if defined __STDC__ || defined __cplusplus
+int yyparse (void *YYPARSE_PARAM);
+#else
+int yyparse ();
+#endif
+#else /* ! YYPARSE_PARAM */
+#if defined __STDC__ || defined __cplusplus
+int yyparse (void);
+#else
+int yyparse ();
+#endif
+#endif /* ! YYPARSE_PARAM */
+
+
+
+/* The look-ahead symbol.  */
+int yychar;
+
+/* The semantic value of the look-ahead symbol.  */
+YYSTYPE yylval;
+
+/* Number of syntax errors so far.  */
+int yynerrs;
+
+
+
+/*----------.
+| yyparse.  |
+`----------*/
+
+#ifdef YYPARSE_PARAM
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+int
+yyparse (void *YYPARSE_PARAM)
+#else
+int
+yyparse (YYPARSE_PARAM)
+    void *YYPARSE_PARAM;
+#endif
+#else /* ! YYPARSE_PARAM */
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+int
+yyparse (void)
+#else
+int
+yyparse ()
+
+#endif
+#endif
+{
+  
+  int yystate;
+  int yyn;
+  int yyresult;
+  /* Number of tokens to shift before error messages enabled.  */
+  int yyerrstatus;
+  /* Look-ahead token as an internal (translated) token number.  */
+  int yytoken = 0;
+#if YYERROR_VERBOSE
+  /* Buffer for error messages, and its allocated size.  */
+  char yymsgbuf[128];
+  char *yymsg = yymsgbuf;
+  YYSIZE_T yymsg_alloc = sizeof yymsgbuf;
+#endif
+
+  /* Three stacks and their tools:
+     `yyss': related to states,
+     `yyvs': related to semantic values,
+     `yyls': related to locations.
+
+     Refer to the stacks thru separate pointers, to allow yyoverflow
+     to reallocate them elsewhere.  */
+
+  /* The state stack.  */
+  yytype_int16 yyssa[YYINITDEPTH];
+  yytype_int16 *yyss = yyssa;
+  yytype_int16 *yyssp;
+
+  /* The semantic value stack.  */
+  YYSTYPE yyvsa[YYINITDEPTH];
+  YYSTYPE *yyvs = yyvsa;
+  YYSTYPE *yyvsp;
+
+
+
+#define YYPOPSTACK(N)   (yyvsp -= (N), yyssp -= (N))
+
+  YYSIZE_T yystacksize = YYINITDEPTH;
+
+  /* The variables used to return semantic value and location from the
+     action routines.  */
+  YYSTYPE yyval;
+
+
+  /* The number of symbols on the RHS of the reduced rule.
+     Keep to zero when no symbol should be popped.  */
+  int yylen = 0;
+
+  YYDPRINTF ((stderr, "Starting parse\n"));
+
+  yystate = 0;
+  yyerrstatus = 0;
+  yynerrs = 0;
+  yychar = YYEMPTY;		/* Cause a token to be read.  */
+
+  /* Initialize stack pointers.
+     Waste one element of value and location stack
+     so that they stay on the same level as the state stack.
+     The wasted elements are never initialized.  */
+
+  yyssp = yyss;
+  yyvsp = yyvs;
+
+  goto yysetstate;
+
+/*------------------------------------------------------------.
+| yynewstate -- Push a new state, which is found in yystate.  |
+`------------------------------------------------------------*/
+ yynewstate:
+  /* In all cases, when you get here, the value and location stacks
+     have just been pushed.  So pushing a state here evens the stacks.  */
+  yyssp++;
+
+ yysetstate:
+  *yyssp = yystate;
+
+  if (yyss + yystacksize - 1 <= yyssp)
+    {
+      /* Get the current used size of the three stacks, in elements.  */
+      YYSIZE_T yysize = yyssp - yyss + 1;
+
+#ifdef yyoverflow
+      {
+	/* Give user a chance to reallocate the stack.  Use copies of
+	   these so that the &'s don't force the real ones into
+	   memory.  */
+	YYSTYPE *yyvs1 = yyvs;
+	yytype_int16 *yyss1 = yyss;
+
+
+	/* Each stack pointer address is followed by the size of the
+	   data in use in that stack, in bytes.  This used to be a
+	   conditional around just the two extra args, but that might
+	   be undefined if yyoverflow is a macro.  */
+	yyoverflow (YY_("memory exhausted"),
+		    &yyss1, yysize * sizeof (*yyssp),
+		    &yyvs1, yysize * sizeof (*yyvsp),
+
+		    &yystacksize);
+
+	yyss = yyss1;
+	yyvs = yyvs1;
+      }
+#else /* no yyoverflow */
+# ifndef YYSTACK_RELOCATE
+      goto yyexhaustedlab;
+# else
+      /* Extend the stack our own way.  */
+      if (YYMAXDEPTH <= yystacksize)
+	goto yyexhaustedlab;
+      yystacksize *= 2;
+      if (YYMAXDEPTH < yystacksize)
+	yystacksize = YYMAXDEPTH;
+
+      {
+	yytype_int16 *yyss1 = yyss;
+	union yyalloc *yyptr =
+	  (union yyalloc *) YYSTACK_ALLOC (YYSTACK_BYTES (yystacksize));
+	if (! yyptr)
+	  goto yyexhaustedlab;
+	YYSTACK_RELOCATE (yyss);
+	YYSTACK_RELOCATE (yyvs);
+
+#  undef YYSTACK_RELOCATE
+	if (yyss1 != yyssa)
+	  YYSTACK_FREE (yyss1);
+      }
+# endif
+#endif /* no yyoverflow */
+
+      yyssp = yyss + yysize - 1;
+      yyvsp = yyvs + yysize - 1;
+
+
+      YYDPRINTF ((stderr, "Stack size increased to %lu\n",
+		  (unsigned long int) yystacksize));
+
+      if (yyss + yystacksize - 1 <= yyssp)
+	YYABORT;
+    }
+
+  YYDPRINTF ((stderr, "Entering state %d\n", yystate));
+
+  goto yybackup;
+
+/*-----------.
+| yybackup.  |
+`-----------*/
+yybackup:
+
+  /* Do appropriate processing given the current state.  Read a
+     look-ahead token if we need one and don't already have one.  */
+
+  /* First try to decide what to do without reference to look-ahead token.  */
+  yyn = yypact[yystate];
+  if (yyn == YYPACT_NINF)
+    goto yydefault;
+
+  /* Not known => get a look-ahead token if don't already have one.  */
+
+  /* YYCHAR is either YYEMPTY or YYEOF or a valid look-ahead symbol.  */
+  if (yychar == YYEMPTY)
+    {
+      YYDPRINTF ((stderr, "Reading a token: "));
+      yychar = YYLEX;
+    }
+
+  if (yychar <= YYEOF)
+    {
+      yychar = yytoken = YYEOF;
+      YYDPRINTF ((stderr, "Now at end of input.\n"));
+    }
+  else
+    {
+      yytoken = YYTRANSLATE (yychar);
+      YY_SYMBOL_PRINT ("Next token is", yytoken, &yylval, &yylloc);
+    }
+
+  /* If the proper action on seeing token YYTOKEN is to reduce or to
+     detect an error, take that action.  */
+  yyn += yytoken;
+  if (yyn < 0 || YYLAST < yyn || yycheck[yyn] != yytoken)
+    goto yydefault;
+  yyn = yytable[yyn];
+  if (yyn <= 0)
+    {
+      if (yyn == 0 || yyn == YYTABLE_NINF)
+	goto yyerrlab;
+      yyn = -yyn;
+      goto yyreduce;
+    }
+
+  if (yyn == YYFINAL)
+    YYACCEPT;
+
+  /* Count tokens shifted since error; after three, turn off error
+     status.  */
+  if (yyerrstatus)
+    yyerrstatus--;
+
+  /* Shift the look-ahead token.  */
+  YY_SYMBOL_PRINT ("Shifting", yytoken, &yylval, &yylloc);
+
+  /* Discard the shifted token unless it is eof.  */
+  if (yychar != YYEOF)
+    yychar = YYEMPTY;
+
+  yystate = yyn;
+  *++yyvsp = yylval;
+
+  goto yynewstate;
+
+
+/*-----------------------------------------------------------.
+| yydefault -- do the default action for the current state.  |
+`-----------------------------------------------------------*/
+yydefault:
+  yyn = yydefact[yystate];
+  if (yyn == 0)
+    goto yyerrlab;
+  goto yyreduce;
+
+
+/*-----------------------------.
+| yyreduce -- Do a reduction.  |
+`-----------------------------*/
+yyreduce:
+  /* yyn is the number of a rule to reduce with.  */
+  yylen = yyr2[yyn];
+
+  /* If YYLEN is nonzero, implement the default value of the action:
+     `$$ = $1'.
+
+     Otherwise, the following line sets YYVAL to garbage.
+     This behavior is undocumented and Bison
+     users should not rely upon it.  Assigning to YYVAL
+     unconditionally makes the parser a bit smaller, and it avoids a
+     GCC warning that YYVAL may be used uninitialized.  */
+  yyval = yyvsp[1-yylen];
+
+
+  YY_REDUCE_PRINT (yyn);
+  switch (yyn)
+    {
+        case 6:
+#line 74 "parse.y"
+    {
+		    table_name = (yyvsp[(2) - (3)].string);
+		}
+    break;
+
+  case 7:
+#line 78 "parse.y"
+    {
+		    add_command((yyvsp[(2) - (11)].string), (yyvsp[(4) - (11)].string), (yyvsp[(6) - (11)].list), (yyvsp[(9) - (11)].number));
+		}
+    break;
+
+  case 8:
+#line 82 "parse.y"
+    {
+		    add_command((yyvsp[(2) - (7)].string), (yyvsp[(4) - (7)].string), (yyvsp[(6) - (7)].list), 0);
+		}
+    break;
+
+  case 9:
+#line 86 "parse.y"
+    {
+		    free((yyvsp[(2) - (7)].string));
+		    free((yyvsp[(4) - (7)].string));
+		    free_string_list((yyvsp[(6) - (7)].list));
+		}
+    break;
+
+  case 10:
+#line 92 "parse.y"
+    {
+		    free_string_list((yyvsp[(2) - (3)].list));
+		}
+    break;
+
+  case 11:
+#line 96 "parse.y"
+    {
+		    YYACCEPT;
+		}
+    break;
+
+  case 12:
+#line 102 "parse.y"
+    {
+		    (yyval.list) = append_string(NULL, (yyvsp[(1) - (1)].string));
+		}
+    break;
+
+  case 13:
+#line 106 "parse.y"
+    {
+		    (yyval.list) = append_string((yyvsp[(1) - (3)].list), (yyvsp[(3) - (3)].string));
+		}
+    break;
+
+  case 14:
+#line 112 "parse.y"
+    {
+		    (yyval.number) = (yyvsp[(1) - (1)].number);
+		}
+    break;
+
+  case 15:
+#line 116 "parse.y"
+    {
+		    (yyval.number) = (yyvsp[(1) - (3)].number) | (yyvsp[(3) - (3)].number);
+		}
+    break;
+
+  case 16:
+#line 121 "parse.y"
+    {
+		    (yyval.number) = string_to_flag((yyvsp[(1) - (1)].string));
+		    free((yyvsp[(1) - (1)].string));
+		}
+    break;
+
+
+/* Line 1267 of yacc.c.  */
+#line 1469 "parse.c"
+      default: break;
+    }
+  YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
+
+  YYPOPSTACK (yylen);
+  yylen = 0;
+  YY_STACK_PRINT (yyss, yyssp);
+
+  *++yyvsp = yyval;
+
+
+  /* Now `shift' the result of the reduction.  Determine what state
+     that goes to, based on the state we popped back to and the rule
+     number reduced by.  */
+
+  yyn = yyr1[yyn];
+
+  yystate = yypgoto[yyn - YYNTOKENS] + *yyssp;
+  if (0 <= yystate && yystate <= YYLAST && yycheck[yystate] == *yyssp)
+    yystate = yytable[yystate];
+  else
+    yystate = yydefgoto[yyn - YYNTOKENS];
+
+  goto yynewstate;
+
+
+/*------------------------------------.
+| yyerrlab -- here on detecting error |
+`------------------------------------*/
+yyerrlab:
+  /* If not already recovering from an error, report this error.  */
+  if (!yyerrstatus)
+    {
+      ++yynerrs;
+#if ! YYERROR_VERBOSE
+      yyerror (YY_("syntax error"));
+#else
+      {
+	YYSIZE_T yysize = yysyntax_error (0, yystate, yychar);
+	if (yymsg_alloc < yysize && yymsg_alloc < YYSTACK_ALLOC_MAXIMUM)
+	  {
+	    YYSIZE_T yyalloc = 2 * yysize;
+	    if (! (yysize <= yyalloc && yyalloc <= YYSTACK_ALLOC_MAXIMUM))
+	      yyalloc = YYSTACK_ALLOC_MAXIMUM;
+	    if (yymsg != yymsgbuf)
+	      YYSTACK_FREE (yymsg);
+	    yymsg = (char *) YYSTACK_ALLOC (yyalloc);
+	    if (yymsg)
+	      yymsg_alloc = yyalloc;
+	    else
+	      {
+		yymsg = yymsgbuf;
+		yymsg_alloc = sizeof yymsgbuf;
+	      }
+	  }
+
+	if (0 < yysize && yysize <= yymsg_alloc)
+	  {
+	    (void) yysyntax_error (yymsg, yystate, yychar);
+	    yyerror (yymsg);
+	  }
+	else
+	  {
+	    yyerror (YY_("syntax error"));
+	    if (yysize != 0)
+	      goto yyexhaustedlab;
+	  }
+      }
+#endif
+    }
+
+
+
+  if (yyerrstatus == 3)
+    {
+      /* If just tried and failed to reuse look-ahead token after an
+	 error, discard it.  */
+
+      if (yychar <= YYEOF)
+	{
+	  /* Return failure if at end of input.  */
+	  if (yychar == YYEOF)
+	    YYABORT;
+	}
+      else
+	{
+	  yydestruct ("Error: discarding",
+		      yytoken, &yylval);
+	  yychar = YYEMPTY;
+	}
+    }
+
+  /* Else will try to reuse look-ahead token after shifting the error
+     token.  */
+  goto yyerrlab1;
+
+
+/*---------------------------------------------------.
+| yyerrorlab -- error raised explicitly by YYERROR.  |
+`---------------------------------------------------*/
+yyerrorlab:
+
+  /* Pacify compilers like GCC when the user code never invokes
+     YYERROR and the label yyerrorlab therefore never appears in user
+     code.  */
+  if (/*CONSTCOND*/ 0)
+     goto yyerrorlab;
+
+  /* Do not reclaim the symbols of the rule which action triggered
+     this YYERROR.  */
+  YYPOPSTACK (yylen);
+  yylen = 0;
+  YY_STACK_PRINT (yyss, yyssp);
+  yystate = *yyssp;
+  goto yyerrlab1;
+
+
+/*-------------------------------------------------------------.
+| yyerrlab1 -- common code for both syntax error and YYERROR.  |
+`-------------------------------------------------------------*/
+yyerrlab1:
+  yyerrstatus = 3;	/* Each real token shifted decrements this.  */
+
+  for (;;)
+    {
+      yyn = yypact[yystate];
+      if (yyn != YYPACT_NINF)
+	{
+	  yyn += YYTERROR;
+	  if (0 <= yyn && yyn <= YYLAST && yycheck[yyn] == YYTERROR)
+	    {
+	      yyn = yytable[yyn];
+	      if (0 < yyn)
+		break;
+	    }
+	}
+
+      /* Pop the current state because it cannot handle the error token.  */
+      if (yyssp == yyss)
+	YYABORT;
+
+
+      yydestruct ("Error: popping",
+		  yystos[yystate], yyvsp);
+      YYPOPSTACK (1);
+      yystate = *yyssp;
+      YY_STACK_PRINT (yyss, yyssp);
+    }
+
+  if (yyn == YYFINAL)
+    YYACCEPT;
+
+  *++yyvsp = yylval;
+
+
+  /* Shift the error token.  */
+  YY_SYMBOL_PRINT ("Shifting", yystos[yyn], yyvsp, yylsp);
+
+  yystate = yyn;
+  goto yynewstate;
+
+
+/*-------------------------------------.
+| yyacceptlab -- YYACCEPT comes here.  |
+`-------------------------------------*/
+yyacceptlab:
+  yyresult = 0;
+  goto yyreturn;
+
+/*-----------------------------------.
+| yyabortlab -- YYABORT comes here.  |
+`-----------------------------------*/
+yyabortlab:
+  yyresult = 1;
+  goto yyreturn;
+
+#ifndef yyoverflow
+/*-------------------------------------------------.
+| yyexhaustedlab -- memory exhaustion comes here.  |
+`-------------------------------------------------*/
+yyexhaustedlab:
+  yyerror (YY_("memory exhausted"));
+  yyresult = 2;
+  /* Fall through.  */
+#endif
+
+yyreturn:
+  if (yychar != YYEOF && yychar != YYEMPTY)
+     yydestruct ("Cleanup: discarding lookahead",
+		 yytoken, &yylval);
+  /* Do not reclaim the symbols of the rule which action triggered
+     this YYABORT or YYACCEPT.  */
+  YYPOPSTACK (yylen);
+  YY_STACK_PRINT (yyss, yyssp);
+  while (yyssp != yyss)
+    {
+      yydestruct ("Cleanup: popping",
+		  yystos[*yyssp], yyvsp);
+      YYPOPSTACK (1);
+    }
+#ifndef yyoverflow
+  if (yyss != yyssa)
+    YYSTACK_FREE (yyss);
+#endif
+#if YYERROR_VERBOSE
+  if (yymsg != yymsgbuf)
+    YYSTACK_FREE (yymsg);
+#endif
+  /* Make sure YYID is used.  */
+  return YYID (yyresult);
+}
+
+
+#line 129 "parse.y"
+
+
+static void
+yyerror (char *s)
+{
+    error_message ("%s\n", s);
+}
+
+struct string_list*
+append_string(struct string_list *list, char *str)
+{
+    struct string_list *sl = malloc(sizeof(*sl));
+    if (sl == NULL)
+	return sl;
+    sl->string = str;
+    sl->next = NULL;
+    if(list) {
+	*list->tail = sl;
+	list->tail = &sl->next;
+	return list;
+    }
+    sl->tail = &sl->next;
+    return sl;
+}
+
+void
+free_string_list(struct string_list *list)
+{
+    while(list) {
+	struct string_list *sl = list->next;
+	free(list->string);
+	free(list);
+	list = sl;
+    }
+}
+
+unsigned
+string_to_flag(const char *string)
+{
+    return 0;
+}
+
diff --git a/crypto/heimdal/lib/sl/parse.h b/crypto/heimdal/lib/sl/parse.h
new file mode 100644
index 0000000..f7fef6d
--- /dev/null
+++ b/crypto/heimdal/lib/sl/parse.h
@@ -0,0 +1,78 @@
+/* A Bison parser, made by GNU Bison 2.3.  */
+
+/* Skeleton interface for Bison's Yacc-like parsers in C
+
+   Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
+   Free Software Foundation, Inc.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2, or (at your option)
+   any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin Street, Fifth Floor,
+   Boston, MA 02110-1301, USA.  */
+
+/* As a special exception, you may create a larger work that contains
+   part or all of the Bison parser skeleton and distribute that work
+   under terms of your choice, so long as that work isn't itself a
+   parser generator using the skeleton or a modified version thereof
+   as a parser skeleton.  Alternatively, if you modify or redistribute
+   the parser skeleton itself, you may (at your option) remove this
+   special exception, which will cause the skeleton and the resulting
+   Bison output files to be licensed under the GNU General Public
+   License without this special exception.
+
+   This special exception was added by the Free Software Foundation in
+   version 2.2 of Bison.  */
+
+/* Tokens.  */
+#ifndef YYTOKENTYPE
+# define YYTOKENTYPE
+   /* Put the tokens into the symbol table, so that GDB and other debuggers
+      know about them.  */
+   enum yytokentype {
+     TABLE = 258,
+     REQUEST = 259,
+     UNKNOWN = 260,
+     UNIMPLEMENTED = 261,
+     END = 262,
+     STRING = 263
+   };
+#endif
+/* Tokens.  */
+#define TABLE 258
+#define REQUEST 259
+#define UNKNOWN 260
+#define UNIMPLEMENTED 261
+#define END 262
+#define STRING 263
+
+
+
+
+#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
+typedef union YYSTYPE
+#line 52 "parse.y"
+{
+  char *string;
+  unsigned number;
+  struct string_list *list;
+}
+/* Line 1529 of yacc.c.  */
+#line 71 "parse.h"
+	YYSTYPE;
+# define yystype YYSTYPE /* obsolescent; will be withdrawn */
+# define YYSTYPE_IS_DECLARED 1
+# define YYSTYPE_IS_TRIVIAL 1
+#endif
+
+extern YYSTYPE yylval;
+
diff --git a/crypto/heimdal/lib/sl/parse.y b/crypto/heimdal/lib/sl/parse.y
index deff933..b08c193 100644
--- a/crypto/heimdal/lib/sl/parse.y
+++ b/crypto/heimdal/lib/sl/parse.y
@@ -33,7 +33,7 @@
  */
 
 #include "make_cmds.h"
-RCSID("$Id: parse.y,v 1.7 2000/06/27 02:37:18 assar Exp $");
+RCSID("$Id: parse.y 21745 2007-07-31 16:11:25Z lha $");
 
 static void yyerror (char *s);
 
@@ -138,6 +138,8 @@ struct string_list*
 append_string(struct string_list *list, char *str)
 {
     struct string_list *sl = malloc(sizeof(*sl));
+    if (sl == NULL)
+	return sl;
     sl->string = str;
     sl->next = NULL;
     if(list) {
diff --git a/crypto/heimdal/lib/sl/roken_rename.h b/crypto/heimdal/lib/sl/roken_rename.h
index 17837fb..88ec0f8 100644
--- a/crypto/heimdal/lib/sl/roken_rename.h
+++ b/crypto/heimdal/lib/sl/roken_rename.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: roken_rename.h,v 1.5 2001/05/06 21:47:54 assar Exp $ */
+/* $Id: roken_rename.h 9842 2001-05-06 21:47:54Z assar $ */
 
 #ifndef __roken_rename_h__
 #define __roken_rename_h__
diff --git a/crypto/heimdal/lib/sl/sl.c b/crypto/heimdal/lib/sl/sl.c
index 98b101c..8f604e8 100644
--- a/crypto/heimdal/lib/sl/sl.c
+++ b/crypto/heimdal/lib/sl/sl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -33,32 +33,12 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: sl.c,v 1.29 2001/02/20 01:44:55 assar Exp $");
+RCSID("$Id: sl.c 21160 2007-06-18 22:58:21Z lha $");
 #endif
 
 #include "sl_locl.h"
 #include <setjmp.h>
 
-static size_t
-print_sl (FILE *stream, int mdoc, int longp, SL_cmd *c)
-    __attribute__ ((unused));
-
-static size_t
-print_sl (FILE *stream, int mdoc, int longp, SL_cmd *c)
-{
-    if(mdoc){
-	if(longp)
-	    fprintf(stream, "= Ns");
-	fprintf(stream, " Ar ");
-    }else
-	if (longp)
-	    putc ('=', stream);
-	else
-	    putc (' ', stream);
-
-    return 1;
-}
-
 static void
 mandoc_template(SL_cmd *cmds,
 		const char *extra_string)
@@ -94,7 +74,6 @@ mandoc_template(SL_cmd *cmds,
 /*	if (c->func == NULL)
 	    continue; */
 	printf(".Op Fl %s", c->name);
-/*	print_sl(stdout, 1, 0, c);*/
 	printf("\n");
 	
     }
@@ -129,7 +108,7 @@ mandoc_template(SL_cmd *cmds,
     printf(".\\\".Sh BUGS\n");
 }
 
-static SL_cmd *
+SL_cmd *
 sl_match (SL_cmd *cmds, char *cmd, int exactp)
 {
     SL_cmd *c, *current = NULL, *partial_cmd = NULL;
@@ -212,8 +191,7 @@ readline(char *prompt)
     fflush (stdout);
     if(fgets(buf, sizeof(buf), stdin) == NULL)
 	return NULL;
-    if (buf[strlen(buf) - 1] == '\n')
-	buf[strlen(buf) - 1] = '\0';
+    buf[strcspn(buf, "\r\n")] = '\0';
     return strdup(buf);
 }
 
@@ -242,10 +220,10 @@ struct sl_data {
 int
 sl_make_argv(char *line, int *ret_argc, char ***ret_argv)
 {
-    char *foo = NULL;
-    char *p;
+    char *p, *begining;
     int argc, nargv;
     char **argv;
+    int quote = 0;
     
     nargv = 10;
     argv = malloc(nargv * sizeof(*argv));
@@ -253,9 +231,32 @@ sl_make_argv(char *line, int *ret_argc, char ***ret_argv)
 	return ENOMEM;
     argc = 0;
 
-    for(p = strtok_r (line, " \t", &foo);
-	p;
-	p = strtok_r (NULL, " \t", &foo)) {
+    p = line;
+
+    while(isspace((unsigned char)*p))
+	p++;
+    begining = p;
+
+    while (1) {
+	if (*p == '\0') {
+	    ;
+	} else if (*p == '"') {
+	    quote = !quote;
+	    memmove(&p[0], &p[1], strlen(&p[1]) + 1);
+	    continue;
+	} else if (*p == '\\') {
+	    if (p[1] == '\0')
+		goto failed;
+	    memmove(&p[0], &p[1], strlen(&p[1]) + 1);
+	    p += 2;
+	    continue;
+	} else if (quote || !isspace((unsigned char)*p)) {
+	    p++;
+	    continue;
+	} else
+	    *p++ = '\0';
+	if (quote)
+	    goto failed;
 	if(argc == nargv - 1) {
 	    char **tmp;
 	    nargv *= 2;
@@ -266,12 +267,20 @@ sl_make_argv(char *line, int *ret_argc, char ***ret_argv)
 	    }
 	    argv = tmp;
 	}
-	argv[argc++] = p;
+	argv[argc++] = begining;
+	while(isspace((unsigned char)*p))
+	    p++;
+	if (*p == '\0')
+	    break;
+	begining = p;
     }
     argv[argc] = NULL;
     *ret_argc = argc;
     *ret_argv = argv;
     return 0;
+failed:
+    free(argv);
+    return ERANGE;
 }
 
 static jmp_buf sl_jmp;
@@ -288,12 +297,16 @@ static char *sl_readline(const char *prompt)
     old = signal(SIGINT, sl_sigint);
     if(setjmp(sl_jmp))
 	printf("\n");
-    s = readline((char*)prompt);
+    s = readline(rk_UNCONST(prompt));
     signal(SIGINT, old);
     return s;
 }
 
-/* return values: 0 on success, -1 on fatal error, or return value of command */
+/* return values: 
+ * 0 on success,
+ * -1 on fatal error,
+ * -2 if EOF, or
+ * return value of command */
 int
 sl_command_loop(SL_cmd *cmds, const char *prompt, void **data)
 {
@@ -305,7 +318,7 @@ sl_command_loop(SL_cmd *cmds, const char *prompt, void **data)
     ret = 0;
     buf = sl_readline(prompt);
     if(buf == NULL)
-	return 1;
+	return -2;
 
     if(*buf)
 	add_history(buf);
@@ -332,7 +345,7 @@ sl_loop(SL_cmd *cmds, const char *prompt)
 {
     void *data = NULL;
     int ret;
-    while((ret = sl_command_loop(cmds, prompt, &data)) == 0)
+    while((ret = sl_command_loop(cmds, prompt, &data)) >= 0)
 	;
     return ret;
 }
@@ -344,3 +357,40 @@ sl_apropos (SL_cmd *cmd, const char *topic)
         if (cmd->usage != NULL && strstr(cmd->usage, topic) != NULL)
 	    printf ("%-20s%s\n", cmd->name, cmd->usage);
 }
+
+/*
+ * Help to be used with slc.
+ */
+
+void
+sl_slc_help (SL_cmd *cmds, int argc, char **argv)
+{
+    if(argc == 0) {
+	sl_help(cmds, 1, argv - 1 /* XXX */);
+    } else {
+	SL_cmd *c = sl_match (cmds, argv[0], 0);
+ 	if(c == NULL) {
+	    fprintf (stderr, "No such command: %s. "
+		     "Try \"help\" for a list of commands\n",
+		     argv[0]);
+	} else {
+	    if(c->func) {
+		char *fake[] = { NULL, "--help", NULL };
+		fake[0] = argv[0];
+		(*c->func)(2, fake);
+		fprintf(stderr, "\n");
+	    }
+	    if(c->help && *c->help)
+		fprintf (stderr, "%s\n", c->help);
+	    if((++c)->name && c->func == NULL) {
+		int f = 0;
+		fprintf (stderr, "Synonyms:");
+		while (c->name && c->func == NULL) {
+		    fprintf (stderr, "%s%s", f ? ", " : " ", (c++)->name);
+		    f = 1;
+		}
+		fprintf (stderr, "\n");
+	    }
+	}
+    }
+}
diff --git a/crypto/heimdal/lib/sl/sl.h b/crypto/heimdal/lib/sl/sl.h
index 5b3e4b7..8798ee8 100644
--- a/crypto/heimdal/lib/sl/sl.h
+++ b/crypto/heimdal/lib/sl/sl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: sl.h,v 1.9 2001/01/26 14:58:41 joda Exp $ */
+/* $Id: sl.h 17948 2006-08-28 14:16:43Z lha $ */
 
 #ifndef _SL_H
 #define _SL_H
@@ -49,12 +49,21 @@ struct sl_cmd {
 
 typedef struct sl_cmd SL_cmd;
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 void sl_help (SL_cmd *, int argc, char **argv);
 int  sl_loop (SL_cmd *, const char *prompt);
 int  sl_command_loop (SL_cmd *cmds, const char *prompt, void **data);
 int  sl_command (SL_cmd *cmds, int argc, char **argv);
 int sl_make_argv(char*, int*, char***);
 void sl_apropos (SL_cmd *cmd, const char *topic);
+SL_cmd *sl_match (SL_cmd *cmds, char *cmd, int exactp);
+void sl_slc_help (SL_cmd *cmds, int argc, char **argv);
 
+#ifdef __cplusplus
+}
+#endif
 
 #endif /* _SL_H */
diff --git a/crypto/heimdal/lib/sl/sl_locl.h b/crypto/heimdal/lib/sl/sl_locl.h
index 4bd9660..a7bc843 100644
--- a/crypto/heimdal/lib/sl/sl_locl.h
+++ b/crypto/heimdal/lib/sl/sl_locl.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: sl_locl.h,v 1.6 1999/12/02 16:58:55 joda Exp $ */
+/* $Id: sl_locl.h 19517 2006-12-27 20:27:00Z lha $ */
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
@@ -40,6 +40,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <stdarg.h>
+#include <ctype.h>
 
 #include <roken.h>
 
diff --git a/crypto/heimdal/lib/sl/slc-gram.c b/crypto/heimdal/lib/sl/slc-gram.c
new file mode 100644
index 0000000..1ab243b
--- /dev/null
+++ b/crypto/heimdal/lib/sl/slc-gram.c
@@ -0,0 +1,2275 @@
+/* A Bison parser, made by GNU Bison 2.3.  */
+
+/* Skeleton implementation for Bison's Yacc-like parsers in C
+
+   Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
+   Free Software Foundation, Inc.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2, or (at your option)
+   any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin Street, Fifth Floor,
+   Boston, MA 02110-1301, USA.  */
+
+/* As a special exception, you may create a larger work that contains
+   part or all of the Bison parser skeleton and distribute that work
+   under terms of your choice, so long as that work isn't itself a
+   parser generator using the skeleton or a modified version thereof
+   as a parser skeleton.  Alternatively, if you modify or redistribute
+   the parser skeleton itself, you may (at your option) remove this
+   special exception, which will cause the skeleton and the resulting
+   Bison output files to be licensed under the GNU General Public
+   License without this special exception.
+
+   This special exception was added by the Free Software Foundation in
+   version 2.2 of Bison.  */
+
+/* C LALR(1) parser skeleton written by Richard Stallman, by
+   simplifying the original so-called "semantic" parser.  */
+
+/* All symbols defined below should begin with yy or YY, to avoid
+   infringing on user name space.  This should be done even for local
+   variables, as they might otherwise be expanded by user macros.
+   There are some unavoidable exceptions within include files to
+   define necessary library symbols; they are noted "INFRINGES ON
+   USER NAME SPACE" below.  */
+
+/* Identify Bison output.  */
+#define YYBISON 1
+
+/* Bison version.  */
+#define YYBISON_VERSION "2.3"
+
+/* Skeleton name.  */
+#define YYSKELETON_NAME "yacc.c"
+
+/* Pure parsers.  */
+#define YYPURE 0
+
+/* Using locations.  */
+#define YYLSP_NEEDED 0
+
+
+
+/* Tokens.  */
+#ifndef YYTOKENTYPE
+# define YYTOKENTYPE
+   /* Put the tokens into the symbol table, so that GDB and other debuggers
+      know about them.  */
+   enum yytokentype {
+     LITERAL = 258,
+     STRING = 259
+   };
+#endif
+/* Tokens.  */
+#define LITERAL 258
+#define STRING 259
+
+
+
+
+/* Copy the first part of user declarations.  */
+#line 1 "slc-gram.y"
+
+/*
+ * Copyright (c) 2004-2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: slc-gram.y 20767 2007-06-01 11:24:52Z lha $");
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <err.h>
+#include <ctype.h>
+#include <limits.h>
+#include <getarg.h>
+#include <vers.h>
+#include <roken.h>
+
+#include "slc.h"
+extern FILE *yyin;
+extern struct assignment *assignment;
+
+
+/* Enabling traces.  */
+#ifndef YYDEBUG
+# define YYDEBUG 0
+#endif
+
+/* Enabling verbose error messages.  */
+#ifdef YYERROR_VERBOSE
+# undef YYERROR_VERBOSE
+# define YYERROR_VERBOSE 1
+#else
+# define YYERROR_VERBOSE 0
+#endif
+
+/* Enabling the token table.  */
+#ifndef YYTOKEN_TABLE
+# define YYTOKEN_TABLE 0
+#endif
+
+#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
+typedef union YYSTYPE
+#line 54 "slc-gram.y"
+{
+	char *string;
+	struct assignment *assignment;
+}
+/* Line 193 of yacc.c.  */
+#line 162 "slc-gram.c"
+	YYSTYPE;
+# define yystype YYSTYPE /* obsolescent; will be withdrawn */
+# define YYSTYPE_IS_DECLARED 1
+# define YYSTYPE_IS_TRIVIAL 1
+#endif
+
+
+
+/* Copy the second part of user declarations.  */
+
+
+/* Line 216 of yacc.c.  */
+#line 175 "slc-gram.c"
+
+#ifdef short
+# undef short
+#endif
+
+#ifdef YYTYPE_UINT8
+typedef YYTYPE_UINT8 yytype_uint8;
+#else
+typedef unsigned char yytype_uint8;
+#endif
+
+#ifdef YYTYPE_INT8
+typedef YYTYPE_INT8 yytype_int8;
+#elif (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+typedef signed char yytype_int8;
+#else
+typedef short int yytype_int8;
+#endif
+
+#ifdef YYTYPE_UINT16
+typedef YYTYPE_UINT16 yytype_uint16;
+#else
+typedef unsigned short int yytype_uint16;
+#endif
+
+#ifdef YYTYPE_INT16
+typedef YYTYPE_INT16 yytype_int16;
+#else
+typedef short int yytype_int16;
+#endif
+
+#ifndef YYSIZE_T
+# ifdef __SIZE_TYPE__
+#  define YYSIZE_T __SIZE_TYPE__
+# elif defined size_t
+#  define YYSIZE_T size_t
+# elif ! defined YYSIZE_T && (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+#  include <stddef.h> /* INFRINGES ON USER NAME SPACE */
+#  define YYSIZE_T size_t
+# else
+#  define YYSIZE_T unsigned int
+# endif
+#endif
+
+#define YYSIZE_MAXIMUM ((YYSIZE_T) -1)
+
+#ifndef YY_
+# if defined YYENABLE_NLS && YYENABLE_NLS
+#  if ENABLE_NLS
+#   include <libintl.h> /* INFRINGES ON USER NAME SPACE */
+#   define YY_(msgid) dgettext ("bison-runtime", msgid)
+#  endif
+# endif
+# ifndef YY_
+#  define YY_(msgid) msgid
+# endif
+#endif
+
+/* Suppress unused-variable warnings by "using" E.  */
+#if ! defined lint || defined __GNUC__
+# define YYUSE(e) ((void) (e))
+#else
+# define YYUSE(e) /* empty */
+#endif
+
+/* Identity function, used to suppress warnings about constant conditions.  */
+#ifndef lint
+# define YYID(n) (n)
+#else
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static int
+YYID (int i)
+#else
+static int
+YYID (i)
+    int i;
+#endif
+{
+  return i;
+}
+#endif
+
+#if ! defined yyoverflow || YYERROR_VERBOSE
+
+/* The parser invokes alloca or malloc; define the necessary symbols.  */
+
+# ifdef YYSTACK_USE_ALLOCA
+#  if YYSTACK_USE_ALLOCA
+#   ifdef __GNUC__
+#    define YYSTACK_ALLOC __builtin_alloca
+#   elif defined __BUILTIN_VA_ARG_INCR
+#    include <alloca.h> /* INFRINGES ON USER NAME SPACE */
+#   elif defined _AIX
+#    define YYSTACK_ALLOC __alloca
+#   elif defined _MSC_VER
+#    include <malloc.h> /* INFRINGES ON USER NAME SPACE */
+#    define alloca _alloca
+#   else
+#    define YYSTACK_ALLOC alloca
+#    if ! defined _ALLOCA_H && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+#     include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
+#     ifndef _STDLIB_H
+#      define _STDLIB_H 1
+#     endif
+#    endif
+#   endif
+#  endif
+# endif
+
+# ifdef YYSTACK_ALLOC
+   /* Pacify GCC's `empty if-body' warning.  */
+#  define YYSTACK_FREE(Ptr) do { /* empty */; } while (YYID (0))
+#  ifndef YYSTACK_ALLOC_MAXIMUM
+    /* The OS might guarantee only one guard page at the bottom of the stack,
+       and a page size can be as small as 4096 bytes.  So we cannot safely
+       invoke alloca (N) if N exceeds 4096.  Use a slightly smaller number
+       to allow for a few compiler-allocated temporary stack slots.  */
+#   define YYSTACK_ALLOC_MAXIMUM 4032 /* reasonable circa 2006 */
+#  endif
+# else
+#  define YYSTACK_ALLOC YYMALLOC
+#  define YYSTACK_FREE YYFREE
+#  ifndef YYSTACK_ALLOC_MAXIMUM
+#   define YYSTACK_ALLOC_MAXIMUM YYSIZE_MAXIMUM
+#  endif
+#  if (defined __cplusplus && ! defined _STDLIB_H \
+       && ! ((defined YYMALLOC || defined malloc) \
+	     && (defined YYFREE || defined free)))
+#   include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
+#   ifndef _STDLIB_H
+#    define _STDLIB_H 1
+#   endif
+#  endif
+#  ifndef YYMALLOC
+#   define YYMALLOC malloc
+#   if ! defined malloc && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+void *malloc (YYSIZE_T); /* INFRINGES ON USER NAME SPACE */
+#   endif
+#  endif
+#  ifndef YYFREE
+#   define YYFREE free
+#   if ! defined free && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+void free (void *); /* INFRINGES ON USER NAME SPACE */
+#   endif
+#  endif
+# endif
+#endif /* ! defined yyoverflow || YYERROR_VERBOSE */
+
+
+#if (! defined yyoverflow \
+     && (! defined __cplusplus \
+	 || (defined YYSTYPE_IS_TRIVIAL && YYSTYPE_IS_TRIVIAL)))
+
+/* A type that is properly aligned for any stack member.  */
+union yyalloc
+{
+  yytype_int16 yyss;
+  YYSTYPE yyvs;
+  };
+
+/* The size of the maximum gap between one aligned stack and the next.  */
+# define YYSTACK_GAP_MAXIMUM (sizeof (union yyalloc) - 1)
+
+/* The size of an array large to enough to hold all stacks, each with
+   N elements.  */
+# define YYSTACK_BYTES(N) \
+     ((N) * (sizeof (yytype_int16) + sizeof (YYSTYPE)) \
+      + YYSTACK_GAP_MAXIMUM)
+
+/* Copy COUNT objects from FROM to TO.  The source and destination do
+   not overlap.  */
+# ifndef YYCOPY
+#  if defined __GNUC__ && 1 < __GNUC__
+#   define YYCOPY(To, From, Count) \
+      __builtin_memcpy (To, From, (Count) * sizeof (*(From)))
+#  else
+#   define YYCOPY(To, From, Count)		\
+      do					\
+	{					\
+	  YYSIZE_T yyi;				\
+	  for (yyi = 0; yyi < (Count); yyi++)	\
+	    (To)[yyi] = (From)[yyi];		\
+	}					\
+      while (YYID (0))
+#  endif
+# endif
+
+/* Relocate STACK from its old location to the new one.  The
+   local variables YYSIZE and YYSTACKSIZE give the old and new number of
+   elements in the stack, and YYPTR gives the new location of the
+   stack.  Advance YYPTR to a properly aligned location for the next
+   stack.  */
+# define YYSTACK_RELOCATE(Stack)					\
+    do									\
+      {									\
+	YYSIZE_T yynewbytes;						\
+	YYCOPY (&yyptr->Stack, Stack, yysize);				\
+	Stack = &yyptr->Stack;						\
+	yynewbytes = yystacksize * sizeof (*Stack) + YYSTACK_GAP_MAXIMUM; \
+	yyptr += yynewbytes / sizeof (*yyptr);				\
+      }									\
+    while (YYID (0))
+
+#endif
+
+/* YYFINAL -- State number of the termination state.  */
+#define YYFINAL  6
+/* YYLAST -- Last index in YYTABLE.  */
+#define YYLAST   7
+
+/* YYNTOKENS -- Number of terminals.  */
+#define YYNTOKENS  8
+/* YYNNTS -- Number of nonterminals.  */
+#define YYNNTS  4
+/* YYNRULES -- Number of rules.  */
+#define YYNRULES  6
+/* YYNRULES -- Number of states.  */
+#define YYNSTATES  12
+
+/* YYTRANSLATE(YYLEX) -- Bison symbol number corresponding to YYLEX.  */
+#define YYUNDEFTOK  2
+#define YYMAXUTOK   259
+
+#define YYTRANSLATE(YYX)						\
+  ((unsigned int) (YYX) <= YYMAXUTOK ? yytranslate[YYX] : YYUNDEFTOK)
+
+/* YYTRANSLATE[YYLEX] -- Bison symbol number corresponding to YYLEX.  */
+static const yytype_uint8 yytranslate[] =
+{
+       0,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     5,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     6,     2,     7,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     2,     2,     2,     2,
+       2,     2,     2,     2,     2,     2,     1,     2,     3,     4
+};
+
+#if YYDEBUG
+/* YYPRHS[YYN] -- Index of the first RHS symbol of rule number YYN in
+   YYRHS.  */
+static const yytype_uint8 yyprhs[] =
+{
+       0,     0,     3,     5,     8,    10,    14
+};
+
+/* YYRHS -- A `-1'-separated list of the rules' RHS.  */
+static const yytype_int8 yyrhs[] =
+{
+       9,     0,    -1,    10,    -1,    11,    10,    -1,    11,    -1,
+       3,     5,     4,    -1,     3,     5,     6,    10,     7,    -1
+};
+
+/* YYRLINE[YYN] -- source line where rule number YYN was defined.  */
+static const yytype_uint8 yyrline[] =
+{
+       0,    67,    67,    73,    78,    81,    90
+};
+#endif
+
+#if YYDEBUG || YYERROR_VERBOSE || YYTOKEN_TABLE
+/* YYTNAME[SYMBOL-NUM] -- String name of the symbol SYMBOL-NUM.
+   First, the terminals, then, starting at YYNTOKENS, nonterminals.  */
+static const char *const yytname[] =
+{
+  "$end", "error", "$undefined", "LITERAL", "STRING", "'='", "'{'", "'}'",
+  "$accept", "start", "assignments", "assignment", 0
+};
+#endif
+
+# ifdef YYPRINT
+/* YYTOKNUM[YYLEX-NUM] -- Internal token number corresponding to
+   token YYLEX-NUM.  */
+static const yytype_uint16 yytoknum[] =
+{
+       0,   256,   257,   258,   259,    61,   123,   125
+};
+# endif
+
+/* YYR1[YYN] -- Symbol number of symbol that rule YYN derives.  */
+static const yytype_uint8 yyr1[] =
+{
+       0,     8,     9,    10,    10,    11,    11
+};
+
+/* YYR2[YYN] -- Number of symbols composing right hand side of rule YYN.  */
+static const yytype_uint8 yyr2[] =
+{
+       0,     2,     1,     2,     1,     3,     5
+};
+
+/* YYDEFACT[STATE-NAME] -- Default rule to reduce with in state
+   STATE-NUM when YYTABLE doesn't specify something else to do.  Zero
+   means the default is an error.  */
+static const yytype_uint8 yydefact[] =
+{
+       0,     0,     0,     2,     4,     0,     1,     3,     5,     0,
+       0,     6
+};
+
+/* YYDEFGOTO[NTERM-NUM].  */
+static const yytype_int8 yydefgoto[] =
+{
+      -1,     2,     3,     4
+};
+
+/* YYPACT[STATE-NUM] -- Index in YYTABLE of the portion describing
+   STATE-NUM.  */
+#define YYPACT_NINF -5
+static const yytype_int8 yypact[] =
+{
+      -1,     1,     4,    -5,    -1,    -3,    -5,    -5,    -5,    -1,
+       0,    -5
+};
+
+/* YYPGOTO[NTERM-NUM].  */
+static const yytype_int8 yypgoto[] =
+{
+      -5,    -5,    -4,    -5
+};
+
+/* YYTABLE[YYPACT[STATE-NUM]].  What to do in state STATE-NUM.  If
+   positive, shift that token.  If negative, reduce the rule which
+   number is the opposite.  If zero, do what YYDEFACT says.
+   If YYTABLE_NINF, syntax error.  */
+#define YYTABLE_NINF -1
+static const yytype_uint8 yytable[] =
+{
+       7,     8,     1,     9,     6,    10,     5,    11
+};
+
+static const yytype_uint8 yycheck[] =
+{
+       4,     4,     3,     6,     0,     9,     5,     7
+};
+
+/* YYSTOS[STATE-NUM] -- The (internal number of the) accessing
+   symbol of state STATE-NUM.  */
+static const yytype_uint8 yystos[] =
+{
+       0,     3,     9,    10,    11,     5,     0,    10,     4,     6,
+      10,     7
+};
+
+#define yyerrok		(yyerrstatus = 0)
+#define yyclearin	(yychar = YYEMPTY)
+#define YYEMPTY		(-2)
+#define YYEOF		0
+
+#define YYACCEPT	goto yyacceptlab
+#define YYABORT		goto yyabortlab
+#define YYERROR		goto yyerrorlab
+
+
+/* Like YYERROR except do call yyerror.  This remains here temporarily
+   to ease the transition to the new meaning of YYERROR, for GCC.
+   Once GCC version 2 has supplanted version 1, this can go.  */
+
+#define YYFAIL		goto yyerrlab
+
+#define YYRECOVERING()  (!!yyerrstatus)
+
+#define YYBACKUP(Token, Value)					\
+do								\
+  if (yychar == YYEMPTY && yylen == 1)				\
+    {								\
+      yychar = (Token);						\
+      yylval = (Value);						\
+      yytoken = YYTRANSLATE (yychar);				\
+      YYPOPSTACK (1);						\
+      goto yybackup;						\
+    }								\
+  else								\
+    {								\
+      yyerror (YY_("syntax error: cannot back up")); \
+      YYERROR;							\
+    }								\
+while (YYID (0))
+
+
+#define YYTERROR	1
+#define YYERRCODE	256
+
+
+/* YYLLOC_DEFAULT -- Set CURRENT to span from RHS[1] to RHS[N].
+   If N is 0, then set CURRENT to the empty location which ends
+   the previous symbol: RHS[0] (always defined).  */
+
+#define YYRHSLOC(Rhs, K) ((Rhs)[K])
+#ifndef YYLLOC_DEFAULT
+# define YYLLOC_DEFAULT(Current, Rhs, N)				\
+    do									\
+      if (YYID (N))                                                    \
+	{								\
+	  (Current).first_line   = YYRHSLOC (Rhs, 1).first_line;	\
+	  (Current).first_column = YYRHSLOC (Rhs, 1).first_column;	\
+	  (Current).last_line    = YYRHSLOC (Rhs, N).last_line;		\
+	  (Current).last_column  = YYRHSLOC (Rhs, N).last_column;	\
+	}								\
+      else								\
+	{								\
+	  (Current).first_line   = (Current).last_line   =		\
+	    YYRHSLOC (Rhs, 0).last_line;				\
+	  (Current).first_column = (Current).last_column =		\
+	    YYRHSLOC (Rhs, 0).last_column;				\
+	}								\
+    while (YYID (0))
+#endif
+
+
+/* YY_LOCATION_PRINT -- Print the location on the stream.
+   This macro was not mandated originally: define only if we know
+   we won't break user code: when these are the locations we know.  */
+
+#ifndef YY_LOCATION_PRINT
+# if defined YYLTYPE_IS_TRIVIAL && YYLTYPE_IS_TRIVIAL
+#  define YY_LOCATION_PRINT(File, Loc)			\
+     fprintf (File, "%d.%d-%d.%d",			\
+	      (Loc).first_line, (Loc).first_column,	\
+	      (Loc).last_line,  (Loc).last_column)
+# else
+#  define YY_LOCATION_PRINT(File, Loc) ((void) 0)
+# endif
+#endif
+
+
+/* YYLEX -- calling `yylex' with the right arguments.  */
+
+#ifdef YYLEX_PARAM
+# define YYLEX yylex (YYLEX_PARAM)
+#else
+# define YYLEX yylex ()
+#endif
+
+/* Enable debugging if requested.  */
+#if YYDEBUG
+
+# ifndef YYFPRINTF
+#  include <stdio.h> /* INFRINGES ON USER NAME SPACE */
+#  define YYFPRINTF fprintf
+# endif
+
+# define YYDPRINTF(Args)			\
+do {						\
+  if (yydebug)					\
+    YYFPRINTF Args;				\
+} while (YYID (0))
+
+# define YY_SYMBOL_PRINT(Title, Type, Value, Location)			  \
+do {									  \
+  if (yydebug)								  \
+    {									  \
+      YYFPRINTF (stderr, "%s ", Title);					  \
+      yy_symbol_print (stderr,						  \
+		  Type, Value); \
+      YYFPRINTF (stderr, "\n");						  \
+    }									  \
+} while (YYID (0))
+
+
+/*--------------------------------.
+| Print this symbol on YYOUTPUT.  |
+`--------------------------------*/
+
+/*ARGSUSED*/
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yy_symbol_value_print (FILE *yyoutput, int yytype, YYSTYPE const * const yyvaluep)
+#else
+static void
+yy_symbol_value_print (yyoutput, yytype, yyvaluep)
+    FILE *yyoutput;
+    int yytype;
+    YYSTYPE const * const yyvaluep;
+#endif
+{
+  if (!yyvaluep)
+    return;
+# ifdef YYPRINT
+  if (yytype < YYNTOKENS)
+    YYPRINT (yyoutput, yytoknum[yytype], *yyvaluep);
+# else
+  YYUSE (yyoutput);
+# endif
+  switch (yytype)
+    {
+      default:
+	break;
+    }
+}
+
+
+/*--------------------------------.
+| Print this symbol on YYOUTPUT.  |
+`--------------------------------*/
+
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yy_symbol_print (FILE *yyoutput, int yytype, YYSTYPE const * const yyvaluep)
+#else
+static void
+yy_symbol_print (yyoutput, yytype, yyvaluep)
+    FILE *yyoutput;
+    int yytype;
+    YYSTYPE const * const yyvaluep;
+#endif
+{
+  if (yytype < YYNTOKENS)
+    YYFPRINTF (yyoutput, "token %s (", yytname[yytype]);
+  else
+    YYFPRINTF (yyoutput, "nterm %s (", yytname[yytype]);
+
+  yy_symbol_value_print (yyoutput, yytype, yyvaluep);
+  YYFPRINTF (yyoutput, ")");
+}
+
+/*------------------------------------------------------------------.
+| yy_stack_print -- Print the state stack from its BOTTOM up to its |
+| TOP (included).                                                   |
+`------------------------------------------------------------------*/
+
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yy_stack_print (yytype_int16 *bottom, yytype_int16 *top)
+#else
+static void
+yy_stack_print (bottom, top)
+    yytype_int16 *bottom;
+    yytype_int16 *top;
+#endif
+{
+  YYFPRINTF (stderr, "Stack now");
+  for (; bottom <= top; ++bottom)
+    YYFPRINTF (stderr, " %d", *bottom);
+  YYFPRINTF (stderr, "\n");
+}
+
+# define YY_STACK_PRINT(Bottom, Top)				\
+do {								\
+  if (yydebug)							\
+    yy_stack_print ((Bottom), (Top));				\
+} while (YYID (0))
+
+
+/*------------------------------------------------.
+| Report that the YYRULE is going to be reduced.  |
+`------------------------------------------------*/
+
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yy_reduce_print (YYSTYPE *yyvsp, int yyrule)
+#else
+static void
+yy_reduce_print (yyvsp, yyrule)
+    YYSTYPE *yyvsp;
+    int yyrule;
+#endif
+{
+  int yynrhs = yyr2[yyrule];
+  int yyi;
+  unsigned long int yylno = yyrline[yyrule];
+  YYFPRINTF (stderr, "Reducing stack by rule %d (line %lu):\n",
+	     yyrule - 1, yylno);
+  /* The symbols being reduced.  */
+  for (yyi = 0; yyi < yynrhs; yyi++)
+    {
+      fprintf (stderr, "   $%d = ", yyi + 1);
+      yy_symbol_print (stderr, yyrhs[yyprhs[yyrule] + yyi],
+		       &(yyvsp[(yyi + 1) - (yynrhs)])
+		       		       );
+      fprintf (stderr, "\n");
+    }
+}
+
+# define YY_REDUCE_PRINT(Rule)		\
+do {					\
+  if (yydebug)				\
+    yy_reduce_print (yyvsp, Rule); \
+} while (YYID (0))
+
+/* Nonzero means print parse trace.  It is left uninitialized so that
+   multiple parsers can coexist.  */
+int yydebug;
+#else /* !YYDEBUG */
+# define YYDPRINTF(Args)
+# define YY_SYMBOL_PRINT(Title, Type, Value, Location)
+# define YY_STACK_PRINT(Bottom, Top)
+# define YY_REDUCE_PRINT(Rule)
+#endif /* !YYDEBUG */
+
+
+/* YYINITDEPTH -- initial size of the parser's stacks.  */
+#ifndef	YYINITDEPTH
+# define YYINITDEPTH 200
+#endif
+
+/* YYMAXDEPTH -- maximum size the stacks can grow to (effective only
+   if the built-in stack extension method is used).
+
+   Do not make this value too large; the results are undefined if
+   YYSTACK_ALLOC_MAXIMUM < YYSTACK_BYTES (YYMAXDEPTH)
+   evaluated with infinite-precision integer arithmetic.  */
+
+#ifndef YYMAXDEPTH
+# define YYMAXDEPTH 10000
+#endif
+
+
+
+#if YYERROR_VERBOSE
+
+# ifndef yystrlen
+#  if defined __GLIBC__ && defined _STRING_H
+#   define yystrlen strlen
+#  else
+/* Return the length of YYSTR.  */
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static YYSIZE_T
+yystrlen (const char *yystr)
+#else
+static YYSIZE_T
+yystrlen (yystr)
+    const char *yystr;
+#endif
+{
+  YYSIZE_T yylen;
+  for (yylen = 0; yystr[yylen]; yylen++)
+    continue;
+  return yylen;
+}
+#  endif
+# endif
+
+# ifndef yystpcpy
+#  if defined __GLIBC__ && defined _STRING_H && defined _GNU_SOURCE
+#   define yystpcpy stpcpy
+#  else
+/* Copy YYSRC to YYDEST, returning the address of the terminating '\0' in
+   YYDEST.  */
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static char *
+yystpcpy (char *yydest, const char *yysrc)
+#else
+static char *
+yystpcpy (yydest, yysrc)
+    char *yydest;
+    const char *yysrc;
+#endif
+{
+  char *yyd = yydest;
+  const char *yys = yysrc;
+
+  while ((*yyd++ = *yys++) != '\0')
+    continue;
+
+  return yyd - 1;
+}
+#  endif
+# endif
+
+# ifndef yytnamerr
+/* Copy to YYRES the contents of YYSTR after stripping away unnecessary
+   quotes and backslashes, so that it's suitable for yyerror.  The
+   heuristic is that double-quoting is unnecessary unless the string
+   contains an apostrophe, a comma, or backslash (other than
+   backslash-backslash).  YYSTR is taken from yytname.  If YYRES is
+   null, do not copy; instead, return the length of what the result
+   would have been.  */
+static YYSIZE_T
+yytnamerr (char *yyres, const char *yystr)
+{
+  if (*yystr == '"')
+    {
+      YYSIZE_T yyn = 0;
+      char const *yyp = yystr;
+
+      for (;;)
+	switch (*++yyp)
+	  {
+	  case '\'':
+	  case ',':
+	    goto do_not_strip_quotes;
+
+	  case '\\':
+	    if (*++yyp != '\\')
+	      goto do_not_strip_quotes;
+	    /* Fall through.  */
+	  default:
+	    if (yyres)
+	      yyres[yyn] = *yyp;
+	    yyn++;
+	    break;
+
+	  case '"':
+	    if (yyres)
+	      yyres[yyn] = '\0';
+	    return yyn;
+	  }
+    do_not_strip_quotes: ;
+    }
+
+  if (! yyres)
+    return yystrlen (yystr);
+
+  return yystpcpy (yyres, yystr) - yyres;
+}
+# endif
+
+/* Copy into YYRESULT an error message about the unexpected token
+   YYCHAR while in state YYSTATE.  Return the number of bytes copied,
+   including the terminating null byte.  If YYRESULT is null, do not
+   copy anything; just return the number of bytes that would be
+   copied.  As a special case, return 0 if an ordinary "syntax error"
+   message will do.  Return YYSIZE_MAXIMUM if overflow occurs during
+   size calculation.  */
+static YYSIZE_T
+yysyntax_error (char *yyresult, int yystate, int yychar)
+{
+  int yyn = yypact[yystate];
+
+  if (! (YYPACT_NINF < yyn && yyn <= YYLAST))
+    return 0;
+  else
+    {
+      int yytype = YYTRANSLATE (yychar);
+      YYSIZE_T yysize0 = yytnamerr (0, yytname[yytype]);
+      YYSIZE_T yysize = yysize0;
+      YYSIZE_T yysize1;
+      int yysize_overflow = 0;
+      enum { YYERROR_VERBOSE_ARGS_MAXIMUM = 5 };
+      char const *yyarg[YYERROR_VERBOSE_ARGS_MAXIMUM];
+      int yyx;
+
+# if 0
+      /* This is so xgettext sees the translatable formats that are
+	 constructed on the fly.  */
+      YY_("syntax error, unexpected %s");
+      YY_("syntax error, unexpected %s, expecting %s");
+      YY_("syntax error, unexpected %s, expecting %s or %s");
+      YY_("syntax error, unexpected %s, expecting %s or %s or %s");
+      YY_("syntax error, unexpected %s, expecting %s or %s or %s or %s");
+# endif
+      char *yyfmt;
+      char const *yyf;
+      static char const yyunexpected[] = "syntax error, unexpected %s";
+      static char const yyexpecting[] = ", expecting %s";
+      static char const yyor[] = " or %s";
+      char yyformat[sizeof yyunexpected
+		    + sizeof yyexpecting - 1
+		    + ((YYERROR_VERBOSE_ARGS_MAXIMUM - 2)
+		       * (sizeof yyor - 1))];
+      char const *yyprefix = yyexpecting;
+
+      /* Start YYX at -YYN if negative to avoid negative indexes in
+	 YYCHECK.  */
+      int yyxbegin = yyn < 0 ? -yyn : 0;
+
+      /* Stay within bounds of both yycheck and yytname.  */
+      int yychecklim = YYLAST - yyn + 1;
+      int yyxend = yychecklim < YYNTOKENS ? yychecklim : YYNTOKENS;
+      int yycount = 1;
+
+      yyarg[0] = yytname[yytype];
+      yyfmt = yystpcpy (yyformat, yyunexpected);
+
+      for (yyx = yyxbegin; yyx < yyxend; ++yyx)
+	if (yycheck[yyx + yyn] == yyx && yyx != YYTERROR)
+	  {
+	    if (yycount == YYERROR_VERBOSE_ARGS_MAXIMUM)
+	      {
+		yycount = 1;
+		yysize = yysize0;
+		yyformat[sizeof yyunexpected - 1] = '\0';
+		break;
+	      }
+	    yyarg[yycount++] = yytname[yyx];
+	    yysize1 = yysize + yytnamerr (0, yytname[yyx]);
+	    yysize_overflow |= (yysize1 < yysize);
+	    yysize = yysize1;
+	    yyfmt = yystpcpy (yyfmt, yyprefix);
+	    yyprefix = yyor;
+	  }
+
+      yyf = YY_(yyformat);
+      yysize1 = yysize + yystrlen (yyf);
+      yysize_overflow |= (yysize1 < yysize);
+      yysize = yysize1;
+
+      if (yysize_overflow)
+	return YYSIZE_MAXIMUM;
+
+      if (yyresult)
+	{
+	  /* Avoid sprintf, as that infringes on the user's name space.
+	     Don't have undefined behavior even if the translation
+	     produced a string with the wrong number of "%s"s.  */
+	  char *yyp = yyresult;
+	  int yyi = 0;
+	  while ((*yyp = *yyf) != '\0')
+	    {
+	      if (*yyp == '%' && yyf[1] == 's' && yyi < yycount)
+		{
+		  yyp += yytnamerr (yyp, yyarg[yyi++]);
+		  yyf += 2;
+		}
+	      else
+		{
+		  yyp++;
+		  yyf++;
+		}
+	    }
+	}
+      return yysize;
+    }
+}
+#endif /* YYERROR_VERBOSE */
+
+
+/*-----------------------------------------------.
+| Release the memory associated to this symbol.  |
+`-----------------------------------------------*/
+
+/*ARGSUSED*/
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+static void
+yydestruct (const char *yymsg, int yytype, YYSTYPE *yyvaluep)
+#else
+static void
+yydestruct (yymsg, yytype, yyvaluep)
+    const char *yymsg;
+    int yytype;
+    YYSTYPE *yyvaluep;
+#endif
+{
+  YYUSE (yyvaluep);
+
+  if (!yymsg)
+    yymsg = "Deleting";
+  YY_SYMBOL_PRINT (yymsg, yytype, yyvaluep, yylocationp);
+
+  switch (yytype)
+    {
+
+      default:
+	break;
+    }
+}
+
+
+/* Prevent warnings from -Wmissing-prototypes.  */
+
+#ifdef YYPARSE_PARAM
+#if defined __STDC__ || defined __cplusplus
+int yyparse (void *YYPARSE_PARAM);
+#else
+int yyparse ();
+#endif
+#else /* ! YYPARSE_PARAM */
+#if defined __STDC__ || defined __cplusplus
+int yyparse (void);
+#else
+int yyparse ();
+#endif
+#endif /* ! YYPARSE_PARAM */
+
+
+
+/* The look-ahead symbol.  */
+int yychar;
+
+/* The semantic value of the look-ahead symbol.  */
+YYSTYPE yylval;
+
+/* Number of syntax errors so far.  */
+int yynerrs;
+
+
+
+/*----------.
+| yyparse.  |
+`----------*/
+
+#ifdef YYPARSE_PARAM
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+int
+yyparse (void *YYPARSE_PARAM)
+#else
+int
+yyparse (YYPARSE_PARAM)
+    void *YYPARSE_PARAM;
+#endif
+#else /* ! YYPARSE_PARAM */
+#if (defined __STDC__ || defined __C99__FUNC__ \
+     || defined __cplusplus || defined _MSC_VER)
+int
+yyparse (void)
+#else
+int
+yyparse ()
+
+#endif
+#endif
+{
+  
+  int yystate;
+  int yyn;
+  int yyresult;
+  /* Number of tokens to shift before error messages enabled.  */
+  int yyerrstatus;
+  /* Look-ahead token as an internal (translated) token number.  */
+  int yytoken = 0;
+#if YYERROR_VERBOSE
+  /* Buffer for error messages, and its allocated size.  */
+  char yymsgbuf[128];
+  char *yymsg = yymsgbuf;
+  YYSIZE_T yymsg_alloc = sizeof yymsgbuf;
+#endif
+
+  /* Three stacks and their tools:
+     `yyss': related to states,
+     `yyvs': related to semantic values,
+     `yyls': related to locations.
+
+     Refer to the stacks thru separate pointers, to allow yyoverflow
+     to reallocate them elsewhere.  */
+
+  /* The state stack.  */
+  yytype_int16 yyssa[YYINITDEPTH];
+  yytype_int16 *yyss = yyssa;
+  yytype_int16 *yyssp;
+
+  /* The semantic value stack.  */
+  YYSTYPE yyvsa[YYINITDEPTH];
+  YYSTYPE *yyvs = yyvsa;
+  YYSTYPE *yyvsp;
+
+
+
+#define YYPOPSTACK(N)   (yyvsp -= (N), yyssp -= (N))
+
+  YYSIZE_T yystacksize = YYINITDEPTH;
+
+  /* The variables used to return semantic value and location from the
+     action routines.  */
+  YYSTYPE yyval;
+
+
+  /* The number of symbols on the RHS of the reduced rule.
+     Keep to zero when no symbol should be popped.  */
+  int yylen = 0;
+
+  YYDPRINTF ((stderr, "Starting parse\n"));
+
+  yystate = 0;
+  yyerrstatus = 0;
+  yynerrs = 0;
+  yychar = YYEMPTY;		/* Cause a token to be read.  */
+
+  /* Initialize stack pointers.
+     Waste one element of value and location stack
+     so that they stay on the same level as the state stack.
+     The wasted elements are never initialized.  */
+
+  yyssp = yyss;
+  yyvsp = yyvs;
+
+  goto yysetstate;
+
+/*------------------------------------------------------------.
+| yynewstate -- Push a new state, which is found in yystate.  |
+`------------------------------------------------------------*/
+ yynewstate:
+  /* In all cases, when you get here, the value and location stacks
+     have just been pushed.  So pushing a state here evens the stacks.  */
+  yyssp++;
+
+ yysetstate:
+  *yyssp = yystate;
+
+  if (yyss + yystacksize - 1 <= yyssp)
+    {
+      /* Get the current used size of the three stacks, in elements.  */
+      YYSIZE_T yysize = yyssp - yyss + 1;
+
+#ifdef yyoverflow
+      {
+	/* Give user a chance to reallocate the stack.  Use copies of
+	   these so that the &'s don't force the real ones into
+	   memory.  */
+	YYSTYPE *yyvs1 = yyvs;
+	yytype_int16 *yyss1 = yyss;
+
+
+	/* Each stack pointer address is followed by the size of the
+	   data in use in that stack, in bytes.  This used to be a
+	   conditional around just the two extra args, but that might
+	   be undefined if yyoverflow is a macro.  */
+	yyoverflow (YY_("memory exhausted"),
+		    &yyss1, yysize * sizeof (*yyssp),
+		    &yyvs1, yysize * sizeof (*yyvsp),
+
+		    &yystacksize);
+
+	yyss = yyss1;
+	yyvs = yyvs1;
+      }
+#else /* no yyoverflow */
+# ifndef YYSTACK_RELOCATE
+      goto yyexhaustedlab;
+# else
+      /* Extend the stack our own way.  */
+      if (YYMAXDEPTH <= yystacksize)
+	goto yyexhaustedlab;
+      yystacksize *= 2;
+      if (YYMAXDEPTH < yystacksize)
+	yystacksize = YYMAXDEPTH;
+
+      {
+	yytype_int16 *yyss1 = yyss;
+	union yyalloc *yyptr =
+	  (union yyalloc *) YYSTACK_ALLOC (YYSTACK_BYTES (yystacksize));
+	if (! yyptr)
+	  goto yyexhaustedlab;
+	YYSTACK_RELOCATE (yyss);
+	YYSTACK_RELOCATE (yyvs);
+
+#  undef YYSTACK_RELOCATE
+	if (yyss1 != yyssa)
+	  YYSTACK_FREE (yyss1);
+      }
+# endif
+#endif /* no yyoverflow */
+
+      yyssp = yyss + yysize - 1;
+      yyvsp = yyvs + yysize - 1;
+
+
+      YYDPRINTF ((stderr, "Stack size increased to %lu\n",
+		  (unsigned long int) yystacksize));
+
+      if (yyss + yystacksize - 1 <= yyssp)
+	YYABORT;
+    }
+
+  YYDPRINTF ((stderr, "Entering state %d\n", yystate));
+
+  goto yybackup;
+
+/*-----------.
+| yybackup.  |
+`-----------*/
+yybackup:
+
+  /* Do appropriate processing given the current state.  Read a
+     look-ahead token if we need one and don't already have one.  */
+
+  /* First try to decide what to do without reference to look-ahead token.  */
+  yyn = yypact[yystate];
+  if (yyn == YYPACT_NINF)
+    goto yydefault;
+
+  /* Not known => get a look-ahead token if don't already have one.  */
+
+  /* YYCHAR is either YYEMPTY or YYEOF or a valid look-ahead symbol.  */
+  if (yychar == YYEMPTY)
+    {
+      YYDPRINTF ((stderr, "Reading a token: "));
+      yychar = YYLEX;
+    }
+
+  if (yychar <= YYEOF)
+    {
+      yychar = yytoken = YYEOF;
+      YYDPRINTF ((stderr, "Now at end of input.\n"));
+    }
+  else
+    {
+      yytoken = YYTRANSLATE (yychar);
+      YY_SYMBOL_PRINT ("Next token is", yytoken, &yylval, &yylloc);
+    }
+
+  /* If the proper action on seeing token YYTOKEN is to reduce or to
+     detect an error, take that action.  */
+  yyn += yytoken;
+  if (yyn < 0 || YYLAST < yyn || yycheck[yyn] != yytoken)
+    goto yydefault;
+  yyn = yytable[yyn];
+  if (yyn <= 0)
+    {
+      if (yyn == 0 || yyn == YYTABLE_NINF)
+	goto yyerrlab;
+      yyn = -yyn;
+      goto yyreduce;
+    }
+
+  if (yyn == YYFINAL)
+    YYACCEPT;
+
+  /* Count tokens shifted since error; after three, turn off error
+     status.  */
+  if (yyerrstatus)
+    yyerrstatus--;
+
+  /* Shift the look-ahead token.  */
+  YY_SYMBOL_PRINT ("Shifting", yytoken, &yylval, &yylloc);
+
+  /* Discard the shifted token unless it is eof.  */
+  if (yychar != YYEOF)
+    yychar = YYEMPTY;
+
+  yystate = yyn;
+  *++yyvsp = yylval;
+
+  goto yynewstate;
+
+
+/*-----------------------------------------------------------.
+| yydefault -- do the default action for the current state.  |
+`-----------------------------------------------------------*/
+yydefault:
+  yyn = yydefact[yystate];
+  if (yyn == 0)
+    goto yyerrlab;
+  goto yyreduce;
+
+
+/*-----------------------------.
+| yyreduce -- Do a reduction.  |
+`-----------------------------*/
+yyreduce:
+  /* yyn is the number of a rule to reduce with.  */
+  yylen = yyr2[yyn];
+
+  /* If YYLEN is nonzero, implement the default value of the action:
+     `$$ = $1'.
+
+     Otherwise, the following line sets YYVAL to garbage.
+     This behavior is undocumented and Bison
+     users should not rely upon it.  Assigning to YYVAL
+     unconditionally makes the parser a bit smaller, and it avoids a
+     GCC warning that YYVAL may be used uninitialized.  */
+  yyval = yyvsp[1-yylen];
+
+
+  YY_REDUCE_PRINT (yyn);
+  switch (yyn)
+    {
+        case 2:
+#line 68 "slc-gram.y"
+    {
+			assignment = (yyvsp[(1) - (1)].assignment);
+		}
+    break;
+
+  case 3:
+#line 74 "slc-gram.y"
+    {
+			(yyvsp[(1) - (2)].assignment)->next = (yyvsp[(2) - (2)].assignment);
+			(yyval.assignment) = (yyvsp[(1) - (2)].assignment);
+		}
+    break;
+
+  case 5:
+#line 82 "slc-gram.y"
+    {
+			(yyval.assignment) = malloc(sizeof(*(yyval.assignment)));
+			(yyval.assignment)->name = (yyvsp[(1) - (3)].string);
+			(yyval.assignment)->type = a_value;
+			(yyval.assignment)->lineno = lineno;
+			(yyval.assignment)->u.value = (yyvsp[(3) - (3)].string);
+			(yyval.assignment)->next = NULL;
+		}
+    break;
+
+  case 6:
+#line 91 "slc-gram.y"
+    {
+			(yyval.assignment) = malloc(sizeof(*(yyval.assignment)));
+			(yyval.assignment)->name = (yyvsp[(1) - (5)].string);
+			(yyval.assignment)->type = a_assignment;
+			(yyval.assignment)->lineno = lineno;
+			(yyval.assignment)->u.assignment = (yyvsp[(4) - (5)].assignment);
+			(yyval.assignment)->next = NULL;
+		}
+    break;
+
+
+/* Line 1267 of yacc.c.  */
+#line 1397 "slc-gram.c"
+      default: break;
+    }
+  YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
+
+  YYPOPSTACK (yylen);
+  yylen = 0;
+  YY_STACK_PRINT (yyss, yyssp);
+
+  *++yyvsp = yyval;
+
+
+  /* Now `shift' the result of the reduction.  Determine what state
+     that goes to, based on the state we popped back to and the rule
+     number reduced by.  */
+
+  yyn = yyr1[yyn];
+
+  yystate = yypgoto[yyn - YYNTOKENS] + *yyssp;
+  if (0 <= yystate && yystate <= YYLAST && yycheck[yystate] == *yyssp)
+    yystate = yytable[yystate];
+  else
+    yystate = yydefgoto[yyn - YYNTOKENS];
+
+  goto yynewstate;
+
+
+/*------------------------------------.
+| yyerrlab -- here on detecting error |
+`------------------------------------*/
+yyerrlab:
+  /* If not already recovering from an error, report this error.  */
+  if (!yyerrstatus)
+    {
+      ++yynerrs;
+#if ! YYERROR_VERBOSE
+      yyerror (YY_("syntax error"));
+#else
+      {
+	YYSIZE_T yysize = yysyntax_error (0, yystate, yychar);
+	if (yymsg_alloc < yysize && yymsg_alloc < YYSTACK_ALLOC_MAXIMUM)
+	  {
+	    YYSIZE_T yyalloc = 2 * yysize;
+	    if (! (yysize <= yyalloc && yyalloc <= YYSTACK_ALLOC_MAXIMUM))
+	      yyalloc = YYSTACK_ALLOC_MAXIMUM;
+	    if (yymsg != yymsgbuf)
+	      YYSTACK_FREE (yymsg);
+	    yymsg = (char *) YYSTACK_ALLOC (yyalloc);
+	    if (yymsg)
+	      yymsg_alloc = yyalloc;
+	    else
+	      {
+		yymsg = yymsgbuf;
+		yymsg_alloc = sizeof yymsgbuf;
+	      }
+	  }
+
+	if (0 < yysize && yysize <= yymsg_alloc)
+	  {
+	    (void) yysyntax_error (yymsg, yystate, yychar);
+	    yyerror (yymsg);
+	  }
+	else
+	  {
+	    yyerror (YY_("syntax error"));
+	    if (yysize != 0)
+	      goto yyexhaustedlab;
+	  }
+      }
+#endif
+    }
+
+
+
+  if (yyerrstatus == 3)
+    {
+      /* If just tried and failed to reuse look-ahead token after an
+	 error, discard it.  */
+
+      if (yychar <= YYEOF)
+	{
+	  /* Return failure if at end of input.  */
+	  if (yychar == YYEOF)
+	    YYABORT;
+	}
+      else
+	{
+	  yydestruct ("Error: discarding",
+		      yytoken, &yylval);
+	  yychar = YYEMPTY;
+	}
+    }
+
+  /* Else will try to reuse look-ahead token after shifting the error
+     token.  */
+  goto yyerrlab1;
+
+
+/*---------------------------------------------------.
+| yyerrorlab -- error raised explicitly by YYERROR.  |
+`---------------------------------------------------*/
+yyerrorlab:
+
+  /* Pacify compilers like GCC when the user code never invokes
+     YYERROR and the label yyerrorlab therefore never appears in user
+     code.  */
+  if (/*CONSTCOND*/ 0)
+     goto yyerrorlab;
+
+  /* Do not reclaim the symbols of the rule which action triggered
+     this YYERROR.  */
+  YYPOPSTACK (yylen);
+  yylen = 0;
+  YY_STACK_PRINT (yyss, yyssp);
+  yystate = *yyssp;
+  goto yyerrlab1;
+
+
+/*-------------------------------------------------------------.
+| yyerrlab1 -- common code for both syntax error and YYERROR.  |
+`-------------------------------------------------------------*/
+yyerrlab1:
+  yyerrstatus = 3;	/* Each real token shifted decrements this.  */
+
+  for (;;)
+    {
+      yyn = yypact[yystate];
+      if (yyn != YYPACT_NINF)
+	{
+	  yyn += YYTERROR;
+	  if (0 <= yyn && yyn <= YYLAST && yycheck[yyn] == YYTERROR)
+	    {
+	      yyn = yytable[yyn];
+	      if (0 < yyn)
+		break;
+	    }
+	}
+
+      /* Pop the current state because it cannot handle the error token.  */
+      if (yyssp == yyss)
+	YYABORT;
+
+
+      yydestruct ("Error: popping",
+		  yystos[yystate], yyvsp);
+      YYPOPSTACK (1);
+      yystate = *yyssp;
+      YY_STACK_PRINT (yyss, yyssp);
+    }
+
+  if (yyn == YYFINAL)
+    YYACCEPT;
+
+  *++yyvsp = yylval;
+
+
+  /* Shift the error token.  */
+  YY_SYMBOL_PRINT ("Shifting", yystos[yyn], yyvsp, yylsp);
+
+  yystate = yyn;
+  goto yynewstate;
+
+
+/*-------------------------------------.
+| yyacceptlab -- YYACCEPT comes here.  |
+`-------------------------------------*/
+yyacceptlab:
+  yyresult = 0;
+  goto yyreturn;
+
+/*-----------------------------------.
+| yyabortlab -- YYABORT comes here.  |
+`-----------------------------------*/
+yyabortlab:
+  yyresult = 1;
+  goto yyreturn;
+
+#ifndef yyoverflow
+/*-------------------------------------------------.
+| yyexhaustedlab -- memory exhaustion comes here.  |
+`-------------------------------------------------*/
+yyexhaustedlab:
+  yyerror (YY_("memory exhausted"));
+  yyresult = 2;
+  /* Fall through.  */
+#endif
+
+yyreturn:
+  if (yychar != YYEOF && yychar != YYEMPTY)
+     yydestruct ("Cleanup: discarding lookahead",
+		 yytoken, &yylval);
+  /* Do not reclaim the symbols of the rule which action triggered
+     this YYABORT or YYACCEPT.  */
+  YYPOPSTACK (yylen);
+  YY_STACK_PRINT (yyss, yyssp);
+  while (yyssp != yyss)
+    {
+      yydestruct ("Cleanup: popping",
+		  yystos[*yyssp], yyvsp);
+      YYPOPSTACK (1);
+    }
+#ifndef yyoverflow
+  if (yyss != yyssa)
+    YYSTACK_FREE (yyss);
+#endif
+#if YYERROR_VERBOSE
+  if (yymsg != yymsgbuf)
+    YYSTACK_FREE (yymsg);
+#endif
+  /* Make sure YYID is used.  */
+  return YYID (yyresult);
+}
+
+
+#line 101 "slc-gram.y"
+
+char *filename;
+FILE *cfile, *hfile;
+int error_flag;
+struct assignment *assignment;
+
+
+static void
+ex(struct assignment *a, const char *fmt, ...)
+{
+    va_list ap;
+    fprintf(stderr, "%s:%d: ", a->name, a->lineno);
+    va_start(ap, fmt);
+    vfprintf(stderr, fmt, ap);
+    va_end(ap);
+    fprintf(stderr, "\n");
+}
+
+
+
+static int
+check_option(struct assignment *as)
+{
+    struct assignment *a;
+    int seen_long = 0;
+    int seen_short = 0;
+    int seen_type = 0;
+    int seen_argument = 0;
+    int seen_help = 0;
+    int seen_default = 0;
+    int ret = 0;
+
+    for(a = as; a != NULL; a = a->next) {
+	if(strcmp(a->name, "long") == 0)
+	    seen_long++;
+	else if(strcmp(a->name, "short") == 0)
+	    seen_short++;
+	else if(strcmp(a->name, "type") == 0)
+	    seen_type++;
+	else if(strcmp(a->name, "argument") == 0)
+	    seen_argument++;
+	else if(strcmp(a->name, "help") == 0)
+	    seen_help++;
+	else if(strcmp(a->name, "default") == 0)
+	    seen_default++;
+	else {
+	    ex(a, "unknown name");
+	    ret++;
+	}
+    }
+    if(seen_long == 0 && seen_short == 0) {
+	ex(as, "neither long nor short option");
+	ret++;
+    }
+    if(seen_long > 1) {
+	ex(as, "multiple long options");
+	ret++;
+    }
+    if(seen_short > 1) {
+	ex(as, "multiple short options");
+	ret++;
+    }
+    if(seen_type > 1) {
+	ex(as, "multiple types");
+	ret++;
+    }
+    if(seen_argument > 1) {
+	ex(as, "multiple arguments");
+	ret++;
+    }
+    if(seen_help > 1) {
+	ex(as, "multiple help strings");
+	ret++;
+    }
+    if(seen_default > 1) {
+	ex(as, "multiple default values");
+	ret++;
+    }
+    return ret;
+}
+
+static int
+check_command(struct assignment *as)
+{
+	struct assignment *a;
+	int seen_name = 0;
+	int seen_function = 0;
+	int seen_help = 0;
+	int seen_argument = 0;
+	int seen_minargs = 0;
+	int seen_maxargs = 0;
+	int ret = 0;
+	for(a = as; a != NULL; a = a->next) {
+		if(strcmp(a->name, "name") == 0)
+			seen_name++;
+		else if(strcmp(a->name, "function") == 0) {
+			seen_function++;
+		} else if(strcmp(a->name, "option") == 0)
+			ret += check_option(a->u.assignment);
+		else if(strcmp(a->name, "help") == 0) {
+			seen_help++;
+		} else if(strcmp(a->name, "argument") == 0) {
+			seen_argument++;
+		} else if(strcmp(a->name, "min_args") == 0) {
+			seen_minargs++;
+		} else if(strcmp(a->name, "max_args") == 0) {
+			seen_maxargs++;
+		} else {
+			ex(a, "unknown name");
+			ret++;
+		}
+	}
+	if(seen_name == 0) {
+		ex(as, "no command name");
+		ret++;
+	}
+	if(seen_function > 1) {
+		ex(as, "multiple function names");
+		ret++;
+	}
+	if(seen_help > 1) {
+		ex(as, "multiple help strings");
+		ret++;
+	}
+	if(seen_argument > 1) {
+		ex(as, "multiple argument strings");
+		ret++;
+	}
+	if(seen_minargs > 1) {
+		ex(as, "multiple min_args strings");
+		ret++;
+	}
+	if(seen_maxargs > 1) {
+		ex(as, "multiple max_args strings");
+		ret++;
+	}
+	
+	return ret;
+}
+
+static int
+check(struct assignment *as)
+{
+    struct assignment *a;
+    int ret = 0;
+    for(a = as; a != NULL; a = a->next) {
+	if(strcmp(a->name, "command")) {
+	    fprintf(stderr, "unknown type %s line %d\n", a->name, a->lineno);
+	    ret++;
+	    continue;
+	}
+	if(a->type != a_assignment) {
+	    fprintf(stderr, "bad command definition %s line %d\n", a->name, a->lineno);
+	    ret++;
+	    continue;
+	}
+	ret += check_command(a->u.assignment);
+    }
+    return ret;
+}
+
+static struct assignment *
+find_next(struct assignment *as, const char *name)
+{
+    for(as = as->next; as != NULL; as = as->next) {
+	if(strcmp(as->name, name) == 0)
+	    return as;
+    }
+    return NULL;
+}
+
+static struct assignment *
+find(struct assignment *as, const char *name)
+{
+    for(; as != NULL; as = as->next) {
+	if(strcmp(as->name, name) == 0)
+	    return as;
+    }
+    return NULL;
+}
+
+static void
+space(FILE *f, int level)
+{
+    fprintf(f, "%*.*s", level * 4, level * 4, " ");
+}
+
+static void
+cprint(int level, const char *fmt, ...)
+{
+    va_list ap;
+    va_start(ap, fmt);
+    space(cfile, level);
+    vfprintf(cfile, fmt, ap);
+    va_end(ap);
+}
+
+static void
+hprint(int level, const char *fmt, ...)
+{
+    va_list ap;
+    va_start(ap, fmt);
+    space(hfile, level);
+    vfprintf(hfile, fmt, ap);
+    va_end(ap);
+}
+
+static void gen_name(char *str);
+
+static void
+gen_command(struct assignment *as)
+{
+    struct assignment *a, *b;
+    char *f;
+    a = find(as, "name");
+    f = strdup(a->u.value);
+    gen_name(f);
+    cprint(1, "    { ");
+    fprintf(cfile, "\"%s\", ", a->u.value);
+    fprintf(cfile, "%s_wrap, ", f);
+    b = find(as, "argument");
+    if(b)
+	fprintf(cfile, "\"%s %s\", ", a->u.value, b->u.value);
+    else
+	fprintf(cfile, "\"%s\", ", a->u.value);
+    b = find(as, "help");
+    if(b)
+	fprintf(cfile, "\"%s\"", b->u.value);
+    else
+	fprintf(cfile, "NULL");
+    fprintf(cfile, " },\n");
+    for(a = a->next; a != NULL; a = a->next)
+	if(strcmp(a->name, "name") == 0)
+	    cprint(1, "    { \"%s\" },\n", a->u.value);
+    cprint(0, "\n");
+}
+
+static void
+gen_name(char *str)
+{
+    char *p;
+    for(p = str; *p != '\0'; p++)
+	if(!isalnum((unsigned char)*p))
+	    *p = '_';
+}
+
+static char *
+make_name(struct assignment *as)
+{
+    struct assignment *lopt;
+    struct assignment *type;
+    char *s;
+
+    lopt = find(as, "long");
+    if(lopt == NULL)
+	lopt = find(as, "name");
+    if(lopt == NULL)
+	return NULL;
+    
+    type = find(as, "type");
+    if(strcmp(type->u.value, "-flag") == 0)
+	asprintf(&s, "%s_flag", lopt->u.value);
+    else
+	asprintf(&s, "%s_%s", lopt->u.value, type->u.value);
+    gen_name(s);
+    return s;
+}
+
+
+static void defval_int(const char *name, struct assignment *defval)
+{
+    if(defval != NULL)
+	cprint(1, "opt.%s = %s;\n", name, defval->u.value);
+    else
+	cprint(1, "opt.%s = 0;\n", name);
+}
+static void defval_string(const char *name, struct assignment *defval) 
+{
+    if(defval != NULL)
+	cprint(1, "opt.%s = \"%s\";\n", name, defval->u.value);
+    else
+	cprint(1, "opt.%s = NULL;\n", name);
+}
+static void defval_strings(const char *name, struct assignment *defval)
+{
+    cprint(1, "opt.%s.num_strings = 0;\n", name);
+    cprint(1, "opt.%s.strings = NULL;\n", name);
+}
+
+static void free_strings(const char *name)
+{
+    cprint(1, "free_getarg_strings (&opt.%s);\n", name);
+}
+
+struct type_handler {
+    const char *typename;
+    const char *c_type;
+    const char *getarg_type;
+    void (*defval)(const char*, struct assignment*);
+    void (*free)(const char*);
+} type_handlers[] = {
+	{ "integer",
+	  "int",
+	  "arg_integer",
+	  defval_int,
+	  NULL
+	},
+	{ "string",
+	  "char*",
+	  "arg_string",
+	  defval_string,
+	  NULL
+	},
+	{ "strings",
+	  "struct getarg_strings",
+	  "arg_strings",
+	  defval_strings,
+	  free_strings
+	},
+	{ "flag",
+	  "int",
+	  "arg_flag",
+	  defval_int,
+	  NULL
+	},
+	{ "-flag",
+	  "int",
+	  "arg_negative_flag",
+	  defval_int,
+	  NULL
+	},
+	{ NULL }
+};
+
+static struct type_handler *find_handler(struct assignment *type)
+{
+    struct type_handler *th;
+    for(th = type_handlers; th->typename != NULL; th++)
+	if(strcmp(type->u.value, th->typename) == 0)
+	    return th;
+    ex(type, "unknown type \"%s\"", type->u.value);
+    exit(1);
+}
+
+static void
+gen_options(struct assignment *opt1, const char *name)
+{
+    struct assignment *tmp;
+
+    hprint(0, "struct %s_options {\n", name);
+
+    for(tmp = opt1; 
+	tmp != NULL; 
+	tmp = find_next(tmp, "option")) {
+	struct assignment *type;
+	struct type_handler *th;
+	char *s;
+	
+	s = make_name(tmp->u.assignment);
+	type = find(tmp->u.assignment, "type");
+	th = find_handler(type);
+	hprint(1, "%s %s;\n", th->c_type, s);
+	free(s);
+    }
+    hprint(0, "};\n");
+}
+
+static void
+gen_wrapper(struct assignment *as)
+{
+    struct assignment *name;
+    struct assignment *arg;
+    struct assignment *opt1;
+    struct assignment *function;
+    struct assignment *tmp;
+    char *n, *f;
+    int nargs = 0;
+
+    name = find(as, "name");
+    n = strdup(name->u.value);
+    gen_name(n);
+    arg = find(as, "argument");
+    opt1 = find(as, "option");
+    function = find(as, "function");
+    if(function)
+	f = function->u.value;
+    else
+	f = n;
+    
+       
+    if(opt1 != NULL) {
+	gen_options(opt1, n);
+	hprint(0, "int %s(struct %s_options*, int, char **);\n", f, n);
+    } else {
+	hprint(0, "int %s(void*, int, char **);\n", f);
+    }
+
+    fprintf(cfile, "static int\n");
+    fprintf(cfile, "%s_wrap(int argc, char **argv)\n", n);
+    fprintf(cfile, "{\n");
+    if(opt1 != NULL)
+	cprint(1, "struct %s_options opt;\n", n);
+    cprint(1, "int ret;\n");
+    cprint(1, "int optidx = 0;\n");
+    cprint(1, "struct getargs args[] = {\n");
+    for(tmp = find(as, "option"); 
+	tmp != NULL; 
+	tmp = find_next(tmp, "option")) {
+	struct assignment *type = find(tmp->u.assignment, "type");
+	struct assignment *lopt = find(tmp->u.assignment, "long");
+	struct assignment *sopt = find(tmp->u.assignment, "short");
+	struct assignment *aarg = find(tmp->u.assignment, "argument");
+	struct assignment *help = find(tmp->u.assignment, "help");
+
+	struct type_handler *th;
+	
+	cprint(2, "{ ");
+	if(lopt)
+	    fprintf(cfile, "\"%s\", ", lopt->u.value);
+	else
+	    fprintf(cfile, "NULL, ");
+	if(sopt)
+	    fprintf(cfile, "'%c', ", *sopt->u.value);
+	else
+	    fprintf(cfile, "0, ");
+	th = find_handler(type);
+	fprintf(cfile, "%s, ", th->getarg_type);
+	fprintf(cfile, "NULL, ");
+	if(help)
+	    fprintf(cfile, "\"%s\", ", help->u.value);
+	else
+	    fprintf(cfile, "NULL, ");
+	if(aarg)
+	    fprintf(cfile, "\"%s\"", aarg->u.value);
+	else
+	    fprintf(cfile, "NULL");
+	fprintf(cfile, " },\n");
+    }
+    cprint(2, "{ \"help\", 'h', arg_flag, NULL, NULL, NULL }\n");
+    cprint(1, "};\n");
+    cprint(1, "int help_flag = 0;\n");
+
+    for(tmp = find(as, "option"); 
+	tmp != NULL; 
+	tmp = find_next(tmp, "option")) {
+	char *s;
+	struct assignment *type = find(tmp->u.assignment, "type");
+
+	struct assignment *defval = find(tmp->u.assignment, "default");
+
+	struct type_handler *th;
+	
+	s = make_name(tmp->u.assignment);
+	th = find_handler(type);
+	(*th->defval)(s, defval);
+	free(s);
+    }
+
+    for(tmp = find(as, "option"); 
+	tmp != NULL; 
+	tmp = find_next(tmp, "option")) {
+	char *s;
+	s = make_name(tmp->u.assignment);
+	cprint(1, "args[%d].value = &opt.%s;\n", nargs++, s);
+	free(s);
+    }
+    cprint(1, "args[%d].value = &help_flag;\n", nargs++);
+    cprint(1, "if(getarg(args, %d, argc, argv, &optidx))\n", nargs);
+    cprint(2, "goto usage;\n");
+
+    {
+	int min_args = -1;
+	int max_args = -1;
+	char *end;
+	if(arg == NULL) {
+	    max_args = 0;
+	} else {
+	    if((tmp = find(as, "min_args")) != NULL) {
+		min_args = strtol(tmp->u.value, &end, 0);
+		if(*end != '\0') {
+		    ex(tmp, "min_args is not numeric");
+		    exit(1);
+		}
+		if(min_args < 0) {
+		    ex(tmp, "min_args must be non-negative");
+		    exit(1);
+		}
+	    }
+	    if((tmp = find(as, "max_args")) != NULL) {
+		max_args = strtol(tmp->u.value, &end, 0);
+		if(*end != '\0') {
+		    ex(tmp, "max_args is not numeric");
+		    exit(1);
+		}
+		if(max_args < 0) {
+		    ex(tmp, "max_args must be non-negative");
+		    exit(1);
+		}
+	    }
+	}
+	if(min_args != -1 || max_args != -1) {
+	    if(min_args == max_args) {
+		cprint(1, "if(argc - optidx != %d) {\n", 
+		       min_args);
+		cprint(2, "fprintf(stderr, \"Need exactly %u parameters (%%u given).\\n\\n\", argc - optidx);\n", min_args);
+		cprint(2, "goto usage;\n");
+		cprint(1, "}\n");
+	    } else {
+		if(max_args != -1) {
+		    cprint(1, "if(argc - optidx > %d) {\n", max_args);
+		    cprint(2, "fprintf(stderr, \"Arguments given (%%u) are more than expected (%u).\\n\\n\", argc - optidx);\n", max_args);
+		    cprint(2, "goto usage;\n");
+		    cprint(1, "}\n");
+		}
+		if(min_args != -1) {
+		    cprint(1, "if(argc - optidx < %d) {\n", min_args);
+		    cprint(2, "fprintf(stderr, \"Arguments given (%%u) are less than expected (%u).\\n\\n\", argc - optidx);\n", min_args);
+		    cprint(2, "goto usage;\n");
+		    cprint(1, "}\n");
+		}
+	    }
+	}
+    }
+    
+    cprint(1, "if(help_flag)\n");
+    cprint(2, "goto usage;\n");
+
+    cprint(1, "ret = %s(%s, argc - optidx, argv + optidx);\n", 
+	   f, opt1 ? "&opt": "NULL");
+    
+    /* free allocated data */
+    for(tmp = find(as, "option"); 
+	tmp != NULL; 
+	tmp = find_next(tmp, "option")) {
+	char *s;
+	struct assignment *type = find(tmp->u.assignment, "type");
+	struct type_handler *th;
+	th = find_handler(type);
+	if(th->free == NULL)
+	    continue;
+	s = make_name(tmp->u.assignment);
+	(*th->free)(s);
+	free(s);
+    }
+    cprint(1, "return ret;\n");
+
+    cprint(0, "usage:\n");
+    cprint(1, "arg_printusage (args, %d, \"%s\", \"%s\");\n", nargs, 
+	   name->u.value, arg ? arg->u.value : "");
+    /* free allocated data */
+    for(tmp = find(as, "option"); 
+	tmp != NULL; 
+	tmp = find_next(tmp, "option")) {
+	char *s;
+	struct assignment *type = find(tmp->u.assignment, "type");
+	struct type_handler *th;
+	th = find_handler(type);
+	if(th->free == NULL)
+	    continue;
+	s = make_name(tmp->u.assignment);
+	(*th->free)(s);
+	free(s);
+    }
+    cprint(1, "return 0;\n");
+    cprint(0, "}\n");
+    cprint(0, "\n");
+}
+
+char cname[PATH_MAX];
+char hname[PATH_MAX];
+
+static void
+gen(struct assignment *as)
+{
+    struct assignment *a;
+    cprint(0, "#include <stdio.h>\n");
+    cprint(0, "#include <getarg.h>\n");
+    cprint(0, "#include <sl.h>\n");
+    cprint(0, "#include \"%s\"\n\n", hname);
+
+    hprint(0, "#include <stdio.h>\n");
+    hprint(0, "#include <sl.h>\n");
+    hprint(0, "\n");
+
+
+    for(a = as; a != NULL; a = a->next)
+	gen_wrapper(a->u.assignment);
+
+    cprint(0, "SL_cmd commands[] = {\n");
+    for(a = as; a != NULL; a = a->next)
+	gen_command(a->u.assignment);
+    cprint(1, "{ NULL }\n");
+    cprint(0, "};\n");
+
+    hprint(0, "extern SL_cmd commands[];\n");
+}
+
+int version_flag;
+int help_flag;
+struct getargs args[] = {
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int code)
+{
+    arg_printusage(args, num_args, NULL, "command-table");
+    exit(code);
+}
+
+int
+main(int argc, char **argv)
+{
+    char *p;
+
+    int optidx = 0;
+
+    setprogname(argv[0]);
+    if(getarg(args, num_args, argc, argv, &optidx))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    
+    if(argc == optidx)
+	usage(1);
+
+    filename = argv[optidx];
+    yyin = fopen(filename, "r");
+    if(yyin == NULL)
+	err(1, "%s", filename);
+    p = strrchr(filename, '/');
+    if(p)
+	strlcpy(cname, p + 1, sizeof(cname));
+    else
+	strlcpy(cname, filename, sizeof(cname));
+    p = strrchr(cname, '.');
+    if(p)
+	*p = '\0';
+    strlcpy(hname, cname, sizeof(hname));
+    strlcat(cname, ".c", sizeof(cname));
+    strlcat(hname, ".h", sizeof(hname));
+    yyparse();
+    if(error_flag)
+	exit(1);
+    if(check(assignment) == 0) {
+	cfile = fopen(cname, "w");
+	if(cfile == NULL)
+	  err(1, "%s", cname);
+	hfile = fopen(hname, "w");
+	if(hfile == NULL)
+	  err(1, "%s", hname);
+	gen(assignment);
+	fclose(cfile);
+	fclose(hfile);
+    }
+    fclose(yyin);
+    return 0;
+}
+
diff --git a/crypto/heimdal/lib/sl/slc-gram.h b/crypto/heimdal/lib/sl/slc-gram.h
new file mode 100644
index 0000000..1d50c2a
--- /dev/null
+++ b/crypto/heimdal/lib/sl/slc-gram.h
@@ -0,0 +1,69 @@
+/* A Bison parser, made by GNU Bison 2.3.  */
+
+/* Skeleton interface for Bison's Yacc-like parsers in C
+
+   Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
+   Free Software Foundation, Inc.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2, or (at your option)
+   any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin Street, Fifth Floor,
+   Boston, MA 02110-1301, USA.  */
+
+/* As a special exception, you may create a larger work that contains
+   part or all of the Bison parser skeleton and distribute that work
+   under terms of your choice, so long as that work isn't itself a
+   parser generator using the skeleton or a modified version thereof
+   as a parser skeleton.  Alternatively, if you modify or redistribute
+   the parser skeleton itself, you may (at your option) remove this
+   special exception, which will cause the skeleton and the resulting
+   Bison output files to be licensed under the GNU General Public
+   License without this special exception.
+
+   This special exception was added by the Free Software Foundation in
+   version 2.2 of Bison.  */
+
+/* Tokens.  */
+#ifndef YYTOKENTYPE
+# define YYTOKENTYPE
+   /* Put the tokens into the symbol table, so that GDB and other debuggers
+      know about them.  */
+   enum yytokentype {
+     LITERAL = 258,
+     STRING = 259
+   };
+#endif
+/* Tokens.  */
+#define LITERAL 258
+#define STRING 259
+
+
+
+
+#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
+typedef union YYSTYPE
+#line 54 "slc-gram.y"
+{
+	char *string;
+	struct assignment *assignment;
+}
+/* Line 1529 of yacc.c.  */
+#line 62 "slc-gram.h"
+	YYSTYPE;
+# define yystype YYSTYPE /* obsolescent; will be withdrawn */
+# define YYSTYPE_IS_DECLARED 1
+# define YYSTYPE_IS_TRIVIAL 1
+#endif
+
+extern YYSTYPE yylval;
+
diff --git a/crypto/heimdal/lib/sl/slc-gram.y b/crypto/heimdal/lib/sl/slc-gram.y
new file mode 100644
index 0000000..7d9fadc
--- /dev/null
+++ b/crypto/heimdal/lib/sl/slc-gram.y
@@ -0,0 +1,764 @@
+%{
+/*
+ * Copyright (c) 2004-2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: slc-gram.y 20767 2007-06-01 11:24:52Z lha $");
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <err.h>
+#include <ctype.h>
+#include <limits.h>
+#include <getarg.h>
+#include <vers.h>
+#include <roken.h>
+
+#include "slc.h"
+extern FILE *yyin;
+extern struct assignment *assignment;
+%}
+
+%union {
+	char *string;
+	struct assignment *assignment;
+}
+
+%token <string> LITERAL
+%token <string> STRING
+%type <assignment> assignment assignments
+
+%start start
+
+%%
+
+start		: assignments
+		{
+			assignment = $1;
+		}
+		;
+
+assignments	: assignment assignments
+		{
+			$1->next = $2;
+			$$ = $1;
+		}
+		| assignment
+		;
+
+assignment	: LITERAL '=' STRING
+		{
+			$$ = malloc(sizeof(*$$));
+			$$->name = $1;
+			$$->type = a_value;
+			$$->lineno = lineno;
+			$$->u.value = $3;
+			$$->next = NULL;
+		}
+		| LITERAL '=' '{' assignments '}'
+		{
+			$$ = malloc(sizeof(*$$));
+			$$->name = $1;
+			$$->type = a_assignment;
+			$$->lineno = lineno;
+			$$->u.assignment = $4;
+			$$->next = NULL;
+		}
+		;
+
+%%
+char *filename;
+FILE *cfile, *hfile;
+int error_flag;
+struct assignment *assignment;
+
+
+static void
+ex(struct assignment *a, const char *fmt, ...)
+{
+    va_list ap;
+    fprintf(stderr, "%s:%d: ", a->name, a->lineno);
+    va_start(ap, fmt);
+    vfprintf(stderr, fmt, ap);
+    va_end(ap);
+    fprintf(stderr, "\n");
+}
+
+
+
+static int
+check_option(struct assignment *as)
+{
+    struct assignment *a;
+    int seen_long = 0;
+    int seen_short = 0;
+    int seen_type = 0;
+    int seen_argument = 0;
+    int seen_help = 0;
+    int seen_default = 0;
+    int ret = 0;
+
+    for(a = as; a != NULL; a = a->next) {
+	if(strcmp(a->name, "long") == 0)
+	    seen_long++;
+	else if(strcmp(a->name, "short") == 0)
+	    seen_short++;
+	else if(strcmp(a->name, "type") == 0)
+	    seen_type++;
+	else if(strcmp(a->name, "argument") == 0)
+	    seen_argument++;
+	else if(strcmp(a->name, "help") == 0)
+	    seen_help++;
+	else if(strcmp(a->name, "default") == 0)
+	    seen_default++;
+	else {
+	    ex(a, "unknown name");
+	    ret++;
+	}
+    }
+    if(seen_long == 0 && seen_short == 0) {
+	ex(as, "neither long nor short option");
+	ret++;
+    }
+    if(seen_long > 1) {
+	ex(as, "multiple long options");
+	ret++;
+    }
+    if(seen_short > 1) {
+	ex(as, "multiple short options");
+	ret++;
+    }
+    if(seen_type > 1) {
+	ex(as, "multiple types");
+	ret++;
+    }
+    if(seen_argument > 1) {
+	ex(as, "multiple arguments");
+	ret++;
+    }
+    if(seen_help > 1) {
+	ex(as, "multiple help strings");
+	ret++;
+    }
+    if(seen_default > 1) {
+	ex(as, "multiple default values");
+	ret++;
+    }
+    return ret;
+}
+
+static int
+check_command(struct assignment *as)
+{
+	struct assignment *a;
+	int seen_name = 0;
+	int seen_function = 0;
+	int seen_help = 0;
+	int seen_argument = 0;
+	int seen_minargs = 0;
+	int seen_maxargs = 0;
+	int ret = 0;
+	for(a = as; a != NULL; a = a->next) {
+		if(strcmp(a->name, "name") == 0)
+			seen_name++;
+		else if(strcmp(a->name, "function") == 0) {
+			seen_function++;
+		} else if(strcmp(a->name, "option") == 0)
+			ret += check_option(a->u.assignment);
+		else if(strcmp(a->name, "help") == 0) {
+			seen_help++;
+		} else if(strcmp(a->name, "argument") == 0) {
+			seen_argument++;
+		} else if(strcmp(a->name, "min_args") == 0) {
+			seen_minargs++;
+		} else if(strcmp(a->name, "max_args") == 0) {
+			seen_maxargs++;
+		} else {
+			ex(a, "unknown name");
+			ret++;
+		}
+	}
+	if(seen_name == 0) {
+		ex(as, "no command name");
+		ret++;
+	}
+	if(seen_function > 1) {
+		ex(as, "multiple function names");
+		ret++;
+	}
+	if(seen_help > 1) {
+		ex(as, "multiple help strings");
+		ret++;
+	}
+	if(seen_argument > 1) {
+		ex(as, "multiple argument strings");
+		ret++;
+	}
+	if(seen_minargs > 1) {
+		ex(as, "multiple min_args strings");
+		ret++;
+	}
+	if(seen_maxargs > 1) {
+		ex(as, "multiple max_args strings");
+		ret++;
+	}
+	
+	return ret;
+}
+
+static int
+check(struct assignment *as)
+{
+    struct assignment *a;
+    int ret = 0;
+    for(a = as; a != NULL; a = a->next) {
+	if(strcmp(a->name, "command")) {
+	    fprintf(stderr, "unknown type %s line %d\n", a->name, a->lineno);
+	    ret++;
+	    continue;
+	}
+	if(a->type != a_assignment) {
+	    fprintf(stderr, "bad command definition %s line %d\n", a->name, a->lineno);
+	    ret++;
+	    continue;
+	}
+	ret += check_command(a->u.assignment);
+    }
+    return ret;
+}
+
+static struct assignment *
+find_next(struct assignment *as, const char *name)
+{
+    for(as = as->next; as != NULL; as = as->next) {
+	if(strcmp(as->name, name) == 0)
+	    return as;
+    }
+    return NULL;
+}
+
+static struct assignment *
+find(struct assignment *as, const char *name)
+{
+    for(; as != NULL; as = as->next) {
+	if(strcmp(as->name, name) == 0)
+	    return as;
+    }
+    return NULL;
+}
+
+static void
+space(FILE *f, int level)
+{
+    fprintf(f, "%*.*s", level * 4, level * 4, " ");
+}
+
+static void
+cprint(int level, const char *fmt, ...)
+{
+    va_list ap;
+    va_start(ap, fmt);
+    space(cfile, level);
+    vfprintf(cfile, fmt, ap);
+    va_end(ap);
+}
+
+static void
+hprint(int level, const char *fmt, ...)
+{
+    va_list ap;
+    va_start(ap, fmt);
+    space(hfile, level);
+    vfprintf(hfile, fmt, ap);
+    va_end(ap);
+}
+
+static void gen_name(char *str);
+
+static void
+gen_command(struct assignment *as)
+{
+    struct assignment *a, *b;
+    char *f;
+    a = find(as, "name");
+    f = strdup(a->u.value);
+    gen_name(f);
+    cprint(1, "    { ");
+    fprintf(cfile, "\"%s\", ", a->u.value);
+    fprintf(cfile, "%s_wrap, ", f);
+    b = find(as, "argument");
+    if(b)
+	fprintf(cfile, "\"%s %s\", ", a->u.value, b->u.value);
+    else
+	fprintf(cfile, "\"%s\", ", a->u.value);
+    b = find(as, "help");
+    if(b)
+	fprintf(cfile, "\"%s\"", b->u.value);
+    else
+	fprintf(cfile, "NULL");
+    fprintf(cfile, " },\n");
+    for(a = a->next; a != NULL; a = a->next)
+	if(strcmp(a->name, "name") == 0)
+	    cprint(1, "    { \"%s\" },\n", a->u.value);
+    cprint(0, "\n");
+}
+
+static void
+gen_name(char *str)
+{
+    char *p;
+    for(p = str; *p != '\0'; p++)
+	if(!isalnum((unsigned char)*p))
+	    *p = '_';
+}
+
+static char *
+make_name(struct assignment *as)
+{
+    struct assignment *lopt;
+    struct assignment *type;
+    char *s;
+
+    lopt = find(as, "long");
+    if(lopt == NULL)
+	lopt = find(as, "name");
+    if(lopt == NULL)
+	return NULL;
+    
+    type = find(as, "type");
+    if(strcmp(type->u.value, "-flag") == 0)
+	asprintf(&s, "%s_flag", lopt->u.value);
+    else
+	asprintf(&s, "%s_%s", lopt->u.value, type->u.value);
+    gen_name(s);
+    return s;
+}
+
+
+static void defval_int(const char *name, struct assignment *defval)
+{
+    if(defval != NULL)
+	cprint(1, "opt.%s = %s;\n", name, defval->u.value);
+    else
+	cprint(1, "opt.%s = 0;\n", name);
+}
+static void defval_string(const char *name, struct assignment *defval) 
+{
+    if(defval != NULL)
+	cprint(1, "opt.%s = \"%s\";\n", name, defval->u.value);
+    else
+	cprint(1, "opt.%s = NULL;\n", name);
+}
+static void defval_strings(const char *name, struct assignment *defval)
+{
+    cprint(1, "opt.%s.num_strings = 0;\n", name);
+    cprint(1, "opt.%s.strings = NULL;\n", name);
+}
+
+static void free_strings(const char *name)
+{
+    cprint(1, "free_getarg_strings (&opt.%s);\n", name);
+}
+
+struct type_handler {
+    const char *typename;
+    const char *c_type;
+    const char *getarg_type;
+    void (*defval)(const char*, struct assignment*);
+    void (*free)(const char*);
+} type_handlers[] = {
+	{ "integer",
+	  "int",
+	  "arg_integer",
+	  defval_int,
+	  NULL
+	},
+	{ "string",
+	  "char*",
+	  "arg_string",
+	  defval_string,
+	  NULL
+	},
+	{ "strings",
+	  "struct getarg_strings",
+	  "arg_strings",
+	  defval_strings,
+	  free_strings
+	},
+	{ "flag",
+	  "int",
+	  "arg_flag",
+	  defval_int,
+	  NULL
+	},
+	{ "-flag",
+	  "int",
+	  "arg_negative_flag",
+	  defval_int,
+	  NULL
+	},
+	{ NULL }
+};
+
+static struct type_handler *find_handler(struct assignment *type)
+{
+    struct type_handler *th;
+    for(th = type_handlers; th->typename != NULL; th++)
+	if(strcmp(type->u.value, th->typename) == 0)
+	    return th;
+    ex(type, "unknown type \"%s\"", type->u.value);
+    exit(1);
+}
+
+static void
+gen_options(struct assignment *opt1, const char *name)
+{
+    struct assignment *tmp;
+
+    hprint(0, "struct %s_options {\n", name);
+
+    for(tmp = opt1; 
+	tmp != NULL; 
+	tmp = find_next(tmp, "option")) {
+	struct assignment *type;
+	struct type_handler *th;
+	char *s;
+	
+	s = make_name(tmp->u.assignment);
+	type = find(tmp->u.assignment, "type");
+	th = find_handler(type);
+	hprint(1, "%s %s;\n", th->c_type, s);
+	free(s);
+    }
+    hprint(0, "};\n");
+}
+
+static void
+gen_wrapper(struct assignment *as)
+{
+    struct assignment *name;
+    struct assignment *arg;
+    struct assignment *opt1;
+    struct assignment *function;
+    struct assignment *tmp;
+    char *n, *f;
+    int nargs = 0;
+
+    name = find(as, "name");
+    n = strdup(name->u.value);
+    gen_name(n);
+    arg = find(as, "argument");
+    opt1 = find(as, "option");
+    function = find(as, "function");
+    if(function)
+	f = function->u.value;
+    else
+	f = n;
+    
+       
+    if(opt1 != NULL) {
+	gen_options(opt1, n);
+	hprint(0, "int %s(struct %s_options*, int, char **);\n", f, n);
+    } else {
+	hprint(0, "int %s(void*, int, char **);\n", f);
+    }
+
+    fprintf(cfile, "static int\n");
+    fprintf(cfile, "%s_wrap(int argc, char **argv)\n", n);
+    fprintf(cfile, "{\n");
+    if(opt1 != NULL)
+	cprint(1, "struct %s_options opt;\n", n);
+    cprint(1, "int ret;\n");
+    cprint(1, "int optidx = 0;\n");
+    cprint(1, "struct getargs args[] = {\n");
+    for(tmp = find(as, "option"); 
+	tmp != NULL; 
+	tmp = find_next(tmp, "option")) {
+	struct assignment *type = find(tmp->u.assignment, "type");
+	struct assignment *lopt = find(tmp->u.assignment, "long");
+	struct assignment *sopt = find(tmp->u.assignment, "short");
+	struct assignment *aarg = find(tmp->u.assignment, "argument");
+	struct assignment *help = find(tmp->u.assignment, "help");
+
+	struct type_handler *th;
+	
+	cprint(2, "{ ");
+	if(lopt)
+	    fprintf(cfile, "\"%s\", ", lopt->u.value);
+	else
+	    fprintf(cfile, "NULL, ");
+	if(sopt)
+	    fprintf(cfile, "'%c', ", *sopt->u.value);
+	else
+	    fprintf(cfile, "0, ");
+	th = find_handler(type);
+	fprintf(cfile, "%s, ", th->getarg_type);
+	fprintf(cfile, "NULL, ");
+	if(help)
+	    fprintf(cfile, "\"%s\", ", help->u.value);
+	else
+	    fprintf(cfile, "NULL, ");
+	if(aarg)
+	    fprintf(cfile, "\"%s\"", aarg->u.value);
+	else
+	    fprintf(cfile, "NULL");
+	fprintf(cfile, " },\n");
+    }
+    cprint(2, "{ \"help\", 'h', arg_flag, NULL, NULL, NULL }\n");
+    cprint(1, "};\n");
+    cprint(1, "int help_flag = 0;\n");
+
+    for(tmp = find(as, "option"); 
+	tmp != NULL; 
+	tmp = find_next(tmp, "option")) {
+	char *s;
+	struct assignment *type = find(tmp->u.assignment, "type");
+
+	struct assignment *defval = find(tmp->u.assignment, "default");
+
+	struct type_handler *th;
+	
+	s = make_name(tmp->u.assignment);
+	th = find_handler(type);
+	(*th->defval)(s, defval);
+	free(s);
+    }
+
+    for(tmp = find(as, "option"); 
+	tmp != NULL; 
+	tmp = find_next(tmp, "option")) {
+	char *s;
+	s = make_name(tmp->u.assignment);
+	cprint(1, "args[%d].value = &opt.%s;\n", nargs++, s);
+	free(s);
+    }
+    cprint(1, "args[%d].value = &help_flag;\n", nargs++);
+    cprint(1, "if(getarg(args, %d, argc, argv, &optidx))\n", nargs);
+    cprint(2, "goto usage;\n");
+
+    {
+	int min_args = -1;
+	int max_args = -1;
+	char *end;
+	if(arg == NULL) {
+	    max_args = 0;
+	} else {
+	    if((tmp = find(as, "min_args")) != NULL) {
+		min_args = strtol(tmp->u.value, &end, 0);
+		if(*end != '\0') {
+		    ex(tmp, "min_args is not numeric");
+		    exit(1);
+		}
+		if(min_args < 0) {
+		    ex(tmp, "min_args must be non-negative");
+		    exit(1);
+		}
+	    }
+	    if((tmp = find(as, "max_args")) != NULL) {
+		max_args = strtol(tmp->u.value, &end, 0);
+		if(*end != '\0') {
+		    ex(tmp, "max_args is not numeric");
+		    exit(1);
+		}
+		if(max_args < 0) {
+		    ex(tmp, "max_args must be non-negative");
+		    exit(1);
+		}
+	    }
+	}
+	if(min_args != -1 || max_args != -1) {
+	    if(min_args == max_args) {
+		cprint(1, "if(argc - optidx != %d) {\n", 
+		       min_args);
+		cprint(2, "fprintf(stderr, \"Need exactly %u parameters (%%u given).\\n\\n\", argc - optidx);\n", min_args);
+		cprint(2, "goto usage;\n");
+		cprint(1, "}\n");
+	    } else {
+		if(max_args != -1) {
+		    cprint(1, "if(argc - optidx > %d) {\n", max_args);
+		    cprint(2, "fprintf(stderr, \"Arguments given (%%u) are more than expected (%u).\\n\\n\", argc - optidx);\n", max_args);
+		    cprint(2, "goto usage;\n");
+		    cprint(1, "}\n");
+		}
+		if(min_args != -1) {
+		    cprint(1, "if(argc - optidx < %d) {\n", min_args);
+		    cprint(2, "fprintf(stderr, \"Arguments given (%%u) are less than expected (%u).\\n\\n\", argc - optidx);\n", min_args);
+		    cprint(2, "goto usage;\n");
+		    cprint(1, "}\n");
+		}
+	    }
+	}
+    }
+    
+    cprint(1, "if(help_flag)\n");
+    cprint(2, "goto usage;\n");
+
+    cprint(1, "ret = %s(%s, argc - optidx, argv + optidx);\n", 
+	   f, opt1 ? "&opt": "NULL");
+    
+    /* free allocated data */
+    for(tmp = find(as, "option"); 
+	tmp != NULL; 
+	tmp = find_next(tmp, "option")) {
+	char *s;
+	struct assignment *type = find(tmp->u.assignment, "type");
+	struct type_handler *th;
+	th = find_handler(type);
+	if(th->free == NULL)
+	    continue;
+	s = make_name(tmp->u.assignment);
+	(*th->free)(s);
+	free(s);
+    }
+    cprint(1, "return ret;\n");
+
+    cprint(0, "usage:\n");
+    cprint(1, "arg_printusage (args, %d, \"%s\", \"%s\");\n", nargs, 
+	   name->u.value, arg ? arg->u.value : "");
+    /* free allocated data */
+    for(tmp = find(as, "option"); 
+	tmp != NULL; 
+	tmp = find_next(tmp, "option")) {
+	char *s;
+	struct assignment *type = find(tmp->u.assignment, "type");
+	struct type_handler *th;
+	th = find_handler(type);
+	if(th->free == NULL)
+	    continue;
+	s = make_name(tmp->u.assignment);
+	(*th->free)(s);
+	free(s);
+    }
+    cprint(1, "return 0;\n");
+    cprint(0, "}\n");
+    cprint(0, "\n");
+}
+
+char cname[PATH_MAX];
+char hname[PATH_MAX];
+
+static void
+gen(struct assignment *as)
+{
+    struct assignment *a;
+    cprint(0, "#include <stdio.h>\n");
+    cprint(0, "#include <getarg.h>\n");
+    cprint(0, "#include <sl.h>\n");
+    cprint(0, "#include \"%s\"\n\n", hname);
+
+    hprint(0, "#include <stdio.h>\n");
+    hprint(0, "#include <sl.h>\n");
+    hprint(0, "\n");
+
+
+    for(a = as; a != NULL; a = a->next)
+	gen_wrapper(a->u.assignment);
+
+    cprint(0, "SL_cmd commands[] = {\n");
+    for(a = as; a != NULL; a = a->next)
+	gen_command(a->u.assignment);
+    cprint(1, "{ NULL }\n");
+    cprint(0, "};\n");
+
+    hprint(0, "extern SL_cmd commands[];\n");
+}
+
+int version_flag;
+int help_flag;
+struct getargs args[] = {
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int code)
+{
+    arg_printusage(args, num_args, NULL, "command-table");
+    exit(code);
+}
+
+int
+main(int argc, char **argv)
+{
+    char *p;
+
+    int optidx = 0;
+
+    setprogname(argv[0]);
+    if(getarg(args, num_args, argc, argv, &optidx))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    
+    if(argc == optidx)
+	usage(1);
+
+    filename = argv[optidx];
+    yyin = fopen(filename, "r");
+    if(yyin == NULL)
+	err(1, "%s", filename);
+    p = strrchr(filename, '/');
+    if(p)
+	strlcpy(cname, p + 1, sizeof(cname));
+    else
+	strlcpy(cname, filename, sizeof(cname));
+    p = strrchr(cname, '.');
+    if(p)
+	*p = '\0';
+    strlcpy(hname, cname, sizeof(hname));
+    strlcat(cname, ".c", sizeof(cname));
+    strlcat(hname, ".h", sizeof(hname));
+    yyparse();
+    if(error_flag)
+	exit(1);
+    if(check(assignment) == 0) {
+	cfile = fopen(cname, "w");
+	if(cfile == NULL)
+	  err(1, "%s", cname);
+	hfile = fopen(hname, "w");
+	if(hfile == NULL)
+	  err(1, "%s", hname);
+	gen(assignment);
+	fclose(cfile);
+	fclose(hfile);
+    }
+    fclose(yyin);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/sl/slc-lex.c b/crypto/heimdal/lib/sl/slc-lex.c
new file mode 100644
index 0000000..d89b39c
--- /dev/null
+++ b/crypto/heimdal/lib/sl/slc-lex.c
@@ -0,0 +1,1877 @@
+
+#line 3 "slc-lex.c"
+
+#define  YY_INT_ALIGNED short int
+
+/* A lexical scanner generated by flex */
+
+#define FLEX_SCANNER
+#define YY_FLEX_MAJOR_VERSION 2
+#define YY_FLEX_MINOR_VERSION 5
+#define YY_FLEX_SUBMINOR_VERSION 33
+#if YY_FLEX_SUBMINOR_VERSION > 0
+#define FLEX_BETA
+#endif
+
+/* First, we deal with  platform-specific or compiler-specific issues. */
+
+/* begin standard C headers. */
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <stdlib.h>
+
+/* end standard C headers. */
+
+/* flex integer type definitions */
+
+#ifndef FLEXINT_H
+#define FLEXINT_H
+
+/* C99 systems have <inttypes.h>. Non-C99 systems may or may not. */
+
+#if __STDC_VERSION__ >= 199901L
+
+/* C99 says to define __STDC_LIMIT_MACROS before including stdint.h,
+ * if you want the limit (max/min) macros for int types. 
+ */
+#ifndef __STDC_LIMIT_MACROS
+#define __STDC_LIMIT_MACROS 1
+#endif
+
+#include <inttypes.h>
+typedef int8_t flex_int8_t;
+typedef uint8_t flex_uint8_t;
+typedef int16_t flex_int16_t;
+typedef uint16_t flex_uint16_t;
+typedef int32_t flex_int32_t;
+typedef uint32_t flex_uint32_t;
+#else
+typedef signed char flex_int8_t;
+typedef short int flex_int16_t;
+typedef int flex_int32_t;
+typedef unsigned char flex_uint8_t; 
+typedef unsigned short int flex_uint16_t;
+typedef unsigned int flex_uint32_t;
+#endif /* ! C99 */
+
+/* Limits of integral types. */
+#ifndef INT8_MIN
+#define INT8_MIN               (-128)
+#endif
+#ifndef INT16_MIN
+#define INT16_MIN              (-32767-1)
+#endif
+#ifndef INT32_MIN
+#define INT32_MIN              (-2147483647-1)
+#endif
+#ifndef INT8_MAX
+#define INT8_MAX               (127)
+#endif
+#ifndef INT16_MAX
+#define INT16_MAX              (32767)
+#endif
+#ifndef INT32_MAX
+#define INT32_MAX              (2147483647)
+#endif
+#ifndef UINT8_MAX
+#define UINT8_MAX              (255U)
+#endif
+#ifndef UINT16_MAX
+#define UINT16_MAX             (65535U)
+#endif
+#ifndef UINT32_MAX
+#define UINT32_MAX             (4294967295U)
+#endif
+
+#endif /* ! FLEXINT_H */
+
+#ifdef __cplusplus
+
+/* The "const" storage-class-modifier is valid. */
+#define YY_USE_CONST
+
+#else	/* ! __cplusplus */
+
+#if __STDC__
+
+#define YY_USE_CONST
+
+#endif	/* __STDC__ */
+#endif	/* ! __cplusplus */
+
+#ifdef YY_USE_CONST
+#define yyconst const
+#else
+#define yyconst
+#endif
+
+/* Returned upon end-of-file. */
+#define YY_NULL 0
+
+/* Promotes a possibly negative, possibly signed char to an unsigned
+ * integer for use as an array index.  If the signed char is negative,
+ * we want to instead treat it as an 8-bit unsigned char, hence the
+ * double cast.
+ */
+#define YY_SC_TO_UI(c) ((unsigned int) (unsigned char) c)
+
+/* Enter a start condition.  This macro really ought to take a parameter,
+ * but we do it the disgusting crufty way forced on us by the ()-less
+ * definition of BEGIN.
+ */
+#define BEGIN (yy_start) = 1 + 2 *
+
+/* Translate the current start state into a value that can be later handed
+ * to BEGIN to return to the state.  The YYSTATE alias is for lex
+ * compatibility.
+ */
+#define YY_START (((yy_start) - 1) / 2)
+#define YYSTATE YY_START
+
+/* Action number for EOF rule of a given start state. */
+#define YY_STATE_EOF(state) (YY_END_OF_BUFFER + state + 1)
+
+/* Special action meaning "start processing a new file". */
+#define YY_NEW_FILE yyrestart(yyin  )
+
+#define YY_END_OF_BUFFER_CHAR 0
+
+/* Size of default input buffer. */
+#ifndef YY_BUF_SIZE
+#define YY_BUF_SIZE 16384
+#endif
+
+/* The state buf must be large enough to hold one state per character in the main buffer.
+ */
+#define YY_STATE_BUF_SIZE   ((YY_BUF_SIZE + 2) * sizeof(yy_state_type))
+
+#ifndef YY_TYPEDEF_YY_BUFFER_STATE
+#define YY_TYPEDEF_YY_BUFFER_STATE
+typedef struct yy_buffer_state *YY_BUFFER_STATE;
+#endif
+
+extern int yyleng;
+
+extern FILE *yyin, *yyout;
+
+#define EOB_ACT_CONTINUE_SCAN 0
+#define EOB_ACT_END_OF_FILE 1
+#define EOB_ACT_LAST_MATCH 2
+
+    #define YY_LESS_LINENO(n)
+    
+/* Return all but the first "n" matched characters back to the input stream. */
+#define yyless(n) \
+	do \
+		{ \
+		/* Undo effects of setting up yytext. */ \
+        int yyless_macro_arg = (n); \
+        YY_LESS_LINENO(yyless_macro_arg);\
+		*yy_cp = (yy_hold_char); \
+		YY_RESTORE_YY_MORE_OFFSET \
+		(yy_c_buf_p) = yy_cp = yy_bp + yyless_macro_arg - YY_MORE_ADJ; \
+		YY_DO_BEFORE_ACTION; /* set up yytext again */ \
+		} \
+	while ( 0 )
+
+#define unput(c) yyunput( c, (yytext_ptr)  )
+
+/* The following is because we cannot portably get our hands on size_t
+ * (without autoconf's help, which isn't available because we want
+ * flex-generated scanners to compile on their own).
+ */
+
+#ifndef YY_TYPEDEF_YY_SIZE_T
+#define YY_TYPEDEF_YY_SIZE_T
+typedef unsigned int yy_size_t;
+#endif
+
+#ifndef YY_STRUCT_YY_BUFFER_STATE
+#define YY_STRUCT_YY_BUFFER_STATE
+struct yy_buffer_state
+	{
+	FILE *yy_input_file;
+
+	char *yy_ch_buf;		/* input buffer */
+	char *yy_buf_pos;		/* current position in input buffer */
+
+	/* Size of input buffer in bytes, not including room for EOB
+	 * characters.
+	 */
+	yy_size_t yy_buf_size;
+
+	/* Number of characters read into yy_ch_buf, not including EOB
+	 * characters.
+	 */
+	int yy_n_chars;
+
+	/* Whether we "own" the buffer - i.e., we know we created it,
+	 * and can realloc() it to grow it, and should free() it to
+	 * delete it.
+	 */
+	int yy_is_our_buffer;
+
+	/* Whether this is an "interactive" input source; if so, and
+	 * if we're using stdio for input, then we want to use getc()
+	 * instead of fread(), to make sure we stop fetching input after
+	 * each newline.
+	 */
+	int yy_is_interactive;
+
+	/* Whether we're considered to be at the beginning of a line.
+	 * If so, '^' rules will be active on the next match, otherwise
+	 * not.
+	 */
+	int yy_at_bol;
+
+    int yy_bs_lineno; /**< The line count. */
+    int yy_bs_column; /**< The column count. */
+    
+	/* Whether to try to fill the input buffer when we reach the
+	 * end of it.
+	 */
+	int yy_fill_buffer;
+
+	int yy_buffer_status;
+
+#define YY_BUFFER_NEW 0
+#define YY_BUFFER_NORMAL 1
+	/* When an EOF's been seen but there's still some text to process
+	 * then we mark the buffer as YY_EOF_PENDING, to indicate that we
+	 * shouldn't try reading from the input source any more.  We might
+	 * still have a bunch of tokens to match, though, because of
+	 * possible backing-up.
+	 *
+	 * When we actually see the EOF, we change the status to "new"
+	 * (via yyrestart()), so that the user can continue scanning by
+	 * just pointing yyin at a new input file.
+	 */
+#define YY_BUFFER_EOF_PENDING 2
+
+	};
+#endif /* !YY_STRUCT_YY_BUFFER_STATE */
+
+/* Stack of input buffers. */
+static size_t yy_buffer_stack_top = 0; /**< index of top of stack. */
+static size_t yy_buffer_stack_max = 0; /**< capacity of stack. */
+static YY_BUFFER_STATE * yy_buffer_stack = 0; /**< Stack as an array. */
+
+/* We provide macros for accessing buffer states in case in the
+ * future we want to put the buffer states in a more general
+ * "scanner state".
+ *
+ * Returns the top of the stack, or NULL.
+ */
+#define YY_CURRENT_BUFFER ( (yy_buffer_stack) \
+                          ? (yy_buffer_stack)[(yy_buffer_stack_top)] \
+                          : NULL)
+
+/* Same as previous macro, but useful when we know that the buffer stack is not
+ * NULL or when we need an lvalue. For internal use only.
+ */
+#define YY_CURRENT_BUFFER_LVALUE (yy_buffer_stack)[(yy_buffer_stack_top)]
+
+/* yy_hold_char holds the character lost when yytext is formed. */
+static char yy_hold_char;
+static int yy_n_chars;		/* number of characters read into yy_ch_buf */
+int yyleng;
+
+/* Points to current character in buffer. */
+static char *yy_c_buf_p = (char *) 0;
+static int yy_init = 0;		/* whether we need to initialize */
+static int yy_start = 0;	/* start state number */
+
+/* Flag which is used to allow yywrap()'s to do buffer switches
+ * instead of setting up a fresh yyin.  A bit of a hack ...
+ */
+static int yy_did_buffer_switch_on_eof;
+
+void yyrestart (FILE *input_file  );
+void yy_switch_to_buffer (YY_BUFFER_STATE new_buffer  );
+YY_BUFFER_STATE yy_create_buffer (FILE *file,int size  );
+void yy_delete_buffer (YY_BUFFER_STATE b  );
+void yy_flush_buffer (YY_BUFFER_STATE b  );
+void yypush_buffer_state (YY_BUFFER_STATE new_buffer  );
+void yypop_buffer_state (void );
+
+static void yyensure_buffer_stack (void );
+static void yy_load_buffer_state (void );
+static void yy_init_buffer (YY_BUFFER_STATE b,FILE *file  );
+
+#define YY_FLUSH_BUFFER yy_flush_buffer(YY_CURRENT_BUFFER )
+
+YY_BUFFER_STATE yy_scan_buffer (char *base,yy_size_t size  );
+YY_BUFFER_STATE yy_scan_string (yyconst char *yy_str  );
+YY_BUFFER_STATE yy_scan_bytes (yyconst char *bytes,int len  );
+
+void *yyalloc (yy_size_t  );
+void *yyrealloc (void *,yy_size_t  );
+void yyfree (void *  );
+
+#define yy_new_buffer yy_create_buffer
+
+#define yy_set_interactive(is_interactive) \
+	{ \
+	if ( ! YY_CURRENT_BUFFER ){ \
+        yyensure_buffer_stack (); \
+		YY_CURRENT_BUFFER_LVALUE =    \
+            yy_create_buffer(yyin,YY_BUF_SIZE ); \
+	} \
+	YY_CURRENT_BUFFER_LVALUE->yy_is_interactive = is_interactive; \
+	}
+
+#define yy_set_bol(at_bol) \
+	{ \
+	if ( ! YY_CURRENT_BUFFER ){\
+        yyensure_buffer_stack (); \
+		YY_CURRENT_BUFFER_LVALUE =    \
+            yy_create_buffer(yyin,YY_BUF_SIZE ); \
+	} \
+	YY_CURRENT_BUFFER_LVALUE->yy_at_bol = at_bol; \
+	}
+
+#define YY_AT_BOL() (YY_CURRENT_BUFFER_LVALUE->yy_at_bol)
+
+/* Begin user sect3 */
+
+typedef unsigned char YY_CHAR;
+
+FILE *yyin = (FILE *) 0, *yyout = (FILE *) 0;
+
+typedef int yy_state_type;
+
+extern int yylineno;
+
+int yylineno = 1;
+
+extern char *yytext;
+#define yytext_ptr yytext
+
+static yy_state_type yy_get_previous_state (void );
+static yy_state_type yy_try_NUL_trans (yy_state_type current_state  );
+static int yy_get_next_buffer (void );
+static void yy_fatal_error (yyconst char msg[]  );
+
+/* Done after the current pattern has been matched and before the
+ * corresponding action - sets up yytext.
+ */
+#define YY_DO_BEFORE_ACTION \
+	(yytext_ptr) = yy_bp; \
+	yyleng = (size_t) (yy_cp - yy_bp); \
+	(yy_hold_char) = *yy_cp; \
+	*yy_cp = '\0'; \
+	(yy_c_buf_p) = yy_cp;
+
+#define YY_NUM_RULES 7
+#define YY_END_OF_BUFFER 8
+/* This struct is not used in this scanner,
+   but its presence is necessary. */
+struct yy_trans_info
+	{
+	flex_int32_t yy_verify;
+	flex_int32_t yy_nxt;
+	};
+static yyconst flex_int16_t yy_accept[14] =
+    {   0,
+        0,    0,    8,    7,    6,    3,    2,    7,    5,    1,
+        4,    1,    0
+    } ;
+
+static yyconst flex_int32_t yy_ec[256] =
+    {   0,
+        1,    1,    1,    1,    1,    1,    1,    1,    2,    3,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    2,    1,    4,    1,    1,    1,    1,    1,    1,
+        1,    5,    1,    1,    6,    1,    7,    6,    6,    6,
+        6,    6,    6,    6,    6,    6,    6,    1,    1,    1,
+        8,    1,    1,    1,    9,    9,    9,    9,    9,    9,
+        9,    9,    9,    9,    9,    9,    9,    9,    9,    9,
+        9,    9,    9,    9,    9,    9,    9,    9,    9,    9,
+        1,    1,    1,    1,    6,    1,    9,    9,    9,    9,
+
+        9,    9,    9,    9,    9,    9,    9,    9,    9,    9,
+        9,    9,    9,    9,    9,    9,    9,    9,    9,    9,
+        9,    9,    8,    1,    8,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1
+    } ;
+
+static yyconst flex_int32_t yy_meta[10] =
+    {   0,
+        1,    1,    1,    1,    1,    2,    1,    1,    2
+    } ;
+
+static yyconst flex_int16_t yy_base[15] =
+    {   0,
+        0,    0,   12,   13,   13,   13,   13,    6,   13,    0,
+       13,    0,   13,    8
+    } ;
+
+static yyconst flex_int16_t yy_def[15] =
+    {   0,
+       13,    1,   13,   13,   13,   13,   13,   13,   13,   14,
+       13,   14,    0,   13
+    } ;
+
+static yyconst flex_int16_t yy_nxt[23] =
+    {   0,
+        4,    5,    6,    7,    4,    4,    8,    9,   10,   12,
+       11,   13,    3,   13,   13,   13,   13,   13,   13,   13,
+       13,   13
+    } ;
+
+static yyconst flex_int16_t yy_chk[23] =
+    {   0,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,   14,
+        8,    3,   13,   13,   13,   13,   13,   13,   13,   13,
+       13,   13
+    } ;
+
+static yy_state_type yy_last_accepting_state;
+static char *yy_last_accepting_cpos;
+
+extern int yy_flex_debug;
+int yy_flex_debug = 0;
+
+/* The intent behind this definition is that it'll catch
+ * any uses of REJECT which flex missed.
+ */
+#define REJECT reject_used_but_not_detected
+#define yymore() yymore_used_but_not_detected
+#define YY_MORE_ADJ 0
+#define YY_RESTORE_YY_MORE_OFFSET
+char *yytext;
+#line 1 "slc-lex.l"
+#line 2 "slc-lex.l"
+/*
+ * Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: slc-lex.l 15118 2005-05-10 22:19:01Z lha $ */
+
+#undef ECHO
+
+#include <stdio.h>
+#include <string.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include "slc.h"
+#include "slc-gram.h"
+unsigned lineno = 1;
+
+static void handle_comment(void);
+static char * handle_string(void);
+
+#define YY_NO_UNPUT
+
+#undef ECHO
+
+#line 513 "slc-lex.c"
+
+#define INITIAL 0
+
+#ifndef YY_NO_UNISTD_H
+/* Special case for "unistd.h", since it is non-ANSI. We include it way
+ * down here because we want the user's section 1 to have been scanned first.
+ * The user has a chance to override it with an option.
+ */
+#include <unistd.h>
+#endif
+
+#ifndef YY_EXTRA_TYPE
+#define YY_EXTRA_TYPE void *
+#endif
+
+static int yy_init_globals (void );
+
+/* Macros after this point can all be overridden by user definitions in
+ * section 1.
+ */
+
+#ifndef YY_SKIP_YYWRAP
+#ifdef __cplusplus
+extern "C" int yywrap (void );
+#else
+extern int yywrap (void );
+#endif
+#endif
+
+    static void yyunput (int c,char *buf_ptr  );
+    
+#ifndef yytext_ptr
+static void yy_flex_strncpy (char *,yyconst char *,int );
+#endif
+
+#ifdef YY_NEED_STRLEN
+static int yy_flex_strlen (yyconst char * );
+#endif
+
+#ifndef YY_NO_INPUT
+
+#ifdef __cplusplus
+static int yyinput (void );
+#else
+static int input (void );
+#endif
+
+#endif
+
+/* Amount of stuff to slurp up with each read. */
+#ifndef YY_READ_BUF_SIZE
+#define YY_READ_BUF_SIZE 8192
+#endif
+
+/* Copy whatever the last rule matched to the standard output. */
+#ifndef ECHO
+/* This used to be an fputs(), but since the string might contain NUL's,
+ * we now use fwrite().
+ */
+#define ECHO (void) fwrite( yytext, yyleng, 1, yyout )
+#endif
+
+/* Gets input and stuffs it into "buf".  number of characters read, or YY_NULL,
+ * is returned in "result".
+ */
+#ifndef YY_INPUT
+#define YY_INPUT(buf,result,max_size) \
+	if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \
+		{ \
+		int c = '*'; \
+		size_t n; \
+		for ( n = 0; n < max_size && \
+			     (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
+			buf[n] = (char) c; \
+		if ( c == '\n' ) \
+			buf[n++] = (char) c; \
+		if ( c == EOF && ferror( yyin ) ) \
+			YY_FATAL_ERROR( "input in flex scanner failed" ); \
+		result = n; \
+		} \
+	else \
+		{ \
+		errno=0; \
+		while ( (result = fread(buf, 1, max_size, yyin))==0 && ferror(yyin)) \
+			{ \
+			if( errno != EINTR) \
+				{ \
+				YY_FATAL_ERROR( "input in flex scanner failed" ); \
+				break; \
+				} \
+			errno=0; \
+			clearerr(yyin); \
+			} \
+		}\
+\
+
+#endif
+
+/* No semi-colon after return; correct usage is to write "yyterminate();" -
+ * we don't want an extra ';' after the "return" because that will cause
+ * some compilers to complain about unreachable statements.
+ */
+#ifndef yyterminate
+#define yyterminate() return YY_NULL
+#endif
+
+/* Number of entries by which start-condition stack grows. */
+#ifndef YY_START_STACK_INCR
+#define YY_START_STACK_INCR 25
+#endif
+
+/* Report a fatal error. */
+#ifndef YY_FATAL_ERROR
+#define YY_FATAL_ERROR(msg) yy_fatal_error( msg )
+#endif
+
+/* end tables serialization structures and prototypes */
+
+/* Default declaration of generated scanner - a define so the user can
+ * easily add parameters.
+ */
+#ifndef YY_DECL
+#define YY_DECL_IS_OURS 1
+
+extern int yylex (void);
+
+#define YY_DECL int yylex (void)
+#endif /* !YY_DECL */
+
+/* Code executed at the beginning of each rule, after yytext and yyleng
+ * have been set up.
+ */
+#ifndef YY_USER_ACTION
+#define YY_USER_ACTION
+#endif
+
+/* Code executed at the end of each rule. */
+#ifndef YY_BREAK
+#define YY_BREAK break;
+#endif
+
+#define YY_RULE_SETUP \
+	YY_USER_ACTION
+
+/** The main scanner function which does all the work.
+ */
+YY_DECL
+{
+	register yy_state_type yy_current_state;
+	register char *yy_cp, *yy_bp;
+	register int yy_act;
+    
+#line 55 "slc-lex.l"
+
+#line 668 "slc-lex.c"
+
+	if ( !(yy_init) )
+		{
+		(yy_init) = 1;
+
+#ifdef YY_USER_INIT
+		YY_USER_INIT;
+#endif
+
+		if ( ! (yy_start) )
+			(yy_start) = 1;	/* first start state */
+
+		if ( ! yyin )
+			yyin = stdin;
+
+		if ( ! yyout )
+			yyout = stdout;
+
+		if ( ! YY_CURRENT_BUFFER ) {
+			yyensure_buffer_stack ();
+			YY_CURRENT_BUFFER_LVALUE =
+				yy_create_buffer(yyin,YY_BUF_SIZE );
+		}
+
+		yy_load_buffer_state( );
+		}
+
+	while ( 1 )		/* loops until end-of-file is reached */
+		{
+		yy_cp = (yy_c_buf_p);
+
+		/* Support of yytext. */
+		*yy_cp = (yy_hold_char);
+
+		/* yy_bp points to the position in yy_ch_buf of the start of
+		 * the current run.
+		 */
+		yy_bp = yy_cp;
+
+		yy_current_state = (yy_start);
+yy_match:
+		do
+			{
+			register YY_CHAR yy_c = yy_ec[YY_SC_TO_UI(*yy_cp)];
+			if ( yy_accept[yy_current_state] )
+				{
+				(yy_last_accepting_state) = yy_current_state;
+				(yy_last_accepting_cpos) = yy_cp;
+				}
+			while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
+				{
+				yy_current_state = (int) yy_def[yy_current_state];
+				if ( yy_current_state >= 14 )
+					yy_c = yy_meta[(unsigned int) yy_c];
+				}
+			yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+			++yy_cp;
+			}
+		while ( yy_base[yy_current_state] != 13 );
+
+yy_find_action:
+		yy_act = yy_accept[yy_current_state];
+		if ( yy_act == 0 )
+			{ /* have to back up */
+			yy_cp = (yy_last_accepting_cpos);
+			yy_current_state = (yy_last_accepting_state);
+			yy_act = yy_accept[yy_current_state];
+			}
+
+		YY_DO_BEFORE_ACTION;
+
+do_action:	/* This label is used only to access EOF actions. */
+
+		switch ( yy_act )
+	{ /* beginning of action switch */
+			case 0: /* must back up */
+			/* undo the effects of YY_DO_BEFORE_ACTION */
+			*yy_cp = (yy_hold_char);
+			yy_cp = (yy_last_accepting_cpos);
+			yy_current_state = (yy_last_accepting_state);
+			goto yy_find_action;
+
+case 1:
+YY_RULE_SETUP
+#line 56 "slc-lex.l"
+{
+			  yylval.string = strdup ((const char *)yytext);
+			  return LITERAL;
+			}
+	YY_BREAK
+case 2:
+YY_RULE_SETUP
+#line 60 "slc-lex.l"
+{ yylval.string = handle_string(); return STRING; }
+	YY_BREAK
+case 3:
+/* rule 3 can match eol */
+YY_RULE_SETUP
+#line 61 "slc-lex.l"
+{ ++lineno; }
+	YY_BREAK
+case 4:
+YY_RULE_SETUP
+#line 62 "slc-lex.l"
+{ handle_comment(); }
+	YY_BREAK
+case 5:
+YY_RULE_SETUP
+#line 63 "slc-lex.l"
+{ return *yytext; }
+	YY_BREAK
+case 6:
+YY_RULE_SETUP
+#line 64 "slc-lex.l"
+;
+	YY_BREAK
+case 7:
+YY_RULE_SETUP
+#line 65 "slc-lex.l"
+ECHO;
+	YY_BREAK
+#line 790 "slc-lex.c"
+case YY_STATE_EOF(INITIAL):
+	yyterminate();
+
+	case YY_END_OF_BUFFER:
+		{
+		/* Amount of text matched not including the EOB char. */
+		int yy_amount_of_matched_text = (int) (yy_cp - (yytext_ptr)) - 1;
+
+		/* Undo the effects of YY_DO_BEFORE_ACTION. */
+		*yy_cp = (yy_hold_char);
+		YY_RESTORE_YY_MORE_OFFSET
+
+		if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_NEW )
+			{
+			/* We're scanning a new file or input source.  It's
+			 * possible that this happened because the user
+			 * just pointed yyin at a new source and called
+			 * yylex().  If so, then we have to assure
+			 * consistency between YY_CURRENT_BUFFER and our
+			 * globals.  Here is the right place to do so, because
+			 * this is the first action (other than possibly a
+			 * back-up) that will match for the new input source.
+			 */
+			(yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_n_chars;
+			YY_CURRENT_BUFFER_LVALUE->yy_input_file = yyin;
+			YY_CURRENT_BUFFER_LVALUE->yy_buffer_status = YY_BUFFER_NORMAL;
+			}
+
+		/* Note that here we test for yy_c_buf_p "<=" to the position
+		 * of the first EOB in the buffer, since yy_c_buf_p will
+		 * already have been incremented past the NUL character
+		 * (since all states make transitions on EOB to the
+		 * end-of-buffer state).  Contrast this with the test
+		 * in input().
+		 */
+		if ( (yy_c_buf_p) <= &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] )
+			{ /* This was really a NUL. */
+			yy_state_type yy_next_state;
+
+			(yy_c_buf_p) = (yytext_ptr) + yy_amount_of_matched_text;
+
+			yy_current_state = yy_get_previous_state(  );
+
+			/* Okay, we're now positioned to make the NUL
+			 * transition.  We couldn't have
+			 * yy_get_previous_state() go ahead and do it
+			 * for us because it doesn't know how to deal
+			 * with the possibility of jamming (and we don't
+			 * want to build jamming into it because then it
+			 * will run more slowly).
+			 */
+
+			yy_next_state = yy_try_NUL_trans( yy_current_state );
+
+			yy_bp = (yytext_ptr) + YY_MORE_ADJ;
+
+			if ( yy_next_state )
+				{
+				/* Consume the NUL. */
+				yy_cp = ++(yy_c_buf_p);
+				yy_current_state = yy_next_state;
+				goto yy_match;
+				}
+
+			else
+				{
+				yy_cp = (yy_c_buf_p);
+				goto yy_find_action;
+				}
+			}
+
+		else switch ( yy_get_next_buffer(  ) )
+			{
+			case EOB_ACT_END_OF_FILE:
+				{
+				(yy_did_buffer_switch_on_eof) = 0;
+
+				if ( yywrap( ) )
+					{
+					/* Note: because we've taken care in
+					 * yy_get_next_buffer() to have set up
+					 * yytext, we can now set up
+					 * yy_c_buf_p so that if some total
+					 * hoser (like flex itself) wants to
+					 * call the scanner after we return the
+					 * YY_NULL, it'll still work - another
+					 * YY_NULL will get returned.
+					 */
+					(yy_c_buf_p) = (yytext_ptr) + YY_MORE_ADJ;
+
+					yy_act = YY_STATE_EOF(YY_START);
+					goto do_action;
+					}
+
+				else
+					{
+					if ( ! (yy_did_buffer_switch_on_eof) )
+						YY_NEW_FILE;
+					}
+				break;
+				}
+
+			case EOB_ACT_CONTINUE_SCAN:
+				(yy_c_buf_p) =
+					(yytext_ptr) + yy_amount_of_matched_text;
+
+				yy_current_state = yy_get_previous_state(  );
+
+				yy_cp = (yy_c_buf_p);
+				yy_bp = (yytext_ptr) + YY_MORE_ADJ;
+				goto yy_match;
+
+			case EOB_ACT_LAST_MATCH:
+				(yy_c_buf_p) =
+				&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)];
+
+				yy_current_state = yy_get_previous_state(  );
+
+				yy_cp = (yy_c_buf_p);
+				yy_bp = (yytext_ptr) + YY_MORE_ADJ;
+				goto yy_find_action;
+			}
+		break;
+		}
+
+	default:
+		YY_FATAL_ERROR(
+			"fatal flex scanner internal error--no action found" );
+	} /* end of action switch */
+		} /* end of scanning one token */
+} /* end of yylex */
+
+/* yy_get_next_buffer - try to read in a new buffer
+ *
+ * Returns a code representing an action:
+ *	EOB_ACT_LAST_MATCH -
+ *	EOB_ACT_CONTINUE_SCAN - continue scanning from current position
+ *	EOB_ACT_END_OF_FILE - end of file
+ */
+static int yy_get_next_buffer (void)
+{
+    	register char *dest = YY_CURRENT_BUFFER_LVALUE->yy_ch_buf;
+	register char *source = (yytext_ptr);
+	register int number_to_move, i;
+	int ret_val;
+
+	if ( (yy_c_buf_p) > &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] )
+		YY_FATAL_ERROR(
+		"fatal flex scanner internal error--end of buffer missed" );
+
+	if ( YY_CURRENT_BUFFER_LVALUE->yy_fill_buffer == 0 )
+		{ /* Don't try to fill the buffer, so this is an EOF. */
+		if ( (yy_c_buf_p) - (yytext_ptr) - YY_MORE_ADJ == 1 )
+			{
+			/* We matched a single character, the EOB, so
+			 * treat this as a final EOF.
+			 */
+			return EOB_ACT_END_OF_FILE;
+			}
+
+		else
+			{
+			/* We matched some text prior to the EOB, first
+			 * process it.
+			 */
+			return EOB_ACT_LAST_MATCH;
+			}
+		}
+
+	/* Try to read more data. */
+
+	/* First move last chars to start of buffer. */
+	number_to_move = (int) ((yy_c_buf_p) - (yytext_ptr)) - 1;
+
+	for ( i = 0; i < number_to_move; ++i )
+		*(dest++) = *(source++);
+
+	if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
+		/* don't do the read, it's not guaranteed to return an EOF,
+		 * just force an EOF
+		 */
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars) = 0;
+
+	else
+		{
+			int num_to_read =
+			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
+
+		while ( num_to_read <= 0 )
+			{ /* Not enough room in the buffer - grow it. */
+
+			/* just a shorter name for the current buffer */
+			YY_BUFFER_STATE b = YY_CURRENT_BUFFER;
+
+			int yy_c_buf_p_offset =
+				(int) ((yy_c_buf_p) - b->yy_ch_buf);
+
+			if ( b->yy_is_our_buffer )
+				{
+				int new_size = b->yy_buf_size * 2;
+
+				if ( new_size <= 0 )
+					b->yy_buf_size += b->yy_buf_size / 8;
+				else
+					b->yy_buf_size *= 2;
+
+				b->yy_ch_buf = (char *)
+					/* Include room in for 2 EOB chars. */
+					yyrealloc((void *) b->yy_ch_buf,b->yy_buf_size + 2  );
+				}
+			else
+				/* Can't grow it, we don't own it. */
+				b->yy_ch_buf = 0;
+
+			if ( ! b->yy_ch_buf )
+				YY_FATAL_ERROR(
+				"fatal error - scanner input buffer overflow" );
+
+			(yy_c_buf_p) = &b->yy_ch_buf[yy_c_buf_p_offset];
+
+			num_to_read = YY_CURRENT_BUFFER_LVALUE->yy_buf_size -
+						number_to_move - 1;
+
+			}
+
+		if ( num_to_read > YY_READ_BUF_SIZE )
+			num_to_read = YY_READ_BUF_SIZE;
+
+		/* Read in more data. */
+		YY_INPUT( (&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]),
+			(yy_n_chars), num_to_read );
+
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
+		}
+
+	if ( (yy_n_chars) == 0 )
+		{
+		if ( number_to_move == YY_MORE_ADJ )
+			{
+			ret_val = EOB_ACT_END_OF_FILE;
+			yyrestart(yyin  );
+			}
+
+		else
+			{
+			ret_val = EOB_ACT_LAST_MATCH;
+			YY_CURRENT_BUFFER_LVALUE->yy_buffer_status =
+				YY_BUFFER_EOF_PENDING;
+			}
+		}
+
+	else
+		ret_val = EOB_ACT_CONTINUE_SCAN;
+
+	(yy_n_chars) += number_to_move;
+	YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] = YY_END_OF_BUFFER_CHAR;
+	YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] = YY_END_OF_BUFFER_CHAR;
+
+	(yytext_ptr) = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[0];
+
+	return ret_val;
+}
+
+/* yy_get_previous_state - get the state just before the EOB char was reached */
+
+    static yy_state_type yy_get_previous_state (void)
+{
+	register yy_state_type yy_current_state;
+	register char *yy_cp;
+    
+	yy_current_state = (yy_start);
+
+	for ( yy_cp = (yytext_ptr) + YY_MORE_ADJ; yy_cp < (yy_c_buf_p); ++yy_cp )
+		{
+		register YY_CHAR yy_c = (*yy_cp ? yy_ec[YY_SC_TO_UI(*yy_cp)] : 1);
+		if ( yy_accept[yy_current_state] )
+			{
+			(yy_last_accepting_state) = yy_current_state;
+			(yy_last_accepting_cpos) = yy_cp;
+			}
+		while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
+			{
+			yy_current_state = (int) yy_def[yy_current_state];
+			if ( yy_current_state >= 14 )
+				yy_c = yy_meta[(unsigned int) yy_c];
+			}
+		yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+		}
+
+	return yy_current_state;
+}
+
+/* yy_try_NUL_trans - try to make a transition on the NUL character
+ *
+ * synopsis
+ *	next_state = yy_try_NUL_trans( current_state );
+ */
+    static yy_state_type yy_try_NUL_trans  (yy_state_type yy_current_state )
+{
+	register int yy_is_jam;
+    	register char *yy_cp = (yy_c_buf_p);
+
+	register YY_CHAR yy_c = 1;
+	if ( yy_accept[yy_current_state] )
+		{
+		(yy_last_accepting_state) = yy_current_state;
+		(yy_last_accepting_cpos) = yy_cp;
+		}
+	while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
+		{
+		yy_current_state = (int) yy_def[yy_current_state];
+		if ( yy_current_state >= 14 )
+			yy_c = yy_meta[(unsigned int) yy_c];
+		}
+	yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+	yy_is_jam = (yy_current_state == 13);
+
+	return yy_is_jam ? 0 : yy_current_state;
+}
+
+    static void yyunput (int c, register char * yy_bp )
+{
+	register char *yy_cp;
+    
+    yy_cp = (yy_c_buf_p);
+
+	/* undo effects of setting up yytext */
+	*yy_cp = (yy_hold_char);
+
+	if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
+		{ /* need to shift things up to make room */
+		/* +2 for EOB chars. */
+		register int number_to_move = (yy_n_chars) + 2;
+		register char *dest = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[
+					YY_CURRENT_BUFFER_LVALUE->yy_buf_size + 2];
+		register char *source =
+				&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move];
+
+		while ( source > YY_CURRENT_BUFFER_LVALUE->yy_ch_buf )
+			*--dest = *--source;
+
+		yy_cp += (int) (dest - source);
+		yy_bp += (int) (dest - source);
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars =
+			(yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_buf_size;
+
+		if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
+			YY_FATAL_ERROR( "flex scanner push-back overflow" );
+		}
+
+	*--yy_cp = (char) c;
+
+	(yytext_ptr) = yy_bp;
+	(yy_hold_char) = *yy_cp;
+	(yy_c_buf_p) = yy_cp;
+}
+
+#ifndef YY_NO_INPUT
+#ifdef __cplusplus
+    static int yyinput (void)
+#else
+    static int input  (void)
+#endif
+
+{
+	int c;
+    
+	*(yy_c_buf_p) = (yy_hold_char);
+
+	if ( *(yy_c_buf_p) == YY_END_OF_BUFFER_CHAR )
+		{
+		/* yy_c_buf_p now points to the character we want to return.
+		 * If this occurs *before* the EOB characters, then it's a
+		 * valid NUL; if not, then we've hit the end of the buffer.
+		 */
+		if ( (yy_c_buf_p) < &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] )
+			/* This was really a NUL. */
+			*(yy_c_buf_p) = '\0';
+
+		else
+			{ /* need more input */
+			int offset = (yy_c_buf_p) - (yytext_ptr);
+			++(yy_c_buf_p);
+
+			switch ( yy_get_next_buffer(  ) )
+				{
+				case EOB_ACT_LAST_MATCH:
+					/* This happens because yy_g_n_b()
+					 * sees that we've accumulated a
+					 * token and flags that we need to
+					 * try matching the token before
+					 * proceeding.  But for input(),
+					 * there's no matching to consider.
+					 * So convert the EOB_ACT_LAST_MATCH
+					 * to EOB_ACT_END_OF_FILE.
+					 */
+
+					/* Reset buffer status. */
+					yyrestart(yyin );
+
+					/*FALLTHROUGH*/
+
+				case EOB_ACT_END_OF_FILE:
+					{
+					if ( yywrap( ) )
+						return 0;
+
+					if ( ! (yy_did_buffer_switch_on_eof) )
+						YY_NEW_FILE;
+#ifdef __cplusplus
+					return yyinput();
+#else
+					return input();
+#endif
+					}
+
+				case EOB_ACT_CONTINUE_SCAN:
+					(yy_c_buf_p) = (yytext_ptr) + offset;
+					break;
+				}
+			}
+		}
+
+	c = *(unsigned char *) (yy_c_buf_p);	/* cast for 8-bit char's */
+	*(yy_c_buf_p) = '\0';	/* preserve yytext */
+	(yy_hold_char) = *++(yy_c_buf_p);
+
+	return c;
+}
+#endif	/* ifndef YY_NO_INPUT */
+
+/** Immediately switch to a different input stream.
+ * @param input_file A readable stream.
+ * 
+ * @note This function does not reset the start condition to @c INITIAL .
+ */
+    void yyrestart  (FILE * input_file )
+{
+    
+	if ( ! YY_CURRENT_BUFFER ){
+        yyensure_buffer_stack ();
+		YY_CURRENT_BUFFER_LVALUE =
+            yy_create_buffer(yyin,YY_BUF_SIZE );
+	}
+
+	yy_init_buffer(YY_CURRENT_BUFFER,input_file );
+	yy_load_buffer_state( );
+}
+
+/** Switch to a different input buffer.
+ * @param new_buffer The new input buffer.
+ * 
+ */
+    void yy_switch_to_buffer  (YY_BUFFER_STATE  new_buffer )
+{
+    
+	/* TODO. We should be able to replace this entire function body
+	 * with
+	 *		yypop_buffer_state();
+	 *		yypush_buffer_state(new_buffer);
+     */
+	yyensure_buffer_stack ();
+	if ( YY_CURRENT_BUFFER == new_buffer )
+		return;
+
+	if ( YY_CURRENT_BUFFER )
+		{
+		/* Flush out information for old buffer. */
+		*(yy_c_buf_p) = (yy_hold_char);
+		YY_CURRENT_BUFFER_LVALUE->yy_buf_pos = (yy_c_buf_p);
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
+		}
+
+	YY_CURRENT_BUFFER_LVALUE = new_buffer;
+	yy_load_buffer_state( );
+
+	/* We don't actually know whether we did this switch during
+	 * EOF (yywrap()) processing, but the only time this flag
+	 * is looked at is after yywrap() is called, so it's safe
+	 * to go ahead and always set it.
+	 */
+	(yy_did_buffer_switch_on_eof) = 1;
+}
+
+static void yy_load_buffer_state  (void)
+{
+    	(yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_n_chars;
+	(yytext_ptr) = (yy_c_buf_p) = YY_CURRENT_BUFFER_LVALUE->yy_buf_pos;
+	yyin = YY_CURRENT_BUFFER_LVALUE->yy_input_file;
+	(yy_hold_char) = *(yy_c_buf_p);
+}
+
+/** Allocate and initialize an input buffer state.
+ * @param file A readable stream.
+ * @param size The character buffer size in bytes. When in doubt, use @c YY_BUF_SIZE.
+ * 
+ * @return the allocated buffer state.
+ */
+    YY_BUFFER_STATE yy_create_buffer  (FILE * file, int  size )
+{
+	YY_BUFFER_STATE b;
+    
+	b = (YY_BUFFER_STATE) yyalloc(sizeof( struct yy_buffer_state )  );
+	if ( ! b )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
+
+	b->yy_buf_size = size;
+
+	/* yy_ch_buf has to be 2 characters longer than the size given because
+	 * we need to put in 2 end-of-buffer characters.
+	 */
+	b->yy_ch_buf = (char *) yyalloc(b->yy_buf_size + 2  );
+	if ( ! b->yy_ch_buf )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
+
+	b->yy_is_our_buffer = 1;
+
+	yy_init_buffer(b,file );
+
+	return b;
+}
+
+/** Destroy the buffer.
+ * @param b a buffer created with yy_create_buffer()
+ * 
+ */
+    void yy_delete_buffer (YY_BUFFER_STATE  b )
+{
+    
+	if ( ! b )
+		return;
+
+	if ( b == YY_CURRENT_BUFFER ) /* Not sure if we should pop here. */
+		YY_CURRENT_BUFFER_LVALUE = (YY_BUFFER_STATE) 0;
+
+	if ( b->yy_is_our_buffer )
+		yyfree((void *) b->yy_ch_buf  );
+
+	yyfree((void *) b  );
+}
+
+#ifndef __cplusplus
+extern int isatty (int );
+#endif /* __cplusplus */
+    
+/* Initializes or reinitializes a buffer.
+ * This function is sometimes called more than once on the same buffer,
+ * such as during a yyrestart() or at EOF.
+ */
+    static void yy_init_buffer  (YY_BUFFER_STATE  b, FILE * file )
+
+{
+	int oerrno = errno;
+    
+	yy_flush_buffer(b );
+
+	b->yy_input_file = file;
+	b->yy_fill_buffer = 1;
+
+    /* If b is the current buffer, then yy_init_buffer was _probably_
+     * called from yyrestart() or through yy_get_next_buffer.
+     * In that case, we don't want to reset the lineno or column.
+     */
+    if (b != YY_CURRENT_BUFFER){
+        b->yy_bs_lineno = 1;
+        b->yy_bs_column = 0;
+    }
+
+        b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0;
+    
+	errno = oerrno;
+}
+
+/** Discard all buffered characters. On the next scan, YY_INPUT will be called.
+ * @param b the buffer state to be flushed, usually @c YY_CURRENT_BUFFER.
+ * 
+ */
+    void yy_flush_buffer (YY_BUFFER_STATE  b )
+{
+    	if ( ! b )
+		return;
+
+	b->yy_n_chars = 0;
+
+	/* We always need two end-of-buffer characters.  The first causes
+	 * a transition to the end-of-buffer state.  The second causes
+	 * a jam in that state.
+	 */
+	b->yy_ch_buf[0] = YY_END_OF_BUFFER_CHAR;
+	b->yy_ch_buf[1] = YY_END_OF_BUFFER_CHAR;
+
+	b->yy_buf_pos = &b->yy_ch_buf[0];
+
+	b->yy_at_bol = 1;
+	b->yy_buffer_status = YY_BUFFER_NEW;
+
+	if ( b == YY_CURRENT_BUFFER )
+		yy_load_buffer_state( );
+}
+
+/** Pushes the new state onto the stack. The new state becomes
+ *  the current state. This function will allocate the stack
+ *  if necessary.
+ *  @param new_buffer The new state.
+ *  
+ */
+void yypush_buffer_state (YY_BUFFER_STATE new_buffer )
+{
+    	if (new_buffer == NULL)
+		return;
+
+	yyensure_buffer_stack();
+
+	/* This block is copied from yy_switch_to_buffer. */
+	if ( YY_CURRENT_BUFFER )
+		{
+		/* Flush out information for old buffer. */
+		*(yy_c_buf_p) = (yy_hold_char);
+		YY_CURRENT_BUFFER_LVALUE->yy_buf_pos = (yy_c_buf_p);
+		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
+		}
+
+	/* Only push if top exists. Otherwise, replace top. */
+	if (YY_CURRENT_BUFFER)
+		(yy_buffer_stack_top)++;
+	YY_CURRENT_BUFFER_LVALUE = new_buffer;
+
+	/* copied from yy_switch_to_buffer. */
+	yy_load_buffer_state( );
+	(yy_did_buffer_switch_on_eof) = 1;
+}
+
+/** Removes and deletes the top of the stack, if present.
+ *  The next element becomes the new top.
+ *  
+ */
+void yypop_buffer_state (void)
+{
+    	if (!YY_CURRENT_BUFFER)
+		return;
+
+	yy_delete_buffer(YY_CURRENT_BUFFER );
+	YY_CURRENT_BUFFER_LVALUE = NULL;
+	if ((yy_buffer_stack_top) > 0)
+		--(yy_buffer_stack_top);
+
+	if (YY_CURRENT_BUFFER) {
+		yy_load_buffer_state( );
+		(yy_did_buffer_switch_on_eof) = 1;
+	}
+}
+
+/* Allocates the stack if it does not exist.
+ *  Guarantees space for at least one push.
+ */
+static void yyensure_buffer_stack (void)
+{
+	int num_to_alloc;
+    
+	if (!(yy_buffer_stack)) {
+
+		/* First allocation is just for 2 elements, since we don't know if this
+		 * scanner will even need a stack. We use 2 instead of 1 to avoid an
+		 * immediate realloc on the next call.
+         */
+		num_to_alloc = 1;
+		(yy_buffer_stack) = (struct yy_buffer_state**)yyalloc
+								(num_to_alloc * sizeof(struct yy_buffer_state*)
+								);
+		
+		memset((yy_buffer_stack), 0, num_to_alloc * sizeof(struct yy_buffer_state*));
+				
+		(yy_buffer_stack_max) = num_to_alloc;
+		(yy_buffer_stack_top) = 0;
+		return;
+	}
+
+	if ((yy_buffer_stack_top) >= ((yy_buffer_stack_max)) - 1){
+
+		/* Increase the buffer to prepare for a possible push. */
+		int grow_size = 8 /* arbitrary grow size */;
+
+		num_to_alloc = (yy_buffer_stack_max) + grow_size;
+		(yy_buffer_stack) = (struct yy_buffer_state**)yyrealloc
+								((yy_buffer_stack),
+								num_to_alloc * sizeof(struct yy_buffer_state*)
+								);
+
+		/* zero only the new slots.*/
+		memset((yy_buffer_stack) + (yy_buffer_stack_max), 0, grow_size * sizeof(struct yy_buffer_state*));
+		(yy_buffer_stack_max) = num_to_alloc;
+	}
+}
+
+/** Setup the input buffer state to scan directly from a user-specified character buffer.
+ * @param base the character buffer
+ * @param size the size in bytes of the character buffer
+ * 
+ * @return the newly allocated buffer state object. 
+ */
+YY_BUFFER_STATE yy_scan_buffer  (char * base, yy_size_t  size )
+{
+	YY_BUFFER_STATE b;
+    
+	if ( size < 2 ||
+	     base[size-2] != YY_END_OF_BUFFER_CHAR ||
+	     base[size-1] != YY_END_OF_BUFFER_CHAR )
+		/* They forgot to leave room for the EOB's. */
+		return 0;
+
+	b = (YY_BUFFER_STATE) yyalloc(sizeof( struct yy_buffer_state )  );
+	if ( ! b )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_scan_buffer()" );
+
+	b->yy_buf_size = size - 2;	/* "- 2" to take care of EOB's */
+	b->yy_buf_pos = b->yy_ch_buf = base;
+	b->yy_is_our_buffer = 0;
+	b->yy_input_file = 0;
+	b->yy_n_chars = b->yy_buf_size;
+	b->yy_is_interactive = 0;
+	b->yy_at_bol = 1;
+	b->yy_fill_buffer = 0;
+	b->yy_buffer_status = YY_BUFFER_NEW;
+
+	yy_switch_to_buffer(b  );
+
+	return b;
+}
+
+/** Setup the input buffer state to scan a string. The next call to yylex() will
+ * scan from a @e copy of @a str.
+ * @param str a NUL-terminated string to scan
+ * 
+ * @return the newly allocated buffer state object.
+ * @note If you want to scan bytes that may contain NUL values, then use
+ *       yy_scan_bytes() instead.
+ */
+YY_BUFFER_STATE yy_scan_string (yyconst char * yystr )
+{
+    
+	return yy_scan_bytes(yystr,strlen(yystr) );
+}
+
+/** Setup the input buffer state to scan the given bytes. The next call to yylex() will
+ * scan from a @e copy of @a bytes.
+ * @param bytes the byte buffer to scan
+ * @param len the number of bytes in the buffer pointed to by @a bytes.
+ * 
+ * @return the newly allocated buffer state object.
+ */
+YY_BUFFER_STATE yy_scan_bytes  (yyconst char * yybytes, int  _yybytes_len )
+{
+	YY_BUFFER_STATE b;
+	char *buf;
+	yy_size_t n;
+	int i;
+    
+	/* Get memory for full buffer, including space for trailing EOB's. */
+	n = _yybytes_len + 2;
+	buf = (char *) yyalloc(n  );
+	if ( ! buf )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_scan_bytes()" );
+
+	for ( i = 0; i < _yybytes_len; ++i )
+		buf[i] = yybytes[i];
+
+	buf[_yybytes_len] = buf[_yybytes_len+1] = YY_END_OF_BUFFER_CHAR;
+
+	b = yy_scan_buffer(buf,n );
+	if ( ! b )
+		YY_FATAL_ERROR( "bad buffer in yy_scan_bytes()" );
+
+	/* It's okay to grow etc. this buffer, and we should throw it
+	 * away when we're done.
+	 */
+	b->yy_is_our_buffer = 1;
+
+	return b;
+}
+
+#ifndef YY_EXIT_FAILURE
+#define YY_EXIT_FAILURE 2
+#endif
+
+static void yy_fatal_error (yyconst char* msg )
+{
+    	(void) fprintf( stderr, "%s\n", msg );
+	exit( YY_EXIT_FAILURE );
+}
+
+/* Redefine yyless() so it works in section 3 code. */
+
+#undef yyless
+#define yyless(n) \
+	do \
+		{ \
+		/* Undo effects of setting up yytext. */ \
+        int yyless_macro_arg = (n); \
+        YY_LESS_LINENO(yyless_macro_arg);\
+		yytext[yyleng] = (yy_hold_char); \
+		(yy_c_buf_p) = yytext + yyless_macro_arg; \
+		(yy_hold_char) = *(yy_c_buf_p); \
+		*(yy_c_buf_p) = '\0'; \
+		yyleng = yyless_macro_arg; \
+		} \
+	while ( 0 )
+
+/* Accessor  methods (get/set functions) to struct members. */
+
+/** Get the current line number.
+ * 
+ */
+int yyget_lineno  (void)
+{
+        
+    return yylineno;
+}
+
+/** Get the input stream.
+ * 
+ */
+FILE *yyget_in  (void)
+{
+        return yyin;
+}
+
+/** Get the output stream.
+ * 
+ */
+FILE *yyget_out  (void)
+{
+        return yyout;
+}
+
+/** Get the length of the current token.
+ * 
+ */
+int yyget_leng  (void)
+{
+        return yyleng;
+}
+
+/** Get the current token.
+ * 
+ */
+
+char *yyget_text  (void)
+{
+        return yytext;
+}
+
+/** Set the current line number.
+ * @param line_number
+ * 
+ */
+void yyset_lineno (int  line_number )
+{
+    
+    yylineno = line_number;
+}
+
+/** Set the input stream. This does not discard the current
+ * input buffer.
+ * @param in_str A readable stream.
+ * 
+ * @see yy_switch_to_buffer
+ */
+void yyset_in (FILE *  in_str )
+{
+        yyin = in_str ;
+}
+
+void yyset_out (FILE *  out_str )
+{
+        yyout = out_str ;
+}
+
+int yyget_debug  (void)
+{
+        return yy_flex_debug;
+}
+
+void yyset_debug (int  bdebug )
+{
+        yy_flex_debug = bdebug ;
+}
+
+static int yy_init_globals (void)
+{
+        /* Initialization is the same as for the non-reentrant scanner.
+     * This function is called from yylex_destroy(), so don't allocate here.
+     */
+
+    (yy_buffer_stack) = 0;
+    (yy_buffer_stack_top) = 0;
+    (yy_buffer_stack_max) = 0;
+    (yy_c_buf_p) = (char *) 0;
+    (yy_init) = 0;
+    (yy_start) = 0;
+
+/* Defined in main.c */
+#ifdef YY_STDINIT
+    yyin = stdin;
+    yyout = stdout;
+#else
+    yyin = (FILE *) 0;
+    yyout = (FILE *) 0;
+#endif
+
+    /* For future reference: Set errno on error, since we are called by
+     * yylex_init()
+     */
+    return 0;
+}
+
+/* yylex_destroy is for both reentrant and non-reentrant scanners. */
+int yylex_destroy  (void)
+{
+    
+    /* Pop the buffer stack, destroying each element. */
+	while(YY_CURRENT_BUFFER){
+		yy_delete_buffer(YY_CURRENT_BUFFER  );
+		YY_CURRENT_BUFFER_LVALUE = NULL;
+		yypop_buffer_state();
+	}
+
+	/* Destroy the stack itself. */
+	yyfree((yy_buffer_stack) );
+	(yy_buffer_stack) = NULL;
+
+    /* Reset the globals. This is important in a non-reentrant scanner so the next time
+     * yylex() is called, initialization will occur. */
+    yy_init_globals( );
+
+    return 0;
+}
+
+/*
+ * Internal utility routines.
+ */
+
+#ifndef yytext_ptr
+static void yy_flex_strncpy (char* s1, yyconst char * s2, int n )
+{
+	register int i;
+	for ( i = 0; i < n; ++i )
+		s1[i] = s2[i];
+}
+#endif
+
+#ifdef YY_NEED_STRLEN
+static int yy_flex_strlen (yyconst char * s )
+{
+	register int n;
+	for ( n = 0; s[n]; ++n )
+		;
+
+	return n;
+}
+#endif
+
+void *yyalloc (yy_size_t  size )
+{
+	return (void *) malloc( size );
+}
+
+void *yyrealloc  (void * ptr, yy_size_t  size )
+{
+	/* The cast to (char *) in the following accommodates both
+	 * implementations that use char* generic pointers, and those
+	 * that use void* generic pointers.  It works with the latter
+	 * because both ANSI C and C++ allow castless assignment from
+	 * any pointer type to void*, and deal with argument conversions
+	 * as though doing an assignment.
+	 */
+	return (void *) realloc( (char *) ptr, size );
+}
+
+void yyfree (void * ptr )
+{
+	free( (char *) ptr );	/* see yyrealloc() for (char *) cast */
+}
+
+#define YYTABLES_NAME "yytables"
+
+#line 65 "slc-lex.l"
+
+
+
+void
+error_message (const char *format, ...)
+{
+     va_list args;
+
+     va_start (args, format);
+     fprintf (stderr, "%s:%d: ", filename, lineno);
+     vfprintf (stderr, format, args);
+     va_end (args);
+     error_flag++;
+}
+
+void
+yyerror (char *s)
+{
+    error_message("%s\n", s);
+}
+
+static void
+handle_comment(void)
+{
+    int c;
+    int start_lineno = lineno;
+    int level = 1;
+    int seen_star = 0;
+    int seen_slash = 0;
+    while((c = input()) != EOF) {
+	if(c == '/') {
+	    if(seen_star) {
+		if(--level == 0)
+		    return;
+		seen_star = 0;
+		continue;
+	    }
+	    seen_slash = 1;
+	    continue;
+	}
+	if(seen_star && c == '/') {
+	    if(--level == 0)
+		return;
+	    seen_star = 0;
+	    continue;
+	}
+	if(c == '*') {
+	    if(seen_slash) {
+		level++;
+		seen_star = seen_slash = 0;
+		continue;
+	    } 
+	    seen_star = 1;
+	    continue;
+	}
+	seen_star = seen_slash = 0;
+	if(c == '\n') {
+	    lineno++;
+	    continue;
+	}
+    }
+    if(c == EOF)
+	error_message("unterminated comment, possibly started on line %d\n", start_lineno);
+}
+
+static char *
+handle_string(void)
+{
+    char x[1024];
+    int i = 0;
+    int c;
+    int quote = 0;
+    while((c = input()) != EOF){
+	if(quote) {
+	    x[i++] = '\\';
+	    x[i++] = c;
+	    quote = 0;
+	    continue;
+	}
+	if(c == '\n'){
+	    error_message("unterminated string");
+	    lineno++;
+	    break;
+	}
+	if(c == '\\'){
+	    quote++;
+	    continue;
+	}
+	if(c == '\"')
+	    break;
+	x[i++] = c;
+    }
+    x[i] = '\0';
+    return strdup(x);
+}
+
+int
+yywrap () 
+{
+     return 1;
+}
+
diff --git a/crypto/heimdal/lib/sl/slc-lex.l b/crypto/heimdal/lib/sl/slc-lex.l
new file mode 100644
index 0000000..b810b12
--- /dev/null
+++ b/crypto/heimdal/lib/sl/slc-lex.l
@@ -0,0 +1,164 @@
+%{
+/*
+ * Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: slc-lex.l 15118 2005-05-10 22:19:01Z lha $ */
+
+#undef ECHO
+
+#include <stdio.h>
+#include <string.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include "slc.h"
+#include "slc-gram.h"
+unsigned lineno = 1;
+
+static void handle_comment(void);
+static char * handle_string(void);
+
+#define YY_NO_UNPUT
+
+#undef ECHO
+
+%}
+%%
+[A-Za-z][-A-Za-z0-9_]*	{
+			  yylval.string = strdup ((const char *)yytext);
+			  return LITERAL;
+			}
+"\""			{ yylval.string = handle_string(); return STRING; }
+\n			{ ++lineno; }
+\/\*			{ handle_comment(); }
+[={}]			{ return *yytext; }
+[ \t]			;
+%%
+
+void
+error_message (const char *format, ...)
+{
+     va_list args;
+
+     va_start (args, format);
+     fprintf (stderr, "%s:%d: ", filename, lineno);
+     vfprintf (stderr, format, args);
+     va_end (args);
+     error_flag++;
+}
+
+void
+yyerror (char *s)
+{
+    error_message("%s\n", s);
+}
+
+static void
+handle_comment(void)
+{
+    int c;
+    int start_lineno = lineno;
+    int level = 1;
+    int seen_star = 0;
+    int seen_slash = 0;
+    while((c = input()) != EOF) {
+	if(c == '/') {
+	    if(seen_star) {
+		if(--level == 0)
+		    return;
+		seen_star = 0;
+		continue;
+	    }
+	    seen_slash = 1;
+	    continue;
+	}
+	if(seen_star && c == '/') {
+	    if(--level == 0)
+		return;
+	    seen_star = 0;
+	    continue;
+	}
+	if(c == '*') {
+	    if(seen_slash) {
+		level++;
+		seen_star = seen_slash = 0;
+		continue;
+	    } 
+	    seen_star = 1;
+	    continue;
+	}
+	seen_star = seen_slash = 0;
+	if(c == '\n') {
+	    lineno++;
+	    continue;
+	}
+    }
+    if(c == EOF)
+	error_message("unterminated comment, possibly started on line %d\n", start_lineno);
+}
+
+static char *
+handle_string(void)
+{
+    char x[1024];
+    int i = 0;
+    int c;
+    int quote = 0;
+    while((c = input()) != EOF){
+	if(quote) {
+	    x[i++] = '\\';
+	    x[i++] = c;
+	    quote = 0;
+	    continue;
+	}
+	if(c == '\n'){
+	    error_message("unterminated string");
+	    lineno++;
+	    break;
+	}
+	if(c == '\\'){
+	    quote++;
+	    continue;
+	}
+	if(c == '\"')
+	    break;
+	x[i++] = c;
+    }
+    x[i] = '\0';
+    return strdup(x);
+}
+
+int
+yywrap () 
+{
+     return 1;
+}
diff --git a/crypto/heimdal/lib/sl/slc.h b/crypto/heimdal/lib/sl/slc.h
new file mode 100644
index 0000000..2b05813
--- /dev/null
+++ b/crypto/heimdal/lib/sl/slc.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: slc.h 13969 2004-06-21 19:10:59Z joda $ */
+#include <stdio.h>
+#include <string.h>
+#include <stdarg.h>
+
+struct assignment {
+    char *name;
+    enum { a_value, a_assignment } type;
+    union {
+	char *value;
+	struct assignment *assignment;
+    } u;
+    unsigned int lineno;
+    struct assignment *next;
+};
+
+extern char *filename;
+extern int error_flag;
+void error_message (const char *format, ...);
+int yylex(void);
+void yyerror (char *s);
+extern unsigned lineno;
diff --git a/crypto/heimdal/lib/sl/ss.c b/crypto/heimdal/lib/sl/ss.c
index 7655a9e..f2f3cbc 100644
--- a/crypto/heimdal/lib/sl/ss.c
+++ b/crypto/heimdal/lib/sl/ss.c
@@ -35,7 +35,7 @@
 #include <com_err.h>
 #include "ss.h"
 
-RCSID("$Id: ss.c,v 1.6 2000/05/25 00:14:58 assar Exp $");
+RCSID("$Id: ss.c 15429 2005-06-16 19:24:11Z lha $");
 
 struct ss_subst {
     char *name;
@@ -89,35 +89,35 @@ ss_create_invocation(const char *subsystem,
 }
 
 void
-ss_error (int index, long code, const char *fmt, ...)
+ss_error (int idx, long code, const char *fmt, ...)
 {
     va_list ap;
     va_start(ap, fmt);
-    com_err_va (subsystems[index].name, code, fmt, ap);
+    com_err_va (subsystems[idx].name, code, fmt, ap);
     va_end(ap);
 }
 
 void
-ss_perror (int index, long code, const char *msg)
+ss_perror (int idx, long code, const char *msg)
 {
-    ss_error(index, code, "%s", msg);
+    ss_error(idx, code, "%s", msg);
 }
 
 int
-ss_execute_command(int index, char **argv)
+ss_execute_command(int idx, char **argv)
 {
     int argc = 0;
     int ret;
 
     while(argv[argc++]);
-    ret = sl_command(subsystems[index].table, argc, argv);
+    ret = sl_command(subsystems[idx].table, argc, argv);
     if (ret == SL_BADCOMMAND)
 	return SS_ET_COMMAND_NOT_FOUND;
     return 0;
 }
 
 int
-ss_execute_line (int index, const char *line)
+ss_execute_line (int idx, const char *line)
 {
     char *buf = strdup(line);
     int argc;
@@ -127,7 +127,7 @@ ss_execute_line (int index, const char *line)
     if (buf == NULL)
 	return ENOMEM;
     sl_make_argv(buf, &argc, &argv);
-    ret = sl_command(subsystems[index].table, argc, argv);
+    ret = sl_command(subsystems[idx].table, argc, argv);
     free(buf);
     if (ret == SL_BADCOMMAND)
 	return SS_ET_COMMAND_NOT_FOUND;
@@ -135,23 +135,23 @@ ss_execute_line (int index, const char *line)
 }
 
 int
-ss_listen (int index)
+ss_listen (int idx)
 {
-    char *prompt = malloc(strlen(subsystems[index].name) + 3);
+    char *prompt = malloc(strlen(subsystems[idx].name) + 3);
     if (prompt == NULL)
 	return ENOMEM;
 
-    strcpy(prompt, subsystems[index].name);
+    strcpy(prompt, subsystems[idx].name);
     strcat(prompt, ": ");
-    sl_loop(subsystems[index].table, prompt);
+    sl_loop(subsystems[idx].table, prompt);
     free(prompt);
     return 0;
 }
 
 int
-ss_list_requests(int argc, char **argv /* , int index, void *info */)
+ss_list_requests(int argc, char **argv /* , int idx, void *info */)
 {
-    sl_help(subsystems[0 /* index */].table, argc, argv);
+    sl_help(subsystems[0 /* idx */].table, argc, argv);
     return 0;
 }
 
diff --git a/crypto/heimdal/lib/sl/ss.h b/crypto/heimdal/lib/sl/ss.h
index 0149fa1..15e1f88 100644
--- a/crypto/heimdal/lib/sl/ss.h
+++ b/crypto/heimdal/lib/sl/ss.h
@@ -30,7 +30,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
  * SUCH DAMAGE. 
  */
-/* $Id: ss.h,v 1.3 2000/05/25 00:15:21 assar Exp $ */
+/* $Id: ss.h 8294 2000-05-25 00:15:21Z assar $ */
 
 /* SS compatibility for SL */
 
diff --git a/crypto/heimdal/lib/sl/test_sl.c b/crypto/heimdal/lib/sl/test_sl.c
new file mode 100644
index 0000000..0610559
--- /dev/null
+++ b/crypto/heimdal/lib/sl/test_sl.c
@@ -0,0 +1,97 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "sl_locl.h"
+
+RCSID("$Id: test_sl.c 19555 2006-12-28 23:40:17Z lha $");
+
+struct {
+    int ok;
+    const char *line;
+    int argc;
+    const char *argv[4];
+} lines[] = {
+    { 1, "", 1, { "" } },
+    { 1, "foo", 1, { "foo" } },
+    { 1, "foo bar", 2, { "foo", "bar" }},
+    { 1, "foo bar baz", 3, { "foo", "bar", "baz" }},
+    { 1, "foobar baz", 2, { "foobar", "baz" }},
+    { 1, " foo", 1, { "foo" } },
+    { 1, "foo   ", 1, { "foo" } },
+    { 1, " foo  ", 1, { "foo" } },
+    { 1, " foo  bar", 2, { "foo", "bar" } },
+    { 1, "foo\\ bar", 1, { "foo bar" } },
+    { 1, "\"foo bar\"", 1, { "foo bar" } },
+    { 1, "\"foo\\ bar\"", 1, { "foo bar" } },
+    { 1, "\"foo\\\" bar\"", 1, { "foo\" bar" } },
+    { 1, "\"\"f\"\"oo\"\"", 1, { "foo" } },
+    { 1, "\"foobar\"baz", 1, { "foobarbaz" }},
+    { 1, "foo\tbar baz", 3, { "foo", "bar", "baz" }},
+    { 1, "\"foo bar\" baz", 2, { "foo bar", "baz" }},
+    { 1, "\"foo bar baz\"", 1, { "foo bar baz" }},
+    { 1, "\\\"foo bar baz", 3, { "\"foo", "bar", "baz" }},
+    { 1, "\\ foo bar baz", 3, { " foo", "bar", "baz" }},
+    { 0, "\\", 0, { "" }},
+    { 0, "\"", 0, { "" }}
+};
+
+int
+main(int argc, char **argv)
+{
+    int ret, i;
+
+    for (i = 0; i < sizeof(lines)/sizeof(lines[0]); i++) {
+	int j, rargc = 0;
+	char **rargv = NULL;
+	char *buf = strdup(lines[i].line);
+
+	ret = sl_make_argv(buf, &rargc, &rargv);
+	if (ret) {
+	    if (!lines[i].ok)
+		goto next;
+	    errx(1, "sl_make_argv test %d failed", i);
+	} else if (!lines[i].ok)
+	    errx(1, "sl_make_argv passed test %d when it shouldn't", i);
+	if (rargc != lines[i].argc)
+	    errx(1, "result argc (%d) != should be argc (%d) for test %d", 
+		 rargc, lines[i].argc, i);
+	for (j = 0; j < rargc; j++)
+	    if (strcmp(rargv[j], lines[i].argv[j]) != 0)
+		errx(1, "result argv (%s) != should be argv (%s) for test %d",
+		     rargv[j], lines[i].argv[j], i);
+    next:
+	free(buf);
+	free(rargv);
+    }
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/vers/ChangeLog b/crypto/heimdal/lib/vers/ChangeLog
index f5a869d..6208232 100644
--- a/crypto/heimdal/lib/vers/ChangeLog
+++ b/crypto/heimdal/lib/vers/ChangeLog
@@ -1,3 +1,35 @@
+2007-10-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: don't run local checks.
+	
+2006-12-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* print_version.c: Update (c).
+	
+2006-10-21  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* make-print-version.c: include <string.h>
+
+2006-10-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* make-print-version.c: Avoid creating a file called --version.
+	
+2006-10-19  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: fix spelling of build_HEADERZ
+
+2006-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: Add build_HEADERZ to EXTRA_DIST
+	
+2005-01-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* print_version.c: Happy New Year
+
+2004-01-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* print_version.c: add year 2004
+	
 2003-01-02  Johan Danielsson  <joda@pdc.kth.se>
 
 	* print_version.c: considerable clean up
diff --git a/crypto/heimdal/lib/vers/Makefile.am b/crypto/heimdal/lib/vers/Makefile.am
index d881612..a3b6da6 100644
--- a/crypto/heimdal/lib/vers/Makefile.am
+++ b/crypto/heimdal/lib/vers/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.5 2002/08/28 22:57:42 assar Exp $
+# $Id: Makefile.am 21959 2007-10-16 13:25:59Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -8,13 +8,15 @@ noinst_LTLIBRARIES	= libvers.la
 
 build_HEADERZ		= vers.h
 
+CHECK_LOCAL		= no-check-local
+
 noinst_PROGRAMS		= make-print-version
 
 if KRB4
 if KRB5
 ## need to link with des here; otherwise, if krb4 is shared the link
 ## will fail with unresolved references
-make_print_version_LDADD = $(LIB_krb4) $(LIB_des)
+make_print_version_LDADD = $(LIB_krb4) $(LIB_hcrypto)
 endif
 endif
 
@@ -26,3 +28,5 @@ print_version.h: make-print-version$(EXEEXT)
 	./make-print-version$(EXEEXT) print_version.h
 
 make-print-version.o: $(top_builddir)/include/version.h
+
+EXTRA_DIST = $(build_HEADERZ)
diff --git a/crypto/heimdal/lib/vers/Makefile.in b/crypto/heimdal/lib/vers/Makefile.in
index 6af8711..4dbc9e0 100644
--- a/crypto/heimdal/lib/vers/Makefile.in
+++ b/crypto/heimdal/lib/vers/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,24 +14,18 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.5 2002/08/28 22:57:42 assar Exp $
+# $Id: Makefile.am 21959 2007-10-16 13:25:59Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
 
-SOURCES = $(libvers_la_SOURCES) make-print-version.c
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -43,6 +37,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -51,16 +46,14 @@ noinst_PROGRAMS = make-print-version$(EXEEXT)
 subdir = lib/vers
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -73,6 +66,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -81,16 +75,20 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
 LTLIBRARIES = $(noinst_LTLIBRARIES)
@@ -104,30 +102,25 @@ am__DEPENDENCIES_1 =
 @KRB4_TRUE@@KRB5_TRUE@make_print_version_DEPENDENCIES =  \
 @KRB4_TRUE@@KRB5_TRUE@	$(am__DEPENDENCIES_1) \
 @KRB4_TRUE@@KRB5_TRUE@	$(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
 depcomp =
 am__depfiles_maybe =
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
 SOURCES = $(libvers_la_SOURCES) make-print-version.c
 DIST_SOURCES = $(libvers_la_SOURCES) make-print-version.c
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -137,8 +130,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -149,11 +140,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -161,42 +151,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -214,12 +189,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -229,15 +201,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -246,6 +217,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -257,15 +229,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -273,74 +240,79 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -357,16 +329,19 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 CLEANFILES = print_version.h
 noinst_LTLIBRARIES = libvers.la
 build_HEADERZ = vers.h
-@KRB4_TRUE@@KRB5_TRUE@make_print_version_LDADD = $(LIB_krb4) $(LIB_des)
+CHECK_LOCAL = no-check-local
+@KRB4_TRUE@@KRB5_TRUE@make_print_version_LDADD = $(LIB_krb4) $(LIB_hcrypto)
 libvers_la_SOURCES = print_version.c
+EXTRA_DIST = $(build_HEADERZ)
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -401,12 +376,12 @@ clean-noinstLTLIBRARIES:
 	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
 	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
 	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" = "$$p" && dir=.; \
+	  test "$$dir" != "$$p" || dir=.; \
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
 libvers.la: $(libvers_la_OBJECTS) $(libvers_la_DEPENDENCIES) 
-	$(LINK)  $(libvers_la_LDFLAGS) $(libvers_la_OBJECTS) $(libvers_la_LIBADD) $(LIBS)
+	$(LINK)  $(libvers_la_OBJECTS) $(libvers_la_LIBADD) $(LIBS)
 
 clean-noinstPROGRAMS:
 	@list='$(noinst_PROGRAMS)'; for p in $$list; do \
@@ -416,7 +391,7 @@ clean-noinstPROGRAMS:
 	done
 make-print-version$(EXEEXT): $(make_print_version_OBJECTS) $(make_print_version_DEPENDENCIES) 
 	@rm -f make-print-version$(EXEEXT)
-	$(LINK) $(make_print_version_LDFLAGS) $(make_print_version_OBJECTS) $(make_print_version_LDADD) $(LIBS)
+	$(LINK) $(make_print_version_OBJECTS) $(make_print_version_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -439,10 +414,6 @@ mostlyclean-libtool:
 clean-libtool:
 	-rm -rf .libs _libs
 
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
-
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -463,9 +434,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  done | \
 	  $(AWK) '    { files[$$0] = 1; } \
 	       END { for (i in files) print i; }'`; \
-	test -z "$(ETAGS_ARGS)$$tags$$unique" \
-	  || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	     $$tags $$unique
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
@@ -490,23 +463,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/../.. $(distdir)/../../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -545,7 +516,7 @@ clean-generic:
 	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -558,7 +529,7 @@ clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -574,14 +545,22 @@ install-data-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am:
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man:
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -601,19 +580,27 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-info-am
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
 
 .PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \
 	clean clean-generic clean-libtool clean-noinstLTLIBRARIES \
-	clean-noinstPROGRAMS ctags distclean distclean-compile \
-	distclean-generic distclean-libtool distclean-tags distdir dvi \
-	dvi-am html html-am info info-am install install-am \
-	install-data install-data-am install-exec install-exec-am \
-	install-info install-info-am install-man install-strip \
+	clean-noinstPROGRAMS ctags dist-hook distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am \
+	install-data-hook install-dvi install-dvi-am install-exec \
+	install-exec-am install-exec-hook install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
 	installcheck installcheck-am installdirs maintainer-clean \
 	maintainer-clean-generic mostlyclean mostlyclean-compile \
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-info-am
+	tags uninstall uninstall-am uninstall-hook
 
 
 install-suid-programs:
@@ -628,8 +615,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -639,19 +626,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -667,7 +666,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -737,15 +736,40 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
 
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
 print_version.lo: print_version.h
 
 print_version.h: make-print-version$(EXEEXT)
diff --git a/crypto/heimdal/lib/vers/make-print-version.c b/crypto/heimdal/lib/vers/make-print-version.c
index eab167d..6601b04 100644
--- a/crypto/heimdal/lib/vers/make-print-version.c
+++ b/crypto/heimdal/lib/vers/make-print-version.c
@@ -33,10 +33,11 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: make-print-version.c,v 1.3 2003/01/02 15:31:38 joda Exp $");
+RCSID("$Id: make-print-version.c 18765 2006-10-21 17:37:32Z lha $");
 #endif
 
 #include <stdio.h>
+#include <string.h>
 
 #ifdef KRB5
 extern const char *heimdal_version;
@@ -52,6 +53,10 @@ main(int argc, char **argv)
     FILE *f;
     if(argc != 2)
 	return 1;
+    if (strcmp(argv[1], "--version") == 0) {
+	printf("some version");
+	return 0;
+    }
     f = fopen(argv[1], "w");
     if(f == NULL)
 	return 1;
diff --git a/crypto/heimdal/lib/vers/print_version.c b/crypto/heimdal/lib/vers/print_version.c
index 43f9baa..325f3fa 100644
--- a/crypto/heimdal/lib/vers/print_version.c
+++ b/crypto/heimdal/lib/vers/print_version.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998 - 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1998 - 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: print_version.c,v 1.6.2.1 2004/02/12 18:31:33 joda Exp $");
+RCSID("$Id: print_version.c 22428 2008-01-13 09:58:05Z lha $");
 #endif
 #include "roken.h"
 
@@ -50,6 +50,6 @@ print_version(const char *progname)
     if(*package_list == '\0')
 	package_list = "no version information";
     fprintf(stderr, "%s (%s)\n", progname, package_list);
-    fprintf(stderr, "Copyright 1999-2004 Kungliga Tekniska Högskolan\n");
+    fprintf(stderr, "Copyright 1995-2008 Kungliga Tekniska Högskolan\n");
     fprintf(stderr, "Send bug-reports to %s\n", PACKAGE_BUGREPORT);
 }
diff --git a/crypto/heimdal/lib/vers/vers.h b/crypto/heimdal/lib/vers/vers.h
index cc70355..c079103 100644
--- a/crypto/heimdal/lib/vers/vers.h
+++ b/crypto/heimdal/lib/vers/vers.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: vers.h,v 1.1 2000/07/01 19:47:36 assar Exp $ */
+/* $Id: vers.h 8513 2000-07-01 19:47:36Z assar $ */
 
 #ifndef __VERS_H__
 #define __VERS_H__
diff --git a/crypto/heimdal/ltmain.sh b/crypto/heimdal/ltmain.sh
index 47fa4f1..06823e0 100644
--- a/crypto/heimdal/ltmain.sh
+++ b/crypto/heimdal/ltmain.sh
@@ -1,7 +1,7 @@
 # ltmain.sh - Provide generalized library-building support services.
 # NOTE: Changing this file will not affect anything until you rerun configure.
 #
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005
 # Free Software Foundation, Inc.
 # Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
 #
@@ -17,13 +17,41 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 #
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
 # configuration script generated by Autoconf, you may include it under
 # the same distribution terms that you use for the rest of that program.
 
+basename="s,^.*/,,g"
+
+# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh
+# is ksh but when the shell is invoked as "sh" and the current value of
+# the _XPG environment variable is not equal to 1 (one), the special
+# positional parameter $0, within a function call, is the name of the
+# function.
+progpath="$0"
+
+# The name of this program:
+progname=`echo "$progpath" | $SED $basename`
+modename="$progname"
+
+# Global variables:
+EXIT_SUCCESS=0
+EXIT_FAILURE=1
+
+PROGRAM=ltmain.sh
+PACKAGE=libtool
+VERSION=1.5.22
+TIMESTAMP=" (1.1220.2.365 2005/12/18 22:14:06)"
+
+# See if we are running on zsh, and set the options which allow our
+# commands through without removal of \ escapes.
+if test -n "${ZSH_VERSION+set}" ; then
+  setopt NO_GLOB_SUBST
+fi
+
 # Check that we have a working $echo.
 if test "X$1" = X--no-reexec; then
   # Discard the --no-reexec flag, and continue.
@@ -36,7 +64,7 @@ elif test "X`($echo '\t') 2>/dev/null`" = 'X\t'; then
   :
 else
   # Restart under the correct shell, and then maybe $echo will work.
-  exec $SHELL "$0" --no-reexec ${1+"$@"}
+  exec $SHELL "$progpath" --no-reexec ${1+"$@"}
 fi
 
 if test "X$1" = X--fallback-echo; then
@@ -45,19 +73,9 @@ if test "X$1" = X--fallback-echo; then
   cat <<EOF
 $*
 EOF
-  exit 0
+  exit $EXIT_SUCCESS
 fi
 
-# The name of this program.
-progname=`$echo "$0" | ${SED} 's%^.*/%%'`
-modename="$progname"
-
-# Constants.
-PROGRAM=ltmain.sh
-PACKAGE=libtool
-VERSION=1.5.2
-TIMESTAMP=" (1.1220.2.60 2004/01/25 12:25:08)"
-
 default_mode=
 help="Try \`$progname --help' for more information."
 magic="%%%MAGIC variable%%%"
@@ -70,14 +88,15 @@ rm="rm -f"
 Xsed="${SED}"' -e 1s/^X//'
 sed_quote_subst='s/\([\\`\\"$\\\\]\)/\\\1/g'
 # test EBCDIC or ASCII
-case `echo A|tr A '\301'` in
- A) # EBCDIC based system
-  SP2NL="tr '\100' '\n'"
-  NL2SP="tr '\r\n' '\100\100'"
+case `echo X|tr X '\101'` in
+ A) # ASCII based system
+    # \n is not interpreted correctly by Solaris 8 /usr/ucb/tr
+  SP2NL='tr \040 \012'
+  NL2SP='tr \015\012 \040\040'
   ;;
- *) # Assume ASCII based system
-  SP2NL="tr '\040' '\012'"
-  NL2SP="tr '\015\012' '\040\040'"
+ *) # EBCDIC based system
+  SP2NL='tr \100 \n'
+  NL2SP='tr \r\n \100\100'
   ;;
 esac
 
@@ -94,13 +113,14 @@ if test "${LANG+set}" = set; then
 fi
 
 # Make sure IFS has a sensible default
-: ${IFS=" 	
-"}
+lt_nl='
+'
+IFS=" 	$lt_nl"
 
 if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then
   $echo "$modename: not configured to build any kind of library" 1>&2
   $echo "Fatal configuration error.  See the $PACKAGE docs for more information." 1>&2
-  exit 1
+  exit $EXIT_FAILURE
 fi
 
 # Global variables.
@@ -112,6 +132,8 @@ run=
 show="$echo"
 show_help=
 execute_dlfiles=
+duplicate_deps=no
+preserve_args=
 lo2o="s/\\.lo\$/.${objext}/"
 o2lo="s/\\.${objext}\$/.lo/"
 
@@ -119,10 +141,51 @@ o2lo="s/\\.${objext}\$/.lo/"
 # Shell function definitions:
 # This seems to be the best place for them
 
+# func_mktempdir [string]
+# Make a temporary directory that won't clash with other running
+# libtool processes, and avoids race conditions if possible.  If
+# given, STRING is the basename for that directory.
+func_mktempdir ()
+{
+    my_template="${TMPDIR-/tmp}/${1-$progname}"
+
+    if test "$run" = ":"; then
+      # Return a directory name, but don't create it in dry-run mode
+      my_tmpdir="${my_template}-$$"
+    else
+
+      # If mktemp works, use that first and foremost
+      my_tmpdir=`mktemp -d "${my_template}-XXXXXXXX" 2>/dev/null`
+
+      if test ! -d "$my_tmpdir"; then
+	# Failing that, at least try and use $RANDOM to avoid a race
+	my_tmpdir="${my_template}-${RANDOM-0}$$"
+
+	save_mktempdir_umask=`umask`
+	umask 0077
+	$mkdir "$my_tmpdir"
+	umask $save_mktempdir_umask
+      fi
+
+      # If we're not in dry-run mode, bomb out on failure
+      test -d "$my_tmpdir" || {
+        $echo "cannot create temporary directory \`$my_tmpdir'" 1>&2
+	exit $EXIT_FAILURE
+      }
+    fi
+
+    $echo "X$my_tmpdir" | $Xsed
+}
+
+
+# func_win32_libid arg
+# return the library type of file 'arg'
+#
 # Need a lot of goo to handle *both* DLLs and import libs
 # Has to be a shell function in order to 'eat' the argument
 # that is supplied when $file_magic_command is called.
-win32_libid () {
+func_win32_libid ()
+{
   win32_libid_type="unknown"
   win32_fileres=`file -L $1 2>/dev/null`
   case $win32_fileres in
@@ -131,17 +194,16 @@ win32_libid () {
     ;;
   *ar\ archive*) # could be an import, or static
     if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null | \
-      grep -E 'file format pe-i386(.*architecture: i386)?' >/dev/null ; then
+      $EGREP -e 'file format pe-i386(.*architecture: i386)?' >/dev/null ; then
       win32_nmres=`eval $NM -f posix -A $1 | \
-	sed -n -e '1,100{/ I /{x;/import/!{s/^/import/;h;p;};x;};}'`
-      if test "X$win32_nmres" = "Ximport" ; then
-        win32_libid_type="x86 archive import"
-      else
-        win32_libid_type="x86 archive static"
-      fi
+	$SED -n -e '1,100{/ I /{s,.*,import,;p;q;};}'`
+      case $win32_nmres in
+      import*)  win32_libid_type="x86 archive import";;
+      *)        win32_libid_type="x86 archive static";;
+      esac
     fi
     ;;
-  *DLL*) 
+  *DLL*)
     win32_libid_type="x86 DLL"
     ;;
   *executable*) # but shell scripts are "executable" too...
@@ -155,9 +217,181 @@ win32_libid () {
   $echo $win32_libid_type
 }
 
+
+# func_infer_tag arg
+# Infer tagged configuration to use if any are available and
+# if one wasn't chosen via the "--tag" command line option.
+# Only attempt this if the compiler in the base compile
+# command doesn't match the default compiler.
+# arg is usually of the form 'gcc ...'
+func_infer_tag ()
+{
+    if test -n "$available_tags" && test -z "$tagname"; then
+      CC_quoted=
+      for arg in $CC; do
+	case $arg in
+	  *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	  arg="\"$arg\""
+	  ;;
+	esac
+	CC_quoted="$CC_quoted $arg"
+      done
+      case $@ in
+      # Blanks in the command may have been stripped by the calling shell,
+      # but not from the CC environment variable when configure was run.
+      " $CC "* | "$CC "* | " `$echo $CC` "* | "`$echo $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$echo $CC_quoted` "* | "`$echo $CC_quoted` "*) ;;
+      # Blanks at the start of $base_compile will cause this to fail
+      # if we don't check for them as well.
+      *)
+	for z in $available_tags; do
+	  if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $z$" < "$progpath" > /dev/null; then
+	    # Evaluate the configuration.
+	    eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $progpath`"
+	    CC_quoted=
+	    for arg in $CC; do
+	    # Double-quote args containing other shell metacharacters.
+	    case $arg in
+	      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	      arg="\"$arg\""
+	      ;;
+	    esac
+	    CC_quoted="$CC_quoted $arg"
+	  done
+	    case "$@ " in
+	      " $CC "* | "$CC "* | " `$echo $CC` "* | "`$echo $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$echo $CC_quoted` "* | "`$echo $CC_quoted` "*)
+	      # The compiler in the base compile command matches
+	      # the one in the tagged configuration.
+	      # Assume this is the tagged configuration we want.
+	      tagname=$z
+	      break
+	      ;;
+	    esac
+	  fi
+	done
+	# If $tagname still isn't set, then no tagged configuration
+	# was found and let the user know that the "--tag" command
+	# line option must be used.
+	if test -z "$tagname"; then
+	  $echo "$modename: unable to infer tagged configuration"
+	  $echo "$modename: specify a tag with \`--tag'" 1>&2
+	  exit $EXIT_FAILURE
+#        else
+#          $echo "$modename: using $tagname tagged configuration"
+	fi
+	;;
+      esac
+    fi
+}
+
+
+# func_extract_an_archive dir oldlib
+func_extract_an_archive ()
+{
+    f_ex_an_ar_dir="$1"; shift
+    f_ex_an_ar_oldlib="$1"
+
+    $show "(cd $f_ex_an_ar_dir && $AR x $f_ex_an_ar_oldlib)"
+    $run eval "(cd \$f_ex_an_ar_dir && $AR x \$f_ex_an_ar_oldlib)" || exit $?
+    if ($AR t "$f_ex_an_ar_oldlib" | sort | sort -uc >/dev/null 2>&1); then
+     :
+    else
+      $echo "$modename: ERROR: object name conflicts: $f_ex_an_ar_dir/$f_ex_an_ar_oldlib" 1>&2
+      exit $EXIT_FAILURE
+    fi
+}
+
+# func_extract_archives gentop oldlib ...
+func_extract_archives ()
+{
+    my_gentop="$1"; shift
+    my_oldlibs=${1+"$@"}
+    my_oldobjs=""
+    my_xlib=""
+    my_xabs=""
+    my_xdir=""
+    my_status=""
+
+    $show "${rm}r $my_gentop"
+    $run ${rm}r "$my_gentop"
+    $show "$mkdir $my_gentop"
+    $run $mkdir "$my_gentop"
+    my_status=$?
+    if test "$my_status" -ne 0 && test ! -d "$my_gentop"; then
+      exit $my_status
+    fi
+
+    for my_xlib in $my_oldlibs; do
+      # Extract the objects.
+      case $my_xlib in
+	[\\/]* | [A-Za-z]:[\\/]*) my_xabs="$my_xlib" ;;
+	*) my_xabs=`pwd`"/$my_xlib" ;;
+      esac
+      my_xlib=`$echo "X$my_xlib" | $Xsed -e 's%^.*/%%'`
+      my_xdir="$my_gentop/$my_xlib"
+
+      $show "${rm}r $my_xdir"
+      $run ${rm}r "$my_xdir"
+      $show "$mkdir $my_xdir"
+      $run $mkdir "$my_xdir"
+      exit_status=$?
+      if test "$exit_status" -ne 0 && test ! -d "$my_xdir"; then
+	exit $exit_status
+      fi
+      case $host in
+      *-darwin*)
+	$show "Extracting $my_xabs"
+	# Do not bother doing anything if just a dry run
+	if test -z "$run"; then
+	  darwin_orig_dir=`pwd`
+	  cd $my_xdir || exit $?
+	  darwin_archive=$my_xabs
+	  darwin_curdir=`pwd`
+	  darwin_base_archive=`$echo "X$darwin_archive" | $Xsed -e 's%^.*/%%'`
+	  darwin_arches=`lipo -info "$darwin_archive" 2>/dev/null | $EGREP Architectures 2>/dev/null`
+	  if test -n "$darwin_arches"; then 
+	    darwin_arches=`echo "$darwin_arches" | $SED -e 's/.*are://'`
+	    darwin_arch=
+	    $show "$darwin_base_archive has multiple architectures $darwin_arches"
+	    for darwin_arch in  $darwin_arches ; do
+	      mkdir -p "unfat-$$/${darwin_base_archive}-${darwin_arch}"
+	      lipo -thin $darwin_arch -output "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" "${darwin_archive}"
+	      cd "unfat-$$/${darwin_base_archive}-${darwin_arch}"
+	      func_extract_an_archive "`pwd`" "${darwin_base_archive}"
+	      cd "$darwin_curdir"
+	      $rm "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}"
+	    done # $darwin_arches
+      ## Okay now we have a bunch of thin objects, gotta fatten them up :)
+	    darwin_filelist=`find unfat-$$ -type f -name \*.o -print -o -name \*.lo -print| xargs basename | sort -u | $NL2SP`
+	    darwin_file=
+	    darwin_files=
+	    for darwin_file in $darwin_filelist; do
+	      darwin_files=`find unfat-$$ -name $darwin_file -print | $NL2SP`
+	      lipo -create -output "$darwin_file" $darwin_files
+	    done # $darwin_filelist
+	    ${rm}r unfat-$$
+	    cd "$darwin_orig_dir"
+	  else
+	    cd "$darwin_orig_dir"
+ 	    func_extract_an_archive "$my_xdir" "$my_xabs"
+	  fi # $darwin_arches
+	fi # $run
+	;;
+      *)
+        func_extract_an_archive "$my_xdir" "$my_xabs"
+        ;;
+      esac
+      my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP`
+    done
+    func_extract_archives_result="$my_oldobjs"
+}
 # End of Shell function definitions
 #####################################
 
+# Darwin sucks
+eval std_shrext=\"$shrext_cmds\"
+
+disable_libs=no
+
 # Parse our command line options once, thoroughly.
 while test "$#" -gt 0
 do
@@ -183,7 +417,7 @@ do
       case $tagname in
       *[!-_A-Za-z0-9,/]*)
 	$echo "$progname: invalid tag name: $tagname" 1>&2
-	exit 1
+	exit $EXIT_FAILURE
 	;;
       esac
 
@@ -193,10 +427,10 @@ do
 	# not specially marked.
 	;;
       *)
-	if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "$0" > /dev/null; then
+	if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "$progpath" > /dev/null; then
 	  taglist="$taglist $tagname"
 	  # Evaluate the configuration.
-	  eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$tagname'$/,/^# ### END LIBTOOL TAG CONFIG: '$tagname'$/p' < $0`"
+	  eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$tagname'$/,/^# ### END LIBTOOL TAG CONFIG: '$tagname'$/p' < $progpath`"
 	else
 	  $echo "$progname: ignoring unknown tag $tagname" 1>&2
 	fi
@@ -222,19 +456,19 @@ do
   --version)
     $echo "$PROGRAM (GNU $PACKAGE) $VERSION$TIMESTAMP"
     $echo
-    $echo "Copyright (C) 2003  Free Software Foundation, Inc."
+    $echo "Copyright (C) 2005  Free Software Foundation, Inc."
     $echo "This is free software; see the source for copying conditions.  There is NO"
     $echo "warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
-    exit 0
+    exit $?
     ;;
 
   --config)
-    ${SED} -e '1,/^# ### BEGIN LIBTOOL CONFIG/d' -e '/^# ### END LIBTOOL CONFIG/,$d' $0
+    ${SED} -e '1,/^# ### BEGIN LIBTOOL CONFIG/d' -e '/^# ### END LIBTOOL CONFIG/,$d' $progpath
     # Now print the configurations for the tags.
     for tagname in $taglist; do
-      ${SED} -n -e "/^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$/,/^# ### END LIBTOOL TAG CONFIG: $tagname$/p" < "$0"
+      ${SED} -n -e "/^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$/,/^# ### END LIBTOOL TAG CONFIG: $tagname$/p" < "$progpath"
     done
-    exit 0
+    exit $?
     ;;
 
   --debug)
@@ -259,7 +493,7 @@ do
     else
       $echo "disable static libraries"
     fi
-    exit 0
+    exit $?
     ;;
 
   --finish) mode="finish" ;;
@@ -274,7 +508,11 @@ do
     preserve_args="$preserve_args $arg"
     ;;
 
-  --tag) prevopt="--tag" prev=tag ;;
+  --tag)
+    prevopt="--tag"
+    prev=tag
+    preserve_args="$preserve_args --tag"
+    ;;
   --tag=*)
     set tag "$optarg" ${1+"$@"}
     shift
@@ -290,7 +528,7 @@ do
   -*)
     $echo "$modename: unrecognized option \`$arg'" 1>&2
     $echo "$help" 1>&2
-    exit 1
+    exit $EXIT_FAILURE
     ;;
 
   *)
@@ -303,9 +541,21 @@ done
 if test -n "$prevopt"; then
   $echo "$modename: option \`$prevopt' requires an argument" 1>&2
   $echo "$help" 1>&2
-  exit 1
+  exit $EXIT_FAILURE
 fi
 
+case $disable_libs in
+no) 
+  ;;
+shared)
+  build_libtool_libs=no
+  build_old_libs=yes
+  ;;
+static)
+  build_old_libs=`case $build_libtool_libs in yes) echo no;; *) echo yes;; esac`
+  ;;
+esac
+
 # If this variable is set in any of the actions, the command in it
 # will be execed at the end.  This prevents here-documents from being
 # left over by shells.
@@ -316,7 +566,7 @@ if test -z "$show_help"; then
   # Infer the operation mode.
   if test -z "$mode"; then
     $echo "*** Warning: inferring the mode of operation is deprecated." 1>&2
-    $echo "*** Future versions of Libtool will require -mode=MODE be specified." 1>&2
+    $echo "*** Future versions of Libtool will require --mode=MODE be specified." 1>&2
     case $nonopt in
     *cc | cc* | *++ | gcc* | *-gcc* | g++* | xlc*)
       mode=link
@@ -359,7 +609,7 @@ if test -z "$show_help"; then
   if test -n "$execute_dlfiles" && test "$mode" != execute; then
     $echo "$modename: unrecognized option \`-dlopen'" 1>&2
     $echo "$help" 1>&2
-    exit 1
+    exit $EXIT_FAILURE
   fi
 
   # Change the help message to a mode-specific one.
@@ -382,7 +632,7 @@ if test -z "$show_help"; then
 
     for arg
     do
-      case "$arg_mode" in
+      case $arg_mode in
       arg  )
 	# do not "continue".  Instead, add this to base_compile
 	lastarg="$arg"
@@ -401,7 +651,7 @@ if test -z "$show_help"; then
 	-o)
 	  if test -n "$libobj" ; then
 	    $echo "$modename: you cannot specify \`-o' more than once" 1>&2
-	    exit 1
+	    exit $EXIT_FAILURE
 	  fi
 	  arg_mode=target
 	  continue
@@ -426,7 +676,7 @@ if test -z "$show_help"; then
 	  args=`$echo "X$arg" | $Xsed -e "s/^-Wc,//"`
 	  lastarg=
 	  save_ifs="$IFS"; IFS=','
-	  for arg in $args; do
+ 	  for arg in $args; do
 	    IFS="$save_ifs"
 
 	    # Double-quote args containing other shell metacharacters.
@@ -464,7 +714,10 @@ if test -z "$show_help"; then
       case $lastarg in
       # Double-quote args containing other shell metacharacters.
       # Many Bourne shells cannot handle close brackets correctly
-      # in scan sets, so we specify it separately.
+      # in scan sets, and some SunOS ksh mistreat backslash-escaping
+      # in scan sets (worked around with variable expansion),
+      # and furthermore cannot handle '|' '&' '(' ')' in scan sets 
+      # at all, so we specify them separately.
       *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
 	lastarg="\"$lastarg\""
 	;;
@@ -476,11 +729,11 @@ if test -z "$show_help"; then
     case $arg_mode in
     arg)
       $echo "$modename: you must specify an argument for -Xcompile"
-      exit 1
+      exit $EXIT_FAILURE
       ;;
     target)
       $echo "$modename: you must specify a target with \`-o'" 1>&2
-      exit 1
+      exit $EXIT_FAILURE
       ;;
     *)
       # Get the name of the library object.
@@ -513,50 +766,11 @@ if test -z "$show_help"; then
     *.lo) obj=`$echo "X$libobj" | $Xsed -e "$lo2o"` ;;
     *)
       $echo "$modename: cannot determine name of library object from \`$libobj'" 1>&2
-      exit 1
+      exit $EXIT_FAILURE
       ;;
     esac
 
-    # Infer tagged configuration to use if any are available and
-    # if one wasn't chosen via the "--tag" command line option.
-    # Only attempt this if the compiler in the base compile
-    # command doesn't match the default compiler.
-    if test -n "$available_tags" && test -z "$tagname"; then
-      case $base_compile in
-      # Blanks in the command may have been stripped by the calling shell,
-      # but not from the CC environment variable when configure was run.
-      " $CC "* | "$CC "* | " `$echo $CC` "* | "`$echo $CC` "*) ;;
-      # Blanks at the start of $base_compile will cause this to fail
-      # if we don't check for them as well.
-      *)
-	for z in $available_tags; do
-	  if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $z$" < "$0" > /dev/null; then
-	    # Evaluate the configuration.
-	    eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $0`"
-	    case "$base_compile " in
-	    "$CC "* | " $CC "* | "`$echo $CC` "* | " `$echo $CC` "*)
-	      # The compiler in the base compile command matches
-	      # the one in the tagged configuration.
-	      # Assume this is the tagged configuration we want.
-	      tagname=$z
-	      break
-	      ;;
-	    esac
-	  fi
-	done
-	# If $tagname still isn't set, then no tagged configuration
-	# was found and let the user know that the "--tag" command
-	# line option must be used.
-	if test -z "$tagname"; then
-	  $echo "$modename: unable to infer tagged configuration"
-	  $echo "$modename: specify a tag with \`--tag'" 1>&2
-	  exit 1
-#        else
-#          $echo "$modename: using $tagname tagged configuration"
-	fi
-	;;
-      esac
-    fi
+    func_infer_tag $base_compile
 
     for arg in $later; do
       case $arg in
@@ -577,6 +791,14 @@ if test -z "$show_help"; then
       esac
     done
 
+    qlibobj=`$echo "X$libobj" | $Xsed -e "$sed_quote_subst"`
+    case $qlibobj in
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	qlibobj="\"$qlibobj\"" ;;
+    esac
+    test "X$libobj" != "X$qlibobj" \
+	&& $echo "X$libobj" | grep '[]~#^*{};<>?"'"'"' 	&()|`$[]' \
+	&& $echo "$modename: libobj name \`$libobj' may not contain shell special characters."
     objname=`$echo "X$obj" | $Xsed -e 's%^.*/%%'`
     xdir=`$echo "X$obj" | $Xsed -e 's%/[^/]*$%%'`
     if test "X$xdir" = "X$obj"; then
@@ -589,7 +811,7 @@ if test -z "$show_help"; then
     if test -z "$base_compile"; then
       $echo "$modename: you must specify a compilation command" 1>&2
       $echo "$help" 1>&2
-      exit 1
+      exit $EXIT_FAILURE
     fi
 
     # Delete any leftover library objects.
@@ -600,7 +822,7 @@ if test -z "$show_help"; then
     fi
 
     $run $rm $removelist
-    trap "$run $rm $removelist; exit 1" 1 2 15
+    trap "$run $rm $removelist; exit $EXIT_FAILURE" 1 2 15
 
     # On Cygwin there's no "real" PIC flag so we must build both object types
     case $host_os in
@@ -619,7 +841,7 @@ if test -z "$show_help"; then
       output_obj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%' -e 's%\.[^.]*$%%'`.${objext}
       lockfile="$output_obj.lock"
       removelist="$removelist $output_obj $lockfile"
-      trap "$run $rm $removelist; exit 1" 1 2 15
+      trap "$run $rm $removelist; exit $EXIT_FAILURE" 1 2 15
     else
       output_obj=
       need_locks=no
@@ -629,7 +851,7 @@ if test -z "$show_help"; then
     # Lock this critical section if it is needed
     # We use this script file to make the link, it avoids creating a new file
     if test "$need_locks" = yes; then
-      until $run ln "$0" "$lockfile" 2>/dev/null; do
+      until $run ln "$progpath" "$lockfile" 2>/dev/null; do
 	$show "Waiting for $lockfile to be removed"
 	sleep 2
       done
@@ -647,14 +869,19 @@ avoid parallel builds (make -j) in this platform, or get a better
 compiler."
 
 	$run $rm $removelist
-	exit 1
+	exit $EXIT_FAILURE
       fi
-      $echo $srcfile > "$lockfile"
+      $echo "$srcfile" > "$lockfile"
     fi
 
     if test -n "$fix_srcfile_path"; then
       eval srcfile=\"$fix_srcfile_path\"
     fi
+    qsrcfile=`$echo "X$srcfile" | $Xsed -e "$sed_quote_subst"`
+    case $qsrcfile in
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+      qsrcfile="\"$qsrcfile\"" ;;
+    esac
 
     $run $rm "$libobj" "${libobj}T"
 
@@ -676,18 +903,18 @@ EOF
       fbsd_hideous_sh_bug=$base_compile
 
       if test "$pic_mode" != no; then
-	command="$base_compile $srcfile $pic_flag"
+	command="$base_compile $qsrcfile $pic_flag"
       else
 	# Don't build PIC code
-	command="$base_compile $srcfile"
+	command="$base_compile $qsrcfile"
       fi
 
       if test ! -d "${xdir}$objdir"; then
 	$show "$mkdir ${xdir}$objdir"
 	$run $mkdir ${xdir}$objdir
-	status=$?
-	if test "$status" -ne 0 && test ! -d "${xdir}$objdir"; then
-	  exit $status
+	exit_status=$?
+	if test "$exit_status" -ne 0 && test ! -d "${xdir}$objdir"; then
+	  exit $exit_status
 	fi
       fi
 
@@ -702,7 +929,7 @@ EOF
       if $run eval "$command"; then :
       else
 	test -n "$output_obj" && $run $rm $removelist
-	exit 1
+	exit $EXIT_FAILURE
       fi
 
       if test "$need_locks" = warn &&
@@ -722,7 +949,7 @@ avoid parallel builds (make -j) in this platform, or get a better
 compiler."
 
 	$run $rm $removelist
-	exit 1
+	exit $EXIT_FAILURE
       fi
 
       # Just move the object if needed, then go on to compile the next one
@@ -759,9 +986,9 @@ EOF
     if test "$build_old_libs" = yes; then
       if test "$pic_mode" != yes; then
 	# Don't build PIC code
-	command="$base_compile $srcfile"
+	command="$base_compile $qsrcfile"
       else
-	command="$base_compile $srcfile $pic_flag"
+	command="$base_compile $qsrcfile $pic_flag"
       fi
       if test "$compiler_c_o" = yes; then
 	command="$command -o $obj"
@@ -774,7 +1001,7 @@ EOF
       if $run eval "$command"; then :
       else
 	$run $rm $removelist
-	exit 1
+	exit $EXIT_FAILURE
       fi
 
       if test "$need_locks" = warn &&
@@ -794,7 +1021,7 @@ avoid parallel builds (make -j) in this platform, or get a better
 compiler."
 
 	$run $rm $removelist
-	exit 1
+	exit $EXIT_FAILURE
       fi
 
       # Just move the object if needed
@@ -832,7 +1059,7 @@ EOF
       $run $rm "$lockfile"
     fi
 
-    exit 0
+    exit $EXIT_SUCCESS
     ;;
 
   # libtool link mode
@@ -890,6 +1117,7 @@ EOF
     no_install=no
     objs=
     non_pic_objects=
+    notinst_path= # paths that contain not-installed libtool libraries
     precious_files_regex=
     prefer_static_libs=no
     preload=no
@@ -904,46 +1132,7 @@ EOF
     vinfo=
     vinfo_number=no
 
-    # Infer tagged configuration to use if any are available and
-    # if one wasn't chosen via the "--tag" command line option.
-    # Only attempt this if the compiler in the base link
-    # command doesn't match the default compiler.
-    if test -n "$available_tags" && test -z "$tagname"; then
-      case $base_compile in
-      # Blanks in the command may have been stripped by the calling shell,
-      # but not from the CC environment variable when configure was run.
-      "$CC "* | " $CC "* | "`$echo $CC` "* | " `$echo $CC` "*) ;;
-      # Blanks at the start of $base_compile will cause this to fail
-      # if we don't check for them as well.
-      *)
-	for z in $available_tags; do
-	  if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $z$" < "$0" > /dev/null; then
-	    # Evaluate the configuration.
-	    eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $0`"
-	    case $base_compile in
-	    "$CC "* | " $CC "* | "`$echo $CC` "* | " `$echo $CC` "*)
-	      # The compiler in $compile_command matches
-	      # the one in the tagged configuration.
-	      # Assume this is the tagged configuration we want.
-	      tagname=$z
-	      break
-	      ;;
-	    esac
-	  fi
-	done
-	# If $tagname still isn't set, then no tagged configuration
-	# was found and let the user know that the "--tag" command
-	# line option must be used.
-	if test -z "$tagname"; then
-	  $echo "$modename: unable to infer tagged configuration"
-	  $echo "$modename: specify a tag with \`--tag'" 1>&2
-	  exit 1
-#       else
-#         $echo "$modename: using $tagname tagged configuration"
-	fi
-	;;
-      esac
-    fi
+    func_infer_tag $base_compile
 
     # We need to know -static, to get the right output filenames.
     for arg
@@ -957,14 +1146,15 @@ EOF
 	  if test -n "$link_static_flag"; then
 	    dlopen_self=$dlopen_self_static
 	  fi
+	  prefer_static_libs=yes
 	else
 	  if test -z "$pic_flag" && test -n "$link_static_flag"; then
 	    dlopen_self=$dlopen_self_static
 	  fi
+	  prefer_static_libs=built
 	fi
 	build_libtool_libs=no
 	build_old_libs=yes
-	prefer_static_libs=yes
 	break
 	;;
       esac
@@ -1039,7 +1229,7 @@ EOF
 	  export_symbols="$arg"
 	  if test ! -f "$arg"; then
 	    $echo "$modename: symbol file \`$arg' does not exist"
-	    exit 1
+	    exit $EXIT_FAILURE
 	  fi
 	  prev=
 	  continue
@@ -1091,7 +1281,7 @@ EOF
 		   test "$pic_object" = none && \
 		   test "$non_pic_object" = none; then
 		  $echo "$modename: cannot find name of object for \`$arg'" 1>&2
-		  exit 1
+		  exit $EXIT_FAILURE
 		fi
 
 		# Extract subdirectory from the argument.
@@ -1139,12 +1329,17 @@ EOF
 		  if test -z "$pic_object" || test "$pic_object" = none ; then
 		    arg="$non_pic_object"
 		  fi
+		else
+		  # If the PIC object exists, use it instead.
+		  # $xdir was prepended to $pic_object above.
+		  non_pic_object="$pic_object"
+		  non_pic_objects="$non_pic_objects $non_pic_object"
 		fi
 	      else
 		# Only an error if not doing a dry-run.
 		if test -z "$run"; then
 		  $echo "$modename: \`$arg' is not a valid libtool object" 1>&2
-		  exit 1
+		  exit $EXIT_FAILURE
 		else
 		  # Dry-run case.
 
@@ -1165,7 +1360,7 @@ EOF
 	    done
 	  else
 	    $echo "$modename: link input file \`$save_arg' does not exist"
-	    exit 1
+	    exit $EXIT_FAILURE
 	  fi
 	  arg=$save_arg
 	  prev=
@@ -1177,7 +1372,7 @@ EOF
 	  [\\/]* | [A-Za-z]:[\\/]*) ;;
 	  *)
 	    $echo "$modename: only absolute run-paths are allowed" 1>&2
-	    exit 1
+	    exit $EXIT_FAILURE
 	    ;;
 	  esac
 	  if test "$prev" = rpath; then
@@ -1217,6 +1412,18 @@ EOF
 	  finalize_command="$finalize_command $qarg"
 	  continue
 	  ;;
+	shrext)
+  	  shrext_cmds="$arg"
+	  prev=
+	  continue
+	  ;;
+	darwin_framework|darwin_framework_skip)
+	  test "$prev" = "darwin_framework" && compiler_flags="$compiler_flags $arg"
+	  compile_command="$compile_command $arg"
+	  finalize_command="$finalize_command $arg"
+	  prev=
+	  continue
+	  ;;
 	*)
 	  eval "$prev=\"\$arg\""
 	  prev=
@@ -1265,7 +1472,7 @@ EOF
       -export-symbols | -export-symbols-regex)
 	if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
 	  $echo "$modename: more than one -exported-symbols argument is not allowed"
-	  exit 1
+	  exit $EXIT_FAILURE
 	fi
 	if test "X$arg" = "X-export-symbols"; then
 	  prev=expsyms
@@ -1275,6 +1482,18 @@ EOF
 	continue
 	;;
 
+      -framework|-arch|-isysroot)
+	case " $CC " in
+	  *" ${arg} ${1} "* | *" ${arg}	${1} "*) 
+		prev=darwin_framework_skip ;;
+	  *) compiler_flags="$compiler_flags $arg"
+	     prev=darwin_framework ;;
+	esac
+	compile_command="$compile_command $arg"
+	finalize_command="$finalize_command $arg"
+	continue
+	;;
+
       -inst-prefix-dir)
 	prev=inst_prefix
 	continue
@@ -1301,7 +1520,8 @@ EOF
 	  absdir=`cd "$dir" && pwd`
 	  if test -z "$absdir"; then
 	    $echo "$modename: cannot determine absolute directory name of \`$dir'" 1>&2
-	    exit 1
+	    absdir="$dir"
+	    notinst_path="$notinst_path $dir"
 	  fi
 	  dir="$absdir"
 	  ;;
@@ -1315,10 +1535,15 @@ EOF
 	esac
 	case $host in
 	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+	  testbindir=`$echo "X$dir" | $Xsed -e 's*/lib$*/bin*'`
 	  case :$dllsearchpath: in
 	  *":$dir:"*) ;;
 	  *) dllsearchpath="$dllsearchpath:$dir";;
 	  esac
+	  case :$dllsearchpath: in
+	  *":$testbindir:"*) ;;
+	  *) dllsearchpath="$dllsearchpath:$testbindir";;
+	  esac
 	  ;;
 	esac
 	continue
@@ -1327,15 +1552,15 @@ EOF
       -l*)
 	if test "X$arg" = "X-lc" || test "X$arg" = "X-lm"; then
 	  case $host in
-	  *-*-cygwin* | *-*-pw32* | *-*-beos*)
+	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos*)
 	    # These systems don't actually have a C or math library (as such)
 	    continue
 	    ;;
-	  *-*-mingw* | *-*-os2*)
+	  *-*-os2*)
 	    # These systems don't actually have a C library (as such)
 	    test "X$arg" = "X-lc" && continue
 	    ;;
-	  *-*-openbsd* | *-*-freebsd*)
+	  *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
 	    # Do not include libc due to us having libc/libc_r.
 	    test "X$arg" = "X-lc" && continue
 	    ;;
@@ -1343,10 +1568,19 @@ EOF
 	    # Rhapsody C and math libraries are in the System framework
 	    deplibs="$deplibs -framework System"
 	    continue
+	    ;;
+	  *-*-sco3.2v5* | *-*-sco5v6*)
+	    # Causes problems with __ctype
+	    test "X$arg" = "X-lc" && continue
+	    ;;
+	  *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*)
+	    # Compiler inserts libc in the correct place for threads to work
+	    test "X$arg" = "X-lc" && continue
+	    ;;
 	  esac
 	elif test "X$arg" = "X-lc_r"; then
 	 case $host in
-	 *-*-openbsd* | *-*-freebsd*)
+	 *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
 	   # Do not include libc_r directly, use -pthread flag.
 	   continue
 	   ;;
@@ -1356,8 +1590,20 @@ EOF
 	continue
 	;;
 
+      # Tru64 UNIX uses -model [arg] to determine the layout of C++
+      # classes, name mangling, and exception handling.
+      -model)
+	compile_command="$compile_command $arg"
+	compiler_flags="$compiler_flags $arg"
+	finalize_command="$finalize_command $arg"
+	prev=xcompiler
+	continue
+	;;
+
      -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe)
-	deplibs="$deplibs $arg"
+	compiler_flags="$compiler_flags $arg"
+	compile_command="$compile_command $arg"
+	finalize_command="$finalize_command $arg"
 	continue
 	;;
 
@@ -1366,13 +1612,19 @@ EOF
 	continue
 	;;
 
-      # gcc -m* arguments should be passed to the linker via $compiler_flags
-      # in order to pass architecture information to the linker
-      # (e.g. 32 vs 64-bit).  This may also be accomplished via -Wl,-mfoo
-      # but this is not reliable with gcc because gcc may use -mfoo to
-      # select a different linker, different libraries, etc, while
-      # -Wl,-mfoo simply passes -mfoo to the linker.
-      -m*)
+      # -64, -mips[0-9] enable 64-bit mode on the SGI compiler
+      # -r[0-9][0-9]* specifies the processor on the SGI compiler
+      # -xarch=*, -xtarget=* enable 64-bit mode on the Sun compiler
+      # +DA*, +DD* enable 64-bit mode on the HP compiler
+      # -q* pass through compiler args for the IBM compiler
+      # -m* pass through architecture-specific compiler args for GCC
+      # -m*, -t[45]*, -txscale* pass through architecture-specific
+      # compiler args for GCC
+      # -pg pass through profiling flag for GCC
+      # @file GCC response files
+      -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*|-pg| \
+      -t[45]*|-txscale*|@*)
+
 	# Unknown arguments in both finalize_command and compile_command need
 	# to be aesthetically quoted because they are evaled later.
 	arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
@@ -1383,9 +1635,7 @@ EOF
 	esac
         compile_command="$compile_command $arg"
         finalize_command="$finalize_command $arg"
-        if test "$with_gcc" = "yes" ; then
-          compiler_flags="$compiler_flags $arg"
-        fi
+        compiler_flags="$compiler_flags $arg"
         continue
         ;;
 
@@ -1452,7 +1702,7 @@ EOF
 	[\\/]* | [A-Za-z]:[\\/]*) ;;
 	*)
 	  $echo "$modename: only absolute run-paths are allowed" 1>&2
-	  exit 1
+	  exit $EXIT_FAILURE
 	  ;;
 	esac
 	case "$xrpath " in
@@ -1575,7 +1825,7 @@ EOF
 	     test "$pic_object" = none && \
 	     test "$non_pic_object" = none; then
 	    $echo "$modename: cannot find name of object for \`$arg'" 1>&2
-	    exit 1
+	    exit $EXIT_FAILURE
 	  fi
 
 	  # Extract subdirectory from the argument.
@@ -1623,12 +1873,17 @@ EOF
 	    if test -z "$pic_object" || test "$pic_object" = none ; then
 	      arg="$non_pic_object"
 	    fi
+	  else
+	    # If the PIC object exists, use it instead.
+	    # $xdir was prepended to $pic_object above.
+	    non_pic_object="$pic_object"
+	    non_pic_objects="$non_pic_objects $non_pic_object"
 	  fi
 	else
 	  # Only an error if not doing a dry-run.
 	  if test -z "$run"; then
 	    $echo "$modename: \`$arg' is not a valid libtool object" 1>&2
-	    exit 1
+	    exit $EXIT_FAILURE
 	  else
 	    # Dry-run case.
 
@@ -1695,7 +1950,7 @@ EOF
     if test -n "$prev"; then
       $echo "$modename: the \`$prevarg' option requires an argument" 1>&2
       $echo "$help" 1>&2
-      exit 1
+      exit $EXIT_FAILURE
     fi
 
     if test "$export_dynamic" = yes && test -n "$export_dynamic_flag_spec"; then
@@ -1728,9 +1983,9 @@ EOF
     if test ! -d "$output_objdir"; then
       $show "$mkdir $output_objdir"
       $run $mkdir $output_objdir
-      status=$?
-      if test "$status" -ne 0 && test ! -d "$output_objdir"; then
-	exit $status
+      exit_status=$?
+      if test "$exit_status" -ne 0 && test ! -d "$output_objdir"; then
+	exit $exit_status
       fi
     fi
 
@@ -1739,7 +1994,7 @@ EOF
     "")
       $echo "$modename: you must specify an output file" 1>&2
       $echo "$help" 1>&2
-      exit 1
+      exit $EXIT_FAILURE
       ;;
     *.$libext) linkmode=oldlib ;;
     *.lo | *.$objext) linkmode=obj ;;
@@ -1749,7 +2004,7 @@ EOF
 
     case $host in
     *cygwin* | *mingw* | *pw32*)
-      # don't eliminate duplcations in $postdeps and $predeps
+      # don't eliminate duplications in $postdeps and $predeps
       duplicate_compiler_generated_deps=yes
       ;;
     *)
@@ -1793,7 +2048,6 @@ EOF
     newlib_search_path=
     need_relink=no # whether we're linking any uninstalled libtool libraries
     notinst_deplibs= # not-installed libtool libraries
-    notinst_path= # paths that contain not-installed libtool libraries
     case $linkmode in
     lib)
 	passes="conv link"
@@ -1802,7 +2056,7 @@ EOF
 	  *.la) ;;
 	  *)
 	    $echo "$modename: libraries can \`-dlopen' only libtool libraries: $file" 1>&2
-	    exit 1
+	    exit $EXIT_FAILURE
 	    ;;
 	  esac
 	done
@@ -1845,7 +2099,7 @@ EOF
 	    compile_deplibs="$deplib $compile_deplibs"
 	    finalize_deplibs="$deplib $finalize_deplibs"
 	  else
-	    deplibs="$deplib $deplibs"
+	    compiler_flags="$compiler_flags $deplib"
 	  fi
 	  continue
 	  ;;
@@ -1854,13 +2108,9 @@ EOF
 	    $echo "$modename: warning: \`-l' is ignored for archives/objects" 1>&2
 	    continue
 	  fi
-	  if test "$pass" = conv; then
-	    deplibs="$deplib $deplibs"
-	    continue
-	  fi
 	  name=`$echo "X$deplib" | $Xsed -e 's/^-l//'`
 	  for searchdir in $newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path; do
-	    for search_ext in .la $shrext .so .a; do
+	    for search_ext in .la $std_shrext .so .a; do
 	      # Search the libtool library
 	      lib="$searchdir/lib${name}${search_ext}"
 	      if test -f "$lib"; then
@@ -1936,11 +2186,11 @@ EOF
 	    fi
 	    if test "$pass" = scan; then
 	      deplibs="$deplib $deplibs"
-	      newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`
 	    else
 	      compile_deplibs="$deplib $compile_deplibs"
 	      finalize_deplibs="$deplib $finalize_deplibs"
 	    fi
+	    newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`
 	    ;;
 	  *)
 	    $echo "$modename: warning: \`-L' is ignored for archives/objects" 1>&2
@@ -1968,7 +2218,22 @@ EOF
 	  fi
 	  case $linkmode in
 	  lib)
-	    if test "$deplibs_check_method" != pass_all; then
+	    valid_a_lib=no
+	    case $deplibs_check_method in
+	      match_pattern*)
+		set dummy $deplibs_check_method
+	        match_pattern_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
+		if eval $echo \"$deplib\" 2>/dev/null \
+		    | $SED 10q \
+		    | $EGREP "$match_pattern_regex" > /dev/null; then
+		  valid_a_lib=yes
+		fi
+		;;
+	      pass_all)
+		valid_a_lib=yes
+		;;
+            esac
+	    if test "$valid_a_lib" != yes; then
 	      $echo
 	      $echo "*** Warning: Trying to link with static lib archive $deplib."
 	      $echo "*** I have the capability to make that library automatically link in when"
@@ -2018,15 +2283,15 @@ EOF
 	esac # case $deplib
 	if test "$found" = yes || test -f "$lib"; then :
 	else
-	  $echo "$modename: cannot find the library \`$lib'" 1>&2
-	  exit 1
+	  $echo "$modename: cannot find the library \`$lib' or unhandled argument \`$deplib'" 1>&2
+	  exit $EXIT_FAILURE
 	fi
 
 	# Check to see that this really is a libtool archive.
 	if (${SED} -e '2q' $lib | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
 	else
 	  $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
-	  exit 1
+	  exit $EXIT_FAILURE
 	fi
 
 	ladir=`$echo "X$lib" | $Xsed -e 's%/[^/]*$%%'`
@@ -2042,6 +2307,8 @@ EOF
 	# it will not redefine variables installed, or shouldnotlink
 	installed=yes
 	shouldnotlink=no
+	avoidtemprpath=
+
 
 	# Read the .la file
 	case $lib in
@@ -2062,7 +2329,7 @@ EOF
 	  if test -z "$libdir"; then
 	    if test -z "$old_library"; then
 	      $echo "$modename: cannot find name of link library for \`$lib'" 1>&2
-	      exit 1
+	      exit $EXIT_FAILURE
 	    fi
 	    # It is a libtool convenience library, so add in its objects.
 	    convenience="$convenience $ladir/$objdir/$old_library"
@@ -2079,12 +2346,12 @@ EOF
 	    done
 	  elif test "$linkmode" != prog && test "$linkmode" != lib; then
 	    $echo "$modename: \`$lib' is not a convenience library" 1>&2
-	    exit 1
+	    exit $EXIT_FAILURE
 	  fi
 	  continue
 	fi # $pass = conv
 
-    
+
 	# Get the name of the library we link against.
 	linklib=
 	for l in $old_library $library_names; do
@@ -2092,16 +2359,18 @@ EOF
 	done
 	if test -z "$linklib"; then
 	  $echo "$modename: cannot find name of link library for \`$lib'" 1>&2
-	  exit 1
+	  exit $EXIT_FAILURE
 	fi
 
 	# This library was specified with -dlopen.
 	if test "$pass" = dlopen; then
 	  if test -z "$libdir"; then
 	    $echo "$modename: cannot -dlopen a convenience library: \`$lib'" 1>&2
-	    exit 1
+	    exit $EXIT_FAILURE
 	  fi
-	  if test -z "$dlname" || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then
+	  if test -z "$dlname" ||
+	     test "$dlopen_support" != yes ||
+	     test "$build_libtool_libs" = no; then
 	    # If there is no dlname, no dlopen support or we're linking
 	    # statically, we need to preload.  We also need to preload any
 	    # dependent libraries so libltdl's deplib preloader doesn't
@@ -2138,11 +2407,19 @@ EOF
 	    dir="$libdir"
 	    absdir="$libdir"
 	  fi
+	  test "X$hardcode_automatic" = Xyes && avoidtemprpath=yes
 	else
-	  dir="$ladir/$objdir"
-	  absdir="$abs_ladir/$objdir"
-	  # Remove this search path later
-	  notinst_path="$notinst_path $abs_ladir"
+	  if test ! -f "$ladir/$objdir/$linklib" && test -f "$abs_ladir/$linklib"; then
+	    dir="$ladir"
+	    absdir="$abs_ladir"
+	    # Remove this search path later
+	    notinst_path="$notinst_path $abs_ladir"
+	  else
+	    dir="$ladir/$objdir"
+	    absdir="$abs_ladir/$objdir"
+	    # Remove this search path later
+	    notinst_path="$notinst_path $abs_ladir"
+	  fi
 	fi # $installed = yes
 	name=`$echo "X$laname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
 
@@ -2150,7 +2427,7 @@ EOF
 	if test "$pass" = dlpreopen; then
 	  if test -z "$libdir"; then
 	    $echo "$modename: cannot -dlpreopen a convenience library: \`$lib'" 1>&2
-	    exit 1
+	    exit $EXIT_FAILURE
 	  fi
 	  # Prefer using a static library (so that no silly _DYNAMIC symbols
 	  # are required to link).
@@ -2177,7 +2454,7 @@ EOF
 	  continue
 	fi
 
-    
+
 	if test "$linkmode" = prog && test "$pass" != link; then
 	  newlib_search_path="$newlib_search_path $ladir"
 	  deplibs="$lib $deplibs"
@@ -2215,12 +2492,12 @@ EOF
 	  if test -n "$library_names" &&
 	     { test "$prefer_static_libs" = no || test -z "$old_library"; }; then
 	    # We need to hardcode the library path
-	    if test -n "$shlibpath_var"; then
+	    if test -n "$shlibpath_var" && test -z "$avoidtemprpath" ; then
 	      # Make sure the rpath contains only unique directories.
 	      case "$temp_rpath " in
 	      *" $dir "*) ;;
 	      *" $absdir "*) ;;
-	      *) temp_rpath="$temp_rpath $dir" ;;
+	      *) temp_rpath="$temp_rpath $absdir" ;;
 	      esac
 	    fi
 
@@ -2257,24 +2534,29 @@ EOF
 	fi
 
 	link_static=no # Whether the deplib will be linked statically
+	use_static_libs=$prefer_static_libs
+	if test "$use_static_libs" = built && test "$installed" = yes ; then
+	  use_static_libs=no
+	fi
 	if test -n "$library_names" &&
-	   { test "$prefer_static_libs" = no || test -z "$old_library"; }; then
+	   { test "$use_static_libs" = no || test -z "$old_library"; }; then
 	  if test "$installed" = no; then
 	    notinst_deplibs="$notinst_deplibs $lib"
 	    need_relink=yes
 	  fi
 	  # This is a shared library
-	
-      # Warn about portability, can't link against -module's on some systems (darwin)
-      if test "$shouldnotlink" = yes && test "$pass" = link ; then
+
+	  # Warn about portability, can't link against -module's on
+	  # some systems (darwin)
+	  if test "$shouldnotlink" = yes && test "$pass" = link ; then
 	    $echo
 	    if test "$linkmode" = prog; then
 	      $echo "*** Warning: Linking the executable $output against the loadable module"
 	    else
 	      $echo "*** Warning: Linking the shared library $output against the loadable module"
 	    fi
-	    $echo "*** $linklib is not portable!"    
-      fi	  
+	    $echo "*** $linklib is not portable!"
+	  fi
 	  if test "$linkmode" = lib &&
 	     test "$hardcode_into_libs" = yes; then
 	    # Hardcode the library path.
@@ -2370,11 +2652,15 @@ EOF
 	      if test "$hardcode_direct" = no; then
 		add="$dir/$linklib"
 		case $host in
-		  *-*-sco3.2v5* ) add_dir="-L$dir" ;;
+		  *-*-sco3.2v5.0.[024]*) add_dir="-L$dir" ;;
+		  *-*-sysv4*uw2*) add_dir="-L$dir" ;;
+		  *-*-sysv5OpenUNIX* | *-*-sysv5UnixWare7.[01].[10]* | \
+		    *-*-unixware7*) add_dir="-L$dir" ;;
 		  *-*-darwin* )
-		    # if the lib is a module then we can not link against it, someone
-		    # is ignoring the new warnings I added
-		    if /usr/bin/file -L $add 2> /dev/null | grep "bundle" >/dev/null ; then
+		    # if the lib is a module then we can not link against
+		    # it, someone is ignoring the new warnings I added
+		    if /usr/bin/file -L $add 2> /dev/null |
+                      $EGREP ": [^:]* bundle" >/dev/null ; then
 		      $echo "** Warning, lib $linklib is a module, not a shared library"
 		      if test -z "$old_library" ; then
 		        $echo
@@ -2382,7 +2668,7 @@ EOF
 		        $echo "** The link will probably fail, sorry"
 		      else
 		        add="$dir/$old_library"
-		      fi 
+		      fi
 		    fi
 		esac
 	      elif test "$hardcode_minus_L" = no; then
@@ -2405,7 +2691,7 @@ EOF
 		add_dir="-L$dir"
 		# Try looking first in the location we're being installed to.
 		if test -n "$inst_prefix_dir"; then
-		  case "$libdir" in
+		  case $libdir in
 		    [\\/]*)
 		      add_dir="$add_dir -L$inst_prefix_dir$libdir"
 		      ;;
@@ -2424,7 +2710,7 @@ EOF
 
 	    if test "$lib_linked" != yes; then
 	      $echo "$modename: configuration error: unsupported hardcode properties"
-	      exit 1
+	      exit $EXIT_FAILURE
 	    fi
 
 	    if test -n "$add_shlibpath"; then
@@ -2467,7 +2753,8 @@ EOF
 	      esac
 	      add="-l$name"
 	    elif test "$hardcode_automatic" = yes; then
-	      if test -n "$inst_prefix_dir" && test -f "$inst_prefix_dir$libdir/$linklib" ; then
+	      if test -n "$inst_prefix_dir" &&
+		 test -f "$inst_prefix_dir$libdir/$linklib" ; then
 	        add="$inst_prefix_dir$libdir/$linklib"
 	      else
 	        add="$libdir/$linklib"
@@ -2477,7 +2764,7 @@ EOF
 	      add_dir="-L$libdir"
 	      # Try looking first in the location we're being installed to.
 	      if test -n "$inst_prefix_dir"; then
-		case "$libdir" in
+		case $libdir in
 		  [\\/]*)
 		    add_dir="$add_dir -L$inst_prefix_dir$libdir"
 		    ;;
@@ -2538,8 +2825,6 @@ EOF
 	      fi
 	    fi
 	  else
-	    convenience="$convenience $dir/$old_library"
-	    old_convenience="$old_convenience $dir/$old_library"
 	    deplibs="$dir/$old_library $deplibs"
 	    link_static=yes
 	  fi
@@ -2547,7 +2832,8 @@ EOF
 
 	if test "$linkmode" = lib; then
 	  if test -n "$dependency_libs" &&
-	     { test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes ||
+	     { test "$hardcode_into_libs" != yes ||
+	       test "$build_old_libs" = yes ||
 	       test "$link_static" = yes; }; then
 	    # Extract -R from dependency_libs
 	    temp_deplibs=
@@ -2604,7 +2890,7 @@ EOF
 		  eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
 		  if test -z "$libdir"; then
 		    $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2
-		    exit 1
+		    exit $EXIT_FAILURE
 		  fi
 		  if test "$absdir" != "$libdir"; then
 		    $echo "$modename: warning: \`$deplib' seems to be moved" 1>&2
@@ -2614,7 +2900,8 @@ EOF
 		depdepl=
 		case $host in
 		*-*-darwin*)
-		  # we do not want to link against static libs, but need to link against shared
+		  # we do not want to link against static libs,
+		  # but need to link against shared
 		  eval deplibrary_names=`${SED} -n -e 's/^library_names=\(.*\)$/\1/p' $deplib`
 		  if test -n "$deplibrary_names" ; then
 		    for tmp in $deplibrary_names ; do
@@ -2622,7 +2909,7 @@ EOF
 		    done
 		    if test -f "$path/$depdepl" ; then
 		      depdepl="$path/$depdepl"
-		   fi
+		    fi
 		    # do not add paths which are already there
 		    case " $newlib_search_path " in
 		    *" $path "*) ;;
@@ -2632,36 +2919,35 @@ EOF
 		  path=""
 		  ;;
 		*)
-		path="-L$path"
-		;;
-		esac 
-		
+		  path="-L$path"
+		  ;;
+		esac
 		;;
-		  -l*)
+	      -l*)
 		case $host in
 		*-*-darwin*)
-		 # Again, we only want to link against shared libraries
-		 eval tmp_libs=`$echo "X$deplib" | $Xsed -e "s,^\-l,,"`
-		 for tmp in $newlib_search_path ; do
-		     if test -f "$tmp/lib$tmp_libs.dylib" ; then
-		       eval depdepl="$tmp/lib$tmp_libs.dylib"
-		       break
-		     fi  
-         done
-         path=""
+		  # Again, we only want to link against shared libraries
+		  eval tmp_libs=`$echo "X$deplib" | $Xsed -e "s,^\-l,,"`
+		  for tmp in $newlib_search_path ; do
+		    if test -f "$tmp/lib$tmp_libs.dylib" ; then
+		      eval depdepl="$tmp/lib$tmp_libs.dylib"
+		      break
+		    fi
+		  done
+		  path=""
 		  ;;
 		*) continue ;;
-		esac  		  
+		esac
 		;;
 	      *) continue ;;
 	      esac
 	      case " $deplibs " in
-	      *" $depdepl "*) ;;
-	      *) deplibs="$deplibs $depdepl" ;;
-	      esac	      
-	      case " $deplibs " in
 	      *" $path "*) ;;
-	      *) deplibs="$deplibs $path" ;;
+	      *) deplibs="$path $deplibs" ;;
+	      esac
+	      case " $deplibs " in
+	      *" $depdepl "*) ;;
+	      *) deplibs="$depdepl $deplibs" ;;
 	      esac
 	    done
 	  fi # link_all_deplibs != no
@@ -2748,7 +3034,8 @@ EOF
 	  eval $var=\"$tmp_libs\"
 	done # for var
       fi
-      # Last step: remove runtime libs from dependency_libs (they stay in deplibs)
+      # Last step: remove runtime libs from dependency_libs
+      # (they stay in deplibs)
       tmp_libs=
       for i in $dependency_libs ; do
 	case " $predeps $postdeps $compiler_lib_search_path " in
@@ -2808,19 +3095,19 @@ EOF
       case $outputname in
       lib*)
 	name=`$echo "X$outputname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
-	eval shared_ext=\"$shrext\"
+	eval shared_ext=\"$shrext_cmds\"
 	eval libname=\"$libname_spec\"
 	;;
       *)
 	if test "$module" = no; then
 	  $echo "$modename: libtool library \`$output' must begin with \`lib'" 1>&2
 	  $echo "$help" 1>&2
-	  exit 1
+	  exit $EXIT_FAILURE
 	fi
 	if test "$need_lib_prefix" != no; then
 	  # Add the "lib" prefix for modules if required
 	  name=`$echo "X$outputname" | $Xsed -e 's/\.la$//'`
-	  eval shared_ext=\"$shrext\"
+	  eval shared_ext=\"$shrext_cmds\"
 	  eval libname=\"$libname_spec\"
 	else
 	  libname=`$echo "X$outputname" | $Xsed -e 's/\.la$//'`
@@ -2831,7 +3118,7 @@ EOF
       if test -n "$objs"; then
 	if test "$deplibs_check_method" != pass_all; then
 	  $echo "$modename: cannot build libtool library \`$output' from non-libtool objects on this host:$objs" 2>&1
-	  exit 1
+	  exit $EXIT_FAILURE
 	else
 	  $echo
 	  $echo "*** Warning: Linking the shared library $output against the non-libtool"
@@ -2879,13 +3166,13 @@ EOF
 	if test -n "$8"; then
 	  $echo "$modename: too many parameters to \`-version-info'" 1>&2
 	  $echo "$help" 1>&2
-	  exit 1
+	  exit $EXIT_FAILURE
 	fi
 
 	# convert absolute version numbers to libtool ages
 	# this retains compatibility with .la files and attempts
 	# to make the code below a bit more comprehensible
-	
+
 	case $vinfo_number in
 	yes)
 	  number_major="$2"
@@ -2925,36 +3212,36 @@ EOF
 
 	# Check that each of the things are valid numbers.
 	case $current in
-	0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;;
+	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
 	*)
-	  $echo "$modename: CURRENT \`$current' is not a nonnegative integer" 1>&2
+	  $echo "$modename: CURRENT \`$current' must be a nonnegative integer" 1>&2
 	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
-	  exit 1
+	  exit $EXIT_FAILURE
 	  ;;
 	esac
 
 	case $revision in
-	0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;;
+	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
 	*)
-	  $echo "$modename: REVISION \`$revision' is not a nonnegative integer" 1>&2
+	  $echo "$modename: REVISION \`$revision' must be a nonnegative integer" 1>&2
 	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
-	  exit 1
+	  exit $EXIT_FAILURE
 	  ;;
 	esac
 
 	case $age in
-	0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;;
+	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
 	*)
-	  $echo "$modename: AGE \`$age' is not a nonnegative integer" 1>&2
+	  $echo "$modename: AGE \`$age' must be a nonnegative integer" 1>&2
 	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
-	  exit 1
+	  exit $EXIT_FAILURE
 	  ;;
 	esac
 
 	if test "$age" -gt "$current"; then
 	  $echo "$modename: AGE \`$age' is greater than the current interface number \`$current'" 1>&2
 	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
-	  exit 1
+	  exit $EXIT_FAILURE
 	fi
 
 	# Calculate the version variables.
@@ -2971,7 +3258,7 @@ EOF
 	  versuffix="$major.$age.$revision"
 	  # Darwin ld doesn't like 0 for these options...
 	  minor_current=`expr $current + 1`
-	  verstring="-compatibility_version $minor_current -current_version $minor_current.$revision"
+	  verstring="${wl}-compatibility_version ${wl}$minor_current ${wl}-current_version ${wl}$minor_current.$revision"
 	  ;;
 
 	freebsd-aout)
@@ -3043,7 +3330,7 @@ EOF
 	*)
 	  $echo "$modename: unknown library version type \`$version_type'" 1>&2
 	  $echo "Fatal configuration error.  See the $PACKAGE docs for more information." 1>&2
-	  exit 1
+	  exit $EXIT_FAILURE
 	  ;;
 	esac
 
@@ -3097,9 +3384,11 @@ EOF
 	    *.$objext)
 	       ;;
 	    $output_objdir/$outputname | $output_objdir/$libname.* | $output_objdir/${libname}${release}.*)
-	       if echo $p | $EGREP -e "$precious_files_regex" >/dev/null 2>&1
-	       then
-		 continue
+	       if test "X$precious_files_regex" != "X"; then
+	         if echo $p | $EGREP -e "$precious_files_regex" >/dev/null 2>&1
+	         then
+		   continue
+		 fi
 	       fi
 	       removelist="$removelist $p"
 	       ;;
@@ -3122,9 +3411,9 @@ EOF
 
       # Eliminate all temporary directories.
       for path in $notinst_path; do
-	lib_search_path=`$echo "$lib_search_path " | ${SED} -e 's% $path % %g'`
-	deplibs=`$echo "$deplibs " | ${SED} -e 's% -L$path % %g'`
-	dependency_libs=`$echo "$dependency_libs " | ${SED} -e 's% -L$path % %g'`
+	lib_search_path=`$echo "$lib_search_path " | ${SED} -e "s% $path % %g"`
+	deplibs=`$echo "$deplibs " | ${SED} -e "s% -L$path % %g"`
+	dependency_libs=`$echo "$dependency_libs " | ${SED} -e "s% -L$path % %g"`
       done
 
       if test -n "$xrpath"; then
@@ -3175,9 +3464,14 @@ EOF
 	  *-*-netbsd*)
 	    # Don't link with libc until the a.out ld.so is fixed.
 	    ;;
-	  *-*-openbsd* | *-*-freebsd*)
+	  *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
 	    # Do not include libc due to us having libc/libc_r.
-	    test "X$arg" = "X-lc" && continue
+	    ;;
+	  *-*-sco3.2v5* | *-*-sco5v6*)
+	    # Causes problems with __ctype
+	    ;;
+	  *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*)
+	    # Compiler inserts libc in the correct place for threads to work
 	    ;;
  	  *)
 	    # Add libc to deplibs on all other systems if necessary.
@@ -3221,11 +3515,11 @@ EOF
 	  int main() { return 0; }
 EOF
 	  $rm conftest
-	  $LTCC -o conftest conftest.c $deplibs
+	  $LTCC $LTCFLAGS -o conftest conftest.c $deplibs
 	  if test "$?" -eq 0 ; then
 	    ldd_output=`ldd conftest`
 	    for i in $deplibs; do
-	      name="`expr $i : '-l\(.*\)'`"
+	      name=`expr $i : '-l\(.*\)'`
 	      # If $name is empty we are operating on a -L argument.
               if test "$name" != "" && test "$name" -ne "0"; then
 		if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
@@ -3262,11 +3556,11 @@ EOF
 	    # Error occurred in the first compile.  Let's try to salvage
 	    # the situation: Compile a separate program for each library.
 	    for i in $deplibs; do
-	      name="`expr $i : '-l\(.*\)'`"
+	      name=`expr $i : '-l\(.*\)'`
 	      # If $name is empty we are operating on a -L argument.
               if test "$name" != "" && test "$name" != "0"; then
 		$rm conftest
-		$LTCC -o conftest conftest.c $i
+		$LTCC $LTCFLAGS -o conftest conftest.c $i
 		# Did it work?
 		if test "$?" -eq 0 ; then
 		  ldd_output=`ldd conftest`
@@ -3314,7 +3608,7 @@ EOF
 	  set dummy $deplibs_check_method
 	  file_magic_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
 	  for a_deplib in $deplibs; do
-	    name="`expr $a_deplib : '-l\(.*\)'`"
+	    name=`expr $a_deplib : '-l\(.*\)'`
 	    # If $name is empty we are operating on a -L argument.
             if test "$name" != "" && test  "$name" != "0"; then
 	      if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
@@ -3383,7 +3677,7 @@ EOF
 	  set dummy $deplibs_check_method
 	  match_pattern_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
 	  for a_deplib in $deplibs; do
-	    name="`expr $a_deplib : '-l\(.*\)'`"
+	    name=`expr $a_deplib : '-l\(.*\)'`
 	    # If $name is empty we are operating on a -L argument.
 	    if test -n "$name" && test "$name" != "0"; then
 	      if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
@@ -3513,6 +3807,35 @@ EOF
 	deplibs=$newdeplibs
       fi
 
+
+      # move library search paths that coincide with paths to not yet
+      # installed libraries to the beginning of the library search list
+      new_libs=
+      for path in $notinst_path; do
+	case " $new_libs " in
+	*" -L$path/$objdir "*) ;;
+	*)
+	  case " $deplibs " in
+	  *" -L$path/$objdir "*)
+	    new_libs="$new_libs -L$path/$objdir" ;;
+	  esac
+	  ;;
+	esac
+      done
+      for deplib in $deplibs; do
+	case $deplib in
+	-L*)
+	  case " $new_libs " in
+	  *" $deplib "*) ;;
+	  *) new_libs="$new_libs $deplib" ;;
+	  esac
+	  ;;
+	*) new_libs="$new_libs $deplib" ;;
+	esac
+      done
+      deplibs="$new_libs"
+
+
       # All the library-specific variables (install_libdir is set above).
       library_names=
       old_library=
@@ -3580,7 +3903,7 @@ EOF
 	fi
 
 	# Get the real and link names of the library.
-	eval shared_ext=\"$shrext\"
+	eval shared_ext=\"$shrext_cmds\"
 	eval library_names=\"$library_names_spec\"
 	set dummy $library_names
 	realname="$2"
@@ -3596,6 +3919,7 @@ EOF
 	fi
 
 	lib="$output_objdir/$realname"
+	linknames=
 	for link
 	do
 	  linknames="$linknames $link"
@@ -3624,6 +3948,9 @@ EOF
 	        # The command line is too long to execute in one step.
 	        $show "using reloadable object file for export list..."
 	        skipped_export=:
+		# Break out early, otherwise skipped_export may be
+		# set to false by a later but shorter cmd.
+		break
 	      fi
 	    done
 	    IFS="$save_ifs"
@@ -3644,12 +3971,12 @@ EOF
 	for test_deplib in $deplibs; do
 		case " $convenience " in
 		*" $test_deplib "*) ;;
-		*) 
+		*)
 			tmp_deplibs="$tmp_deplibs $test_deplib"
 			;;
 		esac
 	done
-	deplibs="$tmp_deplibs" 
+	deplibs="$tmp_deplibs"
 
 	if test -n "$convenience"; then
 	  if test -n "$whole_archive_flag_spec"; then
@@ -3657,67 +3984,13 @@ EOF
 	    eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
 	  else
 	    gentop="$output_objdir/${outputname}x"
-	    $show "${rm}r $gentop"
-	    $run ${rm}r "$gentop"
-	    $show "$mkdir $gentop"
-	    $run $mkdir "$gentop"
-	    status=$?
-	    if test "$status" -ne 0 && test ! -d "$gentop"; then
-	      exit $status
-	    fi
 	    generated="$generated $gentop"
 
-	    for xlib in $convenience; do
-	      # Extract the objects.
-	      case $xlib in
-	      [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;;
-	      *) xabs=`pwd`"/$xlib" ;;
-	      esac
-	      xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'`
-	      xdir="$gentop/$xlib"
-
-	      $show "${rm}r $xdir"
-	      $run ${rm}r "$xdir"
-	      $show "$mkdir $xdir"
-	      $run $mkdir "$xdir"
-	      status=$?
-	      if test "$status" -ne 0 && test ! -d "$xdir"; then
-		exit $status
-	      fi
-	      # We will extract separately just the conflicting names and we will no
-	      # longer touch any unique names. It is faster to leave these extract
-	      # automatically by $AR in one run.
-	      $show "(cd $xdir && $AR x $xabs)"
-	      $run eval "(cd \$xdir && $AR x \$xabs)" || exit $?
-	      if ($AR t "$xabs" | sort | sort -uc >/dev/null 2>&1); then
-		:
-	      else
-		$echo "$modename: warning: object name conflicts; renaming object files" 1>&2
-		$echo "$modename: warning: to ensure that they will not overwrite" 1>&2
-		$AR t "$xabs" | sort | uniq -cd | while read -r count name
-		do
-		  i=1
-		  while test "$i" -le "$count"
-		  do
-		   # Put our $i before any first dot (extension)
-		   # Never overwrite any file
-		   name_to="$name"
-		   while test "X$name_to" = "X$name" || test -f "$xdir/$name_to"
-		   do
-		     name_to=`$echo "X$name_to" | $Xsed -e "s/\([^.]*\)/\1-$i/"`
-		   done
-		   $show "(cd $xdir && $AR xN $i $xabs '$name' && $mv '$name' '$name_to')"
-		   $run eval "(cd \$xdir && $AR xN $i \$xabs '$name' && $mv '$name' '$name_to')" || exit $?
-		   i=`expr $i + 1`
-		  done
-		done
-	      fi
-
-	      libobjs="$libobjs "`find $xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP`
-	    done
+	    func_extract_archives $gentop $convenience
+	    libobjs="$libobjs $func_extract_archives_result"
 	  fi
 	fi
-
+	
 	if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then
 	  eval flag=\"$thread_safe_flag_spec\"
 	  linker_flags="$linker_flags $flag"
@@ -3747,7 +4020,8 @@ EOF
 	  fi
 	fi
 
-	if test "X$skipped_export" != "X:" && len=`expr "X$test_cmds" : ".*"` &&
+	if test "X$skipped_export" != "X:" &&
+	   len=`expr "X$test_cmds" : ".*" 2>/dev/null` &&
 	   test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then
 	  :
 	else
@@ -3766,6 +4040,7 @@ EOF
 	    save_libobjs=$libobjs
 	  fi
 	  save_output=$output
+	  output_la=`$echo "X$output" | $Xsed -e "$basename"`
 
 	  # Clear the reloadable object creation command queue and
 	  # initialize k to one.
@@ -3775,13 +4050,13 @@ EOF
 	  delfiles=
 	  last_robj=
 	  k=1
-	  output=$output_objdir/$save_output-${k}.$objext
+	  output=$output_objdir/$output_la-${k}.$objext
 	  # Loop over the list of objects to be linked.
 	  for obj in $save_libobjs
 	  do
 	    eval test_cmds=\"$reload_cmds $objlist $last_robj\"
 	    if test "X$objlist" = X ||
-	       { len=`expr "X$test_cmds" : ".*"` &&
+	       { len=`expr "X$test_cmds" : ".*" 2>/dev/null` &&
 		 test "$len" -le "$max_cmd_len"; }; then
 	      objlist="$objlist $obj"
 	    else
@@ -3795,9 +4070,9 @@ EOF
 		# the last one created.
 		eval concat_cmds=\"\$concat_cmds~$reload_cmds $objlist $last_robj\"
 	      fi
-	      last_robj=$output_objdir/$save_output-${k}.$objext
+	      last_robj=$output_objdir/$output_la-${k}.$objext
 	      k=`expr $k + 1`
-	      output=$output_objdir/$save_output-${k}.$objext
+	      output=$output_objdir/$output_la-${k}.$objext
 	      objlist=$obj
 	      len=1
 	    fi
@@ -3817,13 +4092,13 @@ EOF
 	    eval concat_cmds=\"\$concat_cmds~$export_symbols_cmds\"
           fi
 
-	  # Set up a command to remove the reloadale object files
+	  # Set up a command to remove the reloadable object files
 	  # after they are used.
 	  i=0
 	  while test "$i" -lt "$k"
 	  do
 	    i=`expr $i + 1`
-	    delfiles="$delfiles $output_objdir/$save_output-${i}.$objext"
+	    delfiles="$delfiles $output_objdir/$output_la-${i}.$objext"
 	  done
 
 	  $echo "creating a temporary reloadable object file: $output"
@@ -3832,7 +4107,6 @@ EOF
 	  save_ifs="$IFS"; IFS='~'
 	  for cmd in $concat_cmds; do
 	    IFS="$save_ifs"
-	    eval cmd=\"$cmd\"
 	    $show "$cmd"
 	    $run eval "$cmd" || exit $?
 	  done
@@ -3872,14 +4146,31 @@ EOF
 	  IFS="$save_ifs"
 	  eval cmd=\"$cmd\"
 	  $show "$cmd"
-	  $run eval "$cmd" || exit $?
+	  $run eval "$cmd" || {
+	    lt_exit=$?
+
+	    # Restore the uninstalled library and exit
+	    if test "$mode" = relink; then
+	      $run eval '(cd $output_objdir && $rm ${realname}T && $mv ${realname}U $realname)'
+	    fi
+
+	    exit $lt_exit
+	  }
 	done
 	IFS="$save_ifs"
 
 	# Restore the uninstalled library and exit
 	if test "$mode" = relink; then
 	  $run eval '(cd $output_objdir && $rm ${realname}T && $mv $realname ${realname}T && $mv "$realname"U $realname)' || exit $?
-	  exit 0
+
+	  if test -n "$convenience"; then
+	    if test -z "$whole_archive_flag_spec"; then
+	      $show "${rm}r $gentop"
+	      $run ${rm}r "$gentop"
+	    fi
+	  fi
+
+	  exit $EXIT_SUCCESS
 	fi
 
 	# Create links to the real library.
@@ -3927,7 +4218,7 @@ EOF
       *.lo)
 	if test -n "$objs$old_deplibs"; then
 	  $echo "$modename: cannot build library object \`$output' from non-libtool objects" 1>&2
-	  exit 1
+	  exit $EXIT_FAILURE
 	fi
 	libobj="$output"
 	obj=`$echo "X$output" | $Xsed -e "$lo2o"`
@@ -3956,64 +4247,10 @@ EOF
 	  eval reload_conv_objs=\"\$reload_objs $whole_archive_flag_spec\"
 	else
 	  gentop="$output_objdir/${obj}x"
-	  $show "${rm}r $gentop"
-	  $run ${rm}r "$gentop"
-	  $show "$mkdir $gentop"
-	  $run $mkdir "$gentop"
-	  status=$?
-	  if test "$status" -ne 0 && test ! -d "$gentop"; then
-	    exit $status
-	  fi
 	  generated="$generated $gentop"
 
-	  for xlib in $convenience; do
-	    # Extract the objects.
-	    case $xlib in
-	    [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;;
-	    *) xabs=`pwd`"/$xlib" ;;
-	    esac
-	    xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'`
-	    xdir="$gentop/$xlib"
-
-	    $show "${rm}r $xdir"
-	    $run ${rm}r "$xdir"
-	    $show "$mkdir $xdir"
-	    $run $mkdir "$xdir"
-	    status=$?
-	    if test "$status" -ne 0 && test ! -d "$xdir"; then
-	      exit $status
-	    fi
-	    # We will extract separately just the conflicting names and we will no
-	    # longer touch any unique names. It is faster to leave these extract
-	    # automatically by $AR in one run.
-	    $show "(cd $xdir && $AR x $xabs)"
-	    $run eval "(cd \$xdir && $AR x \$xabs)" || exit $?
-	    if ($AR t "$xabs" | sort | sort -uc >/dev/null 2>&1); then
-	      :
-	    else
-	      $echo "$modename: warning: object name conflicts; renaming object files" 1>&2
-	      $echo "$modename: warning: to ensure that they will not overwrite" 1>&2
-	      $AR t "$xabs" | sort | uniq -cd | while read -r count name
-	      do
-		i=1
-		while test "$i" -le "$count"
-		do
-		 # Put our $i before any first dot (extension)
-		 # Never overwrite any file
-		 name_to="$name"
-		 while test "X$name_to" = "X$name" || test -f "$xdir/$name_to"
-		 do
-		   name_to=`$echo "X$name_to" | $Xsed -e "s/\([^.]*\)/\1-$i/"`
-		 done
-		 $show "(cd $xdir && $AR xN $i $xabs '$name' && $mv '$name' '$name_to')"
-		 $run eval "(cd \$xdir && $AR xN $i \$xabs '$name' && $mv '$name' '$name_to')" || exit $?
-		 i=`expr $i + 1`
-		done
-	      done
-	    fi
-
-	    reload_conv_objs="$reload_objs "`find $xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP`
-	  done
+	  func_extract_archives $gentop $convenience
+	  reload_conv_objs="$reload_objs $func_extract_archives_result"
 	fi
       fi
 
@@ -4038,7 +4275,7 @@ EOF
 	  $run ${rm}r $gentop
 	fi
 
-	exit 0
+	exit $EXIT_SUCCESS
       fi
 
       if test "$build_libtool_libs" != yes; then
@@ -4051,7 +4288,7 @@ EOF
 	# accidentally link it into a program.
 	# $show "echo timestamp > $libobj"
 	# $run eval "echo timestamp > $libobj" || exit $?
-	exit 0
+	exit $EXIT_SUCCESS
       fi
 
       if test -n "$pic_flag" || test "$pic_mode" != default; then
@@ -4074,7 +4311,7 @@ EOF
 	$run ${rm}r $gentop
       fi
 
-      exit 0
+      exit $EXIT_SUCCESS
       ;;
 
     prog)
@@ -4114,6 +4351,35 @@ EOF
         ;;
       esac
 
+
+      # move library search paths that coincide with paths to not yet
+      # installed libraries to the beginning of the library search list
+      new_libs=
+      for path in $notinst_path; do
+	case " $new_libs " in
+	*" -L$path/$objdir "*) ;;
+	*)
+	  case " $compile_deplibs " in
+	  *" -L$path/$objdir "*)
+	    new_libs="$new_libs -L$path/$objdir" ;;
+	  esac
+	  ;;
+	esac
+      done
+      for deplib in $compile_deplibs; do
+	case $deplib in
+	-L*)
+	  case " $new_libs " in
+	  *" $deplib "*) ;;
+	  *) new_libs="$new_libs $deplib" ;;
+	  esac
+	  ;;
+	*) new_libs="$new_libs $deplib" ;;
+	esac
+      done
+      compile_deplibs="$new_libs"
+
+
       compile_command="$compile_command $compile_deplibs"
       finalize_command="$finalize_command $finalize_deplibs"
 
@@ -4158,10 +4424,15 @@ EOF
 	fi
 	case $host in
 	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+	  testbindir=`$echo "X$libdir" | $Xsed -e 's*/lib$*/bin*'`
 	  case :$dllsearchpath: in
 	  *":$libdir:"*) ;;
 	  *) dllsearchpath="$dllsearchpath:$libdir";;
 	  esac
+	  case :$dllsearchpath: in
+	  *":$testbindir:"*) ;;
+	  *) dllsearchpath="$dllsearchpath:$testbindir";;
+	  esac
 	  ;;
 	esac
       done
@@ -4275,13 +4546,25 @@ extern \"C\" {
 
 	    # Prepare the list of exported symbols
 	    if test -z "$export_symbols"; then
-	      export_symbols="$output_objdir/$output.exp"
+	      export_symbols="$output_objdir/$outputname.exp"
 	      $run $rm $export_symbols
-	      $run eval "${SED} -n -e '/^: @PROGRAM@$/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"'
+	      $run eval "${SED} -n -e '/^: @PROGRAM@ $/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"'
+              case $host in
+              *cygwin* | *mingw* )
+	        $run eval "echo EXPORTS "'> "$output_objdir/$outputname.def"'
+		$run eval 'cat "$export_symbols" >> "$output_objdir/$outputname.def"'
+                ;;
+              esac
 	    else
-	      $run eval "${SED} -e 's/\([][.*^$]\)/\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$output.exp"'
-	      $run eval 'grep -f "$output_objdir/$output.exp" < "$nlist" > "$nlist"T'
+	      $run eval "${SED} -e 's/\([].[*^$]\)/\\\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$outputname.exp"'
+	      $run eval 'grep -f "$output_objdir/$outputname.exp" < "$nlist" > "$nlist"T'
 	      $run eval 'mv "$nlist"T "$nlist"'
+              case $host in
+              *cygwin* | *mingw* )
+	        $run eval "echo EXPORTS "'> "$output_objdir/$outputname.def"'
+		$run eval 'cat "$nlist" >> "$output_objdir/$outputname.def"'
+                ;;
+              esac
 	    fi
 	  fi
 
@@ -4332,7 +4615,26 @@ extern \"C\" {
 #endif
 
 /* The mapping between symbol names and symbols. */
+"
+
+	    case $host in
+	    *cygwin* | *mingw* )
+	  $echo >> "$output_objdir/$dlsyms" "\
+/* DATA imports from DLLs on WIN32 can't be const, because
+   runtime relocations are performed -- see ld's documentation
+   on pseudo-relocs */
+struct {
+"
+	      ;;
+	    * )
+	  $echo >> "$output_objdir/$dlsyms" "\
 const struct {
+"
+	      ;;
+	    esac
+
+
+	  $echo >> "$output_objdir/$dlsyms" "\
   const char *name;
   lt_ptr address;
 }
@@ -4379,20 +4681,33 @@ static const void *lt_preloaded_setup() {
 	  esac
 
 	  # Now compile the dynamic symbol file.
-	  $show "(cd $output_objdir && $LTCC -c$no_builtin_flag$pic_flag_for_symtable \"$dlsyms\")"
-	  $run eval '(cd $output_objdir && $LTCC -c$no_builtin_flag$pic_flag_for_symtable "$dlsyms")' || exit $?
+	  $show "(cd $output_objdir && $LTCC  $LTCFLAGS -c$no_builtin_flag$pic_flag_for_symtable \"$dlsyms\")"
+	  $run eval '(cd $output_objdir && $LTCC  $LTCFLAGS -c$no_builtin_flag$pic_flag_for_symtable "$dlsyms")' || exit $?
 
 	  # Clean up the generated files.
 	  $show "$rm $output_objdir/$dlsyms $nlist ${nlist}S ${nlist}T"
 	  $run $rm "$output_objdir/$dlsyms" "$nlist" "${nlist}S" "${nlist}T"
 
 	  # Transform the symbol file into the correct name.
-	  compile_command=`$echo "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
-	  finalize_command=`$echo "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
+          case $host in
+          *cygwin* | *mingw* )
+            if test -f "$output_objdir/${outputname}.def" ; then
+              compile_command=`$echo "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}.def $output_objdir/${outputname}S.${objext}%"`
+              finalize_command=`$echo "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}.def $output_objdir/${outputname}S.${objext}%"`
+            else
+              compile_command=`$echo "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
+              finalize_command=`$echo "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
+             fi
+            ;;
+          * )
+            compile_command=`$echo "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
+            finalize_command=`$echo "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
+            ;;
+          esac
 	  ;;
 	*)
 	  $echo "$modename: unknown suffix for \`$dlsyms'" 1>&2
-	  exit 1
+	  exit $EXIT_FAILURE
 	  ;;
 	esac
       else
@@ -4413,7 +4728,7 @@ static const void *lt_preloaded_setup() {
 	# We have no uninstalled library dependencies, so finalize right now.
 	$show "$link_command"
 	$run eval "$link_command"
-	status=$?
+	exit_status=$?
 
 	# Delete the generated files.
 	if test -n "$dlsyms"; then
@@ -4421,7 +4736,7 @@ static const void *lt_preloaded_setup() {
 	  $run $rm "$output_objdir/${outputname}S.${objext}"
 	fi
 
-	exit $status
+	exit $exit_status
       fi
 
       if test -n "$shlibpath_var"; then
@@ -4480,7 +4795,7 @@ static const void *lt_preloaded_setup() {
 	# Link the executable and exit
 	$show "$link_command"
 	$run eval "$link_command" || exit $?
-	exit 0
+	exit $EXIT_SUCCESS
       fi
 
       if test "$hardcode_action" = relink; then
@@ -4535,10 +4850,10 @@ static const void *lt_preloaded_setup() {
       fi
 
       # Quote $echo for shipping.
-      if test "X$echo" = "X$SHELL $0 --fallback-echo"; then
-	case $0 in
-	[\\/]* | [A-Za-z]:[\\/]*) qecho="$SHELL $0 --fallback-echo";;
-	*) qecho="$SHELL `pwd`/$0 --fallback-echo";;
+      if test "X$echo" = "X$SHELL $progpath --fallback-echo"; then
+	case $progpath in
+	[\\/]* | [A-Za-z]:[\\/]*) qecho="$SHELL $progpath --fallback-echo";;
+	*) qecho="$SHELL `pwd`/$progpath --fallback-echo";;
 	esac
 	qecho=`$echo "X$qecho" | $Xsed -e "$sed_quote_subst"`
       else
@@ -4561,10 +4876,12 @@ static const void *lt_preloaded_setup() {
 	esac
 	case $host in
 	  *cygwin* | *mingw* )
-	    cwrappersource=`$echo ${objdir}/lt-${output}.c`
-	    cwrapper=`$echo ${output}.exe`
-	    $rm $cwrappersource $cwrapper
-	    trap "$rm $cwrappersource $cwrapper; exit 1" 1 2 15
+            output_name=`basename $output`
+            output_path=`dirname $output`
+            cwrappersource="$output_path/$objdir/lt-$output_name.c"
+            cwrapper="$output_path/$output_name.exe"
+            $rm $cwrappersource $cwrapper
+            trap "$rm $cwrappersource $cwrapper; exit $EXIT_FAILURE" 1 2 15
 
 	    cat > $cwrappersource <<EOF
 
@@ -4573,7 +4890,7 @@ static const void *lt_preloaded_setup() {
 
    The $output program cannot be directly executed until all the libtool
    libraries that it depends on are installed.
-   
+
    This wrapper executable should never be moved out of the build directory.
    If it is, it will not operate correctly.
 
@@ -4589,6 +4906,9 @@ EOF
 #include <malloc.h>
 #include <stdarg.h>
 #include <assert.h>
+#include <string.h>
+#include <ctype.h>
+#include <sys/stat.h>
 
 #if defined(PATH_MAX)
 # define LT_PATHMAX PATH_MAX
@@ -4599,15 +4919,19 @@ EOF
 #endif
 
 #ifndef DIR_SEPARATOR
-#define DIR_SEPARATOR '/'
+# define DIR_SEPARATOR '/'
+# define PATH_SEPARATOR ':'
 #endif
 
 #if defined (_WIN32) || defined (__MSDOS__) || defined (__DJGPP__) || \
   defined (__OS2__)
-#define HAVE_DOS_BASED_FILE_SYSTEM
-#ifndef DIR_SEPARATOR_2 
-#define DIR_SEPARATOR_2 '\\'
-#endif
+# define HAVE_DOS_BASED_FILE_SYSTEM
+# ifndef DIR_SEPARATOR_2
+#  define DIR_SEPARATOR_2 '\\'
+# endif
+# ifndef PATH_SEPARATOR_2
+#  define PATH_SEPARATOR_2 ';'
+# endif
 #endif
 
 #ifndef DIR_SEPARATOR_2
@@ -4617,17 +4941,32 @@ EOF
         (((ch) == DIR_SEPARATOR) || ((ch) == DIR_SEPARATOR_2))
 #endif /* DIR_SEPARATOR_2 */
 
+#ifndef PATH_SEPARATOR_2
+# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR)
+#else /* PATH_SEPARATOR_2 */
+# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR_2)
+#endif /* PATH_SEPARATOR_2 */
+
 #define XMALLOC(type, num)      ((type *) xmalloc ((num) * sizeof(type)))
 #define XFREE(stale) do { \
   if (stale) { free ((void *) stale); stale = 0; } \
 } while (0)
 
+/* -DDEBUG is fairly common in CFLAGS.  */
+#undef DEBUG
+#if defined DEBUGWRAPPER
+# define DEBUG(format, ...) fprintf(stderr, format, __VA_ARGS__)
+#else
+# define DEBUG(format, ...)
+#endif
+
 const char *program_name = NULL;
 
 void * xmalloc (size_t num);
 char * xstrdup (const char *string);
-char * basename (const char *name);
-char * fnqualify(const char *path);
+const char * base_name (const char *name);
+char * find_executable(const char *wrapper);
+int    check_executable(const char *path);
 char * strendzap(char *str, const char *pat);
 void lt_fatal (const char *message, ...);
 
@@ -4636,30 +4975,52 @@ main (int argc, char *argv[])
 {
   char **newargz;
   int i;
-  
-  program_name = (char *) xstrdup ((char *) basename (argv[0]));
+
+  program_name = (char *) xstrdup (base_name (argv[0]));
+  DEBUG("(main) argv[0]      : %s\n",argv[0]);
+  DEBUG("(main) program_name : %s\n",program_name);
   newargz = XMALLOC(char *, argc+2);
 EOF
 
-	    cat >> $cwrappersource <<EOF
-  newargz[0] = "$SHELL";
+            cat >> $cwrappersource <<EOF
+  newargz[0] = (char *) xstrdup("$SHELL");
 EOF
 
-	    cat >> $cwrappersource <<"EOF"
-  newargz[1] = fnqualify(argv[0]);
+            cat >> $cwrappersource <<"EOF"
+  newargz[1] = find_executable(argv[0]);
+  if (newargz[1] == NULL)
+    lt_fatal("Couldn't find %s", argv[0]);
+  DEBUG("(main) found exe at : %s\n",newargz[1]);
   /* we know the script has the same name, without the .exe */
   /* so make sure newargz[1] doesn't end in .exe */
-  strendzap(newargz[1],".exe"); 
+  strendzap(newargz[1],".exe");
   for (i = 1; i < argc; i++)
     newargz[i+1] = xstrdup(argv[i]);
   newargz[argc+1] = NULL;
+
+  for (i=0; i<argc+1; i++)
+  {
+    DEBUG("(main) newargz[%d]   : %s\n",i,newargz[i]);
+    ;
+  }
+
 EOF
 
-	    cat >> $cwrappersource <<EOF
+            case $host_os in
+              mingw*)
+                cat >> $cwrappersource <<EOF
+  execv("$SHELL",(char const **)newargz);
+EOF
+              ;;
+              *)
+                cat >> $cwrappersource <<EOF
   execv("$SHELL",newargz);
 EOF
+              ;;
+            esac
 
-	    cat >> $cwrappersource <<"EOF"
+            cat >> $cwrappersource <<"EOF"
+  return 127;
 }
 
 void *
@@ -4672,59 +5033,159 @@ xmalloc (size_t num)
   return p;
 }
 
-char * 
+char *
 xstrdup (const char *string)
 {
   return string ? strcpy ((char *) xmalloc (strlen (string) + 1), string) : NULL
 ;
 }
 
-char *
-basename (const char *name)
+const char *
+base_name (const char *name)
 {
   const char *base;
 
 #if defined (HAVE_DOS_BASED_FILE_SYSTEM)
   /* Skip over the disk name in MSDOS pathnames. */
-  if (isalpha (name[0]) && name[1] == ':') 
+  if (isalpha ((unsigned char)name[0]) && name[1] == ':')
     name += 2;
 #endif
 
   for (base = name; *name; name++)
     if (IS_DIR_SEPARATOR (*name))
       base = name + 1;
-  return (char *) base;
+  return base;
+}
+
+int
+check_executable(const char * path)
+{
+  struct stat st;
+
+  DEBUG("(check_executable)  : %s\n", path ? (*path ? path : "EMPTY!") : "NULL!");
+  if ((!path) || (!*path))
+    return 0;
+
+  if ((stat (path, &st) >= 0) &&
+      (
+        /* MinGW & native WIN32 do not support S_IXOTH or S_IXGRP */
+#if defined (S_IXOTH)
+       ((st.st_mode & S_IXOTH) == S_IXOTH) ||
+#endif
+#if defined (S_IXGRP)
+       ((st.st_mode & S_IXGRP) == S_IXGRP) ||
+#endif
+       ((st.st_mode & S_IXUSR) == S_IXUSR))
+      )
+    return 1;
+  else
+    return 0;
 }
 
-char * 
-fnqualify(const char *path)
+/* Searches for the full path of the wrapper.  Returns
+   newly allocated full path name if found, NULL otherwise */
+char *
+find_executable (const char* wrapper)
 {
-  size_t size;
-  char *p;
+  int has_slash = 0;
+  const char* p;
+  const char* p_next;
+  /* static buffer for getcwd */
   char tmp[LT_PATHMAX + 1];
+  int tmp_len;
+  char* concat_name;
+
+  DEBUG("(find_executable)  : %s\n", wrapper ? (*wrapper ? wrapper : "EMPTY!") : "NULL!");
 
-  assert(path != NULL);
+  if ((wrapper == NULL) || (*wrapper == '\0'))
+    return NULL;
 
-  /* Is it qualified already? */
+  /* Absolute path? */
+#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
+  if (isalpha ((unsigned char)wrapper[0]) && wrapper[1] == ':')
+  {
+    concat_name = xstrdup (wrapper);
+    if (check_executable(concat_name))
+      return concat_name;
+    XFREE(concat_name);
+  }
+  else
+  {
+#endif
+    if (IS_DIR_SEPARATOR (wrapper[0]))
+    {
+      concat_name = xstrdup (wrapper);
+      if (check_executable(concat_name))
+        return concat_name;
+      XFREE(concat_name);
+    }
 #if defined (HAVE_DOS_BASED_FILE_SYSTEM)
-  if (isalpha (path[0]) && path[1] == ':')
-    return xstrdup (path);
+  }
 #endif
-  if (IS_DIR_SEPARATOR (path[0]))
-    return xstrdup (path);
 
-  /* prepend the current directory */
-  /* doesn't handle '~' */
+  for (p = wrapper; *p; p++)
+    if (*p == '/')
+    {
+      has_slash = 1;
+      break;
+    }
+  if (!has_slash)
+  {
+    /* no slashes; search PATH */
+    const char* path = getenv ("PATH");
+    if (path != NULL)
+    {
+      for (p = path; *p; p = p_next)
+      {
+        const char* q;
+        size_t p_len;
+        for (q = p; *q; q++)
+          if (IS_PATH_SEPARATOR(*q))
+            break;
+        p_len = q - p;
+        p_next = (*q == '\0' ? q : q + 1);
+        if (p_len == 0)
+        {
+          /* empty path: current directory */
+          if (getcwd (tmp, LT_PATHMAX) == NULL)
+            lt_fatal ("getcwd failed");
+          tmp_len = strlen(tmp);
+          concat_name = XMALLOC(char, tmp_len + 1 + strlen(wrapper) + 1);
+          memcpy (concat_name, tmp, tmp_len);
+          concat_name[tmp_len] = '/';
+          strcpy (concat_name + tmp_len + 1, wrapper);
+        }
+        else
+        {
+          concat_name = XMALLOC(char, p_len + 1 + strlen(wrapper) + 1);
+          memcpy (concat_name, p, p_len);
+          concat_name[p_len] = '/';
+          strcpy (concat_name + p_len + 1, wrapper);
+        }
+        if (check_executable(concat_name))
+          return concat_name;
+        XFREE(concat_name);
+      }
+    }
+    /* not found in PATH; assume curdir */
+  }
+  /* Relative path | not found in path: prepend cwd */
   if (getcwd (tmp, LT_PATHMAX) == NULL)
     lt_fatal ("getcwd failed");
-  size = strlen(tmp) + 1 + strlen(path) + 1; /* +2 for '/' and '\0' */
-  p = XMALLOC(char, size);
-  sprintf(p, "%s%c%s", tmp, DIR_SEPARATOR, path);
-  return p;
+  tmp_len = strlen(tmp);
+  concat_name = XMALLOC(char, tmp_len + 1 + strlen(wrapper) + 1);
+  memcpy (concat_name, tmp, tmp_len);
+  concat_name[tmp_len] = '/';
+  strcpy (concat_name + tmp_len + 1, wrapper);
+
+  if (check_executable(concat_name))
+    return concat_name;
+  XFREE(concat_name);
+  return NULL;
 }
 
 char *
-strendzap(char *str, const char *pat) 
+strendzap(char *str, const char *pat)
 {
   size_t len, patlen;
 
@@ -4744,7 +5205,7 @@ strendzap(char *str, const char *pat)
 }
 
 static void
-lt_error_core (int exit_status, const char * mode, 
+lt_error_core (int exit_status, const char * mode,
           const char * message, va_list ap)
 {
   fprintf (stderr, "%s: %s: ", program_name, mode);
@@ -4764,16 +5225,16 @@ lt_fatal (const char *message, ...)
   va_end (ap);
 }
 EOF
-	  # we should really use a build-platform specific compiler
-	  # here, but OTOH, the wrappers (shell script and this C one)
-	  # are only useful if you want to execute the "real" binary.
-	  # Since the "real" binary is built for $host, then this
-	  # wrapper might as well be built for $host, too.
-	  $run $LTCC -s -o $cwrapper $cwrappersource
-	  ;;
-	esac
-	$rm $output
-	trap "$rm $output; exit 1" 1 2 15
+          # we should really use a build-platform specific compiler
+          # here, but OTOH, the wrappers (shell script and this C one)
+          # are only useful if you want to execute the "real" binary.
+          # Since the "real" binary is built for $host, then this
+          # wrapper might as well be built for $host, too.
+          $run $LTCC $LTCFLAGS -s -o $cwrapper $cwrappersource
+          ;;
+        esac
+        $rm $output
+        trap "$rm $output; exit $EXIT_FAILURE" 1 2 15
 
 	$echo > $output "\
 #! $SHELL
@@ -4794,7 +5255,7 @@ sed_quote_subst='$sed_quote_subst'
 
 # The HP-UX ksh and POSIX shell print the target directory to stdout
 # if CDPATH is set.
-if test \"\${CDPATH+set}\" = set; then CDPATH=:; export CDPATH; fi
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
 
 relink_command=\"$relink_command\"
 
@@ -4873,7 +5334,7 @@ else
       else
 	$echo \"\$relink_command_output\" >&2
 	$rm \"\$progdir/\$file\"
-	exit 1
+	exit $EXIT_FAILURE
       fi
     fi
 
@@ -4923,32 +5384,32 @@ else
 	# Backslashes separate directories on plain windows
 	*-*-mingw | *-*-os2*)
 	  $echo >> $output "\
-      exec \$progdir\\\\\$program \${1+\"\$@\"}
+      exec \"\$progdir\\\\\$program\" \${1+\"\$@\"}
 "
 	  ;;
 
 	*)
 	  $echo >> $output "\
-      exec \$progdir/\$program \${1+\"\$@\"}
+      exec \"\$progdir/\$program\" \${1+\"\$@\"}
 "
 	  ;;
 	esac
 	$echo >> $output "\
       \$echo \"\$0: cannot exec \$program \${1+\"\$@\"}\"
-      exit 1
+      exit $EXIT_FAILURE
     fi
   else
     # The program doesn't exist.
-    \$echo \"\$0: error: \$progdir/\$program does not exist\" 1>&2
+    \$echo \"\$0: error: \\\`\$progdir/\$program' does not exist\" 1>&2
     \$echo \"This script is just a wrapper for \$program.\" 1>&2
     $echo \"See the $PACKAGE documentation for more information.\" 1>&2
-    exit 1
+    exit $EXIT_FAILURE
   fi
 fi\
 "
 	chmod +x $output
       fi
-      exit 0
+      exit $EXIT_SUCCESS
       ;;
     esac
 
@@ -4971,71 +5432,73 @@ fi\
 
       if test -n "$addlibs"; then
 	gentop="$output_objdir/${outputname}x"
-	$show "${rm}r $gentop"
-	$run ${rm}r "$gentop"
-	$show "$mkdir $gentop"
-	$run $mkdir "$gentop"
-	status=$?
-	if test "$status" -ne 0 && test ! -d "$gentop"; then
-	  exit $status
-	fi
 	generated="$generated $gentop"
 
-	# Add in members from convenience archives.
-	for xlib in $addlibs; do
-	  # Extract the objects.
-	  case $xlib in
-	  [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;;
-	  *) xabs=`pwd`"/$xlib" ;;
-	  esac
-	  xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'`
-	  xdir="$gentop/$xlib"
-
-	  $show "${rm}r $xdir"
-	  $run ${rm}r "$xdir"
-	  $show "$mkdir $xdir"
-	  $run $mkdir "$xdir"
-	  status=$?
-	  if test "$status" -ne 0 && test ! -d "$xdir"; then
-	    exit $status
-	  fi
-	  # We will extract separately just the conflicting names and we will no
-	  # longer touch any unique names. It is faster to leave these extract
-	  # automatically by $AR in one run.
-	  $show "(cd $xdir && $AR x $xabs)"
-	  $run eval "(cd \$xdir && $AR x \$xabs)" || exit $?
-	  if ($AR t "$xabs" | sort | sort -uc >/dev/null 2>&1); then
-	    :
-	  else
-	    $echo "$modename: warning: object name conflicts; renaming object files" 1>&2
-	    $echo "$modename: warning: to ensure that they will not overwrite" 1>&2
-	    $AR t "$xabs" | sort | uniq -cd | while read -r count name
-	    do
-	      i=1
-	      while test "$i" -le "$count"
-	      do
-	       # Put our $i before any first dot (extension)
-	       # Never overwrite any file
-	       name_to="$name"
-	       while test "X$name_to" = "X$name" || test -f "$xdir/$name_to"
-	       do
-		 name_to=`$echo "X$name_to" | $Xsed -e "s/\([^.]*\)/\1-$i/"`
-	       done
-	       $show "(cd $xdir && $AR xN $i $xabs '$name' && $mv '$name' '$name_to')"
-	       $run eval "(cd \$xdir && $AR xN $i \$xabs '$name' && $mv '$name' '$name_to')" || exit $?
-	       i=`expr $i + 1`
-	      done
-	    done
-	  fi
-
-	  oldobjs="$oldobjs "`find $xdir -name \*.${objext} -print -o -name \*.lo -print | $NL2SP`
-	done
+	func_extract_archives $gentop $addlibs
+	oldobjs="$oldobjs $func_extract_archives_result"
       fi
 
       # Do each command in the archive commands.
       if test -n "$old_archive_from_new_cmds" && test "$build_libtool_libs" = yes; then
        cmds=$old_archive_from_new_cmds
       else
+	# POSIX demands no paths to be encoded in archives.  We have
+	# to avoid creating archives with duplicate basenames if we
+	# might have to extract them afterwards, e.g., when creating a
+	# static archive out of a convenience library, or when linking
+	# the entirety of a libtool archive into another (currently
+	# not supported by libtool).
+	if (for obj in $oldobjs
+	    do
+	      $echo "X$obj" | $Xsed -e 's%^.*/%%'
+	    done | sort | sort -uc >/dev/null 2>&1); then
+	  :
+	else
+	  $echo "copying selected object files to avoid basename conflicts..."
+
+	  if test -z "$gentop"; then
+	    gentop="$output_objdir/${outputname}x"
+	    generated="$generated $gentop"
+
+	    $show "${rm}r $gentop"
+	    $run ${rm}r "$gentop"
+	    $show "$mkdir $gentop"
+	    $run $mkdir "$gentop"
+	    exit_status=$?
+	    if test "$exit_status" -ne 0 && test ! -d "$gentop"; then
+	      exit $exit_status
+	    fi
+	  fi
+
+	  save_oldobjs=$oldobjs
+	  oldobjs=
+	  counter=1
+	  for obj in $save_oldobjs
+	  do
+	    objbase=`$echo "X$obj" | $Xsed -e 's%^.*/%%'`
+	    case " $oldobjs " in
+	    " ") oldobjs=$obj ;;
+	    *[\ /]"$objbase "*)
+	      while :; do
+		# Make sure we don't pick an alternate name that also
+		# overlaps.
+		newobj=lt$counter-$objbase
+		counter=`expr $counter + 1`
+		case " $oldobjs " in
+		*[\ /]"$newobj "*) ;;
+		*) if test ! -f "$gentop/$newobj"; then break; fi ;;
+		esac
+	      done
+	      $show "ln $obj $gentop/$newobj || cp $obj $gentop/$newobj"
+	      $run ln "$obj" "$gentop/$newobj" ||
+	      $run cp "$obj" "$gentop/$newobj"
+	      oldobjs="$oldobjs $gentop/$newobj"
+	      ;;
+	    *) oldobjs="$oldobjs $obj" ;;
+	    esac
+	  done
+	fi
+
 	eval cmds=\"$old_archive_cmds\"
 
 	if len=`expr "X$cmds" : ".*"` &&
@@ -5049,31 +5512,18 @@ fi\
 	  objlist=
 	  concat_cmds=
 	  save_oldobjs=$oldobjs
-	  # GNU ar 2.10+ was changed to match POSIX; thus no paths are
-	  # encoded into archives.  This makes 'ar r' malfunction in
-	  # this piecewise linking case whenever conflicting object
-	  # names appear in distinct ar calls; check, warn and compensate.
-	    if (for obj in $save_oldobjs
-	    do
-	      $echo "X$obj" | $Xsed -e 's%^.*/%%'
-	    done | sort | sort -uc >/dev/null 2>&1); then
-	    :
-	  else
-	    $echo "$modename: warning: object name conflicts; overriding AR_FLAGS to 'cq'" 1>&2
-	    $echo "$modename: warning: to ensure that POSIX-compatible ar will work" 1>&2
-	    AR_FLAGS=cq
-	  fi
+
 	  # Is there a better way of finding the last object in the list?
 	  for obj in $save_oldobjs
 	  do
 	    last_oldobj=$obj
-	  done  
+	  done
 	  for obj in $save_oldobjs
 	  do
 	    oldobjs="$objlist $obj"
 	    objlist="$objlist $obj"
 	    eval test_cmds=\"$old_archive_cmds\"
-	    if len=`expr "X$test_cmds" : ".*"` &&
+	    if len=`expr "X$test_cmds" : ".*" 2>/dev/null` &&
 	       test "$len" -le "$max_cmd_len"; then
 	      :
 	    else
@@ -5081,7 +5531,7 @@ fi\
 	      oldobjs=$objlist
 	      if test "$obj" = "$last_oldobj" ; then
 	        RANLIB=$save_RANLIB
-	      fi  
+	      fi
 	      test -z "$concat_cmds" || concat_cmds=$concat_cmds~
 	      eval concat_cmds=\"\${concat_cmds}$old_archive_cmds\"
 	      objlist=
@@ -5130,11 +5580,13 @@ fi\
 	fi
       done
       # Quote the link command for shipping.
-      relink_command="(cd `pwd`; $SHELL $0 $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)"
+      relink_command="(cd `pwd`; $SHELL $progpath $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)"
       relink_command=`$echo "X$relink_command" | $Xsed -e "$sed_quote_subst"`
       if test "$hardcode_automatic" = yes ; then
-        relink_command=
-      fi  
+	relink_command=
+      fi
+
+
       # Only create the output if not a dry run.
       if test -z "$run"; then
 	for installed in no yes; do
@@ -5152,7 +5604,7 @@ fi\
 		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
 		if test -z "$libdir"; then
 		  $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2
-		  exit 1
+		  exit $EXIT_FAILURE
 		fi
 		newdependency_libs="$newdependency_libs $libdir/$name"
 		;;
@@ -5166,7 +5618,7 @@ fi\
 	      eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
 	      if test -z "$libdir"; then
 		$echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
-		exit 1
+		exit $EXIT_FAILURE
 	      fi
 	      newdlfiles="$newdlfiles $libdir/$name"
 	    done
@@ -5177,7 +5629,7 @@ fi\
 	      eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
 	      if test -z "$libdir"; then
 		$echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
-		exit 1
+		exit $EXIT_FAILURE
 	      fi
 	      newdlprefiles="$newdlprefiles $libdir/$name"
 	    done
@@ -5185,7 +5637,7 @@ fi\
 	  else
 	    newdlfiles=
 	    for lib in $dlfiles; do
-	      case $lib in 
+	      case $lib in
 		[\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
 		*) abs=`pwd`"/$lib" ;;
 	      esac
@@ -5194,7 +5646,7 @@ fi\
 	    dlfiles="$newdlfiles"
 	    newdlprefiles=
 	    for lib in $dlprefiles; do
-	      case $lib in 
+	      case $lib in
 		[\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
 		*) abs=`pwd`"/$lib" ;;
 	      esac
@@ -5257,7 +5709,7 @@ relink_command=\"$relink_command\""
       $run eval '(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)' || exit $?
       ;;
     esac
-    exit 0
+    exit $EXIT_SUCCESS
     ;;
 
   # libtool install mode
@@ -5268,11 +5720,11 @@ relink_command=\"$relink_command\""
     # install_prog (especially on Windows NT).
     if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh ||
        # Allow the use of GNU shtool's install command.
-       $echo "X$nonopt" | $Xsed | grep shtool > /dev/null; then
+       $echo "X$nonopt" | grep shtool > /dev/null; then
       # Aesthetically quote it.
       arg=`$echo "X$nonopt" | $Xsed -e "$sed_quote_subst"`
       case $arg in
-      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*)
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
 	arg="\"$arg\""
 	;;
       esac
@@ -5281,14 +5733,14 @@ relink_command=\"$relink_command\""
       shift
     else
       install_prog=
-      arg="$nonopt"
+      arg=$nonopt
     fi
 
     # The real first argument should be the name of the installation program.
     # Aesthetically quote it.
     arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
     case $arg in
-    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*)
+    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
       arg="\"$arg\""
       ;;
     esac
@@ -5306,28 +5758,31 @@ relink_command=\"$relink_command\""
     do
       if test -n "$dest"; then
 	files="$files $dest"
-	dest="$arg"
+	dest=$arg
 	continue
       fi
 
       case $arg in
       -d) isdir=yes ;;
-      -f) prev="-f" ;;
-      -g) prev="-g" ;;
-      -m) prev="-m" ;;
-      -o) prev="-o" ;;
+      -f) 
+      	case " $install_prog " in
+	*[\\\ /]cp\ *) ;;
+	*) prev=$arg ;;
+	esac
+	;;
+      -g | -m | -o) prev=$arg ;;
       -s)
 	stripme=" -s"
 	continue
 	;;
-      -*) ;;
-
+      -*)
+	;;
       *)
 	# If the previous option needed an argument, then skip it.
 	if test -n "$prev"; then
 	  prev=
 	else
-	  dest="$arg"
+	  dest=$arg
 	  continue
 	fi
 	;;
@@ -5336,7 +5791,7 @@ relink_command=\"$relink_command\""
       # Aesthetically quote the argument.
       arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
       case $arg in
-      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*)
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
 	arg="\"$arg\""
 	;;
       esac
@@ -5346,13 +5801,13 @@ relink_command=\"$relink_command\""
     if test -z "$install_prog"; then
       $echo "$modename: you must specify an install program" 1>&2
       $echo "$help" 1>&2
-      exit 1
+      exit $EXIT_FAILURE
     fi
 
     if test -n "$prev"; then
       $echo "$modename: the \`$prev' option requires an argument" 1>&2
       $echo "$help" 1>&2
-      exit 1
+      exit $EXIT_FAILURE
     fi
 
     if test -z "$files"; then
@@ -5362,7 +5817,7 @@ relink_command=\"$relink_command\""
 	$echo "$modename: you must specify a destination" 1>&2
       fi
       $echo "$help" 1>&2
-      exit 1
+      exit $EXIT_FAILURE
     fi
 
     # Strip any trailing slash from the destination.
@@ -5383,7 +5838,7 @@ relink_command=\"$relink_command\""
       if test "$#" -gt 2; then
 	$echo "$modename: \`$dest' is not a directory" 1>&2
 	$echo "$help" 1>&2
-	exit 1
+	exit $EXIT_FAILURE
       fi
     fi
     case $destdir in
@@ -5395,7 +5850,7 @@ relink_command=\"$relink_command\""
 	*)
 	  $echo "$modename: \`$destdir' must be an absolute directory name" 1>&2
 	  $echo "$help" 1>&2
-	  exit 1
+	  exit $EXIT_FAILURE
 	  ;;
 	esac
       done
@@ -5424,7 +5879,7 @@ relink_command=\"$relink_command\""
 	else
 	  $echo "$modename: \`$file' is not a valid libtool archive" 1>&2
 	  $echo "$help" 1>&2
-	  exit 1
+	  exit $EXIT_FAILURE
 	fi
 
 	library_names=
@@ -5466,7 +5921,7 @@ relink_command=\"$relink_command\""
 	  # but it's something to keep an eye on.
 	  if test "$inst_prefix_dir" = "$destdir"; then
 	    $echo "$modename: error: cannot install \`$file' to a directory not ending in $libdir" 1>&2
-	    exit 1
+	    exit $EXIT_FAILURE
 	  fi
 
 	  if test -n "$inst_prefix_dir"; then
@@ -5481,7 +5936,7 @@ relink_command=\"$relink_command\""
 	  if $run eval "$relink_command"; then :
 	  else
 	    $echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2
-	    exit 1
+	    exit $EXIT_FAILURE
 	  fi
 	fi
 
@@ -5505,11 +5960,14 @@ relink_command=\"$relink_command\""
 
 	  if test "$#" -gt 0; then
 	    # Delete the old symlinks, and create new ones.
+	    # Try `ln -sf' first, because the `ln' binary might depend on
+	    # the symlink we replace!  Solaris /bin/ln does not understand -f,
+	    # so we also need to try rm && ln -s.
 	    for linkname
 	    do
 	      if test "$linkname" != "$realname"; then
-		$show "(cd $destdir && $rm $linkname && $LN_S $realname $linkname)"
-		$run eval "(cd $destdir && $rm $linkname && $LN_S $realname $linkname)"
+                $show "(cd $destdir && { $LN_S -f $realname $linkname || { $rm $linkname && $LN_S $realname $linkname; }; })"
+                $run eval "(cd $destdir && { $LN_S -f $realname $linkname || { $rm $linkname && $LN_S $realname $linkname; }; })"
 	      fi
 	    done
 	  fi
@@ -5522,7 +5980,16 @@ relink_command=\"$relink_command\""
 	    IFS="$save_ifs"
 	    eval cmd=\"$cmd\"
 	    $show "$cmd"
-	    $run eval "$cmd" || exit $?
+	    $run eval "$cmd" || {
+	      lt_exit=$?
+
+	      # Restore the uninstalled library and exit
+	      if test "$mode" = relink; then
+		$run eval '(cd $output_objdir && $rm ${realname}T && $mv ${realname}U $realname)'
+	      fi
+
+	      exit $lt_exit
+	    }
 	  done
 	  IFS="$save_ifs"
 	fi
@@ -5560,7 +6027,7 @@ relink_command=\"$relink_command\""
 	*)
 	  $echo "$modename: cannot copy a libtool object to \`$destfile'" 1>&2
 	  $echo "$help" 1>&2
-	  exit 1
+	  exit $EXIT_FAILURE
 	  ;;
 	esac
 
@@ -5578,7 +6045,7 @@ relink_command=\"$relink_command\""
 	  $show "$install_prog $staticobj $staticdest"
 	  $run eval "$install_prog \$staticobj \$staticdest" || exit $?
 	fi
-	exit 0
+	exit $EXIT_SUCCESS
 	;;
 
       *)
@@ -5616,23 +6083,21 @@ relink_command=\"$relink_command\""
 	  notinst_deplibs=
 	  relink_command=
 
-	  # To insure that "foo" is sourced, and not "foo.exe",
-	  # finese the cygwin/MSYS system by explicitly sourcing "foo."
-	  # which disallows the automatic-append-.exe behavior.
-	  case $build in
-	  *cygwin* | *mingw*) wrapperdot=${wrapper}. ;;
-	  *) wrapperdot=${wrapper} ;;
-	  esac
+	  # Note that it is not necessary on cygwin/mingw to append a dot to
+	  # foo even if both foo and FILE.exe exist: automatic-append-.exe
+	  # behavior happens only for exec(3), not for open(2)!  Also, sourcing
+	  # `FILE.' does not work on cygwin managed mounts.
+	  #
 	  # If there is no directory component, then add one.
-	  case $file in
-	  */* | *\\*) . ${wrapperdot} ;;
-	  *) . ./${wrapperdot} ;;
+	  case $wrapper in
+	  */* | *\\*) . ${wrapper} ;;
+	  *) . ./${wrapper} ;;
 	  esac
 
 	  # Check the variables that should have been set.
 	  if test -z "$notinst_deplibs"; then
 	    $echo "$modename: invalid libtool wrapper script \`$wrapper'" 1>&2
-	    exit 1
+	    exit $EXIT_FAILURE
 	  fi
 
 	  finalize=yes
@@ -5654,30 +6119,21 @@ relink_command=\"$relink_command\""
 	  done
 
 	  relink_command=
-	  # To insure that "foo" is sourced, and not "foo.exe",
-	  # finese the cygwin/MSYS system by explicitly sourcing "foo."
-	  # which disallows the automatic-append-.exe behavior.
-	  case $build in
-	  *cygwin* | *mingw*) wrapperdot=${wrapper}. ;;
-	  *) wrapperdot=${wrapper} ;;
-	  esac
+	  # Note that it is not necessary on cygwin/mingw to append a dot to
+	  # foo even if both foo and FILE.exe exist: automatic-append-.exe
+	  # behavior happens only for exec(3), not for open(2)!  Also, sourcing
+	  # `FILE.' does not work on cygwin managed mounts.
+	  #
 	  # If there is no directory component, then add one.
-	  case $file in
-	  */* | *\\*) . ${wrapperdot} ;;
-	  *) . ./${wrapperdot} ;;
+	  case $wrapper in
+	  */* | *\\*) . ${wrapper} ;;
+	  *) . ./${wrapper} ;;
 	  esac
 
 	  outputname=
 	  if test "$fast_install" = no && test -n "$relink_command"; then
 	    if test "$finalize" = yes && test -z "$run"; then
-	      tmpdir="/tmp"
-	      test -n "$TMPDIR" && tmpdir="$TMPDIR"
-	      tmpdir="$tmpdir/libtool-$$"
-	      if $mkdir "$tmpdir" && chmod 700 "$tmpdir"; then :
-	      else
-		$echo "$modename: error: cannot create temporary directory \`$tmpdir'" 1>&2
-		continue
-	      fi
+	      tmpdir=`func_mktempdir`
 	      file=`$echo "X$file$stripped_ext" | $Xsed -e 's%^.*/%%'`
 	      outputname="$tmpdir/$file"
 	      # Replace the output file specification.
@@ -5701,7 +6157,7 @@ relink_command=\"$relink_command\""
 	fi
 
 	# remove .exe since cygwin /usr/bin/install will append another
-	# one anyways
+	# one anyway 
 	case $install_prog,$host in
 	*/usr/bin/install*,*cygwin*)
 	  case $file:$destfile in
@@ -5757,9 +6213,9 @@ relink_command=\"$relink_command\""
     if test -n "$current_libdirs"; then
       # Maybe just do a dry run.
       test -n "$run" && current_libdirs=" -n$current_libdirs"
-      exec_cmd='$SHELL $0 $preserve_args --finish$current_libdirs'
+      exec_cmd='$SHELL $progpath $preserve_args --finish$current_libdirs'
     else
-      exit 0
+      exit $EXIT_SUCCESS
     fi
     ;;
 
@@ -5799,9 +6255,9 @@ relink_command=\"$relink_command\""
     fi
 
     # Exit here if they wanted silent mode.
-    test "$show" = : && exit 0
+    test "$show" = : && exit $EXIT_SUCCESS
 
-    $echo "----------------------------------------------------------------------"
+    $echo "X----------------------------------------------------------------------" | $Xsed
     $echo "Libraries have been installed in:"
     for libdir in $libdirs; do
       $echo "   $libdir"
@@ -5834,8 +6290,8 @@ relink_command=\"$relink_command\""
     $echo
     $echo "See any operating system documentation about shared libraries for"
     $echo "more information, such as the ld(1) and ld.so(8) manual pages."
-    $echo "----------------------------------------------------------------------"
-    exit 0
+    $echo "X----------------------------------------------------------------------" | $Xsed
+    exit $EXIT_SUCCESS
     ;;
 
   # libtool execute mode
@@ -5847,7 +6303,7 @@ relink_command=\"$relink_command\""
     if test -z "$cmd"; then
       $echo "$modename: you must specify a COMMAND" 1>&2
       $echo "$help"
-      exit 1
+      exit $EXIT_FAILURE
     fi
 
     # Handle -dlopen flags immediately.
@@ -5855,7 +6311,7 @@ relink_command=\"$relink_command\""
       if test ! -f "$file"; then
 	$echo "$modename: \`$file' is not a file" 1>&2
 	$echo "$help" 1>&2
-	exit 1
+	exit $EXIT_FAILURE
       fi
 
       dir=
@@ -5866,7 +6322,7 @@ relink_command=\"$relink_command\""
 	else
 	  $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
 	  $echo "$help" 1>&2
-	  exit 1
+	  exit $EXIT_FAILURE
 	fi
 
 	# Read the libtool library.
@@ -5893,7 +6349,7 @@ relink_command=\"$relink_command\""
 	  dir="$dir/$objdir"
 	else
 	  $echo "$modename: cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'" 1>&2
-	  exit 1
+	  exit $EXIT_FAILURE
 	fi
 	;;
 
@@ -5973,7 +6429,7 @@ relink_command=\"$relink_command\""
 	$echo "export $shlibpath_var"
       fi
       $echo "$cmd$args"
-      exit 0
+      exit $EXIT_SUCCESS
     fi
     ;;
 
@@ -6001,7 +6457,7 @@ relink_command=\"$relink_command\""
     if test -z "$rm"; then
       $echo "$modename: you must specify an RM program" 1>&2
       $echo "$help" 1>&2
-      exit 1
+      exit $EXIT_FAILURE
     fi
 
     rmdirs=
@@ -6051,9 +6507,17 @@ relink_command=\"$relink_command\""
 	    rmfiles="$rmfiles $objdir/$n"
 	  done
 	  test -n "$old_library" && rmfiles="$rmfiles $objdir/$old_library"
-	  test "$mode" = clean && rmfiles="$rmfiles $objdir/$name $objdir/${name}i"
 
-	  if test "$mode" = uninstall; then
+	  case "$mode" in
+	  clean)
+	    case "  $library_names " in
+	    # "  " in the beginning catches empty $dlname
+	    *" $dlname "*) ;;
+	    *) rmfiles="$rmfiles $objdir/$dlname" ;;
+	    esac
+	     test -n "$libdir" && rmfiles="$rmfiles $objdir/$name $objdir/${name}i"
+	    ;;
+	  uninstall)
 	    if test -n "$library_names"; then
 	      # Do each command in the postuninstall commands.
 	      cmds=$postuninstall_cmds
@@ -6086,7 +6550,8 @@ relink_command=\"$relink_command\""
 	      IFS="$save_ifs"
 	    fi
 	    # FIXME: should reinstall the best remaining shared library.
-	  fi
+	    ;;
+	  esac
 	fi
 	;;
 
@@ -6115,7 +6580,7 @@ relink_command=\"$relink_command\""
 	if test "$mode" = clean ; then
 	  noexename=$name
 	  case $file in
-	  *.exe) 
+	  *.exe)
 	    file=`$echo $file|${SED} 's,.exe$,,'`
 	    noexename=`$echo $name|${SED} 's,.exe$,,'`
 	    # $file with .exe has already been added to rmfiles,
@@ -6160,20 +6625,20 @@ relink_command=\"$relink_command\""
   "")
     $echo "$modename: you must specify a MODE" 1>&2
     $echo "$generic_help" 1>&2
-    exit 1
+    exit $EXIT_FAILURE
     ;;
   esac
 
   if test -z "$exec_cmd"; then
     $echo "$modename: invalid operation mode \`$mode'" 1>&2
     $echo "$generic_help" 1>&2
-    exit 1
+    exit $EXIT_FAILURE
   fi
 fi # test -z "$show_help"
 
 if test -n "$exec_cmd"; then
   eval exec $exec_cmd
-  exit 1
+  exit $EXIT_FAILURE
 fi
 
 # We need to display help for each of the modes.
@@ -6209,7 +6674,7 @@ MODE-ARGS vary depending on the MODE.  Try \`$modename --help --mode=MODE' for
 a more detailed description of MODE.
 
 Report bugs to <bug-libtool@gnu.org>."
-  exit 0
+  exit $EXIT_SUCCESS
   ;;
 
 clean)
@@ -6364,14 +6829,14 @@ Otherwise, only FILE itself is deleted using RM."
 *)
   $echo "$modename: invalid operation mode \`$mode'" 1>&2
   $echo "$help" 1>&2
-  exit 1
+  exit $EXIT_FAILURE
   ;;
 esac
 
 $echo
 $echo "Try \`$modename --help' for more information about other modes."
 
-exit 0
+exit $?
 
 # The TAGs below are defined such that we never get into a situation
 # in which we disable both kinds of libraries.  Given conflicting
@@ -6385,12 +6850,11 @@ exit 0
 # configuration.  But we'll never go from static-only to shared-only.
 
 # ### BEGIN LIBTOOL TAG CONFIG: disable-shared
-build_libtool_libs=no
-build_old_libs=yes
+disable_libs=shared
 # ### END LIBTOOL TAG CONFIG: disable-shared
 
 # ### BEGIN LIBTOOL TAG CONFIG: disable-static
-build_old_libs=`case $build_libtool_libs in yes) $echo no;; *) $echo yes;; esac`
+disable_libs=static
 # ### END LIBTOOL TAG CONFIG: disable-static
 
 # Local Variables:
diff --git a/crypto/heimdal/missing b/crypto/heimdal/missing
index e7ef83a..1c8ff70 100644
--- a/crypto/heimdal/missing
+++ b/crypto/heimdal/missing
@@ -1,9 +1,9 @@
 #! /bin/sh
 # Common stub for a few missing GNU programs while installing.
 
-scriptversion=2003-09-02.23
+scriptversion=2006-05-10.23
 
-# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003 
+# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005, 2006
 #   Free Software Foundation, Inc.
 # Originally by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
 
@@ -19,8 +19,8 @@ scriptversion=2003-09-02.23
 
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-# 02111-1307, USA.
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301, USA.
 
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -33,6 +33,8 @@ if test $# -eq 0; then
 fi
 
 run=:
+sed_output='s/.* --output[ =]\([^ ]*\).*/\1/p'
+sed_minuso='s/.* -o \([^ ]*\).*/\1/p'
 
 # In the cases where this matters, `missing' is being run in the
 # srcdir already.
@@ -44,7 +46,7 @@ fi
 
 msg="missing on your system"
 
-case "$1" in
+case $1 in
 --run)
   # Try to run requested program, and just exit if it succeeds.
   run=
@@ -60,11 +62,6 @@ case "$1" in
     msg="probably too old"
   fi
   ;;
-esac
-
-# If it does not exist, or fails to run (possibly an outdated version),
-# try to emulate it.
-case "$1" in
 
   -h|--h|--he|--hel|--help)
     echo "\
@@ -82,6 +79,7 @@ Supported PROGRAM values:
   aclocal      touch file \`aclocal.m4'
   autoconf     touch file \`configure'
   autoheader   touch file \`config.h.in'
+  autom4te     touch the output file, or create a stub one
   automake     touch all \`Makefile.in' files
   bison        create \`y.tab.[ch]', if possible, from existing .[ch]
   flex         create \`lex.yy.c', if possible, from existing .c
@@ -92,10 +90,12 @@ Supported PROGRAM values:
   yacc         create \`y.tab.[ch]', if possible, from existing .[ch]
 
 Send bug reports to <bug-automake@gnu.org>."
+    exit $?
     ;;
 
   -v|--v|--ve|--ver|--vers|--versi|--versio|--version)
     echo "missing $scriptversion (GNU Automake)"
+    exit $?
     ;;
 
   -*)
@@ -104,12 +104,42 @@ Send bug reports to <bug-automake@gnu.org>."
     exit 1
     ;;
 
-  aclocal*)
+esac
+
+# Now exit if we have it, but it failed.  Also exit now if we
+# don't have it and --version was passed (most likely to detect
+# the program).
+case $1 in
+  lex|yacc)
+    # Not GNU programs, they don't have --version.
+    ;;
+
+  tar)
+    if test -n "$run"; then
+       echo 1>&2 "ERROR: \`tar' requires --run"
+       exit 1
+    elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
+       exit 1
+    fi
+    ;;
+
+  *)
     if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
        # We have it, but it failed.
        exit 1
+    elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
+       # Could not run --version or --help.  This is probably someone
+       # running `$TOOL --version' or `$TOOL --help' to check whether
+       # $TOOL exists and not knowing $TOOL uses missing.
+       exit 1
     fi
+    ;;
+esac
 
+# If it does not exist, or fails to run (possibly an outdated version),
+# try to emulate it.
+case $1 in
+  aclocal*)
     echo 1>&2 "\
 WARNING: \`$1' is $msg.  You should only need it if
          you modified \`acinclude.m4' or \`${configure_ac}'.  You might want
@@ -119,11 +149,6 @@ WARNING: \`$1' is $msg.  You should only need it if
     ;;
 
   autoconf)
-    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
-       # We have it, but it failed.
-       exit 1
-    fi
-
     echo 1>&2 "\
 WARNING: \`$1' is $msg.  You should only need it if
          you modified \`${configure_ac}'.  You might want to install the
@@ -133,11 +158,6 @@ WARNING: \`$1' is $msg.  You should only need it if
     ;;
 
   autoheader)
-    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
-       # We have it, but it failed.
-       exit 1
-    fi
-
     echo 1>&2 "\
 WARNING: \`$1' is $msg.  You should only need it if
          you modified \`acconfig.h' or \`${configure_ac}'.  You might want
@@ -147,7 +167,7 @@ WARNING: \`$1' is $msg.  You should only need it if
     test -z "$files" && files="config.h"
     touch_files=
     for f in $files; do
-      case "$f" in
+      case $f in
       *:*) touch_files="$touch_files "`echo "$f" |
 				       sed -e 's/^[^:]*://' -e 's/:.*//'`;;
       *) touch_files="$touch_files $f.in";;
@@ -157,11 +177,6 @@ WARNING: \`$1' is $msg.  You should only need it if
     ;;
 
   automake*)
-    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
-       # We have it, but it failed.
-       exit 1
-    fi
-
     echo 1>&2 "\
 WARNING: \`$1' is $msg.  You should only need it if
          you modified \`Makefile.am', \`acinclude.m4' or \`${configure_ac}'.
@@ -173,11 +188,6 @@ WARNING: \`$1' is $msg.  You should only need it if
     ;;
 
   autom4te)
-    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
-       # We have it, but it failed.
-       exit 1
-    fi
-
     echo 1>&2 "\
 WARNING: \`$1' is needed, but is $msg.
          You might have modified some files without having the
@@ -185,8 +195,8 @@ WARNING: \`$1' is needed, but is $msg.
          You can get \`$1' as part of \`Autoconf' from any GNU
          archive site."
 
-    file=`echo "$*" | sed -n 's/.*--output[ =]*\([^ ]*\).*/\1/p'`
-    test -z "$file" && file=`echo "$*" | sed -n 's/.*-o[ ]*\([^ ]*\).*/\1/p'`
+    file=`echo "$*" | sed -n "$sed_output"`
+    test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
     if test -f "$file"; then
 	touch $file
     else
@@ -207,25 +217,25 @@ WARNING: \`$1' $msg.  You should only need it if
          in order for those modifications to take effect.  You can get
          \`Bison' from any GNU archive site."
     rm -f y.tab.c y.tab.h
-    if [ $# -ne 1 ]; then
+    if test $# -ne 1; then
         eval LASTARG="\${$#}"
-	case "$LASTARG" in
+	case $LASTARG in
 	*.y)
 	    SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'`
-	    if [ -f "$SRCFILE" ]; then
+	    if test -f "$SRCFILE"; then
 	         cp "$SRCFILE" y.tab.c
 	    fi
 	    SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'`
-	    if [ -f "$SRCFILE" ]; then
+	    if test -f "$SRCFILE"; then
 	         cp "$SRCFILE" y.tab.h
 	    fi
 	  ;;
 	esac
     fi
-    if [ ! -f y.tab.h ]; then
+    if test ! -f y.tab.h; then
 	echo >y.tab.h
     fi
-    if [ ! -f y.tab.c ]; then
+    if test ! -f y.tab.c; then
 	echo 'main() { return 0; }' >y.tab.c
     fi
     ;;
@@ -237,39 +247,32 @@ WARNING: \`$1' is $msg.  You should only need it if
          in order for those modifications to take effect.  You can get
          \`Flex' from any GNU archive site."
     rm -f lex.yy.c
-    if [ $# -ne 1 ]; then
+    if test $# -ne 1; then
         eval LASTARG="\${$#}"
-	case "$LASTARG" in
+	case $LASTARG in
 	*.l)
 	    SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'`
-	    if [ -f "$SRCFILE" ]; then
+	    if test -f "$SRCFILE"; then
 	         cp "$SRCFILE" lex.yy.c
 	    fi
 	  ;;
 	esac
     fi
-    if [ ! -f lex.yy.c ]; then
+    if test ! -f lex.yy.c; then
 	echo 'main() { return 0; }' >lex.yy.c
     fi
     ;;
 
   help2man)
-    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
-       # We have it, but it failed.
-       exit 1
-    fi
-
     echo 1>&2 "\
 WARNING: \`$1' is $msg.  You should only need it if
 	 you modified a dependency of a manual page.  You may need the
 	 \`Help2man' package in order for those modifications to take
 	 effect.  You can get \`Help2man' from any GNU archive site."
 
-    file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'`
-    if test -z "$file"; then
-	file=`echo "$*" | sed -n 's/.*--output=\([^ ]*\).*/\1/p'`
-    fi
-    if [ -f "$file" ]; then
+    file=`echo "$*" | sed -n "$sed_output"`
+    test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
+    if test -f "$file"; then
 	touch $file
     else
 	test -z "$file" || exec >$file
@@ -279,11 +282,6 @@ WARNING: \`$1' is $msg.  You should only need it if
     ;;
 
   makeinfo)
-    if test -z "$run" && (makeinfo --version) > /dev/null 2>&1; then
-       # We have makeinfo, but it failed.
-       exit 1
-    fi
-
     echo 1>&2 "\
 WARNING: \`$1' is $msg.  You should only need it if
          you modified a \`.texi' or \`.texinfo' file, or any other file
@@ -291,20 +289,29 @@ WARNING: \`$1' is $msg.  You should only need it if
          call might also be the consequence of using a buggy \`make' (AIX,
          DU, IRIX).  You might want to install the \`Texinfo' package or
          the \`GNU make' package.  Grab either from any GNU archive site."
-    file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'`
+    # The file to touch is that specified with -o ...
+    file=`echo "$*" | sed -n "$sed_output"`
+    test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
     if test -z "$file"; then
-      file=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'`
-      file=`sed -n '/^@setfilename/ { s/.* \([^ ]*\) *$/\1/; p; q; }' $file`
+      # ... or it is the one specified with @setfilename ...
+      infile=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'`
+      file=`sed -n '
+	/^@setfilename/{
+	  s/.* \([^ ]*\) *$/\1/
+	  p
+	  q
+	}' $infile`
+      # ... or it is derived from the source name (dir/f.texi becomes f.info)
+      test -z "$file" && file=`echo "$infile" | sed 's,.*/,,;s,.[^.]*$,,'`.info
     fi
+    # If the file does not exist, the user really needs makeinfo;
+    # let's fail without touching anything.
+    test -f $file || exit 1
     touch $file
     ;;
 
   tar)
     shift
-    if test -n "$run"; then
-      echo 1>&2 "ERROR: \`tar' requires --run"
-      exit 1
-    fi
 
     # We have already tried tar in the generic part.
     # Look for gnutar/gtar before invocation to avoid ugly error
@@ -317,13 +324,13 @@ WARNING: \`$1' is $msg.  You should only need it if
     fi
     firstarg="$1"
     if shift; then
-	case "$firstarg" in
+	case $firstarg in
 	*o*)
 	    firstarg=`echo "$firstarg" | sed s/o//`
 	    tar "$firstarg" "$@" && exit 0
 	    ;;
 	esac
-	case "$firstarg" in
+	case $firstarg in
 	*h*)
 	    firstarg=`echo "$firstarg" | sed s/h//`
 	    tar "$firstarg" "$@" && exit 0
diff --git a/crypto/heimdal/packages/ChangeLog b/crypto/heimdal/packages/ChangeLog
new file mode 100644
index 0000000..50f2575
--- /dev/null
+++ b/crypto/heimdal/packages/ChangeLog
@@ -0,0 +1,26 @@
+2007-12-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* mac/Makefile.am: Rename Info.plist.in Info.plist.
+
+	* mac/mac.sh: Adapt to macos 10.5 packagemaker
+
+	* mac/Info.plist{,.in}: Rename, content static now
+	
+	* mac/Info.plist.in: set version number via makepackage
+
+2007-12-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* mac/mac.sh: Packagemaker switch location.
+	
+2007-10-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: SUBDIRS += debian
+	
+	* debian: EXTRA_DIST
+	
+2006-11-15  Love Hörnquist Åstrand <lha@it.su.se>
+
+	* mac/mac.sh: clean after ourself.
+
+	* mac/mac.sh: how to build a mac package
+	
diff --git a/crypto/heimdal/packages/Makefile.am b/crypto/heimdal/packages/Makefile.am
new file mode 100644
index 0000000..dbad7b1
--- /dev/null
+++ b/crypto/heimdal/packages/Makefile.am
@@ -0,0 +1,6 @@
+# $Id: Makefile.am 22003 2007-10-23 08:41:16Z lha $
+
+include $(top_srcdir)/Makefile.am.common
+
+SUBDIRS=  mac debian
+
diff --git a/crypto/heimdal/packages/Makefile.in b/crypto/heimdal/packages/Makefile.in
new file mode 100644
index 0000000..a65d1fa
--- /dev/null
+++ b/crypto/heimdal/packages/Makefile.in
@@ -0,0 +1,815 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# $Id: Makefile.am 22003 2007-10-23 08:41:16Z lha $
+
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
+
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
+	$(top_srcdir)/Makefile.am.common \
+	$(top_srcdir)/cf/Makefile.am.common ChangeLog
+subdir = packages
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
+	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
+	$(top_srcdir)/cf/broken-glob.m4 \
+	$(top_srcdir)/cf/broken-realloc.m4 \
+	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
+	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
+	$(top_srcdir)/cf/capabilities.m4 \
+	$(top_srcdir)/cf/check-compile-et.m4 \
+	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
+	$(top_srcdir)/cf/check-man.m4 \
+	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
+	$(top_srcdir)/cf/check-type-extra.m4 \
+	$(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \
+	$(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \
+	$(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
+	$(top_srcdir)/cf/dlopen.m4 \
+	$(top_srcdir)/cf/find-func-no-libs.m4 \
+	$(top_srcdir)/cf/find-func-no-libs2.m4 \
+	$(top_srcdir)/cf/find-func.m4 \
+	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
+	$(top_srcdir)/cf/have-struct-field.m4 \
+	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
+	$(top_srcdir)/cf/krb-bigendian.m4 \
+	$(top_srcdir)/cf/krb-func-getlogin.m4 \
+	$(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
+	$(top_srcdir)/cf/krb-readline.m4 \
+	$(top_srcdir)/cf/krb-struct-spwd.m4 \
+	$(top_srcdir)/cf/krb-struct-winsize.m4 \
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/include/config.h
+CONFIG_CLEAN_FILES =
+depcomp =
+am__depfiles_maybe =
+SOURCES =
+DIST_SOURCES =
+RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
+	html-recursive info-recursive install-data-recursive \
+	install-dvi-recursive install-exec-recursive \
+	install-html-recursive install-info-recursive \
+	install-pdf-recursive install-ps-recursive install-recursive \
+	installcheck-recursive installdirs-recursive pdf-recursive \
+	ps-recursive uninstall-recursive
+RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
+  distclean-recursive maintainer-clean-recursive
+ETAGS = etags
+CTAGS = ctags
+DIST_SUBDIRS = $(SUBDIRS)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CFLAGS = @CFLAGS@
+COMPILE_ET = @COMPILE_ET@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DBLIB = @DBLIB@
+DEFS = @DEFS@
+DIR_com_err = @DIR_com_err@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
+DIR_roken = @DIR_roken@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GREP = @GREP@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+INCLUDE_krb4 = @INCLUDE_krb4@
+INCLUDE_openldap = @INCLUDE_openldap@
+INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_NDBM = @LIB_NDBM@
+LIB_XauFileName = @LIB_XauFileName@
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_XauWriteAuth = @LIB_XauWriteAuth@
+LIB_bswap16 = @LIB_bswap16@
+LIB_bswap32 = @LIB_bswap32@
+LIB_com_err = @LIB_com_err@
+LIB_com_err_a = @LIB_com_err_a@
+LIB_com_err_so = @LIB_com_err_so@
+LIB_crypt = @LIB_crypt@
+LIB_db_create = @LIB_db_create@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
+LIB_el_init = @LIB_el_init@
+LIB_freeaddrinfo = @LIB_freeaddrinfo@
+LIB_gai_strerror = @LIB_gai_strerror@
+LIB_getaddrinfo = @LIB_getaddrinfo@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_gethostbyname2 = @LIB_gethostbyname2@
+LIB_getnameinfo = @LIB_getnameinfo@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
+LIB_hesiod = @LIB_hesiod@
+LIB_hstrerror = @LIB_hstrerror@
+LIB_kdb = @LIB_kdb@
+LIB_krb4 = @LIB_krb4@
+LIB_loadquery = @LIB_loadquery@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_openldap = @LIB_openldap@
+LIB_openpty = @LIB_openpty@
+LIB_otp = @LIB_otp@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
+LIB_res_nsearch = @LIB_res_nsearch@
+LIB_res_search = @LIB_res_search@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VERSIONING = @VERSIONING@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
+X_CFLAGS = @X_CFLAGS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_LIBS = @X_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dpagaix_cflags = @dpagaix_cflags@
+dpagaix_ldadd = @dpagaix_ldadd@
+dpagaix_ldflags = @dpagaix_ldflags@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
+@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
+AM_CFLAGS = $(WFLAGS)
+CP = cp
+buildinclude = $(top_builddir)/include
+LIB_getattr = @LIB_getattr@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_setpcred = @LIB_setpcred@
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+NROFF_MAN = groff -mandoc -Tascii
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
+@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+SUBDIRS = mac debian
+all: all-recursive
+
+.SUFFIXES:
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign  --ignore-deps packages/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign  --ignore-deps packages/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+#     (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+$(RECURSIVE_TARGETS):
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  || eval $$failcom; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
+$(RECURSIVE_CLEAN_TARGETS):
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
+	dot_seen=no; \
+	case "$@" in \
+	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+	  *) list='$(SUBDIRS)' ;; \
+	esac; \
+	rev=''; for subdir in $$list; do \
+	  if test "$$subdir" = "."; then :; else \
+	    rev="$$subdir $$rev"; \
+	  fi; \
+	done; \
+	rev="$$rev ."; \
+	target=`echo $@ | sed s/-recursive//`; \
+	for subdir in $$rev; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  || eval $$failcom; \
+	done && test -z "$$fail"
+tags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	done
+ctags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
+	done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
+	  include_option=--etags-include; \
+	  empty_fix=.; \
+	else \
+	  include_option=--include; \
+	  empty_fix=; \
+	fi; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    test ! -f $$subdir/TAGS || \
+	      tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \
+	  fi; \
+	done; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS: ctags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    test -d "$(distdir)/$$subdir" \
+	    || $(MKDIR_P) "$(distdir)/$$subdir" \
+	    || exit 1; \
+	    distdir=`$(am__cd) $(distdir) && pwd`; \
+	    top_distdir=`$(am__cd) $(top_distdir) && pwd`; \
+	    (cd $$subdir && \
+	      $(MAKE) $(AM_MAKEFLAGS) \
+	        top_distdir="$$top_distdir" \
+	        distdir="$$distdir/$$subdir" \
+		am__remove_distdir=: \
+		am__skip_length_check=: \
+	        distdir) \
+	      || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) \
+	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
+	  dist-hook
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-recursive
+all-am: Makefile all-local
+installdirs: installdirs-recursive
+installdirs-am:
+install: install-recursive
+install-exec: install-exec-recursive
+install-data: install-data-recursive
+uninstall: uninstall-recursive
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-recursive
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-recursive
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-recursive
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic distclean-tags
+
+dvi: dvi-recursive
+
+dvi-am:
+
+html: html-recursive
+
+info: info-recursive
+
+info-am:
+
+install-data-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
+
+install-dvi: install-dvi-recursive
+
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+
+install-html: install-html-recursive
+
+install-info: install-info-recursive
+
+install-man:
+
+install-pdf: install-pdf-recursive
+
+install-ps: install-ps-recursive
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-recursive
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-recursive
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-recursive
+
+pdf-am:
+
+ps: ps-recursive
+
+ps-am:
+
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \
+	install-data-am install-exec-am install-strip uninstall-am
+
+.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
+	all all-am all-local check check-am check-local clean \
+	clean-generic clean-libtool ctags ctags-recursive dist-hook \
+	distclean distclean-generic distclean-libtool distclean-tags \
+	distdir dvi dvi-am html html-am info info-am install \
+	install-am install-data install-data-am install-data-hook \
+	install-dvi install-dvi-am install-exec install-exec-am \
+	install-exec-hook install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs installdirs-am maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \
+	uninstall uninstall-am uninstall-hook
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+
+check-local::
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
+	  foo='$(CHECK_LOCAL)'; else \
+	  foo='$(PROGRAMS)'; fi; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0 || exit 1; \
+	fi
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/packages/debian/Makefile.am b/crypto/heimdal/packages/debian/Makefile.am
new file mode 100644
index 0000000..a73dc80
--- /dev/null
+++ b/crypto/heimdal/packages/debian/Makefile.am
@@ -0,0 +1,91 @@
+# $Id$
+
+include $(top_srcdir)/Makefile.am.common
+
+EXTRA_DIST = \
+	README \
+	README.Debian \
+	changelog \
+	compat \
+	control \
+	copyright \
+	extras/default \
+	extras/kadmind.acl \
+	extras/kdc.conf \
+	heimdal-clients-x.install \
+	heimdal-clients.install \
+	heimdal-clients.postinst \
+	heimdal-clients.prerm \
+	heimdal-dev.install \
+	heimdal-docs.install \
+	heimdal-kcm.init \
+	heimdal-kcm.install \
+	heimdal-kdc.dirs \
+	heimdal-kdc.examples \
+	heimdal-kdc.init \
+	heimdal-kdc.install \
+	heimdal-kdc.logrotate \
+	heimdal-kdc.postinst \
+	heimdal-kdc.postrm \
+	heimdal-kdc.templates \
+	heimdal-servers-x.dirs \
+	heimdal-servers-x.install \
+	heimdal-servers-x.postinst \
+	heimdal-servers-x.postrm \
+	heimdal-servers-x.prerm \
+	heimdal-servers.dirs \
+	heimdal-servers.install \
+	heimdal-servers.postinst \
+	heimdal-servers.postrm \
+	heimdal-servers.prerm \
+	libasn1-8-heimdal.install \
+	libasn1-8-heimdal.postinst.debhelper \
+	libasn1-8-heimdal.postrm.debhelper \
+	libasn1-8-heimdal.substvars \
+	libgssapi2-heimdal.install \
+	libgssapi2-heimdal.postinst.debhelper \
+	libgssapi2-heimdal.postrm.debhelper \
+	libgssapi2-heimdal.substvars \
+	libhdb9-heimdal.install \
+	libhdb9-heimdal.postinst.debhelper \
+	libhdb9-heimdal.postrm.debhelper \
+	libhdb9-heimdal.substvars \
+	libkadm5clnt7-heimdal.install \
+	libkadm5clnt7-heimdal.postinst.debhelper \
+	libkadm5clnt7-heimdal.postrm.debhelper \
+	libkadm5clnt7-heimdal.substvars \
+	libkadm5srv7-heimdal.install \
+	libkadm5srv8-heimdal.install \
+	libkafs0-heimdal.install \
+	libkrb5-22-heimdal.install \
+	libkrb5-22-heimdal.postinst.debhelper \
+	libkrb5-22-heimdal.postrm.debhelper \
+	libkrb5-22-heimdal.substvars \
+	libotp0-heimdal.install \
+	libroken18-heimdal.install \
+	libroken18-heimdal.postinst.debhelper \
+	libroken18-heimdal.postrm.debhelper \
+	libroken18-heimdal.substvars \
+	libsl0-heimdal.install \
+	patches/021_debian \
+	patches/022_ftp-roken-glob \
+	patches/022_openafs \
+	patches/025_pthreads \
+	patches/026_posix_max \
+	po/POTFILES.in \
+	po/cs.po \
+	po/da.po \
+	po/de.po \
+	po/es.po \
+	po/fr.po \
+	po/gl.po \
+	po/ja.po \
+	po/nl.po \
+	po/pt.po \
+	po/pt_BR.po \
+	po/ru.po \
+	po/sv.po \
+	po/templates.pot \
+	po/vi.po \
+	rules \
+	scripts/convert_source
diff --git a/crypto/heimdal/packages/debian/Makefile.in b/crypto/heimdal/packages/debian/Makefile.in
new file mode 100644
index 0000000..8be56b0
--- /dev/null
+++ b/crypto/heimdal/packages/debian/Makefile.in
@@ -0,0 +1,745 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# $Id$
+
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
+
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
+	$(top_srcdir)/Makefile.am.common \
+	$(top_srcdir)/cf/Makefile.am.common
+subdir = packages/debian
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
+	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
+	$(top_srcdir)/cf/broken-glob.m4 \
+	$(top_srcdir)/cf/broken-realloc.m4 \
+	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
+	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
+	$(top_srcdir)/cf/capabilities.m4 \
+	$(top_srcdir)/cf/check-compile-et.m4 \
+	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
+	$(top_srcdir)/cf/check-man.m4 \
+	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
+	$(top_srcdir)/cf/check-type-extra.m4 \
+	$(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \
+	$(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \
+	$(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
+	$(top_srcdir)/cf/dlopen.m4 \
+	$(top_srcdir)/cf/find-func-no-libs.m4 \
+	$(top_srcdir)/cf/find-func-no-libs2.m4 \
+	$(top_srcdir)/cf/find-func.m4 \
+	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
+	$(top_srcdir)/cf/have-struct-field.m4 \
+	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
+	$(top_srcdir)/cf/krb-bigendian.m4 \
+	$(top_srcdir)/cf/krb-func-getlogin.m4 \
+	$(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
+	$(top_srcdir)/cf/krb-readline.m4 \
+	$(top_srcdir)/cf/krb-struct-spwd.m4 \
+	$(top_srcdir)/cf/krb-struct-winsize.m4 \
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/include/config.h
+CONFIG_CLEAN_FILES =
+depcomp =
+am__depfiles_maybe =
+SOURCES =
+DIST_SOURCES =
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CFLAGS = @CFLAGS@
+COMPILE_ET = @COMPILE_ET@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DBLIB = @DBLIB@
+DEFS = @DEFS@
+DIR_com_err = @DIR_com_err@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
+DIR_roken = @DIR_roken@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GREP = @GREP@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+INCLUDE_krb4 = @INCLUDE_krb4@
+INCLUDE_openldap = @INCLUDE_openldap@
+INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_NDBM = @LIB_NDBM@
+LIB_XauFileName = @LIB_XauFileName@
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_XauWriteAuth = @LIB_XauWriteAuth@
+LIB_bswap16 = @LIB_bswap16@
+LIB_bswap32 = @LIB_bswap32@
+LIB_com_err = @LIB_com_err@
+LIB_com_err_a = @LIB_com_err_a@
+LIB_com_err_so = @LIB_com_err_so@
+LIB_crypt = @LIB_crypt@
+LIB_db_create = @LIB_db_create@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
+LIB_el_init = @LIB_el_init@
+LIB_freeaddrinfo = @LIB_freeaddrinfo@
+LIB_gai_strerror = @LIB_gai_strerror@
+LIB_getaddrinfo = @LIB_getaddrinfo@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_gethostbyname2 = @LIB_gethostbyname2@
+LIB_getnameinfo = @LIB_getnameinfo@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
+LIB_hesiod = @LIB_hesiod@
+LIB_hstrerror = @LIB_hstrerror@
+LIB_kdb = @LIB_kdb@
+LIB_krb4 = @LIB_krb4@
+LIB_loadquery = @LIB_loadquery@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_openldap = @LIB_openldap@
+LIB_openpty = @LIB_openpty@
+LIB_otp = @LIB_otp@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
+LIB_res_nsearch = @LIB_res_nsearch@
+LIB_res_search = @LIB_res_search@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VERSIONING = @VERSIONING@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
+X_CFLAGS = @X_CFLAGS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_LIBS = @X_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dpagaix_cflags = @dpagaix_cflags@
+dpagaix_ldadd = @dpagaix_ldadd@
+dpagaix_ldflags = @dpagaix_ldflags@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
+@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
+AM_CFLAGS = $(WFLAGS)
+CP = cp
+buildinclude = $(top_builddir)/include
+LIB_getattr = @LIB_getattr@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_setpcred = @LIB_setpcred@
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+NROFF_MAN = groff -mandoc -Tascii
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
+@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+EXTRA_DIST = \
+	README \
+	README.Debian \
+	changelog \
+	compat \
+	control \
+	copyright \
+	extras/default \
+	extras/kadmind.acl \
+	extras/kdc.conf \
+	heimdal-clients-x.install \
+	heimdal-clients.install \
+	heimdal-clients.postinst \
+	heimdal-clients.prerm \
+	heimdal-dev.install \
+	heimdal-docs.install \
+	heimdal-kcm.init \
+	heimdal-kcm.install \
+	heimdal-kdc.dirs \
+	heimdal-kdc.examples \
+	heimdal-kdc.init \
+	heimdal-kdc.install \
+	heimdal-kdc.logrotate \
+	heimdal-kdc.postinst \
+	heimdal-kdc.postrm \
+	heimdal-kdc.templates \
+	heimdal-servers-x.dirs \
+	heimdal-servers-x.install \
+	heimdal-servers-x.postinst \
+	heimdal-servers-x.postrm \
+	heimdal-servers-x.prerm \
+	heimdal-servers.dirs \
+	heimdal-servers.install \
+	heimdal-servers.postinst \
+	heimdal-servers.postrm \
+	heimdal-servers.prerm \
+	libasn1-8-heimdal.install \
+	libasn1-8-heimdal.postinst.debhelper \
+	libasn1-8-heimdal.postrm.debhelper \
+	libasn1-8-heimdal.substvars \
+	libgssapi2-heimdal.install \
+	libgssapi2-heimdal.postinst.debhelper \
+	libgssapi2-heimdal.postrm.debhelper \
+	libgssapi2-heimdal.substvars \
+	libhdb9-heimdal.install \
+	libhdb9-heimdal.postinst.debhelper \
+	libhdb9-heimdal.postrm.debhelper \
+	libhdb9-heimdal.substvars \
+	libkadm5clnt7-heimdal.install \
+	libkadm5clnt7-heimdal.postinst.debhelper \
+	libkadm5clnt7-heimdal.postrm.debhelper \
+	libkadm5clnt7-heimdal.substvars \
+	libkadm5srv7-heimdal.install \
+	libkadm5srv8-heimdal.install \
+	libkafs0-heimdal.install \
+	libkrb5-22-heimdal.install \
+	libkrb5-22-heimdal.postinst.debhelper \
+	libkrb5-22-heimdal.postrm.debhelper \
+	libkrb5-22-heimdal.substvars \
+	libotp0-heimdal.install \
+	libroken18-heimdal.install \
+	libroken18-heimdal.postinst.debhelper \
+	libroken18-heimdal.postrm.debhelper \
+	libroken18-heimdal.substvars \
+	libsl0-heimdal.install \
+	patches/021_debian \
+	patches/022_ftp-roken-glob \
+	patches/022_openafs \
+	patches/025_pthreads \
+	patches/026_posix_max \
+	po/POTFILES.in \
+	po/cs.po \
+	po/da.po \
+	po/de.po \
+	po/es.po \
+	po/fr.po \
+	po/gl.po \
+	po/ja.po \
+	po/nl.po \
+	po/pt.po \
+	po/pt_BR.po \
+	po/ru.po \
+	po/sv.po \
+	po/templates.pot \
+	po/vi.po \
+	rules \
+	scripts/convert_source
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign  --ignore-deps packages/debian/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign  --ignore-deps packages/debian/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+tags: TAGS
+TAGS:
+
+ctags: CTAGS
+CTAGS:
+
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) \
+	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
+	  dist-hook
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+all-am: Makefile all-local
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
+.PHONY: all all-am all-local check check-am check-local clean \
+	clean-generic clean-libtool dist-hook distclean \
+	distclean-generic distclean-libtool distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	uninstall uninstall-am uninstall-hook
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+
+check-local::
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
+	  foo='$(CHECK_LOCAL)'; else \
+	  foo='$(PROGRAMS)'; fi; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0 || exit 1; \
+	fi
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/packages/debian/README b/crypto/heimdal/packages/debian/README
new file mode 100644
index 0000000..1a59f00
--- /dev/null
+++ b/crypto/heimdal/packages/debian/README
@@ -0,0 +1,15 @@
+
+d=ubuntu/gutsy
+
+mkdir foo
+cd foo
+svn co .... heimdal-src
+cd heimdal-src
+ln -s packages/debian
+test -f configure || autoreconf -f -i
+fakeroot debian/rules binary
+cd ..
+cp *.deb /afs/pdc.kth.se/public/ftp/pub/heimdal/binaries/$dist
+cd /afs/pdc.kth.se/public/ftp/pub/heimdal/binaries/$dist
+dpkg-scanpackages . /dev/null 2> /dev/null | gzip -9 > Packages.gz
+
diff --git a/crypto/heimdal/packages/debian/README.Debian b/crypto/heimdal/packages/debian/README.Debian
new file mode 100644
index 0000000..41a73cc
--- /dev/null
+++ b/crypto/heimdal/packages/debian/README.Debian
@@ -0,0 +1,120 @@
+Note on ksu
+-----------
+This program is not installed setuid root be default. If you want to
+install it setuid root, then you can override the package permissions
+with:
+
+dpkg-statoverride --update --add root root 4755 /usr/bin/ksu
+
+Note on ipropd and/or hpropd
+----------------------------
+The following entries may be required in you /etc/services
+file (see bug #139845):
+
+krb_prop      754/tcp                         # Kerberos slave propagation
+iprop         2121/tcp                        # incremental propagation
+
+Note on kerberos.8 man page
+---------------------------
+This man page is not currently included due to conflict with kerberos4kth-kdc
+package. For more information on Kerberos, see:
+http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html
+
+Installing heimdal for Debian
+-----------------------------
+(Note: if you do not have a krb4 KDC, you may need to include
+"krb4_get_tickets = no" in the [libdefaults] section of
+kdc.conf; otherwise kinit will complain with an error).
+
+Things you will have to do manually (see info documentation for
+details):
+
+On KDC:
+1. Add adminstrator keys using kadmin.
+
+For example:
+# kadmin -l
+kadmin> add bam/admin
+Max ticket life [unlimited]:
+Max renewable life [unlimited]:
+Principal expiration time [never]:
+Password expiration time [never]:
+Attributes []:
+bam/admin@CHOCBIT.ORG.AU's Password:
+Verifying password - bam/admin@CHOCBIT.ORG.AU's Password:
+
+2. Add kadmin/admin key to KDC:
+
+For example:
+# kadmin -l
+kadmin> add -r kadmin/admin@CHOCBIT.ORG.AU
+Max ticket life [unlimited]:
+Max renewable life [unlimited]:
+Principal expiration time [never]:
+Password expiration time [never]:
+Attributes []:
+
+(note: this key doesn't need to be extracted).
+
+3. Enable remote admistration by creating /etc/heimdal-kdc/kadmind.acl
+
+For example:
+echo 'bam/admin@CHOCBIT.ORG.AU all' > /etc/heimdal-kdc/kadmind.acl
+
+4. Test.
+
+For example:
+# kadmin -p bam/admin
+bam/admin@CHOCBIT.ORG.AU's Password:
+kadmin> list *
+[should list all keys]
+
+5. Add user keys
+
+For example:
+# kadmin -p bam/admin
+bam/admin@CHOCBIT.ORG.AU's Password:
+kadmin> add bam
+
+
+On other computers:
+1. If you installed heimdal-clients-x or heimdal-servers-x,
+then you will need to add the following entry to /etc/services
+kx              2111/tcp                        # X over kerberos
+(check to make sure this doesn't already exist).
+2. edit /etc/krb5.conf
+3. setup secret keys each computer, using kadmin and/or ktutil.
+
+For example, on remote computer dewey.chocbit.org.au:
+bam/admin@CHOCBIT.ORG.AU's Password:
+kadmin> add -r host/dewey.chocbit.org.au
+[...]
+kadmin> ext host/dewey.chocbit.org.au
+kadmin> add -r ftp/dewey.chocbit.org.au
+[...]
+kadmin> ext ftp/dewey.chocbit.org.au
+
+The ext command extracts keys to /etc/krb5.keytab, where
+they can be inspected with the "ktutil list" command at the
+shell prompt.
+
+Tell me if any files conflict with any other package - do not
+try to force the package to install, otherwise things may break...
+In general, this package conflicts with kerberos4kth and
+probably MIT Kerberos (not packaged as of potato). Local
+installations under /usr/local should be OK.
+
+Changes from upstream source:
+1. popper checks for $HOME/Maildir, $HOME/Mailbox and /var/spool/mail/<user>
+in that order.
+2. /var/lib/heimdal-kdc used instead of /var/heimdal
+3. /usr/bin/login moved to /usr/lib/heimdal-servers
+4. /usr/lib/heimdal-servers used instead of /usr/libexec
+5. telnet and ftp have been renamed to ktelnet and kftp, and
+use the update-alternatives mechanism. In the future, this
+should allow heimdal-clients to exist at the same time
+as telnet-ssl.
+6. kdc config files kdc.conf and kadmind.acl stored in
+/etc/heimdal-kdc instead of /usr/lib/heimdal-servers.
+
+ -- Brian May <bam@debian.org>, Wed,  8 Dec 1999 11:54:13 +1100
diff --git a/crypto/heimdal/packages/debian/changelog b/crypto/heimdal/packages/debian/changelog
new file mode 100644
index 0000000..b6ae93c
--- /dev/null
+++ b/crypto/heimdal/packages/debian/changelog
@@ -0,0 +1,1168 @@
+heimdal (1.0.2RC5.dfsg.1) gutsy; urgency=low
+
+  * New version
+
+ -- Love Hörnquist Åstrand <lha@h5l.se>  Mon, 4 Dec 2007 17:54:28 -0200
+
+heimdal (1.0.2RC2.dfsg.1) gutsy; urgency=low
+
+  * New version
+
+  * Add new libs
+
+ -- Love Hörnquist Åstrand <lha@h5l.se>  Fri, 19 Oct 2007 17:54:28 -0200
+
+heimdal (0.7.2.dfsg.1-10ubuntu2) gutsy; urgency=low
+
+  * debian/control:
+    - Actually added openbsd-inetd | inet-superserver to heimdal-servers'
+      dependencies (LP: #123782). 
+    - DebainMaintainerField foo
+
+ -- Rick Clark <rick.clark@ubuntu.com>  Tue, 03 Jul 2007 19:58:47 -0400
+
+heimdal (0.7.2.dfsg.1-10ubuntu1) feisty; urgency=low
+
+  * Merge from debian unstable, remaining changes:
+    - Add update-inetd to heimdal-servers and heimdal-kdc's dependencies
+    - Add openbsd-inetd | inet-superserver to heimdal-servers dependencies
+
+ -- Lionel Porcheron <lionel@alveonet.org>  Fri, 09 Feb 2007 14:17:33 +0100
+
+heimdal (0.7.2.dfsg.1-10) unstable; urgency=low
+
+  * Add Portuguese debconf translation (closes: #408186).
+  * Properly quote values in heimdal-kdc's postinst (closes: #408908).
+  * Fixes broken conflicts in libsl0-heimdal (closes: #406651).
+
+ -- Brian May <bam@snoopy.debian.net>  Thu,  8 Feb 2007 15:27:28 +1100
+
+heimdal (0.7.2.dfsg.1-9ubuntu1) feisty; urgency=low
+
+  * Merge from Debian unstable, remaining changes:
+    - Add update-inetd to heimdal-servers and heimdal-kdc's dependencies
+    - Add openbsd-inetd | inet-superserver to heimdal-servers dependencies
+
+ -- Lionel Porcheron <lionel@alveonet.org>  Sun, 14 Jan 2007 21:48:33 +0100
+
+heimdal (0.7.2.dfsg.1-9) unstable; urgency=low
+
+  * Include Spanish po-debconf translation (closes: #403481).
+
+ -- Brian May <bam@snoopy.debian.net>  Thu, 11 Jan 2007 09:09:26 +1100
+
+heimdal (0.7.2.dfsg.1-8ubuntu1) feisty; urgency=low
+
+  * debian/control: Add update-inetd to heimdal-servers's dependencies
+    (Closes Ubuntu: #76104).
+  * debian/control: Add openbsd-inetd | inet-superserver dependencies
+    as heimdal-servers needs an inet server to work
+
+ -- Lionel Porcheron <lionel@alveonet.org>  Sun, 17 Dec 2006 11:28:51 +0100
+
+heimdal (0.7.2.dfsg.1-8) unstable; urgency=high
+
+  * Swap -n with -z in test, otherwise servers won't get added on initial
+    installation. This was due to broken fix for #401258.
+
+ -- Brian May <bam@snoopy.debian.net>  Wed, 13 Dec 2006 14:45:52 +1100
+
+heimdal (0.7.2.dfsg.1-7) unstable; urgency=high
+
+  * Don't change services on upgrades, only on fresh installation, purge, and
+    upgrade from old versions.  Closes: #401258.
+
+ -- Brian May <bam@snoopy.debian.net>  Tue, 12 Dec 2006 14:45:22 +1100
+
+heimdal (0.7.2.dfsg.1-6) unstable; urgency=low
+
+  * Update maintainer E-Mail address.
+
+ -- Brian May <bam@snoopy.debian.net>  Mon, 20 Nov 2006 12:02:02 +1100
+
+heimdal (0.7.2.dfsg.1-5) unstable; urgency=low
+
+  * Rebuild against latest openldap (closes: #385809).
+  * Add SLAVE_PARAMS to KDC /etc/default/heimdal-kdc file (closes: #392933).
+  * Fix klist man page (closes: #389848).
+
+ -- Brian May <bam@debian.org>  Mon, 16 Oct 2006 15:15:32 +1000
+
+heimdal (0.7.2.dfsg.1-4) unstable; urgency=low
+
+  * Include KCM (closes: #379245).
+  * Move heimdal-docs to Section: doc.
+
+ -- Brian May <bam@debian.org>  Tue, 22 Aug 2006 12:19:57 +1000
+
+heimdal (0.7.2.dfsg.1-3) unstable; urgency=low
+
+  * Remove bashism in debian/rules. Closes: #376082.
+  * Build depends on texinfo, required for makeinfo. Closes: #376224.
+
+ -- Brian May <bam@debian.org>  Sun,  2 Jul 2006 10:49:35 +1000
+
+heimdal (0.7.2.dfsg.1-2) unstable; urgency=low
+
+  * Search for all references to HDB_DB_DIR "/kdc.conf" and replace with
+    "/etc/heimdal-kdc/kdc.conf". Closes: #365883, #365890.
+
+ -- Brian May <bam@debian.org>  Sun, 14 May 2006 10:42:24 +1000
+
+heimdal (0.7.2.dfsg.1-1) unstable; urgency=low
+
+  * Remove non-free documentation. Closes: #364860.
+  * Add Galician debconf templates. Closes: #362091.
+  * Update standards version to 3.7.2.
+
+ -- Brian May <bam@debian.org>  Sat, 13 May 2006 16:02:41 +1000
+
+heimdal (0.7.2-4) unstable; urgency=low
+
+  * Fix file deletion in postrm. Closes: #361411.
+
+ -- Brian May <bam@debian.org>  Mon, 10 Apr 2006 12:45:34 +1000
+
+heimdal (0.7.2-3) unstable; urgency=low
+
+  * Move heimdal-kdc config files, kdc.conf, kadmind.acl and .configured, from
+    /var/lib/heimdal-kdc to /etc/heimdal-kdc. Closes: #351960.
+
+ -- Brian May <bam@debian.org>  Fri,  7 Apr 2006 10:13:55 +1000
+
+heimdal (0.7.2-2) unstable; urgency=low
+
+  * Install krcp.1 manpage.
+  * Move xnlock.1 man page to correct man page section 1.
+  * heimdal-dev: add depends on comerr-dev. Closes: #357115.
+
+ -- Brian May <bam@debian.org>  Thu, 16 Mar 2006 19:15:32 +1100
+
+heimdal (0.7.2-1) unstable; urgency=low
+
+  * New upstream version. Includes security fixes. Changes from upstream:
+
+        * Fix security problem in rshd that enable an attacker to overwrite
+          and change ownership of any file that root could write
+          (CVE-2006-0582).
+
+        * Fix a DOS in telnetd. The attacker could force the server to crash
+          in a NULL de-reference before the user logged in, resulting in inetd
+          turning telnetd off because it forked too fast (CVE-2006-0677).
+
+        * Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name
+          exists in the keytab before returning success. This allows servers
+          to check if its even possible to use GSSAPI.
+
+        * Fix receiving end of token delegation for GSS-API. It still wrongly
+          uses subkey for sending for compatibility reasons, this will change
+          in 0.8.
+
+        * telnetd, login and rshd are now more verbose in logging failed and
+          successful logins.
+
+        * Bug fixes.
+
+  * Ditch dbs build system in preference for quilt and cdbs.
+
+  * Don't install /usr/include/ss. It's not included by any other header
+    in heimdal-dev and is provided by ss-dev. Closes: #349213.
+
+  * Also remove /usr/bin/mk_cmds which is also provided by ss-dev.
+
+  * Supply /etc/ldap/schema/hdb.schema. Closes: #355287.
+
+  * Move iprop man pages from heimdal-clients package into
+    heimdal-kdc package. Closes: #347555.
+
+  * Change default program for krsh from rlogin to ktelnet if no parameters
+    given.  Closes: #355080.
+
+ -- Brian May <bam@debian.org>  Thu,  9 Mar 2006 18:24:51 +1100
+
+heimdal (0.7.1-3) unstable; urgency=high
+
+  * Brian May <bam@debian.org>:
+    * Delete patches for old Heimdal versions.
+    * Update Swedish debconf translation (closes: #347605).
+  * Michael Banck <mbanck@debian.org>:
+    * Changes for GNU HURD: 026_posix_max (closes: #113317),
+                            026_no_afs (closes: #324342).
+  * Steve Langasek <vorlon@debian.org>:
+    * 025_pthreads
+    * High-urgency upload for RC bugfix.
+    * Use -pthread -lpthread when linking shared libs, not just -pthread,
+      needed for proper linking of libgssapi on mips/mipsel.  Closes: #346346.
+    * Build-depend on libx11-dev, libxau-dev, libxt-dev, x-dev instead of the
+      obsolete xlibs-dev.  Closes: #346680.
+
+ -- Brian May <bam@debian.org>  Fri, 13 Jan 2006 19:04:05 +1100
+
+heimdal (0.7.1-2) unstable; urgency=low
+
+  * Apply 022_ftp-roken-glob again.
+  * Upload for unstable.
+
+ -- Brian May <bam@debian.org>  Thu, 22 Dec 2005 11:24:21 +1100
+
+heimdal (0.7.1-1) experimental; urgency=low
+
+  * New upstream version.
+  * Remove krb4 support (closes: #315059, #334632).
+  * Conflict with krb4.
+
+ -- Brian May <bam@debian.org>  Mon, 24 Oct 2005 08:08:39 +1000
+
+heimdal (0.6.3-13) unstable; urgency=low
+
+  * Add alternative depends of debconf-2.0 in heimdal-kdc. Closes
+    <URL:http://lists.debian.org/debian-devel/2005/08/msg00136.html>.
+  * Update sv translations (closes: #330318).
+
+ -- Brian May <bam@debian.org>  Sun,  2 Oct 2005 12:36:49 +1000
+
+heimdal (0.6.3-12) unstable; urgency=low
+
+  * Rebuild to fix broken *.la files (closes: #316980).
+  * Modify rxtelnet and rxterm to use ktelnet and krsh (closes: #274063).
+  * Add Vietnamese debconf translation (closes: #314197).
+  * Add Czech debconf translation (closes: #314749).
+  * Move string2key into heimdal-clients (closes: #314365).
+  * Fix LDAP searches (closes: #318409).
+
+ -- Brian May <bam@debian.org>  Thu, 25 Aug 2005 11:39:59 +1000
+
+heimdal (0.6.3-11) unstable; urgency=low
+
+  * Apply patch to fix "Remotely exploitable buffer overflow in
+    getterminaltype function", reported in Secunia advisory SA15718 at
+    http://secunia.com/advisories/15718/. Closes: #315065.
+
+ -- Brian May <bam@debian.org>  Sun,  3 Jul 2005 13:54:19 +1000
+
+heimdal (0.6.3-10) unstable; urgency=low
+
+  * LDAP support (closes: #95246).
+  * Fix buffer overflow security bug in telnet client, CAN-2005-0469,
+    closes: #305574.
+
+ -- Brian May <bam@debian.org>  Mon, 25 Apr 2005 14:48:03 +1000
+
+heimdal (0.6.3-9) unstable; urgency=low
+
+  * Add Japanese debconf translation (closes: #302485)
+  * Updated replaces for heimdal-clients (closes: #303751).
+  * Support update-alternatives with rcp man page (closes: #303753).
+
+ -- Brian May <bam@debian.org>  Sun, 10 Apr 2005 12:47:40 +1000
+
+heimdal (0.6.3-8) unstable; urgency=low
+
+  * Apply patch to build on amd64 (closes: #300811).
+  * Move verify_krb5_conf man page to heimdal-clients (closes: #299905).
+  * Include danish debconf translations (closes: #296987).
+  * Add missing (versioned) comerr-dev to build depends (closes: #293270).
+
+ -- Brian May <bam@debian.org>  Thu, 24 Mar 2005 10:34:46 +1100
+
+heimdal (0.6.3-7) unstable; urgency=low
+
+  * Remove setconfig from built package, the new kdc.conf config broke this
+    script, and the config it changed wasn't used by Heimdal anyway.
+    Closes: #289295.
+  * Add patch from upstream to stop KDC crashing with SIGPIPE error.
+    Closes: #284498.
+
+ -- Brian May <bam@debian.org>  Fri, 14 Jan 2005 15:59:20 +1100
+
+heimdal (0.6.3-6) unstable; urgency=low
+
+  * Make conflict between heimdal-kdc and krb5-admin-server explicit, see
+    #274763 for details.
+  * Supply better example kdc.conf (closes: #210575). I deliberately omitted
+    the database setting as upstream say it isn't currently usable and will
+    change soon. Improvements welcome.
+  * Fix hardcoded paths to work with openafs (closes: #286249).
+
+ -- Brian May <bam@debian.org>  Mon, 20 Dec 2004 10:39:43 +1100
+
+heimdal (0.6.3-5) unstable; urgency=low
+
+  * Add new German debconf translations (closes: #284375).
+  * Set Project-Id-Version, PO-Revision-Date, Last-Translator fields to
+    Swedish and Russian translations from information in BTS.
+  * Remove kerberos.8.gz man page. This hack is to remove the conflict with
+    kerberos4kth which also contains the same file. It doesn't appear worth
+    keeping. See bug #274763 for details on conflict.
+  * Add note concerning above item in README.Debian.
+  * Make conflict between heimdal-kdc and krb5-kdc explicit, see #274763
+    for details.
+
+ -- Brian May <bam@debian.org>  Sun, 12 Dec 2004 15:41:05 +1100
+
+heimdal (0.6.3-4) unstable; urgency=low
+
+  * Adding the attached Brazilian Portuguese templates (closes: #278730).
+  * Fix typo in prerm script (closes: #280354).
+
+ -- Brian May <bam@debian.org>  Tue,  9 Nov 2004 14:09:01 +1100
+
+heimdal (0.6.3-3) unstable; urgency=low
+
+  * Move kerberos.8.gz from heimdal-servers into heimdal-docs package.
+  * Move kadmind.8.gz from heimdal-servers into heimdal-kdc package.
+  * Conflict with pop3-server instead of qpopper (closes: #274774).
+
+ -- Brian May <bam@debian.org>  Mon, 18 Oct 2004 17:12:05 +1000
+
+heimdal (0.6.3-2) unstable; urgency=low
+
+  * Stop all daemons as long as PID file exists, regardless if deamon is
+    enabled or not (closes: #266575).
+  * Add Dutch po-debconf translations (closes: #263597).
+  * Add some cleanups recommended in #95246 to debian/rules.
+    * Remove debian/*.ex files.
+    * Remove debian/control.* files.
+    * Remove debian/ex.doc-base.package.
+    * Remove obsolete libtool hack.
+    * Remove calls to obsolete dh_suidregister program.
+
+ -- Brian May <bam@debian.org>  Sat, 25 Sep 2004 14:59:21 +1000
+
+heimdal (0.6.3-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- Brian May <bam@debian.org>  Tue, 14 Sep 2004 08:28:11 +1000
+
+heimdal (0.6.2-0.6.3rc3-1) unstable; urgency=low
+
+  * New upstream version.
+  * Fixes security bugs in FTP server.
+
+ -- Brian May <bam@debian.org>  Mon, 13 Sep 2004 16:00:23 +1000
+
+heimdal (0.6.2-6) unstable; urgency=low
+
+  * Update replaces header for heimdal-clients, to allow for push.8.gz
+    moving from heimdal-servers to heimdal-clients (closes: #264979).
+
+ -- Brian May <bam@debian.org>  Thu, 12 Aug 2004 09:02:48 +1000
+
+heimdal (0.6.2-5) unstable; urgency=low
+
+  * Cave in to pressure and remove libdb4.2-dev from depends in
+    heimdal-dev. See bug #253894 for reasons, both for and against.
+
+ -- Brian May <bam@debian.org>  Mon,  2 Aug 2004 17:46:29 +1000
+
+heimdal (0.6.2-4) unstable; urgency=low
+
+  * Add patch 000_afslog to make afslog work (closes: #261065).
+
+ -- Brian May <bam@debian.org>  Sat, 31 Jul 2004 14:56:32 +1000
+
+heimdal (0.6.2-3) unstable; urgency=low
+
+  * Use default realm configured by krb5-config for KDC (closes:
+    #251725).
+  * Move push.8 man page from heimdal-servers to heimdal-clients
+    (push binary is already in heimdal-clients).
+
+ -- Brian May <bam@debian.org>  Mon, 31 May 2004 08:30:54 +1000
+
+heimdal (0.6.2-2) unstable; urgency=low
+
+  * Make build depends on libssl-dev versioned (closes: #249595).
+  * libdb4.2 support (closes: #223055).
+
+ -- Brian May <bam@debian.org>  Sun, 23 May 2004 10:10:04 +1000
+
+heimdal (0.6.2-1) unstable; urgency=low
+
+  * New upstream version.
+    * Fixes possible buffer overflow bug in the krb4 code in kadmin
+      (CAN-2004-0472).
+    * Disables krb4 support by default in kadmin.
+    * Next upstream version will remove krb4 support in kadmin.
+
+ -- Brian May <bam@debian.org>  Tue, 11 May 2004 09:57:12 +1000
+
+heimdal (0.6.1-1) unstable; urgency=low
+
+  * New upstream version:
+    * Fix cross realm trust vulnerability (closes: #241524).
+
+  * The following patches removed as they appear to be in upstream:
+    * patches/001_sasl_external.
+    * patches/010_gcc33.
+    * patches/016_nessus_dos.
+    * patches/023_db4
+
+  * Simplify patches/032_libtool_version_script, remove hunks that only
+    change line numbers (these created rejects).
+
+ -- Brian May <bam@debian.org>  Sun,  4 Apr 2004 10:14:22 +1000
+
+heimdal (0.6-8) unstable; urgency=low
+
+  * Change /etc/defaults/heimdal-kdc to /etc/default/heimdal-kdc in
+    heimdal-kdc init.d script (closes: #236289).
+  * Add french debconf templates (closes: #236891).
+
+ -- Brian May <bam@debian.org>  Thu, 11 Mar 2004 13:07:59 +1100
+
+heimdal (0.6-7) unstable; urgency=low
+
+  * Use new gettext based debconf (closes: #235170).
+
+ -- Brian May <bam@debian.org>  Sat, 28 Feb 2004 13:15:41 +1100
+
+heimdal (0.6-6) unstable; urgency=low
+
+  * Move /etc/defaults/heimdal-kdc to /etc/default/heimdal-kdc (closes:
+    #233824)
+
+ -- Brian May <bam@debian.org>  Wed, 25 Feb 2004 11:09:29 +1100
+
+heimdal (0.6-5) unstable; urgency=low
+
+  * Add sample kadmind.acl on initial installation (closes: #215649)
+  * Split KDC init.d script into /etc/default/heimdal-kdc (closes: #213534).
+  * Add openldap patch from upstream 001_sasl_external (LDAP is not
+    enabled in build though).
+
+ -- Brian May <bam@debian.org>  Wed, 31 Dec 2003 12:41:38 +1100
+
+heimdal (0.6-4) unstable; urgency=low
+
+  * The "Lets fix all these bugs release" (and see what breaks!).
+  * Set standards version to 3.6.1.
+  * Upgrade to DH_COMPAT version 4.
+  * Fix minor errors reported by linda, including:
+    * Remove call to dh_suidregister.
+    * Add versioned dependancy on debhelper (closes: #216290).
+    * Add versioned depends on debconf,
+  * When START_KDC is set, the init.d script should stop kdc; when
+    START_KPASSWDD is set, the init.d script should stop kpasswdd; not the
+    other way around. Closes #214447.
+  * Fix info pages by installing all files, closes #214248.
+  * Add libtool patch to version symbols, thanks Steve Langasek
+    <vorlon@netexpress.net>. Closes: #205592.
+  * Attempt to link against libdb4.1 instead of libdb3 failed, as automake
+    wouldn't stop complaining about lib/roken/Makefile.am (not touched by
+    this patch). Added debian/patch/db4 all the same.
+
+ -- Brian May <bam@snoopy.apana.org.au>  Sat, 13 Dec 2003 11:17:42 +1100
+
+heimdal (0.6-3) unstable; urgency=low
+
+  * Remove heimdal-libs package, I am not sure why I kept it, it isn't really
+    required for upgrades. This solves the (non-)issue with the description
+    (closes: #209552).
+
+  * Fix nessus DOS attack (closes: #197161).
+
+  * Since 0.6-2.2 no longer links with libreadline (closes: #198511).
+
+ -- Brian May <bam@snoopy.apana.org.au>  Sun, 28 Sep 2003 11:06:57 +1000
+
+heimdal (0.6-2.3) unstable; urgency=low
+
+  * NMU with Blessings from Brian May <bam@debian.org>
+
+ -- Mikael Andersson <mikan@debian.org>  Tue, 16 Sep 2003 07:14:03 +0200
+
+heimdal (0.6-2.2) unstable; urgency=low
+
+  * Compile against libedit instead of libreadline4.
+    Added patch 015_editline
+    Recreated 030_autotools (Need $TMP to be set, and add libtoolize)
+    Changed builddependency from libreadline4-dev to libedit-dev
+    Change configure --with-readline in rules
+
+ -- Mikael Andersson <mikan@debian.org>  Mon, 15 Sep 2003 12:31:46 +0200
+
+heimdal (0.6-2.1) unstable; urgency=low
+
+  * Use com_err from comerr-dev.
+  
+  * Removed comerr-dev, ss-dev from Conflicts of heimdal-dev
+
+ -- Mikael Andersson <mikan@debian.org>  Mon, 15 Sep 2003 11:36:49 +0200
+
+heimdal (0.6-2) unstable; urgency=low
+
+  * Remove login man page, it conflicts with the login package.
+
+ -- Brian May <bam@debian.org>  Sat,  6 Sep 2003 12:40:01 +1000
+
+heimdal (0.6-1) unstable; urgency=low
+
+  * New upstream version.
+  * Built for woody.
+
+ -- Brian May <bam@debian.org>  Thu, 28 Aug 2003 15:50:17 +1000
+
+heimdal (0.5.2-5) unstable; urgency=low
+
+  * Update conflicts for heimdal-clients not to conflict with ftp, as it
+    uses update-alternatives since version 0.16-1 (closes: #202701).
+
+ -- Brian May <bam@debian.org>  Wed,  6 Aug 2003 12:15:05 +1000
+
+heimdal (0.5.2-4) unstable; urgency=low
+
+  * Move conflicts libdb3-dev to depends libdb3-dev, really-closes
+    #196157.
+
+ -- Brian May <bam@debian.org>  Sun, 29 Jun 2003 09:32:20 +1000
+
+heimdal (0.5.2-3) unstable; urgency=low
+
+  * Fix FTBFS error with GCC-3.3 by adding debian/patches/010_gcc33
+    (closes: #196406).
+  * heimdal-dev depends on libdb3-dev, closes: #196157.
+
+ -- Brian May <bam@debian.org>  Sat, 28 Jun 2003 15:47:53 +1000
+
+heimdal (0.5.2-2) unstable; urgency=low
+
+  * Make heimdal-kdc daemons configurable. Also fix type in
+    etc/init.d/heimdal-kdc (closes: #186353).
+  * Upstream said kftp -n option was fixed in 0.5.2-1 (closes: #181697).
+
+ -- Brian May <bam@debian.org>  Thu, 27 Mar 2003 12:26:09 +1100
+
+heimdal (0.5.2-1) unstable; urgency=high
+
+  * New upstream version; Fixes krb4 security bug (closes: #185164).
+  * Remove versioned symbols patch, this more important.
+  * Remove debian/patches/016_openssl, hopefully it is no longer required.
+  * Remove debian/patches/018_sasize, hopefully it is no longer required.
+
+ -- Brian May <bam@debian.org>  Tue, 18 Mar 2003 10:57:31 +1100
+
+heimdal (0.5.1-7) unstable; urgency=low
+
+  * Use versioned symbols for all libraries.
+
+ -- Brian May <bam@debian.org>  Mon, 17 Mar 2003 12:50:38 +1100
+
+heimdal (0.5.1-6) unstable; urgency=low
+
+  * Fix credential delegation bug (018_gssapi_forward).
+  * Rename 023_sasize patch to 018_sasize, 02* is for Debian specific
+  changes, not bugs fixes of upstream code, that is for 01*.
+
+ -- Brian May <bam@debian.org>  Fri,  7 Mar 2003 18:47:29 +1100
+
+heimdal (0.5.1-5) unstable; urgency=low
+
+  * Fix error with sa_size not getting initialized properly. See
+  debian/patches/023_sasize.
+
+ -- Brian May <bam@debian.org>  Tue,  4 Mar 2003 19:06:01 +1100
+
+heimdal (0.5.1-4) unstable; urgency=low
+
+  * Rebuild for sid.
+  * 016_openssl patch to work with openssl 0.9.7.
+  * Now builds on sid (closes: #178775).
+  * New build will have correct dependancy on libroken (closes: #177250).
+
+ -- Brian May <bam@debian.org>  Thu, 30 Jan 2003 11:35:44 +1100
+
+heimdal (0.5.1-3) unstable; urgency=low
+
+  * 015_getifaddrs patch fixes segmentation fault.
+  * Remove *.rej file from 014_cache patch.
+
+ -- Brian May <bam@debian.org>  Thu, 16 Jan 2003 13:30:07 +1100
+
+heimdal (0.5.1-2) unstable; urgency=low
+
+  * Move dependancy on krb5-config to heimdal-servers and heimdal-
+    clients (closes: #171868).
+  * Add build depends on libhesiod-dev, it is only small, and
+    all versions of Heimdal need to be built the same.
+  * These changes were in 0.4e-23, but missed in 0.5.1-1.
+
+ -- Brian May <bam@debian.org>  Thu,  9 Jan 2003 16:29:39 +1100
+
+heimdal (0.5.1-1) unstable; urgency=low
+
+  * New upstream version.
+  * Build-depends on kerberos4kth-dev 1.2.1, it includes a new version
+    of libroken.
+  * New major version of libasn1-6-heimdal (was libasn1-5-heimdal).
+
+ -- Brian May <bam@debian.org>  Thu,  9 Jan 2003 14:34:54 +1100
+
+heimdal (0.5-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- Brian May <bam@snoopy.apana.org.au>  Sun, 29 Sep 2002 10:06:28 +1000
+
+heimdal (0.4e-20) unstable; urgency=low
+
+  * Add missing depends of kerberos4kth-dev to heimdal-dev (closes:
+    160669).
+  * Add description of changes required to /etc/services to get hprop
+    and/or iprop to work (closes: 139845).
+  * Add sample inetd entry for hprop and sample code in init.d script
+    for iprop (closes: #139851).
+
+ -- Brian May <bam@snoopy.apana.org.au>  Fri, 13 Sep 2002 13:34:04 +1000
+
+heimdal (0.4e-19) unstable; urgency=low
+
+  * Apply patch to fix time sync problem (closes: #155816).
+
+ -- Brian May <bam@snoopy.apana.org.au>  Tue, 20 Aug 2002 13:04:51 +1000
+
+heimdal (0.4e-18) unstable; urgency=low
+
+  * Apply patches from Mikael Andersson to fix FTP bug, closes: 150967.
+
+ -- Brian May <bam@snoopy.apana.org.au>  Thu, 15 Aug 2002 10:05:46 +1000
+
+heimdal (0.4e-17) unstable; urgency=low
+
+  * Use Maintainer Mode for automake.
+  * Include krb5.conf.5heimdal man page (closes: #150293).
+
+ -- Brian May <bam@snoopy.apana.org.au>  Tue,  6 Aug 2002 10:30:07 +1000
+
+heimdal (0.4e-16) unstable; urgency=low
+
+  * Fix heap overflow bug in ftp client that allows remote code
+    execution by malicious ftp server.
+  * Don't delete libkafs.so
+
+ -- Brian May <bam@snoopy.apana.org.au>  Thu, 30 May 2002 09:33:21 +1000
+
+heimdal (0.4e-15) unstable; urgency=low
+
+  * Attempt to use libraries from kerberos4kth.
+
+ -- Brian May <bam@snoopy.apana.org.au>  Mon, 22 Apr 2002 18:03:13 +1000
+
+heimdal (0.4e-14) unstable; urgency=low
+
+  * Attempt to recompile with krb4 support. Closes: #143273.
+    For some reason this was marked as grave, even though the
+    rest of Heimdal functioned OK.
+  * Reopens bug: cyclic dependancies exist between Heimdal and
+    Kerberos4kth. This really needs to get fixed.
+  * Attempt to fix this in debian/patches-0.4e-trial (still needs
+    further work), but this failed as autoconf in Debian doesn't like
+    autoconf files used in Heimdal.
+
+ -- Brian May <bam@snoopy.apana.org.au>  Sat, 20 Apr 2002 15:12:57 +1000
+
+heimdal (0.4e-13) unstable; urgency=low
+
+  * Move push to heimdal-clients (closes: #142331).
+  * The 'but I am sure I removed the build depends for kerberos4kth'
+    release. Closes: #142491
+  * Also get rid of libkafs0, as including an empty libkafs0 could be
+    confusing. closes: #142411
+
+ -- Brian May <bam@snoopy.apana.org.au>  Fri, 12 Apr 2002 18:44:34 +1000
+
+heimdal (0.4e-12) unstable; urgency=low
+
+  * Remove krb4 support, and remove build depends loop.
+
+ -- Brian May <bam@snoopy.apana.org.au>  Wed, 10 Apr 2002 08:29:52 +1000
+
+heimdal (0.4e-11) unstable; urgency=low
+
+  * Move to main.
+  * Attempt to get priorities correct.
+
+ -- Brian May <bam@snoopy.apana.org.au>  Wed,  3 Apr 2002 09:12:15 +1000
+
+heimdal (0.4e-10) unstable; urgency=low
+
+  * Change build depends from libssl096-dev to libssl-dev, closes:
+    #140690.
+  * Some dependancies are still in non-us, so this can't go in
+    main yet. Examples: krb5-config and kerberos4kth.
+
+ -- Brian May <bam@snoopy.apana.org.au>  Mon,  1 Apr 2002 10:39:31 +1000
+
+heimdal (0.4e-9) unstable; urgency=low
+
+  * Use /bin/login instead of /usr/sbin/login (which doesn't exist),
+    closes #139250. /bin/login is better then the login provided with
+    Heimdal, as it provides support for PAM.
+
+ -- Brian May <bam@snoopy.apana.org.au>  Thu, 21 Mar 2002 16:19:28 +1100
+
+heimdal (0.4e-8) unstable; urgency=low
+
+  * heimdal-servers: add conflicts qpopper (closes: #137208).
+  * Add russian debconf template (closes: #137657). I hope the character
+    encoding comes up Ok...
+  * Added note in README.Debian on making ksu setuid root (closes: #84468).
+
+ -- Brian May <bam@snoopy.apana.org.au>  Thu, 14 Mar 2002 11:35:15 +1100
+
+heimdal (0.4e-7) unstable; urgency=low
+
+  * Move krb5-config man page to heimdal-dev (closes: #135957).
+  * Fix extended descriptions (closes #135525, #135515).
+  * Move ktutil man page to heimdal-clients (closes: #136449).
+
+ -- Brian May <bam@snoopy.apana.org.au>  Mon,  4 Mar 2002 14:19:53 +1100
+
+heimdal (0.4e-6) unstable; urgency=low
+
+  * Versioned conflicts against openafs (closes: #127817,#128105).
+
+ -- Brian May <bam@snoopy.apana.org.au>  Tue,  8 Jan 2002 11:19:12 +1100
+
+heimdal (0.4e-5) unstable; urgency=low
+
+  * Change conflicts keerberos4kth-clients, as it has changed from
+    kerberos4kth-user (closes: #124020). heimdal-clients is supposed to
+    have Kerberos4kth support, hence there should be no need to have
+    both installed as the same time.
+  * Build problem on hppa was previously fixed (closes: #101064). 
+  * Fix BSD license (closes: #123822).
+
+ -- Brian May <bam@snoopy.apana.org.au>  Fri, 21 Dec 2001 11:46:23 +1100
+
+heimdal (0.4e-4) unstable; urgency=low
+
+  * Move login back to /usr/sbin/login.
+  * Use update-alternatives for pagsh.
+  * Apply patch to stop kstash from segfaulting (closes: #120502).
+
+ -- Brian May <bam@snoopy.apana.org.au>  Tue,  4 Dec 2001 20:30:38 +1100
+
+heimdal (0.4e-3) unstable; urgency=low
+
+  * Move files to correct packages (closes: #121131)
+
+ -- Brian May <bam@snoopy.apana.org.au>  Mon, 26 Nov 2001 09:22:36 +1100
+
+heimdal (0.4e-2) unstable; urgency=low
+
+  * Kerberos 4 support (closes: #65387).
+  * Build libsl packages (closes: #120496).
+
+ -- Brian May <bam@snoopy.apana.org.au>  Wed, 14 Nov 2001 17:49:40 +1100
+
+heimdal (0.4e-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- Brian May <bam@snoopy.apana.org.au>  Mon, 10 Sep 2001 09:40:06 +1000
+
+heimdal (0.4c-2) unstable; urgency=low
+
+  * Include devfs fix, telnetd now supports /dev/pts filesystem.
+
+ -- Brian May <bam@snoopy.apana.org.au>  Mon,  6 Aug 2001 14:20:50 +1000
+
+heimdal (0.4c-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- Brian May <bam@snoopy.apana.org.au>  Sun, 29 Jul 2001 14:33:17 +1000
+
+heimdal (0.3f-1) unstable; urgency=low
+
+  * New upstream version.
+  * Move krb5.conf.5.gz man page from libkrb5 package to heimdal-doc,
+    in order to allow different versions of libkrb5 to be installed
+    at same time. What was I thinking?
+  * Previous compilation was based on old libraries. Lets try again...
+
+ -- Brian May <bam@snoopy.apana.org.au>  Thu, 28 Jun 2001 09:05:09 +1000
+
+heimdal (0.3e-6) unstable; urgency=low
+
+  * heimdal-dev no longer conflicts with kerberos4kth-dev.
+  * build conflicts with heimdal-dev, due to libtool hack.
+  * remove build dependancy on kerberos4kth-dev, as it is not
+    yet used.
+  * remove kafs.h and kafs.3.gz is these conflict with files from
+    kerberos4kth.
+
+ -- Brian May <bam@snoopy.apana.org.au>  Tue, 12 Jun 2001 09:41:34 +1000
+
+heimdal (0.3e-5) unstable; urgency=low
+
+  * Fix library dependancy problem on libdb.
+  * Use libtool 1.4. Other packages should link -lkrb5 or -lgssapi,
+    and none of the other libraries (unless really required).
+  * Split libraries apart.
+  * Remove libsl, as it doesn't seem to be used anymore.
+  * Remove conflicts with kerberos4kth libraries (closes: #58090).
+  * Attempt build with kerberos4kth libraries (not-closed: #65387);
+    attempt failed (compile error); waiting till I get more time to fix
+    this or for somebody to fix it for me ;-).
+  * Uses updated config.sub and config.guess files from libtool 1.4
+    (as far as I can tell). Closes: #98153.
+  * add 31_autotools patch to work around install libtool bug.
+
+ -- Brian May <bam@snoopy.apana.org.au>  Tue, 22 May 2001 11:14:25 +1000
+
+heimdal (0.3e-4) unstable; urgency=low
+
+  * Fix more silly postinst bugs. Disable anonymous ftp logins
+    by default.
+
+ -- Brian May <bam@debian.org>  Thu, 22 Feb 2001 09:38:40 +1100
+
+heimdal (0.3e-3) unstable; urgency=low
+
+  * Use update-alternatives for rcp (closes: #86702)
+  * Remove update-alternatives for rsh when package is removed.
+  * Add upstream patch to select versions for replay_log.
+
+ -- Brian May <bam@debian.org>  Wed, 21 Feb 2001 09:04:58 +1100
+
+heimdal (0.3e-2) unstable; urgency=low
+
+  * Disable anonymous ftp logins by default. This can be changed by
+    using the -a option to ftpd in /etc/inetd.conf.
+  * Add upstream patch to fix weak key detection.
+
+ -- Brian May <bam@debian.org>  Sat, 17 Feb 2001 13:52:35 +1100
+
+heimdal (0.3e-1) unstable; urgency=low
+
+  * New upstream version 0.3e. Warning: This fixes a potential security
+    problem (buffer overrun) in ftpd.
+
+ -- Brian May <bam@debian.org>  Tue,  6 Feb 2001 12:59:14 +1100
+
+heimdal (0.3d-8) unstable; urgency=low
+
+  * Change section to non-US.
+  * Add german translation to heimdal-lib.templates file (closes: #83754).
+  * Add german translation to heimdal-kdc.templates file (closes: #83864).
+  * Add Depends: libssl096 to heimdal-dev, so packages that use
+    heimdal-dev no longer need to include this in build-depends:
+    (unless they really do guse libssl).
+  * disable openldap support by default (I may enable it latter)
+    (closes: #83993).
+  * add patch for openldap.
+  * don't build binary-all for binary-dep target (closes: #84171).
+
+ -- Brian May <bam@debian.org>  Wed, 31 Jan 2001 09:26:39 +1100
+
+heimdal (0.3d-7) unstable; urgency=low
+
+  * Replace missing prerm script for heimdal-kdc, as kadmind wasn't being
+    disabled (in /etc/inetd.conf) on --remove (closes: #83526).
+  * Fix type in postrm script for heimdal-servers, as inetd entry for ftp
+    wasn't getting removed on -purge.
+  * Fix type in postrm script for heimdal-servers-x, as inetd entry for kx
+    wasn't getting removed on -purge.
+  * Add swedish translation to heimdal-lib.templates file.
+    Also add same translation to question in heimdal-kdc.templates, as the
+    question is exactly the same (closes: #83535).
+
+ -- Brian May <bam@debian.org>  Fri, 26 Jan 2001 10:27:13 +1100
+
+heimdal (0.3d-6) unstable; urgency=low
+
+  * Use rsh-server and telnet-sever virtual packages (see bug #77404).
+
+ -- Brian May <bam@debian.org>  Thu, 18 Jan 2001 18:20:54 +1100
+
+heimdal (0.3d-5) unstable; urgency=low
+
+  * Fix ftp bug with ports > 32767 (closes: #81663).
+  * Move krb5-config to heimdal-dev.
+
+ -- Brian May <bam@debian.org>  Fri, 12 Jan 2001 09:02:03 +1100
+
+heimdal (0.3d-4) unstable; urgency=low
+
+  * Better, non-hacked fix for krb5-config. Patch from
+    GOMBAS Gabor <gombasg@inf.elte.hu>.
+
+ -- Brian May <bam@debian.org>  Tue,  9 Jan 2001 10:13:28 +1100
+
+heimdal (0.3d-3) unstable; urgency=low
+
+  * Compile using libssl026 instead of libdes. Patch from
+    GOMBAS Gabor <gombasg@inf.elte.hu>.
+
+ -- Brian May <bam@debian.org>  Sat,  6 Jan 2001 10:30:03 +1100
+
+heimdal (0.3d-2) unstable; urgency=low
+
+  * Add libdb2-dev to build-depends (closes: #80442).
+
+ -- Brian May <bam@debian.org>  Tue, 26 Dec 2000 10:59:44 +1100
+
+heimdal (0.3d-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- Brian May <bam@debian.org>  Tue, 12 Dec 2000 16:20:34 +1100
+
+heimdal (0.3c-6) unstable; urgency=low
+
+  * Rename xnlock.man to xnlock.1, closes: #78117
+  * Move xnlock.1 to heimdal-clients-x.
+
+ -- Brian May <bam@debian.org>  Tue, 28 Nov 2000 09:55:12 +1100
+
+heimdal (0.3c-5) unstable; urgency=low
+
+  * New structure for source. Now there is a different patch for each
+  change from upstream (closes: 77000).
+  * Move TODO and NEWS documentation to heimdal-docs, where it should always
+  have been
+  * Apply patch from
+  http://ns1.logidee.com/~joko/heimdal/src/heimdal_cache.patch,
+  which should allow PAM module to work.
+
+ -- Brian May <bam@debian.org>  Sat, 18 Nov 2000 13:04:39 +1100
+
+heimdal (0.3c-4) unstable; urgency=low
+
+  * applied patch to fix ftpd problem (closes: #64746).
+
+ -- Brian May <bam@debian.org>  Wed,  8 Nov 2000 17:26:16 +1100
+
+heimdal (0.3c-3) unstable; urgency=low
+
+  * Try to strip binaries again, by making libeditline libtool
+  controlled.
+
+ -- Brian May <bam@debian.org>  Mon,  9 Oct 2000 09:20:27 +1100
+
+heimdal (0.3c-2) unstable; urgency=low
+
+  * applied patch to disable line editing in ftp (closes: #69301).
+
+ -- Brian May <bam@debian.org>  Thu,  5 Oct 2000 09:15:44 +1100
+
+heimdal (0.3c-1) unstable; urgency=low
+
+  * New upstream version.
+  * applied patch to fix missing newline problem in ftp (closes: #64289).
+  * dh_strip commented out, as it crashed the build process.
+    A bug (#73637) has been opened on this issue.
+
+ -- Brian May <bam@debian.org>  Mon,  2 Oct 2000 10:07:53 +1100
+
+heimdal (0.3b-2) unstable; urgency=low
+
+  * Add debhelper, xlib6g-dev to build dependancies (closes: #70718).
+  
+  * Change documentation to indicate that kadmind uses kadmind.acl,
+    not kadm5.acl, as previously specified. Add warning in default
+    kdc.conf file that it needs checking, as it may not be
+    correct. Everything should work OK though with default values.
+    closes: #69139.
+
+ -- Brian May <bam@debian.org>  Sat,  2 Sep 2000 15:46:53 +1100
+
+heimdal (0.3b-1) unstable; urgency=low
+
+  * New upstream version.
+  
+  * Shouldn't conflict with telnet anymore, as both use
+    update-alternatives (not tested yet).
+  
+  * Provides telnet-client instead of telnet, as telnet-client is now
+    the accepted virtual package (see closed bug #58759).
+
+ -- Brian May <bam@debian.org>  Wed, 30 Aug 2000 10:58:07 +1100
+
+heimdal (0.3a-2) unstable; urgency=low
+
+  * Remove /usr/include/glob.h from heimdal-dev (closes: #68649). This
+  file conflicts with libc6-dev.
+
+  * For some reason heimdal doesn't detect /usr/include/glob.h, why?
+
+ -- Brian May <bam@debian.org>  Sun,  6 Aug 2000 18:07:52 +1000
+
+heimdal (0.3a-1) unstable; urgency=low
+
+  * New upstream version.
+  
+  * -rpath hack no longer required.
+  
+  * fix bug in postinst script (closes: #67509).
+
+  * No longer conflicts with rsh-client (<< 0.16.1-1), as rsh-client
+  now uses update-alternatives (closes: #58102).
+
+  * Uses new libtool version 1.3c (closes: 59037).
+
+ -- Brian May <bam@debian.org>  Mon, 31 Jul 2000 13:21:21 +1000
+
+heimdal (0.2t-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- Brian May <bam@debian.org>  Fri, 19 May 2000 15:24:31 +1000
+
+heimdal (0.2r-2) unstable; urgency=low
+
+  * Add Build-Depends and Build-Conflicts line. It is possible
+  that the Build-Conflicts might be excessive (some libraries  
+  can be turned of with command line options to Configure),
+  however, I think this is safest for now.
+
+ -- Brian May <bam@debian.org>  Sun, 16 Apr 2000 10:29:33 +1000
+
+heimdal (0.2r-1) unstable; urgency=low
+
+  * New upstream version.
+  * Fix yet another silly typo in postinst script.
+  * Added hack to use defaults inside kadmin init without crashing.
+
+ -- Brian May <bam@debian.org>  Wed,  5 Apr 2000 14:36:55 +1000
+
+heimdal (0.2q-3) unstable; urgency=low
+
+  * fix silly typo in postinst script (closes: #61482).
+
+ -- Brian May <bam@debian.org>  Sat,  1 Apr 2000 12:33:34 +1000
+
+heimdal (0.2q-2) unstable; urgency=low
+
+  * Password to kstash now handled by debconf.
+
+ -- Brian May <bam@debian.org>  Sun, 12 Mar 2000 12:16:25 +1100
+
+heimdal (0.2q-1) unstable; urgency=low
+
+  * New upstream version.
+  * Looking through the upstream Changelog, I cannot see any changes
+  that might break functionality that wasn't already broken.
+  * Fix problem with debconf script (closes: #58011).
+  * Change ftp dependancy to ftp-server (closes: #58118).
+  * Replaced power-pc fix with patch from upstream.
+  * Fixed shlibs dependancy information - all executables will now
+  depend on *this* upstream version of heimdal-lib. This is currently
+  a hacked solution to allow clean (future) upgrades.
+  * Moved README.Debian to heimdal-docs.
+  * Include doc/standardisation in heimdal-docs, contains information
+  not found elsewhere.
+  * Use update-alternatives for rsh.
+  * Hack debian/rules not to run configure.
+  * ftp/ftpd no longer seems to work, fixes welcome.
+  * This should really go to frozen, but because of above problem
+  will go into unstable only.
+  
+ -- Brian May <bam@debian.org>  Fri, 25 Feb 2000 15:46:16 +1100
+
+heimdal (0.2l-7) frozen unstable; urgency=low
+
+  * Copied copyright file from doc/heimdal.texi
+  * heimdal-servers no longer conflicts with rsh-server (closes: #57545).
+  * heimdal-lib conflicts with kerberos4kth (closes: #57587, #57602, #57654).
+  * this conflicts business is never ending...
+  * fixed minor bugs in README.Debian, eg there is no need to
+  extract the kadmin/admin key to /etc/krb5.keytab.
+  * fixed compilation problem on power-pc (closes: #57919).
+
+ -- Brian May <bam@debian.org>  Sun, 13 Feb 2000 19:46:37 +1100
+
+heimdal (0.2l-6) frozen unstable; urgency=low
+
+  * Move /usr/bin/compile_et into heimdal-dev.
+  * heimdal-clients conflicts with otp.
+  * heimdal-dev conflicts with ss-dev and comerr-dev (closes: #56281).
+  * minor changes to sample kdc.conf file. eg stash file created
+  by postinst script wasn't used by kdc...
+
+ -- Brian May <bam@debian.org>  Sat, 29 Jan 2000 09:58:00 +1100
+
+heimdal (0.2l-5) frozen unstable; urgency=low
+
+  * Heimdal-servers: reenable telnet properly after upgrade
+    (closes: #55733).
+  * Change section to non-US/main (closes: #55546).
+  * These changes wont break anything that wasn't already broken ;-).
+  
+ -- Brian May <bam@debian.org>  Thu, 20 Jan 2000 16:13:21 +1100
+
+heimdal (0.2l-4) frozen unstable; urgency=low
+
+  * heimdal-kdc nows starts password server, so users can change
+    passwords.
+  * heimdal-kdc now inserts entry for kadmind into /etc/inetd.conf.
+    kadmind is essential for normal kerberos administration.
+  * Fix /etc/init.d/heimdal-kdc restart so it works.
+  * No code has been changed/added/removed apart from postinst,
+    prerm, postrm and init scripts for the above changes.
+  * Got rid of stupid looking syntax for log file in sample kdc.conf.
+  * Minor changes (including addition of examples) into README.Debian.
+  * Known problem: debconf doesn't replace default value for
+    some reason on initial installation. I can't see whats wrong...
+    This is annoying, but not a critical problem.
+
+ -- Brian May <bam@snoopy.apana.org.au>  Mon, 17 Jan 2000 19:07:06 +1100
+
+heimdal (0.2l-3) unstable; urgency=low
+
+  * Conflicts with kerberos4kth packages. closes: #54783.
+  * Move kstash and man page to heimdal-kdc.
+  * Move kxd man page to heimdal-servers-x.
+  * Move kadmind page to heimdal-kdc.
+  * Move kpasswdd and man page to heimdal-kdc.
+  * Fix permissions of /var/lib/heimdal-kdc.
+
+ -- Brian May <bam@snoopy.apana.org.au>  Fri, 14 Jan 2000 19:18:51 +1100
+
+heimdal (0.2l-2) unstable; urgency=low
+
+  * Move man pages into proper packages.
+  * heimdal-servers now conflicts and provides ftpd.
+    (closes: #54818).
+  * Problems believed to already be fixed. closes: #54792.
+  * heimdal-lib postrm: add -f parameter to rm so that it will not
+    fail if the file doesn't exist. closes: #54847.
+  * Rename telnet and ftp to ktelnet and kftp respectively.
+  * Use update-alternatives for ftp and telnet.
+    (note rxtelnet still uses telnet, not ktelnet).
+
+ -- Brian May <bam@snoopy.apana.org.au>  Thu, 13 Jan 2000 10:47:14 +1100
+
+heimdal (0.2l-1) unstable; urgency=low
+
+  * New upstream source.
+  * heimdal-clients now provides ftp, telnet, and rsh-client
+    (closes: #54497).
+  * heimdal-servers now provides telnetd and rsh-server.
+
+ -- Brian May <bam@snoopy.apana.org.au>  Sun,  9 Jan 2000 10:00:02 +1100
+
+heimdal (0.2j-1) unstable; urgency=low
+
+  * New upstream source.
+  * Improved debconf support, using setconfig helper program.
+  * setconfig may not parse all valid configuration files correctly.
+    Patches welcome!
+  * Moved /usr/bin/login to /usr/lib/heimdal-servers/login, as I
+    suspect this will help porting to the Hurd, if/when anyone tries.
+  * kdc now supports (and requires) logrotate.
+  * kdc tested and now works with minimal configuration.
+  * heimdal-kdc does not support dpkg-reconfigure (not sure how to
+    reconfigure without deleting existing setup first).
+
+ -- Brian May <bam@snoopy.apana.org.au>  Wed,  5 Jan 2000 02:31:00 +0000
+
+heimdal (0.2i-1) unstable; urgency=low
+
+  * Initial Release.
+
+ -- Brian May <bam@snoopy.apana.org.au>  Wed,  8 Dec 1999 11:54:13 +1100
+
diff --git a/crypto/heimdal/packages/debian/compat b/crypto/heimdal/packages/debian/compat
new file mode 100644
index 0000000..b8626c4
--- /dev/null
+++ b/crypto/heimdal/packages/debian/compat
@@ -0,0 +1 @@
+4
diff --git a/crypto/heimdal/packages/debian/control b/crypto/heimdal/packages/debian/control
new file mode 100644
index 0000000..b276bd8
--- /dev/null
+++ b/crypto/heimdal/packages/debian/control
@@ -0,0 +1,276 @@
+Source: heimdal
+Section: net
+Priority: optional
+Maintainer: Love Hornquist Astrand <lha@h5l.org>
+Standards-Version: 3.7.2
+Build-Depends: libncurses5-dev, bison, flex, debhelper (>= 4.1.16), libx11-dev, libxau-dev, libxt-dev, libedit-dev, libdb4.4-dev, libssl-dev (>= 0.9.8), cdbs, quilt, comerr-dev (>= 1.35-1), libldap2-dev, texinfo
+Build-Conflicts: heimdal-dev
+
+Package: heimdal-docs
+Section: doc
+Priority: extra
+Architecture: all
+Depends: 
+Replaces: heimdal-lib (<< 0.3c-5), libkrb5-15-heimdal, heimdal-servers (<< 0.6.3-3)
+Conflicts: heimdal-lib (<< 0.3c-5)
+Suggests: heimdal-clients, heimdal-clients-x, heimdal-servers, heimdal-servers-x
+Description: Documentation for Heimdal Kerberos
+ Heimdal is a free implementation of Kerberos 5, that aims to be
+ compatible with MIT Kerberos.
+ .
+ This package includes documentation (in info format) on how to
+ use Heimdal, and relevant standards for Kerberos.
+
+Package: heimdal-kdc
+Priority: extra
+Architecture: any
+Conflicts: kerberos4kth-kdc, heimdal-clients (<< 0.4e-3), heimdal-servers (<< 0.6.3-3), krb5-kdc, krb5-admin-server
+Depends: ${shlibs:Depends}, heimdal-clients, logrotate, debconf (>= 0.5.00) | debconf-2.0, krb5-config, netbase, openbsd-inetd | inet-superserver, update-inetd
+Replaces: heimdal-clients (<< 0.7.2-1), heimdal-servers (<< 0.4e-3)
+Suggests: heimdal-docs
+Description: KDC for Heimdal Kerberos
+ Heimdal is a free implementation of Kerberos 5, that aims to be
+ compatible with MIT Kerberos.
+ .
+ This package includes the KDC (key distribution centre) server,
+ which is designed to run on a secure computer and keeps track
+ of users passwords. This is done using the Kerberos protocol in
+ such a way that the server computers do not need to know user's
+ passwords.
+
+Package: heimdal-dev
+Section: devel
+Priority: extra
+Architecture: any
+Conflicts: heimdal-clients (<< 0.4e-7), kerberos4kth-dev
+Depends: libasn1-8-heimdal (= ${Source-Version}), libkrb5-22-heimdal (= ${Source-Version}), libhdb9-heimdal (= ${Source-Version}), libkadm5srv8-heimdal (= ${Source-Version}), libkadm5clnt7-heimdal (= ${Source-Version}), libgssapi2-heimdal (= ${Source-Version}), libkafs0-heimdal (= ${Source-Version}), libheimntlm-0-heimdal (= ${Source-Version}), libhx509-1-heimdal (= ${Source-Version}), comerr-dev
+Replaces: heimdal-clients (<< 0.4e-7)
+Suggests: heimdal-docs
+Description: Development files for Heimdal Kerberos
+ Heimdal is a free implementation of Kerberos 5, that aims to be
+ compatible with MIT Kerberos.
+ .
+ This is the development package, required for developing
+ programs for Heimdal.
+
+Package: heimdal-clients-x
+Priority: extra
+Architecture: any
+Depends: ${shlibs:Depends}, netbase, heimdal-clients
+Replaces: heimdal-clients (<< 0.2l-2)
+Conflicts: heimdal-clients (<< 0.2l-2), kerberos4kth-x11
+Suggests: heimdal-docs
+Description: X11 files for Heimdal Kerberos
+ Heimdal is a free implementation of Kerberos 5, that aims to be
+ compatible with MIT Kerberos.
+ .
+ This package includes kerberos client programs for forwarding the X
+ connection securely to a remote computer.
+
+Package: heimdal-clients
+Priority: extra
+Architecture: any
+Depends: ${shlibs:Depends}, krb5-config
+Conflicts: telnet (<< 0.17-1), ftp (<< 0.16-1), rsh-client (<< 0.16.1-1), netstd, telnet-ssl (<< 0.14.9-2), ssltelnet, kerberos4kth-user, kerberos4kth-clients, otp, heimdal-servers (<< 0.4e-7), openafs-client (<< 1.2.2-3)
+Provides: telnet-client, ftp, rsh-client
+Suggests: heimdal-docs, heimdal-kcm
+Replaces: heimdal-servers (<< 0.6.3-12)
+Description: Clients for Heimdal Kerberos
+ Heimdal is a free implementation of Kerberos 5, that aims to be
+ compatible with MIT Kerberos.
+ .
+ This package includes client programs like telnet and ftp that have been
+ compiled with Kerberos support.
+
+Package: heimdal-kcm
+Priority: extra
+Architecture: any
+Depends: ${shlibs:Depends}
+Description: KCM for Heimdal Kerberos
+ Heimdal is a free implementation of Kerberos 5, that aims to be
+ compatible with MIT Kerberos.
+ .
+ This package includes the KCM daemon.
+ The kcm daemon can hold the credentials for all users in the system.
+ Access control is done with Unix-like permissions.  The daemon checks the
+ access on all operations based on the uid and gid of the user.  The
+ tickets are renewed as long as is permitted by the KDC's policy.
+
+Package: heimdal-servers-x
+Priority: extra
+Architecture: any
+Conflicts: kerberos4kth-x11, heimdal-servers (<< 0.2l-3)
+Depends: ${shlibs:Depends}, netbase, heimdal-servers
+Suggests: heimdal-docs
+Replaces: heimdal-servers (<< 0.2l-3)
+Description: X11 files for Heimdal Kerberos
+ Heimdal is a free implementation of Kerberos 5, that aims to be
+ compatible with MIT Kerberos.
+ .
+ This package includes kerberos server programs for forwarding the X
+ connection securely from a remote computer.
+
+Package: heimdal-servers
+Priority: extra
+Architecture: any
+Depends: ${shlibs:Depends}, netbase, krb5-config, update-inetd, openbsd-inetd | inet-superserver
+Conflicts: telnetd,  wu-ftpd-academ (<< 2.5.0), netstd, heimdal-clients (<< 0.2l-2), telnetd-ssl, kerberos4kth-services, ftp-server, rsh-server, telnet-server, pop3-server
+Provides: ftp-server, rsh-server, telnet-server
+Suggests: heimdal-docs
+Replaces: heimdal-clients (<< 0.2l-2)
+Description: Servers for Heimdal Kerberos
+ Heimdal is a free implementation of Kerberos 5, that aims to be
+ compatible with MIT Kerberos.
+ .
+ This package includes servers like telnetd and ftpd that have been
+ compiled with Heimdal support.
+
+Package: libasn1-8-heimdal
+Section: libs
+Architecture: any
+Depends: ${shlibs:Depends}
+Replaces: heimdal-lib (<< 0.3e-5)
+Conflicts: heimdal-libs (<< 0.3e-5)
+Description: Libraries for Heimdal Kerberos
+ Heimdal is a free implementation of Kerberos 5, that aims to be
+ compatible with MIT Kerberos.
+ .
+ This package contains the asn1 parser required for Heimdal.
+
+Package: libkrb5-22-heimdal
+Section: libs
+Architecture: any
+Depends: ${shlibs:Depends}
+Replaces: heimdal-lib (<< 0.3e-5)
+Conflicts: heimdal-libs (<< 0.3e-5)
+Description: Libraries for Heimdal Kerberos
+ Heimdal is a free implementation of Kerberos 5, that aims to be
+ compatible with MIT Kerberos.
+ .
+ This package contains the kerberos 5 library.
+
+Package: libheimntlm-0-heimdal
+Section: libs
+Architecture: any
+Depends: ${shlibs:Depends}
+Description: Libraries for Heimdal Kerberos
+ Heimdal is a free implementation of Kerberos 5, that aims to be
+ compatible with MIT Kerberos.
+ .
+ This package contains the NTLM library.
+
+Package: libhx509-1-heimdal
+Section: libs
+Architecture: any
+Depends: ${shlibs:Depends}
+Description: Libraries for Heimdal Kerberos
+ Heimdal is a free implementation of Kerberos 5, that aims to be
+ compatible with MIT Kerberos.
+ .
+ This package contains the hx509 library, and X.509 library.
+
+Package: libhcrypto-4-heimdal
+Section: libs
+Architecture: any
+Depends: ${shlibs:Depends}
+Description: Libraries for Heimdal Kerberos
+ Heimdal is a free implementation of Kerberos 5, that aims to be
+ compatible with MIT Kerberos.
+ .
+ This package contains the hcrypto library.
+
+Package: libhdb9-heimdal
+Section: libs
+Architecture: any
+Depends: ${shlibs:Depends}
+Replaces: heimdal-lib (<< 0.3e-5)
+Conflicts: heimdal-libs (<< 0.3e-5)
+Description: Libraries for Heimdal Kerberos
+ Heimdal is a free implementation of Kerberos 5, that aims to be
+ compatible with MIT Kerberos.
+ .
+ This package contains the library for storing the KDC database.
+
+Package: libkadm5srv8-heimdal
+Section: libs
+Architecture: any
+Depends: ${shlibs:Depends}
+Replaces: heimdal-lib (<< 0.3e-5)
+Conflicts: heimdal-libs (<< 0.3e-5)
+Description: Libraries for Heimdal Kerberos
+ Heimdal is a free implementation of Kerberos 5, that aims to be
+ compatible with MIT Kerberos.
+ .
+ This package contains the server library for kadmin.
+
+Package: libkadm5clnt7-heimdal
+Section: libs
+Architecture: any
+Depends: ${shlibs:Depends}
+Replaces: heimdal-lib (<< 0.3e-5)
+Conflicts: heimdal-libs (<< 0.3e-5)
+Description: Libraries for Heimdal Kerberos
+ Heimdal is a free implementation of Kerberos 5, that aims to be
+ compatible with MIT Kerberos.
+ .
+ This package contains the client library for kadmin.
+
+Package: libgssapi2-heimdal
+Section: libs
+Architecture: any
+Depends: ${shlibs:Depends}
+Replaces: heimdal-lib (<< 0.3e-5)
+Conflicts: heimdal-libs (<< 0.3e-5)
+Description: Libraries for Heimdal Kerberos
+ Heimdal is a free implementation of Kerberos 5, that aims to be
+ compatible with MIT Kerberos.
+ .
+ This package contains the library for GSSAPI support.
+
+Package: libkafs0-heimdal
+Section: libs
+Priority: extra
+Architecture: any
+Depends: ${shlibs:Depends}
+Description: Libraries for Heimdal Kerberos
+ Heimdal is a free implementation of Kerberos 5, that aims to be
+ compatible with MIT Kerberos.
+ .
+ This package contains the library for KAFS support.
+
+Package: libroken18-heimdal
+Section: libs
+Priority: extra
+Architecture: any
+Conflicts: libroken16-kerberos4kth
+Depends: ${shlibs:Depends}
+Description: Libraries for Heimdal Kerberos
+ Heimdal is a free implementation of Kerberos 5, that aims to be
+ compatible with MIT Kerberos.
+ .
+ This package contains the library for roken support.
+
+Package: libotp0-heimdal
+Section: libs
+Priority: extra
+Architecture: any
+Conflicts: libotp0-kerberos4kth
+Depends: ${shlibs:Depends}
+Description: Libraries for Heimdal Kerberos
+ Heimdal is a free implementation of Kerberos 5, that aims to be
+ compatible with MIT Kerberos.
+ .
+ This package contains the library for OTP support.
+
+Package: libsl0-heimdal
+Section: libs
+Priority: extra
+Architecture: any
+Conflicts: libsl0-kerberos4kth
+Depends: ${shlibs:Depends}
+Description: Libraries for Heimdal Kerberos
+ Heimdal is a free implementation of Kerberos 5, that aims to be
+ compatible with MIT Kerberos.
+ .
+ This package contains the library for SL support.
+
diff --git a/crypto/heimdal/packages/debian/copyright b/crypto/heimdal/packages/debian/copyright
new file mode 100644
index 0000000..b6b297d
--- /dev/null
+++ b/crypto/heimdal/packages/debian/copyright
@@ -0,0 +1,195 @@
+This package was debianized by Brian May <bam@snoopy.apana.org.au> on
+Wed,  8 Dec 1999 11:54:13 +1100.
+
+It was downloaded from http://www.pdc.kth.se/heimdal/
+
+Upstream Authors: heimdal-bugs@h5l.se
+(see above URL for mailing list info).
+
+Copyrights:
+
+As found in doc/heimdal.texi.
+
+
+Copyright (c) 1997-2007 Kungliga Tekniska Högskolan 
+(Royal Institute of Technology, Stockholm, Sweden).
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+3. Neither the name of the Institute nor the names of its contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+
+
+Copyright (C) 1990 by the Massachusetts Institute of Technology
+
+Export of this software from the United States of America may
+require a specific license from the United States Government.
+It is the responsibility of any person or organization contemplating
+export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+
+
+Copyright (c) 1988, 1990, 1993
+     The Regents of the University of California.  All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+3. Neither the name of the University nor the names of its contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+
+
+Copyright 1992 Simmule Turner and Rich Salz.  All rights reserved. 
+
+This software is not subject to any license of the American Telephone 
+and Telegraph Company or of the Regents of the University of California. 
+
+Permission is granted to anyone to use this software for any purpose on
+any computer system, and to alter it and redistribute it freely, subject
+to the following restrictions:
+
+1. The authors are not responsible for the consequences of use of this
+   software, no matter how awful, even if they arise from flaws in it.
+
+2. The origin of this software must not be misrepresented, either by
+   explicit claim or by omission.  Since few users ever read sources,
+   credits must appear in the documentation.
+
+3. Altered versions must be plainly marked as such, and must not be
+   misrepresented as being the original software.  Since few users
+   ever read sources, credits must appear in the documentation.
+
+4. This notice may not be removed or altered.
+
+
+
+IMath is Copyright 2002-2005 Michael J. Fromberger
+You may use it subject to the following Licensing Terms:
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+
+
+Copyright (c) 2005 Doug Rabson
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+
+
+Copyright (c) 2005 Marko Kreen
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+       notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.	IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
diff --git a/crypto/heimdal/packages/debian/extras/default b/crypto/heimdal/packages/debian/extras/default
new file mode 100644
index 0000000..d2d6b1e
--- /dev/null
+++ b/crypto/heimdal/packages/debian/extras/default
@@ -0,0 +1,17 @@
+# Do we start the KDC?
+KDC_ENABLED=yes
+KDC_PARAMS=""
+
+# the kpasswdd?
+KPASSWDD_ENABLED=yes
+KPASSWDD_PARAMS=""
+
+# kprop master?
+MASTER_ENABLED=no
+
+# How about the kprop slave?
+SLAVE_ENABLED=no
+
+# Add at least your master server name here when using iprop-replication
+# otherwise it would fail silently.
+SLAVE_PARAMS=""
diff --git a/crypto/heimdal/packages/debian/extras/kadmind.acl b/crypto/heimdal/packages/debian/extras/kadmind.acl
new file mode 100644
index 0000000..e5da87f
--- /dev/null
+++ b/crypto/heimdal/packages/debian/extras/kadmind.acl
@@ -0,0 +1 @@
+#principal       [priv1,priv2,...]       [glob-pattern]
diff --git a/crypto/heimdal/packages/debian/extras/kdc.conf b/crypto/heimdal/packages/debian/extras/kdc.conf
new file mode 100644
index 0000000..859133f
--- /dev/null
+++ b/crypto/heimdal/packages/debian/extras/kdc.conf
@@ -0,0 +1,91 @@
+[kdc]
+# See allowed values in krb5_openlog(3) man page.
+logging = FILE:/var/log/heimdal-kdc.log
+
+# detach = boolean
+
+# Gives an upper limit on the size of the requests that the kdc is
+# willing to handle.
+# max-request =  integer
+
+# Turn off the requirement for pre-autentication in the initial AS-
+# REQ for all principals.  The use of pre-authentication makes it
+# more difficult to do offline password attacks.  You might want to
+# turn it off if you have clients that don't support pre-authenti-
+# cation.  Since the version 4 protocol doesn't support any pre-
+# authentication, serving version 4 clients is just about the same
+# as not requiring pre-athentication.  The default is to require
+# pre-authentication.  Adding the require-preauth per principal is
+# a more flexible way of handling this.
+# require-preauth = boolean
+
+# Specifies the set of ports the KDC should listen on.  It is given
+# as a white-space separated list of services or port numbers.
+# ports = 88,750
+
+# The list of addresses to listen for requests on.  By default, the
+# kdc will listen on all the locally configured addresses.  If only
+# a subset is desired, or the automatic detection fails, this
+# option might be used.
+# addresses = list of ip addresses
+
+# respond to Kerberos 4 requests
+# enable-kerberos4 = false
+
+# respond to Kerberos 4 requests from foreign realms.  This is a
+# known security hole and should not be enabled unless you under-
+# stand the consequences and are willing to live with them.
+# enable-kerberos4-cross-realm = false
+
+# respond to 524 requests
+# enable-524 = value of enable-kerberos4
+
+# Makes the kdc listen on port 80 and handle requests encapsulated
+# in HTTP.
+# enable-http = boolean
+
+# What realm this server should act as when dealing with version 4
+# requests.  The database can contain any number of realms, but
+# since the version 4 protocol doesn't contain a realm for the
+# server, it must be explicitly specified.  The default is whatever
+# is returned by krb_get_lrealm().  This option is only availabe if
+# the KDC has been compiled with version 4 support.
+# v4-realm = string
+
+# Enable kaserver emulation (in case it's compiled in).
+# enable-kaserver = false
+
+# Check the addresses in the ticket when processing TGS requests.
+# check-ticket-addresses = true
+
+# Permit tickets with no addresses.  This option is only
+# relevent when check-ticket-addresses is TRUE.
+# allow-null-ticket-addresses = true
+
+# Permit anonymous tickets with no addresses.
+# allow-anonymous = boolean
+
+# Always verify the transited policy, ignoring the
+# disable-transited-check flag if set in the KDC client request.
+# transited-policy = {always-check,allow-per-principal,always-honour-request}
+
+# Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE
+# code. The Heimdal clients allow both.
+# encode_as_rep_as_tgs_rep = boolean
+
+# How long before password/principal expiration the KDC should
+# start sending out warning messages.
+# kdc_warn_pwexpire = time
+
+# Specifies the set of ports the KDC should listen on.  It is given
+# as a white-space separated list of services or port numbers.
+# kdc_ports = 88,750
+
+# [password_quality]
+# check_library = LIBRARY
+# check_function = FUNCTION
+# min_length = value
+
+# [kadmin]
+# default_keys = list of strings
+# use_v4_salt = boolean
diff --git a/crypto/heimdal/packages/debian/heimdal-clients-x.install b/crypto/heimdal/packages/debian/heimdal-clients-x.install
new file mode 100644
index 0000000..4a44128
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-clients-x.install
@@ -0,0 +1,10 @@
+usr/bin/kx
+usr/bin/rxterm
+usr/bin/rxtelnet
+usr/bin/tenletxr
+usr/bin/xnlock
+usr/share/man/man1/kx.1
+usr/share/man/man1/rxterm.1
+usr/share/man/man1/rxtelnet.1
+usr/share/man/man1/tenletxr.1
+usr/share/man/man1/xnlock.1
diff --git a/crypto/heimdal/packages/debian/heimdal-clients.install b/crypto/heimdal/packages/debian/heimdal-clients.install
new file mode 100644
index 0000000..391197c
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-clients.install
@@ -0,0 +1,43 @@
+usr/bin/afslog
+usr/bin/rsh
+usr/bin/kauth
+usr/bin/kdestroy
+usr/bin/kf
+usr/bin/kgetcred
+usr/bin/kinit
+usr/bin/klist
+usr/bin/kpasswd
+usr/bin/otp
+usr/bin/otpprint
+usr/bin/su
+usr/bin/pfrom
+usr/bin/rcp
+usr/bin/string2key
+usr/bin/ftp
+usr/bin/verify_krb5_conf
+usr/bin/telnet
+usr/bin/pagsh
+usr/sbin/kadmin
+usr/sbin/ktutil
+usr/sbin/push
+usr/share/man/man1/kauth.1
+usr/share/man/man1/kdestroy.1
+usr/share/man/man1/kf.1
+usr/share/man/man1/kinit.1
+usr/share/man/man1/klist.1
+usr/share/man/man1/kpasswd.1
+usr/share/man/man1/otp.1
+usr/share/man/man1/otpprint.1
+usr/share/man/man1/su.1
+usr/share/man/man1/pfrom.1
+usr/share/man/man1/ftp.1
+usr/share/man/man1/telnet.1
+usr/share/man/man1/afslog.1
+usr/share/man/man1/rsh.1
+usr/share/man/man1/kgetcred.1
+usr/share/man/man1/pagsh.1
+usr/share/man/man8/kadmin.8
+usr/share/man/man8/ktutil.8
+usr/share/man/man8/push.8
+usr/share/man/man8/verify_krb5_conf.8
+usr/share/man/man8/string2key.8
diff --git a/crypto/heimdal/packages/debian/heimdal-clients.postinst b/crypto/heimdal/packages/debian/heimdal-clients.postinst
new file mode 100644
index 0000000..db283d7
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-clients.postinst
@@ -0,0 +1,10 @@
+#!/bin/sh -e
+
+for i in ftp telnet rsh rcp pagsh
+do
+    update-alternatives --install /usr/bin/$i $i /usr/bin/k$i 23 \
+    --slave /usr/share/man/man1/$i.1.gz $i.1.gz /usr/share/man/man1/k$i.1.gz
+done
+
+#DEBHELPER#
+
diff --git a/crypto/heimdal/packages/debian/heimdal-clients.prerm b/crypto/heimdal/packages/debian/heimdal-clients.prerm
new file mode 100644
index 0000000..4695730
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-clients.prerm
@@ -0,0 +1,13 @@
+#!/bin/sh -e
+
+if [ "$1" != "upgrade" ]
+then
+    for i in ftp telnet rsh rcp pagsh
+    do
+	update-alternatives --remove $i /usr/bin/k$i
+    done
+fi
+
+#DEBHELPER#
+
+
diff --git a/crypto/heimdal/packages/debian/heimdal-dev.install b/crypto/heimdal/packages/debian/heimdal-dev.install
new file mode 100644
index 0000000..816fb9f
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-dev.install
@@ -0,0 +1,8 @@
+usr/bin/krb5-config
+usr/bin/mk_cmds
+usr/lib/*.a
+usr/lib/*.la
+usr/lib/*.so
+usr/include
+usr/share/man/man1/krb5-config.1
+usr/share/man/man3
diff --git a/crypto/heimdal/packages/debian/heimdal-docs.install b/crypto/heimdal/packages/debian/heimdal-docs.install
new file mode 100644
index 0000000..3a18bf3
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-docs.install
@@ -0,0 +1,2 @@
+usr/share/man/man5/krb5.conf.5
+usr/share/info
diff --git a/crypto/heimdal/packages/debian/heimdal-kcm.init b/crypto/heimdal/packages/debian/heimdal-kcm.init
new file mode 100644
index 0000000..b0b7baf
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-kcm.init
@@ -0,0 +1,69 @@
+#! /bin/sh
+#
+# skeleton	example file to build /etc/init.d/ scripts.
+#		This file should be used to construct scripts for /etc/init.d.
+#
+#		Written by Miquel van Smoorenburg <miquels@cistron.nl>.
+#		Modified for Debian GNU/Linux
+#		by Ian Murdock <imurdock@gnu.ai.mit.edu>.
+#
+# Version:	@(#)skeleton  1.8  03-Mar-1998  miquels@cistron.nl
+#
+# This file was automatically customized by dh-make on Wed,  8 Dec 1999 11:54:13 +1100
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+KCM_DAEMON="/usr/sbin/kcm"
+KCM_NAME="kcm"
+KCM_DESC="Heimdal KCM"
+KCM_PARAMS="--detach"
+
+test -f $KCM_DAEMON || exit 0
+
+set -e
+
+case "$1" in
+  start)
+	echo -n "Starting $KCM_DESC: "
+	start-stop-daemon --start --quiet \
+		--pidfile /var/run/$KCM_NAME.pid \
+		--exec $KCM_DAEMON -- $KCM_PARAMS
+	echo "$KCM_NAME."
+	;;
+  stop)
+	echo -n "Stopping $KCM_DESC: "
+	start-stop-daemon --stop --oknodo --quiet \
+		--pidfile /var/run/$KCM_NAME.pid \
+		--exec $KCM_DAEMON -- $KCM_PARAMS
+	echo "$KCM_NAME."
+	;;
+  #reload)
+	#
+	#	If the daemon can reload its config files on the fly
+	#	for example by sending it SIGHUP, do it here.
+	#
+	#	If the daemon responds to changes in its config file
+	#	directly anyway, make this a do-nothing entry.
+	#
+	# echo "Reloading $DESC configuration files."
+	# start-stop-daemon --stop --signal 1 --quiet --pidfile \
+	#	/var/run/$NAME.pid --exec $DAEMON
+  #;;
+  restart|force-reload)
+	#
+	#	If the "reload" option is implemented, move the "force-reload"
+	#	option to the "reload" entry above. If not, "force-reload" is
+	#	just the same as "restart".
+	#
+	/etc/init.d/heimdal-kcm stop
+	sleep 1
+	/etc/init.d/heimdal-kcm start
+	;;
+  *)
+	N=/etc/init.d/$NAME
+	# echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
+	echo "Usage: $N {start|stop|restart|force-reload}" >&2
+	exit 1
+	;;
+esac
+
+exit 0
diff --git a/crypto/heimdal/packages/debian/heimdal-kcm.install b/crypto/heimdal/packages/debian/heimdal-kcm.install
new file mode 100644
index 0000000..5a04cc2
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-kcm.install
@@ -0,0 +1,2 @@
+usr/sbin/kcm
+usr/share/man/man8/kcm.8
diff --git a/crypto/heimdal/packages/debian/heimdal-kdc.dirs b/crypto/heimdal/packages/debian/heimdal-kdc.dirs
new file mode 100644
index 0000000..7646c42
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-kdc.dirs
@@ -0,0 +1,5 @@
+etc/default
+etc/heimdal-kdc
+etc/ldap/schema
+usr/lib/heimdal-servers
+var/lib/heimdal-kdc
diff --git a/crypto/heimdal/packages/debian/heimdal-kdc.examples b/crypto/heimdal/packages/debian/heimdal-kdc.examples
new file mode 100644
index 0000000..2e6a436
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-kdc.examples
@@ -0,0 +1,2 @@
+debian/extras/kdc.conf
+debian/extras/kadmind.acl
diff --git a/crypto/heimdal/packages/debian/heimdal-kdc.init b/crypto/heimdal/packages/debian/heimdal-kdc.init
new file mode 100644
index 0000000..68be9de
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-kdc.init
@@ -0,0 +1,124 @@
+#! /bin/sh
+#
+# skeleton	example file to build /etc/init.d/ scripts.
+#		This file should be used to construct scripts for /etc/init.d.
+#
+#		Written by Miquel van Smoorenburg <miquels@cistron.nl>.
+#		Modified for Debian GNU/Linux
+#		by Ian Murdock <imurdock@gnu.ai.mit.edu>.
+#
+# Version:	@(#)skeleton  1.8  03-Mar-1998  miquels@cistron.nl
+#
+# This file was automatically customized by dh-make on Wed,  8 Dec 1999 11:54:13 +1100
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+KDC_DAEMON=/usr/lib/heimdal-servers/kdc
+KDC_NAME=heimdal-kdc
+KDC_DESC="Heimdal KDC"
+KPASSWDD_DAEMON=/usr/lib/heimdal-servers/kpasswdd
+KPASSWDD_NAME=kpasswdd
+KPASSWDD_DESC="Heimdal password server"
+
+. /etc/default/heimdal-kdc
+
+test -f $KDC_DAEMON || exit 0
+test -f $KPASSWDD_DAEMON || exit 0
+
+set -e
+
+case "$1" in
+  start)
+	if [ "$KDC_ENABLED" = "yes" ];
+	then
+		echo -n "Starting $KDC_DESC: "
+		start-stop-daemon --start --quiet --background \
+			--make-pidfile --pidfile /var/run/$KDC_NAME.pid \
+			--exec $KDC_DAEMON -- $KDC_PARAMS
+		echo "$KDC_NAME."
+	fi
+	if [ "$KPASSWDD_ENABLED" = "yes" ];
+	then
+		echo -n "Starting $KPASSWDD_DESC: "
+		start-stop-daemon --start --quiet --background \
+			--make-pidfile --pidfile /var/run/$KPASSWDD_NAME.pid \
+			--exec $KPASSWDD_DAEMON -- $KPASSWDD_PARAMS
+		echo "$KPASSWDD_NAME."
+	fi
+	if [ "$MASTER_ENABLED" = "yes" ];
+	then
+		echo -n "Starting incremental propagation master: "
+		start-stop-daemon --start --quiet --background \
+			--make-pidfile --pidfile /var/run/ipropd-master.pid \
+			--exec /usr/sbin/ipropd-master -- $MASTER_PARAMS
+		echo "ipropd-master."
+	fi
+	if [ "$SLAVE_ENABLED" = "yes" ];
+	then
+		echo -n "Starting incremental propagation slave: "
+		start-stop-daemon --start --quiet --background \
+			--make-pidfile --pidfile /var/run/ipropd-slave.pid \
+			--exec /usr/sbin/ipropd-slave -- $SLAVE_PARAMS
+		echo "ipropd-slave."
+	fi
+	;;
+  stop)
+	if [ -f /var/run/$KPASSWDD_NAME.pid ]
+	then
+		echo -n "Stopping $KPASSWDD_DESC: "
+		start-stop-daemon --stop --oknodo --quiet --pidfile /var/run/$KPASSWDD_NAME.pid \
+			--exec $KPASSWDD_DAEMON -- $KPASSWDD_PARAMS
+		echo "$KPASSWDD_NAME."
+	fi
+	if [ -f /var/run/$KDC_NAME.pid  ]
+	then
+		echo -n "Stopping $KDC_DESC: "
+		start-stop-daemon --stop --oknodo --quiet --pidfile /var/run/$KDC_NAME.pid \
+			--exec $KDC_DAEMON -- $KDC_PARAMS
+		echo "$KDC_NAME."
+	fi
+	if [ -f /var/run/ipropd-master.pid ]
+	then
+		echo -n "Stopping incremental propagation master: "
+		start-stop-daemon --stop --oknodo --quiet --pidfile /var/run/ipropd-master.pid \
+			--exec /usr/sbin/ipropd-master -- $MASTER_PARAMS
+		echo "ipropd-master."
+	fi
+	if [ -f /var/run/ipropd-slave.pid ]
+	then
+		echo -n "Stopping incremental propagation slave: "
+		start-stop-daemon --stop --oknodo --quiet --pidfile /var/run/ipropd-slave.pid \
+			--exec /usr/sbin/ipropd-slave -- $SLAVE_PARAMS
+		echo "/usr/sbin/ipropd-slave."
+	fi
+	;;
+  #reload)
+	#
+	#	If the daemon can reload its config files on the fly
+	#	for example by sending it SIGHUP, do it here.
+	#
+	#	If the daemon responds to changes in its config file
+	#	directly anyway, make this a do-nothing entry.
+	#
+	# echo "Reloading $DESC configuration files."
+	# start-stop-daemon --stop --signal 1 --quiet --pidfile \
+	#	/var/run/$NAME.pid --exec $DAEMON
+  #;;
+  restart|force-reload)
+	#
+	#	If the "reload" option is implemented, move the "force-reload"
+	#	option to the "reload" entry above. If not, "force-reload" is
+	#	just the same as "restart".
+	#
+	/etc/init.d/heimdal-kdc stop
+	sleep 1
+	/etc/init.d/heimdal-kdc start
+	;;
+  *)
+	N=/etc/init.d/$NAME
+	# echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
+	echo "Usage: $N {start|stop|restart|force-reload}" >&2
+	exit 1
+	;;
+esac
+
+exit 0
diff --git a/crypto/heimdal/packages/debian/heimdal-kdc.install b/crypto/heimdal/packages/debian/heimdal-kdc.install
new file mode 100644
index 0000000..2731b51
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-kdc.install
@@ -0,0 +1,20 @@
+usr/sbin/iprop-log
+usr/sbin/hprop
+usr/sbin/hpropd
+usr/sbin/ipropd-master
+usr/sbin/ipropd-slave
+usr/sbin/kdc
+usr/sbin/kadmind
+usr/sbin/kpasswdd
+usr/share/man/man8/iprop.8
+usr/share/man/man8/iprop-log.8
+usr/share/man/man8/ipropd-master.8
+usr/share/man/man8/ipropd-slave.8
+usr/share/man/man8/kdc.8
+usr/share/man/man8/kadmind.8
+usr/share/man/man8/kstash.8
+usr/share/man/man8/kpasswdd.8
+usr/share/man/man8/hprop.8
+usr/share/man/man8/hpropd.8
+usr/lib/libkdc.so.2.*
+usr/lib/libkdc.so.2
diff --git a/crypto/heimdal/packages/debian/heimdal-kdc.logrotate b/crypto/heimdal/packages/debian/heimdal-kdc.logrotate
new file mode 100644
index 0000000..c5fad41
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-kdc.logrotate
@@ -0,0 +1,5 @@
+/var/log/heimdal-kdc.log {
+	rotate 5
+	weekly
+	compress
+}
diff --git a/crypto/heimdal/packages/debian/heimdal-kdc.postinst b/crypto/heimdal/packages/debian/heimdal-kdc.postinst
new file mode 100644
index 0000000..72e7af5
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-kdc.postinst
@@ -0,0 +1,98 @@
+#!/bin/sh -e
+
+. /usr/share/debconf/confmodule
+
+if [ ! -f /var/log/heimdal-kdc.log ]
+then
+	touch /var/log/heimdal-kdc.log
+	chmod 600 /var/log/heimdal-kdc.log
+fi
+
+add_servers() {
+kadmin_entry="kerberos-adm	stream	tcp	nowait	root	/usr/sbin/tcpd /usr/lib/heimdal-servers/kadmind"
+hprop_entry="#krb_prop	stream	tcp	nowait	root	/usr/sbin/tcpd /usr/sbin/hpropd"
+
+	update-inetd --group KRB5 --add "$kadmin_entry"
+	update-inetd --group KRB5 --add "$hprop_entry"
+}
+
+enable_servers() {
+	update-inetd --pattern '[ \t]/usr/lib/heimdal-servers/kadmind' --enable kerberos-adm
+}
+
+# if not configured, try moving existing configuration
+if [ ! -f /etc/heimdal-kdc/.configured ] &&
+   [   -f /var/lib/heimdal-kdc/.configured ]
+then
+        for i in kdc.conf kadmind.acl
+        do
+                if [ -f /var/lib/heimdal-kdc/$i ]
+                then
+                        mv /var/lib/heimdal-kdc/$i /etc/heimdal-kdc/$i
+                fi
+        done
+        mv /var/lib/heimdal-kdc/.configured /etc/heimdal-kdc/.configured
+fi
+
+# if already configured - dont reconfigure
+if [ ! -f /etc/heimdal-kdc/.configured ]
+then
+	# get default realm
+	# should use krb5-config setting???
+	if db_get krb5-config/default_realm && [ "x$RET" != "x" ]
+	then
+		default_realm="$RET"
+	else
+		default_realm="`hostname -d | tr a-z A-Z`"
+	fi
+	db_fget heimdal/realm seen
+	if [ "$RET" != "true" ]; then
+		db_set heimdal/realm "$default_realm"
+	fi
+	db_subst heimdal/realm default_realm "$default_realm"
+	db_input medium heimdal/realm || true
+	db_go
+	db_get heimdal/realm; REALM="$RET"
+	
+	# get password
+	db_input medium heimdal-kdc/password || true
+	db_go
+	db_get heimdal-kdc/password; PASSWORD="$RET"
+	db_set heimdal-kdc/password ""
+	
+	DST=/etc/heimdal-kdc/kdc.conf
+	cp -a /usr/share/doc/heimdal-kdc/examples/kdc.conf "$DST"
+#	/usr/lib/heimdal-kdc/setconfig --file "$DST" --section realms::REALM.ORG "=$REALM"
+	
+	DST=/etc/heimdal-kdc/kadmind.acl
+	cp -a /usr/share/doc/heimdal-kdc/examples/kadmind.acl "$DST"
+	
+	kstash --master-key-fd=0 <<EOF
+$PASSWORD
+EOF
+	
+	echo -e "\n\n" | kadmin -l init "$REALM" > /dev/null
+	
+	touch /etc/heimdal-kdc/.configured
+fi
+
+case "$1" in
+abort-upgrade | abort-deconfigure | abort-remove)
+	;;
+configure)
+	if [ -z "$2" ]
+	then
+		add_servers
+	elif dpkg --compare-versions "$2" le "0.7.2.dfsg.1-6"
+	then
+		enable_servers
+	fi
+	;;
+*)
+	printf "$0: incorrect arguments: $*\n" >&2
+	exit 1
+	;;
+esac
+
+	
+#DEBHELPER#
diff --git a/crypto/heimdal/packages/debian/heimdal-kdc.postrm b/crypto/heimdal/packages/debian/heimdal-kdc.postrm
new file mode 100644
index 0000000..640fde5
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-kdc.postrm
@@ -0,0 +1,32 @@
+#!/bin/sh -e
+
+remove_servers() {
+	update-inetd --remove 'kerberos-adm[ \t].*[ \t]/usr/lib/heimdal-servers/kadmind'
+	update-inetd --remove 'krb_prop[ \t].*[ \t]/usr/sbin/hpropd'
+}
+
+case "$1" in
+abort-install | remove | abort-upgrade | upgrade | failed-upgrade | disappear)
+	;;
+purge)
+	# If netbase is not installed, then we don't need to do the remove.
+	if command -v update-inetd >/dev/null 2>&1; then
+		remove_servers
+	fi
+	;;
+*)
+	echo "$0: incorrect arguments: $*" >&2
+	exit 1
+	;;
+esac
+
+if [ "$1" = "purge" ]
+then
+	rm -f /var/log/heimdal-kdc.log*
+	rm -rf /var/lib/heimdal-kdc
+	rm -f /etc/heimdal-kdc/.configured
+	rm -f /etc/heimdal-kdc/kdc.conf
+	rm -f /etc/heimdal-kdc/kadmind.acl
+fi
+
+#DEBHELPER#
diff --git a/crypto/heimdal/packages/debian/heimdal-kdc.templates b/crypto/heimdal/packages/debian/heimdal-kdc.templates
new file mode 100644
index 0000000..5882f3c
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-kdc.templates
@@ -0,0 +1,12 @@
+Template: heimdal/realm
+Type: string
+_Description: Local realm name:
+ Heimdal requires the name of your local realm. This is typically your
+ domain name in uppercase. eg if your hostname is host.org.com, then your
+ realm will become ORG.COM. The default for your host is ${default_realm}.
+
+Template: heimdal-kdc/password
+Type: password
+_Description: Password for KDC:
+ Heimdal can encrypt the KDC data with a password. A hashed representation
+ will be stored in /var/lib/heimdal-kdc/m-key.
diff --git a/crypto/heimdal/packages/debian/heimdal-servers-x.dirs b/crypto/heimdal/packages/debian/heimdal-servers-x.dirs
new file mode 100644
index 0000000..6209a9d
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-servers-x.dirs
@@ -0,0 +1 @@
+usr/lib/heimdal-servers
diff --git a/crypto/heimdal/packages/debian/heimdal-servers-x.install b/crypto/heimdal/packages/debian/heimdal-servers-x.install
new file mode 100644
index 0000000..250b28b
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-servers-x.install
@@ -0,0 +1,2 @@
+usr/sbin/kxd
+usr/share/man/man8/kxd.8
diff --git a/crypto/heimdal/packages/debian/heimdal-servers-x.postinst b/crypto/heimdal/packages/debian/heimdal-servers-x.postinst
new file mode 100644
index 0000000..bb0ea22
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-servers-x.postinst
@@ -0,0 +1,34 @@
+#!/bin/sh -e
+
+add_servers() {
+    kx_entry="kx	stream	tcp	nowait	root	/usr/sbin/tcpd /usr/lib/heimdal-servers/kxd"
+	update-inetd --group KRB5 --add "$kx_entry"
+}
+
+enable_servers() {
+	update-inetd --pattern '[ \t]/usr/lib/heimdal-servers/kx' --enable kx
+}
+
+remove_servers() {
+	update-inetd --remove 'kx[ \t].*[ \t]/usr/lib/heimdal-servers/kxd'
+}
+
+case "$1" in
+abort-upgrade | abort-deconfigure | abort-remove)
+	enable_servers
+	;;
+configure)
+	if [ -n "$2" ] && dpkg --compare-versions "$2" ge 0.2h-1; then
+		enable_servers
+	else
+		remove_servers
+		add_servers
+	fi
+	;;
+*)
+	printf "$0: incorrect arguments: $*\n" >&2
+	exit 1
+	;;
+esac
+
+#DEBHELPER#
diff --git a/crypto/heimdal/packages/debian/heimdal-servers-x.postrm b/crypto/heimdal/packages/debian/heimdal-servers-x.postrm
new file mode 100644
index 0000000..4bfc214
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-servers-x.postrm
@@ -0,0 +1,23 @@
+#!/bin/sh -e
+# $Id: heimdal-servers-x.postrm,v 1.2 1999/12/26 00:00:46 bam Exp $
+
+remove_servers() {
+	update-inetd --remove 'kx[ \t].*[ \t]/usr/lib/heimdal-servers/kxd'
+}
+
+case "$1" in
+abort-install | remove | abort-upgrade | upgrade | failed-upgrade | disappear)
+	;;
+purge)
+	# If netbase is not installed, then we don't need to do the remove.
+	if command -v update-inetd >/dev/null 2>&1; then
+		remove_servers
+	fi
+	;;
+*)
+	echo "$0: incorrect arguments: $*" >&2
+	exit 1
+	;;
+esac
+
+#DEBHELPER#
diff --git a/crypto/heimdal/packages/debian/heimdal-servers-x.prerm b/crypto/heimdal/packages/debian/heimdal-servers-x.prerm
new file mode 100644
index 0000000..646eb89
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-servers-x.prerm
@@ -0,0 +1,11 @@
+#!/bin/sh -e
+
+disable_servers() {
+	update-inetd --pattern '[ \t]/usr/lib/heimdal-servers/kx' --disable kx
+}
+
+if command -v update-inetd >/dev/null 2>&1; then
+	disable_servers
+fi
+
+#DEBHELPER#
diff --git a/crypto/heimdal/packages/debian/heimdal-servers.dirs b/crypto/heimdal/packages/debian/heimdal-servers.dirs
new file mode 100644
index 0000000..6209a9d
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-servers.dirs
@@ -0,0 +1 @@
+usr/lib/heimdal-servers
diff --git a/crypto/heimdal/packages/debian/heimdal-servers.install b/crypto/heimdal/packages/debian/heimdal-servers.install
new file mode 100644
index 0000000..f4c7b8e
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-servers.install
@@ -0,0 +1,12 @@
+usr/sbin/kfd
+usr/sbin/ftpd
+usr/sbin/rshd
+usr/sbin/telnetd
+usr/sbin/popper
+usr/bin/login
+usr/share/man/man5/ftpusers.5
+usr/share/man/man8/ftpd.8
+usr/share/man/man8/popper.8
+usr/share/man/man8/telnetd.8
+usr/share/man/man8/kfd.8
+usr/share/man/man8/rshd.8
diff --git a/crypto/heimdal/packages/debian/heimdal-servers.postinst b/crypto/heimdal/packages/debian/heimdal-servers.postinst
new file mode 100644
index 0000000..a1d9360
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-servers.postinst
@@ -0,0 +1,47 @@
+#!/bin/sh -e
+
+add_servers() {
+kshell_entry="kshell	stream	tcp	nowait	root	/usr/sbin/tcpd /usr/lib/heimdal-servers/rshd -k"
+   ftp_entry="ftp	stream	tcp	nowait	root	/usr/sbin/tcpd /usr/lib/heimdal-servers/ftpd -a plain"
+telnet_entry="telnet	stream	tcp	nowait	root	/usr/sbin/tcpd /usr/lib/heimdal-servers/telnetd -a none"
+ pop3_entry="pop-3	stream	tcp	nowait	root	/usr/sbin/tcpd /usr/lib/heimdal-servers/popper"
+
+	update-inetd --group KRB5 --add "$kshell_entry"
+	update-inetd --group KRB5 --add "$ftp_entry"
+	update-inetd --group KRB5 --add "$telnet_entry"
+	update-inetd --group KRB5 --add "$pop3_entry"
+}
+
+enable_servers() {
+	update-inetd --pattern '[ \t]/usr/lib/heimdal-servers/rshd' --enable kshell
+	update-inetd --pattern '[ \t]/usr/lib/heimdal-servers/ftpd' --enable ftp
+	update-inetd --pattern '[ \t]/usr/lib/heimdal-servers/telnetd' --enable telnet
+	update-inetd --pattern '[ \t]/usr/lib/heimdal-servers/popper' --enable pop-3
+}
+
+remove_servers() {
+	update-inetd --remove 'kshell[ \t].*[ \t]/usr/lib/heimdal-servers/rshd'
+	update-inetd --remove 'ftp[ \t].*[ \t]/usr/lib/heimdal-servers/ftpd'
+	update-inetd --remove 'telnet[ \t].*[ \t]/usr/lib/heimdal-servers/telnetd'
+	update-inetd --remove 'pop-3[ \t].*[ \t]/usr/lib/heimdal-servers/popper'
+}
+
+case "$1" in
+abort-upgrade | abort-deconfigure | abort-remove)
+	enable_servers
+	;;
+configure)
+	if [ -n "$2" ] && dpkg --compare-versions "$2" ge 0.3e-4; then
+		enable_servers
+	else
+		remove_servers
+		add_servers
+	fi
+	;;
+*)
+	printf "$0: incorrect arguments: $*\n" >&2
+	exit 1
+	;;
+esac
+
+#DEBHELPER#
diff --git a/crypto/heimdal/packages/debian/heimdal-servers.postrm b/crypto/heimdal/packages/debian/heimdal-servers.postrm
new file mode 100644
index 0000000..c8aa0f4
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-servers.postrm
@@ -0,0 +1,26 @@
+#!/bin/sh -e
+# $Id: heimdal-servers.postrm,v 1.4 1999/12/26 01:51:03 bam Exp $
+
+remove_servers() {
+	update-inetd --remove 'kshell[ \t].*[ \t]/usr/lib/heimdal-servers/rshd'
+	update-inetd --remove 'ftp[ \t].*[ \t]/usr/lib/heimdal-servers/ftpd'
+	update-inetd --remove 'telnet[ \t].*[ \t]/usr/lib/heimdal-servers/telnetd'
+	update-inetd --remove 'pop-3[ \t].*[ \t]/usr/lib/heimdal-servers/popper'
+}
+
+case "$1" in
+abort-install | remove | abort-upgrade | upgrade | failed-upgrade | disappear)
+	;;
+purge)
+	# If netbase is not installed, then we don't need to do the remove.
+	if command -v update-inetd >/dev/null 2>&1; then
+		remove_servers
+	fi
+	;;
+*)
+	echo "$0: incorrect arguments: $*" >&2
+	exit 1
+	;;
+esac
+
+#DEBHELPER#
diff --git a/crypto/heimdal/packages/debian/heimdal-servers.prerm b/crypto/heimdal/packages/debian/heimdal-servers.prerm
new file mode 100644
index 0000000..d978994
--- /dev/null
+++ b/crypto/heimdal/packages/debian/heimdal-servers.prerm
@@ -0,0 +1,14 @@
+#!/bin/sh -e
+
+disable_servers() {
+	update-inetd --pattern '[ \t]/usr/lib/heimdal-servers/rshd' --disable kshell
+	update-inetd --pattern '[ \t]/usr/lib/heimdal-servers/ftpd' --disable ftp
+	update-inetd --pattern '[ \t]/usr/lib/heimdal-servers/telnetd' --disable telnet
+	update-inetd --pattern '[ \t]/usr/lib/heimdal-servers/popper' --disable pop-3
+}
+
+if command -v update-inetd >/dev/null 2>&1; then
+	disable_servers
+fi
+
+#DEBHELPER#
diff --git a/crypto/heimdal/packages/debian/libasn1-8-heimdal.install b/crypto/heimdal/packages/debian/libasn1-8-heimdal.install
new file mode 100644
index 0000000..a4c26aa
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libasn1-8-heimdal.install
@@ -0,0 +1,2 @@
+usr/lib/libasn1.so.8.*
+usr/lib/libasn1.so.8
diff --git a/crypto/heimdal/packages/debian/libasn1-8-heimdal.postinst.debhelper b/crypto/heimdal/packages/debian/libasn1-8-heimdal.postinst.debhelper
new file mode 100644
index 0000000..3d89d3e
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libasn1-8-heimdal.postinst.debhelper
@@ -0,0 +1,5 @@
+# Automatically added by dh_makeshlibs
+if [ "$1" = "configure" ]; then
+	ldconfig
+fi
+# End automatically added section
diff --git a/crypto/heimdal/packages/debian/libasn1-8-heimdal.postrm.debhelper b/crypto/heimdal/packages/debian/libasn1-8-heimdal.postrm.debhelper
new file mode 100644
index 0000000..7f44047
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libasn1-8-heimdal.postrm.debhelper
@@ -0,0 +1,5 @@
+# Automatically added by dh_makeshlibs
+if [ "$1" = "remove" ]; then
+	ldconfig
+fi
+# End automatically added section
diff --git a/crypto/heimdal/packages/debian/libasn1-8-heimdal.substvars b/crypto/heimdal/packages/debian/libasn1-8-heimdal.substvars
new file mode 100644
index 0000000..6ea524c
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libasn1-8-heimdal.substvars
@@ -0,0 +1 @@
+shlibs:Depends=libc6 (>= 2.6-1), libcomerr2 (>= 1.33-3), libroken16-heimdal
diff --git a/crypto/heimdal/packages/debian/libgssapi2-heimdal.install b/crypto/heimdal/packages/debian/libgssapi2-heimdal.install
new file mode 100644
index 0000000..0715529
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libgssapi2-heimdal.install
@@ -0,0 +1,2 @@
+usr/lib/libgssapi.so.2.*
+usr/lib/libgssapi.so.2
diff --git a/crypto/heimdal/packages/debian/libgssapi2-heimdal.postinst.debhelper b/crypto/heimdal/packages/debian/libgssapi2-heimdal.postinst.debhelper
new file mode 100644
index 0000000..3d89d3e
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libgssapi2-heimdal.postinst.debhelper
@@ -0,0 +1,5 @@
+# Automatically added by dh_makeshlibs
+if [ "$1" = "configure" ]; then
+	ldconfig
+fi
+# End automatically added section
diff --git a/crypto/heimdal/packages/debian/libgssapi2-heimdal.postrm.debhelper b/crypto/heimdal/packages/debian/libgssapi2-heimdal.postrm.debhelper
new file mode 100644
index 0000000..7f44047
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libgssapi2-heimdal.postrm.debhelper
@@ -0,0 +1,5 @@
+# Automatically added by dh_makeshlibs
+if [ "$1" = "remove" ]; then
+	ldconfig
+fi
+# End automatically added section
diff --git a/crypto/heimdal/packages/debian/libgssapi2-heimdal.substvars b/crypto/heimdal/packages/debian/libgssapi2-heimdal.substvars
new file mode 100644
index 0000000..3b7204b
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libgssapi2-heimdal.substvars
@@ -0,0 +1 @@
+shlibs:Depends=libasn1-6-heimdal, libc6 (>= 2.6-1), libcomerr2 (>= 1.33-3), libkrb5-17-heimdal, libroken16-heimdal
diff --git a/crypto/heimdal/packages/debian/libhdb9-heimdal.install b/crypto/heimdal/packages/debian/libhdb9-heimdal.install
new file mode 100644
index 0000000..ff251bd
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libhdb9-heimdal.install
@@ -0,0 +1,3 @@
+usr/lib/libhdb.so.9.*
+usr/lib/libhdb.so.9
+
diff --git a/crypto/heimdal/packages/debian/libhdb9-heimdal.postinst.debhelper b/crypto/heimdal/packages/debian/libhdb9-heimdal.postinst.debhelper
new file mode 100644
index 0000000..3d89d3e
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libhdb9-heimdal.postinst.debhelper
@@ -0,0 +1,5 @@
+# Automatically added by dh_makeshlibs
+if [ "$1" = "configure" ]; then
+	ldconfig
+fi
+# End automatically added section
diff --git a/crypto/heimdal/packages/debian/libhdb9-heimdal.postrm.debhelper b/crypto/heimdal/packages/debian/libhdb9-heimdal.postrm.debhelper
new file mode 100644
index 0000000..7f44047
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libhdb9-heimdal.postrm.debhelper
@@ -0,0 +1,5 @@
+# Automatically added by dh_makeshlibs
+if [ "$1" = "remove" ]; then
+	ldconfig
+fi
+# End automatically added section
diff --git a/crypto/heimdal/packages/debian/libhdb9-heimdal.substvars b/crypto/heimdal/packages/debian/libhdb9-heimdal.substvars
new file mode 100644
index 0000000..e9392d1
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libhdb9-heimdal.substvars
@@ -0,0 +1 @@
+shlibs:Depends=libasn1-6-heimdal, libc6 (>= 2.6-1), libcomerr2 (>= 1.33-3), libdb4.4, libkrb5-17-heimdal, libroken16-heimdal
diff --git a/crypto/heimdal/packages/debian/libkadm5clnt7-heimdal.install b/crypto/heimdal/packages/debian/libkadm5clnt7-heimdal.install
new file mode 100644
index 0000000..6643c81
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libkadm5clnt7-heimdal.install
@@ -0,0 +1,3 @@
+usr/lib/libkadm5clnt.so.7.*
+usr/lib/libkadm5clnt.so.7
+
diff --git a/crypto/heimdal/packages/debian/libkadm5clnt7-heimdal.postinst.debhelper b/crypto/heimdal/packages/debian/libkadm5clnt7-heimdal.postinst.debhelper
new file mode 100644
index 0000000..3d89d3e
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libkadm5clnt7-heimdal.postinst.debhelper
@@ -0,0 +1,5 @@
+# Automatically added by dh_makeshlibs
+if [ "$1" = "configure" ]; then
+	ldconfig
+fi
+# End automatically added section
diff --git a/crypto/heimdal/packages/debian/libkadm5clnt7-heimdal.postrm.debhelper b/crypto/heimdal/packages/debian/libkadm5clnt7-heimdal.postrm.debhelper
new file mode 100644
index 0000000..7f44047
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libkadm5clnt7-heimdal.postrm.debhelper
@@ -0,0 +1,5 @@
+# Automatically added by dh_makeshlibs
+if [ "$1" = "remove" ]; then
+	ldconfig
+fi
+# End automatically added section
diff --git a/crypto/heimdal/packages/debian/libkadm5clnt7-heimdal.substvars b/crypto/heimdal/packages/debian/libkadm5clnt7-heimdal.substvars
new file mode 100644
index 0000000..b807683
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libkadm5clnt7-heimdal.substvars
@@ -0,0 +1 @@
+shlibs:Depends=libc6 (>= 2.6-1), libcomerr2 (>= 1.33-3), libkrb5-17-heimdal, libroken16-heimdal
diff --git a/crypto/heimdal/packages/debian/libkadm5srv7-heimdal.install b/crypto/heimdal/packages/debian/libkadm5srv7-heimdal.install
new file mode 100644
index 0000000..9611b09
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libkadm5srv7-heimdal.install
@@ -0,0 +1,2 @@
+usr/lib/libkadm5srv.so.*
+
diff --git a/crypto/heimdal/packages/debian/libkadm5srv8-heimdal.install b/crypto/heimdal/packages/debian/libkadm5srv8-heimdal.install
new file mode 100644
index 0000000..5e7ad52
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libkadm5srv8-heimdal.install
@@ -0,0 +1,3 @@
+usr/lib/libkadm5srv.so.8.*
+usr/lib/libkadm5srv.so.8
+
diff --git a/crypto/heimdal/packages/debian/libkafs0-heimdal.install b/crypto/heimdal/packages/debian/libkafs0-heimdal.install
new file mode 100644
index 0000000..0a2c479
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libkafs0-heimdal.install
@@ -0,0 +1,2 @@
+usr/lib/libkafs.so.0.*
+usr/lib/libkafs.so.0
diff --git a/crypto/heimdal/packages/debian/libkrb5-22-heimdal.install b/crypto/heimdal/packages/debian/libkrb5-22-heimdal.install
new file mode 100644
index 0000000..72ae23c
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libkrb5-22-heimdal.install
@@ -0,0 +1,3 @@
+usr/lib/libkrb5.so.22.*
+usr/lib/libkrb5.so.22
+
diff --git a/crypto/heimdal/packages/debian/libkrb5-22-heimdal.postinst.debhelper b/crypto/heimdal/packages/debian/libkrb5-22-heimdal.postinst.debhelper
new file mode 100644
index 0000000..3d89d3e
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libkrb5-22-heimdal.postinst.debhelper
@@ -0,0 +1,5 @@
+# Automatically added by dh_makeshlibs
+if [ "$1" = "configure" ]; then
+	ldconfig
+fi
+# End automatically added section
diff --git a/crypto/heimdal/packages/debian/libkrb5-22-heimdal.postrm.debhelper b/crypto/heimdal/packages/debian/libkrb5-22-heimdal.postrm.debhelper
new file mode 100644
index 0000000..7f44047
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libkrb5-22-heimdal.postrm.debhelper
@@ -0,0 +1,5 @@
+# Automatically added by dh_makeshlibs
+if [ "$1" = "remove" ]; then
+	ldconfig
+fi
+# End automatically added section
diff --git a/crypto/heimdal/packages/debian/libkrb5-22-heimdal.substvars b/crypto/heimdal/packages/debian/libkrb5-22-heimdal.substvars
new file mode 100644
index 0000000..00d2281
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libkrb5-22-heimdal.substvars
@@ -0,0 +1 @@
+shlibs:Depends=libasn1-6-heimdal, libc6 (>= 2.6-1), libcomerr2 (>= 1.33-3), libroken16-heimdal
diff --git a/crypto/heimdal/packages/debian/libotp0-heimdal.install b/crypto/heimdal/packages/debian/libotp0-heimdal.install
new file mode 100644
index 0000000..4953c19
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libotp0-heimdal.install
@@ -0,0 +1 @@
+usr/lib/libotp.so.*
diff --git a/crypto/heimdal/packages/debian/libroken18-heimdal.install b/crypto/heimdal/packages/debian/libroken18-heimdal.install
new file mode 100644
index 0000000..c544e71
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libroken18-heimdal.install
@@ -0,0 +1,2 @@
+usr/lib/libroken.so.18.*
+usr/lib/libroken.so.18
diff --git a/crypto/heimdal/packages/debian/libroken18-heimdal.postinst.debhelper b/crypto/heimdal/packages/debian/libroken18-heimdal.postinst.debhelper
new file mode 100644
index 0000000..3d89d3e
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libroken18-heimdal.postinst.debhelper
@@ -0,0 +1,5 @@
+# Automatically added by dh_makeshlibs
+if [ "$1" = "configure" ]; then
+	ldconfig
+fi
+# End automatically added section
diff --git a/crypto/heimdal/packages/debian/libroken18-heimdal.postrm.debhelper b/crypto/heimdal/packages/debian/libroken18-heimdal.postrm.debhelper
new file mode 100644
index 0000000..7f44047
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libroken18-heimdal.postrm.debhelper
@@ -0,0 +1,5 @@
+# Automatically added by dh_makeshlibs
+if [ "$1" = "remove" ]; then
+	ldconfig
+fi
+# End automatically added section
diff --git a/crypto/heimdal/packages/debian/libroken18-heimdal.substvars b/crypto/heimdal/packages/debian/libroken18-heimdal.substvars
new file mode 100644
index 0000000..17c2baa
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libroken18-heimdal.substvars
@@ -0,0 +1 @@
+shlibs:Depends=libc6 (>= 2.6-1)
diff --git a/crypto/heimdal/packages/debian/libsl0-heimdal.install b/crypto/heimdal/packages/debian/libsl0-heimdal.install
new file mode 100644
index 0000000..ae61142
--- /dev/null
+++ b/crypto/heimdal/packages/debian/libsl0-heimdal.install
@@ -0,0 +1,2 @@
+usr/lib/libsl.so.0.*
+usr/lib/libsl.so.0
diff --git a/crypto/heimdal/packages/debian/patches/021_debian b/crypto/heimdal/packages/debian/patches/021_debian
new file mode 100644
index 0000000..52d1990
--- /dev/null
+++ b/crypto/heimdal/packages/debian/patches/021_debian
@@ -0,0 +1,204 @@
+Index: heimdal-0.7.2.dfsg.1/lib/hdb/hdb.h
+===================================================================
+--- heimdal-0.7.2.dfsg.1.orig/lib/hdb/hdb.h	2006-05-13 16:42:53.000000000 +1000
++++ heimdal-0.7.2.dfsg.1/lib/hdb/hdb.h	2006-05-13 16:42:58.000000000 +1000
+@@ -86,7 +86,7 @@
+     krb5_error_code (*create)(krb5_context, HDB **, const char *filename);
+ };
+ 
+-#define HDB_DB_DIR "/var/heimdal"
++#define HDB_DB_DIR "/var/lib/heimdal-kdc"
+ #define HDB_DEFAULT_DB HDB_DB_DIR "/heimdal"
+ #define HDB_DB_FORMAT_ENTRY "hdb/db-format"
+ 
+Index: heimdal-0.7.2.dfsg.1/appl/telnet/telnetd/telnetd.h
+===================================================================
+--- heimdal-0.7.2.dfsg.1.orig/appl/telnet/telnetd/telnetd.h	2006-05-13 16:42:53.000000000 +1000
++++ heimdal-0.7.2.dfsg.1/appl/telnet/telnetd/telnetd.h	2006-05-13 16:42:58.000000000 +1000
+@@ -192,7 +192,7 @@
+ #endif
+ 
+ #undef _PATH_LOGIN
+-#define _PATH_LOGIN	BINDIR "/login"
++#define _PATH_LOGIN	"/bin/login"
+ 
+ /* fallbacks */
+ 
+Index: heimdal-0.7.2.dfsg.1/kdc/kdc.8
+===================================================================
+--- heimdal-0.7.2.dfsg.1.orig/kdc/kdc.8	2006-05-13 16:42:53.000000000 +1000
++++ heimdal-0.7.2.dfsg.1/kdc/kdc.8	2006-05-13 16:42:58.000000000 +1000
+@@ -77,7 +77,7 @@
+ .Fl -config-file= Ns Ar file
+ .Xc
+ Specifies the location of the config file, the default is
+-.Pa /var/heimdal/kdc.conf .
++.Pa /etc/heimdal-kdc/kdc.conf .
+ This is the only value that can't be specified in the config file.
+ .It Xo
+ .Fl p ,
+Index: heimdal-0.7.2.dfsg.1/doc/setup.texi
+===================================================================
+--- heimdal-0.7.2.dfsg.1.orig/doc/setup.texi	2006-05-13 16:42:53.000000000 +1000
++++ heimdal-0.7.2.dfsg.1/doc/setup.texi	2006-05-13 16:42:58.000000000 +1000
+@@ -335,7 +335,7 @@
+ as @samp{749/tcp}.
+ 
+ Access to the administration server is controlled by an ACL file, (default
+-@file{/var/heimdal/kadmind.acl}.) The lines in the access file, have the
++@file{/etc/heimdal-kdc/kadmind.acl}.) The lines in the access file, have the
+ following syntax:
+ @smallexample
+ principal       [priv1,priv2,...]       [glob-pattern]
+Index: heimdal-0.7.2.dfsg.1/kdc/kdc_locl.h
+===================================================================
+--- heimdal-0.7.2.dfsg.1.orig/kdc/kdc_locl.h	2006-05-13 16:42:53.000000000 +1000
++++ heimdal-0.7.2.dfsg.1/kdc/kdc_locl.h	2006-05-13 16:42:58.000000000 +1000
+@@ -74,7 +74,7 @@
+ extern int enable_pkinit_princ_in_cert;
+ #endif
+ 
+-#define _PATH_KDC_CONF		HDB_DB_DIR "/kdc.conf"
++#define _PATH_KDC_CONF		"/etc/heimdal-kdc/kdc.conf"
+ #define DEFAULT_LOG_DEST	"0-1/FILE:" HDB_DB_DIR "/kdc.log"
+ 
+ extern struct timeval now;
+Index: heimdal-0.7.2.dfsg.1/lib/kadm5/context_s.c
+===================================================================
+--- heimdal-0.7.2.dfsg.1.orig/lib/kadm5/context_s.c	2006-05-13 16:42:53.000000000 +1000
++++ heimdal-0.7.2.dfsg.1/lib/kadm5/context_s.c	2006-05-13 16:42:58.000000000 +1000
+@@ -158,7 +158,7 @@
+ 	set_config(ctx, default_binding);
+     else {
+ 	ctx->config.dbname        = strdup(HDB_DEFAULT_DB);
+-	ctx->config.acl_file      = strdup(HDB_DB_DIR "/kadmind.acl");
++	ctx->config.acl_file      = strdup("/etc/heimdal-kdc/kadmind.acl");
+ 	ctx->config.stash_file    = strdup(HDB_DB_DIR "/m-key");
+ 	ctx->log_context.log_file = strdup(HDB_DB_DIR "/log");
+ 	memset(&ctx->log_context.socket_name, 0, 
+Index: heimdal-0.7.2.dfsg.1/kadmin/kadmind.8
+===================================================================
+--- heimdal-0.7.2.dfsg.1.orig/kadmin/kadmind.8	2006-05-13 16:42:53.000000000 +1000
++++ heimdal-0.7.2.dfsg.1/kadmin/kadmind.8	2006-05-13 16:42:58.000000000 +1000
+@@ -85,7 +85,7 @@
+ Principals are always allowed to change their own password and list
+ their own principal.  Apart from that, doing any operation requires
+ permission explicitly added in the ACL file
+-.Pa /var/heimdal/kadmind.acl .
++.Pa /etc/heimdal-kdc/kadmind.acl .
+ The format of this file is:
+ .Bd -ragged
+ .Va principal
+@@ -155,7 +155,7 @@
+ .El
+ .\".Sh ENVIRONMENT
+ .Sh FILES
+-.Pa /var/heimdal/kadmind.acl
++.Pa /etc/heimdal-kdc/kadmind.acl
+ .Sh EXAMPLES
+ This will cause
+ .Nm
+Index: heimdal-0.7.2.dfsg.1/lib/kadm5/truncate_log.c
+===================================================================
+--- heimdal-0.7.2.dfsg.1.orig/lib/kadm5/truncate_log.c	2003-11-19 10:19:26.000000000 +1100
++++ heimdal-0.7.2.dfsg.1/lib/kadm5/truncate_log.c	2006-05-14 10:33:39.054471619 +1000
+@@ -69,7 +69,7 @@
+     }
+ 
+     if (config_file == NULL)
+-	config_file = HDB_DB_DIR "/kdc.conf";
++	config_file = "/etc/heimdal-kdc/kdc.conf";
+ 
+     ret = krb5_prepend_config_files_default(config_file, &files);
+     if (ret)
+Index: heimdal-0.7.2.dfsg.1/lib/kadm5/dump_log.c
+===================================================================
+--- heimdal-0.7.2.dfsg.1.orig/lib/kadm5/dump_log.c	2005-04-26 04:17:51.000000000 +1000
++++ heimdal-0.7.2.dfsg.1/lib/kadm5/dump_log.c	2006-05-14 10:33:13.743359875 +1000
+@@ -246,7 +246,7 @@
+     }
+ 
+     if (config_file == NULL)
+-	config_file = HDB_DB_DIR "/kdc.conf";
++	config_file = "/etc/heimdal-kdc/kdc.conf";
+ 
+     ret = krb5_prepend_config_files_default(config_file, &files);
+     if (ret)
+Index: heimdal-0.7.2.dfsg.1/kadmin/kadmind.c
+===================================================================
+--- heimdal-0.7.2.dfsg.1.orig/kadmin/kadmind.c	2005-04-15 21:16:32.000000000 +1000
++++ heimdal-0.7.2.dfsg.1/kadmin/kadmind.c	2006-05-14 10:27:22.837834789 +1000
+@@ -117,7 +117,7 @@
+     argv += optind;
+ 
+     if (config_file == NULL)
+-	config_file = HDB_DB_DIR "/kdc.conf";
++	config_file = "/etc/heimdal-kdc/kdc.conf";
+ 
+     ret = krb5_prepend_config_files_default(config_file, &files);
+     if (ret)
+Index: heimdal-0.7.2.dfsg.1/kadmin/kadmin.c
+===================================================================
+--- heimdal-0.7.2.dfsg.1.orig/kadmin/kadmin.c	2005-05-10 01:35:22.000000000 +1000
++++ heimdal-0.7.2.dfsg.1/kadmin/kadmin.c	2006-05-14 10:27:03.969138000 +1000
+@@ -194,7 +194,7 @@
+     argv += optind;
+ 
+     if (config_file == NULL)
+-	config_file = HDB_DB_DIR "/kdc.conf";
++	config_file = "/etc/heimdal-kdc/kdc.conf";
+ 
+     ret = krb5_prepend_config_files_default(config_file, &files);
+     if (ret)
+Index: heimdal-0.7.2.dfsg.1/lib/kadm5/replay_log.c
+===================================================================
+--- heimdal-0.7.2.dfsg.1.orig/lib/kadm5/replay_log.c	2003-11-19 10:19:22.000000000 +1100
++++ heimdal-0.7.2.dfsg.1/lib/kadm5/replay_log.c	2006-05-14 10:33:28.976621605 +1000
+@@ -99,7 +99,7 @@
+     }
+ 
+     if (config_file == NULL)
+-	config_file = HDB_DB_DIR "/kdc.conf";
++	config_file = "/etc/heimdal-kdc/kdc.conf";
+ 
+     ret = krb5_prepend_config_files_default(config_file, &files);
+     if (ret)
+Index: heimdal-0.7.2.dfsg.1/lib/kadm5/ipropd_slave.c
+===================================================================
+--- heimdal-0.7.2.dfsg.1.orig/lib/kadm5/ipropd_slave.c	2005-05-24 03:39:35.000000000 +1000
++++ heimdal-0.7.2.dfsg.1/lib/kadm5/ipropd_slave.c	2006-05-14 10:31:34.812853916 +1000
+@@ -418,7 +418,7 @@
+     }
+ 
+     if (config_file == NULL)
+-	config_file = HDB_DB_DIR "/kdc.conf";
++	config_file = "/etc/heimdal-kdc/kdc.conf";
+ 
+     ret = krb5_prepend_config_files_default(config_file, &files);
+     if (ret)
+Index: heimdal-0.7.2.dfsg.1/lib/kadm5/ipropd_master.c
+===================================================================
+--- heimdal-0.7.2.dfsg.1.orig/lib/kadm5/ipropd_master.c	2005-05-24 03:38:46.000000000 +1000
++++ heimdal-0.7.2.dfsg.1/lib/kadm5/ipropd_master.c	2006-05-14 10:31:17.286905672 +1000
+@@ -654,7 +654,7 @@
+     }
+ 
+     if (config_file == NULL)
+-	config_file = HDB_DB_DIR "/kdc.conf";
++	config_file = "/etc/heimdal-kdc/kdc.conf";
+ 
+     ret = krb5_prepend_config_files_default(config_file, &files);
+     if (ret)
+Index: heimdal-0.7.2.dfsg.1/kpasswd/kpasswdd.c
+===================================================================
+--- heimdal-0.7.2.dfsg.1.orig/kpasswd/kpasswdd.c	2005-04-22 21:03:11.000000000 +1000
++++ heimdal-0.7.2.dfsg.1/kpasswd/kpasswdd.c	2006-05-14 10:27:49.778564590 +1000
+@@ -749,7 +749,7 @@
+     }
+ 
+     if (config_file == NULL)
+-	config_file = HDB_DB_DIR "/kdc.conf";
++	config_file = "/etc/heimdal-kdc/kdc.conf";
+ 
+     ret = krb5_prepend_config_files_default(config_file, &files);
+     if (ret)
diff --git a/crypto/heimdal/packages/debian/patches/022_ftp-roken-glob b/crypto/heimdal/packages/debian/patches/022_ftp-roken-glob
new file mode 100644
index 0000000..bd974da
--- /dev/null
+++ b/crypto/heimdal/packages/debian/patches/022_ftp-roken-glob
@@ -0,0 +1,270 @@
+Index: heimdal-0.7.2/appl/ftp/ftp/cmds.c
+===================================================================
+--- heimdal-0.7.2.orig/appl/ftp/ftp/cmds.c	2005-04-18 17:45:12.000000000 +1000
++++ heimdal-0.7.2/appl/ftp/ftp/cmds.c	2006-03-09 12:50:02.997025112 +1100
+@@ -536,9 +536,17 @@
+ 
+ 	memset(&gl, 0, sizeof(gl));
+ 	flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
++#ifdef HAVE_GLOB
+ 	if (glob(argv[i], flags, NULL, &gl) || gl.gl_pathc == 0) {
++#else
++	if (roken_glob(argv[i], flags, NULL, &gl) || gl.gl_pathc == 0) {
++#endif 
+ 	    warnx("%s: not found", argv[i]);
++#ifdef HAVE_GLOB
+ 	    globfree(&gl);
++#else
++	    roken_globfree(&gl);
++#endif
+ 	    continue;
+ 	}
+ 	for (cpp = gl.gl_pathv; cpp && *cpp != NULL; cpp++) {
+@@ -559,7 +567,11 @@
+ 		}
+ 	    }
+ 	}
++#ifdef HAVE_GLOB
+ 	globfree(&gl);
++#else
++	roken_globfree(&gl);
++#endif
+     }
+     signal(SIGINT, oldintr);
+     mflag = 0;
+@@ -1568,14 +1580,27 @@
+ 
+ 	flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
+ 	memset(&gl, 0, sizeof(gl));
++#ifdef HAVE_GLOB
+ 	if (glob(*cpp, flags, NULL, &gl) ||
++#else 
++	if (roken_glob(*cpp, flags, NULL, &gl) ||
++#endif
+ 	    gl.gl_pathc == 0) {
+ 		warnx("%s: not found", *cpp);
++#ifdef HAVE_GLOB
+ 		globfree(&gl);
++#else
++		roken_globfree(&gl);
++#endif
+ 		return (0);
+ 	}
+ 	*cpp = strdup(gl.gl_pathv[0]);	/* XXX - wasted memory */
++#ifdef HAVE_GLOB
+ 	globfree(&gl);
++#else
++	roken_globfree(&gl);
++#endif
++
+ 	return (1);
+ }
+ 
+Index: heimdal-0.7.2/appl/ftp/ftp/ftp_locl.h
+===================================================================
+--- heimdal-0.7.2.orig/appl/ftp/ftp/ftp_locl.h	2002-09-11 06:03:46.000000000 +1000
++++ heimdal-0.7.2/appl/ftp/ftp/ftp_locl.h	2006-03-09 12:50:02.998024960 +1100
+@@ -101,7 +101,11 @@
+ 
+ #include <errno.h>
+ #include <ctype.h>
++#ifdef HAVE_GLOB
+ #include <glob.h>
++#else
++#include <roken-glob.h>
++#endif 
+ #ifdef HAVE_NETDB_H
+ #include <netdb.h>
+ #endif
+Index: heimdal-0.7.2/appl/ftp/ftpd/ftpcmd.y
+===================================================================
+--- heimdal-0.7.2.orig/appl/ftp/ftpd/ftpcmd.y	2004-08-20 23:31:19.000000000 +1000
++++ heimdal-0.7.2/appl/ftp/ftpd/ftpcmd.y	2006-03-09 12:50:03.000024656 +1100
+@@ -826,14 +826,22 @@
+ 				 GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
+ 
+ 				memset(&gl, 0, sizeof(gl));
++#ifdef HAVE_GLOB
+ 				if (glob($1, flags, NULL, &gl) ||
++#else
++				if (roken_glob($1, flags, NULL, &gl) ||
++#endif
+ 				    gl.gl_pathc == 0) {
+ 					reply(550, "not found");
+ 					$$ = NULL;
+ 				} else {
+ 					$$ = strdup(gl.gl_pathv[0]);
+ 				}
++#ifdef HAVE_GLOB
+ 				globfree(&gl);
++#else
++				roken_globfree(&gl);
++#endif
+ 				free($1);
+ 			} else
+ 				$$ = $1;
+Index: heimdal-0.7.2/appl/ftp/ftpd/ftpd.c
+===================================================================
+--- heimdal-0.7.2.orig/appl/ftp/ftpd/ftpd.c	2005-06-02 20:41:28.000000000 +1000
++++ heimdal-0.7.2/appl/ftp/ftpd/ftpd.c	2006-03-09 12:50:03.003024200 +1100
+@@ -2234,7 +2234,11 @@
+ 
+ 	memset(&gl, 0, sizeof(gl));
+ 	freeglob = 1;
++#ifdef HAVE_GLOB
+ 	if (glob(whichf, flags, 0, &gl)) {
++#else
++	if (roken_glob(whichf, flags, 0, &gl)) {
++#endif
+ 	    reply(550, "not found");
+ 	    goto out;
+ 	} else if (gl.gl_pathc == 0) {
+@@ -2341,7 +2345,11 @@
+     pdata = -1;
+     if (freeglob) {
+ 	freeglob = 0;
++#ifdef HAVE_GLOB
+ 	globfree(&gl);
++#else
++	roken_globfree(&gl);
++#endif
+     }
+ }
+ 
+Index: heimdal-0.7.2/appl/ftp/ftpd/ftpd_locl.h
+===================================================================
+--- heimdal-0.7.2.orig/appl/ftp/ftpd/ftpd_locl.h	2005-04-25 05:58:14.000000000 +1000
++++ heimdal-0.7.2/appl/ftp/ftpd/ftpd_locl.h	2006-03-09 12:50:03.004024048 +1100
+@@ -106,7 +106,11 @@
+ #ifdef HAVE_FCNTL_H
+ #include <fcntl.h>
+ #endif
++#ifdef HAVE_GLOB
+ #include <glob.h>
++#else
++#include <roken-glob.h>
++#endif 
+ #include <limits.h>
+ #ifdef HAVE_PWD_H
+ #include <pwd.h>
+Index: heimdal-0.7.2/appl/ftp/ftpd/popen.c
+===================================================================
+--- heimdal-0.7.2.orig/appl/ftp/ftpd/popen.c	2002-04-02 21:57:39.000000000 +1000
++++ heimdal-0.7.2/appl/ftp/ftpd/popen.c	2006-03-09 12:50:03.013022680 +1100
+@@ -55,7 +55,11 @@
+ #include <sys/wait.h>
+ 
+ #include <errno.h>
++#ifdef HAVE_GLOB
+ #include <glob.h>
++#else
++#include <roken-glob.h>
++#endif
+ #include <signal.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+@@ -149,7 +153,11 @@
+ 
+ 		memset(&gl, 0, sizeof(gl));
+ 		if (no_glob || 
++#ifdef HAVE_GLOB
+ 		    glob(argv[argc], flags, NULL, &gl) || 
++#else
++		    roken_glob(argv[argc], flags, NULL, &gl) ||
++#endif
+ 		    gl.gl_pathc == 0)
+ 			gargv[gargc++] = strdup(argv[argc]);
+ 		else
+@@ -157,7 +165,11 @@
+ 			     *pop && gargc < MAXGLOBS - 1;
+ 			     pop++)
+ 				gargv[gargc++] = strdup(*pop);
++#ifdef HAVE_GLOB
+ 		globfree(&gl);
++#else
++		roken_globfree(&gl);
++#endif
+ 	}
+ 	gargv[gargc] = NULL;
+ 
+Index: heimdal-0.7.2/lib/roken/glob.c
+===================================================================
+--- heimdal-0.7.2.orig/lib/roken/glob.c	2005-04-12 21:28:50.000000000 +1000
++++ heimdal-0.7.2/lib/roken/glob.c	2006-03-09 12:50:03.015022376 +1100
+@@ -87,7 +87,7 @@
+ #include <limits.h>
+ #endif
+ 
+-#include "glob.h"
++#include "roken-glob.h"
+ #include "roken.h"
+ 
+ #ifndef ARG_MAX
+@@ -167,7 +167,7 @@
+ #endif
+ 
+ int ROKEN_LIB_FUNCTION
+-glob(const char *pattern, 
++roken_glob(const char *pattern, 
+      int flags, 
+      int (*errfunc)(const char *, int), 
+      glob_t *pglob)
+@@ -742,7 +742,7 @@
+ 
+ /* Free allocated data belonging to a glob_t structure. */
+ void ROKEN_LIB_FUNCTION
+-globfree(glob_t *pglob)
++roken_globfree(glob_t *pglob)
+ {
+ 	int i;
+ 	char **pp;
+Index: heimdal-0.7.2/lib/roken/glob.hin
+===================================================================
+--- heimdal-0.7.2.orig/lib/roken/glob.hin	2005-04-13 23:17:56.000000000 +1000
++++ heimdal-0.7.2/lib/roken/glob.hin	2006-03-09 12:50:03.016022224 +1100
+@@ -32,8 +32,8 @@
+  *	@(#)glob.h	8.1 (Berkeley) 6/2/93
+  */
+ 
+-#ifndef _GLOB_H_
+-#define	_GLOB_H_
++#ifndef _ROKEN_GLOB_H_
++#define	_ROKEN_GLOB_H_
+ 
+ #ifndef ROKEN_LIB_FUNCTION
+ #ifdef _WIN32
+@@ -88,9 +88,9 @@
+ #define	GLOB_ABEND	(-2)	/* Unignored error. */
+ 
+ int ROKEN_LIB_FUNCTION
+-glob (const char *, int, int (*)(const char *, int), glob_t *);
++roken_glob (const char *, int, int (*)(const char *, int), glob_t *);
+ 
+ void ROKEN_LIB_FUNCTION
+-globfree (glob_t *);
++roken_globfree (glob_t *);
+ 
+-#endif /* !_GLOB_H_ */
++#endif /* !_ROKEN_GLOB_H_ */
+Index: heimdal-0.7.2/lib/roken/Makefile.am
+===================================================================
+--- heimdal-0.7.2.orig/lib/roken/Makefile.am	2005-05-24 21:39:01.000000000 +1000
++++ heimdal-0.7.2/lib/roken/Makefile.am	2006-03-09 12:50:03.016022224 +1100
+@@ -129,7 +129,7 @@
+ if have_glob_h
+ glob_h =
+ else
+-glob_h = glob.h
++glob_h = roken-glob.h
+ endif
+ 
+ if have_ifaddrs_h
+@@ -170,6 +170,8 @@
+ SUFFIXES += .hin
+ .hin.h:
+ 	cp $< $@
++roken-glob.h:
++	cp glob.hin roken-glob.h
+ 
+ roken.h: make-roken$(EXEEXT)
+ 	@./make-roken$(EXEEXT) > tmp.h ;\
diff --git a/crypto/heimdal/packages/debian/patches/022_openafs b/crypto/heimdal/packages/debian/patches/022_openafs
new file mode 100644
index 0000000..64899fd
--- /dev/null
+++ b/crypto/heimdal/packages/debian/patches/022_openafs
@@ -0,0 +1,15 @@
+Index: heimdal-0.7.2/lib/krb5/keytab_keyfile.c
+===================================================================
+--- heimdal-0.7.2.orig/lib/krb5/keytab_keyfile.c	2005-01-09 09:57:18.000000000 +1100
++++ heimdal-0.7.2/lib/krb5/keytab_keyfile.c	2006-03-09 12:50:07.121398112 +1100
+@@ -48,8 +48,8 @@
+  *
+  */
+ 
+-#define AFS_SERVERTHISCELL "/usr/afs/etc/ThisCell"
+-#define AFS_SERVERMAGICKRBCONF "/usr/afs/etc/krb.conf"
++#define AFS_SERVERTHISCELL "/etc/openafs/ThisCell"
++#define AFS_SERVERMAGICKRBCONF "/etc/openafs/etc/krb.conf"
+ 
+ struct akf_data {
+     int num_entries;
diff --git a/crypto/heimdal/packages/debian/patches/025_pthreads b/crypto/heimdal/packages/debian/patches/025_pthreads
new file mode 100644
index 0000000..980a8ad
--- /dev/null
+++ b/crypto/heimdal/packages/debian/patches/025_pthreads
@@ -0,0 +1,13 @@
+Index: heimdal-0.7.2/cf/pthreads.m4
+===================================================================
+--- heimdal-0.7.2.orig/cf/pthreads.m4	2006-03-09 12:55:11.651102560 +1100
++++ heimdal-0.7.2/cf/pthreads.m4	2006-03-09 12:59:12.806441376 +1100
+@@ -32,7 +32,7 @@
+ 	2.*)
+ 		native_pthread_support=yes
+ 		PTHREADS_CFLAGS=-pthread
+-		PTHREADS_LIBS=-pthread
++		PTHREADS_LIBS="-pthread -lpthread"
+ 		;;
+ 	esac
+ 	;;
diff --git a/crypto/heimdal/packages/debian/patches/026_posix_max b/crypto/heimdal/packages/debian/patches/026_posix_max
new file mode 100644
index 0000000..bf26032
--- /dev/null
+++ b/crypto/heimdal/packages/debian/patches/026_posix_max
@@ -0,0 +1,293 @@
+Index: heimdal-0.7.2/appl/kf/kf_locl.h
+===================================================================
+--- heimdal-0.7.2.orig/appl/kf/kf_locl.h	2002-09-05 06:29:04.000000000 +1000
++++ heimdal-0.7.2/appl/kf/kf_locl.h	2006-03-09 12:59:30.120809192 +1100
+@@ -79,3 +79,7 @@
+ #define KF_PORT_NAME		"kf"
+ #define KF_PORT_NUM		2110
+ #define KF_VERSION_1		"KFWDV0.1"
++
++#ifndef MAXPATHLEN
++#define MAXPATHLEN 4096
++#endif
+Index: heimdal-0.7.2/appl/kf/kfd.c
+===================================================================
+--- heimdal-0.7.2.orig/appl/kf/kfd.c	2005-05-27 23:43:24.000000000 +1000
++++ heimdal-0.7.2/appl/kf/kfd.c	2006-03-09 12:59:30.121809040 +1100
+@@ -128,7 +128,7 @@
+     krb5_ticket *ticket;
+     char *name;
+     char ret_string[10];
+-    char hostname[MAXHOSTNAMELEN];
++    char hostname[MaxHostNameLen];
+     krb5_data data;
+     krb5_data remotename;
+     krb5_data tk_file;
+Index: heimdal-0.7.2/appl/kx/kx.h
+===================================================================
+--- heimdal-0.7.2.orig/appl/kx/kx.h	2003-04-17 02:45:43.000000000 +1000
++++ heimdal-0.7.2/appl/kx/kx.h	2006-03-09 12:59:30.122808888 +1100
+@@ -107,6 +107,10 @@
+ #include <sys/stropts.h>
+ #endif
+ 
++#ifndef MAXPATHLEN
++#define MAXPATHLEN 4096
++#endif
++
+ /* defined by aix's sys/stream.h and again by arpa/nameser.h */
+ 
+ #undef NOERROR
+Index: heimdal-0.7.2/appl/login/login_access.c
+===================================================================
+--- heimdal-0.7.2.orig/appl/login/login_access.c	2001-06-05 00:09:45.000000000 +1000
++++ heimdal-0.7.2/appl/login/login_access.c	2006-03-09 12:59:30.123808736 +1100
+@@ -163,11 +163,11 @@
+ 
+ static char *myhostname(void)
+ {
+-    static char name[MAXHOSTNAMELEN + 1] = "";
++    static char name[MaxHostNameLen + 1] = "";
+ 
+     if (name[0] == 0) {
+ 	gethostname(name, sizeof(name));
+-	name[MAXHOSTNAMELEN] = 0;
++	name[MaxHostNameLen] = 0;
+     }
+     return (name);
+ }
+Index: heimdal-0.7.2/appl/login/login_locl.h
+===================================================================
+--- heimdal-0.7.2.orig/appl/login/login_locl.h	2005-04-23 01:38:54.000000000 +1000
++++ heimdal-0.7.2/appl/login/login_locl.h	2006-03-09 12:59:30.124808584 +1100
+@@ -150,6 +150,10 @@
+ #endif
+ 
+ 
++#ifndef MAXPATHLEN
++#define MAXPATHLEN 4096
++#endif
++
+ struct spwd;
+ 
+ extern char **env;
+Index: heimdal-0.7.2/appl/popper/popper.h
+===================================================================
+--- heimdal-0.7.2.orig/appl/popper/popper.h	2004-07-14 19:10:30.000000000 +1000
++++ heimdal-0.7.2/appl/popper/popper.h	2006-03-09 12:59:30.125808432 +1100
+@@ -154,6 +154,10 @@
+ #define POP_MAILDIR	"/usr/spool/mail"
+ #endif
+ 
++#ifndef MAXPATHLEN
++#define MAXPATHLEN 4096
++#endif
++
+ #define POP_DROP        POP_MAILDIR "/.%s.pop"
+ 	/* POP_TMPSIZE needs to be big enough to hold the string
+ 	 * defined by POP_TMPDROP.  POP_DROP and POP_TMPDROP
+Index: heimdal-0.7.2/appl/rcp/rcp_locl.h
+===================================================================
+--- heimdal-0.7.2.orig/appl/rcp/rcp_locl.h	2005-05-30 04:24:43.000000000 +1000
++++ heimdal-0.7.2/appl/rcp/rcp_locl.h	2006-03-09 12:59:30.125808432 +1100
+@@ -65,3 +65,7 @@
+ #endif
+ #undef _PATH_RSH
+ #define	_PATH_RSH	BINDIR "/rsh"
++
++#ifndef MAXPATHLEN
++#define MAXPATHLEN 4096
++#endif
+Index: heimdal-0.7.2/appl/rsh/rsh_locl.h
+===================================================================
+--- heimdal-0.7.2.orig/appl/rsh/rsh_locl.h	2005-12-29 05:00:05.000000000 +1100
++++ heimdal-0.7.2/appl/rsh/rsh_locl.h	2006-03-09 12:59:30.126808280 +1100
+@@ -172,3 +172,7 @@
+ #define do_write(F, B, L, I) write((F), (B), (L))
+ #define do_read(F, B, L, I) read((F), (B), (L))
+ #endif
++
++#ifndef MAXPATHLEN
++#define MAXPATHLEN 4096
++#endif
+Index: heimdal-0.7.2/appl/test/tcp_server.c
+===================================================================
+--- heimdal-0.7.2.orig/appl/test/tcp_server.c	1999-12-16 21:31:08.000000000 +1100
++++ heimdal-0.7.2/appl/test/tcp_server.c	2006-03-09 12:59:30.127808128 +1100
+@@ -44,7 +44,7 @@
+     krb5_principal server;
+     krb5_ticket *ticket;
+     char *name;
+-    char hostname[MAXHOSTNAMELEN];
++    char hostname[MaxHostNameLen];
+     krb5_data packet;
+     krb5_data data;
+     u_int32_t len, net_len;
+Index: heimdal-0.7.2/lib/gssapi/gssapi_locl.h
+===================================================================
+--- heimdal-0.7.2.orig/lib/gssapi/gssapi_locl.h	2005-05-31 06:53:46.000000000 +1000
++++ heimdal-0.7.2/lib/gssapi/gssapi_locl.h	2006-03-09 12:59:30.128807976 +1100
+@@ -84,6 +84,10 @@
+  *
+  */
+ 
++#ifndef MAXPATHLEN
++#define MAXPATHLEN 4096
++#endif
++
+ extern krb5_context gssapi_krb5_context;
+ 
+ extern krb5_keytab gssapi_krb5_keytab;
+Index: heimdal-0.7.2/lib/gssapi/import_name.c
+===================================================================
+--- heimdal-0.7.2.orig/lib/gssapi/import_name.c	2003-03-17 04:33:31.000000000 +1100
++++ heimdal-0.7.2/lib/gssapi/import_name.c	2006-03-09 12:59:30.129807824 +1100
+@@ -90,7 +90,7 @@
+     char *tmp;
+     char *p;
+     char *host;
+-    char local_hostname[MAXHOSTNAMELEN];
++    char local_hostname[MaxHostNameLen];
+ 
+     *output_name = NULL;
+ 
+Index: heimdal-0.7.2/lib/kdfs/k5dfspag.c
+===================================================================
+--- heimdal-0.7.2.orig/lib/kdfs/k5dfspag.c	2002-08-13 01:11:58.000000000 +1000
++++ heimdal-0.7.2/lib/kdfs/k5dfspag.c	2006-03-09 12:59:30.130807672 +1100
+@@ -78,6 +78,9 @@
+ #define WAIT_USES_INT
+ typedef krb5_sigtype sigtype;
+ 
++#ifndef MAXPATHLEN
++#define MAXPATHLEN 4096
++#endif
+ 
+ /* 
+  * Need some syscall numbers based on different systems. 
+Index: heimdal-0.7.2/lib/krb5/get_addrs.c
+===================================================================
+--- heimdal-0.7.2.orig/lib/krb5/get_addrs.c	2004-05-26 07:26:05.000000000 +1000
++++ heimdal-0.7.2/lib/krb5/get_addrs.c	2006-03-09 12:59:30.139806304 +1100
+@@ -49,7 +49,7 @@
+ gethostname_fallback (krb5_context context, krb5_addresses *res)
+ {
+     krb5_error_code ret;
+-    char hostname[MAXHOSTNAMELEN];
++    char hostname[MaxHostNameLen];
+     struct hostent *hostent;
+ 
+     if (gethostname (hostname, sizeof(hostname))) {
+Index: heimdal-0.7.2/lib/krb5/get_host_realm.c
+===================================================================
+--- heimdal-0.7.2.orig/lib/krb5/get_host_realm.c	2005-04-20 04:52:51.000000000 +1000
++++ heimdal-0.7.2/lib/krb5/get_host_realm.c	2006-03-09 12:59:30.140806152 +1100
+@@ -95,7 +95,7 @@
+ 	       krb5_realm **realms)
+ {
+     static char *default_labels[] = { "_kerberos", NULL };
+-    char dom[MAXHOSTNAMELEN];
++    char dom[MaxHostNameLen];
+     struct dns_reply *r;
+     char **labels;
+     int i, ret;
+@@ -208,7 +208,7 @@
+ 		    const char *host,
+ 		    krb5_realm **realms)
+ {
+-    char hostname[MAXHOSTNAMELEN];
++    char hostname[MaxHostNameLen];
+ 
+     if (host == NULL) {
+ 	if (gethostname (hostname, sizeof(hostname)))
+Index: heimdal-0.7.2/lib/krb5/krbhst-test.c
+===================================================================
+--- heimdal-0.7.2.orig/lib/krb5/krbhst-test.c	2002-08-23 13:43:18.000000000 +1000
++++ heimdal-0.7.2/lib/krb5/krbhst-test.c	2006-03-09 12:59:30.140806152 +1100
+@@ -87,7 +87,7 @@
+     krb5_init_context (&context);
+     for(i = 0; i < argc; i++) {
+ 	krb5_krbhst_handle handle;
+-	char host[MAXHOSTNAMELEN];
++	char host[MaxHostNameLen];
+ 
+ 	for (j = 0; j < sizeof(types)/sizeof(*types); ++j) {
+ 	    printf ("%s for %s:\n", type_str[j], argv[i]);
+Index: heimdal-0.7.2/lib/krb5/krbhst.c
+===================================================================
+--- heimdal-0.7.2.orig/lib/krb5/krbhst.c	2005-05-20 19:09:42.000000000 +1000
++++ heimdal-0.7.2/lib/krb5/krbhst.c	2006-03-09 12:59:30.142805848 +1100
+@@ -763,7 +763,7 @@
+     krb5_error_code ret;
+     int nhost = 0;
+     krb5_krbhst_handle handle;
+-    char host[MAXHOSTNAMELEN];
++    char host[MaxHostNameLen];
+     krb5_krbhst_info *hostinfo;
+ 
+     ret = krb5_krbhst_init(context, realm, type, &handle);
+Index: heimdal-0.7.2/lib/krb5/principal.c
+===================================================================
+--- heimdal-0.7.2.orig/lib/krb5/principal.c	2004-12-29 12:54:54.000000000 +1100
++++ heimdal-0.7.2/lib/krb5/principal.c	2006-03-09 12:59:30.150804632 +1100
+@@ -706,8 +706,8 @@
+     const char *p;
+     krb5_error_code ret;
+     krb5_principal pr;
+-    char host[MAXHOSTNAMELEN];
+-    char local_hostname[MAXHOSTNAMELEN];
++    char host[MaxHostNameLen];
++    char local_hostname[MaxHostNameLen];
+ 
+     /* do the following: if the name is found in the
+        `v4_name_convert:host' part, is is assumed to be a `host' type
+@@ -1059,7 +1059,7 @@
+ 			 krb5_principal *ret_princ)
+ {
+     krb5_error_code ret;
+-    char localhost[MAXHOSTNAMELEN];
++    char localhost[MaxHostNameLen];
+     char **realms, *host = NULL;
+ 	
+     if(type != KRB5_NT_SRV_HST && type != KRB5_NT_UNKNOWN) {
+Index: heimdal-0.7.2/lib/krb5/verify_init.c
+===================================================================
+--- heimdal-0.7.2.orig/lib/krb5/verify_init.c	2004-05-26 07:45:47.000000000 +1000
++++ heimdal-0.7.2/lib/krb5/verify_init.c	2006-03-09 12:59:30.151804480 +1100
+@@ -90,7 +90,7 @@
+     memset (&entry, 0, sizeof(entry));
+ 
+     if (ap_req_server == NULL) {
+-	char local_hostname[MAXHOSTNAMELEN];
++	char local_hostname[MaxHostNameLen];
+ 
+ 	if (gethostname (local_hostname, sizeof(local_hostname)) < 0) {
+ 	    ret = errno;
+Index: heimdal-0.7.2/lib/roken/getaddrinfo_hostspec.c
+===================================================================
+--- heimdal-0.7.2.orig/lib/roken/getaddrinfo_hostspec.c	2005-04-12 21:28:43.000000000 +1000
++++ heimdal-0.7.2/lib/roken/getaddrinfo_hostspec.c	2006-03-09 12:59:30.152804328 +1100
+@@ -48,7 +48,7 @@
+ {
+     const char *p;
+     char portstr[NI_MAXSERV];
+-    char host[MAXHOSTNAMELEN];
++    char host[MaxHostNameLen];
+     struct addrinfo hints;
+     int hostspec_len;
+ 
+Index: heimdal-0.7.2/lib/sl/slc-gram.y
+===================================================================
+--- heimdal-0.7.2.orig/lib/sl/slc-gram.y	2005-04-19 20:28:28.000000000 +1000
++++ heimdal-0.7.2/lib/sl/slc-gram.y	2006-03-09 12:59:30.153804176 +1100
+@@ -46,6 +46,10 @@
+ #include <vers.h>
+ #include <roken.h>
+ 
++#ifndef PATH_MAX
++#define PATH_MAX 4096
++#endif
++
+ #include "slc.h"
+ extern FILE *yyin;
+ extern struct assignment *a;
diff --git a/crypto/heimdal/packages/debian/po/POTFILES.in b/crypto/heimdal/packages/debian/po/POTFILES.in
new file mode 100644
index 0000000..1fea324
--- /dev/null
+++ b/crypto/heimdal/packages/debian/po/POTFILES.in
@@ -0,0 +1 @@
+[type: gettext/rfc822deb] heimdal-kdc.templates
diff --git a/crypto/heimdal/packages/debian/po/templates.pot b/crypto/heimdal/packages/debian/po/templates.pot
new file mode 100644
index 0000000..41d0f31
--- /dev/null
+++ b/crypto/heimdal/packages/debian/po/templates.pot
@@ -0,0 +1,54 @@
+#
+#    Translators, if you are not familiar with the PO format, gettext
+#    documentation is worth reading, especially sections dedicated to
+#    this format, e.g. by running:
+#         info -n '(gettext)PO Files'
+#         info -n '(gettext)Header Entry'
+#
+#    Some information specific to po-debconf are available at
+#            /usr/share/doc/po-debconf/README-trans
+#         or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+#    Developers do not need to manually edit POT or PO files.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-02-27 10:15-0800\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: string
+#. Description
+#: ../heimdal-kdc.templates:3
+msgid "Local realm name:"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../heimdal-kdc.templates:3
+msgid ""
+"Heimdal requires the name of your local realm. This is typically your domain "
+"name in uppercase. eg if your hostname is host.org.com, then your realm will "
+"become ORG.COM. The default for your host is ${default_realm}."
+msgstr ""
+
+#. Type: password
+#. Description
+#: ../heimdal-kdc.templates:10
+msgid "Password for KDC:"
+msgstr ""
+
+#. Type: password
+#. Description
+#: ../heimdal-kdc.templates:10
+msgid ""
+"Heimdal can encrypt the KDC data with a password. A hashed representation "
+"will be stored in /var/lib/heimdal-kdc/m-key."
+msgstr ""
diff --git a/crypto/heimdal/packages/debian/rules b/crypto/heimdal/packages/debian/rules
new file mode 100755
index 0000000..8894667
--- /dev/null
+++ b/crypto/heimdal/packages/debian/rules
@@ -0,0 +1,62 @@
+#!/usr/bin/make -f
+
+include /usr/share/cdbs/1/rules/debhelper.mk
+include /usr/share/cdbs/1/class/autotools.mk
+include /usr/share/cdbs/1/rules/patchsys-quilt.mk
+
+DEB_INSTALL_DOCS_ALL =
+DEB_INSTALL_DOCS_heimdal-docs = $(filter-out $(DEB_INSTALL_CHANGELOGS_ALL),$(shell for f in README NEWS TODO BUGS AUTHORS THANKS; do if test -s $(DEB_SRCDIR)/$$f; then echo $(DEB_SRCDIR)/$$f; fi; done)) \
+	NEWS TODO
+
+
+DEB_DH_INSTALL_SOURCEDIR = debian/tmp
+
+DEB_CONFIGURE_LIBEXECDIR ="\$${prefix}/sbin"
+
+DEB_CONFIGURE_EXTRA_FLAGS := \
+	--enable-shared \
+	--enable-otp \
+	--with-kaserver \
+	--with-openssl \
+	--with-openldap \
+	--with-readline-include=/usr/include/editline \
+	--enable-kcm
+
+# /var/lib/heimdal-kdc is 700
+DEB_FIXPERMS_EXCLUDE = heimdal-kdc
+
+binary-post-install/heimdal-servers::
+	mv debian/heimdal-servers/usr/sbin/kfd debian/heimdal-servers/usr/lib/heimdal-servers
+	mv debian/heimdal-servers/usr/sbin/ftpd debian/heimdal-servers/usr/lib/heimdal-servers
+	mv debian/heimdal-servers/usr/sbin/rshd debian/heimdal-servers/usr/lib/heimdal-servers
+	mv debian/heimdal-servers/usr/sbin/telnetd debian/heimdal-servers/usr/lib/heimdal-servers
+	mv debian/heimdal-servers/usr/sbin/popper debian/heimdal-servers/usr/lib/heimdal-servers
+	mv debian/heimdal-servers/usr/bin/login debian/heimdal-servers/usr/lib/heimdal-servers
+
+binary-post-install/heimdal-servers-x::
+	mv debian/heimdal-servers-x/usr/sbin/kxd debian/heimdal-servers-x/usr/lib/heimdal-servers
+
+binary-post-install/heimdal-kdc::
+	mv debian/heimdal-kdc/usr/sbin/kdc debian/heimdal-kdc/usr/lib/heimdal-servers
+	mv debian/heimdal-kdc/usr/sbin/kadmind debian/heimdal-kdc/usr/lib/heimdal-servers
+	mv debian/heimdal-kdc/usr/sbin/kpasswdd debian/heimdal-kdc/usr/lib/heimdal-servers
+	install -m644 debian/extras/default debian/heimdal-kdc/etc/default/heimdal-kdc
+	install -m644 lib/hdb/hdb.schema debian/heimdal-kdc/etc/ldap/schema/hdb.schema
+	dh_fixperms -pheimdal-kdc
+	chmod 700 debian/heimdal-kdc/var/lib/heimdal-kdc
+
+binary-post-install/heimdal-clients::
+	mv debian/heimdal-clients/usr/bin/telnet debian/heimdal-clients/usr/bin/ktelnet
+	mv debian/heimdal-clients/usr/bin/ftp debian/heimdal-clients/usr/bin/kftp
+	mv debian/heimdal-clients/usr/share/man/man1/telnet.1 debian/heimdal-clients/usr/share/man/man1/ktelnet.1
+	mv debian/heimdal-clients/usr/share/man/man1/ftp.1 debian/heimdal-clients/usr/share/man/man1/kftp.1
+	mv debian/heimdal-clients/usr/bin/rsh debian/heimdal-clients/usr/bin/krsh
+	mv debian/heimdal-clients/usr/bin/rcp debian/heimdal-clients/usr/bin/krcp
+	mv debian/heimdal-clients/usr/bin/pagsh debian/heimdal-clients/usr/bin/kpagsh
+	mv debian/heimdal-clients/usr/bin/su debian/heimdal-clients/usr/bin/ksu
+	mv debian/heimdal-clients/usr/share/man/man1/rsh.1 debian/heimdal-clients/usr/share/man/man1/krsh.1
+	mv debian/heimdal-clients/usr/share/man/man1/pagsh.1 debian/heimdal-clients/usr/share/man/man1/kpagsh.1
+	mv debian/heimdal-clients/usr/share/man/man1/su.1 debian/heimdal-clients/usr/share/man/man1/ksu.1
+
+binary-post-install/heimdal-docs::
+	mv debian/heimdal-docs/usr/share/man/man5/krb5.conf.5 debian/heimdal-docs/usr/share/man/man5/krb5.conf.5heimdal
diff --git a/crypto/heimdal/packages/debian/scripts/convert_source b/crypto/heimdal/packages/debian/scripts/convert_source
new file mode 100644
index 0000000..3d9d4f7
--- /dev/null
+++ b/crypto/heimdal/packages/debian/scripts/convert_source
@@ -0,0 +1,17 @@
+#!/bin/sh -ex
+
+SRC="$1"
+VERSION="$2"
+DST="heimdal_$VERSION.dfsg.1.orig.tar.gz"
+SRC_DIR="heimdal-$VERSION"
+
+MYTMP=""
+trap 'if [ -n "$MYTMP" ]; then rm -rf $MYTMP; fi' EXIT
+MYTMP=`mktemp -td heimdal.XXXXXX` || exit 1
+
+tar -xzf $SRC -C $MYTMP
+ls -l $MYTMP/$SRC_DIR
+
+rm -r $MYTMP/$SRC_DIR/doc/standardisation
+
+tar -czf $DST -C $MYTMP $SRC_DIR
diff --git a/crypto/heimdal/packages/mac/Info.plist b/crypto/heimdal/packages/mac/Info.plist
new file mode 100644
index 0000000..c1d1705
--- /dev/null
+++ b/crypto/heimdal/packages/mac/Info.plist
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleGetInfoString</key>
+	<string>Heimdal @VERSION@</string>
+	<key>CFBundleName</key>
+	<string>Heimdal</string>
+	<key>CFBundleIdentifier</key>
+	<string>org.h5l.heimdal.pkg</string>
+	<key>CFBundleShortVersionString</key>
+	<string>1.0</string>
+	<key>IFPkgFlagAllowBackRev</key>
+	<true/>
+	<key>IFPkgFlagAuthorizationAction</key>
+	<string>RootAuthorization</string>
+	<key>IFPkgFlagDefaultLocation</key>
+	<string>/</string>
+	<key>IFPkgFlagFollowLinks</key>
+	<true/>
+	<key>IFPkgFlagIsRequired</key>
+	<true/>
+	<key>IFPkgFlagOverwritePermissions</key>
+	<true/>
+	<key>IFPkgFlagRelocatable</key>
+	<false/>
+	<key>IFPkgFlagRestartAction</key>
+	<string>NoRestart</string>
+	<key>IFPkgFlagRootVolumeOnly</key>
+	<true/>
+	<key>IFPkgFlagUpdateInstalledLanguages</key>
+	<false/>
+	<key>IFPkgFormatVersion</key>
+	<real>0.10000000149011612</real>
+</dict>
+</plist>
diff --git a/crypto/heimdal/packages/mac/Makefile.am b/crypto/heimdal/packages/mac/Makefile.am
new file mode 100644
index 0000000..da258c1
--- /dev/null
+++ b/crypto/heimdal/packages/mac/Makefile.am
@@ -0,0 +1,9 @@
+# $Id: Makefile.am 22180 2007-12-05 02:49:01Z lha $
+
+include $(top_srcdir)/Makefile.am.common
+
+EXTRA_DIST = \
+	Info.plist \
+	mac.sh \
+	Resources/Description.plist \
+	Resources/English.lproj/Welcome.rtf
diff --git a/crypto/heimdal/packages/mac/Makefile.in b/crypto/heimdal/packages/mac/Makefile.in
new file mode 100644
index 0000000..4b217f0
--- /dev/null
+++ b/crypto/heimdal/packages/mac/Makefile.in
@@ -0,0 +1,663 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# $Id: Makefile.am 22180 2007-12-05 02:49:01Z lha $
+
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
+
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
+	$(top_srcdir)/Makefile.am.common \
+	$(top_srcdir)/cf/Makefile.am.common
+subdir = packages/mac
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
+	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
+	$(top_srcdir)/cf/broken-glob.m4 \
+	$(top_srcdir)/cf/broken-realloc.m4 \
+	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
+	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
+	$(top_srcdir)/cf/capabilities.m4 \
+	$(top_srcdir)/cf/check-compile-et.m4 \
+	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
+	$(top_srcdir)/cf/check-man.m4 \
+	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
+	$(top_srcdir)/cf/check-type-extra.m4 \
+	$(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \
+	$(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \
+	$(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
+	$(top_srcdir)/cf/dlopen.m4 \
+	$(top_srcdir)/cf/find-func-no-libs.m4 \
+	$(top_srcdir)/cf/find-func-no-libs2.m4 \
+	$(top_srcdir)/cf/find-func.m4 \
+	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
+	$(top_srcdir)/cf/have-struct-field.m4 \
+	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
+	$(top_srcdir)/cf/krb-bigendian.m4 \
+	$(top_srcdir)/cf/krb-func-getlogin.m4 \
+	$(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
+	$(top_srcdir)/cf/krb-readline.m4 \
+	$(top_srcdir)/cf/krb-struct-spwd.m4 \
+	$(top_srcdir)/cf/krb-struct-winsize.m4 \
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/include/config.h
+CONFIG_CLEAN_FILES =
+depcomp =
+am__depfiles_maybe =
+SOURCES =
+DIST_SOURCES =
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CFLAGS = @CFLAGS@
+COMPILE_ET = @COMPILE_ET@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DBLIB = @DBLIB@
+DEFS = @DEFS@
+DIR_com_err = @DIR_com_err@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
+DIR_roken = @DIR_roken@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GREP = @GREP@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+INCLUDE_krb4 = @INCLUDE_krb4@
+INCLUDE_openldap = @INCLUDE_openldap@
+INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_NDBM = @LIB_NDBM@
+LIB_XauFileName = @LIB_XauFileName@
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_XauWriteAuth = @LIB_XauWriteAuth@
+LIB_bswap16 = @LIB_bswap16@
+LIB_bswap32 = @LIB_bswap32@
+LIB_com_err = @LIB_com_err@
+LIB_com_err_a = @LIB_com_err_a@
+LIB_com_err_so = @LIB_com_err_so@
+LIB_crypt = @LIB_crypt@
+LIB_db_create = @LIB_db_create@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
+LIB_el_init = @LIB_el_init@
+LIB_freeaddrinfo = @LIB_freeaddrinfo@
+LIB_gai_strerror = @LIB_gai_strerror@
+LIB_getaddrinfo = @LIB_getaddrinfo@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_gethostbyname2 = @LIB_gethostbyname2@
+LIB_getnameinfo = @LIB_getnameinfo@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
+LIB_hesiod = @LIB_hesiod@
+LIB_hstrerror = @LIB_hstrerror@
+LIB_kdb = @LIB_kdb@
+LIB_krb4 = @LIB_krb4@
+LIB_loadquery = @LIB_loadquery@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_openldap = @LIB_openldap@
+LIB_openpty = @LIB_openpty@
+LIB_otp = @LIB_otp@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
+LIB_res_nsearch = @LIB_res_nsearch@
+LIB_res_search = @LIB_res_search@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VERSIONING = @VERSIONING@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
+X_CFLAGS = @X_CFLAGS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_LIBS = @X_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dpagaix_cflags = @dpagaix_cflags@
+dpagaix_ldadd = @dpagaix_ldadd@
+dpagaix_ldflags = @dpagaix_ldflags@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
+@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
+AM_CFLAGS = $(WFLAGS)
+CP = cp
+buildinclude = $(top_builddir)/include
+LIB_getattr = @LIB_getattr@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_setpcred = @LIB_setpcred@
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+NROFF_MAN = groff -mandoc -Tascii
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
+@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+EXTRA_DIST = \
+	Info.plist \
+	mac.sh \
+	Resources/Description.plist \
+	Resources/English.lproj/Welcome.rtf
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign  --ignore-deps packages/mac/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign  --ignore-deps packages/mac/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+tags: TAGS
+TAGS:
+
+ctags: CTAGS
+CTAGS:
+
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) \
+	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
+	  dist-hook
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+all-am: Makefile all-local
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
+.PHONY: all all-am all-local check check-am check-local clean \
+	clean-generic clean-libtool dist-hook distclean \
+	distclean-generic distclean-libtool distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	uninstall uninstall-am uninstall-hook
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+
+check-local::
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
+	  foo='$(CHECK_LOCAL)'; else \
+	  foo='$(PROGRAMS)'; fi; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0 || exit 1; \
+	fi
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/packages/mac/Resources/Description.plist b/crypto/heimdal/packages/mac/Resources/Description.plist
new file mode 100644
index 0000000..15cd63a
--- /dev/null
+++ b/crypto/heimdal/packages/mac/Resources/Description.plist
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>IFPkgDescriptionDescription</key>
+	<string></string>
+	<key>IFPkgDescriptionTitle</key>
+	<string>Heimdal</string>
+</dict>
+</plist>
diff --git a/crypto/heimdal/packages/mac/Resources/English.lproj/Welcome.rtf b/crypto/heimdal/packages/mac/Resources/English.lproj/Welcome.rtf
new file mode 100644
index 0000000..8844872
--- /dev/null
+++ b/crypto/heimdal/packages/mac/Resources/English.lproj/Welcome.rtf
@@ -0,0 +1,8 @@
+{\rtf1\mac\ansicpg10000\cocoartf100
+{\fonttbl\f0\fswiss\fcharset77 Helvetica;}
+{\colortbl;\red255\green255\blue255;}
+\margl1440\margr1440\vieww9000\viewh9000\viewkind0
+\pard\tx1440\tx2880\tx4320\tx5760\tx7200\ql\qnatural
+
+\f0\fs28 \cf0 Welcome to the Heimdal Installation Program.\
+}
\ No newline at end of file
diff --git a/crypto/heimdal/packages/mac/mac.sh b/crypto/heimdal/packages/mac/mac.sh
new file mode 100644
index 0000000..8dcde86
--- /dev/null
+++ b/crypto/heimdal/packages/mac/mac.sh
@@ -0,0 +1,52 @@
+#!/bin/sh
+# $Id: mac.sh 22177 2007-12-05 01:43:30Z lha $
+
+dbase=`dirname $0`
+base=`cd $dbase && pwd`
+config=${base}/../../configure
+
+destdir=`pwd`/destdir
+builddir=`pwd`/builddir
+imgdir=`pwd`/imgdir
+
+rm -rf ${destdir} ${builddir} ${imgdir} || exit 1
+mkdir ${destdir} || exit 1
+mkdir ${builddir} || exit 1
+mkdir ${imgdir} || exit 1
+
+cd ${builddir} || exit 1
+
+version=`sh ${config} --help 2>/dev/null | head -1 | sed 's/.*Heimdal \([^ ]*\).*/\1/'`
+
+echo "Building Mac universal binary package for Heimdal ${version}"
+echo "Configure"
+env \
+  CFLAGS="-arch i386 -arch ppc" \
+  LDFLAGS="-arch i386 -arch ppc" \
+  ${config} > log || exit 1
+echo "Build"
+make all > /dev/null || exit 1
+echo "Run regression suite"
+make check > /dev/null || exit 1
+echo "Install"
+make install DESTDIR=${destdir} > /dev/null || exit 1 
+
+echo "Build package"
+/Developer/usr/bin/packagemaker \
+    --version "${version}" \
+    --root ${destdir} \
+    --info ${base}/Info.plist \
+    --out ${imgdir}/Heimdal.pkg \
+    --resources ${base}/Resources \
+    --domain system || exit 1
+
+cd ..
+echo "Build disk image"
+rm "heimdal-${version}.dmg"
+/usr/bin/hdiutil create -volname "Heimdal-${version}" -srcfolder ${imgdir} "heimdal-${version}.dmg" || exit 1
+
+echo "Clean"
+rm -rf ${destdir} ${builddir} ${imgdir} || exit 1
+
+echo "Done!"
+exit 0
diff --git a/crypto/heimdal/tests/ChangeLog b/crypto/heimdal/tests/ChangeLog
new file mode 100644
index 0000000..6fa41ac
--- /dev/null
+++ b/crypto/heimdal/tests/ChangeLog
@@ -0,0 +1,742 @@
+2008-01-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc: Test the PKCS11 provider built-in to libhx509.
+
+2007-12-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ldap/init.ldif: Add space to make valid ldiff file, from Buchan
+	Milne
+	
+	* ldap/slapd-init.in: Another place where schemas are installed,
+	from Buchan Milne.
+
+2007-12-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-kadmin.in: Check that admin-less principal works.
+
+2007-12-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gss/check-ntlm.in: test kdigest digest-probe command.
+
+2007-12-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gss/check-basic.in: Test GSS_C_NO_NAME too.
+
+2007-10-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-kdc.in: Try multiple enctypes.
+
+2007-08-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* java/Makefile.am: EXTRA_DIST += jaas.conf
+	
+2007-08-13  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* java/Makefile.am: Add java source code.
+
+2007-08-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-iprop.in: Don't run this test in AFS since AFS is
+	missing unix sockets.
+
+	* kdc/wait-kdc.sh: Catch bind ../../tests/kdc/signal: Operation
+	not permitted
+
+2007-08-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-iprop.in: use wait-kdc.sh for all diffrent places we
+	start ipropd-{master,slave}.
+
+	* all-tests: empty messages.log
+
+	* kdc/check-iprop.in: Use wait-kdc.sh to wait for
+	ipropd-{master,slave}.
+
+	* kdc/wait-kdc.sh: look futher back in the logfile.
+	
+	* kdc/wait-kdc.sh: Make wait-kdc.sh able to wait on other things.
+
+	* kdc/check-iprop.in: Checking master going backward, create
+	iprop-stats.
+
+2007-08-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* java/have-java.sh: GNU GCC Java doesn't support Kerberos
+
+2007-08-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-iprop.in: wait longer for iprop, dump messages.log on
+	failure.
+
+	* kdc/Makefile.am: Clean after iprop tests.
+
+	* kdc/check-iprop.in: more iprop tests.
+
+2007-07-31  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/Makefile.am: Add check-iprop and related files.
+
+	* kdc/krb5.conf.in: Add stuff for iprop.
+
+	* kdc/check-iprop.in: Test for iprop.
+
+	* kdc/iprop-acl: ACL file for iprop.
+
+2007-07-28  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/donotexists.txt: missing file.
+
+2007-07-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/Makefile.am: EXTRA_DIST += donotexists.txt
+
+2007-07-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-kdc.in: Test renewing.
+	
+2007-07-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/Makefile.am: Test for simple salt types.
+
+	* kdc/krb5.conf.keys.in: Configuration file for testing keys.
+
+	* kdc/check-keys.in: Test some simple salt types.
+
+2007-07-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* java/Makefile.am: EXTRA_DIST += have_java.sh
+
+	* java/check-kinit.in: Make failing to compile a java program a
+	no-fatal error.
+
+	* java/check-kinit.in: Disable test if we use socket wrapper.
+
+2007-07-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-kadmin.in: Give more hints of what went wrong.
+
+2007-07-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/Makefile.am: add check-kadmin.in
+	
+2007-07-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ldap/slapd.conf: add samba.schema.
+
+	* ldap/slapd-init.in: Add samba schema.
+
+	* ldap/init.ldif: Samba entry to do testing with.
+
+2007-07-11  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* java/check-kinit.in: Only print when there is an error.
+
+	* java/krb5.conf.in: Move the AES enctypes first.
+
+2007-07-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-kadmin.in: Send kill outout to /dev/null.
+
+	* kdc/krb5.conf.in: Add bits needed for kadmind server test.
+
+	* kdc/Makefile.am: Add check-kadmin.
+
+	* kdc/check-kadmin.in: Simple test for server based kadmin.
+
+	* kdc/heimdal.acl: ACL file for check-admin test.
+
+2007-07-05  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Add java.
+
+	* java: simple java kinit test
+
+2007-06-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ldap/check-ldap.in: Add one more principal and list the
+	database.
+
+	* kdc/check-pkinit.in: Fix hxtool issue-certificate --req.
+
+	* kdc/check-referral.in: Spelling.
+	
+2007-06-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gss/check-context.in: disable dns canon on test, break on some
+	buildfarm hosts.
+	
+2007-06-19  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* can/test_can.in: readline seems strange, try diffrent way to
+	setup the database.
+
+2007-06-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* can/test_can.in: spoon feed kadmin diffrently
+
+2007-06-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-kdc.in: Also test rename user to anther realm.
+
+	* kdc/check-kdc.in: Test renaming a user.
+
+	* can/test_can.in: Tell use what the messages.log told us.
+
+	* kdc/check-referral.in: Add some more as-req canon tests, add
+	disable tgs-req tests.
+	
+2007-06-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* can/check-can.in: Check is there is a working db backend here.
+	
+2007-06-08  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* can/Makefile.am: Clean up more cruft.
+	
+2007-06-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* can/Makefile.am: More files we want in the dist.
+
+	* can/test_can.in: Simplify error reporting.
+
+	* can/test_can.in: Catch error from kadmin.
+
+	* can/mit-pkinit-20070607.*: mit pkinit-9 request
+
+	* can/check-can.in: Add mit-pkinit test.
+
+	* can/Makefile.am: Create specific configurtion files for some
+	tests.
+
+	* can/test_can.in: Pick up the right generated
+	krb5.conf (spelling).
+
+	* can: Add Apple Tiger 10.4/MIT Kerberos 1.4
+
+	* can/test_can.in: Don't need to start a kdc for this test.
+
+	* can: pre-canned requests from older versions and other implementations
+
+	* Makefile.am: SUBDIRS += can
+	
+2007-06-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-uu.in: Use stdout from uu_server.
+	
+2007-05-31  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/check-pkinit.in: Try pkinit in w2k mode, also add tests for
+	MS SAN.
+
+	* kdc/Makefile.am: generate a krb5-pkinit-win.conf
+
+	* kdc/krb5-pkinit.conf.in: W2K tests.
+	
+2007-05-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/Makefile.am: remove more files
+	
+2007-05-10  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/check-pkinit.in: try principal subject in DB
+	
+2007-05-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gss/check-basic.in: test using test_kcred
+
+	* gss/check-ntlm.in: One more test.
+
+	* ldap/check-ldap.in: check in /usr/lib/openldap too for slapd and
+	slapadd
+	
+2007-05-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* db/add-modify-delete.in: Remove comment.
+
+	* db/add-modify-delete.in: try replay
+
+	* db/Makefile.am: clean more files.
+
+	* db/add-modify-delete.in: try iprop-log commands.
+	
+2007-04-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* db/krb5.conf.in: Add longer example.
+	
+2007-04-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* db: basic tests for dbinfo
+
+2007-04-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gss/Makefile.am: Add check-ntlm.
+
+	* gss/check-ntlm.in: test ntlm client credentials code.
+	
+2007-04-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* db/loaddump-db.in: make kstash quiet
+	
+2007-04-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gss/check-basic.in: more gss_acquire_cred tests
+	
+2007-04-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gss/Makefile.am: add check-basic
+
+	* gss/check-basic.in: basic tests that might require a KDC.
+	
+2007-04-16  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/Makefile.am: CLEANFILES += sdigest-init
+	
+2007-04-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ldap/slapd-init.in: Add Id tag
+	
+2007-02-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-kdc.in: test new kadmin add_enctype functionallity
+	
+2007-02-17  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am: add ldap
+
+	* kdc/check-referral.in: add check-referral
+	
+	* kdc/Makefile.am: add check-referral
+	
+2007-02-15  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* tests/ldap: simple ldap test, inspried by samba ldb ldap test
+
+2007-02-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-digest.in: Test ms-chap-v2 (client response, server
+	response, session key)
+	
+2007-02-02  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/krb5.conf.in: allow ms-chap-v2
+	
+2007-02-01  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/check-digest.in: Negative check too.
+	
+2007-01-18  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/check-uu.in: save log, wait longer
+	
+2007-01-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-pkinit.in: tell me about certifiate that we have
+	generated
+	
+2007-01-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* no random, no RSA/DH tests
+
+	* plugin/Makefile.am: remove files created by tests
+
+	* gss/Makefile.am: remove files created by tests
+
+	* gss/Makefile.am: add ntlm-user-file.txt
+
+2007-01-10  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/ap-req.c: --verify-pac no means verify existance of PAC in
+	ticket, the signature checking is done by the kerberos library.
+
+	* kdc/check-digest.in: display messages.log and help that that
+	tells us what went wrong.
+
+	* plugin/windc.c: Update to validate function signature change.
+
+	* Makefile.am: Only traverse into plugin if there is shared
+	library support.
+	
+2007-01-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-pkinit.in: Prefix key with FILE:
+	
+2007-01-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* plugin/Makefile.am: EXTRA_DIST += krb5.conf.in
+
+	* plugin/check-pac.in: test explicit requested pac and explicit
+	negative requested pac.
+
+	* kdc/ap-req.c: Make it possible to turn off PAC check, its
+	default on.
+
+	* plugin/windc.c: Add client_access.
+
+	* plugin/check-pac.in: Verify PAC on server end too.
+
+	* kdc/ap-req.c: Add verification of PAC.
+
+	* kdc/Makefile.am: Add test for pkinit with locally generated
+	certs.
+
+	* kdc/check-pkinit.in: Generate a ca, kdc cert and client cert and
+	try to use them
+
+	* kdc/pki-mapping: add other foo@TEST
+
+	* kdc/krb5-pkinit.conf.in: pkinit specific krb5.conf
+	
+2007-01-03  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* plugin/check-pac.in: test tgs-req
+
+	* plugin/windc.c: log that the function is called.
+
+	* kdc/check-digest.in: Test security layer in ntlm.
+
+	* plugin: test WinDC PAC functionallity
+	
+	* Makefile.am: Include plugin in tests
+	
+2006-12-28  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/ntlm-user-file.txt: Correct DOMAIN name
+	
+2006-12-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/krb5.conf.in: Add digests acls (all)
+	
+2006-12-19  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* gss/check-spnego.in: test wrapunwrap
+
+	* gss/check-spnego.in: Test get and verify MIC.
+	
+	* gss/check-context.in: don't need to set GSSAPI_SPNEGO_NAME any
+	longer
+	
+2006-12-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gss/check-context.in: Define GSSAPI_SPNEGO_NAME and re-add
+	spnego
+	
+	* gss/check-context.in: add trap, remove allow-digest, pretty
+	print.
+
+	* gss/check-gssmask.in: catch EXIT traps
+
+	* gss/check-spnego.in: test more combination of spnego contexts
+
+	* gss/Makefile.am: add check-spnego
+
+	* gss/check-spnego.in: check spnego combinations.
+	
+2006-12-16  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/check-digest.in: test more combinations of names
+	
+2006-12-15  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/ntlm-user-file.txt: ntlm username and password file
+
+	* kdc/check-digest.in: Check that ntlm works.
+	
+2006-12-12  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/check-digest.in: prefix digest commands with digest-
+	
+2006-11-29  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-kdc.in: Don't (afs) unlog using kdestroy
+	
+2006-11-25  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/Makefile.am: Add LIB_roken and (implictly by that libvers
+	for print_version) to LDADD
+	
+2006-11-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-kdc.in: check that the getarg -- option works for
+	delete and add.
+
+	* kdc/check-kdc.in: Test proxy cert.
+	
+2006-11-19  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/krb5.conf.in: revert the enable-pkinit change, and make it
+	consistant with all other other enable- options
+
+2006-11-15  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* gss/check-context.in: Add dce-style context building test.
+
+	* gss/check-context.in: test more combination of context building
+	
+2006-11-13  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Use TEST{,2}.H5L.SE for testing
+
+2006-11-08  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/Makefile.am: Use EGREP.
+
+	* kdc/check-kdc.in: Use EGREP.
+	
+2006-10-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-kdc.in: run eval on the testfailed variable so we run
+	all commands
+	
+2006-10-22  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* db/Makefile.am: make have-db being built in the "make all"
+	target.
+
+	* kdc/check-kdc.in: tell more what the kdc though about the
+	failure.
+	
+2006-10-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* db/add-modify-delete.in: Use EGREP.
+
+	* db/Makefile.am: add EGREP to do_subst
+	
+2006-10-20  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gss/Makefile.am: Clean temporary files
+
+	* db/Makefile.am: clean have-db
+
+	* kdc/Makefile.am: Add pki-mapping to dist file.
+
+	* kdc/Makefile.am: more files
+	
+	* db/Makefile.am: more files
+
+2006-10-19  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* gss/check-context.in: give path to have-db
+	
+	* gss/check-gssmask.in: give path to have-db
+	
+	* kdc/check-kdc.in: give path to have-db
+	
+	* kdc/check-digest.in: give path to have-db
+	
+	* gss/check-gssmask.in: If there is no useful db support compile
+	in, disable test
+
+	* gss/check-context.in: Add commeted out digest check.
+
+	* kdc/check-digest.in: If there is no useful db support compile
+	in, disable test
+
+	* kdc/check-kdc.in: If there is no useful db support compile in,
+	disable test
+
+	* db/loaddump-db.in: If there is no useful db support compile in,
+	disable test
+
+	* db/have-db.in: Check if the kdc have any useful builtin
+	database.
+
+	* kdc/check-kdc.in: Fix awk statement, put RE on the right side.
+	
+2006-10-17  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* gss/check-gssmask.in: remove dup exit
+
+	* gss/check-context.in: More name tests.
+
+	* gss/check-context.in: test with and without dns-canon
+	
+2006-10-14  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/check-kdc.in: Be more explit about what test failed.
+	
+2006-10-13  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* gss/check-context.in: et KRB5CCNAME in global enviorment
+	
+2006-10-12  Love Hörnquist Åstrand <lha@it.su.se>
+	
+	* gss/Makefile.am: Check if the gss context tester test_context
+	works ok.
+
+	* gss/check-context.in: Check if the gss context tester
+	test_context works ok.
+	
+2006-10-10  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* gss/check-gssmask.in: use wait-kdc.sh script
+
+	* kdc/check-kdc.in: use wait-kdc.sh script
+
+	* kdc/check-digest.in: use wait-kdc.sh script
+
+	* Heimdal uses TESTS_ENVIRONMENT before every binary being tested
+	directly from the Makefile.  This now uses the same for the
+	scripts, so we can run them under valgrind. From Andrew Bartlet
+
+2006-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gss/Makefile.am: splits script tests and binary tests
+
+	* db/Makefile.am: Add tests script depenencies
+
+	* kdc/Makefile.am: Split script tests and binary tests
+	
+2006-10-04  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-kdc.in: Test pkinit encKey case.
+	
+2006-09-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gss/check-gssmask.in: Catch failures from gssmaestro.
+	
+2006-09-20  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* gss/check-gssmask.in: Add a third client
+	
+2006-09-19 Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* gss/check-gssmask.in: test for gssmask + gssmaestro.
+
+	* gss/krb5.conf.in: Add krb5.conf for krb5.conf
+	
+2006-09-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* gss/check-gss.in: Add (c)
+
+	* kdc/check-kdc.in: Test constrained delegation impersonation.
+	
+2006-09-16  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-kdc.in: Change the password on krbtgt a couple of
+	times to have a non boring kvno.
+	
+2006-08-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-digest.in: Use the server as the server and set
+	diffrent password for the user and service.
+
+	* kdc/check-digest.in: Set allow digest flag on the server.
+
+	* kdc/Makefile.am: Build and run check-digest test.
+
+	* kdc/check-digest.in: Remove channel bindings from CHAP tests,
+	there is no such thing for CHAP.
+
+	* kdc/check-kdc.in: Test aes only krbtgt and des3 only service.
+	
+2006-08-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-kdc.in: Remove empty lines for picky awks
+	
+2006-07-06  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-kdc.in: Check for cross realm case where remove user
+	doesn't exists in the database, this is ok assuming the cross
+	realm isn't local. In the general case this isn't true.
+
+2006-06-22  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-kdc.in: run kadmin check
+	
+2006-06-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-kdc.in: test that delegated cred works too
+
+	* kdc/check-kdc.in: Test delegation
+	
+2006-06-06 Love Hörnquist Åstrand <lha@it.su.se>
+	
+	* kdc/check-kdc.in: Add impersonation tests.
+	
+2006-06-01  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-kdc.in: Less verbose, spelling.
+
+	* kdc/check-kdc.in: test cross realm and deleted user
+	
+2006-05-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* kdc/check-kdc.in: Check password protected pk-init keyfile.
+	
+2006-04-30  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/check-kdc.in: Don't try pkinit if there is no rsa
+	
+2006-04-29  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/pki-mapping: change pki-mapping
+	
+	* kdc/Makefile.am: clean the server.keytab
+
+	* kdc/check-kdc.in: Add test for pk-init
+
+	* kdc/krb5.conf.in: Add pkinit glue
+
+2006-04-28  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/pki-mapping: Add pk-init mapping file
+	
+2006-04-27  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* kdc/check-kdc.in: Sprinkle more ap-req now that the credential
+	is removed from the cache using kdestroy --credential=
+
+	* kdc/ap-req.c: check that AP_OPTS_MUTUAL_REQUIRED matches, check
+	seqnumber
+
+	* kdc/Makefile.am: Build as-req.
+
+	* kdc/check-kdc.in: Sprinkel some as-req
+
+	* kdc/ap-req.c: simple test program checking that as ap-req/as-rep
+	exchange works
+	
+2006-04-25  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* {,kdc/,db/}.cvsignore: ignore Makefile.in
+
+	* kdc/check-kdc.in: Try to detect another KDC running.
+
+	* kdc/check-kdc.in: more tests regarding doing AS-REQ and TGS-REQ
+
+	* kdc/krb5.conf.in: krb5.conf template
+
+	* kdc/check-kdc.in: check that the keytab have the right kvno
+
+	* db/add-modify-delete.in: create a server too
+
+	* kdc/check-kdc.in: check kdc too
+
+	* db/Makefile.am: Add add-modify-delete
+
+	* db/add-modify-delete.in: basic kadmin tests
+
+	* Makefile.am: SUBDIRS += kdc
+
+	* kdc/check-kdc.in: Test framework for getting and checking
+	tickets, start kdc on localhost:8888.
+
+	* kdc/Makefile.am: Test framework for getting and checking
+	tickets.
+
+	* db/krb5.conf.in: log all message to local file
+
+	* db/Makefile.am: clean messages file
+	
+2006-01-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* db/krb5.conf.in: Set [libdefaults] default_realm = EXAMPLE.ORG.
+
+2005-11-30  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* db/loaddump-db.in: Specifify explicitly that the database is in
+	the current directory.
+
+2005-08-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test loading and dumping of the database
diff --git a/crypto/heimdal/tests/Makefile.am b/crypto/heimdal/tests/Makefile.am
new file mode 100644
index 0000000..10035f0
--- /dev/null
+++ b/crypto/heimdal/tests/Makefile.am
@@ -0,0 +1,11 @@
+# $Id: Makefile.am 21418 2007-07-05 13:55:37Z lha $
+
+include $(top_srcdir)/Makefile.am.common
+
+SUBDIRS = db kdc gss ldap can java
+
+if ENABLE_SHARED
+if HAVE_DLOPEN
+SUBDIRS += plugin
+endif
+endif
diff --git a/crypto/heimdal/tests/Makefile.in b/crypto/heimdal/tests/Makefile.in
new file mode 100644
index 0000000..68e5ed5
--- /dev/null
+++ b/crypto/heimdal/tests/Makefile.in
@@ -0,0 +1,816 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# $Id: Makefile.am 21418 2007-07-05 13:55:37Z lha $
+
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
+
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
+	$(top_srcdir)/Makefile.am.common \
+	$(top_srcdir)/cf/Makefile.am.common ChangeLog
+@ENABLE_SHARED_TRUE@@HAVE_DLOPEN_TRUE@am__append_1 = plugin
+subdir = tests
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
+	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
+	$(top_srcdir)/cf/broken-glob.m4 \
+	$(top_srcdir)/cf/broken-realloc.m4 \
+	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
+	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
+	$(top_srcdir)/cf/capabilities.m4 \
+	$(top_srcdir)/cf/check-compile-et.m4 \
+	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
+	$(top_srcdir)/cf/check-man.m4 \
+	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
+	$(top_srcdir)/cf/check-type-extra.m4 \
+	$(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \
+	$(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \
+	$(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
+	$(top_srcdir)/cf/dlopen.m4 \
+	$(top_srcdir)/cf/find-func-no-libs.m4 \
+	$(top_srcdir)/cf/find-func-no-libs2.m4 \
+	$(top_srcdir)/cf/find-func.m4 \
+	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
+	$(top_srcdir)/cf/have-struct-field.m4 \
+	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
+	$(top_srcdir)/cf/krb-bigendian.m4 \
+	$(top_srcdir)/cf/krb-func-getlogin.m4 \
+	$(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
+	$(top_srcdir)/cf/krb-readline.m4 \
+	$(top_srcdir)/cf/krb-struct-spwd.m4 \
+	$(top_srcdir)/cf/krb-struct-winsize.m4 \
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/include/config.h
+CONFIG_CLEAN_FILES =
+depcomp =
+am__depfiles_maybe =
+SOURCES =
+DIST_SOURCES =
+RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
+	html-recursive info-recursive install-data-recursive \
+	install-dvi-recursive install-exec-recursive \
+	install-html-recursive install-info-recursive \
+	install-pdf-recursive install-ps-recursive install-recursive \
+	installcheck-recursive installdirs-recursive pdf-recursive \
+	ps-recursive uninstall-recursive
+RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
+  distclean-recursive maintainer-clean-recursive
+ETAGS = etags
+CTAGS = ctags
+DIST_SUBDIRS = db kdc gss ldap can java plugin
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CFLAGS = @CFLAGS@
+COMPILE_ET = @COMPILE_ET@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DBLIB = @DBLIB@
+DEFS = @DEFS@
+DIR_com_err = @DIR_com_err@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
+DIR_roken = @DIR_roken@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GREP = @GREP@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+INCLUDE_krb4 = @INCLUDE_krb4@
+INCLUDE_openldap = @INCLUDE_openldap@
+INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_NDBM = @LIB_NDBM@
+LIB_XauFileName = @LIB_XauFileName@
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_XauWriteAuth = @LIB_XauWriteAuth@
+LIB_bswap16 = @LIB_bswap16@
+LIB_bswap32 = @LIB_bswap32@
+LIB_com_err = @LIB_com_err@
+LIB_com_err_a = @LIB_com_err_a@
+LIB_com_err_so = @LIB_com_err_so@
+LIB_crypt = @LIB_crypt@
+LIB_db_create = @LIB_db_create@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
+LIB_el_init = @LIB_el_init@
+LIB_freeaddrinfo = @LIB_freeaddrinfo@
+LIB_gai_strerror = @LIB_gai_strerror@
+LIB_getaddrinfo = @LIB_getaddrinfo@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_gethostbyname2 = @LIB_gethostbyname2@
+LIB_getnameinfo = @LIB_getnameinfo@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
+LIB_hesiod = @LIB_hesiod@
+LIB_hstrerror = @LIB_hstrerror@
+LIB_kdb = @LIB_kdb@
+LIB_krb4 = @LIB_krb4@
+LIB_loadquery = @LIB_loadquery@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_openldap = @LIB_openldap@
+LIB_openpty = @LIB_openpty@
+LIB_otp = @LIB_otp@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
+LIB_res_nsearch = @LIB_res_nsearch@
+LIB_res_search = @LIB_res_search@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VERSIONING = @VERSIONING@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
+X_CFLAGS = @X_CFLAGS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_LIBS = @X_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dpagaix_cflags = @dpagaix_cflags@
+dpagaix_ldadd = @dpagaix_ldadd@
+dpagaix_ldflags = @dpagaix_ldflags@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
+@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
+AM_CFLAGS = $(WFLAGS)
+CP = cp
+buildinclude = $(top_builddir)/include
+LIB_getattr = @LIB_getattr@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_setpcred = @LIB_setpcred@
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+NROFF_MAN = groff -mandoc -Tascii
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
+@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+SUBDIRS = db kdc gss ldap can java $(am__append_1)
+all: all-recursive
+
+.SUFFIXES:
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign  --ignore-deps tests/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign  --ignore-deps tests/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+#     (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+$(RECURSIVE_TARGETS):
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  || eval $$failcom; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
+$(RECURSIVE_CLEAN_TARGETS):
+	@failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
+	dot_seen=no; \
+	case "$@" in \
+	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+	  *) list='$(SUBDIRS)' ;; \
+	esac; \
+	rev=''; for subdir in $$list; do \
+	  if test "$$subdir" = "."; then :; else \
+	    rev="$$subdir $$rev"; \
+	  fi; \
+	done; \
+	rev="$$rev ."; \
+	target=`echo $@ | sed s/-recursive//`; \
+	for subdir in $$rev; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  || eval $$failcom; \
+	done && test -z "$$fail"
+tags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	done
+ctags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
+	done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
+	  include_option=--etags-include; \
+	  empty_fix=.; \
+	else \
+	  include_option=--include; \
+	  empty_fix=; \
+	fi; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    test ! -f $$subdir/TAGS || \
+	      tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \
+	  fi; \
+	done; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS: ctags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    test -d "$(distdir)/$$subdir" \
+	    || $(MKDIR_P) "$(distdir)/$$subdir" \
+	    || exit 1; \
+	    distdir=`$(am__cd) $(distdir) && pwd`; \
+	    top_distdir=`$(am__cd) $(top_distdir) && pwd`; \
+	    (cd $$subdir && \
+	      $(MAKE) $(AM_MAKEFLAGS) \
+	        top_distdir="$$top_distdir" \
+	        distdir="$$distdir/$$subdir" \
+		am__remove_distdir=: \
+		am__skip_length_check=: \
+	        distdir) \
+	      || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) \
+	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
+	  dist-hook
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-recursive
+all-am: Makefile all-local
+installdirs: installdirs-recursive
+installdirs-am:
+install: install-recursive
+install-exec: install-exec-recursive
+install-data: install-data-recursive
+uninstall: uninstall-recursive
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-recursive
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-recursive
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-recursive
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic distclean-tags
+
+dvi: dvi-recursive
+
+dvi-am:
+
+html: html-recursive
+
+info: info-recursive
+
+info-am:
+
+install-data-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
+
+install-dvi: install-dvi-recursive
+
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+
+install-html: install-html-recursive
+
+install-info: install-info-recursive
+
+install-man:
+
+install-pdf: install-pdf-recursive
+
+install-ps: install-ps-recursive
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-recursive
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-recursive
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-recursive
+
+pdf-am:
+
+ps: ps-recursive
+
+ps-am:
+
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \
+	install-data-am install-exec-am install-strip uninstall-am
+
+.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
+	all all-am all-local check check-am check-local clean \
+	clean-generic clean-libtool ctags ctags-recursive dist-hook \
+	distclean distclean-generic distclean-libtool distclean-tags \
+	distdir dvi dvi-am html html-am info info-am install \
+	install-am install-data install-data-am install-data-hook \
+	install-dvi install-dvi-am install-exec install-exec-am \
+	install-exec-hook install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs installdirs-am maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \
+	uninstall uninstall-am uninstall-hook
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+
+check-local::
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
+	  foo='$(CHECK_LOCAL)'; else \
+	  foo='$(PROGRAMS)'; fi; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0 || exit 1; \
+	fi
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/tests/can/Makefile.am b/crypto/heimdal/tests/can/Makefile.am
new file mode 100644
index 0000000..124074f
--- /dev/null
+++ b/crypto/heimdal/tests/can/Makefile.am
@@ -0,0 +1,56 @@
+# $Id: Makefile.am 21017 2007-06-08 05:36:30Z lha $
+
+include $(top_srcdir)/Makefile.am.common
+
+noinst_DATA = krb5.conf mit-pkinit-20070607.cf
+
+check_SCRIPTS = $(SCRIPT_TESTS) test_can
+
+SCRIPT_TESTS = check-can
+TESTS = $(SCRIPT_TESTS)
+
+port = 49188
+
+do_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
+	-e 's,[@]port[@],$(port),g' \
+	-e 's,[@]objdir[@],$(top_builddir)/tests/can,g' \
+	-e 's,[@]EGREP[@],$(EGREP),g' 
+
+test_can: test_can.in Makefile
+	$(do_subst) < $(srcdir)/test_can.in > test_can.tmp
+	chmod +x test_can.tmp
+	mv test_can.tmp test_can
+
+check-can: check-can.in Makefile
+	$(do_subst) < $(srcdir)/check-can.in > check-can.tmp
+	chmod +x check-can.tmp
+	mv check-can.tmp check-can
+
+krb5.conf: krb5.conf.in Makefile
+	$(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp
+	mv krb5.conf.tmp krb5.conf
+
+SUFFIXES += .xf .cf
+
+.xf.cf:
+	$(do_subst) < $< > $@.tmp
+	mv $@.tmp $@
+
+CLEANFILES= $(TESTS) *.tmp *.cf \
+	current-db* \
+	krb5.conf \
+	messages.log \
+	test_can
+
+EXTRA_DIST = \
+	apple-10.4.kadm \
+	apple-10.4.req \
+	check-can.in \
+	heim-0.8.kadm \
+	heim-0.8.req \
+	krb5.conf.in \
+	mit-pkinit-20070607.ca.crt \
+	mit-pkinit-20070607.kadm \
+	mit-pkinit-20070607.req \
+	mit-pkinit-20070607.xf \
+	test_can.in
diff --git a/crypto/heimdal/tests/can/Makefile.in b/crypto/heimdal/tests/can/Makefile.in
new file mode 100644
index 0000000..39cd641
--- /dev/null
+++ b/crypto/heimdal/tests/can/Makefile.in
@@ -0,0 +1,781 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# $Id: Makefile.am 21017 2007-06-08 05:36:30Z lha $
+
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
+
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
+	$(top_srcdir)/Makefile.am.common \
+	$(top_srcdir)/cf/Makefile.am.common
+subdir = tests/can
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
+	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
+	$(top_srcdir)/cf/broken-glob.m4 \
+	$(top_srcdir)/cf/broken-realloc.m4 \
+	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
+	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
+	$(top_srcdir)/cf/capabilities.m4 \
+	$(top_srcdir)/cf/check-compile-et.m4 \
+	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
+	$(top_srcdir)/cf/check-man.m4 \
+	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
+	$(top_srcdir)/cf/check-type-extra.m4 \
+	$(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \
+	$(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \
+	$(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
+	$(top_srcdir)/cf/dlopen.m4 \
+	$(top_srcdir)/cf/find-func-no-libs.m4 \
+	$(top_srcdir)/cf/find-func-no-libs2.m4 \
+	$(top_srcdir)/cf/find-func.m4 \
+	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
+	$(top_srcdir)/cf/have-struct-field.m4 \
+	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
+	$(top_srcdir)/cf/krb-bigendian.m4 \
+	$(top_srcdir)/cf/krb-func-getlogin.m4 \
+	$(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
+	$(top_srcdir)/cf/krb-readline.m4 \
+	$(top_srcdir)/cf/krb-struct-spwd.m4 \
+	$(top_srcdir)/cf/krb-struct-winsize.m4 \
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/include/config.h
+CONFIG_CLEAN_FILES =
+depcomp =
+am__depfiles_maybe =
+SOURCES =
+DIST_SOURCES =
+DATA = $(noinst_DATA)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CFLAGS = @CFLAGS@
+COMPILE_ET = @COMPILE_ET@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DBLIB = @DBLIB@
+DEFS = @DEFS@
+DIR_com_err = @DIR_com_err@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
+DIR_roken = @DIR_roken@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GREP = @GREP@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+INCLUDE_krb4 = @INCLUDE_krb4@
+INCLUDE_openldap = @INCLUDE_openldap@
+INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_NDBM = @LIB_NDBM@
+LIB_XauFileName = @LIB_XauFileName@
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_XauWriteAuth = @LIB_XauWriteAuth@
+LIB_bswap16 = @LIB_bswap16@
+LIB_bswap32 = @LIB_bswap32@
+LIB_com_err = @LIB_com_err@
+LIB_com_err_a = @LIB_com_err_a@
+LIB_com_err_so = @LIB_com_err_so@
+LIB_crypt = @LIB_crypt@
+LIB_db_create = @LIB_db_create@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
+LIB_el_init = @LIB_el_init@
+LIB_freeaddrinfo = @LIB_freeaddrinfo@
+LIB_gai_strerror = @LIB_gai_strerror@
+LIB_getaddrinfo = @LIB_getaddrinfo@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_gethostbyname2 = @LIB_gethostbyname2@
+LIB_getnameinfo = @LIB_getnameinfo@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
+LIB_hesiod = @LIB_hesiod@
+LIB_hstrerror = @LIB_hstrerror@
+LIB_kdb = @LIB_kdb@
+LIB_krb4 = @LIB_krb4@
+LIB_loadquery = @LIB_loadquery@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_openldap = @LIB_openldap@
+LIB_openpty = @LIB_openpty@
+LIB_otp = @LIB_otp@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
+LIB_res_nsearch = @LIB_res_nsearch@
+LIB_res_search = @LIB_res_search@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VERSIONING = @VERSIONING@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
+X_CFLAGS = @X_CFLAGS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_LIBS = @X_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dpagaix_cflags = @dpagaix_cflags@
+dpagaix_ldadd = @dpagaix_ldadd@
+dpagaix_ldflags = @dpagaix_ldflags@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .xf .cf
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
+@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
+AM_CFLAGS = $(WFLAGS)
+CP = cp
+buildinclude = $(top_builddir)/include
+LIB_getattr = @LIB_getattr@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_setpcred = @LIB_setpcred@
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+NROFF_MAN = groff -mandoc -Tascii
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
+@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+noinst_DATA = krb5.conf mit-pkinit-20070607.cf
+check_SCRIPTS = $(SCRIPT_TESTS) test_can
+SCRIPT_TESTS = check-can
+TESTS = $(SCRIPT_TESTS)
+port = 49188
+do_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
+	-e 's,[@]port[@],$(port),g' \
+	-e 's,[@]objdir[@],$(top_builddir)/tests/can,g' \
+	-e 's,[@]EGREP[@],$(EGREP),g' 
+
+CLEANFILES = $(TESTS) *.tmp *.cf \
+	current-db* \
+	krb5.conf \
+	messages.log \
+	test_can
+
+EXTRA_DIST = \
+	apple-10.4.kadm \
+	apple-10.4.req \
+	check-can.in \
+	heim-0.8.kadm \
+	heim-0.8.req \
+	krb5.conf.in \
+	mit-pkinit-20070607.ca.crt \
+	mit-pkinit-20070607.kadm \
+	mit-pkinit-20070607.req \
+	mit-pkinit-20070607.xf \
+	test_can.in
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .xf .cf .c
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign  --ignore-deps tests/can/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign  --ignore-deps tests/can/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+tags: TAGS
+TAGS:
+
+ctags: CTAGS
+CTAGS:
+
+
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[	 ]'; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *$$ws$$tst$$ws*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		echo "XPASS: $$tst"; \
+	      ;; \
+	      *) \
+		echo "PASS: $$tst"; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *$$ws$$tst$$ws*) \
+		xfail=`expr $$xfail + 1`; \
+		echo "XFAIL: $$tst"; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		echo "FAIL: $$tst"; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      echo "SKIP: $$tst"; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="All $$all tests passed"; \
+	    else \
+	      banner="All $$all tests behaved as expected ($$xfail expected failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all tests failed"; \
+	    else \
+	      banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    skipped="($$skip tests were not run)"; \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
+	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
+	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  test -z "$$skipped" || echo "$$skipped"; \
+	  test -z "$$report" || echo "$$report"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) \
+	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
+	  dist-hook
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_SCRIPTS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
+check: check-am
+all-am: Makefile $(DATA) all-local
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
+.PHONY: all all-am all-local check check-TESTS check-am check-local \
+	clean clean-generic clean-libtool dist-hook distclean \
+	distclean-generic distclean-libtool distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	uninstall uninstall-am uninstall-hook
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+
+check-local::
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
+	  foo='$(CHECK_LOCAL)'; else \
+	  foo='$(PROGRAMS)'; fi; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0 || exit 1; \
+	fi
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
+test_can: test_can.in Makefile
+	$(do_subst) < $(srcdir)/test_can.in > test_can.tmp
+	chmod +x test_can.tmp
+	mv test_can.tmp test_can
+
+check-can: check-can.in Makefile
+	$(do_subst) < $(srcdir)/check-can.in > check-can.tmp
+	chmod +x check-can.tmp
+	mv check-can.tmp check-can
+
+krb5.conf: krb5.conf.in Makefile
+	$(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp
+	mv krb5.conf.tmp krb5.conf
+
+.xf.cf:
+	$(do_subst) < $< > $@.tmp
+	mv $@.tmp $@
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/tests/can/apple-10.4.kadm b/crypto/heimdal/tests/can/apple-10.4.kadm
new file mode 100644
index 0000000..a10904b
--- /dev/null
+++ b/crypto/heimdal/tests/can/apple-10.4.kadm
@@ -0,0 +1,4 @@
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month TEST.H5L.SE
+cpw -p kaka krbtgt/TEST.H5L.SE@TEST.H5L.SE
+add -p foo --use-defaults foo@TEST.H5L.SE
+add -p foo --use-defaults bar@TEST.H5L.SE
diff --git a/crypto/heimdal/tests/can/apple-10.4.req b/crypto/heimdal/tests/can/apple-10.4.req
new file mode 100644
index 0000000..7acc80b
--- /dev/null
+++ b/crypto/heimdal/tests/can/apple-10.4.req
diff --git a/crypto/heimdal/tests/can/check-can.in b/crypto/heimdal/tests/can/check-can.in
new file mode 100644
index 0000000..e5f3d71
--- /dev/null
+++ b/crypto/heimdal/tests/can/check-can.in
@@ -0,0 +1,47 @@
+#!/bin/sh
+#
+# Copyright (c) 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: check-can.in 21033 2007-06-09 14:49:35Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+# If there is no useful db support compile in, disable test
+../db/have-db || exit 77
+
+./test_can TEST.H5L.SE heim-0.8 || exit 1
+./test_can TEST.H5L.SE apple-10.4 || exit 1
+./test_can HEIMDAL.CITI.UMICH.EDU mit-pkinit-20070607 || exit 1
+
+exit 0
diff --git a/crypto/heimdal/tests/can/heim-0.8.kadm b/crypto/heimdal/tests/can/heim-0.8.kadm
new file mode 100644
index 0000000..a10904b
--- /dev/null
+++ b/crypto/heimdal/tests/can/heim-0.8.kadm
@@ -0,0 +1,4 @@
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month TEST.H5L.SE
+cpw -p kaka krbtgt/TEST.H5L.SE@TEST.H5L.SE
+add -p foo --use-defaults foo@TEST.H5L.SE
+add -p foo --use-defaults bar@TEST.H5L.SE
diff --git a/crypto/heimdal/tests/can/heim-0.8.req b/crypto/heimdal/tests/can/heim-0.8.req
new file mode 100644
index 0000000..43b3a68
--- /dev/null
+++ b/crypto/heimdal/tests/can/heim-0.8.req
diff --git a/crypto/heimdal/tests/can/krb5.conf.in b/crypto/heimdal/tests/can/krb5.conf.in
new file mode 100644
index 0000000..e8aa7e7
--- /dev/null
+++ b/crypto/heimdal/tests/can/krb5.conf.in
@@ -0,0 +1,24 @@
+# $Id: krb5.conf.in 20965 2007-06-07 06:03:29Z lha $
+
+[libdefaults]
+	default_realm = TEST.H5L.SE
+	no-addresses = TRUE
+
+[appdefaults]
+	pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+
+[realms]
+	TEST.H5L.SE = {
+		kdc = localhost:@port@
+	}
+
+[kdc]
+	database = {
+		dbname = @objdir@/current-db
+		realm = TEST.H5L.SE
+		mkey_file = @objdir@/mkey.file
+	}
+
+[logging]
+	kdc = 0-/FILE:@objdir@/messages.log
+	default = 0-/FILE:@objdir@/messages.log
diff --git a/crypto/heimdal/tests/can/mit-pkinit-20070607.ca.crt b/crypto/heimdal/tests/can/mit-pkinit-20070607.ca.crt
new file mode 100644
index 0000000..5874788
--- /dev/null
+++ b/crypto/heimdal/tests/can/mit-pkinit-20070607.ca.crt
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID4zCCAsugAwIBAgICNOswDQYJKoZIhvcNAQEFBQAwczELMAkGA1UEBhMCVVMx
+ETAPBgNVBAgTCE1pY2hpZ2FuMRIwEAYDVQQHEwlBbm4gQXJib3IxHzAdBgNVBAoT
+FlVuaXZlcnNpdHkgb2YgTWljaGlnYW4xHDAaBgNVBAMTE0NJVEkgUHJvZHVjdGlv
+biBLQ0EwHhcNMDYxMDEzMTYxNTIyWhcNMTYxMDEyMTYxNTIyWjBzMQswCQYDVQQG
+EwJVUzERMA8GA1UECBMITWljaGlnYW4xEjAQBgNVBAcTCUFubiBBcmJvcjEfMB0G
+A1UEChMWVW5pdmVyc2l0eSBvZiBNaWNoaWdhbjEcMBoGA1UEAxMTQ0lUSSBQcm9k
+dWN0aW9uIEtDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM85fWVD
+rneI9CM9NvpSw1PO571/8RhBiY1p0hMFi9ppD4Xaztswz0nrCEpuAhtXUxF+H6CS
+aAXFLiY/SQhj3JGpVw3yPE2CeGtmcMjDDxOW5Raw0XwbK/BdgYFg/AU5FH7RtOV7
+pnhBlk5oJt0VJyJs+NNw4+V2IqODRvX88AR6dDAd8TpbZJEdgoGU+LHaC6cha6WU
+p6nmjVx0TLUvIa16NFZGs44bNIIt7cI6zil/dM76881APTbYcB8hGqQJiphqX6ff
+HI3uiHclK2rOZufRqhn0NJNWDCrK55PXQX67UmKBLqAsoFSJDPD+cBIUXtVeFLGs
+uJYK8F9FaN3r9XsCAwEAAaOBgDB+MA8GA1UdEwQIMAYBAf8CAQAwEQYJYIZIAYb4
+QgEBBAQDAgAHMAsGA1UdDwQEAwIBhjAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBH
+ZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFGXMLAou01gvxxcJc+Tvat/T
+QHwwMA0GCSqGSIb3DQEBBQUAA4IBAQC99gg/E230FPGmDaP4YecmtSSGOnD+jJ+A
+sPcJKaeS3dOGDTngKCzzQZ4nl7LYRSj5DWZTTrlrKfbc6GiUE0n/K/+GBvL/kjOV
+qZsyGNfepscVe6mPz43NoNztf/1j+0QQcioHHHtAq/YFPBp1VdYsOsB+IE+g8RVi
+EDjsvmR/++s9zX5fGuVvN7RNwLFrxfqcPFZCUG8pkIHbBPRhRV/aOKHGMcThNrtC
+9cZ8xaDwhP0fdSUVESGFj+MMQCAp8YZvypJuHTYX7Ng4OMdCOPPg4Kk1ycOGAcYe
+o/m7ICx1md6Va9zEfwqmrXVxGaT0I23lI9H9sv+ugvZ3v5iedhO/
+-----END CERTIFICATE-----
diff --git a/crypto/heimdal/tests/can/mit-pkinit-20070607.kadm b/crypto/heimdal/tests/can/mit-pkinit-20070607.kadm
new file mode 100644
index 0000000..6a23c67
--- /dev/null
+++ b/crypto/heimdal/tests/can/mit-pkinit-20070607.kadm
@@ -0,0 +1,3 @@
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month HEIMDAL.CITI.UMICH.EDU
+cpw -p kaka krbtgt/HEIMDAL.CITI.UMICH.EDU@HEIMDAL.CITI.UMICH.EDU
+add -p foo --use-defaults aglo@HEIMDAL.CITI.UMICH.EDU
diff --git a/crypto/heimdal/tests/can/mit-pkinit-20070607.req b/crypto/heimdal/tests/can/mit-pkinit-20070607.req
new file mode 100644
index 0000000..652bbcf
--- /dev/null
+++ b/crypto/heimdal/tests/can/mit-pkinit-20070607.req
diff --git a/crypto/heimdal/tests/can/mit-pkinit-20070607.xf b/crypto/heimdal/tests/can/mit-pkinit-20070607.xf
new file mode 100644
index 0000000..bcb7408
--- /dev/null
+++ b/crypto/heimdal/tests/can/mit-pkinit-20070607.xf
@@ -0,0 +1,28 @@
+# $Id: mit-pkinit-20070607.xf 20992 2007-06-07 21:46:13Z lha $
+
+[libdefaults]
+	default_realm = HEIMDAL.CITI.UMICH.EDU
+	no-addresses = TRUE
+
+[appdefaults]
+	pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+
+[realms]
+	TEST.H5L.SE = {
+		kdc = localhost:@port@
+	}
+
+[kdc]
+	enable-pkinit = yes
+	pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
+	pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt,@srcdir@/mit-pkinit-20070607.ca.crt
+
+	database = {
+		dbname = @objdir@/current-db
+		realm = HEIMDAL.CITI.UMICH.EDU
+		mkey_file = @objdir@/mkey.file
+	}
+
+[logging]
+	kdc = 0-/FILE:@objdir@/messages.log
+	default = 0-/FILE:@objdir@/messages.log
diff --git a/crypto/heimdal/tests/can/test_can.in b/crypto/heimdal/tests/can/test_can.in
new file mode 100644
index 0000000..a592157
--- /dev/null
+++ b/crypto/heimdal/tests/can/test_can.in
@@ -0,0 +1,79 @@
+#!/bin/sh
+#
+# Copyright (c) 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: test_can.in 21164 2007-06-19 00:04:43Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+EGREP="@EGREP@"
+
+R=$1
+tst=$2
+
+if [ ! -f ${srcdir}/${tst}.req ] ; then
+    echo "${tst}.req missing"
+fi
+if [ ! -f ${srcdir}/${tst}.kadm ] ; then
+    echo "${tst}.kadm missing"
+fi
+
+port=@port@
+
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
+replay="${TESTS_ENVIRONMENT} ../../kdc/kdc-replay"
+
+if [ -f ${objdir}/${tst}.cf ]; then
+    KRB5_CONFIG="${objdir}/${tst}.cf"
+else
+    KRB5_CONFIG="${objdir}/krb5.conf"
+fi
+export KRB5_CONFIG
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+echo "Load database for ${tst}"
+while read x ; do
+    ${kadmin} $x || exit 1
+done < ${srcdir}/${tst}.kadm || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+
+> messages.log
+${replay} ${srcdir}/${tst}.req || { cat messages.log ; exit 1; }
+
+exit 0
diff --git a/crypto/heimdal/tests/db/Makefile.am b/crypto/heimdal/tests/db/Makefile.am
new file mode 100644
index 0000000..8e519d3
--- /dev/null
+++ b/crypto/heimdal/tests/db/Makefile.am
@@ -0,0 +1,66 @@
+# $Id: Makefile.am 20599 2007-05-08 02:48:22Z lha $
+
+include $(top_srcdir)/Makefile.am.common
+
+noinst_DATA = krb5.conf
+
+noinst_SCRIPTS = have-db
+
+check_SCRIPTS = loaddump-db add-modify-delete check-dbinfo
+
+TESTS = $(check_SCRIPTS) 
+
+do_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
+	-e 's,[@]objdir[@],$(top_builddir)/tests/db,g' \
+	-e 's,[@]EGREP[@],$(EGREP),g' 
+
+loaddump-db: loaddump-db.in Makefile
+	$(do_subst) < $(srcdir)/loaddump-db.in > loaddump-db.tmp
+	chmod +x loaddump-db.tmp
+	mv loaddump-db.tmp loaddump-db
+
+add-modify-delete: add-modify-delete.in Makefile
+	$(do_subst) < $(srcdir)/add-modify-delete.in > add-modify-delete.tmp
+	chmod +x add-modify-delete.tmp
+	mv add-modify-delete.tmp add-modify-delete
+
+check-dbinfo: check-dbinfo.in Makefile
+	$(do_subst) < $(srcdir)/check-dbinfo.in > check-dbinfo.tmp
+	chmod +x check-dbinfo.tmp
+	mv check-dbinfo.tmp check-dbinfo
+
+have-db: have-db.in Makefile
+	$(do_subst) < $(srcdir)/have-db.in > have-db.tmp
+	chmod +x have-db.tmp
+	mv have-db.tmp have-db
+
+krb5.conf: krb5.conf.in Makefile
+	$(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp
+	mv krb5.conf.tmp krb5.conf
+
+
+CLEANFILES= \
+	$(TESTS) \
+	have-db \
+	db-dump* \
+	dbinfo.out \
+	current-db* \
+	out-text-dump* \
+	out-current-* \
+	mkey.file* \
+	krb5.conf krb5.conf.tmp \
+	tempfile \
+	log.current-db* \
+	messages.log
+
+EXTRA_DIST = \
+	check-dbinfo.in \
+	loaddump-db.in \
+	add-modify-delete.in \
+	have-db.in \
+	krb5.conf.in \
+	text-dump-0.7 \
+	text-dump-known-ext \
+	text-dump-no-ext \
+	text-dump-unknown-ext
+
diff --git a/crypto/heimdal/tests/db/Makefile.in b/crypto/heimdal/tests/db/Makefile.in
new file mode 100644
index 0000000..8616bab
--- /dev/null
+++ b/crypto/heimdal/tests/db/Makefile.in
@@ -0,0 +1,793 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# $Id: Makefile.am 20599 2007-05-08 02:48:22Z lha $
+
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
+
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
+
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
+	$(top_srcdir)/Makefile.am.common \
+	$(top_srcdir)/cf/Makefile.am.common
+subdir = tests/db
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
+	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
+	$(top_srcdir)/cf/broken-glob.m4 \
+	$(top_srcdir)/cf/broken-realloc.m4 \
+	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
+	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
+	$(top_srcdir)/cf/capabilities.m4 \
+	$(top_srcdir)/cf/check-compile-et.m4 \
+	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
+	$(top_srcdir)/cf/check-man.m4 \
+	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
+	$(top_srcdir)/cf/check-type-extra.m4 \
+	$(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \
+	$(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \
+	$(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
+	$(top_srcdir)/cf/dlopen.m4 \
+	$(top_srcdir)/cf/find-func-no-libs.m4 \
+	$(top_srcdir)/cf/find-func-no-libs2.m4 \
+	$(top_srcdir)/cf/find-func.m4 \
+	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
+	$(top_srcdir)/cf/have-struct-field.m4 \
+	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
+	$(top_srcdir)/cf/krb-bigendian.m4 \
+	$(top_srcdir)/cf/krb-func-getlogin.m4 \
+	$(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
+	$(top_srcdir)/cf/krb-readline.m4 \
+	$(top_srcdir)/cf/krb-struct-spwd.m4 \
+	$(top_srcdir)/cf/krb-struct-winsize.m4 \
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/include/config.h
+CONFIG_CLEAN_FILES =
+SCRIPTS = $(noinst_SCRIPTS)
+depcomp =
+am__depfiles_maybe =
+SOURCES =
+DIST_SOURCES =
+DATA = $(noinst_DATA)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CFLAGS = @CFLAGS@
+COMPILE_ET = @COMPILE_ET@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DBLIB = @DBLIB@
+DEFS = @DEFS@
+DIR_com_err = @DIR_com_err@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
+DIR_roken = @DIR_roken@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GREP = @GREP@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+INCLUDE_krb4 = @INCLUDE_krb4@
+INCLUDE_openldap = @INCLUDE_openldap@
+INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_NDBM = @LIB_NDBM@
+LIB_XauFileName = @LIB_XauFileName@
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_XauWriteAuth = @LIB_XauWriteAuth@
+LIB_bswap16 = @LIB_bswap16@
+LIB_bswap32 = @LIB_bswap32@
+LIB_com_err = @LIB_com_err@
+LIB_com_err_a = @LIB_com_err_a@
+LIB_com_err_so = @LIB_com_err_so@
+LIB_crypt = @LIB_crypt@
+LIB_db_create = @LIB_db_create@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
+LIB_el_init = @LIB_el_init@
+LIB_freeaddrinfo = @LIB_freeaddrinfo@
+LIB_gai_strerror = @LIB_gai_strerror@
+LIB_getaddrinfo = @LIB_getaddrinfo@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_gethostbyname2 = @LIB_gethostbyname2@
+LIB_getnameinfo = @LIB_getnameinfo@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
+LIB_hesiod = @LIB_hesiod@
+LIB_hstrerror = @LIB_hstrerror@
+LIB_kdb = @LIB_kdb@
+LIB_krb4 = @LIB_krb4@
+LIB_loadquery = @LIB_loadquery@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_openldap = @LIB_openldap@
+LIB_openpty = @LIB_openpty@
+LIB_otp = @LIB_otp@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
+LIB_res_nsearch = @LIB_res_nsearch@
+LIB_res_search = @LIB_res_search@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VERSIONING = @VERSIONING@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
+X_CFLAGS = @X_CFLAGS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_LIBS = @X_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dpagaix_cflags = @dpagaix_cflags@
+dpagaix_ldadd = @dpagaix_ldadd@
+dpagaix_ldflags = @dpagaix_ldflags@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
+@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
+AM_CFLAGS = $(WFLAGS)
+CP = cp
+buildinclude = $(top_builddir)/include
+LIB_getattr = @LIB_getattr@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_setpcred = @LIB_setpcred@
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+NROFF_MAN = groff -mandoc -Tascii
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
+@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+noinst_DATA = krb5.conf
+noinst_SCRIPTS = have-db
+check_SCRIPTS = loaddump-db add-modify-delete check-dbinfo
+TESTS = $(check_SCRIPTS) 
+do_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
+	-e 's,[@]objdir[@],$(top_builddir)/tests/db,g' \
+	-e 's,[@]EGREP[@],$(EGREP),g' 
+
+CLEANFILES = \
+	$(TESTS) \
+	have-db \
+	db-dump* \
+	dbinfo.out \
+	current-db* \
+	out-text-dump* \
+	out-current-* \
+	mkey.file* \
+	krb5.conf krb5.conf.tmp \
+	tempfile \
+	log.current-db* \
+	messages.log
+
+EXTRA_DIST = \
+	check-dbinfo.in \
+	loaddump-db.in \
+	add-modify-delete.in \
+	have-db.in \
+	krb5.conf.in \
+	text-dump-0.7 \
+	text-dump-known-ext \
+	text-dump-no-ext \
+	text-dump-unknown-ext
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign  --ignore-deps tests/db/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign  --ignore-deps tests/db/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+tags: TAGS
+TAGS:
+
+ctags: CTAGS
+CTAGS:
+
+
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[	 ]'; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *$$ws$$tst$$ws*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		echo "XPASS: $$tst"; \
+	      ;; \
+	      *) \
+		echo "PASS: $$tst"; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *$$ws$$tst$$ws*) \
+		xfail=`expr $$xfail + 1`; \
+		echo "XFAIL: $$tst"; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		echo "FAIL: $$tst"; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      echo "SKIP: $$tst"; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="All $$all tests passed"; \
+	    else \
+	      banner="All $$all tests behaved as expected ($$xfail expected failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all tests failed"; \
+	    else \
+	      banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    skipped="($$skip tests were not run)"; \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
+	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
+	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  test -z "$$skipped" || echo "$$skipped"; \
+	  test -z "$$report" || echo "$$report"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) \
+	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
+	  dist-hook
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_SCRIPTS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
+check: check-am
+all-am: Makefile $(SCRIPTS) $(DATA) all-local
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
+.PHONY: all all-am all-local check check-TESTS check-am check-local \
+	clean clean-generic clean-libtool dist-hook distclean \
+	distclean-generic distclean-libtool distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	uninstall uninstall-am uninstall-hook
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+
+check-local::
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
+	  foo='$(CHECK_LOCAL)'; else \
+	  foo='$(PROGRAMS)'; fi; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0 || exit 1; \
+	fi
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
+loaddump-db: loaddump-db.in Makefile
+	$(do_subst) < $(srcdir)/loaddump-db.in > loaddump-db.tmp
+	chmod +x loaddump-db.tmp
+	mv loaddump-db.tmp loaddump-db
+
+add-modify-delete: add-modify-delete.in Makefile
+	$(do_subst) < $(srcdir)/add-modify-delete.in > add-modify-delete.tmp
+	chmod +x add-modify-delete.tmp
+	mv add-modify-delete.tmp add-modify-delete
+
+check-dbinfo: check-dbinfo.in Makefile
+	$(do_subst) < $(srcdir)/check-dbinfo.in > check-dbinfo.tmp
+	chmod +x check-dbinfo.tmp
+	mv check-dbinfo.tmp check-dbinfo
+
+have-db: have-db.in Makefile
+	$(do_subst) < $(srcdir)/have-db.in > have-db.tmp
+	chmod +x have-db.tmp
+	mv have-db.tmp have-db
+
+krb5.conf: krb5.conf.in Makefile
+	$(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp
+	mv krb5.conf.tmp krb5.conf
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/tests/db/add-modify-delete.in b/crypto/heimdal/tests/db/add-modify-delete.in
new file mode 100644
index 0000000..b05a698
--- /dev/null
+++ b/crypto/heimdal/tests/db/add-modify-delete.in
@@ -0,0 +1,137 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: add-modify-delete.in 20606 2007-05-08 06:28:09Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+EGREP="@EGREP@"
+
+# If there is no useful db support compile in, disable test
+./have-db || exit 77
+
+R=EXAMPLE.ORG
+
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
+iproplog="${TESTS_ENVIRONMENT} ../../lib/kadm5/iprop-log"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f current-db*
+rm -f log.current-db*
+rm -f out-*
+rm -f mkey.file*
+
+echo init database
+${kadmin} \
+    init \
+    --realm-max-ticket-life=1day \
+    --realm-max-renewable-life=1month \
+    EXAMPLE.ORG || exit 1
+
+echo test add
+${kadmin} add -r --use-defaults foo || exit 1
+${kadmin} list '*' > /dev/null || exit 1
+${kadmin} list '*' | ${EGREP} '^foo$' > /dev/null || exit 1
+
+echo "test add (double)"
+${kadmin} add -r --use-defaults foo 2>/dev/null && exit 1
+
+echo test rename
+${kadmin} rename foo bar
+${kadmin} list '*' | ${EGREP} '^foo$' > /dev/null && exit 1
+${kadmin} list '*' | ${EGREP} '^bar$' > /dev/null || exit 1
+
+echo test delete
+${kadmin} delete bar || exit 1
+${kadmin} list '*' | ${EGREP} '^bar$' > /dev/null && exit 1
+
+echo "test delete (double)"
+${kadmin} delete bar 2> /dev/null && exit 1
+
+echo "creating sample user"
+${kadmin} add -r --use-defaults foo  || exit 1
+${kadmin} get foo > tempfile  || exit 1
+echo checking principal
+${EGREP} " *Principal: foo@EXAMPLE.ORG$" tempfile > /dev/null || exit 1
+echo checking kvno
+${EGREP} " *Kvno: 1$" tempfile > /dev/null || exit 1
+echo checking failed login count
+${EGREP} " *Failed login count: 0$" tempfile > /dev/null || exit 1
+echo checking modifier
+${EGREP} " *Modifier: kadmin/admin@EXAMPLE.ORG$" tempfile > /dev/null || exit 1
+echo checking attributes
+${EGREP} " *Attributes: $" tempfile > /dev/null || exit 1
+echo checking renew time
+${EGREP} " *Max renewable life: 1 week$" tempfile > /dev/null || exit 1
+
+echo modifing renewable-life
+${kadmin} modify --max-renewable-life=2months foo
+echo checking renew time
+${kadmin} get foo > tempfile  || exit 1
+${EGREP} " *Max renewable life: 2 months$" tempfile > /dev/null || exit 1
+
+echo "creating sample server"
+${kadmin} add -r --use-defaults host/datan.example.org  || exit 1
+${kadmin} get host/datan.example.org > tempfile  || exit 1
+echo checking principal
+${EGREP} " *Principal: host/datan.example.org@EXAMPLE.ORG$" tempfile > /dev/null || exit 1
+echo checking kvno
+${EGREP} " *Kvno: 1$" tempfile > /dev/null || exit 1
+
+echo "iprop-log dump"
+${iproplog} dump > /dev/null || exit 1
+echo "iprop-log last-version"
+${iproplog} last-version > /dev/null || exit 1
+
+echo "check iprop replay"
+
+${kadmin} dump out-current-db  || exit 1
+sort out-current-db > out-current-db-sort 
+
+rm -f current-db*
+
+echo "replaying"
+${iproplog} replay > /dev/null || exit 1
+
+${kadmin} dump out-current-db2  || exit 1
+sort out-current-db2 > out-current-db2-sort 
+
+# XXX database should really be the same afterward... :(
+# cmp out-current-db-sort out-current-db2-sort || exit 1
+
+
+
+exit 0
diff --git a/crypto/heimdal/tests/db/check-dbinfo.in b/crypto/heimdal/tests/db/check-dbinfo.in
new file mode 100644
index 0000000..7188060
--- /dev/null
+++ b/crypto/heimdal/tests/db/check-dbinfo.in
@@ -0,0 +1,45 @@
+#!/bin/sh
+#
+# Copyright (c) 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: check-dbinfo.in 20537 2007-04-23 08:00:04Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+../../lib/hdb/test_dbinfo > dbinfo.out || exit 1
+
+exit 0
diff --git a/crypto/heimdal/tests/db/have-db.in b/crypto/heimdal/tests/db/have-db.in
new file mode 100644
index 0000000..a6c373d
--- /dev/null
+++ b/crypto/heimdal/tests/db/have-db.in
@@ -0,0 +1,60 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: have-db.in 18579 2006-10-19 06:51:48Z lha $
+#
+
+srcdir="@srcdir@"
+base=`dirname "$0"`
+
+kdc="${base}/../../kdc/kdc"
+
+list=`${kdc} --builtin-hdb | sed 's/^builtin hdb backends: //'`
+oldIFS="$IFS"
+IPS=,
+set - ${list}
+IFS="$oldIFS"
+
+while [ $# != 0 ] ; do
+    case $1 in
+    db:*) exit 0 ;;
+    ndbm:*) exit 0 ;;
+    gdbm:*) exit 0 ;;
+    db4:*) exit 0 ;;
+    db3:*) exit 0 ;;
+    ldb:*) exit 0 ;;
+    esac
+    shift
+done
+
+exit 1
\ No newline at end of file
diff --git a/crypto/heimdal/tests/db/krb5.conf.in b/crypto/heimdal/tests/db/krb5.conf.in
new file mode 100644
index 0000000..446db31
--- /dev/null
+++ b/crypto/heimdal/tests/db/krb5.conf.in
@@ -0,0 +1,28 @@
+[libdefaults]
+	default_realm = EXAMPLE.ORG
+
+[realms]
+	EXAMPLE.ORG = {
+		kdc = localhost
+	}
+
+[kdc]
+	database = {
+		label = {
+			realm = LABEL.TEST.H5L.SE
+			dbname = @objdir@/label-db
+			mkey_file = @objdir@/mkey.file
+		}
+		label2 = {
+			dbname = @objdir@/lable2-db
+			realm = LABEL2.TEST.H5L.SE
+			mkey_file = @objdir@/mkey2.file
+		}
+		dbname = @objdir@/current-db
+		realm = EXAMPLE.ORG
+		mkey_file = @objdir@/mkey.file
+		log_file = @objdir@/log.current-db.log
+	}
+
+[logging]
+	default = 0-/FILE:@objdir@/messages.log
diff --git a/crypto/heimdal/tests/db/loaddump-db.in b/crypto/heimdal/tests/db/loaddump-db.in
new file mode 100644
index 0000000..1116e95
--- /dev/null
+++ b/crypto/heimdal/tests/db/loaddump-db.in
@@ -0,0 +1,132 @@
+#!/bin/sh
+#
+# Copyright (c) 2005 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: loaddump-db.in 20500 2007-04-21 21:48:17Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+# If there is no useful db support compile in, disable test
+./have-db || exit 77
+
+R=EXAMPLE.ORG
+
+kadmin="../../kadmin/kadmin -l -r $R"
+kstash="../../kdc/kstash"
+hprop="../../kdc/hprop"
+hpropd="../../kdc/hpropd"
+
+propdb="${hprop} --database=./current-db -n"
+propddb="${hpropd} --database=./current-db -n"
+
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+${kadmin} \
+    init \
+    --realm-max-ticket-life=1day \
+    --realm-max-renewable-life=1month \
+    EXAMPLE.ORG || exit 1
+
+# check that we can dump and load ourself
+${kadmin} dump out-current-db  || exit 1
+sort out-current-db > out-current-db-sort 
+${kadmin} load out-current-db  || exit 1
+${kadmin} dump out-current-db2  || exit 1
+sort out-current-db2 > out-current-db2-sort 
+cmp out-current-db-sort out-current-db2-sort || exit 1
+
+rm -f current-db*
+
+# check with no extentions
+${kadmin} load ${srcdir}/text-dump-0.7  || exit 1
+${propdb} > db-dump.tmp|| exit 1
+rm -f current-db*
+${propddb} < db-dump.tmp || exit 1
+${kadmin} dump | sort | sed 's/[0-9]* -$//' > out-text-dump-0.7  || exit 1
+sort < ${srcdir}/text-dump-0.7 | \
+    sed 's/[0-9]*$//' > out-text-dump-0.7-orig  || exit 1
+cmp out-text-dump-0.7-orig out-text-dump-0.7 || exit 1
+
+# check with no extentions
+${kadmin} load ${srcdir}/text-dump-no-ext  || exit 1
+${propdb} > db-dump.tmp || exit 1
+${propddb} < db-dump.tmp || exit 1
+${kadmin} dump | sort | \
+    awk '{$11=""; print;}' > out-text-dump-no-ext  || exit 1
+sort < ${srcdir}/text-dump-no-ext | \
+    awk '{$11=""; print;}' > out-text-dump-no-ext-orig || exit 1
+cmp out-text-dump-no-ext-orig out-text-dump-no-ext || exit 1
+
+# check with known extentions
+${kadmin} load ${srcdir}/text-dump-known-ext  || exit 1
+${propdb} > db-dump.tmp || exit 1
+${propddb} < db-dump.tmp || exit 1
+${kadmin} dump | sort | \
+    awk '{$11=""; print;}' > out-text-dump-known-ext  || exit 1
+sort < ${srcdir}/text-dump-known-ext | \
+    awk '{$11=""; print;}' > out-text-dump-known-ext-orig || exit 1
+cmp out-text-dump-known-ext-orig out-text-dump-known-ext || exit 1
+
+# check with unknown extentions
+${kadmin} load ${srcdir}/text-dump-unknown-ext  || exit 1
+${propdb} > db-dump.tmp || exit 1
+${propddb} < db-dump.tmp || exit 1
+${kadmin} dump | sort | \
+    awk '{$11=""; print;}' > out-text-dump-unknown-ext  || exit 1
+sort < ${srcdir}/text-dump-unknown-ext | \
+    awk '{$11=""; print;}' > out-text-dump-unknown-ext-orig || exit 1
+cmp out-text-dump-unknown-ext-orig out-text-dump-unknown-ext || exit 1
+
+${kstash} -e aes256-cts-hmac-sha1-96 --random-key -k ./mkey.file >/dev/null 2>/dev/null || exit 1
+
+# remove masterkey
+${kadmin} load ${srcdir}/text-dump-0.7  || exit 1
+${propdb} > db-dump.tmp|| exit 1
+${propddb} < db-dump.tmp || exit 1
+${propdb} -m mkey.file -D > db-dump.tmp || exit 1
+mv mkey.file mkey.file.no || exit 1
+${propddb} < db-dump.tmp || exit 1
+${kadmin} dump | sort | \
+    awk '{$11=""; print;}' > out-text-dump-0.7  || exit 1
+sort < ${srcdir}/text-dump-unknown-ext | \
+    awk '{$11=""; print;}' > out-text-dump-0.7-orig || exit 1
+cmp out-text-dump-0.7 out-text-dump-0.7-orig || exit 1
+
+exit 0
diff --git a/crypto/heimdal/tests/db/text-dump-0.7 b/crypto/heimdal/tests/db/text-dump-0.7
new file mode 100644
index 0000000..4aff11d
--- /dev/null
+++ b/crypto/heimdal/tests/db/text-dump-0.7
@@ -0,0 +1,7 @@
+changepw/kerberos@EXAMPLE.ORG 1::3:2376E6A4C1D5456D:-::2:2376E6A4C1D5456D:-::1:2376E6A4C1D5456D:-::18:39C3D293A6B0CEE734C7874764A8B5449F348AC00A6EA94F7451D07BE31EF239:-::16:108373F74F105875DCCE866B160886C7BC6780E526D0DAEA:-::23:D279B73431AA349F63594EA800397195:- 20050728203748:kadmin/admin@EXAMPLE.ORG 20050728203748:kadmin/admin@EXAMPLE.ORG - - - 3600 3600 639 20050728203748:743456:2
+default@EXAMPLE.ORG 0::3:3B2A671585E93D6B:3/"EXAMPLE.ORGdefault"::2:3B2A671585E93D6B:3/"EXAMPLE.ORGdefault"::1:3B2A671585E93D6B:3/"EXAMPLE.ORGdefault"::18:AF401411D3F29C204611A9BA1EF54AEDEC43A01B0123C57B994B2EE104E7F127:3/"EXAMPLE.ORGdefault"::16:02401CAD7A92760E464025760BCD3BE5DF616DD5A798C719:3/"EXAMPLE.ORGdefault"::23:31D6CFE0D16AE931B73C59D7E0C089C0:3/"EXAMPLE.ORGdefault" 20050728203748:kadmin/admin@EXAMPLE.ORG - - - - 86400 604800 254 20050728203748:863727:0
+kadmin/admin@EXAMPLE.ORG 1::3:2FCD23DCC2C726CE:-::2:2FCD23DCC2C726CE:-::1:2FCD23DCC2C726CE:-::18:1675F5E5BAD61428DE51F7C8EDCD53F23426D90F4F0BB4F9C73514D317E0482A:-::16:C79D6B0879B6ABADCE4A9B436B5B4A4F792679CDBC7F5D10:-::23:265C712FED225A85567BAF8CD9A4C4ED:- 20050728203748:kadmin/admin@EXAMPLE.ORG 20050728203748:kadmin/admin@EXAMPLE.ORG - - - 3600 3600 382 20050728203748:682995:2
+kadmin/changepw@EXAMPLE.ORG 1::3:57A132CB9D7F4F37:-::2:57A132CB9D7F4F37:-::1:57A132CB9D7F4F37:-::18:B8252C9E3EC99969053631C238BBF88A0AAA082A8F1C4ED8D1729170C79519B8:-::16:10CE89987A1FD0986E6D836DB3F473E04C648C34F17CBCE3:-::23:A6D2BCA6F54B1C1AA5E875F116EEDE82:- 20050728203748:kadmin/admin@EXAMPLE.ORG 20050728203748:kadmin/admin@EXAMPLE.ORG - - - 300 300 867 20050728203748:623022:2
+kadmin/hprop@EXAMPLE.ORG 1::3:76DC5751EFE52931:-::2:76DC5751EFE52931:-::1:76DC5751EFE52931:-::18:9B4D02F7D74790AB929E607BE5940CFF66801C237840EE968FDEFD7ED1387350:-::16:4CD575703D197F2991D5233704BAE379DF4FFBE616256762:-::23:E3D49F7E3462823492F33FAD8F0A754F:- 20050728203748:kadmin/admin@EXAMPLE.ORG 20050728203748:kadmin/admin@EXAMPLE.ORG - - - 3600 3600 383 20050728203748:803541:2
+krbtgt/EXAMPLE.ORG@EXAMPLE.ORG 1::3:C219830E0E73DCEC:-::2:C219830E0E73DCEC:-::1:C219830E0E73DCEC:-::18:56CD702EE58B6EF4CAF758DA0BA1B92B21EFC1D2E9FCC0785009BC391F8571B8:-::16:29E9A2F45B2561D5B592C1070708B94A894AE046D091CE7C:-::23:30A2FB86CDC17B4EC625DC66C47AAF37:- 20050728203748:kadmin/admin@EXAMPLE.ORG 20050728203748:kadmin/admin@EXAMPLE.ORG - - - 86400 2592000 126 20050728203748:560639:2
+lha@EXAMPLE.ORG 1::3:80AB08A261D6A82F:3/"EXAMPLE.ORGlha"::2:80AB08A261D6A82F:3/"EXAMPLE.ORGlha"::1:80AB08A261D6A82F:3/"EXAMPLE.ORGlha"::18:96653BEA5A46E5DF97D535C6C49F007E02F0E56B21F498C14F8C014871FE9889:3/"EXAMPLE.ORGlha"::16:7545202640A81304AE987F231FCB1F625D02CE7FF8A4ABEA:3/"EXAMPLE.ORGlha"::23:AC8E657F83DF82BEEA5D43BDAF7800CC:3/"EXAMPLE.ORGlha" 20050728203752:kadmin/admin@EXAMPLE.ORG 20050728203758:kadmin/admin@EXAMPLE.ORG - - - 86400 604800 126 20050728203752:988968:1
diff --git a/crypto/heimdal/tests/db/text-dump-known-ext b/crypto/heimdal/tests/db/text-dump-known-ext
new file mode 100644
index 0000000..8c3649c
--- /dev/null
+++ b/crypto/heimdal/tests/db/text-dump-known-ext
@@ -0,0 +1,7 @@
+changepw/kerberos@EXAMPLE.ORG 1::3:2376E6A4C1D5456D:-::2:2376E6A4C1D5456D:-::1:2376E6A4C1D5456D:-::18:39C3D293A6B0CEE734C7874764A8B5449F348AC00A6EA94F7451D07BE31EF239:-::16:108373F74F105875DCCE866B160886C7BC6780E526D0DAEA:-::23:D279B73431AA349F63594EA800397195:- 20050728203748:kadmin/admin@EXAMPLE.ORG 20050728203748:kadmin/admin@EXAMPLE.ORG - - - 3600 3600 639 20050728203748:743456:2 -
+default@EXAMPLE.ORG 0::3:3B2A671585E93D6B:3/"EXAMPLE.ORGdefault"::2:3B2A671585E93D6B:3/"EXAMPLE.ORGdefault"::1:3B2A671585E93D6B:3/"EXAMPLE.ORGdefault"::18:AF401411D3F29C204611A9BA1EF54AEDEC43A01B0123C57B994B2EE104E7F127:3/"EXAMPLE.ORGdefault"::16:02401CAD7A92760E464025760BCD3BE5DF616DD5A798C719:3/"EXAMPLE.ORGdefault"::23:31D6CFE0D16AE931B73C59D7E0C089C0:3/"EXAMPLE.ORGdefault" 20050728203748:kadmin/admin@EXAMPLE.ORG - - - - 86400 604800 254 20050728203748:863727:0 -
+kadmin/admin@EXAMPLE.ORG 1::3:2FCD23DCC2C726CE:-::2:2FCD23DCC2C726CE:-::1:2FCD23DCC2C726CE:-::18:1675F5E5BAD61428DE51F7C8EDCD53F23426D90F4F0BB4F9C73514D317E0482A:-::16:C79D6B0879B6ABADCE4A9B436B5B4A4F792679CDBC7F5D10:-::23:265C712FED225A85567BAF8CD9A4C4ED:- 20050728203748:kadmin/admin@EXAMPLE.ORG 20050728203748:kadmin/admin@EXAMPLE.ORG - - - 3600 3600 382 20050728203748:682995:2 -
+kadmin/changepw@EXAMPLE.ORG 1::3:57A132CB9D7F4F37:-::2:57A132CB9D7F4F37:-::1:57A132CB9D7F4F37:-::18:B8252C9E3EC99969053631C238BBF88A0AAA082A8F1C4ED8D1729170C79519B8:-::16:10CE89987A1FD0986E6D836DB3F473E04C648C34F17CBCE3:-::23:A6D2BCA6F54B1C1AA5E875F116EEDE82:- 20050728203748:kadmin/admin@EXAMPLE.ORG 20050728203748:kadmin/admin@EXAMPLE.ORG - - - 300 300 867 20050728203748:623022:2 -
+kadmin/hprop@EXAMPLE.ORG 1::3:76DC5751EFE52931:-::2:76DC5751EFE52931:-::1:76DC5751EFE52931:-::18:9B4D02F7D74790AB929E607BE5940CFF66801C237840EE968FDEFD7ED1387350:-::16:4CD575703D197F2991D5233704BAE379DF4FFBE616256762:-::23:E3D49F7E3462823492F33FAD8F0A754F:- 20050728203748:kadmin/admin@EXAMPLE.ORG 20050728203748:kadmin/admin@EXAMPLE.ORG - - - 3600 3600 383 20050728203748:803541:2 -
+krbtgt/EXAMPLE.ORG@EXAMPLE.ORG 1::3:C219830E0E73DCEC:-::2:C219830E0E73DCEC:-::1:C219830E0E73DCEC:-::18:56CD702EE58B6EF4CAF758DA0BA1B92B21EFC1D2E9FCC0785009BC391F8571B8:-::16:29E9A2F45B2561D5B592C1070708B94A894AE046D091CE7C:-::23:30A2FB86CDC17B4EC625DC66C47AAF37:- 20050728203748:kadmin/admin@EXAMPLE.ORG 20050728203748:kadmin/admin@EXAMPLE.ORG - - - 86400 2592000 126 20050728203748:560639:2 -
+lha@EXAMPLE.ORG 1::3:80AB08A261D6A82F:3/"EXAMPLE.ORGlha"::2:80AB08A261D6A82F:3/"EXAMPLE.ORGlha"::1:80AB08A261D6A82F:3/"EXAMPLE.ORGlha"::18:96653BEA5A46E5DF97D535C6C49F007E02F0E56B21F498C14F8C014871FE9889:3/"EXAMPLE.ORGlha"::16:7545202640A81304AE987F231FCB1F625D02CE7FF8A4ABEA:3/"EXAMPLE.ORGlha"::23:AC8E657F83DF82BEEA5D43BDAF7800CC:3/"EXAMPLE.ORGlha" 20050728203752:kadmin/admin@EXAMPLE.ORG 20050728203758:kadmin/admin@EXAMPLE.ORG - - - 86400 604800 126 20050728203752:988968:1 -
diff --git a/crypto/heimdal/tests/db/text-dump-no-ext b/crypto/heimdal/tests/db/text-dump-no-ext
new file mode 100644
index 0000000..8c3649c
--- /dev/null
+++ b/crypto/heimdal/tests/db/text-dump-no-ext
@@ -0,0 +1,7 @@
+changepw/kerberos@EXAMPLE.ORG 1::3:2376E6A4C1D5456D:-::2:2376E6A4C1D5456D:-::1:2376E6A4C1D5456D:-::18:39C3D293A6B0CEE734C7874764A8B5449F348AC00A6EA94F7451D07BE31EF239:-::16:108373F74F105875DCCE866B160886C7BC6780E526D0DAEA:-::23:D279B73431AA349F63594EA800397195:- 20050728203748:kadmin/admin@EXAMPLE.ORG 20050728203748:kadmin/admin@EXAMPLE.ORG - - - 3600 3600 639 20050728203748:743456:2 -
+default@EXAMPLE.ORG 0::3:3B2A671585E93D6B:3/"EXAMPLE.ORGdefault"::2:3B2A671585E93D6B:3/"EXAMPLE.ORGdefault"::1:3B2A671585E93D6B:3/"EXAMPLE.ORGdefault"::18:AF401411D3F29C204611A9BA1EF54AEDEC43A01B0123C57B994B2EE104E7F127:3/"EXAMPLE.ORGdefault"::16:02401CAD7A92760E464025760BCD3BE5DF616DD5A798C719:3/"EXAMPLE.ORGdefault"::23:31D6CFE0D16AE931B73C59D7E0C089C0:3/"EXAMPLE.ORGdefault" 20050728203748:kadmin/admin@EXAMPLE.ORG - - - - 86400 604800 254 20050728203748:863727:0 -
+kadmin/admin@EXAMPLE.ORG 1::3:2FCD23DCC2C726CE:-::2:2FCD23DCC2C726CE:-::1:2FCD23DCC2C726CE:-::18:1675F5E5BAD61428DE51F7C8EDCD53F23426D90F4F0BB4F9C73514D317E0482A:-::16:C79D6B0879B6ABADCE4A9B436B5B4A4F792679CDBC7F5D10:-::23:265C712FED225A85567BAF8CD9A4C4ED:- 20050728203748:kadmin/admin@EXAMPLE.ORG 20050728203748:kadmin/admin@EXAMPLE.ORG - - - 3600 3600 382 20050728203748:682995:2 -
+kadmin/changepw@EXAMPLE.ORG 1::3:57A132CB9D7F4F37:-::2:57A132CB9D7F4F37:-::1:57A132CB9D7F4F37:-::18:B8252C9E3EC99969053631C238BBF88A0AAA082A8F1C4ED8D1729170C79519B8:-::16:10CE89987A1FD0986E6D836DB3F473E04C648C34F17CBCE3:-::23:A6D2BCA6F54B1C1AA5E875F116EEDE82:- 20050728203748:kadmin/admin@EXAMPLE.ORG 20050728203748:kadmin/admin@EXAMPLE.ORG - - - 300 300 867 20050728203748:623022:2 -
+kadmin/hprop@EXAMPLE.ORG 1::3:76DC5751EFE52931:-::2:76DC5751EFE52931:-::1:76DC5751EFE52931:-::18:9B4D02F7D74790AB929E607BE5940CFF66801C237840EE968FDEFD7ED1387350:-::16:4CD575703D197F2991D5233704BAE379DF4FFBE616256762:-::23:E3D49F7E3462823492F33FAD8F0A754F:- 20050728203748:kadmin/admin@EXAMPLE.ORG 20050728203748:kadmin/admin@EXAMPLE.ORG - - - 3600 3600 383 20050728203748:803541:2 -
+krbtgt/EXAMPLE.ORG@EXAMPLE.ORG 1::3:C219830E0E73DCEC:-::2:C219830E0E73DCEC:-::1:C219830E0E73DCEC:-::18:56CD702EE58B6EF4CAF758DA0BA1B92B21EFC1D2E9FCC0785009BC391F8571B8:-::16:29E9A2F45B2561D5B592C1070708B94A894AE046D091CE7C:-::23:30A2FB86CDC17B4EC625DC66C47AAF37:- 20050728203748:kadmin/admin@EXAMPLE.ORG 20050728203748:kadmin/admin@EXAMPLE.ORG - - - 86400 2592000 126 20050728203748:560639:2 -
+lha@EXAMPLE.ORG 1::3:80AB08A261D6A82F:3/"EXAMPLE.ORGlha"::2:80AB08A261D6A82F:3/"EXAMPLE.ORGlha"::1:80AB08A261D6A82F:3/"EXAMPLE.ORGlha"::18:96653BEA5A46E5DF97D535C6C49F007E02F0E56B21F498C14F8C014871FE9889:3/"EXAMPLE.ORGlha"::16:7545202640A81304AE987F231FCB1F625D02CE7FF8A4ABEA:3/"EXAMPLE.ORGlha"::23:AC8E657F83DF82BEEA5D43BDAF7800CC:3/"EXAMPLE.ORGlha" 20050728203752:kadmin/admin@EXAMPLE.ORG 20050728203758:kadmin/admin@EXAMPLE.ORG - - - 86400 604800 126 20050728203752:988968:1 -
diff --git a/crypto/heimdal/tests/db/text-dump-unknown-ext b/crypto/heimdal/tests/db/text-dump-unknown-ext
new file mode 100644
index 0000000..8c3649c
--- /dev/null
+++ b/crypto/heimdal/tests/db/text-dump-unknown-ext
@@ -0,0 +1,7 @@
+changepw/kerberos@EXAMPLE.ORG 1::3:2376E6A4C1D5456D:-::2:2376E6A4C1D5456D:-::1:2376E6A4C1D5456D:-::18:39C3D293A6B0CEE734C7874764A8B5449F348AC00A6EA94F7451D07BE31EF239:-::16:108373F74F105875DCCE866B160886C7BC6780E526D0DAEA:-::23:D279B73431AA349F63594EA800397195:- 20050728203748:kadmin/admin@EXAMPLE.ORG 20050728203748:kadmin/admin@EXAMPLE.ORG - - - 3600 3600 639 20050728203748:743456:2 -
+default@EXAMPLE.ORG 0::3:3B2A671585E93D6B:3/"EXAMPLE.ORGdefault"::2:3B2A671585E93D6B:3/"EXAMPLE.ORGdefault"::1:3B2A671585E93D6B:3/"EXAMPLE.ORGdefault"::18:AF401411D3F29C204611A9BA1EF54AEDEC43A01B0123C57B994B2EE104E7F127:3/"EXAMPLE.ORGdefault"::16:02401CAD7A92760E464025760BCD3BE5DF616DD5A798C719:3/"EXAMPLE.ORGdefault"::23:31D6CFE0D16AE931B73C59D7E0C089C0:3/"EXAMPLE.ORGdefault" 20050728203748:kadmin/admin@EXAMPLE.ORG - - - - 86400 604800 254 20050728203748:863727:0 -
+kadmin/admin@EXAMPLE.ORG 1::3:2FCD23DCC2C726CE:-::2:2FCD23DCC2C726CE:-::1:2FCD23DCC2C726CE:-::18:1675F5E5BAD61428DE51F7C8EDCD53F23426D90F4F0BB4F9C73514D317E0482A:-::16:C79D6B0879B6ABADCE4A9B436B5B4A4F792679CDBC7F5D10:-::23:265C712FED225A85567BAF8CD9A4C4ED:- 20050728203748:kadmin/admin@EXAMPLE.ORG 20050728203748:kadmin/admin@EXAMPLE.ORG - - - 3600 3600 382 20050728203748:682995:2 -
+kadmin/changepw@EXAMPLE.ORG 1::3:57A132CB9D7F4F37:-::2:57A132CB9D7F4F37:-::1:57A132CB9D7F4F37:-::18:B8252C9E3EC99969053631C238BBF88A0AAA082A8F1C4ED8D1729170C79519B8:-::16:10CE89987A1FD0986E6D836DB3F473E04C648C34F17CBCE3:-::23:A6D2BCA6F54B1C1AA5E875F116EEDE82:- 20050728203748:kadmin/admin@EXAMPLE.ORG 20050728203748:kadmin/admin@EXAMPLE.ORG - - - 300 300 867 20050728203748:623022:2 -
+kadmin/hprop@EXAMPLE.ORG 1::3:76DC5751EFE52931:-::2:76DC5751EFE52931:-::1:76DC5751EFE52931:-::18:9B4D02F7D74790AB929E607BE5940CFF66801C237840EE968FDEFD7ED1387350:-::16:4CD575703D197F2991D5233704BAE379DF4FFBE616256762:-::23:E3D49F7E3462823492F33FAD8F0A754F:- 20050728203748:kadmin/admin@EXAMPLE.ORG 20050728203748:kadmin/admin@EXAMPLE.ORG - - - 3600 3600 383 20050728203748:803541:2 -
+krbtgt/EXAMPLE.ORG@EXAMPLE.ORG 1::3:C219830E0E73DCEC:-::2:C219830E0E73DCEC:-::1:C219830E0E73DCEC:-::18:56CD702EE58B6EF4CAF758DA0BA1B92B21EFC1D2E9FCC0785009BC391F8571B8:-::16:29E9A2F45B2561D5B592C1070708B94A894AE046D091CE7C:-::23:30A2FB86CDC17B4EC625DC66C47AAF37:- 20050728203748:kadmin/admin@EXAMPLE.ORG 20050728203748:kadmin/admin@EXAMPLE.ORG - - - 86400 2592000 126 20050728203748:560639:2 -
+lha@EXAMPLE.ORG 1::3:80AB08A261D6A82F:3/"EXAMPLE.ORGlha"::2:80AB08A261D6A82F:3/"EXAMPLE.ORGlha"::1:80AB08A261D6A82F:3/"EXAMPLE.ORGlha"::18:96653BEA5A46E5DF97D535C6C49F007E02F0E56B21F498C14F8C014871FE9889:3/"EXAMPLE.ORGlha"::16:7545202640A81304AE987F231FCB1F625D02CE7FF8A4ABEA:3/"EXAMPLE.ORGlha"::23:AC8E657F83DF82BEEA5D43BDAF7800CC:3/"EXAMPLE.ORGlha" 20050728203752:kadmin/admin@EXAMPLE.ORG 20050728203758:kadmin/admin@EXAMPLE.ORG - - - 86400 604800 126 20050728203752:988968:1 -
diff --git a/crypto/heimdal/tests/gss/Makefile.am b/crypto/heimdal/tests/gss/Makefile.am
new file mode 100644
index 0000000..5a752d0
--- /dev/null
+++ b/crypto/heimdal/tests/gss/Makefile.am
@@ -0,0 +1,78 @@
+# $Id: Makefile.am 20513 2007-04-22 10:23:27Z lha $
+
+include $(top_srcdir)/Makefile.am.common
+
+noinst_DATA = krb5.conf
+
+SCRIPT_TESTS = check-gss check-gssmask check-context check-spnego check-ntlm
+
+TESTS = $(SCRIPT_TESTS)
+
+check_SCRIPTS = $(SCRIPT_TESTS)
+
+port = 49188
+
+do_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
+	-e 's,[@]port[@],$(port),g' \
+	-e 's,[@]objdir[@],$(top_builddir)/tests/gss,g'
+
+check-gss: check-gss.in Makefile
+	$(do_subst) < $(srcdir)/check-gss.in > check-gss.tmp
+	chmod +x check-gss.tmp
+	mv check-gss.tmp check-gss
+
+check-gssmask: check-gssmask.in Makefile
+	$(do_subst) < $(srcdir)/check-gssmask.in > check-gssmask.tmp
+	chmod +x check-gssmask.tmp
+	mv check-gssmask.tmp check-gssmask
+
+check-context: check-context.in Makefile
+	$(do_subst) < $(srcdir)/check-context.in > check-context.tmp
+	chmod +x check-context.tmp
+	mv check-context.tmp check-context
+
+check-spnego: check-spnego.in Makefile
+	$(do_subst) < $(srcdir)/check-spnego.in > check-spnego.tmp
+	chmod +x check-spnego.tmp
+	mv check-spnego.tmp check-spnego
+
+check-basic: check-basic.in Makefile
+	$(do_subst) < $(srcdir)/check-basic.in > check-basic.tmp
+	chmod +x check-basic.tmp
+	mv check-basic.tmp check-basic
+
+check-ntlm: check-ntlm.in Makefile
+	$(do_subst) < $(srcdir)/check-ntlm.in > check-ntlm.tmp
+	chmod +x check-ntlm.tmp
+	mv check-ntlm.tmp check-ntlm
+
+krb5.conf: krb5.conf.in Makefile
+	$(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp
+	mv krb5.conf.tmp krb5.conf
+
+CLEANFILES= \
+	$(TESTS) \
+	foopassword \
+	barpassword \
+	krb5ccfile \
+	krb5ccfile-ds \
+	server.keytab \
+	krb5.conf \
+	current-db* \
+	*.log \
+	check-basic.tmp \
+	check-gss.tmp \
+	check-gssmask.tmp \
+	check-spnego.tmp \
+	check-ntlm.tmp \
+	check-context.tmp
+
+EXTRA_DIST = \
+	check-basic.in \
+	check-gss.in \
+	check-gssmask.in \
+	check-spnego.in \
+	check-ntlm.in \
+	check-context.in \
+	ntlm-user-file.txt \
+	krb5.conf.in
diff --git a/crypto/heimdal/tests/gss/Makefile.in b/crypto/heimdal/tests/gss/Makefile.in
new file mode 100644
index 0000000..bffae6c
--- /dev/null
+++ b/crypto/heimdal/tests/gss/Makefile.in
@@ -0,0 +1,804 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# $Id: Makefile.am 20513 2007-04-22 10:23:27Z lha $
+
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
+
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
+	$(top_srcdir)/Makefile.am.common \
+	$(top_srcdir)/cf/Makefile.am.common
+subdir = tests/gss
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
+	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
+	$(top_srcdir)/cf/broken-glob.m4 \
+	$(top_srcdir)/cf/broken-realloc.m4 \
+	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
+	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
+	$(top_srcdir)/cf/capabilities.m4 \
+	$(top_srcdir)/cf/check-compile-et.m4 \
+	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
+	$(top_srcdir)/cf/check-man.m4 \
+	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
+	$(top_srcdir)/cf/check-type-extra.m4 \
+	$(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \
+	$(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \
+	$(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
+	$(top_srcdir)/cf/dlopen.m4 \
+	$(top_srcdir)/cf/find-func-no-libs.m4 \
+	$(top_srcdir)/cf/find-func-no-libs2.m4 \
+	$(top_srcdir)/cf/find-func.m4 \
+	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
+	$(top_srcdir)/cf/have-struct-field.m4 \
+	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
+	$(top_srcdir)/cf/krb-bigendian.m4 \
+	$(top_srcdir)/cf/krb-func-getlogin.m4 \
+	$(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
+	$(top_srcdir)/cf/krb-readline.m4 \
+	$(top_srcdir)/cf/krb-struct-spwd.m4 \
+	$(top_srcdir)/cf/krb-struct-winsize.m4 \
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/include/config.h
+CONFIG_CLEAN_FILES =
+depcomp =
+am__depfiles_maybe =
+SOURCES =
+DIST_SOURCES =
+DATA = $(noinst_DATA)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CFLAGS = @CFLAGS@
+COMPILE_ET = @COMPILE_ET@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DBLIB = @DBLIB@
+DEFS = @DEFS@
+DIR_com_err = @DIR_com_err@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
+DIR_roken = @DIR_roken@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GREP = @GREP@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+INCLUDE_krb4 = @INCLUDE_krb4@
+INCLUDE_openldap = @INCLUDE_openldap@
+INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_NDBM = @LIB_NDBM@
+LIB_XauFileName = @LIB_XauFileName@
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_XauWriteAuth = @LIB_XauWriteAuth@
+LIB_bswap16 = @LIB_bswap16@
+LIB_bswap32 = @LIB_bswap32@
+LIB_com_err = @LIB_com_err@
+LIB_com_err_a = @LIB_com_err_a@
+LIB_com_err_so = @LIB_com_err_so@
+LIB_crypt = @LIB_crypt@
+LIB_db_create = @LIB_db_create@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
+LIB_el_init = @LIB_el_init@
+LIB_freeaddrinfo = @LIB_freeaddrinfo@
+LIB_gai_strerror = @LIB_gai_strerror@
+LIB_getaddrinfo = @LIB_getaddrinfo@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_gethostbyname2 = @LIB_gethostbyname2@
+LIB_getnameinfo = @LIB_getnameinfo@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
+LIB_hesiod = @LIB_hesiod@
+LIB_hstrerror = @LIB_hstrerror@
+LIB_kdb = @LIB_kdb@
+LIB_krb4 = @LIB_krb4@
+LIB_loadquery = @LIB_loadquery@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_openldap = @LIB_openldap@
+LIB_openpty = @LIB_openpty@
+LIB_otp = @LIB_otp@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
+LIB_res_nsearch = @LIB_res_nsearch@
+LIB_res_search = @LIB_res_search@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VERSIONING = @VERSIONING@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
+X_CFLAGS = @X_CFLAGS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_LIBS = @X_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dpagaix_cflags = @dpagaix_cflags@
+dpagaix_ldadd = @dpagaix_ldadd@
+dpagaix_ldflags = @dpagaix_ldflags@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
+@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
+AM_CFLAGS = $(WFLAGS)
+CP = cp
+buildinclude = $(top_builddir)/include
+LIB_getattr = @LIB_getattr@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_setpcred = @LIB_setpcred@
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+NROFF_MAN = groff -mandoc -Tascii
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
+@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+noinst_DATA = krb5.conf
+SCRIPT_TESTS = check-gss check-gssmask check-context check-spnego check-ntlm
+TESTS = $(SCRIPT_TESTS)
+check_SCRIPTS = $(SCRIPT_TESTS)
+port = 49188
+do_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
+	-e 's,[@]port[@],$(port),g' \
+	-e 's,[@]objdir[@],$(top_builddir)/tests/gss,g'
+
+CLEANFILES = \
+	$(TESTS) \
+	foopassword \
+	barpassword \
+	krb5ccfile \
+	krb5ccfile-ds \
+	server.keytab \
+	krb5.conf \
+	current-db* \
+	*.log \
+	check-basic.tmp \
+	check-gss.tmp \
+	check-gssmask.tmp \
+	check-spnego.tmp \
+	check-ntlm.tmp \
+	check-context.tmp
+
+EXTRA_DIST = \
+	check-basic.in \
+	check-gss.in \
+	check-gssmask.in \
+	check-spnego.in \
+	check-ntlm.in \
+	check-context.in \
+	ntlm-user-file.txt \
+	krb5.conf.in
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign  --ignore-deps tests/gss/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign  --ignore-deps tests/gss/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+tags: TAGS
+TAGS:
+
+ctags: CTAGS
+CTAGS:
+
+
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[	 ]'; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *$$ws$$tst$$ws*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		echo "XPASS: $$tst"; \
+	      ;; \
+	      *) \
+		echo "PASS: $$tst"; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *$$ws$$tst$$ws*) \
+		xfail=`expr $$xfail + 1`; \
+		echo "XFAIL: $$tst"; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		echo "FAIL: $$tst"; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      echo "SKIP: $$tst"; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="All $$all tests passed"; \
+	    else \
+	      banner="All $$all tests behaved as expected ($$xfail expected failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all tests failed"; \
+	    else \
+	      banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    skipped="($$skip tests were not run)"; \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
+	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
+	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  test -z "$$skipped" || echo "$$skipped"; \
+	  test -z "$$report" || echo "$$report"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) \
+	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
+	  dist-hook
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_SCRIPTS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
+check: check-am
+all-am: Makefile $(DATA) all-local
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
+.PHONY: all all-am all-local check check-TESTS check-am check-local \
+	clean clean-generic clean-libtool dist-hook distclean \
+	distclean-generic distclean-libtool distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	uninstall uninstall-am uninstall-hook
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+
+check-local::
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
+	  foo='$(CHECK_LOCAL)'; else \
+	  foo='$(PROGRAMS)'; fi; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0 || exit 1; \
+	fi
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
+check-gss: check-gss.in Makefile
+	$(do_subst) < $(srcdir)/check-gss.in > check-gss.tmp
+	chmod +x check-gss.tmp
+	mv check-gss.tmp check-gss
+
+check-gssmask: check-gssmask.in Makefile
+	$(do_subst) < $(srcdir)/check-gssmask.in > check-gssmask.tmp
+	chmod +x check-gssmask.tmp
+	mv check-gssmask.tmp check-gssmask
+
+check-context: check-context.in Makefile
+	$(do_subst) < $(srcdir)/check-context.in > check-context.tmp
+	chmod +x check-context.tmp
+	mv check-context.tmp check-context
+
+check-spnego: check-spnego.in Makefile
+	$(do_subst) < $(srcdir)/check-spnego.in > check-spnego.tmp
+	chmod +x check-spnego.tmp
+	mv check-spnego.tmp check-spnego
+
+check-basic: check-basic.in Makefile
+	$(do_subst) < $(srcdir)/check-basic.in > check-basic.tmp
+	chmod +x check-basic.tmp
+	mv check-basic.tmp check-basic
+
+check-ntlm: check-ntlm.in Makefile
+	$(do_subst) < $(srcdir)/check-ntlm.in > check-ntlm.tmp
+	chmod +x check-ntlm.tmp
+	mv check-ntlm.tmp check-ntlm
+
+krb5.conf: krb5.conf.in Makefile
+	$(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp
+	mv krb5.conf.tmp krb5.conf
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/tests/gss/check-basic.in b/crypto/heimdal/tests/gss/check-basic.in
new file mode 100644
index 0000000..b6b95f6
--- /dev/null
+++ b/crypto/heimdal/tests/gss/check-basic.in
@@ -0,0 +1,156 @@
+#!/bin/sh
+#
+# Copyright (c) 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id$
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+# If there is no useful db support compile in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+nokeytab="FILE:no-such-keytab"
+cache="FILE:krb5ccfile"
+nocache="FILE:no-such-cache"
+
+kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+
+acquire_cred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_acquire_cred"
+test_kcred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_kcred"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+KRB5_KTNAME="${keytab}"
+export KRB5_KTNAME
+KRB5CCNAME="${cache}"
+export KRB5CCNAME
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+    init \
+    --realm-max-ticket-life=1day \
+    --realm-max-renewable-life=1month \
+    ${R} || exit 1
+
+echo upw > ${objdir}/foopassword
+
+${kadmin} add -p upw --use-defaults user@${R} || exit 1
+${kadmin} add -p upw --use-defaults another@${R} || exit 1
+${kadmin} add -p p1 --use-defaults host/host.test.h5l.se@${R} || exit 1
+${kadmin} ext -k ${keytab} host/host.test.h5l.se@${R} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+
+echo Starting kdc
+${kdc} &
+kdcpid=$!
+
+sh ${srcdir}/../kdc/wait-kdc.sh
+if [ "$?" != 0 ] ; then
+    kill ${kdcpid}
+    exit 1
+fi
+
+trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+
+exitcode=0
+
+echo "initial ticket"
+${kinit} --password-file=${objdir}/foopassword user@${R} || exitcode=1
+
+echo "keytab"
+${acquire_cred} \
+    --acquire-type=accept \
+    --acquire-name=host@host.test.h5l.se || exit 1
+echo "keytab w/o name"
+${acquire_cred} \
+    --acquire-type=accept || exit 1
+echo "keytab w/ wrong name"
+${acquire_cred} \
+    --acquire-type=accept \
+    --acquire-name=host@host2.test.h5l.se 2>/dev/null && exit 1
+echo "init using keytab"
+${acquire_cred} \
+    --acquire-type=initiate \
+    --acquire-name=host@host.test.h5l.se || exit 1
+echo "init using existing cc"
+${acquire_cred} \
+    --name-type=user-name \
+    --acquire-type=initiate \
+    --acquire-name=user || exit 1
+
+KRB5CCNAME=${nocache}
+
+echo "fail init using existing cc"
+${acquire_cred} \
+    --name-type=user-name \
+    --acquire-type=initiate \
+    --acquire-name=user 2>/dev/null && exit 1
+
+echo "use gss_krb5_ccache_name"
+${acquire_cred} \
+    --name-type=user-name \
+    --ccache=${cache} \
+    --acquire-type=initiate \
+    --acquire-name=user >/dev/null || exit 1
+
+KRB5CCNAME=${cache}
+KRB5_KTNAME=${nokeytab}
+
+echo "kcred"
+${test_kcred} || exit 1
+
+trap "" EXIT
+
+echo "killing kdc (${kdcpid})"
+kill ${kdcpid} 2> /dev/null
+
+exit $exitcode
diff --git a/crypto/heimdal/tests/gss/check-context.in b/crypto/heimdal/tests/gss/check-context.in
new file mode 100644
index 0000000..1a25a24
--- /dev/null
+++ b/crypto/heimdal/tests/gss/check-context.in
@@ -0,0 +1,188 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: check-context.in 22425 2008-01-13 09:46:01Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+# If there is no useful db support compile in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+cache="FILE:krb5ccfile"
+
+kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+
+context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+KRB5CCNAME=${cache}
+export KRB5CCNAME
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+    init \
+    --realm-max-ticket-life=1day \
+    --realm-max-renewable-life=1month \
+    ${R} || exit 1
+
+# add both lucid and lucid.test.h5l.se to simulate aliases
+${kadmin} add -p p1 --use-defaults host/lucid.test.h5l.se@${R} || exit 1
+${kadmin} ext -k ${keytab} host/lucid.test.h5l.se@${R} || exit 1
+${kadmin} add -p p1 --use-defaults host/lucid@${R} || exit 1
+${kadmin} ext -k ${keytab} host/lucid@${R} || exit 1
+${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1
+
+${kadmin} add -p u1 --use-defaults user1@${R} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+
+echo u1 > ${objdir}/foopassword
+
+echo Starting kdc
+${kdc} &
+kdcpid=$!
+
+sh ${srcdir}/../kdc/wait-kdc.sh
+if [ "$?" != 0 ] ; then
+    kill ${kdcpid}
+    exit 1
+fi
+
+trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+
+exitcode=0
+
+echo "Getting client initial tickets"
+${kinit} --password-file=${objdir}/foopassword user1@${R} || exitcode=1
+
+echo "======test naming combinations"
+echo "plain"
+${context} --name-type=hostbased-service host@lucid.test.h5l.se || \
+	{ exitcode=1 ; echo test failed; }
+echo "plain (krb5)"
+${context} --name-type=krb5-principal-name host/lucid.test.h5l.se@${R} || \
+	{ exitcode=1 ; echo test failed; }
+echo "plain (krb5 realmless)"
+${context} --name-type=krb5-principal-name host/lucid.test.h5l.se || \
+	{ exitcode=1 ; echo test failed; }
+echo "dns canon on (long name) OFF, need dns_wrapper"
+#${context} --dns-canon host@lucid.test.h5l.se || \
+#	{ exitcode=1 ; echo test failed; }
+echo "dns canon off (long name)"
+${context} --no-dns-canon host@lucid.test.h5l.se || \
+	{ exitcode=1 ; echo test failed; }
+echo "dns canon off (short name)"
+${context} --no-dns-canon host@lucid || \
+	{ exitcode=1 ; echo test failed; }
+echo "dns canon off (short name, krb5)"
+${context}  --no-dns-canon --name-type=krb5-principal-name host/lucid@${R} || \
+	{ exitcode=1 ; echo test failed; }
+echo "dns canon off (short name, krb5)"
+${context}  --no-dns-canon --name-type=krb5-principal-name host/lucid || \
+	{ exitcode=1 ; echo test failed; }
+
+echo "======test context building"
+for mech in krb5 spnego ; do
+	echo "${mech} no-mutual"
+	${context} --mech-type=${mech} \
+	    --name-type=hostbased-service host@lucid.test.h5l.se || \
+		{ exitcode=1 ; echo test failed; }
+
+	echo "${mech} mutual"
+	${context} --mech-type=${mech} \
+	    --mutual \
+	    --name-type=hostbased-service host@lucid.test.h5l.se || \
+		{ exitcode=1 ; echo test failed; }
+
+	echo "${mech} delegate"
+	${context} --mech-type=${mech} \
+	    --delegate \
+	    --name-type=hostbased-service host@lucid.test.h5l.se || \
+		{ exitcode=1 ; echo test failed; }
+
+	echo "${mech} mutual delegate"
+	${context} --mech-type=${mech} \
+	    --mutual --delegate \
+	    --name-type=hostbased-service host@lucid.test.h5l.se || \
+		{ exitcode=1 ; echo test failed; }
+done
+
+#add spnego !
+echo "======dce-style"
+for mech in krb5 ; do
+
+	echo "${mech}: dce-style"
+	${context} \
+	    --mech-type=${mech} \
+	    --mutual \
+	    --dce-style \
+	    --name-type=hostbased-service host@lucid.test.h5l.se || \
+	    { exitcode=1 ; echo test failed; }
+
+done
+
+#echo "sasl-digest-md5"
+#${context}  --mech-type=sasl-digest-md5 \
+#    --name-type=hostbased-service \
+#    host@lucid.test.h5l.se || \
+#	{ exitcode=1 ; echo test failed; }
+
+
+trap "" EXIT
+
+echo "killing kdc (${kdcpid})"
+kill ${kdcpid} 2> /dev/null
+
+exit $exitcode
+
+
diff --git a/crypto/heimdal/tests/gss/check-gss.in b/crypto/heimdal/tests/gss/check-gss.in
new file mode 100644
index 0000000..e023c2b
--- /dev/null
+++ b/crypto/heimdal/tests/gss/check-gss.in
@@ -0,0 +1,45 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: check-gss.in 18389 2006-10-10 09:30:20Z lha $
+#
+
+objdir="@objdir@"
+gssdir="${objdir}/../../lib/gssapi"
+
+${TESTS_ENVIRONMENT} ${gssdir}/gss help > /dev/null || exit 1
+${TESTS_ENVIRONMENT} ${gssdir}/gss supported-mechanisms > /dev/null || exit 1
+
+exit 0
+
+
diff --git a/crypto/heimdal/tests/gss/check-gssmask.in b/crypto/heimdal/tests/gss/check-gssmask.in
new file mode 100644
index 0000000..8b72af4
--- /dev/null
+++ b/crypto/heimdal/tests/gss/check-gssmask.in
@@ -0,0 +1,133 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: check-gssmask.in 21845 2007-08-08 06:54:48Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+# If there is no useful db support compile in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+
+gssmask="${TESTS_ENVIRONMENT} ../../appl/gssmask/gssmask"
+gssmaskn1="${gssmask} -p 8889 --spn=host/n1.test.h5l.se@${R} --logfile=n1.log"
+gssmaskn2="${gssmask} -p 8890 --spn=host/n2.test.h5l.se@${R} --logfile=n2.log"
+gssmaskn3="${gssmask} -p 8891 --spn=host/n3.test.h5l.se@${R} --logfile=n3.log"
+gssmaestro="../../appl/gssmask/gssmaestro"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+    init \
+    --realm-max-ticket-life=1day \
+    --realm-max-renewable-life=1month \
+    ${R} || exit 1
+
+${kadmin} add -p p1 --use-defaults host/n1.test.h5l.se@${R} || exit 1
+${kadmin} add -p p2 --use-defaults host/n2.test.h5l.se@${R} || exit 1
+${kadmin} add -p p3 --use-defaults host/n3.test.h5l.se@${R} || exit 1
+${kadmin} ext -k ${keytab} host/n1.test.h5l.se@${R} || exit 1
+${kadmin} ext -k ${keytab} host/n2.test.h5l.se@${R} || exit 1
+${kadmin} ext -k ${keytab} host/n3.test.h5l.se@${R} || exit 1
+
+${kadmin} add -p u1 --use-defaults user1@${R} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+
+echo Starting kdc
+${kdc} &
+kdcpid=$!
+
+sh ${srcdir}/../kdc/wait-kdc.sh
+if [ "$?" != 0 ] ; then
+    kill ${kdcpid}
+    exit 1
+fi
+
+trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+
+exitcode=0
+
+echo "Starting client 1"
+${gssmaskn1} --moniker=n1 &
+n1pid=$!
+#echo $n1pid
+#xterm -display :0 -e g ${gssmaskn1} &
+#read x
+
+echo "Starting client 2"
+${gssmaskn2} --moniker=n2 &
+n2pid=$!
+
+echo "Starting client 3"
+${gssmaskn3} --moniker=n3 &
+n3pid=$!
+
+trap "kill ${kdcpid} ${n1pid} ${n2pid} ${n3pid} 2> /dev/null; echo signal killing kdc and maskar; exit 1;" EXIT
+
+sleep 10
+
+${gssmaestro} \
+    --slaves=localhost:8889 \
+    --slaves=localhost:8890 \
+    --slaves=localhost:8891 \
+    --principals=user1@${R}:u1 || exitcode=1
+
+trap "" EXIT
+
+echo "killing kdc and clients (${kdcpid}, ${n1pid}, ${n2pid}, ${n3pid})"
+kill ${kdcpid} ${n1pid} ${n2pid} ${n3pid} 2> /dev/null
+
+exit $exitcode
+
+
diff --git a/crypto/heimdal/tests/gss/check-ntlm.in b/crypto/heimdal/tests/gss/check-ntlm.in
new file mode 100644
index 0000000..a724d2d
--- /dev/null
+++ b/crypto/heimdal/tests/gss/check-ntlm.in
@@ -0,0 +1,170 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: check-ntlm.in 22160 2007-12-04 20:05:17Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+# If there is no useful db support compile in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+cache="FILE:krb5ccfile"
+cacheds="FILE:krb5ccfile-ds"
+
+kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
+kinitds="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cacheds --no-afslog"
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+kdigest="${TESTS_ENVIRONMENT} ../../kuser/kdigest"
+
+context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+KRB5_KTNAME="${keytab}"
+export KRB5_KTNAME
+KRB5CCNAME="${cache}"
+export KRB5CCNAME
+NTLM_ACCEPTOR_CCACHE="${cacheds}"
+export NTLM_ACCEPTOR_CCACHE
+NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt"
+export NTLM_USER_FILE
+
+GSSAPI_SPNEGO_NAME=host@host.test.h5l.se
+export GSSAPI_SPNEGO_NAME
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+    init \
+    --realm-max-ticket-life=1day \
+    --realm-max-renewable-life=1month \
+    ${R} || exit 1
+
+${kadmin} add -p p1 --use-defaults host/host.test.h5l.se@${R} || exit 1
+${kadmin} ext -k ${keytab} host/host.test.h5l.se@${R} || exit 1
+
+${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1
+
+${kadmin} add -p ds --use-defaults digestserver@${R} || exit 1
+${kadmin} modify --attributes=+allow-digest digestserver@${R} || exit 1
+
+${kadmin} add -p u1 --use-defaults user1@${R} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+
+echo u1 > ${objdir}/foopassword
+echo ds > ${objdir}/barpassword
+
+echo Starting kdc
+${kdc} &
+kdcpid=$!
+
+sh ${srcdir}/../kdc/wait-kdc.sh
+if [ "$?" != 0 ] ; then
+    kill ${kdcpid}
+    exit 1
+fi
+
+trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+
+exitcode=0
+
+echo "Getting client initial tickets"
+${kinit} --password-file=${objdir}/foopassword user1@${R} || exitcode=1
+echo "Getting digestserver initial tickets"
+${kinitds} --password-file=${objdir}/barpassword digestserver@${R} || exitcode=1
+
+echo "======probe"
+KRB5CCNAME="$cacheds"
+
+ ${kdigest} digest-probe --realm=${R} > /dev/null || \
+     { exitcode=1; echo "test failed"; }
+
+echo "======context building ntlm"
+
+NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt-no"
+KRB5CCNAME="$cache"
+
+echo "no NTLM initiator creds"
+${context} --mech-type=ntlm \
+	--mutual \
+        --name-type=hostbased-service \
+        --ret-mech-type=ntlm \
+        host@host.test.h5l.se 2> /dev/null && \
+        { exitcode=1 ; echo "test failed"; }
+
+echo "Getting client initial tickets (with ntlm creds)"
+${kinit} --password-file=${objdir}/foopassword --ntlm-domain=TEST user1@${R} || exitcode=1
+
+echo "NTLM initiator krb5 creds"
+${context} --mech-type=ntlm \
+	--mutual \
+        --name-type=hostbased-service \
+        --ret-mech-type=ntlm \
+        host@host.test.h5l.se || \
+        { exitcode=1 ; echo "test failed"; }
+
+echo "NTLM initiator krb5 creds (getverifymic, wrapunwrap)"
+${context} --mech-type=ntlm \
+	--mutual \
+        --name-type=hostbased-service \
+        --ret-mech-type=ntlm \
+        --getverifymic --wrapunwrap \
+        host@host.test.h5l.se || \
+        { exitcode=1 ; echo "test failed"; }
+
+trap "" EXIT
+
+echo "killing kdc (${kdcpid})"
+kill ${kdcpid} 2> /dev/null
+
+exit $exitcode
+
+
diff --git a/crypto/heimdal/tests/gss/check-spnego.in b/crypto/heimdal/tests/gss/check-spnego.in
new file mode 100644
index 0000000..c95ac6f
--- /dev/null
+++ b/crypto/heimdal/tests/gss/check-spnego.in
@@ -0,0 +1,209 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: check-spnego.in 21847 2007-08-08 06:55:32Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+# If there is no useful db support compile in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+cache="FILE:krb5ccfile"
+cacheds="FILE:krb5ccfile-ds"
+
+kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
+kinitds="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cacheds --no-afslog"
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+
+context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+KRB5_KTNAME="${keytab}"
+export KRB5_KTNAME
+KRB5CCNAME="${cache}"
+export KRB5CCNAME
+NTLM_ACCEPTOR_CCACHE="${cacheds}"
+export NTLM_ACCEPTOR_CCACHE
+NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt"
+export NTLM_USER_FILE
+
+GSSAPI_SPNEGO_NAME=host@host.test.h5l.se
+export GSSAPI_SPNEGO_NAME
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+    init \
+    --realm-max-ticket-life=1day \
+    --realm-max-renewable-life=1month \
+    ${R} || exit 1
+
+${kadmin} add -p p1 --use-defaults host/host.test.h5l.se@${R} || exit 1
+${kadmin} ext -k ${keytab} host/host.test.h5l.se@${R} || exit 1
+
+${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1
+
+${kadmin} add -p ds --use-defaults digestserver@${R} || exit 1
+${kadmin} modify --attributes=+allow-digest digestserver@${R} || exit 1
+
+${kadmin} add -p u1 --use-defaults user1@${R} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+
+echo u1 > ${objdir}/foopassword
+echo ds > ${objdir}/barpassword
+
+echo Starting kdc
+${kdc} &
+kdcpid=$!
+
+sh ${srcdir}/../kdc/wait-kdc.sh
+if [ "$?" != 0 ] ; then
+    kill ${kdcpid}
+    exit 1
+fi
+
+trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+
+exitcode=0
+
+echo "Getting client initial tickets"
+${kinit} --password-file=${objdir}/foopassword user1@${R} || exitcode=1
+echo "Getting digestserver initial tickets"
+${kinitds} --password-file=${objdir}/barpassword digestserver@${R} || exitcode=1
+
+echo "======context building for each mech"
+
+for mech in ntlm krb5 ; do 
+    echo "${mech}"
+    ${context} --mech-type=${mech} --ret-mech-type=${mech} \
+        --name-type=hostbased-service host@host.test.h5l.se || \
+	{ exitcode=1 ; echo test failed; }
+done
+
+echo "spnego"
+${context} \
+    --mech-type=spnego \
+    --ret-mech-type=krb5 \
+    --name-type=hostbased-service \
+    host@host.test.h5l.se || \
+    { exitcode=1 ; echo test failed; }
+
+echo "test failure cases"
+${context} --mech-type=ntlm --ret-mech-type=krb5 \
+    --name-type=hostbased-service host@host.test.h5l.se 2> /dev/null && \
+    { exitcode=1 ; echo test failed; }
+
+${context} --mech-type=krb5 --ret-mech-type=ntlm \
+    --name-type=hostbased-service host@host.test.h5l.se 2> /dev/null && \
+    { exitcode=1 ; echo test failed; }
+
+echo "======spnego variants context building"
+
+for arg in \
+     "" \
+     "--mutual" \
+     "--delegate" \
+     "--mutual --delegate" \
+     "--getverifymic --wrapunwrap" \
+     "--mutual --getverifymic --wrapunwrap" \
+    ; do
+
+    echo "no NTLM acceptor cred ${arg}"
+    NTLM_ACCEPTOR_CCACHE="${cacheds}-no"
+    ${context} --mech-type=spnego \
+        $arg \
+        --name-type=hostbased-service \
+        --ret-mech-type=krb5  \
+        host@host.test.h5l.se || \
+        { exitcode=1 ; echo test failed; }
+    NTLM_ACCEPTOR_CCACHE="${cacheds}"
+
+    echo "no NTLM initiator cred ${arg}"
+    NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt-no"
+    ${context} --mech-type=spnego \
+        $arg \
+        --name-type=hostbased-service \
+        --ret-mech-type=krb5 \
+        host@host.test.h5l.se || \
+        { exitcode=1 ; echo test failed; }
+    NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt"
+
+    echo "no krb5 acceptor cred ${arg}"
+    KRB5_KTNAME="${keytab}-no"
+    ${context} --mech-type=spnego \
+        $arg \
+        --name-type=hostbased-service \
+        --ret-mech-type=ntlm \
+        host@host.test.h5l.se || \
+        { exitcode=1 ; echo test failed; }
+    KRB5_KTNAME="${keytab}"
+
+    echo "no krb5 initiator cred ${arg}"
+    KRB5CCNAME="${cache}-no"
+    ${context} --mech-type=spnego \
+        $arg \
+        --name-type=hostbased-service \
+        --ret-mech-type=ntlm \
+        host@host.test.h5l.se || \
+        { exitcode=1 ; echo test failed; }
+    KRB5CCNAME="${cache}"
+
+done
+
+trap "" EXIT
+
+echo "killing kdc (${kdcpid})"
+kill ${kdcpid} 2> /dev/null
+
+exit $exitcode
+
+
diff --git a/crypto/heimdal/tests/gss/krb5.conf.in b/crypto/heimdal/tests/gss/krb5.conf.in
new file mode 100644
index 0000000..797fcdd
--- /dev/null
+++ b/crypto/heimdal/tests/gss/krb5.conf.in
@@ -0,0 +1,33 @@
+# $Id: krb5.conf.in 20202 2007-02-08 00:59:47Z lha $
+
+[libdefaults]
+	default_realm = TEST.H5L.SE
+	no-addresses = TRUE
+	default_keytab_name = @objdir@/server.keytab
+	dns_canonicalize_hostname = false
+	dns_lookup_realm = false
+
+[realms]
+	TEST.H5L.SE = {
+		kdc = localhost:@port@
+	}
+
+[domain_realms]
+	.test.h5l.se = TEST.H5L.SE
+
+[kdc]
+	enable-digest = true
+	digests_allowed = ntlm-v2,ntlm-v1-session,ntlm-v1
+
+	database = {
+		dbname = @objdir@/current-db
+		realm = TEST.H5L.SE
+		mkey_file = @objdir@/mkey.file
+	}
+
+[logging]
+	kdc = 0-/FILE:@objdir@/messages.log
+	default = 0-/FILE:@objdir@/messages.log
+
+[kadmin]
+	save-password = true
diff --git a/crypto/heimdal/tests/gss/ntlm-user-file.txt b/crypto/heimdal/tests/gss/ntlm-user-file.txt
new file mode 100644
index 0000000..853ba9b
--- /dev/null
+++ b/crypto/heimdal/tests/gss/ntlm-user-file.txt
@@ -0,0 +1,2 @@
+# $Id: ntlm-user-file.txt 19406 2006-12-18 13:12:44Z lha $
+TEST:user1:u1
diff --git a/crypto/heimdal/tests/java/KerberosInit.java b/crypto/heimdal/tests/java/KerberosInit.java
new file mode 100644
index 0000000..34714d9
--- /dev/null
+++ b/crypto/heimdal/tests/java/KerberosInit.java
@@ -0,0 +1,95 @@
+/*
+ *
+ * Copyright (c) 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ *
+ * $Id$
+ */
+
+import javax.security.auth.login.*;
+import javax.security.auth.callback.*;
+
+public class KerberosInit {
+
+    private class TestCallBackHandler implements CallbackHandler {
+	
+	public void handle(Callback[] callbacks)
+	    throws UnsupportedCallbackException {
+	    for (int i = 0; i < callbacks.length; i++) {
+		if (callbacks[i] instanceof TextOutputCallback) {
+		    TextOutputCallback toc = (TextOutputCallback)callbacks[i];
+		    System.out.println(toc.getMessage());
+		} else if (callbacks[i] instanceof NameCallback) {
+		    NameCallback nc = (NameCallback)callbacks[i];
+		    nc.setName("lha");
+		} else if (callbacks[i] instanceof PasswordCallback) {
+		    PasswordCallback pc = (PasswordCallback)callbacks[i];
+		    pc.setPassword("foo".toCharArray());
+		} else {
+		    throw new
+			UnsupportedCallbackException(callbacks[i],
+						     "Unrecognized Callback");
+		}
+	    }
+	}
+    }
+    private TestCallBackHandler getHandler() {
+	return new TestCallBackHandler();
+    }
+
+    public static void main(String[] args) {
+
+        LoginContext lc = null;
+        try {
+            lc = new LoginContext("kinit", new KerberosInit().getHandler());
+        } catch (LoginException e) {
+            System.err.println("Cannot create LoginContext. " + e.getMessage());
+	    e.printStackTrace();
+            System.exit(1);
+        } catch (SecurityException e) {
+            System.err.println("Cannot create LoginContext. " + e.getMessage());
+	    e.printStackTrace();
+            System.exit(1);
+        } 
+
+        try {
+            lc.login();
+        } catch (LoginException e) {
+            System.err.println("Authentication failed:" + e.getMessage());
+	    e.printStackTrace();
+            System.exit(1);
+        }
+
+	System.out.println("lc.login ok");
+	System.exit(0);
+    }
+}
+
diff --git a/crypto/heimdal/tests/java/Makefile.am b/crypto/heimdal/tests/java/Makefile.am
new file mode 100644
index 0000000..7785ca1
--- /dev/null
+++ b/crypto/heimdal/tests/java/Makefile.am
@@ -0,0 +1,44 @@
+# $Id: Makefile.am 20739 2007-05-31 16:53:21Z lha $
+
+include $(top_srcdir)/Makefile.am.common
+
+noinst_DATA = krb5.conf
+
+check_SCRIPTS = $(SCRIPT_TESTS) 
+
+SCRIPT_TESTS = check-kinit
+
+TESTS = $(SCRIPT_TESTS)
+
+port = 49188
+
+do_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
+	-e 's,[@]port[@],$(port),g' \
+	-e 's,[@]objdir[@],$(top_builddir)/tests/java,g'
+
+LDADD = ../../lib/krb5/libkrb5.la $(LIB_roken)
+
+check-kinit: check-kinit.in Makefile
+	$(do_subst) < $(srcdir)/check-kinit.in > check-kinit.tmp
+	chmod +x check-kinit.tmp
+	mv check-kinit.tmp check-kinit
+
+krb5.conf: krb5.conf.in Makefile
+	$(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp
+	mv krb5.conf.tmp krb5.conf
+
+CLEANFILES= \
+	$(TESTS) \
+	*.tmp \
+	*.class \
+	current-db* \
+	krb5.conf \
+	messages.log
+
+
+EXTRA_DIST = \
+	KerberosInit.java \
+	jaas.conf \
+	check-kinit.in \
+	have-java.sh \
+	krb5.conf.in
diff --git a/crypto/heimdal/tests/java/Makefile.in b/crypto/heimdal/tests/java/Makefile.in
new file mode 100644
index 0000000..9161e39
--- /dev/null
+++ b/crypto/heimdal/tests/java/Makefile.in
@@ -0,0 +1,768 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# $Id: Makefile.am 20739 2007-05-31 16:53:21Z lha $
+
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
+
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
+	$(top_srcdir)/Makefile.am.common \
+	$(top_srcdir)/cf/Makefile.am.common
+subdir = tests/java
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
+	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
+	$(top_srcdir)/cf/broken-glob.m4 \
+	$(top_srcdir)/cf/broken-realloc.m4 \
+	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
+	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
+	$(top_srcdir)/cf/capabilities.m4 \
+	$(top_srcdir)/cf/check-compile-et.m4 \
+	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
+	$(top_srcdir)/cf/check-man.m4 \
+	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
+	$(top_srcdir)/cf/check-type-extra.m4 \
+	$(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \
+	$(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \
+	$(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
+	$(top_srcdir)/cf/dlopen.m4 \
+	$(top_srcdir)/cf/find-func-no-libs.m4 \
+	$(top_srcdir)/cf/find-func-no-libs2.m4 \
+	$(top_srcdir)/cf/find-func.m4 \
+	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
+	$(top_srcdir)/cf/have-struct-field.m4 \
+	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
+	$(top_srcdir)/cf/krb-bigendian.m4 \
+	$(top_srcdir)/cf/krb-func-getlogin.m4 \
+	$(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
+	$(top_srcdir)/cf/krb-readline.m4 \
+	$(top_srcdir)/cf/krb-struct-spwd.m4 \
+	$(top_srcdir)/cf/krb-struct-winsize.m4 \
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/include/config.h
+CONFIG_CLEAN_FILES =
+depcomp =
+am__depfiles_maybe =
+SOURCES =
+DIST_SOURCES =
+DATA = $(noinst_DATA)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CFLAGS = @CFLAGS@
+COMPILE_ET = @COMPILE_ET@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DBLIB = @DBLIB@
+DEFS = @DEFS@
+DIR_com_err = @DIR_com_err@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
+DIR_roken = @DIR_roken@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GREP = @GREP@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+INCLUDE_krb4 = @INCLUDE_krb4@
+INCLUDE_openldap = @INCLUDE_openldap@
+INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_NDBM = @LIB_NDBM@
+LIB_XauFileName = @LIB_XauFileName@
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_XauWriteAuth = @LIB_XauWriteAuth@
+LIB_bswap16 = @LIB_bswap16@
+LIB_bswap32 = @LIB_bswap32@
+LIB_com_err = @LIB_com_err@
+LIB_com_err_a = @LIB_com_err_a@
+LIB_com_err_so = @LIB_com_err_so@
+LIB_crypt = @LIB_crypt@
+LIB_db_create = @LIB_db_create@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
+LIB_el_init = @LIB_el_init@
+LIB_freeaddrinfo = @LIB_freeaddrinfo@
+LIB_gai_strerror = @LIB_gai_strerror@
+LIB_getaddrinfo = @LIB_getaddrinfo@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_gethostbyname2 = @LIB_gethostbyname2@
+LIB_getnameinfo = @LIB_getnameinfo@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
+LIB_hesiod = @LIB_hesiod@
+LIB_hstrerror = @LIB_hstrerror@
+LIB_kdb = @LIB_kdb@
+LIB_krb4 = @LIB_krb4@
+LIB_loadquery = @LIB_loadquery@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_openldap = @LIB_openldap@
+LIB_openpty = @LIB_openpty@
+LIB_otp = @LIB_otp@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
+LIB_res_nsearch = @LIB_res_nsearch@
+LIB_res_search = @LIB_res_search@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VERSIONING = @VERSIONING@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
+X_CFLAGS = @X_CFLAGS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_LIBS = @X_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dpagaix_cflags = @dpagaix_cflags@
+dpagaix_ldadd = @dpagaix_ldadd@
+dpagaix_ldflags = @dpagaix_ldflags@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
+@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
+AM_CFLAGS = $(WFLAGS)
+CP = cp
+buildinclude = $(top_builddir)/include
+LIB_getattr = @LIB_getattr@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_setpcred = @LIB_setpcred@
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+NROFF_MAN = groff -mandoc -Tascii
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
+@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+noinst_DATA = krb5.conf
+check_SCRIPTS = $(SCRIPT_TESTS) 
+SCRIPT_TESTS = check-kinit
+TESTS = $(SCRIPT_TESTS)
+port = 49188
+do_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
+	-e 's,[@]port[@],$(port),g' \
+	-e 's,[@]objdir[@],$(top_builddir)/tests/java,g'
+
+LDADD = ../../lib/krb5/libkrb5.la $(LIB_roken)
+CLEANFILES = \
+	$(TESTS) \
+	*.tmp \
+	*.class \
+	current-db* \
+	krb5.conf \
+	messages.log
+
+EXTRA_DIST = \
+	KerberosInit.java \
+	jaas.conf \
+	check-kinit.in \
+	have-java.sh \
+	krb5.conf.in
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign  --ignore-deps tests/java/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign  --ignore-deps tests/java/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+tags: TAGS
+TAGS:
+
+ctags: CTAGS
+CTAGS:
+
+
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[	 ]'; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *$$ws$$tst$$ws*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		echo "XPASS: $$tst"; \
+	      ;; \
+	      *) \
+		echo "PASS: $$tst"; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *$$ws$$tst$$ws*) \
+		xfail=`expr $$xfail + 1`; \
+		echo "XFAIL: $$tst"; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		echo "FAIL: $$tst"; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      echo "SKIP: $$tst"; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="All $$all tests passed"; \
+	    else \
+	      banner="All $$all tests behaved as expected ($$xfail expected failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all tests failed"; \
+	    else \
+	      banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    skipped="($$skip tests were not run)"; \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
+	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
+	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  test -z "$$skipped" || echo "$$skipped"; \
+	  test -z "$$report" || echo "$$report"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) \
+	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
+	  dist-hook
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_SCRIPTS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
+check: check-am
+all-am: Makefile $(DATA) all-local
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
+.PHONY: all all-am all-local check check-TESTS check-am check-local \
+	clean clean-generic clean-libtool dist-hook distclean \
+	distclean-generic distclean-libtool distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	uninstall uninstall-am uninstall-hook
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+
+check-local::
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
+	  foo='$(CHECK_LOCAL)'; else \
+	  foo='$(PROGRAMS)'; fi; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0 || exit 1; \
+	fi
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
+check-kinit: check-kinit.in Makefile
+	$(do_subst) < $(srcdir)/check-kinit.in > check-kinit.tmp
+	chmod +x check-kinit.tmp
+	mv check-kinit.tmp check-kinit
+
+krb5.conf: krb5.conf.in Makefile
+	$(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp
+	mv krb5.conf.tmp krb5.conf
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/tests/java/check-kinit.in b/crypto/heimdal/tests/java/check-kinit.in
new file mode 100644
index 0000000..1ef59f7
--- /dev/null
+++ b/crypto/heimdal/tests/java/check-kinit.in
@@ -0,0 +1,101 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id$
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+port="@port@"
+
+# Disable test if: no data, no java, or socket wrapper
+../db/have-db || exit 77
+sh ${srcdir}/have-java.sh || exit 77
+[ X"$SOCKET_WRAPPER_DIR" != X ] && exit 77
+
+R=TEST.H5L.SE
+
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=127.0.0.1 -P $port"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f ${keytabfile} messages.log
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+echo "Compile"
+javac -d "${objdir}" "${srcdir}/KerberosInit.java" || \
+    { echo "Failed to compile java program: $?" ; exit 77; }
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+    init \
+    --realm-max-ticket-life=1day \
+    --realm-max-renewable-life=1month \
+    ${R} || exit 1
+
+${kadmin} add -p foo --use-defaults lha@${R} || exit 1
+${kadmin} modify --attributes=+requires-pre-auth lha@${R} || exit 1
+
+echo Starting kdc
+${kdc} &
+kdcpid=$!
+
+sh ${srcdir}/../kdc/wait-kdc.sh
+if [ "$?" != 0 ] ; then
+    kill ${kdcpid}
+    exit 1
+fi
+
+trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+
+echo "Run init"
+java \
+  -Dsun.security.krb5.debug=true \
+  -Djava.security.krb5.conf="${objdir}"/krb5.conf \
+  -Djava.security.auth.login.config="${srcdir}/jaas.conf" \
+  KerberosInit > output.tmp 2>&1 || { cat output.tmp ; exit 1; }
+
+echo "Done"
+
+echo "killing kdc (${kdcpid})"
+kill $kdcpid || exit 1
+
+trap "" EXIT
+
+exit 0
diff --git a/crypto/heimdal/tests/java/have-java.sh b/crypto/heimdal/tests/java/have-java.sh
new file mode 100644
index 0000000..da84b03
--- /dev/null
+++ b/crypto/heimdal/tests/java/have-java.sh
@@ -0,0 +1,58 @@
+#!/bin/sh
+#
+# Copyright (c) 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id$
+#
+
+echo "Checking for java and javac"
+
+oldifs=$IFS
+IFS=:
+set -- $PATH
+IFS=$oldifs
+for i in $*; do
+  test -n "$i" || i="."
+  test -x $i/java && j=f
+  test -x $i/javac && k=c
+done
+
+test "$j$k" = fc || exit 1
+
+# GNU GCC Java doesn't support Kerberos
+if java -version 2>&1 | grep 'gij' > /dev/null ; then
+    exit 1
+fi
+
+echo "ok"
+
+exit 0
diff --git a/crypto/heimdal/tests/java/jaas.conf b/crypto/heimdal/tests/java/jaas.conf
new file mode 100644
index 0000000..a61fb49
--- /dev/null
+++ b/crypto/heimdal/tests/java/jaas.conf
@@ -0,0 +1,5 @@
+/* $Id$ */
+
+kinit {
+   com.sun.security.auth.module.Krb5LoginModule required;
+};
diff --git a/crypto/heimdal/tests/java/krb5.conf.in b/crypto/heimdal/tests/java/krb5.conf.in
new file mode 100644
index 0000000..d301fa4
--- /dev/null
+++ b/crypto/heimdal/tests/java/krb5.conf.in
@@ -0,0 +1,30 @@
+# $Id$
+
+[libdefaults]
+	default_realm = TEST.H5L.SE
+
+
+[realms]
+	TEST.H5L.SE = {
+		kdc = localhost:@port@
+	}
+
+[kdc]
+	database = {
+		dbname = @objdir@/current-db
+		realm = TEST.H5L.SE
+		mkey_file = @objdir@/mkey.file
+	}
+
+[logging]
+	kdc = 0-/FILE:@objdir@/messages.log
+	default = 0-/FILE:@objdir@/messages.log
+
+# Have both default and non default salting for single DES encryptes,
+# this to check if the kdc return default salting.
+[kadmin]
+	default_keys = aes256-cts-hmac-sha1-96:pw-salt
+	default_keys = aes128-cts-hmac-sha1-96:pw-salt
+	default_keys = des3-cbc-sha1:pw-salt
+        default_keys = des:pw-salt
+	default_keys = des:pw-salt:
diff --git a/crypto/heimdal/tests/kdc/Makefile.am b/crypto/heimdal/tests/kdc/Makefile.am
new file mode 100644
index 0000000..b22386a
--- /dev/null
+++ b/crypto/heimdal/tests/kdc/Makefile.am
@@ -0,0 +1,159 @@
+# $Id: Makefile.am 22447 2008-01-15 06:05:17Z lha $
+
+include $(top_srcdir)/Makefile.am.common
+
+noinst_DATA = \
+	krb5.conf \
+	krb5-pkinit.conf \
+	krb5-pkinit-win.conf \
+	krb5-slave.conf
+
+check_PROGRAMS = ap-req
+check_SCRIPTS = $(SCRIPT_TESTS) 
+
+SCRIPT_TESTS = \
+	check-digest \
+	check-kadmin \
+	check-kdc \
+	check-keys \
+	check-pkinit \
+	check-iprop \
+	check-referral \
+	check-uu
+
+TESTS = $(SCRIPT_TESTS)
+
+port = 49188
+admport = 49189
+
+if HAVE_DLOPEN
+do_dlopen = -e 's,[@]DLOPEN[@],true,g'
+else
+do_dlopen = -e 's,[@]DLOPEN[@],false,g'
+endif
+
+do_subst = sed $(do_dlopen) \
+	-e 's,[@]srcdir[@],$(srcdir),g' \
+	-e 's,[@]port[@],$(port),g' \
+	-e 's,[@]admport[@],$(admport),g' \
+	-e 's,[@]objdir[@],$(top_builddir)/tests/kdc,g' \
+	-e 's,[@]EGREP[@],$(EGREP),g' 
+
+LDADD = ../../lib/krb5/libkrb5.la $(LIB_roken)
+
+check-kdc: check-kdc.in Makefile
+	$(do_subst) < $(srcdir)/check-kdc.in > check-kdc.tmp
+	chmod +x check-kdc.tmp
+	mv check-kdc.tmp check-kdc
+
+check-keys: check-keys.in Makefile
+	$(do_subst) < $(srcdir)/check-keys.in > check-keys.tmp
+	chmod +x check-keys.tmp
+	mv check-keys.tmp check-keys
+
+check-kadmin: check-kadmin.in Makefile
+	$(do_subst) < $(srcdir)/check-kadmin.in > check-kadmin.tmp
+	chmod +x check-kadmin.tmp
+	mv check-kadmin.tmp check-kadmin
+
+check-uu: check-uu.in Makefile
+	$(do_subst) < $(srcdir)/check-uu.in > check-uu.tmp
+	chmod +x check-uu.tmp
+	mv check-uu.tmp check-uu
+
+check-pkinit: check-pkinit.in Makefile krb5-pkinit.conf
+	$(do_subst) < $(srcdir)/check-pkinit.in > check-pkinit.tmp
+	chmod +x check-pkinit.tmp
+	mv check-pkinit.tmp check-pkinit
+
+check-iprop: check-iprop.in Makefile krb5.conf krb5-slave.conf
+	$(do_subst) < $(srcdir)/check-iprop.in > check-iprop.tmp
+	chmod +x check-iprop.tmp
+	mv check-iprop.tmp check-iprop
+
+check-digest: check-digest.in Makefile
+	$(do_subst) < $(srcdir)/check-digest.in > check-digest.tmp
+	chmod +x check-digest.tmp
+	mv check-digest.tmp check-digest
+
+check-referral: check-referral.in Makefile
+	$(do_subst) < $(srcdir)/check-referral.in > check-referral.tmp
+	chmod +x check-referral.tmp
+	mv check-referral.tmp check-referral
+
+krb5.conf: krb5.conf.in Makefile
+	$(do_subst) \
+	   -e 's,[@]kdc[@],,g' < $(srcdir)/krb5.conf.in > krb5.conf.tmp
+	mv krb5.conf.tmp krb5.conf
+
+krb5-slave.conf: krb5.conf.in Makefile
+	$(do_subst) \
+	   -e 's,[@]kdc[@],.slave,g' < $(srcdir)/krb5.conf.in > krb5-slave.conf.tmp
+	mv krb5-slave.conf.tmp krb5-slave.conf
+
+krb5-pkinit.conf: krb5-pkinit.conf.in Makefile
+	$(do_subst) -e 's,[@]w2k[@],no,g' < $(srcdir)/krb5-pkinit.conf.in > krb5-pkinit.conf.tmp
+	mv krb5-pkinit.conf.tmp krb5-pkinit.conf
+
+krb5-pkinit-win.conf: krb5-pkinit.conf.in Makefile
+	$(do_subst) -e 's,[@]w2k[@],yes,g' < $(srcdir)/krb5-pkinit.conf.in > krb5-pkinit-win.conf.tmp
+	mv krb5-pkinit-win.conf.tmp krb5-pkinit-win.conf
+
+CLEANFILES= \
+	$(TESTS) \
+	iprop-stats \
+	barpassword \
+	cache.krb5 \
+	cdigest-reply \
+	*.tmp \
+	client-cache \
+	current-db* \
+	current*.log \
+	iprop.keytab \
+	digest-reply \
+	foopassword \
+	krb5.conf \
+	krb5-slave.conf \
+	krb5-pkinit.conf \
+	krb5-pkinit-win.conf \
+	krb5.conf.keys \
+	signal \
+	messages.log \
+	o2cache.krb5 \
+	o2digest-reply \
+	ocache.krb5 \
+	s2digest-reply \
+	sdigest-init \
+	sdigest-reply \
+	server.keytab \
+	req-pkinit.der \
+	req-pkinit2.der \
+	req-kdc.der \
+	pkinit.crt \
+	pkinit2.crt \
+	pkinit3.crt \
+	kdc.crt \
+	ca.crt \
+	uuserver.log \
+	tempfile \
+	test-rc-file.rc
+
+EXTRA_DIST = \
+	check-kadmin.in \
+	check-kdc.in \
+	check-keys.in \
+	check-referral.in \
+	check-uu.in \
+	check-pkinit.in \
+	check-iprop.in \
+	check-digest.in \
+	heimdal.acl \
+	krb5.conf.in \
+	krb5.conf.keys.in \
+	krb5-pkinit.conf.in \
+	iprop-acl \
+	wait-kdc.sh \
+	pki-mapping \
+	ntlm-user-file.txt \
+	uuserver.txt \
+	donotexists.txt
diff --git a/crypto/heimdal/tests/kdc/Makefile.in b/crypto/heimdal/tests/kdc/Makefile.in
new file mode 100644
index 0000000..cf6f6d8
--- /dev/null
+++ b/crypto/heimdal/tests/kdc/Makefile.in
@@ -0,0 +1,971 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# $Id: Makefile.am 22447 2008-01-15 06:05:17Z lha $
+
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
+
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
+	$(top_srcdir)/Makefile.am.common \
+	$(top_srcdir)/cf/Makefile.am.common
+check_PROGRAMS = ap-req$(EXEEXT)
+subdir = tests/kdc
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
+	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
+	$(top_srcdir)/cf/broken-glob.m4 \
+	$(top_srcdir)/cf/broken-realloc.m4 \
+	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
+	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
+	$(top_srcdir)/cf/capabilities.m4 \
+	$(top_srcdir)/cf/check-compile-et.m4 \
+	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
+	$(top_srcdir)/cf/check-man.m4 \
+	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
+	$(top_srcdir)/cf/check-type-extra.m4 \
+	$(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \
+	$(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \
+	$(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
+	$(top_srcdir)/cf/dlopen.m4 \
+	$(top_srcdir)/cf/find-func-no-libs.m4 \
+	$(top_srcdir)/cf/find-func-no-libs2.m4 \
+	$(top_srcdir)/cf/find-func.m4 \
+	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
+	$(top_srcdir)/cf/have-struct-field.m4 \
+	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
+	$(top_srcdir)/cf/krb-bigendian.m4 \
+	$(top_srcdir)/cf/krb-func-getlogin.m4 \
+	$(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
+	$(top_srcdir)/cf/krb-readline.m4 \
+	$(top_srcdir)/cf/krb-struct-spwd.m4 \
+	$(top_srcdir)/cf/krb-struct-winsize.m4 \
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/include/config.h
+CONFIG_CLEAN_FILES =
+ap_req_SOURCES = ap-req.c
+ap_req_OBJECTS = ap-req.$(OBJEXT)
+ap_req_LDADD = $(LDADD)
+am__DEPENDENCIES_1 =
+ap_req_DEPENDENCIES = ../../lib/krb5/libkrb5.la $(am__DEPENDENCIES_1)
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
+depcomp =
+am__depfiles_maybe =
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = ap-req.c
+DIST_SOURCES = ap-req.c
+DATA = $(noinst_DATA)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CFLAGS = @CFLAGS@
+COMPILE_ET = @COMPILE_ET@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DBLIB = @DBLIB@
+DEFS = @DEFS@
+DIR_com_err = @DIR_com_err@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
+DIR_roken = @DIR_roken@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GREP = @GREP@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+INCLUDE_krb4 = @INCLUDE_krb4@
+INCLUDE_openldap = @INCLUDE_openldap@
+INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_NDBM = @LIB_NDBM@
+LIB_XauFileName = @LIB_XauFileName@
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_XauWriteAuth = @LIB_XauWriteAuth@
+LIB_bswap16 = @LIB_bswap16@
+LIB_bswap32 = @LIB_bswap32@
+LIB_com_err = @LIB_com_err@
+LIB_com_err_a = @LIB_com_err_a@
+LIB_com_err_so = @LIB_com_err_so@
+LIB_crypt = @LIB_crypt@
+LIB_db_create = @LIB_db_create@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
+LIB_el_init = @LIB_el_init@
+LIB_freeaddrinfo = @LIB_freeaddrinfo@
+LIB_gai_strerror = @LIB_gai_strerror@
+LIB_getaddrinfo = @LIB_getaddrinfo@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_gethostbyname2 = @LIB_gethostbyname2@
+LIB_getnameinfo = @LIB_getnameinfo@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
+LIB_hesiod = @LIB_hesiod@
+LIB_hstrerror = @LIB_hstrerror@
+LIB_kdb = @LIB_kdb@
+LIB_krb4 = @LIB_krb4@
+LIB_loadquery = @LIB_loadquery@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_openldap = @LIB_openldap@
+LIB_openpty = @LIB_openpty@
+LIB_otp = @LIB_otp@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
+LIB_res_nsearch = @LIB_res_nsearch@
+LIB_res_search = @LIB_res_search@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VERSIONING = @VERSIONING@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
+X_CFLAGS = @X_CFLAGS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_LIBS = @X_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dpagaix_cflags = @dpagaix_cflags@
+dpagaix_ldadd = @dpagaix_ldadd@
+dpagaix_ldflags = @dpagaix_ldflags@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
+@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
+AM_CFLAGS = $(WFLAGS)
+CP = cp
+buildinclude = $(top_builddir)/include
+LIB_getattr = @LIB_getattr@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_setpcred = @LIB_setpcred@
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+NROFF_MAN = groff -mandoc -Tascii
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
+@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+noinst_DATA = \
+	krb5.conf \
+	krb5-pkinit.conf \
+	krb5-pkinit-win.conf \
+	krb5-slave.conf
+
+check_SCRIPTS = $(SCRIPT_TESTS) 
+SCRIPT_TESTS = \
+	check-digest \
+	check-kadmin \
+	check-kdc \
+	check-keys \
+	check-pkinit \
+	check-iprop \
+	check-referral \
+	check-uu
+
+TESTS = $(SCRIPT_TESTS)
+port = 49188
+admport = 49189
+@HAVE_DLOPEN_FALSE@do_dlopen = -e 's,[@]DLOPEN[@],false,g'
+@HAVE_DLOPEN_TRUE@do_dlopen = -e 's,[@]DLOPEN[@],true,g'
+do_subst = sed $(do_dlopen) \
+	-e 's,[@]srcdir[@],$(srcdir),g' \
+	-e 's,[@]port[@],$(port),g' \
+	-e 's,[@]admport[@],$(admport),g' \
+	-e 's,[@]objdir[@],$(top_builddir)/tests/kdc,g' \
+	-e 's,[@]EGREP[@],$(EGREP),g' 
+
+LDADD = ../../lib/krb5/libkrb5.la $(LIB_roken)
+CLEANFILES = \
+	$(TESTS) \
+	iprop-stats \
+	barpassword \
+	cache.krb5 \
+	cdigest-reply \
+	*.tmp \
+	client-cache \
+	current-db* \
+	current*.log \
+	iprop.keytab \
+	digest-reply \
+	foopassword \
+	krb5.conf \
+	krb5-slave.conf \
+	krb5-pkinit.conf \
+	krb5-pkinit-win.conf \
+	krb5.conf.keys \
+	signal \
+	messages.log \
+	o2cache.krb5 \
+	o2digest-reply \
+	ocache.krb5 \
+	s2digest-reply \
+	sdigest-init \
+	sdigest-reply \
+	server.keytab \
+	req-pkinit.der \
+	req-pkinit2.der \
+	req-kdc.der \
+	pkinit.crt \
+	pkinit2.crt \
+	pkinit3.crt \
+	kdc.crt \
+	ca.crt \
+	uuserver.log \
+	tempfile \
+	test-rc-file.rc
+
+EXTRA_DIST = \
+	check-kadmin.in \
+	check-kdc.in \
+	check-keys.in \
+	check-referral.in \
+	check-uu.in \
+	check-pkinit.in \
+	check-iprop.in \
+	check-digest.in \
+	heimdal.acl \
+	krb5.conf.in \
+	krb5.conf.keys.in \
+	krb5-pkinit.conf.in \
+	iprop-acl \
+	wait-kdc.sh \
+	pki-mapping \
+	ntlm-user-file.txt \
+	uuserver.txt \
+	donotexists.txt
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign  --ignore-deps tests/kdc/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign  --ignore-deps tests/kdc/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+clean-checkPROGRAMS:
+	@list='$(check_PROGRAMS)'; for p in $$list; do \
+	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  echo " rm -f $$p $$f"; \
+	  rm -f $$p $$f ; \
+	done
+ap-req$(EXEEXT): $(ap_req_OBJECTS) $(ap_req_DEPENDENCIES) 
+	@rm -f ap-req$(EXEEXT)
+	$(LINK) $(ap_req_OBJECTS) $(ap_req_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+.c.o:
+	$(COMPILE) -c $<
+
+.c.obj:
+	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[	 ]'; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *$$ws$$tst$$ws*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		echo "XPASS: $$tst"; \
+	      ;; \
+	      *) \
+		echo "PASS: $$tst"; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *$$ws$$tst$$ws*) \
+		xfail=`expr $$xfail + 1`; \
+		echo "XFAIL: $$tst"; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		echo "FAIL: $$tst"; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      echo "SKIP: $$tst"; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="All $$all tests passed"; \
+	    else \
+	      banner="All $$all tests behaved as expected ($$xfail expected failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all tests failed"; \
+	    else \
+	      banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    skipped="($$skip tests were not run)"; \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
+	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
+	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  test -z "$$skipped" || echo "$$skipped"; \
+	  test -z "$$report" || echo "$$report"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) \
+	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
+	  dist-hook
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) $(check_SCRIPTS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
+check: check-am
+all-am: Makefile $(DATA) all-local
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-checkPROGRAMS clean-generic clean-libtool \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
+.PHONY: CTAGS GTAGS all all-am all-local check check-TESTS check-am \
+	check-local clean clean-checkPROGRAMS clean-generic \
+	clean-libtool ctags dist-hook distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-data-hook install-dvi \
+	install-dvi-am install-exec install-exec-am install-exec-hook \
+	install-html install-html-am install-info install-info-am \
+	install-man install-pdf install-pdf-am install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \
+	uninstall-am uninstall-hook
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+
+check-local::
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
+	  foo='$(CHECK_LOCAL)'; else \
+	  foo='$(PROGRAMS)'; fi; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0 || exit 1; \
+	fi
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
+check-kdc: check-kdc.in Makefile
+	$(do_subst) < $(srcdir)/check-kdc.in > check-kdc.tmp
+	chmod +x check-kdc.tmp
+	mv check-kdc.tmp check-kdc
+
+check-keys: check-keys.in Makefile
+	$(do_subst) < $(srcdir)/check-keys.in > check-keys.tmp
+	chmod +x check-keys.tmp
+	mv check-keys.tmp check-keys
+
+check-kadmin: check-kadmin.in Makefile
+	$(do_subst) < $(srcdir)/check-kadmin.in > check-kadmin.tmp
+	chmod +x check-kadmin.tmp
+	mv check-kadmin.tmp check-kadmin
+
+check-uu: check-uu.in Makefile
+	$(do_subst) < $(srcdir)/check-uu.in > check-uu.tmp
+	chmod +x check-uu.tmp
+	mv check-uu.tmp check-uu
+
+check-pkinit: check-pkinit.in Makefile krb5-pkinit.conf
+	$(do_subst) < $(srcdir)/check-pkinit.in > check-pkinit.tmp
+	chmod +x check-pkinit.tmp
+	mv check-pkinit.tmp check-pkinit
+
+check-iprop: check-iprop.in Makefile krb5.conf krb5-slave.conf
+	$(do_subst) < $(srcdir)/check-iprop.in > check-iprop.tmp
+	chmod +x check-iprop.tmp
+	mv check-iprop.tmp check-iprop
+
+check-digest: check-digest.in Makefile
+	$(do_subst) < $(srcdir)/check-digest.in > check-digest.tmp
+	chmod +x check-digest.tmp
+	mv check-digest.tmp check-digest
+
+check-referral: check-referral.in Makefile
+	$(do_subst) < $(srcdir)/check-referral.in > check-referral.tmp
+	chmod +x check-referral.tmp
+	mv check-referral.tmp check-referral
+
+krb5.conf: krb5.conf.in Makefile
+	$(do_subst) \
+	   -e 's,[@]kdc[@],,g' < $(srcdir)/krb5.conf.in > krb5.conf.tmp
+	mv krb5.conf.tmp krb5.conf
+
+krb5-slave.conf: krb5.conf.in Makefile
+	$(do_subst) \
+	   -e 's,[@]kdc[@],.slave,g' < $(srcdir)/krb5.conf.in > krb5-slave.conf.tmp
+	mv krb5-slave.conf.tmp krb5-slave.conf
+
+krb5-pkinit.conf: krb5-pkinit.conf.in Makefile
+	$(do_subst) -e 's,[@]w2k[@],no,g' < $(srcdir)/krb5-pkinit.conf.in > krb5-pkinit.conf.tmp
+	mv krb5-pkinit.conf.tmp krb5-pkinit.conf
+
+krb5-pkinit-win.conf: krb5-pkinit.conf.in Makefile
+	$(do_subst) -e 's,[@]w2k[@],yes,g' < $(srcdir)/krb5-pkinit.conf.in > krb5-pkinit-win.conf.tmp
+	mv krb5-pkinit-win.conf.tmp krb5-pkinit-win.conf
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/tests/kdc/ap-req.c b/crypto/heimdal/tests/kdc/ap-req.c
new file mode 100644
index 0000000..24cc611
--- /dev/null
+++ b/crypto/heimdal/tests/kdc/ap-req.c
@@ -0,0 +1,221 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: ap-req.c 19807 2007-01-10 19:35:45Z lha $");
+#endif
+
+#include <sys/types.h>
+#include <stdio.h>
+#include <krb5.h>
+#include <err.h>
+#include <getarg.h>
+#include <roken.h>
+
+static int verify_pac = 0;
+static int version_flag = 0;
+static int help_flag	= 0;
+
+static struct getargs args[] = {
+    {"verify-pac",0,	arg_flag,	&verify_pac,
+     "verify the PAC", NULL },
+    {"version",	0,	arg_flag,	&version_flag,
+     "print version", NULL },
+    {"help",	0,	arg_flag,	&help_flag,
+     NULL, NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args, sizeof(args)/sizeof(*args), NULL, "...");
+    exit (ret);
+}
+
+
+static void
+test_ap(krb5_context context,
+	krb5_principal sprincipal,
+	krb5_keytab keytab,
+	krb5_ccache ccache,
+	const krb5_flags client_flags) 
+{
+    krb5_error_code ret;
+    krb5_auth_context client_ac = NULL, server_ac = NULL;
+    krb5_data data;
+    krb5_flags server_flags;
+    krb5_ticket *ticket = NULL;
+    int32_t server_seq, client_seq;
+
+    ret = krb5_mk_req_exact(context,
+			    &client_ac,
+			    client_flags,
+			    sprincipal,
+			    NULL,
+			    ccache,
+			    &data);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_mk_req_exact");
+
+    ret = krb5_rd_req(context,
+		      &server_ac,
+		      &data,
+		      sprincipal,
+		      keytab,
+		      &server_flags,
+		      &ticket);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_rd_req");
+
+
+    if (server_flags & AP_OPTS_MUTUAL_REQUIRED) {
+	krb5_ap_rep_enc_part *repl;
+
+	krb5_data_free(&data);
+
+	if ((client_flags & AP_OPTS_MUTUAL_REQUIRED) == 0)
+	    krb5_errx(context, 1, "client flag missing mutual req");
+
+	ret = krb5_mk_rep (context, server_ac, &data);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_mk_rep");
+
+	ret = krb5_rd_rep (context,
+			   client_ac,
+			   &data,
+			   &repl);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_rd_rep");
+
+	krb5_free_ap_rep_enc_part (context, repl);
+    } else {
+	if (client_flags & AP_OPTS_MUTUAL_REQUIRED)
+	    krb5_errx(context, 1, "server flag missing mutual req");
+    }
+
+    krb5_auth_getremoteseqnumber(context, server_ac, &server_seq);
+    krb5_auth_getremoteseqnumber(context, client_ac, &client_seq);
+    if (server_seq != client_seq)
+	krb5_errx(context, 1, "seq num differ");
+
+    krb5_auth_con_getlocalseqnumber(context, server_ac, &server_seq);
+    krb5_auth_con_getlocalseqnumber(context, client_ac, &client_seq);
+    if (server_seq != client_seq)
+	krb5_errx(context, 1, "seq num differ");
+
+    krb5_data_free(&data);
+    krb5_auth_con_free(context, client_ac);
+    krb5_auth_con_free(context, server_ac);
+
+    if (verify_pac) {
+	krb5_pac pac;
+
+	ret = krb5_ticket_get_authorization_data_type(context,
+						      ticket,
+						      KRB5_AUTHDATA_WIN2K_PAC,
+						      &data);
+	if (ret)
+	    krb5_err(context, 1, ret, "get pac");
+
+	ret = krb5_pac_parse(context, data.data, data.length, &pac);
+	if (ret)
+	    krb5_err(context, 1, ret, "pac parse");
+
+	krb5_pac_free(context, pac);
+    }
+
+    krb5_free_ticket(context, ticket);
+}
+
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    int optidx = 0;
+    const char *principal, *keytab, *ccache;
+    krb5_ccache id;
+    krb5_keytab kt;
+    krb5_principal sprincipal;
+
+    setprogname(argv[0]);
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optidx;
+    argv += optidx;
+
+    if (argc < 3)
+	usage(1);
+		    
+    principal = argv[0];
+    keytab = argv[1];
+    ccache = argv[2];
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    ret = krb5_cc_resolve(context, ccache, &id);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_resolve");
+
+    ret = krb5_parse_name(context, principal, &sprincipal);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    ret = krb5_kt_resolve(context, keytab, &kt);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kt_resolve");
+
+    test_ap(context, sprincipal, kt, id, 0);
+    test_ap(context, sprincipal, kt, id, AP_OPTS_MUTUAL_REQUIRED);
+
+    krb5_cc_close(context, id);
+    krb5_kt_close(context, kt);
+    krb5_free_principal(context, sprincipal);
+
+    krb5_free_context(context);
+
+    return ret;
+}
diff --git a/crypto/heimdal/tests/kdc/check-digest.in b/crypto/heimdal/tests/kdc/check-digest.in
new file mode 100644
index 0000000..cb6c19f
--- /dev/null
+++ b/crypto/heimdal/tests/kdc/check-digest.in
@@ -0,0 +1,295 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: check-digest.in 21849 2007-08-08 06:56:41Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+# If there is no useful db support compile in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+
+server=host/datan.test.h5l.se
+cache="FILE:${objdir}/cache.krb5"
+ocache="FILE:${objdir}/ocache.krb5"
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+
+kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
+klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
+kdigest="${TESTS_ENVIRONMENT} ../../kuser/kdigest --ccache=$cache"
+test_ntlm="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_ntlm"
+context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"
+
+username=foo
+userpassword=digestpassword
+
+password=foobarbaz
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+    init \
+    --realm-max-ticket-life=1day \
+    --realm-max-renewable-life=1month \
+    ${R} || exit 1
+
+${kadmin} add -p $userpassword --use-defaults ${username}@${R} || exit 1
+${kadmin} add -p $password --use-defaults ${server}@${R} || exit 1
+${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1
+${kadmin} modify --attributes=+allow-digest ${server}@${R} || exit 1
+${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+
+echo $password > ${objdir}/foopassword
+
+echo Starting kdc
+${kdc} &
+kdcpid=$!
+
+sh ${srcdir}/wait-kdc.sh
+if [ "$?" != 0 ] ; then
+    kill ${kdcpid}
+    exit 1
+fi
+
+trap "kill ${kdcpid}; echo signal killing kdc; cat messages.log; exit 1;" EXIT
+
+exitcode=0
+
+echo "Getting digest server tickets"
+${kinit} --password-file=${objdir}/foopassword ${server}@$R || exitcode=1
+${kdigest} digest-server-init \
+    --kerberos-realm=${R} \
+    --type=CHAP > /dev/null || exitcode=1
+
+echo "Trying NTLM"
+
+NTLM_ACCEPTOR_CCACHE="$cache"
+export NTLM_ACCEPTOR_CCACHE
+
+echo "Trying server-init"
+echo ${kdigest} ntlm-server-init \
+    --kerberos-realm=${R} \
+    > sdigest-init || exitcode=1
+
+echo "test_ntlm"
+${test_ntlm} || { echo "test_ntlm failed"; exit 1; }
+
+NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt"
+export NTLM_USER_FILE
+
+echo "test_context --mech-type=ntlm"
+${context} --mech-type=ntlm \
+	    --name-type=hostbased-service datan@TEST || \
+		{ echo "test_context 1 failed"; exit 1; }
+
+${context} --mech-type=ntlm \
+	    --name-type=hostbased-service datan@host.TEST || \
+		{ echo "test_context 2 failed"; exit 1; }
+
+${context} --mech-type=ntlm \
+	    --name-type=hostbased-service datan@host.test.domain2 || \
+		{ echo "test_context 3 failed"; exit 1; }
+
+${context} --mech-type=ntlm \
+	    --name-type=hostbased-service datan@host.foo 2>/dev/null && \
+		{ echo "test_context 4 failed"; exit 1; }
+
+echo "Trying SL in NTLM"
+
+
+for type in \
+    "" \
+    "--getverifymic" \
+    "--wrapunwrap" \
+    "--getverifymic --wrapunwrap" \
+    ; do
+
+	echo "Trying NTLM type: ${type}"
+	${context} --mech-type=ntlm ${type} \
+	    --name-type=hostbased-service datan@TEST || \
+	    { echo "test_context 1 failed"; exit 1; }
+
+done
+
+
+echo "Trying CHAP"
+
+${kdigest} digest-server-init \
+    --kerberos-realm=${R} \
+    --type=CHAP \
+    > sdigest-reply || exitcode=1
+
+snonce=`grep server-nonce= sdigest-reply | cut -f2- -d=`
+identifier=`grep identifier= sdigest-reply | cut -f2- -d=`
+opaque=`grep opaque= sdigest-reply | cut -f2- -d=`
+
+${kdigest} digest-client-request \
+    --type=CHAP \
+    --username="$username"  \
+    --password="$userpassword"  \
+    --opaque="$opaque"  \
+    --server-identifier="$identifier"  \
+    --server-nonce="$snonce" \
+    > cdigest-reply || exitcode=1
+
+cresponseData=`grep responseData= cdigest-reply | cut -f2- -d=`
+
+#echo user: $username
+#echo server-nonce: $snonce
+#echo opaqeue: $opaque
+#echo identifier: $identifier
+
+${kdigest} digest-server-request \
+    --kerberos-realm=${R} \
+    --type=CHAP \
+    --username="$username"  \
+    --opaque="$opaque"  \
+    --client-response="$cresponseData"  \
+    --server-identifier="$identifier"  \
+    --server-nonce="$snonce"  \
+    > s2digest-reply || exitcode=1
+
+status=`grep status= s2digest-reply | cut -f2- -d=`
+
+if test "X$status" = "Xok" ; then
+    echo "CHAP response ok"
+else
+    echo "CHAP response failed"
+    exitcode=1
+fi
+
+cresponseData=`echo $cresponseData | sed 's/..../DEADBEEF/'`
+
+${kdigest} digest-server-request \
+    --kerberos-realm=${R} \
+    --type=CHAP \
+    --username="$username"  \
+    --opaque="$opaque"  \
+    --client-response="$cresponseData" \
+    --server-identifier="$identifier"  \
+    --server-nonce="$snonce"  \
+    > s2digest-reply || exitcode=1
+
+status=`grep status= s2digest-reply | cut -f2- -d=`
+
+if test "X$status" = "Xfailed" ; then
+    echo "CHAP response fail as it should"
+else
+    echo "CHAP response succeeded errorously"
+    exitcode=1
+fi
+
+echo "Trying MS-CHAP-V2"
+
+${kdigest} digest-server-init \
+    --kerberos-realm=${R} \
+    --type=MS-CHAP-V2 \
+    > sdigest-reply || exitcode=1
+
+snonce=`grep server-nonce= sdigest-reply | cut -f2- -d=`
+opaque=`grep opaque= sdigest-reply | cut -f2- -d=`
+cnonce="21402324255E262A28295F2B3A337C7E"
+
+echo "MS-CHAP-V2 client request"
+${kdigest} digest-client-request \
+    --type=MS-CHAP-V2 \
+    --username="$username"  \
+    --password="$userpassword"  \
+    --opaque="$opaque"  \
+    --client-nonce="$cnonce"  \
+    --server-nonce="$snonce" \
+    > cdigest-reply || exitcode=1
+
+cresponseData=`grep responseData= cdigest-reply | cut -f2- -d=`
+cRsp=`grep AuthenticatorResponse= cdigest-reply | cut -f2- -d=`
+ckey=`grep session-key= cdigest-reply | cut -f2- -d=`
+
+${kdigest} digest-server-request \
+    --kerberos-realm=${R} \
+    --type=MS-CHAP-V2 \
+    --username="$username"  \
+    --opaque="$opaque"  \
+    --client-response="$cresponseData"  \
+    --client-nonce="$cnonce"  \
+    --server-nonce="$snonce"  \
+    > s2digest-reply || exitcode=1
+
+status=`grep status= s2digest-reply | cut -f2- -d=`
+sRsp=`grep rsp= s2digest-reply | cut -f2- -d=`
+skey=`grep session-key= s2digest-reply | cut -f2- -d=`
+
+if test "X$sRsp" != "X$cRsp" ; then
+    echo "rsp wrong $sRsp != $cRsp"
+    exitcode=1
+fi
+
+if test "X$skey" != "X$ckey" ; then
+    echo "rsp wrong"
+    exitcode=1
+fi
+
+if test "X$status" = "Xok" ; then
+    echo "MS-CHAP-V2 response ok"
+else
+    echo "MS-CHAP-V2 response failed"
+    exitcode=1
+fi
+
+trap "" EXIT
+
+echo "killing kdc (${kdcpid})"
+kill $kdcpid || exit 1
+
+exit $exitcode
+
diff --git a/crypto/heimdal/tests/kdc/check-iprop.in b/crypto/heimdal/tests/kdc/check-iprop.in
new file mode 100644
index 0000000..4488246
--- /dev/null
+++ b/crypto/heimdal/tests/kdc/check-iprop.in
@@ -0,0 +1,248 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id$
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+EGREP="@EGREP@"
+
+# If there is no useful db support compile in, disable test
+../db/have-db || exit 77
+
+# Dont run this test in AFS, since it lacks support for AF_UNIX
+expr "X`/bin/pwd || pwd`" : "X/afs/.*" > /dev/null 2>/dev/null && exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+
+cache="FILE:${objdir}/cache.krb5"
+keytabfile=${objdir}/iprop.keytab
+keytab="FILE:${keytabfile}"
+
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -r $R"
+ipropdslave="${TESTS_ENVIRONMENT} ../../lib/kadm5/ipropd-slave"
+ipropdmaster="${TESTS_ENVIRONMENT} ../../lib/kadm5/ipropd-master"
+iproplog="${TESTS_ENVIRONMENT} ../../lib/kadm5/iprop-log"
+
+kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f current*.log
+rm -f out-*
+rm -f mkey.file*
+rm -f messages.log
+
+> messages.log
+
+echo Creating database
+${kadmin} -l \
+    init \
+    --realm-max-ticket-life=1day \
+    --realm-max-renewable-life=1month \
+    ${R} || exit 1
+
+${kadmin} -l add -p foo --use-defaults user@${R} || exit 1
+
+${kadmin} -l add --random-key --use-defaults iprop/localhost@${R} || exit 1
+${kadmin} -l ext -k ${keytab} iprop/localhost@${R} || exit 1
+${kadmin} -l add --random-key --use-defaults iprop/slave@${R} || exit 1
+${kadmin} -l ext -k ${keytab} iprop/slave@${R} || exit 1
+
+echo foo > ${objdir}/foopassword
+
+# -- foo
+ipds=
+ipdm=
+kdcpid=
+
+> iprop-stats
+trap "echo 'killing ipropd s + m + kdc'; kill \${ipdm} \${ipds} \${kdcpid} >/dev/null 2>/dev/null; tail messages.log ; tail iprop-stats; exit 1;" EXIT
+
+echo Starting kdc
+${kdc} &
+kdcpid=$!
+
+sh ${srcdir}/wait-kdc.sh || exit 1
+
+echo "starting master"
+${ipropdmaster} --hostname=localhost -k ${keytab} \
+    --database=${objdir}/current-db &
+ipdm=$!
+sh ${srcdir}/wait-kdc.sh ipropd-master || exit 1
+
+echo "starting slave"
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${ipropdslave} --hostname=slave -k ${keytab} localhost &
+ipds=$!
+sh ${srcdir}/wait-kdc.sh ipropd-slave || exit 1
+
+echo "checking slave is up"
+${EGREP} 'iprop/slave@TEST.H5L.SE.*Up' iprop-stats >/dev/null || exit 1
+
+# ----------------- checking: pushing lives changes
+
+echo "Add host"
+${kadmin} -l add --random-key --use-defaults host/foo@${R} || exit 1
+sleep 2
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${kadmin} -l get host/foo@${R} > /dev/null || exit 1
+
+echo "Rename host"
+${kadmin} -l rename host/foo@${R} host/bar@${R} || exit 1
+sleep 2
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${kadmin} -l get host/foo@${R} > /dev/null 2>/dev/null && exit 1
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${kadmin} -l get host/bar@${R} > /dev/null || exit 1
+
+echo "Delete host"
+${kadmin} -l delete host/bar@${R} || exit 1
+sleep 2
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${kadmin} -l get host/bar@${R} > /dev/null 2>/dev/null && exit 1
+
+echo "kill slave"
+> iprop-stats
+kill ${ipds}
+sleep 2
+
+${EGREP} 'iprop/slave@TEST.H5L.SE.*Down' iprop-stats >/dev/null || exit 1
+
+# ----------------- checking: slave is missing changes while down
+
+echo "doing changes while slave is down"
+${kadmin} -l cpw --random-password user@${R} > /dev/null || exit 1
+${kadmin} -l cpw --random-password user@${R} > /dev/null || exit 1
+
+echo "Makeing a copy of the master log file"
+cp ${objdir}/current.log ${objdir}/current.log.tmp
+
+# ----------------- checking: checking that master and slaves resyncs
+
+echo "starting slave again"
+> iprop-stats
+> messages.log
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${ipropdslave} --hostname=slave -k ${keytab} localhost &
+ipds=$!
+sh ${srcdir}/wait-kdc.sh ipropd-slave || exit 1
+
+echo "checking slave is up again"
+${EGREP} 'iprop/slave@TEST.H5L.SE.*Up' iprop-stats >/dev/null || exit 1
+echo "checking for replay problems"
+${EGREP} 'Entry already exists in database' messages.log && exit 1
+
+echo "kill slave and remove log and database"
+kill ${ipds}
+sleep 2
+
+rm current.slave.log current-db.slave* || exit 1
+> iprop-stats
+> messages.log
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${ipropdslave} --hostname=slave -k ${keytab} localhost &
+ipds=$!
+sh ${srcdir}/wait-kdc.sh ipropd-slave || exit 1
+
+echo "checking slave is up again"
+${EGREP} 'iprop/slave@TEST.H5L.SE.*Up' iprop-stats >/dev/null || exit 1
+echo "checking for replay problems"
+${EGREP} 'Entry already exists in database' messages.log && exit 1
+
+# ----------------- checking: checking live truncation of master log
+
+${kadmin} -l cpw --random-password user@${R} > /dev/null || exit 1
+sleep 2
+
+echo "live truncate on master log"
+${iproplog} truncate || exit 1
+sleep 2
+
+echo "Killing master and slave"
+kill ${ipdm} ${ipds} >/dev/null 2>/dev/null
+
+sleep 2
+${EGREP} "^master down at " iprop-stats > /dev/null || exit 1
+
+echo "compare versions on master and slave logs"
+KRB5_CONFIG=${objdir}/krb5-slave.conf \
+${iproplog} last-version > slave-last.tmp
+${iproplog} last-version > master-last.tmp
+cmp master-last.tmp slave-last.tmp || exit 1
+
+# ----------------- checking: master going backward
+> iprop-stats
+> messages.log
+
+echo "Going back to old version of the master log file"
+cp ${objdir}/current.log.tmp ${objdir}/current.log
+
+echo "starting master"
+${ipropdmaster} --hostname=localhost -k ${keytab} \
+    --database=${objdir}/current-db &
+ipdm=$!
+sh ${srcdir}/wait-kdc.sh ipropd-master || exit 1
+
+echo "starting slave"
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${ipropdslave} --hostname=slave -k ${keytab} localhost &
+ipds=$!
+sh ${srcdir}/wait-kdc.sh ipropd-slave || exit 1
+
+echo "checking slave is up again"
+${EGREP} 'iprop/slave@TEST.H5L.SE.*Up' iprop-stats >/dev/null || exit 1
+echo "checking for replay problems"
+${EGREP} 'Entry already exists in database' messages.log && exit 1
+
+echo "pushing one change"
+${kadmin} -l cpw --random-password user@${R} > /dev/null || exit 1
+sleep 2
+
+trap "" EXIT
+kill ${ipdm} ${ipds} ${kdcpid}
+
+echo "compare versions on master and slave logs"
+KRB5_CONFIG=${objdir}/krb5-slave.conf \
+${iproplog} last-version > slave-last.tmp
+${iproplog} last-version > master-last.tmp
+cmp master-last.tmp slave-last.tmp || exit 1
+
+exit $ec
diff --git a/crypto/heimdal/tests/kdc/check-kadmin.in b/crypto/heimdal/tests/kdc/check-kadmin.in
new file mode 100644
index 0000000..7888e81
--- /dev/null
+++ b/crypto/heimdal/tests/kdc/check-kadmin.in
@@ -0,0 +1,151 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id$
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+EGREP="@EGREP@"
+
+# If there is no useful db support compile in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+R2=TEST2.H5L.SE
+
+port=@port@
+admport=@admport@
+
+cache="FILE:${objdir}/cache.krb5"
+
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -r $R"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+kadmind="${TESTS_ENVIRONMENT} ../../kadmin/kadmind -p $admport"
+
+server=host/datan.test.h5l.se
+
+kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
+kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
+kdestroy="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache --no-unlog"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+rm -f messages.log
+
+> messages.log
+
+echo Creating database
+${kadmin} -l \
+    init \
+    --realm-max-ticket-life=1day \
+    --realm-max-renewable-life=1month \
+    ${R} || exit 1
+
+${kadmin} -l add -p foo --use-defaults foo/admin@${R} || exit 1
+${kadmin} -l add -p foo --use-defaults bar@${R} || exit 1
+
+echo foo > ${objdir}/foopassword
+
+echo Starting kdc
+${kdc} &
+kdcpid=$!
+
+sh ${srcdir}/wait-kdc.sh
+if [ "$?" != 0 ] ; then
+    kill ${kdcpid}
+    kill ${kadmpid}
+    exit 1
+fi
+
+trap "kill ${kdcpid} ${kadmpid}" EXIT
+
+#----------------------------------
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+echo "kinit (no admin)"
+${kinit} --password-file=${objdir}/foopassword \
+    -S kadmin/admin@${R} bar@${R} || exit 1
+echo "kadmin"
+env KRB5CCNAME=${cache} \
+${kadmin} -p bar@${R} add -p foo --use-defaults kaka2@${R} || 
+	{ echo "kadmin failed $?"; cat messages.log ; exit 1; }
+
+${kadmin} -l get kaka2@${R} > /dev/null ||
+	{ echo "kadmin failed $?"; cat messages.log ; exit 1; }
+
+#----------------------------------
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+echo "kinit (admin)"
+${kinit} --password-file=${objdir}/foopassword \
+    -S kadmin/admin@${R} foo/admin@${R} || exit 1
+
+echo "kadmin"
+env KRB5CCNAME=${cache} \
+${kadmin} -p foo/admin@${R} add -p foo --use-defaults kaka@${R} || 
+	{ echo "kadmin failed $?"; cat messages.log ; exit 1; }
+
+#----------------------------------
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+echo "kadmin get doesnotexists"
+env KRB5CCNAME=${cache} \
+${kadmin} -p foo/admin@${R} get -s doesnotexists@${R} \
+        > /dev/null 2>kadmin.tmp && \
+	{ echo "kadmin passed"; cat messages.log ; exit 1; }
+
+# evil hack to support libtool
+sed 's/lt-kadmin:/kadmin:/' < kadmin.tmp > kadmin2.tmp
+mv kadmin2.tmp kadmin.tmp
+
+cmp kadmin.tmp ${srcdir}/donotexists.txt || \
+    { echo "wrong response"; exit 1;}
+
+echo "killing kdc (${kdcpid} ${kadmpid})"
+kill ${kdcpid} ${kadmpid} > /dev/null 2>/dev/null
+
+trap "" EXIT
+
+exit $ec
diff --git a/crypto/heimdal/tests/kdc/check-kdc.in b/crypto/heimdal/tests/kdc/check-kdc.in
new file mode 100644
index 0000000..3a43172
--- /dev/null
+++ b/crypto/heimdal/tests/kdc/check-kdc.in
@@ -0,0 +1,413 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: check-kdc.in 22019 2007-10-24 20:47:59Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+EGREP="@EGREP@"
+
+testfailed="echo test failed; cat messages.log; exit 1"
+
+# If there is no useful db support compile in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+R2=TEST2.H5L.SE
+
+port=@port@
+
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+
+server=host/datan.test.h5l.se
+server2=host/computer.example.com
+cache="FILE:${objdir}/cache.krb5"
+ocache="FILE:${objdir}/ocache.krb5"
+o2cache="FILE:${objdir}/o2cache.krb5"
+icache="FILE:${objdir}/icache.krb5"
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+ps="proxy-service@${R}"
+aesenctype="aes256-cts-hmac-sha1-96"
+
+kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
+klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
+kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
+kgetcred_imp="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache --out-cache=${ocache}"
+kdestroy="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache --no-unlog"
+ktutil="${TESTS_ENVIRONMENT} ../../admin/ktutil"
+hxtool="${TESTS_ENVIRONMENT} ../../lib/hx509/hxtool"
+kimpersonate="${TESTS_ENVIRONMENT} ../../kuser/kimpersonate -k ${keytab} --ccache=${ocache}"
+test_renew="${TESTS_ENVIRONMENT} ../../lib/krb5/test_renew"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+    init \
+    --realm-max-ticket-life=1day \
+    --realm-max-renewable-life=1month \
+    ${R} || exit 1
+
+${kadmin} \
+    init \
+    --realm-max-ticket-life=1day \
+    --realm-max-renewable-life=1month \
+    ${R2} || exit 1
+
+${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
+${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
+${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
+${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
+
+${kadmin} add -p foo --use-defaults foo@${R} || exit 1
+${kadmin} add -p bar --use-defaults bar@${R} || exit 1
+${kadmin} add -p foo --use-defaults remove@${R} || exit 1
+${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1
+${kadmin} add -p kaka --use-defaults ${server}-des3@${R} || exit 1
+${kadmin} add -p foo --use-defaults ${ps} || exit 1
+${kadmin} modify --attributes=+trusted-for-delegation ${ps} || exit 1
+${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1
+${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
+${kadmin} ext -k ${keytab} ${ps} || exit 1
+
+${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1
+${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1
+${kadmin} add -p foo --use-defaults remove2@${R2} || exit 1
+
+${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1
+${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1
+
+${kadmin} add -p foo --use-defaults -- -p || exit 1
+${kadmin} delete -- -p || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+${kadmin} check ${R2} || exit 1
+
+echo "Extracting enctypes"
+${ktutil} -k ${keytab} list > tempfile || exit 1
+${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \
+    awk '$1 !~ /1/  { exit 1 }' || exit 1
+
+${kadmin} get foo@${R} > tempfile || exit 1
+enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://'`
+
+enctype_sans_aes=`echo $enctypes | sed 's/aes[^ ]*//g'`
+enctype_sans_des3=`echo $enctypes | sed 's/des3-cbc-sha1//g'`
+
+echo foo > ${objdir}/foopassword
+
+echo Starting kdc
+${kdc} &
+kdcpid=$!
+
+sh ${srcdir}/wait-kdc.sh
+if [ "$?" != 0 ] ; then
+    kill ${kdcpid}
+    exit 1
+fi
+
+trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+
+ec=0
+
+echo "Getting client initial tickets"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo@$R || \
+	{ ec=1 ; eval "${testfailed}"; }
+echo "Getting tickets"; > messages.log
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+echo "Listing tickets"; > messages.log
+${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; }
+./ap-req ${server}@${R} ${keytab} ${cache} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Specific enctype"; > messages.log
+${kinit} --password-file=${objdir}/foopassword \
+    -e ${aesenctype} -e ${aesenctype} \
+    foo@$R || \
+	{ ec=1 ; eval "${testfailed}"; }
+
+for a in $enctypes; do
+	echo "Getting client initial tickets ($a)"; > messages.log
+	${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
+	echo "Getting tickets"; > messages.log
+	${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+	./ap-req ${server}@${R} ${keytab} ${cache} || { ec=1 ; eval "${testfailed}"; }
+	${kdestroy}
+done
+
+
+echo "Getting client initial tickets"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo@$R || \
+	{ ec=1 ; eval "${testfailed}"; }
+for a in $enctypes; do
+	echo "Getting tickets ($a)"; > messages.log
+	${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+	./ap-req ${server}@${R} ${keytab} ${cache} || \
+		{ ec=1 ; eval "${testfailed}"; }
+	${kdestroy} --credential=${server}@${R}
+done
+${kdestroy}
+
+echo "Getting client initial tickets for cross realm case"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
+for a in $enctypes; do
+	echo "Getting cross realm tickets ($a)"; > messages.log
+	${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
+	./ap-req ${server2}@${R2} ${keytab} ${cache} || \
+		{ ec=1 ; eval "${testfailed}"; }
+	${kdestroy} --credential=${server2}@${R2}
+done
+${kdestroy}
+
+echo "try all permutations"; > messages.log
+for a in $enctypes; do
+	echo "Getting client initial tickets ($a)"; > messages.log
+	${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || \
+		{ ec=1 ; eval "${testfailed}"; }
+	for b in $enctypes; do
+		echo "Getting tickets ($a ->  $b)"; > messages.log
+		${kgetcred} -e $b ${server}@${R} || \
+			{ ec=1 ; eval "${testfailed}"; }
+		./ap-req ${server}@${R} ${keytab} ${cache} || \
+			{ ec=1 ; eval "${testfailed}"; }
+		${kdestroy} --credential=${server}@${R}
+	done
+	${kdestroy}
+done
+
+echo "Getting server initial tickets"; > messages.log
+${kinit} --keytab=${keytab} ${server}@$R || { ec=1 ; eval "${testfailed}"; }
+echo "Listing tickets"; > messages.log
+${klist} | grep "Principal: ${server}" > /dev/null || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "initial tickets for deleted user test case"; > messages.log
+${kinit} --password-file=${objdir}/foopassword remove@$R || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kadmin} delete remove@${R} || { ec=1 ; eval "${testfailed}"; }
+echo "try getting ticket with deleted user"; > messages.log
+${kgetcred} ${server}@${R} 2> /dev/null && { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "cross realm case (removed user)"; > messages.log
+${kinit} --password-file=${objdir}/foopassword remove2@$R2 || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kgetcred} krbtgt/${R}@${R2} 2> /dev/null || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kadmin} delete remove2@${R2} || exit 1
+${kgetcred} ${server}@${R} 2> /dev/null || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "rename user"; > messages.log
+${kadmin} add -p foo --use-defaults rename@${R} || exit 1
+${kinit} --password-file=${objdir}/foopassword rename@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kadmin} rename rename@${R} rename2@${R} || exit 1
+${kinit} --password-file=${objdir}/foopassword rename2@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+${kadmin} delete rename2@${R} || exit 1
+
+echo "rename user to another realm"; > messages.log
+${kadmin} add -p foo --use-defaults rename@${R} || exit 1
+${kinit} --password-file=${objdir}/foopassword rename@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kadmin} rename rename@${R} rename@${R2} || exit 1
+${kinit} --password-file=${objdir}/foopassword rename@${R2} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+${kadmin} delete rename@${R2} || exit 1
+
+echo deleting all but aes enctypes on krbtgt
+${kadmin} del_enctype krbtgt/${R}@${R} ${enctype_sans_aes} || exit 1
+
+echo deleting all but des enctypes on server-des3
+${kadmin} del_enctype ${server}-des3@${R} ${enctype_sans_des3} || exit 1
+${kadmin} ext -k ${keytab} ${server}-des3@${R} || exit 1
+
+echo "try all permutations (only aes)"; > messages.log
+for a in $enctypes; do
+	echo "Getting client initial tickets ($a)"; > messages.log
+	${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@${R} ||\
+		{ ec=1 ; eval "${testfailed}"; }
+	for b in $enctypes; do
+		echo "Getting tickets ($a ->  $b)"; > messages.log
+		${kgetcred} -e $b ${server}@${R} || \
+			{ ec=1 ; eval "${testfailed}"; }
+		./ap-req ${server}@${R} ${keytab} ${cache} || \
+			{ ec=1 ; eval "${testfailed}"; }
+
+		echo "Getting tickets ($a ->  $b) (server des3 only)"; > messages.log
+		${kgetcred} ${server}-des3@${R} || \
+			{ ec=1 ; eval "${testfailed}"; }
+		./ap-req ${server}-des3@${R} ${keytab} ${cache} || \
+			{ ec=1 ; eval "${testfailed}"; }
+
+		${kdestroy} --credential=${server}@${R}
+		${kdestroy} --credential=${server}-des3@${R}
+	done
+	${kdestroy}
+done
+
+echo deleting all enctypes on krbtgt
+${kadmin} del_enctype krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
+	{ ec=1 ; eval "${testfailed}"; }
+echo "try initial ticket w/o and keys on krbtgt"
+${kinit} --password-file=${objdir}/foopassword foo@${R} 2>/dev/null && \
+	{ ec=1 ; eval "${testfailed}"; }
+echo "adding random aes key"
+${kadmin} add_enctype -r krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
+	{ ec=1 ; eval "${testfailed}"; }
+echo "try initial ticket with random aes key on krbtgt"
+${kinit} --password-file=${objdir}/foopassword foo@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+
+rsa=yes
+pkinit=no
+if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then
+    rsa=no
+fi
+if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
+    rsa=no
+fi
+if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
+    pkinit=yes
+fi
+
+# If we support pkinit and have RSA, lets try that
+if test "$pkinit" = yes -a "$rsa" = yes ; then
+
+    for type in "" "--pk-use-enckey"; do
+	echo "Trying pk-init (principal in certificate) $type"; > messages.log
+	base="${srcdir}/../../lib/hx509/data"
+	${kinit} $type -C FILE:${base}/pkinit.crt,${base}/pkinit.key bar@${R} || \
+		{ ec=1 ; eval "${testfailed}"; }
+	${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+	${kdestroy}
+
+	echo "Trying pk-init (principal in pki-mapping) $type"; > messages.log
+	${kinit} $type -C FILE:${base}/pkinit.crt,${base}/pkinit.key foo@${R} || \
+		{ ec=1 ; eval "${testfailed}"; }
+	${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+	${kdestroy}
+
+	echo "Trying pk-init (password protected key) $type"; > messages.log
+	${kinit} $type -C FILE:${base}/pkinit.crt,${base}/pkinit-pw.key --password-file=${objdir}/foopassword foo@${R} || \
+		{ ec=1 ; eval "${testfailed}"; }
+	${kgetcred} ${server}@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+	${kdestroy}
+
+	echo "Trying pk-init (proxy cert) $type"; > messages.log
+	base="${srcdir}/../../lib/hx509/data"
+	${kinit} $type -C FILE:${base}/pkinit-proxy-chain.crt,${base}/pkinit-proxy.key foo@${R} || \
+		{ ec=1 ; eval "${testfailed}"; }
+	${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+	${kdestroy}
+
+    done
+else
+	echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"; > messages.log
+fi
+
+echo "tickets for impersonate test case"; > messages.log
+${kinit} --forwardable --password-file=${objdir}/foopassword ${ps} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kgetcred_imp} --impersonate=bar@${R} ${ps} || \
+	{ ec=1 ; eval "${testfailed}"; }
+./ap-req ${ps} ${keytab} ${ocache} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kgetcred_imp} --impersonate=bar@${R} foo@${R} 2>/dev/null && \
+	{ ec=1 ; eval "${testfailed}"; }
+echo test constrained delegation
+${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+./ap-req ${server}@${R} ${keytab} ${o2cache} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} bar@${R} 2>/dev/null && \
+	{ ec=1 ; eval "${testfailed}"; }
+
+echo "test constrained delegation impersonation (non forward)"; > messages.log
+rm -f ocache.krb5
+${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \
+	{ ec=1 ; eval "${testfailed}"; }
+
+echo "test constrained delegation impersonation (missing KRB5SignedPath)"; > messages.log
+rm -f ocache.krb5
+${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} -f forwardable || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \
+	{ ec=1 ; eval "${testfailed}"; }
+
+${kdestroy}
+
+echo "check renewing" > messages.log
+${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \
+	{ ec=1 ; eval "${testfailed}"; }
+echo "kinit -R"
+${kinit} -R || \
+	{ ec=1 ; eval "${testfailed}"; }
+echo "check renewing MIT interface" > messages.log
+${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \
+	{ ec=1 ; eval "${testfailed}"; }
+echo "test_renew"
+env KRB5CCNAME=${cache} ${test_renew} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+
+echo "killing kdc (${kdcpid})"
+kill $kdcpid || exit 1
+
+trap "" EXIT
+
+exit $ec
diff --git a/crypto/heimdal/tests/kdc/check-keys.in b/crypto/heimdal/tests/kdc/check-keys.in
new file mode 100644
index 0000000..596c9ca
--- /dev/null
+++ b/crypto/heimdal/tests/kdc/check-keys.in
@@ -0,0 +1,101 @@
+#!/bin/sh
+#
+# Copyright (c) 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id$
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+EGREP="@EGREP@"
+
+# If there is no useful db support compile in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+principal=host/datan.test.h5l.se@${R}
+
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -r $R -l"
+
+CIN=${srcdir}/krb5.conf.keys.in
+COUT=${objdir}/krb5.conf.keys
+
+sedvars="-e s,[@]srcdir[@],${srcdir},g -e s,[@]objdir[@],${objdir},g"
+
+KRB5_CONFIG="${COUT}"
+export KRB5_CONFIG
+
+rm -f ${COUT}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+rm -f messages.log
+
+sed -e 's/@keys@/v5/' \
+	${sedvars} < ${CIN} > ${COUT}
+
+echo Creating database
+${kadmin} \
+    init \
+    --realm-max-ticket-life=1day \
+    --realm-max-renewable-life=1month \
+    ${R} || exit 1
+
+${kadmin} add -p foo --use-defaults ${principal} || exit 1
+
+${kadmin} cpw -p foo ${principal} || exit 1
+
+sed -e 's/@keys@/v4/' \
+	${sedvars} < ${CIN} > ${COUT}
+${kadmin} cpw -p foo ${principal} || exit 1
+
+sed -e 's/@keys@/v4 v5/' \
+	${sedvars} < ${CIN} > ${COUT}
+${kadmin} cpw -p foo ${principal} || exit 1
+
+sed -e 's/@keys@/v5 v4/' \
+	${sedvars} < ${CIN} > ${COUT}
+${kadmin} cpw -p foo ${principal} || exit 1
+
+sed -e 's/@keys@/des:pw-salt:/' \
+	${sedvars} < ${CIN} > ${COUT}
+${kadmin} cpw -p foo ${principal} || exit 1
+
+sed -e 's/@keys@/des-cbc-crc:afs3-salt:test.h5l.se/' \
+	${sedvars} < ${CIN} > ${COUT}
+${kadmin} cpw -p foo ${principal} || exit 1
+
+sed -e 's/@keys@/des:afs3-salt:test.h5l.se/' \
+	${sedvars} < ${CIN} > ${COUT}
+${kadmin} cpw -p foo ${principal} || exit 1
+
+exit 0
diff --git a/crypto/heimdal/tests/kdc/check-pkinit.in b/crypto/heimdal/tests/kdc/check-pkinit.in
new file mode 100644
index 0000000..3ae5a74
--- /dev/null
+++ b/crypto/heimdal/tests/kdc/check-pkinit.in
@@ -0,0 +1,273 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: check-pkinit.in 22474 2008-01-17 11:16:25Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+EGREP="@EGREP@"
+
+testfailed="echo test failed; cat messages.log; exit 1"
+
+# If there is no useful db support compile in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+
+server=host/datan.test.h5l.se
+cache="FILE:${objdir}/cache.krb5"
+keyfile="${srcdir}/../../lib/hx509/data/key.der"
+keyfile2="${srcdir}/../../lib/hx509/data/key2.der"
+
+kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
+kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
+kdestroy="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache --no-unlog"
+hxtool="${TESTS_ENVIRONMENT} ../../lib/hx509/hxtool"
+
+KRB5_CONFIG="${objdir}/krb5-pkinit.conf"
+export KRB5_CONFIG
+
+rsa=yes
+pkinit=no
+if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then
+    rsa=no
+fi
+if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
+    rsa=no
+fi
+
+if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
+    pkinit=yes
+fi
+
+# If we doesn't support pkinit and have RSA, give up
+if test "$pkinit" != yes -o "$rsa" != yes ; then
+    exit 77
+fi
+
+
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+    init \
+    --realm-max-ticket-life=1day \
+    --realm-max-renewable-life=1month \
+    ${R} || exit 1
+
+${kadmin} add -p foo --use-defaults foo@${R} || exit 1
+${kadmin} add -p bar --use-defaults bar@${R} || exit 1
+${kadmin} add -p baz --use-defaults baz@${R} || exit 1
+${kadmin} modify --pkinit-acl="CN=baz,DC=test,DC=h5l,DC=se" baz@${R} || exit 1
+
+${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+
+echo "Setting up certificates"
+${hxtool} request-create \
+	 --subject="CN=kdc,DC=test,DC=h5l,DC=se" \
+	 --key=FILE:${keyfile2} \
+	 req-kdc.der || exit 1
+${hxtool} request-create \
+	 --subject="CN=bar,DC=test,DC=h5l,DC=se" \
+	 --key=FILE:${keyfile2} \
+	 req-pkinit.der || exit 1
+${hxtool} request-create \
+	 --subject="CN=baz,DC=test,DC=h5l,DC=se" \
+	 --key=FILE:${keyfile2} \
+	 req-pkinit2.der || exit 1
+
+echo "issue self-signed ca cert"
+${hxtool} issue-certificate \
+	  --self-signed \
+	  --issue-ca \
+	  --ca-private-key=FILE:${keyfile} \
+          --subject="CN=CA,DC=test,DC=h5l,DC=se" \
+	  --certificate="FILE:ca.crt" || exit 1
+
+echo "issue kdc certificate"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
+	  --type="pkinit-kdc" \
+          --pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \
+	  --req="PKCS10:req-kdc.der" \
+	  --certificate="FILE:kdc.crt" || exit 1
+
+echo "issue user certificate (pkinit san)"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
+	  --type="pkinit-client" \
+          --pk-init-principal="bar@TEST.H5L.SE" \
+	  --req="PKCS10:req-pkinit.der" \
+	  --certificate="FILE:pkinit.crt" || exit 1
+
+echo "issue user 2 certificate (no san)"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
+	  --type="pkinit-client" \
+	  --req="PKCS10:req-pkinit2.der" \
+	  --certificate="FILE:pkinit2.crt" || exit 1
+
+echo "issue user 3 certificate (ms san)"
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
+	  --type="pkinit-client" \
+          --ms-upn="bar@test.h5l.se" \
+	  --req="PKCS10:req-pkinit2.der" \
+	  --certificate="FILE:pkinit3.crt" || exit 1
+
+
+echo foo > ${objdir}/foopassword
+
+echo Starting kdc
+${kdc} &
+kdcpid=$!
+
+sh ${srcdir}/wait-kdc.sh
+if [ "$?" != 0 ] ; then
+    kill ${kdcpid}
+    exit 1
+fi
+
+trap "kill ${kdcpid}; echo signal killing kdc; cat ca.crt kdc.crt pkinit.crt ;exit 1;" EXIT
+
+ec=0
+
+echo "Trying pk-init (principal in cert)"; > messages.log
+base="${objdir}"
+${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Trying pk-init (principal in pki-mapping file) "; > messages.log
+${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} foo@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Trying pk-init (principal subject in DB)"; > messages.log
+${kinit} -C FILE:${base}/pkinit2.crt,${keyfile2} baz@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Trying pk-init (ms upn)"; > messages.log
+${kinit} -C FILE:${base}/pkinit3.crt,${keyfile2} bar@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+KRB5_CONFIG="${objdir}/krb5-pkinit-win.conf"
+export KRB5_CONFIG
+
+echo "Duplicated tests, now in windows 2000 mode"
+
+echo "Trying pk-init (principal in cert)"; > messages.log
+base="${objdir}"
+${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Trying pk-init (principal in pki-mapping file) "; > messages.log
+${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} foo@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Trying pk-init (principal subject in DB)"; > messages.log
+${kinit} -C FILE:${base}/pkinit2.crt,${keyfile2} baz@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Trying pk-init (ms upn)"; > messages.log
+${kinit} -C FILE:${base}/pkinit3.crt,${keyfile2} bar@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+
+KRB5_CONFIG="${objdir}/krb5-pkinit.conf"
+export KRB5_CONFIG
+
+echo "Trying PKCS11 support"
+
+cat > test-rc-file.rc <<EOF
+certificate	cert	User certificate	FILE:${base}/pkinit.crt,${keyfile2}
+app-fatal	true
+EOF
+
+SOFTPKCS11RC="test-rc-file.rc"
+export SOFTPKCS11RC
+
+dir=${base}/../../lib/hx509
+file=
+
+for a in libhx509.so .libs/libhx509.so libhx509.dylib .libs/libhx509.dylib ; do
+    if [ -f $dir/$a ] ; then
+	file=$dir/$a
+	break
+    fi
+done
+
+if [ X"$file" != X -a @DLOPEN@ ] ; then
+
+    echo "Trying pk-init (principal in pki-mapping file) "; > messages.log
+    ${kinit} -C PKCS11:${file} foo@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+    ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+    ${kdestroy}
+
+fi
+
+
+echo "killing kdc (${kdcpid})"
+kill $kdcpid || exit 1
+
+trap "" EXIT
+
+exit $ec
diff --git a/crypto/heimdal/tests/kdc/check-referral.in b/crypto/heimdal/tests/kdc/check-referral.in
new file mode 100644
index 0000000..fa8be43
--- /dev/null
+++ b/crypto/heimdal/tests/kdc/check-referral.in
@@ -0,0 +1,200 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: check-referral.in 21854 2007-08-08 06:58:49Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+EGREP="@EGREP@"
+
+testfailed="echo test failed; cat messages.log; exit 1"
+
+# If there is no useful db support compile in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+R2=SUB.TEST.H5L.SE
+
+service=ldap/host.sub.test.h5l.se
+
+port=@port@
+
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+
+cache="FILE:${objdir}/cache.krb5"
+
+kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
+klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
+kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
+kdestroy="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache --no-unlog"
+
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+    init \
+    --realm-max-ticket-life=1day \
+    --realm-max-renewable-life=1month \
+    ${R} || exit 1
+
+${kadmin} \
+    init \
+    --realm-max-ticket-life=1day \
+    --realm-max-renewable-life=1month \
+    ${R2} || exit 1
+
+${kadmin} add -p foo --use-defaults foo@${R} || exit 1
+${kadmin} modify --alias=alias1 --alias=alias2 foo@${R} || exit 1
+
+${kadmin} add -p foo --use-defaults  ${service}@${R2} || exit 1
+
+${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1
+${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+${kadmin} check ${R2} || exit 1
+
+echo foo > ${objdir}/foopassword
+
+echo Starting kdc
+${kdc} &
+kdcpid=$!
+
+sh ${srcdir}/wait-kdc.sh
+if [ "$?" != 0 ] ; then
+    kill ${kdcpid}
+    exit 1
+fi
+
+trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+
+ec=0
+
+echo "Test AS-REQ"
+
+echo "Getting client (no canon)"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+echo "checking that we got back right principal"
+${klist} | grep "Principal: foo@${R}" > /dev/null || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Getting client client tickets (default realm, enterprisename)"; > messages.log
+${kinit} --canonicalize \
+	--password-file=${objdir}/foopassword foo@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+echo "checking that we got back right principal"
+${klist} | grep "Principal: foo@${R}" > /dev/null || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Getting client alias1 tickets"; > messages.log
+${kinit} --canonicalize \
+	--password-file=${objdir}/foopassword foo@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+echo "checking that we got back right principal"
+${klist} | grep "Principal: foo@${R}" > /dev/null || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+
+echo "Getting client alias2 tickets"; > messages.log
+${kinit} --canonicalize \
+	--password-file=${objdir}/foopassword alias2@${R}@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+echo "checking that we got back right principal"
+${klist} | grep "Principal: foo@${R}" > /dev/null || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Getting client alias1 tickets (non canon case)"; > messages.log
+${kinit} --password-file=${objdir}/foopassword \
+	alias1@${R}@${R} > /dev/null 2>/dev/null && \
+	{ ec=1 ; eval "${testfailed}"; }
+
+echo "Getting client alias2 tickets (removed)"; > messages.log
+${kadmin} modify --alias=alias1 foo@${R} || { ec=1 ; eval "${testfailed}"; }
+${kinit} --canonicalize \
+	--password-file=${objdir}/foopassword \
+	alias2@${R}@${R} > /dev/null 2>/dev/null && \
+	{ ec=1 ; eval "${testfailed}"; }
+
+echo "Remove alias"
+${kadmin} modify --alias= foo@${R} || { ec=1 ; eval "${testfailed}"; }
+
+echo "Test TGS-REQ"
+
+#echo "Getting client for ${service}@${R} (kdc referral)"
+#> messages.log
+#${kinit} --password-file=${objdir}/foopassword foo@${R} || \
+#	{ ec=1 ; eval "${testfailed}"; }
+#${kgetcred} --server ${service}@${R} ||
+#	{ ec=1 ; eval "${testfailed}"; }
+#${klist}
+#echo "checking that we got back right principal"
+#${klist} | grep "${service}@${R2}" > /dev/null || \
+#	{ ec=1 ; eval "${testfailed}"; }
+#${kdestroy}
+#
+#echo "Getting client for ${service}@${R2} (client side guessing)"
+#> messages.log
+#${kinit} --password-file=${objdir}/foopassword foo@${R} || \
+#	{ ec=1 ; eval "${testfailed}"; }
+#${kgetcred} --server ${service}@${R2} ||
+#	{ ec=1 ; eval "${testfailed}"; }
+#${klist}
+#echo "checking that we got back right principal"
+#${klist} | grep "${service}@${R2}" > /dev/null || \
+#	{ ec=1 ; eval "${testfailed}"; }
+#${kdestroy}
+
+
+echo "killing kdc (${kdcpid})"
+kill $kdcpid || exit 1
+
+trap "" EXIT
+
+exit $ec
diff --git a/crypto/heimdal/tests/kdc/check-uu.in b/crypto/heimdal/tests/kdc/check-uu.in
new file mode 100644
index 0000000..c9aeb7b
--- /dev/null
+++ b/crypto/heimdal/tests/kdc/check-uu.in
@@ -0,0 +1,138 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: check-uu.in 21855 2007-08-08 06:59:09Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+EGREP="@EGREP@"
+
+testfailed="echo test failed; cat messages.log; exit 1"
+
+# If there is no useful db support compile in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+
+uuspid=
+
+port=@port@
+
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+
+cache1="FILE:${objdir}/cache1.krb5"
+cache2="FILE:${objdir}/cache2.krb5"
+
+kinit1="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache1 --no-afslog"
+kinit2="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache2 --no-afslog"
+kdestroy1="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache1 --no-unlog"
+kdestroy2="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache2 --no-unlog"
+uu_server="${TESTS_ENVIRONMENT} ../../appl/test/uu_server"
+uu_client="${TESTS_ENVIRONMENT} ../../appl/test/uu_client"
+
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+    init \
+    --realm-max-ticket-life=1day \
+    --realm-max-renewable-life=1month \
+    ${R} || exit 1
+
+${kadmin} add -p foo --use-defaults user1@${R} || exit 1
+${kadmin} add -p foo --use-defaults user2@${R} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+
+echo foo > ${objdir}/foopassword
+
+echo Starting kdc
+${kdc} &
+kdcpid=$!
+
+sh ${srcdir}/wait-kdc.sh
+if [ "$?" != 0 ] ; then
+    kill ${kdcpid}
+    exit 1
+fi
+
+trap "kill ${kdcpid} ${uuspid}; echo signal killing kdc; exit 1;" EXIT
+
+ec=0
+
+echo "Getting client initial tickets user1"; > messages.log
+${kinit1} --password-file=${objdir}/foopassword user1@$R || \
+	{ ec=1 ; eval "${testfailed}"; }
+
+echo "Getting client initial tickets user2"; > messages.log
+${kinit2} --password-file=${objdir}/foopassword user2@$R || \
+	{ ec=1 ; eval "${testfailed}"; }
+
+
+echo "starting uu server (using user1)"
+KRB5CCNAME=$cache1 ${uu_server} > uuserver.log &
+uuspid=$!
+sleep 5
+
+echo "trying to contact server with client (using user2)"
+KRB5CCNAME=$cache2 ${uu_client} localhost > messages.log 2>&1 || \
+    { ec=1; eval "${testfailed}"; }
+
+sleep 5
+
+echo "checking if server got the right message"
+cmp uuserver.log ${srcdir}/uuserver.txt || \
+    { ec=1; eval "${testfailed}"; }
+
+uuspid=""
+
+${kdestroy1}
+${kdestroy2}
+
+echo "killing kdc uu_server (${kdcpid} ${uuspid})"
+kill $kdcpid $uuspid || exit 1
+
+trap "" EXIT
+
+exit $ec
diff --git a/crypto/heimdal/tests/kdc/donotexists.txt b/crypto/heimdal/tests/kdc/donotexists.txt
new file mode 100644
index 0000000..5294397
--- /dev/null
+++ b/crypto/heimdal/tests/kdc/donotexists.txt
@@ -0,0 +1 @@
+kadmin: get doesnotexists@TEST.H5L.SE: Principal does not exist
diff --git a/crypto/heimdal/tests/kdc/heimdal.acl b/crypto/heimdal/tests/kdc/heimdal.acl
new file mode 100644
index 0000000..c4bd35a
--- /dev/null
+++ b/crypto/heimdal/tests/kdc/heimdal.acl
@@ -0,0 +1,3 @@
+# $Id$
+foo/admin@TEST.H5L.SE all
+bar@TEST.H5L.SE all
diff --git a/crypto/heimdal/tests/kdc/iprop-acl b/crypto/heimdal/tests/kdc/iprop-acl
new file mode 100644
index 0000000..d43f882
--- /dev/null
+++ b/crypto/heimdal/tests/kdc/iprop-acl
@@ -0,0 +1 @@
+iprop/slave@TEST.H5L.SE
diff --git a/crypto/heimdal/tests/kdc/krb5-pkinit.conf.in b/crypto/heimdal/tests/kdc/krb5-pkinit.conf.in
new file mode 100644
index 0000000..c714426
--- /dev/null
+++ b/crypto/heimdal/tests/kdc/krb5-pkinit.conf.in
@@ -0,0 +1,33 @@
+# $Id: krb5-pkinit.conf.in 20738 2007-05-31 16:52:40Z lha $
+
+[libdefaults]
+	default_realm = TEST.H5L.SE
+	no-addresses = TRUE
+
+[appdefaults]
+	pkinit_anchors = FILE:@objdir@/ca.crt
+
+[realms]
+	TEST.H5L.SE = {
+		kdc = localhost:@port@
+		pkinit_win2k = @w2k@
+	}
+
+[kdc]
+	enable-pkinit = true
+	pkinit_identity = FILE:@objdir@/kdc.crt,@srcdir@/../../lib/hx509/data/key2.der
+	pkinit_anchors = FILE:@objdir@/ca.crt
+	pkinit_mappings_file = @srcdir@/pki-mapping
+
+	database = {
+		dbname = @objdir@/current-db
+		realm = TEST.H5L.SE
+		mkey_file = @objdir@/mkey.file
+	}
+
+[logging]
+	kdc = 0-/FILE:@objdir@/messages.log
+	default = 0-/FILE:@objdir@/messages.log
+
+[kadmin]
+	save-password = true
diff --git a/crypto/heimdal/tests/kdc/krb5.conf.in b/crypto/heimdal/tests/kdc/krb5.conf.in
new file mode 100644
index 0000000..eeb5650
--- /dev/null
+++ b/crypto/heimdal/tests/kdc/krb5.conf.in
@@ -0,0 +1,56 @@
+# $Id: krb5.conf.in 21754 2007-07-31 21:13:56Z lha $
+
+[libdefaults]
+	default_realm = TEST.H5L.SE
+	no-addresses = TRUE
+
+[appdefaults]
+	pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+
+[realms]
+	TEST.H5L.SE = {
+		kdc = localhost:@port@
+		admin_server = localhost:@admport@
+	}
+	SUB.TEST.H5L.SE = {
+		kdc = localhost:@port@
+	}
+	TEST2.H5L.SE = {
+		kdc = localhost:@port@
+	}
+
+[domain_realms]
+	.sub.test.h5l.se = SUB.TEST.H5L.SE
+	localhost = TEST.H5L.SE
+	
+
+[kdc]
+	enable-digest = true
+	digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2
+
+	enable-pkinit = true
+	pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
+	pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+	pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt
+#	pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl
+	pkinit_mappings_file = @srcdir@/pki-mapping
+	pkinit_allow_proxy_certificate = true
+
+	database = {
+		dbname = @objdir@/current-db@kdc@
+		realm = TEST.H5L.SE
+		mkey_file = @objdir@/mkey.file
+		acl_file = @srcdir@/heimdal.acl
+		log_file = @objdir@/current@kdc@.log
+	}
+
+	signal_socket = @objdir@/signal
+	iprop-stats = @objdir@/iprop-stats
+	iprop-acl = @srcdir@/iprop-acl
+
+[logging]
+	kdc = 0-/FILE:@objdir@/messages.log
+	default = 0-/FILE:@objdir@/messages.log
+
+[kadmin]
+	save-password = true
diff --git a/crypto/heimdal/tests/kdc/krb5.conf.keys.in b/crypto/heimdal/tests/kdc/krb5.conf.keys.in
new file mode 100644
index 0000000..f02ecc7
--- /dev/null
+++ b/crypto/heimdal/tests/kdc/krb5.conf.keys.in
@@ -0,0 +1,13 @@
+# $Id$
+
+[kdc]
+	database = {
+		dbname = @objdir@/current-db
+		realm = TEST.H5L.SE
+		mkey_file = @objdir@/mkey.file
+		acl_file = @srcdir@/heimdal.acl
+	}
+
+
+[kadmin]
+	default_keys = @keys@
diff --git a/crypto/heimdal/tests/kdc/ntlm-user-file.txt b/crypto/heimdal/tests/kdc/ntlm-user-file.txt
new file mode 100644
index 0000000..abf33e6
--- /dev/null
+++ b/crypto/heimdal/tests/kdc/ntlm-user-file.txt
@@ -0,0 +1,2 @@
+# $Id: ntlm-user-file.txt 19523 2006-12-28 10:20:00Z lha $
+TEST:foo:digestpassword
diff --git a/crypto/heimdal/tests/kdc/pki-mapping b/crypto/heimdal/tests/kdc/pki-mapping
new file mode 100644
index 0000000..af8099c
--- /dev/null
+++ b/crypto/heimdal/tests/kdc/pki-mapping
@@ -0,0 +1,3 @@
+# $Id: pki-mapping 19661 2007-01-04 01:58:01Z lha $
+foo@TEST.H5L.SE:CN=pkinit,C=SE
+foo@TEST.H5L.SE:CN=bar,DC=test,DC=h5l,DC=se
diff --git a/crypto/heimdal/tests/kdc/uuserver.txt b/crypto/heimdal/tests/kdc/uuserver.txt
new file mode 100644
index 0000000..2c191bf
--- /dev/null
+++ b/crypto/heimdal/tests/kdc/uuserver.txt
@@ -0,0 +1,4 @@
+User is `user2@TEST.H5L.SE'
+Server is `user1@TEST.H5L.SE'
+safe packet: hej
+priv packet: hemligt
diff --git a/crypto/heimdal/tests/kdc/wait-kdc.sh b/crypto/heimdal/tests/kdc/wait-kdc.sh
new file mode 100644
index 0000000..814b4b5
--- /dev/null
+++ b/crypto/heimdal/tests/kdc/wait-kdc.sh
@@ -0,0 +1,66 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: wait-kdc.sh 21881 2007-08-09 07:14:08Z lha $
+#
+
+name=${1:-KDC}
+log=${2:-messages.log}
+
+t=0
+waitsec=20
+
+echo "Waiting for ${name} to start, looking logfile ${log}"
+
+while true ; do
+    t=`expr ${t} + 2`
+    sleep 2
+    echo "Have waited $t seconds"
+    if tail -30 ${log} | grep "${name} started" > /dev/null; then
+	break
+    fi
+    if tail -30 ${log} | grep "No sockets" ; then
+       echo "The ${name} failed to bind to any sockets, another ${name} running ?"
+       exit 1
+    fi
+    if tail -30 ${log} | grep "bind" | grep "Operation not permitted" ; then
+       echo "The ${name} failed to bind to any sockets, another ${name} running ?"
+       exit 1
+    fi
+    if [ "$t" -gt $waitsec ]; then
+       echo "Waited for $waitsec for the ${name} to start, and it didnt happen"
+       exit 2
+    fi
+done
+
+exit 0
\ No newline at end of file
diff --git a/crypto/heimdal/tests/ldap/Makefile.am b/crypto/heimdal/tests/ldap/Makefile.am
new file mode 100644
index 0000000..e6ea42a
--- /dev/null
+++ b/crypto/heimdal/tests/ldap/Makefile.am
@@ -0,0 +1,52 @@
+# $Id: Makefile.am 22412 2008-01-12 05:57:22Z lha $
+
+include $(top_srcdir)/Makefile.am.common
+
+noinst_DATA = krb5.conf
+
+check_SCRIPTS = $(TESTS) slapd-init
+
+TESTS = check-ldap
+
+port = 49188
+
+do_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
+	-e 's,[@]port[@],$(port),g' \
+	-e 's,[@]objdir[@],$(top_builddir)/tests/ldap,g' \
+	-e 's,[@]EGREP[@],$(EGREP),g' 
+
+check-ldap: check-ldap.in Makefile
+	$(do_subst) < $(srcdir)/check-ldap.in > check-ldap.tmp
+	chmod +x check-ldap.tmp
+	mv check-ldap.tmp check-ldap
+
+slapd-init: slapd-init.in Makefile
+	$(do_subst) < $(srcdir)/slapd-init.in > slapd-init.tmp
+	chmod +x slapd-init.tmp
+	mv slapd-init.tmp slapd-init
+
+krb5.conf: krb5.conf.in Makefile
+	$(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp
+	mv krb5.conf.tmp krb5.conf
+
+CLEANFILES= \
+	$(TESTS) \
+	check-ldap.tmp \
+	slapd-init.tmp \
+	current-db* \
+	krb5.conf krb5.conf.tmp \
+	modules.conf \
+	cache.krb5 \
+	slapd-init \
+	foopassword \
+	messages.log \
+	slapd.pid
+
+EXTRA_DIST = \
+	samba.schema \
+	slapd.conf \
+	slapd-stop \
+	check-ldap.in \
+	init.ldif \
+	krb5.conf.in \
+	slapd-init.in
diff --git a/crypto/heimdal/tests/ldap/Makefile.in b/crypto/heimdal/tests/ldap/Makefile.in
new file mode 100644
index 0000000..5cd2ce4
--- /dev/null
+++ b/crypto/heimdal/tests/ldap/Makefile.in
@@ -0,0 +1,779 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# $Id: Makefile.am 22412 2008-01-12 05:57:22Z lha $
+
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
+
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
+	$(top_srcdir)/Makefile.am.common \
+	$(top_srcdir)/cf/Makefile.am.common
+subdir = tests/ldap
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
+	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
+	$(top_srcdir)/cf/broken-glob.m4 \
+	$(top_srcdir)/cf/broken-realloc.m4 \
+	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
+	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
+	$(top_srcdir)/cf/capabilities.m4 \
+	$(top_srcdir)/cf/check-compile-et.m4 \
+	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
+	$(top_srcdir)/cf/check-man.m4 \
+	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
+	$(top_srcdir)/cf/check-type-extra.m4 \
+	$(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \
+	$(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \
+	$(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
+	$(top_srcdir)/cf/dlopen.m4 \
+	$(top_srcdir)/cf/find-func-no-libs.m4 \
+	$(top_srcdir)/cf/find-func-no-libs2.m4 \
+	$(top_srcdir)/cf/find-func.m4 \
+	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
+	$(top_srcdir)/cf/have-struct-field.m4 \
+	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
+	$(top_srcdir)/cf/krb-bigendian.m4 \
+	$(top_srcdir)/cf/krb-func-getlogin.m4 \
+	$(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
+	$(top_srcdir)/cf/krb-readline.m4 \
+	$(top_srcdir)/cf/krb-struct-spwd.m4 \
+	$(top_srcdir)/cf/krb-struct-winsize.m4 \
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/include/config.h
+CONFIG_CLEAN_FILES =
+depcomp =
+am__depfiles_maybe =
+SOURCES =
+DIST_SOURCES =
+DATA = $(noinst_DATA)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CFLAGS = @CFLAGS@
+COMPILE_ET = @COMPILE_ET@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DBLIB = @DBLIB@
+DEFS = @DEFS@
+DIR_com_err = @DIR_com_err@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
+DIR_roken = @DIR_roken@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GREP = @GREP@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+INCLUDE_krb4 = @INCLUDE_krb4@
+INCLUDE_openldap = @INCLUDE_openldap@
+INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_NDBM = @LIB_NDBM@
+LIB_XauFileName = @LIB_XauFileName@
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_XauWriteAuth = @LIB_XauWriteAuth@
+LIB_bswap16 = @LIB_bswap16@
+LIB_bswap32 = @LIB_bswap32@
+LIB_com_err = @LIB_com_err@
+LIB_com_err_a = @LIB_com_err_a@
+LIB_com_err_so = @LIB_com_err_so@
+LIB_crypt = @LIB_crypt@
+LIB_db_create = @LIB_db_create@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
+LIB_el_init = @LIB_el_init@
+LIB_freeaddrinfo = @LIB_freeaddrinfo@
+LIB_gai_strerror = @LIB_gai_strerror@
+LIB_getaddrinfo = @LIB_getaddrinfo@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_gethostbyname2 = @LIB_gethostbyname2@
+LIB_getnameinfo = @LIB_getnameinfo@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
+LIB_hesiod = @LIB_hesiod@
+LIB_hstrerror = @LIB_hstrerror@
+LIB_kdb = @LIB_kdb@
+LIB_krb4 = @LIB_krb4@
+LIB_loadquery = @LIB_loadquery@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_openldap = @LIB_openldap@
+LIB_openpty = @LIB_openpty@
+LIB_otp = @LIB_otp@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
+LIB_res_nsearch = @LIB_res_nsearch@
+LIB_res_search = @LIB_res_search@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VERSIONING = @VERSIONING@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
+X_CFLAGS = @X_CFLAGS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_LIBS = @X_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dpagaix_cflags = @dpagaix_cflags@
+dpagaix_ldadd = @dpagaix_ldadd@
+dpagaix_ldflags = @dpagaix_ldflags@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
+@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
+AM_CFLAGS = $(WFLAGS)
+CP = cp
+buildinclude = $(top_builddir)/include
+LIB_getattr = @LIB_getattr@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_setpcred = @LIB_setpcred@
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+NROFF_MAN = groff -mandoc -Tascii
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
+@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+noinst_DATA = krb5.conf
+check_SCRIPTS = $(TESTS) slapd-init
+TESTS = check-ldap
+port = 49188
+do_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
+	-e 's,[@]port[@],$(port),g' \
+	-e 's,[@]objdir[@],$(top_builddir)/tests/ldap,g' \
+	-e 's,[@]EGREP[@],$(EGREP),g' 
+
+CLEANFILES = \
+	$(TESTS) \
+	check-ldap.tmp \
+	slapd-init.tmp \
+	current-db* \
+	krb5.conf krb5.conf.tmp \
+	modules.conf \
+	cache.krb5 \
+	slapd-init \
+	foopassword \
+	messages.log \
+	slapd.pid
+
+EXTRA_DIST = \
+	samba.schema \
+	slapd.conf \
+	slapd-stop \
+	check-ldap.in \
+	init.ldif \
+	krb5.conf.in \
+	slapd-init.in
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign  --ignore-deps tests/ldap/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign  --ignore-deps tests/ldap/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+tags: TAGS
+TAGS:
+
+ctags: CTAGS
+CTAGS:
+
+
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[	 ]'; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *$$ws$$tst$$ws*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		echo "XPASS: $$tst"; \
+	      ;; \
+	      *) \
+		echo "PASS: $$tst"; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *$$ws$$tst$$ws*) \
+		xfail=`expr $$xfail + 1`; \
+		echo "XFAIL: $$tst"; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		echo "FAIL: $$tst"; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      echo "SKIP: $$tst"; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="All $$all tests passed"; \
+	    else \
+	      banner="All $$all tests behaved as expected ($$xfail expected failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all tests failed"; \
+	    else \
+	      banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    skipped="($$skip tests were not run)"; \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
+	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
+	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  test -z "$$skipped" || echo "$$skipped"; \
+	  test -z "$$report" || echo "$$report"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) \
+	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
+	  dist-hook
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_SCRIPTS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
+check: check-am
+all-am: Makefile $(DATA) all-local
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
+.PHONY: all all-am all-local check check-TESTS check-am check-local \
+	clean clean-generic clean-libtool dist-hook distclean \
+	distclean-generic distclean-libtool distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-data-hook install-dvi install-dvi-am \
+	install-exec install-exec-am install-exec-hook install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	uninstall uninstall-am uninstall-hook
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+
+check-local::
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
+	  foo='$(CHECK_LOCAL)'; else \
+	  foo='$(PROGRAMS)'; fi; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0 || exit 1; \
+	fi
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
+check-ldap: check-ldap.in Makefile
+	$(do_subst) < $(srcdir)/check-ldap.in > check-ldap.tmp
+	chmod +x check-ldap.tmp
+	mv check-ldap.tmp check-ldap
+
+slapd-init: slapd-init.in Makefile
+	$(do_subst) < $(srcdir)/slapd-init.in > slapd-init.tmp
+	chmod +x slapd-init.tmp
+	mv slapd-init.tmp slapd-init
+
+krb5.conf: krb5.conf.in Makefile
+	$(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp
+	mv krb5.conf.tmp krb5.conf
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/tests/ldap/check-ldap.in b/crypto/heimdal/tests/ldap/check-ldap.in
new file mode 100644
index 0000000..c4c731d
--- /dev/null
+++ b/crypto/heimdal/tests/ldap/check-ldap.in
@@ -0,0 +1,143 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: check-ldap.in 21856 2007-08-08 06:59:23Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+EGREP="@EGREP@"
+
+R=TEST.H5L.SE
+
+port=@port@
+
+cache="FILE:${objdir}/cache.krb5"
+
+kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+
+testfailed="echo test failed; exit 1"
+
+# If there is no ldap support compile in, disable test
+if ${kdc} --builtin-hdb | grep ldap > /dev/null ; then
+   :
+else
+    echo "no ldap support"
+    exit 77
+fi
+
+#search for all ldap tools
+
+PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/libexec:/usr/lib/openldap:$PATH
+export PATH
+
+oldifs=$IFS
+IFS=:
+set -- $PATH
+IFS=$oldifs
+for j in slapd slapadd; do
+  for i in $*; do
+    test -n "$i" || i="."
+    if test -x $i/$j; then
+       continue 2
+    fi
+  done
+  echo "$j missing, not running test"
+  exit 77
+done
+
+sh ${objdir}/slapd-init || exit 1
+
+trap "sh ${srcdir}/slapd-stop ; exit 1;" EXIT
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f current-db*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+    init \
+    --realm-max-ticket-life=1day \
+    --realm-max-renewable-life=1month \
+    ${R} || exit 1
+
+${kadmin} add -p foo --use-defaults foo@${R} || exit 1
+${kadmin} add -p foo --use-defaults bar@${R} || exit 1
+
+${kadmin} cpw --random-password bar@${R} > /dev/null || exit 1
+${kadmin} cpw --random-password bar@${R} > /dev/null || exit 1
+${kadmin} cpw --random-password bar@${R} > /dev/null || exit 1
+
+${kadmin} cpw --random-password suser@${R} > /dev/null|| exit 1
+${kadmin} cpw --password=foo suser@${R} || exit 1
+
+${kadmin} list '*' > /dev/null || exit 1
+
+echo foo > ${objdir}/foopassword
+
+echo Starting kdc
+${kdc} &
+kdcpid=$!
+
+sh ${srcdir}/../kdc/wait-kdc.sh
+if [ "$?" != 0 ] ; then
+    kill ${kdcpid}
+    sh ${srcdir}/slapd-stop
+    exit 1
+fi
+
+trap "kill ${kdcpid}; echo signal killing kdc; sh ${srcdir}/slapd-stop ; exit 1;" EXIT
+
+ec=0
+
+echo "Getting client initial tickets";
+${kinit} --password-file=${objdir}/foopassword foo@$R || \
+	{ ec=1 ; eval "${testfailed}"; }
+
+
+echo "killing kdc (${kdcpid})"
+kill $kdcpid || exit 1
+
+trap "" EXIT
+
+# kill of old slapd
+sh ${srcdir}/slapd-stop
+
+rm -rf db schema
+
+exit $ec
diff --git a/crypto/heimdal/tests/ldap/init.ldif b/crypto/heimdal/tests/ldap/init.ldif
new file mode 100644
index 0000000..9cf39b1
--- /dev/null
+++ b/crypto/heimdal/tests/ldap/init.ldif
@@ -0,0 +1,44 @@
+dn: o=TEST,dc=H5L,dc=SE
+objectclass: organization
+o: Test
+
+dn: ou=kerberosPrincipals,o=TEST,dc=H5L,dc=SE
+objectclass: organizationalUnit
+ou: kerberosPrincipals
+
+dn: uid=suser,ou=kerberosPrincipals,o=TEST,dc=H5L,dc=SE
+cn: root
+sn: root
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+gidNumber: 0
+uid: suser
+uidNumber: 0
+homeDirectory: /root
+loginShell: /bin/bash
+gecos: Netbios root user
+structuralObjectClass: inetOrgPerson
+creatorsName: cn=root,dc=test,dc=h5l,dc=se
+userPassword:: AAAAAA
+objectClass: krb5KDCEntry
+krb5KeyVersionNumber: 2
+krb5PrincipalName: suser@TEST.H5L.SE
+objectClass: sambaSamAccount
+sambaHomePath: \\admin1\suser
+sambaPwdCanChange: 1159699688
+sambaPwdLastSet: 1159699688
+sambaPrimaryGroupSID: S-1-5-21-3017333096-1338036268-1966094567-512
+sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
+ 00000000
+sambaLMPassword: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+sambaNTPassword: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+sambaLogonTime: 0
+sambaLogoffTime: 2147483647
+sambaKickoffTime: 2147483647
+sambaPwdMustChange: 2147483647
+sambaHomeDrive: H:
+sambaAcctFlags: [U          ]
+sambaSID: S-1-5-21-3017333096-1338036268-1966094567-1000
diff --git a/crypto/heimdal/tests/ldap/krb5.conf.in b/crypto/heimdal/tests/ldap/krb5.conf.in
new file mode 100644
index 0000000..8ea9da5
--- /dev/null
+++ b/crypto/heimdal/tests/ldap/krb5.conf.in
@@ -0,0 +1,21 @@
+# $Id: krb5.conf.in 20220 2007-02-15 00:11:18Z lha $
+
+[libdefaults]
+	default_realm = TEST.H5L.SE
+	no-addresses = TRUE
+
+[realms]
+	TEST.H5L.SE = {
+		kdc = localhost:@port@
+	}
+
+[kdc]
+	database = {
+		dbname = ldapi://ldap-socket:OU=KerberosPrincipals,o=test,DC=h5l,DC=se
+		realm = TEST.H5L.SE
+		mkey_file = @objdir@/mkey.file
+	}
+
+[logging]
+	kdc = 0-/FILE:@objdir@/messages.log
+	default = 0-/FILE:@objdir@/messages.log
diff --git a/crypto/heimdal/tests/ldap/samba.schema b/crypto/heimdal/tests/ldap/samba.schema
new file mode 100644
index 0000000..549a708
--- /dev/null
+++ b/crypto/heimdal/tests/ldap/samba.schema
@@ -0,0 +1,554 @@
+##
+## schema file for OpenLDAP 2.x
+## Schema for storing Samba user accounts and group maps in LDAP
+## OIDs are owned by the Samba Team
+##
+## Prerequisite schemas - uid         (cosine.schema)
+##                      - displayName (inetorgperson.schema)
+##                      - gidNumber   (nis.schema)
+##
+## 1.3.6.1.4.1.7165.2.1.x - attributetypes
+## 1.3.6.1.4.1.7165.2.2.x - objectclasses
+##
+## Printer support
+## 1.3.6.1.4.1.7165.2.3.1.x - attributetypes
+## 1.3.6.1.4.1.7165.2.3.2.x - objectclasses
+##
+## Samba4
+## 1.3.6.1.4.1.7165.4.1.x - attributetypes
+## 1.3.6.1.4.1.7165.4.2.x - objectclasses
+## 1.3.6.1.4.1.7165.4.3.x - LDB/LDAP Controls
+## 1.3.6.1.4.1.7165.4.4.x - LDB/LDAP Extended Operations
+## 1.3.6.1.4.1.7165.4.255.x - mapped OIDs due to conflicts between AD and standards-track
+##
+## ----- READ THIS WHEN ADDING A NEW ATTRIBUTE OR OBJECT CLASS ------
+##
+## Run the 'get_next_oid' bash script in this directory to find the 
+## next available OID for attribute type and object classes.
+##
+##   $ ./get_next_oid
+##   attributetype ( 1.3.6.1.4.1.7165.2.1.XX NAME ....
+##   objectclass ( 1.3.6.1.4.1.7165.2.2.XX NAME ....
+##
+## Also ensure that new entries adhere to the declaration style
+## used throughout this file
+##
+##    <attributetype|objectclass> ( 1.3.6.1.4.1.7165.2.XX.XX NAME ....
+##                               ^ ^                        ^
+##
+## The spaces are required for the get_next_oid script (and for 
+## readability).
+##
+## ------------------------------------------------------------------
+
+# objectIdentifier SambaRoot 1.3.6.1.4.1.7165
+# objectIdentifier Samba3 SambaRoot:2
+# objectIdentifier Samba3Attrib Samba3:1
+# objectIdentifier Samba3ObjectClass Samba3:2
+# objectIdentifier Samba4 SambaRoot:4
+
+########################################################################
+##                            HISTORICAL                              ##
+########################################################################
+
+##
+## Password hashes
+##
+#attributetype ( 1.3.6.1.4.1.7165.2.1.1 NAME 'lmPassword'
+#	DESC 'LanManager Passwd'
+#	EQUALITY caseIgnoreIA5Match
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
+
+#attributetype ( 1.3.6.1.4.1.7165.2.1.2 NAME 'ntPassword'
+#	DESC 'NT Passwd'
+#	EQUALITY caseIgnoreIA5Match
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
+
+##
+## Account flags in string format ([UWDX     ])
+##
+#attributetype ( 1.3.6.1.4.1.7165.2.1.4 NAME 'acctFlags'
+#	DESC 'Account Flags'
+#	EQUALITY caseIgnoreIA5Match
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
+
+##
+## Password timestamps & policies
+##
+#attributetype ( 1.3.6.1.4.1.7165.2.1.3 NAME 'pwdLastSet'
+#	DESC 'NT pwdLastSet'
+#	EQUALITY integerMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+#attributetype ( 1.3.6.1.4.1.7165.2.1.5 NAME 'logonTime'
+#	DESC 'NT logonTime'
+#	EQUALITY integerMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+#attributetype ( 1.3.6.1.4.1.7165.2.1.6 NAME 'logoffTime'
+#	DESC 'NT logoffTime'
+#	EQUALITY integerMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+#attributetype ( 1.3.6.1.4.1.7165.2.1.7 NAME 'kickoffTime'
+#	DESC 'NT kickoffTime'
+#	EQUALITY integerMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+#attributetype ( 1.3.6.1.4.1.7165.2.1.8 NAME 'pwdCanChange'
+#	DESC 'NT pwdCanChange'
+#	EQUALITY integerMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+#attributetype ( 1.3.6.1.4.1.7165.2.1.9 NAME 'pwdMustChange'
+#	DESC 'NT pwdMustChange'
+#	EQUALITY integerMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+##
+## string settings
+##
+#attributetype ( 1.3.6.1.4.1.7165.2.1.10 NAME 'homeDrive'
+#	DESC 'NT homeDrive'
+#	EQUALITY caseIgnoreIA5Match
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
+
+#attributetype ( 1.3.6.1.4.1.7165.2.1.11 NAME 'scriptPath'
+#	DESC 'NT scriptPath'
+#	EQUALITY caseIgnoreIA5Match
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )
+
+#attributetype ( 1.3.6.1.4.1.7165.2.1.12 NAME 'profilePath'
+#	DESC 'NT profilePath'
+#	EQUALITY caseIgnoreIA5Match
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )
+
+#attributetype ( 1.3.6.1.4.1.7165.2.1.13 NAME 'userWorkstations'
+#	DESC 'userWorkstations'
+#	EQUALITY caseIgnoreIA5Match
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )
+
+#attributetype ( 1.3.6.1.4.1.7165.2.1.17 NAME 'smbHome'
+#	DESC 'smbHome'
+#	EQUALITY caseIgnoreIA5Match
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
+
+#attributetype ( 1.3.6.1.4.1.7165.2.1.18 NAME 'domain'
+#	DESC 'Windows NT domain to which the user belongs'
+#	EQUALITY caseIgnoreIA5Match
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
+
+##
+## user and group RID
+##
+#attributetype ( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid'
+#	DESC 'NT rid'
+#	EQUALITY integerMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+#attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID'
+#	DESC 'NT Group RID'
+#	EQUALITY integerMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+##
+## The smbPasswordEntry objectclass has been depreciated in favor of the
+## sambaAccount objectclass
+##
+#objectclass ( 1.3.6.1.4.1.7165.2.2.1 NAME 'smbPasswordEntry' SUP top AUXILIARY
+#        DESC 'Samba smbpasswd entry'
+#        MUST ( uid $ uidNumber )
+#        MAY  ( lmPassword $ ntPassword $ pwdLastSet $ acctFlags ))
+
+#objectclass ( 1.3.6.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL
+#	DESC 'Samba Account'
+#	MUST ( uid $ rid )
+#	MAY  ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
+#               logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
+#               displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
+#               description $ userWorkstations $ primaryGroupID $ domain ))
+
+#objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
+#	DESC 'Samba Auxiliary Account'
+#	MUST ( uid $ rid )
+#	MAY  ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
+#              logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
+#              displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
+#              description $ userWorkstations $ primaryGroupID $ domain ))
+
+########################################################################
+##                        END OF HISTORICAL                           ##
+########################################################################
+
+#######################################################################
+##                Attributes used by Samba 3.0 schema                ##
+#######################################################################
+
+##
+## Password hashes
+##
+attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword'
+	DESC 'LanManager Password'
+	EQUALITY caseIgnoreIA5Match
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'
+	DESC 'MD4 hash of the unicode password'
+	EQUALITY caseIgnoreIA5Match
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
+
+##
+## Account flags in string format ([UWDX     ])
+##
+attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags'
+	DESC 'Account Flags'
+	EQUALITY caseIgnoreIA5Match
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
+
+##
+## Password timestamps & policies
+##
+attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet'
+	DESC 'Timestamp of the last password update'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange'
+	DESC 'Timestamp of when the user is allowed to update the password'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange'
+	DESC 'Timestamp of when the password will expire'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime'
+	DESC 'Timestamp of last logon'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime'
+	DESC 'Timestamp of last logoff'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime'
+	DESC 'Timestamp of when the user will be logged off automatically'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount'
+	DESC 'Bad password attempt count'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime'
+	DESC 'Time of the last bad password attempt'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours'
+	DESC 'Logon Hours'
+	EQUALITY caseIgnoreIA5Match
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )
+
+##
+## string settings
+##
+attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive'
+	DESC 'Driver letter of home directory mapping'
+	EQUALITY caseIgnoreIA5Match
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript'
+	DESC 'Logon script path'
+	EQUALITY caseIgnoreMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath'
+	DESC 'Roaming profile path'
+	EQUALITY caseIgnoreMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations'
+	DESC 'List of user workstations the user is allowed to logon to'
+	EQUALITY caseIgnoreMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath'
+	DESC 'Home directory UNC path'
+	EQUALITY caseIgnoreMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName'
+	DESC 'Windows NT domain to which the user belongs'
+	EQUALITY caseIgnoreMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'
+	DESC 'Base64 encoded user parameter string'
+	EQUALITY caseExactMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory'
+	DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
+	EQUALITY caseIgnoreIA5Match
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
+
+##
+## SID, of any type
+##
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
+	DESC 'Security ID'
+	EQUALITY caseIgnoreIA5Match
+	SUBSTR caseExactIA5SubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+
+##
+## Primary group SID, compatible with ntSid
+##
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID'
+	DESC 'Primary Group Security ID'
+	EQUALITY caseIgnoreIA5Match
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList'
+	DESC 'Security ID List'
+	EQUALITY caseIgnoreIA5Match
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
+
+##
+## group mapping attributes
+##
+attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType'
+	DESC 'NT Group Type'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+##
+## Store info on the domain
+##
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid'
+	DESC 'Next NT rid to give our for users'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid'
+	DESC 'Next NT rid to give out for groups'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid'
+	DESC 'Next NT rid to give out for anything'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase'
+	DESC 'Base at which the samba RID generation algorithm should operate'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName'
+	DESC 'Share Name'
+	EQUALITY caseIgnoreMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName'
+	DESC 'Option Name'
+	EQUALITY caseIgnoreMatch
+	SUBSTR caseIgnoreSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption'
+	DESC 'A boolean option'
+	EQUALITY booleanMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption'
+	DESC 'An integer option'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption'
+	DESC 'A string option'
+	EQUALITY caseExactIA5Match
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption'
+	DESC 'A string list option'
+	EQUALITY caseIgnoreMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+
+##attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName' 
+##	SUP name )
+
+##attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'
+##	DESC 'Privileges List'
+##	EQUALITY caseIgnoreIA5Match
+##	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags'
+	DESC 'Trust Password Flags'
+	EQUALITY caseIgnoreIA5Match
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+# "min password length"
+attributetype ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength'
+	DESC 'Minimal password length (default: 5)'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "password history"
+attributetype ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength'
+	DESC 'Length of Password History Entries (default: 0 => off)'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "user must logon to change password"
+attributetype ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd'
+	DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "maximum password age"
+attributetype ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge'
+	DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "minimum password age"
+attributetype ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge'
+	DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "lockout duration"
+attributetype ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration'
+	DESC 'Lockout duration in minutes (default: 30, -1 => forever)'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "reset count minutes"
+attributetype ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow'
+	DESC 'Reset time after lockout in minutes (default: 30)'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "bad lockout attempt"
+attributetype ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold'
+	DESC 'Lockout users after bad logon attempts (default: 0 => off)'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "disconnect time"
+attributetype ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff'
+	DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+# "refuse machine password change"
+attributetype ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange'
+	DESC 'Allow Machine Password changes (default: 0 => off)'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+
+
+
+#######################################################################
+##              objectClasses used by Samba 3.0 schema               ##
+#######################################################################
+
+## The X.500 data model (and therefore LDAPv3) says that each entry can
+## only have one structural objectclass.  OpenLDAP 2.0 does not enforce
+## this currently but will in v2.1
+
+##
+## added new objectclass (and OID) for 3.0 to help us deal with backwards
+## compatibility with 2.2 installations (e.g. ldapsam_compat)  --jerry
+##
+objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
+	DESC 'Samba 3.0 Auxilary SAM Account'
+	MUST ( uid $ sambaSID )
+	MAY  ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
+	       sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
+	       sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
+               displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
+	       sambaProfilePath $ description $ sambaUserWorkstations $
+	       sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
+	       sambaBadPasswordCount $ sambaBadPasswordTime $
+	       sambaPasswordHistory $ sambaLogonHours))
+
+##
+## Group mapping info
+##
+objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
+	DESC 'Samba Group Mapping'
+	MUST ( gidNumber $ sambaSID $ sambaGroupType )
+	MAY  ( displayName $ description $ sambaSIDList ))
+
+##
+## Trust password for trust relationships (any kind)
+##
+objectclass ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL
+	DESC 'Samba Trust Password'
+	MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags )
+	MAY ( sambaSID $ sambaPwdLastSet ))
+
+##
+## Whole-of-domain info
+##
+objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
+	DESC 'Samba Domain Information'
+	MUST ( sambaDomainName $ 
+	       sambaSID ) 
+	MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
+	      sambaAlgorithmicRidBase $ 
+	      sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $
+	      sambaMaxPwdAge $ sambaMinPwdAge $
+	      sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $
+	      sambaForceLogoff $ sambaRefuseMachinePwdChange ))
+
+##
+## used for idmap_ldap module
+##
+objectclass ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
+        DESC 'Pool for allocating UNIX uids/gids'
+        MUST ( uidNumber $ gidNumber ) )
+
+
+objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
+        DESC 'Mapping from a SID to an ID'
+        MUST ( sambaSID )
+	MAY ( uidNumber $ gidNumber ) )
+
+objectclass ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL
+	DESC 'Structural Class for a SID'
+	MUST ( sambaSID ) )
+
+objectclass ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY
+	DESC 'Samba Configuration Section'
+	MAY ( description ) )
+
+objectclass ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL
+	DESC 'Samba Share Section'
+	MUST ( sambaShareName )
+	MAY ( description ) )
+
+objectclass ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL
+	DESC 'Samba Configuration Option'
+	MUST ( sambaOptionName )
+	MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $ 
+	      sambaStringListoption $ description ) )
+
+
+## retired during privilege rewrite
+##objectclass ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY
+##	DESC 'Samba Privilege'
+##	MUST ( sambaSID )
+##	MAY ( sambaPrivilegeList ) )
diff --git a/crypto/heimdal/tests/ldap/slapd-init.in b/crypto/heimdal/tests/ldap/slapd-init.in
new file mode 100644
index 0000000..e411808
--- /dev/null
+++ b/crypto/heimdal/tests/ldap/slapd-init.in
@@ -0,0 +1,39 @@
+#!/bin/sh 
+# $Id: slapd-init.in 22295 2007-12-14 05:59:04Z lha $
+
+srcdir=@srcdir@
+
+rm -rf db schema
+mkdir db
+
+# kill of old slapd if running
+sh ${srcdir}/slapd-stop > /dev/null
+
+SCHEMA_NEEDED="hdb core nis cosine inetorgperson openldap samba"
+
+SCHEMA_PATHS="${srcdir}/../../lib/hdb ${srcdir} /etc/ldap/schema /etc/openldap/schema /private/etc/openldap/schema /usr/share/openldap/schema"
+
+test -d schema || mkdir schema
+
+# setup needed schema files
+for f in $SCHEMA_NEEDED; do
+    if [ ! -r schema/$f.schema ]; then
+	for d in $SCHEMA_PATHS ; do
+	    if [ -r $d/$f.schema ] ; then
+		cp $d/$f.schema schema/$f.schema
+		continue 2
+	    fi
+	done
+	echo "SKIPPING TESTS: you need the following schema file: $f.schema"
+	exit 1
+    fi
+done
+
+touch modules.conf || exit 1
+
+slapadd -d 0 -f ${srcdir}/slapd.conf < ${srcdir}/init.ldif || exit 0
+
+echo "starting slapd"
+slapd -d0 -f ${srcdir}/slapd.conf -h ldapi://.%2Fldap-socket &
+
+sleep 4
diff --git a/crypto/heimdal/tests/ldap/slapd-stop b/crypto/heimdal/tests/ldap/slapd-stop
new file mode 100644
index 0000000..7c37c73
--- /dev/null
+++ b/crypto/heimdal/tests/ldap/slapd-stop
@@ -0,0 +1,18 @@
+#!/bin/sh 
+# $Id: slapd-stop 20220 2007-02-15 00:11:18Z lha $
+
+echo stoping slapd
+
+# kill of old slapd
+if [ -f slapd.pid ]; then
+    kill `cat slapd.pid`
+    sleep 5
+fi
+if [ -f slapd.pid ]; then
+    kill -9 `cat slapd.pid`
+    rm -f slapd.pid
+    sleep 5
+fi
+
+exit 0
+
diff --git a/crypto/heimdal/tests/ldap/slapd.conf b/crypto/heimdal/tests/ldap/slapd.conf
new file mode 100644
index 0000000..077727e
--- /dev/null
+++ b/crypto/heimdal/tests/ldap/slapd.conf
@@ -0,0 +1,28 @@
+loglevel 0
+
+include schema/core.schema
+include schema/cosine.schema
+include schema/inetorgperson.schema
+include schema/openldap.schema
+include schema/nis.schema
+include schema/hdb.schema
+include schema/samba.schema
+
+
+pidfile		slapd.pid
+argsfile	slapd.args
+
+access to * by * write
+
+allow update_anon bind_anon_dn
+
+include modules.conf
+
+defaultsearchbase "ou=TEST,dc=H5L,dc=SE"
+
+backend		bdb
+database        bdb
+suffix		"o=TEST,dc=H5L,dc=SE"
+directory	db
+index           objectClass eq
+index           uid eq
diff --git a/crypto/heimdal/tests/plugin/Makefile.am b/crypto/heimdal/tests/plugin/Makefile.am
new file mode 100644
index 0000000..46ccdc5
--- /dev/null
+++ b/crypto/heimdal/tests/plugin/Makefile.am
@@ -0,0 +1,43 @@
+# $Id: Makefile.am 20202 2007-02-08 00:59:47Z lha $
+
+include $(top_srcdir)/Makefile.am.common
+
+noinst_DATA = krb5.conf
+
+SCRIPT_TESTS = check-pac
+TESTS = $(SCRIPT_TESTS)
+
+port = 49188
+
+do_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
+	-e 's,[@]port[@],$(port),g' \
+	-e 's,[@]objdir[@],$(top_builddir)/tests/plugin,g' \
+	-e 's,[@]EGREP[@],$(EGREP),g' 
+
+LDADD = ../../lib/krb5/libkrb5.la $(LIB_roken)
+
+check-pac: check-pac.in Makefile
+	$(do_subst) < $(srcdir)/check-pac.in > check-pac.tmp
+	chmod +x check-pac.tmp
+	mv check-pac.tmp check-pac
+
+krb5.conf: krb5.conf.in Makefile
+	$(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp
+	mv krb5.conf.tmp krb5.conf
+
+lib_LTLIBRARIES = windc.la
+
+windc_la_SOURCES = windc.c
+windc_la_LDFLAGS = -module
+
+CLEANFILES= \
+	$(TESTS) \
+	server.keytab \
+	current-db* \
+	foopassword \
+	krb5.conf krb5.conf.tmp \
+	messages.log
+
+EXTRA_DIST = \
+	check-pac.in \
+	krb5.conf.in
diff --git a/crypto/heimdal/tests/plugin/Makefile.in b/crypto/heimdal/tests/plugin/Makefile.in
new file mode 100644
index 0000000..3e06d80
--- /dev/null
+++ b/crypto/heimdal/tests/plugin/Makefile.in
@@ -0,0 +1,890 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# $Id: Makefile.am 20202 2007-02-08 00:59:47Z lha $
+
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
+
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
+
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
+	$(top_srcdir)/Makefile.am.common \
+	$(top_srcdir)/cf/Makefile.am.common
+subdir = tests/plugin
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
+	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
+	$(top_srcdir)/cf/broken-glob.m4 \
+	$(top_srcdir)/cf/broken-realloc.m4 \
+	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
+	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
+	$(top_srcdir)/cf/capabilities.m4 \
+	$(top_srcdir)/cf/check-compile-et.m4 \
+	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
+	$(top_srcdir)/cf/check-man.m4 \
+	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
+	$(top_srcdir)/cf/check-type-extra.m4 \
+	$(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \
+	$(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \
+	$(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
+	$(top_srcdir)/cf/dlopen.m4 \
+	$(top_srcdir)/cf/find-func-no-libs.m4 \
+	$(top_srcdir)/cf/find-func-no-libs2.m4 \
+	$(top_srcdir)/cf/find-func.m4 \
+	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
+	$(top_srcdir)/cf/have-struct-field.m4 \
+	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
+	$(top_srcdir)/cf/krb-bigendian.m4 \
+	$(top_srcdir)/cf/krb-func-getlogin.m4 \
+	$(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
+	$(top_srcdir)/cf/krb-readline.m4 \
+	$(top_srcdir)/cf/krb-struct-spwd.m4 \
+	$(top_srcdir)/cf/krb-struct-winsize.m4 \
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/include/config.h
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(libdir)"
+libLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(lib_LTLIBRARIES)
+windc_la_LIBADD =
+am_windc_la_OBJECTS = windc.lo
+windc_la_OBJECTS = $(am_windc_la_OBJECTS)
+windc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(windc_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
+depcomp =
+am__depfiles_maybe =
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(windc_la_SOURCES)
+DIST_SOURCES = $(windc_la_SOURCES)
+DATA = $(noinst_DATA)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CFLAGS = @CFLAGS@
+COMPILE_ET = @COMPILE_ET@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DBLIB = @DBLIB@
+DEFS = @DEFS@
+DIR_com_err = @DIR_com_err@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
+DIR_roken = @DIR_roken@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GREP = @GREP@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+INCLUDE_krb4 = @INCLUDE_krb4@
+INCLUDE_openldap = @INCLUDE_openldap@
+INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_NDBM = @LIB_NDBM@
+LIB_XauFileName = @LIB_XauFileName@
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_XauWriteAuth = @LIB_XauWriteAuth@
+LIB_bswap16 = @LIB_bswap16@
+LIB_bswap32 = @LIB_bswap32@
+LIB_com_err = @LIB_com_err@
+LIB_com_err_a = @LIB_com_err_a@
+LIB_com_err_so = @LIB_com_err_so@
+LIB_crypt = @LIB_crypt@
+LIB_db_create = @LIB_db_create@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
+LIB_el_init = @LIB_el_init@
+LIB_freeaddrinfo = @LIB_freeaddrinfo@
+LIB_gai_strerror = @LIB_gai_strerror@
+LIB_getaddrinfo = @LIB_getaddrinfo@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_gethostbyname2 = @LIB_gethostbyname2@
+LIB_getnameinfo = @LIB_getnameinfo@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
+LIB_hesiod = @LIB_hesiod@
+LIB_hstrerror = @LIB_hstrerror@
+LIB_kdb = @LIB_kdb@
+LIB_krb4 = @LIB_krb4@
+LIB_loadquery = @LIB_loadquery@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_openldap = @LIB_openldap@
+LIB_openpty = @LIB_openpty@
+LIB_otp = @LIB_otp@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
+LIB_res_nsearch = @LIB_res_nsearch@
+LIB_res_search = @LIB_res_search@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VERSIONING = @VERSIONING@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
+X_CFLAGS = @X_CFLAGS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_LIBS = @X_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dpagaix_cflags = @dpagaix_cflags@
+dpagaix_ldadd = @dpagaix_ldadd@
+dpagaix_ldflags = @dpagaix_ldflags@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
+@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
+AM_CFLAGS = $(WFLAGS)
+CP = cp
+buildinclude = $(top_builddir)/include
+LIB_getattr = @LIB_getattr@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_setpcred = @LIB_setpcred@
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+NROFF_MAN = groff -mandoc -Tascii
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
+@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+noinst_DATA = krb5.conf
+SCRIPT_TESTS = check-pac
+TESTS = $(SCRIPT_TESTS)
+port = 49188
+do_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
+	-e 's,[@]port[@],$(port),g' \
+	-e 's,[@]objdir[@],$(top_builddir)/tests/plugin,g' \
+	-e 's,[@]EGREP[@],$(EGREP),g' 
+
+LDADD = ../../lib/krb5/libkrb5.la $(LIB_roken)
+lib_LTLIBRARIES = windc.la
+windc_la_SOURCES = windc.c
+windc_la_LDFLAGS = -module
+CLEANFILES = \
+	$(TESTS) \
+	server.keytab \
+	current-db* \
+	foopassword \
+	krb5.conf krb5.conf.tmp \
+	messages.log
+
+EXTRA_DIST = \
+	check-pac.in \
+	krb5.conf.in
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign  --ignore-deps tests/plugin/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign  --ignore-deps tests/plugin/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f=$(am__strip_dir) \
+	    echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \
+	    $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  p=$(am__strip_dir) \
+	  echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \
+	  $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \
+	done
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+windc.la: $(windc_la_OBJECTS) $(windc_la_DEPENDENCIES) 
+	$(windc_la_LINK) -rpath $(libdir) $(windc_la_OBJECTS) $(windc_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+.c.o:
+	$(COMPILE) -c $<
+
+.c.obj:
+	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[	 ]'; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *$$ws$$tst$$ws*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		echo "XPASS: $$tst"; \
+	      ;; \
+	      *) \
+		echo "PASS: $$tst"; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *$$ws$$tst$$ws*) \
+		xfail=`expr $$xfail + 1`; \
+		echo "XFAIL: $$tst"; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		echo "FAIL: $$tst"; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      echo "SKIP: $$tst"; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="All $$all tests passed"; \
+	    else \
+	      banner="All $$all tests behaved as expected ($$xfail expected failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all tests failed"; \
+	    else \
+	      banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    skipped="($$skip tests were not run)"; \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
+	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
+	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  test -z "$$skipped" || echo "$$skipped"; \
+	  test -z "$$report" || echo "$$report"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) \
+	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
+	  dist-hook
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
+check: check-am
+all-am: Makefile $(LTLIBRARIES) $(DATA) all-local
+installdirs:
+	for dir in "$(DESTDIR)$(libdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
+
+install-dvi: install-dvi-am
+
+install-exec-am: install-libLTLIBRARIES
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-libLTLIBRARIES
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
+
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
+.PHONY: CTAGS GTAGS all all-am all-local check check-TESTS check-am \
+	check-local clean clean-generic clean-libLTLIBRARIES \
+	clean-libtool ctags dist-hook distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-data-hook install-dvi \
+	install-dvi-am install-exec install-exec-am install-exec-hook \
+	install-html install-html-am install-info install-info-am \
+	install-libLTLIBRARIES install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-hook \
+	uninstall-libLTLIBRARIES
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+
+check-local::
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
+	  foo='$(CHECK_LOCAL)'; else \
+	  foo='$(PROGRAMS)'; fi; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0 || exit 1; \
+	fi
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
+check-pac: check-pac.in Makefile
+	$(do_subst) < $(srcdir)/check-pac.in > check-pac.tmp
+	chmod +x check-pac.tmp
+	mv check-pac.tmp check-pac
+
+krb5.conf: krb5.conf.in Makefile
+	$(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp
+	mv krb5.conf.tmp krb5.conf
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/tests/plugin/check-pac.in b/crypto/heimdal/tests/plugin/check-pac.in
new file mode 100644
index 0000000..290274d
--- /dev/null
+++ b/crypto/heimdal/tests/plugin/check-pac.in
@@ -0,0 +1,147 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: check-pac.in 21857 2007-08-08 06:59:36Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+EGREP="@EGREP@"
+
+testfailed="echo test failed; cat messages.log; exit 1"
+
+# If there is no useful db support compile in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r ${R}"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+
+server=host/datan.test.h5l.se
+cache="FILE:${objdir}/cache.krb5"
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+
+kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
+klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
+kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
+kdestroy="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache --no-unlog"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+    init \
+    --realm-max-ticket-life=1day \
+    --realm-max-renewable-life=1month \
+    ${R} || exit 1
+
+${kadmin} add -p foo --use-defaults foo@${R} || exit 1
+${kadmin} add -p bar --use-defaults ${server}@${R} || exit 1
+${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+${kadmin} check ${R2} || exit 1
+
+echo foo > ${objdir}/foopassword
+
+echo "Empty log"
+> messages.log
+
+echo Starting kdc
+${kdc} &
+kdcpid=$!
+
+sh ${srcdir}/../kdc/wait-kdc.sh
+if [ "$?" != 0 ] ; then
+    kill ${kdcpid}
+    exit 1
+fi
+
+trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+
+ec=0
+
+echo "Check that WINDC module was loaded "
+grep "windc init" messages.log >/dev/null || \
+	{ ec=1 ; eval "${testfailed}"; }
+
+echo "Getting client initial tickets"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+echo "Getting tickets" ; > messages.log
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+echo "Verify PAC on server"; > messages.log
+../kdc/ap-req --verify-pac ${server}@${R} ${keytab} ${cache} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Getting client initial tickets (pag)"; > messages.log
+${kinit} --request-pac --password-file=${objdir}/foopassword foo@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+echo "Getting tickets" ; > messages.log
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+echo "Verify PAC on server (pag)"; > messages.log
+../kdc/ap-req --verify-pac ${server}@${R} ${keytab} ${cache} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Getting client initial tickets (no pag)"; > messages.log
+${kinit} --no-request-pac --password-file=${objdir}/foopassword foo@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+echo "Getting tickets" ; > messages.log
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+echo "Verify PAC on server (no pag)"; > messages.log
+../kdc/ap-req --verify-pac ${server}@${R} ${keytab} ${cache} 2> /dev/null && \
+	{ ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+
+echo "killing kdc (${kdcpid})"
+kill $kdcpid || exit 1
+
+trap "" EXIT
+
+exit $ec
diff --git a/crypto/heimdal/tests/plugin/krb5.conf.in b/crypto/heimdal/tests/plugin/krb5.conf.in
new file mode 100644
index 0000000..fad9e74
--- /dev/null
+++ b/crypto/heimdal/tests/plugin/krb5.conf.in
@@ -0,0 +1,29 @@
+# $Id: krb5.conf.in 20202 2007-02-08 00:59:47Z lha $
+
+[libdefaults]
+	default_realm = TEST.H5L.SE
+	no-addresses = TRUE
+
+	plugin_dir = @objdir@ @objdir@/.libs
+
+[appdefaults]
+	pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+
+[realms]
+	TEST.H5L.SE = {
+		kdc = localhost:@port@
+	}
+
+[kdc]
+	database = {
+		dbname = @objdir@/current-db
+		realm = TEST.H5L.SE
+		mkey_file = @objdir@/mkey.file
+	}
+
+[logging]
+	kdc = 0-/FILE:@objdir@/messages.log
+	default = 0-/FILE:@objdir@/messages.log
+
+[kadmin]
+#	default_keys = arcfour-hmac-md5:pw-salt
diff --git a/crypto/heimdal/tests/plugin/windc.c b/crypto/heimdal/tests/plugin/windc.c
new file mode 100644
index 0000000..7c78847
--- /dev/null
+++ b/crypto/heimdal/tests/plugin/windc.c
@@ -0,0 +1,77 @@
+#include <krb5.h>
+#include <hdb.h>
+#include <windc_plugin.h>
+
+static krb5_error_code
+windc_init(krb5_context context, void **ctx)
+{
+    krb5_warnx(context, "windc init");
+    *ctx = NULL;
+    return 0;
+}
+
+static void
+windc_fini(void *ctx)
+{
+}
+
+static krb5_error_code 
+pac_generate(void *ctx, krb5_context context,
+	     struct hdb_entry_ex *client, krb5_pac *pac)
+{
+    krb5_error_code ret;
+    krb5_data data;
+
+    krb5_warnx(context, "pac generate");
+
+    data.data = "\x00\x01";
+    data.length = 2;
+
+    ret = krb5_pac_init(context, pac);
+    if (ret)
+	return ret;
+
+    ret = krb5_pac_add_buffer(context, *pac, 1, &data);
+    if (ret)
+	return ret;
+
+    return 0;
+}
+
+static krb5_error_code 
+pac_verify(void *ctx, krb5_context context,
+	   const krb5_principal client_principal,
+	   struct hdb_entry_ex *client, 
+	   struct hdb_entry_ex *server,
+	   krb5_pac *pac)
+{
+    krb5_error_code ret;
+    krb5_data data;
+
+    krb5_warnx(context, "pac_verify");
+
+    ret = krb5_pac_get_buffer(context, *pac, 1, &data);
+    if (ret)
+	return ret;
+
+    krb5_data_free(&data);
+
+    return 0;
+}
+
+static krb5_error_code 
+client_access(void *ctx, krb5_context context, 
+	      struct hdb_entry_ex *client, KDC_REQ *req)
+{
+    krb5_warnx(context, "client_access");
+    return 0;
+}
+
+krb5plugin_windc_ftable windc = {
+    KRB5_WINDC_PLUGING_MINOR,
+    windc_init,
+    windc_fini,
+    pac_generate,
+    pac_verify,
+    client_access
+};
diff --git a/crypto/heimdal/tools/Makefile.am b/crypto/heimdal/tools/Makefile.am
index b7a9d24..db60f48 100644
--- a/crypto/heimdal/tools/Makefile.am
+++ b/crypto/heimdal/tools/Makefile.am
@@ -1,26 +1,53 @@
-# $Id: Makefile.am,v 1.6 2002/09/09 22:29:26 joda Exp $
+# $Id: Makefile.am 22413 2008-01-12 05:58:14Z lha $
 
 include $(top_srcdir)/Makefile.am.common
 
-EXTRA_DIST = krb5-config.1
+bin_SCRIPTS = krb5-config
 
-CLEANFILES = krb5-config
+pkgconfigdir = $(libdir)/pkgconfig
 
-bin_SCRIPTS = krb5-config
+pkgconfig_DATA = heimdal-gssapi.pc
 
 man_MANS = krb5-config.1
 
+if PKINIT
+LIB_pkinit = -lhx509
+endif
+
+subst = sed	-e "s!@PACKAGE\@!$(PACKAGE)!g" \
+		-e "s!@VERSION\@!$(VERSION)!g" \
+		-e "s!@prefix\@!$(prefix)!g" \
+		-e "s!@exec_prefix\@!$(exec_prefix)!g" \
+		-e "s!@libdir\@!$(libdir)!g" \
+		-e "s!@includedir\@!$(includedir)!g" \
+		-e "s!@LIB_crypt\@!$(LIB_crypt)!g" \
+		-e "s!@LIB_dbopen\@!$(LIB_dbopen)!g" \
+		-e "s!@INCLUDE_hcrypto\@!$(INCLUDE_hcrypto)!g" \
+		-e "s!@LIB_hcrypto_appl\@!$(LIB_hcrypto_appl)!g" \
+		-e "s!@LIB_dlopen\@!$(LIB_dlopen)!g" \
+		-e "s!@LIB_door_create\@!$(LIB_door_create)!g" \
+		-e "s!@LIB_pkinit\@!$(LIB_pkinit)!g" \
+		-e "s!@LIBS\@!$(LIBS)!g"
+
 krb5-config: krb5-config.in
-	sed	-e "s,@PACKAGE\@,$(PACKAGE),g" \
-		-e "s,@VERSION\@,$(VERSION),g" \
-		-e "s,@prefix\@,$(prefix),g" \
-		-e "s,@exec_prefix\@,$(exec_prefix),g" \
-		-e "s,@libdir\@,$(libdir),g" \
-		-e "s,@includedir\@,$(includedir),g" \
-		-e "s,@LIB_crypt\@,$(LIB_crypt),g" \
-		-e "s,@LIB_dbopen\@,$(LIB_dbopen),g" \
-		-e "s,@INCLUDE_des\@,$(INCLUDE_des),g" \
-		-e "s,@LIB_des_appl\@,$(LIB_des_appl),g" \
-		-e "s,@LIBS\@,$(LIBS),g" \
-		$(srcdir)/krb5-config.in > $@
+	$(subst) $(srcdir)/krb5-config.in > $@.new
+	mv $@.new $@
 	chmod +x $@
+
+heimdal-gssapi.pc: heimdal-gssapi.pc.in
+	$(subst) $(srcdir)/heimdal-gssapi.pc.in > $@.new
+	mv $@.new $@
+
+EXTRA_DIST = \
+	$(man_MANS) \
+	heimdal-build.sh \
+	krb5-config.in \
+	heimdal-gssapi.pc.in \
+	kdc-log-analyze.pl
+
+CLEANFILES = \
+	krb5-config \
+	krb5-config.new \
+	heimdal-gssapi.pc \
+	heimdal-gssapi.pc.new
+
diff --git a/crypto/heimdal/tools/Makefile.in b/crypto/heimdal/tools/Makefile.in
index 87d8bf5..7fee343 100644
--- a/crypto/heimdal/tools/Makefile.in
+++ b/crypto/heimdal/tools/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,21 +14,18 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am,v 1.6 2002/09/09 22:29:26 joda Exp $
+# $Id: Makefile.am 22413 2008-01-12 05:58:14Z lha $
 
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
+
+# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
 
-# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
 
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -40,6 +37,7 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
+build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	$(top_srcdir)/Makefile.am.common \
@@ -47,16 +45,14 @@ DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 subdir = tools
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
-	$(top_srcdir)/cf/broken-getnameinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
 	$(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
 	$(top_srcdir)/cf/capabilities.m4 \
 	$(top_srcdir)/cf/check-compile-et.m4 \
-	$(top_srcdir)/cf/check-declaration.m4 \
 	$(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
@@ -69,6 +65,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
 	$(top_srcdir)/cf/find-if-not-broken.m4 \
+	$(top_srcdir)/cf/framework-security.m4 \
 	$(top_srcdir)/cf/have-struct-field.m4 \
 	$(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
@@ -77,19 +74,24 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
-	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
-	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
-	$(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
-	$(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
-	$(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
-	$(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
+	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
+	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
+	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
+	$(top_srcdir)/cf/roken-frag.m4 \
+	$(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
+	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
+	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
+	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)"
+am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)" \
+	"$(DESTDIR)$(pkgconfigdir)"
 binSCRIPT_INSTALL = $(INSTALL_SCRIPT)
 SCRIPTS = $(bin_SCRIPTS)
 depcomp =
@@ -98,15 +100,17 @@ SOURCES =
 DIST_SOURCES =
 man1dir = $(mandir)/man1
 MANS = $(man_MANS)
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+pkgconfigDATA_INSTALL = $(INSTALL_DATA)
+DATA = $(pkgconfig_DATA)
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AIX4_FALSE = @AIX4_FALSE@
-AIX4_TRUE = @AIX4_TRUE@
-AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
-AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AIX_FALSE = @AIX_FALSE@
-AIX_TRUE = @AIX_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
@@ -116,8 +120,6 @@ AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
-CATMAN_FALSE = @CATMAN_FALSE@
-CATMAN_TRUE = @CATMAN_TRUE@
 CC = @CC@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
@@ -128,11 +130,10 @@ CXXCPP = @CXXCPP@
 CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DBLIB = @DBLIB@
-DCE_FALSE = @DCE_FALSE@
-DCE_TRUE = @DCE_TRUE@
 DEFS = @DEFS@
 DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
+DIR_hcrypto = @DIR_hcrypto@
+DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
@@ -140,42 +141,27 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-EXTRA_LIB45 = @EXTRA_LIB45@
 F77 = @F77@
 FFLAGS = @FFLAGS@
+GREP = @GREP@
 GROFF = @GROFF@
-HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
-HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
-HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
-HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
-HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
-HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
-HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
-HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
-HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
-HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
-HAVE_X_FALSE = @HAVE_X_FALSE@
-HAVE_X_TRUE = @HAVE_X_TRUE@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_des = @INCLUDE_des@
+INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IRIX_FALSE = @IRIX_FALSE@
-IRIX_TRUE = @IRIX_TRUE@
-KRB4_FALSE = @KRB4_FALSE@
-KRB4_TRUE = @KRB4_TRUE@
-KRB5_FALSE = @KRB5_FALSE@
-KRB5_TRUE = @KRB5_TRUE@
 LDFLAGS = @LDFLAGS@
+LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBADD_roken = @LIBADD_roken@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -193,12 +179,9 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_door_create = @LIB_door_create@
 LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
@@ -208,15 +191,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@
 LIB_getnameinfo = @LIB_getnameinfo@
 LIB_getpwnam_r = @LIB_getpwnam_r@
 LIB_getsockopt = @LIB_getsockopt@
+LIB_hcrypto = @LIB_hcrypto@
+LIB_hcrypto_a = @LIB_hcrypto_a@
+LIB_hcrypto_appl = @LIB_hcrypto_appl@
+LIB_hcrypto_so = @LIB_hcrypto_so@
 LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
-LIB_krb_disable_debug = @LIB_krb_disable_debug@
-LIB_krb_enable_debug = @LIB_krb_enable_debug@
-LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
-LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
-LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -225,6 +207,7 @@ LIB_openpty = @LIB_openpty@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
+LIB_res_ndestroy = @LIB_res_ndestroy@
 LIB_res_nsearch = @LIB_res_nsearch@
 LIB_res_search = @LIB_res_search@
 LIB_roken = @LIB_roken@
@@ -236,15 +219,10 @@ LIB_tgetent = @LIB_tgetent@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
-MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
-MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
 MAKEINFO = @MAKEINFO@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+MKDIR_P = @MKDIR_P@
 NROFF = @NROFF@
 OBJEXT = @OBJEXT@
-OTP_FALSE = @OTP_FALSE@
-OTP_TRUE = @OTP_TRUE@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -252,74 +230,79 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
+VERSIONING = @VERSIONING@
 VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+XMKMF = @XMKMF@
 X_CFLAGS = @X_CFLAGS@
 X_EXTRA_LIBS = @X_EXTRA_LIBS@
 X_LIBS = @X_LIBS@
 X_PRE_LIBS = @X_PRE_LIBS@
 YACC = @YACC@
-ac_ct_AR = @ac_ct_AR@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-ac_ct_RANLIB = @ac_ct_RANLIB@
-ac_ct_STRIP = @ac_ct_STRIP@
 am__leading_dot = @am__leading_dot@
+am__tar = @am__tar@
+am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 datadir = @datadir@
-do_roken_rename_FALSE = @do_roken_rename_FALSE@
-do_roken_rename_TRUE = @do_roken_rename_TRUE@
+datarootdir = @datarootdir@
+docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
 dpagaix_ldflags = @dpagaix_ldflags@
-el_compat_FALSE = @el_compat_FALSE@
-el_compat_TRUE = @el_compat_TRUE@
+dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_err_h_FALSE = @have_err_h_FALSE@
-have_err_h_TRUE = @have_err_h_TRUE@
-have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
-have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
-have_glob_h_FALSE = @have_glob_h_FALSE@
-have_glob_h_TRUE = @have_glob_h_TRUE@
-have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
-have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
-have_vis_h_FALSE = @have_vis_h_FALSE@
-have_vis_h_TRUE = @have_vis_h_TRUE@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
+htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
+localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
+psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
@@ -336,15 +319,45 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
-EXTRA_DIST = krb5-config.1
-CLEANFILES = krb5-config
 bin_SCRIPTS = krb5-config
+pkgconfigdir = $(libdir)/pkgconfig
+pkgconfig_DATA = heimdal-gssapi.pc
 man_MANS = krb5-config.1
+@PKINIT_TRUE@LIB_pkinit = -lhx509
+subst = sed	-e "s!@PACKAGE\@!$(PACKAGE)!g" \
+		-e "s!@VERSION\@!$(VERSION)!g" \
+		-e "s!@prefix\@!$(prefix)!g" \
+		-e "s!@exec_prefix\@!$(exec_prefix)!g" \
+		-e "s!@libdir\@!$(libdir)!g" \
+		-e "s!@includedir\@!$(includedir)!g" \
+		-e "s!@LIB_crypt\@!$(LIB_crypt)!g" \
+		-e "s!@LIB_dbopen\@!$(LIB_dbopen)!g" \
+		-e "s!@INCLUDE_hcrypto\@!$(INCLUDE_hcrypto)!g" \
+		-e "s!@LIB_hcrypto_appl\@!$(LIB_hcrypto_appl)!g" \
+		-e "s!@LIB_dlopen\@!$(LIB_dlopen)!g" \
+		-e "s!@LIB_door_create\@!$(LIB_door_create)!g" \
+		-e "s!@LIB_pkinit\@!$(LIB_pkinit)!g" \
+		-e "s!@LIBS\@!$(LIBS)!g"
+
+EXTRA_DIST = \
+	$(man_MANS) \
+	heimdal-build.sh \
+	krb5-config.in \
+	heimdal-gssapi.pc.in \
+	kdc-log-analyze.pl
+
+CLEANFILES = \
+	krb5-config \
+	krb5-config.new \
+	heimdal-gssapi.pc \
+	heimdal-gssapi.pc.new
+
 all: all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
+.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -376,7 +389,7 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-binSCRIPTS: $(bin_SCRIPTS)
 	@$(NORMAL_INSTALL)
-	test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)"
+	test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
 	@list='$(bin_SCRIPTS)'; for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  if test -f $$d$$p; then \
@@ -399,13 +412,9 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
 install-man1: $(man1_MANS) $(man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man1dir)" || $(mkdir_p) "$(DESTDIR)$(man1dir)"
+	test -z "$(man1dir)" || $(MKDIR_P) "$(DESTDIR)$(man1dir)"
 	@list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \
 	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
 	for i in $$l2; do \
@@ -448,6 +457,23 @@ uninstall-man1:
 	  echo " rm -f '$(DESTDIR)$(man1dir)/$$inst'"; \
 	  rm -f "$(DESTDIR)$(man1dir)/$$inst"; \
 	done
+install-pkgconfigDATA: $(pkgconfig_DATA)
+	@$(NORMAL_INSTALL)
+	test -z "$(pkgconfigdir)" || $(MKDIR_P) "$(DESTDIR)$(pkgconfigdir)"
+	@list='$(pkgconfig_DATA)'; for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  f=$(am__strip_dir) \
+	  echo " $(pkgconfigDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(pkgconfigdir)/$$f'"; \
+	  $(pkgconfigDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(pkgconfigdir)/$$f"; \
+	done
+
+uninstall-pkgconfigDATA:
+	@$(NORMAL_UNINSTALL)
+	@list='$(pkgconfig_DATA)'; for p in $$list; do \
+	  f=$(am__strip_dir) \
+	  echo " rm -f '$(DESTDIR)$(pkgconfigdir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(pkgconfigdir)/$$f"; \
+	done
 tags: TAGS
 TAGS:
 
@@ -456,23 +482,21 @@ CTAGS:
 
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/.. $(distdir)/../cf
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -489,10 +513,10 @@ distdir: $(DISTFILES)
 check-am: all-am
 	$(MAKE) $(AM_MAKEFLAGS) check-local
 check: check-am
-all-am: Makefile $(SCRIPTS) $(MANS) all-local
+all-am: Makefile $(SCRIPTS) $(MANS) $(DATA) all-local
 installdirs:
-	for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(pkgconfigdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
 install-exec: install-exec-am
@@ -514,7 +538,7 @@ clean-generic:
 	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
-	-rm -f $(CONFIG_CLEAN_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -525,7 +549,7 @@ clean-am: clean-generic clean-libtool mostlyclean-am
 
 distclean: distclean-am
 	-rm -f Makefile
-distclean-am: clean-am distclean-generic distclean-libtool
+distclean-am: clean-am distclean-generic
 
 dvi: dvi-am
 
@@ -537,18 +561,26 @@ info: info-am
 
 info-am:
 
-install-data-am: install-man
+install-data-am: install-man install-pkgconfigDATA
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-binSCRIPTS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man: install-man1
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -567,21 +599,30 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-binSCRIPTS uninstall-info-am uninstall-man
+uninstall-am: uninstall-binSCRIPTS uninstall-man \
+	uninstall-pkgconfigDATA
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
 
 uninstall-man: uninstall-man1
 
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
+
 .PHONY: all all-am all-local check check-am check-local clean \
-	clean-generic clean-libtool distclean distclean-generic \
-	distclean-libtool distdir dvi dvi-am html html-am info info-am \
-	install install-am install-binSCRIPTS install-data \
-	install-data-am install-exec install-exec-am install-info \
-	install-info-am install-man install-man1 install-strip \
+	clean-generic clean-libtool dist-hook distclean \
+	distclean-generic distclean-libtool distdir dvi dvi-am html \
+	html-am info info-am install install-am install-binSCRIPTS \
+	install-data install-data-am install-data-hook install-dvi \
+	install-dvi-am install-exec install-exec-am install-exec-hook \
+	install-html install-html-am install-info install-info-am \
+	install-man install-man1 install-pdf install-pdf-am \
+	install-pkgconfigDATA install-ps install-ps-am install-strip \
 	installcheck installcheck-am installdirs maintainer-clean \
 	maintainer-clean-generic mostlyclean mostlyclean-generic \
 	mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am \
-	uninstall-binSCRIPTS uninstall-info-am uninstall-man \
-	uninstall-man1
+	uninstall-binSCRIPTS uninstall-hook uninstall-man \
+	uninstall-man1 uninstall-pkgconfigDATA
 
 
 install-suid-programs:
@@ -596,8 +637,8 @@ install-suid-programs:
 
 install-exec-hook: install-suid-programs
 
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
-	@foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -607,19 +648,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
 			$(CP) $$file $(buildinclude)/$$f; \
 		fi ; \
+	done ; \
+	foo='$(nobase_include_HEADERS)'; \
+	for f in $$foo; do \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		$(mkdir_p) $(buildinclude)/`dirname $$f` ; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
 	done
 
 all-local: install-build-headers
 
 check-local::
-	@if test '$(CHECK_LOCAL)'; then \
+	@if test '$(CHECK_LOCAL)' = "no-check-local"; then \
+	  foo=''; elif test '$(CHECK_LOCAL)'; then \
 	  foo='$(CHECK_LOCAL)'; else \
 	  foo='$(PROGRAMS)'; fi; \
 	  if test "$$foo"; then \
 	  failed=0; all=0; \
 	  for i in $$foo; do \
 	    all=`expr $$all + 1`; \
-	    if ./$$i --version > /dev/null 2>&1; then \
+	    if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
 	      echo "PASS: $$i"; \
 	    else \
 	      echo "FAIL: $$i"; \
@@ -635,7 +688,7 @@ check-local::
 	  echo "$$dashes"; \
 	  echo "$$banner"; \
 	  echo "$$dashes"; \
-	  test "$$failed" -eq 0; \
+	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
 .x.c:
@@ -705,29 +758,48 @@ dist-cat8-mans:
 dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+uninstall-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
+uninstall-hook: uninstall-cat-mans
 
 .et.h:
 	$(COMPILE_ET) $<
 .et.c:
 	$(COMPILE_ET) $<
 
+#
+# Useful target for debugging
+#
+
+check-valgrind:
+	tobjdir=`cd $(top_builddir) && pwd` ; \
+	tsrcdir=`cd $(top_srcdir) && pwd` ; \
+	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+
+#
+# Target to please samba build farm, builds distfiles in-tree.
+# Will break when automake changes...
+#
+
+distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
+	list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" != .; then \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
+	  fi ; \
+	done
+
 krb5-config: krb5-config.in
-	sed	-e "s,@PACKAGE\@,$(PACKAGE),g" \
-		-e "s,@VERSION\@,$(VERSION),g" \
-		-e "s,@prefix\@,$(prefix),g" \
-		-e "s,@exec_prefix\@,$(exec_prefix),g" \
-		-e "s,@libdir\@,$(libdir),g" \
-		-e "s,@includedir\@,$(includedir),g" \
-		-e "s,@LIB_crypt\@,$(LIB_crypt),g" \
-		-e "s,@LIB_dbopen\@,$(LIB_dbopen),g" \
-		-e "s,@INCLUDE_des\@,$(INCLUDE_des),g" \
-		-e "s,@LIB_des_appl\@,$(LIB_des_appl),g" \
-		-e "s,@LIBS\@,$(LIBS),g" \
-		$(srcdir)/krb5-config.in > $@
+	$(subst) $(srcdir)/krb5-config.in > $@.new
+	mv $@.new $@
 	chmod +x $@
+
+heimdal-gssapi.pc: heimdal-gssapi.pc.in
+	$(subst) $(srcdir)/heimdal-gssapi.pc.in > $@.new
+	mv $@.new $@
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/tools/heimdal-build.sh b/crypto/heimdal/tools/heimdal-build.sh
new file mode 100644
index 0000000..4e8a7ea
--- /dev/null
+++ b/crypto/heimdal/tools/heimdal-build.sh
@@ -0,0 +1,295 @@
+#!/bin/sh
+# Fetches, builds and store the result of a heimdal build
+# Version: $Id: heimdal-build.sh 21653 2007-07-18 20:15:59Z lha $
+
+fetchmethod=wget	   #options are: wget, curl, ftp, afs
+resultdir=
+email=heimdal-build-log@it.su.se
+baseurl=ftp://ftp.pdc.kth.se/pub/heimdal/src
+afsdir=/afs/pdc.kth.se/public/ftp/pub/heimdal/src
+keeptree=no
+passhrase=
+builddir=
+noemail=
+cputimelimit=3600
+confflags=
+
+# Add some bonus paths, to find sendmail and other tools
+# on interesting platforms.
+PATH="${PATH}:/usr/sbin:/usr/bin:/usr/libexec:/usr/lib"
+PATH="${PATH}:/usr/local/bin:/usr/local/sbin"
+
+# no more user configurabled part below (hopefully)
+
+usage="[--current] [--svn SourceRepository] [--cvs-flags] [--result-directory dir] [--fetch-method wget|ftp|curl|cvs|fetch|afs] --keep-tree] [--autotools] [--passhrase string] [--no-email] [--build-dir dir] [--cputime] [--distcheck] [--test-environment env] [--configure-flags flags]"
+
+date=`date +%Y%m%d`
+if [ "$?" != 0 ]; then
+    echo "have no sane date, punting"
+    exit 1
+fi
+
+hostname=`hostname`
+if [ "$?" != 0 ]; then
+    echo "have no sane hostname, punting"
+    exit 1
+fi
+
+version=`grep "^# Version: " "$0" | cut -f2- -d:`
+if [ "X${version}" = X ]; then
+    echo "Can not figure out what version I am"
+    exit 1
+fi
+
+dir=
+hversion=
+cvsroot=
+cvsflags=
+cvsbranch=
+branch=
+autotools=no
+distcheck=no
+
+while true
+do
+	case $1 in
+	--autotools)
+		autotools=yes
+		shift
+		;;
+	--build-dir)
+		builddir="$2"
+		shift 2
+		;;
+	--current)
+		dir="snapshots/"
+		hversion="heimdal-${date}"
+		shift
+		;;
+	--release)
+		hversion="heimdal-$2"
+		shift 2
+		;;
+	--cputime)
+		cputimelimit="$2"
+		shift 2
+		;;
+	--ccache-dir)
+		ccachedir="$2"
+		shift 2
+		;;
+	--svn)
+		hversion="heimdal-svn-${date}"
+		svnroot=$2
+		fetchmethod=svn
+		shift 2
+		;;
+	--distcheck)
+		distcheck=yes
+		shift
+		;;
+	--result-directory)
+		resultdir="$2"
+		if [ ! -d "$resultdir" ]; then
+		    echo "$resultdir doesn't exists"
+		    exit 1
+		fi
+		resultdir="`pwd`/${resultdir}"
+		shift 2
+		;;
+	--fetch-method)
+		fetchmethod="$2"
+		shift 2
+		;;
+	--keep-tree)
+		keeptree=yes
+		shift
+		;;
+	--passphrase)
+		passhrase="$2"
+		shift 2
+		;;
+	--prepend-path)
+		prependpath="$2"
+		shift 2
+		;;
+	--test-environment)
+		testenvironment="$2"
+		shift 2
+		;;
+	--no-email)
+		noemail="yes"
+		shift
+		;;
+	--configure-flags)
+		confflags="${confflags} $2"
+		shift 2
+		;;
+	--version)
+		echo "Version: $version"
+		exit 0
+		;;
+	-*)
+		echo "unknown option: $1"
+		break
+		;;
+	*)
+		break
+		;;
+	esac
+done
+if test $# -gt 0; then
+	echo $usage
+	exit 1
+fi
+
+if [ "X${hversion}" = X ]; then
+	echo "no version given"
+	exit 0
+fi
+
+hfile="${hversion}.tar.gz"
+url="${baseurl}/${dir}${hfile}"
+afsfile="${afsdir}/${dir}${hfile}"
+unpack=yes
+
+# extra paths for the user
+if [ "X${prependpath}" != X ]; then
+	PATH="${prependpath}:${PATH}"
+fi
+
+# Limit cpu seconds this all can take
+ulimit -t "$cputimelimit" > /dev/null 2>&1
+
+if [ "X${builddir}" != X ]; then
+	echo "Changing build dir to ${builddir}"
+	cd "${builddir}"
+fi
+
+echo "Removing old source" 
+rm -rf ${hversion}
+
+echo "Fetching ${hversion} using $fetchmethod"
+case "$fetchmethod" in
+wget|ftp|fetch)
+	${fetchmethod} $url > /dev/null
+	res=$?
+	;;
+curl)
+	${fetchmethod} -o ${hfile} ${url} > /dev/null
+	res=$?
+	;;
+afs)
+	cp ${afsfile} ${hfile}
+	res=$?
+	;;
+svn)
+	svn co $svnroot ${hversion}
+	res=$?
+	unpack=no
+	autotools=yes
+	;;
+*)
+	echo "unknown fetch method"
+	;;
+esac
+
+if [ "X$res" != X0 ]; then
+	echo "Failed to download the tar-ball"
+	exit 1
+fi
+
+if [ X"$unpack" = Xyes ]; then
+	echo Unpacking source
+	(gzip -dc ${hfile} | tar xf -) || exit 1
+fi
+
+if [ X"$autotools" = Xyes ]; then
+	echo "Autotooling"
+	(cd ${hversion} && sh ./autogen.sh) || exit 1
+fi
+
+if [ X"$ccachedir" != X ]; then
+	CCACHE_DIR="${ccachedir}"
+	export CCACHE_DIR
+fi
+
+cd ${hversion} || exit 1
+
+makecheckenv=
+if [ X"${testenvironment}" != X ] ; then
+    makecheckenv="${makecheckenv} TESTS_ENVIRONMENT=\"${testenvironment}\""
+fi
+
+mkdir socket_wrapper_dir
+SOCKET_WRAPPER_DIR=`pwd`/socket_wrapper_dir
+export SOCKET_WRAPPER_DIR
+
+echo "Configuring and building ($hversion)"
+echo "./configure --enable-socket-wrapper ${confflags}" > ab.txt
+./configure --enable-socket-wrapper ${confflags} >> ab.txt 2>&1
+if [ $? != 0 ] ; then
+    echo Configure failed
+    status=${status:-configure}
+fi
+echo make all >> ab.txt
+make all >> ab.txt 2>&1
+if [ $? != 0 ] ; then
+    echo Make all failed
+    status=${status:-make all}
+fi
+echo make check >> ab.txt
+eval env $makecheckenv make check >> ab.txt 2>&1
+if [ $? != 0 ] ; then
+    echo Make check failed
+    status=${status:-make check}
+fi
+
+if [ "$distcheck" = yes ] ; then
+    echo make distcheck >> ab.txt
+    if [ $? != 0 ] ; then
+        echo Make check failed
+        status=${status:-make distcheck}
+    fi
+fi
+
+status=${status:-ok}
+
+echo "done: ${status}"
+
+if [ "X${resultdir}" != X ] ; then
+	cp ab.txt "${resultdir}/ab-${hversion}-${hostname}-${date}.txt"
+fi
+
+if [ "X${noemail}" = X ] ; then
+	cat > email-header <<EOF
+From: ${USER:-unknown-user}@${hostname}
+To: <heimdal-build-log@it.su.se>
+Subject: heimdal-build-log SPAM COOKIE
+X-heimdal-build: kaka-till-love
+
+Script-version: ${version}
+Heimdal-version: ${hversion}
+Machine: `uname -a`
+Status: $status
+EOF
+
+	if [ "X$passhrase" != X ] ; then
+		cat >> email-header <<EOF
+autobuild-passphrase: ${passhrase}
+EOF
+	fi
+		cat >> email-header <<EOF
+------L-O-G------------------------------------
+EOF
+
+	cat email-header ab.txt | sendmail "${email}"
+fi
+
+cd ..
+if [ X"$keeptree" != Xyes ] ; then
+    rm -rf ${hversion}
+fi
+rm -f ${hfile}
+
+exit 0
diff --git a/crypto/heimdal/tools/heimdal-gssapi.pc.in b/crypto/heimdal/tools/heimdal-gssapi.pc.in
new file mode 100644
index 0000000..4589dee
--- /dev/null
+++ b/crypto/heimdal/tools/heimdal-gssapi.pc.in
@@ -0,0 +1,14 @@
+# $Id$
+prefix=@PREFIX@
+exec_prefix=${prefix}
+libdir=${exec_prefix}/lib
+includedir=${prefix}/include
+
+Name: @PACKAGE@
+Description: Heimdal is an implementation of Kerberos 5, freely available under a three clause BSD style license.
+Version: @VERSION@
+URL: http://www.pdc.kth.se/heimdal/
+#Requires: foo = 1.3.1
+#Conflicts: bar <= 4.5
+Libs: -L${libdir} -lgssapi -lheimntlm -lkrb5 @LIB_pkinit@ -lcom_err @LIB_hcrypto_appl@ -lasn1 -lroken @LIB_crypt@ @LIB_dlopen@ @LIB_door_create@ @LIBS@
+Cflags: -I${includedir}
diff --git a/crypto/heimdal/tools/kdc-log-analyze.pl b/crypto/heimdal/tools/kdc-log-analyze.pl
new file mode 100755
index 0000000..08d3e38
--- /dev/null
+++ b/crypto/heimdal/tools/kdc-log-analyze.pl
@@ -0,0 +1,549 @@
+#! /usr/pkg/bin/perl
+# -*- mode: perl; perl-indent-level: 8 -*-
+# 
+# Copyright (c) 2003 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+# 
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+# 
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+# 
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+# 
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+# 
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id: kdc-log-analyze.pl 17173 2006-04-23 13:19:21Z lha $
+#
+# kdc-log-analyze - Analyze a KDC log file and give a report on the contents
+#
+# Note: The parts you want likely want to customize are the variable $notlocal,
+# the array @local_network_re and the array @local_realms.
+#
+# Idea and implemetion for MIT Kerberos was done first by 
+# Ken Hornstein <kenh@cmf.nrl.navy.mil>, this program wouldn't exists
+# without his help.
+#
+
+use strict;
+use Sys::Hostname;
+
+my $notlocal = 'not SU';
+my @local_realms = ( "SU.SE" );
+my @local_networks_re = 
+    ( 
+      "130\.237",
+      "193\.11\.3[0-9]\.",
+      "130.242.128",
+      "2001:6b0:5:"
+      );
+
+my $as_req = 0;
+my %as_req_addr;
+my %as_req_addr_nonlocal;
+my %as_req_client;
+my %as_req_server;
+my %addr_uses_des;
+my %princ_uses_des;
+my $five24_req = 0;
+my %five24_req_addr;
+my %five24_req_addr_nonlocal;
+my %five24_req_server;
+my %five24_req_client;
+my $as_req_successful = 0;
+my $as_req_error = 0;
+my $no_such_princ = 0;
+my %no_such_princ_princ;
+my %no_such_princ_addr;
+my %no_such_princ_addr_nonlocal;
+my $as_req_etype_odd = 0;
+my %bw_addr;
+my $pa_alt_princ_request = 0;
+my $pa_alt_princ_verify = 0;
+my $tgs_req = 0;
+my %tgs_req_addr;
+my %tgs_req_addr_nonlocal;
+my %tgs_req_client;
+my %tgs_req_server;
+my $tgs_xrealm_out = 0;
+my %tgs_xrealm_out_realm;
+my %tgs_xrealm_out_princ;
+my $tgs_xrealm_in = 0;
+my %tgs_xrealm_in_realm;
+my %tgs_xrealm_in_princ;
+my %enctype_session;
+my %enctype_ticket;
+my $restarts = 0;
+my $forward_non_forward = 0;
+my $v4_req = 0;
+my %v4_req_addr;
+my %v4_req_addr_nonlocal;
+my $v4_cross = 0;
+my %v4_cross_realm;
+my $v5_cross = 0;
+my %v5_cross_realm;
+my $referrals = 0;
+my %referral_princ;
+my %referral_realm;
+my %strange_tcp_data;
+my $http_malformed = 0;
+my %http_malformed_addr;
+my $http_non_kdc = 0;
+my %http_non_kdc_addr;
+my $tcp_conn_timeout = 0;
+my %tcp_conn_timeout_addr;
+my $failed_processing = 0;
+my %failed_processing_addr;
+my $connection_closed = 0;
+my %connection_closed_addr;
+my $pa_failed = 0;
+my %pa_failed_princ;
+my %pa_failed_addr;
+my %ip;
+
+$ip{'4'} = $ip{'6'} = 0;
+
+while (<>) {
+	process_line($_);
+}
+
+print "Kerberos KDC Log Report for ", 
+    hostname, " on ", scalar localtime, "\n\n";
+
+print "General Statistics\n\n";
+
+print "\tNumber of IPv4 requests: $ip{'4'}\n";
+print "\tNumber of IPv6 requests: $ip{'6'}\n\n";
+
+print "\tNumber of restarts: $restarts\n";
+print "\tNumber of V4 requests: $v4_req\n";
+if ($v4_req > 0) {
+	print "\tTop ten IP addresses performing V4 requests:\n";
+	topten(\%v4_req_addr);
+}
+if (int(keys %v4_req_addr_nonlocal) > 0) {
+	print "\tTop ten $notlocal IP addresses performing V4 requests:\n";
+	topten(\%v4_req_addr_nonlocal);
+
+}
+print "\n";
+
+print "\tNumber of V4 cross realms (krb4 and 524) requests: $v4_cross\n";
+if ($v4_cross > 0) {
+	print "\tTop ten realms performing V4 cross requests:\n";
+	topten(\%v4_cross_realm);
+}
+print "\n";
+
+print "\tNumber of V45 cross realms requests: $v5_cross\n";
+if ($v5_cross > 0) {
+	print "\tTop ten realms performing V4 cross requests:\n";
+	topten(\%v5_cross_realm);
+}
+print "\n";
+
+print "\tNumber of failed lookups: $no_such_princ\n";
+if ($no_such_princ > 0) {
+	print "\tTop ten IP addresses failing to find principal:\n";
+	topten(\%no_such_princ_addr);
+	print "\tTop ten $notlocal IP addresses failing find principal:\n";
+	topten(\%no_such_princ_addr_nonlocal);
+	print "\tTop ten failed to find principals\n";
+	topten(\%no_such_princ_princ);
+}
+print "\n";
+
+print "\tBandwidth pigs:\n";
+topten(\%bw_addr);
+print "\n";
+
+print "\tStrange TCP data clients: ", int(keys %strange_tcp_data),"\n";
+topten(\%strange_tcp_data);
+print "\n";
+
+print "\tTimeout waiting on TCP requests: ", $tcp_conn_timeout,"\n";
+if ($tcp_conn_timeout > 0) {
+	print "\tTop ten TCP timeout request clients\n";
+	topten(\%tcp_conn_timeout_addr);
+}
+print "\n";
+
+print "\tFailed processing requests: ", $failed_processing,"\n";
+if ($failed_processing > 0) {
+	print "\tTop ten failed processing request clients\n";
+	topten(\%failed_processing_addr);
+}
+print "\n";
+
+print "\tConnection closed requests: ", $connection_closed,"\n";
+if ($connection_closed > 0) {
+	print "\tTop ten connection closed request clients\n";
+	topten(\%connection_closed_addr);
+}
+print "\n";
+
+print "\tMalformed HTTP requests: ", $http_malformed,"\n";
+if ($http_malformed > 0) {
+	print "\tTop ten malformed HTTP request clients\n";
+	topten(\%http_malformed_addr);
+}
+print "\n";
+
+print "\tHTTP non kdc requests: ", $http_non_kdc,"\n";
+if ($http_non_kdc > 0) {
+	print "\tTop ten HTTP non KDC request clients\n";
+	topten(\%http_non_kdc_addr);
+}
+print "\n";
+
+print "Report on AS_REQ requests\n\n";
+print "Overall AS_REQ statistics\n\n";
+
+print "\tTotal number: $as_req\n";
+
+print "\nAS_REQ client/server statistics\n\n";
+
+print "\tDistinct IP Addresses performing requests: ", 
+    int(keys %as_req_addr),"\n";
+print "\tOverall top ten IP addresses\n";
+topten(\%as_req_addr);
+
+print "\tDistinct non-local ($notlocal) IP Addresses performing requests: ",
+					int(keys %as_req_addr_nonlocal), "\n";
+print "\tTop ten non-local ($notlocal) IP address:\n";
+topten(\%as_req_addr_nonlocal);
+
+print "\n\tPreauth failed for for: ", $pa_failed, " requests\n";
+if ($pa_failed) {
+	print "\tPreauth failed top ten IP addresses:\n";
+	topten(\%pa_failed_addr);
+	print "\tPreauth failed top ten principals:\n";
+	topten(\%pa_failed_princ);
+}
+
+print "\n\tDistinct clients performing requests: ", 
+    int(keys %as_req_client), "\n";
+print "\tTop ten clients:\n";
+topten(\%as_req_client);
+
+print "\tDistinct services requested: ", int(keys %as_req_server), "\n";
+print "\tTop ten requested services:\n";
+topten(\%as_req_server);
+
+print "\n\n\nReport on TGS_REQ requests:\n\n";
+print "Overall TGS_REQ statistics\n\n";
+print "\tTotal number: $tgs_req\n";
+
+print "\nTGS_REQ client/server statistics\n\n";
+print "\tDistinct IP addresses performing requests: ",
+				int(keys %tgs_req_addr), "\n";
+print "\tOverall top ten IP addresses\n";
+topten(\%tgs_req_addr);
+
+print "\tDistinct non-local ($notlocal) IP Addresses performing requests: ",
+				int(keys %tgs_req_addr_nonlocal), "\n";
+print "\tTop ten non-local ($notlocal) IP address:\n";
+topten(\%tgs_req_addr_nonlocal);
+
+print "\tDistinct clients performing requests: ",
+				int(keys %tgs_req_client), "\n";
+print "\tTop ten clients:\n";
+topten(\%tgs_req_client);
+
+print "\tDistinct services requested: ", int(keys %tgs_req_server), "\n";
+print "\tTop ten requested services:\n";
+topten(\%tgs_req_server);
+
+print "\n\n\nReport on 524_REQ requests:\n\n";
+
+print "\t524_REQ client/server statistics\n\n";
+
+print "\tDistinct IP Addresses performing requests: ", 
+    int(keys %five24_req_addr),"\n";
+print "\tOverall top ten IP addresses\n";
+topten(\%five24_req_addr);
+
+print "\tDistinct non-local ($notlocal) IP Addresses performing requests: ",
+					int(keys %five24_req_addr_nonlocal), "\n";
+print "\tTop ten non-local ($notlocal) IP address:\n";
+topten(\%five24_req_addr_nonlocal);
+
+print "\tDistinct clients performing requests: ", int(keys %five24_req_client), "\n";
+print "\tTop ten clients:\n";
+topten(\%five24_req_client);
+
+print "\tDistinct services requested: ", int(keys %five24_req_server), "\n";
+print "\tTop ten requested services:\n";
+topten(\%five24_req_server);
+print "\n";
+
+print "Cross realm statistics\n\n";
+
+print "\tNumber of cross-realm tgs out: $tgs_xrealm_out\n";
+if ($tgs_xrealm_out > 0) {
+	print "\tTop ten realms used for out cross-realm:\n";
+	topten(\%tgs_xrealm_out_realm);
+	print "\tTop ten principals use out cross-realm:\n";
+	topten(\%tgs_xrealm_out_princ);
+}
+print "\tNumber of cross-realm tgs in: $tgs_xrealm_in\n";
+if ($tgs_xrealm_in > 0) {
+	print "\tTop ten realms used for in cross-realm:\n";
+	topten(\%tgs_xrealm_in_realm);
+	print "\tTop ten principals use in cross-realm:\n";
+	topten(\%tgs_xrealm_in_princ);
+}
+
+print "\n\nReport on referral:\n\n";
+
+print "\tNumber of referrals: $referrals\n";
+if ($referrals > 0) {
+	print "\tTop ten referral-ed principals:\n";
+	topten(\%referral_princ);
+	print "\tTop ten to realm referrals:\n";
+	topten(\%referral_realm);
+}
+
+print "\n\nEnctype Statistics:\n\n";
+print "\tTop ten session enctypes:\n";
+topten(\%enctype_session);
+print "\tTop ten ticket enctypes:\n";
+topten(\%enctype_ticket);
+
+print "\tDistinct IP addresses using DES: ", int(keys %addr_uses_des), "\n";
+print "\tTop IP addresses using DES:\n";
+topten(\%addr_uses_des);
+print "\tDistinct principals using DES: ", int(keys %princ_uses_des), "\n";
+print "\tTop ten principals using DES:\n";
+topten(\%princ_uses_des);
+
+print "\n";
+
+printf("Requests to forward non-forwardable ticket: $forward_non_forward\n");
+
+
+exit 0;
+
+my $last_addr = "";
+my $last_principal = "";
+
+sub process_line {
+	local($_) = @_;
+	#
+	# Eat these lines that are output as a result of startup (but
+	# log the number of restarts)
+	#
+	if (/AS-REQ \(krb4\) (.*) from IPv([46]):([0-9\.:a-fA-F]+) for krbtgt.*$/){
+		$v4_req++;
+		$v4_req_addr{$3}++;
+		$v4_req_addr_nonlocal{$3}++ if (!islocaladdr($3));
+		$last_addr = $3;
+		$last_principal = $1;
+		$ip{$2}++;
+	} elsif (/AS-REQ (.*) from IPv([46]):([0-9\.:a-fA-F]+) for (.*)$/) {
+		$as_req++;
+		$as_req_client{$1}++;
+		$as_req_server{$4}++;
+		$as_req_addr{$3}++;
+		$as_req_addr_nonlocal{$3}++ if (!islocaladdr($3));
+		$last_addr = $3;
+		$last_principal = $1;
+		$ip{$2}++;
+	} elsif (/TGS-REQ \(krb4\)/) {
+		#Nothing
+	} elsif (/TGS-REQ (.+) from IPv([46]):([0-9\.:a-fA-F]+) for (.*?)( \[.*\]){0,1}$/) {
+		$tgs_req++;
+		$tgs_req_client{$1}++;
+		$tgs_req_server{$4}++;
+		$tgs_req_addr{$3}++;
+		$tgs_req_addr_nonlocal{$3}++ if (!islocaladdr($3));
+		$last_addr = $3;
+		$last_principal = $1;
+		$ip{$2}++;
+
+		my $source = $1;
+		my $dest = $4;
+		
+		if (!islocalrealm($source)) {
+			$tgs_xrealm_in++;
+			$tgs_xrealm_in_princ{$source}++;
+			if ($source =~ /[^@]+@([^@]+)/ ) {
+				$tgs_xrealm_in_realm{$1}++;
+			}
+		}
+		if ($dest =~ /krbtgt\/([^@]+)@[^@]+/) {
+			if (!islocalrealm($1)) {
+				$tgs_xrealm_out++;
+				$tgs_xrealm_out_realm{$1}++;
+				$tgs_xrealm_out_princ{$source}++;
+			}
+		}
+	} elsif (/524-REQ (.*) from IPv([46]):([0-9\.:a-fA-F]+) for (.*)$/) {
+		$five24_req++;
+		$five24_req_client{$1}++;
+		$five24_req_server{$4}++;
+		$five24_req_addr{$3}++;
+		$five24_req_addr_nonlocal{$3}++ if (!islocaladdr($3));
+		$last_addr = $3;
+		$last_principal = $1;
+		$ip{$2}++;
+	} elsif (/TCP data of strange type from IPv[46]:([0-9\.:a-fA-F]+)/) {
+		$strange_tcp_data{$1}++;
+	} elsif (/Lookup (.*) failed: No such entry in the database/) {
+		$no_such_princ++;
+		$no_such_princ_addr{$last_addr}++;
+		$no_such_princ_addr_nonlocal{$last_addr}++ if (!islocaladdr($last_addr));
+		$no_such_princ_princ{$1}++;
+	} elsif (/Lookup .* succeeded$/) {
+		# Nothing
+	} elsif (/Malformed HTTP request from IPv[46]:([0-9\.:a-fA-F]+)$/) {
+		$http_malformed++;
+		$http_malformed_addr{$1}++;
+	} elsif (/TCP-connection from IPv[46]:([0-9\.:a-fA-F]+) expired after [0-9]+ bytes/) {
+		$tcp_conn_timeout++;
+		$tcp_conn_timeout_addr{$1}++;
+	} elsif (/Failed processing [0-9]+ byte request from IPv[46]:([0-9\.:a-fA-F]+)/) {
+		$failed_processing++;
+		$failed_processing_addr{$1}++;
+	} elsif (/connection closed before end of data after [0-9]+ bytes from IPv[46]:([0-9\.:a-fA-F]+)/) {
+		$connection_closed++;
+		$connection_closed_addr{$1}++;
+	} elsif (/HTTP request from IPv[46]:([0-9\.:a-fA-F]+) is non KDC request/) {
+		$http_non_kdc++;
+		$http_non_kdc_addr{$1}++;
+	} elsif (/returning a referral to realm (.*) for server (.*) that was not found/) {
+		$referrals++;
+		$referral_princ{$2}++;
+		$referral_realm{$1}++;
+	} elsif (/krb4 Cross-realm (.*) -> (.*) disabled/) {
+		$v4_cross++;
+		$v4_cross_realm{$1."->".$2}++;
+	} elsif (/524 cross-realm (.*) -> (.*) disabled/) {
+		$v4_cross++;
+		$v4_cross_realm{$1."->".$2}++;
+	} elsif (/cross-realm (.*) -> (.*): no transit through realm (.*)/) {
+	} elsif (/cross-realm (.*) -> (.*) via \[([^\]]+)\]/) {
+		$v5_cross++;
+		$v5_cross_realm{$1."->".$2}++;
+	} elsif (/cross-realm (.*) -> (.*)/) {
+		$v5_cross++;
+		$v5_cross_realm{$1."->".$2}++;
+	} elsif (/sending ([0-9]+) bytes to IPv[46]:([0-9\.:a-fA-F]+)/) {
+		$bw_addr{$2} += $1;
+	} elsif (/Using ([-a-z0-9]+)\/([-a-z0-9]+)/) {
+		$enctype_ticket{$1}++;
+		$enctype_session{$2}++;
+
+		my $ticket = $1;
+		my $session = $2;
+
+		if ($ticket =~ /des-cbc-(crc|md4|md5)/) {
+			$addr_uses_des{$last_addr}++;
+			$princ_uses_des{$last_principal}++;
+		}
+
+	} elsif (/Failed to decrypt PA-DATA -- (.+)$/) {
+		$pa_failed++;
+		$pa_failed_princ{$last_principal}++;
+		$pa_failed_addr{$last_addr}++;
+
+	} elsif (/Request to forward non-forwardable ticket/) {
+		$forward_non_forward++;
+	} elsif (/HTTP request:/) {
+	} elsif (/krb_rd_req: Incorrect network address/) {
+	} elsif (/krb_rd_req: Ticket expired \(krb_rd_req\)/) {
+	} elsif (/Ticket expired \(.*\)/) {
+	} elsif (/krb_rd_req: Can't decode authenticator \(krb_rd_req\)/) {
+	} elsif (/Request from wrong address/) {
+		# XXX
+	} elsif (/UNKNOWN --/) {
+		# XXX
+	} elsif (/Too large time skew -- (.*)$/) {
+		# XXX
+	} elsif (/No PA-ENC-TIMESTAMP --/) {
+		# XXX
+	} elsif (/Looking for pa-data --/) {
+		# XXX
+	} elsif (/Pre-authentication succeded -- (.+)$/) {
+		# XXX
+	} elsif (/Bad request for ([,a-zA-Z0-9]+) ticket/) {
+		# XXX
+	} elsif (/Failed to verify AP-REQ: Ticket expired/) {
+		# XXX 
+	} elsif (/Client not found in database:/) {
+		# XXX
+	} elsif (/Server not found in database \(krb4\)/) {
+	} elsif (/Server not found in database:/) {
+		# XXX
+	} elsif (/newsyslog.*logfile turned over/) {
+		# Nothing
+	} elsif (/Requested flags:/) {
+		# Nothing
+	} elsif (/shutting down/) {
+		# Nothing
+	} elsif (/listening on IP/) {
+		# Nothing
+	} elsif (/commencing operation/) {
+		$restarts++;
+	}
+	#
+	# Log it if we didn't parse the line
+	#
+	else {
+		print "Unknown log file line: $_";
+	}
+}
+
+sub topten {
+	my ($list) = @_;
+	my @keys;
+
+	my $key;
+
+	@keys = (sort {$$list{$b} <=> $$list{$a}} (keys %{$list}));
+	splice @keys, 10;
+
+	foreach $key (@keys) {
+		print "\t\t$key - $$list{$key}\n";
+	}
+}
+
+sub islocaladdr (\$) {
+	my ($addr) = @_;
+	my $net;
+
+	foreach $net (@local_networks_re) {
+		return 1 if ($addr =~ /$net/);
+	}
+	return 0;
+}
+
+sub islocalrealm (\$) {
+	my ($princ) = @_;
+	my $realm;
+
+	foreach $realm (@local_realms) {
+		return 1 if ($princ eq $realm);
+		return 1 if ($princ =~ /[^@]+\@${realm}/);
+	}
+	return 0;
+}
diff --git a/crypto/heimdal/tools/krb5-config.1 b/crypto/heimdal/tools/krb5-config.1
index 222b760..4ed1cd8 100644
--- a/crypto/heimdal/tools/krb5-config.1
+++ b/crypto/heimdal/tools/krb5-config.1
@@ -29,7 +29,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 .\" SUCH DAMAGE. 
 .\" 
-.\" $Id: krb5-config.1,v 1.5 2003/02/16 21:10:32 lha Exp $
+.\" $Id: krb5-config.1 11648 2003-02-16 21:10:32Z lha $
 .\"
 .Dd November 30, 2000
 .Dt KRB5-CONFIG 1
diff --git a/crypto/heimdal/tools/krb5-config.in b/crypto/heimdal/tools/krb5-config.in
index bdaa397..35da594 100755
--- a/crypto/heimdal/tools/krb5-config.in
+++ b/crypto/heimdal/tools/krb5-config.in
@@ -1,5 +1,5 @@
 #!/bin/sh
-# $Id: krb5-config.in,v 1.9 2002/09/09 22:29:06 joda Exp $
+# $Id: krb5-config.in 20528 2007-04-22 13:22:16Z lha $
 
 do_libs=no
 do_cflags=no
@@ -21,7 +21,7 @@ for i in $*; do
     ;;
   --version)
     echo "@PACKAGE@ @VERSION@"
-    echo '$Id: krb5-config.in,v 1.9 2002/09/09 22:29:06 joda Exp $'
+    echo '$Id: krb5-config.in 20528 2007-04-22 13:22:16Z lha $'
     exit 0
     ;;
   --prefix=*)
@@ -54,6 +54,9 @@ for i in $*; do
   kadm-server)
     library=kadm-server
     ;;
+  kafs)
+    library=kafs
+    ;;
   *)
     echo "unknown option: $i"
     exit 1
@@ -64,7 +67,7 @@ done
 if test "$do_usage" = "yes"; then
     echo "usage: $0 [options] [libraries]"
     echo "options: [--prefix[=dir]] [--exec-prefix[=dir]] [--libs] [--cflags]"
-    echo "libraries: krb5 gssapi kadm-client kadm-server"
+    echo "libraries: krb5 gssapi kadm-client kadm-server kafs"
     exit $usage_exit
 fi
 
@@ -90,21 +93,26 @@ if test "$do_libs" = "yes"; then
     lib_flags="-L${libdir}"
     case $library in
     gssapi)
-	lib_flags="$lib_flags -lgssapi"
+	lib_flags="$lib_flags -lgssapi -lheimntlm"
 	;;
     kadm-client)
 	lib_flags="$lib_flags -lkadm5clnt"
 	;;
     kadm-server)
-	lib_flags="$lib_flags -lkadm5srv"
+	lib_flags="$lib_flags -lkadm5srv @LIB_dbopen@"
+	;;
+    kafs)
+	lib_flags="$lib_flags -lkafs"
 	;;
     esac
-    lib_flags="$lib_flags -lkrb5 -lasn1 @LIB_des_appl@ -lroken"
-    lib_flags="$lib_flags @LIB_crypt@ @LIB_dbopen@ @LIBS@"
+    lib_flags="$lib_flags -lkrb5 @LIB_pkinit@ -lcom_err"
+    lib_flags="$lib_flags @LIB_hcrypto_appl@ -lasn1 -lroken"
+    lib_flags="$lib_flags @LIB_crypt@ @LIB_dlopen@"
+    lib_flags="$lib_flags @LIB_door_create@ @LIBS@"
     echo $lib_flags
 fi
 if test "$do_cflags" = "yes"; then
-    echo "-I${includedir} @INCLUDE_des@"
+    echo "-I${includedir} @INCLUDE_hcrypto@"
 fi
 
 exit 0